This commit was generated by cvs2svn to compensate for changes in r92688,

which included commits to RCS files with non-trunk default branches.
This commit is contained in:
Darren Reed 2002-03-19 11:45:24 +00:00
commit 0df2c61f4f
30 changed files with 1886 additions and 0 deletions

View File

@ -0,0 +1,24 @@
To build a kernel with the IP filter, follow these seven steps:
1. do "make freebsd4"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD-4/kinstall" as root
4. build a new kernel
5. install the new kernel
6. If not using DEVFS, create devices for IP Filter as follows:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
7. reboot
Darren Reed
darrenr@pobox.com

View File

@ -0,0 +1,275 @@
/*
* Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
*
* This source code has been published by QNX Software Systems Ltd. (QSSL).
* However, any use, reproduction, modification, distribution or transfer of
* this software, or any software which includes or is based upon any of this
* code, is only permitted under the terms of the QNX Open Community License
* version 1.0 (see licensing.qnx.com for details) or as otherwise expressly
* authorized by a written license agreement from QSSL. For more information,
* please email licensing@qnx.com.
*
*/
/*
* Simple H.323 proxy
*
* by xtang@canada.com
* ported to ipfilter 3.4.20 by Michael Grant mg-ipf@grant.org
*/
#if __FreeBSD_version >= 220000 && defined(_KERNEL)
# include <sys/fcntl.h>
# include <sys/filio.h>
#else
# include <sys/ioctl.h>
#endif
#define IPF_H323_PROXY
int ippr_h323_init __P((void));
int ippr_h323_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
void ippr_h323_del __P((ap_session_t *));
int ippr_h323_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h323_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h245_init __P((void));
int ippr_h245_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h245_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h245_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
static frentry_t h323_fr;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern KRWLOCK_T ipf_nat;
#endif
static int find_port __P((int, u_char *, int datlen, int *, u_short *));
static int find_port(ipaddr, data, datlen, off, port)
int ipaddr;
unsigned char *data;
int datlen, *off;
unsigned short *port;
{
if (datlen < 6)
return -1;
*port = 0;
for (*off = 0; *off <= datlen - 6; *off = *off + 1) {
if (ipaddr == *(int *)(data + *off))
{
*port = (*(data + *off + 4) << 8) + *(data + *off +5);
break;
}
}
return (*off > datlen - 6) ? -1 : 0;
}
/*
* Initialize local structures.
*/
int ippr_h323_init()
{
bzero((char *)&h323_fr, sizeof(h323_fr));
h323_fr.fr_ref = 1;
h323_fr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
int ippr_h323_new(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
aps->aps_data = NULL;
aps->aps_psiz = 0;
return 0;
}
void ippr_h323_del(aps)
ap_session_t *aps;
{
int i;
ipnat_t *ipn;
if (aps->aps_data) {
for (i = 0, ipn = aps->aps_data;
i < (aps->aps_psiz / sizeof(ipnat_t));
i++, ipn = (ipnat_t *)((char *)ipn + sizeof(*ipn)))
{
/*
* Check the comment in ippr_h323_in() function,
* just above nat_ioctl() call.
* We are lucky here because this function is not
* called with ipf_nat locked.
*/
if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, FWRITE) == -1) {
/* log the error */
}
}
KFREES(aps->aps_data, aps->aps_psiz);
}
return;
}
int ippr_h323_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
return 0;
}
int ippr_h323_in(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
int ipaddr, off, datlen;
unsigned short port;
unsigned char *data;
tcphdr_t *tcp;
tcp = (tcphdr_t *)fin->fin_dp;
ipaddr = ip->ip_src.s_addr;
data = (unsigned char *)tcp + (tcp->th_off << 2);
datlen = ip->ip_len - (ip->ip_hl << 2) - (tcp->th_off << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
ipnat_t *ipn;
char *newarray;
/* setup a nat rule to set a h245 proxy on tcp-port "port"
* it's like:
* map <if> <inter_ip>/<mask> -> <gate_ip>/<mask> proxy port <port> <port>/tcp
*/
KMALLOCS(newarray, char *, aps->aps_psiz + sizeof(*ipn));
if (newarray == NULL) {
return -1;
}
ipn = (ipnat_t *)&newarray[aps->aps_psiz];
bcopy(nat->nat_ptr, ipn, sizeof(ipnat_t));
strncpy(ipn->in_plabel, "h245", APR_LABELLEN);
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
ipn->in_dport = htons(port);
/*
* we got a problem here. we need to call nat_ioctl() to add
* the h245 proxy rule, but since we already hold (READ locked)
* the nat table rwlock (ipf_nat), if we go into nat_ioctl(),
* it will try to WRITE lock it. This will causing dead lock
* on RTP.
*
* The quick & dirty solution here is release the read lock,
* call nat_ioctl() and re-lock it.
* A (maybe better) solution is do a UPGRADE(), and instead
* of calling nat_ioctl(), we add the nat rule ourself.
*/
RWLOCK_EXIT(&ipf_nat);
if (nat_ioctl((caddr_t)ipn, SIOCADNAT, FWRITE) == -1) {
READ_ENTER(&ipf_nat);
return -1;
}
READ_ENTER(&ipf_nat);
bcopy(aps->aps_data, newarray, aps->aps_psiz);
KFREES(aps->aps_data, aps->aps_psiz);
aps->aps_data = newarray;
aps->aps_psiz += sizeof(*ipn);
}
return 0;
}
int ippr_h245_init()
{
return 0;
}
int ippr_h245_new(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
aps->aps_data = NULL;
aps->aps_psiz = 0;
return 0;
}
int ippr_h245_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
int ipaddr, off, datlen;
u_short port;
unsigned char *data;
tcphdr_t *tcp;
tcp = (tcphdr_t *)fin->fin_dp;
ipaddr = nat->nat_inip.s_addr;
data = (unsigned char *)tcp + (tcp->th_off << 2);
datlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
fr_info_t fi;
nat_t *ipn;
/* port = htons(port); */
ipn = nat_outlookup(fin->fin_ifp, IPN_UDP, IPPROTO_UDP,
ip->ip_src, ip->ip_dst, 1);
if (ipn == NULL) {
struct ip newip;
struct udphdr udp;
bcopy(ip, &newip, sizeof(newip));
newip.ip_len = fin->fin_hlen + sizeof(udp);
newip.ip_p = IPPROTO_UDP;
newip.ip_src = nat->nat_inip;
bzero(&udp, sizeof(udp));
udp.uh_sport = port;
bcopy(fin, &fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_UDP;
fi.fin_data[0] = port;
fi.fin_data[1] = 0;
fi.fin_dp = (char *)&udp;
ipn = nat_new(&fi, &newip, nat->nat_ptr, NULL,
IPN_UDP|FI_W_DPORT, NAT_OUTBOUND);
if (ipn != NULL) {
ipn->nat_ptr->in_hits++;
#ifdef IPFILTER_LOG
nat_log(ipn, (u_int)(nat->nat_ptr->in_redir));
#endif
*(int *)(data + off) = ip->ip_src.s_addr;
*(short *)(data + off + 4) = ipn->nat_outport;
}
}
}
return 0;
}
int ippr_h245_in(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
return 0;
}

