This commit was generated by cvs2svn to compensate for changes in r92686,

which included commits to RCS files with non-trunk default branches.
Darren Reed 2002-03-19 11:45:20 +00:00
commit f371049810
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=92687
55 changed files with 2459 additions and 1262 deletions


@ -2,27 +2,29 @@ filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
insert = "@" decnumber .
action = block | "pass" | log | "count" | skip | auth | call .
action = block | "no-match" | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
[ via ] ] .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ reutrn-icmp[return-code] | "return-rst" ] .
block = "block" [ return-icmp[return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
via = "in-via" interface-name | "out-via" interface-name .
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
reutrn-icmp = "return-icmp" | "return-icmp-as-dest" .
return-icmp = "return-icmp" | "return-icmp-as-dest" .
loglevel = facility"."priority | priority .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
@ -32,7 +34,8 @@ flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep = "keep" "state" | "keep" "frags" .
keep = "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
state-age = decnmber [ "/" decnumber ] .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .


@ -8,7 +8,7 @@
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
CC=cc -Wall -Wuninitialized -Wstrict-prototypes -Werror -O
CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O
CFLAGS=-g -I$(TOP)
#
# For NetBSD/FreeBSD
@ -39,22 +39,23 @@ INSTALL=install
#
MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
ip_auth.o ip_log.o
DFLAGS=$(IPFLKM) $(IPFLOG) $(DEF) $(DLKM)
DFLAGS=$(IPFLKM) $(DEF) $(DLKM)
IPF=ipf.o parse.o common.o opt.o facpri.o
IPT=ipt.o parse.o common.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o \
opt.o ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \
ip_auth_u.o ipft_hx.o ip_fil_u.o natparse.o facpri.o
IPNAT=ipnat.o kmem.o natparse.o common.o
FILS=fils.o parse.o kmem.o opt.o facpri.o common.o
ip_auth_u.o ipft_hx.o ip_fil_u.o ip_log_u.o natparse.o facpri.o \
printnat.o printstate.o
IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o
FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o
build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM)
ipfstat: $(FILS)
$(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \
-o $@ $(LIBS) $(STATETOP_LIB)
$(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
$(FILS) -o $@ $(LIBS) $(STATETOP_LIB) -lkvm
ipf: $(IPF)
$(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
$(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
/bin/rm -f $(TOP)/ipf
ln -s `pwd`/ipf $(TOP)
@ -64,10 +65,10 @@ ipftest: $(IPT)
ln -s `pwd`/ipftest $(TOP)
ipnat: $(IPNAT)
$(CC) $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS)
$(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm
ipfs: ipfs.o
$(CC) $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
$(CC) -static $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
tests:
(cd test; make )
@ -107,6 +108,14 @@ natparse.o: $(TOP)/natparse.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@
printnat.o: $(TOP)/printnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/ip_compat.h $(TOP)/ip_proxy.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printnat.c -o $@
printstate.o: $(TOP)/printstate.c $(TOP)/ip_fil.h $(TOP)/ipf.h \
$(TOP)/ip_state.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printstate.c -o $@
ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \
$(TOP)/snoop.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
@ -130,7 +139,8 @@ ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@
ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_nat.h
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_rcmd_pxy.c \
$(TOP)/ip_raudio_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@
ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
@ -148,6 +158,9 @@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@
ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_log.c -o $@
if_ipl.o: $(MODOBJS)
ld -r $(MODOBJS) -o $(LKM)
${RM} -f if_ipl
@ -170,7 +183,7 @@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_raudio_pxy.c \
$(TOP)/ip_nat.h
$(TOP)/ip_rcmd_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
@ -207,6 +220,8 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h
ipmon: $(TOP)/ipmon.c
$(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS)
/bin/rm -f $(TOP)/ipmon
ln -s `pwd`/ipmon $(TOP)
clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
@ -231,10 +246,20 @@ install:
-if [ -d /modules -a -f ipf.ko ] ; then \
cp ipf.ko /modules; \
fi
-$(INSTALL) -cs -g wheel -m 755 -o root ipf $(SBINDEST)
-$(INSTALL) -cs -g wheel -m 755 -o root ipfs $(SBINDEST)
-$(INSTALL) -cs -g wheel -m 755 -o root ipnat $(SBINDEST)
-$(INSTALL) -cs -g wheel -m 755 -o root ipfstat $(SBINDEST)
-$(INSTALL) -cs -g wheel -m 755 -o root ipmon $(BINDEST)
-$(INSTALL) -cs -g wheel -m 755 -o root ipftest $(BINDEST)
@for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \
ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
def="`expr $$i : '[^:]*:\(.*\)'`"; \
p="`expr $$i : '\([^:]*\):.*'`"; \
for d in $(BINDEST) $(SBINDEST); do \
if [ -f $$d/$$i ] ; then \
echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
dd=$$d; \
fi; \
done; \
if [ -z "$$dd" ] ; then \
echo $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
fi \
done
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
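Review bot: The new install loop at the end of the section tests `[ -f $$d/$$i ]` where `$$i` is the whole `name:dir` pair (for example `ipf:/sbin`), so the check never matches an already-installed binary and every tool is always dropped into its default directory, which defeats the point of the loop; and because `dd` is never reset between iterations, once the test is fixed any binary found in one place would stop the `-z "$$dd"` fallback from firing for the tools that follow. The two lines to change are `dd=""; \` as the first statement of the outer loop body and `if [ -f $$d/$$p ] ; then \` for the test. Separately, the first hunk drops `-Werror` from `CC`, so the warnings that used to fail the build now go by unnoticed; if that was done to get the new -Wuninitialized order past a particular compiler it deserves a comment saying so. The `install:` target begins outside the hunk.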


@ -9,13 +9,17 @@ argv0=`basename $0`
dir=`pwd`
karch=`uname -m`
archdir="/sys/arch/$karch"
ipfdir=/sys/netinet
if [ -d /sys/contrib/ipfilter ] ; then
ipfdir=/sys/contrib/ipfilter/netinet
fi
confdir="$archdir/conf"
echo -n "Installing "
for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_ftp_pxy.c ip_rcmd_pxy.c ip_raudio_pxy.c ; do
for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_*_pxy.c ; do
echo -n "$i "
cp $i /sys/netinet/
chmod 644 /sys/netinet/$i
cp $i $ipfdir
chmod 644 $ipfdir/$i
done
echo ""
if [ -f /sys/netinet/ip_fil_compat.h ] ; then
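Review bot: The redirected copy `cp $i $ipfdir` in the loop is unchecked and the script has no `set -e`, so a copy that fails (wrong working directory, not root, `$ipfdir` missing) is followed by a chmod on a file that does not exist and the loop carries on printing the remaining names as if they were installed. Suggest `cp $i $ipfdir || exit 1` and likewise `chmod 644 $ipfdir/$i || exit 1`, so a partially-updated kernel source tree is never left behind silently. The `ip_*_pxy.c` glob is also passed through literally if nothing matches, which would surface only as a confusing cp error; presumably a release tree always contains at least one proxy file. The `if [ -f /sys/netinet/ip_fil_compat.h ]` block on the last line continues outside the hunk.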


@ -9,11 +9,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_{ftp,rcmd}_pxy.c mlf_ipl.c ipl.h ip_compat.h \
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h \
ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ( $i )
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
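Review bot: The new `/bin/cp $i /usr/include/netinet/$i` in the `*.h` case runs unchecked, so when it fails (script not run as root, or the directory absent) the following chmod complains about a missing file and the loop simply continues, leaving the userland headers out of step with the ones just copied into /sys/netinet. csh accepts `||`, so `/bin/cp $i /usr/include/netinet/$i || exit 1` would stop at the first failure instead. Note also that this script still copies into the hard-coded /sys/netinet while the FreeBSD-4.0 script in the same commit now prefers /sys/contrib/ipfilter/netinet when it exists; if that is deliberate for the older releases a one-line comment would save the next reader from "fixing" it.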
echo "Copying /usr/include/osreldate.h to /sys/sys"


@ -9,11 +9,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h \
ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ( $i )
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"


@ -2,27 +2,38 @@
#
set dir=`pwd`
set karch=`uname -m`
set ipfdir=/sys/netinet
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c mlfk_ipl.c \
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c mlfk_ipl.c \
ipl.h ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
cp $i $ipfdir
chmod 644 $ipfdir/$i
switch ( $i )
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch)
patchfile=FreeBSd-4.0/ipv6-patch-$krev
if ( -f $patchfile ) then
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat $patchfile | (cd /sys/netinet6; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
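Review bot: `patchfile=FreeBSd-4.0/ipv6-patch-$krev` is not a csh variable assignment: without `set` the shell tries to execute a command by that name, and the next line's `if ( -f $patchfile )` then aborts the whole script with an undefined-variable error before the kernel configuration is touched. The directory name is also misspelt (the line it replaces used `FreeBSD-4.0`), so even a correct assignment would never find the patch. The line should read `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`. The copies into `$ipfdir` and /usr/include/netinet higher in the hunk are likewise unchecked, so a failed copy only shows up as a chmod error and the script keeps going. The script continues past the hunk with the kernel configuration prompt.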


@ -9,10 +9,16 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_auth.[ch] ip_{ftp,rcmd}_pxy.c ip_compat.h ip_log.c)
ip_proxy.[ch] ip_auth.[ch] ip_*_pxy.c ip_compat.h ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ( $i )
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
grep iplopen $archdir/$karch/conf.c >& /dev/null


@ -22,6 +22,219 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.25 13/03/2002 - Released
retain rule # in state information
log the direction of a packet so ipmon gets it right rather than incorrectly
deriving it from the rule flags
add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
kernel config files to increase that buffer size)
recognise return-* rules differently to block in ipftest
fix bug in ipmon output for solaris
add regression testing for skip rules, logging and using head/group
fix output of ipmon: was displaying large unsigned ints rather than -1
when no rules matched.
make logging code compile into ipftest and add -l command line option to
dump binary log file (read with ipmon -f) when it finishes.
protect rule # and group # from interference when checking accounting rules
add regression testing for log output (text) from ipmon.
document -b command line option for ipmon
fix double-quick in Solaris startup script
3.4.24 01/03/2002 - Released
fix how files are installed on SunOS5
fix some minor problems in SunOS5 ipfboot script
by default, compile all OpenBSD tools in 3.0 for IPv6
fix NULL-pointer dereference in NAT code
make a better attempt at replacing the appropriate binaries on BSD systems
always print IPv6 icmp-types as a number
impose some rules about what "skip" can be used with
fix parsing problems with "keep state" and "keep state-age"
Try to read as much data as is in the log device in ipmon
remove some redundant checks when searching for rdr/nat rules
fix bug in handling of ACCT with FTP proxy
increase array size for interface names, using LIFNAMSIZ
include H.323 proxy from QNX
3.4.23 16/01/2002 - Released
Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
compiles and complete system builds.
Fix bug in automatic flushing of state table which would cause it to hang
in an infinite loop bug introduced in 3.4.20.
Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for
the outgoing connection to make it look like it comes from the real source.
Only support ICMPv6 with IPv6.
Move ipnat.1 to ipnat.8
Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.
Make it possible to do IPv6 regression testing with ipftest.
Use kvm library for kmem access, rather than trying to do it manually with
open/lseek/read.
Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.
Remove Berkeley advertising licence clause. Reference:
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
and fragmentation required.
Fix ipfboot script on Solaris to deal with no nameservers or no route to
them in a clean manner.
Support per-rule set timeouts for non-TCP NAT and state
Add netbios proxy
Add ICMPv6 stateful checking, including handling multicast destination
addresses for neighbour discovery.
Fix problems with internals of ICMP messages for MTU discovery and
unreachables not being correctly adjust on little endian boxes.
Add "in-via" and "out-via" to filtering rules grammar. It is now possible
to bind a rule to both incoming and outgoing interfaces, in both forward
and reverse directions (4 directions in total). allows for asymetric flows
through a firewall.
Fix ipfstat and ipnat for working on crash dumps.
Don't let USE_INET6 stay defined for SunOS4
Count things we see for each interface on solaris.
Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
also include a whole bunch of #define's to make sure the symbols expected
can be used.
Fix up fastroute on BSD systems.
Make fastrouting work for IPv6 just a bit better. doesn't split up big
packets into fragments like the IPv4 one does. You can now do a
"to <if>:<ipv6_addr>"
Remove some of the differences between user-space and kernel-space code
that is internal to ipfilter.
Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
create the illusion of passing time and include the expire functions in the
code compiled for user-space.
Fix issues with the IPSec proxy not working or leading to a system crash.
Junk all processing of SPIs and special handling for ESP.
Add "no-match" as a filter rule action (resets _LAST_ match)
Add hack to workaround problems with Cassini interface cards on
Solaris and VLANs
Add some protocols to etc/protocols
3.4.22 03/12/2001 - Released
various openbsd changes
sorting based on IP numbers for ipfstat top output
fix various IPv6 code & compile problems
modify ip_fil.c to be more netbsd friendly
fix fastroute bug where it modified a packet post-sending
fix get_unit() - don't understand why it was broken.
add FI_IGNOREPKT and don't count so marked packets when doing stats or
state/nat.
extend the interface name saved to log output
make proxies capable of extending the matching done on a packet with a
particular nat session
change interfaces inside NAT & state code to accomodate redesign to allow
IPsec proxy to work.
fix bug when free'ing loaded rules that results in a memory leak
(only an issue with "ipf -rf -", not flush)
make ipftest capable of loading > 1 file or rules, making it now possible
to load both NAT & filter rules
fix hex input for ipftest to allow interface name & direction to work
show ipsec proxy details in ipnat output
if OPT_HEX is set in opts, print a packet out as hex
don't modify b_next or preseve it or preserve b_prev for solaris
fix up kinstall scripts to install all the files everywhere they need to
fix overflowing of bits in ip_off inside iptest
make userauth and proxy in samples directory compile
fix minimum size when doing a pullup for ESP & ICMPv6
3.4.21 24/10/2001 - Released
include ipsec proxy
make state work for non-tcp/udp/icmp in a very simple way
include diffs for ipv6 firewall on openbsd-2.9
add compatibility filter wrapper for NetBSD-current
fix command line option problems with ipfs
if we fill the state table and a automated flush doesn't purge any
expiring entries, remove all entries idle for more than half a day
fix bug with sending resets/icmp errors where the pointer to the data
section of the packet was not being set (BSD only)
split out validating ftp commands and responses into different halves,
one for each of server & client.
do not compile in STATETOP support for specific architectures
fix INSTALL.FreeBSD to no longer provide directions and properly direct
people to the right file for the right version of FreeBSD.
3.4.20 24/07/2001 - Released
adjust NAT hashing to give a better spread across the table


@ -1,51 +1,7 @@
*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
*** IF you are using FreeBSD 3 or later, see the file "INST.FreeBSD-3" ***
*** in the "FreeBSD-3" directory ***
To build a kernel for use with the loadable kernel module, follow these
steps:
1. do "make freebsd"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD/minstall" as root
4. build a new kernel
5. install and reboot with the new kernel
6. use modload(8) to load the packet filter with:
modload if_ipl.o
7. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
1. do "make freebsd"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD/kinstall" as root
4. build a new kernel
5. create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
*** IF you are using FreeBSD 3.x, see the file "FreeBSD-3/INST.FreeBSD-3" ***
*** IF you are using FreeBSD 4.x, see the file "FreeBSD-4.0/INST.FreeBSD-4" ***
Darren Reed
darrenr@pobox.com


@ -1,4 +1,4 @@
Copyright (C) 1993-2001 by Darren Reed.
Copyright (C) 1993-2002 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.


@ -3,7 +3,7 @@
#
# See the IPFILTER.LICENCE file for details on licencing.
#
# $Id: Makefile,v 2.11.2.8 2001/06/26 10:43:10 darrenr Exp $
# $Id: Makefile,v 2.11.2.13 2002/03/06 09:43:15 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -34,7 +34,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
# (requires that you have installed ncurses).
#STATETOP_CFLAGS=-DSTATETOP
STATETOP_CFLAGS=-DSTATETOP
#
# Where to find the ncurses include files (if not in default path),
#
@ -43,7 +43,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
# How to link the ncurses library
#
#STATETOP_LIB=-lncurses
STATETOP_LIB=-lcurses
#STATETOP_LIB=-L/usr/local/lib -lncurses
#
@ -59,7 +59,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
#
MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6)' \
MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6) $(IPFLOG)' \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)" 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' \
@ -100,7 +100,7 @@ tests:
include:
if [ ! -f netinet/done ] ; then \
(cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .; ln -s ../ip_rcmd_pxy.c .; ln -s ../ip_raudio_pxy.c .); \
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .; ); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
touch netinet/done; \
fi
@ -168,8 +168,8 @@ bsdi bsdos: include
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS); else smake build TOP=../.. $(DEST) $(MFLAGS); fi;)
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); fi)
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) SGI=`../getrev` $(MFLAGS); else smake build SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi;)
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi)
linux: include
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
@ -258,7 +258,7 @@ install-bsd:
(cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-sunos4: solaris
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
(cd SunOS4; $(MAKE) "CPU=$(CPU)" "TOP=.." install)
install-sunos5: solaris
(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
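Review bot: The `install-sunos4` fix splits `"CPU=$(CPU) TOP=.."` into two quoted assignments, but the `install-sunos5` recipe on the very next line keeps the single-argument form, which sets CPU to the string `$(CPU) TOP=..` and never sets TOP at all; it needs the same `"CPU=$(CPU)" "TOP=.."` split. In the STATETOP hunks the comment still says "Uncomment the next 3 lines if you want to view the state table", which is now wrong because the lines are active by default; something like `# Comment out the next lines to build ipfstat without the top(1)-style state view (needs curses).` would keep it honest. Turning STATETOP on by default also makes every ipfstat link pull in `-lcurses`, which is worth a line in the changelog since builds on systems without it will now fail at link time.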


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@ -44,9 +47,7 @@ static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 da
extern struct ipopt_names ionames[], secclass[];
extern int opts;
#ifdef USE_INET6
extern int use_inet6;
#endif
char *proto = NULL;
@ -54,10 +55,8 @@ char flagset[] = "FSRPAUEC";
u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
TH_ECN, TH_CWR };
#ifdef USE_INET6
void fill6bits __P((int, u_32_t *));
int count6bits __P((u_32_t *));
#endif
static char thishost[MAXHOSTNAMELEN];
@ -95,30 +94,24 @@ u_32_t *mskp;
* set x most significant bits
*/
bits = (int)strtol(msk, &endptr, 0);
#ifdef USE_INET6
if ((*endptr != '\0') ||
((bits > 32) && !use_inet6) || (bits < 0) ||
((bits > 128) && use_inet6))
#else
if (*endptr != '\0' || bits > 32 || bits < 0)
#endif
return -1;
#ifdef USE_INET6
if (use_inet6)
fill6bits(bits, mskp);
else
#endif
if (bits == 0)
*mskp = 0;
else
*mskp = htonl(0xffffffff << (32 - bits));
else {
if (bits == 0)
*mskp = 0;
else
*mskp = htonl(0xffffffff << (32 - bits));
}
}
return 0;
}
#ifdef USE_INET6
void fill6bits(bits, msk)
int bits;
u_32_t *msk;
@ -134,7 +127,6 @@ u_32_t *msk;
while (i < 4)
msk[i++] = 0;
}
#endif
/*
@ -197,7 +189,6 @@ int linenum;
return -1;
}
(*seg)++;
#ifdef USE_INET6
if (use_inet6) {
u_32_t k = 0;
if (sa[0] || sa[1] || sa[2] || sa[3])
@ -205,8 +196,7 @@ int linenum;
msk[0] = msk[1] = msk[2] = msk[3] = k;
}
else
#endif
*msk = *sa ? 0xffffffff : 0;
*msk = *sa ? 0xffffffff : 0;
return ports(seg, pp, cp, tp, linenum);
}
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
@ -448,7 +438,6 @@ u_32_t ip;
}
#ifdef USE_INET6
int count6bits(msk)
u_32_t *msk;
{
@ -465,7 +454,6 @@ u_32_t *msk;
}
return i;
}
#endif
char *portname(pr, port)
@ -596,3 +584,27 @@ int len, zend;
break;
}
}
char *hostname(v, ip)
int v;
void *ip;
{
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
#endif
struct in_addr ipa;
if (v == 4) {
ipa.s_addr = *(u_32_t *)ip;
return inet_ntoa(ipa);
}
#ifdef USE_INET6
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
hostbuf[MAXHOSTNAMELEN] = '\0';
return hostbuf;
#else
return "IPv6";
#endif
}
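Review bot: `hostname()` in the last hunk ignores the return value of `inet_ntop`, and because `hostbuf` is static a failure (EAFNOSUPPORT on a libc without IPv6, or a buffer that is too small) silently returns whatever address was formatted on the previous call, which in a rule and state printer is a misleading answer rather than an obvious error; suggest `if (inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf)) == NULL) return "?";` — the `- 1` and the explicit NUL store afterwards are then unnecessary, as inet_ntop always terminates its output. The function also treats every `v != 4` as IPv6 and has inet_ntop read 16 bytes from `ip`; if a caller ever passes another version value together with a 4-byte address that is an over-read, so either a `v == 6` check or a comment stating that contract would help. Removing the `#ifdef USE_INET6` guards around `use_inet6`, `fill6bits` and `count6bits` earlier in the section means they now compile unconditionally, which looks intended given fils.c loses the same guard in this commit.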


@ -47,11 +47,15 @@ rsvp 46 RSVP # Reservation Protocol
gre 47 GRE # General Routing Encapsulation
mhrp 48 MHRP # Mobile Host Routing Protocol
bna 49 BNA # BNA
sipp-esp 50 SIPP-ESP # SIPP Encap Security Payload
sipp-ah 51 SIPP-AH # SIPP Authentication Header
esp 50 esp # Encap Security Payload
ah 51 AH # Authentication Header
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
swipe 53 SWIPE # IP with Encryption
nhrp 54 NHRP # NBMA Next Hop Resolution Protocol
mobile 55 MOBILE # IP Mobility (IP tunneling)
ipv6-icmp 58 icmpv6 IPv6-ICMP ICMPv6 # ICMP version 6
ipv6-nonxt 59 IPv6-Nonxt # No Next Header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
any 61 any # host internal protocol
cftp 62 CFTP # CFTP
any 63 any # local network
@ -92,4 +96,6 @@ etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
encap 98 ENCAP # Encapsulation Header
any 99 any # private encryption scheme
gmtp 100 GMTP # GMTP
pim 103 PIM # Protocol Independant Multicast
ipcomp 108 IPCOMP # IP Payload Compression Protocol
reserved 255 Reserved #
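Review bot: Renaming `sipp-esp`/`sipp-ah` to `esp`/`ah` in the first hunk drops the old names entirely, so an existing rule set that says `proto sipp-esp` stops loading after the upgrade, and on a firewall a rule that fails to parse is a silent policy gap rather than a visible failure; keeping the previous names as aliases, `esp 50 ESP SIPP-ESP` and `ah 51 AH SIPP-AH`, preserves both spellings. The alias column of the esp line is also the lower-case duplicate `esp`, while every other entry in the file uses the upper-case protocol name, so `ESP` would match the surrounding convention.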


@ -12,6 +12,9 @@
# endif
# endif
#endif
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__svr4__)
@ -21,8 +24,24 @@
#include <sys/time.h>
#include <sys/param.h>
#include <sys/file.h>
#if defined(STATETOP) && defined(sun) && !defined(__svr4__) && !defined(__SVR4)
#include <sys/select.h>
#if defined(STATETOP)
# if defined(_BSDI_VERSION)
# undef STATETOP)
# endif
# if defined(__FreeBSD__) && \
(!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
# undef STATETOP
# endif
# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
# undef STATETOP
# endif
# if defined(sun)
# if defined(__svr4__) || defined(__SVR4)
# include <sys/select.h>
# else
# undef STATETOP /* NOT supported on SunOS4 */
# endif
# endif
#endif
#include <stdlib.h>
#include <unistd.h>
@ -50,15 +69,16 @@
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "ipf.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
#ifdef STATETOP
# include "netinet/ipl.h"
# include <ctype.h>
# if SOLARIS
# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
defined(__sgi)
# ifdef ERR
# undef ERR
# endif
@ -74,7 +94,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.17 2001/07/19 12:24:09 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $";
#endif
extern char *optarg;
@ -89,9 +109,8 @@ static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
"ipacct(in)", "ipacct(out)" };
int opts = 0;
#ifdef USE_INET6
int use_inet6 = 0;
#endif
int live_kernel = 1;
#ifdef STATETOP
#define STSTRSIZE 80
@ -102,7 +121,9 @@ int use_inet6 = 0;
#define STSORT_PKTS 1
#define STSORT_BYTES 2
#define STSORT_TTL 3
#define STSORT_MAX STSORT_TTL
#define STSORT_SRCIP 4
#define STSORT_DSTIP 5
#define STSORT_MAX STSORT_DSTIP
#define STSORT_DEFAULT STSORT_BYTES
@ -120,51 +141,33 @@ typedef struct statetop {
#endif
extern int main __P((int, char *[]));
static void showstats __P((int, friostat_t *));
static void showfrstates __P((int, ipfrstat_t *));
static void showstats __P((friostat_t *, u_32_t));
static void showfrstates __P((ipfrstat_t *));
static void showlist __P((friostat_t *));
static void showipstates __P((int, ips_stat_t *));
static void showauthstates __P((int, fr_authstat_t *));
static void showipstates __P((ips_stat_t *));
static void showauthstates __P((fr_authstat_t *));
static void showgroups __P((friostat_t *));
static void Usage __P((char *));
static void printlist __P((frentry_t *));
static char *get_ifname __P((void *));
static char *hostname __P((int, void *));
static void parse_ipportstr __P((const char *, struct in_addr *, int *));
static int ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
ipfrstat_t **, fr_authstat_t **, u_32_t *));
static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
ipfrstat_t **, fr_authstat_t **, u_32_t *));
#ifdef STATETOP
static void topipstates __P((int, struct in_addr, struct in_addr, int, int, int, int, int));
static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int));
static char *ttl_to_string __P((long));
static int sort_p __P((const void *, const void *));
static int sort_pkts __P((const void *, const void *));
static int sort_bytes __P((const void *, const void *));
static int sort_ttl __P((const void *, const void *));
static int sort_srcip __P((const void *, const void *));
static int sort_dstip __P((const void *, const void *));
#endif
#if SOLARIS
void showqiflist __P((char *));
#endif
static char *hostname(v, ip)
int v;
void *ip;
{
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
#endif
struct in_addr ipa;
if (v == 4) {
ipa.s_addr = *(u_32_t *)ip;
return inet_ntoa(ipa);
}
#ifdef USE_INET6
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
hostbuf[MAXHOSTNAMELEN] = '\0';
return hostbuf;
#else
return "IPv6";
#endif
}
static void Usage(name)
char *name;
@ -174,11 +177,8 @@ char *name;
#else
fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
#endif
fprintf(stderr, "\t\t[-M corefile]");
#if SOLARIS
fprintf(stderr, " [-N symbol-list]");
#endif
fprintf(stderr, "\n %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n");
fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
exit(1);
}
@ -190,15 +190,13 @@ char *argv[];
fr_authstat_t frauthst;
fr_authstat_t *frauthstp = &frauthst;
friostat_t fio;
friostat_t *fiop=&fio;
friostat_t *fiop = &fio;
ips_stat_t ipsst;
ips_stat_t *ipsstp = &ipsst;
ipfrstat_t ifrst;
ipfrstat_t *ifrstp = &ifrst;
char *name = NULL, *device = IPL_NAME, *memf = NULL;
#if SOLARIS
char *device = IPL_NAME, *memf = NULL;
char *kern = NULL;
#endif
int c, fd, myoptind;
struct protoent *proto;
@ -208,6 +206,8 @@ char *argv[];
int dport = -1; /* -1 = wild card for any dest port */
int topclosed = 0; /* do not show closed tcp sessions */
struct in_addr saddr, daddr;
u_32_t frf;
saddr.s_addr = INADDR_ANY; /* default any source addr */
daddr.s_addr = INADDR_ANY; /* default any dest addr */
@ -216,45 +216,33 @@ char *argv[];
* in the parsing of the rest.
*/
myoptind = optind;
#if SOLARIS
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
#else
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1)
#endif
switch (c)
{
case 'M' :
memf = optarg;
live_kernel = 0;
break;
#if SOLARIS
case 'N' :
kern = optarg;
live_kernel = 0;
break;
#endif
}
optind = myoptind;
#if SOLARIS
if (kern != NULL || memf != NULL)
#else
if (memf != NULL)
#endif
{
(void)setuid(getuid());
(void)setgid(getgid());
}
if (openkmem(memf) == -1)
if (openkmem(kern, memf) == -1)
exit(-1);
(void)setuid(getuid());
(void)setgid(getgid());
#if SOLARIS
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
#else
while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:M:P:S:T:")) != -1)
#endif
{
switch (c)
{
@ -265,7 +253,8 @@ char *argv[];
#endif
case 'a' :
opts |= OPT_ACCNT|OPT_SHOWLIST;
break; case 'A' :
break;
case 'A' :
device = IPAUTH_NAME;
opts |= OPT_AUTHSTATS;
break;
@ -316,11 +305,15 @@ char *argv[];
exit(-2);
}
break;
#if SOLARIS
case 'q' :
#if SOLARIS
showqiflist(kern);
exit(0);
break;
#else
fprintf(stderr, "-q only availble on Solaris\n");
exit(1);
break;
#endif
case 's' :
opts |= OPT_IPSTATES;
@ -356,19 +349,67 @@ char *argv[];
}
}
if (live_kernel == 1) {
bzero((char *)&fio, sizeof(fio));
bzero((char *)&ipsst, sizeof(ipsst));
bzero((char *)&ifrst, sizeof(ifrst));
fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
&frauthstp, &frf);
} else
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
if (opts & OPT_IPSTATES) {
showipstates(ipsstp);
} else if (opts & OPT_SHOWLIST) {
showlist(fiop);
if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
opts &= ~OPT_OUTQUE;
showlist(fiop);
}
} else {
if (opts & OPT_FRSTATES)
showfrstates(ifrstp);
#ifdef STATETOP
else if (opts & OPT_STATETOP)
topipstates(saddr, daddr, sport, dport,
protocol, refreshtime, topclosed);
#endif
else if (opts & OPT_AUTHSTATS)
showauthstates(frauthstp);
else if (opts & OPT_GROUPS)
showgroups(fiop);
else
showstats(fiop, frf);
}
return 0;
}
/*
* Fill in the stats structures from the live kernel, using a combination
* of ioctl's and copying directly from kernel memory.
*/
int ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
char *device;
friostat_t **fiopp;
ips_stat_t **ipsstpp;
ipfrstat_t **ifrstpp;
fr_authstat_t **frauthstpp;
u_32_t *frfp;
{
int fd;
if ((fd = open(device, O_RDONLY)) < 0) {
perror("open");
exit(-1);
}
bzero((char *)&fio, sizeof(fio));
bzero((char *)&ipsst, sizeof(ipsst));
bzero((char *)&ifrst, sizeof(ifrst));
if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, &fiop) == -1) {
if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, fiopp) == -1) {
perror("ioctl(ipf:SIOCGETFS)");
exit(-1);
}
if ((opts & OPT_IPSTATES)) {
int sfd = open(IPL_STATE, O_RDONLY);
@ -376,64 +417,237 @@ char *argv[];
perror("open");
exit(-1);
}
if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) {
if ((ioctl(sfd, SIOCGETFS, ipsstpp) == -1)) {
perror("ioctl(state:SIOCGETFS)");
exit(-1);
}
close(sfd);
}
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrstp) == -1)) {
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, ifrstpp) == -1)) {
perror("ioctl(SIOCGFRST)");
exit(-1);
}
if (opts & OPT_VERBOSE)
PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
PRINTF("opts %#x name %s\n", opts, device);
if ((opts & OPT_AUTHSTATS) &&
(ioctl(fd, SIOCATHST, &frauthstp) == -1)) {
(ioctl(fd, SIOCATHST, frauthstpp) == -1)) {
perror("ioctl(SIOCATHST)");
exit(-1);
}
if (opts & OPT_IPSTATES) {
showipstates(fd, ipsstp);
} else if (opts & OPT_SHOWLIST) {
showlist(&fio);
if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
opts &= ~OPT_OUTQUE;
showlist(&fio);
}
} else {
if (opts & OPT_FRSTATES)
showfrstates(fd, ifrstp);
#ifdef STATETOP
else if (opts & OPT_STATETOP)
topipstates(fd, saddr, daddr, sport, dport,
protocol, refreshtime, topclosed);
#endif
else if (opts & OPT_AUTHSTATS)
showauthstates(fd, frauthstp);
else if (opts & OPT_GROUPS)
showgroups(&fio);
else
showstats(fd, &fio);
}
return 0;
if (ioctl(fd, SIOCGETFF, frfp) == -1)
perror("ioctl(SIOCGETFF)");
return fd;
}
/*
* read the kernel stats for packets blocked and passed
* Build up the stats structures from data held in the "core" memory.
* This is mainly useful when looking at data in crash dumps and ioctl's
* just won't work any more.
*/
static void showstats(fd, fp)
int fd;
struct friostat *fp;
void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
char *kernel;
friostat_t **fiopp;
ips_stat_t **ipsstpp;
ipfrstat_t **ifrstpp;
fr_authstat_t **frauthstpp;
u_32_t *frfp;
{
u_32_t frf = 0;
static fr_authstat_t frauthst, *frauthstp;
static ips_stat_t ipsst, *ipsstp;
static ipfrstat_t ifrst, *ifrstp;
static friostat_t fio, *fiop;
if (ioctl(fd, SIOCGETFF, &frf) == -1)
perror("ioctl(SIOCGETFF)");
void *rules[2][2];
struct nlist deadlist[42] = {
{ "fr_authstats" }, /* 0 */
{ "fae_list" },
{ "ipauth" },
{ "fr_authlist" },
{ "fr_authstart" },
{ "fr_authend" }, /* 5 */
{ "fr_authnext" },
{ "fr_auth" },
{ "fr_authused" },
{ "fr_authsize" },
{ "fr_defaultauthage" }, /* 10 */
{ "fr_authpkts" },
{ "fr_auth_lock" },
{ "frstats" },
{ "ips_stats" },
{ "ips_num" }, /* 15 */
{ "ips_wild" },
{ "ips_list" },
{ "ips_table" },
{ "fr_statemax" },
{ "fr_statesize" }, /* 20 */
{ "fr_state_doflush" },
{ "fr_state_lock" },
{ "ipfr_heads" },
{ "ipfr_nattab" },
{ "ipfr_stats" }, /* 25 */
{ "ipfr_inuse" },
{ "fr_ipfrttl" },
{ "fr_frag_lock" },
{ "ipfr_timer_id" },
{ "fr_nat_lock" }, /* 30 */
{ "ipfilter" },
{ "ipfilter6" },
{ "ipacct" },
{ "ipacct6" },
{ "ipl_frouteok" }, /* 35 */
{ "fr_running" },
{ "ipfgroups" },
{ "fr_active" },
{ "fr_pass" },
{ "fr_flags" }, /* 40 */
{ NULL }
};
frauthstp = &frauthst;
ipsstp = &ipsst;
ifrstp = &ifrst;
fiop = &fio;
*frfp = 0;
*fiopp = fiop;
*ipsstpp = ipsstp;
*ifrstpp = ifrstp;
*frauthstpp = frauthstp;
bzero((char *)fiop, sizeof(*fiop));
bzero((char *)ipsstp, sizeof(*ipsstp));
bzero((char *)ifrstp, sizeof(*ifrstp));
bzero((char *)frauthstp, sizeof(*frauthstp));
if (nlist(kernel, deadlist) == -1) {
fprintf(stderr, "nlist error\n");
return;
}
/*
* This is for SIOCGETFF.
*/
kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
/*
* f_locks is a combination of the lock variable from each part of
* ipfilter (state, auth, nat, fragments).
*/
kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
sizeof(fiop->f_locks[0]));
kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
sizeof(fiop->f_locks[1]));
kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
sizeof(fiop->f_locks[2]));
kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
sizeof(fiop->f_locks[3]));
/*
* Get pointers to each list of rules (active, inactive, in, out)
*/
kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
fiop->f_fin[0] = rules[0][0];
fiop->f_fin[1] = rules[0][1];
fiop->f_fout[0] = rules[1][0];
fiop->f_fout[1] = rules[1][1];
/*
* Same for IPv6, except make them null if support for it is not
* being compiled in.
*/
#ifdef USE_INET6
kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
fiop->f_fin6[0] = rules[0][0];
fiop->f_fin6[1] = rules[0][1];
fiop->f_fout6[0] = rules[1][0];
fiop->f_fout6[1] = rules[1][1];
#else
fiop->f_fin6[0] = NULL;
fiop->f_fin6[1] = NULL;
fiop->f_fout6[0] = NULL;
fiop->f_fout6[1] = NULL;
#endif
/*
* Now get accounting rules pointers.
*/
kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
fiop->f_acctin[0] = rules[0][0];
fiop->f_acctin[1] = rules[0][1];
fiop->f_acctout[0] = rules[1][0];
fiop->f_acctout[1] = rules[1][1];
#ifdef USE_INET6
kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
fiop->f_acctin6[0] = rules[0][0];
fiop->f_acctin6[1] = rules[0][1];
fiop->f_acctout6[0] = rules[1][0];
fiop->f_acctout6[1] = rules[1][1];
#else
fiop->f_acctin6[0] = NULL;
fiop->f_acctin6[1] = NULL;
fiop->f_acctout6[0] = NULL;
fiop->f_acctout6[1] = NULL;
#endif
/*
* A collection of "global" variables used inside the kernel which
* are all collected in friostat_t via ioctl.
*/
kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
sizeof(fiop->f_froute));
kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
sizeof(fiop->f_running));
kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
sizeof(fiop->f_groups));
kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
sizeof(fiop->f_active));
kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
sizeof(fiop->f_defpass));
/*
* Build up the state information stats structure.
*/
kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
kmemcpy((char *)&ipsstp->iss_active, (u_long)deadlist[15].n_value,
sizeof(ipsstp->iss_active));
ipsstp->iss_table = (void *)deadlist[18].n_value;
ipsstp->iss_list = (void *)deadlist[17].n_value;
/*
* Build up the authentiation information stats structure.
*/
kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
sizeof(*frauthstp));
frauthstp->fas_faelist = (void *)deadlist[1].n_value;
/*
* Build up the fragment information stats structure.
*/
kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
sizeof(*ifrstp));
ifrstp->ifs_table = (void *)deadlist[23].n_value;
ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
sizeof(ifrstp->ifs_inuse));
}
/*
* Display the kernel stats for packets blocked and passed and other
* associated running totals which are kept.
*/
static void showstats(fp, frf)
struct friostat *fp;
u_32_t frf;
{
#if SOLARIS
PRINTF("dropped packets:\tin %lu\tout %lu\n",
@ -505,6 +719,9 @@ struct friostat *fp;
}
/*
* Print out a list of rules from the kernel, starting at the one passed.
*/
static void printlist(fp)
frentry_t *fp;
{
@ -543,7 +760,8 @@ frentry_t *fp;
}
/*
* print out filter rule list
* print out all of the asked for rule sets, using the stats struct as
* the base from which to get the pointers.
*/
static void showlist(fiop)
struct friostat *fiop;
@ -598,12 +816,17 @@ struct friostat *fiop;
}
static void showipstates(fd, ipsp)
int fd;
/*
* Display ipfilter stateful filtering information
*/
static void showipstates(ipsp)
ips_stat_t *ipsp;
{
ipstate_t *istab[IPSTATE_SIZE], ips;
ipstate_t *istab[IPSTATE_SIZE];
/*
* If a list of states hasn't been asked for, only print out stats
*/
if (!(opts & OPT_SHOWLIST)) {
PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
@ -619,116 +842,20 @@ ips_stat_t *ipsp;
if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
return;
while (ipsp->iss_list) {
if (kmemcpy((char *)&ips, (u_long)ipsp->iss_list, sizeof(ips)))
break;
ipsp->iss_list = ips.is_next;
PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
hostname(ips.is_v, &ips.is_dst.in4),
ips.is_age, ips.is_pass, ips.is_p,
ips.is_state[0], ips.is_state[1]);
#ifdef USE_QUAD_T
PRINTF("\tpkts %qu bytes %qu",
(unsigned long long) ips.is_pkts,
(unsigned long long) ips.is_bytes);
#else
PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
#endif
if (ips.is_p == IPPROTO_TCP)
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
ntohs(ips.is_sport), ntohs(ips.is_dport),
ips.is_send, ips.is_dend,
ips.is_maxswin, ips.is_maxdwin);
#else
PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
ntohs(ips.is_sport), ntohs(ips.is_dport),
ips.is_send, ips.is_dend,
ips.is_maxswin, ips.is_maxdwin);
#endif
else if (ips.is_p == IPPROTO_UDP)
PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
ntohs(ips.is_dport));
else if (ips.is_p == IPPROTO_ICMP
#ifdef USE_INET6
|| ips.is_p == IPPROTO_ICMPV6
#endif
)
PRINTF(" %hu %hu %d", ips.is_icmp.ics_id,
ips.is_icmp.ics_seq, ips.is_icmp.ics_type);
PRINTF("\n\t");
if (ips.is_pass & FR_PASS) {
PRINTF("pass");
} else if (ips.is_pass & FR_BLOCK) {
PRINTF("block");
switch (ips.is_pass & FR_RETMASK)
{
case FR_RETICMP :
PRINTF(" return-icmp");
break;
case FR_FAKEICMP :
PRINTF(" return-icmp-as-dest");
break;
case FR_RETRST :
PRINTF(" return-rst");
break;
default :
break;
}
} else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
PRINTF("log");
if (ips.is_pass & FR_LOGBODY)
PRINTF(" body");
if (ips.is_pass & FR_LOGFIRST)
PRINTF(" first");
} else if (ips.is_pass & FR_ACCOUNT)
PRINTF("count");
if (ips.is_pass & FR_OUTQUE)
PRINTF(" out");
else
PRINTF(" in");
if ((ips.is_pass & FR_LOG) != 0) {
PRINTF(" log");
if (ips.is_pass & FR_LOGBODY)
PRINTF(" body");
if (ips.is_pass & FR_LOGFIRST)
PRINTF(" first");
if (ips.is_pass & FR_LOGORBLOCK)
PRINTF(" or-block");
}
if (ips.is_pass & FR_QUICK)
PRINTF(" quick");
if (ips.is_pass & FR_KEEPFRAG)
PRINTF(" keep frags");
/* a given; no? */
if (ips.is_pass & FR_KEEPSTATE)
PRINTF(" keep state");
PRINTF("\tIPv%d", ips.is_v);
PRINTF("\n");
PRINTF("\tpkt_flags & %x(%x) = %x,\t",
ips.is_flags & 0xf, ips.is_flags,
ips.is_flags >> 4);
PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
ips.is_opt);
PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
ips.is_secmsk, ips.is_sec, ips.is_authmsk,
ips.is_auth);
PRINTF("\tinterfaces: in %s[%p] ",
get_ifname(ips.is_ifpin), ips.is_ifpin);
PRINTF("out %s[%p]\n",
get_ifname(ips.is_ifpout), ips.is_ifpout);
/*
* Print out all the state information currently held in the kernel.
*/
while (ipsp->iss_list != NULL) {
ipsp->iss_list = printstate(ipsp->iss_list, opts);
}
}
#if SOLARIS
/*
* Displays the list of interfaces of which IPFilter has taken control in
* Solaris.
*/
void showqiflist(kern)
char *kern;
{
@ -737,6 +864,7 @@ char *kern;
{ NULL }
};
qif_t qif, *qf;
ill_t ill;
if (kern == NULL)
kern = "/dev/ksyms";
@ -752,24 +880,27 @@ char *kern;
while (qf) {
if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
break;
printf("\tName: %-8s Header Length: %2d SAP: %s (%04x)\n",
if (kmemcpy((char *)&ill, (u_long)qif.qf_ill, sizeof(ill)))
ill.ill_ppa = -1;
printf("Name: %-8s Header Length: %2d SAP: %s (%04x) PPA %d",
qif.qf_name, qif.qf_hl,
#ifdef IP6_DL_SAP
(qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
#else
"IPv4"
#endif
, qif.qf_sap);
, qif.qf_sap, ill.ill_ppa);
printf(" %ld %ld", qif.qf_incnt, qif.qf_outcnt);
qf = qif.qf_next;
putchar('\n');
}
}
#endif
#ifdef STATETOP
static void topipstates(fd, saddr, daddr, sport, dport, protocol,
static void topipstates(saddr, daddr, sport, dport, protocol,
refreshtime, topclosed)
int fd;
struct in_addr saddr;
struct in_addr daddr;
int sport;
@ -841,8 +972,8 @@ int topclosed;
((dport < 0) ||
(htons(dport) == ips.is_dport)))) &&
(topclosed || (ips.is_p != IPPROTO_TCP) ||
(ips.is_state[0] < TCPS_CLOSE_WAIT) ||
(ips.is_state[1] < TCPS_CLOSE_WAIT))) {
(ips.is_state[0] < TCPS_LAST_ACK) ||
(ips.is_state[1] < TCPS_LAST_ACK))) {
/*
* if necessary make room for this state
* entry
@ -899,6 +1030,14 @@ int topclosed;
qsort(tstable, tsentry + 1,
sizeof(statetop_t), sort_ttl);
break;
case STSORT_SRCIP:
qsort(tstable, tsentry + 1,
sizeof(statetop_t), sort_srcip);
break;
case STSORT_DSTIP:
qsort(tstable, tsentry + 1,
sizeof(statetop_t), sort_dstip);
break;
default:
break;
}
@ -957,6 +1096,12 @@ int topclosed;
case STSORT_TTL:
sprintf(str4, "ttl");
break;
case STSORT_SRCIP:
sprintf(str4, "srcip");
break;
case STSORT_DSTIP:
sprintf(str4, "dstip");
break;
default:
sprintf(str4, "unknown");
break;
@ -1079,14 +1224,20 @@ int topclosed;
}
#endif
static void showfrstates(fd, ifsp)
int fd;
/*
* Show fragment cache information that's held in the kernel.
*/
static void showfrstates(ifsp)
ipfrstat_t *ifsp;
{
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
frentry_t fr;
int i;
/*
* print out the numeric statistics
*/
PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
PRINTF("\t%lu no memory\n\t%lu already exist\n",
@ -1094,6 +1245,10 @@ ipfrstat_t *ifsp;
PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
return;
/*
* Print out the contents (if any) of the fragment cache table.
*/
for (i = 0; i < IPFT_SIZE; i++)
while (ipfrtab[i]) {
if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
@ -1129,8 +1284,10 @@ ipfrstat_t *ifsp;
}
static void showauthstates(fd, asp)
int fd;
/*
* Show stats on how auth within IPFilter has been used
*/
static void showauthstates(asp)
fr_authstat_t *asp;
{
frauthent_t *frap, fra;
@ -1161,63 +1318,10 @@ fr_authstat_t *asp;
}
static char *get_ifname(ptr)
void *ptr;
{
#if SOLARIS
char *ifname;
ill_t ill;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
return "X";
ifname = malloc(ill.ill_name_length + 1);
if (kmemcpy(ifname, (u_long)ill.ill_name,
ill.ill_name_length) == -1)
return "X";
return ifname;
#else
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
#else
char buf[32];
int len;
# endif
struct ifnet netif;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
return "X";
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
return strdup(netif.if_xname);
# else
if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
return "X";
if (netif.if_unit < 10)
len = 2;
else if (netif.if_unit < 1000)
len = 3;
else if (netif.if_unit < 10000)
len = 4;
else
len = 5;
buf[sizeof(buf) - len] = '\0';
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
return strdup(buf);
# endif
#endif
}
/*
* Display groups used for each of filter rules, accounting rules and
* authentication, separately.
*/
static void showgroups(fiop)
struct friostat *fiop;
{
@ -1370,4 +1474,32 @@ const void *b;
return 1;
return -1;
}
static int sort_srcip(a, b)
const void *a;
const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr))
return 0;
else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr))
return 1;
return -1;
}
static int sort_dstip(a, b)
const void *a;
const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr))
return 0;
else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr))
return 1;
return -1;
}
#endif


@ -65,7 +65,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.1 2001/07/15 22:06:14 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.2 2002/02/22 15:32:46 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@ -182,7 +182,8 @@ inet_aton(cp, addr)
* Ascii internet address interpretation routine.
* The value returned is in network order.
*/
#if defined(SOLARIS2) && (SOLARIS2 > 5)
#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \
(defined(IRIX) && (IRIX >= 605))
in_addr_t
#else
u_long


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.4 2002/03/06 09:44:11 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@ -16,7 +16,6 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 da
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <sys/dir.h>
#include <sys/socket.h>
#ifndef _KERNEL
@ -42,8 +41,8 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 da
#include "netinet/ip_compat.h"
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.12 2001/07/18 14:57:09 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $";
#endif
#include <sys/types.h>
@ -375,14 +375,14 @@ caddr_t data;
{
register frentry_t *fp, *f, **fprev;
register frentry_t **ftail;
frentry_t fr;
frdest_t *fdp;
frgroup_t *fg = NULL;
u_int *p, *pp;
int error = 0, in;
int error = 0, in, i;
u_int *p, *pp;
frdest_t *fdp;
frentry_t fr;
u_32_t group;
ill_t *ill;
ipif_t *ipif;
ill_t *ill;
ire_t *ire;
fp = &fr;
@ -448,11 +448,16 @@ caddr_t data;
bzero((char *)frcache, sizeof(frcache[0]) * 2);
if (*fp->fr_ifname) {
fp->fr_ifa = (void *)get_unit((char *)fp->fr_ifname,
(int)fp->fr_v);
if (!fp->fr_ifa)
fp->fr_ifa = (struct ifnet *)-1;
for (i = 0; i < 4; i++) {
if ((fp->fr_ifnames[i][1] == '\0') &&
((fp->fr_ifnames[i][0] == '-') ||
(fp->fr_ifnames[i][0] == '*'))) {
fp->fr_ifas[i] = NULL;
} else if (*fp->fr_ifnames[i]) {
fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
if (!fp->fr_ifas[i])
fp->fr_ifas[i] = (void *)-1;
}
}
fdp = &fp->fr_dif;
@ -583,6 +588,7 @@ caddr_t data;
fixskip(fprev, f, -1);
*ftail = f->fr_next;
f->fr_next = NULL;
f->fr_ref--;
if (f->fr_ref == 0)
KFREE(f);
}
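Review bot: The interface loop at `for (i = 0; i < 4; i++)` leaves `fp->fr_ifas[i]` untouched when `fr_ifnames[i]` is empty, so whatever pointer value the caller placed in the rule survives into the kernel's copy; if this struct is copied in from userland (the `caddr_t data` parameter suggests it is), the kernel should normalise that field itself rather than rely on the caller having zeroed it, e.g. an `else fp->fr_ifas[i] = NULL;` arm — assuming NULL is the "any interface" value, as the `-`/`*` case implies. The bound `4` is also a bare magic number; `sizeof(fp->fr_ifnames) / sizeof(fp->fr_ifnames[0])` would keep the loop in step with the array definition. The enclosing function starts and ends outside the hunk.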


@ -12,6 +12,9 @@
# endif
# endif
#endif
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
@ -47,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.10 2001/07/18 11:34:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $";
#endif
#if SOLARIS
@ -64,9 +67,7 @@ void zerostats __P((void));
int main __P((int, char *[]));
int opts = 0;
#ifdef USE_INET6
int use_inet6 = 0;
#endif
static int fd = -1;
@ -105,11 +106,9 @@ char *argv[];
while ((c = getopt(argc, argv, OPTS)) != -1) {
switch (c)
{
#ifdef USE_INET6
case '6' :
use_inet6 = 1;
break;
#endif
case 'A' :
opts &= ~OPT_INACTIVE;
break;
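Review bot: With the `#ifdef USE_INET6` guards removed, `case '6'` now sets `use_inet6 = 1` on every build, so a binary compiled without IPv6 support accepts `-6` silently; whether anything downstream honours the flag in that configuration is not visible here. If the intent is option-parsing parity across builds, a comment on the case would make that explicit, e.g. `/* -6 is parsed on all builds; it only has an effect when USE_INET6 is defined */`; otherwise the case should reject the option when `USE_INET6` is undefined so the user is not misled.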


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.9.2.3 2001/06/26 10:43:18 darrenr Exp $
* $Id: ipf.h,v 2.9.2.6 2002/01/03 08:00:12 darrenr Exp $
*/
#ifndef __IPF_H__
@ -38,6 +38,7 @@
#define OPT_STATETOP 0x400000
#define OPT_FLUSH 0x800000
#define OPT_CLEAR 0x1000000
#define OPT_HEX 0x2000000
#define OPT_NODO 0x80000000
#define OPT_STAT OPT_FRSTATES
@ -52,7 +53,10 @@
# endif
#endif
struct ipstate;
struct frpcmp;
struct ipnat;
struct nat;
#ifdef ultrix
extern char *strdup __P((char *));
@ -90,9 +94,15 @@ extern int genmask __P((char *, u_32_t *));
extern int hostnum __P((u_32_t *, char *, int));
extern u_32_t optname __P((char ***, u_short *, int));
extern void printpacket __P((ip_t *));
extern void printpacket6 __P((ip_t *));
extern void printportcmp __P((int, struct frpcmp *));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
extern void printbuf __P((char *, int, int));
extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int));
extern void printnat __P((struct ipnat *, int));
extern void printactivenat __P((struct nat *, int));
#if SOLARIS
extern int inet_aton __P((const char *, struct in_addr *));
extern int gethostname __P((char *, int ));


@ -45,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.7 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@ -237,13 +237,13 @@ char *argv[];
opts |= OPT_DONOTHING;
break;
case 'N' :
if ((ns > 0) || dirname || (rw != -1) || set)
if ((ns >= 0) || dirname || (rw != -1) || set)
usage();
ns = 0;
set = 1;
break;
case 'r' :
if ((ns > 0) || dirname || (rw != -1))
if ((ns >= 0) || dirname || (rw != -1))
usage();
rw = 0;
set = 1;
@ -253,7 +253,7 @@ char *argv[];
set = 1;
break;
case 'S' :
if ((ns > 0) || dirname || (rw != -1) || set)
if ((ns >= 0) || dirname || (rw != -1) || set)
usage();
ns = 1;
set = 1;
@ -268,7 +268,7 @@ char *argv[];
opts |= OPT_VERBOSE;
break;
case 'w' :
if ((ns > 0) || dirname || (rw != -1) || (ns == -1))
if (dirname || (rw != -1) || (ns == -1))
usage();
rw = 1;
set = 1;
@ -283,7 +283,7 @@ char *argv[];
}
if (ifs) {
if (!filename || ns<0)
if (!filename || ns < 0)
usage();
if (ns == 0)
return changenatif(ifs, filename);
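Review bot: The `-r` check at `if ((ns >= 0) || dirname || (rw != -1))` still rejects a preceding `-N` or `-S` (which set `ns` to 0 or 1), while the `-N` and `-S` cases reject a preceding `-r` through `rw != -1`, so restore can no longer be combined with a table selection in either order, whereas `-w` was relaxed to `if (dirname || (rw != -1) || (ns == -1))`. Unless restore is meant to be independent of `-N`/`-S`, the `-r` case should mirror the `-w` form. The option loop is cut at both ends of the hunk, so any later validation of `ns` and `rw` is not visible here.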


@ -17,6 +17,9 @@ etherfind -n -t
0.32 91 04 131.170.1.10 128.250.133.13
0.33 566 udp 128.250.37.155 128.250.133.3 901 901
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@ -49,7 +52,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $";
#endif
static int etherf_open __P((char *));


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
@ -40,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.5 2002/02/22 15:32:54 darrenr Exp $";
#endif
extern int opts;
@ -91,6 +94,14 @@ int cnt, *dir;
char line[513];
ip_t *ip;
/*
* interpret start of line as possibly "[ifname]" or
* "[in/out,ifname]".
*/
if (ifn)
*ifn = NULL;
if (dir)
*dir = 0;
ip = (ip_t *)buf;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = index(line, '\n'))) {
@ -107,21 +118,14 @@ int cnt, *dir;
fflush(stdout);
}
/*
* interpret start of line as possibly "[ifname]" or
* "[in/out,ifname]".
*/
if (ifn)
*ifn = NULL;
if (dir)
*dir = 0;
if ((*buf == '[') && (s = index(line, ']'))) {
t = buf + 1;
if (t - s > 0) {
if ((*line == '[') && (s = index(line, ']'))) {
t = line + 1;
if (s - t > 0) {
*s++ = '\0';
if ((u = index(t, ',')) && (u < s)) {
u++;
if (ifn)
*ifn = u;
*ifn = strdup(u);
if (dir) {
if (*t == 'i')
*dir = 0;
@ -130,7 +134,6 @@ int cnt, *dir;
}
} else if (ifn)
*ifn = t;
*s++ = '\0';
}
} else
s = line;
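Review bot: The `else if (ifn) *ifn = t;` branch now stores a pointer into the local `char line[513]` buffer (since `t = line + 1`), which dangles once the function returns, while the comma branch at `*ifn = strdup(u);` hands back a heap string; the caller therefore receives either an owned allocation or an invalid pointer depending on the input line. Both branches should agree, `*ifn = strdup(t);`, with the caller responsible for freeing the result, and both `strdup` returns should be checked for NULL before use. The enclosing function starts and ends outside the hunk.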


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@ -31,7 +34,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
#endif
struct llc {


@ -7,6 +7,9 @@
/*
* Written to comply with the recent RFC 1761 from Sun.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@ -35,7 +38,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
#endif
struct llc {


@ -26,6 +26,9 @@ tcpdump -nqte
8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@ -58,7 +61,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $";
#endif
static int tcpd_open __P((char *));


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
@ -41,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.4 2001/06/26 10:43:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $";
#endif
extern int opts;
@ -261,7 +264,7 @@ int *out;
tx_proto = "udp";
} else {
ip->ip_p = IPPROTO_ICMP;
ip->ip_len += sizeof(struct icmp);
ip->ip_len += ICMPERR_IPICMPHLEN;
tx_proto = "icmp";
}
cpp++;


@ -1,10 +1,13 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@ -39,10 +42,12 @@
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
#include <nlist.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "ipf.h"
#include "kmem.h"
@ -55,32 +60,32 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.9 2001/07/18 15:06:33 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp $";
#endif
#if SOLARIS
#define bzero(a,b) memset(a,0,b)
#endif
#ifdef USE_INET6
int use_inet6 = 0;
#endif
static char thishost[MAXHOSTNAMELEN];
char thishost[MAXHOSTNAMELEN];
extern char *optarg;
extern ipnat_t *natparse __P((char *, int));
extern void natparsefile __P((int, char *, int));
extern void printnat __P((ipnat_t *, int, void *));
extern void printnat __P((ipnat_t *, int));
extern void printactivenat __P((nat_t *, int));
extern void printhostmap __P((hostmap_t *, u_int));
extern char *getsumd __P((u_32_t));
void dostats __P((int, int)), flushtable __P((int, int));
void dostats __P((natstat_t *, int)), flushtable __P((int, int));
void usage __P((char *));
int countbits __P((u_32_t));
char *getnattype __P((ipnat_t *));
int main __P((int, char*[]));
void printaps __P((ap_session_t *, int));
char *getsumd __P((u_32_t));
void showhostmap __P((natstat_t *nsp));
void natstat_dead __P((natstat_t *, char *));
void usage(name)
@ -91,27 +96,22 @@ char *name;
}
char *getsumd(sum)
u_32_t sum;
{
static char sumdbuf[17];
if (sum & NAT_HW_CKSUM)
sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
else
sprintf(sumdbuf, "%#0x", sum);
return sumdbuf;
}
int main(argc, argv)
int argc;
char *argv[];
{
int fd = -1, opts = 0, c, mode = O_RDWR;
char *file = NULL, *core = NULL;
natstat_t ns, *nsp = &ns;
char *file, *core, *kernel;
int fd, opts, c, mode;
while ((c = getopt(argc, argv, "CdFf:hlM:nrsv")) != -1)
fd = -1;
opts = 0;
file = NULL;
core = NULL;
kernel = NULL;
mode = O_RDWR;
while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1)
switch (c)
{
case 'C' :
@ -136,6 +136,9 @@ char *argv[];
case 'M' :
core = optarg;
break;
case 'N' :
kernel = optarg;
break;
case 'n' :
opts |= OPT_NODO;
mode = O_RDONLY;
@ -154,21 +157,40 @@ char *argv[];
usage(argv[0]);
}
if (core != NULL) {
if (openkmem(core) == -1)
exit(1);
if ((kernel != NULL) || (core != NULL)) {
(void) setgid(getgid());
(void) setuid(getuid());
}
bzero((char *)&ns, sizeof(ns));
gethostname(thishost, sizeof(thishost));
thishost[sizeof(thishost) - 1] = '\0';
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, mode)) == -1) &&
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
STRERROR(errno));
exit(-1);
if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) {
if (openkmem(kernel, core) == -1)
exit(1);
if (((fd = open(IPL_NAT, mode)) == -1) &&
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
STRERROR(errno));
exit(1);
}
if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
perror("ioctl(SIOCGNATS)");
exit(1);
}
(void) setgid(getgid());
(void) setuid(getuid());
} else if ((kernel != NULL) || (core != NULL)) {
if (openkmem(kernel, core) == -1)
exit(1);
natstat_dead(nsp, kernel);
if (opts & (OPT_LIST|OPT_STAT))
dostats(nsp, opts);
exit(0);
}
if (opts & (OPT_FLUSH|OPT_CLEAR))
@ -176,172 +198,113 @@ char *argv[];
if (file)
natparsefile(fd, file, opts);
if (opts & (OPT_LIST|OPT_STAT))
dostats(fd, opts);
dostats(nsp, opts);
return 0;
}
void printaps(aps, opts)
ap_session_t *aps;
int opts;
/*
* Read nat statistic information in using a symbol table and memory file
* rather than doing ioctl's.
*/
void natstat_dead(nsp, kernel)
natstat_t *nsp;
char *kernel;
{
ap_session_t ap;
ftpinfo_t ftp;
aproxy_t apr;
raudio_t ra;
struct nlist nat_nlist[10] = {
{ "nat_table" }, /* 0 */
{ "nat_list" },
{ "maptable" },
{ "ipf_nattable_sz" },
{ "ipf_natrules_sz" },
{ "ipf_rdrrules_sz" }, /* 5 */
{ "ipf_hostmap_sz" },
{ "nat_instances" },
{ "ap_sess_list" },
{ NULL }
};
void *tables[2];
if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
if (nlist(kernel, nat_nlist) == -1) {
fprintf(stderr, "nlist error\n");
return;
if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
return;
printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
apr.apr_p, apr.apr_ref, apr.apr_flags);
printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
#ifdef USE_QUAD_T
printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
(unsigned long long)ap.aps_pkts);
#else
printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
#endif
printf(" data %p psiz %d\n", ap.aps_data, ap.aps_psiz);
if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
printf("\t\tstate[%u,%u], sel[%d,%d]\n",
ap.aps_state[0], ap.aps_state[1],
ap.aps_sel[0], ap.aps_sel[1]);
#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
(__FreeBSD_version >= 300000) || defined(OpenBSD)
printf("\t\tseq: off %hd/%hd min %x/%x\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
printf("\t\tack: off %hd/%hd min %x/%x\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#else
printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
printf("\t\tack: off %hd/%hd min %lx/%lx\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#endif
}
if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
return;
printf("\tReal Audio Proxy:\n");
printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
ra.rap_seenpna, ra.rap_version, ra.rap_eos);
printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
ra.rap_plport, ra.rap_prport, ra.rap_srport);
} else if (!strcmp(apr.apr_label, "ftp") &&
(ap.aps_psiz == sizeof(ftp))) {
if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
return;
printf("\tFTP Proxy:\n");
printf("\t\tpassok: %d\n", ftp.ftp_passok);
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
printf("\tClient:\n");
printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr,
ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
ftp.ftp_side[0].ftps_junk);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
printf("]\n\tServer:\n");
printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr,
ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
ftp.ftp_side[1].ftps_junk);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
printf("]\n");
}
/*
* Normally the ioctl copies all of these values into the structure
* for us, before returning it to useland, so here we must copy each
* one in individually.
*/
kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
nsp->ns_table[0] = tables[0];
nsp->ns_table[1] = tables[1];
kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
sizeof(nsp->ns_list));
kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
sizeof(nsp->ns_maptable));
kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
sizeof(nsp->ns_nattab_sz));
kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
sizeof(nsp->ns_rultab_sz));
kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
sizeof(nsp->ns_rdrtab_sz));
kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
sizeof(nsp->ns_hostmap_sz));
kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
sizeof(nsp->ns_instances));
kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
sizeof(nsp->ns_apslist));
}
/*
* Get a nat filter type given its kernel address.
* Display NAT statistics.
*/
char *getnattype(ipnat)
ipnat_t *ipnat;
void dostats(nsp, opts)
natstat_t *nsp;
int opts;
{
char *which;
ipnat_t ipnatbuff;
if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
sizeof(ipnatbuff))))
return "???";
switch (ipnatbuff.in_redir)
{
case NAT_MAP :
which = "MAP";
break;
case NAT_MAPBLK :
which = "MAP-BLOCK";
break;
case NAT_REDIRECT :
which = "RDR";
break;
case NAT_BIMAP :
which = "BIMAP";
break;
default :
which = "unknown";
break;
}
return which;
}
void dostats(fd, opts)
int fd, opts;
{
hostmap_t hm, *hmp, **maptable;
natstat_t ns, *nsp = &ns;
nat_t **nt[2], *np, nat;
u_int hv, hv1, hv2;
ipnat_t ipn;
bzero((char *)&ns, sizeof(ns));
if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &nsp) == -1) {
perror("ioctl(SIOCGNATS)");
return;
}
/*
* Show statistics ?
*/
if (opts & OPT_STAT) {
printf("mapped\tin\t%lu\tout\t%lu\n",
ns.ns_mapped[0], ns.ns_mapped[1]);
nsp->ns_mapped[0], nsp->ns_mapped[1]);
printf("added\t%lu\texpired\t%lu\n",
ns.ns_added, ns.ns_expire);
nsp->ns_added, nsp->ns_expire);
printf("no memory\t%lu\tbad nat\t%lu\n",
ns.ns_memfail, ns.ns_badnat);
printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
printf("wilds\t%u\n", ns.ns_wilds);
nsp->ns_memfail, nsp->ns_badnat);
printf("inuse\t%lu\nrules\t%lu\n",
nsp->ns_inuse, nsp->ns_rules);
printf("wilds\t%u\n", nsp->ns_wilds);
if (opts & OPT_VERBOSE)
printf("table %p list %p\n", ns.ns_table, ns.ns_list);
printf("table %p list %p\n",
nsp->ns_table, nsp->ns_list);
}
/*
* Show list of NAT rules and NAT sessions ?
*/
if (opts & OPT_LIST) {
printf("List of active MAP/Redirect filters:\n");
while (ns.ns_list) {
if (kmemcpy((char *)&ipn, (long)ns.ns_list,
while (nsp->ns_list) {
if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
sizeof(ipn))) {
perror("kmemcpy");
break;
}
if (opts & OPT_HITS)
printf("%d ", ipn.in_hits);
printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE),
(void *)ns.ns_list);
ns.ns_list = ipn.in_next;
printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
nsp->ns_list = ipn.in_next;
}
nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
if (kmemcpy((char *)nt[0], (long)ns.ns_table[0],
if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0],
sizeof(**nt) * NAT_SIZE)) {
perror("kmemcpy");
return;
@ -349,89 +312,59 @@ int fd, opts;
printf("\nList of active sessions:\n");
for (np = ns.ns_instances; np; np = nat.nat_next) {
for (np = nsp->ns_instances; np; np = nat.nat_next) {
if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
break;
printf("%s %-15s %-5hu <- ->", getnattype(nat.nat_ptr),
inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport));
printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip),
ntohs(nat.nat_outport));
printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
ntohs(nat.nat_oport));
if (opts & OPT_VERBOSE) {
printf("\n\tage %lu use %hu sumd %s/",
nat.nat_age, nat.nat_use,
getsumd(nat.nat_sumd[0]));
hv1 = NAT_HASH_FN(nat.nat_inip.s_addr,
nat.nat_inport,
0xffffffff),
hv1 = NAT_HASH_FN(nat.nat_oip.s_addr,
hv1 + nat.nat_oport,
NAT_TABLE_SZ),
hv2 = NAT_HASH_FN(nat.nat_outip.s_addr,
nat.nat_outport,
0xffffffff),
hv2 = NAT_HASH_FN(nat.nat_oip.s_addr,
hv2 + nat.nat_oport,
NAT_TABLE_SZ),
printf("%s pr %u bkt %d/%d flags %x ",
getsumd(nat.nat_sumd[1]), nat.nat_p,
hv1, hv2, nat.nat_flags);
#ifdef USE_QUAD_T
printf("bytes %qu pkts %qu",
(unsigned long long)nat.nat_bytes,
(unsigned long long)nat.nat_pkts);
#else
printf("bytes %lu pkts %lu",
nat.nat_bytes, nat.nat_pkts);
#endif
#if SOLARIS
printf(" %lx", nat.nat_ipsumd);
#endif
}
putchar('\n');
if (nat.nat_aps)
printaps(nat.nat_aps, opts);
printactivenat(&nat, opts);
}
if (opts & OPT_VERBOSE) {
printf("\nList of active host mappings:\n");
maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
ns.ns_hostmap_sz);
if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable,
sizeof(hostmap_t *) * ns.ns_hostmap_sz)) {
perror("kmemcpy (maptable)");
return;
}
for (hv = 0; hv < ns.ns_hostmap_sz; hv++) {
hmp = maptable[hv];
while(hmp) {
if (kmemcpy((char *)&hm, (u_long)hmp,
sizeof(hostmap_t))) {
perror("kmemcpy (hostmap)");
return;
}
printf("%s -> ",
inet_ntoa(hm.hm_realip));
printf("%s ", inet_ntoa(hm.hm_mapip));
printf("(use = %d hv = %u)\n",
hm.hm_ref, hv);
hmp = hm.hm_next;
}
}
free(maptable);
}
if (opts & OPT_VERBOSE)
showhostmap(nsp);
free(nt[0]);
}
}
/*
* display the active host mapping table.
*/
void showhostmap(nsp)
natstat_t *nsp;
{
hostmap_t hm, *hmp, **maptable;
u_int hv;
printf("\nList of active host mappings:\n");
maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
nsp->ns_hostmap_sz);
if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
perror("kmemcpy (maptable)");
return;
}
for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
hmp = maptable[hv];
while (hmp) {
if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
perror("kmemcpy (hostmap)");
return;
}
printhostmap(&hm, hv);
hmp = hm.hm_next;
}
}
free(maptable);
}
/*
* Issue an ioctl to flush either the NAT rules table or the active mapping
* table or both.
*/
void flushtable(fd, opts)
int fd, opts;
{


@ -1,6 +1,9 @@
/*
* Based upon 4.4BSD's /usr/sbin/arp
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <unistd.h>
#include <string.h>
#include <stdlib.h>


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
@ -26,7 +29,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
#endif


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
@ -29,7 +32,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.3 2001/07/15 22:00:13 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.4 2002/02/22 15:32:57 darrenr Exp $";
#endif
static char *ipbuf = NULL, *ethbuf = NULL;


@ -8,12 +8,16 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
@ -30,7 +34,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
#endif


@ -3,6 +3,10 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <sys/param.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@ -21,7 +25,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.3 2002/02/22 15:32:58 darrenr Exp $";
#endif


@ -8,6 +8,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
@ -34,7 +37,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.2 2001/07/15 22:00:14 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.3 2002/02/22 15:32:58 darrenr Exp $";
#endif


@ -5,7 +5,10 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.2 2002/02/22 15:32:58 darrenr Exp $";
#endif
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <unistd.h>


@ -8,6 +8,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@ -35,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.4 2002/02/22 15:32:58 darrenr Exp $";
#endif


@ -4,6 +4,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <sys/types.h>
#include <string.h>


@ -1,5 +1,5 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@ -12,6 +12,9 @@
# endif
# endif
#endif
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <assert.h>
#include <string.h>
@ -54,12 +57,13 @@
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#include "ip_frag.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.2 2001/06/26 10:43:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $";
#endif
extern char *optarg;
@ -71,23 +75,42 @@ extern ipnat_t *natparse __P((char *, int));
extern int fr_running;
int opts = 0;
#ifdef USE_INET6
int use_inet6 = 0;
#endif
int main __P((int, char *[]));
int loadrules __P((char *));
int kmemcpy __P((char *, long, int));
void dumpnat __P((void));
void dumpstate __P((void));
char *getifname __P((void *));
void drain_log __P((char *));
int main(argc,argv)
int argc;
char *argv[];
{
struct ipread *r = &iptext;
u_long buf[2048];
char *datain, *iface, *ifname, *packet, *logout;
int fd, i, dir, c, loaded, dump, hlen;
struct ifnet *ifp;
char *rules = NULL, *datain = NULL, *iface = NULL;
struct ipread *r;
u_long buf[2048];
ip_t *ip;
int fd, i, dir = 0, c;
while ((c = getopt(argc, argv, "6bdEHi:I:NoPr:STvX")) != -1)
dir = 0;
dump = 0;
loaded = 0;
r = &iptext;
iface = NULL;
logout = NULL;
ifname = "anon0";
datain = NULL;
nat_init();
fr_stateinit();
initparse();
ipflog_init();
fr_running = 1;
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
switch (c)
{
#ifdef USE_INET6
@ -101,17 +124,25 @@ char *argv[];
case 'd' :
opts |= OPT_DEBUG;
break;
case 'D' :
dump = 1;
break;
case 'i' :
datain = optarg;
break;
case 'I' :
iface = optarg;
ifname = optarg;
break;
case 'l' :
logout = optarg;
break;
case 'o' :
opts |= OPT_SAVEOUT;
break;
case 'r' :
rules = optarg;
if (loadrules(optarg) == -1)
return -1;
loaded = 1;
break;
case 'v' :
opts |= OPT_VERBOSE;
@ -134,80 +165,19 @@ char *argv[];
case 'T' :
r = &tcpd;
break;
case 'x' :
opts |= OPT_HEX;
break;
case 'X' :
r = &iptext;
break;
}
if (!rules) {
(void)fprintf(stderr,"no rule file present\n");
if (loaded == 0) {
(void)fprintf(stderr,"no rules loaded\n");
exit(-1);
}
nat_init();
fr_stateinit();
initparse();
fr_running = 1;
if (rules) {
char line[513], *s;
void *fr;
FILE *fp;
int linenum = 0;
if (!strcmp(rules, "-"))
fp = stdin;
else if (!(fp = fopen(rules, "r"))) {
(void)fprintf(stderr, "couldn't open %s\n", rules);
exit(-1);
}
if (!(opts & OPT_BRIEF))
(void)printf("opening rule file \"%s\"\n", rules);
while (fgets(line, sizeof(line)-1, fp)) {
linenum++;
/*
* treat both CR and LF as EOL
*/
if ((s = index(line, '\n')))
*s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
/*
* # is comment marker, everything after is a ignored
*/
if ((s = index(line, '#')))
*s = '\0';
if (!*line)
continue;
/* fake an `ioctl' call :) */
if ((opts & OPT_NAT) != 0) {
if (!(fr = natparse(line, linenum)))
continue;
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(ADNAT,%p,1) = %d\n",
fr, i);
} else {
if (!(fr = parse(line, linenum)))
continue;
i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(ADAFR,%p,1) = %d\n",
fr, i);
}
}
(void)fclose(fp);
}
if (opts & OPT_SAVEOUT)
init_ifp();
@ -222,13 +192,34 @@ char *argv[];
ip = (ip_t *)buf;
while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
&iface, &dir)) > 0) {
ifp = iface ? get_unit(iface, ip->ip_v) : NULL;
ip->ip_off = ntohs(ip->ip_off);
ip->ip_len = ntohs(ip->ip_len);
i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf);
if (iface == NULL || *iface == '\0')
iface = ifname;
ifp = get_unit(iface, ip->ip_v);
hlen = 0;
if (!use_inet6) {
ip->ip_off = ntohs(ip->ip_off);
ip->ip_len = ntohs(ip->ip_len);
hlen = ip->ip_hl << 2;
}
#ifdef USE_INET6
else
hlen = sizeof(ip6_t);
#endif
packet = (char *)buf;
/* ipfr_slowtimer(); */
i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet);
if ((opts & OPT_NAT) == 0)
switch (i)
{
case -5 :
(void)printf("block return-icmp-as-dest");
break;
case -4 :
(void)printf("block return-icmp");
break;
case -3 :
(void)printf("block return-rst");
break;
case -2 :
(void)printf("auth");
break;
@ -242,6 +233,10 @@ char *argv[];
(void)printf("nomatch");
break;
}
if (!use_inet6) {
ip->ip_off = htons(ip->ip_off);
ip->ip_len = htons(ip->ip_len);
}
if (!(opts & OPT_BRIEF)) {
putchar(' ');
@ -250,17 +245,232 @@ char *argv[];
} else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
printpacket((ip_t *)buf);
#ifndef linux
if (dir && ifp && ip->ip_v)
# ifdef __sgi
(*ifp->if_output)(ifp, (void *)buf, NULL);
if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL))
# if defined(__sgi) && (IRIX < 605)
(*ifp->if_output)(ifp, (void *)packet, NULL);
# else
(*ifp->if_output)(ifp, (void *)buf, NULL, 0);
(*ifp->if_output)(ifp, (void *)packet, NULL, 0);
# endif
#endif
if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
putchar('\n');
dir = 0;
if (iface != ifname) {
free(iface);
iface = ifname;
}
}
(*r->r_close)();
if (logout != NULL) {
drain_log(logout);
}
if (dump == 1) {
dumpnat();
dumpstate();
}
return 0;
}
/*
* Load in either NAT or ipf rules from a file, which is treated as stdin
* if the name is "-". NOTE, stdin can only be used once as the file is
* closed after use.
*/
int loadrules(file)
char *file;
{
char line[513], *s;
int linenum, i;
void *fr;
FILE *fp;
if (!strcmp(file, "-"))
fp = stdin;
else if (!(fp = fopen(file, "r"))) {
(void)fprintf(stderr, "couldn't open %s\n", file);
return (-1);
}
if (!(opts & OPT_BRIEF))
(void)printf("opening rule file \"%s\"\n", file);
linenum = 0;
while (fgets(line, sizeof(line) - 1, fp)) {
linenum++;
/*
* treat both CR and LF as EOL
*/
if ((s = index(line, '\n')))
*s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
/*
* # is comment marker, everything after is a ignored
*/
if ((s = index(line, '#')))
*s = '\0';
if (!*line)
continue;
/* fake an `ioctl' call :) */
if ((opts & OPT_NAT) != 0) {
if (!(fr = natparse(line, linenum)))
continue;
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
(caddr_t)&fr, FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n",
fr, i);
} else {
if (!(fr = parse(line, linenum)))
continue;
i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n",
fr, i);
}
}
(void)fclose(fp);
return 0;
}
int kmemcpy(addr, offset, size)
char *addr;
long offset;
int size;
{
bcopy((char *)offset, addr, size);
return 0;
}
/*
* Display the built up NAT table rules and mapping entries.
*/
void dumpnat()
{
ipnat_t *ipn;
nat_t *nat;
printf("List of active MAP/Redirect filters:\n");
for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
printf("\nList of active sessions:\n");
for (nat = nat_instances; nat; nat = nat->nat_next)
printactivenat(nat, opts);
}
/*
* Display the built up state table rules and mapping entries.
*/
void dumpstate()
{
ipstate_t *ips;
printf("List of active state sessions:\n");
for (ips = ips_list; ips != NULL; )
ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE));
}
/*
* Given a pointer to an interface in the kernel, return a pointer to a
* string which is the interface name.
*/
char *getifname(ptr)
void *ptr;
{
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
#else
char buf[32], *s;
int len;
#endif
struct ifnet netif;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
return "X";
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
return strdup(netif.if_xname);
#else
if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
return "X";
if (netif.if_unit < 10)
len = 2;
else if (netif.if_unit < 1000)
len = 3;
else if (netif.if_unit < 10000)
len = 4;
else
len = 5;
buf[sizeof(buf) - len] = '\0';
for (s = buf; *s && !isdigit(*s); s++)
;
if (isdigit(*s))
*s = '\0';
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
return strdup(buf);
#endif
}
void drain_log(filename)
char *filename;
{
char buffer[IPLLOGSIZE];
struct iovec iov;
struct uio uio;
size_t resid;
int fd;
fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
if (fd == -1) {
perror("drain_log:open");
return;
}
while (1) {
bzero((char *)&iov, sizeof(iov));
iov.iov_base = buffer;
iov.iov_len = sizeof(buffer);
bzero((char *)&uio, sizeof(uio));
uio.uio_iov = &iov;
uio.uio_iovcnt = 1;
uio.uio_resid = iov.iov_len;
resid = uio.uio_resid;
if (ipflog_read(0, &uio) == 0) {
/*
* If nothing was read then break out.
*/
if (uio.uio_resid == resid)
break;
write(fd, buffer, resid - uio.uio_resid);
} else
break;
}
close(fd);
}


@ -1,5 +1,5 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@ -8,13 +8,37 @@
* returns 0 on success, -1 on error.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#ifndef __sgi
#include <kvm.h>
#endif
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include "kmem.h"
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "ipf.h"
#ifndef __STDC__
# define const
@ -22,23 +46,68 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.3 2001/07/15 22:06:16 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $";
#endif
static int kmemfd = -1;
#ifndef __sgi
int openkmem(core)
char *core;
static kvm_t *kvm_f = NULL;
#else
typedef int kvm_t;
static kvm_t kvm_f = -1;
static char *kvm_errstr;
kvm_t kvm_open(kernel, core, swap, mode, errstr)
char *kernel, *core, *swap;
int mode;
char *errstr;
{
if (core == NULL)
core = KMEM;
kvm_t fd;
if ((kmemfd = open(core, O_RDONLY)) == -1)
kvm_errstr = errstr;
fd = open(core, mode);
return fd;
}
int kvm_read(kvm, pos, buffer, size)
kvm_t kvm;
u_long pos;
char *buffer;
size_t size;
{
int r, left;
char *bufp;
if (lseek(kvm, pos, 0) == -1) {
fprintf(stderr, "%s", kvm_errstr);
perror("lseek");
return -1;
}
for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
r = read(kvm, bufp, 1);
if (r <= 0)
return -1;
}
return 0;
}
#endif
int openkmem(kern, core)
char *kern, *core;
{
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
if (kvm_f == NULL)
{
perror("kmeminit:open");
perror("openkmem:open");
return -1;
}
return kmemfd;
return (int)kvm_f;
}
int kmemcpy(buf, pos, n)
@ -50,23 +119,22 @@ register int n;
if (!n)
return 0;
if (kmemfd == -1)
if (openkmem(NULL) == -1)
if (kvm_f == NULL)
if (openkmem(NULL, NULL) == -1)
return -1;
if (lseek(kmemfd, pos, 0) == -1)
{
perror("kmemcpy:lseek");
return -1;
}
while ((r = read(kmemfd, buf, n)) < n)
while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
perror("kmemcpy:read");
return -1;
}
else
{
buf += r;
pos += r;
n -= r;
}
return 0;
@ -81,19 +149,18 @@ register int n;
if (!n)
return 0;
if (kmemfd == -1)
if (openkmem(NULL) == -1)
if (kvm_f == NULL)
if (openkmem(NULL, NULL) == -1)
return -1;
if (lseek(kmemfd, pos, 0) == -1)
while (n > 0)
{
perror("kmemcpy:lseek");
return -1;
}
while (n > 0) {
r = read(kmemfd, buf, 1);
r = kvm_read(kvm_f, pos, buf, 1);
if (r <= 0)
{
perror("kmemcpy:read");
fprintf(stderr, "pos=0x%x ", (u_int)pos);
perror("kstrncpy:read");
return -1;
}
else
@ -101,8 +168,70 @@ register int n;
if (*buf == '\0')
break;
buf++;
pos++;
n--;
}
}
}
return 0;
}
/*
* Given a pointer to an interface in the kernel, return a pointer to a
* string which is the interface name.
*/
char *getifname(ptr)
void *ptr;
{
#if SOLARIS
char *ifname;
ill_t ill;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
return "X";
ifname = malloc(ill.ill_name_length + 1);
if (kmemcpy(ifname, (u_long)ill.ill_name,
ill.ill_name_length) == -1)
return "X";
return ifname;
#else
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
#else
char buf[32];
int len;
# endif
struct ifnet netif;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
return "X";
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
return strdup(netif.if_xname);
# else
if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
return "X";
if (netif.if_unit < 10)
len = 2;
else if (netif.if_unit < 1000)
len = 3;
else if (netif.if_unit < 10000)
len = 4;
else
len = 5;
buf[sizeof(buf) - len] = '\0';
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
return strdup(buf);
# endif
#endif
}
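Review bot: The `__sgi` replacement kvm_read() returns 0 on success, but the rewritten kmemcpy() loop `while ((r = kvm_read(kvm_f, pos, buf, n)) < n) if (r <= 0) ...` and the one-byte loop in kstrncpy() expect the byte count that kvm_read(3) returns, so on IRIX every successful copy is reported as a read failure; returning `size` on success (and the bytes actually copied on a short read) fixes it. The `kvm_f == NULL` tests in openkmem(), kmemcpy() and kstrncpy() also do not fit the `__sgi` typedef, where kvm_f starts at -1 and a failed open() yields -1 rather than 0, so the lazy open never triggers and open failures are not caught; each branch should compare against its own invalid value (NULL for the kvm(3) build, -1 for the `__sgi` build). `kvm_open(kern, core, NULL, O_RDONLY, "")` also drops the old `core = KMEM` default; the library kvm_open(3) accepts a NULL core, but the `__sgi` stub passes it straight to open(). In the Solaris branch of getifname() the malloc() result is unchecked and the copied name is only NUL-terminated if ill_name_length counts the terminator, which I cannot confirm from here; `ifname[ill.ill_name_length] = '\0';` after the kmemcpy would make it safe either way.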


@ -2,7 +2,7 @@
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: kmem.h,v 2.2.2.2 2001/06/26 10:43:19 darrenr Exp $
* $Id: kmem.h,v 2.2.2.4 2002/01/01 13:43:48 darrenr Exp $
*/
#ifndef __KMEM_H__
@ -15,9 +15,10 @@
# define __P(x) ()
# endif
#endif
extern int openkmem __P((char *));
extern int openkmem __P((char *, char *));
extern int kmemcpy __P((char *, long, int));
extern int kstrncpy __P((char *, long, int));
extern char *getifname __P((void *));
#if defined(__NetBSD__) || defined(__OpenBSD)
# include <paths.h>


@ -10,7 +10,7 @@ all:
install:
$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
$(INSTALL) -m 0644 -c -o root -g bin ipnat.1 $(MANDIR)/man1
$(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4


@ -52,6 +52,7 @@ Change the default directory used with
and
.B \-W
options for saving state information.
.TP
.B \-n
Don't actually take any action that would effect information stored in
the kernel or on disk.
@ -59,6 +60,11 @@ the kernel or on disk.
.B \-v
Provides a verbose description of what's being done.
.TP
.B \-i <ifname1>,<ifname2>
Change all instances of interface name ifname1 in the state save file to
ifname2. Useful if you're restoring state information after a hardware
reconfiguration or change.
.TP
.B \-N
Operate on NAT information.
.TP
@ -69,7 +75,7 @@ Operate on filtering state information.
Unlock state tables in the kernel.
.TP
.B \-l
Unlock state tables in the kernel.
Lock state tables in the kernel.
.TP
.B \-r
Read information in from the specified file and load it into the


@ -49,7 +49,7 @@ When reading from the \fBipl\fP device, it is necessary to call read(2) with
a buffer big enough to hold at least 1 complete log record - reading of partial
log records is not supported.
.PP
If the packet contents is more then 128 bytes when \fBlog body\fP is used,
If the packet contents are more than 128 bytes when \fBlog body\fP is used,
then only 128 bytes of the packet contents is logged.
.PP
Although it is only possible to read from the \fBipl\fP device, opening it


@ -10,10 +10,11 @@ ipmap :: = mapblock | redir | map .
map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
map ::= mapit ifname fromto "->" ipmask [ mapport ] .
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
rdrport ::= "port" portnum .
mapit ::= "map" | "bimap" .
fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
@ -199,6 +200,7 @@ own. As opposed to the above use of \fBmap\fP, if for some reason the user
of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
IP address with the \fBmap\fP command.
.SH FILES
/dev/ipnat
.br
/etc/services


@ -1,8 +1,11 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#if (SOLARIS2 >= 7)
# define _SYS_VARARGS_H
# define _VARARGS_H
@ -50,7 +53,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.7 2002/02/22 15:32:55 darrenr Exp $";
#endif
extern int opts;
@ -60,9 +63,38 @@ void printpacket(ip)
ip_t *ip;
{
tcphdr_t *tcp;
u_short len;
if (ip->ip_v == 4)
len = ntohs(ip->ip_len);
else if (ip->ip_v == 6)
len = ntohs(((u_short *)ip)[2]) + 40;
else
len = 0;
if ((opts & OPT_HEX) == OPT_HEX) {
u_char *s;
int i;
for (s = (u_char *)ip, i = 0; i < len; i++) {
printf("%02x", *s++ & 0xff);
if (len - i > 1) {
i++;
printf("%02x", *s++ & 0xff);
}
putchar(' ');
}
putchar('\n');
return;
}
if (ip->ip_v == 6) {
printpacket6(ip);
return;
}
tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
printf("ip %d(%d) %d", ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p);
if (ip->ip_off & IP_OFFMASK)
printf(" @%d", ip->ip_off << 3);
(void)printf(" %s", inet_ntoa(ip->ip_src));
@ -78,6 +110,48 @@ ip_t *ip;
}
/*
* This is meant to work without the IPv6 header files being present or
* the inet_ntop() library.
*/
void printpacket6(ip)
ip_t *ip;
{
u_char *buf, p, hops;
u_short plen, *addrs;
tcphdr_t *tcp;
u_32_t flow;
buf = (u_char *)ip;
tcp = (tcphdr_t *)(buf + 40);
p = buf[6];
hops = buf[7];
flow = ntohl(*(u_32_t *)buf);
flow &= 0xfffff;
plen = ntohs(*((u_short *)buf +2));
addrs = (u_short *)buf + 4;
printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_sport));
printf(" >");
addrs += 8;
printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_dport));
putchar('\n');
}
#if defined(__STDC__)
void verbose(char *fmt, ...)
#else


@ -117,8 +117,12 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RW,
&fr_tcpclosed, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RW,
&fr_udptimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RW,
&fr_udpacktimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RW,
&fr_icmptimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmpacktimeout, CTLFLAG_RW,
&fr_icmpacktimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RW,
&fr_defnatage, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,


@ -62,7 +62,12 @@ static __psunsigned_t ipfk_code[4];
typedef struct nif {
struct nif *nf_next;
struct ifnet *nf_ifp;
#if IRIX < 605
int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *);
#else
int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
struct rtentry *);
#endif
char nf_name[IFNAMSIZ];
int nf_unit;
} nif_t;
@ -74,7 +79,12 @@ extern int in_interfaces;
extern ipnat_t *nat_list;
static int
#if IRIX < 605
ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
#else
ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
struct rtentry *rt)
#endif
{
nif_t *nif;
@ -112,19 +122,19 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
#if IPFDEBUG >= 4
if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
return (*nif->nf_output)(ifp, m, dst);
goto done;
}
#endif
if (m->m_len < sizeof(char)) {
printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
return (*nif->nf_output)(ifp, m, dst);
goto done;
}
ip = mtod(m, struct ip *);
if (ip->ip_v != IPVERSION) {
#if IPFDEBUG >= 4
printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
#endif
return (*nif->nf_output)(ifp, m, dst);
goto done;
}
hlen = ip->ip_hl << 2;
@ -142,7 +152,12 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
break;
}
}
done:
#if IRIX < 605
return (*nif->nf_output)(ifp, m, dst);
#else
return (*nif->nf_output)(ifp, m, dst, rt);
#endif
}
int
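Review bot: The new `done:` label turns the three early-exit paths into jumps to a single `nf_output` call, but nothing at the label says that every path, diagnostic or not, still hands the mbuf to the interface's saved output routine; a comment such as `/* All exits, including the ones that only log, pass the mbuf on via the original nf_output. */` above `done:` would make that explicit. The lookup that sets `nif` and the loop before `done:` are outside these hunks, so whether `nif` can be NULL when the label is reached cannot be checked from here.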


@ -235,7 +235,7 @@ static int ipl_load()
*/
(void)ipl_remove();
error = iplattach();
error = ipl_enable();
if (error)
return error;


@ -1,8 +1,11 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@ -39,8 +42,9 @@
#include <ctype.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "ipf.h"
#if defined(sun) && !SOLARIS2
@ -52,7 +56,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $";
#endif
@ -60,191 +64,15 @@ static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09
#define bzero(a,b) memset(a,0,b)
#endif
extern void printnat __P((ipnat_t *, int));
extern int countbits __P((u_32_t));
extern char *proto;
ipnat_t *natparse __P((char *, int));
void printnat __P((ipnat_t *, int, void *));
void natparsefile __P((int, char *, int));
void nat_setgroupmap __P((struct ipnat *));
void printnat(np, opts, ptr)
ipnat_t *np;
int opts;
void *ptr;
{
struct protoent *pr;
struct servent *sv;
int bits;
switch (np->in_redir)
{
case NAT_REDIRECT :
printf("rdr");
break;
case NAT_MAP :
printf("map");
break;
case NAT_MAPBLK :
printf("map-block");
break;
case NAT_BIMAP :
printf("bimap");
break;
default :
fprintf(stderr, "unknown value for in_redir: %#x\n",
np->in_redir);
break;
}
printf(" %s ", np->in_ifname);
if (np->in_flags & IPN_FILTER) {
if (np->in_flags & IPN_NOTSRC)
printf("! ");
printf("from ");
if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
if (np->in_scmp)
printportcmp(np->in_p, &np->in_tuc.ftu_src);
} else {
printhostmask(4, (u_32_t *)&np->in_inip,
(u_32_t *)&np->in_inmsk);
if (np->in_dcmp)
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
}
if (np->in_flags & IPN_NOTDST)
printf(" !");
printf(" to ");
if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_outip,
(u_32_t *)&np->in_outmsk);
if (np->in_dcmp)
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
} else {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
if (np->in_scmp)
printportcmp(np->in_p, &np->in_tuc.ftu_src);
}
}
if (np->in_redir == NAT_REDIRECT) {
if (!(np->in_flags & IPN_FILTER)) {
printf("%s", inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("/%d ", bits);
else
printf("/%s ", inet_ntoa(np->in_out[1]));
if (np->in_pmin)
printf("port %d", ntohs(np->in_pmin));
if (np->in_pmax != np->in_pmin)
printf("- %d", ntohs(np->in_pmax));
}
printf(" -> %s", inet_ntoa(np->in_in[0]));
if (np->in_flags & IPN_SPLIT)
printf(",%s", inet_ntoa(np->in_in[1]));
if (np->in_pnext)
printf(" port %d", ntohs(np->in_pnext));
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if ((np->in_flags & IPN_TCP) == IPN_TCP)
printf(" tcp");
else if ((np->in_flags & IPN_UDP) == IPN_UDP)
printf(" udp");
if (np->in_flags & IPN_ROUNDR)
printf(" round-robin");
if (np->in_flags & IPN_FRAG)
printf(" frag");
printf("\n");
if (opts & OPT_DEBUG)
printf("\t%p %lu %#x %u %p %d\n", np->in_ifp,
np->in_space, np->in_flags, np->in_pmax, np,
np->in_use);
} else {
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
if (!(np->in_flags & IPN_FILTER)) {
printf("%s/", inet_ntoa(np->in_in[0]));
bits = countbits(np->in_in[1].s_addr);
if (bits != -1)
printf("%d ", bits);
else
printf("%s", inet_ntoa(np->in_in[1]));
}
printf(" -> ");
if (np->in_flags & IPN_IPRANGE) {
printf("range %s-", inet_ntoa(np->in_out[0]));
printf("%s", inet_ntoa(np->in_out[1]));
} else {
printf("%s/", inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("%d ", bits);
else
printf("%s", inet_ntoa(np->in_out[1]));
}
if (*np->in_plabel) {
pr = getprotobynumber(np->in_p);
printf(" proxy port");
if (np->in_dport != 0) {
if (pr != NULL)
sv = getservbyport(np->in_dport,
pr->p_name);
else
sv = getservbyport(np->in_dport, NULL);
if (sv != NULL)
printf(" %s", sv->s_name);
else
printf(" %hu", ntohs(np->in_dport));
}
printf(" %.*s/", (int)sizeof(np->in_plabel),
np->in_plabel);
if (pr != NULL)
fputs(pr->p_name, stdout);
else
printf("%d", np->in_p);
} else if (np->in_redir == NAT_MAPBLK) {
printf(" ports %d", np->in_pmin);
if (opts & OPT_VERBOSE)
printf("\n\tip modulous %d", np->in_pmax);
} else if (np->in_pmin || np->in_pmax) {
printf(" portmap");
if (np->in_flags & IPN_AUTOPORTMAP) {
printf(" auto");
if (opts & OPT_DEBUG)
printf(" [%d:%d %d %d]",
ntohs(np->in_pmin),
ntohs(np->in_pmax),
np->in_ippip, np->in_ppip);
} else {
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if (np->in_flags & IPN_TCP)
printf(" tcp");
else if (np->in_flags & IPN_UDP)
printf(" udp");
printf(" %d:%d", ntohs(np->in_pmin),
ntohs(np->in_pmax));
}
}
if (np->in_flags & IPN_FRAG)
printf(" frag");
printf("\n");
if (opts & OPT_DEBUG) {
printf("\tifp %p space %lu nextip %s pnext %d",
np->in_ifp, np->in_space,
inet_ntoa(np->in_nextip), np->in_pnext);
printf(" flags %x use %u\n",
np->in_flags, np->in_use);
}
}
}
void nat_setgroupmap(n)
ipnat_t *n;
{
@ -268,7 +96,9 @@ ipnat_t *n;
}
/*
* Parse a line of input from the ipnat configuration file
*/
ipnat_t *natparse(line, linenum)
char *line;
int linenum;
@ -278,9 +108,13 @@ int linenum;
char *dnetm = NULL, *dport = NULL;
char *s, *t, *cps[31], **cpp;
int i, cnt;
char *port1a = NULL, *port1b = NULL, *port2a = NULL;
proto = NULL;
/*
* Search for end of line and comment marker, advance of leading spaces
*/
if ((s = strchr(line, '\n')))
*s = '\0';
if ((s = strchr(line, '#')))
@ -293,6 +127,9 @@ int linenum;
bzero((char *)&ipn, sizeof(ipn));
cnt = 0;
/*
* split line upto into segments.
*/
for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
cps[++i] = strtok(NULL, " \b\t\r\n");
@ -305,6 +142,9 @@ int linenum;
cpp = cps;
/*
* Check first word is a recognised keyword and then is the interface
*/
if (!strcasecmp(*cpp, "map"))
ipn.in_redir = NAT_MAP;
else if (!strcasecmp(*cpp, "map-block"))
@ -325,6 +165,10 @@ int linenum;
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
cpp++;
/*
* If the first word after the interface is "from" or is a ! then
* the expanded syntax is being used so parse it differently.
*/
if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
if (!strcmp(*cpp, "!")) {
cpp++;
@ -349,19 +193,17 @@ int linenum;
ipn.in_flags |= IPN_FILTER;
cpp++;
if (ipn.in_redir == NAT_REDIRECT) {
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk,
&ipn.in_sport, &ipn.in_scmp,
&ipn.in_stop, linenum)) {
return NULL;
}
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
&ipn.in_scmp, &ipn.in_stop, linenum)) {
return NULL;
}
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
(u_32_t *)&ipn.in_inmsk,
&ipn.in_sport, &ipn.in_scmp,
&ipn.in_stop, linenum)) {
return NULL;
}
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
(u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
&ipn.in_scmp, &ipn.in_stop, linenum)) {
return NULL;
}
}
if (!strcmp(*cpp, "!")) {
@ -388,28 +230,30 @@ int linenum;
return NULL;
}
if (ipn.in_redir == NAT_REDIRECT) {
if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
(u_32_t *)&ipn.in_outmsk,
&ipn.in_dport, &ipn.in_dcmp,
&ipn.in_dtop, linenum)) {
return NULL;
}
ipn.in_pmin = htons(ipn.in_dport);
if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
(u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
&ipn.in_dcmp, &ipn.in_dtop, linenum)) {
return NULL;
}
ipn.in_pmin = htons(ipn.in_dport);
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk,
&ipn.in_dport, &ipn.in_dcmp,
&ipn.in_dtop, linenum)) {
return NULL;
}
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
&ipn.in_dcmp, &ipn.in_dtop, linenum)) {
return NULL;
}
}
} else {
s = *cpp;
if (!s)
if (!s) {
fprintf(stderr, "%d: short line\n", linenum);
return NULL;
}
t = strchr(s, '/');
if (!t)
if (!t) {
fprintf(stderr, "%d: no netmask on LHS\n", linenum);
return NULL;
}
*t++ = '\0';
if (ipn.in_redir == NAT_REDIRECT) {
if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
@ -425,10 +269,16 @@ int linenum;
}
}
cpp++;
if (!*cpp)
if (!*cpp) {
fprintf(stderr, "%d: short line\n", linenum);
return NULL;
}
}
/*
* If it is a standard redirect then we expect it to have a port
* match after the hostmask.
*/
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
if (strcasecmp(*cpp, "port")) {
fprintf(stderr, "%d: missing fields - 1st port\n",
@ -450,24 +300,23 @@ int linenum;
else
s = NULL;
if (!portnum(*cpp, &ipn.in_pmin, linenum))
return NULL;
ipn.in_pmin = htons(ipn.in_pmin);
cpp++;
port1a = *cpp++;
if (!strcmp(*cpp, "-")) {
cpp++;
s = *cpp++;
}
if (s) {
if (!portnum(s, &ipn.in_pmax, linenum))
return NULL;
ipn.in_pmax = htons(ipn.in_pmax);
} else
if (s)
port1b = s;
else
ipn.in_pmax = ipn.in_pmin;
}
/*
* In the middle of the NAT rule syntax is -> to indicate the
* direction of translation.
*/
if (!*cpp) {
fprintf(stderr, "%d: missing fields (->)\n", linenum);
return NULL;
@ -537,6 +386,8 @@ int linenum;
if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
return NULL;
} else {
if (!strcmp(*cpp, ipn.in_ifname))
*cpp = "0";
if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
return NULL;
}
@ -556,11 +407,18 @@ int linenum;
} else
ipn.in_pmin = 0;
} else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
if (!*cpp || strrchr(*cpp, '/') != NULL) {
if (*cpp && (strrchr(*cpp, '/') != NULL)) {
fprintf(stderr, "%d: No netmask supported in %s\n",
linenum, "destination host for redirect");
return NULL;
}
if (!*cpp) {
fprintf(stderr, "%d: Missing destination port %s\n",
linenum, "in redirect");
return NULL;
}
/* If it's a in_redir, expect target port */
if (strcasecmp(*cpp, "port")) {
@ -575,10 +433,8 @@ int linenum;
linenum);
return NULL;
}
if (!portnum(*cpp, &ipn.in_pnext, linenum))
return NULL;
ipn.in_pnext = htons(ipn.in_pnext);
cpp++;
port2a = *cpp++;
}
if (dnetm && *dnetm == '/')
*dnetm++ = '\0';
@ -601,25 +457,32 @@ int linenum;
ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
proto = "tcp";
} else {
if (!strcasecmp(*cpp, "tcp"))
proto = *cpp++;
if (!strcasecmp(proto, "tcp"))
ipn.in_flags |= IPN_TCP;
else if (!strcasecmp(*cpp, "udp"))
else if (!strcasecmp(proto, "udp"))
ipn.in_flags |= IPN_UDP;
else if (!strcasecmp(*cpp, "tcp/udp"))
else if (!strcasecmp(proto, "tcp/udp"))
ipn.in_flags |= IPN_TCPUDP;
else if (!strcasecmp(*cpp, "tcpudp"))
else if (!strcasecmp(proto, "tcpudp")) {
ipn.in_flags |= IPN_TCPUDP;
else if (!strcasecmp(*cpp, "ip"))
proto = "tcp/udp";
} else if (!strcasecmp(proto, "ip"))
ipn.in_flags |= IPN_ANY;
else {
ipn.in_flags |= IPN_ANY;
if ((pr = getprotobyname(*cpp)))
if ((pr = getprotobyname(proto)))
ipn.in_p = pr->p_proto;
else
ipn.in_p = atoi(*cpp);
else {
if (!isdigit(*proto)) {
fprintf(stderr,
"%d: Unknown protocol %s\n",
linenum, proto);
return NULL;
} else
ipn.in_p = atoi(proto);
}
}
proto = *cpp;
cpp++;
if (*cpp && !strcasecmp(*cpp, "round-robin")) {
cpp++;
@ -631,15 +494,51 @@ int linenum;
ipn.in_flags |= IPN_FRAG;
}
if (*cpp && !strcasecmp(*cpp, "age")) {
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: age with no parameters\n",
linenum);
return NULL;
}
ipn.in_age[0] = atoi(*cpp);
s = index(*cpp, '/');
if (s != NULL)
ipn.in_age[1] = atoi(s + 1);
else
ipn.in_age[1] = ipn.in_age[0];
cpp++;
}
if (*cpp) {
fprintf(stderr,
"%d: extra junk at the end of rdr: %s\n",
"%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
return NULL;
}
}
}
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
if (!portnum(port1a, &ipn.in_pmin, linenum))
return NULL;
ipn.in_pmin = htons(ipn.in_pmin);
if (port1b != NULL) {
if (!portnum(port1b, &ipn.in_pmax, linenum))
return NULL;
ipn.in_pmax = htons(ipn.in_pmax);
} else
ipn.in_pmax = ipn.in_pmin;
}
if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
if (!portnum(port2a, &ipn.in_pnext, linenum))
return NULL;
ipn.in_pnext = htons(ipn.in_pnext);
}
if (!(ipn.in_flags & IPN_SPLIT))
ipn.in_inip &= ipn.in_inmsk;
if ((ipn.in_flags & IPN_IPRANGE) == 0)
@ -665,6 +564,11 @@ int linenum;
}
if (!strcasecmp(*cpp, "proxy")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use proxy with bimap\n",
linenum);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr,
@ -720,63 +624,85 @@ int linenum;
linenum);
return NULL;
}
return &ipn;
} else if (!strcasecmp(*cpp, "portmap")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use portmap with bimap\n",
linenum);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing expression following portmap\n",
linenum);
return NULL;
}
if (!strcasecmp(*cpp, "tcp"))
ipn.in_flags |= IPN_TCP;
else if (!strcasecmp(*cpp, "udp"))
ipn.in_flags |= IPN_UDP;
else if (!strcasecmp(*cpp, "tcpudp"))
ipn.in_flags |= IPN_TCPUDP;
else if (!strcasecmp(*cpp, "tcp/udp"))
ipn.in_flags |= IPN_TCPUDP;
else {
fprintf(stderr,
"%d: expected protocol name - got \"%s\"\n",
linenum, *cpp);
return NULL;
}
proto = *cpp;
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: no port range found\n", linenum);
return NULL;
}
if (!strcasecmp(*cpp, "auto")) {
ipn.in_flags |= IPN_AUTOPORTMAP;
ipn.in_pmin = htons(1024);
ipn.in_pmax = htons(65535);
nat_setgroupmap(&ipn);
cpp++;
} else {
if (!(t = strchr(*cpp, ':'))) {
fprintf(stderr,
"%d: no port range in \"%s\"\n",
linenum, *cpp);
return NULL;
}
*t++ = '\0';
if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
!portnum(t, &ipn.in_pmax, linenum))
return NULL;
ipn.in_pmin = htons(ipn.in_pmin);
ipn.in_pmax = htons(ipn.in_pmax);
cpp++;
}
}
if (strcasecmp(*cpp, "portmap")) {
fprintf(stderr,
"%d: expected \"portmap\" - got \"%s\"\n", linenum,
*cpp);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: missing expression following portmap\n",
linenum);
return NULL;
if (*cpp && !strcasecmp(*cpp, "age")) {
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: age with no parameters\n",
linenum);
return NULL;
}
s = index(*cpp, '/');
if (s != NULL)
ipn.in_age[1] = atoi(s + 1);
else
ipn.in_age[1] = ipn.in_age[0];
cpp++;
}
if (!strcasecmp(*cpp, "tcp"))
ipn.in_flags |= IPN_TCP;
else if (!strcasecmp(*cpp, "udp"))
ipn.in_flags |= IPN_UDP;
else if (!strcasecmp(*cpp, "tcpudp"))
ipn.in_flags |= IPN_TCPUDP;
else if (!strcasecmp(*cpp, "tcp/udp"))
ipn.in_flags |= IPN_TCPUDP;
else {
fprintf(stderr,
"%d: expected protocol name - got \"%s\"\n",
if (*cpp) {
fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
return NULL;
}
proto = *cpp;
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: no port range found\n", linenum);
return NULL;
}
if (!strcasecmp(*cpp, "auto")) {
ipn.in_flags |= IPN_AUTOPORTMAP;
ipn.in_pmin = htons(1024);
ipn.in_pmax = htons(65535);
nat_setgroupmap(&ipn);
return &ipn;
}
if (!(t = strchr(*cpp, ':'))) {
fprintf(stderr, "%d: no port range in \"%s\"\n",
linenum, *cpp);
return NULL;
}
*t++ = '\0';
if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
!portnum(t, &ipn.in_pmax, linenum))
return NULL;
ipn.in_pmin = htons(ipn.in_pmin);
ipn.in_pmax = htons(ipn.in_pmax);
return &ipn;
}
@ -812,7 +738,7 @@ int opts;
linenum, line);
} else {
if ((opts & OPT_VERBOSE) && np)
printnat(np, opts, NULL);
printnat(np, opts);
if (!(opts & OPT_NODO)) {
if (!(opts & OPT_REMOVE)) {
if (ioctl(fd, SIOCADNAT, &np) == -1) {
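Review bot: In the `age` handling that follows the `portmap` block (hunk `@ -720,63 +624,85 @@`), `ipn.in_age[0]` is never assigned: after `s = index(*cpp, '/')` the code sets `in_age[1]` from the text after the slash or from `in_age[0]`, which still holds the zero from the `bzero()` of `ipn`, so a rule ending in `portmap tcp 40000:60000 age 30` (constructed example) silently loses its first timeout. The earlier `age` branch in hunk `@ -631,15 +494,51 @@` does `ipn.in_age[0] = atoi(*cpp);` before the `index()` call; the same line belongs before `s = index(*cpp, '/');` here. Both branches also accept non-numeric text via `atoi()` without a diagnostic, which a `portnum()`-style check would report. natparse's body continues outside the hunks.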


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@ -25,7 +28,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.2 2002/02/22 15:32:56 darrenr Exp $";
#endif
extern int opts;


@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@ -44,9 +47,7 @@ static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 da
extern struct ipopt_names ionames[], secclass[];
extern int opts;
#ifdef USE_INET6
extern int use_inet6;
#endif
int addicmp __P((char ***, struct frentry *, int));
int extras __P((char ***, struct frentry *, int));
@ -57,6 +58,7 @@ void print_toif __P((char *, frdest_t *));
void optprint __P((u_short *, u_long, u_long));
int loglevel __P((char **, u_int *, int));
void printlog __P((frentry_t *));
void printifname __P((char *, char *, void *));
extern char *proto;
extern char flagset[];
@ -72,8 +74,8 @@ char *line;
int linenum;
{
static struct frentry fil;
char *cps[31], **cpp, *endptr, *s;
struct protoent *p = NULL;
char *cps[31], **cpp, *endptr;
int i, cnt = 1, j, ch;
u_int k;
@ -84,11 +86,7 @@ int linenum;
bzero((char *)&fil, sizeof(fil));
fil.fr_mip.fi_v = 0xf;
#ifdef USE_INET6
fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
#else
fil.fr_ip.fi_v = 4;
#endif
fil.fr_loglevel = 0xffff;
/*
@ -106,10 +104,18 @@ int linenum;
}
cpp = cps;
/*
* The presence of an '@' followed by a number gives the position in
* the current rule list to insert this one.
*/
if (**cpp == '@')
fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
/*
* Check the first keyword in the rule and any options that are
* expected to follow it.
*/
if (!strcasecmp("block", *cpp)) {
fil.fr_flags |= FR_BLOCK;
if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
@ -149,6 +155,8 @@ int linenum;
fil.fr_flags |= FR_ACCOUNT;
} else if (!strcasecmp("pass", *cpp)) {
fil.fr_flags |= FR_PASS;
} else if (!strcasecmp("nomatch", *cpp)) {
fil.fr_flags |= FR_NOMATCH;
} else if (!strcasecmp("auth", *cpp)) {
fil.fr_flags |= FR_AUTH;
} else if (!strcasecmp("preauth", *cpp)) {
@ -194,6 +202,10 @@ int linenum;
return NULL;
}
/*
* Get the direction for filtering. Impose restrictions on direction
* if blocking with returning ICMP or an RST has been requested.
*/
if (!strcasecmp("in", *cpp))
fil.fr_flags |= FR_INQUE;
else if (!strcasecmp("out", *cpp)) {
@ -252,19 +264,39 @@ int linenum;
}
if (*cpp && !strcasecmp("quick", *cpp)) {
if (fil.fr_skip != 0) {
fprintf(stderr, "%d: cannot use skip with quick\n",
linenum);
return NULL;
}
cpp++;
fil.fr_flags |= FR_QUICK;
}
/*
* Parse rule options that are available if a rule is tied to an
* interface.
*/
*fil.fr_ifname = '\0';
*fil.fr_oifname = '\0';
if (*cpp && !strcasecmp(*cpp, "on")) {
if (!*++cpp) {
fprintf(stderr, "%d: interface name missing\n",
linenum);
return NULL;
}
(void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
fil.fr_ifname[IFNAMSIZ-1] = '\0';
s = index(*cpp, ',');
if (s != NULL) {
*s++ = '\0';
(void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
} else
strcpy(fil.fr_ifnames[1], "*");
(void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
cpp++;
if (!*cpp) {
if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
@ -299,6 +331,33 @@ int linenum;
cpp++;
}
}
/*
* Set the "other" interface name. Lets you specify both
* inbound and outbound interfaces for state rules. Do not
* prevent both interfaces from being the same.
*/
strcpy(fil.fr_ifnames[3], "*");
if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
((((fil.fr_flags & FR_INQUE) != 0) &&
(strcasecmp(*cpp, "out-via") == 0)) ||
(((fil.fr_flags & FR_OUTQUE) != 0) &&
(strcasecmp(*cpp, "in-via") == 0)))) {
cpp++;
s = index(*cpp, ',');
if (s != NULL) {
*s++ = '\0';
(void)strncpy(fil.fr_ifnames[3], s,
IFNAMSIZ - 1);
fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
}
(void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
cpp++;
} else
strcpy(fil.fr_ifnames[2], "*");
}
if (*cpp && !strcasecmp(*cpp, "tos")) {
if (!*++cpp) {
@ -340,6 +399,10 @@ int linenum;
if (!strcasecmp(proto, "tcp/udp")) {
fil.fr_ip.fi_fl |= FI_TCPUDP;
fil.fr_mip.fi_fl |= FI_TCPUDP;
} else if (use_inet6 && !strcasecmp(proto, "icmp")) {
fprintf(stderr,
"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
linenum);
} else {
if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
fprintf(stderr,
@ -411,6 +474,15 @@ int linenum;
return NULL;
}
if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
(fil.fr_proto != IPPROTO_UDP) &&
!(fil.fr_ip.fi_fl & FI_TCPUDP)) {
fprintf(stderr,
"%d: cannot use port and neither tcp or udp\n",
linenum);
return NULL;
}
fil.fr_scmp = ch;
if (!*cpp) {
fprintf(stderr, "%d: missing to fields\n", linenum);
@ -447,6 +519,15 @@ int linenum;
&fil.fr_dtop, linenum)) {
return NULL;
}
if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
(fil.fr_proto != IPPROTO_UDP) &&
!(fil.fr_ip.fi_fl & FI_TCPUDP)) {
fprintf(stderr,
"%d: cannot use port and neither tcp or udp\n",
linenum);
return NULL;
}
fil.fr_dcmp = ch;
}
@ -489,7 +570,8 @@ int linenum;
* icmp types for use with the icmp protocol
*/
if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
if (fil.fr_proto != IPPROTO_ICMP) {
if (fil.fr_proto != IPPROTO_ICMP &&
fil.fr_proto != IPPROTO_ICMPV6) {
fprintf(stderr,
"%d: icmp with wrong protocol (%d)\n",
linenum, fil.fr_proto);
@ -508,10 +590,28 @@ int linenum;
if (addkeep(&cpp, &fil, linenum))
return NULL;
/*
* This is here to enforce the old interface binding behaviour.
* That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
*/
if (fil.fr_flags & FR_KEEPSTATE) {
if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
sizeof(fil.fr_ifnames[3]));
strncpy(fil.fr_ifnames[2], "*",
sizeof(fil.fr_ifnames[3]));
}
}
/*
* head of a new group ?
*/
if (*cpp && !strcasecmp(*cpp, "head")) {
if (fil.fr_skip != 0) {
fprintf(stderr, "%d: cannot use skip with head\n",
linenum);
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: head without group #\n", linenum);
return NULL;
@ -658,6 +758,15 @@ frdest_t *fdp;
{
printf("%s %s%s", tag, fdp->fd_ifname,
(fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
#ifdef USE_INET6
if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
char ipv6addr[80];
inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
sizeof(fdp->fd_ip6));
printf(":%s", ipv6addr);
} else
#endif
if (fdp->fd_ip.s_addr)
printf(":%s", inet_ntoa(fdp->fd_ip));
putchar(' ');
@ -685,9 +794,9 @@ int linenum;
return -1;
while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
!strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) ||
!strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) ||
!strncasecmp(**cp, "short", 5))) {
!strcasecmp(**cp, "not") || !strncasecmp(**cp, "opt", 3) ||
!strncasecmp(**cp, "frag", 4) || !strcasecmp(**cp, "no") ||
!strcasecmp(**cp, "short"))) {
if (***cp == 'n' || ***cp == 'N') {
notopt = 1;
(*cp)++;
@ -899,10 +1008,10 @@ char *icmptypes[] = {
/*
* set the icmp field to the correct type if "icmp" word is found
*/
int addicmp(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
int addicmp(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
{
char **t;
int i;
@ -910,8 +1019,7 @@ int linenum;
(*cp)++;
if (!**cp)
return -1;
if (!fp->fr_proto) /* to catch lusers */
fp->fr_proto = IPPROTO_ICMP;
if (isdigit(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
@ -919,6 +1027,10 @@ int linenum;
linenum, **cp);
return -1;
}
} else if (fp->fr_proto == IPPROTO_ICMPV6) {
fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
linenum, **cp, "(use numeric value instead\n");
return -1;
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
@ -973,10 +1085,10 @@ int linenum;
#define MAX_ICMPCODE 15
char *icmpcodes[] = {
"net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
"net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
NULL };
"net-unr", "host-unr", "proto-unr", "port-unr", "needfrag",
"srcfail", "net-unk", "host-unk", "isolate", "net-prohib",
"host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced",
"preced-cutoff", NULL };
/*
* Return the number for the associated ICMP unreachable code.
*/
@ -1006,47 +1118,73 @@ char *str;
/*
* set the icmp field to the correct type if "icmp" word is found
*/
int addkeep(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
int addkeep(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
{
if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
#ifdef USE_INET6
fp->fr_proto != IPPROTO_ICMPV6 &&
#endif
fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
char *s;
(*cp)++;
if (!**cp) {
fprintf(stderr, "%d: Missing keyword after keep\n",
linenum);
return -1;
}
(*cp)++;
if (!**cp) {
fprintf(stderr, "%d: Missing state/frag after keep\n",
linenum);
return -1;
}
if (strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
if (strcasecmp(**cp, "state") == 0)
fp->fr_flags |= FR_KEEPSTATE;
else if (strncasecmp(**cp, "frag", 4) == 0)
fp->fr_flags |= FR_KEEPFRAG;
else if (strcasecmp(**cp, "state-age") == 0) {
if (fp->fr_ip.fi_p == IPPROTO_TCP) {
fprintf(stderr, "%d: cannot use state-age with tcp\n",
linenum);
return -1;
}
if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
fprintf(stderr, "%d: state-age with no 'keep state'\n",
linenum);
return -1;
}
(*cp)++;
if (!**cp) {
fprintf(stderr, "%d: state-age with no arg\n",
linenum);
return -1;
}
fp->fr_age[0] = atoi(**cp);
s = index(**cp, '/');
if (s != NULL) {
s++;
fp->fr_age[1] = atoi(s);
} else
fp->fr_age[1] = fp->fr_age[0];
} else {
fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
linenum, **cp);
return -1;
}
if (***cp == 's' || ***cp == 'S')
fp->fr_flags |= FR_KEEPSTATE;
else if (***cp == 'f' || ***cp == 'F')
fp->fr_flags |= FR_KEEPFRAG;
(*cp)++;
return 0;
}
void printifname(format, name, ifp)
char *format, *name;
void *ifp;
{
printf("%s%s", format, name);
if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
printf("(!)");
}
/*
* print the filter structure in a useful way
*/
void printfr(fp)
struct frentry *fp;
void printfr(fp)
struct frentry *fp;
{
struct protoent *p;
u_short sec[2];
@ -1056,6 +1194,8 @@ struct frentry *fp;
if (fp->fr_flags & FR_PASS)
printf("pass");
if (fp->fr_flags & FR_NOMATCH)
printf("nomatch");
else if (fp->fr_flags & FR_BLOCK) {
printf("block");
if (fp->fr_flags & FR_RETICMP) {
@ -1098,8 +1238,11 @@ struct frentry *fp;
printf("quick ");
if (*fp->fr_ifname) {
printf("on %s%s ", fp->fr_ifname,
(fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
printifname("on ", fp->fr_ifname, fp->fr_ifa);
if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
putchar(' ');
if (*fp->fr_dif.fd_ifname)
print_toif("dup-to", &fp->fr_dif);
if (*fp->fr_tif.fd_ifname)
@ -1107,7 +1250,26 @@ struct frentry *fp;
if (fp->fr_flags & FR_FASTROUTE)
printf("fastroute ");
if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
(*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
if (fp->fr_flags & FR_OUTQUE)
printf("in-via ");
else
printf("out-via ");
if (*fp->fr_ifnames[2]) {
printifname("", fp->fr_ifnames[2],
fp->fr_ifas[2]);
putchar(',');
}
if (*fp->fr_ifnames[3])
printifname("", fp->fr_ifnames[3],
fp->fr_ifas[3]);
putchar(' ');
}
}
if (fp->fr_mip.fi_tos)
printf("tos %#x ", fp->fr_tos);
if (fp->fr_mip.fi_ttl)
@ -1161,7 +1323,7 @@ struct frentry *fp;
printf(" frag");
}
}
if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0) {
int type = fp->fr_icmp, code;
type = ntohs(fp->fr_icmp);
@ -1175,6 +1337,16 @@ struct frentry *fp;
if (ntohs(fp->fr_icmpm) & 0xff)
printf(" code %d", code);
}
if (fp->fr_proto == IPPROTO_ICMPV6 && fp->fr_icmpm != 0) {
int type = fp->fr_icmp, code;
type = ntohs(fp->fr_icmp);
code = type & 0xff;
type /= 256;
printf(" icmp-type %d", type);
if (ntohs(fp->fr_icmpm) & 0xff)
printf(" code %d", code);
}
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
printf(" flags ");
if (fp->fr_tcpf & ~TCPF_ALL)
@ -1198,6 +1370,8 @@ struct frentry *fp;
printf(" keep state");
if (fp->fr_flags & FR_KEEPFRAG)
printf(" keep frags");
if (fp->fr_age[0] != 0 || fp->fr_age[1]!= 0)
printf(" state-age %u/%u", fp->fr_age[0], fp->fr_age[1]);
if (fp->fr_grhead)
printf(" head %d", fp->fr_grhead);
if (fp->fr_group)
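Review bot: The new `else if (use_inet6 && !strcasecmp(proto, "icmp"))` branch (hunk `@ -340,6 +399,10 @@`) prints its diagnostic but, unlike the other error paths in this function, does not `return NULL` and does not set `fil.fr_proto`, so parsing continues and the rule is still handed back to the caller; add `return NULL;` after the `fprintf()` or drop the message. In hunk `@ -508,10 +590,28 @@` the `!*fil.fr_ifnames[3]` test appears unreachable once `on` was given, because the `on` block (hunk `@ -299,6 +331,33 @@`) unconditionally does `strcpy(fil.fr_ifnames[3], "*")` before looking for `in-via`/`out-via`; testing `strcmp(fil.fr_ifnames[3], "*") == 0` would match the intent stated in the comment, and the `strncpy(fil.fr_ifnames[2], "*", sizeof(fil.fr_ifnames[3]))` should size by `fil.fr_ifnames[2]`. The bodies of these functions extend outside the hunks shown.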


@ -1,10 +1,22 @@
CC=gcc
all:
@echo "Please do one of the following:"
@echo "make bsd"
@echo "make bsdi"
@echo "make freebsd"
@echo "make freebsd22"
@echo "make netbsd"
@echo "make openbsd"
@echo "make sunos4"
@echo "make sunos5"
sunos5:
$(CC) -I.. userauth.c -o userauth -lsocket -lnsl
$(CC) -I.. proxy.c -o proxy -lsocket -lnsl
$(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
-I.. userauth.c -o userauth -lsocket -lnsl
$(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
-I.. proxy.c -o proxy -lsocket -lnsl
freebsd freebsd22 netbsd bsd bsdi sunos4:
freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd:
$(CC) -I.. userauth.c -o userauth
$(CC) -I.. proxy.c -o proxy
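Review bot: None of the targets in this file is declared phony, so a file or directory named `bsd`, `freebsd` or `all` in the samples directory makes `make bsd` report "up to date" and build nothing; add `.PHONY: all sunos5 freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd` at the top (GNU make honours it; makes that do not know the special target treat it as a harmless empty rule). The `uname -r | sh -c 'IFS=. read j n x; echo $$n'` pipeline is duplicated in both `sunos5` recipe lines and runs once per line; a single `SOLARIS2=` assignment using the same backtick expression would keep the two `-DSOLARIS2=` values from drifting apart.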


@ -41,6 +41,8 @@
#include <ctype.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
@ -81,19 +83,25 @@ char *argv[];
bzero((char *)&natlook, sizeof(natlook));
natlook.nl_outip = sin.sin_addr;
natlook.nl_inip = sloc.sin_addr;
natlook.nl_flags = IPN_TCP;
natlook.nl_outport = sin.sin_port;
natlook.nl_inport = sloc.sin_port;
natlook.nl_flags = IPN_TCPUDP;
natlook.nl_outport = ntohs(sin.sin_port);
natlook.nl_inport = ntohs(sloc.sin_port);
/*
* Open the NAT device and lookup the mapping pair.
*/
fd = open(IPL_NAT, O_RDONLY);
if (ioctl(fd, SIOCGNATL, &natlookp) == -1) {
perror("ioctl");
perror("ioctl(SIOCGNATL)");
exit(-1);
}
close(fd);
#define DO_NAT_OUT
#ifdef DO_NAT_OUT
if (argc > 1)
do_nat_out(0, 1, fd, &natlook, argv[1]);
#else
/*
* Log it
*/
@ -109,4 +117,181 @@ char *argv[];
if (write(1, buffer, n) != n)
break;
close(0);
#endif
}
#ifdef DO_NAT_OUT
do_nat_out(in, out, fd, nlp, extif)
int fd;
natlookup_t *nlp;
char *extif;
{
nat_save_t ns, *nsp = &ns;
struct sockaddr_in usin;
u_32_t sum1, sum2, sumd;
int onoff, ofd, slen;
ipnat_t *ipn;
nat_t *nat;
bzero((char *)&ns, sizeof(ns));
nat = &ns.ipn_nat;
nat->nat_p = IPPROTO_TCP;
nat->nat_dir = NAT_OUTBOUND;
if ((extif != NULL) && (*extif != '\0')) {
strncpy(nat->nat_ifname, extif, sizeof(nat->nat_ifname));
nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
}
ofd = socket(AF_INET, SOCK_DGRAM, 0);
bzero((char *)&usin, sizeof(usin));
usin.sin_family = AF_INET;
usin.sin_addr = nlp->nl_realip;
usin.sin_port = nlp->nl_realport;
(void) connect(ofd, (struct sockaddr *)&usin, sizeof(usin));
slen = sizeof(usin);
(void) getsockname(ofd, (struct sockaddr *)&usin, &slen);
close(ofd);
printf("local IP# to use: %s\n", inet_ntoa(usin.sin_addr));
if ((ofd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
perror("socket");
usin.sin_port = 0;
if (bind(ofd, (struct sockaddr *)&usin, sizeof(usin)))
perror("bind");
slen = sizeof(usin);
if (getsockname(ofd, (struct sockaddr *)&usin, &slen))
perror("getsockname");
printf("local port# to use: %d\n", ntohs(usin.sin_port));
nat->nat_inip = usin.sin_addr;
nat->nat_outip = nlp->nl_outip;
nat->nat_oip = nlp->nl_realip;
sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr)) + ntohs(usin.sin_port);
sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr)) + ntohs(nlp->nl_outport);
CALC_SUMD(sum1, sum2, sumd);
nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
nat->nat_sumd[1] = nat->nat_sumd[0];
sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr));
sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
CALC_SUMD(sum1, sum2, sumd);
nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
nat->nat_inport = usin.sin_port;
nat->nat_outport = nlp->nl_outport;
nat->nat_oport = nlp->nl_realport;
nat->nat_flags = IPN_TCPUDP;
onoff = 1;
if (ioctl(fd, SIOCSTLCK, &onoff) == 0) {
if (ioctl(fd, SIOCSTPUT, &nsp) != 0)
perror("SIOCSTPUT");
onoff = 0;
if (ioctl(fd, SIOCSTLCK, &onoff) != 0)
perror("SIOCSTLCK");
}
usin.sin_addr = nlp->nl_realip;
usin.sin_port = nlp->nl_realport;
printf("remote end for connection: %s,%d\n", inet_ntoa(usin.sin_addr),
ntohs(usin.sin_port));
fflush(stdout);
if (connect(ofd, (struct sockaddr *)&usin, sizeof(usin)))
perror("connect");
relay(in, out, ofd);
}
relay(in, out, net)
int in, out, net;
{
char netbuf[1024], outbuf[1024];
char *nwptr, *nrptr, *owptr, *orptr;
size_t nsz, osz;
fd_set rd, wr;
int i, n, maxfd;
n = 0;
maxfd = in;
if (out > maxfd)
maxfd = out;
if (net > maxfd)
maxfd = net;
nrptr = netbuf;
nwptr = netbuf;
nsz = sizeof(netbuf);
orptr = outbuf;
owptr = outbuf;
osz = sizeof(outbuf);
while (n >= 0) {
FD_ZERO(&rd);
FD_ZERO(&wr);
if (nrptr - netbuf < sizeof(netbuf))
FD_SET(in, &rd);
if (orptr - outbuf < sizeof(outbuf))
FD_SET(net, &rd);
if (nsz < sizeof(netbuf))
FD_SET(net, &wr);
if (osz < sizeof(outbuf))
FD_SET(out, &wr);
n = select(maxfd + 1, &rd, &wr, NULL, NULL);
if ((n > 0) && FD_ISSET(in, &rd)) {
i = read(in, nrptr, sizeof(netbuf) - (nrptr - netbuf));
if (i <= 0)
break;
nsz -= i;
nrptr += i;
n--;
}
if ((n > 0) && FD_ISSET(net, &rd)) {
i = read(net, orptr, sizeof(outbuf) - (orptr - outbuf));
if (i <= 0)
break;
osz -= i;
orptr += i;
n--;
}
if ((n > 0) && FD_ISSET(out, &wr)) {
i = write(out, owptr, orptr - owptr);
if (i <= 0)
break;
osz += i;
if (osz == sizeof(outbuf) || owptr == orptr) {
orptr = outbuf;
owptr = outbuf;
} else
owptr += i;
n--;
}
if ((n > 0) && FD_ISSET(net, &wr)) {
i = write(net, nwptr, nrptr - nwptr);
if (i <= 0)
break;
nsz += i;
if (nsz == sizeof(netbuf) || nwptr == nrptr) {
nrptr = netbuf;
nwptr = netbuf;
} else
nwptr += i;
}
}
close(net);
close(out);
close(in);
}
#endif
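Review bot: `do_nat_out` keeps going after every failed call: `socket`, `bind` and `getsockname` only `perror()` and fall through, so on failure `usin` still holds whatever the earlier UDP-connect lookup left (with the port forced to 0 at `usin.sin_port = 0;`) and that is pushed into the kernel NAT table by `SIOCSTPUT` as the local side of the mapping; each of those checks should bail out before the `SIOCSTLCK`/`SIOCSTPUT` ioctls, e.g. `perror("bind"); return;`. The same applies to `ioctl(fd, SIOCSTLCK, ...)` itself: `fd` is the descriptor `main()` opened with `O_RDONLY` and, if the `close(fd);` shown in the -81 hunk survives in the new code, it is already closed by the time `do_nat_out` runs, both of which I would expect to make the set ioctls fail, after which the code still proceeds to `connect` and `relay` on a connection that has no NAT entry. `slen` is declared `int` but handed to `getsockname()` where the prototype takes `socklen_t *`; `socklen_t slen;` avoids the mismatched-pointer warning. In `relay`, a `select()` interrupted by a signal returns -1 and ends the loop; if that is not intended, `if (n < 0 && errno == EINTR) continue;` before the `FD_ISSET` checks keeps the relay alive.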


@ -1,10 +1,10 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.20 2001/07/18 14:58:28 darrenr Exp $"
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@ -93,10 +93,16 @@ extern void ipfr_slowtimer __P((void));
int ipfr_timer_id;
static int synctimeoutid = 0;
#endif
int ipf_debug = 0;
int ipf_debug_verbose = 0;
/* #undef IPFDEBUG 1 */
/* #undef IPFDEBUG_VERBOSE 1 */
#ifdef IPFDEBUG
void printire __P((ire_t *));
#endif
#define isdigit(x) ((x) >= '0' && (x) <= '9')
static int fr_precheck __P((mblk_t **, queue_t *, qif_t *, int));
@ -150,7 +156,7 @@ static size_t hdrsizes[57][2] = {
{ IFT_X25DDN, 0 },
{ IFT_X25, 0 },
{ IFT_ETHER, 14 },
{ IFT_ISO88023, 0 },
{ IFT_ISO88023, 14 },
{ IFT_ISO88024, 0 },
{ IFT_ISO88025, 0 },
{ IFT_ISO88026, 0 },
@ -210,7 +216,8 @@ int _init()
ipfinst = mod_install(&modlink1);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
#endif
return ipfinst;
}
@ -222,7 +229,8 @@ int _fini(void)
ipfinst = mod_remove(&modlink1);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
#endif
return ipfinst;
}
@ -235,7 +243,9 @@ struct modinfo *modinfop;
ipfinst = mod_info(&modlink1, modinfop);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", modinfop, ipfinst);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x",
modinfop, ipfinst);
#endif
if (fr_running > 0)
ipfsync();
@ -249,7 +259,8 @@ dev_info_t *dip;
if (fr_running < 0)
return DDI_PROBE_FAILURE;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
#endif
return DDI_PROBE_SUCCESS;
}
@ -259,7 +270,8 @@ static int ipf_identify(dip)
dev_info_t *dip;
{
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
#endif
if (strcmp(ddi_get_name(dip), "ipf") == 0)
return (DDI_IDENTIFIED);
@ -299,7 +311,8 @@ ddi_attach_cmd_t cmd;
#ifdef IPFDEBUG
int instance;
cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_ATTACH:
@ -308,6 +321,7 @@ ddi_attach_cmd_t cmd;
#ifdef IPFDEBUG
instance = ddi_get_instance(dip);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance);
#endif
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
@ -344,7 +358,8 @@ ddi_attach_cmd_t cmd;
solattach();
solipdrvattach();
RWLOCK_EXIT(&ipf_solaris);
cmn_err(CE_CONT, "%s, attaching complete.\n", ipfilter_version);
cmn_err(CE_CONT, "%s, attaching complete.\n",
ipfilter_version);
sync();
if (fr_running == 0)
fr_running = 1;
@ -383,7 +398,8 @@ ddi_detach_cmd_t cmd;
int i;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_DETACH:
@ -459,7 +475,9 @@ void *arg, **result;
return DDI_FAILURE;
error = DDI_FAILURE;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)", dip, infocmd, arg);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)",
dip, infocmd, arg);
#endif
switch (infocmd) {
case DDI_INFO_DEVT2DEVINFO:
@ -784,15 +802,7 @@ int out;
#endif
) {
m->b_rptr -= off;
if (!synced) {
synced = 1;
RWLOCK_EXIT(&ipfs_mutex);
ipfsync();
READ_ENTER(&ipfs_mutex);
goto tryagain;
}
frstats[out].fr_notip++;
return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
return -2;
}
#ifndef sparc
@ -969,27 +979,40 @@ mblk_t *mb;
int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
qif_t qf, *qif;
#ifdef IPFDEBUG_VERBOSE
if (ipf_debug_verbose)
cmn_err(CE_CONT,
"fr_qin(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
msgdsize(mb));
#endif
/*
* IPFilter is still in the packet path but not enabled. Drop whatever
* it is that has come through.
*/
if (fr_running <= 0) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
type = MTYPE(mb);
/*
* If a mblk has more than one reference, make a copy, filter that and
* free a reference to the original.
*/
if (mb->b_datap->db_ref > 1) {
mblk_t *m1;
m1 = copymsg(mb);
if (!m1) {
frstats[0].fr_drop++;
mb->b_next = NULL;
mb->b_prev = NULL;
freemsg(mb);
return 0;
}
m1->b_next = mb->b_next;
mb->b_next = NULL;
m1->b_prev = mb->b_prev;
mb->b_prev = NULL;
freemsg(mb);
mb = m1;
@ -999,10 +1022,9 @@ mblk_t *mb;
READ_ENTER(&ipf_solaris);
again:
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
RWLOCK_EXIT(&ipf_solaris);
return 0;
}
READ_ENTER(&ipfs_mutex);
@ -1030,7 +1052,7 @@ mblk_t *mb;
}
cmn_err(CE_WARN,
"!IP Filter: dropped: fr_qin(%x,%x): type %x qif %x",
q, mb, MTYPE(mb), qif);
q, mb, type, qif);
cmn_err(CE_CONT,
"!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
@ -1044,40 +1066,52 @@ mblk_t *mb;
#endif
);
frstats[0].fr_drop++;
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
RWLOCK_EXIT(&ipf_solaris);
return 0;
}
qif->qf_incnt++;
pnext = qif->qf_rqinfo->qi_putp;
type = MTYPE(mb);
if (type == M_IOCACK)
fr_qif_update(qif, mb);
else {
bcopy((char *)qif, (char *)&qf, sizeof(qf));
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, &qf, 0);
}
bcopy((char *)qif, (char *)&qf, sizeof(qf));
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, &qf, 0);
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
if ((err == 0) && (mb != NULL)) {
if (pnext)
if (pnext) {
RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
cmn_err(CE_WARN,
"!IP Filter: inp NULL: qif %x %s q %x info %x",
&qf, qf.qf_name, q, q->q_qinfo);
qif, qf.qf_name, q, q->q_qinfo);
}
if (err == -2) {
if (synced == 0) {
ipfsync();
synced = 1;
goto again;
}
frstats[0].fr_notip++;
if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
}
if (mb) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
}
RWLOCK_EXIT(&ipf_solaris);
return 0;
}
@ -1089,13 +1123,22 @@ mblk_t *mb;
int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
qif_t qf, *qif;
#ifdef IPFDEBUG_VERBOSE
if (ipf_debug_verbose)
cmn_err(CE_CONT,
"fr_qout(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
msgdsize(mb));
#endif
if (fr_running <= 0) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
type = MTYPE(mb);
#if SOLARIS2 >= 6
if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) &&
(mb->b_datap->db_ref > 1))
@ -1108,14 +1151,10 @@ mblk_t *mb;
m1 = copymsg(mb);
if (!m1) {
frstats[1].fr_drop++;
mb->b_next = NULL;
mb->b_prev = NULL;
freemsg(mb);
return 0;
}
m1->b_next = mb->b_next;
mb->b_next = NULL;
m1->b_prev = mb->b_prev;
mb->b_prev = NULL;
freemsg(mb);
mb = m1;
@ -1125,10 +1164,9 @@ mblk_t *mb;
READ_ENTER(&ipf_solaris);
again:
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
RWLOCK_EXIT(&ipf_solaris);
return 0;
}
READ_ENTER(&ipfs_mutex);
@ -1156,7 +1194,7 @@ mblk_t *mb;
}
cmn_err(CE_WARN,
"!IP Filter: dropped: fr_qout(%x,%x): type %x: qif %x",
q, mb, MTYPE(mb), qif);
q, mb, type, qif);
cmn_err(CE_CONT,
"!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
@ -1180,40 +1218,51 @@ mblk_t *mb;
q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next,
q->q_nbsrv->q_ptr);
frstats[1].fr_drop++;
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
RWLOCK_EXIT(&ipf_solaris);
return 0;
}
qif->qf_outcnt++;
pnext = qif->qf_wqinfo->qi_putp;
type = MTYPE(mb);
if (type == M_IOCACK)
fr_qif_update(qif, mb);
else {
bcopy((char *)qif, (char *)&qf, sizeof(qf));
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, &qf, 1);
}
bcopy((char *)qif, (char *)&qf, sizeof(qf));
if (datamsg(type) || (type == M_BREAK))
err = fr_precheck(&mb, q, &qf, 1);
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
if ((err == 0) && (mb != NULL)) {
if (pnext)
if (pnext) {
RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
cmn_err(CE_WARN,
"!IP Filter: outp NULL: qif %x %s q %x info %x",
&qf, qf.qf_name, q, q->q_qinfo);
qif, qf.qf_name, q, q->q_qinfo);
}
if (err == -2) {
if (synced == 0) {
ipfsync();
synced = 1;
goto again;
}
frstats[1].fr_notip++;
if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
}
if (mb) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
}
RWLOCK_EXIT(&ipf_solaris);
return 0;
}
@ -1241,7 +1290,6 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
@ -1253,7 +1301,6 @@ mblk_t *mb;
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
return 0;
}
@ -1269,8 +1316,10 @@ mblk_t *mb;
case SIOCSIFADDR:
case SIOCSIFFLAGS:
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
ioc->ioc_cmd);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
ioc->ioc_cmd);
#endif
WRITE_ENTER(&ipfs_mutex);
if (synctimeoutid == 0) {
@ -1294,8 +1343,9 @@ extern struct streamtab ipinfo;
void solipdrvattach()
{
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
#endif
if (++ipdrvattcnt == 1) {
@ -1309,8 +1359,9 @@ void solipdrvattach()
int solipdrvdetach()
{
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
#endif
WRITE_ENTER(&ipfs_mutex);
@ -1362,7 +1413,8 @@ void solattach()
RWLOCK_EXIT(&ipfs_mutex);
continue;
}
#ifdef IPFDEBUG
#ifdef IPFDEBUGX
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: il %x ipt %x opt %x ipu %x opu %x i %x/%x",
il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp,
@ -1384,7 +1436,8 @@ void solattach()
break;
}
if (!qf2) {
#ifdef IPFDEBUG
#ifdef IPFDEBUGX
if (ipf_debug)
cmn_err(CE_WARN,
"IP Filter: rq:%s put %x qi %x",
il->ill_name, in->q_qinfo->qi_putp,
@ -1404,7 +1457,8 @@ void solattach()
break;
}
if (!qf2) {
#ifdef IPFDEBUG
#ifdef IPFDEBUGX
if (ipf_debug)
cmn_err(CE_WARN,
"IP Filter: wq:%s put %x qi %x",
il->ill_name, out->q_qinfo->qi_putp,
@ -1447,6 +1501,15 @@ void solattach()
(hdrsizes[il->ill_type][0] == il->ill_type))
qif->qf_hl = hdrsizes[il->ill_type][1];
/* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
if (il->ill_type == IFT_ETHER &&
il->ill_name[0] == 'c' && il->ill_name[1] == 'e' &&
isdigit(il->ill_name[2]) && il->ill_name_length >= 6) {
cmn_err(CE_NOTE, "VLAN HACK ENABLED");
qif->qf_hl += 4;
}
/* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER)
cmn_err(CE_WARN,
"Unknown layer 2 header size for %s type %d",
@ -1524,10 +1587,10 @@ void solattach()
sizeof(struct qinit));
qif->qf_rqinit.qi_putp = fr_qin;
#ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, &qif->qf_rqinit
);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, &qif->qf_rqinit);
#endif
in->q_qinfo = &qif->qf_rqinit;
@ -1535,10 +1598,10 @@ void solattach()
sizeof(struct qinit));
qif->qf_wqinit.qi_putp = fr_qout;
#ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, &qif->qf_wqinit
);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, &qif->qf_wqinit);
#endif
out->q_qinfo = &qif->qf_wqinit;
@ -1638,19 +1701,19 @@ int ipfsync()
in = qif->qf_in;
if (in) {
# ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, qif->qf_rqinfo
);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, qif->qf_rqinfo);
# endif
in->q_qinfo = qif->qf_rqinfo;
}
if (out) {
# ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, qif->qf_wqinfo
);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, qif->qf_wqinfo);
# endif
out->q_qinfo = qif->qf_wqinfo;
}
@ -1719,9 +1782,10 @@ int soldetach()
);
#ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, qif->qf_rqinfo);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, qif->qf_rqinfo);
#endif
in->q_qinfo = qif->qf_rqinfo;
@ -1729,9 +1793,10 @@ int soldetach()
* and the write queue...
*/
#ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, qif->qf_wqinfo);
if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, qif->qf_wqinfo);
#endif
out->q_qinfo = qif->qf_wqinfo;
}
@ -1746,6 +1811,8 @@ int soldetach()
void printire(ire)
ire_t *ire;
{
if (!ipf_debug)
return;
printf("ire: ll_hdr_mp %p rfq %p stq %p src_addr %x max_frag %d\n",
# if SOLARIS2 >= 8
NULL,
@ -1812,7 +1879,6 @@ frdest_t *fdp;
mp = (*mpp)->b_cont;
(*mpp)->b_cont = NULL;
(*mpp)->b_prev = NULL;
(*mpp)->b_next = NULL;
freemsg(*mpp);
*mpp = mp;
}
@ -1951,7 +2017,6 @@ frdest_t *fdp;
q = WR(ir->ire_rfq);
if (q) {
mb->b_prev = NULL;
mb->b_next = NULL;
mb->b_queue = q;
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@ -1979,7 +2044,6 @@ frdest_t *fdp;
}
bad_fastroute:
mb->b_prev = NULL;
mb->b_next = NULL;
freemsg(mb);
ipl_frouteok[1]++;
*mpp = NULL;
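Review bot: The `DREADFUL VLAN HACK` block added to `solattach()` unconditionally adds 4 to `qif->qf_hl` for every `IFT_ETHER` interface whose name starts with `ce<digit>` and is at least 6 characters long, and its own comment says it is only there to check that it works. On such an interface that is not actually carrying tagged frames the IP header is then presumably looked for 4 bytes too far; `fr_precheck` now reports an unrecognised frame as `return -2`, and with `FF_BLOCKNONIP` clear the new `err == -2` path in `fr_qin`/`fr_qout` hands the packet to `pnext` unfiltered, so a wrong guess here disables filtering on that interface rather than failing closed. Gate the block behind a compile-time define (a constructed name such as `IPF_VLAN_TEST` would do) so it is off in ordinary builds, and put the `cmn_err(CE_NOTE, "VLAN HACK ENABLED")` under `if (ipf_debug)` like the other attach-time messages in this change. A comment on the `err == -2` branch, `/* non-IP frame: retry once after resyncing queue info, then pass or drop per FF_BLOCKNONIP */`, would make the retry-then-pass behaviour explicit; the same branch appears in both `fr_qin` (the -1044 hunk) and `fr_qout` (the -1180 hunk).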


@ -9,19 +9,23 @@ BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
tests: first 0 ftests ptests ntests
tests: first 0 ftests ptests ntests nitests logtests
first:
-mkdir -p results
# Filtering tests
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
ntests: n1 n2 n3 n4 n5 n6 n7
nitests: ni1 ni2
logtests: l1
0:
@(cd ..; make ipftest; )
@ -31,13 +35,25 @@ f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14:
f12 f13:
@/bin/sh ./hextest $@
f15 f16:
@/bin/sh ./mtest $@
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@/bin/sh ./itest $@
n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
ni1 ni2:
@/bin/sh ./natipftest $@
l1:
@/bin/sh ./logtest $@
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 results/*
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
/bin/rm -f ni1 ni2
/bin/rm -f l1
/bin/rm -f results/*
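Review bot: `tests`, `ftests`, `ptests`, `ntests` and the new `nitests` and `logtests` are aggregate names rather than files, but nothing declares them `.PHONY`, so a stray file called `tests` or `logtests` in this directory makes `make tests` a silent no-op; add `.PHONY: tests first ftests ptests ntests nitests logtests clean`. The individual test targets (`f15 f16`, `ni1 ni2`, `l1`) do appear to be files the scripts create, since `clean` removes them, so those should stay unmarked. The `@` on the new `./mtest`, `./natipftest` and `./logtest` lines hides which script was running when a test fails; dropping the `@` or having the scripts print their own name would make a failed run self-explanatory. A short comment above each new group in the style of the existing `# Filtering tests` (`# NAT + filter tests`, `# Log tests`) would keep the file's own convention.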


@ -91,6 +91,7 @@ IPv6:
BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
fixed.
Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.