From 965575f97c41ba491915667faac038cb6d3a850e Mon Sep 17 00:00:00 2001 
From: Darren Reed Date: Sat, 15 Feb 2003 06:27:40 +0000 Subject: [PATCH] Import userland tools for IPFilter 3.4.31 into -current --- contrib/ipfilter/BSD/Makefile | 2 +- contrib/ipfilter/BSD/kupgrade | 18 + contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 | 2 +- contrib/ipfilter/HISTORY | 46 ++ contrib/ipfilter/Makefile | 16 +- contrib/ipfilter/bpf.h | 450 ++++++++++++++++++++ contrib/ipfilter/common.c | 2 +- contrib/ipfilter/fil.c | 65 ++- contrib/ipfilter/fils.c | 56 ++- contrib/ipfilter/ip_auth.c | 122 ++++-- contrib/ipfilter/ip_auth.h | 8 +- contrib/ipfilter/ip_compat.h | 4 +- contrib/ipfilter/ip_fil.c | 113 +++-- contrib/ipfilter/ip_fil.h | 18 +- contrib/ipfilter/ip_frag.c | 4 +- contrib/ipfilter/ip_ftp_pxy.c | 286 ++++++++++--- contrib/ipfilter/ip_lfil.c | 11 +- contrib/ipfilter/ip_log.c | 29 +- contrib/ipfilter/ip_nat.c | 88 +++- contrib/ipfilter/ip_nat.h | 4 +- contrib/ipfilter/ip_proxy.c | 24 +- contrib/ipfilter/ip_proxy.h | 3 +- contrib/ipfilter/ip_rcmd_pxy.c | 3 +- contrib/ipfilter/ip_sfil.c | 49 ++- contrib/ipfilter/ip_state.c | 49 ++- contrib/ipfilter/ipf.c | 27 +- contrib/ipfilter/ipfs.c | 61 ++- contrib/ipfilter/ipft_ef.c | 4 +- contrib/ipfilter/ipft_hx.c | 4 +- contrib/ipfilter/ipft_pc.c | 86 +++- contrib/ipfilter/ipft_sn.c | 4 +- contrib/ipfilter/ipft_td.c | 4 +- contrib/ipfilter/ipft_tx.c | 4 +- contrib/ipfilter/ipl.h | 4 +- contrib/ipfilter/iplang/iplang_y.y | 6 +- contrib/ipfilter/ipmon.c | 4 +- contrib/ipfilter/ipnat.c | 4 +- contrib/ipfilter/ipsend/44arp.c | 2 +- contrib/ipfilter/ipsend/arp.c | 4 +- contrib/ipfilter/ipsend/ip.c | 4 +- contrib/ipfilter/ipsend/ipresend.c | 4 +- contrib/ipfilter/ipsend/ipsend.c | 4 +- contrib/ipfilter/ipsend/ipsopt.c | 4 +- contrib/ipfilter/ipsend/iptest.c | 4 +- contrib/ipfilter/ipsend/iptests.c | 46 +- contrib/ipfilter/ipsend/lsock.c | 4 +- contrib/ipfilter/ipsend/resend.c | 4 +- contrib/ipfilter/ipsend/sirix.c | 2 +- contrib/ipfilter/ipsend/sock.c | 4 +- contrib/ipfilter/ipt.c | 21 +- contrib/ipfilter/kmem.c | 4 +- 
contrib/ipfilter/man/ipf.4 | 2 +- contrib/ipfilter/man/ipf.5 | 2 +- contrib/ipfilter/man/ipf.8 | 2 +- contrib/ipfilter/man/ipfs.8 | 4 +- contrib/ipfilter/man/ipfstat.8 | 4 +- contrib/ipfilter/man/ipftest.1 | 8 + contrib/ipfilter/man/ipmon.8 | 4 +- contrib/ipfilter/man/ipnat.5 | 39 +- contrib/ipfilter/man/ipnat.8 | 2 +- contrib/ipfilter/misc.c | 4 +- contrib/ipfilter/mli_ipl.c | 4 +- contrib/ipfilter/mln_ipl.c | 34 +- contrib/ipfilter/natparse.c | 51 ++- contrib/ipfilter/opt.c | 4 +- contrib/ipfilter/parse.c | 16 +- contrib/ipfilter/printnat.c | 18 +- contrib/ipfilter/printstate.c | 2 +- contrib/ipfilter/relay.c | 51 ++- contrib/ipfilter/test/Makefile | 6 +- contrib/ipfilter/test/expected/ipv6.3 | 6 + contrib/ipfilter/test/expected/ni5 | 1 + contrib/ipfilter/test/input/ipv6.3 | 30 ++ contrib/ipfilter/test/input/ni5 | 34 +- contrib/ipfilter/test/regress/ipv6.3 | 1 + 75 files changed, 1714 insertions(+), 410 deletions(-) create mode 100644 contrib/ipfilter/bpf.h create mode 100644 contrib/ipfilter/test/expected/ipv6.3 create mode 100644 contrib/ipfilter/test/input/ipv6.3 create mode 100644 contrib/ipfilter/test/regress/ipv6.3 diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index 4d97a9bd4d00..50a61e886a44 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -246,7 +246,7 @@ install: for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \ ip_frag.h ip_auth.h; do \ /bin/cp $(TOP)/$$i /usr/include/netinet/; \ - -$(CHMOD) 444 /usr/include/netinet/$$i; \ + $(CHMOD) 444 /usr/include/netinet/$$i; \ done -if [ -d /lkm -a -f if_ipl.o ] ; then \ cp if_ipl.o /lkm; \ diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade index 4d8573d44790..f4cb518e8b1d 100644 --- a/contrib/ipfilter/BSD/kupgrade +++ b/contrib/ipfilter/BSD/kupgrade 
@@ -31,6 +31,24 @@ for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] chmod 644 $ipfdir/$i done echo "" +echo -n "Installing into /usr/include/netinet" +for j in auth compat fil frag nat proxy state ; do + i=ip_$j.h + if [ -f "$i" ] ; then + echo -n " $i" + cp $i /usr/include/netinet/$i + chmod 644 /usr/include/netinet/$i + fi +done +for j in ipl.h; do + if [ -f "$j" ] ; then + echo -n " $j" + cp $j /usr/include/netinet/$j + chmod 644 /usr/include/netinet/$j + fi +done +echo + if [ -f /sys/netinet/ip_fil_compat.h ] ; then echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h" rm /sys/netinet/ip_fil_compat.h diff --git a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 index 6ae366a394cd..7d1b7a2b8f4c 100644 --- a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 +++ b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 @@ -5,7 +5,7 @@ To build a kernel with the IP filter, follow these seven steps: 2. do "make install-bsd" (probably has to be done as root) - 3. run "FreeBSD-4/kinstall" as root + 3. run "FreeBSD-4.0/kinstall" as root 4. build a new kernel diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 75026a0c3eaf..80b49e209255 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
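Review bot: The new header-install loops in kupgrade set the copied ip_*.h files to `chmod 644`, while the BSD/Makefile install target in the hunk above installs the same files into /usr/include/netinet with `$(CHMOD) 444`, so the mode a system ends up with depends on which install path ran last; the two should agree, most likely `chmod 444 /usr/include/netinet/$i` here to match the Makefile. Neither `cp` is checked, so a failed copy (for instance when the script is not run as root) is only reported indirectly by the following chmod and the script carries on to the kernel-source steps; `cp $i /usr/include/netinet/$i || exit 1` would stop at the first failure. The second loop iterates over the single literal `ipl.h`; folding it into the first loop by testing `-f "$j"` on the full filename is cosmetic but removes the duplicated copy/chmod pair.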
@@ -22,6 +22,52 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.31 7/12/2002 - Released + +Solaris 10 compatibility + +fix linking into pfil in NetBSD + +fix IRIX 6.2 compatibility + +add code to check consistency of fr_checkp/fr_check on non-Solaris + +OpenBSD: missing patches for ip6_output.c on OpenBSD 3.2, + make LKM work for 3.2 (OpenBSD LKMs now match NetBSD) + +3.4.30 26/11/2002 - Released + +attempt to detect using GNU make and abort if so + +OpenBSD 3.2 patches from Stefan Hermes von GMX + +add MSS clamping code from NetBSD + +correctly display ipv6 output with ipfstat for (accounting) rules + +fix problems with ioctl handling for /dev/ipauth + +set SYN bit in rcmd fake packet to create back channel + +make libpcap reader capable of determining in/out (not in libpcap file) +and add more DLT types + +do not allow redirects to localhost for Solaris in NAT parser + +allow return-rst with auth rules + +man page corrections + +fix for handling ipv6 icmp errors + +fix up ipfs command line option processing + +only allow processing a ftp 227 response following a PASV command + +NetBSD: use poll() and adapt to new cdevsw mechanism + +make flushing for just ipv6 things work + 3.4.29 28/8/2002 - Released Make substantial changes to the FTP proxy to improve reliability, security diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 9cc636ba7c39..2abeb53a1f06 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -3,7 +3,7 @@ # # See the IPFILTER.LICENCE file for details on licencing. # -# $Id: Makefile,v 2.11.2.13 2002/03/06 09:43:15 darrenr Exp $ +# $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin @@ -91,7 +91,6 @@ all: @echo "bsd - compile for generic 4.4BSD systems" @echo "bsdi - compile for BSD/OS" @echo "irix - compile for SGI IRIX" - @echo "linux - compile for Linux 2.0.31+" @echo "" tests: 
@@ -237,15 +236,15 @@ get: fi \ done -sunos4 solaris1: +sunos4 solaris1: null (cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) (cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..) -sunos5 solaris2: +sunos5 solaris2: null (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) -sunos5x86 solaris2x86: +sunos5x86 solaris2x86: null (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) @@ -282,3 +281,10 @@ rcsget: do-cvs: find . -type d -name CVS -print | xargs /bin/rm -rf find . -type f -name .cvsignore -print | xargs /bin/rm -f + +null: + -@if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \ + echo 'Do not use GNU make (gmake) to compile IPFilter'; \ + exit 1; \ + fi + -@echo make ok diff --git a/contrib/ipfilter/bpf.h b/contrib/ipfilter/bpf.h new file mode 100644 index 000000000000..715c79a8d173 --- /dev/null +++ b/contrib/ipfilter/bpf.h 
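Review bot: The `exit 1` in the new `null` target never aborts the build, because the recipe line carries a leading `-`, which tells make to ignore that command's exit status; the GNU make detection the HISTORY entry describes as an abort is therefore only a printed warning. Remove the dash so the line begins `@if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \` and keep the rest of the rule as it is; the trailing `-@echo make ok` can keep its dash since its status does not matter. Note that only the sunos/solaris targets gain the `null` prerequisite in the hunk above; the other platform targets of this Makefile are outside the visible hunks, so whether they get the same check cannot be confirmed here.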
@@ -0,0 +1,450 @@
+/*-
+ * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
+ * The Regents of the University of California. All rights reserved.
+ *
+ * This code is derived from the Stanford/CMU enet packet filter,
+ * (net/enet.c) distributed as part of 4.3BSD, and code contributed
+ * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
+ * Berkeley Laboratory.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)bpf.h 7.1 (Berkeley) 5/7/91 + * + * @(#) $Header: /devel/CVS/IP-Filter/Attic/bpf.h,v 1.1.2.1 2002/11/07 13:18:35 darrenr Exp $ (LBL) + */ + +#ifndef BPF_MAJOR_VERSION + +#ifdef __cplusplus +extern "C" { +#endif + +/* BSD style release date */ +#define BPF_RELEASE 199606 + +typedef int bpf_int32; +typedef u_int bpf_u_int32; + +/* + * Alignment macros. BPF_WORDALIGN rounds up to the next + * even multiple of BPF_ALIGNMENT. + */ +#ifndef __NetBSD__ +#define BPF_ALIGNMENT sizeof(bpf_int32) +#else +#define BPF_ALIGNMENT sizeof(long) +#endif +#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) + +#define BPF_MAXINSNS 512 +#define BPF_MAXBUFSIZE 0x8000 +#define BPF_MINBUFSIZE 32 + +/* + * Structure for BIOCSETF. + */ +struct bpf_program { + u_int bf_len; + struct bpf_insn *bf_insns; +}; + +/* + * Struct returned by BIOCGSTATS. + */ +struct bpf_stat { + u_int bs_recv; /* number of packets received */ + u_int bs_drop; /* number of packets dropped */ +}; + +/* + * Struct return by BIOCVERSION. This represents the version number of + * the filter language described by the instruction encodings below. + * bpf understands a program iff kernel_major == filter_major && + * kernel_minor >= filter_minor, that is, if the value returned by the + * running kernel has the same major number and a minor number equal + * equal to or less than the filter being downloaded. 
Otherwise, the + * results are undefined, meaning an error may be returned or packets + * may be accepted haphazardly. + * It has nothing to do with the source code version. + */ +struct bpf_version { + u_short bv_major; + u_short bv_minor; +}; +/* Current version number of filter architecture. */ +#define BPF_MAJOR_VERSION 1 +#define BPF_MINOR_VERSION 1 + +/* + * BPF ioctls + * + * The first set is for compatibility with Sun's pcc style + * header files. If your using gcc, we assume that you + * have run fixincludes so the latter set should work. + */ +#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) +#define BIOCGBLEN _IOR(B,102, u_int) +#define BIOCSBLEN _IOWR(B,102, u_int) +#define BIOCSETF _IOW(B,103, struct bpf_program) +#define BIOCFLUSH _IO(B,104) +#define BIOCPROMISC _IO(B,105) +#define BIOCGDLT _IOR(B,106, u_int) +#define BIOCGETIF _IOR(B,107, struct ifreq) +#define BIOCSETIF _IOW(B,108, struct ifreq) +#define BIOCSRTIMEOUT _IOW(B,109, struct timeval) +#define BIOCGRTIMEOUT _IOR(B,110, struct timeval) +#define BIOCGSTATS _IOR(B,111, struct bpf_stat) +#define BIOCIMMEDIATE _IOW(B,112, u_int) +#define BIOCVERSION _IOR(B,113, struct bpf_version) +#define BIOCSTCPF _IOW(B,114, struct bpf_program) +#define BIOCSUDPF _IOW(B,115, struct bpf_program) +#else +#define BIOCGBLEN _IOR('B',102, u_int) +#define BIOCSBLEN _IOWR('B',102, u_int) +#define BIOCSETF _IOW('B',103, struct bpf_program) +#define BIOCFLUSH _IO('B',104) +#define BIOCPROMISC _IO('B',105) +#define BIOCGDLT _IOR('B',106, u_int) +#define BIOCGETIF _IOR('B',107, struct ifreq) +#define BIOCSETIF _IOW('B',108, struct ifreq) +#define BIOCSRTIMEOUT _IOW('B',109, struct timeval) +#define BIOCGRTIMEOUT _IOR('B',110, struct timeval) +#define BIOCGSTATS _IOR('B',111, struct bpf_stat) +#define BIOCIMMEDIATE _IOW('B',112, u_int) +#define BIOCVERSION _IOR('B',113, struct bpf_version) +#define BIOCSTCPF _IOW('B',114, struct bpf_program) +#define BIOCSUDPF _IOW('B',115, struct bpf_program) +#endif + +/* 
+ * Structure prepended to each packet. + */ +struct bpf_hdr { + struct timeval bh_tstamp; /* time stamp */ + bpf_u_int32 bh_caplen; /* length of captured portion */ + bpf_u_int32 bh_datalen; /* original length of packet */ + u_short bh_hdrlen; /* length of bpf header (this struct + plus alignment padding) */ +}; +/* + * Because the structure above is not a multiple of 4 bytes, some compilers + * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work. + * Only the kernel needs to know about it; applications use bh_hdrlen. + */ +#if defined(KERNEL) || defined(_KERNEL) +#define SIZEOF_BPF_HDR 18 +#endif + +/* + * Data-link level type codes. + */ + +/* + * These are the types that are the same on all platforms; on other + * platforms, a should be supplied that defines the additional + * DLT_* codes appropriately for that platform (the BSDs, for example, + * should not just pick up this version of "bpf.h"; they should also define + * the additional DLT_* codes used by their kernels, as well as the values + * defined here - and, if the values they use for particular DLT_ types + * differ from those here, they should use their values, not the ones + * here). + */ +#define DLT_NULL 0 /* no link-layer encapsulation */ +#define DLT_EN10MB 1 /* Ethernet (10Mb) */ +#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ +#define DLT_AX25 3 /* Amateur Radio AX.25 */ +#define DLT_PRONET 4 /* Proteon ProNET Token Ring */ +#define DLT_CHAOS 5 /* Chaos */ +#define DLT_IEEE802 6 /* IEEE 802 Networks */ +#define DLT_ARCNET 7 /* ARCNET */ +#define DLT_SLIP 8 /* Serial Line IP */ +#define DLT_PPP 9 /* Point-to-point Protocol */ +#define DLT_FDDI 10 /* FDDI */ + +/* + * These are values from the traditional libpcap "bpf.h". + * Ports of this to particular platforms should replace these definitions + * with the ones appropriate to that platform, if the values are + * different on that platform. 
+ */ +#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ +#define DLT_RAW 12 /* raw IP */ + +/* + * These are values from BSD/OS's "bpf.h". + * These are not the same as the values from the traditional libpcap + * "bpf.h"; however, these values shouldn't be generated by any + * OS other than BSD/OS, so the correct values to use here are the + * BSD/OS values. + * + * Platforms that have already assigned these values to other + * DLT_ codes, however, should give these codes the values + * from that platform, so that programs that use these codes will + * continue to compile - even though they won't correctly read + * files of these types. + */ +#ifdef __NetBSD__ +#ifndef DLT_SLIP_BSDOS +#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ +#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ +#endif +#else +#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ +#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ +#endif + +#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ + +/* + * These values are defined by NetBSD; other platforms should refrain from + * using them for other purposes, so that NetBSD savefiles with link + * types of 50 or 51 can be read as this type on all platforms. + */ +#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ +#define DLT_PPP_ETHER 51 /* PPP over Ethernet */ + +/* + * Values between 100 and 103 are used in capture file headers as + * link-layer types corresponding to DLT_ types that differ + * between platforms; don't use those values for new DLT_ new types. + */ + +/* + * This value was defined by libpcap 0.5; platforms that have defined + * it with a different value should define it here with that value - + * a link type of 104 in a save file will be mapped to DLT_C_HDLC, + * whatever value that happens to be, so programs will correctly + * handle files with that link type regardless of the value of + * DLT_C_HDLC. 
+ * + * The name DLT_C_HDLC was used by BSD/OS; we use that name for source + * compatibility with programs written for BSD/OS. + * + * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, + * for source compatibility with programs written for libpcap 0.5. + */ +#define DLT_C_HDLC 104 /* Cisco HDLC */ +#define DLT_CHDLC DLT_C_HDLC + +#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ + +/* + * Values between 106 and 107 are used in capture file headers as + * link-layer types corresponding to DLT_ types that might differ + * between platforms; don't use those values for new DLT_ new types. + */ + +/* + * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except + * that the AF_ type in the link-layer header is in network byte order. + * + * OpenBSD defines it as 12, but that collides with DLT_RAW, so we + * define it as 108 here. If OpenBSD picks up this file, it should + * define DLT_LOOP as 12 in its version, as per the comment above - + * and should not use 108 as a DLT_ value. + */ +#define DLT_LOOP 108 + +/* + * Values between 109 and 112 are used in capture file headers as + * link-layer types corresponding to DLT_ types that might differ + * between platforms; don't use those values for new DLT_ types + * other than the corresponding DLT_ types. + */ + +/* + * This is for Linux cooked sockets. + */ +#define DLT_LINUX_SLL 113 + +/* + * Apple LocalTalk hardware. + */ +#define DLT_LTALK 114 + +/* + * Acorn Econet. + */ +#define DLT_ECONET 115 + +/* + * Reserved for use with OpenBSD ipfilter. + */ +#define DLT_IPFILTER 116 + +/* + * Reserved for use in capture-file headers as a link-layer type + * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, + * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it + * in capture-file headers. + */ +#define DLT_PFLOG 117 + +/* + * Registered for Cisco-internal use. 
+ */ +#define DLT_CISCO_IOS 118 + +/* + * Reserved for 802.11 cards using the Prism II chips, with a link-layer + * header including Prism monitor mode information plus an 802.11 + * header. + */ +#define DLT_PRISM_HEADER 119 + +/* + * Reserved for Aironet 802.11 cards, with an Aironet link-layer header + * (see Doug Ambrisko's FreeBSD patches). + */ +#define DLT_AIRONET_HEADER 120 + +/* + * Reserved for Siemens HiPath HDLC. + */ +#define DLT_HHDLC 121 + +/* + * Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from + * Don Lee . + * + * This is not for use with raw Fibre Channel, where the link-layer + * header starts with a Fibre Channel frame header; it's for IP-over-FC, + * where the link-layer header starts with an RFC 2625 Network_Header + * field. + */ +#define DLT_IP_OVER_FC 122 + +/* + * The instruction encodings. + */ +/* instruction classes */ +#define BPF_CLASS(code) ((code) & 0x07) +#define BPF_LD 0x00 +#define BPF_LDX 0x01 +#define BPF_ST 0x02 +#define BPF_STX 0x03 +#define BPF_ALU 0x04 +#define BPF_JMP 0x05 +#define BPF_RET 0x06 +#define BPF_MISC 0x07 + +/* ld/ldx fields */ +#define BPF_SIZE(code) ((code) & 0x18) +#define BPF_W 0x00 +#define BPF_H 0x08 +#define BPF_B 0x10 +#define BPF_MODE(code) ((code) & 0xe0) +#define BPF_IMM 0x00 +#define BPF_ABS 0x20 +#define BPF_IND 0x40 +#define BPF_MEM 0x60 +#define BPF_LEN 0x80 +#define BPF_MSH 0xa0 + +/* alu/jmp fields */ +#define BPF_OP(code) ((code) & 0xf0) +#define BPF_ADD 0x00 +#define BPF_SUB 0x10 +#define BPF_MUL 0x20 +#define BPF_DIV 0x30 +#define BPF_OR 0x40 +#define BPF_AND 0x50 +#define BPF_LSH 0x60 +#define BPF_RSH 0x70 +#define BPF_NEG 0x80 +#define BPF_JA 0x00 +#define BPF_JEQ 0x10 +#define BPF_JGT 0x20 +#define BPF_JGE 0x30 +#define BPF_JSET 0x40 +#define BPF_SRC(code) ((code) & 0x08) +#define BPF_K 0x00 +#define BPF_X 0x08 + +/* ret - BPF_K and BPF_X also apply */ +#define BPF_RVAL(code) ((code) & 0x18) +#define BPF_A 0x10 + +/* misc */ +#define BPF_MISCOP(code) ((code) & 0xf8) 
+#define BPF_TAX 0x00 +#define BPF_TXA 0x80 + +/* + * The instruction data structure. + */ +struct bpf_insn { + u_short code; + u_char jt; + u_char jf; + bpf_int32 k; +}; + +/* + * Macros for insn array initializers. + */ +#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } +#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } + +#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL)) +/* + * Systems based on non-BSD kernels don't have ifnet's (or they don't mean + * anything if it is in ) and won't work like this. + */ +# if __STDC__ +extern void bpf_tap(struct ifnet *, u_char *, u_int); +extern void bpf_mtap(struct ifnet *, struct mbuf *); +extern void bpfattach(struct ifnet *, u_int, u_int); +extern void bpfilterattach(int); +# else +extern void bpf_tap(); +extern void bpf_mtap(); +extern void bpfattach(); +extern void bpfilterattach(); +# endif /* __STDC__ */ +#endif /* BSD && (_KERNEL || KERNEL) */ +#if __STDC__ || defined(__cplusplus) +extern int bpf_validate(struct bpf_insn *, int); +extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); +#else +extern int bpf_validate(); +extern u_int bpf_filter(); +#endif + +/* + * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). + */ +#define BPF_MEMWORDS 16 + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c index b3319c53aba9..8c72591affcc 100644 --- a/contrib/ipfilter/common.c +++ b/contrib/ipfilter/common.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index 146e70aac1df..a981fcb91992 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
@@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $"; #endif #ifndef _KERNEL @@ -699,7 +699,8 @@ void *m; if (!fr_tcpudpchk(&fr->fr_tuc, fin)) continue; } else if (fr->fr_icmpm || fr->fr_icmp) { - if ((fi->fi_p != IPPROTO_ICMP) || off || + if (((fi->fi_p != IPPROTO_ICMP) && + (fi->fi_p != IPPROTO_ICMPV6)) || off || (fin->fin_dlen < 2)) continue; if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) { @@ -814,6 +815,26 @@ int out; # endif int up; +# if !SOLARIS && !defined(NETBSD_PF) && \ + ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \ + defined(__OpenBSD__) || defined(_BSDI_VERSION)) + if (fr_checkp != fr_check && fr_running > 0) { + static int counter = 0; + + if (counter == 0) { + printf("WARNING: fr_checkp corrupt: value %lx\n", + (u_long)fr_checkp); + printf("WARNING: fr_checkp should be %lx\n", + (u_long)fr_check); + printf("WARNING: fixing fr_checkp\n"); + } + fr_checkp = fr_check; + counter++; + if (counter == 10000) + counter = 0; + } +# endif + # ifdef M_CANFASTFWD /* * XXX For now, IP Filter and fast-forwarding of cached flows @@ -1510,7 +1531,7 @@ tcphdr_t *tcp; * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $ + * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1716,9 +1737,9 @@ frentry_t **listp; } -int frflush(unit, flags) +int frflush(unit, proto, flags) minor_t unit; -int flags; +int proto, flags; { int flushed = 0, set; 
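Review bot: The fr_checkp consistency check added to fr_check silently rewrites the hook pointer back to fr_check and reports the event only through a printf that fires once per 10000 affected packets, so a deliberate redirection of the filter entry point — the most plausible reason for fr_checkp to differ from fr_check on a running system — is undone without leaving any record an administrator can later query. Consider also counting the event in the filter statistics that ipfstat reports, so the repair is visible after the console message has scrolled away. The `static int counter` is read and updated without any locking or SPL protection; on the single-processor BSD kernels this block is compiled for that is presumably harmless, but it deserves a comment such as `/* unlocked: only rate-limits the warning, a lost update is harmless */`. fr_check begins before this hunk and the check runs ahead of the M_CANFASTFWD handling that follows it.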
@@ -1733,19 +1754,35 @@ int flags; if (flags & FR_OUTQUE) { #ifdef USE_INET6 - (void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]); - (void) frflushlist(set, unit, &flushed, &ipacct6[1][set]); + if (proto == 0 || proto == 6) { + (void) frflushlist(set, unit, + &flushed, &ipfilter6[1][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct6[1][set]); + } #endif - (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]); - (void) frflushlist(set, unit, &flushed, &ipacct[1][set]); + if (proto == 0 || proto == 4) { + (void) frflushlist(set, unit, + &flushed, &ipfilter[1][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct[1][set]); + } } if (flags & FR_INQUE) { #ifdef USE_INET6 - (void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]); - (void) frflushlist(set, unit, &flushed, &ipacct6[0][set]); + if (proto == 0 || proto == 6) { + (void) frflushlist(set, unit, + &flushed, &ipfilter6[0][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct6[0][set]); + } #endif - (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]); - (void) frflushlist(set, unit, &flushed, &ipacct[0][set]); + if (proto == 0 || proto == 4) { + (void) frflushlist(set, unit, + &flushed, &ipfilter[0][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct[0][set]); + } } RWLOCK_EXIT(&ipf_mutex); return flushed; diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index e6bf11f2bd75..4092ac4079d3 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -12,7 +12,7 @@ # endif # endif #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
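Review bot: A `proto` value other than 0, 4 or 6 falls through all four new branches in frflush, flushes nothing and returns 0, which the caller cannot distinguish from a successful flush of empty lists; unless the ioctl path validates proto before calling (not visible in this hunk), the accepted values should at least be documented where they are tested, e.g. above the first `if (proto == 0 || proto == 6)`: `/* proto: 0 = both families, 4 = IPv4 lists only, 6 = IPv6 lists only; any other value flushes nothing */`. The IPv6 branches exist only under USE_INET6, so `proto == 6` on a kernel built without it is likewise a silent no-op, and a note on the `#ifdef USE_INET6` would make that explicit. The new `frflush(unit, proto, flags)` signature is in the previous hunk and carries no comment on the meaning of proto or of the return value either.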
@@ -32,8 +32,13 @@ (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000)) # undef STATETOP # endif -# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000) -# undef STATETOP +# if defined(__NetBSD_Version__) +# if (__NetBSD_Version__ < 105000000) +# undef STATETOP +# else +# include +# define USE_POLL +# endif # endif # if defined(sun) # if defined(__svr4__) || defined(__SVR4) @@ -94,7 +99,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.40 2002/12/06 11:40:20 darrenr Exp $"; #endif extern char *optarg; @@ -104,7 +109,8 @@ extern int optind; #define FPRINTF (void)fprintf #define F_IN 0 #define F_OUT 1 -#define F_AC 2 +#define F_ACIN 2 +#define F_ACOUT 3 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", "ipacct(in)", "ipacct(out)" }; @@ -773,13 +779,22 @@ struct friostat *fiop; if (opts & OPT_INACTIVE) set = 1 - set; if (opts & OPT_ACCNT) { - i = F_AC; +#ifdef USE_INET6 + if ((use_inet6) && (opts & OPT_OUTQUE)) { + i = F_ACOUT; + fp = (struct frentry *)fiop->f_acctout6[set]; + } else if ((use_inet6) && (opts & OPT_INQUE)) { + i = F_ACIN; + fp = (struct frentry *)fiop->f_acctin6[set]; + } else +#endif if (opts & OPT_OUTQUE) { + i = F_ACOUT; fp = (struct frentry *)fiop->f_acctout[set]; - i++; - } else if (opts & OPT_INQUE) + } else if (opts & OPT_INQUE) { + i = F_ACIN; fp = (struct frentry *)fiop->f_acctin[set]; - else { + } else { FPRINTF(stderr, "No -i or -o given with -a\n"); return; } @@ -807,7 +822,7 @@ struct friostat *fiop; if (opts & OPT_VERBOSE) PRINTF("fp %p set %d\n", fp, set); - if (!fp) { + if (fp == NULL) { FPRINTF(stderr, "empty list for %s%s\n", (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); return; 
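Review bot: The accounting-list selection now depends on an `else` that sits immediately before `#endif`, with the chain completed by the `if (opts & OPT_OUTQUE)` on the far side of the preprocessor block; this compiles, but the reader has to splice the two halves together, and under `!USE_INET6` the `else` vanishes and the IPv4 tests stand alone. Choosing the direction first, assigning the IPv4 list, and then overriding it under the ifdef when `use_inet6` is set gives the same result for every combination without the dangling else. The IPv6 lists also print under the same `filters[i]` names as the IPv4 ones in the "empty list" message, so that output does not say which family was queried. The enclosing function starts before this hunk and the `if (opts & OPT_ACCNT)` block continues after it.

```c
	if (opts & OPT_ACCNT) {
		if (opts & OPT_OUTQUE) {
			i = F_ACOUT;
			fp = (struct frentry *)fiop->f_acctout[set];
#ifdef USE_INET6
			if (use_inet6)
				fp = (struct frentry *)fiop->f_acctout6[set];
#endif
		} else if (opts & OPT_INQUE) {
			i = F_ACIN;
			fp = (struct frentry *)fiop->f_acctin[set];
#ifdef USE_INET6
			if (use_inet6)
				fp = (struct frentry *)fiop->f_acctin6[set];
#endif
		} else {
			FPRINTF(stderr, "No -i or -o given with -a\n");
			return;
		}
		/* … unchanged: remainder of the accounting branch … */
```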
@@ -915,12 +930,16 @@ int topclosed; ipstate_t *istab[IPSTATE_SIZE], ips; ips_stat_t ipsst, *ipsstp = &ipsst; statetop_t *tstable = NULL, *tp; - struct timeval selecttimeout; char hostnm[HOSTNMLEN]; struct protoent *proto; - fd_set readfd; int c = 0; time_t t; +#ifdef USE_POLL + struct pollfd set[1]; +#else + struct timeval selecttimeout; + fd_set readfd; +#endif /* open state device */ if ((sfd = open(IPL_STATE, O_RDONLY)) == -1) { @@ -1188,6 +1207,14 @@ int topclosed; } /* wait for key press or a 1 second time out period */ +#ifdef USE_POLL + set[0].fd = 0; + set[0].events = POLLIN; + poll(set, 1, refreshtime * 1000); + + /* if key pressed, read all waiting keys */ + if (set[0].revents & POLLIN) +#else selecttimeout.tv_sec = refreshtime; selecttimeout.tv_usec = 0; FD_ZERO(&readfd); @@ -1195,7 +1222,10 @@ int topclosed; select(1, &readfd, NULL, NULL, &selecttimeout); /* if key pressed, read all waiting keys */ - if (FD_ISSET(0, &readfd)) { + if (FD_ISSET(0, &readfd)) +#endif + + { c = wgetch(stdscr); if (c == ERR) continue; diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index efe2e99337d5..604d7547a23c 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $"; #endif @@ -292,9 +292,9 @@ ip_t *ip; cv_signal(&ipfauthwait); #else # if defined(BSD) && !defined(sparc) && (BSD >= 199306) - if (!fin->fin_out) { - HTONS(ip->ip_len); - HTONS(ip->ip_off); + if (fin->fin_out == 0) { + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); } # endif fr_authpkts[i] = m; 
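Review bot: The return value of `poll(set, 1, refreshtime * 1000)` is never checked, so when poll fails — EINTR from a signal during the curses session being the likely case — the code goes on to test `set[0].revents`, whose contents after a failed call are not guaranteed, and may call wgetch on input that is not there. Guarding the test as `if (poll(set, 1, refreshtime * 1000) > 0 && (set[0].revents & POLLIN))` keeps the timeout-and-redraw behaviour for both the timeout and the error case; the select() path below has the same unchecked call, so treating both alike would be consistent. `refreshtime * 1000` is an int product, and if refreshtime arrives from the command line without a bound (not visible here) a large value wraps to a negative timeout, which poll treats as "wait forever". The surrounding loop and function begin outside this hunk.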
@@ -304,7 +304,7 @@ ip_t *ip; } -int fr_auth_ioctl(data, mode, cmd, fr, frptr) +int fr_auth_ioctl(data, mode, cmd) caddr_t data; int mode; #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003) @@ -312,7 +312,6 @@ u_long cmd; #else int cmd; #endif -frentry_t *fr, **frptr; { mb_t *m; #if defined(_KERNEL) && !SOLARIS @@ -320,12 +319,15 @@ frentry_t *fr, **frptr; int s; #endif frauth_t auth, *au = &auth, *fra; - frauthent_t *fae, **faep; int i, error = 0; switch (cmd) { case SIOCSTLCK : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } error = fr_lock(data, &fr_auth_lock); break; case SIOCINIFR : @@ -338,45 +340,8 @@ frentry_t *fr, **frptr; break; case SIOCRMAFR : case SIOCADAFR : - for (faep = &fae_list; (fae = *faep); ) - if (&fae->fae_fr == fr) - break; - else - faep = &fae->fae_next; - if (cmd == SIOCRMAFR) { - if (!fr || !frptr) - error = EINVAL; - else if (!fae) - error = ESRCH; - else { - WRITE_ENTER(&ipf_auth); - SPL_NET(s); - *faep = fae->fae_next; - *frptr = fr->fr_next; - SPL_X(s); - RWLOCK_EXIT(&ipf_auth); - KFREE(fae); - } - } else if (fr && frptr) { - KMALLOC(fae, frauthent_t *); - if (fae != NULL) { - bcopy((char *)fr, (char *)&fae->fae_fr, - sizeof(*fr)); - WRITE_ENTER(&ipf_auth); - SPL_NET(s); - fae->fae_age = fr_defaultauthage; - fae->fae_fr.fr_hits = 0; - fae->fae_fr.fr_next = *frptr; - *frptr = &fae->fae_fr; - fae->fae_next = *faep; - *faep = fae; - ipauth = &fae_list->fae_fr; - SPL_X(s); - RWLOCK_EXIT(&ipf_auth); - } else - error = ENOMEM; - } else - error = EINVAL; + /* These commands go via request to fr_preauthcmd */ + error = EINVAL; break; case SIOCATHST: fr_authstats.fas_faelist = fae_list; 
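Review bot: The new `if (!(mode & FWRITE))` check guards only SIOCSTLCK; SIOCINIFR, whose case label is visible just below it, and whatever other commands the rest of this switch handles are not gated in any hunk shown, so a descriptor opened read-only can still issue them unless the device open routine enforces write access elsewhere. Either apply the same test to every state-changing case, or hoist it ahead of the switch and exempt the query commands, with a comment such as `/* everything except the statistics queries needs a writable descriptor */` so the policy is stated once. The SIOCADAFR/SIOCRMAFR cases now return EINVAL with the note that they go via fr_preauthcmd; naming the caller that performs that dispatch would save the next reader a search. fr_auth_ioctl's body continues past this hunk.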
@@ -630,3 +595,66 @@ void fr_authexpire() RWLOCK_EXIT(&ipf_auth); SPL_X(s); } + +int fr_preauthcmd(cmd, fr, frptr) +#if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) +u_long cmd; +#else +int cmd; +#endif +frentry_t *fr, **frptr; +{ + frauthent_t *fae, **faep; + int error = 0; +#if defined(KERNEL) && !SOLARIS + int s; +#endif + + if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { + /* Should not happen */ + printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd); + return EIO; + } + + for (faep = &fae_list; (fae = *faep); ) + if (&fae->fae_fr == fr) + break; + else + faep = &fae->fae_next; + if (cmd == SIOCRMAFR) { + if (!fr || !frptr) + error = EINVAL; + else if (!fae) + error = ESRCH; + else { + WRITE_ENTER(&ipf_auth); + SPL_NET(s); + *faep = fae->fae_next; + *frptr = fr->fr_next; + SPL_X(s); + RWLOCK_EXIT(&ipf_auth); + KFREE(fae); + } + } else if (fr && frptr) { + KMALLOC(fae, frauthent_t *); + if (fae != NULL) { + bcopy((char *)fr, (char *)&fae->fae_fr, + sizeof(*fr)); + WRITE_ENTER(&ipf_auth); + SPL_NET(s); + fae->fae_age = fr_defaultauthage; + fae->fae_fr.fr_hits = 0; + fae->fae_fr.fr_next = *frptr; + *frptr = &fae->fae_fr; + fae->fae_next = *faep; + *faep = fae; + ipauth = &fae_list->fae_fr; + SPL_X(s); + RWLOCK_EXIT(&ipf_auth); + } else + error = ENOMEM; + } else + error = EINVAL; + return error; +} diff --git a/contrib/ipfilter/ip_auth.h b/contrib/ipfilter/ip_auth.h index cb168c4ca959..e0cbf048f0a5 100644 --- a/contrib/ipfilter/ip_auth.h +++ b/contrib/ipfilter/ip_auth.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_auth.h,v 2.3.2.5 2001/11/04 13:15:51 darrenr Exp $ + * $Id: ip_auth.h,v 2.3.2.6 2002/10/26 07:03:00 darrenr Exp $ * */ #ifndef __IP_AUTH_H__ 
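Review bot: `int s` in fr_preauthcmd is declared under `#if defined(KERNEL) && !SOLARIS`, whereas fr_auth_ioctl in the preceding hunk guards the same variable with `#if defined(_KERNEL) && !SOLARIS`; on a build that defines only `_KERNEL`, the unconditional `SPL_NET(s)`/`SPL_X(s)` calls reference an undeclared `s` wherever those macros expand to real code, so the two guards should agree. The SIOCRMAFR branch unlinks and KFREE()s `fae` without touching `ipauth`, which the add branch points at `&fae_list->fae_fr`; unless ipauth is refreshed elsewhere, removing the head entry leaves it pointing into freed memory, and the line `*faep = fae->fae_next;` is the place to reset it to the new head (or whatever value consumers expect for an empty list). The bad-cmd diagnostic `printf("fr_preauthcmd called with bad cmd 0x%lx", ...)` also lacks a trailing `\n`.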
@@ -54,8 +54,10 @@ extern mb_t *fr_authpkts[]; extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *)); #if defined(__NetBSD__) || defined(__OpenBSD__) || \ (__FreeBSD_version >= 300003) -extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **)); +extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **)); +extern int fr_auth_ioctl __P((caddr_t, int, u_long)); #else -extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **)); +extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **)); +extern int fr_auth_ioctl __P((caddr_t, int, int)); #endif #endif /* __IP_AUTH_H__ */ diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 4d8cfafe2b87..3eacc7354e99 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.47 2002/10/26 06:24:42 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -532,6 +532,7 @@ extern ill_t *get_unit __P((char *, int)); # ifdef sun # if !SOLARIS +# include # include # define GETUNIT(n, v) ifunit(n, IFNAMSIZ) # define IFNAME(x) ((struct ifnet *)x)->if_name @@ -654,6 +655,7 @@ extern vm_map_t kmem_map; # define IWCOPYPTR iwcopyptr # define IFNAME(x) get_ifname((struct ifnet *)x) # define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d) +# include extern void m_copydata __P((mb_t *, int, int, caddr_t)); extern int ipfuiomove __P((caddr_t, int, int, struct uio *)); #endif /* KERNEL */ diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 90bcb8218c8e..8fcd05db7b48 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -24,7 +24,7 @@ # include # endif #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # define _KMEMUSER # include #endif 
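Review bot: The u_long/int choice for fr_preauthcmd's `cmd` here is gated on `defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)`, but the definition in ip_auth.c (the -630 hunk) additionally uses `(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)`, so on BSD/OS and on FreeBSD 300000–300002 the prototype says `int` while the definition says `u_long`, which is a conflicting-types error. fr_auth_ioctl uses the header's condition in both places; fr_preauthcmd should copy that `#if` line verbatim in ip_auth.c (or the header should gain the BSDI clause) so the two stay in step.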
@@ -117,10 +117,14 @@ # include extern int ip_optcopy __P((struct ip *, struct ip *)); #endif +#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL) +extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *, + struct ifnet *, struct in6_addr *, u_long *); +#endif #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.64 2002/12/06 11:45:45 darrenr Exp $"; #endif @@ -192,6 +196,15 @@ struct timeout ipfr_slowtimer_ch; toid_t ipfr_slowtimer_ch; #endif +#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \ + defined(_KERNEL) +# include +const struct cdevsw ipl_cdevsw = { + iplopen, iplclose, iplread, nowrite, iplioctl, + nostop, notty, nopoll, nommap, +}; +#endif + #if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include # include @@ -319,7 +332,7 @@ int count; # endif -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) int ipl_enable() # else int iplattach() @@ -363,10 +376,13 @@ int iplattach() # ifdef NETBSD_PF # if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) # if __NetBSD_Version__ >= 105110000 - if ( - !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET)) + ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); # ifdef USE_INET6 - && !(ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6)) + ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); +# endif + if (ph_inet == NULL +# ifdef USE_INET6 + && ph_inet6 == NULL # endif ) return ENODEV; @@ -484,7 +500,8 @@ int ipldetach() # endif { int s, i; -#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) +#if defined(NETBSD_PF) && \ + ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)) int error = 0; # if __NetBSD_Version__ >= 105150000 struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); 
@@ -524,8 +541,8 @@ int ipldetach() printf("%s unloaded\n", ipfilter_version); fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); + i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); fr_running = 0; # ifdef NETBSD_PF @@ -670,7 +687,16 @@ int mode; if (!fr_running) error = EIO; else - error = fr_auth_ioctl(data, mode, cmd, NULL, NULL); + if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) { + if (!(mode & FWRITE)) { + error = EPERM; + } else { + error = frrequest(unit, cmd, data, + fr_active); + } + } else { + error = fr_auth_ioctl(data, mode, cmd); + } SPL_X(s); return error; } @@ -694,7 +720,7 @@ int mode; if (error) break; if (enable) -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) error = ipl_enable(); # else error = iplattach(); @@ -767,12 +793,26 @@ int mode; else { error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { - tmp = frflush(unit, tmp); + tmp = frflush(unit, 4, tmp); error = IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); } } break; +#ifdef USE_INET6 + case SIOCIPFL6 : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); + if (!error) { + tmp = frflush(unit, 6, tmp); + error = IWCOPY((caddr_t)&tmp, data, + sizeof(tmp)); + } + } + break; +#endif case SIOCSTLCK : error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { @@ -797,12 +837,6 @@ int mode; if (error) error = EFAULT; break; - case SIOCAUTHW : - case SIOCAUTHR : - if (!(mode & FWRITE)) { - error = EPERM; - break; - } case SIOCFRSYN : if (!(mode & FWRITE)) error = EPERM; @@ -1008,6 +1042,9 @@ caddr_t data; return EBUSY; if (fg && fg->fg_head) fg->fg_head->fr_ref--; + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, f, ftail); + } if (f->fr_grhead) fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, unit, set); 
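Review bot: `fg->fg_head->fr_ref--` has already executed when the new `if (unit == IPL_LOGAUTH) return fr_preauthcmd(req, f, ftail);` in the -1008 hunk runs, so if fr_preauthcmd fails (ESRCH when `f` is not on fae_list, EINVAL for a null `ftail`) the group head keeps the lowered reference count while the rule is left in place. Moving the unit test above the decrement, or undoing the decrement on a non-zero return, keeps the count honest; if auth rules cannot carry a group head at all, a comment such as `/* auth rules live on fae_list, not in a group */` on the return would justify the ordering. The enclosing frrequest continues outside the hunk.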
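Review bot: The new middle argument of frflush() is passed as bare literals — `frflush(IPL_LOGIPF, 0, ...)` in the -524 hunk, `frflush(unit, 4, tmp)` and `frflush(unit, 6, tmp)` in the -767 and -793 hunks, and again in the ip_sfil.c hunks later in this diff — while the ip_fil.h prototype only says `int`. The 4 and 6 read as address families and 0 presumably means "all", but nothing in the diff states it; a named constant set, or a comment at the `extern int frflush __P((minor_t, int, int));` prototype naming the argument and the meaning of 0, would stop the call sites from drifting.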
@@ -1022,6 +1059,9 @@ caddr_t data; if (f) error = EEXIST; else { + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, fp, ftail); + } KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) @@ -1247,7 +1287,8 @@ struct mbuf **mp; ip->ip_tos = oip->ip_tos; ip->ip_id = oip->ip_id; -# if defined(__NetBSD__) || defined(__OpenBSD__) +# if defined(__NetBSD__) || \ + (defined(__OpenBSD__) && (OpenBSD >= 200012)) if (ip_mtudisc != 0) ip->ip_off = IP_DF; # else @@ -1482,7 +1523,7 @@ void iplinit() { -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) if (ipl_enable() != 0) # else if (iplattach() != 0) @@ -1587,7 +1628,7 @@ frdest_t *fdp; /* * Route packet. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX >= 605) ROUTE_RDLOCK(); #endif bzero((caddr_t)ro, sizeof (*ro)); @@ -1627,7 +1668,7 @@ frdest_t *fdp; rtalloc(ro); # endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) ROUTE_UNLOCK(); #endif @@ -1898,6 +1939,12 @@ frdest_t *fdp; struct route_in6 *ro; struct ifnet *ifp; frentry_t *fr; +#if defined(OpenBSD) && (OpenBSD >= 200211) + struct route_in6 *ro_pmtu = NULL; + struct in6_addr finaldst; + ip6_t *ip6; +#endif + u_long mtu; int error; ifp = NULL; @@ -1935,11 +1982,23 @@ frdest_t *fdp; dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway; ro->ro_rt->rt_use++; - if (m0->m_pkthdr.len <= nd_ifinfo[ifp->if_index].linkmtu) - error = nd6_output(ifp, fin->fin_ifp, m0, dst6, - ro->ro_rt); - else - error = EMSGSIZE; +#if defined(OpenBSD) && (OpenBSD >= 200211) + ip6 = mtod(m0, ip6_t *); + ro_pmtu = ro; + finaldst = ip6->ip6_dst; + error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu); + if (error == 0) { +#else + mtu = nd_ifinfo[ifp->if_index].linkmtu; +#endif + if (m0->m_pkthdr.len <= mtu) + error = nd6_output(ifp, fin->fin_ifp, m0, + dst6, ro->ro_rt); + else + error = EMSGSIZE; +#if defined(OpenBSD) && (OpenBSD >= 200211) + } +#endif } if (ro->ro_rt != NULL) { 
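Review bot: The add path returns through `fr_preauthcmd(req, fp, ftail)` before the KMALLOC block, so whatever frrequest does after it for every other unit — the `if (fg && fg->fg_head)` bookkeeping on the next context line and anything beyond the hunk — is skipped for IPL_LOGAUTH, while the delete path in the -1008 hunk still decrements `fg->fg_head->fr_ref` for auth rules; the two paths should be symmetric. fr_preauthcmd also bcopy()s `fp`, the entry just copied in from userland, wholesale into the new fae and resets only `fr_hits` and `fr_next`, so members such as `fr_ref` are taken as supplied; a comment at the return stating which fields fr_preauthcmd is responsible for sanitising would make that contract visible. frrequest continues outside the hunk.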
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index 56175f28c986..b97c796376c0 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.34 2002/10/01 15:23:37 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -63,6 +63,7 @@ # define SIOCSTGET _IOWR('r', 81, struct ipstate_save *) # define SIOCSTGSZ _IOWR('r', 82, struct natget) # define SIOCGFRST _IOWR('r', 83, struct ipfrstat *) +# define SIOCIPFL6 _IOWR('r', 84, int) #else # define SIOCADAFR _IOW(r, 60, struct frentry *) # define SIOCRMAFR _IOW(r, 61, struct frentry *) @@ -88,6 +89,7 @@ # define SIOCSTGET _IOWR(r, 81, struct ipstate_save *) # define SIOCSTGSZ _IOWR(r, 82, struct natget) # define SIOCGFRST _IOWR(r, 83, struct ipfrstat *) +# define SIOCIPFL6 _IOWR(r, 84, int) #endif #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR @@ -412,14 +414,16 @@ typedef struct frgroup { * structure which is then followed by any packet data. */ typedef struct iplog { - u_32_t ipl_magic; - u_int ipl_count; - u_long ipl_sec; - u_long ipl_usec; - size_t ipl_dsize; + u_32_t ipl_magic; + u_int ipl_count; + struct timeval ipl_tv; + size_t ipl_dsize; struct iplog *ipl_next; } iplog_t; +#define ipl_sec ipl_tv.tv_sec +#define ipl_usec ipl_tv.tv_usec + #define IPL_MAGIC 0x49504c4d /* 'IPLM' */ #define IPLOG_SIZE sizeof(iplog_t) @@ -612,7 +616,7 @@ extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *)); extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int)); extern int ipflog_read __P((minor_t, struct uio *)); -extern int frflush __P((minor_t, int)); +extern int frflush __P((minor_t, int, int)); extern void frsync __P((void)); extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int)); extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int)); 
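Review bot: iplog_t changes layout (two `u_long` members become one `struct timeval`) while `IPL_MAGIC` on the following context line stays 0x49504c4d, so a consumer of the log stream — a reader of a saved ipmon file, or a tool built against the old header — cannot tell the two record formats apart on any platform where `sizeof(struct timeval)` differs from `2 * sizeof(u_long)`. If kernel and tools are always rebuilt together that may be acceptable, but a comment above the struct saying so, or a new magic value, would record the decision. The `#define ipl_sec ipl_tv.tv_sec` accessors keep old field names compiling but hide that the type changed from `u_long`.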
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index bed47b708f69..0f3b818f9694 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -7,7 +7,7 @@ # define _KERNEL #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.25 2002/12/06 11:40:21 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index a5a27be6b905..010841026840 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.42 2002/11/25 21:42:35 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; 
@@ -39,24 +39,30 @@ extern kmutex_t ipf_rw; #define FTPXY_PASS_2 14 #define FTPXY_PAOK_2 15 +/* + * Values for FTP commands. Numerics cover 0-999 + */ +#define FTPXY_C_PASV 1000 + int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_complete __P((char *, size_t)); int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_init __P((void)); int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); -int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int)); +int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int)); int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); -int ippr_ftp_valid __P((int, char *, size_t)); -int ippr_ftp_server_valid __P((char *, size_t)); -int ippr_ftp_client_valid __P((char *, size_t)); +int ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t)); +int ippr_ftp_server_valid __P((ftpside_t *, char *, size_t)); +int ippr_ftp_client_valid __P((ftpside_t *, char *, size_t)); u_short ippr_ftp_atoi __P((char **)); static frentry_t ftppxyfr; int ippr_ftp_pasvonly = 0; int ippr_ftp_insecure = 0; +int ippr_ftp_forcepasv = 0; /* @@ -123,8 +129,13 @@ int dlen; /* * Check for client sending out PORT message. */ - if (dlen < IPF_MINPORTLEN) + if (dlen < IPF_MINPORTLEN) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen); +#endif return 0; + } off = fin->fin_hlen + (tcp->th_off << 2); /* * Skip the PORT command + space 
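Review bot: `int ippr_ftp_forcepasv = 0;` joins the two existing tunables without a comment, and the only statement of what it does is the check in ippr_ftp_pasv further down this diff. A one-line comment on the declaration, `/* if set, honour a 227 reply only when the client's last command was PASV */`, and one on `#define FTPXY_C_PASV 1000` noting that it shares a field with three-digit numeric reply codes (hence a value above 999), would keep the "Numerics cover 0-999" remark meaningful.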
@@ -134,23 +145,39 @@ int dlen; * Pick out the address components, two at a time. */ a1 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(1) failed\n"); +#endif return 0; + } a2 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(2) failed\n"); +#endif return 0; + } /* * check that IP address in the PORT/PASV reply is the same as the * sender of the command - prevents using PORT for port scanning. */ a1 <<= 16; a1 |= a2; - if (a1 != ntohl(nat->nat_inip.s_addr)) + if (a1 != ntohl(nat->nat_inip.s_addr)) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:a1 != nat->nat_inip\n"); +#endif return 0; + } a5 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(3) failed\n"); +#endif return 0; + } if (*s == ')') s++; @@ -162,8 +189,12 @@ int dlen; if ((*s == '\r') && (*(s + 1) == '\n')) { s += 2; a6 = a5 & 0xff; - } else + } else { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:missing cr-lf\n"); +#endif return 0; + } a5 >>= 8; a5 &= 0xff; /* @@ -181,8 +212,13 @@ int dlen; nlen = strlen(newbuf); inc = nlen - olen; - if ((inc + ip->ip_len) > 65535) + if ((inc + ip->ip_len) > 65535) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc); +#endif return 0; + } #if !defined(_KERNEL) m = *((mb_t **)fin->fin_mp); 
@@ -253,8 +289,13 @@ int dlen; * Don't allow the PORT command to specify a port < 1024 due to * security crap. */ - if (sp < 1024) + if (sp < 1024) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_port:sp(%d) < 1024\n", sp); +#endif return 0; + } + /* * The server may not make the connection back from port 20, but * it is the most likely so use it here to check for a conflicting @@ -369,11 +410,11 @@ int dlen; } -int ippr_ftp_pasv(fin, ip, nat, f, dlen) +int ippr_ftp_pasv(fin, ip, nat, ftp, dlen) fr_info_t *fin; ip_t *ip; nat_t *nat; -ftpside_t *f; +ftpinfo_t *ftp; int dlen; { tcphdr_t *tcp, tcph, *tcp2 = &tcph; @@ -381,23 +422,45 @@ int dlen; u_int a1, a2, a3, a4; u_short a5, a6, dp; fr_info_t fi; + ftpside_t *f; nat_t *ipn; int inc; char *s; + if (ippr_ftp_forcepasv != 0 && + ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n", + ftp->ftp_side[0].ftps_cmds); +#endif + return 0; + } + + f = &ftp->ftp_side[1]; + #define PASV_REPLEN 24 /* * Check for PASV reply message. */ - if (dlen < IPF_MIN227LEN) + if (dlen < IPF_MIN227LEN) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen); +#endif return 0; - else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN)) + } else if (strncmp(f->ftps_rptr, + "227 Entering Passive Mod", PASV_REPLEN)) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:227 reply wrong\n"); +#endif return 0; + } tcp = (tcphdr_t *)fin->fin_dp; /* - * Skip the PORT command + space + * Skip the PASV reply + space */ s = f->ftps_rptr + PASV_REPLEN; while (*s && !isdigit(*s)) 
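Review bot: The new `ippr_ftp_forcepasv` gate compares `ftp->ftp_side[0].ftps_cmds` with FTPXY_C_PASV, but as far as the hunks show `ftps_cmds` is the per-side accepted-command counter: ippr_ftp_process increments it (`f->ftps_cmds++` in the -917 hunk) right after ippr_ftp_valid returns 0, and ippr_ftp_client_valid in the -619 hunk now stores FTPXY_C_PASV or 0 into that same field, so after a PASV command the client side holds 1001 and this check never passes. The separate `ftps_cmd` member this diff adds to ftpside_t in ip_proxy.h is unused, which suggests the intent was for the valid functions to write the command code there and for this check to read it: `if (ippr_ftp_forcepasv != 0 && ftp->ftp_side[0].ftps_cmd != FTPXY_C_PASV)` with the corresponding stores would leave the counter alone. ippr_ftp_pasv continues outside the hunk.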
@@ -406,11 +469,19 @@ int dlen; * Pick out the address components, two at a time. */ a1 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(1) failed\n"); +#endif return 0; + } a2 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(2) failed\n"); +#endif return 0; + } /* * check that IP address in the PORT/PASV reply is the same as the @@ -418,12 +489,20 @@ int dlen; */ a1 <<= 16; a1 |= a2; - if (a1 != ntohl(nat->nat_oip.s_addr)) + if (a1 != ntohl(nat->nat_oip.s_addr)) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:a1 != nat->nat_oip\n"); +#endif return 0; + } a5 = ippr_ftp_atoi(&s); - if (!s) + if (s == NULL) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(3) failed\n"); +#endif return 0; + } if (*s == ')') s++; @@ -437,8 +516,12 @@ int dlen; if ((*s == '\r') && (*(s + 1) == '\n')) { s += 2; a6 = a5 & 0xff; - } else + } else { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_pasv:missing cr-lf\n"); +#endif return 0; + } a5 >>= 8; /* * Calculate new address parts for 227 reply @@ -580,9 +663,9 @@ int dlen; return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) - inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); + inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen); } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { - inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); + inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen); } else if (*rptr == '5' || *rptr == '4') ftp->ftp_passok = FTPXY_INIT; else if (ftp->ftp_incok) { @@ -608,6 +691,7 @@ int dlen; } } ftp->ftp_incok = 0; + while ((*rptr++ != '\n') && (rptr < wptr)) ; f->ftps_rptr = rptr; 
@@ -619,100 +703,150 @@ int dlen; * Look to see if the buffer starts with something which we recognise as * being the correct syntax for the FTP protocol. */ -int ippr_ftp_client_valid(buf, len) +int ippr_ftp_client_valid(ftps, buf, len) +ftpside_t *ftps; char *buf; size_t len; { register char *s, c; register size_t i = len; + char cmd[5]; - if (i < 5) + if (i < 5) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_client_valid:i(%d) < 5\n", i); +#endif return 2; + } s = buf; c = *s++; i--; if (isalpha(c)) { + cmd[0] = toupper(c); c = *s++; i--; if (isalpha(c)) { + cmd[1] = toupper(c); c = *s++; i--; if (isalpha(c)) { + cmd[2] = toupper(c); c = *s++; i--; if (isalpha(c)) { + cmd[3] = toupper(c); c = *s++; i--; if ((c != ' ') && (c != '\r')) - return 1; + goto bad_client_command; } else if ((c != ' ') && (c != '\r')) - return 1; + goto bad_client_command; } else - return 1; + goto bad_client_command; } else - return 1; - } else + goto bad_client_command; + } else { +bad_client_command: +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_client_valid:bad cmd:len %d i %d c 0x%x\n", + i, len, c); +#endif return 1; + } + for (; i; i--) { c = *s++; - if (c == '\n') + if (c == '\n') { + cmd[4] = '\0'; + if (!strcmp(cmd, "PASV")) + ftps->ftps_cmds = FTPXY_C_PASV; + else + ftps->ftps_cmds = 0; return 0; + } } +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_client_valid:junk after cmd[%s]\n", buf); +#endif return 2; } -int ippr_ftp_server_valid(buf, len) +int ippr_ftp_server_valid(ftps, buf, len) +ftpside_t *ftps; char *buf; size_t len; { register char *s, c; register size_t i = len; + int cmd; if (i < 5) return 2; s = buf; c = *s++; + cmd = 0; i--; if (isdigit(c)) { + cmd = (c - '0') * 100; c = *s++; i--; if (isdigit(c)) { + cmd += (c - '0') * 10; c = *s++; i--; if (isdigit(c)) { + cmd += (c - '0'); c = *s++; i--; if ((c != '-') && (c != ' ')) - return 1; + goto bad_server_command; } else - return 1; + goto 
bad_server_command; } else - return 1; - } else + goto bad_server_command; + } else { +bad_server_command: +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_server_valid:bad cmd:len %d i %d c 0x%x\n", + i, len, c); +#endif return 1; + } + for (; i; i--) { c = *s++; - if (c == '\n') + if (c == '\n') { + ftps->ftps_cmds = cmd; return 0; + } } +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, "ippr_ftp_server_valid:junk after cmd[%s]\n", buf); +#endif return 2; } -int ippr_ftp_valid(side, buf, len) +int ippr_ftp_valid(ftp, side, buf, len) +ftpinfo_t *ftp; int side; char *buf; size_t len; { + ftpside_t *ftps; int ret; + ftps = &ftp->ftp_side[side]; + if (side == 0) - ret = ippr_ftp_client_valid(buf, len); + ret = ippr_ftp_client_valid(ftps, buf, len); else - ret = ippr_ftp_server_valid(buf, len); + ret = ippr_ftp_server_valid(ftps, buf, len); return ret; } @@ -814,9 +948,10 @@ int rv; #endif ok = 0; - if (t->ftps_seq[0] == 0) - t->ftps_seq[0] = thack, ok = 1; - else { + if (t->ftps_seq[0] == 0) { + t->ftps_seq[0] = thack; + ok = 1; + } else { if (ackoff == 0) { if (t->ftps_seq[0] == thack) ok = 1; 
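Review bot: In ippr_ftp_client_valid, `cmd[3]` is only assigned when a fourth alphabetic character is present, so for a three-letter command followed by space or CR the later `strcmp(cmd, "PASV")` reads an uninitialised byte; initialising the buffer (`char cmd[5] = "";`, or `cmd[3] = '\0';` before the `if (isalpha(c))` chain) removes that. The userland diagnostics `fprintf(stdout, "...junk after cmd[%s]\n", buf)` in both valid functions print `buf` with `%s` although it is a `len`-bounded window into ftps_buf rather than a NUL-terminated string, so `%.*s` with `(int)len` is the safe form; the `%d` used for the `size_t` arguments `i` and `len` in the bad-command messages belongs to the same family.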
@@ -845,20 +980,24 @@ int rv; #endif if (!mlen) { - if (t->ftps_seq[0] + ackoff != thack) + if (t->ftps_seq[0] + ackoff != thack) { +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n", + t->ftps_seq[0], ackoff, thack); +#endif return APR_ERR(1); + } #if PROXY_DEBUG printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); #endif if (tcp->th_flags & TH_FIN) { - if (thseq + seqoff == f->ftps_seq[0] + 1 || - f->ftps_seq[0] + seqoff + 1 == thseq || - thseq + seqoff == f->ftps_seq[0] || - thseq == f->ftps_seq[0] + seqoff) - ; - else { -#if PROXY_DEBUG + if (thseq == f->ftps_seq[1]) { + f->ftps_seq[0] = f->ftps_seq[1] - seqoff; + f->ftps_seq[1] = thseq + 1 - seqoff; + } else { +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("FIN: thseq %x seqoff %d ftps_seq %x\n", thseq, seqoff, f->ftps_seq[0]); #endif @@ -870,17 +1009,19 @@ int rv; } ok = 0; - if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1]) + if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) { ok = 1; /* * Retransmitted data packet. */ - else if (thseq + mlen == f->ftps_seq[0] || - thseq + mlen == f->ftps_seq[1]) + } else if ((thseq + mlen == f->ftps_seq[0]) || + (thseq + mlen == f->ftps_seq[1])) { ok = 1; + } + if (ok == 0) { inc = thseq - f->ftps_seq[0]; -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("inc %d sel %d rv %d\n", inc, sel, rv); printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], f->ftps_seq[1]); @@ -917,10 +1058,12 @@ int rv; wptr += len; f->ftps_wptr = wptr; if (f->ftps_junk == 2) - f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr); + f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, + wptr - rptr); while ((f->ftps_junk == 0) && (wptr > rptr)) { - f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr); + f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, + wptr - rptr); if (f->ftps_junk == 0) { f->ftps_cmds++; len = wptr - rptr; 
@@ -942,6 +1085,10 @@ int rv; */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { /* f->ftps_seq[1] += inc; */ +#if !defined(_KERNEL) && !defined(KERNEL) + fprintf(stdout, + "ippr_ftp_process:cmds == 0 junk == 1\n"); +#endif return APR_ERR(2); } @@ -985,18 +1132,17 @@ int rv; /* f->ftps_seq[1] += inc; */ if (tcp->th_flags & TH_FIN) f->ftps_seq[1]++; -#ifndef _KERNEL - mlen = mbuflen(m); -#else -# if SOLARIS - mlen = msgdsize(m); -# else - mlen = mbufchainlen(m); -# endif -#endif - off = fin->fin_hlen + (tcp->th_off << 2); - mlen -= off; #if PROXY_DEBUG +# ifndef _KERNEL + mlen = mbuflen(m); +# else +# if SOLARIS + mlen = msgdsize(m); +# else + mlen = mbufchainlen(m); +# endif +# endif + mlen -= off; printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); #endif diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c index 4393c3ba9634..196d64e0fedf 100644 --- a/contrib/ipfilter/ip_lfil.c +++ b/contrib/ipfilter/ip_lfil.c @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.4 2002/03/06 09:44:11 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.5 2002/10/03 13:47:19 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -327,15 +327,6 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode) error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); break; - case SIOCAUTHW : - case SIOCAUTHR : - if (!(mode & FWRITE)) { - error = EPERM; - break; - } - case SIOCATHST : - error = fr_auth_ioctl(data, mode, cmd, NULL, NULL); - break; case SIOCFRSYN : if (!(mode & FWRITE)) error = EPERM; diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c index 6bf7a4d9b171..e57bd690969f 100644 --- a/contrib/ipfilter/ip_log.c +++ b/contrib/ipfilter/ip_log.c 
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_log.c,v 2.5.2.19 2002/04/25 16:32:48 darrenr Exp $ + * $Id: ip_log.c,v 2.5.2.21 2002/10/26 06:21:30 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) @@ -99,6 +99,9 @@ # include # include # include +# ifdef USE_INET6 +# include +# endif # include # ifndef _KERNEL # include @@ -211,6 +214,26 @@ mb_t *m; break; } } +#ifdef USE_INET6 + else if (p == IPPROTO_ICMPV6) { + struct icmp6_hdr *icmp; + + icmp = (struct icmp6_hdr *)fin->fin_dp; + + /* + * For ICMPV6, if the packet is an error packet, also + * include the information about the packet which + * caused the error. + */ + if (icmp->icmp6_type < 128) { + hlen += MIN(sizeof(struct icmp6_hdr) + 8, + fin->fin_dlen); + } else { + hlen += MIN(sizeof(struct icmp6_hdr), + fin->fin_dlen); + } + } +#endif } /* * Get the interface number and name to which this packet is @@ -334,10 +357,10 @@ int *types, cnt; ipl->ipl_dsize = len; # ifdef _KERNEL # if SOLARIS || defined(sun) - uniqtime((struct timeval *)&ipl->ipl_sec); + uniqtime(&ipl->ipl_tv); # else # if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) - microtime((struct timeval *)&ipl->ipl_sec); + microtime(&ipl->ipl_tv); # endif # endif # else diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 854c68dc4a2d..d8c862220cea 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ #define _KERNEL #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.74 2002/12/06 11:40:21 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, 
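Review bot: `icmp->icmp6_type` is dereferenced before `fin->fin_dlen` is consulted, so an ICMPv6 packet whose transport payload is shorter than `struct icmp6_hdr` would have its type read from beyond the data it actually carries; whether the filter path guarantees a complete header at this point is not visible in the hunk. Guarding the read, `if (fin->fin_dlen >= sizeof(*icmp) && icmp->icmp6_type < 128)`, with the `else` keeping its MIN() clamp, makes the logging path safe regardless of what the caller checked. The enclosing function continues outside the hunk.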
@@ -148,6 +148,7 @@ static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); static void nat_hostmapdel __P((struct hostmap *)); +static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *)); int nat_init() @@ -456,8 +457,9 @@ int mode; /* * For add/delete, look to see if the NAT entry is already present */ - if (getlock == 1) + if (getlock == 1) { WRITE_ENTER(&ipf_nat); + } if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { nat = &natd; nat->in_flags &= IPN_USERFLAGS; @@ -726,8 +728,9 @@ int mode; error = EINVAL; break; } - if (getlock == 1) + if (getlock == 1) { RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ + } done: if (nt) KFREE(nt); @@ -1465,6 +1468,7 @@ int direction; nat->nat_p = fin->fin_p; nat->nat_bytes = 0; nat->nat_pkts = 0; + nat->nat_mssclamp = np->in_mssclamp; nat->nat_fr = fin->fin_fr; if (nat->nat_fr != NULL) { ATOMIC_INC32(nat->nat_fr->fr_ref); @@ -2517,6 +2521,16 @@ fr_info_t *fin; */ if (nat->nat_age == fr_tcpclosed) nat->nat_age = fr_tcplastack; + + /* + * Do a MSS CLAMPING on a SYN packet, + * only deal IPv4 for now. + */ + if (nat->nat_mssclamp && + (tcp->th_flags & TH_SYN) != 0) + nat_mssclamp(tcp, nat->nat_mssclamp, + fin, csump); + MUTEX_EXIT(&nat->nat_lock); } else if (fin->fin_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -2728,6 +2742,15 @@ fr_info_t *fin; */ if (nat->nat_age == fr_tcpclosed) nat->nat_age = fr_tcplastack; + /* + * Do a MSS CLAMPING on a SYN packet, + * only deal IPv4 for now. + */ + if (nat->nat_mssclamp && + (tcp->th_flags & TH_SYN) != 0) + nat_mssclamp(tcp, nat->nat_mssclamp, + fin, csump); + MUTEX_EXIT(&nat->nat_lock); } else if (fin->fin_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; 
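Review bot: The MSS-clamp call block is duplicated verbatim in the -2517 and -2728 hunks (condition, comment and call), and `nat->nat_mssclamp = np->in_mssclamp` in the -1465 hunk copies the rule value with no range check, while the SIOCADNAT path visible in the -456 hunk only masks `in_flags`. Factoring the call into one helper or macro keeps the two sites from drifting, and rejecting an `in_mssclamp` above 65535 at rule-load time — it is narrowed to 16 bits by `htons()` in nat_mssclamp — turns a silent truncation into an EINVAL. The comment "Do a MSS CLAMPING on a SYN packet, only deal IPv4 for now." would read better as `/* Clamp the MSS option on SYN packets; IPv4 only for now. */`.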
@@ -2927,3 +2950,60 @@ void *ifp;
 return;
 }
 #endif
+
+
+/*
+ * Check for MSS option and clamp it if necessary.
+ */
+static void nat_mssclamp(tcp, maxmss, fin, csump)
+tcphdr_t *tcp;
+u_32_t maxmss;
+fr_info_t *fin;
+u_short *csump;
+{
+ u_char *cp, *ep, opt;
+ int hlen, advance;
+ u_32_t mss, sumd;
+ u_short v;
+
+ hlen = tcp->th_off << 2;
+ if (hlen > sizeof(*tcp)) {
+ cp = (u_char *)tcp + sizeof(*tcp);
+ ep = (u_char *)tcp + hlen;
+
+ while (cp < ep) {
+ opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ else if (opt == TCPOPT_NOP) {
+ cp++;
+ continue;
+ }
+
+ if (&cp[1] >= ep)
+ break;
+ advance = cp[1];
+ if (&cp[advance] >= ep)
+ break;
+ switch (opt) {
+ case TCPOPT_MAXSEG:
+ if (advance != 4)
+ break;
+ bcopy(&cp[2], &v, sizeof(v));
+ mss = ntohs(v);
+ if (mss > maxmss) {
+ v = htons(maxmss);
+ bcopy(&v, &cp[2], sizeof(v));
+ CALC_SUMD(mss, maxmss, sumd);
+ fix_outcksum(fin, csump, sumd);
+ }
+ break;
+ default:
+ /* ignore unknown options */
+ break;
+ }
+
+ cp += advance;
+ }
+ }
+}
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index e1b160fbf618..e052449b1894 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -4,7 +4,7 @@
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.28 2002/11/03 13:06:21 darrenr Exp $
 */
 
 #ifndef __IP_NAT_H__
@@ -84,6 +84,7 @@ typedef struct nat {
 u_short nat_use;
 u_char nat_tcpstate[2];
 u_char nat_p; /* protocol for NAT */
+ u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
 struct ipnat *nat_ptr; /* pointer back to the rule */
 struct hostmap *nat_hm;
 struct nat *nat_next;
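Review bot: In the option walk of nat_mssclamp a length byte of 0 makes no progress: `advance = cp[1]` is 0, `&cp[0] >= ep` is false, and `cp += advance` leaves `cp` where it was, so a single SYN carrying a zero-length option spins this loop indefinitely, apparently with nat_lock held (MUTEX_EXIT follows the call site in the previous hunk). Every option other than EOL and NOP must have a length of at least 2, so the bound should read `if (advance < 2 || &cp[advance] > ep) break;` — the `>` in place of `>=` also lets an option that ends exactly at `ep`, which is where a trailing MSS option sits, be examined rather than skipped. `maxmss` arrives as `u_32_t` and is narrowed by `htons()`; a comment at the parameter, `/* maxmss: caller guarantees <= 65535 */`, or a check at rule load, should record which side owns that bound.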
@@ -113,6 +114,7 @@ typedef struct ipnat { u_short in_pnext; u_short in_ippip; /* IP #'s per IP# */ u_32_t in_flags; /* From here to in_dport must be reflected */ + u_32_t in_mssclamp; /* if != zero clamp MSS to this */ u_short in_spare; u_short in_ppip; /* ports per IP */ u_short in_port[2]; /* correctly in IPN_CMPSIZ */ diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c index f36753ad0fa3..f3b2cd5d21a2 100644 --- a/contrib/ipfilter/ip_proxy.c +++ b/contrib/ipfilter/ip_proxy.c @@ -7,7 +7,7 @@ # define _KERNEL #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.26 2002/12/06 11:40:23 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -315,7 +315,7 @@ nat_t *nat; sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif if (sum != tcp->th_sum) { -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("proxy tcp checksum failure\n"); #endif frstats[fin->fin_out].fr_tcpbad++; @@ -323,8 +323,8 @@ nat_t *nat; } /* - * Don't both the proxy with these...or in fact, should - * we free up proxy stuff when seen? + * Don't bother the proxy with these...or in fact, + * should we free up proxy stuff when seen? */ if ((tcp->th_flags & TH_RST) != 0) return 0; @@ -342,13 +342,13 @@ nat_t *nat; rv = APR_EXIT(err); if (rv == 1) { -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("proxy says bad packet received\n"); #endif return -1; } if (rv == 2) { -#if PROXY_DEBUG +#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) printf("proxy says free app proxy data\n"); #endif appr_free(apr); 
@@ -424,7 +424,7 @@ ap_session_t *aps; apr = aps->aps_apr; if ((apr != NULL) && (apr->apr_del != NULL)) (*apr->apr_del)(aps); - + if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) KFREES(aps->aps_data, aps->aps_psiz); KFREE(aps); @@ -468,7 +468,7 @@ int inc; sel, !sel, seq1, aps->aps_seqmin[!sel]); #endif sel = aps->aps_sel[out] = !sel; -} + } if (aps->aps_seqoff[sel]) { seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; @@ -503,7 +503,7 @@ int inc; sel, !sel, seq1, aps->aps_ackmin[!sel]); #endif sel = aps->aps_sel[1 - out] = !sel; -} + } if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { seq2 = aps->aps_ackoff[sel]; @@ -522,7 +522,7 @@ int inc; sel, !sel, seq1, aps->aps_ackmin[!sel]); #endif sel = aps->aps_sel[out] = !sel; -} + } if (aps->aps_ackoff[sel]) { seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; @@ -557,7 +557,7 @@ int inc; sel, !sel, seq1, aps->aps_seqmin[!sel]); #endif sel = aps->aps_sel[1 - out] = !sel; -} + } if (aps->aps_seqoff[sel] != 0) { #if PROXY_DEBUG diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h index fad791dcd67b..50b0559ea263 100644 --- a/contrib/ipfilter/ip_proxy.h +++ b/contrib/ipfilter/ip_proxy.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $ + * $Id: ip_proxy.h,v 2.8.2.14 2002/09/02 12:19:26 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -99,6 +99,7 @@ typedef struct ftpside { u_32_t ftps_len; int ftps_junk; int ftps_cmds; + int ftps_cmd; char ftps_buf[FTP_BUFSZ]; } ftpside_t; diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c index 641d303c023e..3fecf49e2aec 100644 --- a/contrib/ipfilter/ip_rcmd_pxy.c +++ b/contrib/ipfilter/ip_rcmd_pxy.c @@ -1,5 +1,5 @@ /* - * $Id: ip_rcmd_pxy.c,v 1.4.2.5 2001/10/30 16:38:14 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.4.2.6 2002/10/01 15:24:59 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT 
@@ -143,6 +143,7 @@ nat_t *nat; tcp2->th_sport = htons(sp); tcp2->th_dport = 0; /* XXX - don't specify remote port */ tcp2->th_off = 5; + tcp2->th_flags = TH_SYN; fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; fi.fin_dlen = sizeof(*tcp2); diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 2904585c5885..0cb2181f7fb2 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.24 2002/12/06 11:42:22 darrenr Exp $"; #endif #include @@ -88,8 +88,8 @@ int ipldetach() for (i = IPL_LOGMAX; i >= 0; i--) ipflog_clear(i); #endif - i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); + i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); ipfr_unload(); fr_stateunload(); ip_natunload(); @@ -226,7 +226,16 @@ int *rp; return error; } if (unit == IPL_LOGAUTH) { - error = fr_auth_ioctl((caddr_t)data, mode, cmd, NULL, NULL); + if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) { + if (!(mode & FWRITE)) { + error = EPERM; + } else { + error = frrequest(unit, cmd, (caddr_t)data, + fr_active); + } + } else { + error = fr_auth_ioctl((caddr_t)data, mode, cmd); + } RWLOCK_EXIT(&ipf_solaris); return error; } @@ -316,7 +325,7 @@ int *rp; error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { - tmp = frflush(unit, tmp); + tmp = frflush(unit, 4, tmp); error = IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); if (error) 
@@ -324,6 +333,23 @@ int *rp; } } break; +#ifdef USE_INET6 + case SIOCIPFL6 : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = IRCOPY((caddr_t)data, (caddr_t)&tmp, + sizeof(tmp)); + if (!error) { + tmp = frflush(unit, 6, tmp); + error = IWCOPY((caddr_t)&tmp, (caddr_t)data, + sizeof(tmp)); + if (error) + error = EFAULT; + } + } + break; +#endif case SIOCSTLCK : error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { @@ -383,6 +409,9 @@ int v; { size_t len = strlen(name) + 1; /* includes \0 */ ill_t *il; +#if SOLARIS2 >= 10 + ill_walk_context_t ctx; +#endif int sap; if (v == 4) @@ -391,7 +420,11 @@ int v; sap = 0x86dd; else return NULL; +#if SOLARIS2 >= 10 + for (il = ILL_START_WALK_ALL(&ctx); il; il = ill_next(&ctx, il)) +#else for (il = ill_g_head; il; il = il->ill_next) +#endif if ((len == il->ill_name_length) && (il->ill_sap == sap) && !strncmp(il->ill_name, name, len)) return il; @@ -614,6 +647,9 @@ caddr_t data; } if (fg && fg->fg_head) fg->fg_head->fr_ref--; + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, f, ftail); + } if (f->fr_grhead) fr_delgroup(f->fr_grhead, fp->fr_flags, unit, set); @@ -628,6 +664,9 @@ caddr_t data; if (f) { error = EEXIST; } else { + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, fp, ftail); + } KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 43fe8203ceea..5ab78cc3b34a 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
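Review bot: The two new `return fr_preauthcmd(...)` exits in frrequest (fourth and fifth hunks on this line; the function's head and tail are outside the hunks) are not symmetric with respect to the group reference count: on the remove path the return comes after `fg->fg_head->fr_ref--` has already run, while on the add path it comes before the matching increment that follows KMALLOC. If fr_preauthcmd neither adjusts fr_ref itself nor is restricted to rules outside groups, an auth rule added and later removed through this path leaves the group head's count one too low; worth confirming against fr_preauthcmd, and worth a comment either way, e.g. `/* auth rules: fr_preauthcmd owns insert/remove; group fr_ref was dropped above */`. A direct return also bypasses whatever common cleanup the rest of frrequest performs after this point, which the hunk does not show.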
@@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.77 2002/12/06 11:40:24 darrenr Exp $"; #endif #ifndef MIN @@ -117,8 +117,8 @@ static frentry_t *fr_checkicmp6matchingstate __P((ip6_t *, fr_info_t *)); static int fr_matchsrcdst __P((ipstate_t *, union i6addr, union i6addr, fr_info_t *, tcphdr_t *)); static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *)); -static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *)); -static int fr_state_flush __P((int)); +static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *, int)); +static int fr_state_flush __P((int, int)); static ips_stat_t *fr_statetstats __P((void)); static void fr_delstate __P((ipstate_t *)); static int fr_state_remove __P((caddr_t)); @@ -203,8 +203,8 @@ static ips_stat_t *fr_statetstats() * starting at > 4 days idle and working back in successive half- * days to at most 12 hours old. */ -static int fr_state_flush(which) -int which; +static int fr_state_flush(which, proto) +int which, proto; { ipstate_t *is, **isp; #if defined(_KERNEL) && !SOLARIS @@ -216,6 +216,9 @@ int which; for (isp = &ips_list; (is = *isp); ) { delete = 0; + if ((proto != 0) && (is->is_v != proto)) + continue; + switch (which) { case 0 : 
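Review bot: The new `continue` in fr_state_flush() (fourth hunk on this line) does not advance `isp`: the `for (isp = &ips_list; (is = *isp); )` header has no increment, so the walk pointer must be stepped inside the body, which `continue` skips, and the loop re-tests the same entry forever as soon as the list holds a state of the other IP version. Since the ioctl hunks on the next line call this with proto 4 and 6, a v4 flush with any v6 state present (or the reverse) would spin under the state write lock. The skip has to step explicitly: `if ((proto != 0) && (is->is_v != proto)) { isp = &is->is_next; continue; }`. The remainder of the loop body is outside the hunk.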
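Review bot: fr_matchicmpqueryreply() gains a fourth K&R parameter `rev` in its definition (fifth hunk on this line) but the visible declaration list still ends at `icmphdr_t *icmp;`, and the line offsets between this hunk and the next (-1118/+1135 and -1128/+1145, both +17) show that no declaration was inserted between them, so the parameter falls back to implicit int. Add `int rev;` after `icmphdr_t *icmp;` so the definition matches the prototype `__P((int, ipstate_t *, icmphdr_t *, int))` added in the second hunk.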
@@ -337,12 +340,26 @@ int mode; break; if (arg == 0 || arg == 1) { WRITE_ENTER(&ipf_state); - ret = fr_state_flush(arg); + ret = fr_state_flush(arg, 4); RWLOCK_EXIT(&ipf_state); error = IWCOPY((caddr_t)&ret, data, sizeof(ret)); } else error = EINVAL; break; +#ifdef USE_INET6 + case SIOCIPFL6 : + error = IRCOPY(data, (caddr_t)&arg, sizeof(arg)); + if (error) + break; + if (arg == 0 || arg == 1) { + WRITE_ENTER(&ipf_state); + ret = fr_state_flush(arg, 6); + RWLOCK_EXIT(&ipf_state); + error = IWCOPY((caddr_t)&ret, data, sizeof(ret)); + } else + error = EINVAL; + break; +#endif #ifdef IPFILTER_LOG case SIOCIPFFB : if (!(mode & FWRITE)) @@ -1118,7 +1135,7 @@ tcphdr_t *tcp; return 1; } -static int fr_matchicmpqueryreply(v, is, icmp) +static int fr_matchicmpqueryreply(v, is, icmp, rev) int v; ipstate_t *is; icmphdr_t *icmp; @@ -1128,8 +1145,8 @@ icmphdr_t *icmp; * If we matched its type on the way in, then when going out * it will still be the same type. */ - if (((icmp->icmp_type == is->is_type) || - (icmpreplytype4[is->is_type] == icmp->icmp_type))) { + if ((!rev && (icmp->icmp_type == is->is_type)) || + (rev && (icmpreplytype4[is->is_type] == icmp->icmp_type))) { if (icmp->icmp_type != ICMP_ECHOREPLY) return 1; if ((icmp->icmp_id == is->is_icmp.ics_id) && @@ -1139,8 +1156,8 @@ icmphdr_t *icmp; } #ifdef USE_INET6 else if (is->is_v == 6) { - if (((icmp->icmp_type == is->is_type) || - (icmpreplytype6[is->is_type] == icmp->icmp_type))) { + if ((!rev && (icmp->icmp_type == is->is_type)) || + (rev && (icmpreplytype6[is->is_type] == icmp->icmp_type))) { if (icmp->icmp_type != ICMP6_ECHO_REPLY) return 1; if ((icmp->icmp_id == is->is_icmp.ics_id) && 
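Review bot: The new SIOCIPFL6 case in the state ioctl switch (first hunk on this line) flushes the table without testing `mode & FWRITE`, unlike the SIOCIPFFB case just below it and unlike the SIOCIPFL6 case this same commit adds to ip_sfil.c, which returns EPERM on a read-only open. The visible part of the sibling SIOCIPFFL case has the same shape, so if its head (outside the hunk) does not check either, both should be fixed together; the check is two lines at the top of the case: `if (!(mode & FWRITE)) { error = EPERM; break; }`. A state flush mutates the table and should require the same open mode as the other writing ioctls on the device.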
@@ -1278,7 +1295,7 @@ fr_info_t *fin; for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) if ((is->is_p == pr) && (is->is_v == 4) && fr_matchsrcdst(is, src, dst, &ofin, NULL) && - fr_matchicmpqueryreply(is->is_v, is, icmp)) { + fr_matchicmpqueryreply(is->is_v, is, icmp, fin->fin_rev)) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; @@ -1460,7 +1477,7 @@ fr_info_t *fin; for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext) if ((is->is_p == pr) && (is->is_v == v) && fr_matchsrcdst(is, src, dst, fin, NULL) && - fr_matchicmpqueryreply(v, is, ic)) { + fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) { rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; @@ -1515,7 +1532,7 @@ fr_info_t *fin; for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext) if ((is->is_p == pr) && (is->is_v == v) && fr_matchsrcdst(is, src, dst, fin, NULL) && - fr_matchicmpqueryreply(v, is, ic)) { + fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) { rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; @@ -1750,7 +1767,7 @@ void fr_timeoutstate() } else isp = &is->is_next; if (fr_state_doflush) { - (void) fr_state_flush(2); + (void) fr_state_flush(2, 0); fr_state_doflush = 0; } RWLOCK_EXIT(&ipf_state); diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index b22addf0d5ff..b6a60c7469e0 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -12,7 +12,7 @@ # endif # endif #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -50,7 +50,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.19 2002/12/06 11:41:13 darrenr Exp $"; #endif #if SOLARIS 
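Review bot: In the first hunk on this line the match calls `fr_matchsrcdst(is, src, dst, &ofin, NULL)` but then passes `fin->fin_rev` to fr_matchicmpqueryreply(), whereas the two later hunks pass the direction of the same `fin` they gave fr_matchsrcdst. If fr_matchsrcdst records the matched direction in the fin_rev of the fin it is handed (which the other two call sites appear to rely on), the value that belongs to this lookup is `ofin.fin_rev`, and `fin->fin_rev` is the outer packet's field that may not have been set at this point. Suggest `fr_matchicmpqueryreply(is->is_v, is, icmp, ofin.fin_rev)` unless the outer direction is intended, in which case a one-line comment saying so would help; the enclosing function's body is mostly outside the hunk.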
@@ -440,9 +440,15 @@ char *arg; rem = fl; closedevice(); - if (opendevice(IPL_STATE) != -2 && - ioctl(fd, SIOCIPFFL, &fl) == -1) - perror("ioctl(SIOCIPFFL)"); + if (opendevice(IPL_STATE) != -2) { + if (use_inet6) { + if (ioctl(fd, SIOCIPFL6, &fl) == -1) + perror("ioctl(SIOCIPFL6)"); + } else { + if (ioctl(fd, SIOCIPFFL, &fl) == -1) + perror("ioctl(SIOCIPFFL)"); + } + } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { printf("remove flags %s (%d)\n", arg, rem); printf("removed %d filter rules\n", fl); @@ -459,8 +465,15 @@ char *arg; fl |= (opts & FR_INACTIVE); rem = fl; - if (opendevice(ipfname) != -2 && ioctl(fd, SIOCIPFFL, &fl) == -1) - perror("ioctl(SIOCIPFFL)"); + if (opendevice(ipfname) != -2) { + if (use_inet6) { + if (ioctl(fd, SIOCIPFL6, &fl) == -1) + perror("ioctl(SIOCIPFL6)"); + } else { + if (ioctl(fd, SIOCIPFFL, &fl) == -1) + perror("ioctl(SIOCIPFFL)"); + } + } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "", (rem & FR_OUTQUE) ? "O" : "", rem); diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c index 0e864f7c2361..84fadc05d0c6 100644 --- a/contrib/ipfilter/ipfs.c +++ b/contrib/ipfilter/ipfs.c @@ -45,7 +45,7 @@ #include "ipf.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.12 2002/09/26 12:25:19 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR 
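Review bot: Both ipf.c hunks on this line add the same eight-line block choosing between SIOCIPFL6 and SIOCIPFFL and printing the matching perror() label, so the v4/v6 decision now lives in two places and any later change to it (another ioctl, a different error path) has to be made twice. A small static helper taking the flag pointer, called from both sites after the opendevice() test, keeps one copy, as sketched below; `fd` and `use_inet6` are used as the file-scope names the hunks already reference, and the enclosing function's head is outside the hunks.
```c
/* Issue the v6 or v4 flush ioctl according to -6 (use_inet6). */
static void flushioctl(fl)
int *fl;
{
	if (use_inet6) {
		if (ioctl(fd, SIOCIPFL6, fl) == -1)
			perror("ioctl(SIOCIPFL6)");
	} else {
		if (ioctl(fd, SIOCIPFFL, fl) == -1)
			perror("ioctl(SIOCIPFFL)");
	}
}

/* … unchanged: first caller up to closedevice() … */
	if (opendevice(IPL_STATE) != -2)
		flushioctl(&fl);
/* … unchanged: second caller up to rem = fl … */
	if (opendevice(ipfname) != -2)
		flushioctl(&fl);
```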
@@ -77,19 +77,25 @@ int setlock __P((int, int)); int writeall __P((char *)); int readall __P((char *)); int writenat __P((int, char *)); +char *concat __P((char *, char *)); int opts = 0; void usage() { - fprintf(stderr, "usage: ipfs [-nv] -l\n"); - fprintf(stderr, "usage: ipfs [-nv] -u\n"); - fprintf(stderr, "usage: ipfs [-nv] [-d ] -R\n"); - fprintf(stderr, "usage: ipfs [-nv] [-d ] -W\n"); - fprintf(stderr, "usage: ipfs [-nNSv] [-f ] -r\n"); - fprintf(stderr, "usage: ipfs [-nNSv] [-f ] -w\n"); - fprintf(stderr, "usage: ipfs [-nNSv] -f -i ,\n"); + fprintf(stderr, "\ +usage: ipfs [-nv] -l\n\ +usage: ipfs [-nv] -u\n\ +usage: ipfs [-nv] [-d ] -R\n\ +usage: ipfs [-nv] [-d ] -W\n\ +usage: ipfs [-nv] -N [-f | -d ] -r\n\ +usage: ipfs [-nv] -S [-f | -d ] -r\n\ +usage: ipfs [-nv] -N [-f | -d ] -w\n\ +usage: ipfs [-nv] -S [-f | -d ] -w\n\ +usage: ipfs [-nv] -N [-f | -d ] -i ,\n\ +usage: ipfs [-nv] -S [-f | -d ] -i ,\n\ +"); exit(1); } @@ -218,7 +224,7 @@ char *argv[]; usage(); break; case 'f' : - if ((set == 0) && !dirname && !filename) + if ((set == 1) && !dirname && !filename && !(rw & 2)) filename = optarg; else usage(); @@ -243,12 +249,14 @@ char *argv[]; set = 1; break; case 'r' : - if ((ns >= 0) || dirname || (rw != -1)) + if (dirname || (rw != -1) || (ns == -1)) usage(); rw = 0; set = 1; break; case 'R' : + if (filename || (ns != -1)) + usage(); rw = 2; set = 1; break; 
@@ -274,14 +282,31 @@ char *argv[]; set = 1; break; case 'W' : + if (filename || (ns != -1)) + usage(); rw = 3; set = 1; break; - case '?' : default : usage(); } + if (filename == NULL) { + if (ns == 0) { + if (dirname == NULL) + dirname = IPF_SAVEDIR; + if (dirname[strlen(dirname) - 1] != '/') + dirname = concat(dirname, "/"); + filename = concat(dirname, IPF_NATFILE); + } else if (ns == 1) { + if (dirname == NULL) + dirname = IPF_SAVEDIR; + if (dirname[strlen(dirname) - 1] != '/') + dirname = concat(dirname, "/"); + filename = concat(dirname, IPF_STATEFILE); + } + } + if (ifs) { if (!filename || ns < 0) usage(); @@ -331,6 +356,20 @@ char *argv[]; } +char *concat(base, append) +char *base, *append; +{ + char *str; + + str = malloc(strlen(base) + strlen(append) + 1); + if (str != NULL) { + strcpy(str, base); + strcat(str, append); + } + return str; +} + + int opendevice(ipfdev) char *ipfdev; { diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c index ae408277856a..6b34ac0ed06d 100644 --- a/contrib/ipfilter/ipft_ef.c +++ b/contrib/ipfilter/ipft_ef.c @@ -17,7 +17,7 @@ etherfind -n -t 0.32 91 04 131.170.1.10 128.250.133.13 0.33 566 udp 128.250.37.155 128.250.133.3 901 901 */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -52,7 +52,7 @@ etherfind -n -t #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.4 2002/12/06 11:40:25 darrenr Exp $"; #endif static int etherf_open __P((char *)); diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c index 2ce233534fc8..b26bd93e02aa 100644 --- a/contrib/ipfilter/ipft_hx.c +++ b/contrib/ipfilter/ipft_hx.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
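Review bot: The filename construction in the first hunk on this line indexes `dirname[strlen(dirname) - 1]` without checking that dirname is non-empty, so `-d ''` reads one byte before the string; and neither concat() result is checked for NULL, although concat (added in the second hunk) returns NULL on malloc failure, so a failed first call feeds NULL into strlen() in the second. The two branches differ only in the file name, so they can be collapsed and guarded once, as below. The intermediate string from the "/" concat is also leaked, harmless in a one-shot command but worth a comment if it stays. The enclosing function (main, judging by the `char *argv[]` context) starts before the hunk.
```c
	if (filename == NULL && (ns == 0 || ns == 1)) {
		if (dirname == NULL)
			dirname = IPF_SAVEDIR;
		/* an empty -d would otherwise index dirname[-1] */
		if (*dirname != '\0' && dirname[strlen(dirname) - 1] != '/')
			dirname = concat(dirname, "/");
		if (dirname != NULL)
			filename = concat(dirname,
					  (ns == 0) ? IPF_NATFILE : IPF_STATEFILE);
		if (filename == NULL) {
			fprintf(stderr, "%s: out of memory\n", argv[0]);
			exit(1);
		}
	}
	/* … unchanged: if (ifs) { … */
```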
@@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.5 2002/02/22 15:32:54 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.6 2002/12/06 11:40:25 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c index 8b80fecd64ae..b6060de2297d 100644 --- a/contrib/ipfilter/ipft_pc.c +++ b/contrib/ipfilter/ipft_pc.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -31,13 +31,15 @@ #include #include "ipf.h" #include "pcap.h" +#include "bpf.h" #include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.5 2002/12/06 11:40:25 darrenr Exp $"; #endif struct llc { + int lc_type; int lc_sz; /* LLC header length */ int lc_to; /* LLC Type offset */ int lc_tl; /* LLC Type length */ 
@@ -47,23 +49,48 @@ struct llc { * While many of these maybe the same, some do have different header formats * which make this useful. */ -#define DLT_MAX 14 -static struct llc llcs[DLT_MAX+1] = { - { 0, 0, 0 }, /* DLT_NULL */ - { 14, 12, 2 }, /* DLT_E10MB */ - { 0, 0, 0 }, /* DLT_EN3MB */ - { 0, 0, 0 }, /* DLT_AX25 */ - { 0, 0, 0 }, /* DLT_PRONET */ - { 0, 0, 0 }, /* DLT_CHAOS */ - { 0, 0, 0 }, /* DLT_IEEE802 */ - { 0, 0, 0 }, /* DLT_ARCNET */ - { 0, 0, 0 }, /* DLT_SLIP */ - { 0, 0, 0 }, /* DLT_PPP */ - { 0, 0, 0 }, /* DLT_FDDI */ - { 0, 0, 0 }, /* DLT_ATMRFC1483 */ - { 0, 0, 0 }, /* DLT_LOOP */ - { 0, 0, 0 } /* DLT_ENC */ +static struct llc llcs[] = { + { DLT_NULL, 0, 0, 0 }, + { DLT_EN10MB, 14, 12, 2 }, + { DLT_EN3MB, 0, 0, 0 }, + { DLT_AX25, 0, 0, 0 }, + { DLT_PRONET, 0, 0, 0 }, + { DLT_CHAOS, 0, 0, 0 }, + { DLT_IEEE802, 0, 0, 0 }, + { DLT_ARCNET, 0, 0, 0 }, + { DLT_SLIP, 0, 0, 0 }, + { DLT_PPP, 0, 0, 0 }, + { DLT_FDDI, 0, 0, 0 }, +#ifdef DLT_ATMRFC1483 + { DLT_ATMRFC1483, 0, 0, 0 }, +#endif + { DLT_RAW, 0, 0, 0 }, +#ifdef DLT_ENC + { DLT_ENC, 0, 0, 0 }, +#endif +#ifdef DLT_SLIP_BSDOS + { DLT_SLIP_BSDOS, 0, 0, 0 }, +#endif +#ifdef DLT_PPP_BSDOS + { DLT_PPP_BSDOS, 0, 0, 0 }, +#endif +#ifdef DLT_HIPPI + { DLT_HIPPI, 0, 0, 0 }, +#endif +#ifdef DLT_HDLC + { DLT_HDLC, 0, 0, 0 }, +#endif +#ifdef DLT_PPP_SERIAL + { DLT_PPP_SERIAL, 4, 4, 0 }, +#endif +#ifdef DLT_PPP_ETHER + { DLT_PPP_ETHER, 8, 8, 0 }, +#endif +#ifdef DLT_ECONET + { DLT_ECONET, 0, 0, 0 }, +#endif + { -1, -1, -1, -1 } }; static int pcap_open __P((char *)); @@ -73,6 +100,7 @@ static void swap_hdr __P((pcaphdr_t *)); static int pcap_read_rec __P((struct pcap_pkthdr *)); static int pfd = -1, s_type = -1, swapped = 0; +static struct llc *llcp = NULL; struct ipread pcap = { pcap_open, pcap_close, pcap_readip }; @@ -96,7 +124,7 @@ static int pcap_open(fname) char *fname; { pcaphdr_t ph; - int fd; + int fd, i; if (pfd != -1) return pfd; 
@@ -118,7 +146,18 @@ char *fname; swap_hdr(&ph); } - if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) { + if (ph.pc_v_maj != PCAP_VERSION_MAJ) { + (void) close(fd); + return -2; + } + + for (i = 0; llcs[i].lc_type != -1; i++) + if (llcs[i].lc_type == ph.pc_type) { + llcp = llcs + i; + break; + } + + if (llcp == NULL) { (void) close(fd); return -2; } @@ -210,7 +249,9 @@ int cnt, *dir; char *s, ty[4]; int i, n; - do { + l = llcp; + + /* do { */ if ((i = pcap_read_rec(&rec)) <= 0) return i; @@ -223,12 +264,11 @@ int cnt, *dir; if (read(pfd, s, i) != i) return -2; - l = &llcs[s_type]; i -= l->lc_sz; s += l->lc_to; bcopy(s, ty, l->lc_tl); s += l->lc_tl; - } while (ty[0] != 0x8 && ty[1] != 0); + /* } while (ty[0] != 0x8 && ty[1] != 0); */ n = MIN(i, cnt); bcopy(s, buf, n); return n; diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c index 1a8f5a271ddd..859bf5ed9df7 100644 --- a/contrib/ipfilter/ipft_sn.c +++ b/contrib/ipfilter/ipft_sn.c @@ -7,7 +7,7 @@ /* * Written to comply with the recent RFC 1761 from Sun. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -38,7 +38,7 @@ #include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $"; #endif struct llc { diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c index 7fede06c1868..b3b7d176eef6 100644 --- a/contrib/ipfilter/ipft_td.c +++ b/contrib/ipfilter/ipft_td.c @@ -26,7 +26,7 @@ tcpdump -nqte 8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27 */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
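Review bot: In pcap_readip (second and third hunks on this line; the function's head is outside them) `i -= l->lc_sz` is applied to the record length from pcap_read_rec() without first checking `i >= l->lc_sz`, so a capture record shorter than the link-layer header (a truncated or malformed pcap file) leaves i negative, which `MIN(i, cnt)` then hands to bcopy as a size. A guard after the read, `if (i < l->lc_sz) return -2;`, closes that. Separately, with the `do { … } while (ty[0] != 0x8 && ty[1] != 0)` loop commented out, `ty` is still filled but never examined, so non-IP frames now come back as packet data; if that is intended, removing the commented-out lines and the now-unused `ty` reads better than leaving them in place.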
@@ -61,7 +61,7 @@ tcpdump -nqte #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $"; #endif static int tcpd_open __P((char *)); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index 1de571355b82..7ea87e334c86 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -44,7 +44,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.8 2002/12/06 11:40:26 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index ced3e567b162..2a23a441a12f 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.38 2002/12/07 02:40:05 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.29" +#define IPL_VERSION "IP Filter: v3.4.31" #endif diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index 3d77bf58f86a..f536f358152c 100644 --- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y 
@@ -6,10 +6,10 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_y.y,v 2.2.2.2 2002/02/22 15:32:57 darrenr Exp $ + * $Id: iplang_y.y,v 2.2.2.3 2002/12/06 11:41:14 darrenr Exp $ */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -52,7 +52,7 @@ #include "iplang.h" #if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \ - __FreeBSD_version < 400020) + __FreeBSD_version < 400020 ) && SOLARIS2 < 10 extern struct ether_addr *ether_aton __P((char *)); #endif diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index 88270b9524fc..2c563d7a41d7 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -7,7 +7,7 @@ #define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun) #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -68,7 +68,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.37 2002/12/06 11:40:26 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index 5df3f20e41f9..2c1093971ac8 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -5,7 +5,7 @@ * * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -60,7 +60,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.22 2002/12/06 11:40:26 darrenr Exp $"; #endif 
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c index 920c7e10c552..de9f4d9ce703 100644 --- a/contrib/ipfilter/ipsend/44arp.c +++ b/contrib/ipfilter/ipsend/44arp.c @@ -1,7 +1,7 @@ /* * Based upon 4.4BSD's /usr/sbin/arp */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c index 307f4cb6547c..8e5f7f4b8d42 100644 --- a/contrib/ipfilter/ipsend/arp.c +++ b/contrib/ipfilter/ipsend/arp.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -29,7 +29,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index dc2b816489b9..8d30bf5031ac 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -32,7 +32,7 @@ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.4 2002/02/22 15:32:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.5 2002/12/06 11:40:35 darrenr Exp $"; #endif static char *ipbuf = NULL, *ethbuf = NULL; diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c index ea63ab29caee..9252b4b00b18 100644 --- a/contrib/ipfilter/ipsend/ipresend.c +++ b/contrib/ipfilter/ipsend/ipresend.c @@ -8,7 +8,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
@@ -34,7 +34,7 @@ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index 4dc5e973bb92..4e3f050dfba2 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -8,7 +8,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -34,7 +34,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.5 2002/04/23 14:58:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.6 2002/12/06 11:40:35 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c index 27bb5138abef..5759bf9662e0 100644 --- a/contrib/ipfilter/ipsend/ipsopt.c +++ b/contrib/ipfilter/ipsend/ipsopt.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -25,7 +25,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.3 2002/02/22 15:32:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c index 463fd4f116f7..72d0d7825640 100644 --- a/contrib/ipfilter/ipsend/iptest.c +++ b/contrib/ipfilter/ipsend/iptest.c @@ -8,7 +8,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
@@ -37,7 +37,7 @@ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.3 2002/02/22 15:32:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.4 2002/12/06 11:40:35 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index cc64f6008acc..a2f8432b0233 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -75,16 +75,24 @@ #if defined(__SVR4) || defined(__svr4__) || defined(__sgi) # include #endif +#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000) +# define USE_NANOSLEEP +#endif #include "ipsend.h" #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.5 2002/02/22 15:32:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.8 2002/12/06 11:40:35 darrenr Exp $"; #endif -#define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \ - (void) select(0, NULL, NULL, NULL, &tv) +#ifdef USE_NANOSLEEP +# define PAUSE() ts.tv_sec = 0; ts.tv_nsec = 10000000; \ + (void) nanosleep(&ts, NULL) +#else +# define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \ + (void) select(0, NULL, NULL, NULL, &tv) +#endif void ip_test1(dev, mtu, ip, gwip, ptest) @@ -94,7 +102,11 @@ ip_t *ip; struct in_addr gwip; int ptest; { +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif udphdr_t *u; int nfd, i = 0, len, id = getpid(); @@ -438,7 +450,11 @@ ip_t *ip; struct in_addr gwip; int ptest; { +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif int nfd; u_char *s; 
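Review bot: The new nanosleep variant of PAUSE() in the third hunk on this line repeats the existing multi-statement shape (`ts.tv_sec = 0; ts.tv_nsec = 10000000; (void) nanosleep(&ts, NULL)`), so `if (x) PAUSE();` would sleep unconditionally; since both variants are being touched, wrapping each body in `do { … } while (0)` is the moment to fix it. Both variants also rely on a `ts` or `tv` local that every test function must declare, which the later hunks add by hand; a note on the macro, `/* caller must declare struct timespec ts (or struct timeval tv) */`, would make that contract visible.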
@@ -529,7 +545,11 @@ int ptest; { static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 }; static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 }; +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif struct icmp *icp; int nfd, i; @@ -721,7 +741,11 @@ ip_t *ip; struct in_addr gwip; int ptest; { +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif udphdr_t *u; int nfd, i; @@ -879,7 +903,11 @@ ip_t *ip; struct in_addr gwip; int ptest; { +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif tcphdr_t *t; int nfd, i; @@ -1222,7 +1250,11 @@ ip_t *ip; struct in_addr gwip; int ptest; { +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif udphdr_t *u; int nfd, i, j, k; @@ -1297,8 +1329,12 @@ ip_t *ip; struct in_addr gwip; int ptest; { - ip_t *pip; +#ifdef USE_NANOSLEEP + struct timespec ts; +#else struct timeval tv; +#endif + ip_t *pip; int nfd, i, j; u_char *s; diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c index 56442c77663e..23a762114f81 100644 --- a/contrib/ipfilter/ipsend/lsock.c +++ b/contrib/ipfilter/ipsend/lsock.c @@ -5,9 +5,9 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.2 2002/02/22 15:32:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.3 2002/12/06 11:40:36 darrenr Exp $"; #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index 2cbfe75d33a3..646da1a22e05 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c @@ -8,7 +8,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
@@ -38,7 +38,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.4 2002/02/22 15:32:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.5 2002/12/06 11:40:36 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c index 403c7e9e1471..8f491f7866bf 100644 --- a/contrib/ipfilter/ipsend/sirix.c +++ b/contrib/ipfilter/ipsend/sirix.c @@ -4,7 +4,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index 3568f230ad65..2e7a11ce781a 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -65,7 +65,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.5 2002/02/22 15:32:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.6 2002/12/06 11:40:36 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c index 83650859f4ab..48f35cf89e6f 100644 --- a/contrib/ipfilter/ipt.c +++ b/contrib/ipfilter/ipt.c @@ -12,7 +12,7 @@ # endif # endif #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # define _KMEMUSER # include #endif @@ -64,7 +64,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.24 2002/12/06 11:40:26 darrenr Exp $"; #endif extern char *optarg; 
@@ -92,6 +92,7 @@ char *argv[]; { char *datain, *iface, *ifname, *packet, *logout; int fd, i, dir, c, loaded, dump, hlen; + struct in_addr src; struct ifnet *ifp; struct ipread *r; u_long buf[2048]; @@ -103,6 +104,7 @@ char *argv[]; r = &iptext; iface = NULL; logout = NULL; + src.s_addr = 0; ifname = "anon0"; datain = NULL; @@ -112,7 +114,7 @@ char *argv[]; ipflog_init(); fr_running = 1; - while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1) + while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:Rs:STvxX")) != -1) switch (c) { case '6' : @@ -149,6 +151,9 @@ char *argv[]; return -1; loaded = 1; break; + case 's' : + src.s_addr = inet_addr(optarg); + break; case 'v' : opts |= OPT_VERBOSE; break; @@ -208,11 +213,21 @@ char *argv[]; ip->ip_off = ntohs(ip->ip_off); ip->ip_len = ntohs(ip->ip_len); hlen = ip->ip_hl << 2; + if (src.s_addr != 0) { + if (src.s_addr == ip->ip_src.s_addr) + dir = 1; + else if (src.s_addr == ip->ip_dst.s_addr) + dir = 0; + } } #ifdef USE_INET6 else hlen = sizeof(ip6_t); #endif + if (opts & OPT_VERBOSE) { + printf("%s on [%s]: ", dir ? "out" : "in", + (iface && *iface) ? iface : "??"); + } packet = (char *)buf; /* ipfr_slowtimer(); */ i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet); diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c index 5cb0efd363aa..17622cdb79cc 100644 --- a/contrib/ipfilter/kmem.c +++ b/contrib/ipfilter/kmem.c @@ -8,7 +8,7 @@ * returns 0 on success, -1 on error. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -46,7 +46,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.16 2002/12/06 11:40:27 darrenr Exp $"; #endif #ifdef __sgi diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4 index 1bd1503aa5fe..7d6436a11705 100644 --- a/contrib/ipfilter/man/ipf.4 
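Review bot: `src.s_addr = inet_addr(optarg);` in the new `case 's'` accepts a malformed address silently: inet_addr() returns INADDR_NONE on parse failure, and the `if (src.s_addr != 0)` test added in the hunk at @@ -208 treats that value as a real address, so a typo in -s just makes the direction override never match instead of being reported. Validate it where it is parsed, e.g. `if (src.s_addr == INADDR_NONE) { fprintf(stderr, "bad address for -s: %s\n", optarg); return -1; }`, matching the `return -1` the neighbouring option case already uses. The override is also only applied inside the IPv4 branch, so under USE_INET6 a -s address is silently ignored for v6 packets; a comment such as `/* -s direction override applies to IPv4 only */` above the new block would record that. The enclosing function starts and ends outside these hunks.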
+++ b/contrib/ipfilter/man/ipf.4 @@ -162,7 +162,7 @@ and FR_OUTQUE (see above). This ioctl is also implemented for or just all those which are not established if passed 1. .IP "\fBGeneral Logging Flags\fP" 0 -There are two flags which can be set to log packets independantly of the +There are two flags which can be set to log packets independently of the rules used. These allow for packets which are either passed or blocked to be logged. To set (and clear)/get these flags, two ioctls are provided: diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index c359703256d6..8c7dac043e5c 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -61,7 +61,7 @@ host-num = digit [ digit [ digit ] ] . port-num = service-name | decnumber . withopt = [ "not" | "no" ] opttype [ withopt ] . -opttype = "ipopts" | "short" | "frag" | "opt" ipopts . +opttype = "ipopts" | "short" | "frag" | "opt" optname . optname = ipopts [ "," optname ] . ipopts = optlist | "sec-class" [ secname ] . secname = seclvl [ "," secname ] . diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index ea92e80ca1b3..8688566583ad 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 @@ -55,7 +55,7 @@ the order on the command line being that used to execute options. .TP .BR \-F \0 To flush entries from the state table, the \fB-F\fP option is used in -conjuction with either "s" (removes state information about any non-fully +conjunction with either "s" (removes state information about any non-fully established connections) or "S" (deletes the entire state table). Only one of the two options may be given. A fully established connection will show up in \fBipfstat -s\fP output as 4/4, with deviations either diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8 index 04b886319553..b07935a9e350 100644 --- a/contrib/ipfilter/man/ipfs.8 +++ b/contrib/ipfilter/man/ipfs.8 
@@ -80,12 +80,12 @@ Lock state tables in the kernel. .B \-r Read information in from the specified file and load it into the kernel. This requires the state tables to have already been locked -and does not change the lock once comlete. +and does not change the lock once complete. .TP .B \-w Write information out to the specified file and from the kernel. This requires the state tables to have already been locked -and does not change the lock once comlete. +and does not change the lock once complete. .TP .B \-R Restores all saved state information, if any, from two files, diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index a5909d0b403c..f641d5971783 100644 --- a/contrib/ipfilter/man/ipfstat.8 +++ b/contrib/ipfilter/man/ipfstat.8 @@ -122,7 +122,7 @@ be used while ipfstat is in top mode. .BR \-T \0 This option is only valid in combination with \fB\-t\fP. Specifies how often the state top display should be updated. The refresh time is the number of -seconds between an update. Any postive integer can be used. The default (and +seconds between an update. Any positive integer can be used. The default (and minimal update time) is 1. .TP .B \-v @@ -162,7 +162,7 @@ the number of bytes. States are sorted in descending order, but you can use the \fBr\fP key to sort them in ascending order. .SH STATE TOP LIMITATIONS It is currently not possible to interactively change the source, destination -and protocol filters or the refreh frequency. This must be done from the +and protocol filters or the refresh frequency. This must be done from the command line. .PP The screen must have at least 80 columns. This is however not checked. diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 index 9f7f2e3f2982..e7cc13a06c11 100644 --- a/contrib/ipfilter/man/ipftest.1 +++ b/contrib/ipfilter/man/ipftest.1 @@ -14,6 +14,9 @@ interface [ .B \-i +] [ +.B \-s + ] .SH DESCRIPTION .PP 
@@ -128,6 +131,11 @@ Specify the filename from which to take input. Default is stdin. .TP .BR \-r \0 Specify the filename from which to read filter rules. +.TP +.BR \-s \0 +Where the input format is incapable of telling \fBipftest\fP whther a packet is +going in or out, setting this option to an IP address results in the direction +being set to out if the source matches or in if the destination matches. .SH SEE ALSO ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 0030c7454957..6a40802d361e 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -54,7 +54,7 @@ setting, not a particular rule. .LP 6. The addresses. This is actually three fields: the source address and port -(separted by a comma), the \fB->\fP symbol, and the destination address +(separated by a comma), the \fB->\fP symbol, and the destination address and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP. .LP 7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP. @@ -110,7 +110,7 @@ equivalent to using \fB-o NSI\fP. .TP .B \-O Specify which log files you do not wish to read from. This is most sensibly -used with the \fB-a\fP. Letters available as paramters to this are the same +used with the \fB-a\fP. Letters available as parameters to this are the same as for \fB-o\fP. .TP .B \-p diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index f0a4ac93c5ea..fe45464d343e 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 
@@ -7,10 +7,10 @@ The format for files accepted by ipnat is described by the following grammar: .nf ipmap :: = mapblock | redir | map . -map ::= mapit ifname ipmask "->" dstipmask [ mapport ] . -map ::= mapit ifname fromto "->" dstipmask [ mapport ] . -mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . -redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options . +map ::= mapit ifname ipmask "->" dstipmask [ mapport ] mapoptions. +map ::= mapit ifname fromto "->" dstipmask [ mapport ] mapoptions. +mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] mapoptions. +redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions . dport ::= "port" portnum [ "-" portnum ] . ports ::= "ports" numports | "auto" . @@ -20,7 +20,8 @@ fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . dstipmask ::= ipmask | "range" ip "-" ip . mapport ::= "portmap" tcpudp portspec . -options ::= [ tcpudp ] [ rr ] . +mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] . +rdroptions ::= [ tcpudp ] [ rr ] [ "frag" ] [ age ] [ clamp ] . object :: = addr [ port-comp | port-range ] . addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . @@ -28,8 +29,12 @@ port-comp :: = "port" compare port-num . port-range :: = "port" port-num range port-num . rr ::= "round-robin" . -nummask = host-name [ "/" decnumber ] . -tcpudp ::= "tcp" | "udp" | "tcp/udp" . +age ::= "age" decnumber [ "/" decnumber ] . +clamp ::= "mssclamp" decnumber . +tcpudp ::= "tcp/udp" | protocol . + +protocol ::= protocol-name | decnumber . +nummask ::= host-name [ "/" decnumber ] . portspec ::= "auto" | portnumber ":" portnumber . portnumber ::= number { numbers } . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . 
@@ -107,6 +112,26 @@ rule. Such a rule might look like the following: .PP Only IP address and port numbers can be compared against. This is available with all NAT rules. +.SH COMMAND QUALIFIERS +At the end of each rule, a number of qualifiers can be used to change how +the rule works. They are as follows: +.TP +protocol +A specific protocol may be given either by its name (as found in +/etc/protocols) or its number. A special case for supporting both +TCP and UDP is allowed with the name \fBtcp/udp\fP. +.TP +.B round-robin +Once a rule with this term has been successfully used, it is put at the +bottom of the list of those available so that each one will get used, in +turn, in a list of matching left hand sides. +.TP +.B frag +This qualifier is currently has no impact on NAT operation. +.TP +.B age +If more refined timeouts are required than those available globally for +NAT settings, this allows you to set them for \fBnon-TCP\fP use. .SH TRANSLATION .PP To the right of the "->" is the address and port specificaton which will be diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8 index 760e0af4e885..3b365ed6bc25 100644 --- a/contrib/ipfilter/man/ipnat.8 +++ b/contrib/ipfilter/man/ipnat.8 @@ -29,7 +29,7 @@ active NAT mappings) Show the list of current NAT table entry mappings. .TP .B \-n -This flag (no-change) prevents \fBipf\fP from actually making any ioctl +This flag (no-change) prevents \fBipnat\fP from actually making any ioctl calls or doing anything which would alter the currently running kernel. .TP .B \-s diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c index 55f953aa048a..e39b98fd76f3 100644 --- a/contrib/ipfilter/misc.c +++ b/contrib/ipfilter/misc.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #if (SOLARIS2 >= 7) 
@@ -53,7 +53,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.8 2002/04/26 10:24:24 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.9 2002/12/06 11:40:27 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c index 94b1bc2ab83e..235a5af21f17 100644 --- a/contrib/ipfilter/mli_ipl.c +++ b/contrib/ipfilter/mli_ipl.c @@ -274,10 +274,10 @@ ipfilterattach(void) static void nifattach() { - nif_t *nif, *qf2; struct ifnet *ifp; struct frentry *f; ipnat_t *np; + nif_t *nif; MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ @@ -430,8 +430,8 @@ ipfsync(void) static void nifdetach() { - nif_t *nif, *qf2, **qp; struct ifnet *ifp; + nif_t *nif, **qp; MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ /* diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c index 33dce6392358..35c0e2857fe8 100644 --- a/contrib/ipfilter/mln_ipl.c +++ b/contrib/ipfilter/mln_ipl.c @@ -61,7 +61,7 @@ extern int lkmenodev __P((void)); -#if NetBSD >= 199706 +#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211)) int if_ipl_lkmentry __P((struct lkm_table *, int, int)); #else #if defined(OpenBSD) @@ -80,6 +80,9 @@ static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, #if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \ (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511)) +# if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) +extern const struct cdevsw ipl_cdevsw; +# else struct cdevsw ipldevsw = { iplopen, /* open */ @@ -93,6 +96,7 @@ struct cdevsw ipldevsw = 0, /* mmap */ NULL /* strategy */ }; +# endif #else struct cdevsw ipldevsw = { 
@@ -113,14 +117,18 @@ struct cdevsw ipldevsw = #endif int ipl_major = 0; +#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) +MOD_DEV(IPL_VERSION, "ipl", NULL, -1, &ipl_cdevsw, -1); +#else MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw); +#endif extern int vd_unuseddev __P((void)); extern struct cdevsw cdevsw[]; extern int nchrdev; -#if NetBSD >= 199706 +#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211)) int if_ipl_lkmentry(lkmtp, cmd, ver) #else #if defined(OpenBSD) @@ -143,9 +151,11 @@ static int iplaction(lkmtp, cmd) struct lkm_table *lkmtp; int cmd; { - int i; struct lkm_dev *args = lkmtp->private.lkm_dev; int err = 0; +#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000) + int i; +#endif switch (cmd) { @@ -153,6 +163,7 @@ int cmd; if (lkmexists(lkmtp)) return EEXIST; +#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000) for (i = 0; i < nchrdev; i++) if (cdevsw[i].d_open == (dev_type_open((*)))lkmenodev || cdevsw[i].d_open == iplopen) @@ -164,9 +175,22 @@ int cmd; ipl_major = i; args->lkm_offset = i; /* slot in cdevsw[] */ +#else + err = devsw_attach(args->lkm_devname, + args->lkm_bdev, &args->lkm_bdevmaj, + args->lkm_cdev, &args->lkm_cdevmaj); + if (err != 0) + return (err); + ipl_major = args->lkm_cdevmaj; +#endif printf("IP Filter: loaded into slot %d\n", ipl_major); return ipl_load(); case LKM_E_UNLOAD : +#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) + devsw_detach(args->lkm_bdev, args->lkm_cdev); + args->lkm_bdevmaj = -1; + args->lkm_cdevmaj = -1; +#endif err = ipl_unload(); if (!err) printf("IP Filter: unloaded from slot %d\n", @@ -213,7 +237,11 @@ static int ipl_unload() * Unloading - remove the filter rule check from the IP * input/output stream. */ +#if defined(__NetBSD__) + error = ipl_disable(); +#else error = ipldetach(); +#endif if (!error) error = ipl_remove(); diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c index e1c3a499fef4..d46107ebedf8 100644 
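Review bot: In the new `LKM_E_UNLOAD` branch `devsw_detach()` runs and `lkm_bdevmaj`/`lkm_cdevmaj` are reset to -1 before `ipl_unload()` is called, so if ipl_unload() fails and iplaction's non-zero return keeps the module resident (as it appears to), the module is still loaded but its device entries are already gone, and a retried unload would call devsw_detach() a second time with majors of -1. Detaching only once ipl_unload() has succeeded keeps the two states in step, as below. The rest of iplaction, including its return path, is outside the hunk.
```c
	case LKM_E_UNLOAD :
		err = ipl_unload();
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
		if (!err) {
			devsw_detach(args->lkm_bdev, args->lkm_cdev);
			args->lkm_bdevmaj = -1;
			args->lkm_cdevmaj = -1;
		}
#endif
		/* … unchanged: "unloaded from slot" message … */
```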
--- a/contrib/ipfilter/natparse.c +++ b/contrib/ipfilter/natparse.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -12,9 +12,9 @@ #include #include #if !defined(__SVR4) && !defined(__svr4__) -#include +# include #else -#include +# include #endif #include #include @@ -56,7 +56,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.27 2002/12/06 11:40:27 darrenr Exp $"; #endif @@ -385,6 +385,13 @@ int linenum; } if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) return NULL; +#if SOLARIS + if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) { + fprintf(stderr, + "localhost as destination not supported\n"); + return NULL; + } +#endif } else { if (!strcmp(*cpp, ipn.in_ifname)) *cpp = "0"; @@ -525,6 +532,19 @@ int linenum; cpp++; } + if (*cpp && !strcasecmp(*cpp, "mssclamp")) { + cpp++; + if (*cpp) { + ipn.in_mssclamp = atoi(*cpp); + cpp++; + } else { + fprintf(stderr, + "%d: mssclamp with no parameters\n", + linenum); + return NULL; + } + } + if (*cpp) { fprintf(stderr, "%d: extra junk at the end of the line: %s\n", @@ -569,14 +589,7 @@ int linenum; if (!*cpp) return &ipn; - if (ipn.in_redir == NAT_BIMAP) { - fprintf(stderr, - "%d: extra words at the end of bimap line: %s\n", - linenum, *cpp); - return NULL; - } - - if (!strcasecmp(*cpp, "proxy")) { + if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) { if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use proxy with bimap\n", linenum); 
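Review bot: `ipn.in_mssclamp = atoi(*cpp);` in the new mssclamp block does no validation: `mssclamp abc` silently stores 0 and `mssclamp -1` stores a negative value that printnat.c then prints with %u, with neither reported the way the "no parameters" case is. Parse with strtol() and reject anything that is not a number in 1..65535 with no trailing characters, as below. The block is duplicated verbatim in the hunk at @@ -711 for the other rule form, so the checked version belongs in one small static helper used by both. The enclosing parser function starts and ends outside the hunk.
```c
	if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
		char *end;
		long v;

		cpp++;
		if (!*cpp) {
			fprintf(stderr, "%d: mssclamp with no parameters\n",
				linenum);
			return NULL;
		}
		v = strtol(*cpp, &end, 0);
		if (*end != '\0' || v <= 0 || v > 65535) {
			fprintf(stderr, "%d: bad mssclamp value: %s\n",
				linenum, *cpp);
			return NULL;
		}
		ipn.in_mssclamp = v;
		cpp++;
	}
	/* … unchanged: "extra junk at the end of the line" check … */
```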
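Review bot: With the condition now `if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy"))`, the inner `if (ipn.in_redir == NAT_BIMAP)` test and its "cannot use proxy with bimap" message can no longer be reached, and the same applies to the portmap branch changed in the hunk at @@ -631. Since the removed "extra words at the end of bimap line" check is gone too, a bimap rule followed by `proxy` presumably falls through to the generic "extra junk at the end of the line" message later in the function, which loses the specific diagnostic the old code gave. If the intent is to let bimap rules reach the qualifiers parsed after this chain, drop the now-dead inner checks so the next reader is not misled; otherwise keep the outer test as `!strcasecmp(*cpp, "proxy")` so the inner bimap check still fires. The enclosing function starts and ends outside the hunk.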
@@ -631,7 +644,7 @@ int linenum; (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); cpp++; - } else if (!strcasecmp(*cpp, "portmap")) { + } else if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "portmap")) { if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use portmap with bimap\n", linenum); @@ -711,6 +724,18 @@ int linenum; cpp++; } + if (*cpp && !strcasecmp(*cpp, "mssclamp")) { + cpp++; + if (*cpp) { + ipn.in_mssclamp = atoi(*cpp); + cpp++; + } else { + fprintf(stderr, "%d: mssclamp with no parameters\n", + linenum); + return NULL; + } + } + if (*cpp) { fprintf(stderr, "%d: extra junk at the end of the line: %s\n", linenum, *cpp); diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c index cad104505bd3..825a5e346dd0 100644 --- a/contrib/ipfilter/opt.c +++ b/contrib/ipfilter/opt.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -28,7 +28,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.2 2002/02/22 15:32:56 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.3 2002/12/06 11:40:27 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index ea13356e80a7..1147ee154fbd 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include 
@@ -158,7 +158,11 @@ int linenum; } else if (!strcasecmp("nomatch", *cpp)) { fil.fr_flags |= FR_NOMATCH; } else if (!strcasecmp("auth", *cpp)) { - fil.fr_flags |= FR_AUTH; + fil.fr_flags |= FR_AUTH; + if (!strncasecmp(*(cpp+1), "return-rst", 10)) { + fil.fr_flags |= FR_RETRST; + cpp++; + } } else if (!strcasecmp("preauth", *cpp)) { fil.fr_flags |= FR_PREAUTH; } else if (!strcasecmp("skip", *cpp)) { @@ -1027,7 +1031,7 @@ int linenum; } } else if (fp->fr_proto == IPPROTO_ICMPV6) { fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s", - linenum, **cp, "(use numeric value instead\n"); + linenum, **cp, "(use numeric value instead)\n"); return -1; } else { for (t = icmptypes, i = 0; ; t++, i++) { @@ -1214,9 +1218,11 @@ struct frentry *fp; printlog(fp); } else if (fp->fr_flags & FR_ACCOUNT) printf("count"); - else if (fp->fr_flags & FR_AUTH) + else if (fp->fr_flags & FR_AUTH) { printf("auth"); - else if (fp->fr_flags & FR_PREAUTH) + if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) + printf(" return-rst"); + } else if (fp->fr_flags & FR_PREAUTH) printf("preauth"); else if (fp->fr_skip) printf("skip %hu", fp->fr_skip); diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c index 9ccae18f1dcb..aa791eb5f2cb 100644 --- a/contrib/ipfilter/printnat.c +++ b/contrib/ipfilter/printnat.c @@ -5,7 +5,7 @@ * * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -58,7 +58,7 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.13 2002/12/06 11:40:27 darrenr Exp $"; #endif 
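Review bot: `if (!strncasecmp(*(cpp+1), "return-rst", 10))` reads the word after `auth` without checking that one exists; if the word array is NULL-terminated, as natparse.c in this same patch assumes with its `!*cpp` tests, a rule line ending in `auth` passes NULL to strncasecmp and crashes the parser instead of producing an error. The 10-character prefix compare also accepts `return-rstxyz` as valid. Guard and compare the whole word: `if (*(cpp+1) && !strcasecmp(*(cpp+1), "return-rst")) {`. The enclosing function starts and ends outside the hunk.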
@@ -145,14 +145,18 @@ int opts; ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0'; ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0'; printf("\tClient:\n"); - printf("\t\tseq %x len %d junk %d cmds %d\n", - ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len, + printf("\t\tseq %08x%08x len %d junk %d cmds %d\n", + ftp.ftp_side[0].ftps_seq[1], + ftp.ftp_side[0].ftps_seq[0], + ftp.ftp_side[0].ftps_len, ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds); printf("\t\tbuf ["); printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1); printf("]\n\tServer:\n"); - printf("\t\tseq %x len %d junk %d cmds %d\n", - ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len, + printf("\t\tseq %08x%08x len %d junk %d cmds %d\n", + ftp.ftp_side[1].ftps_seq[1], + ftp.ftp_side[1].ftps_seq[0], + ftp.ftp_side[1].ftps_len, ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds); printf("\t\tbuf ["); printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1); @@ -387,6 +391,8 @@ int opts; printf(" frag"); if (np->in_age[0]) printf(" age %d/%d", np->in_age[0], np->in_age[1]); + if (np->in_mssclamp) + printf(" mssclamp %u", np->in_mssclamp); printf("\n"); if (opts & OPT_DEBUG) printf("\tspc %lu flg %#x max %u use %d\n", diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c index d462a22f432d..7362a5bca1c0 100644 --- a/contrib/ipfilter/printstate.c +++ b/contrib/ipfilter/printstate.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include diff --git a/contrib/ipfilter/relay.c b/contrib/ipfilter/relay.c index 58a44f0a17b5..6a67433c61a9 100644 --- a/contrib/ipfilter/relay.c +++ b/contrib/ipfilter/relay.c @@ -16,6 +16,10 @@ #include #include #include +#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000) +# include +# define USE_POLL +#endif #include "ip_nat.h" #define RELAY_BUFSZ 8192 
@@ -26,7 +30,11 @@ char obuff[RELAY_BUFSZ]; int relay(ifd, ofd, rfd) int ifd, ofd, rfd; { +#ifdef USE_POLL + struct pollfd set[3]; +#else fd_set rfds, wfds; +#endif char *irh, *irt, *rrh, *rrt; char *iwh, *iwt, *rwh, *rwt; int nfd, n, rw; @@ -39,7 +47,21 @@ int ifd, ofd, rfd; if (nfd < rfd) nfd = rfd; +#ifdef USE_POLL + set[0].fd = rfd; + set[1].fd = ifd; + set[2].fd = ofd; +#endif + while (1) { +#ifdef USE_POLL + set[0].events = (iwh < (obuff + RELAY_BUFSZ) ? POLLIN : 0) | + (irh > irt ? POLLOUT : 0); + set[1].events = (irh < (ibuff + RELAY_BUFSZ) ? POLLIN : 0); + set[2].events = (iwh > iwt ? POLLOUT : 0); + + switch ((n = poll(set, 3, INFTIM))) +#else FD_ZERO(&rfds); FD_ZERO(&wfds); if (irh > irt) @@ -52,12 +74,18 @@ int ifd, ofd, rfd; FD_SET(rfd, &rfds); switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL))) +#endif { case -1 : case 0 : return -1; default : - if (FD_ISSET(ifd, &rfds)) { +#ifdef USE_POLL + if (set[1].revents & POLLIN) +#else + if (FD_ISSET(ifd, &rfds)) +#endif + { rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh); if (rw == -1) return -1; @@ -66,14 +94,24 @@ int ifd, ofd, rfd; irh += rw; n--; } - if (n && FD_ISSET(ofd, &wfds)) { +#ifdef USE_POLL + if (set[2].revents & POLLOUT) +#else + if (n && FD_ISSET(ofd, &wfds)) +#endif + { rw = write(ofd, iwt, iwh - iwt); if (rw == -1) return -1; iwt += rw; n--; } - if (n && FD_ISSET(rfd, &rfds)) { +#ifdef USE_POLL + if (set[0].revents & POLLIN) +#else + if (n && FD_ISSET(rfd, &rfds)) +#endif + { rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh); if (rw == -1) return -1; @@ -82,7 +120,12 @@ int ifd, ofd, rfd; iwh += rw; n--; } - if (n && FD_ISSET(rfd, &wfds)) { +#ifdef USE_POLL + if (set[0].revents & POLLOUT) +#else + if (n && FD_ISSET(rfd, &wfds)) +#endif + { rw = write(rfd, irt, irh - irt); if (rw == -1) return -1; diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index 812841348a7a..c24ba46db235 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile 
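Review bot: The poll() branch only tests `revents` for POLLIN/POLLOUT, so a descriptor reported with POLLERR, POLLHUP or POLLNVAL alone satisfies none of the four `if (set[i].revents & ...)` checks, nothing is read or written, and control goes straight back to `poll(set, 3, INFTIM)`, which returns immediately again; a closed or invalid descriptor therefore becomes a busy loop, whereas the select() branch would at least issue the read. Check for those bits once after the `switch` and bail out, e.g. `if ((set[0].revents | set[1].revents | set[2].revents) & (POLLERR | POLLNVAL)) return -1;`, and treat POLLHUP like POLLIN so the existing read path can observe end-of-file. Under USE_POLL the `nfd` computation kept above the loop is also dead and could be moved under the `#else`. relay() continues outside the hunks at @@ -39 and @@ -82.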
@@ -28,7 +28,7 @@ intests: in1 in2 in3 in4 logtests: l1 -ipv6: ipv6.1 ipv6.2 +ipv6: ipv6.1 ipv6.2 ipv6.3 0: @(cd ..; make ipftest; ) @@ -60,7 +60,7 @@ in1 in2 in3 in4: l1: @/bin/sh ./logtest $@ -ipv6.1 ipv6.2: +ipv6.1 ipv6.2 ipv6.3: @/bin/sh ./dotest6 $@ clean: @@ -70,5 +70,5 @@ clean: /bin/rm -f ni1 ni2 ni3 ni4 ni5 /bin/rm -f in1 in2 in3 in4 /bin/rm -f l1 - /bin/rm -f ipv6.1 ipv6.2 + /bin/rm -f ipv6.1 ipv6.2 ipv6.3 /bin/rm -f results/* diff --git a/contrib/ipfilter/test/expected/ipv6.3 b/contrib/ipfilter/test/expected/ipv6.3 new file mode 100644 index 000000000000..58cddec82dd5 --- /dev/null +++ b/contrib/ipfilter/test/expected/ipv6.3 @@ -0,0 +1,6 @@ +pass +nomatch +nomatch +nomatch +pass +-------- diff --git a/contrib/ipfilter/test/expected/ni5 b/contrib/ipfilter/test/expected/ni5 index 050e2577bbf5..74c615f7d1ef 100644 --- a/contrib/ipfilter/test/expected/ni5 +++ b/contrib/ipfilter/test/expected/ni5 
@@ -3,6 +3,7 @@ 4500 0028 10ca 4000 ff06 328c 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 76c5 5010 269c 5aa0 0000 4500 006f ffde 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 76c5 bd6b c9c9 5018 269c 967e 0000 3232 302d 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 7520 4e63 4654 5064 2053 6572 7665 7220 2866 7265 6520 6564 7563 6174 696f 6e61 6c20 6c69 6365 6e73 6529 2072 6561 6479 2e0d 0a 4500 0028 10cb 4000 ff06 328b 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 770c 5010 269c 5a59 0000 +ippr_ftp_server_valid:junk after cmd[220-Maintained by RSSS and RSPAS IT Staff (previously known as Coombs Comp] 4500 00c7 ffdf 4000 ef06 52d7 96cb e002 c0a8 0103 0015 8032 3786 770c bd6b c9c9 5018 269c 1087 0000 3232 302d 0d0a 3232 302d 4d61 696e 7461 696e 6564 2062 7920 5253 5353 2061 6e64 2052 5350 4153 2049 5420 5374 6166 6620 2870 7265 7669 6f75 736c 7920 6b6e 6f77 6e20 6173 2043 6f6f 6d62 7320 436f 6d70 7574 696e 6720 556e 6974 290d 0a32 3230 2d41 6e79 2070 726f 626c 656d 7320 636f 6e74 6163 7420 6674 706d 6173 7465 7240 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 750d 0a32 3230 2d0d 0a32 3230 200d 0a 4500 0028 10cc 4000 ff06 328a 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5010 269c 59ba 0000 4500 0038 10cd 4000 ff06 3279 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5018 269c d1c5 0000 5553 4552 2061 6e6f 6e79 6d6f 7573 0d0a diff --git a/contrib/ipfilter/test/input/ipv6.3 b/contrib/ipfilter/test/input/ipv6.3 new file mode 100644 index 000000000000..e8ad9f2f22d3 --- /dev/null +++ b/contrib/ipfilter/test/input/ipv6.3 
@@ -0,0 +1,30 @@ +[out,gif0] +6000 0000 0010 3a40 3ffe 8280 0000 2001 +0000 0000 0000 4395 3ffe 8280 0000 2001 +0000 0000 0000 4394 8000 3f77 085c 0038 +0c06 b73d 1b3d 0d00 + +[in,gif0] +6000 0000 0010 3a40 3ffe 8280 0000 2001 +0000 0000 0000 4393 3ffe 8280 0000 2001 +0000 0000 0000 4395 8100 3e77 085c 0038 +0c06 b73d 1b3d 0d00 + +[in,gif0] +6000 0000 0010 3a40 3ffe 8280 0000 2001 +0000 0000 0000 4394 3ffe 8280 0000 2001 +0000 0000 0000 4395 8300 3e77 085c 0038 +0c06 b73d 1b3d 0d00 + +[in,gif0] +6000 0000 0010 3a40 3ffe 8280 0000 2001 +0000 0000 0000 4394 3ffe 8280 0000 2001 +0000 0000 0000 4395 8000 3e77 085c 0038 +0c06 b73d 1b3d 0d00 + +[in,gif0] +6000 0000 0010 3a40 3ffe 8280 0000 2001 +0000 0000 0000 4394 3ffe 8280 0000 2001 +0000 0000 0000 4395 8100 3e77 085c 0038 +0c06 b73d 1b3d 0d00 + diff --git a/contrib/ipfilter/test/input/ni5 b/contrib/ipfilter/test/input/ni5 index cd3d7ce050bb..b6ff31ab0459 100644 --- a/contrib/ipfilter/test/input/ni5 +++ b/contrib/ipfilter/test/input/ni5 @@ -1,7 +1,7 @@ [out,ppp0] 4500 002c 10c9 4000 ff06 3289 c0a8 0103 96cb e002 8032 0015 bd6b c9c8 0000 0000 -6002 2238 35f9 0000 0204 05b4 3cb9 +6002 2238 35f9 0000 0204 05b4 [in,ppp0] 4500 002c ffdd 4000 ef06 5374 96cb e002 @@ -11,7 +11,7 @@ [out,ppp0] 4500 0028 10ca 4000 ff06 328c c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 76c5 -5010 269c 9af6 0000 c0a8 0103 0015 +5010 269c 9af6 0000 [in,ppp0] 4500 006f ffde 4000 ef06 5330 96cb e002 @@ -25,7 +25,7 @@ [out,ppp0] 4500 0028 10cb 4000 ff06 328b c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 770c -5010 269c 9aaf 0000 0111 aa28 c0a8 +5010 269c 9aaf 0000 [in,ppp0] 4500 00c7 ffdf 4000 ef06 52d7 96cb e002 @@ -45,7 +45,7 @@ [out,ppp0] 4500 0028 10cc 4000 ff06 328a c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 77ab -5010 269c 9a10 0000 c0a8 0103 206c +5010 269c 9a10 0000 [out,ppp0] 4500 0038 10cd 4000 ff06 3279 c0a8 0103 
@@ -70,7 +70,7 @@ [out,ppp0] 4500 0028 10ce 4000 ff06 3288 c0a8 0103 96cb e002 8032 0015 bd6b c9d9 3786 77ef -5010 269c 99bc 0000 c0a8 0103 0015 +5010 269c 99bc 0000 [out,ppp0] 4500 0036 10cf 4000 ff06 3279 c0a8 0103 @@ -89,7 +89,7 @@ [out,ppp0] 4500 0028 10d0 4000 ff06 3286 c0a8 0103 96cb e002 8032 0015 bd6b c9e7 3786 7826 -5010 269c 9977 0000 0000 0800 207a +5010 269c 9977 0000 [in,ppp0] 4500 0099 ffe3 4000 ef06 5301 96cb e002 @@ -106,7 +106,7 @@ [out,ppp0] 4500 0028 10d1 4000 ff06 3285 c0a8 0103 96cb e002 8032 0015 bd6b c9e7 3786 7897 -5010 269c 9906 0000 c0a8 0103 0015 +5010 269c 9906 0000 [out,ppp0] 4500 0030 10d2 4000 ff06 327c c0a8 0103 @@ -122,7 +122,7 @@ [out,ppp0] 4500 0028 10d3 4000 ff06 3283 c0a8 0103 96cb e002 8032 0015 bd6b c9ef 3786 78a7 -5010 269c 98ee 0000 c0a8 0103 0015 +5010 269c 98ee 0000 [out,ppp0] 4500 0041 10d4 4000 ff06 3269 c0a8 0103 @@ -162,7 +162,7 @@ [out,ppp0] 4500 002c 10d7 4000 ff06 327b c0a8 0103 96cb e002 8033 0014 bd78 5c12 d9f8 11d5 -6012 02f8 d734 0000 0204 0584 3cc7 +6012 02f8 d734 0000 0204 0584 [in,ppp0] 4500 0028 ffe8 4000 ef06 536d 96cb e002 @@ -180,7 +180,7 @@ [out,ppp0] 4500 0028 10d8 4000 ff06 327e c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 11d5 -5010 6348 8e71 0000 c0a8 0103 0015 +5010 6348 8e71 0000 [in,ppp0] 4500 0063 ffea 4000 ef06 5330 96cb e002 @@ -194,7 +194,7 @@ [out,ppp0] 4500 0028 10d9 4000 ff06 327d c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1210 -5010 6348 8e36 0000 c0a8 0103 0014 +5010 6348 8e36 0000 [in,ppp0] 4500 0028 ffeb 4000 ef06 536a 96cb e002 @@ -204,12 +204,12 @@ [out,ppp0] 4500 0028 10da 4000 ff06 327c c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 -5010 6348 8e35 0000 c0a8 0103 0014 +5010 6348 8e35 0000 [out,ppp0] 4500 0028 10db 4000 ff06 327b c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 -5011 6348 8e34 0000 c0a8 0103 0014 +5011 6348 8e34 0000 [in,ppp0] 4500 0028 ffec 4000 ef06 5369 96cb e002 
@@ -219,7 +219,7 @@ [out,ppp0] 4500 0028 10dc 4000 ff06 327a c0a8 0103 96cb e002 8032 0015 bd6b ca16 3786 790a -5010 269c 9864 0000 c0a8 0103 0014 +5010 269c 9864 0000 [in,ppp0] 4500 0040 ffed 4000 ef06 5350 96cb e002 @@ -241,7 +241,7 @@ [out,ppp0] 4500 0028 10de 4000 ff06 3278 c0a8 0103 96cb e002 8032 0015 bd6b ca1e 3786 7932 -5010 269c 9834 0000 6720 636f 6d70 +5010 269c 9834 0000 [out,ppp0] 4500 002e 10df 4000 ff06 3271 c0a8 0103 @@ -257,7 +257,7 @@ [out,ppp0] 4500 0028 10e0 4000 ff06 3276 c0a8 0103 96cb e002 8032 0015 bd6b ca24 3786 7940 -5011 269c 981f 0000 c0a8 0103 0015 +5011 269c 981f 0000 [in,ppp0] 4500 0028 fff0 4000 ef06 5365 96cb e002 @@ -267,7 +267,7 @@ [out,ppp0] 4500 0028 10e1 4000 ff06 3275 c0a8 0103 96cb e002 8032 0015 bd6b ca25 3786 7941 -5010 269c 981e 0000 0663 6f6f 6d62 +5010 269c 981e 0000 [in,ppp0] 4500 0028 fff1 4000 ef06 5364 96cb e002 diff --git a/contrib/ipfilter/test/regress/ipv6.3 b/contrib/ipfilter/test/regress/ipv6.3 new file mode 100644 index 000000000000..6dc9e937a995 --- /dev/null +++ b/contrib/ipfilter/test/regress/ipv6.3 @@ -0,0 +1 @@ +pass out log quick on gif0 proto ipv6-icmp from any to any icmp-type 128 keep state