View File

@ -0,0 +1,292 @@
/*
* Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* $Id: ip_ipsec_pxy.c,v 1.1.2.10 2002/01/13 04:58:29 darrenr Exp $
*
*/
#define IPF_IPSEC_PROXY
int ippr_ipsec_init __P((void));
int ippr_ipsec_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
void ippr_ipsec_del __P((ap_session_t *));
int ippr_ipsec_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
static frentry_t ipsecfr;
static char ipsec_buffer[1500];
/*
* RCMD application proxy initialization.
*/
int ippr_ipsec_init()
{
bzero((char *)&ipsecfr, sizeof(ipsecfr));
ipsecfr.fr_ref = 1;
ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
/*
* Setup for a new IPSEC proxy.
*/
int ippr_ipsec_new(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
fr_info_t fi;
ipnat_t *ipn;
char *ptr;
int p, off, dlen;
mb_t *m;
bzero(ipsec_buffer, sizeof(ipsec_buffer));
off = fin->fin_hlen + sizeof(udphdr_t);
#ifdef _KERNEL
# if SOLARIS
m = fin->fin_qfm;
dlen = msgdsize(m) - off;
if (dlen < 16)
return -1;
copyout_mblk(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
# else
m = *(mb_t **)fin->fin_mp;
dlen = mbufchainlen(m) - off;
if (dlen < 16)
return -1;
m_copydata(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
# endif
#else
m = *(mb_t **)fin->fin_mp;
dlen = ip->ip_len - off;
ptr = (char *)m;
ptr += off;
bcopy(ptr, ipsec_buffer, MIN(sizeof(ipsec_buffer), dlen));
#endif
/*
* Because _new() gets called from nat_new(), ipf_nat is held with a
* write lock so pass rw=1 to nat_outlookup().
*/
if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
ip->ip_dst, 1) != NULL)
return -1;
aps->aps_psiz = sizeof(*ipsec);
KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
if (aps->aps_data == NULL)
return -1;
ipsec = aps->aps_data;
bzero((char *)ipsec, sizeof(*ipsec));
/*
* Create NAT rule against which the tunnel/transport mapping is
* created. This is required because the current NAT rule does not
* describe ESP but UDP instead.
*/
ipn = &ipsec->ipsc_rule;
ipn->in_ifp = fin->fin_ifp;
ipn->in_apr = NULL;
ipn->in_use = 1;
ipn->in_hits = 1;
ipn->in_nip = ntohl(nat->nat_outip.s_addr);
ipn->in_ippip = 1;
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
ipn->in_outip = nat->nat_outip.s_addr;
ipn->in_outmsk = 0xffffffff;
ipn->in_srcip = fin->fin_saddr;
ipn->in_srcmsk = 0xffffffff;
ipn->in_redir = NAT_MAP;
bcopy(nat->nat_ptr->in_ifname, ipn->in_ifname, sizeof(ipn->in_ifname));
ipn->in_p = IPPROTO_ESP;
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_ESP;
fi.fin_fr = &ipsecfr;
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
p = ip->ip_p;
ip->ip_p = IPPROTO_ESP;
fi.fin_fl &= ~FI_TCPUDP;
ptr = ipsec_buffer;
bcopy(ptr, ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
ptr += sizeof(ipsec_cookie_t);
bcopy(ptr, ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
/*
* The responder cookie should only be non-zero if the initiator
* cookie is non-zero. Therefore, it is safe to assume(!) that the
* cookies are both set after copying if the responder is non-zero.
*/
if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
ipsec->ipsc_rckset = 1;
else
nat->nat_age = 60; /* 30 seconds */
ipsec->ipsc_nat = nat_new(&fi, ip, ipn, &ipsec->ipsc_nat, FI_IGNOREPKT,
NAT_OUTBOUND);
if (ipsec->ipsc_nat != NULL) {
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
ipsec->ipsc_state = fr_addstate(ip, &fi, &ipsec->ipsc_state,
FI_IGNOREPKT|FI_NORULE);
}
ip->ip_p = p;
return 0;
}
/*
* For outgoing IKE packets. refresh timeouts for NAT & stat entries, if
* we can. If they have disappeared, recreate them.
*/
int ippr_ipsec_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
fr_info_t fi;
int p;
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_ESP;
fi.fin_fr = &ipsecfr;
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
p = ip->ip_p;
ip->ip_p = IPPROTO_ESP;
fi.fin_fl &= ~FI_TCPUDP;
ipsec = aps->aps_data;
if (ipsec != NULL) {
/*
* Update NAT timeout/create NAT if missing.
*/
if (ipsec->ipsc_rckset == 0)
nat->nat_age = 60; /* 30 seconds */
if (ipsec->ipsc_nat != NULL)
ipsec->ipsc_nat->nat_age = nat->nat_age;
else
ipsec->ipsc_nat = nat_new(&fi, ip, &ipsec->ipsc_rule,
&ipsec->ipsc_nat,
FI_IGNOREPKT, NAT_OUTBOUND);
/*
* Update state timeout/create state if missing.
*/
READ_ENTER(&ipf_state);
if (ipsec->ipsc_state != NULL) {
ipsec->ipsc_state->is_age = nat->nat_age;
RWLOCK_EXIT(&ipf_state);
} else {
RWLOCK_EXIT(&ipf_state);
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
ipsec->ipsc_state = fr_addstate(ip, &fi,
&ipsec->ipsc_state,
FI_IGNOREPKT|FI_NORULE);
}
}
ip->ip_p = p;
return 0;
}
/*
* This extends the NAT matching to be based on the cookies associated with
* a session and found at the front of IKE packets. The cookies are always
* in the same order (not reversed depending on packet flow direction as with
* UDP/TCP port numbers).
*/
int ippr_ipsec_match(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
u_32_t cookies[4];
mb_t *m;
int off;
if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_fl & FI_FRAG))
return -1;
ipsec = aps->aps_data;
off = fin->fin_hlen + sizeof(udphdr_t);
#ifdef _KERNEL
# if SOLARIS
m = fin->fin_qfm;
copyout_mblk(m, off, sizeof(cookies), (char *)cookies);
# else
m = *(mb_t **)fin->fin_mp;
m_copydata(m, off, sizeof(cookies), (char *)cookies);
# endif
#else
m = *(mb_t **)fin->fin_mp;
bcopy((char *)m + off, cookies, sizeof(cookies));
#endif
if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
(cookies[1] != ipsec->ipsc_icookie[1]))
return -1;
if (ipsec->ipsc_rckset == 0) {
if ((cookies[2]|cookies[3]) == 0) {
nat->nat_age = 60; /* 30 seconds */
return 0;
}
ipsec->ipsc_rckset = 1;
ipsec->ipsc_rcookie[0] = cookies[2];
ipsec->ipsc_rcookie[1] = cookies[3];
return 0;
}
if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
(cookies[3] != ipsec->ipsc_rcookie[1]))
return -1;
return 0;
}
/*
* clean up after ourselves.
*/
void ippr_ipsec_del(aps)
ap_session_t *aps;
{
ipsec_pxy_t *ipsec;
ipsec = aps->aps_data;
if (ipsec != NULL) {
/*
* Don't delete it from here, just schedule it to be
* deleted ASAP.
*/
if (ipsec->ipsc_nat != NULL) {
ipsec->ipsc_nat->nat_age = 1;
ipsec->ipsc_nat->nat_ptr = NULL;
}
READ_ENTER(&ipf_state);
if (ipsec->ipsc_state != NULL)
ipsec->ipsc_state->is_age = 1;
RWLOCK_EXIT(&ipf_state);
ipsec->ipsc_state = NULL;
ipsec->ipsc_nat = NULL;
}
}

