fix conflicts

contrib/ipfilter/ipmon.c

@@ -1,14 +1,13 @@
-/* $FreeBSD$ */
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
  * to the original author and the contributors.
  */
 #if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-1998 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $";
+static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 
 #ifndef SOLARIS
@@ -121,7 +120,7 @@ static	void	dumphex __P((FILE *, u_char *, int));
 static	int	read_log __P((int, int *, char *, int));
 static	void	write_pid __P((char *));
 
-char	*hostname __P((int, struct in_addr));
+char	*hostname __P((int, int, u_32_t *));
 char	*portname __P((int, char *, u_int));
 int	main __P((int, char *[]));
 
@@ -146,6 +145,8 @@ static	char	**tcp_ports = NULL;
 #define	OPT_PORTNUM	0x400
 #define	OPT_LOGALL	(OPT_NAT|OPT_STATE|OPT_FILTER)
 
+#define	HOSTNAME_V4(a,b)	hostname((a), 4, (u_32_t *)&(b))
+
 #ifndef	LOGFAC
 #define	LOGFAC	LOG_LOCAL0
 #endif
@@ -169,7 +170,7 @@ static void init_tabs()
 	struct	protoent	*p;
 	struct	servent	*s;
 	char	*name, **tab;
-	u_int	port;
+	int	port;
 
 	if (protocols != NULL) {
 		free(protocols);
@@ -208,11 +209,11 @@ static void init_tabs()
 		if (s->s_proto == NULL)
 			continue;
 		else if (!strcmp(s->s_proto, "tcp")) {
-			port = (u_int)s->s_port;
+			port = s->s_port;
 			name = s->s_name;
 			tab = tcp_ports;
 		} else if (!strcmp(s->s_proto, "udp")) {
-			port = (u_int)s->s_port;
+			port = s->s_port;
 			name = s->s_name;
 			tab = udp_ports;
 		} else
@@ -257,18 +258,33 @@ char *buf;
 }
 
 
-char	*hostname(res, ip)
-int	res;
-struct	in_addr	ip;
+char	*hostname(res, v, ip)
+int	res, v;
+u_32_t	*ip;
 {
+#ifdef	USE_INET6
+	static char hostbuf[MAXHOSTNAMELEN+1];
+#endif
 	struct hostent *hp;
+	struct in_addr ipa;
 
+	if (v == 4) {
+		ipa.s_addr = *ip;
 		if (!res)
-		return inet_ntoa(ip);
-	hp = gethostbyaddr((char *)&ip, sizeof(ip), AF_INET);
+			return inet_ntoa(ipa);
+		hp = gethostbyaddr((char *)ip, sizeof(ip), AF_INET);
 		if (!hp)
-		return inet_ntoa(ip);
+			return inet_ntoa(ipa);
 		return hp->h_name;
+
+	}
+#ifdef	USE_INET6
+	(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
+	hostbuf[MAXHOSTNAMELEN] = '\0';
+	return hostbuf;
+#else
+	return "IPv6";
+#endif
 }
 
 
@@ -391,22 +407,24 @@ int	blen;
 
 	proto = getproto(nl->nl_p);
 
-	(void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip),
+	(void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
 		portname(res, proto, (u_int)nl->nl_inport));
 	t += strlen(t);
-	(void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip),
+	(void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
 		portname(res, proto, (u_int)nl->nl_outport));
 	t += strlen(t);
-	(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
+	(void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip),
 		portname(res, proto, (u_int)nl->nl_origport));
 	t += strlen(t);
 	if (nl->nl_type == NL_EXPIRE) {
 #ifdef	USE_QUAD_T
 		(void) sprintf(t, " Pkts %qd Bytes %qd",
+				(long long)nl->nl_pkts,
+				(long long)nl->nl_bytes);
 #else
 		(void) sprintf(t, " Pkts %ld Bytes %ld",
-#endif
 				nl->nl_pkts, nl->nl_bytes);
+#endif
 		t += strlen(t);
 	}
 
