Import ipfilter 3.2.3
This commit is contained in:
parent
af5dd3181a
commit
f4b66beedb
@ -32,7 +32,7 @@
|
||||
__P((int, struct ip_moptions **, struct mbuf *));
|
||||
***************
|
||||
*** 338,343 ****
|
||||
--- 342,358 ----
|
||||
--- 342,356 ----
|
||||
* - Wrap: fake packet's addr/port <unimpl.>
|
||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||
*/
|
||||
@ -40,9 +40,7 @@
|
||||
+ if (fr_checkp) {
|
||||
+ struct mbuf *m1 = m;
|
||||
+
|
||||
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
|
||||
+ error = EHOSTUNREACH;
|
||||
+ if (error || !m1)
|
||||
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
|
||||
+ goto done;
|
||||
+ ip = mtod(m = m1, struct ip *);
|
||||
+ }
|
||||
|
@ -5,6 +5,49 @@
|
||||
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
|
||||
# loan of a machine to work on a Solaris 2.x port of this software.
|
||||
#
|
||||
3.2.3 10/11/97 - Released
|
||||
|
||||
fix some iplang bugs
|
||||
|
||||
fix tcp checksum data overrun, sgi #define changes,
|
||||
avoid infinite loop when nat'ing to single IP# - Marc Boucher
|
||||
|
||||
fixup DEVFS usage for FreeBSD
|
||||
|
||||
fix sunos5 "make clean" cleaning up too much
|
||||
|
||||
3.2.2 28/11/97 - Released
|
||||
|
||||
change packet matching to return actual error, if bad packet, to facilitate
|
||||
ECONNRESET for TCP.
|
||||
|
||||
allow ip:netmask in grammar too now - Guido
|
||||
|
||||
assume IRIX has u_int32_t in sys/types.h (needed for R10000)
|
||||
|
||||
rewrite parts of command line options for ipmon
|
||||
|
||||
fix TCP urgent packet & offset testing and add LAND attack test for iptest
|
||||
|
||||
fix grammar error in yacc grammar for iplang
|
||||
|
||||
redirect (rdr) destination port bytes-wapped when it shouldn't be.
|
||||
|
||||
general: fr_check now returns error code, such as EHOSTUNREACH or
|
||||
ECONNRESET (attempt to make ECONNRESET work for locally outbound
|
||||
packets).
|
||||
|
||||
linux: enable return-rst, need to filter tcp retransmits which are sent
|
||||
separately from normal packets
|
||||
|
||||
memory leak plugged in ip_proxy.c
|
||||
|
||||
BSDI compatibility patches from Guido
|
||||
|
||||
tcp checksum fix - Marc Boucher
|
||||
|
||||
recursive mutex and ioctl param fix - Marc Boucher
|
||||
|
||||
3.2.1 12/11/97 - Released
|
||||
|
||||
port to BSD/OS 3.0
|
||||
|
@ -36,6 +36,11 @@ otherwise not have been (due to the ports not). This behaviour has
|
||||
subsequently been fixed.
|
||||
|
||||
|
||||
3)
|
||||
|
||||
If you have BOTH GNU make and the normal make shipped with your system,
|
||||
DO NOT use the GNU make to build this package.
|
||||
|
||||
Darren
|
||||
darrenr@cyber.com.au
|
||||
****************************************
|
||||
|
44
contrib/ipfilter/INSTALL.BSDOS3
Normal file
44
contrib/ipfilter/INSTALL.BSDOS3
Normal file
@ -0,0 +1,44 @@
|
||||
|
||||
BSD/OS 3.x users.
|
||||
-----------------
|
||||
|
||||
First, you will need to either:
|
||||
(a) have a source license for the kernel so you can patch some files or
|
||||
(b) obtain the relevant pre-compiled .o files (I can't supply these yet).
|
||||
|
||||
The files which you will need patched are:
|
||||
ip_input.c, ip_output.c (maybe in_proto.c and ioconf.c.i386 too - NOT sure).
|
||||
|
||||
First, you need to build IP Filter. Do this from the "ip_fil3.2.x"
|
||||
directory with the command "make bsdos". If this completes successfully,
|
||||
install the various bits and pieces with "make install-bsd".
|
||||
|
||||
Prior to starting, it is a good idea for you to know what your kernel config
|
||||
file is (it appears that the script guesses incorrectly at present).
|
||||
|
||||
Once you have that in mind, run the 'kinstall' script in the BSDOS3
|
||||
directory. This will attempt to patch a bunch of files. If you've
|
||||
obtained the relevant .o files, ignore the errors, otherwise please
|
||||
report them to me and mention which version of BSD/OS you are using
|
||||
and on what platform (Sparc, i386, etc). It will also go and install
|
||||
all the IP Filter .c and .h files where they can be find when it comes
|
||||
time to build the kernel.
|
||||
|
||||
The script will then pause and ask you for your kernel configuration
|
||||
file. After you enter this, it will add "options IPFILTER" to your
|
||||
kernel configuration file. IF YOU WANT TO DO LOGGING, ADD
|
||||
"options IPFILTER_LOG" to your kernel configuration file NOW!
|
||||
|
||||
Now that you've got your kernel configuration file done, use config
|
||||
to setup a new kernel build and complete with make.
|
||||
|
||||
When the kernel rebuilt is complete, put it into / and reboot with
|
||||
your new kernel. If IP Filter has been configured into your kernel
|
||||
correctly, you will see a message like this when your system boots:
|
||||
|
||||
IP Filter: initialized. Default = pass all, Logging = enabled
|
||||
|
||||
Upon logging in, the IP Filter commands ipfstat, et al, should all
|
||||
function properly.
|
||||
|
||||
Darren
|
108
contrib/ipfilter/INSTALL.IRIX
Normal file
108
contrib/ipfilter/INSTALL.IRIX
Normal file
@ -0,0 +1,108 @@
|
||||
|
||||
IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3
|
||||
as well. Under IRIX 5.3, it has been successfully compiled and linked in the
|
||||
kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported.
|
||||
|
||||
To build a kernel with the IP filter and install it on your system,
|
||||
follow these steps:
|
||||
|
||||
1. edit the top-level Makefile to
|
||||
a) comment-out the IPFLKM definition.
|
||||
This means changing the line reading:
|
||||
IPFLKM=-DIPFILTER_LKM
|
||||
to
|
||||
#IPFLKM=-DIPFILTER_LKM
|
||||
b) select the system's compiler (cc)
|
||||
This means changing the line reading:
|
||||
CC=gcc
|
||||
to
|
||||
CC=cc
|
||||
b) enable full optimization
|
||||
This means changing the lines reading:
|
||||
DEBUG=-g
|
||||
CFLAGS=-I$$(TOP)
|
||||
to
|
||||
DEBUG=
|
||||
CFLAGS=-O2 -I$$(TOP)
|
||||
|
||||
1. do "make irix" (Warning: GNU make is not supported, so if it has
|
||||
been installed on your system, verify your path and/or do "which make"
|
||||
to guarantee that IRIX's /sbin/make has precedence)
|
||||
|
||||
2. do "make install-irix" as root
|
||||
(a new kernel will be automatically built)
|
||||
|
||||
3. determine the filtering rules and place them in /etc/ipf.conf
|
||||
and /etc/ipnat.conf
|
||||
|
||||
4. do "init 6" as root to reboot with the new kernel
|
||||
|
||||
After restarting, the filter should be active and behaving according to
|
||||
the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf.
|
||||
|
||||
These files can be changed at any time, and reloaded using the
|
||||
following command sequence:
|
||||
|
||||
# sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start
|
||||
|
||||
|
||||
To remove the IP Filter from your kernel, follow these steps:
|
||||
|
||||
1. Delete the /var/sysgen/boot/ipfilter.o file
|
||||
|
||||
# rm /var/sysgen/boot/ipfilter.o
|
||||
|
||||
2. If SGI's ipfilter.o had been previously installed, restore it
|
||||
back to its original location
|
||||
|
||||
# mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o
|
||||
|
||||
3. Build a new kernel
|
||||
|
||||
# /etc/autoconfig
|
||||
|
||||
4. Delete the /etc/rc2.d/S33ipf symbolic link
|
||||
|
||||
# rm /etc/rc2.d/S33ipf
|
||||
|
||||
5. Reboot
|
||||
|
||||
# init 6
|
||||
|
||||
|
||||
ADDITIONAL NOTES:
|
||||
|
||||
- The IP filter uses the same kernel interface to the IP driver as
|
||||
SGI's ipfilter. In fact, it is installed in place of SGI's
|
||||
/var/sysgen/boot/ipfilter.o module, after renaming it (if installed)
|
||||
to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's
|
||||
ipfilterd daemon is not running simultaneously, since this package uses
|
||||
the same major device number.
|
||||
|
||||
- We have not tested IP Filter on a multiprocessor machine yet.
|
||||
However, feel free to try it and send your experiences/patches
|
||||
back to marc@CAM.ORG. SGI prescribes that kernel code be built on such
|
||||
systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should
|
||||
probably be uncommented on the DFLAGS line of IRIX/Makefile if your
|
||||
machine has more than one processor.
|
||||
|
||||
- It is also possible to build IP Filter as a dynamically loadable
|
||||
kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the
|
||||
top-level Makefile), but this is not recommended other than for testing
|
||||
and debugging purposes, because the only possible method for dynamic
|
||||
attachment to the IP stack (instruction patching) is highly dependent
|
||||
on the processor architecture. The code provided has only been tested
|
||||
with IP22 CPU boards and can sometime cause panics during loading due
|
||||
to a potential race condition.
|
||||
|
||||
|
||||
CREDITS:
|
||||
|
||||
IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG>
|
||||
|
||||
Marc Boucher wishes to thank the
|
||||
ICARI Institute (http://www.icari.qc.ca)
|
||||
and
|
||||
Aurelio Cascio <aurelio@toonboom.com>
|
||||
for their financial support and testing facilities, respectively.
|
||||
|
49
contrib/ipfilter/INSTALL.Linux
Normal file
49
contrib/ipfilter/INSTALL.Linux
Normal file
@ -0,0 +1,49 @@
|
||||
IP-Filter on Linux 2.0.31
|
||||
-------------------------
|
||||
|
||||
NOTE: I have *ONLY* compiled and created patches for using IP Filter on
|
||||
Linux 2.0.31. Any other kernel revision may need seprate patches.
|
||||
Also, I've only tested on a x86 CPU so I can't make any guarantees
|
||||
about it working on Sparc/Mac/Amiga.
|
||||
|
||||
First, you should do a sanity check of your system to make sure it will
|
||||
compile IP Filter. You will need a "libfl" and a "libelf". If you don't
|
||||
have these, install them before proceeding.
|
||||
|
||||
The installation and compiliation process assumes that Linux 2.0.31
|
||||
will be in the /usr/src/linux directory and that all the symbolic links
|
||||
in /usr/include match. /usr/src/linux may be a symbolic link too, but
|
||||
it must point to a 2.0.31 kernel source tree.
|
||||
|
||||
The first step is to make the IP Filter binaries. Do this with a
|
||||
"make linux" from the ip_fil3.2.x directory. If this completes with
|
||||
no errors, install IP Filter with a "make install-linux".
|
||||
|
||||
Now that the user part of it is complete, it is time to work on the
|
||||
kernel. To start this off, run "Linux/kinstall". This will patch your
|
||||
kernel source code and configuration files so you can enabled IP Filter.
|
||||
You must now go to /usr/src/linux and configure your kernel using one of
|
||||
the available interfaces to enable IP Filter. IP Filter will be presented
|
||||
as a three way choice "y/m/n" - select "m" to enable it. Save your kernel
|
||||
configuration file, rebuild, install and reboot with the new kernel.
|
||||
|
||||
When you've rebooted with the new kernel, you should be able to load
|
||||
IP Filter with the command "insmod if_ipl". All going will, you will
|
||||
see a message like this on your console:
|
||||
|
||||
IP Filter: initialized. Default = pass all, Logging = enabled
|
||||
|
||||
indicating that IP Filter has successfully been loaded into the kernel
|
||||
and is awaiting.
|
||||
|
||||
Darren
|
||||
|
||||
Features Not Available on Linux, yet:
|
||||
|
||||
- compiled into the kernel
|
||||
"<action> in on <if> to <if> ..."
|
||||
"<action> in on <if> dup-to <if> ..."
|
||||
"<action> in on <if> fastroute ..."
|
||||
"block return-rst ..."
|
||||
"map ... proxy ..." (Linux's masquerading is better at present)
|
||||
|
@ -36,12 +36,17 @@ To build a kernel with the IP filter, follow these steps:
|
||||
run "NetBSD/kinstall" as root
|
||||
3(b) NetBSD 1.2 systems or later:
|
||||
run "NetBSD-1.2/kinstall" as root
|
||||
3(c) If conf.c fails on the 2nd hunk of the patch, you will have to
|
||||
manually apply the patch.