View File

@ -0,0 +1,109 @@
/*
* Simple netbios-dgm transparent proxy for in-kernel use.
* For use with the NAT code.
* $Id: ip_netbios_pxy.c,v 1.1.2.3 2002/01/09 09:28:37 darrenr Exp $
*/
/*-
* Copyright (c) 2002 Paul J. Ledbetter III
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: ip_netbios_pxy.c,v 1.1.2.3 2002/01/09 09:28:37 darrenr Exp $
*/
#define IPF_NETBIOS_PROXY
int ippr_netbios_init __P((void));
int ippr_netbios_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
static frentry_t netbiosfr;
/*
* Initialize local structures.
*/
int ippr_netbios_init()
{
bzero((char *)&netbiosfr, sizeof(netbiosfr));
netbiosfr.fr_ref = 1;
netbiosfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
int ippr_netbios_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
char dgmbuf[6];
int off, dlen;
udphdr_t *udp;
mb_t *m;
m = *(mb_t **)fin->fin_mp;
off = fin->fin_hlen + sizeof(udphdr_t);
#if SOLARIS
dlen = msgdsize(m);
#else
dlen = mbufchainlen(m);
#endif
dlen -= off;
/*
* no net bios datagram could possibly be shorter than this
*/
if (dlen < 11)
return 0;
udp = (udphdr_t *)fin->fin_dp;
/*
* move past the
* ip header;
* udp header;
* 4 bytes into the net bios dgm header.
* According to rfc1002, this should be the exact location of
* the source address/port
*/
off += 4;
/* Copy NATed source Address/port*/
dgmbuf[0] = (char)((ip->ip_src.s_addr ) &0xFF);
dgmbuf[1] = (char)((ip->ip_src.s_addr >> 8) &0xFF);
dgmbuf[2] = (char)((ip->ip_src.s_addr >> 16)&0xFF);
dgmbuf[3] = (char)((ip->ip_src.s_addr >> 24)&0xFF);
dgmbuf[4] = (char)((udp->uh_sport )&0xFF);
dgmbuf[5] = (char)((udp->uh_sport >> 8)&0xFF);
/* replace data in packet */
#if SOLARIS
copyin_mblk(m, off, sizeof(dgmbuf), dgmbuf);
#else
m_copyback(m, off, sizeof(dgmbuf), dgmbuf);
#endif
return 0;
}

View File

@ -0,0 +1,48 @@
.TH IPNAT 8
.SH NAME
ipnat \- user interface to the NAT
.SH SYNOPSIS
.B ipnat
[
.B \-lnrsvCF
]
.B \-f <\fIfilename\fP>
.SH DESCRIPTION
.PP
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
file for a set of rules which are to be added or removed from the IP NAT.
.PP
Each rule processed by \fBipnat\fP
is added to the kernels internal lists if there are no parsing problems.
Rules are added to the end of the internal lists, matching the order in
which they appear when given to \fBipnat\fP.
.SH OPTIONS
.TP
.B \-C
delete all entries in the current NAT rule listing (NAT rules)
.TP
.B \-F
delete all active entries in the current NAT translation table (currently
active NAT mappings)
.TP
.B \-l
Show the list of current NAT table entry mappings.
.TP
.B \-n
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
.B \-s
Retrieve and display NAT statistics
.TP
.B \-r
Remove matching NAT rules rather than add them to the internal lists
.TP
.B \-v
Turn verbose mode on. Displays information relating to rule processing
and active rules/table entries.
.DT
.SH FILES
/dev/ipnat
.SH SEE ALSO
ipnat(5), ipf(8), ipfstat(8)

