Resolve conflicts

MFC after:	1 weeks
Guido van Rooij 2006-08-16 12:23:02 +00:00
parent 4160f4c64e
commit dac098f2c9
38 changed files with 526 additions and 439 deletions


@ -6,7 +6,7 @@
# to the original author and the contributors.
#
# $FreeBSD$
# Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp
# Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $
#
SHELL=/bin/sh
BINDEST=/usr/local/bin
@ -135,6 +135,7 @@ all:
@echo "freebsd3 - compile for FreeBSD-3.x"
@echo "freebsd4 - compile for FreeBSD-4.x"
@echo "freebsd5 - compile for FreeBSD-5.x"
@echo "freebsd6 - compile for FreeBSD-6.x"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@ -187,7 +188,7 @@ freebsd22: include
fi
make freebsd20
freebsd5: include
freebsd5 freebsd6: include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \


@ -42,7 +42,7 @@
#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
static const char rcsid[] =
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)";
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)";
#endif
#include <sys/param.h>
@ -468,9 +468,10 @@ bpf_filter(pc, p, wirelen, buflen)
/*
* Return true if the 'fcode' is a valid filter program.
* The constraints are that each jump be forward and to a valid
* code. The code must terminate with either an accept or reject.
* 'valid' is an array for use by the routine (it must be at least
* 'len' bytes long).
* code, that memory accesses are within valid ranges (to the
* extent that this can be checked statically; loads of packet
* data have to be, and are, also checked at run time), and that
* the code terminates with either an accept or reject.
*
* The kernel needs to be able to verify an application's filter code.
* Otherwise, a bogus program could easily crash the system.
@ -480,38 +481,114 @@ bpf_validate(f, len)
struct bpf_insn *f;
int len;
{
register int i;
register struct bpf_insn *p;
u_int i, from;
const struct bpf_insn *p;
if (len == 0)
return 1;
if (len < 1 || len > BPF_MAXINSNS)
return 0;
for (i = 0; i < len; ++i) {
/*
* Check that that jumps are forward, and within
* the code block.
*/
p = &f[i];
if (BPF_CLASS(p->code) == BPF_JMP) {
register int from = i + 1;
if (BPF_OP(p->code) == BPF_JA) {
if (from + p->k >= (unsigned)len)
return 0;
}
else if (from + p->jt >= len || from + p->jf >= len)
return 0;
}
switch (BPF_CLASS(p->code)) {
/*
* Check that memory operations use valid addresses.
*/
if ((BPF_CLASS(p->code) == BPF_ST ||
(BPF_CLASS(p->code) == BPF_LD &&
(p->code & 0xe0) == BPF_MEM)) &&
(p->k >= BPF_MEMWORDS || p->k < 0))
return 0;
/*
* Check for constant division by 0.
*/
if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
case BPF_LD:
case BPF_LDX:
switch (BPF_MODE(p->code)) {
case BPF_IMM:
break;
case BPF_ABS:
case BPF_IND:
case BPF_MSH:
/*
* More strict check with actual packet length
* is done runtime.
*/
#if 0
if (p->k >= bpf_maxbufsize)
return 0;
#endif
break;
case BPF_MEM:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_LEN:
break;
default:
return 0;
}
break;
case BPF_ST:
case BPF_STX:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_ALU:
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
case BPF_RSH:
case BPF_NEG:
break;
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
default:
return 0;
}
break;
case BPF_JMP:
/*
* Check that jumps are within the code block,
* and that unconditional branches don't go
* backwards as a result of an overflow.
* Unconditional branches have a 32-bit offset,
* so they could overflow; we check to make
* sure they don't. Conditional branches have
* an 8-bit offset, and the from address is <=
* BPF_MAXINSNS, and we assume that BPF_MAXINSNS
* is sufficiently small that adding 255 to it
* won't overflow.
*
* We know that len is <= BPF_MAXINSNS, and we
* assume that BPF_MAXINSNS is < the maximum size
* of a u_int, so that i + 1 doesn't overflow.
*/
from = i + 1;
switch (BPF_OP(p->code)) {
case BPF_JA:
if (from + p->k < from || from + p->k >= len)
return 0;
break;
case BPF_JEQ:
case BPF_JGT:
case BPF_JGE:
case BPF_JSET:
if (from + p->jt >= len || from + p->jf >= len)
return 0;
break;
default:
return 0;
}
break;
case BPF_RET:
break;
case BPF_MISC:
break;
default:
return 0;
}
}
return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
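Review bot: In the `BPF_ALU` switch of bpf_validate, `case BPF_DIV:` has no `break` after the constant-zero test, so control falls into `default: return 0;` and every program containing a division is rejected, which also makes the zero check dead code. Add `break;` after the `if (BPF_RVAL(p->code) == BPF_K && p->k == 0) return 0;` pair. The list of accepted ALU operations also omits `BPF_MUL`, so multiplies hit the same `default`; if that is not intended, add `case BPF_MUL:` next to `case BPF_ADD:`. `BPF_RVAL` is normally the selector used for return instructions, so it is worth confirming that `BPF_SRC` was not meant in the divisor test. The validator fails closed in all of these cases, so the effect is rejected filters rather than unsafe ones.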


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -138,7 +138,7 @@ struct rtentry;
#include "md5.h"
#if !defined(__osf__)
#if !defined(__osf__) && !defined(__linux__)
extern struct protosw inetsw[];
#endif
@ -718,13 +718,45 @@ frdest_t *fdp;
{
struct ifnet *ifp = fdp->fd_ifp;
ip_t *ip = fin->fin_ip;
int error = 0;
frentry_t *fr;
void *sifp;
if (!ifp)
return 0; /* no routing table out here */
ip->ip_len = htons((u_short)ip->ip_len);
ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
fr = fin->fin_fr;
ip->ip_sum = 0;
if (fin->fin_out == 0) {
sifp = fin->fin_ifp;
fin->fin_ifp = ifp;
fin->fin_out = 1;
(void) fr_acctpkt(fin, NULL);
fin->fin_fr = NULL;
if (!fr || !(fr->fr_flags & FR_RETMASK)) {
u_32_t pass;
(void) fr_checkstate(fin, &pass);
}
switch (fr_checknatout(fin, NULL))
{
case 0 :
break;
case 1 :
ip->ip_sum = 0;
break;
case -1 :
error = -1;
goto done;
break;
}
fin->fin_ifp = sifp;
fin->fin_out = 0;
}
#if defined(__sgi) && (IRIX < 60500)
(*ifp->if_output)(ifp, (void *)ip, NULL);
# if TRU64 >= 1885
@ -733,7 +765,8 @@ frdest_t *fdp;
(*ifp->if_output)(ifp, (void *)m, NULL, 0);
# endif
#endif
return 0;
done:
return error;
}
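Review bot: The `case -1` branch of the `fr_checknatout()` switch jumps to `done` before `fin->fin_ifp = sifp;` and `fin->fin_out = 0;` run, so on that error the caller gets `fin` back still pointing at the outbound interface with `fin_out` set to 1. Restore both fields before the jump, or move the two restore lines to a point that both paths reach. `fin->fin_fr` is also set to NULL and the saved `fr` is not written back anywhere in the visible lines; if the caller reads `fin_fr` afterwards it needs the same treatment. The function starts above this hunk, so the entry state of `fin` is not visible here.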


@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $
* $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $
*/
#ifndef __IPF_H__
@ -184,7 +184,6 @@ extern struct ipopt_names v6ionames[];
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int addkeep __P((char ***, struct frentry *, int));
extern int bcopywrap __P((void *, void *, size_t));
extern void binprint __P((void *, size_t));
extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));


@ -6,7 +6,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: iplang_y.y,v 2.9.2.2 2004/12/09 19:41:10 darrenr Exp
* Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $
* $FreeBSD$
*/
@ -1649,7 +1649,7 @@ void *ptr;
for (sto = toipopts; sto->sto_st; sto++)
if (sto->sto_st == state)
break;
if (!sto || !sto->sto_st) {
if (!sto->sto_st) {
fprintf(stderr, "No mapping for state %d to IP option\n",
state);
return;


@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp $
* $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $
*/
@ -94,3 +94,4 @@ extern int load_config __P((char *));
extern void dumphex __P((FILE *, int, char *, int));
extern int check_action __P((char *, char *, int, int));
extern char *getword __P((int));
extern int fac_findname __P((char *));


@ -11,6 +11,9 @@
#include <ctype.h>
#include <signal.h>
#include <errno.h>
#ifdef __NetBSD__
# include <paths.h>
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/mbuf.h>
@ -123,8 +126,18 @@ int tout;
struct bpf_version bv;
struct timeval to;
struct ifreq ifr;
#ifdef _PATH_BPF
char *bpfname = _PATH_BPF;
int fd;
if ((fd = open(bpfname, O_RDWR)) < 0)
{
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#else
char bpfname[16];
int fd, i;
int fd = -1, i;
for (i = 0; i < 16; i++)
{
@ -137,6 +150,7 @@ int tout;
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#endif
if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
{
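Review bot: In the new `_PATH_BPF` branch the failure message still says `/dev/bpfxx` and drops `errno`, so a permission error on the device is indistinguishable from a missing device. Report the actual path and cause before `return -1;`, for example with `perror(bpfname);`. `bpfname` points at a string literal in this branch and would be better declared `const char *`. The same block is added in the later section that patches sbpf.c, where the `#else` branch still initialises `fd` to 0 rather than -1; the failure test after the loop lies outside both hunks and is worth checking against that value.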


@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@ -155,6 +155,8 @@ struct in_addr gwip;
int wfd;
wfd = initdevice(dev, 5);
if (wfd == -1)
return -1;
return send_packet(wfd, mtu, ip, gwip);
}


@ -8,10 +8,18 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.4 2005/06/12 07:18:39 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
#if defined(__NetBSD__) && defined(__vax__)
/*
* XXX need to declare boolean_t for _KERNEL <sys/files.h>
* which ends up including <sys/device.h> for vax. See PR#32907
* for further details.
*/
typedef int boolean_t;
#endif
#include <sys/time.h>
#if !defined(__osf__)
# define _KERNEL
@ -136,7 +144,10 @@ int ptest;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
len = ip->ip_len;
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -470,11 +481,14 @@ int ptest;
int nfd;
u_char *s;
s = (u_char *)(ip + 1);
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
IP_HL_A(ip, 6);
ip->ip_len = IP_HL(ip) << 2;
s = (u_char *)(ip + 1);
s[IPOPT_OPTVAL] = IPOPT_NOP;
s++;
if (!ptest || (ptest == 1)) {
@ -574,7 +588,10 @@ int ptest;
ip->ip_sum = 0;
ip->ip_len = sizeof(*ip) + sizeof(*icp);
icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -773,7 +790,10 @@ int ptest;
u->uh_sport = htons(1);
u->uh_dport = htons(1);
u->uh_ulen = htons(sizeof(*u) + 4);
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -936,7 +956,10 @@ int ptest;
t->th_seq = htonl(1);
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -1281,6 +1304,9 @@ int ptest;
u->uh_sum = 0;
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
u->uh_ulen = htons(7168);
printf("6. Exhaustive mbuf test.\n");
@ -1350,6 +1376,9 @@ int ptest;
u_char *s;
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
pip = (ip_t *)tbuf;
srand(time(NULL) ^ (getpid() * getppid()));


@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@ -227,6 +227,8 @@ struct in_addr gwip;
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, 0);
if (nfd == -1)
return -1;
if (!(s = find_tcp(fd, ti)))
return -1;


@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@ -81,6 +81,9 @@ char *datain;
ip_t *ip;
int fd, wfd = initdevice(dev, 5), len, i;
if (wfd == -1)
return -1;
if (datain)
fd = (*r->r_open)(datain);
else
@ -101,6 +104,7 @@ char *datain;
if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
{
perror("arp");
free(eh);
return -2;
}
@ -137,5 +141,6 @@ char *datain;
}
}
(*r->r_close)();
free(eh);
return 0;
}
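Review bot: The `arp()` failure path now frees `eh` but still returns -2 without calling `(*r->r_close)()`, which the normal exit at the end of the function does before its own `free(eh)`. Since the reader is opened with `(*r->r_open)(datain)` near the top when `datain` is set, that path appears to leave the input open; adding `(*r->r_close)();` ahead of `free(eh);` would make the two exits match. The lines between the hunks are not shown, so any other early return there should be checked for the same `eh` leak.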


@ -37,6 +37,9 @@
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#ifdef __NetBSD__
# include <paths.h>
#endif
#include <ctype.h>
#include <signal.h>
#include <errno.h>
@ -45,7 +48,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $";
#endif
/*
@ -62,6 +65,16 @@ int tout;
struct bpf_version bv;
struct timeval to;
struct ifreq ifr;
#ifdef _PATH_BPF
char *bpfname = _PATH_BPF;
int fd;
if ((fd = open(bpfname, O_RDWR)) < 0)
{
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#else
char bpfname[16];
int fd = 0, i;
@ -76,6 +89,7 @@ int tout;
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#endif
if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
{


@ -7,12 +7,20 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/stat.h>
#if defined(__NetBSD__) && defined(__vax__)
/*
* XXX need to declare boolean_t for _KERNEL <sys/files.h>
* which ends up including <sys/device.h> for vax. See PR#32907
* for further details.
*/
typedef int boolean_t;
#endif
#ifndef ultrix
#include <fcntl.h>
#endif
@ -302,28 +310,33 @@ struct tcpiphdr *ti;
}
#endif
o = NULL;
f = NULL;
s = NULL;
i = NULL;
t = NULL;
o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n",
(u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o));
return NULL;
goto finderror;
}
f = (struct file *)calloc(1, sizeof(*f));
if (KMCPY(f, o[tfd], sizeof(*f)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n",
(u_long)o[tfd], (u_long)f, (u_long)sizeof(*f));
return NULL;
goto finderror;
}
s = (struct socket *)calloc(1, sizeof(*s));
if (KMCPY(s, f->f_data, sizeof(*s)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n",
(u_long)f->f_data, (u_long)s,
(u_long)sizeof(*s));
return NULL;
(u_long)f->f_data, (u_long)s, (u_long)sizeof(*s));
goto finderror;
}
i = (struct inpcb *)calloc(1, sizeof(*i));
@ -331,7 +344,7 @@ struct tcpiphdr *ti;
{
fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n",
(u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i));
return NULL;
goto finderror;
}
t = (struct tcpcb *)calloc(1, sizeof(*t));
@ -339,9 +352,22 @@ struct tcpiphdr *ti;
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n",
(u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t));
return NULL;
goto finderror;
}
return (struct tcpcb *)i->inp_ppcb;
finderror:
if (o != NULL)
free(o);
if (f != NULL)
free(f);
if (s != NULL)
free(s);
if (i != NULL)
free(i);
if (t != NULL)
free(t);
return NULL;
}
#endif /* BSD < 199301 */
@ -383,7 +409,10 @@ struct in_addr gwip;
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, 1);
if (nfd == -1)
return -1;
if (!(t = find_tcp(fd, ti)))
return -1;
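Review bot: In find_tcp each `calloc()` result is handed straight to `KMCPY()` without a NULL test, so an allocation failure becomes a copy into a null pointer instead of reaching the new `finderror` cleanup; add e.g. `if (o == NULL) goto finderror;` after each allocation. The success path, `return (struct tcpcb *)i->inp_ppcb;`, still returns without releasing `o`, `f`, `s`, `i` and `t`, so the leak this change fixes for errors remains for every successful lookup. Saving the pointer in a local, freeing the five buffers and then returning it would close that. The `if (x != NULL)` guards before `free()` are unnecessary, and the size for `o` is better passed as `calloc(fd->fd_lastfile + 1, sizeof(*o))` so the multiplication is overflow-checked. The function begins above the first hunk shown.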


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp $
* $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $
*/
#ifndef __IPT_H__


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $
* $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $
*/
#include <ctype.h>
@ -19,76 +19,3 @@ char *icmptypes[MAX_ICMPTYPE + 1] = {
"routersol", "timex", "paramprob", "timest", "timestrep",
"inforeq", "inforep", "maskreq", "maskrep", "END"
};
/*
* set the icmp field to the correct type if "icmp" word is found
*/
int addicmp(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
{
char **t;
int i;
(*cp)++;
if (!**cp)
return -1;
if (!fp->fr_proto) /* to catch lusers */
fp->fr_proto = IPPROTO_ICMP;
if (ISDIGIT(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
"%d: Invalid icmp-type (%s) specified\n",
linenum, **cp);
return -1;
}
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
continue;
if (!strcasecmp("END", *t)) {
i = -1;
break;
}
if (!strcasecmp(*t, **cp))
break;
}
if (i == -1) {
fprintf(stderr,
"%d: Unknown icmp-type (%s) specified\n",
linenum, **cp);
return -1;
}
}
fp->fr_icmp = (u_short)(i << 8);
fp->fr_icmpm = (u_short)0xff00;
(*cp)++;
if (!**cp)
return 0;
if (**cp && strcasecmp("code", **cp))
return 0;
(*cp)++;
if (ISDIGIT(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
"%d: Invalid icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
} else {
i = icmpcode(**cp);
if (i == -1) {
fprintf(stderr,
"%d: Unknown icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
}
i &= 0xff;
fp->fr_icmp |= (u_short)i;
fp->fr_icmpm = (u_short)0xffff;
(*cp)++;
return 0;
}


@ -1,86 +0,0 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: addkeep.c,v 1.12 2003/12/01 01:59:42 darrenr Exp $
*/
#include "ipf.h"
/*
* Parses "keep state" and "keep frags" stuff on the end of a line.
*/
int addkeep(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
{
char *s;
(*cp)++;
if (!**cp) {
fprintf(stderr, "%d: Missing state/frag after keep\n",
linenum);
return -1;
}
if (!strcasecmp(**cp, "state")) {
fp->fr_flags |= FR_KEEPSTATE;
(*cp)++;
if (**cp && !strcasecmp(**cp, "limit")) {
(*cp)++;
fp->fr_statemax = atoi(**cp);
(*cp)++;
}
if (**cp && !strcasecmp(**cp, "scan")) {
(*cp)++;
if (!strcmp(**cp, "*")) {
fp->fr_isc = NULL;
fp->fr_isctag[0] = '\0';
} else {
strncpy(fp->fr_isctag, **cp,
sizeof(fp->fr_isctag));
fp->fr_isctag[sizeof(fp->fr_isctag)-1] = '\0';
fp->fr_isc = NULL;
}
(*cp)++;
} else
fp->fr_isc = (struct ipscan *)-1;
} else if (!strncasecmp(**cp, "frag", 4)) {
fp->fr_flags |= FR_KEEPFRAG;
(*cp)++;
} else if (!strcasecmp(**cp, "state-age")) {
if (fp->fr_ip.fi_p == IPPROTO_TCP) {
fprintf(stderr, "%d: cannot use state-age with tcp\n",
linenum);
return -1;
}
if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
fprintf(stderr, "%d: state-age with no 'keep state'\n",
linenum);
return -1;
}
(*cp)++;
if (!**cp) {
fprintf(stderr, "%d: state-age with no arg\n",
linenum);
return -1;
}
fp->fr_age[0] = atoi(**cp);
s = strchr(**cp, '/');
if (s != NULL) {
s++;
fp->fr_age[1] = atoi(s);
} else
fp->fr_age[1] = fp->fr_age[0];
} else {
fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
linenum, **cp);
return -1;
}
return 0;
}


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $
* $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $
*/
#include <stdio.h>
@ -22,7 +22,7 @@
#include "facpri.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $";
#endif
@ -81,13 +81,13 @@ fac_toname(facpri)
fac = facpri & LOG_FACMASK;
j = fac >> 3;
if (j < 24) {
if (j < (sizeof(facs)/sizeof(facs[0]))) {
if (facs[j].value == fac)
return facs[j].name;
for (i = 0; facs[i].name; i++)
if (fac == facs[i].value)
return facs[i].name;
}
for (i = 0; facs[i].name; i++)
if (fac == facs[i].value)
return facs[i].name;
return NULL;
}
@ -96,11 +96,11 @@ fac_toname(facpri)
/*
* map a facility name to its number
*/
int
int
fac_findname(name)
char *name;
{
int i;
int i;
for (i = 0; facs[i].name; i++)
if (!strcmp(facs[i].name, name))
@ -118,22 +118,6 @@ table_t pris[] = {
};
/*
* map a priority name to its number
*/
int
pri_findname(name)
char *name;
{
int i;
for (i = 0; pris[i].name; i++)
if (!strcmp(pris[i].name, name))
return pris[i].value;
return -1;
}
/*
* map a priority number to its name
*/


@ -20,6 +20,33 @@ u_short *port;
return -1;
}
/*
* Some people will use port names in rules without specifying
* either TCP or UDP because it is implied by the group head.
* If we don't know the protocol, then the best we can do here is
* to take either only the TCP or UDP mapping (if one or the other
* is missing) or make sure both of them agree.
*/
if (fr->fr_proto == 0) {
s = getservbyname(name, "tcp");
if (s != NULL)
p1 = s->s_port;
else
p1 = 0;
s = getservbyname(name, "udp");
if (s != NULL) {
if (p1 != s->s_port)
return -1;
}
if ((p1 == 0) && (s == NULL))
return -1;
if (p1)
*port = p1;
else
*port = s->s_port;
return 0;
}
if ((fr->fr_flx & FI_TCPUDP) != 0) {
/*
* If a rule is "tcp/udp" then check that both TCP and UDP
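Review bot: The new `fr->fr_proto == 0` block rejects a service that exists only for UDP, contrary to its own comment: when the TCP lookup fails `p1` is 0, and `if (p1 != s->s_port) return -1;` then fires for any non-zero UDP port. Compare only when both lookups succeeded, e.g. `if (s != NULL && p1 != 0 && p1 != s->s_port) return -1;`, which also makes the `else *port = s->s_port;` branch reachable. The function's start and the `tcp/udp` branch that follows lie outside the hunk.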


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $
* $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $
*/
#include <ctype.h>
@ -22,28 +22,3 @@ char *icmpcodes[MAX_ICMPCODE + 1] = {
"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
"net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
NULL };
/*
* Return the number for the associated ICMP unreachable code.
*/
int icmpcode(str)
char *str;
{
char *s;
int i, len;
if ((s = strrchr(str, ')')))
*s = '\0';
if (ISDIGIT(*str)) {
if (!ratoi(str, &i, 0, 255))
return -1;
else
return i;
}
len = strlen(str);
for (i = 0; icmpcodes[i]; i++)
if (!strncasecmp(str, icmpcodes[i], MIN(len,
strlen(icmpcodes[i])) ))
return i;
return -1;
}


@ -5,11 +5,11 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $
* $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $";
#endif
#include <ctype.h>
@ -75,36 +75,15 @@ int *resolved;
static u_short tx_portnum(name)
char *name;
{
struct servent *sp, *sp2;
u_short p1 = 0;
struct servent *sp;
if (ISDIGIT(*name))
return (u_short)atoi(name);
if (!tx_proto)
tx_proto = "tcp/udp";
if (strcasecmp(tx_proto, "tcp/udp")) {
sp = getservbyname(name, tx_proto);
if (sp)
return ntohs(sp->s_port);
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
return 0;
}
sp = getservbyname(name, "tcp");
sp = getservbyname(name, tx_proto);
if (sp)
p1 = sp->s_port;
sp2 = getservbyname(name, "udp");
if (!sp || !sp2) {
(void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
name);
return 0;
}
if (p1 != sp2->s_port) {
(void) fprintf(stderr, "%s %d/tcp is a different port to ",
name, p1);
(void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
return 0;
}
return ntohs(p1);
return ntohs(sp->s_port);
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
return 0;
}


@ -1,26 +0,0 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: make_range.c,v 1.2 2002/05/18 07:27:52 darrenr Exp $
*/
#include "ipf.h"
alist_t *make_range(not, a1, a2)
int not;
struct in_addr a1, a2;
{
alist_t *a;
a = (alist_t *)calloc(1, sizeof(*a));
if (a != NULL) {
a->al_1 = a1.s_addr;
a->al_2 = a2.s_addr;
a->al_not = not;
}
return a;
}


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: optprint.c,v 1.6 2002/07/13 15:59:49 darrenr Exp $
* $Id: optprint.c,v 1.6.4.1 2005/12/18 14:51:28 darrenr Exp $
*/
#include "ipf.h"
@ -25,6 +25,10 @@ u_long optmsk, optbits;
if ((io->on_value != IPOPT_SECURITY) ||
(!secmsk && !secbits)) {
printf("%s%s", s, io->on_name);
/*
* Because the ionames table has this entry
* twice.
*/
if (io->on_value == IPOPT_SECURITY)
io++;
s = ",";


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: printfr.c,v 1.43.2.15 2005/11/14 17:45:06 darrenr Exp $
* $Id: printfr.c,v 1.43.2.16 2006/03/29 11:19:59 darrenr Exp $
*/
#include "ipf.h"
@ -122,20 +122,6 @@ ioctlfunc_t iocfunc;
printf("pass");
else if (FR_ISBLOCK(fp->fr_flags)) {
printf("block");
if (fp->fr_flags & FR_RETICMP) {
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
printf(" return-icmp-as-dest");
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
printf(" return-icmp");
if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
printf("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
printf("(%d)", fp->fr_icode);
}
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
printf(" return-rst");
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
printlog(fp);
} else if (FR_ISACCOUNT(fp->fr_flags))
@ -151,6 +137,20 @@ ioctlfunc_t iocfunc;
else {
printf("%x", fp->fr_flags);
}
if (fp->fr_flags & FR_RETICMP) {
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
printf(" return-icmp-as-dest");
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
printf(" return-icmp");
if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
printf("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
printf("(%d)", fp->fr_icode);
}
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
printf(" return-rst");
if (fp->fr_flags & FR_OUTQUE)
printf(" out ");
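Review bot: The relocated return-icmp block indexes `icmpcodes[(int)fp->fr_icode]` under the test `fp->fr_icode <= MAX_ICMPCODE`, but the table shown elsewhere in this commit is declared `icmpcodes[MAX_ICMPCODE + 1]` and ends in `NULL`, so a rule with `fr_icode == MAX_ICMPCODE` would pass a null pointer to `printf("(%s)", ...)`. Using `<` in the bound, or checking the entry for NULL and falling back to the numeric `printf("(%d)", fp->fr_icode)`, avoids that. The block is moved unchanged, so this predates the commit, and the enclosing function starts and ends outside the hunks.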


@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: printlog.c,v 1.6.4.1 2005/11/14 17:45:06 darrenr Exp $
* $Id: printlog.c,v 1.6.4.2 2005/12/18 14:49:06 darrenr Exp $
*/
#include "ipf.h"
@ -28,14 +28,11 @@ frentry_t *fp;
if (fp->fr_loglevel != 0xffff) {
printf(" level ");
s = fac_toname(fp->fr_loglevel);
if (s == NULL)
if (s == NULL || *s == '\0')
s = "!!!";
u = pri_toname(fp->fr_loglevel);
if (u == NULL)
if (u == NULL || *u == '\0')
u = "!!!";
if (*s)
printf("%s.%s", s, u);
else
printf("%s", u);
printf("%s.%s", s, u);
}
}


@ -9,6 +9,8 @@ ipmon \- monitors /dev/ipl for logged packets
] [
.B "\-N <device>"
] [
.B "\-L <facility>"
] [
.B "\-o [NSI]"
] [
.B "\-O [NSI]"
@ -73,7 +75,7 @@ In order for \fBipmon\fP to properly work, the kernel option
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
\fBoptions(4)\fP for more details.
.LP
\fBipmon\fP reopns its log file(s) and rereads its configuration file
\fBipmon\fP reopens its log file(s) and rereads its configuration file
when it receives a SIGHUP signal.
.SH OPTIONS
.TP
@ -102,6 +104,9 @@ for normal IP Filter log records.
Flush the current packet log buffer. The number of bytes flushed is displayed,
even should the result be zero.
.TP
.B \-L <facility>
Using this option allows you to change the default syslog facility that
ipmon uses for syslog messages. The default is local0.
.B \-n
IP addresses and port numbers will be mapped, where possible, back into
hostnames and service names.


@ -139,7 +139,7 @@ struct radix_node *rn_addmask __P((int, int, void *));
* node as high in the tree as we can go.
*
* The present version of the code makes use of normal routes in short-
* circuiting an explict mask and compare operation when testing whether
* circuiting an explicit mask and compare operation when testing whether
* a key satisfies a normal route, and also in remembering the unique leaf
* that governs a subtree.
*/


@ -57,7 +57,6 @@ char *argv[];
struct sockaddr_in sin, sloc, sout;
ipfobj_t obj;
natlookup_t natlook;
natlookup_t *natlookp = &natlook;
char buffer[512];
int namelen, fd, n;


@ -21,7 +21,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $";
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@ -198,7 +198,7 @@ static void closedevice()
static int get_flags()
{
int i;
int i = 0;
if ((opendevice(ipfname, 1) != -2) &&
(ioctl(fd, SIOCGETFF, &i) == -1)) {


@ -81,6 +81,10 @@ static struct wordtab logwords[33];
union i6addr m;
} ipp;
union i6addr ip6;
struct {
char *if1;
char *if2;
} ifs;
};
%type <port> portnum
@ -93,6 +97,7 @@ static struct wordtab logwords[33];
%type <str> servicename name interfacename
%type <pc> portrange portcomp
%type <alist> addrlist poollist
%type <ifs> onname
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
@ -101,7 +106,7 @@ static struct wordtab logwords[33];
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
@ -178,7 +183,7 @@ line: xx rule { while ((fr = frtop) != NULL) {
| YY_COMMENT
;
xx: { newrule(); }
xx: { newrule(); }
;
assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
@ -257,6 +262,7 @@ collection:
action: block
| IPFY_PASS { fr->fr_flags |= FR_PASS; }
| IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
| log
| IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
| auth
@ -286,7 +292,7 @@ log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
;
auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
| IPFY_AUTH IPFY_RETRST { fr->fr_flags |= (FR_AUTH|FR_RETRST);}
| IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
| IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
;
@ -467,18 +473,41 @@ quick:
;
on: IPFY_ON onname
| IPFY_ON lstart onlist lend
| IPFY_ON onname IPFY_INVIA vianame
| IPFY_ON onname IPFY_OUTVIA vianame
;
onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
sizeof(fr->fr_ifnames[0])); \
if ($1.if2 != NULL) { \
strncpy(fr->fr_ifnames[1], \
$1.if2, \
sizeof(fr->fr_ifnames[1]));\
} \
) }
| onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
sizeof(fr->fr_ifnames[0])); \
if ($3.if2 != NULL) { \
strncpy(fr->fr_ifnames[1], \
$3.if2, \
sizeof(fr->fr_ifnames[1]));\
} \
) }
;
onname: interfacename
{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
$$.if1 = fr->fr_ifnames[0];
$$.if2 = NULL;
free($1);
}
| interfacename ',' interfacename
{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
$$.if1 = fr->fr_ifnames[0];
free($1);
strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
$$.if1 = fr->fr_ifnames[1];
free($3);
}
;
@ -1027,7 +1056,8 @@ codelist:
icmpcode
{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
| codelist lmore icmpcode
{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
fr->fr_icmpm |= htons(0xff);) }
;
age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
@ -1087,7 +1117,11 @@ stateopt:
| IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
| IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
age;
| IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
fr->fr_age[1] = $2;) }
| IPFY_AGE YY_NUMBER '/' YY_NUMBER
{ DOALL(fr->fr_age[0] = $2; \
fr->fr_age[1] = $4;) }
;
portnum:
@ -1445,6 +1479,7 @@ static struct wordtab ipfwords[95] = {
{ "newisn", IPFY_NEWISN },
{ "no", IPFY_NO },
{ "no-icmp-err", IPFY_NOICMPERR },
{ "nomatch", IPFY_NOMATCH },
{ "now", IPFY_NOW },
{ "not", IPFY_NOT },
{ "oow", IPFY_OOW },
@ -1753,18 +1788,6 @@ static frentry_t *addrule()
;
count = nrules;
if (count == 0) {
f = (frentry_t *)calloc(sizeof(*f), 1);
added++;
f2->fr_next = f;
bcopy(f2, f, sizeof(*f));
if (f2->fr_caddr != NULL) {
f->fr_caddr = malloc(f->fr_dsize);
bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
}
f->fr_next = NULL;
return f;
}
f = f2;
for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
@ -2035,7 +2058,7 @@ void *ptr;
del = SIOCRMAFR;
}
if (fr && (opts & OPT_OUTQUE))
if ((opts & OPT_OUTQUE) != 0)
fr->fr_flags |= FR_OUTQUE;
if (fr->fr_hits)
fr->fr_hits--;


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $";
#endif
#include "ipf.h"
@ -1224,7 +1224,7 @@ frgroup_t *grp;
char *instr;
group = grp->fg_name;
dogrp = 0;
dogrp = *group ? 1 : 0;
if (in && out) {
fprintf(stderr,


@ -460,21 +460,19 @@ char *file;
i = read(sfd, &ips, sizeof(ips));
if (i == -1) {
perror("read");
close(sfd);
return 1;
goto freeipshead;
}
if (i == 0)
break;
if (i != sizeof(ips)) {
fprintf(stderr, "state:incomplete read: %d != %d\n",
i, (int)sizeof(ips));
close(sfd);
return 1;
goto freeipshead;
}
is = (ipstate_save_t *)malloc(sizeof(*is));
if(!is) {
if (is == NULL) {
fprintf(stderr, "malloc failed\n");
return 1;
goto freeipshead;
}
bcopy((char *)&ips, (char *)is, sizeof(ips));
@ -512,7 +510,7 @@ char *file;
obj.ipfo_size = sizeof(*is);
obj.ipfo_type = IPFOBJ_STATESAVE;
for (is = ipshead; is; is = is->ips_next) {
while ((is = ipshead) != NULL) {
if (opts & OPT_VERBOSE)
printf("Loading new state table entry\n");
if (is->ips_is.is_flags & SI_NEWFR) {
@ -524,7 +522,7 @@ char *file;
if (!(opts & OPT_DONOTHING))
if (ioctl(fd, SIOCSTPUT, &obj)) {
perror("SIOCSTPUT");
return 1;
goto freeipshead;
}
if (is->ips_is.is_flags & SI_NEWFR) {
@ -534,9 +532,21 @@ char *file;
if (is1->ips_rule == (frentry_t *)&is->ips_rule)
is1->ips_rule = is->ips_rule;
}
ipshead = is->ips_next;
free(is);
}
return 0;
freeipshead:
while ((is = ipshead) != NULL) {
ipshead = is->ips_next;
free(is);
}
if (sfd != -1)
close(sfd);
return 1;
}
@ -575,21 +585,21 @@ char *file;
i = read(nfd, &ipn, sizeof(ipn));
if (i == -1) {
perror("read");
close(nfd);
return 1;
goto freenathead;
}
if (i == 0)
break;
if (i != sizeof(ipn)) {
fprintf(stderr, "nat:incomplete read: %d != %d\n",
i, (int)sizeof(ipn));
close(nfd);
return 1;
goto freenathead;
}
in = (nat_save_t *)malloc(ipn.ipn_dsize);
if (!in)
break;
if (in == NULL) {
fprintf(stderr, "nat:cannot malloc nat save atruct\n");
goto freenathead;
}
if (ipn.ipn_dsize > sizeof(ipn)) {
n = ipn.ipn_dsize - sizeof(ipn);
@ -602,8 +612,7 @@ char *file;
fprintf(stderr,
"nat:incomplete read: %d != %d\n",
i, n);
close(nfd);
return 1;
goto freenathead;
}
}
}
@ -645,7 +654,7 @@ char *file;
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_type = IPFOBJ_NATSAVE;
for (in = ipnhead; in; in = in->ipn_next) {
while ((in = ipnhead) != NULL) {
if (opts & OPT_VERBOSE)
printf("Loading new NAT table entry\n");
nat = &in->ipn_nat;
@ -670,9 +679,21 @@ char *file;
if (in1->ipn_rule == &in->ipn_fr)
in1->ipn_rule = nat->nat_fr;
}
ipnhead = in->ipn_next;
free(in);
}
return 0;
freenathead:
while ((in = ipnhead) != NULL) {
ipnhead = in->ipn_next;
free(in);
}
if (nfd != -1)
close(nfd);
return 1;
}
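Review bot: In the NAT restore loop, `ipn.ipn_dsize` is read from the saved file and passed to `malloc()` with no range check; only the `> sizeof(ipn)` case is handled afterwards. If the code following this hunk copies `sizeof(ipn)` bytes into `in`, as the state loop does with its `bcopy`, a file carrying a smaller `ipn_dsize` would write past the allocation. I would reject such a file before allocating, with `if (ipn.ipn_dsize < sizeof(ipn)) goto freenathead;` plus a sensible upper bound. Separately, the `goto freenathead` after the second short read is taken while `in` is allocated but, as far as the hunk shows, not yet linked on `ipnhead`, so that buffer looks leaked unless `free(in);` precedes the jump. Both functions start and end outside the hunks shown.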


@ -70,7 +70,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.13 2005/10/17 17:26:32 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $";
#endif
#ifdef __hpux
@ -925,8 +925,6 @@ ips_stat_t *ipsp;
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
ipsp->iss_miss);
PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n",
ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull);
PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",


@ -12,7 +12,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.7 2005/12/07 08:29:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $";
#endif
extern char *optarg;
@ -212,7 +212,7 @@ char *argv[];
ip = MTOD(m, ip_t *);
while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
&iface, &dir)) > 0) {
if (iface == NULL || *iface == '\0')
if ((iface == NULL) || (*iface == '\0'))
iface = ifname;
ifp = get_unit(iface, IP_V(ip));
if (!use_inet6) {
@ -799,6 +799,6 @@ ip_t *ip;
}
if (hdr != NULL) {
*csump = 0;
*(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr);
*(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
}
}


@ -78,7 +78,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $";
#endif
@ -191,6 +191,7 @@ static char *conf_file = NULL;
#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
#endif
int logfac = LOGFAC;
static icmp_subtype_t icmpunreachnames[] = {
@ -650,10 +651,10 @@ int len;
if (j && !(j & 0xf)) {
*t++ = '\n';
*t = '\0';
if (!(dopts & OPT_SYSLOG))
fputs(hline, log);
else
if ((dopts & OPT_SYSLOG))
syslog(LOG_INFO, "%s", hline);
else if (log != NULL)
fputs(hline, log);
t = (u_char *)hline;
*t = '\0';
}
@ -686,11 +687,12 @@ int len;
*t++ = '\n';
*t = '\0';
}
if (!(dopts & OPT_SYSLOG)) {
if ((dopts & OPT_SYSLOG) != 0)
syslog(LOG_INFO, "%s", hline);
else if (log != NULL) {
fputs(hline, log);
fflush(log);
} else
syslog(LOG_INFO, "%s", hline);
}
}
@ -784,7 +786,7 @@ int blen;
*t++ = '\0';
if (opts & OPT_SYSLOG)
syslog(LOG_INFO, "%s", line);
else
else if (log != NULL)
(void) fprintf(log, "%s", line);
}
@ -901,7 +903,7 @@ int blen;
*t++ = '\0';
if (opts & OPT_SYSLOG)
syslog(LOG_INFO, "%s", line);
else
else if (log != NULL)
(void) fprintf(log, "%s", line);
}
@ -1032,12 +1034,7 @@ int blen;
(void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
t += strlen(t);
#endif
#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \
defined(__arm__)
if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0'))
#else
if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0'))
#endif
if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
strcat(t, " @-1:");
else if (ipf->fl_group[0] == '\0')
(void) strcpy(t, " @0:");
@ -1307,8 +1304,9 @@ printipflog:
if (defaction == 0) {
if (opts & OPT_SYSLOG)
syslog(lvl, "%s", line);
else
else if (log != NULL)
(void) fprintf(log, "%s", line);
if (opts & OPT_HEXHDR)
dumphex(log, opts, buf,
sizeof(iplog_t) + sizeof(*ipf));
@ -1371,11 +1369,12 @@ FILE *log;
(void) close(fd);
if (flushed) {
if (opts & OPT_SYSLOG)
if (opts & OPT_SYSLOG) {
syslog(LOG_INFO, "%d bytes flushed from log\n",
flushed);
else if (log != stdout)
} else if ((log != stdout) && (log != NULL)) {
fprintf(log, "%d bytes flushed from log\n", flushed);
}
}
}
@ -1433,7 +1432,8 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
while ((c = getopt(argc, argv, "?abB:C:Df:FhnN:o:O:pP:sS:tvxX")) != -1)
while ((c = getopt(argc, argv,
"?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
@ -1465,6 +1465,15 @@ char *argv[];
flushlogs(iplfile[1], log);
flushlogs(iplfile[2], log);
break;
case 'L' :
logfac = fac_findname(optarg);
if (logfac == -1) {
fprintf(stderr,
"Unknown syslog facility '%s'\n",
optarg);
exit(1);
}
break;
case 'n' :
opts |= OPT_RESOLVE;
break;
@ -1495,7 +1504,7 @@ char *argv[];
s = argv[0];
else
s++;
openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
openlog(s, LOG_NDELAY|LOG_PID, logfac);
s = NULL;
opts |= OPT_SYSLOG;
log = NULL;
@ -1590,8 +1599,8 @@ char *argv[];
#endif /* !BSD */
close(0);
close(1);
write_pid(pidfile);
}
write_pid(pidfile);
signal(SIGHUP, handlehup);
@ -1627,7 +1636,8 @@ char *argv[];
fclose(log);
log = fp;
}
if (binarylogfile && (fp = fopen(binarylogfile, "a"))) {
if (binarylogfile &&
(fp = fopen(binarylogfile, "a"))) {
fclose(binarylog);
binarylog = fp;
}
@ -1649,7 +1659,7 @@ char *argv[];
case 1 :
if (opts & OPT_SYSLOG)
syslog(LOG_CRIT, "aborting logging\n");
else
else if (log != NULL)
fprintf(log, "aborting logging\n");
doread = 0;
break;
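Review bot: The new `-L` facility only takes effect if it is parsed before `openlog(s, LOG_NDELAY|LOG_PID, logfac)` runs. That call appears to sit inside the option loop, since it sets `OPT_SYSLOG` and clears `log` on the spot, though the hunk does not show its case label. If so, giving the syslog switch before `-L` opens the log with the compiled-in `LOGFAC` and the later assignment to `logfac` is silently ignored. Either move the `openlog()` call to after the `getopt` loop, or state the ordering requirement in the usage text and man page. `main` starts and ends outside these hunks.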


@ -54,6 +54,7 @@ static ipnat_t *nat = NULL;
static int natfd = -1;
static ioctlfunc_t natioctlfunc = NULL;
static addfunc_t nataddfunc = NULL;
static int suggest_port = 0;
static void newnatrule __P((void));
static void setnatproto __P((int));
@ -172,6 +173,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if ((nat->in_flags & IPN_TCPUDP) == 0)
setnatproto(nat->in_p);
if (((nat->in_redir & NAT_MAPBLK) != 0) ||
@ -186,6 +190,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if (((nat->in_redir & NAT_MAPBLK) != 0) ||
((nat->in_flags & IPN_AUTOPORTMAP) != 0))
nat_setgroupmap(nat);
@ -224,7 +231,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
(nat->in_pmin != 0 ||
nat->in_pmax != 0 ||
nat->in_pnext != 0))
setnatproto(IPPROTO_TCP);
setnatproto(IPPROTO_TCP);
}
| rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
{ nat->in_v = 4;
@ -234,6 +241,9 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
nat->in_pmax != 0 ||
nat->in_pnext != 0))
setnatproto(IPPROTO_TCP);
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if (nat->in_ifnames[1][0] == '\0')
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
@ -248,9 +258,19 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
}
| rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
{ nat->in_v = 4;
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if (nat->in_ifnames[1][0] == '\0')
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
}
;
proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
proxy: | IPNY_PROXY port portspec YY_STR '/' proto
{ strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
if (nat->in_dcmp == 0) {
nat->in_dport = htons($3);
@ -260,7 +280,7 @@ proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
setnatproto($6);
free($4);
}
| IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto
| IPNY_PROXY port YY_STR YY_STR '/' proto
{ int pnum;
strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
pnum = getportproto($3, $6);
@ -312,6 +332,9 @@ dip:
nat->in_inmsk = $3.s_addr; }
;
port: IPNY_PORT { suggest_port = 1; }
;
portspec:
YY_NUMBER { if ($1 > 65535) /* Unsigned */
yyerror("invalid port number");
@ -324,16 +347,16 @@ portspec:
}
;
dport: | IPNY_PORT portspec { nat->in_pmin = htons($2);
dport: | port portspec { nat->in_pmin = htons($2);
nat->in_pmax = htons($2); }
| IPNY_PORT portspec '-' portspec { nat->in_pmin = htons($2);
| port portspec '-' portspec { nat->in_pmin = htons($2);
nat->in_pmax = htons($4); }
| IPNY_PORT portspec ':' portspec { nat->in_pmin = htons($2);
| port portspec ':' portspec { nat->in_pmin = htons($2);
nat->in_pmax = htons($4); }
;
nport: IPNY_PORT portspec { nat->in_pnext = htons($2); }
| IPNY_PORT '=' portspec { nat->in_pnext = htons($3);
nport: port portspec { nat->in_pnext = htons($2); }
| port '=' portspec { nat->in_pnext = htons($3);
nat->in_flags |= IPN_FIXEDDPORT;
}
;
@ -357,12 +380,16 @@ mapfrom:
from sobject IPNY_TO dobject
| from sobject '!' IPNY_TO dobject
{ nat->in_flags |= IPN_NOTDST; }
| from sobject IPNY_TO '!' dobject
{ nat->in_flags |= IPN_NOTDST; }
;
rdrfrom:
from sobject IPNY_TO dobject
| '!' from sobject IPNY_TO dobject
{ nat->in_flags |= IPN_NOTSRC; }
| from '!' sobject IPNY_TO dobject
{ nat->in_flags |= IPN_NOTSRC; }
;
from: IPNY_FROM { nat->in_flags |= IPN_FILTER; }
@ -415,7 +442,7 @@ mapport:
sobject:
saddr
| saddr IPNY_PORT portstuff { nat->in_sport = $3.p1;
| saddr port portstuff { nat->in_sport = $3.p1;
nat->in_stop = $3.p2;
nat->in_scmp = $3.pc; }
;
@ -432,7 +459,7 @@ saddr: addr { if (nat->in_redir == NAT_REDIRECT) {
dobject:
daddr
| daddr IPNY_PORT portstuff { nat->in_dport = $3.p1;
| daddr port portstuff { nat->in_dport = $3.p1;
nat->in_dtop = $3.p2;
nat->in_dcmp = $3.pc;
if (nat->in_redir == NAT_REDIRECT)
@ -537,10 +564,18 @@ rdrproxy:
}
;
proto: YY_NUMBER { $$ = $1; }
proto: YY_NUMBER { $$ = $1;
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
suggest_port = 0;
}
| IPNY_TCP { $$ = IPPROTO_TCP; }
| IPNY_UDP { $$ = IPPROTO_UDP; }
| YY_STR { $$ = getproto($1); free($1); }
| YY_STR { $$ = getproto($1); free($1);
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
suggest_port = 0;
}
;
hexnumber:
@ -708,6 +743,8 @@ static void newnatrule()
nat->in_next = n;
nat = n;
}
suggest_port = 0;
}
@ -784,7 +821,7 @@ void *ptr;
del = SIOCRMNAT;
}
if (ipn && (opts & OPT_VERBOSE))
if ((opts & OPT_VERBOSE) != 0)
printnat(ipn, opts);
if (opts & OPT_DEBUG)
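Review bot: The `ipn &&` guard in front of `printnat(ipn, opts)` is removed in the last hunk, and nothing visible there shows `ipn` being checked earlier, so a NULL `ptr` would now reach `printnat` whenever `OPT_VERBOSE` is set. The function starts outside the hunk, so an earlier check may exist; if it does, a one-line comment such as `/* ipn is known non-NULL here */` would make the removal verifiable. Otherwise keep the test as `if ((ipn != NULL) && (opts & OPT_VERBOSE))`. The same guard is dropped for `fr` in the filter-rule path earlier on this page, where `if (fr && (opts & OPT_OUTQUE))` becomes `if ((opts & OPT_OUTQUE) != 0)`.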


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $";
#endif
#include <sys/types.h>
#include <sys/time.h>
@ -22,7 +22,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <strings.h>
#include <string.h>
#include <syslog.h>
#include <signal.h>
@ -34,6 +34,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da
int main __P((int, char *[]));
void usage __P((const char *));
int terminate = 0;
@ -41,10 +42,12 @@ void usage(const char *progname) {
fprintf(stderr, "Usage: %s <destination IP> <destination port>\n", progname);
}
#if 0
static void handleterm(int sig)
{
terminate = sig;
}
#endif
/* should be large enough to hold header + any datatype */
@ -117,7 +120,7 @@ char *argv[];
goto tryagain;
}
syslog(LOG_INFO, "Established connection to %s",
syslog(LOG_INFO, "Sending data to %s",
inet_ntoa(sin.sin_addr));
inbuf = 0;
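Review bot: Wrapping `handleterm` in `#if 0` leaves `terminate` as a global that nothing visible ever sets, so any loop that tests it cannot be stopped by a signal; ipsyncs.c receives the same change. Dead code behind `#if 0` also tends to rot. I would either delete the handler and the flag together, or reinstate the handler and declare the flag `volatile sig_atomic_t terminate = 0;` so a store from signal context is well defined. Whether the handler was ever registered is not visible in these hunks.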


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $";
#endif
#include <sys/types.h>
#include <sys/time.h>
@ -21,7 +21,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <strings.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <errno.h>
@ -34,6 +34,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da
#include "netinet/ip_sync.h"
int main __P((int, char *[]));
void usage __P((const char *progname));
int terminate = 0;
@ -43,11 +44,12 @@ void usage(const char *progname) {
progname);
}
#if 0
static void handleterm(int sig)
{
terminate = sig;
}
#endif
#define BUFFERLEN 1400
@ -132,8 +134,7 @@ char *argv[];
goto tryagain;
}
syslog(LOG_INFO, "Established connection to %s",
inet_ntoa(sin.sin_addr));
syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
inbuf = 0;
while (1) {
@ -225,14 +226,15 @@ moreinbuf:
n2 = sizeof(*sh) + len;
n3 = write(lfd, buff, n2);
if (n3 <= 0) {
syslog(LOG_ERR, "Write error: %m");
syslog(LOG_ERR, "%s: Write error: %m",
IPSYNC_NAME);
goto tryagain;
}
if (n3 != n2) {
syslog(LOG_ERR, "Incomplete write (%d/%d)",
n3, n2);
syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
IPSYNC_NAME, n3, n2);
goto tryagain;
}


@ -172,6 +172,8 @@ nextchar:
switch (c)
{
case '\n' :
lnext = 0;
nokey = 0;
case '\t' :
case '\r' :
case ' ' :