d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4a9a9e0514
freebsd-dev/contrib/ipfilter/ipf.c
Darren Reed dfb9a48c69 Import ipfilter 3.4.35 onto vendor branch
2004-06-21 22:47:51 +00:00

765 lines
14 KiB
C
Raw Blame History

/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#if !defined(__SVR4) && !defined(__GNUC__)
#include <strings.h>
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#include <stdlib.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#include "ipf.h"
#include "ipl.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.23 2003/06/27 14:39:13 darrenr Exp $";
#endif
#if SOLARIS
static void blockunknown __P((void));
#endif
#if !defined(__SVR4) && defined(__GNUC__)
extern char *index __P((const char *, int));
#endif
extern char *optarg;
extern int optind;
void frsync __P((void));
void zerostats __P((void));
int main __P((int, char *[]));
int opts = 0;
int use_inet6 = 0;
static int fd = -1;
static void procfile __P((char *, char *)), flushfilter __P((char *));
static int set_state __P((u_int));
static void showstats __P((friostat_t *));
static void packetlogon __P((char *)), swapactive __P((void));
static int opendevice __P((char *));
static void closedevice __P((void));
static char *getline __P((char *, size_t, FILE *, int *));
static char *ipfname = IPL_NAME;
static void usage __P((char *));
static int showversion __P((void));
static int get_flags __P((int *));
#if SOLARIS
# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
#else
# define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
#endif
static void usage(name)
char *name;
{
fprintf(stderr, "usage: %s [-%s] %s %s %s\n", name, OPTS,
"[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
exit(1);
}
int main(argc,argv)
int argc;
char *argv[];
{
int c;
if (argc < 2)
usage(argv[0]);
while ((c = getopt(argc, argv, OPTS)) != -1) {
switch (c)
{
case '6' :
use_inet6 = 1;
break;
case 'A' :
opts &= ~OPT_INACTIVE;
break;
case 'E' :
if (set_state((u_int)1))
exit(1);
break;
case 'D' :
if (set_state((u_int)0))
exit(1);
break;
case 'd' :
opts |= OPT_DEBUG;
break;
case 'f' :
procfile(argv[0], optarg);
break;
case 'F' :
flushfilter(optarg);
break;
case 'I' :
opts |= OPT_INACTIVE;
break;
case 'l' :
packetlogon(optarg);
break;
case 'n' :
opts |= OPT_DONOTHING;
break;
case 'o' :
break;
case 'P' :
ipfname = IPL_AUTH;
break;
case 'r' :
opts |= OPT_REMOVE;
break;
case 's' :
swapactive();
break;
#if SOLARIS
case 'U' :
blockunknown();
break;
#endif
case 'v' :
opts += OPT_VERBOSE;
break;
case 'V' :
if (showversion())
exit(1);
break;
case 'y' :
frsync();
break;
case 'z' :
opts |= OPT_ZERORULEST;
break;
case 'Z' :
zerostats();
break;
case '?' :
default :
usage(argv[0]);
break;
}
}
if (optind < 2)
usage(argv[0]);
if (fd != -1)
(void) close(fd);
exit(0);
/* NOTREACHED */
}
static int opendevice(ipfdev)
char *ipfdev;
{
if (opts & OPT_DONOTHING)
return 0;
if (!ipfdev)
ipfdev = ipfname;
/*
* shouldn't we really be testing for fd < 0 here and below?
*/
if (fd != -1)
return 0;
if ((fd = open(ipfdev, O_RDWR)) == -1) {
if ((fd = open(ipfdev, O_RDONLY)) == -1) {
perror("open device");
if (errno == ENODEV)
fprintf(stderr, "IPFilter enabled?\n");
return -1;
}
}
return 0;
}
static void closedevice()
{
if (fd != -1)
close(fd);
fd = -1;
}
/*
* Return codes:
* 0 Success
* !0 Failure (and an error message has already been printed)
*/
static int get_flags(i)
int *i;
{
if (opts & OPT_DONOTHING)
return 0;
if (opendevice(ipfname) < 0)
return -1;
if (ioctl(fd, SIOCGETFF, i) == -1) {
perror("SIOCGETFF");
return -1;
}
return 0;
}
static int set_state(enable)
u_int enable;
{
if (opts & OPT_DONOTHING)
return 0;
if (opendevice(ipfname))
return -1;
if (ioctl(fd, SIOCFRENB, &enable) == -1) {
if (errno == EBUSY)
/* Not really an error */
fprintf(stderr,
"IP Filter: already initialized\n");
else {
perror("SIOCFRENB");
return -1;
}
}
return 0;
}
static void procfile(name, file)
char *name, *file;
{
FILE *fp;
char line[513], *s;
struct frentry *fr;
u_int add, del;
int linenum = 0;
int parsestatus;
if (opendevice(ipfname) == -1)
exit(1);
if (opts & OPT_INACTIVE) {
add = SIOCADIFR;
del = SIOCRMIFR;
} else {
add = SIOCADAFR;
del = SIOCRMAFR;
}
if (opts & OPT_DEBUG)
printf("add %x del %x\n", add, del);
initparse();
if (!strcmp(file, "-"))
fp = stdin;
else if (!(fp = fopen(file, "r"))) {
fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
STRERROR(errno));
exit(1);
}
while (getline(line, sizeof(line), fp, &linenum)) {
/*
* treat CR as EOL. LF is converted to NUL by getline().