462
contrib/ipfilter/printnat.c Normal file
View File

@ -0,0 +1,462 @@
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#else
#include <sys/byteorder.h>
#endif
#include <sys/time.h>
#include <sys/param.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
# include <sys/ioccom.h>
# include <sys/sysmacros.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "ipf.h"
#include "kmem.h"
#if defined(sun) && !SOLARIS2
# define STRERROR(x) sys_errlist[x]
extern char *sys_errlist[];
#else
# define STRERROR(x) strerror(x)
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.6 2002/02/22 15:32:56 darrenr Exp $";
#endif
#if SOLARIS
#define bzero(a,b) memset(a,0,b)
#endif
#ifdef USE_INET6
extern int use_inet6;
#endif
extern char thishost[MAXHOSTNAMELEN];
extern int countbits __P((u_32_t));
void printnat __P((ipnat_t *, int));
char *getnattype __P((ipnat_t *));
void printactivenat __P((nat_t *, int));
void printhostmap __P((hostmap_t *, u_int));
char *getsumd __P((u_32_t));
static void printaps __P((ap_session_t *, int));
static void printaps(aps, opts)
ap_session_t *aps;
int opts;
{
ipsec_pxy_t ipsec;
ap_session_t ap;
ftpinfo_t ftp;
aproxy_t apr;
raudio_t ra;
if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
return;
if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
return;
printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
apr.apr_p, apr.apr_ref, apr.apr_flags);
printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
#ifdef USE_QUAD_T
printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
(unsigned long long)ap.aps_pkts);
#else
printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
#endif
printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
printf("\t\tstate[%u,%u], sel[%d,%d]\n",
ap.aps_state[0], ap.aps_state[1],
ap.aps_sel[0], ap.aps_sel[1]);
#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
(__FreeBSD_version >= 300000) || defined(OpenBSD)
printf("\t\tseq: off %hd/%hd min %x/%x\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
printf("\t\tack: off %hd/%hd min %x/%x\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#else
printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
printf("\t\tack: off %hd/%hd min %lx/%lx\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#endif
}
if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
return;
printf("\tReal Audio Proxy:\n");
printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
ra.rap_seenpna, ra.rap_version, ra.rap_eos);
printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
ra.rap_plport, ra.rap_prport, ra.rap_srport);
} else if (!strcmp(apr.apr_label, "ftp") &&
(ap.aps_psiz == sizeof(ftp))) {
if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
return;
printf("\tFTP Proxy:\n");
printf("\t\tpassok: %d\n", ftp.ftp_passok);
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
printf("\tClient:\n");
printf("\t\tseq %x len %d junk %d cmds %d\n",
ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
printf("]\n\tServer:\n");
printf("\t\tseq %x len %d junk %d cmds %d\n",
ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
printf("]\n");
} else if (!strcmp(apr.apr_label, "ipsec") &&
(ap.aps_psiz == sizeof(ipsec))) {
if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
return;
printf("\tIPSec Proxy:\n");
printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
(u_int)ntohl(ipsec.ipsc_icookie[0]),
(u_int)ntohl(ipsec.ipsc_icookie[1]),
(u_int)ntohl(ipsec.ipsc_rcookie[0]),
(u_int)ntohl(ipsec.ipsc_rcookie[1]),
ipsec.ipsc_rckset ? "(Set)" : "(Not set)");
}
}
/*
* Get a nat filter type given its kernel address.
*/
char *getnattype(ipnat)
ipnat_t *ipnat;
{
static char unknownbuf[20];
ipnat_t ipnatbuff;
char *which;
if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
sizeof(ipnatbuff))))
return "???";
switch (ipnatbuff.in_redir)
{
case NAT_MAP :
which = "MAP";
break;
case NAT_MAPBLK :
which = "MAP-BLOCK";
break;
case NAT_REDIRECT :
which = "RDR";
break;
case NAT_BIMAP :
which = "BIMAP";
break;
default :
sprintf(unknownbuf, "unknown(%04x)",
ipnatbuff.in_redir & 0xffffffff);
which = unknownbuf;
break;
}
return which;
}
void printactivenat(nat, opts)
nat_t *nat;
int opts;
{
u_int hv1, hv2;
printf("%s %-15s", getnattype(nat->nat_ptr), inet_ntoa(nat->nat_inip));
if ((nat->nat_flags & IPN_TCPUDP) != 0)
printf(" %-5hu", ntohs(nat->nat_inport));
printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
if ((nat->nat_flags & IPN_TCPUDP) != 0)
printf(" %-5hu", ntohs(nat->nat_outport));
printf(" [%s", inet_ntoa(nat->nat_oip));
if ((nat->nat_flags & IPN_TCPUDP) != 0)
printf(" %hu", ntohs(nat->nat_oport));
printf("]");
if (opts & OPT_VERBOSE) {
printf("\n\tage %lu use %hu sumd %s/",
nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0]));
hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
0xffffffff),
hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
NAT_TABLE_SZ),
hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
0xffffffff),
hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
NAT_TABLE_SZ),
printf("%s pr %u bkt %d/%d flags %x\n",
getsumd(nat->nat_sumd[1]), nat->nat_p,
hv1, hv2, nat->nat_flags);
printf("\tifp %s ", getifname(nat->nat_ifp));
#ifdef USE_QUAD_T
printf("bytes %qu pkts %qu",
(unsigned long long)nat->nat_bytes,
(unsigned long long)nat->nat_pkts);
#else
printf("bytes %lu pkts %lu", nat->nat_bytes, nat->nat_pkts);
#endif
#if SOLARIS
printf(" %lx", nat->nat_ipsumd);
#endif
}
putchar('\n');
if (nat->nat_aps)
printaps(nat->nat_aps, opts);
}
void printhostmap(hmp, hv)
hostmap_t *hmp;
u_int hv;
{
printf("%s -> ", inet_ntoa(hmp->hm_realip));
printf("%s ", inet_ntoa(hmp->hm_mapip));
printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
}
char *getsumd(sum)
u_32_t sum;
{
static char sumdbuf[17];
if (sum & NAT_HW_CKSUM)
sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
else
sprintf(sumdbuf, "%#0x", sum);
return sumdbuf;
}
/*
* Print out a NAT rule
*/
void printnat(np, opts)
ipnat_t *np;
int opts;
{
struct protoent *pr;
struct servent *sv;
int bits;
switch (np->in_redir)
{
case NAT_REDIRECT :
printf("rdr");
break;
case NAT_MAP :
printf("map");
break;
case NAT_MAPBLK :
printf("map-block");
break;
case NAT_BIMAP :
printf("bimap");
break;
default :
fprintf(stderr, "unknown value for in_redir: %#x\n",
np->in_redir);
break;
}
printf(" %s ", np->in_ifname);
if (np->in_flags & IPN_FILTER) {
if (np->in_flags & IPN_NOTSRC)
printf("! ");
printf("from ");
if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
} else {
printhostmask(4, (u_32_t *)&np->in_inip,
(u_32_t *)&np->in_inmsk);
}
if (np->in_scmp)
printportcmp(np->in_p, &np->in_tuc.ftu_src);
if (np->in_flags & IPN_NOTDST)
printf(" !");
printf(" to ");
if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_outip,
(u_32_t *)&np->in_outmsk);
} else {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
}
if (np->in_dcmp)
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
}
if (np->in_redir == NAT_REDIRECT) {
if (!(np->in_flags & IPN_FILTER)) {
printf("%s", inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("/%d ", bits);
else
printf("/%s ", inet_ntoa(np->in_out[1]));
printf("port %d", ntohs(np->in_pmin));
if (np->in_pmax != np->in_pmin)
printf("- %d", ntohs(np->in_pmax));
}
printf(" -> %s", inet_ntoa(np->in_in[0]));
if (np->in_flags & IPN_SPLIT)
printf(",%s", inet_ntoa(np->in_in[1]));
printf(" port %d", ntohs(np->in_pnext));
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if ((np->in_flags & IPN_TCP) == IPN_TCP)
printf(" tcp");
else if ((np->in_flags & IPN_UDP) == IPN_UDP)
printf(" udp");
else if (np->in_p == 0)
printf(" ip");
else if (np->in_p != 0)
printf(" %d", np->in_p);
if (np->in_flags & IPN_ROUNDR)
printf(" round-robin");
if (np->in_flags & IPN_FRAG)
printf(" frag");
printf("\n");
if (opts & OPT_DEBUG)
printf("\tspc %lu flg %#x max %u use %d\n",
np->in_space, np->in_flags,
np->in_pmax, np->in_use);
} else {
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
if (!(np->in_flags & IPN_FILTER)) {
printf("%s/", inet_ntoa(np->in_in[0]));
bits = countbits(np->in_in[1].s_addr);
if (bits != -1)
printf("%d ", bits);
else
printf("%s", inet_ntoa(np->in_in[1]));
}
printf(" -> ");
if (np->in_flags & IPN_IPRANGE) {
printf("range %s-", inet_ntoa(np->in_out[0]));
printf("%s", inet_ntoa(np->in_out[1]));
} else {
printf("%s/", inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("%d ", bits);
else
printf("%s", inet_ntoa(np->in_out[1]));
}
if (*np->in_plabel) {
pr = getprotobynumber(np->in_p);
printf(" proxy port");
if (np->in_dport != 0) {
if (pr != NULL)
sv = getservbyport(np->in_dport,
pr->p_name);
else
sv = getservbyport(np->in_dport, NULL);
if (sv != NULL)
printf(" %s", sv->s_name);
else
printf(" %hu", ntohs(np->in_dport));
}
printf(" %.*s/", (int)sizeof(np->in_plabel),
np->in_plabel);
if (pr != NULL)
fputs(pr->p_name, stdout);
else
printf("%d", np->in_p);
} else if (np->in_redir == NAT_MAPBLK) {
printf(" ports %d", np->in_pmin);
if (opts & OPT_VERBOSE)
printf("\n\tip modulous %d", np->in_pmax);
} else if (np->in_pmin || np->in_pmax) {
printf(" portmap");
if (np->in_flags & IPN_AUTOPORTMAP) {
printf(" auto");
if (opts & OPT_DEBUG)
printf(" [%d:%d %d %d]",
ntohs(np->in_pmin),
ntohs(np->in_pmax),
np->in_ippip, np->in_ppip);
} else {
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if (np->in_flags & IPN_TCP)
printf(" tcp");
else if (np->in_flags & IPN_UDP)
printf(" udp");
printf(" %d:%d", ntohs(np->in_pmin),
ntohs(np->in_pmax));
}
}
if (np->in_flags & IPN_FRAG)
printf(" frag");
printf("\n");
if (opts & OPT_DEBUG) {
printf("\tspace %lu nextip %s pnext %d", np->in_space,
inet_ntoa(np->in_nextip), np->in_pnext);
printf(" flags %x use %u\n",
np->in_flags, np->in_use);
}
}
}

