MFC IPFilter update from 4.1.13 to 4.1.28, including additional fixes applied post 4.1.28 for FreeBSD.
See src/contrib/ipfilter/HISTORY for more details of the bugs fixed, etc.
darrenr 2007-11-18 11:03:29 +00:00
parent a1dd99d2f5
commit b6b47f0bf0
269 changed files with 8217 additions and 7949 deletions


@ -84,6 +84,11 @@ build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \
-ln -s ../tools .
-ln -s ../tools ..
bpf.h:
echo '#define DEV_BPF 1' > bpf.h
$(TOP)/ip_compat.h: bpf.h
machine: Makefile.kmod
if [ -f Makefile.kmod ] ; then \
make -f Makefile.kmod depend MKUPDATE=no; \
@ -137,7 +142,7 @@ ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \
fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
$(TOP)/opts.h $(TOP)/ip_rules.h
$(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -D_RADIX_H_ -c $(TOP)/fil.c -o $@
$(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -c $(TOP)/fil.c -o $@
fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \
$(TOP)/ip_rules.h
@ -447,14 +452,14 @@ clean:
${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
${RM} -f ../ipscan ../ipsyncm ../ipsyncs
${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon
${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld*
${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld* ipfrule.kld*
${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h
${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h
${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h
${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h
${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h
${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h
${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h
${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h bpf.h
${RM} -f *.da *.gcov *.bb *.bbg tools
${MAKE} -f Makefile.ipsend ${MFLAGS} clean
@ -480,13 +485,21 @@ install:
cp if_ipl.o /lkm; \
fi
-if [ -d /modules -a -f ipf.ko ] ; then \
cp ipf.ko /modules; \
if [ -f /modules/ipl.ko ] ; then \
cp ipf.ko /modules/ipl.ko; \
else \
cp ipf.ko /modules; \
fi \
fi
-if [ -d /modules -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /modules; \
fi
-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
cp ipf.ko /boot/kernel; \
if [ -f /boot/kernel/ipl.ko ] ; then \
cp ipf.ko /boot/kernel/ipl.ko; \
else \
cp ipf.ko /boot/kernel; \
fi \
fi
-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /boot/kernel; \
@ -514,6 +527,9 @@ install:
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
fi \
done
if [ -d /etc/rc.d ] ; then \
$(INSTALL) -c -g wheel -m 755 -o root ../ipfadm-rcd $(SBINDEST)/ipfadm; \
fi
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
coverage:
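Review bot: The new `if [ -f /modules/ipl.ko ] … else … fi` branches in the `install` hunk at `@ -480,13 +485,21 @@` sit inside a `-`-prefixed recipe line, so a failing `cp ipf.ko /modules/ipl.ko` (read-only filesystem, disk full, permission problem) is reported only as an ignored error and `make install` still exits 0 with the previous module left in place — for a bug-fix update to a packet filter that is the failure you least want to pass unnoticed. Since the outer `[ -d /modules -a -f ipf.ko ]` test already guards the copy, the `-` prefix is no longer needed; dropping it, or writing `cp ipf.ko /modules/ipl.ko || exit 1; \` for each `cp`, makes the failure visible. The parallel `/boot/kernel` branch in the same hunk has the same issue. The `install` target starts before this hunk and continues past it.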


@ -32,11 +32,15 @@ else
fi
if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
echo "Please do a build of ipfilter and then run the following"
echo "command to build extra files:"
echo
echo "make ip_rules.c"
exit 1
echo "Trying to build ip_rules.c and ip_rules.h"
make ip_rules.c
if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
echo "Please do a build of ipfilter and then run the following"
echo "command to build extra files:"
echo
echo "make ip_rules.c"
exit 1
fi
fi
echo -n "Installing "
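Review bot: The exit status of the new `make ip_rules.c` line is discarded, so when that build fails for any reason the user sees make's own error followed by the unchanged "Please do a build of ipfilter" text, which then recommends the command that just failed. Checking the status directly, `make ip_rules.c || exit 1`, and keeping the re-test of both files for the case where make succeeds but produces only one of them, makes the failure mode clearer; the four `echo` lines that now appear twice could also move into a small shell function used by both branches. If this script is normally run as root (it installs into system directories outside this hunk, which is an inference), the build step now runs as root as well, which is worth a comment next to the new line. The enclosing `if … else … fi` begins before this hunk, as its `else` header shows.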


@ -1,10 +1,12 @@
IP Filter bug report form.
Please submit this information at SourceForge using this URL:
http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053
Please also send an email to darrenr@reed.wattle.id.au.
Some information that I generally find important:
--------------------------
IP Filter Version:
Operating System Version:
Configuration: <LKM or compiled-into-kernel>
Description of problem:
How to repeat:
* IP Filter Version
* Operating System and its Version
* Configuration: (LKM or compiled-into-kernel)
* Description of problem
* How to repeat


@ -1,24 +0,0 @@
*** files.orig Tue Sep 9 16:58:40 1997
--- files Sat Apr 4 10:52:58 1998
***************
*** 222,227 ****
--- 222,240 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter inet
+ netinet/fil.c optional ipfilter inet
+ netinet/ip_nat.c optional ipfilter inet
+ netinet/ip_frag.c optional ipfilter inet
+ netinet/ip_state.c optional ipfilter inet
+ netinet/ip_proxy.c optional ipfilter inet
+ netinet/mlf_ipl.c optional ipfilter inet
+ netinet/ip_auth.c optional ipfilter inet
+ netinet/ip_log.c optional ipfilter inet
+ netinet/ip_scan.c optional ipfilter inet
+ netinet/ip_sync.c optional ipfilter inet
+ netinet/ip_pool.c optional ipfilter_pool inet
+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_input.c optional ipx


@ -1,24 +0,0 @@
*** files.newconf.orig Sun Jun 25 02:17:29 1995
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,179 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/mlf_ipl.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet


@ -1,16 +0,0 @@
*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
--- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
***************
*** 89,94 ****
--- 89,99 ----
void eoninput(), eonctlinput(), eonprotoinit();
#endif /* EON */
+ #if defined(IPFILTER) && !defined(IPFILTER_LKM)
+ void iplinit();
+ #define ip_init iplinit
+ #endif
+
extern struct domain inetdomain;
struct protosw inetsw[] = {


@ -1,32 +0,0 @@
*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
--- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
***************
*** 74,79 ****
--- 74,82 ----
#ifdef IPFIREWALL
#include <netinet/ip_fw.h>
#endif
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
int rsvp_on = 0;
static int ip_rsvp_on;
***************
*** 310,315 ****
--- 313,327 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ return;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
#ifdef COMPAT_IPFW
if (ip_fw_chk_ptr) {


@ -1,67 +0,0 @@
*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
--- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
***************
*** 67,72 ****
--- 67,76 ----
#else
#undef COMPAT_IPFW
#endif
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
+
u_short ip_id;
***************
*** 75,81 ****
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
static int ip_getmoptions
__P((int, struct ip_moptions *, struct mbuf **));
! static int ip_optcopy __P((struct ip *, struct ip *));
static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
--- 79,85 ----
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
static int ip_getmoptions
__P((int, struct ip_moptions *, struct mbuf **));
! int ip_optcopy __P((struct ip *, struct ip *));
static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
***************
*** 338,343 ****
--- 342,356 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
#ifdef COMPAT_IPFW
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
***************
*** 559,565 ****
* Copy options from ip to jp,
* omitting those not copied during fragmentation.
*/
! static int
ip_optcopy(ip, jp)
struct ip *ip, *jp;
{
--- 574,580 ----
* Copy options from ip to jp,
* omitting those not copied during fragmentation.
*/
! int
ip_optcopy(ip, jp)
struct ip *ip, *jp;
{


@ -1,67 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Copying /usr/include/osreldate.h to /sys/sys"
cp /usr/include/osreldate.h /sys/sys
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch)
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,38 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD-2.2 ) cd ..
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}${bak} )
set bak=".bak."$dot
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}$bak
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM\noptions IPFILTER_LOG"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,57 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_compat.h ip_log.c \
mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,36 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
endif
grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,26 +0,0 @@
To build a kernel with the IP filter, follow these seven steps:
1. do "make freebsd3"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD-3/kinstall" as root
4. build a new kernel
5. install the new kernel
6. If not using DEVFS, create devices for IP Filter as follows:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
7. reboot
Darren Reed
darrenr@pobox.com


@ -1,52 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Rewriting $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
$confdir/$newconfig.bak > $confdir/$newconfig
echo "You will now need to run config on $newconfig and build a new kernel."
exit 0


@ -1,45 +0,0 @@
#!/bin/csh -f
#
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
ip_log.c mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
rm /sys/sys/osreldate.h
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,63 +0,0 @@
.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
--- ip6_input.c Wed Apr 26 22:31:34 2000
***************
*** 121,126 ****
--- 121,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 302,307 ****
--- 303,317 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
--- ip6_output.c Wed Apr 26 22:34:34 2000
***************
*** 108,113 ****
--- 108,115 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 754,759 ****
--- 756,770 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,65 +0,0 @@
.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
***************
*** 120,125 ****
--- 120,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 289,294 ****
--- 291,305 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
--- ip6_output.c Thu Oct 19 17:13:53 2000
***************
*** 106,111 ****
--- 106,113 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 787,792 ****
--- 789,803 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,65 +0,0 @@
.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
***************
*** 120,125 ****
--- 120,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 289,294 ****
--- 291,305 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
--- ip6_output.c Thu Oct 19 17:13:53 2000
***************
*** 106,111 ****
--- 106,113 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 787,792 ****
--- 789,803 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,63 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
set ipfdir=/sys/netinet
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_{auth,fil,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c mlfk_ipl.c ipl.h ip_compat.h ip_log.c )
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -N)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
grep -q IPFILTER $confdir/$newconfig
if ($status == 0) then
echo "IPFilter already configured in kernel config file"
exit 0
endif
echo "Rewriting $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
$confdir/$newconfig.bak > $confdir/$newconfig
echo "You will now need to run config on $newconfig and build a new kernel."
exit 0


@ -1,49 +0,0 @@
#!/bin/csh -f
#
#
set dir=`pwd`
set karch=`uname -m`
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
ip_log.c mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
rm /sys/sys/osreldate.h
echo "Removing patch to ip6_input.c and ip6_output.c"
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -R)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,46 +0,0 @@
*** conf.c.orig Sun Jan 14 15:39:32 1996
--- conf.c Sun Jan 14 15:48:21 1996
***************
*** 1128,1133 ****
--- 1128,1149 ----
#define labpcioctl nxioctl
#endif
+ #ifdef IPFILTER
+ d_open_t iplopen;
+ d_close_t iplclose;
+ d_ioctl_t iplioctl;
+ # ifdef IPFILTER_LOG
+ d_read_t iplread;
+ # else
+ #define iplread nxread
+ # endif
+ #else
+ #define iplopen nxopen
+ #define iplclose nxclose
+ #define iplioctl nxioctl
+ #define iplread nxread
+ #endif
+
/* open, close, read, write, ioctl, stop, reset, ttys, select, mmap, strat */
struct cdevsw cdevsw[] =
{
***************
*** 1199,1206 ****
* Otherwise, simply use the one reserved for local use.
*/
/* character device 20 is reserved for local use */
! { nxopen, nxclose, nxread, nxwrite, /*20*/
! nxioctl, nxstop, nxreset, nxdevtotty,/* reserved */
nxselect, nxmmap, NULL },
{ psmopen, psmclose, psmread, nowrite, /*21*/
psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
--- 1215,1222 ----
* Otherwise, simply use the one reserved for local use.
*/
/* character device 20 is reserved for local use */
! { iplopen, iplclose, iplread, nxwrite, /*20*/
! iplioctl, nxstop, nxreset, nxdevtotty,/* reserved */
nxselect, nxmmap, NULL },
{ psmopen, psmclose, psmread, nowrite, /*21*/
psmioctl, nostop, nullreset, nodevtotty,/* psm mice */


@ -1,23 +0,0 @@
*** files.orig Sat Sep 30 18:01:55 1995
--- files Sun Jan 14 14:32:25 1996
***************
*** 208,213 ****
--- 208,225 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter inet
+ netinet/fil.c optional ipfilter inet
+ netinet/ip_nat.c optional ipfilter inet
+ netinet/ip_frag.c optional ipfilter inet
+ netinet/ip_state.c optional ipfilter inet
+ netinet/ip_auth.c optional ipfilter inet
+ netinet/ip_proxy.c optional ipfilter inet
+ netinet/ip_log.c optional ipfilter inet
+ netinet/ip_scan.c optional ipfilter inet
+ netinet/ip_sync.c optional ipfilter inet
+ netinet/ip_pool.c optional ipfilter_pool ipfilter inet
+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso


@ -1,23 +0,0 @@
*** files.newconf.orig Sun Jun 25 02:17:29 1995
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,178 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet


@ -1,23 +0,0 @@
*** files.oldconf.orig Sat Apr 29 19:59:31 1995
--- files.oldconf Sun Apr 23 17:54:18 1995
***************
*** 180,185 ****
--- 180,197 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter requires inet
+ netinet/fil.c optional ipfilter requires inet
+ netinet/ip_nat.c optional ipfilter requires inet
+ netinet/ip_frag.c optional ipfilter requires inet
+ netinet/ip_state.c optional ipfilter requires inet
+ netinet/ip_proxy.c optional ipfilter requires inet
+ netinet/ip_auth.c optional ipfilter requires inet
+ netinet/ip_log.c optional ipfilter requires inet
+ netinet/ip_scan.c optional ipfilter requires inet
+ netinet/ip_sync.c optional ipfilter requires inet
+ netinet/ip_pool.c optional ipfilter_pool requires ipfilter
+ netinet/ip_rules.c optional ipfilter_compiled requires ipfilter
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso


@ -1,23 +0,0 @@
*** files.orig Sat Apr 29 20:00:02 1995
--- files Sun Apr 23 17:53:58 1995
***************
*** 222,227 ****
--- 222,235 ----
file netinet/tcp_timer.c inet
file netinet/tcp_usrreq.c inet
file netinet/udp_usrreq.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netiso/clnp_debug.c iso
file netiso/clnp_er.c iso
file netiso/clnp_frag.c iso


@ -1,16 +0,0 @@
*** in_proto.c.orig Wed Sep 6 20:31:34 1995
--- in_proto.c Mon Mar 11 22:40:03 1996
***************
*** 81,86 ****
--- 81,91 ----
void eoninput(), eonctlinput(), eonprotoinit();
#endif /* EON */
+ #ifdef IPFILTER
+ void iplinit();
+ #define ip_init iplinit
+ #endif
+
void rsvp_input(struct mbuf *, int);
void ipip_input(struct mbuf *, int);


@ -1,88 +0,0 @@
*** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996
--- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997
***************
*** 93,98 ****
--- 93,102 ----
int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddr *in_ifaddr; /* first inet address */
struct ifqueue ipintrq;
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
struct ipstat ipstat;
struct ipq ipq;
***************
*** 219,226 ****
}
ip = mtod(m, struct ip *);
}
! ip->ip_sum = in_cksum(m, hlen);
! if (ip->ip_sum) {
ipstat.ips_badsum++;
goto bad;
}
--- 223,229 ----
}
ip = mtod(m, struct ip *);
}
! if (in_cksum(m, hlen)) {
ipstat.ips_badsum++;
goto bad;
}
***************
*** 267,272 ****
--- 270,288 ----
goto next;
}
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ goto next;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
/*
* Process options and, if not destined for us,
* ship it on. ip_dooptions returns 1 when an
***************
*** 527,532 ****
--- 533,540 ----
* if they are completely covered, dequeue them.
*/
while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) {
+ struct mbuf *m0;
+
i = (ip->ip_off + ip->ip_len) - q->ip_off;
if (i < q->ip_len) {
q->ip_len -= i;
***************
*** 526,534 ****
m_adj(dtom(q), i);
break;
}
q = q->ipf_next;
- m_freem(dtom(q->ipf_prev));
ip_deq(q->ipf_prev);
}
insert:
--- 542,551 ----
m_adj(dtom(q), i);
break;
}
+ m0 = dtom(q);
q = q->ipf_next;
ip_deq(q->ipf_prev);
+ m_freem(m0);
}
insert:


@ -1,36 +0,0 @@
*** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996
--- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997
***************
*** 65,70 ****
--- 65,74 ----
static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *));
static void ip_mloopback
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
***************
*** 330,335 ****
--- 334,351 ----
m->m_flags &= ~M_BCAST;
sendit:
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
/*
* Check with the firewall...
*/


@ -1,72 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Installing "
foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c ip_compat.h ip_log.c )
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
grep iplopen $archdir/$karch/conf.c >& /dev/null
if ( $status != 0 ) then
echo "Patching $archdir/$karch/conf.c"
cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
endif
grep fr_checkp /sys/netinet/ip_input.c >& /dev/null
if ( $status != 0 ) then
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch)
endif
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,51 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch)
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,58 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_log.c)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Unpatching $archdir/$karch/conf.c"
cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch -R)
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,49 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
endif
grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -10,6 +10,266 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.28 - Release 16 October 2007
backout changes (B1) & (B2) as they've caused NAT entries to persist for
too long and possibly other side effects.
Still need to compile in our own radix.c for Solaris as the one in S10U4
has a different alignment of structure members (causes panic)
keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
ippool -l may only lists every 2nd pool's contents
4.1.27 - Released 29 September 2007
SunOS5/replace script does not deal with i386 systems that have the
i86/amd64 directory pair.
make BSD/kupgrade try to build ip_rules.[ch] before complaining
Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
to drive 32bit cc builds differently for sparc/i386 now.
Update instructions for rebuilding FreeBSD kernels
Make the target "freebsd" work for building ipfilter
destroying NAT entries for blocked packets can lead to NAT table entry leak,
provide a counter of orphan'd NAT entries to track this problem.
4.1.26 - Released 24 September 2007
Fix build problem for Solaris prior to S10U4
4.1.25 - Released 20 September 2007
stepping through structures with ioctls can lead to the wrong things
being free'd and panics
if a NAT entry (such as an rdr) is created but the packet ends up being
blocked, tear down the NAT entry.
fix fragment cache preventing keep state from functioning
fix handling of \ to indicate a continued line in .conf files
include port ranges in the allowed input for ipf when using "port = ()"
only advance TCP state for packets on the leading edge of the window. (B1)
using ipnat -l can lead to memory corruption in high stress situations
track TCP sequence numbers with NAT so that it can do timeout advances
correctly inline with state
ICMP checksums for some redirect'd packets are not adjusted correctly.
IPv6 address components need to be explicitly cast to a 32bit pointer
boundary so that compilers don't try to access them as two 64bit
pieces (no guarantee is made that an Ipv6 address is on a 64bit
aligned address)
filling up the ipauth packet queue can lead to no more packets being
processed.
locking used to deref a nat entry causes a significant performance hit
m_pulldown isn't properly handled, leading to possible panics with ICMPv6
packets
IPv6 fragment handling doesn't allow for "keep frag" to work
build on Solaris10 Update4 with pfhooks in the kernel
logging of Ipv6 packets with extension headers fix - Miroslaw Luc
4.1.24 - Released 8 July 2007
patch from Stuart Remphrey to address recursive mutex lock with TCP state
add hash table bucket stats display to ipnat -s
give ASSERT some teeth for user compiles
initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
early on
do some caddr_t cleanup, where possible
fr_ref no longer tracks the number of children rules in a group for head rules
make sure all BCOPY* have a value assigned to something
fix possible use of icmp pointer after pullup makes it invalid
resolve compile problems related to FreeBSD tree
4.1.23 - Released 31 May 2007
NAT was not always correctly fixing ICMP headers for errors
some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely. (B2)
fix compilation problems for netbsd 4.99
protect enumeration of lists in the kernel from callout interrupts on
BSD without locking
fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen
fix gcc 4.2 compiler warnings
fix TCP/UDP checksum calculation for IPv6
fix reference after free'ing ipftoken memory
4.1.22 - Released 13 May 2007
fix endless loop when flushing state/NAT by idle time
4.1.21 - Released 12 May 2007
show the number of states created against a rule with "-v" for ipfstat
fix build problems with FreeBSD
make it possible to flush the state table by idle time and TCP state
fix flushing out idle connections when state/NAT tables fill
print out the TCP state population with ipfstat/ipnat
stop creation of state table orphans via return-*/fastroute
fix printing out of rule groups - they now only appear once
4.1.20 - Released 30 April 2007
adjust TCP state numbers, making 11 closed (was 0) to better facilitate
detecting closing connections that we can wipe out when a SYN arrives
that matches the old
make it compile on Solaris10 Update3
structures used for ipf command ioctls weren't being freed in timeout
fashion on solairs
use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
adjust TCP timeout values and introduce a time-wait specifc timeout
to get a better TCP FSM emulation and one that can hopefully do a better
job of cleaning up in a speedy fashion than previous
refactor the automatic flushing of TCP state entries when we fill up,
but use the same algorithm as before but now it hopefully works
only 2 out of 4 interface names were being changed by ipfs when
interface renaming was being used for state entries
add ipf_proxy_debug to ipf-T
matching of last fragments that had a number of bytes that wasn't a
multiple of 8 failed
some combinations of TCP flags are considered bad aren't picked up as such,
but these may be possible with T/TCP
4.1.19 - Released 22 February 2007
Fix up compilation problems with NetBSD and Solaris.
4.1.18 - Released 18 February 2007
fix compiling on Tru64
fix listing out filter rules with ipfstat (delete token at end of
the list and detect zero rule being returned.)
fix extended flushing of NAT tables (was clearing out state tables)
fix null-pointer deref in hash table lookup
fix NAT and stateful filtering with to/reply-to on destination interface
4.1.17 - Released 20 January 2007
make flushing pools that are still in use mark them for deletion and
have attempting to recreate them clear the delete flag
walking through the NAT tables with ioctls caused lock recursion
fix tracking TCP window scaling in the state code
4.1.16 - Released 20 December 2006
allow rdr rules to only differ on the new port number
when creating state entry orphans, leave them on the linked list but not
attached to the hash table and mark them visible as orphans in "ipfstat -sl"
log state removed when unloading differently to allow visible cues
return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
abort logging a packet if the mbuf pointer is null when ipflog is called
Some NetBSD's have a selinfo.h instead of select.h
SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
listing accounting rules using ioctl interface wasn't possible
fix leakage of state entries due to packets not matching up with NAT
improve ICMP error packet matching with state/NAT
fix problems with parsing and printing "-" as an interface name in ipnat.conf
4.1.15 - Released 03 November 2006
Add in automatic flushing of NAT, like state, table if it fills up too much
Update comments in the code for NAT checksum adjustments
Fix compiling on FreeBSD 5.4 and 6.0
prevent panics from read/write IOs trying to use uninitialised structures
Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
the size is not staticly defined
Some gcc warning message cleanup from NetBSD
Missing include for <sys/filio.h> on Solaris for poll work
NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h
4.1.14 - Released 04 October 2006
rewrite checksum alteration for ICMP packets being NAT'd to use a sane
algorithm that can be understood...now it needs better comments
fix 1 byte error in checksum validation perl script
remove unused files in lib directory
ipftest will say "bad-packet" if it has been freed rather than just "blocked"
make it possible to load IP address pools from external files in ippool.conf
update copyright messages in tools directory
consolidate ioctl hanlding source code into fil.c
make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem
4.1.13 - Released 4 April 2006
fix bug where null pointers introduced by proxies could cause a crash
@ -39,6 +299,7 @@ add missing ipfsync_canread() and ipfsync_canwrite()
behaviour of \ on the end of a line in ipf.conf does not match older behaviour
remove duplicate statistics line output with "ipfstat -s"
4.1.11 - Released 19 March 2006
Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org


@ -1,62 +0,0 @@
.\" $FreeBSD$
.\"
To build a kernel for use with the loadable kernel module, follow these
steps:
1. In /sys/i386/conf, create a new kernel config file (to be used
with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
2. build the object files, telling it the name of the kernel to be
used. "freebsd22" MUST be the target, so the command would be
something like this: "make freebsd22 IPFILKERN=FIREWALL"
3. do "make install-bsd"
(probably has to be done as root)
4. run "FreeBSD-2.2/minstall" as root
5. build a new kernel
6. install and reboot with the new kernel
7. use modload(8) to load the packet filter with:
modload if_ipl.o
8. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
*** KERNEL INSTALL CURRENTLY UNSUPPORTED ***
1. do "make freebsd22"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD-2.2/kinstall" as root
4. build a new kernel
5a) For FreeBSD 2.2 (or later)
create devices for IP Filter as follows:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
5b) For versions prior to FreeBSD 2.2:
create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren Reed
darrenr@pobox.com


@ -1,56 +0,0 @@
This file is for use with FreeBSD 4.x and 5.x only.
To build a kernel for use with the loadable kernel module, follow these
steps:
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
2. do "make install-bsd"
(probably has to be done as root)
3. Run "BSD/kupgrade"
4. build a new kernel
5. install and reboot with the new kernel
6. use modload(8) to load the packet filter with:
modload if_ipl.o
7. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD/kinstall" as root
4. build a new kernel
5.
b) If you are using FreeBSD-3 or later:
create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
6. install and reboot with the new kernel
Darren Reed
darrenr@pobox.com


@ -1,45 +0,0 @@
# $FreeBSD$
To build a kernel for use with the loadable kernel module, follow these
steps:
1. do "make bsd"
2. cd to the "BSD" directory and type "make install"
3. run "4bsd/minstall" as root
4. build a new kernel
5. install and reboot with the new kernel
6. use modload(8) to load the packet filter with:
modload if_ipl.o
7. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
1. do "make bsd"
2. cd to the "BSD" directory and type "make install"
3. run "4bsd/kinstall" as root
4. build a new kernel
5. create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren
darrenr@pobox.com


@ -1,465 +0,0 @@
IP filter $B%7%g!<%H%,%$%I(B Dec, 1999
$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html
FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
$B30;3(B $B=c@8(B <sumio@is.s.u-tokyo.ac.jp>
$B;3K\(B $BBY1'(B <ymmt@is.s.u-tokyo.ac.jp>
-----
$B$O$8$a$K(B
IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B
$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B
$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B
$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B
Solaris/Solaris-x86 2.3 - 8 (early access)
SunOS 4.1.1 - 4.1.4
NetBSD 1.0 - 1.4
FreeBSD 2.0.0 - 2.2.8
BSD/OS-1.1 - 4
IRIX 6.2
$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B
$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B
$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B
$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B)
$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit
driver $B$r:n$C$F$/$@$5$$!#(B
-----
$B@_Dj%U%!%$%k$N5-=RJ}K!(B
IP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B
$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B
$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B
$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B
$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B
$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B
$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B
123.45.1.0/24
$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B
$B$^$?!"(Bgateway $B$O(B
123.45.1.111 (hme0)
$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B
123.45.2.10 (hme1)
$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
===================== $B$3$3$^$G(B ====================
$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B
$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B
log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B
$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B
$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B
$B$7$^$$$^$9!#(B
/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B
ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B
$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B
$B$K=q$/$H$h$$$G$7$g$&!#(B
ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B
$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B
local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B
$BNc$($P!"(B
local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B
$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B
$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
===================== $B$3$3$^$G(B ====================
$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B
$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B
(pass quick)$B$7$F$$$^$9!#(B
all $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B
$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B
$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B
$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B
$B0UL#$G$9!#(B
===================== $B$3$3$+$i(B ====================
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
===================== $B$3$3$^$G(B ====================
IP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N(B
group 100 $B$H$$$&$N$O(B head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9(B
$B$k%k!<%k$H$$$&0UL#$G$9!#(B
-----
$B$3$3$^$G$G!"4pK\E*$K(BLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)(B
$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP(B
$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#(B
$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
===================== $B$3$3$^$G(B ====================
$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios
(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows
$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B
Windows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B
$B62$l$,$"$j$^$9!#(B
$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B
* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B
* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B
* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B
* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup
XXX$B$H$7$F;2>H$G$-$k(B
* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G@_Dj$7$?(B)
group$B$K8BDj$G$-$k!#(B
$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B
from any to any port 136 >< 140
$B$H$$$&$N$O!"(B
$B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B
$B%"%I%l%9$X$N%Q%1%C%H!W(B
$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B
$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B
$B$?$H$($P(B
from any to any port = telnet
$B$H(B
from any to any port = 23
$B$OF1$80UL#$H$J$j$^$9!#(B
$B$5$F!"$3$3$G(B quick $B$NNc30$r@bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B
rule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B
$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W(B
$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B
$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B
$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B
block $B$7$F$$$kLu$G$9!#(B
$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B
$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B
----------
$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#(B
* $B%k!<%F%#%s%0>pJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B
pass in quick proto udp from any to any port = 520 keep state group 100
* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B
pass in quick proto icmp from any to any group 100
* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B
$B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O(Bpassive mode$B$G$J$$(BFTP$B$N5sF0(B
$B$G$9!#(B
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
$B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B
1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B
$B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B)
$B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B
$B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B
* sendmail$B$d(Bftpd$B$K7R$0$H!"Aj<j$,(Bident$B%]!<%H$X%"%/%;%9$7$F$/$k$3(B
$B$H$,$"$k$N$G!"(Bident port$B$r3+$1$^$9!#(Bident $B$ODL>o$O5/F0$5$l$F$$(B
$B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B
$B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B
$BAj<jB&$O(B timeout $B$9$k$^$G@h$K?J$^$J$$$N$G!"(BFTP $B$d(B mail $B$NAw?.(B
$B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#(B
$B$b$7(B 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K(B
$BDd;_$9$k$3$H$r4+$a$^$9!#(B
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
------
$B<!$K!"30It$+$i(B firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-(B
$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV(B
$B9f$r$D$1$^$9!#(B
===================== $B$3$3$+$i(B ====================
## grouping by host
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
===================== $B$3$3$^$G(B ====================
$B$3$l$G!"(B
$B30It$+$i(B 123.45.1.X $B$X$N@\B3$O(B group 110
$B30It$+$i(B 123.45.1.Y $B$X$N@\B3$O(B group 111
$B$G;2>H$9$k$3$H$,$G$-$^$9!#(B
$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B
$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B
$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B
$B0J9_$G$O!"(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B
$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B
$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B
$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B
X$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B
$B$H$K$7$^$9!#(B
* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B
pass in quick proto tcp from any to any port = telnet keep state group 110
* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B
($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
* X$B$X$N(Bssh$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 22 keep state group 110
* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B
$B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B
$B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j(B
$B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B
$B@_Dj$7$F$$$^$9!#(B
passive FTP $B$K$D$$$F2r@b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B
$B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B
$B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B
$B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B
passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B
$B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B
$B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B
$B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B
$B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B
$B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B
$B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess
$B$H$$$&%U%!%$%k$K(B
# passive ports <cidr> <min> <max>
passive ports 0.0.0.0/0 3000 3099
$B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B
* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 80 keep state group 111
* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = smtp keep state group 111
* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 110 keep state group 111
$B0J>e$N@_Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z(B
$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B
$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#(B
$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B
$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B
-----
$B$=$NB>$NCm0U(B
1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B
$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B
$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a,
b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B
$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111
$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B
($BNc(B)
#### grouping by host
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#### allow NNTP
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
gateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP
filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B
$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B
2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B
NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B
3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B
$B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding
$B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure
$B$GHFMQE*$JJ}K!$G$9!#(B
$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B
$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B
# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-----
$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B
$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C(B
$B$($^$9!#(B
## log blocked packets
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
------
$B:#Kx$N@_Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## Packet Filtering Rules for 123.45.1. ##########
#
# The following routes should be configured, if not already:
#
# route add 123.45.1.111 localhost 0 (hme0) (LAN)
# route add 123.45.2.10 localhost 0 (hme1) (upstream)
#
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
#
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
#
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
########## OUTGOING
#
## allow ping out
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
#
######### INCOMING
## ICMP
pass in quick proto icmp from any to any group 100
## RIP
pass in quick proto udp from any to any port = 520 keep state group 100
## FTP
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
## IDENT
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## grouping by host (112 & 113 is the gateway address)
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#
## telnet, ftp, ssh, www, smtp, pop
pass in quick proto tcp from any to any port = telnet keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
pass in quick proto tcp from any to any port = 80 keep state group 111
pass in quick proto tcp from any to any port = smtp keep state group 111
pass in quick proto tcp from any to any port = 110 keep state
group 111
#
## allow NNTP on the gateway
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
#
## X connections
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
#
## log blocked packets
## THIS MUST BE THE LAST RULE!
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
===================== $B$3$3$^$G(B ====================
----
$B$3$NJ8=q$N<h$j07$$$K$D$$$F(B
Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Permission to modify this document and to distribute it is hereby
granted, as long as above notices and copyright notice are retained.


@ -6,7 +6,7 @@
# to the original author and the contributors.
#
# $FreeBSD$
# Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $
# Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $
#
SHELL=/bin/sh
BINDEST=/usr/local/bin
@ -132,10 +132,7 @@ all:
@echo "openbsd - compile for OpenBSD"
@echo "freebsd20 - compile for FreeBSD 2.0, 2.1 or earlier"
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
@echo "freebsd3 - compile for FreeBSD-3.x"
@echo "freebsd4 - compile for FreeBSD-4.x"
@echo "freebsd5 - compile for FreeBSD-5.x"
@echo "freebsd6 - compile for FreeBSD-6.x"
@echo "freebsd - compile for all other versions of FreeBSD"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@ -152,6 +149,7 @@ retest:
else echo test directory not present, sorry; fi
include:
-mkdir -p net netinet
if [ ! -f netinet/done ] ; then \
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
@ -167,6 +165,9 @@ sunos solaris: include
MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
freebsd:
make freebsd`uname -r|cut -c1`
freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
@ -188,7 +189,7 @@ freebsd22: include
fi
make freebsd20
freebsd5 freebsd6: include
freebsd5 freebsd6 freebsd7: include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
@ -230,6 +231,15 @@ freebsd3 freebsd30: include
netbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
@if [ ! -d /sys -o ! -d /sys/arch ] ; then \
echo "*****************************************************"; \
echo "* *"; \
echo "* Please extract source code to create /sys and *";\
echo "* /sys/arch and run 'config GENERIC' *"; \
echo "* *"; \
echo "*****************************************************"; \
exit 1; \
fi
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
@ -342,13 +352,9 @@ sunos4 solaris1:
(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
(cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
sunos5x86 solaris2x86: null
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
linux: include
(cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
(cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..)
@ -365,7 +371,7 @@ install-sunos4: solaris
(cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
install-sunos5: solaris null
(cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install)
(cd SunOS5; $(MAKE) TOP=.. install)
install-aix:
(cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
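Review bot: The new `freebsd:` recipe invokes a literal `make` and derives the sub-target from `uname -r|cut -c1`: a bare `make` does not hand -j, -n or the jobserver down to the sub-make, and `cut -c1` keeps only the first character of the release string, so any two-digit major version would select the wrong `freebsdN` target. Suggest `$(MAKE)` and `uname -r | cut -d. -f1` on that line, which also matches the `$(MAKE)` the sunos5 hunk switches to. In the `include:` hunk, `-mkdir -p net netinet` hides a real mkdir failure (permissions, a regular file in the way) that the following `cd netinet` then reports less clearly; `mkdir -p` already succeeds when the directories exist, so the `-` prefix can be dropped.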


@ -42,7 +42,7 @@
#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
static const char rcsid[] =
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)";
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.3 2006/10/03 11:25:56 darrenr Exp $ (LBL)";
#endif
#include <sys/param.h>
@ -195,7 +195,8 @@ bpf_filter(pc, p, wirelen, buflen)
register int k;
int32 mem[BPF_MEMWORDS];
mb_t *m, *n;
int merr, len;
int merr = 0; /* XXX: GCC */
int len;
if (buflen == 0) {
m = (mb_t *)p;
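Review bot: `int merr = 0; /* XXX: GCC */` records only that the initializer silences a compiler warning, not whether 0 is a safe value on whichever path the compiler could not prove assigns merr; if such a path exists, a zero there reads as "no error" for an mbuf operation that never ran. Suggest replacing the comment with the invariant it relies on, e.g. `/* 0 (no error): every read of merr follows an assignment; init only quiets GCC */`, after checking that this holds on both sides of the `if (buflen == 0)` branch below. bpf_filter's body starts and continues outside the hunk, so the reads of merr are not visible here.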


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.18 2007/09/09 11:32:05 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -64,7 +64,6 @@ struct file;
#include <stdlib.h>
#include <ctype.h>
#include <fcntl.h>
#include <arpa/inet.h>
#ifdef __hpux
# define _NET_ROUTE_INCLUDED
@ -82,10 +81,12 @@ struct file;
#include <sys/hashing.h>
# endif
#endif
#if defined(__FreeBSD__)
#if defined(__FreeBSD__) || defined(SOLARIS2)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#ifndef __osf__
# include <net/route.h>
#endif
#include <netinet/in.h>
#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ && \
!defined(__hpux) && !defined(linux)
@ -109,6 +110,7 @@ struct file;
#include <netinet/ip_icmp.h>
#include <unistd.h>
#include <syslog.h>
#include <arpa/inet.h>
#ifdef __hpux
# undef _NET_ROUTE_INCLUDED
#endif
@ -146,7 +148,6 @@ extern struct protosw inetsw[];
static struct ifnet **ifneta = NULL;
static int nifs = 0;
static int frzerostats __P((caddr_t));
static void fr_setifpaddr __P((struct ifnet *, char *));
void init_ifp __P((void));
#if defined(__sgi) && (IRIX < 60500)
@ -169,37 +170,20 @@ static int write_output __P((struct ifnet *, struct mbuf *,
#endif
int iplattach()
int ipfattach()
{
fr_running = 1;
return 0;
}
int ipldetach()
int ipfdetach()
{
fr_running = -1;
return 0;
}
static int frzerostats(data)
caddr_t data;
{
friostat_t fio;
int error;
fr_getstat(&fio);
error = copyoutptr(&fio, data, sizeof(fio));
if (error)
return EFAULT;
bzero((char *)frstats, sizeof(*frstats) * 2);
return 0;
}
/*
* Filter ioctl interface.
*/
@ -209,210 +193,20 @@ ioctlcmd_t cmd;
caddr_t data;
int mode;
{
int error = 0, unit = 0, tmp;
friostat_t fio;
int error = 0, unit = 0, uid;
SPL_INT(s);
uid = getuid();
unit = dev;
SPL_NET(s);
if (unit == IPL_LOGNAT) {
if (fr_running > 0)
error = fr_nat_ioctl(data, cmd, mode);
else
error = EIO;
SPL_X(s);
return error;
}
if (unit == IPL_LOGSTATE) {
if (fr_running > 0)
error = fr_state_ioctl(data, cmd, mode);
else
error = EIO;
SPL_X(s);
return error;
}
if (unit == IPL_LOGAUTH) {
if (fr_running > 0) {
if ((cmd == (ioctlcmd_t)SIOCADAFR) ||
(cmd == (ioctlcmd_t)SIOCRMAFR)) {
if (!(mode & FWRITE)) {
error = EPERM;
} else {
error = frrequest(unit, cmd, data,
fr_active, 1);
}
} else {
error = fr_auth_ioctl(data, mode, cmd);
}
} else
error = EIO;
SPL_X(s);
return error;
}
if (unit == IPL_LOGSYNC) {
#ifdef IPFILTER_SYNC
if (fr_running > 0)
error = fr_sync_ioctl(data, cmd, mode);
else
#endif
error = EIO;
SPL_X(s);
return error;
}
if (unit == IPL_LOGSCAN) {
#ifdef IPFILTER_SCAN
if (fr_running > 0)
error = fr_scan_ioctl(data, cmd, mode);
else
#endif
error = EIO;
SPL_X(s);
return error;
}
if (unit == IPL_LOGLOOKUP) {
if (fr_running > 0)
error = ip_lookup_ioctl(data, cmd, mode);
else
error = EIO;
error = fr_ioctlswitch(unit, data, cmd, mode, uid, NULL);
if (error != -1) {
SPL_X(s);
return error;
}
switch (cmd)
{
case FIONREAD :
#ifdef IPFILTER_LOG
error = COPYOUT(&iplused[IPL_LOGIPF], (caddr_t)data,
sizeof(iplused[IPL_LOGIPF]));
#endif
break;
case SIOCFRENB :
if (!(mode & FWRITE))
error = EPERM;
else {
error = COPYIN(data, &tmp, sizeof(tmp));
if (error)
break;
if (tmp)
error = iplattach();
else
error = ipldetach();
}
break;
case SIOCIPFSET :
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
case SIOCIPFGETNEXT :
case SIOCIPFGET :
error = fr_ipftune(cmd, (void *)data);
break;
case SIOCSETFF :
if (!(mode & FWRITE))
error = EPERM;
else
error = COPYIN(data, &fr_flags, sizeof(fr_flags));
break;
case SIOCGETFF :
error = COPYOUT(&fr_flags, data, sizeof(fr_flags));
break;
case SIOCFUNCL :
error = fr_resolvefunc(data);
break;
case SIOCINAFR :
case SIOCRMAFR :
case SIOCADAFR :
case SIOCZRLST :
if (!(mode & FWRITE))
error = EPERM;
else
error = frrequest(unit, cmd, data, fr_active, 1);
break;
case SIOCINIFR :
case SIOCRMIFR :
case SIOCADIFR :
if (!(mode & FWRITE))
error = EPERM;
else
error = frrequest(unit, cmd, data, 1 - fr_active, 1);
break;
case SIOCSWAPA :
if (!(mode & FWRITE))
error = EPERM;
else {
bzero((char *)frcache, sizeof(frcache[0]) * 2);
*(u_int *)data = fr_active;
fr_active = 1 - fr_active;
}
break;
case SIOCGETFS :
fr_getstat(&fio);
error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT);
break;
case SIOCFRZST :
if (!(mode & FWRITE))
error = EPERM;
else
error = frzerostats(data);
break;
case SIOCIPFFL :
if (!(mode & FWRITE))
error = EPERM;
else {
error = COPYIN(data, &tmp, sizeof(tmp));
if (!error) {
tmp = frflush(unit, 4, tmp);
error = COPYOUT(&tmp, data, sizeof(tmp));
}
}
break;
#ifdef USE_INET6
case SIOCIPFL6 :
if (!(mode & FWRITE))
error = EPERM;
else {
error = COPYIN(data, &tmp, sizeof(tmp));
if (!error) {
tmp = frflush(unit, 6, tmp);
error = COPYOUT(&tmp, data, sizeof(tmp));
}
}
break;
#endif
case SIOCSTLCK :
error = COPYIN(data, &tmp, sizeof(tmp));
if (error == 0) {
fr_state_lock = tmp;
fr_nat_lock = tmp;
fr_frag_lock = tmp;
fr_auth_lock = tmp;
} else
error = EFAULT;
break;
#ifdef IPFILTER_LOG
case SIOCIPFFB :
if (!(mode & FWRITE))
error = EPERM;
else
*(int *)data = ipflog_clear(unit);
break;
#endif /* IPFILTER_LOG */
case SIOCGFRST :
error = fr_outobj(data, fr_fragstats(), IPFOBJ_FRAGSTAT);
break;
case SIOCFRSYN :
if (!(mode & FWRITE))
error = EPERM;
else {
frsync(NULL);
}
break;
default :
error = EINVAL;
break;
}
SPL_X(s);
return error;
}
@ -596,7 +390,7 @@ int v;
*addr++ = '\0';
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
COPYIFNAME(ifp, ifname);
COPYIFNAME(v, ifp, ifname);
if (!strcmp(name, ifname)) {
if (addr != NULL)
fr_setifpaddr(ifp, addr);
@ -635,6 +429,9 @@ int v;
}
ifp = ifneta[nifs - 1];
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
TAILQ_INIT(&ifp->if_addrlist);
#endif
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
@ -652,7 +449,7 @@ int v;
ifp->if_unit = -1;
}
#endif
ifp->if_output = no_output;
ifp->if_output = (void *)no_output;
if (addr != NULL) {
fr_setifpaddr(ifp, addr);
@ -688,7 +485,7 @@ void init_ifp()
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
ifp->if_output = write_output;
ifp->if_output = (void *)write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname);
fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
if (fd == -1)
@ -998,3 +795,9 @@ struct in_addr *inp, *inpmask;
}
return 0;
}
int ipfsync()
{
return 0;
}
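Review bot: In iplioctl, after `if (error != -1) { SPL_X(s); return error; }` the function falls through to the context lines `SPL_X(s); return error;` with error still -1, so an ioctl that fr_ioctlswitch() declines is now reported as -1 where the removed `default:` case returned EINVAL; unless fr_ioctlswitch() never returns -1 for this unit, add `if (error == -1) error = EINVAL;` before the final SPL_X(s). The per-command `if (!(mode & FWRITE)) error = EPERM;` checks the old switch applied to SIOCFRENB, SIOCSETFF, SIOCINAFR/SIOCRMAFR/SIOCADAFR and the other mutating commands are also now entirely the callee's responsibility, and nothing in the hunk shows that it re-applies them; a comment at the call such as `/* fr_ioctlswitch() owns the FWRITE/EPERM gating the old per-command switch did here */` would make that contract visible once confirmed. The new `uid = getuid()` indicates this is the userland ipftest build, so the practical risk is that the harness stops exercising the EPERM paths rather than a kernel privilege issue. iplioctl's signature starts outside the hunk.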


@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $
* $Id: ipf.h,v 2.71.2.15 2007/05/11 10:44:14 darrenr Exp $
*/
#ifndef __IPF_H__
@ -183,14 +183,14 @@ extern struct ipopt_names v6ionames[];
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int addkeep __P((char ***, struct frentry *, int));
extern void alist_free __P((alist_t *));
extern alist_t *alist_new __P((int, char *));
extern void binprint __P((void *, size_t));
extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));
extern int checkrev __P((char *));
extern int count6bits __P((u_32_t *));
extern int count4bits __P((u_32_t));
extern int extras __P((char ***, struct frentry *, int));
extern char *fac_toname __P((int));
extern int fac_findname __P((char *));
extern void fill6bits __P((int, u_int *));
@ -198,19 +198,12 @@ extern int gethost __P((char *, u_32_t *));
extern int getport __P((struct frentry *, char *, u_short *));
extern int getportproto __P((char *, int));
extern int getproto __P((char *));
extern char *getline __P((char *, size_t, FILE *, int *));
extern int genmask __P((char *, u_32_t *));
extern char *getnattype __P((struct ipnat *));
extern char *getnattype __P((struct nat *, int));
extern char *getsumd __P((u_32_t));
extern u_32_t getoptbyname __P((char *));
extern u_32_t getoptbyvalue __P((int));
extern u_32_t getv6optbyname __P((char *));
extern u_32_t getv6optbyvalue __P((int));
extern void hexdump __P((FILE *, void *, int, int));
extern int hostmask __P((char ***, char *, char *, u_32_t *, u_32_t *, int));
extern int hostnum __P((u_32_t *, char *, int, char *));
extern int icmpcode __P((char *));
extern int icmpidnum __P((char *, u_short *, int));
extern void initparse __P((void));
extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
extern void ipf_addrule __P((int, ioctlfunc_t, void *));
@ -225,23 +218,21 @@ extern int ippool_parsefile __P((int, char *, ioctlfunc_t));
extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t));
extern int kmemcpywrap __P((void *, void *, size_t));
extern char *kvatoname __P((ipfunc_t, ioctlfunc_t));
extern alist_t *load_file __P((char *));
extern int load_hash __P((struct iphtable_s *, struct iphtent_s *,
ioctlfunc_t));
extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern alist_t *load_http __P((char *));
extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t));
extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
extern int loglevel __P((char **, u_int *, int));
extern alist_t *load_url __P((char *));
extern alist_t *make_range __P((int, struct in_addr, struct in_addr));
extern ipfunc_t nametokva __P((char *, ioctlfunc_t));
extern ipnat_t *natparse __P((char *, int));
extern void natparsefile __P((int, char *, int));
extern void nat_setgroupmap __P((struct ipnat *));
extern int ntomask __P((int, int, u_32_t *));
extern u_32_t optname __P((char ***, u_short *, int));
extern struct frentry *parse __P((char *, int));
extern char *portname __P((int, int));
extern int portnum __P((char *, char *, u_short *, int));
extern int ports __P((char ***, char *, u_short *, int *, u_short *, int));
extern int pri_findname __P((char *));
extern char *pri_toname __P((int));
extern void print_toif __P((char *, struct frdest *));
@ -251,6 +242,8 @@ extern void printfr __P((struct frentry *, ioctlfunc_t));
extern void printtunable __P((ipftune_t *));
extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t,
char *, int));
extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *, int));
extern void printhashdata __P((iphtable_t *, int));
extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
struct iphtent_s *,
copyfunc_t, int));
@ -263,6 +256,9 @@ extern void printpacket __P((struct ip *));
extern void printpacket6 __P((struct ip *));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t,
char *, int));
extern struct ip_pool_s *printpool_live __P((struct ip_pool_s *, int,
char *, int));
extern void printpooldata __P((ip_pool_t *, int));
extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
extern void printproto __P((struct protoent *, int, struct ipnat *));
extern void printportcmp __P((int, struct frpcmp *));
@ -270,15 +266,12 @@ extern void optprint __P((u_short *, u_long, u_long));
#ifdef USE_INET6
extern void optprintv6 __P((u_short *, u_long, u_long));
#endif
extern int ratoi __P((char *, int *, int, int));
extern int ratoui __P((char *, u_int *, u_int, u_int));
extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t));
extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int remove_pool __P((ip_pool_t *, ioctlfunc_t));
extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
extern u_char tcp_flags __P((char *, u_char *, int));
extern u_char tcpflags __P((char *));
extern int to_interface __P((struct frdest *, char *, int));
extern void printc __P((struct frentry *));
extern void printC __P((int));
extern void emit __P((int, int, void *, struct frentry *));
@ -290,9 +283,9 @@ extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int, u_long));
extern void printsbuf __P((char *));
extern void printnat __P((struct ipnat *, int));
extern void printactivenat __P((struct nat *, int));
extern void printactivenat __P((struct nat *, int, int, u_long));
extern void printhostmap __P((struct hostmap *, u_int));
extern void printpacket __P((struct ip *));
extern void printtqtable __P((ipftq_t *));
extern void set_variable __P((char *, char *));
extern char *get_variable __P((char *, char **, int));
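Review bot: The new `alist_t`-returning prototypes `alist_new`, `load_file`, `load_http`, `load_url` and `make_range` arrive without any statement of who owns the returned list; the adjacent `alist_free` suggests the caller releases it, but the header does not say so, and the loaders give no hint whether a failed read or fetch yields NULL or an empty list. A one-line comment above the group, e.g. `/* alist_t loaders return a caller-owned list; release it with alist_free() */`, would make the contract usable from the header alone, once the failure convention has been checked against the implementations.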


@ -3,20 +3,21 @@
#
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend
all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
$(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
iplang_y.o: iplang_y.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
$(CC) $(CCARGS) $< -o $@
iplang_l.o: iplang_l.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
$(CC) $(CCARGS) $< -o $@
$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
lex iplang_l.l
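Review bot: The `iplang_y.o:` and `iplang_l.o:` recipes lose the `-c` flag (and `$(LINUX)`) in the move to CCARGS: `$(CC) $(CCARGS) $< -o $@` asks the compiler to compile and link the single source into an executable named iplang_y.o, which fails at link time or leaves a non-object behind a `.o` name, whereas the two `$(DESTDIR)/` rules above keep `$(LINUX) -c`. Change both lines to `$(CC) $(CCARGS) $(LINUX) -c $< -o $@`. CCARGS also introduces `-I$(DESTDIR) -I$(DESTDIR)/..` into these local-target rules, which previously did not reference DESTDIR; if DESTDIR can be empty when they run, the bare `-I` would take the following `-I$(DESTDIR)/..` token as its directory, so the empty case needs handling or the local rules should keep their own include list.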


@ -6,17 +6,17 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $
* $FreeBSD$
* Id: iplang_y.y,v 2.9.2.5 2007/02/17 12:41:48 darrenr Exp $
*/
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
# include <strings.h>
#else
#include <sys/byteorder.h>
# include <sys/byteorder.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
@ -30,11 +30,14 @@
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef linux
#include <netinet/ip_var.h>
# include <netinet/ip_var.h>
#endif
#ifdef __osf__
# include "radix_ipf_local.h"
#endif
#include <net/if.h>
#ifndef linux
#include <netinet/if_ether.h>
# include <netinet/if_ether.h>
#endif
#include <netdb.h>
#include <arpa/nameser.h>


@ -16,7 +16,9 @@
#if defined(__FreeBSD__)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#ifndef __osf__
# include <net/route.h>
#endif
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <arpa/inet.h>


@ -7,20 +7,23 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.1 2005/06/12 07:18:38 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.2 2007/02/17 12:41:50 darrenr Exp $";
#endif
#include <sys/types.h>
#include <sys/socket.h>
#if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) && !defined(_AIX51)
#include <sys/sockio.h>
# include <sys/sockio.h>
#endif
#include <sys/ioctl.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#ifdef __osf__
# include "radix_ipf_local.h"
#endif
#include <net/if.h>
#include <netinet/if_ether.h>
#ifndef ultrix
#include <net/if_arp.h>
# include <net/if_arp.h>
#endif
#include <netinet/in.h>
#include <netinet/ip.h>


@ -7,12 +7,15 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.1 2004/10/19 12:31:48 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
#ifdef __osf__
# include "radix_ipf_local.h"
#endif
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>


@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.9 2007/09/13 07:19:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@ -22,6 +22,9 @@ typedef int boolean_t;
#endif
#include <sys/time.h>
#if !defined(__osf__)
# ifdef __NetBSD__
# include <machine/lock.h>
# endif
# define _KERNEL
# define KERNEL
# if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux)
@ -64,6 +67,9 @@ typedef int boolean_t;
#ifdef __hpux
# define _NET_ROUTE_INCLUDED
#endif
#ifdef __osf__
# include "radix_ipf_local.h"
#endif
#include <net/if.h>
#if defined(linux) && (LINUX >= 0200)
# include <asm/atomic.h>
@ -1094,7 +1100,8 @@ int ptest;
struct tcpcb *tcbp, tcb;
struct tcpiphdr ti;
struct sockaddr_in sin;
int fd, slen;
int fd;
socklen_t slen;
bzero((char *)&sin, sizeof(sin));


@ -8,12 +8,15 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.3 2007/02/17 12:41:51 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#ifdef __osf__
# include "radix_ipf_local.h"
#endif
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>


@ -27,6 +27,7 @@
#endif
#ifdef __osf__
# include <sys/dlpihdr.h>
# include "radix_ipf_local.h"
#else
# include <sys/dlpi.h>
#endif
@ -48,7 +49,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.1 2004/12/09 19:41:13 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $";
#endif
#define CHUNKSIZE 8192


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.7 2007/09/13 07:19:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@ -30,6 +30,9 @@ typedef int boolean_t;
# include <sys/dir.h>
#endif
#if !defined(__osf__)
# ifdef __NetBSD__
# include <machine/lock.h>
# endif
# define _KERNEL
# define KERNEL
# ifdef ultrix
@ -66,7 +69,9 @@ typedef int boolean_t;
#if defined(__FreeBSD__)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#ifndef __osf__
# include <net/route.h>
#endif
#include <netinet/ip_var.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
@ -294,11 +299,14 @@ struct tcpiphdr *ti;
return NULL;
fd = (struct filedesc *)malloc(sizeof(*fd));
if (fd == NULL)
return NULL;
#if defined( __FreeBSD_version) && __FreeBSD_version >= 500013
if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx) failed\n",
(u_long)p, (u_long)p->ki_fd);
free(fd);
return NULL;
}
#else
@ -306,6 +314,7 @@ struct tcpiphdr *ti;
{
fprintf(stderr, "read(%#lx,%#lx) failed\n",
(u_long)p, (u_long)p->kp_proc.p_fd);
free(fd);
return NULL;
}
#endif
@ -379,7 +388,8 @@ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct tcpcb *t, tcb;
int fd, nfd, len;
int fd, nfd;
socklen_t len;
printf("Dest. Port: %d\n", ti->ti_dport);


@ -4,7 +4,7 @@
all: l4check
l4check: l4check.c
$(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@
$(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@
clean:
/bin/rm -f l4check
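Review bot: `$(LIBS)` is placed before `l4check.c` on the compile-and-link line, so with linkers that resolve archives in command-line order any library it names is scanned before the object that references it and those symbols stay unresolved; the libraries belong last: `$(CC) -g -I.. -Wall $(CFLAGS) l4check.c -o $@ $(LIBS)`. What `LIBS` expands to is not visible in this hunk, so confirm against the full Makefile before relying on the current ordering. Adding `-Wall` is welcome, but `clean` still spells `/bin/rm -f` where `$(RM)` would match the rest of this tree, and no `.PHONY: all clean` declaration is visible, so a stray file named `clean` would silently disable the target.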


@ -27,6 +27,7 @@
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ipl.h"
#include "ipf.h"
@ -98,13 +99,21 @@ char *dst, *src;
void addnat(l4)
l4cfg_t *l4;
{
ipnat_t *ipn = &l4->l4_nat;
printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]),
printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4),
ipn->in_outmsk, ntohs(ipn->in_pmin));
printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext));
printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext));
if (!(opts & OPT_DONOTHING)) {
if (ioctl(natfd, SIOCADNAT, &ipn) == -1)
ipfobj_t obj;
bzero(&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_size = sizeof(*ipn);
obj.ipfo_ptr = ipn;
if (ioctl(natfd, SIOCADNAT, &obj) == -1)
perror("ioctl(SIOCADNAT)");
}
}
@ -116,9 +125,16 @@ l4cfg_t *l4;
ipnat_t *ipn = &l4->l4_nat;
printf("Remove NAT rule for %s/%#x,%u -> ",
inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin);
printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext);
inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin);
printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext);
if (!(opts & OPT_DONOTHING)) {
ipfobj_t obj;
bzero(&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_size = sizeof(*ipn);
obj.ipfo_ptr = ipn;
if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
perror("ioctl(SIOCRMNAT)");
}
@ -178,7 +194,6 @@ l4cfg_t *l4;
void writefd(l4)
l4cfg_t *l4;
{
char buf[80], *ptr;
int n, i, fd;
fd = l4->l4_fd;
@ -410,7 +425,6 @@ u_short *portp;
struct servent *sp;
struct hostent *hp;
char *host, *port;
struct in_addr ip;
host = str;
port = strchr(host, ',');
@ -555,7 +569,8 @@ char *filename;
break;
}
strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));
strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);
strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ);
if (!gethostport(t, num, &ipn->in_outip,
&ipn->in_pmin)) {
errtxt = line;
@ -567,11 +582,11 @@ char *filename;
if (opts & OPT_VERBOSE)
fprintf(stderr,
"Interface %s %s/%#x port %u\n",
ipn->in_ifname,
inet_ntoa(ipn->in_out[0]),
ipn->in_ifnames[0],
inet_ntoa(ipn->in_out[0].in4),
ipn->in_outmsk, ipn->in_pmin);
} else if (!strcasecmp(t, "remote")) {
if (!*ipn->in_ifname) {
if (!*ipn->in_ifnames[0]) {
fprintf(stderr,
"%d: ifname not set prior to remote\n",
num);
@ -606,7 +621,7 @@ char *filename;
break;
}
bcopy((char *)&template, (char *)l4, sizeof(*l4));
l4->l4_sin.sin_addr = ipn->in_in[0];
l4->l4_sin.sin_addr = ipn->in_in[0].in4;
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_next = l4list;
l4list = l4;
@ -793,7 +808,7 @@ char *argv[];
}
if (!(opts & OPT_DONOTHING)) {
natfd = open(IPL_NAT, O_RDWR);
natfd = open(IPNAT_NAME, O_RDWR);
if (natfd == -1) {
perror("open(IPL_NAT)");
exit(1);
@ -804,4 +819,6 @@ char *argv[];
fprintf(stderr, "Starting...\n");
while (runconfig() == 0)
;
exit(1);
}
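Review bot: In the `SIOCRMNAT` path the newly built `ipfobj_t` is never used — the ioctl still reads `if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)`, passing the address of the local `ipnat_t *` where the kernel now expects an `ipfobj_t`, so rule removal hands the driver the wrong object; it should be `if (ioctl(natfd, SIOCRMNAT, &obj) == -1)` exactly as the `SIOCADNAT` hunk already does. Neither hunk sets `obj.ipfo_type`; if the kernel-side object copy validates the type (the other ipfilter tools fill in `IPFOBJ_IPNAT`, and I would expect a mismatch to yield EINVAL), both ioctls fail, so `obj.ipfo_type = IPFOBJ_IPNAT;` belongs next to `obj.ipfo_rev`. The `strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);` pair leaves the name unterminated when `s` is LIFNAMSIZ characters or longer, so either bound the copy to `LIFNAMSIZ - 1` or reject over-long names. The device is now opened with `IPNAT_NAME` but the failure path still prints `perror("open(IPL_NAT)")`. The functions containing these hunks (`addnat`, `remnat`, the config parser and `main`) all continue outside the visible lines.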


@ -1,7 +1,16 @@
#
# Copyright (C) 1993-2001 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
# $Id: Makefile,v 1.41.2.14 2007/09/21 08:30:43 darrenr Exp $
#
INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/addipopt.o \
$(DEST)/alist_free.o \
$(DEST)/alist_new.o \
$(DEST)/bcopywrap.o \
$(DEST)/binprint.o \
$(DEST)/buildopts.o \
@ -9,23 +18,17 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/count6bits.o \
$(DEST)/count4bits.o \
$(DEST)/debug.o \
$(DEST)/extras.o \
$(DEST)/facpri.o \
$(DEST)/flags.o \
$(DEST)/fill6bits.o \
$(DEST)/genmask.o \
$(DEST)/gethost.o \
$(DEST)/getifname.o \
$(DEST)/getline.o \
$(DEST)/getnattype.o \
$(DEST)/getport.o \
$(DEST)/getportproto.o \
$(DEST)/getproto.o \
$(DEST)/getsumd.o \
$(DEST)/hexdump.o \
$(DEST)/hostmask.o \
$(DEST)/hostname.o \
$(DEST)/hostnum.o \
$(DEST)/icmpcode.o \
$(DEST)/inet_addr.o \
$(DEST)/initparse.o \
@ -41,11 +44,13 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/kmem.o \
$(DEST)/kmemcpywrap.o \
$(DEST)/kvatoname.o \
$(DEST)/load_file.o \
$(DEST)/load_hash.o \
$(DEST)/load_hashnode.o \
$(DEST)/load_http.o \
$(DEST)/load_pool.o \
$(DEST)/load_poolnode.o \
$(DEST)/loglevel.o \
$(DEST)/load_url.o \
$(DEST)/mutex_emul.o \
$(DEST)/nametokva.o \
$(DEST)/nat_setgroupmap.o \
@ -55,17 +60,19 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/optprintv6.o \
$(DEST)/optvalue.o \
$(DEST)/portname.o \
$(DEST)/portnum.o \
$(DEST)/ports.o \
$(DEST)/print_toif.o \
$(DEST)/printactivenat.o \
$(DEST)/printaps.o \
$(DEST)/printbuf.o \
$(DEST)/printhash.o \
$(DEST)/printhashdata.o \
$(DEST)/printhashnode.o \
$(DEST)/printhash_live.o \
$(DEST)/printip.o \
$(DEST)/printpool.o \
$(DEST)/printpooldata.o \
$(DEST)/printpoolnode.o \
$(DEST)/printpool_live.o \
$(DEST)/printproto.o \
$(DEST)/printfr.o \
$(DEST)/printfraginfo.o \
@ -80,9 +87,8 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/printpacket6.o \
$(DEST)/printsbuf.o \
$(DEST)/printstate.o \
$(DEST)/printtqtable.o \
$(DEST)/printtunable.o \
$(DEST)/ratoi.o \
$(DEST)/ratoui.o \
$(DEST)/remove_hash.o \
$(DEST)/remove_hashnode.o \
$(DEST)/remove_pool.o \
@ -91,7 +97,6 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/rwlock_emul.o \
$(DEST)/tcpflags.o \
$(DEST)/tcp_flags.o \
$(DEST)/to_interface.o \
$(DEST)/var.o \
$(DEST)/verbose.o \
$(DEST)/v6ionames.o \
@ -106,6 +111,10 @@ $(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@
$(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@
$(DEST)/alist_free.o: $(LIBSRC)/alist_free.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/alist_free.c -o $@
$(DEST)/alist_new.o: $(LIBSRC)/alist_new.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/alist_new.c -o $@
$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)
@ -120,18 +129,12 @@ $(DEST)/count4bits.o: $(LIBSRC)/count4bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@
$(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@
$(DEST)/extras.o: $(LIBSRC)/extras.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/extras.c -o $@
$(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@
$(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
$(DEST)/genmask.o: $(LIBSRC)/genmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/genmask.c -o $@
$(DEST)/getline.o: $(LIBSRC)/getline.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getline.c -o $@
$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
@ -146,14 +149,8 @@ $(DEST)/getproto.o: $(LIBSRC)/getproto.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getproto.c -o $@
$(DEST)/getsumd.o: $(LIBSRC)/getsumd.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getsumd.c -o $@
$(DEST)/hexdump.o: $(LIBSRC)/hexdump.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hexdump.c -o $@
$(DEST)/hostmask.o: $(LIBSRC)/hostmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostmask.c -o $@
$(DEST)/hostname.o: $(LIBSRC)/hostname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@
$(DEST)/hostnum.o: $(LIBSRC)/hostnum.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostnum.c -o $@
$(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@
$(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP)
@ -184,14 +181,20 @@ $(DEST)/kmemcpywrap.o: $(LIBSRC)/kmemcpywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/kmemcpywrap.c -o $@
$(DEST)/kvatoname.o: $(LIBSRC)/kvatoname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@
$(DEST)/load_file.o: $(LIBSRC)/load_file.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_file.c -o $@
$(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@
$(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_hashnode.c -o $@
$(DEST)/load_http.o: $(LIBSRC)/load_http.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_http.c -o $@
$(DEST)/load_pool.o: $(LIBSRC)/load_pool.c $(INCDEP) $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_pool.c -o $@
$(DEST)/load_poolnode.o: $(LIBSRC)/load_poolnode.c $(INCDEP) $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@
$(DEST)/load_url.o: $(LIBSRC)/load_url.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_url.c -o $@
$(DEST)/make_range.o: $(LIBSRC)/make_range.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/make_range.c -o $@
$(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP)
@ -203,8 +206,6 @@ $(DEST)/nat_setgroupmap.o: $(LIBSRC)/nat_setgroupmap.c $(TOP)/ip_compat.h \
$(CC) $(CCARGS) -c $(LIBSRC)/nat_setgroupmap.c -o $@
$(DEST)/ntomask.o: $(LIBSRC)/ntomask.c $(TOP)/ip_compat.h
$(CC) $(CCARGS) -c $(LIBSRC)/ntomask.c -o $@
$(DEST)/loglevel.o: $(LIBSRC)/loglevel.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/loglevel.c -o $@
$(DEST)/optname.o: $(LIBSRC)/optname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optname.c -o $@
$(DEST)/optprint.o: $(LIBSRC)/optprint.c $(INCDEP)
@ -215,10 +216,6 @@ $(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
$(DEST)/portnum.o: $(LIBSRC)/portnum.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portnum.c -o $@
$(DEST)/ports.o: $(LIBSRC)/ports.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ports.c -o $@
$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
@ -233,16 +230,25 @@ $(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@
$(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@
$(DEST)/printhashdata.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashdata.c -o $@
$(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@
$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash_live.c -o $@
$(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@
$(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@
$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpooldata.c -o $@
$(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@
$(DEST)/printpool_live.o: $(LIBSRC)/printpool_live.c $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpool_live.c -o $@
$(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@
$(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h
@ -267,12 +273,10 @@ $(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@
$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h
$(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@
$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@
$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@
$(DEST)/ratoi.o: $(LIBSRC)/ratoi.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ratoi.c -o $@
$(DEST)/ratoui.o: $(LIBSRC)/ratoui.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ratoui.c -o $@
$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@
@ -289,8 +293,6 @@ $(DEST)/resetlexer.o: $(LIBSRC)/resetlexer.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/resetlexer.c -o $@
$(DEST)/rwlock_emul.o: $(LIBSRC)/rwlock_emul.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/rwlock_emul.c -o $@
$(DEST)/to_interface.o: $(LIBSRC)/to_interface.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/to_interface.c -o $@
$(DEST)/tcpflags.o: $(LIBSRC)/tcpflags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/tcpflags.c -o $@
$(DEST)/tcp_flags.o: $(LIBSRC)/tcp_flags.c $(INCDEP)
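Review bot: The new `printhashdata.o` rule names the wrong source as its prerequisite: `$(DEST)/printhashdata.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h` while its recipe compiles `printhashdata.c`, so edits to `printhashdata.c` never trigger a rebuild and a stale object is silently archived into libipf.a; it should read `$(DEST)/printhashdata.o: $(LIBSRC)/printhashdata.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h`. The sibling rules added alongside it (`printhash_live`, `printpooldata`, `printpool_live`) name their own `.c` correctly, which makes the odd one out easy to miss. Since every rule in this file has the same `$(CC) $(CCARGS) -c <src> -o $@` shape, a static pattern rule over `LIBOBJS` using `$<` would make this class of copy-paste error impossible, though that is a larger change than a vendor import should carry.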


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2006 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $
* $Id: addicmp.c,v 1.10.2.5 2006/06/16 17:20:55 darrenr Exp $
*/
#include <ctype.h>

View File

@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: addipopt.c,v 1.7 2002/01/28 06:50:45 darrenr Exp $
* $Id: addipopt.c,v 1.7.4.1 2006/06/16 17:20:56 darrenr Exp $
*/
#include "ipf.h"

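--- a/bcopywrap.c
+++ b/bcopywrap.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: bcopywrap.c,v 1.1.4.1 2006/06/16 17:20:56 darrenr Exp $
+*/
 #include "ipf.h"
 int bcopywrap(from, to, size)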


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: binprint.c,v 1.8 2002/05/14 15:18:56 darrenr Exp $
* $Id: binprint.c,v 1.8.4.1 2006/06/16 17:20:56 darrenr Exp $
*/
#include "ipf.h"


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: buildopts.c,v 1.6 2002/01/28 06:50:45 darrenr Exp $
* $Id: buildopts.c,v 1.6.4.1 2006/06/16 17:20:56 darrenr Exp $
*/
#include "ipf.h"


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2004 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: checkrev.c,v 1.12.2.1 2004/03/09 14:44:39 darrenr Exp $
* $Id: checkrev.c,v 1.12.2.2 2006/06/16 17:20:56 darrenr Exp $
*/
#include <sys/ioctl.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: count4bits.c,v 1.1 2002/06/15 04:46:39 darrenr Exp $
* $Id: count4bits.c,v 1.1.4.1 2006/06/16 17:20:57 darrenr Exp $
*/
#include "ipf.h"


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: count6bits.c,v 1.4 2001/06/09 17:09:23 darrenr Exp $
* $Id: count6bits.c,v 1.4.4.1 2006/06/16 17:20:57 darrenr Exp $
*/
#include "ipf.h"


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: debug.c,v 1.6 2001/06/09 17:09:24 darrenr Exp $
* $Id: debug.c,v 1.6.4.1 2006/06/16 17:20:57 darrenr Exp $
*/
#if defined(__STDC__)

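--- a/extras.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $FreeBSD$ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* $Id: extras.c,v 1.12 2002/07/13 12:06:49 darrenr Exp $
-*/
-#include "ipf.h"
-/*
-* deal with extra bits on end of the line
-*/
-int extras(cp, fr, linenum)
-char ***cp;
-struct frentry *fr;
-int linenum;
-{
-u_short secmsk;
-u_long opts;
-int notopt;
-opts = 0;
-secmsk = 0;
-notopt = 0;
-(*cp)++;
-if (!**cp)
-return -1;
-while (**cp) {
-if (!strcasecmp(**cp, "not") || !strcasecmp(**cp, "no")) {
-notopt = 1;
-(*cp)++;
-continue;
-} else if (!strncasecmp(**cp, "ipopt", 5)) {
-if (!notopt)
-fr->fr_flx |= FI_OPTIONS;
-fr->fr_mflx |= FI_OPTIONS;
-goto nextopt;
-} else if (!strcasecmp(**cp, "lowttl")) {
-if (!notopt)
-fr->fr_flx |= FI_LOWTTL;
-fr->fr_mflx |= FI_LOWTTL;
-goto nextopt;
-} else if (!strcasecmp(**cp, "bad-src")) {
-if (!notopt)
-fr->fr_flx |= FI_BADSRC;
-fr->fr_mflx |= FI_BADSRC;
-goto nextopt;
-} else if (!strncasecmp(**cp, "mbcast", 6)) {
-if (!notopt)
-fr->fr_flx |= FI_MBCAST;
-fr->fr_mflx |= FI_MBCAST;
-goto nextopt;
-} else if (!strncasecmp(**cp, "nat", 3)) {
-if (!notopt)
-fr->fr_flx |= FI_NATED;
-fr->fr_mflx |= FI_NATED;
-goto nextopt;
-} else if (!strncasecmp(**cp, "frag", 4)) {
-if (!notopt)
-fr->fr_flx |= FI_FRAG;
-fr->fr_mflx |= FI_FRAG;
-goto nextopt;
-} else if (!strncasecmp(**cp, "opt", 3)) {
-if (!*(*cp + 1)) {
-fprintf(stderr, "%d: opt missing arguements\n",
-linenum);
-return -1;
-}
-(*cp)++;
-if (!(opts = optname(cp, &secmsk, linenum)))
-return -1;
-if (notopt) {
-if (!secmsk) {
-fr->fr_optmask |= opts;
-} else {
-fr->fr_optmask |= (opts & ~0x0100);
-fr->fr_secmask |= secmsk;
-}
-fr->fr_secbits &= ~secmsk;
-fr->fr_optbits &= ~opts;
-} else {
-fr->fr_optmask |= opts;
-fr->fr_secmask |= secmsk;
-fr->fr_optbits |= opts;
-fr->fr_secbits |= secmsk;
-}
-} else if (!strncasecmp(**cp, "short", 5)) {
-if (fr->fr_tcpf) {
-fprintf(stderr,
-"%d: short cannot be used with TCP flags\n",
-linenum);
-return -1;
-}
-if (!notopt)
-fr->fr_flx |= FI_SHORT;
-fr->fr_mflx |= FI_SHORT;
-goto nextopt;
-} else
-return -1;
-nextopt:
-notopt = 0;
-opts = 0;
-secmsk = 0;
-(*cp)++;
-}
-return 0;
-}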


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2006 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $
* $Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $
*/
#include <stdio.h>
@ -22,7 +22,7 @@
#include "facpri.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $";
#endif


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1999-2001 by Darren Reed.
* Copyright (C) 2000-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: facpri.h,v 1.3 2001/06/09 17:19:50 darrenr Exp $
* $Id: facpri.h,v 1.3.4.1 2006/06/16 17:20:58 darrenr Exp $
*/
#ifndef __FACPRI_H__


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: fill6bits.c,v 1.5 2002/03/27 15:09:57 darrenr Exp $
* $Id: fill6bits.c,v 1.5.4.1 2006/06/16 17:20:58 darrenr Exp $
*/
#include "ipf.h"


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2001-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: flags.c,v 1.4 2002/11/02 07:16:36 darrenr Exp $
* $Id: flags.c,v 1.4.4.1 2006/06/16 17:20:58 darrenr Exp $
*/
#include "ipf.h"

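--- a/genmask.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $FreeBSD$ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* $Id: genmask.c,v 1.7 2003/11/11 13:40:15 darrenr Exp $
-*/
-#include "ipf.h"
-int genmask(msk, mskp)
-char *msk;
-u_32_t *mskp;
-{
-char *endptr = 0L;
-int bits;
-if (strchr(msk, '.') || strchr(msk, 'x') || strchr(msk, ':')) {
-/* possibly of the form xxx.xxx.xxx.xxx
-* or 0xYYYYYYYY */
-#ifdef USE_INET6
-if (use_inet6) {
-if (inet_pton(AF_INET6, msk, mskp) != 1)
-return -1;
-} else
-#endif
-if (inet_aton(msk, (struct in_addr *)mskp) == 0)
-return -1;
-} else {
-/*
-* set x most significant bits
-*/
-bits = (int)strtol(msk, &endptr, 0);
-#ifdef USE_INET6
-if ((*endptr != '\0') ||
-((bits > 32) && !use_inet6) || (bits < 0) ||
-((bits > 128) && use_inet6))
-#else
-if (*endptr != '\0' || bits > 32 || bits < 0)
-#endif
-return -1;
-#ifdef USE_INET6
-if (use_inet6)
-fill6bits(bits, mskp);
-else
-#endif
-if (bits == 0)
-*mskp = 0;
-else
-*mskp = htonl(0xffffffff << (32 - bits));
-}
-return 0;
-}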

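--- a/gethost.c
+++ b/gethost.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002-2004 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: gethost.c,v 1.3.2.2 2006/06/16 17:20:59 darrenr Exp $
+*/
 #include "ipf.h"
 int gethost(name, hostp)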

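--- a/getifname.c
+++ b/getifname.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002-2004 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: getifname.c,v 1.5.2.3 2006/07/14 06:12:24 darrenr Exp $
+*/
 #include "ipf.h"
 #include "kmem.h"
@@ -8,6 +16,7 @@
 * Given a pointer to an interface in the kernel, return a pointer to a
 * string which is the interface name.
 */
+#if 0
 char *getifname(ptr)
 struct ifnet *ptr;
 {
@@ -74,3 +83,10 @@ struct ifnet *ptr;
 # endif
 #endif
 }
+#else
+char *getifname(ptr)
+struct ifnet *ptr;
+{
+return "X";
+}
+#endif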
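Review bot: The real `getifname()` is wrapped in `#if 0` and replaced by a stub that returns the literal `"X"` for every kernel `ifnet` pointer, so whichever callers print interface names from kernel memory (presumably the kmem-reading paths of ipfstat/ipnat) will now show `X` instead of the name, while the header comment above still promises "a pointer to a string which is the interface name". If this is a deliberate stop-gap, which it looks like, say so where the reader will see it, e.g. `/* XXX stub: kernel ifnet lookup disabled in this import; always returns "X" */`, and drop the dead code rather than leaving it under `#if 0`. The unused parameter also deserves a `(void)ptr;` or equivalent so the file stays clean under `-Wall`. The original function body under `#if 0` starts before the last hunk.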

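--- a/getline.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* $FreeBSD$ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* $Id: getline.c,v 1.3 2001/06/09 17:09:24 darrenr Exp $
-*/
-#include <stdio.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <string.h>
-#include "ipf.h"
-/*
-* Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
-* Returns NULL if error occured, EOF encounterd or input line is too long.
-*/
-char *getline(str, size, file, linenum)
-register char *str;
-size_t size;
-FILE *file;
-int *linenum;
-{
-char *p;
-int s, len;
-do {
-for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
-/*
-* if an error occured, EOF was encounterd, or there
-* was no room to put NUL, return NULL.
-*/
-if (fgets(p, s, file) == NULL)
-return (NULL);
-len = strlen(p);
-if (p[len - 1] != '\n') {
-p[len] = '\0';
-break;
-}
-(*linenum)++;
-p[len - 1] = '\0';
-if (len < 2 || p[len - 2] != '\\')
-break;
-else
-/*
-* Convert '\\' to a space so words don't
-* run together
-*/
-p[len - 2] = ' ';
-}
-} while (*str == '\0');
-return (str);
-}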


@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2002-2004 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@ -11,26 +11,34 @@
#include "kmem.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3 2004/01/17 17:26:07 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3.2.2 2006/07/14 06:12:24 darrenr Exp $";
#endif
/*
* Get a nat filter type given its kernel address.
*/
char *getnattype(ipnat)
ipnat_t *ipnat;
char *getnattype(nat, alive)
nat_t *nat;
int alive;
{
static char unknownbuf[20];
ipnat_t ipnatbuff;
ipnat_t *ipn, ipnat;
char *which;
int type;
if (!ipnat)
if (!nat)
return "???";
if (kmemcpy((char *)&ipnatbuff, (long)ipnat, sizeof(ipnatbuff)))
return "!!!";
if (alive) {
type = nat->nat_redir;
} else {
ipn = nat->nat_ptr;
if (kmemcpy((char *)&ipnat, (long)ipn, sizeof(ipnat)))
return "!!!";
type = ipnat.in_redir;
}
switch (ipnatbuff.in_redir)
switch (type)
{
case NAT_MAP :
which = "MAP";
@ -45,8 +53,7 @@ ipnat_t *ipnat;
which = "BIMAP";
break;
default :
sprintf(unknownbuf, "unknown(%04x)",
ipnatbuff.in_redir & 0xffffffff);
sprintf(unknownbuf, "unknown(%04x)", type & 0xffffffff);
which = unknownbuf;
break;
}
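Review bot: `sprintf(unknownbuf, "unknown(%04x)", type & 0xffffffff);` formats into a fixed 20-byte static buffer; the worst case (8 hex digits) fits with room to spare, but `snprintf(unknownbuf, sizeof(unknownbuf), "unknown(%04x)", (unsigned int)type)` removes the need to do that arithmetic by hand, and the `& 0xffffffff` mask is a no-op on an `int` in any case. The two branches treat `nat` differently — with `alive` set it dereferences `nat->nat_redir` directly, otherwise it copies `nat->nat_ptr` out of kernel memory — so a one-line comment on the parameter, e.g. `/* alive: nat is presumably a userland copy; nat_ptr is still a kernel address */`, would make the contract visible to callers. The static buffer also makes the function non-reentrant, which is fine for these single-threaded tools but worth stating next to its declaration.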

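--- a/getport.c
+++ b/getport.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002-2005 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: getport.c,v 1.1.4.6 2006/06/16 17:21:00 darrenr Exp $
+*/
 #include "ipf.h"
 int getport(fr, name, port)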

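--- a/getportproto.c
+++ b/getportproto.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002-2005 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: getportproto.c,v 1.2.4.4 2006/06/16 17:21:00 darrenr Exp $
+*/
 #include <ctype.h>
 #include "ipf.h"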

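--- a/getproto.c
+++ b/getproto.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002-2005 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: getproto.c,v 1.2.2.3 2006/06/16 17:21:00 darrenr Exp $
+*/
 #include "ipf.h"
 int getproto(name)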

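--- a/getsumd.c
+++ b/getsumd.c
@@ -1,5 +1,13 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: getsumd.c,v 1.2.4.1 2006/06/16 17:21:01 darrenr Exp $
+*/
 #include "ipf.h"
 char *getsumd(sum)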

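--- a/hexdump.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/* $FreeBSD$ */
-#include <ctype.h>
-#include "ipf.h"
-void hexdump(out, addr, len, ascii)
-FILE *out;
-void *addr;
-int len, ascii;
-{
-FILE *fpout;
-u_char *s, *t;
-int i;
-fpout = out ? out : stdout;
-for (i = 0, s = addr; i < len; i++, s++) {
-fprintf(fpout, "%02x", *s);
-if (i % 16 == 15) {
-if (ascii != 0) {
-fputc('\t', fpout);
-for (t = s - 15; t<= s; t++)
-fputc(ISPRINT(*t) ? *t : '.', fpout);
-}
-fputc('\n', fpout);
-} else if (i % 4 == 3) {
-fputc(' ', fpout);
-}
-}
-}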

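--- a/hostmask.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/* $FreeBSD$ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* $Id: hostmask.c,v 1.10 2002/01/28 06:50:46 darrenr Exp $
-*/
-#include "ipf.h"
-/*
-* returns -1 if neither "hostmask/num" or "hostmask mask addr" are
-* found in the line segments, there is an error processing this information,
-* or there is an error processing ports information.
-*/
-int hostmask(seg, proto, ifname, sa, msk, linenum)
-char ***seg, *proto, *ifname;
-u_32_t *sa, *msk;
-int linenum;
-{
-struct in_addr maskaddr;
-char *s;
-if ((s = strchr(**seg, '='))) {
-*s++ = '\0';
-if (!strcmp(**seg, "pool")) {
-*sa = atoi(s);
-return 1;
-}
-}
-/*
-* is it possibly hostname/num ?
-*/
-if ((s = strchr(**seg, '/')) ||
-((s = strchr(**seg, ':')) && !strchr(s + 1, ':'))) {
-*s++ ='\0';
-if (genmask(s, msk) == -1) {
-fprintf(stderr, "%d: bad mask (%s)\n", linenum, s);
-return -1;
-}
-if (hostnum(sa, **seg, linenum, ifname) == -1) {
-fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
-return -1;
-}
-*sa &= *msk;
-(*seg)++;
-return 0;
-}
-/*
-* look for extra segments if "mask" found in right spot
-*/
-if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
-if (hostnum(sa, **seg, linenum, ifname) == -1) {
-fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
-return -1;
-}
-(*seg)++;
-(*seg)++;
-if (inet_aton(**seg, &maskaddr) == 0) {
-fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
-return -1;
-}
-*msk = maskaddr.s_addr;
-(*seg)++;
-*sa &= *msk;
-return 0;
-}
-if (**seg) {
-u_32_t k;
-if (hostnum(sa, **seg, linenum, ifname) == -1) {
-fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
-return -1;
-}
-(*seg)++;
-k = *sa ? 0xffffffff : 0;
-#ifdef USE_INET6
-if (use_inet6) {
-msk[1] = k;
-msk[2] = k;
-msk[3] = k;
-}
-#endif
-*msk = k;
-return 0;
-}
-fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
-return -1;
-}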

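--- a/hostname.c
+++ b/hostname.c
@@ -1,5 +1,12 @@
 /* $FreeBSD$ */
+/*
+* Copyright (C) 2002-2003 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* $Id: hostname.c,v 1.6.2.2 2007/01/16 02:25:22 darrenr Exp $
+*/
 #include "ipf.h"
@@ -12,6 +19,8 @@ void *ip;
 struct in_addr ipa;
 struct netent *np;
+memset(&ipa, 0, sizeof(ipa)); /* XXX gcc */
 if (v == 4) {
 ipa.s_addr = *(u_32_t *)ip;
 if (ipa.s_addr == htonl(0xfedcba98))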

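--- a/hostnum.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $FreeBSD$ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* $Id: hostnum.c,v 1.10.2.1 2004/12/09 19:41:20 darrenr Exp $
-*/
-#include <ctype.h>
-#include "ipf.h"
-/*
-* returns an ip address as a long var as a result of either a DNS lookup or
-* straight inet_addr() call
-*/
-int hostnum(ipa, host, linenum, ifname)
-u_32_t *ipa;
-char *host;
-int linenum;
-char *ifname;
-{
-struct in_addr ip;
-if (!strcasecmp("any", host) ||
-(ifname && *ifname && !strcasecmp(ifname, host)))
-return 0;
-#ifdef USE_INET6
-if (use_inet6) {
-if (inet_pton(AF_INET6, host, ipa) == 1)
-return 0;
-else
-return -1;
-}
-#endif
-if (ISDIGIT(*host) && inet_aton(host, &ip)) {
-*ipa = ip.s_addr;
-return 0;
-}
-if (!strcasecmp("<thishost>", host))
-host = thishost;
-return gethost(host, ipa);
-}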


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2006 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $
* $Id: icmpcode.c,v 1.7.2.5 2006/06/16 17:21:02 darrenr Exp $
*/
#include <ctype.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: initparse.c,v 1.6 2002/01/28 06:50:46 darrenr Exp $
* $Id: initparse.c,v 1.6.4.1 2006/06/16 17:21:02 darrenr Exp $
*/
#include "ipf.h"


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ionames.c,v 1.7 2002/01/28 06:50:46 darrenr Exp $
* $Id: ionames.c,v 1.7.4.1 2006/06/16 17:21:02 darrenr Exp $
*/
#include "ipf.h"


@ -1,5 +1,13 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2003-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipf_dotuning.c,v 1.2.4.3 2006/06/16 17:21:02 darrenr Exp $
*/
#include "ipf.h"
#include "netinet/ipl.h"
#include <sys/ioctl.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2006 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_ef.c,v 1.14 2004/01/08 13:34:31 darrenr Exp $
* $Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $
*/
/*
@ -33,7 +33,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14 2004/01/08 13:34:31 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $";
#endif
static int etherf_open __P((char *));
@ -98,13 +98,18 @@ int cnt, *dir;
switch (ip->ip_p) {
case IPPROTO_TCP :
if (isdigit(*sprt))
pkt.ti_sport = htons(atoi(sprt) & 65535);
if (isdigit(*dprt))
pkt.ti_dport = htons(atoi(dprt) & 65535);
extra = sizeof(struct tcphdr);
break;
case IPPROTO_UDP :
s = strtok(NULL, " :");
ip->ip_len += atoi(s);
if (ip->ip_p == IPPROTO_TCP)
extra = sizeof(struct tcphdr);
else if (ip->ip_p == IPPROTO_UDP)
extra = sizeof(struct udphdr);
if (isdigit(*sprt))
pkt.ti_sport = htons(atoi(sprt) & 65535);
if (isdigit(*dprt))
pkt.ti_dport = htons(atoi(dprt) & 65535);
extra = sizeof(struct udphdr);
break;
#ifdef IGMP
case IPPROTO_IGMP :
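Review bot: The merged TCP/UDP case (apparently the new side of this hunk) calls `s = strtok(NULL, " :");` and passes the result straight to `atoi(s)`, so an input line whose protocol field is the last token makes strtok return NULL and atoi dereference it. The ipft_td.c section of this same commit guards the identical sequence with `if (s == NULL) return 0;`; the same two lines belong here before `ip->ip_len += atoi(s);`. Note also that atoi's result is added unchecked to the 16-bit ip_len, so a negative or oversized length field in the text is silently truncated. The enclosing switch and function extend beyond the hunk on both sides.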


@ -1,13 +1,13 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
* Copyright (C) 2000-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.3 2005/12/04 10:07:21 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.4 2006/06/16 17:21:03 darrenr Exp $";
#endif
#include <ctype.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_pc.c,v 1.10.2.1 2005/12/04 09:55:10 darrenr Exp $
* $Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $
*/
#include "ipf.h"
#include "pcap-ipf.h"
@ -13,7 +13,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10.2.1 2005/12/04 09:55:10 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $";
#endif
struct llc {


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_sn.c,v 1.7 2003/02/16 02:32:36 darrenr Exp $
* $Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $
*/
/*
@ -16,7 +16,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.7 2003/02/16 02:32:36 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $";
#endif
struct llc {


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2006 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_td.c,v 1.15 2004/01/08 13:34:31 darrenr Exp $
* $Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $
*/
/*
@ -42,7 +42,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15 2004/01/08 13:34:31 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $";
#endif
static int tcpd_open __P((char *));
@ -144,6 +144,8 @@ int cnt, *dir;
IP_HL_A(ip, sizeof(ip_t));
s = strtok(misc, " :");
if (s == NULL)
return 0;
ip->ip_p = getproto(s);
switch (ip->ip_p)
@ -151,6 +153,8 @@ int cnt, *dir;
case IPPROTO_TCP :
case IPPROTO_UDP :
s = strtok(NULL, " :");
if (s == NULL)
return 0;
ip->ip_len += atoi(s);
if (ip->ip_p == IPPROTO_TCP)
extra = sizeof(struct tcphdr);


@ -1,15 +1,15 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
* Copyright (C) 2000-2006 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $
* $Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $";
#endif
#include <ctype.h>
@ -129,6 +129,7 @@ int cnt, *dir;
{
register char *s;
char line[513];
ip_t *ip;
*ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) {
@ -144,12 +145,10 @@ int cnt, *dir;
printf("input: %s\n", line);
*ifn = NULL;
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir))
#if 0
return sizeof(ip_t) + sizeof(tcphdr_t);
#else
return sizeof(ip_t);
#endif
if (!parseline(line, (ip_t *)buf, ifn, dir)) {
ip = (ip_t *)buf;
return ntohs(ip->ip_len);
}
}
if (feof(tfp))
return 0;
@ -260,19 +259,30 @@ int *out;
}
ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
cpp++;
if (*cpp && ip->ip_p == IPPROTO_TCP) {
char *s, *t;
if (ip->ip_p == IPPROTO_TCP) {
if (*cpp != NULL) {
char *s, *t;
tcp->th_flags = 0;
for (s = *cpp; *s; s++)
if ((t = strchr(myflagset, *s)))
tcp->th_flags |= myflags[t-myflagset];
if (tcp->th_flags)
cpp++;
}
tcp->th_flags = 0;
for (s = *cpp; *s; s++)
if ((t = strchr(myflagset, *s)))
tcp->th_flags |= myflags[t - myflagset];
if (tcp->th_flags)
cpp++;
if (tcp->th_flags == 0)
abort();
if (tcp->th_flags & TH_URG)
tcp->th_urp = htons(1);
if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
tcp->th_seq = htonl(atoi(*cpp + 4));
cpp++;
}
if (*cpp && !strncasecmp(*cpp, "ack=", 4)) {
tcp->th_ack = htonl(atoi(*cpp + 4));
cpp++;
}
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
extern char *tx_icmptypes[];
char **s, *t;
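Review bot: `if (tcp->th_flags == 0) abort();` turns a malformed flags field in a test-input line into SIGABRT and a core dump instead of a parse error; the caller in the earlier hunk treats a non-zero parseline result as failure (`if (!parseline(line, (ip_t *)buf, ifn, dir))`), so an `fprintf(stderr, ...)` naming the line followed by a non-zero return would be the consistent handling (parseline's exact failure value is outside the hunk, confirm it). Separately, `htonl(atoi(*cpp + 4))` for seq= and ack= pushes a 32-bit unsigned sequence number through int, so values at or above 2^31 are out of atoi's defined range; `htonl(strtoul(*cpp + 4, NULL, 10))` keeps the full range. parseline starts and ends outside the hunk.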


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2001-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ipoptsec.c,v 1.2 2002/01/28 06:50:46 darrenr Exp $
* $Id: ipoptsec.c,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $
*/
#include "ipf.h"


@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2000-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@ -44,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.2 2005/06/12 07:18:41 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.3 2006/06/16 17:21:04 darrenr Exp $";
#endif


@ -1,10 +1,10 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: kmem.h,v 1.2 2002/08/21 22:57:36 darrenr Exp $
* $Id: kmem.h,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $
*/
#ifndef __KMEM_H__


@ -1,5 +1,13 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: kmemcpywrap.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $
*/
#include "ipf.h"
#include "kmem.h"


@ -1,5 +1,13 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: kvatoname.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $
*/
#include "ipf.h"
#include <fcntl.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
* Copyright (C) 2002-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: load_hash.c,v 1.11.2.3 2005/11/13 15:41:12 darrenr Exp $
* $Id: load_hash.c,v 1.11.2.5 2006/07/14 06:12:25 darrenr Exp $
*/
#include <fcntl.h>
@ -62,6 +62,7 @@ ioctlfunc_t iocfunc;
iph.iph_size = size;
iph.iph_seed = iphp->iph_seed;
iph.iph_table = NULL;
iph.iph_list = NULL;
iph.iph_ref = 0;
if ((opts & OPT_REMOVE) == 0) {
@ -85,9 +86,10 @@ ioctlfunc_t iocfunc;
perror("calloc(size, sizeof(*iph.iph_table))");
return -1;
}
iph.iph_table[0] = list;
iph.iph_list = list;
printhash(&iph, bcopywrap, iph.iph_name, opts);
free(iph.iph_table);
iph.iph_list = NULL;
for (a = list; a != NULL; a = a->ipe_next) {
a->ipe_addr.in4_addr = htonl(a->ipe_addr.in4_addr);
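Review bot: After `free(iph.iph_table);` the pointer is left dangling in iph while the sibling field is explicitly cleared with `iph.iph_list = NULL;`; if iph is handed on after the hunk (its remaining use is not visible), `iph.iph_table = NULL;` should sit next to that line so a later consumer cannot read freed memory. It is also unclear why iph_table is still calloc'd at all now that the entries are attached through iph_list; if printhash only needs iph_list, the allocation and free around it are dead work, and a one-line comment stating why iph_table is still required would settle it. The function starts and ends outside the hunk.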


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
* Copyright (C) 2003-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: load_hashnode.c,v 1.2.4.1 2004/03/06 14:33:28 darrenr Exp $
* $Id: load_hashnode.c,v 1.2.4.2 2006/06/16 17:21:05 darrenr Exp $
*/
#include <fcntl.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
* Copyright (C) 2002-2005 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: load_pool.c,v 1.14.2.3 2005/11/13 15:41:13 darrenr Exp $
* $Id: load_pool.c,v 1.14.2.4 2006/06/16 17:21:06 darrenr Exp $
*/
#include <fcntl.h>


@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
* Copyright (C) 2003-2004 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: load_poolnode.c,v 1.3.2.1 2004/03/06 14:33:29 darrenr Exp $
* $Id: load_poolnode.c,v 1.3.2.3 2006/06/16 17:21:06 darrenr Exp $
*/
#include <fcntl.h>
@ -54,7 +54,7 @@ ioctlfunc_t iocfunc;
if (err != 0) {
if ((opts & OPT_DONOTHING) == 0) {
perror("load_pool:SIOCLOOKUP*NODE");
perror("load_poolnode:SIOCLOOKUP*NODE");
return -1;
}
}


@ -1,55 +0,0 @@
/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: loglevel.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $
*/
#include "ipf.h"
int loglevel(cpp, facpri, linenum)
char **cpp;
u_int *facpri;
int linenum;
{
int fac, pri;
char *s;
fac = 0;
pri = 0;
if (!*++cpp) {
fprintf(stderr, "%d: %s\n", linenum,
"missing identifier after level");
return -1;
}
s = strchr(*cpp, '.');
if (s) {
*s++ = '\0';
fac = fac_findname(*cpp);
if (fac == -1) {
fprintf(stderr, "%d: %s %s\n", linenum,
"Unknown facility", *cpp);
return -1;
}
pri = pri_findname(s);
if (pri == -1) {
fprintf(stderr, "%d: %s %s\n", linenum,
"Unknown priority", s);
return -1;
}
} else {
pri = pri_findname(*cpp);
if (pri == -1) {
fprintf(stderr, "%d: %s %s\n", linenum,
"Unknown priority", *cpp);
return -1;
}
}
*facpri = fac|pri;
return 0;
}