@@ -456,6 +474,8 @@ int	blen;
 			strcpy(t, "STATE:EXPIRE ");
 	} else if (sl->isl_type == ISL_FLUSH)
 		strcpy(t, "STATE:FLUSH ");
+	else if (sl->isl_type == ISL_REMOVE)
+		strcpy(t, "STATE:REMOVE ");
 	else
 		sprintf(t, "Type: %d ", sl->isl_type);
 	t += strlen(t);
@@ -464,26 +484,30 @@ int	blen;
 
 	if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
 		(void) sprintf(t, "%s,%s -> ",
-			hostname(res, sl->isl_src),
+			hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
 			portname(res, proto, (u_int)sl->isl_sport));
 		t += strlen(t);
 		(void) sprintf(t, "%s,%s PR %s",
-			hostname(res, sl->isl_dst),
+			hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
 			portname(res, proto, (u_int)sl->isl_dport), proto);
 	} else if (sl->isl_p == IPPROTO_ICMP) {
-		(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
+		(void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
+						     (u_32_t *)&sl->isl_src));
 		t += strlen(t);
 		(void) sprintf(t, "%s PR icmp %d",
-			hostname(res, sl->isl_dst), sl->isl_itype);
+			hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
+			sl->isl_itype);
 	}
 	t += strlen(t);
 	if (sl->isl_type != ISL_NEW) {
 #ifdef	USE_QUAD_T
 		(void) sprintf(t, " Pkts %qd Bytes %qd",
+				(long long)sl->isl_pkts,
+				(long long)sl->isl_bytes);
 #else
 		(void) sprintf(t, " Pkts %ld Bytes %ld",
-#endif
 				sl->isl_pkts, sl->isl_bytes);
+#endif
 		t += strlen(t);
 	}
 
@@ -555,22 +579,26 @@ int	blen;
 	struct	icmp	*ic;
 	struct	tm	*tm;
 	char	*t, *proto;
-	u_short	hl, p;
-	int	i, lvl, res, len;
+	int	i, v, lvl, res, len, off, plen, ipoff;
 	ip_t	*ipc, *ip;
-	iplog_t	*ipl;
+	u_short	hl, p;
 	ipflog_t *ipf;
+	iplog_t	*ipl;
+	u_32_t	*s, *d;
+#ifdef	USE_INET6
+	ip6_t *ip6;
+#endif
 
 	ipl = (iplog_t *)buf;
 	ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
 	ip = (ip_t *)((char *)ipf + sizeof(*ipf));
+	v = ip->ip_v;
 	res = (opts & OPT_RESOLVE) ? 1 : 0;
 	t = line;
 	*t = '\0';
-	hl = (ip->ip_hl << 2);
-	p = (u_short)ip->ip_p;
 	tm = localtime((time_t *)&ipl->ipl_sec);
 #ifdef	linux
+	if (v == 4)
 		ip->ip_len = ntohs(ip->ip_len);
 #endif
 
@@ -610,7 +638,6 @@ int	blen;
 #endif
 	(void) sprintf(t, " @%hu:%hu ", ipf->fl_group, ipf->fl_rule + 1);
 	t += strlen(t);
-	proto = getproto(p);
 
  	if (ipf->fl_flags & FF_SHORT) {
 		*t++ = 'S';
@@ -639,18 +666,43 @@ int	blen;
 	*t++ = ' ';
 	*t = '\0';
 
-	if ((p == IPPROTO_TCP || p == IPPROTO_UDP) &&
-	    !(ip->ip_off & IP_OFFMASK)) {
+	if (v == 6) {
+#ifdef	USE_INET6
+		off = 0;
+		ipoff = 0;
+		hl = sizeof(ip6_t);
+		ip6 = (ip6_t *)ip;
+		p = (u_short)ip6->ip6_nxt;
+		s = (u_32_t *)&ip6->ip6_src;
+		d = (u_32_t *)&ip6->ip6_dst;
+		plen = ntohs(ip6->ip6_plen);
+#else
+		sprintf(t, "ipv6");
+		goto printipflog;
+#endif
+	} else if (v == 4) {
+		hl = (ip->ip_hl << 2);
+		ipoff = ip->ip_off;
+		off = ipoff & IP_OFFMASK;
+		p = (u_short)ip->ip_p;
+		s = (u_32_t *)&ip->ip_src;
+		d = (u_32_t *)&ip->ip_dst;
+		plen = ntohs(ip->ip_len);
+	} else {
+		goto printipflog;
+	}
+	proto = getproto(p);
+
+	if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
 		tp = (tcphdr_t *)((char *)ip + hl);
 		if (!(ipf->fl_flags & (FI_SHORT << 16))) {
-			(void) sprintf(t, "%s,%s -> ",
-				hostname(res, ip->ip_src),
+			(void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
 				portname(res, proto, (u_int)tp->th_sport));
 			t += strlen(t);
 			(void) sprintf(t, "%s,%s PR %s len %hu %hu ",
-				hostname(res, ip->ip_dst),
+				hostname(res, v, d),
 				portname(res, proto, (u_int)tp->th_dport),
-				proto, hl, ip->ip_len);
+				proto, hl, plen);
 			t += strlen(t);
 