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. create /dev/ipl with "mknod /dev/ipl c 59 0".
|
||||
(for NetBSD-1.2, use "mknod /dev/ipl c 49 0")
|
||||
|
||||
** NOTE: both the numbers 49 and 59 should be substituted with
|
||||
whatever number you inserted it into conf.c as.
|
||||
|
||||
6. install and reboot with the new kernel
|
||||
|
||||
Darren Reed
|
||||
|
@ -6,14 +6,14 @@ Type "make solaris" to build all the required binaries.
|
||||
|
||||
Once IP Filter has been successfully compiled, you may then install it using
|
||||
the usual package method (using pkgadd), however, the package needs to be
|
||||
created, prior to pkgadd'ing. To create the package in /var/spoo/pkg, change
|
||||
created, prior to pkgadd'ing. To create the package in /var/spool/pkg, change
|
||||
directory to SunOS5 and enter the following command:
|
||||
|
||||
make package
|
||||
|
||||
If you wish to then install it using `pkgadd', run the following command:
|
||||
|
||||
pkgadd -s '/var/spool/pkg'
|
||||
This will build the package into SunOS5/<arch>/root, copy that to
|
||||
/var/spool/pkg as a package and then start the installation using
|
||||
pkgadd.
|
||||
|
||||
As part of the postinstall script, it will install loadable kernel module
|
||||
as part of Solaris 2 (using add_drv) making it available for immeadiate use.
|
||||
|
@ -5,7 +5,7 @@
|
||||
# provided that this notice is preserved and due credit is given
|
||||
# to the original author and the contributors.
|
||||
#
|
||||
# $Id: Makefile,v 2.0.2.26.2.1 1997/11/12 10:40:21 darrenr Exp $
|
||||
# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $
|
||||
#
|
||||
BINDEST=/usr/local/bin
|
||||
SBINDEST=/sbin
|
||||
@ -13,6 +13,7 @@ MANDIR=/usr/local/man
|
||||
#To test prototyping
|
||||
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
|
||||
CC=gcc
|
||||
#CC=cc -Dconst=
|
||||
DEBUG=-g
|
||||
CFLAGS=-I$$(TOP)
|
||||
CPU=`uname -m`
|
||||
@ -65,6 +66,7 @@ all:
|
||||
@echo "bsd - compile for generic 4.4BSD systems"
|
||||
@echo "bsdi - compile for BSD/OS"
|
||||
@echo "irix - compile for SGI IRIX"
|
||||
@echo "linux - compile for Linux 2.0.31+"
|
||||
@echo ""
|
||||
|
||||
tests:
|
||||
@ -118,8 +120,8 @@ bsd: include
|
||||
|
||||
bsdi bsdos: include
|
||||
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
|
||||
(cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..)
|
||||
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
||||
(cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..)
|
||||
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..)
|
||||
|
||||
irix IRIX: include
|
||||
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
|
||||
|
16
contrib/ipfilter/buildlinux
Executable file
16
contrib/ipfilter/buildlinux
Executable file
@ -0,0 +1,16 @@
|
||||
#!/bin/sh
|
||||
LINUX=`uname -r | perl -e '$_=<>;@F=split(/\./);printf "%02d%02d\n",$F[0],$F[1];';`
|
||||
|
||||
case ${LINUX} in
|
||||
0200)
|
||||
make linuxrev "LINUXK=-DLINUX=${LINUX}"
|
||||
;;
|
||||
0201)
|
||||
make linuxrev "LINUXK=-DLINUX=${LINUX}"
|
||||
;;
|
||||
*)
|
||||
echo "invalid linux version $LINUX"
|
||||
exit 1;
|
||||
;;
|
||||
esac
|
||||
exit 0
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -73,7 +73,7 @@ extern int opts;
|
||||
second; }
|
||||
# define FR_VERBOSE(verb_pr) verbose verb_pr
|
||||
# define FR_DEBUG(verb_pr) debug verb_pr
|
||||
# define SEND_RESET(ip, qif, if) send_reset(ip, if)
|
||||
# define SEND_RESET(ip, qif, if, m) send_reset(ip, if)
|
||||
# define IPLLOG(a, c, d, e) ipllog()
|
||||
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
|
||||
# if SOLARIS
|
||||
@ -98,7 +98,12 @@ extern kmutex_t ipf_mutex, ipf_auth;
|
||||
icmp_error(ip, t, c, if, src)
|
||||
# else /* SOLARIS */
|
||||
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
|
||||
# define SEND_RESET(ip, qif, if) send_reset((struct tcpiphdr *)ip)
|
||||
# ifdef linux
|
||||
# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\
|
||||
ifp)
|
||||
# else
|
||||
# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip)
|
||||
# endif
|
||||
# ifdef __sgi
|
||||
# define ICMP_ERROR(b, ip, t, c, if, src) \
|
||||
icmp_error(b, t, c, if, src, if)
|
||||
@ -553,7 +558,7 @@ int out;
|
||||
fr_info_t frinfo, *fc;
|
||||
register fr_info_t *fin = &frinfo;
|
||||
frentry_t *fr = NULL;
|
||||
int pass, changed, apass;
|
||||
int pass, changed, apass, error = EHOSTUNREACH;
|
||||
#if !SOLARIS || !defined(_KERNEL)
|
||||
register mb_t *m = *mp;
|
||||
#endif
|
||||
@ -767,10 +772,11 @@ logit:
|
||||
# else
|
||||
# ifndef linux
|
||||
mc = m_copy(m, 0, M_COPYALL);
|
||||
# else
|
||||
;
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
|
||||
if (pass & FR_PASS)
|
||||
frstats[out].fr_pass++;
|
||||
else if (pass & FR_BLOCK) {
|
||||
@ -811,6 +817,9 @@ logit:
|
||||
frstats[1].fr_ret++;
|
||||
}
|
||||
#endif
|
||||
} else {
|
||||
if (pass & FR_RETRST)
|
||||
error = ECONNRESET;
|
||||
}
|
||||
}
|
||||
|
||||
@ -842,8 +851,8 @@ logit:
|
||||
m_copyback(m, 0, up, hbuf);
|
||||
# endif
|
||||
# endif /* !linux */
|
||||
return (pass & FR_PASS) ? 0 : -1;
|
||||
# else /* !SOLARIS */
|
||||
return (pass & FR_PASS) ? 0 : error;
|
||||
# else /* !SOLARIS */
|
||||
if (fr) {
|
||||
frdest_t *fdp = &fr->fr_tif;
|
||||
|
||||
@ -855,7 +864,7 @@ logit:
|
||||
if (mc)
|
||||
ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
|
||||
}
|
||||
return (pass & FR_PASS) ? changed : -1;
|
||||
return (pass & FR_PASS) ? changed : error;
|
||||
# endif /* !SOLARIS */
|
||||
#else /* _KERNEL */
|
||||
if (pass & FR_NOMATCH)
|
||||
@ -872,6 +881,7 @@ logit:
|
||||
/*
|
||||
* ipf_cksum
|
||||
* addr should be 16bit aligned and len is in bytes.
|
||||
* length is in bytes
|
||||
*/
|
||||
u_short ipf_cksum(addr, len)
|
||||
register u_short *addr;
|
||||
@ -900,10 +910,11 @@ register int len;
|
||||
* and the TCP header. We also assume that data blocks aren't allocated in
|
||||
* odd sizes.
|
||||
*/
|
||||
u_short fr_tcpsum(m, ip, tcp)
|
||||
u_short fr_tcpsum(m, ip, tcp, len)
|
||||
mb_t *m;
|
||||
ip_t *ip;
|
||||
tcphdr_t *tcp;
|
||||
int len;
|
||||
{
|
||||
union {
|
||||
u_char c[2];
|
||||
@ -911,7 +922,6 @@ tcphdr_t *tcp;
|
||||
} bytes;
|
||||
u_long sum;
|
||||
u_short *sp;
|
||||
int len;
|
||||
# if SOLARIS || defined(__sgi)
|
||||
int add, hlen;
|
||||
# endif
|
||||
@ -926,9 +936,9 @@ tcphdr_t *tcp;
|
||||
/*
|
||||
* Add up IP Header portion
|
||||
*/
|
||||
len = ip->ip_len - (ip->ip_hl << 2);
|
||||
bytes.c[0] = 0;
|
||||
bytes.c[1] = IPPROTO_TCP;
|
||||
len -= (ip->ip_hl << 2);
|
||||
sum = bytes.s;
|
||||
sum += htons((u_short)len);
|
||||
sp = (u_short *)&ip->ip_src;
|
||||
@ -994,13 +1004,13 @@ tcphdr_t *tcp;
|
||||
goto nodata;
|
||||
while (len > 0) {
|
||||
#if SOLARIS
|
||||
if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
|
||||
while ((caddr_t)sp >= (caddr_t)m->b_wptr) {
|
||||
m = m->b_cont;
|
||||
PANIC((!m),("fr_tcpsum: not enough data"));
|
||||
sp = (u_short *)m->b_rptr;
|
||||
}
|
||||
#else
|
||||
if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
|
||||
while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
|
||||
{
|
||||
m = m->m_next;
|
||||
PANIC((!m),("fr_tcpsum: not enough data"));
|
||||
@ -1009,7 +1019,11 @@ tcphdr_t *tcp;
|
||||
#endif /* SOLARIS */
|
||||
if (len < 2)
|
||||
break;
|
||||
sum += *sp++;
|
||||
if((u_long)sp & 1) {
|
||||
bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
|
||||
sum += bytes.s;
|
||||
} else
|
||||
sum += *sp++;
|
||||
len -= 2;
|
||||
}
|
||||
if (len) {
|
||||
@ -1059,7 +1073,7 @@ nodata:
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
|
||||
* $Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $
|
||||
* $Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $
|
||||
*/
|
||||
/*
|
||||
* Copy data from an mbuf chain starting "off" bytes from the beginning,
|
||||
@ -1258,11 +1272,11 @@ frentry_t *list, **listp;
|
||||
}
|
||||
|
||||
|
||||
void frflush(unit, data)
|
||||
void frflush(unit, result)
|
||||
int unit;
|
||||
caddr_t data;
|
||||
int *result;
|
||||
{
|
||||
int flags = *(int *)data, flushed = 0, set = fr_active;
|
||||
int flags = *result, flushed = 0, set = fr_active;
|
||||
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
|
||||
@ -1286,5 +1300,5 @@ caddr_t data;
|
||||
}
|
||||
}
|
||||
|
||||
*(int *)data = flushed;
|
||||
*result = flushed;
|
||||
}
|
||||
|
@ -46,7 +46,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.1 1997/11/06 21:21:19 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $";
|
||||
#endif
|
||||
#ifdef _PATH_UNIX
|
||||
#define VMUNIX _PATH_UNIX
|
||||
@ -258,7 +258,7 @@ struct friostat *fp;
|
||||
fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
|
||||
PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
|
||||
fp->f_froute[0], fp->f_froute[1]);
|
||||
PRINTF("TCP cksum fails in:\t%lu\tout%lu\n",
|
||||
PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
|
||||
fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
|
||||
|
||||
PRINTF("Packet log flags set: (%#x)\n", frf);
|
||||
|
@ -6,7 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_compat.h 1.8 1/14/96
|
||||
* $Id: ip_compat.h,v 2.0.2.31.2.4 1997/11/12 10:48:43 darrenr Exp $
|
||||
* $Id: ip_compat.h,v 2.0.2.31.2.8 1997/12/02 13:42:52 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_COMPAT_H__
|
||||
@ -50,17 +50,18 @@ struct ether_addr {
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifdef __sgi
|
||||
# ifdef IPFILTER_LKM
|
||||
# define IPL_PRFX ipl
|
||||
# define IPL_EXTERN(ep) ipl##ep
|
||||
# else
|
||||
# define IPL_PRFX ipfilter
|
||||
#if defined(__sgi) && !defined(IPFILTER_LKM)
|
||||
# ifdef __STDC__
|
||||
# define IPL_EXTERN(ep) ipfilter##ep
|
||||
# else
|
||||
# define IPL_EXTERN(ep) ipfilter/**/ep
|
||||
# endif
|
||||
#else
|
||||
# define IPL_PRFX ipl
|
||||
# define IPL_EXTERN(ep) ipl##ep
|
||||
# ifdef __STDC__
|
||||
# define IPL_EXTERN(ep) ipl##ep
|
||||
# else
|
||||
# define IPL_EXTERN(ep) ipl/**/ep
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifdef linux
|
||||
@ -110,7 +111,8 @@ struct ether_addr {
|
||||
/*
|
||||
* These operating systems already take care of the problem for us.