*/
if ((s = index(line, '\r')))
*s = '\0';
/*
* # is comment marker, everything after is a ignored
*/
if ((s = index(line, '#')))
*s = '\0';
if (!*line)
continue;
if (opts & OPT_VERBOSE)
(void)fprintf(stderr, "[%s]\n", line);
parsestatus = 1;
fr = parse(line, linenum, &parsestatus);
(void)fflush(stdout);
if (parsestatus != 0) {
fprintf(stderr, "%s: %s: %s error (%d), quitting\n",
name, file,
((parsestatus < 0)? "parse": "internal"),
parsestatus);
exit(1);
}
if (fr) {
if (opts & OPT_ZERORULEST)
add = SIOCZRLST;
else if (opts & OPT_INACTIVE)
add = (u_int)fr->fr_hits ? SIOCINIFR :
SIOCADIFR;
else
add = (u_int)fr->fr_hits ? SIOCINAFR :
SIOCADAFR;
if (fr->fr_hits)
fr->fr_hits--;
if (fr && (opts & OPT_VERBOSE))
printfr(fr);
if (fr && (opts & OPT_OUTQUE))
fr->fr_flags |= FR_OUTQUE;
if (opts & OPT_DEBUG)
binprint(fr);
if ((opts & OPT_ZERORULEST) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCZRLST)");
exit(1);
} else {
#ifdef USE_QUAD_T
printf("hits %qd bytes %qd ",
(long long)fr->fr_hits,
(long long)fr->fr_bytes);
#else
printf("hits %ld bytes %ld ",
fr->fr_hits, fr->fr_bytes);
#endif
printfr(fr);
}
} else if ((opts & OPT_REMOVE) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, del, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(delete rule)");
exit(1);
}
} else if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(add/insert rule)");
exit(1);
}
}
}
}
if (ferror(fp) || !feof(fp)) {
fprintf(stderr, "%s: %s: file error or line too long\n",
name, file);
exit(1);
}
(void)fclose(fp);
}
/*
* Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
* Returns NULL if error occurred, EOF encounterd or input line is too long.
*/
static char *getline(str, size, file, linenum)
register char *str;
size_t size;
FILE *file;
int *linenum;
{
char *p;
int s, len;
do {
for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
/*
* if an error occurred, EOF was encounterd, or there
* was no room to put NUL, return NULL.
*/
if (fgets(p, s, file) == NULL)
return (NULL);
len = strlen(p);
if (p[len - 1] != '\n') {
p[len] = '\0';
break;
}
(*linenum)++;
p[len - 1] = '\0';
if (len < 2 || p[len - 2] != '\\')
break;
else
/*
* Convert '\\' to a space so words don't
* run together
*/
p[len - 2] = ' ';
}
} while (*str == '\0');
return (str);
}
static void packetlogon(opt)
char *opt;
{
int flag;
if (get_flags(&flag))
exit(1);
if (flag != 0) {
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
printf("log flag is currently %#x\n", flag);
}
flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
if (index(opt, 'p')) {
flag |= FF_LOGPASS;
if (opts & OPT_VERBOSE)
printf("set log flag: pass\n");
}
if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) {
flag |= FF_LOGNOMATCH;
if (opts & OPT_VERBOSE)
printf("set log flag: nomatch\n");
}
if (index(opt, 'b') || index(opt, 'd')) {
flag |= FF_LOGBLOCK;
if (opts & OPT_VERBOSE)
printf("set log flag: block\n");
}
if (opendevice(ipfname) == -1) {
exit(1);
}
if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, SIOCSETFF, &flag) != 0) {
perror("ioctl(SIOCSETFF)");
exit(1);
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
/*
* Even though the ioctls above succeeded, it
* is possible that a calling script/program
* relies on the following verbose mode string.
* Thus, we still take an error exit if get_flags
* fails here.