 			if (p == IPPROTO_TCP) {
@@ -668,18 +720,17 @@ int	blen;
 			}
 			*t = '\0';
 		} else {
-			(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
+			(void) sprintf(t, "%s -> ", hostname(res, v, s));
 			t += strlen(t);
 			(void) sprintf(t, "%s PR %s len %hu %hu",
-				hostname(res, ip->ip_dst), proto,
-				hl, ip->ip_len);
+				hostname(res, v, d), proto, hl, plen);
 		}
-	} else if ((p == IPPROTO_ICMP) && !(ip->ip_off & IP_OFFMASK)) {
+	} else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
 		ic = (struct icmp *)((char *)ip + hl);
-		(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
+		(void) sprintf(t, "%s -> ", hostname(res, v, s));
 		t += strlen(t);
 		(void) sprintf(t, "%s PR icmp len %hu %hu icmp %d/%d",
-			hostname(res, ip->ip_dst), hl, ip->ip_len,
+			hostname(res, v, d), hl, plen,
 			ic->icmp_type, ic->icmp_code);
 		if (ic->icmp_type == ICMP_UNREACH ||
 		    ic->icmp_type == ICMP_SOURCEQUENCH ||
@@ -693,26 +744,25 @@ int	blen;
 
 			t += strlen(t);
 			(void) sprintf(t, " for %s,%s -",
-				hostname(res, ipc->ip_src),
+				HOSTNAME_V4(res, ipc->ip_src),
 				portname(res, proto, (u_int)tp->th_sport));
 			t += strlen(t);
 			(void) sprintf(t, " %s,%s PR %s len %hu %hu",
-				hostname(res, ipc->ip_dst),
+				HOSTNAME_V4(res, ipc->ip_dst),
 				portname(res, proto, (u_int)tp->th_dport),
 				proto, ipc->ip_hl << 2, ipc->ip_len);
 		}
 	} else {
-		(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
+		(void) sprintf(t, "%s -> ", hostname(res, v, s));
 		t += strlen(t);
 		(void) sprintf(t, "%s PR %s len %hu (%hu)",
-			hostname(res, ip->ip_dst), proto, hl, ip->ip_len);
+			hostname(res, v, d), proto, hl, plen);
 		t += strlen(t);
-		if (ip->ip_off & IP_OFFMASK)
+		if (off & IP_OFFMASK)
 			(void) sprintf(t, " frag %s%s%hu@%hu",
-				ip->ip_off & IP_MF ? "+" : "",
-				ip->ip_off & IP_DF ? "-" : "",
-				ip->ip_len - hl,
-				(ip->ip_off & IP_OFFMASK) << 3);
+				ipoff & IP_MF ? "+" : "",
+				ipoff & IP_DF ? "-" : "",
+				plen - hl, (off & IP_OFFMASK) << 3);
 	}
 	t += strlen(t);
 