|
||||
*/
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
|
||||
defined(__sgi)
|
||||
typedef u_int32_t u_32_t;
|
||||
#else
|
||||
/*
|
||||
@ -689,6 +691,7 @@ typedef struct icmp icmphdr_t;
|
||||
typedef struct ip ip_t;
|
||||
typedef struct ether_header ether_header_t;
|
||||
#endif /* linux */
|
||||
typedef struct tcpiphdr tcpiphdr_t;
|
||||
|
||||
#if defined(hpux) || defined(linux)
|
||||
struct ether_addr {
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.2 1997/11/12 10:49:25 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#ifndef SOLARIS
|
||||
@ -275,7 +275,7 @@ int ipldetach()
|
||||
|
||||
fr_checkp = fr_savep;
|
||||
inetsw[0].pr_slowtimo = fr_saveslowtimo;
|
||||
frflush(IPL_LOGIPF, (caddr_t)&i);
|
||||
frflush(IPL_LOGIPF, &i);
|
||||
ipl_inited = 0;
|
||||
|
||||
# ifdef NETBSD_PF
|
||||
@ -339,7 +339,7 @@ struct proc *p;
|
||||
)
|
||||
#endif
|
||||
dev_t dev;
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD__)
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
|
||||
u_long cmd;
|
||||
#else
|
||||
int cmd;
|
||||
@ -351,7 +351,7 @@ int mode;
|
||||
#if defined(_KERNEL) && !SOLARIS
|
||||
int s;
|
||||
#endif
|
||||
int error = 0, unit = 0;
|
||||
int error = 0, unit = 0, tmp;
|
||||
|
||||
#ifdef _KERNEL
|
||||
unit = GET_MINOR(dev);
|
||||
@ -460,8 +460,11 @@ int mode;
|
||||
case SIOCIPFFL :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
frflush(unit, data);
|
||||
else {
|
||||
IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
|
||||
frflush(unit, &tmp);
|
||||
IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
|
||||
}
|
||||
break;
|
||||
#ifdef IPFILTER_LOG
|
||||
case SIOCIPFFB :
|
||||
@ -786,7 +789,7 @@ struct tcpiphdr *ti;
|
||||
struct tcpiphdr *tp;
|
||||
struct tcphdr *tcp;
|
||||
struct mbuf *m;
|
||||
int tlen = 0;
|
||||
int tlen = 0, err;
|
||||
ip_t *ip;
|
||||
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
|
||||
struct route ro;
|
||||
@ -837,16 +840,16 @@ struct tcpiphdr *ti;
|
||||
|
||||
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
|
||||
bzero((char *)&ro, sizeof(ro));
|
||||
(void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
|
||||
err = ip_output(m, (struct mbuf *)0, &ro, 0, 0);
|
||||
if (ro.ro_rt)
|
||||
RTFREE(ro.ro_rt);
|
||||
# else
|
||||
/*
|
||||
* extra 0 in case of multicast
|
||||
*/
|
||||
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
||||
err = ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
||||
# endif
|
||||
return 0;
|
||||
return err;
|
||||
}
|
||||
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_fil.h 1.35 6/5/96
|
||||
* $Id: ip_fil.h,v 2.0.2.39.2.4 1997/11/12 10:50:02 darrenr Exp $
|
||||
* $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_FIL_H__
|
||||
@ -94,10 +94,10 @@ typedef struct fr_ip {
|
||||
u_short fi_auth;
|
||||
} fr_ip_t;
|
||||
|
||||
#define FI_OPTIONS 0x01
|
||||
#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */
|
||||
#define FI_FRAG 0x04
|
||||
#define FI_SHORT 0x08
|
||||
#define FI_OPTIONS (FF_OPTIONS >> 24)
|
||||
#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
|
||||
#define FI_FRAG (FF_FRAG >> 24)
|
||||
#define FI_SHORT (FF_SHORT >> 24)
|
||||
|
||||
typedef struct fr_info {
|
||||
struct fr_ip fin_fi;
|
||||
@ -381,7 +381,7 @@ extern int ipf_log __P((void));
|
||||
extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
|
||||
extern struct ifnet *get_unit __P((char *));
|
||||
# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
|
||||
# if defined(__NetBSD__) || defined(__OpenBSD__)
|
||||
# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
|
||||
extern int iplioctl __P((dev_t, u_long, caddr_t, int));
|
||||
# else
|
||||
extern int iplioctl __P((dev_t, int, caddr_t, int));
|
||||
@ -423,7 +423,11 @@ extern int iplread __P((dev_t, struct uio *, cred_t *));
|
||||
# else /* SOLARIS */
|
||||
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
|
||||
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
|
||||
extern int send_reset __P((struct tcpiphdr *));
|
||||
# ifdef linux
|
||||
extern int send_reset __P((tcpiphdr_t *, struct ifnet *));
|
||||
# else
|
||||
extern int send_reset __P((tcpiphdr_t *));
|
||||
# endif
|
||||
extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
|
||||
extern size_t mbufchainlen __P((mb_t *));
|
||||
# ifdef __sgi
|
||||
@ -442,7 +446,7 @@ extern int iplidentify __P((char *));
|
||||
# endif
|
||||
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
|
||||
(NetBSD >= 199511)
|
||||
# ifdef __NetBSD__
|
||||
# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701)
|
||||
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
|
||||
# else
|
||||
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
|
||||
@ -491,12 +495,12 @@ extern int iplread(struct inode *, struct file *, char *, int);
|
||||
#endif
|
||||
|
||||
extern int ipldetach __P((void));
|
||||
extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
|
||||
extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int));
|
||||
#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
|
||||
extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
|
||||
extern u_short ipf_cksum __P((u_short *, int));
|
||||
extern int fr_copytolog __P((int, char *, int));
|
||||
extern void frflush __P((int, caddr_t));
|
||||
extern void frflush __P((int, int *));
|
||||
extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int));
|
||||
extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***));
|
||||
extern void fr_delgroup __P((u_short, u_32_t, int, int));
|
||||
|
@ -6,7 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:57 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -49,6 +49,9 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 da
|
||||
#include "netinet/ip_frag.h"
|
||||
#include "netinet/ip_state.h"
|
||||
#include "netinet/ip_auth.h"
|
||||
#ifdef _KERNEL
|
||||
#include <net/ip_forward.h>
|
||||
#endif
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
@ -143,7 +146,7 @@ int ipldetach()
|
||||
}
|
||||
|
||||
fr_checkp = fr_savep;
|
||||
frflush(IPL_LOGIPF, (caddr_t)&i);
|
||||
frflush(IPL_LOGIPF, &i);
|
||||
ipl_inited = 0;
|
||||
|
||||
ipfr_unload();
|
||||
@ -197,7 +200,7 @@ int iplioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg)
|
||||
int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
|
||||
{
|
||||
#endif
|
||||
int error = 0, unit = 0;
|
||||
int error = 0, unit = 0, tmp;
|
||||
|
||||
#ifdef _KERNEL
|
||||
unit = GET_MINOR(inode->i_rdev);
|
||||
@ -305,8 +308,11 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
|
||||
case SIOCIPFFL :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
frflush(unit, data);
|
||||
else {
|
||||
IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
|
||||
frflush(unit, &tmp);
|
||||
IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
|
||||
}
|
||||
break;
|
||||
#ifdef IPFILTER_LOG
|
||||
case SIOCIPFFB :
|
||||
@ -577,54 +583,53 @@ int iplread(struct inode *inode, struct file *file, char *buf, int nbytes)
|
||||
* send_reset - this could conceivably be a call to tcp_respond(), but that
|
||||
* requires a large amount of setting up and isn't any more efficient.
|
||||
*/
|
||||
int send_reset(ti)
|
||||
int send_reset(ti, ifp)
|
||||
struct tcpiphdr *ti;
|
||||
struct ifnet *ifp;
|
||||
{
|
||||
#if notyet
|
||||
struct tcpiphdr *tp;
|
||||
tcphdr_t *tcp;
|
||||
seq_t seq;
|
||||
int tlen = 0;
|
||||
ip_t *ip;
|
||||
mb_t *m;
|
||||
|
||||
if (ti->ti_flags & TH_RST)
|
||||
return -1; /* feedback loop */
|
||||
m = alloc_skb(MAX_HEADER + sizeof(*ti), GFP_ATOMIC);
|
||||
|
||||
m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC);
|
||||
if (m == NULL)
|
||||
return -1;
|
||||
|
||||
if (ti->ti_flags & TH_SYN)
|
||||
tlen = 1;
|
||||
m->m_len = sizeof (struct tcpiphdr);
|
||||
bzero(mtod(m, char *), sizeof(struct tcpiphdr));
|
||||
ip = mtod(m, ip_t *);
|
||||
tp = mtod(m, struct tcpiphdr *);
|
||||
tcp = (tcphdr_t *)((char *)ip + sizeof(struct ip));
|
||||
|
||||
m->dev = ifp;
|
||||
m->csum = 0;
|
||||
ip = mtod(m, ip_t *);
|
||||
m->h.iph = ip;
|
||||
m->ip_hdr = NULL;
|
||||
m->m_len = sizeof(tcpiphdr_t);
|
||||
tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t));
|
||||
bzero((char *)ip, sizeof(tcpiphdr_t));
|
||||
|
||||
ip->ip_v = IPVERSION;
|
||||
ip->ip_hl = sizeof(ip_t) >> 2;
|
||||
ip->ip_tos = ((ip_t *)ti)->ip_tos;
|
||||
ip->ip_p = ((ip_t *)ti)->ip_p;
|
||||
ip->ip_id = ((ip_t *)ti)->ip_id;
|
||||
ip->ip_len = htons(sizeof(tcpiphdr_t));
|
||||
ip->ip_ttl = 127;
|
||||
ip->ip_src.s_addr = ti->ti_dst.s_addr;
|
||||
ip->ip_dst.s_addr = ti->ti_src.s_addr;
|
||||
tcp->th_dport = ti->ti_sport;
|
||||
tcp->th_sport = ti->ti_dport;
|
||||
seq = ntohl(ti->ti_seq);
|
||||
tcp->th_ack = htonl(seq + tlen);
|
||||
tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
|
||||
tcp->th_off = sizeof(tcphdr_t) >> 2;
|
||||
tcp->th_flags = TH_RST|TH_ACK;
|
||||
tp->ti_pr = ((ip_t *)ti)->ip_p;
|
||||
tp->ti_len = htons(sizeof(struct tcphdr));
|
||||
tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr));
|
||||
|
||||
ip->ip_tos = ((ip_t *)ti)->ip_tos;
|
||||
ip->ip_p = ((ip_t *)ti)->ip_p;
|
||||
ip->ip_len = sizeof (struct tcpiphdr);
|
||||
ip->ip_ttl = 255;
|
||||
|
||||
/*
|
||||
* extra 0 in case of multicast
|
||||
*/
|
||||
(void) ip_output(m, (mb_t *)0, 0, 0, 0);
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
ip->ip_sum = 0;
|
||||
ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t));
|
||||
tcp->th_sum = fr_tcpsum(m, ip, tcp, sizeof(tcpiphdr_t));
|
||||
return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr);
|
||||
}
|
||||
|
||||
|
||||
|
@ -5,17 +5,17 @@
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_log.c,v 2.0.2.13.2.2 1997/11/12 10:52:21 darrenr Exp $
|
||||
* $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $
|
||||
*/
|
||||
#ifdef IPFILTER_LOG
|
||||
# ifndef SOLARIS
|
||||
# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||
# endif
|
||||
|
||||
# if defined(KERNEL) && !defined(_KERNEL)
|
||||
# define _KERNEL
|
||||
# endif
|
||||
# ifdef __FreeBSD__
|
||||
# if defined(KERNEL) && !defined(_KERNEL)
|
||||
# define _KERNEL
|
||||
# endif
|
||||
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
|
||||
# include <sys/osreldate.h>
|
||||
# else
|
||||
|
@ -9,7 +9,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.3 1997/11/12 10:53:29 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.7 1997/12/02 13:54:27 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -317,6 +317,7 @@ int mode;
|
||||
break;
|
||||
}
|
||||
ret = nat_flushtable();
|
||||
(void) ap_unload();
|
||||
IWCOPY((caddr_t)&ret, data, sizeof(ret));
|
||||
break;
|
||||
case SIOCCNATL :
|
||||
@ -513,18 +514,14 @@ struct in_addr *inp;
|
||||
/*
|
||||
* Create a new NAT table entry.