*/
if (get_flags(&flag))
exit(1);
printf("log flag is now %#x\n", flag);
}
}
static void flushfilter(arg)
char *arg;
{
int fl = 0, rem;
if (!arg || !*arg) {
fprintf(stderr, "-F: no filter specified\n");
exit(1);
}
if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
if (*arg == 'S')
fl = 0;
else
fl = 1;
rem = fl;
closedevice();
if (opendevice(IPL_STATE) == -1) {
exit(1);
}
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
perror("ioctl(SIOCIPFL6)");
exit(1);
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
perror("ioctl(SIOCIPFFL)");
exit(1);
}
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s (%d)\n", arg, rem);
printf("removed %d filter rules\n", fl);
}
closedevice();
return;
}
if (strchr(arg, 'i') || strchr(arg, 'I'))
fl = FR_INQUE;
if (strchr(arg, 'o') || strchr(arg, 'O'))
fl = FR_OUTQUE;
if (strchr(arg, 'a') || strchr(arg, 'A'))
fl = FR_OUTQUE|FR_INQUE;
fl |= (opts & FR_INACTIVE);
rem = fl;
if (opendevice(ipfname) == -1) {
exit(1);
}
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
perror("ioctl(SIOCIPFL6)");
exit(1);
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
perror("ioctl(SIOCIPFFL)");
exit(1);
}
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
(rem & FR_OUTQUE) ? "O" : "", rem);
printf("removed %d filter rules\n", fl);
}
return;
}
static void swapactive()
{
int in = 2;
if (opendevice(ipfname) == -1) {
exit(1);
}
if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, SIOCSWAPA, &in) == -1) {
perror("ioctl(SIOCSWAPA)");
exit(1);
}
}
printf("Set %d now inactive\n", in);
}
void frsync()
{
int frsyn = 0;
if (opendevice(ipfname) == -1)
exit(1);
if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, SIOCFRSYN, &frsyn) == -1) {
perror("SIOCFRSYN");
exit(1);
}
}
printf("filter sync'd\n");
}
void zerostats()
{
friostat_t fio;
friostat_t *fiop = &fio;
if (opendevice(ipfname) == -1)
exit(1);
if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, SIOCFRZST, &fiop) == -1) {
perror("ioctl(SIOCFRZST)");
exit(-1);
}
showstats(fiop);
}
}
/*
* Read the kernel stats for packets blocked and passed
*/
static void showstats(fp)
friostat_t *fp;
{
#if SOLARIS
printf("dropped packets:\tin %lu\tout %lu\n",
fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
printf("non-ip packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
printf(" bad packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
#endif
printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
fp->f_st[0].fr_nom);
printf(" counted %lu\n", fp->f_st[0].fr_acct);
printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
fp->f_st[1].fr_nom);
printf(" counted %lu\n", fp->f_st[0].fr_acct);
printf(" input packets logged:\tblocked %lu passed %lu\n",
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
printf("output packets logged:\tblocked %lu passed %lu\n",
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
}
#if SOLARIS
static void blockunknown()
{
int flag;
if (opendevice(ipfname) == -1)
exit(1);
if (get_flags(&flag))
exit(1);
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
printf("log flag is currently %#x\n", flag);
flag ^= FF_BLOCKNONIP;
if (opendevice(ipfname) == -1)
exit(1);
if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, SIOCSETFF, &flag))
perror("ioctl(SIOCSETFF)");
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
if (ioctl(fd, SIOCGETFF, &flag))
perror("ioctl(SIOCGETFF)");
printf("log flag is now %#x\n", flag);
}
}
#endif
/*
* nonzero return value means caller should exit with error
*/
static int showversion()
{
struct friostat fio;
struct friostat *fiop=&fio;
int flags, vfd;
char *s;
printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
if ((vfd = open(ipfname, O_RDONLY)) == -1) {
perror("open device");
return 1;
}
if (ioctl(vfd, SIOCGETFS, &fiop)) {
perror("ioctl(SIOCGETFS)");
close(vfd);
return 1;
}
close(vfd);
printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
(int)sizeof(fio.f_version), fio.f_version);
printf("Running: %s\n", fio.f_running ? "yes" : "no");
if (get_flags(&flags)) {
return 1;
}
printf("Log Flags: %#x = ", flags);
s = "";
if (flags & FF_LOGPASS) {
printf("pass");
s = ", ";
}
if (flags & FF_LOGBLOCK) {
printf("%sblock", s);
s = ", ";
}
if (flags & FF_LOGNOMATCH) {
printf("%snomatch", s);
s = ", ";
}
if (flags & FF_BLOCKNONIP) {
printf("%snonip", s);
s = ", ";
}
if (!*s)
printf("none set");
putchar('\n');
printf("Default: ");
if (fio.f_defpass & FR_PASS)
s = "pass";
else if (fio.f_defpass & FR_BLOCK)
s = "block";
else
s = "nomatch -> block";
printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
printf("Active list: %d\n", fio.f_active);
return 0;
}
Reference in New Issue View Git Blame Copy Permalink