@@ -731,6 +781,7 @@ int	blen;
 	else if (ipf->fl_flags & FR_OUTQUE)
 		strcpy(t, " OUT");
 	t += strlen(t);
+printipflog:
 	*t++ = '\n';
 	*t++ = '\0';
 	if (opts & OPT_SYSLOG)

contrib/ipfilter/ipsend/ipsend.c

@@ -13,7 +13,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipsend.c	1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.1.2.2 1999/11/28 03:43:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 #include <stdio.h>
 #include <stdlib.h>

contrib/ipfilter/man/ipf.8

@@ -5,7 +5,7 @@ ipf \- alters packet filtering lists for IP packet input and output
 .SH SYNOPSIS
 .B ipf
 [
-.B \-AdDEInoPrsUvVyzZ
+.B \-6AdDEInoPrsUvVyzZ
 ] [
 .B \-l
 <block|pass|nomatch>
@@ -31,6 +31,9 @@ Rules are added to the end of the internal lists, matching the order in
 which they appear when given to \fBipf\fP.
 .SH OPTIONS
 .TP
+.B \-6
+This option is required to parse IPv6 rules and to have them loaded.
+.TP
 .B \-A
 Set the list to make changes to the active list (default).
 .TP

contrib/ipfilter/man/ipfstat.8

@@ -5,7 +5,27 @@ ipfstat \- reports on packet filter statistics and filter list
 .SH SYNOPSIS
 .B ipfstat
 [
-.B \-aAfghIinosv
+.B \-6aAfghIinosv
+] [
+.B \-d
+<device>
+]
+
+.B ipfstat -t
+[
+.B \-C
+] [
+.B \-D
+<addrport>
+] [
+.B \-P
+<protocol>
+] [
+.B \-S
+<addrport>
+] [
+.B \-T
+<refresh time>
 ] [
 .B \-d
 <device>
@@ -22,15 +42,32 @@ is to retrieve and display the accumulated statistics which have been
 accumulated over time as the kernel has put packets through the filter.
 .SH OPTIONS
 .TP
+.B \-6
+Display filter lists for IPv6, if available.
+.TP
 .B \-a
 Display the accounting filter list and show bytes counted against each rule.
 .TP
 .B \-A
 Display packet authentication statistics.
 .TP 
+.B \-C
+This option is only valid in combination with \fB\-t\fP.
+Display "closed" states as well in the top. Normally, a TCP connection is
+not displayed when it reaches the CLOSE_WAIT protocol state. With this
+option enabled, all state entries are displayed.
+.TP
 .BR \-d \0<device>
 Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
 .TP
+.BR \-D \0<addrport>
+This option is only valid in combination with \fB\-t\fP. Limit the state top
+display to show only state entries whose destination IP address and port
+match the addport argument. The addrport specification is of the form
+ipaddress[,port].  The ipaddress and port should be either numerical or the
+string "any" (specifying any ip address resp. any port). If the \fB\-D\fP
+option is not specified, it defaults to "\fB\-D\fP any,any".
+.TP
 .B \-f
 Show fragment state information (statistics) and held state information (in
 the kernel) if any is present.
@@ -55,10 +92,38 @@ Show the "rule number" for each rule as it is printed.
 .B \-o
 Display the filter list used for the output side of the kernel IP processing.
 .TP
+.BR \-P \0<protocol>
+This option is only valid in combination with \fB\-t\fP. Limit the state top
+display to show only state entries that match a specific protocol. The
+argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a
+protocol number. If this option is not specified, state entries for any
+protocol are specified.
+.TP
 .B \-s
 Show packet/flow state information (statistics) and held state information (in
 the kernel) if any is present.
 .TP
+.BR \-S \0<addrport>
+This option is only valid in combination with \fB\-t\fP. Limit the state top
+display to show only state entries whose source IP address and port match
+the addport argument. The addrport specification is of the form
+ipaddress[,port].  The ipaddress and port should be either numerical or the
+string "any" (specifying any ip address resp. any port). If the \fB\-S\fP
+option is not specified, it defaults to "\fB\-S\fP any,any".
+.TP
+.B \-t
+Show the state table in a way similar to they way \fBtop(1)\fP shows the process
+table. States can be sorted using a number of different ways. This options
+requires \fBncurses(3)\fP and needs to be compiled in. It may not be available on
+all operating systems. See below, for more information on the keys that can
+be used while ipfstat is in top mode.
+.TP
+.BR \-T \0<refreshtime>
+This option is only valid in combination with \fB\-t\fP. Specifies how often
+the state top display should be updated. The refresh time is the number of
+seconds between an update. Any postive integer can be used. The default (and
+minimal update time) is 1.
+.TP
 .B \-v
 Turn verbose mode on.  Displays more debugging information.
 .SH SYNOPSIS
@@ -70,6 +135,35 @@ parameters are present.
 When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
 the appropriate list of filter rules currently installed and in use by the
 kernel.
+.SH STATE TOP
+Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
+this mode the state table is displayed similar to the way \fBtop\fP displays
+the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and\fB\-T\fP 
+commandline options can be used to restrict the state entries that will be 
+shown and to specify the frequency of display updates.
+.PP
+In state top mode, the following keys can be used to influence the displayed
+information. \fBl\fP can be used to redraw the screen. \fBq\fP is used to
+quit the program. \fBs\fP can be used to change the sorting criterion and
+\fBr\fP can be used to reverse the sorting criterion.
+.PP
+States can be sorted by protocol number, by number of IP packets, by number
+of bytes and by time-to-live of the state entry. The default is to sort by
+the number of bytes. States are sorted in descending order, but you can use
+the \fBr\fP key to sort them in ascending order.
+.SH STATE TOP LIMITATIONS
+It is currently not possible to interactively change the source, destination
+and protocol filters or the refreh frequency. This must be done from the
+command line.
+.PP
+The screen must have at least 80 columns. This is however not checked.
+.PP
+Only the first X-5 entries that match the sort and filter criteria are
+displayed (where X is the number of rows on the display. There is no way to 
+see more entries.
+.PP
+No support for IPv6
+.PP
 .SH FILES
 /dev/kmem
 .br