View File

@ -0,0 +1,142 @@
/*
* Copyright (C) 2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <net/if.h>
#include <stdio.h>
#include "kmem.h"
#include "netinet/ip_compat.h"
#include "ipf.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_state.h"
#define PRINTF (void)printf
#define FPRINTF (void)fprintf
ipstate_t *printstate(sp, opts)
ipstate_t *sp;
int opts;
{
ipstate_t ips;
if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips)))
return NULL;
PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
hostname(ips.is_v, &ips.is_dst.in4),
ips.is_age, ips.is_pass, ips.is_p,
ips.is_state[0], ips.is_state[1]);
#ifdef USE_QUAD_T
PRINTF("\tpkts %qu bytes %qu", (unsigned long long) ips.is_pkts,
(unsigned long long) ips.is_bytes);
#else
PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
#endif
if (ips.is_p == IPPROTO_TCP)
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
ntohs(ips.is_sport), ntohs(ips.is_dport),
ips.is_send, ips.is_dend,
ips.is_maxswin, ips.is_maxdwin);
#else
PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
ntohs(ips.is_sport), ntohs(ips.is_dport),
ips.is_send, ips.is_dend,
ips.is_maxswin, ips.is_maxdwin);
#endif
else if (ips.is_p == IPPROTO_UDP)
PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
ntohs(ips.is_dport));
else if (ips.is_p == IPPROTO_ICMP
#ifdef USE_INET6
|| ips.is_p == IPPROTO_ICMPV6
#endif
)
PRINTF(" id %hu seq %hu type %d", ntohs(ips.is_icmp.ics_id),
ntohs(ips.is_icmp.ics_seq), ips.is_icmp.ics_type);
PRINTF("\n\t");
/*
* Print out bits set in the result code for the state being
* kept as they would for a rule.
*/
if (ips.is_pass & FR_PASS) {
PRINTF("pass");
} else if (ips.is_pass & FR_BLOCK) {
PRINTF("block");
switch (ips.is_pass & FR_RETMASK)
{
case FR_RETICMP :
PRINTF(" return-icmp");
break;
case FR_FAKEICMP :
PRINTF(" return-icmp-as-dest");
break;
case FR_RETRST :
PRINTF(" return-rst");
break;
default :
break;
}
} else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
PRINTF("log");
if (ips.is_pass & FR_LOGBODY)
PRINTF(" body");
if (ips.is_pass & FR_LOGFIRST)
PRINTF(" first");
} else if (ips.is_pass & FR_ACCOUNT)
PRINTF("count");
if (ips.is_pass & FR_OUTQUE)
PRINTF(" out");
else
PRINTF(" in");
if ((ips.is_pass & FR_LOG) != 0) {
PRINTF(" log");
if (ips.is_pass & FR_LOGBODY)
PRINTF(" body");
if (ips.is_pass & FR_LOGFIRST)
PRINTF(" first");
if (ips.is_pass & FR_LOGORBLOCK)
PRINTF(" or-block");
}
if (ips.is_pass & FR_QUICK)
PRINTF(" quick");
if (ips.is_pass & FR_KEEPFRAG)
PRINTF(" keep frags");
/* a given; no? */
if (ips.is_pass & FR_KEEPSTATE)
PRINTF(" keep state");
PRINTF("\tIPv%d", ips.is_v);
PRINTF("\n");
PRINTF("\tpkt_flags & %x(%x) = %x,\t",
ips.is_flags & 0xf, ips.is_flags,
ips.is_flags >> 4);
PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
ips.is_opt);
PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
ips.is_secmsk, ips.is_sec, ips.is_authmsk,
ips.is_auth);
PRINTF("\tinterfaces: in %s", getifname(ips.is_ifp[0]));
PRINTF(",%s", getifname(ips.is_ifp[1]));
PRINTF(" out %s", getifname(ips.is_ifp[2]));
PRINTF(",%s\n", getifname(ips.is_ifp[3]));
return ips.is_next;
}

View File

@ -0,0 +1,9 @@
block return-rst
pass
block return-icmp
pass
block
nomatch
pass
pass
--------

View File

@ -0,0 +1,9 @@
block
block
pass
block
pass
pass
block
block
--------

View File

@ -0,0 +1,49 @@
log in all
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
pass in on anon0 all head 100
--------
pass in log quick from 3.3.3.3 to any group 100
--------
pass in log body quick from 2.2.2.2 to any
01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
--------
pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
--------
pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
--------
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------

View File

@ -0,0 +1,47 @@
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
--------
--------
01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d ............
01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
--------
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
--------
01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
--------
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d ............
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------

View File

@ -0,0 +1,3 @@
4500 0028 4706 4000 0111 ced8 0606 0606 0404 0404 afc9 829e 0014 0b2d 0402 0000 3be5 468d 000a cfc3
4500 0038 809a 0000 ff01 8f31 0303 0303 0202 0202 0b00 a537 0000 0000 4500 0028 4703 4000 0111 ef89 0202 0202 0404 0404 afc9 829e 0014 1d4f
-------------------------------

View File

@ -0,0 +1,10 @@
4510 002c bd0d 4000 3e06 ea1d 0101 0101 c0a8 0133 9c40 0077 a664 2485 0000 0000 6002 4000 cea4 0000 0204 05b4
4500 002c ce83 4000 7e06 98b7 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a21 a664 2486 6012 2238 62a5 0000 0204 05b4
4510 0028 bd0e 4000 3e06 ea20 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a22 5010 4470 cbdf 0000
4500 005b cf83 4000 7e06 9788 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a22 a664 2486 5018 2238 b5d9 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0a
4510 0028 bd18 4000 3e06 ea16 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5010 4470 cbac 0000
4510 002e bd1e 4000 3e06 ea0a 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5018 4470 deb6 0000 0000 0000 0d0a
4500 0048 e383 4000 7e06 839b c0a8 0133 0a01 0201 0077 05f6 fbdf 1a55 a664 248c 5018 2232 fe54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
4500 05dc e483 4000 7e06 7d07 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f6c 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
4500 0038 d71d 4000 4001 f0be 0101 0101 c0a8 0133 0304 348b 0000 05a0 4500 05dc e483 4000 7e06 8707 c0a8 0133 0101 0101 0077 9c40 fbdf 1a75
-------------------------------