|
||||
*/
|
||||
#ifdef __STDC__
|
||||
nat_t *nat_new(ipnat_t *np, ip_t *ip, fr_info_t *fin, u_short flags, int direction)
|
||||
#else
|
||||
nat_t *nat_new(np, ip, fin, flags, direction)
|
||||
ipnat_t *np;
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
u_short flags;
|
||||
int direction;
|
||||
#endif
|
||||
{
|
||||
register u_long sum1, sum2, sumd;
|
||||
register u_long sum1, sum2, sumd, l;
|
||||
u_short port = 0, sport = 0, dport = 0, nport = 0;
|
||||
struct in_addr in;
|
||||
tcphdr_t *tcp = NULL;
|
||||
@ -554,13 +551,22 @@ int direction;
|
||||
* If it's an outbound packet which doesn't match any existing
|
||||
* record, then create a new port
|
||||
*/
|
||||
l = 0;
|
||||
do {
|
||||
l++;
|
||||
port = 0;
|
||||
in.s_addr = np->in_nip;
|
||||
if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
|
||||
if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1)
|
||||
if ((l > 1) ||
|
||||
nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) {
|
||||
KFREE(nat);
|
||||
return NULL;
|
||||
}
|
||||
} else if (!in.s_addr && !np->in_outmsk) {
|
||||
if (l > 1) {
|
||||
KFREE(nat);
|
||||
return NULL;
|
||||
}
|
||||
in.s_addr = ntohl(ip->ip_src.s_addr);
|
||||
if (nflags & IPN_TCPUDP)
|
||||
port = sport;
|
||||
@ -609,7 +615,7 @@ int direction;
|
||||
* internal port.
|
||||
*/
|
||||
in.s_addr = ntohl(np->in_inip);
|
||||
if (!(nport = htons(np->in_pnext)))
|
||||
if (!(nport = np->in_pnext))
|
||||
nport = dport;
|
||||
|
||||
nat->nat_inip.s_addr = htonl(in.s_addr);
|
||||
@ -1083,7 +1089,7 @@ fr_info_t *fin;
|
||||
(void) ap_check(ip, tcp, fin, nat);
|
||||
nat_stats.ns_mapped[1]++;
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 1;
|
||||
return -2;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 0;
|
||||
@ -1212,7 +1218,7 @@ fr_info_t *fin;
|
||||
}
|
||||
nat_stats.ns_mapped[0]++;
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 1;
|
||||
return -2;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 0;
|
||||
@ -1257,6 +1263,9 @@ void ip_natexpire()
|
||||
nat_delete(nat);
|
||||
nat_stats.ns_expire++;
|
||||
}
|
||||
|
||||
ap_expire();
|
||||
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
SPL_X(s);
|
||||
}
|
||||
|
@ -6,7 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.2 1997/11/12 10:54:11 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -226,7 +226,7 @@ nat_t *nat;
|
||||
* don't do anything with this packet.
|
||||
*/
|
||||
if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp,
|
||||
ip, tcp)) {
|
||||
ip, tcp, ip->ip_len)) {
|
||||
frstats[fin->fin_out].fr_tcpbad++;
|
||||
return -1;
|
||||
}
|
||||
@ -246,7 +246,8 @@ nat_t *nat;
|
||||
aps, nat);
|
||||
}
|
||||
if (err == 2) {
|
||||
tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
|
||||
tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip,
|
||||
tcp, ip->ip_len);
|
||||
err = 0;
|
||||
}
|
||||
return err;
|
||||
@ -298,3 +299,21 @@ void ap_unload()
|
||||
aps_free(aps);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void ap_expire()
|
||||
{
|
||||
ap_session_t *aps, **apsp;
|
||||
int i;
|
||||
|
||||
for (i = 0; i < AP_SESS_SIZE; i++)
|
||||
for (apsp = &ap_sess_tab[i]; (aps = *apsp); ) {
|
||||
aps->aps_tout--;
|
||||
if (!aps->aps_tout) {
|
||||
ap_sess_tab[i] = aps->aps_next;
|
||||
aps_free(aps);
|
||||
*apsp = aps->aps_next;
|
||||
} else
|
||||
apsp = &aps->aps_next;
|
||||
}
|
||||
}
|
||||
|
@ -5,7 +5,7 @@
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_proxy.h,v 2.0.2.10 1997/10/19 15:39:23 darrenr Exp $
|
||||
* $Id: ip_proxy.h,v 2.0.2.10.2.1 1997/11/27 09:33:27 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_PROXY_H__
|
||||
@ -88,5 +88,6 @@ extern void ap_free __P((aproxy_t *));
|
||||
extern void aps_free __P((ap_session_t *));
|
||||
extern int ap_check __P((ip_t *, tcphdr_t *, fr_info_t *, struct nat *));
|
||||
extern aproxy_t *ap_match __P((u_char, char *));
|
||||
extern void ap_expire __P((void));
|
||||
|
||||
#endif /* __IP_PROXY_H__ */
|
||||
|
@ -9,7 +9,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.3 1997/11/12 10:54:35 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55:39 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -76,7 +76,7 @@ int ipldetach()
|
||||
ipflog_clear(i);
|
||||
untimeout(ipfr_timer_id);
|
||||
i = FR_INQUE|FR_OUTQUE;
|
||||
frflush(IPL_LOGIPF, (caddr_t)&i);
|
||||
frflush(IPL_LOGIPF, &i);
|
||||
ipfr_unload();
|
||||
fr_stateunload();
|
||||
ip_natunload();
|
||||
@ -250,9 +250,11 @@ int *rp;
|
||||
case SIOCIPFFL :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
|
||||
mutex_enter(&ipf_mutex);
|
||||
frflush(unit, (caddr_t)data);
|
||||
frflush(unit, &tmp);
|
||||
mutex_exit(&ipf_mutex);
|
||||
IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
|
||||
break;
|
||||
#ifdef IPFILTER_LOG
|
||||
case SIOCIPFFB :
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.3 1997/11/12 10:55:34 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
|
||||
@ -179,9 +179,7 @@ int mode;
|
||||
case SIOCIPFFL :
|
||||
IRCOPY(data, (caddr_t)&arg, sizeof(arg));
|
||||
if (arg == 0 || arg == 1) {
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
ret = fr_state_flush(arg);
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
IWCOPY((caddr_t)&ret, data, sizeof(ret));
|
||||
} else
|
||||
error = EINVAL;
|
||||
|
@ -11,6 +11,6 @@
|
||||
#ifndef __IPL_H__
|
||||
#define __IPL_H__
|
||||
|
||||
#define IPL_VERSION "IP Filter v3.2.1"
|
||||
#define IPL_VERSION "IP Filter v3.2.3"
|
||||
|
||||
#endif
|
||||
|
@ -1,11 +1,11 @@
|
||||
#
|
||||
interface { ifname le0; mtu 1500; }
|
||||
interface { ifname le0; mtu 1500; } ;
|
||||
|
||||
ipv4 {
|
||||
src 1.1.1.1; dst 2.2.2.2;
|
||||
tcp {
|
||||
seq 12345; ack 0; sport 9999; dport 23; flags S;
|
||||
data { value "abcdef"; } ;
|
||||
}
|
||||
}
|
||||
send { via 10.1.1.1; }
|
||||
} ;
|
||||
} ;
|
||||
send { via 10.1.1.1; } ;
|
||||
|
@ -10,7 +10,7 @@
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: iplang_l.l,v 2.0.2.15.2.1 1997/11/05 11:04:04 darrenr Exp $
|
||||
* $Id: iplang_l.l,v 2.0.2.15.2.2 1997/12/10 09:54:15 darrenr Exp $
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
@ -164,6 +164,7 @@ rtime { return next_state(IL_ICMP_RTIME, -1); }
|
||||
ttime { return next_state(IL_ICMP_TTIME, -1); }
|
||||
icmpseq { return next_state(IL_ICMP_SEQ, -1); }
|
||||
icmpid { return next_state(IL_ICMP_SEQ, -1); }
|
||||
\377 { return 0; } /* EOF */
|
||||
\{ { push_proto(); return next_item('{'); }
|
||||
\} { pop_proto(); return next_item('}'); }
|
||||
\. { return next_item(IL_DOT); }
|
||||
@ -210,11 +211,8 @@ void pop_proto()
|
||||
|
||||
int save_token()
|
||||
{
|
||||
static char *buf = NULL;
|
||||
|
||||
if (buf && (buf == yylval.str))
|
||||
free(buf);
|
||||
buf = yylval.str = strdup(yytext);
|
||||
yylval.str = strdup(yytext);
|
||||
return IL_TOKEN;
|
||||
}
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: iplang_y.y,v 2.0.2.18.2.2 1997/11/05 11:04:19 darrenr Exp $
|
||||
* $Id: iplang_y.y,v 2.0.2.18.2.5 1997/12/10 09:54:45 darrenr Exp $
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
@ -190,8 +190,8 @@ int yyparse __P((void));
|
||||
%token IL_IPO_TS IL_IPO_TR IL_IPO_SEC IL_IPO_LSRR IL_IPO_ESEC
|
||||
%token IL_IPO_SATID IL_IPO_SSRR IL_IPO_ADDEXT IL_IPO_VISA IL_IPO_IMITD
|
||||
%token IL_IPO_EIP IL_IPO_FINN IL_IPO_SECCLASS IL_IPO_CIPSO IL_IPO_ENCODE
|
||||
%token IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3
|
||||
%token IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1
|
||||
%token <str> IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3
|
||||
%token <str> IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1
|
||||
%token IL_ICMP_ECHOREPLY IL_ICMP_UNREACH IL_ICMP_UNREACH_NET
|
||||
%token IL_ICMP_UNREACH_HOST IL_ICMP_UNREACH_PROTOCOL IL_ICMP_UNREACH_PORT
|
||||
%token IL_ICMP_UNREACH_NEEDFRAG IL_ICMP_UNREACH_SRCFAIL
|
||||
@ -235,10 +235,10 @@ ifaceopts:
|
||||
;
|
||||
|
||||
ifaceopt:
|
||||
IL_IFNAME token { set_ifname(&yylval.str); }
|
||||
| IL_MTU number { set_ifmtu(yylval.num); }
|
||||
| IL_V4ADDR token { set_ifv4addr(&yylval.str); }
|
||||
| IL_EADDR token { set_ifeaddr(&yylval.str); }
|
||||
IL_IFNAME token { set_ifname(&$2); }
|
||||
| IL_MTU number { set_ifmtu($2); }
|
||||
| IL_V4ADDR token { set_ifv4addr(&$2); }
|
||||
| IL_EADDR token { set_ifeaddr(&$2); }
|
||||
;
|
||||
|
||||
send: sendhdr '{' sendbody '}' ';' { packet_done(); }
|
||||
@ -255,8 +255,8 @@ sendbody:
|
||||
;
|
||||
|
||||
sendopt:
|
||||
IL_IFNAME token { set_sendif(&yylval.str); }
|
||||
| IL_VIA token { set_sendvia(&yylval.str); }
|
||||
IL_IFNAME token { set_sendif(&$2); }
|
||||
| IL_VIA token { set_sendvia(&$2); }
|
||||
;
|
||||
|
||||
arp: arphdr '{' arpbody '}' ';'
|
||||
@ -270,12 +270,12 @@ arpbody:
|
||||
| arpbody arpopt
|
||||
;
|
||||
|
||||
arpopt: IL_V4ADDR token { set_arpv4addr(&yylval.str); }
|
||||
| IL_EADDR token { set_arpeaddr(&yylval.str); }
|
||||
arpopt: IL_V4ADDR token { set_arpv4addr(&$2); }
|
||||
| IL_EADDR token { set_arpeaddr(&$2); }
|
||||
;
|
||||
|
||||
defrouter:
|
||||
IL_DEFROUTER token { set_defaultrouter(&yylval.str); }
|
||||
IL_DEFROUTER token { set_defaultrouter(&$2); }
|
||||
;
|
||||
|
||||
bodyline:
|
||||
@ -298,17 +298,17 @@ ipv4body:
|
||||
;
|
||||
|
||||
ipv4type:
|
||||
IL_V4PROTO token { set_ipv4proto(&yylval.str); }
|
||||
| IL_V4SRC token { set_ipv4src(&yylval.str); }
|
||||
| IL_V4DST token { set_ipv4dst(&yylval.str); }
|
||||