contrib/ipfilter/man/ipmon.8

@@ -5,13 +5,15 @@ ipmon \- monitors /dev/ipl for logged packets
 .SH SYNOPSIS
 .B ipmon
 [
-.B \-aFhnstvxX
+.B \-aDFhnpstvxX
+] [
+.B "\-N <device>"
 ] [
 .B "\-o [NSI]"
 ] [
 .B "\-O [NSI]"
 ] [
-.B "\-N <device>"
+.B "\-P <pidfile>"
 ] [
 .B "\-S <device>"
 ] [
@@ -75,6 +77,10 @@ In order for \fBipmon\fP to properly work, the kernel option
 Open all of the device logfiles for reading log entries from.  All entries
 are displayed to the same output 'device' (stderr or syslog).
 .TP
+.B \-D
+Cause ipmon to turn itself into a daemon.  Using subshells or backgrounding
+of ipmon is not required to turn it into an orphan so it can run indefinately.
+.TP
 .B "\-f <device>"
 specify an alternative device/file from which to read the log information
 for normal IP Filter log records.
@@ -100,14 +106,19 @@ Specify which log files you do not wish to read from.  This is most sensibly
 used with the \fB-a\fP.  Letters available as parameters to this are the same
 as for \fB-o\fP.
 .TP
+.B \-p
+Cause the port number in log messages to always be printed as a number and
+never attempt to look it up as from \fI/etc/services\fP, etc.
+.TP
+.B \-P <pidfile>
+Write the pid of the ipmon process to a file.  By default this is
+\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD
+or later) or \fI/etc/ipmon.pid\fP for all others.
+.TP
 .B \-s
 Packet information read in will be sent through syslogd rather than
 saved to a file.  The default facility when compiled and installed is
 \fBlocal0\fP.  The following levels are used:
-.TP
-.B "\-S <device>"
-Set the logfile to be opened for reading state log records from to <device>.
-.TP
 .IP
 .B LOG_INFO
 \- packets logged using the "log" keyword as the action rather
@@ -123,6 +134,9 @@ than pass or block.
 \- packets which have been logged and which can be considered
 "short".
 .TP
+.B "\-S <device>"
+Set the logfile to be opened for reading state log records from to <device>.
+.TP
 .B \-t
 read the input file/device in a manner akin to tail(1).
 .TP
@@ -144,6 +158,8 @@ recorded data.
 /dev/ipnat
 .br
 /dev/ipstate
+.br
+/etc/services
 .SH SEE ALSO
 ipl(4), ipf(8), ipfstat(8), ipnat(8)
 .\".SH BUGS