From f4b66beedb1f2c1f5413c63927069490c58d80f9 Mon Sep 17 00:00:00 2001 
From: Peter Wemm Date: Sat, 21 Mar 1998 10:04:55 +0000 Subject: [PATCH] Import ipfilter 3.2.3 --- .../ipfilter/FreeBSD-2.2/ip_output.c.diffs | 6 +- contrib/ipfilter/HISTORY | 43 +++++ contrib/ipfilter/IMPORTANT | 5 + contrib/ipfilter/INSTALL.BSDOS3 | 44 +++++ contrib/ipfilter/INSTALL.IRIX | 108 ++++++++++++ contrib/ipfilter/INSTALL.Linux | 49 ++++++ contrib/ipfilter/INSTALL.NetBSD | 5 + contrib/ipfilter/INSTALL.Sol2 | 8 +- contrib/ipfilter/Makefile | 8 +- contrib/ipfilter/buildlinux | 16 ++ contrib/ipfilter/fil.c | 52 ++++-- contrib/ipfilter/fils.c | 4 +- contrib/ipfilter/ip_compat.h | 23 +-- contrib/ipfilter/ip_fil.c | 23 +-- contrib/ipfilter/ip_fil.h | 24 +-- contrib/ipfilter/ip_lfil.c | 69 ++++---- contrib/ipfilter/ip_log.c | 8 +- contrib/ipfilter/ip_nat.c | 29 +-- contrib/ipfilter/ip_proxy.c | 25 ++- contrib/ipfilter/ip_proxy.h | 3 +- contrib/ipfilter/ip_sfil.c | 8 +- contrib/ipfilter/ip_state.c | 4 +- contrib/ipfilter/ipl.h | 2 +- contrib/ipfilter/iplang/iplang.tst | 8 +- contrib/ipfilter/iplang/iplang_l.l | 8 +- contrib/ipfilter/iplang/iplang_y.y | 165 ++++++++---------- contrib/ipfilter/ipmon.c | 158 +++++++++++------ contrib/ipfilter/ipsend/ip.c | 54 +++--- contrib/ipfilter/ipsend/iptest.c | 11 +- contrib/ipfilter/ipsend/iptests.c | 63 +++++-- contrib/ipfilter/ipsend/sock.c | 4 +- contrib/ipfilter/man/ipf.4 | 2 +- contrib/ipfilter/man/ipf.5 | 2 +- contrib/ipfilter/man/ipf.8 | 14 +- contrib/ipfilter/man/ipfilter.5 | 2 +- contrib/ipfilter/man/ipfstat.8 | 2 +- contrib/ipfilter/man/ipftest.1 | 2 +- contrib/ipfilter/man/ipmon.8 | 36 +++- contrib/ipfilter/man/ipnat.1 | 2 +- contrib/ipfilter/man/ipnat.4 | 2 +- contrib/ipfilter/man/mkfilters.1 | 3 +- contrib/ipfilter/mlf_ipl.c | 52 ++++-- contrib/ipfilter/parse.c | 7 +- contrib/ipfilter/rules/example.2 | 2 +- contrib/ipfilter/samples/proxy.c | 2 +- contrib/ipfilter/solaris.c | 4 +- contrib/ipfilter/todo | 11 ++ 47 files changed, 820 insertions(+), 362 deletions(-) create mode 100644 contrib/ipfilter/INSTALL.BSDOS3 
create mode 100644 contrib/ipfilter/INSTALL.IRIX create mode 100644 contrib/ipfilter/INSTALL.Linux create mode 100755 contrib/ipfilter/buildlinux diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs index d3cebd0a7374..ff5ae0a5d66b 100644 --- a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs +++ b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs @@ -32,7 +32,7 @@ __P((int, struct ip_moptions **, struct mbuf *)); *************** *** 338,343 **** ---- 342,358 ---- +--- 342,356 ---- * - Wrap: fake packet's addr/port * - Encapsulate: put it in another IP and send out. */ @@ -40,9 +40,7 @@ + if (fr_checkp) { + struct mbuf *m1 = m; + -+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) -+ error = EHOSTUNREACH; -+ if (error || !m1) ++ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index ea561457b396..c708038e7dc8 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -5,6 +5,49 @@ # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # +3.2.3 10/11/97 - Released + +fix some iplang bugs + +fix tcp checksum data overrun, sgi #define changes, +avoid infinite loop when nat'ing to single IP# - Marc Boucher + +fixup DEVFS usage for FreeBSD + +fix sunos5 "make clean" cleaning up too much + +3.2.2 28/11/97 - Released + +change packet matching to return actual error, if bad packet, to facilitate +ECONNRESET for TCP. + +allow ip:netmask in grammar too now - Guido + +assume IRIX has u_int32_t in sys/types.h (needed for R10000) + +rewrite parts of command line options for ipmon + +fix TCP urgent packet & offset testing and add LAND attack test for iptest + +fix grammar error in yacc grammar for iplang + +redirect (rdr) destination port bytes-wapped when it shouldn't be. + +general: fr_check now returns error code, such as EHOSTUNREACH or +ECONNRESET (attempt to make ECONNRESET work for locally outbound +packets). + +linux: enable return-rst, need to filter tcp retransmits which are sent + separately from normal packets + +memory leak plugged in ip_proxy.c + +BSDI compatibility patches from Guido + +tcp checksum fix - Marc Boucher + +recursive mutex and ioctl param fix - Marc Boucher + 3.2.1 12/11/97 - Released port to BSD/OS 3.0 diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT index 00272f2b1f53..d706c3626da0 100644 --- a/contrib/ipfilter/IMPORTANT +++ b/contrib/ipfilter/IMPORTANT @@ -36,6 +36,11 @@ otherwise not have been (due to the ports not). This behaviour has subsequently been fixed. +3) + +If you have BOTH GNU make and the normal make shipped with your system, +DO NOT use the GNU make to build this package. + Darren darrenr@cyber.com.au **************************************** diff --git a/contrib/ipfilter/INSTALL.BSDOS3 b/contrib/ipfilter/INSTALL.BSDOS3 new file mode 100644 index 000000000000..8842b981911c --- /dev/null 
+++ b/contrib/ipfilter/INSTALL.BSDOS3 @@ -0,0 +1,44 @@ + +BSD/OS 3.x users. +----------------- + +First, you will need to either: +(a) have a source license for the kernel so you can patch some files or +(b) obtain the relevant pre-compiled .o files (I can't supply these yet). + +The files which you will need patched are: +ip_input.c, ip_output.c (maybe in_proto.c and ioconf.c.i386 too - NOT sure). + +First, you need to build IP Filter. Do this from the "ip_fil3.2.x" +directory with the command "make bsdos". If this completes successfully, +install the various bits and pieces with "make install-bsd". + +Prior to starting, it is a good idea for you to know what your kernel config +file is (it appears that the script guesses incorrectly at present). + +Once you have that in mind, run the 'kinstall' script in the BSDOS3 +directory. This will attempt to patch a bunch of files. If you've +obtained the relevant .o files, ignore the errors, otherwise please +report them to me and mention which version of BSD/OS you are using +and on what platform (Sparc, i386, etc). It will also go and install +all the IP Filter .c and .h files where they can be find when it comes +time to build the kernel. + +The script will then pause and ask you for your kernel configuration +file. After you enter this, it will add "options IPFILTER" to your +kernel configuration file. IF YOU WANT TO DO LOGGING, ADD +"options IPFILTER_LOG" to your kernel configuration file NOW! + +Now that you've got your kernel configuration file done, use config +to setup a new kernel build and complete with make. + +When the kernel rebuilt is complete, put it into / and reboot with +your new kernel. If IP Filter has been configured into your kernel +correctly, you will see a message like this when your system boots: + +IP Filter: initialized. Default = pass all, Logging = enabled + +Upon logging in, the IP Filter commands ipfstat, et al, should all +function properly. + +Darren 
diff --git a/contrib/ipfilter/INSTALL.IRIX b/contrib/ipfilter/INSTALL.IRIX new file mode 100644 index 000000000000..b64d4349879b --- /dev/null +++ b/contrib/ipfilter/INSTALL.IRIX 
@@ -0,0 +1,108 @@ + +IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3 +as well. Under IRIX 5.3, it has been successfully compiled and linked in the +kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported. + +To build a kernel with the IP filter and install it on your system, +follow these steps: + + 1. edit the top-level Makefile to + a) comment-out the IPFLKM definition. + This means changing the line reading: + IPFLKM=-DIPFILTER_LKM + to + #IPFLKM=-DIPFILTER_LKM + b) select the system's compiler (cc) + This means changing the line reading: + CC=gcc + to + CC=cc + b) enable full optimization + This means changing the lines reading: + DEBUG=-g + CFLAGS=-I$$(TOP) + to + DEBUG= + CFLAGS=-O2 -I$$(TOP) + + 1. do "make irix" (Warning: GNU make is not supported, so if it has + been installed on your system, verify your path and/or do "which make" + to guarantee that IRIX's /sbin/make has precedence) + + 2. do "make install-irix" as root + (a new kernel will be automatically built) + + 3. determine the filtering rules and place them in /etc/ipf.conf + and /etc/ipnat.conf + + 4. do "init 6" as root to reboot with the new kernel + + After restarting, the filter should be active and behaving according to + the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf. + + These files can be changed at any time, and reloaded using the + following command sequence: + + # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start + + +To remove the IP Filter from your kernel, follow these steps: + + 1. Delete the /var/sysgen/boot/ipfilter.o file + + # rm /var/sysgen/boot/ipfilter.o + + 2. If SGI's ipfilter.o had been previously installed, restore it + back to its original location + + # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o + + 3. Build a new kernel + + # /etc/autoconfig + + 4. Delete the /etc/rc2.d/S33ipf symbolic link + + # rm /etc/rc2.d/S33ipf + + 5. 
Reboot + + # init 6 + + +ADDITIONAL NOTES: + + - The IP filter uses the same kernel interface to the IP driver as + SGI's ipfilter. In fact, it is installed in place of SGI's + /var/sysgen/boot/ipfilter.o module, after renaming it (if installed) + to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's + ipfilterd daemon is not running simultaneously, since this package uses + the same major device number. + + - We have not tested IP Filter on a multiprocessor machine yet. + However, feel free to try it and send your experiences/patches + back to marc@CAM.ORG. SGI prescribes that kernel code be built on such + systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should + probably be uncommented on the DFLAGS line of IRIX/Makefile if your + machine has more than one processor. + + - It is also possible to build IP Filter as a dynamically loadable + kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the + top-level Makefile), but this is not recommended other than for testing + and debugging purposes, because the only possible method for dynamic + attachment to the IP stack (instruction patching) is highly dependent + on the processor architecture. The code provided has only been tested + with IP22 CPU boards and can sometime cause panics during loading due + to a potential race condition. + + +CREDITS: + + IP Filter was ported to IRIX by Marc Boucher + + Marc Boucher wishes to thank the + ICARI Institute (http://www.icari.qc.ca) + and + Aurelio Cascio + for their financial support and testing facilities, respectively. + diff --git a/contrib/ipfilter/INSTALL.Linux b/contrib/ipfilter/INSTALL.Linux new file mode 100644 index 000000000000..c190095fddf1 --- /dev/null +++ b/contrib/ipfilter/INSTALL.Linux 
@@ -0,0 +1,49 @@ +IP-Filter on Linux 2.0.31 +------------------------- + +NOTE: I have *ONLY* compiled and created patches for using IP Filter on + Linux 2.0.31. Any other kernel revision may need seprate patches. + Also, I've only tested on a x86 CPU so I can't make any guarantees + about it working on Sparc/Mac/Amiga. + +First, you should do a sanity check of your system to make sure it will +compile IP Filter. You will need a "libfl" and a "libelf". If you don't +have these, install them before proceeding. + +The installation and compiliation process assumes that Linux 2.0.31 +will be in the /usr/src/linux directory and that all the symbolic links +in /usr/include match. /usr/src/linux may be a symbolic link too, but +it must point to a 2.0.31 kernel source tree. + +The first step is to make the IP Filter binaries. Do this with a +"make linux" from the ip_fil3.2.x directory. If this completes with +no errors, install IP Filter with a "make install-linux". + +Now that the user part of it is complete, it is time to work on the +kernel. To start this off, run "Linux/kinstall". This will patch your +kernel source code and configuration files so you can enabled IP Filter. +You must now go to /usr/src/linux and configure your kernel using one of +the available interfaces to enable IP Filter. IP Filter will be presented +as a three way choice "y/m/n" - select "m" to enable it. Save your kernel +configuration file, rebuild, install and reboot with the new kernel. + +When you've rebooted with the new kernel, you should be able to load +IP Filter with the command "insmod if_ipl". All going will, you will +see a message like this on your console: + +IP Filter: initialized. Default = pass all, Logging = enabled + +indicating that IP Filter has successfully been loaded into the kernel +and is awaiting. + +Darren + +Features Not Available on Linux, yet: + +- compiled into the kernel +" in on to ..." +" in on dup-to ..." +" in on fastroute ..." +"block return-rst ..." 
+"map ... proxy ..." (Linux's masquerading is better at present) + diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD index cc48d17325b7..847871203f66 100644 --- a/contrib/ipfilter/INSTALL.NetBSD +++ b/contrib/ipfilter/INSTALL.NetBSD @@ -36,12 +36,17 @@ To build a kernel with the IP filter, follow these steps: run "NetBSD/kinstall" as root 3(b) NetBSD 1.2 systems or later: run "NetBSD-1.2/kinstall" as root + 3(c) If conf.c fails on the 2nd hunk of the patch, you will have to + manually apply the patch. 4. build a new kernel 5. create /dev/ipl with "mknod /dev/ipl c 59 0". (for NetBSD-1.2, use "mknod /dev/ipl c 49 0") + ** NOTE: both the numbers 49 and 59 should be substituted with + whatever number you inserted it into conf.c as. + 6. install and reboot with the new kernel Darren Reed diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2 index 6ed6473579dc..1939c265663e 100644 --- a/contrib/ipfilter/INSTALL.Sol2 +++ b/contrib/ipfilter/INSTALL.Sol2 @@ -6,14 +6,14 @@ Type "make solaris" to build all the required binaries. Once IP Filter has been successfully compiled, you may then install it using the usual package method (using pkgadd), however, the package needs to be -created, prior to pkgadd'ing. To create the package in /var/spoo/pkg, change +created, prior to pkgadd'ing. To create the package in /var/spool/pkg, change directory to SunOS5 and enter the following command: make package -If you wish to then install it using `pkgadd', run the following command: - -pkgadd -s '/var/spool/pkg' +This will build the package into SunOS5//root, copy that to +/var/spool/pkg as a package and then start the installation using +pkgadd. As part of the postinstall script, it will install loadable kernel module as part of Solaris 2 (using add_drv) making it available for immeadiate use. diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index a5756bb28d66..a48ad31e5907 100644 --- a/contrib/ipfilter/Makefile 
+++ b/contrib/ipfilter/Makefile @@ -5,7 +5,7 @@ # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.0.2.26.2.1 1997/11/12 10:40:21 darrenr Exp $ +# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin @@ -13,6 +13,7 @@ MANDIR=/usr/local/man #To test prototyping #CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror CC=gcc +#CC=cc -Dconst= DEBUG=-g CFLAGS=-I$$(TOP) CPU=`uname -m` @@ -65,6 +66,7 @@ all: @echo "bsd - compile for generic 4.4BSD systems" @echo "bsdi - compile for BSD/OS" @echo "irix - compile for SGI IRIX" + @echo "linux - compile for Linux 2.0.31+" @echo "" tests: @@ -118,8 +120,8 @@ bsd: include bsdi bsdos: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..) irix IRIX: include make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)" diff --git a/contrib/ipfilter/buildlinux b/contrib/ipfilter/buildlinux new file mode 100755 index 000000000000..7ce043fc6e6a --- /dev/null +++ b/contrib/ipfilter/buildlinux @@ -0,0 +1,16 @@ +#!/bin/sh +LINUX=`uname -r | perl -e '$_=<>;@F=split(/\./);printf "%02d%02d\n",$F[0],$F[1];';` + +case ${LINUX} in + 0200) + make linuxrev "LINUXK=-DLINUX=${LINUX}" + ;; + 0201) + make linuxrev "LINUXK=-DLINUX=${LINUX}" + ;; + *) + echo "invalid linux version $LINUX" + exit 1; + ;; +esac +exit 0 diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index 4c0f8c1b74d6..58c28e14126b 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c 
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $"; #endif #include @@ -73,7 +73,7 @@ extern int opts; second; } # define FR_VERBOSE(verb_pr) verbose verb_pr # define FR_DEBUG(verb_pr) debug verb_pr -# define SEND_RESET(ip, qif, if) send_reset(ip, if) +# define SEND_RESET(ip, qif, if, m) send_reset(ip, if) # define IPLLOG(a, c, d, e) ipllog() # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) # if SOLARIS @@ -98,7 +98,12 @@ extern kmutex_t ipf_mutex, ipf_auth; icmp_error(ip, t, c, if, src) # else /* SOLARIS */ # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) -# define SEND_RESET(ip, qif, if) send_reset((struct tcpiphdr *)ip) +# ifdef linux +# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\ + ifp) +# else +# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip) +# endif # ifdef __sgi # define ICMP_ERROR(b, ip, t, c, if, src) \ icmp_error(b, t, c, if, src, if) @@ -553,7 +558,7 @@ int out; fr_info_t frinfo, *fc; register fr_info_t *fin = &frinfo; frentry_t *fr = NULL; - int pass, changed, apass; + int pass, changed, apass, error = EHOSTUNREACH; #if !SOLARIS || !defined(_KERNEL) register mb_t *m = *mp; #endif @@ -767,10 +772,11 @@ logit: # else # ifndef linux mc = m_copy(m, 0, M_COPYALL); +# else + ; # endif # endif #endif - if (pass & FR_PASS) frstats[out].fr_pass++; else if (pass & FR_BLOCK) { @@ -811,6 +817,9 @@ logit: frstats[1].fr_ret++; } #endif + } else { + if (pass & FR_RETRST) + error = ECONNRESET; } } @@ -842,8 +851,8 @@ logit: m_copyback(m, 0, up, hbuf); # endif # endif /* !linux */ - return (pass & FR_PASS) ? 0 : -1; -# else /* !SOLARIS */ + return (pass & FR_PASS) ? 0 : error; +# else /* !SOLARIS */ if (fr) { frdest_t *fdp = &fr->fr_tif; 
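Review bot: In the linux branch of the new SEND_RESET definition the body passes `ifp` rather than the macro's own `if` parameter, so every expansion silently depends on a variable named `ifp` being in scope at the call site instead of on the argument the caller supplied; `# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip, if)` uses the parameter as intended. The userland definition changed in the earlier hunk of this file now takes four parameters `(ip, qif, if, m)` while both kernel definitions here keep three, so unless the call sites are themselves conditional one of the two builds will fail on the argument count; the callers are outside this hunk and are worth checking.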
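Review bot: The added comment line ` * length is in bytes` in the ipf_cksum header repeats what the line directly above it already states (`len is in bytes`), so it adds noise rather than information. Drop it, or fold both into one line that gives the whole contract, ` * addr must be 16-bit aligned; len is the number of bytes to sum`.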
@@ -855,7 +864,7 @@ logit: if (mc) ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif); } - return (pass & FR_PASS) ? changed : -1; + return (pass & FR_PASS) ? changed : error; # endif /* !SOLARIS */ #else /* _KERNEL */ if (pass & FR_NOMATCH) @@ -872,6 +881,7 @@ logit: /* * ipf_cksum * addr should be 16bit aligned and len is in bytes. + * length is in bytes */ u_short ipf_cksum(addr, len) register u_short *addr; @@ -900,10 +910,11 @@ register int len; * and the TCP header. We also assume that data blocks aren't allocated in * odd sizes. */ -u_short fr_tcpsum(m, ip, tcp) +u_short fr_tcpsum(m, ip, tcp, len) mb_t *m; ip_t *ip; tcphdr_t *tcp; +int len; { union { u_char c[2]; @@ -911,7 +922,6 @@ tcphdr_t *tcp; } bytes; u_long sum; u_short *sp; - int len; # if SOLARIS || defined(__sgi) int add, hlen; # endif @@ -926,9 +936,9 @@ tcphdr_t *tcp; /* * Add up IP Header portion */ - len = ip->ip_len - (ip->ip_hl << 2); bytes.c[0] = 0; bytes.c[1] = IPPROTO_TCP; + len -= (ip->ip_hl << 2); sum = bytes.s; sum += htons((u_short)len); sp = (u_short *)&ip->ip_src; @@ -994,13 +1004,13 @@ tcphdr_t *tcp; goto nodata; while (len > 0) { #if SOLARIS - if ((caddr_t)sp >= (caddr_t)m->b_wptr) { + while ((caddr_t)sp >= (caddr_t)m->b_wptr) { m = m->b_cont; PANIC((!m),("fr_tcpsum: not enough data")); sp = (u_short *)m->b_rptr; } #else - if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) + while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { m = m->m_next; PANIC((!m),("fr_tcpsum: not enough data")); @@ -1009,7 +1019,11 @@ tcphdr_t *tcp; #endif /* SOLARIS */ if (len < 2) break; - sum += *sp++; + if((u_long)sp & 1) { + bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); + sum += bytes.s; + } else + sum += *sp++; len -= 2; } if (len) { 
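Review bot: `len` is now supplied by the caller, but the new `len -= (ip->ip_hl << 2)` is not checked against it, so a value smaller than the IP header length goes negative, `htons((u_short)len)` folds the wrapped value into the pseudo-header and the `while (len > 0)` data loop is skipped, yielding a silently wrong checksum instead of a detectable failure. The function has no error return, so the precondition belongs in the header comment and on the callers: ` * len is the total IP length in bytes and must cover both the IP and TCP headers.` The body of fr_tcpsum continues past this hunk; the `if`→`while` change in the following hunk does handle empty mbufs in the chain, which the old code walked off.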
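Review bot: The new odd-pointer branch copies two bytes starting at `sp` although the boundary test just above only established that `sp` itself lies inside the current mbuf, so its safety rests on the assumption in the function's header comment that data blocks are never odd-sized; that reasoning is not visible at the branch, and a comment would preserve it: `/* unaligned: copy out 2 bytes; cannot straddle mbufs because blocks are even-sized (see header) */`. If that assumption fails on some platform the read at the end of a block goes one byte past `m_len`, so it is worth confirming on the Solaris `b_rptr` path too.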
@@ -1059,7 +1073,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $ + * $Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1258,11 +1272,11 @@ frentry_t *list, **listp; } -void frflush(unit, data) +void frflush(unit, result) int unit; -caddr_t data; +int *result; { - int flags = *(int *)data, flushed = 0, set = fr_active; + int flags = *result, flushed = 0, set = fr_active; bzero((char *)frcache, sizeof(frcache[0]) * 2); @@ -1286,5 +1300,5 @@ caddr_t data; } } - *(int *)data = flushed; + *result = flushed; } diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index aeda2eed2857..cfcfd991c5b6 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -46,7 +46,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.1 1997/11/06 21:21:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $"; #endif #ifdef _PATH_UNIX #define VMUNIX _PATH_UNIX @@ -258,7 +258,7 @@ struct friostat *fp; fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]); PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n", fp->f_froute[0], fp->f_froute[1]); - PRINTF("TCP cksum fails in:\t%lu\tout%lu\n", + PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n", fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad); PRINTF("Packet log flags set: (%#x)\n", frf); diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 3866ef083540..1fe90c3cb677 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h 
@@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.0.2.31.2.4 1997/11/12 10:48:43 darrenr Exp $ + * $Id: ip_compat.h,v 2.0.2.31.2.8 1997/12/02 13:42:52 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -50,17 +50,18 @@ struct ether_addr { }; #endif -#ifdef __sgi -# ifdef IPFILTER_LKM -# define IPL_PRFX ipl -# define IPL_EXTERN(ep) ipl##ep -# else -# define IPL_PRFX ipfilter +#if defined(__sgi) && !defined(IPFILTER_LKM) +# ifdef __STDC__ # define IPL_EXTERN(ep) ipfilter##ep +# else +# define IPL_EXTERN(ep) ipfilter/**/ep # endif #else -# define IPL_PRFX ipl -# define IPL_EXTERN(ep) ipl##ep +# ifdef __STDC__ +# define IPL_EXTERN(ep) ipl##ep +# else +# define IPL_EXTERN(ep) ipl/**/ep +# endif #endif #ifdef linux @@ -110,7 +111,8 @@ struct ether_addr { /* * These operating systems already take care of the problem for us. */ -#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \ + defined(__sgi) typedef u_int32_t u_32_t; #else /* @@ -689,6 +691,7 @@ typedef struct icmp icmphdr_t; typedef struct ip ip_t; typedef struct ether_header ether_header_t; #endif /* linux */ +typedef struct tcpiphdr tcpiphdr_t; #if defined(hpux) || defined(linux) struct ether_addr { diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index c3c758e74396..d518d1793af0 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.2 1997/11/12 10:49:25 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $"; #endif #ifndef SOLARIS 
@@ -275,7 +275,7 @@ int ipldetach() fr_checkp = fr_savep; inetsw[0].pr_slowtimo = fr_saveslowtimo; - frflush(IPL_LOGIPF, (caddr_t)&i); + frflush(IPL_LOGIPF, &i); ipl_inited = 0; # ifdef NETBSD_PF @@ -339,7 +339,7 @@ struct proc *p; ) #endif dev_t dev; -#if defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) u_long cmd; #else int cmd; @@ -351,7 +351,7 @@ int mode; #if defined(_KERNEL) && !SOLARIS int s; #endif - int error = 0, unit = 0; + int error = 0, unit = 0, tmp; #ifdef _KERNEL unit = GET_MINOR(dev); @@ -460,8 +460,11 @@ int mode; case SIOCIPFFL : if (!(mode & FWRITE)) error = EPERM; - else - frflush(unit, data); + else { + IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); + frflush(unit, &tmp); + IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); + } break; #ifdef IPFILTER_LOG case SIOCIPFFB : @@ -786,7 +789,7 @@ struct tcpiphdr *ti; struct tcpiphdr *tp; struct tcphdr *tcp; struct mbuf *m; - int tlen = 0; + int tlen = 0, err; ip_t *ip; # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) struct route ro; @@ -837,16 +840,16 @@ struct tcpiphdr *ti; # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) bzero((char *)&ro, sizeof(ro)); - (void) ip_output(m, (struct mbuf *)0, &ro, 0, 0); + err = ip_output(m, (struct mbuf *)0, &ro, 0, 0); if (ro.ro_rt) RTFREE(ro.ro_rt); # else /* * extra 0 in case of multicast */ - (void) ip_output(m, (struct mbuf *)0, 0, 0, 0); + err = ip_output(m, (struct mbuf *)0, 0, 0, 0); # endif - return 0; + return err; } diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index 39cca349e319..2e2aaa7cb28d 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.2.39.2.4 1997/11/12 10:50:02 darrenr Exp $ + * $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $ */ #ifndef __IP_FIL_H__ 
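Review bot: The new SIOCIPFFL path fills `tmp` from the user-supplied `data` with IRCOPY and then hands it to frflush without checking whether the copy succeeded, so on a build where IRCOPY is a copyin-style call that can fail, `frflush` runs on the indeterminate value of `tmp` and IWCOPY writes the result back regardless. On such builds it should read `if (IRCOPY(data, (caddr_t)&tmp, sizeof(tmp))) { error = EFAULT; break; }`; where IRCOPY is a plain bcopy this does not apply, but that is only inferred here since its definition is outside the hunk. The ip_lfil.c SIOCIPFFL hunk later in this patch has the same shape. The enclosing iplioctl body begins and ends outside the hunk.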
@@ -94,10 +94,10 @@ typedef struct fr_ip { u_short fi_auth; } fr_ip_t; -#define FI_OPTIONS 0x01 -#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */ -#define FI_FRAG 0x04 -#define FI_SHORT 0x08 +#define FI_OPTIONS (FF_OPTIONS >> 24) +#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/ +#define FI_FRAG (FF_FRAG >> 24) +#define FI_SHORT (FF_SHORT >> 24) typedef struct fr_info { struct fr_ip fin_fi; @@ -381,7 +381,7 @@ extern int ipf_log __P((void)); extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); extern struct ifnet *get_unit __P((char *)); # define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) -# if defined(__NetBSD__) || defined(__OpenBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); # else extern int iplioctl __P((dev_t, int, caddr_t, int)); @@ -423,7 +423,11 @@ extern int iplread __P((dev_t, struct uio *, cred_t *)); # else /* SOLARIS */ extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); -extern int send_reset __P((struct tcpiphdr *)); +# ifdef linux +extern int send_reset __P((tcpiphdr_t *, struct ifnet *)); +# else +extern int send_reset __P((tcpiphdr_t *)); +# endif extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *)); extern size_t mbufchainlen __P((mb_t *)); # ifdef __sgi @@ -442,7 +446,7 @@ extern int iplidentify __P((char *)); # endif # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ (NetBSD >= 199511) -# ifdef __NetBSD__ +# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); # else extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); 
@@ -491,12 +495,12 @@ extern int iplread(struct inode *, struct file *, char *, int); #endif extern int ipldetach __P((void)); -extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *)); +extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int)); #define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); extern u_short ipf_cksum __P((u_short *, int)); extern int fr_copytolog __P((int, char *, int)); -extern void frflush __P((int, caddr_t)); +extern void frflush __P((int, int *)); extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int)); extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***)); extern void fr_delgroup __P((u_short, u_32_t, int, int)); diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c index 364bb305449a..b64fb02e72fd 100644 --- a/contrib/ipfilter/ip_lfil.c +++ b/contrib/ipfilter/ip_lfil.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:57 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -49,6 +49,9 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 da #include "netinet/ip_frag.h" #include "netinet/ip_state.h" #include "netinet/ip_auth.h" +#ifdef _KERNEL +#include +#endif #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif @@ -143,7 +146,7 @@ int ipldetach() } fr_checkp = fr_savep; - frflush(IPL_LOGIPF, (caddr_t)&i); + frflush(IPL_LOGIPF, &i); ipl_inited = 0; ipfr_unload(); @@ -197,7 +200,7 @@ int iplioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg) int iplioctl(dev_t dev, int cmd, caddr_t data, int mode) { #endif - int error = 0, unit = 0; + int error = 0, unit = 0, tmp; #ifdef _KERNEL unit = GET_MINOR(inode->i_rdev); 
@@ -305,8 +308,11 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
 case SIOCIPFFL :
 if (!(mode & FWRITE))
 error = EPERM;
- else
- frflush(unit, data);
+ else {
+ IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
+ frflush(unit, &tmp);
+ IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
+ }
 break;
 #ifdef IPFILTER_LOG
 case SIOCIPFFB :
@@ -577,54 +583,53 @@ int iplread(struct inode *inode, struct file *file, char *buf, int nbytes) * send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ -int send_reset(ti) +int send_reset(ti, ifp) struct tcpiphdr *ti; +struct ifnet *ifp; { -#if notyet - struct tcpiphdr *tp; tcphdr_t *tcp; - seq_t seq; int tlen = 0; ip_t *ip; mb_t *m; if (ti->ti_flags & TH_RST) return -1; /* feedback loop */ - m = alloc_skb(MAX_HEADER + sizeof(*ti), GFP_ATOMIC); + + m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC); if (m == NULL) return -1; if (ti->ti_flags & TH_SYN) tlen = 1; - m->m_len = sizeof (struct tcpiphdr); - bzero(mtod(m, char *), sizeof(struct tcpiphdr)); - ip = mtod(m, ip_t *); - tp = mtod(m, struct tcpiphdr *); - tcp = (tcphdr_t *)((char *)ip + sizeof(struct ip)); + m->dev = ifp; + m->csum = 0; + ip = mtod(m, ip_t *); + m->h.iph = ip; + m->ip_hdr = NULL; + m->m_len = sizeof(tcpiphdr_t); + tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t)); + bzero((char *)ip, sizeof(tcpiphdr_t)); + + ip->ip_v = IPVERSION; + ip->ip_hl = sizeof(ip_t) >> 2; + ip->ip_tos = ((ip_t *)ti)->ip_tos; + ip->ip_p = ((ip_t *)ti)->ip_p; + ip->ip_id = ((ip_t *)ti)->ip_id; + ip->ip_len = htons(sizeof(tcpiphdr_t)); + ip->ip_ttl = 127; ip->ip_src.s_addr = ti->ti_dst.s_addr; ip->ip_dst.s_addr = ti->ti_src.s_addr; tcp->th_dport = ti->ti_sport; tcp->th_sport = ti->ti_dport; - seq = ntohl(ti->ti_seq); - tcp->th_ack = htonl(seq + tlen); + tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen); tcp->th_off = sizeof(tcphdr_t) >> 2; tcp->th_flags = TH_RST|TH_ACK; - tp->ti_pr = ((ip_t *)ti)->ip_p; - tp->ti_len = htons(sizeof(struct tcphdr)); - tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr)); - - ip->ip_tos = ((ip_t *)ti)->ip_tos; - ip->ip_p = ((ip_t *)ti)->ip_p; - ip->ip_len = sizeof (struct tcpiphdr); - ip->ip_ttl = 255; - - /* - * extra 0 in case of multicast - */ - (void) ip_output(m, (mb_t *)0, 0, 0, 0); - return 0; -#endif + + 
ip->ip_sum = 0; + ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t)); + tcp->th_sum = fr_tcpsum(m, ip, tcp, sizeof(tcpiphdr_t)); + return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr); } diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c index 6440124c6f91..81e89e5c022b 100644 --- a/contrib/ipfilter/ip_log.c +++ b/contrib/ipfilter/ip_log.c @@ -5,17 +5,17 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_log.c,v 2.0.2.13.2.2 1997/11/12 10:52:21 darrenr Exp $ + * $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $ */ #ifdef IPFILTER_LOG # ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) # endif +# if defined(KERNEL) && !defined(_KERNEL) +# define _KERNEL +# endif # ifdef __FreeBSD__ -# if defined(KERNEL) && !defined(_KERNEL) -# define _KERNEL -# endif # if defined(_KERNEL) && !defined(IPFILTER_LKM) # include # else diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index e1774b34bb05..0b6c07fc9b4f 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.3 1997/11/12 10:53:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.7 1997/12/02 13:54:27 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -317,6 +317,7 @@ int mode; break; } ret = nat_flushtable(); + (void) ap_unload(); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case SIOCCNATL : 
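Review bot: The reset built here always leaves `th_seq` at zero and sets TH_RST|TH_ACK, with `th_ack` taken from the incoming sequence number plus one only for SYN, so for any incoming segment that has ACK set (every segment of an established connection) or that carries data, the peer's sequence check does not match and the RST is liable to be discarded instead of tearing the connection down. RFC 793 has the reset take its sequence number from the incoming ACK field when ACK is present, and otherwise acknowledge seq plus the whole segment length; the rewrite below keeps the SYN case and adds the ACK case (the payload length is left out because the byte order of `ip_len` on this path is not visible here). Separately, the skb is now allocated with exactly `sizeof(tcpiphdr_t)` bytes where the old code reserved `MAX_HEADER` in front, so if the device output path prepends a link-layer header it will have to copy the buffer, and `127` for the TTL is a bare literal that deserves a named constant. All of send_reset lies inside this hunk.
```c
	if (ti->ti_flags & TH_SYN)
		tlen = 1;
	/* … unchanged: skb setup and IP header fill-in … */
	tcp->th_dport = ti->ti_sport;
	tcp->th_sport = ti->ti_dport;
	if (ti->ti_flags & TH_ACK) {
		/* RFC 793: a reset answering an ACK-bearing segment takes
		 * its SEQ from that segment's ACK field and carries no ACK. */
		tcp->th_seq = ti->ti_ack;
		tcp->th_flags = TH_RST;
	} else {
		tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
		tcp->th_flags = TH_RST|TH_ACK;
	}
	tcp->th_off = sizeof(tcphdr_t) >> 2;
	/* … unchanged: checksums and ip_forward … */
```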
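Review bot: `(void) ap_unload();` casts away the result of a function that ip_proxy.c in this same commit defines as returning `void`, so the cast is noise and `ap_unload();` reads cleaner. Whether this call runs under the ipf_nat mutex the rest of the NAT ioctl path uses is not visible in the hunk; if it does not, freeing every proxy session right after the table flush should be checked against concurrent packet processing that may still reference those sessions.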
@@ -513,18 +514,14 @@ struct in_addr *inp; /* * Create a new NAT table entry. */ -#ifdef __STDC__ -nat_t *nat_new(ipnat_t *np, ip_t *ip, fr_info_t *fin, u_short flags, int direction) -#else nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; u_short flags; int direction; -#endif { - register u_long sum1, sum2, sumd; + register u_long sum1, sum2, sumd, l; u_short port = 0, sport = 0, dport = 0, nport = 0; struct in_addr in; tcphdr_t *tcp = NULL; @@ -554,13 +551,22 @@ int direction; * If it's an outbound packet which doesn't match any existing * record, then create a new port */ + l = 0; do { + l++; port = 0; in.s_addr = np->in_nip; if (!in.s_addr && (np->in_outmsk == 0xffffffff)) { - if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) + if ((l > 1) || + nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) { + KFREE(nat); return NULL; + } } else if (!in.s_addr && !np->in_outmsk) { + if (l > 1) { + KFREE(nat); + return NULL; + } in.s_addr = ntohl(ip->ip_src.s_addr); if (nflags & IPN_TCPUDP) port = sport; @@ -609,7 +615,7 @@ int direction; * internal port. */ in.s_addr = ntohl(np->in_inip); - if (!(nport = htons(np->in_pnext))) + if (!(nport = np->in_pnext)) nport = dport; nat->nat_inip.s_addr = htonl(in.s_addr); @@ -1083,7 +1089,7 @@ fr_info_t *fin; (void) ap_check(ip, tcp, fin, nat); nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); - return 1; + return -2; } MUTEX_EXIT(&ipf_nat); return 0; @@ -1212,7 +1218,7 @@ fr_info_t *fin; } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); - return 1; + return -2; } MUTEX_EXIT(&ipf_nat); return 0; @@ -1257,6 +1263,9 @@ void ip_natexpire() nat_delete(nat); nat_stats.ns_expire++; } + + ap_expire(); + MUTEX_EXIT(&ipf_nat); SPL_X(s); } diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c index cea27f6ca0cb..cc3b9a0d032e 100644 --- a/contrib/ipfilter/ip_proxy.c +++ b/contrib/ipfilter/ip_proxy.c 
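Review bot: The failure paths added to the address-selection loop duplicate `KFREE(nat); return NULL;` in two places, and the retry bound is the bare literal in `l > 1` repeated in both; a single label at the end of nat_new (`bail: KFREE(nat); return NULL;`) reached with `goto bail` keeps the cleanup in one place as the loop grows, and naming the bound makes the intent visible. `l` is also declared `register u_long` alongside the checksum accumulators although it only counts loop passes; an `int` with a descriptive name reads better. nat_new continues past the end of this hunk, so anything it acquires before this loop and must release on these paths is not visible here.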
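Review bot: The outbound NAT function whose tail is in this hunk (and its inbound counterpart in the -1212 hunk) now returns -2 instead of 1 after a successful translation, so any caller that tested for a positive result silently takes the other branch; the callers are in fil.c, outside this chunk, and should be confirmed to treat -2 as the translated case. A one-line comment above each `return -2;` naming the meaning of the value, e.g. `/* -2: packet rewritten, see the caller in fil.c */`, would keep the two sites from drifting apart again.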
@@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.2 1997/11/12 10:54:11 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -226,7 +226,7 @@ nat_t *nat; * don't do anything with this packet. */ if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp, - ip, tcp)) { + ip, tcp, ip->ip_len)) { frstats[fin->fin_out].fr_tcpbad++; return -1; } @@ -246,7 +246,8 @@ nat_t *nat; aps, nat); } if (err == 2) { - tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); + tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, + tcp, ip->ip_len); err = 0; } return err; @@ -298,3 +299,21 @@ void ap_unload() aps_free(aps); } } + + +void ap_expire() +{ + ap_session_t *aps, **apsp; + int i; + + for (i = 0; i < AP_SESS_SIZE; i++) + for (apsp = &ap_sess_tab[i]; (aps = *apsp); ) { + aps->aps_tout--; + if (!aps->aps_tout) { + ap_sess_tab[i] = aps->aps_next; + aps_free(aps); + *apsp = aps->aps_next; + } else + apsp = &aps->aps_next; + } +} diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h index 2f71316a6800..a361e9368ada 100644 --- a/contrib/ipfilter/ip_proxy.h +++ b/contrib/ipfilter/ip_proxy.h @@ -5,7 +5,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_proxy.h,v 2.0.2.10 1997/10/19 15:39:23 darrenr Exp $ + * $Id: ip_proxy.h,v 2.0.2.10.2.1 1997/11/27 09:33:27 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -88,5 +88,6 @@ extern void ap_free __P((aproxy_t *)); extern void aps_free __P((ap_session_t *)); extern int ap_check __P((ip_t *, tcphdr_t *, fr_info_t *, struct nat *)); extern aproxy_t *ap_match __P((u_char, char *)); +extern void ap_expire __P((void)); #endif /* __IP_PROXY_H__ */ 
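Review bot: `fr_tcpsum` is passed `ip->ip_len` as its new length argument here and in the -246 hunk, while send_reset in ip_lfil.c passes a host-order `sizeof(tcpiphdr_t)` for the same parameter immediately after storing `htons(...)` into `ip_len`; the two callers only agree if `ip_len` is in host byte order by the time ap_check runs. That is the BSD convention at the filter hook, but ip_lfil.c builds packets with network-order lengths, so the Linux path should be checked to convert before reaching this code (fr_tcpsum itself is in fil.c, outside this chunk). A comment on the parameter in ip_fil.h, `/* len: total IP length, host byte order */`, would pin the contract down.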
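Review bot: In `ap_expire` the expiry branch frees the session with `aps_free(aps)` and then reads `aps->aps_next` through the freed pointer, and the line before it, `ap_sess_tab[i] = aps->aps_next;`, resets the bucket head even when `aps` is not the head, unlinking every earlier session in that chain so they are never reached again. Both go away by unlinking through `apsp` before freeing: `*apsp = aps->aps_next;` followed by `aps_free(aps);` and nothing else in that branch. `aps->aps_tout--` also runs on sessions whose timeout is already 0, which wraps if `aps_tout` is unsigned; whether session creation always stores a non-zero value is not visible here.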
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 5192f93ece07..0677b94113f9 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.3 1997/11/12 10:54:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55:39 darrenr Exp $"; #endif #include @@ -76,7 +76,7 @@ int ipldetach() ipflog_clear(i); untimeout(ipfr_timer_id); i = FR_INQUE|FR_OUTQUE; - frflush(IPL_LOGIPF, (caddr_t)&i); + frflush(IPL_LOGIPF, &i); ipfr_unload(); fr_stateunload(); ip_natunload(); @@ -250,9 +250,11 @@ int *rp; case SIOCIPFFL : if (!(mode & FWRITE)) return EPERM; + IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); mutex_enter(&ipf_mutex); - frflush(unit, (caddr_t)data); + frflush(unit, &tmp); mutex_exit(&ipf_mutex); + IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); break; #ifdef IPFILTER_LOG case SIOCIPFFB : diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index cc14c1a9d9e6..bffb17b7fa45 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.3 1997/11/12 10:55:34 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) @@ -179,9 +179,7 @@ int mode; case SIOCIPFFL : IRCOPY(data, (caddr_t)&arg, sizeof(arg)); if (arg == 0 || arg == 1) { - MUTEX_ENTER(&ipf_state); ret = fr_state_flush(arg); - MUTEX_EXIT(&ipf_state); IWCOPY((caddr_t)&ret, data, sizeof(ret)); } else error = EINVAL; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index 3c5af92b263c..4ad6bd312f5d 100644 
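Review bot: Dropping `MUTEX_ENTER(&ipf_state)`/`MUTEX_EXIT` around `fr_state_flush(arg)` leaves the flush unserialised against the packet path unless fr_state_flush now takes the lock itself, and the hunk does not show that. If the motivation was a non-recursive lock, a comment at the call site such as `/* fr_state_flush() takes ipf_state itself */` would record it; fr_state_flush is defined outside this chunk, so this should be confirmed against its body.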
--- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -11,6 +11,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter v3.2.1" +#define IPL_VERSION "IP Filter v3.2.3" #endif diff --git a/contrib/ipfilter/iplang/iplang.tst b/contrib/ipfilter/iplang/iplang.tst index 9a8c35e99507..a0a2ad3315ae 100644 --- a/contrib/ipfilter/iplang/iplang.tst +++ b/contrib/ipfilter/iplang/iplang.tst @@ -1,11 +1,11 @@ # -interface { ifname le0; mtu 1500; } +interface { ifname le0; mtu 1500; } ; ipv4 { src 1.1.1.1; dst 2.2.2.2; tcp { seq 12345; ack 0; sport 9999; dport 23; flags S; data { value "abcdef"; } ; - } -} -send { via 10.1.1.1; } + } ; +} ; +send { via 10.1.1.1; } ; diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l index c136e9108b1f..458a85206996 100644 --- a/contrib/ipfilter/iplang/iplang_l.l +++ b/contrib/ipfilter/iplang/iplang_l.l @@ -10,7 +10,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_l.l,v 2.0.2.15.2.1 1997/11/05 11:04:04 darrenr Exp $ + * $Id: iplang_l.l,v 2.0.2.15.2.2 1997/12/10 09:54:15 darrenr Exp $ */ #include #include @@ -164,6 +164,7 @@ rtime { return next_state(IL_ICMP_RTIME, -1); } ttime { return next_state(IL_ICMP_TTIME, -1); } icmpseq { return next_state(IL_ICMP_SEQ, -1); } icmpid { return next_state(IL_ICMP_SEQ, -1); } +\377 { return 0; } /* EOF */ \{ { push_proto(); return next_item('{'); } \} { pop_proto(); return next_item('}'); } \. { return next_item(IL_DOT); } @@ -210,11 +211,8 @@ void pop_proto() int save_token() { - static char *buf = NULL; - if (buf && (buf == yylval.str)) - free(buf); - buf = yylval.str = strdup(yytext); + yylval.str = strdup(yytext); return IL_TOKEN; } diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index 6d56bc5047c9..090668041045 100644 --- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y 
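Review bot: `save_token` now does `yylval.str = strdup(yytext);` for every token and no longer frees the previous buffer, so unless every grammar action that receives `&$1`/`&$2` in iplang_y.y releases the string (the set_* helpers are outside this chunk), each token is leaked for the life of the process. The `strdup` result is also unchecked, so a NULL would reach those actions as a string pointer; `if (!(yylval.str = strdup(yytext))) { perror("strdup"); exit(1); }` fails loudly instead. The new `\377 { return 0; }` rule makes a 0xFF byte in the input act as end of file, which silently truncates a script containing that byte; how the lexer comes to see 0xFF is not visible here and deserves a comment at the rule.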
@@ -6,7 +6,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_y.y,v 2.0.2.18.2.2 1997/11/05 11:04:19 darrenr Exp $ + * $Id: iplang_y.y,v 2.0.2.18.2.5 1997/12/10 09:54:45 darrenr Exp $ */ #include @@ -190,8 +190,8 @@ int yyparse __P((void)); %token IL_IPO_TS IL_IPO_TR IL_IPO_SEC IL_IPO_LSRR IL_IPO_ESEC %token IL_IPO_SATID IL_IPO_SSRR IL_IPO_ADDEXT IL_IPO_VISA IL_IPO_IMITD %token IL_IPO_EIP IL_IPO_FINN IL_IPO_SECCLASS IL_IPO_CIPSO IL_IPO_ENCODE -%token IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3 -%token IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1 +%token IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3 +%token IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1 %token IL_ICMP_ECHOREPLY IL_ICMP_UNREACH IL_ICMP_UNREACH_NET %token IL_ICMP_UNREACH_HOST IL_ICMP_UNREACH_PROTOCOL IL_ICMP_UNREACH_PORT %token IL_ICMP_UNREACH_NEEDFRAG IL_ICMP_UNREACH_SRCFAIL @@ -235,10 +235,10 @@ ifaceopts: ; ifaceopt: - IL_IFNAME token { set_ifname(&yylval.str); } - | IL_MTU number { set_ifmtu(yylval.num); } - | IL_V4ADDR token { set_ifv4addr(&yylval.str); } - | IL_EADDR token { set_ifeaddr(&yylval.str); } + IL_IFNAME token { set_ifname(&$2); } + | IL_MTU number { set_ifmtu($2); } + | IL_V4ADDR token { set_ifv4addr(&$2); } + | IL_EADDR token { set_ifeaddr(&$2); } ; send: sendhdr '{' sendbody '}' ';' { packet_done(); } @@ -255,8 +255,8 @@ sendbody: ; sendopt: - IL_IFNAME token { set_sendif(&yylval.str); } - | IL_VIA token { set_sendvia(&yylval.str); } + IL_IFNAME token { set_sendif(&$2); } + | IL_VIA token { set_sendvia(&$2); } ; arp: arphdr '{' arpbody '}' ';' 
@@ -270,12 +270,12 @@ arpbody: | arpbody arpopt ; -arpopt: IL_V4ADDR token { set_arpv4addr(&yylval.str); } - | IL_EADDR token { set_arpeaddr(&yylval.str); } +arpopt: IL_V4ADDR token { set_arpv4addr(&$2); } + | IL_EADDR token { set_arpeaddr(&$2); } ; defrouter: - IL_DEFROUTER token { set_defaultrouter(&yylval.str); } + IL_DEFROUTER token { set_defaultrouter(&$2); } ; bodyline: @@ -298,17 +298,17 @@ ipv4body: ; ipv4type: - IL_V4PROTO token { set_ipv4proto(&yylval.str); } - | IL_V4SRC token { set_ipv4src(&yylval.str); } - | IL_V4DST token { set_ipv4dst(&yylval.str); } - | IL_V4OFF token { set_ipv4off(&yylval.str); } - | IL_V4V token { set_ipv4v(&yylval.str); } - | IL_V4HL token { set_ipv4hl(&yylval.str); } - | IL_V4ID token { set_ipv4id(&yylval.str); } - | IL_V4TTL token { set_ipv4ttl(&yylval.str); } - | IL_V4TOS token { set_ipv4tos(&yylval.str); } - | IL_V4SUM token { set_ipv4sum(&yylval.str); } - | IL_V4LEN token { set_ipv4len(&yylval.str); } + IL_V4PROTO token { set_ipv4proto(&$2); } + | IL_V4SRC token { set_ipv4src(&$2); } + | IL_V4DST token { set_ipv4dst(&$2); } + | IL_V4OFF token { set_ipv4off(&$2); } + | IL_V4V token { set_ipv4v(&$2); } + | IL_V4HL token { set_ipv4hl(&$2); } + | IL_V4ID token { set_ipv4id(&$2); } + | IL_V4TTL token { set_ipv4ttl(&$2); } + | IL_V4TOS token { set_ipv4tos(&$2); } + | IL_V4SUM token { set_ipv4sum(&$2); } + | IL_V4LEN token { set_ipv4len(&$2); } | ipv4opt '{' ipv4optlist '}' ';' { end_ipopt(); } ; 
@@ -320,20 +320,21 @@ tcpline: ; tcpheader: - tcpbody tcpheader + tcpbody + | tcpbody tcpheader | bodyline ; tcpbody: - IL_SPORT token { set_tcpsport(&yylval.str); } - | IL_DPORT token { set_tcpdport(&yylval.str); } - | IL_TCPSEQ token { set_tcpseq(&yylval.str); } - | IL_TCPACK token { set_tcpack(&yylval.str); } - | IL_TCPOFF token { set_tcpoff(&yylval.str); } - | IL_TCPURP token { set_tcpurp(&yylval.str); } - | IL_TCPWIN token { set_tcpwin(&yylval.str); } - | IL_TCPSUM token { set_tcpsum(&yylval.str); } - | IL_TCPFL token { set_tcpflags(&yylval.str); } + IL_SPORT token { set_tcpsport(&$2); } + | IL_DPORT token { set_tcpdport(&$2); } + | IL_TCPSEQ token { set_tcpseq(&$2); } + | IL_TCPACK token { set_tcpack(&$2); } + | IL_TCPOFF token { set_tcpoff(&$2); } + | IL_TCPURP token { set_tcpurp(&$2); } + | IL_TCPWIN token { set_tcpwin(&$2); } + | IL_TCPSUM token { set_tcpsum(&$2); } + | IL_TCPFL token { set_tcpflags(&$2); } | IL_TCPOPT '{' tcpopts '}' ';' { end_tcpopt(); } ; @@ -343,9 +344,9 @@ tcpopts: tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); } | IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); } - | IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&yylval.str);} - | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&yylval.str);} - | IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &yylval.str);} + | IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);} + | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);} + | IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);} ; udp: IL_UDP { new_udpheader(); } @@ -363,10 +364,10 @@ udpheader: ; udpbody: - IL_SPORT token { set_tcpsport(&yylval.str); } - | IL_DPORT token { set_tcpdport(&yylval.str); } - | IL_UDPLEN token { set_udplen(&yylval.str); } - | IL_UDPSUM token { set_udpsum(&yylval.str); } + IL_SPORT token { set_tcpsport(&$2); } + | IL_DPORT token { set_tcpdport(&$2); } + | IL_UDPLEN token { set_udplen(&$2); } + | IL_UDPSUM token { set_udpsum(&$2); } ; icmp: IL_ICMP { new_icmpheader(); } 
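Review bot: The rewritten `IL_TCPO_WSCALE` action still passes `IL_TCPO_MSS` to `set_tcpopt`, so a window-scale option in the script is encoded as an MSS option; the line should read `| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);}`. The mistake predates this commit, but the action is rewritten here and this is the natural place to correct it.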
@@ -387,7 +388,7 @@ icmpheader: ; icmpcode: - IL_ICMPCODE token { set_icmpcodetok(&yylval.str); } + IL_ICMPCODE token { set_icmpcodetok(&$2); } ; icmptype: @@ -413,7 +414,7 @@ icmptype: | IL_ICMP_MASKREPLY '{' token '}' ';' | IL_ICMP_PARAMPROB ';' { set_icmptype(ICMP_PARAMPROB); } | IL_ICMP_PARAMPROB '{' paramprob '}' ';' - | IL_TOKEN ';' { set_icmptypetok(&yylval.str); } + | IL_TOKEN ';' { set_icmptypetok(&$1); } ; icmpechoopts: @@ -421,17 +422,17 @@ icmpechoopts: ; icmpecho: - IL_ICMP_SEQ number { set_icmpseq(yylval.num); } - | IL_ICMP_ID number { set_icmpid(yylval.num); } + IL_ICMP_SEQ number { set_icmpseq($2); } + | IL_ICMP_ID number { set_icmpid($2); } ; icmptsopts: | icmptsopts icmpts ';' ; -icmpts: IL_ICMP_OTIME number { set_icmpotime(yylval.num); } - | IL_ICMP_RTIME number { set_icmprtime(yylval.num); } - | IL_ICMP_TTIME number { set_icmpttime(yylval.num); } +icmpts: IL_ICMP_OTIME number { set_icmpotime($2); } + | IL_ICMP_RTIME number { set_icmprtime($2); } + | IL_ICMP_TTIME number { set_icmpttime($2); } ; unreach: @@ -444,7 +445,7 @@ unreachopts: | IL_ICMP_UNREACH_HOST line | IL_ICMP_UNREACH_PROTOCOL line | IL_ICMP_UNREACH_PORT line - | IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu(yylval.num); } + | IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu($2); } | IL_ICMP_UNREACH_SRCFAIL line | IL_ICMP_UNREACH_NET_UNKNOWN line | IL_ICMP_UNREACH_HOST_UNKNOWN line @@ -464,10 +465,10 @@ redirect: ; redirectopts: - | IL_ICMP_REDIRECT_NET token { set_redir(0, &yylval.str); } - | IL_ICMP_REDIRECT_HOST token { set_redir(1, &yylval.str); } - | IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &yylval.str); } - | IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &yylval.str); } + | IL_ICMP_REDIRECT_NET token { set_redir(0, &$2); } + | IL_ICMP_REDIRECT_HOST token { set_redir(1, &$2); } + | IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &$2); } + | IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &$2); } ; exceed: 
@@ -480,7 +481,7 @@ paramprob: | IL_ICMP_PARAMPROB_OPTABSENT paraprobarg paraprobarg: - '{' number '}' ';' { set_icmppprob(yylval.num); } + '{' number '}' ';' { set_icmppprob($2); } ; ipv4opt: IL_V4OPT { new_ipv4opt(); } @@ -492,7 +493,7 @@ ipv4optlist: ipv4opts: IL_IPO_NOP ';' { add_ipopt(IL_IPO_NOP, NULL); } - | IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &yylval.num); } + | IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &$2); } | IL_IPO_ZSU ';' { add_ipopt(IL_IPO_ZSU, NULL); } | IL_IPO_MTUP ';' { add_ipopt(IL_IPO_MTUP, NULL); } | IL_IPO_MTUR ';' { add_ipopt(IL_IPO_MTUR, NULL); } @@ -501,11 +502,11 @@ ipv4opts: | IL_IPO_TR ';' { add_ipopt(IL_IPO_TR, NULL); } | IL_IPO_SEC ';' { add_ipopt(IL_IPO_SEC, NULL); } | IL_IPO_SECCLASS secclass { add_ipopt(IL_IPO_SECCLASS, sclass); } - | IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&yylval.str); } + | IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&$2); } | IL_IPO_ESEC ';' { add_ipopt(IL_IPO_ESEC, NULL); } | IL_IPO_CIPSO ';' { add_ipopt(IL_IPO_CIPSO, NULL); } - | IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&yylval.num);} - | IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&yylval.str); } + | IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&$2);} + | IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&$2); } | IL_IPO_ADDEXT ';' { add_ipopt(IL_IPO_ADDEXT, NULL); } | IL_IPO_VISA ';' { add_ipopt(IL_IPO_VISA, NULL); } | IL_IPO_IMITD ';' { add_ipopt(IL_IPO_IMITD, NULL); } 
@@ -514,14 +515,14 @@ ipv4opts: ; secclass: - IL_IPS_RESERV4 ';' { set_secclass(&yylval.str); } - | IL_IPS_TOPSECRET ';' { set_secclass(&yylval.str); } - | IL_IPS_SECRET ';' { set_secclass(&yylval.str); } - | IL_IPS_RESERV3 ';' { set_secclass(&yylval.str); } - | IL_IPS_CONFID ';' { set_secclass(&yylval.str); } - | IL_IPS_UNCLASS ';' { set_secclass(&yylval.str); } - | IL_IPS_RESERV2 ';' { set_secclass(&yylval.str); } - | IL_IPS_RESERV1 ';' { set_secclass(&yylval.str); } + IL_IPS_RESERV4 ';' { set_secclass(&$1); } + | IL_IPS_TOPSECRET ';' { set_secclass(&$1); } + | IL_IPS_SECRET ';' { set_secclass(&$1); } + | IL_IPS_RESERV3 ';' { set_secclass(&$1); } + | IL_IPS_CONFID ';' { set_secclass(&$1); } + | IL_IPS_UNCLASS ';' { set_secclass(&$1); } + | IL_IPS_RESERV2 ';' { set_secclass(&$1); } + | IL_IPS_RESERV1 ';' { set_secclass(&$1); } ; data: IL_DATA { new_data(); } @@ -536,9 +537,9 @@ databody: dataopts ; dataopts: - IL_DLEN token { set_datalen(&yylval.str); } - | IL_DVALUE token { set_data(&yylval.str); } - | IL_DFILE token { set_datafile(&yylval.str); } + IL_DLEN token { set_datalen(&$2); } + | IL_DVALUE token { set_data(&$2); } + | IL_DFILE token { set_datafile(&$2); } ; token: IL_TOKEN ';' @@ -618,28 +619,6 @@ ether_aton(s) } #endif -#ifdef bsdi -struct ether_addr * -ether_aton(s) - char *s; -{ - static struct ether_addr n; - u_int i[6]; - - if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1], - &i[2], &i[3], &i[4], &i[5]) == 6) { - n.ether_addr_octet[0] = (u_char)i[0]; - n.ether_addr_octet[1] = (u_char)i[1]; - n.ether_addr_octet[2] = (u_char)i[2]; - n.ether_addr_octet[3] = (u_char)i[3]; - n.ether_addr_octet[4] = (u_char)i[4]; - n.ether_addr_octet[5] = (u_char)i[5]; - return &n; - } - return NULL; -} -#endif - struct in_addr getipv4addr(arg) char *arg; @@ -663,7 +642,7 @@ char *pr, *name; struct servent *sp; if (!(sp = getservbyname(name, pr))) - return atoi(name); + return htons(atoi(name)); return sp->s_port; } 
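Review bot: `return htons(atoi(name));` converts any token that is not a known service with `atoi`, which reports neither a non-numeric string nor a value outside 0-65535; both are silently truncated to 16 bits. Parsing with `strtol` and rejecting `end == name || *end || v < 0 || v > 65535` gives the script author an error instead of a wrong port; the enclosing function starts above this hunk.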
@@ -1740,7 +1719,9 @@ void free_anipheader() canip->ah_next = NULL; aniptail = &canip->ah_next; } - free(aip); + + if (canip) + free(aip); } diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index f86c2df5da6e..4d738b6df3c2 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.3 1997/11/12 10:57:25 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $"; #endif #include @@ -106,9 +106,11 @@ int main __P((int, char *[])); #define OPT_VERBOSE 0x008 #define OPT_HEXHDR 0x010 #define OPT_TAIL 0x020 -#define OPT_ALL 0x040 #define OPT_NAT 0x080 #define OPT_STATE 0x100 +#define OPT_FILTER 0x200 +#define OPT_PORTNUM 0x400 +#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER) #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 @@ -156,7 +158,7 @@ u_short port; struct servent *serv; (void) sprintf(pname, "%hu", htons(port)); - if (!res) + if (!res || (opts & OPT_PORTNUM)) return pname; serv = getservbyport((int)port, proto); if (!serv) @@ -598,7 +600,7 @@ FILE *log; int fd, flushed = 0; if ((fd = open(file, O_RDWR)) == -1) { - (void) fprintf(stderr, "%s: open: %s", file, STRERROR(errno)); + (void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno)); exit(-1); } 
@@ -620,50 +622,94 @@ FILE *log; } +static void logopts(turnon, options) +int turnon; +char *options; +{ + int flags = 0; + char *s; + + for (s = options; *s; s++) + { + switch (*s) + { + case 'N' : + flags |= OPT_NAT; + break; + case 'S' : + flags |= OPT_STATE; + break; + case 'I' : + flags |= OPT_FILTER; + break; + default : + fprintf(stderr, "Unknown log option %c\n", *s); + exit(1); + } + } + + if (turnon) + opts |= flags; + else + opts &= ~(flags); +} + + int main(argc, argv) int argc; char *argv[]; { struct stat sb; FILE *log = stdout; - int fd[3], doread, n, i, nfd = 1; - int tr, nr, regular, c; - int fdt[3]; - char buf[512], *iplfile = IPL_NAME; + int fd[3], doread, n, i; + int tr, nr, regular[3], c; + int fdt[3], devices = 0; + char buf[512], *iplfile[3]; extern int optind; extern char *optarg; fd[0] = fd[1] = fd[2] = -1; - fdt[0] = IPL_LOGIPF; - fdt[1] = IPL_LOGNAT; - fdt[2] = IPL_LOGSTATE; + fdt[0] = fdt[1] = fdt[2] = -1; + iplfile[0] = IPL_NAME; + iplfile[1] = IPNAT_NAME; + iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?af:FhnNsStvxX")) != -1) + while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1) switch (c) { case 'a' : opts |= OPT_ALL; - nfd = 3; break; - case 'f' : - iplfile = optarg; + case 'f' : case 'I' : + opts |= OPT_FILTER; + fdt[0] = IPL_LOGIPF; + iplfile[0] = optarg; break; case 'F' : - if (!(opts & OPT_ALL)) - flushlogs(iplfile, log); - else { - flushlogs(IPL_NAME, log); - flushlogs(IPL_NAT, log); - flushlogs(IPL_STATE, log); - } + flushlogs(iplfile[0], log); + flushlogs(iplfile[1], log); + flushlogs(iplfile[2], log); break; case 'n' : opts |= OPT_RESOLVE; break; case 'N' : opts |= OPT_NAT; - fdt[0] = IPL_LOGNAT; - iplfile = IPL_NAT; + fdt[1] = IPL_LOGNAT; + iplfile[1] = optarg; + break; + case 'o' : case 'O' : + logopts(c == 'o', optarg); + fdt[0] = fdt[1] = fdt[2] = -1; + if (opts & OPT_FILTER) + fdt[0] = IPL_LOGIPF; + if (opts & OPT_NAT) + fdt[1] = IPL_LOGNAT; + if (opts & OPT_STATE) + fdt[2] = IPL_LOGSTATE; + 
break; + case 'p' : + opts |= OPT_PORTNUM; break; case 's' : openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC); @@ -671,8 +717,8 @@ char *argv[]; break; case 'S' : opts |= OPT_STATE; - fdt[0] = IPL_LOGSTATE; - iplfile = IPL_STATE; + fdt[2] = IPL_LOGSTATE; + iplfile[2] = optarg; break; case 't' : opts |= OPT_TAIL; @@ -692,22 +738,32 @@ char *argv[]; usage(argv[0]); } - if ((fd[0] == -1) && (fd[0] = open(iplfile, O_RDONLY)) == -1) { - (void) fprintf(stderr, "%s: open: %s", iplfile, - STRERROR(errno)); - exit(-1); - } + /* + * Default action is to only open the filter log file. + */ + if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1)) + fdt[0] = IPL_LOGIPF; - if ((opts & OPT_ALL)) { - if ((fd[1] = open(IPL_NAT, O_RDONLY)) == -1) { - (void) fprintf(stderr, "%s: open: %s", IPL_NAT, - STRERROR(errno)); - exit(-1); - } - if ((fd[2] = open(IPL_STATE, O_RDONLY)) == -1) { - (void) fprintf(stderr, "%s: open: %s", IPL_STATE, - STRERROR(errno)); - exit(-1); + for (i = 0; i < 3; i++) { + if (fdt[i] == -1) + continue; + if (!strcmp(iplfile[i], "-")) + fd[i] = 0; + else { + if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) { + (void) fprintf(stderr, + "%s: open: %s\n", iplfile[i], + STRERROR(errno)); + exit(-1); + } + + if (fstat(fd[i], &sb) == -1) { + (void) fprintf(stderr, "%d: fstat: %s\n",fd[i], + STRERROR(errno)); + exit(-1); + } + if (!(regular[i] = !S_ISCHR(sb.st_mode))) + devices++; } } 
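Review bot: The new `case 'p'` (OPT_PORTNUM) is unreachable because `p` is missing from the option string passed to getopt, `"?af:FhI:nN:o:O:sS:tvxX"`, so `-p` is reported as an unknown option; the string should be `"?af:FhI:nN:o:O:psS:tvxX"`. `-N` and `-S` now take a mandatory argument, which changes the command line for existing users; the usage text (outside this hunk) should say so. main continues past the end of this hunk.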
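Review bot: When a log file is given as `-`, the loop sets `fd[i] = 0` and skips the `else` block, so `regular[i]` is never assigned and `devices` is not updated, yet the read loop in the -715 hunk tests `!regular[i]` to decide whether to `ioctl(FIONREAD)`, reading an uninitialised value. Running the `fstat` and the `regular[i]`/`devices` bookkeeping after both branches fixes it; the rewrite below keeps the messages as they are. Zero-initialising `regular` at its declaration in the -620 hunk would be a cheap second line of defence.
```c
	for (i = 0; i < 3; i++) {
		if (fdt[i] == -1)
			continue;
		if (!strcmp(iplfile[i], "-"))
			fd[i] = 0;
		else if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
			(void) fprintf(stderr, "%s: open: %s\n", iplfile[i],
				STRERROR(errno));
			exit(-1);
		}

		/* stdin and named files alike: decide between a device
		 * (polled with FIONREAD) and a regular file. */
		if (fstat(fd[i], &sb) == -1) {
			(void) fprintf(stderr, "%d: fstat: %s\n", fd[i],
				STRERROR(errno));
			exit(-1);
		}
		if (!(regular[i] = !S_ISCHR(sb.st_mode)))
			devices++;
	}
```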
@@ -715,27 +771,21 @@ char *argv[]; log = argv[optind] ? fopen(argv[optind], "a") : stdout; if (log == NULL) { - (void) fprintf(stderr, "%s: fopen: %s", argv[optind], + (void) fprintf(stderr, "%s: fopen: %s\n", argv[optind], STRERROR(errno)); exit(-1); } setvbuf(log, NULL, _IONBF, 0); } - if (stat(iplfile, &sb) == -1) { - (void) fprintf(stderr, "%s: stat: %s", iplfile, - STRERROR(errno)); - exit(-1); - } - - regular = !S_ISCHR(sb.st_mode); - for (doread = 1; doread; ) { nr = 0; - for (i = 0; i < nfd; i++) { + for (i = 0; i < 3; i++) { tr = 0; - if (!regular) { + if (fdt[i] == -1) + continue; + if (!regular[i]) { if (ioctl(fd[i], FIONREAD, &tr) == -1) { perror("ioctl(FIONREAD)"); exit(-1); @@ -745,7 +795,7 @@ char *argv[]; if (!tr && !(opts & OPT_TAIL)) doread = 0; } - if (!tr && nfd != 1) + if (!tr) continue; nr += tr; @@ -777,7 +827,7 @@ char *argv[]; break; } } - if (!nr && ((opts & OPT_TAIL) || !regular)) + if (!nr && ((opts & OPT_TAIL) || devices)) sleep(1); } exit(0); diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index 0f8d19b29fc4..459c09bdeca3 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11 1997/10/23 11:42:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $"; #endif #include #include @@ -96,7 +96,7 @@ int frag; static u_short id = 0; ether_header_t *eh; ip_t ipsv; - int err; + int err, iplen; if (!ipbuf) ipbuf = (char *)malloc(65536); @@ -115,7 +115,8 @@ int frag; bcopy((char *)ip, (char *)&ipsv, sizeof(*ip)); last_gw.s_addr = gwip.s_addr; - ip->ip_len = htons(ip->ip_len); + iplen = ip->ip_len; + ip->ip_len = htons(iplen); ip->ip_off = htons(ip->ip_off); if (!(frag & 2)) { if (!ip->ip_v) 
@@ -126,13 +127,13 @@ int frag; ip->ip_ttl = 60; } - if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu)) + if (!frag || (sizeof(*eh) + iplen < mtu)) { ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); - bcopy((char *)ip, ipbuf + sizeof(*eh), ntohs(ip->ip_len)); - err = sendip(nfd, ipbuf, sizeof(*eh) + ntohs(ip->ip_len)); + bcopy((char *)ip, ipbuf + sizeof(*eh), iplen); + err = sendip(nfd, ipbuf, sizeof(*eh) + iplen); } else { @@ -144,7 +145,7 @@ int frag; ether_header_t eth; char optcpy[48], ol; char *s; - int i, iplen, sent = 0, ts, hlen, olen; + int i, sent = 0, ts, hlen, olen; hlen = ip->ip_hl << 2; if (mtu < (hlen + 8)) { 
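Review bot: `bcopy((char *)ip, ipbuf + sizeof(*eh), iplen)` is bounded only by the MTU test on the previous line, and that test is skipped entirely when `frag` is 0, so nothing checks `iplen` against the 65536-byte `ipbuf` allocated in the -96 hunk (an `ip_len` near 65535 plus the Ethernet header overruns it). A guard such as `if (iplen < 0 || (size_t)iplen + sizeof(*eh) > 65536) return -1;` right after `iplen = ip->ip_len;` in the -115 hunk closes that, using whatever failure value send_ip's callers expect; the function body continues outside this hunk.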
@@ -235,43 +236,44 @@ struct in_addr gwip; { static tcp_seq iss = 2; struct tcpiphdr *ti; - int thlen, i; - u_long lbuf[20]; + tcphdr_t *t; + int thlen, i, iplen, hlen; + u_32_t lbuf[20]; + iplen = ip->ip_len; + hlen = ip->ip_hl << 2; + t = (tcphdr_t *)((char *)ip + hlen); ti = (struct tcpiphdr *)lbuf; + thlen = t->th_off << 2; + if (!thlen) + thlen = sizeof(tcphdr_t); bzero((char *)ti, sizeof(*ti)); - thlen = sizeof(tcphdr_t); ip->ip_p = IPPROTO_TCP; ti->ti_pr = ip->ip_p; ti->ti_src = ip->ip_src; ti->ti_dst = ip->ip_dst; - bcopy((char *)ip + (ip->ip_hl << 2), - (char *)&ti->ti_sport, sizeof(tcphdr_t)); + bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen); if (!ti->ti_win) ti->ti_win = htons(4096); - if (!ti->ti_seq) - ti->ti_seq = htonl(iss); - iss += 64; + iss += 63; - if ((ti->ti_flags == TH_SYN) && !ip->ip_off) - { - ip = (ip_t *)realloc((char *)ip, ntohs(ip->ip_len) + 4); - i = sizeof(struct tcpiphdr) / sizeof(long); + i = sizeof(struct tcpiphdr) / sizeof(long); + + if ((ti->ti_flags == TH_SYN) && !ip->ip_off && + (lbuf[i] != htonl(0x020405b4))) { lbuf[i] = htonl(0x020405b4); - bcopy((char *)(lbuf + i), (char*)ip + ntohs(ip->ip_len), - sizeof(u_long)); + bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4, + iplen - thlen - hlen); thlen += 4; } - if (!ti->ti_off) - ti->ti_off = thlen >> 2; + ti->ti_off = thlen >> 2; ti->ti_len = htons(thlen); - ip->ip_len = (ip->ip_hl << 2) + thlen; + ip->ip_len = hlen + thlen; ti->ti_sum = 0; ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t)); - bcopy((char *)&ti->ti_sport, - (char *)ip + (ip->ip_hl << 2), thlen); + bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen); return send_ip(nfd, mtu, ip, gwip, 1); } diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c index 6b3cf2374dd1..415e4fcbd5f5 100644 --- a/contrib/ipfilter/ipsend/iptest.c +++ b/contrib/ipfilter/ipsend/iptest.c 
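Review bot: `i = sizeof(struct tcpiphdr) / sizeof(long);` indexes `lbuf`, which this hunk changes from `u_long` to `u_32_t`; where `long` is 64 bits `i` becomes 5 and the MSS option is written into the middle of the pseudo-header (and tested there by the new `lbuf[i] != htonl(0x020405b4)`) instead of just past the TCP header. Dividing by the element size keeps the index tied to the array: `i = sizeof(struct tcpiphdr) / sizeof(lbuf[0]);`. Two smaller things in the same hunk: the in-place `bcopy` that shifts the payload up by 4 bytes no longer grows the buffer the way the removed `realloc` did, so the caller's packet buffer must already have 4 bytes of slack past `ip_len`, and `iss` is now only incremented (`iss += 63`) and never read, so either the removed `ti_seq` default is missing or `iss` can go.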
@@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8 1997/10/12 09:48:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8.2.1 1997/11/28 03:36:18 darrenr Exp $"; #endif #include #include @@ -146,7 +146,7 @@ char **argv; usage(name); } - if (argc - optind < 2 && !tests) + if ((argc <= optind) || !argv[optind]) usage(name); dst = argv[optind++]; @@ -209,6 +209,13 @@ char **argv; ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest); break; default : + ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest); break; } return 0; diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index f9382721ae44..f12dbadd2024 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13 1997/10/23 11:42:45 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $"; #endif #include #include @@ -892,6 +892,7 @@ int ptest; t->th_sum = 0; t->th_seq = 1; t->th_ack = 0; + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); nfd = initdevice(dev, t->th_sport, 1); if (!ptest || (ptest == 1)) { @@ -1021,9 +1022,10 @@ int ptest; PAUSE(); } -#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi) +#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \ + !defined(__sgi) { - struct tcpcb *t, tcb; + struct tcpcb *tcbp, tcb; struct tcpiphdr ti; struct sockaddr_in sin; int fd, slen; 
@@ -1032,10 +1034,13 @@ int ptest; for (i = 1; i < 63; i++) { fd = socket(AF_INET, SOCK_STREAM, 0); + bzero((char *)&sin, sizeof(sin)); sin.sin_addr.s_addr = ip->ip_dst.s_addr; sin.sin_port = htons(i); + sin.sin_family = AF_INET; if (!connect(fd, (struct sockaddr *)&sin, sizeof(sin))) break; + close(fd); } if (i == 63) { @@ -1046,15 +1051,15 @@ int ptest; } bcopy((char *)ip, (char *)&ti, sizeof(*ip)); - ti.ti_dport = i; + t->th_dport = htons(i); slen = sizeof(sin); if (!getsockname(fd, (struct sockaddr *)&sin, &slen)) - ti.ti_sport = sin.sin_port; - if (!(t = find_tcp(fd, &ti))) { + t->th_sport = sin.sin_port; + if (!(tcbp = find_tcp(fd, &ti))) { printf("Can't find PCB\n"); goto skip_five_and_six; } - KMCPY(&tcb, t, sizeof(tcb)); + KMCPY(&tcb, tcbp, sizeof(tcb)); ti.ti_win = tcb.rcv_adv; ti.ti_seq = tcb.snd_nxt - 1; ti.ti_ack = tcb.rcv_nxt; @@ -1063,27 +1068,36 @@ int ptest; /* * Test 5: urp */ - printf("5.1 TCP Urgent pointer\n"); - ti.ti_urp = 1; + t->th_flags = TH_ACK|TH_URG; + printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n", + ntohs(t->th_sport), ntohs(t->th_dport)); + t->th_urp = htons(1); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); - ti.ti_urp = 0x7fff; + + t->th_seq = tcb.snd_nxt; + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1; + t->th_urp = htons(0x7fff); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); - ti.ti_urp = 0x8000; + t->th_urp = htons(0x8000); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); - ti.ti_urp = 0xffff; + t->th_urp = htons(0xffff); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); + t->th_urp = htons(0); + t->th_flags &= ~TH_URG; + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); } if (!ptest || (ptest == 6)) { /* * Test 6: data offset, off = 0, off is inside, off is outside */ - printf("6.1 TCP off = 0-15, len = 40\n"); - for (i = 0; i < 16; i++) { + t->th_flags = TH_ACK; + printf("5.6.1 TCP off = 1-15, len = 40\n"); + for (i = 1; i < 16; i++) { ti.ti_off = ntohs(i); (void) send_tcp(nfd, mtu, ip, gwip); printf("%d\r", i); 
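Review bot: `find_tcp(fd, &ti)` is now called with a `ti` whose port fields were never set: the preceding `bcopy((char *)ip, (char *)&ti, sizeof(*ip))` copies only the IP header part, and the two assignments that used to fill `ti.ti_dport` / `ti.ti_sport` now write `t->th_dport` / `t->th_sport` in the packet instead. If `find_tcp` matches the PCB on those fields (its body is not visible here), it is handed uninitialised values. Mirroring the ports into the lookup key, `ti.ti_sport = t->th_sport; ti.ti_dport = t->th_dport;` before the `find_tcp` call, keeps the lookup consistent with the packet; the enclosing test function starts and ends outside the hunk.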
@@ -1091,6 +1105,7 @@ int ptest; PAUSE(); } putchar('\n'); + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); } (void) close(fd); @@ -1099,9 +1114,9 @@ skip_five_and_six: #endif t->th_seq = 1; t->th_ack = 1; + t->th_off = 0; if (!ptest || (ptest == 7)) { - t->th_off = 0; t->th_flags = TH_SYN; /* * Test 7: sport = 0, sport = 1, sport = 32767 @@ -1140,6 +1155,7 @@ skip_five_and_six: if (!ptest || (ptest == 8)) { t->th_sport = 1; + t->th_flags = TH_SYN; /* * Test 8: dport = 0, dport = 1, dport = 32767 * dport = 32768, dport = 65535 @@ -1174,6 +1190,20 @@ skip_five_and_six: fflush(stdout); PAUSE(); } + + /* LAND attack - self connect, so make src & dst ip/port the same */ + if (!ptest || (ptest == 9)) { + printf("5.9 TCP LAND attack. sport = 25, dport = 25\n"); + /* chose SMTP port 25 */ + t->th_sport = htons(25); + t->th_dport = htons(25); + t->th_flags = TH_SYN; + ip->ip_src = ip->ip_dst; + (void) send_tcp(nfd, mtu, ip, gwip); + fflush(stdout); + PAUSE(); + } + /* TCP options header checking */ /* 0 length options, etc */ } @@ -1208,6 +1238,9 @@ int ptest; u->uh_dport = htons(u->uh_dport); u->uh_ulen = 7168; + printf("6. Exhaustive mbuf test.\n"); + printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n"); + printf(" Total of around 8,900 packets\n"); for (i = 0; i < 128; i++) { /* * First send the entire packet in 768 byte chunks. diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index 92e4a24b8bfa..fc4e866b418e 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9 1997/09/28 07:13:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $"; #endif #include #include 
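Review bot: Test 6 still writes `ti.ti_off = ntohs(i)` into the local `ti` copy, while test 5 in the same hunk was converted to drive the packet through `t->`; `send_tcp` (the ip.c hunk in this commit) derives the header length from `t->th_off`, so the loop transmits the same packet fifteen times and the "off = 1-15" it prints never reaches the wire. Writing the offset into the packet, `t->th_off = i;`, makes the test do what it announces; `ntohs()` on a 4-bit field would also truncate to zero on little-endian hosts, so the plain value is wanted. The enclosing test function starts and ends outside the hunk.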
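Review bot: The LAND case sets `ip->ip_src = ip->ip_dst;` and never restores it, and the packet buffer is the caller's: iptest.c's new `default` branch (earlier hunk in this commit) runs `ip_test6` and `ip_test7` on the same `(ip_t *)ti` buffer after `ip_test5`, so those later tests inherit the spoofed source address. Save and restore it around the test, `struct in_addr osrc = ip->ip_src;` before `ip->ip_src = ip->ip_dst;` and `ip->ip_src = osrc;` after the `PAUSE();`, so each test starts from the source the caller configured. The surrounding function ends just after this hunk; its start is outside it.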
@@ -253,7 +253,7 @@ static struct kinfo_proc *getproc() mib[2] = KERN_PROC_PID; mib[3] = pid; - n = 1; + n = sizeof(kp); if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1) { perror("sysctl"); diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4 index 6cf9f204ef89..9d835506c50b 100644 --- a/contrib/ipfilter/man/ipf.4 +++ b/contrib/ipfilter/man/ipf.4 @@ -201,4 +201,4 @@ struct filterstats { }; .fi .SH SEE ALSO -ipfstat(1), ipf(1), ipf(5) +ipfstat(8), ipf(8), ipf(5) diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index c202be71f6a0..1ee1584d1875 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -481,4 +481,4 @@ qualifies all service/port names with the protocol specified. .br /etc/hosts .SH SEE ALSO -ipf(1), ipftest(1), mkfilters(1) +ipf(8), ipftest(1), mkfilters(1), ipmon(8) diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index b13e2ddb2f05..11a1666e2e32 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 @@ -10,7 +10,7 @@ ipf \- alters packet filtering lists for IP packet input and output ] [ .B \-F - + ] .B \-f <\fIfilename\fP> 
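Review bot: `n = sizeof(kp)` gives sysctl the right buffer length, but the result is still only checked for -1; a KERN_PROC_PID query for a pid that no longer exists can return success with `n` set to 0 and `kp` left untouched, in which case the caller goes on to use an uninitialised `kp`. Treat `n != sizeof(kp)` after the call as a failure alongside the existing `== -1` branch. The declaration of `n` is outside the hunk; it needs to be `size_t` for the `&n` argument to be well-typed.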
@@ -43,13 +43,21 @@ Disable the filter (if enabled). Not effective for loadable kernel versions. .B \-E Enable the filter (if disabled). Not effective for loadable kernel versions. .TP -.BR \-F \0 +.BR \-F \0 This option specifies which filter list to flush. The parameter should either be "i" (input), "o" (output) or "a" (remove all filter rules). Either a single letter or an entire word starting with the appropriate letter maybe used. This option maybe before, or after, any other with the order on the command line being that used to execute options. .TP +.BR \-F \0 +To flush entries from the state table, the \fB-F\fP option is used in +conjuction with either "s" (removes state information about any non-fully +established connections) or "S" (deletes the entire state table). Only +one of the two options may be given. A fully established connection +will show up in \fBipfstat -s\fP output as 4/4, with deviations either +way indicating it is not fully established any more. +.TP .BR \-f \0 This option specifies which files \fBipf\fP should use to get input from for modifying the packet filter rule @@ -99,7 +107,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't affect fragment or state statistics). .DT .SH SEE ALSO -ipfstat(1), ipftest(1), ipf(5), mkfilters(1) +ipfstat(8), ipftest(1), ipf(5), mkfilters(1) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5 index 40175e48d8df..2826359ad16a 100644 --- a/contrib/ipfilter/man/ipfilter.5 +++ b/contrib/ipfilter/man/ipfilter.5 @@ -4,4 +4,4 @@ IP FIlter .SH DESCRIPTION .PP .SH SEE ALSO -ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1) +ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1) diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index c8679f1c0a21..166a114b26b6 100644 --- a/contrib/ipfilter/man/ipfstat.8 
+++ b/contrib/ipfilter/man/ipfstat.8 @@ -71,6 +71,6 @@ kernel. .br /vmunix .SH SEE ALSO -ipf(1) +ipf(8) .SH BUGS none known. diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 index 912b3a3542c3..e77ef96bc4be 100644 --- a/contrib/ipfilter/man/ipftest.1 +++ b/contrib/ipfilter/man/ipftest.1 @@ -121,7 +121,7 @@ Specify the filename from which to take input. Default is stdin. Specify the filename from which to read filter rules. .SH FILES .SH SEE ALSO -ipf(1), ipf(5), snoop(1m), tcpdump(8), etherfind(8c) +ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 32f4cbdfc549..a4f7fc46ea0d 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -4,7 +4,15 @@ ipmon \- monitors /dev/ipl for logged packets .SH SYNOPSIS .B ipmon [ -.B \-aFhnNsStvxX +.B \-aFhnstvxX +] [ +.B "\-o [NSI]" +] [ +.B "\-O [NSI]" +] [ +.B "\-N " +] [ +.B "\-S " ] [ .B "\-f " ] [ 
@@ -27,22 +35,40 @@ Open all of the device logfiles for reading log entries from. All entries are displayed to the same output 'device' (stderr or syslog). .TP .B "\-f " -specify an alternative device/file from which to read the log information. +specify an alternative device/file from which to read the log information +for normal IP Filter log records. .TP .B \-F Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero. .TP +.B "\-N " +Set the logfile to be opened for reading NAT log records from to . +.TP .B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. .TP -.B \-N -Treat the logfile as being composed of NAT log records. +.B "\-N " +Set the logfile to be opened for reading NAT log records from to . +.TP +.B \-o +Specify which log files to actually read data from. N - NAT logfile, +S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is +equivalent to using \fB-o NSI\fP. +.TP +.B \-O +Specify which log files you do not wish to read from. This is most sensibly +used with the \fB-a\fP. Letters available as paramters to this are the same +as for \fB-o\fP. .TP .B \-s Packet information read in will be sent through syslogd rather than saved to a file. The following levels are used: +.TP +.B "\-S " +Set the logfile to be opened for reading state log records from to . +.TP .IP .B LOG_INFO \- packets logged using the "log" keyword as the action rather @@ -76,5 +102,5 @@ recorded data. .SH FILES /dev/ipl .SH SEE ALSO -ipf(1), ipfstat(1) +ipf(8), ipfstat(8) .SH BUGS diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1 index c61e03bcd359..9b29f4d21278 100644 --- a/contrib/ipfilter/man/ipnat.1 +++ b/contrib/ipfilter/man/ipnat.1 
@@ -42,4 +42,4 @@ Remove matching NAT rules rather than add them to the internal lists Turn verbose mode on. Displays information relating to rule processing. .DT .SH SEE ALSO -ipfstat(1), ipftest(1), ipf(1), ipnat(5) +ipfstat(1), ipftest(8), ipf(8), ipnat(5) diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4 index ea789365ffd8..6af517f23db2 100644 --- a/contrib/ipfilter/man/ipnat.4 +++ b/contrib/ipfilter/man/ipnat.4 @@ -88,4 +88,4 @@ typedef struct natstat { It would be nice if there were more flexibility when adding and deleting filter rules. .SH SEE ALSO -ipfstat(1), ipf(1), ipf(4), ipnat(5) +ipfstat(8), ipf(8), ipf(4), ipnat(5) diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1 index e55054c2a99c..52c7a8f7e18f 100644 --- a/contrib/ipfilter/man/mkfilters.1 +++ b/contrib/ipfilter/man/mkfilters.1 @@ -9,5 +9,4 @@ mkfilters \- generate a minimal firewall ruleset for ipfilter use with \fBipfilter\fP by parsing the output of \fBifconfig\fP. .DT .SH SEE ALSO -ipf(1), ipf(5), ipfilter(5), ifconfig(8) - +ipf(8), ipf(5), ipfilter(5), ifconfig(8) diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index 3a8ee905620b..d6601ba2ebc6 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -135,6 +135,10 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW, &fr_defaultauthage, 0, ""); #endif +#ifdef DEVFS +void *ipf_devfs[IPL_LOGMAX + 1]; +#endif + #if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) int ipl_major = 0; @@ -156,6 +160,7 @@ static struct cdevsw ipl_cdevsw = { static int iplaction __P((struct lkm_table *, int)); +static void ipl_drvinit __P((void *)); static int iplaction(lkmtp, cmd) 
@@ -188,13 +193,27 @@ int cmd; args->lkm_offset = i; /* slot in cdevsw[] */ #endif printf("IP Filter: loaded into slot %d\n", ipl_major); - return if_ipl_load(lkmtp, cmd); + err = if_ipl_load(lkmtp, cmd); + if (!err) + ipl_drvinit((void *)NULL); + return err; break; case LKM_E_UNLOAD : err = if_ipl_unload(lkmtp, cmd); - if (!err) + if (!err) { printf("IP Filter: unloaded from slot %d\n", ipl_major); +# ifdef DEVFS + if (ipf_devfs[IPL_LOGIPF]) + devfs_remove_dev(ipf_devfs[IPL_LOGIPF]); + if (ipf_devfs[IPL_LOGNAT]) + devfs_remove_dev(ipf_devfs[IPL_LOGNAT]); + if (ipf_devfs[IPL_LOGSTATE]) + devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]); + if (ipf_devfs[IPL_LOGAUTH]) + devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]); +# endif + } return err; case LKM_E_STAT : break; 
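Review bot: The unload path removes the four devfs nodes with four copy-pasted `if (ipf_devfs[X]) devfs_remove_dev(...)` blocks but leaves the pointers in `ipf_devfs[]` set, and the array (declared with `IPL_LOGMAX + 1` slots in the first hunk of this file) may hold more entries than the four named here; a loop over every slot that also nulls it out is shorter and cannot re-release a node if the unload is retried. `i` is already in scope in `iplaction` (`args->lkm_offset = i;`). The enclosing `iplaction` starts and ends outside the hunk.
```c
	case LKM_E_UNLOAD :
		err = if_ipl_unload(lkmtp, cmd);
		if (!err) {
			printf("IP Filter: unloaded from slot %d\n", ipl_major);
# ifdef DEVFS
			/* release every devfs node registered by ipl_drvinit and forget it */
			for (i = 0; i <= IPL_LOGMAX; i++)
				if (ipf_devfs[i]) {
					devfs_remove_dev(ipf_devfs[i]);
					ipf_devfs[i] = NULL;
				}
# endif
		}
		return err;
```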
@@ -326,42 +345,37 @@ int cmd, ver; { DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); } -# else - -#ifdef DEVFS -static void *ipf_devfs_token[IPL_LOGMAX + 1]; -#endif +# endif static ipl_devsw_installed = 0; static void ipl_drvinit __P((void *unused)) { dev_t dev; -#ifdef DEVFS - void **tp = ipf_devfs_token; -#endif +# ifdef DEVFS + void **tp = ipf_devfs; +# endif if (!ipl_devsw_installed ) { dev = makedev(CDEV_MAJOR, 0); cdevsw_add(&dev, &ipl_cdevsw, NULL); ipl_devsw_installed = 1; -#ifdef DEVFS +# ifdef DEVFS tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF, - DV_CHR, 0, 0, 0600, - "ipf", IPL_LOGIPF); + DV_CHR, 0, 0, 0600, "ipf"); tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT, - DV_CHR, 0, 0, 0600, - "ipnat", IPL_LOGNAT); + DV_CHR, 0, 0, 0600, "ipnat"); tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE, DV_CHR, 0, 0, 0600, - "ipstate", IPL_LOGSTATE); + "ipstate"); tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH, - DV_CHR, 0, 0, 0600, - "ipstate", IPL_LOGAUTH); -#endif + DV_CHR, 0, 0, 0600, + "ipauth"); +# endif } } +# ifdef IPFILTER_LKM SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL) # endif /* IPFILTER_LKM */ #endif /* _FreeBSD_version */ diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index c84205b8d4aa..bbc19257023e 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -35,7 +35,7 @@ #if !defined(lint) static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18 1997/10/19 15:39:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; 
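Review bot: The `SYSINIT(ipldev, ...)` registration is now guarded by `# ifdef IPFILTER_LKM`, which reads as inverted: when built as an LKM, `iplaction` (earlier hunk in this file) already calls `ipl_drvinit` explicitly on LKM_E_LOAD, while a kernel with IP Filter compiled in has no other caller of `ipl_drvinit` in the visible hunks and would never add its cdevsw or devfs nodes. Unless the surrounding preprocessor nesting, only partly visible here, already makes this branch the non-LKM one, the guard should be `# ifndef IPFILTER_LKM`. The `#if` levels enclosing this hunk open outside it.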
@@ -475,7 +475,8 @@ char *line; /* * lazy users... */ - if (!fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) { + if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) && + (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) { (void)fprintf(stderr, "no protocol given for TCP/UDP comparisons\n"); return NULL; @@ -541,7 +542,7 @@ u_char *cp; /* * is it possibly hostname/num ? */ - if ((s = index(**seg, '/'))) { + if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) { *s++ = '\0'; if (!isdigit(*s)) return -1; diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2 index 59d9ec8648b4..8d8fe5771436 100644 --- a/contrib/ipfilter/rules/example.2 +++ b/contrib/ipfilter/rules/example.2 @@ -1,4 +1,4 @@ # # block all outgoing TCP packets on le0 from any host to port 23 of host bar. # -block out on le0 proto tcp from any to bar/32 port != 23 +block out on le0 proto tcp from any to bar/32 port = 23 diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c index 8d77cf020b3a..b72cccec9aaf 100644 --- a/contrib/ipfilter/samples/proxy.c +++ b/contrib/ipfilter/samples/proxy.c @@ -97,7 +97,7 @@ char *argv[]; * Log it */ syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d", - inet_ntoa(natlook.nl_realip), natlook.nl_realport); + inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport)); printf("connect to %s,%d\n", inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport)); diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index d076125f794a..4179133baa2a 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.1 1997/11/08 04:55:57 darrenr Exp $"; +#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $"; #include #include 
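Review bot: The added `|| (s = index(**seg, ':'))` silently extends the accepted address syntax to `host:mask`, and nothing in the hunk records that; the comment above the condition should say so, e.g. `/* is it possibly hostname/num or hostname:num ? ('/' wins if both appear) */`. The enclosing parsing function starts and ends outside the hunk.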
@@ -525,7 +525,7 @@ tryagain: ip->ip_off = htons(__ipoff); } #endif - if (err == 1) { + if (err == -2) { if (*mp && (ip == (ip_t *)lbuf)) { copyin_mblk(m, 0, len, (char *)lbuf); frstats[out].fr_pull[1]++; diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo index f991db4cc2fc..f974adc77ad8 100644 --- a/contrib/ipfilter/todo +++ b/contrib/ipfilter/todo @@ -23,3 +23,14 @@ done * allow multiple ip addresses in a source route list for ipsend * complete Linux port to implement all the IP Filter features +return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-( + +* add switches to ipmon for better selective control over which logs are + read/not read +done + +* add a flag to automate src spoofing + +* ipfsync() should change IP#'s in current mappings as well as what's + in rules. +
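Review bot: `err == -2` replaces `err == 1` without anything in the hunk saying what `-2` denotes, and the function that produces `err` is outside it, so the two sides of this convention can drift apart unnoticed. A comment on the condition naming the meaning of `-2` (I cannot tell it from this hunk), or better a named constant shared with the producer, would make the dependency explicit. The enclosing function starts and ends outside the hunk.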