Import IPFilter version 3.4.20

This commit is contained in:
darrenr 2001-07-28 11:59:33 +00:00
parent c32397cc6e
commit c51cd1facc
93 changed files with 1975 additions and 1094 deletions


@ -17,7 +17,7 @@ log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
froute = "fastroute" | "to" interface-name .
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .


@ -22,6 +22,121 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.20 24/07/2001 - Released
adjust NAT hashing to give a better spread across the table
show icmp code/type names in output, where known
fix bug in altering cached interface names in state when resync'ing
fix bug in real audio proxy that caused crashs
fix compiling using sunos4 cc
patch from casper to address weird exit problem for ipstat in top mode
patch from Greg Woods to produce names for icmp types/unreach codes,
where they are known
fix bug where ipfr_fastroute() would use a mblk and it would also get
freed later.
don't match fragments which would cause 64k length to be exceeded
ftp proxy fix for port numbers being setup for pasv ftp with state/nat
change hashing for NAT to include both IP#'s and ports.
Solaris fixes for IPv6
fix compiling iplang bits, under Solaris, for ipsend
3.4.19 29/06/2001 - Released
fix to support suspend/resume on solaris8 as well as ipv6
include group/group-head in match of filter rules
fix endian problem reading snoop files
make all licence comments point to the one place
fix ftp proxy to only advance state if a reply is received in response to
a recognised command
3.4.18 05/06/2001 - Released
fix up parsing of "from ! host" where '!' is separate
disable hardware checksums for NetBSD
put ipftest temporary files in . rather than /tmp
modify ftp proxy to be more intelligent about moving between states
and recognise new authentication commands
allow state/nat table sizes to be externally influenced
print out host mapping table for NAT with ipnat -l
fix handling of hardware checksum'ing on Solaris
fixup makefiles for Solaris
update regression tests
fix surrender of SPL's for failure cases
include patches for OpenBSD's new timeout mechanism
default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it
ICMP_UNREACH_FILTER
fix up handling of packets matching auth rules and interaction with state
add -q command line option to ipfstat on Solaris to list bound interfaces
add command line option to ipfstat/ipnat to select different core image
don't use ncurses on Solaris for STATETOP
fix includes to get FreeBSD version
do not byte swap ip_id
fix handling success for packets matching the auth rule
don't double-count short packets
add ICMP router discovery message size recognition
fix packet length calculation for IPv6
set CPUDIR when for install-sunos5 make target
SUNWspro -xF causes Solaris 2.5.1 kernel to crash
3.4.17 06/04/2001 - Released
fix fragment#0 handling bug where they could get in via cache information
created by state table entries
use ire_walk to look for ire cache entries with link layer headers cached
deal with bad SPL assumptions for log reading on BSD
fix ftp proxy to allow logins with passwords
some auth rule patches, fixing byte endian problems and returning as an error
support LOG_SECURITY, where available, in ipmon
don't return an error for packets which match auth rules
introduce fr_icmpacktimeout to timeout entries once an ICMP reply has
been seen separately to when created
3.4.16 15/01/2001 - Released
fix race condition in flushing of state entries that are timing out


@ -3,41 +3,6 @@
****************************************
1)
If you're using this software and have a rule which ends like this:
flags S
(for TCP), then to make it totally effective, you need to change it to appear
as follows:
flags S/SA
The problem is that the old code would compare all the TCP flags against the
rule (which just has "S") to see if that matched exactly. It is very possible
for this to not be the case and in these cases, the rule would fail to match
a 'valid' TCP SYN packet.
Why does it need to be "S/SA" and not "S/S" ?
"S/S" will match the SYN-ACK as well the SYN.
By defalt, "flags S" will now be converted to "flags S/AUPRFS".
If you have any queries regarding this, see the examples and ipf(4).
If you still have a query or suggestion, please email me.
2)
If a filter rule used, in combination port comparisons and the flags
keywords, a "short" TCP packet, if not explicitly blocked high up in
the list of packets, would actually get matched even though it would
otherwise not have been (due to the ports not). This behaviour has
subsequently been fixed.
3)
If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.


@ -1,11 +1,9 @@
#
# Copyright (C) 1993-2000 by Darren Reed.
# Copyright (C) 1993-2001 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
# $Id: Makefile,v 2.11.2.6 2000/12/17 12:43:15 darrenr Exp $
# $Id: Makefile,v 2.11.2.8 2001/06/26 10:43:10 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -19,6 +17,7 @@ TOP=../..
CFLAGS=-I$$(TOP)
CPU=`uname -m`
CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`
IPFILKERN=`/bin/ls -1tr /usr/src/sys/compile | grep -v .bak | tail -1`
#
# To enable this to work as a Loadable Kernel Module...
#
@ -262,7 +261,7 @@ install-sunos4: solaris
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
install-sunos5: solaris
(cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install)
(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
install-irix: irix
(cd IRIX; smake install "CPU=$(CPU) TOP=.." $(DEST) $(MFLAGS))
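Review bot: The kernel-directory probe that appears to be added in this hunk, `IPFILKERN=\`/bin/ls -1tr /usr/src/sys/compile | grep -v .bak | tail -1\``, filters with an unanchored, unescaped pattern, so `.bak` matches any character followed by "bak" anywhere in the name and a directory such as `MYbak` is dropped while `GENERIC.bak.old` is kept. Selecting by `ls -t` modification time also silently picks whichever directory was touched last, which need not be the kernel ipfilter is being built for. I would at least tighten the filter, `IPFILKERN=\`/bin/ls -1tr /usr/src/sys/compile | grep -v '\.bak$' | tail -1\``, and add a comment above it, `# Newest kernel build dir; override IPFILKERN=... on the make line if this guesses wrong`, so the heuristic is visible to whoever installs the module.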


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)


@ -2360,6 +2360,7 @@ dpserve 7020/udp # DP Serve
dpserveadmin 7021/tcp # DP Serve Admin
dpserveadmin 7021/udp # DP Serve Admin
arcp 7070/tcp # ARCP
raudio 7070/tcp # Real Audio
arcp 7070/udp # ARCP
clutild 7174/tcp # Clutild
clutild 7174/udp # Clutild


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@ -18,8 +16,12 @@
#include <syslog.h>
#include "facpri.h"
#ifndef __STDC__
# define const
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3 2000/03/13 22:10:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3.2.4 2001/07/15 22:06:12 darrenr Exp $";
#endif
typedef struct table {
@ -54,6 +56,9 @@ table_t facs[] = {
{ "cron", LOG_CRON2 },
#else
{ "cron2", LOG_CRON2 },
#endif
#ifdef LOG_SECURITY
{ "security", LOG_SECURITY },
#endif
{ "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
{ "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },


@ -1,10 +1,8 @@
/*
* Copyright (C) 1999-2000 by Darren Reed.
* Copyright (C) 1999-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* $Id: facpri.h,v 1.3 2000/03/13 22:10:18 darrenr Exp $
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: facpri.h,v 1.3.2.1 2001/06/26 10:43:11 darrenr Exp $
*/
#ifndef __FACPRI_H__


@ -1,15 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $";
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@ -100,6 +93,11 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darr
#endif
#include "netinet/ipl.h"
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.39 2001/07/18 13:30:32 darrenr Exp $";
#endif
#ifndef _KERNEL
# include "ipf.h"
# include "ipt.h"
@ -115,12 +113,6 @@ extern int opts;
# if SOLARIS || defined(__sgi)
extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
extern kmutex_t ipf_rw;
# endif
# if SOLARIS
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
ip, qif)
# else /* SOLARIS */
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
# endif /* SOLARIS || __sgi */
#endif /* _KERNEL */
@ -226,7 +218,7 @@ fr_info_t *fin;
if (v == 4) {
fin->fin_id = ip->ip_id;
fi->fi_tos = ip->ip_tos;
off = (ip->ip_off & IP_OFFMASK) << 3;
off = (ip->ip_off & IP_OFFMASK);
tcp = (tcphdr_t *)((char *)ip + hlen);
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
fi->fi_src.i6[1] = 0;
@ -239,7 +231,7 @@ fr_info_t *fin;
fi->fi_daddr = ip->ip_dst.s_addr;
p = ip->ip_p;
fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
if (ip->ip_off & 0x3fff)
if (ip->ip_off & (IP_MF|IP_OFFMASK))
fi->fi_fl |= FI_FRAG;
plen = ip->ip_len;
fin->fin_dlen = plen - hlen;
@ -260,6 +252,7 @@ fr_info_t *fin;
fi->fi_fl = 0;
plen = ntohs(ip6->ip6_plen);
fin->fin_dlen = plen;
plen += sizeof(*ip6);
}
#endif
else
@ -268,6 +261,7 @@ fr_info_t *fin;
fin->fin_off = off;
fin->fin_plen = plen;
fin->fin_dp = (void *)tcp;
off <<= 3;
switch (p)
{
@ -315,25 +309,34 @@ fr_info_t *fin;
icmp = (icmphdr_t *)tcp;
if (icmp->icmp_type == ICMP_ECHOREPLY ||
icmp->icmp_type == ICMP_ECHO)
switch (icmp->icmp_type)
{
case ICMP_ECHOREPLY :
case ICMP_ECHO :
/* Router discovery messages - RFC 1256 */
case ICMP_ROUTERADVERT :
case ICMP_ROUTERSOLICIT :
minicmpsz = ICMP_MINLEN;
break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) +
* 3*timestamp(3*4)
*/
else if (icmp->icmp_type == ICMP_TSTAMP ||
icmp->icmp_type == ICMP_TSTAMPREPLY)
case ICMP_TSTAMP :
case ICMP_TSTAMPREPLY :
minicmpsz = 20;
break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) +
* mask(4)
*/
else if (icmp->icmp_type == ICMP_MASKREQ ||
icmp->icmp_type == ICMP_MASKREPLY)
case ICMP_MASKREQ :
case ICMP_MASKREPLY :
minicmpsz = 12;
break;
default :
break;
}
}
if ((!(plen >= hlen + minicmpsz) && !off) ||
@ -522,7 +525,7 @@ fr_info_t *fin;
* satisfy the "short" class too).
*/
if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
if (fin->fin_fi.fi_fl & FI_SHORT)
if (fin->fin_fl & FI_SHORT)
return !(ft->ftu_tcpf | ft->ftu_tcpfm);
/*
* Match the flags ? If not, abort this match.
@ -557,10 +560,7 @@ void *m;
fin->fin_fr = NULL;
fin->fin_rule = 0;
fin->fin_group = 0;
if (fin->fin_v == 4)
off = ip->ip_off & IP_OFFMASK;
else
off = 0;
off = fin->fin_off;
pass |= (fi->fi_fl << 24);
if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
@ -787,7 +787,7 @@ int out;
mb_t *mc = NULL;
# if !defined(__SVR4) && !defined(__svr4__)
# ifdef __sgi
char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
char hbuf[128];
# endif
int up;
@ -812,6 +812,9 @@ int out;
# ifdef USE_INET6
if (v == 6) {
len = ntohs(((ip6_t*)ip)->ip6_plen);
if (!len)
return -1; /* potential jumbo gram */
len += sizeof(ip6_t);
p = ((ip6_t *)ip)->ip6_nxt;
} else
# endif
@ -820,7 +823,8 @@ int out;
len = ip->ip_len;
}
if ((p == IPPROTO_TCP || p == IPPROTO_UDP || p == IPPROTO_ICMP
if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
(v == 4 && p == IPPROTO_ICMP)
# ifdef USE_INET6
|| (v == 6 && p == IPPROTO_ICMPV6)
# endif
@ -889,13 +893,6 @@ int out;
# endif
#endif /* _KERNEL */
/*
* Be careful here: ip_id is in network byte order when called
* from ip_output()
*/
if ((out) && (v == 4))
ip->ip_id = ntohs(ip->ip_id);
changed = 0;
fin->fin_ifp = ifp;
fin->fin_v = v;
@ -940,15 +937,12 @@ int out;
}
#endif
pass = fr_pass;
if (fin->fin_fi.fi_fl & FI_SHORT) {
if (fin->fin_fl & FI_SHORT) {
ATOMIC_INCL(frstats[out].fr_short);
}
READ_ENTER(&ipf_mutex);
if (fin->fin_fi.fi_fl & FI_SHORT)
ATOMIC_INCL(frstats[out].fr_short);
/*
* Check auth now. This, combined with the check below to see if apass
* is 0 is to ensure that we don't count the packet twice, which can
@ -972,8 +966,18 @@ int out;
}
}
if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
!(fr = fr_checkstate(ip, fin)))) {
if (!apass) {
if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
fr = ipfr_knownfrag(ip, fin);
if (!fr && !(fin->fin_fl & FI_SHORT))
fr = fr_checkstate(ip, fin);
if (fr != NULL)
pass = fr->fr_flags;
if (fr && (pass & FR_LOGFIRST))
pass &= ~(FR_LOGFIRST|FR_LOG);
}
if (apass || !fr) {
/*
* If a packet is found in the auth table, then skip checking
* the access lists for permission but we do need to consider
@ -1008,22 +1012,26 @@ int out;
ATOMIC_INCL(frstats[out].fr_nom);
}
}
fr = fin->fin_fr;
} else
pass = apass;
fr = fin->fin_fr;
/*
* If we fail to add a packet to the authorization queue,
* then we drop the packet later. However, if it was added
* then pretend we've dropped it already.
*/
if ((pass & FR_AUTH))
if (fr_newauth((mb_t *)m, fin, ip) != 0)
if ((pass & FR_AUTH)) {
if (fr_newauth((mb_t *)m, fin, ip) != 0) {
#ifdef _KERNEL
m = *mp = NULL;
#else
;
#endif
error = 0;
} else
error = ENOSPC;
}
if (pass & FR_PREAUTH) {
READ_ENTER(&ipf_auth);
@ -1038,7 +1046,7 @@ int out;
fin->fin_fr = fr;
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_fi.fi_fl & FI_FRAG) {
if (fin->fin_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1) {
ATOMIC_INCL(frstats[out].fr_bnfr);
} else {
@ -1116,9 +1124,6 @@ int out;
}
#endif /* IPFILTER_LOG */
if ((out) && (v == 4))
ip->ip_id = htons(ip->ip_id);
#ifdef _KERNEL
/*
* Only allow FR_DUP to work if a rule matched - it makes no sense to
@ -1160,7 +1165,7 @@ int out;
send_icmp_err(ip, ICMP_UNREACH, fin, dst);
ATOMIC_INCL(frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
!(fin->fin_fl & FI_SHORT)) {
if (send_reset(ip, fin) == 0) {
ATOMIC_INCL(frstats[1].fr_ret);
}
@ -1173,7 +1178,7 @@ int out;
verbose("- forged ICMP unreachable sent\n");
ATOMIC_INCL(frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
!(fin->fin_fl & FI_SHORT)) {
verbose("- TCP RST sent\n");
ATOMIC_INCL(frstats[1].fr_ret);
}
@ -1202,15 +1207,17 @@ int out;
frdest_t *fdp = &fr->fr_tif;
if (((pass & FR_FASTROUTE) && !out) ||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
if (ipfr_fastroute(m, fin, fdp) == 0)
m = *mp = NULL;
}
if (mc)
ipfr_fastroute(mc, fin, &fr->fr_dif);
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
(void) ipfr_fastroute(m, mp, fin, fdp);
if (mc != NULL)
(void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
}
if (!(pass & FR_PASS) && m)
if (!(pass & FR_PASS) && m) {
m_freem(m);
m = *mp = NULL;
}
# ifdef __sgi
else if (changed && up && m)
m_copyback(m, 0, up, hbuf);
@ -1221,12 +1228,11 @@ int out;
frdest_t *fdp = &fr->fr_tif;
if (((pass & FR_FASTROUTE) && !out) ||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
if (ipfr_fastroute(ip, m, mp, fin, fdp) == 0)
m = *mp = NULL;
}
if (mc)
ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif);
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
(void) ipfr_fastroute(ip, m, mp, fin, fdp);
if (mc != NULL)
(void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
}
# endif /* !SOLARIS */
return (pass & FR_PASS) ? 0 : error;
@ -1458,7 +1464,7 @@ tcphdr_t *tcp;
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $
* $Id: fil.c,v 2.35.2.39 2001/07/18 13:30:32 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -1907,7 +1913,7 @@ void frsync()
ip_statesync(ifp);
}
ip_natsync((struct ifnet *)-1);
# endif
# endif /* !SOLARIS */
WRITE_ENTER(&ipf_mutex);
frsynclist(ipacct[0][fr_active]);
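Review bot: The new jumbogram guard in fr_check, `if (!len) return -1; /* potential jumbo gram */`, leaves the packet's ownership ambiguous: the function's other drop path later in the same hunk series does `m_freem(m); m = *mp = NULL;` before returning, while this early return neither frees `m` nor clears `*mp`, so whether a zero-length-payload IPv6 packet leaks or is double-freed depends on how each platform hook treats a non-zero return, which is outside this hunk. The rest of the function also computes `error` and returns `(pass & FR_PASS) ? 0 : error`, so `-1` is a different kind of status than the `ENOSPC`-style values returned elsewhere. I would make the contract explicit at that line, e.g. `if (!len) return -1; /* IPv6 jumbogram (payload length 0) is not supported: caller still owns *mp, nothing freed here */`, or, if the callers expect the packet consumed on failure, route it through the same free-and-null sequence as the FR_PASS-clear path. fr_check begins and ends outside the visible hunks, so the initial value of `fr` relied on by the new `if (!apass) { ... }` state/fragment lookup could not be confirmed from here either.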


@ -1,12 +1,16 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# include <osreldate.h>
#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#include <stdio.h>
#include <string.h>
@ -25,10 +29,6 @@
#include <fcntl.h>
#include <stddef.h>
#include <nlist.h>
#ifdef STATETOP
#include <ctype.h>
#include <ncurses.h>
#endif
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
@ -56,8 +56,17 @@
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
#ifdef STATETOP
#include "netinet/ipl.h"
#endif
# include "netinet/ipl.h"
# include <ctype.h>
# if SOLARIS
# ifdef ERR
# undef ERR
# endif
# include <curses.h>
# else /* SOLARIS */
# include <ncurses.h>
# endif /* SOLARIS */
#endif /* STATETOP */
#include "kmem.h"
#if defined(__NetBSD__) || (__OpenBSD__)
# include <paths.h>
@ -65,10 +74,11 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.17 2001/07/19 12:24:09 darrenr Exp $";
#endif
extern char *optarg;
extern int optind;
#define PRINTF (void)printf
#define FPRINTF (void)fprintf
@ -86,6 +96,7 @@ int use_inet6 = 0;
#ifdef STATETOP
#define STSTRSIZE 80
#define STGROWSIZE 16
#define HOSTNMLEN 40
#define STSORT_PR 0
#define STSORT_PKTS 1
@ -128,6 +139,9 @@ static int sort_pkts __P((const void *, const void *));
static int sort_bytes __P((const void *, const void *));
static int sort_ttl __P((const void *, const void *));
#endif
#if SOLARIS
void showqiflist __P((char *));
#endif
static char *hostname(v, ip)
int v;
@ -160,7 +174,11 @@ char *name;
#else
fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
#endif
fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
fprintf(stderr, "\t\t[-M corefile]");
#if SOLARIS
fprintf(stderr, " [-N symbol-list]");
#endif
fprintf(stderr, "\n %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
exit(1);
}
@ -177,8 +195,11 @@ char *argv[];
ips_stat_t *ipsstp = &ipsst;
ipfrstat_t ifrst;
ipfrstat_t *ifrstp = &ifrst;
char *name = NULL, *device = IPL_NAME;
int c, fd;
char *name = NULL, *device = IPL_NAME, *memf = NULL;
#if SOLARIS
char *kern = NULL;
#endif
int c, fd, myoptind;
struct protoent *proto;
int protocol = -1; /* -1 = wild card for any protocol */
@ -190,13 +211,50 @@ char *argv[];
saddr.s_addr = INADDR_ANY; /* default any source addr */
daddr.s_addr = INADDR_ANY; /* default any dest addr */
if (openkmem() == -1)
/*
* Parse these two arguments now lest there be any buffer overflows
* in the parsing of the rest.
*/
myoptind = optind;
#if SOLARIS
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
#else
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1)
#endif
switch (c)
{
case 'M' :
memf = optarg;
break;
#if SOLARIS
case 'N' :
kern = optarg;
break;
#endif
}
optind = myoptind;
#if SOLARIS
if (kern != NULL || memf != NULL)
#else
if (memf != NULL)
#endif
{
(void)setuid(getuid());
(void)setgid(getgid());
}
if (openkmem(memf) == -1)
exit(-1);
(void)setuid(getuid());
(void)setgid(getgid());
while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:P:S:T:")) != -1)
#if SOLARIS
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
#else
while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:M:P:S:T:")) != -1)
#endif
{
switch (c)
{
@ -207,8 +265,7 @@ char *argv[];
#endif
case 'a' :
opts |= OPT_ACCNT|OPT_SHOWLIST;
break;
case 'A' :
break; case 'A' :
device = IPAUTH_NAME;
opts |= OPT_AUTHSTATS;
break;
@ -239,6 +296,10 @@ char *argv[];
case 'l' :
opts |= OPT_SHOWLIST;
break;
case 'M' :
break;
case 'N' :
break;
case 'n' :
opts |= OPT_SHOWLINENO;
break;
@ -255,6 +316,12 @@ char *argv[];
exit(-2);
}
break;
#if SOLARIS
case 'q' :
showqiflist(kern);
exit(0);
break;
#endif
case 's' :
opts |= OPT_IPSTATES;
break;
@ -653,13 +720,52 @@ ips_stat_t *ipsp;
PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
ips.is_secmsk, ips.is_sec, ips.is_authmsk,
ips.is_auth);
PRINTF("interfaces: in %s[%p] ",
PRINTF("\tinterfaces: in %s[%p] ",
get_ifname(ips.is_ifpin), ips.is_ifpin);
PRINTF("out %s[%p]\n",
get_ifname(ips.is_ifpout), ips.is_ifpout);
}
}
#if SOLARIS
void showqiflist(kern)
char *kern;
{
struct nlist qifnlist[2] = {
{ "qif_head" },
{ NULL }
};
qif_t qif, *qf;
if (kern == NULL)
kern = "/dev/ksyms";
if (nlist(kern, qifnlist) == -1) {
fprintf(stderr, "nlist error\n");
return;
}
printf("List of interfaces bound by IPFilter:\n");
if (kmemcpy((char *)&qf, (u_long)qifnlist[0].n_value, sizeof(qf)))
return;
while (qf) {
if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
break;
printf("\tName: %-8s Header Length: %2d SAP: %s (%04x)\n",
qif.qf_name, qif.qf_hl,
#ifdef IP6_DL_SAP
(qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
#else
"IPv4"
#endif
, qif.qf_sap);
qf = qif.qf_next;
}
}
#endif
#ifdef STATETOP
static void topipstates(fd, saddr, daddr, sport, dport, protocol,
refreshtime, topclosed)
@ -679,9 +785,10 @@ int topclosed;
ips_stat_t ipsst, *ipsstp = &ipsst;
statetop_t *tstable = NULL, *tp;
struct timeval selecttimeout;
char hostnm[HOSTNMLEN];
struct protoent *proto;
fd_set readfd;
char c = '\0';
int c = 0;
time_t t;
/* open state device */
@ -694,7 +801,10 @@ int topclosed;
initscr();
cbreak();
noecho();
nodelay(stdscr, 1);
/* init hostname */
gethostname(hostnm, sizeof(hostnm) - 1);
hostnm[sizeof(hostnm) - 1] = '\0';
/* repeat until user aborts */
while ( 1 ) {
@ -799,8 +909,8 @@ int topclosed;
attron(A_BOLD);
winx = 0;
move(winx,0);
sprintf(str1, "%s - state top", IPL_VERSION);
for(j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
printw(" ");
printw("%s", str1);
attroff(A_BOLD);
@ -873,7 +983,9 @@ int topclosed;
if (reverse)
tp += tsentry;
for(i = 0; i <= tsentry; i++) {
if (tsentry > maxy - 6)
tsentry = maxy - 6;
for (i = 0; i <= tsentry; i++) {
/* print src/dest and port */
if ((tp->st_p == IPPROTO_TCP) ||
(tp->st_p == IPPROTO_UDP)) {
@ -938,22 +1050,25 @@ int topclosed;
select(1, &readfd, NULL, NULL, &selecttimeout);
/* if key pressed, read all waiting keys */
if (FD_ISSET(0, &readfd))
while ((c = wgetch(stdscr)) != ERR) {
if (tolower(c) == 'l') {
redraw = 1;
} else if (tolower(c) == 'q') {
nocbreak();
endwin();
exit(0);
} else if (tolower(c) == 'r') {
reverse = !reverse;
} else if (tolower(c) == 's') {
sorting++;
if (sorting > STSORT_MAX)
sorting = 0;
}
if (FD_ISSET(0, &readfd)) {
c = wgetch(stdscr);
if (c == ERR)
continue;
if (tolower(c) == 'l') {
redraw = 1;
} else if (tolower(c) == 'q') {
nocbreak();
endwin();
exit(0);
} else if (tolower(c) == 'r') {
reverse = !reverse;
} else if (tolower(c) == 's') {
sorting++;
if (sorting > STSORT_MAX)
sorting = 0;
}
}
} /* while */
close(sfd);
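Review bot: The privilege drop in main() is now conditional: `setuid(getuid())`/`setgid(getgid())` run only when `-M` or `-N` names a user-supplied core or symbol file, and the unconditional drop that previously followed `openkmem()` appears only on what looks like the old side of this hunk, so a setgid-kmem or setuid ipfstat invoked without those options would keep its elevated credentials through option parsing, the nlist()/kmemcpy() readers and the curses loop, which it did not before. The early drop for `-M`/`-N` is the right idea, since it stops a privileged binary from reading an arbitrary path as root, but it should be in addition to, not instead of, the drop after the kmem descriptor is open; the returns are also discarded, so a failed drop continues silently. I would restore and check it right after the open, `if (openkmem(memf) == -1) exit(-1);` followed by `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("drop privileges"); exit(1); }`, dropping group before user so the group change cannot be refused after the uid change. Separately, `sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION)` in topipstates now writes an up-to-39-byte hostname plus the version into a fixed `str1`; as far as the hunk shows that fits, but `snprintf(str1, sizeof(str1), ...)` would keep it from depending on STSTRSIZE arithmetic. main() and topipstates both extend beyond the visible hunks.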


@ -52,10 +52,20 @@
* -
* --Copyright--
*/
#ifdef __STDC__
# ifndef __P
# define __P(x) x
# endif
#else
# undef __P
# define __P(x) ()
# undef const
# define const
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1 1999/08/04 17:29:54 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.1 2001/07/15 22:06:14 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@ -63,13 +73,6 @@ static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1 1999/08/04 17:29:54 darr
#include <arpa/inet.h>
#include <ctype.h>
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
int inet_aton __P((const char *, struct in_addr *));
/*


@ -1,14 +1,8 @@
/*
* Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij.
* Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $";
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@ -77,7 +71,7 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 d
#endif
#include <netinet/tcp.h>
#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
extern struct ifqueue ipintrq; /* ip packet input queue */
extern struct ifqueue ipintrq; /* ip packet input queue */
#else
# ifndef linux
# if __FreeBSD_version >= 300000
@ -107,10 +101,13 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
# endif
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $";
#endif
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern KRWLOCK_T ipf_auth;
extern KRWLOCK_T ipf_auth, ipf_mutex;
extern kmutex_t ipf_authmx;
# if SOLARIS
extern kcondvar_t ipfauthwait;
@ -129,7 +126,8 @@ static frauth_t fr_auth[FR_NUMAUTH];
mb_t *fr_authpkts[FR_NUMAUTH];
static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
static frauthent_t *fae_list = NULL;
frentry_t *ipauth = NULL;
frentry_t *ipauth = NULL,
*fr_authlist = NULL;
/*
@ -142,10 +140,12 @@ ip_t *ip;
fr_info_t *fin;
{
u_short id = ip->ip_id;
frentry_t *fr;
frauth_t *fra;
u_32_t pass;
int i;
if (fr_auth_lock)
if (fr_auth_lock || !fr_authused)
return 0;
READ_ENTER(&ipf_auth);
@ -155,24 +155,54 @@ fr_info_t *fin;
* case the same packet gets sent again and it hasn't yet been
* auth'd.
*/
if ((fr_auth[i].fra_index == -2) &&
(id == fr_auth[i].fra_info.fin_id) &&
!bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
fra = fr_auth + i;
if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
!bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
/*
* Avoid feedback loop.
*/
if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
pass = FR_BLOCK;
/*
* Create a dummy rule for the stateful checking to
* use and return. Zero out any values we don't
* trust from userland!
*/
if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
(fin->fin_fi.fi_fl & FI_FRAG))) {
KMALLOC(fr, frentry_t *);
if (fr) {
bcopy((char *)fra->fra_info.fin_fr,
fr, sizeof(*fr));
fr->fr_grp = NULL;
fr->fr_ifa = fin->fin_ifp;
fr->fr_func = NULL;
fr->fr_ref = 1;
fr->fr_flags = pass;
#if BSD >= 199306
fr->fr_oifa = NULL;
#endif
}
} else
fr = fra->fra_info.fin_fr;
fin->fin_fr = fr;
RWLOCK_EXIT(&ipf_auth);
WRITE_ENTER(&ipf_auth);
if (fr && fr != fra->fra_info.fin_fr) {
fr->fr_next = fr_authlist;
fr_authlist = fr;
}
fr_authstats.fas_hits++;
fr_auth[i].fra_index = -1;
fra->fra_index = -1;
fr_authused--;
if (i == fr_authstart) {
while (fr_auth[i].fra_index == -1) {
while (fra->fra_index == -1) {
i++;
if (i == FR_NUMAUTH)
fra++;
if (i == FR_NUMAUTH) {
i = 0;
fra = fr_auth;
}
fr_authstart = i;
if (i == fr_authend)
break;
@ -208,6 +238,7 @@ ip_t *ip;
#if defined(_KERNEL) && SOLARIS
qif_t *qif = fin->fin_qif;
#endif
frauth_t *fra;
int i;
if (fr_auth_lock)
@ -219,7 +250,7 @@ ip_t *ip;
RWLOCK_EXIT(&ipf_auth);
return 0;
} else {
if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
if (fr_authused == FR_NUMAUTH) {
fr_authstats.fas_nospace++;
RWLOCK_EXIT(&ipf_auth);
return 0;
@ -232,51 +263,48 @@ ip_t *ip;
if (fr_authend == FR_NUMAUTH)
fr_authend = 0;
RWLOCK_EXIT(&ipf_auth);
fr_auth[i].fra_index = i;
fr_auth[i].fra_pass = 0;
fr_auth[i].fra_age = fr_defaultauthage;
bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
#if !defined(sparc) && !defined(m68k)
fra = fr_auth + i;
fra->fra_index = i;
fra->fra_pass = 0;
fra->fra_age = fr_defaultauthage;
bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
#if SOLARIS && defined(_KERNEL)
# if !defined(sparc)
/*
* No need to copyback here as we want to undo the changes, not keep
* them.
*/
# if SOLARIS && defined(_KERNEL)
if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
# endif
{
register u_short bo;
bo = ip->ip_len;
ip->ip_len = htons(bo);
# if !SOLARIS && !defined(__NetBSD__)
/* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
bo = ip->ip_id;
ip->ip_id = htons(bo);
# endif
bo = ip->ip_off;
ip->ip_off = htons(bo);
}
#endif
#if SOLARIS && defined(_KERNEL)
# endif
m->b_rptr -= qif->qf_off;
fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
fr_auth[i].fra_q = qif->qf_q;
fra->fra_q = qif->qf_q;
cv_signal(&ipfauthwait);
#else
fr_authpkts[i] = m;
# if defined(linux) && defined(_KERNEL)
wake_up_interruptible(&ipfauthwait);
# else
WAKEUP(&fr_authnext);
# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
if (!fin->fin_out) {
HTONS(ip->ip_len);
HTONS(ip->ip_off);
}
# endif
fr_authpkts[i] = m;
WAKEUP(&fr_authnext);
#endif
return 1;
}
int fr_auth_ioctl(data, cmd, fr, frptr)
int fr_auth_ioctl(data, mode, cmd, fr, frptr)
caddr_t data;
int mode;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
u_long cmd;
#else
@ -287,8 +315,9 @@ frentry_t *fr, **frptr;
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
struct ifqueue *ifq;
int s;
#endif
frauth_t auth, *au = &auth;
frauth_t auth, *au = &auth, *fra;
frauthent_t *fae, **faep;
int i, error = 0;
@ -313,21 +342,26 @@ frentry_t *fr, **frptr;
else
faep = &fae->fae_next;
if (cmd == SIOCRMAFR) {
if (!fae)
if (!fr || !frptr)
error = EINVAL;
else if (!fae)
error = ESRCH;
else {
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
*faep = fae->fae_next;
*frptr = fr->fr_next;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
} else {
} else if (fr && frptr) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
@ -335,10 +369,12 @@ frentry_t *fr, **frptr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
}
} else
error = EINVAL;
break;
case SIOCATHST:
READ_ENTER(&ipf_auth);
@ -348,6 +384,10 @@ frentry_t *fr, **frptr;
sizeof(fr_authstats));
break;
case SIOCAUTHW:
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
fr_authioctlloop:
READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
@ -357,9 +397,11 @@ frentry_t *fr, **frptr;
if (error)
break;
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
fr_authnext++;
if (fr_authnext == FR_NUMAUTH)
fr_authnext = 0;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
return 0;
}
@ -372,55 +414,62 @@ frentry_t *fr, **frptr;
}
mutex_exit(&ipf_authmx);
# else
# ifdef linux
interruptible_sleep_on(&ipfauthwait);
if (current->signal & ~current->blocked)
error = -EINTR;
# else
error = SLEEP(&fr_authnext, "fr_authnext");
# endif
# endif
#endif
RWLOCK_EXIT(&ipf_auth);
if (!error)
goto fr_authioctlloop;
break;
case SIOCAUTHR:
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
if (error)
return error;
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
i = au->fra_index;
fra = fr_auth + i;
if ((i < 0) || (i > FR_NUMAUTH) ||
(fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
(fra->fra_info.fin_id != au->fra_info.fin_id)) {
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
return EINVAL;
}
m = fr_authpkts[i];
fr_auth[i].fra_index = -2;
fr_auth[i].fra_pass = au->fra_pass;
fra->fra_index = -2;
fra->fra_pass = au->fra_pass;
fr_authpkts[i] = NULL;
#ifdef _KERNEL
RWLOCK_EXIT(&ipf_auth);
# ifndef linux
#ifdef _KERNEL
if (m && au->fra_info.fin_out) {
# if SOLARIS
error = fr_qout(fr_auth[i].fra_q, m);
# else /* SOLARIS */
# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__)
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
# if SOLARIS
error = fr_qout(fra->fra_q, m);
# else /* SOLARIS */
struct route ro;
bzero((char *)&ro, sizeof(ro));
# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
defined(__OpenBSD__)
error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
NULL);
# else
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
# endif
# endif /* SOLARIS */
# else
error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
# endif
if (ro.ro_rt) {
RTFREE(ro.ro_rt);
}
# endif /* SOLARIS */
if (error)
fr_authstats.fas_sendfail++;
else
fr_authstats.fas_sendok++;
} else if (m) {
# if SOLARIS
error = fr_qin(fr_auth[i].fra_q, m);
error = fr_qin(fra->fra_q, m);
# else /* SOLARIS */
ifq = &ipintrq;
if (IF_QFULL(ifq)) {
@ -438,7 +487,6 @@ frentry_t *fr, **frptr;
fr_authstats.fas_queok++;
} else
error = EINVAL;
# endif
# if SOLARIS
if (error)
error = EINVAL;
@ -449,10 +497,10 @@ frentry_t *fr, **frptr;
*/
if (error == ENOBUFS) {
fr_authused--;
fr_auth[i].fra_index = -1;
fr_auth[i].fra_pass = 0;
fra->fra_index = -1;
fra->fra_pass = 0;
if (i == fr_authstart) {
while (fr_auth[i].fra_index == -1) {
while (fra->fra_index == -1) {
i++;
if (i == FR_NUMAUTH)
i = 0;
@ -468,6 +516,7 @@ frentry_t *fr, **frptr;
}
# endif
#endif /* _KERNEL */
SPL_X(s);
break;
default :
error = EINVAL;
@ -485,6 +534,7 @@ void fr_authunload()
{
register int i;
register frauthent_t *fae, **faep;
frentry_t *fr, **frp;
mb_t *m;
WRITE_ENTER(&ipf_auth);
@ -503,6 +553,26 @@ void fr_authunload()
}
ipauth = NULL;
RWLOCK_EXIT(&ipf_auth);
if (fr_authlist) {
/*
* We *MuST* reget ipf_auth because otherwise we won't get the
* locks in the right order and risk deadlock.
* We need ipf_mutex here to prevent a rule from using it
* inside fr_check().
*/
WRITE_ENTER(&ipf_mutex);
WRITE_ENTER(&ipf_auth);
for (frp = &fr_authlist; (fr = *frp); ) {
if (fr->fr_ref == 1) {
*frp = fr->fr_next;
KFREE(fr);
} else
frp = &fr->fr_next;
}
RWLOCK_EXIT(&ipf_auth);
RWLOCK_EXIT(&ipf_mutex);
}
}
@ -515,6 +585,7 @@ void fr_authexpire()
register int i;
register frauth_t *fra;
register frauthent_t *fae, **faep;
register frentry_t *fr, **frp;
mb_t *m;
#if !SOLARIS
int s;
@ -544,6 +615,14 @@ void fr_authexpire()
faep = &fae->fae_next;
}
ipauth = &fae_list->fae_fr;
for (frp = &fr_authlist; (fr = *frp); ) {
if (fr->fr_ref == 1) {
*frp = fr->fr_next;
KFREE(fr);
} else
frp = &fr->fr_next;
}
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}


@ -1,11 +1,9 @@
/*
* Copyright (C) 1997-2000 by Darren Reed & Guido Van Rooij.
* Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ip_auth.h,v 2.3.2.2 2000/10/19 15:38:44 darrenr Exp $
* $Id: ip_auth.h,v 2.3.2.4 2001/07/18 14:57:08 darrenr Exp $
*
*/
#ifndef __IP_AUTH_H__
@ -55,8 +53,8 @@ extern void fr_authunload __P((void));
extern mb_t *fr_authpkts[];
extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__)
extern int fr_auth_ioctl __P((caddr_t, u_long, frentry_t *, frentry_t **));
extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **));
#else
extern int fr_auth_ioctl __P((caddr_t, int, frentry_t *, frentry_t **));
extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **));
#endif
#endif /* __IP_AUTH_H__ */
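Review bot: The new second parameter of fr_auth_ioctl is undocumented in both prototypes; from the definition in ip_auth.c on this page it is the device open mode that the SIOCAUTHW and SIOCAUTHR cases test for FWRITE before acting, so a comment such as `/* (data, mode = open flags, FWRITE needed for SIOCAUTHW/SIOCAUTHR, cmd, rule, rule list head) */` above the `#if` would spare the reader a trip to the .c file. The guard here names only NetBSD and OpenBSD while the definition tests `FreeBSD_version >= 300003` as well (spelled without the leading underscores, so it presumably evaluates to 0 and never selects u_long); keeping the two conditions textually identical is the only way to make sure the u_long/int choice for cmd cannot diverge later.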


@ -1,12 +1,10 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
* $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $
* $Id: ip_compat.h,v 2.26.2.17 2001/07/23 04:22:48 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@ -27,6 +25,9 @@
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
#if SOLARIS && !defined(SOLARIS2)
# define SOLARIS2 4 /* Pick an old version */
#endif
#if SOLARIS2 >= 8
# ifndef USE_INET6
# define USE_INET6
@ -119,10 +120,34 @@ struct ether_addr {
# define V4_PART_OF_V6(v6) v6.s6_addr32[3]
# endif
# endif
#else
typedef struct qif {
struct qif *qf_next;
ill_t *qf_ill;
kmutex_t qf_lock;
void *qf_iptr;
void *qf_optr;
queue_t *qf_in;
queue_t *qf_out;
struct qinit *qf_wqinfo;
struct qinit *qf_rqinfo;
struct qinit qf_wqinit;
struct qinit qf_rqinit;
mblk_t *qf_m; /* These three fields are for passing data up from */
queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
size_t qf_off;
size_t qf_len; /* this field is used for in ipfr_fastroute */
char qf_name[8];
/*
* in case the ILL has disappeared...
*/
size_t qf_hl; /* header length */
int qf_sap;
} qif_t;
#else /* SOLARIS */
# if !defined(__sgi)
typedef int minor_t;
#endif
# endif
#endif /* SOLARIS */
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
@ -264,10 +289,26 @@ union i6addr {
#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
# ifdef IPFILTER_LKM
# include <osreldate.h>
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# else
# include <sys/param.h>
# endif
# endif
# define ACTUALLY_LKM_NOT_KERNEL
# else
# include <sys/osreldate.h>
# ifndef __FreeBSD_cc_version
# include <sys/osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <sys/osreldate.h>
# else
# include <sys/param.h>
# endif
# endif
# endif
# if __FreeBSD__ < 3
# include <machine/spl.h>
@ -325,6 +366,7 @@ typedef struct {
# define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1)
# define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1)
# else
# define IRE_CACHE IRE_ROUTE
# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
mutex_exit(&ipf_rw); }
# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
@ -374,29 +416,6 @@ typedef struct {
# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
# define GET_MINOR(x) getminor(x)
typedef struct qif {
struct qif *qf_next;
ill_t *qf_ill;
kmutex_t qf_lock;
void *qf_iptr;
void *qf_optr;
queue_t *qf_in;
queue_t *qf_out;
struct qinit *qf_wqinfo;
struct qinit *qf_rqinfo;
struct qinit qf_wqinit;
struct qinit qf_rqinit;
mblk_t *qf_m; /* These three fields are for passing data up from */
queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
size_t qf_off;
size_t qf_len; /* this field is used for in ipfr_fastroute */
char qf_name[8];
/*
* in case the ILL has disappeared...
*/
size_t qf_hl; /* header length */
int qf_sap;
} qif_t;
extern ill_t *get_unit __P((char *, int));
# define GETUNIT(n, v) get_unit(n, v)
# define IFNAME(x) ((ill_t *)x)->ill_name
@ -452,7 +471,9 @@ extern ill_t *get_unit __P((char *, int));
(defined(OpenBSD) && (OpenBSD >= 199603))
# define IFNAME(x) ((struct ifnet *)x)->if_xname
# else
# define IFNAME(x) ((struct ifnet *)x)->if_name
# define USE_GETIFNAME 1
# define IFNAME(x) get_ifname((struct ifnet *)x)
extern char *get_ifname __P((struct ifnet *));
# endif
# endif
# endif /* sun */
@ -508,7 +529,8 @@ extern vm_map_t kmem_map;
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
# define WAKEUP(id) wakeup(id)
# endif /* BSD */
# if defined(NetBSD) && NetBSD <= 1991011 && NetBSD >= 199407
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \
(defined(OpenBSD) && (OpenBSD >= 200006))
# define SPL_NET(x) x = splsoftnet()
# define SPL_X(x) (void) splx(x)
# else
@ -517,7 +539,7 @@ extern vm_map_t kmem_map;
# define SPL_NET(x) x = splnet()
# define SPL_X(x) (void) splx(x)
# endif
# endif /* NetBSD && NetBSD <= 1991011 && NetBSD >= 199407 */
# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
# define PANIC(x,y) if (x) panic y
#else /* KERNEL */
# define SLEEP(x,y) ;
@ -576,7 +598,6 @@ typedef struct mbuf mb_t;
# endif
#endif /* SOLARIS */
#if defined(linux) || defined(__sgi)
/*
* These #ifdef's are here mainly for linux, but who knows, they may
* not be in other places or maybe one day linux will grow up and some
@ -615,6 +636,9 @@ typedef struct mbuf mb_t;
#ifndef ICMP_MASKREPLY
# define ICMP_MASKREPLY ICMP_ADDRESSREPLY
#endif
#ifndef ICMP_PARAMPROB_OPTABSENT
# define ICMP_PARAMPROB_OPTABSENT 1
#endif
#ifndef IPVERSION
# define IPVERSION 4
#endif
@ -702,7 +726,6 @@ typedef struct mbuf mb_t;
#ifndef IPOPT_OLEN
# define IPOPT_OLEN 1
#endif
#endif /* linux || __sgi */
#ifdef linux
#include <linux/in_systm.h>
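Review bot: With USE_GETIFNAME set, IFNAME(x) now expands to a call to get_ifname(), whose definition in ip_fil.c on this page formats into one static 64-byte buffer and returns it, so two IFNAME() results alive at the same time (two interface names in a single log line, or a second caller on another CPU or interrupt context) overwrite each other; the macro should carry a comment such as `/* get_ifname() returns a shared static buffer; copy it before a second IFNAME() */`, or get_ifname should write into a caller-supplied buffer. Separately, the `#endif` trailer closing the SPL_NET block still reads `NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407)` although the opening condition now also covers `OpenBSD >= 200006`; adding `|| (OpenBSD >= 200006)` to the trailer keeps the two in step.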


@ -1,15 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.17 2000/10/19 15:39:42 darrenr Exp $";
#endif
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
@ -118,6 +111,11 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.17 2000/10/19 15:39:42 d
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.34 2001/07/23 13:49:57 darrenr Exp $";
#endif
extern struct protosw inetsw[];
@ -131,7 +129,11 @@ extern int tcp_ttl;
# endif
#endif
#ifdef ICMP_UNREACH_FILTER_PROHIB
int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
#else
int ipl_unreach = ICMP_UNREACH_FILTER;
#endif
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
@ -171,6 +173,10 @@ struct callout_handle ipfr_slowtimer_ch;
# include <sys/callout.h>
struct callout ipfr_slowtimer_ch;
#endif
#if defined(__OpenBSD__)
# include <sys/timeout.h>
struct timeout ipfr_slowtimer_ch;
#endif
#if defined(__sgi) && defined(_KERNEL)
toid_t ipfr_slowtimer_ch;
#endif
@ -246,12 +252,18 @@ int iplattach()
# ifdef IPFILTER_LOG
ipflog_init();
# endif
if (nat_init() == -1)
return -1;
if (fr_stateinit() == -1)
return -1;
if (appr_init() == -1)
return -1;
if (nat_init() == -1) {
SPL_X(s);
return EIO;
}
if (fr_stateinit() == -1) {
SPL_X(s);
return EIO;
}
if (appr_init() == -1) {
SPL_X(s);
return EIO;
}
# ifdef NETBSD_PF
# if __NetBSD_Version__ >= 104200000
@ -261,6 +273,7 @@ int iplattach()
# ifdef USE_INET6
goto pfil_error;
# else
SPL_X(s);
appr_unload();
ip_natunload();
fr_stateunload();
@ -277,6 +290,7 @@ int iplattach()
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
pfil_error:
SPL_X(s);
appr_unload();
ip_natunload();
fr_stateunload();
@ -321,10 +335,15 @@ int iplattach()
callout_init(&ipfr_slowtimer_ch);
callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
# else
# if (__FreeBSD_version >= 300000) || defined(__sgi)
ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
# if defined(__OpenBSD__)
timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL);
timeout_add(&ipfr_slowtimer_ch, hz/2);
# else
# if (__FreeBSD_version >= 300000) || defined(__sgi)
ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
# else
timeout(ipfr_slowtimer, NULL, hz/2);
# endif
# endif
# endif
#endif
@ -353,8 +372,12 @@ int ipldetach()
# ifdef __sgi
untimeout(ipfr_slowtimer_ch);
# else
# if defined(__OpenBSD__)
timeout_del(&ipfr_slowtimer_ch);
# else
untimeout(ipfr_slowtimer, NULL);
# endif
# endif /* OpenBSD */
# endif /* __sgi */
# endif /* FreeBSD */
# endif /* NetBSD */
#endif
@ -376,16 +399,20 @@ int ipldetach()
# if __NetBSD_Version__ >= 104200000
error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
if (error)
if (error) {
SPL_X(s);
return error;
}
# else
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
# endif
# ifdef USE_INET6
error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
if (error)
if (error) {
SPL_X(s);
return error;
}
# endif
# endif
@ -489,8 +516,9 @@ int mode;
}
if (unit == IPL_LOGAUTH) {
if (!fr_running)
return EIO;
error = fr_auth_ioctl(data, cmd, NULL, NULL);
error = EIO;
else
error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
SPL_X(s);
return error;
}
@ -564,7 +592,7 @@ int mode;
fr_getstat(&fio);
error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
if (error)
return EFAULT;
error = EFAULT;
break;
}
case SIOCFRZST :
@ -607,7 +635,7 @@ int mode;
error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
sizeof(ipfrstat_t));
if (error)
return EFAULT;
error = EFAULT;
break;
case SIOCAUTHW :
case SIOCAUTHR :
@ -820,8 +848,6 @@ caddr_t data;
return EBUSY;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
@ -835,8 +861,6 @@ caddr_t data;
if (f)
error = EEXIST;
else {
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, fp, ftail);
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
@ -1068,7 +1092,7 @@ struct mbuf *m;
# ifdef IPSEC
m->m_pkthdr.rcvif = NULL;
# endif
return ipfr_fastroute(m, fin, NULL);
return ipfr_fastroute(m, fin->fin_mp, fin, NULL);
}
@ -1079,6 +1103,7 @@ fr_info_t *fin;
int dst;
{
int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
u_short shlen, slen = 0, soff = 0;
struct in_addr dst4;
struct icmp *icmp;
struct mbuf *m;
@ -1220,6 +1245,11 @@ int dst;
} else
#endif
{
slen = oip->ip_len;
oip->ip_len = htons(oip->ip_len);
soff = oip->ip_off;
oip->ip_off = htons(ip->ip_off);
ip->ip_src.s_addr = dst4.s_addr;
ip->ip_dst.s_addr = oip->ip_src.s_addr;
@ -1233,7 +1263,18 @@ int dst;
ip->ip_len = iclen;
ip->ip_p = IPPROTO_ICMP;
}
shlen = fin->fin_hlen;
fin->fin_hlen = hlen;
err = send_ip(oip, fin, m);
fin->fin_hlen = shlen;
#ifdef USE_INET6
if (fin->fin_v == 4)
#endif
{
oip->ip_len = slen;
oip->ip_off = soff;
}
return err;
}
@ -1268,8 +1309,8 @@ register struct mbuf *m0;
}
int ipfr_fastroute(m0, fin, fdp)
struct mbuf *m0;
int ipfr_fastroute(m0, mpp, fin, fdp)
struct mbuf *m0, **mpp;
fr_info_t *fin;
frdest_t *fdp;
{
@ -1282,16 +1323,49 @@ frdest_t *fdp;
struct route iproute;
frentry_t *fr;
#ifdef M_WRITABLE
/*
* HOT FIX/KLUDGE:
*
* If the mbuf we're about to send is not writable (because of
* a cluster reference, for example) we'll need to make a copy
* of it since this routine modifies the contents.
*
* If you have non-crappy network hardware that can transmit data
* from the mbuf, rather than making a copy, this is gonna be a
* problem.
*/
if (M_WRITABLE(m) == 0) {
if ((m0 = m_dup(m, M_DONTWAIT)) != 0) {
m_freem(m);
m = m0;
} else {
error = ENOBUFS;
m_freem(m);
ipl_frouteok[1]++;
}
}
#endif
hlen = fin->fin_hlen;
ip = mtod(m0, struct ip *);
#if defined(__NetBSD__) && defined(M_CSUM_IPv4)
/*
* Clear any in-bound checksum flags for this packet.
*/
m0->m_pkthdr.csuminfo = 0;
#endif /* __NetBSD__ && M_CSUM_IPv4 */
#ifdef USE_INET6
if (ip->ip_v == 6) {
/*
* currently "to <if>" and "to <if>:ip#" are not supported
* for IPv6
*/
return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
error = ip6_output(m0, NULL, NULL, 0, NULL, NULL);
*mpp = NULL;
return error;
}
#endif
/*
@ -1316,10 +1390,15 @@ frdest_t *fdp;
*/
if ((fr != NULL) && (fin->fin_rev != 0)) {
if ((ifp != NULL) && (fdp == &fr->fr_tif))
return -1;
return 0;
dst->sin_addr = ip->ip_dst;
} else if (fdp)
dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
} else if (fdp) {
if (fdp->fd_ip.s_addr) {
dst->sin_addr = fdp->fd_ip;
ip->ip_dst = fdp->fd_ip;
} else
dst->sin_addr = ip->ip_dst;
}
# if BSD >= 199306
dst->sin_len = sizeof(*dst);
@ -1374,36 +1453,44 @@ frdest_t *fdp;
* If small enough for interface, can just send directly.
*/
if (ip->ip_len <= ifp->if_mtu) {
# if BSD >= 199306
# if defined(MCLISREFERENCED) && !defined(sparc)
int i = 0;
# ifdef MCLISREFERENCED
if ((m->m_flags & M_EXT) && MCLISREFERENCED(m))
# else
if (m->m_flags & M_EXT)
# endif
i = 1;
# endif
# ifndef sparc
# if !(_BSDI_VERSION >= 199510)
ip->ip_id = htons(ip->ip_id);
# endif
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
# endif
# if defined(__NetBSD__) && defined(M_CSUM_IPv4)
if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
else if (ip->ip_sum == 0)
ip->ip_sum = in_cksum(m, hlen);
# else
if (!ip->ip_sum)
ip->ip_sum = in_cksum(m, hlen);
# endif /* __NetBSD__ && M_CSUM_IPv4 */
# if BSD >= 199306
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt);
# if defined(MCLISREFERENCED) && !defined(sparc)
if (i) {
ip->ip_id = ntohs(ip->ip_id);
ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off);
}
# endif
# else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
# endif
goto done;
}
/*
* Too large for interface; fragment if possible.
* Must be able to put at least 8 bytes per fragment.
@ -1506,9 +1593,11 @@ frdest_t *fdp;
else
ipl_frouteok[1]++;
if (ro->ro_rt)
if (ro->ro_rt) {
RTFREE(ro->ro_rt);
return 0;
}
*mpp = NULL;
return error;
bad:
if (error == EMSGSIZE) {
sifp = fin->fin_ifp;
@ -1550,6 +1639,18 @@ void *ifp;
return (ifp == iproute.ro_rt->rt_ifp);
}
# ifdef USE_GETIFNAME
char *
get_ifname(ifp)
struct ifnet *ifp;
{
static char workbuf[64];
sprintf(workbuf, "%s%d", ifp->if_name, ifp->if_unit);
return workbuf;
}
# endif
#else /* #ifdef _KERNEL */
@ -1586,9 +1687,9 @@ ip_t *ip;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
sprintf(fname, "/tmp/%s", ifp->if_xname);
sprintf(fname, "%s", ifp->if_xname);
# else
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
sprintf(fname, "%s%d", ifp->if_name, ifp->if_unit);
# endif
fd = open(fname, O_WRONLY|O_APPEND);
if (fd == -1) {
@ -1605,7 +1706,7 @@ struct ifnet *get_unit(name, v)
char *name;
int v;
{
struct ifnet *ifp, **ifa;
struct ifnet *ifp, **ifa, **old_ifneta;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
@ -1634,10 +1735,12 @@ int v;
}
nifs = 1;
} else {
old_ifneta = ifneta;
nifs++;
ifneta = (struct ifnet **)realloc(ifneta,
(nifs + 1) * sizeof(*ifa));
if (!ifneta) {
free(old_ifneta);
nifs = 0;
return NULL;
}
@ -1704,28 +1807,6 @@ void init_ifp()
}
int ipfr_fastroute(ip, fin, fdp)
ip_t *ip;
fr_info_t *fin;
frdest_t *fdp;
{
struct ifnet *ifp = fdp->fd_ifp;
if (!ifp)
return 0; /* no routing table out here */
ip->ip_len = htons((u_short)ip->ip_len);
ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
ip->ip_sum = 0;
#ifdef __sgi
(*ifp->if_output)(ifp, (void *)ip, NULL);
#else
(*ifp->if_output)(ifp, (void *)ip, NULL, 0);
#endif
return 0;
}
int ipllog __P((void))
{
verbose("l");
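Review bot: In the M_WRITABLE block of ipfr_fastroute, when m_dup() fails the else branch frees m and counts the failure but does not leave the function, so control falls through to `ip = mtod(m0, struct ip *)` with m0 now 0 from the failed assignment and the original mbuf already released; the branch needs `*mpp = NULL; return error;` after `ipl_frouteok[1]++;`, the same hand-back the IPv6 exit and the normal exit perform. m is declared outside this hunk, so I am reading it as aliasing m0 on entry. On the success path the original is freed and m0 rebound to the copy, but *mpp is only cleared at the normal exit; if the `bad:` path outside the hunk leaves *mpp untouched, the caller keeps a pointer to the freed original, so `*mpp = m0;` right after the successful dup is worth considering. In the later get_ifname() hunk the sprintf into workbuf is unbounded; if_name is presumably IFNAMSIZ-limited so 64 bytes suffice today, but `snprintf(workbuf, sizeof workbuf, "%s%d", ...)` makes that independent of the name length.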


@ -1,12 +1,10 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $
* $Id: ip_fil.h,v 2.29.2.10 2001/07/15 13:51:42 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@ -59,7 +57,7 @@
# define SIOCSTLCK _IOWR('r', 79, u_int)
# define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *)
# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *)
# define SIOCSTGSZ _IOWR('r', 82, struct natget *)
# define SIOCSTGSZ _IOWR('r', 82, struct natget)
# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *)
#else
# define SIOCADAFR _IOW(r, 60, struct frentry *)
@ -84,7 +82,7 @@
# define SIOCSTLCK _IOWR(r, 79, u_int)
# define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *)
# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *)
# define SIOCSTGSZ _IOWR(r, 82, struct natget *)
# define SIOCSTGSZ _IOWR(r, 82, struct natget)
# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *)
#endif
#define SIOCADDFR SIOCADAFR
@ -152,7 +150,10 @@ typedef struct fr_info {
u_short fin_off;
} fr_info_t;
#define fin_v fin_fi.fi_v
#define fin_v fin_fi.fi_v
#define fin_saddr fin_fi.fi_saddr
#define fin_daddr fin_fi.fi_daddr
#define fin_fl fin_fi.fi_fl
/*
* Size for compares on fr_info structures
@ -168,6 +169,9 @@ typedef struct frdest {
void *fd_ifp;
struct in_addr fd_ip;
char fd_ifname[IFNAMSIZ];
#if SOLARIS
mb_t *fd_mp; /* cache resolver for to/dup-to */
#endif
} frdest_t;
typedef struct frpcmp {
@ -192,8 +196,6 @@ typedef struct frtuc {
typedef struct frentry {
struct frentry *fr_next;
u_32_t fr_group; /* group to which this rule belongs */
u_32_t fr_grhead; /* group # which this rule starts */
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
void *fr_ifa;
@ -217,6 +219,8 @@ typedef struct frentry {
u_short fr_icmp;
frtuc_t fr_tuc;
u_32_t fr_group; /* group to which this rule belongs */
u_32_t fr_grhead; /* group # which this rule starts */
u_32_t fr_flags; /* per-rule flags && options (see below) */
u_int fr_skip; /* # of rules to skip */
u_int fr_loglevel; /* syslog log facility + priority */
@ -436,6 +440,8 @@ typedef struct ipflog {
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define IPLLOGSIZE 8192
#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
/*
* Device filenames for reading log information. Use ipf on Solaris2 because
* ipl is already a name used by something else.
@ -484,7 +490,6 @@ extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int send_reset __P((ip_t *, struct ifnet *));
extern int icmp_error __P((ip_t *, struct ifnet *));
extern int ipf_log __P((void));
extern int ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern struct ifnet *get_unit __P((char *, int));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
@ -530,7 +535,7 @@ extern int iplread __P((dev_t, struct uio *, cred_t *));
# else /* SOLARIS */
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern int ipfr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
# include <sys/cred.h>
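Review bot: Moving fr_group and fr_grhead from the head of struct frentry to after fr_tuc changes the layout of a structure that ioctls copy across the kernel/userland boundary, and the SIOCSTGSZ change from `struct natget *` to `struct natget` alters the size that _IOWR encodes into the request number on platforms that do so, yet nothing in the header records either ABI break; an ipf/ipnat binary built against the previous header would hand the kernel a differently laid-out frentry and an unrecognised SIOCSTGSZ. A one-line comment above the struct, e.g. `/* layout is shared with userland ipf(8)/ipnat(8); rebuild the tools after any change here */`, and a matching remark beside the SIOCSTGSZ definitions would make the expectation explicit.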


@ -1,15 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
@ -81,7 +74,7 @@ static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 d
# ifndef IPFILTER_LKM
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
# endif
extern struct callout_handle ipfr_slowtimer_ch;
# endif
#endif
@ -89,6 +82,15 @@ extern struct callout_handle ipfr_slowtimer_ch;
# include <sys/callout.h>
extern struct callout ipfr_slowtimer_ch;
#endif
#if defined(__OpenBSD__)
# include <sys/timeout.h>
extern struct timeout ipfr_slowtimer_ch;
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.14 2001/07/15 22:06:15 darrenr Exp $";
#endif
static ipfr_t *ipfr_heads[IPFT_SIZE];
@ -141,12 +143,15 @@ fr_info_t *fin;
u_int pass;
ipfr_t *table[];
{
ipfr_t **fp, *fra, frag;
u_int idx;
ipfr_t **fp, *fra, frag;
u_int idx, off;
if (ipfr_inuse >= IPFT_SIZE)
return NULL;
if (!(fin->fin_fl & FI_FRAG))
return NULL;
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
@ -160,6 +165,10 @@ ipfr_t *table[];
idx *= 127;
idx %= IPFT_SIZE;
frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
frag.ipfr_auth = fin->fin_fi.fi_auth;
/*
* first, make sure it isn't already there...
*/
@ -200,7 +209,10 @@ ipfr_t *table[];
/*
* Compute the offset of the expected start of the next packet.
*/
fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3);
off = ip->ip_off & IP_OFFMASK;
if (!off)
fra->ipfr_seen0 = 1;
fra->ipfr_off = off + (fin->fin_dlen >> 3);
ATOMIC_INCL(ipfr_stats.ifs_new);
ATOMIC_INC32(ipfr_inuse);
return fra;
@ -219,7 +231,12 @@ u_int pass;
WRITE_ENTER(&ipf_frag);
ipf = ipfr_new(ip, fin, pass, ipfr_heads);
RWLOCK_EXIT(&ipf_frag);
return ipf ? 0 : -1;
if (ipf == NULL) {
ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
return -1;
}
ATOMIC_INCL(frstats[fin->fin_out].fr_nfr);
return 0;
}
@ -230,9 +247,16 @@ u_int pass;
nat_t *nat;
{
ipfr_t *ipf;
int off;
if ((ip->ip_v != 4) || (fr_frag_lock))
return -1;
off = fin->fin_off;
off <<= 3;
if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL;
WRITE_ENTER(&ipf_natfrag);
ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
if (ipf != NULL) {
@ -254,8 +278,8 @@ fr_info_t *fin;
ipfr_t *table[];
{
ipfr_t *f, frag;
u_int idx;
u_int idx;
/*
* For fragments, we record protocol, packet id, TOS and both IP#'s
* (these should all be the same for all fragments of a packet).
@ -275,6 +299,10 @@ ipfr_t *table[];
idx *= 127;
idx %= IPFT_SIZE;
frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
frag.ipfr_auth = fin->fin_fi.fi_auth;
/*
* check the table, careful to only compare the right amount of data
*/
@ -283,6 +311,20 @@ ipfr_t *table[];
IPFR_CMPSZ)) {
u_short atoff, off;
off = fin->fin_off;
/*
* XXX - We really need to be guarding against the
* retransmission of (src,dst,id,offset-range) here
* because a fragmented packet is never resent with
* the same IP ID#.
*/
if (f->ipfr_seen0) {
if (!off || (fin->fin_fl & FI_SHORT))
continue;
} else if (!off)
f->ipfr_seen0 = 1;
if (f != table[idx]) {
/*
* move fragment info. to the top of the list
@ -295,7 +337,6 @@ ipfr_t *table[];
f->ipfr_prev = NULL;
table[idx] = f;
}
off = ip->ip_off & IP_OFFMASK;
atoff = off + (fin->fin_dlen >> 3);
/*
* If we've follwed the fragments, and this is the
@ -321,11 +362,18 @@ nat_t *ipfr_nat_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
nat_t *nat;
ipfr_t *ipf;
ipfr_t *ipf;
nat_t *nat;
int off;
if ((ip->ip_v != 4) || (fr_frag_lock))
if ((fin->fin_v != 4) || (fr_frag_lock))
return NULL;
off = fin->fin_off;
off <<= 3;
if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL;
READ_ENTER(&ipf_natfrag);
ipf = ipfr_lookup(ip, fin, ipfr_nattab);
if (ipf != NULL) {
@ -351,15 +399,24 @@ frentry_t *ipfr_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
frentry_t *fr = NULL;
ipfr_t *fra;
frentry_t *fr;
ipfr_t *fra;
int off;
if ((ip->ip_v != 4) || (fr_frag_lock))
if ((fin->fin_v != 4) || (fr_frag_lock))
return NULL;
off = fin->fin_off;
off <<= 3;
if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL;
READ_ENTER(&ipf_frag);
fra = ipfr_lookup(ip, fin, ipfr_heads);
if (fra != NULL)
fr = fra->ipfr_rule;
else
fr = NULL;
RWLOCK_EXIT(&ipf_frag);
return fr;
}
@ -544,7 +601,11 @@ int ipfr_slowtimer()
# if (__FreeBSD_version >= 300000)
ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
# else
# if defined(__OpenBSD_)
timeout_add(&ipfr_slowtimer_ch, hz/2, ipfr_slowtimer, NULL);
# else
timeout(ipfr_slowtimer, NULL, hz/2);
# endif
# endif
# if (BSD < 199306) && !defined(__sgi)
return 0;
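Review bot: The new OpenBSD branch in ipfr_slowtimer tests `defined(__OpenBSD_)` (one trailing underscore), which no compiler defines, so the timeout_add line is dead and OpenBSD falls into the plain `timeout()` call that the ip_fil.c hunks on this page replace with timeout_set/timeout_add for that platform; the guard should read `# if defined(__OpenBSD__)`. Once reachable, the four-argument `timeout_add(&ipfr_slowtimer_ch, hz/2, ipfr_slowtimer, NULL)` will not match the two-argument form used in iplattach, and should become `timeout_add(&ipfr_slowtimer_ch, hz/2);` since timeout_set already bound the callback. In the earlier hunk of the function taking `nat_t *nat` (presumably ipfr_nat_newfrag), the added length check returns NULL from a function whose lock check returns -1, i.e. it reports success (0) without having created an entry; it should be `return -1;` to match the 0/-1 convention of the sibling ipfr_newfrag just above it. The headers of both functions lie outside the visible hunks.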


@ -1,12 +1,10 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
* $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $
* $Id: ip_frag.h,v 2.4.2.5 2001/06/26 10:43:13 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@ -20,11 +18,15 @@ typedef struct ipfr {
struct in_addr ipfr_src;
struct in_addr ipfr_dst;
void *ipfr_ifp;
u_32_t ipfr_optmsk;
u_short ipfr_secmsk;
u_short ipfr_auth;
u_short ipfr_id;
u_char ipfr_p;
u_char ipfr_tos;
u_short ipfr_off;
u_short ipfr_ttl;
u_char ipfr_ttl;
u_char ipfr_seen0;
frentry_t *ipfr_rule;
} ipfr_t;
@ -40,7 +42,8 @@ typedef struct ipfrstat {
struct ipfr **ifs_nattab;
} ipfrstat_t;
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \
offsetof(ipfr_t, ipfr_src))
extern int fr_ipfrttl;
extern int fr_frag_lock;
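Review bot: IPFR_CMPSZ now covers every byte from ipfr_src up to ipfr_off, which silently pulls ipfr_ifp and the three new mask fields into the bcmp that ipfr_new and ipfr_lookup perform against a stack-allocated probe ipfr_t; that comparison is only meaningful if each field in the range, and any padding the compiler places there, is initialised in the probe. The two ip_frag.c hunks on this page set ipfr_optmsk, ipfr_secmsk and ipfr_auth in the probe, but whether ipfr_ifp is set lies outside the visible lines. A comment on the macro stating the invariant, e.g. `/* bytes compared by ipfr_lookup(): every field from ipfr_src to just before ipfr_off (ipfr_ifp included) must be set in the probe, and the range must contain no padding */`, would make it explicit; offsetof also needs <stddef.h> or its kernel equivalent in scope, which the visible hunks of this header do not include.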


@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* $Id: ip_ftp_pxy.c,v 2.7.2.20 2000/12/02 00:15:06 darrenr Exp $
* $Id: ip_ftp_pxy.c,v 2.7.2.26 2001/07/15 13:50:54 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@ -22,6 +22,22 @@ extern kmutex_t ipf_rw;
#define IPF_MAX227LEN 51
#define IPF_FTPBUFSZ 96 /* This *MUST* be >= 53! */
#define FTPXY_GO 0
#define FTPXY_INIT 1
#define FTPXY_USER_1 2
#define FTPXY_USOK_1 3
#define FTPXY_PASS_1 4
#define FTPXY_PAOK_1 5
#define FTPXY_AUTH_1 6
#define FTPXY_AUOK_1 7
#define FTPXY_ADAT_1 8
#define FTPXY_ADOK_1 9
#define FTPXY_ACCT_1 10
#define FTPXY_ACOK_1 11
#define FTPXY_USER_2 12
#define FTPXY_USOK_2 13
#define FTPXY_PASS_2 14
#define FTPXY_PAOK_2 15
int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_complete __P((char *, size_t));
@ -75,6 +91,7 @@ nat_t *nat;
f = &ftp->ftp_side[1];
f->ftps_rptr = f->ftps_buf;
f->ftps_wptr = f->ftps_buf;
ftp->ftp_passok = FTPXY_INIT;
return 0;
}
@ -215,7 +232,7 @@ int dlen;
sum2 -= sum1;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
fix_outcksum(&ip->ip_sum, sum2);
fix_outcksum(fin, &ip->ip_sum, sum2);
#endif
ip->ip_len += inc;
}
@ -255,6 +272,7 @@ int dlen;
fi.fin_dlen = sizeof(*tcp2);
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &natfr;
fi.fin_out = 1;
swip = ip->ip_src;
fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
ip->ip_src = nat->nat_inip;
@ -297,11 +315,36 @@ int dlen;
}
cmd[i] = '\0';
if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5))
ftp->ftp_passok = 1;
else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5))
ftp->ftp_passok = 3;
else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly &&
ftp->ftp_incok = 0;
if (!strncmp(cmd, "USER ", 5) || !strncmp(cmd, "XAUT ", 5)) {
if (ftp->ftp_passok == FTPXY_ADOK_1 ||
ftp->ftp_passok == FTPXY_AUOK_1) {
ftp->ftp_passok = FTPXY_USER_2;
ftp->ftp_incok = 1;
} else {
ftp->ftp_passok = FTPXY_USER_1;
ftp->ftp_incok = 1;
}
} else if (!strncmp(cmd, "AUTH ", 5)) {
ftp->ftp_passok = FTPXY_AUTH_1;
ftp->ftp_incok = 1;
} else if (!strncmp(cmd, "PASS ", 5)) {
if (ftp->ftp_passok == FTPXY_USOK_1) {
ftp->ftp_passok = FTPXY_PASS_1;
ftp->ftp_incok = 1;
} else if (ftp->ftp_passok == FTPXY_USOK_2) {
ftp->ftp_passok = FTPXY_PASS_2;
ftp->ftp_incok = 1;
}
} else if ((ftp->ftp_passok == FTPXY_AUOK_1) &&
!strncmp(cmd, "ADAT ", 5)) {
ftp->ftp_passok = FTPXY_ADAT_1;
ftp->ftp_incok = 1;
} else if ((ftp->ftp_passok == FTPXY_PAOK_2) &&
!strncmp(cmd, "ACCT ", 5)) {
ftp->ftp_passok = FTPXY_ACCT_1;
ftp->ftp_incok = 1;
} else if ((ftp->ftp_passok == FTPXY_GO) && !ippr_ftp_pasvonly &&
!strncmp(cmd, "PORT ", 5)) {
inc = ippr_ftp_port(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
@ -332,12 +375,13 @@ int dlen;
int inc;
char *s;
#define PASV_REPLEN 24
/*
* Check for PASV reply message.
*/
if (dlen < IPF_MIN227LEN)
return 0;
else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25))
else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN))
return 0;
tcp = (tcphdr_t *)fin->fin_dp;
@ -345,7 +389,7 @@ int dlen;
/*
* Skip the PORT command + space
*/
s = f->ftps_rptr + 25;
s = f->ftps_rptr + PASV_REPLEN;
while (*s && !isdigit(*s))
s++;
/*
@ -373,6 +417,8 @@ int dlen;
if (*s == ')')
s++;
if (*s == '.')
s++;
if (*s == '\n')
s--;
/*
@ -445,7 +491,7 @@ int dlen;
sum2 -= sum1;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
fix_outcksum(&ip->ip_sum, sum2);
fix_outcksum(fin, &ip->ip_sum, sum2);
#endif /* SOLARIS || defined(__sgi) */
ip->ip_len += inc;
}
@ -469,12 +515,13 @@ int dlen;
tcp2->th_win = htons(8192);
tcp2->th_sport = 0; /* XXX - fake it for nat_new */
tcp2->th_off = 5;
fi.fin_data[1] = a5 << 8 | a6;
fi.fin_data[0] = a5 << 8 | a6;
fi.fin_dlen = sizeof(*tcp2);
tcp2->th_dport = htons(fi.fin_data[1]);
fi.fin_data[0] = 0;
tcp2->th_dport = htons(fi.fin_data[0]);
fi.fin_data[1] = 0;
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &natfr;
fi.fin_out = 1;
swip = ip->ip_src;
swip2 = ip->ip_dst;
fi.fin_fi.fi_daddr = ip->ip_src.s_addr;
@ -511,17 +558,38 @@ int dlen;
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
if ((ftp->ftp_passok == 1) && !strncmp(rptr, "331", 3))
ftp->ftp_passok = 2;
else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "230", 3))
ftp->ftp_passok = 4;
else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "530", 3))
ftp->ftp_passok = 0;
else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2)))
return inc;
if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4))
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
} else if (*rptr == '5' || *rptr == '4')
ftp->ftp_passok = FTPXY_INIT;
else if (ftp->ftp_incok) {
if (*rptr == '3') {
if (ftp->ftp_passok == FTPXY_ACCT_1)
ftp->ftp_passok = FTPXY_GO;
else
ftp->ftp_passok++;
} else if (*rptr == '2') {
switch (ftp->ftp_passok)
{
case FTPXY_USER_1 :
case FTPXY_USER_2 :
case FTPXY_PASS_1 :
case FTPXY_PASS_2 :
case FTPXY_ACCT_1 :
ftp->ftp_passok = FTPXY_GO;
break;
default :
ftp->ftp_passok += 3;
break;
}
}
}
ftp->ftp_incok = 0;
while ((*rptr++ != '\n') && (rptr < wptr))
;
f->ftps_rptr = rptr;


@ -1,12 +1,10 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6 2000/03/13 22:10:21 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@ -337,7 +335,7 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
break;
}
case SIOCATHST :
error = fr_auth_ioctl(data, cmd, NULL, NULL);
error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
break;
case SIOCFRSYN :
if (!(mode & FWRITE))
@ -484,7 +482,7 @@ caddr_t data;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
return fr_auth_ioctl(data, mode, req, f, ftail);
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
@ -497,7 +495,7 @@ caddr_t data;
error = EEXIST;
else {
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
return fr_auth_ioctl(data, mode, req, f, ftail);
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)


@ -1,11 +1,9 @@
/*
* Copyright (C) 1997-2000 by Darren Reed.
* Copyright (C) 1997-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ip_log.c,v 2.5.2.2 2000/08/13 03:50:41 darrenr Exp $
* $Id: ip_log.c,v 2.5.2.5 2001/06/26 10:43:14 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@ -21,7 +19,13 @@
# endif
# else
# ifdef KLD_MODULE
# include <osreldate.h>
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
# endif
# endif
#endif
@ -45,7 +49,7 @@
# include <sys/ioctl.h>
# endif
# include <sys/time.h>
# if defined(_KERNEL) && !defined(linux)
# if defined(_KERNEL)
# include <sys/systm.h>
# endif
# include <sys/uio.h>
@ -55,9 +59,7 @@
# else
# include <sys/dir.h>
# endif
# ifndef linux
# include <sys/mbuf.h>
# endif
# include <sys/mbuf.h>
# else
# include <sys/filio.h>
# include <sys/cred.h>
@ -69,9 +71,7 @@
# include <sys/dditypes.h>
# include <sys/cmn_err.h>
# endif
# ifndef linux
# include <sys/protosw.h>
# endif
# include <sys/protosw.h>
# include <sys/socket.h>
# include <net/if.h>
@ -89,7 +89,7 @@
# include <sys/hashing.h>
# endif
# endif
# if !defined(linux) && !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
# if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
# include <netinet/in_var.h>
# endif
# include <netinet/in_systm.h>
@ -97,9 +97,7 @@
# include <netinet/tcp.h>
# include <netinet/udp.h>
# include <netinet/ip_icmp.h>
# ifndef linux
# include <netinet/ip_var.h>
# endif
# include <netinet/ip_var.h>
# ifndef _KERNEL
# include <syslog.h>
# endif
@ -130,9 +128,6 @@ extern kcondvar_t iplwait;
iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
size_t iplused[IPL_LOGMAX+1];
static fr_info_t iplcrc[IPL_LOGMAX+1];
# ifdef linux
static struct wait_queue *iplwait[IPL_LOGMAX+1];
# endif
/*
@ -229,9 +224,7 @@ mb_t *m;
(defined(OpenBSD) && (OpenBSD >= 199603))
strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
# else
# ifndef linux
ipfl.fl_unit = (u_char)ifp->if_unit;
# endif
if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
@ -337,7 +330,7 @@ int *types, cnt;
ipl->ipl_count = 1;
ipl->ipl_next = NULL;
ipl->ipl_dsize = len;
# if SOLARIS || defined(sun) || defined(linux)
# if SOLARIS || defined(sun)
uniqtime((struct timeval *)&ipl->ipl_sec);
# else
# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
@ -370,11 +363,7 @@ int *types, cnt;
mutex_exit(&ipl_mutex);
# else
MUTEX_EXIT(&ipl_mutex);
# ifdef linux
wake_up_interruptible(&iplwait[dev]);
# else
wakeup(&iplh[dev]);
# endif
# endif
return 1;
}
@ -399,8 +388,7 @@ struct uio *uio;
return ENXIO;
if (!uio->uio_resid)
return 0;
if ((uio->uio_resid < sizeof(iplog_t)) ||
(uio->uio_resid > IPLLOGSIZE))
if (uio->uio_resid < sizeof(iplog_t))
return EINVAL;
/*
@ -417,19 +405,13 @@ struct uio *uio;
return EINTR;
}
# else
# ifdef linux
interruptible_sleep_on(&iplwait[unit]);
if (current->signal & ~current->blocked)
return -EINTR;
# else
MUTEX_EXIT(&ipl_mutex);
SPL_X(s);
error = SLEEP(&iplh[unit], "ipl sleep");
if (error)
if (error) {
SPL_X(s);
return error;
SPL_NET(s);
}
MUTEX_ENTER(&ipl_mutex);
# endif /* linux */
# endif /* SOLARIS */
}
@ -447,10 +429,8 @@ struct uio *uio;
iplt[unit] = ipl->ipl_next;
iplused[unit] -= dlen;
MUTEX_EXIT(&ipl_mutex);
SPL_X(s);
error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio);
if (error) {
SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);
ipl->ipl_next = iplt[unit];
iplt[unit] = ipl;
@ -458,7 +438,6 @@ struct uio *uio;
break;
}
KFREES((caddr_t)ipl, dlen);
SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);
}
if (!iplt[unit]) {
@ -469,13 +448,7 @@ struct uio *uio;
MUTEX_EXIT(&ipl_mutex);
SPL_X(s);
# ifdef linux
if (!error)
return (int)copied;
return -error;
# else
return error;
# endif
}
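Review bot: The spl handling in the read loop is now inconsistent between paths: the SLEEP error branch adds a second `SPL_X(s)` right after the `SPL_X(s)` that already precedes SLEEP, the success branch no longer re-raises with `SPL_NET(s)`, and the `SPL_X(s)`/`SPL_NET(s)` pair around UIOMOVE and the one after KFREES are gone, so UIOMOVE runs at whatever level the caller holds. If iplread still raises to splnet on entry (the function's start is outside the hunk), a read that finds data immediately copies out to user space with network interrupts masked and can page-fault there, while a read that slept does the same work at base spl — only one of those can be intended. If the goal was to stop toggling spl inside the loop, the extra `SPL_X(s)` in the error branch should go too, since the `SPL_X(s)` after the loop already restores it, and a comment such as `/* loop body runs at the caller's spl; ipl_mutex alone protects iplt[] */` would pin down the expected level.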


@ -1,17 +1,10 @@
/*
* Copyright (C) 1995-2000 by Darren Reed.
* Copyright (C) 1995-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
@ -91,6 +84,7 @@ extern struct ifnet vpnif;
#ifndef linux
# include <netinet/ip_var.h>
# include <netinet/tcp_fsm.h>
#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
@ -111,6 +105,11 @@ extern struct ifnet vpnif;
#undef SOCKADDR_IN
#define SOCKADDR_IN struct sockaddr_in
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.44 2001/07/21 07:17:22 darrenr Exp $";
#endif
nat_t **nat_table[2] = { NULL, NULL },
*nat_instances = NULL;
ipnat_t *nat_list = NULL;
@ -301,7 +300,8 @@ struct hostmap *hm;
}
void fix_outcksum(sp, n)
void fix_outcksum(fin, sp, n)
fr_info_t *fin;
u_short *sp;
u_32_t n;
{
@ -310,12 +310,13 @@ u_32_t n;
if (!n)
return;
#if SOLARIS2 >= 6
else if (n & NAT_HW_CKSUM) {
n &= 0xffff;
n += fin->fin_dlen;
n = (n & 0xffff) + (n >> 16);
*sp = n & 0xffff;
return;
}
#endif
sum1 = (~ntohs(*sp)) & 0xffff;
sum1 += (n);
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
@ -326,7 +327,8 @@ u_32_t n;
}
void fix_incksum(sp, n)
void fix_incksum(fin, sp, n)
fr_info_t *fin;
u_short *sp;
u_32_t n;
{
@ -335,12 +337,13 @@ u_32_t n;
if (!n)
return;
#if SOLARIS2 >= 6
else if (n & NAT_HW_CKSUM) {
n &= 0xffff;
n += fin->fin_dlen;
n = (n & 0xffff) + (n >> 16);
*sp = n & 0xffff;
return;
}
#endif
#ifdef sparc
sum1 = (~(*sp)) & 0xffff;
#else
@ -625,9 +628,11 @@ int mode;
nat_stats.ns_table[0] = nat_table[0];
nat_stats.ns_table[1] = nat_table[1];
nat_stats.ns_list = nat_list;
nat_stats.ns_maptable = maptable;
nat_stats.ns_nattab_sz = ipf_nattable_sz;
nat_stats.ns_rultab_sz = ipf_natrules_sz;
nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
nat_stats.ns_hostmap_sz = ipf_hostmap_sz;
nat_stats.ns_instances = nat_instances;
nat_stats.ns_apslist = ap_sess_list;
error = IWCOPYPTR((char *)&nat_stats, (char *)data,
@ -1395,14 +1400,14 @@ int direction;
CALC_SUMD(sum1, sum2, sumd);
nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
if ((flags == IPN_TCP) && dohwcksum &&
if ((flags & IPN_TCPUDP) && dohwcksum &&
(qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
if (direction == NAT_OUTBOUND)
sum1 = LONG_SUM(ntohl(in.s_addr));
else
sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
sum1 += LONG_SUM(ntohl(ip->ip_dst.s_addr));
sum1 += 30;
sum1 += IPPROTO_TCP;
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff);
} else
@ -1463,8 +1468,8 @@ int direction;
void nat_insert(nat)
nat_t *nat;
{
u_int hv1, hv2;
nat_t **natp;
u_int hv;
MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
@ -1477,18 +1482,30 @@ nat_t *nat;
nat->nat_next = nat_instances;
nat_instances = nat;
hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
ipf_nattable_sz);
natp = &nat_table[0][hv];
if (!(nat->nat_flags & (FI_W_SPORT|FI_W_DPORT))) {
hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
0xffffffff);
hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
ipf_nattable_sz);
hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
0xffffffff);
hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
ipf_nattable_sz);
} else {
hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, 0, 0xffffffff);
hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1, ipf_nattable_sz);
hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, 0, 0xffffffff);
hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2, ipf_nattable_sz);
}
natp = &nat_table[0][hv1];
if (*natp)
(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
nat->nat_phnext[0] = natp;
nat->nat_hnext[0] = *natp;
*natp = nat;
hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
ipf_nattable_sz);
natp = &nat_table[1][hv];
natp = &nat_table[1][hv2];
if (*natp)
(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
nat->nat_phnext[1] = natp;
@ -1604,7 +1621,7 @@ int dir;
ip_t *oip;
int flags = 0;
if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0))
return NULL;
/*
* nat_icmplookup() will return NULL for `defective' packets.
@ -1878,13 +1895,14 @@ int dir;
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
if (nat->nat_dir == NAT_OUTBOUND) {
fix_outcksum(&icmp->icmp_cksum, sumd2);
fix_outcksum(fin, &icmp->icmp_cksum, sumd2);
} else {
fix_incksum(&icmp->icmp_cksum, sumd2);
fix_incksum(fin, &icmp->icmp_cksum, sumd2);
}
}
}
nat->nat_age = fr_defnaticmpage;
if (oip->ip_p == IPPROTO_ICMP)
nat->nat_age = fr_defnaticmpage;
return nat;
}
@ -1917,7 +1935,8 @@ int rw;
sport = ports & 0xffff;
flags &= IPN_TCPUDP;
hv = NAT_HASH_FN(dst, dport, ipf_nattable_sz);
hv = NAT_HASH_FN(dst, dport, 0xffffffff);
hv = NAT_HASH_FN(src.s_addr, hv + sport, ipf_nattable_sz);
nat = nat_table[1][hv];
for (; nat; nat = nat->nat_hnext[1]) {
nflags = nat->nat_flags;
@ -1935,7 +1954,8 @@ int rw;
if (!rw) {
RWLOCK_EXIT(&ipf_nat);
}
hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz);
hv = NAT_HASH_FN(dst, 0, 0xffffffff);
hv = NAT_HASH_FN(src.s_addr, hv, ipf_nattable_sz);
if (!rw) {
WRITE_ENTER(&ipf_nat);
}
@ -1999,7 +2019,8 @@ u_32_t ports;
/*
* Add into the NAT table in the new position
*/
hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz);
hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, 0xffffffff);
hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + dport, ipf_nattable_sz);
natp = &nat_table[0][hv];
if (*natp)
(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
@ -2007,7 +2028,8 @@ u_32_t ports;
nat->nat_hnext[0] = *natp;
*natp = nat;
hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz);
hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, 0xffffffff);
hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + dport, ipf_nattable_sz);
natp = &nat_table[1][hv];
if (*natp)
(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
@ -2041,7 +2063,8 @@ int rw;
flags &= IPN_TCPUDP;
srcip = src.s_addr;
hv = NAT_HASH_FN(srcip, sport, ipf_nattable_sz);
hv = NAT_HASH_FN(srcip, sport, 0xffffffff);
hv = NAT_HASH_FN(dst.s_addr, hv + dport, ipf_nattable_sz);
nat = nat_table[0][hv];
for (; nat; nat = nat->nat_hnext[0]) {
nflags = nat->nat_flags;
@ -2061,6 +2084,7 @@ int rw;
RWLOCK_EXIT(&ipf_nat);
}
hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz);
hv = NAT_HASH_FN(dst.s_addr, hv, ipf_nattable_sz);
if (!rw) {
WRITE_ENTER(&ipf_nat);
}
@ -2145,8 +2169,8 @@ ip_t *ip;
}
ft = &np->in_tuc;
if (!(fin->fin_fi.fi_fl & FI_TCPUDP) ||
(fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) {
if (!(fin->fin_fl & FI_TCPUDP) ||
(fin->fin_fl & FI_SHORT) || (fin->fin_off != 0)) {
if (ft->ftu_scmp || ft->ftu_dcmp)
return 0;
return 1;
@ -2168,13 +2192,12 @@ fr_info_t *fin;
register u_32_t ipa;
tcphdr_t *tcp = NULL;
u_short sport = 0, dport = 0, *csump = NULL;
struct ifnet *ifp;
int natadd = 1;
frentry_t *fr;
int natadd = 1, i, icmpset = 1;
u_int nflags = 0, hv, msk;
struct ifnet *ifp;
frentry_t *fr;
u_32_t iph;
nat_t *nat;
int i;
if (nat_list == NULL || (fr_nat_lock))
return 0;
@ -2185,7 +2208,7 @@ fr_info_t *fin;
else
ifp = fin->fin_ifp;
if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
nflags = IPN_TCP;
else if (ip->ip_p == IPPROTO_UDP)
@ -2203,8 +2226,8 @@ fr_info_t *fin;
if ((ip->ip_p == IPPROTO_ICMP) &&
(nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
;
else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
icmpset = 1;
else if ((fin->fin_fl & FI_FRAG) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p,
@ -2238,8 +2261,7 @@ fr_info_t *fin;
hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
for (np = nat_rules[hv]; np; np = np->in_mnext)
{
if ((np->in_ifp && (np->in_ifp != ifp)) ||
!np->in_space)
if (np->in_ifp && (np->in_ifp != ifp))
continue;
if ((np->in_flags & IPN_RF) &&
!(np->in_flags & nflags))
@ -2283,7 +2305,7 @@ fr_info_t *fin;
*/
if (nat) {
np = nat->nat_ptr;
if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat);
MUTEX_ENTER(&nat->nat_lock);
nat->nat_age = fr_defnatage;
@ -2303,22 +2325,21 @@ fr_info_t *fin;
CALC_SUMD(s1, s2, sumd);
if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(&ip->ip_sum, sumd);
fix_incksum(fin, &ip->ip_sum, sumd);
else
fix_outcksum(&ip->ip_sum, sumd);
fix_outcksum(fin, &ip->ip_sum, sumd);
}
#if SOLARIS || defined(__sgi)
else {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
else
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd);
}
#endif
ip->ip_src = nat->nat_outip;
if (!(ip->ip_off & IP_OFFMASK) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
tcp->th_sport = nat->nat_outport;
@ -2351,14 +2372,15 @@ fr_info_t *fin;
if (udp->uh_sum)
csump = &udp->uh_sum;
} else if (ip->ip_p == IPPROTO_ICMP) {
nat->nat_age = fr_defnaticmpage;
if (!icmpset)
nat->nat_age = fr_defnaticmpage;
}
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump, nat->nat_sumd[1]);
fix_outcksum(fin, csump, nat->nat_sumd[1]);
else
fix_incksum(csump, nat->nat_sumd[1]);
fix_incksum(fin, csump, nat->nat_sumd[1]);
}
}
@ -2389,18 +2411,18 @@ fr_info_t *fin;
register struct in_addr src;
register struct in_addr in;
register ipnat_t *np;
u_short sport = 0, dport = 0, *csump = NULL;
u_int nflags = 0, natadd = 1, hv, msk;
struct ifnet *ifp = fin->fin_ifp;
tcphdr_t *tcp = NULL;
u_short sport = 0, dport = 0, *csump = NULL;
int i, icmpset = 0;
nat_t *nat;
u_32_t iph;
int i;
if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
return 0;
if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
nflags = IPN_TCP;
else if (ip->ip_p == IPPROTO_UDP)
@ -2420,8 +2442,8 @@ fr_info_t *fin;
if ((ip->ip_p == IPPROTO_ICMP) &&
(nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
;
else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
icmpset = 1;
else if ((fin->fin_fl & FI_FRAG) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
@ -2488,7 +2510,7 @@ fr_info_t *fin;
if (nat) {
np = nat->nat_ptr;
fin->fin_fr = nat->nat_fr;
if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat);
if ((np->in_apr != NULL) && (np->in_dport == 0 ||
(tcp != NULL && sport == np->in_dport))) {
@ -2515,12 +2537,11 @@ fr_info_t *fin;
*/
#if SOLARIS || defined(__sgi)
if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd);
else
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
#endif
if (!(ip->ip_off & IP_OFFMASK) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
tcp->th_dport = nat->nat_inport;
@ -2553,14 +2574,15 @@ fr_info_t *fin;
if (udp->uh_sum)
csump = &udp->uh_sum;
} else if (ip->ip_p == IPPROTO_ICMP) {
nat->nat_age = fr_defnaticmpage;
if (!icmpset)
nat->nat_age = fr_defnaticmpage;
}
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(csump, nat->nat_sumd[0]);
fix_incksum(fin, csump, nat->nat_sumd[0]);
else
fix_outcksum(csump, nat->nat_sumd[0]);
fix_outcksum(fin, csump, nat->nat_sumd[0]);
}
}
ATOMIC_INCL(nat_stats.ns_mapped[0]);
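Review bot: The wildcard path of nat_outlookup mixes hash widths: the retained `hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz);` feeds the new `hv = NAT_HASH_FN(dst.s_addr, hv, ipf_nattable_sz);`, whereas nat_insert derives the same bucket from `NAT_HASH_FN(nat->nat_inip.s_addr, 0, 0xffffffff)` followed by `NAT_HASH_FN(nat->nat_oip.s_addr, hv1, ipf_nattable_sz)`, and nat_inlookup's wildcard path also uses `0xffffffff` for its first step. NAT_HASH_FN is not visible here, but if it reduces modulo its third argument the intermediate values differ and outbound packets will not find entries inserted with FI_W_SPORT/FI_W_DPORT — exactly the entries the ftp and raudio proxies create — so the first line should read `hv = NAT_HASH_FN(srcip, 0, 0xffffffff);`. Two smaller inconsistencies in the same hunks: `icmpset` starts at 1 in ip_natout but 0 in ip_natin and is only ever set to 1, so the `if (!icmpset)` branch in ip_natout can never run; and ip_natin now guards `ipfr_nat_newfrag` with `&& np` yet dereferences `np->in_apr` unconditionally two lines later, so either the guard is redundant or that access needs the same check.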


@ -1,12 +1,10 @@
/*
* Copyright (C) 1995-2000 by Darren Reed.
* Copyright (C) 1995-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
* $Id: ip_nat.h,v 2.17.2.14 2000/11/18 03:58:04 darrenr Exp $
* $Id: ip_nat.h,v 2.17.2.20 2001/06/26 10:43:15 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@ -35,10 +33,18 @@
* appropriate sizes. The figures below were used for
* a setup with 1000-2000 networks to NAT.
*/
#define NAT_SIZE 127
#define RDR_SIZE 127
#define HOSTMAP_SIZE 127
#define NAT_TABLE_SZ 127
#ifndef NAT_SIZE
# define NAT_SIZE 127
#endif
#ifndef RDR_SIZE
# define RDR_SIZE 127
#endif
#ifndef HOSTMAP_SIZE
# define HOSTMAP_SIZE 127
#endif
#ifndef NAT_TABLE_SZ
# define NAT_TABLE_SZ 127
#endif
#ifdef LARGE_NAT
#undef NAT_SIZE
#undef RDR_SIZE
@ -201,11 +207,13 @@ typedef struct natstat {
u_long ns_memfail;
u_long ns_badnat;
nat_t **ns_table[2];
hostmap_t **ns_maptable;
ipnat_t *ns_list;
void *ns_apslist;
u_int ns_nattab_sz;
u_int ns_rultab_sz;
u_int ns_rdrtab_sz;
u_int ns_hostmap_sz;
nat_t *ns_instances;
u_int ns_wilds;
} natstat_t;
@ -220,12 +228,13 @@ typedef struct natstat {
#define IPN_AUTOPORTMAP 0x010
#define IPN_IPRANGE 0x020
#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST)
IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_FRAG)
#define IPN_FILTER 0x040
#define IPN_SPLIT 0x080
#define IPN_ROUNDR 0x100
#define IPN_NOTSRC 0x080000
#define IPN_NOTDST 0x100000
#define IPN_FRAG 0x200000
typedef struct natlog {
@ -300,8 +309,8 @@ extern int ip_natout __P((ip_t *, fr_info_t *));
extern int ip_natin __P((ip_t *, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void));
extern void nat_log __P((struct nat *, u_int));
extern void fix_incksum __P((u_short *, u_32_t));
extern void fix_outcksum __P((u_short *, u_32_t));
extern void fix_incksum __P((fr_info_t *, u_short *, u_32_t));
extern void fix_outcksum __P((fr_info_t *, u_short *, u_32_t));
extern void fix_datacksum __P((u_short *, u_32_t));
#endif /* __IP_NAT_H__ */
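Review bot: Inserting `hostmap_t **ns_maptable;` in the middle of natstat_t (and `ns_hostmap_sz` after `ns_rdrtab_sz`) shifts every following member, so a userland ipnat/ipfstat built against the previous header will read `ns_list`, `ns_apslist`, `ns_instances` and the table sizes from the wrong offsets when the kernel copies nat_stats out, and the struct carries no size or version field that would let either side notice. If running an older tool against a newer kernel module is a supported configuration, appending the new members at the end would keep existing offsets stable; if it is not, a comment on the struct such as `/* copied to userland by ioctl: layout is ABI, keep tools in sync */` would at least record the constraint for the next change.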


@ -1,14 +1,8 @@
/*
* Copyright (C) 1997-2000 by Darren Reed.
* Copyright (C) 1997-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
@ -78,6 +72,10 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 d
# include <sys/malloc.h>
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.6 2001/07/15 22:06:15 darrenr Exp $";
#endif
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
@ -216,9 +214,13 @@ ip_t *ip;
fr_info_t *fin;
nat_t *nat;
{
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
mb_t *m = fin->fin_qfm;
int dosum = 1;
#endif
tcphdr_t *tcp = NULL;
ap_session_t *aps;
aproxy_t *apr;
tcphdr_t *tcp = NULL;
u_32_t sum;
short rv;
int err;
@ -234,8 +236,13 @@ nat_t *nat;
* verify that the checksum is correct. If not, then
* don't do anything with this packet.
*/
#if SOLARIS && defined(_KERNEL)
sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
if (dohwcksum && (m->b_ick_flag == ICK_VALID)) {
sum = tcp->th_sum;
dosum = 0;
}
if (dosum)
sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#else
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
@ -261,8 +268,9 @@ nat_t *nat;
if (tcp != NULL) {
err = appr_fixseqack(fin, ip, aps, APR_INC(err));
#if SOLARIS && defined(_KERNEL)
tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
if (dosum)
tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#else
tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
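Review bot: When `m->b_ick_flag == ICK_VALID` is seen, `dosum` is cleared and the recompute at `if (dosum) tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);` after appr_fixseqack is skipped; ICK_VALID indicates the checksum was verified on receive, not that it will be regenerated on transmit, and the proxy has just rewritten seq/ack (and possibly the payload), so the packet leaves with a stale `th_sum` unless the outbound path relies on the NAT_HW_CKSUM handling in fix_outcksum to patch it. If that is the intended division of labour, a comment here would save the next reader the search, e.g. `/* ICK_VALID: hardware verified the sum on input; NAT_HW_CKSUM path fixes it on output */`; if not, the recompute must still run regardless of `dosum`.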


@ -1,11 +1,9 @@
/*
* Copyright (C) 1997-2000 by Darren Reed.
* Copyright (C) 1997-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $
* $Id: ip_proxy.h,v 2.8.2.7 2001/06/26 10:43:16 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@ -102,7 +100,8 @@ typedef struct ftpside {
} ftpside_t;
typedef struct ftpinfo {
u_int ftp_passok;
int ftp_passok;
int ftp_incok;
ftpside_t ftp_side[2];
} ftpinfo_t;


@ -1,5 +1,5 @@
/*
* $Id: ip_raudio_pxy.c,v 1.7.2.3 2000/10/27 22:54:04 darrenr Exp $
* $Id: ip_raudio_pxy.c,v 1.7.2.6 2001/07/23 04:17:56 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@ -62,8 +62,8 @@ nat_t *nat;
raudio_t *rap = aps->aps_data;
unsigned char membuf[512 + 1], *s;
u_short id = 0;
tcphdr_t *tcp;
int off, dlen;
tcphdr_t *tcp;
int len = 0;
mb_t *m;
#if SOLARIS
@ -86,14 +86,16 @@ nat_t *nat;
dlen = msgdsize(m) - off;
if (dlen <= 0)
return 0;
copyout_mblk(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
dlen = MIN(sizeof(membuf), dlen);
copyout_mblk(m, off, dlen, (char *)membuf);
#else
m = *(mb_t **)fin->fin_mp;
dlen = mbufchainlen(m) - off;
if (dlen <= 0)
return 0;
m_copydata(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
dlen = MIN(sizeof(membuf), dlen);
m_copydata(m, off, dlen, (char *)membuf);
#endif
/*
* In all the startup parsing, ensure that we don't go outside
@ -170,8 +172,8 @@ nat_t *nat;
unsigned char membuf[IPF_MAXPORTLEN + 1], *s;
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
raudio_t *rap = aps->aps_data;
int off, dlen, slen, clen;
struct in_addr swa, swb;
int off, dlen, slen;
int a1, a2, a3, a4;
u_short sp, dp;
fr_info_t fi;
@ -202,13 +204,15 @@ nat_t *nat;
if (dlen <= 0)
return 0;
bzero(membuf, sizeof(membuf));
copyout_mblk(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
clen = MIN(sizeof(membuf), dlen);
copyout_mblk(m, off, clen, (char *)membuf);
#else
dlen = mbufchainlen(m) - off;
if (dlen <= 0)
return 0;
bzero(membuf, sizeof(membuf));
m_copydata(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
clen = MIN(sizeof(membuf), dlen);
m_copydata(m, off, clen, (char *)membuf);
#endif
seq = ntohl(tcp->th_seq);
@ -217,7 +221,7 @@ nat_t *nat;
* We only care for the first 19 bytes coming back from the server.
*/
if (rap->rap_sseq == 0) {
s = (u_char *)memstr("PNA", (char *)membuf, 3, dlen);
s = (u_char *)memstr("PNA", (char *)membuf, 3, clen);
if (s == NULL)
return 0;
a1 = s - membuf;
@ -278,6 +282,7 @@ nat_t *nat;
tcp2->th_dport = htons(dp);
fi.fin_data[0] = dp;
fi.fin_data[1] = sp;
fi.fin_out = 0;
ipn = nat_new(nat->nat_ptr, ip, &fi,
IPN_UDP | (sp ? 0 : FI_W_SPORT), NAT_OUTBOUND);
if (ipn != NULL) {
@ -292,6 +297,7 @@ nat_t *nat;
tcp2->th_dport = 0; /* XXX - don't specify remote port */
fi.fin_data[0] = sp;
fi.fin_data[1] = 0;
fi.fin_out = 1;
ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_UDP|FI_W_DPORT,
NAT_OUTBOUND);
if (ipn != NULL) {
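Review bot: `dlen = MIN(sizeof(membuf), dlen);` (and `clen` in the second function) lets the copy fill every byte of `membuf[512 + 1]` / `membuf[IPF_MAXPORTLEN + 1]`, leaving no room for a terminator; the `+ 1` in both declarations and the `bzero` before the second copy suggest the parsing relies on one. `memstr` is bounded by `clen`, but the first function's parsing is outside the hunk, and any strlen/strchr-style walk over `membuf` there would run past the end after a maximal copy. Clamping to the array size minus one preserves the terminator on both copies: `dlen = MIN(sizeof(membuf) - 1, dlen);` and `clen = MIN(sizeof(membuf) - 1, dlen);`.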


@ -1,15 +1,13 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* I hate legaleese, don't you ?
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.9 2000/11/12 11:55:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.12 2001/07/18 14:57:09 darrenr Exp $";
#endif
#include <sys/types.h>
@ -197,7 +195,7 @@ int *rp;
return error;
}
if (unit == IPL_LOGAUTH) {
error = fr_auth_ioctl((caddr_t)data, cmd, NULL, NULL);
error = fr_auth_ioctl((caddr_t)data, mode, cmd, NULL, NULL);
RWLOCK_EXIT(&ipf_solaris);
return error;
}
@ -458,6 +456,7 @@ caddr_t data;
}
fdp = &fp->fr_dif;
fdp->fd_mp = NULL;
fp->fr_flags &= ~FR_DUP;
if (*fdp->fd_ifname) {
ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
@ -491,6 +490,7 @@ caddr_t data;
}
fdp = &fp->fr_tif;
fdp->fd_mp = NULL;
if (*fdp->fd_ifname) {
ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
if (!ill)
@ -577,10 +577,6 @@ caddr_t data;
}
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH) {
error = fr_auth_ioctl(data, req, fp, ftail);
goto out;
}
if (f->fr_grhead)
fr_delgroup(f->fr_grhead, fp->fr_flags,
unit, set);
@ -594,10 +590,6 @@ caddr_t data;
if (f) {
error = EEXIST;
} else {
if (unit == IPL_LOGAUTH) {
error = fr_auth_ioctl(data, req, fp, ftail);
goto out;
}
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)


@ -1,15 +1,8 @@
/*
* Copyright (C) 1995-2000 by Darren Reed.
* Copyright (C) 1995-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $";
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@ -97,6 +90,11 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46
# endif
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.38 2001/07/23 13:49:46 darrenr Exp $";
#endif
#ifndef MIN
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
@ -140,7 +138,9 @@ u_long fr_tcpidletimeout = FIVE_DAYS,
fr_tcpclosed = 120,
fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */
fr_udptimeout = 240,
fr_icmptimeout = 120;
fr_udpacktimeout = 24,
fr_icmptimeout = 120,
fr_icmpacktimeout = 12;
int fr_statemax = IPSTATE_MAX,
fr_statesize = IPSTATE_SIZE;
int fr_state_doflush = 0,
@ -241,6 +241,7 @@ caddr_t data;
if (error)
return EFAULT;
WRITE_ENTER(&ipf_state);
for (sp = ips_list; sp; sp = sp->is_next)
if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
!bcmp((char *)&sp->is_src, (char *)&st.is_src,
@ -249,7 +250,6 @@ caddr_t data;
sizeof(st.is_dst)) &&
!bcmp((char *)&sp->is_ps, (char *)&st.is_ps,
sizeof(st.is_ps))) {
WRITE_ENTER(&ipf_state);
#ifdef IPFILTER_LOG
ipstate_log(sp, ISL_REMOVE);
#endif
@ -257,6 +257,7 @@ caddr_t data;
RWLOCK_EXIT(&ipf_state);
return 0;
}
RWLOCK_EXIT(&ipf_state);
return ESRCH;
}
@ -502,8 +503,7 @@ u_int flags;
u_int pass;
int out;
if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
(fin->fin_fi.fi_fl & FI_SHORT))
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
return NULL;
if (ips_num == fr_statemax) {
ips_stats.iss_max++;
@ -663,7 +663,7 @@ u_int flags;
is->is_secmsk = 0xffff;
is->is_auth = fin->fin_fi.fi_auth;
is->is_authmsk = 0xffff;
is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
is->is_flags = fin->fin_fl & FI_CMP;
is->is_flags |= FI_CMP << 4;
is->is_flags |= flags & (FI_WILDP|FI_WILDA);
if (flags & (FI_WILDP|FI_WILDA))
@ -688,7 +688,7 @@ u_int flags;
#endif
RWLOCK_EXIT(&ipf_state);
fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
if (fin->fin_fi.fi_fl & FI_FRAG)
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
return is;
}
@ -717,6 +717,8 @@ tcphdr_t *tcp;
* Find difference between last checked packet and this packet.
*/
source = IP6EQ(fin->fin_fi.fi_src, is->is_src);
if (source && (ntohs(is->is_sport) != fin->fin_data[0]))
source = 0;
fdata = &is->is_tcp.ts_data[!source];
tdata = &is->is_tcp.ts_data[source];
seq = ntohl(tcp->th_seq);
@ -809,7 +811,7 @@ tcphdr_t *tcp;
u_short sp, dp;
void *ifp;
rev = fin->fin_rev = IP6NEQ(is->is_dst, dst);
rev = IP6NEQ(is->is_dst, dst);
ifp = fin->fin_ifp;
out = fin->fin_out;
@ -817,6 +819,12 @@ tcphdr_t *tcp;
flags = is->is_flags;
sp = tcp->th_sport;
dp = tcp->th_dport;
if (!rev) {
if (!(flags & FI_W_SPORT) && (sp != is->is_sport))
rev = 1;
else if (!(flags & FI_W_DPORT) && (dp != is->is_dport))
rev = 1;
}
} else {
flags = is->is_flags & FI_WILDA;
sp = 0;
@ -871,10 +879,10 @@ tcphdr_t *tcp;
if (tcp == NULL)
flags = is->is_flags & (FI_CMP|(FI_CMP<<4));
if (((fin->fin_fi.fi_fl & (flags >> 4)) != (flags & FI_CMP)) ||
((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth))
if (((fin->fin_fl & (flags >> 4)) != (flags & FI_CMP)) ||
(fin->fin_fi.fi_optmsk != is->is_opt) ||
(fin->fin_fi.fi_secmsk != is->is_sec) ||
(fin->fin_fi.fi_auth != is->is_auth))
return 0;
if ((flags & (FI_W_SPORT|FI_W_DPORT))) {
@ -924,16 +932,11 @@ tcphdr_t *tcp;
if (ret >= 0) {
is->is_ifp[ret] = ifp;
#ifdef _KERNEL
strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
sizeof(is->is_ifname[1]));
strncpy(is->is_ifname[ret], IFNAME(fin->fin_ifp),
sizeof(is->is_ifname[ret]));
#endif
}
#ifdef _KERNEL
if (ret >= 0) {
strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
sizeof(is->is_ifname[1]));
}
#endif
fin->fin_rev = rev;
return 1;
}
@ -1209,8 +1212,7 @@ fr_info_t *fin;
frentry_t *fr;
tcphdr_t *tcp;
if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
(fin->fin_fi.fi_fl & FI_SHORT))
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
return NULL;
is = NULL;
@ -1254,7 +1256,10 @@ fr_info_t *fin;
if ((is->is_p == pr) && (is->is_v == v) &&
fr_matchsrcdst(is, src, dst, fin, NULL) &&
fr_matchicmpqueryreply(v, is, ic)) {
is->is_age = fr_icmptimeout;
if (fin->fin_rev)
is->is_age = fr_icmpacktimeout;
else
is->is_age = fr_icmptimeout;
break;
}
}
@ -1302,6 +1307,11 @@ fr_info_t *fin;
if (!fr_tcpstate(is, fin, ip, tcp)) {
continue;
}
} else if ((pr == IPPROTO_UDP)) {
if (fin->fin_rev)
is->is_age = fr_udpacktimeout;
else
is->is_age = fr_udptimeout;
}
break;
}
@ -1345,7 +1355,7 @@ fr_info_t *fin;
fr_delstate(is);
#endif
RWLOCK_EXIT(&ipf_state);
if (fin->fin_fi.fi_fl & FI_FRAG)
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
return fr;
}
@ -1420,7 +1430,8 @@ void fr_stateunload()
ips_stats.iss_inuse = 0;
ips_num = 0;
RWLOCK_EXIT(&ipf_state);
KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
if (ips_table)
KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
ips_table = NULL;
}


@ -1,12 +1,10 @@
/*
* Copyright (C) 1995-2000 by Darren Reed.
* Copyright (C) 1995-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* $Id: ip_state.h,v 2.13.2.2 2000/08/23 11:01:31 darrenr Exp $
* $Id: ip_state.h,v 2.13.2.4 2001/06/26 10:43:17 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@ -17,8 +15,12 @@
# define SIOCDELST _IOW(r, 61, struct ipstate *)
#endif
#define IPSTATE_SIZE 5737
#define IPSTATE_MAX 4013 /* Maximum number of states held */
#ifndef IPSTATE_SIZE
# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))
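Review bot: The new #ifndef guards make IPSTATE_SIZE and IPSTATE_MAX overridable from the build, but nothing in the header says what a valid override is; fr_statesize takes IPSTATE_SIZE as the state table size (see the ip_state.c hunk above), so a zero or very small -D value would presumably break the state hash — confirm against the hashing code, which is outside this hunk. A comment on the guard would prevent that: `/* IPSTATE_SIZE: state hash table size; IPSTATE_MAX: cap on live entries. Both may be overridden with -D at build time and must be > 0. */`.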


@ -1,12 +1,16 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# include <osreldate.h>
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#include <stdio.h>
#include <unistd.h>
@ -43,7 +47,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.5 2000/10/25 10:37:11 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.10 2001/07/18 11:34:19 darrenr Exp $";
#endif
#if SOLARIS
@ -74,13 +78,19 @@ static void closedevice __P((void));
static char *getline __P((char *, size_t, FILE *, int *));
static char *ipfname = IPL_NAME;
static void usage __P((void));
static void showversion __P((void));
static int showversion __P((void));
static int get_flags __P((void));
#if SOLARIS
# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
#else
# define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
#endif
static void usage()
{
fprintf(stderr, "usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n",
fprintf(stderr, "usage: ipf [-%s] %s %s %s\n", OPTS,
"[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
exit(1);
}
@ -92,11 +102,9 @@ char *argv[];
{
int c;
while ((c = getopt(argc, argv, "6AdDEf:F:Il:noPrsUvVyzZ")) != -1) {
while ((c = getopt(argc, argv, OPTS)) != -1) {
switch (c)
{
case '?' :
usage();
#ifdef USE_INET6
case '6' :
use_inet6 = 1;
@ -146,10 +154,11 @@ char *argv[];
break;
#endif
case 'v' :
opts |= OPT_VERBOSE;
opts += OPT_VERBOSE;
break;
case 'V' :
showversion();
if (showversion())
exit(1);
break;
case 'y' :
frsync();
@ -160,6 +169,9 @@ char *argv[];
case 'Z' :
zerostats();
break;
default :
usage();
break;
}
}
@ -553,7 +565,7 @@ static void blockunknown()
#endif
static void showversion()
static int showversion()
{
struct friostat fio;
struct friostat *fiop=&fio;
@ -565,13 +577,13 @@ static void showversion()
if ((vfd = open(ipfname, O_RDONLY)) == -1) {
perror("open device");
return;
return 1;
}
if (ioctl(vfd, SIOCGETFS, &fiop)) {
perror("ioctl(SIOCGETFS)");
close(vfd);
return;
return 1;
}
close(vfd);
flags = get_flags();
@ -610,4 +622,6 @@ static void showversion()
s = "nomatch -> block";
printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
printf("Active list: %d\n", fio.f_active);
return 0;
}
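Review bot: usage() now prints OPTS verbatim inside `[-%s]`, so the getopt colons for the options that take arguments appear in the message (`[-6AdDEf:F:Il:noPrsvVyzZ]`) while -f, -F and -l are also listed separately in the extra strings. Keep a display-only letter set next to the getopt spec, e.g. `# define OPTS_USAGE "6AdDEInoPrsUvVyzZ"` under the same `#if SOLARIS` split, and print that instead of OPTS. Separately, `opts += OPT_VERBOSE` replaces the earlier `|=`; if OPT_VERBOSE is a single flag bit this carries into the neighbouring flags after enough -v options, so either cap the count or keep a separate verbosity counter (the OPT_ definitions are outside this hunk, so this is inferred).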


@ -1,12 +1,10 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.9.2.2 2000/05/06 11:20:20 darrenr Exp $
* $Id: ipf.h,v 2.9.2.3 2001/06/26 10:43:18 darrenr Exp $
*/
#ifndef __IPF_H__


@ -1,12 +1,16 @@
/*
* Copyright (C) 1999 by Darren Reed.
* Copyright (C) 1999-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# include <osreldate.h>
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#include <stdio.h>
#include <unistd.h>
@ -41,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.7 2001/06/26 10:43:18 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@ -532,6 +536,7 @@ char *file;
}
bzero((char *)&ipn, sizeof(ipn));
ipnp = &ipn;
/*
* 1. Read all state information in.
@ -573,7 +578,7 @@ char *file;
}
} else
in = (nat_save_t *)malloc(sizeof(*in));
bcopy((char *)&ipnp, (char *)in, sizeof(ipn));
bcopy((char *)ipnp, (char *)in, sizeof(ipn));
/*
* Check to see if this is the first state entry that will
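Review bot: The result of `in = (nat_save_t *)malloc(sizeof(*in));` is not checked before `bcopy((char *)ipnp, (char *)in, sizeof(ipn));` writes into it, so an allocation failure while restoring NAT state is a NULL dereference. The corrected bcopy source (`ipnp` rather than `&ipnp`) is right; add the check directly after the allocation, e.g. `if (in == NULL) { perror("malloc"); return 1; }`, adjusting the return value to the function's convention since its signature is outside the hunk. The other allocation branch just above the hunk deserves the same check if it is unchecked.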


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
@ -51,7 +49,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
#endif
static int etherf_open __P((char *));


@ -1,9 +1,7 @@
/*
* Copyright (C) 1995-2000 by Darren Reed.
* Copyright (C) 1995-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <ctype.h>
@ -42,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
#endif
extern int opts;


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@ -33,7 +31,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
#endif
struct llc {
@ -46,7 +44,7 @@ struct llc {
* While many of these maybe the same, some do have different header formats
* which make this useful.
*/
#define DLT_MAX 10
#define DLT_MAX 14
static struct llc llcs[DLT_MAX+1] = {
{ 0, 0, 0 }, /* DLT_NULL */
@ -59,7 +57,10 @@ static struct llc llcs[DLT_MAX+1] = {
{ 0, 0, 0 }, /* DLT_ARCNET */
{ 0, 0, 0 }, /* DLT_SLIP */
{ 0, 0, 0 }, /* DLT_PPP */
{ 0, 0, 0 } /* DLT_FDDI */
{ 0, 0, 0 }, /* DLT_FDDI */
{ 0, 0, 0 }, /* DLT_ATMRFC1483 */
{ 0, 0, 0 }, /* DLT_LOOP */
{ 0, 0, 0 } /* DLT_ENC */
};
static int pcap_open __P((char *));
@ -114,7 +115,7 @@ char *fname;
swap_hdr(&ph);
}
if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type > DLT_MAX) {
if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) {
(void) close(fd);
return -2;
}
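Review bot: The table is still declared `llcs[DLT_MAX+1]` (15 slots) while only 14 initialisers are supplied and the new check rejects `pc_type >= DLT_MAX`, so the array size and the bound no longer agree and the last slot is dead. Either declare `static struct llc llcs[DLT_MAX]` or check against the element count, `ph.pc_type >= sizeof(llcs)/sizeof(llcs[0])`, so the two cannot drift apart again. The table is indexed positionally by the file's DLT number, and DLT numbering past DLT_FDDI differs between platforms, so the ATMRFC1483/LOOP/ENC rows presumably match only one libpcap's values; if pc_type is a signed field a negative value also passes the check (its type is outside the hunk).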


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
@ -37,7 +35,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
#endif
struct llc {
@ -78,6 +76,7 @@ char *fname;
{
struct snoophdr sh;
int fd;
int s_v;
if (sfd != -1)
return sfd;
@ -90,16 +89,18 @@ char *fname;
if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
return -2;
if (sh.s_v != SNOOP_VERSION ||
sh.s_type < 0 || sh.s_type > SDL_MAX) {
s_v = (int)ntohl(sh.s_v);
s_type = (int)ntohl(sh.s_type);
if (s_v != SNOOP_VERSION ||
s_type < 0 || s_type > SDL_MAX) {
(void) close(fd);
return -2;
}
sfd = fd;
s_type = sh.s_type;
printf("opened snoop file %s:\n", fname);
printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, sh.s_v, s_type);
printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
return fd;
}
@ -118,20 +119,22 @@ static int snoop_close()
static int snoop_read_rec(rec)
struct snooppkt *rec;
{
int n, p;
int n, plen, ilen;
if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
return -2;
if (rec->sp_ilen > rec->sp_plen || rec->sp_plen < sizeof(*rec))
ilen = (int)ntohl(rec->sp_ilen);
plen = (int)ntohl(rec->sp_plen);
if (ilen > plen || plen < sizeof(*rec))
return -2;
p = rec->sp_plen - sizeof(*rec);
n = MIN(p, rec->sp_ilen);
plen -= sizeof(*rec);
n = MIN(plen, ilen);
if (!n || n < 0)
return -3;
return p;
return plen;
}
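Review bot: In snoop_read_rec, `plen < sizeof(*rec)` compares an int against size_t, so a negative plen (a large big-endian length after ntohl and the int cast) converts to a huge unsigned value and passes that test; the later `n < 0` check happens to catch it through MIN(), but the intent is clearer, and the reliance on MIN() gone, with explicit sign checks: `if (ilen < 0 || plen < 0 || ilen > plen || (size_t)plen < sizeof(*rec))`. The byte-order conversion itself matches the changelog entry for snoop files. The value returned is presumably the payload length the caller reads next; no upper bound against the caller's buffer is visible here, so confirm the caller checks it.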


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
@ -60,7 +58,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
#endif
static int tcpd_open __P((char *));


@ -1,9 +1,7 @@
/*
* Copyright (C) 1995-2000 by Darren Reed.
* Copyright (C) 1995-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <ctype.h>
@ -43,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.4 2001/06/26 10:43:18 darrenr Exp $";
#endif
extern int opts;
@ -223,12 +221,12 @@ int *out;
bzero(ipopts, sizeof(ipopts));
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); )
cps[++i] = strtok(NULL, " \b\t\r\n");
if (i < 2)
return 1;
cpp = cps;
if (!*cpp)
return 1;
c = **cpp;
if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
@ -237,12 +235,16 @@ int *out;
}
*out = (tolower(c) == 'o') ? 1 : 0;
cpp++;
if (!*cpp)
return 1;
if (!strcasecmp(*cpp, "on")) {
cpp++;
if (!*cpp)
return 1;
*ifn = strdup(*cpp++);
if (!*cpp)
return 1;
}
c = **cpp;
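Review bot: The new `if (!*cpp) return 1;` guards assume the cps array is NULL-terminated, but the tokenising loop stops at `i < 19` with cps[19] holding the twentieth token and nothing written after it; if cps is declared with 20 entries (its declaration is outside the hunk), a line of twenty or more tokens lets a later `*cpp` read run past the array. Terminate it explicitly by stopping one slot earlier and clearing the last one, e.g. `for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 18); )` followed by `cps[19] = NULL;` after the loop. The `strdup(*cpp++)` result stored in *ifn is also unchecked. The enclosing function starts and ends outside this hunk.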


@ -1,17 +1,15 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $
* $Id: ipl.h,v 2.15.2.23 2001/07/23 13:52:10 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v3.4.16"
#define IPL_VERSION "IP Filter: v3.4.20"
#endif


@ -1,9 +1,7 @@
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
typedef struct iface {
int if_MTU;


@ -1,15 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 darrenr Exp $";
#endif
#ifndef SOLARIS
#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
#endif
@ -37,7 +30,9 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 dar
# include <sys/filio.h>
# include <sys/byteorder.h>
#endif
#include <strings.h>
#if !defined(__SVR4) && !defined(__GNUC__)
# include <strings.h>
#endif
#include <signal.h>
#include <stdlib.h>
#include <stddef.h>
@ -70,6 +65,11 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 dar
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.13 2001/07/19 12:24:59 darrenr Exp $";
#endif
#if defined(sun) && !defined(SOLARIS2)
#define STRERROR(x) sys_errlist[x]
@ -121,6 +121,7 @@ static void print_statelog __P((FILE *, char *, int));
static void dumphex __P((FILE *, u_char *, int));
static int read_log __P((int, int *, char *, int));
static void write_pid __P((char *));
static char *icmpname __P((u_int, u_int));
char *hostname __P((int, int, u_32_t *));
char *portname __P((int, char *, u_int));
@ -133,7 +134,7 @@ static char *getproto __P((u_int));
static char **protocols = NULL;
static char **udp_ports = NULL;
static char **tcp_ports = NULL;
static char *argv0 = "ipmon";
#define OPT_SYSLOG 0x001
#define OPT_RESOLVE 0x002
@ -155,7 +156,49 @@ static char **tcp_ports = NULL;
#endif
void handlehup(sig)
#define ICMPUNREACHNAMES 14
static char *icmpunreachnames[ICMPUNREACHNAMES] = {
"net",
"host",
"protocol",
"port",
"needfrag",
"srcfail",
"net_unknown",
"host_unknown",
"isolated",
"net_prohib",
"host_prohib",
"tosnet",
"toshost",
"admin_prohibit"
};
#define ICMPTYPES 19
static char *icmptypes[ICMPTYPES] = {
"echoreply",
NULL,
NULL,
"unreach",
"sourcequench",
"redirect",
NULL,
NULL,
"echo",
"routeradvert",
"routersolicit",
"timxceed",
"paramprob",
"timestamp",
"timestampreply",
"inforeq",
"inforeply",
"maskreq",
"maskreply"
};
static void handlehup(sig)
int sig;
{
FILE *fp;
@ -265,6 +308,8 @@ char *hostname(res, v, ip)
int res, v;
u_32_t *ip;
{
# define MAX_INETA 16
static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
#endif
@ -278,8 +323,8 @@ u_32_t *ip;
hp = gethostbyaddr((char *)ip, sizeof(ip), AF_INET);
if (!hp)
return inet_ntoa(ipa);
return hp->h_name;
sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name, inet_ntoa(ipa));
return hname;
}
#ifdef USE_INET6
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
@ -315,6 +360,67 @@ u_int port;
}
#define TYPECODE(x,y) (((x) << 8) | (y))
static char *icmpname(type, code)
u_int type;
u_int code;
{
static char name[80];
char codeval[8], *s;
u_int typecode;
sprintf(codeval, "%d", code);
s = NULL;
if (type < ICMPTYPES)
s = icmptypes[type];
if (s == NULL)
sprintf(name, "icmptype(%d)/", type);
else
sprintf(name, "%s/", s);
if (type == ICMP_UNREACH) {
if (code >= ICMPUNREACHNAMES)
sprintf(name + strlen(name), "%d", code);
else
strcat(name, icmpunreachnames[code]);
} else {
typecode = (type << 8) | code;
switch (typecode)
{
case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_NET) :
strcat(name, "net");
break;
case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_HOST) :
strcat(name, "host");
break;
case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_TOSNET) :
strcat(name, "tosnet");
break;
case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_TOSHOST) :
strcat(name, "toshost");
break;
case TYPECODE(ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS) :
strcat(name, "intrans");
break;
case TYPECODE(ICMP_TIMXCEED, ICMP_TIMXCEED_REASS) :
strcat(name, "reass");
break;
case TYPECODE(ICMP_PARAMPROB, ICMP_PARAMPROB_OPTABSENT) :
strcat(name, "optabsent");
break;
default:
strcat(name, codeval);
break;
}
}
return name;
}
static void dumphex(log, buf, len)
FILE *log;
u_char *buf;
@ -739,9 +845,9 @@ int blen;
ic = (struct icmp *)((char *)ip + hl);
(void) sprintf(t, "%s -> ", hostname(res, v, s));
t += strlen(t);
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %d/%d",
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
hostname(res, v, d), hl, plen,
ic->icmp_type, ic->icmp_code);
icmpname((u_int) ic->icmp_type, (u_int) ic->icmp_code));
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
ic->icmp_type == ICMP_PARAMPROB ||
@ -879,7 +985,7 @@ FILE *log;
if ((fd = open(file, O_RDWR)) == -1) {
(void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno));
exit(-1);
exit(1);
}
if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
@ -942,7 +1048,7 @@ char *argv[];
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
int fdt[3], devices = 0, make_daemon = 0;
char buf[512], *iplfile[3], *s;
char buf[512], *iplfile[3];
extern int optind;
extern char *optarg;
@ -952,6 +1058,12 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
argv0 = strrchr(argv[0], '/');
if (argv0 == NULL)
argv0 = argv[0];
else
argv0++;
while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
@ -1002,14 +1114,9 @@ char *argv[];
pidfile = optarg;
break;
case 's' :
s = strrchr(argv[0], '/');
if (s == NULL)
s = argv[0];
else
s++;
openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
s = NULL;
openlog(argv0, LOG_NDELAY|LOG_PID, LOGFAC);
opts |= OPT_SYSLOG;
log = NULL;
break;
case 'S' :
opts |= OPT_STATE;
@ -1031,7 +1138,7 @@ char *argv[];
default :
case 'h' :
case '?' :
usage(argv[0]);
usage(argv0);
}
init_tabs();
@ -1052,13 +1159,14 @@ char *argv[];
(void) fprintf(stderr,
"%s: open: %s\n", iplfile[i],
STRERROR(errno));
exit(-1);
exit(1);
/* NOTREACHED */
}
if (fstat(fd[i], &sb) == -1) {
(void) fprintf(stderr, "%d: fstat: %s\n",fd[i],
STRERROR(errno));
exit(-1);
exit(1);
/* NOTREACHED */
}
if (!(regular[i] = !S_ISCHR(sb.st_mode)))
devices++;
@ -1069,25 +1177,36 @@ char *argv[];
logfile = argv[optind];
log = logfile ? fopen(logfile, "a") : stdout;
if (log == NULL) {
(void) fprintf(stderr, "%s: fopen: %s\n", argv[optind],
STRERROR(errno));
exit(-1);
exit(1);
/* NOTREACHED */
}
setvbuf(log, NULL, _IONBF, 0);
} else
log = NULL;
if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
if (fork() > 0)
#if BSD
daemon(0, !(opts & OPT_SYSLOG));
#else
int pid;
if ((pid = fork()) > 0)
exit(0);
write_pid(pidfile);
if (pid < 0) {
(void) fprintf(stderr, "%s: fork() failed: %s\n", argv0,
STRERROR(errno));
exit(1);
/* NOTREACHED */
}
setsid();
if ((opts & OPT_SYSLOG))
close(2);
#endif /* !BSD */
close(0);
close(1);
close(2);
setsid();
} else
write_pid(pidfile);
}
write_pid(pidfile);
signal(SIGHUP, handlehup);
@ -1100,8 +1219,12 @@ char *argv[];
continue;
if (!regular[i]) {
if (ioctl(fd[i], FIONREAD, &tr) == -1) {
perror("ioctl(FIONREAD)");
exit(-1);
if (opts & OPT_SYSLOG)
syslog(LOG_CRIT, "ioctl(FIONREAD): %m");
else
perror("ioctl(FIONREAD)");
exit(1);
/* NOTREACHED */
}
} else {
tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
@ -1126,14 +1249,14 @@ char *argv[];
{
case -1 :
if (opts & OPT_SYSLOG)
syslog(LOG_ERR, "read: %m\n");
syslog(LOG_CRIT, "read: %m\n");
else
perror("read");
doread = 0;
break;
case 1 :
if (opts & OPT_SYSLOG)
syslog(LOG_ERR, "aborting logging\n");
syslog(LOG_CRIT, "aborting logging\n");
else
fprintf(log, "aborting logging\n");
doread = 0;
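Review bot: In hostname(), `hp = gethostbyaddr((char *)ip, sizeof(ip), AF_INET);` passes the size of the pointer (ip is declared `u_32_t *ip`), not the 4-byte address length, so on LP64 hosts the lookup is handed 8; it should be `sizeof(*ip)`. The new hname formatting is bounded by `%.*s` and MAX_INETA, but h_name comes from a reverse-DNS answer controlled by the peer's zone owner, so non-printable bytes in it now reach the log line unfiltered — mapping them to '?' before formatting keeps the log readable. In icmpname() the `u_int` code is printed with `%d` into `codeval[8]`; the visible caller passes u_char values so it fits, but `snprintf(codeval, sizeof(codeval), "%u", code)` keeps the function safe for any caller. The return of `daemon(0, !(opts & OPT_SYSLOG))` in the BSD branch is unchecked, unlike the fork() path beside it.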


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
@ -57,7 +55,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.9 2001/07/18 15:06:33 darrenr Exp $";
#endif
@ -110,10 +108,10 @@ int main(argc, argv)
int argc;
char *argv[];
{
char *file = NULL;
int fd = -1, opts = 0, c, mode = O_RDWR;
char *file = NULL, *core = NULL;
while ((c = getopt(argc, argv, "CdFf:hlnrsv")) != -1)
while ((c = getopt(argc, argv, "CdFf:hlM:nrsv")) != -1)
switch (c)
{
case 'C' :
@ -135,6 +133,9 @@ char *argv[];
opts |= OPT_LIST;
mode = O_RDONLY;
break;
case 'M' :
core = optarg;
break;
case 'n' :
opts |= OPT_NODO;
mode = O_RDONLY;
@ -153,6 +154,13 @@ char *argv[];
usage(argv[0]);
}
if (core != NULL) {
if (openkmem(core) == -1)
exit(1);
(void) setgid(getgid());
(void) setuid(getuid());
}
gethostname(thishost, sizeof(thishost));
thishost[sizeof(thishost) - 1] = '\0';
@ -292,8 +300,10 @@ ipnat_t *ipnat;
void dostats(fd, opts)
int fd, opts;
{
hostmap_t hm, *hmp, **maptable;
natstat_t ns, *nsp = &ns;
nat_t **nt[2], *np, nat;
u_int hv, hv1, hv2;
ipnat_t ipn;
bzero((char *)&ns, sizeof(ns));
@ -353,15 +363,21 @@ int fd, opts;
printf("\n\tage %lu use %hu sumd %s/",
nat.nat_age, nat.nat_use,
getsumd(nat.nat_sumd[0]));
hv1 = NAT_HASH_FN(nat.nat_inip.s_addr,
nat.nat_inport,
0xffffffff),
hv1 = NAT_HASH_FN(nat.nat_oip.s_addr,
hv1 + nat.nat_oport,
NAT_TABLE_SZ),
hv2 = NAT_HASH_FN(nat.nat_outip.s_addr,
nat.nat_outport,
0xffffffff),
hv2 = NAT_HASH_FN(nat.nat_oip.s_addr,
hv2 + nat.nat_oport,
NAT_TABLE_SZ),
printf("%s pr %u bkt %d/%d flags %x ",
getsumd(nat.nat_sumd[1]), nat.nat_p,
(int)NAT_HASH_FN(nat.nat_inip.s_addr,
nat.nat_inport,
NAT_TABLE_SZ),
(int)NAT_HASH_FN(nat.nat_outip.s_addr,
nat.nat_outport,
NAT_TABLE_SZ),
nat.nat_flags);
hv1, hv2, nat.nat_flags);
#ifdef USE_QUAD_T
printf("bytes %qu pkts %qu",
(unsigned long long)nat.nat_bytes,
@ -379,6 +395,38 @@ int fd, opts;
printaps(nat.nat_aps, opts);
}
if (opts & OPT_VERBOSE) {
printf("\nList of active host mappings:\n");
maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
ns.ns_hostmap_sz);
if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable,
sizeof(hostmap_t *) * ns.ns_hostmap_sz)) {
perror("kmemcpy (maptable)");
return;
}
for (hv = 0; hv < ns.ns_hostmap_sz; hv++) {
hmp = maptable[hv];
while(hmp) {
if (kmemcpy((char *)&hm, (u_long)hmp,
sizeof(hostmap_t))) {
perror("kmemcpy (hostmap)");
return;
}
printf("%s -> ",
inet_ntoa(hm.hm_realip));
printf("%s ", inet_ntoa(hm.hm_mapip));
printf("(use = %d hv = %u)\n",
hm.hm_ref, hv);
hmp = hm.hm_next;
}
}
free(maptable);
}
free(nt[0]);
}
}
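Review bot: The privilege drop after openkmem(), `(void) setgid(getgid()); (void) setuid(getuid());`, discards the return values, so if either call fails ipnat carries on with its elevated credentials while the opened kmem descriptor stays usable; check them and bail out: `if (setgid(getgid()) == -1 || setuid(getuid()) == -1) { perror("setgid/setuid"); exit(1); }`. In dostats(), the maptable `malloc()` result is not checked before kmemcpy() writes `sizeof(hostmap_t *) * ns.ns_hostmap_sz` bytes into it, and the list walk follows `hm.hm_next` pointers read back from kernel memory with no length bound, so a corrupt or stale table (the -M argument is an arbitrary file) can loop forever; a fixed cap on chain length would presumably be enough. The comma-chained `hv1 = ...,` and `hv2 = ...,` assignments ahead of the printf are easy to misread as separate statements; ending them with `;` costs nothing.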


@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
@ -37,7 +35,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1 1999/08/04 17:30:56 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp $";
#endif
extern char *optarg;


@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.


@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
@ -38,7 +36,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1 1999/08/04 17:30:57 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp $";
#endif
extern char *optarg;


@ -1,9 +1,7 @@
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)linux.h 1.1 8/19/95
*/


@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>


@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
*/


@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.


@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.


@ -1,14 +1,8 @@
/*
* arp.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1 1999/08/04 17:31:03 darrenr Exp $";
#endif
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
@ -30,6 +24,11 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.1 1999/08/04 17:31:03 darrenr Ex
#include "ipsend.h"
#include "iplang/iplang.h"
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
#endif
/*
* lookup host and return


@ -1,9 +1,7 @@
/*
* (C)opyright 1997-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <strings.h>


@ -1,14 +1,8 @@
/*
* ip.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr Exp $";
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
@ -33,6 +27,10 @@ static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.3 2001/07/15 22:00:13 darrenr Exp $";
#endif
static char *ipbuf = NULL, *ethbuf = NULL;


@ -2,7 +2,7 @@
.SH NAME
ipresend \- resend IP packets out to network
.SH SYNOPSIS
.B ipsend
.B ipresend
[
.B \-EHPRSTX
] [


@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1 1999/08/04 17:31:05 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@ -34,6 +28,11 @@ static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1 1999/08/04 17:31:05 darre
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
#endif
extern char *optarg;
extern int optind;


@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@ -36,6 +30,11 @@ static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 dar
#include "ipsend.h"
#include "ipf.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.3 2001/07/15 22:00:14 darrenr Exp $";
#endif
extern char *optarg;
extern int optind;


@ -6,11 +6,7 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifndef __P
@ -67,3 +63,9 @@ extern int kmemcpy __P((char *, void *, int));
#ifndef OPT_RAW
#define OPT_RAW 0x80000
#endif
#ifndef __STDC__
# ifndef const
# define const
# endif
#endif


@ -1,14 +1,8 @@
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr Exp $";
#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@ -25,13 +19,9 @@ static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr
#include <arpa/inet.h>
#include "ipsend.h"
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
#endif


@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $";
#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
@ -38,6 +32,11 @@ static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2 1999/12/04 03:37:05 darrenr
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.2 2001/07/15 22:00:14 darrenr Exp $";
#endif
extern char *optarg;
extern int optind;


@ -1,14 +1,8 @@
/*
* Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1 1999/08/04 17:31:09 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
@ -80,6 +74,11 @@ static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1 1999/08/04 17:31:09 darren
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
#endif
#define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
(void) select(0, NULL, NULL, NULL, &tv)


@ -1,13 +1,11 @@
/*
* larp.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: larp.c,v 2.1 1999/08/04 17:31:10 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: larp.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#include <stdio.h>
#include <errno.h>


@ -1,9 +1,7 @@
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
* for the use of this software. I hate legaleese, don't you ?
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)linux.h 1.1 8/19/95
*/


@ -1,13 +1,11 @@
/*
* lsock.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1 1999/08/04 17:31:11 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>


@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 darrenr Exp $";
#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@ -39,6 +33,12 @@ static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 dar
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
#endif
extern int opts;
static u_char pbuf[65536]; /* 1 big packet */


@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <netdb.h>
@ -43,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
/*


@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
@ -40,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1.4.2 2001/06/26 10:43:22 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
@ -58,7 +56,8 @@ int sport, tout;
char devname[16], *s, buf[256];
int i, fd;
(void) sprintf(devname, "/dev/%s", device);
(void) strcpy(devname, "/dev/");
(void) strncat(devname, device, sizeof(devname) - strlen(devname));
s = devname + 5;
while (*s && !isdigit(*s))
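Review bot: The `strncat` that replaces the `sprintf` into `devname[16]` still allows a one-byte overflow: strncat appends up to its size argument and then writes the terminating NUL, so with `"/dev/"` already in place it may write 11 bytes at offsets 5..15 and the NUL at offset 16. The bound has to leave room for the terminator, `(void) strncat(devname, device, sizeof(devname) - strlen(devname) - 1);`. A `snprintf(devname, sizeof(devname), "/dev/%s", device)` whose return value is checked against `sizeof(devname)` would both bound the copy and let the function reject a truncated name instead of silently opening a different device node. The enclosing function starts and ends outside the hunk.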


@ -2,9 +2,7 @@
* (C)opyright 1992-1998 Darren Reed.
* (C)opyright 1997 Marc Boucher.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <sys/types.h>


@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
@ -29,7 +27,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1 1999/08/04 17:31:14 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#define CHUNKSIZE 8192


@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
@ -40,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: snit.c,v 2.1 1999/08/04 17:31:15 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: snit.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#define CHUNKSIZE 8192


@ -1,14 +1,8 @@
/*
* sock.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
@ -66,6 +60,12 @@ static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darre
#include <netinet/tcp_var.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
#endif
int nproc;
struct proc *proc;


@ -1,9 +1,7 @@
/*
* (C)opyright 1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <strings.h>


@ -1,12 +1,16 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# include <osreldate.h>
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#include <stdio.h>
#include <assert.h>
@ -55,7 +59,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6 2000/03/13 22:10:25 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.2 2001/06/26 10:43:19 darrenr Exp $";
#endif
extern char *optarg;
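Review bot: The three-level conditional added around `#include <osreldate.h>` collapses to a single test, `#if !defined(__FreeBSD_cc_version) || (__FreeBSD_cc_version < 430000)` followed by the one include, which is easier to read and to keep in step across files (an undefined identifier evaluates as 0 in `#if`, and `||` short-circuits, so the single form is equivalent). The same nested shape is repeated twice more in the later LKM section, inside and outside `IPFILTER_LKM`, for `<osreldate.h>` and `<sys/osreldate.h>`; one guard macro in a shared header would serve all three sites.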


@ -1,10 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* $Id: ipt.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: ipt.h,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $
*/
#ifndef __IPT_H__


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* kmemcpy() - copies n bytes from kernel memory into user buffer.
@ -18,16 +16,24 @@
#include <sys/file.h>
#include "kmem.h"
#ifndef __STDC__
# define const
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.3 2001/07/15 22:06:16 darrenr Exp $";
#endif
static int kmemfd = -1;
int openkmem()
int openkmem(core)
char *core;
{
if ((kmemfd = open(KMEM,O_RDONLY)) == -1)
if (core == NULL)
core = KMEM;
if ((kmemfd = open(core, O_RDONLY)) == -1)
{
perror("kmeminit:open");
return -1;
@ -45,7 +51,7 @@ register int n;
if (!n)
return 0;
if (kmemfd == -1)
if (openkmem() == -1)
if (openkmem(NULL) == -1)
return -1;
if (lseek(kmemfd, pos, 0) == -1)
{
@ -76,7 +82,7 @@ register int n;
if (!n)
return 0;
if (kmemfd == -1)
if (openkmem() == -1)
if (openkmem(NULL) == -1)
return -1;
if (lseek(kmemfd, pos, 0) == -1)
{
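Review bot: `openkmem(core)` assigns `kmemfd` unconditionally, so a caller that passes an explicit core image while a descriptor is already open leaks the previous descriptor; now that the path is a parameter this path is reachable from outside, and a `if (kmemfd != -1) (void) close(kmemfd);` ahead of the `open` closes the gap. Since `core` is only handed to open(), the parameter and the `kmem.h` prototype could be `const char *`; the file already defines `const` away for pre-ANSI compilers, so this costs nothing there. The `perror("kmeminit:open")` message would also be more useful if it named the file that failed to open. The body of openkmem continues outside the hunk.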


@ -1,10 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* $Id: kmem.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: kmem.h,v 2.2.2.2 2001/06/26 10:43:19 darrenr Exp $
*/
#ifndef __KMEM_H__
@ -17,7 +15,7 @@
# define __P(x) ()
# endif
#endif
extern int openkmem __P((void));
extern int openkmem __P((char *));
extern int kmemcpy __P((char *, long, int));
extern int kstrncpy __P((char *, long, int));


@ -374,7 +374,7 @@ against, e.g.:
# packets with ONLY the SYN flag set.
... flags SA
# becomes "flags SA/AUPRFS" and will match any
# becomes "flags SA/AUPRFSC" and will match any
# packet with only the SYN and ACK flags set.
... flags S/SA


@ -76,4 +76,4 @@ ipf(4)
.SH BUGS
Packet headers are dropped when the internal buffer (static size) fills.
.SH FILES
/dev/ipl0
/dev/ipl


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if (SOLARIS2 >= 7)
# define _SYS_VARARGS_H
@ -52,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $";
#endif
extern int opts;


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors. The author accepts no
* See the IPFILTER.LICENCE file for details on licencing.
* responsibility and is not changed in any way.
*
* I hate legaleese, don't you ?


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
@ -13,12 +11,24 @@
#include <sys/param.h>
#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
#if defined(__FreeBSD__)
# ifdef IPFILTER_LKM
# include <osreldate.h>
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
# define ACTUALLY_LKM_NOT_KERNEL
# else
# include <sys/osreldate.h>
# ifndef __FreeBSD_cc_version
# include <sys/osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <sys/osreldate.h>
# endif
# endif
# endif
#endif
#include <sys/systm.h>
@ -53,19 +63,16 @@
#if (__FreeBSD_version >= 300000)
# include <sys/socket.h>
#endif
#if (__FreeBSD_version >= 199511)
#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <net/route.h>
#include <net/if.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#endif
#if (__FreeBSD__ > 1)
# include <sys/sysent.h>
#endif
#include <sys/sysent.h>
#include <sys/lkm.h>
#include "netinet/ipl.h"
#include "netinet/ip_compat.h"
@ -392,7 +399,7 @@ int cmd, ver;
# endif
}
# endif /* IPFILTER_LKM */
static ipl_devsw_installed = 0;
static int ipl_devsw_installed = 0;
static void ipl_drvinit __P((void *unused))
{


@ -1,10 +1,8 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
* (C)opyright 1997 by Marc Boucher.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original authors and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/* TODO: (MARCXXX)


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
@ -42,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2 2000/03/13 22:10:26 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
#endif
extern int ipldetach __P((void));


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@ -54,7 +52,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09 darrenr Exp $";
#endif
@ -160,6 +158,8 @@ void *ptr;
printf(" udp");
if (np->in_flags & IPN_ROUNDR)
printf(" round-robin");
if (np->in_flags & IPN_FRAG)
printf(" frag");
printf("\n");
if (opts & OPT_DEBUG)
printf("\t%p %lu %#x %u %p %d\n", np->in_ifp,
@ -231,6 +231,8 @@ void *ptr;
ntohs(np->in_pmax));
}
}
if (np->in_flags & IPN_FRAG)
printf(" frag");
printf("\n");
if (opts & OPT_DEBUG) {
printf("\tifp %p space %lu nextip %s pnext %d",
@ -277,6 +279,7 @@ int linenum;
char *s, *t, *cps[31], **cpp;
int i, cnt;
proto = NULL;
if ((s = strchr(line, '\n')))
*s = '\0';
@ -553,7 +556,7 @@ int linenum;
} else
ipn.in_pmin = 0;
} else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
if (strrchr(*cpp, '/') != NULL) {
if (!*cpp || strrchr(*cpp, '/') != NULL) {
fprintf(stderr, "%d: No netmask supported in %s\n",
linenum, "destination host for redirect");
return NULL;
@ -623,6 +626,11 @@ int linenum;
ipn.in_flags |= IPN_ROUNDR;
}
if (*cpp && !strcasecmp(*cpp, "frag")) {
cpp++;
ipn.in_flags |= IPN_FRAG;
}
if (*cpp) {
fprintf(stderr,
"%d: extra junk at the end of rdr: %s\n",
@ -641,6 +649,11 @@ int linenum;
if ((ipn.in_redir & NAT_MAPBLK) != 0)
nat_setgroupmap(&ipn);
if (*cpp && !strcasecmp(*cpp, "frag")) {
cpp++;
ipn.in_flags |= IPN_FRAG;
}
if (!*cpp)
return &ipn;
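Review bot: The new `!*cpp` guard in `if (!*cpp || strrchr(*cpp, '/') != NULL)` reports "No netmask supported in destination host for redirect" when the destination is merely missing, which sends the user looking for a netmask that is not in the rule; test the two conditions separately, e.g. `if (!*cpp) { fprintf(stderr, "%d: missing destination host for redirect\n", linenum); return NULL; }` ahead of the netmask check. The `frag` keyword is parsed with an identical three-line block in two places, after the round-robin check and after `nat_setgroupmap`; a small helper for trailing options would keep the two paths from drifting. Both blocks appear to belong to the same parsing function, whose start and end lie outside the hunks.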


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@ -27,7 +25,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2 2000/03/13 22:10:26 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
#endif
extern int opts;


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
@ -394,7 +392,15 @@ int linenum;
linenum);
return NULL;
}
if (**cpp == '!') {
if (!strcmp(*cpp, "!")) {
fil.fr_flags |= FR_NOTSRCIP;
if (!*++cpp) {
fprintf(stderr,
"%d: missing host after from\n",
linenum);
return NULL;
}
} else if (**cpp == '!') {
fil.fr_flags |= FR_NOTSRCIP;
(*cpp)++;
}
@ -424,7 +430,15 @@ int linenum;
return NULL;
}
ch = 0;
if (**cpp == '!') {
if (!strcmp(*cpp, "!")) {
fil.fr_flags |= FR_NOTDSTIP;
if (!*++cpp) {
fprintf(stderr,
"%d: missing host after from\n",
linenum);
return NULL;
}
} else if (**cpp == '!') {
fil.fr_flags |= FR_NOTDSTIP;
(*cpp)++;
}
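Review bot: The error message in the second hunk, `"%d: missing host after from\n"`, is emitted on the destination side (that branch sets `FR_NOTDSTIP`), so a rule ending in a bare `to !` is reported as a problem with `from`; it should read `"%d: missing host after to\n"`. The two added blocks differ only in the flag and this message, so a shared helper taking the flag and the keyword name would keep the diagnostics from diverging again. The enclosing function starts and ends outside both hunks.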


@ -1,10 +1,9 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* $Id: pcap.h,v 2.2 2000/03/13 22:10:27 darrenr Exp $
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: pcap.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $
*/
/*
* This header file is constructed to match the version described by


@ -107,7 +107,7 @@ char *argv[];
int fd, sl = sizeof(sl), se;
openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
if ((fd = open("/dev/ipl", O_RDONLY)) == -1) {
if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) {
se = errno;
perror("open");
errno = se;
@ -115,6 +115,9 @@ char *argv[];
exit(-1);
}
bzero(&nl, sizeof(nl));
nl.nl_flags = IPN_TCP;
bzero(&sin, sizeof(sin));
sin.sin_family = AF_INET;
sl = sizeof(sin);
@ -151,8 +154,8 @@ char *argv[];
exit(-1);
}
sin.sin_port = nl.nl_inport;
sin.sin_addr = nl.nl_inip;
sin.sin_port = nl.nl_realport;
sin.sin_addr = nl.nl_realip;
sl = sizeof(sin);
fd = socket(AF_INET, SOCK_STREAM, 0);


@ -1,9 +1,7 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifndef __SNOOP_H__
@ -11,7 +9,7 @@
/*
* written to comply with the RFC (1761) from Sun.
* $Id: snoop.h,v 2.2 2000/03/13 22:10:27 darrenr Exp $
* $Id: snoop.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $
*/
struct snoophdr {
char s_id[8];


@ -1,12 +1,10 @@
/*
* Copyright (C) 1993-2000 by Darren Reed.
* Copyright (C) 1993-2001 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.8 2000/11/27 10:28:41 darrenr Exp $"
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.20 2001/07/18 14:58:28 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@ -147,7 +145,7 @@ static struct modlinkage modlink1 = { MODREV_1, &iplmod, NULL };
static size_t hdrsizes[57][2] = {
{ 0, 0 },
{ IFT_OTHER, 0 },
{ IFT_1822, 0 },
{ IFT_1822, 14 }, /* 14 for ire0 ?? */
{ IFT_HDH1822, 0 },
{ IFT_X25DDN, 0 },
{ IFT_X25, 0 },
@ -210,8 +208,6 @@ int _init()
{
int ipfinst;
if (fr_running < 0)
return -1;
ipfinst = mod_install(&modlink1);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
@ -224,8 +220,6 @@ int _fini(void)
{
int ipfinst;
if (fr_running < 0)
return -1;
ipfinst = mod_remove(&modlink1);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
@ -239,8 +233,6 @@ struct modinfo *modinfop;
{
int ipfinst;
if (fr_running < 0)
return -1;
ipfinst = mod_info(&modlink1, modinfop);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", modinfop, ipfinst);
@ -275,6 +267,31 @@ dev_info_t *dip;
}
static void ipf_ire_walk(ire, arg)
ire_t *ire;
void *arg;
{
qif_t *qif = arg;
if ((ire->ire_type == IRE_CACHE) &&
#if SOLARIS2 >= 6
(ire->ire_ipif != NULL) &&
(ire->ire_ipif->ipif_ill == qif->qf_ill)
#else
(ire_to_ill(ire) == qif->qf_ill)
#endif
) {
#if SOLARIS2 >= 8
mblk_t *m = ire->ire_fp_mp;
#else
mblk_t *m = ire->ire_ll_hdr_mp;
#endif
if (m != NULL)
qif->qf_hl = m->b_wptr - m->b_rptr;
}
}
static int ipf_attach(dip, cmd)
dev_info_t *dip;
ddi_attach_cmd_t cmd;
@ -336,6 +353,14 @@ ddi_attach_cmd_t cmd;
drv_usectohz(500000));
if (fr_running == 1)
return DDI_SUCCESS;
#if SOLARIS2 >= 8
case DDI_RESUME :
case DDI_PM_RESUME :
if (ipfr_timer_id == 0)
ipfr_timer_id = timeout(ipfr_slowtimer, NULL,
drv_usectohz(500000));
return DDI_SUCCESS;
#endif
default:
return DDI_FAILURE;
}
@ -403,6 +428,19 @@ ddi_detach_cmd_t cmd;
cmn_err(CE_CONT, "%s detached\n", ipfilter_version);
return (DDI_SUCCESS);
}
#if SOLARIS2 >= 8
case DDI_SUSPEND :
case DDI_PM_SUSPEND :
if (ipfr_timer_id != 0) {
untimeout(ipfr_timer_id);
ipfr_timer_id = 0;
}
if (synctimeoutid) {
untimeout(synctimeoutid);
synctimeoutid = 0;
}
return DDI_SUCCESS;
#endif
default:
return (DDI_FAILURE);
}
@ -479,7 +517,7 @@ size_t off;
m = m->b_cont;
cmn_err(CE_CONT, " !IP %s:%d %d %p %p %p %d %p/%d %p/%d %p %d %d %p\n",
qif ? qif->qf_name : "?", out, qif->qf_hl, q,
qif ? qif->qf_name : "?", out, qif ? qif->qf_hl : -1, q,
q ? q->q_ptr : NULL, q ? q->q_qinfo : NULL,
mt->b_wptr - mt->b_rptr, m, MTYPE(m), mt, MTYPE(mt), m->b_rptr,
m->b_wptr - m->b_rptr, off, ip);
@ -529,8 +567,8 @@ int out;
{
register mblk_t *m, *mt = *mp;
register ip_t *ip;
size_t hlen, len, off, mlen, iphlen, plen;
int err, synced = 0, sap, p;
size_t hlen, len, off, off2, mlen, iphlen, plen, woff;
int err, synced = 0, sap, p, realigned = 0, multi = 0;
u_char *bp;
#if SOLARIS2 >= 8
ip6_t *ip6;
@ -556,8 +594,21 @@ int out;
bp = (u_char *)ALIGN32(mt->b_rptr);
if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) {
dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
if (dl->dl_primitive != DL_UNITDATA_IND &&
dl->dl_primitive != DL_UNITDATA_REQ) {
if (dl->dl_primitive == DL_UNITDATA_IND) {
multi = dl->dl_group_address;
m = mt->b_cont;
/*
* This is a complete kludge to try and work around
* some bizarre packets which drop through into
* fr_donotip.
*/
if (m && multi && ((*((u_char *)m->b_rptr) == 0x0) &&
((*((u_char *)m->b_rptr + 2) == 0x45)))) {
ip = (ip_t *)(m->b_rptr + 2);
off = 2;
} else
off = 0;
} else if (dl->dl_primitive != DL_UNITDATA_REQ) {
ip = (ip_t *)dl;
if ((ip->ip_v == IPVERSION) &&
(ip->ip_hl == (sizeof(*ip) >> 2)) &&
@ -584,19 +635,6 @@ int out;
return 0; /* No data blocks */
}
/*
* This is a complete kludge to try and work around some bizarre
* packets which drop through into fr_donotip.
*/
if ((mt != m) && (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO)) {
dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
if ((dl->dl_primitive == DL_UNITDATA_IND) &&
(dl->dl_group_address == 1))
if (((*((u_char *)m->b_rptr) == 0x0) &&
((*((u_char *)m->b_rptr + 2) == 0x45))))
off += 2;
}
ip = (ip_t *)(m->b_rptr + off); /* MMM */
/*
@ -648,10 +686,13 @@ int out;
((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];
((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];
plen = ntohs(tlen);
sap = IP6_DL_SAP;
if (!plen)
return -1; /* Jumbo gram */
plen += sizeof(*ip6);
}
#endif
else {
plen = 0;
hlen = 0;
sap = -1;
}
@ -659,34 +700,77 @@ int out;
/*
* Ok, the IP header isn't on a 32bit aligned address so junk it.
*/
if (((u_int)ip & 0x3) || (len < hlen) || (sap == -1)) {
mblk_t *m2;
u_char *s;
if (((u_long)ip & 0x3) || (plen > mlen) || (len < hlen) ||
(sap == -1)) {
mblk_t *m1, *m2;
u_char *s, c;
int v;
/*
* Junk using pullupmsg - it's next to useless.
*/
fixalign:
if (off)
m->b_rptr -= off;
c = *(u_char *)ip;
c >>= 4;
if (c != 4
#if SOLARIS2 >= 8
&& c != 6
#endif
) {
frstats[out].fr_notip++;
return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
}
if (realigned)
return -1;
realigned = 1;
off2 = (size_t)((u_long)ip & 0x3);
if (off2)
off2 = 4 - off2;
len = msgdsize(m);
m2 = allocb(len, BPRI_HI);
m2 = allocb(len + off2, BPRI_HI);
if (m2 == NULL) {
frstats[out].fr_pull[1]++;
return -1;
}
m2->b_wptr = m2->b_rptr + len;
s = (u_char *)ip;
for (bp = m2->b_rptr; m; bp += len) {
len = m->b_wptr - s;
bcopy(m->b_rptr, bp, len);
m = m->b_cont;
if (m)
s = m->b_rptr;
}
*mp = m2;
MTYPE(m2) = M_DATA;
freemsg(mt);
mt = m2;
if (m->b_rptr != (u_char *)ip)
m2->b_rptr += off2;
m2->b_wptr = m2->b_rptr + len;
m1 = m;
s = (u_char *)m->b_rptr;
for (bp = m2->b_rptr; m1 && (bp < m2->b_wptr); bp += len) {
len = MIN(m1->b_wptr - s, m2->b_wptr - bp);
bcopy(s, bp, len);
m1 = m1->b_cont;
if (m1)
s = m1->b_rptr;
}
if (mt != m && mt->b_cont == m && !off) {
/*
* check if the buffer we're changing is chained in-
* between other buffers and unlink/relink as required.
*/
(void) unlinkb(mt); /* should return 'm' */
m1 = unlinkb(m);
if (m1)
linkb(m2, m1);
freemsg(m);
linkb(mt, m2);
} else {
if (m == mt) {
m1 = unlinkb(mt);
if (m1)
linkb(m2, m1);
}
freemsg(mt);
*mp = m2;
mt = m2;
}
frstats[out].fr_pull[0]++;
synced = 1;
@ -714,7 +798,7 @@ int out;
#ifndef sparc
# if SOLARIS2 >= 8
if (sap == IP6_DL_SAP) {
ip6->ip6_plen = plen;
ip6->ip6_plen = plen - sizeof(*ip6);
} else {
# endif
__ipoff = (u_short)ip->ip_off;
@ -734,7 +818,7 @@ int out;
if ((
#if SOLARIS2 >= 8
(sap == IP6_DL_SAP) && (mlen < iphlen + plen)) ||
(sap == IP6_DL_SAP) && (mlen < plen)) ||
((sap == 0) &&
#endif
((iphlen < hlen) || (iphlen > plen) || (mlen < plen)))) {
@ -744,7 +828,7 @@ int out;
#ifndef sparc
# if SOLARIS2 >= 8
if (sap == IP6_DL_SAP) {
ip6->ip6_plen = htons(plen);
ip6->ip6_plen = htons(plen - sizeof(*ip6));
} else {
# endif
__ipoff = (u_short)ip->ip_off;
@ -790,15 +874,13 @@ int out;
break;
}
woff = 0;
if (hlen > mlen) {
hlen = mlen;
#if SOLARIS2 >= 8
} else if (sap == IP6_DL_SAP) {
if (m->b_wptr - m->b_rptr > plen + hlen)
m->b_wptr = m->b_rptr + plen + hlen;
#endif
} else if (m->b_wptr - m->b_rptr > plen)
m->b_wptr = m->b_rptr + plen;
} else if (m->b_wptr - m->b_rptr > plen) {
woff = m->b_wptr - m->b_rptr - plen;
m->b_wptr -= woff;
}
/*
* If we don't have enough data in the mblk or we haven't yet copied
@ -806,7 +888,7 @@ int out;
*/
if ((hlen > len)) {
if (!pullupmsg(m, (int)hlen)) {
cmn_err(CE_NOTE, "pullupmsg failed\n");
cmn_err(CE_NOTE, "pullupmsg failed");
frstats[out].fr_pull[1]++;
return -1;
}
@ -818,8 +900,9 @@ int out;
qif->qf_off = off;
qif->qf_len = len;
err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp);
if (err == 2)
if (err == 2) {
goto fixalign;
}
/*
* Copy back the ip header data if it was changed, we haven't yet
* freed the message and we aren't going to drop the packet.
@ -828,11 +911,12 @@ int out;
*/
if (*mp != NULL) {
if (*mp == mt) {
m->b_wptr += woff;
m->b_rptr -= off;
#ifndef sparc
# if SOLARIS2 >= 8
if (sap == IP6_DL_SAP) {
ip6->ip6_plen = htons(plen);
ip6->ip6_plen = htons(plen - sizeof(*ip6));
} else {
# endif
__ipoff = (u_short)ip->ip_off;
@ -847,13 +931,37 @@ int out;
#endif
} else
cmn_err(CE_NOTE,
"!IP Filter: *mp %p mt %p %s\n", *mp, mt,
"!IP Filter: *mp %p mt %p %s", *mp, mt,
"mblk changed, cannot revert ip_len, ip_off");
}
return err;
}
/*
* Only called for M_IOCACK messages
*/
void fr_qif_update(qif, mp)
qif_t *qif;
mblk_t *mp;
{
struct iocblk *iocp;
if (!qif || !mp)
return;
iocp = (struct iocblk *)mp->b_rptr;
if (mp->b_cont && (iocp->ioc_cmd == DL_IOC_HDR_INFO)) {
mp = mp->b_cont;
if (MTYPE(mp) == M_PROTO && mp->b_cont) {
mp = mp->b_cont;
if (MTYPE(mp) == M_DATA) {
qif->qf_hl = mp->b_wptr - mp->b_rptr;
}
}
}
}
int fr_qin(q, mb)
queue_t *q;
mblk_t *mb;
@ -863,6 +971,7 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
@ -871,6 +980,17 @@ mblk_t *mb;
mblk_t *m1;
m1 = copymsg(mb);
if (!m1) {
frstats[0].fr_drop++;
mb->b_next = NULL;
mb->b_prev = NULL;
freemsg(mb);
return 0;
}
m1->b_next = mb->b_next;
mb->b_next = NULL;
m1->b_prev = mb->b_prev;
mb->b_prev = NULL;
freemsg(mb);
mb = m1;
frstats[0].fr_copy++;
@ -881,6 +1001,7 @@ mblk_t *mb;
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
@ -925,17 +1046,21 @@ mblk_t *mb;
frstats[0].fr_drop++;
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
bcopy((char *)qif, (char *)&qf, sizeof(qf));
qif = &qf;
type = MTYPE(mb);
pnext = qif->qf_rqinfo->qi_putp;
type = MTYPE(mb);
if (type == M_IOCACK)
fr_qif_update(qif, mb);
else {
bcopy((char *)qif, (char *)&qf, sizeof(qf));
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, qif, 0);
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, &qf, 0);
}
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@ -944,11 +1069,13 @@ mblk_t *mb;
if (pnext)
return (*pnext)(q, mb);
cmn_err(CE_WARN, "!IP Filter: inp NULL: qif %x q %x info %x",
qif, q, q->q_qinfo);
cmn_err(CE_WARN,
"!IP Filter: inp NULL: qif %x %s q %x info %x",
&qf, qf.qf_name, q, q->q_qinfo);
}
if (mb) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
}
return 0;
@ -964,14 +1091,32 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
if (mb->b_datap->db_ref > 1) {
#if SOLARIS2 >= 6
if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) &&
(mb->b_datap->db_ref > 1))
#else
if (mb->b_datap->db_ref > 1)
#endif
{
mblk_t *m1;
m1 = copymsg(mb);
if (!m1) {
frstats[1].fr_drop++;
mb->b_next = NULL;
mb->b_prev = NULL;
freemsg(mb);
return 0;
}
m1->b_next = mb->b_next;
mb->b_next = NULL;
m1->b_prev = mb->b_prev;
mb->b_prev = NULL;
freemsg(mb);
mb = m1;
frstats[1].fr_copy++;
@ -982,6 +1127,7 @@ mblk_t *mb;
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
@ -998,7 +1144,7 @@ mblk_t *mb;
synced = 1;
goto again;
}
/* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */
/* fr_donotip(1, NULL, q, mb, mb, NULL, 0); */
RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
@ -1036,17 +1182,21 @@ mblk_t *mb;
frstats[1].fr_drop++;
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
bcopy((char *)qif, (char *)&qf, sizeof(qf));
qif = &qf;
type = MTYPE(mb);
pnext = qif->qf_wqinfo->qi_putp;
type = MTYPE(mb);
if (type == M_IOCACK)
fr_qif_update(qif, mb);
else {
bcopy((char *)qif, (char *)&qf, sizeof(qf));
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, qif, 1);
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, &qf, 1);
}
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@ -1057,10 +1207,11 @@ mblk_t *mb;
cmn_err(CE_WARN,
"!IP Filter: outp NULL: qif %x %s q %x info %x",
qif, qif->qf_name, q, q->q_qinfo);
&qf, qf.qf_name, q, q->q_qinfo);
}
if (mb) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
}
return 0;
@ -1080,6 +1231,7 @@ void *arg;
RWLOCK_EXIT(&ipf_solaris);
}
static int ipf_ip_qin(q, mb)
queue_t *q;
mblk_t *mb;
@ -1089,6 +1241,7 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
@ -1100,18 +1253,24 @@ mblk_t *mb;
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
ioc = (struct iocblk *)mb->b_rptr;
switch (ioc->ioc_cmd) {
switch (ioc->ioc_cmd)
{
case DL_IOC_HDR_INFO:
fr_qif_update(qif_from_queue(q), mb);
break;
case I_LINK:
case I_UNLINK:
case SIOCSIFADDR:
case SIOCSIFFLAGS:
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x\n", ioc->ioc_cmd);
cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
ioc->ioc_cmd);
#endif
WRITE_ENTER(&ipfs_mutex);
if (synctimeoutid == 0) {
@ -1135,7 +1294,7 @@ extern struct streamtab ipinfo;
void solipdrvattach()
{
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx\n",
cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
#endif
@ -1150,7 +1309,7 @@ void solipdrvattach()
int solipdrvdetach()
{
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx\n",
cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
#endif
@ -1212,7 +1371,7 @@ void solattach()
KMALLOC(qif, qif_t *);
if (!qif) {
cmn_err(CE_WARN,
"IP Filter: malloc(%d) for qif_t failed\n",
"IP Filter: malloc(%d) for qif_t failed",
sizeof(qif_t));
RWLOCK_EXIT(&ipfs_mutex);
continue;
@ -1288,11 +1447,17 @@ void solattach()
(hdrsizes[il->ill_type][0] == il->ill_type))
qif->qf_hl = hdrsizes[il->ill_type][1];
if (qif->qf_hl == 0)
if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER)
cmn_err(CE_WARN,
"Unknown layer 2 header size for %s type %d\n",
qif->qf_name, il->ill_type);
"Unknown layer 2 header size for %s type %d",
il->ill_name, il->ill_type);
}
/*
* XXX Awful hack for PPP; fix when PPP/snoop fixed.
*/
if (il->ill_type == IFT_ETHER && !il->ill_bcast_addr_length)
qif->qf_hl = 0;
#endif
strncpy(qif->qf_name, il->ill_name, sizeof(qif->qf_name));
qif->qf_name[sizeof(qif->qf_name) - 1] = '\0';
@ -1377,6 +1542,7 @@ void solattach()
#endif
out->q_qinfo = &qif->qf_wqinit;
ire_walk(ipf_ire_walk, (char *)qif);
RWLOCK_EXIT(&ipfs_mutex);
cmn_err(CE_CONT, "IP Filter: attach to [%s,%d] - %s\n",
qif->qf_name, il->ill_ppa,
@ -1634,7 +1800,7 @@ frdest_t *fdp;
* data, not the original, if and only if it is already pointing at
* the current mblk data.
*/
if (ip == (ip_t *)qf->qf_m->b_rptr && qf->qf_m != mb)
if ((ip == (ip_t *)qf->qf_m->b_rptr) && (qf->qf_m != mb))
ip = (ip_t *)mb->b_rptr;
/*
@ -1646,6 +1812,7 @@ frdest_t *fdp;
mp = (*mpp)->b_cont;
(*mpp)->b_cont = NULL;
(*mpp)->b_prev = NULL;
(*mpp)->b_next = NULL;
freemsg(*mpp);
*mpp = mp;
}
@ -1666,7 +1833,7 @@ frdest_t *fdp;
if (!ir)
ir = (ire_t *)-1;
fd.fd_ifp = (struct ifnet *)ir;
fd.fd_ifp = (struct ifnet *)ir;
fd.fd_ip = ip->ip_dst;
fdp = &fd;
}
@ -1715,6 +1882,7 @@ frdest_t *fdp;
if (ifp == NULL)
goto bad_fastroute;
fr = fin->fin_fr;
/*
* In case we're here due to "to <if>" being used with
* "keep state", check that we're going in the correct
@ -1722,7 +1890,7 @@ frdest_t *fdp;
*/
if ((fr != NULL) && (fdp->fd_ifp != NULL) &&
(fin->fin_rev != 0) && (fdp == &fr->fr_tif))
return -1;
return 1;
fin->fin_ifp = ifp;
if (fin->fin_out == 0) {
@ -1783,6 +1951,7 @@ frdest_t *fdp;
q = WR(ir->ire_rfq);
if (q) {
mb->b_prev = NULL;
mb->b_next = NULL;
mb->b_queue = q;
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@ -1804,13 +1973,16 @@ frdest_t *fdp;
READ_ENTER(&ipf_solaris);
READ_ENTER(&ipfs_mutex);
ipl_frouteok[0]++;
*mpp = NULL;
return 0;
}
}
bad_fastroute:
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
ipl_frouteok[1]++;
*mpp = NULL;
return -1;
}


@ -15,7 +15,7 @@ first:
-mkdir -p results
# Filtering tests
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
@ -28,7 +28,7 @@ ntests: n1 n2 n3 n4 n5 n6 n7
f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14:
@/bin/sh ./dotest $@
f12:
f12 f13:
@/bin/sh ./hextest $@
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@ -38,6 +38,6 @@ n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/*
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 results/*
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
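Review bot: The `clean` target now lists the filter tests out of numeric order (`f13 f12 f14`) while `ftests` keeps them sorted, which makes the two lists harder to compare by eye. I would write the line as `/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 results/*`. The same set of names is now maintained by hand in three places (`ftests`, the `f12 f13:` hextest rule and `clean`), so a future test number could be dropped from one of them.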


@ -1,4 +1,4 @@
pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
block in on lo0(!) proto tcp from any to any flags A/0xbf
block in on lo0(!) proto tcp from any to any flags A/FSRPAUC
pass in on lo0(!) proto tcp from any to any flags /SPA
block in on lo0(!) proto tcp from any to any flags 0x80/A
block in on lo0(!) proto tcp from any to any flags C/A


@ -33,6 +33,10 @@
45 00 001c 0008 2000 3f 11 0000 01010101 02010101
0035003500040000
# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short)
45 00 0018 0008 2000 3f 11 0000 01010101 02010101
00350036
# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
45 00 001c 0008 0001 3f 11 0000 01010101 02010101
0000000000000000