Not in this commit: Many spammed deltas have been removed to restore

back to the vendor branch.

Re-merge changes from the vendor branch.

Undo the local spammed changes that I could find.  There are probably
more local fixes that were clobbered that I've missed.
This commit is contained in:
Peter Wemm 2000-02-10 03:17:51 +00:00
parent 94fafad064
commit 96c630d7b2
11 changed files with 476 additions and 157 deletions


@ -1,43 +1,52 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-1997 by Darren Reed.
* Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $";
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $";
#endif
#ifndef SOLARIS
#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/file.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#ifndef __FreeBSD__
#if !defined(__SVR4) && !defined(__svr4__)
# if (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
# else
# include <sys/dir.h>
# endif
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
#endif
#include <strings.h>
#include <signal.h>
#include <sys/dir.h>
#else
#include <sys/filio.h>
#include <sys/byteorder.h>
#endif
#endif
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/file.h>
#include <sys/time.h>
#include <stdlib.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/tcp_fsm.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
@ -46,7 +55,6 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45
#include <sys/uio.h>
#ifndef linux
# include <sys/protosw.h>
# include <sys/user.h>
# include <netinet/ip_var.h>
#endif
@ -87,6 +95,15 @@ struct flags tcpfl[] = {
{ 0, '\0' }
};
#if SOLARIS
static char *pidfile = "/etc/opt/ipf/ipmon.pid";
#else
# if BSD >= 199306
static char *pidfile = "/var/run/ipmon.pid";
# else
static char *pidfile = "/etc/ipmon.pid";
# endif
#endif
static char line[2048];
static int opts = 0;
@ -101,12 +118,20 @@ static void print_ipflog __P((FILE *, char *, int));
static void print_natlog __P((FILE *, char *, int));
static void print_statelog __P((FILE *, char *, int));
static void dumphex __P((FILE *, u_char *, int));
static int read_log __P((int, int *, char *, int, FILE *));
static int read_log __P((int, int *, char *, int));
static void write_pid __P((char *));
char *hostname __P((int, struct in_addr));
char *portname __P((int, char *, u_short));
char *portname __P((int, char *, u_int));
int main __P((int, char *[]));
static void logopts __P((int, char *));
static void init_tabs __P((void));
static char *getproto __P((u_int));
static char **protocols = NULL;
static char **udp_ports = NULL;
static char **tcp_ports = NULL;
#define OPT_SYSLOG 0x001
@ -119,14 +144,14 @@ static void logopts __P((int, char *));
#define OPT_STATE 0x100
#define OPT_FILTER 0x200
#define OPT_PORTNUM 0x400
#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER)
#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
#endif
static void handlehup(sig)
void handlehup(sig)
int sig;
{
FILE *fp;
@ -134,14 +159,91 @@ int sig;
signal(SIGHUP, handlehup);
if (logfile && (fp = fopen(logfile, "a")))
newlog = fp;
init_tabs();
donehup = 1;
}
static int read_log(fd, lenp, buf, bufsize, log)
static void init_tabs()
{
struct protoent *p;
struct servent *s;
char *name, **tab;
u_int port;
if (protocols != NULL) {
free(protocols);
protocols = NULL;
}
protocols = (char **)malloc(256 * sizeof(*protocols));
if (protocols != NULL) {
bzero((char *)protocols, 256 * sizeof(*protocols));
setprotoent(1);
while ((p = getprotoent()) != NULL)
if (p->p_proto >= 0 && p->p_proto <= 255 &&
p->p_name != NULL)
protocols[p->p_proto] = strdup(p->p_name);
endprotoent();
}
if (udp_ports != NULL) {
free(udp_ports);
udp_ports = NULL;
}
udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
if (udp_ports != NULL)
bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
if (tcp_ports != NULL) {
free(tcp_ports);
tcp_ports = NULL;
}
tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
if (tcp_ports != NULL)
bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
setservent(1);
while ((s = getservent()) != NULL) {
if (s->s_proto == NULL)
continue;
else if (!strcmp(s->s_proto, "tcp")) {
port = (u_int)s->s_port;
name = s->s_name;
tab = tcp_ports;
} else if (!strcmp(s->s_proto, "udp")) {
port = (u_int)s->s_port;
name = s->s_name;
tab = udp_ports;
} else
continue;
if ((port < 0 || port > 65535) || (name == NULL))
continue;
tab[port] = strdup(name);
}
endservent();
}
static char *getproto(p)
u_int p;
{
static char pnum[4];
char *s;
p &= 0xff;
s = protocols ? protocols[p] : NULL;
if (s == NULL) {
sprintf(pnum, "%u", p);
s = pnum;
}
return s;
}
static int read_log(fd, lenp, buf, bufsize)
int fd, bufsize, *lenp;
char *buf;
FILE *log;
{
int nr;
@ -173,18 +275,24 @@ struct in_addr ip;
char *portname(res, proto, port)
int res;
char *proto;
u_short port;
u_int port;
{
static char pname[8];
struct servent *serv;
char *s;
(void) sprintf(pname, "%hu", htons(port));
port = ntohs(port);
port &= 0xffff;
(void) sprintf(pname, "%u", port);
if (!res || (opts & OPT_PORTNUM))
return pname;
serv = getservbyport((int)port, proto);
if (!serv)
return pname;
return serv->s_name;
s = NULL;
if (!strcmp(proto, "tcp"))
s = tcp_ports[port];
else if (!strcmp(proto, "udp"))
s = udp_ports[port];
if (s == NULL)
s = pname;
return s;
}
@ -254,6 +362,7 @@ int blen;
char *t = line;
struct tm *tm;
int res, i, len;
char *proto;
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
@ -274,20 +383,22 @@ int blen;
strcpy(t, "NAT:MAP ");
else if (nl->nl_type == NL_NEWRDR)
strcpy(t, "NAT:RDR ");
else if (nl->nl_type == ISL_EXPIRE)
else if (nl->nl_type == NL_EXPIRE)
strcpy(t, "NAT:EXPIRE ");
else
sprintf(t, "Type: %d ", nl->nl_type);
t += strlen(t);
proto = getproto(nl->nl_p);
(void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip),
portname(res, NULL, nl->nl_inport));
portname(res, proto, (u_int)nl->nl_inport));
t += strlen(t);
(void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip),
portname(res, NULL, nl->nl_outport));
portname(res, proto, (u_int)nl->nl_outport));
t += strlen(t);
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
portname(res, NULL, nl->nl_origport));
portname(res, proto, (u_int)nl->nl_origport));
t += strlen(t);
if (nl->nl_type == NL_EXPIRE) {
#ifdef USE_QUAD_T
@ -315,8 +426,7 @@ int blen;
{
struct ipslog *sl;
iplog_t *ipl = (iplog_t *)buf;
struct protoent *pr;
char *t = line, *proto, pname[6];
char *t = line, *proto;
struct tm *tm;
int res, i, len;
@ -337,27 +447,29 @@ int blen;
if (sl->isl_type == ISL_NEW)
strcpy(t, "STATE:NEW ");
else if (sl->isl_type == ISL_EXPIRE)
strcpy(t, "STATE:EXPIRE ");
else if (sl->isl_type == ISL_EXPIRE) {
if ((sl->isl_p == IPPROTO_TCP) &&
(sl->isl_state[0] > TCPS_ESTABLISHED ||
sl->isl_state[1] > TCPS_ESTABLISHED))
strcpy(t, "STATE:CLOSE ");
else
strcpy(t, "STATE:EXPIRE ");
} else if (sl->isl_type == ISL_FLUSH)
strcpy(t, "STATE:FLUSH ");
else
sprintf(t, "Type: %d ", sl->isl_type);
t += strlen(t);
pr = getprotobynumber((int)sl->isl_p);
if (!pr) {
proto = pname;
sprintf(proto, "%d", (u_int)sl->isl_p);
} else
proto = pr->p_name;
proto = getproto(sl->isl_p);
if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
(void) sprintf(t, "%s,%s -> ",
hostname(res, sl->isl_src),
portname(res, proto, sl->isl_sport));
portname(res, proto, (u_int)sl->isl_sport));
t += strlen(t);
(void) sprintf(t, "%s,%s PR %s",
hostname(res, sl->isl_dst),
portname(res, proto, sl->isl_dport), proto);
portname(res, proto, (u_int)sl->isl_dport), proto);
} else if (sl->isl_p == IPPROTO_ICMP) {
(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
t += strlen(t);
@ -439,11 +551,10 @@ FILE *log;
char *buf;
int blen;
{
struct protoent *pr;
struct tcphdr *tp;
tcphdr_t *tp;
struct icmp *ic;
struct tm *tm;
char c[3], pname[8], *t, *proto;
char *t, *proto;
u_short hl, p;
int i, lvl, res, len;
ip_t *ipc, *ip;
@ -483,60 +594,62 @@ int blen;
(defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
len = (int)sizeof(ipf->fl_ifname);
(void) sprintf(t, "%*.*s", len, len, ipf->fl_ifname);
t += strlen(t);
# if SOLARIS
if (isalpha(*(t - 1)))
*t++ = '0' + ipf->fl_unit;
# endif
#else
for (len = 0; len < 3; len++)
if (!ipf->fl_ifname[len])
if (ipf->fl_ifname[len] == '\0')
break;
if (ipf->fl_ifname[len])
len++;
(void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
#endif
t += strlen(t);
#endif
(void) sprintf(t, " @%hu:%hu ", ipf->fl_group, ipf->fl_rule + 1);
pr = getprotobynumber((int)p);
if (!pr) {
proto = pname;
sprintf(proto, "%d", (u_int)p);
} else
proto = pr->p_name;
t += strlen(t);
proto = getproto(p);
if (ipf->fl_flags & FF_SHORT) {
c[0] = 'S';
*t++ = 'S';
lvl = LOG_ERR;
} else if (ipf->fl_flags & FR_PASS) {
if (ipf->fl_flags & FR_LOGP)
c[0] = 'p';
*t++ = 'p';
else
c[0] = 'P';
*t++ = 'P';
lvl = LOG_NOTICE;
} else if (ipf->fl_flags & FR_BLOCK) {
if (ipf->fl_flags & FR_LOGB)
c[0] = 'b';
*t++ = 'b';
else
c[0] = 'B';
*t++ = 'B';
lvl = LOG_WARNING;
} else if (ipf->fl_flags & FF_LOGNOMATCH) {
c[0] = 'n';
*t++ = 'n';
lvl = LOG_NOTICE;
} else {
c[0] = 'L';
*t++ = 'L';
lvl = LOG_INFO;
}
c[1] = ' ';
c[2] = '\0';
(void) strcat(line, c);
t = line + strlen(line);
if (ipf->fl_loglevel != 0xffff)
lvl = ipf->fl_loglevel;
*t++ = ' ';
*t = '\0';
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & 0x1fff)) {
tp = (struct tcphdr *)((char *)ip + hl);
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) &&
!(ip->ip_off & IP_OFFMASK)) {
tp = (tcphdr_t *)((char *)ip + hl);
if (!(ipf->fl_flags & (FI_SHORT << 16))) {
(void) sprintf(t, "%s,%s -> ",
hostname(res, ip->ip_src),
portname(res, proto, tp->th_sport));
portname(res, proto, (u_int)tp->th_sport));
t += strlen(t);
(void) sprintf(t, "%s,%s PR %s len %hu %hu ",
hostname(res, ip->ip_dst),
portname(res, proto, tp->th_dport),
portname(res, proto, (u_int)tp->th_dport),
proto, hl, ip->ip_len);
t += strlen(t);
@ -545,12 +658,13 @@ int blen;
for (i = 0; tcpfl[i].value; i++)
if (tp->th_flags & tcpfl[i].value)
*t++ = tcpfl[i].flag;
}
if (opts & OPT_VERBOSE) {
(void) sprintf(t, " %lu %lu %hu",
(u_long)tp->th_seq,
(u_long)tp->th_ack, tp->th_win);
t += strlen(t);
if (opts & OPT_VERBOSE) {
(void) sprintf(t, " %lu %lu %hu",
(u_long)(ntohl(tp->th_seq)),
(u_long)(ntohl(tp->th_ack)),
ntohs(tp->th_win));
t += strlen(t);
}
}
*t = '\0';
} else {
@ -560,7 +674,7 @@ int blen;
hostname(res, ip->ip_dst), proto,
hl, ip->ip_len);
}
} else if (p == IPPROTO_ICMP) {
} else if ((p == IPPROTO_ICMP) && !(ip->ip_off & IP_OFFMASK)) {
ic = (struct icmp *)((char *)ip + hl);
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
t += strlen(t);
@ -573,24 +687,18 @@ int blen;
ic->icmp_type == ICMP_REDIRECT ||
ic->icmp_type == ICMP_TIMXCEED) {
ipc = &ic->icmp_ip;
tp = (struct tcphdr *)((char *)ipc + hl);
tp = (tcphdr_t *)((char *)ipc + hl);
p = (u_short)ipc->ip_p;
pr = getprotobynumber((int)p);
if (!pr) {
proto = pname;
(void) sprintf(proto, "%d", (int)p);
} else
proto = pr->p_name;
proto = getproto(ipc->ip_p);
t += strlen(t);
(void) sprintf(t, " for %s,%s -",
hostname(res, ipc->ip_src),
portname(res, proto, tp->th_sport));
portname(res, proto, (u_int)tp->th_sport));
t += strlen(t);
(void) sprintf(t, " %s,%s PR %s len %hu %hu",
hostname(res, ipc->ip_dst),
portname(res, proto, tp->th_dport),
portname(res, proto, (u_int)tp->th_dport),
proto, ipc->ip_hl << 2, ipc->ip_len);
}
} else {
@ -599,11 +707,12 @@ int blen;
(void) sprintf(t, "%s PR %s len %hu (%hu)",
hostname(res, ip->ip_dst), proto, hl, ip->ip_len);
t += strlen(t);
if (ip->ip_off & 0x1fff)
if (ip->ip_off & IP_OFFMASK)
(void) sprintf(t, " frag %s%s%hu@%hu",
ip->ip_off & IP_MF ? "+" : "",
ip->ip_off & IP_DF ? "-" : "",
ip->ip_len - hl, (ip->ip_off & 0x1fff) << 3);
ip->ip_len - hl,
(ip->ip_off & IP_OFFMASK) << 3);
}
t += strlen(t);
@ -617,6 +726,11 @@ int blen;
t += strlen(t);
}
if (ipf->fl_flags & FR_INQUE)
strcpy(t, " IN");
else if (ipf->fl_flags & FR_OUTQUE)
strcpy(t, " OUT");
t += strlen(t);
*t++ = '\n';
*t++ = '\0';
if (opts & OPT_SYSLOG)
@ -624,7 +738,7 @@ int blen;
else
(void) fprintf(log, "%s", line);
if (opts & OPT_HEXHDR)
dumphex(log, (u_char *)buf, sizeof(iplog_t));
dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
if (opts & OPT_HEXBODY)
dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
}
@ -638,6 +752,25 @@ char *prog;
}
static void write_pid(file)
char *file;
{
FILE *fp = NULL;
int fd;
if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0)
fp = fdopen(fd, "w");
if (!fp) {
close(fd);
fprintf(stderr, "unable to open/create pid file: %s\n", file);
return;
}
fprintf(fp, "%d", getpid());
fclose(fp);
close(fd);
}
static void flushlogs(file, log)
char *file;
FILE *log;
@ -709,7 +842,7 @@ char *argv[];
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
int fdt[3], devices = 0, make_daemon = 0;
char buf[512], *iplfile[3];
char buf[512], *iplfile[3], *s;
extern int optind;
extern char *optarg;
@ -719,11 +852,14 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
while ((c = getopt(argc, argv, "?aDf:FhI:nN:o:O:sS:tvxX")) != -1)
while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
opts |= OPT_ALL;
opts |= OPT_LOGALL;
fdt[0] = IPL_LOGIPF;
fdt[1] = IPL_LOGNAT;
fdt[2] = IPL_LOGSTATE;
break;
case 'D' :
make_daemon = 1;
@ -759,8 +895,17 @@ char *argv[];
case 'p' :
opts |= OPT_PORTNUM;
break;
case 'P' :
pidfile = optarg;
break;
case 's' :
openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC);
s = strrchr(argv[0], '/');
if (s == NULL)
s = argv[0];
else
s++;
openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
s = NULL;
opts |= OPT_SYSLOG;
break;
case 'S' :
@ -786,6 +931,8 @@ char *argv[];
usage(argv[0]);
}
init_tabs();
/*
* Default action is to only open the filter log file.
*/
@ -825,16 +972,19 @@ char *argv[];
exit(-1);
}
setvbuf(log, NULL, _IONBF, 0);
}
} else
log = NULL;
if (make_daemon && (log != stdout)) {
if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
if (fork() > 0)
exit(0);
write_pid(pidfile);
close(0);
close(1);
close(2);
setsid();
}
} else
write_pid(pidfile);
signal(SIGHUP, handlehup);
@ -859,7 +1009,7 @@ char *argv[];
continue;
nr += tr;
tr = read_log(fd[i], &n, buf, sizeof(buf), log);
tr = read_log(fd[i], &n, buf, sizeof(buf));
if (donehup) {
donehup = 0;
if (newlog) {
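Review bot: The service tables built in init_tabs are indexed by the raw `s->s_port` value in both the tcp and udp branches of the getservent loop, which is in network byte order, while portname converts its argument with `port = ntohs(port);` before indexing `tcp_ports[port]`, so on a little-endian host the name lookups land in the wrong slot; both branches should use `port = ntohs(s->s_port);`. portname also dereferences `tcp_ports`/`udp_ports` without the NULL guard that getproto applies to `protocols`, so a failed malloc in init_tabs becomes a crash on the first TCP/UDP record — `s = tcp_ports ? tcp_ports[port] : NULL;` (and likewise for udp) would match getproto. init_tabs frees the three arrays but not the strdup'd names stored in them, so every SIGHUP leaks the whole table, and because handlehup calls init_tabs directly, malloc/free/getservent run inside a signal handler where they are not async-signal-safe; setting a flag in the handler and rebuilding the tables from the main loop (which already checks donehup) would address both. Separately, write_pid closes the descriptor twice — `fclose(fp)` already releases fd — so the trailing `close(fd);` should be dropped.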


@ -1,5 +1,6 @@
/* $FreeBSD$ */
/*
* ipsend.c (C) 1995-1997 Darren Reed
* ipsend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
@ -12,13 +13,14 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.1.2.2 1999/11/28 03:43:44 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
@ -32,7 +34,6 @@ static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:1
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <netinet/ip_compat.h>
#include "ipsend.h"
#include "ipf.h"
@ -177,7 +178,8 @@ char **argv;
struct in_addr gwip;
tcphdr_t *tcp;
ip_t *ip;
char *name = argv[0], host[64], *gateway = NULL, *dev = NULL;
char *name = argv[0], host[MAXHOSTNAMELEN + 1];
char *gateway = NULL, *dev = NULL;
char *src = NULL, *dst, *s;
int mtu = 1500, olen = 0, c, nonl = 0;


@ -1,5 +1,6 @@
/* $FreeBSD$ */
/*
* (C)opyright 1995-1997 Darren Reed. (from tcplog)
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@ -23,7 +24,11 @@
#include <sys/ioctl.h>
#if BSD < 199103
#include <sys/fcntlcom.h>
#include <sys/dir.h>
#endif
#if (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
#else
# include <sys/dir.h>
#endif
#include <net/bpf.h>
@ -39,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.0.2.7 1997/10/23 11:42:47 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
#endif
/*


@ -1,5 +1,6 @@
/* $FreeBSD$ */
/*
* sock.c (C) 1995-1997 Darren Reed
* sock.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@ -7,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.1 1999/08/04 17:31:16 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@ -22,8 +23,10 @@ static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 d
#ifndef ultrix
#include <fcntl.h>
#endif
#ifndef __FreeBSD__
#include <sys/dir.h>
#if (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
#else
# include <sys/dir.h>
#endif
#define _KERNEL
#define KERNEL


@ -1,3 +1,4 @@
.\" $FreeBSD$
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
@ -25,7 +26,19 @@ However, the full complement is as follows:
ioctl(fd, SIOCRMIFR, struct frentry *)
ioctl(fd, SIOCINAFR, struct frentry *)
ioctl(fd, SIOCINIFR, struct frentry *)
ioctl(fd, SIOCSETFF, u_int *)
ioctl(fd, SIOGGETFF, u_int *)
ioctl(fd, SIOCGETFS, struct friostat *)
ioctl(fd, SIOCIPFFL, int *)
ioctl(fd, SIOCIPFFB, int *)
ioctl(fd, SIOCSWAPA, u_int *)
ioctl(fd, SIOCFRENB, u_int *)
ioctl(fd, SIOCFRSYN, u_int *)
ioctl(fd, SIOCFRZST, struct friostat *)
ioctl(fd, SIOCZRLST, struct frentry *)
ioctl(fd, SIOCAUTHW, struct fr_info *)
ioctl(fd, SIOCAUTHR, struct fr_info *)
ioctl(fd, SIOCATHST, struct fr_authstat *)
.fi
.PP
The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
@ -44,21 +57,24 @@ which it is inserted is stored in the "fr_hits" field, below.
typedef struct frentry {
struct frentry *fr_next;
u_short fr_group; /* group to which this rule belongs */
u_short fr_head; /* group # which this rule starts */
u_short fr_grhead; /* group # which this rule starts */
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
struct ifnet *fr_ifa;
void *fr_ifa;
#if BSD >= 199306
void *fr_oifa;
#endif
/*
* These are only incremented when a packet matches this rule and
* it is the last match
*/
U_QUAD_T fr_hits;
U_QUAD_T fr_bytes;
U_QUAD_T fr_hits;
U_QUAD_T fr_bytes;
/*
* Fields after this may not change whilst in the kernel.
*/
struct fr_ip fr_ip;
struct fr_ip fr_mip;
struct fr_ip fr_mip; /* mask structure */
u_char fr_tcpfm; /* tcp flags mask */
u_char fr_tcpf; /* tcp flags */
@ -67,16 +83,20 @@ typedef struct frentry {
u_short fr_icmp;
u_char fr_scmp; /* data for port comparisons */
u_char fr_dcmp;
u_char fr_dcmp;
u_short fr_dport;
u_short fr_sport;
u_short fr_stop; /* top port for <> and >< */
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_long fr_flags; /* per-rule flags && options (see below) */
int fr_skip; /* # of rules to skip */
int (*fr_func)(); /* call this function */
u_32_t fr_flags; /* per-rule flags && options (see below) */
u_short fr_skip; /* # of rules to skip */
u_short fr_loglevel; /* syslog log facility + priority */
int (*fr_func) __P((int, ip_t *, fr_info_t *));
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
#if BSD > 199306
char fr_oifname[IFNAMSIZ];
#endif
struct frdest fr_tif; /* "to" interface */
struct frdest fr_dif; /* duplicate packet interfaces */
} frentry_t;
@ -96,12 +116,13 @@ Flags which are recognised in fr_pass:
FR_OUTQUE 0x000004 /* outgoing packets */
FR_INQUE 0x000008 /* ingoing packets */
FR_LOG 0x000010 /* Log */
FR_LOGP 0x000011 /* Log-pass */
FR_LOGB 0x000012 /* Log-fail */
FR_LOGB 0x000011 /* Log-fail */
FR_LOGP 0x000012 /* Log-pass */
FR_LOGBODY 0x000020 /* log the body of packets too */
FR_LOGFIRST 0x000040 /* log only the first packet to match */
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
FR_NOMATCH 0x000200 /* no match occured */
FR_ACCOUNT 0x000400 /* count packet bytes */
FR_KEEPFRAG 0x000800 /* keep fragment information */
@ -137,9 +158,11 @@ comparisons) :
The third ioctl, SIOCIPFFL, flushes either the input filter list, the
output filter list or both and it returns the number of filters removed
from the list(s). The values which it will take and recognise are FR_INQUE
and FR_OUTQUE (see above).
and FR_OUTQUE (see above). This ioctl is also implemented for
\fB/dev/ipstate\fP and will flush all state tables entries if passed 0
or just all those which are not established if passed 1.
\fBGeneral Logging Flags\fP
.IP "\fBGeneral Logging Flags\fP" 0
There are two flags which can be set to log packets independently of the
rules used. These allow for packets which are either passed or blocked
to be logged. To set (and clear)/get these flags, two ioctls are
@ -157,8 +180,7 @@ those provided (clearing/setting all in one).
.IP SIOCGETFF 16
Takes a pointer to an unsigned integer as the parameter. A copy of the
flags currently in used is copied to user space.
.LP
\fBFilter statistics\fP
.IP "\fBFilter statistics\fP" 0
Statistics on the various operations performed by this package on packets
is kept inside the kernel. These statistics apply to packets traversing
through the kernel. To retrieve this structure, use this ioctl:
@ -173,7 +195,12 @@ struct friostat {
struct frentry *f_acctin[2];
struct frentry *f_acctout[2];
struct frentry *f_auth;
int f_active;
u_long f_froute[2];
int f_active; /* 1 or 0 - active rule set */
int f_defpass; /* default pass - from fr_pass */
int f_running; /* 1 if running, else 0 */
int f_logging; /* 1 if enabled, else 0 */
char f_version[32]; /* version string */
};
struct filterstats {
@ -195,12 +222,28 @@ struct filterstats {
u_long fr_chit; /* cached hit */
u_long fr_pull[2]; /* good and bad pullup attempts */
#if SOLARIS
u_long fr_notdata; /* PROTO/PCPROTO that have no data */
u_long fr_nodata; /* mblks that have no data */
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */
u_long fr_drop; /* packets dropped - no info for them! */
#endif
};
.fi
If we wanted to retrieve all the statistics and reset the counters back to
0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
In addition to the statistics above, each rule keeps a hit count, counting
both number of packets and bytes. To reset these counters for a rule,
load the various rule information into a frentry structure and call
SIOCZRLST.
.IP "Swapping Active lists" 0
IP Filter supports two lists of rules for filtering and accounting: an
active list and an inactive list. This allows for large scale rule base
changes to be put in place atomically with otherwise minimal interruption.
Which of the two is active can be changed using the SIOCSWAPA ioctl. It
is important to note that no passed argument is recognised and that the
value returned is that of the list which is now inactive.
.br
.SH FILES
/dev/ipauth
.br


@ -1,3 +1,4 @@
.\" $FreeBSD$
.TH IPF 5
.SH NAME
ipf, ipf.conf \- IP packet filter rule syntax
@ -31,17 +32,18 @@ proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
block = "block" [ icmp[return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
froute = "fastroute" | "to" interface-name .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
fromto = "from" [ "!" ] object "to" [ "!" ] object .
icmp = "return-icmp" | "return-icmp-as-dest" .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
@ -51,6 +53,7 @@ with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep = "keep" "state" | "keep" "frags" .
loglevel = facility"."priority | priority .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
@ -70,10 +73,17 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
"inforep" | "maskreq" | "maskrep" | decnumber .
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
"filter-prohib" | "host-preced" | "cutoff-preced" .
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
"addext" | "visa" | "imitd" | "eip" | "finn" .
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
"lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
"audit" | "logalert" | "local0" | "local1" | "local2" |
"local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
"info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
@ -118,11 +128,23 @@ actions are recognised:
.B block
indicates that the packet should be flagged to be dropped. In response
to blocking a packet, the filter may be instructed to send a reply
packet, either an ICMP packet (\fBreturn-icmp\fP) or a TCP "reset"
(\fBreturn-rst\fP). An ICMP packet may be generated in response to
any IP packet, and its type may optionally be specified, but a TCP
reset may only be used with a rule which is being applied to TCP
packets.
packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
masquerading as being from the original packet's destination
(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
ICMP packet may be generated in response to any IP packet, and its
type may optionally be specified, but a TCP reset may only be used
with a rule which is being applied to TCP packets. When using
\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
the actual unreachable `type'. That is, whether it is a network
unreachable, port unreachable or even administratively
prohibitied. This is done by enclosing the ICMP code associated with
it in parenthesis directly following \fBreturn-icmp\fP or
\fBreturn-icmp-as-dest\fP as follows:
.nf
block return-icmp(11) ...
.fi
.PP
Would return a Type-Of-Service (TOS) ICMP unreachable error.
.TP
.B pass
will flag the packet to be let through the filter.
@ -145,10 +167,27 @@ feature is for use by knowledgeable hackers, and is not currently
documented.
.TP
.B "skip <n>"
causes the filter to skip over the next \fIn\fP filter rules. If a rule is
inserted or deleted inside the region being skipped over, then the value of
\fIn\fP is adjusted appropriately.
.TP
.B auth
this allows authentication to be performed by a user-space program running
and waiting for packet information to validate. The packet is held for a
period of time in an internal buffer whilst it waits for the program to return
to the kernel the \fIreal\fP flags for whether it should be allowed through
or not. Such a program might look at the source address and request some sort
of authentication from the user (such as a password) before allowing the
packet through or telling the kernel to drop it if from an unrecognised source.
.TP
.B preauth
tells the filter that for packets of this class, it should look in the
pre-authenticated list for further clarification. If no further matching
rule is found, the packet will be dropped (the FR_PREAUTH is not the same
as FR_PASS). If a further matching rule is found, the result from that is
used in its instead. This might be used in a situation where a person
\fIlogs in\fP to the firewall and it sets up some temporary rules defining
the access for that person.
.PP
The next word must be either \fBin\fP or \fBout\fP. Each packet
moving through the kernel is either inbound (just been received on an
@ -195,7 +234,10 @@ which the specified source address would be expected, others may be
logged and/or dropped.
.TP
.B dup-to
causes the packet to be copied, and the duplicate packet to be sent outbound on the specified interface, optionally with the destination IP address changed to that specified. This is useful for off-host logging, using a network sniffer.
causes the packet to be copied, and the duplicate packet to be sent
outbound on the specified interface, optionally with the destination
IP address changed to that specified. This is useful for off-host
logging, using a network sniffer.
.TP
.B to
causes the packet to be moved to the outbound queue on the
@ -394,10 +436,19 @@ indicates that the first 128 bytes of the packet contents will be
logged after the headers.
.TP
.B first
??
If log is being used in conjunction with a "keep" option, it is recommended
that this option is also applied so that only the triggering packet is logged
and not every packet which thereafter matches state information.
.TP
.B or-block
indicates that, if for some reason the filter is unable to log the packet (such as the log reader being too slow) then the rule should be interpreted as if the action was \fBblock\fP for this packet.
indicates that, if for some reason the filter is unable to log the
packet (such as the log reader being too slow) then the rule should be
interpreted as if the action was \fBblock\fP for this packet.
.TP
.B "level <loglevel>"
indicates what logging facility and priority, or just priority with
the default facility being used, will be used to log information about
this packet using ipmon's -s option.
.PP
See ipl(4) for the format of records written
to this device. The ipmon(8) program can be used to read and format
@ -419,7 +470,7 @@ The "fall-through" rule parsing allows for effects such as this:
.nf
block in from any to any port < 6000
pass in from any to any port >= 6000
block in from any to port > 6003
block in from any to any port > 6003
.fi
.PP
which sets up the range 6000-6003 as being permitted and all others being
@ -441,14 +492,14 @@ rule such as:
.fi
.PP
would be needed before the first block. To create a new group for
processing all inbould packets on le0/le1/lo0, with the default being to block
processing all inbound packets on le0/le1/lo0, with the default being to block
all inbound packets, we would do something like:
.LP
.nf
block in all
block in on le0 quick all head 100
block in on le1 quick all head 200
block in on lo0 quick all head 300
block in quick on le0 all head 100
block in quick on le1 all head 200
block in quick on lo0 all head 300
.fi
.PP
@ -487,4 +538,4 @@ qualifies all service/port names with the protocol specified.
.br
/etc/services
.SH SEE ALSO
ipftest(1), iptest(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)


@ -1,10 +1,11 @@
.\" $FreeBSD$
.TH IPF 8
.SH NAME
ipf \- alters packet filtering lists for IP packet input and output
.SH SYNOPSIS
.B ipf
[
.B \-AdDEInorsUvyzZ
.B \-AdDEInoPrsUvVyzZ
] [
.B \-l
<block|pass|nomatch>
@ -81,6 +82,9 @@ calls or doing anything which would alter the currently running kernel.
Force rules by default to be added/deleted to/from the output list, rather
than the (default) input list.
.TP
.B \-P
Add rules as temporary entries in the authentication rule table.
.TP
.B \-r
Remove matching filter rules rather than add them to the internal lists
.TP
@ -94,6 +98,12 @@ recognised as IP packets. They will be printed out on the console.
.B \-v
Turn verbose mode on. Displays information relating to rule processing.
.TP
.B \-V
Show version information. This will display the version information compiled
into the ipf binary and retrieve it from the kernel code (if running/present).
If it is present in the kernel, information about its current state will be
displayed (whether logging is active, default filtering, etc).
.TP
.B \-y
Manually resync the in-kernel interface list maintained by IP Filter with
the current interface status list.
@ -113,7 +123,7 @@ affect fragment or state statistics).
.br
/dev/ipstate
.SH SEE ALSO
ipftest(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
.SH DIAGNOSTICS
.PP
Needs to be run as root for the packet filtering lists to actually


@ -1,7 +1,11 @@
.\" $FreeBSD$
.TH IPFILTER 1
.SH NAME
IP FIlter
.SH DESCRIPTION
.PP
IP Filter is a package providing packet filtering capabilities for a variety
of operating systems. On a properly setup system, it can be used to build a
firewall.
.SH SEE ALSO
ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5)
ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)


@ -1,10 +1,11 @@
.\" $FreeBSD$
.TH ipfstat 8
.SH NAME
ipfstat \- reports on packet filter statistics and filter list
.SH SYNOPSIS
.B ipfstat
[
.B \-aAfhIinosv
.B \-aAfghIinosv
] [
.B \-d
<device>
@ -34,6 +35,9 @@ Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
Show fragment state information (statistics) and held state information (in
the kernel) if any is present.
.TP
.B \-g
Show groups currently configured (both active and inactive).
.TP
.B \-h
Show per-rule the number of times each one scores a "hit". For use in
combination with \fB\-i\fP.


@ -1,3 +1,4 @@
.\" $FreeBSD$
.TH ipmon 8
.SH NAME
ipmon \- monitors /dev/ipl for logged packets
@ -28,6 +29,46 @@ default or a filename, if given on the command line. Should the \fB\-s\fP
option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent
via syslog have the day, month and year removed from the message, but the
time (including microseconds), as recorded in the log, is still included.
.LP
Messages generated by ipmon consist of whitespace separated fields.
Fields common to all messages are:
.LP
1. The date of packet receipt. This is suppressed when the message is
sent to syslog.
.LP
2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
minutes seconds, and fractions of a second (which can be several digits
long).
.LP
3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
.LP
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
5. The action: \fBp\fP for passed or \fBb\fP for blocked.
.LP
6. The addresses.
This is actually three fields: the source address and port
(separted by a comma), the \fB->\fP symbol, and the destination address
and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
.LP
7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
.LP
8. \fBlen\fP followed by the header length and total length of the packet,
e.g., \fBlen 20 40\fP.
.LP
If the packet is a TCP packet, there will be an additional field starting
with a hyphen followed by letters corresponding to any flags that were set.
See the ipf.conf manual page for a list of letters and their flags.
.LP
If the packet is an ICMP packet, there will be two fields at the end,
the first always being `icmp', and the next being the ICMP message and
submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
unreachable message.
.LP
In order for \fBipmon\fP to properly work, the kernel option
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
\fBoptions(4)\fP for more details.
.SH OPTIONS
.TP
.B \-a
@ -61,7 +102,12 @@ as for \fB-o\fP.
.TP
.B \-s
Packet information read in will be sent through syslogd rather than
saved to a file. The following levels are used:
saved to a file. The default facility when compiled and installed is
\fBlocal0\fP. The following levels are used:
.TP
.B "\-S <device>"
Set the logfile to be opened for reading state log records from to <device>.
.TP
.IP
.B LOG_INFO
\- packets logged using the "log" keyword as the action rather
@ -77,12 +123,12 @@ than pass or block.
\- packets which have been logged and which can be considered
"short".
.TP
.B "\-S <device>"
Set the logfile to be opened for reading state log records from to <device>.
.TP
.B \-t
read the input file/device in a manner akin to tail(1).
.TP
.B \-v
show tcp window, ack and sequence fields.
.TP
.B \-x
show the packet data in hex.
.TP


@ -1,3 +1,4 @@
.\" $FreeBSD$
.TH IPNAT 4
.SH NAME
ipnat \- Network Address Translation kernel interface
@ -65,7 +66,7 @@ Recognised values for in_redir:
.PP
.LP
\fBNAT statistics\fP
Statistics on the the number of packets mapped, going in and out are kept,
Statistics on the number of packets mapped, going in and out are kept,
the number of times a new entry is added and deleted (through expiration) to
the NAT table and the current usage level of the NAT table.
.PP