Import IP Filter 4.1.13

guido 2006-08-16 11:51:32 +00:00
parent 9749beb9e3
commit 092f5d1218
79 changed files with 1160 additions and 359 deletions


@ -3,12 +3,13 @@
#
# See the IPFILTER.LICENCE file for details on licencing.
#
TOP=../..
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
SEARCHDIRS!=echo $(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{for(i=1;i<NF;i++){print $$i;}}' - | sort -u
CC=gcc -Wall -Wuninitialized -Wstrict-prototypes -O
CC=gcc -Wall -Wuninitialized -Wstrict-prototypes -O -Wmissing-prototypes -Wpointer-arith -Wno-sign-compare -Wno-traditional -Werror
#UFLAGS=-fprofile-arcs -ftest-coverage
CFLAGS=-g -I$(TOP)
#
@ -17,7 +18,7 @@ CFLAGS=-g -I$(TOP)
DEVFS!=/usr/bin/lsvfs 2>&1 | sed -n 's/.*devfs.*/-DDEVFS/p'
CPU!=uname -m
INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch
DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS)
DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) -fno-builtin
IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST
VNODESHDIR=/sys/kern
MLD=$(ML)
@ -516,8 +517,8 @@ install:
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
coverage:
ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -n > report
sort -n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += $$F[0]/100*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,$$t/$$lc*100;' >> report
ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -k 1n -k 3n > report
sort -k 1n -k 3n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += ($$F[0]/100)*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,($$t/$$lc)*100;' >> report
clean-coverage:
/bin/rm -f *.gcov *.da
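Review bot: Adding `-Wno-sign-compare` to the same `CC=` line that turns on `-Werror` silences exactly the warning class that the bpf_validate rewrite elsewhere in this import is correcting (an `int len` compared against `u_int` indices), so new signed/unsigned mistakes in the kernel-facing code will no longer be reported. Consider dropping `-Wno-sign-compare` and fixing the comparisons instead. Baking `-Werror` into `CC=` also makes the build fail on any newer compiler that adds a warning; a separate overridable variable, e.g. `WERROR?=-Werror` and `CC=gcc ... $(WERROR)`, keeps the strictness without the brittleness. In the coverage target the perl one-liner still divides by `$$lc`, which is zero when every line was skipped by `next if (/^0.00/)`, so an all-zero report aborts with a division-by-zero error rather than printing "0 of 0".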


@ -10,6 +10,88 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.13 - Released 4 April 2006
fix bug where null pointers introduced by proxies could cause a crash
pass out the rule flags with SIOCAUTHW
force loading NAT rules with bad proxy labels to cause an error
nat_state is used unsafely in calls to fr_addstate
make return-rst and return-icmp* work with auth rules
4.1.12 - Released 28 March 2006
poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup
make the fastroute code used by ipftest invoke state/NAT
move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)
remove unused code in fr_fastroute
fix NAT with rules that specify forward and reverise interfaces
add missing ipfsync_canread() and ipfsync_canwrite()
behaviour of \ on the end of a line in ipf.conf does not match older behaviour
remove duplicate statistics line output with "ipfstat -s"
4.1.11 - Released 19 March 2006
Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org
NetBSD coverity report fixes (from run 5)
Possible to reacquire ipf_auth without releasing it in some circumstances
Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be
Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux
Using auth rules to return "keep state" got broken with pushing fr_addstate
call into fr_firewall
all use of '!' in map/rdr rules to match use in ipf configs
add -L command line option to ipmon to set the default syslog facility
looking up a port number is more complex than needed in ipft_tx.c
allow lib/getport to work when neither tcp or udp are specified in a rule
remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c
program in some more cases where TCP packets fail an initial in-window
check but should be allowed to match
filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
initialise all fields, making it possible to panic
simplify NAT ICMP error handling where it updates checksums
rename "min" variables to "xmin" on NetBSD to avoid problems with the
macro "min"
#ifdef's for NetBSD compile incorrect for pfil interface
support select/poll on NetBSD
copying out a packet with an auth rule fails (EFAULT) because the wrong
pointer is passed to copyoutptr
ip_len/ip_off where byte swapped twice instead of once for packets
going to be stored on the auth queue
change timeout queue manipulation functions to make fewer mutex calls
fix use of skip rules with groups
fix coding problems discovered by the coverity project for FreeBSD
update BPF program validation with FreeBSD changes
4.1.10 - Released 6 December 2005
Expand regression testing to cover more features


@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
# $Id: Makefile,v 2.76.2.18 2005/12/04 23:41:22 darrenr Exp $
# $Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $
#
SHELL=/bin/sh
BINDEST=/usr/local/bin
@ -134,6 +134,7 @@ all:
@echo "freebsd3 - compile for FreeBSD-3.x"
@echo "freebsd4 - compile for FreeBSD-4.x"
@echo "freebsd5 - compile for FreeBSD-5.x"
@echo "freebsd6 - compile for FreeBSD-6.x"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@ -186,7 +187,7 @@ freebsd22: include
fi
make freebsd20
freebsd5: include
freebsd5 freebsd6: include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \


@ -40,7 +40,7 @@
#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
static const char rcsid[] =
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)";
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)";
#endif
#include <sys/param.h>
@ -466,9 +466,10 @@ bpf_filter(pc, p, wirelen, buflen)
/*
* Return true if the 'fcode' is a valid filter program.
* The constraints are that each jump be forward and to a valid
* code. The code must terminate with either an accept or reject.
* 'valid' is an array for use by the routine (it must be at least
* 'len' bytes long).
* code, that memory accesses are within valid ranges (to the
* extent that this can be checked statically; loads of packet
* data have to be, and are, also checked at run time), and that
* the code terminates with either an accept or reject.
*
* The kernel needs to be able to verify an application's filter code.
* Otherwise, a bogus program could easily crash the system.
@ -478,38 +479,114 @@ bpf_validate(f, len)
struct bpf_insn *f;
int len;
{
register int i;
register struct bpf_insn *p;
u_int i, from;
const struct bpf_insn *p;
if (len == 0)
return 1;
if (len < 1 || len > BPF_MAXINSNS)
return 0;
for (i = 0; i < len; ++i) {
/*
* Check that that jumps are forward, and within
* the code block.
*/
p = &f[i];
if (BPF_CLASS(p->code) == BPF_JMP) {
register int from = i + 1;
if (BPF_OP(p->code) == BPF_JA) {
if (from + p->k >= (unsigned)len)
return 0;
}
else if (from + p->jt >= len || from + p->jf >= len)
return 0;
}
switch (BPF_CLASS(p->code)) {
/*
* Check that memory operations use valid addresses.
*/
if ((BPF_CLASS(p->code) == BPF_ST ||
(BPF_CLASS(p->code) == BPF_LD &&
(p->code & 0xe0) == BPF_MEM)) &&
(p->k >= BPF_MEMWORDS || p->k < 0))
return 0;
/*
* Check for constant division by 0.
*/
if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
case BPF_LD:
case BPF_LDX:
switch (BPF_MODE(p->code)) {
case BPF_IMM:
break;
case BPF_ABS:
case BPF_IND:
case BPF_MSH:
/*
* More strict check with actual packet length
* is done runtime.
*/
#if 0
if (p->k >= bpf_maxbufsize)
return 0;
#endif
break;
case BPF_MEM:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_LEN:
break;
default:
return 0;
}
break;
case BPF_ST:
case BPF_STX:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_ALU:
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
case BPF_RSH:
case BPF_NEG:
break;
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
default:
return 0;
}
break;
case BPF_JMP:
/*
* Check that jumps are within the code block,
* and that unconditional branches don't go
* backwards as a result of an overflow.
* Unconditional branches have a 32-bit offset,
* so they could overflow; we check to make
* sure they don't. Conditional branches have
* an 8-bit offset, and the from address is <=
* BPF_MAXINSNS, and we assume that BPF_MAXINSNS
* is sufficiently small that adding 255 to it
* won't overflow.
*
* We know that len is <= BPF_MAXINSNS, and we
* assume that BPF_MAXINSNS is < the maximum size
* of a u_int, so that i + 1 doesn't overflow.
*/
from = i + 1;
switch (BPF_OP(p->code)) {
case BPF_JA:
if (from + p->k < from || from + p->k >= len)
return 0;
break;
case BPF_JEQ:
case BPF_JGT:
case BPF_JGE:
case BPF_JSET:
if (from + p->jt >= len || from + p->jf >= len)
return 0;
break;
default:
return 0;
}
break;
case BPF_RET:
break;
case BPF_MISC:
break;
default:
return 0;
}
}
return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
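Review bot: The constant-division-by-zero check in the `BPF_DIV` case is dead: `BPF_RVAL()` masks `0x18` and `BPF_DIV` is `0x30`, so `BPF_RVAL(p->code)` yields `BPF_A`, never `BPF_K`, for any divide; the operand-source accessor is `BPF_SRC()`. As rendered the case also has no `break;` before `default:`, so every divide, constant or register, falls through to `return 0` and is rejected, which hides the dead check but also refuses valid programs; unless a line was lost in rendering, the case should read `if (BPF_SRC(p->code) == BPF_K && p->k == 0) return 0;` followed by `break;`, and `BPF_MUL` is likewise absent from the accepted ALU ops so multiplications are rejected too. This matters because, as the header comment says, this validator is what stops a user-supplied program from crashing the kernel, and a `BPF_ALU|BPF_DIV|BPF_K` with `k == 0` that gets past it would presumably reach the interpreter as a plain divide. `if (len == 0) return 1;` just ahead of `if (len < 1 || len > BPF_MAXINSNS)` contradicts the stricter check; if it survives on the new side it should go, since an empty program is then both accepted and rejected depending on which line runs first.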


@ -5,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -136,7 +136,7 @@ struct rtentry;
#include "md5.h"
#if !defined(__osf__)
#if !defined(__osf__) && !defined(__linux__)
extern struct protosw inetsw[];
#endif
@ -716,13 +716,45 @@ frdest_t *fdp;
{
struct ifnet *ifp = fdp->fd_ifp;
ip_t *ip = fin->fin_ip;
int error = 0;
frentry_t *fr;
void *sifp;
if (!ifp)
return 0; /* no routing table out here */
ip->ip_len = htons((u_short)ip->ip_len);
ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
fr = fin->fin_fr;
ip->ip_sum = 0;
if (fin->fin_out == 0) {
sifp = fin->fin_ifp;
fin->fin_ifp = ifp;
fin->fin_out = 1;
(void) fr_acctpkt(fin, NULL);
fin->fin_fr = NULL;
if (!fr || !(fr->fr_flags & FR_RETMASK)) {
u_32_t pass;
(void) fr_checkstate(fin, &pass);
}
switch (fr_checknatout(fin, NULL))
{
case 0 :
break;
case 1 :
ip->ip_sum = 0;
break;
case -1 :
error = -1;
goto done;
break;
}
fin->fin_ifp = sifp;
fin->fin_out = 0;
}
#if defined(__sgi) && (IRIX < 60500)
(*ifp->if_output)(ifp, (void *)ip, NULL);
# if TRU64 >= 1885
@ -731,7 +763,8 @@ frdest_t *fdp;
(*ifp->if_output)(ifp, (void *)m, NULL, 0);
# endif
#endif
return 0;
done:
return error;
}
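Review bot: The `case -1:` path jumps to `done` before `fin->fin_ifp = sifp;` and `fin->fin_out = 0;` run, so on a NAT failure the caller's fin is left pointing at the output interface with `fin_out` still set; either restore both fields in the case before the `goto done`, or move the `done:` label (with `error` checked) ahead of the two restoring assignments. The `break;` after `goto done` is unreachable and can be dropped. `fin->fin_fr = NULL;` also overwrites the caller's rule pointer and is not put back; that appears deliberate for the state/NAT lookups, but since fin is shared with the caller a comment such as `/* clear fin_fr so the state/NAT lookups below do not see the routing rule */` would record the intent. The function's signature and the rest of its body are outside the hunk.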


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $
* $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $
*/
#ifndef __IPF_H__
@ -182,7 +182,6 @@ extern struct ipopt_names v6ionames[];
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int addkeep __P((char ***, struct frentry *, int));
extern int bcopywrap __P((void *, void *, size_t));
extern void binprint __P((void *, size_t));
extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));


@ -4,7 +4,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: iplang_y.y,v 2.9.2.3 2005/10/17 17:25:04 darrenr Exp $
* $Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $
*/
#include <stdio.h>
@ -1646,7 +1646,7 @@ void *ptr;
for (sto = toipopts; sto->sto_st; sto++)
if (sto->sto_st == state)
break;
if (!sto || !sto->sto_st) {
if (!sto->sto_st) {
fprintf(stderr, "No mapping for state %d to IP option\n",
state);
return;


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp $
* $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $
*/
@ -92,3 +92,4 @@ extern int load_config __P((char *));
extern void dumphex __P((FILE *, int, char *, int));
extern int check_action __P((char *, char *, int, int));
extern char *getword __P((int));
extern int fac_findname __P((char *));


@ -9,6 +9,9 @@
#include <ctype.h>
#include <signal.h>
#include <errno.h>
#ifdef __NetBSD__
# include <paths.h>
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/mbuf.h>
@ -121,8 +124,18 @@ int tout;
struct bpf_version bv;
struct timeval to;
struct ifreq ifr;
#ifdef _PATH_BPF
char *bpfname = _PATH_BPF;
int fd;
if ((fd = open(bpfname, O_RDWR)) < 0)
{
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#else
char bpfname[16];
int fd, i;
int fd = -1, i;
for (i = 0; i < 16; i++)
{
@ -135,6 +148,7 @@ int tout;
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#endif
if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
{
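Review bot: In the new `#ifdef _PATH_BPF` branch the failure message still says "no bpf devices available as /dev/bpfxx" although the code opened `_PATH_BPF` and the actual cause is in errno; report what was tried, e.g. `perror(bpfname);`, so a permission or ENXIO failure is distinguishable from a missing device. The same message is duplicated in the sbpf.c section of this commit. `bpfname` is never modified in this branch and could be `const char *`. The enclosing function's signature is above the hunk.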


@ -1,5 +1,3 @@
/* $NetBSD$ */
/*
* (C)opyright 1995 by Darren Reed.
*


@ -5,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@ -154,6 +154,8 @@ struct in_addr gwip;
int wfd;
wfd = initdevice(dev, 5);
if (wfd == -1)
return -1;
return send_packet(wfd, mtu, ip, gwip);
}


@ -6,10 +6,18 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.4 2005/06/12 07:18:39 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
#if defined(__NetBSD__) && defined(__vax__)
/*
* XXX need to declare boolean_t for _KERNEL <sys/files.h>
* which ends up including <sys/device.h> for vax. See PR#32907
* for further details.
*/
typedef int boolean_t;
#endif
#include <sys/time.h>
#if !defined(__osf__)
# define _KERNEL
@ -134,7 +142,10 @@ int ptest;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
len = ip->ip_len;
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -468,11 +479,14 @@ int ptest;
int nfd;
u_char *s;
s = (u_char *)(ip + 1);
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
IP_HL_A(ip, 6);
ip->ip_len = IP_HL(ip) << 2;
s = (u_char *)(ip + 1);
s[IPOPT_OPTVAL] = IPOPT_NOP;
s++;
if (!ptest || (ptest == 1)) {
@ -572,7 +586,10 @@ int ptest;
ip->ip_sum = 0;
ip->ip_len = sizeof(*ip) + sizeof(*icp);
icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -771,7 +788,10 @@ int ptest;
u->uh_sport = htons(1);
u->uh_dport = htons(1);
u->uh_ulen = htons(sizeof(*u) + 4);
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -934,7 +954,10 @@ int ptest;
t->th_seq = htonl(1);
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
if (!ptest || (ptest == 1)) {
/*
@ -1279,6 +1302,9 @@ int ptest;
u->uh_sum = 0;
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
u->uh_ulen = htons(7168);
printf("6. Exhaustive mbuf test.\n");
@ -1348,6 +1374,9 @@ int ptest;
u_char *s;
nfd = initdevice(dev, 1);
if (nfd == -1)
return;
pip = (ip_t *)tbuf;
srand(time(NULL) ^ (getpid() * getppid()));


@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@ -225,6 +225,8 @@ struct in_addr gwip;
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, 0);
if (nfd == -1)
return -1;
if (!(s = find_tcp(fd, ti)))
return -1;


@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@ -79,6 +79,9 @@ char *datain;
ip_t *ip;
int fd, wfd = initdevice(dev, 5), len, i;
if (wfd == -1)
return -1;
if (datain)
fd = (*r->r_open)(datain);
else
@ -99,6 +102,7 @@ char *datain;
if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
{
perror("arp");
free(eh);
return -2;
}
@ -135,5 +139,6 @@ char *datain;
}
}
(*r->r_close)();
free(eh);
return 0;
}
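Review bot: The `arp` failure path now frees `eh` but, unlike the normal exit at the bottom which calls `(*r->r_close)()` first, returns `-2` without closing the reader opened by `(*r->r_open)(datain)` earlier in the function; unless something between the two hunks already closes it, that handle is leaked on the error path, and `(*r->r_close)(); free(eh); return -2;` would match the success path. Separately, `int fd, wfd = initdevice(dev, 5), len, i;` hides an I/O call inside a declarator list and is only checked two lines later; `int fd, wfd, len, i;` followed by `wfd = initdevice(dev, 5);` reads more honestly. The function's signature and the allocation of `eh` are outside the visible hunks.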


@ -36,6 +36,9 @@
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#ifdef __NetBSD__
# include <paths.h>
#endif
#include <ctype.h>
#include <signal.h>
#include <errno.h>
@ -44,7 +47,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $";
#endif
/*
@ -61,6 +64,16 @@ int tout;
struct bpf_version bv;
struct timeval to;
struct ifreq ifr;
#ifdef _PATH_BPF
char *bpfname = _PATH_BPF;
int fd;
if ((fd = open(bpfname, O_RDWR)) < 0)
{
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#else
char bpfname[16];
int fd = 0, i;
@ -75,6 +88,7 @@ int tout;
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
return -1;
}
#endif
if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
{


@ -6,12 +6,20 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/stat.h>
#if defined(__NetBSD__) && defined(__vax__)
/*
* XXX need to declare boolean_t for _KERNEL <sys/files.h>
* which ends up including <sys/device.h> for vax. See PR#32907
* for further details.
*/
typedef int boolean_t;
#endif
#ifndef ultrix
#include <fcntl.h>
#endif
@ -301,19 +309,25 @@ struct tcpiphdr *ti;
}
#endif
o = NULL;
f = NULL;
s = NULL;
i = NULL;
t = NULL;
o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n",
(u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o));
return NULL;
goto finderror;
}
f = (struct file *)calloc(1, sizeof(*f));
if (KMCPY(f, o[tfd], sizeof(*f)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n",
(u_long)o[tfd], (u_long)f, (u_long)sizeof(*f));
return NULL;
goto finderror;
}
s = (struct socket *)calloc(1, sizeof(*s));
@ -321,7 +335,7 @@ struct tcpiphdr *ti;
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n",
(u_long)f->f_data, (u_long)s, (u_long)sizeof(*s));
return NULL;
goto finderror;
}
i = (struct inpcb *)calloc(1, sizeof(*i));
@ -329,7 +343,7 @@ struct tcpiphdr *ti;
{
fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n",
(u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i));
return NULL;
goto finderror;
}
t = (struct tcpcb *)calloc(1, sizeof(*t));
@ -337,9 +351,22 @@ struct tcpiphdr *ti;
{
fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n",
(u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t));
return NULL;
goto finderror;
}
return (struct tcpcb *)i->inp_ppcb;
finderror:
if (o != NULL)
free(o);
if (f != NULL)
free(f);
if (s != NULL)
free(s);
if (i != NULL)
free(i);
if (t != NULL)
free(t);
return NULL;
}
#endif /* BSD < 199301 */
@ -381,7 +408,10 @@ struct in_addr gwip;
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, 1);
if (nfd == -1)
return -1;
if (!(t = find_tcp(fd, ti)))
return -1;
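Review bot: The `finderror` cleanup in `find_tcp` frees the five `calloc` copies only on failure; the success path `return (struct tcpcb *)i->inp_ppcb;` just above the label still leaks `o`, `f`, `s`, `i` and `t`, because the value returned is a kernel address rather than one of the copies, so the frees can run on both paths. None of the `calloc` results are checked before `KMCPY` writes into them, so an allocation failure becomes a write through NULL; a NULL check that jumps to `finderror` covers each one. The `if (x != NULL) free(x);` guards are redundant since `free(NULL)` is a no-op. The sketch below assumes a new local `struct tcpcb *tcp = NULL;` initialised next to the existing `o = NULL;` assignments; `find_tcp`'s signature and locals are above the hunk.
```c
	o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
	if (o == NULL)
		goto finderror;
	/* … unchanged: KMCPY of fd_ofiles; same NULL check after each of the f, s, i, t callocs … */
	tcp = (struct tcpcb *)i->inp_ppcb;	/* kernel address: safe to return after the copies are freed */
finderror:
	free(o);
	free(f);
	free(s);
	free(i);
	free(t);
	return tcp;
```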


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp $
* $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $
*/
#ifndef __IPT_H__


@ -2,7 +2,6 @@ INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/addipopt.o \
$(DEST)/addkeep.o \
$(DEST)/bcopywrap.o \
$(DEST)/binprint.o \
$(DEST)/buildopts.o \
@ -47,7 +46,6 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/load_pool.o \
$(DEST)/load_poolnode.o \
$(DEST)/loglevel.o \
$(DEST)/make_range.o \
$(DEST)/mutex_emul.o \
$(DEST)/nametokva.o \
$(DEST)/nat_setgroupmap.o \
@ -108,8 +106,6 @@ $(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@
$(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@
$(DEST)/addkeep.o: $(LIBSRC)/addkeep.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addkeep.c -o $@
$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $
* $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $
*/
#include <ctype.h>
@ -17,76 +17,3 @@ char *icmptypes[MAX_ICMPTYPE + 1] = {
"routersol", "timex", "paramprob", "timest", "timestrep",
"inforeq", "inforep", "maskreq", "maskrep", "END"
};
/*
* set the icmp field to the correct type if "icmp" word is found
*/
int addicmp(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
{
char **t;
int i;
(*cp)++;
if (!**cp)
return -1;
if (!fp->fr_proto) /* to catch lusers */
fp->fr_proto = IPPROTO_ICMP;
if (ISDIGIT(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
"%d: Invalid icmp-type (%s) specified\n",
linenum, **cp);
return -1;
}
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
continue;
if (!strcasecmp("END", *t)) {
i = -1;
break;
}
if (!strcasecmp(*t, **cp))
break;
}
if (i == -1) {
fprintf(stderr,
"%d: Unknown icmp-type (%s) specified\n",
linenum, **cp);
return -1;
}
}
fp->fr_icmp = (u_short)(i << 8);
fp->fr_icmpm = (u_short)0xff00;
(*cp)++;
if (!**cp)
return 0;
if (**cp && strcasecmp("code", **cp))
return 0;
(*cp)++;
if (ISDIGIT(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
"%d: Invalid icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
} else {
i = icmpcode(**cp);
if (i == -1) {
fprintf(stderr,
"%d: Unknown icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
}
i &= 0xff;
fp->fr_icmp |= (u_short)i;
fp->fr_icmpm = (u_short)0xffff;
(*cp)++;
return 0;
}


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $
* $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $
*/
#include <stdio.h>
@ -20,7 +20,7 @@
#include "facpri.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.1 2005/11/14 17:45:06 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $";
#endif
@ -79,13 +79,13 @@ fac_toname(facpri)
fac = facpri & LOG_FACMASK;
j = fac >> 3;
if (j < 24) {
if (j < (sizeof(facs)/sizeof(facs[0]))) {
if (facs[j].value == fac)
return facs[j].name;
for (i = 0; facs[i].name; i++)
if (fac == facs[i].value)
return facs[i].name;
}
for (i = 0; facs[i].name; i++)
if (fac == facs[i].value)
return facs[i].name;
return NULL;
}
@ -94,11 +94,11 @@ fac_toname(facpri)
/*
* map a facility name to its number
*/
int
int
fac_findname(name)
char *name;
{
int i;
int i;
for (i = 0; facs[i].name; i++)
if (!strcmp(facs[i].name, name))
@ -116,22 +116,6 @@ table_t pris[] = {
};
/*
* map a priority name to its number
*/
int
pri_findname(name)
char *name;
{
int i;
for (i = 0; pris[i].name; i++)
if (!strcmp(pris[i].name, name))
return pris[i].value;
return -1;
}
/*
* map a priority number to its name
*/
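Review bot: The fallback by-value scan in `fac_toname` now runs only inside `if (j < (sizeof(facs)/sizeof(facs[0])))`, whereas before it ran for every `fac`; any facility whose `fac >> 3` lands beyond the table can therefore no longer be resolved even if a `facs` entry carries that value. Keeping the loop outside the bound check preserves the old behaviour while still fixing the out-of-bounds read: `if (j < (sizeof(facs)/sizeof(facs[0])) && facs[j].value == fac)` / `return facs[j].name;` followed by the unconditional loop. The comparison is against a `size_t`; `j` comes from a masked `fac` so it cannot be negative here, but its declaration is above the hunk and if it is `int` the comparison is performed unsigned, which is worth a comment.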


@ -18,6 +18,33 @@ u_short *port;
return -1;
}
/*
* Some people will use port names in rules without specifying
* either TCP or UDP because it is implied by the group head.
* If we don't know the protocol, then the best we can do here is
* to take either only the TCP or UDP mapping (if one or the other
* is missing) or make sure both of them agree.
*/
if (fr->fr_proto == 0) {
s = getservbyname(name, "tcp");
if (s != NULL)
p1 = s->s_port;
else
p1 = 0;
s = getservbyname(name, "udp");
if (s != NULL) {
if (p1 != s->s_port)
return -1;
}
if ((p1 == 0) && (s == NULL))
return -1;
if (p1)
*port = p1;
else
*port = s->s_port;
return 0;
}
if ((fr->fr_flx & FI_TCPUDP) != 0) {
/*
* If a rule is "tcp/udp" then check that both TCP and UDP
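Review bot: The `fr->fr_proto == 0` branch rejects a UDP-only service name, contrary to its own comment: when the TCP lookup fails `p1` stays 0, and a UDP hit then trips `if (p1 != s->s_port) return -1;` because 0 never equals a real port, so the later `else *port = s->s_port;` is unreachable in practice. Guard the comparison on actually having a TCP result, `if (s != NULL && p1 != 0 && p1 != s->s_port) return -1;`, so that only a genuine TCP/UDP disagreement is an error. `s` and `p1` are declared, and the function begins, above the hunk; the value stored is `s_port` as returned by getservbyname, i.e. network byte order, which the other branches of this function presumably also store — worth confirming.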


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $
* $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $
*/
#include <ctype.h>
@ -20,28 +20,3 @@ char *icmpcodes[MAX_ICMPCODE + 1] = {
"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
"net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
NULL };
/*
* Return the number for the associated ICMP unreachable code.
*/
int icmpcode(str)
char *str;
{
char *s;
int i, len;
if ((s = strrchr(str, ')')))
*s = '\0';
if (ISDIGIT(*str)) {
if (!ratoi(str, &i, 0, 255))
return -1;
else
return i;
}
len = strlen(str);
for (i = 0; icmpcodes[i]; i++)
if (!strncasecmp(str, icmpcodes[i], MIN(len,
strlen(icmpcodes[i])) ))
return i;
return -1;
}


@ -3,11 +3,11 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $
* $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.6 2005/12/04 10:07:22 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $";
#endif
#include <ctype.h>
@ -73,36 +73,15 @@ int *resolved;
static u_short tx_portnum(name)
char *name;
{
struct servent *sp, *sp2;
u_short p1 = 0;
struct servent *sp;
if (ISDIGIT(*name))
return (u_short)atoi(name);
if (!tx_proto)
tx_proto = "tcp/udp";
if (strcasecmp(tx_proto, "tcp/udp")) {
sp = getservbyname(name, tx_proto);
if (sp)
return ntohs(sp->s_port);
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
return 0;
}
sp = getservbyname(name, "tcp");
sp = getservbyname(name, tx_proto);
if (sp)
p1 = sp->s_port;
sp2 = getservbyname(name, "udp");
if (!sp || !sp2) {
(void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
name);
return 0;
}
if (p1 != sp2->s_port) {
(void) fprintf(stderr, "%s %d/tcp is a different port to ",
name, p1);
(void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
return 0;
}
return ntohs(p1);
return ntohs(sp->s_port);
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
return 0;
}
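Review bot: With the simplified lookup, `if (!tx_proto) tx_proto = "tcp/udp";` (shown as context, so apparently still on the new side) feeds the literal `"tcp/udp"` straight into `getservbyname(name, tx_proto)`; there is no such protocol in the services database, so a text rule with no explicit protocol now always fails with "unknown service", where the old code looked up both tcp and udp and checked they agreed. getservbyname treats a NULL protocol as "any", so `sp = getservbyname(name, strcasecmp(tx_proto, "tcp/udp") ? tx_proto : NULL);` keeps the default and the existing callers that set the string while restoring the lookup. `tx_proto` is a file-scope variable set outside the hunk, so this only bites when a caller leaves it unset or sets it to "tcp/udp".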


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: optprint.c,v 1.6 2002/07/13 15:59:49 darrenr Exp $
* $Id: optprint.c,v 1.6.4.1 2005/12/18 14:51:28 darrenr Exp $
*/
#include "ipf.h"
@ -23,6 +23,10 @@ u_long optmsk, optbits;
if ((io->on_value != IPOPT_SECURITY) ||
(!secmsk && !secbits)) {
printf("%s%s", s, io->on_name);
/*
* Because the ionames table has this entry
* twice.
*/
if (io->on_value == IPOPT_SECURITY)
io++;
s = ",";
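Review bot: The `io++` skip works only because the two IPOPT_SECURITY rows are adjacent in the ionames table and the loop's own increment then steps past the second one; nothing checks that the next entry really is the duplicate, so a reordering of the table would silently skip an unrelated option. Assuming the table is terminated, `if (io->on_value == IPOPT_SECURITY && io[1].on_value == IPOPT_SECURITY) io++;` makes the assumption explicit, and the comment would be clearer as "the next entry is the second IPOPT_SECURITY row; skip it so the name is not printed twice". The loop header and the table are outside the hunk.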


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: printfr.c,v 1.43.2.15 2005/11/14 17:45:06 darrenr Exp $
* $Id: printfr.c,v 1.43.2.16 2006/03/29 11:19:59 darrenr Exp $
*/
#include "ipf.h"
@ -120,20 +120,6 @@ ioctlfunc_t iocfunc;
printf("pass");
else if (FR_ISBLOCK(fp->fr_flags)) {
printf("block");
if (fp->fr_flags & FR_RETICMP) {
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
printf(" return-icmp-as-dest");
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
printf(" return-icmp");
if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
printf("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
printf("(%d)", fp->fr_icode);
}
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
printf(" return-rst");
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
printlog(fp);
} else if (FR_ISACCOUNT(fp->fr_flags))
@ -149,6 +135,20 @@ ioctlfunc_t iocfunc;
else {
printf("%x", fp->fr_flags);
}
if (fp->fr_flags & FR_RETICMP) {
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
printf(" return-icmp-as-dest");
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
printf(" return-icmp");
if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
printf("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
printf("(%d)", fp->fr_icode);
}
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
printf(" return-rst");
if (fp->fr_flags & FR_OUTQUE)
printf(" out ");


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: printlog.c,v 1.6.4.1 2005/11/14 17:45:06 darrenr Exp $
* $Id: printlog.c,v 1.6.4.2 2005/12/18 14:49:06 darrenr Exp $
*/
#include "ipf.h"
@ -26,14 +26,11 @@ frentry_t *fp;
if (fp->fr_loglevel != 0xffff) {
printf(" level ");
s = fac_toname(fp->fr_loglevel);
if (s == NULL)
if (s == NULL || *s == '\0')
s = "!!!";
u = pri_toname(fp->fr_loglevel);
if (u == NULL)
if (u == NULL || *u == '\0')
u = "!!!";
if (*s)
printf("%s.%s", s, u);
else
printf("%s", u);
printf("%s.%s", s, u);
}
}


@ -8,6 +8,8 @@ ipmon \- monitors /dev/ipl for logged packets
] [
.B "\-N <device>"
] [
.B "\-L <facility>"
] [
.B "\-o [NSI]"
] [
.B "\-O [NSI]"
@ -72,7 +74,7 @@ In order for \fBipmon\fP to properly work, the kernel option
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
\fBoptions(4)\fP for more details.
.LP
\fBipmon\fP reopns its log file(s) and rereads its configuration file
\fBipmon\fP reopens its log file(s) and rereads its configuration file
when it receives a SIGHUP signal.
.SH OPTIONS
.TP
@ -101,6 +103,9 @@ for normal IP Filter log records.
Flush the current packet log buffer. The number of bytes flushed is displayed,
even should the result be zero.
.TP
.B \-L <facility>
Using this option allows you to change the default syslog facility that
ipmon uses for syslog messages. The default is local0.
.B \-n
IP addresses and port numbers will be mapped, where possible, back into
hostnames and service names.


@ -137,7 +137,7 @@ struct radix_node *rn_addmask __P((int, int, void *));
* node as high in the tree as we can go.
*
* The present version of the code makes use of normal routes in short-
* circuiting an explict mask and compare operation when testing whether
* circuiting an explicit mask and compare operation when testing whether
* a key satisfies a normal route, and also in remembering the unique leaf
* that governs a subtree.
*/


@ -55,7 +55,6 @@ char *argv[];
struct sockaddr_in sin, sloc, sout;
ipfobj_t obj;
natlookup_t natlook;
natlookup_t *natlookp = &natlook;
char buffer[512];
int namelen, fd, n;


@ -21,7 +21,7 @@ first:
-mkdir -p results
# Filtering tests
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
@ -29,7 +29,8 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14
nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16
nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \
ni16 ni19 ni20 ni21
intests: in1 in2 in3 in4 in5 in6
@ -44,7 +45,7 @@ bpf: bpf1 bpf-f1
f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19:
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f15 f16 f17 f18:
f15 f16 f17 f18 f20:
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1:
@ -53,10 +54,10 @@ i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1:
n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14:
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16:
ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20:
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni6:
ni6 ni21:
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
in1 in2 in3 in4 in5 in6:
@ -78,11 +79,11 @@ bpf-f1:
/bin/sh ./bpftest `awk "/^$@ / { print; } " test.format`
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21
/bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14
/bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9
/bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16
/bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21
/bin/rm -f in1 in2 in3 in4 in5 in6
/bin/rm -f p1 p2 p3 ip1
/bin/rm -f l1


@ -0,0 +1,3 @@
pass
nomatch
--------


@ -3,12 +3,12 @@ block out all
log in all
log body in all
count in from any to any
pass in from !any to any
pass in from !any to any pps 10
block in from any to !any
pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
pass in on ed0(!),vx0(!) from 127.0.0.1/32 to 127.0.0.1/32
block in log first on lo0(!) from any to any
pass in log body quick from any to any
pass in log body or-block quick from any to any
block return-rst in quick on le0(!) proto tcp from any to any
block return-icmp in on qe0(!) from any to any
block return-icmp(host-unr) in on qe0(!) from any to any


@ -1,4 +1,5 @@
pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt sec
pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt lsrr not opt sec
block in from any to any with not opt sec-class topsecret
block in from any to any with not opt sec-class topsecret,secret
pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass


@ -7,4 +7,5 @@ pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state
pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state
pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state
pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state
pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err)
pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600)
pass in proto udp from any to any keep state (sync,age 10/20)


@ -1,6 +1,7 @@
pass in tos 0x50 from any to any
pass in tos 0x80 from any to any
pass in tos 0x28 from any to any
pass in tos 0x80 from any to any
pass in tos 0x50 from any to any
block in ttl 0 from any to any
block in ttl 1 from any to any
block in ttl 2 from any to any


@ -3,3 +3,7 @@ count in tos 0x80 from any to any
pass in on ed0(!) tos 0x40 from 127.0.0.1/32 to 127.0.0.1/32
block in log on lo0(!) ttl 0 from any to any
pass in quick ttl 1 from any to any
skip 3 out from 127.0.0.1/32 to any
auth out on foo0(!) proto tcp from any to any port = 80
preauth out on foo0(!) proto tcp from any to any port = 22
nomatch out on foo0(!) proto tcp from any port < 1024 to any


@ -31,3 +31,5 @@ pass in proto icmp from any to any icmp-type squench
pass in proto icmp from any to any icmp-type timest
pass in proto icmp from any to any icmp-type timestrep
pass in proto icmp from any to any icmp-type timex
pass in proto icmp from any to any icmp-type 254
pass in proto icmp from any to any icmp-type 253 code 254


@ -5,8 +5,13 @@ pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr
pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag
pass in from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body
pass in proto tcp from any to any flags S/FSRPAU with not oow keep state
block in proto tcp from any to any with oow
pass in proto tcp from any to any flags S/FSRPAU with not bad,bad-src,bad-nat
block in proto tcp from any to any flags S/FSRPAU with bad,not bad-src,not bad-nat
pass in quick from any to any with not short
block in quick from any to any with not nat
pass in quick from any to any with not frag-body
block in quick from any to any with not lowttl
pass in from any to any with mbcast,not bcast,mcast,not state
pass in from any to any with not ipopts,mbcast,not bcast,mcast,not state
block in from any to any with not mbcast,bcast,not mcast,state
pass in from any to any with opt mtup,mtur,encode,ts,tr,sec,e-sec,cipso,satid,ssrr,addext,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump


@ -1,5 +1,5 @@
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.8.7.6/32 -> 1.1.1.1 255
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.0.0.0/8 -> 1.1.1.1 ip


@ -1,7 +1,8 @@
map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1/32 portmap tcp 10000:20000
map le0 from 9.8.7.6/32 port > 1024 ! to 1.2.3.4/32 -> 1.1.1.1/32 portmap tcp 10000:20000
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 ! from 1.2.3.4/32 to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp


@ -0,0 +1,25 @@
4500 0040 e3fc 4000 4006 40b5 0a01 0101 0a01 0104 03f1 0202 6523 90b2 0000 0000 b002 8000 a431 0000 0204 05b4 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000
4500 0034 0000 4000 4006 fe13 0a01 0104 c0a8 7103 0202 03f1 915a a5c4 6523 90b3 8012 16d0 e89c 0000 0204 05b4 0101 0402 0103 0302
4500 0028 e3fd 4000 4006 40cc 0a01 0101 0a01 0104 03f1 0202 6523 90b3 915a a5c5 5010 832c e3b7 0000
4500 002d e3fe 4000 4006 40c6 0a01 0101 0a01 0104 03f1 0202 6523 90b3 915a a5c5 5018 832c 8242 0000 3130 3038 00
4500 0028 7ce5 4000 4006 813a 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90b8 5010 05b4 3a81 0000
4500 003c 1186 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 a002 16d0 b8c0 0000 0204 05b4 0402 080a 0039 d924 0000 0000 0103 0302
4500 0040 e3ff 4000 4006 40b2 0a01 0101 0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3 b012 8000 452f 0000 0204 05b4 0103 0300 0101 080a 0000 0000 0039 d924 0402 0101
4500 0034 1188 4000 4006 ec8b 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8010 05b4 d99b 0000 0101 080a 0039 d925 0000 0000
4500 0030 e400 4000 4006 40c1 0a01 0101 0a01 0104 03f1 0202 6523 90b8 915a a5c5 5018 832c 3560 0000 6461 7272 656e 7200
4500 0028 7ce7 4000 4006 8138 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90c0 5010 05b4 3a79 0000
4500 0053 e401 4000 4006 409d 0a01 0101 0a01 0104 03f1 0202 6523 90c0 915a a5c5 5018 832c cce7 0000 6461 7272 656e 7200 7368 202d 6320 2265 6368 6f20 666f 6f20 3e26 313b 2065 6368 6f20 6261 7220 3e26 3222 00
4500 0028 7ce9 4000 4006 8136 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5010 05b4 3a4e 0000
4500 0029 7ceb 4000 4006 8133 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5018 05b4 3a45 0000 00
4500 0028 e403 4000 4006 40c6 0a01 0101 0a01 0104 03f1 0202 6523 90eb 915a a5c6 5010 832c e37e 0000
4500 002c 7ced 4000 4006 812e 0a01 0104 c0a8 7103 0202 03f1 915a a5c6 6523 90eb 5018 05b4 64c7 0000 666f 6f0a
4500 0038 118a 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8018 05b4 00dd 0000 0101 080a 0039 dd6c 0000 0000 6261 720a
4500 0028 7cef 4000 4006 8130 0a01 0104 c0a8 7103 0202 03f1 915a a5ca 6523 90eb 5011 05b4 3a48 0000
4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000
4500 0028 e404 4000 4006 1a1b c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5010 8328 bcd3 0000
4500 0034 e405 4000 4006 1a0e c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 57d7 0000 0101 080a 0000 0004 0039 dd6c
4500 0028 e40a 4000 4006 1a15 c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5011 832c bcce 0000
4500 0034 e40b 4000 4006 1a08 c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 57d2 0000 0101 080a 0000 0004 0039 dd6c
4500 0028 0004 4000 4006 fe1b 0a01 0104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 3a47 0000
4500 0034 118e 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 d548 0000 0101 080a 0039 dd6e 0000 0004
-------------------------------


@ -0,0 +1,25 @@
4500 0040 e3fc 4000 4006 f362 c0a8 7103 c0a8 7104 03f1 0202 6523 90b2 0000 0000 b002 8000 56df 0000 0204 05b4 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000
4500 0034 0000 4000 4006 fe13 0a01 0104 c0a8 7103 0202 03f1 915a a5c4 6523 90b3 8012 16d0 e89c 0000 0204 05b4 0101 0402 0103 0302
4500 0028 e3fd 4000 4006 f379 c0a8 7103 c0a8 7104 03f1 0202 6523 90b3 915a a5c5 5010 832c 9665 0000
4500 002d e3fe 4000 4006 f373 c0a8 7103 c0a8 7104 03f1 0202 6523 90b3 915a a5c5 5018 832c 34f0 0000 3130 3038 00
4500 0028 7ce5 4000 4006 813a 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90b8 5010 05b4 3a81 0000
4500 003c 1186 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 a002 16d0 b8c0 0000 0204 05b4 0402 080a 0039 d924 0000 0000 0103 0302
4500 0040 e3ff 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b810 91d4 c8a3 b012 8000 f7dc 0000 0204 05b4 0103 0300 0101 080a 0000 0000 0039 d924 0402 0101
4500 0034 1188 4000 4006 ec8b 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8010 05b4 d99b 0000 0101 080a 0039 d925 0000 0000
4500 0030 e400 4000 4006 f36e c0a8 7103 c0a8 7104 03f1 0202 6523 90b8 915a a5c5 5018 832c e80d 0000 6461 7272 656e 7200
4500 0028 7ce7 4000 4006 8138 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90c0 5010 05b4 3a79 0000
4500 0053 e401 4000 4006 f34a c0a8 7103 c0a8 7104 03f1 0202 6523 90c0 915a a5c5 5018 832c 7f95 0000 6461 7272 656e 7200 7368 202d 6320 2265 6368 6f20 666f 6f20 3e26 313b 2065 6368 6f20 6261 7220 3e26 3222 00
4500 0028 7ce9 4000 4006 8136 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5010 05b4 3a4e 0000
4500 0029 7ceb 4000 4006 8133 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5018 05b4 3a45 0000 00
4500 0028 e403 4000 4006 f373 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5c6 5010 832c 962c 0000
4500 002c 7ced 4000 4006 812e 0a01 0104 c0a8 7103 0202 03f1 915a a5c6 6523 90eb 5018 05b4 64c7 0000 666f 6f0a
4500 0038 118a 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8018 05b4 00dd 0000 0101 080a 0039 dd6c 0000 0000 6261 720a
4500 0028 7cef 4000 4006 8130 0a01 0104 c0a8 7103 0202 03f1 915a a5ca 6523 90eb 5011 05b4 3a48 0000
4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000
4500 0028 e404 4000 4006 f372 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5010 8328 962b 0000
4500 0034 e405 4000 4006 f365 c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 312f 0000 0101 080a 0000 0004 0039 dd6c
4500 0028 e40a 4000 4006 f36c c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5011 832c 9626 0000
4500 0034 e40b 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 312a 0000 0101 080a 0000 0004 0039 dd6c
4500 0028 0004 4000 4006 d773 c0a8 7104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 139f 0000
4500 0034 118e 4000 4006 c5dd c0a8 7104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 aea0 0000 0101 080a 0039 dd6e 0000 0004
-------------------------------


@ -0,0 +1,4 @@
ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
ip #0 20(20) 0 3.3.3.3 > 2.2.2.2
ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
-------------------------------


@ -1,5 +1,5 @@
in tcp 127.0.0.1,1 127.0.0.1,21
in tcp 1.1.1.1,1 1.2.1.1,21
in tcp 127.0.0.1,1 127.0.0.1,ftp
in tcp 1.1.1.1,1 1.2.1.1,ftp
in udp 127.0.0.1,1 127.0.0.1,21
in udp 1.1.1.1,1 1.2.1.1,21
in icmp 127.0.0.1 127.0.0.1


@ -0,0 +1,2 @@
out on de0 1.1.1.1 2.2.2.2
out on ab0 1.1.1.1 2.2.2.2


@ -0,0 +1,157 @@
# 192.168.113.3.1009 > 10.1.1.4.shell: SYN win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
[out,bge0]
4500 0040 e3fc 4000 4006 1a0b c0a8 7103
0a01 0104 03f1 0202 6523 90b2 0000 0000
b002 8000 7d87 0000 0204 05b4 0103 0300
0402 0101 0101 080a 0000 0000 0000 0000
# 10.1.1.4.shell > 10.1.1.1.1009: SYN win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
[in,bge0]
4500 0034 0000 4000 4006 24be 0a01 0104
0a01 0101 0202 03f1 915a a5c4 6523 90b3
8012 16d0 0f47 0000 0204 05b4 0101 0402
0103 0302
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 0028 e3fd 4000 4006 1a22 c0a8 7103
0a01 0104 03f1 0202 6523 90b3 915a a5c5
5010 832c bd0d 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 002d e3fe 4000 4006 1a1c c0a8 7103
0a01 0104 03f1 0202 6523 90b3 915a a5c5
5018 832c 5b98 0000 3130 3038 00
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0028 7ce5 4000 4006 a7e4 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90b8
5010 05b4 612b 0000 0000 0000 0000
# 10.1.1.4.1023 > 10.1.1.1.1008: SYN win 5840 <mss 1460,sackOK,timestamp 3791140 0,nop,wscale 2>
[in,bge0]
4500 003c 1186 4000 4006 1330 0a01 0104
0a01 0101 03ff 03f0 91d4 c8a2 0000 0000
a002 16d0 df6a 0000 0204 05b4 0402 080a
0039 d924 0000 0000 0103 0302
# 192.168.113.3.1008 > 10.1.1.4.1023: SYN win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 3791140,sackOK,nop,nop>
[out,bge0]
4500 0040 e3ff 4000 4006 1a08 c0a8 7103
0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3
b012 8000 1e85 0000 0204 05b4 0103 0300
0101 080a 0000 0000 0039 d924 0402 0101
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
4500 0034 1188 4000 4006 1336 0a01 0104
0a01 0101 03ff 03f0 91d4 c8a3 66e5 b811
8010 05b4 0046 0000 0101 080a 0039 d925
0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 0030 e400 4000 4006 1a17 c0a8 7103
0a01 0104 03f1 0202 6523 90b8 915a a5c5
5018 832c 0eb6 0000 6461 7272 656e 7200
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0028 7ce7 4000 4006 a7e2 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90c0
5010 05b4 6123 0000 0000 0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 0053 e401 4000 4006 19f3 c0a8 7103
0a01 0104 03f1 0202 6523 90c0 915a a5c5
5018 832c a63d 0000 6461 7272 656e 7200
7368 202d 6320 2265 6368 6f20 666f 6f20
3e26 313b 2065 6368 6f20 6261 7220 3e26
3222 00
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0028 7ce9 4000 4006 a7e0 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90eb
5010 05b4 60f8 0000 0000 0000 0000
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0029 7ceb 4000 4006 a7dd 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90eb
5018 05b4 60ef 0000 0000 0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 0028 e403 4000 4006 1a1c c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5c6
5010 832c bcd4 0000
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 002c 7ced 4000 4006 a7d8 0a01 0104
0a01 0101 0202 03f1 915a a5c6 6523 90eb
5018 05b4 8b71 0000 666f 6f0a 0000
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
4500 0038 118a 4000 4006 1330 0a01 0104
0a01 0101 03ff 03f0 91d4 c8a3 66e5 b811
8018 05b4 2787 0000 0101 080a 0039 dd6c
0000 0000 6261 720a
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0028 7cef 4000 4006 a7da 0a01 0104
0a01 0101 0202 03f1 915a a5ca 6523 90eb
5011 05b4 60f2 0000 0000 0000 0000
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
4500 0034 118c 4000 4006 1332 0a01 0104
0a01 0101 03ff 03f0 91d4 c8a7 66e5 b811
8011 05b4 fbf8 0000 0101 080a 0039 dd6d
0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 0028 e404 4000 4006 1a1b c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5cb
5010 8328 bcd3 0000
# 192.168.113.3.1008 > 10.1.1.4.1023
[out,bge0]
4500 0034 e405 4000 4006 1a0e c0a8 7103
0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
8010 8328 57d7 0000 0101 080a 0000 0004
0039 dd6c
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
4500 0028 e40a 4000 4006 1a15 c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5cb
5011 832c bcce 0000
# 192.168.113.3.1008 > 10.1.1.4.1023
[out,bge0]
4500 0034 e40b 4000 4006 1a08 c0a8 7103
0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
8011 832c 57d2 0000 0101 080a 0000 0004
0039 dd6c
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0028 0004 4000 4006 24c6 0a01 0104
0a01 0101 0202 03f1 915a a5cb 6523 90ec
5010 05b4 60f1 0000 0000 0000 0000
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
4500 0034 118e 4000 4006 1330 0a01 0104
0a01 0101 03ff 03f0 91d4 c8a8 66e5 b812
8010 05b4 fbf2 0000 0101 080a 0039 dd6e
0000 0004


@ -0,0 +1,157 @@
# 192.168.113.3.1009 > 10.1.1.4.shell: SYN win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
[in,bge0]
4500 0040 e3fc 4000 4006 1a0b c0a8 7103
0a01 0104 03f1 0202 6523 90b2 0000 0000
b002 8000 7d87 0000 0204 05b4 0103 0300
0402 0101 0101 080a 0000 0000 0000 0000
# 192.168.113.4.shell > 192.168.113.3.1009: SYN win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
[out,bge0]
4500 0034 0000 4000 4006 d76b c0a8 7104
c0a8 7103 0202 03f1 915a a5c4 6523 90b3
8012 16d0 c1f4 0000 0204 05b4 0101 0402
0103 0302
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 0028 e3fd 4000 4006 1a22 c0a8 7103
0a01 0104 03f1 0202 6523 90b3 915a a5c5
5010 832c bd0d 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 002d e3fe 4000 4006 1a1c c0a8 7103
0a01 0104 03f1 0202 6523 90b3 915a a5c5
5018 832c 5b98 0000 3130 3038 00
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 0028 7ce5 4000 4006 5a92 c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90b8
5010 05b4 13d9 0000 0000 0000 0000
# 192.168.113.4.1023 > 192.168.113.3.1008: SYN win 5840 <mss 1460,sackOK,timestamp 3791140 0,nop,wscale 2>
[out,bge0]
4500 003c 1186 4000 4006 c5dd c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000
a002 16d0 9218 0000 0204 05b4 0402 080a
0039 d924 0000 0000 0103 0302
# 192.168.113.3.1008 > 10.1.1.4.1023: SYN win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 3791140,sackOK,nop,nop>
[in,bge0]
4500 0040 e3ff 4000 4006 1a08 c0a8 7103
0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3
b012 8000 1e85 0000 0204 05b4 0103 0300
0101 080a 0000 0000 0039 d924 0402 0101
# 192.168.113.4.1023 > 192.168.113.3.1008
[out,bge0]
4500 0034 1188 4000 4006 c5e3 c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811
8010 05b4 b2f3 0000 0101 080a 0039 d925
0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 0030 e400 4000 4006 1a17 c0a8 7103
0a01 0104 03f1 0202 6523 90b8 915a a5c5
5018 832c 0eb6 0000 6461 7272 656e 7200
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 0028 7ce7 4000 4006 5a90 c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90c0
5010 05b4 13d1 0000 0000 0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 0053 e401 4000 4006 19f3 c0a8 7103
0a01 0104 03f1 0202 6523 90c0 915a a5c5
5018 832c a63d 0000 6461 7272 656e 7200
7368 202d 6320 2265 6368 6f20 666f 6f20
3e26 313b 2065 6368 6f20 6261 7220 3e26
3222 00
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 0028 7ce9 4000 4006 5a8e c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90eb
5010 05b4 13a6 0000 0000 0000 0000
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 0029 7ceb 4000 4006 5a8b c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90eb
5018 05b4 139d 0000 0000 0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 0028 e403 4000 4006 1a1c c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5c6
5010 832c bcd4 0000
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 002c 7ced 4000 4006 5a86 c0a8 7104
c0a8 7103 0202 03f1 915a a5c6 6523 90eb
5018 05b4 3e1f 0000 666f 6f0a 0000
# 192.168.113.4.1023 > 192.168.113.3.1008
[out,bge0]
4500 0038 118a 4000 4006 c5dd c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811
8018 05b4 da34 0000 0101 080a 0039 dd6c
0000 0000 6261 720a
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 0028 7cef 4000 4006 5a88 c0a8 7104
c0a8 7103 0202 03f1 915a a5ca 6523 90eb
5011 05b4 13a0 0000 0000 0000 0000
# 192.168.113.4.1023 > 192.168.113.3.1008
[out,bge0]
4500 0034 118c 4000 4006 c5df c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811
8011 05b4 aea6 0000 0101 080a 0039 dd6d
0000 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 0028 e404 4000 4006 1a1b c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5cb
5010 8328 bcd3 0000
# 192.168.113.3.1008 > 10.1.1.4.1023
[in,bge0]
4500 0034 e405 4000 4006 1a0e c0a8 7103
0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
8010 8328 57d7 0000 0101 080a 0000 0004
0039 dd6c
# 192.168.113.3.1009 > 10.1.1.4.shell
[in,bge0]
4500 0028 e40a 4000 4006 1a15 c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5cb
5011 832c bcce 0000
# 192.168.113.3.1008 > 10.1.1.4.1023
[in,bge0]
4500 0034 e40b 4000 4006 1a08 c0a8 7103
0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
8011 832c 57d2 0000 0101 080a 0000 0004
0039 dd6c
# 192.168.113.4.shell > 192.168.113.3.1009
[out,bge0]
4500 0028 0004 4000 4006 d773 c0a8 7104
c0a8 7103 0202 03f1 915a a5cb 6523 90ec
5010 05b4 139f 0000 0000 0000 0000
# 192.168.113.4.1023 > 192.168.113.3.1008
[out,bge0]
4500 0034 118e 4000 4006 c5dd c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812
8010 05b4 aea0 0000 0101 080a 0039 dd6e
0000 0004


@ -0,0 +1,3 @@
out on lan0 2.2.2.2 3.3.3.3
in on lan0 3.3.3.3 4.4.4.4
out on lan0 2.2.2.2 3.3.3.3


@ -0,0 +1,4 @@
block out quick on de0 head 100
skip 1 out group 100
block out quick group 100
pass out quick group 100


@ -4,12 +4,12 @@ all
log in all
log body in all
count in from any to any
pass in from !any to any
pass in from !any to any pps 10
block in from any to !any
pass in on ed0 from localhost to localhost
pass in on ed0,vx0 from localhost to localhost
block in log first on lo0 from any to any
pass in log body quick from any to any
pass in log body or-block quick from any to any
block return-rst in quick on le0 proto tcp from any to any
block return-icmp in on qe0 from any to any
block return-icmp(1) in on qe0 from any to any


@ -1,4 +1,5 @@
pass in from localhost to localhost with opt sec
pass in from localhost to localhost with opt lsrr not opt sec
block in from any to any with not opt sec-class topsecret
block in from any to any with not opt sec-class topsecret,secret
pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass


@ -7,4 +7,5 @@ pass in on ed0 out-via vx0 proto udp from any to any keep state
pass out on ppp0 in-via le0 proto tcp from any to any keep state
pass in on ed0,vx0 out-via vx0,ed0 proto udp from any to any keep state
pass in proto tcp from any port gt 1024 to localhost port eq 1024 keep state
pass in proto tcp all flags S keep state(strict,newisn,no-icmp-err,limit 101)
pass in proto tcp all flags S keep state(strict,newisn,no-icmp-err,limit 101,age 600)
pass in proto udp all keep state(age 10/20,sync)


@ -2,4 +2,3 @@ pass out on fxp0 all set-tag(log=100)
pass out on fxp0 all set-tag(nat=foo)
pass out on fxp0 all set-tag(log=100, nat=200)
pass out on fxp0 all set-tag(log=2147483648, nat=overtherainbowisapotof)


@ -9,3 +9,5 @@ pass in from localhost to any
@0 pass in from 1.1.1.1 to any
@1 110 pass in from 2.2.2.2 to any
@2 pass in from 3.3.3.3 to any
call fr_srcgrpmap/100 out from 10.1.0.0/16 to any
call now fr_dstgrpmap/200 in from 10.2.0.0/16 to any


@ -1,2 +1,3 @@
pass in tos (80,0x80,40) all
pass in tos (80,0x80) all
pass in tos (0x80,80) all
block in ttl (0,1,2,3,4,5,6) all


@ -3,3 +3,7 @@ count in tos 0x80 from any to any
pass in on ed0 tos 64 from localhost to localhost
block in log on lo0 ttl 0 from any to any
pass in quick ttl 1 from any to any
skip 3 out from 127.0.0.1 to any
auth out on foo0 proto tcp from any to any port = 80
preauth out on foo0 proto tcp from any to any port = 22
nomatch out on foo0 proto tcp from any port < 1024 to any


@ -29,3 +29,5 @@ pass in proto icmp all icmp-type squench
pass in proto icmp all icmp-type timest
pass in proto icmp all icmp-type timestrep
pass in proto icmp all icmp-type timex
pass in proto icmp all icmp-type 254
pass in proto icmp all icmp-type 253 code 254


@ -5,8 +5,13 @@ pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr
pass in from localhost to localhost and not frag
pass in from localhost to localhost with frags,frag-body
pass in proto tcp all flags S with not oow keep state
block in proto tcp all with oow
pass in proto tcp all flags S with not bad,bad-src,bad-nat
block in proto tcp all flags S with bad,not bad-src,not bad-nat
pass in quick all with not short
block in quick all with not nat
pass in quick all with not frag-body
block in quick all with not lowttl
pass in all with mbcast,not bcast,multicast,not state
pass in all with mbcast,not bcast,multicast,not state,not ipopts
block in all with not mbcast,bcast,not multicast,state
pass in from any to any with opt mtur,mtup,encode,ts,tr,sec,cipso,satid,ssrr,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump,addext,e-sec


@ -1,5 +1,5 @@
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 255
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.8.7.6/0xff000000 -> 1.1.1.1 ip


@ -1,7 +1,8 @@
map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1 portmap 10000:20000 tcp
map le0 from 9.8.7.6/32 port > 1024 to ! 1.2.3.4 -> 1.1.1.1 portmap 10000:20000 tcp
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
rdr le0 from any to 9.8.7.6/0xffffffff port = 0 -> 1.1.1.1 port 0 ip
rdr le0 from any to 9.8.7.6 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 ! from 1.2.3.4 to 9.8.7.6 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/255.255.255.255 port = 8888 -> 1.1.1.1 port 888 ip
rdr le0 from any to 9.8.7.6 mask 0xffffffff port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6 mask 255.255.255.255 port = 8888 -> 1.1.1.1 port 888 udp


@ -0,0 +1,3 @@
block in all
pass out quick on bge0 proto tcp from any to any port = shell flags S keep state
block out all


@ -0,0 +1 @@
map bge0 192.168.113.0/24 -> 10.1.1.1/32 proxy port shell rcmd/tcp


@ -0,0 +1,3 @@
block in all
pass in quick on bge0 proto tcp from any to any port = shell flags S keep state
block out all


@ -0,0 +1 @@
rdr bge0 10.1.1.4/32 port shell -> 192.168.113.4 port shell tcp proxy rcmd


@ -0,0 +1 @@
pass out on lan0 to eri0:1.1.1.1 from 2.2.2.2 to any


@ -0,0 +1 @@
map lan0,eri0 2.2.2.2 -> 4.4.4.4


@ -20,6 +20,7 @@ f16 text text
f17 hex hex
f18 text text
f19 text text fr_statemax=3
f20 text text
i1 text ipf
i2 text ipf
i3 text ipf
@ -82,6 +83,9 @@ ni13 hex hex fr_update_ipid=1
ni14 hex hex fr_update_ipid=1
ni15 hex hex fr_update_ipid=1
ni16 hex hex fr_update_ipid=1
ni19 hex hex fr_update_ipid=0
ni20 hex hex fr_update_ipid=0
ni21 text text
p1 text text
p2 text text
p3 text text

98
contrib/ipfilter/todo Normal file

@ -0,0 +1,98 @@
BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
fastroute works
===============================================================================
GENERAL:
--------
* support redirection like "rdr tun0 0/32 port 80 ..."
* use fr_tcpstate() with NAT code for increased NAT usage security or even
fr_checkstate() - suspect this is not possible.
* add another alias for <thishost> for interfaces <thisif>? as well as
all IP#'s associated with the box <myaddrs>?
time permitting:
* load balancing across interfaces
* record buffering for TCP/UDP
* modular application proxying
-done
* allow multiple ip addresses in a source route list for ipsend
* port IP Filter to Linux
Not in this century.
* document bimap
* document NAT rule order processing
* add more docs
in progress
3.4:
XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
traffic priorization) should be *TOP* in the TO DO list.
* Bandwidth limiting!!!
maybe for solaris, otherwise "ALTQ"
* More examples
* More documentation
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.
- done
I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
-sort of done
* intrusion detection
detection of port scans
detection of multiple connection attempts
* support for multiple log files
i.e. all connections to ftp and telnet logged to
a seperate log file
* multiple levels of log severity with E-mail notification
of intrusion alerts or other high priority errors
* poison pill facility
after detection of a port scan, start sending back
large packets of garbage or other packets to
otherwise confuse the intruder (ping of death?)
IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation
BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
are routines in the Tru64 kernel to do this but what is the interface?)
does bimap allow equal sized subnets?
make return-icmp 'intelligent' if no type is given about what type to use?
reply-to - enforce packets to pass through interfaces in particular
combinations - opposite to "to", set reverse path interface


@ -19,7 +19,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $";
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@ -196,7 +196,7 @@ static void closedevice()
static int get_flags()
{
int i;
int i = 0;
if ((opendevice(ipfname, 1) != -2) &&
(ioctl(fd, SIOCGETFF, &i) == -1)) {


@ -79,6 +79,10 @@ static struct wordtab logwords[33];
union i6addr m;
} ipp;
union i6addr ip6;
struct {
char *if1;
char *if2;
} ifs;
};
%type <port> portnum
@ -91,6 +95,7 @@ static struct wordtab logwords[33];
%type <str> servicename name interfacename
%type <pc> portrange portcomp
%type <alist> addrlist poollist
%type <ifs> onname
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
@ -99,7 +104,7 @@ static struct wordtab logwords[33];
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
@ -176,7 +181,7 @@ line: xx rule { while ((fr = frtop) != NULL) {
| YY_COMMENT
;
xx: { newrule(); }
xx: { newrule(); }
;
assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
@ -255,6 +260,7 @@ collection:
action: block
| IPFY_PASS { fr->fr_flags |= FR_PASS; }
| IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
| log
| IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
| auth
@ -284,7 +290,7 @@ log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
;
auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
| IPFY_AUTH IPFY_RETRST { fr->fr_flags |= (FR_AUTH|FR_RETRST);}
| IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
| IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
;
@ -465,18 +471,41 @@ quick:
;
on: IPFY_ON onname
| IPFY_ON lstart onlist lend
| IPFY_ON onname IPFY_INVIA vianame
| IPFY_ON onname IPFY_OUTVIA vianame
;
onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
sizeof(fr->fr_ifnames[0])); \
if ($1.if2 != NULL) { \
strncpy(fr->fr_ifnames[1], \
$1.if2, \
sizeof(fr->fr_ifnames[1]));\
} \
) }
| onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
sizeof(fr->fr_ifnames[0])); \
if ($3.if2 != NULL) { \
strncpy(fr->fr_ifnames[1], \
$3.if2, \
sizeof(fr->fr_ifnames[1]));\
} \
) }
;
onname: interfacename
{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
$$.if1 = fr->fr_ifnames[0];
$$.if2 = NULL;
free($1);
}
| interfacename ',' interfacename
{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
$$.if1 = fr->fr_ifnames[0];
free($1);
strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
$$.if1 = fr->fr_ifnames[1];
free($3);
}
;
@ -1025,7 +1054,8 @@ codelist:
icmpcode
{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
| codelist lmore icmpcode
{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
fr->fr_icmpm |= htons(0xff);) }
;
age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
@ -1085,7 +1115,11 @@ stateopt:
| IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
| IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
age;
| IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
fr->fr_age[1] = $2;) }
| IPFY_AGE YY_NUMBER '/' YY_NUMBER
{ DOALL(fr->fr_age[0] = $2; \
fr->fr_age[1] = $4;) }
;
portnum:
@ -1443,6 +1477,7 @@ static struct wordtab ipfwords[95] = {
{ "newisn", IPFY_NEWISN },
{ "no", IPFY_NO },
{ "no-icmp-err", IPFY_NOICMPERR },
{ "nomatch", IPFY_NOMATCH },
{ "now", IPFY_NOW },
{ "not", IPFY_NOT },
{ "oow", IPFY_OOW },
@ -1751,18 +1786,6 @@ static frentry_t *addrule()
;
count = nrules;
if (count == 0) {
f = (frentry_t *)calloc(sizeof(*f), 1);
added++;
f2->fr_next = f;
bcopy(f2, f, sizeof(*f));
if (f2->fr_caddr != NULL) {
f->fr_caddr = malloc(f->fr_dsize);
bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
}
f->fr_next = NULL;
return f;
}
f = f2;
for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
@ -2033,7 +2056,7 @@ void *ptr;
del = SIOCRMAFR;
}
if (fr && (opts & OPT_OUTQUE))
if ((opts & OPT_OUTQUE) != 0)
fr->fr_flags |= FR_OUTQUE;
if (fr->fr_hits)
fr->fr_hits--;
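Review bot: In the two-interface alternative of `onname`, the second assignment writes `$$.if1` again (`$$.if1 = fr->fr_ifnames[1];`), so `$$.if2` is never set and `onlist` later tests and copies whatever stale bytes the semantic-value union holds; the line should read `$$.if2 = fr->fr_ifnames[1];`. As written the first name stored in `$$.if1` is also replaced by the second, so `onlist` copies `fr_ifnames[1]` over `fr_ifnames[0]`. Separately, the hunk under `ipfwords[95]` adds the "nomatch" entry; if the declared size in that header context line was not bumped in the same commit, GCC only warns about the excess initializer and silently drops the last table entry, so the size should be checked.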


@ -5,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $";
#endif
#include "ipf.h"
@ -1222,7 +1222,7 @@ frgroup_t *grp;
char *instr;
group = grp->fg_name;
dogrp = 0;
dogrp = *group ? 1 : 0;
if (in && out) {
fprintf(stderr,


@ -458,21 +458,19 @@ char *file;
i = read(sfd, &ips, sizeof(ips));
if (i == -1) {
perror("read");
close(sfd);
return 1;
goto freeipshead;
}
if (i == 0)
break;
if (i != sizeof(ips)) {
fprintf(stderr, "state:incomplete read: %d != %d\n",
i, (int)sizeof(ips));
close(sfd);
return 1;
goto freeipshead;
}
is = (ipstate_save_t *)malloc(sizeof(*is));
if(!is) {
if (is == NULL) {
fprintf(stderr, "malloc failed\n");
return 1;
goto freeipshead;
}
bcopy((char *)&ips, (char *)is, sizeof(ips));
@ -510,7 +508,7 @@ char *file;
obj.ipfo_size = sizeof(*is);
obj.ipfo_type = IPFOBJ_STATESAVE;
for (is = ipshead; is; is = is->ips_next) {
while ((is = ipshead) != NULL) {
if (opts & OPT_VERBOSE)
printf("Loading new state table entry\n");
if (is->ips_is.is_flags & SI_NEWFR) {
@ -522,7 +520,7 @@ char *file;
if (!(opts & OPT_DONOTHING))
if (ioctl(fd, SIOCSTPUT, &obj)) {
perror("SIOCSTPUT");
return 1;
goto freeipshead;
}
if (is->ips_is.is_flags & SI_NEWFR) {
@ -532,9 +530,21 @@ char *file;
if (is1->ips_rule == (frentry_t *)&is->ips_rule)
is1->ips_rule = is->ips_rule;
}
ipshead = is->ips_next;
free(is);
}
return 0;
freeipshead:
while ((is = ipshead) != NULL) {
ipshead = is->ips_next;
free(is);
}
if (sfd != -1)
close(sfd);
return 1;
}
@ -573,21 +583,21 @@ char *file;
i = read(nfd, &ipn, sizeof(ipn));
if (i == -1) {
perror("read");
close(nfd);
return 1;
goto freenathead;
}
if (i == 0)
break;
if (i != sizeof(ipn)) {
fprintf(stderr, "nat:incomplete read: %d != %d\n",
i, (int)sizeof(ipn));
close(nfd);
return 1;
goto freenathead;
}
in = (nat_save_t *)malloc(ipn.ipn_dsize);
if (!in)
break;
if (in == NULL) {
fprintf(stderr, "nat:cannot malloc nat save atruct\n");
goto freenathead;
}
if (ipn.ipn_dsize > sizeof(ipn)) {
n = ipn.ipn_dsize - sizeof(ipn);
@ -600,8 +610,7 @@ char *file;
fprintf(stderr,
"nat:incomplete read: %d != %d\n",
i, n);
close(nfd);
return 1;
goto freenathead;
}
}
}
@ -643,7 +652,7 @@ char *file;
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_type = IPFOBJ_NATSAVE;
for (in = ipnhead; in; in = in->ipn_next) {
while ((in = ipnhead) != NULL) {
if (opts & OPT_VERBOSE)
printf("Loading new NAT table entry\n");
nat = &in->ipn_nat;
@ -668,9 +677,21 @@ char *file;
if (in1->ipn_rule == &in->ipn_fr)
in1->ipn_rule = nat->nat_fr;
}
ipnhead = in->ipn_next;
free(in);
}
return 0;
freenathead:
while ((in = ipnhead) != NULL) {
ipnhead = in->ipn_next;
free(in);
}
if (nfd != -1)
close(nfd);
return 1;
}
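Review bot: The NAT loader allocates `malloc(ipn.ipn_dsize)` with a size taken straight from the save file and only checks `ipn_dsize > sizeof(ipn)` for the extra read; a value smaller than `sizeof(ipn)` (or zero) is accepted, and if the record header is then copied into `in` with `sizeof(ipn)` bytes, as the state loader does with `bcopy((char *)&ips, (char *)is, sizeof(ips))`, that copy overruns the heap block. Reject such records before the allocation: `if (ipn.ipn_dsize < sizeof(ipn)) { fprintf(stderr, "nat:bad record size\n"); goto freenathead; }`. The copy itself is outside the hunk, so this is inferred from the state path. The new message also spells "atruct" for "struct". On the `return 0;` paths it is not visible whether `sfd`/`nfd` are closed; the cleanup labels only close them on failure.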


@ -68,7 +68,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.13 2005/10/17 17:26:32 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $";
#endif
#ifdef __hpux
@ -923,8 +923,6 @@ ips_stat_t *ipsp;
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
ipsp->iss_miss);
PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n",
ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull);
PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",


@ -10,7 +10,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.7 2005/12/07 08:29:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $";
#endif
extern char *optarg;
@ -210,7 +210,7 @@ char *argv[];
ip = MTOD(m, ip_t *);
while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
&iface, &dir)) > 0) {
if (iface == NULL || *iface == '\0')
if ((iface == NULL) || (*iface == '\0'))
iface = ifname;
ifp = get_unit(iface, IP_V(ip));
if (!use_inet6) {
@ -797,6 +797,6 @@ ip_t *ip;
}
if (hdr != NULL) {
*csump = 0;
*(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr);
*(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
}
}
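Review bot: The new `ip->ip_len` argument to fr_cksum comes from the packet header rather than from the byte count the reader returned, so a header claiming more bytes than were actually read could make the checksum walk past the buffer if fr_cksum trusts it; compare it against the length returned by `r_readip` (the `i` in the first hunk) or clamp it before the call. Whether `ip_len` has already been converted to host order by the reader is also not visible here, so fr_cksum's expectation should be confirmed. The enclosing function continues outside the hunk and may already validate the length.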


@ -76,7 +76,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $";
#endif
@ -189,6 +189,7 @@ static char *conf_file = NULL;
#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
#endif
int logfac = LOGFAC;
static icmp_subtype_t icmpunreachnames[] = {
@ -648,10 +649,10 @@ int len;
if (j && !(j & 0xf)) {
*t++ = '\n';
*t = '\0';
if (!(dopts & OPT_SYSLOG))
fputs(hline, log);
else
if ((dopts & OPT_SYSLOG))
syslog(LOG_INFO, "%s", hline);
else if (log != NULL)
fputs(hline, log);
t = (u_char *)hline;
*t = '\0';
}
@ -684,11 +685,12 @@ int len;
*t++ = '\n';
*t = '\0';
}
if (!(dopts & OPT_SYSLOG)) {
if ((dopts & OPT_SYSLOG) != 0)
syslog(LOG_INFO, "%s", hline);
else if (log != NULL) {
fputs(hline, log);
fflush(log);
} else
syslog(LOG_INFO, "%s", hline);
}
}
@ -782,7 +784,7 @@ int blen;
*t++ = '\0';
if (opts & OPT_SYSLOG)
syslog(LOG_INFO, "%s", line);
else
else if (log != NULL)
(void) fprintf(log, "%s", line);
}
@ -899,7 +901,7 @@ int blen;
*t++ = '\0';
if (opts & OPT_SYSLOG)
syslog(LOG_INFO, "%s", line);
else
else if (log != NULL)
(void) fprintf(log, "%s", line);
}
@ -1030,12 +1032,7 @@ int blen;
(void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
t += strlen(t);
#endif
#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \
defined(__arm__)
if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0'))
#else
if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0'))
#endif
if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
strcat(t, " @-1:");
else if (ipf->fl_group[0] == '\0')
(void) strcpy(t, " @0:");
@ -1305,8 +1302,9 @@ printipflog:
if (defaction == 0) {
if (opts & OPT_SYSLOG)
syslog(lvl, "%s", line);
else
else if (log != NULL)
(void) fprintf(log, "%s", line);
if (opts & OPT_HEXHDR)
dumphex(log, opts, buf,
sizeof(iplog_t) + sizeof(*ipf));
@ -1369,11 +1367,12 @@ FILE *log;
(void) close(fd);
if (flushed) {
if (opts & OPT_SYSLOG)
if (opts & OPT_SYSLOG) {
syslog(LOG_INFO, "%d bytes flushed from log\n",
flushed);
else if (log != stdout)
} else if ((log != stdout) && (log != NULL)) {
fprintf(log, "%d bytes flushed from log\n", flushed);
}
}
}
@ -1431,7 +1430,8 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
while ((c = getopt(argc, argv, "?abB:C:Df:FhnN:o:O:pP:sS:tvxX")) != -1)
while ((c = getopt(argc, argv,
"?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
@ -1463,6 +1463,15 @@ char *argv[];
flushlogs(iplfile[1], log);
flushlogs(iplfile[2], log);
break;
case 'L' :
logfac = fac_findname(optarg);
if (logfac == -1) {
fprintf(stderr,
"Unknown syslog facility '%s'\n",
optarg);
exit(1);
}
break;
case 'n' :
opts |= OPT_RESOLVE;
break;
@ -1493,7 +1502,7 @@ char *argv[];
s = argv[0];
else
s++;
openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
openlog(s, LOG_NDELAY|LOG_PID, logfac);
s = NULL;
opts |= OPT_SYSLOG;
log = NULL;
@ -1588,8 +1597,8 @@ char *argv[];
#endif /* !BSD */
close(0);
close(1);
write_pid(pidfile);
}
write_pid(pidfile);
signal(SIGHUP, handlehup);
@ -1625,7 +1634,8 @@ char *argv[];
fclose(log);
log = fp;
}
if (binarylogfile && (fp = fopen(binarylogfile, "a"))) {
if (binarylogfile &&
(fp = fopen(binarylogfile, "a"))) {
fclose(binarylog);
binarylog = fp;
}
@ -1647,7 +1657,7 @@ char *argv[];
case 1 :
if (opts & OPT_SYSLOG)
syslog(LOG_CRIT, "aborting logging\n");
else
else if (log != NULL)
fprintf(log, "aborting logging\n");
doread = 0;
break;
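Review bot: `int logfac = LOGFAC;` is introduced with external linkage while the neighbouring file-scope state (`static char *conf_file`) is `static`; unless another translation unit references it, declare it `static int logfac = LOGFAC;`. The new `-L` option is parsed and rejected with a clear message, but the usage text is not in the hunk, so confirm it was extended for `L:` as well. `if ((dopts & OPT_SYSLOG))` carries a redundant pair of parentheses; the following hunk writes the same test as `(dopts & OPT_SYSLOG) != 0`, which would keep both consistent.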


@ -52,6 +52,7 @@ static ipnat_t *nat = NULL;
static int natfd = -1;
static ioctlfunc_t natioctlfunc = NULL;
static addfunc_t nataddfunc = NULL;
static int suggest_port = 0;
static void newnatrule __P((void));
static void setnatproto __P((int));
@ -170,6 +171,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if ((nat->in_flags & IPN_TCPUDP) == 0)
setnatproto(nat->in_p);
if (((nat->in_redir & NAT_MAPBLK) != 0) ||
@ -184,6 +188,9 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if (((nat->in_redir & NAT_MAPBLK) != 0) ||
((nat->in_flags & IPN_AUTOPORTMAP) != 0))
nat_setgroupmap(nat);
@ -222,7 +229,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
(nat->in_pmin != 0 ||
nat->in_pmax != 0 ||
nat->in_pnext != 0))
setnatproto(IPPROTO_TCP);
setnatproto(IPPROTO_TCP);
}
| rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
{ nat->in_v = 4;
@ -232,6 +239,9 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
nat->in_pmax != 0 ||
nat->in_pnext != 0))
setnatproto(IPPROTO_TCP);
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if (nat->in_ifnames[1][0] == '\0')
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
@ -246,9 +256,19 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
}
| rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
{ nat->in_v = 4;
if ((suggest_port == 1) &&
(nat->in_flags & IPN_TCPUDP) == 0)
nat->in_flags |= IPN_TCPUDP;
if (nat->in_ifnames[1][0] == '\0')
strncpy(nat->in_ifnames[1],
nat->in_ifnames[0],
sizeof(nat->in_ifnames[0]));
}
;
proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
proxy: | IPNY_PROXY port portspec YY_STR '/' proto
{ strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
if (nat->in_dcmp == 0) {
nat->in_dport = htons($3);
@ -258,7 +278,7 @@ proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto
setnatproto($6);
free($4);
}
| IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto
| IPNY_PROXY port YY_STR YY_STR '/' proto
{ int pnum;
strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
pnum = getportproto($3, $6);
@ -310,6 +330,9 @@ dip:
nat->in_inmsk = $3.s_addr; }
;
port: IPNY_PORT { suggest_port = 1; }
;
portspec:
YY_NUMBER { if ($1 > 65535) /* Unsigned */
yyerror("invalid port number");
@ -322,16 +345,16 @@ portspec:
}
;
dport: | IPNY_PORT portspec { nat->in_pmin = htons($2);
dport: | port portspec { nat->in_pmin = htons($2);
nat->in_pmax = htons($2); }
| IPNY_PORT portspec '-' portspec { nat->in_pmin = htons($2);
| port portspec '-' portspec { nat->in_pmin = htons($2);
nat->in_pmax = htons($4); }
| IPNY_PORT portspec ':' portspec { nat->in_pmin = htons($2);
| port portspec ':' portspec { nat->in_pmin = htons($2);
nat->in_pmax = htons($4); }
;
nport: IPNY_PORT portspec { nat->in_pnext = htons($2); }
| IPNY_PORT '=' portspec { nat->in_pnext = htons($3);
nport: port portspec { nat->in_pnext = htons($2); }
| port '=' portspec { nat->in_pnext = htons($3);
nat->in_flags |= IPN_FIXEDDPORT;
}
;
@ -355,12 +378,16 @@ mapfrom:
from sobject IPNY_TO dobject
| from sobject '!' IPNY_TO dobject
{ nat->in_flags |= IPN_NOTDST; }
| from sobject IPNY_TO '!' dobject
{ nat->in_flags |= IPN_NOTDST; }
;
rdrfrom:
from sobject IPNY_TO dobject
| '!' from sobject IPNY_TO dobject
{ nat->in_flags |= IPN_NOTSRC; }
| from '!' sobject IPNY_TO dobject
{ nat->in_flags |= IPN_NOTSRC; }
;
from: IPNY_FROM { nat->in_flags |= IPN_FILTER; }
@ -413,7 +440,7 @@ mapport:
sobject:
saddr
| saddr IPNY_PORT portstuff { nat->in_sport = $3.p1;
| saddr port portstuff { nat->in_sport = $3.p1;
nat->in_stop = $3.p2;
nat->in_scmp = $3.pc; }
;
@ -430,7 +457,7 @@ saddr: addr { if (nat->in_redir == NAT_REDIRECT) {
dobject:
daddr
| daddr IPNY_PORT portstuff { nat->in_dport = $3.p1;
| daddr port portstuff { nat->in_dport = $3.p1;
nat->in_dtop = $3.p2;
nat->in_dcmp = $3.pc;
if (nat->in_redir == NAT_REDIRECT)
@ -535,10 +562,18 @@ rdrproxy:
}
;
proto: YY_NUMBER { $$ = $1; }
proto: YY_NUMBER { $$ = $1;
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
suggest_port = 0;
}
| IPNY_TCP { $$ = IPPROTO_TCP; }
| IPNY_UDP { $$ = IPPROTO_UDP; }
| YY_STR { $$ = getproto($1); free($1); }
| YY_STR { $$ = getproto($1); free($1);
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
suggest_port = 0;
}
;
hexnumber:
@ -706,6 +741,8 @@ static void newnatrule()
nat->in_next = n;
nat = n;
}
suggest_port = 0;
}
@ -782,7 +819,7 @@ void *ptr;
del = SIOCRMNAT;
}
if (ipn && (opts & OPT_VERBOSE))
if ((opts & OPT_VERBOSE) != 0)
printnat(ipn, opts);
if (opts & OPT_DEBUG)
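Review bot: The block `if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0) nat->in_flags |= IPN_TCPUDP;` is repeated verbatim in four actions of `map` and `redir`; a small static helper next to `setnatproto`, e.g. `static void apply_suggested_port(void)`, would keep them from drifting. The `proto` rule likewise duplicates the TCP/UDP test in its YY_NUMBER and YY_STR alternatives and could share one helper. Resetting `suggest_port` in newnatrule() is the right place, but a comment on its declaration such as `/* per-rule: set by "port", cleared by a non-TCP/UDP proto */` would help the next reader.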


@ -5,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $";
#endif
#include <sys/types.h>
#include <sys/time.h>
@ -20,7 +20,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <strings.h>
#include <string.h>
#include <syslog.h>
#include <signal.h>
@ -32,6 +32,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 da
int main __P((int, char *[]));
void usage __P((const char *));
int terminate = 0;
@ -39,10 +40,12 @@ void usage(const char *progname) {
fprintf(stderr, "Usage: %s <destination IP> <destination port>\n", progname);
}
#if 0
static void handleterm(int sig)
{
terminate = sig;
}
#endif
/* should be large enough to hold header + any datatype */
@ -115,7 +118,7 @@ char *argv[];
goto tryagain;
}
syslog(LOG_INFO, "Established connection to %s",
syslog(LOG_INFO, "Sending data to %s",
inet_ntoa(sin.sin_addr));
inbuf = 0;
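Review bot: Wrapping `handleterm` in `#if 0` leaves `int terminate = 0;` defined but, as far as the hunk shows, nothing sets it any more, so if the main loop still tests `terminate` the daemon can no longer be stopped gracefully; either remove both or keep the handler installed. Dead code under `#if 0` is better deleted than kept, since revision history preserves it. The same pattern appears in ipsyncs.c below.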


@ -5,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $";
#endif
#include <sys/types.h>
#include <sys/time.h>
@ -19,7 +19,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <strings.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <errno.h>
@ -32,6 +32,7 @@ static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 da
#include "netinet/ip_sync.h"
int main __P((int, char *[]));
void usage __P((const char *progname));
int terminate = 0;
@ -41,11 +42,12 @@ void usage(const char *progname) {
progname);
}
#if 0
static void handleterm(int sig)
{
terminate = sig;
}
#endif
#define BUFFERLEN 1400
@ -130,8 +132,7 @@ char *argv[];
goto tryagain;
}
syslog(LOG_INFO, "Established connection to %s",
inet_ntoa(sin.sin_addr));
syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
inbuf = 0;
while (1) {
@ -223,14 +224,15 @@ moreinbuf:
n2 = sizeof(*sh) + len;
n3 = write(lfd, buff, n2);
if (n3 <= 0) {
syslog(LOG_ERR, "Write error: %m");
syslog(LOG_ERR, "%s: Write error: %m",
IPSYNC_NAME);
goto tryagain;
}
if (n3 != n2) {
syslog(LOG_ERR, "Incomplete write (%d/%d)",
n3, n2);
syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
IPSYNC_NAME, n3, n2);
goto tryagain;
}


@ -170,6 +170,8 @@ nextchar:
switch (c)
{
case '\n' :
lnext = 0;
nokey = 0;
case '\t' :
case '\r' :
case ' ' :