View File

@ -0,0 +1,8 @@
in on hme0 tcp 10.1.2.3,1200 195.134.65.10,100 S
in on hme0 tcp 10.1.2.3,1200 195.134.65.10,22 S
in on hme0 udp 10.1.2.3,1200 195.134.65.10,100
in on hme0 udp 10.1.2.3,53 195.134.65.10,53
in on hme0 10.1.2.3 195.134.65.10
in on hme1 195.134.65.10 10.1.2.3
in on hme1 udp 195.134.65.10,53 10.1.2.3,53
in on hme1 tcp 195.134.65.10,22 10.1.2.3,1200 SA

View File

@ -0,0 +1,8 @@
in 2.2.2.2 5.5.5.5
in 2.2.2.2 1.1.1.1
in udp 4.4.4.4,110 1.1.1.1,53
in udp 4.4.4.9,101 1.1.1.3,35
in udp 4.4.4.8,111 1.1.1.2,53
in tcp 4.4.4.7,220 1.1.1.1,23
in tcp 4.4.4.6,202 1.1.1.3,22
in tcp 4.4.4.5,222 1.1.1.2,52

View File

@ -0,0 +1,26 @@
[out,de0]
6000 0000 0020 3aff ef00 0000 0000 0000
0000 0000 0001 0013 ff02 0000 0000 0000
0000 0001 ff01 000b 8700 ea32 0000 0000
ef00 0000 0000 0000 0000 0000 0001 000b
0101 0048 5487 5c6f
[in,de0]
6000 0000 0020 3aff ef00 0000 0000 0000
0000 0000 0001 000b ef00 0000 0000 0000
0000 0000 0001 0013 8800 5322 6000 0000
ef00 0000 0000 0000 0000 0000 0001 000b
0201 0800 2071 cce1
[out,de0]
6000 0000 0010 3a40 ef00 0000 0000 0000
0000 0000 0001 0013 ef00 0000 0000 0000
0000 0000 0001 000b 8000 3210 06ff 0002
9ec3 3c3c 8a82 0300
[in,de0]
6000 0000 0010 3aff ef00 0000 0000 0000
0000 0000 0001 000b ef00 0000 0000 0000
0000 0000 0001 0013 8100 3110 06ff 0002
9ec3 3c3c 8a82 0300

View File

@ -0,0 +1,52 @@
# 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF SYN
45 00 0028 0000 4000 3f 06 0000 01010101 02020202
0401 0019 00000000 00000000 50 02 2000 0000 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
45 00 0028 0000 4000 3f 06 0000 01010101 02020202
0401 0019 00000000 00000000 50 10 2000 0000 0000
#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS
45 00 0028 0000 4000 3f 06 0000 02020202 01010101
0019 0401 00000000 00000000 50 12 2000 0000 0000
#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A
[out,e1] 45 00 0028 0000 4000 3f 06 0000 02020202 01010101
0019 0401 00000000 00000000 50 10 2000 0000 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 F
45 00 0028 0000 4000 3f 06 0000 01010101 02020202
0401 0019 00000000 00000000 50 01 2000 0000 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
45 00 0028 0000 4000 3f 06 0000 01010101 02020202
0401 0019 00000000 00000000 50 10 2000 0000 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
45 00 0028 0000 4000 3f 06 0000 01010101 02020202
0401 0019 00000000 00000000 50 10 2000 0000 0000
#in on e1 udp 1.1.1.1,1 4.4.4.4,53
45 00 0028 0000 4000 3f 11 0000 01010101 04040404
0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
#in on e1 udp 2.2.2.2,2 4.4.4.4,53
45 00 0028 0000 4000 3f 11 0000 02020202 04040404
0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
#in on e1 udp 2.2.2.2,2 4.4.4.4,53
45 00 0038 0000 4000 3f 11 0000 02020202 04040404
0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
0e0f 4061 4263 4465 4667 4869 4a6b 4c6d
#in on e0 ip 4.4.4.4,53 1.1.1.1,1
45 00 0014 0000 4000 3f 00 0000 02020202 04040404
#in on e0 udp 3.3.3.3,1023 1.1.1.1,2049
45 00 001c 0000 4000 3f 11 0000 03030303 01010101
03ff 0801 0000 0000
#in on e0 udp 1.1.1.1,2049 3.3.3.3,1023
45 00 001c 0000 4000 3f 11 0000 01010101 03030303
0801 03ff 0000 0000

View File

@ -0,0 +1,6 @@
#v tos len id off ttl p sum src dst
# ICMP timeout exceeded in reply to a ICMP packet going out.
[out,df0] 45 00 0028 4706 4000 01 11 ced8 0202 0202 0404 0404 afc9 829e 0014 1335 0402 0000 3be5 468d 000a cfc3
[in,df0] 45 00 0038 809a 0000 ff 01 8f31 0303 0303 0101 0101 0b00 ad3f 0000 0000 4500 0028 4703 4000 0111 e781 0606 0606 0404 0404 afc9 829e 0014 1547