| IL_V4OFF token { set_ipv4off(&yylval.str); }
|
||||
| IL_V4V token { set_ipv4v(&yylval.str); }
|
||||
| IL_V4HL token { set_ipv4hl(&yylval.str); }
|
||||
| IL_V4ID token { set_ipv4id(&yylval.str); }
|
||||
| IL_V4TTL token { set_ipv4ttl(&yylval.str); }
|
||||
| IL_V4TOS token { set_ipv4tos(&yylval.str); }
|
||||
| IL_V4SUM token { set_ipv4sum(&yylval.str); }
|
||||
| IL_V4LEN token { set_ipv4len(&yylval.str); }
|
||||
IL_V4PROTO token { set_ipv4proto(&$2); }
|
||||
| IL_V4SRC token { set_ipv4src(&$2); }
|
||||
| IL_V4DST token { set_ipv4dst(&$2); }
|
||||
| IL_V4OFF token { set_ipv4off(&$2); }
|
||||
| IL_V4V token { set_ipv4v(&$2); }
|
||||
| IL_V4HL token { set_ipv4hl(&$2); }
|
||||
| IL_V4ID token { set_ipv4id(&$2); }
|
||||
| IL_V4TTL token { set_ipv4ttl(&$2); }
|
||||
| IL_V4TOS token { set_ipv4tos(&$2); }
|
||||
| IL_V4SUM token { set_ipv4sum(&$2); }
|
||||
| IL_V4LEN token { set_ipv4len(&$2); }
|
||||
| ipv4opt '{' ipv4optlist '}' ';' { end_ipopt(); }
|
||||
;
|
||||
|
||||
@ -320,20 +320,21 @@ tcpline:
|
||||
;
|
||||
|
||||
tcpheader:
|
||||
tcpbody tcpheader
|
||||
tcpbody
|
||||
| tcpbody tcpheader
|
||||
| bodyline
|
||||
;
|
||||
|
||||
tcpbody:
|
||||
IL_SPORT token { set_tcpsport(&yylval.str); }
|
||||
| IL_DPORT token { set_tcpdport(&yylval.str); }
|
||||
| IL_TCPSEQ token { set_tcpseq(&yylval.str); }
|
||||
| IL_TCPACK token { set_tcpack(&yylval.str); }
|
||||
| IL_TCPOFF token { set_tcpoff(&yylval.str); }
|
||||
| IL_TCPURP token { set_tcpurp(&yylval.str); }
|
||||
| IL_TCPWIN token { set_tcpwin(&yylval.str); }
|
||||
| IL_TCPSUM token { set_tcpsum(&yylval.str); }
|
||||
| IL_TCPFL token { set_tcpflags(&yylval.str); }
|
||||
IL_SPORT token { set_tcpsport(&$2); }
|
||||
| IL_DPORT token { set_tcpdport(&$2); }
|
||||
| IL_TCPSEQ token { set_tcpseq(&$2); }
|
||||
| IL_TCPACK token { set_tcpack(&$2); }
|
||||
| IL_TCPOFF token { set_tcpoff(&$2); }
|
||||
| IL_TCPURP token { set_tcpurp(&$2); }
|
||||
| IL_TCPWIN token { set_tcpwin(&$2); }
|
||||
| IL_TCPSUM token { set_tcpsum(&$2); }
|
||||
| IL_TCPFL token { set_tcpflags(&$2); }
|
||||
| IL_TCPOPT '{' tcpopts '}' ';' { end_tcpopt(); }
|
||||
;
|
||||
|
||||
@ -343,9 +344,9 @@ tcpopts:
|
||||
|
||||
tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); }
|
||||
| IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); }
|
||||
| IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&yylval.str);}
|
||||
| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&yylval.str);}
|
||||
| IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &yylval.str);}
|
||||
| IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
|
||||
| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
|
||||
| IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);}
|
||||
;
|
||||
|
||||
udp: IL_UDP { new_udpheader(); }
|
||||
@ -363,10 +364,10 @@ udpheader:
|
||||
;
|
||||
|
||||
udpbody:
|
||||
IL_SPORT token { set_tcpsport(&yylval.str); }
|
||||
| IL_DPORT token { set_tcpdport(&yylval.str); }
|
||||
| IL_UDPLEN token { set_udplen(&yylval.str); }
|
||||
| IL_UDPSUM token { set_udpsum(&yylval.str); }
|
||||
IL_SPORT token { set_tcpsport(&$2); }
|
||||
| IL_DPORT token { set_tcpdport(&$2); }
|
||||
| IL_UDPLEN token { set_udplen(&$2); }
|
||||
| IL_UDPSUM token { set_udpsum(&$2); }
|
||||
;
|
||||
|
||||
icmp: IL_ICMP { new_icmpheader(); }
|
||||
@ -387,7 +388,7 @@ icmpheader:
|
||||
;
|
||||
|
||||
icmpcode:
|
||||
IL_ICMPCODE token { set_icmpcodetok(&yylval.str); }
|
||||
IL_ICMPCODE token { set_icmpcodetok(&$2); }
|
||||
;
|
||||
|
||||
icmptype:
|
||||
@ -413,7 +414,7 @@ icmptype:
|
||||
| IL_ICMP_MASKREPLY '{' token '}' ';'
|
||||
| IL_ICMP_PARAMPROB ';' { set_icmptype(ICMP_PARAMPROB); }
|
||||
| IL_ICMP_PARAMPROB '{' paramprob '}' ';'
|
||||
| IL_TOKEN ';' { set_icmptypetok(&yylval.str); }
|
||||
| IL_TOKEN ';' { set_icmptypetok(&$1); }
|
||||
;
|
||||
|
||||
icmpechoopts:
|
||||
@ -421,17 +422,17 @@ icmpechoopts:
|
||||
;
|
||||
|
||||
icmpecho:
|
||||
IL_ICMP_SEQ number { set_icmpseq(yylval.num); }
|
||||
| IL_ICMP_ID number { set_icmpid(yylval.num); }
|
||||
IL_ICMP_SEQ number { set_icmpseq($2); }
|
||||
| IL_ICMP_ID number { set_icmpid($2); }
|
||||
;
|
||||
|
||||
icmptsopts:
|
||||
| icmptsopts icmpts ';'
|
||||
;
|
||||
|
||||
icmpts: IL_ICMP_OTIME number { set_icmpotime(yylval.num); }
|
||||
| IL_ICMP_RTIME number { set_icmprtime(yylval.num); }
|
||||
| IL_ICMP_TTIME number { set_icmpttime(yylval.num); }
|
||||
icmpts: IL_ICMP_OTIME number { set_icmpotime($2); }
|
||||
| IL_ICMP_RTIME number { set_icmprtime($2); }
|
||||
| IL_ICMP_TTIME number { set_icmpttime($2); }
|
||||
;
|
||||
|
||||
unreach:
|
||||
@ -444,7 +445,7 @@ unreachopts:
|
||||
| IL_ICMP_UNREACH_HOST line
|
||||
| IL_ICMP_UNREACH_PROTOCOL line
|
||||
| IL_ICMP_UNREACH_PORT line
|
||||
| IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu(yylval.num); }
|
||||
| IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu($2); }
|
||||
| IL_ICMP_UNREACH_SRCFAIL line
|
||||
| IL_ICMP_UNREACH_NET_UNKNOWN line
|
||||
| IL_ICMP_UNREACH_HOST_UNKNOWN line
|
||||
@ -464,10 +465,10 @@ redirect:
|
||||
;
|
||||
|
||||
redirectopts:
|
||||
| IL_ICMP_REDIRECT_NET token { set_redir(0, &yylval.str); }
|
||||
| IL_ICMP_REDIRECT_HOST token { set_redir(1, &yylval.str); }
|
||||
| IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &yylval.str); }
|
||||
| IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &yylval.str); }
|
||||
| IL_ICMP_REDIRECT_NET token { set_redir(0, &$2); }
|
||||
| IL_ICMP_REDIRECT_HOST token { set_redir(1, &$2); }
|
||||
| IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &$2); }
|
||||
| IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &$2); }
|
||||
;
|
||||
|
||||
exceed:
|
||||
@ -480,7 +481,7 @@ paramprob:
|
||||
| IL_ICMP_PARAMPROB_OPTABSENT paraprobarg
|
||||
|
||||
paraprobarg:
|
||||
'{' number '}' ';' { set_icmppprob(yylval.num); }
|
||||
'{' number '}' ';' { set_icmppprob($2); }
|
||||
;
|
||||
|
||||
ipv4opt: IL_V4OPT { new_ipv4opt(); }
|
||||
@ -492,7 +493,7 @@ ipv4optlist:
|
||||
|
||||
ipv4opts:
|
||||
IL_IPO_NOP ';' { add_ipopt(IL_IPO_NOP, NULL); }
|
||||
| IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &yylval.num); }
|
||||
| IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &$2); }
|
||||
| IL_IPO_ZSU ';' { add_ipopt(IL_IPO_ZSU, NULL); }
|
||||
| IL_IPO_MTUP ';' { add_ipopt(IL_IPO_MTUP, NULL); }
|
||||
| IL_IPO_MTUR ';' { add_ipopt(IL_IPO_MTUR, NULL); }
|
||||
@ -501,11 +502,11 @@ ipv4opts:
|
||||
| IL_IPO_TR ';' { add_ipopt(IL_IPO_TR, NULL); }
|
||||
| IL_IPO_SEC ';' { add_ipopt(IL_IPO_SEC, NULL); }
|
||||
| IL_IPO_SECCLASS secclass { add_ipopt(IL_IPO_SECCLASS, sclass); }
|
||||
| IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&yylval.str); }
|
||||
| IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&$2); }
|
||||
| IL_IPO_ESEC ';' { add_ipopt(IL_IPO_ESEC, NULL); }
|
||||
| IL_IPO_CIPSO ';' { add_ipopt(IL_IPO_CIPSO, NULL); }
|
||||
| IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&yylval.num);}
|
||||
| IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&yylval.str); }
|
||||
| IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&$2);}
|
||||
| IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&$2); }
|
||||
| IL_IPO_ADDEXT ';' { add_ipopt(IL_IPO_ADDEXT, NULL); }
|
||||
| IL_IPO_VISA ';' { add_ipopt(IL_IPO_VISA, NULL); }
|
||||
| IL_IPO_IMITD ';' { add_ipopt(IL_IPO_IMITD, NULL); }
|
||||
@ -514,14 +515,14 @@ ipv4opts:
|
||||
;
|
||||
|
||||
secclass:
|
||||
IL_IPS_RESERV4 ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_TOPSECRET ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_SECRET ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_RESERV3 ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_CONFID ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_UNCLASS ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_RESERV2 ';' { set_secclass(&yylval.str); }
|
||||
| IL_IPS_RESERV1 ';' { set_secclass(&yylval.str); }
|
||||
IL_IPS_RESERV4 ';' { set_secclass(&$1); }
|
||||
| IL_IPS_TOPSECRET ';' { set_secclass(&$1); }
|
||||
| IL_IPS_SECRET ';' { set_secclass(&$1); }
|
||||
| IL_IPS_RESERV3 ';' { set_secclass(&$1); }
|
||||
| IL_IPS_CONFID ';' { set_secclass(&$1); }
|
||||
| IL_IPS_UNCLASS ';' { set_secclass(&$1); }
|
||||
| IL_IPS_RESERV2 ';' { set_secclass(&$1); }
|
||||
| IL_IPS_RESERV1 ';' { set_secclass(&$1); }
|
||||
;
|
||||
|
||||
data: IL_DATA { new_data(); }
|
||||
@ -536,9 +537,9 @@ databody: dataopts
|
||||
;
|
||||
|
||||
dataopts:
|
||||
IL_DLEN token { set_datalen(&yylval.str); }
|
||||
| IL_DVALUE token { set_data(&yylval.str); }
|
||||
| IL_DFILE token { set_datafile(&yylval.str); }
|
||||
IL_DLEN token { set_datalen(&$2); }
|
||||
| IL_DVALUE token { set_data(&$2); }
|
||||
| IL_DFILE token { set_datafile(&$2); }
|
||||
;
|
||||
|
||||
token: IL_TOKEN ';'
|
||||
@ -618,28 +619,6 @@ ether_aton(s)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef bsdi
|
||||
struct ether_addr *
|
||||
ether_aton(s)
|
||||
char *s;
|
||||
{
|
||||
static struct ether_addr n;
|
||||
u_int i[6];
|
||||
|
||||
if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1],
|
||||
&i[2], &i[3], &i[4], &i[5]) == 6) {
|
||||
n.ether_addr_octet[0] = (u_char)i[0];
|
||||
n.ether_addr_octet[1] = (u_char)i[1];
|
||||
n.ether_addr_octet[2] = (u_char)i[2];
|
||||
n.ether_addr_octet[3] = (u_char)i[3];
|
||||
n.ether_addr_octet[4] = (u_char)i[4];
|
||||
n.ether_addr_octet[5] = (u_char)i[5];
|
