258 Commits

Author SHA1 Message Date
Cy Schubert
b85540d0a3 Remove a random equal sign from the example. It should not be there.
It's a syntax error.

PR:		210303
Reported by:	leventelist at gmail.com
MFC after:	3 days
2020-10-27 04:35:47 +00:00
Cy Schubert
bbd1103c30 Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
complete description.

MFC after:	3 days
2020-10-27 04:35:36 +00:00
Cy Schubert
6dbd2fb858 ipfilter getifname ifdef cleanup.
MFC after:	2 months
2020-09-30 08:26:22 +00:00
Cy Schubert
2c1685f369 Resurrect ipfilter's getifname, replacing the stub with the real
function.

MFC after:	2 months
2020-09-30 08:26:00 +00:00
Cy Schubert
15dc17b8d5 Remove Linux and IRIX specific files.
MFC after:	1 week
2020-09-27 18:39:12 +00:00
Cy Schubert
2e93aaa766 Continuing the effort started in r343701, #ifdef cleanup, remove
never to be used again checks.

MFC after:	1 week
2020-09-27 18:39:09 +00:00
Cy Schubert
a5849fa4ab Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
complete description.

MFC after:	1 week
2020-08-05 15:33:32 +00:00
Cy Schubert
12b2f3daaa Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
complete description.

MFC after:	1 week
2020-07-29 19:36:24 +00:00
Cy Schubert
f0276e8c38 Document the IPFILTER_PREDEFINED environment variable.
PR:		248088
Reported by:	joeb1@a1poweruser.com
MFC after:	1 week
2020-07-23 17:39:49 +00:00
Cy Schubert
64a1886d5c -4 and -6 only make sense with -i, -o, and -t.
PR:		247952
MFC after:	1 week
2020-07-17 19:07:53 +00:00
Cy Schubert
ebdefe6cb4 The output from usage() need not contain usage for -t when STATETOP
is not compiled in.

PR:		247952
MFC after:	1 week
2020-07-17 19:07:50 +00:00
Cy Schubert
e082c89385 Make ipfstat -t header generic when IPv4 and IPv6 output are
displayed in the same display.

PR:		247952
MFC after:	1 week
2020-07-17 19:07:47 +00:00
Cy Schubert
08c24e2f88 ipfstat -t defaults to IPv4 output. Make consistent with ipfstat -i
and ipfstat -o where without an argument IPv4 and IPv6 states are
shown. Use -4 and -6 to limit the display to IPv4 or IPv6 respectively.

PR:		247952
MFC after:	1 week
2020-07-17 19:07:44 +00:00
Cy Schubert
88b86bb0f3 Historically ipfstat listings and stats only listed IPv4 or IPv6 output.
ipfstat would list IPv4 outputs by default while -6 would produce IPv6
outputs. This commit combines the ipfstat -i and -o outputs into one
listing of IPv4 and IPv6 rules. The -4 option lists only IPv4 rules
(as the default before) while -6 continues to list only rules that affect
IPv6.

PR:		247952
Reported by:	joeb1@a1poweruser.com
MFC after:	1 week
2020-07-17 19:07:40 +00:00
Cy Schubert
5317660176 fr_family (the protocol family) must be AF_INET or AF_INET6, as in
the kernel, not an arbitrary 4 or 6.

This only affected printing ipfilter stats and rules from a kernel
dump. (This is currently undocumented.)

PR:		247952
MFC after:	1 week
2020-07-17 19:07:37 +00:00
Cy Schubert
ce1c2aafce Only use the use_inet6 variable when INET6 is a build option.
This is a prerequisite to upcoming argument processing cleanups which
will resolve consistency as was done with ippool previously.

PR:		247952
MFC after:	1 week
2020-07-17 19:07:34 +00:00
Cy Schubert
9543f281e8 Per-rule hit counts (-h) can be used with either -i (input) or -o (output)
filter rule lists.

MFC after:	3 days
2020-06-02 03:44:22 +00:00
Kyle Evans
0690ee732a ipfilter: remove duplicate definition of 'thishost'
thishost is already defined in lib/initparse.c; no need for this one. This
fixes the ipfilter build with -fno-common.

-fno-common will become the default in GCC10/LLVM11.

MFC after:	3 days
2020-03-29 02:26:58 +00:00
Cy Schubert
9658b6b3f4 As with ipf(8), give ippool(8) the ability to load IP pools from multiple
files. This allows for loading, during the same invocation of ippool, of
multiple sources of input using multiple tools to concurrently maintain the
files such as fail2ban, macro preprocessors, and manually.

MFC after:	1 week
2020-02-18 11:26:49 +00:00
Cy Schubert
87b60ffe39 Fix a typo (upto --> up to) and reword to improve word flow.
MFC after:	3 days
2019-12-02 20:39:40 +00:00
Cy Schubert
a97e8d2fe4 Implement the dynamic add (-A) and removal (-R) of ippool pools
from the command line. Prior to this the functionality was mostly there;
however, the pool type (-t) was not recognized by the -A and -R
command options (not recognized by getopt()). Additionally the code to
implement the dynamic add and removal of pools didn't work.

When dynamically adding (-A) a pool a type (-t) to specify if the pool
is a tree or hash pool must be specified. When dynamically removing (-R)
a pool, omitting -t will cause a search-and-destroy which will remove
both types of pools matching the name given (-m).

PR:		218433
MFC after:	1 week
2019-09-27 00:29:12 +00:00
Cy Schubert
e7257e1499 The no resolve (OPT_NORESOLVE) does nothing. Additionally, it (-R)
conflicts with the command option of the same name (also -R).
Remove the superfluous and confusing non-global non-command -R option.

PR:		218433
MFC after:	1 week
2019-09-27 00:29:09 +00:00
Cy Schubert
80aa6435f0 Sync with source:
Only a role of "ipf" is currently supported as the other documented
(and undocumented) roles are #ifdef'd out.

The plan is to complete ippool(8) as it is even in its current state
a powerful feature/tool.

PR:		218433
MFC after:	1 month
2019-09-27 00:29:06 +00:00
Cy Schubert
a263199455 Fix a typo.
MFC after:	3 days
2019-09-27 00:29:03 +00:00
Cy Schubert
4fcb870612 Teach the ippool parser about address families. This is a precursor
to implementing IPv6 support within ippool which requires reworking
radix_ipf.c.

MFC after:	1 month
2019-09-26 03:09:45 +00:00
Cy Schubert
9aa0318d3c Fix a typo.
PR:		238816
MFC after:	1 week
X-MFC with:	r349503
2019-06-28 04:52:24 +00:00
Cy Schubert
76af5effde Document the -B, binary logfile, and the -C config file options.
Reference the ipmon.5 man page and ipmon.conf.

PR:		238816
MFC after:	1 week
2019-06-28 04:28:32 +00:00
Cy Schubert
358e680a67 Return a return code scripts might expect. I missed this while
reviewing and rewriting a patch in PR/238816.

PR:		238816
Reported by:	rgrimes@
Pointy hat to:	cy@
MFC after:	1 week
X-MFC with:	r349450
2019-06-27 03:50:13 +00:00
Cy Schubert
accc4633db Update usage() to reflect the current state of ipmon.
PR:		238816
MFC after:	1 week
2019-06-27 02:43:30 +00:00
Cy Schubert
797a7db05a Fix a typo.
PR/238816 initially addressed updates to usage() however it has now
become a shopping list of fixes to ipmon man pages and usage().

PR:		238816
MFC after:	3 days
2019-06-27 02:42:56 +00:00
Cy Schubert
e9a5006bff Kernel module shim sources have no business being in the userland
build directory, especially those for other operating systems.
The kernel module shims for other operating systems are hereby removed.
The kernel module shim for FreeBSD, mlfk_ipl.c, is already in
sys/contrib/ipfilter/netinet. The one here is never used and should
not be in the userland build directory either.

mlfk_rule.c isn't used either however we will keep it in case someone
wishes to use this shim to load rules via a kernel module, handy for
embedded. In that case it should be copied to
sys/contrib/ipfilter/netinet and a Makefile created to employ it.
(Probably a useful documentation project when time permits.)

MFC after:	1 month
2019-02-03 05:26:07 +00:00
Cy Schubert
e559413d6f Remove a redundant ip_compat.h, originally merged from upstream.
MFC after:	1 month
2019-02-03 05:26:01 +00:00
Cy Schubert
0fcd8cab4e ipfilter #ifdef cleanup.
Remove #ifdefs for ancient and irrelevant operating systems from
ipfilter.

When ipfilter was written the UNIX and UNIX-like systems in use
were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any
more. OpenBSD removed ipfilter shortly after the first time the
ipfilter license terms changed in the early 2000's. ipfilter on AIX,
HP/UX, and Linux never really caught on. Removal of code for operating
systems that ipfilter will never run on again will simplify the code
making it easier to fix bugs, complete partially implemented features,
and extend ipfilter.

Unsupported previous version FreeBSD code and some older NetBSD code
has also been removed.

What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and
NetBSD have collaborated exchanging patches, while illumos has expressed
willingness to have their ipfilter updated to 5.1.2, provided their
zone-specific updates to their ipfilter are merged (which are of interest
to FreeBSD to allow control of ipfilters in jails from the global zone).

Reviewed by:	glebius@
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19006
2019-02-03 05:25:49 +00:00
Cy Schubert
60f4a175c5 Fix a typo.
MFC after:	3 days
2019-01-27 02:31:42 +00:00
Cy Schubert
e719f737b7 Remove redundant ipfilter version of pcap-bpf.h. As of r214535 it was
no longer needed.

MFC after:	1 week
2019-01-16 20:46:39 +00:00
Cy Schubert
636a29ff4f Remove an IRIX-only source file.
MFC after:	1 week
2019-01-16 02:05:42 +00:00
Cy Schubert
480717af29 Remove ipsd (IP Scan Detector). It is unused and to my knowledge has
never been used on any platform that ipfilter has been on. However
it looks like it could be a useful utility, therefore there are plans
to make it a port one day. It lacks a man page as well.

MFC after:	1 month
2019-01-06 21:24:44 +00:00
Cy Schubert
da7e48c690 TCP_PAWS_IDLE does not exist in NetBSD and illumos. In FreeBSD
TCP_PAWS_IDLE is defined in netinet/tcp_seq.h, however this header
isn't included explicitly or implicitly at this point, therefore
as far as ipfilter is concerned TCP_PAWS_IDLE is not defined. Remove
the #ifdef and include netinet/tcp.h unconditionally.

MFC after:	1 week
2018-12-30 04:25:48 +00:00
Cy Schubert
efc4145a6e Remove an ugly Ultrix hack. Ultrix has been AWOL since the last ice
age, more to come.

MFC after:	1 week
2018-12-06 20:15:54 +00:00
Cy Schubert
b1ece51fb8 As part of the general cleanup of the ipfilter code, special cases
are committed separately to document fixing them separately from
the general cleanup. In this case we don't want to hide the utter
brokenness of what is being fixed.

Clean up a discombobulated block of #if's, with one block unreachable.
ip_fil.c is used in ipftest which is used to dry-run test ipfilter
rules in userspace without loading them in the kernel. The call to
(*ifp->if_output) matches that in the FreeBSD kernel.

Further testing and work will be required to make ipftest fully
functional.

MFC after:	1 week
2018-12-04 06:11:04 +00:00
Cy Schubert
11b5e0cd9c loadpoolfile() implements a -R (NORESOLVE) option which is not listed
in usage(). This commit trues up usage() with loadpoolfile().
2017-08-05 06:46:06 +00:00
Cy Schubert
223428af47 As in r315225, discard 3072 bytes of RC4 bytestream instead of 1024.
PR:		217920
Submitted by:	codarren@hackers.mu
Reviewed by:	emaste, cem
Approved by:	so (implicit, in r315225)
MFC after:	1 week
Differential Revision:	D11747
Patterned after:	r315225
2017-07-27 06:26:15 +00:00
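The commit above raises the number of RC4 keystream bytes discarded before use from 1024 to 3072. The motivation is that the start of the RC4 keystream is biased; the best-known case is Mantin and Shamir's result that the second keystream byte is 0 with probability about 2/256 instead of 1/256. The C program below is an added example and not ipfilter's or FreeBSD's code: it implements RC4 with a configurable drop count, checks itself against the classic "Key"/"Plaintext" test vector, and counts the second-byte bias over pseudo-random keys with and without a 3072-byte drop. The test vector, the 16-byte keys and the xorshift generator that produces them are constructed for this example; the 1024 and 3072 figures are the ones from the commit message.

```c
/*
 * Added example, not ipfilter code: RC4-drop[n] and why the drop exists.
 * Key material, test vector and the xorshift key generator are constructed
 * for this demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rc4_state {
	uint8_t s[256];
	uint8_t i, j;
};

/* Key-scheduling algorithm (KSA). keylen must be at least 1. */
static void
rc4_init(struct rc4_state *st, const uint8_t *key, size_t keylen)
{
	unsigned k;
	uint8_t j = 0, t;

	for (k = 0; k < 256; k++)
		st->s[k] = (uint8_t)k;
	for (k = 0; k < 256; k++) {
		j = (uint8_t)(j + st->s[k] + key[k % keylen]);
		t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
	}
	st->i = st->j = 0;
}

/* One step of the PRGA: returns the next keystream byte. */
static uint8_t
rc4_byte(struct rc4_state *st)
{
	uint8_t t;

	st->i = (uint8_t)(st->i + 1);
	st->j = (uint8_t)(st->j + st->s[st->i]);
	t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
	return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}

/* Discard the first n keystream bytes (RC4-drop[n]). */
static void
rc4_skip(struct rc4_state *st, size_t n)
{
	while (n-- > 0)
		(void)rc4_byte(st);
}

/* XOR buf with the RC4-drop[drop] keystream; encrypts and decrypts alike. */
void
rc4_drop_crypt(const uint8_t *key, size_t keylen, size_t drop,
    uint8_t *buf, size_t len)
{
	struct rc4_state st;
	size_t k;

	rc4_init(&st, key, keylen);
	rc4_skip(&st, drop);
	for (k = 0; k < len; k++)
		buf[k] ^= rc4_byte(&st);
}

/* Known-answer check: RC4("Key", "Plaintext") == BBF316E8D940AF0AD3. */
int
rc4_known_answer_ok(void)
{
	static const uint8_t expect[] = {
		0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3 };
	uint8_t buf[9];

	memcpy(buf, "Plaintext", 9);
	rc4_drop_crypt((const uint8_t *)"Key", 3, 0, buf, 9);
	return memcmp(buf, expect, 9) == 0;
}

/*
 * Count how often the keystream byte at position drop+2 is zero over
 * `trials` pseudo-random 16-byte keys. With drop == 0 this observes the
 * raw second byte, where Mantin and Shamir's bias gives roughly 2/256;
 * after a large drop the rate falls back to the unbiased 1/256.
 */
unsigned
rc4_count_zero_second_byte(unsigned trials, size_t drop)
{
	uint64_t x = 0x9e3779b97f4a7c15ULL;	/* xorshift64 seed (constructed) */
	uint8_t key[16];
	unsigned hits = 0, t, k;
	struct rc4_state st;

	for (t = 0; t < trials; t++) {
		for (k = 0; k < sizeof(key); k++) {
			x ^= x << 13; x ^= x >> 7; x ^= x << 17;
			key[k] = (uint8_t)(x >> 56);
		}
		rc4_init(&st, key, sizeof(key));
		rc4_skip(&st, drop + 1);	/* advance to byte drop+2 */
		if (rc4_byte(&st) == 0)
			hits++;
	}
	return hits;
}

int
main(void)
{
	unsigned raw = rc4_count_zero_second_byte(30000, 0);
	unsigned dropped = rc4_count_zero_second_byte(30000, 3072);

	printf("known answer: %s\n", rc4_known_answer_ok() ? "ok" : "FAIL");
	printf("zero second byte: raw %u/30000, after drop 3072 %u/30000 "
	    "(unbiased expectation about 117)\n", raw, dropped);
	return 0;
}
```

Build with `cc -O2 rc4drop.c && ./a.out`. The raw count lands near 2/256 of the trials (about 234) while the dropped count lands near 1/256 (about 117), which is the effect the commit is buying with the larger discard. Dropping keystream only removes the strongest known biases at the start of the stream; it does not make RC4 a sound choice for new designs.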
Cy Schubert
e7df11b869 Document supported poollist() (ippool -l) options in usage() and in
ippool.8 man page.
2017-07-05 05:50:36 +00:00
Cy Schubert
e5426b9f65 Ansify entry and exit points.
MFC after:	1 month
2017-06-28 19:08:07 +00:00
Cy Schubert
3fe0d81e1f In poolnodecommand() (ippool -a and ippool -r) -m (pool name) is not
optional.
2017-06-28 02:30:32 +00:00
Cy Schubert
f21680fd98 Replace AF_INET6 ifdefs with USE_INET6 to be consistent with the rest
of the ipfilter source tree.
2017-06-27 04:54:58 +00:00
Cy Schubert
43988e3f50 Replace AF_INET6 ifdefs with USE_INET6 ifdefs. This is more consistent
and guaranteed to build everywhere in ipfilter.

Not all of this commit can be MFCed. Some is original code while others
are not.
2017-06-23 02:42:04 +00:00
Cy Schubert
cd32671786 In poolnodecommand(): TTL (-T) is only valid when adding a node to a
pool (ippool -a) not when removing a node from a pool (ippool -r).
Flag -T as an error in ippool -r.
2017-06-22 12:46:48 +00:00
Cy Schubert
3f296d78cc poolflush() has no positional arguments.
2017-06-22 06:25:34 +00:00
Cy Schubert
3f6a9d3760 Fix -S handling within poolcommand(). Specifying a seed (-S) is only
valid when adding a pool (ippool -A), not when removing a pool
(ippool -R). It is a command line syntax error if a seed (-S)
is specified when removing a pool (-R).
2017-06-21 12:19:05 +00:00