View File

@ -0,0 +1,161 @@
# Test of fragmentation required coming from the inside.
[out,xl0]
4510 002c bd0d 4000 3e06 ea1d
0a01 0201
c0a8 0133
05f6 0077 a664 2485 0000 0000
6002 4000 5aef 0000 0204 05b4
[in,xl0]
4500 002c ce83 4000 7e06 98b7
c0a8 0133
0a01 0201
0077 05f6 fbdf 1a21 a664 2486
6012 2238 62a5 0000 0204 05b4 0000
[out,xl0]
4510 0028 bd0e 4000 3e06 ea20
0a01 0201
c0a8 0133
05f6 0077 a664 2486 fbdf 1a22
5010 4470 582a 0000
[in,xl0]
4500 005b cf83 4000 7e06 9788
c0a8 0133
0a01 0201
0077 05f6 fbdf 1a22 a664 2486
5018 2238 b5d9 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0a
[out,xl0]
4510 0028 bd18 4000 3e06 ea16
0a01 0201
c0a8 0133
05f6 0077 a664 2486 fbdf 1a55
5010 4470 57f7 0000
[out,xl0]
4510 002e bd1e 4000 3e06 ea0a
0a01 0201
c0a8 0133
05f6 0077 a664 2486 fbdf 1a55
5018 4470 6b01 0000 0000 0000 0d0a
[in,xl0]
4500 0048 e383 4000 7e06 839b
c0a8 0133
0a01 0201
0077 05f6 fbdf 1a55 a664 248c
5018 2232 fe54 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000
[in,xl0]
4500 05dc e483 4000 7e06 7d07
c0a8 0133
0a01 0201
0077 05f6 fbdf 1a75 a664 248c
5010 2232 9f6c 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3331 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 1111 2222 3333
0000 0000 0000 0000 0000 0000 1111 2222
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1111 2222 3333 0000 0000 0000 0000
0000 0000 1111 2222 3333 0000 0000 0000
0000 0000 0000 1111 2222 3333 0000 0000
0000 0000 0000 0000 1111 2222 3333 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000
[out,xl0]
4500 0038 d71d 4000 4001 ce16
c0a8 6401
c0a8 0133
0304 cad5 0000 05a0 4500 05dc
e483 4000 7e06 7d07 c0a8 0133 0a01 0201
0077 05f6 fbdf 1a75

48
contrib/ipfilter/test/logtest Executable file
View File

@ -0,0 +1,48 @@
#!/bin/sh
if [ -f /usr/ucb/touch ] ; then
TOUCH=/usr/ucb/touch
else
if [ -f /usr/bin/touch ] ; then
TOUCH=/usr/bin/touch
else
if [ -f /bin/touch ] ; then
TOUCH=/bin/touch
fi
fi
fi
echo "$1...";
/bin/cp /dev/null results/$1
/bin/cp /dev/null results/$1.b
( while read rule; do
echo $rule >> results/$1
echo $rule | ../ipftest -br - -Hi input/$1 -l logout > /dev/null
if [ $? -ne 0 ] ; then
/bin/rm -f logout
exit 1
fi
../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
../ipmon -P /dev/null -bf logout >> results/$1.b
echo "--------" >> results/$1.b
done ) < regress/$1
../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null
../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
../ipmon -P /dev/null -bf logout >> results/$1.b
echo "--------" >> results/$1.b
cmp expected/$1 results/$1
status=$?
if [ $status -ne 0 ] ; then
exit $status
fi
cmp expected/$1.b results/$1.b
status=$?
if [ $status -ne 0 ] ; then
exit $status
fi
/bin/rm -f logout
$TOUCH $1
exit 0

36
contrib/ipfilter/test/mtest Executable file
View File

@ -0,0 +1,36 @@
#!/bin/sh
# multiple rules at the same time
if [ -f /usr/ucb/touch ] ; then
TOUCH=/usr/ucb/touch
else
if [ -f /usr/bin/touch ] ; then
TOUCH=/usr/bin/touch
else
if [ -f /bin/touch ] ; then
TOUCH=/bin/touch
fi
fi
fi
echo "$1...";
/bin/cp /dev/null results/$1
../ipftest -br regress/$1 -i input/$1 > results/$1
if [ $? -ne 0 ] ; then
exit 1
fi
echo "--------" >> results/$1
cmp expected/$1 results/$1
status=$?
if [ $status -ne 0 ] ; then
exit $status
fi
cmp expected/$1 results/$1
status=$?
if [ $status -ne 0 ] ; then
exit $status
fi
$TOUCH $1
exit 0

View File

@ -0,0 +1,28 @@
#!/bin/sh
if [ -f /usr/ucb/touch ] ; then
TOUCH=/usr/ucb/touch
else
if [ -f /usr/bin/touch ] ; then
TOUCH=/usr/bin/touch
else
if [ -f /bin/touch ] ; then
TOUCH=/bin/touch
fi
fi
fi
echo "$1...";
/bin/cp /dev/null results/$1
( while read rule; do
echo "$rule" | ../ipftest -bHx -r regress/$1.ipf -Nr - -i input/$1 >> \
results/$1;
if [ $? -ne 0 ] ; then
exit 1;
fi
echo "-------------------------------" >> results/$1
done ) < regress/$1.nat
cmp expected/$1 results/$1
status=$?
if [ $status = 0 ] ; then
$TOUCH $1
fi
exit $status

View File

@ -0,0 +1,8 @@
block in log quick on hme0 from any to 195.134.65.0/25 head 10
block return-rst in log quick proto tcp all flags S head 100 group 10
pass in quick proto tcp from any to any port = 22 keep state group 100
pass in quick proto tcp from any to any port = 23 keep state group 100
pass in quick proto tcp from any to any port = 21 keep state group 100
block return-icmp in quick proto udp all keep state head 110 group 10
pass in quick proto udp from any to any port = 53 keep state group 110
block in log quick on hme0 from any to any

View File

@ -0,0 +1,10 @@
pass in all
skip 2 in proto tcp all
block in quick proto tcp all
skip 4 in proto udp all
block in quick proto udp all
pass in quick proto tcp from any to 1.1.1.1
pass in quick proto tcp from any to 1.1.1.2 port = 22
block in quick proto udp from any to any port = 53
pass in quick proto udp from any to any port = 53
block in all

View File

@ -0,0 +1,3 @@
block in all
block out all
pass out proto 58 all keep state

View File

@ -0,0 +1,6 @@
log in all
pass in on anon0 all head 100
pass in log quick from 3.3.3.3 to any group 100
pass in log body quick from 2.2.2.2 to any
pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state

View File

@ -0,0 +1,4 @@
block in all
block out all
pass out proto udp from any to any keep state
pass out proto tcp from any to any flags S keep state

View File

@ -0,0 +1 @@
map df0 2.2.2.2/32 -> 6.6.6.6/32

View File

@ -0,0 +1 @@
pass out quick proto tcp from any to any flags S/SAFR keep state

View File

@ -0,0 +1 @@
map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000