||||
return &n;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
struct in_addr getipv4addr(arg)
|
||||
char *arg;
|
||||
@ -663,7 +642,7 @@ char *pr, *name;
|
||||
struct servent *sp;
|
||||
|
||||
if (!(sp = getservbyname(name, pr)))
|
||||
return atoi(name);
|
||||
return htons(atoi(name));
|
||||
return sp->s_port;
|
||||
}
|
||||
|
||||
@ -1740,7 +1719,9 @@ void free_anipheader()
|
||||
canip->ah_next = NULL;
|
||||
aniptail = &canip->ah_next;
|
||||
}
|
||||
free(aip);
|
||||
|
||||
if (canip)
|
||||
free(aip);
|
||||
}
|
||||
|
||||
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.3 1997/11/12 10:57:25 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <stdio.h>
|
||||
@ -106,9 +106,11 @@ int main __P((int, char *[]));
|
||||
#define OPT_VERBOSE 0x008
|
||||
#define OPT_HEXHDR 0x010
|
||||
#define OPT_TAIL 0x020
|
||||
#define OPT_ALL 0x040
|
||||
#define OPT_NAT 0x080
|
||||
#define OPT_STATE 0x100
|
||||
#define OPT_FILTER 0x200
|
||||
#define OPT_PORTNUM 0x400
|
||||
#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER)
|
||||
|
||||
#ifndef LOGFAC
|
||||
#define LOGFAC LOG_LOCAL0
|
||||
@ -156,7 +158,7 @@ u_short port;
|
||||
struct servent *serv;
|
||||
|
||||
(void) sprintf(pname, "%hu", htons(port));
|
||||
if (!res)
|
||||
if (!res || (opts & OPT_PORTNUM))
|
||||
return pname;
|
||||
serv = getservbyport((int)port, proto);
|
||||
if (!serv)
|
||||
@ -598,7 +600,7 @@ FILE *log;
|
||||
int fd, flushed = 0;
|
||||
|
||||
if ((fd = open(file, O_RDWR)) == -1) {
|
||||
(void) fprintf(stderr, "%s: open: %s", file, STRERROR(errno));
|
||||
(void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
@ -620,50 +622,94 @@ FILE *log;
|
||||
}
|
||||
|
||||
|
||||
static void logopts(turnon, options)
|
||||
int turnon;
|
||||
char *options;
|
||||
{
|
||||
int flags = 0;
|
||||
char *s;
|
||||
|
||||
for (s = options; *s; s++)
|
||||
{
|
||||
switch (*s)
|
||||
{
|
||||
case 'N' :
|
||||
flags |= OPT_NAT;
|
||||
break;
|
||||
case 'S' :
|
||||
flags |= OPT_STATE;
|
||||
break;
|
||||
case 'I' :
|
||||
flags |= OPT_FILTER;
|
||||
break;
|
||||
default :
|
||||
fprintf(stderr, "Unknown log option %c\n", *s);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
if (turnon)
|
||||
opts |= flags;
|
||||
else
|
||||
opts &= ~(flags);
|
||||
}
|
||||
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
struct stat sb;
|
||||
FILE *log = stdout;
|
||||
int fd[3], doread, n, i, nfd = 1;
|
||||
int tr, nr, regular, c;
|
||||
int fdt[3];
|
||||
char buf[512], *iplfile = IPL_NAME;
|
||||
int fd[3], doread, n, i;
|
||||
int tr, nr, regular[3], c;
|
||||
int fdt[3], devices = 0;
|
||||
char buf[512], *iplfile[3];
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
|
||||
fd[0] = fd[1] = fd[2] = -1;
|
||||
fdt[0] = IPL_LOGIPF;
|
||||
fdt[1] = IPL_LOGNAT;
|
||||
fdt[2] = IPL_LOGSTATE;
|
||||
fdt[0] = fdt[1] = fdt[2] = -1;
|
||||
iplfile[0] = IPL_NAME;
|
||||
iplfile[1] = IPNAT_NAME;
|
||||
iplfile[2] = IPSTATE_NAME;
|
||||
|
||||
while ((c = getopt(argc, argv, "?af:FhnNsStvxX")) != -1)
|
||||
while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'a' :
|
||||
opts |= OPT_ALL;
|
||||
nfd = 3;
|
||||
break;
|
||||
case 'f' :
|
||||
iplfile = optarg;
|
||||
case 'f' : case 'I' :
|
||||
opts |= OPT_FILTER;
|
||||
fdt[0] = IPL_LOGIPF;
|
||||
iplfile[0] = optarg;
|
||||
break;
|
||||
case 'F' :
|
||||
if (!(opts & OPT_ALL))
|
||||
flushlogs(iplfile, log);
|
||||
else {
|
||||
flushlogs(IPL_NAME, log);
|
||||
flushlogs(IPL_NAT, log);
|
||||
flushlogs(IPL_STATE, log);
|
||||
}
|
||||
flushlogs(iplfile[0], log);
|
||||
flushlogs(iplfile[1], log);
|
||||
flushlogs(iplfile[2], log);
|
||||
break;
|
||||
case 'n' :
|
||||
opts |= OPT_RESOLVE;
|
||||
break;
|
||||
case 'N' :
|
||||
opts |= OPT_NAT;
|
||||
fdt[0] = IPL_LOGNAT;
|
||||
iplfile = IPL_NAT;
|
||||
fdt[1] = IPL_LOGNAT;
|
||||
iplfile[1] = optarg;
|
||||
break;
|
||||
case 'o' : case 'O' :
|
||||
logopts(c == 'o', optarg);
|
||||
fdt[0] = fdt[1] = fdt[2] = -1;
|
||||
if (opts & OPT_FILTER)
|
||||
fdt[0] = IPL_LOGIPF;
|
||||
if (opts & OPT_NAT)
|
||||
fdt[1] = IPL_LOGNAT;
|
||||
if (opts & OPT_STATE)
|
||||
fdt[2] = IPL_LOGSTATE;
|
||||
break;
|
||||
case 'p' :
|
||||
opts |= OPT_PORTNUM;
|
||||
break;
|
||||
case 's' :
|
||||
openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC);
|
||||
@ -671,8 +717,8 @@ char *argv[];
|
||||
break;
|
||||
case 'S' :
|
||||
opts |= OPT_STATE;
|
||||
fdt[0] = IPL_LOGSTATE;
|
||||
iplfile = IPL_STATE;
|
||||
fdt[2] = IPL_LOGSTATE;
|
||||
iplfile[2] = optarg;
|
||||
break;
|
||||
case 't' :
|
||||
opts |= OPT_TAIL;
|
||||
@ -692,22 +738,32 @@ char *argv[];
|
||||
usage(argv[0]);
|
||||
}
|
||||
|
||||
if ((fd[0] == -1) && (fd[0] = open(iplfile, O_RDONLY)) == -1) {
|
||||
(void) fprintf(stderr, "%s: open: %s", iplfile,
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
/*
|
||||
* Default action is to only open the filter log file.
|
||||
*/
|
||||
if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
|
||||
fdt[0] = IPL_LOGIPF;
|
||||
|
||||
if ((opts & OPT_ALL)) {
|
||||
if ((fd[1] = open(IPL_NAT, O_RDONLY)) == -1) {
|
||||
(void) fprintf(stderr, "%s: open: %s", IPL_NAT,
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
if ((fd[2] = open(IPL_STATE, O_RDONLY)) == -1) {
|
||||
(void) fprintf(stderr, "%s: open: %s", IPL_STATE,
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
for (i = 0; i < 3; i++) {
|
||||
if (fdt[i] == -1)
|
||||
continue;
|
||||
if (!strcmp(iplfile[i], "-"))
|
||||
fd[i] = 0;
|
||||
else {
|
||||
if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
|
||||
(void) fprintf(stderr,
|
||||
"%s: open: %s\n", iplfile[i],
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (fstat(fd[i], &sb) == -1) {
|
||||
(void) fprintf(stderr, "%d: fstat: %s\n",fd[i],
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
if (!(regular[i] = !S_ISCHR(sb.st_mode)))
|
||||
devices++;
|
||||
}
|
||||
}
|
||||
|
||||
@ -715,27 +771,21 @@ char *argv[];
|
||||
log = argv[optind] ? fopen(argv[optind], "a") : stdout;
|
||||
if (log == NULL) {
|
||||
|
||||
(void) fprintf(stderr, "%s: fopen: %s", argv[optind],
|
||||
(void) fprintf(stderr, "%s: fopen: %s\n", argv[optind],
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
setvbuf(log, NULL, _IONBF, 0);
|
||||
}
|
||||
|
||||
if (stat(iplfile, &sb) == -1) {
|
||||
(void) fprintf(stderr, "%s: stat: %s", iplfile,
|
||||
STRERROR(errno));
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
regular = !S_ISCHR(sb.st_mode);
|
||||
|
||||
for (doread = 1; doread; ) {
|
||||
nr = 0;
|
||||
|
||||
for (i = 0; i < nfd; i++) {
|
||||
for (i = 0; i < 3; i++) {
|
||||
tr = 0;
|
||||
if (!regular) {
|
||||
if (fdt[i] == -1)
|
||||
continue;
|
||||
if (!regular[i]) {
|
||||
if (ioctl(fd[i], FIONREAD, &tr) == -1) {
|
||||
perror("ioctl(FIONREAD)");
|
||||
exit(-1);
|
||||
@ -745,7 +795,7 @@ char *argv[];
|
||||
if (!tr && !(opts & OPT_TAIL))
|
||||
doread = 0;
|
||||
}
|
||||
if (!tr && nfd != 1)
|
||||
if (!tr)
|
||||
continue;
|
||||
nr += tr;
|
||||
|
||||
@ -777,7 +827,7 @@ char *argv[];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!nr && ((opts & OPT_TAIL) || !regular))
|
||||
if (!nr && ((opts & OPT_TAIL) || devices))
|
||||
sleep(1);
|
||||
}
|
||||
exit(0);
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C)1995";
|
||||
static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11 1997/10/23 11:42:44 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $";
|
||||
#endif
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
@ -96,7 +96,7 @@ int frag;
|
||||
static u_short id = 0;
|
||||
ether_header_t *eh;
|
||||
ip_t ipsv;
|
||||
int err;
|
||||
int err, iplen;
|
||||
|
||||
if (!ipbuf)
|
||||
ipbuf = (char *)malloc(65536);
|
||||
@ -115,7 +115,8 @@ int frag;
|
||||
|
||||
bcopy((char *)ip, (char *)&ipsv, sizeof(*ip));
|
||||
last_gw.s_addr = gwip.s_addr;
|
||||
ip->ip_len = htons(ip->ip_len);
|
||||
iplen = ip->ip_len;
|
||||
ip->ip_len = htons(iplen);
|
||||
ip->ip_off = htons(ip->ip_off);
|
||||
if (!(frag & 2)) {
|
||||
if (!ip->ip_v)
|
||||
@ -126,13 +127,13 @@ int frag;
|
||||
ip->ip_ttl = 60;
|
||||
}
|
||||
|
||||
if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu))
|
||||
if (!frag || (sizeof(*eh) + iplen < mtu))
|
||||
{
|
||||
ip->ip_sum = 0;
|
||||
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
|
||||
|
||||
bcopy((char *)ip, ipbuf + sizeof(*eh), ntohs(ip->ip_len));
|
||||
err = sendip(nfd, ipbuf, sizeof(*eh) + ntohs(ip->ip_len));
|
||||
bcopy((char *)ip, ipbuf + sizeof(*eh), iplen);
|
||||
err = sendip(nfd, ipbuf, sizeof(*eh) + iplen);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -144,7 +145,7 @@ int frag;
|
||||
ether_header_t eth;
|
||||
char optcpy[48], ol;
|
||||
char *s;
|
||||
int i, iplen, sent = 0, ts, hlen, olen;
|
||||
int i, sent = 0, ts, hlen, olen;
|
||||
|
||||
hlen = ip->ip_hl << 2;
|
||||
if (mtu < (hlen + 8)) {
|
||||
@ -235,43 +236,44 @@ struct in_addr gwip;
|
||||
{
|
||||
static tcp_seq iss = 2;
|
||||
struct tcpiphdr *ti;
|
||||
int thlen, i;
|
||||
u_long lbuf[20];
|
||||
tcphdr_t *t;
|
||||
int thlen, i, iplen, hlen;
|
||||
u_32_t lbuf[20];
|
||||
|
||||
iplen = ip->ip_len;
|
||||
hlen = ip->ip_hl << 2;
|
||||
t = (tcphdr_t *)((char *)ip + hlen);
|
||||
ti = (struct tcpiphdr *)lbuf;
|
||||
thlen = t->th_off << 2;
|
||||
if (!thlen)
|
||||
thlen = sizeof(tcphdr_t);
|
||||
bzero((char *)ti, sizeof(*ti));
|
||||
thlen = sizeof(tcphdr_t);
|
||||
ip->ip_p = IPPROTO_TCP;
|
||||
