Import ipfilter 3.2.3

Peter Wemm 1998-03-21 10:04:55 +00:00
parent af5dd3181a
commit f4b66beedb
47 changed files with 820 additions and 362 deletions

@ -32,7 +32,7 @@
__P((int, struct ip_moptions **, struct mbuf *));
***************
*** 338,343 ****
--- 342,358 ----
--- 342,356 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
@ -40,9 +40,7 @@
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
+ error = EHOSTUNREACH;
+ if (error || !m1)
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
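Review bot: the collapsed `if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) goto done;` drops the hard-coded EHOSTUNREACH, so every blocking path inside fr_check must now return a non-zero errno or the packet falls through to ip_output as though it passed; the fil.c hunk in this import that initialises `error = EHOSTUNREACH` covers that, but a comment here stating the contract would help. Also, when the filter returns 0 with `m1 == NULL` (packet consumed, e.g. by fastroute or dup-to) the jump to `done:` must not touch `m` again, since the chain has been freed or handed off; that ownership rule deserves a one-line comment too.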

@ -5,6 +5,49 @@
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
3.2.3 10/11/97 - Released
fix some iplang bugs
fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher
fixup DEVFS usage for FreeBSD
fix sunos5 "make clean" cleaning up too much
3.2.2 28/11/97 - Released
change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.
allow ip:netmask in grammar too now - Guido
assume IRIX has u_int32_t in sys/types.h (needed for R10000)
rewrite parts of command line options for ipmon
fix TCP urgent packet & offset testing and add LAND attack test for iptest
fix grammar error in yacc grammar for iplang
redirect (rdr) destination port bytes-wapped when it shouldn't be.
general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).
linux: enable return-rst, need to filter tcp retransmits which are sent
separately from normal packets
memory leak plugged in ip_proxy.c
BSDI compatibility patches from Guido
tcp checksum fix - Marc Boucher
recursive mutex and ioctl param fix - Marc Boucher
3.2.1 12/11/97 - Released
port to BSD/OS 3.0
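Review bot: the release date on the new `3.2.3 10/11/97 - Released` line is earlier than both `3.2.2 28/11/97` and `3.2.1 12/11/97` listed below it, and the RCS Ids elsewhere in this import run up to 1997/12/10, so the date looks like a typo (probably 10/12/97). Also `bytes-wapped` in the 3.2.2 rdr entry should read `byte-swapped`.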

@ -36,6 +36,11 @@ otherwise not have been (due to the ports not). This behaviour has
subsequently been fixed.
3)
If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.
Darren
darrenr@cyber.com.au
****************************************

@ -0,0 +1,44 @@
BSD/OS 3.x users.
-----------------
First, you will need to either:
(a) have a source license for the kernel so you can patch some files or
(b) obtain the relevant pre-compiled .o files (I can't supply these yet).
The files which you will need patched are:
ip_input.c, ip_output.c (maybe in_proto.c and ioconf.c.i386 too - NOT sure).
First, you need to build IP Filter. Do this from the "ip_fil3.2.x"
directory with the command "make bsdos". If this completes successfully,
install the various bits and pieces with "make install-bsd".
Prior to starting, it is a good idea for you to know what your kernel config
file is (it appears that the script guesses incorrectly at present).
Once you have that in mind, run the 'kinstall' script in the BSDOS3
directory. This will attempt to patch a bunch of files. If you've
obtained the relevant .o files, ignore the errors, otherwise please
report them to me and mention which version of BSD/OS you are using
and on what platform (Sparc, i386, etc). It will also go and install
all the IP Filter .c and .h files where they can be find when it comes
time to build the kernel.
The script will then pause and ask you for your kernel configuration
file. After you enter this, it will add "options IPFILTER" to your
kernel configuration file. IF YOU WANT TO DO LOGGING, ADD
"options IPFILTER_LOG" to your kernel configuration file NOW!
Now that you've got your kernel configuration file done, use config
to setup a new kernel build and complete with make.
When the kernel rebuilt is complete, put it into / and reboot with
your new kernel. If IP Filter has been configured into your kernel
correctly, you will see a message like this when your system boots:
IP Filter: initialized. Default = pass all, Logging = enabled
Upon logging in, the IP Filter commands ipfstat, et al, should all
function properly.
Darren
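Review bot: the boot message quoted here, `Default = pass all`, means a freshly installed kernel filters nothing until a rule set is loaded, and the README stops at "ipfstat, et al, should all function properly" without saying where the rules live or how they are loaded at boot; a line naming the rules file and the load command would close that gap. Minor wording: "can be find" should be "can be found" and "kernel rebuilt is complete" should be "kernel rebuild is complete".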

@ -0,0 +1,108 @@
IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3
as well. Under IRIX 5.3, it has been successfully compiled and linked in the
kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported.
To build a kernel with the IP filter and install it on your system,
follow these steps:
1. edit the top-level Makefile to
a) comment-out the IPFLKM definition.
This means changing the line reading:
IPFLKM=-DIPFILTER_LKM
to
#IPFLKM=-DIPFILTER_LKM
b) select the system's compiler (cc)
This means changing the line reading:
CC=gcc
to
CC=cc
b) enable full optimization
This means changing the lines reading:
DEBUG=-g
CFLAGS=-I$$(TOP)
to
DEBUG=
CFLAGS=-O2 -I$$(TOP)
1. do "make irix" (Warning: GNU make is not supported, so if it has
been installed on your system, verify your path and/or do "which make"
to guarantee that IRIX's /sbin/make has precedence)
2. do "make install-irix" as root
(a new kernel will be automatically built)
3. determine the filtering rules and place them in /etc/ipf.conf
and /etc/ipnat.conf
4. do "init 6" as root to reboot with the new kernel
After restarting, the filter should be active and behaving according to
the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf.
These files can be changed at any time, and reloaded using the
following command sequence:
# sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start
To remove the IP Filter from your kernel, follow these steps:
1. Delete the /var/sysgen/boot/ipfilter.o file
# rm /var/sysgen/boot/ipfilter.o
2. If SGI's ipfilter.o had been previously installed, restore it
back to its original location
# mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o
3. Build a new kernel
# /etc/autoconfig
4. Delete the /etc/rc2.d/S33ipf symbolic link
# rm /etc/rc2.d/S33ipf
5. Reboot
# init 6
ADDITIONAL NOTES:
- The IP filter uses the same kernel interface to the IP driver as
SGI's ipfilter. In fact, it is installed in place of SGI's
/var/sysgen/boot/ipfilter.o module, after renaming it (if installed)
to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's
ipfilterd daemon is not running simultaneously, since this package uses
the same major device number.
- We have not tested IP Filter on a multiprocessor machine yet.
However, feel free to try it and send your experiences/patches
back to marc@CAM.ORG. SGI prescribes that kernel code be built on such
systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should
probably be uncommented on the DFLAGS line of IRIX/Makefile if your
machine has more than one processor.
- It is also possible to build IP Filter as a dynamically loadable
kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the
top-level Makefile), but this is not recommended other than for testing
and debugging purposes, because the only possible method for dynamic
attachment to the IP stack (instruction patching) is highly dependent
on the processor architecture. The code provided has only been tested
with IP22 CPU boards and can sometime cause panics during loading due
to a potential race condition.
CREDITS:
IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG>
Marc Boucher wishes to thank the
ICARI Institute (http://www.icari.qc.ca)
and
Aurelio Cascio <aurelio@toonboom.com>
for their financial support and testing facilities, respectively.
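Review bot: the step numbering in the build procedure is broken: there are two steps labelled `1.` ("edit the top-level Makefile" and "do "make irix"") and the Makefile sub-items run a), b), b); renumber to 1-5 and a)-c). The NAT rules file is `/etc/ipnat.conf` in step 3 but `/etc/ipfnat.conf` in the paragraph after step 4; one of them is wrong and should match what the init script actually reads.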

@ -0,0 +1,49 @@
IP-Filter on Linux 2.0.31
-------------------------
NOTE: I have *ONLY* compiled and created patches for using IP Filter on
Linux 2.0.31. Any other kernel revision may need seprate patches.
Also, I've only tested on a x86 CPU so I can't make any guarantees
about it working on Sparc/Mac/Amiga.
First, you should do a sanity check of your system to make sure it will
compile IP Filter. You will need a "libfl" and a "libelf". If you don't
have these, install them before proceeding.
The installation and compiliation process assumes that Linux 2.0.31
will be in the /usr/src/linux directory and that all the symbolic links
in /usr/include match. /usr/src/linux may be a symbolic link too, but
it must point to a 2.0.31 kernel source tree.
The first step is to make the IP Filter binaries. Do this with a
"make linux" from the ip_fil3.2.x directory. If this completes with
no errors, install IP Filter with a "make install-linux".
Now that the user part of it is complete, it is time to work on the
kernel. To start this off, run "Linux/kinstall". This will patch your
kernel source code and configuration files so you can enabled IP Filter.
You must now go to /usr/src/linux and configure your kernel using one of
the available interfaces to enable IP Filter. IP Filter will be presented
as a three way choice "y/m/n" - select "m" to enable it. Save your kernel
configuration file, rebuild, install and reboot with the new kernel.
When you've rebooted with the new kernel, you should be able to load
IP Filter with the command "insmod if_ipl". All going will, you will
see a message like this on your console:
IP Filter: initialized. Default = pass all, Logging = enabled
indicating that IP Filter has successfully been loaded into the kernel
and is awaiting.
Darren
Features Not Available on Linux, yet:
- compiled into the kernel
"<action> in on <if> to <if> ..."
"<action> in on <if> dup-to <if> ..."
"<action> in on <if> fastroute ..."
"block return-rst ..."
"map ... proxy ..." (Linux's masquerading is better at present)
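Review bot: the "Features Not Available on Linux, yet" list still includes `"block return-rst ..."`, but this same import makes `send_reset()` in ip_lfil.c live (the `#if notyet` guard is removed) and HISTORY records "linux: enable return-rst"; either drop the entry or state what still does not work. Typos to fix in the same pass: "seprate", "compiliation", "so you can enabled" (enable), "All going will" (well), and "is awaiting" is missing its object.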

@ -36,12 +36,17 @@ To build a kernel with the IP filter, follow these steps:
run "NetBSD/kinstall" as root
3(b) NetBSD 1.2 systems or later:
run "NetBSD-1.2/kinstall" as root
3(c) If conf.c fails on the 2nd hunk of the patch, you will have to
manually apply the patch.
4. build a new kernel
5. create /dev/ipl with "mknod /dev/ipl c 59 0".
(for NetBSD-1.2, use "mknod /dev/ipl c 49 0")
** NOTE: both the numbers 49 and 59 should be substituted with
whatever number you inserted it into conf.c as.
6. install and reboot with the new kernel
Darren Reed

@ -6,14 +6,14 @@ Type "make solaris" to build all the required binaries.
Once IP Filter has been successfully compiled, you may then install it using
the usual package method (using pkgadd), however, the package needs to be
created, prior to pkgadd'ing. To create the package in /var/spoo/pkg, change
created, prior to pkgadd'ing. To create the package in /var/spool/pkg, change
directory to SunOS5 and enter the following command:
make package
If you wish to then install it using `pkgadd', run the following command:
pkgadd -s '/var/spool/pkg'
This will build the package into SunOS5/<arch>/root, copy that to
/var/spool/pkg as a package and then start the installation using
pkgadd.
As part of the postinstall script, it will install loadable kernel module
as part of Solaris 2 (using add_drv) making it available for immeadiate use.
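Review bot: the `/var/spoo/pkg` to `/var/spool/pkg` correction is right; `immeadiate` on the last line is the same kind of typo and should be fixed in the same hunk.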

@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
# $Id: Makefile,v 2.0.2.26.2.1 1997/11/12 10:40:21 darrenr Exp $
# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -13,6 +13,7 @@ MANDIR=/usr/local/man
#To test prototyping
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
CC=gcc
#CC=cc -Dconst=
DEBUG=-g
CFLAGS=-I$$(TOP)
CPU=`uname -m`
@ -65,6 +66,7 @@ all:
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@echo "linux - compile for Linux 2.0.31+"
@echo ""
tests:
@ -118,8 +120,8 @@ bsd: include
bsdi bsdos: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..)
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"

contrib/ipfilter/buildlinux Executable file

@ -0,0 +1,16 @@
#!/bin/sh
LINUX=`uname -r | perl -e '$_=<>;@F=split(/\./);printf "%02d%02d\n",$F[0],$F[1];';`
case ${LINUX} in
0200)
make linuxrev "LINUXK=-DLINUX=${LINUX}"
;;
0201)
make linuxrev "LINUXK=-DLINUX=${LINUX}"
;;
*)
echo "invalid linux version $LINUX"
exit 1;
;;
esac
exit 0
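Review bot: the final `exit 0` discards the exit status of `make linuxrev`, so a failed build still reports success to whoever invoked buildlinux; drop the trailing `exit 0` or use `exit $?` after the case. The `0200` and `0201` arms are identical and can be merged as `0200|0201)`. The version key is built from only the first two components of `uname -r`, so any 2.0.x kernel is accepted even though the Linux README in this import says the patches were prepared for 2.0.31 only; a comment stating that this is deliberate (or a check on the third component) would avoid surprises.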

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $";
#endif
#include <sys/errno.h>
@ -73,7 +73,7 @@ extern int opts;
second; }
# define FR_VERBOSE(verb_pr) verbose verb_pr
# define FR_DEBUG(verb_pr) debug verb_pr
# define SEND_RESET(ip, qif, if) send_reset(ip, if)
# define SEND_RESET(ip, qif, if, m) send_reset(ip, if)
# define IPLLOG(a, c, d, e) ipllog()
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
# if SOLARIS
@ -98,7 +98,12 @@ extern kmutex_t ipf_mutex, ipf_auth;
icmp_error(ip, t, c, if, src)
# else /* SOLARIS */
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
# define SEND_RESET(ip, qif, if) send_reset((struct tcpiphdr *)ip)
# ifdef linux
# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\
ifp)
# else
# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip)
# endif
# ifdef __sgi
# define ICMP_ERROR(b, ip, t, c, if, src) \
icmp_error(b, t, c, if, src, if)
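Review bot: the non-kernel `SEND_RESET` macro in the previous hunk now takes four parameters (`ip, qif, if, m`) while the kernel-side definitions here, both the `linux` and the `#else` branch, still take three (`ip, qif, if`); unless the call site is itself split under `#ifdef _KERNEL`, one of the two builds will fail with an argument-count error. Please align the arities (or show the call site) so a single invocation compiles everywhere.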
@ -553,7 +558,7 @@ int out;
fr_info_t frinfo, *fc;
register fr_info_t *fin = &frinfo;
frentry_t *fr = NULL;
int pass, changed, apass;
int pass, changed, apass, error = EHOSTUNREACH;
#if !SOLARIS || !defined(_KERNEL)
register mb_t *m = *mp;
#endif
@ -767,10 +772,11 @@ logit:
# else
# ifndef linux
mc = m_copy(m, 0, M_COPYALL);
# else
;
# endif
# endif
#endif
if (pass & FR_PASS)
frstats[out].fr_pass++;
else if (pass & FR_BLOCK) {
@ -811,6 +817,9 @@ logit:
frstats[1].fr_ret++;
}
#endif
} else {
if (pass & FR_RETRST)
error = ECONNRESET;
}
}
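Review bot: `error = ECONNRESET` is assigned only in this `else` branch, after the `#endif` that closes the in-kernel reset-sending block; per HISTORY this is the "attempt to make ECONNRESET work for locally outbound packets". A comment stating which direction and build this branch serves would save the next reader from re-deriving it, and it is worth confirming that the path where the RST is actually sent does not also need the errno for its caller.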
@ -842,8 +851,8 @@ logit:
m_copyback(m, 0, up, hbuf);
# endif
# endif /* !linux */
return (pass & FR_PASS) ? 0 : -1;
# else /* !SOLARIS */
return (pass & FR_PASS) ? 0 : error;
# else /* !SOLARIS */
if (fr) {
frdest_t *fdp = &fr->fr_tif;
@ -855,7 +864,7 @@ logit:
if (mc)
ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
}
return (pass & FR_PASS) ? changed : -1;
return (pass & FR_PASS) ? changed : error;
# endif /* !SOLARIS */
#else /* _KERNEL */
if (pass & FR_NOMATCH)
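Review bot: changing `return (pass & FR_PASS) ? changed : -1;` (and the Solaris variant, `? 0 : -1`) to return `error` turns the block result from -1 into a positive errno such as EHOSTUNREACH or ECONNRESET. Any caller that tests for `== -1` or `< 0`, including Solaris and NetBSD hook code not in this diff, would now treat a blocked packet as passed; please audit every fr_check/fr_checkp caller for a plain non-zero test, as the FreeBSD ip_output.c.diff hunk in this import already does.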
@ -872,6 +881,7 @@ logit:
/*
* ipf_cksum
* addr should be 16bit aligned and len is in bytes.
* length is in bytes
*/
u_short ipf_cksum(addr, len)
register u_short *addr;
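Review bot: the `ipf_cksum` header comment now says both `len is in bytes` and `length is in bytes`; one of the two lines is redundant and should be dropped.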
@ -900,10 +910,11 @@ register int len;
* and the TCP header. We also assume that data blocks aren't allocated in
* odd sizes.
*/
u_short fr_tcpsum(m, ip, tcp)
u_short fr_tcpsum(m, ip, tcp, len)
mb_t *m;
ip_t *ip;
tcphdr_t *tcp;
int len;
{
union {
u_char c[2];
@ -911,7 +922,6 @@ tcphdr_t *tcp;
} bytes;
u_long sum;
u_short *sp;
int len;
# if SOLARIS || defined(__sgi)
int add, hlen;
# endif
@ -926,9 +936,9 @@ tcphdr_t *tcp;
/*
* Add up IP Header portion
*/
len = ip->ip_len - (ip->ip_hl << 2);
bytes.c[0] = 0;
bytes.c[1] = IPPROTO_TCP;
len -= (ip->ip_hl << 2);
sum = bytes.s;
sum += htons((u_short)len);
sp = (u_short *)&ip->ip_src;
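Review bot: `fr_tcpsum` now trusts a caller-supplied `len` and does `len -= (ip->ip_hl << 2)` instead of deriving it from `ip->ip_len`; the callers in this import pass `ip->ip_len` (ip_proxy.c) or `sizeof(tcpiphdr_t)` (ip_lfil.c send_reset), so each must pass the total datagram length in host byte order or the pseudo-header length fed to `htons((u_short)len)` is wrong and every checksum fails. Documenting that contract in the function comment, and rejecting a `len` smaller than the IP header, would make the new parameter safer to use.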
@ -994,13 +1004,13 @@ tcphdr_t *tcp;
goto nodata;
while (len > 0) {
#if SOLARIS
if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
while ((caddr_t)sp >= (caddr_t)m->b_wptr) {
m = m->b_cont;
PANIC((!m),("fr_tcpsum: not enough data"));
sp = (u_short *)m->b_rptr;
}
#else
if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
{
m = m->m_next;
PANIC((!m),("fr_tcpsum: not enough data"));
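Review bot: switching the mbuf-advance from `if` to `while` is the right fix for chains containing zero-length mbufs (with a single `if`, `sp` could end up positioned past the end of an empty mbuf and the sum would read stale bytes); the PANIC on a NULL next mbuf still catches a chain shorter than `len`. A one-line comment naming the zero-length case would stop someone simplifying the loop back to `if` later.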
@ -1009,7 +1019,11 @@ tcphdr_t *tcp;
#endif /* SOLARIS */
if (len < 2)
break;
sum += *sp++;
if((u_long)sp & 1) {
bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
sum += bytes.s;
} else
sum += *sp++;
len -= 2;
}
if (len) {
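Review bot: the new `if((u_long)sp & 1)` branch copies odd-aligned words with `bcopy` before summing, which removes the alignment fault for odd-sized mbufs on strict-alignment CPUs; the function's header comment in the earlier hunk still says "We also assume that data blocks aren't allocated in odd sizes", which is no longer true and should be updated. Style: a space after `if`.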
@ -1059,7 +1073,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* $Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $
* $Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -1258,11 +1272,11 @@ frentry_t *list, **listp;
}
void frflush(unit, data)
void frflush(unit, result)
int unit;
caddr_t data;
int *result;
{
int flags = *(int *)data, flushed = 0, set = fr_active;
int flags = *result, flushed = 0, set = fr_active;
bzero((char *)frcache, sizeof(frcache[0]) * 2);
@ -1286,5 +1300,5 @@ caddr_t data;
}
}
*(int *)data = flushed;
*result = flushed;
}
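Review bot: changing `frflush` to take `int *result` instead of `caddr_t data` is the right direction: previously it read and wrote through `data` directly (`*(int *)data = flushed`), which on platforms where `data` is the raw user-space ioctl argument is an unchecked user-pointer access; the ioctl callers in this import now copy in and out via IRCOPY/IWCOPY. All three callers visible here (ip_fil.c, ip_lfil.c, ip_sfil.c) are updated; please grep for any remaining `frflush(` call that still passes a caddr_t.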

@ -46,7 +46,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.1 1997/11/06 21:21:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $";
#endif
#ifdef _PATH_UNIX
#define VMUNIX _PATH_UNIX
@ -258,7 +258,7 @@ struct friostat *fp;
fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
fp->f_froute[0], fp->f_froute[1]);
PRINTF("TCP cksum fails in:\t%lu\tout%lu\n",
PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
PRINTF("Packet log flags set: (%#x)\n", frf);

@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
* $Id: ip_compat.h,v 2.0.2.31.2.4 1997/11/12 10:48:43 darrenr Exp $
* $Id: ip_compat.h,v 2.0.2.31.2.8 1997/12/02 13:42:52 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@ -50,17 +50,18 @@ struct ether_addr {
};
#endif
#ifdef __sgi
# ifdef IPFILTER_LKM
# define IPL_PRFX ipl
# define IPL_EXTERN(ep) ipl##ep
# else
# define IPL_PRFX ipfilter
#if defined(__sgi) && !defined(IPFILTER_LKM)
# ifdef __STDC__
# define IPL_EXTERN(ep) ipfilter##ep
# else
# define IPL_EXTERN(ep) ipfilter/**/ep
# endif
#else
# define IPL_PRFX ipl
# define IPL_EXTERN(ep) ipl##ep
# ifdef __STDC__
# define IPL_EXTERN(ep) ipl##ep
# else
# define IPL_EXTERN(ep) ipl/**/ep
# endif
#endif
#ifdef linux
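Review bot: `IPL_PRFX` is removed from both branches but nothing in this hunk replaces it; any source file that still uses `IPL_PRFX` will fail to compile, so check for remaining references. The `ipfilter/**/ep` form for non-`__STDC__` compilers relies on the old Reiser-cpp comment-pasting behaviour; that is fine for the IRIX `cc` it targets, but a comment saying so would keep someone from "fixing" it.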
@ -110,7 +111,8 @@ struct ether_addr {
/*
* These operating systems already take care of the problem for us.
*/
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
defined(__sgi)
typedef u_int32_t u_32_t;
#else
/*
@ -689,6 +691,7 @@ typedef struct icmp icmphdr_t;
typedef struct ip ip_t;
typedef struct ether_header ether_header_t;
#endif /* linux */
typedef struct tcpiphdr tcpiphdr_t;
#if defined(hpux) || defined(linux)
struct ether_addr {

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.2 1997/11/12 10:49:25 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -275,7 +275,7 @@ int ipldetach()
fr_checkp = fr_savep;
inetsw[0].pr_slowtimo = fr_saveslowtimo;
frflush(IPL_LOGIPF, (caddr_t)&i);
frflush(IPL_LOGIPF, &i);
ipl_inited = 0;
# ifdef NETBSD_PF
@ -339,7 +339,7 @@ struct proc *p;
)
#endif
dev_t dev;
#if defined(__NetBSD__) || defined(__OpenBSD__)
#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
u_long cmd;
#else
int cmd;
@ -351,7 +351,7 @@ int mode;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
int error = 0, unit = 0;
int error = 0, unit = 0, tmp;
#ifdef _KERNEL
unit = GET_MINOR(dev);
@ -460,8 +460,11 @@ int mode;
case SIOCIPFFL :
if (!(mode & FWRITE))
error = EPERM;
else
frflush(unit, data);
else {
IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
frflush(unit, &tmp);
IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
}
break;
#ifdef IPFILTER_LOG
case SIOCIPFFB :
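Review bot: wrapping `frflush` in `IRCOPY(data, (caddr_t)&tmp, sizeof(tmp))` / `IWCOPY((caddr_t)&tmp, data, sizeof(tmp))` bounds the kernel's access to a single int held in a local, instead of letting frflush read and write through `data` itself; good. The copies discard whatever status IRCOPY/IWCOPY report on platforms where they wrap copyin/copyout; if those can fail, `error` should reflect it, as the other copy-out handlers in this ioctl presumably do.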
@ -786,7 +789,7 @@ struct tcpiphdr *ti;
struct tcpiphdr *tp;
struct tcphdr *tcp;
struct mbuf *m;
int tlen = 0;
int tlen = 0, err;
ip_t *ip;
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
struct route ro;
@ -837,16 +840,16 @@ struct tcpiphdr *ti;
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
bzero((char *)&ro, sizeof(ro));
(void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
err = ip_output(m, (struct mbuf *)0, &ro, 0, 0);
if (ro.ro_rt)
RTFREE(ro.ro_rt);
# else
/*
* extra 0 in case of multicast
*/
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
err = ip_output(m, (struct mbuf *)0, 0, 0, 0);
# endif
return 0;
return err;
}

@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.0.2.39.2.4 1997/11/12 10:50:02 darrenr Exp $
* $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@ -94,10 +94,10 @@ typedef struct fr_ip {
u_short fi_auth;
} fr_ip_t;
#define FI_OPTIONS 0x01
#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */
#define FI_FRAG 0x04
#define FI_SHORT 0x08
#define FI_OPTIONS (FF_OPTIONS >> 24)
#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
#define FI_FRAG (FF_FRAG >> 24)
#define FI_SHORT (FF_SHORT >> 24)
typedef struct fr_info {
struct fr_ip fin_fi;
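Review bot: redefining `FI_OPTIONS`/`FI_TCPUDP`/`FI_FRAG`/`FI_SHORT` as `(FF_* >> 24)` couples the fin_fi flag byte to the top byte of the FF_* rule flags, so the FF_* macros must be defined before this point and must stay within bits 24-27; a comment next to the FF_* definitions stating that invariant would protect it. The comment still reads `TCP/UCP` (should be `TCP/UDP`).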
@ -381,7 +381,7 @@ extern int ipf_log __P((void));
extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern struct ifnet *get_unit __P((char *));
# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
# if defined(__NetBSD__) || defined(__OpenBSD__)
# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
extern int iplioctl __P((dev_t, u_long, caddr_t, int));
# else
extern int iplioctl __P((dev_t, int, caddr_t, int));
@ -423,7 +423,11 @@ extern int iplread __P((dev_t, struct uio *, cred_t *));
# else /* SOLARIS */
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int send_reset __P((struct tcpiphdr *));
# ifdef linux
extern int send_reset __P((tcpiphdr_t *, struct ifnet *));
# else
extern int send_reset __P((tcpiphdr_t *));
# endif
extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
@ -442,7 +446,7 @@ extern int iplidentify __P((char *));
# endif
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
(NetBSD >= 199511)
# ifdef __NetBSD__
# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701)
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
# else
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
@ -491,12 +495,12 @@ extern int iplread(struct inode *, struct file *, char *, int);
#endif
extern int ipldetach __P((void));
extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int));
#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
extern u_short ipf_cksum __P((u_short *, int));
extern int fr_copytolog __P((int, char *, int));
extern void frflush __P((int, caddr_t));
extern void frflush __P((int, int *));
extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int));
extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***));
extern void fr_delgroup __P((u_short, u_32_t, int, int));

@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:57 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@ -49,6 +49,9 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 da
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
#ifdef _KERNEL
#include <net/ip_forward.h>
#endif
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
@ -143,7 +146,7 @@ int ipldetach()
}
fr_checkp = fr_savep;
frflush(IPL_LOGIPF, (caddr_t)&i);
frflush(IPL_LOGIPF, &i);
ipl_inited = 0;
ipfr_unload();
@ -197,7 +200,7 @@ int iplioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg)
int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
{
#endif
int error = 0, unit = 0;
int error = 0, unit = 0, tmp;
#ifdef _KERNEL
unit = GET_MINOR(inode->i_rdev);
@ -305,8 +308,11 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
case SIOCIPFFL :
if (!(mode & FWRITE))
error = EPERM;
else
frflush(unit, data);
else {
IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
frflush(unit, &tmp);
IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
}
break;
#ifdef IPFILTER_LOG
case SIOCIPFFB :
@ -577,54 +583,53 @@ int iplread(struct inode *inode, struct file *file, char *buf, int nbytes)
* send_reset - this could conceivably be a call to tcp_respond(), but that
* requires a large amount of setting up and isn't any more efficient.
*/
int send_reset(ti)
int send_reset(ti, ifp)
struct tcpiphdr *ti;
struct ifnet *ifp;
{
#if notyet
struct tcpiphdr *tp;
tcphdr_t *tcp;
seq_t seq;
int tlen = 0;
ip_t *ip;
mb_t *m;
if (ti->ti_flags & TH_RST)
return -1; /* feedback loop */
m = alloc_skb(MAX_HEADER + sizeof(*ti), GFP_ATOMIC);
m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC);
if (m == NULL)
return -1;
if (ti->ti_flags & TH_SYN)
tlen = 1;
m->m_len = sizeof (struct tcpiphdr);
bzero(mtod(m, char *), sizeof(struct tcpiphdr));
ip = mtod(m, ip_t *);
tp = mtod(m, struct tcpiphdr *);
tcp = (tcphdr_t *)((char *)ip + sizeof(struct ip));
m->dev = ifp;
m->csum = 0;
ip = mtod(m, ip_t *);
m->h.iph = ip;
m->ip_hdr = NULL;
m->m_len = sizeof(tcpiphdr_t);
tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t));
bzero((char *)ip, sizeof(tcpiphdr_t));
ip->ip_v = IPVERSION;
ip->ip_hl = sizeof(ip_t) >> 2;
ip->ip_tos = ((ip_t *)ti)->ip_tos;
ip->ip_p = ((ip_t *)ti)->ip_p;
ip->ip_id = ((ip_t *)ti)->ip_id;
ip->ip_len = htons(sizeof(tcpiphdr_t));
ip->ip_ttl = 127;
ip->ip_src.s_addr = ti->ti_dst.s_addr;
ip->ip_dst.s_addr = ti->ti_src.s_addr;
tcp->th_dport = ti->ti_sport;
tcp->th_sport = ti->ti_dport;
seq = ntohl(ti->ti_seq);
tcp->th_ack = htonl(seq + tlen);
tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
tcp->th_off = sizeof(tcphdr_t) >> 2;
tcp->th_flags = TH_RST|TH_ACK;
tp->ti_pr = ((ip_t *)ti)->ip_p;
tp->ti_len = htons(sizeof(struct tcphdr));
tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr));
ip->ip_tos = ((ip_t *)ti)->ip_tos;
ip->ip_p = ((ip_t *)ti)->ip_p;
ip->ip_len = sizeof (struct tcpiphdr);
ip->ip_ttl = 255;
/*
* extra 0 in case of multicast
*/
(void) ip_output(m, (mb_t *)0, 0, 0, 0);
return 0;
#endif
ip->ip_sum = 0;
ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t));
tcp->th_sum = fr_tcpsum(m, ip, tcp, sizeof(tcpiphdr_t));
return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr);
}
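Review bot: the new Linux `send_reset` allocates with `alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC)`, whereas the removed `notyet` version reserved `MAX_HEADER + sizeof(*ti)`; with no headroom, the link-layer header that the forwarding path and device must prepend forces a reallocation or a drop, so the old size (or an explicit reserve) should be kept. This code is now live (the `#if notyet` guard is gone) and returns whatever `ip_forward()` returns, so SEND_RESET callers on Linux get a real status rather than the old constant 0. `ip->ip_id` is copied from the offending packet and the TTL is fixed at 127; both are acceptable for an RST but deserve a comment, and the Linux README's "block return-rst" not-available entry in this import should be revisited.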

@ -5,17 +5,17 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: ip_log.c,v 2.0.2.13.2.2 1997/11/12 10:52:21 darrenr Exp $
* $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $
*/
#ifdef IPFILTER_LOG
# ifndef SOLARIS
# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
# endif
# if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
# endif
# ifdef __FreeBSD__
# if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
# endif
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/osreldate.h>
# else
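Review bot: the `#if defined(KERNEL) && !defined(_KERNEL)` / `# define _KERNEL` block moves from the top of the IPFILTER_LOG section to inside `# ifdef __FreeBSD__`, so on every other platform a build that defines only `KERNEL` no longer gets `_KERNEL` set in ip_log.c. If that is intended (FreeBSD being the only platform that passes KERNEL), a comment saying so would help; otherwise the other platforms lose the logging paths guarded by `_KERNEL`.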

@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.3 1997/11/12 10:53:29 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.7 1997/12/02 13:54:27 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -317,6 +317,7 @@ int mode;
break;
}
ret = nat_flushtable();
(void) ap_unload();
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
case SIOCCNATL :
@ -513,18 +514,14 @@ struct in_addr *inp;
/*
* Create a new NAT table entry.
*/
#ifdef __STDC__
nat_t *nat_new(ipnat_t *np, ip_t *ip, fr_info_t *fin, u_short flags, int direction)
#else
nat_t *nat_new(np, ip, fin, flags, direction)
ipnat_t *np;
ip_t *ip;
fr_info_t *fin;
u_short flags;
int direction;
#endif
{
register u_long sum1, sum2, sumd;
register u_long sum1, sum2, sumd, l;
u_short port = 0, sport = 0, dport = 0, nport = 0;
struct in_addr in;
tcphdr_t *tcp = NULL;
@ -554,13 +551,22 @@ int direction;
* If it's an outbound packet which doesn't match any existing
* record, then create a new port
*/
l = 0;
do {
l++;
port = 0;
in.s_addr = np->in_nip;
if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1)
if ((l > 1) ||
nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) {
KFREE(nat);
return NULL;
}
} else if (!in.s_addr && !np->in_outmsk) {
if (l > 1) {
KFREE(nat);
return NULL;
}
in.s_addr = ntohl(ip->ip_src.s_addr);
if (nflags & IPN_TCPUDP)
port = sport;
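Review bot: the new `l` counter (a `u_long`, easily misread as `1`) bounds the address/port search so that mapping to a single address with no free port cannot spin forever, matching the HISTORY entry "avoid infinite loop when nat'ing to single IP#"; a descriptive name such as `loopcnt` and a comment on why the limit is 1 would make the `(l > 1)` checks self-explanatory. Both early exits duplicate `KFREE(nat); return NULL;`; a single failure label would keep future branches from forgetting the free.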
@ -609,7 +615,7 @@ int direction;
* internal port.
*/
in.s_addr = ntohl(np->in_inip);
if (!(nport = htons(np->in_pnext)))
if (!(nport = np->in_pnext))
nport = dport;
nat->nat_inip.s_addr = htonl(in.s_addr);
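Review bot: dropping the `htons()` in `nport = np->in_pnext` fixes the "rdr destination port byte-swapped" issue from HISTORY only if `in_pnext` is already stored in network order; the fallback `nport = dport` is network order, so the two sources of `nport` now agree, but a comment on `in_pnext`'s byte order at its definition would stop the swap from being reintroduced.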
@ -1083,7 +1089,7 @@ fr_info_t *fin;
(void) ap_check(ip, tcp, fin, nat);
nat_stats.ns_mapped[1]++;
MUTEX_EXIT(&ipf_nat);
return 1;
return -2;
}
MUTEX_EXIT(&ipf_nat);
return 0;
@ -1212,7 +1218,7 @@ fr_info_t *fin;
}
nat_stats.ns_mapped[0]++;
MUTEX_EXIT(&ipf_nat);
return 1;
return -2;
}
MUTEX_EXIT(&ipf_nat);
return 0;
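Review bot: this hunk and the previous one change the "packet was translated" result from `1` to the magic value `-2`; any caller testing `> 0` or `== 1` silently changes behaviour, and `-2` reads like an error code. Please give it a name (a `#define` next to the other return values) and document how fr_check treats it, given fr_check now returns errnos.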
@ -1257,6 +1263,9 @@ void ip_natexpire()
nat_delete(nat);
nat_stats.ns_expire++;
}
ap_expire();
MUTEX_EXIT(&ipf_nat);
SPL_X(s);
}

@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.2 1997/11/12 10:54:11 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -226,7 +226,7 @@ nat_t *nat;
* don't do anything with this packet.
*/
if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp,
ip, tcp)) {
ip, tcp, ip->ip_len)) {
frstats[fin->fin_out].fr_tcpbad++;
return -1;
}
@ -246,7 +246,8 @@ nat_t *nat;
aps, nat);
}
if (err == 2) {
tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip,
tcp, ip->ip_len);
err = 0;
}
return err;
@ -298,3 +299,21 @@ void ap_unload()
aps_free(aps);
}
}
void ap_expire()
{
ap_session_t *aps, **apsp;
int i;
for (i = 0; i < AP_SESS_SIZE; i++)
for (apsp = &ap_sess_tab[i]; (aps = *apsp); ) {
aps->aps_tout--;
if (!aps->aps_tout) {
ap_sess_tab[i] = aps->aps_next;
aps_free(aps);
*apsp = aps->aps_next;
} else
apsp = &aps->aps_next;
}
}
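Review bot: `ap_expire()` has a list-corruption bug and a use-after-free in its timed-out branch. `ap_sess_tab[i] = aps->aps_next;` unconditionally rewrites the bucket head even when `aps` is not the head (i.e. when `apsp != &ap_sess_tab[i]`), dropping every entry before it; and `*apsp = aps->aps_next;` reads `aps` after `aps_free(aps)` has released it. The unlink should be `*apsp = aps->aps_next; aps_free(aps);` with the `ap_sess_tab[i]` assignment removed. Separately, `aps->aps_tout--` followed by `if (!aps->aps_tout)` never fires for a session whose timeout is already 0 (it goes negative or wraps and never returns to zero), so guard the decrement or test `<= 0`. Locking is fine: the only caller shown, ip_natexpire(), holds ipf_nat.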

@ -5,7 +5,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: ip_proxy.h,v 2.0.2.10 1997/10/19 15:39:23 darrenr Exp $
* $Id: ip_proxy.h,v 2.0.2.10.2.1 1997/11/27 09:33:27 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@ -88,5 +88,6 @@ extern void ap_free __P((aproxy_t *));
extern void aps_free __P((ap_session_t *));
extern int ap_check __P((ip_t *, tcphdr_t *, fr_info_t *, struct nat *));
extern aproxy_t *ap_match __P((u_char, char *));
extern void ap_expire __P((void));
#endif /* __IP_PROXY_H__ */

@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.3 1997/11/12 10:54:35 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55:39 darrenr Exp $";
#endif
#include <sys/types.h>
@ -76,7 +76,7 @@ int ipldetach()
ipflog_clear(i);
untimeout(ipfr_timer_id);
i = FR_INQUE|FR_OUTQUE;
frflush(IPL_LOGIPF, (caddr_t)&i);
frflush(IPL_LOGIPF, &i);
ipfr_unload();
fr_stateunload();
ip_natunload();
@ -250,9 +250,11 @@ int *rp;
case SIOCIPFFL :
if (!(mode & FWRITE))
return EPERM;
IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
mutex_enter(&ipf_mutex);
frflush(unit, (caddr_t)data);
frflush(unit, &tmp);
mutex_exit(&ipf_mutex);
IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
break;
#ifdef IPFILTER_LOG
case SIOCIPFFB :

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.3 1997/11/12 10:55:34 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
@ -179,9 +179,7 @@ int mode;
case SIOCIPFFL :
IRCOPY(data, (caddr_t)&arg, sizeof(arg));
if (arg == 0 || arg == 1) {
MUTEX_ENTER(&ipf_state);
ret = fr_state_flush(arg);
MUTEX_EXIT(&ipf_state);
IWCOPY((caddr_t)&ret, data, sizeof(ret));
} else
error = EINVAL;
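Review bot: the MUTEX_ENTER/MUTEX_EXIT pair around fr_state_flush(arg) is removed, but nothing in this diff shows fr_state_flush taking ipf_state itself; unless it does, SIOCIPFFL now walks and frees state entries concurrently with the packet path. Either show the lock moving into fr_state_flush or keep it here.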

@ -11,6 +11,6 @@
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter v3.2.1"
#define IPL_VERSION "IP Filter v3.2.3"
#endif

@ -1,11 +1,11 @@
#
interface { ifname le0; mtu 1500; }
interface { ifname le0; mtu 1500; } ;
ipv4 {
src 1.1.1.1; dst 2.2.2.2;
tcp {
seq 12345; ack 0; sport 9999; dport 23; flags S;
data { value "abcdef"; } ;
}
}
send { via 10.1.1.1; }
} ;
} ;
send { via 10.1.1.1; } ;

@ -10,7 +10,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: iplang_l.l,v 2.0.2.15.2.1 1997/11/05 11:04:04 darrenr Exp $
* $Id: iplang_l.l,v 2.0.2.15.2.2 1997/12/10 09:54:15 darrenr Exp $
*/
#include <stdio.h>
#include <string.h>
@ -164,6 +164,7 @@ rtime { return next_state(IL_ICMP_RTIME, -1); }
ttime { return next_state(IL_ICMP_TTIME, -1); }
icmpseq { return next_state(IL_ICMP_SEQ, -1); }
icmpid { return next_state(IL_ICMP_SEQ, -1); }
\377 { return 0; } /* EOF */
\{ { push_proto(); return next_item('{'); }
\} { pop_proto(); return next_item('}'); }
\. { return next_item(IL_DOT); }
@ -210,11 +211,8 @@ void pop_proto()
int save_token()
{
static char *buf = NULL;
if (buf && (buf == yylval.str))
free(buf);
buf = yylval.str = strdup(yytext);
yylval.str = strdup(yytext);
return IL_TOKEN;
}
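Review bot: with the static buf bookkeeping gone, save_token() strdup()s every token and nothing frees it unless each grammar action does, so iplang now leaks one allocation per token. The removed free was the worse problem, since it freed the pointer whenever yylval.str still held it, which can be after the parser has already shifted that pointer onto its value stack, but the leak deserves a comment so nobody reintroduces the free.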

@ -6,7 +6,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: iplang_y.y,v 2.0.2.18.2.2 1997/11/05 11:04:19 darrenr Exp $
* $Id: iplang_y.y,v 2.0.2.18.2.5 1997/12/10 09:54:45 darrenr Exp $
*/
#include <stdio.h>
@ -190,8 +190,8 @@ int yyparse __P((void));
%token IL_IPO_TS IL_IPO_TR IL_IPO_SEC IL_IPO_LSRR IL_IPO_ESEC
%token IL_IPO_SATID IL_IPO_SSRR IL_IPO_ADDEXT IL_IPO_VISA IL_IPO_IMITD
%token IL_IPO_EIP IL_IPO_FINN IL_IPO_SECCLASS IL_IPO_CIPSO IL_IPO_ENCODE
%token IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3
%token IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1
%token <str> IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3
%token <str> IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1
%token IL_ICMP_ECHOREPLY IL_ICMP_UNREACH IL_ICMP_UNREACH_NET
%token IL_ICMP_UNREACH_HOST IL_ICMP_UNREACH_PROTOCOL IL_ICMP_UNREACH_PORT
%token IL_ICMP_UNREACH_NEEDFRAG IL_ICMP_UNREACH_SRCFAIL
@ -235,10 +235,10 @@ ifaceopts:
;
ifaceopt:
IL_IFNAME token { set_ifname(&yylval.str); }
| IL_MTU number { set_ifmtu(yylval.num); }
| IL_V4ADDR token { set_ifv4addr(&yylval.str); }
| IL_EADDR token { set_ifeaddr(&yylval.str); }
IL_IFNAME token { set_ifname(&$2); }
| IL_MTU number { set_ifmtu($2); }
| IL_V4ADDR token { set_ifv4addr(&$2); }
| IL_EADDR token { set_ifeaddr(&$2); }
;
send: sendhdr '{' sendbody '}' ';' { packet_done(); }
@ -255,8 +255,8 @@ sendbody:
;
sendopt:
IL_IFNAME token { set_sendif(&yylval.str); }
| IL_VIA token { set_sendvia(&yylval.str); }
IL_IFNAME token { set_sendif(&$2); }
| IL_VIA token { set_sendvia(&$2); }
;
arp: arphdr '{' arpbody '}' ';'
@ -270,12 +270,12 @@ arpbody:
| arpbody arpopt
;
arpopt: IL_V4ADDR token { set_arpv4addr(&yylval.str); }
| IL_EADDR token { set_arpeaddr(&yylval.str); }
arpopt: IL_V4ADDR token { set_arpv4addr(&$2); }
| IL_EADDR token { set_arpeaddr(&$2); }
;
defrouter:
IL_DEFROUTER token { set_defaultrouter(&yylval.str); }
IL_DEFROUTER token { set_defaultrouter(&$2); }
;
bodyline:
@ -298,17 +298,17 @@ ipv4body:
;
ipv4type:
IL_V4PROTO token { set_ipv4proto(&yylval.str); }
| IL_V4SRC token { set_ipv4src(&yylval.str); }
| IL_V4DST token { set_ipv4dst(&yylval.str); }
| IL_V4OFF token { set_ipv4off(&yylval.str); }
| IL_V4V token { set_ipv4v(&yylval.str); }
| IL_V4HL token { set_ipv4hl(&yylval.str); }
| IL_V4ID token { set_ipv4id(&yylval.str); }
| IL_V4TTL token { set_ipv4ttl(&yylval.str); }
| IL_V4TOS token { set_ipv4tos(&yylval.str); }
| IL_V4SUM token { set_ipv4sum(&yylval.str); }
| IL_V4LEN token { set_ipv4len(&yylval.str); }
IL_V4PROTO token { set_ipv4proto(&$2); }
| IL_V4SRC token { set_ipv4src(&$2); }
| IL_V4DST token { set_ipv4dst(&$2); }
| IL_V4OFF token { set_ipv4off(&$2); }
| IL_V4V token { set_ipv4v(&$2); }
| IL_V4HL token { set_ipv4hl(&$2); }
| IL_V4ID token { set_ipv4id(&$2); }
| IL_V4TTL token { set_ipv4ttl(&$2); }
| IL_V4TOS token { set_ipv4tos(&$2); }
| IL_V4SUM token { set_ipv4sum(&$2); }
| IL_V4LEN token { set_ipv4len(&$2); }
| ipv4opt '{' ipv4optlist '}' ';' { end_ipopt(); }
;
@ -320,20 +320,21 @@ tcpline:
;
tcpheader:
tcpbody tcpheader
tcpbody
| tcpbody tcpheader
| bodyline
;
tcpbody:
IL_SPORT token { set_tcpsport(&yylval.str); }
| IL_DPORT token { set_tcpdport(&yylval.str); }
| IL_TCPSEQ token { set_tcpseq(&yylval.str); }
| IL_TCPACK token { set_tcpack(&yylval.str); }
| IL_TCPOFF token { set_tcpoff(&yylval.str); }
| IL_TCPURP token { set_tcpurp(&yylval.str); }
| IL_TCPWIN token { set_tcpwin(&yylval.str); }
| IL_TCPSUM token { set_tcpsum(&yylval.str); }
| IL_TCPFL token { set_tcpflags(&yylval.str); }
IL_SPORT token { set_tcpsport(&$2); }
| IL_DPORT token { set_tcpdport(&$2); }
| IL_TCPSEQ token { set_tcpseq(&$2); }
| IL_TCPACK token { set_tcpack(&$2); }
| IL_TCPOFF token { set_tcpoff(&$2); }
| IL_TCPURP token { set_tcpurp(&$2); }
| IL_TCPWIN token { set_tcpwin(&$2); }
| IL_TCPSUM token { set_tcpsum(&$2); }
| IL_TCPFL token { set_tcpflags(&$2); }
| IL_TCPOPT '{' tcpopts '}' ';' { end_tcpopt(); }
;
@ -343,9 +344,9 @@ tcpopts:
tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); }
| IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); }
| IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&yylval.str);}
| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&yylval.str);}
| IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &yylval.str);}
| IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
| IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);}
;
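Review bot: the IL_TCPO_WSCALE alternative was rewritten to use $2 but still passes IL_TCPO_MSS as the option id: `| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);}`. That should be set_tcpopt(IL_TCPO_WSCALE, &$2); as written a wscale option is emitted as a second MSS option.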
udp: IL_UDP { new_udpheader(); }
@ -363,10 +364,10 @@ udpheader:
;
udpbody:
IL_SPORT token { set_tcpsport(&yylval.str); }
| IL_DPORT token { set_tcpdport(&yylval.str); }
| IL_UDPLEN token { set_udplen(&yylval.str); }
| IL_UDPSUM token { set_udpsum(&yylval.str); }
IL_SPORT token { set_tcpsport(&$2); }
| IL_DPORT token { set_tcpdport(&$2); }
| IL_UDPLEN token { set_udplen(&$2); }
| IL_UDPSUM token { set_udpsum(&$2); }
;
icmp: IL_ICMP { new_icmpheader(); }
@ -387,7 +388,7 @@ icmpheader:
;
icmpcode:
IL_ICMPCODE token { set_icmpcodetok(&yylval.str); }
IL_ICMPCODE token { set_icmpcodetok(&$2); }
;
icmptype:
@ -413,7 +414,7 @@ icmptype:
| IL_ICMP_MASKREPLY '{' token '}' ';'
| IL_ICMP_PARAMPROB ';' { set_icmptype(ICMP_PARAMPROB); }
| IL_ICMP_PARAMPROB '{' paramprob '}' ';'
| IL_TOKEN ';' { set_icmptypetok(&yylval.str); }
| IL_TOKEN ';' { set_icmptypetok(&$1); }
;
icmpechoopts:
@ -421,17 +422,17 @@ icmpechoopts:
;
icmpecho:
IL_ICMP_SEQ number { set_icmpseq(yylval.num); }
| IL_ICMP_ID number { set_icmpid(yylval.num); }
IL_ICMP_SEQ number { set_icmpseq($2); }
| IL_ICMP_ID number { set_icmpid($2); }
;
icmptsopts:
| icmptsopts icmpts ';'
;
icmpts: IL_ICMP_OTIME number { set_icmpotime(yylval.num); }
| IL_ICMP_RTIME number { set_icmprtime(yylval.num); }
| IL_ICMP_TTIME number { set_icmpttime(yylval.num); }
icmpts: IL_ICMP_OTIME number { set_icmpotime($2); }
| IL_ICMP_RTIME number { set_icmprtime($2); }
| IL_ICMP_TTIME number { set_icmpttime($2); }
;
unreach:
@ -444,7 +445,7 @@ unreachopts:
| IL_ICMP_UNREACH_HOST line
| IL_ICMP_UNREACH_PROTOCOL line
| IL_ICMP_UNREACH_PORT line
| IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu(yylval.num); }
| IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu($2); }
| IL_ICMP_UNREACH_SRCFAIL line
| IL_ICMP_UNREACH_NET_UNKNOWN line
| IL_ICMP_UNREACH_HOST_UNKNOWN line
@ -464,10 +465,10 @@ redirect:
;
redirectopts:
| IL_ICMP_REDIRECT_NET token { set_redir(0, &yylval.str); }
| IL_ICMP_REDIRECT_HOST token { set_redir(1, &yylval.str); }
| IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &yylval.str); }
| IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &yylval.str); }
| IL_ICMP_REDIRECT_NET token { set_redir(0, &$2); }
| IL_ICMP_REDIRECT_HOST token { set_redir(1, &$2); }
| IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &$2); }
| IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &$2); }
;
exceed:
@ -480,7 +481,7 @@ paramprob:
| IL_ICMP_PARAMPROB_OPTABSENT paraprobarg
paraprobarg:
'{' number '}' ';' { set_icmppprob(yylval.num); }
'{' number '}' ';' { set_icmppprob($2); }
;
ipv4opt: IL_V4OPT { new_ipv4opt(); }
@ -492,7 +493,7 @@ ipv4optlist:
ipv4opts:
IL_IPO_NOP ';' { add_ipopt(IL_IPO_NOP, NULL); }
| IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &yylval.num); }
| IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &$2); }
| IL_IPO_ZSU ';' { add_ipopt(IL_IPO_ZSU, NULL); }
| IL_IPO_MTUP ';' { add_ipopt(IL_IPO_MTUP, NULL); }
| IL_IPO_MTUR ';' { add_ipopt(IL_IPO_MTUR, NULL); }
@ -501,11 +502,11 @@ ipv4opts:
| IL_IPO_TR ';' { add_ipopt(IL_IPO_TR, NULL); }
| IL_IPO_SEC ';' { add_ipopt(IL_IPO_SEC, NULL); }
| IL_IPO_SECCLASS secclass { add_ipopt(IL_IPO_SECCLASS, sclass); }
| IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&yylval.str); }
| IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&$2); }
| IL_IPO_ESEC ';' { add_ipopt(IL_IPO_ESEC, NULL); }
| IL_IPO_CIPSO ';' { add_ipopt(IL_IPO_CIPSO, NULL); }
| IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&yylval.num);}
| IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&yylval.str); }
| IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&$2);}
| IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&$2); }
| IL_IPO_ADDEXT ';' { add_ipopt(IL_IPO_ADDEXT, NULL); }
| IL_IPO_VISA ';' { add_ipopt(IL_IPO_VISA, NULL); }
| IL_IPO_IMITD ';' { add_ipopt(IL_IPO_IMITD, NULL); }
@ -514,14 +515,14 @@ ipv4opts:
;
secclass:
IL_IPS_RESERV4 ';' { set_secclass(&yylval.str); }
| IL_IPS_TOPSECRET ';' { set_secclass(&yylval.str); }
| IL_IPS_SECRET ';' { set_secclass(&yylval.str); }
| IL_IPS_RESERV3 ';' { set_secclass(&yylval.str); }
| IL_IPS_CONFID ';' { set_secclass(&yylval.str); }
| IL_IPS_UNCLASS ';' { set_secclass(&yylval.str); }
| IL_IPS_RESERV2 ';' { set_secclass(&yylval.str); }
| IL_IPS_RESERV1 ';' { set_secclass(&yylval.str); }
IL_IPS_RESERV4 ';' { set_secclass(&$1); }
| IL_IPS_TOPSECRET ';' { set_secclass(&$1); }
| IL_IPS_SECRET ';' { set_secclass(&$1); }
| IL_IPS_RESERV3 ';' { set_secclass(&$1); }
| IL_IPS_CONFID ';' { set_secclass(&$1); }
| IL_IPS_UNCLASS ';' { set_secclass(&$1); }
| IL_IPS_RESERV2 ';' { set_secclass(&$1); }
| IL_IPS_RESERV1 ';' { set_secclass(&$1); }
;
data: IL_DATA { new_data(); }
@ -536,9 +537,9 @@ databody: dataopts
;
dataopts:
IL_DLEN token { set_datalen(&yylval.str); }
| IL_DVALUE token { set_data(&yylval.str); }
| IL_DFILE token { set_datafile(&yylval.str); }
IL_DLEN token { set_datalen(&$2); }
| IL_DVALUE token { set_data(&$2); }
| IL_DFILE token { set_datafile(&$2); }
;
token: IL_TOKEN ';'
@ -618,28 +619,6 @@ ether_aton(s)
}
#endif
#ifdef bsdi
struct ether_addr *
ether_aton(s)
char *s;
{
static struct ether_addr n;
u_int i[6];
if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1],
&i[2], &i[3], &i[4], &i[5]) == 6) {
n.ether_addr_octet[0] = (u_char)i[0];
n.ether_addr_octet[1] = (u_char)i[1];
n.ether_addr_octet[2] = (u_char)i[2];
n.ether_addr_octet[3] = (u_char)i[3];
n.ether_addr_octet[4] = (u_char)i[4];
n.ether_addr_octet[5] = (u_char)i[5];
return &n;
}
return NULL;
}
#endif
struct in_addr getipv4addr(arg)
char *arg;
@ -663,7 +642,7 @@ char *pr, *name;
struct servent *sp;
if (!(sp = getservbyname(name, pr)))
return atoi(name);
return htons(atoi(name));
return sp->s_port;
}
@ -1740,7 +1719,9 @@ void free_anipheader()
canip->ah_next = NULL;
aniptail = &canip->ah_next;
}
free(aip);
if (canip)
free(aip);
}
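Review bot: guarding `free(aip)` on `canip` needs a comment. If aip is allocated regardless of canip, the canip == NULL path now leaks it; if the two alias (which would explain the guard), say so, or test aip directly.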

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.3 1997/11/12 10:57:25 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $";
#endif
#include <stdio.h>
@ -106,9 +106,11 @@ int main __P((int, char *[]));
#define OPT_VERBOSE 0x008
#define OPT_HEXHDR 0x010
#define OPT_TAIL 0x020
#define OPT_ALL 0x040
#define OPT_NAT 0x080
#define OPT_STATE 0x100
#define OPT_FILTER 0x200
#define OPT_PORTNUM 0x400
#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER)
#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
@ -156,7 +158,7 @@ u_short port;
struct servent *serv;
(void) sprintf(pname, "%hu", htons(port));
if (!res)
if (!res || (opts & OPT_PORTNUM))
return pname;
serv = getservbyport((int)port, proto);
if (!serv)
@ -598,7 +600,7 @@ FILE *log;
int fd, flushed = 0;
if ((fd = open(file, O_RDWR)) == -1) {
(void) fprintf(stderr, "%s: open: %s", file, STRERROR(errno));
(void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno));
exit(-1);
}
@ -620,50 +622,94 @@ FILE *log;
}
static void logopts(turnon, options)
int turnon;
char *options;
{
int flags = 0;
char *s;
for (s = options; *s; s++)
{
switch (*s)
{
case 'N' :
flags |= OPT_NAT;
break;
case 'S' :
flags |= OPT_STATE;
break;
case 'I' :
flags |= OPT_FILTER;
break;
default :
fprintf(stderr, "Unknown log option %c\n", *s);
exit(1);
}
}
if (turnon)
opts |= flags;
else
opts &= ~(flags);
}
int main(argc, argv)
int argc;
char *argv[];
{
struct stat sb;
FILE *log = stdout;
int fd[3], doread, n, i, nfd = 1;
int tr, nr, regular, c;
int fdt[3];
char buf[512], *iplfile = IPL_NAME;
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
int fdt[3], devices = 0;
char buf[512], *iplfile[3];
extern int optind;
extern char *optarg;
fd[0] = fd[1] = fd[2] = -1;
fdt[0] = IPL_LOGIPF;
fdt[1] = IPL_LOGNAT;
fdt[2] = IPL_LOGSTATE;
fdt[0] = fdt[1] = fdt[2] = -1;
iplfile[0] = IPL_NAME;
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
while ((c = getopt(argc, argv, "?af:FhnNsStvxX")) != -1)
while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
opts |= OPT_ALL;
nfd = 3;
break;
case 'f' :
iplfile = optarg;
case 'f' : case 'I' :
opts |= OPT_FILTER;
fdt[0] = IPL_LOGIPF;
iplfile[0] = optarg;
break;
case 'F' :
if (!(opts & OPT_ALL))
flushlogs(iplfile, log);
else {
flushlogs(IPL_NAME, log);
flushlogs(IPL_NAT, log);
flushlogs(IPL_STATE, log);
}
flushlogs(iplfile[0], log);
flushlogs(iplfile[1], log);
flushlogs(iplfile[2], log);
break;
case 'n' :
opts |= OPT_RESOLVE;
break;
case 'N' :
opts |= OPT_NAT;
fdt[0] = IPL_LOGNAT;
iplfile = IPL_NAT;
fdt[1] = IPL_LOGNAT;
iplfile[1] = optarg;
break;
case 'o' : case 'O' :
logopts(c == 'o', optarg);
fdt[0] = fdt[1] = fdt[2] = -1;
if (opts & OPT_FILTER)
fdt[0] = IPL_LOGIPF;
if (opts & OPT_NAT)
fdt[1] = IPL_LOGNAT;
if (opts & OPT_STATE)
fdt[2] = IPL_LOGSTATE;
break;
case 'p' :
opts |= OPT_PORTNUM;
break;
case 's' :
openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC);
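Review bot: `case 'p'` is unreachable because 'p' is missing from the getopt string `"?af:FhI:nN:o:O:sS:tvxX"`, so -p (OPT_PORTNUM, which the port-name change above depends on) is dead; add "p" to the string. Also -a now does only `opts |= OPT_ALL;` and never touches fdt[], so as far as this diff shows it falls into the "only open the filter log file" default below instead of opening all three logs the way -o NSI does; set fdt[0..2] in the 'a' case (or route it through logopts) so it matches the man page.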
@ -671,8 +717,8 @@ char *argv[];
break;
case 'S' :
opts |= OPT_STATE;
fdt[0] = IPL_LOGSTATE;
iplfile = IPL_STATE;
fdt[2] = IPL_LOGSTATE;
iplfile[2] = optarg;
break;
case 't' :
opts |= OPT_TAIL;
@ -692,22 +738,32 @@ char *argv[];
usage(argv[0]);
}
if ((fd[0] == -1) && (fd[0] = open(iplfile, O_RDONLY)) == -1) {
(void) fprintf(stderr, "%s: open: %s", iplfile,
STRERROR(errno));
exit(-1);
}
/*
* Default action is to only open the filter log file.
*/
if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
fdt[0] = IPL_LOGIPF;
if ((opts & OPT_ALL)) {
if ((fd[1] = open(IPL_NAT, O_RDONLY)) == -1) {
(void) fprintf(stderr, "%s: open: %s", IPL_NAT,
STRERROR(errno));
exit(-1);
}
if ((fd[2] = open(IPL_STATE, O_RDONLY)) == -1) {
(void) fprintf(stderr, "%s: open: %s", IPL_STATE,
STRERROR(errno));
exit(-1);
for (i = 0; i < 3; i++) {
if (fdt[i] == -1)
continue;
if (!strcmp(iplfile[i], "-"))
fd[i] = 0;
else {
if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
(void) fprintf(stderr,
"%s: open: %s\n", iplfile[i],
STRERROR(errno));
exit(-1);
}
if (fstat(fd[i], &sb) == -1) {
(void) fprintf(stderr, "%d: fstat: %s\n",fd[i],
STRERROR(errno));
exit(-1);
}
if (!(regular[i] = !S_ISCHR(sb.st_mode)))
devices++;
}
}
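Review bot: when `iplfile[i]` is "-" the loop sets `fd[i] = 0;` and skips the fstat branch, so regular[i] is never assigned for that slot, yet the read loop below tests `if (!regular[i])` and may issue ioctl(FIONREAD) on stdin based on an uninitialised value; assign regular[i] = 1 (stdin is not a log device, so devices is correctly left alone) in the "-" branch.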
@ -715,27 +771,21 @@ char *argv[];
log = argv[optind] ? fopen(argv[optind], "a") : stdout;
if (log == NULL) {
(void) fprintf(stderr, "%s: fopen: %s", argv[optind],
(void) fprintf(stderr, "%s: fopen: %s\n", argv[optind],
STRERROR(errno));
exit(-1);
}
setvbuf(log, NULL, _IONBF, 0);
}
if (stat(iplfile, &sb) == -1) {
(void) fprintf(stderr, "%s: stat: %s", iplfile,
STRERROR(errno));
exit(-1);
}
regular = !S_ISCHR(sb.st_mode);
for (doread = 1; doread; ) {
nr = 0;
for (i = 0; i < nfd; i++) {
for (i = 0; i < 3; i++) {
tr = 0;
if (!regular) {
if (fdt[i] == -1)
continue;
if (!regular[i]) {
if (ioctl(fd[i], FIONREAD, &tr) == -1) {
perror("ioctl(FIONREAD)");
exit(-1);
@ -745,7 +795,7 @@ char *argv[];
if (!tr && !(opts & OPT_TAIL))
doread = 0;
}
if (!tr && nfd != 1)
if (!tr)
continue;
nr += tr;
@ -777,7 +827,7 @@ char *argv[];
break;
}
}
if (!nr && ((opts & OPT_TAIL) || !regular))
if (!nr && ((opts & OPT_TAIL) || devices))
sleep(1);
}
exit(0);

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11 1997/10/23 11:42:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $";
#endif
#include <errno.h>
#include <stdio.h>
@ -96,7 +96,7 @@ int frag;
static u_short id = 0;
ether_header_t *eh;
ip_t ipsv;
int err;
int err, iplen;
if (!ipbuf)
ipbuf = (char *)malloc(65536);
@ -115,7 +115,8 @@ int frag;
bcopy((char *)ip, (char *)&ipsv, sizeof(*ip));
last_gw.s_addr = gwip.s_addr;
ip->ip_len = htons(ip->ip_len);
iplen = ip->ip_len;
ip->ip_len = htons(iplen);
ip->ip_off = htons(ip->ip_off);
if (!(frag & 2)) {
if (!ip->ip_v)
@ -126,13 +127,13 @@ int frag;
ip->ip_ttl = 60;
}
if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu))
if (!frag || (sizeof(*eh) + iplen < mtu))
{
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
bcopy((char *)ip, ipbuf + sizeof(*eh), ntohs(ip->ip_len));
err = sendip(nfd, ipbuf, sizeof(*eh) + ntohs(ip->ip_len));
bcopy((char *)ip, ipbuf + sizeof(*eh), iplen);
err = sendip(nfd, ipbuf, sizeof(*eh) + iplen);
}
else
{
@ -144,7 +145,7 @@ int frag;
ether_header_t eth;
char optcpy[48], ol;
char *s;
int i, iplen, sent = 0, ts, hlen, olen;
int i, sent = 0, ts, hlen, olen;
hlen = ip->ip_hl << 2;
if (mtu < (hlen + 8)) {
@ -235,43 +236,44 @@ struct in_addr gwip;
{
static tcp_seq iss = 2;
struct tcpiphdr *ti;
int thlen, i;
u_long lbuf[20];
tcphdr_t *t;
int thlen, i, iplen, hlen;
u_32_t lbuf[20];
iplen = ip->ip_len;
hlen = ip->ip_hl << 2;
t = (tcphdr_t *)((char *)ip + hlen);
ti = (struct tcpiphdr *)lbuf;
thlen = t->th_off << 2;
if (!thlen)
thlen = sizeof(tcphdr_t);
bzero((char *)ti, sizeof(*ti));
thlen = sizeof(tcphdr_t);
ip->ip_p = IPPROTO_TCP;
ti->ti_pr = ip->ip_p;
ti->ti_src = ip->ip_src;
ti->ti_dst = ip->ip_dst;
bcopy((char *)ip + (ip->ip_hl << 2),
(char *)&ti->ti_sport, sizeof(tcphdr_t));
bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen);
if (!ti->ti_win)
ti->ti_win = htons(4096);
if (!ti->ti_seq)
ti->ti_seq = htonl(iss);
iss += 64;
iss += 63;
if ((ti->ti_flags == TH_SYN) && !ip->ip_off)
{
ip = (ip_t *)realloc((char *)ip, ntohs(ip->ip_len) + 4);
i = sizeof(struct tcpiphdr) / sizeof(long);
i = sizeof(struct tcpiphdr) / sizeof(long);
if ((ti->ti_flags == TH_SYN) && !ip->ip_off &&
(lbuf[i] != htonl(0x020405b4))) {
lbuf[i] = htonl(0x020405b4);
bcopy((char *)(lbuf + i), (char*)ip + ntohs(ip->ip_len),
sizeof(u_long));
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
iplen - thlen - hlen);
thlen += 4;
}
if (!ti->ti_off)
ti->ti_off = thlen >> 2;
ti->ti_off = thlen >> 2;
ti->ti_len = htons(thlen);
ip->ip_len = (ip->ip_hl << 2) + thlen;
ip->ip_len = hlen + thlen;
ti->ti_sum = 0;
ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
bcopy((char *)&ti->ti_sport,
(char *)ip + (ip->ip_hl << 2), thlen);
bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen);
return send_ip(nfd, mtu, ip, gwip, 1);
}
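Review bot: the realloc that grew the packet by 4 bytes when the MSS option is inserted is gone, but the option is still inserted by shifting the payload: `bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4, iplen - thlen - hlen);` then `thlen += 4;`. Unless every caller allocates slack past ip_len this writes 4 bytes beyond the packet buffer, and the length expression goes negative when iplen < hlen + thlen, which is now easier to hit because thlen is forced to sizeof(tcphdr_t) instead of being derived from th_off. Either restore the realloc or bound the copy. Separately, `iss += 63;` replacing 64 is not obviously intentional and deserves a comment.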

@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8 1997/10/12 09:48:39 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8.2.1 1997/11/28 03:36:18 darrenr Exp $";
#endif
#include <stdio.h>
#include <netdb.h>
@ -146,7 +146,7 @@ char **argv;
usage(name);
}
if (argc - optind < 2 && !tests)
if ((argc <= optind) || !argv[optind])
usage(name);
dst = argv[optind++];
@ -209,6 +209,13 @@ char **argv;
ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
break;
default :
ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest);
ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest);
ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest);
ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest);
ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest);
ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest);
ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
break;
}
return 0;

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13 1997/10/23 11:42:45 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@ -892,6 +892,7 @@ int ptest;
t->th_sum = 0;
t->th_seq = 1;
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
nfd = initdevice(dev, t->th_sport, 1);
if (!ptest || (ptest == 1)) {
@ -1021,9 +1022,10 @@ int ptest;
PAUSE();
}
#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi)
#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \
!defined(__sgi)
{
struct tcpcb *t, tcb;
struct tcpcb *tcbp, tcb;
struct tcpiphdr ti;
struct sockaddr_in sin;
int fd, slen;
@ -1032,10 +1034,13 @@ int ptest;
for (i = 1; i < 63; i++) {
fd = socket(AF_INET, SOCK_STREAM, 0);
bzero((char *)&sin, sizeof(sin));
sin.sin_addr.s_addr = ip->ip_dst.s_addr;
sin.sin_port = htons(i);
sin.sin_family = AF_INET;
if (!connect(fd, (struct sockaddr *)&sin, sizeof(sin)))
break;
close(fd);
}
if (i == 63) {
@ -1046,15 +1051,15 @@ int ptest;
}
bcopy((char *)ip, (char *)&ti, sizeof(*ip));
ti.ti_dport = i;
t->th_dport = htons(i);
slen = sizeof(sin);
if (!getsockname(fd, (struct sockaddr *)&sin, &slen))
ti.ti_sport = sin.sin_port;
if (!(t = find_tcp(fd, &ti))) {
t->th_sport = sin.sin_port;
if (!(tcbp = find_tcp(fd, &ti))) {
printf("Can't find PCB\n");
goto skip_five_and_six;
}
KMCPY(&tcb, t, sizeof(tcb));
KMCPY(&tcb, tcbp, sizeof(tcb));
ti.ti_win = tcb.rcv_adv;
ti.ti_seq = tcb.snd_nxt - 1;
ti.ti_ack = tcb.rcv_nxt;
@ -1063,27 +1068,36 @@ int ptest;
/*
* Test 5: urp
*/
printf("5.1 TCP Urgent pointer\n");
ti.ti_urp = 1;
t->th_flags = TH_ACK|TH_URG;
printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n",
ntohs(t->th_sport), ntohs(t->th_dport));
t->th_urp = htons(1);
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
ti.ti_urp = 0x7fff;
t->th_seq = tcb.snd_nxt;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1;
t->th_urp = htons(0x7fff);
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
ti.ti_urp = 0x8000;
t->th_urp = htons(0x8000);
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
ti.ti_urp = 0xffff;
t->th_urp = htons(0xffff);
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
t->th_urp = htons(0);
t->th_flags &= ~TH_URG;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
}
if (!ptest || (ptest == 6)) {
/*
* Test 6: data offset, off = 0, off is inside, off is outside
*/
printf("6.1 TCP off = 0-15, len = 40\n");
for (i = 0; i < 16; i++) {
t->th_flags = TH_ACK;
printf("5.6.1 TCP off = 1-15, len = 40\n");
for (i = 1; i < 16; i++) {
ti.ti_off = ntohs(i);
(void) send_tcp(nfd, mtu, ip, gwip);
printf("%d\r", i);
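Review bot: test 6 still writes the data offset into the local pseudo-header copy, `ti.ti_off = ntohs(i);`, while the packet sent is `ip`, whose TCP header is `t`; the rest of this hunk was converted to `t->th_urp`, so this should be `t->th_off = i;` (th_off is a 4-bit field, so ntohs() is wrong here too). Note also that send_tcp in this same import now unconditionally sets `ti->ti_off = thlen >> 2;` before copying the header back, which overwrites whatever offset the test sets; the two need reconciling for the test to exercise anything.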
@ -1091,6 +1105,7 @@ int ptest;
PAUSE();
}
putchar('\n');
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
}
(void) close(fd);
@ -1099,9 +1114,9 @@ skip_five_and_six:
#endif
t->th_seq = 1;
t->th_ack = 1;
t->th_off = 0;
if (!ptest || (ptest == 7)) {
t->th_off = 0;
t->th_flags = TH_SYN;
/*
* Test 7: sport = 0, sport = 1, sport = 32767
@ -1140,6 +1155,7 @@ skip_five_and_six:
if (!ptest || (ptest == 8)) {
t->th_sport = 1;
t->th_flags = TH_SYN;
/*
* Test 8: dport = 0, dport = 1, dport = 32767
* dport = 32768, dport = 65535
@ -1174,6 +1190,20 @@ skip_five_and_six:
fflush(stdout);
PAUSE();
}
/* LAND attack - self connect, so make src & dst ip/port the same */
if (!ptest || (ptest == 9)) {
printf("5.9 TCP LAND attack. sport = 25, dport = 25\n");
/* chose SMTP port 25 */
t->th_sport = htons(25);
t->th_dport = htons(25);
t->th_flags = TH_SYN;
ip->ip_src = ip->ip_dst;
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
}
/* TCP options header checking */
/* 0 length options, etc */
}
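Review bot: test 9 assigns `ip->ip_src = ip->ip_dst;` and never restores it, so any test added after it (the "TCP options header checking" placeholders below) would inherit the spoofed source; save ip_src before the test and restore it alongside sport/dport/flags afterwards, the way tests 5 and 6 restore ip_len.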
@ -1208,6 +1238,9 @@ int ptest;
u->uh_dport = htons(u->uh_dport);
u->uh_ulen = 7168;
printf("6. Exhaustive mbuf test.\n");
printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n");
printf(" Total of around 8,900 packets\n");
for (i = 0; i < 128; i++) {
/*
* First send the entire packet in 768 byte chunks.

@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9 1997/09/28 07:13:37 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@ -253,7 +253,7 @@ static struct kinfo_proc *getproc()
mib[2] = KERN_PROC_PID;
mib[3] = pid;
n = 1;
n = sizeof(kp);
if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1)
{
perror("sysctl");

@ -201,4 +201,4 @@ struct filterstats {
};
.fi
.SH SEE ALSO
ipfstat(1), ipf(1), ipf(5)
ipfstat(8), ipf(8), ipf(5)

@ -481,4 +481,4 @@ qualifies all service/port names with the protocol specified.
.br
/etc/hosts
.SH SEE ALSO
ipf(1), ipftest(1), mkfilters(1)
ipf(8), ipftest(1), mkfilters(1), ipmon(8)

@ -10,7 +10,7 @@ ipf \- alters packet filtering lists for IP packet input and output
<block|pass|nomatch>
] [
.B \-F
<i|o|a>
<i|o|a|s|S>
]
.B \-f
<\fIfilename\fP>
@ -43,13 +43,21 @@ Disable the filter (if enabled). Not effective for loadable kernel versions.
.B \-E
Enable the filter (if disabled). Not effective for loadable kernel versions.
.TP
.BR \-F \0<param>
.BR \-F \0<i|o|a>
This option specifies which filter list to flush. The parameter should
either be "i" (input), "o" (output) or "a" (remove all filter rules).
Either a single letter or an entire word starting with the appropriate
letter maybe used. This option maybe before, or after, any other with
the order on the command line being that used to execute options.
.TP
.BR \-F \0<s|S>
To flush entries from the state table, the \fB-F\fP option is used in
conjuction with either "s" (removes state information about any non-fully
established connections) or "S" (deletes the entire state table). Only
one of the two options may be given. A fully established connection
will show up in \fBipfstat -s\fP output as 4/4, with deviations either
way indicating it is not fully established any more.
.TP
.BR \-f \0<filename>
This option specifies which files
\fBipf\fP should use to get input from for modifying the packet filter rule
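Review bot: typo "conjuction" for "conjunction" in the new -F <s|S> paragraph; while this section is being touched, the context lines "letter maybe used" and "This option maybe before" should read "may be".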
@ -99,7 +107,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
.DT
.SH SEE ALSO
ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
.SH DIAGNOSTICS
.PP
Needs to be run as root for the packet filtering lists to actually

@ -4,4 +4,4 @@ IP FIlter
.SH DESCRIPTION
.PP
.SH SEE ALSO
ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
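Review bot: the SEE ALSO line keeps a duplicate ipf entry, `ipf(8), ipf(1), ipf(5), ...`; the other man pages in this import move to ipf(8) only, so drop the stale ipf(1).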

@ -71,6 +71,6 @@ kernel.
.br
/vmunix
.SH SEE ALSO
ipf(1)
ipf(8)
.SH BUGS
none known.

@ -121,7 +121,7 @@ Specify the filename from which to take input. Default is stdin.
Specify the filename from which to read filter rules.
.SH FILES
.SH SEE ALSO
ipf(1), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.

@ -4,7 +4,15 @@ ipmon \- monitors /dev/ipl for logged packets
.SH SYNOPSIS
.B ipmon
[
.B \-aFhnNsStvxX
.B \-aFhnstvxX
] [
.B "\-o [NSI]"
] [
.B "\-O [NSI]"
] [
.B "\-N <device>"
] [
.B "\-S <device>"
] [
.B "\-f <device>"
] [
@ -27,22 +35,40 @@ Open all of the device logfiles for reading log entries from. All entries
are displayed to the same output 'device' (stderr or syslog).
.TP
.B "\-f <device>"
specify an alternative device/file from which to read the log information.
specify an alternative device/file from which to read the log information
for normal IP Filter log records.
.TP
.B \-F
Flush the current packet log buffer. The number of bytes flushed is displayed,
even should the result be zero.
.TP
.B "\-N <device>"
Set the logfile to be opened for reading NAT log records from to <device>.
.TP
.B \-n
IP addresses and port numbers will be mapped, where possible, back into
hostnames and service names.
.TP
.B \-N
Treat the logfile as being composed of NAT log records.
.B "\-N <device>"
Set the logfile to be opened for reading NAT log records from to <device>.
.TP
.B \-o
Specify which log files to actually read data from. N - NAT logfile,
S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is
equivalent to using \fB-o NSI\fP.
.TP
.B \-O
Specify which log files you do not wish to read from. This is most sensibly
used with the \fB-a\fP. Letters available as paramters to this are the same
as for \fB-o\fP.
.TP
.B \-s
Packet information read in will be sent through syslogd rather than
saved to a file. The following levels are used:
.TP
.B "\-S <device>"
Set the logfile to be opened for reading state log records from to <device>.
.TP
.IP
.B LOG_INFO
\- packets logged using the "log" keyword as the action rather
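Review bot: -N <device> is now documented twice, once as a new entry before -n and once replacing the old `Treat the logfile as being composed of NAT log records.` entry; keep one. Also "paramters" for "parameters" under -O, and the `.TP` immediately before `.IP` after the new -S entry is a stray that produces an empty tagged paragraph.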
@ -76,5 +102,5 @@ recorded data.
.SH FILES
/dev/ipl
.SH SEE ALSO
ipf(1), ipfstat(1)
ipf(8), ipfstat(8)
.SH BUGS

@ -42,4 +42,4 @@ Remove matching NAT rules rather than add them to the internal lists
Turn verbose mode on. Displays information relating to rule processing.
.DT
.SH SEE ALSO
ipfstat(1), ipftest(1), ipf(1), ipnat(5)
ipfstat(1), ipftest(8), ipf(8), ipnat(5)
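Review bot: this SEE ALSO line disagrees with the rest of the import: it keeps ipfstat(1) (changed to ipfstat(8) everywhere else) and changes ipftest to (8) (ipftest(1) everywhere else).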

@ -88,4 +88,4 @@ typedef struct natstat {
It would be nice if there were more flexibility when adding and deleting
filter rules.
.SH SEE ALSO
ipfstat(1), ipf(1), ipf(4), ipnat(5)
ipfstat(8), ipf(8), ipf(4), ipnat(5)

@ -9,5 +9,4 @@ mkfilters \- generate a minimal firewall ruleset for ipfilter
use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
.DT
.SH SEE ALSO
ipf(1), ipf(5), ipfilter(5), ifconfig(8)
ipf(8), ipf(5), ipfilter(5), ifconfig(8)

@ -135,6 +135,10 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
&fr_defaultauthage, 0, "");
#endif
#ifdef DEVFS
void *ipf_devfs[IPL_LOGMAX + 1];
#endif
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
int ipl_major = 0;
@ -156,6 +160,7 @@ static struct cdevsw ipl_cdevsw = {
static int iplaction __P((struct lkm_table *, int));
static void ipl_drvinit __P((void *));
static int iplaction(lkmtp, cmd)
@ -188,13 +193,27 @@ int cmd;
args->lkm_offset = i; /* slot in cdevsw[] */
#endif
printf("IP Filter: loaded into slot %d\n", ipl_major);
return if_ipl_load(lkmtp, cmd);
err = if_ipl_load(lkmtp, cmd);
if (!err)
ipl_drvinit((void *)NULL);
return err;
break;
case LKM_E_UNLOAD :
err = if_ipl_unload(lkmtp, cmd);
if (!err)
if (!err) {
printf("IP Filter: unloaded from slot %d\n",
ipl_major);
# ifdef DEVFS
if (ipf_devfs[IPL_LOGIPF])
devfs_remove_dev(ipf_devfs[IPL_LOGIPF]);
if (ipf_devfs[IPL_LOGNAT])
devfs_remove_dev(ipf_devfs[IPL_LOGNAT]);
if (ipf_devfs[IPL_LOGSTATE])
devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]);
if (ipf_devfs[IPL_LOGAUTH])
devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]);
# endif
}
return err;
case LKM_E_STAT :
break;
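Review bot: `ipl_drvinit((void *)NULL)` is now called from the `LKM_E_LOAD` path, and because `ipl_devsw_installed` starts at 0 it will also run `cdevsw_add(&dev, &ipl_cdevsw, NULL)` with `makedev(CDEV_MAJOR, 0)` right after the LKM loader has placed the driver in slot `ipl_major`; confirm `CDEV_MAJOR` and `ipl_major` always agree, or split the devfs node creation out of the `if (!ipl_devsw_installed)` block so the LKM path creates the nodes without registering the cdevsw a second time. The `break;` after `return err;` is unreachable and can go, and the unload path should clear each `ipf_devfs[...]` slot after `devfs_remove_dev()` so a repeated or partially failed unload cannot hand a stale token back to devfs.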
@ -326,42 +345,37 @@ int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
# else
#ifdef DEVFS
static void *ipf_devfs_token[IPL_LOGMAX + 1];
#endif
# endif
static ipl_devsw_installed = 0;
static void ipl_drvinit __P((void *unused))
{
dev_t dev;
#ifdef DEVFS
void **tp = ipf_devfs_token;
#endif
# ifdef DEVFS
void **tp = ipf_devfs;
# endif
if (!ipl_devsw_installed ) {
dev = makedev(CDEV_MAJOR, 0);
cdevsw_add(&dev, &ipl_cdevsw, NULL);
ipl_devsw_installed = 1;
#ifdef DEVFS
# ifdef DEVFS
tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
DV_CHR, 0, 0, 0600,
"ipf", IPL_LOGIPF);
DV_CHR, 0, 0, 0600, "ipf");
tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
DV_CHR, 0, 0, 0600,
"ipnat", IPL_LOGNAT);
DV_CHR, 0, 0, 0600, "ipnat");
tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
DV_CHR, 0, 0, 0600,
"ipstate", IPL_LOGSTATE);
"ipstate");
tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH,
DV_CHR, 0, 0, 0600,
"ipstate", IPL_LOGAUTH);
#endif
DV_CHR, 0, 0, 0600,
"ipauth");
# endif
}
}
# ifdef IPFILTER_LKM
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
# endif /* IPFILTER_LKM */
#endif /* _FreeBSD_version */
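Review bot: the fourth `devfs_add_devswf` call previously named the auth node "ipstate", a duplicate of the state node, so `/dev/ipauth` never existed under DEVFS; the rename to "ipauth" fixes that and deserves a changelog line. With `ipf_devfs_token` removed, if the `# else` at the top of the hunk survives it now has an empty branch before `# endif` and can be dropped. All four nodes are created root-owned with mode 0600, which is the right default since the ioctl interface drives the filter, NAT and state tables.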

@ -35,7 +35,7 @@
#if !defined(lint)
static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18 1997/10/19 15:39:29 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@ -475,7 +475,8 @@ char *line;
/*
* lazy users...
*/
if (!fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) &&
(fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
(void)fprintf(stderr,
"no protocol given for TCP/UDP comparisons\n");
return NULL;
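Review bot: relaxing the check with `!(fil.fr_ip.fi_fl & FI_TCPUDP)` also lets `fil.fr_tcpf` (TCP flag comparisons) through for `proto tcp/udp` rules, where flags cannot match a UDP packet; either keep the error when `fr_tcpf` is set without an explicit TCP protocol, or confirm that the kernel matcher ignores `fr_tcpf` for non-TCP packets so such a rule cannot silently match less than the user expects.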
@ -541,7 +542,7 @@ u_char *cp;
/*
* is it possibly hostname/num ?
*/
if ((s = index(**seg, '/'))) {
if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) {
*s++ = '\0';
if (!isdigit(*s))
return -1;
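Review bot: the ':' separator goes through the same path as '/', so after `*s++ = '\0'` the `isdigit(*s)` test passes for both a prefix length (`host/24`) and a dotted-quad mask (`host:255.255.255.0`), but the separator character has been overwritten and is not recorded; save which separator matched before writing the `'\0'` so the code that follows can parse the two mask forms differently.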

@ -1,4 +1,4 @@
#
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
#
block out on le0 proto tcp from any to bar/32 port != 23
block out on le0 proto tcp from any to bar/32 port = 23
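Review bot: the old example contradicted its own comment: `port != 23` blocked every outbound TCP packet to bar except telnet, the opposite of the stated intent, and anyone copying it would have cut off far more than port 23; `port = 23` matches the comment. Worth a changelog mention, since the example rules are what users copy.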

@ -97,7 +97,7 @@ char *argv[];
* Log it
*/
syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d",
inet_ntoa(natlook.nl_realip), natlook.nl_realport);
inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
printf("connect to %s,%d\n",
inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
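Review bot: the syslog line now converts `nl_realport` with `ntohs()` the same way the `printf` two lines below already does, so the two outputs finally agree; consider a local `u_short port = ntohs(natlook.nl_realport)` so the conversion is done once and cannot drift again.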

@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.1 1997/11/08 04:55:57 darrenr Exp $";
#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $";
#include <sys/systm.h>
#include <sys/types.h>
@ -525,7 +525,7 @@ tryagain:
ip->ip_off = htons(__ipoff);
}
#endif
if (err == 1) {
if (err == -2) {
if (*mp && (ip == (ip_t *)lbuf)) {
copyin_mblk(m, 0, len, (char *)lbuf);
frstats[out].fr_pull[1]++;
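Review bot: `err == -2` replaces `err == 1` as the "packet was pulled up into lbuf, copy it back" sentinel now that `fr_check` returns errno values such as `EHOSTUNREACH`; a bare -2 is easy to mistake for an error, so give it a `#define` shared with the code that returns it, and check that every other caller that tested for 1 was updated in this same commit.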

@ -23,3 +23,14 @@ done
* allow multiple ip addresses in a source route list for ipsend
* complete Linux port to implement all the IP Filter features
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
* add switches to ipmon for better selective control over which logs are
read/not read
done
* add a flag to automate src spoofing
* ipfsync() should change IP#'s in current mappings as well as what's
in rules.