This commit was generated by cvs2svn to compensate for changes in r92686,
which included commits to RCS files with non-trunk default branches.
commit
f371049810
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=92687
@ -2,27 +2,29 @@ filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
|
||||
[ proto ] [ ip ] [ group ].
|
||||
|
||||
insert = "@" decnumber .
|
||||
action = block | "pass" | log | "count" | skip | auth | call .
|
||||
action = block | "no-match" | "pass" | log | "count" | skip | auth | call .
|
||||
in-out = "in" | "out" .
|
||||
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
|
||||
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
|
||||
[ via ] ] .
|
||||
tos = "tos" decnumber | "tos" hexnumber .
|
||||
ttl = "ttl" decnumber .
|
||||
proto = "proto" protocol .
|
||||
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
||||
group = [ "head" decnumber ] [ "group" decnumber ] .
|
||||
|
||||
block = "block" [ reutrn-icmp[return-code] | "return-rst" ] .
|
||||
block = "block" [ return-icmp[return-code] | "return-rst" ] .
|
||||
auth = "auth" | "preauth" .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
|
||||
call = "call" [ "now" ] function-name .
|
||||
skip = "skip" decnumber .
|
||||
dup = "dup-to" interface-name[":"ipaddr] .
|
||||
via = "in-via" interface-name | "out-via" interface-name .
|
||||
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
|
||||
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
|
||||
srcdst = "all" | fromto .
|
||||
fromto = "from" object "to" object .
|
||||
|
||||
reutrn-icmp = "return-icmp" | "return-icmp-as-dest" .
|
||||
return-icmp = "return-icmp" | "return-icmp-as-dest" .
|
||||
loglevel = facility"."priority | priority .
|
||||
object = addr [ port-comp | port-range ] .
|
||||
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
|
||||
@ -32,7 +34,8 @@ flags = "flags" flag { flag } [ "/" flag { flag } ] .
|
||||
with = "with" | "and" .
|
||||
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
|
||||
return-code = "("icmp-code")" .
|
||||
keep = "keep" "state" | "keep" "frags" .
|
||||
keep = "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
|
||||
state-age = decnmber [ "/" decnumber ] .
|
||||
|
||||
nummask = host-name [ "/" decnumber ] .
|
||||
host-name = ipaddr | hostname | "any" .
|
||||
|
@ -8,7 +8,7 @@
|
||||
BINDEST=/usr/sbin
|
||||
SBINDEST=/sbin
|
||||
MANDIR=/usr/share/man
|
||||
CC=cc -Wall -Wuninitialized -Wstrict-prototypes -Werror -O
|
||||
CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O
|
||||
CFLAGS=-g -I$(TOP)
|
||||
#
|
||||
# For NetBSD/FreeBSD
|
||||
@ -39,22 +39,23 @@ INSTALL=install
|
||||
#
|
||||
MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
|
||||
ip_auth.o ip_log.o
|
||||
DFLAGS=$(IPFLKM) $(IPFLOG) $(DEF) $(DLKM)
|
||||
DFLAGS=$(IPFLKM) $(DEF) $(DLKM)
|
||||
IPF=ipf.o parse.o common.o opt.o facpri.o
|
||||
IPT=ipt.o parse.o common.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o \
|
||||
opt.o ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \
|
||||
ip_auth_u.o ipft_hx.o ip_fil_u.o natparse.o facpri.o
|
||||
IPNAT=ipnat.o kmem.o natparse.o common.o
|
||||
FILS=fils.o parse.o kmem.o opt.o facpri.o common.o
|
||||
ip_auth_u.o ipft_hx.o ip_fil_u.o ip_log_u.o natparse.o facpri.o \
|
||||
printnat.o printstate.o
|
||||
IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o
|
||||
FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o
|
||||
|
||||
build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM)
|
||||
|
||||
ipfstat: $(FILS)
|
||||
$(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \
|
||||
-o $@ $(LIBS) $(STATETOP_LIB)
|
||||
$(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
|
||||
$(FILS) -o $@ $(LIBS) $(STATETOP_LIB) -lkvm
|
||||
|
||||
ipf: $(IPF)
|
||||
$(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
|
||||
$(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
|
||||
/bin/rm -f $(TOP)/ipf
|
||||
ln -s `pwd`/ipf $(TOP)
|
||||
|
||||
@ -64,10 +65,10 @@ ipftest: $(IPT)
|
||||
ln -s `pwd`/ipftest $(TOP)
|
||||
|
||||
ipnat: $(IPNAT)
|
||||
$(CC) $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS)
|
||||
$(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm
|
||||
|
||||
ipfs: ipfs.o
|
||||
$(CC) $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
|
||||
$(CC) -static $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
|
||||
|
||||
tests:
|
||||
(cd test; make )
|
||||
@ -107,6 +108,14 @@ natparse.o: $(TOP)/natparse.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
|
||||
$(TOP)/ip_compat.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@
|
||||
|
||||
printnat.o: $(TOP)/printnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
|
||||
$(TOP)/ip_compat.h $(TOP)/ip_proxy.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printnat.c -o $@
|
||||
|
||||
printstate.o: $(TOP)/printstate.c $(TOP)/ip_fil.h $(TOP)/ipf.h \
|
||||
$(TOP)/ip_state.h $(TOP)/ip_compat.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printstate.c -o $@
|
||||
|
||||
ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \
|
||||
$(TOP)/snoop.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
|
||||
@ -130,7 +139,8 @@ ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@
|
||||
|
||||
ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
|
||||
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_nat.h
|
||||
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_rcmd_pxy.c \
|
||||
$(TOP)/ip_raudio_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@
|
||||
|
||||
ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
|
||||
@ -148,6 +158,9 @@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
|
||||
ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@
|
||||
|
||||
ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_log.c -o $@
|
||||
|
||||
if_ipl.o: $(MODOBJS)
|
||||
ld -r $(MODOBJS) -o $(LKM)
|
||||
${RM} -f if_ipl
|
||||
@ -170,7 +183,7 @@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
|
||||
|
||||
ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
|
||||
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_raudio_pxy.c \
|
||||
$(TOP)/ip_nat.h
|
||||
$(TOP)/ip_rcmd_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
|
||||
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
|
||||
|
||||
ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
|
||||
@ -207,6 +220,8 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h
|
||||
|
||||
ipmon: $(TOP)/ipmon.c
|
||||
$(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS)
|
||||
/bin/rm -f $(TOP)/ipmon
|
||||
ln -s `pwd`/ipmon $(TOP)
|
||||
|
||||
clean:
|
||||
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
|
||||
@ -231,10 +246,20 @@ install:
|
||||
-if [ -d /modules -a -f ipf.ko ] ; then \
|
||||
cp ipf.ko /modules; \
|
||||
fi
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipf $(SBINDEST)
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipfs $(SBINDEST)
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipnat $(SBINDEST)
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipfstat $(SBINDEST)
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipmon $(BINDEST)
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipftest $(BINDEST)
|
||||
@for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \
|
||||
ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
|
||||
def="`expr $$i : '[^:]*:\(.*\)'`"; \
|
||||
p="`expr $$i : '\([^:]*\):.*'`"; \
|
||||
for d in $(BINDEST) $(SBINDEST); do \
|
||||
if [ -f $$d/$$i ] ; then \
|
||||
echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
|
||||
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
|
||||
dd=$$d; \
|
||||
fi; \
|
||||
done; \
|
||||
if [ -z "$$dd" ] ; then \
|
||||
echo $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
|
||||
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
|
||||
fi \
|
||||
done
|
||||
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
|
||||
|
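Review bot: In the new install loop the existence test at L484 uses `$$i`, which is the whole `name:dir` pair, so `[ -f $$d/$$i ]` checks a path like `/sbin/ipf:/sbin` and can never succeed; every binary therefore falls through to the `$$def` install, which is what the six replaced `-$(INSTALL)` lines already did, and the "replace the binary where it currently lives" intent is not realised. Once that is fixed a second problem appears: `dd` is never cleared between iterations of the outer loop, so after the first binary is found in place the `-z "$$dd"` test is false for every later one and a binary missing from both directories is silently not installed. Change the test to `if [ -f $$d/$$p ] ; then \` and add `dd=""; \` immediately after the `p=` assignment. The `@` prefix also hides the loop itself, so the only trace of a failed `$(INSTALL)` is the preceding echo.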
@ -9,13 +9,17 @@ argv0=`basename $0`
|
||||
dir=`pwd`
|
||||
karch=`uname -m`
|
||||
archdir="/sys/arch/$karch"
|
||||
ipfdir=/sys/netinet
|
||||
if [ -d /sys/contrib/ipfilter ] ; then
|
||||
ipfdir=/sys/contrib/ipfilter/netinet
|
||||
fi
|
||||
confdir="$archdir/conf"
|
||||
|
||||
echo -n "Installing "
|
||||
for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_ftp_pxy.c ip_rcmd_pxy.c ip_raudio_pxy.c ; do
|
||||
for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_*_pxy.c ; do
|
||||
echo -n "$i "
|
||||
cp $i /sys/netinet/
|
||||
chmod 644 /sys/netinet/$i
|
||||
cp $i $ipfdir
|
||||
chmod 644 $ipfdir/$i
|
||||
done
|
||||
echo ""
|
||||
if [ -f /sys/netinet/ip_fil_compat.h ] ; then
|
||||
|
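Review bot: The new `ipfdir` selection at L536-L542 tests for `/sys/contrib/ipfilter` but then copies into `/sys/contrib/ipfilter/netinet`; if only the parent directory exists, `cp $i $ipfdir` creates a regular file named `netinet`, each later iteration overwrites it, and `chmod 644 $ipfdir/$i` fails without stopping the script. Test the directory that is actually written to: `if [ -d /sys/contrib/ipfilter/netinet ] ; then`. The csh FreeBSD-4.0 script has the same pattern at L724 (`if ( -d /sys/contrib/ipfilter ) set ipfdir=...`). The loop also ignores the exit status of `cp`, so a failed copy only shows up later as a kernel built from the old sources; `cp $i $ipfdir || exit 1` would stop at the first failure.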
@ -9,11 +9,17 @@ set confdir="$archdir/conf"
|
||||
if ( $dir =~ */FreeBSD* ) cd ..
|
||||
echo -n "Installing "
|
||||
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
|
||||
ip_proxy.[ch] ip_{ftp,rcmd}_pxy.c mlf_ipl.c ipl.h ip_compat.h \
|
||||
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h \
|
||||
ip_auth.[ch] ip_log.c)
|
||||
echo -n "$i ";
|
||||
cp $i /sys/netinet
|
||||
chmod 644 /sys/netinet/$i
|
||||
switch ( $i )
|
||||
case *.h:
|
||||
/bin/cp $i /usr/include/netinet/$i
|
||||
chmod 644 /usr/include/netinet/$i
|
||||
breaksw
|
||||
endsw
|
||||
end
|
||||
echo ""
|
||||
echo "Copying /usr/include/osreldate.h to /sys/sys"
|
||||
|
@ -9,11 +9,17 @@ set confdir="$archdir/conf"
|
||||
if ( $dir =~ */FreeBSD* ) cd ..
|
||||
echo -n "Installing "
|
||||
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
|
||||
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
|
||||
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h \
|
||||
ip_compat.h ip_auth.[ch] ip_log.c)
|
||||
echo -n "$i ";
|
||||
cp $i /sys/netinet
|
||||
chmod 644 /sys/netinet/$i
|
||||
switch ( $i )
|
||||
case *.h:
|
||||
/bin/cp $i /usr/include/netinet/$i
|
||||
chmod 644 /usr/include/netinet/$i
|
||||
breaksw
|
||||
endsw
|
||||
end
|
||||
echo ""
|
||||
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
|
||||
|
@ -2,27 +2,38 @@
|
||||
#
|
||||
set dir=`pwd`
|
||||
set karch=`uname -m`
|
||||
set ipfdir=/sys/netinet
|
||||
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
|
||||
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
|
||||
if ( -d /sys/$karch ) set archdir="/sys/$karch"
|
||||
if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet
|
||||
set confdir="$archdir/conf"
|
||||
|
||||
if ( $dir =~ */FreeBSD* ) cd ..
|
||||
echo -n "Installing "
|
||||
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
|
||||
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c mlfk_ipl.c \
|
||||
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c mlfk_ipl.c \
|
||||
ipl.h ip_compat.h ip_auth.[ch] ip_log.c)
|
||||
echo -n "$i ";
|
||||
cp $i /sys/netinet
|
||||
chmod 644 /sys/netinet/$i
|
||||
cp $i $ipfdir
|
||||
chmod 644 $ipfdir/$i
|
||||
switch ( $i )
|
||||
case *.h:
|
||||
/bin/cp $i /usr/include/netinet/$i
|
||||
chmod 644 /usr/include/netinet/$i
|
||||
breaksw
|
||||
endsw
|
||||
end
|
||||
echo ""
|
||||
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
|
||||
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
|
||||
|
||||
echo ""
|
||||
echo "Patching ip6_input.c and ip6_output.c"
|
||||
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch)
|
||||
patchfile=FreeBSd-4.0/ipv6-patch-$krev
|
||||
if ( -f $patchfile ) then
|
||||
echo ""
|
||||
echo "Patching ip6_input.c and ip6_output.c"
|
||||
cat $patchfile | (cd /sys/netinet6; patch)
|
||||
endif
|
||||
|
||||
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
|
||||
echo -n "Kernel configuration to update [$config] "
|
||||
|
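Review bot: `patchfile=FreeBSd-4.0/ipv6-patch-$krev` at L806 is not an assignment in csh; without `set` the shell tries to execute a command by that name, and the following `if ( -f $patchfile )` then aborts the script with an undefined-variable error, so the IPv6 patch is never applied. The path is also spelled `FreeBSd-4.0`, which on a case-sensitive filesystem does not match the `FreeBSD-4.0` directory the removed line at L803 used. Replace it with `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`. The `archdir` detection at L718-L721 leaves `$archdir` unset when neither directory exists, and `set confdir="$archdir/conf"` at L727 then fails with the same kind of error; an explicit check with a clear message before that line would make the failure understandable.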
@ -9,10 +9,16 @@ set confdir="$archdir/conf"
|
||||
if ( $dir =~ */FreeBSD ) cd ..
|
||||
echo -n "Installing "
|
||||
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
|
||||
ip_proxy.[ch] ip_auth.[ch] ip_{ftp,rcmd}_pxy.c ip_compat.h ip_log.c)
|
||||
ip_proxy.[ch] ip_auth.[ch] ip_*_pxy.c ip_compat.h ip_log.c)
|
||||
echo -n "$i ";
|
||||
cp $i /sys/netinet
|
||||
chmod 644 /sys/netinet/$i
|
||||
switch ( $i )
|
||||
case *.h:
|
||||
/bin/cp $i /usr/include/netinet/$i
|
||||
chmod 644 /usr/include/netinet/$i
|
||||
breaksw
|
||||
endsw
|
||||
end
|
||||
echo ""
|
||||
grep iplopen $archdir/$karch/conf.c >& /dev/null
|
||||
|
@ -22,6 +22,219 @@
|
||||
# and especially those who have found the time to port IP Filter to new
|
||||
# platforms.
|
||||
#
|
||||
3.4.25 13/03/2002 - Released
|
||||
|
||||
retain rule # in state information
|
||||
|
||||
log the direction of a packet so ipmon gets it right rather than incorrectly
|
||||
deriving it from the rule flags
|
||||
|
||||
add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
|
||||
kernel config files to increase that buffer size)
|
||||
|
||||
recognise return-* rules differently to block in ipftest
|
||||
|
||||
fix bug in ipmon output for solaris
|
||||
|
||||
add regression testing for skip rules, logging and using head/group
|
||||
|
||||
fix output of ipmon: was displaying large unsigned ints rather than -1
|
||||
when no rules matched.
|
||||
|
||||
make logging code compile into ipftest and add -l command line option to
|
||||
dump binary log file (read with ipmon -f) when it finishes.
|
||||
|
||||
protect rule # and group # from interference when checking accounting rules
|
||||
|
||||
add regression testing for log output (text) from ipmon.
|
||||
|
||||
document -b command line option for ipmon
|
||||
|
||||
fix double-quick in Solaris startup script
|
||||
|
||||
3.4.24 01/03/2002 - Released
|
||||
|
||||
fix how files are installed on SunOS5
|
||||
|
||||
fix some minor problems in SunOS5 ipfboot script
|
||||
|
||||
by default, compile all OpenBSD tools in 3.0 for IPv6
|
||||
|
||||
fix NULL-pointer dereference in NAT code
|
||||
|
||||
make a better attempt at replacing the appropriate binaries on BSD systems
|
||||
|
||||
always print IPv6 icmp-types as a number
|
||||
|
||||
impose some rules about what "skip" can be used with
|
||||
|
||||
fix parsing problems with "keep state" and "keep state-age"
|
||||
|
||||
Try to read as much data as is in the log device in ipmon
|
||||
|
||||
remove some redundant checks when searching for rdr/nat rules
|
||||
|
||||
fix bug in handling of ACCT with FTP proxy
|
||||
|
||||
increase array size for interface names, using LIFNAMSIZ
|
||||
|
||||
include H.323 proxy from QNX
|
||||
|
||||
3.4.23 16/01/2002 - Released
|
||||
|
||||
Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
|
||||
compiles and complete system builds.
|
||||
|
||||
Fix bug in automatic flushing of state table which would cause it to hang
|
||||
in an infinite loop bug introduced in 3.4.20.
|
||||
|
||||
Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for
|
||||
the outgoing connection to make it look like it comes from the real source.
|
||||
|
||||
Only support ICMPv6 with IPv6.
|
||||
|
||||
Move ipnat.1 to ipnat.8
|
||||
|
||||
Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.
|
||||
|
||||
Make it possible to do IPv6 regression testing with ipftest.
|
||||
|
||||
Use kvm library for kmem access, rather than trying to do it manually with
|
||||
open/lseek/read.
|
||||
|
||||
Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.
|
||||
|
||||
Remove Berkeley advertising licence clause. Reference:
|
||||
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
|
||||
|
||||
Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
|
||||
and fragmentation required.
|
||||
|
||||
Fix ipfboot script on Solaris to deal with no nameservers or no route to
|
||||
them in a clean manner.
|
||||
|
||||
Support per-rule set timeouts for non-TCP NAT and state
|
||||
|
||||
Add netbios proxy
|
||||
|
||||
Add ICMPv6 stateful checking, including handling multicast destination
|
||||
addresses for neighbour discovery.
|
||||
|
||||
Fix problems with internals of ICMP messages for MTU discovery and
|
||||
unreachables not being correctly adjust on little endian boxes.
|
||||
|
||||
Add "in-via" and "out-via" to filtering rules grammar. It is now possible
|
||||
to bind a rule to both incoming and outgoing interfaces, in both forward
|
||||
and reverse directions (4 directions in total). allows for asymetric flows
|
||||
through a firewall.
|
||||
|
||||
Fix ipfstat and ipnat for working on crash dumps.
|
||||
|
||||
Don't let USE_INET6 stay defined for SunOS4
|
||||
|
||||
Count things we see for each interface on solaris.
|
||||
|
||||
Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
|
||||
also include a whole bunch of #define's to make sure the symbols expected
|
||||
can be used.
|
||||
|
||||
Fix up fastroute on BSD systems.
|
||||
|
||||
Make fastrouting work for IPv6 just a bit better. doesn't split up big
|
||||
packets into fragments like the IPv4 one does. You can now do a
|
||||
"to <if>:<ipv6_addr>"
|
||||
|
||||
Remove some of the differences between user-space and kernel-space code
|
||||
that is internal to ipfilter.
|
||||
|
||||
Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
|
||||
create the illusion of passing time and include the expire functions in the
|
||||
code compiled for user-space.
|
||||
|
||||
Fix issues with the IPSec proxy not working or leading to a system crash.
|
||||
|
||||
Junk all processing of SPIs and special handling for ESP.
|
||||
|
||||
Add "no-match" as a filter rule action (resets _LAST_ match)
|
||||
|
||||
Add hack to workaround problems with Cassini interface cards on
|
||||
Solaris and VLANs
|
||||
|
||||
Add some protocols to etc/protocols
|
||||
|
||||
3.4.22 03/12/2001 - Released
|
||||
|
||||
various openbsd changes
|
||||
|
||||
sorting based on IP numbers for ipfstat top output
|
||||
|
||||
fix various IPv6 code & compile problems
|
||||
|
||||
modify ip_fil.c to be more netbsd friendly
|
||||
|
||||
fix fastroute bug where it modified a packet post-sending
|
||||
|
||||
fix get_unit() - don't understand why it was broken.
|
||||
|
||||
add FI_IGNOREPKT and don't count so marked packets when doing stats or
|
||||
state/nat.
|
||||
|
||||
extend the interface name saved to log output
|
||||
|
||||
make proxies capable of extending the matching done on a packet with a
|
||||
particular nat session
|
||||
|
||||
change interfaces inside NAT & state code to accomodate redesign to allow
|
||||
IPsec proxy to work.
|
||||
|
||||
fix bug when free'ing loaded rules that results in a memory leak
|
||||
(only an issue with "ipf -rf -", not flush)
|
||||
|
||||
make ipftest capable of loading > 1 file or rules, making it now possible
|
||||
to load both NAT & filter rules
|
||||
|
||||
fix hex input for ipftest to allow interface name & direction to work
|
||||
|
||||
show ipsec proxy details in ipnat output
|
||||
|
||||
if OPT_HEX is set in opts, print a packet out as hex
|
||||
|
||||
don't modify b_next or preseve it or preserve b_prev for solaris
|
||||
|
||||
fix up kinstall scripts to install all the files everywhere they need to
|
||||
|
||||
fix overflowing of bits in ip_off inside iptest
|
||||
|
||||
make userauth and proxy in samples directory compile
|
||||
|
||||
fix minimum size when doing a pullup for ESP & ICMPv6
|
||||
|
||||
3.4.21 24/10/2001 - Released
|
||||
|
||||
include ipsec proxy
|
||||
|
||||
make state work for non-tcp/udp/icmp in a very simple way
|
||||
|
||||
include diffs for ipv6 firewall on openbsd-2.9
|
||||
|
||||
add compatibility filter wrapper for NetBSD-current
|
||||
|
||||
fix command line option problems with ipfs
|
||||
|
||||
if we fill the state table and a automated flush doesn't purge any
|
||||
expiring entries, remove all entries idle for more than half a day
|
||||
|
||||
fix bug with sending resets/icmp errors where the pointer to the data
|
||||
section of the packet was not being set (BSD only)
|
||||
|
||||
split out validating ftp commands and responses into different halves,
|
||||
one for each of server & client.
|
||||
|
||||
do not compile in STATETOP support for specific architectures
|
||||
|
||||
fix INSTALL.FreeBSD to no longer provide directions and properly direct
|
||||
people to the right file for the right version of FreeBSD.
|
||||
|
||||
3.4.20 24/07/2001 - Released
|
||||
|
||||
adjust NAT hashing to give a better spread across the table
|
||||
|
@ -1,51 +1,7 @@
|
||||
|
||||
*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
|
||||
*** IF you are using FreeBSD 3 or later, see the file "INST.FreeBSD-3" ***
|
||||
*** in the "FreeBSD-3" directory ***
|
||||
|
||||
|
||||
To build a kernel for use with the loadable kernel module, follow these
|
||||
steps:
|
||||
1. do "make freebsd"
|
||||
|
||||
2. do "make install-bsd"
|
||||
(probably has to be done as root)
|
||||
|
||||
3. run "FreeBSD/minstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. install and reboot with the new kernel
|
||||
|
||||
6. use modload(8) to load the packet filter with:
|
||||
modload if_ipl.o
|
||||
|
||||
7. do "modstat" to confirm that it has been loaded successfully.
|
||||
|
||||
There is no need to use mknod to create the device in /dev;
|
||||
- upon loading the module, it will create itself with the correct values,
|
||||
under the name (IPL_NAME) from the Makefile. It will also remove itself
|
||||
from /dev when it is modunload'd.
|
||||
|
||||
To build a kernel with the IP filter, follow these steps:
|
||||
|
||||
1. do "make freebsd"
|
||||
|
||||
2. do "make install-bsd"
|
||||
(probably has to be done as root)
|
||||
|
||||
3. run "FreeBSD/kinstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. create devices for IP Filter as follows (assuming it was
|
||||
installed into the device table as char dev 20):
|
||||
mknod /dev/ipl c 20 0
|
||||
mknod /dev/ipnat c 20 1
|
||||
mknod /dev/ipstate c 20 2
|
||||
mknod /dev/ipauth c 20 3
|
||||
|
||||
6. install and reboot with the new kernel
|
||||
*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
|
||||
*** IF you are using FreeBSD 3.x, see the file "FreeBSD-3/INST.FreeBSD-3" ***
|
||||
*** IF you are using FreeBSD 4.x, see the file "FreeBSD-4.0/INST.FreeBSD-4" ***
|
||||
|
||||
Darren Reed
|
||||
darrenr@pobox.com
|
||||
|
@ -1,4 +1,4 @@
|
||||
Copyright (C) 1993-2001 by Darren Reed.
|
||||
Copyright (C) 1993-2002 by Darren Reed.
|
||||
|
||||
The author accepts no responsibility for the use of this software and
|
||||
provides it on an ``as is'' basis without express or implied warranty.
|
||||
|
@ -3,7 +3,7 @@
|
||||
#
|
||||
# See the IPFILTER.LICENCE file for details on licencing.
|
||||
#
|
||||
# $Id: Makefile,v 2.11.2.8 2001/06/26 10:43:10 darrenr Exp $
|
||||
# $Id: Makefile,v 2.11.2.13 2002/03/06 09:43:15 darrenr Exp $
|
||||
#
|
||||
BINDEST=/usr/local/bin
|
||||
SBINDEST=/sbin
|
||||
@ -34,7 +34,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
|
||||
#
|
||||
# Uncomment the next 3 lines if you want to view the state table a la top(1)
|
||||
# (requires that you have installed ncurses).
|
||||
#STATETOP_CFLAGS=-DSTATETOP
|
||||
STATETOP_CFLAGS=-DSTATETOP
|
||||
#
|
||||
# Where to find the ncurses include files (if not in default path),
|
||||
#
|
||||
@ -43,7 +43,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
|
||||
#
|
||||
# How to link the ncurses library
|
||||
#
|
||||
#STATETOP_LIB=-lncurses
|
||||
STATETOP_LIB=-lcurses
|
||||
#STATETOP_LIB=-L/usr/local/lib -lncurses
|
||||
|
||||
#
|
||||
@ -59,7 +59,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
|
||||
#
|
||||
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
|
||||
#
|
||||
MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6)' \
|
||||
MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6) $(IPFLOG)' \
|
||||
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
|
||||
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
|
||||
"CPUDIR=$(CPUDIR)" 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' \
|
||||
@ -100,7 +100,7 @@ tests:
|
||||
|
||||
include:
|
||||
if [ ! -f netinet/done ] ; then \
|
||||
(cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .; ln -s ../ip_rcmd_pxy.c .; ln -s ../ip_raudio_pxy.c .); \
|
||||
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .; ); \
|
||||
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
|
||||
touch netinet/done; \
|
||||
fi
|
||||
@ -168,8 +168,8 @@ bsdi bsdos: include
|
||||
|
||||
irix IRIX: include
|
||||
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
|
||||
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS); else smake build TOP=../.. $(DEST) $(MFLAGS); fi;)
|
||||
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); fi)
|
||||
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) SGI=`../getrev` $(MFLAGS); else smake build SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi;)
|
||||
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi)
|
||||
|
||||
linux: include
|
||||
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
|
||||
@ -258,7 +258,7 @@ install-bsd:
|
||||
(cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
|
||||
|
||||
install-sunos4: solaris
|
||||
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
|
||||
(cd SunOS4; $(MAKE) "CPU=$(CPU)" "TOP=.." install)
|
||||
|
||||
install-sunos5: solaris
|
||||
(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
|
||||
|
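Review bot: The quoting fix applied to `install-sunos4` at L1802 (`"CPU=$(CPU)" "TOP=.."`) is not applied to `install-sunos5`, visible as context at L1810, which still passes `"CPU=$(CPU) TOP=.."` as one word, so the sub-make receives a single `CPU` assignment whose value ends in ` TOP=..` and `TOP` stays unset there. Change it to `(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU)" "TOP=.." install)`. Separately, uncommenting `STATETOP_CFLAGS=-DSTATETOP` at L1666 together with `STATETOP_LIB=-lcurses` makes the default build depend on a curses library; a comment saying which two lines to comment out on hosts without it would help. The IRIX recipes at L1774 and L1777 still invoke a literal `make` and run under `-`, so a failed IRIX build does not fail the target.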
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
@ -44,9 +47,7 @@ static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 da
|
||||
|
||||
extern struct ipopt_names ionames[], secclass[];
|
||||
extern int opts;
|
||||
#ifdef USE_INET6
|
||||
extern int use_inet6;
|
||||
#endif
|
||||
|
||||
|
||||
char *proto = NULL;
|
||||
@ -54,10 +55,8 @@ char flagset[] = "FSRPAUEC";
|
||||
u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
|
||||
TH_ECN, TH_CWR };
|
||||
|
||||
#ifdef USE_INET6
|
||||
void fill6bits __P((int, u_32_t *));
|
||||
int count6bits __P((u_32_t *));
|
||||
#endif
|
||||
|
||||
static char thishost[MAXHOSTNAMELEN];
|
||||
|
||||
@ -95,30 +94,24 @@ u_32_t *mskp;
|
||||
* set x most significant bits
|
||||
*/
|
||||
bits = (int)strtol(msk, &endptr, 0);
|
||||
#ifdef USE_INET6
|
||||
if ((*endptr != '\0') ||
|
||||
((bits > 32) && !use_inet6) || (bits < 0) ||
|
||||
((bits > 128) && use_inet6))
|
||||
#else
|
||||
if (*endptr != '\0' || bits > 32 || bits < 0)
|
||||
#endif
|
||||
return -1;
|
||||
#ifdef USE_INET6
|
||||
if (use_inet6)
|
||||
fill6bits(bits, mskp);
|
||||
else
|
||||
#endif
|
||||
if (bits == 0)
|
||||
*mskp = 0;
|
||||
else
|
||||
*mskp = htonl(0xffffffff << (32 - bits));
|
||||
else {
|
||||
if (bits == 0)
|
||||
*mskp = 0;
|
||||
else
|
||||
*mskp = htonl(0xffffffff << (32 - bits));
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
#ifdef USE_INET6
|
||||
void fill6bits(bits, msk)
|
||||
int bits;
|
||||
u_32_t *msk;
|
||||
@ -134,7 +127,6 @@ u_32_t *msk;
|
||||
while (i < 4)
|
||||
msk[i++] = 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
@ -197,7 +189,6 @@ int linenum;
|
||||
return -1;
|
||||
}
|
||||
(*seg)++;
|
||||
#ifdef USE_INET6
|
||||
if (use_inet6) {
|
||||
u_32_t k = 0;
|
||||
if (sa[0] || sa[1] || sa[2] || sa[3])
|
||||
@ -205,8 +196,7 @@ int linenum;
|
||||
msk[0] = msk[1] = msk[2] = msk[3] = k;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
*msk = *sa ? 0xffffffff : 0;
|
||||
*msk = *sa ? 0xffffffff : 0;
|
||||
return ports(seg, pp, cp, tp, linenum);
|
||||
}
|
||||
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
|
||||
@ -448,7 +438,6 @@ u_32_t ip;
|
||||
}
|
||||
|
||||
|
||||
#ifdef USE_INET6
|
||||
int count6bits(msk)
|
||||
u_32_t *msk;
|
||||
{
|
||||
@ -465,7 +454,6 @@ u_32_t *msk;
|
||||
}
|
||||
return i;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
char *portname(pr, port)
|
||||
@ -596,3 +584,27 @@ int len, zend;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
char *hostname(v, ip)
|
||||
int v;
|
||||
void *ip;
|
||||
{
|
||||
#ifdef USE_INET6
|
||||
static char hostbuf[MAXHOSTNAMELEN+1];
|
||||
#endif
|
||||
struct in_addr ipa;
|
||||
|
||||
if (v == 4) {
|
||||
ipa.s_addr = *(u_32_t *)ip;
|
||||
return inet_ntoa(ipa);
|
||||
}
|
||||
#ifdef USE_INET6
|
||||
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
|
||||
hostbuf[MAXHOSTNAMELEN] = '\0';
|
||||
return hostbuf;
|
||||
#else
|
||||
return "IPv6";
|
||||
#endif
|
||||
}
|
||||
|
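Review bot: In the new `hostname()` (L2147-L2206) the result of `inet_ntop()` is discarded with a `(void)` cast, so when it fails (for example `EAFNOSUPPORT` on a libc without IPv6 support) the caller gets whatever a previous call left in the static `hostbuf`, or an empty string on the first call. Check the return and fall back to the same literal the `#else` branch uses: `if (inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf)) == NULL) return "IPv6";` — `inet_ntop()` NUL-terminates on success, so the `- 1` and the explicit terminator at L2191 become unnecessary. Both branches return storage owned by a static buffer (`inet_ntoa()`'s and `hostbuf`), so two calls in one `printf` argument list yield the same text; a short comment above the function stating that the result must be copied before the next call would save callers a debugging session. `INET6_ADDRSTRLEN` is the natural size for `hostbuf`; `MAXHOSTNAMELEN+1` is larger than needed but not wrong.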
@ -47,11 +47,15 @@ rsvp 46 RSVP # Reservation Protocol
|
||||
gre 47 GRE # General Routing Encapsulation
|
||||
mhrp 48 MHRP # Mobile Host Routing Protocol
|
||||
bna 49 BNA # BNA
|
||||
sipp-esp 50 SIPP-ESP # SIPP Encap Security Payload
|
||||
sipp-ah 51 SIPP-AH # SIPP Authentication Header
|
||||
esp 50 esp # Encap Security Payload
|
||||
ah 51 AH # Authentication Header
|
||||
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
|
||||
swipe 53 SWIPE # IP with Encryption
|
||||
nhrp 54 NHRP # NBMA Next Hop Resolution Protocol
|
||||
mobile 55 MOBILE # IP Mobility (IP tunneling)
|
||||
ipv6-icmp 58 icmpv6 IPv6-ICMP ICMPv6 # ICMP version 6
|
||||
ipv6-nonxt 59 IPv6-Nonxt # No Next Header for IPv6
|
||||
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
|
||||
any 61 any # host internal protocol
|
||||
cftp 62 CFTP # CFTP
|
||||
any 63 any # local network
|
||||
@ -92,4 +96,6 @@ etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
|
||||
encap 98 ENCAP # Encapsulation Header
|
||||
any 99 any # private encryption scheme
|
||||
gmtp 100 GMTP # GMTP
|
||||
pim 103 PIM # Protocol Independant Multicast
|
||||
ipcomp 108 IPCOMP # IP Payload Compression Protocol
|
||||
reserved 255 Reserved #
|
||||
|
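Review bot: The new `esp 50 esp` entry at L2228 puts the lowercase name in the alias column, while every other entry here, including the companion `ah 51 AH` at L2231, uses the uppercase protocol mnemonic; `esp 50 ESP # Encap Security Payload` keeps the table consistent for anything that matches on the alias. The comment on the new `pim 103` line at L2276 misspells "Independent" as "Independant".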
@ -12,6 +12,9 @@
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
@ -21,8 +24,24 @@
|
||||
#include <sys/time.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#if defined(STATETOP) && defined(sun) && !defined(__svr4__) && !defined(__SVR4)
|
||||
#include <sys/select.h>
|
||||
#if defined(STATETOP)
|
||||
# if defined(_BSDI_VERSION)
|
||||
# undef STATETOP)
|
||||
# endif
|
||||
# if defined(__FreeBSD__) && \
|
||||
(!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
|
||||
# undef STATETOP
|
||||
# endif
|
||||
# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
|
||||
# undef STATETOP
|
||||
# endif
|
||||
# if defined(sun)
|
||||
# if defined(__svr4__) || defined(__SVR4)
|
||||
# include <sys/select.h>
|
||||
# else
|
||||
# undef STATETOP /* NOT supported on SunOS4 */
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
@ -50,15 +69,16 @@
|
||||
#include "netinet/ip_compat.h"
|
||||
#include "netinet/ip_fil.h"
|
||||
#include "ipf.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_nat.h"
|
||||
#include "netinet/ip_frag.h"
|
||||
#include "netinet/ip_state.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_auth.h"
|
||||
#ifdef STATETOP
|
||||
# include "netinet/ipl.h"
|
||||
# include <ctype.h>
|
||||
# if SOLARIS
|
||||
# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
|
||||
defined(__sgi)
|
||||
# ifdef ERR
|
||||
# undef ERR
|
||||
# endif
|
||||
@ -74,7 +94,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.17 2001/07/19 12:24:09 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern char *optarg;
|
||||
@ -89,9 +109,8 @@ static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
|
||||
"ipacct(in)", "ipacct(out)" };
|
||||
|
||||
int opts = 0;
|
||||
#ifdef USE_INET6
|
||||
int use_inet6 = 0;
|
||||
#endif
|
||||
int live_kernel = 1;
|
||||
|
||||
#ifdef STATETOP
|
||||
#define STSTRSIZE 80
|
||||
@ -102,7 +121,9 @@ int use_inet6 = 0;
|
||||
#define STSORT_PKTS 1
|
||||
#define STSORT_BYTES 2
|
||||
#define STSORT_TTL 3
|
||||
#define STSORT_MAX STSORT_TTL
|
||||
#define STSORT_SRCIP 4
|
||||
#define STSORT_DSTIP 5
|
||||
#define STSORT_MAX STSORT_DSTIP
|
||||
#define STSORT_DEFAULT STSORT_BYTES
|
||||
|
||||
|
||||
@ -120,51 +141,33 @@ typedef struct statetop {
|
||||
#endif
|
||||
|
||||
extern int main __P((int, char *[]));
|
||||
static void showstats __P((int, friostat_t *));
|
||||
static void showfrstates __P((int, ipfrstat_t *));
|
||||
static void showstats __P((friostat_t *, u_32_t));
|
||||
static void showfrstates __P((ipfrstat_t *));
|
||||
static void showlist __P((friostat_t *));
|
||||
static void showipstates __P((int, ips_stat_t *));
|
||||
static void showauthstates __P((int, fr_authstat_t *));
|
||||
static void showipstates __P((ips_stat_t *));
|
||||
static void showauthstates __P((fr_authstat_t *));
|
||||
static void showgroups __P((friostat_t *));
|
||||
static void Usage __P((char *));
|
||||
static void printlist __P((frentry_t *));
|
||||
static char *get_ifname __P((void *));
|
||||
static char *hostname __P((int, void *));
|
||||
static void parse_ipportstr __P((const char *, struct in_addr *, int *));
|
||||
static int ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
|
||||
ipfrstat_t **, fr_authstat_t **, u_32_t *));
|
||||
static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
|
||||
ipfrstat_t **, fr_authstat_t **, u_32_t *));
|
||||
#ifdef STATETOP
|
||||
static void topipstates __P((int, struct in_addr, struct in_addr, int, int, int, int, int));
|
||||
static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int));
|
||||
static char *ttl_to_string __P((long));
|
||||
static int sort_p __P((const void *, const void *));
|
||||
static int sort_pkts __P((const void *, const void *));
|
||||
static int sort_bytes __P((const void *, const void *));
|
||||
static int sort_ttl __P((const void *, const void *));
|
||||
static int sort_srcip __P((const void *, const void *));
|
||||
static int sort_dstip __P((const void *, const void *));
|
||||
#endif
|
||||
#if SOLARIS
|
||||
void showqiflist __P((char *));
|
||||
#endif
|
||||
|
||||
static char *hostname(v, ip)
|
||||
int v;
|
||||
void *ip;
|
||||
{
|
||||
#ifdef USE_INET6
|
||||
static char hostbuf[MAXHOSTNAMELEN+1];
|
||||
#endif
|
||||
struct in_addr ipa;
|
||||
|
||||
if (v == 4) {
|
||||
ipa.s_addr = *(u_32_t *)ip;
|
||||
return inet_ntoa(ipa);
|
||||
}
|
||||
#ifdef USE_INET6
|
||||
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
|
||||
hostbuf[MAXHOSTNAMELEN] = '\0';
|
||||
return hostbuf;
|
||||
#else
|
||||
return "IPv6";
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
static void Usage(name)
|
||||
char *name;
|
||||
@ -174,11 +177,8 @@ char *name;
|
||||
#else
|
||||
fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
|
||||
#endif
|
||||
fprintf(stderr, "\t\t[-M corefile]");
|
||||
#if SOLARIS
|
||||
fprintf(stderr, " [-N symbol-list]");
|
||||
#endif
|
||||
fprintf(stderr, "\n %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
|
||||
fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n");
|
||||
fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -190,15 +190,13 @@ char *argv[];
|
||||
fr_authstat_t frauthst;
|
||||
fr_authstat_t *frauthstp = &frauthst;
|
||||
friostat_t fio;
|
||||
friostat_t *fiop=&fio;
|
||||
friostat_t *fiop = &fio;
|
||||
ips_stat_t ipsst;
|
||||
ips_stat_t *ipsstp = &ipsst;
|
||||
ipfrstat_t ifrst;
|
||||
ipfrstat_t *ifrstp = &ifrst;
|
||||
char *name = NULL, *device = IPL_NAME, *memf = NULL;
|
||||
#if SOLARIS
|
||||
char *device = IPL_NAME, *memf = NULL;
|
||||
char *kern = NULL;
|
||||
#endif
|
||||
int c, fd, myoptind;
|
||||
struct protoent *proto;
|
||||
|
||||
@ -208,6 +206,8 @@ char *argv[];
|
||||
int dport = -1; /* -1 = wild card for any dest port */
|
||||
int topclosed = 0; /* do not show closed tcp sessions */
|
||||
struct in_addr saddr, daddr;
|
||||
u_32_t frf;
|
||||
|
||||
saddr.s_addr = INADDR_ANY; /* default any source addr */
|
||||
daddr.s_addr = INADDR_ANY; /* default any dest addr */
|
||||
|
||||
@ -216,45 +216,33 @@ char *argv[];
|
||||
* in the parsing of the rest.
|
||||
*/
|
||||
myoptind = optind;
|
||||
#if SOLARIS
|
||||
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
|
||||
#else
|
||||
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1)
|
||||
#endif
|
||||
switch (c)
|
||||
{
|
||||
case 'M' :
|
||||
memf = optarg;
|
||||
live_kernel = 0;
|
||||
break;
|
||||
#if SOLARIS
|
||||
case 'N' :
|
||||
kern = optarg;
|
||||
live_kernel = 0;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
optind = myoptind;
|
||||
|
||||
#if SOLARIS
|
||||
if (kern != NULL || memf != NULL)
|
||||
#else
|
||||
if (memf != NULL)
|
||||
#endif
|
||||
{
|
||||
(void)setuid(getuid());
|
||||
(void)setgid(getgid());
|
||||
}
|
||||
|
||||
if (openkmem(memf) == -1)
|
||||
if (openkmem(kern, memf) == -1)
|
||||
exit(-1);
|
||||
|
||||
(void)setuid(getuid());
|
||||
(void)setgid(getgid());
|
||||
|
||||
#if SOLARIS
|
||||
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
|
||||
#else
|
||||
while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:M:P:S:T:")) != -1)
|
||||
#endif
|
||||
{
|
||||
switch (c)
|
||||
{
|
||||
@ -265,7 +253,8 @@ char *argv[];
|
||||
#endif
|
||||
case 'a' :
|
||||
opts |= OPT_ACCNT|OPT_SHOWLIST;
|
||||
break; case 'A' :
|
||||
break;
|
||||
case 'A' :
|
||||
device = IPAUTH_NAME;
|
||||
opts |= OPT_AUTHSTATS;
|
||||
break;
|
||||
@ -316,11 +305,15 @@ char *argv[];
|
||||
exit(-2);
|
||||
}
|
||||
break;
|
||||
#if SOLARIS
|
||||
case 'q' :
|
||||
#if SOLARIS
|
||||
showqiflist(kern);
|
||||
exit(0);
|
||||
break;
|
||||
#else
|
||||
fprintf(stderr, "-q only availble on Solaris\n");
|
||||
exit(1);
|
||||
break;
|
||||
#endif
|
||||
case 's' :
|
||||
opts |= OPT_IPSTATES;
|
||||
@ -356,19 +349,67 @@ char *argv[];
|
||||
}
|
||||
}
|
||||
|
||||
if (live_kernel == 1) {
|
||||
bzero((char *)&fio, sizeof(fio));
|
||||
bzero((char *)&ipsst, sizeof(ipsst));
|
||||
bzero((char *)&ifrst, sizeof(ifrst));
|
||||
|
||||
fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
|
||||
&frauthstp, &frf);
|
||||
} else
|
||||
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
|
||||
|
||||
if (opts & OPT_IPSTATES) {
|
||||
showipstates(ipsstp);
|
||||
} else if (opts & OPT_SHOWLIST) {
|
||||
showlist(fiop);
|
||||
if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
|
||||
opts &= ~OPT_OUTQUE;
|
||||
showlist(fiop);
|
||||
}
|
||||
} else {
|
||||
if (opts & OPT_FRSTATES)
|
||||
showfrstates(ifrstp);
|
||||
#ifdef STATETOP
|
||||
else if (opts & OPT_STATETOP)
|
||||
topipstates(saddr, daddr, sport, dport,
|
||||
protocol, refreshtime, topclosed);
|
||||
#endif
|
||||
else if (opts & OPT_AUTHSTATS)
|
||||
showauthstates(frauthstp);
|
||||
else if (opts & OPT_GROUPS)
|
||||
showgroups(fiop);
|
||||
else
|
||||
showstats(fiop, frf);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Fill in the stats structures from the live kernel, using a combination
|
||||
* of ioctl's and copying directly from kernel memory.
|
||||
*/
|
||||
int ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
|
||||
char *device;
|
||||
friostat_t **fiopp;
|
||||
ips_stat_t **ipsstpp;
|
||||
ipfrstat_t **ifrstpp;
|
||||
fr_authstat_t **frauthstpp;
|
||||
u_32_t *frfp;
|
||||
{
|
||||
int fd;
|
||||
|
||||
if ((fd = open(device, O_RDONLY)) < 0) {
|
||||
perror("open");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
bzero((char *)&fio, sizeof(fio));
|
||||
bzero((char *)&ipsst, sizeof(ipsst));
|
||||
bzero((char *)&ifrst, sizeof(ifrst));
|
||||
|
||||
if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, &fiop) == -1) {
|
||||
if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, fiopp) == -1) {
|
||||
perror("ioctl(ipf:SIOCGETFS)");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if ((opts & OPT_IPSTATES)) {
|
||||
int sfd = open(IPL_STATE, O_RDONLY);
|
||||
|
||||
@ -376,64 +417,237 @@ char *argv[];
|
||||
perror("open");
|
||||
exit(-1);
|
||||
}
|
||||
if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) {
|
||||
if ((ioctl(sfd, SIOCGETFS, ipsstpp) == -1)) {
|
||||
perror("ioctl(state:SIOCGETFS)");
|
||||
exit(-1);
|
||||
}
|
||||
close(sfd);
|
||||
}
|
||||
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrstp) == -1)) {
|
||||
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, ifrstpp) == -1)) {
|
||||
perror("ioctl(SIOCGFRST)");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (opts & OPT_VERBOSE)
|
||||
PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
|
||||
PRINTF("opts %#x name %s\n", opts, device);
|
||||
|
||||
if ((opts & OPT_AUTHSTATS) &&
|
||||
(ioctl(fd, SIOCATHST, &frauthstp) == -1)) {
|
||||
(ioctl(fd, SIOCATHST, frauthstpp) == -1)) {
|
||||
perror("ioctl(SIOCATHST)");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (opts & OPT_IPSTATES) {
|
||||
showipstates(fd, ipsstp);
|
||||
} else if (opts & OPT_SHOWLIST) {
|
||||
showlist(&fio);
|
||||
if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
|
||||
opts &= ~OPT_OUTQUE;
|
||||
showlist(&fio);
|
||||
}
|
||||
} else {
|
||||
if (opts & OPT_FRSTATES)
|
||||
showfrstates(fd, ifrstp);
|
||||
#ifdef STATETOP
|
||||
else if (opts & OPT_STATETOP)
|
||||
topipstates(fd, saddr, daddr, sport, dport,
|
||||
protocol, refreshtime, topclosed);
|
||||
#endif
|
||||
else if (opts & OPT_AUTHSTATS)
|
||||
showauthstates(fd, frauthstp);
|
||||
else if (opts & OPT_GROUPS)
|
||||
showgroups(&fio);
|
||||
else
|
||||
showstats(fd, &fio);
|
||||
}
|
||||
return 0;
|
||||
if (ioctl(fd, SIOCGETFF, frfp) == -1)
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* read the kernel stats for packets blocked and passed
|
||||
* Build up the stats structures from data held in the "core" memory.
|
||||
* This is mainly useful when looking at data in crash dumps and ioctl's
|
||||
* just won't work any more.
|
||||
*/
|
||||
static void showstats(fd, fp)
|
||||
int fd;
|
||||
struct friostat *fp;
|
||||
void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
|
||||
char *kernel;
|
||||
friostat_t **fiopp;
|
||||
ips_stat_t **ipsstpp;
|
||||
ipfrstat_t **ifrstpp;
|
||||
fr_authstat_t **frauthstpp;
|
||||
u_32_t *frfp;
|
||||
{
|
||||
u_32_t frf = 0;
|
||||
static fr_authstat_t frauthst, *frauthstp;
|
||||
static ips_stat_t ipsst, *ipsstp;
|
||||
static ipfrstat_t ifrst, *ifrstp;
|
||||
static friostat_t fio, *fiop;
|
||||
|
||||
if (ioctl(fd, SIOCGETFF, &frf) == -1)
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
void *rules[2][2];
|
||||
struct nlist deadlist[42] = {
|
||||
{ "fr_authstats" }, /* 0 */
|
||||
{ "fae_list" },
|
||||
{ "ipauth" },
|
||||
{ "fr_authlist" },
|
||||
{ "fr_authstart" },
|
||||
{ "fr_authend" }, /* 5 */
|
||||
{ "fr_authnext" },
|
||||
{ "fr_auth" },
|
||||
{ "fr_authused" },
|
||||
{ "fr_authsize" },
|
||||
{ "fr_defaultauthage" }, /* 10 */
|
||||
{ "fr_authpkts" },
|
||||
{ "fr_auth_lock" },
|
||||
{ "frstats" },
|
||||
{ "ips_stats" },
|
||||
{ "ips_num" }, /* 15 */
|
||||
{ "ips_wild" },
|
||||
{ "ips_list" },
|
||||
{ "ips_table" },
|
||||
{ "fr_statemax" },
|
||||
{ "fr_statesize" }, /* 20 */
|
||||
{ "fr_state_doflush" },
|
||||
{ "fr_state_lock" },
|
||||
{ "ipfr_heads" },
|
||||
{ "ipfr_nattab" },
|
||||
{ "ipfr_stats" }, /* 25 */
|
||||
{ "ipfr_inuse" },
|
||||
{ "fr_ipfrttl" },
|
||||
{ "fr_frag_lock" },
|
||||
{ "ipfr_timer_id" },
|
||||
{ "fr_nat_lock" }, /* 30 */
|
||||
{ "ipfilter" },
|
||||
{ "ipfilter6" },
|
||||
{ "ipacct" },
|
||||
{ "ipacct6" },
|
||||
{ "ipl_frouteok" }, /* 35 */
|
||||
{ "fr_running" },
|
||||
{ "ipfgroups" },
|
||||
{ "fr_active" },
|
||||
{ "fr_pass" },
|
||||
{ "fr_flags" }, /* 40 */
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
|
||||
frauthstp = &frauthst;
|
||||
ipsstp = &ipsst;
|
||||
ifrstp = &ifrst;
|
||||
fiop = &fio;
|
||||
|
||||
*frfp = 0;
|
||||
*fiopp = fiop;
|
||||
*ipsstpp = ipsstp;
|
||||
*ifrstpp = ifrstp;
|
||||
*frauthstpp = frauthstp;
|
||||
|
||||
bzero((char *)fiop, sizeof(*fiop));
|
||||
bzero((char *)ipsstp, sizeof(*ipsstp));
|
||||
bzero((char *)ifrstp, sizeof(*ifrstp));
|
||||
bzero((char *)frauthstp, sizeof(*frauthstp));
|
||||
|
||||
if (nlist(kernel, deadlist) == -1) {
|
||||
fprintf(stderr, "nlist error\n");
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* This is for SIOCGETFF.
|
||||
*/
|
||||
kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
|
||||
|
||||
/*
|
||||
* f_locks is a combination of the lock variable from each part of
|
||||
* ipfilter (state, auth, nat, fragments).
|
||||
*/
|
||||
kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
|
||||
kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
|
||||
sizeof(fiop->f_locks[0]));
|
||||
kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
|
||||
sizeof(fiop->f_locks[1]));
|
||||
kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
|
||||
sizeof(fiop->f_locks[2]));
|
||||
kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
|
||||
sizeof(fiop->f_locks[3]));
|
||||
|
||||
/*
|
||||
* Get pointers to each list of rules (active, inactive, in, out)
|
||||
*/
|
||||
kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
|
||||
fiop->f_fin[0] = rules[0][0];
|
||||
fiop->f_fin[1] = rules[0][1];
|
||||
fiop->f_fout[0] = rules[1][0];
|
||||
fiop->f_fout[1] = rules[1][1];
|
||||
|
||||
/*
|
||||
* Same for IPv6, except make them null if support for it is not
|
||||
* being compiled in.
|
||||
*/
|
||||
#ifdef USE_INET6
|
||||
kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
|
||||
fiop->f_fin6[0] = rules[0][0];
|
||||
fiop->f_fin6[1] = rules[0][1];
|
||||
fiop->f_fout6[0] = rules[1][0];
|
||||
fiop->f_fout6[1] = rules[1][1];
|
||||
#else
|
||||
fiop->f_fin6[0] = NULL;
|
||||
fiop->f_fin6[1] = NULL;
|
||||
fiop->f_fout6[0] = NULL;
|
||||
fiop->f_fout6[1] = NULL;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Now get accounting rules pointers.
|
||||
*/
|
||||
kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
|
||||
fiop->f_acctin[0] = rules[0][0];
|
||||
fiop->f_acctin[1] = rules[0][1];
|
||||
fiop->f_acctout[0] = rules[1][0];
|
||||
fiop->f_acctout[1] = rules[1][1];
|
||||
|
||||
#ifdef USE_INET6
|
||||
kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
|
||||
fiop->f_acctin6[0] = rules[0][0];
|
||||
fiop->f_acctin6[1] = rules[0][1];
|
||||
fiop->f_acctout6[0] = rules[1][0];
|
||||
fiop->f_acctout6[1] = rules[1][1];
|
||||
#else
|
||||
fiop->f_acctin6[0] = NULL;
|
||||
fiop->f_acctin6[1] = NULL;
|
||||
fiop->f_acctout6[0] = NULL;
|
||||
fiop->f_acctout6[1] = NULL;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* A collection of "global" variables used inside the kernel which
|
||||
* are all collected in friostat_t via ioctl.
|
||||
*/
|
||||
kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
|
||||
sizeof(fiop->f_froute));
|
||||
kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
|
||||
sizeof(fiop->f_running));
|
||||
kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
|
||||
sizeof(fiop->f_groups));
|
||||
kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
|
||||
sizeof(fiop->f_active));
|
||||
kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
|
||||
sizeof(fiop->f_defpass));
|
||||
|
||||
/*
|
||||
* Build up the state information stats structure.
|
||||
*/
|
||||
kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
|
||||
kmemcpy((char *)&ipsstp->iss_active, (u_long)deadlist[15].n_value,
|
||||
sizeof(ipsstp->iss_active));
|
||||
ipsstp->iss_table = (void *)deadlist[18].n_value;
|
||||
ipsstp->iss_list = (void *)deadlist[17].n_value;
|
||||
|
||||
/*
|
||||
* Build up the authentiation information stats structure.
|
||||
*/
|
||||
kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
|
||||
sizeof(*frauthstp));
|
||||
frauthstp->fas_faelist = (void *)deadlist[1].n_value;
|
||||
|
||||
/*
|
||||
* Build up the fragment information stats structure.
|
||||
*/
|
||||
kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
|
||||
sizeof(*ifrstp));
|
||||
ifrstp->ifs_table = (void *)deadlist[23].n_value;
|
||||
ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
|
||||
kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
|
||||
sizeof(ifrstp->ifs_inuse));
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Display the kernel stats for packets blocked and passed and other
|
||||
* associated running totals which are kept.
|
||||
*/
|
||||
static void showstats(fp, frf)
|
||||
struct friostat *fp;
|
||||
u_32_t frf;
|
||||
{
|
||||
|
||||
#if SOLARIS
|
||||
PRINTF("dropped packets:\tin %lu\tout %lu\n",
|
||||
@ -505,6 +719,9 @@ struct friostat *fp;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Print out a list of rules from the kernel, starting at the one passed.
|
||||
*/
|
||||
static void printlist(fp)
|
||||
frentry_t *fp;
|
||||
{
|
||||
@ -543,7 +760,8 @@ frentry_t *fp;
|
||||
}
|
||||
|
||||
/*
|
||||
* print out filter rule list
|
||||
* print out all of the asked for rule sets, using the stats struct as
|
||||
* the base from which to get the pointers.
|
||||
*/
|
||||
static void showlist(fiop)
|
||||
struct friostat *fiop;
|
||||
@ -598,12 +816,17 @@ struct friostat *fiop;
|
||||
}
|
||||
|
||||
|
||||
static void showipstates(fd, ipsp)
|
||||
int fd;
|
||||
/*
|
||||
* Display ipfilter stateful filtering information
|
||||
*/
|
||||
static void showipstates(ipsp)
|
||||
ips_stat_t *ipsp;
|
||||
{
|
||||
ipstate_t *istab[IPSTATE_SIZE], ips;
|
||||
ipstate_t *istab[IPSTATE_SIZE];
|
||||
|
||||
/*
|
||||
* If a list of states hasn't been asked for, only print out stats
|
||||
*/
|
||||
if (!(opts & OPT_SHOWLIST)) {
|
||||
PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
|
||||
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
|
||||
@ -619,116 +842,20 @@ ips_stat_t *ipsp;
|
||||
if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
|
||||
return;
|
||||
|
||||
while (ipsp->iss_list) {
|
||||
if (kmemcpy((char *)&ips, (u_long)ipsp->iss_list, sizeof(ips)))
|
||||
break;
|
||||
ipsp->iss_list = ips.is_next;
|
||||
PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
|
||||
PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
|
||||
hostname(ips.is_v, &ips.is_dst.in4),
|
||||
ips.is_age, ips.is_pass, ips.is_p,
|
||||
ips.is_state[0], ips.is_state[1]);
|
||||
#ifdef USE_QUAD_T
|
||||
PRINTF("\tpkts %qu bytes %qu",
|
||||
(unsigned long long) ips.is_pkts,
|
||||
(unsigned long long) ips.is_bytes);
|
||||
#else
|
||||
PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
|
||||
#endif
|
||||
if (ips.is_p == IPPROTO_TCP)
|
||||
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
|
||||
PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
|
||||
ntohs(ips.is_sport), ntohs(ips.is_dport),
|
||||
ips.is_send, ips.is_dend,
|
||||
ips.is_maxswin, ips.is_maxdwin);
|
||||
#else
|
||||
PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
|
||||
ntohs(ips.is_sport), ntohs(ips.is_dport),
|
||||
ips.is_send, ips.is_dend,
|
||||
ips.is_maxswin, ips.is_maxdwin);
|
||||
#endif
|
||||
else if (ips.is_p == IPPROTO_UDP)
|
||||
PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
|
||||
ntohs(ips.is_dport));
|
||||
else if (ips.is_p == IPPROTO_ICMP
|
||||
#ifdef USE_INET6
|
||||
|| ips.is_p == IPPROTO_ICMPV6
|
||||
#endif
|
||||
)
|
||||
PRINTF(" %hu %hu %d", ips.is_icmp.ics_id,
|
||||
ips.is_icmp.ics_seq, ips.is_icmp.ics_type);
|
||||
|
||||
PRINTF("\n\t");
|
||||
|
||||
if (ips.is_pass & FR_PASS) {
|
||||
PRINTF("pass");
|
||||
} else if (ips.is_pass & FR_BLOCK) {
|
||||
PRINTF("block");
|
||||
switch (ips.is_pass & FR_RETMASK)
|
||||
{
|
||||
case FR_RETICMP :
|
||||
PRINTF(" return-icmp");
|
||||
break;
|
||||
case FR_FAKEICMP :
|
||||
PRINTF(" return-icmp-as-dest");
|
||||
break;
|
||||
case FR_RETRST :
|
||||
PRINTF(" return-rst");
|
||||
break;
|
||||
default :
|
||||
break;
|
||||
}
|
||||
} else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
|
||||
PRINTF("log");
|
||||
if (ips.is_pass & FR_LOGBODY)
|
||||
PRINTF(" body");
|
||||
if (ips.is_pass & FR_LOGFIRST)
|
||||
PRINTF(" first");
|
||||
} else if (ips.is_pass & FR_ACCOUNT)
|
||||
PRINTF("count");
|
||||
|
||||
if (ips.is_pass & FR_OUTQUE)
|
||||
PRINTF(" out");
|
||||
else
|
||||
PRINTF(" in");
|
||||
|
||||
if ((ips.is_pass & FR_LOG) != 0) {
|
||||
PRINTF(" log");
|
||||
if (ips.is_pass & FR_LOGBODY)
|
||||
PRINTF(" body");
|
||||
if (ips.is_pass & FR_LOGFIRST)
|
||||
PRINTF(" first");
|
||||
if (ips.is_pass & FR_LOGORBLOCK)
|
||||
PRINTF(" or-block");
|
||||
}
|
||||
if (ips.is_pass & FR_QUICK)
|
||||
PRINTF(" quick");
|
||||
if (ips.is_pass & FR_KEEPFRAG)
|
||||
PRINTF(" keep frags");
|
||||
/* a given; no? */
|
||||
if (ips.is_pass & FR_KEEPSTATE)
|
||||
PRINTF(" keep state");
|
||||
PRINTF("\tIPv%d", ips.is_v);
|
||||
PRINTF("\n");
|
||||
|
||||
PRINTF("\tpkt_flags & %x(%x) = %x,\t",
|
||||
ips.is_flags & 0xf, ips.is_flags,
|
||||
ips.is_flags >> 4);
|
||||
PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
|
||||
ips.is_opt);
|
||||
PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
|
||||
ips.is_secmsk, ips.is_sec, ips.is_authmsk,
|
||||
ips.is_auth);
|
||||
PRINTF("\tinterfaces: in %s[%p] ",
|
||||
get_ifname(ips.is_ifpin), ips.is_ifpin);
|
||||
PRINTF("out %s[%p]\n",
|
||||
get_ifname(ips.is_ifpout), ips.is_ifpout);
|
||||
/*
|
||||
* Print out all the state information currently held in the kernel.
|
||||
*/
|
||||
while (ipsp->iss_list != NULL) {
|
||||
ipsp->iss_list = printstate(ipsp->iss_list, opts);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#if SOLARIS
|
||||
/*
|
||||
* Displays the list of interfaces of which IPFilter has taken control in
|
||||
* Solaris.
|
||||
*/
|
||||
void showqiflist(kern)
|
||||
char *kern;
|
||||
{
|
||||
@ -737,6 +864,7 @@ char *kern;
|
||||
{ NULL }
|
||||
};
|
||||
qif_t qif, *qf;
|
||||
ill_t ill;
|
||||
|
||||
if (kern == NULL)
|
||||
kern = "/dev/ksyms";
|
||||
@ -752,24 +880,27 @@ char *kern;
|
||||
while (qf) {
|
||||
if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
|
||||
break;
|
||||
printf("\tName: %-8s Header Length: %2d SAP: %s (%04x)\n",
|
||||
if (kmemcpy((char *)&ill, (u_long)qif.qf_ill, sizeof(ill)))
|
||||
ill.ill_ppa = -1;
|
||||
printf("Name: %-8s Header Length: %2d SAP: %s (%04x) PPA %d",
|
||||
qif.qf_name, qif.qf_hl,
|
||||
#ifdef IP6_DL_SAP
|
||||
(qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
|
||||
#else
|
||||
"IPv4"
|
||||
#endif
|
||||
, qif.qf_sap);
|
||||
, qif.qf_sap, ill.ill_ppa);
|
||||
printf(" %ld %ld", qif.qf_incnt, qif.qf_outcnt);
|
||||
qf = qif.qf_next;
|
||||
putchar('\n');
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef STATETOP
|
||||
static void topipstates(fd, saddr, daddr, sport, dport, protocol,
|
||||
static void topipstates(saddr, daddr, sport, dport, protocol,
|
||||
refreshtime, topclosed)
|
||||
int fd;
|
||||
struct in_addr saddr;
|
||||
struct in_addr daddr;
|
||||
int sport;
|
||||
@ -841,8 +972,8 @@ int topclosed;
|
||||
((dport < 0) ||
|
||||
(htons(dport) == ips.is_dport)))) &&
|
||||
(topclosed || (ips.is_p != IPPROTO_TCP) ||
|
||||
(ips.is_state[0] < TCPS_CLOSE_WAIT) ||
|
||||
(ips.is_state[1] < TCPS_CLOSE_WAIT))) {
|
||||
(ips.is_state[0] < TCPS_LAST_ACK) ||
|
||||
(ips.is_state[1] < TCPS_LAST_ACK))) {
|
||||
/*
|
||||
* if necessary make room for this state
|
||||
* entry
|
||||
@ -899,6 +1030,14 @@ int topclosed;
|
||||
qsort(tstable, tsentry + 1,
|
||||
sizeof(statetop_t), sort_ttl);
|
||||
break;
|
||||
case STSORT_SRCIP:
|
||||
qsort(tstable, tsentry + 1,
|
||||
sizeof(statetop_t), sort_srcip);
|
||||
break;
|
||||
case STSORT_DSTIP:
|
||||
qsort(tstable, tsentry + 1,
|
||||
sizeof(statetop_t), sort_dstip);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@ -957,6 +1096,12 @@ int topclosed;
|
||||
case STSORT_TTL:
|
||||
sprintf(str4, "ttl");
|
||||
break;
|
||||
case STSORT_SRCIP:
|
||||
sprintf(str4, "srcip");
|
||||
break;
|
||||
case STSORT_DSTIP:
|
||||
sprintf(str4, "dstip");
|
||||
break;
|
||||
default:
|
||||
sprintf(str4, "unknown");
|
||||
break;
|
||||
@ -1079,14 +1224,20 @@ int topclosed;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void showfrstates(fd, ifsp)
|
||||
int fd;
|
||||
|
||||
/*
|
||||
* Show fragment cache information that's held in the kernel.
|
||||
*/
|
||||
static void showfrstates(ifsp)
|
||||
ipfrstat_t *ifsp;
|
||||
{
|
||||
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
|
||||
frentry_t fr;
|
||||
int i;
|
||||
|
||||
/*
|
||||
* print out the numeric statistics
|
||||
*/
|
||||
PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
|
||||
ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
|
||||
PRINTF("\t%lu no memory\n\t%lu already exist\n",
|
||||
@ -1094,6 +1245,10 @@ ipfrstat_t *ifsp;
|
||||
PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
|
||||
if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
|
||||
return;
|
||||
|
||||
/*
|
||||
* Print out the contents (if any) of the fragment cache table.
|
||||
*/
|
||||
for (i = 0; i < IPFT_SIZE; i++)
|
||||
while (ipfrtab[i]) {
|
||||
if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
|
||||
@ -1129,8 +1284,10 @@ ipfrstat_t *ifsp;
|
||||
}
|
||||
|
||||
|
||||
static void showauthstates(fd, asp)
|
||||
int fd;
|
||||
/*
|
||||
* Show stats on how auth within IPFilter has been used
|
||||
*/
|
||||
static void showauthstates(asp)
|
||||
fr_authstat_t *asp;
|
||||
{
|
||||
frauthent_t *frap, fra;
|
||||
@ -1161,63 +1318,10 @@ fr_authstat_t *asp;
|
||||
}
|
||||
|
||||
|
||||
static char *get_ifname(ptr)
|
||||
void *ptr;
|
||||
{
|
||||
#if SOLARIS
|
||||
char *ifname;
|
||||
ill_t ill;
|
||||
|
||||
if (ptr == (void *)-1)
|
||||
return "!";
|
||||
if (ptr == NULL)
|
||||
return "-";
|
||||
|
||||
if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
|
||||
return "X";
|
||||
ifname = malloc(ill.ill_name_length + 1);
|
||||
if (kmemcpy(ifname, (u_long)ill.ill_name,
|
||||
ill.ill_name_length) == -1)
|
||||
return "X";
|
||||
return ifname;
|
||||
#else
|
||||
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
defined(__OpenBSD__)
|
||||
#else
|
||||
char buf[32];
|
||||
int len;
|
||||
# endif
|
||||
struct ifnet netif;
|
||||
|
||||
if (ptr == (void *)-1)
|
||||
return "!";
|
||||
if (ptr == NULL)
|
||||
return "-";
|
||||
|
||||
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
|
||||
return "X";
|
||||
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
defined(__OpenBSD__)
|
||||
return strdup(netif.if_xname);
|
||||
# else
|
||||
if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
|
||||
return "X";
|
||||
if (netif.if_unit < 10)
|
||||
len = 2;
|
||||
else if (netif.if_unit < 1000)
|
||||
len = 3;
|
||||
else if (netif.if_unit < 10000)
|
||||
len = 4;
|
||||
else
|
||||
len = 5;
|
||||
buf[sizeof(buf) - len] = '\0';
|
||||
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
|
||||
return strdup(buf);
|
||||
# endif
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Display groups used for each of filter rules, accounting rules and
|
||||
* authentication, separately.
|
||||
*/
|
||||
static void showgroups(fiop)
|
||||
struct friostat *fiop;
|
||||
{
|
||||
@ -1370,4 +1474,32 @@ const void *b;
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int sort_srcip(a, b)
|
||||
const void *a;
|
||||
const void *b;
|
||||
{
|
||||
register const statetop_t *ap = a;
|
||||
register const statetop_t *bp = b;
|
||||
|
||||
if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr))
|
||||
return 0;
|
||||
else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr))
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int sort_dstip(a, b)
|
||||
const void *a;
|
||||
const void *b;
|
||||
{
|
||||
register const statetop_t *ap = a;
|
||||
register const statetop_t *bp = b;
|
||||
|
||||
if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr))
|
||||
return 0;
|
||||
else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr))
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
|
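Review bot: In ipfstate_dead (hunk `@ -376,64 +417,237 @@`) the second lock copy targets the wrong slot: `kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value, sizeof(fiop->f_locks[1]));` should write to `&fiop->f_locks[1]`, otherwise the nat lock overwrites the state lock copied just before it and f_locks[1] is never filled from the core. Two smaller items in the same file: the new `# undef STATETOP)` in hunk `@ -21,8 +24,24 @@` carries a stray `)` after the macro name, and the non-Solaris `-q` message in hunk `@ -316,11 +305,15 @@` should read `fprintf(stderr, "-q only available on Solaris\n");`. If I read the sides correctly, the unconditional `(void)setuid(getuid()); (void)setgid(getgid());` added after openkmem in hunk `@ -216,45 +216,33 @@` discards both return values, so a failed drop would silently leave the rest of the run with the privileges openkmem needed; check them and exit on failure, dropping the group before the user. ipfstate_live leaves `*frfp` unset when the SIOCGETFF ioctl fails while ipfstate_dead zeroes it first and main's `frf` is uninitialised, so an `*frfp = 0;` at the top of ipfstate_live would keep the two paths consistent. ipfstate_dead also hands `kernel` to nlist() with no default (showqiflist falls back to /dev/ksyms when kern is NULL), and after the "nlist error" return main goes on to display the zeroed structures as if they were real statistics.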
@ -65,7 +65,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
|
||||
static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.1 2001/07/15 22:06:14 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.2 2002/02/22 15:32:46 darrenr Exp $";
|
||||
#endif /* LIBC_SCCS and not lint */
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -182,7 +182,8 @@ inet_aton(cp, addr)
|
||||
* Ascii internet address interpretation routine.
|
||||
* The value returned is in network order.
|
||||
*/
|
||||
#if defined(SOLARIS2) && (SOLARIS2 > 5)
|
||||
#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \
|
||||
(defined(IRIX) && (IRIX >= 605))
|
||||
in_addr_t
|
||||
#else
|
||||
u_long
|
||||
|
@ -4,7 +4,7 @@
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.4 2002/03/06 09:44:11 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -16,7 +16,6 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 da
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/dir.h>
|
||||
#include <sys/socket.h>
|
||||
#ifndef _KERNEL
|
||||
@ -42,8 +41,8 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 da
|
||||
#include "netinet/ip_compat.h"
|
||||
#include <netinet/tcpip.h>
|
||||
#include "netinet/ip_fil.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_nat.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_frag.h"
|
||||
#include "netinet/ip_state.h"
|
||||
#include "netinet/ip_auth.h"
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.12 2001/07/18 14:57:09 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -375,14 +375,14 @@ caddr_t data;
|
||||
{
|
||||
register frentry_t *fp, *f, **fprev;
|
||||
register frentry_t **ftail;
|
||||
frentry_t fr;
|
||||
frdest_t *fdp;
|
||||
frgroup_t *fg = NULL;
|
||||
u_int *p, *pp;
|
||||
int error = 0, in;
|
||||
int error = 0, in, i;
|
||||
u_int *p, *pp;
|
||||
frdest_t *fdp;
|
||||
frentry_t fr;
|
||||
u_32_t group;
|
||||
ill_t *ill;
|
||||
ipif_t *ipif;
|
||||
ill_t *ill;
|
||||
ire_t *ire;
|
||||
|
||||
fp = &fr;
|
||||
@ -448,11 +448,16 @@ caddr_t data;
|
||||
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
|
||||
if (*fp->fr_ifname) {
|
||||
fp->fr_ifa = (void *)get_unit((char *)fp->fr_ifname,
|
||||
(int)fp->fr_v);
|
||||
if (!fp->fr_ifa)
|
||||
fp->fr_ifa = (struct ifnet *)-1;
|
||||
for (i = 0; i < 4; i++) {
|
||||
if ((fp->fr_ifnames[i][1] == '\0') &&
|
||||
((fp->fr_ifnames[i][0] == '-') ||
|
||||
(fp->fr_ifnames[i][0] == '*'))) {
|
||||
fp->fr_ifas[i] = NULL;
|
||||
} else if (*fp->fr_ifnames[i]) {
|
||||
fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
|
||||
if (!fp->fr_ifas[i])
|
||||
fp->fr_ifas[i] = (void *)-1;
|
||||
}
|
||||
}
|
||||
|
||||
fdp = &fp->fr_dif;
|
||||
@ -583,6 +588,7 @@ caddr_t data;
|
||||
fixskip(fprev, f, -1);
|
||||
*ftail = f->fr_next;
|
||||
f->fr_next = NULL;
|
||||
f->fr_ref--;
|
||||
if (f->fr_ref == 0)
|
||||
KFREE(f);
|
||||
}
|
||||
|
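Review bot: The new loop in hunk `@ -448,11 +448,16 @@` hard-codes the interface-name count as `4`; `for (i = 0; i < sizeof(fp->fr_ifnames) / sizeof(fp->fr_ifnames[0]); i++)` keeps the bound in step with the array if the frentry layout changes. The empty-name case sets nothing: `fp` points at the local `fr`, which is presumably filled from the ioctl's `data` argument outside the hunk, so `fr_ifas[i]` keeps whatever pointer the caller copied in unless it is zeroed elsewhere; if an empty name means "no interface", a trailing `else fp->fr_ifas[i] = NULL;` states that explicitly instead of trusting the copied-in value. The enclosing function (its K&R parameter `data` appears in the hunk header) starts and ends outside the hunk.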
@ -12,6 +12,9 @@
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
@ -47,7 +50,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.10 2001/07/18 11:34:19 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if SOLARIS
|
||||
@ -64,9 +67,7 @@ void zerostats __P((void));
|
||||
int main __P((int, char *[]));
|
||||
|
||||
int opts = 0;
|
||||
#ifdef USE_INET6
|
||||
int use_inet6 = 0;
|
||||
#endif
|
||||
|
||||
static int fd = -1;
|
||||
|
||||
@ -105,11 +106,9 @@ char *argv[];
|
||||
while ((c = getopt(argc, argv, OPTS)) != -1) {
|
||||
switch (c)
|
||||
{
|
||||
#ifdef USE_INET6
|
||||
case '6' :
|
||||
use_inet6 = 1;
|
||||
break;
|
||||
#endif
|
||||
case 'A' :
|
||||
opts &= ~OPT_INACTIVE;
|
||||
break;
|
||||
|
@ -4,7 +4,7 @@
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*
|
||||
* @(#)ipf.h 1.12 6/5/96
|
||||
* $Id: ipf.h,v 2.9.2.3 2001/06/26 10:43:18 darrenr Exp $
|
||||
* $Id: ipf.h,v 2.9.2.6 2002/01/03 08:00:12 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IPF_H__
|
||||
@ -38,6 +38,7 @@
|
||||
#define OPT_STATETOP 0x400000
|
||||
#define OPT_FLUSH 0x800000
|
||||
#define OPT_CLEAR 0x1000000
|
||||
#define OPT_HEX 0x2000000
|
||||
#define OPT_NODO 0x80000000
|
||||
|
||||
#define OPT_STAT OPT_FRSTATES
|
||||
@ -52,7 +53,10 @@
|
||||
# endif
|
||||
#endif
|
||||
|
||||
struct ipstate;
|
||||
struct frpcmp;
|
||||
struct ipnat;
|
||||
struct nat;
|
||||
|
||||
#ifdef ultrix
|
||||
extern char *strdup __P((char *));
|
||||
@ -90,9 +94,15 @@ extern int genmask __P((char *, u_32_t *));
|
||||
extern int hostnum __P((u_32_t *, char *, int));
|
||||
extern u_32_t optname __P((char ***, u_short *, int));
|
||||
extern void printpacket __P((ip_t *));
|
||||
extern void printpacket6 __P((ip_t *));
|
||||
extern void printportcmp __P((int, struct frpcmp *));
|
||||
extern void printhostmask __P((int, u_32_t *, u_32_t *));
|
||||
extern void printbuf __P((char *, int, int));
|
||||
extern char *hostname __P((int, void *));
|
||||
extern struct ipstate *printstate __P((struct ipstate *, int));
|
||||
extern void printnat __P((struct ipnat *, int));
|
||||
extern void printactivenat __P((struct nat *, int));
|
||||
|
||||
#if SOLARIS
|
||||
extern int inet_aton __P((const char *, struct in_addr *));
|
||||
extern int gethostname __P((char *, int ));
|
||||
|
@ -45,7 +45,7 @@
|
||||
#include "ipf.h"
|
||||
|
||||
#if !defined(lint)
|
||||
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.7 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#ifndef IPF_SAVEDIR
|
||||
@ -237,13 +237,13 @@ char *argv[];
|
||||
opts |= OPT_DONOTHING;
|
||||
break;
|
||||
case 'N' :
|
||||
if ((ns > 0) || dirname || (rw != -1) || set)
|
||||
if ((ns >= 0) || dirname || (rw != -1) || set)
|
||||
usage();
|
||||
ns = 0;
|
||||
set = 1;
|
||||
break;
|
||||
case 'r' :
|
||||
if ((ns > 0) || dirname || (rw != -1))
|
||||
if ((ns >= 0) || dirname || (rw != -1))
|
||||
usage();
|
||||
rw = 0;
|
||||
set = 1;
|
||||
@ -253,7 +253,7 @@ char *argv[];
|
||||
set = 1;
|
||||
break;
|
||||
case 'S' :
|
||||
if ((ns > 0) || dirname || (rw != -1) || set)
|
||||
if ((ns >= 0) || dirname || (rw != -1) || set)
|
||||
usage();
|
||||
ns = 1;
|
||||
set = 1;
|
||||
@ -268,7 +268,7 @@ char *argv[];
|
||||
opts |= OPT_VERBOSE;
|
||||
break;
|
||||
case 'w' :
|
||||
if ((ns > 0) || dirname || (rw != -1) || (ns == -1))
|
||||
if (dirname || (rw != -1) || (ns == -1))
|
||||
usage();
|
||||
rw = 1;
|
||||
set = 1;
|
||||
@ -283,7 +283,7 @@ char *argv[];
|
||||
}
|
||||
|
||||
if (ifs) {
|
||||
if (!filename || ns<0)
|
||||
if (!filename || ns < 0)
|
||||
usage();
|
||||
if (ns == 0)
|
||||
return changenatif(ifs, filename);
|
||||
|
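Review bot: In the `case 'w'` hunk `@ -268,7 +268,7 @@` the new condition still rejects `ns == -1`, so, assuming `ns` starts at -1 outside the hunk, `-w` is accepted only when `-N` or `-S` precedes it on the command line, while the `-r` case earlier in the section has no such requirement. If the asymmetry is intended (write needs a table selected, restore does not), a one-line comment such as `/* -w needs -N or -S before it: ns selects the table to save */` would save the next reader from treating the order dependence as a bug; otherwise validating `ns` once after the getopt loop would make option order irrelevant. The enclosing main() starts and ends outside the hunk.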
@ -17,6 +17,9 @@ etherfind -n -t
|
||||
0.32 91 04 131.170.1.10 128.250.133.13
|
||||
0.33 566 udp 128.250.37.155 128.250.133.3 901 901
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
@ -49,7 +52,7 @@ etherfind -n -t
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static int etherf_open __P((char *));
|
||||
|
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <assert.h>
|
||||
@ -40,7 +43,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.5 2002/02/22 15:32:54 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
@ -91,6 +94,14 @@ int cnt, *dir;
|
||||
char line[513];
|
||||
ip_t *ip;
|
||||
|
||||
/*
|
||||
* interpret start of line as possibly "[ifname]" or
|
||||
* "[in/out,ifname]".
|
||||
*/
|
||||
if (ifn)
|
||||
*ifn = NULL;
|
||||
if (dir)
|
||||
*dir = 0;
|
||||
ip = (ip_t *)buf;
|
||||
while (fgets(line, sizeof(line)-1, tfp)) {
|
||||
if ((s = index(line, '\n'))) {
|
||||
@ -107,21 +118,14 @@ int cnt, *dir;
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
/*
|
||||
* interpret start of line as possibly "[ifname]" or
|
||||
* "[in/out,ifname]".
|
||||
*/
|
||||
if (ifn)
|
||||
*ifn = NULL;
|
||||
if (dir)
|
||||
*dir = 0;
|
||||
if ((*buf == '[') && (s = index(line, ']'))) {
|
||||
t = buf + 1;
|
||||
if (t - s > 0) {
|
||||
if ((*line == '[') && (s = index(line, ']'))) {
|
||||
t = line + 1;
|
||||
if (s - t > 0) {
|
||||
*s++ = '\0';
|
||||
if ((u = index(t, ',')) && (u < s)) {
|
||||
u++;
|
||||
if (ifn)
|
||||
*ifn = u;
|
||||
*ifn = strdup(u);
|
||||
if (dir) {
|
||||
if (*t == 'i')
|
||||
*dir = 0;
|
||||
@ -130,7 +134,6 @@ int cnt, *dir;
|
||||
}
|
||||
} else if (ifn)
|
||||
*ifn = t;
|
||||
*s++ = '\0';
|
||||
}
|
||||
} else
|
||||
s = line;
|
||||
|
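Review bot: The two branches that set `*ifn` now hand back memory with different ownership: in hunk `@ -107,21 +118,14 @@` the comma branch does `*ifn = strdup(u);`, while the unchanged `else if (ifn) *ifn = t;` in the following hunk still points into the local `line[513]` buffer, which the next `fgets()` overwrites and which is dead once the function returns. Either both branches should `strdup()` (with the caller owning the result, since each bracketed line otherwise leaks the previous allocation when `*ifn` is reassigned) or neither should. `strdup()` can also return NULL and the result is not checked before it is stored. The enclosing function starts outside the hunk (`int cnt, *dir;` in the hunk header is its K&R parameter list) and ends after it.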
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
@ -31,7 +34,7 @@
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint)
|
||||
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
struct llc {
|
||||
|
@ -7,6 +7,9 @@
|
||||
/*
|
||||
* Written to comply with the recent RFC 1761 from Sun.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
@ -35,7 +38,7 @@
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint)
|
||||
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
struct llc {
|
||||
|
@ -26,6 +26,9 @@ tcpdump -nqte
|
||||
8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
|
||||
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
@ -58,7 +61,7 @@ tcpdump -nqte
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static int tcpd_open __P((char *));
|
||||
|
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <assert.h>
|
||||
@ -41,7 +44,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.4 2001/06/26 10:43:18 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
@ -261,7 +264,7 @@ int *out;
|
||||
tx_proto = "udp";
|
||||
} else {
|
||||
ip->ip_p = IPPROTO_ICMP;
|
||||
ip->ip_len += sizeof(struct icmp);
|
||||
ip->ip_len += ICMPERR_IPICMPHLEN;
|
||||
tx_proto = "icmp";
|
||||
}
|
||||
cpp++;
|
||||
|
@ -1,10 +1,13 @@
|
||||
/*
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
* Copyright (C) 1993-2002 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*
|
||||
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
@ -39,10 +42,12 @@
|
||||
#include <arpa/inet.h>
|
||||
#include <resolv.h>
|
||||
#include <ctype.h>
|
||||
#include <nlist.h>
|
||||
#include "netinet/ip_compat.h"
|
||||
#include "netinet/ip_fil.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_nat.h"
|
||||
#include "netinet/ip_state.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "ipf.h"
|
||||
#include "kmem.h"
|
||||
|
||||
@ -55,32 +60,32 @@ extern char *sys_errlist[];
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.9 2001/07/18 15:06:33 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
#if SOLARIS
|
||||
#define bzero(a,b) memset(a,0,b)
|
||||
#endif
|
||||
#ifdef USE_INET6
|
||||
int use_inet6 = 0;
|
||||
#endif
|
||||
|
||||
static char thishost[MAXHOSTNAMELEN];
|
||||
|
||||
char thishost[MAXHOSTNAMELEN];
|
||||
|
||||
extern char *optarg;
|
||||
extern ipnat_t *natparse __P((char *, int));
|
||||
extern void natparsefile __P((int, char *, int));
|
||||
extern void printnat __P((ipnat_t *, int, void *));
|
||||
extern void printnat __P((ipnat_t *, int));
|
||||
extern void printactivenat __P((nat_t *, int));
|
||||
extern void printhostmap __P((hostmap_t *, u_int));
|
||||
extern char *getsumd __P((u_32_t));
|
||||
|
||||
void dostats __P((int, int)), flushtable __P((int, int));
|
||||
void dostats __P((natstat_t *, int)), flushtable __P((int, int));
|
||||
void usage __P((char *));
|
||||
int countbits __P((u_32_t));
|
||||
char *getnattype __P((ipnat_t *));
|
||||
int main __P((int, char*[]));
|
||||
void printaps __P((ap_session_t *, int));
|
||||
char *getsumd __P((u_32_t));
|
||||
void showhostmap __P((natstat_t *nsp));
|
||||
void natstat_dead __P((natstat_t *, char *));
|
||||
|
||||
|
||||
void usage(name)
|
||||
@ -91,27 +96,22 @@ char *name;
|
||||
}
|
||||
|
||||
|
||||
char *getsumd(sum)
|
||||
u_32_t sum;
|
||||
{
|
||||
static char sumdbuf[17];
|
||||
|
||||
if (sum & NAT_HW_CKSUM)
|
||||
sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
|
||||
else
|
||||
sprintf(sumdbuf, "%#0x", sum);
|
||||
return sumdbuf;
|
||||
}
|
||||
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
int fd = -1, opts = 0, c, mode = O_RDWR;
|
||||
char *file = NULL, *core = NULL;
|
||||
natstat_t ns, *nsp = &ns;
|
||||
char *file, *core, *kernel;
|
||||
int fd, opts, c, mode;
|
||||
|
||||
while ((c = getopt(argc, argv, "CdFf:hlM:nrsv")) != -1)
|
||||
fd = -1;
|
||||
opts = 0;
|
||||
file = NULL;
|
||||
core = NULL;
|
||||
kernel = NULL;
|
||||
mode = O_RDWR;
|
||||
|
||||
while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'C' :
|
||||
@ -136,6 +136,9 @@ char *argv[];
|
||||
case 'M' :
|
||||
core = optarg;
|
||||
break;
|
||||
case 'N' :
|
||||
kernel = optarg;
|
||||
break;
|
||||
case 'n' :
|
||||
opts |= OPT_NODO;
|
||||
mode = O_RDONLY;
|
||||
@ -154,21 +157,40 @@ char *argv[];
|
||||
usage(argv[0]);
|
||||
}
|
||||
|
||||
if (core != NULL) {
|
||||
if (openkmem(core) == -1)
|
||||
exit(1);
|
||||
if ((kernel != NULL) || (core != NULL)) {
|
||||
(void) setgid(getgid());
|
||||
(void) setuid(getuid());
|
||||
}
|
||||
|
||||
bzero((char *)&ns, sizeof(ns));
|
||||
|
||||
gethostname(thishost, sizeof(thishost));
|
||||
thishost[sizeof(thishost) - 1] = '\0';
|
||||
|
||||
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, mode)) == -1) &&
|
||||
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
|
||||
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) {
|
||||
if (openkmem(kernel, core) == -1)
|
||||
exit(1);
|
||||
|
||||
if (((fd = open(IPL_NAT, mode)) == -1) &&
|
||||
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
|
||||
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
|
||||
STRERROR(errno));
|
||||
exit(1);
|
||||
}
|
||||
if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
|
||||
perror("ioctl(SIOCGNATS)");
|
||||
exit(1);
|
||||
}
|
||||
(void) setgid(getgid());
|
||||
(void) setuid(getuid());
|
||||
} else if ((kernel != NULL) || (core != NULL)) {
|
||||
if (openkmem(kernel, core) == -1)
|
||||
exit(1);
|
||||
|
||||
natstat_dead(nsp, kernel);
|
||||
if (opts & (OPT_LIST|OPT_STAT))
|
||||
dostats(nsp, opts);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (opts & (OPT_FLUSH|OPT_CLEAR))
|
||||
@ -176,172 +198,113 @@ char *argv[];
|
||||
if (file)
|
||||
natparsefile(fd, file, opts);
|
||||
if (opts & (OPT_LIST|OPT_STAT))
|
||||
dostats(fd, opts);
|
||||
dostats(nsp, opts);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
void printaps(aps, opts)
|
||||
ap_session_t *aps;
|
||||
int opts;
|
||||
/*
|
||||
* Read nat statistic information in using a symbol table and memory file
|
||||
* rather than doing ioctl's.
|
||||
*/
|
||||
void natstat_dead(nsp, kernel)
|
||||
natstat_t *nsp;
|
||||
char *kernel;
|
||||
{
|
||||
ap_session_t ap;
|
||||
ftpinfo_t ftp;
|
||||
aproxy_t apr;
|
||||
raudio_t ra;
|
||||
struct nlist nat_nlist[10] = {
|
||||
{ "nat_table" }, /* 0 */
|
||||
{ "nat_list" },
|
||||
{ "maptable" },
|
||||
{ "ipf_nattable_sz" },
|
||||
{ "ipf_natrules_sz" },
|
||||
{ "ipf_rdrrules_sz" }, /* 5 */
|
||||
{ "ipf_hostmap_sz" },
|
||||
{ "nat_instances" },
|
||||
{ "ap_sess_list" },
|
||||
{ NULL }
|
||||
};
|
||||
void *tables[2];
|
||||
|
||||
if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
|
||||
if (nlist(kernel, nat_nlist) == -1) {
|
||||
fprintf(stderr, "nlist error\n");
|
||||
return;
|
||||
if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
|
||||
return;
|
||||
printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
|
||||
apr.apr_p, apr.apr_ref, apr.apr_flags);
|
||||
printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
|
||||
#ifdef USE_QUAD_T
|
||||
printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
|
||||
(unsigned long long)ap.aps_pkts);
|
||||
#else
|
||||
printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
|
||||
#endif
|
||||
printf(" data %p psiz %d\n", ap.aps_data, ap.aps_psiz);
|
||||
if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
|
||||
printf("\t\tstate[%u,%u], sel[%d,%d]\n",
|
||||
ap.aps_state[0], ap.aps_state[1],
|
||||
ap.aps_sel[0], ap.aps_sel[1]);
|
||||
#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
|
||||
(__FreeBSD_version >= 300000) || defined(OpenBSD)
|
||||
printf("\t\tseq: off %hd/%hd min %x/%x\n",
|
||||
ap.aps_seqoff[0], ap.aps_seqoff[1],
|
||||
ap.aps_seqmin[0], ap.aps_seqmin[1]);
|
||||
printf("\t\tack: off %hd/%hd min %x/%x\n",
|
||||
ap.aps_ackoff[0], ap.aps_ackoff[1],
|
||||
ap.aps_ackmin[0], ap.aps_ackmin[1]);
|
||||
#else
|
||||
printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
|
||||
ap.aps_seqoff[0], ap.aps_seqoff[1],
|
||||
ap.aps_seqmin[0], ap.aps_seqmin[1]);
|
||||
printf("\t\tack: off %hd/%hd min %lx/%lx\n",
|
||||
ap.aps_ackoff[0], ap.aps_ackoff[1],
|
||||
ap.aps_ackmin[0], ap.aps_ackmin[1]);
|
||||
#endif
|
||||
}
|
||||
|
||||
if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
|
||||
if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
|
||||
return;
|
||||
printf("\tReal Audio Proxy:\n");
|
||||
printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
|
||||
ra.rap_seenpna, ra.rap_version, ra.rap_eos);
|
||||
printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
|
||||
printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
|
||||
ra.rap_plport, ra.rap_prport, ra.rap_srport);
|
||||
} else if (!strcmp(apr.apr_label, "ftp") &&
|
||||
(ap.aps_psiz == sizeof(ftp))) {
|
||||
if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
|
||||
return;
|
||||
printf("\tFTP Proxy:\n");
|
||||
printf("\t\tpassok: %d\n", ftp.ftp_passok);
|
||||
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
|
||||
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
|
||||
printf("\tClient:\n");
|
||||
printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
|
||||
ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr,
|
||||
ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
|
||||
ftp.ftp_side[0].ftps_junk);
|
||||
printf("\t\tbuf [");
|
||||
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
|
||||
printf("]\n\tServer:\n");
|
||||
printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
|
||||
ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr,
|
||||
ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
|
||||
ftp.ftp_side[1].ftps_junk);
|
||||
printf("\t\tbuf [");
|
||||
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
|
||||
printf("]\n");
|
||||
}
|
||||
/*
|
||||
* Normally the ioctl copies all of these values into the structure
|
||||
* for us, before returning it to useland, so here we must copy each
|
||||
* one in individually.
|
||||
*/
|
||||
kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
|
||||
nsp->ns_table[0] = tables[0];
|
||||
nsp->ns_table[1] = tables[1];
|
||||
|
||||
kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
|
||||
sizeof(nsp->ns_list));
|
||||
kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
|
||||
sizeof(nsp->ns_maptable));
|
||||
kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
|
||||
sizeof(nsp->ns_nattab_sz));
|
||||
kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
|
||||
sizeof(nsp->ns_rultab_sz));
|
||||
kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
|
||||
sizeof(nsp->ns_rdrtab_sz));
|
||||
kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
|
||||
sizeof(nsp->ns_hostmap_sz));
|
||||
kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
|
||||
sizeof(nsp->ns_instances));
|
||||
kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
|
||||
sizeof(nsp->ns_apslist));
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Get a nat filter type given its kernel address.
|
||||
* Display NAT statistics.
|
||||
*/
|
||||
char *getnattype(ipnat)
|
||||
ipnat_t *ipnat;
|
||||
void dostats(nsp, opts)
|
||||
natstat_t *nsp;
|
||||
int opts;
|
||||
{
|
||||
char *which;
|
||||
ipnat_t ipnatbuff;
|
||||
|
||||
if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
|
||||
sizeof(ipnatbuff))))
|
||||
return "???";
|
||||
|
||||
switch (ipnatbuff.in_redir)
|
||||
{
|
||||
case NAT_MAP :
|
||||
which = "MAP";
|
||||
break;
|
||||
case NAT_MAPBLK :
|
||||
which = "MAP-BLOCK";
|
||||
break;
|
||||
case NAT_REDIRECT :
|
||||
which = "RDR";
|
||||
break;
|
||||
case NAT_BIMAP :
|
||||
which = "BIMAP";
|
||||
break;
|
||||
default :
|
||||
which = "unknown";
|
||||
break;
|
||||
}
|
||||
return which;
|
||||
}
|
||||
|
||||
|
||||
void dostats(fd, opts)
|
||||
int fd, opts;
|
||||
{
|
||||
hostmap_t hm, *hmp, **maptable;
|
||||
natstat_t ns, *nsp = &ns;
|
||||
nat_t **nt[2], *np, nat;
|
||||
u_int hv, hv1, hv2;
|
||||
ipnat_t ipn;
|
||||
|
||||
bzero((char *)&ns, sizeof(ns));
|
||||
|
||||
if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &nsp) == -1) {
|
||||
perror("ioctl(SIOCGNATS)");
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* Show statistics ?
|
||||
*/
|
||||
if (opts & OPT_STAT) {
|
||||
printf("mapped\tin\t%lu\tout\t%lu\n",
|
||||
ns.ns_mapped[0], ns.ns_mapped[1]);
|
||||
nsp->ns_mapped[0], nsp->ns_mapped[1]);
|
||||
printf("added\t%lu\texpired\t%lu\n",
|
||||
ns.ns_added, ns.ns_expire);
|
||||
nsp->ns_added, nsp->ns_expire);
|
||||
printf("no memory\t%lu\tbad nat\t%lu\n",
|
||||
ns.ns_memfail, ns.ns_badnat);
|
||||
printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
|
||||
printf("wilds\t%u\n", ns.ns_wilds);
|
||||
nsp->ns_memfail, nsp->ns_badnat);
|
||||
printf("inuse\t%lu\nrules\t%lu\n",
|
||||
nsp->ns_inuse, nsp->ns_rules);
|
||||
printf("wilds\t%u\n", nsp->ns_wilds);
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf("table %p list %p\n", ns.ns_table, ns.ns_list);
|
||||
printf("table %p list %p\n",
|
||||
nsp->ns_table, nsp->ns_list);
|
||||
}
|
||||
|
||||
/*
|
||||
* Show list of NAT rules and NAT sessions ?
|
||||
*/
|
||||
if (opts & OPT_LIST) {
|
||||
printf("List of active MAP/Redirect filters:\n");
|
||||
while (ns.ns_list) {
|
||||
if (kmemcpy((char *)&ipn, (long)ns.ns_list,
|
||||
while (nsp->ns_list) {
|
||||
if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
|
||||
sizeof(ipn))) {
|
||||
perror("kmemcpy");
|
||||
break;
|
||||
}
|
||||
if (opts & OPT_HITS)
|
||||
printf("%d ", ipn.in_hits);
|
||||
printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE),
|
||||
(void *)ns.ns_list);
|
||||
ns.ns_list = ipn.in_next;
|
||||
printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
|
||||
nsp->ns_list = ipn.in_next;
|
||||
}
|
||||
|
||||
nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
|
||||
if (kmemcpy((char *)nt[0], (long)ns.ns_table[0],
|
||||
if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0],
|
||||
sizeof(**nt) * NAT_SIZE)) {
|
||||
perror("kmemcpy");
|
||||
return;
|
||||
@ -349,89 +312,59 @@ int fd, opts;
|
||||
|
||||
printf("\nList of active sessions:\n");
|
||||
|
||||
for (np = ns.ns_instances; np; np = nat.nat_next) {
|
||||
for (np = nsp->ns_instances; np; np = nat.nat_next) {
|
||||
if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
|
||||
break;
|
||||
|
||||
printf("%s %-15s %-5hu <- ->", getnattype(nat.nat_ptr),
|
||||
inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport));
|
||||
printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip),
|
||||
ntohs(nat.nat_outport));
|
||||
printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
|
||||
ntohs(nat.nat_oport));
|
||||
if (opts & OPT_VERBOSE) {
|
||||
printf("\n\tage %lu use %hu sumd %s/",
|
||||
nat.nat_age, nat.nat_use,
|
||||
getsumd(nat.nat_sumd[0]));
|
||||
hv1 = NAT_HASH_FN(nat.nat_inip.s_addr,
|
||||
nat.nat_inport,
|
||||
0xffffffff),
|
||||
hv1 = NAT_HASH_FN(nat.nat_oip.s_addr,
|
||||
hv1 + nat.nat_oport,
|
||||
NAT_TABLE_SZ),
|
||||
hv2 = NAT_HASH_FN(nat.nat_outip.s_addr,
|
||||
nat.nat_outport,
|
||||
0xffffffff),
|
||||
hv2 = NAT_HASH_FN(nat.nat_oip.s_addr,
|
||||
hv2 + nat.nat_oport,
|
||||
NAT_TABLE_SZ),
|
||||
printf("%s pr %u bkt %d/%d flags %x ",
|
||||
getsumd(nat.nat_sumd[1]), nat.nat_p,
|
||||
hv1, hv2, nat.nat_flags);
|
||||
#ifdef USE_QUAD_T
|
||||
printf("bytes %qu pkts %qu",
|
||||
(unsigned long long)nat.nat_bytes,
|
||||
(unsigned long long)nat.nat_pkts);
|
||||
#else
|
||||
printf("bytes %lu pkts %lu",
|
||||
nat.nat_bytes, nat.nat_pkts);
|
||||
#endif
|
||||
#if SOLARIS
|
||||
printf(" %lx", nat.nat_ipsumd);
|
||||
#endif
|
||||
}
|
||||
putchar('\n');
|
||||
if (nat.nat_aps)
|
||||
printaps(nat.nat_aps, opts);
|
||||
printactivenat(&nat, opts);
|
||||
}
|
||||
|
||||
if (opts & OPT_VERBOSE) {
|
||||
printf("\nList of active host mappings:\n");
|
||||
|
||||
maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
|
||||
ns.ns_hostmap_sz);
|
||||
if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable,
|
||||
sizeof(hostmap_t *) * ns.ns_hostmap_sz)) {
|
||||
perror("kmemcpy (maptable)");
|
||||
return;
|
||||
}
|
||||
|
||||
for (hv = 0; hv < ns.ns_hostmap_sz; hv++) {
|
||||
hmp = maptable[hv];
|
||||
|
||||
while(hmp) {
|
||||
|
||||
if (kmemcpy((char *)&hm, (u_long)hmp,
|
||||
sizeof(hostmap_t))) {
|
||||
perror("kmemcpy (hostmap)");
|
||||
return;
|
||||
}
|
||||
|
||||
printf("%s -> ",
|
||||
inet_ntoa(hm.hm_realip));
|
||||
printf("%s ", inet_ntoa(hm.hm_mapip));
|
||||
printf("(use = %d hv = %u)\n",
|
||||
hm.hm_ref, hv);
|
||||
hmp = hm.hm_next;
|
||||
}
|
||||
}
|
||||
free(maptable);
|
||||
}
|
||||
if (opts & OPT_VERBOSE)
|
||||
showhostmap(nsp);
|
||||
free(nt[0]);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* display the active host mapping table.
|
||||
*/
|
||||
void showhostmap(nsp)
|
||||
natstat_t *nsp;
|
||||
{
|
||||
hostmap_t hm, *hmp, **maptable;
|
||||
u_int hv;
|
||||
|
||||
printf("\nList of active host mappings:\n");
|
||||
|
||||
maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
|
||||
nsp->ns_hostmap_sz);
|
||||
if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
|
||||
sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
|
||||
perror("kmemcpy (maptable)");
|
||||
return;
|
||||
}
|
||||
|
||||
for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
|
||||
hmp = maptable[hv];
|
||||
|
||||
while (hmp) {
|
||||
if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
|
||||
perror("kmemcpy (hostmap)");
|
||||
return;
|
||||
}
|
||||
|
||||
printhostmap(&hm, hv);
|
||||
hmp = hm.hm_next;
|
||||
}
|
||||
}
|
||||
free(maptable);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Issue an ioctl to flush either the NAT rules table or the active mapping
|
||||
* table or both.
|
||||
*/
|
||||
void flushtable(fd, opts)
|
||||
int fd, opts;
|
||||
{
|
||||
|
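Review bot: Both privilege drops added in main's hunk `@ -154,21 +157,40 @@` discard the result, `(void) setgid(getgid()); (void) setuid(getuid());`, so a failed drop silently leaves the tool running with the credentials it started with; `if (setgid(getgid()) == -1 || setuid(getuid()) == -1) { perror("setuid"); exit(1); }` at both sites is the usual form. In `natstat_dead` the nine `kmemcpy()` calls ignore their return value, unlike the checked copies in `dostats` and `showhostmap`, and `nlist()` is only tested for -1 although on the BSDs it also reports symbols it could not resolve through a positive return, leaving their `n_value` zero. Checking each `nat_nlist[i].n_value` for zero before it is passed to `kmemcpy()`, and testing each `kmemcpy()` result, would turn a mismatched symbol table into a clean error instead of a read from address 0.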
@ -1,6 +1,9 @@
|
||||
/*
|
||||
* Based upon 4.4BSD's /usr/sbin/arp
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
|
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
@ -26,7 +29,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
|
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@ -29,7 +32,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C)1995";
|
||||
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.3 2001/07/15 22:00:13 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.4 2002/02/22 15:32:57 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static char *ipbuf = NULL, *ethbuf = NULL;
|
||||
|
@ -8,12 +8,16 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
@ -30,7 +34,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
|
@ -3,6 +3,10 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <sys/param.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
@ -21,7 +25,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.3 2002/02/22 15:32:58 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
|
@ -8,6 +8,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <unistd.h>
|
||||
@ -34,7 +37,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.2 2001/07/15 22:00:14 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.3 2002/02/22 15:32:58 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
|
@ -5,7 +5,10 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.2 2002/02/22 15:32:58 darrenr Exp $";
|
||||
#endif
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
@ -8,6 +8,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
@ -35,7 +38,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.4 2002/02/22 15:32:58 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
|
@ -4,6 +4,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
* Copyright (C) 1993-2002 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
@ -12,6 +12,9 @@
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
#include <string.h>
|
||||
@ -54,12 +57,13 @@
|
||||
#include "ip_fil.h"
|
||||
#include "ip_nat.h"
|
||||
#include "ip_state.h"
|
||||
#include "ip_frag.h"
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.2 2001/06/26 10:43:19 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern char *optarg;
|
||||
@ -71,23 +75,42 @@ extern ipnat_t *natparse __P((char *, int));
|
||||
extern int fr_running;
|
||||
|
||||
int opts = 0;
|
||||
#ifdef USE_INET6
|
||||
int use_inet6 = 0;
|
||||
#endif
|
||||
int main __P((int, char *[]));
|
||||
int loadrules __P((char *));
|
||||
int kmemcpy __P((char *, long, int));
|
||||
void dumpnat __P((void));
|
||||
void dumpstate __P((void));
|
||||
char *getifname __P((void *));
|
||||
void drain_log __P((char *));
|
||||
|
||||
int main(argc,argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
struct ipread *r = &iptext;
|
||||
u_long buf[2048];
|
||||
char *datain, *iface, *ifname, *packet, *logout;
|
||||
int fd, i, dir, c, loaded, dump, hlen;
|
||||
struct ifnet *ifp;
|
||||
char *rules = NULL, *datain = NULL, *iface = NULL;
|
||||
struct ipread *r;
|
||||
u_long buf[2048];
|
||||
ip_t *ip;
|
||||
int fd, i, dir = 0, c;
|
||||
|
||||
while ((c = getopt(argc, argv, "6bdEHi:I:NoPr:STvX")) != -1)
|
||||
dir = 0;
|
||||
dump = 0;
|
||||
loaded = 0;
|
||||
r = &iptext;
|
||||
iface = NULL;
|
||||
logout = NULL;
|
||||
ifname = "anon0";
|
||||
datain = NULL;
|
||||
|
||||
nat_init();
|
||||
fr_stateinit();
|
||||
initparse();
|
||||
ipflog_init();
|
||||
fr_running = 1;
|
||||
|
||||
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
#ifdef USE_INET6
|
||||
@ -101,17 +124,25 @@ char *argv[];
|
||||
case 'd' :
|
||||
opts |= OPT_DEBUG;
|
||||
break;
|
||||
case 'D' :
|
||||
dump = 1;
|
||||
break;
|
||||
case 'i' :
|
||||
datain = optarg;
|
||||
break;
|
||||
case 'I' :
|
||||
iface = optarg;
|
||||
ifname = optarg;
|
||||
break;
|
||||
case 'l' :
|
||||
logout = optarg;
|
||||
break;
|
||||
case 'o' :
|
||||
opts |= OPT_SAVEOUT;
|
||||
break;
|
||||
case 'r' :
|
||||
rules = optarg;
|
||||
if (loadrules(optarg) == -1)
|
||||
return -1;
|
||||
loaded = 1;
|
||||
break;
|
||||
case 'v' :
|
||||
opts |= OPT_VERBOSE;
|
||||
@ -134,80 +165,19 @@ char *argv[];
|
||||
case 'T' :
|
||||
r = &tcpd;
|
||||
break;
|
||||
case 'x' :
|
||||
opts |= OPT_HEX;
|
||||
break;
|
||||
case 'X' :
|
||||
r = &iptext;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!rules) {
|
||||
(void)fprintf(stderr,"no rule file present\n");
|
||||
if (loaded == 0) {
|
||||
(void)fprintf(stderr,"no rules loaded\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
nat_init();
|
||||
fr_stateinit();
|
||||
initparse();
|
||||
fr_running = 1;
|
||||
|
||||
if (rules) {
|
||||
char line[513], *s;
|
||||
void *fr;
|
||||
FILE *fp;
|
||||
int linenum = 0;
|
||||
|
||||
if (!strcmp(rules, "-"))
|
||||
fp = stdin;
|
||||
else if (!(fp = fopen(rules, "r"))) {
|
||||
(void)fprintf(stderr, "couldn't open %s\n", rules);
|
||||
exit(-1);
|
||||
}
|
||||
if (!(opts & OPT_BRIEF))
|
||||
(void)printf("opening rule file \"%s\"\n", rules);
|
||||
while (fgets(line, sizeof(line)-1, fp)) {
|
||||
linenum++;
|
||||
/*
|
||||
* treat both CR and LF as EOL
|
||||
*/
|
||||
if ((s = index(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = index(line, '\r')))
|
||||
*s = '\0';
|
||||
/*
|
||||
* # is comment marker, everything after is a ignored
|
||||
*/
|
||||
if ((s = index(line, '#')))
|
||||
*s = '\0';
|
||||
|
||||
if (!*line)
|
||||
continue;
|
||||
|
||||
/* fake an `ioctl' call :) */
|
||||
|
||||
if ((opts & OPT_NAT) != 0) {
|
||||
if (!(fr = natparse(line, linenum)))
|
||||
continue;
|
||||
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
|
||||
(caddr_t)&fr,
|
||||
FWRITE|FREAD);
|
||||
if (opts & OPT_DEBUG)
|
||||
fprintf(stderr,
|
||||
"iplioctl(ADNAT,%p,1) = %d\n",
|
||||
fr, i);
|
||||
} else {
|
||||
if (!(fr = parse(line, linenum)))
|
||||
continue;
|
||||
i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
|
||||
(caddr_t)&fr,
|
||||
FWRITE|FREAD);
|
||||
if (opts & OPT_DEBUG)
|
||||
fprintf(stderr,
|
||||
"iplioctl(ADAFR,%p,1) = %d\n",
|
||||
fr, i);
|
||||
}
|
||||
}
|
||||
(void)fclose(fp);
|
||||
}
|
||||
|
||||
if (opts & OPT_SAVEOUT)
|
||||
init_ifp();
|
||||
|
||||
@ -222,13 +192,34 @@ char *argv[];
|
||||
ip = (ip_t *)buf;
|
||||
while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
|
||||
&iface, &dir)) > 0) {
|
||||
ifp = iface ? get_unit(iface, ip->ip_v) : NULL;
|
||||
ip->ip_off = ntohs(ip->ip_off);
|
||||
ip->ip_len = ntohs(ip->ip_len);
|
||||
i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf);
|
||||
if (iface == NULL || *iface == '\0')
|
||||
iface = ifname;
|
||||
ifp = get_unit(iface, ip->ip_v);
|
||||
hlen = 0;
|
||||
if (!use_inet6) {
|
||||
ip->ip_off = ntohs(ip->ip_off);
|
||||
ip->ip_len = ntohs(ip->ip_len);
|
||||
hlen = ip->ip_hl << 2;
|
||||
}
|
||||
#ifdef USE_INET6
|
||||
else
|
||||
hlen = sizeof(ip6_t);
|
||||
#endif
|
||||
packet = (char *)buf;
|
||||
/* ipfr_slowtimer(); */
|
||||
i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet);
|
||||
if ((opts & OPT_NAT) == 0)
|
||||
switch (i)
|
||||
{
|
||||
case -5 :
|
||||
(void)printf("block return-icmp-as-dest");
|
||||
break;
|
||||
case -4 :
|
||||
(void)printf("block return-icmp");
|
||||
break;
|
||||
case -3 :
|
||||
(void)printf("block return-rst");
|
||||
break;
|
||||
case -2 :
|
||||
(void)printf("auth");
|
||||
break;
|
||||
@ -242,6 +233,10 @@ char *argv[];
|
||||
(void)printf("nomatch");
|
||||
break;
|
||||
}
|
||||
if (!use_inet6) {
|
||||
ip->ip_off = htons(ip->ip_off);
|
||||
ip->ip_len = htons(ip->ip_len);
|
||||
}
|
||||
|
||||
if (!(opts & OPT_BRIEF)) {
|
||||
putchar(' ');
|
||||
@ -250,17 +245,232 @@ char *argv[];
|
||||
} else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
|
||||
printpacket((ip_t *)buf);
|
||||
#ifndef linux
|
||||
if (dir && ifp && ip->ip_v)
|
||||
# ifdef __sgi
|
||||
(*ifp->if_output)(ifp, (void *)buf, NULL);
|
||||
if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL))
|
||||
# if defined(__sgi) && (IRIX < 605)
|
||||
(*ifp->if_output)(ifp, (void *)packet, NULL);
|
||||
# else
|
||||
(*ifp->if_output)(ifp, (void *)buf, NULL, 0);
|
||||
(*ifp->if_output)(ifp, (void *)packet, NULL, 0);
|
||||
# endif
|
||||
#endif
|
||||
if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
|
||||
putchar('\n');
|
||||
dir = 0;
|
||||
if (iface != ifname) {
|
||||
free(iface);
|
||||
iface = ifname;
|
||||
}
|
||||
}
|
||||
(*r->r_close)();
|
||||
|
||||
if (logout != NULL) {
|
||||
drain_log(logout);
|
||||
}
|
||||
|
||||
if (dump == 1) {
|
||||
dumpnat();
|
||||
dumpstate();
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Load in either NAT or ipf rules from a file, which is treated as stdin
|
||||
* if the name is "-". NOTE, stdin can only be used once as the file is
|
||||
* closed after use.
|
||||
*/
|
||||
int loadrules(file)
|
||||
char *file;
|
||||
{
|
||||
char line[513], *s;
|
||||
int linenum, i;
|
||||
void *fr;
|
||||
FILE *fp;
|
||||
|
||||
if (!strcmp(file, "-"))
|
||||
fp = stdin;
|
||||
else if (!(fp = fopen(file, "r"))) {
|
||||
(void)fprintf(stderr, "couldn't open %s\n", file);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (!(opts & OPT_BRIEF))
|
||||
(void)printf("opening rule file \"%s\"\n", file);
|
||||
|
||||
linenum = 0;
|
||||
|
||||
while (fgets(line, sizeof(line) - 1, fp)) {
|
||||
linenum++;
|
||||
|
||||
/*
|
||||
* treat both CR and LF as EOL
|
||||
*/
|
||||
if ((s = index(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = index(line, '\r')))
|
||||
*s = '\0';
|
||||
|
||||
/*
|
||||
* # is comment marker, everything after is a ignored
|
||||
*/
|
||||
if ((s = index(line, '#')))
|
||||
*s = '\0';
|
||||
|
||||
if (!*line)
|
||||
continue;
|
||||
|
||||
/* fake an `ioctl' call :) */
|
||||
|
||||
if ((opts & OPT_NAT) != 0) {
|
||||
if (!(fr = natparse(line, linenum)))
|
||||
continue;
|
||||
|
||||
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
|
||||
(caddr_t)&fr, FWRITE|FREAD);
|
||||
if (opts & OPT_DEBUG)
|
||||
fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n",
|
||||
fr, i);
|
||||
} else {
|
||||
if (!(fr = parse(line, linenum)))
|
||||
continue;
|
||||
|
||||
i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr,
|
||||
FWRITE|FREAD);
|
||||
if (opts & OPT_DEBUG)
|
||||
fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n",
|
||||
fr, i);
|
||||
}
|
||||
}
|
||||
(void)fclose(fp);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int kmemcpy(addr, offset, size)
|
||||
char *addr;
|
||||
long offset;
|
||||
int size;
|
||||
{
|
||||
bcopy((char *)offset, addr, size);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Display the built up NAT table rules and mapping entries.
|
||||
*/
|
||||
void dumpnat()
|
||||
{
|
||||
ipnat_t *ipn;
|
||||
nat_t *nat;
|
||||
|
||||
printf("List of active MAP/Redirect filters:\n");
|
||||
for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
|
||||
printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
|
||||
printf("\nList of active sessions:\n");
|
||||
for (nat = nat_instances; nat; nat = nat->nat_next)
|
||||
printactivenat(nat, opts);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Display the built up state table rules and mapping entries.
|
||||
*/
|
||||
void dumpstate()
|
||||
{
|
||||
ipstate_t *ips;
|
||||
|
||||
printf("List of active state sessions:\n");
|
||||
for (ips = ips_list; ips != NULL; )
|
||||
ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE));
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Given a pointer to an interface in the kernel, return a pointer to a
|
||||
* string which is the interface name.
|
||||
*/
|
||||
char *getifname(ptr)
|
||||
void *ptr;
|
||||
{
|
||||
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
defined(__OpenBSD__)
|
||||
#else
|
||||
char buf[32], *s;
|
||||
int len;
|
||||
#endif
|
||||
struct ifnet netif;
|
||||
|
||||
if (ptr == (void *)-1)
|
||||
return "!";
|
||||
if (ptr == NULL)
|
||||
return "-";
|
||||
|
||||
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
|
||||
return "X";
|
||||
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
defined(__OpenBSD__)
|
||||
return strdup(netif.if_xname);
|
||||
#else
|
||||
if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
|
||||
return "X";
|
||||
if (netif.if_unit < 10)
|
||||
len = 2;
|
||||
else if (netif.if_unit < 1000)
|
||||
len = 3;
|
||||
else if (netif.if_unit < 10000)
|
||||
len = 4;
|
||||
else
|
||||
len = 5;
|
||||
buf[sizeof(buf) - len] = '\0';
|
||||
for (s = buf; *s && !isdigit(*s); s++)
|
||||
;
|
||||
if (isdigit(*s))
|
||||
*s = '\0';
|
||||
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
|
||||
return strdup(buf);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
void drain_log(filename)
|
||||
char *filename;
|
||||
{
|
||||
char buffer[IPLLOGSIZE];
|
||||
struct iovec iov;
|
||||
struct uio uio;
|
||||
size_t resid;
|
||||
int fd;
|
||||
|
||||
fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
|
||||
if (fd == -1) {
|
||||
perror("drain_log:open");
|
||||
return;
|
||||
}
|
||||
|
||||
while (1) {
|
||||
bzero((char *)&iov, sizeof(iov));
|
||||
iov.iov_base = buffer;
|
||||
iov.iov_len = sizeof(buffer);
|
||||
|
||||
bzero((char *)&uio, sizeof(uio));
|
||||
uio.uio_iov = &iov;
|
||||
uio.uio_iovcnt = 1;
|
||||
uio.uio_resid = iov.iov_len;
|
||||
resid = uio.uio_resid;
|
||||
|
||||
if (ipflog_read(0, &uio) == 0) {
|
||||
/*
|
||||
* If nothing was read then break out.
|
||||
*/
|
||||
if (uio.uio_resid == resid)
|
||||
break;
|
||||
write(fd, buffer, resid - uio.uio_resid);
|
||||
} else
|
||||
break;
|
||||
}
|
||||
|
||||
close(fd);
|
||||
}
|
||||
|
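Review bot: Loading the rules inside the `-r` case makes the result depend on option order: loadrules() picks natparse() or parse() from `opts & OPT_NAT` at the moment it is called, so `ipftest -r file -N` parses the file as filter rules while `-N -r file` parses it as NAT rules, whereas the old code only loaded after the whole getopt loop had run (the `-N` case itself is outside the visible hunks, but the getopt string still lists it, and `-d`/`-b` similarly change loadrules() output). Either keep `rules = optarg` in the case and call loadrules() once after the switch, or state the ordering requirement in the usage text. Separately, the `if (iface != ifname) { free(iface); ...}` at the bottom of the packet loop assumes every non-empty name r_readip() stores is heap-allocated; a comment such as `/* r_readip() hands back a malloc'd name; release it before the next packet */` would make that contract explicit. In drain_log() the `write(fd, ...)` result is discarded, so a short or failed write to the `-l` file goes unnoticed; checking it against `resid - uio.uio_resid` and calling perror("drain_log:write") matches the open() handling above it.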
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
* Copyright (C) 1993-2002 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
@ -8,13 +8,37 @@
|
||||
* returns 0 on success, -1 on error.
|
||||
*/
|
||||
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/file.h>
|
||||
#ifndef __sgi
|
||||
#include <kvm.h>
|
||||
#endif
|
||||
#include <fcntl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <net/if.h>
|
||||
#if __FreeBSD_version >= 300000
|
||||
# include <net/if_var.h>
|
||||
#endif
|
||||
|
||||
#include "kmem.h"
|
||||
#include "netinet/ip_compat.h"
|
||||
#include "netinet/ip_fil.h"
|
||||
#include "ipf.h"
|
||||
|
||||
|
||||
#ifndef __STDC__
|
||||
# define const
|
||||
@ -22,23 +46,68 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.3 2001/07/15 22:06:16 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static int kmemfd = -1;
|
||||
#ifndef __sgi
|
||||
|
||||
int openkmem(core)
|
||||
char *core;
|
||||
static kvm_t *kvm_f = NULL;
|
||||
|
||||
#else
|
||||
|
||||
typedef int kvm_t;
|
||||
|
||||
static kvm_t kvm_f = -1;
|
||||
static char *kvm_errstr;
|
||||
|
||||
kvm_t kvm_open(kernel, core, swap, mode, errstr)
|
||||
char *kernel, *core, *swap;
|
||||
int mode;
|
||||
char *errstr;
|
||||
{
|
||||
if (core == NULL)
|
||||
core = KMEM;
|
||||
kvm_t fd;
|
||||
|
||||
if ((kmemfd = open(core, O_RDONLY)) == -1)
|
||||
kvm_errstr = errstr;
|
||||
|
||||
fd = open(core, mode);
|
||||
return fd;
|
||||
}
|
||||
|
||||
int kvm_read(kvm, pos, buffer, size)
|
||||
kvm_t kvm;
|
||||
u_long pos;
|
||||
char *buffer;
|
||||
size_t size;
|
||||
{
|
||||
int r, left;
|
||||
char *bufp;
|
||||
|
||||
if (lseek(kvm, pos, 0) == -1) {
|
||||
fprintf(stderr, "%s", kvm_errstr);
|
||||
perror("lseek");
|
||||
return -1;
|
||||
}
|
||||
|
||||
for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
|
||||
r = read(kvm, bufp, 1);
|
||||
if (r <= 0)
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
int openkmem(kern, core)
|
||||
char *kern, *core;
|
||||
{
|
||||
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
|
||||
if (kvm_f == NULL)
|
||||
{
|
||||
perror("kmeminit:open");
|
||||
perror("openkmem:open");
|
||||
return -1;
|
||||
}
|
||||
return kmemfd;
|
||||
return (int)kvm_f;
|
||||
}
|
||||
|
||||
int kmemcpy(buf, pos, n)
|
||||
@ -50,23 +119,22 @@ register int n;
|
||||
|
||||
if (!n)
|
||||
return 0;
|
||||
if (kmemfd == -1)
|
||||
if (openkmem(NULL) == -1)
|
||||
|
||||
if (kvm_f == NULL)
|
||||
if (openkmem(NULL, NULL) == -1)
|
||||
return -1;
|
||||
if (lseek(kmemfd, pos, 0) == -1)
|
||||
{
|
||||
perror("kmemcpy:lseek");
|
||||
return -1;
|
||||
}
|
||||
while ((r = read(kmemfd, buf, n)) < n)
|
||||
|
||||
while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
|
||||
if (r <= 0)
|
||||
{
|
||||
fprintf(stderr, "pos=0x%x ", (u_int)pos);
|
||||
perror("kmemcpy:read");
|
||||
return -1;
|
||||
}
|
||||
else
|
||||
{
|
||||
buf += r;
|
||||
pos += r;
|
||||
n -= r;
|
||||
}
|
||||
return 0;
|
||||
@ -81,19 +149,18 @@ register int n;
|
||||
|
||||
if (!n)
|
||||
return 0;
|
||||
if (kmemfd == -1)
|
||||
if (openkmem(NULL) == -1)
|
||||
|
||||
if (kvm_f == NULL)
|
||||
if (openkmem(NULL, NULL) == -1)
|
||||
return -1;
|
||||
if (lseek(kmemfd, pos, 0) == -1)
|
||||
|
||||
while (n > 0)
|
||||
{
|
||||
perror("kmemcpy:lseek");
|
||||
return -1;
|
||||
}
|
||||
while (n > 0) {
|
||||
r = read(kmemfd, buf, 1);
|
||||
r = kvm_read(kvm_f, pos, buf, 1);
|
||||
if (r <= 0)
|
||||
{
|
||||
perror("kmemcpy:read");
|
||||
fprintf(stderr, "pos=0x%x ", (u_int)pos);
|
||||
perror("kstrncpy:read");
|
||||
return -1;
|
||||
}
|
||||
else
|
||||
@ -101,8 +168,70 @@ register int n;
|
||||
if (*buf == '\0')
|
||||
break;
|
||||
buf++;
|
||||
pos++;
|
||||
n--;
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Given a pointer to an interface in the kernel, return a pointer to a
|
||||
* string which is the interface name.
|
||||
*/
|
||||
char *getifname(ptr)
|
||||
void *ptr;
|
||||
{
|
||||
#if SOLARIS
|
||||
char *ifname;
|
||||
ill_t ill;
|
||||
|
||||
if (ptr == (void *)-1)
|
||||
return "!";
|
||||
if (ptr == NULL)
|
||||
return "-";
|
||||
|
||||
if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
|
||||
return "X";
|
||||
ifname = malloc(ill.ill_name_length + 1);
|
||||
if (kmemcpy(ifname, (u_long)ill.ill_name,
|
||||
ill.ill_name_length) == -1)
|
||||
return "X";
|
||||
return ifname;
|
||||
#else
|
||||
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
defined(__OpenBSD__)
|
||||
#else
|
||||
char buf[32];
|
||||
int len;
|
||||
# endif
|
||||
struct ifnet netif;
|
||||
|
||||
if (ptr == (void *)-1)
|
||||
return "!";
|
||||
if (ptr == NULL)
|
||||
return "-";
|
||||
|
||||
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
|
||||
return "X";
|
||||
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
|
||||
defined(__OpenBSD__)
|
||||
return strdup(netif.if_xname);
|
||||
# else
|
||||
if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
|
||||
return "X";
|
||||
if (netif.if_unit < 10)
|
||||
len = 2;
|
||||
else if (netif.if_unit < 1000)
|
||||
len = 3;
|
||||
else if (netif.if_unit < 10000)
|
||||
len = 4;
|
||||
else
|
||||
len = 5;
|
||||
buf[sizeof(buf) - len] = '\0';
|
||||
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
|
||||
return strdup(buf);
|
||||
# endif
|
||||
#endif
|
||||
}
|
||||
|
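Review bot: The `__sgi` emulation of kvm_read() returns 0 on success, but kmemcpy() (`while ((r = kvm_read(kvm_f, pos, buf, n)) < n) if (r <= 0)`) and kstrncpy() (`if (r <= 0)`) treat anything but a positive byte count as failure, so on that platform every successful read is reported as "kmemcpy:read"; the emulation should `return size;` once the loop completes. The same fallback initialises `static kvm_t kvm_f = -1` while kmemcpy(), kstrncpy() and openkmem() all test `kvm_f == NULL`, so the descriptor is never opened lazily there and a failed open(2) (which yields -1) is never detected. The emulated kvm_open() also dropped the `core == NULL → KMEM` default the old openkmem() had, so `openkmem(NULL, NULL)` now passes a null path to open(2). In the SOLARIS branch of getifname(), `ill.ill_name_length + 1` bytes are allocated but the terminator is never written after the kmemcpy(), so add `ifname[ill.ill_name_length] = '\0';` before returning and check the malloc() result. The `"pos=0x%x ", (u_int)pos` diagnostics truncate a `u_long` position on 64-bit targets; `"pos=0x%lx ", (u_long)pos` prints it whole.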
@ -2,7 +2,7 @@
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
* $Id: kmem.h,v 2.2.2.2 2001/06/26 10:43:19 darrenr Exp $
|
||||
* $Id: kmem.h,v 2.2.2.4 2002/01/01 13:43:48 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __KMEM_H__
|
||||
@ -15,9 +15,10 @@
|
||||
# define __P(x) ()
|
||||
# endif
|
||||
#endif
|
||||
extern int openkmem __P((char *));
|
||||
extern int openkmem __P((char *, char *));
|
||||
extern int kmemcpy __P((char *, long, int));
|
||||
extern int kstrncpy __P((char *, long, int));
|
||||
extern char *getifname __P((void *));
|
||||
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD)
|
||||
# include <paths.h>
|
||||
|
@ -10,7 +10,7 @@ all:
|
||||
|
||||
install:
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipnat.1 $(MANDIR)/man1
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
|
||||
|
@ -52,6 +52,7 @@ Change the default directory used with
|
||||
and
|
||||
.B \-W
|
||||
options for saving state information.
|
||||
.TP
|
||||
.B \-n
|
||||
Don't actually take any action that would effect information stored in
|
||||
the kernel or on disk.
|
||||
@ -59,6 +60,11 @@ the kernel or on disk.
|
||||
.B \-v
|
||||
Provides a verbose description of what's being done.
|
||||
.TP
|
||||
.B \-i <ifname1>,<ifname2>
|
||||
Change all instances of interface name ifname1 in the state save file to
|
||||
ifname2. Useful if you're restoring state information after a hardware
|
||||
reconfiguration or change.
|
||||
.TP
|
||||
.B \-N
|
||||
Operate on NAT information.
|
||||
.TP
|
||||
@ -69,7 +75,7 @@ Operate on filtering state information.
|
||||
Unlock state tables in the kernel.
|
||||
.TP
|
||||
.B \-l
|
||||
Unlock state tables in the kernel.
|
||||
Lock state tables in the kernel.
|
||||
.TP
|
||||
.B \-r
|
||||
Read information in from the specified file and load it into the
|
||||
|
@ -49,7 +49,7 @@ When reading from the \fBipl\fP device, it is necessary to call read(2) with
|
||||
a buffer big enough to hold at least 1 complete log record - reading of partial
|
||||
log records is not supported.
|
||||
.PP
|
||||
If the packet contents is more then 128 bytes when \fBlog body\fP is used,
|
||||
If the packet contents are more than 128 bytes when \fBlog body\fP is used,
|
||||
then only 128 bytes of the packet contents is logged.
|
||||
.PP
|
||||
Although it is only possible to read from the \fBipl\fP device, opening it
|
||||
|
@ -10,10 +10,11 @@ ipmap :: = mapblock | redir | map .
|
||||
map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
|
||||
map ::= mapit ifname fromto "->" ipmask [ mapport ] .
|
||||
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
|
||||
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
|
||||
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
|
||||
|
||||
dport ::= "port" portnum [ "-" portnum ] .
|
||||
ports ::= "ports" numports | "auto" .
|
||||
rdrport ::= "port" portnum .
|
||||
mapit ::= "map" | "bimap" .
|
||||
fromto ::= "from" object "to" object .
|
||||
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
|
||||
@ -199,6 +200,7 @@ own. As opposed to the above use of \fBmap\fP, if for some reason the user
|
||||
of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
|
||||
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
|
||||
IP address with the \fBmap\fP command.
|
||||
.SH FILES
|
||||
/dev/ipnat
|
||||
.br
|
||||
/etc/services
|
||||
|
@ -1,8 +1,11 @@
|
||||
/*
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
* Copyright (C) 1993-2002 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#if (SOLARIS2 >= 7)
|
||||
# define _SYS_VARARGS_H
|
||||
# define _VARARGS_H
|
||||
@ -50,7 +53,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.7 2002/02/22 15:32:55 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
@ -60,9 +63,38 @@ void printpacket(ip)
|
||||
ip_t *ip;
|
||||
{
|
||||
tcphdr_t *tcp;
|
||||
u_short len;
|
||||
|
||||
if (ip->ip_v == 4)
|
||||
len = ntohs(ip->ip_len);
|
||||
else if (ip->ip_v == 6)
|
||||
len = ntohs(((u_short *)ip)[2]) + 40;
|
||||
else
|
||||
len = 0;
|
||||
|
||||
if ((opts & OPT_HEX) == OPT_HEX) {
|
||||
u_char *s;
|
||||
int i;
|
||||
|
||||
for (s = (u_char *)ip, i = 0; i < len; i++) {
|
||||
printf("%02x", *s++ & 0xff);
|
||||
if (len - i > 1) {
|
||||
i++;
|
||||
printf("%02x", *s++ & 0xff);
|
||||
}
|
||||
putchar(' ');
|
||||
}
|
||||
putchar('\n');
|
||||
return;
|
||||
}
|
||||
|
||||
if (ip->ip_v == 6) {
|
||||
printpacket6(ip);
|
||||
return;
|
||||
}
|
||||
|
||||
tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
|
||||
printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
|
||||
printf("ip %d(%d) %d", ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p);
|
||||
if (ip->ip_off & IP_OFFMASK)
|
||||
printf(" @%d", ip->ip_off << 3);
|
||||
(void)printf(" %s", inet_ntoa(ip->ip_src));
|
||||
@ -78,6 +110,48 @@ ip_t *ip;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* This is meant to work without the IPv6 header files being present or
|
||||
* the inet_ntop() library.
|
||||
*/
|
||||
void printpacket6(ip)
|
||||
ip_t *ip;
|
||||
{
|
||||
u_char *buf, p, hops;
|
||||
u_short plen, *addrs;
|
||||
tcphdr_t *tcp;
|
||||
u_32_t flow;
|
||||
|
||||
buf = (u_char *)ip;
|
||||
tcp = (tcphdr_t *)(buf + 40);
|
||||
p = buf[6];
|
||||
hops = buf[7];
|
||||
flow = ntohl(*(u_32_t *)buf);
|
||||
flow &= 0xfffff;
|
||||
plen = ntohs(*((u_short *)buf +2));
|
||||
addrs = (u_short *)buf + 4;
|
||||
|
||||
printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
|
||||
printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
|
||||
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
|
||||
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
|
||||
ntohs(addrs[6]), ntohs(addrs[7]));
|
||||
if (plen >= 4)
|
||||
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
|
||||
(void)printf(",%d", ntohs(tcp->th_sport));
|
||||
printf(" >");
|
||||
addrs += 8;
|
||||
printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
|
||||
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
|
||||
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
|
||||
ntohs(addrs[6]), ntohs(addrs[7]));
|
||||
if (plen >= 4)
|
||||
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
|
||||
(void)printf(",%d", ntohs(tcp->th_dport));
|
||||
putchar('\n');
|
||||
}
|
||||
|
||||
|
||||
#if defined(__STDC__)
|
||||
void verbose(char *fmt, ...)
|
||||
#else
|
||||
|
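Review bot: The new hex-dump loop in printpacket() walks `len` bytes where `len` comes from the packet header itself (ip_len, or the v6 payload length plus 40), not from how many bytes the caller actually read, so a truncated or malformed capture makes it read past the packet; since the prototype takes only `ip_t *`, either add a length argument and clamp, or document the precondition with a comment like `/* caller guarantees the buffer holds ip_len (v4) or payload length + 40 (v6) bytes */`. `len` is also a `u_short`, so for v6 `ntohs(...) + 40` wraps when the payload length exceeds 65495. In printpacket6() the ports are read from offset 40 whenever `p` is TCP or UDP, which is only right when no extension header precedes the transport header; the header comment should state that limitation. The `%02x` conversions are applied to 16-bit address groups, so `%x` (or `%04x`) would match conventional IPv6 notation better.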
@ -117,8 +117,12 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RW,
|
||||
&fr_tcpclosed, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RW,
|
||||
&fr_udptimeout, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RW,
|
||||
&fr_udpacktimeout, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RW,
|
||||
&fr_icmptimeout, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmpacktimeout, CTLFLAG_RW,
|
||||
&fr_icmpacktimeout, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RW,
|
||||
&fr_defnatage, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
|
||||
|
@ -62,7 +62,12 @@ static __psunsigned_t ipfk_code[4];
|
||||
typedef struct nif {
|
||||
struct nif *nf_next;
|
||||
struct ifnet *nf_ifp;
|
||||
#if IRIX < 605
|
||||
int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *);
|
||||
#else
|
||||
int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
|
||||
struct rtentry *);
|
||||
#endif
|
||||
char nf_name[IFNAMSIZ];
|
||||
int nf_unit;
|
||||
} nif_t;
|
||||
@ -74,7 +79,12 @@ extern int in_interfaces;
|
||||
extern ipnat_t *nat_list;
|
||||
|
||||
static int
|
||||
#if IRIX < 605
|
||||
ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
|
||||
#else
|
||||
ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
|
||||
struct rtentry *rt)
|
||||
#endif
|
||||
{
|
||||
nif_t *nif;
|
||||
|
||||
@ -112,19 +122,19 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
|
||||
#if IPFDEBUG >= 4
|
||||
if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
|
||||
printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
|
||||
return (*nif->nf_output)(ifp, m, dst);
|
||||
goto done;
|
||||
}
|
||||
#endif
|
||||
if (m->m_len < sizeof(char)) {
|
||||
printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
|
||||
return (*nif->nf_output)(ifp, m, dst);
|
||||
goto done;
|
||||
}
|
||||
ip = mtod(m, struct ip *);
|
||||
if (ip->ip_v != IPVERSION) {
|
||||
#if IPFDEBUG >= 4
|
||||
printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
|
||||
#endif
|
||||
return (*nif->nf_output)(ifp, m, dst);
|
||||
goto done;
|
||||
}
|
||||
|
||||
hlen = ip->ip_hl << 2;
|
||||
@ -142,7 +152,12 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
|
||||
break;
|
||||
}
|
||||
}
|
||||
done:
|
||||
#if IRIX < 605
|
||||
return (*nif->nf_output)(ifp, m, dst);
|
||||
#else
|
||||
return (*nif->nf_output)(ifp, m, dst, rt);
|
||||
#endif
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -235,7 +235,7 @@ static int ipl_load()
|
||||
*/
|
||||
(void)ipl_remove();
|
||||
|
||||
error = iplattach();
|
||||
error = ipl_enable();
|
||||
if (error)
|
||||
return error;
|
||||
|
||||
|
@ -1,8 +1,11 @@
|
||||
/*
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
* Copyright (C) 1993-2002 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
@ -39,8 +42,9 @@
|
||||
#include <ctype.h>
|
||||
#include "netinet/ip_compat.h"
|
||||
#include "netinet/ip_fil.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_nat.h"
|
||||
#include "netinet/ip_state.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "ipf.h"
|
||||
|
||||
#if defined(sun) && !SOLARIS2
|
||||
@ -52,7 +56,7 @@ extern char *sys_errlist[];
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
|
||||
@ -60,191 +64,15 @@ static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09
|
||||
#define bzero(a,b) memset(a,0,b)
|
||||
#endif
|
||||
|
||||
extern void printnat __P((ipnat_t *, int));
|
||||
extern int countbits __P((u_32_t));
|
||||
extern char *proto;
|
||||
|
||||
ipnat_t *natparse __P((char *, int));
|
||||
void printnat __P((ipnat_t *, int, void *));
|
||||
void natparsefile __P((int, char *, int));
|
||||
void nat_setgroupmap __P((struct ipnat *));
|
||||
|
||||
|
||||
void printnat(np, opts, ptr)
|
||||
ipnat_t *np;
|
||||
int opts;
|
||||
void *ptr;
|
||||
{
|
||||
struct protoent *pr;
|
||||
struct servent *sv;
|
||||
int bits;
|
||||
|
||||
switch (np->in_redir)
|
||||
{
|
||||
case NAT_REDIRECT :
|
||||
printf("rdr");
|
||||
break;
|
||||
case NAT_MAP :
|
||||
printf("map");
|
||||
break;
|
||||
case NAT_MAPBLK :
|
||||
printf("map-block");
|
||||
break;
|
||||
case NAT_BIMAP :
|
||||
printf("bimap");
|
||||
break;
|
||||
default :
|
||||
fprintf(stderr, "unknown value for in_redir: %#x\n",
|
||||
np->in_redir);
|
||||
break;
|
||||
}
|
||||
|
||||
printf(" %s ", np->in_ifname);
|
||||
|
||||
if (np->in_flags & IPN_FILTER) {
|
||||
if (np->in_flags & IPN_NOTSRC)
|
||||
printf("! ");
|
||||
printf("from ");
|
||||
if (np->in_redir == NAT_REDIRECT) {
|
||||
printhostmask(4, (u_32_t *)&np->in_srcip,
|
||||
(u_32_t *)&np->in_srcmsk);
|
||||
if (np->in_scmp)
|
||||
printportcmp(np->in_p, &np->in_tuc.ftu_src);
|
||||
} else {
|
||||
printhostmask(4, (u_32_t *)&np->in_inip,
|
||||
(u_32_t *)&np->in_inmsk);
|
||||
if (np->in_dcmp)
|
||||
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
|
||||
}
|
||||
|
||||
if (np->in_flags & IPN_NOTDST)
|
||||
printf(" !");
|
||||
printf(" to ");
|
||||
if (np->in_redir == NAT_REDIRECT) {
|
||||
printhostmask(4, (u_32_t *)&np->in_outip,
|
||||
(u_32_t *)&np->in_outmsk);
|
||||
if (np->in_dcmp)
|
||||
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
|
||||
} else {
|
||||
printhostmask(4, (u_32_t *)&np->in_srcip,
|
||||
(u_32_t *)&np->in_srcmsk);
|
||||
if (np->in_scmp)
|
||||
printportcmp(np->in_p, &np->in_tuc.ftu_src);
|
||||
}
|
||||
}
|
||||
|
||||
if (np->in_redir == NAT_REDIRECT) {
|
||||
if (!(np->in_flags & IPN_FILTER)) {
|
||||
printf("%s", inet_ntoa(np->in_out[0]));
|
||||
bits = countbits(np->in_out[1].s_addr);
|
||||
if (bits != -1)
|
||||
printf("/%d ", bits);
|
||||
else
|
||||
printf("/%s ", inet_ntoa(np->in_out[1]));
|
||||
if (np->in_pmin)
|
||||
printf("port %d", ntohs(np->in_pmin));
|
||||
if (np->in_pmax != np->in_pmin)
|
||||
printf("- %d", ntohs(np->in_pmax));
|
||||
}
|
||||
printf(" -> %s", inet_ntoa(np->in_in[0]));
|
||||
if (np->in_flags & IPN_SPLIT)
|
||||
printf(",%s", inet_ntoa(np->in_in[1]));
|
||||
if (np->in_pnext)
|
||||
printf(" port %d", ntohs(np->in_pnext));
|
||||
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
|
||||
printf(" tcp/udp");
|
||||
else if ((np->in_flags & IPN_TCP) == IPN_TCP)
|
||||
printf(" tcp");
|
||||
else if ((np->in_flags & IPN_UDP) == IPN_UDP)
|
||||
printf(" udp");
|
||||
if (np->in_flags & IPN_ROUNDR)
|
||||
printf(" round-robin");
|
||||
if (np->in_flags & IPN_FRAG)
|
||||
printf(" frag");
|
||||
printf("\n");
|
||||
if (opts & OPT_DEBUG)
|
||||
printf("\t%p %lu %#x %u %p %d\n", np->in_ifp,
|
||||
np->in_space, np->in_flags, np->in_pmax, np,
|
||||
np->in_use);
|
||||
} else {
|
||||
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
|
||||
if (!(np->in_flags & IPN_FILTER)) {
|
||||
printf("%s/", inet_ntoa(np->in_in[0]));
|
||||
bits = countbits(np->in_in[1].s_addr);
|
||||
if (bits != -1)
|
||||
printf("%d ", bits);
|
||||
else
|
||||
printf("%s", inet_ntoa(np->in_in[1]));
|
||||
}
|
||||
printf(" -> ");
|
||||
if (np->in_flags & IPN_IPRANGE) {
|
||||
printf("range %s-", inet_ntoa(np->in_out[0]));
|
||||
printf("%s", inet_ntoa(np->in_out[1]));
|
||||
} else {
|
||||
printf("%s/", inet_ntoa(np->in_out[0]));
|
||||
bits = countbits(np->in_out[1].s_addr);
|
||||
if (bits != -1)
|
||||
printf("%d ", bits);
|
||||
else
|
||||
printf("%s", inet_ntoa(np->in_out[1]));
|
||||
}
|
||||
if (*np->in_plabel) {
|
||||
pr = getprotobynumber(np->in_p);
|
||||
printf(" proxy port");
|
||||
if (np->in_dport != 0) {
|
||||
if (pr != NULL)
|
||||
sv = getservbyport(np->in_dport,
|
||||
pr->p_name);
|
||||
else
|
||||
sv = getservbyport(np->in_dport, NULL);
|
||||
if (sv != NULL)
|
||||
printf(" %s", sv->s_name);
|
||||
else
|
||||
printf(" %hu", ntohs(np->in_dport));
|
||||
}
|
||||
printf(" %.*s/", (int)sizeof(np->in_plabel),
|
||||
np->in_plabel);
|
||||
if (pr != NULL)
|
||||
fputs(pr->p_name, stdout);
|
||||
else
|
||||
printf("%d", np->in_p);
|
||||
} else if (np->in_redir == NAT_MAPBLK) {
|
||||
printf(" ports %d", np->in_pmin);
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf("\n\tip modulous %d", np->in_pmax);
|
||||
} else if (np->in_pmin || np->in_pmax) {
|
||||
printf(" portmap");
|
||||
if (np->in_flags & IPN_AUTOPORTMAP) {
|
||||
printf(" auto");
|
||||
if (opts & OPT_DEBUG)
|
||||
printf(" [%d:%d %d %d]",
|
||||
ntohs(np->in_pmin),
|
||||
ntohs(np->in_pmax),
|
||||
np->in_ippip, np->in_ppip);
|
||||
} else {
|
||||
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
|
||||
printf(" tcp/udp");
|
||||
else if (np->in_flags & IPN_TCP)
|
||||
printf(" tcp");
|
||||
else if (np->in_flags & IPN_UDP)
|
||||
printf(" udp");
|
||||
printf(" %d:%d", ntohs(np->in_pmin),
|
||||
ntohs(np->in_pmax));
|
||||
}
|
||||
}
|
||||
if (np->in_flags & IPN_FRAG)
|
||||
printf(" frag");
|
||||
printf("\n");
|
||||
if (opts & OPT_DEBUG) {
|
||||
printf("\tifp %p space %lu nextip %s pnext %d",
|
||||
np->in_ifp, np->in_space,
|
||||
inet_ntoa(np->in_nextip), np->in_pnext);
|
||||
printf(" flags %x use %u\n",
|
||||
np->in_flags, np->in_use);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void nat_setgroupmap(n)
|
||||
ipnat_t *n;
|
||||
{
|
||||
@ -268,7 +96,9 @@ ipnat_t *n;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Parse a line of input from the ipnat configuration file
|
||||
*/
|
||||
ipnat_t *natparse(line, linenum)
|
||||
char *line;
|
||||
int linenum;
|
||||
@ -278,9 +108,13 @@ int linenum;
|
||||
char *dnetm = NULL, *dport = NULL;
|
||||
char *s, *t, *cps[31], **cpp;
|
||||
int i, cnt;
|
||||
char *port1a = NULL, *port1b = NULL, *port2a = NULL;
|
||||
|
||||
proto = NULL;
|
||||
|
||||
/*
|
||||
* Search for end of line and comment marker, advance of leading spaces
|
||||
*/
|
||||
if ((s = strchr(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = strchr(line, '#')))
|
||||
@ -293,6 +127,9 @@ int linenum;
|
||||
bzero((char *)&ipn, sizeof(ipn));
|
||||
cnt = 0;
|
||||
|
||||
/*
|
||||
* split line upto into segments.
|
||||
*/
|
||||
for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
|
||||
cps[++i] = strtok(NULL, " \b\t\r\n");
|
||||
|
||||
@ -305,6 +142,9 @@ int linenum;
|
||||
|
||||
cpp = cps;
|
||||
|
||||
/*
|
||||
* Check first word is a recognised keyword and then is the interface
|
||||
*/
|
||||
if (!strcasecmp(*cpp, "map"))
|
||||
ipn.in_redir = NAT_MAP;
|
||||
else if (!strcasecmp(*cpp, "map-block"))
|
||||
@ -325,6 +165,10 @@ int linenum;
|
||||
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
|
||||
cpp++;
|
||||
|
||||
/*
|
||||
* If the first word after the interface is "from" or is a ! then
|
||||
* the expanded syntax is being used so parse it differently.
|
||||
*/
|
||||
if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
|
||||
if (!strcmp(*cpp, "!")) {
|
||||
cpp++;
|
||||
@ -349,19 +193,17 @@ int linenum;
|
||||
ipn.in_flags |= IPN_FILTER;
|
||||
cpp++;
|
||||
if (ipn.in_redir == NAT_REDIRECT) {
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
|
||||
(u_32_t *)&ipn.in_srcmsk,
|
||||
&ipn.in_sport, &ipn.in_scmp,
|
||||
&ipn.in_stop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
|
||||
(u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
|
||||
&ipn.in_scmp, &ipn.in_stop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
|
||||
(u_32_t *)&ipn.in_inmsk,
|
||||
&ipn.in_sport, &ipn.in_scmp,
|
||||
&ipn.in_stop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
|
||||
(u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
|
||||
&ipn.in_scmp, &ipn.in_stop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (!strcmp(*cpp, "!")) {
|
||||
@ -388,28 +230,30 @@ int linenum;
|
||||
return NULL;
|
||||
}
|
||||
if (ipn.in_redir == NAT_REDIRECT) {
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
|
||||
(u_32_t *)&ipn.in_outmsk,
|
||||
&ipn.in_dport, &ipn.in_dcmp,
|
||||
&ipn.in_dtop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
ipn.in_pmin = htons(ipn.in_dport);
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
|
||||
(u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
|
||||
&ipn.in_dcmp, &ipn.in_dtop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
ipn.in_pmin = htons(ipn.in_dport);
|
||||
} else {
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
|
||||
(u_32_t *)&ipn.in_srcmsk,
|
||||
&ipn.in_dport, &ipn.in_dcmp,
|
||||
&ipn.in_dtop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
|
||||
(u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
|
||||
&ipn.in_dcmp, &ipn.in_dtop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
s = *cpp;
|
||||
if (!s)
|
||||
if (!s) {
|
||||
fprintf(stderr, "%d: short line\n", linenum);
|
||||
return NULL;
|
||||
}
|
||||
t = strchr(s, '/');
|
||||
if (!t)
|
||||
if (!t) {
|
||||
fprintf(stderr, "%d: no netmask on LHS\n", linenum);
|
||||
return NULL;
|
||||
}
|
||||
*t++ = '\0';
|
||||
if (ipn.in_redir == NAT_REDIRECT) {
|
||||
if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
|
||||
@ -425,10 +269,16 @@ int linenum;
|
||||
}
|
||||
}
|
||||
cpp++;
|
||||
if (!*cpp)
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: short line\n", linenum);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* If it is a standard redirect then we expect it to have a port
|
||||
* match after the hostmask.
|
||||
*/
|
||||
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
|
||||
if (strcasecmp(*cpp, "port")) {
|
||||
fprintf(stderr, "%d: missing fields - 1st port\n",
|
||||
@ -450,24 +300,23 @@ int linenum;
|
||||
else
|
||||
s = NULL;
|
||||
|
||||
if (!portnum(*cpp, &ipn.in_pmin, linenum))
|
||||
return NULL;
|
||||
ipn.in_pmin = htons(ipn.in_pmin);
|
||||
cpp++;
|
||||
port1a = *cpp++;
|
||||
|
||||
if (!strcmp(*cpp, "-")) {
|
||||
cpp++;
|
||||
s = *cpp++;
|
||||
}
|
||||
|
||||
if (s) {
|
||||
if (!portnum(s, &ipn.in_pmax, linenum))
|
||||
return NULL;
|
||||
ipn.in_pmax = htons(ipn.in_pmax);
|
||||
} else
|
||||
if (s)
|
||||
port1b = s;
|
||||
else
|
||||
ipn.in_pmax = ipn.in_pmin;
|
||||
}
|
||||
|
||||
/*
|
||||
* In the middle of the NAT rule syntax is -> to indicate the
|
||||
* direction of translation.
|
||||
*/
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: missing fields (->)\n", linenum);
|
||||
return NULL;
|
||||
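Review bot: After `port1a = *cpp++;` the next token is NULL whenever the port number is the last word on the line, and the unchanged `if (!strcmp(*cpp, "-"))` that follows then dereferences it; guard it with `if (*cpp && !strcmp(*cpp, "-")) {`. The same path also accepts a trailing `-` with no upper port: `s = *cpp++` leaves s NULL, so `if (s) port1b = s; else ipn.in_pmax = ipn.in_pmin;` silently treats the rule as a single port instead of reporting a malformed range. natparse continues outside this hunk.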
@ -537,6 +386,8 @@ int linenum;
|
||||
if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
|
||||
return NULL;
|
||||
} else {
|
||||
if (!strcmp(*cpp, ipn.in_ifname))
|
||||
*cpp = "0";
|
||||
if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
|
||||
return NULL;
|
||||
}
|
||||
@ -556,11 +407,18 @@ int linenum;
|
||||
} else
|
||||
ipn.in_pmin = 0;
|
||||
} else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
|
||||
if (!*cpp || strrchr(*cpp, '/') != NULL) {
|
||||
if (*cpp && (strrchr(*cpp, '/') != NULL)) {
|
||||
fprintf(stderr, "%d: No netmask supported in %s\n",
|
||||
linenum, "destination host for redirect");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: Missing destination port %s\n",
|
||||
linenum, "in redirect");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* If it's a in_redir, expect target port */
|
||||
|
||||
if (strcasecmp(*cpp, "port")) {
|
||||
@ -575,10 +433,8 @@ int linenum;
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
if (!portnum(*cpp, &ipn.in_pnext, linenum))
|
||||
return NULL;
|
||||
ipn.in_pnext = htons(ipn.in_pnext);
|
||||
cpp++;
|
||||
|
||||
port2a = *cpp++;
|
||||
}
|
||||
if (dnetm && *dnetm == '/')
|
||||
*dnetm++ = '\0';
|
||||
@ -601,25 +457,32 @@ int linenum;
|
||||
ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
|
||||
proto = "tcp";
|
||||
} else {
|
||||
if (!strcasecmp(*cpp, "tcp"))
|
||||
proto = *cpp++;
|
||||
if (!strcasecmp(proto, "tcp"))
|
||||
ipn.in_flags |= IPN_TCP;
|
||||
else if (!strcasecmp(*cpp, "udp"))
|
||||
else if (!strcasecmp(proto, "udp"))
|
||||
ipn.in_flags |= IPN_UDP;
|
||||
else if (!strcasecmp(*cpp, "tcp/udp"))
|
||||
else if (!strcasecmp(proto, "tcp/udp"))
|
||||
ipn.in_flags |= IPN_TCPUDP;
|
||||
else if (!strcasecmp(*cpp, "tcpudp"))
|
||||
else if (!strcasecmp(proto, "tcpudp")) {
|
||||
ipn.in_flags |= IPN_TCPUDP;
|
||||
else if (!strcasecmp(*cpp, "ip"))
|
||||
proto = "tcp/udp";
|
||||
} else if (!strcasecmp(proto, "ip"))
|
||||
ipn.in_flags |= IPN_ANY;
|
||||
else {
|
||||
ipn.in_flags |= IPN_ANY;
|
||||
if ((pr = getprotobyname(*cpp)))
|
||||
if ((pr = getprotobyname(proto)))
|
||||
ipn.in_p = pr->p_proto;
|
||||
else
|
||||
ipn.in_p = atoi(*cpp);
|
||||
else {
|
||||
if (!isdigit(*proto)) {
|
||||
fprintf(stderr,
|
||||
"%d: Unknown protocol %s\n",
|
||||
linenum, proto);
|
||||
return NULL;
|
||||
} else
|
||||
ipn.in_p = atoi(proto);
|
||||
}
|
||||
}
|
||||
proto = *cpp;
|
||||
cpp++;
|
||||
|
||||
if (*cpp && !strcasecmp(*cpp, "round-robin")) {
|
||||
cpp++;
|
||||
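Review bot: `isdigit(*proto)` is applied to a plain `char`; where char is signed, a byte above 0x7f read from the configuration file becomes a negative value outside the range the ctype functions are defined for, so write `if (!isdigit((unsigned char)*proto)) {`. The same unguarded pattern is visible as context in parse.c's protocol check (`!isdigit(*proto)`), so fixing both keeps the two parsers consistent. The else-branch rewritten here continues into the next hunk.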
@ -631,15 +494,51 @@ int linenum;
|
||||
ipn.in_flags |= IPN_FRAG;
|
||||
}
|
||||
|
||||
if (*cpp && !strcasecmp(*cpp, "age")) {
|
||||
cpp++;
|
||||
if (!*cpp) {
|
||||
fprintf(stderr,
|
||||
"%d: age with no parameters\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
ipn.in_age[0] = atoi(*cpp);
|
||||
s = index(*cpp, '/');
|
||||
if (s != NULL)
|
||||
ipn.in_age[1] = atoi(s + 1);
|
||||
else
|
||||
ipn.in_age[1] = ipn.in_age[0];
|
||||
cpp++;
|
||||
}
|
||||
|
||||
if (*cpp) {
|
||||
fprintf(stderr,
|
||||
"%d: extra junk at the end of rdr: %s\n",
|
||||
"%d: extra junk at the end of the line: %s\n",
|
||||
linenum, *cpp);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
|
||||
if (!portnum(port1a, &ipn.in_pmin, linenum))
|
||||
return NULL;
|
||||
ipn.in_pmin = htons(ipn.in_pmin);
|
||||
if (port1b != NULL) {
|
||||
if (!portnum(port1b, &ipn.in_pmax, linenum))
|
||||
return NULL;
|
||||
ipn.in_pmax = htons(ipn.in_pmax);
|
||||
} else
|
||||
ipn.in_pmax = ipn.in_pmin;
|
||||
}
|
||||
|
||||
if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
|
||||
if (!portnum(port2a, &ipn.in_pnext, linenum))
|
||||
return NULL;
|
||||
ipn.in_pnext = htons(ipn.in_pnext);
|
||||
}
|
||||
|
||||
if (!(ipn.in_flags & IPN_SPLIT))
|
||||
ipn.in_inip &= ipn.in_inmsk;
|
||||
if ((ipn.in_flags & IPN_IPRANGE) == 0)
|
||||
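Review bot: The new `age` clause converts both fields with `atoi`, so a non-numeric or negative value is accepted silently as 0 instead of being rejected; a digit check before the conversion, as this file now does for an unknown protocol, or a bounded helper in the style of the `portnum` calls below would surface the error with the line number. `index()` is the legacy spelling; natparse already uses `strchr` (see the `/` search on the LHS), which also drops the `<strings.h>` dependency. The deferred `portnum(port2a, …)` assumes port2a was assigned, but it is only set in the `else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT)` branch; if the preceding branch of that chain (outside this hunk) can match a redirect rule, `portnum` receives NULL, so either confirm that cannot happen or add `if (port2a == NULL) { fprintf(stderr, "%d: missing destination port\n", linenum); return NULL; }` before the call.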
@ -665,6 +564,11 @@ int linenum;
|
||||
}
|
||||
|
||||
if (!strcasecmp(*cpp, "proxy")) {
|
||||
if (ipn.in_redir == NAT_BIMAP) {
|
||||
fprintf(stderr, "%d: cannot use proxy with bimap\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
cpp++;
|
||||
if (!*cpp) {
|
||||
fprintf(stderr,
|
||||
@ -720,63 +624,85 @@ int linenum;
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
return &ipn;
|
||||
} else if (!strcasecmp(*cpp, "portmap")) {
|
||||
if (ipn.in_redir == NAT_BIMAP) {
|
||||
fprintf(stderr, "%d: cannot use portmap with bimap\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
cpp++;
|
||||
if (!*cpp) {
|
||||
fprintf(stderr,
|
||||
"%d: missing expression following portmap\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!strcasecmp(*cpp, "tcp"))
|
||||
ipn.in_flags |= IPN_TCP;
|
||||
else if (!strcasecmp(*cpp, "udp"))
|
||||
ipn.in_flags |= IPN_UDP;
|
||||
else if (!strcasecmp(*cpp, "tcpudp"))
|
||||
ipn.in_flags |= IPN_TCPUDP;
|
||||
else if (!strcasecmp(*cpp, "tcp/udp"))
|
||||
ipn.in_flags |= IPN_TCPUDP;
|
||||
else {
|
||||
fprintf(stderr,
|
||||
"%d: expected protocol name - got \"%s\"\n",
|
||||
linenum, *cpp);
|
||||
return NULL;
|
||||
}
|
||||
proto = *cpp;
|
||||
cpp++;
|
||||
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: no port range found\n", linenum);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!strcasecmp(*cpp, "auto")) {
|
||||
ipn.in_flags |= IPN_AUTOPORTMAP;
|
||||
ipn.in_pmin = htons(1024);
|
||||
ipn.in_pmax = htons(65535);
|
||||
nat_setgroupmap(&ipn);
|
||||
cpp++;
|
||||
} else {
|
||||
if (!(t = strchr(*cpp, ':'))) {
|
||||
fprintf(stderr,
|
||||
"%d: no port range in \"%s\"\n",
|
||||
linenum, *cpp);
|
||||
return NULL;
|
||||
}
|
||||
*t++ = '\0';
|
||||
if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
|
||||
!portnum(t, &ipn.in_pmax, linenum))
|
||||
return NULL;
|
||||
ipn.in_pmin = htons(ipn.in_pmin);
|
||||
ipn.in_pmax = htons(ipn.in_pmax);
|
||||
cpp++;
|
||||
}
|
||||
}
|
||||
|
||||
if (strcasecmp(*cpp, "portmap")) {
|
||||
fprintf(stderr,
|
||||
"%d: expected \"portmap\" - got \"%s\"\n", linenum,
|
||||
*cpp);
|
||||
return NULL;
|
||||
}
|
||||
cpp++;
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: missing expression following portmap\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
if (*cpp && !strcasecmp(*cpp, "age")) {
|
||||
cpp++;
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: age with no parameters\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
s = index(*cpp, '/');
|
||||
if (s != NULL)
|
||||
ipn.in_age[1] = atoi(s + 1);
|
||||
else
|
||||
ipn.in_age[1] = ipn.in_age[0];
|
||||
cpp++;
|
||||
}
|
||||
|
||||
if (!strcasecmp(*cpp, "tcp"))
|
||||
ipn.in_flags |= IPN_TCP;
|
||||
else if (!strcasecmp(*cpp, "udp"))
|
||||
ipn.in_flags |= IPN_UDP;
|
||||
else if (!strcasecmp(*cpp, "tcpudp"))
|
||||
ipn.in_flags |= IPN_TCPUDP;
|
||||
else if (!strcasecmp(*cpp, "tcp/udp"))
|
||||
ipn.in_flags |= IPN_TCPUDP;
|
||||
else {
|
||||
fprintf(stderr,
|
||||
"%d: expected protocol name - got \"%s\"\n",
|
||||
if (*cpp) {
|
||||
fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
|
||||
linenum, *cpp);
|
||||
return NULL;
|
||||
}
|
||||
proto = *cpp;
|
||||
cpp++;
|
||||
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: no port range found\n", linenum);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!strcasecmp(*cpp, "auto")) {
|
||||
ipn.in_flags |= IPN_AUTOPORTMAP;
|
||||
ipn.in_pmin = htons(1024);
|
||||
ipn.in_pmax = htons(65535);
|
||||
nat_setgroupmap(&ipn);
|
||||
return &ipn;
|
||||
}
|
||||
|
||||
if (!(t = strchr(*cpp, ':'))) {
|
||||
fprintf(stderr, "%d: no port range in \"%s\"\n",
|
||||
linenum, *cpp);
|
||||
return NULL;
|
||||
}
|
||||
*t++ = '\0';
|
||||
if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
|
||||
!portnum(t, &ipn.in_pmax, linenum))
|
||||
return NULL;
|
||||
ipn.in_pmin = htons(ipn.in_pmin);
|
||||
ipn.in_pmax = htons(ipn.in_pmax);
|
||||
return &ipn;
|
||||
}
|
||||
|
||||
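Review bot: The `age` block added after the portmap clause never sets `ipn.in_age[0]`: it only derives `ipn.in_age[1]` from the text after `/`, and with no `/` it copies the still-zero `in_age[0]`, so `age 120` on a portmap rule yields 0/0. The earlier `age` block in this file begins with `ipn.in_age[0] = atoi(*cpp);`, and the same line belongs here before `s = index(*cpp, '/');`. Since the two blocks are otherwise identical, a small static helper that parses `N[/M]` into `in_age` would keep them from drifting apart again. natparse continues outside this hunk.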
@ -812,7 +738,7 @@ int opts;
|
||||
linenum, line);
|
||||
} else {
|
||||
if ((opts & OPT_VERBOSE) && np)
|
||||
printnat(np, opts, NULL);
|
||||
printnat(np, opts);
|
||||
if (!(opts & OPT_NODO)) {
|
||||
if (!(opts & OPT_REMOVE)) {
|
||||
if (ioctl(fd, SIOCADNAT, &np) == -1) {
|
||||
|
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
@ -25,7 +28,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.2 2002/02/22 15:32:56 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
|
@ -3,6 +3,9 @@
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
#ifdef __sgi
|
||||
# include <sys/ptimers.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
@ -44,9 +47,7 @@ static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 da
|
||||
|
||||
extern struct ipopt_names ionames[], secclass[];
|
||||
extern int opts;
|
||||
#ifdef USE_INET6
|
||||
extern int use_inet6;
|
||||
#endif
|
||||
|
||||
int addicmp __P((char ***, struct frentry *, int));
|
||||
int extras __P((char ***, struct frentry *, int));
|
||||
@ -57,6 +58,7 @@ void print_toif __P((char *, frdest_t *));
|
||||
void optprint __P((u_short *, u_long, u_long));
|
||||
int loglevel __P((char **, u_int *, int));
|
||||
void printlog __P((frentry_t *));
|
||||
void printifname __P((char *, char *, void *));
|
||||
|
||||
extern char *proto;
|
||||
extern char flagset[];
|
||||
@ -72,8 +74,8 @@ char *line;
|
||||
int linenum;
|
||||
{
|
||||
static struct frentry fil;
|
||||
char *cps[31], **cpp, *endptr, *s;
|
||||
struct protoent *p = NULL;
|
||||
char *cps[31], **cpp, *endptr;
|
||||
int i, cnt = 1, j, ch;
|
||||
u_int k;
|
||||
|
||||
@ -84,11 +86,7 @@ int linenum;
|
||||
|
||||
bzero((char *)&fil, sizeof(fil));
|
||||
fil.fr_mip.fi_v = 0xf;
|
||||
#ifdef USE_INET6
|
||||
fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
|
||||
#else
|
||||
fil.fr_ip.fi_v = 4;
|
||||
#endif
|
||||
fil.fr_loglevel = 0xffff;
|
||||
|
||||
/*
|
||||
@ -106,10 +104,18 @@ int linenum;
|
||||
}
|
||||
|
||||
cpp = cps;
|
||||
/*
|
||||
* The presence of an '@' followed by a number gives the position in
|
||||
* the current rule list to insert this one.
|
||||
*/
|
||||
if (**cpp == '@')
|
||||
fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
|
||||
|
||||
|
||||
/*
|
||||
* Check the first keyword in the rule and any options that are
|
||||
* expected to follow it.
|
||||
*/
|
||||
if (!strcasecmp("block", *cpp)) {
|
||||
fil.fr_flags |= FR_BLOCK;
|
||||
if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
|
||||
@ -149,6 +155,8 @@ int linenum;
|
||||
fil.fr_flags |= FR_ACCOUNT;
|
||||
} else if (!strcasecmp("pass", *cpp)) {
|
||||
fil.fr_flags |= FR_PASS;
|
||||
} else if (!strcasecmp("nomatch", *cpp)) {
|
||||
fil.fr_flags |= FR_NOMATCH;
|
||||
} else if (!strcasecmp("auth", *cpp)) {
|
||||
fil.fr_flags |= FR_AUTH;
|
||||
} else if (!strcasecmp("preauth", *cpp)) {
|
||||
@ -194,6 +202,10 @@ int linenum;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the direction for filtering. Impose restrictions on direction
|
||||
* if blocking with returning ICMP or an RST has been requested.
|
||||
*/
|
||||
if (!strcasecmp("in", *cpp))
|
||||
fil.fr_flags |= FR_INQUE;
|
||||
else if (!strcasecmp("out", *cpp)) {
|
||||
@ -252,19 +264,39 @@ int linenum;
|
||||
}
|
||||
|
||||
if (*cpp && !strcasecmp("quick", *cpp)) {
|
||||
if (fil.fr_skip != 0) {
|
||||
fprintf(stderr, "%d: cannot use skip with quick\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
cpp++;
|
||||
fil.fr_flags |= FR_QUICK;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse rule options that are available if a rule is tied to an
|
||||
* interface.
|
||||
*/
|
||||
*fil.fr_ifname = '\0';
|
||||
*fil.fr_oifname = '\0';
|
||||
if (*cpp && !strcasecmp(*cpp, "on")) {
|
||||
if (!*++cpp) {
|
||||
fprintf(stderr, "%d: interface name missing\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
(void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
|
||||
fil.fr_ifname[IFNAMSIZ-1] = '\0';
|
||||
|
||||
s = index(*cpp, ',');
|
||||
if (s != NULL) {
|
||||
*s++ = '\0';
|
||||
(void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
|
||||
fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
|
||||
} else
|
||||
strcpy(fil.fr_ifnames[1], "*");
|
||||
|
||||
(void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
|
||||
fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
|
||||
|
||||
cpp++;
|
||||
if (!*cpp) {
|
||||
if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
|
||||
@ -299,6 +331,33 @@ int linenum;
|
||||
cpp++;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Set the "other" interface name. Lets you specify both
|
||||
* inbound and outbound interfaces for state rules. Do not
|
||||
* prevent both interfaces from being the same.
|
||||
*/
|
||||
strcpy(fil.fr_ifnames[3], "*");
|
||||
if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
|
||||
((((fil.fr_flags & FR_INQUE) != 0) &&
|
||||
(strcasecmp(*cpp, "out-via") == 0)) ||
|
||||
(((fil.fr_flags & FR_OUTQUE) != 0) &&
|
||||
(strcasecmp(*cpp, "in-via") == 0)))) {
|
||||
cpp++;
|
||||
|
||||
s = index(*cpp, ',');
|
||||
if (s != NULL) {
|
||||
*s++ = '\0';
|
||||
(void)strncpy(fil.fr_ifnames[3], s,
|
||||
IFNAMSIZ - 1);
|
||||
fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
|
||||
}
|
||||
|
||||
(void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
|
||||
fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
|
||||
cpp++;
|
||||
} else
|
||||
strcpy(fil.fr_ifnames[2], "*");
|
||||
}
|
||||
if (*cpp && !strcasecmp(*cpp, "tos")) {
|
||||
if (!*++cpp) {
|
||||
@ -340,6 +399,10 @@ int linenum;
|
||||
if (!strcasecmp(proto, "tcp/udp")) {
|
||||
fil.fr_ip.fi_fl |= FI_TCPUDP;
|
||||
fil.fr_mip.fi_fl |= FI_TCPUDP;
|
||||
} else if (use_inet6 && !strcasecmp(proto, "icmp")) {
|
||||
fprintf(stderr,
|
||||
"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
|
||||
linenum);
|
||||
} else {
|
||||
if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
|
||||
fprintf(stderr,
|
||||
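Review bot: The new `use_inet6 && !strcasecmp(proto, "icmp")` branch prints its advisory and then falls out of the if/else chain with neither `return NULL;` nor a protocol assigned, so unless a later check outside this hunk rejects the rule it is loaded with no protocol set rather than failing; add `return NULL;` after the fprintf, or, if a warning is intended, assign the protocol deliberately and say so in a comment. The enclosing function continues past this hunk.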
@ -411,6 +474,15 @@ int linenum;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
|
||||
(fil.fr_proto != IPPROTO_UDP) &&
|
||||
!(fil.fr_ip.fi_fl & FI_TCPUDP)) {
|
||||
fprintf(stderr,
|
||||
"%d: cannot use port and neither tcp or udp\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
fil.fr_scmp = ch;
|
||||
if (!*cpp) {
|
||||
fprintf(stderr, "%d: missing to fields\n", linenum);
|
||||
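Review bot: The port-versus-protocol check added here is repeated verbatim in the hunk at @ -447 for the destination side, so a later fix to one copy can silently miss the other; factor it into a static helper called from both sites. The message `cannot use port and neither tcp or udp` is also awkward: `cannot use port with a protocol other than tcp or udp` says the same thing more clearly. The enclosing function continues outside this hunk.

```c
/* Reject a port comparison on a rule whose protocol carries no ports. */
static int
portcheck(fp, ch, linenum)
struct frentry *fp;
int ch, linenum;
{
	if ((ch != 0) && (fp->fr_proto != IPPROTO_TCP) &&
	    (fp->fr_proto != IPPROTO_UDP) && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
		fprintf(stderr,
			"%d: cannot use port with a protocol other than tcp or udp\n",
			linenum);
		return -1;
	}
	return 0;
}

	/* … unchanged: source hostmask parsing … */
	if (portcheck(&fil, ch, linenum))
		return NULL;
	fil.fr_scmp = ch;
	/* … the destination-port site calls portcheck the same way before fil.fr_dcmp = ch … */
```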
@ -447,6 +519,15 @@ int linenum;
|
||||
&fil.fr_dtop, linenum)) {
|
||||
return NULL;
|
||||
}
|
||||
if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
|
||||
(fil.fr_proto != IPPROTO_UDP) &&
|
||||
!(fil.fr_ip.fi_fl & FI_TCPUDP)) {
|
||||
fprintf(stderr,
|
||||
"%d: cannot use port and neither tcp or udp\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
fil.fr_dcmp = ch;
|
||||
}
|
||||
|
||||
@ -489,7 +570,8 @@ int linenum;
|
||||
* icmp types for use with the icmp protocol
|
||||
*/
|
||||
if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
|
||||
if (fil.fr_proto != IPPROTO_ICMP) {
|
||||
if (fil.fr_proto != IPPROTO_ICMP &&
|
||||
fil.fr_proto != IPPROTO_ICMPV6) {
|
||||
fprintf(stderr,
|
||||
"%d: icmp with wrong protocol (%d)\n",
|
||||
linenum, fil.fr_proto);
|
||||
@ -508,10 +590,28 @@ int linenum;
|
||||
if (addkeep(&cpp, &fil, linenum))
|
||||
return NULL;
|
||||
|
||||
/*
|
||||
* This is here to enforce the old interface binding behaviour.
|
||||
* That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
|
||||
*/
|
||||
if (fil.fr_flags & FR_KEEPSTATE) {
|
||||
if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
|
||||
bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
|
||||
sizeof(fil.fr_ifnames[3]));
|
||||
strncpy(fil.fr_ifnames[2], "*",
|
||||
sizeof(fil.fr_ifnames[3]));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* head of a new group ?
|
||||
*/
|
||||
if (*cpp && !strcasecmp(*cpp, "head")) {
|
||||
if (fil.fr_skip != 0) {
|
||||
fprintf(stderr, "%d: cannot use skip with head\n",
|
||||
linenum);
|
||||
return NULL;
|
||||
}
|
||||
if (!*++cpp) {
|
||||
fprintf(stderr, "%d: head without group #\n", linenum);
|
||||
return NULL;
|
||||
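Review bot: The condition `*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]` can never hold: the interface hunk at @ -299 runs `strcpy(fil.fr_ifnames[3], "*")` before it looks for a via keyword, so by this point fr_ifnames[3] is either `*` or a via name, never empty, and the compatibility mapping the comment promises is dead code. Test for the wildcard instead, `if (*fil.fr_ifnames[0] && strcmp(fil.fr_ifnames[3], "*") == 0) {`, assuming nothing clears the field in between. The copy also passes `sizeof(fil.fr_ifnames[3])` as the length of a write into fr_ifnames[2]; `sizeof(fil.fr_ifnames[2])` is the bound the compiler will keep honest if the two ever differ. Finally, the comment describes the implied rule as `<!dir>-via -,X` while the code stores `*` in fr_ifnames[2]; make the two agree.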
@ -658,6 +758,15 @@ frdest_t *fdp;
|
||||
{
|
||||
printf("%s %s%s", tag, fdp->fd_ifname,
|
||||
(fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
|
||||
#ifdef USE_INET6
|
||||
if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
|
||||
char ipv6addr[80];
|
||||
|
||||
inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
|
||||
sizeof(fdp->fd_ip6));
|
||||
printf(":%s", ipv6addr);
|
||||
} else
|
||||
#endif
|
||||
if (fdp->fd_ip.s_addr)
|
||||
printf(":%s", inet_ntoa(fdp->fd_ip));
|
||||
putchar(' ');
|
||||
@ -685,9 +794,9 @@ int linenum;
|
||||
return -1;
|
||||
|
||||
while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
|
||||
!strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) ||
|
||||
!strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) ||
|
||||
!strncasecmp(**cp, "short", 5))) {
|
||||
!strcasecmp(**cp, "not") || !strncasecmp(**cp, "opt", 3) ||
|
||||
!strncasecmp(**cp, "frag", 4) || !strcasecmp(**cp, "no") ||
|
||||
!strcasecmp(**cp, "short"))) {
|
||||
if (***cp == 'n' || ***cp == 'N') {
|
||||
notopt = 1;
|
||||
(*cp)++;
|
||||
@ -899,10 +1008,10 @@ char *icmptypes[] = {
|
||||
/*
|
||||
* set the icmp field to the correct type if "icmp" word is found
|
||||
*/
|
||||
int addicmp(cp, fp, linenum)
|
||||
char ***cp;
|
||||
struct frentry *fp;
|
||||
int linenum;
|
||||
int addicmp(cp, fp, linenum)
|
||||
char ***cp;
|
||||
struct frentry *fp;
|
||||
int linenum;
|
||||
{
|
||||
char **t;
|
||||
int i;
|
||||
@ -910,8 +1019,7 @@ int linenum;
|
||||
(*cp)++;
|
||||
if (!**cp)
|
||||
return -1;
|
||||
if (!fp->fr_proto) /* to catch lusers */
|
||||
fp->fr_proto = IPPROTO_ICMP;
|
||||
|
||||
if (isdigit(***cp)) {
|
||||
if (!ratoi(**cp, &i, 0, 255)) {
|
||||
fprintf(stderr,
|
||||
@ -919,6 +1027,10 @@ int linenum;
|
||||
linenum, **cp);
|
||||
return -1;
|
||||
}
|
||||
} else if (fp->fr_proto == IPPROTO_ICMPV6) {
|
||||
fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
|
||||
linenum, **cp, "(use numeric value instead\n");
|
||||
return -1;
|
||||
} else {
|
||||
for (t = icmptypes, i = 0; ; t++, i++) {
|
||||
if (!*t)
|
||||
@ -973,10 +1085,10 @@ int linenum;
|
||||
#define MAX_ICMPCODE 15
|
||||
|
||||
char *icmpcodes[] = {
|
||||
"net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
|
||||
"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
|
||||
"net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
|
||||
NULL };
|
||||
"net-unr", "host-unr", "proto-unr", "port-unr", "needfrag",
|
||||
"srcfail", "net-unk", "host-unk", "isolate", "net-prohib",
|
||||
"host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced",
|
||||
"preced-cutoff", NULL };
|
||||
/*
|
||||
* Return the number for the associated ICMP unreachable code.
|
||||
*/
|
||||
@ -1006,47 +1118,73 @@ char *str;
|
||||
/*
|
||||
* set the icmp field to the correct type if "icmp" word is found
|
||||
*/
|
||||
int addkeep(cp, fp, linenum)
|
||||
char ***cp;
|
||||
struct frentry *fp;
|
||||
int linenum;
|
||||
int addkeep(cp, fp, linenum)
|
||||
char ***cp;
|
||||
struct frentry *fp;
|
||||
int linenum;
|
||||
{
|
||||
if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
|
||||
#ifdef USE_INET6
|
||||
fp->fr_proto != IPPROTO_ICMPV6 &&
|
||||
#endif
|
||||
fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
|
||||
fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
|
||||
char *s;
|
||||
|
||||
(*cp)++;
|
||||
if (!**cp) {
|
||||
fprintf(stderr, "%d: Missing keyword after keep\n",
|
||||
linenum);
|
||||
return -1;
|
||||
}
|
||||
|
||||
(*cp)++;
|
||||
if (!**cp) {
|
||||
fprintf(stderr, "%d: Missing state/frag after keep\n",
|
||||
linenum);
|
||||
return -1;
|
||||
}
|
||||
if (strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
|
||||
if (strcasecmp(**cp, "state") == 0)
|
||||
fp->fr_flags |= FR_KEEPSTATE;
|
||||
else if (strncasecmp(**cp, "frag", 4) == 0)
|
||||
fp->fr_flags |= FR_KEEPFRAG;
|
||||
else if (strcasecmp(**cp, "state-age") == 0) {
|
||||
if (fp->fr_ip.fi_p == IPPROTO_TCP) {
|
||||
fprintf(stderr, "%d: cannot use state-age with tcp\n",
|
||||
linenum);
|
||||
return -1;
|
||||
}
|
||||
if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
|
||||
fprintf(stderr, "%d: state-age with no 'keep state'\n",
|
||||
linenum);
|
||||
return -1;
|
||||
}
|
||||
(*cp)++;
|
||||
if (!**cp) {
|
||||
fprintf(stderr, "%d: state-age with no arg\n",
|
||||
linenum);
|
||||
return -1;
|
||||
}
|
||||
fp->fr_age[0] = atoi(**cp);
|
||||
s = index(**cp, '/');
|
||||
if (s != NULL) {
|
||||
s++;
|
||||
fp->fr_age[1] = atoi(s);
|
||||
} else
|
||||
fp->fr_age[1] = fp->fr_age[0];
|
||||
} else {
|
||||
fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
|
||||
linenum, **cp);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (***cp == 's' || ***cp == 'S')
|
||||
fp->fr_flags |= FR_KEEPSTATE;
|
||||
else if (***cp == 'f' || ***cp == 'F')
|
||||
fp->fr_flags |= FR_KEEPFRAG;
|
||||
(*cp)++;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
void printifname(format, name, ifp)
|
||||
char *format, *name;
|
||||
void *ifp;
|
||||
{
|
||||
printf("%s%s", format, name);
|
||||
if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
|
||||
printf("(!)");
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* print the filter structure in a useful way
|
||||
*/
|
||||
void printfr(fp)
|
||||
struct frentry *fp;
|
||||
void printfr(fp)
|
||||
struct frentry *fp;
|
||||
{
|
||||
struct protoent *p;
|
||||
u_short sec[2];
|
||||
@ -1056,6 +1194,8 @@ struct frentry *fp;
|
||||
|
||||
if (fp->fr_flags & FR_PASS)
|
||||
printf("pass");
|
||||
if (fp->fr_flags & FR_NOMATCH)
|
||||
printf("nomatch");
|
||||
else if (fp->fr_flags & FR_BLOCK) {
|
||||
printf("block");
|
||||
if (fp->fr_flags & FR_RETICMP) {
|
||||
@ -1098,8 +1238,11 @@ struct frentry *fp;
|
||||
printf("quick ");
|
||||
|
||||
if (*fp->fr_ifname) {
|
||||
printf("on %s%s ", fp->fr_ifname,
|
||||
(fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
|
||||
printifname("on ", fp->fr_ifname, fp->fr_ifa);
|
||||
if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
|
||||
printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
|
||||
putchar(' ');
|
||||
|
||||
if (*fp->fr_dif.fd_ifname)
|
||||
print_toif("dup-to", &fp->fr_dif);
|
||||
if (*fp->fr_tif.fd_ifname)
|
||||
@ -1107,7 +1250,26 @@ struct frentry *fp;
|
||||
if (fp->fr_flags & FR_FASTROUTE)
|
||||
printf("fastroute ");
|
||||
|
||||
if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
|
||||
(*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
|
||||
if (fp->fr_flags & FR_OUTQUE)
|
||||
printf("in-via ");
|
||||
else
|
||||
printf("out-via ");
|
||||
|
||||
if (*fp->fr_ifnames[2]) {
|
||||
printifname("", fp->fr_ifnames[2],
|
||||
fp->fr_ifas[2]);
|
||||
putchar(',');
|
||||
}
|
||||
|
||||
if (*fp->fr_ifnames[3])
|
||||
printifname("", fp->fr_ifnames[3],
|
||||
fp->fr_ifas[3]);
|
||||
putchar(' ');
|
||||
}
|
||||
}
|
||||
|
||||
if (fp->fr_mip.fi_tos)
|
||||
printf("tos %#x ", fp->fr_tos);
|
||||
if (fp->fr_mip.fi_ttl)
|
||||
@ -1161,7 +1323,7 @@ struct frentry *fp;
|
||||
printf(" frag");
|
||||
}
|
||||
}
|
||||
if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
|
||||
if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0) {
|
||||
int type = fp->fr_icmp, code;
|
||||
|
||||
type = ntohs(fp->fr_icmp);
|
||||
@ -1175,6 +1337,16 @@ struct frentry *fp;
|
||||
if (ntohs(fp->fr_icmpm) & 0xff)
|
||||
printf(" code %d", code);
|
||||
}
|
||||
if (fp->fr_proto == IPPROTO_ICMPV6 && fp->fr_icmpm != 0) {
|
||||
int type = fp->fr_icmp, code;
|
||||
|
||||
type = ntohs(fp->fr_icmp);
|
||||
code = type & 0xff;
|
||||
type /= 256;
|
||||
printf(" icmp-type %d", type);
|
||||
if (ntohs(fp->fr_icmpm) & 0xff)
|
||||
printf(" code %d", code);
|
||||
}
|
||||
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
|
||||
printf(" flags ");
|
||||
if (fp->fr_tcpf & ~TCPF_ALL)
|
||||
@ -1198,6 +1370,8 @@ struct frentry *fp;
|
||||
printf(" keep state");
|
||||
if (fp->fr_flags & FR_KEEPFRAG)
|
||||
printf(" keep frags");
|
||||
if (fp->fr_age[0] != 0 || fp->fr_age[1]!= 0)
|
||||
printf(" state-age %u/%u", fp->fr_age[0], fp->fr_age[1]);
|
||||
if (fp->fr_grhead)
|
||||
printf(" head %d", fp->fr_grhead);
|
||||
if (fp->fr_group)
|
||||
|
@ -1,10 +1,22 @@
|
||||
CC=gcc
|
||||
all:
|
||||
@echo "Please do one of the following:"
|
||||
@echo "make bsd"
|
||||
@echo "make bsdi"
|
||||
@echo "make freebsd"
|
||||
@echo "make freebsd22"
|
||||
@echo "make netbsd"
|
||||
@echo "make openbsd"
|
||||
@echo "make sunos4"
|
||||
@echo "make sunos5"
|
||||
|
||||
sunos5:
|
||||
$(CC) -I.. userauth.c -o userauth -lsocket -lnsl
|
||||
$(CC) -I.. proxy.c -o proxy -lsocket -lnsl
|
||||
$(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
|
||||
-I.. userauth.c -o userauth -lsocket -lnsl
|
||||
$(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
|
||||
-I.. proxy.c -o proxy -lsocket -lnsl
|
||||
|
||||
freebsd freebsd22 netbsd bsd bsdi sunos4:
|
||||
freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd:
|
||||
$(CC) -I.. userauth.c -o userauth
|
||||
$(CC) -I.. proxy.c -o proxy
|
||||
|
||||
|
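Review bot: `CC=gcc` in the new header pins the compiler regardless of the caller's environment (only a command-line `make CC=…` can override a plain `=` assignment), so on the BSD and Solaris targets this file builds only where gcc is installed; `CC?=gcc`, or simply relying on make's built-in `CC`, keeps the same default while letting the environment choose. The OS-name rules (`all`, `sunos5`, `freebsd … sunos4 openbsd`) are commands rather than files, so a stray file named `openbsd` in this directory would make `make openbsd` a silent no-op; declare them with `.PHONY: all sunos5 freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd`. The `uname -r` pipeline in the `sunos5` recipe is now evaluated once per recipe line; hoisting it into a variable (`SOLREV`, assigned with the same backquoted pipeline) and writing `-DSOLARIS2=$(SOLREV)` runs it once and keeps the two compile lines identical.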
@ -41,6 +41,8 @@
|
||||
#include <ctype.h>
|
||||
#include "netinet/ip_compat.h"
|
||||
#include "netinet/ip_fil.h"
|
||||
#include "netinet/ip_nat.h"
|
||||
#include "netinet/ip_state.h"
|
||||
#include "netinet/ip_proxy.h"
|
||||
#include "netinet/ip_nat.h"
|
||||
|
||||
@ -81,19 +83,25 @@ char *argv[];
|
||||
bzero((char *)&natlook, sizeof(natlook));
|
||||
natlook.nl_outip = sin.sin_addr;
|
||||
natlook.nl_inip = sloc.sin_addr;
|
||||
natlook.nl_flags = IPN_TCP;
|
||||
natlook.nl_outport = sin.sin_port;
|
||||
natlook.nl_inport = sloc.sin_port;
|
||||
natlook.nl_flags = IPN_TCPUDP;
|
||||
natlook.nl_outport = ntohs(sin.sin_port);
|
||||
natlook.nl_inport = ntohs(sloc.sin_port);
|
||||
|
||||
/*
|
||||
* Open the NAT device and lookup the mapping pair.
|
||||
*/
|
||||
fd = open(IPL_NAT, O_RDONLY);
|
||||
if (ioctl(fd, SIOCGNATL, &natlookp) == -1) {
|
||||
perror("ioctl");
|
||||
perror("ioctl(SIOCGNATL)");
|
||||
exit(-1);
|
||||
}
|
||||
close(fd);
|
||||
|
||||
#define DO_NAT_OUT
|
||||
#ifdef DO_NAT_OUT
|
||||
if (argc > 1)
|
||||
do_nat_out(0, 1, fd, &natlook, argv[1]);
|
||||
#else
|
||||
|
||||
/*
|
||||
* Log it
|
||||
*/
|
||||
@ -109,4 +117,181 @@ char *argv[];
|
||||
if (write(1, buffer, n) != n)
|
||||
break;
|
||||
close(0);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
#ifdef DO_NAT_OUT
|
||||
do_nat_out(in, out, fd, nlp, extif)
|
||||
int fd;
|
||||
natlookup_t *nlp;
|
||||
char *extif;
|
||||
{
|
||||
nat_save_t ns, *nsp = &ns;
|
||||
struct sockaddr_in usin;
|
||||
u_32_t sum1, sum2, sumd;
|
||||
int onoff, ofd, slen;
|
||||
ipnat_t *ipn;
|
||||
nat_t *nat;
|
||||
|
||||
bzero((char *)&ns, sizeof(ns));
|
||||
|
||||
nat = &ns.ipn_nat;
|
||||
nat->nat_p = IPPROTO_TCP;
|
||||
nat->nat_dir = NAT_OUTBOUND;
|
||||
if ((extif != NULL) && (*extif != '\0')) {
|
||||
strncpy(nat->nat_ifname, extif, sizeof(nat->nat_ifname));
|
||||
nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
|
||||
}
|
||||
|
||||
ofd = socket(AF_INET, SOCK_DGRAM, 0);
|
||||
bzero((char *)&usin, sizeof(usin));
|
||||
usin.sin_family = AF_INET;
|
||||
usin.sin_addr = nlp->nl_realip;
|
||||
usin.sin_port = nlp->nl_realport;
|
||||
(void) connect(ofd, (struct sockaddr *)&usin, sizeof(usin));
|
||||
slen = sizeof(usin);
|
||||
(void) getsockname(ofd, (struct sockaddr *)&usin, &slen);
|
||||
close(ofd);
|
||||
printf("local IP# to use: %s\n", inet_ntoa(usin.sin_addr));
|
||||
|
||||
if ((ofd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
|
||||
perror("socket");
|
||||
usin.sin_port = 0;
|
||||
if (bind(ofd, (struct sockaddr *)&usin, sizeof(usin)))
|
||||
perror("bind");
|
||||
slen = sizeof(usin);
|
||||
if (getsockname(ofd, (struct sockaddr *)&usin, &slen))
|
||||
perror("getsockname");
|
||||
printf("local port# to use: %d\n", ntohs(usin.sin_port));
|
||||
|
||||
nat->nat_inip = usin.sin_addr;
|
||||
nat->nat_outip = nlp->nl_outip;
|
||||
nat->nat_oip = nlp->nl_realip;
|
||||
|
||||
sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr)) + ntohs(usin.sin_port);
|
||||
sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr)) + ntohs(nlp->nl_outport);
|
||||
CALC_SUMD(sum1, sum2, sumd);
|
||||
nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
|
||||
nat->nat_sumd[1] = nat->nat_sumd[0];
|
||||
|
||||
sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr));
|
||||
sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
|
||||
CALC_SUMD(sum1, sum2, sumd);
|
||||
nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
|
||||
|
||||
nat->nat_inport = usin.sin_port;
|
||||
nat->nat_outport = nlp->nl_outport;
|
||||
nat->nat_oport = nlp->nl_realport;
|
||||
|
||||
nat->nat_flags = IPN_TCPUDP;
|
||||
|
||||
onoff = 1;
|
||||
if (ioctl(fd, SIOCSTLCK, &onoff) == 0) {
|
||||
if (ioctl(fd, SIOCSTPUT, &nsp) != 0)
|
||||
perror("SIOCSTPUT");
|
||||
onoff = 0;
|
||||
if (ioctl(fd, SIOCSTLCK, &onoff) != 0)
|
||||
perror("SIOCSTLCK");
|
||||
}
|
||||
|
||||
usin.sin_addr = nlp->nl_realip;
|
||||
usin.sin_port = nlp->nl_realport;
|
||||
printf("remote end for connection: %s,%d\n", inet_ntoa(usin.sin_addr),
|
||||
ntohs(usin.sin_port));
|
||||
fflush(stdout);
|
||||
if (connect(ofd, (struct sockaddr *)&usin, sizeof(usin)))
|
||||
perror("connect");
|
||||
|
||||
relay(in, out, ofd);
|
||||
}
|
||||
|
||||
|
||||
relay(in, out, net)
|
||||
int in, out, net;
|
||||
{
|
||||
char netbuf[1024], outbuf[1024];
|
||||
char *nwptr, *nrptr, *owptr, *orptr;
|
||||
size_t nsz, osz;
|
||||
fd_set rd, wr;
|
||||
int i, n, maxfd;
|
||||
|
||||
n = 0;
|
||||
maxfd = in;
|
||||
if (out > maxfd)
|
||||
maxfd = out;
|
||||
if (net > maxfd)
|
||||
maxfd = net;
|
||||
|
||||
nrptr = netbuf;
|
||||
nwptr = netbuf;
|
||||
nsz = sizeof(netbuf);
|
||||
orptr = outbuf;
|
||||
owptr = outbuf;
|
||||
osz = sizeof(outbuf);
|
||||
|
||||
while (n >= 0) {
|
||||
FD_ZERO(&rd);
|
||||
FD_ZERO(&wr);
|
||||
|
||||
if (nrptr - netbuf < sizeof(netbuf))
|
||||
FD_SET(in, &rd);
|
||||
if (orptr - outbuf < sizeof(outbuf))
|
||||
FD_SET(net, &rd);
|
||||
|
||||
if (nsz < sizeof(netbuf))
|
||||
FD_SET(net, &wr);
|
||||
if (osz < sizeof(outbuf))
|
||||
FD_SET(out, &wr);
|
||||
|
||||
n = select(maxfd + 1, &rd, &wr, NULL, NULL);
|
||||
|
||||
if ((n > 0) && FD_ISSET(in, &rd)) {
|
||||
i = read(in, nrptr, sizeof(netbuf) - (nrptr - netbuf));
|
||||
if (i <= 0)
|
||||
break;
|
||||
nsz -= i;
|
||||
nrptr += i;
|
||||
n--;
|
||||
}
|
||||
|
||||
if ((n > 0) && FD_ISSET(net, &rd)) {
|
||||
i = read(net, orptr, sizeof(outbuf) - (orptr - outbuf));
|
||||
if (i <= 0)
|
||||
break;
|
||||
osz -= i;
|
||||
orptr += i;
|
||||
n--;
|
||||
}
|
||||
|
||||
if ((n > 0) && FD_ISSET(out, &wr)) {
|
||||
i = write(out, owptr, orptr - owptr);
|
||||
if (i <= 0)
|
||||
break;
|
||||
osz += i;
|
||||
if (osz == sizeof(outbuf) || owptr == orptr) {
|
||||
orptr = outbuf;
|
||||
owptr = outbuf;
|
||||
} else
|
||||
owptr += i;
|
||||
n--;
|
||||
}
|
||||
|
||||
if ((n > 0) && FD_ISSET(net, &wr)) {
|
||||
i = write(net, nwptr, nrptr - nwptr);
|
||||
if (i <= 0)
|
||||
break;
|
||||
nsz += i;
|
||||
if (nsz == sizeof(netbuf) || nwptr == nrptr) {
|
||||
nrptr = netbuf;
|
||||
nwptr = netbuf;
|
||||
} else
|
||||
nwptr += i;
|
||||
}
|
||||
}
|
||||
|
||||
close(net);
|
||||
close(out);
|
||||
close(in);
|
||||
}
|
||||
#endif
|
||||
|
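Review bot: `do_nat_out(0, 1, fd, &natlook, argv[1])` is handed `fd` after `close(fd);` has already executed — that `close` appears to be unchanged context immediately above the new `#ifdef DO_NAT_OUT` block — so the `SIOCSTLCK`/`SIOCSTPUT` ioctls inside `do_nat_out()` act on a closed descriptor, or on whichever of the sockets it subsequently opens happens to be assigned that number, and the NAT entry is never inserted. Either move `close(fd);` after the `#ifdef`/`#else` block or open `IPL_NAT` again inside `do_nat_out()`; in the latter case also check the `open()` result, which the existing code never does before calling `ioctl()`. The device is opened `O_RDONLY`, and in the ipfilter versions I know the ioctl handler refuses state-modifying requests on a read-only open, so `SIOCSTPUT` very likely needs `O_RDWR` — please confirm against the kernel's `iplioctl()`. Separately, `nat->nat_inport = usin.sin_port` stores a network-order value while `nat_outport`/`nat_oport` are copied from `nl_outport`/`nl_realport`, which this same hunk now treats as host-order (`natlook.nl_outport = ntohs(sin.sin_port)`), yet `usin.sin_port = nlp->nl_realport` later uses that field as if it were network order; one byte-order convention should be established for the three `nat_*port` fields and the `nl_*port` lookups and commented at the assignment.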
@ -1,10 +1,10 @@
|
||||
/*
|
||||
* Copyright (C) 1993-2001 by Darren Reed.
|
||||
* Copyright (C) 1993-2002 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
|
||||
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.20 2001/07/18 14:58:28 darrenr Exp $"
|
||||
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $"
|
||||
|
||||
#include <sys/systm.h>
|
||||
#include <sys/types.h>
|
||||
@ -93,10 +93,16 @@ extern void ipfr_slowtimer __P((void));
|
||||
int ipfr_timer_id;
|
||||
static int synctimeoutid = 0;
|
||||
#endif
|
||||
int ipf_debug = 0;
|
||||
int ipf_debug_verbose = 0;
|
||||
|
||||
/* #undef IPFDEBUG 1 */
|
||||
/* #undef IPFDEBUG_VERBOSE 1 */
|
||||
#ifdef IPFDEBUG
|
||||
void printire __P((ire_t *));
|
||||
#endif
|
||||
#define isdigit(x) ((x) >= '0' && (x) <= '9')
|
||||
|
||||
static int fr_precheck __P((mblk_t **, queue_t *, qif_t *, int));
|
||||
|
||||
|
||||
@ -150,7 +156,7 @@ static size_t hdrsizes[57][2] = {
|
||||
{ IFT_X25DDN, 0 },
|
||||
{ IFT_X25, 0 },
|
||||
{ IFT_ETHER, 14 },
|
||||
{ IFT_ISO88023, 0 },
|
||||
{ IFT_ISO88023, 14 },
|
||||
{ IFT_ISO88024, 0 },
|
||||
{ IFT_ISO88025, 0 },
|
||||
{ IFT_ISO88026, 0 },
|
||||
@ -210,7 +216,8 @@ int _init()
|
||||
|
||||
ipfinst = mod_install(&modlink1);
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
|
||||
#endif
|
||||
return ipfinst;
|
||||
}
|
||||
@ -222,7 +229,8 @@ int _fini(void)
|
||||
|
||||
ipfinst = mod_remove(&modlink1);
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
|
||||
#endif
|
||||
return ipfinst;
|
||||
}
|
||||
@ -235,7 +243,9 @@ struct modinfo *modinfop;
|
||||
|
||||
ipfinst = mod_info(&modlink1, modinfop);
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", modinfop, ipfinst);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x",
|
||||
modinfop, ipfinst);
|
||||
#endif
|
||||
if (fr_running > 0)
|
||||
ipfsync();
|
||||
@ -249,7 +259,8 @@ dev_info_t *dip;
|
||||
if (fr_running < 0)
|
||||
return DDI_PROBE_FAILURE;
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
|
||||
#endif
|
||||
return DDI_PROBE_SUCCESS;
|
||||
}
|
||||
@ -259,7 +270,8 @@ static int ipf_identify(dip)
|
||||
dev_info_t *dip;
|
||||
{
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
|
||||
#endif
|
||||
if (strcmp(ddi_get_name(dip), "ipf") == 0)
|
||||
return (DDI_IDENTIFIED);
|
||||
@ -299,7 +311,8 @@ ddi_attach_cmd_t cmd;
|
||||
#ifdef IPFDEBUG
|
||||
int instance;
|
||||
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
|
||||
#endif
|
||||
switch (cmd) {
|
||||
case DDI_ATTACH:
|
||||
@ -308,6 +321,7 @@ ddi_attach_cmd_t cmd;
|
||||
#ifdef IPFDEBUG
|
||||
instance = ddi_get_instance(dip);
|
||||
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance);
|
||||
#endif
|
||||
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
|
||||
@ -344,7 +358,8 @@ ddi_attach_cmd_t cmd;
|
||||
solattach();
|
||||
solipdrvattach();
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
cmn_err(CE_CONT, "%s, attaching complete.\n", ipfilter_version);
|
||||
cmn_err(CE_CONT, "%s, attaching complete.\n",
|
||||
ipfilter_version);
|
||||
sync();
|
||||
if (fr_running == 0)
|
||||
fr_running = 1;
|
||||
@ -383,7 +398,8 @@ ddi_detach_cmd_t cmd;
|
||||
int i;
|
||||
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
|
||||
#endif
|
||||
switch (cmd) {
|
||||
case DDI_DETACH:
|
||||
@ -459,7 +475,9 @@ void *arg, **result;
|
||||
return DDI_FAILURE;
|
||||
error = DDI_FAILURE;
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)", dip, infocmd, arg);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)",
|
||||
dip, infocmd, arg);
|
||||
#endif
|
||||
switch (infocmd) {
|
||||
case DDI_INFO_DEVT2DEVINFO:
|
||||
@ -784,15 +802,7 @@ int out;
|
||||
#endif
|
||||
) {
|
||||
m->b_rptr -= off;
|
||||
if (!synced) {
|
||||
synced = 1;
|
||||
RWLOCK_EXIT(&ipfs_mutex);
|
||||
ipfsync();
|
||||
READ_ENTER(&ipfs_mutex);
|
||||
goto tryagain;
|
||||
}
|
||||
frstats[out].fr_notip++;
|
||||
return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
|
||||
return -2;
|
||||
}
|
||||
|
||||
#ifndef sparc
|
||||
@ -969,27 +979,40 @@ mblk_t *mb;
|
||||
int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
|
||||
qif_t qf, *qif;
|
||||
|
||||
#ifdef IPFDEBUG_VERBOSE
|
||||
if (ipf_debug_verbose)
|
||||
cmn_err(CE_CONT,
|
||||
"fr_qin(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
|
||||
q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
|
||||
msgdsize(mb));
|
||||
#endif
|
||||
|
||||
/*
|
||||
* IPFilter is still in the packet path but not enabled. Drop whatever
|
||||
* it is that has come through.
|
||||
*/
|
||||
if (fr_running <= 0) {
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
return 0;
|
||||
}
|
||||
|
||||
type = MTYPE(mb);
|
||||
|
||||
/*
|
||||
* If a mblk has more than one reference, make a copy, filter that and
|
||||
* free a reference to the original.
|
||||
*/
|
||||
if (mb->b_datap->db_ref > 1) {
|
||||
mblk_t *m1;
|
||||
|
||||
m1 = copymsg(mb);
|
||||
if (!m1) {
|
||||
frstats[0].fr_drop++;
|
||||
mb->b_next = NULL;
|
||||
mb->b_prev = NULL;
|
||||
freemsg(mb);
|
||||
return 0;
|
||||
}
|
||||
m1->b_next = mb->b_next;
|
||||
mb->b_next = NULL;
|
||||
m1->b_prev = mb->b_prev;
|
||||
mb->b_prev = NULL;
|
||||
freemsg(mb);
|
||||
mb = m1;
|
||||
@ -999,10 +1022,9 @@ mblk_t *mb;
|
||||
READ_ENTER(&ipf_solaris);
|
||||
again:
|
||||
if (fr_running <= 0) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return 0;
|
||||
}
|
||||
READ_ENTER(&ipfs_mutex);
|
||||
@ -1030,7 +1052,7 @@ mblk_t *mb;
|
||||
}
|
||||
cmn_err(CE_WARN,
|
||||
"!IP Filter: dropped: fr_qin(%x,%x): type %x qif %x",
|
||||
q, mb, MTYPE(mb), qif);
|
||||
q, mb, type, qif);
|
||||
cmn_err(CE_CONT,
|
||||
"!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
|
||||
q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
|
||||
@ -1044,40 +1066,52 @@ mblk_t *mb;
|
||||
#endif
|
||||
);
|
||||
frstats[0].fr_drop++;
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return 0;
|
||||
}
|
||||
|
||||
qif->qf_incnt++;
|
||||
pnext = qif->qf_rqinfo->qi_putp;
|
||||
type = MTYPE(mb);
|
||||
if (type == M_IOCACK)
|
||||
fr_qif_update(qif, mb);
|
||||
else {
|
||||
bcopy((char *)qif, (char *)&qf, sizeof(qf));
|
||||
|
||||
if (datamsg(type) || (type == M_BREAK))
|
||||
err = fr_precheck(&mb, q, &qf, 0);
|
||||
}
|
||||
bcopy((char *)qif, (char *)&qf, sizeof(qf));
|
||||
if (datamsg(type) || (type == M_BREAK))
|
||||
err = fr_precheck(&mb, q, &qf, 0);
|
||||
|
||||
RWLOCK_EXIT(&ipfs_mutex);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
|
||||
if ((err == 0) && (mb != NULL)) {
|
||||
if (pnext)
|
||||
if (pnext) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return (*pnext)(q, mb);
|
||||
}
|
||||
|
||||
cmn_err(CE_WARN,
|
||||
"!IP Filter: inp NULL: qif %x %s q %x info %x",
|
||||
&qf, qf.qf_name, q, q->q_qinfo);
|
||||
qif, qf.qf_name, q, q->q_qinfo);
|
||||
}
|
||||
|
||||
if (err == -2) {
|
||||
if (synced == 0) {
|
||||
ipfsync();
|
||||
synced = 1;
|
||||
goto again;
|
||||
}
|
||||
frstats[0].fr_notip++;
|
||||
if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return (*pnext)(q, mb);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (mb) {
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
}
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1089,13 +1123,22 @@ mblk_t *mb;
|
||||
int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
|
||||
qif_t qf, *qif;
|
||||
|
||||
#ifdef IPFDEBUG_VERBOSE
|
||||
if (ipf_debug_verbose)
|
||||
cmn_err(CE_CONT,
|
||||
"fr_qout(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
|
||||
q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
|
||||
msgdsize(mb));
|
||||
#endif
|
||||
|
||||
if (fr_running <= 0) {
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
return 0;
|
||||
}
|
||||
|
||||
type = MTYPE(mb);
|
||||
|
||||
#if SOLARIS2 >= 6
|
||||
if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) &&
|
||||
(mb->b_datap->db_ref > 1))
|
||||
@ -1108,14 +1151,10 @@ mblk_t *mb;
|
||||
m1 = copymsg(mb);
|
||||
if (!m1) {
|
||||
frstats[1].fr_drop++;
|
||||
mb->b_next = NULL;
|
||||
mb->b_prev = NULL;
|
||||
freemsg(mb);
|
||||
return 0;
|
||||
}
|
||||
m1->b_next = mb->b_next;
|
||||
mb->b_next = NULL;
|
||||
m1->b_prev = mb->b_prev;
|
||||
mb->b_prev = NULL;
|
||||
freemsg(mb);
|
||||
mb = m1;
|
||||
@ -1125,10 +1164,9 @@ mblk_t *mb;
|
||||
READ_ENTER(&ipf_solaris);
|
||||
again:
|
||||
if (fr_running <= 0) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return 0;
|
||||
}
|
||||
READ_ENTER(&ipfs_mutex);
|
||||
@ -1156,7 +1194,7 @@ mblk_t *mb;
|
||||
}
|
||||
cmn_err(CE_WARN,
|
||||
"!IP Filter: dropped: fr_qout(%x,%x): type %x: qif %x",
|
||||
q, mb, MTYPE(mb), qif);
|
||||
q, mb, type, qif);
|
||||
cmn_err(CE_CONT,
|
||||
"!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
|
||||
q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
|
||||
@ -1180,40 +1218,51 @@ mblk_t *mb;
|
||||
q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next,
|
||||
q->q_nbsrv->q_ptr);
|
||||
frstats[1].fr_drop++;
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return 0;
|
||||
}
|
||||
|
||||
qif->qf_outcnt++;
|
||||
pnext = qif->qf_wqinfo->qi_putp;
|
||||
type = MTYPE(mb);
|
||||
if (type == M_IOCACK)
|
||||
fr_qif_update(qif, mb);
|
||||
else {
|
||||
bcopy((char *)qif, (char *)&qf, sizeof(qf));
|
||||
|
||||
if (datamsg(type) || (type == M_BREAK))
|
||||
err = fr_precheck(&mb, q, &qf, 1);
|
||||
}
|
||||
bcopy((char *)qif, (char *)&qf, sizeof(qf));
|
||||
if (datamsg(type) || (type == M_BREAK))
|
||||
err = fr_precheck(&mb, q, &qf, 1);
|
||||
|
||||
RWLOCK_EXIT(&ipfs_mutex);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
|
||||
if ((err == 0) && (mb != NULL)) {
|
||||
if (pnext)
|
||||
if (pnext) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return (*pnext)(q, mb);
|
||||
}
|
||||
|
||||
cmn_err(CE_WARN,
|
||||
"!IP Filter: outp NULL: qif %x %s q %x info %x",
|
||||
&qf, qf.qf_name, q, q->q_qinfo);
|
||||
qif, qf.qf_name, q, q->q_qinfo);
|
||||
}
|
||||
|
||||
if (err == -2) {
|
||||
if (synced == 0) {
|
||||
ipfsync();
|
||||
synced = 1;
|
||||
goto again;
|
||||
}
|
||||
frstats[1].fr_notip++;
|
||||
if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return (*pnext)(q, mb);
|
||||
}
|
||||
}
|
||||
|
||||
if (mb) {
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
}
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1241,7 +1290,6 @@ mblk_t *mb;
|
||||
|
||||
if (fr_running <= 0) {
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
return 0;
|
||||
}
|
||||
@ -1253,7 +1301,6 @@ mblk_t *mb;
|
||||
if (fr_running <= 0) {
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
return 0;
|
||||
}
|
||||
@ -1269,8 +1316,10 @@ mblk_t *mb;
|
||||
case SIOCSIFADDR:
|
||||
case SIOCSIFFLAGS:
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
|
||||
ioc->ioc_cmd);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
|
||||
ioc->ioc_cmd);
|
||||
#endif
|
||||
WRITE_ENTER(&ipfs_mutex);
|
||||
if (synctimeoutid == 0) {
|
||||
@ -1294,8 +1343,9 @@ extern struct streamtab ipinfo;
|
||||
void solipdrvattach()
|
||||
{
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
|
||||
ipdrvattcnt, &ipinfo);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
|
||||
ipdrvattcnt, &ipinfo);
|
||||
#endif
|
||||
|
||||
if (++ipdrvattcnt == 1) {
|
||||
@ -1309,8 +1359,9 @@ void solipdrvattach()
|
||||
int solipdrvdetach()
|
||||
{
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
|
||||
ipdrvattcnt, &ipinfo);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
|
||||
ipdrvattcnt, &ipinfo);
|
||||
#endif
|
||||
|
||||
WRITE_ENTER(&ipfs_mutex);
|
||||
@ -1362,7 +1413,8 @@ void solattach()
|
||||
RWLOCK_EXIT(&ipfs_mutex);
|
||||
continue;
|
||||
}
|
||||
#ifdef IPFDEBUG
|
||||
#ifdef IPFDEBUGX
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: il %x ipt %x opt %x ipu %x opu %x i %x/%x",
|
||||
il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp,
|
||||
@ -1384,7 +1436,8 @@ void solattach()
|
||||
break;
|
||||
}
|
||||
if (!qf2) {
|
||||
#ifdef IPFDEBUG
|
||||
#ifdef IPFDEBUGX
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_WARN,
|
||||
"IP Filter: rq:%s put %x qi %x",
|
||||
il->ill_name, in->q_qinfo->qi_putp,
|
||||
@ -1404,7 +1457,8 @@ void solattach()
|
||||
break;
|
||||
}
|
||||
if (!qf2) {
|
||||
#ifdef IPFDEBUG
|
||||
#ifdef IPFDEBUGX
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_WARN,
|
||||
"IP Filter: wq:%s put %x qi %x",
|
||||
il->ill_name, out->q_qinfo->qi_putp,
|
||||
@ -1447,6 +1501,15 @@ void solattach()
|
||||
(hdrsizes[il->ill_type][0] == il->ill_type))
|
||||
qif->qf_hl = hdrsizes[il->ill_type][1];
|
||||
|
||||
/* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
|
||||
if (il->ill_type == IFT_ETHER &&
|
||||
il->ill_name[0] == 'c' && il->ill_name[1] == 'e' &&
|
||||
isdigit(il->ill_name[2]) && il->ill_name_length >= 6) {
|
||||
cmn_err(CE_NOTE, "VLAN HACK ENABLED");
|
||||
qif->qf_hl += 4;
|
||||
}
|
||||
/* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
|
||||
|
||||
if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER)
|
||||
cmn_err(CE_WARN,
|
||||
"Unknown layer 2 header size for %s type %d",
|
||||
@ -1524,10 +1587,10 @@ void solattach()
|
||||
sizeof(struct qinit));
|
||||
qif->qf_rqinit.qi_putp = fr_qin;
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
in, in->q_qinfo, &qif->qf_rqinit
|
||||
);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
in, in->q_qinfo, &qif->qf_rqinit);
|
||||
#endif
|
||||
in->q_qinfo = &qif->qf_rqinit;
|
||||
|
||||
@ -1535,10 +1598,10 @@ void solattach()
|
||||
sizeof(struct qinit));
|
||||
qif->qf_wqinit.qi_putp = fr_qout;
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
out, out->q_qinfo, &qif->qf_wqinit
|
||||
);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
out, out->q_qinfo, &qif->qf_wqinit);
|
||||
#endif
|
||||
out->q_qinfo = &qif->qf_wqinit;
|
||||
|
||||
@ -1638,19 +1701,19 @@ int ipfsync()
|
||||
in = qif->qf_in;
|
||||
if (in) {
|
||||
# ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
in, in->q_qinfo, qif->qf_rqinfo
|
||||
);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
in, in->q_qinfo, qif->qf_rqinfo);
|
||||
# endif
|
||||
in->q_qinfo = qif->qf_rqinfo;
|
||||
}
|
||||
if (out) {
|
||||
# ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
out, out->q_qinfo, qif->qf_wqinfo
|
||||
);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
out, out->q_qinfo, qif->qf_wqinfo);
|
||||
# endif
|
||||
out->q_qinfo = qif->qf_wqinfo;
|
||||
}
|
||||
@ -1719,9 +1782,10 @@ int soldetach()
|
||||
);
|
||||
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
in, in->q_qinfo, qif->qf_rqinfo);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
in, in->q_qinfo, qif->qf_rqinfo);
|
||||
#endif
|
||||
in->q_qinfo = qif->qf_rqinfo;
|
||||
|
||||
@ -1729,9 +1793,10 @@ int soldetach()
|
||||
* and the write queue...
|
||||
*/
|
||||
#ifdef IPFDEBUG
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
out, out->q_qinfo, qif->qf_wqinfo);
|
||||
if (ipf_debug)
|
||||
cmn_err(CE_NOTE,
|
||||
"IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
|
||||
out, out->q_qinfo, qif->qf_wqinfo);
|
||||
#endif
|
||||
out->q_qinfo = qif->qf_wqinfo;
|
||||
}
|
||||
@ -1746,6 +1811,8 @@ int soldetach()
|
||||
void printire(ire)
|
||||
ire_t *ire;
|
||||
{
|
||||
if (!ipf_debug)
|
||||
return;
|
||||
printf("ire: ll_hdr_mp %p rfq %p stq %p src_addr %x max_frag %d\n",
|
||||
# if SOLARIS2 >= 8
|
||||
NULL,
|
||||
@ -1812,7 +1879,6 @@ frdest_t *fdp;
|
||||
mp = (*mpp)->b_cont;
|
||||
(*mpp)->b_cont = NULL;
|
||||
(*mpp)->b_prev = NULL;
|
||||
(*mpp)->b_next = NULL;
|
||||
freemsg(*mpp);
|
||||
*mpp = mp;
|
||||
}
|
||||
@ -1951,7 +2017,6 @@ frdest_t *fdp;
|
||||
q = WR(ir->ire_rfq);
|
||||
if (q) {
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
mb->b_queue = q;
|
||||
RWLOCK_EXIT(&ipfs_mutex);
|
||||
RWLOCK_EXIT(&ipf_solaris);
|
||||
@ -1979,7 +2044,6 @@ frdest_t *fdp;
|
||||
}
|
||||
bad_fastroute:
|
||||
mb->b_prev = NULL;
|
||||
mb->b_next = NULL;
|
||||
freemsg(mb);
|
||||
ipl_frouteok[1]++;
|
||||
*mpp = NULL;
|
||||
|
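Review bot: The `DREADFUL VLAN HACK` block added to `solattach()` adds 4 to `qf_hl` for every `IFT_ETHER` interface whose name starts `ce<digit>` with `ill_name_length >= 6`, so the offset at which `fr_precheck()` looks for the IP header now depends on a name-prefix heuristic; when it misfires the filter parses the wrong bytes, and per the new `err == -2` path in `fr_qin()`/`fr_qout()` such packets are forwarded unfiltered unless `FF_BLOCKNONIP` is set. Given the comment says it is only there to check that it works, it should at minimum be gated by a tunable that defaults off — `int ipf_vlan_hack = 0;` beside `ipf_debug`, and `if (ipf_vlan_hack && il->ill_type == IFT_ETHER && …)` — rather than being active for everyone loading the module; whether `ill_name_length` counts the terminating NUL also needs confirming, since that decides whether names like `ce1000` match. The unconditional `cmn_err(CE_NOTE, "VLAN HACK ENABLED");` names no interface; `cmn_err(CE_NOTE, "IP Filter: assuming 802.1Q tag on %s, qf_hl now %d", il->ill_name, qif->qf_hl);` gives an operator something to act on. `solattach()` itself begins and ends outside the hunk.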
@ -9,19 +9,23 @@ BINDEST=/usr/local/bin
|
||||
SBINDEST=/sbin
|
||||
MANDIR=/usr/share/man
|
||||
|
||||
tests: first 0 ftests ptests ntests
|
||||
tests: first 0 ftests ptests ntests nitests logtests
|
||||
|
||||
first:
|
||||
-mkdir -p results
|
||||
|
||||
# Filtering tests
|
||||
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
|
||||
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16
|
||||
|
||||
# Rule parsing tests
|
||||
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
|
||||
|
||||
ntests: n1 n2 n3 n4 n5 n6 n7
|
||||
|
||||
nitests: ni1 ni2
|
||||
|
||||
logtests: l1
|
||||
|
||||
0:
|
||||
@(cd ..; make ipftest; )
|
||||
|
||||
@ -31,13 +35,25 @@ f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14:
|
||||
f12 f13:
|
||||
@/bin/sh ./hextest $@
|
||||
|
||||
f15 f16:
|
||||
@/bin/sh ./mtest $@
|
||||
|
||||
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
|
||||
@/bin/sh ./itest $@
|
||||
|
||||
n1 n2 n3 n4 n5 n6 n7:
|
||||
@/bin/sh ./nattest $@
|
||||
|
||||
ni1 ni2:
|
||||
@/bin/sh ./natipftest $@
|
||||
|
||||
l1:
|
||||
@/bin/sh ./logtest $@
|
||||
|
||||
clean:
|
||||
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 results/*
|
||||
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16
|
||||
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
|
||||
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
|
||||
/bin/rm -f ni1 ni2
|
||||
/bin/rm -f l1
|
||||
/bin/rm -f results/*
|
||||
|
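Review bot: The new `nitests` and `logtests` groups (and the `f15 f16` rule) reach `first` and `0` only through their position in the `tests:` prerequisite list, and make guarantees no ordering between sibling prerequisites under `-j`, so `ni1`, `l1` and friends can run before `results/` exists or before `../ipftest` has been rebuilt. Declaring the setup as real prerequisites of each test rule — `ni1 ni2: first 0` and `l1: first 0`, and the same for the existing `f*`/`i*`/`n*` rules — makes the dependency graph honest; if strictly sequential execution is intended instead, say so with `.NOTPARALLEL:`. The group targets (`tests`, `ftests`, `ptests`, `ntests`, `nitests`, `logtests`, `first`, `0`, `clean`) are not files either and should be listed in a `.PHONY:` line, whereas the individual `f*`/`ni*`/`l1` names do appear to be output files (the `clean` rule deletes them), so leave those as ordinary targets.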
@ -91,6 +91,7 @@ IPv6:
|
||||
|
||||
BSD:
|
||||
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
|
||||
fixed.
|
||||
|
||||
Solaris:
|
||||
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
|
||||
|