ti->ti_pr = ip->ip_p;
|
||||
ti->ti_src = ip->ip_src;
|
||||
ti->ti_dst = ip->ip_dst;
|
||||
bcopy((char *)ip + (ip->ip_hl << 2),
|
||||
(char *)&ti->ti_sport, sizeof(tcphdr_t));
|
||||
bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen);
|
||||
|
||||
if (!ti->ti_win)
|
||||
ti->ti_win = htons(4096);
|
||||
if (!ti->ti_seq)
|
||||
ti->ti_seq = htonl(iss);
|
||||
iss += 64;
|
||||
iss += 63;
|
||||
|
||||
if ((ti->ti_flags == TH_SYN) && !ip->ip_off)
|
||||
{
|
||||
ip = (ip_t *)realloc((char *)ip, ntohs(ip->ip_len) + 4);
|
||||
i = sizeof(struct tcpiphdr) / sizeof(long);
|
||||
i = sizeof(struct tcpiphdr) / sizeof(long);
|
||||
|
||||
if ((ti->ti_flags == TH_SYN) && !ip->ip_off &&
|
||||
(lbuf[i] != htonl(0x020405b4))) {
|
||||
lbuf[i] = htonl(0x020405b4);
|
||||
bcopy((char *)(lbuf + i), (char*)ip + ntohs(ip->ip_len),
|
||||
sizeof(u_long));
|
||||
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
|
||||
iplen - thlen - hlen);
|
||||
thlen += 4;
|
||||
}
|
||||
if (!ti->ti_off)
|
||||
ti->ti_off = thlen >> 2;
|
||||
ti->ti_off = thlen >> 2;
|
||||
ti->ti_len = htons(thlen);
|
||||
ip->ip_len = (ip->ip_hl << 2) + thlen;
|
||||
ip->ip_len = hlen + thlen;
|
||||
ti->ti_sum = 0;
|
||||
ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
|
||||
|
||||
bcopy((char *)&ti->ti_sport,
|
||||
(char *)ip + (ip->ip_hl << 2), thlen);
|
||||
bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen);
|
||||
return send_ip(nfd, mtu, ip, gwip, 1);
|
||||
}
|
||||
|
||||
|
@ -12,7 +12,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8 1997/10/12 09:48:39 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8.2.1 1997/11/28 03:36:18 darrenr Exp $";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
@ -146,7 +146,7 @@ char **argv;
|
||||
usage(name);
|
||||
}
|
||||
|
||||
if (argc - optind < 2 && !tests)
|
||||
if ((argc <= optind) || !argv[optind])
|
||||
usage(name);
|
||||
dst = argv[optind++];
|
||||
|
||||
@ -209,6 +209,13 @@ char **argv;
|
||||
ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
break;
|
||||
default :
|
||||
ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13 1997/10/23 11:42:45 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
@ -892,6 +892,7 @@ int ptest;
|
||||
t->th_sum = 0;
|
||||
t->th_seq = 1;
|
||||
t->th_ack = 0;
|
||||
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
|
||||
nfd = initdevice(dev, t->th_sport, 1);
|
||||
|
||||
if (!ptest || (ptest == 1)) {
|
||||
@ -1021,9 +1022,10 @@ int ptest;
|
||||
PAUSE();
|
||||
}
|
||||
|
||||
#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi)
|
||||
#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \
|
||||
!defined(__sgi)
|
||||
{
|
||||
struct tcpcb *t, tcb;
|
||||
struct tcpcb *tcbp, tcb;
|
||||
struct tcpiphdr ti;
|
||||
struct sockaddr_in sin;
|
||||
int fd, slen;
|
||||
@ -1032,10 +1034,13 @@ int ptest;
|
||||
|
||||
for (i = 1; i < 63; i++) {
|
||||
fd = socket(AF_INET, SOCK_STREAM, 0);
|
||||
bzero((char *)&sin, sizeof(sin));
|
||||
sin.sin_addr.s_addr = ip->ip_dst.s_addr;
|
||||
sin.sin_port = htons(i);
|
||||
sin.sin_family = AF_INET;
|
||||
if (!connect(fd, (struct sockaddr *)&sin, sizeof(sin)))
|
||||
break;
|
||||
close(fd);
|
||||
}
|
||||
|
||||
if (i == 63) {
|
||||
@ -1046,15 +1051,15 @@ int ptest;
|
||||
}
|
||||
|
||||
bcopy((char *)ip, (char *)&ti, sizeof(*ip));
|
||||
ti.ti_dport = i;
|
||||
t->th_dport = htons(i);
|
||||
slen = sizeof(sin);
|
||||
if (!getsockname(fd, (struct sockaddr *)&sin, &slen))
|
||||
ti.ti_sport = sin.sin_port;
|
||||
if (!(t = find_tcp(fd, &ti))) {
|
||||
t->th_sport = sin.sin_port;
|
||||
if (!(tcbp = find_tcp(fd, &ti))) {
|
||||
printf("Can't find PCB\n");
|
||||
goto skip_five_and_six;
|
||||
}
|
||||
KMCPY(&tcb, t, sizeof(tcb));
|
||||
KMCPY(&tcb, tcbp, sizeof(tcb));
|
||||
ti.ti_win = tcb.rcv_adv;
|
||||
ti.ti_seq = tcb.snd_nxt - 1;
|
||||
ti.ti_ack = tcb.rcv_nxt;
|
||||
@ -1063,27 +1068,36 @@ int ptest;
|
||||
/*
|
||||
* Test 5: urp
|
||||
*/
|
||||
printf("5.1 TCP Urgent pointer\n");
|
||||
ti.ti_urp = 1;
|
||||
t->th_flags = TH_ACK|TH_URG;
|
||||
printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n",
|
||||
ntohs(t->th_sport), ntohs(t->th_dport));
|
||||
t->th_urp = htons(1);
|
||||
(void) send_tcp(nfd, mtu, ip, gwip);
|
||||
PAUSE();
|
||||
ti.ti_urp = 0x7fff;
|
||||
|
||||
t->th_seq = tcb.snd_nxt;
|
||||
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1;
|
||||
t->th_urp = htons(0x7fff);
|
||||
(void) send_tcp(nfd, mtu, ip, gwip);
|
||||
PAUSE();
|
||||
ti.ti_urp = 0x8000;
|
||||
t->th_urp = htons(0x8000);
|
||||
(void) send_tcp(nfd, mtu, ip, gwip);
|
||||
PAUSE();
|
||||
ti.ti_urp = 0xffff;
|
||||
t->th_urp = htons(0xffff);
|
||||
(void) send_tcp(nfd, mtu, ip, gwip);
|
||||
PAUSE();
|
||||
t->th_urp = htons(0);
|
||||
t->th_flags &= ~TH_URG;
|
||||
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
|
||||
}
|
||||
|
||||
if (!ptest || (ptest == 6)) {
|
||||
/*
|
||||
* Test 6: data offset, off = 0, off is inside, off is outside
|
||||
*/
|
||||
printf("6.1 TCP off = 0-15, len = 40\n");
|
||||
for (i = 0; i < 16; i++) {
|
||||
t->th_flags = TH_ACK;
|
||||
printf("5.6.1 TCP off = 1-15, len = 40\n");
|
||||
for (i = 1; i < 16; i++) {
|
||||
ti.ti_off = ntohs(i);
|
||||
(void) send_tcp(nfd, mtu, ip, gwip);
|
||||
printf("%d\r", i);
|
||||
@ -1091,6 +1105,7 @@ int ptest;
|
||||
PAUSE();
|
||||
}
|
||||
putchar('\n');
|
||||
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
|
||||
}
|
||||
|
||||
(void) close(fd);
|
||||
@ -1099,9 +1114,9 @@ skip_five_and_six:
|
||||
#endif
|
||||
t->th_seq = 1;
|
||||
t->th_ack = 1;
|
||||
t->th_off = 0;
|
||||
|
||||
if (!ptest || (ptest == 7)) {
|
||||
t->th_off = 0;
|
||||
t->th_flags = TH_SYN;
|
||||
/*
|
||||
* Test 7: sport = 0, sport = 1, sport = 32767
|
||||
@ -1140,6 +1155,7 @@ skip_five_and_six:
|
||||
|
||||
if (!ptest || (ptest == 8)) {
|
||||
t->th_sport = 1;
|
||||
t->th_flags = TH_SYN;
|
||||
/*
|
||||
* Test 8: dport = 0, dport = 1, dport = 32767
|
||||
* dport = 32768, dport = 65535
|
||||
@ -1174,6 +1190,20 @@ skip_five_and_six:
|
||||
fflush(stdout);
|
||||
PAUSE();
|
||||
}
|
||||
|
||||
/* LAND attack - self connect, so make src & dst ip/port the same */
|
||||
if (!ptest || (ptest == 9)) {
|
||||
printf("5.9 TCP LAND attack. sport = 25, dport = 25\n");
|
||||
/* chose SMTP port 25 */
|
||||
t->th_sport = htons(25);
|
||||
t->th_dport = htons(25);
|
||||
t->th_flags = TH_SYN;
|
||||
ip->ip_src = ip->ip_dst;
|
||||
(void) send_tcp(nfd, mtu, ip, gwip);
|
||||
fflush(stdout);
|
||||
PAUSE();
|
||||
}
|
||||
|
||||
/* TCP options header checking */
|
||||
/* 0 length options, etc */
|
||||
}
|
||||
@ -1208,6 +1238,9 @@ int ptest;
|
||||
u->uh_dport = htons(u->uh_dport);
|
||||
u->uh_ulen = 7168;
|
||||
|
||||
printf("6. Exhaustive mbuf test.\n");
|
||||
printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n");
|
||||
printf(" Total of around 8,900 packets\n");
|
||||
for (i = 0; i < 128; i++) {
|
||||
/*
|
||||
* First send the entire packet in 768 byte chunks.
|
||||
|
@ -7,7 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9 1997/09/28 07:13:37 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
@ -253,7 +253,7 @@ static struct kinfo_proc *getproc()
|
||||
mib[2] = KERN_PROC_PID;
|
||||
mib[3] = pid;
|
||||
|
||||
n = 1;
|
||||
n = sizeof(kp);
|
||||
if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1)
|
||||
{
|
||||
perror("sysctl");
|
||||
|
@ -201,4 +201,4 @@ struct filterstats {
|
||||
};
|
||||
.fi
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipf(1), ipf(5)
|
||||
ipfstat(8), ipf(8), ipf(5)
|
||||
|
@ -481,4 +481,4 @@ qualifies all service/port names with the protocol specified.
|
||||
.br
|
||||
/etc/hosts
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipftest(1), mkfilters(1)
|
||||
ipf(8), ipftest(1), mkfilters(1), ipmon(8)
|
||||
|
@ -10,7 +10,7 @@ ipf \- alters packet filtering lists for IP packet input and output
|
||||
<block|pass|nomatch>
|
||||
] [
|
||||
.B \-F
|
||||
<i|o|a>
|
||||
<i|o|a|s|S>
|
||||
]
|
||||
.B \-f
|
||||
<\fIfilename\fP>
|
||||
@ -43,13 +43,21 @@ Disable the filter (if enabled). Not effective for loadable kernel versions.
|
||||
.B \-E
|
||||
Enable the filter (if disabled). Not effective for loadable kernel versions.
|
||||
.TP
|
||||
.BR \-F \0<param>
|
||||
.BR \-F \0<i|o|a>
|
||||
This option specifies which filter list to flush. The parameter should
|
||||
either be "i" (input), "o" (output) or "a" (remove all filter rules).
|
||||
Either a single letter or an entire word starting with the appropriate
|
||||
letter maybe used. This option maybe before, or after, any other with
|
||||
the order on the command line being that used to execute options.
|
||||
.TP
|
||||
.BR \-F \0<s|S>
|
||||
To flush entries from the state table, the \fB-F\fP option is used in
|
||||
conjuction with either "s" (removes state information about any non-fully
|
||||
established connections) or "S" (deletes the entire state table). Only
|
||||
one of the two options may be given. A fully established connection
|
||||
will show up in \fBipfstat -s\fP output as 4/4, with deviations either
|
||||
way indicating it is not fully established any more.
|
||||
.TP
|
||||
.BR \-f \0<filename>
|
||||
This option specifies which files
|
||||
\fBipf\fP should use to get input from for modifying the packet filter rule
|
||||
@ -99,7 +107,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't
|
||||
affect fragment or state statistics).
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
|
||||
ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
|
||||
.SH DIAGNOSTICS
|
||||
.PP
|
||||
Needs to be run as root for the packet filtering lists to actually
|
||||
|
@ -4,4 +4,4 @@ IP FIlter
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
|
||||
ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
|
||||
|
@ -71,6 +71,6 @@ kernel.
|
||||
.br
|
||||
/vmunix
|
||||
.SH SEE ALSO
|
||||
ipf(1)
|
||||
ipf(8)
|
||||
.SH BUGS
|
||||
none known.
|
||||
|
@ -121,7 +121,7 @@ Specify the filename from which to take input. Default is stdin.
|
||||
Specify the filename from which to read filter rules.
|
||||
.SH FILES
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
|
||||
ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
|
||||
.SH BUGS
|
||||
Not all of the input formats are sufficiently capable of introducing a
|
||||
wide enough variety of packets for them to be all useful in testing.
|
||||
|
@ -4,7 +4,15 @@ ipmon \- monitors /dev/ipl for logged packets
|
||||
.SH SYNOPSIS
|
||||
.B ipmon
|
||||
[
|
||||
.B \-aFhnNsStvxX
|
||||
.B \-aFhnstvxX
|
||||
] [
|
||||
.B "\-o [NSI]"
|
||||
] [
|
||||
.B "\-O [NSI]"
|
||||
] [
|
||||
.B "\-N <device>"
|
||||
] [
|
||||
.B "\-S <device>"
|
||||
] [
|
||||
.B "\-f <device>"
|
||||
] [
|
||||
@ -27,22 +35,40 @@ Open all of the device logfiles for reading log entries from. All entries
|
||||
are displayed to the same output 'device' (stderr or syslog).
|
||||
.TP
|
||||
.B "\-f <device>"
|
||||
specify an alternative device/file from which to read the log information.
|
||||
specify an alternative device/file from which to read the log information
|
||||
for normal IP Filter log records.
|
||||
.TP
|
||||
.B \-F
|
||||
Flush the current packet log buffer. The number of bytes flushed is displayed,
|
||||
even should the result be zero.
|
||||
.TP
|
||||
.B "\-N <device>"
|
||||
Set the logfile to be opened for reading NAT log records from to <device>.
|
||||
.TP
|
||||
.B \-n
|
||||
IP addresses and port numbers will be mapped, where possible, back into
|
||||
hostnames and service names.
|
||||
.TP
|
||||
.B \-N
|
||||
Treat the logfile as being composed of NAT log records.
|
||||
.B "\-N <device>"
|
||||
Set the logfile to be opened for reading NAT log records from to <device>.
|
||||
.TP
|
||||
.B \-o
|
||||
Specify which log files to actually read data from. N - NAT logfile,
|
||||
S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is
|
||||
equivalent to using \fB-o NSI\fP.
|
||||
.TP
|
||||
.B \-O
|
||||
Specify which log files you do not wish to read from. This is most sensibly
|
||||
used with the \fB-a\fP. Letters available as paramters to this are the same
|
||||
as for \fB-o\fP.
|
||||
.TP
|
||||
.B \-s
|
||||
Packet information read in will be sent through syslogd rather than
|
||||
saved to a file. The following levels are used:
|
||||
.TP
|
||||
.B "\-S <device>"
|
||||
Set the logfile to be opened for reading state log records from to <device>.
|
||||
.TP
|
||||
.IP
|
||||
.B LOG_INFO
|
||||
\- packets logged using the "log" keyword as the action rather
|
||||
@ -76,5 +102,5 @@ recorded data.
|
||||
.SH FILES
|
||||
/dev/ipl
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipfstat(1)
|
||||
ipf(8), ipfstat(8)
|
||||
.SH BUGS
|
||||
|
@ -42,4 +42,4 @@ Remove matching NAT rules rather than add them to the internal lists
|
||||
Turn verbose mode on. Displays information relating to rule processing.
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipftest(1), ipf(1), ipnat(5)
|
||||
ipfstat(1), ipftest(8), ipf(8), ipnat(5)
|
||||
|
@ -88,4 +88,4 @@ typedef struct natstat {
|
||||
It would be nice if there were more flexibility when adding and deleting
|
||||
filter rules.
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipf(1), ipf(4), ipnat(5)
|
||||
ipfstat(8), ipf(8), ipf(4), ipnat(5)
|
||||
|
@ -9,5 +9,4 @@ mkfilters \- generate a minimal firewall ruleset for ipfilter
|
||||
use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipf(5), ipfilter(5), ifconfig(8)
|
||||
|
||||
ipf(8), ipf(5), ipfilter(5), ifconfig(8)
|
||||
|
@ -135,6 +135,10 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
|
||||
&fr_defaultauthage, 0, "");
|
||||
#endif
|
||||
|
||||
#ifdef DEVFS
|
||||
void *ipf_devfs[IPL_LOGMAX + 1];
|
||||
#endif
|
||||
|
||||
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
|
||||
int ipl_major = 0;
|
||||
|
||||
@ -156,6 +160,7 @@ static struct cdevsw ipl_cdevsw = {
|
||||
|
||||
|
||||
static int iplaction __P((struct lkm_table *, int));
|
||||
static void ipl_drvinit __P((void *));
|
||||
|
||||
|
||||
static int iplaction(lkmtp, cmd)
|
||||
@ -188,13 +193,27 @@ int cmd;
|
||||
args->lkm_offset = i; /* slot in cdevsw[] */
|
||||
#endif
|
||||
printf("IP Filter: loaded into slot %d\n", ipl_major);
|
||||
return if_ipl_load(lkmtp, cmd);
|
||||
err = if_ipl_load(lkmtp, cmd);
|
||||
if (!err)
|
||||
ipl_drvinit((void *)NULL);
|
||||
return err;
|
||||
break;
|
||||
case LKM_E_UNLOAD :
|
||||
err = if_ipl_unload(lkmtp, cmd);
|
||||
if (!err)
|
||||
if (!err) {
|
||||
printf("IP Filter: unloaded from slot %d\n",
|
||||
ipl_major);
|
||||
# ifdef DEVFS
|
||||
if (ipf_devfs[IPL_LOGIPF])
|
||||
devfs_remove_dev(ipf_devfs[IPL_LOGIPF]);
|
||||
if (ipf_devfs[IPL_LOGNAT])
|
||||
devfs_remove_dev(ipf_devfs[IPL_LOGNAT]);
|
||||
if (ipf_devfs[IPL_LOGSTATE])
|
||||
devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]);
|
||||
if (ipf_devfs[IPL_LOGAUTH])
|
||||
devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]);
|
||||
# endif
|
||||
}
|
||||
return err;
|
||||
case LKM_E_STAT :
|
||||
break;
|
||||
@ -326,42 +345,37 @@ int cmd, ver;
|
||||
{
|
||||
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
|
||||
}
|
||||
# else
|
||||
|
||||
#ifdef DEVFS
|
||||
static void *ipf_devfs_token[IPL_LOGMAX + 1];
|
||||
#endif
|
||||
# endif
|
||||
static ipl_devsw_installed = 0;
|
||||
|
||||
static void ipl_drvinit __P((void *unused))
|
||||
{
|
||||
dev_t dev;
|
||||
#ifdef DEVFS
|
||||
void **tp = ipf_devfs_token;
|
||||
#endif
|
||||
# ifdef DEVFS
|
||||
void **tp = ipf_devfs;
|
||||
# endif
|
||||
|
||||
if (!ipl_devsw_installed ) {
|
||||
dev = makedev(CDEV_MAJOR, 0);
|
||||
cdevsw_add(&dev, &ipl_cdevsw, NULL);
|
||||
ipl_devsw_installed = 1;
|
||||
|
||||
#ifdef DEVFS
|
||||
# ifdef DEVFS
|
||||
tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
|
||||
DV_CHR, 0, 0, 0600,
|
||||
"ipf", IPL_LOGIPF);
|
||||
DV_CHR, 0, 0, 0600, "ipf");
|
||||
tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
|
||||
DV_CHR, 0, 0, 0600,
|
||||
"ipnat", IPL_LOGNAT);
|
||||
DV_CHR, 0, 0, 0600, "ipnat");
|
||||
tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
|
||||
DV_CHR, 0, 0, 0600,
|
||||
"ipstate", IPL_LOGSTATE);
|
||||
"ipstate");
|
||||
tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH,
|
||||
DV_CHR, 0, 0, 0600,
|
||||
"ipstate", IPL_LOGAUTH);
|
||||
#endif
|
||||
DV_CHR, 0, 0, 0600,
|
||||
"ipauth");
|
||||
# endif
|
||||
}
|
||||
}
|
||||
|
||||
# ifdef IPFILTER_LKM
|
||||
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
|
||||
# endif /* IPFILTER_LKM */
|
||||
#endif /* _FreeBSD_version */
|
||||
|
@ -35,7 +35,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18 1997/10/19 15:39:29 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern struct ipopt_names ionames[], secclass[];
|
||||
@ -475,7 +475,8 @@ char *line;
|
||||
/*
|
||||
* lazy users...
|
||||
*/
|
||||
if (!fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
|
||||
if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) &&
|
||||
(fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
|
||||
(void)fprintf(stderr,
|
||||
"no protocol given for TCP/UDP comparisons\n");
|
||||
return NULL;
|
||||
@ -541,7 +542,7 @@ u_char *cp;
|
||||
/*
|
||||
* is it possibly hostname/num ?
|
||||
*/
|
||||
if ((s = index(**seg, '/'))) {
|
||||
if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) {
|
||||
*s++ = '\0';
|
||||
if (!isdigit(*s))
|
||||
return -1;
|
||||
|
@ -1,4 +1,4 @@
|
||||
#
|
||||
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
|
||||
#
|
||||
block out on le0 proto tcp from any to bar/32 port != 23
|
||||
block out on le0 proto tcp from any to bar/32 port = 23
|
||||
|
@ -97,7 +97,7 @@ char *argv[];
|
||||
* Log it
|
||||
*/
|
||||
syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d",
|
||||
inet_ntoa(natlook.nl_realip), natlook.nl_realport);
|
||||
inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
|
||||
printf("connect to %s,%d\n",
|
||||
inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
|
||||
#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.1 1997/11/08 04:55:57 darrenr Exp $";
|
||||
#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $";
|
||||
|
||||
#include <sys/systm.h>
|
||||
#include <sys/types.h>
|
||||
@ -525,7 +525,7 @@ tryagain:
|
||||
ip->ip_off = htons(__ipoff);
|
||||
}
|
||||
#endif
|
||||
if (err == 1) {
|
||||
if (err == -2) {
|
||||
if (*mp && (ip == (ip_t *)lbuf)) {
|
||||
copyin_mblk(m, 0, len, (char *)lbuf);
|
||||
frstats[out].fr_pull[1]++;
|
||||
|
@ -23,3 +23,14 @@ done
|
||||
* allow multiple ip addresses in a source route list for ipsend
|
||||
|
||||
* complete Linux port to implement all the IP Filter features
|
||||
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
|
||||
|
||||
* add switches to ipmon for better selective control over which logs are
|
||||
read/not read
|
||||
done
|
||||
|
||||
* add a flag to automate src spoofing
|
||||
|
||||
* ipfsync() should change IP#'s in current mappings as well as what's
|
||||
in rules.
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user