From b6b47f0bf017ea9acdb6e5e144ba9d79c7379034 Mon Sep 17 00:00:00 2001 
From: darrenr Date: Sun, 18 Nov 2007 11:03:29 +0000 Subject: [PATCH] MFC IPFilter update from 4.1.13 to 4.1.28, including additional fixes applied post 4.1.28 for FreeBSD. See src/contrib/ipfilter/HISTORY for more details of the bugs fixed, etc. --- contrib/ipfilter/BSD/Makefile | 26 +- contrib/ipfilter/BSD/kupgrade | 14 +- contrib/ipfilter/BugReport | 20 +- contrib/ipfilter/FreeBSD-2.2/files.diffs | 24 - .../ipfilter/FreeBSD-2.2/files.newconf.diffs | 24 - contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs | 16 - contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs | 32 - .../ipfilter/FreeBSD-2.2/ip_output.c.diffs | 67 - contrib/ipfilter/FreeBSD-2.2/kinstall | 67 - contrib/ipfilter/FreeBSD-2.2/minstall | 38 - contrib/ipfilter/FreeBSD-2.2/unkinstall | 57 - contrib/ipfilter/FreeBSD-2.2/unminstall | 36 - contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 | 26 - contrib/ipfilter/FreeBSD-3/kinstall | 52 - contrib/ipfilter/FreeBSD-3/unkinstall | 45 - contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 | 63 - contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 | 65 - contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 | 65 - contrib/ipfilter/FreeBSD-4.0/kinstall | 63 - contrib/ipfilter/FreeBSD-4.0/unkinstall | 49 - contrib/ipfilter/FreeBSD/conf.c.diffs | 46 - contrib/ipfilter/FreeBSD/files.diffs | 23 - contrib/ipfilter/FreeBSD/files.newconf.diffs | 23 - contrib/ipfilter/FreeBSD/files.oldconf.diffs | 23 - contrib/ipfilter/FreeBSD/filez.diffs | 23 - contrib/ipfilter/FreeBSD/in_proto.c.diffs | 16 - contrib/ipfilter/FreeBSD/ip_input.c.diffs | 88 - contrib/ipfilter/FreeBSD/ip_output.c.diffs | 36 - contrib/ipfilter/FreeBSD/kinstall | 72 - contrib/ipfilter/FreeBSD/minstall | 51 - contrib/ipfilter/FreeBSD/unkinstall | 58 - contrib/ipfilter/FreeBSD/unminstall | 49 - contrib/ipfilter/HISTORY | 261 +++ contrib/ipfilter/INST.FreeBSD-2.2 | 62 - contrib/ipfilter/INSTALL.FreeBSD | 56 - contrib/ipfilter/INSTALL.xBSD | 45 - contrib/ipfilter/IPF.KANJI | 465 ------ contrib/ipfilter/Makefile | 30 +- contrib/ipfilter/bpf_filter.c | 5 +- 
contrib/ipfilter/ip_fil.c | 247 +-- contrib/ipfilter/ipf.h | 35 +- contrib/ipfilter/iplang/Makefile | 9 +- contrib/ipfilter/iplang/iplang_y.y | 13 +- contrib/ipfilter/ipsend/44arp.c | 4 +- contrib/ipfilter/ipsend/arp.c | 9 +- contrib/ipfilter/ipsend/ip.c | 5 +- contrib/ipfilter/ipsend/iptests.c | 11 +- contrib/ipfilter/ipsend/resend.c | 5 +- contrib/ipfilter/ipsend/sdlpi.c | 3 +- contrib/ipfilter/ipsend/sock.c | 16 +- contrib/ipfilter/l4check/Makefile | 2 +- contrib/ipfilter/l4check/l4check.c | 43 +- contrib/ipfilter/lib/Makefile | 74 +- contrib/ipfilter/lib/addicmp.c | 4 +- contrib/ipfilter/lib/addipopt.c | 4 +- contrib/ipfilter/lib/bcopywrap.c | 8 + contrib/ipfilter/lib/binprint.c | 4 +- contrib/ipfilter/lib/buildopts.c | 4 +- contrib/ipfilter/lib/checkrev.c | 4 +- contrib/ipfilter/lib/count4bits.c | 4 +- contrib/ipfilter/lib/count6bits.c | 4 +- contrib/ipfilter/lib/debug.c | 4 +- contrib/ipfilter/lib/extras.c | 114 -- contrib/ipfilter/lib/facpri.c | 6 +- contrib/ipfilter/lib/facpri.h | 4 +- contrib/ipfilter/lib/fill6bits.c | 4 +- contrib/ipfilter/lib/flags.c | 4 +- contrib/ipfilter/lib/genmask.c | 56 - contrib/ipfilter/lib/gethost.c | 8 + contrib/ipfilter/lib/getifname.c | 16 + contrib/ipfilter/lib/getline.c | 58 - contrib/ipfilter/lib/getnattype.c | 29 +- contrib/ipfilter/lib/getport.c | 8 + contrib/ipfilter/lib/getportproto.c | 8 + contrib/ipfilter/lib/getproto.c | 8 + contrib/ipfilter/lib/getsumd.c | 8 + contrib/ipfilter/lib/hexdump.c | 30 - contrib/ipfilter/lib/hostmask.c | 95 -- contrib/ipfilter/lib/hostname.c | 9 + contrib/ipfilter/lib/hostnum.c | 49 - contrib/ipfilter/lib/icmpcode.c | 4 +- contrib/ipfilter/lib/initparse.c | 4 +- contrib/ipfilter/lib/ionames.c | 4 +- contrib/ipfilter/lib/ipf_dotuning.c | 8 + contrib/ipfilter/lib/ipft_ef.c | 23 +- contrib/ipfilter/lib/ipft_hx.c | 4 +- contrib/ipfilter/lib/ipft_pc.c | 6 +- contrib/ipfilter/lib/ipft_sn.c | 6 +- contrib/ipfilter/lib/ipft_td.c | 10 +- contrib/ipfilter/lib/ipft_tx.c | 48 +- 
contrib/ipfilter/lib/ipoptsec.c | 4 +- contrib/ipfilter/lib/kmem.c | 4 +- contrib/ipfilter/lib/kmem.h | 4 +- contrib/ipfilter/lib/kmemcpywrap.c | 8 + contrib/ipfilter/lib/kvatoname.c | 8 + contrib/ipfilter/lib/load_hash.c | 8 +- contrib/ipfilter/lib/load_hashnode.c | 4 +- contrib/ipfilter/lib/load_pool.c | 4 +- contrib/ipfilter/lib/load_poolnode.c | 6 +- contrib/ipfilter/lib/loglevel.c | 55 - contrib/ipfilter/lib/mutex_emul.c | 8 + contrib/ipfilter/lib/nametokva.c | 8 + contrib/ipfilter/lib/nat_setgroupmap.c | 4 +- contrib/ipfilter/lib/natparse.c | 730 -------- contrib/ipfilter/lib/ntomask.c | 8 + contrib/ipfilter/lib/optname.c | 4 +- contrib/ipfilter/lib/optprint.c | 4 +- contrib/ipfilter/lib/optprintv6.c | 4 +- contrib/ipfilter/lib/optvalue.c | 4 +- contrib/ipfilter/lib/parse.c | 754 --------- contrib/ipfilter/lib/portname.c | 4 +- contrib/ipfilter/lib/portnum.c | 64 - contrib/ipfilter/lib/ports.c | 81 - contrib/ipfilter/lib/print_toif.c | 4 +- contrib/ipfilter/lib/printactivenat.c | 16 +- contrib/ipfilter/lib/printaps.c | 4 +- contrib/ipfilter/lib/printbuf.c | 4 +- contrib/ipfilter/lib/printfr.c | 9 +- contrib/ipfilter/lib/printfraginfo.c | 13 +- contrib/ipfilter/lib/printhash.c | 102 +- contrib/ipfilter/lib/printhashnode.c | 3 +- contrib/ipfilter/lib/printhostmap.c | 12 +- contrib/ipfilter/lib/printhostmask.c | 4 +- contrib/ipfilter/lib/printifname.c | 4 +- contrib/ipfilter/lib/printip.c | 4 +- contrib/ipfilter/lib/printlog.c | 4 +- contrib/ipfilter/lib/printmask.c | 4 +- contrib/ipfilter/lib/printnat.c | 25 +- contrib/ipfilter/lib/printpacket.c | 7 +- contrib/ipfilter/lib/printpacket6.c | 8 + contrib/ipfilter/lib/printpool.c | 56 +- contrib/ipfilter/lib/printpoolnode.c | 8 +- contrib/ipfilter/lib/printportcmp.c | 4 +- contrib/ipfilter/lib/printproto.c | 4 +- contrib/ipfilter/lib/printsbuf.c | 8 + contrib/ipfilter/lib/printstate.c | 158 +- contrib/ipfilter/lib/printtunable.c | 8 + contrib/ipfilter/lib/ratoi.c | 26 - contrib/ipfilter/lib/ratoui.c | 26 - 
contrib/ipfilter/lib/remove_hash.c | 4 +- contrib/ipfilter/lib/remove_hashnode.c | 4 +- contrib/ipfilter/lib/remove_pool.c | 4 +- contrib/ipfilter/lib/remove_poolnode.c | 4 +- contrib/ipfilter/lib/resetlexer.c | 8 + contrib/ipfilter/lib/rwlock_emul.c | 8 + contrib/ipfilter/lib/tcp_flags.c | 4 +- contrib/ipfilter/lib/tcpflags.c | 4 +- contrib/ipfilter/lib/tcpoptnames.c | 22 - contrib/ipfilter/lib/to_interface.c | 31 - contrib/ipfilter/lib/v6ionames.c | 4 +- contrib/ipfilter/lib/v6optvalue.c | 4 +- contrib/ipfilter/lib/var.c | 8 + contrib/ipfilter/lib/verbose.c | 4 +- contrib/ipfilter/man/ipf.8 | 12 + contrib/ipfilter/man/ipfstat.8 | 6 +- contrib/ipfilter/man/ipmon.8 | 1 + contrib/ipfilter/man/ippool.5 | 2 +- contrib/ipfilter/md5.h | 2 +- contrib/ipfilter/mlf_ipl.c | 469 ------ contrib/ipfilter/radix.c | 6 + contrib/ipfilter/radix_ipf.h | 4 +- contrib/ipfilter/test/Makefile | 40 +- contrib/ipfilter/test/dotest | 8 +- contrib/ipfilter/test/expected/f11 | 124 ++ contrib/ipfilter/test/expected/f12 | 54 +- contrib/ipfilter/test/expected/f13 | 64 +- contrib/ipfilter/test/expected/i11 | 18 +- contrib/ipfilter/test/expected/i12 | 4 +- contrib/ipfilter/test/expected/i4 | 2 +- contrib/ipfilter/test/expected/i9 | 2 +- contrib/ipfilter/test/expected/in1 | 1 + contrib/ipfilter/test/expected/in6 | 1 + contrib/ipfilter/test/expected/ipv6.1 | 1 + contrib/ipfilter/test/expected/n10 | 3 + contrib/ipfilter/test/expected/n12 | 3 + contrib/ipfilter/test/expected/n4 | 8 +- contrib/ipfilter/test/expected/n6 | 6 +- contrib/ipfilter/test/expected/n8 | 4 + contrib/ipfilter/test/expected/n9 | 4 + contrib/ipfilter/test/expected/ni1 | 15 + contrib/ipfilter/test/expected/ni10 | 4 + contrib/ipfilter/test/expected/ni11 | 4 + contrib/ipfilter/test/expected/ni12 | 4 + contrib/ipfilter/test/expected/ni13 | 35 +- contrib/ipfilter/test/expected/ni14 | 47 +- contrib/ipfilter/test/expected/ni15 | 31 + contrib/ipfilter/test/expected/ni16 | 35 +- contrib/ipfilter/test/expected/ni2 | 11 +- 
contrib/ipfilter/test/expected/ni3 | 3 + contrib/ipfilter/test/expected/ni4 | 3 + contrib/ipfilter/test/expected/ni5 | 90 +- contrib/ipfilter/test/expected/ni6 | 8 + contrib/ipfilter/test/expected/ni7 | 2 + contrib/ipfilter/test/expected/ni8 | 4 + contrib/ipfilter/test/expected/ni9 | 4 + contrib/ipfilter/test/expected/p2 | 4 +- contrib/ipfilter/test/input/f11 | 22 +- contrib/ipfilter/test/input/f13 | 3 +- contrib/ipfilter/test/input/ipv6.1 | 12 + contrib/ipfilter/test/input/l1 | 16 +- contrib/ipfilter/test/input/ni1 | 36 + contrib/ipfilter/test/input/ni13 | 4 +- contrib/ipfilter/test/input/ni14 | 16 +- contrib/ipfilter/test/input/ni16 | 4 +- contrib/ipfilter/test/input/ni2 | 6 +- contrib/ipfilter/test/input/ni3 | 2 +- contrib/ipfilter/test/input/ni4 | 2 +- contrib/ipfilter/test/input/ni5 | 195 ++- contrib/ipfilter/test/natipftest | 54 +- contrib/ipfilter/test/nattest | 9 +- contrib/ipfilter/test/regress/i3 | 6 +- contrib/ipfilter/test/regress/in1 | 1 + contrib/ipfilter/test/regress/in6 | 1 + contrib/ipfilter/test/regress/ni1.nat | 4 +- contrib/ipfilter/test/test.format | 10 +- contrib/ipfilter/test/vfycksum.pl | 32 +- contrib/ipfilter/tools/Makefile | 6 +- contrib/ipfilter/tools/ipf.c | 12 +- contrib/ipfilter/tools/ipf_y.y | 72 +- contrib/ipfilter/tools/ipfcomp.c | 27 +- contrib/ipfilter/tools/ipfs.c | 20 +- contrib/ipfilter/tools/ipfstat.c | 527 ++++-- contrib/ipfilter/tools/ipftest.c | 28 +- contrib/ipfilter/tools/ipmon.c | 76 +- contrib/ipfilter/tools/ipmon_y.y | 6 + contrib/ipfilter/tools/ipnat.c | 308 +++- contrib/ipfilter/tools/ipnat_y.y | 13 +- contrib/ipfilter/tools/ippool.c | 514 ++++-- contrib/ipfilter/tools/ippool_y.y | 113 +- contrib/ipfilter/tools/ipscan_y.y | 6 + contrib/ipfilter/tools/ipsyncm.c | 4 +- contrib/ipfilter/tools/ipsyncs.c | 4 +- contrib/ipfilter/tools/lex_var.h | 5 + contrib/ipfilter/tools/lexer.c | 71 +- contrib/ipfilter/tools/lexer.h | 5 + sys/contrib/ipfilter/netinet/fil.c | 1472 ++++++++++++++--- sys/contrib/ipfilter/netinet/ip_auth.c 
| 725 +++++--- sys/contrib/ipfilter/netinet/ip_auth.h | 6 +- sys/contrib/ipfilter/netinet/ip_compat.h | 293 ++-- sys/contrib/ipfilter/netinet/ip_fil.h | 237 ++- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c | 537 +++--- sys/contrib/ipfilter/netinet/ip_frag.c | 196 ++- sys/contrib/ipfilter/netinet/ip_frag.h | 27 +- sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 36 +- sys/contrib/ipfilter/netinet/ip_htable.c | 348 +++- sys/contrib/ipfilter/netinet/ip_htable.h | 15 +- sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c | 6 +- sys/contrib/ipfilter/netinet/ip_irc_pxy.c | 4 +- sys/contrib/ipfilter/netinet/ip_log.c | 60 +- sys/contrib/ipfilter/netinet/ip_lookup.c | 218 ++- sys/contrib/ipfilter/netinet/ip_lookup.h | 34 +- sys/contrib/ipfilter/netinet/ip_nat.c | 1201 ++++++++++---- sys/contrib/ipfilter/netinet/ip_nat.h | 41 +- sys/contrib/ipfilter/netinet/ip_pool.c | 350 +++- sys/contrib/ipfilter/netinet/ip_pool.h | 17 +- sys/contrib/ipfilter/netinet/ip_pptp_pxy.c | 7 +- sys/contrib/ipfilter/netinet/ip_proxy.c | 25 +- sys/contrib/ipfilter/netinet/ip_proxy.h | 5 +- sys/contrib/ipfilter/netinet/ip_raudio_pxy.c | 6 +- sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c | 4 +- sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c | 12 +- sys/contrib/ipfilter/netinet/ip_scan.c | 38 +- sys/contrib/ipfilter/netinet/ip_scan.h | 4 +- sys/contrib/ipfilter/netinet/ip_state.c | 884 ++++++---- sys/contrib/ipfilter/netinet/ip_state.h | 15 +- sys/contrib/ipfilter/netinet/ip_sync.c | 15 +- sys/contrib/ipfilter/netinet/ip_sync.h | 24 +- sys/contrib/ipfilter/netinet/ipl.h | 6 +- sys/contrib/ipfilter/netinet/mlfk_ipl.c | 45 +- 269 files changed, 8217 insertions(+), 7949 deletions(-) delete mode 100644 contrib/ipfilter/FreeBSD-2.2/files.diffs delete mode 100644 contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs delete mode 100644 contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs delete mode 100644 contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs delete mode 100644 contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs delete mode 100755 
contrib/ipfilter/FreeBSD-2.2/kinstall delete mode 100755 contrib/ipfilter/FreeBSD-2.2/minstall delete mode 100755 contrib/ipfilter/FreeBSD-2.2/unkinstall delete mode 100755 contrib/ipfilter/FreeBSD-2.2/unminstall delete mode 100644 contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 delete mode 100755 contrib/ipfilter/FreeBSD-3/kinstall delete mode 100755 contrib/ipfilter/FreeBSD-3/unkinstall delete mode 100755 contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 delete mode 100644 contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 delete mode 100644 contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 delete mode 100755 contrib/ipfilter/FreeBSD-4.0/kinstall delete mode 100755 contrib/ipfilter/FreeBSD-4.0/unkinstall delete mode 100644 contrib/ipfilter/FreeBSD/conf.c.diffs delete mode 100644 contrib/ipfilter/FreeBSD/files.diffs delete mode 100644 contrib/ipfilter/FreeBSD/files.newconf.diffs delete mode 100644 contrib/ipfilter/FreeBSD/files.oldconf.diffs delete mode 100644 contrib/ipfilter/FreeBSD/filez.diffs delete mode 100644 contrib/ipfilter/FreeBSD/in_proto.c.diffs delete mode 100644 contrib/ipfilter/FreeBSD/ip_input.c.diffs delete mode 100644 contrib/ipfilter/FreeBSD/ip_output.c.diffs delete mode 100755 contrib/ipfilter/FreeBSD/kinstall delete mode 100755 contrib/ipfilter/FreeBSD/minstall delete mode 100755 contrib/ipfilter/FreeBSD/unkinstall delete mode 100755 contrib/ipfilter/FreeBSD/unminstall delete mode 100644 contrib/ipfilter/INST.FreeBSD-2.2 delete mode 100644 contrib/ipfilter/INSTALL.FreeBSD delete mode 100644 contrib/ipfilter/INSTALL.xBSD delete mode 100644 contrib/ipfilter/IPF.KANJI delete mode 100644 contrib/ipfilter/lib/extras.c delete mode 100644 contrib/ipfilter/lib/genmask.c delete mode 100644 contrib/ipfilter/lib/getline.c delete mode 100644 contrib/ipfilter/lib/hexdump.c delete mode 100644 contrib/ipfilter/lib/hostmask.c delete mode 100644 contrib/ipfilter/lib/hostnum.c delete mode 100644 contrib/ipfilter/lib/loglevel.c delete mode 100644 contrib/ipfilter/lib/natparse.c delete 
mode 100644 contrib/ipfilter/lib/parse.c delete mode 100644 contrib/ipfilter/lib/portnum.c delete mode 100644 contrib/ipfilter/lib/ports.c delete mode 100644 contrib/ipfilter/lib/ratoi.c delete mode 100644 contrib/ipfilter/lib/ratoui.c delete mode 100644 contrib/ipfilter/lib/tcpoptnames.c delete mode 100644 contrib/ipfilter/lib/to_interface.c delete mode 100644 contrib/ipfilter/mlf_ipl.c
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index 1bce4f4d331f..fe8a4d4e567f 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -84,6 +84,11 @@ build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \
 -ln -s ../tools .
 -ln -s ../tools ..
+bpf.h:
+ echo '#define DEV_BPF 1' > bpf.h
+
+$(TOP)/ip_compat.h: bpf.h
+
 machine: Makefile.kmod
 if [ -f Makefile.kmod ] ; then \
 make -f Makefile.kmod depend MKUPDATE=no; \
@@ -137,7 +142,7 @@ ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \
 fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
 $(TOP)/opts.h $(TOP)/ip_rules.h
- $(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -D_RADIX_H_ -c $(TOP)/fil.c -o $@
+ $(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -c $(TOP)/fil.c -o $@
 fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \
 $(TOP)/ip_rules.h
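Review bot: The new `bpf.h` rule writes `#define DEV_BPF 1` unconditionally and has no prerequisites, so the value is fixed the first time the file is created and cannot be overridden per host or from the command line, and nothing in the hunk says why the BSD build forces bpf support on. A comment above the rule such as `# bpf.h is generated; the BSD build always assumes bpf(4) is present (DEV_BPF=1)` would help the next maintainer. The recipe-less dependency `$(TOP)/ip_compat.h: bpf.h` also deserves a one-line note that it exists only to force bpf.h into existence before anything that depends on ip_compat.h is built, since ip_compat.h is a checked-in source that this rule never rebuilds; whether ip_compat.h actually includes bpf.h is not visible here.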
@@ -447,14 +452,14 @@ clean:
 ${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
 ${RM} -f ../ipscan ../ipsyncm ../ipsyncs
 ${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon
- ${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld*
+ ${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld* ipfrule.kld*
 ${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h
 ${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h
 ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h
 ${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h
 ${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h
 ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h
- ${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h
+ ${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h bpf.h
 ${RM} -f *.da *.gcov *.bb *.bbg tools
 ${MAKE} -f Makefile.ipsend ${MFLAGS} clean
@@ -480,13 +485,21 @@ install:
 cp if_ipl.o /lkm; \
 fi
 -if [ -d /modules -a -f ipf.ko ] ; then \
- cp ipf.ko /modules; \
+ if [ -f /modules/ipl.ko ] ; then \
+ cp ipf.ko /modules/ipl.ko; \
+ else \
+ cp ipf.ko /modules; \
+ fi \
 fi
 -if [ -d /modules -a -f ipfrule.ko ] ; then \
 cp ipfrule.ko /modules; \
 fi
 -if [ -d /boot/kernel -a -f ipf.ko ] ; then \
- cp ipf.ko /boot/kernel; \
+ if [ -f /boot/kernel/ipl.ko ] ; then \
+ cp ipf.ko /boot/kernel/ipl.ko; \
+ else \
+ cp ipf.ko /boot/kernel; \
+ fi \
 fi
 -if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
 cp ipfrule.ko /boot/kernel; \
@@ -514,6 +527,9 @@ install:
 $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
 fi \
 done
+ if [ -d /etc/rc.d ] ; then \
+ $(INSTALL) -c -g wheel -m 755 -o root ../ipfadm-rcd $(SBINDEST)/ipfadm; \
+ fi
 (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
 coverage:
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
index 77a6ba1f534e..04b257d7ca60 100644
--- a/contrib/ipfilter/BSD/kupgrade
+++ b/contrib/ipfilter/BSD/kupgrade
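Review bot: When a legacy `/modules/ipl.ko` (or `/boot/kernel/ipl.ko`) exists the new module is copied over it, but an `ipf.ko` already sitting in the same directory is left untouched, so a host that carries both names ends up with a stale `ipf.ko` next to a fresh `ipl.ko`, and which one gets loaded then depends on loader.conf, which this hunk cannot see. Either install under both names or remove the other, e.g. `cp ipf.ko /modules/ipl.ko; rm -f /modules/ipf.ko; \` in the first branch, and likewise for /boot/kernel. The bare `cp` also carries the build tree's file mode into the module directory instead of setting `-o root -g wheel -m 755` the way the `$(INSTALL)` steps further down do; the rest of the install target is outside the hunk.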
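Review bot: In the `@@ -514,6 +527,9 @@` hunk the guard tests for `/etc/rc.d` but the file is installed as `$(SBINDEST)/ipfadm`, so the condition and the destination do not match: without /etc/rc.d the helper is silently skipped even though $(SBINDEST) is usable, and with it the script never lands in rc.d. If `../ipfadm-rcd` is an rc.d script the target should be `/etc/rc.d/ipfadm`; if it is an ordinary helper the `/etc/rc.d` test should go. The source file is not checked for existence either, and because the line has no leading `-`, a missing `../ipfadm-rcd` aborts the install target after the binaries and modules have already been copied; whether that file is shipped is not visible here.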
@@ -32,11 +32,15 @@ else
 fi
 if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
- echo "Please do a build of ipfilter and then run the following"
- echo "command to build extra files:"
- echo
- echo "make ip_rules.c"
- exit 1
+ echo "Trying to build ip_rules.c and ip_rules.h"
+ make ip_rules.c
+ if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
+ echo "Please do a build of ipfilter and then run the following"
+ echo "command to build extra files:"
+ echo
+ echo "make ip_rules.c"
+ exit 1
+ fi
 fi
 echo -n "Installing "
diff --git a/contrib/ipfilter/BugReport b/contrib/ipfilter/BugReport
index 0bd243ca1fd7..699483189012 100644
--- a/contrib/ipfilter/BugReport
+++ b/contrib/ipfilter/BugReport
@@ -1,10 +1,12 @@
-IP Filter bug report form.
+Please submit this information at SourceForge using this URL:
+http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053
+
+Please also send an email to darrenr@reed.wattle.id.au.
+
+Some information that I generally find important:
 --------------------------
-IP Filter Version:
-Operating System Version:
-Configuration:
-
-Description of problem:
-
-How to repeat:
-
+* IP Filter Version
+* Operating System and its Version
+* Configuration: (LKM or compiled-into-kernel)
+* Description of problem
+* How to repeat
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.diffs b/contrib/ipfilter/FreeBSD-2.2/files.diffs
deleted file mode 100644
index 2ada3fa4b300..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/files.diffs
+++ /dev/null
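Review bot: The recovery path runs `make ip_rules.c` without looking at its exit status and then simply repeats the `-f` test, so when make fails the user is told to run `make ip_rules.c` by hand — the very command that just failed in front of them — with make's own output as the only hint. Check the status directly and make the message say what happened, e.g. `if ! make ip_rules.c ip_rules.h ; then` followed by a line such as `echo "make ip_rules.c failed; fix the build and re-run kupgrade"`; both files are required by the test, and whether the `ip_rules.c` target also produces `ip_rules.h` is not visible here. The rest of kupgrade, including which directory `make` is expected to run in, is outside the hunk.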
@@ -1,24 +0,0 @@
-*** files.orig Tue Sep 9 16:58:40 1997
---- files Sat Apr 4 10:52:58 1998
-***************
-*** 222,227 ****
---- 222,240 ----
- netinet/tcp_timer.c optional inet
- netinet/tcp_usrreq.c optional inet
- netinet/udp_usrreq.c optional inet
-+ netinet/ip_fil.c optional ipfilter inet
-+ netinet/fil.c optional ipfilter inet
-+ netinet/ip_nat.c optional ipfilter inet
-+ netinet/ip_frag.c optional ipfilter inet
-+ netinet/ip_state.c optional ipfilter inet
-+ netinet/ip_proxy.c optional ipfilter inet
-+ netinet/mlf_ipl.c optional ipfilter inet
-+ netinet/ip_auth.c optional ipfilter inet
-+ netinet/ip_log.c optional ipfilter inet
-+ netinet/ip_scan.c optional ipfilter inet
-+ netinet/ip_sync.c optional ipfilter inet
-+ netinet/ip_pool.c optional ipfilter_pool inet
-+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
- netipx/ipx.c optional ipx
- netipx/ipx_cksum.c optional ipx
- netipx/ipx_input.c optional ipx
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
deleted file mode 100644
index 82599f199056..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
+++ /dev/null
@@ -1,24 +0,0 @@
-*** files.newconf.orig Sun Jun 25 02:17:29 1995
---- files.newconf Sun Jun 25 02:19:10 1995
-***************
-*** 161,166 ****
---- 161,179 ----
- file netinet/ip_input.c inet
- file netinet/ip_mroute.c inet
- file netinet/ip_output.c inet
-+ file netinet/ip_fil.c ipfilter
-+ file netinet/fil.c ipfilter
-+ file netinet/ip_nat.c ipfilter
-+ file netinet/ip_frag.c ipfilter
-+ file netinet/ip_state.c ipfilter
-+ file netinet/ip_proxy.c ipfilter
-+ file netinet/ip_auth.c ipfilter
-+ file netinet/ip_log.c ipfilter
-+ file netinet/mlf_ipl.c ipfilter
-+ file netinet/ip_scan.c ipfilter
-+ file netinet/ip_sync.c ipfilter
-+ file netinet/ip_pool.c ipfilter_pool
-+ file netinet/ip_rules.c ipfilter_compiled
- file netinet/raw_ip.c inet
- file netinet/tcp_debug.c inet
- file netinet/tcp_input.c inet
diff --git a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
deleted file mode 100644
index c2822d3ff9d3..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
+++ /dev/null
@@ -1,16 +0,0 @@
-*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
---- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
-***************
-*** 89,94 ****
---- 89,99 ----
- void eoninput(), eonctlinput(), eonprotoinit();
- #endif /* EON */
-
-+ #if defined(IPFILTER) && !defined(IPFILTER_LKM)
-+ void iplinit();
-+ #define ip_init iplinit
-+ #endif
-+
- extern struct domain inetdomain;
-
- struct protosw inetsw[] = {
diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
deleted file mode 100644
index c2b2b15301ce..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
+++ /dev/null
@@ -1,32 +0,0 @@
-*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
---- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
-***************
-*** 74,79 ****
---- 74,82 ----
- #ifdef IPFIREWALL
- #include
- #endif
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ #endif
-
- int rsvp_on = 0;
- static int ip_rsvp_on;
-***************
-*** 310,315 ****
---- 313,327 ----
- * - Wrap: fake packet's addr/port
- * - Encapsulate: put it in another IP and send out.
- */
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
-+ return;
-+ ip = mtod(m = m1, struct ip *);
-+ }
-+ #endif
-
- #ifdef COMPAT_IPFW
- if (ip_fw_chk_ptr) {
diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
deleted file mode 100644
index ff5ae0a5d66b..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
+++ /dev/null
@@ -1,67 +0,0 @@
-*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
---- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
-***************
-*** 67,72 ****
---- 67,76 ----
- #else
- #undef COMPAT_IPFW
- #endif
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ #endif
-+
-
- u_short ip_id;
-
-***************
-*** 75,81 ****
- __P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
- static int ip_getmoptions
- __P((int, struct ip_moptions *, struct mbuf **));
-! static int ip_optcopy __P((struct ip *, struct ip *));
- static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
- static int ip_setmoptions
- __P((int, struct ip_moptions **, struct mbuf *));
---- 79,85 ----
- __P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
- static int ip_getmoptions
- __P((int, struct ip_moptions *, struct mbuf **));
-! int ip_optcopy __P((struct ip *, struct ip *));
- static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
- static int ip_setmoptions
- __P((int, struct ip_moptions **, struct mbuf *));
-***************
-*** 338,343 ****
---- 342,356 ----
- * - Wrap: fake packet's addr/port
- * - Encapsulate: put it in another IP and send out.
- */
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
-+ goto done;
-+ ip = mtod(m = m1, struct ip *);
-+ }
-+ #endif
-
- #ifdef COMPAT_IPFW
- if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
-***************
-*** 559,565 ****
- * Copy options from ip to jp,
- * omitting those not copied during fragmentation.
- */
-! static int
- ip_optcopy(ip, jp)
- struct ip *ip, *jp;
- {
---- 574,580 ----
- * Copy options from ip to jp,
- * omitting those not copied during fragmentation.
- */
-! int
- ip_optcopy(ip, jp)
- struct ip *ip, *jp;
- {
diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall
deleted file mode 100755
index 5a4368eba122..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/kinstall
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Installing "
-foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
- ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h ip_log.c)
- echo -n "$i ";
- cp $i /sys/netinet
- chmod 644 /sys/netinet/$i
- switch ($i)
- case *.h:
- /bin/cp $i /usr/include/netinet/$i
- chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
-end
-echo ""
-echo "Copying /usr/include/osreldate.h to /sys/sys"
-cp /usr/include/osreldate.h /sys/sys
-echo "Patching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Patching /sys/conf/files.newconf"
- cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Patching /sys/conf/files.oldconf"
- cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Re-config'ing $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-2.2/minstall b/contrib/ipfilter/FreeBSD-2.2/minstall
deleted file mode 100755
index 832b68e81a63..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/minstall
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD-2.2 ) cd ..
-echo "Patching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch)
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Re-config'ing $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}${bak} )
- set bak=".bak."$dot
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}$bak
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM\noptions IPFILTER_LOG"}}' \
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-2.2/unkinstall b/contrib/ipfilter/FreeBSD-2.2/unkinstall
deleted file mode 100755
index 1955f5c415db..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/unkinstall
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Uninstalling "
-foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_compat.h ip_log.c \
- mlf_ipl.c ipl.h)
- echo -n "$i ";
- /bin/rm -f /sys/netinet/$i
-end
-echo ""
-echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch -R)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Unpatching /sys/conf/files.newconf"
- cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Unpatching /sys/conf/files.oldconf"
- cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-2.2/unminstall b/contrib/ipfilter/FreeBSD-2.2/unminstall
deleted file mode 100755
index 07aaac08f2ce..000000000000
--- a/contrib/ipfilter/FreeBSD-2.2/unminstall
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch -R)
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
-endif
-grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
deleted file mode 100644
index 5c30b57821f2..000000000000
--- a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
+++ /dev/null
@@ -1,26 +0,0 @@
-To build a kernel with the IP filter, follow these seven steps:
-
- 1. do "make freebsd3"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD-3/kinstall" as root
-
- 4. build a new kernel
-
- 5. install the new kernel
-
- 6. If not using DEVFS, create devices for IP Filter as follows:
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
- mknod /dev/ipsync c 79 4
- mknod /dev/ipscan c 79 5
-
- 7. reboot
-
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/FreeBSD-3/kinstall b/contrib/ipfilter/FreeBSD-3/kinstall
deleted file mode 100755
index 20f0369d6eaf..000000000000
--- a/contrib/ipfilter/FreeBSD-3/kinstall
+++ /dev/null
@@ -1,52 +0,0 @@ -#!/bin/csh -f -# -set dir=`pwd` -set karch=`uname -m` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD* ) cd .. -echo -n "Installing " -foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \ - ip_compat.h ip_auth.[ch] ip_log.c) - echo -n "$i "; - cp $i /sys/netinet - chmod 644 /sys/netinet/$i - switch ($i) - case *.h: - /bin/cp $i /usr/include/netinet/$i - chmod 644 /usr/include/netinet/$i - breaksw - endsw -end -echo "" -echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" -ln -s /usr/include/osreldate.h /sys/sys/osreldate.h - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -echo "Rewriting $newconfig..." -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} -endif -awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\ - $confdir/$newconfig.bak > $confdir/$newconfig -echo "You will now need to run config on $newconfig and build a new kernel." -exit 0 diff --git a/contrib/ipfilter/FreeBSD-3/unkinstall b/contrib/ipfilter/FreeBSD-3/unkinstall deleted file mode 100755 index 687ebc62a7f7..000000000000 --- a/contrib/ipfilter/FreeBSD-3/unkinstall +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/csh -f -# -# -set dir=`pwd` -set karch=`uname -m` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD* ) cd .. -echo -n "Uninstalling " -foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \ - ip_log.c mlf_ipl.c ipl.h) - echo -n "$i "; - /bin/rm -f /sys/netinet/$i -end -echo "" - -echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h" -rm /sys/sys/osreldate.h - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} -endif -egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig -echo 'You will now need to run "config" and build a new kernel.' -exit 0 diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 deleted file mode 100755 index 149580135216..000000000000 --- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 +++ /dev/null 
@@ -1,63 +0,0 @@ -.\" $FreeBSD$ -.\" -*** ip6_input.c.orig Sun Feb 13 14:32:01 2000 ---- ip6_input.c Wed Apr 26 22:31:34 2000 -*************** -*** 121,126 **** ---- 121,127 ---- - - extern struct domain inet6domain; - extern struct ip6protosw inet6sw[]; -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); - - u_char ip6_protox[IPPROTO_MAX]; - static int ip6qmaxlen = IFQ_MAXLEN; -*************** -*** 302,307 **** ---- 303,317 ---- - ip6stat.ip6s_badvers++; - in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); - goto bad; -+ } -+ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif, -+ 0, &m1) || !m1) -+ return; -+ ip6 = mtod(m = m1, struct ip6_hdr *); - } - - ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; -*** ip6_output.c.orig Fri Mar 10 01:57:16 2000 ---- ip6_output.c Wed Apr 26 22:34:34 2000 -*************** -*** 108,113 **** ---- 108,115 ---- - #include - #endif - -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ - static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); - - struct ip6_exthdrs { -*************** -*** 754,759 **** ---- 756,770 ---- - ip6->ip6_src.s6_addr16[1] = 0; - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) - ip6->ip6_dst.s6_addr16[1] = 0; -+ } -+ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) || -+ !m1) -+ goto done; -+ ip6 = mtod(m = m1, struct ip6_hdr *); - } - - #ifdef IPV6FIREWALL diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 deleted file mode 100644 index 2e1d7e80673f..000000000000 --- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 +++ /dev/null 
@@ -1,65 +0,0 @@ -.\" $FreeBSD$ -.\" -*** ip6_input.c.orig Sat Jul 15 07:14:34 2000 ---- ip6_input.c Thu Oct 19 17:14:37 2000 -*************** -*** 120,125 **** ---- 120,127 ---- - - extern struct domain inet6domain; - extern struct ip6protosw inet6sw[]; -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, -+ struct mbuf **)); - - u_char ip6_protox[IPPROTO_MAX]; - static int ip6qmaxlen = IFQ_MAXLEN; -*************** -*** 289,294 **** ---- 291,305 ---- - ip6stat.ip6s_badvers++; - in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); - goto bad; -+ } -+ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif, -+ 0, &m1) || !m1) -+ return; -+ ip6 = mtod(m = m1, struct ip6_hdr *); - } - - ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; - -*** ip6_output.c.orig Sat Jul 15 07:14:35 2000 ---- ip6_output.c Thu Oct 19 17:13:53 2000 -*************** -*** 106,111 **** ---- 106,113 ---- - #include - #endif - -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ - static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); - - struct ip6_exthdrs { -*************** -*** 787,792 **** ---- 789,803 ---- - ip6->ip6_src.s6_addr16[1] = 0; - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) - ip6->ip6_dst.s6_addr16[1] = 0; -+ } -+ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) || -+ !m1) -+ goto done; -+ ip6 = mtod(m = m1, struct ip6_hdr *); - } - - #ifdef IPV6FIREWALL diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 deleted file mode 100644 index 2e1d7e80673f..000000000000 --- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 +++ /dev/null 
@@ -1,65 +0,0 @@ -.\" $FreeBSD$ -.\" -*** ip6_input.c.orig Sat Jul 15 07:14:34 2000 ---- ip6_input.c Thu Oct 19 17:14:37 2000 -*************** -*** 120,125 **** ---- 120,127 ---- - - extern struct domain inet6domain; - extern struct ip6protosw inet6sw[]; -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, -+ struct mbuf **)); - - u_char ip6_protox[IPPROTO_MAX]; - static int ip6qmaxlen = IFQ_MAXLEN; -*************** -*** 289,294 **** ---- 291,305 ---- - ip6stat.ip6s_badvers++; - in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); - goto bad; -+ } -+ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif, -+ 0, &m1) || !m1) -+ return; -+ ip6 = mtod(m = m1, struct ip6_hdr *); - } - - ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; - -*** ip6_output.c.orig Sat Jul 15 07:14:35 2000 ---- ip6_output.c Thu Oct 19 17:13:53 2000 -*************** -*** 106,111 **** ---- 106,113 ---- - #include - #endif - -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ - static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); - - struct ip6_exthdrs { -*************** -*** 787,792 **** ---- 789,803 ---- - ip6->ip6_src.s6_addr16[1] = 0; - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) - ip6->ip6_dst.s6_addr16[1] = 0; -+ } -+ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) || -+ !m1) -+ goto done; -+ ip6 = mtod(m = m1, struct ip6_hdr *); - } - - #ifdef IPV6FIREWALL diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall deleted file mode 100755 index ebd6e2e8a075..000000000000 --- a/contrib/ipfilter/FreeBSD-4.0/kinstall +++ /dev/null 
@@ -1,63 +0,0 @@ -#!/bin/csh -f -# -set dir=`pwd` -set karch=`uname -m` -set ipfdir=/sys/netinet -set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD* ) cd .. -echo -n "Installing " -foreach i (ip_{auth,fil,nat,pool,proxy,scan,state,sync}.[ch] fil.c \ - ip_*_pxy.c mlfk_ipl.c ipl.h ip_compat.h ip_log.c ) - echo -n "$i "; - cp $i /sys/netinet - chmod 644 /sys/netinet/$i - switch ($i) - case *.h: - /bin/cp $i /usr/include/netinet/$i - chmod 644 /usr/include/netinet/$i - breaksw - endsw -end -echo "" -echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" -ln -s /usr/include/osreldate.h /sys/sys/osreldate.h - -echo "" -echo "Patching ip6_input.c and ip6_output.c" -cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -N) - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -grep -q IPFILTER $confdir/$newconfig -if ($status == 0) then - echo "IPFilter already configured in kernel config file" - exit 0 -endif -echo "Rewriting $newconfig..." -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} -endif -awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\ - $confdir/$newconfig.bak > $confdir/$newconfig -echo "You will now need to run config on $newconfig and build a new kernel." -exit 0 
diff --git a/contrib/ipfilter/FreeBSD-4.0/unkinstall b/contrib/ipfilter/FreeBSD-4.0/unkinstall deleted file mode 100755 index 4e9caaa9e541..000000000000 --- a/contrib/ipfilter/FreeBSD-4.0/unkinstall +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/csh -f -# -# -set dir=`pwd` -set karch=`uname -m` -set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD* ) cd .. -echo -n "Uninstalling " -foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \ - ip_log.c mlf_ipl.c ipl.h) - echo -n "$i "; - /bin/rm -f /sys/netinet/$i -end -echo "" - -echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h" -rm /sys/sys/osreldate.h - -echo "Removing patch to ip6_input.c and ip6_output.c" -cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -R) - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} -endif -egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig -echo 'You will now need to run "config" and build a new kernel.' -exit 0 diff --git a/contrib/ipfilter/FreeBSD/conf.c.diffs b/contrib/ipfilter/FreeBSD/conf.c.diffs deleted file mode 100644 index afd288040d43..000000000000 --- a/contrib/ipfilter/FreeBSD/conf.c.diffs +++ /dev/null 
@@ -1,46 +0,0 @@ -*** conf.c.orig Sun Jan 14 15:39:32 1996 ---- conf.c Sun Jan 14 15:48:21 1996 -*************** -*** 1128,1133 **** ---- 1128,1149 ---- - #define labpcioctl nxioctl - #endif - -+ #ifdef IPFILTER -+ d_open_t iplopen; -+ d_close_t iplclose; -+ d_ioctl_t iplioctl; -+ # ifdef IPFILTER_LOG -+ d_read_t iplread; -+ # else -+ #define iplread nxread -+ # endif -+ #else -+ #define iplopen nxopen -+ #define iplclose nxclose -+ #define iplioctl nxioctl -+ #define iplread nxread -+ #endif -+ - /* open, close, read, write, ioctl, stop, reset, ttys, select, mmap, strat */ - struct cdevsw cdevsw[] = - { -*************** -*** 1199,1206 **** - * Otherwise, simply use the one reserved for local use. - */ - /* character device 20 is reserved for local use */ -! { nxopen, nxclose, nxread, nxwrite, /*20*/ -! nxioctl, nxstop, nxreset, nxdevtotty,/* reserved */ - nxselect, nxmmap, NULL }, - { psmopen, psmclose, psmread, nowrite, /*21*/ - psmioctl, nostop, nullreset, nodevtotty,/* psm mice */ ---- 1215,1222 ---- - * Otherwise, simply use the one reserved for local use. - */ - /* character device 20 is reserved for local use */ -! { iplopen, iplclose, iplread, nxwrite, /*20*/ -! iplioctl, nxstop, nxreset, nxdevtotty,/* reserved */ - nxselect, nxmmap, NULL }, - { psmopen, psmclose, psmread, nowrite, /*21*/ - psmioctl, nostop, nullreset, nodevtotty,/* psm mice */ diff --git a/contrib/ipfilter/FreeBSD/files.diffs b/contrib/ipfilter/FreeBSD/files.diffs deleted file mode 100644 index 2f028e337eb0..000000000000 --- a/contrib/ipfilter/FreeBSD/files.diffs +++ /dev/null 
@@ -1,23 +0,0 @@ -*** files.orig Sat Sep 30 18:01:55 1995 ---- files Sun Jan 14 14:32:25 1996 -*************** -*** 208,213 **** ---- 208,225 ---- - netinet/tcp_timer.c optional inet - netinet/tcp_usrreq.c optional inet - netinet/udp_usrreq.c optional inet -+ netinet/ip_fil.c optional ipfilter inet -+ netinet/fil.c optional ipfilter inet -+ netinet/ip_nat.c optional ipfilter inet -+ netinet/ip_frag.c optional ipfilter inet -+ netinet/ip_state.c optional ipfilter inet -+ netinet/ip_auth.c optional ipfilter inet -+ netinet/ip_proxy.c optional ipfilter inet -+ netinet/ip_log.c optional ipfilter inet -+ netinet/ip_scan.c optional ipfilter inet -+ netinet/ip_sync.c optional ipfilter inet -+ netinet/ip_pool.c optional ipfilter_pool ipfilter inet -+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet - netiso/clnp_debug.c optional iso - netiso/clnp_er.c optional iso - netiso/clnp_frag.c optional iso diff --git a/contrib/ipfilter/FreeBSD/files.newconf.diffs b/contrib/ipfilter/FreeBSD/files.newconf.diffs deleted file mode 100644 index 29aea54dc2fa..000000000000 --- a/contrib/ipfilter/FreeBSD/files.newconf.diffs +++ /dev/null @@ -1,23 +0,0 @@ -*** files.newconf.orig Sun Jun 25 02:17:29 1995 ---- files.newconf Sun Jun 25 02:19:10 1995 -*************** -*** 161,166 **** ---- 161,178 ---- - file netinet/ip_input.c inet - file netinet/ip_mroute.c inet - file netinet/ip_output.c inet -+ file netinet/ip_fil.c ipfilter -+ file netinet/fil.c ipfilter -+ file netinet/ip_nat.c ipfilter -+ file netinet/ip_frag.c ipfilter -+ file netinet/ip_state.c ipfilter -+ file netinet/ip_proxy.c ipfilter -+ file netinet/ip_auth.c ipfilter -+ file netinet/ip_log.c ipfilter -+ file netinet/ip_scan.c ipfilter -+ file netinet/ip_sync.c ipfilter -+ file netinet/ip_pool.c ipfilter_pool -+ file netinet/ip_rules.c ipfilter_compiled - file netinet/raw_ip.c inet - file netinet/tcp_debug.c inet - file netinet/tcp_input.c inet 
diff --git a/contrib/ipfilter/FreeBSD/files.oldconf.diffs b/contrib/ipfilter/FreeBSD/files.oldconf.diffs deleted file mode 100644 index ed8aff94b39f..000000000000 --- a/contrib/ipfilter/FreeBSD/files.oldconf.diffs +++ /dev/null @@ -1,23 +0,0 @@ -*** files.oldconf.orig Sat Apr 29 19:59:31 1995 ---- files.oldconf Sun Apr 23 17:54:18 1995 -*************** -*** 180,185 **** ---- 180,197 ---- - netinet/tcp_timer.c optional inet - netinet/tcp_usrreq.c optional inet - netinet/udp_usrreq.c optional inet -+ netinet/ip_fil.c optional ipfilter requires inet -+ netinet/fil.c optional ipfilter requires inet -+ netinet/ip_nat.c optional ipfilter requires inet -+ netinet/ip_frag.c optional ipfilter requires inet -+ netinet/ip_state.c optional ipfilter requires inet -+ netinet/ip_proxy.c optional ipfilter requires inet -+ netinet/ip_auth.c optional ipfilter requires inet -+ netinet/ip_log.c optional ipfilter requires inet -+ netinet/ip_scan.c optional ipfilter requires inet -+ netinet/ip_sync.c optional ipfilter requires inet -+ netinet/ip_pool.c optional ipfilter_pool requires ipfilter -+ netinet/ip_rules.c optional ipfilter_compiled requires ipfilter - netiso/clnp_debug.c optional iso - netiso/clnp_er.c optional iso - netiso/clnp_frag.c optional iso diff --git a/contrib/ipfilter/FreeBSD/filez.diffs b/contrib/ipfilter/FreeBSD/filez.diffs deleted file mode 100644 index 96560063dcd7..000000000000 --- a/contrib/ipfilter/FreeBSD/filez.diffs +++ /dev/null 
@@ -1,23 +0,0 @@ -*** files.orig Sat Apr 29 20:00:02 1995 ---- files Sun Apr 23 17:53:58 1995 -*************** -*** 222,227 **** ---- 222,235 ---- - file netinet/tcp_timer.c inet - file netinet/tcp_usrreq.c inet - file netinet/udp_usrreq.c inet -+ file netinet/ip_fil.c ipfilter -+ file netinet/fil.c ipfilter -+ file netinet/ip_nat.c ipfilter -+ file netinet/ip_frag.c ipfilter -+ file netinet/ip_state.c ipfilter -+ file netinet/ip_proxy.c ipfilter -+ file netinet/ip_auth.c ipfilter -+ file netinet/ip_log.c ipfilter -+ file netinet/ip_scan.c ipfilter -+ file netinet/ip_sync.c ipfilter -+ file netinet/ip_pool.c ipfilter_pool -+ file netinet/ip_rules.c ipfilter_compiled - file netiso/clnp_debug.c iso - file netiso/clnp_er.c iso - file netiso/clnp_frag.c iso diff --git a/contrib/ipfilter/FreeBSD/in_proto.c.diffs b/contrib/ipfilter/FreeBSD/in_proto.c.diffs deleted file mode 100644 index 052dd514ee18..000000000000 --- a/contrib/ipfilter/FreeBSD/in_proto.c.diffs +++ /dev/null @@ -1,16 +0,0 @@ -*** in_proto.c.orig Wed Sep 6 20:31:34 1995 ---- in_proto.c Mon Mar 11 22:40:03 1996 -*************** -*** 81,86 **** ---- 81,91 ---- - void eoninput(), eonctlinput(), eonprotoinit(); - #endif /* EON */ - -+ #ifdef IPFILTER -+ void iplinit(); -+ #define ip_init iplinit -+ #endif -+ - void rsvp_input(struct mbuf *, int); - void ipip_input(struct mbuf *, int); - diff --git a/contrib/ipfilter/FreeBSD/ip_input.c.diffs b/contrib/ipfilter/FreeBSD/ip_input.c.diffs deleted file mode 100644 index a70be897ea89..000000000000 --- a/contrib/ipfilter/FreeBSD/ip_input.c.diffs +++ /dev/null 
@@ -1,88 +0,0 @@ -*** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996 ---- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997 -*************** -*** 93,98 **** ---- 93,102 ---- - int ipqmaxlen = IFQ_MAXLEN; - struct in_ifaddr *in_ifaddr; /* first inet address */ - struct ifqueue ipintrq; -+ #if defined(IPFILTER_LKM) || defined(IPFILTER) -+ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ #endif - - struct ipstat ipstat; - struct ipq ipq; -*************** -*** 219,226 **** - } - ip = mtod(m, struct ip *); - } -! ip->ip_sum = in_cksum(m, hlen); -! if (ip->ip_sum) { - ipstat.ips_badsum++; - goto bad; - } ---- 223,229 ---- - } - ip = mtod(m, struct ip *); - } -! if (in_cksum(m, hlen)) { - ipstat.ips_badsum++; - goto bad; - } -*************** -*** 267,272 **** ---- 270,288 ---- - goto next; - } - -+ #if defined(IPFILTER) || defined(IPFILTER_LKM) -+ /* -+ * Check if we want to allow this packet to be processed. -+ * Consider it to be bad if not. -+ */ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) -+ goto next; -+ ip = mtod(m = m1, struct ip *); -+ } -+ #endif - /* - * Process options and, if not destined for us, - * ship it on. ip_dooptions returns 1 when an -*************** -*** 527,532 **** ---- 533,540 ---- - * if they are completely covered, dequeue them. - */ - while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) { -+ struct mbuf *m0; -+ - i = (ip->ip_off + ip->ip_len) - q->ip_off; - if (i < q->ip_len) { - q->ip_len -= i; -*************** -*** 526,534 **** - m_adj(dtom(q), i); - break; - } - q = q->ipf_next; -- m_freem(dtom(q->ipf_prev)); - ip_deq(q->ipf_prev); - } - - insert: ---- 542,551 ---- - m_adj(dtom(q), i); - break; - } -+ m0 = dtom(q); - q = q->ipf_next; - ip_deq(q->ipf_prev); -+ m_freem(m0); - } - - insert: 
diff --git a/contrib/ipfilter/FreeBSD/ip_output.c.diffs b/contrib/ipfilter/FreeBSD/ip_output.c.diffs deleted file mode 100644 index f1fe9accea03..000000000000 --- a/contrib/ipfilter/FreeBSD/ip_output.c.diffs +++ /dev/null @@ -1,36 +0,0 @@ -*** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996 ---- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997 -*************** -*** 65,70 **** ---- 65,74 ---- - static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *)); - static void ip_mloopback - __P((struct ifnet *, struct mbuf *, struct sockaddr_in *)); -+ #if defined(IPFILTER_LKM) || defined(IPFILTER) -+ extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); -+ #endif - - /* - * IP output. The packet in mbuf chain m contains a skeletal IP -*************** -*** 330,335 **** ---- 334,351 ---- - m->m_flags &= ~M_BCAST; - - sendit: -+ #if defined(IPFILTER) || defined(IPFILTER_LKM) -+ /* -+ * looks like most checking has been done now...do a filter check -+ */ -+ if (fr_checkp) { -+ struct mbuf *m1 = m; -+ -+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) -+ goto done; -+ ip = mtod(m = m1, struct ip *); -+ } -+ #endif - /* - * Check with the firewall... - */ diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall deleted file mode 100755 index 2b67b9ad995c..000000000000 --- a/contrib/ipfilter/FreeBSD/kinstall +++ /dev/null 
@@ -1,72 +0,0 @@ -#!/bin/csh -f -# -set dir=`pwd` -set karch=`uname -m` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD ) cd .. -echo -n "Installing " -foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \ - ip_*_pxy.c ip_compat.h ip_log.c ) - echo -n "$i "; - cp $i /sys/netinet - chmod 644 /sys/netinet/$i - switch ($i) - case *.h: - /bin/cp $i /usr/include/netinet/$i - chmod 644 /usr/include/netinet/$i - breaksw - endsw -end -echo "" -grep iplopen $archdir/$karch/conf.c >& /dev/null -if ( $status != 0 ) then - echo "Patching $archdir/$karch/conf.c" - cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch) -endif -grep fr_checkp /sys/netinet/ip_input.c >& /dev/null -if ( $status != 0 ) then - echo "Patching ip_input.c, ip_output.c and in_proto.c" - cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ - (cd /sys/netinet; patch) -endif -if ( -f /sys/conf/files.newconf ) then - echo "Patching /sys/conf/files.newconf" - cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch) - echo "Patching /sys/conf/files" - cat FreeBSD/files.diffs | (cd /sys/conf; patch) -endif -if ( -f /sys/conf/files.oldconf ) then - echo "Patching /sys/conf/files.oldconf" - cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch) - echo "Patching /sys/conf/files" - cat FreeBSD/filez.diffs | (cd /sys/conf; patch) -endif - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -echo "Re-config'ing $newconfig..." 
-if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} -endif -awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \ - $confdir/$newconfig.bak > $confdir/$newconfig -echo 'You will now need to run "config" and build a new kernel.' -exit 0 diff --git a/contrib/ipfilter/FreeBSD/minstall b/contrib/ipfilter/FreeBSD/minstall deleted file mode 100755 index 0cfe7c360d9a..000000000000 --- a/contrib/ipfilter/FreeBSD/minstall +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/csh -f -# -set dir=`pwd` -set karch=`uname -m` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD ) cd .. -echo "Patching ip_input.c, ip_output.c and in_proto.c" -cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ -(cd /sys/netinet; patch) - -if ( -f /sys/conf/files.newconf ) then - echo "Patching /sys/conf/files.newconf" - cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch) - echo "Patching /sys/conf/files" - cat FreeBSD/files.diffs | (cd /sys/conf; patch) -endif -if ( -f /sys/conf/files.oldconf ) then - echo "Patching /sys/conf/files.oldconf" - cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch) - echo "Patching /sys/conf/files" - cat FreeBSD/filez.diffs | (cd /sys/conf; patch) -endif - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -echo "Re-config'ing $newconfig..." -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak -endif -awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM"}}' \ - $confdir/$newconfig.bak > $confdir/$newconfig -echo 'You will now need to run "config" and build a new kernel.' -exit 0 diff --git a/contrib/ipfilter/FreeBSD/unkinstall b/contrib/ipfilter/FreeBSD/unkinstall deleted file mode 100755 index 8547fcd90d8b..000000000000 --- a/contrib/ipfilter/FreeBSD/unkinstall +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/csh -f -# -set dir=`pwd` -set karch=`uname -m` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD ) cd .. -echo -n "Uninstalling " -foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_log.c) - echo -n "$i "; - /bin/rm -f /sys/netinet/$i -end -echo "" -echo "Unpatching $archdir/$karch/conf.c" -cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch -R) -echo "Unpatching ip_input.c, ip_output.c and in_proto.c" -cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ -(cd /sys/netinet; patch -R) - -if ( -f /sys/conf/files.newconf ) then - echo "Unpatching /sys/conf/files.newconf" - cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R) - echo "Unpatching /sys/conf/files" - cat FreeBSD/files.diffs | (cd /sys/conf; patch -R) -endif -if ( -f /sys/conf/files.oldconf ) then - echo "Unpatching /sys/conf/files.oldconf" - cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R) - echo "Unpatching /sys/conf/files" - cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R) -endif - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} -endif -egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig -echo 'You will now need to run "config" and build a new kernel.' -exit 0 
diff --git a/contrib/ipfilter/FreeBSD/unminstall b/contrib/ipfilter/FreeBSD/unminstall deleted file mode 100755 index a25746cb4f70..000000000000 --- a/contrib/ipfilter/FreeBSD/unminstall +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/csh -f -# -set dir=`pwd` -set karch=`uname -m` -if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" -if ( -d /sys/$karch ) set archdir="/sys/$karch" -set confdir="$archdir/conf" - -if ( $dir =~ */FreeBSD ) cd .. -echo "Unpatching ip_input.c, ip_output.c and in_proto.c" -cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ -(cd /sys/netinet; patch -R) - -if ( -f /sys/conf/files.newconf ) then - echo "Unpatching /sys/conf/files.newconf" - cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R) - echo "Unpatching /sys/conf/files" - cat FreeBSD/files.diffs | (cd /sys/conf; patch -R) -endif -if ( -f /sys/conf/files.oldconf ) then - echo "Unpatching /sys/conf/files.oldconf" - cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R) - echo "Unpatching /sys/conf/files" - cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R) -endif - -set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` -echo -n "Kernel configuration to update [$config] " -set newconfig=$< -if ( "$newconfig" != "" ) then - set config="$confdir/$newconfig" -else - set newconfig=$config -endif -if ( -f $confdir/$newconfig ) then - mv $confdir/$newconfig $confdir/$newconfig.bak -endif -if ( -d $archdir/../compile/$newconfig ) then - set bak=".bak" - set dot=0 - while ( -d $archdir/../compile/${newconfig}.${bak} ) - set bak=".bak.$dot" - set dot=`expr 1 + $dot` - end - mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak -endif -grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig -echo 'You will now need to run "config" and build a new kernel.' -exit 0 diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 996f883501f4..b500c20632ca 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -10,6 +10,266 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +4.1.28 - Release 16 October 2007 + +backout changes (B1) & (B2) as they've caused NAT entries to persist for +too long and possibly other side effects. + +Still need to compile in our own radix.c for Solaris as the one in S10U4 +has a different alignment of structure members (causes panic) + +keep state doesn't work with multicast/broadcast packets (makes UPnP easier) + +ippool -l may only lists every 2nd pool's contents + +4.1.27 - Released 29 September 2007 + +SunOS5/replace script does not deal with i386 systems that have the +i86/amd64 directory pair. + +make BSD/kupgrade try to build ip_rules.[ch] before complaining + +Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko + +Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs +to drive 32bit cc builds differently for sparc/i386 now. + +Update instructions for rebuilding FreeBSD kernels + +Make the target "freebsd" work for building ipfilter + +destroying NAT entries for blocked packets can lead to NAT table entry leak, +provide a counter of orphan'd NAT entries to track this problem. + +4.1.26 - Released 24 September 2007 + +Fix build problem for Solaris prior to S10U4 + +4.1.25 - Released 20 September 2007 + +stepping through structures with ioctls can lead to the wrong things +being free'd and panics + +if a NAT entry (such as an rdr) is created but the packet ends up being +blocked, tear down the NAT entry. + +fix fragment cache preventing keep state from functioning + +fix handling of \ to indicate a continued line in .conf files + +include port ranges in the allowed input for ipf when using "port = ()" + +only advance TCP state for packets on the leading edge of the window. 
(B1) + +using ipnat -l can lead to memory corruption in high stress situations + +track TCP sequence numbers with NAT so that it can do timeout advances +correctly inline with state + +ICMP checksums for some redirect'd packets are not adjusted correctly. + +IPv6 address components need to be explicitly cast to a 32bit pointer +boundary so that compilers don't try to access them as two 64bit +pieces (no guarantee is made that an Ipv6 address is on a 64bit +aligned address) + +filling up the ipauth packet queue can lead to no more packets being +processed. + +locking used to deref a nat entry causes a significant performance hit + +m_pulldown isn't properly handled, leading to possible panics with ICMPv6 +packets + +IPv6 fragment handling doesn't allow for "keep frag" to work + +build on Solaris10 Update4 with pfhooks in the kernel + +logging of Ipv6 packets with extension headers fix - Miroslaw Luc + +4.1.24 - Released 8 July 2007 + +patch from Stuart Remphrey to address recursive mutex lock with TCP state + +add hash table bucket stats display to ipnat -s + +give ASSERT some teeth for user compiles + +initialising ipf_global, ipf_frcache, ipf_mutex should all be done very +early on + +do some caddr_t cleanup, where possible + +fr_ref no longer tracks the number of children rules in a group for head rules + +make sure all BCOPY* have a value assigned to something + +fix possible use of icmp pointer after pullup makes it invalid + +resolve compile problems related to FreeBSD tree + +4.1.23 - Released 31 May 2007 + +NAT was not always correctly fixing ICMP headers for errors + +some TCP state steps when closing do not update timeouts, leading to +them being removed prematurely. 
(B2) + +fix compilation problems for netbsd 4.99 + +protect enumeration of lists in the kernel from callout interrupts on +BSD without locking + +fix various problems with IPv6 header checks: TCP/UDP checksum validation +was not being done, fragmentation header parsed dangerously and routing +header prevented others from being seen + +fix gcc 4.2 compiler warnings + +fix TCP/UDP checksum calculation for IPv6 + +fix reference after free'ing ipftoken memory + +4.1.22 - Released 13 May 2007 + +fix endless loop when flushing state/NAT by idle time + +4.1.21 - Released 12 May 2007 + +show the number of states created against a rule with "-v" for ipfstat + +fix build problems with FreeBSD + +make it possible to flush the state table by idle time and TCP state + +fix flushing out idle connections when state/NAT tables fill + +print out the TCP state population with ipfstat/ipnat + +stop creation of state table orphans via return-*/fastroute + +fix printing out of rule groups - they now only appear once + +4.1.20 - Released 30 April 2007 + +adjust TCP state numbers, making 11 closed (was 0) to better facilitate +detecting closing connections that we can wipe out when a SYN arrives +that matches the old + +make it compile on Solaris10 Update3 + +structures used for ipf command ioctls weren't being freed in timeout +fashion on solairs + +use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions + +adjust TCP timeout values and introduce a time-wait specifc timeout +to get a better TCP FSM emulation and one that can hopefully do a better +job of cleaning up in a speedy fashion than previous + +refactor the automatic flushing of TCP state entries when we fill up, +but use the same algorithm as before but now it hopefully works + +only 2 out of 4 interface names were being changed by ipfs when +interface renaming was being used for state entries + +add ipf_proxy_debug to ipf-T + +matching of last fragments that had a number of bytes that wasn't a +multiple of 8 failed + +some 
combinations of TCP flags are considered bad aren't picked up as such, +but these may be possible with T/TCP + +4.1.19 - Released 22 February 2007 + +Fix up compilation problems with NetBSD and Solaris. + +4.1.18 - Released 18 February 2007 + +fix compiling on Tru64 + +fix listing out filter rules with ipfstat (delete token at end of +the list and detect zero rule being returned.) + +fix extended flushing of NAT tables (was clearing out state tables) + +fix null-pointer deref in hash table lookup + +fix NAT and stateful filtering with to/reply-to on destination interface + +4.1.17 - Released 20 January 2007 + +make flushing pools that are still in use mark them for deletion and +have attempting to recreate them clear the delete flag + +walking through the NAT tables with ioctls caused lock recursion + +fix tracking TCP window scaling in the state code + +4.1.16 - Released 20 December 2006 + +allow rdr rules to only differ on the new port number + +when creating state entry orphans, leave them on the linked list but not +attached to the hash table and mark them visible as orphans in "ipfstat -sl" + +log state removed when unloading differently to allow visible cues + +return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl + +abort logging a packet if the mbuf pointer is null when ipflog is called + +Some NetBSD's have a selinfo.h instead of select.h + +SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth + +listing accounting rules using ioctl interface wasn't possible + +fix leakage of state entries due to packets not matching up with NAT + +improve ICMP error packet matching with state/NAT + +fix problems with parsing and printing "-" as an interface name in ipnat.conf + +4.1.15 - Released 03 November 2006 + +Add in automatic flushing of NAT, like state, table if it fills up too much + +Update comments in the code for NAT checksum adjustments + +Fix compiling on FreeBSD 5.4 and 6.0 + +prevent panics from read/write 
IOs trying to use uninitialised structures + +Newer NetBSD should use malloc() instead of MALLOC() in the kernel where +the size is not staticly defined + +Some gcc warning message cleanup from NetBSD + +Missing include for on Solaris for poll work + +NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h + +4.1.14 - Released 04 October 2006 + +rewrite checksum alteration for ICMP packets being NAT'd to use a sane +algorithm that can be understood...now it needs better comments + +fix 1 byte error in checksum validation perl script + +remove unused files in lib directory + +ipftest will say "bad-packet" if it has been freed rather than just "blocked" + +make it possible to load IP address pools from external files in ippool.conf + +update copyright messages in tools directory + +consolidate ioctl hanlding source code into fil.c + +make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem + 4.1.13 - Released 4 April 2006 fix bug where null pointers introduced by proxies could cause a crash @@ -39,6 +299,7 @@ add missing ipfsync_canread() and ipfsync_canwrite() behaviour of \ on the end of a line in ipf.conf does not match older behaviour remove duplicate statistics line output with "ipfstat -s" + 4.1.11 - Released 19 March 2006 Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2 deleted file mode 100644 index d668c39f7b58..000000000000 --- a/contrib/ipfilter/INST.FreeBSD-2.2 +++ /dev/null 
@@ -1,62 +0,0 @@ -.\" $FreeBSD$ -.\" - -To build a kernel for use with the loadable kernel module, follow these -steps: - 1. In /sys/i386/conf, create a new kernel config file (to be used - with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL" - - 2. build the object files, telling it the name of the kernel to be - used. "freebsd22" MUST be the target, so the command would be - something like this: "make freebsd22 IPFILKERN=FIREWALL" - - 3. do "make install-bsd" - (probably has to be done as root) - - 4. run "FreeBSD-2.2/minstall" as root - - 5. build a new kernel - - 6. install and reboot with the new kernel - - 7. use modload(8) to load the packet filter with: - modload if_ipl.o - - 8. do "modstat" to confirm that it has been loaded successfully. - -There is no need to use mknod to create the device in /dev; -- upon loading the module, it will create itself with the correct values, - under the name (IPL_NAME) from the Makefile. It will also remove itself - from /dev when it is modunload'd. - -To build a kernel with the IP filter, follow these steps: - -*** KERNEL INSTALL CURRENTLY UNSUPPORTED *** - 1. do "make freebsd22" - - 2. do "make install-bsd" - (probably has to be done as root) - - 3. run "FreeBSD-2.2/kinstall" as root - - 4. build a new kernel - - 5a) For FreeBSD 2.2 (or later) - create devices for IP Filter as follows: - mknod /dev/ipl c 79 0 - mknod /dev/ipnat c 79 1 - mknod /dev/ipstate c 79 2 - mknod /dev/ipauth c 79 3 - - 5b) For versions prior to FreeBSD 2.2: - create devices for IP Filter as follows (assuming it was - installed into the device table as char dev 20): - mknod /dev/ipl c 20 0 - mknod /dev/ipnat c 20 1 - mknod /dev/ipstate c 20 2 - mknod /dev/ipauth c 20 3 - - 6. install and reboot with the new kernel - -Darren Reed -darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD deleted file mode 100644 index a4a787ac42be..000000000000 
--- a/contrib/ipfilter/INSTALL.FreeBSD +++ /dev/null @@ -1,56 +0,0 @@ - -This file is for use with FreeBSD 4.x and 5.x only. - -To build a kernel for use with the loadable kernel module, follow these -steps: - 1. For FreeBSD version: - 4.* do make freebsd4 - 5.* do make freebsd5 - - 2. do "make install-bsd" - (probably has to be done as root) - - 3. Run "BSD/kupgrade" - - 4. build a new kernel - - 5. install and reboot with the new kernel - - 6. use modload(8) to load the packet filter with: - modload if_ipl.o - - 7. do "modstat" to confirm that it has been loaded successfully. - -There is no need to use mknod to create the device in /dev; -- upon loading the module, it will create itself with the correct values, - under the name (IPL_NAME) from the Makefile. It will also remove itself - from /dev when it is modunload'd. - -To build a kernel with the IP filter, follow these steps: - - 1. For FreeBSD version: - 4.* do make freebsd4 - 5.* do make freebsd5 - - 2. do "make install-bsd" - (probably has to be done as root) - - 3. run "FreeBSD/kinstall" as root - - 4. build a new kernel - - 5. - b) If you are using FreeBSD-3 or later: - create devices for IP Filter as follows (assuming it was - installed into the device table as char dev 20): - mknod /dev/ipl c 79 0 - mknod /dev/ipnat c 79 1 - mknod /dev/ipstate c 79 2 - mknod /dev/ipauth c 79 3 - mknod /dev/ipsync c 79 4 - mknod /dev/ipscan c 79 5 - - 6. install and reboot with the new kernel - -Darren Reed -darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.xBSD b/contrib/ipfilter/INSTALL.xBSD deleted file mode 100644 index 2f933ffc7018..000000000000 --- a/contrib/ipfilter/INSTALL.xBSD +++ /dev/null 
@@ -1,45 +0,0 @@ -# $FreeBSD$ - -To build a kernel for use with the loadable kernel module, follow these -steps: - 1. do "make bsd" - - 2. cd to the "BSD" directory and type "make install" - - 3. run "4bsd/minstall" as root - - 4. build a new kernel - - 5. install and reboot with the new kernel - - 6. use modload(8) to load the packet filter with: - modload if_ipl.o - - 7. do "modstat" to confirm that it has been loaded successfully. - -There is no need to use mknod to create the device in /dev; -- upon loading the module, it will create itself with the correct values, - under the name (IPL_NAME) from the Makefile. It will also remove itself - from /dev when it is modunload'd. - -To build a kernel with the IP filter, follow these steps: - - 1. do "make bsd" - - 2. cd to the "BSD" directory and type "make install" - - 3. run "4bsd/kinstall" as root - - 4. build a new kernel - - 5. create devices for IP Filter as follows (assuming it was - installed into the device table as char dev 20): - mknod /dev/ipl c 20 0 - mknod /dev/ipnat c 20 1 - mknod /dev/ipstate c 20 2 - mknod /dev/ipauth c 20 3 - - 6. install and reboot with the new kernel - -Darren -darrenr@pobox.com diff --git a/contrib/ipfilter/IPF.KANJI b/contrib/ipfilter/IPF.KANJI deleted file mode 100644 index 85af5ce9e9aa..000000000000 --- a/contrib/ipfilter/IPF.KANJI +++ /dev/null 
@@ -1,465 +0,0 @@ -IP filter $B%7%g!<%H%,%$%I(B Dec, 1999 - -$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html -FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/ - - $B30;3(B $B=c@8(B - $B;3K\(B $BBY1'(B - ------ -$B$O$8$a$K(B - -IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B -$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B - -$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B -$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B - Solaris/Solaris-x86 2.3 - 8 (early access) - SunOS 4.1.1 - 4.1.4 - NetBSD 1.0 - 1.4 - FreeBSD 2.0.0 - 2.2.8 - BSD/OS-1.1 - 4 - IRIX 6.2 -$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B - -$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B -$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B - -$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B -ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz -(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B) -$B$+$il9g$O(B pass $B$H$J$j$^$9!#(B - -log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$re$N%m%0$O>C$($F(B -$B$7$^$$$^$9!#(B - -/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B -ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B -$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!" 
/dev/null 2>&1 & - -${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B -$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B -local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B -$BNc$($P!"(B - -local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost) - - -quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B -$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B -$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B - - -===================== $B$3$3$+$i(B ==================== -########## group setup -# -block in on hme1 all head 100 -block out on hme1 all head 150 -pass in quick on hme0 all -pass out quick on hme0 all -===================== $B$3$3$^$G(B ==================== - -$BJN,7A$G$9!#(B - -$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B -$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B -$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r< 140 group 160 -# -## pass all TCP connection setup packets except for netbios ports (137-139). 
-# -pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150 -block out log quick proto tcp from any to any port 136 >< 140 group 170 -===================== $B$3$3$^$G(B ==================== - -$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios -(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows -$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B -Windows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B -$B62$l$,$"$j$^$9!#(B - -$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B -* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B -* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B -* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B -* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup - XXX$B$H$7$F;2>H$G$-$k(B -* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G@_Dj$7$?(B) - group$B$K8BDj$G$-$k!#(B - -$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B - from any to any port 136 >< 140 -$B$H$$$&$N$O!"(B - $B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B - $B%"%I%l%9$X$N%Q%1%C%H!W(B -$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B -$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B -$B$?$H$($P(B - from any to any port = telnet -$B$H(B - from any to any port = 23 -$B$OF1$80UL#$H$J$j$^$9!#(B - -$B$5$F!"$3$3$G(B quick $B$NNc30$r@bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B -rule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B -$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W(B -$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B - -pass out quick proto udp from any to any keep state head 160 group 150 -block out log quick proto udp from any to any port 136 >< 140 group 160 - -$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B -$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B 
-$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B -block $B$7$F$$$kLu$G$9!#(B -$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B -$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B - ----------- -$BpJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B -pass in quick proto udp from any to any port = 520 keep state group 100 - -* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B -pass in quick proto icmp from any to any group 100 - -* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B - $B$NG$0U$N@\B3$r 1023 flags S/SA keep state group 100 - - $B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B - 1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B - $B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B) - $B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B - $B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B - -* sendmail$B$d(Bftpd$B$K7R$0$H!"Ajo$O5/F0$5$l$F$$(B - $B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B - $B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B - $BAjH$9$k$3$H$,$G$-$^$9!#(B - -$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B -$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B - -$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B -$B0J9_$G$O!"(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B -$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B -$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B -$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B - - -X$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B -$B$H$K$7$^$9!#(B - -* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B -pass in quick proto tcp from any to any port = telnet keep state group 110 - -* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B - 
($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B -pass in quick proto tcp from any to any port = ftp keep state group 110 -pass in quick proto tcp from any to any port = ftp-data keep state group 110 - -* X$B$X$N(Bssh$B$r5v$7$^$9!#(B -pass in quick proto tcp from any to any port = 22 keep state group 110 - -* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B -pass in quick proto tcp from any to any port = ftp keep state group 111 -pass in quick proto tcp from any to any port = ftp-data keep state group 111 -pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111 - - Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B - $B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B - $B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j(B - $B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B - $B@_Dj$7$F$$$^$9!#(B - - passive FTP $B$K$D$$$F2r@b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B - $B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B - $B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B - $B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B - - passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B - $B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B - $B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B - - $B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B - $B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B - $B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B - $B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess - $B$H$$$&%U%!%$%k$K(B - - # passive ports - passive ports 0.0.0.0/0 3000 3099 - - $B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B - -* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B -pass in quick proto tcp from any to any port = 80 keep state group 111 - -* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B -pass in quick 
proto tcp from any to any port = smtp keep state group 111 - -* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B -pass in quick proto tcp from any to any port = 110 keep state group 111 - -$B0J>e$N@_Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z(B -$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B -$B$/$J$j!"4IM}$N$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B -$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B - ------ -$B$=$NB>$NCm0U(B - -1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B -$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B -$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a, -b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B -$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111 -$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B - -($BNc(B) -#### grouping by host -block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100 -block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100 -#### allow NNTP -pass in quick proto tcp from any to any port = nntp keep state group 112 -pass in quick proto tcp from any to any port = nntp keep state group 113 - -gateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP -filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B -$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B - -2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B - NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B - -3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B - $B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding - $B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure - $B$GHFMQE*$JJ}K!$G$9!#(B - -$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B 
-$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B -# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B - -# 123.45.1.Z:0 (server) <-> A.B.C.D (client) -pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100 - ------ -$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B -$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"< 140 group 160 -# -## pass all TCP connection setup packets except for netbios ports (137-139). -# -pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150 -block out log quick proto tcp from any to any port 136 >< 140 group 170 -# -######### INCOMING -## ICMP -pass in quick proto icmp from any to any group 100 -## RIP -pass in quick proto udp from any to any port = 520 keep state group 100 -## FTP -pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100 -## IDENT -pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100 -# -## grouping by host (112 & 113 is the gateway address) -block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100 -block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100 -block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100 -block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100 -# -## telnet, ftp, ssh, www, smtp, pop -pass in quick proto tcp from any to any port = telnet keep state group 110 -pass in quick proto tcp from any to any port = ftp keep state group 110 -pass in quick proto tcp from any to any port = ftp-data keep state group 110 -pass in quick proto tcp from any to any port = 22 keep state group 110 -pass in quick proto tcp from any to any port = ftp keep state group 111 -pass in quick proto tcp from any to any port = ftp-data keep state group 111 -pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111 -pass in quick proto tcp from any 
to any port = 80 keep state group 111 -pass in quick proto tcp from any to any port = smtp keep state group 111 -pass in quick proto tcp from any to any port = 110 keep state -group 111 -# -## allow NNTP on the gateway -pass in quick proto tcp from any to any port = nntp keep state group 112 -pass in quick proto tcp from any to any port = nntp keep state group 113 -# -## X connections -# 123.45.1.Z:0 (server) <-> A.B.C.D (client) -pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100 -# -## log blocked packets -## THIS MUST BE THE LAST RULE! -block in log quick from any to 123.45.1.111/24 group 100 -block in log quick from any to 123.45.2.10 group 100 -===================== $B$3$3$^$G(B ==================== - ----- -$B$3$NJ8=q$N - and YAMAMOTO Hirotaka - -THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. - -Permission to modify this document and to distribute it is hereby -granted, as long as above notices and copyright notice are retained. diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 4b45a0a538f5..334cd4512188 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -6,7 +6,7 @@ # to the original author and the contributors. # # $FreeBSD$ -# Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $ +# Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $ # SHELL=/bin/sh BINDEST=/usr/local/bin 
@@ -132,10 +132,7 @@ all:
 	@echo "openbsd - compile for OpenBSD"
 	@echo "freebsd20 - compile for FreeBSD 2.0, 2.1 or earlier"
 	@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
-	@echo "freebsd3 - compile for FreeBSD-3.x"
-	@echo "freebsd4 - compile for FreeBSD-4.x"
-	@echo "freebsd5 - compile for FreeBSD-5.x"
-	@echo "freebsd6 - compile for FreeBSD-6.x"
+	@echo "freebsd - compile for all other versions of FreeBSD"
 	@echo "bsd - compile for generic 4.4BSD systems"
 	@echo "bsdi - compile for BSD/OS"
 	@echo "irix - compile for SGI IRIX"
@@ -152,6 +149,7 @@ retest:
 	else echo test directory not present, sorry; fi
 include:
+	-mkdir -p net netinet
 	if [ ! -f netinet/done ] ; then \
 		(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
 		(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
@@ -167,6 +165,9 @@ sunos solaris: include
 		MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
 		CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
+freebsd:
+	make freebsd`uname -r|cut -c1`
+
 freebsd22: include
 	make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
 	-rm -f BSD/$(CPUDIR)/ioconf.h
@@ -188,7 +189,7 @@ freebsd22: include
 	fi
 	make freebsd20
-freebsd5 freebsd6: include
+freebsd5 freebsd6 freebsd7: include
 	if [ x$(INET6) = x ] ; then \
 		echo "#undef INET6" > opt_inet6.h; \
 	else \
@@ -230,6 +231,15 @@ freebsd3 freebsd30: include
 netbsd: include
 	make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
+	@if [ ! -d /sys -o ! -d /sys/arch ] ; then \
+		echo "*****************************************************"; \
+		echo "* *"; \
+		echo "* Please extract source code to create /sys and *";\
+		echo "* /sys/arch and run 'config GENERIC' *"; \
+		echo "* *"; \
+		echo "*****************************************************"; \
+		exit 1; \
+	fi
 	(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
 	(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
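Review bot: The new `freebsd` target in the `@@ -167` hunk runs a bare `make` and derives the sub-target with `cut -c1`, so the make binary and flags the user invoked are dropped (the `sunos solaris` recipe just above forwards `MAKE="$(MAKE)"`, and the `sunos5` target later in the file uses `$(MAKE)`), and only the first character of `uname -r` survives, which cannot express a two-digit major release. I would write the recipe as `$(MAKE) freebsd\`uname -r | cut -d. -f1\`` so the whole major number is used. It is also worth noting in the `all` help text that `freebsd` dispatches on the running kernel's version, not on the source tree being built against.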
@@ -342,13 +352,9 @@ sunos4 solaris1:
 	(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
 sunos5 solaris2: null
-	(cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
+	(cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
 	(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-sunos5x86 solaris2x86: null
-	(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
-	(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-
 linux: include
 	(cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
 	(cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..)
@@ -365,7 +371,7 @@ install-sunos4: solaris
 	(cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
 install-sunos5: solaris null
-	(cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install)
+	(cd SunOS5; $(MAKE) TOP=.. install)
 install-aix:
 	(cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
diff --git a/contrib/ipfilter/bpf_filter.c b/contrib/ipfilter/bpf_filter.c
index 9291163f62ca..d75570e29267 100644
--- a/contrib/ipfilter/bpf_filter.c
+++ b/contrib/ipfilter/bpf_filter.c
@@ -42,7 +42,7 @@
 #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
 static const char rcsid[] =
-    "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.2 2005/12/30 12:57:28 darrenr Exp $ (LBL)";
+    "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.3 2006/10/03 11:25:56 darrenr Exp $ (LBL)";
 #endif
 #include
@@ -195,7 +195,8 @@ bpf_filter(pc, p, wirelen, buflen)
 	register int k;
 	int32 mem[BPF_MEMWORDS];
 	mb_t *m, *n;
-	int merr, len;
+	int merr = 0;	/* XXX: GCC */
+	int len;
 	if (buflen == 0) {
 		m = (mb_t *)p;
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 2bb4f5a517f4..a3efa871b251 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.11 2006/03/25 11:15:30 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.18 2007/09/09 11:32:05 darrenr Exp $";
 #endif
 #ifndef SOLARIS
@@ -64,7 +64,6 @@ struct file;
 #include
 #include
 #include
-#include
 #ifdef __hpux
 # define _NET_ROUTE_INCLUDED
@@ -82,10 +81,12 @@ struct file;
 #include
 # endif
 #endif
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) || defined(SOLARIS2)
 # include "radix_ipf.h"
 #endif
-#include
+#ifndef __osf__
+# include
+#endif
 #include
 #if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ && \
     !defined(__hpux) && !defined(linux)
@@ -109,6 +110,7 @@ struct file;
 #include
 #include
 #include
+#include
 #ifdef __hpux
 # undef _NET_ROUTE_INCLUDED
 #endif
@@ -146,7 +148,6 @@ extern struct protosw inetsw[];
 static struct ifnet **ifneta = NULL;
 static int nifs = 0;
-static int frzerostats __P((caddr_t));
 static void fr_setifpaddr __P((struct ifnet *, char *));
 void init_ifp __P((void));
 #if defined(__sgi) && (IRIX < 60500)
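Review bot: The `/* XXX: GCC */` on the new `int merr = 0;` in the bpf_filter hunk names the tool that complained but not why zero is a safe default, so a reader cannot tell from the declaration whether `merr` is consulted on paths that never assign it. If, as the name suggests, it only carries the mbuf pull-up result, I would say so: `int merr = 0;	/* set only on the mbuf pull-up path; 0 silences GCC's maybe-uninitialized warning */`. The bpf_filter body continues outside the hunk, so the assignment sites are not visible here and the wording should be checked against them. The other hunks on this line (rcsid and include changes in ip_fil.c) need no comment.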
@@ -169,37 +170,20 @@ static int write_output __P((struct ifnet *, struct mbuf *, #endif -int iplattach() +int ipfattach() { fr_running = 1; return 0; } -int ipldetach() +int ipfdetach() { fr_running = -1; return 0; } -static int frzerostats(data) -caddr_t data; -{ - friostat_t fio; - int error; - - fr_getstat(&fio); - error = copyoutptr(&fio, data, sizeof(fio)); - if (error) - return EFAULT; - - bzero((char *)frstats, sizeof(*frstats) * 2); - - return 0; -} - - /* * Filter ioctl interface. */ 
@@ -209,210 +193,20 @@ ioctlcmd_t cmd; caddr_t data; int mode; { - int error = 0, unit = 0, tmp; - friostat_t fio; + int error = 0, unit = 0, uid; + SPL_INT(s); + uid = getuid(); unit = dev; SPL_NET(s); - if (unit == IPL_LOGNAT) { - if (fr_running > 0) - error = fr_nat_ioctl(data, cmd, mode); - else - error = EIO; - SPL_X(s); - return error; - } - if (unit == IPL_LOGSTATE) { - if (fr_running > 0) - error = fr_state_ioctl(data, cmd, mode); - else - error = EIO; - SPL_X(s); - return error; - } - if (unit == IPL_LOGAUTH) { - if (fr_running > 0) { - if ((cmd == (ioctlcmd_t)SIOCADAFR) || - (cmd == (ioctlcmd_t)SIOCRMAFR)) { - if (!(mode & FWRITE)) { - error = EPERM; - } else { - error = frrequest(unit, cmd, data, - fr_active, 1); - } - } else { - error = fr_auth_ioctl(data, mode, cmd); - } - } else - error = EIO; - SPL_X(s); - return error; - } - if (unit == IPL_LOGSYNC) { -#ifdef IPFILTER_SYNC - if (fr_running > 0) - error = fr_sync_ioctl(data, cmd, mode); - else -#endif - error = EIO; - SPL_X(s); - return error; - } - if (unit == IPL_LOGSCAN) { -#ifdef IPFILTER_SCAN - if (fr_running > 0) - error = fr_scan_ioctl(data, cmd, mode); - else -#endif - error = EIO; - SPL_X(s); - return error; - } - if (unit == IPL_LOGLOOKUP) { - if (fr_running > 0) - error = ip_lookup_ioctl(data, cmd, mode); - else - error = EIO; + error = fr_ioctlswitch(unit, data, cmd, mode, uid, NULL); + if (error != -1) { SPL_X(s); return error; } - switch (cmd) - { - case FIONREAD : -#ifdef IPFILTER_LOG - error = COPYOUT(&iplused[IPL_LOGIPF], (caddr_t)data, - sizeof(iplused[IPL_LOGIPF])); -#endif - break; - case SIOCFRENB : - if (!(mode & FWRITE)) - error = EPERM; - else { - error = COPYIN(data, &tmp, sizeof(tmp)); - if (error) - break; - if (tmp) - error = iplattach(); - else - error = ipldetach(); - } - break; - case SIOCIPFSET : - if (!(mode & FWRITE)) { - error = EPERM; - break; - } - case SIOCIPFGETNEXT : - case SIOCIPFGET : - error = fr_ipftune(cmd, (void *)data); - break; - case SIOCSETFF : - if 
(!(mode & FWRITE)) - error = EPERM; - else - error = COPYIN(data, &fr_flags, sizeof(fr_flags)); - break; - case SIOCGETFF : - error = COPYOUT(&fr_flags, data, sizeof(fr_flags)); - break; - case SIOCFUNCL : - error = fr_resolvefunc(data); - break; - case SIOCINAFR : - case SIOCRMAFR : - case SIOCADAFR : - case SIOCZRLST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, data, fr_active, 1); - break; - case SIOCINIFR : - case SIOCRMIFR : - case SIOCADIFR : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, data, 1 - fr_active, 1); - break; - case SIOCSWAPA : - if (!(mode & FWRITE)) - error = EPERM; - else { - bzero((char *)frcache, sizeof(frcache[0]) * 2); - *(u_int *)data = fr_active; - fr_active = 1 - fr_active; - } - break; - case SIOCGETFS : - fr_getstat(&fio); - error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT); - break; - case SIOCFRZST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frzerostats(data); - break; - case SIOCIPFFL : - if (!(mode & FWRITE)) - error = EPERM; - else { - error = COPYIN(data, &tmp, sizeof(tmp)); - if (!error) { - tmp = frflush(unit, 4, tmp); - error = COPYOUT(&tmp, data, sizeof(tmp)); - } - } - break; -#ifdef USE_INET6 - case SIOCIPFL6 : - if (!(mode & FWRITE)) - error = EPERM; - else { - error = COPYIN(data, &tmp, sizeof(tmp)); - if (!error) { - tmp = frflush(unit, 6, tmp); - error = COPYOUT(&tmp, data, sizeof(tmp)); - } - } - break; -#endif - case SIOCSTLCK : - error = COPYIN(data, &tmp, sizeof(tmp)); - if (error == 0) { - fr_state_lock = tmp; - fr_nat_lock = tmp; - fr_frag_lock = tmp; - fr_auth_lock = tmp; - } else - error = EFAULT; - break; -#ifdef IPFILTER_LOG - case SIOCIPFFB : - if (!(mode & FWRITE)) - error = EPERM; - else - *(int *)data = ipflog_clear(unit); - break; -#endif /* IPFILTER_LOG */ - case SIOCGFRST : - error = fr_outobj(data, fr_fragstats(), IPFOBJ_FRAGSTAT); - break; - case SIOCFRSYN : - if (!(mode & FWRITE)) - error = EPERM; - else { - 
frsync(NULL); - } - break; - default : - error = EINVAL; - break; - } SPL_X(s); return error; } @@ -596,7 +390,7 @@ int v; *addr++ = '\0'; for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { - COPYIFNAME(ifp, ifname); + COPYIFNAME(v, ifp, ifname); if (!strcmp(name, ifname)) { if (addr != NULL) fr_setifpaddr(ifp, addr); @@ -635,6 +429,9 @@ int v; } ifp = ifneta[nifs - 1]; +#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + TAILQ_INIT(&ifp->if_addrlist); +#endif #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) @@ -652,7 +449,7 @@ int v; ifp->if_unit = -1; } #endif - ifp->if_output = no_output; + ifp->if_output = (void *)no_output; if (addr != NULL) { fr_setifpaddr(ifp, addr); @@ -688,7 +485,7 @@ void init_ifp() (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { - ifp->if_output = write_output; + ifp->if_output = (void *)write_output; sprintf(fname, "/tmp/%s", ifp->if_xname); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); if (fd == -1) @@ -998,3 +795,9 @@ struct in_addr *inp, *inpmask; } return 0; } + + +int ipfsync() +{ + return 0; +} diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index 25401c45f963..ae05ca75a906 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 2.71.2.8 2005/12/30 07:03:21 darrenr Exp $ + * $Id: ipf.h,v 2.71.2.15 2007/05/11 10:44:14 darrenr Exp $ */ #ifndef __IPF_H__ 
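Review bot: The value -1 that fr_ioctlswitch apparently uses for "not handled here" is passed straight back to the caller as the ioctl result: after `if (error != -1) { SPL_X(s); return error; }` the code falls through to `SPL_X(s); return error;`, which does exactly the same thing, so the test is dead and an unrecognised command now returns -1 where the removed `default:` case returned EINVAL. Either map the sentinel before the final return, `if (error == -1) error = EINVAL;`, or keep a per-unit switch for the IPL_LOGIPF commands as the removed code did. Every `mode & FWRITE` → EPERM guard on the mutating commands (SIOCFRENB, SIOCADAFR, SIOCFRZST, SIOCIPFFL, SIOCSWAPA, ...) has also left this function; presumably fr_ioctlswitch re-checks `mode` itself, but that is not visible here and deserves confirming, since `uid` from getuid() is now the only caller-identity input forwarded. iplioctl's signature and parameter list begin before the hunk.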
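Review bot: `ifp->if_output = (void *)no_output;` converts a function pointer through `void *`, which is not a portable conversion in C and, more to the point, suppresses whatever prototype mismatch made the cast necessary: if `no_output`'s parameter list differs from the `if_output` member's type, the call through the member is undefined behaviour and the compiler can no longer report it. Cast to the member's exact function-pointer type, or fix no_output's signature to match, and do the same for the `(void *)write_output` assignment in the following hunk. The enclosing function extends beyond this hunk on both sides.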
@@ -183,14 +183,14 @@ extern struct ipopt_names v6ionames[]; extern int addicmp __P((char ***, struct frentry *, int)); extern int addipopt __P((char *, struct ipopt_names *, int, char *)); -extern int addkeep __P((char ***, struct frentry *, int)); +extern void alist_free __P((alist_t *)); +extern alist_t *alist_new __P((int, char *)); extern void binprint __P((void *, size_t)); extern void initparse __P((void)); extern u_32_t buildopts __P((char *, char *, int)); extern int checkrev __P((char *)); extern int count6bits __P((u_32_t *)); extern int count4bits __P((u_32_t)); -extern int extras __P((char ***, struct frentry *, int)); extern char *fac_toname __P((int)); extern int fac_findname __P((char *)); extern void fill6bits __P((int, u_int *)); @@ -198,19 +198,12 @@ extern int gethost __P((char *, u_32_t *)); extern int getport __P((struct frentry *, char *, u_short *)); extern int getportproto __P((char *, int)); extern int getproto __P((char *)); -extern char *getline __P((char *, size_t, FILE *, int *)); -extern int genmask __P((char *, u_32_t *)); -extern char *getnattype __P((struct ipnat *)); +extern char *getnattype __P((struct nat *, int)); extern char *getsumd __P((u_32_t)); extern u_32_t getoptbyname __P((char *)); extern u_32_t getoptbyvalue __P((int)); extern u_32_t getv6optbyname __P((char *)); extern u_32_t getv6optbyvalue __P((int)); -extern void hexdump __P((FILE *, void *, int, int)); -extern int hostmask __P((char ***, char *, char *, u_32_t *, u_32_t *, int)); -extern int hostnum __P((u_32_t *, char *, int, char *)); -extern int icmpcode __P((char *)); -extern int icmpidnum __P((char *, u_short *, int)); extern void initparse __P((void)); extern void ipf_dotuning __P((int, char *, ioctlfunc_t)); extern void ipf_addrule __P((int, ioctlfunc_t, void *)); 
@@ -225,23 +218,21 @@ extern int ippool_parsefile __P((int, char *, ioctlfunc_t)); extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t)); extern int kmemcpywrap __P((void *, void *, size_t)); extern char *kvatoname __P((ipfunc_t, ioctlfunc_t)); +extern alist_t *load_file __P((char *)); extern int load_hash __P((struct iphtable_s *, struct iphtent_s *, ioctlfunc_t)); extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t)); +extern alist_t *load_http __P((char *)); extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t)); extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t)); -extern int loglevel __P((char **, u_int *, int)); +extern alist_t *load_url __P((char *)); extern alist_t *make_range __P((int, struct in_addr, struct in_addr)); extern ipfunc_t nametokva __P((char *, ioctlfunc_t)); -extern ipnat_t *natparse __P((char *, int)); -extern void natparsefile __P((int, char *, int)); extern void nat_setgroupmap __P((struct ipnat *)); extern int ntomask __P((int, int, u_32_t *)); extern u_32_t optname __P((char ***, u_short *, int)); extern struct frentry *parse __P((char *, int)); extern char *portname __P((int, int)); -extern int portnum __P((char *, char *, u_short *, int)); -extern int ports __P((char ***, char *, u_short *, int *, u_short *, int)); extern int pri_findname __P((char *)); extern char *pri_toname __P((int)); extern void print_toif __P((char *, struct frdest *)); @@ -251,6 +242,8 @@ extern void printfr __P((struct frentry *, ioctlfunc_t)); extern void printtunable __P((ipftune_t *)); extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t, char *, int)); +extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *, int)); +extern void printhashdata __P((iphtable_t *, int)); extern struct iphtent_s *printhashnode __P((struct iphtable_s *, struct iphtent_s *, copyfunc_t, int)); 
@@ -263,6 +256,9 @@ extern void printpacket __P((struct ip *)); extern void printpacket6 __P((struct ip *)); extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t, char *, int)); +extern struct ip_pool_s *printpool_live __P((struct ip_pool_s *, int, + char *, int)); +extern void printpooldata __P((ip_pool_t *, int)); extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int)); extern void printproto __P((struct protoent *, int, struct ipnat *)); extern void printportcmp __P((int, struct frpcmp *)); @@ -270,15 +266,12 @@ extern void optprint __P((u_short *, u_long, u_long)); #ifdef USE_INET6 extern void optprintv6 __P((u_short *, u_long, u_long)); #endif -extern int ratoi __P((char *, int *, int, int)); -extern int ratoui __P((char *, u_int *, u_int, u_int)); extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t)); extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t)); extern int remove_pool __P((ip_pool_t *, ioctlfunc_t)); extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t)); extern u_char tcp_flags __P((char *, u_char *, int)); extern u_char tcpflags __P((char *)); -extern int to_interface __P((struct frdest *, char *, int)); extern void printc __P((struct frentry *)); extern void printC __P((int)); extern void emit __P((int, int, void *, struct frentry *)); @@ -290,9 +283,9 @@ extern char *hostname __P((int, void *)); extern struct ipstate *printstate __P((struct ipstate *, int, u_long)); extern void printsbuf __P((char *)); extern void printnat __P((struct ipnat *, int)); -extern void printactivenat __P((struct nat *, int)); +extern void printactivenat __P((struct nat *, int, int, u_long)); extern void printhostmap __P((struct hostmap *, u_int)); -extern void printpacket __P((struct ip *)); +extern void printtqtable __P((ipftq_t *)); extern void set_variable __P((char *, char *)); extern char *get_variable __P((char *, char **, int)); 
diff --git a/contrib/ipfilter/iplang/Makefile b/contrib/ipfilter/iplang/Makefile index 5b53e9a43609..1d66bb655c5a 100644 --- a/contrib/ipfilter/iplang/Makefile +++ b/contrib/ipfilter/iplang/Makefile @@ -3,20 +3,21 @@ # #CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O CFLAGS=-I.. +CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o $(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c - $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@ + $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@ $(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c - $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@ + $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@ iplang_y.o: iplang_y.c - $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@ + $(CC) $(CCARGS) $< -o $@ iplang_l.o: iplang_l.c - $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@ + $(CC) $(CCARGS) $< -o $@ $(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h lex iplang_l.l diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index 34a980ff61ff..4080ac15329f 100644 --- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y @@ -6,17 +6,17 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $ * $FreeBSD$ + * Id: iplang_y.y,v 2.9.2.5 2007/02/17 12:41:48 darrenr Exp $ */ #include #include #include #if !defined(__SVR4) && !defined(__svr4__) -#include +# include #else -#include +# include #endif #include #include @@ -30,11 +30,14 @@ #include #include #ifndef linux -#include +# include +#endif +#ifdef __osf__ +# include "radix_ipf_local.h" #endif #include #ifndef linux -#include +# include #endif #include #include 
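Review bot: The two in-tree recipes lose the `-c` (and `$(LINUX)`) when their flags are folded into CCARGS: `iplang_y.o: iplang_y.c` now runs `$(CC) $(CCARGS) $< -o $@`, which asks the compiler to link iplang_y.c into an executable named iplang_y.o rather than compile it, so the build either fails on undefined references or leaves a bogus "object" behind; the two `$(DESTDIR)` rules just above keep `$(LINUX) -c` and show the intended form. Change both in-tree recipes to `$(CC) $(CCARGS) $(LINUX) -c $< -o $@`. CCARGS also injects `-I$(DESTDIR)` and `-I$(DESTDIR)/..` into these rules; if DESTDIR is unset when they are invoked the first expands to a bare `-I`, which would take the next argument as its operand, so check how the in-tree targets are actually called.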
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c index 1063d3a752e0..6ee4f1b58f87 100644 --- a/contrib/ipfilter/ipsend/44arp.c +++ b/contrib/ipfilter/ipsend/44arp.c @@ -16,7 +16,9 @@ #if defined(__FreeBSD__) # include "radix_ipf.h" #endif -#include +#ifndef __osf__ +# include +#endif #include #include #include diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c index d519a548922e..8670bda76b46 100644 --- a/contrib/ipfilter/ipsend/arp.c +++ b/contrib/ipfilter/ipsend/arp.c @@ -7,20 +7,23 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.1 2005/06/12 07:18:38 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.2 2007/02/17 12:41:50 darrenr Exp $"; #endif #include #include #if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) && !defined(_AIX51) -#include +# include #endif #include #include #include +#ifdef __osf__ +# include "radix_ipf_local.h" +#endif #include #include #ifndef ultrix -#include +# include #endif #include #include diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index 8d469efafa99..26a7a892bed3 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -7,12 +7,15 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.1 2004/10/19 12:31:48 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $"; #endif #include #include #include #include +#ifdef __osf__ +# include "radix_ipf_local.h" +#endif #include #include #include diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index ea358df36516..0dd96b831320 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c 
@@ -8,7 +8,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.7 2006/03/21 16:10:55 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.9 2007/09/13 07:19:34 darrenr Exp $"; #endif #include #include @@ -22,6 +22,9 @@ typedef int boolean_t; #endif #include #if !defined(__osf__) +# ifdef __NetBSD__ +# include +# endif # define _KERNEL # define KERNEL # if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux) @@ -64,6 +67,9 @@ typedef int boolean_t; #ifdef __hpux # define _NET_ROUTE_INCLUDED #endif +#ifdef __osf__ +# include "radix_ipf_local.h" +#endif #include #if defined(linux) && (LINUX >= 0200) # include @@ -1094,7 +1100,8 @@ int ptest; struct tcpcb *tcbp, tcb; struct tcpiphdr ti; struct sockaddr_in sin; - int fd, slen; + int fd; + socklen_t slen; bzero((char *)&sin, sizeof(sin)); diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index da5c2bfb03ee..b988e9b20d94 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c @@ -8,12 +8,15 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.2 2006/03/17 13:45:34 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.3 2007/02/17 12:41:51 darrenr Exp $"; #endif #include #include #include #include +#ifdef __osf__ +# include "radix_ipf_local.h" +#endif #include #include #include diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c index 5b5835940797..f48fd06bbc34 100644 --- a/contrib/ipfilter/ipsend/sdlpi.c +++ b/contrib/ipfilter/ipsend/sdlpi.c @@ -27,6 +27,7 @@ #endif #ifdef __osf__ # include +# include "radix_ipf_local.h" #else # include #endif 
@@ -48,7 +49,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.1 2004/12/09 19:41:13 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $"; #endif #define CHUNKSIZE 8192 diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index f6edbd2d148f..9a2cfc3fb667 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.4 2006/03/21 16:10:56 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.7 2007/09/13 07:19:34 darrenr Exp $"; #endif #include #include @@ -30,6 +30,9 @@ typedef int boolean_t; # include #endif #if !defined(__osf__) +# ifdef __NetBSD__ +# include +# endif # define _KERNEL # define KERNEL # ifdef ultrix @@ -66,7 +69,9 @@ typedef int boolean_t; #if defined(__FreeBSD__) # include "radix_ipf.h" #endif -#include +#ifndef __osf__ +# include +#endif #include #include #include @@ -294,11 +299,14 @@ struct tcpiphdr *ti; return NULL; fd = (struct filedesc *)malloc(sizeof(*fd)); + if (fd == NULL) + return NULL; #if defined( __FreeBSD_version) && __FreeBSD_version >= 500013 if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1) { fprintf(stderr, "read(%#lx,%#lx) failed\n", (u_long)p, (u_long)p->ki_fd); + free(fd); return NULL; } #else @@ -306,6 +314,7 @@ struct tcpiphdr *ti; { fprintf(stderr, "read(%#lx,%#lx) failed\n", (u_long)p, (u_long)p->kp_proc.p_fd); + free(fd); return NULL; } #endif @@ -379,7 +388,8 @@ struct in_addr gwip; { struct sockaddr_in rsin, lsin; struct tcpcb *t, tcb; - int fd, nfd, len; + int fd, nfd; + socklen_t len; printf("Dest. Port: %d\n", ti->ti_dport); 
diff --git a/contrib/ipfilter/l4check/Makefile b/contrib/ipfilter/l4check/Makefile index e7366b63ad6a..e2bb9f8b3cff 100644 --- a/contrib/ipfilter/l4check/Makefile +++ b/contrib/ipfilter/l4check/Makefile @@ -4,7 +4,7 @@ all: l4check l4check: l4check.c - $(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@ + $(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@ clean: /bin/rm -f l4check diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c index 5c44a3703e52..fd2753ea22be 100644 --- a/contrib/ipfilter/l4check/l4check.c +++ b/contrib/ipfilter/l4check/l4check.c @@ -27,6 +27,7 @@ #include "ip_compat.h" #include "ip_fil.h" #include "ip_nat.h" +#include "ipl.h" #include "ipf.h" @@ -98,13 +99,21 @@ char *dst, *src; void addnat(l4) l4cfg_t *l4; { + ipnat_t *ipn = &l4->l4_nat; - printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]), + printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ntohs(ipn->in_pmin)); - printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext)); + printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext)); if (!(opts & OPT_DONOTHING)) { - if (ioctl(natfd, SIOCADNAT, &ipn) == -1) + ipfobj_t obj; + + bzero(&obj, sizeof(obj)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(*ipn); + obj.ipfo_ptr = ipn; + + if (ioctl(natfd, SIOCADNAT, &obj) == -1) perror("ioctl(SIOCADNAT)"); } } 
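Review bot: The ipfobj_t built in addnat sets ipfo_rev, ipfo_size and ipfo_ptr but never an object type, so after the bzero the kernel sees a zero type tag; elsewhere in this diff ipfobj requests are typed (`IPFOBJ_IPFSTAT`, `IPFOBJ_FRAGSTAT` in ip_fil.c), and if SIOCADNAT validates the tag the way those do, this request is rejected before the rule is examined. Please confirm against the kernel's SIOCADNAT handler and, if it does, set `obj.ipfo_type` to the ipnat object tag alongside the other three fields. `obj.ipfo_size = sizeof(*ipn)` is correct only while `ipn` stays an `ipnat_t *`; a short comment tying the size to the struct the kernel copies in, e.g. `/* kernel copies in one ipnat_t */`, would keep that from drifting. addnat is shown in full in this hunk.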
@@ -116,9 +125,16 @@ l4cfg_t *l4; ipnat_t *ipn = &l4->l4_nat; printf("Remove NAT rule for %s/%#x,%u -> ", - inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin); - printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext); + inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin); + printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext); if (!(opts & OPT_DONOTHING)) { + ipfobj_t obj; + + bzero(&obj, sizeof(obj)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(*ipn); + obj.ipfo_ptr = ipn; + if (ioctl(natfd, SIOCRMNAT, &ipn) == -1) perror("ioctl(SIOCRMNAT)"); } @@ -178,7 +194,6 @@ l4cfg_t *l4; void writefd(l4) l4cfg_t *l4; { - char buf[80], *ptr; int n, i, fd; fd = l4->l4_fd; @@ -410,7 +425,6 @@ u_short *portp; struct servent *sp; struct hostent *hp; char *host, *port; - struct in_addr ip; host = str; port = strchr(host, ','); @@ -555,7 +569,8 @@ char *filename; break; } - strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname)); + strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ); + strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ); if (!gethostport(t, num, &ipn->in_outip, &ipn->in_pmin)) { errtxt = line; @@ -567,11 +582,11 @@ char *filename; if (opts & OPT_VERBOSE) fprintf(stderr, "Interface %s %s/%#x port %u\n", - ipn->in_ifname, - inet_ntoa(ipn->in_out[0]), + ipn->in_ifnames[0], + inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin); } else if (!strcasecmp(t, "remote")) { - if (!*ipn->in_ifname) { + if (!*ipn->in_ifnames[0]) { fprintf(stderr, "%d: ifname not set prior to remote\n", num); @@ -606,7 +621,7 @@ char *filename; break; } bcopy((char *)&template, (char *)l4, sizeof(*l4)); - l4->l4_sin.sin_addr = ipn->in_in[0]; + l4->l4_sin.sin_addr = ipn->in_in[0].in4; l4->l4_sin.sin_port = ipn->in_pnext; l4->l4_next = l4list; l4list = l4; @@ -793,7 +808,7 @@ char *argv[]; } if (!(opts & OPT_DONOTHING)) { - natfd = open(IPL_NAT, O_RDWR); + natfd = open(IPNAT_NAME, O_RDWR); if (natfd == -1) { perror("open(IPL_NAT)"); exit(1); 
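Review bot: In the remove path the new ipfobj_t is built and then never used: the unchanged line `if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)` still passes the address of the local `ipn` pointer, so the kernel receives a pointer-to-pointer where addnat (previous hunk) now hands it `&obj`, and the removal will fail or misparse depending on what SIOCRMNAT copies in. Change the call to `if (ioctl(natfd, SIOCRMNAT, &obj) == -1)` to match addnat. The missing object-type tag noted on addnat applies here too, and a compiler run with the `-Wall` the l4check Makefile now enables should flag `obj` as set-but-unused, which is a useful check that the fix landed.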
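Review bot: `strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ)` leaves no terminator when `s` is LIFNAMSIZ characters or longer, and the field is then printed with `%s` in the verbose fprintf (next hunk) and sent to the kernel inside the ipnat request, so an over-long interface token in the config file produces an unterminated name; the element size of in_ifnames is not visible here, but if it is exactly LIFNAMSIZ there is no spare byte. Reject long names before copying, in the style this parser already uses for errors: `if (strlen(s) >= LIFNAMSIZ) { errtxt = line; break; }`, or at minimum force `ipn->in_ifnames[0][LIFNAMSIZ - 1] = '\0'` (and the same for `[1]`) after each copy. The enclosing parse loop starts and ends outside the hunk.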
@@ -804,4 +819,6 @@ char *argv[]; fprintf(stderr, "Starting...\n"); while (runconfig() == 0) ; + + exit(1); } diff --git a/contrib/ipfilter/lib/Makefile b/contrib/ipfilter/lib/Makefile index 3dcf3a16b66e..a838063c674c 100644 --- a/contrib/ipfilter/lib/Makefile +++ b/contrib/ipfilter/lib/Makefile @@ -1,7 +1,16 @@ +# +# Copyright (C) 1993-2001 by Darren Reed. +# +# See the IPFILTER.LICENCE file for details on licencing. +# +# $Id: Makefile,v 1.41.2.14 2007/09/21 08:30:43 darrenr Exp $ +# INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/addipopt.o \ + $(DEST)/alist_free.o \ + $(DEST)/alist_new.o \ $(DEST)/bcopywrap.o \ $(DEST)/binprint.o \ $(DEST)/buildopts.o \ @@ -9,23 +18,17 @@ LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/count6bits.o \ $(DEST)/count4bits.o \ $(DEST)/debug.o \ - $(DEST)/extras.o \ $(DEST)/facpri.o \ $(DEST)/flags.o \ $(DEST)/fill6bits.o \ - $(DEST)/genmask.o \ $(DEST)/gethost.o \ $(DEST)/getifname.o \ - $(DEST)/getline.o \ $(DEST)/getnattype.o \ $(DEST)/getport.o \ $(DEST)/getportproto.o \ $(DEST)/getproto.o \ $(DEST)/getsumd.o \ - $(DEST)/hexdump.o \ - $(DEST)/hostmask.o \ $(DEST)/hostname.o \ - $(DEST)/hostnum.o \ $(DEST)/icmpcode.o \ $(DEST)/inet_addr.o \ $(DEST)/initparse.o \ @@ -41,11 +44,13 @@ LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/kmem.o \ $(DEST)/kmemcpywrap.o \ $(DEST)/kvatoname.o \ + $(DEST)/load_file.o \ $(DEST)/load_hash.o \ $(DEST)/load_hashnode.o \ + $(DEST)/load_http.o \ $(DEST)/load_pool.o \ $(DEST)/load_poolnode.o \ - $(DEST)/loglevel.o \ + $(DEST)/load_url.o \ $(DEST)/mutex_emul.o \ $(DEST)/nametokva.o \ $(DEST)/nat_setgroupmap.o \ 
@@ -55,17 +60,19 @@ LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/optprintv6.o \ $(DEST)/optvalue.o \ $(DEST)/portname.o \ - $(DEST)/portnum.o \ - $(DEST)/ports.o \ $(DEST)/print_toif.o \ $(DEST)/printactivenat.o \ $(DEST)/printaps.o \ $(DEST)/printbuf.o \ $(DEST)/printhash.o \ + $(DEST)/printhashdata.o \ $(DEST)/printhashnode.o \ + $(DEST)/printhash_live.o \ $(DEST)/printip.o \ $(DEST)/printpool.o \ + $(DEST)/printpooldata.o \ $(DEST)/printpoolnode.o \ + $(DEST)/printpool_live.o \ $(DEST)/printproto.o \ $(DEST)/printfr.o \ $(DEST)/printfraginfo.o \ @@ -80,9 +87,8 @@ LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/printpacket6.o \ $(DEST)/printsbuf.o \ $(DEST)/printstate.o \ + $(DEST)/printtqtable.o \ $(DEST)/printtunable.o \ - $(DEST)/ratoi.o \ - $(DEST)/ratoui.o \ $(DEST)/remove_hash.o \ $(DEST)/remove_hashnode.o \ $(DEST)/remove_pool.o \ @@ -91,7 +97,6 @@ LIBOBJS=$(DEST)/addicmp.o \ $(DEST)/rwlock_emul.o \ $(DEST)/tcpflags.o \ $(DEST)/tcp_flags.o \ - $(DEST)/to_interface.o \ $(DEST)/var.o \ $(DEST)/verbose.o \ $(DEST)/v6ionames.o \ @@ -106,6 +111,10 @@ $(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@ $(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@ +$(DEST)/alist_free.o: $(LIBSRC)/alist_free.c $(INCDEP) + $(CC) $(CCARGS) -c $(LIBSRC)/alist_free.c -o $@ +$(DEST)/alist_new.o: $(LIBSRC)/alist_new.c $(INCDEP) + $(CC) $(CCARGS) -c $(LIBSRC)/alist_new.c -o $@ $(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@ $(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP) 
@@ -120,18 +129,12 @@ $(DEST)/count4bits.o: $(LIBSRC)/count4bits.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@ $(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@ -$(DEST)/extras.o: $(LIBSRC)/extras.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/extras.c -o $@ $(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@ $(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@ $(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@ -$(DEST)/genmask.o: $(LIBSRC)/genmask.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/genmask.c -o $@ -$(DEST)/getline.o: $(LIBSRC)/getline.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/getline.c -o $@ $(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@ $(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP) @@ -146,14 +149,8 @@ $(DEST)/getproto.o: $(LIBSRC)/getproto.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/getproto.c -o $@ $(DEST)/getsumd.o: $(LIBSRC)/getsumd.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/getsumd.c -o $@ -$(DEST)/hexdump.o: $(LIBSRC)/hexdump.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/hexdump.c -o $@ -$(DEST)/hostmask.o: $(LIBSRC)/hostmask.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/hostmask.c -o $@ $(DEST)/hostname.o: $(LIBSRC)/hostname.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@ -$(DEST)/hostnum.o: $(LIBSRC)/hostnum.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/hostnum.c -o $@ $(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@ $(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP) 
@@ -184,14 +181,20 @@ $(DEST)/kmemcpywrap.o: $(LIBSRC)/kmemcpywrap.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/kmemcpywrap.c -o $@ $(DEST)/kvatoname.o: $(LIBSRC)/kvatoname.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@ +$(DEST)/load_file.o: $(LIBSRC)/load_file.c $(INCDEP) + $(CC) $(CCARGS) -c $(LIBSRC)/load_file.c -o $@ $(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h $(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@ $(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h $(CC) $(CCARGS) -c $(LIBSRC)/load_hashnode.c -o $@ +$(DEST)/load_http.o: $(LIBSRC)/load_http.c $(INCDEP) + $(CC) $(CCARGS) -c $(LIBSRC)/load_http.c -o $@ $(DEST)/load_pool.o: $(LIBSRC)/load_pool.c $(INCDEP) $(TOP)/ip_pool.h $(CC) $(CCARGS) -c $(LIBSRC)/load_pool.c -o $@ $(DEST)/load_poolnode.o: $(LIBSRC)/load_poolnode.c $(INCDEP) $(TOP)/ip_pool.h $(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@ +$(DEST)/load_url.o: $(LIBSRC)/load_url.c $(INCDEP) + $(CC) $(CCARGS) -c $(LIBSRC)/load_url.c -o $@ $(DEST)/make_range.o: $(LIBSRC)/make_range.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/make_range.c -o $@ $(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP) @@ -203,8 +206,6 @@ $(DEST)/nat_setgroupmap.o: $(LIBSRC)/nat_setgroupmap.c $(TOP)/ip_compat.h \ $(CC) $(CCARGS) -c $(LIBSRC)/nat_setgroupmap.c -o $@ $(DEST)/ntomask.o: $(LIBSRC)/ntomask.c $(TOP)/ip_compat.h $(CC) $(CCARGS) -c $(LIBSRC)/ntomask.c -o $@ -$(DEST)/loglevel.o: $(LIBSRC)/loglevel.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/loglevel.c -o $@ $(DEST)/optname.o: $(LIBSRC)/optname.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/optname.c -o $@ $(DEST)/optprint.o: $(LIBSRC)/optprint.c $(INCDEP) 
@@ -215,10 +216,6 @@ $(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@ $(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@ -$(DEST)/portnum.o: $(LIBSRC)/portnum.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/portnum.c -o $@ -$(DEST)/ports.o: $(LIBSRC)/ports.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/ports.c -o $@ $(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@ $(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP) 
@@ -233,16 +230,25 @@ $(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h $(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@ $(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h $(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@ +$(DEST)/printhashdata.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h + $(CC) $(CCARGS) -c $(LIBSRC)/printhashdata.c -o $@ $(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \ $(TOP)/ip_htable.h $(TOP)/ip_lookup.h $(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@ +$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h + $(CC) $(CCARGS) -c $(LIBSRC)/printhash_live.c -o $@ $(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h $(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@ $(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h $(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@ +$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h + $(CC) $(CCARGS) -c $(LIBSRC)/printpooldata.c -o $@ $(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \ $(TOP)/ip_pool.h $(TOP)/ip_lookup.h $(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@ +$(DEST)/printpool_live.o: $(LIBSRC)/printpool_live.c $(TOP)/ip_fil.h \ + $(TOP)/ip_pool.h $(TOP)/ip_lookup.h + $(CC) $(CCARGS) -c $(LIBSRC)/printpool_live.c -o $@ $(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h $(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@ $(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h 
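Review bot: The new `$(DEST)/printhashdata.o` rule names `$(LIBSRC)/printhash.c` as its prerequisite while its recipe compiles `$(LIBSRC)/printhashdata.c`, so edits to printhashdata.c never trigger a rebuild and a missing printhashdata.c is only noticed when the recipe runs; the neighbouring printhash_live and printpooldata rules show the intended form. Change the first line to `$(DEST)/printhashdata.o: $(LIBSRC)/printhashdata.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h`. The printpool_live rule also lists `$(TOP)/ip_lookup.h` where printhash_live does not; worth checking both sources' includes so the dependency lists reflect what each file actually pulls in.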
@@ -267,12 +273,10 @@ $(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@ $(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h $(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@ +$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP) + $(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@ $(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@ -$(DEST)/ratoi.o: $(LIBSRC)/ratoi.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/ratoi.c -o $@ -$(DEST)/ratoui.o: $(LIBSRC)/ratoui.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/ratoui.c -o $@ $(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \ $(TOP)/ip_htable.h $(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@ @@ -289,8 +293,6 @@ $(DEST)/resetlexer.o: $(LIBSRC)/resetlexer.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/resetlexer.c -o $@ $(DEST)/rwlock_emul.o: $(LIBSRC)/rwlock_emul.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/rwlock_emul.c -o $@ -$(DEST)/to_interface.o: $(LIBSRC)/to_interface.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/to_interface.c -o $@ $(DEST)/tcpflags.o: $(LIBSRC)/tcpflags.c $(INCDEP) $(CC) $(CCARGS) -c $(LIBSRC)/tcpflags.c -o $@ $(DEST)/tcp_flags.o: $(LIBSRC)/tcp_flags.c $(INCDEP) diff --git a/contrib/ipfilter/lib/addicmp.c b/contrib/ipfilter/lib/addicmp.c index 39b6fd4e8e46..ef9abfed3c9c 100644 --- a/contrib/ipfilter/lib/addicmp.c +++ b/contrib/ipfilter/lib/addicmp.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: addicmp.c,v 1.10.2.4 2006/02/25 17:41:57 darrenr Exp $ + * $Id: addicmp.c,v 1.10.2.5 2006/06/16 17:20:55 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/addipopt.c b/contrib/ipfilter/lib/addipopt.c index 6dc7f48bb2ca..79155e7e4c57 100644 --- a/contrib/ipfilter/lib/addipopt.c +++ b/contrib/ipfilter/lib/addipopt.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: addipopt.c,v 1.7 2002/01/28 06:50:45 darrenr Exp $ + * $Id: addipopt.c,v 1.7.4.1 2006/06/16 17:20:56 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/bcopywrap.c b/contrib/ipfilter/lib/bcopywrap.c index 4c689309a6b9..b2e8427a7b37 100644 --- a/contrib/ipfilter/lib/bcopywrap.c +++ b/contrib/ipfilter/lib/bcopywrap.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: bcopywrap.c,v 1.1.4.1 2006/06/16 17:20:56 darrenr Exp $ + */ + #include "ipf.h" int bcopywrap(from, to, size) diff --git a/contrib/ipfilter/lib/binprint.c b/contrib/ipfilter/lib/binprint.c index b475aa130889..fcb47ed37e5b 100644 --- a/contrib/ipfilter/lib/binprint.c +++ b/contrib/ipfilter/lib/binprint.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: binprint.c,v 1.8 2002/05/14 15:18:56 darrenr Exp $ + * $Id: binprint.c,v 1.8.4.1 2006/06/16 17:20:56 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/buildopts.c b/contrib/ipfilter/lib/buildopts.c index 7a8df09cc874..bdd0538fdd14 100644 --- a/contrib/ipfilter/lib/buildopts.c +++ b/contrib/ipfilter/lib/buildopts.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: buildopts.c,v 1.6 2002/01/28 06:50:45 darrenr Exp $ + * $Id: buildopts.c,v 1.6.4.1 2006/06/16 17:20:56 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/checkrev.c b/contrib/ipfilter/lib/checkrev.c index 97ed689d77e1..9e584cc48d89 100644 
--- a/contrib/ipfilter/lib/checkrev.c +++ b/contrib/ipfilter/lib/checkrev.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: checkrev.c,v 1.12.2.1 2004/03/09 14:44:39 darrenr Exp $ + * $Id: checkrev.c,v 1.12.2.2 2006/06/16 17:20:56 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/count4bits.c b/contrib/ipfilter/lib/count4bits.c index b2aaa3b1df51..38e574290c69 100644 --- a/contrib/ipfilter/lib/count4bits.c +++ b/contrib/ipfilter/lib/count4bits.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: count4bits.c,v 1.1 2002/06/15 04:46:39 darrenr Exp $ + * $Id: count4bits.c,v 1.1.4.1 2006/06/16 17:20:57 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/count6bits.c b/contrib/ipfilter/lib/count6bits.c index 6011e964a846..15538c36c19c 100644 --- a/contrib/ipfilter/lib/count6bits.c +++ b/contrib/ipfilter/lib/count6bits.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: count6bits.c,v 1.4 2001/06/09 17:09:23 darrenr Exp $ + * $Id: count6bits.c,v 1.4.4.1 2006/06/16 17:20:57 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/debug.c b/contrib/ipfilter/lib/debug.c index d5f6ab2dd281..3181e78e1e10 100644 --- a/contrib/ipfilter/lib/debug.c +++ b/contrib/ipfilter/lib/debug.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: debug.c,v 1.6 2001/06/09 17:09:24 darrenr Exp $ + * $Id: debug.c,v 1.6.4.1 2006/06/16 17:20:57 darrenr Exp $ */ #if defined(__STDC__) 
diff --git a/contrib/ipfilter/lib/extras.c b/contrib/ipfilter/lib/extras.c
deleted file mode 100644
index 926ec43d2462..000000000000
--- a/contrib/ipfilter/lib/extras.c
+++ /dev/null
@@ -1,114 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: extras.c,v 1.12 2002/07/13 12:06:49 darrenr Exp $ - */ - -#include "ipf.h" - - -/* - * deal with extra bits on end of the line - */ -int extras(cp, fr, linenum) -char ***cp; -struct frentry *fr; -int linenum; -{ - u_short secmsk; - u_long opts; - int notopt; - - opts = 0; - secmsk = 0; - notopt = 0; - (*cp)++; - if (!**cp) - return -1; - - while (**cp) { - if (!strcasecmp(**cp, "not") || !strcasecmp(**cp, "no")) { - notopt = 1; - (*cp)++; - continue; - } else if (!strncasecmp(**cp, "ipopt", 5)) { - if (!notopt) - fr->fr_flx |= FI_OPTIONS; - fr->fr_mflx |= FI_OPTIONS; - goto nextopt; - } else if (!strcasecmp(**cp, "lowttl")) { - if (!notopt) - fr->fr_flx |= FI_LOWTTL; - fr->fr_mflx |= FI_LOWTTL; - goto nextopt; - } else if (!strcasecmp(**cp, "bad-src")) { - if (!notopt) - fr->fr_flx |= FI_BADSRC; - fr->fr_mflx |= FI_BADSRC; - goto nextopt; - } else if (!strncasecmp(**cp, "mbcast", 6)) { - if (!notopt) - fr->fr_flx |= FI_MBCAST; - fr->fr_mflx |= FI_MBCAST; - goto nextopt; - } else if (!strncasecmp(**cp, "nat", 3)) { - if (!notopt) - fr->fr_flx |= FI_NATED; - fr->fr_mflx |= FI_NATED; - goto nextopt; - } else if (!strncasecmp(**cp, "frag", 4)) { - if (!notopt) - fr->fr_flx |= FI_FRAG; - fr->fr_mflx |= FI_FRAG; - goto nextopt; - } else if (!strncasecmp(**cp, "opt", 3)) { - if (!*(*cp + 1)) { - fprintf(stderr, "%d: opt missing arguements\n", - linenum); - return -1; - } - (*cp)++; - if (!(opts = optname(cp, &secmsk, linenum))) - return -1; - - if (notopt) { - if (!secmsk) { - fr->fr_optmask |= opts; - } else { - fr->fr_optmask |= (opts & ~0x0100); - fr->fr_secmask |= secmsk; - } - fr->fr_secbits &= ~secmsk; - fr->fr_optbits &= ~opts; - } else { - fr->fr_optmask |= opts; - fr->fr_secmask |= secmsk; - fr->fr_optbits |= opts; - fr->fr_secbits |= secmsk; - } - } else if (!strncasecmp(**cp, "short", 5)) { - if 
(fr->fr_tcpf) { - fprintf(stderr, - "%d: short cannot be used with TCP flags\n", - linenum); - return -1; - } - - if (!notopt) - fr->fr_flx |= FI_SHORT; - fr->fr_mflx |= FI_SHORT; - goto nextopt; - } else - return -1; -nextopt: - notopt = 0; - opts = 0; - secmsk = 0; - (*cp)++; - } - return 0; -} diff --git a/contrib/ipfilter/lib/facpri.c b/contrib/ipfilter/lib/facpri.c index a9bae6dce68e..b89e0f8e0127 100644 --- a/contrib/ipfilter/lib/facpri.c +++ b/contrib/ipfilter/lib/facpri.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $ + * $Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $ */ #include @@ -22,7 +22,7 @@ #include "facpri.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.4 2006/03/17 22:28:41 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/lib/facpri.h b/contrib/ipfilter/lib/facpri.h index 212cd15b18d7..ca53e051f90d 100644 --- a/contrib/ipfilter/lib/facpri.h +++ b/contrib/ipfilter/lib/facpri.h @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1999-2001 by Darren Reed. + * Copyright (C) 2000-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: facpri.h,v 1.3 2001/06/09 17:19:50 darrenr Exp $ + * $Id: facpri.h,v 1.3.4.1 2006/06/16 17:20:58 darrenr Exp $ */ #ifndef __FACPRI_H__ diff --git a/contrib/ipfilter/lib/fill6bits.c b/contrib/ipfilter/lib/fill6bits.c index ec34d4e859fd..c0faf6ae5f20 100644 --- a/contrib/ipfilter/lib/fill6bits.c +++ b/contrib/ipfilter/lib/fill6bits.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: fill6bits.c,v 1.5 2002/03/27 15:09:57 darrenr Exp $ + * $Id: fill6bits.c,v 1.5.4.1 2006/06/16 17:20:58 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/flags.c b/contrib/ipfilter/lib/flags.c index 1b9dc729f996..200484c2231c 100644 --- a/contrib/ipfilter/lib/flags.c +++ b/contrib/ipfilter/lib/flags.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: flags.c,v 1.4 2002/11/02 07:16:36 darrenr Exp $ + * $Id: flags.c,v 1.4.4.1 2006/06/16 17:20:58 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/genmask.c b/contrib/ipfilter/lib/genmask.c deleted file mode 100644 index 2155f374b976..000000000000 --- a/contrib/ipfilter/lib/genmask.c +++ /dev/null 
@@ -1,56 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: genmask.c,v 1.7 2003/11/11 13:40:15 darrenr Exp $ - */ - -#include "ipf.h" - - -int genmask(msk, mskp) -char *msk; -u_32_t *mskp; -{ - char *endptr = 0L; - int bits; - - if (strchr(msk, '.') || strchr(msk, 'x') || strchr(msk, ':')) { - /* possibly of the form xxx.xxx.xxx.xxx - * or 0xYYYYYYYY */ -#ifdef USE_INET6 - if (use_inet6) { - if (inet_pton(AF_INET6, msk, mskp) != 1) - return -1; - } else -#endif - if (inet_aton(msk, (struct in_addr *)mskp) == 0) - return -1; - } else { - /* - * set x most significant bits - */ - bits = (int)strtol(msk, &endptr, 0); -#ifdef USE_INET6 - if ((*endptr != '\0') || - ((bits > 32) && !use_inet6) || (bits < 0) || - ((bits > 128) && use_inet6)) -#else - if (*endptr != '\0' || bits > 32 || bits < 0) -#endif - return -1; -#ifdef USE_INET6 - if (use_inet6) - fill6bits(bits, mskp); - else -#endif - if (bits == 0) - *mskp = 0; - else - *mskp = htonl(0xffffffff << (32 - bits)); - } - return 0; -} diff --git a/contrib/ipfilter/lib/gethost.c b/contrib/ipfilter/lib/gethost.c index f9034ccbbee5..be536c1e755d 100644 --- a/contrib/ipfilter/lib/gethost.c +++ b/contrib/ipfilter/lib/gethost.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: gethost.c,v 1.3.2.2 2006/06/16 17:20:59 darrenr Exp $ + */ + #include "ipf.h" int gethost(name, hostp) diff --git a/contrib/ipfilter/lib/getifname.c b/contrib/ipfilter/lib/getifname.c index 35acb32a62c7..7246fbb83714 100644 --- a/contrib/ipfilter/lib/getifname.c +++ b/contrib/ipfilter/lib/getifname.c 
@@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: getifname.c,v 1.5.2.3 2006/07/14 06:12:24 darrenr Exp $ + */ + #include "ipf.h" #include "kmem.h" @@ -8,6 +16,7 @@ * Given a pointer to an interface in the kernel, return a pointer to a * string which is the interface name. */ +#if 0 char *getifname(ptr) struct ifnet *ptr; { @@ -74,3 +83,10 @@ struct ifnet *ptr; # endif #endif } +#else +char *getifname(ptr) +struct ifnet *ptr; +{ + return "X"; +} +#endif diff --git a/contrib/ipfilter/lib/getline.c b/contrib/ipfilter/lib/getline.c deleted file mode 100644 index 2d3f9bdc0c90..000000000000 --- a/contrib/ipfilter/lib/getline.c +++ /dev/null @@ -1,58 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: getline.c,v 1.3 2001/06/09 17:09:24 darrenr Exp $ - */ - -#include -#if !defined(__SVR4) && !defined(__GNUC__) -#include -#endif -#include -#include "ipf.h" - - -/* - * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. - * Returns NULL if error occured, EOF encounterd or input line is too long. - */ -char *getline(str, size, file, linenum) -register char *str; -size_t size; -FILE *file; -int *linenum; -{ - char *p; - int s, len; - - do { - for (p = str, s = size;; p += (len - 1), s -= (len - 1)) { - /* - * if an error occured, EOF was encounterd, or there - * was no room to put NUL, return NULL. - */ - if (fgets(p, s, file) == NULL) - return (NULL); - len = strlen(p); - if (p[len - 1] != '\n') { - p[len] = '\0'; - break; - } - (*linenum)++; - p[len - 1] = '\0'; - if (len < 2 || p[len - 2] != '\\') - break; - else - /* - * Convert '\\' to a space so words don't - * run together - */ - p[len - 2] = ' '; - } - } while (*str == '\0'); - return (str); -} 
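Review bot: The `#if 0` / `#else` pair in getifname.c replaces the kmem-walking `getifname()` with a stub that ignores `ptr` and returns the literal `"X"`, and neither hunk carries a comment saying why or what is lost, so every consumer that renders interface names from kernel memory now silently prints `X`. A comment above the stub such as `/* XXX: ifnet lookup via kmem is disabled; every interface is reported as "X" */` would at least make the behaviour discoverable. The stub also hands a string literal back through a non-const `char *`; if any caller writes into the result (the original may have returned a writable buffer, but its body lies outside the hunk) that is a write to read-only memory. A `static char` buffer, or a `const char *` return type where callers allow it, avoids that.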
diff --git a/contrib/ipfilter/lib/getnattype.c b/contrib/ipfilter/lib/getnattype.c index beb0a8a852d0..2fb5d174e4a2 100644 --- a/contrib/ipfilter/lib/getnattype.c +++ b/contrib/ipfilter/lib/getnattype.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * @@ -11,26 +11,34 @@ #include "kmem.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3 2004/01/17 17:26:07 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3.2.2 2006/07/14 06:12:24 darrenr Exp $"; #endif /* * Get a nat filter type given its kernel address. */ -char *getnattype(ipnat) -ipnat_t *ipnat; +char *getnattype(nat, alive) +nat_t *nat; +int alive; { static char unknownbuf[20]; - ipnat_t ipnatbuff; + ipnat_t *ipn, ipnat; char *which; + int type; - if (!ipnat) + if (!nat) return "???"; - if (kmemcpy((char *)&ipnatbuff, (long)ipnat, sizeof(ipnatbuff))) - return "!!!"; + if (alive) { + type = nat->nat_redir; + } else { + ipn = nat->nat_ptr; + if (kmemcpy((char *)&ipnat, (long)ipn, sizeof(ipnat))) + return "!!!"; + type = ipnat.in_redir; + } - switch (ipnatbuff.in_redir) + switch (type) { case NAT_MAP : which = "MAP"; @@ -45,8 +53,7 @@ ipnat_t *ipnat; which = "BIMAP"; break; default : - sprintf(unknownbuf, "unknown(%04x)", - ipnatbuff.in_redir & 0xffffffff); + sprintf(unknownbuf, "unknown(%04x)", type & 0xffffffff); which = unknownbuf; break; } diff --git a/contrib/ipfilter/lib/getport.c b/contrib/ipfilter/lib/getport.c index 51c39b1bd3b1..69e897c660c3 100644 --- a/contrib/ipfilter/lib/getport.c +++ b/contrib/ipfilter/lib/getport.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: getport.c,v 1.1.4.6 2006/06/16 17:21:00 darrenr Exp $ + */ + #include "ipf.h" int getport(fr, name, port) 
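Review bot: The comment above `getnattype()` still says the type is found "given its kernel address", but the function now takes a `nat_t *` plus an `alive` flag and only touches a kernel address (via `kmemcpy()` on `nat->nat_ptr`) when `alive` is zero; in the live case it reads `nat->nat_redir` directly. I would replace it with `/* Return the NAT rule type name for nat; with alive set, nat_redir is read from nat itself, otherwise nat_ptr is a kernel address whose ipnat_t is copied out with kmemcpy(). */`. The `sprintf()` into the 20-byte `unknownbuf` fits today (`unknown(` plus at most eight hex digits and `)`), but `snprintf(unknownbuf, sizeof(unknownbuf), "unknown(%04x)", type & 0xffffffff);` makes that bound explicit and survives a future format change.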
diff --git a/contrib/ipfilter/lib/getportproto.c b/contrib/ipfilter/lib/getportproto.c index 02e3c2041288..23e5fb18a6a5 100644 --- a/contrib/ipfilter/lib/getportproto.c +++ b/contrib/ipfilter/lib/getportproto.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: getportproto.c,v 1.2.4.4 2006/06/16 17:21:00 darrenr Exp $ + */ + #include #include "ipf.h" diff --git a/contrib/ipfilter/lib/getproto.c b/contrib/ipfilter/lib/getproto.c index ec87490f6a31..33f6f47ac1b9 100644 --- a/contrib/ipfilter/lib/getproto.c +++ b/contrib/ipfilter/lib/getproto.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: getproto.c,v 1.2.2.3 2006/06/16 17:21:00 darrenr Exp $ + */ + #include "ipf.h" int getproto(name) diff --git a/contrib/ipfilter/lib/getsumd.c b/contrib/ipfilter/lib/getsumd.c index 44ff3aa6f331..fdad461673e3 100644 --- a/contrib/ipfilter/lib/getsumd.c +++ b/contrib/ipfilter/lib/getsumd.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: getsumd.c,v 1.2.4.1 2006/06/16 17:21:01 darrenr Exp $ + */ + #include "ipf.h" char *getsumd(sum) diff --git a/contrib/ipfilter/lib/hexdump.c b/contrib/ipfilter/lib/hexdump.c deleted file mode 100644 index f6cc156910c8..000000000000 --- a/contrib/ipfilter/lib/hexdump.c +++ /dev/null 
@@ -1,30 +0,0 @@ -/* $FreeBSD$ */ - -#include - -#include "ipf.h" - -void hexdump(out, addr, len, ascii) -FILE *out; -void *addr; -int len, ascii; -{ - FILE *fpout; - u_char *s, *t; - int i; - - fpout = out ? out : stdout; - for (i = 0, s = addr; i < len; i++, s++) { - fprintf(fpout, "%02x", *s); - if (i % 16 == 15) { - if (ascii != 0) { - fputc('\t', fpout); - for (t = s - 15; t<= s; t++) - fputc(ISPRINT(*t) ? *t : '.', fpout); - } - fputc('\n', fpout); - } else if (i % 4 == 3) { - fputc(' ', fpout); - } - } -} diff --git a/contrib/ipfilter/lib/hostmask.c b/contrib/ipfilter/lib/hostmask.c deleted file mode 100644 index ba33d483871c..000000000000 --- a/contrib/ipfilter/lib/hostmask.c +++ /dev/null 
@@ -1,95 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: hostmask.c,v 1.10 2002/01/28 06:50:46 darrenr Exp $ - */ - -#include "ipf.h" - - -/* - * returns -1 if neither "hostmask/num" or "hostmask mask addr" are - * found in the line segments, there is an error processing this information, - * or there is an error processing ports information. - */ -int hostmask(seg, proto, ifname, sa, msk, linenum) -char ***seg, *proto, *ifname; -u_32_t *sa, *msk; -int linenum; -{ - struct in_addr maskaddr; - char *s; - - if ((s = strchr(**seg, '='))) { - *s++ = '\0'; - if (!strcmp(**seg, "pool")) { - *sa = atoi(s); - return 1; - } - } - - /* - * is it possibly hostname/num ? - */ - if ((s = strchr(**seg, '/')) || - ((s = strchr(**seg, ':')) && !strchr(s + 1, ':'))) { - *s++ ='\0'; - if (genmask(s, msk) == -1) { - fprintf(stderr, "%d: bad mask (%s)\n", linenum, s); - return -1; - } - if (hostnum(sa, **seg, linenum, ifname) == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - *sa &= *msk; - (*seg)++; - return 0; - } - - /* - * look for extra segments if "mask" found in right spot - */ - if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) { - if (hostnum(sa, **seg, linenum, ifname) == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - (*seg)++; - if (inet_aton(**seg, &maskaddr) == 0) { - fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg); - return -1; - } - *msk = maskaddr.s_addr; - (*seg)++; - *sa &= *msk; - return 0; - } - - if (**seg) { - u_32_t k; - - if (hostnum(sa, **seg, linenum, ifname) == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - k = *sa ? 
0xffffffff : 0; -#ifdef USE_INET6 - if (use_inet6) { - msk[1] = k; - msk[2] = k; - msk[3] = k; - } -#endif - *msk = k; - return 0; - } - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; -} diff --git a/contrib/ipfilter/lib/hostname.c b/contrib/ipfilter/lib/hostname.c index c4950e9ab9e8..e8fde98e5efa 100644 --- a/contrib/ipfilter/lib/hostname.c +++ b/contrib/ipfilter/lib/hostname.c @@ -1,5 +1,12 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2003 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: hostname.c,v 1.6.2.2 2007/01/16 02:25:22 darrenr Exp $ + */ #include "ipf.h" @@ -12,6 +19,8 @@ void *ip; struct in_addr ipa; struct netent *np; + memset(&ipa, 0, sizeof(ipa)); /* XXX gcc */ + if (v == 4) { ipa.s_addr = *(u_32_t *)ip; if (ipa.s_addr == htonl(0xfedcba98)) diff --git a/contrib/ipfilter/lib/hostnum.c b/contrib/ipfilter/lib/hostnum.c deleted file mode 100644 index 78f93828b2c3..000000000000 --- a/contrib/ipfilter/lib/hostnum.c +++ /dev/null @@ -1,49 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: hostnum.c,v 1.10.2.1 2004/12/09 19:41:20 darrenr Exp $ - */ - -#include - -#include "ipf.h" - - -/* - * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_addr() call - */ -int hostnum(ipa, host, linenum, ifname) -u_32_t *ipa; -char *host; -int linenum; -char *ifname; -{ - struct in_addr ip; - - if (!strcasecmp("any", host) || - (ifname && *ifname && !strcasecmp(ifname, host))) - return 0; - -#ifdef USE_INET6 - if (use_inet6) { - if (inet_pton(AF_INET6, host, ipa) == 1) - return 0; - else - return -1; - } -#endif - if (ISDIGIT(*host) && inet_aton(host, &ip)) { - *ipa = ip.s_addr; - return 0; - } - - if (!strcasecmp("", host)) - host = thishost; - - return gethost(host, ipa); -} 
diff --git a/contrib/ipfilter/lib/icmpcode.c b/contrib/ipfilter/lib/icmpcode.c index 864fac178bbc..d558bebf7de6 100644 --- a/contrib/ipfilter/lib/icmpcode.c +++ b/contrib/ipfilter/lib/icmpcode.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: icmpcode.c,v 1.7.2.4 2006/02/25 17:40:22 darrenr Exp $ + * $Id: icmpcode.c,v 1.7.2.5 2006/06/16 17:21:02 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/initparse.c b/contrib/ipfilter/lib/initparse.c index 5f52f95c69af..6fdfc8a9a161 100644 --- a/contrib/ipfilter/lib/initparse.c +++ b/contrib/ipfilter/lib/initparse.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: initparse.c,v 1.6 2002/01/28 06:50:46 darrenr Exp $ + * $Id: initparse.c,v 1.6.4.1 2006/06/16 17:21:02 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/ionames.c b/contrib/ipfilter/lib/ionames.c index 5d7d2ac38e5c..d2fc97775452 100644 --- a/contrib/ipfilter/lib/ionames.c +++ b/contrib/ipfilter/lib/ionames.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ionames.c,v 1.7 2002/01/28 06:50:46 darrenr Exp $ + * $Id: ionames.c,v 1.7.4.1 2006/06/16 17:21:02 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/ipf_dotuning.c b/contrib/ipfilter/lib/ipf_dotuning.c index 3f146d7bb520..6508a266271c 100644 --- a/contrib/ipfilter/lib/ipf_dotuning.c +++ b/contrib/ipfilter/lib/ipf_dotuning.c 
@@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2003-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: ipf_dotuning.c,v 1.2.4.3 2006/06/16 17:21:02 darrenr Exp $ + */ + #include "ipf.h" #include "netinet/ipl.h" #include diff --git a/contrib/ipfilter/lib/ipft_ef.c b/contrib/ipfilter/lib/ipft_ef.c index 9e2093f8a01e..2d50f076bfbe 100644 --- a/contrib/ipfilter/lib/ipft_ef.c +++ b/contrib/ipfilter/lib/ipft_ef.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_ef.c,v 1.14 2004/01/08 13:34:31 darrenr Exp $ + * $Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $ */ /* @@ -33,7 +33,7 @@ etherfind -n -t #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14 2004/01/08 13:34:31 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $"; #endif static int etherf_open __P((char *)); @@ -98,13 +98,18 @@ int cnt, *dir; switch (ip->ip_p) { case IPPROTO_TCP : + if (isdigit(*sprt)) + pkt.ti_sport = htons(atoi(sprt) & 65535); + if (isdigit(*dprt)) + pkt.ti_dport = htons(atoi(dprt) & 65535); + extra = sizeof(struct tcphdr); + break; case IPPROTO_UDP : - s = strtok(NULL, " :"); - ip->ip_len += atoi(s); - if (ip->ip_p == IPPROTO_TCP) - extra = sizeof(struct tcphdr); - else if (ip->ip_p == IPPROTO_UDP) - extra = sizeof(struct udphdr); + if (isdigit(*sprt)) + pkt.ti_sport = htons(atoi(sprt) & 65535); + if (isdigit(*dprt)) + pkt.ti_dport = htons(atoi(dprt) & 65535); + extra = sizeof(struct udphdr); break; #ifdef IGMP case IPPROTO_IGMP : diff --git a/contrib/ipfilter/lib/ipft_hx.c b/contrib/ipfilter/lib/ipft_hx.c index efc0a413341c..d295c21a7d9f 100644 --- a/contrib/ipfilter/lib/ipft_hx.c +++ b/contrib/ipfilter/lib/ipft_hx.c 
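Review bot: `isdigit(*sprt)` and `isdigit(*dprt)` in the ipft_ef.c hunk pass a plain `char` to a ctype function; where `char` is signed, a byte above 0x7f in the trace file becomes a negative argument, which is undefined behaviour. Use `if (isdigit((unsigned char)*sprt))` (and likewise for `dprt`) in both the TCP and UDP cases. The two cases now carry the same four port-parsing lines; since only `extra` differs, the port assignment could be hoisted above the `switch` so there is one place to fix. `atoi()` also accepts trailing garbage and overflows silently on long digit runs before the `& 65535` mask is applied; `strtol()` with an end-pointer check would report both. The enclosing function, and the declarations of `sprt`/`dprt`, lie outside the hunk.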
@@ -1,13 +1,13 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1995-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.3 2005/12/04 10:07:21 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.4 2006/06/16 17:21:03 darrenr Exp $"; #endif #include diff --git a/contrib/ipfilter/lib/ipft_pc.c b/contrib/ipfilter/lib/ipft_pc.c index e3e2bd34dc0c..0f31a10efd3b 100644 --- a/contrib/ipfilter/lib/ipft_pc.c +++ b/contrib/ipfilter/lib/ipft_pc.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_pc.c,v 1.10.2.1 2005/12/04 09:55:10 darrenr Exp $ + * $Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $ */ #include "ipf.h" #include "pcap-ipf.h" @@ -13,7 +13,7 @@ #include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10.2.1 2005/12/04 09:55:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $"; #endif struct llc { diff --git a/contrib/ipfilter/lib/ipft_sn.c b/contrib/ipfilter/lib/ipft_sn.c index 5841ed5fe9bd..2beb6eed704f 100644 --- a/contrib/ipfilter/lib/ipft_sn.c +++ b/contrib/ipfilter/lib/ipft_sn.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_sn.c,v 1.7 2003/02/16 02:32:36 darrenr Exp $ + * $Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $ */ /* 
@@ -16,7 +16,7 @@ #include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.7 2003/02/16 02:32:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $"; #endif struct llc { diff --git a/contrib/ipfilter/lib/ipft_td.c b/contrib/ipfilter/lib/ipft_td.c index 758eb5128a8f..d571ada7b56e 100644 --- a/contrib/ipfilter/lib/ipft_td.c +++ b/contrib/ipfilter/lib/ipft_td.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_td.c,v 1.15 2004/01/08 13:34:31 darrenr Exp $ + * $Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $ */ /* @@ -42,7 +42,7 @@ tcpdump -nqte #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15 2004/01/08 13:34:31 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $"; #endif static int tcpd_open __P((char *)); @@ -144,6 +144,8 @@ int cnt, *dir; IP_HL_A(ip, sizeof(ip_t)); s = strtok(misc, " :"); + if (s == NULL) + return 0; ip->ip_p = getproto(s); switch (ip->ip_p) @@ -151,6 +153,8 @@ int cnt, *dir; case IPPROTO_TCP : case IPPROTO_UDP : s = strtok(NULL, " :"); + if (s == NULL) + return 0; ip->ip_len += atoi(s); if (ip->ip_p == IPPROTO_TCP) extra = sizeof(struct tcphdr); diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c index 36d89be2f388..f4475e3c8426 100644 --- a/contrib/ipfilter/lib/ipft_tx.c +++ b/contrib/ipfilter/lib/ipft_tx.c 
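Review bot: The two new `if (s == NULL) return 0;` guards after `strtok()` in ipft_td.c (this hunk and `@@ -151,6 +153,8 @@`) stop the NULL dereference, but they return silently, and 0 appears to be the same value the reader uses for end-of-input (the sibling ipft_tx.c reader returns 0 on `feof()`), so a malformed trace line would end the trace with no indication of which line was bad. Printing a diagnostic first, e.g. `fprintf(stderr, "tcpdump input: truncated line\n");` before each `return 0;`, keeps the failure visible. The enclosing function starts and ends outside both hunks, so I cannot confirm how the caller interprets the return value.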
@@ -1,15 +1,15 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1995-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $ + * $Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.7 2005/12/18 14:53:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $"; #endif #include @@ -129,6 +129,7 @@ int cnt, *dir; { register char *s; char line[513]; + ip_t *ip; *ifn = NULL; while (fgets(line, sizeof(line)-1, tfp)) { @@ -144,12 +145,10 @@ int cnt, *dir; printf("input: %s\n", line); *ifn = NULL; *dir = 0; - if (!parseline(line, (ip_t *)buf, ifn, dir)) -#if 0 - return sizeof(ip_t) + sizeof(tcphdr_t); -#else - return sizeof(ip_t); -#endif + if (!parseline(line, (ip_t *)buf, ifn, dir)) { + ip = (ip_t *)buf; + return ntohs(ip->ip_len); + } } if (feof(tfp)) return 0; 
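Review bot: The new return path in ipft_tx.c hands back `ntohs(ip->ip_len)` as the packet length with no check against either `sizeof(ip_t)` or the buffer size `cnt` visible in the function's parameter list, and that length comes straight from the parsed text line; a mistyped or crafted value larger than `cnt` would let the caller read past `buf`, and one smaller than the header would make later header accesses unsafe. Because the loop is `while (fgets(line, ...))`, a bad line can simply be skipped: with `int len;` declared beside the new `ip_t *ip;`, write `len = ntohs(ip->ip_len);` `if (len < (int)sizeof(ip_t) || len > cnt) continue;` before the return, ideally with a diagnostic on stderr. The function's other failure paths lie outside the hunk, so matching their convention instead of `continue` may be preferable.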
@@ -260,19 +259,30 @@ int *out; } ip->ip_dst.s_addr = tx_hostnum(*cpp, &r); cpp++; - if (*cpp && ip->ip_p == IPPROTO_TCP) { - char *s, *t; + if (ip->ip_p == IPPROTO_TCP) { + if (*cpp != NULL) { + char *s, *t; + + tcp->th_flags = 0; + for (s = *cpp; *s; s++) + if ((t = strchr(myflagset, *s))) + tcp->th_flags |= myflags[t-myflagset]; + if (tcp->th_flags) + cpp++; + } - tcp->th_flags = 0; - for (s = *cpp; *s; s++) - if ((t = strchr(myflagset, *s))) - tcp->th_flags |= myflags[t - myflagset]; - if (tcp->th_flags) - cpp++; - if (tcp->th_flags == 0) - abort(); if (tcp->th_flags & TH_URG) tcp->th_urp = htons(1); + + if (*cpp && !strncasecmp(*cpp, "seq=", 4)) { + tcp->th_seq = htonl(atoi(*cpp + 4)); + cpp++; + } + + if (*cpp && !strncasecmp(*cpp, "ack=", 4)) { + tcp->th_ack = htonl(atoi(*cpp + 4)); + cpp++; + } } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { extern char *tx_icmptypes[]; char **s, *t; diff --git a/contrib/ipfilter/lib/ipoptsec.c b/contrib/ipfilter/lib/ipoptsec.c index 5990170759ea..66a55c80dbb7 100644 --- a/contrib/ipfilter/lib/ipoptsec.c +++ b/contrib/ipfilter/lib/ipoptsec.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipoptsec.c,v 1.2 2002/01/28 06:50:46 darrenr Exp $ + * $Id: ipoptsec.c,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/kmem.c b/contrib/ipfilter/lib/kmem.c index 04a64d1aa1a4..26da2d0139f7 100644 --- a/contrib/ipfilter/lib/kmem.c +++ b/contrib/ipfilter/lib/kmem.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ 
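Review bot: `tcp->th_seq = htonl(atoi(*cpp + 4));` and the matching `ack=` line parse a 32-bit sequence number with `atoi()`, which returns `int`: any value of 2^31 or more (half the TCP sequence space) cannot be represented and the overflow is undefined behaviour, so the test file cannot express those sequence numbers. `strtoul(*cpp + 4, NULL, 0)` covers the full range and also accepts hex, e.g. `tcp->th_seq = htonl(strtoul(*cpp + 4, NULL, 0));`. Dropping the old `abort()` means a TCP line whose next token contains no recognised flag letters now continues with `th_flags == 0` and the token left for the `seq=`/`ack=` checks; if that is intentional, a one-line comment saying so would save the next reader the archaeology. The enclosing function continues past the hunk.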
@@ -44,7 +44,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.2 2005/06/12 07:18:41 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.3 2006/06/16 17:21:04 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/lib/kmem.h b/contrib/ipfilter/lib/kmem.h index c1dd7f9aa013..bcfde06d045d 100644 --- a/contrib/ipfilter/lib/kmem.h +++ b/contrib/ipfilter/lib/kmem.h @@ -1,10 +1,10 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. - * $Id: kmem.h,v 1.2 2002/08/21 22:57:36 darrenr Exp $ + * $Id: kmem.h,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $ */ #ifndef __KMEM_H__ diff --git a/contrib/ipfilter/lib/kmemcpywrap.c b/contrib/ipfilter/lib/kmemcpywrap.c index 4eeb62d17c42..87474915334e 100644 --- a/contrib/ipfilter/lib/kmemcpywrap.c +++ b/contrib/ipfilter/lib/kmemcpywrap.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: kmemcpywrap.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $ + */ + #include "ipf.h" #include "kmem.h" diff --git a/contrib/ipfilter/lib/kvatoname.c b/contrib/ipfilter/lib/kvatoname.c index a3764e46fd27..c8c0d8fff621 100644 --- a/contrib/ipfilter/lib/kvatoname.c +++ b/contrib/ipfilter/lib/kvatoname.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: kvatoname.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $ + */ + #include "ipf.h" #include diff --git a/contrib/ipfilter/lib/load_hash.c b/contrib/ipfilter/lib/load_hash.c index ff093c922767..7683470b47e8 100644 --- a/contrib/ipfilter/lib/load_hash.c +++ b/contrib/ipfilter/lib/load_hash.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_hash.c,v 1.11.2.3 2005/11/13 15:41:12 darrenr Exp $ + * $Id: load_hash.c,v 1.11.2.5 2006/07/14 06:12:25 darrenr Exp $ */ #include @@ -62,6 +62,7 @@ ioctlfunc_t iocfunc; iph.iph_size = size; iph.iph_seed = iphp->iph_seed; iph.iph_table = NULL; + iph.iph_list = NULL; iph.iph_ref = 0; if ((opts & OPT_REMOVE) == 0) { @@ -85,9 +86,10 @@ ioctlfunc_t iocfunc; perror("calloc(size, sizeof(*iph.iph_table))"); return -1; } - iph.iph_table[0] = list; + iph.iph_list = list; printhash(&iph, bcopywrap, iph.iph_name, opts); free(iph.iph_table); + iph.iph_list = NULL; for (a = list; a != NULL; a = a->ipe_next) { a->ipe_addr.in4_addr = htonl(a->ipe_addr.in4_addr); diff --git a/contrib/ipfilter/lib/load_hashnode.c b/contrib/ipfilter/lib/load_hashnode.c index 083bea8ff974..3c3416d95a14 100644 --- a/contrib/ipfilter/lib/load_hashnode.c +++ b/contrib/ipfilter/lib/load_hashnode.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2003-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_hashnode.c,v 1.2.4.1 2004/03/06 14:33:28 darrenr Exp $ + * $Id: load_hashnode.c,v 1.2.4.2 2006/06/16 17:21:05 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/load_pool.c b/contrib/ipfilter/lib/load_pool.c index 574cd2c62195..08baae767db9 100644 --- a/contrib/ipfilter/lib/load_pool.c +++ b/contrib/ipfilter/lib/load_pool.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_pool.c,v 1.14.2.3 2005/11/13 15:41:13 darrenr Exp $ + * $Id: load_pool.c,v 1.14.2.4 2006/06/16 17:21:06 darrenr Exp $ */ #include 
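Review bot: In the `@@ -85,9 +86,10 @@` hunk of load_hash.c, `free(iph.iph_table)` is followed by the new `iph.iph_list = NULL;`, but `iph.iph_table` itself keeps the freed pointer, so the struct carries a dangling member through the rest of the function (the loop that follows is cut off by the hunk, and if `iph` is later handed to the ioctl or a print path that reads `iph_table`, that becomes a use-after-free). Clear both members together: `free(iph.iph_table); iph.iph_table = NULL; iph.iph_list = NULL;`. The `@@ -62,6 +62,7 @@` hunk already initialises `iph_list` to NULL, so the reset here is consistent with that; only `iph_table` is missed. The rest of the function lies outside the hunk.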
diff --git a/contrib/ipfilter/lib/load_poolnode.c b/contrib/ipfilter/lib/load_poolnode.c index e8a6fe6bbe64..110a8b9c3e5b 100644 --- a/contrib/ipfilter/lib/load_poolnode.c +++ b/contrib/ipfilter/lib/load_poolnode.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2003-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_poolnode.c,v 1.3.2.1 2004/03/06 14:33:29 darrenr Exp $ + * $Id: load_poolnode.c,v 1.3.2.3 2006/06/16 17:21:06 darrenr Exp $ */ #include @@ -54,7 +54,7 @@ ioctlfunc_t iocfunc; if (err != 0) { if ((opts & OPT_DONOTHING) == 0) { - perror("load_pool:SIOCLOOKUP*NODE"); + perror("load_poolnode:SIOCLOOKUP*NODE"); return -1; } } diff --git a/contrib/ipfilter/lib/loglevel.c b/contrib/ipfilter/lib/loglevel.c deleted file mode 100644 index af5dda822dfc..000000000000 --- a/contrib/ipfilter/lib/loglevel.c +++ /dev/null @@ -1,55 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: loglevel.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $ - */ - -#include "ipf.h" - - -int loglevel(cpp, facpri, linenum) -char **cpp; -u_int *facpri; -int linenum; -{ - int fac, pri; - char *s; - - fac = 0; - pri = 0; - if (!*++cpp) { - fprintf(stderr, "%d: %s\n", linenum, - "missing identifier after level"); - return -1; - } - - s = strchr(*cpp, '.'); - if (s) { - *s++ = '\0'; - fac = fac_findname(*cpp); - if (fac == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown facility", *cpp); - return -1; - } - pri = pri_findname(s); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", s); - return -1; - } - } else { - pri = pri_findname(*cpp); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", *cpp); - return -1; - } - } - *facpri = fac|pri; - return 0; -} 
diff --git a/contrib/ipfilter/lib/mutex_emul.c b/contrib/ipfilter/lib/mutex_emul.c index 10472e589f65..3983f04c6257 100644 --- a/contrib/ipfilter/lib/mutex_emul.c +++ b/contrib/ipfilter/lib/mutex_emul.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2003 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: mutex_emul.c,v 1.2.4.1 2006/06/16 17:21:06 darrenr Exp $ + */ + #include "ipf.h" #define EMM_MAGIC 0x9d7adba3 diff --git a/contrib/ipfilter/lib/nametokva.c b/contrib/ipfilter/lib/nametokva.c index b2854d6d7f87..deee4399b946 100644 --- a/contrib/ipfilter/lib/nametokva.c +++ b/contrib/ipfilter/lib/nametokva.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: nametokva.c,v 1.1.4.1 2006/06/16 17:21:07 darrenr Exp $ + */ + #include "ipf.h" #include diff --git a/contrib/ipfilter/lib/nat_setgroupmap.c b/contrib/ipfilter/lib/nat_setgroupmap.c index d4e637ee4b10..08b1a0a4475b 100644 --- a/contrib/ipfilter/lib/nat_setgroupmap.c +++ b/contrib/ipfilter/lib/nat_setgroupmap.c @@ -1,12 +1,12 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: nat_setgroupmap.c,v 1.1 2003/04/13 06:40:14 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: nat_setgroupmap.c,v 1.1.4.1 2006/06/16 17:21:07 darrenr Exp $"; #endif #include "ipf.h" diff --git a/contrib/ipfilter/lib/natparse.c b/contrib/ipfilter/lib/natparse.c deleted file mode 100644 index 512eb35e45b3..000000000000 --- a/contrib/ipfilter/lib/natparse.c +++ /dev/null 
@@ -1,730 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if !defined(lint) -static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.8.2.1 2004/12/09 19:41:21 darrenr Exp $"; -#endif - -#include -#include -#include - -#include "ipf.h" -#include "opts.h" - - -void nat_setgroupmap(n) -ipnat_t *n; -{ - if (n->in_outmsk == n->in_inmsk) - n->in_ippip = 1; - else if (n->in_flags & IPN_AUTOPORTMAP) { - n->in_ippip = ~ntohl(n->in_inmsk); - if (n->in_outmsk != 0xffffffff) - n->in_ippip /= (~ntohl(n->in_outmsk) + 1); - n->in_ippip++; - if (n->in_ippip == 0) - n->in_ippip = 1; - n->in_ppip = USABLE_PORTS / n->in_ippip; - } else { - n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk); - n->in_nip = 0; - if (!(n->in_ppip = n->in_pmin)) - n->in_ppip = 1; - n->in_ippip = USABLE_PORTS / n->in_ppip; - } -} - - - -ipnat_t *natparse(line, linenum) -char *line; -int linenum; -{ - static ipnat_t ipn; - struct protoent *pr; - char *dnetm = NULL, *dport = NULL, *proto = NULL; - char *s, *t, *cps[31], **cpp; - int i, cnt; - - - if ((s = strchr(line, '\n'))) - *s = '\0'; - if ((s = strchr(line, '#'))) - *s = '\0'; - while (*line && ISSPACE(*line)) - line++; - if (!*line) - return NULL; - - bzero((char *)&ipn, sizeof(ipn)); - cnt = 0; - - for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++) - cps[++i] = strtok(NULL, " \b\t\r\n"); - - cps[i] = NULL; - - if (cnt < 3) { - fprintf(stderr, "%d: not enough segments in line\n", linenum); - return NULL; - } - - cpp = cps; - - if (!strcasecmp(*cpp, "map")) - ipn.in_redir = NAT_MAP; - else if (!strcasecmp(*cpp, "map-block")) - ipn.in_redir = NAT_MAPBLK; - else if (!strcasecmp(*cpp, "rdr")) - ipn.in_redir = NAT_REDIRECT; - else if (!strcasecmp(*cpp, "bimap")) - ipn.in_redir = NAT_BIMAP; - else { - fprintf(stderr, "%d: unknown mapping: \"%s\"\n", - linenum, *cpp); - 
return NULL; - } - - cpp++; - - strncpy(ipn.in_ifnames[0], *cpp, sizeof(ipn.in_ifnames[0]) - 1); - ipn.in_ifnames[0][sizeof(ipn.in_ifnames[0]) - 1] = '\0'; - cpp++; - - if (!strcasecmp(*cpp, "from") || (**cpp == '!')) { - if (!strcmp(*cpp, "!")) { - cpp++; - if (strcasecmp(*cpp, "from")) { - fprintf(stderr, "Missing from after !\n"); - return NULL; - } - ipn.in_flags |= IPN_NOTSRC; - } else if (**cpp == '!') { - if (strcasecmp(*cpp + 1, "from")) { - fprintf(stderr, "Missing from after !\n"); - return NULL; - } - ipn.in_flags |= IPN_NOTSRC; - } - if ((ipn.in_flags & IPN_NOTSRC) && - (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) { - fprintf(stderr, "Cannot use '! from' with map\n"); - return NULL; - } - - ipn.in_flags |= IPN_FILTER; - cpp++; - if (ipn.in_redir == NAT_REDIRECT) { - if (hostmask(&cpp, proto, NULL, - (u_32_t *)&ipn.in_srcip, - (u_32_t *)&ipn.in_srcmsk, linenum) == -1) - return NULL; - - if (ports(&cpp, proto, &ipn.in_sport, - &ipn.in_scmp, &ipn.in_stop, linenum)) - return NULL; - } else { - if (hostmask(&cpp, proto, NULL, - (u_32_t *)&ipn.in_inip, - (u_32_t *)&ipn.in_inmsk, linenum) == -1) - return NULL; - - if (ports(&cpp, proto, &ipn.in_dport, - &ipn.in_dcmp, &ipn.in_dtop, linenum)) - return NULL; - } - - if (!strcmp(*cpp, "!")) { - cpp++; - ipn.in_flags |= IPN_NOTDST; - } else if (**cpp == '!') { - (*cpp)++; - ipn.in_flags |= IPN_NOTDST; - } - - if (strcasecmp(*cpp, "to")) { - fprintf(stderr, "%d: unexpected keyword (%s) - to\n", - linenum, *cpp); - return NULL; - } - if ((ipn.in_flags & IPN_NOTDST) && - (ipn.in_redir & (NAT_REDIRECT))) { - fprintf(stderr, "Cannot use '! 
to' with rdr\n"); - return NULL; - } - - if (!*++cpp) { - fprintf(stderr, "%d: missing host after to\n", linenum); - return NULL; - } - if (ipn.in_redir == NAT_REDIRECT) { - if (hostmask(&cpp, proto, NULL, - (u_32_t *)&ipn.in_outip, - (u_32_t *)&ipn.in_outmsk, linenum)) - return NULL; - - if (ports(&cpp, proto, &ipn.in_dport, - &ipn.in_dcmp, &ipn.in_dtop, linenum)) - return NULL; - ipn.in_pmin = htons(ipn.in_dport); - } else { - if (hostmask(&cpp, proto, NULL, - (u_32_t *)&ipn.in_srcip, - (u_32_t *)&ipn.in_srcmsk, linenum)) - return NULL; - - if (ports(&cpp, proto, &ipn.in_sport, - &ipn.in_scmp, &ipn.in_stop, linenum)) - return NULL; - } - } else { - s = *cpp; - if (!s) - return NULL; - t = strchr(s, '/'); - if (!t) - return NULL; - *t++ = '\0'; - if (ipn.in_redir == NAT_REDIRECT) { - if (hostnum((u_32_t *)&ipn.in_outip, s, linenum, NULL)) - return NULL; - if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) { - return NULL; - } - } else { - if (hostnum((u_32_t *)&ipn.in_inip, s, linenum, NULL)) - return NULL; - if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) { - return NULL; - } - } - cpp++; - if (!*cpp) - return NULL; - } - - if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) { - if (strcasecmp(*cpp, "port")) { - fprintf(stderr, "%d: missing fields - 1st port\n", - linenum); - return NULL; - } - - cpp++; - - if (!*cpp) { - fprintf(stderr, - "%d: missing fields (destination port)\n", - linenum); - return NULL; - } - - if (ISDIGIT(**cpp) && (s = strchr(*cpp, '-'))) - *s++ = '\0'; - else - s = NULL; - - if (!portnum(*cpp, proto, &ipn.in_pmin, linenum)) - return NULL; - ipn.in_pmin = htons(ipn.in_pmin); - cpp++; - - if (!strcmp(*cpp, "-")) { - cpp++; - s = *cpp++; - } - - if (s) { - if (!portnum(s, proto, &ipn.in_pmax, linenum)) - return NULL; - ipn.in_pmax = htons(ipn.in_pmax); - } else - ipn.in_pmax = ipn.in_pmin; - } - - if (!*cpp) { - fprintf(stderr, "%d: missing fields (->)\n", linenum); - return NULL; - } - if (strcmp(*cpp, "->")) { - fprintf(stderr, 
"%d: missing ->\n", linenum); - return NULL; - } - cpp++; - - if (!*cpp) { - fprintf(stderr, "%d: missing fields (%s)\n", - linenum, ipn.in_redir ? "destination" : "target"); - return NULL; - } - - if (ipn.in_redir == NAT_MAP) { - if (!strcasecmp(*cpp, "range")) { - cpp++; - ipn.in_flags |= IPN_IPRANGE; - if (!*cpp) { - fprintf(stderr, "%d: missing fields (%s)\n", - linenum, - ipn.in_redir ? "destination":"target"); - return NULL; - } - } - } - - if (ipn.in_flags & IPN_IPRANGE) { - dnetm = strrchr(*cpp, '-'); - if (dnetm == NULL) { - cpp++; - if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1)) - dnetm = *(cpp + 1); - } else - *dnetm++ = '\0'; - if (dnetm == NULL || *dnetm == '\0') { - fprintf(stderr, - "%d: desination range not specified\n", - linenum); - return NULL; - } - } else if (ipn.in_redir != NAT_REDIRECT) { - dnetm = strrchr(*cpp, '/'); - if (dnetm == NULL) { - cpp++; - if (*cpp && !strcasecmp(*cpp, "netmask")) - dnetm = *++cpp; - } - if (dnetm == NULL) { - fprintf(stderr, - "%d: missing fields (dest netmask)\n", - linenum); - return NULL; - } - if (*dnetm == '/') - *dnetm++ = '\0'; - } - - if (ipn.in_redir == NAT_REDIRECT) { - dnetm = strchr(*cpp, ','); - if (dnetm != NULL) { - ipn.in_flags |= IPN_SPLIT; - *dnetm++ = '\0'; - } - if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum, NULL)) - return NULL; - } else { - if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum, NULL)) - return NULL; - } - cpp++; - - if (ipn.in_redir & NAT_MAPBLK) { - if (*cpp && strcasecmp(*cpp, "ports")) { - fprintf(stderr, - "%d: expected \"ports\" - got \"%s\"\n", - linenum, *cpp); - return NULL; - } - cpp++; - if (*cpp) { - ipn.in_pmin = atoi(*cpp); - cpp++; - } else - ipn.in_pmin = 0; - } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { - if (*cpp && strrchr(*cpp, '/') != NULL) { - fprintf(stderr, "%d: No netmask supported in %s\n", - linenum, "destination host for redirect"); - return NULL; - } - /* If it's a in_redir, expect target port */ - - if (!*cpp || strcasecmp(*cpp, 
"port")) { - fprintf(stderr, "%d: missing fields - 2nd port (%s)\n", - linenum, *cpp); - return NULL; - } - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing fields (destination port)\n", - linenum); - return NULL; - } - if (!portnum(*cpp, proto, &ipn.in_pnext, linenum)) - return NULL; - ipn.in_pnext = htons(ipn.in_pnext); - cpp++; - } - if (dnetm && *dnetm == '/') - *dnetm++ = '\0'; - - if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { - if (ipn.in_flags & IPN_IPRANGE) { - if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm, - linenum, NULL) == -1) - return NULL; - } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) - return NULL; - } else { - if (ipn.in_flags & IPN_SPLIT) { - if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm, - linenum, NULL) == -1) - return NULL; - } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)) - return NULL; - if (!*cpp) { - ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */ - proto = "tcp"; - } else { - if (!strcasecmp(*cpp, "tcp")) - ipn.in_flags |= IPN_TCP; - else if (!strcasecmp(*cpp, "udp")) - ipn.in_flags |= IPN_UDP; - else if (!strcasecmp(*cpp, "tcp/udp")) - ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(*cpp, "tcpudp")) - ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(*cpp, "ip")) - ipn.in_flags |= IPN_ANY; - else { - ipn.in_flags |= IPN_ANY; - ipn.in_p = getproto(*cpp); - } - proto = *cpp; - cpp++; - - if (*cpp && !strcasecmp(*cpp, "round-robin")) { - cpp++; - ipn.in_flags |= IPN_ROUNDR; - } - - if (*cpp && !strcasecmp(*cpp, "frag")) { - cpp++; - ipn.in_flags |= IPN_FRAG; - } - - if (*cpp && !strcasecmp(*cpp, "age")) { - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: age with no parameters\n", - linenum); - return NULL; - } - - ipn.in_age[0] = atoi(*cpp); - s = strchr(*cpp, '/'); - if (s != NULL) - ipn.in_age[1] = atoi(s + 1); - else - ipn.in_age[1] = ipn.in_age[0]; - cpp++; - } - - if (*cpp && !strcasecmp(*cpp, "mssclamp")) { - cpp++; - if (*cpp) { - ipn.in_mssclamp = atoi(*cpp); - cpp++; - } else { - fprintf(stderr, - 
"%d: mssclamp with no parameters\n", - linenum); - return NULL; - } - } - - if (*cpp) { - fprintf(stderr, - "%d: extra junk at the end of rdr: %s\n", - linenum, *cpp); - return NULL; - } - } - } - - if (!(ipn.in_flags & IPN_SPLIT)) - ipn.in_inip &= ipn.in_inmsk; - if ((ipn.in_flags & IPN_IPRANGE) == 0) - ipn.in_outip &= ipn.in_outmsk; - ipn.in_srcip &= ipn.in_srcmsk; - - if ((ipn.in_redir & NAT_MAPBLK) != 0) - nat_setgroupmap(&ipn); - - if (*cpp && !strcasecmp(*cpp, "frag")) { - cpp++; - ipn.in_flags |= IPN_ROUNDR; - } - - if (!*cpp) - return &ipn; - - if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) { - if (ipn.in_redir == NAT_BIMAP) { - fprintf(stderr, "%d: cannot use proxy with bimap\n", - linenum); - return NULL; - } - - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing parameter for \"proxy\"\n", - linenum); - return NULL; - } - dport = NULL; - - if (!strcasecmp(*cpp, "port")) { - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing parameter for \"port\"\n", - linenum); - return NULL; - } - - dport = *cpp; - cpp++; - - if (!*cpp) { - fprintf(stderr, - "%d: missing parameter for \"proxy\"\n", - linenum); - return NULL; - } - } else { - fprintf(stderr, - "%d: missing keyword \"port\"\n", linenum); - return NULL; - } - - if ((proto = strchr(*cpp, '/'))) { - *proto++ = '\0'; - ipn.in_p = getproto(proto); - } else - ipn.in_p = 0; - - if (dport && !portnum(dport, proto, &ipn.in_dport, linenum)) - return NULL; - ipn.in_dport = htons(ipn.in_dport); - - (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); - cpp++; - - if (*cpp) { - fprintf(stderr, - "%d: too many parameters for \"proxy\"\n", - linenum); - return NULL; - } - return &ipn; - } - - - if (!strcasecmp(*cpp, "icmpidmap")) { - - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: icmpidmap misses protocol and range\n", - linenum); - return NULL; - }; - - if (!strcasecmp(*cpp, "icmp")) - ipn.in_flags = IPN_ICMPQUERY; - else { - fprintf(stderr, "%d: icmpidmap only valid for icmp\n", - 
linenum); - return NULL; - } - cpp++; - - if (!*cpp) { - fprintf(stderr, "%d: no icmp id argument found\n", - linenum); - return NULL; - } - - if (!(t = strchr(*cpp, ':'))) { - fprintf(stderr, - "%d: no icmp id range detected in \"%s\"\n", - linenum, *cpp); - return NULL; - } - *t++ = '\0'; - - if (!icmpidnum(*cpp, &ipn.in_pmin, linenum) || - !icmpidnum(t, &ipn.in_pmax, linenum)) - return NULL; - } else if (!strcasecmp(*cpp, "portmap")) { - if (ipn.in_redir == NAT_BIMAP) { - fprintf(stderr, "%d: cannot use proxy with bimap\n", - linenum); - return NULL; - } - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing expression following portmap\n", - linenum); - return NULL; - } - - if (!strcasecmp(*cpp, "tcp")) - ipn.in_flags |= IPN_TCP; - else if (!strcasecmp(*cpp, "udp")) - ipn.in_flags |= IPN_UDP; - else if (!strcasecmp(*cpp, "tcpudp")) - ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(*cpp, "tcp/udp")) - ipn.in_flags |= IPN_TCPUDP; - else { - fprintf(stderr, - "%d: expected protocol name - got \"%s\"\n", - linenum, *cpp); - return NULL; - } - proto = *cpp; - cpp++; - - if (!*cpp) { - fprintf(stderr, "%d: no port range found\n", linenum); - return NULL; - } - - if (!strcasecmp(*cpp, "auto")) { - ipn.in_flags |= IPN_AUTOPORTMAP; - ipn.in_pmin = htons(1024); - ipn.in_pmax = htons(65535); - nat_setgroupmap(&ipn); - } else { - if (!(t = strchr(*cpp, ':'))) { - fprintf(stderr, - "%d: no port range in \"%s\"\n", - linenum, *cpp); - return NULL; - } - *t++ = '\0'; - if (!portnum(*cpp, proto, &ipn.in_pmin, linenum) || - !portnum(t, proto, &ipn.in_pmax, linenum)) - return NULL; - } - cpp++; - } - - if (*cpp && !strcasecmp(*cpp, "round-robin")) { - cpp++; - ipn.in_flags |= IPN_ROUNDR; - } - - if (*cpp && !strcasecmp(*cpp, "age")) { - cpp++; - if (!*cpp) { - fprintf(stderr, "%d: age with no parameters\n", - linenum); - return NULL; - } - s = strchr(*cpp, '/'); - if (s != NULL) - ipn.in_age[1] = atoi(s + 1); - else - ipn.in_age[1] = ipn.in_age[0]; - cpp++; - } - - if (*cpp 
&& !strcasecmp(*cpp, "mssclamp")) { - cpp++; - if (*cpp) { - ipn.in_mssclamp = atoi(*cpp); - cpp++; - } else { - fprintf(stderr, "%d: mssclamp with no parameters\n", - linenum); - return NULL; - } - } - - if (*cpp) { - fprintf(stderr, "%d: extra junk at the end of the line: %s\n", - linenum, *cpp); - return NULL; - } - - ipn.in_pmin = htons(ipn.in_pmin); - ipn.in_pmax = htons(ipn.in_pmax); - return &ipn; -} - - -void natparsefile(fd, file, opts) -int fd; -char *file; -int opts; -{ - char line[512], *s; - ipnat_t *np; - FILE *fp; - int linenum = 0; - - if (strcmp(file, "-")) { - if (!(fp = fopen(file, "r"))) { - fprintf(stderr, "%s: open: %s\n", file, - STRERROR(errno)); - exit(1); - } - } else - fp = stdin; - - while (getline(line, sizeof(line) - 1, fp, &linenum)) { - line[sizeof(line) - 1] = '\0'; - if ((s = strchr(line, '\n'))) - *s = '\0'; - - if (!(np = natparse(line, linenum))) { - if (*line) - fprintf(stderr, "%d: syntax error in \"%s\"\n", - linenum, line); - } else { - if ((opts & OPT_VERBOSE) && np) - printnat(np, opts); - if (!(opts & OPT_DONOTHING)) { - if (!(opts & OPT_REMOVE)) { - if (ioctl(fd, SIOCADNAT, &np) == -1) - perror("ioctl(SIOCADNAT)"); - } else if (ioctl(fd, SIOCRMNAT, &np) == -1) - perror("ioctl(SIOCRMNAT)"); - } - } - } - if (fp != stdin) - fclose(fp); -} - - -int icmpidnum(str, id, linenum) -char *str; -u_short *id; -int linenum; -{ - int i; - - - i = atoi(str); - - if ((i<0) || (i>65535)) { - fprintf(stderr, "%d: invalid icmp id\"%s\".\n", linenum, str); - return 0; - } - - *id = (u_short)i; - - return 1; -} diff --git a/contrib/ipfilter/lib/ntomask.c b/contrib/ipfilter/lib/ntomask.c index c95f78fe79ae..ba91a65b526c 100644 --- a/contrib/ipfilter/lib/ntomask.c +++ b/contrib/ipfilter/lib/ntomask.c 
@@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: ntomask.c,v 1.6.2.1 2006/06/16 17:21:07 darrenr Exp $ + */ + #include "ipf.h" int ntomask(v, nbits, ap) diff --git a/contrib/ipfilter/lib/optname.c b/contrib/ipfilter/lib/optname.c index 813a0dfbdf2d..f41cab11ea17 100644 --- a/contrib/ipfilter/lib/optname.c +++ b/contrib/ipfilter/lib/optname.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: optname.c,v 1.3 2001/06/09 17:09:24 darrenr Exp $ + * $Id: optname.c,v 1.3.4.1 2006/06/16 17:21:07 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/optprint.c b/contrib/ipfilter/lib/optprint.c index 7f18318866d8..81a3287cf672 100644 --- a/contrib/ipfilter/lib/optprint.c +++ b/contrib/ipfilter/lib/optprint.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: optprint.c,v 1.6.4.1 2005/12/18 14:51:28 darrenr Exp $ + * $Id: optprint.c,v 1.6.4.2 2006/06/16 17:21:08 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/optprintv6.c b/contrib/ipfilter/lib/optprintv6.c index 086496d5691f..f6ea6eca905e 100644 --- a/contrib/ipfilter/lib/optprintv6.c +++ b/contrib/ipfilter/lib/optprintv6.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: optprintv6.c,v 1.2 2003/04/30 00:39:39 darrenr Exp $ + * $Id: optprintv6.c,v 1.2.4.1 2006/06/16 17:21:08 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/optvalue.c b/contrib/ipfilter/lib/optvalue.c index 3609448e6312..aa1ef2e7648f 100644 
--- a/contrib/ipfilter/lib/optvalue.c +++ b/contrib/ipfilter/lib/optvalue.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: optvalue.c,v 1.2 2002/01/28 06:50:47 darrenr Exp $ + * $Id: optvalue.c,v 1.2.4.1 2006/06/16 17:21:08 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/parse.c b/contrib/ipfilter/lib/parse.c deleted file mode 100644 index 8bb121cb2fc1..000000000000 --- a/contrib/ipfilter/lib/parse.c +++ /dev/null 
@@ -1,754 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: parse.c,v 1.34.2.1 2004/12/09 19:41:21 darrenr Exp $ - */ -#include -#include "ipf.h" -#include "opts.h" - -static frentry_t *fp = NULL; - -/* parse() - * - * parse a line read from the input filter rule file - */ -struct frentry *parse(line, linenum) -char *line; -int linenum; -{ - static fripf_t fip; - char *cps[31], **cpp, *endptr, *proto = NULL, *s; - struct protoent *p = NULL; - int i, cnt = 1, j; - u_int k; - - if (fp == NULL) { - fp = malloc(sizeof(*fp)); - if (fp == NULL) - return NULL; - } - - while (*line && ISSPACE(*line)) - line++; - if (!*line) - return NULL; - - bzero((char *)fp, sizeof(*fp)); - bzero((char *)&fip, sizeof(fip)); - fp->fr_v = use_inet6 ? 6 : 4; - fp->fr_ipf = &fip; - fp->fr_dsize = sizeof(fip); - fp->fr_ip.fi_v = fp->fr_v; - fp->fr_mip.fi_v = 0xf; - fp->fr_type = FR_T_NONE; - fp->fr_loglevel = 0xffff; - fp->fr_isc = (void *)-1; - fp->fr_tag = FR_NOTAG; - - /* - * break line up into max of 20 segments - */ - if (opts & OPT_DEBUG) - fprintf(stderr, "parse [%s]\n", line); - for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++) - cps[++i] = strtok(NULL, " \b\t\r\n"); - cps[i] = NULL; - - if (cnt < 3) { - fprintf(stderr, "%d: not enough segments in line\n", linenum); - return NULL; - } - - cpp = cps; - /* - * The presence of an '@' followed by a number gives the position in - * the current rule list to insert this one. - */ - if (**cpp == '@') - fp->fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1; - - /* - * Check the first keyword in the rule and any options that are - * expected to follow it. 
- */ - if (!strcasecmp("block", *cpp)) { - fp->fr_flags |= FR_BLOCK; - if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) && - (i = 19)) - fp->fr_flags |= FR_FAKEICMP; - else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11)) - fp->fr_flags |= FR_RETICMP; - if (fp->fr_flags & FR_RETICMP) { - cpp++; - if (strlen(*cpp) == i) { - if (*(cpp + 1) && **(cpp +1) == '(') { - cpp++; - i = 0; - } else - i = -1; - } - - /* - * The ICMP code is not required to follow in ()'s - */ - if ((i >= 0) && (*(*cpp + i) == '(')) { - i++; - j = icmpcode(*cpp + i); - if (j == -1) { - fprintf(stderr, - "%d: unrecognised icmp code %s\n", - linenum, *cpp + 20); - return NULL; - } - fp->fr_icode = j; - } - } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) { - fp->fr_flags |= FR_RETRST; - cpp++; - } - } else if (!strcasecmp("count", *cpp)) { - fp->fr_flags |= FR_ACCOUNT; - } else if (!strcasecmp("pass", *cpp)) { - fp->fr_flags |= FR_PASS; - } else if (!strcasecmp("auth", *cpp)) { - fp->fr_flags |= FR_AUTH; - } else if (fp->fr_arg != 0) { - printf("skip %u", fp->fr_arg); - } else if (!strcasecmp("preauth", *cpp)) { - fp->fr_flags |= FR_PREAUTH; - } else if (!strcasecmp("nomatch", *cpp)) { - fp->fr_flags |= FR_NOMATCH; - } else if (!strcasecmp("skip", *cpp)) { - cpp++; - if (ratoui(*cpp, &k, 0, UINT_MAX)) - fp->fr_arg = k; - else { - fprintf(stderr, "%d: integer must follow skip\n", - linenum); - return NULL; - } - } else if (!strcasecmp("log", *cpp)) { - fp->fr_flags |= FR_LOG; - if (!strcasecmp(*(cpp+1), "body")) { - fp->fr_flags |= FR_LOGBODY; - cpp++; - } - if (!strcasecmp(*(cpp+1), "first")) { - fp->fr_flags |= FR_LOGFIRST; - cpp++; - } - if (*cpp && !strcasecmp(*(cpp+1), "or-block")) { - fp->fr_flags |= FR_LOGORBLOCK; - cpp++; - } - if (!strcasecmp(*(cpp+1), "level")) { - cpp++; - if (loglevel(cpp, &fp->fr_loglevel, linenum) == -1) - return NULL; - cpp++; - } - } else { - /* - * Doesn't start with one of the action words - */ - fprintf(stderr, "%d: unknown keyword (%s)\n", 
linenum, *cpp); - return NULL; - } - if (!*++cpp) { - fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum); - return NULL; - } - - /* - * Get the direction for filtering. Impose restrictions on direction - * if blocking with returning ICMP or an RST has been requested. - */ - if (!strcasecmp("in", *cpp)) - fp->fr_flags |= FR_INQUE; - else if (!strcasecmp("out", *cpp)) { - fp->fr_flags |= FR_OUTQUE; - if (fp->fr_flags & FR_RETICMP) { - fprintf(stderr, - "%d: Can only use return-icmp with 'in'\n", - linenum); - return NULL; - } else if (fp->fr_flags & FR_RETRST) { - fprintf(stderr, - "%d: Can only use return-rst with 'in'\n", - linenum); - return NULL; - } - } - if (!*++cpp) { - fprintf(stderr, "%d: missing source specification\n", linenum); - return NULL; - } - - if (!strcasecmp("log", *cpp)) { - if (!*++cpp) { - fprintf(stderr, "%d: missing source specification\n", - linenum); - return NULL; - } - if (FR_ISPASS(fp->fr_flags)) - fp->fr_flags |= FR_LOGP; - else if (FR_ISBLOCK(fp->fr_flags)) - fp->fr_flags |= FR_LOGB; - if (*cpp && !strcasecmp(*cpp, "body")) { - fp->fr_flags |= FR_LOGBODY; - cpp++; - } - if (*cpp && !strcasecmp(*cpp, "first")) { - fp->fr_flags |= FR_LOGFIRST; - cpp++; - } - if (*cpp && !strcasecmp(*cpp, "or-block")) { - if (!FR_ISPASS(fp->fr_flags)) { - fprintf(stderr, - "%d: or-block must be used with pass\n", - linenum); - return NULL; - } - fp->fr_flags |= FR_LOGORBLOCK; - cpp++; - } - if (*cpp && !strcasecmp(*cpp, "level")) { - if (loglevel(cpp, &fp->fr_loglevel, linenum) == -1) - return NULL; - cpp++; - cpp++; - } - } - - if (*cpp && !strcasecmp("quick", *cpp)) { - if (fp->fr_arg != 0) { - fprintf(stderr, "%d: cannot use skip with quick\n", - linenum); - return NULL; - } - cpp++; - fp->fr_flags |= FR_QUICK; - } - - /* - * Parse rule options that are available if a rule is tied to an - * interface. 
- */ - *fp->fr_ifname = '\0'; - *fp->fr_oifname = '\0'; - if (*cpp && !strcasecmp(*cpp, "on")) { - if (!*++cpp) { - fprintf(stderr, "%d: interface name missing\n", - linenum); - return NULL; - } - (void)strncpy(fp->fr_ifname, *cpp, IFNAMSIZ-1); - fp->fr_ifname[IFNAMSIZ-1] = '\0'; - cpp++; - if (!*cpp) { - if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) { - fprintf(stderr, - "%d: %s can only be used with TCP\n", - linenum, "return-rst"); - return NULL; - } - return fp; - } - - if (!strcasecmp(*cpp, "out-via")) { - if (fp->fr_flags & FR_OUTQUE) { - fprintf(stderr, - "out-via must be used with in\n"); - return NULL; - } - cpp++; - (void)strncpy(fp->fr_oifname, *cpp, IFNAMSIZ-1); - fp->fr_oifname[IFNAMSIZ-1] = '\0'; - cpp++; - } else if (!strcasecmp(*cpp, "in-via")) { - if (fp->fr_flags & FR_INQUE) { - fprintf(stderr, - "in-via must be used with out\n"); - return NULL; - } - cpp++; - (void)strncpy(fp->fr_oifname, *cpp, IFNAMSIZ-1); - fp->fr_oifname[IFNAMSIZ-1] = '\0'; - cpp++; - } - - if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) { - cpp++; - if (to_interface(&fp->fr_dif, *cpp, linenum)) - return NULL; - cpp++; - } - if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) { - cpp++; - if (to_interface(&fp->fr_tif, *cpp, linenum)) - return NULL; - cpp++; - } else if (*cpp && !strcasecmp(*cpp, "fastroute")) { - if (!(fp->fr_flags & FR_INQUE)) { - fprintf(stderr, - "can only use %s with 'in'\n", - "fastroute"); - return NULL; - } - fp->fr_flags |= FR_FASTROUTE; - cpp++; - } - - /* - * Set the "other" interface name. Lets you specify both - * inbound and outbound interfaces for state rules. Do not - * prevent both interfaces from being the same. 
- */ - strcpy(fp->fr_ifnames[3], "*"); - if ((*cpp != NULL) && (*(cpp + 1) != NULL) && - ((((fp->fr_flags & FR_INQUE) != 0) && - (strcasecmp(*cpp, "out-via") == 0)) || - (((fp->fr_flags & FR_OUTQUE) != 0) && - (strcasecmp(*cpp, "in-via") == 0)))) { - cpp++; - - s = strchr(*cpp, ','); - if (s != NULL) { - *s++ = '\0'; - (void)strncpy(fp->fr_ifnames[3], s, - IFNAMSIZ - 1); - fp->fr_ifnames[3][IFNAMSIZ - 1] = '\0'; - } - - (void)strncpy(fp->fr_ifnames[2], *cpp, IFNAMSIZ - 1); - fp->fr_ifnames[2][IFNAMSIZ - 1] = '\0'; - cpp++; - } else - strcpy(fp->fr_ifnames[2], "*"); - - } - - if (*cpp && !strcasecmp(*cpp, "tos")) { - if (!*++cpp) { - fprintf(stderr, "%d: tos missing value\n", linenum); - return NULL; - } - fp->fr_tos = strtol(*cpp, NULL, 0); - fp->fr_mip.fi_tos = 0xff; - cpp++; - } - - if (*cpp && !strcasecmp(*cpp, "ttl")) { - if (!*++cpp) { - fprintf(stderr, "%d: ttl missing hopcount value\n", - linenum); - return NULL; - } - if (ratoi(*cpp, &i, 0, 255)) - fp->fr_ttl = i; - else { - fprintf(stderr, "%d: invalid ttl (%s)\n", - linenum, *cpp); - return NULL; - } - fp->fr_mip.fi_ttl = 0xff; - cpp++; - } - - /* - * check for "proto " only decode udp/tcp/icmp as protoname - */ - if (*cpp && !strcasecmp(*cpp, "proto")) { - if (!*++cpp) { - fprintf(stderr, "%d: protocol name missing\n", linenum); - return NULL; - } - fp->fr_type = FR_T_IPF; - proto = *cpp++; - if (!strcasecmp(proto, "tcp/udp")) { - fp->fr_flx |= FI_TCPUDP; - fp->fr_mflx |= FI_TCPUDP; - } else if (use_inet6 && !strcasecmp(proto, "icmp")) { - fprintf(stderr, -"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n", - linenum); - return NULL; - } else { - fp->fr_proto = getproto(proto); - fp->fr_mip.fi_p = 0xff; - } - } - if ((fp->fr_proto != IPPROTO_TCP) && - ((fp->fr_flags & FR_RETMASK) == FR_RETRST)) { - fprintf(stderr, "%d: %s can only be used with TCP\n", - linenum, "return-rst"); - return NULL; - } - - /* - * get the from host and bit mask to use against packets - */ - - if 
(!*cpp) { - fprintf(stderr, "%d: missing source specification\n", linenum); - return NULL; - } - if (!strcasecmp(*cpp, "all")) { - cpp++; - if (!*cpp) { - if (fp->fr_type == FR_T_NONE) { - fp->fr_dsize = 0; - fp->fr_data = NULL; - } - return fp; - } - fp->fr_type = FR_T_IPF; -#ifdef IPFILTER_BPF - } else if (!strcmp(*cpp, "{")) { - struct bpf_program bpf; - struct pcap *p; - char **cp; - u_32_t l; - - if (fp->fr_type != FR_T_NONE) { - fprintf(stderr, - "%d: cannot mix BPF/ipf matching\n", linenum); - return NULL; - } - fp->fr_type = FR_T_BPFOPC; - cpp++; - if (!strncmp(*cpp, "0x", 2)) { - fp->fr_data = malloc(4); - for (cp = cpp, i = 0; *cp; cp++, i++) { - if (!strcmp(*cp, "}")) - break; - fp->fr_data = realloc(fp->fr_data, - (i + 1) * 4); - l = strtoul(*cp, NULL, 0); - ((u_32_t *)fp->fr_data)[i] = l; - } - if (!*cp) { - fprintf(stderr, "Missing closing '}'\n"); - return NULL; - } - fp->fr_dsize = i * sizeof(l); - bpf.bf_insns = fp->fr_data; - bpf.bf_len = fp->fr_dsize / sizeof(struct bpf_insn); - } else { - for (cp = cpp; *cp; cp++) { - if (!strcmp(*cp, "}")) - break; - (*cp)[-1] = ' '; - } - if (!*cp) { - fprintf(stderr, "Missing closing '}'\n"); - return NULL; - } - - bzero((char *)&bpf, sizeof(bpf)); - p = pcap_open_dead(DLT_RAW, 1); - if (!p) { - fprintf(stderr, "pcap_open_dead failed\n"); - return NULL; - } - - if (pcap_compile(p, &bpf, *cpp, 1, 0xffffffff)) { - pcap_perror(p, "ipf"); - pcap_close(p); - fprintf(stderr, "pcap parsing failed\n"); - return NULL; - } - pcap_close(p); - fp->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn); - fp->fr_data = bpf.bf_insns; - if (!bpf_validate(fp->fr_data, bpf.bf_len)) { - fprintf(stderr, "BPF validation failed\n"); - return NULL; - } - if (opts & OPT_DEBUG) - bpf_dump(&bpf, 0); - } - cpp = cp; - (*cpp)++; -#endif - } else { - fp->fr_type = FR_T_IPF; - - if (strcasecmp(*cpp, "from")) { - fprintf(stderr, "%d: unexpected keyword (%s) - from\n", - linenum, *cpp); - return NULL; - } - if (!*++cpp) { - fprintf(stderr, "%d: 
missing host after from\n", - linenum); - return NULL; - } - if (**cpp == '!') { - fp->fr_flags |= FR_NOTSRCIP; - (*cpp)++; - } else if (!strcmp(*cpp, "!")) { - fp->fr_flags |= FR_NOTSRCIP; - cpp++; - } - - s = *cpp; - i = hostmask(&cpp, proto, fp->fr_ifname, (u_32_t *)&fp->fr_src, - (u_32_t *)&fp->fr_smsk, linenum); - if (i == -1) - return NULL; - if (*fp->fr_ifname && !strcasecmp(s, fp->fr_ifname)) - fp->fr_satype = FRI_DYNAMIC; - if (i == 1) { - if (fp->fr_v == 6) { - fprintf(stderr, - "can only use pools with ipv4\n"); - return NULL; - } - fp->fr_satype = FRI_LOOKUP; - } - - if (ports(&cpp, proto, &fp->fr_sport, &fp->fr_scmp, - &fp->fr_stop, linenum)) - return NULL; - - if (!*cpp) { - fprintf(stderr, "%d: missing to fields\n", linenum); - return NULL; - } - - /* - * do the same for the to field (destination host) - */ - if (strcasecmp(*cpp, "to")) { - fprintf(stderr, "%d: unexpected keyword (%s) - to\n", - linenum, *cpp); - return NULL; - } - if (!*++cpp) { - fprintf(stderr, "%d: missing host after to\n", linenum); - return NULL; - } - - if (**cpp == '!') { - fp->fr_flags |= FR_NOTDSTIP; - (*cpp)++; - } else if (!strcmp(*cpp, "!")) { - fp->fr_flags |= FR_NOTDSTIP; - cpp++; - } - - s = *cpp; - i = hostmask(&cpp, proto, fp->fr_ifname, (u_32_t *)&fp->fr_dst, - (u_32_t *)&fp->fr_dmsk, linenum); - if (i == -1) - return NULL; - if (*fp->fr_ifname && !strcasecmp(s, fp->fr_ifname)) - fp->fr_datype = FRI_DYNAMIC; - if (i == 1) { - if (fp->fr_v == 6) { - fprintf(stderr, - "can only use pools with ipv4\n"); - return NULL; - } - fp->fr_datype = FRI_LOOKUP; - } - - if (ports(&cpp, proto, &fp->fr_dport, &fp->fr_dcmp, - &fp->fr_dtop, linenum)) - return NULL; - } - - if (fp->fr_type == FR_T_IPF) { - /* - * check some sanity, make sure we don't have icmp checks - * with tcp or udp or visa versa. 
- */ - if (fp->fr_proto && (fp->fr_dcmp || fp->fr_scmp) && - fp->fr_proto != IPPROTO_TCP && - fp->fr_proto != IPPROTO_UDP) { - fprintf(stderr, - "%d: port operation on non tcp/udp\n",linenum); - return NULL; - } - if (fp->fr_icmp && fp->fr_proto != IPPROTO_ICMP) { - fprintf(stderr, - "%d: icmp comparisons on wrong protocol\n", - linenum); - return NULL; - } - - if (!*cpp) - return fp; - - if (*cpp && (fp->fr_type == FR_T_IPF) && - !strcasecmp(*cpp, "flags")) { - if (!*++cpp) { - fprintf(stderr, "%d: no flags present\n", - linenum); - return NULL; - } - fp->fr_tcpf = tcp_flags(*cpp, &fp->fr_tcpfm, linenum); - cpp++; - } - - /* - * extras... - */ - if ((fp->fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") || - !strcasecmp(*cpp, "and"))) - if (extras(&cpp, fp, linenum)) - return NULL; - - /* - * icmp types for use with the icmp protocol - */ - if (*cpp && !strcasecmp(*cpp, "icmp-type")) { - if (fp->fr_proto != IPPROTO_ICMP && - fp->fr_proto != IPPROTO_ICMPV6) { - fprintf(stderr, - "%d: icmp with wrong protocol (%d)\n", - linenum, fp->fr_proto); - return NULL; - } - if (addicmp(&cpp, fp, linenum)) - return NULL; - fp->fr_icmp = htons(fp->fr_icmp); - fp->fr_icmpm = htons(fp->fr_icmpm); - } - } - - /* - * Keep something... - */ - while (*cpp && !strcasecmp(*cpp, "keep")) - if (addkeep(&cpp, fp, linenum)) - return NULL; - - /* - * This is here to enforce the old interface binding behaviour. - * That is, "on X" is equivalent to " on X -via -,X" - */ - if (fp->fr_flags & FR_KEEPSTATE) { - if (*fp->fr_ifnames[0] && !*fp->fr_ifnames[3]) { - bcopy(fp->fr_ifnames[0], fp->fr_ifnames[3], - sizeof(fp->fr_ifnames[3])); - strncpy(fp->fr_ifnames[2], "*", - sizeof(fp->fr_ifnames[3])); - } - } - - /* - * head of a new group ? 
- */ - if (*cpp && !strcasecmp(*cpp, "head")) { - if (fp->fr_arg != 0) { - fprintf(stderr, "%d: cannot use skip with head\n", - linenum); - return NULL; - } - if (!*++cpp) { - fprintf(stderr, "%d: head without group #\n", linenum); - return NULL; - } - if (strlen(*cpp) > FR_GROUPLEN) { - fprintf(stderr, "%d: head name too long #\n", linenum); - return NULL; - } - strncpy(fp->fr_grhead, *cpp, FR_GROUPLEN); - cpp++; - } - - /* - * reference to an already existing group ? - */ - if (*cpp && !strcasecmp(*cpp, "group")) { - if (!*++cpp) { - fprintf(stderr, "%d: group without group #\n", - linenum); - return NULL; - } - if (strlen(*cpp) > FR_GROUPLEN) { - fprintf(stderr, "%d: group name too long #\n", linenum); - return NULL; - } - strncpy(fp->fr_group, *cpp, FR_GROUPLEN); - cpp++; - } - - if (*cpp && !strcasecmp(*cpp, "tag")) { - if (!*++cpp) { - fprintf(stderr, "%d: tag id missing value\n", linenum); - return NULL; - } - fp->fr_tag = strtol(*cpp, NULL, 0); - cpp++; - } - - /* - * pps counter - */ - if (*cpp && !strcasecmp(*cpp, "pps")) { - if (!*++cpp) { - fprintf(stderr, "%d: pps without rate\n", linenum); - return NULL; - } - if (ratoui(*cpp, &k, 0, INT_MAX)) - fp->fr_pps = k; - else { - fprintf(stderr, "%d: invalid pps rate (%s)\n", - linenum, *cpp); - return NULL; - } - cpp++; - } - - /* - * leftovers...yuck - */ - if (*cpp && **cpp) { - fprintf(stderr, "%d: unknown words at end: [", linenum); - for (; *cpp; cpp++) - fprintf(stderr, "%s ", *cpp); - fprintf(stderr, "]\n"); - return NULL; - } - - /* - * lazy users... 
- */ - if (fp->fr_type == FR_T_IPF) { - if ((fp->fr_tcpf || fp->fr_tcpfm) && - (fp->fr_proto != IPPROTO_TCP)) { - fprintf(stderr, - "%d: TCP protocol not specified\n", linenum); - return NULL; - } - if (!(fp->fr_flx & FI_TCPUDP) && - (fp->fr_proto != IPPROTO_TCP) && - (fp->fr_proto != IPPROTO_UDP) && - (fp->fr_dcmp || fp->fr_scmp)) { - if (!fp->fr_proto) { - fp->fr_flx |= FI_TCPUDP; - fp->fr_mflx |= FI_TCPUDP; - } else { - fprintf(stderr, - "%d: port check for non-TCP/UDP\n", - linenum); - return NULL; - } - } - } - if (*fp->fr_oifname && strcmp(fp->fr_oifname, "*") && - !(fp->fr_flags & FR_KEEPSTATE)) { - fprintf(stderr, "%d: *-via must be used %s\n", - linenum, "with keep-state"); - return NULL; - } - return fp; -} diff --git a/contrib/ipfilter/lib/portname.c b/contrib/ipfilter/lib/portname.c index 4bf1c09a5bde..f0c8625e6a77 100644 --- a/contrib/ipfilter/lib/portname.c +++ b/contrib/ipfilter/lib/portname.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: portname.c,v 1.7 2003/08/14 14:27:43 darrenr Exp $ + * $Id: portname.c,v 1.7.2.1 2006/06/16 17:21:09 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/portnum.c b/contrib/ipfilter/lib/portnum.c deleted file mode 100644 index f80f86d42c93..000000000000 --- a/contrib/ipfilter/lib/portnum.c +++ /dev/null 
@@ -1,64 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * - * $Id: portnum.c,v 1.6.4.1 2004/12/09 19:41:22 darrenr Exp $ - */ - -#include - -#include "ipf.h" - - -/* - * find the port number given by the name, either from getservbyname() or - * straight atoi(). Return 1 on success, 0 on failure - */ -int portnum(name, proto, port, linenum) -char *name, *proto; -u_short *port; -int linenum; -{ - struct servent *sp, *sp2; - u_short p1 = 0; - int i; - - if (ISDIGIT(*name)) { - if (ratoi(name, &i, 0, USHRT_MAX)) { - *port = (u_short)i; - return 1; - } - fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name); - return 0; - } - if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) { - sp = getservbyname(name, proto); - if (sp) { - *port = ntohs(sp->s_port); - return 1; - } - fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); - return 0; - } - sp = getservbyname(name, "tcp"); - if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", - linenum, name); - return 0; - } - if (p1 != sp2->s_port) { - fprintf(stderr, "%d: %s %d/tcp is a different port to ", - linenum, name, p1); - fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); - return 0; - } - *port = ntohs(p1); - return 1; -} diff --git a/contrib/ipfilter/lib/ports.c b/contrib/ipfilter/lib/ports.c deleted file mode 100644 index 22308053d1d7..000000000000 --- a/contrib/ipfilter/lib/ports.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: ports.c,v 1.9.4.1 2004/12/09 19:41:22 darrenr Exp $ - */ - -#include - -#include "ipf.h" - - -/* - * check for possible presence of the port fields in the line - */ -int ports(seg, proto, pp, cp, tp, linenum) -char ***seg; -char *proto; -u_short *pp; -int *cp; -u_short *tp; -int linenum; -{ - int comp = -1; - - if (!*seg || !**seg || !***seg) - return 0; - if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { - (*seg)++; - if (ISALNUM(***seg) && *(*seg + 2)) { - if (portnum(**seg, proto, pp, linenum) == 0) - return -1; - (*seg)++; - if (!strcmp(**seg, "<>")) - comp = FR_OUTRANGE; - else if (!strcmp(**seg, "><")) - comp = FR_INRANGE; - else { - fprintf(stderr, - "%d: unknown range operator (%s)\n", - linenum, **seg); - return -1; - } - (*seg)++; - if (**seg == NULL) { - fprintf(stderr, "%d: missing 2nd port value\n", - linenum); - return -1; - } - if (portnum(**seg, proto, tp, linenum) == 0) - return -1; - } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) - comp = FR_EQUAL; - else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) - comp = FR_NEQUAL; - else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt")) - comp = FR_LESST; - else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt")) - comp = FR_GREATERT; - else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le")) - comp = FR_LESSTE; - else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) - comp = FR_GREATERTE; - else { - fprintf(stderr, "%d: unknown comparator (%s)\n", - linenum, **seg); - return -1; - } - if (comp != FR_OUTRANGE && comp != FR_INRANGE) { - (*seg)++; - if (portnum(**seg, proto, pp, linenum) == 0) - return -1; - } - *cp = comp; - (*seg)++; - } - return 0; -} diff --git a/contrib/ipfilter/lib/print_toif.c b/contrib/ipfilter/lib/print_toif.c index 443100466437..94a4618dbae2 100644 
--- a/contrib/ipfilter/lib/print_toif.c +++ b/contrib/ipfilter/lib/print_toif.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: print_toif.c,v 1.8 2002/01/28 06:50:47 darrenr Exp $ + * $Id: print_toif.c,v 1.8.4.1 2006/06/16 17:21:09 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printactivenat.c b/contrib/ipfilter/lib/printactivenat.c index 2155378970c2..a2e292406614 100644 --- a/contrib/ipfilter/lib/printactivenat.c +++ b/contrib/ipfilter/lib/printactivenat.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * @@ -12,16 +12,17 @@ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.4 2004/05/11 16:07:32 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.7 2006/12/12 16:13:00 darrenr Exp $"; #endif -void printactivenat(nat, opts) +void printactivenat(nat, opts, alive, now) nat_t *nat; -int opts; +int opts, alive; +u_long now; { - printf("%s", getnattype(nat->nat_ptr)); + printf("%s", getnattype(nat, alive)); if (nat->nat_flags & SI_CLONE) printf(" CLONE"); @@ -42,8 +43,9 @@ int opts; printf("]"); if (opts & OPT_VERBOSE) { - printf("\n\tage %lu use %hu sumd %s/", - nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0])); + printf("\n\tttl %lu use %hu sumd %s/", + nat->nat_age - now, nat->nat_use, + getsumd(nat->nat_sumd[0])); printf("%s pr %u bkt %d/%d flags %x\n", getsumd(nat->nat_sumd[1]), nat->nat_p, nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags); diff --git a/contrib/ipfilter/lib/printaps.c b/contrib/ipfilter/lib/printaps.c index 235a5fdd42bf..87a12cd494fc 100644 --- a/contrib/ipfilter/lib/printaps.c +++ b/contrib/ipfilter/lib/printaps.c 
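Review bot: The verbose line now prints `nat->nat_age - now` with `%lu`, so an entry whose `nat_age` is already below `now` (expired but not yet reaped) shows a wrapped-around value near ULONG_MAX instead of 0. If `nat_age` is unsigned (its declaration is not in the hunk), clamp before printing, `nat->nat_age > now ? nat->nat_age - now : 0`, or cast to `long` and print with `%ld` so a negative remainder stays visible. The widened signature `printactivenat(nat, opts, alive, now)` also obliges every caller to pass `now` in the same time base as `nat_age`; a one-line comment on the definition naming that time base would prevent mismatched units. The enclosing function ends outside the hunk.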
@@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * @@ -13,7 +13,7 @@ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printaps.c,v 1.4 2004/01/08 13:34:32 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printaps.c,v 1.4.2.1 2006/06/16 17:21:10 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/lib/printbuf.c b/contrib/ipfilter/lib/printbuf.c index 1f0763efffc0..b2e209a01325 100644 --- a/contrib/ipfilter/lib/printbuf.c +++ b/contrib/ipfilter/lib/printbuf.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printbuf.c,v 1.5.4.1 2004/12/09 19:41:22 darrenr Exp $ + * $Id: printbuf.c,v 1.5.4.2 2006/06/16 17:21:10 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/printfr.c b/contrib/ipfilter/lib/printfr.c index 6ad81e135566..587d8cb01a48 100644 --- a/contrib/ipfilter/lib/printfr.c +++ b/contrib/ipfilter/lib/printfr.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printfr.c,v 1.43.2.16 2006/03/29 11:19:59 darrenr Exp $ + * $Id: printfr.c,v 1.43.2.18 2007/05/07 06:55:38 darrenr Exp $ */ #include "ipf.h" @@ -470,7 +470,12 @@ ioctlfunc_t iocfunc; } printf(")"); } + if (fp->fr_pps) printf(" pps %d", fp->fr_pps); + + if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) { + printf(" # count %d", fp->fr_statecnt); + } (void)putchar('\n'); } diff --git a/contrib/ipfilter/lib/printfraginfo.c b/contrib/ipfilter/lib/printfraginfo.c index 05c03992452a..d9317e87480d 100644 --- a/contrib/ipfilter/lib/printfraginfo.c +++ b/contrib/ipfilter/lib/printfraginfo.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2004 by Darren Reed. + * Copyright (C) 2004-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printfraginfo.c,v 1.1.2.2 2004/03/23 15:15:45 darrenr Exp $ + * $Id: printfraginfo.c,v 1.1.2.5 2006/12/25 15:10:37 darrenr Exp $ */ #include "ipf.h" #include "kmem.h" @@ -19,11 +19,12 @@ struct ipfr *ifr; fr.fr_flags = 0xffffffff; printf("%s%s -> ", prefix, hostname(4, &ifr->ipfr_src)); +/* if (kmemcpy((char *)&fr, (u_long)ifr->ipfr_rule, sizeof(fr)) == -1) return; - printf("%s id %d ttl %d pr %d seen0 %d ifp %p tos %#02x = %#x\n", - hostname(4, &ifr->ipfr_dst), ifr->ipfr_id, ifr->ipfr_seen0, - ifr->ipfr_ttl, ifr->ipfr_p, ifr->ipfr_ifp, ifr->ipfr_tos, - fr.fr_flags); +*/ + printf("%s id %d ttl %ld pr %d seen0 %d ref %d tos %#02x\n", + hostname(4, &ifr->ipfr_dst), ifr->ipfr_id, ifr->ipfr_ttl, + ifr->ipfr_p, ifr->ipfr_seen0, ifr->ipfr_ref, ifr->ipfr_tos); } diff --git a/contrib/ipfilter/lib/printhash.c b/contrib/ipfilter/lib/printhash.c index fab0659281d8..975b60eabcd5 100644 --- a/contrib/ipfilter/lib/printhash.c +++ b/contrib/ipfilter/lib/printhash.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -20,7 +20,7 @@ int opts; { iphtent_t *ipep, **table; iphtable_t iph; - int i, printed; + int printed; size_t sz; if ((*copyfunc)((char *)hp, (char *)&iph, sizeof(iph))) 
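Review bot: The kmemcpy of the rule is kept as commented-out code instead of being removed, and with its `fr.fr_flags` format argument gone the local `fr` (still initialised by the context line `fr.fr_flags = 0xffffffff;`) is written but never read. Delete the `/* ... */` block and the `fr` assignment (its declaration is above the hunk), or replace the block with a one-line comment that records why the rule copy is disabled, e.g. `/* rule lookup via ipfr_rule intentionally disabled: <reason> */`, since the reason is not visible here. The new `%ld` for `ifr->ipfr_ttl` presumably tracks a type change in the struct; that change is not in this hunk and should be confirmed against the header. printfraginfo's opening is outside the hunk.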
@@ -29,94 +29,10 @@ int opts; if ((name != NULL) && strncmp(name, iph.iph_name, FR_GROUPLEN)) return iph.iph_next; - if ((opts & OPT_DEBUG) == 0) { - if ((iph.iph_type & IPHASH_ANON) == IPHASH_ANON) - PRINTF("# 'anonymous' table\n"); - switch (iph.iph_type & ~IPHASH_ANON) - { - case IPHASH_LOOKUP : - PRINTF("table"); - break; - case IPHASH_GROUPMAP : - PRINTF("group-map"); - if (iph.iph_flags & FR_INQUE) - PRINTF(" in"); - else if (iph.iph_flags & FR_OUTQUE) - PRINTF(" out"); - else - PRINTF(" ???"); - break; - default : - PRINTF("%#x", iph.iph_type); - break; - } - PRINTF(" role = "); - } else { - PRINTF("Hash Table Number: %s", iph.iph_name); - if ((iph.iph_type & IPHASH_ANON) == IPHASH_ANON) - PRINTF("(anon)"); - putchar(' '); - PRINTF("Role: "); - } + printhashdata(hp, opts); - switch (iph.iph_unit) - { - case IPL_LOGNAT : - PRINTF("nat"); - break; - case IPL_LOGIPF : - PRINTF("ipf"); - break; - case IPL_LOGAUTH : - PRINTF("auth"); - break; - case IPL_LOGCOUNT : - PRINTF("count"); - break; - default : - PRINTF("#%d", iph.iph_unit); - break; - } - - if ((opts & OPT_DEBUG) == 0) { - if ((iph.iph_type & ~IPHASH_ANON) == IPHASH_LOOKUP) - PRINTF(" type = hash"); - PRINTF(" number = %s size = %lu", - iph.iph_name, (u_long)iph.iph_size); - if (iph.iph_seed != 0) - PRINTF(" seed = %lu", iph.iph_seed); - putchar('\n'); - } else { - PRINTF(" Type: "); - switch (iph.iph_type & ~IPHASH_ANON) - { - case IPHASH_LOOKUP : - PRINTF("lookup"); - break; - case IPHASH_GROUPMAP : - PRINTF("groupmap Group. %s", iph.iph_name); - break; - default : - break; - } - - putchar('\n'); - PRINTF("\t\tSize: %lu\tSeed: %lu", - (u_long)iph.iph_size, iph.iph_seed); - PRINTF("\tRef. 
Count: %d\tMasks: %#x\n", iph.iph_ref, - iph.iph_masks); - } - - if ((opts & OPT_DEBUG) != 0) { - struct in_addr m; - - for (i = 0; i < 32; i++) { - if ((1 << i) & iph.iph_masks) { - ntomask(4, i, &m.s_addr); - PRINTF("\t\tMask: %s\n", inet_ntoa(m)); - } - } - } + if ((hp->iph_flags & IPHASH_DELETE) != 0) + PRINTF("# "); if ((opts & OPT_DEBUG) == 0) PRINTF("\t{"); @@ -126,11 +42,9 @@ int opts; if ((*copyfunc)((char *)iph.iph_table, (char *)table, sz)) return NULL; - for (i = 0, printed = 0; i < iph.iph_size; i++) { - for (ipep = table[i]; ipep != NULL; ) { - ipep = printhashnode(&iph, ipep, copyfunc, opts); - printed++; - } + for (printed = 0, ipep = iph.iph_list; ipep != NULL; ) { + ipep = printhashnode(&iph, ipep, copyfunc, opts); + printed++; } if (printed == 0) putchar(';'); diff --git a/contrib/ipfilter/lib/printhashnode.c b/contrib/ipfilter/lib/printhashnode.c index b5eda15e0b93..ed83c397b4c5 100644 --- a/contrib/ipfilter/lib/printhashnode.c +++ b/contrib/ipfilter/lib/printhashnode.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -47,6 +47,7 @@ int opts; } putchar(';'); } + ipep = ipe.ipe_next; return ipep; } diff --git a/contrib/ipfilter/lib/printhostmap.c b/contrib/ipfilter/lib/printhostmap.c index cb5f8e7498a5..0c9242f91eef 100644 --- a/contrib/ipfilter/lib/printhostmap.c +++ b/contrib/ipfilter/lib/printhostmap.c 
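Review bot: The new deletion check reads `hp->iph_flags` straight through the caller's pointer, while every other field of this table is read from the local copy `iph` filled by `(*copyfunc)((char *)hp, (char *)&iph, sizeof(iph))` in the earlier hunk (and `iph.iph_name` just above). If `copyfunc` is a kmem reader, `hp` is not a valid address in this process and that line faults or reads garbage; the matching hunk in printpool.c uses the local copy (`ipp.ipo_flags & IPOOL_DELETE`), so this should read `if ((iph.iph_flags & IPHASH_DELETE) != 0)`. Whether `printhashdata(hp, opts)` performs its own copy is not visible here and deserves the same check. The loop in the last hunk now walks `iph.iph_list`, so the `table` buffer that is still filled via `copyfunc` in the context lines appears unused afterwards unless it is freed later (its allocation is outside the hunk).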
@@ -1,16 +1,22 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: printhostmap.c,v 1.3.2.3 2006/09/30 21:42:07 darrenr Exp $ + */ + #include "ipf.h" void printhostmap(hmp, hv) hostmap_t *hmp; u_int hv; { - struct in_addr in; printf("%s,", inet_ntoa(hmp->hm_srcip)); printf("%s -> ", inet_ntoa(hmp->hm_dstip)); - in.s_addr = htonl(hmp->hm_mapip.s_addr); - printf("%s ", inet_ntoa(in)); + printf("%s ", inet_ntoa(hmp->hm_mapip)); printf("(use = %d hv = %u)\n", hmp->hm_ref, hv); } diff --git a/contrib/ipfilter/lib/printhostmask.c b/contrib/ipfilter/lib/printhostmask.c index 19f87a6c242d..44703c4c4636 100644 --- a/contrib/ipfilter/lib/printhostmask.c +++ b/contrib/ipfilter/lib/printhostmask.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printhostmask.c,v 1.8 2002/04/11 15:01:19 darrenr Exp $ + * $Id: printhostmask.c,v 1.8.4.1 2006/06/16 17:21:12 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printifname.c b/contrib/ipfilter/lib/printifname.c index bc74a3468524..2f7d912cf3e0 100644 --- a/contrib/ipfilter/lib/printifname.c +++ b/contrib/ipfilter/lib/printifname.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printifname.c,v 1.2 2002/01/28 06:50:47 darrenr Exp $ + * $Id: printifname.c,v 1.2.4.1 2006/06/16 17:21:12 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printip.c b/contrib/ipfilter/lib/printip.c index 8841f0a94f32..8c008afa9d24 100644 --- a/contrib/ipfilter/lib/printip.c +++ b/contrib/ipfilter/lib/printip.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printip.c,v 1.3 2002/07/13 12:10:27 darrenr Exp $ + * $Id: printip.c,v 1.3.4.1 2006/06/16 17:21:12 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printlog.c b/contrib/ipfilter/lib/printlog.c index dd18e981f673..82c0400759eb 100644 --- a/contrib/ipfilter/lib/printlog.c +++ b/contrib/ipfilter/lib/printlog.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printlog.c,v 1.6.4.2 2005/12/18 14:49:06 darrenr Exp $ + * $Id: printlog.c,v 1.6.4.3 2006/06/16 17:21:12 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printmask.c b/contrib/ipfilter/lib/printmask.c index 195b9a98ace2..9230dc0026a5 100644 --- a/contrib/ipfilter/lib/printmask.c +++ b/contrib/ipfilter/lib/printmask.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printmask.c,v 1.5 2002/06/15 04:48:33 darrenr Exp $ + * $Id: printmask.c,v 1.5.4.1 2006/06/16 17:21:13 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c index 67b5a279b703..62942ce4d4ea 100644 --- a/contrib/ipfilter/lib/printnat.c +++ b/contrib/ipfilter/lib/printnat.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * 
@@ -13,7 +13,7 @@ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.11 2005/11/14 17:45:06 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.14 2007/09/06 16:40:11 darrenr Exp $"; #endif /* @@ -48,10 +48,16 @@ int opts; break; } - printf(" %s", np->in_ifnames[0]); + if (!strcmp(np->in_ifnames[0], "-")) + printf(" \"%s\"", np->in_ifnames[0]); + else + printf(" %s", np->in_ifnames[0]); if ((np->in_ifnames[1][0] != '\0') && (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0)) { - printf(",%s", np->in_ifnames[1]); + if (!strcmp(np->in_ifnames[1], "-")) + printf(",\"%s\"", np->in_ifnames[1]); + else + printf(",%s", np->in_ifnames[1]); } putchar(' '); @@ -130,6 +136,8 @@ int opts; if (opts & OPT_DEBUG) printf("\tpmax %u\n", np->in_pmax); } else { + int protoprinted = 0; + if (!(np->in_flags & IPN_FILTER)) { printf("%s/", inet_ntoa(np->in_in[0].in4)); bits = count4bits(np->in_inmsk); @@ -166,6 +174,7 @@ int opts; printf(" %.*s/", (int)sizeof(np->in_plabel), np->in_plabel); printproto(pr, np->in_p, NULL); + protoprinted = 1; } else if (np->in_redir == NAT_MAPBLK) { if ((np->in_pmin == 0) && (np->in_flags & IPN_AUTOPORTMAP)) @@ -181,6 +190,7 @@ int opts; printf(" portmap "); } printproto(pr, np->in_p, np); + protoprinted = 1; if (np->in_flags & IPN_AUTOPORTMAP) { printf(" auto"); if (opts & OPT_DEBUG) @@ -192,9 +202,6 @@ int opts; printf(" %d:%d", ntohs(np->in_pmin), ntohs(np->in_pmax)); } - } else if (np->in_flags & IPN_TCPUDP || np->in_p) { - putchar(' '); - printproto(pr, np->in_p, np); } if (np->in_flags & IPN_FRAG) @@ -206,6 +213,10 @@ int opts; printf(" mssclamp %d", np->in_mssclamp); if (np->in_tag.ipt_tag[0] != '\0') printf(" tag %s", np->in_tag.ipt_tag); + if (!protoprinted && (np->in_flags & IPN_TCPUDP || np->in_p)) { + putchar(' '); + printproto(pr, np->in_p, np); + } printf("\n"); if (opts & OPT_DEBUG) { struct in_addr nip; 
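Review bot: The new quoting of a `-` interface name is written out twice, once for `in_ifnames[0]` and once for `in_ifnames[1]`, with only the leading separator differing. A small static helper, e.g. `static void printifname_q(const char *sep, const char *name)` that emits `sep` followed by either `"%s"` in quotes or bare `%s`, would keep the two branches from drifting apart. The relocation of `printproto` behind `protoprinted` is consistent with the two places that set it inside the same `else` block; a one-line comment at the declaration, `/* set once the protocol has been printed so it is not repeated after tag/mssclamp */`, would document why the flag exists. printnat's body continues outside these hunks.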
diff --git a/contrib/ipfilter/lib/printpacket.c b/contrib/ipfilter/lib/printpacket.c index 7090e383ae19..25a4d5a8f7da 100644 --- a/contrib/ipfilter/lib/printpacket.c +++ b/contrib/ipfilter/lib/printpacket.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printpacket.c,v 1.12.4.2 2005/12/04 09:33:06 darrenr Exp $ + * $Id: printpacket.c,v 1.12.4.5 2007/09/09 22:15:30 darrenr Exp $ */ #include "ipf.h" @@ -43,6 +43,7 @@ struct ip *ip; putchar(' '); } putchar('\n'); + putchar('\n'); return; } @@ -55,7 +56,7 @@ struct ip *ip; printf("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len), IP_HL(ip) << 2, ip->ip_p); if (off & IP_OFFMASK) - printf(" @%d", off << 3); + printf(" @%d", (off & IP_OFFMASK) << 3); printf(" %s", inet_ntoa(ip->ip_src)); if (!(off & IP_OFFMASK)) if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) diff --git a/contrib/ipfilter/lib/printpacket6.c b/contrib/ipfilter/lib/printpacket6.c index 2ddffed67276..ca3b42133a3e 100644 --- a/contrib/ipfilter/lib/printpacket6.c +++ b/contrib/ipfilter/lib/printpacket6.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: printpacket6.c,v 1.3.4.1 2006/06/16 17:21:13 darrenr Exp $ + */ + #include "ipf.h" /* diff --git a/contrib/ipfilter/lib/printpool.c b/contrib/ipfilter/lib/printpool.c index 4bd48aa6bf73..4ab85fac8c35 100644 --- a/contrib/ipfilter/lib/printpool.c +++ b/contrib/ipfilter/lib/printpool.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ 
@@ -26,58 +26,12 @@ int opts; if ((name != NULL) && strncmp(name, ipp.ipo_name, FR_GROUPLEN)) return ipp.ipo_next; - if ((opts & OPT_DEBUG) == 0) { - if ((ipp.ipo_flags & IPOOL_ANON) != 0) - PRINTF("# 'anonymous' tree %s\n", ipp.ipo_name); - PRINTF("table role = "); - } else { - PRINTF("Name: %s", ipp.ipo_name); - if ((ipp.ipo_flags & IPOOL_ANON) == IPOOL_ANON) - PRINTF("(anon)"); - putchar(' '); - PRINTF("Role: "); - } + printpooldata(&ipp, opts); - switch (ipp.ipo_unit) - { - case IPL_LOGIPF : - printf("ipf"); - break; - case IPL_LOGNAT : - printf("nat"); - break; - case IPL_LOGSTATE : - printf("state"); - break; - case IPL_LOGAUTH : - printf("auth"); - break; - case IPL_LOGSYNC : - printf("sync"); - break; - case IPL_LOGSCAN : - printf("scan"); - break; - case IPL_LOGLOOKUP : - printf("lookup"); - break; - case IPL_LOGCOUNT : - printf("count"); - break; - default : - printf("unknown(%d)", ipp.ipo_unit); - } - - if ((opts & OPT_DEBUG) == 0) { - PRINTF(" type = tree number = %s\n", ipp.ipo_name); + if ((ipp.ipo_flags & IPOOL_DELETE) != 0) + PRINTF("# "); + if ((opts & OPT_DEBUG) == 0) PRINTF("\t{"); - } else { - putchar(' '); - - PRINTF("\tReferences: %d\tHits: %lu\n", ipp.ipo_ref, - ipp.ipo_hits); - PRINTF("\tNodes Starting at %p\n", ipp.ipo_list); - } ipnpn = ipp.ipo_list; ipp.ipo_list = NULL; diff --git a/contrib/ipfilter/lib/printpoolnode.c b/contrib/ipfilter/lib/printpoolnode.c index ec8ac3e9fffa..3327b8a5a43a 100644 --- a/contrib/ipfilter/lib/printpoolnode.c +++ b/contrib/ipfilter/lib/printpoolnode.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ 
@@ -23,11 +23,11 @@ int opts; printip((u_32_t *)&np->ipn_addr.adf_addr.in4); printmask((u_32_t *)&np->ipn_mask.adf_addr); } else { - PRINTF("\t\t%s%s", np->ipn_info ? "! " : "", + PRINTF("\tAddress: %s%s", np->ipn_info ? "! " : "", inet_ntoa(np->ipn_addr.adf_addr.in4)); printmask((u_32_t *)&np->ipn_mask.adf_addr); - PRINTF("\n\t\tHits %lu\tName %s\n", - np->ipn_hits, np->ipn_name); + PRINTF("\t\tHits %lu\tName %s\tRef %d\n", + np->ipn_hits, np->ipn_name, np->ipn_ref); } return np->ipn_next; } diff --git a/contrib/ipfilter/lib/printportcmp.c b/contrib/ipfilter/lib/printportcmp.c index 3f00db7731fb..6a1a461b6206 100644 --- a/contrib/ipfilter/lib/printportcmp.c +++ b/contrib/ipfilter/lib/printportcmp.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printportcmp.c,v 1.7 2003/02/16 02:31:05 darrenr Exp $ + * $Id: printportcmp.c,v 1.7.4.1 2006/06/16 17:21:14 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/printproto.c b/contrib/ipfilter/lib/printproto.c index dd0ce39ca57e..e65ec1160826 100644 --- a/contrib/ipfilter/lib/printproto.c +++ b/contrib/ipfilter/lib/printproto.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-2005 by Darren Reed. + * Copyright (C) 2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -8,7 +8,7 @@ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.2.1 2005/06/12 07:21:53 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.2.2 2006/06/16 17:21:14 darrenr Exp $"; #endif diff --git a/contrib/ipfilter/lib/printsbuf.c b/contrib/ipfilter/lib/printsbuf.c index cfa9171d1f4a..f6c633c13fd6 100644 --- a/contrib/ipfilter/lib/printsbuf.c +++ b/contrib/ipfilter/lib/printsbuf.c 
@@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: printsbuf.c,v 1.2.4.2 2006/06/16 17:21:14 darrenr Exp $ + */ + #ifdef IPFILTER_SCAN #include diff --git a/contrib/ipfilter/lib/printstate.c b/contrib/ipfilter/lib/printstate.c index c8e238da10cc..a8777b2b59f2 100644 --- a/contrib/ipfilter/lib/printstate.c +++ b/contrib/ipfilter/lib/printstate.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2002-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ 
@@ -17,64 +17,64 @@ ipstate_t *sp; int opts; u_long now; { - ipstate_t ips; synclist_t ipsync; - if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips))) - return NULL; + if (sp->is_phnext == NULL) + PRINTF("ORPHAN "); + PRINTF("%s -> ", hostname(sp->is_v, &sp->is_src.in4)); + PRINTF("%s pass %#x pr %d state %d/%d", + hostname(sp->is_v, &sp->is_dst.in4), sp->is_pass, sp->is_p, + sp->is_state[0], sp->is_state[1]); + if (opts & OPT_DEBUG) + PRINTF(" bkt %d ref %d", sp->is_hv, sp->is_ref); + PRINTF("\n\ttag %u ttl %lu", sp->is_tag, sp->is_die - now); - PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4)); - PRINTF("%s pass %#x pr %d state %d/%d bkt %d\n", - hostname(ips.is_v, &ips.is_dst.in4), ips.is_pass, ips.is_p, - ips.is_state[0], ips.is_state[1], ips.is_hv); - PRINTF("\ttag %u ttl %lu", ips.is_tag, ips.is_die - now); - - if (ips.is_p == IPPROTO_TCP) { + if (sp->is_p == IPPROTO_TCP) { PRINTF("\n\t%hu -> %hu %x:%x %hu<<%d:%hu<<%d\n", - ntohs(ips.is_sport), ntohs(ips.is_dport), - ips.is_send, ips.is_dend, - ips.is_maxswin, ips.is_swinscale, - ips.is_maxdwin, ips.is_dwinscale); - PRINTF("\tcmsk %04x smsk %04x isc %p s0 %08x/%08x\n", - ips.is_smsk[0], ips.is_smsk[1], ips.is_isc, - ips.is_s0[0], ips.is_s0[1]); + ntohs(sp->is_sport), ntohs(sp->is_dport), + sp->is_send, sp->is_dend, + sp->is_maxswin, sp->is_swinscale, + sp->is_maxdwin, sp->is_dwinscale); + PRINTF("\tcmsk %04x smsk %04x s0 %08x/%08x\n", + sp->is_smsk[0], sp->is_smsk[1], + sp->is_s0[0], sp->is_s0[1]); PRINTF("\tFWD:ISN inc %x sumd %x\n", - ips.is_isninc[0], ips.is_sumd[0]); + sp->is_isninc[0], sp->is_sumd[0]); PRINTF("\tREV:ISN inc %x sumd %x\n", - ips.is_isninc[1], ips.is_sumd[1]); + sp->is_isninc[1], sp->is_sumd[1]); #ifdef IPFILTER_SCAN PRINTF("\tsbuf[0] ["); - printsbuf(ips.is_sbuf[0]); + printsbuf(sp->is_sbuf[0]); PRINTF("] sbuf[1] ["); - printsbuf(ips.is_sbuf[1]); + printsbuf(sp->is_sbuf[1]); PRINTF("]\n"); #endif - } else if (ips.is_p == IPPROTO_UDP) { - PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport), - 
ntohs(ips.is_dport)); - } else if (ips.is_p == IPPROTO_GRE) { - PRINTF(" call %hx/%hx\n", ntohs(ips.is_gre.gs_call[0]), - ntohs(ips.is_gre.gs_call[1])); - } else if (ips.is_p == IPPROTO_ICMP + } else if (sp->is_p == IPPROTO_UDP) { + PRINTF(" %hu -> %hu\n", ntohs(sp->is_sport), + ntohs(sp->is_dport)); + } else if (sp->is_p == IPPROTO_GRE) { + PRINTF(" call %hx/%hx\n", ntohs(sp->is_gre.gs_call[0]), + ntohs(sp->is_gre.gs_call[1])); + } else if (sp->is_p == IPPROTO_ICMP #ifdef USE_INET6 - || ips.is_p == IPPROTO_ICMPV6 + || sp->is_p == IPPROTO_ICMPV6 #endif ) - PRINTF(" id %hu seq %hu type %d\n", ips.is_icmp.ici_id, - ips.is_icmp.ici_seq, ips.is_icmp.ici_type); + PRINTF(" id %hu seq %hu type %d\n", sp->is_icmp.ici_id, + sp->is_icmp.ici_seq, sp->is_icmp.ici_type); #ifdef USE_QUAD_T PRINTF("\tforward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n\tbackward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n", - ips.is_pkts[0], ips.is_bytes[0], - ips.is_pkts[1], ips.is_bytes[1], - ips.is_pkts[2], ips.is_bytes[2], - ips.is_pkts[3], ips.is_bytes[3]); + sp->is_pkts[0], sp->is_bytes[0], + sp->is_pkts[1], sp->is_bytes[1], + sp->is_pkts[2], sp->is_bytes[2], + sp->is_pkts[3], sp->is_bytes[3]); #else PRINTF("\tforward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n\tbackward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n", - ips.is_pkts[0], ips.is_bytes[0], - ips.is_pkts[1], ips.is_bytes[1], - ips.is_pkts[2], ips.is_bytes[2], - ips.is_pkts[3], ips.is_bytes[3]); + sp->is_pkts[0], sp->is_bytes[0], + sp->is_pkts[1], sp->is_bytes[1], + sp->is_pkts[2], sp->is_bytes[2], + sp->is_pkts[3], sp->is_bytes[3]); #endif PRINTF("\t"); 
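Review bot: Removing the `kmemcpy()` into the local `ips` changes what `sp` may be: the body now dereferences it directly, so the caller must hand over a user-space copy of the state entry where it previously passed a kernel address, and nothing in the function records that. The later hunks still `kmemcpy()` from `sp->is_sync` and still return `sp->is_next`, which suggests the pointer fields inside that copy remain kernel addresses that may only be compared or copied from, never dereferenced — the new `if (sp->is_phnext == NULL) PRINTF("ORPHAN ");` respects that, and a comment at the top of the body such as `/* sp points at a local copy of the state entry; its pointer fields (is_phnext, is_sync, is_next) are still kernel addresses and must not be dereferenced here */` would keep it that way. Separately, `sp->is_die - now` is printed with `%lu`, so an entry whose expiry has already passed shows a wrapped value; `sp->is_die > now ? sp->is_die - now : 0` would print 0 instead (types inferred from the format string). The function's signature is before the hunk and its body continues into the `@@ -83`, `@@ -101` and `@@ -185` hunks, which are the same mechanical `ips.` to `sp->` rename and need no separate note.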
@@ -83,11 +83,11 @@ u_long now; * Print out bits set in the result code for the state being * kept as they would for a rule. */ - if (FR_ISPASS(ips.is_pass)) { + if (FR_ISPASS(sp->is_pass)) { PRINTF("pass"); - } else if (FR_ISBLOCK(ips.is_pass)) { + } else if (FR_ISBLOCK(sp->is_pass)) { PRINTF("block"); - switch (ips.is_pass & FR_RETMASK) + switch (sp->is_pass & FR_RETMASK) { case FR_RETICMP : PRINTF(" return-icmp"); 
@@ -101,77 +101,77 @@ u_long now; default : break; } - } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) { + } else if ((sp->is_pass & FR_LOGMASK) == FR_LOG) { PRINTF("log"); - if (ips.is_pass & FR_LOGBODY) + if (sp->is_pass & FR_LOGBODY) PRINTF(" body"); - if (ips.is_pass & FR_LOGFIRST) + if (sp->is_pass & FR_LOGFIRST) PRINTF(" first"); - } else if (FR_ISACCOUNT(ips.is_pass)) { + } else if (FR_ISACCOUNT(sp->is_pass)) { PRINTF("count"); - } else if (FR_ISPREAUTH(ips.is_pass)) { + } else if (FR_ISPREAUTH(sp->is_pass)) { PRINTF("preauth"); - } else if (FR_ISAUTH(ips.is_pass)) + } else if (FR_ISAUTH(sp->is_pass)) PRINTF("auth"); - if (ips.is_pass & FR_OUTQUE) + if (sp->is_pass & FR_OUTQUE) PRINTF(" out"); else PRINTF(" in"); - if ((ips.is_pass & FR_LOG) != 0) { + if ((sp->is_pass & FR_LOG) != 0) { PRINTF(" log"); - if (ips.is_pass & FR_LOGBODY) + if (sp->is_pass & FR_LOGBODY) PRINTF(" body"); - if (ips.is_pass & FR_LOGFIRST) + if (sp->is_pass & FR_LOGFIRST) PRINTF(" first"); - if (ips.is_pass & FR_LOGORBLOCK) + if (sp->is_pass & FR_LOGORBLOCK) PRINTF(" or-block"); } - if (ips.is_pass & FR_QUICK) + if (sp->is_pass & FR_QUICK) PRINTF(" quick"); - if (ips.is_pass & FR_KEEPFRAG) + if (sp->is_pass & FR_KEEPFRAG) PRINTF(" keep frags"); /* a given; no? 
*/ - if (ips.is_pass & FR_KEEPSTATE) { + if (sp->is_pass & FR_KEEPSTATE) { PRINTF(" keep state"); - if (ips.is_pass & FR_STATESYNC) + if (sp->is_pass & FR_STATESYNC) PRINTF(" ( sync )"); } - PRINTF("\tIPv%d", ips.is_v); + PRINTF("\tIPv%d", sp->is_v); PRINTF("\n"); PRINTF("\tpkt_flags & %x(%x) = %x,\t", - ips.is_flags & 0xf, ips.is_flags, - ips.is_flags >> 4); - PRINTF("\tpkt_options & %x = %x, %x = %x \n", ips.is_optmsk[0], - ips.is_opt[0], ips.is_optmsk[1], ips.is_opt[1]); + sp->is_flags & 0xf, sp->is_flags, + sp->is_flags >> 4); + PRINTF("\tpkt_options & %x = %x, %x = %x \n", sp->is_optmsk[0], + sp->is_opt[0], sp->is_optmsk[1], sp->is_opt[1]); PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", - ips.is_secmsk, ips.is_sec, ips.is_authmsk, - ips.is_auth); - PRINTF("\tis_flx %#x %#x %#x %#x\n", ips.is_flx[0][0], ips.is_flx[0][1], - ips.is_flx[1][0], ips.is_flx[1][1]); - PRINTF("\tinterfaces: in %s[%s", getifname(ips.is_ifp[0]), - ips.is_ifname[0]); + sp->is_secmsk, sp->is_sec, sp->is_authmsk, + sp->is_auth); + PRINTF("\tis_flx %#x %#x %#x %#x\n", sp->is_flx[0][0], sp->is_flx[0][1], + sp->is_flx[1][0], sp->is_flx[1][1]); + PRINTF("\tinterfaces: in %s[%s", getifname(sp->is_ifp[0]), + sp->is_ifname[0]); if (opts & OPT_DEBUG) - PRINTF("/%p", ips.is_ifp[0]); + PRINTF("/%p", sp->is_ifp[0]); putchar(']'); - PRINTF(",%s[%s", getifname(ips.is_ifp[1]), ips.is_ifname[1]); + PRINTF(",%s[%s", getifname(sp->is_ifp[1]), sp->is_ifname[1]); if (opts & OPT_DEBUG) - PRINTF("/%p", ips.is_ifp[1]); + PRINTF("/%p", sp->is_ifp[1]); putchar(']'); - PRINTF(" out %s[%s", getifname(ips.is_ifp[2]), ips.is_ifname[2]); + PRINTF(" out %s[%s", getifname(sp->is_ifp[2]), sp->is_ifname[2]); if (opts & OPT_DEBUG) - PRINTF("/%p", ips.is_ifp[2]); + PRINTF("/%p", sp->is_ifp[2]); putchar(']'); - PRINTF(",%s[%s", getifname(ips.is_ifp[3]), ips.is_ifname[3]); + PRINTF(",%s[%s", getifname(sp->is_ifp[3]), sp->is_ifname[3]); if (opts & OPT_DEBUG) - PRINTF("/%p", ips.is_ifp[3]); + PRINTF("/%p", 
sp->is_ifp[3]); PRINTF("]\n"); - if (ips.is_sync != NULL) { + if (sp->is_sync != NULL) { - if (kmemcpy((char *)&ipsync, (u_long)ips.is_sync, sizeof(ipsync))) { + if (kmemcpy((char *)&ipsync, (u_long)sp->is_sync, sizeof(ipsync))) { PRINTF("\tSync status: status could not be retrieved\n"); return NULL; @@ -185,5 +185,5 @@ u_long now; PRINTF("\tSync status: not synchronized\n"); } - return ips.is_next; + return sp->is_next; } diff --git a/contrib/ipfilter/lib/printtunable.c b/contrib/ipfilter/lib/printtunable.c index 12e019dbc6c1..aa7ae5d0e578 100644 --- a/contrib/ipfilter/lib/printtunable.c +++ b/contrib/ipfilter/lib/printtunable.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2003 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: printtunable.c,v 1.1.4.1 2006/06/16 17:21:15 darrenr Exp $ + */ + #include "ipf.h" void printtunable(tup) diff --git a/contrib/ipfilter/lib/ratoi.c b/contrib/ipfilter/lib/ratoi.c deleted file mode 100644 index 078f566bdd42..000000000000 --- a/contrib/ipfilter/lib/ratoi.c +++ /dev/null @@ -1,26 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: ratoi.c,v 1.4 2001/06/09 17:09:25 darrenr Exp $ - */ - -#include "ipf.h" - - -int ratoi(ps, pi, min, max) -char *ps; -int *pi, min, max; -{ - int i; - char *pe; - - i = (int)strtol(ps, &pe, 0); - if (*pe != '\0' || i < min || i > max) - return 0; - *pi = i; - return 1; -} diff --git a/contrib/ipfilter/lib/ratoui.c b/contrib/ipfilter/lib/ratoui.c deleted file mode 100644 index 4cf6a5a9cfc8..000000000000 --- a/contrib/ipfilter/lib/ratoui.c +++ /dev/null 
@@ -1,26 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: ratoui.c,v 1.4 2001/06/09 17:09:25 darrenr Exp $ - */ - -#include "ipf.h" - - -int ratoui(ps, pi, min, max) -char *ps; -u_int *pi, min, max; -{ - u_int i; - char *pe; - - i = (u_int)strtol(ps, &pe, 0); - if (*pe != '\0' || i < min || i > max) - return 0; - *pi = i; - return 1; -} diff --git a/contrib/ipfilter/lib/remove_hash.c b/contrib/ipfilter/lib/remove_hash.c index a60bdd3c9f44..297db4827d73 100644 --- a/contrib/ipfilter/lib/remove_hash.c +++ b/contrib/ipfilter/lib/remove_hash.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: remove_hash.c,v 1.1 2003/04/13 06:40:14 darrenr Exp $ + * $Id: remove_hash.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/remove_hashnode.c b/contrib/ipfilter/lib/remove_hashnode.c index 0b2098c0a818..47a19dcaa62f 100644 --- a/contrib/ipfilter/lib/remove_hashnode.c +++ b/contrib/ipfilter/lib/remove_hashnode.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: remove_hashnode.c,v 1.1 2003/04/13 06:40:14 darrenr Exp $ + * $Id: remove_hashnode.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/remove_pool.c b/contrib/ipfilter/lib/remove_pool.c index 8fbad2e5cae2..1e7fe5f16cdf 100644 --- a/contrib/ipfilter/lib/remove_pool.c +++ b/contrib/ipfilter/lib/remove_pool.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: remove_pool.c,v 1.1 2003/04/13 06:40:14 darrenr Exp $ + * $Id: remove_pool.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/remove_poolnode.c b/contrib/ipfilter/lib/remove_poolnode.c index 51649ba73c38..c80ff7093c67 100644 --- a/contrib/ipfilter/lib/remove_poolnode.c +++ b/contrib/ipfilter/lib/remove_poolnode.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2002 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: remove_poolnode.c,v 1.3 2003/11/22 10:14:36 darrenr Exp $ + * $Id: remove_poolnode.c,v 1.3.2.1 2006/06/16 17:21:16 darrenr Exp $ */ #include diff --git a/contrib/ipfilter/lib/resetlexer.c b/contrib/ipfilter/lib/resetlexer.c index 19eb161460a7..8ea83f101a23 100644 --- a/contrib/ipfilter/lib/resetlexer.c +++ b/contrib/ipfilter/lib/resetlexer.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: resetlexer.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $ + */ + #include "ipf.h" long string_start = -1; diff --git a/contrib/ipfilter/lib/rwlock_emul.c b/contrib/ipfilter/lib/rwlock_emul.c index d3beb6037b74..1ee247570082 100644 --- a/contrib/ipfilter/lib/rwlock_emul.c +++ b/contrib/ipfilter/lib/rwlock_emul.c @@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2003 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: rwlock_emul.c,v 1.1.4.1 2006/06/16 17:21:17 darrenr Exp $ + */ + #include "ipf.h" #define EMM_MAGIC 0x97dd8b3a diff --git a/contrib/ipfilter/lib/tcp_flags.c b/contrib/ipfilter/lib/tcp_flags.c index d6b5034ac262..0b602e66ab30 100644 --- a/contrib/ipfilter/lib/tcp_flags.c +++ b/contrib/ipfilter/lib/tcp_flags.c 
@@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2004 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: tcp_flags.c,v 1.8 2004/02/07 18:15:54 darrenr Exp $ + * $Id: tcp_flags.c,v 1.8.2.1 2006/06/16 17:21:17 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/tcpflags.c b/contrib/ipfilter/lib/tcpflags.c index e5763d7ff1f9..f01d7dc31573 100644 --- a/contrib/ipfilter/lib/tcpflags.c +++ b/contrib/ipfilter/lib/tcpflags.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: tcpflags.c,v 1.3 2002/11/02 07:18:01 darrenr Exp $ + * $Id: tcpflags.c,v 1.3.4.1 2006/06/16 17:21:17 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/tcpoptnames.c b/contrib/ipfilter/lib/tcpoptnames.c deleted file mode 100644 index a215c5508b74..000000000000 --- a/contrib/ipfilter/lib/tcpoptnames.c +++ /dev/null @@ -1,22 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: tcpoptnames.c,v 1.5 2002/01/28 06:50:48 darrenr Exp $ - */ - -#include "ipf.h" - - -struct ipopt_names tcpoptnames[] ={ - { TCPOPT_NOP, 0x000001, 1, "nop" }, - { TCPOPT_MAXSEG, 0x000002, 4, "maxseg" }, - { TCPOPT_WINDOW, 0x000004, 3, "wscale" }, - { TCPOPT_SACK_PERMITTED, 0x000008, 2, "sackok" }, - { TCPOPT_SACK, 0x000010, 3, "sack" }, - { TCPOPT_TIMESTAMP, 0x000020, 10, "tstamp" }, - { 0, 0, 0, (char *)NULL } /* must be last */ -}; diff --git a/contrib/ipfilter/lib/to_interface.c b/contrib/ipfilter/lib/to_interface.c deleted file mode 100644 index 34fad266081b..000000000000 --- a/contrib/ipfilter/lib/to_interface.c +++ /dev/null 
@@ -1,31 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: to_interface.c,v 1.8 2002/01/28 06:50:48 darrenr Exp $ - */ - -#include "ipf.h" - - -int to_interface(fdp, to, linenum) -frdest_t *fdp; -char *to; -int linenum; -{ - char *s; - - s = strchr(to, ':'); - fdp->fd_ifp = NULL; - if (s) { - *s++ = '\0'; - if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum, NULL) == -1) - return -1; - } - (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1); - fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0'; - return 0; -} diff --git a/contrib/ipfilter/lib/v6ionames.c b/contrib/ipfilter/lib/v6ionames.c index 224a81504fe2..b57b301e67bc 100644 --- a/contrib/ipfilter/lib/v6ionames.c +++ b/contrib/ipfilter/lib/v6ionames.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2003-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: v6ionames.c,v 1.1.4.2 2005/10/17 18:31:09 darrenr Exp $ + * $Id: v6ionames.c,v 1.1.4.3 2006/06/16 17:21:18 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/v6optvalue.c b/contrib/ipfilter/lib/v6optvalue.c index a2e013973e5b..a60d076bfbb7 100644 --- a/contrib/ipfilter/lib/v6optvalue.c +++ b/contrib/ipfilter/lib/v6optvalue.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: v6optvalue.c,v 1.1 2003/04/26 04:55:58 darrenr Exp $ + * $Id: v6optvalue.c,v 1.1.4.1 2006/06/16 17:21:18 darrenr Exp $ */ #include "ipf.h" diff --git a/contrib/ipfilter/lib/var.c b/contrib/ipfilter/lib/var.c index 5f3e0150fba5..4a62d7aed2e7 100644 --- a/contrib/ipfilter/lib/var.c +++ b/contrib/ipfilter/lib/var.c 
@@ -1,5 +1,13 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: var.c,v 1.4.2.3 2006/06/16 17:21:18 darrenr Exp $ + */ + #include #include "ipf.h" diff --git a/contrib/ipfilter/lib/verbose.c b/contrib/ipfilter/lib/verbose.c index bd01bcdf1381..f1b4516a96cd 100644 --- a/contrib/ipfilter/lib/verbose.c +++ b/contrib/ipfilter/lib/verbose.c @@ -1,11 +1,11 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2000-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: verbose.c,v 1.6 2001/06/09 17:09:25 darrenr Exp $ + * $Id: verbose.c,v 1.6.4.1 2006/06/16 17:21:18 darrenr Exp $ */ #if defined(__STDC__) diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index bcf9307e0d91..678010f73d26 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 @@ -74,6 +74,17 @@ one of the two options may be given. A fully established connection will show up in \fBipfstat -s\fP output as 5/5, with deviations either way indicating it is not fully established any more. .TP +.BR \-F <5|6|7|8|9|10|11> +For the TCP states that represent the closing of a connection has begun, +be it only one side or the complete connection, it is possible to flush +those states directly using the number corresponding to that state. +The numbers relate to the states as follows: 5 = close-wait, 6 = fin-wait-1, +7 = closing, 8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed. +.TP +.BR \-F +If the argument supplied to \fB-F\fP is greater than 30, then state table +entries that have been idle for more than this many seconds will be flushed. +.TP .BR \-f \0 This option specifies which files \fBipf\fP should use to get input from for modifying the packet filter rule 
@@ -105,6 +116,7 @@ Remove matching filter rules rather than add them to the internal lists .TP .B \-s Swap the active filter list in use to be the "other" one. +.TP .B \-T This option allows run-time changing of IPFilter kernel variables. Some variables require IPFilter to be in a disabled state (\fB-D\fP) for changing, diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index d0cb2a932b44..44ba8ba0d430 100644 --- a/contrib/ipfilter/man/ipfstat.8 +++ b/contrib/ipfilter/man/ipfstat.8 @@ -124,7 +124,11 @@ seconds between an update. Any positive integer can be used. The default (and minimal update time) is 1. .TP .B \-v -Turn verbose mode on. Displays more debugging information. +Turn verbose mode on. Displays more debugging information. When used with +either \fB-i\fP or \fB-o\fP, counters associated with the rule, such as the +number of times it has been matched and the number of bytes from such packets +is displayed. For "keep state" rules, a count of the number of state sessions +active against the rule is also displayed. .SH SYNOPSIS The role of \fBipfstat\fP is to display current kernel statistics gathered as a result of applying the filters in place (if any) to packets going in and diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 2a35d16b970a..1082e06ec262 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -107,6 +107,7 @@ even should the result be zero. .B \-L Using this option allows you to change the default syslog facility that ipmon uses for syslog messages. The default is local0. +.TP .B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5 index 974a0e8981fb..367eb8d6f2bb 100644 --- a/contrib/ipfilter/man/ippool.5 +++ b/contrib/ipfilter/man/ippool.5 
@@ -94,7 +94,7 @@ to use the tree data storage type with configuration entries. .SH POOL ROLES .PP -When a pool is defined in the configruation file, it must have an associated +When a pool is defined in the configuration file, it must have an associated role. At present the only supported role is .B ipf. Future development will see futher expansion of their use by other sections diff --git a/contrib/ipfilter/md5.h b/contrib/ipfilter/md5.h index 82705312fbed..914df74355a0 100644 --- a/contrib/ipfilter/md5.h +++ b/contrib/ipfilter/md5.h @@ -39,7 +39,7 @@ *********************************************************************** */ -#ifndef __MD5_INCLUDE__ +#if !defined(__MD5_INCLUDE__) && !defined(_SYS_MD5_H) #ifndef __P # ifdef __STDC__ diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c deleted file mode 100644 index ca79596e3844..000000000000 --- a/contrib/ipfilter/mlf_ipl.c +++ /dev/null 
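Review bot: The widened guard `#if !defined(__MD5_INCLUDE__) && !defined(_SYS_MD5_H)` silently drops the bundled MD5 declarations whenever the system header's guard is already defined, which only works if that header declares a compatible `MD5_CTX` and the same function names; nothing in the hunk records that assumption. A comment on the `#if`, e.g. `/* prefer the system <sys/md5.h> when it is already included; its MD5_CTX layout and function names must match the declarations below */`, would tell the next reader why this is not a plain include guard. The matching `#endif` and any `#define __MD5_INCLUDE__` are outside the hunk, so whether the rest of the header behaves on the system-header path could not be checked from here.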
@@ -1,469 +0,0 @@ -/* $FreeBSD$ */ - -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -/* - * 29/12/94 Added code from Marc Huber to allow it to allocate - * its own major char number! Way cool patch! - */ - - -#include - -#ifdef IPFILTER_LKM -# ifndef __FreeBSD_cc_version -# include -# else -# if __FreeBSD_cc_version < 430000 -# include -# endif -# endif -# define ACTUALLY_LKM_NOT_KERNEL -#else -# ifndef __FreeBSD_cc_version -# include -# else -# if __FreeBSD_cc_version < 430000 -# include -# endif -# endif -#endif -#include -#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) -# ifndef ACTUALLY_LKM_NOT_KERNEL -# include "opt_devfs.h" -# endif -# include -# include -# ifdef DEVFS -# include -# endif /*DEVFS*/ -#endif -#include -#include -#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) -# include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#if BSD >= 199506 -# include -#endif -#if (__FreeBSD_version >= 300000) -# include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "netinet/ipl.h" -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "netinet/ip_state.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_auth.h" -#include "netinet/ip_frag.h" - - -#if !defined(VOP_LEASE) && defined(LEASE_CHECK) -#define VOP_LEASE LEASE_CHECK -#endif - -int xxxinit __P((struct lkm_table *, int, int)); - -#ifdef SYSCTL_OID -int sysctl_ipf_int SYSCTL_HANDLER_ARGS; -# define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \ - SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \ - ptr, val, sysctl_ipf_int, "I", descr); -# define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */ -# define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF) -SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF"); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, 
CTLFLAG_RW, &fr_flags, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO, - &fr_tcpidletimeout, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO, - &fr_tcphalfclosed, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO, - &fr_tcpclosewait, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO, - &fr_tcplastack, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO, - &fr_tcptimeout, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO, - &fr_tcpclosed, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO, - &fr_udptimeout, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO, - &fr_icmptimeout, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO, - &fr_defnatage, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW, - &fr_ipfrttl, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, - &fr_running, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO, - &fr_statesize, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO, - &fr_statemax, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO, - &fr_authsize, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, - &fr_authused, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW, - &fr_defaultauthage, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW, - &ippr_ftp_pasvonly, 0, ""); -#endif - -#ifdef DEVFS -static void *ipf_devfs[IPL_LOGSIZE]; -#endif - -#if !defined(__FreeBSD_version) 
|| (__FreeBSD_version < 220000) -int ipl_major = 0; - -static struct cdevsw ipldevsw = -{ - iplopen, /* open */ - iplclose, /* close */ - iplread, /* read */ - (void *)nullop, /* write */ - iplioctl, /* ioctl */ - (void *)nullop, /* stop */ - (void *)nullop, /* reset */ - (void *)NULL, /* tty */ - (void *)nullop, /* select */ - (void *)nullop, /* mmap */ - NULL /* strategy */ -}; - -MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw); - -extern struct cdevsw cdevsw[]; -extern int vd_unuseddev __P((void)); -extern int nchrdev; -#else - -static struct cdevsw ipl_cdevsw = { - iplopen, iplclose, iplread, nowrite, /* 79 */ - iplioctl, nostop, noreset, nodevtotty, -#if (__FreeBSD_version >= 300000) - seltrue, nommap, nostrategy, "ipl", -#else - noselect, nommap, nostrategy, "ipl", -#endif - NULL, -1 -}; -#endif - -static void ipl_drvinit __P((void *)); - -#ifdef ACTUALLY_LKM_NOT_KERNEL -static int if_ipl_unload __P((struct lkm_table *, int)); -static int if_ipl_load __P((struct lkm_table *, int)); -static int if_ipl_remove __P((void)); -static int ipl_major = CDEV_MAJOR; - -static int iplaction __P((struct lkm_table *, int)); -static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, - IPL_SCAN, IPL_SYNC, IPL_POOL, NULL }; - -extern int lkmenodev __P((void)); - -static int iplaction(lkmtp, cmd) -struct lkm_table *lkmtp; -int cmd; -{ -#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) - int i = ipl_major; - struct lkm_dev *args = lkmtp->private.lkm_dev; -#endif - int err = 0; - - switch (cmd) - { - case LKM_E_LOAD : - if (lkmexists(lkmtp)) - return EEXIST; - -#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) - for (i = 0; i < nchrdev; i++) - if (cdevsw[i].d_open == lkmenodev || - cdevsw[i].d_open == iplopen) - break; - if (i == nchrdev) { - printf("IP Filter: No free cdevsw slots\n"); - return ENODEV; - } - - ipl_major = i; - args->lkm_offset = i; /* slot in cdevsw[] */ -#endif - printf("IP Filter: loaded into slot %d\n", ipl_major); - 
err = if_ipl_load(lkmtp, cmd); - if (!err) - ipl_drvinit((void *)NULL); - return err; - break; - case LKM_E_UNLOAD : - err = if_ipl_unload(lkmtp, cmd); - if (!err) { - printf("IP Filter: unloaded from slot %d\n", - ipl_major); -#ifdef DEVFS - if (ipf_devfs[IPL_LOGIPF]) - devfs_remove_dev(ipf_devfs[IPL_LOGIPF]); - if (ipf_devfs[IPL_LOGNAT]) - devfs_remove_dev(ipf_devfs[IPL_LOGNAT]); - if (ipf_devfs[IPL_LOGSTATE]) - devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]); - if (ipf_devfs[IPL_LOGAUTH]) - devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]); - if (ipf_devfs[IPL_LOGSCAN]) - devfs_remove_dev(ipf_devfs[IPL_LOGSCAN]); - if (ipf_devfs[IPL_LOGSYNC]) - devfs_remove_dev(ipf_devfs[IPL_LOGSYNC]); - if (ipf_devfs[IPL_LOGLOOKUP]) - devfs_remove_dev(ipf_devfs[IPL_LOGLOOKUP]); -#endif - } - return err; - case LKM_E_STAT : - break; - default: - err = EIO; - break; - } - return 0; -} - - -static int if_ipl_remove __P((void)) -{ - char *name; - struct nameidata nd; - int error, i; - - for (i = 0; (name = ipf_devfiles[i]); i++) { - NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc); - if ((error = namei(&nd))) - return (error); - VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); -#if (__FreeBSD_version >= 300000) - VOP_LOCK(nd.ni_vp, LK_RETRY | LK_EXCLUSIVE, curproc); - VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); - (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); - - if (nd.ni_dvp == nd.ni_vp) - vrele(nd.ni_dvp); - else - vput(nd.ni_dvp); - if (nd.ni_vp != NULLVP) - vput(nd.ni_vp); -#else - VOP_LOCK(nd.ni_vp); - VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); - (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); -#endif - } - - return 0; -} - - -static int if_ipl_unload(lkmtp, cmd) -struct lkm_table *lkmtp; -int cmd; -{ - int error = 0; - - error = ipldetach(); - if (!error) - error = if_ipl_remove(); - return error; -} - - -static int if_ipl_load(lkmtp, cmd) -struct lkm_table *lkmtp; -int cmd; -{ - struct nameidata nd; - struct vattr 
vattr; - int error = 0, fmode = S_IFCHR|0600, i; - char *name; - - error = iplattach(); - if (error) - return error; - (void) if_ipl_remove(); - - for (i = 0; (name = ipf_devfiles[i]); i++) { - NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc); - if ((error = namei(&nd))) - return error; - if (nd.ni_vp != NULL) { - VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd); - if (nd.ni_dvp == nd.ni_vp) - vrele(nd.ni_dvp); - else - vput(nd.ni_dvp); - vrele(nd.ni_vp); - return (EEXIST); - } - VATTR_NULL(&vattr); - vattr.va_type = VCHR; - vattr.va_mode = (fmode & 07777); - vattr.va_rdev = (ipl_major << 8) | i; - VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); - error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); -#if (__FreeBSD_version >= 300000) - vput(nd.ni_dvp); -#endif - if (error) - return error; - } - return 0; -} - -#endif /* actually LKM */ - -#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000) -/* - * strlen isn't present in 2.1.* kernels. - */ -size_t strlen(string) -char *string; -{ - register char *s; - - for (s = string; *s; s++) - ; - return (size_t)(s - string); -} - - -int xxxinit(lkmtp, cmd, ver) -struct lkm_table *lkmtp; -int cmd, ver; -{ - DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); -} -#else /* __FREEBSD_version >= 220000 */ -# ifdef IPFILTER_LKM -# include - -# if (__FreeBSD_version >= 300000) -MOD_DEV(if_ipl, LM_DT_CHAR, CDEV_MAJOR, &ipl_cdevsw); -# else -MOD_DECL(if_ipl); - - -static struct lkm_dev _module = { - LM_DEV, - LKM_VERSION, - IPL_VERSION, - CDEV_MAJOR, - LM_DT_CHAR, - { (void *)&ipl_cdevsw } -}; -# endif - - -int if_ipl __P((struct lkm_table *, int, int)); - - -int if_ipl(lkmtp, cmd, ver) -struct lkm_table *lkmtp; -int cmd, ver; -{ -# if (__FreeBSD_version >= 300000) - MOD_DISPATCH(if_ipl, lkmtp, cmd, ver, iplaction, iplaction, iplaction); -# else - DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); -# endif -} -# endif /* IPFILTER_LKM */ -static ipl_devsw_installed = 0; - -static void 
ipl_drvinit __P((void *unused)) -{ - dev_t dev; -# ifdef DEVFS - void **tp = ipf_devfs; -# endif - - if (!ipl_devsw_installed ) { - dev = makedev(CDEV_MAJOR, 0); - cdevsw_add(&dev, &ipl_cdevsw, NULL); - ipl_devsw_installed = 1; - -# ifdef DEVFS - tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF, - DV_CHR, 0, 0, 0600, "ipf"); - tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT, - DV_CHR, 0, 0, 0600, "ipnat"); - tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE, - DV_CHR, 0, 0, 0600, - "ipstate"); - tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH, - DV_CHR, 0, 0, 0600, - "ipauth"); -# endif - } -} - - -#ifdef SYSCTL_IPF -int -sysctl_ipf_int SYSCTL_HANDLER_ARGS -{ - int error = 0; - - if (arg1) - error = SYSCTL_OUT(req, arg1, sizeof(int)); - else - error = SYSCTL_OUT(req, &arg2, sizeof(int)); - - if (error || !req->newptr) - return (error); - - if (!arg1) - error = EPERM; - else { - if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0)) - error = EBUSY; - else - error = SYSCTL_IN(req, arg1, sizeof(int)); - } - return (error); -} -#endif - - -# if defined(IPFILTER_LKM) || \ - defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) -SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL) -# endif /* IPFILTER_LKM */ -#endif /* _FreeBSD_version */ diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c index e0c69edef048..8c67562553e2 100644 --- a/contrib/ipfilter/radix.c +++ b/contrib/ipfilter/radix.c @@ -76,8 +76,14 @@ void panic __P((char *str)); #include #include #include +#ifdef SOLARIS2 +# define _RADIX_H_ +#endif #include "netinet/ip_compat.h" #include "netinet/ip_fil.h" +#ifdef SOLARIS2 +# undef _RADIX_H_ +#endif /* END OF INCLUDES */ #include "radix_ipf.h" #ifndef min diff --git a/contrib/ipfilter/radix_ipf.h b/contrib/ipfilter/radix_ipf.h index 294407b612b0..11e4ba761aae 100644 --- a/contrib/ipfilter/radix_ipf.h +++ b/contrib/ipfilter/radix_ipf.h 
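Review bot: Defining `_RADIX_H_` around the two ipfilter includes is a trick whose purpose is not stated: on Solaris it presumably stops ip_compat.h or ip_fil.h from pulling in the system radix header so its definitions do not collide with the ones from `radix_ipf.h` included just below. A one-line comment on the first `#ifdef SOLARIS2` block, e.g. `/* SOLARIS2: pretend the system radix header is already included so the ipf headers do not drag it in; radix_ipf.h below supplies our own copy */`, would keep someone from removing it as dead code. It is also worth saying in that comment that the trick silently stops working if the system guard macro is ever renamed.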
@@ -42,7 +42,7 @@ # endif #endif -#if defined(__sgi) +#if defined(__sgi) || defined(__osf__) || defined(sun) # define radix_mask ipf_radix_mask # define radix_node ipf_radix_node # define radix_node_head ipf_radix_node_head @@ -163,7 +163,7 @@ struct radix_node_head { #define FreeS(p, z) KFREES(p, z) #define Free(p) KFREE(p) -#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516)) && defined(_KERNEL) +#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516) || defined(sun)) && defined(_KERNEL) # define rn_init ipf_rn_init # define rn_fini ipf_rn_fini # define rn_inithead ipf_rn_inithead diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index 192390801708..b0462f3f388d 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile @@ -6,7 +6,10 @@ BINDEST=/usr/local/bin SBINDEST=/sbin MANDIR=/usr/share/man -all: results tests +all: expected.d results tests + +expected.d: + (cd expected; make) results: mkdir -p results 
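Review bot: The recipe of the new `expected.d` target runs `(cd expected; make)`, which starts a plain `make` in the current directory if the `cd` fails and does not pass the parent's make program, flags or jobserver down; `(cd expected && $(MAKE))` avoids both. The same applies to the `(cd expected; make clean)` line added under `clean:` in the third hunk of this file. `expected.d` also names no file the recipe produces, so it is re-run on every `all`; that looks intended for a test tree, but declaring it `.PHONY: expected.d` (supported by BSD and GNU make) would make that explicit rather than accidental.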
@@ -21,43 +24,43 @@ first: -mkdir -p results # Filtering tests -ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 +ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \ i20 i21 -ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 +ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16 nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \ - ni16 ni19 ni20 ni21 + ni16 ni19 ni20 ni21 ni23 intests: in1 in2 in3 in4 in5 in6 logtests: l1 -pools: p1 p2 p3 ip1 +pools: p1 p2 p3 p5 ip1 ip2 -ipv6: ipv6.1 ipv6.2 ipv6.3 +ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6 bpf: bpf1 bpf-f1 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19: @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format` -f15 f16 f17 f18 f20: +f15 f16 f17 f18 f20 f24: @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format` i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1: @/bin/sh ./itest `awk "/^$@ / { print; } " test.format` -n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14: +n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16: @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format` -ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20: +ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20: @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format` -ni6 ni21: +ni1 ni6 ni21 ni23: @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format` in1 in2 in3 in4 in5 in6: 
@@ -66,30 +69,31 @@ in1 in2 in3 in4 in5 in6: l1: @/bin/sh ./logtest `awk "/^$@ / { print; } " test.format` -ipv6.1 ipv6.2 ipv6.3: +ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6: @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format` -p1 p2 p3: +p1 p2 p3 p5: @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format` -ip1: +ip1 ip2: @/bin/sh ./iptest `awk "/^$@ / { print; } " test.format` bpf-f1: /bin/sh ./bpftest `awk "/^$@ / { print; } " test.format` clean: - /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 + /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24 /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 - /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 + /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16 /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 - /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 + /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 ni23 /bin/rm -f in1 in2 in3 in4 in5 in6 - /bin/rm -f p1 p2 p3 ip1 + /bin/rm -f p1 p2 p3 p5 ip1 ip2 /bin/rm -f l1 - /bin/rm -f ipv6.1 ipv6.2 ipv6.3 + /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6 /bin/rm -f bpf1 bpf-f1 /bin/rm -f results/* logout + (cd expected; make clean) diffs: -cd expected; for i in *; do if [ -f $$i -a ! -f ../$$i -a -f ../results/$$i ] ; then diff -c $$i ../results/$$i >> ../diff.out; fi done diff --git a/contrib/ipfilter/test/dotest b/contrib/ipfilter/test/dotest index 72853d4eb0b3..29891091da59 100644 --- a/contrib/ipfilter/test/dotest +++ b/contrib/ipfilter/test/dotest @@ -15,7 +15,13 @@ else fi fi if [ "$tuning" != "" ] ; then - tuning="-T $tuning" + case $tuning in + -*) + ;; + *) + tuning="-T $tuning" + ;; + esac fi echo "${thistest}..."; /bin/cp /dev/null results/${thistest} diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11 index b977e41604ee..c1eb060a7126 100644 --- a/contrib/ipfilter/test/expected/f11 
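Review bot: The new `-*)` arm forwards any `$tuning` value that starts with `-` verbatim, so the intent (a value that already carries its own option letter is passed through; anything else gets `-T` prepended) is only implied by the code and a mistyped value such as a bare `-` goes through unchanged. A comment on the `case` line, `# a leading "-" means $tuning already carries its option flag; pass it through untouched`, would make the contract visible to whoever adds the next option. The surrounding `if` and the rest of the dotest script lie outside the hunk.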
+++ b/contrib/ipfilter/test/expected/f11 @@ -14,6 +14,16 @@ nomatch nomatch nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- block nomatch @@ -31,6 +41,16 @@ nomatch nomatch nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- nomatch nomatch @@ -48,6 +68,16 @@ pass nomatch nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- nomatch nomatch @@ -65,6 +95,16 @@ block nomatch nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- nomatch nomatch 
@@ -82,6 +122,36 @@ pass pass nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +2.2.2.2 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0 + tag 0 ttl 240 2 -> 53 + forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0 + backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0 + pass in keep state IPv4 + pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0 + pkt_security & ffff = 0, pkt_auth & ffff = 0 + is_flx 0x8001 0 0 0 + interfaces: in X[e1],X[] out X[],X[] + Sync status: not synchronized +1.1.1.1 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0 + tag 0 ttl 24 1 -> 53 + forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0 + backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0 + pass in keep state IPv4 + pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0 + pkt_security & ffff = 0, pkt_auth & ffff = 0 + is_flx 0x8001 0x8001 0 0 + interfaces: in X[e1],X[e0] out X[],X[] + Sync status: not synchronized +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- nomatch nomatch 
@@ -99,6 +169,36 @@ block block nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +2.2.2.2 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0 + tag 0 ttl 240 2 -> 53 + forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0 + backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0 + block in keep state IPv4 + pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0 + pkt_security & ffff = 0, pkt_auth & ffff = 0 + is_flx 0x8001 0 0 0 + interfaces: in X[e1],X[] out X[],X[] + Sync status: not synchronized +1.1.1.1 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0 + tag 0 ttl 24 1 -> 53 + forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0 + backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0 + block in keep state IPv4 + pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0 + pkt_security & ffff = 0, pkt_auth & ffff = 0 + is_flx 0x8001 0x8001 0 0 + interfaces: in X[e1],X[e0] out X[],X[] + Sync status: not synchronized +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- nomatch nomatch 
@@ -116,4 +216,28 @@ nomatch nomatch nomatch nomatch +List of active MAP/Redirect filters: + +List of active sessions: + +Hostmap table: +List of active state sessions: +1.1.1.1 -> 2.1.2.2 pass 0x40008402 pr 6 state 3/4 + tag 0 ttl 864000 + 1 -> 25 2:66 4096<<0:16384<<0 + cmsk 0000 smsk 0000 s0 00000000/00000000 + FWD:ISN inc 0 sumd 0 + REV:ISN inc 0 sumd 0 + forward: pkts in 1 bytes in 40 pkts out 0 bytes out 0 + backward: pkts in 1 bytes in 40 pkts out 0 bytes out 0 + pass in keep state IPv4 + pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0 + pkt_security & ffff = 0, pkt_auth & ffff = 0 + is_flx 0x8001 0x8001 0 0 + interfaces: in X[e0],X[e1] out X[],X[] + Sync status: not synchronized +List of configured pools +List of configured hash tables +List of groups configured (set 0) +List of groups configured (set 1) -------- diff --git a/contrib/ipfilter/test/expected/f12 b/contrib/ipfilter/test/expected/f12 index 88354d95030d..094d8c01d486 100644 --- a/contrib/ipfilter/test/expected/f12 +++ b/contrib/ipfilter/test/expected/f12 @@ -1,60 +1,60 @@ pass pass pass +bad-packet nomatch nomatch -nomatch -nomatch +bad-packet nomatch nomatch -------- pass pass pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch --------- -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -nomatch --------- -nomatch -nomatch -block -block -block +bad-packet nomatch nomatch +bad-packet nomatch nomatch -------- nomatch nomatch nomatch +bad-packet +block +nomatch +bad-packet +nomatch +nomatch +-------- +nomatch +nomatch +block +bad-packet +block +nomatch +bad-packet +nomatch +nomatch +-------- nomatch nomatch nomatch -pass +bad-packet +nomatch +nomatch +bad-packet nomatch pass -------- nomatch nomatch nomatch +bad-packet nomatch nomatch -nomatch -nomatch +bad-packet nomatch block -------- diff --git a/contrib/ipfilter/test/expected/f13 b/contrib/ipfilter/test/expected/f13 index 2a0195b078ad..99c05651cea6 100644 --- a/contrib/ipfilter/test/expected/f13 
+++ b/contrib/ipfilter/test/expected/f13 @@ -1,13 +1,13 @@ pass -nomatch +bad-packet nomatch pass +bad-packet nomatch nomatch +bad-packet nomatch -nomatch -nomatch -nomatch +bad-packet nomatch nomatch nomatch @@ -19,15 +19,15 @@ nomatch nomatch -------- block -nomatch +bad-packet nomatch block +bad-packet nomatch nomatch +bad-packet nomatch -nomatch -nomatch -nomatch +bad-packet nomatch nomatch nomatch @@ -39,15 +39,15 @@ nomatch nomatch -------- nomatch +bad-packet nomatch nomatch +bad-packet nomatch nomatch -nomatch -nomatch +bad-packet pass -pass -nomatch +bad-packet nomatch nomatch pass @@ -59,15 +59,15 @@ nomatch nomatch -------- nomatch +bad-packet nomatch nomatch +bad-packet nomatch nomatch -nomatch -nomatch +bad-packet block -block -nomatch +bad-packet nomatch nomatch block @@ -79,15 +79,15 @@ nomatch nomatch -------- block -nomatch +bad-packet nomatch pass +bad-packet nomatch nomatch +bad-packet nomatch -nomatch -nomatch -nomatch +bad-packet nomatch nomatch nomatch @@ -99,15 +99,15 @@ pass pass -------- block -nomatch +bad-packet nomatch block +bad-packet nomatch nomatch +bad-packet nomatch -nomatch -nomatch -nomatch +bad-packet nomatch nomatch nomatch @@ -119,15 +119,15 @@ block block -------- nomatch +bad-packet nomatch nomatch +bad-packet nomatch nomatch -nomatch -nomatch +bad-packet pass -pass -nomatch +bad-packet nomatch nomatch nomatch @@ -139,15 +139,15 @@ nomatch nomatch -------- block -block +bad-packet nomatch pass -block -nomatch -nomatch +bad-packet nomatch nomatch +bad-packet nomatch +bad-packet nomatch nomatch nomatch diff --git a/contrib/ipfilter/test/expected/i11 b/contrib/ipfilter/test/expected/i11 index d4a6ec41abb0..154f31e810bb 100644 --- a/contrib/ipfilter/test/expected/i11 +++ b/contrib/ipfilter/test/expected/i11 
@@ -1,11 +1,11 @@ -pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state -block in log first on lo0(!) proto tcp/udp from any to any port = 7 keep state +pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state # count 0 +block in log first on lo0(!) proto tcp/udp from any to any port = 7 keep state # count 0 pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 20499 keep frags pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags (strict) -pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags -pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state -pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state -pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state -pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state -pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600) -pass in proto udp from any to any keep state (sync,age 10/20) +pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags # count 0 +pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state # count 0 +pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state # count 0 +pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state # count 0 +pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state # count 0 +pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600) # count 0 +pass in proto udp from any to any keep state (sync,age 10/20) # count 0 diff --git a/contrib/ipfilter/test/expected/i12 b/contrib/ipfilter/test/expected/i12 index e21724c7a259..dadf597fc3df 100644 --- a/contrib/ipfilter/test/expected/i12 +++ b/contrib/ipfilter/test/expected/i12 
@@ -32,8 +32,8 @@ pass in proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 9 pass in from 10.10.10.10/32 to 11.11.11.11/32 pass in from pool/101(!) to hash/202(!) pass in from hash/303(!) to pool/404(!) -table role = ipf type = tree number = +table role = ipf type = tree name = { ! 1.1.1.1/32; 2.2.2.2/32; ! 2.2.0.0/16; }; -table role = ipf type = tree number = +table role = ipf type = tree name = { 1.1.0.0/16; }; pass in from pool/0(!) to pool/0(!) diff --git a/contrib/ipfilter/test/expected/i4 b/contrib/ipfilter/test/expected/i4 index 639dae88aca5..49924555a27e 100644 --- a/contrib/ipfilter/test/expected/i4 +++ b/contrib/ipfilter/test/expected/i4 @@ -6,4 +6,4 @@ block in proto udp from any port != 123 to any port < 7 block in proto tcp from any port = 25 to any port > 25 pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3 pass in proto tcp/udp from any port 2:2 to any port 10:20 -pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state +pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state # count 0 diff --git a/contrib/ipfilter/test/expected/i9 b/contrib/ipfilter/test/expected/i9 index 2d464543f177..b128f99d57ac 100644 --- a/contrib/ipfilter/test/expected/i9 +++ b/contrib/ipfilter/test/expected/i9 @@ -4,7 +4,7 @@ pass in from any to any with opt nop,rr,zsu pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag pass in from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body -pass in proto tcp from any to any flags S/FSRPAU with not oow keep state +pass in proto tcp from any to any flags S/FSRPAU with not oow keep state # count 0 block in proto tcp from any to any with oow pass in proto tcp from any to any flags S/FSRPAU with not bad,bad-src,bad-nat block in proto tcp from any to any flags S/FSRPAU with bad,not bad-src,not bad-nat 
diff --git a/contrib/ipfilter/test/expected/in1 b/contrib/ipfilter/test/expected/in1 index 8c47a929e540..03436b65a4dd 100644 --- a/contrib/ipfilter/test/expected/in1 +++ b/contrib/ipfilter/test/expected/in1 @@ -28,3 +28,4 @@ map fxp0 from 192.168.0.0/18 to any port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tc map thisisalonginte 0.0.0.0/0 -> 0.0.0.0/32 mssclamp 1452 tag freddyliveshere map bar0 0.0.0.0/0 -> 0.0.0.0/32 icmpidmap icmp 1000:2000 map ppp0,adsl0 0.0.0.0/0 -> 0.0.0.0/32 +map ppp0 from 192.168.0.0/16 to any port = 123 -> 0.0.0.0/32 age 30/1 udp diff --git a/contrib/ipfilter/test/expected/in6 b/contrib/ipfilter/test/expected/in6 index 338bd808f57f..05426e7a8dc2 100644 --- a/contrib/ipfilter/test/expected/in6 +++ b/contrib/ipfilter/test/expected/in6 @@ -5,3 +5,4 @@ map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0.0.0.0/32 tcp/udp +map foo0 from any port 10:20 to any port 30:40 -> 0.0.0.0/32 tcp/udp diff --git a/contrib/ipfilter/test/expected/ipv6.1 b/contrib/ipfilter/test/expected/ipv6.1 index abc0e87c6917..9fd54371f14b 100644 --- a/contrib/ipfilter/test/expected/ipv6.1 +++ b/contrib/ipfilter/test/expected/ipv6.1 @@ -1,3 +1,4 @@ pass pass +nomatch -------- diff --git a/contrib/ipfilter/test/expected/n10 b/contrib/ipfilter/test/expected/n10 index f30d7573bec5..ae541d158571 100644 --- a/contrib/ipfilter/test/expected/n10 +++ b/contrib/ipfilter/test/expected/n10 
@@ -1,6 +1,9 @@ 4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 655d 0000 0204 0064 + ------------------------------- 4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 61d9 0000 0204 03e8 + ------------------------------- 4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 600d 0000 0204 05b4 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/n12 b/contrib/ipfilter/test/expected/n12 index 010b77b63e15..0d5cefbf7e77 100644 --- a/contrib/ipfilter/test/expected/n12 +++ b/contrib/ipfilter/test/expected/n12 @@ -1,4 +1,7 @@ 4510 0040 2020 4000 4006 9478 c0a8 01bc c0a8 0303 2710 0017 4e33 298e 0000 0000 b002 4000 6ff8 0000 0204 05b4 0101 0402 0103 0300 0101 080a 0c72 549e 0000 0000 + 4500 003c 00b0 4000 fe06 7964 c0a8 0303 c0a8 7e53 0017 12c2 f674 e02c 4e33 298f a012 2798 7ace 0000 0101 080a 2c05 b797 0c72 549e 0103 0300 0204 05b4 + 4510 0034 493b 4000 4006 6b69 c0a8 01bc c0a8 0303 2710 0017 4e33 298f f674 e02d 8010 4000 f673 0000 0101 080a 0c72 549e 2c05 b797 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/n4 b/contrib/ipfilter/test/expected/n4 index 9349542396c1..863217c1db79 100644 --- a/contrib/ipfilter/test/expected/n4 +++ b/contrib/ipfilter/test/expected/n4 @@ -50,8 +50,8 @@ ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345 -ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53 -ip #0 40(20) 6 10.1.1.0,53 > 10.3.3.3,12345 +ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 +ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345 ------------------------------- ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345 
@@ -61,6 +61,6 @@ ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346 ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,53 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345 -ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53 -ip #0 40(20) 6 10.1.1.0,53 > 10.3.3.3,12345 +ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 +ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345 ------------------------------- diff --git a/contrib/ipfilter/test/expected/n6 b/contrib/ipfilter/test/expected/n6 index 2b2c37fe7a90..cbdad9f1388e 100644 --- a/contrib/ipfilter/test/expected/n6 +++ b/contrib/ipfilter/test/expected/n6 @@ -13,7 +13,7 @@ ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ------------------------------- ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 -ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 +ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023 @@ -27,7 +27,7 @@ ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ------------------------------- ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 -ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 +ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23 @@ -48,7 +48,7 @@ ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23 -ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023 +ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53 diff --git a/contrib/ipfilter/test/expected/n8 b/contrib/ipfilter/test/expected/n8 index 7a26a26a6513..d3e061da974a 100644 
--- a/contrib/ipfilter/test/expected/n8 +++ b/contrib/ipfilter/test/expected/n8 @@ -1,5 +1,9 @@ 4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + 4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + 4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + 4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/n9 b/contrib/ipfilter/test/expected/n9 index 39979fa55fff..917105f74ed4 100644 --- a/contrib/ipfilter/test/expected/n9 +++ b/contrib/ipfilter/test/expected/n9 
@@ -1,5 +1,9 @@ 4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + 4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + 4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + 4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni1 b/contrib/ipfilter/test/expected/ni1 index be981f1e10b0..d4e2de2db8a5 100644 --- a/contrib/ipfilter/test/expected/ni1 +++ b/contrib/ipfilter/test/expected/ni1 
@@ -1,4 +1,19 @@ 4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3 + 4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 5773 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 afc9 829e 0014 6b10 + 4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 afc9 829e 0014 6b10 0402 0000 3be5 468d 000a cfc3 + +4500 0028 0001 4000 0111 65b0 0606 0607 0404 0404 4e20 829e 0014 c4b0 0402 0000 3be5 468d 000a cfc3 + +4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 5773 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 0800 829e 0014 12da + +4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 0800 829e 0014 12da 0402 0000 3be5 468d 000a cfc3 + +4500 0028 0002 4000 0111 65ae 0606 0608 0404 0404 07d0 829e 0014 0b00 0402 0000 3be5 468d 000a cfc3 + +4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 ff6a 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 5000 829e 0014 22e2 + +4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 5000 829e 0014 cad9 0402 0000 3be5 468d 000a cfc3 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni10 b/contrib/ipfilter/test/expected/ni10 index df7b03f83fee..3ee63fb8ddd0 100644 --- a/contrib/ipfilter/test/expected/ni10 +++ b/contrib/ipfilter/test/expected/ni10 
@@ -1,5 +1,9 @@ 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 + 4500 0058 0001 0000 ff01 af98 0202 0202 0404 0404 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni11 b/contrib/ipfilter/test/expected/ni11 index d6db012a2ab0..88d6406e6ee7 100644 --- a/contrib/ipfilter/test/expected/ni11 +++ b/contrib/ipfilter/test/expected/ni11 @@ -1,5 +1,9 @@ 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 + 4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni12 b/contrib/ipfilter/test/expected/ni12 index 70f991b8397e..7d24a493fd32 100644 --- a/contrib/ipfilter/test/expected/ni12 +++ b/contrib/ipfilter/test/expected/ni12 
@@ -1,5 +1,9 @@ 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 + 4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni13 b/contrib/ipfilter/test/expected/ni13 index 3848d395956d..897bef3e9b2c 100644 --- a/contrib/ipfilter/test/expected/ni13 +++ b/contrib/ipfilter/test/expected/ni13 
@@ -1,32 +1,63 @@ 4500 0030 5e11 4000 8006 3961 c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402 + 4500 002c 0000 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4 + 4500 00c4 5e12 4000 8006 38cc c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00c4 0001 4000 4006 d6dd c0a8 7103 c0a8 7101 06bb 05e7 a564 68db abf0 4b42 5018 832c cecf 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00d0 5e13 4000 8006 38bf c0a8 7101 c0a8 7103 05e7 06bb abf0 4b42 a564 6977 5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0048 0002 4000 4006 d758 c0a8 7103 c0a8 7101 06bb 05e7 a564 6977 abf0 4bea 5018 832c 36fa 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000 + 4500 0040 5e14 4000 8006 394e c0a8 7101 c0a8 7103 05e7 06bb 
abf0 4bea a564 6997 5018 fa34 e810 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff + 4500 0039 5e15 0000 802f 792b c0a8 7101 c0a8 7103 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06 + 4500 0020 0003 0000 ff2f 5856 c0a8 7103 c0a8 7101 2081 880b 0000 4000 ffff ffff + 4500 0028 0004 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000 + 4500 0038 0005 0000 ff2f 583c c0a8 7103 c0a8 7101 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 002f 0006 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06 + 4500 003c 5e16 0000 802f 7927 c0a8 7101 c0a8 7103 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 0036 5e17 0000 802f 792c c0a8 7101 c0a8 7103 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 003a 0007 0000 ff2f 5838 c0a8 7103 c0a8 7101 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 0032 0008 0000 ff2f 583f c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01 + 4500 0040 5e18 4000 8006 394a c0a8 7101 c0a8 7103 05e7 06bb abf0 4c02 a564 6997 5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff + 4500 0038 5e19 0000 802f 7928 c0a8 7101 c0a8 7103 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + 4500 003e 0009 0000 ff2f 5832 c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + 4500 003e 5e1a 0000 802f 7921 c0a8 7101 c0a8 7103 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0044 000a 0000 ff2f 582b c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 
7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0030 5e1b 0000 802f 792e c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001 + 4500 002a 000b 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004 + 4500 002c 000c 0000 ff2f 5841 c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001 + 4500 0048 5e1c 0000 802f 7915 c0a8 7101 c0a8 7103 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0042 000d 0000 ff2f 582a c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0030 5e1d 0000 802f 792c c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01 + 4500 0030 000e 0000 ff2f 583b c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001 -4500 002a 5e1e 0000 802f 7933 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 -4500 0032 5e1f 0000 802f 792a c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc + +4500 002a 5e1e 0000 802f 7931 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 + +4500 0032 5e1f 0000 802f 7928 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc + 4500 002a 000f 0000 ff2f 5840 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni14 b/contrib/ipfilter/test/expected/ni14 index 852132396b58..5ad5a1b40409 100644 --- a/contrib/ipfilter/test/expected/ni14 +++ b/contrib/ipfilter/test/expected/ni14 
@@ -1,32 +1,63 @@ 4500 0030 5e11 4000 8006 ec0b c0a8 7101 7f00 0001 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 d44b 0000 0204 05b4 0101 0402 + 4500 002c 0000 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4 + 4500 00c4 5e12 4000 8006 eb76 c0a8 7101 7f00 0001 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 954b 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00c4 0001 4000 4006 d6dd c0a8 7103 c0a8 7101 06bb 05e7 a564 68db abf0 4b42 5018 832c cecf 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00d0 5e13 4000 8006 eb69 c0a8 7101 7f00 0001 05e7 06bb abf0 4b42 a564 6977 5018 fa54 5eb2 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0048 0002 4000 4006 d758 c0a8 7103 c0a8 7101 06bb 05e7 a564 6977 abf0 4bea 5018 832c 36fa 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000 + 4500 0040 5e14 4000 8006 ebf8 c0a8 7101 7f00 0001 05e7 06bb 
abf0 4bea a564 6997 5018 fa34 9abb 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff + 4500 0039 5e15 0000 802f 2bd6 c0a8 7101 7f00 0001 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06 + 4500 0020 0003 0000 ff2f 5856 c0a8 7103 c0a8 7101 2081 880b 0000 4000 ffff ffff + 4500 0028 0004 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000 + 4500 0038 0005 0000 ff2f 583c c0a8 7103 c0a8 7101 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 002f 0006 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06 + 4500 003c 5e16 0000 802f 2bd2 c0a8 7101 7f00 0001 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 0036 5e17 0000 802f 2bd7 c0a8 7101 7f00 0001 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 003a 0007 0000 ff2f 5838 c0a8 7103 c0a8 7101 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802 -4500 0032 0008 0000 ff2f a594 c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01 + +4500 0032 0008 0000 ff2f 583f c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01 + 4500 0040 5e18 4000 8006 ebf4 c0a8 7101 7f00 0001 05e7 06bb abf0 4c02 a564 6997 5018 fa34 9aa3 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff + 4500 0038 5e19 0000 802f 2bd3 c0a8 7101 7f00 0001 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 -4500 003e 0009 0000 ff2f a587 c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + +4500 003e 0009 0000 ff2f 5832 c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 
+ 4500 003e 5e1a 0000 802f 2bcc c0a8 7101 7f00 0001 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 -4500 0044 000a 0000 ff2f a580 c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + +4500 0044 000a 0000 ff2f 582b c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0030 5e1b 0000 802f 2bd9 c0a8 7101 7f00 0001 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001 -4500 002a 000b 0000 ff2f a599 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004 -4500 002c 000c 0000 ff2f a596 c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001 + +4500 002a 000b 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004 + +4500 002c 000c 0000 ff2f 5841 c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001 + 4500 0048 5e1c 0000 802f 2bc0 c0a8 7101 7f00 0001 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 -4500 0042 000d 0000 ff2f a57f c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + +4500 0042 000d 0000 ff2f 582a c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0030 5e1d 0000 802f 2bd7 c0a8 7101 7f00 0001 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01 -4500 0030 000e 0000 ff2f a590 c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001 + +4500 0030 000e 0000 ff2f 583b c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001 + 4500 002a 5e1e 0000 802f 2bdc c0a8 7101 7f00 0001 3081 
880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 + 4500 0032 5e1f 0000 802f 2bd3 c0a8 7101 7f00 0001 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc -4500 002a 000f 0000 ff2f a595 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004 + +4500 002a 000f 0000 ff2f 5840 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni15 b/contrib/ipfilter/test/expected/ni15 index 1c59de17d466..3820d560d1b7 100644 --- a/contrib/ipfilter/test/expected/ni15 +++ b/contrib/ipfilter/test/expected/ni15 
@@ -1,32 +1,63 @@ 4500 0030 0000 4000 8006 9772 c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402 + 4500 002c 69a6 4000 4006 6dd0 c0a8 7103 c0a8 7101 06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4 + 4500 00c4 0001 4000 8006 96dd c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00c4 69a7 4000 4006 6d37 c0a8 7103 c0a8 7101 06bb 05e7 a564 68db abf0 4b42 5018 832c cecf 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00d0 0002 4000 8006 96d0 c0a8 7101 c0a8 7103 05e7 06bb abf0 4b42 a564 6977 5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0048 69a8 4000 4006 6db2 c0a8 7103 c0a8 7101 06bb 05e7 a564 6977 abf0 4bea 5018 832c 36fa 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000 + 4500 0040 0003 4000 8006 975f c0a8 7101 c0a8 7103 05e7 06bb 
abf0 4bea a564 6997 5018 fa34 e810 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff + 4500 0039 0004 0000 802f d73c c0a8 7101 c0a8 7103 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06 + 4500 0020 69a9 0000 ff2f eeaf c0a8 7103 c0a8 7101 2081 880b 0000 4000 ffff ffff + 4500 0028 69aa 4000 4006 6dd0 c0a8 7103 c0a8 7101 06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000 + 4500 0038 69ab 0000 ff2f ee95 c0a8 7103 c0a8 7101 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 002f 69ac 0000 ff2f ee9d c0a8 7103 c0a8 7101 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06 + 4500 003c 0005 0000 802f d738 c0a8 7101 c0a8 7103 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 0036 0006 0000 802f d73d c0a8 7101 c0a8 7103 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 003a 69ad 0000 ff2f ee91 c0a8 7103 c0a8 7101 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 0032 69ae 0000 ff2f ee98 c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01 + 4500 0040 0007 4000 8006 975b c0a8 7101 c0a8 7103 05e7 06bb abf0 4c02 a564 6997 5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff + 4500 0038 0008 0000 802f d739 c0a8 7101 c0a8 7103 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + 4500 003e 69af 0000 ff2f ee8b c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + 4500 003e 0009 0000 802f d732 c0a8 7101 c0a8 7103 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0044 69b0 0000 ff2f ee84 c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 
7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0030 000a 0000 802f d73f c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001 + 4500 002a 69b1 0000 ff2f ee9d c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004 + 4500 002c 69b2 0000 ff2f ee9a c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001 + 4500 0048 000b 0000 802f d726 c0a8 7101 c0a8 7103 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0042 69b3 0000 ff2f ee83 c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0030 000c 0000 802f d73d c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01 + 4500 0030 69b4 0000 ff2f ee94 c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001 + 4500 002a 000d 0000 802f d742 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 + 4500 0032 000e 0000 802f d739 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc + 4500 002a 69b5 0000 ff2f ee99 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni16 b/contrib/ipfilter/test/expected/ni16 index c30b0d22bac4..2c34f5c7094d 100644 --- a/contrib/ipfilter/test/expected/ni16 +++ b/contrib/ipfilter/test/expected/ni16 
@@ -1,32 +1,63 @@ 4500 0030 0000 4000 8006 9772 c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402 + 4500 002c 69a6 4000 4006 9376 c0a8 7103 0a02 0202 06bb 05e7 a564 68da abf0 4aa6 6012 8000 c8ee 0000 0204 05b4 + 4500 00c4 0001 4000 8006 96dd c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00c4 69a7 4000 4006 92dd c0a8 7103 0a02 0202 06bb 05e7 a564 68db abf0 4b42 5018 832c f475 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 00d0 0002 4000 8006 96d0 c0a8 7101 c0a8 7103 05e7 06bb abf0 4b42 a564 6977 5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0048 69a8 4000 4006 9358 c0a8 7103 0a02 0202 06bb 05e7 a564 6977 abf0 4bea 5018 832c 5ca0 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000 + 4500 0040 0003 4000 8006 975f c0a8 7101 c0a8 7103 05e7 06bb 
abf0 4bea a564 6997 5018 fa34 e810 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff + 4500 0039 0004 0000 802f d73c c0a8 7101 c0a8 7103 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06 + 4500 0020 69a9 0000 ff2f 1456 c0a8 7103 0a02 0202 2081 880b 0000 4000 ffff ffff + 4500 0028 69aa 4000 4006 9376 c0a8 7103 0a02 0202 06bb 05e7 a564 6997 abf0 4c02 5010 832c db67 0000 + 4500 0038 69ab 0000 ff2f 143c c0a8 7103 0a02 0202 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 002f 69ac 0000 ff2f 1444 c0a8 7103 0a02 0202 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06 + 4500 003c 0005 0000 802f d738 c0a8 7101 c0a8 7103 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802 + 4500 0036 0006 0000 802f d73d c0a8 7101 c0a8 7103 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 003a 69ad 0000 ff2f 1438 c0a8 7103 0a02 0202 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802 + 4500 0032 69ae 0000 ff2f 143f c0a8 7103 0a02 0202 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01 + 4500 0040 0007 4000 8006 975b c0a8 7101 c0a8 7103 05e7 06bb abf0 4c02 a564 6997 5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff + 4500 0038 0008 0000 802f d739 c0a8 7101 c0a8 7103 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + 4500 003e 69af 0000 ff2f 1432 c0a8 7103 0a02 0202 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 + 4500 003e 0009 0000 802f d732 c0a8 7101 c0a8 7103 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0044 69b0 0000 ff2f 142b c0a8 7103 0a02 0202 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 
7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52 + 4500 0030 000a 0000 802f d73f c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001 + 4500 002a 69b1 0000 ff2f 1444 c0a8 7103 0a02 0202 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004 + 4500 002c 69b2 0000 ff2f 1441 c0a8 7103 0a02 0202 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001 + 4500 0048 000b 0000 802f d726 c0a8 7101 c0a8 7103 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0042 69b3 0000 ff2f 142a c0a8 7103 0a02 0202 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000 + 4500 0030 000c 0000 802f d73d c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01 + 4500 0030 69b4 0000 ff2f 143b c0a8 7103 0a02 0202 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001 -4500 002a 000d 0000 802f d744 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 -4500 0032 000e 0000 802f d73b c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc + +4500 002a 000d 0000 802f d742 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 + +4500 0032 000e 0000 802f d739 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc + 4500 002a 69b5 0000 ff2f 1440 c0a8 7103 0a02 0202 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni2 b/contrib/ipfilter/test/expected/ni2 index 6aef39f7ce86..e2a7eb89ffaf 100644 --- a/contrib/ipfilter/test/expected/ni2 +++ b/contrib/ipfilter/test/expected/ni2 
@@ -1,10 +1,19 @@ 4510 002c 0000 4000 3e06 78df 0101 0101 c0a8 0133 9c40 0077 a664 2485 0000 0000 6002 4000 2ca8 0000 0204 05b4 + 4500 002c ce83 4000 7e06 606b c0a8 0133 0a01 0201 0077 05f6 fbdf 1a21 a664 2486 6012 2238 c0a8 0000 0204 05b4 + 4510 0028 0001 4000 3e06 78e2 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a22 5010 4470 29e3 0000 + 4500 005b cf83 4000 7e06 5f3c c0a8 0133 0a01 0201 0077 05f6 fbdf 1a22 a664 2486 5018 2238 ce2a 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0a + 4510 0028 0002 4000 3e06 78e1 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5010 4470 29b0 0000 + 4510 002e 0003 4000 3e06 78da 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5018 4470 1c98 0000 0000 0000 0d0a + 4500 0048 e383 4000 7e06 4b4f c0a8 0133 0a01 0201 0077 05f6 fbdf 1a55 a664 248c 5018 2232 d80a 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f2d 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 
1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 -4500 0038 0004 4000 4001 76e4 0101 0101 c0a8 0133 0304 444f 0000 05a0 4500 05dc e483 4000 7e06 4ebb c0a8 0133 0101 0101 0077 9c40 fbdf 1a75 + +4500 0038 0004 4000 4001 76e4 0101 0101 c0a8 0133 0304 9dea 0000 05a0 4500 05dc e483 4000 7e06 4ebb c0a8 0133 0101 0101 0077 9c40 fbdf 1a75 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni3 b/contrib/ipfilter/test/expected/ni3 index 600b6249a3ec..107d5d939342 100644 --- a/contrib/ipfilter/test/expected/ni3 +++ b/contrib/ipfilter/test/expected/ni3 @@ -1,4 +1,7 @@ 4500 003c 0000 4000 ff06 67a8 0606 0606 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 + 4500 0058 809a 0000 ff01 3101 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni4 b/contrib/ipfilter/test/expected/ni4 index cd5ebac85c75..c9f7504d7ac1 100644 --- a/contrib/ipfilter/test/expected/ni4 
+++ b/contrib/ipfilter/test/expected/ni4 @@ -1,4 +1,7 @@ 4500 003c 0000 4000 ff06 67a8 0606 0606 0404 0404 9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 + 4500 0058 809a 0000 ff01 3101 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni5 b/contrib/ipfilter/test/expected/ni5 index a64d8129820b..e713cf285101 100644 --- a/contrib/ipfilter/test/expected/ni5 +++ b/contrib/ipfilter/test/expected/ni5 
@@ -1,47 +1,103 @@ 4500 002c 0000 4000 ff06 02fc 0101 0101 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 f5a2 0000 0204 05b4 + 4500 002c ffdd 4000 ef06 5374 96cb e002 c0a8 0103 0015 8032 3786 76c4 bd6b c9c9 6012 269c 8369 0000 0204 0584 + 4500 0028 0001 4000 ff06 02ff 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 76c5 5010 269c 5aa0 0000 + 4500 006f ffde 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 76c5 bd6b c9c9 5018 269c 967e 0000 3232 302d 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 7520 4e63 4654 5064 2053 6572 7665 7220 2866 7265 6520 6564 7563 6174 696f 6e61 6c20 6c69 6365 6e73 6529 2072 6561 6479 2e0d 0a + 4500 0028 0002 4000 ff06 02fe 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 770c 5010 269c 5a59 0000 + 4500 00c7 ffdf 4000 ef06 52d7 96cb e002 c0a8 0103 0015 8032 3786 770c bd6b c9c9 5018 269c 1087 0000 3232 302d 0d0a 3232 302d 4d61 696e 7461 696e 6564 2062 7920 5253 5353 2061 6e64 2052 5350 4153 2049 5420 5374 6166 6620 2870 7265 7669 6f75 736c 7920 6b6e 6f77 6e20 6173 2043 6f6f 6d62 7320 436f 6d70 7574 696e 6720 556e 6974 290d 0a32 3230 2d41 6e79 2070 726f 626c 656d 7320 636f 6e74 6163 7420 6674 706d 6173 7465 7240 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 750d 0a32 3230 2d0d 0a32 3230 200d 0a + 4500 0028 0003 4000 ff06 02fd 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5010 269c 59ba 0000 + 4500 0038 0004 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5018 269c d1c5 0000 5553 4552 2061 6e6f 6e79 6d6f 7573 0d0a + 4500 0028 ffe0 4000 ef06 5375 96cb e002 c0a8 0103 0015 8032 3786 77ab bd6b c9d9 5010 269c 9a00 0000 + 4500 006c ffe1 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 77ab bd6b c9d9 5018 269c b00f 0000 3333 3120 4775 6573 7420 6c6f 6769 6e20 6f6b 2c20 7365 6e64 2079 6f75 7220 636f 6d70 6c65 7465 2065 2d6d 6169 6c20 6164 6472 6573 7320 6173 2070 6173 7377 6f72 642e 0d0a + 4500 0028 0005 4000 ff06 02fb 0101 0101 96cb e002 8032 0015 bd6b c9d9 3786 77ef 5010 269c 5966 0000 + 4500 0036 0006 4000 ff06 02ec 0101 0101 96cb e002 
8032 0015 bd6b c9d9 3786 77ef 5018 269c 373f 0000 5041 5353 2061 7661 6c6f 6e40 0d0a + 4500 005f ffe2 4000 ef06 533c 96cb e002 c0a8 0103 0015 8032 3786 77ef bd6b c9e7 5018 269c 895e 0000 3233 302d 596f 7520 6172 6520 7573 6572 2023 3420 6f66 2035 3020 7369 6d75 6c74 616e 656f 7573 2075 7365 7273 2061 6c6c 6f77 6564 2e0d 0a + 4500 0028 0007 4000 ff06 02f9 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7826 5010 269c 5921 0000 + 4500 0099 ffe3 4000 ef06 5301 96cb e002 c0a8 0103 0015 8032 3786 7826 bd6b c9e7 5018 269c d399 0000 3233 302d 0d0a 3233 302d 0d0a 3233 302d 4869 2e20 2057 6527 7265 2063 6c65 616e 696e 6720 7570 2e20 2041 6e79 2066 6565 6462 6163 6b20 6d6f 7374 2077 656c 636f 6d65 2e20 3130 2041 7567 2030 300d 0a32 3330 2d0d 0a32 3330 204c 6f67 6765 6420 696e 2061 6e6f 6e79 6d6f 7573 6c79 2e0d 0a + 4500 0028 0008 4000 ff06 02f8 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7897 5010 269c 58b0 0000 + 4500 0030 0009 4000 ff06 02ef 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7897 5018 269c 86ae 0000 5459 5045 2049 0d0a + 4500 0038 ffe4 4000 ef06 5361 96cb e002 c0a8 0103 0015 8032 3786 7897 bd6b c9ef 5018 269c 5fae 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a + 4500 0028 000a 4000 ff06 02f6 0101 0101 96cb e002 8032 0015 bd6b c9ef 3786 78a7 5010 269c 5898 0000 + 4500 003d 000b 4000 ff06 02e0 0101 0101 96cb e002 8032 0015 bd6b c9ef 3786 78a7 5018 269c 4b67 0000 504f 5254 2031 2c31 2c31 2c31 2c31 3238 2c35 310d 0a + 4500 0046 ffe5 4000 ef06 5352 96cb e002 c0a8 0103 0015 8032 3786 78a7 bd6b ca0c 5018 269c dbc3 0000 3230 3020 504f 5254 2063 6f6d 6d61 6e64 2073 7563 6365 7373 6675 6c2e 0d0a + 4500 0030 000c 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b ca04 3786 78c5 5018 269c 866b 0000 5459 5045 2041 0d0a + 4500 0038 ffe6 4000 ef06 535f 96cb e002 c0a8 0103 0015 8032 3786 78c5 bd6b ca14 5018 269c 5f5b 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a + 4500 002e 000d 4000 ff06 02ed 0101 0101 96cb e002 8032 0015 bd6b ca0c 3786 78d5 5018 269c a994 0000 4e4c 5354 0d0a + 4500 
002c ffe7 4000 ef06 536a 96cb e002 c0a8 0103 0014 8033 d9f8 11d4 0000 0000 6002 2238 d190 0000 0204 0584 + 4500 002c 000e 4000 ff06 02ee 0101 0101 96cb e002 8033 0014 bd78 5c12 d9f8 11d5 6012 02f8 96de 0000 0204 0584 + 4500 0028 ffe8 4000 ef06 536d 96cb e002 c0a8 0103 0014 8033 d9f8 11d5 bd78 5c13 5010 269c cb1d 0000 + 4500 005d ffe9 4000 ef06 5337 96cb e002 c0a8 0103 0015 8032 3786 78d5 bd6b ca1a 5018 269c eed0 0000 3135 3020 4f70 656e 696e 6720 4153 4349 4920 6d6f 6465 2064 6174 6120 636f 6e6e 6563 7469 6f6e 2066 6f72 202f 6269 6e2f 6c73 2e0d 0a + 4500 0028 000f 4000 ff06 02f1 0101 0101 96cb e002 8033 0014 bd78 5c13 d9f8 11d5 5010 6348 4e1b 0000 -4500 0063 ffea 4000 ef06 5330 96cb e002 c0a8 0103 0014 8033 d9f8 11d5 bd78 5c13 5018 269c a315 0000 636f 6f6d 6273 7061 7065 7273 0d0a 6465 7074 730d 0a66 6f75 6e64 2d66 696c 6573 0d0a 696e 636f 6d69 6e67 0d0a 6e6c 632d 7465 7374 0d0a 7075 620d 0a -4500 0028 0010 4000 ff06 02f0 0101 0101 96cb e002 8033 0014 bd78 5c13 d9f8 1210 5010 6348 4de0 0000 -4500 0028 ffeb 4000 ef06 536a 96cb e002 c0a8 0103 0014 8033 d9f8 1210 bd78 5c13 5011 269c cae1 0000 -4500 0028 10da 4000 ff06 327c c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5010 6348 8e35 0000 -4500 0028 10db 4000 ff06 327b c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5011 6348 8e34 0000 -4500 0028 ffec 4000 ef06 5369 96cb e002 c0a8 0103 0014 8033 d9f8 1211 bd78 5c14 5010 269c cae0 0000 -4500 0028 0011 4000 ff06 02ef 0101 0101 96cb e002 8032 0015 bd6b ca12 3786 790a 5010 269c 5812 0000 -4500 0040 ffed 4000 ef06 5350 96cb e002 c0a8 0103 0015 8032 3786 790a bd6b ca1a 5018 269c 7c9e 0000 3232 3620 4c69 7374 696e 6720 636f 6d70 6c65 7465 642e 0d0a -4500 0030 0012 4000 ff06 02e6 0101 0101 96cb e002 8032 0015 bd6b ca12 3786 7922 5018 269c 85f8 0000 5459 5045 2049 0d0a -4500 0038 ffee 4000 ef06 5357 96cb e002 c0a8 0103 0015 8032 3786 7922 bd6b ca22 5018 269c 5ef0 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a -4500 0028 0013 4000 ff06 02ed 0101 0101 96cb e002 8032 0015 bd6b 
ca1a 3786 7932 5010 269c 57e2 0000 -4500 002e 0014 4000 ff06 02e6 0101 0101 96cb e002 8032 0015 bd6b ca1a 3786 7932 5018 269c b020 0000 5155 4954 0d0a -4500 0036 ffef 4000 ef06 5358 96cb e002 c0a8 0103 0015 8032 3786 7932 bd6b ca28 5018 269c a93c 0000 3232 3120 476f 6f64 6279 652e 0d0a -4500 0028 0015 4000 ff06 02eb 0101 0101 96cb e002 8032 0015 bd6b ca20 3786 7940 5011 269c 57cd 0000 -4500 0028 fff0 4000 ef06 5365 96cb e002 c0a8 0103 0015 8032 3786 7940 bd6b ca28 5011 269c 981b 0000 -4500 0028 10e1 4000 ff06 3275 c0a8 0103 96cb e002 8032 0015 bd6b ca25 3786 7941 5010 269c 981e 0000 -4500 0028 fff1 4000 ef06 5364 96cb e002 c0a8 0103 0015 8032 3786 7941 bd6b ca29 5010 269c 981a 0000 + +4500 003d 0010 4000 ff06 02db 0101 0101 96cb e002 8032 0015 bd6b ca12 3786 78d5 5018 269c 4a16 0000 504f 5254 2031 2c31 2c31 2c31 2c31 3238 2c35 320d 0a + +4500 0046 ffea 4000 ef06 534d 96cb e002 c0a8 0103 0015 8032 3786 78d5 bd6b ca37 5018 269c db6a 0000 3230 3020 504f 5254 2063 6f6d 6d61 6e64 2073 7563 6365 7373 6675 6c2e 0d0a + +4500 0030 0011 4000 ff06 02e7 0101 0101 96cb e002 8032 0015 bd6b ca27 3786 78f3 5018 269c 861a 0000 5459 5045 2041 0d0a + +4500 0038 ffeb 4000 ef06 535a 96cb e002 c0a8 0103 0015 8032 3786 78f3 bd6b ca3f 5018 269c 5ef2 0000 3230 3020 5479 7065 206f 6b61 793e 0d0a + +4500 002e 0012 4000 ff06 02e8 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 7903 5018 269c a943 0000 4e4c 5354 0d0a + +4500 002c ffec 4000 ef06 5365 96cb e002 c0a8 0103 0014 8034 d9f8 11d4 0000 0000 6002 2238 d18f 0000 0204 0584 + +4500 002c 0013 4000 ff06 02e9 0101 0101 96cb e002 8034 0014 bd78 5c12 d9f8 11d5 6012 02f8 96dd 0000 0204 0584 + +4500 0028 ffec 4000 ef06 5369 96cb e002 c0a8 0103 0014 8034 d9f8 11d4 0000 0000 5010 2238 e90d 0000 + +4500 0063 ffed 4000 ef06 532d 96cb e002 c0a8 0103 0014 8033 d9f8 11d5 bd78 5c13 5018 269c a315 0000 636f 6f6d 6273 7061 7065 7273 0d0a 6465 7074 730d 0a66 6f75 6e64 2d66 696c 6573 0d0a 696e 636f 6d69 6e67 0d0a 6e6c 632d 7465 7374 0d0a 7075 620d 0a + +4500 
0028 0014 4000 ff06 02ec 0101 0101 96cb e002 8033 0014 bd78 5c13 d9f8 1210 5010 6348 4de0 0000 + +4500 0028 ffee 4000 ef06 5367 96cb e002 c0a8 0103 0014 8033 d9f8 1210 bd78 5c13 5011 269c cae1 0000 + +4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5010 6348 8e35 0000 + +4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5011 6348 8e34 0000 + +4500 0028 ffef 4000 ef06 5366 96cb e002 c0a8 0103 0014 8033 d9f8 1211 bd78 5c14 5010 269c cae0 0000 + +4500 0040 fff0 4000 ef06 534d 96cb e002 c0a8 0103 0015 8032 3786 7903 bd6b ca3f 5018 269c 7c80 0000 3232 3620 4c69 7374 696e 6720 636f 6d70 6c65 7465 642e 0d0a + +4500 0028 0015 4000 ff06 02eb 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5010 269c 57e4 0000 + +4500 002e 0016 4000 ff06 02e4 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5018 269c b022 0000 5155 4954 0d0a + +4500 0036 fff2 4000 ef06 5355 96cb e002 c0a8 0103 0015 8032 3786 791b bd6b ca45 5018 269c a936 0000 3232 3120 476f 6f64 6279 652e 0d0a + +4500 0028 0017 4000 ff06 02e9 0101 0101 96cb e002 8032 0015 bd6b ca35 3786 7929 5011 269c 57cf 0000 + +4500 0028 fff3 4000 ef06 5362 96cb e002 c0a8 0103 0015 8032 3786 7929 bd6b ca45 5011 269c 9815 0000 + +4500 0028 10e3 4000 ff06 3273 c0a8 0103 96cb e002 8032 0015 bd6b ca3d 3786 792a 5010 269c 981d 0000 + +4500 0028 fff4 4000 ef06 5361 96cb e002 c0a8 0103 0015 8032 3786 792a bd6b ca46 5010 269c 9814 0000 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni6 b/contrib/ipfilter/test/expected/ni6 index a4e4acebf537..0da034a781b3 100644 --- a/contrib/ipfilter/test/expected/ni6 +++ b/contrib/ipfilter/test/expected/ni6 
@@ -1,9 +1,17 @@ 4500 0054 cd8a 4000 ff11 1fbb c0a8 0601 c0a8 0701 8075 006f 0040 d26e 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000 + 4500 0054 0000 4000 ff11 ec44 c0a8 0702 c0a8 0701 8075 006f 0040 d16d 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000 + 4500 0038 cd83 4000 ff11 1fde c0a8 0701 c0a8 0601 006f 8075 0024 d805 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801 + 4500 0038 0001 4000 ff11 ee5f c0a8 0602 c0a8 0601 006f 8075 0024 d904 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801 + 4500 0044 d5a6 4000 ff11 17af c0a8 0601 c0a8 0701 80df 0801 0030 03f1 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0044 0002 4000 ff11 ec52 c0a8 0702 c0a8 0701 80df 0801 0030 02f0 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0034 0000 4000 fe11 ee65 c0a8 0701 c0a8 0601 0801 80df 0020 8ab8 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 + 4500 0034 0003 4000 fe11 ef61 c0a8 0602 c0a8 0601 0801 80df 0020 0000 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni7 b/contrib/ipfilter/test/expected/ni7 index f0d0010d20b8..38c39ab71e23 100644 --- a/contrib/ipfilter/test/expected/ni7 +++ b/contrib/ipfilter/test/expected/ni7 @@ -1,3 +1,5 @@ 4500 0028 4706 4000 0111 1eac 0404 0404 0606 0606 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3 + 4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0b00 f91c 0000 0000 4500 0028 4706 4000 0111 26b4 0404 0404 0202 0202 afc9 829e 0014 c966 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni8 b/contrib/ipfilter/test/expected/ni8 index 4741b18cfb80..689ccaa87ead 100644 
--- a/contrib/ipfilter/test/expected/ni8 +++ b/contrib/ipfilter/test/expected/ni8 @@ -1,5 +1,9 @@ 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 + 4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 0002 0000 ff01 abb3 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/ni9 b/contrib/ipfilter/test/expected/ni9 index 9effc52d3d2f..1eb6fbcca8c2 100644 --- a/contrib/ipfilter/test/expected/ni9 +++ b/contrib/ipfilter/test/expected/ni9 @@ -1,5 +1,9 @@ 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 0000 0000 ff01 adb7 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 + 4500 0058 0001 0000 ff01 ad96 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 + 4500 0038 0002 0000 ff01 abb3 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001 + ------------------------------- diff --git a/contrib/ipfilter/test/expected/p2 b/contrib/ipfilter/test/expected/p2 index 2f330c26f8b9..67a7c3ea26f3 100644 --- a/contrib/ipfilter/test/expected/p2 +++ b/contrib/ipfilter/test/expected/p2 
@@ -16,10 +16,10 @@ List of configured pools
 List of configured hash tables
 # 'anonymous' table
 table role = ipf type = hash number = 2147483650 size = 3
- { 4.4.0.0/16; 127.0.0.1/32; };
+ { 127.0.0.1/32; 4.4.0.0/16; };
 # 'anonymous' table
 table role = ipf type = hash number = 2147483649 size = 3
- { 4.4.0.0/16; 127.0.0.1/32; };
+ { 127.0.0.1/32; 4.4.0.0/16; };
 List of groups configured (set 0)
 List of groups configured (set 1)
 -------------------------------
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
index c54bb80eb476..d558150045c2 100644
--- a/contrib/ipfilter/test/input/f11
+++ b/contrib/ipfilter/test/input/f11
@@ -1,14 +1,14 @@
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
-in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA
-in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
-in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S seq=1 ack=0
+in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA seq=1 ack=1
+in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA seq=101 ack=2
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA seq=101 ack=2
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
+in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A seq=2 ack=102
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A seq=102 ack=2
+in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A seq=102 ack=2
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA seq=2 ack=102
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
+in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A seq=2 ack=102
 in on e1 udp 1.1.1.1,1 4.4.4.4,53
 in on e1 udp 2.2.2.2,2 4.4.4.4,53
 in on e0 udp 4.4.4.4,53 1.1.1.1,1
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
index d7b07249ace4..77e537e2b638 100644
--- a/contrib/ipfilter/test/input/f13
+++ b/contrib/ipfilter/test/input/f13
@@ -1,3 +1,4 @@ +# This checksum is deliberately incorrect. # 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,FO=0 SYN [in] 4500 0028 0001 4000 3f06 36cc 0101 0101 0201 0101 @@ -16,7 +17,7 @@ # 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN [in] 4500 0028 0003 6000 3f06 16ca 0101 0101 0201 0101 -0400 0019 7000 0000 0000 0000 5002 2000 0000 0000 +0400 0019 7000 0000 0000 0000 5002 2000 16c6 0000 # 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0 [in] diff --git a/contrib/ipfilter/test/input/ipv6.1 b/contrib/ipfilter/test/input/ipv6.1 index 39208103edde..3f0fd308102f 100644 --- a/contrib/ipfilter/test/input/ipv6.1 +++ b/contrib/ipfilter/test/input/ipv6.1 @@ -18,3 +18,15 @@ ef00 1001 2002 0001 0000 0000 0000 0070 f427 0000 0344 0000 0004 f8f1 9d3c ddba 0e00 +[in,gif0] 6000 0000 0048 3a40 +ef00 1001 0880 6cbf 0000 0000 0000 0001 +ef00 1001 2002 0001 0000 0000 0000 0070 +0300 7d44 0000 0000 +6000 0000 0018 1101 +ef00 1001 2002 1001 0000 0000 0000 0070 +2001 1002 3333 0001 0000 0000 0000 0001 +8083 829a +0018 +f427 +0000 0344 0000 0004 f8f1 9d3c ddba 0e00 + diff --git a/contrib/ipfilter/test/input/l1 b/contrib/ipfilter/test/input/l1 index 56d766aa07bf..a59dbe3ce6b5 100644 --- a/contrib/ipfilter/test/input/l1 +++ b/contrib/ipfilter/test/input/l1 
@@ -1,36 +1,36 @@ # 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF SYN [] 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202 -0401 0019 0000 0000 0000 0000 5002 2000 85c3 0000 +0401 0019 0000 0001 0000 0000 5002 2000 85c2 0000 #in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A [] 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202 -0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000 +0401 0019 0000 0001 0000 0000 5010 2000 85b4 0000 #in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS [] 4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101 -0019 0401 0000 0000 0000 0000 5012 2000 85b3 0000 +0019 0401 0000 0011 0000 0002 5012 2000 85a0 0000 #in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A [out,e1] 4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101 -0019 0401 0000 0000 0000 0000 5010 2000 85b5 0000 +0019 0401 0000 0012 0000 0002 5010 2000 85a1 0000 -#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 F +#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 AF [] 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202 -0401 0019 0000 0000 0000 0000 5011 2000 85b4 0000 +0401 0019 0000 0002 0000 0012 5011 2000 85a0 0000 #in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A [] 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202 -0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000 +0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000 #in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A [] 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202 -0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000 +0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000 #in on e1 udp 1.1.1.1,1 4.4.4.4,53 [] diff --git a/contrib/ipfilter/test/input/ni1 b/contrib/ipfilter/test/input/ni1 index 8f548d5efca2..fb6b0b63e5f9 100644 --- a/contrib/ipfilter/test/input/ni1 +++ b/contrib/ipfilter/test/input/ni1 
@@ -18,3 +18,39 @@ afc9 829e 0014 6308 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3 +[out,df0] +4500 0028 4706 4000 0111 26b4 0202 0202 +0404 0404 0800 829e 0014 12da 0402 0000 +3be5 468d 000a cfc3 + +[in,df0] +4500 0038 809a 0000 ff01 2918 0303 0303 +0606 0607 0b00 5f7c 0000 0000 +4500 0028 0000 4000 0111 65b1 0606 0607 0404 0404 +4e20 829e 0014 c4b0 + +[in,df0] +4500 0044 809a 0000 ff01 290c 0303 0303 +0606 0607 0b00 093a 0000 0000 +4500 0028 0000 4000 0111 65b1 0606 0607 0404 0404 +4e20 829e 0014 c4b0 +0402 0000 3be5 468d 000a cfc3 + +[out,df0] +4500 0028 4706 4000 0111 26b4 0202 0202 +0404 0404 5000 829e 0014 cad9 0402 0000 +3be5 468d 000a cfc3 + +[in,df0] +4500 0038 809a 0000 ff01 2917 0303 0303 +0606 0608 0b00 0775 0000 0000 +4500 0028 0000 4000 0111 65b0 0606 0608 0404 0404 +07d0 829e 0014 6308 + +[in,df0] +4500 0044 809a 0000 ff01 290b 0303 0303 +0606 0608 0b00 093b 0000 0000 +4500 0028 0000 4000 0111 65b0 0606 0608 0404 0404 +07d0 829e 0014 0b00 +0402 0000 3be5 468d 000a cfc3 + diff --git a/contrib/ipfilter/test/input/ni13 b/contrib/ipfilter/test/input/ni13 index 56ddb792abd2..77569eead702 100644 --- a/contrib/ipfilter/test/input/ni13 +++ b/contrib/ipfilter/test/input/ni13 @@ -216,13 +216,13 @@ c0a8 7101 3081 880b 000c 4000 0000 0009 # 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1) [in,pcn1] -4500 002a 5e1e 0000 802f 7933 c0a8 7101 +4500 002a 5e1e 0000 802f 7931 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 0000 0000 # 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6) [in,pcn1] -4500 0032 5e1f 0000 802f 792a c0a8 7101 +4500 0032 5e1f 0000 802f 7928 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc diff --git a/contrib/ipfilter/test/input/ni14 b/contrib/ipfilter/test/input/ni14 index 00f02900952c..681132120e23 100644 --- a/contrib/ipfilter/test/input/ni14 
+++ b/contrib/ipfilter/test/input/ni14 @@ -127,7 +127,7 @@ c0a8 7101 3081 880b 0016 4000 0000 0002 # 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp [out,pcn1] -4500 0032 69ae 0000 ff2f ee98 7f00 0001 +4500 0032 69ae 0000 ff2f a143 7f00 0001 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01 @@ -148,7 +148,7 @@ c0a8 7103 3081 880b 0014 0000 0000 0003 # 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2) [out,pcn1] -4500 003e 69af 0000 ff2f ee8b 7f00 0001 +4500 003e 69af 0000 ff2f a136 7f00 0001 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130 @@ -162,7 +162,7 @@ c0a8 7103 3081 880b 001a 0000 0000 0004 # 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3) [out,pcn1] -4500 0044 69b0 0000 ff2f ee84 7f00 0001 +4500 0044 69b0 0000 ff2f a12f 7f00 0001 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 @@ -176,13 +176,13 @@ c0a8 7103 3081 880b 000c 0000 0000 0005 # 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1) [out,pcn1] -4500 002a 69b1 0000 ff2f ee9d 7f00 0001 +4500 002a 69b1 0000 ff2f a148 7f00 0001 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004 # 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC [out,pcn1] -4500 002c 69b2 0000 ff2f ee9a 7f00 0001 +4500 002c 69b2 0000 ff2f a145 7f00 0001 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001 
@@ -196,7 +196,7 @@ c0a8 7103 3081 880b 0024 0000 0000 0006 # 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0 [out,pcn1] -4500 0042 69b3 0000 ff2f ee83 7f00 0001 +4500 0042 69b3 0000 ff2f a12e 7f00 0001 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 @@ -210,7 +210,7 @@ c0a8 7103 3081 880b 000c 0000 0000 0007 # 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1 [out,pcn1] -4500 0030 69b4 0000 ff2f ee94 7f00 0001 +4500 0030 69b4 0000 ff2f a13f 7f00 0001 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001 @@ -229,7 +229,7 @@ c0a8 7103 3001 880b 0012 0000 0000 0009 # 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6) [out,pcn1] -4500 002a 69b5 0000 ff2f ee99 7f00 0001 +4500 002a 69b5 0000 ff2f a144 7f00 0001 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004 diff --git a/contrib/ipfilter/test/input/ni16 b/contrib/ipfilter/test/input/ni16 index b1cc521ac8f2..24bfcfc3835f 100644 --- a/contrib/ipfilter/test/input/ni16 +++ b/contrib/ipfilter/test/input/ni16 @@ -216,13 +216,13 @@ c0a8 7101 3081 880b 000c 4000 0000 0009 # 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1) [out,pcn1] -4500 002a 5e1e 0000 802f 9ed9 0a02 0202 +4500 002a 5e1e 0000 802f 9ed7 0a02 0202 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004 0000 0000 # 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6) [out,pcn1] -4500 0032 5e1f 0000 802f 9ed0 0a02 0202 +4500 0032 5e1f 0000 802f 9ece 0a02 0202 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc 
diff --git a/contrib/ipfilter/test/input/ni2 b/contrib/ipfilter/test/input/ni2 index b16cd027c600..30458212bb03 100644 --- a/contrib/ipfilter/test/input/ni2 +++ b/contrib/ipfilter/test/input/ni2 @@ -155,7 +155,7 @@ c0a8 0133 4500 0038 d71d 4000 4001 7d22 c0a8 6401 c0a8 0133 -0304 da99 0000 05a0 4500 05dc -e483 4000 7e06 44bb c0a8 0133 0a01 0201 -0077 05f6 fbdf 1a75 +0304 3435 0000 05a0 +4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201 +0077 05f6 fbdf 1a75 a664 diff --git a/contrib/ipfilter/test/input/ni3 b/contrib/ipfilter/test/input/ni3 index feb4b29b1ec1..66b22a6d4293 100644 --- a/contrib/ipfilter/test/input/ni3 +++ b/contrib/ipfilter/test/input/ni3 @@ -3,7 +3,7 @@ # going out) [out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 -[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 ac ac 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01 +[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 ac ab 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01 # ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits) [in,df0] 45 00 00 58 80 9a 00 00 ff 01 28 f9 03 03 03 03 06 06 06 06 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 diff --git a/contrib/ipfilter/test/input/ni4 b/contrib/ipfilter/test/input/ni4 index b2be5503f835..ad5575f95317 100644 --- a/contrib/ipfilter/test/input/ni4 +++ b/contrib/ipfilter/test/input/ni4 
@@ -3,7 +3,7 @@ # going out) [out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 -[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 60 6c 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 +[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 60 6b 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 # ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits) [in,df0] 45 00 00 58 80 9a 00 00 ff 01 28 f9 03 03 03 03 06 06 06 06 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 84 9a 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 diff --git a/contrib/ipfilter/test/input/ni5 b/contrib/ipfilter/test/input/ni5 index a8aec23b2961..c45be54266ff 100644 --- a/contrib/ipfilter/test/input/ni5 +++ b/contrib/ipfilter/test/input/ni5 @@ -1,18 +1,22 @@ +# 32818,21 SYN [out,ppp0] 4500 002c 10c9 4000 ff06 3289 c0a8 0103 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 35f9 0000 0204 05b4 +# 21,32818 SYN+ACK [in,ppp0] 4500 002c ffdd 4000 ef06 131e 96cb e002 0101 0101 0015 8032 3786 76c4 bd6b c9c9 6012 269c 4313 0000 0204 0584 +# 32818,21 ACK [out,ppp0] 4500 0028 10ca 4000 ff06 328c c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 76c5 5010 269c 9af6 0000 +# ACK+PUSH "[220-coombs.anu.edu.au NcFTPd Server (free educational license) ready.\r\n" [in,ppp0] 4500 006f ffde 4000 ef06 12da 96cb e002 0101 0101 0015 8032 3786 76c5 bd6b c9c9 
@@ -22,11 +26,16 @@ 6520 6564 7563 6174 696f 6e61 6c20 6c69 6365 6e73 6529 2072 6561 6479 2e0d 0a +# 32818,21 ACK [out,ppp0] 4500 0028 10cb 4000 ff06 328b c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 770c 5010 269c 9aaf 0000 +# 21,32818 ACK+PUSH +# "220-Maintained by RSSS and RSPAS IT Staff (previously known as Coombs Computing Unit)\r\n +# "220-Any problems contact ftpmaster@coombs.anu.edu.au\r\n" +# "220-\r\n220 \r\n" [in,ppp0] 4500 00c7 ffdf 4000 ef06 1281 96cb e002 0101 0101 0015 8032 3786 770c bd6b c9c9 @@ -42,22 +51,26 @@ 6e75 2e65 6475 2e61 750d 0a32 3230 2d0d 0a32 3230 200d 0a +# 32818,21 ACK [out,ppp0] 4500 0028 10cc 4000 ff06 328a c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5010 269c 9a10 0000 +# 32818,21 ACK+PUSH "USER anonymous\r\n" [out,ppp0] 4500 0038 10cd 4000 ff06 3279 c0a8 0103 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5018 269c 121c 0000 5553 4552 2061 6e6f 6e79 6d6f 7573 0d0a +# 21,32818 ACK [in,ppp0] 4500 0028 ffe0 4000 ef06 131f 96cb e002 0101 0101 0015 8032 3786 77ab bd6b c9d9 5010 269c 59aa 0000 +# 21,32818 ACK+PUSH "331 Guest login ok, send your complete e-mail address as password.\r\n" [in,ppp0] 4500 006c ffe1 4000 ef06 12da 96cb e002 0101 0101 0015 8032 3786 77ab bd6b c9d9 @@ -67,17 +80,21 @@ 2d6d 6169 6c20 6164 6472 6573 7320 6173 2070 6173 7377 6f72 642e 0d0a +# 32818,21 ACK [out,ppp0] 4500 0028 10ce 4000 ff06 3288 c0a8 0103 96cb e002 8032 0015 bd6b c9d9 3786 77ef 5010 269c 99bc 0000 +# 32818,21 ACK+PUSH "PASS avalon@\r\n" [out,ppp0] 4500 0036 10cf 4000 ff06 3279 c0a8 0103 96cb e002 8032 0015 bd6b c9d9 3786 77ef 5018 269c 7795 0000 5041 5353 2061 7661 6c6f 6e40 0d0a +# 21,32818 ACK+PUSH +# "230-You are user #4 of 50 simultaneous users allowed.\r\n" [in,ppp0] 4500 005f ffe2 4000 ef06 12e6 96cb e002 0101 0101 0015 8032 3786 77ef bd6b c9e7 
@@ -86,11 +103,16 @@ 3020 7369 6d75 6c74 616e 656f 7573 2075 7365 7273 2061 6c6c 6f77 6564 2e0d 0a +# 32818,21 ACK [out,ppp0] 4500 0028 10d0 4000 ff06 3286 c0a8 0103 96cb e002 8032 0015 bd6b c9e7 3786 7826 5010 269c 9977 0000 +# 21,32818 ACK+PUSH +# "230-\r\n230-\r\n" +# "230-Hi. We're cleaning up. Any feedback most welcome. 10 Aug 00\r\n" +# "230-\r\n230 Logged in anonymously.\r\n" [in,ppp0] 4500 0099 ffe3 4000 ef06 12ab 96cb e002 0101 0101 0015 8032 3786 7826 bd6b c9e7 @@ -103,27 +125,32 @@ 204c 6f67 6765 6420 696e 2061 6e6f 6e79 6d6f 7573 6c79 2e0d 0a +# 32818,21 ACK [out,ppp0] 4500 0028 10d1 4000 ff06 3285 c0a8 0103 96cb e002 8032 0015 bd6b c9e7 3786 7897 5010 269c 9906 0000 +# 32818,21 ACK "TYPE I\r\n" [out,ppp0] 4500 0030 10d2 4000 ff06 327c c0a8 0103 96cb e002 8032 0015 bd6b c9e7 3786 7897 5018 269c c704 0000 5459 5045 2049 0d0a +# 21,32818 "200 Type okay.\r\n" [in,ppp0] 4500 0038 ffe4 4000 ef06 130b 96cb e002 0101 0101 0015 8032 3786 7897 bd6b c9ef 5018 269c 1f58 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a +# 32818,21 ACK [out,ppp0] 4500 0028 10d3 4000 ff06 3283 c0a8 0103 96cb e002 8032 0015 bd6b c9ef 3786 78a7 5010 269c 98ee 0000 +# 32818,21 ACK "PORT 192,158,1,3,128,51\r\n" [out,ppp0] 4500 0041 10d4 4000 ff06 3269 c0a8 0103 96cb e002 8032 0015 bd6b c9ef 3786 78a7 @@ -131,6 +158,7 @@ 2c31 3638 2c31 2c33 2c31 3238 2c35 310d 0a +# 32818,21 ACK "200 PORT command successful.\r\n" [in,ppp0] 4500 0046 ffe5 4000 ef06 12fc 96cb e002 0101 0101 0015 8032 3786 78a7 bd6b ca08 
@@ -138,37 +166,44 @@ 2063 6f6d 6d61 6e64 2073 7563 6365 7373 6675 6c2e 0d0a +# 32818,21 "TYPE A\r\n" [out,ppp0] 4500 0030 10d5 4000 ff06 3279 c0a8 0103 96cb e002 8032 0015 bd6b ca08 3786 78c5 5018 269c c6bd 0000 5459 5045 2041 0d0a +# 21,32818 "200 Type okay.\r\n" [in,ppp0] 4500 0038 ffe6 4000 ef06 1309 96cb e002 0101 0101 0015 8032 3786 78c5 bd6b ca10 5018 269c 1f09 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a +# 32818,21 "NLST\r\n" [out,ppp0] 4500 002e 10d6 4000 ff06 327a c0a8 0103 96cb e002 8032 0015 bd6b ca10 3786 78d5 5018 269c e9e6 0000 4e4c 5354 0d0a +# 20,32819 SYN [in,ppp0] 4500 002c ffe7 4000 ef06 1314 96cb e002 0101 0101 0014 8033 d9f8 11d4 0000 0000 6002 2238 913a 0000 0204 0584 +# 32819,20 SYN+ACK [out,ppp0] 4500 002c 10d7 4000 ff06 327b c0a8 0103 96cb e002 8033 0014 bd78 5c12 d9f8 11d5 6012 02f8 d734 0000 0204 0584 +# 20,32819 ACK [in,ppp0] 4500 0028 ffe8 4000 ef06 1317 96cb e002 0101 0101 0014 8033 d9f8 11d5 bd78 5c13 5010 269c 8ac7 0000 +# 21,32819 ACK "150 Opening ASCII mode data connection for /bin/ls.\r\n" [in,ppp0] 4500 005d ffe9 4000 ef06 12e1 96cb e002 0101 0101 0015 8032 3786 78d5 bd6b ca16 
@@ -177,13 +212,68 @@ 6174 6120 636f 6e6e 6563 7469 6f6e 2066 6f72 202f 6269 6e2f 6c73 2e0d 0a +# 32819,20 ACK [out,ppp0] 4500 0028 10d8 4000 ff06 327e c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 11d5 5010 6348 8e71 0000 +# 32818,21 ACK+PUSH "PORT 192,158,1,3,128,52\r\n" +[out,ppp0] +4500 0041 10d9 4000 ff06 3264 c0a8 0103 +96cb e002 8032 0015 bd6b ca16 3786 78d5 +5018 269c 1af8 0000 504f 5254 2031 3932 +2c31 3638 2c31 2c33 2c31 3238 2c35 320d +0a + +# 21,32818 ACK+PUSH "200 PORT command successful\r\n" [in,ppp0] -4500 0063 ffea 4000 ef06 12da 96cb e002 +4500 0046 ffea 4000 ef06 12f7 96cb e002 +0101 0101 0015 8032 3786 78d5 bd6b ca2f +5018 269c 9b1c 0000 3230 3020 504f 5254 +2063 6f6d 6d61 6e64 2073 7563 6365 7373 +6675 6c2e 0d0a + +# 32818,21 ACK+PUSH "TYPE A\r\n" +[out,ppp0] +4500 0030 10da 4000 ff06 3274 c0a8 0103 +96cb e002 8032 0015 bd6b ca2f 3786 78f3 +5018 269c c668 0000 5459 5045 2041 0d0a + +# 21,32818 "200 Type okay.\r\n" +[in,ppp0] +4500 0038 ffeb 4000 ef06 1304 96cb e002 +0101 0101 0015 8032 3786 78f3 bd6b ca37 +5018 269c 1ea4 0000 3230 3020 5479 7065 +206f 6b61 793e 0d0a + +# 32818,21 ACK+PUSH "NLST\r\n" +[out,ppp0] +4500 002e 10db 4000 ff06 3275 c0a8 0103 +96cb e002 8032 0015 bd6b ca37 3786 7903 +5018 269c e991 0000 4e4c 5354 0d0a + +# 20,32820 2nd connection SYN +[in,ppp0] +4500 002c ffec 4000 ef06 130f 96cb e002 +0101 0101 0014 8034 d9f8 11d4 0000 0000 +6002 2238 9139 0000 0204 0584 + +# 32820,20 SYN+ACK +[out,ppp0] +4500 002c 10d7 4000 ff06 327b c0a8 0103 +96cb e002 8034 0014 bd78 5c12 d9f8 11d5 +6012 02f8 d733 0000 0204 0584 + +# 20,32820 ACK +[in,ppp0] +4500 0028 ffec 4000 ef06 1313 96cb e002 +0101 0101 0014 8034 d9f8 11d4 0000 0000 +5010 2238 a8b7 0000 + +# 20,32819 ACK+PUSH +[in,ppp0] +4500 0063 ffed 4000 ef06 12d7 96cb e002 0101 0101 0014 8033 d9f8 11d5 bd78 5c13 5018 269c 62bf 0000 636f 6f6d 6273 7061 7065 7273 0d0a 6465 7074 730d 0a66 6f75 
@@ -191,86 +281,83 @@ 6e67 0d0a 6e6c 632d 7465 7374 0d0a 7075 620d 0a +# 32819,20 ACK [out,ppp0] -4500 0028 10d9 4000 ff06 327d c0a8 0103 +4500 0028 10dc 4000 ff06 327a c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1210 5010 6348 8e36 0000 +# 20,32819 FIN+ACK [in,ppp0] -4500 0028 ffeb 4000 ef06 1314 96cb e002 +4500 0028 ffee 4000 ef06 1311 96cb e002 0101 0101 0014 8033 d9f8 1210 bd78 5c13 5011 269c 8a8b 0000 +# 32819,20 ACK [out,ppp0] -4500 0028 10da 4000 ff06 327c c0a8 0103 +4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5010 6348 8e35 0000 +# 32819,20 FIN+ACK [out,ppp0] -4500 0028 10db 4000 ff06 327b c0a8 0103 +4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5011 6348 8e34 0000 +# 20,32819 ACK [in,ppp0] -4500 0028 ffec 4000 ef06 1313 96cb e002 +4500 0028 ffef 4000 ef06 1310 96cb e002 0101 0101 0014 8033 d9f8 1211 bd78 5c14 5010 269c 8a8a 0000 -[out,ppp0] -4500 0028 10dc 4000 ff06 327a c0a8 0103 -96cb e002 8032 0015 bd6b ca16 3786 790a -5010 269c 9864 0000 - +# 21,32818 220 "226 Listing completed.\r\n" [in,ppp0] -4500 0040 ffed 4000 ef06 12fa 96cb e002 -0101 0101 0015 8032 3786 790a bd6b ca16 -5018 269c 3c4c 0000 3232 3620 4c69 7374 +4500 0040 fff0 4000 ef06 12f7 96cb e002 +0101 0101 0015 8032 3786 7903 bd6b ca37 +5018 269c 3c32 0000 3232 3620 4c69 7374 696e 6720 636f 6d70 6c65 7465 642e 0d0a -[out,ppp0] -4500 0030 10dd 4000 ff06 3271 c0a8 0103 -96cb e002 8032 0015 bd6b ca16 3786 7922 -5018 269c c64a 0000 5459 5045 2049 0d0a - -[in,ppp0] -4500 0038 ffee 4000 ef06 1301 96cb e002 -0101 0101 0015 8032 3786 7922 bd6b ca1e -5018 269c 1e9e 0000 3230 3020 5479 7065 -206f 6b61 792e 0d0a - -[out,ppp0] -4500 0028 10de 4000 ff06 3278 c0a8 0103 -96cb e002 8032 0015 bd6b ca1e 3786 7932 -5010 269c 9834 0000 - -[out,ppp0] -4500 002e 10df 4000 ff06 3271 c0a8 0103 -96cb e002 8032 0015 bd6b ca1e 3786 7932 -5018 269c f072 0000 5155 4954 0d0a - -[in,ppp0] -4500 0036 ffef 4000 ef06 1302 96cb e002 -0101 0101 0015 8032 3786 
7932 bd6b ca24 -5018 269c 68ea 0000 3232 3120 476f 6f64 -6279 652e 0d0a - +# 32818,21 ACK [out,ppp0] 4500 0028 10e0 4000 ff06 3276 c0a8 0103 -96cb e002 8032 0015 bd6b ca24 3786 7940 -5011 269c 981f 0000 - -[in,ppp0] -4500 0028 fff0 4000 ef06 130f 96cb e002 -0101 0101 0015 8032 3786 7940 bd6b ca24 -5011 269c 57c9 0000 +96cb e002 8032 0015 bd6b ca37 3786 791b +5010 269c 9832 0000 +# 32818,21 "QUIT\r\n" [out,ppp0] -4500 0028 10e1 4000 ff06 3275 c0a8 0103 -96cb e002 8032 0015 bd6b ca25 3786 7941 -5010 269c 981e 0000 +4500 002e 10e1 4000 ff06 326f c0a8 0103 +96cb e002 8032 0015 bd6b ca37 3786 791b +5018 269c f070 0000 5155 4954 0d0a +# 21,32818 "221 Goodbye." [in,ppp0] -4500 0028 fff1 4000 ef06 130e 96cb e002 -0101 0101 0015 8032 3786 7941 bd6b ca25 -5010 269c 57c8 0000 +4500 0036 fff2 4000 ef06 12ff 96cb e002 +0101 0101 0015 8032 3786 791b bd6b ca3d +5018 269c 68e8 0000 3232 3120 476f 6f64 +6279 652e 0d0a + +# 32818,21 ACK+FIN +[out,ppp0] +4500 0028 10e2 4000 ff06 3274 c0a8 0103 +96cb e002 8032 0015 bd6b ca3d 3786 7929 +5011 269c 981d 0000 + +# 21,32818 ACK+FIN +[in,ppp0] +4500 0028 fff3 4000 ef06 130c 96cb e002 +0101 0101 0015 8032 3786 7929 bd6b ca3d +5011 269c 57c7 0000 + +# 32818,21 ACK +[out,ppp0] +4500 0028 10e3 4000 ff06 3273 c0a8 0103 +96cb e002 8032 0015 bd6b ca3d 3786 792a +5010 269c 981d 0000 + +# 21,32818 ACK +[in,ppp0] +4500 0028 fff4 4000 ef06 130b 96cb e002 +0101 0101 0015 8032 3786 792a bd6b ca3e +5010 269c 57c6 0000 diff --git a/contrib/ipfilter/test/natipftest b/contrib/ipfilter/test/natipftest index abdc7603b002..5776b4202c95 100755 --- a/contrib/ipfilter/test/natipftest +++ b/contrib/ipfilter/test/natipftest 
@@ -1,14 +1,26 @@
 #!/bin/sh
 mode=$1
+name=$2
+input=$3
+output=$4
 shift
-if [ $3 = hex ] ; then
- format="-xF $2"
+if [ $output = hex ] ; then
+ format="-xF $input"
 else
- format="-F $2"
-fi
-if [ "$4" != "" ] ; then
- format="-T $4 $format"
+ format="-F $input"
 fi
+shift
+shift
+shift
+while [ $# -ge 1 ] ; do
+ l=`echo $1 | cut -c1`
+ if [ "$l" = "-" ] ; then
+ format="$format $1"
+ else
+ format="-T $1 $format"
+ fi
+ shift
+done
 mkdir -p results
 if [ -f /usr/ucb/touch ] ; then
 TOUCH=/usr/ucb/touch
@@ -24,35 +36,35 @@ fi
 
 case $mode in
 single)
- echo "$1...";
- /bin/cp /dev/null results/$1
+ echo "$name...";
+ /bin/cp /dev/null results/$name
 ( while read rule; do
- echo "$rule" | ../ipftest -R $format -b -r regress/$1.ipf -N - -i input/$1 >> \
- results/$1;
+ echo "$rule" | ../ipftest -R $format -b -r regress/$name.ipf -N - -i input/$name >> \
+ results/$name;
 if [ $? -ne 0 ] ; then
 exit 1;
 fi
- echo "-------------------------------" >> results/$1
- done ) < regress/$1.nat
- cmp expected/$1 results/$1
+ echo "-------------------------------" >> results/$name
+ done ) < regress/$name.nat
+ cmp expected/$name results/$name
 status=$?
 if [ $status = 0 ] ; then
- $TOUCH $1
+ $TOUCH $name
 fi
 ;;
 multi)
- echo "$1...";
- /bin/cp /dev/null results/$1
- ../ipftest -R $format -b -r regress/$1.ipf -N regress/$1.nat \
- -i input/$1 >> results/$1;
+ echo "$name...";
+ /bin/cp /dev/null results/$name
+ ../ipftest -R $format -b -r regress/$name.ipf -N regress/$name.nat \
+ -i input/$name >> results/$name;
 if [ $? -ne 0 ] ; then
 exit 2;
 fi
- echo "-------------------------------" >> results/$1
- cmp expected/$1 results/$1
+ echo "-------------------------------" >> results/$name
+ cmp expected/$name results/$name
 status=$?
 if [ $status = 0 ] ; then
- $TOUCH $1
+ $TOUCH $name
 fi
 ;;
 esac
diff --git a/contrib/ipfilter/test/nattest b/contrib/ipfilter/test/nattest
index 78b757ec4341..fece276a6a76 100755
--- a/contrib/ipfilter/test/nattest
+++ b/contrib/ipfilter/test/nattest
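Review bot: `if [ $output = hex ] ; then` leaves `$output` unquoted, so when the script is invoked with fewer than four arguments `test` aborts with a syntax error instead of taking the else branch; `if [ "$output" = hex ] ; then` avoids that, and `$name` and `$input` deserve the same quoting where they are expanded. The loop that follows forks `echo | cut` once per remaining argument just to look at its first character, while the nattest hunk in this same commit uses `case $4 in -*)` for the same test; `case $1 in -*) format="$format $1" ;; *) format="-T $1 $format" ;; esac` keeps the two scripts consistent and needs no subshell.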
@@ -5,7 +5,14 @@ else
 format="-F $2"
 fi
 if [ "$4" != "" ] ; then
- format="-T $4 $format"
+ case $4 in
+ -*)
+ format="$4 $format"
+ ;;
+ *)
+ format="-T $4 $format"
+ ;;
+ esac
 fi
 if [ -f /usr/ucb/touch ] ; then
 TOUCH=/usr/ucb/touch
diff --git a/contrib/ipfilter/test/regress/i3 b/contrib/ipfilter/test/regress/i3
index 0d82e8a0b834..390fc3c60e42 100644
--- a/contrib/ipfilter/test/regress/i3
+++ b/contrib/ipfilter/test/regress/i3
@@ -1,7 +1,9 @@
 log in all
 pass in from 128.16/16 to 129.10.10/24
-pass in from 128.0.0.1/24 to 128\
-.0.0.1/16
+pass in from 128.0.0.1/24 to 1\
+28\
+.\
+0.0.1/16
 pass in from 128.0.0.1/0xffffff00 to 128.0.0.1/0xffff0000
 pass in from 128.0.0.1/255.255.255.0 to 128.0.0.1/255.255.0.0
 pass in from 128.0.0.1 mask 0xffffff00 to 128.0.0.1 mask 0xffff0000
diff --git a/contrib/ipfilter/test/regress/in1 b/contrib/ipfilter/test/regress/in1
index 163d834fb1c1..d5d0cf4c3d19 100644
--- a/contrib/ipfilter/test/regress/in1
+++ b/contrib/ipfilter/test/regress/in1
@@ -28,3 +28,4 @@ map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tc
 map thisisalonginte 0/0 -> 0/32 mssclamp 1452 tag freddyliveshere
 map bar0 0/0 -> 0/32 icmpidmap icmp 1000:2000
 map ppp0,adsl0 0/0 -> 0/32
+map ppp0 from 192.168.0.0/16 to any port = 123 -> 0/32 age 30/1 udp
diff --git a/contrib/ipfilter/test/regress/in6 b/contrib/ipfilter/test/regress/in6
index 932df9b23676..70e71ddeb16b 100644
--- a/contrib/ipfilter/test/regress/in6
+++ b/contrib/ipfilter/test/regress/in6
@@ -5,3 +5,4 @@ map foo0 from any port lt 1 to any port gt 0 -> 0/32 tcp
 map foo0 from any port <= 1 to any port >= 0 -> 0/32 tcp/udp
 map foo0 from any port le 1 to any port ge 0 -> 0/32 tcp/udp
 map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0/32 tcp/udp
+map foo0 from any port 10:20 to any port 30:40 -> 0/32 tcp/udp
diff --git a/contrib/ipfilter/test/regress/ni1.nat b/contrib/ipfilter/test/regress/ni1.nat
index 4306f4b45d3d..f38e435bcf7a 100644
--- a/contrib/ipfilter/test/regress/ni1.nat
+++ b/contrib/ipfilter/test/regress/ni1.nat
@@ -1 +1,3 @@
-map df0 2.2.2.2/32 -> 6.6.6.6/32
+map df0 from 2.2.2.2/32 port 20000 >< 25000 to any -> 6.6.6.8/32 portmap udp 2000:2500
+map df0 from 2.2.2.2/32 port 2000 >< 2500 to any -> 6.6.6.7/32 portmap udp 20000:25000
+map df0 from 2.2.2.2/32 to any -> 6.6.6.6/32
diff --git a/contrib/ipfilter/test/test.format b/contrib/ipfilter/test/test.format
index 4bb18515e39c..dfc3f35b619a 100644
--- a/contrib/ipfilter/test/test.format
+++ b/contrib/ipfilter/test/test.format
@@ -11,7 +11,7 @@ f7 text text
 f8 text text
 f9 text text
 f10 text text
-f11 text text
+f11 text text -D
 f12 hex hex
 f13 hex hex
 f14 text text
@@ -49,9 +49,11 @@ in4 text text
 in5 text text
 in6 text text
 ip1 text text
+ip2 text text
 ipv6.1 hex hex
 ipv6.2 hex hex
 ipv6.3 hex hex
+ipv6.5 hex hex
 l1 hex hex
 n1 text text
 n2 text text
@@ -86,6 +88,12 @@ ni16 hex hex fr_update_ipid=1
 ni19 hex hex fr_update_ipid=0
 ni20 hex hex fr_update_ipid=0
 ni21 text text
+ni23 text text -D
 p1 text text
 p2 text text
 p3 text text
+p4 text text
+p5 text text
+n16 hex hex -D
+f24 hex text
+ipv6.6 hex text
diff --git a/contrib/ipfilter/test/vfycksum.pl b/contrib/ipfilter/test/vfycksum.pl
index d23c88430f5a..b3a20be0cf24 100755
--- a/contrib/ipfilter/test/vfycksum.pl
+++ b/contrib/ipfilter/test/vfycksum.pl
@@ -21,9 +21,7 @@ sub dosum {
 for ($idx = $start, $lsum = $seed; $idx < $max; $idx++) {
 $lsum += $bytes[$idx];
 }
- while ($lsum > 65535) {
- $lsum = ($lsum & 0xffff) + ($lsum >> 16);
- }
+ $lsum = ($lsum & 0xffff) + ($lsum >> 16);
 $lsum = ~$lsum & 0xffff;
 return $lsum;
 }
@@ -40,9 +38,9 @@ sub ipv4check {
 
 if ($hs != 0) {
 $bytes[$base + 5] = 0;
- $hs2 = &dosum($base, 0, $base + $hl);
+ $hs2 = &dosum(0, $base, $base + $hl);
 $bytes[$base + 5] = $osum;
- printf " IP: (%x) %x != %x", $hs, $osum, $hs2;
+ printf " IP: ($hl,%x) %x != %x", $hs, $osum, $hs2;
 } else {
 print " IP($base): ok ";
 }
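Review bot: Folding the carry only once in dosum is not enough: a sum such as 0x1ffff becomes 0x10000 after one fold, and `~$lsum & 0xffff` then yields 0xffff where the one's-complement checksum is 0xfffe, so the removed `while ($lsum > 65535)` loop was the correct form and this hunk regresses it for any packet whose folded sum carries a second time. Either restore the loop or fold twice, `$lsum = ($lsum & 0xffff) + ($lsum >> 16);` on two consecutive lines, since after the first fold the value is at most 0xffff plus a small carry and a second fold always fits in 16 bits. Because icmpcheck is switched to this helper later in the same file, the ICMP verification inherits the same weakness.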
@@ -104,6 +102,10 @@ sub tcpcheck { $x = ($cnt - $base) * 2; $y = $hl + $thl; $z = 3; + } elsif ($len < $thl) { + $x = ($cnt - $base) * 2; + $y = $len; + $z = 4; } if ($z) { @@ -199,19 +201,9 @@ sub icmpcheck { } local($osum) = $bytes[$base + $hl + 1]; - $bytes[$hl + 1] = 0; - for ($i = $base + $hl, $hs2 = 0; $i < $cnt; $i++) { - $hs2 += $bytes[$i]; - } - $hs = $hs2 + $osum; - while ($hs2 > 65535) { - $hs2 = ($hs2 & 0xffff) + ($hs2 >> 16); - } - while ($hs > 65535) { - $hs = ($hs & 0xffff) + ($hs >> 16); - } - $hs2 = ~$hs2 & 0xffff; - $hs = ~$hs & 0xffff; + $bytes[$base + $hl + 1] = 0; + $hs2 = &dosum(0, $base + $hl, $cnt); + $bytes[$base + $hl + 1] = $osum; if ($osum != $hs2) { printf " ICMP: (%x) %x != %x", $hs, $osum, $hs2; @@ -266,6 +258,10 @@ while ($#ARGV >= 0) { $b=$_; s/(.*?) ([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F]) (.*)/$1 $2$3 $4/g; } + if (/.* [0-9a-fA-F][0-9a-fA-F] [0-9a-fA-F][0-9a-fA-F]/) { +$b=$_; + s/(.*?) ([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F])/$1 $2$3/g; + } while (/^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F].*/) { $x = $_; $x =~ s/([0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]).*/$1/; diff --git a/contrib/ipfilter/tools/Makefile b/contrib/ipfilter/tools/Makefile index 49a869c78a45..43ec1a897b83 100644 --- a/contrib/ipfilter/tools/Makefile +++ b/contrib/ipfilter/tools/Makefile @@ -1,4 +1,8 @@ - +# +# Copyright (C) 1993-2001 by Darren Reed. +# +# See the IPFILTER.LICENCE file for details on licencing. +# DEST=. all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \ diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c index b923f580f67f..fe9fec2581ec 100644 --- a/contrib/ipfilter/tools/ipf.c +++ b/contrib/ipfilter/tools/ipf.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ 
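Review bot: In icmpcheck the new code removes every assignment to `$hs` but keeps `printf " ICMP: (%x) %x != %x", $hs, $osum, $hs2;`, so the first value printed on a mismatch is now whatever `$hs` held from an earlier check (or undef). Either drop it, `printf " ICMP: %x != %x", $osum, $hs2;`, or recompute it with the helper before the checksum byte is restored, `$hs = &dosum($osum, $base + $hl, $cnt);`, which matches what the deleted loop produced. icmpcheck begins and continues outside this hunk; the same dead-variable check applies to the other callers that were converted to dosum in the previous hunks, which I have not re-read for this.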
@@ -21,7 +21,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.8 2007/05/10 06:12:01 darrenr Exp $"; #endif #if !defined(__SVR4) && defined(__GNUC__) @@ -344,11 +344,13 @@ char *arg; if (!arg || !*arg) return; - if (!strcmp(arg, "s") || !strcmp(arg, "S")) { + if (!strcmp(arg, "s") || !strcmp(arg, "S") || ISDIGIT(*arg)) { if (*arg == 'S') fl = 0; - else + else if (*arg == 's') fl = 1; + else + fl = atoi(arg); rem = fl; closedevice(); @@ -370,7 +372,7 @@ char *arg; } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { printf("remove flags %s (%d)\n", arg, rem); - printf("removed %d filter rules\n", fl); + printf("removed %d entries\n", fl); } closedevice(); return; diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y index 5a24592b3173..2ce4291f2ec8 100644 --- a/contrib/ipfilter/tools/ipf_y.y +++ b/contrib/ipfilter/tools/ipf_y.y @@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2001-2006 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ %{ #include "ipf.h" #include @@ -171,7 +176,7 @@ file: line | file assign ; -line: xx rule { while ((fr = frtop) != NULL) { +line: rule { while ((fr = frtop) != NULL) { frtop = fr->fr_next; fr->fr_next = NULL; (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr); @@ -190,6 +195,7 @@ assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); resetlexer(); free($1); free($3); + yyvarnext = 0; } ; @@ -213,8 +219,8 @@ outrule: ; rulehead: - collection action - | insert collection action + xx collection action + | xx insert collection action ; markin: IPFY_IN { fr->fr_flags |= FR_INQUE; } 
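Review bot: The new `fl = atoi(arg);` branch is reached for any argument whose first character is a digit, so `ISDIGIT(*arg)` admits inputs such as `5x` or an overflowing number, and atoi reports neither the trailing junk nor the overflow; the value is then passed straight to the kernel as a removal count. Parse with strtol and reject anything that is not a complete, non-negative, in-range number. The enclosing function (only its `char *arg;` parameter line is visible) starts outside the hunk, so the `return;` below mirrors the existing `if (!arg || !*arg) return;` exit.
```c
	else {
		char *end;
		long v;

		v = strtol(arg, &end, 10);
		if (end == arg || *end != '\0' || v < 0 || v > INT_MAX) {
			fprintf(stderr, "invalid count '%s'\n", arg);
			return;
		}
		fl = (int)v;
	}
	/* … unchanged: rem = fl; closedevice(); … */
```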
@@ -766,8 +772,20 @@ fromport: srcportlist: portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) } + | portnum ':' portnum + { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \ + fr->fr_stop = $3;) } + | portnum YY_RANGE_IN portnum + { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \ + fr->fr_stop = $3;) } | srcportlist lmore portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) } + | srcportlist lmore portnum ':' portnum + { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \ + fr->fr_stop = $5;) } + | srcportlist lmore portnum YY_RANGE_IN portnum + { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \ + fr->fr_stop = $5;) } ; dstobject: 
@@ -832,25 +850,49 @@ toport: dstportlist: portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) } + | portnum ':' portnum + { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \ + fr->fr_dtop = $3;) } + | portnum YY_RANGE_IN portnum + { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \ + fr->fr_dtop = $3;) } | dstportlist lmore portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) } + | dstportlist lmore portnum ':' portnum + { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \ + fr->fr_dtop = $5;) } + | dstportlist lmore portnum YY_RANGE_IN portnum + { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \ + fr->fr_dtop = $5;) } ; addr: pool '/' YY_NUMBER { pooled = 1; - yyexpectaddr = 0; $$.a.iplookuptype = IPLT_POOL; + $$.a.iplookupsubtype = 0; $$.a.iplookupnum = $3; } - | pool '=' '(' poollist ')' { pooled = 1; - yyexpectaddr = 0; + | pool '/' YY_STR { pooled = 1; $$.a.iplookuptype = IPLT_POOL; + $$.a.iplookupsubtype = 1; + strncpy($$.a.iplookupname, $3, + sizeof($$.a.iplookupname)); + } + | pool '=' '(' poollist ')' { pooled = 1; + $$.a.iplookuptype = IPLT_POOL; + $$.a.iplookupsubtype = 0; $$.a.iplookupnum = makepool($4); } | hash '/' YY_NUMBER { hashed = 1; - yyexpectaddr = 0; $$.a.iplookuptype = IPLT_HASH; + $$.a.iplookupsubtype = 0; $$.a.iplookupnum = $3; } - | hash '=' '(' addrlist ')' { hashed = 1; - yyexpectaddr = 0; + | hash '/' YY_STR { pooled = 1; $$.a.iplookuptype = IPLT_HASH; + $$.a.iplookupsubtype = 1; + strncpy($$.a.iplookupname, $3, + sizeof($$.a.iplookupname)); + } + | hash '=' '(' addrlist ')' { hashed = 1; + $$.a.iplookuptype = IPLT_HASH; + $$.a.iplookupsubtype = 0; $$.a.iplookupnum = makehash($4); } | ipaddr { bcopy(&$1, &$$, sizeof($$)); yyexpectaddr = 0; } 
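Review bot: The new `hash '/' YY_STR` alternative sets `pooled = 1;` where its two sibling `hash` alternatives set `hashed = 1;`, which reads like a copy-paste from the `pool '/' YY_STR` rule directly above it; the action should start `| hash '/' YY_STR { hashed = 1;`. Both new alternatives also copy the name with `strncpy($$.a.iplookupname, $3, sizeof($$.a.iplookupname));`, which leaves the field without a terminator when `$3` fills it; add `$$.a.iplookupname[sizeof($$.a.iplookupname) - 1] = '\0';` after each copy, or reject over-long names with an error. If YY_STR values are heap-allocated as the `assign` rule's `free($1); free($3);` suggests, `$3` is leaked in both new alternatives as well. The addr rule continues past the end of the hunk.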
@@ -1375,8 +1417,8 @@ servicename: YY_STR { $$ = $1; } ; -interfacename: YY_STR { $$ = $1; } - | YY_STR ':' YY_NUMBER +interfacename: name { $$ = $1; } + | name ':' YY_NUMBER { $$ = $1; fprintf(stderr, "%d: Logical interface %s:%d unsupported, " "use the physical interface %s instead.\n", @@ -1385,6 +1427,7 @@ interfacename: YY_STR { $$ = $1; } ; name: YY_STR { $$ = $1; } + | '-' { $$ = strdup("-"); } ; ipv4_16: @@ -2033,6 +2076,9 @@ void *ptr; frentry_t *fr; ipfobj_t obj; + if (ptr == NULL) + return; + fr = ptr; add = 0; del = 0; @@ -2062,10 +2108,10 @@ void *ptr; fr->fr_flags |= FR_OUTQUE; if (fr->fr_hits) fr->fr_hits--; - if (fr && (opts & OPT_VERBOSE)) + if ((opts & OPT_VERBOSE) != 0) printfr(fr, ioctlfunc); - if (opts & OPT_DEBUG) { + if ((opts & OPT_DEBUG) != 0) { binprint(fr, sizeof(*fr)); if (fr->fr_data != NULL) binprint(fr->fr_data, fr->fr_dsize); diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c index da80da8032a3..1e26de5966c3 100644 --- a/contrib/ipfilter/tools/ipfcomp.c +++ b/contrib/ipfilter/tools/ipfcomp.c @@ -1,13 +1,13 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2005 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.7 2007/05/01 22:15:00 darrenr Exp $"; #endif #include "ipf.h" 
@@ -94,11 +94,22 @@ frentry_t *fr; fprintf(fp, "* to the original author and the contributors.\n"); fprintf(fp, "*/\n\n"); + fprintf(fp, "#include \n"); fprintf(fp, "#include \n"); fprintf(fp, "#include \n"); fprintf(fp, "#include \n"); - fprintf(fp, "#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n"); - fprintf(fp, "# include \n"); + fprintf(fp, "#if (__FreeBSD_version >= 40000)\n"); + fprintf(fp, "# if defined(_KERNEL)\n"); + fprintf(fp, "# include \n"); + fprintf(fp, "# else\n"); + fprintf(fp, "# include \n"); + fprintf(fp, "# endif\n"); + fprintf(fp, "#endif\n"); + fprintf(fp, "#if (__NetBSD_Version__ >= 399000000)\n"); + fprintf(fp, "#else\n"); + fprintf(fp, "# if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n"); + fprintf(fp, "# include \n"); + fprintf(fp, "# endif\n"); fprintf(fp, "#endif\n"); fprintf(fp, "#include \n"); fprintf(fp, "#include \n"); @@ -493,7 +504,8 @@ u_int incount, outcount; /* * Output the array of pointers to rules for this group. */ - if (num == -2 && dir == 0 && header[0] == 0 && incount != 0) { + if (g != NULL && num == -2 && dir == 0 && header[0] == 0 && + incount != 0) { fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {", group, incount); for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) { @@ -512,7 +524,8 @@ u_int incount, outcount; fprintf(fp, "\n};\n"); } - if (num == -2 && dir == 1 && header[1] == 0 && outcount != 0) { + if (g != NULL && num == -2 && dir == 1 && header[0] == 0 && + outcount != 0) { fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {", group, outcount); for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) { @@ -541,7 +554,7 @@ u_int incount, outcount; /* * If the function header has not been printed then print it now. */ - if (header[dir] == 0) { + if (g != NULL && header[dir] == 0) { int pdst = 0, psrc = 0; openfunc = 1; diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c index a89ea0b0ab55..eab650a7ee36 100644 
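Review bot: The second guard changes its header test from `header[1] == 0` to `header[0] == 0` while still selecting `dir == 1`, so the out-direction pointer array is now emitted according to the in-direction header flag; unless that is intended, the line should be `if (g != NULL && num == -2 && dir == 1 && header[1] == 0 &&`. The first guard keeps `header[0]` for `dir == 0` and the third uses `header[dir]`, which both point to the index following the direction. The enclosing function (its `u_int incount, outcount;` parameters show in the hunk headers) starts outside the hunk.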
--- a/contrib/ipfilter/tools/ipfs.c +++ b/contrib/ipfilter/tools/ipfs.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1999-2001, 2003 by Darren Reed. + * Copyright (C) 2001-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -133,6 +133,14 @@ char *ifs, *fname; strcpy(ips.ips_is.is_ifname[1], s); rw = 1; } + if (!strncmp(ips.ips_is.is_ifname[2], ifs, olen + 1)) { + strcpy(ips.ips_is.is_ifname[2], s); + rw = 1; + } + if (!strncmp(ips.ips_is.is_ifname[3], ifs, olen + 1)) { + strcpy(ips.ips_is.is_ifname[3], s); + rw = 1; + } if (rw == 1) { if (lseek(fd, pos, SEEK_SET) != pos) { perror("lseek"); @@ -190,6 +198,14 @@ char *ifs, *fname; strcpy(nat->nat_ifnames[1], s); rw = 1; } + if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) { + strcpy(nat->nat_ifnames[2], s); + rw = 1; + } + if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) { + strcpy(nat->nat_ifnames[3], s); + rw = 1; + } if (rw == 1) { if (lseek(fd, pos, SEEK_SET) != pos) { perror("lseek"); @@ -216,7 +232,7 @@ char *argv[]; char *dirname = NULL, *filename = NULL, *ifs = NULL; progname = argv[0]; - while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1) + while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1) switch (c) { case 'd' : diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c index 85eba20dbb1e..3c5bfdd50ac4 100644 --- a/contrib/ipfilter/tools/ipfstat.c +++ b/contrib/ipfilter/tools/ipfstat.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001, 2003 by Darren Reed. + * Copyright (C) 2002-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -53,6 +53,7 @@ #ifdef STATETOP # include # include +# include # if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \ defined(__sgi) # ifdef ERR 
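Review bot: The four new blocks copy the replacement interface name with an unbounded `strcpy(ips.ips_is.is_ifname[2], s);` / `strcpy(nat->nat_ifnames[2], s);` into fixed-size fields, matching the existing [0]/[1] cases, while only the comparison is bounded by `olen + 1`; a replacement name longer than the field overruns the record that is then written back to the save file with lseek/write. Validate the length once before the loops, e.g. `if (strlen(s) >= sizeof(ips.ips_is.is_ifname[0])) { fprintf(stderr, "interface name too long\n"); exit(1); }` and likewise against `sizeof(nat->nat_ifnames[0])`. The getopt string gains `i:` but no `case 'i'` appears in the hunk; presumably it is handled outside it. Both rewriting functions (`char *ifs, *fname;` in the hunk headers) start outside the hunks.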
@@ -70,7 +71,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $"; #endif #ifdef __hpux @@ -83,10 +84,6 @@ extern int opterr; #define PRINTF (void)printf #define FPRINTF (void)fprintf -#define F_IN 0 -#define F_OUT 1 -#define F_ACIN 2 -#define F_ACOUT 3 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", "ipacct(in)", "ipacct(out)" }; static int state_logging = -1; @@ -96,6 +93,10 @@ int use_inet6 = 0; int live_kernel = 1; int state_fd = -1; int ipf_fd = -1; +int auth_fd = -1; +int nat_fd = -1; +frgroup_t *grtop = NULL; +frgroup_t *grtail = NULL; #ifdef STATETOP #define STSTRSIZE 80 
@@ -130,19 +131,23 @@ typedef struct statetop { int main __P((int, char *[])); +static int fetchfrag __P((int, int, ipfr_t *)); static void showstats __P((friostat_t *, u_32_t)); -static void showfrstates __P((ipfrstat_t *)); +static void showfrstates __P((ipfrstat_t *, u_long)); static void showlist __P((friostat_t *)); static void showipstates __P((ips_stat_t *)); static void showauthstates __P((fr_authstat_t *)); static void showgroups __P((friostat_t *)); static void usage __P((char *)); -static void printlist __P((frentry_t *, char *)); +static void showtqtable_live __P((int)); +static void printlivelist __P((int, int, frentry_t *, char *, char *)); +static void printdeadlist __P((int, int, frentry_t *, char *, char *)); static void parse_ipportstr __P((const char *, i6addr_t *, int *)); static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **, ipfrstat_t **, fr_authstat_t **, u_32_t *)); static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **, ipfrstat_t **, fr_authstat_t **, u_32_t *)); +static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *)); #ifdef STATETOP static void topipstates __P((i6addr_t, i6addr_t, int, int, int, int, int, int)); @@ -192,7 +197,7 @@ char *argv[]; ips_stat_t *ipsstp = &ipsst; ipfrstat_t ifrst; ipfrstat_t *ifrstp = &ifrst; - char *device = IPL_NAME, *memf = NULL; + char *memf = NULL; char *options, *kern = NULL; int c, myoptind; @@ -245,8 +250,16 @@ char *argv[]; perror("open(IPSTATE_NAME)"); exit(-1); } - if ((ipf_fd = open(device, O_RDONLY)) == -1) { - fprintf(stderr, "open(%s)", device); + if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) { + perror("open(IPAUTH_NAME)"); + exit(-1); + } + if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) { + perror("open(IPAUTH_NAME)"); + exit(-1); + } + if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) { + fprintf(stderr, "open(%s)", IPL_NAME); perror(""); exit(-1); } 
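Review bot: The error message after `open(IPNAT_NAME, O_RDONLY)` is a copy of the preceding one, `perror("open(IPAUTH_NAME)");`, so a failure to open the NAT device is reported as an auth-device failure; it should be `perror("open(IPNAT_NAME)");`. All four devices are now opened unconditionally before privileges are dropped (the `setuid(getuid())` call shows as context in the next hunk), so the tool fails outright when any one device is inaccessible, including for options that only need the filter device; if that is not intended, open each device only when the corresponding option requires it. main starts outside the hunk.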
@@ -257,10 +270,12 @@ char *argv[]; (void)setuid(getuid()); } - if (live_kernel == 1) - (void) checkrev(device); - if (openkmem(kern, memf) == -1) - exit(-1); + if (live_kernel == 1) { + (void) checkrev(IPL_NAME); + } else { + if (openkmem(kern, memf) == -1) + exit(-1); + } (void)setgid(getgid()); (void)setuid(getuid()); @@ -369,7 +384,7 @@ char *argv[]; bzero((char *)&ipsst, sizeof(ipsst)); bzero((char *)&ifrst, sizeof(ifrst)); - ipfstate_live(device, &fiop, &ipsstp, &ifrstp, + ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); } else ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); @@ -383,7 +398,7 @@ char *argv[]; showlist(fiop); } } else if (opts & OPT_FRSTATES) - showfrstates(ifrstp); + showfrstates(ifrstp, fiop->f_ticks); #ifdef STATETOP else if (opts & OPT_STATETOP) topipstates(saddr, daddr, sport, dport, protocol, @@ -422,9 +437,9 @@ u_32_t *frfp; if ((opts & OPT_AUTHSTATS) == 0) { bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; + ipfo.ipfo_type = IPFOBJ_IPFSTAT; ipfo.ipfo_size = sizeof(friostat_t); ipfo.ipfo_ptr = (void *)*fiopp; - ipfo.ipfo_type = IPFOBJ_IPFSTAT; if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) { perror("ioctl(ipf:SIOCGETFS)"); @@ -439,9 +454,9 @@ u_32_t *frfp; bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; + ipfo.ipfo_type = IPFOBJ_STATESTAT; ipfo.ipfo_size = sizeof(ips_stat_t); ipfo.ipfo_ptr = (void *)*ipsstpp; - ipfo.ipfo_type = IPFOBJ_STATESTAT; if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { perror("ioctl(state:SIOCGETFS)"); @@ -456,9 +471,9 @@ u_32_t *frfp; if ((opts & OPT_FRSTATES) != 0) { bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; + ipfo.ipfo_type = IPFOBJ_FRAGSTAT; ipfo.ipfo_size = sizeof(ipfrstat_t); ipfo.ipfo_ptr = (void *)*ifrstpp; - ipfo.ipfo_type = IPFOBJ_FRAGSTAT; if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) { perror("ioctl(SIOCGFRST)"); 
@@ -466,27 +481,17 @@ u_32_t *frfp; } } - if (opts & OPT_VERBOSE) + if (opts & OPT_DEBUG) PRINTF("opts %#x name %s\n", opts, device); if ((opts & OPT_AUTHSTATS) != 0) { - if (ipf_fd >= 0) { - close(ipf_fd); - ipf_fd = -1; - } - device = IPAUTH_NAME; - if ((ipf_fd = open(device, O_RDONLY)) == -1) { - perror("open"); - exit(-1); - } - bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; + ipfo.ipfo_type = IPFOBJ_AUTHSTAT; ipfo.ipfo_size = sizeof(fr_authstat_t); ipfo.ipfo_ptr = (void *)*frauthstpp; - ipfo.ipfo_type = IPFOBJ_AUTHSTAT; - if (ioctl(ipf_fd, SIOCATHST, &ipfo) == -1) { + if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) { perror("ioctl(SIOCATHST)"); exit(-1); } @@ -511,10 +516,11 @@ u_32_t *frfp; static ips_stat_t ipsst, *ipsstp; static ipfrstat_t ifrst, *ifrstp; static friostat_t fio, *fiop; + static ipftq_t ipssttab[IPF_TCP_NSTATES]; int temp; void *rules[2][2]; - struct nlist deadlist[43] = { + struct nlist deadlist[44] = { { "fr_authstats" }, /* 0 */ { "fae_list" }, { "ipauth" }, @@ -557,6 +563,7 @@ u_32_t *frfp; { "fr_pass" }, { "fr_flags" }, /* 40 */ { "ipstate_logging" }, + { "ips_tqtqb" }, { NULL } }; @@ -669,9 +676,12 @@ u_32_t *frfp; */ kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp)); kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp)); + kmemcpy((char *)ipssttab, (u_long)deadlist[42].n_value, + sizeof(ipssttab)); ipsstp->iss_active = temp; ipsstp->iss_table = (void *)deadlist[18].n_value; ipsstp->iss_list = (void *)deadlist[17].n_value; + ipsstp->iss_tcptab = ipssttab; /* * Build up the authentiation information stats structure. 
@@ -771,21 +781,62 @@ u_32_t frf; /* * Print out a list of rules from the kernel, starting at the one passed. */ -static void printlist(fp, comment) +static void printlivelist(out, set, fp, group, comment) +int out, set; frentry_t *fp; -char *comment; +char *group, *comment; { - struct frentry fb, *fg; - char *data; - u_32_t type; - int n; + struct frentry fb; + ipfruleiter_t rule; + frentry_t zero; + frgroup_t *g; + ipfobj_t obj; + int n; - for (n = 1; fp; n++) { - if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) { - perror("kmemcpy"); + if (use_inet6 == 1) + fb.fr_v = 6; + else + fb.fr_v = 4; + fb.fr_next = fp; + n = 0; + + rule.iri_inout = out; + rule.iri_active = set; + rule.iri_rule = &fb; + rule.iri_nrules = 1; + rule.iri_v = use_inet6 ? 6 : 4; + if (group != NULL) + strncpy(rule.iri_group, group, FR_GROUPLEN); + else + rule.iri_group[0] = '\0'; + + bzero((char *)&zero, sizeof(zero)); + + bzero((char *)&obj, sizeof(obj)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_IPFITER; + obj.ipfo_size = sizeof(rule); + obj.ipfo_ptr = &rule; + + do { + u_long array[1000]; + + memset(array, 0xff, sizeof(array)); + fp = (frentry_t *)array; + rule.iri_rule = fp; + if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) { + perror("ioctl(SIOCIPFITER)"); + n = IPFGENITER_IPF; + ioctl(ipf_fd, SIOCIPFDELTOK, &n); return; } - fp = &fb; + if (bcmp(fp, &zero, sizeof(zero)) == 0) + break; + if (fp->fr_data != NULL) + fp->fr_data = (char *)fp + sizeof(*fp); + + n++; + if (opts & (OPT_HITS|OPT_VERBOSE)) #ifdef USE_QUAD_T PRINTF("%qu ", (unsigned long long) fp->fr_hits); 
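Review bot: The iteration buffer `u_long array[1000];` is a fixed stack area that the kernel fills through `rule.iri_rule = fp;` with `iri_nrules = 1`, and the fixup `fp->fr_data = (char *)fp + sizeof(*fp);` assumes the rule's data was copied in directly behind the frentry; nothing here tells the kernel the buffer size or checks that `sizeof(*fp) + fp->fr_dsize` fits before `fr_data` is dereferenced by printfr/binprint further down. Unless the SIOCIPFITER handler bounds its copy by a size the caller supplies, add `if (fp->fr_dsize > sizeof(array) - sizeof(*fp)) { fprintf(stderr, "rule data too large\n"); break; }` before the `fr_data` fixup, and give the 1000 a named constant. `struct frentry fb` is only partially initialised (`fr_v`, `fr_next`) and `rule.iri_rule` is repointed at `fp` before the ioctl, so `fb` appears to be dead. printlivelist continues past the end of this hunk.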
@@ -800,20 +851,6 @@ char *comment; #endif if (opts & OPT_SHOWLINENO) PRINTF("@%d ", n); - data = NULL; - type = fp->fr_type & ~FR_T_BUILTIN; - if (type == FR_T_IPF || type == FR_T_BPFOPC) { - if (fp->fr_dsize) { - data = malloc(fp->fr_dsize); - - if (kmemcpy(data, (u_long)fp->fr_data, - fp->fr_dsize) == -1) { - perror("kmemcpy"); - return; - } - fp->fr_data = data; - } - } printfr(fp, ioctl); if (opts & OPT_DEBUG) { 
@@ -821,17 +858,137 @@ char *comment; if (fp->fr_data != NULL && fp->fr_dsize > 0) binprint(fp->fr_data, fp->fr_dsize); } + if (fp->fr_grhead[0] != '\0') { + for (g = grtop; g != NULL; g = g->fg_next) { + if (!strncmp(fp->fr_grhead, g->fg_name, + FR_GROUPLEN)) + break; + } + if (g == NULL) { + g = calloc(1, sizeof(*g)); + + if (g != NULL) { + strncpy(g->fg_name, fp->fr_grhead, + FR_GROUPLEN); + if (grtop == NULL) { + grtop = g; + grtail = g; + } else { + grtail->fg_next = g; + grtail = g; + } + } + } + } + if (fp->fr_type == FR_T_CALLFUNC) { + printlivelist(out, set, fp->fr_data, group, + "# callfunc: "); + } + } while (fp->fr_next != NULL); + + n = IPFGENITER_IPF; + ioctl(ipf_fd, SIOCIPFDELTOK, &n); + + if (group == NULL) { + while ((g = grtop) != NULL) { + printf("# Group %s\n", g->fg_name); + printlivelist(out, set, NULL, g->fg_name, comment); + grtop = g->fg_next; + free(g); + } + } +} + + +static void printdeadlist(out, set, fp, group, comment) +int out, set; +frentry_t *fp; +char *group, *comment; +{ + frgroup_t *grtop, *grtail, *g; + struct frentry fb; + char *data; + u_32_t type; + int n; + + fb.fr_next = fp; + n = 0; + grtop = NULL; + grtail = NULL; + + do { + fp = fb.fr_next; + if (kmemcpy((char *)&fb, (u_long)fb.fr_next, + sizeof(fb)) == -1) { + perror("kmemcpy"); + return; + } + + data = NULL; + type = fb.fr_type & ~FR_T_BUILTIN; + if (type == FR_T_IPF || type == FR_T_BPFOPC) { + if (fb.fr_dsize) { + data = malloc(fb.fr_dsize); + + if (kmemcpy(data, (u_long)fb.fr_data, + fb.fr_dsize) == -1) { + perror("kmemcpy"); + return; + } + fb.fr_data = data; + } + } + + n++; + + if (opts & (OPT_HITS|OPT_VERBOSE)) +#ifdef USE_QUAD_T + PRINTF("%qu ", (unsigned long long) fb.fr_hits); +#else + PRINTF("%lu ", fb.fr_hits); +#endif + if (opts & (OPT_ACCNT|OPT_VERBOSE)) +#ifdef USE_QUAD_T + PRINTF("%qu ", (unsigned long long) fb.fr_bytes); +#else + PRINTF("%lu ", fb.fr_bytes); +#endif + if (opts & OPT_SHOWLINENO) + PRINTF("@%d ", n); + + printfr(fp, ioctl); + if (opts & 
OPT_DEBUG) { + binprint(fp, sizeof(*fp)); + if (fb.fr_data != NULL && fb.fr_dsize > 0) + binprint(fb.fr_data, fb.fr_dsize); + } if (data != NULL) free(data); - if (fp->fr_grp != NULL) { - if (!kmemcpy((char *)&fg, (u_long)fp->fr_grp, - sizeof(fg))) - printlist(fg, comment); + if (fb.fr_grhead[0] != '\0') { + g = calloc(1, sizeof(*g)); + + if (g != NULL) { + strncpy(g->fg_name, fb.fr_grhead, + FR_GROUPLEN); + if (grtop == NULL) { + grtop = g; + grtail = g; + } else { + grtail->fg_next = g; + grtail = g; + } + } } if (type == FR_T_CALLFUNC) { - printlist(fp->fr_data, "# callfunc: "); + printdeadlist(out, set, fb.fr_data, group, + "# callfunc: "); } - fp = fp->fr_next; + } while (fb.fr_next != NULL); + + while ((g = grtop) != NULL) { + printdeadlist(out, set, NULL, g->fg_name, comment); + grtop = g->fg_next; + free(g); } } @@ -887,17 +1044,20 @@ struct friostat *fiop; } else return; } - if (opts & OPT_VERBOSE) + if (opts & OPT_DEBUG) FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i); - if (opts & OPT_VERBOSE) + if (opts & OPT_DEBUG) PRINTF("fp %p set %d\n", fp, set); if (!fp) { FPRINTF(stderr, "empty list for %s%s\n", (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); return; } - printlist(fp, NULL); + if (live_kernel == 1) + printlivelist(i, set, fp, NULL, NULL); + else + printdeadlist(i, set, fp, NULL, NULL); } 
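Review bot: In printdeadlist the printers receive the kernel address rather than the copied rule: after `fp = fb.fr_next;` and the kmemcpy into `fb`, the new code calls `printfr(fp, ioctl);` and `binprint(fp, sizeof(*fp));`, but `fp` is a pointer into the kernel/core image while the readable copy is `fb`; both should be `printfr(&fb, ioctl);` and `binprint(&fb, sizeof(fb));` (the removed printlist pointed `fp` at `&fb` before printing). The two `perror("kmemcpy"); return;` exits leak `data` and the partially built group list, and the locals `grtop`/`grtail` shadow the file-scope globals of the same name that printlivelist uses, which is easy to misread. In printlivelist, the recursive `printlivelist(out, set, fp->fr_data, group, "# callfunc: ")` call runs while the outer SIOCIPFITER iteration is in progress and on return issues `SIOCIPFDELTOK` for `IPFGENITER_IPF`; if that token is per-process rather than per-call, the inner call tears down the outer iteration. printlivelist starts in an earlier hunk.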
@@ -908,23 +1068,45 @@ static void showipstates(ipsp) ips_stat_t *ipsp; { u_long minlen, maxlen, totallen, *buckets; + ipftable_t table; + ipfobj_t obj; int i, sz; - sz = sizeof(*buckets) * ipsp->iss_statesize; - buckets = (u_long *)malloc(sz); - if (kmemcpy((char *)buckets, (u_long)ipsp->iss_bucketlen, sz)) { - free(buckets); - return; - } - /* * If a list of states hasn't been asked for, only print out stats */ if (!(opts & OPT_SHOWLIST)) { + + sz = sizeof(*buckets) * ipsp->iss_statesize; + buckets = (u_long *)malloc(sz); + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_GTABLE; + obj.ipfo_size = sizeof(table); + obj.ipfo_ptr = &table; + + table.ita_type = IPFTABLE_BUCKETS; + table.ita_table = buckets; + + if (live_kernel == 1) { + if (ioctl(state_fd, SIOCGTABL, &obj) != 0) { + free(buckets); + return; + } + } else { + if (kmemcpy((char *)buckets, + (u_long)ipsp->iss_bucketlen, sz)) { + free(buckets); + return; + } + } + PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss); + PRINTF("\t%lu bucket full\n", ipsp->iss_bucketfull); + PRINTF("\t%lu maximum rule references\n", ipsp->iss_maxref); PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", @@ -935,8 +1117,10 @@ ips_stat_t *ipsp; PRINTF("\nState table bucket statistics:\n"); PRINTF("\t%lu in use\t\n", ipsp->iss_inuse); + PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ? + (u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0); - minlen = ipsp->iss_max; + minlen = ipsp->iss_inuse; totallen = 0; maxlen = 0; @@ -944,7 +1128,7 @@ ips_stat_t *ipsp; if (buckets[i] > maxlen) maxlen = buckets[i]; if (buckets[i] < minlen) - minlen = buckets[i]; + minlen = buckets[i]; totallen += buckets[i]; } 
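Review bot: `buckets = (u_long *)malloc(sz);` is not checked for NULL before its address is handed to the kernel through `table.ita_table = buckets;` (live path) or written by kmemcpy (dead path); add `if (buckets == NULL) return;` directly after the allocation. The ipftable_t filled in here carries only `ita_type` and `ita_table`, so the number of entries the kernel writes is presumably derived from `iss_statesize` on both sides; a comment stating that assumption next to `sz` would help the next reader. showipstates continues past this hunk.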
@@ -975,18 +1159,30 @@ ips_stat_t *ipsp; PRINTF("\n"); free(buckets); + + if (live_kernel == 1) { + showtqtable_live(state_fd); + } else { + printtqtable(ipsp->iss_tcptab); + } + return; + } /* * Print out all the state information currently held in the kernel. */ while (ipsp->iss_list != NULL) { - ipsp->iss_list = printstate(ipsp->iss_list, opts, - ipsp->iss_ticks); - } + ipstate_t ips; - free(buckets); + ipsp->iss_list = fetchstate(ipsp->iss_list, &ips); + + if (ipsp->iss_list != NULL) { + ipsp->iss_list = ips.is_next; + printstate(&ips, opts, ipsp->iss_ticks); + } + } } @@ -1040,9 +1236,9 @@ int topclosed; /* init ipfobj_t stuff */ bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; + ipfo.ipfo_type = IPFOBJ_STATESTAT; ipfo.ipfo_size = sizeof(*ipsstp); ipfo.ipfo_ptr = (void *)ipsstp; - ipfo.ipfo_type = IPFOBJ_STATESTAT; /* repeat until user aborts */ while ( 1 ) { @@ -1064,8 +1260,8 @@ int topclosed; /* read the state table and store in tstable */ for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) { - if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list, - sizeof(ips))) + ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips); + if (ipsstp->iss_list == NULL) break; if (ips.is_v != ver) @@ -1432,8 +1628,9 @@ out: /* * Show fragment cache information that's held in the kernel. */ -static void showfrstates(ifsp) +static void showfrstates(ifsp, ticks) ipfrstat_t *ifsp; +u_long ticks; { struct ipfr *ipfrtab[IPFT_SIZE], ifr; int i; 
@@ -1448,34 +1645,65 @@ ipfrstat_t *ifsp; PRINTF("\t%lu no memory\n\t%lu already exist\n", ifsp->ifs_nomem, ifsp->ifs_exists); PRINTF("\t%lu inuse\n", ifsp->ifs_inuse); - if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab))) - return; + PRINTF("\n"); + + if (live_kernel == 0) { + if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, + sizeof(ipfrtab))) + return; + } /* * Print out the contents (if any) of the fragment cache table. */ - PRINTF("\n"); - for (i = 0; i < IPFT_SIZE; i++) - while (ipfrtab[i] != NULL) { - if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], - sizeof(ifr)) == -1) + if (live_kernel == 1) { + do { + if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0) break; + if (ifr.ipfr_ifp == NULL) + break; + ifr.ipfr_ttl -= ticks; printfraginfo("", &ifr); - ipfrtab[i] = ifr.ipfr_next; - } + } while (1); + } else { + for (i = 0; i < IPFT_SIZE; i++) + while (ipfrtab[i] != NULL) { + if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], + sizeof(ifr)) == -1) + break; + printfraginfo("", &ifr); + ipfrtab[i] = ifr.ipfr_next; + } + } /* * Print out the contents (if any) of the NAT fragment cache table. */ - if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) - return; - for (i = 0; i < IPFT_SIZE; i++) - while (ipfrtab[i] != NULL) { - if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], - sizeof(ifr)) == -1) + + if (live_kernel == 0) { + if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab, + sizeof(ipfrtab))) + return; + } + + if (live_kernel == 1) { + do { + if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0) break; + if (ifr.ipfr_ifp == NULL) + break; + ifr.ipfr_ttl -= ticks; printfraginfo("NAT: ", &ifr); - ipfrtab[i] = ifr.ipfr_next; - } + } while (1); + } else { + for (i = 0; i < IPFT_SIZE; i++) + while (ipfrtab[i] != NULL) { + if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], + sizeof(ifr)) == -1) + break; + printfraginfo("NAT: ", &ifr); + ipfrtab[i] = ifr.ipfr_next; + } + } } 
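Review bot: The live-kernel loops call fetchfrag until it fails or returns an entry with a NULL `ipfr_ifp`, but unlike fetchstate, which issues `SIOCIPFDELTOK` when its list ends, nothing here releases the `IPFGENITER_FRAG` / `IPFGENITER_NATFRAG` iterator; if those iterators hold a per-process token as the state iterator does, it is left behind until exit. Adding the same delete-token call after each `} while (1);` would make the three iterators consistent. `ifr.ipfr_ttl -= ticks;` assumes `ipfr_ttl >= ticks`; if the field is unsigned, an already-expired entry wraps to a huge value instead of a small or negative one — NOTE(review): confirm the field's type. The function header is in the previous hunk.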
@@ -1486,6 +1714,17 @@ static void showauthstates(asp) fr_authstat_t *asp; { frauthent_t *frap, fra; + ipfgeniter_t auth; + ipfobj_t obj; + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_GENITER; + obj.ipfo_size = sizeof(auth); + obj.ipfo_ptr = &auth; + + auth.igi_type = IPFGENITER_AUTH; + auth.igi_nitems = 1; + auth.igi_data = &fra; #ifdef USE_QUAD_T printf("Authorisation hits: %qu\tmisses %qu\n", @@ -1503,9 +1742,14 @@ fr_authstat_t *asp; frap = asp->fas_faelist; while (frap) { - if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1) - break; - + if (live_kernel == 1) { + if (ioctl(auth_fd, SIOCGENITER, &obj)) + break; + } else { + if (kmemcpy((char *)&fra, (u_long)frap, + sizeof(fra)) == -1) + break; + } printf("age %ld\t", fra.fae_age); printfr(&fra.fae_fr, ioctl); frap = fra.fae_next; @@ -1567,7 +1811,7 @@ int *port; *port = -1; } else if (!sscanf(comma + 1, "%d", port) || (*port < 0) || (*port > 65535)) { - fprintf(stderr, "Invalid port specfication in %s\n", + fprintf(stderr, "Invalid port specification in %s\n", argument); free(s); exit(-2); @@ -1579,6 +1823,7 @@ int *port; /* get ip address */ if (!strcasecmp(s, "any")) { ip->in4.s_addr = INADDR_ANY; + ok = 1; #ifdef USE_INET6 ip->in6 = in6addr_any; } else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) { 
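Review bot: In the live path of showauthstates the loop is still driven by `frap`, a kernel pointer taken from `asp->fas_faelist` and advanced with `frap = fra.fae_next;`, while the data actually comes from `ioctl(auth_fd, SIOCGENITER, &obj)`; the list therefore ends only when the kernel reports a NULL `fae_next`, and, as with the fragment iterators, no `SIOCIPFDELTOK` is issued for `IPFGENITER_AUTH` afterwards. A comment on the `while (frap)` line saying that `frap` is only a termination sentinel in live mode, plus the token release after the loop, would make this consistent with fetchstate. showauthstates continues past the hunk.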
@@ -1795,3 +2040,75 @@ const void *b;
 }
 #endif
+
+
+ipstate_t *fetchstate(src, dst)
+ipstate_t *src, *dst;
+{
+ int i;
+
+ if (live_kernel == 1) {
+ ipfgeniter_t state;
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_GENITER;
+ obj.ipfo_size = sizeof(state);
+ obj.ipfo_ptr = &state;
+
+ state.igi_type = IPFGENITER_STATE;
+ state.igi_nitems = 1;
+ state.igi_data = dst;
+
+ if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
+ return NULL;
+ if (dst->is_next == NULL) {
+ i = IPFGENITER_STATE;
+ ioctl(state_fd, SIOCIPFDELTOK, &i);
+ }
+ } else {
+ if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
+ return NULL;
+ }
+ return dst;
+}
+
+
+static int fetchfrag(fd, type, frp)
+int fd, type;
+ipfr_t *frp;
+{
+ ipfgeniter_t frag;
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_GENITER;
+ obj.ipfo_size = sizeof(frag);
+ obj.ipfo_ptr = &frag;
+
+ frag.igi_type = type;
+ frag.igi_nitems = 1;
+ frag.igi_data = frp;
+
+ if (ioctl(fd, SIOCGENITER, &obj))
+ return EFAULT;
+ return 0;
+}
+
+
+static void showtqtable_live(fd)
+int fd;
+{
+ ipftq_t table[IPF_TCP_NSTATES];
+ ipfobj_t obj;
+
+ bzero((char *)&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(table);
+ obj.ipfo_ptr = (void *)table;
+ obj.ipfo_type = IPFOBJ_STATETQTAB;
+
+ if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
+ printtqtable(table);
+ }
+}
diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c
index 3b99a0bd919e..963ed197cb9c 100644
--- a/contrib/ipfilter/tools/ipftest.c
+++ b/contrib/ipfilter/tools/ipftest.c
@@ -1,7 +1,7 @@
 /* $FreeBSD$ */
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2002-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
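Review bot: fetchstate is declared `static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));` earlier in the file but defined here as `ipstate_t *fetchstate(src, dst)` without the storage class, unlike its siblings fetchfrag and showtqtable_live; the earlier declaration keeps the linkage internal, but the definition should read `static ipstate_t *fetchstate(src, dst)` for consistency. In fetchfrag the ioctl's errno is discarded and `EFAULT` returned for every failure; returning `-1` (or the saved errno) would let showfrstates distinguish end-of-list from a genuine error. The `src` argument of fetchstate is unused in the live branch while callers still pass the kernel list head, which deserves a one-line comment on the function.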
@@ -12,7 +12,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $"; #endif extern char *optarg; @@ -22,12 +22,13 @@ extern struct ifnet *get_unit __P((char *, int)); extern void init_ifp __P((void)); extern ipnat_t *natparse __P((char *, int)); extern int fr_running; -extern hostmap_t **maptable; +extern hostmap_t **ipf_hm_maptable; +extern hostmap_t *ipf_hm_maplist; ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache; -ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; +ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens; int opts = OPT_DONOTHING; int use_inet6 = 0; int docksum = 0; @@ -103,6 +104,7 @@ char *argv[]; RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); RWLOCK_INIT(&ipf_frcache, "ipf filter cache"); + RWLOCK_INIT(&ipf_tokens, "ipf token rwlock"); initparse(); if (fr_initialise() == -1) @@ -251,7 +253,10 @@ char *argv[]; (void)printf("pass"); break; case 1 : - (void)printf("nomatch"); + if (m == NULL) + (void)printf("bad-packet"); + else + (void)printf("nomatch"); break; case 3 : (void)printf("block return-rst"); 
@@ -631,26 +636,23 @@ int n; */ void dumpnat() { - ipnat_t *ipn; - nat_t *nat; hostmap_t *hm; - int i; + ipnat_t *ipn; + nat_t *nat; printf("List of active MAP/Redirect filters:\n"); for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next) printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); printf("\nList of active sessions:\n"); for (nat = nat_instances; nat; nat = nat->nat_next) { - printactivenat(nat, opts); + printactivenat(nat, opts, 0, 0); if (nat->nat_aps) printaps(nat->nat_aps, opts); } printf("\nHostmap table:\n"); - for (i = 0; i < ipf_hostmap_sz; i++) { - for (hm = maptable[i]; hm != NULL; hm = hm->hm_next) - printhostmap(hm, i); - } + for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next) + printhostmap(hm, 0); } diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c index fea09f35fbf2..ceaed82cb4b3 100644 --- a/contrib/ipfilter/tools/ipmon.c +++ b/contrib/ipfilter/tools/ipmon.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001, 2003 by Darren Reed. + * Copyright (C) 2001-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -78,7 +78,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $"; #endif @@ -752,6 +752,8 @@ int blen; strcpy(t, "NAT:MAPBLOCK "); else if (nl->nl_type == NL_CLONE) strcpy(t, "NAT:CLONE "); + else if (nl->nl_type == NL_DESTROY) + strcpy(t, "NAT:DESTROY "); else sprintf(t, "Type: %d ", nl->nl_type); t += strlen(t); 
@@ -764,8 +766,9 @@ int blen; (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip), portname(res, proto, (u_int)nl->nl_outport)); t += strlen(t); - (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip), - portname(res, proto, (u_int)nl->nl_origport)); + (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip), + portname(res, proto, (u_int)nl->nl_origport), + getproto(nl->nl_p)); t += strlen(t); if (nl->nl_type == NL_EXPIRE) { #ifdef USE_QUAD_T @@ -817,27 +820,49 @@ int blen; (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); - if (sl->isl_type == ISL_NEW) + switch (sl->isl_type) + { + case ISL_NEW : strcpy(t, "STATE:NEW "); - else if (sl->isl_type == ISL_CLONE) + break; + + case ISL_CLONE : strcpy(t, "STATE:CLONED "); - else if (sl->isl_type == ISL_EXPIRE) { + break; + + case ISL_EXPIRE : if ((sl->isl_p == IPPROTO_TCP) && (sl->isl_state[0] > IPF_TCPS_ESTABLISHED || sl->isl_state[1] > IPF_TCPS_ESTABLISHED)) strcpy(t, "STATE:CLOSE "); else strcpy(t, "STATE:EXPIRE "); - } else if (sl->isl_type == ISL_FLUSH) + break; + + case ISL_FLUSH : strcpy(t, "STATE:FLUSH "); - else if (sl->isl_type == ISL_INTERMEDIATE) + break; + + case ISL_INTERMEDIATE : strcpy(t, "STATE:INTERMEDIATE "); - else if (sl->isl_type == ISL_REMOVE) + break; + + case ISL_REMOVE : strcpy(t, "STATE:REMOVE "); - else if (sl->isl_type == ISL_KILLED) + break; + + case ISL_KILLED : strcpy(t, "STATE:KILLED "); - else + break; + + case ISL_UNLOAD : + strcpy(t, "STATE:UNLOAD "); + break; + + default : sprintf(t, "Type: %d ", sl->isl_type); + break; + } t += strlen(t); proto = getproto(sl->isl_p); @@ -980,7 +1005,10 @@ int blen; ipflog_t *ipf; iplog_t *ipl; #ifdef USE_INET6 + struct ip6_ext *ehp; + u_short ehl; ip6_t *ip6; + int go; #endif ipl = (iplog_t *)buf; 
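Review bot: The rewritten `sprintf(t, "[%s,%s PR %s]", ...)` appends another field to a log line that is assembled by unbounded `sprintf` calls advancing `t` with `t += strlen(t)`, and nothing in the hunk compares the write position against the `blen` the function receives (visible in the hunk header); the `HOSTNAME_V4`/`portname` strings can come from resolver answers for attacker-chosen addresses, so each extra field narrows the margin in the fixed buffer. Prefer a bounded write here, e.g. `(void) snprintf(t, blen - (t - buf), "[%s,%s PR %s]", ...)` if `buf` is the buffer `blen` describes (both are declared outside the hunk), and treat the neighbouring writes the same way. The enclosing function starts and ends outside this hunk.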
@@ -1089,6 +1117,29 @@ int blen; s = (u_32_t *)&ip6->ip6_src; d = (u_32_t *)&ip6->ip6_dst; plen = hl + ntohs(ip6->ip6_plen); + go = 1; + ehp = (struct ip6_ext *)((char *)ip6 + hl); + while (go == 1) { + switch (p) + { + case IPPROTO_HOPOPTS : + case IPPROTO_MOBILITY : + case IPPROTO_DSTOPTS : + case IPPROTO_ROUTING : + case IPPROTO_AH : + p = ehp->ip6e_nxt; + ehl = 8 + (ehp->ip6e_len << 3); + hl += ehl; + ehp = (struct ip6_ext *)((char *)ehp + ehl); + break; + case IPPROTO_FRAGMENT : + hl += sizeof(struct ip6_frag); + /* FALLTHROUGH */ + default : + go = 0; + break; + } + } #else sprintf(t, "ipv6"); goto printipflog; @@ -1629,6 +1680,7 @@ char *argv[]; if (!tr) continue; nr += tr; + n = 0; tr = read_log(fd[i], &n, buf, sizeof(buf)); if (donehup) { diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y index e1aa81204607..98042d880222 100644 --- a/contrib/ipfilter/tools/ipmon_y.y +++ b/contrib/ipfilter/tools/ipmon_y.y @@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2001-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ %{ #include "ipf.h" #include @@ -77,6 +82,7 @@ assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); resetlexer(); free($1); free($3); + yyvarnext = 0; } ; diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c index 5ebea45b2aa1..28e29ec74199 100644 --- a/contrib/ipfilter/tools/ipnat.c +++ b/contrib/ipfilter/tools/ipnat.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * @@ -67,7 +67,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.2 2005/05/10 21:19:30 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $"; #endif 
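Review bot: The new extension-header walk trusts `ehp->ip6e_nxt` and `ehp->ip6e_len` read from the logged packet without checking that the header, or the `hl + ehl` it advances to, lies inside the bytes the record actually carries; each hop can move `hl` by up to 2048 bytes and there is no cap on the number of headers, so a truncated or crafted chain reads past the buffer before `default` is reached. Separately, the AH header length is expressed in 32-bit words with a +2 bias (`(len + 2) * 4`), so the shared `ehl = 8 + (ehp->ip6e_len << 3)` miscomputes `hl` for `IPPROTO_AH` and every offset derived from it afterwards. Below, `avail` stands for the number of packet bytes present in this record (the log header's data-size field, set outside the hunk) — confirm which variable that is. The enclosing function starts and ends outside this hunk.
```c
		case IPPROTO_AH :
			/* need the 2-byte nxt/len pair before trusting anything in it */
			if (hl + sizeof(*ehp) > avail) {
				go = 0;
				break;
			}
			if (p == IPPROTO_AH)
				ehl = (ehp->ip6e_len + 2) << 2;	/* AH: 32-bit words, minus 2 */
			else
				ehl = 8 + (ehp->ip6e_len << 3);	/* others: 8-octet units, minus 1 */
			if (hl + ehl > avail) {
				go = 0;
				break;
			}
			p = ehp->ip6e_nxt;
			hl += ehl;
			ehp = (struct ip6_ext *)((char *)ehp + ehl);
			break;
		/* … unchanged: IPPROTO_FRAGMENT and default cases … */
```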
@@ -79,11 +79,18 @@ char thishost[MAXHOSTNAMELEN]; extern char *optarg; -void dostats __P((natstat_t *, int)), flushtable __P((int, int)); +void dostats __P((int, natstat_t *, int, int)); +void dotable __P((natstat_t *, int, int)); +void flushtable __P((int, int)); void usage __P((char *)); int main __P((int, char*[])); void showhostmap __P((natstat_t *nsp)); void natstat_dead __P((natstat_t *, char *)); +void dostats_live __P((int, natstat_t *, int)); +void showhostmap_dead __P((natstat_t *)); +void showhostmap_live __P((int, natstat_t *)); +void dostats_dead __P((natstat_t *, int)); +void showtqtable_live __P((int)); int opts; @@ -168,6 +175,15 @@ char *argv[]; (void) setuid(getuid()); } + if (!(opts & OPT_DONOTHING)) { + if (((fd = open(IPNAT_NAME, mode)) == -1) && + ((fd = open(IPNAT_NAME, O_RDONLY)) == -1)) { + (void) fprintf(stderr, "%s: open: %s\n", IPNAT_NAME, + STRERROR(errno)); + exit(1); + } + } + bzero((char *)&ns, sizeof(ns)); if ((opts & OPT_DONOTHING) == 0) { @@ -177,22 +193,11 @@ char *argv[]; } } - if (!(opts & OPT_DONOTHING) && (kernel == NULL) && (core == NULL)) { - if (openkmem(kernel, core) == -1) - exit(1); - - if (((fd = open(IPNAT_NAME, mode)) == -1) && - ((fd = open(IPNAT_NAME, O_RDONLY)) == -1)) { - (void) fprintf(stderr, "%s: open: %s\n", IPNAT_NAME, - STRERROR(errno)); - exit(1); - } - bzero((char *)&obj, sizeof(obj)); obj.ipfo_rev = IPFILTER_VERSION; - obj.ipfo_size = sizeof(*nsp); obj.ipfo_type = IPFOBJ_NATSTAT; + obj.ipfo_size = sizeof(*nsp); obj.ipfo_ptr = (void *)nsp; if (ioctl(fd, SIOCGNATS, &obj) == -1) { perror("ioctl(SIOCGNATS)"); @@ -206,7 +211,7 @@ char *argv[]; natstat_dead(nsp, kernel); if (opts & (OPT_LIST|OPT_STAT)) - dostats(nsp, opts); + dostats(fd, nsp, opts, 0); exit(0); } @@ -216,7 +221,7 @@ char *argv[]; ipnat_parsefile(fd, ipnat_addrule, ioctl, file); } if (opts & (OPT_LIST|OPT_STAT)) - dostats(nsp, opts); + dostats(fd, nsp, opts, 1); return 0; } 
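Review bot: The device open added after `setuid(getuid())` runs whenever `OPT_DONOTHING` is clear, whereas the block it replaces (removed in the following hunk) opened `IPNAT_NAME` only when neither `kernel` nor `core` was given; as written, inspecting a dump with `-M`/`-N` now dies with `exit(1)` on a host where the device is absent or not readable by the unprivileged uid. If that is intended it deserves a comment; otherwise keep the old guard on the new `if`: `if (!(opts & OPT_DONOTHING) && (kernel == NULL) && (core == NULL)) {`. Opening after the privilege drop is the right order, though the `setuid()` result on the context line above is still unchecked (pre-existing). `main` starts and ends outside this hunk.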
@@ -276,16 +281,75 @@ char *kernel; } +/* + * Issue an ioctl to flush either the NAT rules table or the active mapping + * table or both. + */ +void flushtable(fd, opts) +int fd, opts; +{ + int n = 0; + + if (opts & OPT_FLUSH) { + n = 0; + if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1) + perror("ioctl(SIOCFLNAT)"); + else + printf("%d entries flushed from NAT table\n", n); + } + + if (opts & OPT_CLEAR) { + n = 1; + if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1) + perror("ioctl(SIOCCNATL)"); + else + printf("%d entries flushed from NAT list\n", n); + } +} + + /* * Display NAT statistics. */ -void dostats(nsp, opts) +void dostats_dead(nsp, opts) natstat_t *nsp; int opts; { nat_t *np, nat; ipnat_t ipn; + printf("List of active MAP/Redirect filters:\n"); + while (nsp->ns_list) { + if (kmemcpy((char *)&ipn, (long)nsp->ns_list, + sizeof(ipn))) { + perror("kmemcpy"); + break; + } + if (opts & OPT_HITS) + printf("%lu ", ipn.in_hits); + printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); + nsp->ns_list = ipn.in_next; + } + + printf("\nList of active sessions:\n"); + + for (np = nsp->ns_instances; np; np = nat.nat_next) { + if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) + break; + printactivenat(&nat, opts, 0, nsp->ns_ticks); + if (nat.nat_aps) + printaps(nat.nat_aps, opts); + } + + if (opts & OPT_VERBOSE) + showhostmap_dead(nsp); +} + + +void dostats(fd, nsp, opts, alive) +natstat_t *nsp; +int fd, opts, alive; +{ /* * Show statistics ? */ 
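Review bot: In `dostats_dead` the sessions loop breaks silently when `kmemcpy` fails, whereas the rules loop just above reports it with `perror("kmemcpy")`; make the second loop match: `if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) { perror("kmemcpy"); break; }`. Neither loop bounds the walk, so a cyclic `in_next`/`nat_next` chain in a damaged dump spins forever — a counter capped at `nsp->ns_rules`/`nsp->ns_inuse` would be cheap insurance. `flushtable` is moved here verbatim; its `perror` labels still say `SIOCFLNAT`/`SIOCCNATL` although the request issued is `SIOCIPFFL`, and the "entries flushed" message also prints under `OPT_DONOTHING`. The `dostats` definition that begins at the end of this hunk continues past it.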
@@ -296,51 +360,142 @@ int opts; nsp->ns_added, nsp->ns_expire); printf("no memory\t%lu\tbad nat\t%lu\n", nsp->ns_memfail, nsp->ns_badnat); - printf("inuse\t%lu\nrules\t%lu\n", - nsp->ns_inuse, nsp->ns_rules); + printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n", + nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules); printf("wilds\t%u\n", nsp->ns_wilds); + dotable(nsp, fd, alive); if (opts & OPT_VERBOSE) printf("table %p list %p\n", nsp->ns_table, nsp->ns_list); + if (alive) + showtqtable_live(fd); } + if (opts & OPT_LIST) { + if (alive) + dostats_live(fd, nsp, opts); + else + dostats_dead(nsp, opts); + } +} + + +void dotable(nsp, fd, alive) +natstat_t *nsp; +int fd, alive; +{ + int sz, i, used, totallen, maxlen, minlen; + ipftable_t table; + u_long *buckets; + ipfobj_t obj; + + sz = sizeof(*buckets) * nsp->ns_nattab_sz; + buckets = (u_long *)malloc(sz); + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_GTABLE; + obj.ipfo_size = sizeof(table); + obj.ipfo_ptr = &table; + + table.ita_type = IPFTABLE_BUCKETS_NATIN; + table.ita_table = buckets; + + if (alive) { + if (ioctl(fd, SIOCGTABL, &obj) != 0) { + free(buckets); + return; + } + } else { + if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) { + free(buckets); + return; + } + } + + totallen = 0; + maxlen = 0; + minlen = nsp->ns_inuse; + used = 0; + + for (i = 0; i < nsp->ns_nattab_sz; i++) { + if (buckets[i] > maxlen) + maxlen = buckets[i]; + if (buckets[i] < minlen) + minlen = buckets[i]; + if (buckets[i] != 0) + used++; + totallen += buckets[i]; + } + + printf("hash efficiency\t%2.2f%%\n", + totallen ? ((float)used / totallen) * 100.0 : 0.0); + printf("bucket usage\t%2.2f%%\n", + ((float)used / nsp->ns_nattab_sz) * 100.0); + printf("minimal length\t%d\n", minlen); + printf("maximal length\t%d\n", maxlen); + printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0); +} + + +/* + * Display NAT statistics. 
+ */ +void dostats_live(fd, nsp, opts) +natstat_t *nsp; +int fd, opts; +{ + ipfgeniter_t iter; + ipfobj_t obj; + ipnat_t ipn; + nat_t nat; + + bzero((char *)&obj, sizeof(obj)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_GENITER; + obj.ipfo_size = sizeof(iter); + obj.ipfo_ptr = &iter; + + iter.igi_type = IPFGENITER_IPNAT; + iter.igi_nitems = 1; + iter.igi_data = &ipn; + /* * Show list of NAT rules and NAT sessions ? */ - if (opts & OPT_LIST) { - printf("List of active MAP/Redirect filters:\n"); - while (nsp->ns_list) { - if (kmemcpy((char *)&ipn, (long)nsp->ns_list, - sizeof(ipn))) { - perror("kmemcpy"); - break; - } - if (opts & OPT_HITS) - printf("%lu ", ipn.in_hits); - printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); - nsp->ns_list = ipn.in_next; - } - - printf("\nList of active sessions:\n"); - - for (np = nsp->ns_instances; np; np = nat.nat_next) { - if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) - break; - printactivenat(&nat, opts); - if (nat.nat_aps) - printaps(nat.nat_aps, opts); - } - - if (opts & OPT_VERBOSE) - showhostmap(nsp); + printf("List of active MAP/Redirect filters:\n"); + while (nsp->ns_list) { + if (ioctl(fd, SIOCGENITER, &obj) == -1) + break; + if (opts & OPT_HITS) + printf("%lu ", ipn.in_hits); + printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); + nsp->ns_list = ipn.in_next; } + + printf("\nList of active sessions:\n"); + + iter.igi_type = IPFGENITER_NAT; + iter.igi_nitems = 1; + iter.igi_data = &nat; + + while (nsp->ns_instances != NULL) { + if (ioctl(fd, SIOCGENITER, &obj) == -1) + break; + printactivenat(&nat, opts, 1, nsp->ns_ticks); + if (nat.nat_aps) + printaps(nat.nat_aps, opts); + nsp->ns_instances = nat.nat_next; + } + + if (opts & OPT_VERBOSE) + showhostmap_live(fd, nsp); } /* * Display the active host mapping table. */ -void showhostmap(nsp) +void showhostmap_dead(nsp) natstat_t *nsp; { hostmap_t hm, *hmp, **maptable; 
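Review bot: In `dotable` the dead-kernel branch reads the bucket array from kernel address `(u_long)nsp->ns_nattab_sz`, but a few lines later that same field is the element count of `for (i = 0; i < nsp->ns_nattab_sz; i++)` and of `sz`, so it is a size, not a pointer — the copy will either fail or pull in unrelated kernel memory; the stats struct presumably carries a separate pointer to the per-bucket lengths (not visible here) that should be used instead. The `malloc(sz)` result is handed to `SIOCGTABL` through `table.ita_table` without a NULL check, and `obj` and `table` are only partially initialised before the kernel sees them; I would write `buckets = malloc(sz); if (buckets == NULL) return;` and `bzero(&obj, sizeof(obj)); bzero(&table, sizeof(table));` ahead of the field assignments. In `dostats_live` both `SIOCGENITER` loops `break` silently on error, so a failed iteration is indistinguishable from an empty list, and the iterator token is never released with `SIOCIPFDELTOK` as the state fetcher added earlier in this commit does — presumably it goes with the descriptor, but worth confirming. The hunk's last function, `showhostmap_dead`, continues outside it.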
@@ -374,27 +529,50 @@ natstat_t *nsp; /* - * Issue an ioctl to flush either the NAT rules table or the active mapping - * table or both. + * Display the active host mapping table. */ -void flushtable(fd, opts) -int fd, opts; +void showhostmap_live(fd, nsp) +int fd; +natstat_t *nsp; { - int n = 0; + ipfgeniter_t iter; + hostmap_t hm; + ipfobj_t obj; - if (opts & OPT_FLUSH) { - n = 0; - if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1) - perror("ioctl(SIOCFLNAT)"); - else - printf("%d entries flushed from NAT table\n", n); - } + bzero((char *)&obj, sizeof(obj)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_GENITER; + obj.ipfo_size = sizeof(iter); + obj.ipfo_ptr = &iter; - if (opts & OPT_CLEAR) { - n = 1; - if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1) - perror("ioctl(SIOCCNATL)"); - else - printf("%d entries flushed from NAT list\n", n); + iter.igi_type = IPFGENITER_HOSTMAP; + iter.igi_nitems = 1; + iter.igi_data = &hm; + + printf("\nList of active host mappings:\n"); + + while (nsp->ns_maplist != NULL) { + if (ioctl(fd, SIOCGENITER, &obj) == -1) + break; + printhostmap(&hm, 0); + nsp->ns_maplist = hm.hm_next; + } +} + + +void showtqtable_live(fd) +int fd; +{ + ipftq_t table[IPF_TCP_NSTATES]; + ipfobj_t obj; + + bzero((char *)&obj, sizeof(obj)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(table); + obj.ipfo_ptr = (void *)table; + obj.ipfo_type = IPFOBJ_STATETQTAB; + + if (ioctl(fd, SIOCGTQTAB, &obj) == 0) { + printtqtable(table); } } diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y index a01ec56abd8e..cce717d8ee05 100644 --- a/contrib/ipfilter/tools/ipnat_y.y +++ b/contrib/ipfilter/tools/ipnat_y.y @@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2001-2006 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ %{ #ifdef __FreeBSD__ # ifndef __FreeBSD_cc_version 
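Review bot: `showtqtable_live` added here is byte-for-byte the function added to another tool earlier in this commit; the printing side is already shared (`printtqtable` is called from both), so the ioctl wrapper belongs beside it rather than in two `.c` files that will drift. `showhostmap_live` breaks silently when `SIOCGENITER` fails, leaving the user unable to tell an empty map from a failed walk — `perror("ioctl(SIOCGENITER)");` before the `break` would match the handling `showpools_live` gets in this same commit. The iterator token it obtains is never released with `SIOCIPFDELTOK` the way the state fetcher does it; if closing the descriptor is meant to reclaim it, a one-line comment saying so would save the next reader the question.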
@@ -117,6 +122,7 @@ assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); resetlexer(); free($1); free($3); + yyvarnext = 0; } ; @@ -348,11 +354,11 @@ portspec: ; dport: | port portspec { nat->in_pmin = htons($2); - nat->in_pmax = htons($2); } + nat->in_pmax = htons($2); } | port portspec '-' portspec { nat->in_pmin = htons($2); - nat->in_pmax = htons($4); } + nat->in_pmax = htons($4); } | port portspec ':' portspec { nat->in_pmin = htons($2); - nat->in_pmax = htons($4); } + nat->in_pmax = htons($4); } ; nport: port portspec { nat->in_pnext = htons($2); } @@ -605,6 +611,7 @@ compare: range: YY_RANGE_OUT { $$ = FR_OUTRANGE; } | YY_RANGE_IN { $$ = FR_INRANGE; } + | ':' { $$ = FR_INCRANGE; } ; ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER diff --git a/contrib/ipfilter/tools/ippool.c b/contrib/ipfilter/tools/ippool.c index 5cefc66fd80a..8b7096050736 100644 --- a/contrib/ipfilter/tools/ippool.c +++ b/contrib/ipfilter/tools/ippool.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2003 by Darren Reed. + * Copyright (C) 2002-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -29,8 +29,14 @@ #include #include #include +#ifdef linux +# include +#else +# include +#endif #include "ipf.h" +#include "netinet/ipl.h" #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" #include "netinet/ip_htable.h" 
@@ -43,17 +49,21 @@ extern FILE *ippool_yyin; extern char *optarg; extern int lineNum; -void showpools __P((ip_pool_stat_t *)); void usage __P((char *)); int main __P((int, char **)); int poolcommand __P((int, int, char *[])); int poolnodecommand __P((int, int, char *[])); int loadpoolfile __P((int, char *[], char *)); int poollist __P((int, char *[])); +void poollist_dead __P((int, char *, int, char *, char *)); +void poollist_live __P((int, char *, int, int)); int poolflush __P((int, char *[])); int poolstats __P((int, char *[])); int gettype __P((char *, u_int *)); int getrole __P((char *)); +int setnodeaddr __P((ip_pool_node_t *node, char *arg)); +void showpools_live __P((int, int, ip_pool_stat_t *, char *)); +void showhashs_live __P((int, int, iphtstat_t *, char *)); int opts = 0; int fd = -1; @@ -115,7 +125,9 @@ char *argv[]; exit(1); } - return err; + if (err != 0) + exit(1); + return 0; } @@ -123,10 +135,9 @@ int poolnodecommand(remove, argc, argv) int remove, argc; char *argv[]; { - char *poolname = NULL, *s; int err, c, ipset, role; + char *poolname = NULL; ip_pool_node_t node; - struct in_addr mask; ipset = 0; role = IPL_LOGIPF; @@ -140,22 +151,8 @@ char *argv[]; ippool_yydebug++; break; case 'i' : - s = strchr(optarg, '/'); - if (s == NULL) - mask.s_addr = 0xffffffff; - else if (strchr(s, '.') == NULL) { - if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0) - return -1; - } else { - mask.s_addr = inet_addr(s + 1); - } - if (s != NULL) - *s = '\0'; - ipset = 1; - node.ipn_addr.adf_len = sizeof(node.ipn_addr); - node.ipn_addr.adf_addr.in4.s_addr = inet_addr(optarg); - node.ipn_mask.adf_len = sizeof(node.ipn_mask); - node.ipn_mask.adf_addr.in4.s_addr = mask.s_addr; + if (setnodeaddr(&node, optarg) == 0) + ipset = 1; break; case 'm' : poolname = optarg; 
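Review bot: A non-zero return from `setnodeaddr(&node, optarg)` is swallowed here, so an invalid `/mask` (the only failure `setnodeaddr` reports) leaves `ipset` clear and the user is later told "no IP address given with -i", which points at the wrong problem; report it at the call: `if (setnodeaddr(&node, optarg) == 0) ipset = 1; else fprintf(stderr, "bad address/mask '%s'\n", optarg);`. `node` is a stack `ip_pool_node_t` (declared in the previous hunk's context) and neither this hunk nor `setnodeaddr` clears the members it does not set; if the struct is copied to the kernel later in the function, as the removed inline code suggests, a `bzero((char *)&node, sizeof(node));` at the top of `poolnodecommand` keeps that copy deterministic. The rest of `poolnodecommand` lies outside this hunk.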
@@ -176,11 +173,19 @@ char *argv[]; break; } + if (argv[optind] != NULL && ipset == 0) { + if (setnodeaddr(&node, argv[optind]) == 0) + ipset = 1; + } + if (opts & OPT_DEBUG) fprintf(stderr, "poolnodecommand: opts = %#x\n", opts); - if (ipset == 0) + if (ipset == 0) { + fprintf(stderr, "no IP address given with -i\n"); return -1; + } + if (poolname == NULL) { fprintf(stderr, "poolname not given with add/remove node\n"); return -1; 
@@ -338,151 +343,6 @@ char *argv[], *infile; } -int poollist(argc, argv) -int argc; -char *argv[]; -{ - char *kernel, *core, *poolname; - int c, role, type, live_kernel; - ip_pool_stat_t *plstp, plstat; - iphtstat_t *htstp, htstat; - iphtable_t *hptr; - iplookupop_t op; - ip_pool_t *ptr; - - core = NULL; - kernel = NULL; - live_kernel = 1; - type = IPLT_ALL; - poolname = NULL; - role = IPL_LOGALL; - - while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1) - switch (c) - { - case 'd' : - opts |= OPT_DEBUG; - break; - case 'm' : - poolname = optarg; - break; - case 'M' : - live_kernel = 0; - core = optarg; - break; - case 'N' : - live_kernel = 0; - kernel = optarg; - break; - case 'o' : - role = getrole(optarg); - if (role == IPL_LOGNONE) { - fprintf(stderr, "unknown role '%s'\n", optarg); - return -1; - } - break; - case 'R' : - opts |= OPT_NORESOLVE; - break; - case 't' : - type = gettype(optarg, NULL); - if (type == IPLT_NONE) { - fprintf(stderr, "unknown type '%s'\n", optarg); - return -1; - } - break; - case 'v' : - opts |= OPT_VERBOSE; - break; - } - - if (opts & OPT_DEBUG) - fprintf(stderr, "poollist: opts = %#x\n", opts); - - if (!(opts & OPT_DONOTHING) && (fd == -1)) { - fd = open(IPLOOKUP_NAME, O_RDWR); - if (fd == -1) { - perror("open(IPLOOKUP_NAME)"); - exit(1); - } - } - - bzero((char *)&op, sizeof(op)); - if (poolname != NULL) { - strncpy(op.iplo_name, poolname, sizeof(op.iplo_name)); - op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; - } - op.iplo_unit = role; - - if (openkmem(kernel, core) == -1) - exit(-1); - - if (type == IPLT_ALL || type == IPLT_POOL) { - plstp = &plstat; - op.iplo_type = IPLT_POOL; - op.iplo_size = sizeof(plstat); - op.iplo_struct = &plstat; - c = ioctl(fd, SIOCLOOKUPSTAT, &op); - if (c == -1) { - perror("ioctl(SIOCLOOKUPSTAT)"); - return -1; - } - - if (role != IPL_LOGALL) { - ptr = plstp->ipls_list[role]; - while (ptr != NULL) { - ptr = printpool(ptr, kmemcpywrap, poolname, - opts); - } - } else { - for (role = 0; role <= 
IPL_LOGMAX; role++) { - ptr = plstp->ipls_list[role]; - while (ptr != NULL) { - ptr = printpool(ptr, kmemcpywrap, - poolname, opts); - } - } - role = IPL_LOGALL; - } - } - if (type == IPLT_ALL || type == IPLT_HASH) { - htstp = &htstat; - op.iplo_type = IPLT_HASH; - op.iplo_size = sizeof(htstat); - op.iplo_struct = &htstat; - c = ioctl(fd, SIOCLOOKUPSTAT, &op); - if (c == -1) { - perror("ioctl(SIOCLOOKUPSTAT)"); - return -1; - } - - if (role != IPL_LOGALL) { - hptr = htstp->iphs_tables; - while (hptr != NULL) { - hptr = printhash(hptr, kmemcpywrap, - poolname, opts); - } - } else { - for (role = 0; role <= IPL_LOGMAX; role++) { - hptr = htstp->iphs_tables; - while (hptr != NULL) { - hptr = printhash(hptr, kmemcpywrap, - poolname, opts); - } - - op.iplo_unit = role; - c = ioctl(fd, SIOCLOOKUPSTAT, &op); - if (c == -1) { - perror("ioctl(SIOCLOOKUPSTAT)"); - return -1; - } - } - } - } - return 0; -} - - int poolstats(argc, argv) int argc; char *argv[]; @@ -683,7 +543,7 @@ u_int *minor; { int type; - if (!strcasecmp(optarg, "tree")) { + if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) { type = IPLT_POOL; } else if (!strcasecmp(optarg, "hash")) { type = IPLT_HASH; 
@@ -698,3 +558,321 @@ u_int *minor; } return type; } + + +int poollist(argc, argv) +int argc; +char *argv[]; +{ + char *kernel, *core, *poolname; + int c, role, type, live_kernel; + iplookupop_t op; + + core = NULL; + kernel = NULL; + live_kernel = 1; + type = IPLT_ALL; + poolname = NULL; + role = IPL_LOGALL; + + while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1) + switch (c) + { + case 'd' : + opts |= OPT_DEBUG; + break; + case 'm' : + poolname = optarg; + break; + case 'M' : + live_kernel = 0; + core = optarg; + break; + case 'N' : + live_kernel = 0; + kernel = optarg; + break; + case 'o' : + role = getrole(optarg); + if (role == IPL_LOGNONE) { + fprintf(stderr, "unknown role '%s'\n", optarg); + return -1; + } + break; + case 'R' : + opts |= OPT_NORESOLVE; + break; + case 't' : + type = gettype(optarg, NULL); + if (type == IPLT_NONE) { + fprintf(stderr, "unknown type '%s'\n", optarg); + return -1; + } + break; + case 'v' : + opts |= OPT_VERBOSE; + break; + } + + if (opts & OPT_DEBUG) + fprintf(stderr, "poollist: opts = %#x\n", opts); + + if (!(opts & OPT_DONOTHING) && (fd == -1)) { + fd = open(IPLOOKUP_NAME, O_RDWR); + if (fd == -1) { + perror("open(IPLOOKUP_NAME)"); + exit(1); + } + } + + bzero((char *)&op, sizeof(op)); + if (poolname != NULL) { + strncpy(op.iplo_name, poolname, sizeof(op.iplo_name)); + op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; + } + op.iplo_unit = role; + + if (live_kernel) + poollist_live(role, poolname, type, fd); + else + poollist_dead(role, poolname, type, kernel, core); + return 0; +} + + +void poollist_dead(role, poolname, type, kernel, core) +int role, type; +char *poolname, *kernel, *core; +{ + iphtable_t *hptr; + ip_pool_t *ptr; + + if (openkmem(kernel, core) == -1) + exit(-1); + + if (type == IPLT_ALL || type == IPLT_POOL) { + ip_pool_t *pools[IPL_LOGSIZE]; + struct nlist names[2] = { { "ip_pool_list" } , { "" } }; + + if (nlist(kernel, names) != 1) + return; + + bzero(&pools, sizeof(pools)); + if (kmemcpy((char *)&pools, 
names[0].n_value, sizeof(pools))) + return; + + if (role != IPL_LOGALL) { + ptr = pools[role]; + while (ptr != NULL) { + ptr = printpool(ptr, kmemcpywrap, poolname, + opts); + } + } else { + for (role = 0; role <= IPL_LOGMAX; role++) { + ptr = pools[role]; + while (ptr != NULL) { + ptr = printpool(ptr, kmemcpywrap, + poolname, opts); + } + } + role = IPL_LOGALL; + } + } + if (type == IPLT_ALL || type == IPLT_HASH) { + iphtable_t *tables[IPL_LOGSIZE]; + struct nlist names[2] = { { "ipf_htables" } , { "" } }; + + if (nlist(kernel, names) != 1) + return; + + bzero(&tables, sizeof(tables)); + if (kmemcpy((char *)&tables, names[0].n_value, sizeof(tables))) + return; + + if (role != IPL_LOGALL) { + hptr = tables[role]; + while (hptr != NULL) { + hptr = printhash(hptr, kmemcpywrap, + poolname, opts); + } + } else { + for (role = 0; role <= IPL_LOGMAX; role++) { + hptr = tables[role]; + while (hptr != NULL) { + hptr = printhash(hptr, kmemcpywrap, + poolname, opts); + } + } + } + } +} + + +void poollist_live(role, poolname, type, fd) +int role, type, fd; +char *poolname; +{ + ip_pool_stat_t plstat; + iphtstat_t htstat; + iplookupop_t op; + int c; + + if (type == IPLT_ALL || type == IPLT_POOL) { + op.iplo_type = IPLT_POOL; + op.iplo_size = sizeof(plstat); + op.iplo_struct = &plstat; + op.iplo_name[0] = '\0'; + op.iplo_arg = 0; + + if (role != IPL_LOGALL) { + op.iplo_unit = role; + + c = ioctl(fd, SIOCLOOKUPSTAT, &op); + if (c == -1) { + perror("ioctl(SIOCLOOKUPSTAT)"); + return; + } + + showpools_live(fd, role, &plstat, poolname); + } else { + for (role = 0; role <= IPL_LOGMAX; role++) { + op.iplo_unit = role; + + c = ioctl(fd, SIOCLOOKUPSTAT, &op); + if (c == -1) { + perror("ioctl(SIOCLOOKUPSTAT)"); + return; + } + + showpools_live(fd, role, &plstat, poolname); + } + + role = IPL_LOGALL; + } + } + + if (type == IPLT_ALL || type == IPLT_HASH) { + op.iplo_type = IPLT_HASH; + op.iplo_size = sizeof(htstat); + op.iplo_struct = &htstat; + op.iplo_name[0] = '\0'; + op.iplo_arg = 
0; + + if (role != IPL_LOGALL) { + op.iplo_unit = role; + + c = ioctl(fd, SIOCLOOKUPSTAT, &op); + if (c == -1) { + perror("ioctl(SIOCLOOKUPSTAT)"); + return; + } + showhashs_live(fd, role, &htstat, poolname); + } else { + for (role = 0; role <= IPL_LOGMAX; role++) { + + op.iplo_unit = role; + c = ioctl(fd, SIOCLOOKUPSTAT, &op); + if (c == -1) { + perror("ioctl(SIOCLOOKUPSTAT)"); + return; + } + + showhashs_live(fd, role, &htstat, poolname); + } + } + } +} + + +void showpools_live(fd, role, plstp, poolname) +int fd, role; +ip_pool_stat_t *plstp; +char *poolname; +{ + ipflookupiter_t iter; + ip_pool_t pool; + ipfobj_t obj; + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_LOOKUPITER; + obj.ipfo_size = sizeof(iter); + obj.ipfo_ptr = &iter; + + iter.ili_type = IPLT_POOL; + iter.ili_otype = IPFLOOKUPITER_LIST; + iter.ili_ival = IPFGENITER_LOOKUP; + iter.ili_nitems = 1; + iter.ili_data = &pool; + iter.ili_unit = role; + *iter.ili_name = '\0'; + + while (plstp->ipls_list[role] != NULL) { + if (ioctl(fd, SIOCLOOKUPITER, &obj)) { + perror("ioctl(SIOCLOOKUPITER)"); + break; + } + printpool_live(&pool, fd, poolname, opts); + + plstp->ipls_list[role] = pool.ipo_next; + } +} + + +void showhashs_live(fd, role, htstp, poolname) +int fd, role; +iphtstat_t *htstp; +char *poolname; +{ + ipflookupiter_t iter; + iphtable_t table; + ipfobj_t obj; + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_LOOKUPITER; + obj.ipfo_size = sizeof(iter); + obj.ipfo_ptr = &iter; + + iter.ili_type = IPLT_HASH; + iter.ili_otype = IPFLOOKUPITER_LIST; + iter.ili_ival = IPFGENITER_LOOKUP; + iter.ili_nitems = 1; + iter.ili_data = &table; + iter.ili_unit = role; + *iter.ili_name = '\0'; + + while (htstp->iphs_tables != NULL) { + if (ioctl(fd, SIOCLOOKUPITER, &obj)) { + perror("ioctl(SIOCLOOKUPITER)"); + break; + } + + printhash_live(&table, fd, poolname, opts); + + htstp->iphs_tables = table.iph_next; + } +} + + +int setnodeaddr(ip_pool_node_t *node, char *arg) +{ + struct in_addr 
mask; + char *s; + + s = strchr(arg, '/'); + if (s == NULL) + mask.s_addr = 0xffffffff; + else if (strchr(s, '.') == NULL) { + if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0) + return -1; + } else { + mask.s_addr = inet_addr(s + 1); + } + if (s != NULL) + *s = '\0'; + node->ipn_addr.adf_len = sizeof(node->ipn_addr); + node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg); + node->ipn_mask.adf_len = sizeof(node->ipn_mask); + node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr; + + return 0; +} diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y index f0ba451a2003..24f683bd1c19 100644 --- a/contrib/ipfilter/tools/ippool_y.y +++ b/contrib/ipfilter/tools/ippool_y.y @@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2001-2006 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ %{ #include #include @@ -34,6 +39,7 @@ #include "kmem.h" #define YYDEBUG 1 +#define YYSTACKSIZE 0x00ffffff extern int yyparse __P((void)); extern int yydebug; @@ -45,6 +51,9 @@ static ip_pool_t iplo; static ioctlfunc_t poolioctl = NULL; static char poolname[FR_GROUPLEN]; +static iphtent_t *add_htablehosts __P((char *)); +static ip_pool_node_t *add_poolhosts __P((char *)); + %} %union { @@ -112,6 +121,7 @@ assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); resetlexer(); free($1); free($3); + yyvarnext = 0; } ; @@ -248,6 +258,7 @@ groupentry: FR_GROUPLEN); free($3); } + | YY_STR { $$ = add_htablehosts($1); } ; range: addrmask { $$ = calloc(1, sizeof(*$$)); @@ -264,6 +275,7 @@ range: addrmask { $$ = calloc(1, sizeof(*$$)); $$->ipn_mask.adf_len = sizeof($$->ipn_mask); $$->ipn_mask.adf_addr.in4.s_addr = $2[1].s_addr; } + | YY_STR { $$ = add_poolhosts($1); } hashlist: next { $$ = NULL; } @@ -280,6 +292,7 @@ hashentry: (char *)&($$->ipe_mask), sizeof($$->ipe_mask)); } + | YY_STR { $$ = add_htablehosts($1); } ; addrmask: 
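Review bot: `setnodeaddr` accepts any text: `inet_addr()` returns `INADDR_NONE` (all ones) for unparsable input and the result is stored unchecked, so a typo such as `10.0.0.256` loads 255.255.255.255/32 into the pool instead of failing, and a dotted mask after `/` has the same hole. Use a parser that reports failure — `if (inet_aton(arg, &node->ipn_addr.adf_addr.in4) == 0) return -1;` for the address and `if (inet_aton(s + 1, &mask) == 0) return -1;` for the mask — or, where `inet_aton` is unavailable, compare against `INADDR_NONE`; both callers already treat a non-zero return as "no address", and a comment that `arg` is modified in place (the `*s = '\0'`) would help the caller passing `argv[optind]`. In `poollist_dead`, `if (nlist(kernel, names) != 1) return;` lets a `-1` (symbol table unreadable) fall through to `kmemcpy` with an unset `n_value`; on platforms where `nlist` returns the number of unresolved entries the check is `!= 0`, and `kernel == NULL` (only `-M` given) should be handled before the call since `openkmem` tolerates it but `nlist` may not. `showpools_live`/`showhashs_live` also leave `obj` partially initialised where `bzero` is used elsewhere in this commit.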
@@ -293,9 +306,6 @@ addrmask: ipaddr: ipv4 { $$ = $1; } | YY_NUMBER { $$.s_addr = htonl($1); } - | YY_STR { if (gethost($1, &($$.s_addr)) == -1) - yyerror("Unknown hostname"); - } ; mask: YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$.s_addr); } 
@@ -413,3 +423,100 @@ ioctlfunc_t iocfunc; yyparse(); return 1; } + + +static iphtent_t * +add_htablehosts(url) +char *url; +{ + iphtent_t *htop, *hbot, *h; + alist_t *a, *hlist; + + if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) { + hlist = load_url(url); + } else { + use_inet6 = 0; + + hlist = calloc(1, sizeof(*hlist)); + if (hlist == NULL) + return NULL; + + if (gethost(url, &hlist->al_addr) == -1) + yyerror("Unknown hostname"); + } + + hbot = NULL; + htop = NULL; + + for (a = hlist; a != NULL; a = a->al_next) { + h = calloc(1, sizeof(*h)); + if (h == NULL) + break; + + bcopy((char *)&a->al_addr, (char *)&h->ipe_addr, + sizeof(h->ipe_addr)); + bcopy((char *)&a->al_mask, (char *)&h->ipe_mask, + sizeof(h->ipe_mask)); + + if (hbot != NULL) + hbot->ipe_next = h; + else + htop = h; + hbot = h; + } + + alist_free(hlist); + + return htop; +} + + +static ip_pool_node_t * +add_poolhosts(url) +char *url; +{ + ip_pool_node_t *ptop, *pbot, *p; + alist_t *a, *hlist; + + if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) { + hlist = load_url(url); + } else { + use_inet6 = 0; + + hlist = calloc(1, sizeof(*hlist)); + if (hlist == NULL) + return NULL; + + if (gethost(url, &hlist->al_addr) == -1) + yyerror("Unknown hostname"); + } + + pbot = NULL; + ptop = NULL; + + for (a = hlist; a != NULL; a = a->al_next) { + p = calloc(1, sizeof(*p)); + if (p == NULL) + break; + + p->ipn_addr.adf_len = 8; + p->ipn_mask.adf_len = 8; + + p->ipn_info = a->al_not; + + bcopy((char *)&a->al_addr, (char *)&p->ipn_addr.adf_addr, + sizeof(p->ipn_addr.adf_addr)); + bcopy((char *)&a->al_mask, (char *)&p->ipn_mask.adf_addr, + sizeof(p->ipn_mask.adf_addr)); + + if (pbot != NULL) + pbot->ipn_next = p; + else + ptop = p; + pbot = p; + } + + alist_free(hlist); + + return ptop; +} diff --git a/contrib/ipfilter/tools/ipscan_y.y b/contrib/ipfilter/tools/ipscan_y.y index af360d446400..5dbefd6ab5ae 100644 --- a/contrib/ipfilter/tools/ipscan_y.y +++ b/contrib/ipfilter/tools/ipscan_y.y 
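Review bot: In both helpers a `file://`/`http://` source that cannot be fetched is indistinguishable from an empty list: if `load_url` returns `NULL` on failure (its definition is outside this file), the loop runs zero times and the rule gets a `NULL` entry with no diagnostic, so a pool meant to hold a blocklist loads empty — unlike the hostname branch, which calls `yyerror`. Add `if (hlist == NULL) yyerror("unable to load host list");` after each `load_url(url)` call. `add_poolhosts` also hard-codes `adf_len = 8` where the grammar's `range` rule and `setnodeaddr` in this same commit use `sizeof(...ipn_addr)`; write `p->ipn_addr.adf_len = sizeof(p->ipn_addr);` (and the mask likewise) so any kernel-side length check sees one convention. The two functions differ only in the node type they build, so the fetch-or-resolve prologue could be one shared helper; and since `http://` content is fetched in the clear with no integrity check, a comment at that `strncmp` noting the URL host is trusted as much as the config file itself is warranted.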
@@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2001-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ %{ #include #include @@ -94,6 +99,7 @@ assign: YY_STR assigning YY_STR resetlexer(); free($1); free($3); + yyvarnext = 0; } ; diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c index c712435fdc1f..600d39ad0d6c 100644 --- a/contrib/ipfilter/tools/ipsyncm.c +++ b/contrib/ipfilter/tools/ipsyncm.c @@ -1,13 +1,13 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.5 2006/08/26 11:21:14 darrenr Exp $"; #endif #include #include diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c index c6662b738e66..887eeab310c6 100644 --- a/contrib/ipfilter/tools/ipsyncs.c +++ b/contrib/ipfilter/tools/ipsyncs.c @@ -1,13 +1,13 @@ /* $FreeBSD$ */ /* - * Copyright (C) 1993-2001 by Darren Reed. + * Copyright (C) 2001-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.4 2006/08/26 11:21:15 darrenr Exp $"; #endif #include #include diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h index 547ebf310cf3..78c5efc4263d 100644 --- a/contrib/ipfilter/tools/lex_var.h +++ b/contrib/ipfilter/tools/lex_var.h 
@@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ extern long string_start; extern long string_end; diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c index 3969a5fea564..989643c966b5 100644 --- a/contrib/ipfilter/tools/lexer.c +++ b/contrib/ipfilter/tools/lexer.c @@ -1,7 +1,7 @@ /* $FreeBSD$ */ /* - * Copyright (C) 2003 by Darren Reed. + * Copyright (C) 2002-2006 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ @@ -38,6 +38,7 @@ extern int yydebug; char *yystr = NULL; int yytext[YYBUFSIZ+1]; +char yychars[YYBUFSIZ+1]; int yylineNum = 1; int yypos = 0; int yylast = -1; @@ -51,13 +52,15 @@ wordtab_t *yysavewords[30]; static wordtab_t *yyfindkey __P((char *)); -static int yygetc __P((void)); +static int yygetc __P((int)); static void yyunputc __P((int)); static int yyswallow __P((int)); static char *yytexttostr __P((int, int)); static void yystrtotext __P((char *)); +static char *yytexttochar __P((void)); -static int yygetc() +static int yygetc(docont) +int docont; { int c; @@ -76,6 +79,13 @@ static int yygetc() yypos++; } else { c = fgetc(yyin); + if (docont && (c == '\\')) { + c = fgetc(yyin); + if (c == '\n') { + yylineNum++; + c = fgetc(yyin); + } + } } if (c == '\n') yylineNum++; @@ -101,7 +111,7 @@ int last; { int c; - while (((c = yygetc()) > '\0') && (c != last)) + while (((c = yygetc(0)) > '\0') && (c != last)) ; if (c != EOF) @@ -112,6 +122,17 @@ int last; } +static char *yytexttochar() +{ + int i; + + for (i = 0; i < yypos; i++) + yychars[i] = (char)(yytext[i] & 0xff); + yychars[i] = '\0'; + return yychars; +} + + static void yystrtotext(str) char *str; { @@ -167,7 +188,9 @@ int yylex() } nextchar: - c = yygetc(); + c = yygetc(0); + if (yydebug > 1) + printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar()); switch (c) { 
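Review bot: In the new `docont` branch of yygetc(), a backslash that is not followed by a newline is consumed and the next character is returned in its place, so `\x` inside a token silently becomes `x`; if the backslash should survive, the non-newline case needs to push the character back and return `'\\'`, and if dropping it is intended the definition should say so. The new parameter also deserves a comment at the definition, e.g. `/* docont != 0: treat backslash-newline as a line continuation (used while scanning identifiers, numbers and strings) */`. The body of yygetc() continues outside this hunk.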
@@ -230,20 +253,20 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '{') { if (yyswallow('}') == -1) { rval = -2; goto done; } - (void) yygetc(); + (void) yygetc(0); } else { if (!ISALPHA(n)) { yyunputc(n); break; } do { - n = yygetc(); + n = yygetc(1); } while (ISALPHA(n) || ISDIGIT(n) || n == '_'); yyunputc(n); } @@ -275,7 +298,7 @@ nextchar: goto done; } do { - n = yygetc(); + n = yygetc(1); if (n == EOF || n == TOOLONG) { rval = -2; goto done; @@ -285,8 +308,9 @@ nextchar: yypos++; } } while (n != c); - yyunputc(n); - break; + rval = YY_STR; + goto done; + /* NOTREACHED */ case EOF : yylineNum = 1; @@ -324,7 +348,7 @@ nextchar: break; if (isbuilding == 1) break; - n = yygetc(); + n = yygetc(0); if (n == '>') { isbuilding = 1; goto done; @@ -338,7 +362,7 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '=') { rval = YY_CMP_NE; goto done; @@ -354,7 +378,7 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '=') { rval = YY_CMP_LE; goto done; @@ -374,7 +398,7 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '=') { rval = YY_CMP_GE; goto done; @@ -411,7 +435,7 @@ nextchar: */ do { *s++ = c; - c = yygetc(); + c = yygetc(1); } while ((ishex(c) || c == ':' || c == '.') && (s - ipv6buf < 46)); yyunputc(c); @@ -437,10 +461,10 @@ nextchar: } if (isbuilding == 0 && c == '0') { - n = yygetc(); + n = yygetc(0); if (n == 'x') { do { - n = yygetc(); + n = yygetc(1); } while (ishex(n)); yyunputc(n); rval = YY_HEX; @@ -454,7 +478,7 @@ nextchar: */ if (isbuilding == 0 && ISDIGIT(c)) { do { - n = yygetc(); + n = yygetc(1); } while (ISDIGIT(n)); yyunputc(n); rval = YY_NUMBER; @@ -467,6 +491,9 @@ nextchar: done: yystr = yytexttostr(0, yypos); + if (yydebug) + printf("isbuilding %d yyvarnext %d nokey %d\n", + isbuilding, yyvarnext, nokey); if (isbuilding == 1) { wordtab_t *w; 
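Review bot: The choice between `yygetc(0)` and `yygetc(1)` at each call site in this hunk and the later hunks on this line (the hex, decimal, IPv6-address and quoted-string loops) is the only record of where line continuation is allowed, and nothing states the rule; a comment at the first continuation loop, `/* 1: a backslash-newline inside a token joins the lines */`, would carry it. One visible inconsistency: after `'0'` the lookahead for `x` uses `yygetc(0)` while the hex digits use `yygetc(1)`, so a continuation between `0` and `x` is not accepted, which may or may not be intended. In the quoted-string hunk (`@@ -285,8`) the loop now ends with `rval = YY_STR; goto done;` instead of unputting the closing quote; since the string body is read with `yygetc(1)`, a backslash before the closing quote is dropped by the new yygetc() and the quote still terminates the string unless the elided lines handle escapes themselves. yylex() starts and ends outside these hunks.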
@@ -493,8 +520,8 @@ done: yytokentype = rval; if (yydebug) - printf("lexed(%s) [%d,%d,%d] => %d\n", yystr, string_start, - string_end, pos, rval); + printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start, + string_end, pos, rval, yysavedepth); switch (rval) { @@ -609,6 +636,8 @@ wordtab_t *newdict; void yyresetdict() { + if (yydebug) + printf("yyresetdict(%d)\n", yysavedepth); if (yysavedepth > 0) { yysettab(yysavewords[--yysavedepth]); if (yydebug) diff --git a/contrib/ipfilter/tools/lexer.h b/contrib/ipfilter/tools/lexer.h index b172c9351866..d973ea42ae35 100644 --- a/contrib/ipfilter/tools/lexer.h +++ b/contrib/ipfilter/tools/lexer.h @@ -1,5 +1,10 @@ /* $FreeBSD$ */ +/* + * Copyright (C) 2002-2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ typedef struct wordtab { char *w_word; diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index ee21a941c246..9c6d6ea9e854 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -17,7 +17,11 @@ #include #if defined(__NetBSD__) # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL) -# include "opt_ipfilter_log.h" +# if (__NetBSD_Version__ < 399001400) +# include "opt_ipfilter_log.h" +# else +# include "opt_ipfilter.h" +# endif # endif #endif #if defined(_KERNEL) && defined(__FreeBSD_version) && \ @@ -34,6 +38,9 @@ #else # include #endif +#if (defined(__SVR4) || defined(__svr4__)) && defined(sun) +# include +#endif #if !defined(_AIX51) # include #endif @@ -75,13 +82,17 @@ struct file; #ifdef sun # include #endif -#if !defined(_KERNEL) && defined(__FreeBSD__) +#if !defined(_KERNEL) && (defined(__FreeBSD__) || defined(SOLARIS2)) # if (__FreeBSD_version >= 504000) # undef _RADIX_H_ # endif # include "radix_ipf.h" #endif -#include +#ifdef __osf__ +# include "radix_ipf.h" +#else +# include +#endif #include #include #include 
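Review bot: The rewritten debug printf passes `string_start` and `string_end` to `%d`, but lex_var.h earlier in this diff declares both as `long`; a mismatched conversion is undefined behaviour and prints garbage on LP64 targets. Use `printf("lexed(%s) [%ld,%ld,%d] => %d @%d\n", yystr, string_start, string_end, pos, rval, yysavedepth);` (the type of `pos` is not visible here, so `%d` is kept for it). yylex() extends beyond this hunk.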
@@ -100,6 +111,9 @@ struct file; #ifdef __hpux # undef _NET_ROUTE_INCLUDED #endif +#ifdef __osf__ +# undef _RADIX_H_ +#endif #include "netinet/ip_compat.h" #ifdef USE_INET6 # include @@ -142,7 +156,7 @@ struct file; #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; static const char rcsid[] = "@(#)$FreeBSD$"; -/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.78 2006/03/29 11:19:54 darrenr Exp $"; */ +/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.125 2007/10/10 09:27:20 darrenr Exp $"; */ #endif #ifndef _KERNEL @@ -154,7 +168,7 @@ extern int opts; fr_info_t frcache[2][8]; -struct filterstats frstats[2] = { { 0, 0, 0, 0, 0 }, { 0, 0, 0, 0, 0 } }; +struct filterstats frstats[2]; struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } }, *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } }, *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } }, @@ -235,11 +249,14 @@ static INLINE int frpr_udpcommon __P((fr_info_t *)); static int fr_updateipid __P((fr_info_t *)); #ifdef IPFILTER_LOOKUP static int fr_grpmapinit __P((frentry_t *fr)); -static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *)); +static INLINE void *fr_resolvelookup __P((u_int, u_int, i6addr_t *, lookupfunc_t *)); #endif static void frsynclist __P((frentry_t *, void *)); static ipftuneable_t *fr_findtunebyname __P((const char *)); static ipftuneable_t *fr_findtunebycookie __P((void *, void **)); +static int ipf_geniter __P((ipftoken_t *, ipfgeniter_t *)); +static int ipf_frruleiter __P((void *, int, void *)); +static void ipf_unlinktoken __P((ipftoken_t *)); /* @@ -319,7 +336,7 @@ static ipfunc_resolve_t fr_availfuncs[] = { { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit }, { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit }, #endif - { "", NULL } + { "", NULL, NULL } }; 
@@ -345,7 +362,7 @@ static INLINE int frpr_hopopts6 __P((fr_info_t *)); static INLINE int frpr_mobility6 __P((fr_info_t *)); static INLINE int frpr_routing6 __P((fr_info_t *)); static INLINE int frpr_dstopts6 __P((fr_info_t *)); -static INLINE void frpr_fragment6 __P((fr_info_t *)); +static INLINE int frpr_fragment6 __P((fr_info_t *)); static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int)); @@ -463,8 +480,9 @@ fr_info_t *fin; break; case IPPROTO_FRAGMENT : - frpr_fragment6(fin); - go = 0; + p = frpr_fragment6(fin); + if (fin->fin_off != 0) + go = 0; break; default : @@ -532,7 +550,16 @@ int multiple, proto; return IPPROTO_NONE; hdr = fin->fin_dp; - shift = 8 + (hdr->ip6e_len << 3); + switch (proto) + { + case IPPROTO_FRAGMENT : + shift = 8; + break; + default : + shift = 8 + (hdr->ip6e_len << 3); + break; + } + if (shift > fin->fin_dlen) { /* Nasty extension header length? */ fin->fin_flx |= FI_BAD; return IPPROTO_NONE; @@ -551,6 +578,7 @@ int multiple, proto; break; } + fin->fin_exthdr = fin->fin_dp; fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; @@ -600,24 +628,22 @@ static INLINE int frpr_routing6(fin) fr_info_t *fin; { struct ip6_ext *hdr; - int shift; if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE) return IPPROTO_NONE; + hdr = fin->fin_exthdr; - hdr = fin->fin_dp; - shift = 8 + (hdr->ip6e_len << 3); - /* - * Nasty extension header length? - */ - if ((shift < sizeof(struct ip6_hdr)) || - ((shift - sizeof(struct ip6_hdr)) & 15)) { + if ((hdr->ip6e_len & 1) != 0) { + /* + * The routing header data is made up of 128 bit IPv6 addresses + * which means it must be a multiple of 2 lots of 8 in length. + */ fin->fin_flx |= FI_BAD; /* * Compensate for the changes made in frpr_ipv6exthdr() */ - fin->fin_dlen += shift; - fin->fin_dp = (char *)fin->fin_dp - shift; + fin->fin_dlen += 8 + (hdr->ip6e_len << 3); + fin->fin_dp = hdr; return IPPROTO_NONE; } 
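Review bot: In the IPPROTO_FRAGMENT case, `go = 0` now depends only on `fin->fin_off != 0`, but when frpr_fragment6() fails it returns IPPROTO_NONE before `fin_off` is assigned (its body is on the next line), so on a malformed fragment header the loop keeps `go` set and continues with `p == IPPROTO_NONE`. Whether the enclosing loop terminates on that value is outside this hunk, so either make it explicit, `if ((p == IPPROTO_NONE) || (fin->fin_off != 0)) go = 0;`, or add a comment saying why it is safe. The enclosing switch and loop begin before this hunk.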
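Review bot: The replacement length check in frpr_routing6() only tests `hdr->ip6e_len & 1`, so a routing header with `ip6e_len == 0` (no addresses at all) now passes where the old `shift < sizeof(struct ip6_hdr)` test rejected it; if accepting an empty routing header is intended the comment should say so, otherwise add `|| (hdr->ip6e_len == 0)` to the condition. The compensation lines `fin->fin_dlen += 8 + (hdr->ip6e_len << 3); fin->fin_dp = hdr;` match the default `shift` computed in frpr_ipv6exthdr(), which is consistent. frpr_routing6() ends outside this hunk.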
@@ -627,7 +653,7 @@ fr_info_t *fin; /* ------------------------------------------------------------------------ */ /* Function: frpr_fragment6 */ -/* Returns: void */ +/* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ @@ -639,35 +665,41 @@ fr_info_t *fin; /* upper layer header has been seen (or where it ends) and thus we are not */ /* able to continue processing beyond this header with any confidence. */ /* ------------------------------------------------------------------------ */ -static INLINE void frpr_fragment6(fin) +static INLINE int frpr_fragment6(fin) fr_info_t *fin; { struct ip6_frag *frag; + int extoff; fin->fin_flx |= FI_FRAG; if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE) - return; + return IPPROTO_NONE; + + extoff = (char *)fin->fin_exthdr - (char *)fin->fin_dp; if (frpr_pullup(fin, sizeof(*frag)) == -1) - return; + return IPPROTO_NONE; - frag = fin->fin_dp; + fin->fin_exthdr = (char *)fin->fin_dp + extoff; + frag = fin->fin_exthdr; /* * Fragment but no fragmentation info set? Bad packet... */ if (frag->ip6f_offlg == 0) { fin->fin_flx |= FI_BAD; - return; + return IPPROTO_NONE; } - fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK; + fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK); fin->fin_off <<= 3; if (fin->fin_off != 0) fin->fin_flx |= FI_FRAGBODY; fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag); fin->fin_dlen -= sizeof(*frag); + + return frag->ip6f_nxt; } @@ -702,10 +734,12 @@ fr_info_t *fin; int minicmpsz = sizeof(struct icmp6_hdr); struct icmp6_hdr *icmp6; - if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t)) == -1) + if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1) return; if (fin->fin_dlen > 1) { + ip6_t *ip6; + icmp6 = fin->fin_dp; fin->fin_data[0] = *(u_short *)icmp6; 
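Review bot: frpr_fragment6() appears to skip the fragment header twice: frpr_ipv6exthdr() (the `@@ -532,7` and `@@ -551,6` hunks on the previous line) already advances `fin_dp`/`fin_dlen` by `shift = 8` for IPPROTO_FRAGMENT, and this function then does `fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag); fin->fin_dlen -= sizeof(*frag);` again, so the upper-layer header of a fragmented IPv6 packet would be parsed 8 bytes too far in unless an early return elided from frpr_ipv6exthdr() prevents the first advance. The negative `extoff` computed here shows that `fin_dp` has already moved past the header when `frag` is located, so the final two adjustment lines look like leftovers from the old code and should be dropped or justified in a comment. This matters for a defender because port-based and state lookups on the first fragment would then see the wrong bytes. The `ntohs()` added around `ip6f_offlg & IP6F_OFF_MASK` is the right fix for the offset.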
@@ -720,13 +754,27 @@ fr_info_t *fin; case ICMP6_PACKET_TOO_BIG : case ICMP6_TIME_EXCEEDED : case ICMP6_PARAM_PROB : - if ((fin->fin_m != NULL) && - (M_LEN(fin->fin_m) < fin->fin_plen)) { + fin->fin_flx |= FI_ICMPERR; + minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t); + if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) + break; + + if (M_LEN(fin->fin_m) < fin->fin_plen) { if (fr_coalesce(fin) != 1) return; } - fin->fin_flx |= FI_ICMPERR; - minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t); + + /* + * If the destination of this packet doesn't match the + * source of the original packet then this packet is + * not correct. + */ + icmp6 = fin->fin_dp; + ip6 = (ip6_t *)((char *)icmp6 + ICMPERR_ICMPHLEN); + if (IP6_NEQ(&fin->fin_fi.fi_dst, + (i6addr_t *)&ip6->ip6_src)) + fin->fin_flx |= FI_BAD; + break; default : break; @@ -752,8 +800,13 @@ fr_info_t *fin; frpr_short6(fin, sizeof(struct udphdr)); - if (frpr_udpcommon(fin) == 0) + if (frpr_udpcommon(fin) == 0) { + u_char p = fin->fin_p; + + fin->fin_p = IPPROTO_UDP; fr_checkv6sum(fin); + fin->fin_p = p; + } } @@ -772,8 +825,13 @@ fr_info_t *fin; frpr_short6(fin, sizeof(struct tcphdr)); - if (frpr_tcpcommon(fin) == 0) + if (frpr_tcpcommon(fin) == 0) { + u_char p = fin->fin_p; + + fin->fin_p = IPPROTO_TCP; fr_checkv6sum(fin); + fin->fin_p = p; + } } 
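Review bot: The rewritten ICMPv6 error branch calls `M_LEN(fin->fin_m)` without the `fin->fin_m != NULL` guard the removed lines had; frpr_pullup() in a later hunk of this commit still tests `fin->fin_m != NULL`, so a NULL mbuf pointer is evidently possible at least in the non-kernel build, and this becomes a NULL dereference there. Restore the guard: `if ((fin->fin_m != NULL) && (M_LEN(fin->fin_m) < fin->fin_plen)) {`. The subsequent read of `ip6->ip6_src` at `icmp6 + ICMPERR_ICMPHLEN` relies on `fin_plen >= ICMP6ERR_IPICMPHLEN` plus fr_coalesce() having made those bytes contiguous; fr_coalesce() is not in this excerpt, so that assumption is worth a comment. frpr_icmp6() starts before this hunk.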
@@ -857,23 +915,39 @@ fr_info_t *fin; /* Short inline function to cut down on code duplication to perform a call */ /* to fr_pullup to ensure there is the required amount of data, */ /* consecutively in the packet buffer. */ +/* */ +/* This function pulls up 'extra' data at the location of fin_dp. fin_dp */ +/* points to the first byte after the complete layer 3 header, which will */ +/* include all of the known extension headers for IPv6 or options for IPv4. */ +/* */ +/* Since fr_pullup() expects the total length of bytes to be pulled up, it */ +/* is necessary to add those we can already assume to be pulled up (fin_dp */ +/* - fin_ip) to what is passed through. */ /* ------------------------------------------------------------------------ */ static INLINE int frpr_pullup(fin, plen) fr_info_t *fin; int plen; { -#if defined(_KERNEL) if (fin->fin_m != NULL) { if (fin->fin_dp != NULL) plen += (char *)fin->fin_dp - ((char *)fin->fin_ip + fin->fin_hlen); plen += fin->fin_hlen; if (M_LEN(fin->fin_m) < plen) { +#if defined(_KERNEL) if (fr_pullup(fin->fin_m, fin, plen) == NULL) return -1; +#else + /* + * Fake fr_pullup failing + */ + *fin->fin_mp = NULL; + fin->fin_m = NULL; + fin->fin_ip = NULL; + return -1; +#endif } } -#endif return 0; } @@ -937,6 +1011,9 @@ fr_info_t *fin; fin->fin_data[0] = *(u_short *)icmp; + if (fin->fin_dlen >= 6) /* ID field */ + fin->fin_data[1] = icmp->icmp_id; + switch (icmp->icmp_type) { case ICMP_ECHOREPLY : 
@@ -987,18 +1064,32 @@ fr_info_t *fin; oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN); if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0) fin->fin_flx |= FI_BAD; + + /* + * If the destination of this packet doesn't match the + * source of the original packet then this packet is + * not correct. + */ + if (oip->ip_src.s_addr != fin->fin_daddr) + fin->fin_flx |= FI_BAD; + + /* + * If the destination of this packet doesn't match the + * source of the original packet then this packet is + * not correct. + */ + if (oip->ip_src.s_addr != fin->fin_daddr) + fin->fin_flx |= FI_BAD; break; default : break; } - - if (fin->fin_dlen >= 6) /* ID field */ - fin->fin_data[1] = icmp->icmp_id; } frpr_short(fin, minicmpsz); - fr_checkv4sum(fin); + if ((fin->fin_flx & FI_FRAG) == 0) + fr_checkv4sum(fin); } @@ -1054,14 +1145,27 @@ fr_info_t *fin; */ if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) { fin->fin_flx |= FI_BAD; +#if 0 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) { - /* Ignore this case, it shows up in "real" traffic with */ - /* bogus values in the urgent pointer field. */ - ; + /* + * Ignore this case (#if 0) as it shows up in "real" + * traffic with bogus values in the urgent pointer field. + */ + fin->fin_flx |= FI_BAD; +#endif } else if (((flags & (TH_SYN|TH_FIN)) != 0) && ((flags & (TH_RST|TH_ACK)) == TH_RST)) { /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */ fin->fin_flx |= FI_BAD; +#if 1 + } else if (((flags & TH_SYN) != 0) && + ((flags & (TH_URG|TH_PUSH)) != 0)) { + /* + * SYN with URG and PUSH set is not for normal TCP but it is + * possible(?) with T/TCP...but who uses T/TCP? + */ + fin->fin_flx |= FI_BAD; +#endif } else if (!(flags & TH_ACK)) { /* * If the ack bit isn't set, then either the SYN or @@ -1101,6 +1205,7 @@ fr_info_t *fin; return -1; #if 0 + tcp = fin->fin_dp; ip = fin->fin_ip; s = (u_char *)(tcp + 1); off = IP_HL(ip) << 2; 
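Review bot: The `oip->ip_src.s_addr != fin->fin_daddr` check and its three-line comment are added twice back to back in frpr_icmp(); the second copy is redundant and should be deleted. The check itself compares the embedded packet's source with this packet's destination as stored, which matches the IPv6 version added to frpr_icmp6() on the earlier line. The guard `if ((fin->fin_flx & FI_FRAG) == 0) fr_checkv4sum(fin);` is the same change made to frpr_tcp() and frpr_udp() in the next line's hunks, so one comment explaining why fragments skip the checksum would serve all three.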
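Review bot: The new SYN+URG/PUSH sanity check in frpr_tcpcommon() is wrapped in `#if 1 ... #endif` and the urgent-pointer case in `#if 0`, so the compiled behaviour is decided by literal constants rather than a named option; either drop the `#if 1`/`#endif` pair or give both a descriptive macro (placeholder: `IPF_TCPFLAGS_STRICT`) so the choice is visible in configuration. Marking a packet FI_BAD on SYN+PUSH also affects T/TCP peers, which the comment already questions; that trade-off should be recorded as a decision rather than as `possible(?)`. frpr_tcpcommon() continues outside this hunk.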
@@ -1188,8 +1293,10 @@ fr_info_t *fin; frpr_short(fin, sizeof(tcphdr_t)); - if (frpr_tcpcommon(fin) == 0) - fr_checkv4sum(fin); + if (frpr_tcpcommon(fin) == 0) { + if ((fin->fin_flx & FI_FRAG) == 0) + fr_checkv4sum(fin); + } } @@ -1207,8 +1314,10 @@ fr_info_t *fin; frpr_short(fin, sizeof(udphdr_t)); - if (frpr_udpcommon(fin) == 0) - fr_checkv4sum(fin); + if (frpr_udpcommon(fin) == 0) { + if ((fin->fin_flx & FI_FRAG) == 0) + fr_checkv4sum(fin); + } } @@ -1347,13 +1456,16 @@ fr_info_t *fin; */ off &= IP_MF|IP_OFFMASK; if (off != 0) { + int morefrag = off & IP_MF; + fi->fi_flx |= FI_FRAG; off &= IP_OFFMASK; if (off != 0) { fin->fin_flx |= FI_FRAGBODY; off <<= 3; if ((off + fin->fin_dlen > 65535) || - (fin->fin_dlen == 0) || (fin->fin_dlen & 7)) { + (fin->fin_dlen == 0) || + ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) { /* * The length of the packet, starting at its * offset cannot exceed 65535 (0xffff) as the @@ -1507,18 +1619,24 @@ fr_info_t *fin; fin->fin_rule = 0xffffffff; fin->fin_group[0] = -1; fin->fin_group[1] = '\0'; - fin->fin_dlen = fin->fin_plen - hlen; fin->fin_dp = (char *)ip + hlen; v = fin->fin_v; - if (v == 4) + if (v == 4) { + fin->fin_plen = ip->ip_len; + fin->fin_dlen = fin->fin_plen - hlen; + frpr_ipv4hdr(fin); #ifdef USE_INET6 - else if (v == 6) { + } else if (v == 6) { + fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); + fin->fin_dlen = fin->fin_plen; + fin->fin_plen += hlen; + if (frpr_ipv6hdr(fin) == -1) return -1; - } #endif + } if (fin->fin_ip == NULL) return -1; return 0; @@ -1680,7 +1798,7 @@ int portcmp; */ i = ((*lip & *lm) != *ld); FR_DEBUG(("0. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); if (i) return 1; @@ -1691,7 +1809,7 @@ int portcmp; lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("1. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); if (i) return 1; 
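Review bot: In fr_makefrip() the IPv4 branch now computes `fin->fin_dlen = fin->fin_plen - hlen` from `ip->ip_len` with no visible check that `ip_len >= hlen`; if fr_check() does not reject a short ip_len before calling here (its hunks on the later lines only test `ip6_plen == 0` for IPv6), a negative fin_dlen reaches the fragment arithmetic in frpr_ipv4hdr(), where `off + fin->fin_dlen > 65535` and `fin->fin_dlen == 0` would not catch it. A guard such as `if (fin->fin_plen < hlen) return -1;` before the subtraction, mirroring the `frpr_ipv6hdr(fin) == -1` return, would close that. The `(morefrag != 0) && ((fin->fin_dlen & 7) != 0)` refinement correctly exempts the last fragment from the multiple-of-8 rule.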
@@ -1714,20 +1832,20 @@ int portcmp; #endif i = ((*lip & *lm) != *ld); FR_DEBUG(("2a. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); if (fi->fi_v == 6) { lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("2b. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("2c. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("2d. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); } else { lip += 3; lm += 3; @@ -1756,20 +1874,20 @@ int portcmp; #endif i = ((*lip & *lm) != *ld); FR_DEBUG(("3a. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); if (fi->fi_v == 6) { lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("3b. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("3c. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); lip++, lm++, ld++; i |= ((*lip & *lm) != *ld); FR_DEBUG(("3d. %#08x & %#08x != %#08x\n", - *lip, *lm, *ld)); + ntohl(*lip), ntohl(*lm), ntohl(*ld))); } else { lip += 3; lm += 3; @@ -1849,7 +1967,7 @@ int fr_scanlist(fin, pass) fr_info_t *fin; u_32_t pass; { - int rulen, portcmp, off, logged, skip; + int rulen, portcmp, off, skip; struct frentry *fr, *fnext; u_32_t passt, passo; @@ -1868,7 +1986,6 @@ u_32_t pass; return pass; skip = 0; - logged = 0; portcmp = 0; fin->fin_depth++; fin->fin_fr = NULL; @@ -2002,7 +2119,7 @@ u_32_t pass; ATOMIC_INCL(frstats[fin->fin_out].fr_skip); } ATOMIC_INCL(frstats[fin->fin_out].fr_pkl); - logged = 1; + fin->fin_flx |= FI_DONTCACHE; } #endif /* IPFILTER_LOG */ fr->fr_bytes += (U_QUAD_T)fin->fin_plen; 
@@ -2027,8 +2144,6 @@ u_32_t pass; fin->fin_fr = fr; passt = pass; } - if (fin->fin_flx & FI_DONTCACHE) - logged = 1; pass = passt; } @@ -2056,8 +2171,6 @@ u_32_t pass; break; } } - if (logged) - fin->fin_flx |= FI_DONTCACHE; fin->fin_depth--; return pass; } @@ -2297,9 +2410,6 @@ int out; int v = IP_V(ip); mb_t *mc = NULL; mb_t *m; -#ifdef USE_INET6 - ip6_t *ip6; -#endif /* * The first part of fr_check() deals with making sure that what goes * into the filtering engine makes some sense. Information about the @@ -2311,8 +2421,10 @@ int out; # ifdef MENTAT qpktinfo_t *qpi = qif; +# if !defined(_INET_IP_STACK_H) if ((u_int)ip & 0x3) return 2; +# endif # else SPL_INT(s); # endif @@ -2395,21 +2507,17 @@ int out; * structures to handle comfortably, for now, so just drop * them. */ - ip6 = (ip6_t *)ip; - fin->fin_plen = ntohs(ip6->ip6_plen); - if (fin->fin_plen == 0) { + if (((ip6_t *)ip)->ip6_plen == 0) { pass = FR_BLOCK|FR_NOMATCH; goto finished; } - fin->fin_plen += sizeof(ip6_t); } else #endif { -#if (defined(OpenBSD) && OpenBSD >= 200311) && defined(_KERNEL) +#if (defined(OpenBSD) && (OpenBSD >= 200311)) && defined(_KERNEL) ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); #endif - fin->fin_plen = ip->ip_len; } if (fr_makefrip(hlen, ip, fin) == -1) { @@ -2439,8 +2547,7 @@ int out; } #ifdef USE_INET6 else if (v == 6) { - ip6 = (ip6_t *)ip; - if (ip6->ip6_hlim < fr_minttl) { + if (((ip6_t *)ip)->ip6_hlim < fr_minttl) { ATOMIC_INCL(frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } 
@@ -2464,18 +2571,26 @@ int out; fr = fr_checkauth(fin, &pass); if (!out) { if (fr_checknatin(fin, &pass) == -1) { - RWLOCK_EXIT(&ipf_mutex); - goto finished; + goto filterdone; } } if (!out) (void) fr_acctpkt(fin, NULL); - if (fr == NULL) - if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG) + if (fr == NULL) { + if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG) { fr = fr_knownfrag(fin, &pass); - if (fr == NULL) - fr = fr_checkstate(fin, &pass); + /* + * Reset the keep state flag here so that we don't + * try and add a new state entry because of it, leading + * to a blocked packet because the add will fail. + */ + if (fr != NULL) + pass &= ~FR_KEEPSTATE; + } + if (fr == NULL) + fr = fr_checkstate(fin, &pass); + } if ((pass & FR_NOMATCH) || (fr == NULL)) fr = fr_firewall(fin, &pass); @@ -2507,8 +2622,7 @@ int out; (void) fr_acctpkt(fin, NULL); if (fr_checknatout(fin, &pass) == -1) { - RWLOCK_EXIT(&ipf_mutex); - goto finished; + ; } else if ((fr_update_ipid != 0) && (v == 4)) { if (fr_updateipid(fin) == -1) { ATOMIC_INCL(frstats[1].fr_ipud); @@ -2520,20 +2634,33 @@ int out; } } +filterdone: #ifdef IPFILTER_LOG if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) { (void) fr_dolog(fin, &pass); } #endif + /* + * The FI_STATE flag is cleared here so that calling fr_checkstate + * will work when called from inside of fr_fastroute. Although + * there is a similar flag, FI_NATED, for NAT, it does have the same + * impact on code execution. + */ if (fin->fin_state != NULL) { - fr_statederef(fin, (ipstate_t **)&fin->fin_state); - fin->fin_state = NULL; + fr_statederef((ipstate_t **)&fin->fin_state); + fin->fin_flx ^= FI_STATE; } if (fin->fin_nat != NULL) { - fr_natderef((nat_t **)&fin->fin_nat); - fin->fin_nat = NULL; + if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT)) { + WRITE_ENTER(&ipf_nat); + nat_delete((nat_t *)fin->fin_nat, NL_DESTROY); + RWLOCK_EXIT(&ipf_nat); + fin->fin_nat = NULL; + } else { + fr_natderef((nat_t **)&fin->fin_nat); + } } /* 
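Review bot: `fin->fin_flx ^= FI_STATE;` toggles the bit, but the new comment says the flag is cleared; if fin_state is non-NULL while FI_STATE is not set this sets it instead, so use `fin->fin_flx &= ~FI_STATE;` to match the stated intent. The same comment reads `it does have the same impact`, which from context should be `does not have`. The `if (fr_checknatout(fin, &pass) == -1) { ; } else if (...)` shape left by the removed `goto finished` is better written as `if ((fr_checknatout(fin, &pass) != -1) && (fr_update_ipid != 0) && (v == 4)) {`. The FI_NEWNAT/FR_ISBLOCK path that destroys a freshly created NAT entry for a blocked packet is a good fix for leaving half-set-up mappings behind; a one-line comment saying so would help the next reader. fr_check() extends well beyond this hunk.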
@@ -2650,7 +2777,7 @@ finished: RWLOCK_EXIT(&ipf_global); #ifdef _KERNEL -# if defined(OpenBSD) && OpenBSD >= 200311 +# if (defined(OpenBSD) && (OpenBSD >= 200311)) if (FR_ISPASS(pass) && (v == 4)) { ip = fin->fin_ip; ip->ip_len = ntohs(ip->ip_len); @@ -2788,6 +2915,7 @@ int len; /* ip(I) - pointer to IP header */ /* l4proto(I) - protocol to caclulate checksum for */ /* l4hdr(I) - pointer to layer 4 header */ +/* l3len(I) - length of layer 4 data plus layer 3 header */ /* */ /* Calculates the TCP checksum for the packet held in "m", using the data */ /* in the IP header "ip" to seed it. */ @@ -2796,6 +2924,8 @@ int len; /* and the TCP header. We also assume that data blocks aren't allocated in */ /* odd sizes. */ /* */ +/* For IPv6, l3len excludes extension header size. */ +/* */ /* Expects ip_len to be in host byte order when called. */ /* ------------------------------------------------------------------------ */ u_short fr_cksum(m, ip, l4proto, l4hdr, l3len) @@ -2838,9 +2968,9 @@ void *l4hdr; } else if (IP_V(ip) == 6) { ip6 = (ip6_t *)ip; hlen = sizeof(*ip6); - slen = ntohs(l3len); + slen = l3len - hlen; sum = htons((u_short)l4proto); - sum += slen; + sum += htons(slen); sp = (u_short *)&ip6->ip6_src; sum += *sp++; /* ip6_src */ sum += *sp++; @@ -2970,8 +3100,8 @@ void *l4hdr; * In case we had to copy the IP & TCP header out of mbufs, * skip over the mbuf bits which are the header */ - if ((caddr_t)ip != mtod(m, caddr_t)) { - hlen = (caddr_t)sp - (caddr_t)ip; + if ((char *)ip != mtod(m, char *)) { + hlen = (char *)sp - (char *)ip; while (hlen) { add = MIN(hlen, m->m_len); sp = (u_short *)(mtod(m, caddr_t) + add); 
@@ -2994,12 +3124,12 @@ void *l4hdr; goto nodata; while (len > 1) { - if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { + if (((char *)sp - mtod(m, char *)) >= m->m_len) { m = m->m_next; PANIC((!m),("fr_cksum(2): not enough data")); sp = mtod(m, u_short *); } - if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) { + if (((char *)(sp + 1) - mtod(m, char *)) > m->m_len) { bytes.c[0] = *(u_char *)sp; m = m->m_next; PANIC((!m),("fr_cksum(3): not enough data")); @@ -3026,6 +3156,12 @@ nodata: # endif /* defined(BSD) || defined(sun) */ # endif /* MENTAT */ #else /* _KERNEL */ + /* + * Add up IP Header portion + */ + if (sp != (u_short *)l4hdr) + sp = (u_short *)l4hdr; + for (; slen > 1; slen -= 2) sum += *sp++; if (slen) @@ -3071,7 +3207,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.243.2.78 2006/03/29 11:19:54 darrenr Exp $ + * $Id: fil.c,v 2.243.2.125 2007/10/10 09:27:20 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -3377,7 +3513,7 @@ minor_t unit; int *nfreedp; frentry_t **listp; { - int freed = 0, i; + int freed = 0; frentry_t *fp; while ((fp = *listp) != NULL) { @@ -3388,8 +3524,7 @@ frentry_t **listp; } *listp = fp->fr_next; if (fp->fr_grp != NULL) { - i = frflushlist(set, unit, nfreedp, fp->fr_grp); - fp->fr_ref -= i; + (void) frflushlist(set, unit, nfreedp, fp->fr_grp); } if (fp->fr_grhead != NULL) { @@ -3662,13 +3797,15 @@ void *ifp; if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP && fr->fr_srcptr == NULL) { fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype, - fr->fr_srcnum, + fr->fr_srcsubtype, + &fr->fr_slookup, &fr->fr_srcfunc); } if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP && fr->fr_dstptr == NULL) { fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype, - fr->fr_dstnum, + fr->fr_dstsubtype, + &fr->fr_dlookup, &fr->fr_dstfunc); } #endif 
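Review bot: In the non-kernel part of fr_cksum(), `if (sp != (u_short *)l4hdr) sp = (u_short *)l4hdr;` is just `sp = (u_short *)l4hdr;` with a redundant test, and the comment above it, `Add up IP Header portion`, describes neither that assignment nor the loop that follows, which sums `slen` bytes of layer-4 data. Replace the comment with what the code does, e.g. `/* userland: point sp at the layer 4 header before summing slen bytes */`, and drop the comparison. fr_cksum() starts and ends outside this hunk.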
@@ -3740,17 +3877,19 @@ void *src, *dst; size_t size; { caddr_t ca; - int err; + int error; # if SOLARIS - err = COPYIN(src, (caddr_t)&ca, sizeof(ca)); - if (err != 0) - return err; + error = COPYIN(src, &ca, sizeof(ca)); + if (error != 0) + return error; # else bcopy(src, (caddr_t)&ca, sizeof(ca)); # endif - err = COPYIN(ca, dst, size); - return err; + error = COPYIN(ca, dst, size); + if (error != 0) + error = EFAULT; + return error; } @@ -3770,33 +3909,40 @@ void *src, *dst; size_t size; { caddr_t ca; - int err; + int error; bcopy(dst, (caddr_t)&ca, sizeof(ca)); - err = COPYOUT(src, ca, size); - return err; + error = COPYOUT(src, ca, size); + if (error != 0) + error = EFAULT; + return error; } #endif /* ------------------------------------------------------------------------ */ /* Function: fr_lock */ -/* Returns: (void) */ +/* Returns: int - 0 = success, else error */ /* Parameters: data(I) - pointer to lock value to set */ /* lockp(O) - pointer to location to store old lock value */ /* */ /* Get the new value for the lock integer, set it and return the old value */ /* in *lockp. */ /* ------------------------------------------------------------------------ */ -void fr_lock(data, lockp) +int fr_lock(data, lockp) caddr_t data; int *lockp; { - int arg; + int arg, err; - BCOPYIN(data, (caddr_t)&arg, sizeof(arg)); - BCOPYOUT((caddr_t)lockp, data, sizeof(*lockp)); + err = BCOPYIN(data, &arg, sizeof(arg)); + if (err != 0) + return EFAULT; + err = BCOPYOUT(lockp, data, sizeof(*lockp)); + if (err != 0) + return EFAULT; *lockp = arg; + return 0; } 
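Review bot: The two copy helpers now normalise a failing `COPYIN`/`COPYOUT` to EFAULT, but in the first function the `# if SOLARIS` path still returns the raw `error` from the pointer fetch while the second COPYIN in the same function is mapped to EFAULT; both failures should report the same way, e.g. `if (error != 0) return EFAULT;` on the first as well. Changing fr_lock() from void to int is a sensible tightening, since a failing BCOPYIN previously left `*lockp` assigned from an uninitialised `arg`; its callers are outside this excerpt and need to propagate the new return value.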
@@ -3950,7 +4096,8 @@ int rev; /* Function: fr_resolvelookup */ /* Returns: void * - NULL = failure, else success. */ /* Parameters: type(I) - type of lookup these parameters are for. */ -/* number(I) - table number to use when searching */ +/* subtype(I) - whether the info below contains number/name */ +/* info(I) - pointer to name/number of the lookup data */ /* funcptr(IO) - pointer to pointer for storing IP address */ /* searching function. */ /* */ @@ -3959,20 +4106,35 @@ int rev; /* call to do the IP address search will be change, regardless of whether */ /* or not the "table" number exists. */ /* ------------------------------------------------------------------------ */ -static void *fr_resolvelookup(type, number, funcptr) -u_int type, number; +static void *fr_resolvelookup(type, subtype, info, funcptr) +u_int type, subtype; +i6addr_t *info; lookupfunc_t *funcptr; { - char name[FR_GROUPLEN]; + char label[FR_GROUPLEN], *name; iphtable_t *iph; ip_pool_t *ipo; void *ptr; + if (subtype == 0) { #if defined(SNPRINTF) && defined(_KERNEL) - SNPRINTF(name, sizeof(name), "%u", number); + SNPRINTF(label, sizeof(label), "%u", info->iplookupnum); #else - (void) sprintf(name, "%u", number); + (void) sprintf(label, "%u", info->iplookupnum); #endif + name = label; + } else if (subtype == 1) { + /* + * Because iplookupname is currently only a 12 character + * string and FR_GROUPLEN is 16, copy all of it into the + * label buffer and add on a NULL at the end. + */ + strncpy(label, info->iplookupname, sizeof(info->iplookupname)); + label[sizeof(info->iplookupname)] = '\0'; + name = label; + } else { + return NULL; + } READ_ENTER(&ip_poolrw); @@ -4144,16 +4306,6 @@ caddr_t data; fprev = &fg->fg_start; } - ftail = fprev; - for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) { - if (fp->fr_collect <= f->fr_collect) { - ftail = fprev; - f = NULL; - break; - } - fprev = ftail; - } - /* * Copy in extra data for the rule. */ 
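Review bot: The new name branch in fr_resolvelookup() copies `sizeof(info->iplookupname)` bytes into `label[FR_GROUPLEN]` and writes the terminator at index `sizeof(info->iplookupname)`; the comment records that this fits only because the field is 12 bytes and FR_GROUPLEN is 16, so a later change to either constant becomes a stack overflow here with nothing to catch it. Bounding the copy by the destination makes the coupling explicit: `strncpy(label, info->iplookupname, MIN(sizeof(label) - 1, sizeof(info->iplookupname)));` followed by `label[MIN(sizeof(label) - 1, sizeof(info->iplookupname))] = '\0';` (MIN is already used in fr_cksum()). The `subtype` values 0 and 1 are bare constants both here and at the call sites on the next line; a named pair would document the name/number distinction the header comment describes. The function continues past the end of this hunk.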
@@ -4163,6 +4315,8 @@ caddr_t data; if (!ptr) return ENOMEM; error = COPYIN(uptr, ptr, fp->fr_dsize); + if (error != 0) + error = EFAULT; } else { ptr = uptr; error = 0; @@ -4221,8 +4375,11 @@ caddr_t data; #ifdef IPFILTER_LOOKUP case FRI_LOOKUP : fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype, - fp->fr_srcnum, + fp->fr_srcsubtype, + &fp->fr_slookup, &fp->fr_srcfunc); + if (fp->fr_srcptr == NULL) + return ESRCH; break; #endif default : @@ -4246,8 +4403,11 @@ caddr_t data; #ifdef IPFILTER_LOOKUP case FRI_LOOKUP : fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype, - fp->fr_dstnum, + fp->fr_dstsubtype, + &fp->fr_dlookup, &fp->fr_dstfunc); + if (fp->fr_dstptr == NULL) + return ESRCH; break; #endif default : @@ -4288,6 +4448,20 @@ caddr_t data; fp->fr_cksum += *p; WRITE_ENTER(&ipf_mutex); + + /* + * Now that the filter rule lists are locked, we can walk the + * chain of them without fear. + */ + ftail = fprev; + for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) { + if (fp->fr_collect <= f->fr_collect) { + ftail = fprev; + f = NULL; + break; + } + fprev = ftail; + } bzero((char *)frcache, sizeof(frcache)); for (; (f = *ftail) != NULL; ftail = &f->fr_next) { @@ -4331,6 +4505,8 @@ caddr_t data; if ((f->fr_dsize != 0) && (uptr != NULL)) error = COPYOUT(f->fr_data, uptr, f->fr_dsize); + if (error != 0) + error = EFAULT; if (error == 0) { f->fr_hits = 0; f->fr_bytes = 0; @@ -4405,7 +4581,7 @@ caddr_t data; /* * Return EBUSY if the rule is being reference by - * something else (eg state information. + * something else (eg state information.) */ if (f->fr_ref > 1) { error = EBUSY; @@ -4416,8 +4592,6 @@ caddr_t data; (f->fr_isc != (struct ipscan *)-1)) ipsc_detachfr(f); #endif - if ((fg != NULL) && (fg->fg_head != NULL)) - fg->fg_head->fr_ref--; if (unit == IPL_LOGAUTH) { error = fr_preauthcmd(req, f, ftail); goto done; 
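Review bot: The two new `return ESRCH;` exits when fr_resolvelookup() fails come after the rule's extra data has been copied in (`@@ -4163,6` on this line allocates `ptr` and copies `fp->fr_dsize` bytes into it), so if that buffer was allocated rather than borrowed from `uptr` it is leaked on this path unless it is released somewhere I cannot see; the `error = fr_preauthcmd(...); goto done;` pattern later in the same function suggests `error = ESRCH; goto done;` with the release on the done path instead. Moving the fr_collect walk under `WRITE_ENTER(&ipf_mutex)` (the `@@ -4288,6` hunk) is the right fix for walking the rule list unlocked. The enclosing function, frrequest() as far as the hunk headers indicate, starts before and ends after these hunks.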
@@ -4427,7 +4601,7 @@ caddr_t data; fr_fixskip(ftail, f, -1); *ftail = f->fr_next; f->fr_next = NULL; - (void)fr_derefrule(&f); + (void) fr_derefrule(&f); } } else { /* @@ -4445,8 +4619,6 @@ caddr_t data; } else f = fp; if (f != NULL) { - if (fg != NULL && fg->fg_head != NULL) - fg->fg_head->fr_ref++; if (fp != f) bcopy((char *)fp, (char *)f, sizeof(*f)); @@ -4546,8 +4718,11 @@ int fr_resolvefunc(data) void *data; { ipfunc_resolve_t res, *ft; + int err; - BCOPYIN(data, &res, sizeof(res)); + err = BCOPYIN(data, &res, sizeof(res)); + if (err != 0) + return EFAULT; if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') { for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++) @@ -4576,7 +4751,7 @@ void *data; #if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \ - (defined(__FreeBSD__) && (__FreeBSD_version < 490000)) || \ + (defined(__FreeBSD__) && (__FreeBSD_version < 501000)) || \ (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \ (defined(__OpenBSD__) && (OpenBSD < 200006)) /* @@ -4641,6 +4816,7 @@ frentry_t **frp; frentry_t *fr; fr = *frp; + *frp = NULL; MUTEX_ENTER(&fr->fr_lock); fr->fr_ref--; @@ -4666,7 +4842,6 @@ frentry_t **frp; } else { MUTEX_EXIT(&fr->fr_lock); } - *frp = NULL; return -1; } 
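Review bot: fr_resolvefunc() now checks the BCOPYIN result, but the user-supplied `res.ipfu_name` is still used as a C string without being forced to a terminator; whether that is safe depends on the comparison loop that follows (a strncmp bounded by sizeof(res.ipfu_name) is fine, a strcmp/strlen is not), which is outside the hunk. Adding `res.ipfu_name[sizeof(res.ipfu_name) - 1] = '\0';` straight after the copyin removes the dependency on that detail for both the by-name lookup and any later copyout of the name. fr_resolvefunc() continues past the end of the hunk.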
@@ -5196,55 +5371,47 @@ char *buffer; /* data(I) - pointer to ioctl data */ /* cmd(I) - ioctl command */ /* mode(I) - mode value */ +/* uid(I) - uid making the ioctl call */ +/* ctx(I) - pointer to context data */ /* */ /* Based on the value of unit, call the appropriate ioctl handler or return */ /* EIO if ipfilter is not running. Also checks if write perms are req'd */ /* for the device in order to execute the ioctl. */ /* ------------------------------------------------------------------------ */ -int fr_ioctlswitch(unit, data, cmd, mode) -int unit, mode; +int fr_ioctlswitch(unit, data, cmd, mode, uid, ctx) +int unit, mode, uid; ioctlcmd_t cmd; -void *data; +void *data, *ctx; { int error = 0; switch (unit) { case IPL_LOGIPF : - error = -1; + error = fr_ipf_ioctl(data, cmd, mode, uid, ctx); break; case IPL_LOGNAT : if (fr_running > 0) - error = fr_nat_ioctl(data, cmd, mode); + error = fr_nat_ioctl(data, cmd, mode, uid, ctx); else error = EIO; break; case IPL_LOGSTATE : if (fr_running > 0) - error = fr_state_ioctl(data, cmd, mode); + error = fr_state_ioctl(data, cmd, mode, uid, ctx); else error = EIO; break; case IPL_LOGAUTH : - if (fr_running > 0) { - if ((cmd == (ioctlcmd_t)SIOCADAFR) || - (cmd == (ioctlcmd_t)SIOCRMAFR)) { - if (!(mode & FWRITE)) { - error = EPERM; - } else { - error = frrequest(unit, cmd, data, - fr_active, 1); - } - } else { - error = fr_auth_ioctl(data, cmd, mode); - } - } else + if (fr_running > 0) + error = fr_auth_ioctl(data, cmd, mode, uid, ctx); + else error = EIO; break; case IPL_LOGSYNC : #ifdef IPFILTER_SYNC if (fr_running > 0) - error = fr_sync_ioctl(data, cmd, mode); + error = fr_sync_ioctl(data, cmd, mode, uid, ctx); else #endif error = EIO; @@ -5252,7 +5419,7 @@ void *data; case IPL_LOGSCAN : #ifdef IPFILTER_SCAN if (fr_running > 0) - error = fr_scan_ioctl(data, cmd, mode); + error = fr_scan_ioctl(data, cmd, mode, uid, ctx); else #endif error = EIO; 
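Review bot: The IPL_LOGAUTH arm of fr_ioctlswitch() drops the explicit `mode & FWRITE` test that guarded SIOCADAFR/SIOCRMAFR and forwards every command to fr_auth_ioctl(); the equivalent check must now live there (not visible in this diff), otherwise a descriptor opened read-only on the auth device could add or remove auth rules. Worth confirming, and worth recording at the call site: `/* fr_auth_ioctl() enforces FWRITE for SIOCADAFR/SIOCRMAFR itself */`. Note also that IPL_LOGIPF is now dispatched without the `fr_running > 0` gate the other units keep, which SIOCFRENB needs, but it means fr_ipf_ioctl() has to tolerate every other command while the filter is disabled.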
@@ -5260,7 +5427,7 @@ void *data; case IPL_LOGLOOKUP : #ifdef IPFILTER_LOOKUP if (fr_running > 0) - error = ip_lookup_ioctl(data, cmd, mode); + error = ip_lookup_ioctl(data, cmd, mode, uid, ctx); else #endif error = EIO; @@ -5278,9 +5445,7 @@ void *data; * This array defines the expected size of objects coming into the kernel * for the various recognised object types. */ -#define NUM_OBJ_TYPES 14 - -static int fr_objbytes[NUM_OBJ_TYPES][2] = { +static int fr_objbytes[IPFOBJ_COUNT][2] = { { 1, sizeof(struct frentry) }, /* frentry */ { 0, sizeof(struct friostat) }, { 0, sizeof(struct fr_info) }, @@ -5294,7 +5459,13 @@ static int fr_objbytes[NUM_OBJ_TYPES][2] = { { 1, sizeof(struct ipstate) }, /* ipstate */ { 0, sizeof(struct ips_stat) }, { 0, sizeof(struct frauth) }, - { 0, sizeof(struct ipftune) } + { 0, sizeof(struct ipftune) }, + { 0, sizeof(struct nat) }, /* nat_t */ + { 0, sizeof(struct ipfruleiter) }, + { 0, sizeof(struct ipfgeniter) }, + { 0, sizeof(struct ipftable) }, + { 0, sizeof(struct ipflookupiter) }, + { 0, sizeof(struct ipftq) * IPF_TCP_NSTATES }, }; @@ -5317,10 +5488,12 @@ int type; ipfobj_t obj; int error = 0; - if ((type < 0) || (type > NUM_OBJ_TYPES-1)) + if ((type < 0) || (type >= IPFOBJ_COUNT)) return EINVAL; - BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj)); + error = BCOPYIN(data, &obj, sizeof(obj)); + if (error != 0) + return EFAULT; if (obj.ipfo_type != type) return EINVAL; @@ -5329,8 +5502,9 @@ int type; if ((fr_objbytes[type][0] & 1) != 0) { if (obj.ipfo_size < fr_objbytes[type][1]) return EINVAL; - } else if (obj.ipfo_size != fr_objbytes[type][1]) + } else if (obj.ipfo_size != fr_objbytes[type][1]) { return EINVAL; + } #else if (obj.ipfo_rev != IPFILTER_VERSION) /* XXX compatibility hook here */ 
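Review bot: The six new fr_objbytes rows are positional and must line up with the IPFOBJ_* numbering in the header, which nothing here checks; because the array is now sized `[IPFOBJ_COUNT][2]`, a forgotten row silently becomes `{ 0, 0 }` and fr_inobj() then rejects that type with EINVAL through its `obj.ipfo_size != fr_objbytes[type][1]` test, which is safe but hard to diagnose. Label the unlabelled rows the way `/* frentry */` and `/* nat_t */` already are, e.g. `{ 0, sizeof(struct ipfruleiter) }, /* IPFOBJ_IPFITER */` and `{ 0, sizeof(struct ipfgeniter) }, /* IPFOBJ_GENITER */`, so the order can be eyeballed against the enum. The `sizeof(struct ipftq) * IPF_TCP_NSTATES` row in particular deserves a comment saying it is the whole TCP timeout-queue array, not one entry.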
@@ -5345,12 +5519,12 @@ int type; #endif if ((fr_objbytes[type][0] & 1) != 0) { - error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, - fr_objbytes[type][1]); + error = COPYIN(obj.ipfo_ptr, ptr, fr_objbytes[type][1]); } else { - error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, - obj.ipfo_size); + error = COPYIN(obj.ipfo_ptr, ptr, obj.ipfo_size); } + if (error != 0) + error = EFAULT; return error; } @@ -5377,12 +5551,14 @@ int type, sz; ipfobj_t obj; int error; - if ((type < 0) || (type > NUM_OBJ_TYPES-1)) + if ((type < 0) || (type >= IPFOBJ_COUNT)) return EINVAL; if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1])) return EINVAL; - BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj)); + error = BCOPYIN(data, &obj, sizeof(obj)); + if (error != 0) + return EFAULT; if (obj.ipfo_type != type) return EINVAL; @@ -5399,7 +5575,9 @@ int type, sz; return EINVAL; #endif - error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, sz); + error = COPYIN(obj.ipfo_ptr, ptr, sz); + if (error != 0) + error = EFAULT; return error; } @@ -5426,12 +5604,14 @@ int type, sz; ipfobj_t obj; int error; - if ((type < 0) || (type > NUM_OBJ_TYPES-1) || + if ((type < 0) || (type >= IPFOBJ_COUNT) || ((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1])) return EINVAL; - BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj)); + error = BCOPYIN(data, &obj, sizeof(obj)); + if (error != 0) + return EFAULT; if (obj.ipfo_type != type) return EINVAL; @@ -5448,7 +5628,9 @@ int type, sz; return EINVAL; #endif - error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, sz); + error = COPYOUT(ptr, obj.ipfo_ptr, sz); + if (error != 0) + error = EFAULT; return error; } 
@@ -5472,10 +5654,12 @@ int type; ipfobj_t obj; int error; - if ((type < 0) || (type > NUM_OBJ_TYPES-1)) + if ((type < 0) || (type >= IPFOBJ_COUNT)) return EINVAL; - BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj)); + error = BCOPYIN(data, &obj, sizeof(obj)); + if (error != 0) + return EFAULT; if (obj.ipfo_type != type) return EINVAL; @@ -5499,7 +5683,9 @@ int type; return EINVAL; #endif - error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, obj.ipfo_size); + error = COPYOUT(ptr, obj.ipfo_ptr, obj.ipfo_size); + if (error != 0) + error = EFAULT; return error; } @@ -5523,6 +5709,12 @@ fr_info_t *fin; if ((fin->fin_flx & FI_NOCKSUM) != 0) return 0; + if (fin->fin_cksum == 1) + return 0; + + if (fin->fin_cksum == -1) + return -1; + /* * If the TCP packet isn't a fragment, isn't too short and otherwise * isn't already considered "bad", then validate the checksum. If @@ -5570,9 +5762,11 @@ fr_info_t *fin; if (csump != NULL) hdrsum = *csump; - if (dosum) + if (dosum) { sum = fr_cksum(fin->fin_m, fin->fin_ip, - fin->fin_p, fin->fin_dp, fin->fin_plen); + fin->fin_p, fin->fin_dp, + fin->fin_dlen + fin->fin_hlen); + } #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID) } #endif @@ -5583,8 +5777,11 @@ fr_info_t *fin; FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum)); } #endif - if (hdrsum == sum) + if (hdrsum == sum) { + fin->fin_cksum = 1; return 0; + } + fin->fin_cksum = -1; return -1; } 
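Review bot: The new fast path at the top of fr_checkl4sum() trusts `fin->fin_cksum == 0` to mean "not checked yet", so it depends on fr_info_t being zeroed, or fin_cksum reset, wherever a fin is (re)initialised; that code is outside this diff, and a stale 1 on a reused fin would skip checksum validation for a packet that never had it. Worth confirming at the initialisation site, and the three states are easier to audit as named values than as literal 1/-1, e.g. `#define FI_CKSUM_UNKNOWN 0`, `FI_CKSUM_OK 1`, `FI_CKSUM_BAD -1`, used here and in the assignments at the end of the function. fr_checkl4sum() starts before this hunk.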
@@ -5773,100 +5970,104 @@ fr_info_t *fin; ipftuneable_t ipf_tuneables[] = { /* filtering */ { { &fr_flags }, "fr_flags", 0, 0xffffffff, - sizeof(fr_flags), 0 }, + sizeof(fr_flags), 0, NULL }, { { &fr_active }, "fr_active", 0, 0, - sizeof(fr_active), IPFT_RDONLY }, + sizeof(fr_active), IPFT_RDONLY, NULL }, { { &fr_control_forwarding }, "fr_control_forwarding", 0, 1, - sizeof(fr_control_forwarding), 0 }, + sizeof(fr_control_forwarding), 0, NULL }, { { &fr_update_ipid }, "fr_update_ipid", 0, 1, - sizeof(fr_update_ipid), 0 }, + sizeof(fr_update_ipid), 0, NULL }, { { &fr_chksrc }, "fr_chksrc", 0, 1, - sizeof(fr_chksrc), 0 }, + sizeof(fr_chksrc), 0, NULL }, { { &fr_minttl }, "fr_minttl", 0, 1, - sizeof(fr_minttl), 0 }, + sizeof(fr_minttl), 0, NULL }, { { &fr_icmpminfragmtu }, "fr_icmpminfragmtu", 0, 1, - sizeof(fr_icmpminfragmtu), 0 }, + sizeof(fr_icmpminfragmtu), 0, NULL }, { { &fr_pass }, "fr_pass", 0, 0xffffffff, - sizeof(fr_pass), 0 }, + sizeof(fr_pass), 0, NULL }, /* state */ { { &fr_tcpidletimeout }, "fr_tcpidletimeout", 1, 0x7fffffff, - sizeof(fr_tcpidletimeout), IPFT_WRDISABLED }, + sizeof(fr_tcpidletimeout), IPFT_WRDISABLED, NULL }, { { &fr_tcpclosewait }, "fr_tcpclosewait", 1, 0x7fffffff, - sizeof(fr_tcpclosewait), IPFT_WRDISABLED }, + sizeof(fr_tcpclosewait), IPFT_WRDISABLED, NULL }, { { &fr_tcplastack }, "fr_tcplastack", 1, 0x7fffffff, - sizeof(fr_tcplastack), IPFT_WRDISABLED }, + sizeof(fr_tcplastack), IPFT_WRDISABLED, NULL }, { { &fr_tcptimeout }, "fr_tcptimeout", 1, 0x7fffffff, - sizeof(fr_tcptimeout), IPFT_WRDISABLED }, + sizeof(fr_tcptimeout), IPFT_WRDISABLED, NULL }, { { &fr_tcpclosed }, "fr_tcpclosed", 1, 0x7fffffff, - sizeof(fr_tcpclosed), IPFT_WRDISABLED }, + sizeof(fr_tcpclosed), IPFT_WRDISABLED, NULL }, { { &fr_tcphalfclosed }, "fr_tcphalfclosed", 1, 0x7fffffff, - sizeof(fr_tcphalfclosed), IPFT_WRDISABLED }, + sizeof(fr_tcphalfclosed), IPFT_WRDISABLED, NULL }, { { &fr_udptimeout }, "fr_udptimeout", 1, 0x7fffffff, - sizeof(fr_udptimeout), 
IPFT_WRDISABLED }, + sizeof(fr_udptimeout), IPFT_WRDISABLED, NULL }, { { &fr_udpacktimeout }, "fr_udpacktimeout", 1, 0x7fffffff, - sizeof(fr_udpacktimeout), IPFT_WRDISABLED }, + sizeof(fr_udpacktimeout), IPFT_WRDISABLED, NULL }, { { &fr_icmptimeout }, "fr_icmptimeout", 1, 0x7fffffff, - sizeof(fr_icmptimeout), IPFT_WRDISABLED }, + sizeof(fr_icmptimeout), IPFT_WRDISABLED, NULL }, { { &fr_icmpacktimeout }, "fr_icmpacktimeout", 1, 0x7fffffff, - sizeof(fr_icmpacktimeout), IPFT_WRDISABLED }, + sizeof(fr_icmpacktimeout), IPFT_WRDISABLED, NULL }, { { &fr_iptimeout }, "fr_iptimeout", 1, 0x7fffffff, - sizeof(fr_iptimeout), IPFT_WRDISABLED }, + sizeof(fr_iptimeout), IPFT_WRDISABLED, NULL }, { { &fr_statemax }, "fr_statemax", 1, 0x7fffffff, - sizeof(fr_statemax), 0 }, + sizeof(fr_statemax), 0, NULL }, { { &fr_statesize }, "fr_statesize", 1, 0x7fffffff, - sizeof(fr_statesize), IPFT_WRDISABLED }, + sizeof(fr_statesize), IPFT_WRDISABLED, NULL }, { { &fr_state_lock }, "fr_state_lock", 0, 1, - sizeof(fr_state_lock), IPFT_RDONLY }, + sizeof(fr_state_lock), IPFT_RDONLY, NULL }, { { &fr_state_maxbucket }, "fr_state_maxbucket", 1, 0x7fffffff, - sizeof(fr_state_maxbucket), IPFT_WRDISABLED }, + sizeof(fr_state_maxbucket), IPFT_WRDISABLED, NULL }, { { &fr_state_maxbucket_reset }, "fr_state_maxbucket_reset", 0, 1, - sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED }, + sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED, NULL }, { { &ipstate_logging }, "ipstate_logging", 0, 1, - sizeof(ipstate_logging), 0 }, + sizeof(ipstate_logging), 0, NULL }, /* nat */ { { &fr_nat_lock }, "fr_nat_lock", 0, 1, - sizeof(fr_nat_lock), IPFT_RDONLY }, + sizeof(fr_nat_lock), IPFT_RDONLY, NULL }, { { &ipf_nattable_sz }, "ipf_nattable_sz", 1, 0x7fffffff, - sizeof(ipf_nattable_sz), IPFT_WRDISABLED }, + sizeof(ipf_nattable_sz), IPFT_WRDISABLED, NULL }, { { &ipf_nattable_max }, "ipf_nattable_max", 1, 0x7fffffff, - sizeof(ipf_nattable_max), 0 }, + sizeof(ipf_nattable_max), 0, NULL }, { { &ipf_natrules_sz }, 
"ipf_natrules_sz", 1, 0x7fffffff, - sizeof(ipf_natrules_sz), IPFT_WRDISABLED }, + sizeof(ipf_natrules_sz), IPFT_WRDISABLED, NULL }, { { &ipf_rdrrules_sz }, "ipf_rdrrules_sz", 1, 0x7fffffff, - sizeof(ipf_rdrrules_sz), IPFT_WRDISABLED }, + sizeof(ipf_rdrrules_sz), IPFT_WRDISABLED, NULL }, { { &ipf_hostmap_sz }, "ipf_hostmap_sz", 1, 0x7fffffff, - sizeof(ipf_hostmap_sz), IPFT_WRDISABLED }, + sizeof(ipf_hostmap_sz), IPFT_WRDISABLED, NULL }, { { &fr_nat_maxbucket }, "fr_nat_maxbucket", 1, 0x7fffffff, - sizeof(fr_nat_maxbucket), IPFT_WRDISABLED }, + sizeof(fr_nat_maxbucket), 0, NULL }, { { &fr_nat_maxbucket_reset }, "fr_nat_maxbucket_reset", 0, 1, - sizeof(fr_nat_maxbucket_reset), IPFT_WRDISABLED }, + sizeof(fr_nat_maxbucket_reset), IPFT_WRDISABLED, NULL }, { { &nat_logging }, "nat_logging", 0, 1, - sizeof(nat_logging), 0 }, + sizeof(nat_logging), 0, NULL }, { { &fr_defnatage }, "fr_defnatage", 1, 0x7fffffff, - sizeof(fr_defnatage), IPFT_WRDISABLED }, + sizeof(fr_defnatage), IPFT_WRDISABLED, NULL }, { { &fr_defnatipage }, "fr_defnatipage", 1, 0x7fffffff, - sizeof(fr_defnatipage), IPFT_WRDISABLED }, + sizeof(fr_defnatipage), IPFT_WRDISABLED, NULL }, { { &fr_defnaticmpage }, "fr_defnaticmpage", 1, 0x7fffffff, - sizeof(fr_defnaticmpage), IPFT_WRDISABLED }, + sizeof(fr_defnaticmpage), IPFT_WRDISABLED, NULL }, + { { &fr_nat_doflush }, "fr_nat_doflush", 0, 1, + sizeof(fr_nat_doflush), 0, NULL }, + /* proxy */ + { { &ipf_proxy_debug }, "ipf_proxy_debug", 0, 10, + sizeof(ipf_proxy_debug), 0, 0 }, /* frag */ { { &ipfr_size }, "ipfr_size", 1, 0x7fffffff, - sizeof(ipfr_size), IPFT_WRDISABLED }, + sizeof(ipfr_size), IPFT_WRDISABLED, NULL }, { { &fr_ipfrttl }, "fr_ipfrttl", 1, 0x7fffffff, - sizeof(fr_ipfrttl), IPFT_WRDISABLED }, + sizeof(fr_ipfrttl), IPFT_WRDISABLED, NULL }, #ifdef IPFILTER_LOG /* log */ { { &ipl_suppress }, "ipl_suppress", 0, 1, - sizeof(ipl_suppress), 0 }, - { { &ipl_buffer_sz }, "ipl_buffer_sz", 0, 0, - sizeof(ipl_buffer_sz), IPFT_RDONLY }, + sizeof(ipl_suppress), 
0, NULL }, { { &ipl_logmax }, "ipl_logmax", 0, 0x7fffffff, - sizeof(ipl_logmax), IPFT_WRDISABLED }, + sizeof(ipl_logmax), IPFT_WRDISABLED, NULL }, { { &ipl_logall }, "ipl_logall", 0, 1, - sizeof(ipl_logall), 0 }, + sizeof(ipl_logall), 0, NULL }, { { &ipl_logsize }, "ipl_logsize", 0, 0x80000, - sizeof(ipl_logsize), 0 }, + sizeof(ipl_logsize), 0, NULL }, #endif - { { NULL }, NULL, 0, 0 } + { { NULL }, NULL, 0, 0, + 0, 0, NULL } }; static ipftuneable_t *ipf_tunelist = NULL; @@ -6177,6 +6378,8 @@ int fr_initialise() { int i; + bzero(&frstats, sizeof(frstats)); + #ifdef IPFILTER_LOG i = fr_loginit(); if (i < 0) @@ -6274,7 +6477,7 @@ void fr_deinitialise() /* the copyout may result in paging (ie network activity.) */ /* ------------------------------------------------------------------------ */ int fr_zerostats(data) -caddr_t data; +void *data; { friostat_t fio; int error; @@ -6285,7 +6488,7 @@ caddr_t data; return EFAULT; WRITE_ENTER(&ipf_mutex); - bzero((char *)frstats, sizeof(*frstats) * 2); + bzero(&frstats, sizeof(frstats)); RWLOCK_EXIT(&ipf_mutex); return 0; 
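Review bot: The new `ipf_proxy_debug` row in ipf_tuneables[] ends with `0` where every other row in this hunk was changed to spell the new pointer field as `NULL`; make it `sizeof(ipf_proxy_debug), 0, NULL },` for consistency. Separately, `fr_nat_maxbucket` quietly loses IPFT_WRDISABLED (it becomes writable while the filter is running) whereas `fr_state_maxbucket` keeps the flag; if that asymmetry is intended it deserves a comment on the row, otherwise the two should match.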
@@ -6364,3 +6567,792 @@ int v; nic = (void *)-1; return nic; } + + +ipftoken_t *ipftokenhead = NULL, **ipftokentail = &ipftokenhead; + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_expiretokens */ +/* Returns: None. */ +/* Parameters: None. */ +/* */ +/* This function is run every ipf tick to see if there are any tokens that */ +/* have been held for too long and need to be freed up. */ +/* ------------------------------------------------------------------------ */ +void ipf_expiretokens() +{ + ipftoken_t *it; + + WRITE_ENTER(&ipf_tokens); + while ((it = ipftokenhead) != NULL) { + if (it->ipt_die > fr_ticks) + break; + + ipf_freetoken(it); + } + RWLOCK_EXIT(&ipf_tokens); +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_deltoken */ +/* Returns: int - 0 = success, else error */ +/* Parameters: type(I) - the token type to match */ +/* uid(I) - uid owning the token */ +/* ptr(I) - context pointer for the token */ +/* */ +/* This function looks for a a token in the current list that matches up */ +/* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */ +/* call ipf_freetoken() to remove it from the list. 
*/ +/* ------------------------------------------------------------------------ */ +int ipf_deltoken(type, uid, ptr) +int type, uid; +void *ptr; +{ + ipftoken_t *it; + int error = ESRCH; + + WRITE_ENTER(&ipf_tokens); + for (it = ipftokenhead; it != NULL; it = it->ipt_next) + if (ptr == it->ipt_ctx && type == it->ipt_type && + uid == it->ipt_uid) { + ipf_freetoken(it); + error = 0; + break; + } + RWLOCK_EXIT(&ipf_tokens); + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_findtoken */ +/* Returns: ipftoken_t * - NULL if no memory, else pointer to token */ +/* Parameters: type(I) - the token type to match */ +/* uid(I) - uid owning the token */ +/* ptr(I) - context pointer for the token */ +/* */ +/* This function looks for a live token in the list of current tokens that */ +/* matches the tuple (type, uid, ptr). If one cannot be found then one is */ +/* allocated. If one is found then it is moved to the top of the list of */ +/* currently active tokens. */ +/* */ +/* NOTE: It is by design that this function returns holding a read lock on */ +/* ipf_tokens. Callers must make sure they release it! 
*/ +/* ------------------------------------------------------------------------ */ +ipftoken_t *ipf_findtoken(type, uid, ptr) +int type, uid; +void *ptr; +{ + ipftoken_t *it, *new; + + KMALLOC(new, ipftoken_t *); + + WRITE_ENTER(&ipf_tokens); + for (it = ipftokenhead; it != NULL; it = it->ipt_next) { + if (it->ipt_alive == 0) + continue; + if (ptr == it->ipt_ctx && type == it->ipt_type && + uid == it->ipt_uid) + break; + } + + if (it == NULL) { + it = new; + new = NULL; + if (it == NULL) + return NULL; + it->ipt_data = NULL; + it->ipt_ctx = ptr; + it->ipt_uid = uid; + it->ipt_type = type; + it->ipt_next = NULL; + it->ipt_alive = 1; + } else { + if (new != NULL) { + KFREE(new); + new = NULL; + } + + ipf_unlinktoken(it); + } + it->ipt_pnext = ipftokentail; + *ipftokentail = it; + ipftokentail = &it->ipt_next; + it->ipt_next = NULL; + + it->ipt_die = fr_ticks + 2; + + MUTEX_DOWNGRADE(&ipf_tokens); + + return it; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_unlinktoken */ +/* Returns: None. */ +/* Parameters: token(I) - pointer to token structure */ +/* */ +/* This function unlinks a token structure from the linked list of tokens */ +/* that "own" it. The head pointer never needs to be explicitly adjusted */ +/* but the tail does due to the linked list implementation. */ +/* ------------------------------------------------------------------------ */ +static void ipf_unlinktoken(token) +ipftoken_t *token; +{ + + if (ipftokentail == &token->ipt_next) + ipftokentail = token->ipt_pnext; + + *token->ipt_pnext = token->ipt_next; + if (token->ipt_next != NULL) + token->ipt_next->ipt_pnext = token->ipt_pnext; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_freetoken */ +/* Returns: None. 
*/ +/* Parameters: token(I) - pointer to token structure */ +/* */ +/* This function unlinks a token from the linked list and on the path to */ +/* free'ing the data, it calls the dereference function that is associated */ +/* with the type of data pointed to by the token as it is considered to */ +/* hold a reference to it. */ +/* ------------------------------------------------------------------------ */ +void ipf_freetoken(token) +ipftoken_t *token; +{ + void *data, **datap; + + ipf_unlinktoken(token); + + data = token->ipt_data; + datap = &data; + + if ((data != NULL) && (data != (void *)-1)) { + switch (token->ipt_type) + { + case IPFGENITER_IPF : + (void) fr_derefrule((frentry_t **)datap); + break; + case IPFGENITER_IPNAT : + WRITE_ENTER(&ipf_nat); + fr_ipnatderef((ipnat_t **)datap); + RWLOCK_EXIT(&ipf_nat); + break; + case IPFGENITER_NAT : + fr_natderef((nat_t **)datap); + break; + case IPFGENITER_STATE : + fr_statederef((ipstate_t **)datap); + break; + case IPFGENITER_FRAG : +#ifdef USE_MUTEXES + fr_fragderef((ipfr_t **)datap, &ipf_frag); +#else + fr_fragderef((ipfr_t **)datap); +#endif + break; + case IPFGENITER_NATFRAG : +#ifdef USE_MUTEXES + fr_fragderef((ipfr_t **)datap, &ipf_natfrag); +#else + fr_fragderef((ipfr_t **)datap); +#endif + break; + case IPFGENITER_HOSTMAP : + WRITE_ENTER(&ipf_nat); + fr_hostmapdel((hostmap_t **)datap); + RWLOCK_EXIT(&ipf_nat); + break; + default : +#ifdef IPFILTER_LOOKUP + ip_lookup_iterderef(token->ipt_type, data); +#endif + break; + } + } + + KFREE(token); +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_getnextrule */ +/* Returns: int - 0 = success, else error */ +/* Parameters: t(I) - pointer to destination information to resolve */ +/* ptr(I) - pointer to ipfobj_t to copyin from user space */ +/* */ +/* This function's first job is to bring in the ipfruleiter_t structure via */ +/* the ipfobj_t structure to determine what should be the next rule to */ +/* return. 
Once the ipfruleiter_t has been brought in, it then tries to */ +/* find the 'next rule'. This may include searching rule group lists or */ +/* just be as simple as looking at the 'next' field in the rule structure. */ +/* When we have found the rule to return, increase its reference count and */ +/* if we used an existing rule to get here, decrease its reference count. */ +/* ------------------------------------------------------------------------ */ +int ipf_getnextrule(ipftoken_t *t, void *ptr) +{ + frentry_t *fr, *next, zero; + int error, count, out; + ipfruleiter_t it; + frgroup_t *fg; + char *dst; + + if (t == NULL || ptr == NULL) + return EFAULT; + error = fr_inobj(ptr, &it, IPFOBJ_IPFITER); + if (error != 0) + return error; + if ((it.iri_inout < 0) || (it.iri_inout > 3)) + return EINVAL; + if ((it.iri_active != 0) && (it.iri_active != 1)) + return EINVAL; + if (it.iri_nrules == 0) + return ENOSPC; + if (it.iri_rule == NULL) + return EFAULT; + + out = it.iri_inout & F_OUT; + fr = t->ipt_data; + READ_ENTER(&ipf_mutex); + if (fr == NULL) { + if (*it.iri_group == '\0') { + if ((it.iri_inout & F_ACIN) != 0) { + if (it.iri_v == 4) + next = ipacct[out][it.iri_active]; + else + next = ipacct6[out][it.iri_active]; + } else { + if (it.iri_v == 4) + next = ipfilter[out][it.iri_active]; + else + next = ipfilter6[out][it.iri_active]; + } + } else { + fg = fr_findgroup(it.iri_group, IPL_LOGIPF, + it.iri_active, NULL); + if (fg != NULL) + next = fg->fg_start; + else + next = NULL; + } + } else { + next = fr->fr_next; + } + + dst = (char *)it.iri_rule; + count = it.iri_nrules; + /* + * The ipfruleiter may ask for more than 1 rule at a time to be + * copied out, so long as that many exist in the list to start with! 
+ */ + for (;;) { + if (next != NULL) { + if (count == 1) { + MUTEX_ENTER(&next->fr_lock); + next->fr_ref++; + MUTEX_EXIT(&next->fr_lock); + t->ipt_data = next; + } + } else { + bzero(&zero, sizeof(zero)); + next = &zero; + count = 1; + t->ipt_data = NULL; + } + RWLOCK_EXIT(&ipf_mutex); + + error = COPYOUT(next, dst, sizeof(*next)); + if (error != 0) + return EFAULT; + + if (next->fr_data != NULL) { + dst += sizeof(*next); + error = COPYOUT(next->fr_data, dst, next->fr_dsize); + if (error != 0) + error = EFAULT; + else + dst += next->fr_dsize; + } + + if ((count == 1) || (error != 0)) + break; + + count--; + + READ_ENTER(&ipf_mutex); + next = next->fr_next; + } + + if (fr != NULL) { + (void) fr_derefrule(&fr); + } + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_frruleiter */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - the token type to match */ +/* uid(I) - uid owning the token */ +/* ptr(I) - context pointer for the token */ +/* */ +/* This function serves as a stepping stone between fr_ipf_ioctl and */ +/* ipf_getnextrule. It's role is to find the right token in the kernel for */ +/* the process doing the ioctl and use that to ask for the next rule. 
*/ +/* ------------------------------------------------------------------------ */ +static int ipf_frruleiter(data, uid, ctx) +void *data, *ctx; +int uid; +{ + ipftoken_t *token; + int error; + + token = ipf_findtoken(IPFGENITER_IPF, uid, ctx); + if (token != NULL) + error = ipf_getnextrule(token, data); + else + error = EFAULT; + RWLOCK_EXIT(&ipf_tokens); + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_geniter */ +/* Returns: int - 0 = success, else error */ +/* Parameters: token(I) - pointer to ipftoken_t structure */ +/* itp(I) - */ +/* */ +/* ------------------------------------------------------------------------ */ +static int ipf_geniter(token, itp) +ipftoken_t *token; +ipfgeniter_t *itp; +{ + int error; + + switch (itp->igi_type) + { + case IPFGENITER_FRAG : +#ifdef USE_MUTEXES + error = fr_nextfrag(token, itp, + &ipfr_list, &ipfr_tail, &ipf_frag); +#else + error = fr_nextfrag(token, itp, &ipfr_list, &ipfr_tail); +#endif + break; + default : + error = EINVAL; + break; + } + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_genericiter */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - the token type to match */ +/* uid(I) - uid owning the token */ +/* ptr(I) - context pointer for the token */ +/* */ +/* ------------------------------------------------------------------------ */ +int ipf_genericiter(data, uid, ctx) +void *data, *ctx; +int uid; +{ + ipftoken_t *token; + ipfgeniter_t iter; + int error; + + error = fr_inobj(data, &iter, IPFOBJ_GENITER); + if (error != 0) + return error; + + token = ipf_findtoken(iter.igi_type, uid, ctx); + if (token != NULL) { + token->ipt_subtype = iter.igi_type; + error = ipf_geniter(token, &iter); + } else + error = EFAULT; + RWLOCK_EXIT(&ipf_tokens); + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* 
Function: fr_ipf_ioctl */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - the token type to match */ +/* cmd(I) - the ioctl command number */ +/* mode(I) - mode flags for the ioctl */ +/* uid(I) - uid owning the token */ +/* ptr(I) - context pointer for the token */ +/* */ +/* This function handles all of the ioctl command that are actually isssued */ +/* to the /dev/ipl device. */ +/* ------------------------------------------------------------------------ */ +int fr_ipf_ioctl(data, cmd, mode, uid, ctx) +caddr_t data; +ioctlcmd_t cmd; +int mode, uid; +void *ctx; +{ + friostat_t fio; + int error, tmp; + SPL_INT(s); + + switch (cmd) + { + case SIOCFRENB : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = BCOPYIN(data, &tmp, sizeof(tmp)); + if (error != 0) { + error = EFAULT; + break; + } + + WRITE_ENTER(&ipf_global); + if (tmp) { + if (fr_running > 0) + error = 0; + else + error = ipfattach(); + if (error == 0) + fr_running = 1; + else + (void) ipfdetach(); + } else { + error = ipfdetach(); + if (error == 0) + fr_running = -1; + } + RWLOCK_EXIT(&ipf_global); + } + break; + + case SIOCIPFSET : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + /* FALLTHRU */ + case SIOCIPFGETNEXT : + case SIOCIPFGET : + error = fr_ipftune(cmd, (void *)data); + break; + + case SIOCSETFF : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = BCOPYIN(data, &fr_flags, sizeof(fr_flags)); + if (error != 0) + error = EFAULT; + } + break; + + case SIOCGETFF : + error = BCOPYOUT(&fr_flags, data, sizeof(fr_flags)); + if (error != 0) + error = EFAULT; + break; + + case SIOCFUNCL : + error = fr_resolvefunc((void *)data); + break; + + case SIOCINAFR : + case SIOCRMAFR : + case SIOCADAFR : + case SIOCZRLST : + if (!(mode & FWRITE)) + error = EPERM; + else + error = frrequest(IPL_LOGIPF, cmd, data, fr_active, 1); + break; + + case SIOCINIFR : + case SIOCRMIFR : + case SIOCADIFR : + if (!(mode & FWRITE)) + error = EPERM; + else + error = 
frrequest(IPL_LOGIPF, cmd, data, + 1 - fr_active, 1); + break; + + case SIOCSWAPA : + if (!(mode & FWRITE)) + error = EPERM; + else { + WRITE_ENTER(&ipf_mutex); + bzero((char *)frcache, sizeof(frcache[0]) * 2); + error = BCOPYOUT(&fr_active, data, sizeof(fr_active)); + if (error != 0) + error = EFAULT; + else + fr_active = 1 - fr_active; + RWLOCK_EXIT(&ipf_mutex); + } + break; + + case SIOCGETFS : + fr_getstat(&fio); + error = fr_outobj((void *)data, &fio, IPFOBJ_IPFSTAT); + break; + + case SIOCFRZST : + if (!(mode & FWRITE)) + error = EPERM; + else + error = fr_zerostats(data); + break; + + case SIOCIPFFL : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = BCOPYIN(data, &tmp, sizeof(tmp)); + if (!error) { + tmp = frflush(IPL_LOGIPF, 4, tmp); + error = BCOPYOUT(&tmp, data, sizeof(tmp)); + if (error != 0) + error = EFAULT; + } else + error = EFAULT; + } + break; + +#ifdef USE_INET6 + case SIOCIPFL6 : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = BCOPYIN(data, &tmp, sizeof(tmp)); + if (!error) { + tmp = frflush(IPL_LOGIPF, 6, tmp); + error = BCOPYOUT(&tmp, data, sizeof(tmp)); + if (error != 0) + error = EFAULT; + } else + error = EFAULT; + } + break; +#endif + + case SIOCSTLCK : + error = BCOPYIN(data, &tmp, sizeof(tmp)); + if (error == 0) { + fr_state_lock = tmp; + fr_nat_lock = tmp; + fr_frag_lock = tmp; + fr_auth_lock = tmp; + } else + error = EFAULT; + break; + +#ifdef IPFILTER_LOG + case SIOCIPFFB : + if (!(mode & FWRITE)) + error = EPERM; + else { + tmp = ipflog_clear(IPL_LOGIPF); + error = BCOPYOUT(&tmp, data, sizeof(tmp)); + if (error) + error = EFAULT; + } + break; +#endif /* IPFILTER_LOG */ + + case SIOCFRSYN : + if (!(mode & FWRITE)) + error = EPERM; + else { + WRITE_ENTER(&ipf_global); +#ifdef MENTAT + error = ipfsync(); +#else + frsync(NULL); + error = 0; +#endif + RWLOCK_EXIT(&ipf_global); + + } + break; + + case SIOCGFRST : + error = fr_outobj((void *)data, fr_fragstats(), + IPFOBJ_FRAGSTAT); + break; + +#ifdef IPFILTER_LOG + 
case FIONREAD : + tmp = (int)iplused[IPL_LOGIPF]; + + error = BCOPYOUT(&tmp, data, sizeof(tmp)); + break; +#endif + + case SIOCIPFITER : + SPL_SCHED(s); + error = ipf_frruleiter(data, uid, ctx); + SPL_X(s); + break; + + case SIOCGENITER : + SPL_SCHED(s); + error = ipf_genericiter(data, uid, ctx); + SPL_X(s); + break; + + case SIOCIPFDELTOK : + SPL_SCHED(s); + error = BCOPYIN(data, &tmp, sizeof(tmp)); + if (error == 0) + error = ipf_deltoken(tmp, uid, ctx); + SPL_X(s); + break; + + default : + error = EINVAL; + break; + } + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ipf_queueflush */ +/* Returns: int - number of entries flushed (0 = none) */ +/* Parameters: deletefn(I) - function to call to delete entry */ +/* ipfqs(I) - top of the list of ipf internal queues */ +/* userqs(I) - top of the list of user defined timeouts */ +/* */ +/* This fucntion gets called when the state/NAT hash tables fill up and we */ +/* need to try a bit harder to free up some space. The algorithm used is */ +/* to look for the oldest entries on each timeout queue and free them if */ +/* they are within the given window we are considering. Where the window */ +/* starts and the steps taken to increase its size depend upon how long ipf */ +/* has been running (fr_ticks.) Anything modified in the last 30 seconds */ +/* is not touched. */ +/* touched */ +/* die fr_ticks 30*1.5 1800*1.5 | 43200*1.5 */ +/* | | | | | | */ +/* future <--+----------+--------+-----------+-----+-----+-----------> past */ +/* now \_int=30s_/ \_int=1hr_/ \_int=12hr */ +/* */ +/* Points to note: */ +/* - tqe_die is the time, in the future, when entries die. */ +/* - tqe_die - fr_ticks is how long left the connection has to live in ipf */ +/* ticks. */ +/* - tqe_touched is when the entry was last used by NAT/state */ +/* - the closer tqe_touched is to fr_ticks, the further tqe_die will be for */ +/* any given timeout queue and vice versa. 
*/ +/* - both tqe_die and tqe_touched increase over time */ +/* - timeout queues are sorted with the highest value of tqe_die at the */ +/* bottom and therefore the smallest values of each are at the top */ +/* */ +/* We start by setting up a maximum range to scan for things to move of */ +/* iend (newest) to istart (oldest) in chunks of "interval". If nothing is */ +/* found in that range, "interval" is adjusted (so long as it isn't 30) and */ +/* we start again with a new value for "iend" and "istart". The downside */ +/* of the current implementation is that it may return removing just 1 entry*/ +/* every time (pathological case) where it could remove more. */ +/* ------------------------------------------------------------------------ */ +int ipf_queueflush(deletefn, ipfqs, userqs) +ipftq_delete_fn_t deletefn; +ipftq_t *ipfqs, *userqs; +{ + u_long interval, istart, iend; + ipftq_t *ifq, *ifqnext; + ipftqent_t *tqe, *tqn; + int removed; + + /* + * NOTE: Use of "* 15 / 10" is required here because if "* 1.5" is + * used then the operations are upgraded to floating point + * and kernels don't like floating point... 
+ */ + if (fr_ticks > IPF_TTLVAL(43200 * 15 / 10)) { + istart = IPF_TTLVAL(86400 * 4); + interval = IPF_TTLVAL(43200); + } else if (fr_ticks > IPF_TTLVAL(1800 * 15 / 10)) { + istart = IPF_TTLVAL(43200); + interval = IPF_TTLVAL(1800); + } else if (fr_ticks > IPF_TTLVAL(30 * 15 / 10)) { + istart = IPF_TTLVAL(1800); + interval = IPF_TTLVAL(30); + } else { + return 0; + } + if (istart > fr_ticks) { + if (fr_ticks - interval < interval) + istart = interval; + else + istart = (fr_ticks / interval) * interval; + } + + iend = fr_ticks - interval; + removed = 0; + + for (;;) { + u_long try; + + try = fr_ticks - istart; + + for (ifq = ipfqs; ifq != NULL; ifq = ifq->ifq_next) { + for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { + if (try < tqe->tqe_touched) + break; + tqn = tqe->tqe_next; + if ((*deletefn)(tqe->tqe_parent) == 0) + removed++; + } + } + + for (ifq = userqs; ifq != NULL; ifq = ifqnext) { + ifqnext = ifq->ifq_next; + + for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { + if (try < tqe->tqe_touched) + break; + tqn = tqe->tqe_next; + if ((*deletefn)(tqe->tqe_parent) == 0) + removed++; + } + } + + if (try >= iend) { + if (removed > 0) + break; + if (interval == IPF_TTLVAL(43200)) { + interval = IPF_TTLVAL(1800); + } else if (interval == IPF_TTLVAL(1800)) { + interval = IPF_TTLVAL(30); + } else { + break; + } + if (interval >= fr_ticks) + break; + + iend = fr_ticks - interval; + } + istart -= interval; + } + + return removed; +} diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index 3f82d2521164..fddb0438eed6 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c @@ -53,7 +53,7 @@ struct file; # include #endif #if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199802) || \ - (__FreeBSD_version >= 400000) + (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) # include #endif #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 
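Review bot: ipf_getnextrule() touches rules after dropping ipf_mutex without holding a reference on them: in the multi-rule loop only the rule reached when count == 1 gets fr_ref++ before RWLOCK_EXIT(&ipf_mutex), yet every rule's fr_data/fr_dsize are read and `next = next->fr_next` is followed after the lock has been released, so a rule removed concurrently (SIOCRMAFR unlinks and frees through fr_derefrule, earlier in this diff) can be freed under the copyout. Two exit paths also leave the token inconsistent: `if (error != 0) return EFAULT;` after the first COPYOUT skips the fr_derefrule(&fr) at the bottom, leaking the old reference once t->ipt_data has been repointed, and a break with count > 1 derefs fr while t->ipt_data still points at it, which the next SIOCIPFITER call then dereferences. The loop below takes a reference on every rule it exports, hands ownership to the token before the lock is dropped and releases the previous rule in one place, so each exit leaves the token owning exactly one live rule or none. Separately, SIOCSTLCK in fr_ipf_ioctl() rewrites fr_state_lock/fr_nat_lock/fr_frag_lock/fr_auth_lock with no `mode & FWRITE` test, unlike the other mutating commands in the same switch.
```c
	/* … unchanged: ipfruleiter copyin, validation and start-of-list lookup … */
	dst = (char *)it.iri_rule;
	count = it.iri_nrules;
	/*
	 * "fr" is the rule the token currently owns a reference to (may be
	 * NULL).  Each rule exported gets its own reference before ipf_mutex
	 * is dropped and ownership moves to the token right away, so a rule
	 * deleted concurrently cannot be freed under the copyout and no exit
	 * path leaves the token pointing at a rule it no longer references.
	 */
	for (;;) {
		if (next != NULL) {
			MUTEX_ENTER(&next->fr_lock);
			next->fr_ref++;
			MUTEX_EXIT(&next->fr_lock);
			t->ipt_data = next;
		} else {
			bzero(&zero, sizeof(zero));
			next = &zero;
			count = 1;
			t->ipt_data = NULL;
		}
		RWLOCK_EXIT(&ipf_mutex);

		/* The rule the token held on entry is no longer needed. */
		if (fr != NULL)
			(void) fr_derefrule(&fr);

		error = COPYOUT(next, dst, sizeof(*next));
		if (error != 0) {
			error = EFAULT;
		} else if (next->fr_data != NULL) {
			dst += sizeof(*next);
			error = COPYOUT(next->fr_data, dst, next->fr_dsize);
			if (error != 0)
				error = EFAULT;
			else
				dst += next->fr_dsize;
		}

		if ((count == 1) || (error != 0))
			break;
		count--;

		READ_ENTER(&ipf_mutex);
		fr = next;
		next = next->fr_next;
	}

	return error;
}
```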
@@ -121,7 +121,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #if !defined(lint) static const char rcsid[] = "@(#)$FreeBSD$"; -/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.13 2006/03/29 11:19:55 darrenr Exp $"; */ +/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */ #endif @@ -146,7 +146,19 @@ frauthent_t *fae_list = NULL; frentry_t *ipauth = NULL, *fr_authlist = NULL; +void fr_authderef __P((frauthent_t **)); +int fr_authgeniter __P((ipftoken_t *, ipfgeniter_t *)); +int fr_authreply __P((char *)); +int fr_authwait __P((char *)); +/* ------------------------------------------------------------------------ */ +/* Function: fr_authinit */ +/* Returns: int - 0 == success, else error */ +/* Parameters: None */ +/* */ +/* Allocate memory and initialise data structures used in handling auth */ +/* rules. */ +/* ------------------------------------------------------------------------ */ int fr_authinit() { KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth)); @@ -176,11 +188,16 @@ int fr_authinit() } -/* - * Check if a packet has authorization. If the packet is found to match an - * authorization result and that would result in a feedback loop (i.e. it - * will end up returning FR_AUTH) then return FR_BLOCK instead. - */ +/* ------------------------------------------------------------------------ */ +/* Function: fr_checkauth */ +/* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ +/* Parameters: fin(I) - pointer to ipftoken structure */ +/* passp(I) - pointer to ipfgeniter structure */ +/* */ +/* Check if a packet has authorization. If the packet is found to match an */ +/* authorization result and that would result in a feedback loop (i.e. it */ +/* will end up returning FR_AUTH) then return FR_BLOCK instead. */ +/* ------------------------------------------------------------------------ */ frentry_t *fr_checkauth(fin, passp) fr_info_t *fin; u_32_t *passp; 
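Review bot: The parameter descriptions in the new fr_checkauth header do not match the signature two lines below — `fin` is described as "pointer to ipftoken structure" and `passp` as "pointer to ipfgeniter structure", but the declarations are `fr_info_t *fin` and `u_32_t *passp`, so the text appears to have been pasted from an iterator function's header. Suggested replacement lines: `/* Parameters:  fin(I)   - pointer to packet information                    */` and `/*              passp(I) - pointer to the pass flags for this packet         */` (mark it IO if the body writes through it; fr_checkauth's body lies outside the hunk). The "Returns" line should likewise be checked against the body, since the old comment only described the FR_AUTH/FR_BLOCK feedback rule.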
@@ -237,7 +254,12 @@ u_32_t *passp; fr = fra->fra_info.fin_fr; fin->fin_fr = fr; RWLOCK_EXIT(&ipf_auth); + WRITE_ENTER(&ipf_auth); + /* + * fr_authlist is populated with the rules malloc'd + * above and only those. + */ if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { fr->fr_next = fr_authlist; fr_authlist = fr; @@ -279,11 +301,16 @@ u_32_t *passp; } -/* - * Check if we have room in the auth array to hold details for another packet. - * If we do, store it and wake up any user programs which are waiting to - * hear about these events. - */ +/* ------------------------------------------------------------------------ */ +/* Function: fr_newauth */ +/* Returns: int - 0 == success, else error */ +/* Parameters: m(I) - pointer to mb_t with packet in it */ +/* fin(I) - pointer to packet information */ +/* */ +/* Check if we have room in the auth array to hold details for another */ +/* packet. If we do, store it and wake up any user programs which are */ +/* waiting to hear about these events. */ +/* ------------------------------------------------------------------------ */ int fr_newauth(m, fin) mb_t *m; fr_info_t *fin; @@ -301,16 +328,10 @@ fr_info_t *fin; return 0; WRITE_ENTER(&ipf_auth); - if (fr_authstart > fr_authend) { + if (((fr_authend + 1) % fr_authsize) == fr_authstart) { fr_authstats.fas_nospace++; RWLOCK_EXIT(&ipf_auth); return 0; - } else { - if (fr_authused == fr_authsize) { - fr_authstats.fas_nospace++; - RWLOCK_EXIT(&ipf_auth); - return 0; - } } fr_authstats.fas_added++; @@ -322,7 +343,10 @@ fr_info_t *fin; fra = fr_auth + i; fra->fra_index = i; - fra->fra_pass = fin->fin_fr->fr_flags; + if (fin->fin_fr != NULL) + fra->fra_pass = fin->fin_fr->fr_flags; + else + fra->fra_pass = 0; fra->fra_age = fr_defaultauthage; bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); #if !defined(sparc) && !defined(m68k) 
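Review bot: The new `WRITE_ENTER(&ipf_auth)` directly after `RWLOCK_EXIT(&ipf_auth)` is a release-then-reacquire rather than an upgrade, so another thread (fr_newauth or fr_authreply, both of which take the write lock elsewhere in this change) can reuse or clear the fr_auth slot `fra` points at in between; the comparison `fr != fra->fra_info.fin_fr` that follows then reads a slot that may describe a different packet. Since `fra` was located under the read lock before this hunk begins, either re-validate it after the write lock is taken (compare `fra->fra_index`/`fin_id` again) or take the write lock for the whole lookup. A comment at the WRITE_ENTER stating why the window is acceptable would be the minimum, e.g. `/* lock dropped above: fra may have been recycled, only fr_authlist is trusted below */`.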
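Review bot: The replacement fullness test `((fr_authend + 1) % fr_authsize) == fr_authstart` reserves one slot, so the ring now holds at most fr_authsize - 1 packets, and the explicit `fr_authused == fr_authsize` check is gone even though fr_authused is still maintained and consulted elsewhere in this change (fr_auth_waiting returns `fr_authused != 0`, fr_authreply decrements it). That is only safe if fr_authused can never disagree with the start/end indices; a comment should pin the invariant, e.g. `/* one slot is always left empty so that start == end means "empty" */`. The modulo also divides by fr_authsize, so fr_authinit (outside this hunk) must guarantee it is non-zero.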
@@ -344,10 +368,12 @@ fr_info_t *fin; } #endif #if SOLARIS && defined(_KERNEL) - COPYIFNAME(fin->fin_ifp, fra->fra_info.fin_ifname); + COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); m->b_rptr -= qpi->qpi_off; fr_authpkts[i] = *(mblk_t **)fin->fin_mp; +# if !defined(_INET_IP_STACK_H) fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ +# endif fra->fra_m = *fin->fin_mp; fra->fra_info.fin_mp = &fra->fra_m; cv_signal(&ipfauthwait); 
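Review bot: Under `_INET_IP_STACK_H` the new `# if !defined(_INET_IP_STACK_H)` skips the `fra->fra_q = qpi->qpi_q;` store, but `fra = fr_auth + i` (visible in the previous hunk) is a recycled ring slot and nothing here clears fra_q, so on that stack the field keeps whatever the slot held last time. If any consumer still reads fra_q on the new stack, add an `# else` branch with `fra->fra_q = NULL;`; if none does, a comment saying the field is unused under FW_HOOKS would save the next reader the question. fr_newauth's body continues outside the hunk.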
@@ -360,29 +386,65 @@ fr_info_t *fin; } -int fr_auth_ioctl(data, cmd, mode) +/* ------------------------------------------------------------------------ */ +/* Function: fr_auth_ioctl */ +/* Returns: int - 0 == success, else error */ +/* Parameters: data(IO) - pointer to ioctl data */ +/* cmd(I) - ioctl command */ +/* mode(I) - mode flags associated with open descriptor */ +/* uid(I) - uid associatd with application making the call */ +/* ctx(I) - pointer for context */ +/* */ +/* This function handles all of the ioctls recognised by the auth component */ +/* in IPFilter - ie ioctls called on an open fd for /dev/ipauth */ +/* ------------------------------------------------------------------------ */ +int fr_auth_ioctl(data, cmd, mode, uid, ctx) caddr_t data; ioctlcmd_t cmd; -int mode; +int mode, uid; +void *ctx; { - frauth_t auth, *au = &auth, *fra; - int i, error = 0, len; - char *t; - mb_t *m; -#if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \ - (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000)) - struct ifqueue *ifq; + int error = 0, i; SPL_INT(s); -#endif switch (cmd) { + case SIOCGENITER : + { + ipftoken_t *token; + ipfgeniter_t iter; + + error = fr_inobj(data, &iter, IPFOBJ_GENITER); + if (error != 0) + break; + + SPL_SCHED(s); + token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx); + if (token != NULL) + error = fr_authgeniter(token, &iter); + else + error = ESRCH; + RWLOCK_EXIT(&ipf_tokens); + SPL_X(s); + + break; + } + + case SIOCADAFR : + case SIOCRMAFR : + if (!(mode & FWRITE)) + error = EPERM; + else + error = frrequest(IPL_LOGAUTH, cmd, data, + fr_active, 1); + break; + case SIOCSTLCK : if (!(mode & FWRITE)) { error = EPERM; break; } - fr_lock(data, &fr_auth_lock); + error = fr_lock(data, &fr_auth_lock); break; case SIOCATHST: 
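Review bot: In the new SIOCGENITER case `RWLOCK_EXIT(&ipf_tokens)` is executed on both the found and the ESRCH path, which is only correct if ipf_findtoken() returns with ipf_tokens held even when it yields NULL — that contract is not visible here and deserves a comment at the call, e.g. `/* ipf_findtoken() returns with ipf_tokens held in either case */`. SIOCGENITER is also reachable without FWRITE while SIOCADAFR/SIOCRMAFR and SIOCSTLCK are guarded; since fr_authgeniter copies whole frauthent_t records out to the caller, the read-only exposure should be stated as intentional. Minor: "associatd" in the header comment, and SPL_SCHED/SPL_X bracket a call that may sleep in ipf_freetoken, which is worth confirming on platforms where SPL_SCHED is not a no-op.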
@@ -396,203 +458,17 @@ int mode; i = fr_authflush(); RWLOCK_EXIT(&ipf_auth); SPL_X(s); - error = copyoutptr((char *)&i, data, sizeof(i)); + error = BCOPYOUT((char *)&i, data, sizeof(i)); + if (error != 0) + error = EFAULT; break; case SIOCAUTHW: -fr_authioctlloop: - error = fr_inobj(data, au, IPFOBJ_FRAUTH); - if (error != 0) - break; - READ_ENTER(&ipf_auth); - if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { - error = fr_outobj(data, &fr_auth[fr_authnext], - IPFOBJ_FRAUTH); - if (error != 0) - break; - if (auth.fra_len != 0 && auth.fra_buf != NULL) { - /* - * Copy packet contents out to user space if - * requested. Bail on an error. - */ - m = fr_authpkts[fr_authnext]; - len = MSGDSIZE(m); - if (len > auth.fra_len) - len = auth.fra_len; - auth.fra_len = len; - for (t = auth.fra_buf; m && (len > 0); ) { - i = MIN(M_LEN(m), len); - error = copyoutptr(MTOD(m, char *), - &t, i); - len -= i; - t += i; - if (error != 0) - break; - m = m->m_next; - } - } - RWLOCK_EXIT(&ipf_auth); - if (error != 0) - break; - SPL_NET(s); - WRITE_ENTER(&ipf_auth); - fr_authnext++; - if (fr_authnext == fr_authsize) - fr_authnext = 0; - RWLOCK_EXIT(&ipf_auth); - SPL_X(s); - return 0; - } - RWLOCK_EXIT(&ipf_auth); - /* - * We exit ipf_global here because a program that enters in - * here will have a lock on it and goto sleep having this lock. - * If someone were to do an 'ipf -D' the system would then - * deadlock. The catch with releasing it here is that the - * caller of this function expects it to be held when we - * return so we have to reacquire it in here. 
- */ - RWLOCK_EXIT(&ipf_global); - - MUTEX_ENTER(&ipf_authmx); -#ifdef _KERNEL -# if SOLARIS - error = 0; - if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk)) - error = EINTR; -# else /* SOLARIS */ -# ifdef __hpux - { - lock_t *l; - - l = get_sleep_lock(&fr_authnext); - error = sleep(&fr_authnext, PZERO+1); - spinunlock(l); - } -# else -# ifdef __osf__ - error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0, - &ipf_authmx, MS_LOCK_SIMPLE); -# else - error = SLEEP(&fr_authnext, "fr_authnext"); -# endif /* __osf__ */ -# endif /* __hpux */ -# endif /* SOLARIS */ -#endif - MUTEX_EXIT(&ipf_authmx); - READ_ENTER(&ipf_global); - if (error == 0) - goto fr_authioctlloop; + error = fr_authwait(data); break; case SIOCAUTHR: - error = fr_inobj(data, &auth, IPFOBJ_FRAUTH); - if (error != 0) - return error; - SPL_NET(s); - WRITE_ENTER(&ipf_auth); - i = au->fra_index; - fra = fr_auth + i; - error = 0; - if ((i < 0) || (i >= fr_authsize) || - (fra->fra_info.fin_id != au->fra_info.fin_id)) { - RWLOCK_EXIT(&ipf_auth); - SPL_X(s); - return ESRCH; - } - m = fr_authpkts[i]; - fra->fra_index = -2; - fra->fra_pass = au->fra_pass; - fr_authpkts[i] = NULL; - RWLOCK_EXIT(&ipf_auth); -#ifdef _KERNEL - if ((m != NULL) && (au->fra_info.fin_out != 0)) { -# ifdef MENTAT - error = ipf_inject(&fra->fra_info); - if (error != 0) { - FREE_MB_T(m); - error = ENOBUFS; - } -# else /* MENTAT */ -# if defined(linux) || defined(AIX) -# else -# if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199802) || \ - (defined(__OpenBSD__)) || \ - (defined(__sgi) && (IRIX >= 60500) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 470102))) - error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, - NULL); -# else - error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL); -# endif -# endif /* Linux */ -# endif /* MENTAT */ - if (error != 0) - fr_authstats.fas_sendfail++; - else - fr_authstats.fas_sendok++; - } else if (m) { -# ifdef MENTAT - error = ipf_inject(&fra->fra_info); - if (error != 0) { - FREE_MB_T(m); 
- error = ENOBUFS; - } -# else /* MENTAT */ -# if defined(linux) || defined(AIX) -# else -# if (__FreeBSD_version >= 501000) - netisr_dispatch(NETISR_IP, m); -# else -# if (IRIX >= 60516) - ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd; -# else - ifq = &ipintrq; -# endif - if (IF_QFULL(ifq)) { - IF_DROP(ifq); - FREE_MB_T(m); - error = ENOBUFS; - } else { - IF_ENQUEUE(ifq, m); -# if IRIX < 60500 - schednetisr(NETISR_IP); -# endif - } -# endif -# endif /* Linux */ -# endif /* MENTAT */ - if (error != 0) - fr_authstats.fas_quefail++; - else - fr_authstats.fas_queok++; - } else - error = EINVAL; - /* - * If we experience an error which will result in the packet - * not being processed, make sure we advance to the next one. - */ - if (error == ENOBUFS) { - fr_authused--; - fra->fra_index = -1; - fra->fra_pass = 0; - if (i == fr_authstart) { - while (fra->fra_index == -1) { - i++; - if (i == fr_authsize) - i = 0; - fr_authstart = i; - if (i == fr_authend) - break; - } - if (fr_authstart == fr_authend) { - fr_authnext = 0; - fr_authstart = fr_authend = 0; - } - } - } -#endif /* _KERNEL */ - SPL_X(s); + error = fr_authreply(data); break; default : @@ -603,9 +479,13 @@ fr_authioctlloop: } -/* - * Free all network buffer memory used to keep saved packets. - */ +/* ------------------------------------------------------------------------ */ +/* Function: fr_authunload */ +/* Returns: None */ +/* Parameters: None */ +/* */ +/* Free all network buffer memory used to keep saved packets. */ +/* ------------------------------------------------------------------------ */ void fr_authunload() { register int i; 
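Review bot: `case SIOCAUTHW:` now delegates to fr_authwait(), which (later in this diff) releases ipf_global around its sleep and re-takes it as a read lock before returning; nothing at this call site says so, and a caller holding ipf_global for write across the ioctl would have it silently downgraded. Add `/* fr_authwait() drops and re-acquires ipf_global (read) while sleeping */` above the call, and consider stating the same in the function header's Parameters/Locks block. The SIOCATHST mapping of any BCOPYOUT() failure to EFAULT is fine, but it assumes BCOPYOUT returns a value on every platform, which the ip_compat.h changes in this same commit only show for Solaris.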
@@ -659,17 +539,21 @@ void fr_authunload()
 }
-/*
- * Slowly expire held auth records. Timeouts are set
- * in expectation of this being called twice per second.
- */
+/* ------------------------------------------------------------------------ */
+/* Function: fr_authexpire */
+/* Returns: None */
+/* Parameters: None */
+/* */
+/* Slowly expire held auth records. Timeouts are set in expectation of */
+/* this being called twice per second. */
+/* ------------------------------------------------------------------------ */
 void fr_authexpire()
 {
- register int i;
- register frauth_t *fra;
- register frauthent_t *fae, **faep;
- register frentry_t *fr, **frp;
+ frauthent_t *fae, **faep;
+ frentry_t *fr, **frp;
+ frauth_t *fra;
 mb_t *m;
+ int i;
 SPL_INT(s);
 if (fr_auth_lock)
@@ -688,11 +572,13 @@ void fr_authexpire()
 }
 }
+ /*
+ * Expire pre-auth rules
+ */
 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
 fae->fae_age--;
 if (fae->fae_age == 0) {
- *faep = fae->fae_next;
- KFREE(fae);
+ fr_authderef(&fae);
 fr_authstats.fas_expire++;
 } else
 faep = &fae->fae_next;
@@ -713,6 +599,15 @@ void fr_authexpire()
 SPL_X(s);
 }
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_preauthcmd */
+/* Returns: int - 0 == success, else error */
+/* Parameters: cmd(I) - ioctl command for rule */
+/* fr(I) - pointer to ipf rule */
+/* fptr(I) - pointer to caller's 'fr' */
+/* */
+/* ------------------------------------------------------------------------ */
 int fr_preauthcmd(cmd, fr, frptr)
 ioctlcmd_t cmd;
 frentry_t *fr, **frptr;
@@ -723,7 +618,7 @@ frentry_t *fr, **frptr;
 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
 return EIO;
-
+
 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
 if (&fae->fae_fr == fr)
 break;
@@ -757,6 +652,7 @@ frentry_t *fr, **frptr;
 fae->fae_age = fr_defaultauthage;
 fae->fae_fr.fr_hits = 0;
 fae->fae_fr.fr_next = *frptr;
+ fae->fae_ref = 1;
 *frptr = &fae->fae_fr;
 fae->fae_next = *faep;
 *faep = fae;
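Review bot: Replacing `*faep = fae->fae_next; KFREE(fae);` with `fr_authderef(&fae);` loses the unlink: fr_authderef as added later in this diff only NULLs the caller's local pointer and frees the entry when fae_ref reaches zero, so the expired node stays on fae_list and the next iteration re-reads it through `*faep` — a use-after-free when it was just freed (fae_ref was 1), and when an iterator still holds a reference the node is visited again, its u_long fae_age wraps from 0 to ULONG_MAX and it never expires. Unlink before dropping the reference: `*faep = fae->fae_next;` immediately followed by `fr_authderef(&fae);`, leaving `faep` in place so the loop continues with the successor. The fr_authexpire body before this hunk (the fr_auth ring part) is outside the view and may need the same treatment if it was also converted.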
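Review bot: `fae->fae_ref = 1` initialises the new reference count when the pre-auth rule is linked, but the companion back pointer `fae_pnext` added to frauthent_t in ip_auth.h by this same change is never assigned here or anywhere else in view. If it is meant to let fr_authderef unlink in O(1), set it on insert: `fae->fae_pnext = faep;` and `if (fae->fae_next != NULL) fae->fae_next->fae_pnext = &fae->fae_next;`; otherwise the field is dead weight and should be dropped from the header. The SIOCRMAFR path of fr_preauthcmd is outside this hunk and would need the matching fix-up when an entry is removed.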
@@ -771,11 +667,18 @@ frentry_t *fr, **frptr; } -/* - * Flush held packets. - * Must already be properly SPL'ed and Locked on &ipf_auth. - * - */ +/* ------------------------------------------------------------------------ */ +/* Function: fr_authflush */ +/* Returns: int - number of auth entries flushed */ +/* Parameters: None */ +/* Locks: WRITE(ipf_auth) */ +/* */ +/* This function flushs the fr_authpkts array of any packet data with */ +/* references still there. */ +/* It is expected that the caller has already acquired the correct locks or */ +/* set the priority level correctly for this to block out other code paths */ +/* into these data structures. */ +/* ------------------------------------------------------------------------ */ int fr_authflush() { register int i, num_flushed; 
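Review bot: Typo in the new fr_authflush header: `This function flushs` should read `This function flushes`. The `Locks: WRITE(ipf_auth)` line is the important part of this comment and matches the SIOCATHST caller, which releases ipf_auth immediately after the call; the body of fr_authflush continues outside the hunk.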
@@ -807,7 +710,343 @@ int fr_authflush() } +/* ------------------------------------------------------------------------ */ +/* Function: fr_auth_waiting */ +/* Returns: int - 0 = no pakcets wiating, 1 = packets waiting. */ +/* Parameters: None */ +/* */ +/* Simple truth check to see if there are any packets waiting in the auth */ +/* queue. */ +/* ------------------------------------------------------------------------ */ int fr_auth_waiting() { - return (fr_authnext != fr_authend) && fr_authpkts[fr_authnext]; + return (fr_authused != 0); +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_authgeniter */ +/* Returns: int - 0 == success, else error */ +/* Parameters: token(I) - pointer to ipftoken structure */ +/* itp(I) - pointer to ipfgeniter structure */ +/* */ +/* ------------------------------------------------------------------------ */ +int fr_authgeniter(token, itp) +ipftoken_t *token; +ipfgeniter_t *itp; +{ + frauthent_t *fae, *next, zero; + int error; + + if (itp->igi_data == NULL) + return EFAULT; + + if (itp->igi_type != IPFGENITER_AUTH) + return EINVAL; + + fae = token->ipt_data; + READ_ENTER(&ipf_auth); + if (fae == NULL) { + next = fae_list; + } else { + next = fae->fae_next; + } + + if (next != NULL) { + /* + * If we find an auth entry to use, bump its reference count + * so that it can be used for is_next when we come back. + */ + ATOMIC_INC(next->fae_ref); + if (next->fae_next == NULL) { + ipf_freetoken(token); + token = NULL; + } else { + token->ipt_data = next; + } + } else { + bzero(&zero, sizeof(zero)); + next = &zero; + } + RWLOCK_EXIT(&ipf_auth); + + /* + * If we had a prior pointer to an auth entry, release it. + */ + if (fae != NULL) { + WRITE_ENTER(&ipf_auth); + fr_authderef(&fae); + RWLOCK_EXIT(&ipf_auth); + } + + /* + * This should arguably be via fr_outobj() so that the auth + * structure can (if required) be massaged going out. 
+ */ + error = COPYOUT(next, itp->igi_data, sizeof(*next)); + if (error != 0) + error = EFAULT; + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_authderef */ +/* Returns: None */ +/* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ +/* Locks: WRITE(ipf_auth) */ +/* */ +/* This function unconditionally sets the pointer in the caller to NULL, */ +/* to make it clear that it should no longer use that pointer, and drops */ +/* the reference count on the structure by 1. If it reaches 0, free it up. */ +/* ------------------------------------------------------------------------ */ +void fr_authderef(faep) +frauthent_t **faep; +{ + frauthent_t *fae; + + fae = *faep; + *faep = NULL; + + fae->fae_ref--; + if (fae->fae_ref == 0) { + KFREE(fae); + } +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_authwait */ +/* Returns: int - 0 == success, else error */ +/* Parameters: data(I) - pointer to data from ioctl call */ +/* */ +/* This function is called when an application is waiting for a packet to */ +/* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ +/* a packet waiting on the queue then we will return that _one_ immediately.*/ +/* If there are no packets present in the queue (fr_authpkts) then we go to */ +/* sleep. */ +/* ------------------------------------------------------------------------ */ +int fr_authwait(data) +char *data; +{ + frauth_t auth, *au = &auth; + int error, len, i; + mb_t *m; + char *t; +#if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \ + (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000)) + SPL_INT(s); +#endif + +fr_authioctlloop: + error = fr_inobj(data, au, IPFOBJ_FRAUTH); + if (error != 0) + return error; + + /* + * XXX Locks are held below over calls to copyout...a better + * solution needs to be found so this isn't necessary. 
The situation + * we are trying to guard against here is an error in the copyout + * steps should not cause the packet to "disappear" from the queue. + */ + READ_ENTER(&ipf_auth); + + /* + * If fr_authnext is not equal to fr_authend it will be because there + * is a packet waiting to be delt with in the fr_authpkts array. We + * copy as much of that out to user space as requested. + */ + if (fr_authused > 0) { + while (fr_authpkts[fr_authnext] == NULL) { + fr_authnext++; + if (fr_authnext == fr_authsize) + fr_authnext = 0; + } + + error = fr_outobj(data, &fr_auth[fr_authnext], IPFOBJ_FRAUTH); + if (error != 0) + return error; + + if (auth.fra_len != 0 && auth.fra_buf != NULL) { + /* + * Copy packet contents out to user space if + * requested. Bail on an error. + */ + m = fr_authpkts[fr_authnext]; + len = MSGDSIZE(m); + if (len > auth.fra_len) + len = auth.fra_len; + auth.fra_len = len; + + for (t = auth.fra_buf; m && (len > 0); ) { + i = MIN(M_LEN(m), len); + error = copyoutptr(MTOD(m, char *), &t, i); + len -= i; + t += i; + if (error != 0) + return error; + m = m->m_next; + } + } + RWLOCK_EXIT(&ipf_auth); + + SPL_NET(s); + WRITE_ENTER(&ipf_auth); + fr_authnext++; + if (fr_authnext == fr_authsize) + fr_authnext = 0; + RWLOCK_EXIT(&ipf_auth); + SPL_X(s); + + return 0; + } + RWLOCK_EXIT(&ipf_auth); + + /* + * We exit ipf_global here because a program that enters in + * here will have a lock on it and goto sleep having this lock. + * If someone were to do an 'ipf -D' the system would then + * deadlock. The catch with releasing it here is that the + * caller of this function expects it to be held when we + * return so we have to reacquire it in here. 
+ */ + RWLOCK_EXIT(&ipf_global); + + MUTEX_ENTER(&ipf_authmx); +#ifdef _KERNEL +# if SOLARIS + error = 0; + if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk)) + error = EINTR; +# else /* SOLARIS */ +# ifdef __hpux + { + lock_t *l; + + l = get_sleep_lock(&fr_authnext); + error = sleep(&fr_authnext, PZERO+1); + spinunlock(l); + } +# else +# ifdef __osf__ + error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0, + &ipf_authmx, MS_LOCK_SIMPLE); +# else + error = SLEEP(&fr_authnext, "fr_authnext"); +# endif /* __osf__ */ +# endif /* __hpux */ +# endif /* SOLARIS */ +#endif + MUTEX_EXIT(&ipf_authmx); + READ_ENTER(&ipf_global); + if (error == 0) + goto fr_authioctlloop; + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_authreply */ +/* Returns: int - 0 == success, else error */ +/* Parameters: data(I) - pointer to data from ioctl call */ +/* */ +/* This function is called by an application when it wants to return a */ +/* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ +/* received information using an SIOCAUTHW. The decision returned in the */ +/* form of flags, the same as those used in each rule. */ +/* ------------------------------------------------------------------------ */ +int fr_authreply(data) +char *data; +{ + frauth_t auth, *au = &auth, *fra; + int error, i; + mb_t *m; + SPL_INT(s); + + error = fr_inobj(data, &auth, IPFOBJ_FRAUTH); + if (error != 0) + return error; + + SPL_NET(s); + WRITE_ENTER(&ipf_auth); + + i = au->fra_index; + fra = fr_auth + i; + error = 0; + + /* + * Check the validity of the information being returned with two simple + * checks. First, the auth index value should be within the size of + * the array and second the packet id being returned should also match. 
+ */ + if ((i < 0) || (i >= fr_authsize) || + (fra->fra_info.fin_id != au->fra_info.fin_id)) { + RWLOCK_EXIT(&ipf_auth); + SPL_X(s); + return ESRCH; + } + + m = fr_authpkts[i]; + fra->fra_index = -2; + fra->fra_pass = au->fra_pass; + fr_authpkts[i] = NULL; + + RWLOCK_EXIT(&ipf_auth); + + /* + * Re-insert the packet back into the packet stream flowing through + * the kernel in a manner that will mean IPFilter sees the packet + * again. This is not the same as is done with fastroute, + * deliberately, as we want to resume the normal packet processing + * path for it. + */ +#ifdef _KERNEL + if ((m != NULL) && (au->fra_info.fin_out != 0)) { + error = ipf_inject(&fra->fra_info, m); + if (error != 0) { + error = ENOBUFS; + fr_authstats.fas_sendfail++; + } else { + fr_authstats.fas_sendok++; + } + } else if (m) { + error = ipf_inject(&fra->fra_info, m); + if (error != 0) { + error = ENOBUFS; + fr_authstats.fas_quefail++; + } else { + fr_authstats.fas_queok++; + } + } else { + error = EINVAL; + } + + /* + * If we experience an error which will result in the packet + * not being processed, make sure we advance to the next one. + */ + if (error == ENOBUFS) { + fr_authused--; + fra->fra_index = -1; + fra->fra_pass = 0; + if (i == fr_authstart) { + while (fra->fra_index == -1) { + i++; + if (i == fr_authsize) + i = 0; + fr_authstart = i; + if (i == fr_authend) + break; + } + if (fr_authstart == fr_authend) { + fr_authnext = 0; + fr_authstart = fr_authend = 0; + } + } + } +#endif /* _KERNEL */ + SPL_X(s); + + return 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h index a480c5df1b04..d2e73d32a82e 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.h +++ b/sys/contrib/ipfilter/netinet/ip_auth.h @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * $FreeBSD$ - * Id: ip_auth.h,v 2.16.2.2 2006/03/16 06:45:49 darrenr Exp $ + * Id: ip_auth.h,v 2.16.2.3 2006/07/14 06:12:05 darrenr Exp $ * */ #ifndef __IP_AUTH_H__ 
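Review bot: fr_authwait() returns with ipf_auth still read-locked on both early error paths — the `if (error != 0) return error;` after fr_outobj() and the one inside the copyoutptr() loop both sit between `READ_ENTER(&ipf_auth)` and the `RWLOCK_EXIT(&ipf_auth)` that follows the loop — so one bad user buffer passed to SIOCAUTHW leaves the lock held and the next WRITE_ENTER in fr_newauth or fr_authreply blocks forever; both returns need `RWLOCK_EXIT(&ipf_auth);` in front of them. In fr_authgeniter() the reference taken with `ATOMIC_INC(next->fae_ref)` is never released when `next->fae_next == NULL` (the token is freed instead of recording `next`), so the last pre-auth entry can never reach a zero count, and if ipf_freetoken() also releases token->ipt_data the later `fr_authderef(&fae)` drops that reference a second time. The same function COPYOUTs a raw frauthent_t, whose fae_next/fae_pnext and embedded frentry_t carry kernel pointers to user space; routing it through fr_outobj() as the comment already suggests would allow them to be scrubbed. In fr_authreply() the fr_authused/fr_authstart bookkeeping on the ENOBUFS path runs after `RWLOCK_EXIT(&ipf_auth)`, racing with fr_newauth()'s write-locked updates of the same variables. Finally, fr_authreply clears `fr_authpkts[i]` on success without touching fr_authused, so if that counter is only reconciled later (by fr_authexpire, outside this view) a concurrent SIOCAUTHW can spin in `while (fr_authpkts[fr_authnext] == NULL)` under the read lock with no slot to find.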
@@ -30,7 +30,9 @@ typedef struct frauth {
 typedef struct frauthent {
 struct frentry fae_fr;
 struct frauthent *fae_next;
+ struct frauthent **fae_pnext;
 u_long fae_age;
+ int fae_ref;
 } frauthent_t;
 typedef struct fr_authstat {
@@ -63,7 +65,7 @@ extern int fr_authflush __P((void));
 extern mb_t **fr_authpkts;
 extern int fr_newauth __P((mb_t *, fr_info_t *));
 extern int fr_preauthcmd __P((ioctlcmd_t, frentry_t *, frentry_t **));
-extern int fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int));
+extern int fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *));
 extern int fr_auth_waiting __P((void));
 #endif /* __IP_AUTH_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h
index ebf8fbe4cb3d..97c9d7e22016 100644
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@@ -5,7 +5,7 @@
 *
 * @(#)ip_compat.h 1.8 1/14/96
 * $FreeBSD$
- * Id: ip_compat.h,v 2.142.2.36 2006/03/26 05:50:29 darrenr Exp $
+ * Id: ip_compat.h,v 2.142.2.57 2007/10/10 09:51:42 darrenr Exp $
 */
 #ifndef __IP_COMPAT_H__
@@ -35,7 +35,7 @@
 #ifndef SOLARIS
 #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 #endif
-#if defined(SOLARIS2) && SOLARIS2 >= 8
+#if (defined(SOLARIS2) && (SOLARIS2 >= 8))
 # ifndef USE_INET6
 # define USE_INET6
 # endif
@@ -169,6 +169,11 @@ struct file;
 # ifdef i386
 # define _SYS_PROMIF_H
 # endif
+# ifndef _KERNEL
+# include "radix_ipf.h"
+# else
+# include "radix_ipf_local.h"
+# endif
 # include
 # undef COPYOUT
 # include
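Review bot: The two new frauthent_t members carry no comment, and their use in ip_auth.c in this same change is non-obvious: fae_ref is bumped with ATOMIC_INC under a read lock by the iterator and decremented with a plain `--` under the write lock in fr_authderef, while fae_pnext is not assigned anywhere in view. Suggested field comments: `struct frauthent **fae_pnext; /* back pointer for O(1) unlink; must be maintained on insert/remove */` and `int fae_ref; /* list membership + live iterator tokens; decrement only under WRITE(ipf_auth) */`. If fae_pnext is not going to be maintained in this release, leave it out rather than shipping an unused ABI field.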
@@ -201,9 +206,29 @@ typedef unsigned int u_32_t; # ifdef _KERNEL # define KRWLOCK_T krwlock_t # define KMUTEX_T kmutex_t -# include "qif.h" -# include "pfil.h" -# if defined(SOLARIS2) && SOLARIS2 >= 6 + +# if !defined(FW_HOOKS) +# include "qif.h" +# include "pfil.h" +# else +# include + +extern net_data_t ipfipv4; +extern net_data_t ipfipv6; + +typedef struct qpktinfo { + void *qpi_data; + mblk_t **qpi_mp; + mblk_t *qpi_m; + uintptr_t qpi_real; + int qpi_flags; + int qpi_num; + int qpi_off; +} qpktinfo_t; +# define QF_GROUP 0x01 +# endif + +# if SOLARIS2 >= 6 # if SOLARIS2 == 6 # define ATOMIC_INCL(x) atomic_add_long((uint32_t*)&(x), 1) # define ATOMIC_DECL(x) atomic_add_long((uint32_t*)&(x), -1) @@ -239,11 +264,12 @@ typedef unsigned int u_32_t; # define MUTEX_EXIT(x) mutex_exit(&(x)->ipf_lk) # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYIN(a,b,c) (void) copyin((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) (void) copyout((caddr_t)(a), (caddr_t)(b), (c)) +# define BCOPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) +# define BCOPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) # define KFREE(x) kmem_free((char *)(x), sizeof(*(x))) # define KFREES(x,s) kmem_free((char *)(x), (s)) +# define SPL_SCHED(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; # undef SPL_X 
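Review bot: After dropping the `(void)` casts the Solaris BCOPYIN/BCOPYOUT macros are now textually identical to COPYIN/COPYOUT two lines above, while the BSD definitions of the B* variants are deleted elsewhere in this change; a short comment on what the B* family is still meant to distinguish, or simply `# define BCOPYOUT(a,b,c) COPYOUT(a,b,c)`, would keep the two from drifting apart again. The callers that now assign the result (SIOCATHST in ip_auth.c) rely on it being an int on every platform, which only this Solaris block demonstrates.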
@@ -259,10 +285,24 @@ typedef unsigned int u_32_t; # define GET_MINOR(x) getminor(x) extern void *get_unit __P((char *, int)); # define GETIFP(n, v) get_unit(n, v) -# define IFNAME(x) ((qif_t *)x)->qf_name -# define COPYIFNAME(x, b) \ +# if defined(_INET_IP_STACK_H) +# define COPYIFNAME(v, x, b) \ + do { \ + if ((v) == 4) { \ + (void) net_getifname(ipfipv4,\ + (uintptr_t)x, b, \ + LIFNAMSIZ); \ + } else { \ + (void) net_getifname(ipfipv6,\ + (uintptr_t)x, b, \ + LIFNAMSIZ); \ + } \ + } while (0) +# else +# define COPYIFNAME(v, x, b) \ (void) strncpy(b, ((qif_t *)x)->qf_name, \ LIFNAMSIZ) +# endif # define GETKTIME(x) uniqtime((struct timeval *)x) # define MSGDSIZE(x) msgdsize(x) # define M_LEN(x) ((x)->b_wptr - (x)->b_rptr) @@ -271,7 +311,11 @@ extern void *get_unit __P((char *, int)); # define MTYPE(m) ((m)->b_datap->db_type) # define FREE_MB_T(m) freemsg(m) # define m_next b_cont -# define CACHE_HASH(x) (((qpktinfo_t *)(x)->fin_qpi)->qpi_num & 7) +# if !defined(_INET_IP_STACK_H) +# define CACHE_HASH(x) (((qpktinfo_t *)(x)->fin_qpi)->qpi_num & 7) +# else +# define CACHE_HASH(x) ((uintptr_t)(x)->fin_ifp & 7) +# endif # define IPF_PANIC(x,y) if (x) { printf y; cmn_err(CE_PANIC, "ipf_panic"); } typedef mblk_t mb_t; # endif /* _KERNEL */ 
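Review bot: In the `_INET_IP_STACK_H` variant of COPYIFNAME the return value of net_getifname() is discarded with `(void)`, so a failed lookup leaves the destination buffer `b` holding whatever was there before — and fr_newauth copies that buffer into a frauth_t that SIOCAUTHW hands to user space via fr_outobj(). Zero the buffer as the first statement of the do/while, `(void) bzero(b, LIFNAMSIZ);`, or have the macro report the failure; the strncpy branch is unchanged context and has its own well-known termination caveat.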
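Review bot: `CACHE_HASH(x) ((uintptr_t)(x)->fin_ifp & 7)` hashes on the three low bits of a kernel pointer, which for any 8-byte (or larger) aligned allocation are always zero, so every interface lands in bucket 0 and the cache degenerates into a single chain. Shift past the alignment bits first, e.g. `(((uintptr_t)(x)->fin_ifp >> 4) & 7)`, or key on a stable interface index if the new stack exposes one, to keep the spread the qpi_num-based version had.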
@@ -416,21 +460,14 @@ typedef struct iplog_select_s { # define RW_DESTROY(x) # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# if HPUXREV >= 1111 -# define BCOPYIN(a,b,c) 0; bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) 0; bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# else -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# endif +# define SPL_SCHED(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; # undef SPL_X # define SPL_X(x) ; extern void *get_unit __P((char *, int)); # define GETIFP(n, v) get_unit(n, v) -# define IFNAME(x, b) ((ill_t *)x)->ill_name -# define COPYIFNAME(x, b) \ +# define COPYIFNAME(v, x, b) \ (void) strncpy(b, ((qif_t *)x)->qf_name, \ LIFNAMSIZ) # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) @@ -575,8 +612,6 @@ typedef struct { # define MTOD(m,t) mtod(m,t) # define COPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) # define COPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) -# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) -# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) # define SLEEP(id, n) sleep((id), PZERO+1) # define WAKEUP(id,x) wakeup(id+x) @@ -592,6 +627,7 @@ typedef struct { # define USE_SPL 1 # define SPL_IMP(x) (x) = splimp() # define SPL_NET(x) (x) = splnet() +# define SPL_SCHED(x) (x) = splsched() # define SPL_X(x) (void) splx(x) extern void m_copydata __P((struct mbuf *, int, int, caddr_t)); extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); 
@@ -599,6 +635,7 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); # define M_LEN(x) (x)->m_len # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) # define GETKTIME(x) microtime((struct timeval *)x) +# define IFNAME(x) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); } @@ -652,6 +689,7 @@ typedef struct mbuf mb_t; simple_unlock(&ipf_rw); } # define ATOMIC_DEC(x) { simple_lock(&ipf_rw); (x)--; \ simple_unlock(&ipf_rw); } +# define SPL_SCHED(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; # undef SPL_X @@ -665,8 +703,6 @@ typedef struct mbuf mb_t; # define POLLWAKEUP(x) ; # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFILT, M_NOWAIT) # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFILT, \ ((c) > 4096) ? M_WAITOK : M_NOWAIT) @@ -676,6 +712,7 @@ typedef struct mbuf mb_t; # define M_LEN(x) (x)->m_len # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) # define GETKTIME(x) microtime((struct timeval *)x) +# define IFNAME(x) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); } 
@@ -719,6 +756,14 @@ typedef unsigned int u_32_t; /* N E T B S D */ /* ----------------------------------------------------------------------- */ #ifdef __NetBSD__ +# if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL) +# include "opt_ipfilter.h" +# endif +# if defined(_KERNEL) +# include +# else +# include +# endif # if defined(_KERNEL) && !defined(IPFILTER_LKM) # include "bpfilter.h" # if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 104110000) @@ -732,7 +777,14 @@ typedef unsigned int u_32_t; # endif # endif +# if (__NetBSD_Version__ >= 499000000) +typedef char * caddr_t; +# endif + # ifdef _KERNEL +# if (__NetBSD_Version__ >= 399001400) +# define KMALLOCS(a, b, c) (a) = (b)malloc((c), _M_IPF, M_NOWAIT) +# endif # define MSGDSIZE(x) mbufchainlen(x) # define M_LEN(x) (x)->m_len # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) @@ -740,22 +792,20 @@ typedef unsigned int u_32_t; # define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); } # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) typedef struct mbuf mb_t; # endif /* _KERNEL */ # if (NetBSD <= 1991011) && (NetBSD >= 199606) # define IFNAME(x) ((struct ifnet *)x)->if_xname -# define COPYIFNAME(x, b) \ +# define COPYIFNAME(v, x, b) \ (void) strncpy(b, \ ((struct ifnet *)x)->if_xname, \ LIFNAMSIZ) # define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index)&7) # else +# define IFNAME(x) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # endif - typedef struct uio uio_t; typedef u_long ioctlcmd_t; typedef int minor_t; 
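Review bot: The NetBSD-specific `# define KMALLOCS(a, b, c)` for `__NetBSD_Version__ >= 399001400` is added without an `#undef`/`#ifndef` guard; if the generic KMALLOCS definition further down this file (outside the view) is unconditional, this yields a redefinition warning and the surviving definition depends on ordering. Likewise `typedef char * caddr_t;` at file scope in a widely included compat header for `__NetBSD_Version__ >= 499000000` will collide with any system header in that range that still supplies caddr_t; a comment naming the NetBSD change it works around, e.g. `/* caddr_t was removed from <sys/types.h> in NetBSD 4.99.x */`, would let it be retired cleanly.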
@@ -797,8 +847,6 @@ typedef u_int32_t u_32_t; # endif # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # if (__FreeBSD_version >= 500043) # define NETBSD_PF 
@@ -807,24 +855,66 @@ typedef u_int32_t u_32_t; # if (__FreeBSD_version >= 500043) # include -# include +# if (__FreeBSD_version > 700014) +# include +# define KRWLOCK_T struct rwlock +# ifdef _KERNEL +# define READ_ENTER(x) rw_rlock(&(x)->ipf_lk) +# define WRITE_ENTER(x) rw_wlock(&(x)->ipf_lk) +# define MUTEX_DOWNGRADE(x) rw_downgrade(&(x)->ipf_lk) +# define RWLOCK_INIT(x, y) rw_init(&(x)->ipf_lk, (y)) +# define RW_DESTROY(x) rw_destroy(&(x)->ipf_lk) +# define RWLOCK_EXIT(x) do { \ + if (rw_wowned(&(x)->ipf_lk)) \ + rw_wunlock(&(x)->ipf_lk); \ + else \ + rw_runlock(&(x)->ipf_lk); \ + } while (0) +# endif +# else +# include /* * Whilst the sx(9) locks on FreeBSD have the right semantics and interface * for what we want to use them for, despite testing showing they work - * with a WITNESS kernel, it generates LOR messages. */ -# define KMUTEX_T struct mtx -# if 1 -# define KRWLOCK_T struct mtx -# else -# define KRWLOCK_T struct sx +# ifdef _KERNEL +# if (__FreeBSD_version < 700000) +# define KRWLOCK_T struct mtx +# define READ_ENTER(x) mtx_lock(&(x)->ipf_lk) +# define WRITE_ENTER(x) mtx_lock(&(x)->ipf_lk) +# define RWLOCK_EXIT(x) mtx_unlock(&(x)->ipf_lk) +# define MUTEX_DOWNGRADE(x) ; +# define RWLOCK_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\ + MTX_DEF) +# define RW_DESTROY(x) mtx_destroy(&(x)->ipf_lk) +# else +# define KRWLOCK_T struct sx +# define READ_ENTER(x) sx_slock(&(x)->ipf_lk) +# define WRITE_ENTER(x) sx_xlock(&(x)->ipf_lk) +# define MUTEX_DOWNGRADE(x) sx_downgrade(&(x)->ipf_lk) +# define RWLOCK_INIT(x, y) sx_init(&(x)->ipf_lk, (y)) +# define RW_DESTROY(x) sx_destroy(&(x)->ipf_lk) +# ifdef sx_unlock +# define RWLOCK_EXIT(x) sx_unlock(&(x)->ipf_lk) +# else +# define RWLOCK_EXIT(x) do { \ + if ((x)->ipf_lk.sx_cnt < 0) \ + sx_xunlock(&(x)->ipf_lk); \ + else \ + sx_sunlock(&(x)->ipf_lk); \ + } while (0) +# endif +# endif +# endif # endif +# define KMUTEX_T struct mtx # endif # if (__FreeBSD_version >= 501113) # include # define IFNAME(x) ((struct ifnet 
*)x)->if_xname -# define COPYIFNAME(x, b) \ +# define COPYIFNAME(v, x, b) \ (void) strncpy(b, \ ((struct ifnet *)x)->if_xname, \ LIFNAMSIZ) @@ -832,6 +922,7 @@ typedef u_int32_t u_32_t; # if (__FreeBSD_version >= 500043) # define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index) & 7) # else +# define IFNAME(x) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # endif @@ -853,36 +944,6 @@ typedef u_int32_t u_32_t; MTX_DEF) # define MUTEX_DESTROY(x) mtx_destroy(&(x)->ipf_lk) # define MUTEX_NUKE(x) bzero((x), sizeof(*(x))) -/* - * Whilst the sx(9) locks on FreeBSD have the right semantics and interface - * for what we want to use them for, despite testing showing they work - - * with a WITNESS kernel, it generates LOR messages. - */ -# if 1 -# define READ_ENTER(x) mtx_lock(&(x)->ipf_lk) -# define WRITE_ENTER(x) mtx_lock(&(x)->ipf_lk) -# define RWLOCK_EXIT(x) mtx_unlock(&(x)->ipf_lk) -# define MUTEX_DOWNGRADE(x) ; -# define RWLOCK_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\ - MTX_DEF) -# define RW_DESTROY(x) mtx_destroy(&(x)->ipf_lk) -# else -# define READ_ENTER(x) sx_slock(&(x)->ipf_lk) -# define WRITE_ENTER(x) sx_xlock(&(x)->ipf_lk) -# define MUTEX_DOWNGRADE(x) sx_downgrade(&(x)->ipf_lk) -# define RWLOCK_INIT(x, y) sx_init(&(x)->ipf_lk, (y)) -# define RW_DESTROY(x) sx_destroy(&(x)->ipf_lk) -# ifdef sx_unlock -# define RWLOCK_EXIT(x) sx_unlock(x) -# else -# define RWLOCK_EXIT(x) do { \ - if ((x)->ipf_lk.sx_cnt < 0) \ - sx_xunlock(&(x)->ipf_lk); \ - else \ - sx_sunlock(&(x)->ipf_lk); \ - } while (0) -# endif -# endif # include # define ATOMIC_INC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)++; \ mtx_unlock(&ipf_rw.ipf_lk); } 
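Review bot: The retained comment that sx(9) locks "generate LOR messages" with a WITNESS kernel now sits directly above a branch that does use `sx_slock`/`sx_xlock` for `__FreeBSD_version` from 700000 up to 700014, so the comment contradicts the code beneath it. It should be reworded to say which versions use which primitive and why, e.g. `/* < 700000: mtx (sx produced LORs under WITNESS); 700000..700014: sx; > 700014: rw(9) */`. The pre-700000 `MUTEX_DOWNGRADE(x) ;` is safe because the lock simply stays exclusive, but a short comment saying so would stop someone "fixing" it later. This hunk starts on the previous chunk line, so the surrounding `#if (__FreeBSD_version >= 500043)` nesting is only partly visible here.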
@@ -890,16 +951,19 @@ typedef u_int32_t u_32_t; mtx_unlock(&ipf_rw.ipf_lk); } # define ATOMIC_INCL(x) atomic_add_long(&(x), 1) # define ATOMIC_INC64(x) ATOMIC_INC(x) -# define ATOMIC_INC32(x) atomic_add_32(&(x), 1) +# define ATOMIC_INC32(x) atomic_add_32((u_int *)&(x), 1) # define ATOMIC_INC16(x) atomic_add_16(&(x), 1) # define ATOMIC_DECL(x) atomic_add_long(&(x), -1) # define ATOMIC_DEC64(x) ATOMIC_DEC(x) -# define ATOMIC_DEC32(x) atomic_add_32(&(x), -1) +# define ATOMIC_DEC32(x) atomic_add_32((u_int *)&(x), -1) # define ATOMIC_DEC16(x) atomic_add_16(&(x), -1) # define SPL_X(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; +# define SPL_SCHED(x) ; extern int in_cksum __P((struct mbuf *, int)); +# else +# define SPL_SCHED(x) x = splhigh() # endif /* __FreeBSD_version >= 500043 */ # define MSGDSIZE(x) mbufchainlen(x) # define M_LEN(x) (x)->m_len @@ -956,8 +1020,6 @@ typedef u_int32_t u_32_t; # endif # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # define GETKTIME(x) microtime((struct timeval *)x) # define MSGDSIZE(x) mbufchainlen(x) # define M_LEN(x) (x)->m_len @@ -967,12 +1029,13 @@ typedef struct mbuf mb_t; # endif /* _KERNEL */ # if (OpenBSD >= 199603) # define IFNAME(x, b) ((struct ifnet *)x)->if_xname -# define COPYIFNAME(x, b) \ +# define COPYIFNAME(v, x, b) \ (void) strncpy(b, \ ((struct ifnet *)x)->if_xname, \ LIFNAMSIZ) # define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index)&7) # else +# define IFNAME(x, b) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # endif 
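Review bot: The `(u_int *)` cast added to `ATOMIC_INC32`/`ATOMIC_DEC32` makes the macros accept any lvalue, so a counter that is not 32 bits wide would be modified through the wrong width instead of being rejected by the compiler. Presumably the cast only reconciles the `u_32_t` typedef with `atomic_add_32`'s parameter type; a comment recording that constraint, `/* x must be a 32-bit counter; the cast only matches atomic_add_32's parameter type */`, would keep the requirement visible. The new `SPL_SCHED(x) x = splhigh()` fallback for pre-500043 kernels also deserves a note on why `splhigh()` is used rather than a scheduler-level spl, since the generic default later in this file (`@@ -1599,6 +1669,9 @@`) is `splsched()`.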
@@ -1000,6 +1063,7 @@ typedef u_int32_t u_32_t; # define MSGDSIZE(x) mbufchainlen(x) # define M_LEN(x) (x)->m_len # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) +# define IFNAME(x, b) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) typedef struct mbuf mb_t; @@ -1026,6 +1090,7 @@ typedef u_int32_t u_32_t; # define MSGDSIZE(x) mbufchainlen(x) # define M_LEN(x) (x)->m_len # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) +# define IFNAME(x, b) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # define GETIFP(n, v) ifunit(n, IFNAMSIZ) @@ -1059,7 +1124,7 @@ typedef unsigned int u_32_t; #if defined(linux) && !defined(OS_RECOGNISED) #include #include -# if LINUX >= 20600 +# if (LINUX >= 20600) && defined(_KERNEL) # define HDR_T_PRIVATE 1 # endif # undef USE_INET6 @@ -1072,16 +1137,18 @@ struct ip6_ext { # ifdef _KERNEL # define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); } -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # define COPYIN(a,b,c) copy_from_user((caddr_t)(b), (caddr_t)(a), (c)) # define COPYOUT(a,b,c) copy_to_user((caddr_t)(b), (caddr_t)(a), (c)) # define FREE_MB_T(m) kfree_skb(m) # define GETKTIME(x) do_gettimeofday((struct timeval *)x) -# define SLEEP(x,s) 0, interruptible_sleep_on(x##_linux) # define POLLWAKEUP(x) ; -# define WAKEUP(x,y) wake_up(x##_linux + y) -# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d) +# ifdef wait_event_interruptible +# define SLEEP(x,s) wait_event_interruptible((*(x##_linux)), 0) +# else +# define SLEEP(x,s) 0, interruptible_sleep_on(x##_linux) +# endif +# define WAKEUP(x,y) wake_up(x##_linux + y) +# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) # define USE_MUTEXES # define KRWLOCK_T rwlock_t # define KMUTEX_T spinlock_t 
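Review bot: `SLEEP(x,s)` defined as `wait_event_interruptible((*(x##_linux)), 0)` can only return when a signal is pending, because that Linux macro re-checks its condition after every wake-up and `0` is never true; the paired `WAKEUP(x,y) wake_up(x##_linux + y)` would then fail to end the sleep. If the intent is a plain interruptible sleep that any `wake_up` terminates, the condition needs to be a real flag that the waker sets, or the `interruptible_sleep_on` path should stay the only one. At minimum a comment should state that a sleeper here exits only on signal so the behaviour is not mistaken for a bug elsewhere. The enclosing `# ifdef _KERNEL` block continues past this hunk.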
@@ -1092,7 +1159,7 @@ struct ip6_ext { # define MUTEX_NUKE(x) bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk)) # define READ_ENTER(x) ipf_read_enter(x) # define WRITE_ENTER(x) ipf_write_enter(x) -# define RWLOCK_INIT(x,y) rwlock_init(&(x)->ipf_lk) +# define RWLOCK_INIT(x,y) ipf_rw_init(x, y) # define RW_DESTROY(x) do { } while (0) # define RWLOCK_EXIT(x) ipf_rw_exit(x) # define MUTEX_DOWNGRADE(x) ipf_rw_downgrade(x) @@ -1112,6 +1179,7 @@ struct ip6_ext { MUTEX_EXIT(&ipf_rw) # define ATOMIC_DEC16(x) MUTEX_ENTER(&ipf_rw); (x)--; \ MUTEX_EXIT(&ipf_rw) +# define SPL_SCHED(x) do { } while (0) # define SPL_IMP(x) do { } while (0) # define SPL_NET(x) do { } while (0) # define SPL_X(x) do { } while (0) @@ -1174,7 +1242,7 @@ struct ifnet { # endif /* _KERNEL */ -# define COPYIFNAME(x, b) \ +# define COPYIFNAME(v, x, b) \ (void) strncpy(b, \ ((struct ifnet *)x)->if_xname, \ LIFNAMSIZ) @@ -1261,6 +1329,7 @@ typedef u_int32_t u_32_t; MUTEX_EXIT(&ipf_rw); } # define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \ MUTEX_EXIT(&ipf_rw); } +# define SPL_SCHED(x) x = splsched() # define SPL_NET(x) x = splnet() # define SPL_IMP(x) x = splimp() # undef SPL_X @@ -1274,8 +1343,6 @@ extern void* getifp __P((char *, int)); # define POLLWAKEUP(x) ; # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) -# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT) # define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, \ ((c) > 4096) ? M_WAITOK : M_NOWAIT) @@ -1285,6 +1352,7 @@ extern void* getifp __P((char *, int)); # define M_LEN(x) (x)->m_len # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) # define GETKTIME(x) +# define IFNAME(x, b) ((struct ifnet *)x)->if_name # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) # define IPF_PANIC(x,y) 
@@ -1352,7 +1420,7 @@ typedef struct { u_int eMm_magic; int eMm_held; int eMm_heldat; -#ifdef __hpux +#if defined(__hpux) || defined(__linux) char eMm_fill[8]; #endif } eMmutex_t; @@ -1411,6 +1479,7 @@ typedef union { extern void ipf_read_enter __P((ipfrwlock_t *)); extern void ipf_write_enter __P((ipfrwlock_t *)); extern void ipf_rw_exit __P((ipfrwlock_t *)); +extern void ipf_rw_init __P((ipfrwlock_t *, char *)); extern void ipf_rw_downgrade __P((ipfrwlock_t *)); #endif @@ -1439,6 +1508,7 @@ typedef struct mb_s { # define POLLWAKEUP(y) ; # define IPF_PANIC(x,y) ; # define PANIC(x,y) ; +# define SPL_SCHED(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; # define SPL_X(x) ; @@ -1449,14 +1519,12 @@ typedef struct mb_s { # define GETIFP(x, v) get_unit(x,v) # define COPYIN(a,b,c) bcopywrap((a), (b), (c)) # define COPYOUT(a,b,c) bcopywrap((a), (b), (c)) -# define BCOPYIN(a,b,c) (bcopy((a), (b), (c)), 0) -# define BCOPYOUT(a,b,c) (bcopy((a), (b), (c)), 0) # define COPYDATA(m, o, l, b) bcopy(MTOD((mb_t *)m, char *) + (o), \ (b), (l)) # define COPYBACK(m, o, l, b) bcopy((b), \ MTOD((mb_t *)m, char *) + (o), \ (l)) -# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d) +# define UIOMOVE(a,b,c,d) ipfuiomove((caddr_t)a,b,c,d) extern void m_copydata __P((mb_t *, int, int, caddr_t)); extern int ipfuiomove __P((caddr_t, int, int, struct uio *)); extern int bcopywrap __P((void *, void *, size_t)); 
@@ -1581,10 +1649,12 @@ MALLOC_DECLARE(M_IPFILTER); # endif /* M_PFIL */ # endif /* IPFILTER_M_IPFILTER */ # define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), _M_IPF, M_NOWAIT) -# define KMALLOCS(a, b, c) MALLOC((a), b, (c), _M_IPF, M_NOWAIT) +# if !defined(KMALLOCS) +# define KMALLOCS(a, b, c) MALLOC((a), b, (c), _M_IPF, M_NOWAIT) +# endif # define KFREE(x) FREE((x), _M_IPF) # define KFREES(x,s) FREE((x), _M_IPF) -# define UIOMOVE(a,b,c,d) uiomove(a,b,d) +# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,d) # define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0) # define WAKEUP(id,x) wakeup(id+x) # define POLLWAKEUP(x) selwakeup(ipfselwait+x) @@ -1599,6 +1669,9 @@ MALLOC_DECLARE(M_IPFILTER); # define SPL_IMP(x) x = splimp() # define SPL_NET(x) x = splnet() # endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */ +# if !defined(SPL_SCHED) +# define SPL_SCHED(x) x = splsched() +# endif # define SPL_X(x) (void) splx(x) # endif /* !USE_MUTEXES */ @@ -1613,8 +1686,6 @@ MALLOC_DECLARE(M_IPFILTER); # ifndef COPYIN # define COPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) # define COPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) -# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) -# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) # endif # ifndef KMALLOC 
@@ -1629,18 +1700,27 @@ MALLOC_DECLARE(M_IPFILTER); # define PANIC(x,y) if (x) panic y #endif /* _KERNEL */ -#ifndef IFNAME +#if !defined(IFNAME) && !defined(_KERNEL) # define IFNAME(x) ((struct ifnet *)x)->if_name #endif #ifndef COPYIFNAME # define NEED_FRGETIFNAME extern char *fr_getifname __P((struct ifnet *, char *)); -# define COPYIFNAME(x, b) \ +# define COPYIFNAME(v, x, b) \ fr_getifname((struct ifnet *)x, b) #endif #ifndef ASSERT -# define ASSERT(x) +# ifdef _KERNEL +# define ASSERT(x) +# else +# define ASSERT(x) do { if (!(x)) abort(); } while (0) +# endif +#endif + +#ifndef BCOPYIN +# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) +# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0) #endif /* @@ -1719,9 +1799,6 @@ typedef struct tcpiphdr tcpiphdr_t; # define FR_GROUPLEN 16 #endif -#ifdef offsetof -# undef offsetof -#endif #ifndef offsetof # define offsetof(t,m) (int)((&((t *)0L)->m)) #endif @@ -1741,7 +1818,7 @@ typedef struct tcpiphdr tcpiphdr_t; # define IP_HL(x) (x)->ip_hl #endif #ifndef IP_HL_A -# define IP_HL_A(x,y) (x)->ip_hl = (y) +# define IP_HL_A(x,y) (x)->ip_hl = ((y) & 0xf) #endif #ifndef TCP_X2 # define TCP_X2(x) (x)->th_x2 
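Review bot: `IP_HL_A(x,y)` now masks `y` with `0xf`, which keeps an out-of-range value from spilling into the neighbouring bits of the header byte but also truncates it silently, so a caller that computes a header length above 15 words ends up with a wrong but well-formed `ip_hl` instead of an error. A comment on the define, `/* ip_hl is a 4-bit field; the mask bounds the write, callers must still validate y <= 15 */`, would make clear that the mask is not input validation. The userland `ASSERT(x)` fallback in the `@@ -1629,18 +1700,27 @@` hunk calls `abort()`, which requires `<stdlib.h>`; whether this header or its includers provide it is not visible here.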
@@ -2349,21 +2426,21 @@ typedef struct tcpiphdr tcpiphdr_t; /* * TCP States */ -#define IPF_TCPS_CLOSED 0 /* closed */ -#define IPF_TCPS_LISTEN 1 /* listening for connection */ -#define IPF_TCPS_SYN_SENT 2 /* active, have sent syn */ -#define IPF_TCPS_SYN_RECEIVED 3 /* have send and received syn */ -#define IPF_TCPS_HALF_ESTAB 4 /* for connections not fully "up" */ +#define IPF_TCPS_LISTEN 0 /* listening for connection */ +#define IPF_TCPS_SYN_SENT 1 /* active, have sent syn */ +#define IPF_TCPS_SYN_RECEIVED 2 /* have send and received syn */ +#define IPF_TCPS_HALF_ESTAB 3 /* for connections not fully "up" */ /* states < IPF_TCPS_ESTABLISHED are those where connections not established */ -#define IPF_TCPS_ESTABLISHED 5 /* established */ -#define IPF_TCPS_CLOSE_WAIT 6 /* rcvd fin, waiting for close */ +#define IPF_TCPS_ESTABLISHED 4 /* established */ +#define IPF_TCPS_CLOSE_WAIT 5 /* rcvd fin, waiting for close */ /* states > IPF_TCPS_CLOSE_WAIT are those where user has closed */ -#define IPF_TCPS_FIN_WAIT_1 7 /* have closed, sent fin */ -#define IPF_TCPS_CLOSING 8 /* closed xchd FIN; await FIN ACK */ -#define IPF_TCPS_LAST_ACK 9 /* had fin and close; await FIN ACK */ +#define IPF_TCPS_FIN_WAIT_1 6 /* have closed, sent fin */ +#define IPF_TCPS_CLOSING 7 /* closed xchd FIN; await FIN ACK */ +#define IPF_TCPS_LAST_ACK 8 /* had fin and close; await FIN ACK */ /* states > IPF_TCPS_CLOSE_WAIT && < IPF_TCPS_FIN_WAIT_2 await ACK of FIN */ -#define IPF_TCPS_FIN_WAIT_2 10 /* have closed, fin is acked */ -#define IPF_TCPS_TIME_WAIT 11 /* in 2*msl quiet wait after close */ +#define IPF_TCPS_FIN_WAIT_2 9 /* have closed, fin is acked */ +#define IPF_TCPS_TIME_WAIT 10 /* in 2*msl quiet wait after close */ +#define IPF_TCPS_CLOSED 11 /* closed */ #define IPF_TCP_NSTATES 12 #define TCP_MSL 120 diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 568453d2326d..353328c7d0be 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h 
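Review bot: Moving `IPF_TCPS_CLOSED` from 0 to 11 changes the numeric value of every TCP state, so anything that exchanges state numbers with the kernel — presumably the `SIOCSTGET`/`SIOCSTPUT` state save and restore path and statistics tools built against the old header — will misread states unless rebuilt together with the kernel. The three range comments kept between the defines ("states < IPF_TCPS_ESTABLISHED ...", "states > IPF_TCPS_CLOSE_WAIT ...") now also cover `IPF_TCPS_CLOSED` at the top of the range, so any ordering comparison that relies on them must test for CLOSED explicitly. The comments should say so, e.g. `/* IPF_TCPS_CLOSED is deliberately last; test for it before any range comparison */`, and a note that the numbering is part of the kernel/userland interface would help future edits.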
+++ b/sys/contrib/ipfilter/netinet/ip_fil.h
@@ -5,7 +5,7 @@
 *
 * @(#)ip_fil.h 1.35 6/5/96
 * $FreeBSD$
- * Id: ip_fil.h,v 2.170.2.29 2006/03/29 11:19:55 darrenr Exp $
+ * Id: ip_fil.h,v 2.170.2.51 2007/10/10 09:48:03 darrenr Exp $
 */
 
 #ifndef __IP_FIL_H__
@@ -44,12 +44,12 @@
 # define SIOCZRLST _IOWR('r', 75, struct ipfobj)
 # define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
 # define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
-# define SIOCATHST _IOWR('r', 78, struct ipfobj)
+# define SIOCSTAT1 _IOWR('r', 78, struct ipfobj)
 # define SIOCSTLCK _IOWR('r', 79, u_int)
 # define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
 # define SIOCSTGET _IOWR('r', 81, struct ipfobj)
 # define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
-# define SIOCGFRST _IOWR('r', 83, struct ipfobj)
+# define SIOCSTAT2 _IOWR('r', 83, struct ipfobj)
 # define SIOCSETLG _IOWR('r', 84, int)
 # define SIOCGETLG _IOWR('r', 85, int)
 # define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
@@ -57,6 +57,12 @@
 # define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
 # define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
 # define SIOCIPFL6 _IOWR('r', 90, int)
+# define SIOCIPFITER _IOWR('r', 91, struct ipfobj)
+# define SIOCGENITER _IOWR('r', 92, struct ipfobj)
+# define SIOCGTABL _IOWR('r', 93, struct ipfobj)
+# define SIOCIPFDELTOK _IOWR('r', 94, int)
+# define SIOCLOOKUPITER _IOWR('r', 95, struct ipfobj)
+# define SIOCGTQTAB _IOWR('r', 96, struct ipfobj)
 #else
 # define SIOCADAFR _IOW(r, 60, struct ipfobj)
 # define SIOCRMAFR _IOW(r, 61, struct ipfobj)
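Review bot: The new iterator ioctls (`SIOCIPFITER`, `SIOCGENITER`, `SIOCLOOKUPITER`) hand out tokens and `SIOCIPFDELTOK` deletes one by a bare `int`, so the kernel side must tie each token to its creator — the `ipftoken_t` added later in this file carries `ipt_uid`, which suggests that is the design — and refuse deletion or continuation of a token owned by a different uid; the header itself states no such contract. A comment next to `SIOCIPFDELTOK`, `/* token ids are per-uid; deleting or iterating another user's token must fail */`, would record that requirement for the implementer. The same block is duplicated for the unquoted `_IOWR(r, ...)` variant in the `@@ -89,10 +95,18 @@` hunk, and the `SIOCATHST`/`SIOCGFRST` aliases there keep old binaries working.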
@@ -76,12 +82,12 @@
 # define SIOCZRLST _IOWR(r, 75, struct ipfobj)
 # define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
 # define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
-# define SIOCATHST _IOWR(r, 78, struct ipfobj)
+# define SIOCSTAT1 _IOWR(r, 78, struct ipfobj)
 # define SIOCSTLCK _IOWR(r, 79, u_int)
 # define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
 # define SIOCSTGET _IOWR(r, 81, struct ipfobj)
 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
-# define SIOCGFRST _IOWR(r, 83, struct ipfobj)
+# define SIOCSTAT2 _IOWR(r, 83, struct ipfobj)
 # define SIOCSETLG _IOWR(r, 84, int)
 # define SIOCGETLG _IOWR(r, 85, int)
 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
@@ -89,10 +95,18 @@
 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
 # define SIOCIPFL6 _IOWR(r, 90, int)
+# define SIOCIPFITER _IOWR(r, 91, struct ipfobj)
+# define SIOCGENITER _IOWR(r, 92, struct ipfobj)
+# define SIOCGTABL _IOWR(r, 93, struct ipfobj)
+# define SIOCIPFDELTOK _IOWR(r, 94, int)
+# define SIOCLOOKUPITER _IOWR(r, 95, struct ipfobj)
+# define SIOCGTQTAB _IOWR(r, 96, struct ipfobj)
 #endif
 
 #define SIOCADDFR SIOCADAFR
 #define SIOCDELFR SIOCRMAFR
 #define SIOCINSFR SIOCINAFR
+#define SIOCATHST SIOCSTAT1
+#define SIOCGFRST SIOCSTAT2
 
 struct ipscan;
@@ -112,6 +126,11 @@ typedef union i6addr {
 struct in6_addr in6;
 void *vptr[2];
 lookupfunc_t lptr[2];
+ struct {
+ u_short type;
+ u_short subtype;
+ char label[12];
+ } i6un;
 } i6addr_t;
 #else
 typedef union i6addr {
@@ -119,26 +138,33 @@ typedef union i6addr { struct in_addr in4; void *vptr[2]; lookupfunc_t lptr[2]; + struct { + u_short type; + u_short subtype; + char label[12]; + } i6un; } i6addr_t; #endif #define in4_addr in4.s_addr -#define iplookupnum i6[0] -#define iplookuptype i6[1] +#define iplookupnum i6[1] +#define iplookupname i6un.label +#define iplookuptype i6un.type +#define iplookupsubtype i6un.subtype /* * NOTE: These DO overlap the above on 64bit systems and this IS recognised. */ #define iplookupptr vptr[0] #define iplookupfunc lptr[1] -#define I60(x) (((i6addr_t *)(x))->i6[0]) -#define I61(x) (((i6addr_t *)(x))->i6[1]) -#define I62(x) (((i6addr_t *)(x))->i6[2]) -#define I63(x) (((i6addr_t *)(x))->i6[3]) -#define HI60(x) ntohl(((i6addr_t *)(x))->i6[0]) -#define HI61(x) ntohl(((i6addr_t *)(x))->i6[1]) -#define HI62(x) ntohl(((i6addr_t *)(x))->i6[2]) -#define HI63(x) ntohl(((i6addr_t *)(x))->i6[3]) +#define I60(x) (((u_32_t *)(x))[0]) +#define I61(x) (((u_32_t *)(x))[1]) +#define I62(x) (((u_32_t *)(x))[2]) +#define I63(x) (((u_32_t *)(x))[3]) +#define HI60(x) ntohl(((u_32_t *)(x))[0]) +#define HI61(x) ntohl(((u_32_t *)(x))[1]) +#define HI62(x) ntohl(((u_32_t *)(x))[2]) +#define HI63(x) ntohl(((u_32_t *)(x))[3]) #define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \ (I61(a) == I61(b)) && (I60(a) == I60(b))) @@ -156,14 +182,14 @@ typedef union i6addr { HI63(a) < HI63(b))))))) #define NLADD(n,x) htonl(ntohl(n) + (x)) #define IP6_INC(a) \ - { i6addr_t *_i6 = (i6addr_t *)(a); \ - _i6->i6[0] = NLADD(_i6->i6[0], 1); \ - if (_i6->i6[0] == 0) { \ - _i6->i6[0] = NLADD(_i6->i6[1], 1); \ - if (_i6->i6[1] == 0) { \ - _i6->i6[0] = NLADD(_i6->i6[2], 1); \ - if (_i6->i6[2] == 0) { \ - _i6->i6[0] = NLADD(_i6->i6[3], 1); \ + { u_32_t *_i6 = (u_32_t *)(a); \ + _i6[3] = NLADD(_i6[3], 1); \ + if (_i6[3] == 0) { \ + _i6[2] = NLADD(_i6[2], 1); \ + if (_i6[2] == 0) { \ + _i6[1] = NLADD(_i6[1], 1); \ + if (_i6[1] == 0) { \ + _i6[0] = NLADD(_i6[0], 1); \ } \ } \ } \ 
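Review bot: The new `i6un` member (two `u_short` plus `label[12]`, 16 bytes on the usual targets) shares storage with `i6[]`, so `iplookupname` (`i6un.label`) overlaps `iplookupnum`, which is now `i6[1]`, and a lookup cannot carry both a number and a name at once; the existing NOTE only mentions that `vptr`/`lptr` overlap on 64-bit systems. That comment should be extended, e.g. `/* i6un overlaps i6[]: a lookup is by number (i6[1]) or by name (label), never both */`. Because `label` is a fixed 12 bytes and this union is filled from userland via the ioctl objects above, code that prints or compares it should use bounded operations rather than assume a NUL terminator; the header cannot enforce that. The rewritten `IP6_INC` now increments from element 3 upward with carry, where the old version always wrote element 0, so that part is a fix rather than behaviour to preserve.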
@@ -237,11 +263,12 @@ typedef struct fr_ip { #define FI_FRAGBODY 0x2000 #define FI_BADSRC 0x4000 #define FI_LOWTTL 0x8000 -#define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */ +#define FI_CMP 0xcf03 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL,broadcast */ #define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */ #define FI_WITH 0xeffe /* Not FI_TCPUDP */ #define FI_V6EXTHDR 0x10000 #define FI_COALESCE 0x20000 +#define FI_NEWNAT 0x40000 #define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */ #define FI_DONTCACHE 0x40000000 /* don't cache the result */ #define FI_IGNORE 0x80000000 @@ -250,8 +277,12 @@ typedef struct fr_ip { #define fi_daddr fi_dst.in4.s_addr #define fi_srcnum fi_src.iplookupnum #define fi_dstnum fi_dst.iplookupnum +#define fi_srcname fi_src.iplookupname +#define fi_dstname fi_dst.iplookupname #define fi_srctype fi_src.iplookuptype #define fi_dsttype fi_dst.iplookuptype +#define fi_srcsubtype fi_src.iplookupsubtype +#define fi_dstsubtype fi_dst.iplookupsubtype #define fi_srcptr fi_src.iplookupptr #define fi_dstptr fi_dst.iplookupptr #define fi_srcfunc fi_src.iplookupfunc @@ -297,9 +328,11 @@ typedef struct fr_info { u_short fin_off; int fin_depth; /* Group nesting depth */ int fin_error; /* Error code to return */ + int fin_cksum; /* -1 bad, 1 good, 0 not done */ void *fin_nat; void *fin_state; void *fin_nattag; + void *fin_exthdr; ip_t *fin_ip; mb_t **fin_mp; /* pointer to pointer to mbuf */ mb_t *fin_m; /* pointer to mbuf */ @@ -330,8 +363,8 @@ typedef struct fr_info { #define fin_dport fin_dat.fid_16[1] #define fin_ports fin_dat.fid_32 -#define IPF_IN 0 -#define IPF_OUT 1 +#define IPF_IN 0 +#define IPF_OUT 1 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *)); typedef int (*ipfuncinit_t) __P((struct frentry *)); 
@@ -441,9 +474,13 @@ typedef struct fripf { int fri_difpidx; /* index into fr_ifps[] to use when */ } fripf_t; -#define fri_dstnum fri_ip.fi_dstnum +#define fri_dlookup fri_mip.fi_dst +#define fri_slookup fri_mip.fi_src +#define fri_dstnum fri_mip.fi_dstnum #define fri_srcnum fri_mip.fi_srcnum -#define fri_dstptr fri_ip.fi_dstptr +#define fri_dstname fri_mip.fi_dstname +#define fri_srcname fri_mip.fi_srcname +#define fri_dstptr fri_mip.fi_dstptr #define fri_srcptr fri_mip.fi_srcptr #define FRI_NORMAL 0 /* Normal address */ @@ -468,6 +505,13 @@ typedef struct frentry { char *fr_comment; /* text comment for rule */ int fr_ref; /* reference count - for grouping */ int fr_statecnt; /* state count - for limit rules */ + /* + * The line number from a file is here because we need to be able to + * match the rule generated with ``grep rule ipf.conf | ipf -rf -'' + * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be + * on the other side of fr_func. + */ + int fr_flineno; /* line number from conf file */ /* * These are only incremented when a packet matches this rule and * it is the last match @@ -495,7 +539,6 @@ typedef struct frentry { int fr_dsize; int fr_pps; int fr_statemax; /* max reference count */ - int fr_flineno; /* line number from conf file */ u_32_t fr_type; u_32_t fr_flags; /* per-rule flags && options (see below) */ u_32_t fr_logtag; /* user defined log tag # */ @@ -555,8 +598,14 @@ typedef struct frentry { #define fr_smask fr_mip.fi_src.in4.s_addr #define fr_dstnum fr_ip.fi_dstnum #define fr_srcnum fr_ip.fi_srcnum +#define fr_dlookup fr_ip.fi_dst +#define fr_slookup fr_ip.fi_src +#define fr_dstname fr_ip.fi_dstname +#define fr_srcname fr_ip.fi_srcname #define fr_dsttype fr_ip.fi_dsttype #define fr_srctype fr_ip.fi_srctype +#define fr_dstsubtype fr_ip.fi_dstsubtype +#define fr_srcsubtype fr_ip.fi_srcsubtype #define fr_dstptr fr_mip.fi_dstptr #define fr_srcptr fr_mip.fi_srcptr #define fr_dstfunc fr_mip.fi_dstfunc 
@@ -1019,6 +1068,8 @@ typedef struct ipftq { /* checks its timeout queues. */ #define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE) +typedef int (*ipftq_delete_fn_t)(void *); + /* * Structure to define address for pool lookups. */ @@ -1054,6 +1105,13 @@ typedef struct ipfobj { #define IPFOBJ_STATESTAT 11 /* struct ips_stat */ #define IPFOBJ_FRAUTH 12 /* struct frauth */ #define IPFOBJ_TUNEABLE 13 /* struct ipftune */ +#define IPFOBJ_NAT 14 /* struct nat */ +#define IPFOBJ_IPFITER 15 /* struct ipfruleiter */ +#define IPFOBJ_GENITER 16 /* struct ipfgeniter */ +#define IPFOBJ_GTABLE 17 /* struct ipftable */ +#define IPFOBJ_LOOKUPITER 18 /* struct ipflookupiter */ +#define IPFOBJ_STATETQTAB 19 /* struct ipftq [NSTATES] */ +#define IPFOBJ_COUNT 20 /* How many #defines are above this? */ typedef union ipftunevalptr { @@ -1066,7 +1124,7 @@ typedef union ipftunevalptr { typedef struct ipftuneable { ipftunevalptr_t ipft_una; - char *ipft_name; + const char *ipft_name; u_long ipft_min; u_long ipft_max; int ipft_sz; 
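Review bot: The comment on `IPFOBJ_COUNT` ("How many #defines are above this?") does not say what the constant is for; presumably it bounds the type field of a `struct ipfobj` copied in from userland before that value indexes a per-type table, in which case it has to be bumped with every new `IPFOBJ_*` value or the range check lets the last type through unchecked. A clearer comment, `/* one past the highest IPFOBJ_* value; used to range-check the object type supplied by userland - keep in sync */`, would make the maintenance rule explicit. The `ipftq_delete_fn_t` typedef in the `@@ -1019,6 +1068,8 @@` hunk would likewise benefit from one line saying what its `void *` argument is and what the return value means, since `ipf_queueflush` below takes it.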
@@ -1105,6 +1163,68 @@ typedef struct ipftune { #define ipft_vshort ipft_un.ipftu_short #define ipft_vchar ipft_un.ipftu_char +/* + * + */ +typedef struct ipfruleiter { + int iri_inout; + char iri_group[FR_GROUPLEN]; + int iri_active; + int iri_nrules; + int iri_v; + frentry_t *iri_rule; +} ipfruleiter_t; + +/* + * Values for iri_inout + */ +#define F_IN 0 +#define F_OUT 1 +#define F_ACIN 2 +#define F_ACOUT 3 + + +typedef struct ipfgeniter { + int igi_type; + int igi_nitems; + void *igi_data; +} ipfgeniter_t; + +#define IPFGENITER_IPF 0 +#define IPFGENITER_NAT 1 +#define IPFGENITER_IPNAT 2 +#define IPFGENITER_FRAG 3 +#define IPFGENITER_AUTH 4 +#define IPFGENITER_STATE 5 +#define IPFGENITER_NATFRAG 6 +#define IPFGENITER_HOSTMAP 7 +#define IPFGENITER_LOOKUP 8 + +typedef struct ipftable { + int ita_type; + void *ita_table; +} ipftable_t; + +#define IPFTABLE_BUCKETS 1 +#define IPFTABLE_BUCKETS_NATIN 2 +#define IPFTABLE_BUCKETS_NATOUT 3 + + +/* + * + */ +typedef struct ipftoken { + struct ipftoken *ipt_next; + struct ipftoken **ipt_pnext; + void *ipt_ctx; + void *ipt_data; + u_long ipt_die; + int ipt_type; + int ipt_uid; + int ipt_subtype; + int ipt_alive; +} ipftoken_t; + /* ** HPUX Port @@ -1163,11 +1283,22 @@ extern int iplclose __P((dev_t, int)); extern void m_freem __P((mb_t *)); extern int bcopywrap __P((void *, void *, size_t)); #else /* #ifndef _KERNEL */ +# ifdef BSD +# if (defined(__NetBSD__) && (__NetBSD_Version__ < 399000000)) || \ + defined(__osf__) || \ + (defined(__FreeBSD_version) && (__FreeBSD_version < 500043)) +# include +# else +# include +# endif +extern struct selinfo ipfselwait[IPL_LOGSIZE]; +# endif # if defined(__NetBSD__) && defined(PFIL_HOOKS) extern void ipfilterattach __P((int)); # endif extern int ipl_enable __P((void)); extern int ipl_disable __P((void)); +extern int ipf_inject __P((fr_info_t *, mb_t *)); # ifdef MENTAT extern int fr_check __P((struct ip *, int, void *, int, void *, mblk_t **)); 
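Review bot: The two `/* * */` comment blocks placed above `struct ipfruleiter` and `struct ipftoken` are empty, so the structures that carry iterator state across the ioctl boundary have no documentation at all. The ipfruleiter comment should say that `iri_group` arrives from userland and is not guaranteed to be NUL-terminated within `FR_GROUPLEN`, and what `iri_nrules` and `iri_rule` describe — presumably a user-supplied output buffer whose size bounds the copy-out. For `ipfgeniter`, `igi_data` looks like a user pointer with `igi_nitems` capping how much is copied to it, and for `ipftoken` the roles of `ipt_uid` and `ipt_die` (owner and expiry, judging by `ipf_findtoken`/`ipf_expiretokens` in the prototypes later in this file) should be stated. Each of these readings comes from the field names and should be confirmed against the implementation before being written down.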
@@ -1190,7 +1321,6 @@ extern int iplread __P((dev_t, uio_t *)); extern int iplwrite __P((dev_t, uio_t *)); extern int iplselect __P((dev_t, int)); # endif -extern int ipfsync __P((void)); extern int fr_qout __P((queue_t *, mblk_t *)); # else /* MENTAT */ extern int fr_check __P((struct ip *, int, void *, int, mb_t **)); @@ -1203,7 +1333,6 @@ extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *)); extern int iplread __P((dev_t, uio_t *, cred_t *)); extern int iplwrite __P((dev_t, uio_t *, cred_t *)); -extern int ipfsync __P((void)); extern int ipfilter_sgi_attach __P((void)); extern void ipfilter_sgi_detach __P((void)); extern void ipfilter_sgi_intfsync __P((void)); @@ -1224,7 +1353,15 @@ extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *)); extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *)); # endif /* __FreeBSD_version >= 502116 */ # else +# if (__NetBSD_Version__ >= 499001000) +extern int iplioctl __P((dev_t, u_long, void *, int, struct lwp *)); +# else +# if (__NetBSD_Version__ >= 399001400) +extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *)); +# else extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); +# endif +# endif # endif /* __FreeBSD_version >= 500024 */ # else extern int iplioctl __P((dev_t, int, caddr_t, int, struct thread *)); @@ -1238,8 +1375,13 @@ extern int iplopen __P((dev_t, int, int, struct thread *)); extern int iplclose __P((dev_t, int, int, struct thread *)); # endif /* __FreeBSD_version >= 502116 */ # else +# if (__NetBSD_Version__ >= 399001400) +extern int iplopen __P((dev_t, int, int, struct lwp *)); +extern int iplclose __P((dev_t, int, int, struct lwp *)); +# else extern int iplopen __P((dev_t, int, int, struct proc *)); extern int iplclose __P((dev_t, int, int, struct proc *)); +# endif /* __NetBSD_Version__ >= 399001400 */ # endif /* __FreeBSD_version >= 500024 */ # else # ifdef linux 
@@ -1267,27 +1409,35 @@ extern int iplwrite __P((dev_t, struct uio *)); # endif /* __ sgi */ # endif /* MENTAT */ +# if defined(__FreeBSD_version) +extern int ipf_pfil_hook __P((void)); +extern int ipf_pfil_unhook __P((void)); +extern void ipf_event_reg __P((void)); +extern void ipf_event_dereg __P((void)); +# endif + #endif /* #ifndef _KERNEL */ extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap; extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new; extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag; extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; -extern ipfrwlock_t ipf_frcache; +extern ipfrwlock_t ipf_frcache, ipf_tokens; extern char *memstr __P((const char *, char *, size_t, size_t)); extern int count4bits __P((u_32_t)); extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int)); extern char *getifname __P((struct ifnet *)); -extern int iplattach __P((void)); -extern int ipldetach __P((void)); +extern int ipfattach __P((void)); +extern int ipfdetach __P((void)); extern u_short ipf_cksum __P((u_short *, int)); extern int copyinptr __P((void *, void *, size_t)); extern int copyoutptr __P((void *, void *, size_t)); extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *)); extern int fr_inobj __P((void *, void *, int)); extern int fr_inobjsz __P((void *, void *, int, int)); -extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int)); +extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *)); +extern int fr_ipf_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *)); extern int fr_ipftune __P((ioctlcmd_t, void *)); extern int fr_outobj __P((void *, void *, int)); extern int fr_outobjsz __P((void *, void *, int, int)); 
@@ -1297,7 +1447,7 @@ extern int fr_resolvefunc __P((void *)); extern void *fr_resolvenic __P((char *, int)); extern int fr_send_icmp_err __P((int, fr_info_t *, int)); extern int fr_send_reset __P((fr_info_t *)); -#if (__FreeBSD_version < 490000) || !defined(_KERNEL) +#if (__FreeBSD_version < 501000) || !defined(_KERNEL) extern int ppsratecheck __P((struct timeval *, int *, int)); #endif extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int)); @@ -1352,19 +1502,27 @@ extern void fr_getstat __P((struct friostat *)); extern int fr_ifpaddr __P((int, int, void *, struct in_addr *, struct in_addr *)); extern int fr_initialise __P((void)); -extern void fr_lock __P((caddr_t, int *)); +extern int fr_lock __P((caddr_t, int *)); extern int fr_makefrip __P((int, ip_t *, fr_info_t *)); extern int fr_matchtag __P((ipftag_t *, ipftag_t *)); extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *, struct icmp *, int)); extern u_32_t fr_newisn __P((fr_info_t *)); extern u_short fr_nextipid __P((fr_info_t *)); +extern int ipf_queueflush __P((ipftq_delete_fn_t, ipftq_t *, ipftq_t *)); extern int fr_rulen __P((int, frentry_t *)); extern int fr_scanlist __P((fr_info_t *, u_32_t)); extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *)); extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *)); extern int fr_verifysrc __P((fr_info_t *fin)); -extern int fr_zerostats __P((char *)); +extern int fr_zerostats __P((void *)); +extern ipftoken_t *ipf_findtoken __P((int, int, void *)); +extern int ipf_getnextrule __P((ipftoken_t *, void *)); +extern void ipf_expiretokens __P((void)); +extern void ipf_freetoken __P((ipftoken_t *)); +extern int ipf_deltoken __P((int,int, void *)); +extern int ipfsync __P((void)); +extern int ipf_genericiter __P((void *, int, void *)); extern int fr_running; extern u_long fr_frouteok[2]; 
@@ -1379,7 +1537,6 @@ extern int fr_update_ipid; extern int nat_logging; extern int ipstate_logging; extern int ipl_suppress; -extern int ipl_buffer_sz; extern int ipl_logmax; extern int ipl_logall; extern int ipl_logsize; diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c index 65d1b524934c..0f39afa268eb 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.32 2006/03/25 13:03:01 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.50 2007/09/20 12:51:50 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) @@ -57,11 +57,18 @@ static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.32 2006/03/25 13 #endif #include #include -#include +#if __FreeBSD_version >= 500043 +# include +#else +# include +#endif #include #if __FreeBSD_version >= 300000 # include +# if __FreeBSD_version >= 500043 +# include +# endif # if !defined(IPFILTER_LKM) # include "opt_ipfilter.h" # endif @@ -126,7 +133,7 @@ static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **)); # ifdef USE_MUTEXES ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; -ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache; +ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache, ipf_tokens; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; # endif int ipf_locks_done = 0; 
@@ -193,19 +200,10 @@ char *s; #endif /* IPFILTER_LKM */ -int iplattach() +int ipfattach() { #ifdef USE_SPL int s; -#endif -#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011) - int error = 0; -# if __FreeBSD_version >= 501108 - struct pfil_head *ph_inet; -# ifdef USE_INET6 - struct pfil_head *ph_inet6; -# endif -# endif #endif SPL_NET(s); @@ -215,11 +213,9 @@ int iplattach() } MUTEX_INIT(&ipf_rw, "ipf rw mutex"); - RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex"); - RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); - RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); + RWLOCK_INIT(&ipf_tokens, "ipf token rwlock"); ipf_locks_done = 1; if (fr_initialise() < 0) { 
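Review bot: ipfattach() no longer initialises `ipf_global`, `ipf_mutex` and `ipf_frcache` but still sets `ipf_locks_done = 1` before calling fr_initialise(), so which locks this function owns is no longer obvious from reading it; the matching RW_DESTROY calls are dropped from ipfdetach() in this same commit, which suggests those three locks now belong to fr_initialise()/fr_deinitialise(), but that code is not in the diff. A comment above the remaining RWLOCK_INIT calls, `/* ipf_global, ipf_mutex and ipf_frcache are owned by fr_initialise(); only the locks set up here are torn down in ipfdetach() */`, would record the split. The body of ipfattach continues past this hunk.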
@@ -228,77 +224,6 @@ int iplattach() } -# ifdef NETBSD_PF -# if __FreeBSD_version >= 500011 -# if __FreeBSD_version >= 501108 - ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); -# ifdef USE_INET6 - ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); -# endif - if (ph_inet == NULL -# ifdef USE_INET6 - && ph_inet6 == NULL -# endif - ) - return ENODEV; - - if (ph_inet != NULL) - error = pfil_add_hook((void *)fr_check_wrapper, NULL, - PFIL_IN|PFIL_OUT, ph_inet); - else - error = 0; -# else - error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, - &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); -# endif - if (error) { -# ifdef USE_INET6 - goto pfil_error; -# else - fr_deinitialise(); - SPL_X(s); - return error; -# endif - } -# else - pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); -# endif -# ifdef USE_INET6 -# if __FreeBSD_version >= 501108 - if (ph_inet6 != NULL) - error = pfil_add_hook((void *)fr_check_wrapper6, NULL, - PFIL_IN|PFIL_OUT, ph_inet6); - else - error = 0; - if (error) { - pfil_remove_hook((void *)fr_check_wrapper6, NULL, - PFIL_IN|PFIL_OUT, ph_inet6); -# else - error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, - &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); - if (error) { - pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, - &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); -# endif -pfil_error: - fr_deinitialise(); - SPL_X(s); - return error; - } -# endif -# endif - -#if (__FreeBSD_version >= 502103) - ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \ - ipf_ifevent, NULL, \ - EVENTHANDLER_PRI_ANY); - ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \ - ipf_ifevent, NULL, \ - EVENTHANDLER_PRI_ANY); - ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \ - NULL, EVENTHANDLER_PRI_ANY); -#endif - if (fr_checkp != fr_check) { fr_savep = fr_checkp; fr_checkp = fr_check; 
@@ -326,36 +251,14 @@ pfil_error: * Disable the filter by removing the hooks from the IP input/output * stream. */ -int ipldetach() +int ipfdetach() { #ifdef USE_SPL int s; #endif -#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011) - int error = 0; -# if __FreeBSD_version >= 501108 - struct pfil_head *ph_inet; -# ifdef USE_INET6 - struct pfil_head *ph_inet6; -# endif -# endif -#endif - if (fr_control_forwarding & 2) ipforwarding = 0; -#if (__FreeBSD_version >= 502103) - if (ipf_arrivetag != NULL) { - EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag); - } - if (ipf_departtag != NULL) { - EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag); - } - if (ipf_clonetag != NULL) { - EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag); - } -#endif - SPL_NET(s); #if (__FreeBSD_version >= 300000) @@ -372,44 +275,6 @@ int ipldetach() fr_savep = NULL; #endif -#ifdef NETBSD_PF -# if (__FreeBSD_version >= 500011) -# if (__FreeBSD_version >= 501108) - ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); - if (ph_inet != NULL) - error = pfil_remove_hook((void *)fr_check_wrapper, NULL, - PFIL_IN|PFIL_OUT, ph_inet); - else - error = 0; -# else - error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, - &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); -# endif - if (error) { - SPL_X(s); - return error; - } -# else - pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); -# endif -# ifdef USE_INET6 -# if (__FreeBSD_version >= 501108) - ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); - if (ph_inet6 != NULL) - error = pfil_remove_hook((void *)fr_check_wrapper6, NULL, - PFIL_IN|PFIL_OUT, ph_inet6); - else - error = 0; -# else - error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, - &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); -# endif - if (error) { - SPL_X(s); - return error; - } -# endif -#endif fr_deinitialise(); fr_running = -2; 
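Review bot: ipfdetach() now tears down filter state without removing the pfil hooks and event handlers that the removed lines used to detach from within this same function, so the ordering that keeps fr_check() from running after fr_deinitialise() — ipf_pfil_unhook() and ipf_event_dereg() before ipfdetach(), and the reverse around ipfattach() — has become an unstated contract between this file and callers that are not in the diff. A header comment on ipfdetach(), `/* Callers must ipf_pfil_unhook() and ipf_event_dereg() first: the hooks must be gone before fr_deinitialise() runs */`, and the mirror note on ipfattach(), would make that dependency explicit. ipfdetach's body continues outside this hunk.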
@@ -420,10 +285,8 @@ int ipldetach() if (ipf_locks_done == 1) { MUTEX_DESTROY(&ipf_timeoutlock); MUTEX_DESTROY(&ipf_rw); - RW_DESTROY(&ipf_mutex); - RW_DESTROY(&ipf_frcache); RW_DESTROY(&ipf_ipidfrag); - RW_DESTROY(&ipf_global); + RW_DESTROY(&ipf_tokens); ipf_locks_done = 0; } @@ -441,8 +304,14 @@ int iplioctl(dev, cmd, data, mode , p) # if (__FreeBSD_version >= 500024) struct thread *p; +# if (__FreeBSD_version >= 500043) +# define p_uid td_ucred->cr_ruid +# else +# define p_uid t_proc->p_cred->p_ruid +# endif # else struct proc *p; +# define p_uid p_cred->p_ruid # endif /* __FreeBSD_version >= 500024 */ # else ) @@ -456,11 +325,8 @@ ioctlcmd_t cmd; caddr_t data; int mode; { -#ifdef USE_SPL - int s; -#endif - int error = 0, unit = 0, tmp; - friostat_t fio; + int error = 0, unit = 0; + SPL_INT(s); #if (BSD >= 199306) && defined(_KERNEL) if ((securelevel >= 3) && (mode & FWRITE)) 
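Review bot: The three `#define p_uid ...` variants are introduced inside iplioctl's K&R parameter declarations and never undefined, so from this point every `p_uid` token in the rest of the translation unit — not just the intended `p->p_uid` in the next hunk — is rewritten to `td_ucred->cr_ruid` or `p_cred->p_ruid`. Add `#undef p_uid` right after the `fr_ioctlswitch(...)` call that consumes it, or replace the macro with a small `static inline uid_t ipf_proc_uid(...)` selected by the same version conditionals so the name does not leak. The macro is used in the following hunk, outside this one.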
@@ -475,165 +341,19 @@ int mode; if (unit != IPL_LOGIPF) return EIO; if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET && - cmd != SIOCIPFSET && cmd != SIOCFRENB && + cmd != SIOCIPFSET && cmd != SIOCFRENB && cmd != SIOCGETFS && cmd != SIOCGETFF) return EIO; } SPL_NET(s); - if (fr_running > 0) - READ_ENTER(&ipf_global); - error = fr_ioctlswitch(unit, data, cmd, mode); + error = fr_ioctlswitch(unit, data, cmd, mode, p->p_uid, p); if (error != -1) { - RWLOCK_EXIT(&ipf_global); SPL_X(s); return error; } - error = 0; - switch (cmd) - { - case FIONREAD : -#ifdef IPFILTER_LOG - BCOPYOUT(&iplused[IPL_LOGIPF], (caddr_t)data, - sizeof(iplused[IPL_LOGIPF])); -#endif - break; - case SIOCFRENB : - if (!(mode & FWRITE)) - error = EPERM; - else { - BCOPYIN(data, &tmp, sizeof(tmp)); - if (tmp) { - if (fr_running > 0) - error = 0; - else - error = iplattach(); - if (error == 0) - fr_running = 1; - else - (void) ipldetach(); - } else { - if (fr_running <= 0) - error = 0; - else - error = ipldetach(); - if (error == 0) - fr_running = -1; - } - } - break; - case SIOCIPFSET : - if (!(mode & FWRITE)) { - error = EPERM; - break; - } - case SIOCIPFGETNEXT : - case SIOCIPFGET : - error = fr_ipftune(cmd, data); - break; - case SIOCSETFF : - if (!(mode & FWRITE)) - error = EPERM; - else - BCOPYIN(data, &fr_flags, sizeof(fr_flags)); - break; - case SIOCGETFF : - BCOPYOUT(&fr_flags, data, sizeof(fr_flags)); - break; - case SIOCFUNCL : - error = fr_resolvefunc(data); - break; - case SIOCINAFR : - case SIOCRMAFR : - case SIOCADAFR : - case SIOCZRLST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, data, fr_active, 1); - break; - case SIOCINIFR : - case SIOCRMIFR : - case SIOCADIFR : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, data, 1 - fr_active, 1); - break; - case SIOCSWAPA : - if (!(mode & FWRITE)) - error = EPERM; - else { - bzero((char *)frcache, sizeof(frcache[0]) * 2); - *(u_int *)data = fr_active; - fr_active = 1 - 
fr_active; - } - break; - case SIOCGETFS : - fr_getstat(&fio); - error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT); - break; - case SIOCFRZST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = fr_zerostats(data); - break; - case SIOCIPFFL : - if (!(mode & FWRITE)) - error = EPERM; - else { - BCOPYIN(data, &tmp, sizeof(tmp)); - tmp = frflush(unit, 4, tmp); - BCOPYOUT(&tmp, data, sizeof(tmp)); - } - break; -#ifdef USE_INET6 - case SIOCIPFL6 : - if (!(mode & FWRITE)) - error = EPERM; - else { - BCOPYIN(data, &tmp, sizeof(tmp)); - tmp = frflush(unit, 6, tmp); - BCOPYOUT(&tmp, data, sizeof(tmp)); - } - break; -#endif - case SIOCSTLCK : - BCOPYIN(data, &tmp, sizeof(tmp)); - fr_state_lock = tmp; - fr_nat_lock = tmp; - fr_frag_lock = tmp; - fr_auth_lock = tmp; - break; -#ifdef IPFILTER_LOG - case SIOCIPFFB : - if (!(mode & FWRITE)) - error = EPERM; - else - *(int *)data = ipflog_clear(unit); - break; -#endif /* IPFILTER_LOG */ - case SIOCGFRST : - error = fr_outobj(data, fr_fragstats(), IPFOBJ_FRAGSTAT); - break; - case SIOCFRSYN : - if (!(mode & FWRITE)) - error = EPERM; - else { - frsync(NULL); - } - break; - default : - error = EINVAL; - break; - } - - if (fr_running > 0) - if (mtx_owned(&(&ipf_global)->ipf_lk)) - RWLOCK_EXIT(&ipf_global); SPL_X(s); return error; @@ -760,6 +480,9 @@ register struct uio *uio; { u_int xmin = GET_MINOR(dev); + if (fr_running < 1) + return EIO; + if (xmin < 0) return ENXIO; @@ -796,6 +519,9 @@ dev_t dev; register struct uio *uio; { + if (fr_running < 1) + return EIO; + #ifdef IPFILTER_SYNC if (GET_MINOR(dev) == IPL_LOGSYNC) return ipfsync_write(uio); @@ -823,10 +549,8 @@ fr_info_t *fin; if (tcp->th_flags & TH_RST) return -1; /* feedback loop */ -#ifndef IPFILTER_CKSUM if (fr_checkl4sum(fin) == -1) return -1; -#endif tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + 
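Review bot: iplioctl now propagates -1 to the kernel: the old code treated a -1 from fr_ioctlswitch() as "not handled here" and fell into the local switch, but with that switch removed the `if (error != -1)` early return is followed only by `SPL_X(s); return error;`, so a -1 reaches the ioctl caller. In the FreeBSD kernel -1 is ERESTART, which would restart the syscall rather than fail it, so if fr_ioctlswitch() can still return -1 under its new signature this needs `if (error == -1) error = EINVAL;` before the final `SPL_X(s)`, after which the early-return block is redundant. If it can no longer return -1, the dead `if (error != -1)` test should go and a comment should say why. Also note that the securelevel/FWRITE gate and unit check above are unchanged, so the permission decisions moved into fr_ioctlswitch() now rely on the passed `p->p_uid` — worth confirming that callee performs the FWRITE checks that the removed switch did per command.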
@@ -985,7 +709,7 @@ int dst; #endif ip_t *ip, *ip2; - if ((type < 0) || (type > ICMP_MAXTYPE)) + if ((type < 0) || (type >= ICMP_MAXTYPE)) return -1; code = fin->fin_icode; @@ -994,10 +718,8 @@ int dst; return -1; #endif -#ifndef IPFILTER_CKSUM if (fr_checkl4sum(fin) == -1) return -1; -#endif #ifdef MGETHDR MGETHDR(m, M_DONTWAIT, MT_HEADER); #else @@ -1153,20 +875,24 @@ void # endif iplinit() { - if (iplattach() != 0) + if (ipfattach() != 0) printf("IP Filter failed to attach\n"); ip_init(); } #endif /* __FreeBSD_version < 300000 */ +/* + * m0 - pointer to mbuf where the IP packet starts + * mpp - pointer to the mbuf pointer that is the start of the mbuf chain + */ int fr_fastroute(m0, mpp, fin, fdp) mb_t *m0, **mpp; fr_info_t *fin; frdest_t *fdp; { register struct ip *ip, *mhip; - register struct mbuf *m = m0; + register struct mbuf *m = *mpp; register struct route *ro; int len, off, error = 0, hlen, code; struct ifnet *ifp, *sifp; @@ -1264,9 +990,11 @@ frdest_t *fdp; /* * For input packets which are being "fastrouted", they won't * go back through output filtering and miss their chance to get - * NAT'd and counted. + * NAT'd and counted. Duplicated packets aren't considered to be + * part of the normal packet stream, so do not NAT them or pass + * them through stateful checking, etc. */ - if (fin->fin_out == 0) { + if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) { sifp = fin->fin_ifp; fin->fin_ifp = ifp; fin->fin_out = 1; @@ -1275,7 +1003,8 @@ frdest_t *fdp; if (!fr || !(fr->fr_flags & FR_RETMASK)) { u_32_t pass; - (void) fr_checkstate(fin, &pass); + if (fr_checkstate(fin, &pass) != NULL) + fr_statederef((ipstate_t **)&fin->fin_state); } switch (fr_checknatout(fin, NULL)) @@ -1288,7 +1017,7 @@ frdest_t *fdp; break; case -1 : error = -1; - goto done; + goto bad; break; } @@ -1598,6 +1327,9 @@ fr_info_t *fin; if ((fin->fin_flx & FI_NOCKSUM) != 0) return; + if (fin->fin_cksum != 0) + return; + m = fin->fin_m; if (m == NULL) { manual = 1; 
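Review bot: In fr_fastroute the new test `if ((fdp != &fr->fr_dif) && (fin->fin_out == 0))` forms `&fr->fr_dif` before anything has established that `fr` is non-null, and the `if (!fr || !(fr->fr_flags & FR_RETMASK))` a few lines later shows NULL is an expected value; computing a member address through a null pointer is undefined behaviour even though no load happens. Write it as `if ((fr == NULL || fdp != &fr->fr_dif) && (fin->fin_out == 0))`. Separately, in the `@@ -985` hunk the bound became `type >= ICMP_MAXTYPE`: if ICMP_MAXTYPE is the largest defined type number, as in the BSD ip_icmp.h, this now rejects a valid type, while if it is a table size the change is correct — a comment on that line saying which is intended would settle it. Where `fr` is assigned in fr_fastroute is outside this hunk.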
@@ -1613,8 +1345,12 @@ fr_info_t *fin; htonl(m->m_pkthdr.csum_data + fin->fin_ip->ip_len + fin->fin_p)); sum ^= 0xffff; - if (sum != 0) + if (sum != 0) { fin->fin_flx |= FI_BAD; + fin->fin_cksum = -1; + } else { + fin->fin_cksum = 1; + } } else manual = 1; skipauto: @@ -1726,11 +1462,16 @@ int len; m = m_pullup(m, len); } *fin->fin_mp = m; - fin->fin_m = m; if (m == NULL) { + fin->fin_m = NULL; ATOMIC_INCL(frstats[out].fr_pull[1]); return NULL; } + + while (M_LEN(m) == 0) { + m = m->m_next; + } + fin->fin_m = m; ip = MTOD(m, char *) + ipoff; } 
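Review bot: The new `while (M_LEN(m) == 0) { m = m->m_next; }` in fr_pullup walks off the end of the chain if every remaining mbuf is empty, leaving `m == NULL` for the `MTOD(m, char *)` on the next line; the m_pullup branch above it guarantees a non-empty first mbuf, but this loop also runs on the path where no pullup was done. Guard it as `while (m != NULL && M_LEN(m) == 0)` and, on NULL, take the same exit as the pullup-failure case (`fin->fin_m = NULL; ATOMIC_INCL(frstats[out].fr_pull[1]); return NULL;`). Note that `*fin->fin_mp` was already set to the head of the chain before the skip, so `fin->fin_m` and `*fin->fin_mp` can now legitimately differ — a comment saying so would help. fr_pullup begins outside this hunk.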
@@ -1743,3 +1484,165 @@ int len; fin->fin_flx |= FI_COALESCE; return ip; } + + +int ipf_inject(fin, m) +fr_info_t *fin; +mb_t *m; +{ + int error = 0; + + if (fin->fin_out == 0) { +#if (__FreeBSD_version >= 501000) + netisr_dispatch(NETISR_IP, m); +#else + struct ifqueue *ifq; + + ifq = &ipintrq; + +# ifdef _IF_QFULL + if (_IF_QFULL(ifq)) +# else + if (IF_QFULL(ifq)) +# endif + { +# ifdef _IF_DROP + _IF_DROP(ifq); +# else + IF_DROP(ifq); +# endif + FREE_MB_T(m); + error = ENOBUFS; + } else { + IF_ENQUEUE(ifq, m); + } +#endif + } else { +#if (__FreeBSD_version >= 470102) + error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); +#else + error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL); +#endif + } + + return error; +} + +int ipf_pfil_unhook(void) { +#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011) +# if __FreeBSD_version >= 501108 + struct pfil_head *ph_inet; +# ifdef USE_INET6 + struct pfil_head *ph_inet6; +# endif +# endif +#endif + +#ifdef NETBSD_PF +# if (__FreeBSD_version >= 500011) +# if (__FreeBSD_version >= 501108) + ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); + if (ph_inet != NULL) + pfil_remove_hook((void *)fr_check_wrapper, NULL, + PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet); +# else + pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); +# endif +# else + pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK); +# endif +# ifdef USE_INET6 +# if (__FreeBSD_version >= 501108) + ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); + if (ph_inet6 != NULL) + pfil_remove_hook((void *)fr_check_wrapper6, NULL, + PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6); +# else + pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK, + &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); +# endif +# endif +#endif + + return (0); +} + +int ipf_pfil_hook(void) { +#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011) +# if __FreeBSD_version >= 501108 + struct pfil_head *ph_inet; +# ifdef USE_INET6 + struct 
pfil_head *ph_inet6; +# endif +# endif +#endif + +# ifdef NETBSD_PF +# if __FreeBSD_version >= 500011 +# if __FreeBSD_version >= 501108 + ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); +# ifdef USE_INET6 + ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); +# endif + if (ph_inet == NULL +# ifdef USE_INET6 + && ph_inet6 == NULL +# endif + ) + return ENODEV; + + if (ph_inet != NULL) + pfil_add_hook((void *)fr_check_wrapper, NULL, + PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet); +# else + pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); +# endif +# else + pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK); +# endif +# ifdef USE_INET6 +# if __FreeBSD_version >= 501108 + if (ph_inet6 != NULL) + pfil_add_hook((void *)fr_check_wrapper6, NULL, + PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6); +# else + pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK, + &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); +# endif +# endif +# endif + return (0); +} + +void +ipf_event_reg(void) +{ +#if (__FreeBSD_version >= 502103) + ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \ + ipf_ifevent, NULL, \ + EVENTHANDLER_PRI_ANY); + ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \ + ipf_ifevent, NULL, \ + EVENTHANDLER_PRI_ANY); + ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \ + NULL, EVENTHANDLER_PRI_ANY); +#endif +} + +void +ipf_event_dereg(void) +{ +#if (__FreeBSD_version >= 502103) + if (ipf_arrivetag != NULL) { + EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag); + } + if (ipf_departtag != NULL) { + EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag); + } + if (ipf_clonetag != NULL) { + EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag); + } +#endif +} diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index 5a932951601d..fb21bd1d4846 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c 
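Review bot: ipf_pfil_hook() discards the return value of every `pfil_add_hook()` call, whereas the code it replaces in ipfattach() (removed earlier in this commit) stored it in `error`, unwound with `fr_deinitialise()` and returned it; now a failed registration leaves the caller believing the filter is active while no packets are being inspected, and the ENODEV path only covers the case where both heads are missing. The same applies to ipf_pfil_unhook(), which should at least return the `pfil_remove_hook()` status instead of a constant 0. Below is the `__FreeBSD_version >= 501108` branch with the status checked and the v4 hook rolled back when the v6 one fails; the pre-501108 branches need the same treatment. Also, `int ipf_pfil_unhook(void) {` puts the brace on the signature line, unlike the rest of this file.
```c
int ipf_pfil_hook(void) {
	int error = 0;
	/* … unchanged: ph_inet/ph_inet6 declarations, pfil_head_get() and ENODEV check … */
	if (ph_inet != NULL)
		error = pfil_add_hook((void *)fr_check_wrapper, NULL,
				      PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
	if (error != 0)
		return error;
	/* … unchanged: pre-501108 branches … */
#  ifdef USE_INET6
	if (ph_inet6 != NULL)
		error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
				      PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
	if (error != 0 && ph_inet != NULL)
		pfil_remove_hook((void *)fr_check_wrapper, NULL,
				 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
#  endif
	return error;
```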
+++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -103,20 +103,21 @@ extern struct timeout fr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; static const char rcsid[] = "@(#)$FreeBSD$"; -/* static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.5 2006/02/26 08:26:54 darrenr Exp $";*/ +/* static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.12 2007/09/20 12:51:51 darrenr Exp $"; */ #endif -static ipfr_t *ipfr_list = NULL; -static ipfr_t **ipfr_tail = &ipfr_list; +ipfr_t *ipfr_list = NULL; +ipfr_t **ipfr_tail = &ipfr_list; + +ipfr_t *ipfr_natlist = NULL; +ipfr_t **ipfr_nattail = &ipfr_natlist; + +ipfr_t *ipfr_ipidlist = NULL; +ipfr_t **ipfr_ipidtail = &ipfr_ipidlist; + static ipfr_t **ipfr_heads; - -static ipfr_t *ipfr_natlist = NULL; -static ipfr_t **ipfr_nattail = &ipfr_natlist; static ipfr_t **ipfr_nattab; - -static ipfr_t *ipfr_ipidlist = NULL; -static ipfr_t **ipfr_ipidtail = &ipfr_ipidlist; static ipfr_t **ipfr_ipidtab; static ipfrstat_t ipfr_stats; @@ -132,6 +133,7 @@ u_long fr_ticks = 0; static ipfr_t *ipfr_newfrag __P((fr_info_t *, u_32_t, ipfr_t **)); static ipfr_t *fr_fraglookup __P((fr_info_t *, ipfr_t **)); static void fr_fragdelete __P((ipfr_t *, ipfr_t ***)); +static void fr_fragfree __P((ipfr_t *)); /* ------------------------------------------------------------------------ */ @@ -308,6 +310,7 @@ ipfr_t *table[]; fra->ipfr_seen0 = 1; fra->ipfr_off = off + (fin->fin_dlen >> 3); fra->ipfr_pass = pass; + fra->ipfr_ref = 1; ipfr_stats.ifs_new++; ipfr_inuse++; return fra; @@ -688,11 +691,6 @@ void *ptr; static void fr_fragdelete(fra, tail) ipfr_t *fra, ***tail; { - frentry_t *fr; - - fr = fra->ipfr_rule; - if (fr != NULL) - (void)fr_derefrule(&fr); if (fra->ipfr_next) fra->ipfr_next->ipfr_prev = fra->ipfr_prev; 
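Review bot: `ipfr_ipidlist` and `ipfr_ipidtail` lose their `static` here along with the other two list heads, but the ip_frag.h hunk later in this commit only adds `extern` declarations for `ipfr_list`/`ipfr_tail` and `ipfr_natlist`/`ipfr_nattail`; either the ipid pair should stay `static` or it needs the matching `extern ipfr_t *ipfr_ipidlist, **ipfr_ipidtail;`. Since these heads are now reachable from other files, a comment above them stating which rwlock protects each list (`ipf_frag`, `ipf_natfrag`, `ipf_ipidfrag` per the WRITE_ENTER calls in this file) would help callers such as the new fr_nextfrag() get the lock argument right.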
@@ -703,7 +701,30 @@ ipfr_t *fra, ***tail; if (fra->ipfr_hnext) fra->ipfr_hnext->ipfr_hprev = fra->ipfr_hprev; *fra->ipfr_hprev = fra->ipfr_hnext; + + if (fra->ipfr_rule != NULL) { + (void) fr_derefrule(&fra->ipfr_rule); + } + + if (fra->ipfr_ref <= 0) + fr_fragfree(fra); +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_fragfree */ +/* Returns: Nil */ +/* Parameters: fra - pointer to frag structure to free */ +/* */ +/* Take care of the details associated with deleting an entry from the frag */ +/* cache. Currently this just means bumping stats correctly after freeing */ +/* ------------------------------------------------------------------------ */ +static void fr_fragfree(fra) +ipfr_t *fra; +{ KFREE(fra); + ipfr_stats.ifs_expire++; + ipfr_inuse--; } @@ -721,8 +742,10 @@ void fr_fragclear() nat_t *nat; WRITE_ENTER(&ipf_frag); - while ((fra = ipfr_list) != NULL) + while ((fra = ipfr_list) != NULL) { + fra->ipfr_ref--; fr_fragdelete(fra, &ipfr_tail); + } ipfr_tail = &ipfr_list; RWLOCK_EXIT(&ipf_frag); @@ -734,6 +757,7 @@ void fr_fragclear() if (nat->nat_data == fra) nat->nat_data = NULL; } + fra->ipfr_ref--; fr_fragdelete(fra, &ipfr_nattail); } ipfr_nattail = &ipfr_natlist; @@ -767,9 +791,8 @@ void fr_fragexpire() for (fp = &ipfr_list; ((fra = *fp) != NULL); ) { if (fra->ipfr_ttl > fr_ticks) break; + fra->ipfr_ref--; fr_fragdelete(fra, &ipfr_tail); - ipfr_stats.ifs_expire++; - ipfr_inuse--; } RWLOCK_EXIT(&ipf_frag); @@ -777,9 +800,8 @@ void fr_fragexpire() for (fp = &ipfr_ipidlist; ((fra = *fp) != NULL); ) { if (fra->ipfr_ttl > fr_ticks) break; + fra->ipfr_ref--; fr_fragdelete(fra, &ipfr_ipidtail); - ipfr_stats.ifs_expire++; - ipfr_inuse--; } RWLOCK_EXIT(&ipf_ipidfrag); 
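Review bot: fr_fragfree() increments `ipfr_stats.ifs_expire` on every free, but it is now reached from fr_fragclear() (an explicit flush) and from fr_fragderef() as well as from fr_fragexpire(), so the "expire" counter will also count flushed and iterator-released entries, which the removed per-loop increments did not; either rename the statistic's meaning in the fr_fragfree header comment or bump `ifs_expire` only in fr_fragexpire() and leave `ipfr_inuse--` in fr_fragfree(). The pattern `fra->ipfr_ref--; fr_fragdelete(fra, ...)` is now repeated five times across fr_fragclear() and fr_fragexpire(); folding the decrement into fr_fragdelete() (it already tests `ipfr_ref <= 0`) would remove the chance of a caller forgetting it. fr_fragdelete also leaves `fra->ipfr_next` pointing at its former neighbour after unlinking, which matters for entries kept alive by a token reference.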
@@ -789,23 +811,27 @@ void fr_fragexpire() * at the one to be free'd, NULL the reference from the NAT struct. * NOTE: We need to grab both mutex's early, and in this order so as * to prevent a deadlock if both try to expire at the same time. + * The extra if() statement here is because it locks out all NAT + * operations - no need to do that if there are no entries in this + * list, right? */ - WRITE_ENTER(&ipf_nat); - WRITE_ENTER(&ipf_natfrag); - for (fp = &ipfr_natlist; ((fra = *fp) != NULL); ) { - if (fra->ipfr_ttl > fr_ticks) - break; - nat = fra->ipfr_data; - if (nat != NULL) { - if (nat->nat_data == fra) - nat->nat_data = NULL; + if (ipfr_natlist != NULL) { + WRITE_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_natfrag); + for (fp = &ipfr_natlist; ((fra = *fp) != NULL); ) { + if (fra->ipfr_ttl > fr_ticks) + break; + nat = fra->ipfr_data; + if (nat != NULL) { + if (nat->nat_data == fra) + nat->nat_data = NULL; + } + fra->ipfr_ref--; + fr_fragdelete(fra, &ipfr_nattail); } - fr_fragdelete(fra, &ipfr_nattail); - ipfr_stats.ifs_expire++; - ipfr_inuse--; + RWLOCK_EXIT(&ipf_natfrag); + RWLOCK_EXIT(&ipf_nat); } - RWLOCK_EXIT(&ipf_natfrag); - RWLOCK_EXIT(&ipf_nat); SPL_X(s); } @@ -828,6 +854,7 @@ int fr_slowtimer() { READ_ENTER(&ipf_global); + ipf_expiretokens(); fr_fragexpire(); fr_timeoutstate(); fr_natexpire(); 
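Review bot: The new `if (ipfr_natlist != NULL)` test reads the NAT fragment list head before `WRITE_ENTER(&ipf_nat)` and `WRITE_ENTER(&ipf_natfrag)` are taken, so it is an unlocked read of state that other paths modify under those locks; it is benign only if a concurrent insert may be deferred to the next timer tick and the loop re-checks under the lock (which it does via `*fp`), and that reasoning should be in the comment rather than the rhetorical "right?". Suggested wording: `/* Unlocked peek: an entry added concurrently is simply expired on a later tick; the loop itself re-reads the head under the locks. */`.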
@@ -861,3 +888,106 @@ done: # endif } #endif /* !SOLARIS && !defined(__hpux) && !defined(__sgi) */ + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_nextfrag */ +/* Returns: int - 0 == success, else error */ +/* Parameters: token(I) - pointer to token information for this caller */ +/* itp(I) - pointer to generic iterator from caller */ +/* top(I) - top of the fragment list */ +/* tail(I) - tail of the fragment list */ +/* lock(I) - fragment cache lock */ +/* */ +/* This function is used to interate through the list of entries in the */ +/* fragment cache. It increases the reference count on the one currently */ +/* being returned so that the caller can come back and resume from it later.*/ +/* */ +/* This function is used for both the NAT fragment cache as well as the ipf */ +/* fragment cache - hence the reason for passing in top, tail and lock. */ +/* ------------------------------------------------------------------------ */ +int fr_nextfrag(token, itp, top, tail +#ifdef USE_MUTEXES +, lock +#endif +) +ipftoken_t *token; +ipfgeniter_t *itp; +ipfr_t **top, ***tail; +#ifdef USE_MUTEXES +ipfrwlock_t *lock; +#endif +{ + ipfr_t *frag, *next, zero; + int error = 0; + + frag = token->ipt_data; + if (frag == (ipfr_t *)-1) { + ipf_freetoken(token); + return ESRCH; + } + + READ_ENTER(lock); + if (frag == NULL) + next = *top; + else + next = frag->ipfr_next; + + if (next != NULL) { + ATOMIC_INC(next->ipfr_ref); + token->ipt_data = next; + } else { + bzero(&zero, sizeof(zero)); + next = &zero; + token->ipt_data = NULL; + } + RWLOCK_EXIT(lock); + + if (frag != NULL) { +#ifdef USE_MUTEXES + fr_fragderef(&frag, lock); +#else + fr_fragderef(&frag); +#endif + } + + error = COPYOUT(next, itp->igi_data, sizeof(*next)); + if (error != 0) + error = EFAULT; + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_fragderef */ +/* Returns: Nil */ +/* Parameters: frp(IO) 
- pointer to fragment structure to deference */ +/* lock(I) - lock associated with the fragment */ +/* */ +/* This function dereferences a fragment structure (ipfr_t). The pointer */ +/* passed in will always be reset back to NULL, even if the structure is */ +/* not freed, to enforce the notion that the caller is no longer entitled */ +/* to use the pointer it is dropping the reference to. */ +/* ------------------------------------------------------------------------ */ +void fr_fragderef(frp +#ifdef USE_MUTEXES +, lock +#endif +) +ipfr_t **frp; +#ifdef USE_MUTEXES +ipfrwlock_t *lock; +#endif +{ + ipfr_t *fra; + + fra = *frp; + *frp = NULL; + + WRITE_ENTER(lock); + fra->ipfr_ref--; + if (fra->ipfr_ref <= 0) + fr_fragfree(fra); + RWLOCK_EXIT(lock); +} diff --git a/sys/contrib/ipfilter/netinet/ip_frag.h b/sys/contrib/ipfilter/netinet/ip_frag.h index 88b588277cb5..f21d84af5d41 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.h +++ b/sys/contrib/ipfilter/netinet/ip_frag.h @@ -7,7 +7,7 @@ * * @(#)ip_frag.h 1.5 3/24/96 * $FreeBSD$ - * Id: ip_frag.h,v 2.23.2.1 2004/03/29 16:21:56 darrenr Exp + * Id: ip_frag.h,v 2.23.2.5 2006/12/23 11:11:47 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -19,6 +19,16 @@ typedef struct ipfr { struct ipfr *ipfr_hnext, **ipfr_hprev; struct ipfr *ipfr_next, **ipfr_prev; void *ipfr_data; + frentry_t *ipfr_rule; + u_long ipfr_ttl; + int ipfr_ref; + u_short ipfr_off; + u_short ipfr_seen0; + /* + * All of the fields, from ipfr_ifp to ipfr_pass, are compared + * using bcmp to see if an identical entry is present. It is + * therefore important for this set to remain together. + */ void *ipfr_ifp; struct in_addr ipfr_src; struct in_addr ipfr_dst; @@ -29,10 +39,6 @@ typedef struct ipfr { u_char ipfr_p; u_char ipfr_tos; u_32_t ipfr_pass; - u_short ipfr_off; - u_char ipfr_ttl; - u_char ipfr_seen0; - frentry_t *ipfr_rule; } ipfr_t; 
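Review bot: fr_nextfrag() resumes with `next = frag->ipfr_next` on an entry that the token has held a reference to since a previous call, but fr_fragdelete() in this file unlinks an entry without clearing `ipfr_next` and frees it only when the count drops, so an entry that expired while the token held it still carries a pointer to whatever followed it — possibly memory that has since been freed — and the iterator will read it under `READ_ENTER(lock)`. Setting `fra->ipfr_next = NULL` in fr_fragdelete() after the unlink, and treating `next == NULL` here as end-of-list, closes that window (an unlinked entry can then only end the walk). Separately, `COPYOUT(next, itp->igi_data, sizeof(*next))` copies the raw kernel `ipfr_t` including `ipfr_hnext`, `ipfr_next`, `ipfr_data`, `ipfr_rule` and `ipfr_ifp` to userland, which discloses kernel addresses to anyone permitted to open the device; copying a scrubbed stack copy with those pointers zeroed would avoid that. fr_fragderef() also dereferences `*frp` unconditionally, which is fine for its one caller here but should be stated in its header comment.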
@@ -52,6 +58,8 @@ typedef struct ipfrstat { #define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_pass) - \ offsetof(ipfr_t, ipfr_ifp)) +extern ipfr_t *ipfr_list, **ipfr_tail; +extern ipfr_t *ipfr_natlist, **ipfr_nattail; extern int ipfr_size; extern int fr_ipfrttl; extern int fr_frag_lock; @@ -67,6 +75,15 @@ extern nat_t *fr_nat_knownfrag __P((fr_info_t *)); extern int fr_ipid_newfrag __P((fr_info_t *, u_32_t)); extern u_32_t fr_ipid_knownfrag __P((fr_info_t *)); +#ifdef USE_MUTEXES +extern void fr_fragderef __P((ipfr_t **, ipfrwlock_t *)); +extern int fr_nextfrag __P((ipftoken_t *, ipfgeniter_t *, ipfr_t **, \ + ipfr_t ***, ipfrwlock_t *)); +#else +extern void fr_fragderef __P((ipfr_t **)); +extern int fr_nextfrag __P((ipftoken_t *, ipfgeniter_t *, ipfr_t **, \ + ipfr_t ***)); +#endif extern void fr_forget __P((void *)); extern void fr_forgetnat __P((void *)); diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 6718f85625f5..39626c047ff6 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -9,7 +9,7 @@ * code. * * $FreeBSD$ - * Id: ip_ftp_pxy.c,v 2.88.2.19 2006/04/01 10:14:53 darrenr Exp $ + * Id: ip_ftp_pxy.c,v 2.88.2.22 2007/05/10 09:30:39 darrenr Exp $ */ #define IPF_FTP_PROXY @@ -371,24 +371,11 @@ int dlen; } (void) fr_addstate(&fi, NULL, SI_W_DPORT); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_len = slen; ip->ip_src = swip; ip->ip_dst = swip2; - } else { - ipstate_t *is; - - nat_update(&fi, nat2, nat->nat_ptr); - READ_ENTER(&ipf_state); - is = nat2->nat_state; - if (is != NULL) { - MUTEX_ENTER(&is->is_lock); - (void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb, - is->is_flags); - MUTEX_EXIT(&is->is_lock); - } - RWLOCK_EXIT(&ipf_state); } return APR_INC(inc); } 
@@ -733,25 +720,12 @@ u_int data_ip; } (void) fr_addstate(&fi, NULL, sflags); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_len = slen; ip->ip_src = swip; ip->ip_dst = swip2; - } else { - ipstate_t *is; - - nat_update(&fi, nat2, nat->nat_ptr); - READ_ENTER(&ipf_state); - is = nat2->nat_state; - if (is != NULL) { - MUTEX_ENTER(&is->is_lock); - (void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb, - is->is_flags); - MUTEX_EXIT(&is->is_lock); - } - RWLOCK_EXIT(&ipf_state); } return inc; } @@ -1144,8 +1118,8 @@ int rv; f->ftps_seq[1] = thseq + 1 - seqoff; } else { if (ippr_ftp_debug > 1) { - printf("FIN: thseq %x seqoff %d ftps_seq %x\n", - thseq, seqoff, f->ftps_seq[0]); + printf("FIN: thseq %x seqoff %d ftps_seq %x %x\n", + thseq, seqoff, f->ftps_seq[0], f->ftps_seq[1]); } return APR_ERR(1); } diff --git a/sys/contrib/ipfilter/netinet/ip_htable.c b/sys/contrib/ipfilter/netinet/ip_htable.c index aaecaa63f52d..fc521d851a32 100644 --- a/sys/contrib/ipfilter/netinet/ip_htable.c +++ b/sys/contrib/ipfilter/netinet/ip_htable.c @@ -53,7 +53,7 @@ struct file; /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.4 2005/11/13 15:38:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.11 2007/09/20 12:51:51 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP 
@@ -103,30 +103,34 @@ iplookupop_t *op; char name[FR_GROUPLEN]; int err, i, unit; + unit = op->iplo_unit; + if ((op->iplo_arg & IPHASH_ANON) == 0) { + iph = fr_existshtable(unit, op->iplo_name); + if (iph != NULL) { + if ((iph->iph_flags & IPHASH_DELETE) == 0) + return EEXIST; + iph->iph_flags &= ~IPHASH_DELETE; + return 0; + } + } + KMALLOC(iph, iphtable_t *); if (iph == NULL) { ipht_nomem[op->iplo_unit]++; return ENOMEM; } - err = COPYIN(op->iplo_struct, iph, sizeof(*iph)); if (err != 0) { KFREE(iph); return EFAULT; } - unit = op->iplo_unit; if (iph->iph_unit != unit) { KFREE(iph); return EINVAL; } - if ((op->iplo_arg & IPHASH_ANON) == 0) { - if (fr_findhtable(op->iplo_unit, op->iplo_name) != NULL) { - KFREE(iph); - return EEXIST; - } - } else { + if ((op->iplo_arg & IPHASH_ANON) != 0) { i = IPHASH_ANON; do { i++; @@ -157,13 +161,14 @@ iplookupop_t *op; bzero((char *)iph->iph_table, iph->iph_size * sizeof(*iph->iph_table)); iph->iph_masks = 0; + iph->iph_list = NULL; + iph->iph_ref = 1; iph->iph_next = ipf_htables[unit]; iph->iph_pnext = &ipf_htables[unit]; if (ipf_htables[unit] != NULL) ipf_htables[unit]->iph_pnext = &iph->iph_next; ipf_htables[unit] = iph; - ipf_nhtables[unit]++; return 0; @@ -172,22 +177,24 @@ iplookupop_t *op; /* */ -int fr_removehtable(op) -iplookupop_t *op; +int fr_removehtable(unit, name) +int unit; +char *name; { iphtable_t *iph; - - iph = fr_findhtable(op->iplo_unit, op->iplo_name); + iph = fr_findhtable(unit, name); if (iph == NULL) return ESRCH; - if (iph->iph_unit != op->iplo_unit) { + if (iph->iph_unit != unit) { return EINVAL; } if (iph->iph_ref != 0) { - return EBUSY; + (void) fr_clearhtable(iph); + iph->iph_flags |= IPHASH_DELETE; + return 0; } fr_delhtable(iph); 
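Review bot: In fr_removehtable the test `if (iph->iph_ref != 0)` now appears to be always true for a table still on the list, because fr_newhtable sets `iph->iph_ref = 1` at creation and fr_derefhtable (later in this commit) frees the table the moment the count reaches 0; so every removal takes the clear-and-mark-IPHASH_DELETE path and the trailing `fr_delhtable(iph)` looks unreachable, leaving an emptied table on the list until a flush. If the creation reference is meant to be the table's own, the test should be `if (iph->iph_ref > 1)`, with a comment saying that 1 means "only the table itself". Also, when fr_newhtable resurrects a table flagged IPHASH_DELETE it returns 0 without looking at the `op->iplo_struct` the caller supplied, so a differing size or type silently keeps the old configuration; a comment on that early return, or an EEXIST when the parameters differ, would make that visible.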
@@ -196,40 +203,106 @@ iplookupop_t *op; } -void fr_delhtable(iph) +int fr_clearhtable(iph) iphtable_t *iph; { iphtent_t *ipe; - int i; - for (i = 0; i < iph->iph_size; i++) - while ((ipe = iph->iph_table[i]) != NULL) - if (fr_delhtent(iph, ipe) != 0) - return; + while ((ipe = iph->iph_list) != NULL) + if (fr_delhtent(iph, ipe) != 0) + return 1; + return 0; +} - *iph->iph_pnext = iph->iph_next; + +int fr_delhtable(iph) +iphtable_t *iph; +{ + + if (fr_clearhtable(iph) != 0) + return 1; + + if (iph->iph_pnext != NULL) + *iph->iph_pnext = iph->iph_next; if (iph->iph_next != NULL) iph->iph_next->iph_pnext = iph->iph_pnext; ipf_nhtables[iph->iph_unit]--; + return fr_derefhtable(iph); +} + + +/* + * Delete an entry from a hash table. + */ +int fr_delhtent(iph, ipe) +iphtable_t *iph; +iphtent_t *ipe; +{ + + if (ipe->ipe_phnext != NULL) + *ipe->ipe_phnext = ipe->ipe_hnext; + if (ipe->ipe_hnext != NULL) + ipe->ipe_hnext->ipe_phnext = ipe->ipe_phnext; + + if (ipe->ipe_pnext != NULL) + *ipe->ipe_pnext = ipe->ipe_next; + if (ipe->ipe_next != NULL) + ipe->ipe_next->ipe_pnext = ipe->ipe_pnext; + + switch (iph->iph_type & ~IPHASH_ANON) + { + case IPHASH_GROUPMAP : + if (ipe->ipe_group != NULL) + fr_delgroup(ipe->ipe_group, IPL_LOGIPF, fr_active); + break; + + default : + ipe->ipe_ptr = NULL; + ipe->ipe_value = 0; + break; + } + + return fr_derefhtent(ipe); +} + + +int fr_derefhtable(iph) +iphtable_t *iph; +{ + int refs; + + iph->iph_ref--; + refs = iph->iph_ref; + if (iph->iph_ref == 0) { KFREES(iph->iph_table, iph->iph_size * sizeof(*iph->iph_table)); KFREE(iph); } + + return refs; } -void fr_derefhtable(iph) -iphtable_t *iph; +int fr_derefhtent(ipe) +iphtent_t *ipe; { - iph->iph_ref--; - if (iph->iph_ref == 0) - fr_delhtable(iph); + + ipe->ipe_ref--; + if (ipe->ipe_ref == 0) { + ipf_nhtnodes[ipe->ipe_unit]--; + + KFREE(ipe); + + return 0; + } + + return ipe->ipe_ref; } -iphtable_t *fr_findhtable(unit, name) +iphtable_t *fr_existshtable(unit, name) int unit; char *name; { 
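Review bot: The return values of the new reference-counted helpers have inconsistent meanings and none is documented: fr_clearhtable() returns 1 as soon as one fr_delhtent() reports remaining references and leaves the rest of the list in place, fr_delhtable() treats that 1 as fatal and returns before unlinking the table, fr_derefhtable()/fr_derefhtent() return the remaining count, and fr_removehtable() ignores fr_clearhtable() entirely. A short contract comment on each, e.g. `/* Returns 0 when every entry was released, 1 if an entry is still referenced and the table is left partially cleared */` on fr_clearhtable and `/* Returns the remaining reference count; 0 means the object was freed */` on the two deref functions, would let callers be checked against it. Note also that fr_derefhtable() frees `iph` at count 0 without unlinking it from `ipf_htables`, so it must only be reached after fr_delhtable() has done the unlink — worth a comment since fr_removehtable can no longer get there directly.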
@@ -242,6 +315,20 @@ char *name; } +iphtable_t *fr_findhtable(unit, name) +int unit; +char *name; +{ + iphtable_t *iph; + + iph = fr_existshtable(unit, name); + if ((iph != NULL) && (iph->iph_flags & IPHASH_DELETE) == 0) + return iph; + + return NULL; +} + + size_t fr_flushhtable(op) iplookupflush_t *op; { @@ -254,8 +341,11 @@ iplookupflush_t *op; for (i = 0; i <= IPL_LOGMAX; i++) { if (op->iplf_unit == i || op->iplf_unit == IPL_LOGALL) { while ((iph = ipf_htables[i]) != NULL) { - fr_delhtable(iph); - freed++; + if (fr_delhtable(iph) == 0) { + freed++; + } else { + iph->iph_flags |= IPHASH_DELETE; + } } } } @@ -287,13 +377,20 @@ iphtent_t *ipeo; hv = IPE_HASH_FN(ipe->ipe_addr.in4_addr, ipe->ipe_mask.in4_addr, iph->iph_size); - ipe->ipe_ref = 0; - ipe->ipe_next = iph->iph_table[hv]; - ipe->ipe_pnext = iph->iph_table + hv; + ipe->ipe_ref = 1; + ipe->ipe_hnext = iph->iph_table[hv]; + ipe->ipe_phnext = iph->iph_table + hv; if (iph->iph_table[hv] != NULL) - iph->iph_table[hv]->ipe_pnext = &ipe->ipe_next; + iph->iph_table[hv]->ipe_phnext = &ipe->ipe_hnext; iph->iph_table[hv] = ipe; + + ipe->ipe_next = iph->iph_list; + ipe->ipe_pnext = &iph->iph_list; + if (ipe->ipe_next != NULL) + ipe->ipe_next->ipe_pnext = &ipe->ipe_next; + iph->iph_list = ipe; + if ((bits >= 0) && (bits != 32)) iph->iph_masks |= 1 << bits; 
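Review bot: fr_findhtable now hides tables marked IPHASH_DELETE while fr_existshtable (renamed in the previous hunk) still returns them, and neither function says when a caller should use which. Suggest above fr_findhtable: `/* Like fr_existshtable, but a table marked IPHASH_DELETE is treated as absent so that no new reference can be taken on a table that is waiting to be freed. */`. fr_newhtable is the one caller that deliberately wants the marked table and uses fr_existshtable for that reason, which is worth a matching remark there.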
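Review bot: In fr_flushhtable the `iph->iph_flags |= IPHASH_DELETE;` branch touches iph after fr_delhtable has run, which is safe only because a non-zero return means either the clear stopped early or fr_derefhtable did not reach zero, so the table is still allocated; that invariant is not written down anywhere. A comment on the else branch, `/* non-zero: still referenced, fr_delhtable did not free it */`, would make it explicit. Note that a table which was unlinked but is still referenced is not counted in `freed`, so the count handed back to the caller excludes tables that are no longer reachable by name — if that is intended, the header comment of fr_flushhtable (outside the hunk) should say so.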
@@ -311,44 +408,8 @@ iphtent_t *ipeo; break; } - ipf_nhtnodes[iph->iph_unit]++; - - return 0; -} - - -/* - * Delete an entry from a hash table. - */ -int fr_delhtent(iph, ipe) -iphtable_t *iph; -iphtent_t *ipe; -{ - - if (ipe->ipe_ref != 0) - return EBUSY; - - - *ipe->ipe_pnext = ipe->ipe_next; - if (ipe->ipe_next != NULL) - ipe->ipe_next->ipe_pnext = ipe->ipe_pnext; - - switch (iph->iph_type & ~IPHASH_ANON) - { - case IPHASH_GROUPMAP : - if (ipe->ipe_group != NULL) - fr_delgroup(ipe->ipe_group, IPL_LOGIPF, fr_active); - break; - - default : - ipe->ipe_ptr = NULL; - ipe->ipe_value = 0; - break; - } - - KFREE(ipe); - - ipf_nhtnodes[iph->iph_unit]--; + ipe->ipe_unit = iph->iph_unit; + ipf_nhtnodes[ipe->ipe_unit]++; return 0; } @@ -379,22 +440,22 @@ void *tptr, *aptr; /* ------------------------------------------------------------------------ */ /* Function: fr_iphmfindip */ /* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */ -/* Parameters: tptr(I) - pointer to the pool to search */ -/* version(I) - IP protocol version (4 or 6) */ -/* aptr(I) - pointer to address information */ +/* Parameters: tptr(I) - pointer to the pool to search */ +/* ipversion(I) - IP protocol version (4 or 6) */ +/* aptr(I) - pointer to address information */ /* */ /* Search the hash table for a given address and return a search result. */ /* ------------------------------------------------------------------------ */ -int fr_iphmfindip(tptr, version, aptr) +int fr_iphmfindip(tptr, ipversion, aptr) void *tptr, *aptr; -int version; +int ipversion; { struct in_addr *addr; iphtable_t *iph; iphtent_t *ipe; int rval; - if (version != 4) + if (ipversion != 4) return -1; if (tptr == NULL || aptr == NULL) 
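Review bot: `ipe->ipe_unit` is assigned only at the very end of fr_addhtent, after the entry was already linked into the hash chain and iph_list in the hunk on the previous line, and fr_derefhtent now indexes ipf_nhtnodes with `ipe_unit` when the entry dies. If any case of the switch above returns early (its body lies outside the hunk), a linked entry would carry an unset ipe_unit and the later decrement would index an uninitialised slot; moving `ipe->ipe_unit = iph->iph_unit;` next to `ipe->ipe_ref = 1;` removes the ordering dependency.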
@@ -428,7 +489,7 @@ struct in_addr *addr;
 maskloop:
 ips = ntohl(addr->s_addr) & msk;
 hv = IPE_HASH_FN(ips, msk, iph->iph_size);
- for (ipe = iph->iph_table[hv]; (ipe != NULL); ipe = ipe->ipe_next) {
+ for (ipe = iph->iph_table[hv]; (ipe != NULL); ipe = ipe->ipe_hnext) {
 if (ipe->ipe_mask.in4_addr != msk ||
 ipe->ipe_addr.in4_addr != ips) {
 continue;
@@ -451,4 +512,131 @@ maskloop: return ipe; } + +int fr_htable_getnext(token, ilp) +ipftoken_t *token; +ipflookupiter_t *ilp; +{ + iphtent_t *node, zn, *nextnode; + iphtable_t *iph, zp, *nextiph; + int err; + + err = 0; + iph = NULL; + node = NULL; + nextiph = NULL; + nextnode = NULL; + + READ_ENTER(&ip_poolrw); + + switch (ilp->ili_otype) + { + case IPFLOOKUPITER_LIST : + iph = token->ipt_data; + if (iph == NULL) { + nextiph = ipf_htables[(int)ilp->ili_unit]; + } else { + nextiph = iph->iph_next; + } + + if (nextiph != NULL) { + ATOMIC_INC(nextiph->iph_ref); + token->ipt_data = nextiph; + } else { + bzero((char *)&zp, sizeof(zp)); + nextiph = &zp; + token->ipt_data = NULL; + } + break; + + case IPFLOOKUPITER_NODE : + node = token->ipt_data; + if (node == NULL) { + iph = fr_findhtable(ilp->ili_unit, ilp->ili_name); + if (iph == NULL) + err = ESRCH; + else { + nextnode = iph->iph_list; + } + } else { + nextnode = node->ipe_next; + } + + if (nextnode != NULL) { + ATOMIC_INC(nextnode->ipe_ref); + token->ipt_data = nextnode; + } else { + bzero((char *)&zn, sizeof(zn)); + nextnode = &zn; + token->ipt_data = NULL; + } + break; + default : + err = EINVAL; + break; + } + + RWLOCK_EXIT(&ip_poolrw); + if (err != 0) + return err; + + switch (ilp->ili_otype) + { + case IPFLOOKUPITER_LIST : + if (iph != NULL) { + WRITE_ENTER(&ip_poolrw); + fr_derefhtable(iph); + RWLOCK_EXIT(&ip_poolrw); + } + err = COPYOUT(nextiph, ilp->ili_data, sizeof(*nextiph)); + if (err != 0) + err = EFAULT; + break; + + case IPFLOOKUPITER_NODE : + if (node != NULL) { + WRITE_ENTER(&ip_poolrw); + fr_derefhtent(node); + RWLOCK_EXIT(&ip_poolrw); + } + err = COPYOUT(nextnode, ilp->ili_data, sizeof(*nextnode)); + if (err != 0) + err = EFAULT; + break; + } + + return err; +} + + +void fr_htable_iterderef(otype, unit, data) +u_int otype; +int unit; +void *data; +{ + + if (data == NULL) + return; + + if (unit < 0 || unit > IPL_LOGMAX) + return; + + switch (otype) + { + case IPFLOOKUPITER_LIST : + 
WRITE_ENTER(&ip_poolrw); + fr_derefhtable((iphtable_t *)data); + RWLOCK_EXIT(&ip_poolrw); + break; + + case IPFLOOKUPITER_NODE : + WRITE_ENTER(&ip_poolrw); + fr_derefhtent((iphtent_t *)data); + RWLOCK_EXIT(&ip_poolrw); + break; + default : + break; + } +} + #endif /* IPFILTER_LOOKUP */ diff --git a/sys/contrib/ipfilter/netinet/ip_htable.h b/sys/contrib/ipfilter/netinet/ip_htable.h index ebee58d7525f..2c0881230117 100644 --- a/sys/contrib/ipfilter/netinet/ip_htable.h +++ b/sys/contrib/ipfilter/netinet/ip_htable.h @@ -5,10 +5,12 @@ typedef struct iphtent_s { struct iphtent_s *ipe_next, **ipe_pnext; + struct iphtent_s *ipe_hnext, **ipe_phnext; void *ipe_ptr; i6addr_t ipe_addr; i6addr_t ipe_mask; int ipe_ref; + int ipe_unit; union { char ipeu_char[16]; u_long ipeu_long; @@ -26,6 +28,7 @@ typedef struct iphtable_s { ipfrwlock_t iph_rwlock; struct iphtable_s *iph_next, **iph_pnext; struct iphtent_s **iph_table; + struct iphtent_s *iph_list; size_t iph_size; /* size of hash table */ u_long iph_seed; /* hashing seed */ u_32_t iph_flags; @@ -39,6 +42,7 @@ typedef struct iphtable_s { /* iph_type */ #define IPHASH_LOOKUP 0 #define IPHASH_GROUPMAP 1 +#define IPHASH_DELETE 2 #define IPHASH_ANON 0x80000000 
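Review bot: In fr_htable_getnext the second `switch (ilp->ili_otype)` has no `default :` even though the first one does; it is unreachable for other values only because the first switch already set EINVAL, and every other switch in this file carries a default. The COPYOUT calls copy the complete in-kernel iphtable_t / iphtent_t to user space, link pointers (iph_next, iph_table, iph_rwlock, ipe_ptr, ipe_hnext) included; that matches how the other lookup ioctls export objects, but a header comment should say so: `/* Exports the raw kernel object, link pointers included; callers must not treat it as a sanitised view. */`. `ilp->ili_nitems` is never read in this function, so exactly one object is returned per call regardless of what the caller asked for — if that is intended the field comment in ip_lookup.h should say so. fr_htable_getnext and fr_htable_iterderef also lack the Function/Returns/Parameters header block used throughout the file.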
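Review bot: `IPHASH_DELETE 2` is added under the `/* iph_type */` group next to IPHASH_LOOKUP and IPHASH_GROUPMAP, but every use in ip_htable.c tests and sets it in `iph_flags`, never in `iph_type`, so it reads as a third table type. Give it its own group, `/* iph_flags */` followed by `#define IPHASH_DELETE 2`, and note that IPHASH_ANON remains shared between iph_type and iplo_arg; that keeps `iph_type & ~IPHASH_ANON` in fr_delhtent from looking as if it could ever yield IPHASH_DELETE.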
@@ -53,17 +57,22 @@ typedef struct iphtstat_s { extern iphtable_t *ipf_htables[IPL_LOGSIZE]; +extern iphtable_t *fr_existshtable __P((int, char *)); +extern int fr_clearhtable __P((iphtable_t *)); extern void fr_htable_unload __P((void)); extern int fr_newhtable __P((iplookupop_t *)); extern iphtable_t *fr_findhtable __P((int, char *)); -extern int fr_removehtable __P((iplookupop_t *)); +extern int fr_removehtable __P((int, char *)); extern size_t fr_flushhtable __P((iplookupflush_t *)); extern int fr_addhtent __P((iphtable_t *, iphtent_t *)); extern int fr_delhtent __P((iphtable_t *, iphtent_t *)); -extern void fr_derefhtable __P((iphtable_t *)); -extern void fr_delhtable __P((iphtable_t *)); +extern int fr_derefhtable __P((iphtable_t *)); +extern int fr_derefhtent __P((iphtent_t *)); +extern int fr_delhtable __P((iphtable_t *)); extern void *fr_iphmfindgroup __P((void *, void *)); extern int fr_iphmfindip __P((void *, int, void *)); extern int fr_gethtablestat __P((iplookupop_t *)); +extern int fr_htable_getnext __P((ipftoken_t *, ipflookupiter_t *)); +extern void fr_htable_iterderef __P((u_int, int, void *)); #endif /* __IP_HTABLE_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c b/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c index 93cf070c8b72..e88a6b98b514 100644 --- a/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c @@ -6,7 +6,7 @@ * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ipsec_pxy.c,v 2.20.2.7 2005/08/20 13:48:22 darrenr Exp $ + * $Id: ip_ipsec_pxy.c,v 2.20.2.8 2006/07/14 06:12:14 darrenr Exp $ * */ #define IPF_IPSEC_PROXY @@ -177,7 +177,7 @@ nat_t *nat; ipsec->ipsc_state = fr_addstate(&fi, &ipsec->ipsc_state, SI_WILDP); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_p = p & 0xff; return 0; 
@@ -256,7 +256,7 @@ nat_t *nat; &ipsec->ipsc_state, SI_WILDP); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_p = p; } diff --git a/sys/contrib/ipfilter/netinet/ip_irc_pxy.c b/sys/contrib/ipfilter/netinet/ip_irc_pxy.c index 0aa571024c22..5bb252a25dac 100644 --- a/sys/contrib/ipfilter/netinet/ip_irc_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_irc_pxy.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_irc_pxy.c,v 2.39.2.5 2005/12/04 23:39:27 darrenr Exp $ + * $Id: ip_irc_pxy.c,v 2.39.2.6 2006/07/14 06:12:14 darrenr Exp $ */ #define IPF_IRC_PROXY @@ -415,7 +415,7 @@ nat_t *nat; (void) fr_addstate(&fi, NULL, SI_W_DPORT); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_src = swip; } diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 83dcb70331d8..863cc9c058e2 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c +++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * $FreeBSD$ - * Id: ip_log.c,v 2.75.2.11 2006/03/26 13:50:47 darrenr Exp $ + * Id: ip_log.c,v 2.75.2.19 2007/09/09 11:32:06 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) @@ -17,7 +17,11 @@ #endif #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ defined(_KERNEL) -# include "opt_ipfilter_log.h" +# if (__NetBSD_Version__ < 399001400) +# include "opt_ipfilter_log.h" +# else +# include "opt_ipfilter.h" +# endif #endif #if defined(__FreeBSD__) && !defined(IPFILTER_LKM) # if defined(_KERNEL) @@ -48,7 +52,8 @@ struct file; # undef _KERNEL # undef KERNEL #endif -#if __FreeBSD_version >= 220000 && defined(_KERNEL) +#if (defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)) && \ + defined(_KERNEL) # include # include #else 
@@ -57,14 +62,14 @@ struct file; #include #if defined(_KERNEL) # include -# if defined(NetBSD) && (__NetBSD_Version__ >= 104000000) +# if (defined(NetBSD) && (__NetBSD_Version__ >= 104000000)) # include # endif #endif /* _KERNEL */ #if !SOLARIS && !defined(__hpux) && !defined(linux) -# if (defined(NetBSD) && NetBSD > 199609) || \ - (defined(OpenBSD) && OpenBSD > 199603) || \ - (__FreeBSD_version >= 300000) +# if (defined(NetBSD) && (NetBSD > 199609)) || \ + (defined(OpenBSD) && (OpenBSD > 199603)) || \ + (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)) # include # else # include @@ -148,12 +153,11 @@ iplog_select_t iplog_ss[IPL_LOGMAX+1]; extern int selwait; # endif /* IPL_SELECT */ -extern struct selinfo ipfselwait[IPL_LOGSIZE]; # if defined(linux) && defined(_KERNEL) wait_queue_head_t iplh_linux[IPL_LOGSIZE]; # endif -# if SOLARIS +# if SOLARIS && defined(_KERNEL) extern kcondvar_t iplwait; extern struct pollhead iplpollhead[IPL_LOGSIZE]; # endif @@ -162,7 +166,6 @@ iplog_t **iplh[IPL_LOGSIZE], *iplt[IPL_LOGSIZE], *ipll[IPL_LOGSIZE]; int iplused[IPL_LOGSIZE]; static fr_info_t iplcrc[IPL_LOGSIZE]; int ipl_suppress = 1; -int ipl_buffer_sz; int ipl_logmax = IPL_LOGMAX; int ipl_logall = 0; int ipl_log_init = 0; @@ -259,16 +262,23 @@ u_int flags; ipflog_t ipfl; u_char p; mb_t *m; -# if (SOLARIS || defined(__hpux)) && defined(_KERNEL) +# if (SOLARIS || defined(__hpux)) && defined(_KERNEL) && \ + !defined(_INET_IP_STACK_H) qif_t *ifp; # else struct ifnet *ifp; # endif /* SOLARIS || __hpux */ - ipfl.fl_nattag.ipt_num[0] = 0; m = fin->fin_m; + if (m == NULL) + return -1; + + ipfl.fl_nattag.ipt_num[0] = 0; ifp = fin->fin_ifp; - hlen = fin->fin_hlen; + if (fin->fin_exthdr != NULL) + hlen = (char *)fin->fin_dp - (char *)fin->fin_ip; + else + hlen = fin->fin_hlen; /* * calculate header size. */ 
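Review bot: The new `hlen = (char *)fin->fin_dp - (char *)fin->fin_ip;` in ipflog is meaningful only if fin_dp and fin_ip point into the same contiguous buffer; if the transport header sits in a later mbuf of the chain the subtraction spans two objects, is undefined in C, and leaves hlen as garbage that then sizes the header copy below. If the surrounding code guarantees the extension headers have been pulled up into the first mbuf, state it: `/* fin_exthdr != NULL: IPv6 with extension headers; fin_dp points at the transport header inside the same contiguous buffer, so log everything up to it. */`; otherwise bound hlen against the mbuf length before use. The added `if (m == NULL) return -1;` is sound; how the caller treats -1 is outside the hunk.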
@@ -329,14 +339,16 @@ u_int flags; * Get the interface number and name to which this packet is * currently associated. */ -# if (SOLARIS || defined(__hpux)) && defined(_KERNEL) +# if (SOLARIS || defined(__hpux)) && defined(_KERNEL) && \ + !defined(_INET_IP_STACK_H) ipfl.fl_unit = (u_int)ifp->qf_ppa; - COPYIFNAME(ifp, ipfl.fl_ifname); + COPYIFNAME(fin->fin_v, ifp, ipfl.fl_ifname); # else # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) - COPYIFNAME(ifp, ipfl.fl_ifname); + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \ + (SOLARIS && defined(_INET_IP_STACK_H)) + COPYIFNAME(fin->fin_v, ifp, ipfl.fl_ifname); # else ipfl.fl_unit = (u_int)ifp->if_unit; # if defined(_KERNEL) @@ -345,7 +357,7 @@ u_int flags; if ((ipfl.fl_ifname[2] = ifp->if_name[2])) ipfl.fl_ifname[3] = ifp->if_name[3]; # else - (void) strncpy(ipfl.fl_ifname, IFNAME(ifp), sizeof(ipfl.fl_ifname)); + COPYIFNAME(fin->fin_v, ifp, ipfl.fl_ifname); ipfl.fl_ifname[sizeof(ipfl.fl_ifname) - 1] = '\0'; # endif # endif @@ -421,7 +433,7 @@ void **items; size_t *itemsz; int *types, cnt; { - caddr_t buf, ptr; + u_char *buf, *ptr; iplog_t *ipl; size_t len; int i; @@ -458,7 +470,7 @@ int *types, cnt; * check that we have space to record this information and can * allocate that much. */ - KMALLOCS(buf, caddr_t, len); + KMALLOCS(buf, u_char *, len); if (buf == NULL) return -1; SPL_NET(s); @@ -497,7 +509,7 @@ int *types, cnt; if (types[i] == 0) { bcopy(items[i], ptr, itemsz[i]); } else if (types[i] == 1) { - COPYDATA(items[i], 0, itemsz[i], ptr); + COPYDATA(items[i], 0, itemsz[i], (char *)ptr); } ptr += itemsz[i]; } @@ -622,7 +634,7 @@ struct uio *uio; iplused[unit] -= dlen; MUTEX_EXIT(&ipl_mutex); SPL_X(s); - error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio); + error = UIOMOVE(ipl, dlen, UIO_READ, uio); if (error) { SPL_NET(s); MUTEX_ENTER(&ipl_mutex); 
@@ -632,7 +644,7 @@ struct uio *uio; break; } MUTEX_ENTER(&ipl_mutex); - KFREES((caddr_t)ipl, dlen); + KFREES(ipl, dlen); SPL_NET(s); } if (!iplt[unit]) { @@ -665,7 +677,7 @@ minor_t unit; MUTEX_ENTER(&ipl_mutex); while ((ipl = iplt[unit]) != NULL) { iplt[unit] = ipl->ipl_next; - KFREES((caddr_t)ipl, ipl->ipl_dsize); + KFREES(ipl, ipl->ipl_dsize); } iplh[unit] = &iplt[unit]; ipll[unit] = NULL; diff --git a/sys/contrib/ipfilter/netinet/ip_lookup.c b/sys/contrib/ipfilter/netinet/ip_lookup.c index 3c7eb5f75c52..e33a6fe5cbe0 100644 --- a/sys/contrib/ipfilter/netinet/ip_lookup.c +++ b/sys/contrib/ipfilter/netinet/ip_lookup.c @@ -34,9 +34,6 @@ struct file; #endif #include #if (defined(__osf__) || defined(AIX) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL) -# ifdef __osf__ -# include -# endif # include "radix_ipf_local.h" # define _RADIX_H_ #endif @@ -61,7 +58,7 @@ struct file; /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.8 2005/11/13 15:35:45 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.19 2007/10/11 09:05:51 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP @@ -73,6 +70,8 @@ static int iplookup_addtable __P((caddr_t)); static int iplookup_deltable __P((caddr_t)); static int iplookup_stats __P((caddr_t)); static int iplookup_flush __P((caddr_t)); +static int iplookup_iterate __P((void *, int, void *)); +static int iplookup_deltok __P((void *, int, void *)); /* ------------------------------------------------------------------------ */ @@ -129,10 +128,11 @@ void ip_lookup_unload() /* involves just calling another function to handle the specifics of each */ /* command. */ /* ------------------------------------------------------------------------ */ -int ip_lookup_ioctl(data, cmd, mode) +int ip_lookup_ioctl(data, cmd, mode, uid, ctx) caddr_t data; ioctlcmd_t cmd; -int mode; +int mode, uid; +void *ctx; { int err; SPL_INT(s); 
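Review bot: ip_lookup_ioctl gains the `uid` and `ctx` parameters but the Function header block above it (its Parameters lines are outside the hunk) is not updated; add the two lines the commit itself uses for iplookup_iterate, `/* uid(I) - uid of caller */` and `/* ctx(I) - pointer to give the uid context */`. The `#else /* IPFILTER_LOOKUP */` stub later in the file receives the same signature, so only the comment is out of step.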
@@ -182,6 +182,14 @@ int mode; RWLOCK_EXIT(&ip_poolrw); break; + case SIOCLOOKUPITER : + err = iplookup_iterate(data, uid, ctx); + break; + + case SIOCIPFDELTOK : + err = iplookup_deltok(data, uid, ctx); + break; + default : err = EINVAL; break; @@ -210,8 +218,13 @@ caddr_t data; ip_pool_t *p; int err; - err = 0; - BCOPYIN(data, &op, sizeof(op)); + err = BCOPYIN(data, &op, sizeof(op)); + if (err != 0) + return EFAULT; + + if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) + return EINVAL; + op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; switch (op.iplo_type) @@ -280,8 +293,12 @@ caddr_t data; ip_pool_t *p; int err; - err = 0; - BCOPYIN(data, &op, sizeof(op)); + err = BCOPYIN(data, &op, sizeof(op)); + if (err != 0) + return EFAULT; + + if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) + return EINVAL; op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; @@ -341,8 +358,12 @@ caddr_t data; iplookupop_t op; int err; - err = 0; - BCOPYIN(data, &op, sizeof(op)); + err = BCOPYIN(data, &op, sizeof(op)); + if (err != 0) + return EFAULT; + + if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) + return EINVAL; op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; @@ -371,8 +392,10 @@ caddr_t data; * For anonymous pools, copy back the operation struct because in the * case of success it will contain the new table's name. */ - if ((err == 0) && ((op.iplo_arg & IPOOL_ANON) != 0)) { - BCOPYOUT(&op, data, sizeof(op)); + if ((err == 0) && ((op.iplo_arg & LOOKUP_ANON) != 0)) { + err = BCOPYOUT(&op, data, sizeof(op)); + if (err != 0) + err = EFAULT; } return err; 
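Review bot: The `op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX` test added in the three hunks on this line is the only bounds check before fr_newhtable indexes `ipht_nomem[op->iplo_unit]` and `ipf_htables[unit]` with the user-supplied value, so it is load-bearing rather than cosmetic; a one-line comment at the first occurrence would keep it from being removed as redundant: `/* iplo_unit indexes per-unit arrays in the callees, which do not re-check it */`. iplookup_iterate (later hunk) performs only the upper-bound half of this check and relies on ili_unit being u_char for the lower bound, which is worth stating there too.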
@@ -393,11 +416,14 @@ caddr_t data; iplookupop_t op; int err; - BCOPYIN(data, &op, sizeof(op)); - op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; + err = BCOPYIN(data, &op, sizeof(op)); + if (err != 0) + return EFAULT; - if (op.iplo_arg & IPLT_ANON) - op.iplo_arg &= IPLT_ANON; + if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) + return EINVAL; + + op.iplo_name[sizeof(op.iplo_name) - 1] = '\0'; /* * create a new pool - fail if one already exists with @@ -406,11 +432,11 @@ caddr_t data; switch (op.iplo_type) { case IPLT_POOL : - err = ip_pool_destroy(&op); + err = ip_pool_destroy(op.iplo_unit, op.iplo_name); break; case IPLT_HASH : - err = fr_removehtable(&op); + err = fr_removehtable(op.iplo_unit, op.iplo_name); break; default : @@ -434,8 +460,12 @@ caddr_t data; iplookupop_t op; int err; - err = 0; - BCOPYIN(data, &op, sizeof(op)); + err = BCOPYIN(data, &op, sizeof(op)); + if (err != 0) + return EFAULT; + + if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) + return EINVAL; switch (op.iplo_type) { @@ -469,15 +499,16 @@ caddr_t data; int err, unit, num, type; iplookupflush_t flush; - err = 0; - BCOPYIN(data, &flush, sizeof(flush)); - - flush.iplf_name[sizeof(flush.iplf_name) - 1] = '\0'; + err = BCOPYIN(data, &flush, sizeof(flush)); + if (err != 0) + return EFAULT; unit = flush.iplf_unit; if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPLT_ALL)) return EINVAL; + flush.iplf_name[sizeof(flush.iplf_name) - 1] = '\0'; + type = flush.iplf_type; err = EINVAL; num = 0; 
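Review bot: The unit check in the flush handler admits `IPLT_ALL`, while fr_flushhtable in ip_htable.c (earlier hunk) selects tables with `op->iplf_unit == IPL_LOGALL`; unless those two macros have the same value, a flush of every unit is either rejected here or passes the check and matches nothing. Confirm they are equal or use one name in both places, e.g. `if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPL_LOGALL))`. Moving the `iplf_name` termination below the check is harmless since the name is not used on the EINVAL return.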
@@ -494,12 +525,23 @@ caddr_t data; if (err == 0) { flush.iplf_count = num; - err = COPYOUT(&flush, data, sizeof(flush)); + err = BCOPYOUT(&flush, data, sizeof(flush)); + if (err != 0) + err = EFAULT; } return err; } +/* ------------------------------------------------------------------------ */ +/* Function: ip_lookup_delref */ +/* Returns: void */ +/* Parameters: type(I) - table type to operate on */ +/* ptr(I) - pointer to object to remove reference for */ +/* */ +/* This function organises calling the correct deref function for a given */ +/* type of object being passed into it. */ +/* ------------------------------------------------------------------------ */ void ip_lookup_deref(type, ptr) int type; void *ptr; 
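Review bot: The new header block names the function `ip_lookup_delref` but the definition under it is `ip_lookup_deref`; change the line to `/* Function: ip_lookup_deref */` so grep and the other headers in this file agree. The `type(I)` line could also list the accepted values once the body, which lies outside the hunk, is confirmed to switch on IPLT_POOL / IPLT_HASH.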
@@ -522,13 +564,131 @@ void *ptr; } +/* ------------------------------------------------------------------------ */ +/* Function: iplookup_iterate */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - pointer to data from ioctl call */ +/* uid(I) - uid of caller */ +/* ctx(I) - pointer to give the uid context */ +/* */ +/* Decodes ioctl request to step through either hash tables or pools. */ +/* ------------------------------------------------------------------------ */ +static int iplookup_iterate(data, uid, ctx) +void *data; +int uid; +void *ctx; +{ + ipflookupiter_t iter; + ipftoken_t *token; + int err; + SPL_INT(s); + + err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER); + if (err != 0) + return err; + + if (iter.ili_unit > IPL_LOGMAX) + return EINVAL; + + if (iter.ili_ival != IPFGENITER_LOOKUP) + return EINVAL; + + SPL_SCHED(s); + token = ipf_findtoken(iter.ili_key, uid, ctx); + if (token == NULL) { + RWLOCK_EXIT(&ipf_tokens); + SPL_X(s); + return ESRCH; + } + + switch (iter.ili_type) + { + case IPLT_POOL : + err = ip_pool_getnext(token, &iter); + break; + case IPLT_HASH : + err = fr_htable_getnext(token, &iter); + break; + default : + err = EINVAL; + break; + } + RWLOCK_EXIT(&ipf_tokens); + SPL_X(s); + + return err; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: iplookup_iterderef */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - pointer to data from ioctl call */ +/* */ +/* Decodes ioctl request to remove a particular hash table or pool and */ +/* calls the relevant function to do the cleanup. 
*/ +/* ------------------------------------------------------------------------ */ +void ip_lookup_iterderef(type, data) +u_32_t type; +void *data; +{ + iplookupiterkey_t key; + + key.ilik_key = type; + + if (key.ilik_unstr.ilik_ival != IPFGENITER_LOOKUP) + return; + + switch (key.ilik_unstr.ilik_type) + { + case IPLT_HASH : + fr_htable_iterderef((u_int)key.ilik_unstr.ilik_otype, + (int)key.ilik_unstr.ilik_unit, data); + break; + case IPLT_POOL : + ip_pool_iterderef((u_int)key.ilik_unstr.ilik_otype, + (int)key.ilik_unstr.ilik_unit, data); + break; + } +} + + +/* ------------------------------------------------------------------------ */ +/* Function: iplookup_deltok */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - pointer to data from ioctl call */ +/* uid(I) - uid of caller */ +/* ctx(I) - pointer to give the uid context */ +/* */ +/* Deletes the token identified by the combination of (type,uid,ctx) */ +/* "key" is a combination of the table type, iterator type and the unit for */ +/* which the token was being used. */ +/* ------------------------------------------------------------------------ */ +static int iplookup_deltok(data, uid, ctx) +void *data; +int uid; +void *ctx; +{ + int error, key; + SPL_INT(s); + + SPL_SCHED(s); + error = BCOPYIN(data, &key, sizeof(key)); + if (error == 0) + error = ipf_deltoken(key, uid, ctx); + SPL_X(s); + return error; +} + + #else /* IPFILTER_LOOKUP */ /*ARGSUSED*/ -int ip_lookup_ioctl(data, cmd, mode) +int ip_lookup_ioctl(data, cmd, mode, uid, ctx) caddr_t data; ioctlcmd_t cmd; -int mode; +int mode, uid; +void *ctx; { return EIO; } diff --git a/sys/contrib/ipfilter/netinet/ip_lookup.h b/sys/contrib/ipfilter/netinet/ip_lookup.h index 953dde1149f1..3886df16303d 100644 --- a/sys/contrib/ipfilter/netinet/ip_lookup.h +++ b/sys/contrib/ipfilter/netinet/ip_lookup.h 
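Review bot: iplookup_iterate copies the iterator from user space with fr_inobj and passes `iter.ili_name` straight to fr_htable_getnext and ip_pool_getnext, but unlike every other handler in this file it never forces a terminator with `iter.ili_name[sizeof(iter.ili_name) - 1] = '\0';`; if the name comparison in fr_existshtable is not bounded by FR_GROUPLEN, an unterminated name reads past the iterator on the kernel stack. Add that line after the `ili_ival` check. Separately, the header block written for ip_lookup_iterderef says `Function: iplookup_iterderef` and `Returns: int - 0 = success, else error` while the function is `void ip_lookup_iterderef`, and its switch on `ilik_type` has no `default :` unlike the other switches in the file.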
@@ -33,6 +33,9 @@ typedef struct iplookupop { void *iplo_struct; } iplookupop_t; +#define LOOKUP_ANON 0x80000000 + + typedef struct iplookupflush { int iplf_type; /* IPLT_* */ int iplf_unit; /* IPL_LOG* */ @@ -55,9 +58,38 @@ typedef struct iplookuplink { #define IPLT_ANON 0x80000000 + +typedef union { + struct iplookupiterkey { + char ilik_ival; + u_char ilik_type; /* IPLT_* */ + u_char ilik_otype; + u_char ilik_unit; /* IPL_LOG* */ + } ilik_unstr; + u_32_t ilik_key; +} iplookupiterkey_t; + +typedef struct ipflookupiter { + int ili_nitems; + iplookupiterkey_t ili_lkey; + char ili_name[FR_GROUPLEN]; + void *ili_data; +} ipflookupiter_t; + +#define ili_key ili_lkey.ilik_key +#define ili_ival ili_lkey.ilik_unstr.ilik_ival +#define ili_unit ili_lkey.ilik_unstr.ilik_unit +#define ili_type ili_lkey.ilik_unstr.ilik_type +#define ili_otype ili_lkey.ilik_unstr.ilik_otype + +#define IPFLOOKUPITER_LIST 0 +#define IPFLOOKUPITER_NODE 1 + + extern int ip_lookup_init __P((void)); -extern int ip_lookup_ioctl __P((caddr_t, ioctlcmd_t, int)); +extern int ip_lookup_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *)); extern void ip_lookup_unload __P((void)); extern void ip_lookup_deref __P((int, void *)); +extern void ip_lookup_iterderef __P((u_32_t, void *)); #endif /* __IP_LOOKUP_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index 063f557f493e..a6963213a0a5 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -16,9 +16,17 @@ #include #include #include +#if defined(_KERNEL) && defined(__NetBSD_Version__) && \ + (__NetBSD_Version__ >= 399002000) +# include +#endif #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ defined(_KERNEL) -# include "opt_ipfilter_log.h" +#if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 399001400) +# include "opt_ipfilter_log.h" +# else +# include "opt_ipfilter.h" +# endif #endif #if !defined(_KERNEL) # include 
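Review bot: `LOOKUP_ANON 0x80000000` is defined a few lines above `IPLT_ANON 0x80000000` in the same header, and ip_htable.h carries `IPHASH_ANON` with the same value; the table-creation handler in ip_lookup.c now tests `op.iplo_arg & LOOKUP_ANON` while fr_newhtable tests the same field with `IPHASH_ANON`. One name for the iplo_arg bit, with a comment `/* iplo_arg: create an anonymous (auto-named) table */`, would stop three names for one bit from drifting apart.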
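Review bot: In the NetBSD include block of ip_nat.c, the new `#if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 399001400)` sits at column 0 while its `# else` and `# endif` are indented one level, and the equivalent block added to ip_log.c in this commit uses `# if`; write it as `# if` here so the nesting reads consistently.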
@@ -110,7 +118,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; static const char rcsid[] = "@(#)$FreeBSD$"; -/* static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.56 2006/04/01 10:15:34 darrenr Exp $";*/ +/* static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.102 2007/10/16 10:08:10 darrenr Exp $"; */ #endif @@ -148,14 +156,17 @@ u_int fr_nat_maxbucket = 0, fr_nat_maxbucket_reset = 1; u_32_t nat_masks = 0; u_32_t rdr_masks = 0; +u_long nat_last_force_flush = 0; ipnat_t **nat_rules = NULL; ipnat_t **rdr_rules = NULL; -hostmap_t **maptable = NULL; +hostmap_t **ipf_hm_maptable = NULL; +hostmap_t *ipf_hm_maplist = NULL; ipftq_t nat_tqb[IPF_TCP_NSTATES]; ipftq_t nat_udptq; ipftq_t nat_icmptq; ipftq_t nat_iptq; ipftq_t *nat_utqe = NULL; +int fr_nat_doflush = 0; #ifdef IPFILTER_LOG int nat_logging = 1; #else 
@@ -168,27 +179,28 @@ u_long fr_defnatage = DEF_NAT_AGE, natstat_t nat_stats; int fr_nat_lock = 0; int fr_nat_init = 0; -#if SOLARIS +#if SOLARIS && !defined(_INET_IP_STACK_H) extern int pfil_delayed_copy; #endif +static int nat_flush_entry __P((void *)); static int nat_flushtable __P((void)); static int nat_clearlist __P((void)); static void nat_addnat __P((struct ipnat *)); static void nat_addrdr __P((struct ipnat *)); -static void nat_delete __P((struct nat *, int)); static void nat_delrdr __P((struct ipnat *)); static void nat_delnat __P((struct ipnat *)); -static int fr_natgetent __P((caddr_t)); -static int fr_natgetsz __P((caddr_t)); +static int fr_natgetent __P((caddr_t, int)); +static int fr_natgetsz __P((caddr_t, int)); static int fr_natputent __P((caddr_t, int)); +static int nat_extraflush __P((int)); +static int nat_gettable __P((char *)); static void nat_tabmove __P((nat_t *)); static int nat_match __P((fr_info_t *, ipnat_t *)); static INLINE int nat_newmap __P((fr_info_t *, nat_t *, natinfo_t *)); static INLINE int nat_newrdr __P((fr_info_t *, nat_t *, natinfo_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr, struct in_addr, u_32_t)); -static void nat_hostmapdel __P((struct hostmap *)); static int nat_icmpquerytype4 __P((int)); static int nat_siocaddnat __P((ipnat_t *, ipnat_t **, int)); static void nat_siocdelnat __P((ipnat_t *, ipnat_t **, int)); @@ -198,6 +210,8 @@ static int nat_resolverule __P((ipnat_t *)); static nat_t *fr_natclone __P((fr_info_t *, nat_t *)); static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *)); static int nat_wildok __P((nat_t *, int, int, int, int)); +static int nat_getnext __P((ipftoken_t *, ipfgeniter_t *)); +static int nat_iterator __P((ipftoken_t *, ipfgeniter_t *)); /* ------------------------------------------------------------------------ */ 
@@ -235,11 +249,14 @@ int fr_natinit() else return -4; - KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz); - if (maptable != NULL) - bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz); + KMALLOCS(ipf_hm_maptable, hostmap_t **, \ + sizeof(hostmap_t *) * ipf_hostmap_sz); + if (ipf_hm_maptable != NULL) + bzero((char *)ipf_hm_maptable, + sizeof(hostmap_t *) * ipf_hostmap_sz); else return -5; + ipf_hm_maplist = NULL; KMALLOCS(nat_stats.ns_bucketlen[0], u_long *, ipf_nattable_sz * sizeof(u_long)); @@ -439,7 +456,7 @@ u_32_t port; hv += src.s_addr; hv += dst.s_addr; hv %= HOSTMAP_SIZE; - for (hm = maptable[hv]; hm; hm = hm->hm_next) + for (hm = ipf_hm_maptable[hv]; hm; hm = hm->hm_next) if ((hm->hm_srcip.s_addr == src.s_addr) && (hm->hm_dstip.s_addr == dst.s_addr) && ((np == NULL) || (np == hm->hm_ipnat)) && @@ -453,11 +470,16 @@ u_32_t port; KMALLOC(hm, hostmap_t *); if (hm) { - hm->hm_next = maptable[hv]; - hm->hm_pnext = maptable + hv; - if (maptable[hv] != NULL) - maptable[hv]->hm_pnext = &hm->hm_next; - maptable[hv] = hm; + hm->hm_next = ipf_hm_maplist; + hm->hm_pnext = &ipf_hm_maplist; + if (ipf_hm_maplist != NULL) + ipf_hm_maplist->hm_pnext = &hm->hm_next; + ipf_hm_maplist = hm; + hm->hm_hnext = ipf_hm_maptable[hv]; + hm->hm_phnext = ipf_hm_maptable + hv; + if (ipf_hm_maptable[hv] != NULL) + ipf_hm_maptable[hv]->hm_phnext = &hm->hm_hnext; + ipf_hm_maptable[hv] = hm; hm->hm_ipnat = np; hm->hm_srcip = src; hm->hm_dstip = dst; 
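Review bot: The `KMALLOCS(ipf_hm_maptable, hostmap_t **, \` line ends with a backslash continuation inside an ordinary statement rather than a macro definition; it is legal but serves no purpose, some compilers warn about it, and the following line continues the argument list without it, so drop the `\`. The bzero call just below wraps without one and is the form to keep.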
@@ -470,19 +492,27 @@ u_32_t port; /* ------------------------------------------------------------------------ */ -/* Function: nat_hostmapdel */ +/* Function: fr_hostmapdel */ /* Returns: Nil */ -/* Parameters: hm(I) - pointer to hostmap structure */ +/* Parameters: hmp(I) - pointer to hostmap structure pointer */ /* Write Locks: ipf_nat */ /* */ /* Decrement the references to this hostmap structure by one. If this */ /* reaches zero then remove it and free it. */ /* ------------------------------------------------------------------------ */ -static void nat_hostmapdel(hm) -struct hostmap *hm; +void fr_hostmapdel(hmp) +struct hostmap **hmp; { + struct hostmap *hm; + + hm = *hmp; + *hmp = NULL; + hm->hm_ref--; if (hm->hm_ref == 0) { + if (hm->hm_hnext) + hm->hm_hnext->hm_phnext = hm->hm_phnext; + *hm->hm_phnext = hm->hm_hnext; if (hm->hm_next) hm->hm_next->hm_pnext = hm->hm_pnext; *hm->hm_pnext = hm->hm_next; @@ -612,18 +642,30 @@ u_32_t n; /* */ /* Processes an ioctl call made to operate on the IP Filter NAT device. */ /* ------------------------------------------------------------------------ */ -int fr_nat_ioctl(data, cmd, mode) +int fr_nat_ioctl(data, cmd, mode, uid, ctx) ioctlcmd_t cmd; caddr_t data; -int mode; +int mode, uid; +void *ctx; { ipnat_t *nat, *nt, *n = NULL, **np = NULL; int error = 0, ret, arg, getlock; ipnat_t natd; + SPL_INT(s); #if (BSD >= 199306) && defined(_KERNEL) - if ((securelevel >= 3) && (mode & FWRITE)) +# if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 399002000) + if ((mode & FWRITE) && + kauth_authorize_network(curlwp->l_cred, KAUTH_NETWORK_FIREWALL, + KAUTH_REQ_NETWORK_FIREWALL_FW, + NULL, NULL, NULL)) { return EPERM; + } +# else + if ((securelevel >= 3) && (mode & FWRITE)) { + return EPERM; + } +# endif #endif #if defined(__osf__) && defined(_KERNEL) 
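Review bot: The new kauth check in fr_nat_ioctl, like the securelevel test it replaces, runs only when `mode & FWRITE`, so read-only opens are never authorised here and depend on the device node permissions alone; a comment on the `#if (BSD >= 199306)` block, `/* Only modifying ioctls are gated here; read access relies on device permissions. */`, would save the next reader from assuming kauth covers every request. The Function header above (outside the hunk) also needs the `uid(I)` and `ctx(I)` parameter lines this commit adds to the ip_lookup.c handlers.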
@@ -646,9 +688,6 @@ int mode; } else { error = fr_inobj(data, &natd, IPFOBJ_IPNAT); } - - } else if (cmd == (ioctlcmd_t)SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */ - BCOPYIN(data, &arg, sizeof(arg)); } if (error != 0) @@ -670,9 +709,13 @@ int mode; } MUTEX_ENTER(&ipf_natio); for (np = &nat_list; ((n = *np) != NULL); np = &n->in_next) - if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, - IPN_CMPSIZ)) + if (bcmp((char *)&nat->in_flags, (char *)&n->in_flags, + IPN_CMPSIZ) == 0) { + if (nat->in_redir == NAT_REDIRECT && + nat->in_pnext != n->in_pnext) + continue; break; + } } switch (cmd) @@ -686,25 +729,37 @@ int mode; error = EPERM; else { tmp = ipflog_clear(IPL_LOGNAT); - BCOPYOUT((char *)&tmp, (char *)data, sizeof(tmp)); + error = BCOPYOUT((char *)&tmp, (char *)data, + sizeof(tmp)); + if (error != 0) + error = EFAULT; } break; } + case SIOCSETLG : if (!(mode & FWRITE)) error = EPERM; else { - BCOPYIN((char *)data, (char *)&nat_logging, - sizeof(nat_logging)); + error = BCOPYIN((char *)data, (char *)&nat_logging, + sizeof(nat_logging)); + if (error != 0) + error = EFAULT; } break; + case SIOCGETLG : - BCOPYOUT((char *)&nat_logging, (char *)data, - sizeof(nat_logging)); + error = BCOPYOUT((char *)&nat_logging, (char *)data, + sizeof(nat_logging)); + if (error != 0) + error = EFAULT; break; + case FIONREAD : arg = iplused[IPL_LOGNAT]; - BCOPYOUT(&arg, data, sizeof(arg)); + error = BCOPYOUT(&arg, data, sizeof(arg)); + if (error != 0) + error = EFAULT; break; #endif case SIOCADNAT : @@ -725,6 +780,7 @@ int mode; if (error == 0) nt = NULL; break; + case SIOCRMNAT : if (!(mode & FWRITE)) { error = EPERM; 
@@ -742,11 +798,13 @@ int mode; MUTEX_EXIT(&ipf_natio); n = NULL; break; + case SIOCGNATS : nat_stats.ns_table[0] = nat_table[0]; nat_stats.ns_table[1] = nat_table[1]; nat_stats.ns_list = nat_list; - nat_stats.ns_maptable = maptable; + nat_stats.ns_maptable = ipf_hm_maptable; + nat_stats.ns_maplist = ipf_hm_maplist; nat_stats.ns_nattab_sz = ipf_nattable_sz; nat_stats.ns_nattab_max = ipf_nattable_max; nat_stats.ns_rultab_sz = ipf_natrules_sz; @@ -754,28 +812,34 @@ int mode; nat_stats.ns_hostmap_sz = ipf_hostmap_sz; nat_stats.ns_instances = nat_instances; nat_stats.ns_apslist = ap_sess_list; + nat_stats.ns_ticks = fr_ticks; error = fr_outobj(data, &nat_stats, IPFOBJ_NATSTAT); break; + case SIOCGNATL : { natlookup_t nl; - if (getlock) { - READ_ENTER(&ipf_nat); - } error = fr_inobj(data, &nl, IPFOBJ_NATLOOKUP); if (error == 0) { - if (nat_lookupredir(&nl) != NULL) { + void *ptr; + + if (getlock) { + READ_ENTER(&ipf_nat); + } + ptr = nat_lookupredir(&nl); + if (getlock) { + RWLOCK_EXIT(&ipf_nat); + } + if (ptr != NULL) { error = fr_outobj(data, &nl, IPFOBJ_NATLOOKUP); } else { error = ESRCH; } } - if (getlock) { - RWLOCK_EXIT(&ipf_nat); - } break; } + case SIOCIPFFL : /* old SIOCFLNAT & SIOCCNATL */ if (!(mode & FWRITE)) { error = EPERM; 
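Review bot: In the SIOCGNATL case of the hunk at -754, `ptr` is declared `void *` only to remember whether nat_lookupredir() found something once the read lock is dropped; an `int found = (nat_lookupredir(&nl) != NULL);` inside the locked region says the same thing without discarding the return type. Moving fr_outobj() outside the lock is correct, since `nl` is a stack copy filled in under the lock. The case body is fully inside the hunk.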
@@ -784,30 +848,39 @@ int mode; if (getlock) { WRITE_ENTER(&ipf_nat); } - error = 0; - if (arg == 0) - ret = nat_flushtable(); - else if (arg == 1) - ret = nat_clearlist(); - else - error = EINVAL; + + error = BCOPYIN(data, &arg, sizeof(arg)); + if (error != 0) + error = EFAULT; + else { + if (arg == 0) + ret = nat_flushtable(); + else if (arg == 1) + ret = nat_clearlist(); + else + ret = nat_extraflush(arg); + } + if (getlock) { RWLOCK_EXIT(&ipf_nat); } if (error == 0) { - BCOPYOUT(&ret, data, sizeof(ret)); + error = BCOPYOUT(&ret, data, sizeof(ret)); } break; + case SIOCPROXY : - error = appr_ioctl(data, cmd, mode); + error = appr_ioctl(data, cmd, mode, ctx); break; + case SIOCSTLCK : if (!(mode & FWRITE)) { error = EPERM; } else { - fr_lock(data, &fr_nat_lock); + error = fr_lock(data, &fr_nat_lock); } break; + case SIOCSTPUT : if ((mode & FWRITE) != 0) { error = fr_natputent(data, getlock); 
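Review bot: The `BCOPYIN(data, &arg, sizeof(arg))` for SIOCIPFFL now runs after the `WRITE_ENTER(&ipf_nat)` in the context lines at the top of the hunk, so a copy from user space, which may fault, is done while the NAT write lock is held; the old code read `arg` before the switch (the BCOPYIN dropped in the hunk at -646), and nat_getnext in this same commit releases the lock before every copy to user space. Moving `error = BCOPYIN(data, &arg, sizeof(arg)); if (error != 0) error = EFAULT;` ahead of the `if (getlock)` block, and breaking out on error, restores that ordering. Separately, any `arg` other than 0 or 1 now goes to nat_extraflush(), which returns 0 without acting for values below 30 that match none of its cases, so the EINVAL the old code returned for such values is gone and the caller cannot distinguish an ignored request from a flush that removed nothing. The enclosing function continues outside the hunk.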
@@ -815,36 +888,64 @@ int mode; error = EACCES; } break; + case SIOCSTGSZ : if (fr_nat_lock) { - if (getlock) { - READ_ENTER(&ipf_nat); - } - error = fr_natgetsz(data); - if (getlock) { - RWLOCK_EXIT(&ipf_nat); - } + error = fr_natgetsz(data, getlock); } else error = EACCES; break; + case SIOCSTGET : if (fr_nat_lock) { - if (getlock) { - READ_ENTER(&ipf_nat); - } - error = fr_natgetent(data); - if (getlock) { - RWLOCK_EXIT(&ipf_nat); - } + error = fr_natgetent(data, getlock); } else error = EACCES; break; + + case SIOCGENITER : + { + ipfgeniter_t iter; + ipftoken_t *token; + + SPL_SCHED(s); + error = fr_inobj(data, &iter, IPFOBJ_GENITER); + if (error == 0) { + token = ipf_findtoken(iter.igi_type, uid, ctx); + if (token != NULL) { + error = nat_iterator(token, &iter); + } + RWLOCK_EXIT(&ipf_tokens); + } + SPL_X(s); + break; + } + + case SIOCIPFDELTOK : + error = BCOPYIN((caddr_t)data, (caddr_t)&arg, sizeof(arg)); + if (error == 0) { + SPL_SCHED(s); + error = ipf_deltoken(arg, uid, ctx); + SPL_X(s); + } else { + error = EFAULT; + } + break; + + case SIOCGTQTAB : + error = fr_outobj(data, nat_tqb, IPFOBJ_STATETQTAB); + break; + + case SIOCGTABL : + error = nat_gettable(data); + break; + default : error = EINVAL; break; } done: - if (nt) + if (nt != NULL) KFREE(nt); return error; } @@ -972,9 +1073,11 @@ int getlock; n->in_flags &= ~IPN_NOTSRC; nat_addnat(n); } + MUTEX_INIT(&n->in_lock, "ipnat rule lock"); + n = NULL; nat_stats.ns_rules++; -#if SOLARIS +#if SOLARIS && !defined(_INET_IP_STACK_H) pfil_delayed_copy = 0; #endif if (getlock) { @@ -1062,9 +1165,10 @@ int getlock; if (n->in_use == 0) { if (n->in_apr) appr_free(n->in_apr); + MUTEX_DESTROY(&n->in_lock); KFREE(n); nat_stats.ns_rules--; -#if SOLARIS +#if SOLARIS && !defined(_INET_IP_STACK_H) if (nat_stats.ns_rules == 0) pfil_delayed_copy = 1; #endif 
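Review bot: In the new SIOCGENITER case, `RWLOCK_EXIT(&ipf_tokens)` is executed whether or not ipf_findtoken() returned a token, which presumes that ipf_findtoken() returns with ipf_tokens read-locked on every path, including the NULL one; that contract is not visible here and deserves a comment on the exit line, e.g. `/* ipf_findtoken() returns with ipf_tokens held, even when no token is found */`, or a check against its implementation. The SIOCIPFDELTOK case does its BCOPYIN before SPL_SCHED, which is the right order. fr_nat_ioctl's body begins outside the hunk.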
@@ -1089,14 +1193,20 @@ int getlock; /* The size of the entry is stored in the ng_sz field and the enture natget */ /* structure is copied back to the user. */ /* ------------------------------------------------------------------------ */ -static int fr_natgetsz(data) +static int fr_natgetsz(data, getlock) caddr_t data; +int getlock; { ap_session_t *aps; nat_t *nat, *n; natget_t ng; - BCOPYIN(data, &ng, sizeof(ng)); + if (BCOPYIN(data, &ng, sizeof(ng)) != 0) + return EFAULT; + + if (getlock) { + READ_ENTER(&ipf_nat); + } nat = ng.ng_ptr; if (!nat) { @@ -1106,7 +1216,11 @@ caddr_t data; * Empty list so the size returned is 0. Simple. */ if (nat == NULL) { - BCOPYOUT(&ng, data, sizeof(ng)); + if (getlock) { + RWLOCK_EXIT(&ipf_nat); + } + if (BCOPYOUT(&ng, data, sizeof(ng)) != 0) + return EFAULT; return 0; } } else { @@ -1118,8 +1232,12 @@ caddr_t data; for (n = nat_instances; n; n = n->nat_next) if (n == nat) break; - if (!n) + if (n == NULL) { + if (getlock) { + RWLOCK_EXIT(&ipf_nat); + } return ESRCH; + } } /* @@ -1132,8 +1250,12 @@ caddr_t data; if (aps->aps_data != 0) ng.ng_sz += aps->aps_psiz; } + if (getlock) { + RWLOCK_EXIT(&ipf_nat); + } - BCOPYOUT(&ng, data, sizeof(ng)); + if (BCOPYOUT(&ng, data, sizeof(ng)) != 0) + return EFAULT; return 0; } @@ -1148,8 +1270,9 @@ caddr_t data; /* Copies out NAT entry to user space. Any additional data held for a */ /* proxy is also copied, as to is the NAT rule which was responsible for it */ /* ------------------------------------------------------------------------ */ -static int fr_natgetent(data) +static int fr_natgetent(data, getlock) caddr_t data; +int getlock; { int error, outsize; ap_session_t *aps; @@ -1167,6 +1290,10 @@ caddr_t data; if (ipn == NULL) return ENOMEM; + if (getlock) { + READ_ENTER(&ipf_nat); + } + ipn->ipn_dsize = ipns.ipn_dsize; nat = ipns.ipn_next; if (nat == NULL) { 
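Review bot: fr_natgetsz now releases the read lock in three separate places, each guarded by its own `if (getlock)`: before the empty-list copy-out in the hunk at -1106, before `return ESRCH` in the hunk at -1118, and before the final copy-out in the hunk at -1132. A single exit label that does `if (getlock) RWLOCK_EXIT(&ipf_nat);` and then the copy-out, with the body setting `error` and jumping to it, would make it harder for a future early return to leak the lock. The change itself is correct on the visible paths. The function starts in the hunk at -1089 and continues between the hunks.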
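Review bot: fr_natgetent takes `READ_ENTER(&ipf_nat)` right after the `ENOMEM` return in the hunk at -1167 and releases it either before fr_outobjsz() or at `finished:` in the hunk at -1237; the stretch of the function between those two hunks is not visible, so any bare `return` there that predates this change would now leave the read lock held, and every failure path in that stretch should be confirmed to reach `finished`. The `getlock = 0;` written before the copy-out, so that `finished:` does not unlock twice, deserves a one-line comment such as `/* drop the lock before the copy-out; finished: must not release it again */`. The function body spans several hunks.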
@@ -1237,10 +1364,17 @@ caddr_t data; error = ENOBUFS; } if (error == 0) { + if (getlock) { + RWLOCK_EXIT(&ipf_nat); + getlock = 0; + } error = fr_outobjsz(data, ipn, IPFOBJ_NATSAVE, ipns.ipn_dsize); } finished: + if (getlock) { + RWLOCK_EXIT(&ipf_nat); + } if (ipn != NULL) { KFREES(ipn, ipns.ipn_dsize); } @@ -1283,12 +1417,12 @@ int getlock; aps = NULL; nat = NULL; ipnn = NULL; + fr = NULL; /* * New entry, copy in the rest of the NAT entry if it's size is more * than just the nat_t structure. */ - fr = NULL; if (ipn.ipn_dsize > sizeof(ipn)) { if (ipn.ipn_dsize > 81920) { error = ENOMEM; @@ -1357,8 +1491,8 @@ int getlock; */ bzero((char *)&fin, sizeof(fin)); fin.fin_p = nat->nat_p; - fin.fin_ifp = nat->nat_ifps[0]; if (nat->nat_dir == NAT_OUTBOUND) { + fin.fin_ifp = nat->nat_ifps[0]; fin.fin_data[0] = ntohs(nat->nat_oport); fin.fin_data[1] = ntohs(nat->nat_outport); if (getlock) { @@ -1374,6 +1508,7 @@ int getlock; goto junkput; } } else if (nat->nat_dir == NAT_INBOUND) { + fin.fin_ifp = nat->nat_ifps[0]; fin.fin_data[0] = ntohs(nat->nat_outport); fin.fin_data[1] = ntohs(nat->nat_oport); if (getlock) { @@ -1501,7 +1636,7 @@ int getlock; junkput: if (fr != NULL) - fr_derefrule(&fr); + (void) fr_derefrule(&fr); if ((ipnn != NULL) && (ipnn != &ipn)) { KFREES(ipnn, ipn.ipn_dsize); 
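Review bot: In fr_natputent, `fin.fin_ifp = nat->nat_ifps[0];` moved from before the direction test into both the NAT_OUTBOUND branch (hunk at -1357) and the NAT_INBOUND branch (hunk at -1374), but both branches still assign index 0, so the only behavioural effect is that `fin_ifp` stays NULL for any other nat_dir value. If the inbound branch was meant to use `nat_ifps[1]`, this is a copy slip; if not, the duplicated assignment says less than the single one it replaced, and a comment on why index 0 serves both directions would help. The function continues outside both hunks.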
@@ -1534,22 +1669,23 @@ junkput: /* Delete a nat entry from the various lists and table. If NAT logging is */ /* enabled then generate a NAT log record for this event. */ /* ------------------------------------------------------------------------ */ -static void nat_delete(nat, logtype) +void nat_delete(nat, logtype) struct nat *nat; int logtype; { struct ipnat *ipn; + int removed = 0; if (logtype != 0 && nat_logging != 0) nat_log(nat, logtype); - MUTEX_ENTER(&ipf_nat_new); - /* * Take it as a general indication that all the pointers are set if * nat_pnext is set. */ if (nat->nat_pnext != NULL) { + removed = 1; + nat_stats.ns_bucketlen[0][nat->nat_hv[0]]--; nat_stats.ns_bucketlen[1][nat->nat_hv[1]]--; @@ -1583,16 +1719,41 @@ int logtype; nat->nat_me = NULL; } - fr_deletequeueentry(&nat->nat_tqe); + if (nat->nat_tqe.tqe_ifq != NULL) + fr_deletequeueentry(&nat->nat_tqe); - nat->nat_ref--; - if (nat->nat_ref > 0) { - MUTEX_EXIT(&ipf_nat_new); + if (logtype == NL_EXPIRE) + nat_stats.ns_expire++; + + MUTEX_ENTER(&nat->nat_lock); + /* + * NL_DESTROY should only be passed in when we've got nat_ref >= 2. + * This happens when a nat'd packet is blocked and we want to throw + * away the NAT session. + */ + if (logtype == NL_DESTROY) { + if (nat->nat_ref > 2) { + nat->nat_ref -= 2; + MUTEX_EXIT(&nat->nat_lock); + if (removed) + nat_stats.ns_orphans++; + return; + } + } else if (nat->nat_ref > 1) { + nat->nat_ref--; + MUTEX_EXIT(&nat->nat_lock); + if (removed) + nat_stats.ns_orphans++; return; } + MUTEX_EXIT(&nat->nat_lock); + /* - * At this point, nat_ref can be either 0 or -1 + * At this point, nat_ref is 1, doing "--" would make it 0.. */ + nat->nat_ref = 0; + if (!removed) + nat_stats.ns_orphans--; #ifdef IPFILTER_SYNC if (nat->nat_sync) 
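Review bot: The comment `At this point, nat_ref is 1, doing "--" would make it 0..` in nat_delete (hunk at -1583) is only true on the non-NL_DESTROY path; on the NL_DESTROY path the code reaches it with nat_ref == 2 (or, contrary to the comment above it, anything below 2) and then forces `nat->nat_ref = 0;` regardless. Suggest wording it as `/* nat_ref is 1 here, or at most 2 on the NL_DESTROY path; either way this is the last reference. */` so the invariant being relied on is explicit. The decision reads `nat->nat_ref` under nat_lock, but the final `nat_ref = 0` store is made after `MUTEX_EXIT(&nat->nat_lock)`, presumably harmless because the entry has been unlinked, and worth a word in the same comment. nat_delete continues outside the hunk.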
@@ -1600,10 +1761,10 @@ int logtype; #endif if (nat->nat_fr != NULL) - (void)fr_derefrule(&nat->nat_fr); + (void) fr_derefrule(&nat->nat_fr); if (nat->nat_hm != NULL) - nat_hostmapdel(nat->nat_hm); + fr_hostmapdel(&nat->nat_hm); /* * If there is an active reference from the nat entry to its parent @@ -1612,25 +1773,13 @@ int logtype; */ ipn = nat->nat_ptr; if (ipn != NULL) { - ipn->in_space++; - ipn->in_use--; - if (ipn->in_use == 0 && (ipn->in_flags & IPN_DELETE)) { - if (ipn->in_apr) - appr_free(ipn->in_apr); - KFREE(ipn); - nat_stats.ns_rules--; -#if SOLARIS - if (nat_stats.ns_rules == 0) - pfil_delayed_copy = 1; -#endif - } + fr_ipnatderef(&ipn); } MUTEX_DESTROY(&nat->nat_lock); aps_free(nat->nat_aps); nat_stats.ns_inuse--; - MUTEX_EXIT(&ipf_nat_new); /* * If there's a fragment table entry too for this nat entry, then @@ -1704,6 +1853,7 @@ static int nat_clearlist() if (n->in_use == 0) { if (n->in_apr != NULL) appr_free(n->in_apr); + MUTEX_DESTROY(&n->in_lock); KFREE(n); nat_stats.ns_rules--; } else { @@ -1712,7 +1862,7 @@ static int nat_clearlist() } i++; } -#if SOLARIS +#if SOLARIS && !defined(_INET_IP_STACK_H) pfil_delayed_copy = 1; #endif nat_masks = 0; @@ -1779,8 +1929,7 @@ natinfo_t *ni; if (hm != NULL) in.s_addr = hm->hm_mapip.s_addr; } else if ((l == 1) && (hm != NULL)) { - nat_hostmapdel(hm); - hm = NULL; + fr_hostmapdel(&hm); } in.s_addr = ntohl(in.s_addr); @@ -2001,10 +2150,12 @@ nat_t *nat; natinfo_t *ni; { u_short nport, dport, sport; - struct in_addr in; + struct in_addr in, inb; + u_short sp, dp; hostmap_t *hm; u_32_t flags; ipnat_t *np; + nat_t *natl; int move; move = 1; 
@@ -2114,6 +2265,23 @@ natinfo_t *ni; in.s_addr = ntohl(fin->fin_daddr); } + /* + * Check to see if this redirect mapping already exists and if + * it does, return "failure" (allowing it to be created will just + * cause one or both of these "connections" to stop working.) + */ + inb.s_addr = htonl(in.s_addr); + sp = fin->fin_data[0]; + dp = fin->fin_data[1]; + fin->fin_data[1] = fin->fin_data[0]; + fin->fin_data[0] = ntohs(nport); + natl = nat_outlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH), + (u_int)fin->fin_p, inb, fin->fin_src); + fin->fin_data[0] = sp; + fin->fin_data[1] = dp; + if (natl != NULL) + return -1; + nat->nat_inip.s_addr = htonl(in.s_addr); nat->nat_outip = fin->fin_dst; nat->nat_oip = fin->fin_src; @@ -2197,6 +2365,7 @@ int direction; if (nat_stats.ns_inuse >= ipf_nattable_max) { nat_stats.ns_memfail++; + fr_nat_doflush = 1; return NULL; } @@ -2207,6 +2376,8 @@ int direction; ni.nai_np = np; ni.nai_nflags = nflags; ni.nai_flags = flags; + ni.nai_dport = 0; + ni.nai_sport = 0; /* Give me a new nat */ KMALLOC(nat, nat_t *); @@ -2250,6 +2421,7 @@ int direction; bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; + nat->nat_redir = np->in_redir; if ((flags & NAT_SLAVE) == 0) { MUTEX_ENTER(&ipf_nat_new); @@ -2354,15 +2526,17 @@ int direction; } if (nat_finalise(fin, nat, &ni, tcp, natsave, direction) == -1) { + fr_nat_doflush = 1; goto badnat; } if (flags & SI_WILDP) nat_stats.ns_wilds++; + fin->fin_flx |= FI_NEWNAT; goto done; badnat: nat_stats.ns_badnat++; if ((hm = nat->nat_hm) != NULL) - nat_hostmapdel(hm); + fr_hostmapdel(&hm); KFREE(nat); nat = NULL; done: @@ -2400,10 +2574,10 @@ int direction; np = ni->nai_np; if (np->in_ifps[0] != NULL) { - COPYIFNAME(np->in_ifps[0], nat->nat_ifnames[0]); + COPYIFNAME(4, np->in_ifps[0], nat->nat_ifnames[0]); } if (np->in_ifps[1] != NULL) { - COPYIFNAME(np->in_ifps[1], nat->nat_ifnames[1]); + COPYIFNAME(4, np->in_ifps[1], nat->nat_ifnames[1]); } #ifdef IPFILTER_SYNC if ((nat->nat_flags & SI_CLONE) == 0) 
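Review bot: The duplicate-mapping check in this hunk rewrites `fin->fin_data[0]` and `fin->fin_data[1]` around the nat_outlookup() call and then restores them from `sp`/`dp`, but nothing explains why the ports are swapped and the source port replaced by `nport`; a comment such as `/* look up the reverse flow: it would carry (nport, fin_data[0]) as its ports and the rewritten address as source */` would spare the next reader reconstructing the intent. `sp` and `dp` are `u_short` while fin_data's element type is not visible here; if it is wider, the save/restore truncates. The enclosing function starts before the hunk.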
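Review bot: In the hunk at -2354, `fr_nat_doflush = 1;` is set whenever nat_finalise() returns -1, but nat_finalise() can fail for reasons other than a full table (the appr_new() failure visible in the hunk at -2417 appears to be one), and each such failure now causes fr_natexpire() (hunk at -4368) to run nat_extraflush(2), which evicts idle sessions. If the intent is to flush only under table pressure, the assignment already made where `ns_inuse >= ipf_nattable_max` is detected (hunk at -2197) suffices and this second one can go, or nat_finalise() should report why it failed. The function continues outside the hunk.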
@@ -2417,6 +2591,8 @@ int direction; nat->nat_ptr = np; nat->nat_p = fin->fin_p; nat->nat_mssclamp = np->in_mssclamp; + if (nat->nat_p == IPPROTO_TCP) + nat->nat_seqnext[0] = ntohl(tcp->th_seq); if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0)) if (appr_new(fin, nat) == -1) @@ -2689,9 +2865,9 @@ u_int *nflags; int dir; { u_32_t sum1, sum2, sumd, sumd2; - struct in_addr in; + struct in_addr a1, a2; + int flags, dlen, odst; icmphdr_t *icmp; - int flags, dlen; u_short *csump; tcphdr_t *tcp; nat_t *nat; @@ -2742,33 +2918,7 @@ int dir; /* * Step 1 * Fix the IP addresses in the offending IP packet. You also need - * to adjust the IP header checksum of that offending IP packet - * and the ICMP checksum of the ICMP error message itself. - * - * Unfortunately, for UDP and TCP, the IP addresses are also contained - * in the pseudo header that is used to compute the UDP resp. TCP - * checksum. So, we must compensate that as well. Even worse, the - * change in the UDP and TCP checksums require yet another - * adjustment of the ICMP checksum of the ICMP error message. - */ - - if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) { - sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); - in = nat->nat_inip; - oip->ip_src = in; - } else { - sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr)); - in = nat->nat_outip; - oip->ip_dst = in; - } - - sum2 = LONG_SUM(ntohl(in.s_addr)); - - CALC_SUMD(sum1, sum2, sumd); - - /* - * Fix IP checksum of the offending IP packet to adjust for - * the change in the IP address. + * to adjust the IP header checksum of that offending IP packet. * * Normally, you would expect that the ICMP checksum of the * ICMP error message needs to be adjusted as well for the 
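Review bot: `nat->nat_seqnext[0] = ntohl(tcp->th_seq);` dereferences `tcp` whenever `nat_p == IPPROTO_TCP`, which is only safe if every caller passes a non-NULL `tcp` for TCP and never reaches this point for a short or fragmented packet; the visible code does not show that guarantee, so either state it on the new line (`/* tcp is non-NULL for TCP: callers do not create NAT entries for short packets */`) or guard the assignment with a NULL test. The enclosing function (apparently nat_finalise) starts before the hunk.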
@@ -2780,183 +2930,133 @@ int dir; * the IP address is x, then the delta for ip_sum is minus x), * so no change in the icmp_cksum is necessary. * - * Be careful that nat_dir refers to the direction of the - * offending IP packet (oip), not to its ICMP response (icmp) + * Inbound ICMP + * ------------ + * MAP rule, SRC=a,DST=b -> SRC=c,DST=b + * - response to outgoing packet (a,b)=>(c,b) (OIP_SRC=c,OIP_DST=b) + * - OIP_SRC(c)=nat_outip, OIP_DST(b)=nat_oip + * + * RDR rule, SRC=a,DST=b -> SRC=a,DST=c + * - response to outgoing packet (c,a)=>(b,a) (OIP_SRC=b,OIP_DST=a) + * - OIP_SRC(b)=nat_outip, OIP_DST(a)=nat_oip + * + * Outbound ICMP + * ------------- + * MAP rule, SRC=a,DST=b -> SRC=c,DST=b + * - response to incoming packet (b,c)=>(b,a) (OIP_SRC=b,OIP_DST=a) + * - OIP_SRC(a)=nat_oip, OIP_DST(c)=nat_inip + * + * RDR rule, SRC=a,DST=b -> SRC=a,DST=c + * - response to incoming packet (a,b)=>(a,c) (OIP_SRC=a,OIP_DST=c) + * - OIP_SRC(a)=nat_oip, OIP_DST(c)=nat_inip + * */ - fix_datacksum(&oip->ip_sum, sumd); - /* Fix icmp cksum : IP Addr + Cksum */ - sumd2 = (sumd >> 16); + odst = (oip->ip_dst.s_addr == nat->nat_oip.s_addr) ? 1 : 0; + if (odst == 1) { + a1.s_addr = ntohl(nat->nat_inip.s_addr); + a2.s_addr = ntohl(oip->ip_src.s_addr); + oip->ip_src.s_addr = htonl(a1.s_addr); + } else { + a1.s_addr = ntohl(nat->nat_outip.s_addr); + a2.s_addr = ntohl(oip->ip_dst.s_addr); + oip->ip_dst.s_addr = htonl(a1.s_addr); + } + + sumd = a2.s_addr - a1.s_addr; + if (sumd != 0) { + if (a1.s_addr > a2.s_addr) + sumd--; + sumd = ~sumd; + + fix_datacksum(&oip->ip_sum, sumd); + } + + sumd2 = sumd; + sum1 = 0; + sum2 = 0; /* * Fix UDP pseudo header checksum to compensate for the * IP address change. */ - if ((oip->ip_p == IPPROTO_UDP) && (dlen >= 8) && (*csump != 0)) { - /* - * The UDP checksum is optional, only adjust it - * if it has been set. 
- */ - sum1 = ntohs(*csump); - fix_datacksum(csump, sumd); - sum2 = ntohs(*csump); - - /* - * Fix ICMP checksum to compensate the UDP - * checksum adjustment. - */ - sumd2 = sumd << 1; - CALC_SUMD(sum1, sum2, sumd); - sumd2 += sumd; - } - - /* - * Fix TCP pseudo header checksum to compensate for the - * IP address change. Before we can do the change, we - * must make sure that oip is sufficient large to hold - * the TCP checksum (normally it does not!). - * 18 = offsetof(tcphdr_t, th_sum) + 2 - */ - else if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { - sum1 = ntohs(*csump); - fix_datacksum(csump, sumd); - sum2 = ntohs(*csump); - - /* - * Fix ICMP checksum to compensate the TCP - * checksum adjustment. - */ - sumd2 = sumd << 1; - CALC_SUMD(sum1, sum2, sumd); - sumd2 += sumd; - } else { - if (nat->nat_dir == NAT_OUTBOUND) - sumd2 = ~sumd2; - else - sumd2 = ~sumd2 + 1; - } - if (((flags & IPN_TCPUDP) != 0) && (dlen >= 4)) { - int mode = 0; - /* * Step 2 : * For offending TCP/UDP IP packets, translate the ports as * well, based on the NAT specification. Of course such - * a change must be reflected in the ICMP checksum as well. - * - * Advance notice : Now it becomes complicated :-) + * a change may be reflected in the ICMP checksum as well. * * Since the port fields are part of the TCP/UDP checksum * of the offending IP packet, you need to adjust that checksum * as well... except that the change in the port numbers should - * be offset by the checksum change, so we only need to change - * the ICMP checksum if we only change the ports. - * - * To further complicate: the TCP checksum is not in the first - * 8 bytes of the offending ip packet, so it most likely is not - * available. Some OSses like Solaris return enough bytes to - * include the TCP checksum. So we have to check if the - * ip->ip_len actually holds the TCP checksum of the oip! + * be offset by the checksum change. 
However, the TCP/UDP + * checksum will also need to change if there has been an + * IP address change. */ + if (odst == 1) { + sum1 = ntohs(nat->nat_inport); + sum2 = ntohs(tcp->th_sport); - if (nat->nat_oport == tcp->th_dport) { - if (tcp->th_sport != nat->nat_inport) { - mode = 1; - sum1 = ntohs(nat->nat_inport); - sum2 = ntohs(tcp->th_sport); - } - } else if (tcp->th_sport == nat->nat_oport) { - mode = 2; + tcp->th_sport = htons(sum1); + } else { sum1 = ntohs(nat->nat_outport); sum2 = ntohs(tcp->th_dport); - } - if (mode == 1) { - /* - * Fix ICMP checksum to compensate port adjustment. - */ - tcp->th_sport = htons(sum1); - - /* - * Fix udp checksum to compensate port adjustment. - * NOTE : the offending IP packet flows the other - * direction compared to the ICMP message. - * - * The UDP checksum is optional, only adjust it if - * it has been set. - */ - if (oip->ip_p == IPPROTO_UDP) { - sumd = sum1 - sum2; - - if ((dlen >= 8) && (*csump != 0)) { - fix_datacksum(csump, sumd); - } else { - sumd2 += sumd; - } - } - - /* - * Fix TCP checksum (if present) to compensate port - * adjustment. NOTE : the offending IP packet flows - * the other direction compared to the ICMP message. - */ - if (oip->ip_p == IPPROTO_TCP) { - sumd = sum1 - sum2; - - if (dlen >= 18) { - fix_datacksum(csump, sumd); - } else { - sumd = sum2 - sum1 + 1; - sumd2 += sumd; - } - } - } else if (mode == 2) { - /* - * Fix ICMP checksum to compensate port adjustment. - */ tcp->th_dport = htons(sum1); + } + sumd += sum1 - sum2; + if (sumd != 0 || sumd2 != 0) { /* - * Fix UDP checksum to compensate port adjustment. - * NOTE : the offending IP packet flows the other - * direction compared to the ICMP message. + * At this point, sumd is the delta to apply to the + * TCP/UDP header, given the changes in both the IP + * address and the ports and sumd2 is the delta to + * apply to the ICMP header, given the IP address + * change delta that may need to be applied to the + * TCP/UDP checksum instead. 
* - * The UDP checksum is optional, only adjust - * it if it has been set. + * If we will both the IP and TCP/UDP checksums + * then the ICMP checksum changes by the address + * delta applied to the TCP/UDP checksum. If we + * do not change the TCP/UDP checksum them we + * apply the delta in ports to the ICMP checksum. */ if (oip->ip_p == IPPROTO_UDP) { - sumd = sum1 - sum2; - if ((dlen >= 8) && (*csump != 0)) { fix_datacksum(csump, sumd); } else { - sumd2 += sumd; + sumd2 = sum1 - sum2; + if (sum2 > sum1) + sumd2--; } - } - - /* - * Fix TCP checksum (if present) to compensate port - * adjustment. NOTE : the offending IP packet flows - * the other direction compared to the ICMP message. - */ - if (oip->ip_p == IPPROTO_TCP) { - sumd = sum1 - sum2; - + } else if (oip->ip_p == IPPROTO_TCP) { if (dlen >= 18) { fix_datacksum(csump, sumd); } else { - if (nat->nat_dir == NAT_INBOUND) - sumd = sum2 - sum1; - else - sumd = sum2 - sum1 + 1; - sumd2 += sumd; + sumd2 = sum2 - sum1; + if (sum1 > sum2) + sumd2--; + } + } + + if (sumd2 != 0) { + ipnat_t *np; + + np = nat->nat_ptr; + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + + if ((odst == 0) && (dir == NAT_OUTBOUND) && + (fin->fin_rev == 0) && (np != NULL) && + (np->in_redir & NAT_REDIRECT)) { + fix_outcksum(fin, &icmp->icmp_cksum, + sumd2); + } else { + fix_incksum(fin, &icmp->icmp_cksum, + sumd2); } } - } - if (sumd2 != 0) { - sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); - sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); - fix_incksum(fin, &icmp->icmp_cksum, sumd2); } } else if (((flags & IPN_ICMPQUERY) != 0) && (dlen >= 8)) { icmphdr_t *orgicmp; @@ -2967,7 +3067,7 @@ int dir; */ orgicmp = (icmphdr_t *)dp; - if (nat->nat_dir == NAT_OUTBOUND) { + if (odst == 1) { if (orgicmp->icmp_id != nat->nat_inport) { /* 
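Review bot: The rewritten ICMP-error checksum code still tests `dlen >= 18` before touching the TCP checksum, but the explanation the old code carried (`18 = offsetof(tcphdr_t, th_sum) + 2`) went away with the old comment block; please restore it next to the test, e.g. `/* 18 = offsetof(tcphdr_t, th_sum) + 2: the quoted header must reach th_sum */`. The new comment block has two slips: `If we will both the IP and TCP/UDP checksums` lacks its verb (`If we fix both ...`) and `If we do not change the TCP/UDP checksum them we` should read `then we`. The one's-complement delta (`sumd--` when `a1 > a2`, then `~sumd`) and the three-step fold of `sumd2` rely on `sumd`/`sumd2` being the unsigned `u_32_t` declared at the top of the function (hunk at -2689), and a short comment beside `sumd = a2.s_addr - a1.s_addr;` naming that would help. The function spans hunks on either side.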
@@ -3582,6 +3682,26 @@ ipnat_t *np; ifq2 = NULL; if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) { + u_32_t end, ack; + u_char tcpflags; + tcphdr_t *tcp; + int dsize; + + tcp = fin->fin_dp; + tcpflags = tcp->th_flags; + dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) + + ((tcpflags & TH_SYN) ? 1 : 0) + + ((tcpflags & TH_FIN) ? 1 : 0); + + ack = ntohl(tcp->th_ack); + end = ntohl(tcp->th_seq) + dsize; + + if (SEQ_GT(ack, nat->nat_seqnext[1 - fin->fin_rev])) + nat->nat_seqnext[1 - fin->fin_rev] = ack; + + if (nat->nat_seqnext[fin->fin_rev] == 0) + nat->nat_seqnext[fin->fin_rev] = end; + (void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0); } else { if (ifq2 == NULL) { @@ -3635,9 +3755,11 @@ u_32_t *passp; natfailed = 0; fr = fin->fin_fr; sifp = fin->fin_ifp; - if ((fr != NULL) && !(fr->fr_flags & FR_DUP) && - fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) - fin->fin_ifp = fr->fr_tif.fd_ifp; + if (fr != NULL) { + ifp = fr->fr_tifs[fin->fin_rev].fd_ifp; + if ((ifp != NULL) && (ifp != (void *)-1)) + fin->fin_ifp = ifp; + } ifp = fin->fin_ifp; if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) { @@ -3749,6 +3871,7 @@ maskloop: MUTEX_ENTER(&nat->nat_lock); nat->nat_ref++; MUTEX_EXIT(&nat->nat_lock); + nat->nat_touched = fr_ticks; fin->fin_nat = nat; } } else @@ -4042,8 +4165,8 @@ maskloop: MUTEX_ENTER(&nat->nat_lock); nat->nat_ref++; MUTEX_EXIT(&nat->nat_lock); + nat->nat_touched = fr_ticks; fin->fin_nat = nat; - fin->fin_state = nat->nat_state; } } else rval = natfailed; @@ -4287,9 +4410,9 @@ void fr_natunload() KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz); rdr_rules = NULL; } - if (maptable != NULL) { - KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz); - maptable = NULL; + if (ipf_hm_maptable != NULL) { + KFREES(ipf_hm_maptable, sizeof(hostmap_t *) * ipf_hostmap_sz); + ipf_hm_maptable = NULL; } if (nat_stats.ns_bucketlen[0] != NULL) { KFREES(nat_stats.ns_bucketlen[0], 
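Review bot: The new sequence-tracking block computes `dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) + ...` and reads `th_flags`, `th_ack` and `th_seq` through `fin->fin_dp` without checking that the packet carries a complete TCP header (`fin_flx & FI_SHORT`, as tested in the hunk at -3635); if this function can be reached for a short or non-first fragment, `TCP_OFF(tcp)` reads beyond the data and `dsize` goes negative. If callers already exclude such packets, say so on the new lines: `/* fin_dp is a complete TCP header here: short and fragmented packets never reach this point */`. Using `1 - fin->fin_rev` as an index also assumes fin_rev is strictly 0 or 1. The enclosing function starts outside the hunk.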
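Review bot: The interface override in the hunk at -3635 no longer consults `FR_DUP`: the old code skipped the rewrite of `fin_ifp` when the rule had FR_DUP set, the new one applies `fr_tifs[fin->fin_rev].fd_ifp` unconditionally. If the dup-to interface now lives in a separate field so that `fr_tifs` never refers to it, this is fine and a comment would close the question, e.g. `/* fr_tifs[] holds only the to/reply-to interfaces; dup-to is handled separately */`; if not, duplicated packets are now rerouted as well. The enclosing function continues outside the hunk.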
@@ -4368,6 +4491,11 @@ void fr_natexpire() } } + if (fr_nat_doflush != 0) { + nat_extraflush(2); + fr_nat_doflush = 0; + } + RWLOCK_EXIT(&ipf_nat); SPL_X(s); } @@ -4576,6 +4704,36 @@ void *ifp; #endif +/* ------------------------------------------------------------------------ */ +/* Function: fr_ipnatderef */ +/* Returns: Nil */ +/* Parameters: isp(I) - pointer to pointer to NAT rule */ +/* Write Locks: ipf_nat */ +/* */ +/* ------------------------------------------------------------------------ */ +void fr_ipnatderef(inp) +ipnat_t **inp; +{ + ipnat_t *in; + + in = *inp; + *inp = NULL; + in->in_space++; + in->in_use--; + if (in->in_use == 0 && (in->in_flags & IPN_DELETE)) { + if (in->in_apr) + appr_free(in->in_apr); + MUTEX_DESTROY(&in->in_lock); + KFREE(in); + nat_stats.ns_rules--; +#if SOLARIS && !defined(_INET_IP_STACK_H) + if (nat_stats.ns_rules == 0) + pfil_delayed_copy = 1; +#endif + } +} + + /* ------------------------------------------------------------------------ */ /* Function: fr_natderef */ /* Returns: Nil */ @@ -4583,6 +4741,14 @@ void *ifp; /* */ /* Decrement the reference counter for this NAT table entry and free it if */ /* there are no more things using it. */ +/* */ +/* IF nat_ref == 1 when this function is called, then we have an orphan nat */ +/* structure *because* it only gets called on paths _after_ nat_ref has been*/ +/* incremented. If nat_ref == 1 then we shouldn't decrement it here */ +/* because nat_delete() will do that and send nat_ref to -1. */ +/* */ +/* Holding the lock on nat_lock is required to serialise nat_delete() being */ +/* called from a NAT flush ioctl with a deref happening because of a packet.*/ /* ------------------------------------------------------------------------ */ void fr_natderef(natp) nat_t **natp; 
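Review bot: The header block for fr_ipnatderef (hunk at -4576) has an empty description line, and the parameter is documented as `isp(I)` while the code names it `inp`; suggest `/* Parameters: inp(I) - pointer to pointer to NAT rule; cleared on return */` and a description such as `/* Drop one reference to the rule; free it once in_use reaches zero and IPN_DELETE is set. */`. The function dereferences `*inp` unconditionally, so callers must guarantee it is non-NULL, as nat_delete and nat_getnext in this commit do. Its `in_use--` is not done under `in_lock`, while nat_getnext increments `in_use` under that mutex; that is consistent only because the documented ipf_nat write lock excludes the read-locked iterator, which makes the lock requirement in the header load-bearing and worth keeping prominent.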
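Review bot: The new comment on fr_natderef (hunk at -4583) says nat_delete() `will do that and send nat_ref to -1`, but the nat_delete in this commit (hunk at -1583) no longer decrements past zero: it stores `nat->nat_ref = 0;` explicitly. Suggest `/* because nat_delete() clears it itself (it sets nat_ref to 0). */` so the two comments agree. The sentence about an orphan entry when nat_ref == 1 matches the new ns_orphans accounting in nat_delete and reads fine.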
@@ -4591,10 +4757,17 @@ nat_t **natp; nat = *natp; *natp = NULL; + + MUTEX_ENTER(&nat->nat_lock); + if (nat->nat_ref > 1) { + nat->nat_ref--; + MUTEX_EXIT(&nat->nat_lock); + return; + } + MUTEX_EXIT(&nat->nat_lock); + WRITE_ENTER(&ipf_nat); - nat->nat_ref--; - if (nat->nat_ref == 0) - nat_delete(nat, NL_EXPIRE); + nat_delete(nat, NL_EXPIRE); RWLOCK_EXIT(&ipf_nat); } 
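Review bot: In fr_natderef, nat_lock is released before `WRITE_ENTER(&ipf_nat)`, so another packet can take a reference (the `nat->nat_ref++` under nat_lock in the hunks at -3749 and -4042) between the `nat_ref > 1` test and the nat_delete() call; that is safe only because nat_delete(NL_EXPIRE) re-checks `nat_ref > 1` under nat_lock and merely decrements in that case. A comment on the WRITE_ENTER line would make the reliance explicit: `/* a reference may have been taken since the check above; nat_delete() re-tests under nat_lock */`. The function's remaining lines are inside the hunk.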
@@ -4857,3 +5030,449 @@ int rev; fr_queueappend(&nat->nat_tqe, nifq, nat); return; } + + +/* ------------------------------------------------------------------------ */ +/* Function: nat_getnext */ +/* Returns: int - 0 == ok, else error */ +/* Parameters: t(I) - pointer to ipftoken structure */ +/* itp(I) - pointer to ipfgeniter_t structure */ +/* */ +/* Fetch the next nat/ipnat structure pointer from the linked list and */ +/* copy it out to the storage space pointed to by itp_data. The next item */ +/* in the list to look at is put back in the ipftoken struture. */ +/* If we call ipf_freetoken, the accompanying pointer is set to NULL because*/ +/* ipf_freetoken will call a deref function for us and we dont want to call */ +/* that twice (second time would be in the second switch statement below. */ +/* ------------------------------------------------------------------------ */ +static int nat_getnext(t, itp) +ipftoken_t *t; +ipfgeniter_t *itp; +{ + hostmap_t *hm, *nexthm = NULL, zerohm; + ipnat_t *ipn, *nextipnat = NULL, zeroipn; + nat_t *nat, *nextnat = NULL, zeronat; + int error = 0, count; + char *dst; + + count = itp->igi_nitems; + if (count < 1) + return ENOSPC; + + READ_ENTER(&ipf_nat); + + switch (itp->igi_type) + { + case IPFGENITER_HOSTMAP : + hm = t->ipt_data; + if (hm == NULL) { + nexthm = ipf_hm_maplist; + } else { + nexthm = hm->hm_next; + } + break; + + case IPFGENITER_IPNAT : + ipn = t->ipt_data; + if (ipn == NULL) { + nextipnat = nat_list; + } else { + nextipnat = ipn->in_next; + } + break; + + case IPFGENITER_NAT : + nat = t->ipt_data; + if (nat == NULL) { + nextnat = nat_instances; + } else { + nextnat = nat->nat_next; + } + break; + default : + RWLOCK_EXIT(&ipf_nat); + return EINVAL; + } + + dst = itp->igi_data; + for (;;) { + switch (itp->igi_type) + { + case IPFGENITER_HOSTMAP : + if (nexthm != NULL) { + if (count == 1) { + ATOMIC_INC32(nexthm->hm_ref); + t->ipt_data = nexthm; + } + } else { + bzero(&zerohm, sizeof(zerohm)); + nexthm = 
&zerohm; + count = 1; + t->ipt_data = NULL; + } + break; + + case IPFGENITER_IPNAT : + if (nextipnat != NULL) { + if (count == 1) { + MUTEX_ENTER(&nextipnat->in_lock); + nextipnat->in_use++; + MUTEX_EXIT(&nextipnat->in_lock); + t->ipt_data = nextipnat; + } + } else { + bzero(&zeroipn, sizeof(zeroipn)); + nextipnat = &zeroipn; + count = 1; + t->ipt_data = NULL; + } + break; + + case IPFGENITER_NAT : + if (nextnat != NULL) { + if (count == 1) { + MUTEX_ENTER(&nextnat->nat_lock); + nextnat->nat_ref++; + MUTEX_EXIT(&nextnat->nat_lock); + t->ipt_data = nextnat; + } + } else { + bzero(&zeronat, sizeof(zeronat)); + nextnat = &zeronat; + count = 1; + t->ipt_data = NULL; + } + break; + default : + break; + } + RWLOCK_EXIT(&ipf_nat); + + /* + * Copying out to user space needs to be done without the lock. + */ + switch (itp->igi_type) + { + case IPFGENITER_HOSTMAP : + error = COPYOUT(nexthm, dst, sizeof(*nexthm)); + if (error != 0) + error = EFAULT; + else + dst += sizeof(*nexthm); + break; + + case IPFGENITER_IPNAT : + error = COPYOUT(nextipnat, dst, sizeof(*nextipnat)); + if (error != 0) + error = EFAULT; + else + dst += sizeof(*nextipnat); + break; + + case IPFGENITER_NAT : + error = COPYOUT(nextnat, dst, sizeof(*nextnat)); + if (error != 0) + error = EFAULT; + else + dst += sizeof(*nextnat); + break; + } + + if ((count == 1) || (error != 0)) + break; + + count--; + + READ_ENTER(&ipf_nat); + + /* + * We need to have the lock again here to make sure that + * using _next is consistent. 
+ */ + switch (itp->igi_type) + { + case IPFGENITER_HOSTMAP : + nexthm = nexthm->hm_next; + break; + case IPFGENITER_IPNAT : + nextipnat = nextipnat->in_next; + break; + case IPFGENITER_NAT : + nextnat = nextnat->nat_next; + break; + } + } + + + switch (itp->igi_type) + { + case IPFGENITER_HOSTMAP : + if (hm != NULL) { + WRITE_ENTER(&ipf_nat); + fr_hostmapdel(&hm); + RWLOCK_EXIT(&ipf_nat); + } + break; + case IPFGENITER_IPNAT : + if (ipn != NULL) { + fr_ipnatderef(&ipn); + } + break; + case IPFGENITER_NAT : + if (nat != NULL) { + fr_natderef(&nat); + } + break; + default : + break; + } + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: nat_iterator */ +/* Returns: int - 0 == ok, else error */ +/* Parameters: token(I) - pointer to ipftoken structure */ +/* itp(I) - pointer to ipfgeniter_t structure */ +/* */ +/* This function acts as a handler for the SIOCGENITER ioctls that use a */ +/* generic structure to iterate through a list. There are three different */ +/* linked lists of NAT related information to go through: NAT rules, active */ +/* NAT mappings and the NAT fragment cache. 
*/ +/* ------------------------------------------------------------------------ */ +static int nat_iterator(token, itp) +ipftoken_t *token; +ipfgeniter_t *itp; +{ + int error; + + if (itp->igi_data == NULL) + return EFAULT; + + token->ipt_subtype = itp->igi_type; + + switch (itp->igi_type) + { + case IPFGENITER_HOSTMAP : + case IPFGENITER_IPNAT : + case IPFGENITER_NAT : + error = nat_getnext(token, itp); + break; + + case IPFGENITER_NATFRAG : +#ifdef USE_MUTEXES + error = fr_nextfrag(token, itp, &ipfr_natlist, + &ipfr_nattail, &ipf_natfrag); +#else + error = fr_nextfrag(token, itp, &ipfr_natlist, &ipfr_nattail); +#endif + break; + default : + error = EINVAL; + break; + } + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: nat_extraflush */ +/* Returns: int - 0 == success, -1 == failure */ +/* Parameters: which(I) - how to flush the active NAT table */ +/* Write Locks: ipf_nat */ +/* */ +/* Flush nat tables. Three actions currently defined: */ +/* which == 0 : flush all nat table entries */ +/* which == 1 : flush TCP connections which have started to close but are */ +/* stuck for some reason. */ +/* which == 2 : flush TCP connections which have been idle for a long time, */ +/* starting at > 4 days idle and working back in successive half-*/ +/* days to at most 12 hours old. If this fails to free enough */ +/* slots then work backwards in half hour slots to 30 minutes. */ +/* If that too fails, then work backwards in 30 second intervals */ +/* for the last 30 minutes to at worst 30 seconds idle. */ +/* ------------------------------------------------------------------------ */ +static int nat_extraflush(which) +int which; +{ + ipftq_t *ifq, *ifqnext; + nat_t *nat, **natp; + ipftqent_t *tqn; + int removed; + SPL_INT(s); + + removed = 0; + + SPL_NET(s); + + switch (which) + { + case 0 : + /* + * Style 0 flush removes everything... 
+ */ + for (natp = &nat_instances; ((nat = *natp) != NULL); ) { + nat_delete(nat, NL_FLUSH); + removed++; + } + break; + + case 1 : + /* + * Since we're only interested in things that are closing, + * we can start with the appropriate timeout queue. + */ + for (ifq = nat_tqb + IPF_TCPS_CLOSE_WAIT; ifq != NULL; + ifq = ifq->ifq_next) { + + for (tqn = ifq->ifq_head; tqn != NULL; ) { + nat = tqn->tqe_parent; + tqn = tqn->tqe_next; + if (nat->nat_p != IPPROTO_TCP) + break; + nat_delete(nat, NL_EXPIRE); + removed++; + } + } + + /* + * Also need to look through the user defined queues. + */ + for (ifq = nat_utqe; ifq != NULL; ifq = ifqnext) { + ifqnext = ifq->ifq_next; + for (tqn = ifq->ifq_head; tqn != NULL; ) { + nat = tqn->tqe_parent; + tqn = tqn->tqe_next; + if (nat->nat_p != IPPROTO_TCP) + continue; + + if ((nat->nat_tcpstate[0] > + IPF_TCPS_ESTABLISHED) && + (nat->nat_tcpstate[1] > + IPF_TCPS_ESTABLISHED)) { + nat_delete(nat, NL_EXPIRE); + removed++; + } + } + } + break; + + /* + * Args 5-11 correspond to flushing those particular states + * for TCP connections. + */ + case IPF_TCPS_CLOSE_WAIT : + case IPF_TCPS_FIN_WAIT_1 : + case IPF_TCPS_CLOSING : + case IPF_TCPS_LAST_ACK : + case IPF_TCPS_FIN_WAIT_2 : + case IPF_TCPS_TIME_WAIT : + case IPF_TCPS_CLOSED : + tqn = nat_tqb[which].ifq_head; + while (tqn != NULL) { + nat = tqn->tqe_parent; + tqn = tqn->tqe_next; + nat_delete(nat, NL_FLUSH); + removed++; + } + break; + + default : + if (which < 30) + break; + + /* + * Take a large arbitrary number to mean the number of seconds + * for which which consider to be the maximum value we'll allow + * the expiration to be. + */ + which = IPF_TTLVAL(which); + for (natp = &nat_instances; ((nat = *natp) != NULL); ) { + if (fr_ticks - nat->nat_touched > which) { + nat_delete(nat, NL_FLUSH); + removed++; + } else + natp = &nat->nat_next; + } + break; + } + + if (which != 2) { + SPL_X(s); + return removed; + } + + /* + * Asked to remove inactive entries because the table is full. 
+ */ + if (fr_ticks - nat_last_force_flush > IPF_TTLVAL(5)) { + nat_last_force_flush = fr_ticks; + removed = ipf_queueflush(nat_flush_entry, nat_tqb, nat_utqe); + } + + SPL_X(s); + return removed; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: nat_flush_entry */ +/* Returns: 0 - always succeeds */ +/* Parameters: entry(I) - pointer to NAT entry */ +/* Write Locks: ipf_nat */ +/* */ +/* This function is a stepping stone between ipf_queueflush() and */ +/* nat_dlete(). It is used so we can provide a uniform interface via the */ +/* ipf_queueflush() function. Since the nat_delete() function returns void */ +/* we translate that to mean it always succeeds in deleting something. */ +/* ------------------------------------------------------------------------ */ +static int nat_flush_entry(entry) +void *entry; +{ + nat_delete(entry, NL_FLUSH); + return 0; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: nat_gettable */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - pointer to ioctl data */ +/* */ +/* This function handles ioctl requests for tables of nat information. */ +/* At present the only table it deals with is the hash bucket statistics. */ +/* ------------------------------------------------------------------------ */ +static int nat_gettable(data) +char *data; +{ + ipftable_t table; + int error; + + error = fr_inobj(data, &table, IPFOBJ_GTABLE); + if (error != 0) + return error; + + switch (table.ita_type) + { + case IPFTABLE_BUCKETS_NATIN : + error = COPYOUT(nat_stats.ns_bucketlen[0], table.ita_table, + ipf_nattable_sz * sizeof(u_long)); + break; + + case IPFTABLE_BUCKETS_NATOUT : + error = COPYOUT(nat_stats.ns_bucketlen[1], table.ita_table, + ipf_nattable_sz * sizeof(u_long)); + break; + + default : + return EINVAL; + } + + if (error != 0) { + error = EFAULT; + } + return error; +} 
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h index e1bec966abb4..3020eb69ee12 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.h +++ b/sys/contrib/ipfilter/netinet/ip_nat.h @@ -7,7 +7,7 @@ * * @(#)ip_nat.h 1.5 2/4/96 * $FreeBSD$ - * Id: ip_nat.h,v 2.90.2.9 2005/03/28 11:09:55 darrenr Exp + * Id: ip_nat.h,v 2.90.2.20 2007/09/25 08:27:32 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -124,6 +124,8 @@ typedef struct nat { int nat_hv[2]; char nat_ifnames[2][LIFNAMSIZ]; int nat_rev; /* 0 = forward, 1 = reverse */ + int nat_redir; /* copy of in_redir */ + u_32_t nat_seqnext[2]; } nat_t; #define nat_inip nat_inip6.in4 @@ -136,6 +138,8 @@ typedef struct nat { #define nat_seq nat_un.nat_uni.ici_seq #define nat_id nat_un.nat_uni.ici_id #define nat_tcpstate nat_tqe.tqe_state +#define nat_die nat_tqe.tqe_die +#define nat_touched nat_tqe.tqe_touched /* * Values for nat_dir @@ -152,7 +156,7 @@ typedef struct nat { #define NAT_ICMPQUERY 0x0008 /* IPN_ICMPQUERY */ #define NAT_SEARCH 0x0010 #define NAT_SLAVE 0x0020 /* Slave connection for a proxy */ -#define NAT_NOTRULEPORT 0x0040 +#define NAT_NOTRULEPORT 0x0040 /* Don't use the port # in the NAT rule */ #define NAT_TCPUDP (NAT_TCP|NAT_UDP) #define NAT_TCPUDPICMP (NAT_TCP|NAT_UDP|NAT_ICMPERR) @@ -171,6 +175,7 @@ typedef struct nat { #define NAT_DEBUG 0x800000 typedef struct ipnat { + ipfmutex_t in_lock; struct ipnat *in_next; /* NAT rule list next */ struct ipnat *in_rnext; /* rdr rule hash next */ struct ipnat **in_prnext; /* prior rdr next ptr */ 
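Review bot: The new `ipfmutex_t in_lock` placed at the head of `struct ipnat` (hunk @@ -171,6 +175,7 @@) is the only member there without a descriptive comment, and it changes the struct's size and every later member offset. If ipnat_t is still copied whole between user space and the kernel by the NAT ioctls — that path is not on this page — the user-space tools must be rebuilt against this header and the kernel must never trust the in_lock bytes it copies in; a comment such as `ipfmutex_t in_lock; /* kernel use only; not meaningful in a user copy */` would record that. The same lack of a comment applies to `u_32_t nat_seqnext[2];` in hunk @@ -124,6 +124,8 @@, where `nat_redir` next to it does get one.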
@@ -296,25 +301,6 @@ typedef struct natget { } natget_t; -#undef tr_flags -typedef struct nattrpnt { - struct in_addr tr_dstip; /* real destination IP# */ - struct in_addr tr_srcip; /* real source IP# */ - struct in_addr tr_locip; /* local source IP# */ - u_int tr_flags; - int tr_expire; - u_short tr_dstport; /* real destination port# */ - u_short tr_srcport; /* real source port# */ - u_short tr_locport; /* local source port# */ - struct nattrpnt *tr_hnext; - struct nattrpnt **tr_phnext; - struct nattrpnt *tr_next; - struct nattrpnt **tr_pnext; /* previous next */ -} nattrpnt_t; - -#define TN_CMPSIZ offsetof(nattrpnt_t, tr_hnext) - - /* * This structure gets used to help NAT sessions keep the same NAT rule (and * thus translation for IP address) when: @@ -322,6 +308,8 @@ typedef struct nattrpnt { * (b) different IP add */ typedef struct hostmap { + struct hostmap *hm_hnext; + struct hostmap **hm_phnext; struct hostmap *hm_next; struct hostmap **hm_pnext; struct ipnat *hm_ipnat; @@ -373,8 +361,10 @@ typedef struct natstat { u_int ns_trpntab_sz; u_int ns_hostmap_sz; nat_t *ns_instances; - nattrpnt_t *ns_trpntlist; + hostmap_t *ns_maplist; u_long *ns_bucketlen[2]; + u_long ns_ticks; + u_int ns_orphans; } natstat_t; typedef struct natlog { @@ -396,6 +386,7 @@ typedef struct natlog { #define NL_NEWRDR NAT_REDIRECT #define NL_NEWBIMAP NAT_BIMAP #define NL_NEWBLOCK NAT_MAPBLK +#define NL_DESTROY 0xfffc #define NL_CLONE 0xfffd #define NL_FLUSH 0xfffe #define NL_EXPIRE 0xffff @@ -427,6 +418,7 @@ extern u_int ipf_hostmap_sz; extern u_int fr_nat_maxbucket; extern u_int fr_nat_maxbucket_reset; extern int fr_nat_lock; +extern int fr_nat_doflush; extern void fr_natsync __P((void *)); extern u_long fr_defnatage; extern u_long fr_defnaticmpage; 
@@ -444,7 +436,7 @@ extern natstat_t nat_stats; #if defined(__OpenBSD__) extern void nat_ifdetach __P((void *)); #endif -extern int fr_nat_ioctl __P((caddr_t, ioctlcmd_t, int)); +extern int fr_nat_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *)); extern int fr_natinit __P((void)); extern nat_t *nat_new __P((fr_info_t *, ipnat_t *, nat_t **, u_int, int)); extern nat_t *nat_outlookup __P((fr_info_t *, u_int, u_int, struct in_addr, @@ -458,6 +450,7 @@ extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr, extern nat_t *nat_lookupredir __P((natlookup_t *)); extern nat_t *nat_icmperrorlookup __P((fr_info_t *, int)); extern nat_t *nat_icmperror __P((fr_info_t *, u_int *, int)); +extern void nat_delete __P((struct nat *, int)); extern int nat_insert __P((nat_t *, int)); extern int fr_checknatout __P((fr_info_t *, u_32_t *)); @@ -469,9 +462,11 @@ extern void fr_natexpire __P((void)); extern void nat_log __P((struct nat *, u_int)); extern void fix_incksum __P((fr_info_t *, u_short *, u_32_t)); extern void fix_outcksum __P((fr_info_t *, u_short *, u_32_t)); +extern void fr_ipnatderef __P((ipnat_t **)); extern void fr_natderef __P((nat_t **)); extern u_short *nat_proto __P((fr_info_t *, nat_t *, u_int)); extern void nat_update __P((fr_info_t *, nat_t *, ipnat_t *)); extern void fr_setnatqueue __P((nat_t *, int)); +extern void fr_hostmapdel __P((hostmap_t **)); #endif /* __IP_NAT_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_pool.c b/sys/contrib/ipfilter/netinet/ip_pool.c index 3d19afbf06ba..eab33108a567 100644 --- a/sys/contrib/ipfilter/netinet/ip_pool.c +++ b/sys/contrib/ipfilter/netinet/ip_pool.c @@ -53,11 +53,11 @@ struct file; # include #endif +#if defined(SOLARIS2) && !defined(_KERNEL) +# include "radix_ipf.h" +#endif #if defined(_KERNEL) && (defined(__osf__) || defined(AIX) || \ defined(__hpux) || defined(__sgi)) -# ifdef __osf__ -# include -# endif # include "radix_ipf_local.h" # define _RADIX_H_ #endif 
@@ -78,18 +78,22 @@ static int rn_freenode __P((struct radix_node *, void *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.15 2005/11/13 15:38:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.24 2007/10/10 09:45:37 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP -# ifndef RADIX_NODE_HEAD_LOCK +# if !defined(RADIX_NODE_HEAD_LOCK) || !defined(RADIX_NODE_HEAD_UNLOCK) || \ + !defined(_KERNEL) +# undef RADIX_NODE_HEAD_LOCK +# undef RADIX_NODE_HEAD_UNLOCK # define RADIX_NODE_HEAD_LOCK(x) ; -# endif -# ifndef RADIX_NODE_HEAD_UNLOCK # define RADIX_NODE_HEAD_UNLOCK(x) ; # endif +static void ip_pool_clearnodes __P((ip_pool_t *)); +static void *ip_pool_exists __P((int, char *)); + ip_pool_stat_t ipoolstat; ipfrwlock_t ip_poolrw; @@ -137,7 +141,7 @@ main(argc, argv) strcpy(op.iplo_name, "0"); if (ip_pool_create(&op) == 0) - ipo = ip_pool_find(0, "0"); + ipo = ip_pool_exists(0, "0"); a.adf_addr.in4.s_addr = 0x0a010203; b.adf_addr.in4.s_addr = 0xffffffff; @@ -262,18 +266,12 @@ int ip_pool_init() void ip_pool_fini() { ip_pool_t *p, *q; - iplookupop_t op; int i; - ASSERT(rw_read_locked(&ipf_global.ipf_lk) == 0); - for (i = 0; i <= IPL_LOGMAX; i++) { for (q = ip_pool_list[i]; (p = q) != NULL; ) { - op.iplo_unit = i; - (void)strncpy(op.iplo_name, p->ipo_name, - sizeof(op.iplo_name)); q = p->ipo_next; - (void) ip_pool_destroy(&op); + (void) ip_pool_destroy(i, p->ipo_name); } } @@ -307,8 +305,8 @@ iplookupop_t *op; stats.ipls_list[i] = ip_pool_list[i]; } else if (unit >= 0 && unit < IPL_LOGSIZE) { if (op->iplo_name[0] != '\0') - stats.ipls_list[unit] = ip_pool_find(unit, - op->iplo_name); + stats.ipls_list[unit] = ip_pool_exists(unit, + op->iplo_name); else stats.ipls_list[unit] = ip_pool_list[unit]; } else 
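Review bot: `ip_pool_fini` (hunk @@ -262,18 +266,12 @@) discards the result of `ip_pool_destroy(i, p->ipo_name)`, and with the reworked ip_pool_destroy a pool whose `ipo_ref` is not 1 is only cleared and flagged IPOOL_DELETE rather than freed, so at detach time such a pool, its radix head and the EBUSY signal the old code returned all disappear silently. If outstanding references are possible at fini time, either free unconditionally here (teardown is the one caller that can) or at least keep a count of pools that were not freed so the leak is visible. The loop itself is safe since `q = p->ipo_next` is read before the destroy call.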
@@ -319,16 +317,15 @@ iplookupop_t *op; } - /* ------------------------------------------------------------------------ */ -/* Function: ip_pool_find */ +/* Function: ip_pool_exists */ /* Returns: int - 0 = success, else error */ /* Parameters: ipo(I) - pointer to the pool getting the new node. */ /* */ /* Find a matching pool inside the collection of pools for a particular */ /* device, indicated by the unit number. */ /* ------------------------------------------------------------------------ */ -void *ip_pool_find(unit, name) +static void *ip_pool_exists(unit, name) int unit; char *name; { @@ -341,6 +338,29 @@ char *name; } +/* ------------------------------------------------------------------------ */ +/* Function: ip_pool_find */ +/* Returns: int - 0 = success, else error */ +/* Parameters: ipo(I) - pointer to the pool getting the new node. */ +/* */ +/* Find a matching pool inside the collection of pools for a particular */ +/* device, indicated by the unit number. If it is marked for deletion then */ +/* pretend it does not exist. */ +/* ------------------------------------------------------------------------ */ +void *ip_pool_find(unit, name) +int unit; +char *name; +{ + ip_pool_t *p; + + p = ip_pool_exists(unit, name); + if ((p != NULL) && (p->ipo_flags & IPOOL_DELETE)) + return NULL; + + return p; +} + + /* ------------------------------------------------------------------------ */ /* Function: ip_pool_findeq */ /* Returns: int - 0 = success, else error */ @@ -375,9 +395,9 @@ addrfamily_t *addr, *mask; /* */ /* Search the pool for a given address and return a search result. */ /* ------------------------------------------------------------------------ */ -int ip_pool_search(tptr, version, dptr) +int ip_pool_search(tptr, ipversion, dptr) void *tptr; -int version; +int ipversion; void *dptr; { struct radix_node *rn; 
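Review bot: The header comment of the new `ip_pool_find` (hunk @@ -341,6 +338,29 @@) was carried over from the renamed ip_pool_exists and does not describe the function: it returns `void *` (the pool, or NULL when absent or flagged IPOOL_DELETE), not an int status, and its parameters are `unit` and `name`, not `ipo`. Suggest `/* Returns: void * - pointer to the pool, NULL if none or marked IPOOL_DELETE */` and `/* Parameters: unit(I) - device unit number, name(I) - pool name */`. The same correction applies to the `ip_pool_exists` header in hunk @@ -319,16 +317,15 @@, which keeps the identical wrong Returns and Parameters text.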
@@ -397,11 +417,11 @@ void *dptr; bzero(&v, sizeof(v)); v.adf_len = offsetof(addrfamily_t, adf_addr); - if (version == 4) { + if (ipversion == 4) { v.adf_len += sizeof(addr->in4); v.adf_addr.in4 = addr->in4; #ifdef USE_INET6 - } else if (version == 6) { + } else if (ipversion == 6) { v.adf_len += sizeof(addr->in6); v.adf_addr.in6 = addr->in6; #endif @@ -445,8 +465,6 @@ int info; struct radix_node *rn; ip_pool_node_t *x; - ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0); - KMALLOC(x, ip_pool_node_t *); if (x == NULL) { return ENOMEM; @@ -475,6 +493,7 @@ int info; return ENOMEM; } + x->ipn_ref = 1; x->ipn_next = ipo->ipo_list; x->ipn_pnext = &ipo->ipo_list; if (ipo->ipo_list != NULL) @@ -498,6 +517,10 @@ int info; /* when being inserted - assume this has already been done. If the pool is */ /* marked as being anonymous, give it a new, unique, identifier. Call any */ /* other functions required to initialise the structure. */ +/* */ +/* If the structure is flagged for deletion then reset the flag and return, */ +/* as this likely means we've tried to free a pool that is in use (flush) */ +/* and now want to repopulate it with "new" data. */ /* ------------------------------------------------------------------------ */ int ip_pool_create(op) iplookupop_t *op; @@ -506,7 +529,17 @@ iplookupop_t *op; int poolnum, unit; ip_pool_t *h; - ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0); + unit = op->iplo_unit; + + if ((op->iplo_arg & LOOKUP_ANON) == 0) { + h = ip_pool_exists(unit, op->iplo_name); + if (h != NULL) { + if ((h->ipo_flags & IPOOL_DELETE) == 0) + return EEXIST; + h->ipo_flags &= ~IPOOL_DELETE; + return 0; + } + } KMALLOC(h, ip_pool_t *); if (h == NULL) 
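Review bot: `ip_pool_create` (hunk @@ -506,7 +529,17 @@) passes `unit = op->iplo_unit`, which arrives from user space, straight to `ip_pool_exists` without a range check, whereas `ip_pool_statistics` earlier in this file guards with `unit >= 0 && unit < IPL_LOGSIZE` before touching ip_pool_list. The body of ip_pool_exists is outside the hunk; unless the ioctl dispatcher validates iplo_unit before calling here, a negative or oversized unit would index ip_pool_list out of bounds. A guard at the top of the function, `if (unit < 0 || unit > IPL_LOGMAX) return EINVAL;`, matches the check ip_pool_iterderef performs later in this file.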
@@ -519,12 +552,11 @@ iplookupop_t *op; return ENOMEM; } - unit = op->iplo_unit; - - if ((op->iplo_arg & IPOOL_ANON) != 0) { + if ((op->iplo_arg & LOOKUP_ANON) != 0) { ip_pool_t *p; - poolnum = IPOOL_ANON; + h->ipo_flags |= IPOOL_ANON; + poolnum = LOOKUP_ANON; #if defined(SNPRINTF) && defined(_KERNEL) SNPRINTF(name, sizeof(name), "%x", poolnum); @@ -549,7 +581,7 @@ iplookupop_t *op; (void)strncpy(h->ipo_name, name, sizeof(h->ipo_name)); (void)strncpy(op->iplo_name, name, sizeof(op->iplo_name)); } else { - (void) strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name)); + (void)strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name)); } h->ipo_ref = 1; @@ -574,36 +606,24 @@ iplookupop_t *op; /* ipe(I) - address being deleted as a node */ /* Locks: WRITE(ip_poolrw) */ /* */ -/* Add another node to the pool given by ipo. The three parameters passed */ -/* in (addr, mask, info) shold all be stored in the node. */ +/* Remove a node from the pool given by ipo. */ /* ------------------------------------------------------------------------ */ int ip_pool_remove(ipo, ipe) ip_pool_t *ipo; ip_pool_node_t *ipe; { - ip_pool_node_t **ipp, *n; - ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0); - - for (ipp = &ipo->ipo_list; (n = *ipp) != NULL; ipp = &n->ipn_next) { - if (ipe == n) { - *n->ipn_pnext = n->ipn_next; - if (n->ipn_next) - n->ipn_next->ipn_pnext = n->ipn_pnext; - break; - } - } - - if (n == NULL) - return ENOENT; + if (ipe->ipn_pnext != NULL) + *ipe->ipn_pnext = ipe->ipn_next; + if (ipe->ipn_next != NULL) + ipe->ipn_next->ipn_pnext = ipe->ipn_pnext; RADIX_NODE_HEAD_LOCK(ipo->ipo_head); - ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask, + ipo->ipo_head->rnh_deladdr(&ipe->ipn_addr, &ipe->ipn_mask, ipo->ipo_head); RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head); - KFREE(n); - ipoolstat.ipls_nodes--; + ip_pool_node_deref(ipe); return 0; } 
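Review bot: `ip_pool_remove` (hunk @@ -574,36 +606,24 @@) no longer verifies that `ipe` is on `ipo`'s list and no longer returns ENOENT, so it now trusts the caller entirely; the header should say so, e.g. `/* ipe must belong to ipo; membership is not verified here. */`. Also, after unlinking, `ipe->ipn_next` and `ipe->ipn_pnext` still point into the list while `ip_pool_node_deref` may keep the node alive for another holder (ip_pool_getnext holds one through the iterator token and follows `node->ipn_next`); clearing them with `ipe->ipn_next = NULL; ipe->ipn_pnext = NULL;` before the deref stops a later iteration from walking from a removed node back into the list.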
@@ -616,23 +636,28 @@ ip_pool_node_t *ipe; /* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */ /* */ /* Search for a pool using paramters passed in and if it's not otherwise */ -/* busy, free it. */ +/* busy, free it. If it is busy, clear all of its nodes, mark it for being */ +/* deleted and return an error saying it is busy. */ /* */ -/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */ +/* NOTE: Because this function is called out of ipfdetach() where ip_poolrw */ /* may not be initialised, we can't use an ASSERT to enforce the locking */ /* assertion that one of the two (ip_poolrw,ipf_global) is held. */ /* ------------------------------------------------------------------------ */ -int ip_pool_destroy(op) -iplookupop_t *op; +int ip_pool_destroy(unit, name) +int unit; +char *name; { ip_pool_t *ipo; - ipo = ip_pool_find(op->iplo_unit, op->iplo_name); + ipo = ip_pool_exists(unit, name); if (ipo == NULL) return ESRCH; - if (ipo->ipo_ref != 1) - return EBUSY; + if (ipo->ipo_ref != 1) { + ip_pool_clearnodes(ipo); + ipo->ipo_flags |= IPOOL_DELETE; + return 0; + } ip_pool_free(ipo); return 0; @@ -648,7 +673,7 @@ iplookupop_t *op; /* Free all pools associated with the device that matches the unit number */ /* passed in with operation. */ /* */ -/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */ +/* NOTE: Because this function is called out of ipfdetach() where ip_poolrw */ /* may not be initialised, we can't use an ASSERT to enforce the locking */ /* assertion that one of the two (ip_poolrw,ipf_global) is held. */ /* ------------------------------------------------------------------------ */ @@ -669,7 +694,7 @@ iplookupflush_t *fp; (void)strncpy(op.iplo_name, p->ipo_name, sizeof(op.iplo_name)); q = p->ipo_next; - err = ip_pool_destroy(&op); + err = ip_pool_destroy(op.iplo_unit, op.iplo_name); if (err == 0) num++; else 
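Review bot: The updated header of `ip_pool_destroy` (hunk @@ -616,23 +636,28 @@) says a busy pool is marked for deletion and the function will "return an error saying it is busy", but the new code returns 0 in that branch, so callers such as ip_pool_flush count a deferred deletion as a completed one via `num++`. Either return EBUSY as documented or change the comment to `/* busy, clear its nodes, mark it IPOOL_DELETE and return 0; it is freed on the last ip_pool_deref. */`. In hunk @@ -669,7 +694,7 @@ the strncpy into `op.iplo_name` now exists only to feed ip_pool_destroy; passing `p->ipo_name` directly, as ip_pool_fini does, removes the copy.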
@@ -690,12 +715,36 @@ iplookupflush_t *fp; /* all of the address information stored in it, including any tree data */ /* structures also allocated. */ /* */ -/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */ +/* NOTE: Because this function is called out of ipfdetach() where ip_poolrw */ /* may not be initialised, we can't use an ASSERT to enforce the locking */ /* assertion that one of the two (ip_poolrw,ipf_global) is held. */ /* ------------------------------------------------------------------------ */ void ip_pool_free(ipo) ip_pool_t *ipo; +{ + + ip_pool_clearnodes(ipo); + + if (ipo->ipo_next != NULL) + ipo->ipo_next->ipo_pnext = ipo->ipo_pnext; + *ipo->ipo_pnext = ipo->ipo_next; + rn_freehead(ipo->ipo_head); + KFREE(ipo); + + ipoolstat.ipls_pools--; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ip_pool_clearnodes */ +/* Returns: void */ +/* Parameters: ipo(I) - pointer to pool structure */ +/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */ +/* */ +/* Deletes all nodes stored in a pool structure. */ +/* ------------------------------------------------------------------------ */ +static void ip_pool_clearnodes(ipo) +ip_pool_t *ipo; { ip_pool_node_t *n; @@ -715,13 +764,6 @@ ip_pool_t *ipo; RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head); ipo->ipo_list = NULL; - if (ipo->ipo_next != NULL) - ipo->ipo_next->ipo_pnext = ipo->ipo_pnext; - *ipo->ipo_pnext = ipo->ipo_next; - rn_freehead(ipo->ipo_head); - KFREE(ipo); - - ipoolstat.ipls_pools--; } 
@@ -738,11 +780,178 @@ void ip_pool_deref(ipo) ip_pool_t *ipo; { - ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0); - ipo->ipo_ref--; + if (ipo->ipo_ref == 0) ip_pool_free(ipo); + + else if ((ipo->ipo_ref == 1) && (ipo->ipo_flags & IPOOL_DELETE)) + ip_pool_destroy(ipo->ipo_unit, ipo->ipo_name); +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ip_pool_node_deref */ +/* Returns: void */ +/* Parameters: ipn(I) - pointer to pool structure */ +/* Locks: WRITE(ip_poolrw) */ +/* */ +/* Drop a reference to the pool node passed in and if we're the last, free */ +/* it all up and adjust the stats accordingly. */ +/* ------------------------------------------------------------------------ */ +void ip_pool_node_deref(ipn) +ip_pool_node_t *ipn; +{ + + ipn->ipn_ref--; + + if (ipn->ipn_ref == 0) { + KFREE(ipn); + ipoolstat.ipls_nodes--; + } +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ip_pool_getnext */ +/* Returns: void */ +/* Parameters: token(I) - pointer to pool structure */ +/* Parameters: ilp(IO) - pointer to pool iterating structure */ +/* */ +/* ------------------------------------------------------------------------ */ +int ip_pool_getnext(token, ilp) +ipftoken_t *token; +ipflookupiter_t *ilp; +{ + ip_pool_node_t *node, zn, *nextnode; + ip_pool_t *ipo, zp, *nextipo; + int err; + + err = 0; + node = NULL; + nextnode = NULL; + ipo = NULL; + nextipo = NULL; + + READ_ENTER(&ip_poolrw); + + switch (ilp->ili_otype) + { + case IPFLOOKUPITER_LIST : + ipo = token->ipt_data; + if (ipo == NULL) { + nextipo = ip_pool_list[(int)ilp->ili_unit]; + } else { + nextipo = ipo->ipo_next; + } + + if (nextipo != NULL) { + ATOMIC_INC(nextipo->ipo_ref); + token->ipt_data = nextipo; + } else { + bzero((char *)&zp, sizeof(zp)); + nextipo = &zp; + token->ipt_data = NULL; + } + break; + + case IPFLOOKUPITER_NODE : + node = token->ipt_data; + if (node == NULL) { + ipo = 
ip_pool_exists(ilp->ili_unit, ilp->ili_name); + if (ipo == NULL) + err = ESRCH; + else { + nextnode = ipo->ipo_list; + ipo = NULL; + } + } else { + nextnode = node->ipn_next; + } + + if (nextnode != NULL) { + ATOMIC_INC(nextnode->ipn_ref); + token->ipt_data = nextnode; + } else { + bzero((char *)&zn, sizeof(zn)); + nextnode = &zn; + token->ipt_data = NULL; + } + break; + default : + err = EINVAL; + break; + } + + RWLOCK_EXIT(&ip_poolrw); + + if (err != 0) + return err; + + switch (ilp->ili_otype) + { + case IPFLOOKUPITER_LIST : + if (ipo != NULL) { + WRITE_ENTER(&ip_poolrw); + ip_pool_deref(ipo); + RWLOCK_EXIT(&ip_poolrw); + } + err = COPYOUT(nextipo, ilp->ili_data, sizeof(*nextipo)); + if (err != 0) + err = EFAULT; + break; + + case IPFLOOKUPITER_NODE : + if (node != NULL) { + WRITE_ENTER(&ip_poolrw); + ip_pool_node_deref(node); + RWLOCK_EXIT(&ip_poolrw); + } + err = COPYOUT(nextnode, ilp->ili_data, sizeof(*nextnode)); + if (err != 0) + err = EFAULT; + break; + } + + return err; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: ip_pool_iterderef */ +/* Returns: void */ +/* Parameters: ipn(I) - pointer to pool structure */ +/* Locks: WRITE(ip_poolrw) */ +/* */ +/* ------------------------------------------------------------------------ */ +void ip_pool_iterderef(otype, unit, data) +u_int otype; +int unit; +void *data; +{ + + if (data == NULL) + return; + + if (unit < 0 || unit > IPL_LOGMAX) + return; + + switch (otype) + { + case IPFLOOKUPITER_LIST : + WRITE_ENTER(&ip_poolrw); + ip_pool_deref((ip_pool_t *)data); + RWLOCK_EXIT(&ip_poolrw); + break; + + case IPFLOOKUPITER_NODE : + WRITE_ENTER(&ip_poolrw); + ip_pool_node_deref((ip_pool_node_t *)data); + RWLOCK_EXIT(&ip_poolrw); + break; + default : + break; + } } @@ -780,5 +989,4 @@ rn_freehead(rnh) Free(rnh); } # endif - #endif /* IPFILTER_LOOKUP */ 
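Review bot: `ip_pool_getnext` (hunk @@ -738,11 +780,178 @@) indexes `ip_pool_list[(int)ilp->ili_unit]` and hands `ili_unit` to ip_pool_exists with no range check, while `ip_pool_iterderef` directly below rejects `unit < 0 || unit > IPL_LOGMAX`; ilp is filled from the user's ioctl request (its copy-in is not in this hunk), so unless the dispatcher validates it first an out-of-range unit reads past the array. Add the same guard before READ_ENTER: `if (ilp->ili_unit < 0 || ilp->ili_unit > IPL_LOGMAX) return EINVAL;`. The `ili_name` passed to ip_pool_exists in the NODE case is likewise user data whose termination is not established here. The second switch has no `default`, which is harmless because err != 0 already returned, but a `default: break;` keeps it consistent with the first switch.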
diff --git a/sys/contrib/ipfilter/netinet/ip_pool.h b/sys/contrib/ipfilter/netinet/ip_pool.h index 3731fe964bcb..9968ef012f5b 100644 --- a/sys/contrib/ipfilter/netinet/ip_pool.h +++ b/sys/contrib/ipfilter/netinet/ip_pool.h @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_pool.h,v 2.26.2.3 2005/06/12 07:18:27 darrenr Exp $ + * $Id: ip_pool.h,v 2.26.2.6 2007/10/10 09:51:43 darrenr Exp $ */ #ifndef __IP_POOL_H__ @@ -16,7 +16,7 @@ extern void rn_freehead __P((struct radix_node_head *)); # define FreeS(p, z) KFREES(p, z) extern int max_keylen; #else -# if defined(__osf__) || defined(__hpux) +# if defined(__osf__) || defined(__hpux) || defined(sun) # include "radix_ipf_local.h" # define radix_mask ipf_radix_mask # define radix_node ipf_radix_node @@ -35,8 +35,9 @@ typedef struct ip_pool_node { addrfamily_t ipn_addr; addrfamily_t ipn_mask; int ipn_info; - char ipn_name[FR_GROUPLEN]; - u_long ipn_hits; + int ipn_ref; +char ipn_name[FR_GROUPLEN]; +u_long ipn_hits; struct ip_pool_node *ipn_next, **ipn_pnext; } ip_pool_node_t; @@ -53,7 +54,8 @@ typedef struct ip_pool_s { char ipo_name[FR_GROUPLEN]; } ip_pool_t; -#define IPOOL_ANON 0x80000000 +#define IPOOL_DELETE 0x01 +#define IPOOL_ANON 0x02 typedef struct ip_pool_stat { 
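Review bot: In hunk @@ -35,8 +35,9 @@ the re-added `char ipn_name[FR_GROUPLEN];` and `u_long ipn_hits;` lines sit at column 0 inside `struct ip_pool_node`, unlike every other member, so the struct body is no longer consistently indented; restore the leading tab on both. The new `int ipn_ref;` would also benefit from a short comment like its neighbours, e.g. `int ipn_ref; /* 1 for the list, +1 per iterator holding it */`, since ip_pool_insert sets it to 1 and ip_pool_getnext increments it.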
@@ -73,13 +75,16 @@ extern void ip_pool_fini __P((void)); extern int ip_pool_create __P((iplookupop_t *)); extern int ip_pool_insert __P((ip_pool_t *, i6addr_t *, i6addr_t *, int)); extern int ip_pool_remove __P((ip_pool_t *, ip_pool_node_t *)); -extern int ip_pool_destroy __P((iplookupop_t *)); +extern int ip_pool_destroy __P((int, char *)); extern void ip_pool_free __P((ip_pool_t *)); extern void ip_pool_deref __P((ip_pool_t *)); +extern void ip_pool_node_deref __P((ip_pool_node_t *)); extern void *ip_pool_find __P((int, char *)); extern ip_pool_node_t *ip_pool_findeq __P((ip_pool_t *, addrfamily_t *, addrfamily_t *)); extern int ip_pool_flush __P((iplookupflush_t *)); extern int ip_pool_statistics __P((iplookupop_t *)); +extern int ip_pool_getnext __P((ipftoken_t *, ipflookupiter_t *)); +extern void ip_pool_iterderef __P((u_int, int, void *)); #endif /* __IP_POOL_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c b/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c index 2ef2e17dc5dc..3924d4b829ed 100644 --- a/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_pptp_pxy.c @@ -4,7 +4,7 @@ * Simple PPTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_pptp_pxy.c,v 2.10.2.13 2006/03/17 10:40:05 darrenr Exp $ + * $Id: ip_pptp_pxy.c,v 2.10.2.15 2006/10/31 12:11:23 darrenr Exp $ * */ #define IPF_PPTP_PROXY @@ -78,6 +78,9 @@ void ippr_pptp_fini() /* * Setup for a new PPTP proxy. + * + * NOTE: The printf's are broken up with %s in them to prevent them being + * optimised into puts statements on FreeBSD (this doesn't exist in the kernel) */ int ippr_pptp_new(fin, aps, nat) fr_info_t *fin; @@ -220,7 +223,7 @@ pptp_pxy_t *pptp; pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state, 0); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_p = p; return; 
diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index eb84cd191ea6..b0490a1303e2 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -104,7 +104,7 @@ struct file; /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.16 2006/03/29 11:19:56 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.21 2007/06/02 21:22:28 darrenr Exp $"; #endif static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); @@ -122,7 +122,7 @@ aproxy_t *ap_proxylist = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini, - ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL }, + ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL, NULL }, #endif #ifdef IPF_IRC_PROXY { NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini, @@ -156,9 +156,9 @@ aproxy_t ap_proxies[] = { #endif #ifdef IPF_H323_PROXY { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini, - ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL }, + ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL, NULL }, { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL, - ippr_h245_new, NULL, NULL, ippr_h245_out, NULL }, + ippr_h245_new, NULL, NULL, ippr_h245_out, NULL, NULL }, #endif #ifdef IPF_RPCB_PROXY # if 0 @@ -170,7 +170,7 @@ aproxy_t ap_proxies[] = { ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del, ippr_rpcb_in, ippr_rpcb_out, NULL, NULL }, #endif - { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL } + { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL } }; /* @@ -192,7 +192,7 @@ aproxy_t *ap; return -1; } - for (a = ap_proxylist; a->apr_p; a = a->apr_next) + for (a = ap_proxylist; (a != NULL); a = a->apr_next) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, sizeof(ap->apr_label))) { 
@@ -289,13 +289,14 @@ ipnat_t *nat; } -int appr_ioctl(data, cmd, mode) +int appr_ioctl(data, cmd, mode, ctx) caddr_t data; ioctlcmd_t cmd; int mode; +void *ctx; { ap_ctl_t ctl; - caddr_t ptr; + u_char *ptr; int error; mode = mode; /* LINT */ @@ -303,11 +304,13 @@ int mode; switch (cmd) { case SIOCPROXY : - BCOPYIN(data, &ctl, sizeof(ctl)); + error = BCOPYIN(data, &ctl, sizeof(ctl)); + if (error != 0) + return EFAULT; ptr = NULL; if (ctl.apc_dsize > 0) { - KMALLOCS(ptr, caddr_t, ctl.apc_dsize); + KMALLOCS(ptr, u_char *, ctl.apc_dsize); if (ptr == NULL) error = ENOMEM; else { @@ -814,7 +817,7 @@ int inc; if (ipf_proxy_debug > 8) printf("appr_fixseqack: seq %x ack %x\n", - ntohl(tcp->th_seq), ntohl(tcp->th_ack)); + (u_32_t)ntohl(tcp->th_seq), (u_32_t)ntohl(tcp->th_ack)); return ch ? 2 : 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.h b/sys/contrib/ipfilter/netinet/ip_proxy.h index 71c1b816cbc1..ecddc2917cad 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.h +++ b/sys/contrib/ipfilter/netinet/ip_proxy.h @@ -6,7 +6,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * $FreeBSD$ - * Id: ip_proxy.h,v 2.31.2.2 2005/03/12 19:33:48 darrenr Exp + * Id: ip_proxy.h,v 2.31.2.5 2007/04/16 21:06:52 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -443,6 +443,7 @@ extern ap_session_t *ap_sess_tab[AP_SESS_SIZE]; extern ap_session_t *ap_sess_list; extern aproxy_t ap_proxies[]; extern int ippr_ftp_pasvonly; +extern int ipf_proxy_debug; extern int appr_add __P((aproxy_t *)); extern int appr_ctl __P((ap_ctl_t *)); @@ -456,6 +457,6 @@ extern void aps_free __P((ap_session_t *)); extern int appr_check __P((fr_info_t *, struct nat *)); extern aproxy_t *appr_lookup __P((u_int, char *)); extern int appr_new __P((fr_info_t *, struct nat *)); -extern int appr_ioctl __P((caddr_t, ioctlcmd_t, int)); +extern int appr_ioctl __P((caddr_t, ioctlcmd_t, int, void *)); #endif /* __IP_PROXY_H__ */ 
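Review bot: In `appr_ioctl` (hunk @@ -303,11 +304,13 @@) `ctl.apc_dsize` comes straight from the copied-in user request and reaches `KMALLOCS` with only a `> 0` check, so a very large value forces a correspondingly large kernel allocation; the rest of the function, where the data is copied in, is outside the hunk. Bounding it before the allocation, `if (ctl.apc_dsize > APC_DSIZE_MAX) return EINVAL;` with APC_DSIZE_MAX a placeholder for whatever the proxy control payloads actually need, closes that. The new `ctx` parameter is not referenced in the visible lines; if it only exists to match the other ioctl handlers' signatures, a `ctx = ctx; /* LINT */` beside the existing `mode = mode;` line keeps the file's convention.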
diff --git a/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c b/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c index 607fd742f537..2729dc6725b0 100644 --- a/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c @@ -6,7 +6,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_raudio_pxy.c,v 1.40.2.3 2005/02/04 10:22:55 darrenr Exp $ + * $Id: ip_raudio_pxy.c,v 1.40.2.4 2006/07/14 06:12:17 darrenr Exp $ */ #define IPF_RAUDIO_PROXY @@ -307,7 +307,7 @@ nat_t *nat; (void) fr_addstate(&fi, NULL, (sp ? 0 : SI_W_SPORT)); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } } @@ -327,7 +327,7 @@ nat_t *nat; (void) fr_addstate(&fi, NULL, SI_W_DPORT); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } } diff --git a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c index c0d755a1f481..dc92bf546845 100644 --- a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c @@ -5,7 +5,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_rcmd_pxy.c,v 1.41.2.6 2006/04/01 10:14:54 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.41.2.7 2006/07/14 06:12:18 darrenr Exp $ * * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. @@ -207,7 +207,7 @@ nat_t *nat; } (void) fr_addstate(&fi, NULL, SI_W_DPORT); if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } ip->ip_len = slen; ip->ip_src = swip; diff --git a/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c b/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c index 112e4da8e5ca..da76fde4d155 100644 --- a/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c 
@@ -37,7 +37,7 @@ * o The enclosed hack of STREAMS support is pretty sick and most likely * broken. * - * $Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp $ + * $Id: ip_rpcb_pxy.c,v 2.25.2.7 2007/06/04 09:16:31 darrenr Exp $ */ #define IPF_RPCB_PROXY @@ -290,6 +290,7 @@ ippr_rpcb_out(fin, aps, nat) /* Perform basic variable initialization. */ rs = (rpcb_session_t *)aps->aps_data; + rx = NULL; m = fin->fin_m; off = (char *)fin->fin_dp - (char *)fin->fin_ip; @@ -307,6 +308,8 @@ ippr_rpcb_out(fin, aps, nat) COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf); rm->rm_buflen = dlen; + rx = NULL; /* XXX gcc */ + /* Send off to decode reply. */ rv = ippr_rpcb_decoderep(fin, nat, rs, rm, &rx); @@ -1156,6 +1159,8 @@ ippr_rpcb_getnat(fin, nat, proto, port) /* Generate dummy fr_info */ bcopy((char *)fin, (char *)&fi, sizeof(fi)); + fi.fin_state = NULL; + fi.fin_nat = NULL; fi.fin_out = 0; fi.fin_src = fin->fin_dst; fi.fin_dst = nat->nat_outip; @@ -1191,8 +1196,9 @@ ippr_rpcb_getnat(fin, nat, proto, port) * no use for this lock, so simply unlock it if necessary. */ is = fr_stlookup(&fi, &tcp, NULL); - if (is != NULL) + if (is != NULL) { RWLOCK_EXIT(&ipf_state); + } RWLOCK_EXIT(&ipf_nat); @@ -1271,7 +1277,7 @@ ippr_rpcb_getnat(fin, nat, proto, port) return(-1); } if (fi.fin_state != NULL) - fr_statederef(&fi, (ipstate_t **)&fi.fin_state); + fr_statederef((ipstate_t **)&fi.fin_state); } return(0); diff --git a/sys/contrib/ipfilter/netinet/ip_scan.c b/sys/contrib/ipfilter/netinet/ip_scan.c index 13a5a60210e1..54acb2aa4297 100644 --- a/sys/contrib/ipfilter/netinet/ip_scan.c +++ b/sys/contrib/ipfilter/netinet/ip_scan.c 
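Review bot: `rx = NULL;` is now assigned twice in ippr_rpcb_out, once in the initialization block (hunk at @@ -290) and again with `/* XXX gcc */` just before the ippr_rpcb_decoderep call (hunk at @@ -307); the second is dead given the first, so either drop one or make the XXX comment say which warning it silences. The lines in ippr_rpcb_getnat that clear `fi.fin_state` and `fi.fin_nat` after the bcopy of `*fin` would read better with a one-line reason, e.g. `/* do not inherit the caller's state/nat references into the dummy fin */`. Both ippr_rpcb_out and ippr_rpcb_getnat start outside these hunks.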
@@ -58,7 +58,7 @@ struct file; #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.6 2006/03/26 23:06:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.10 2007/06/02 21:22:28 darrenr Exp $"; #endif #ifdef IPFILTER_SCAN /* endif at bottom of file */ @@ -115,8 +115,10 @@ caddr_t data; return ENOMEM; err = copyinptr(data, isc, sizeof(*isc)); - if (err) + if (err) { + KFREE(isc); return err; + } WRITE_ENTER(&ipsc_rwlock); @@ -230,20 +232,17 @@ struct ipstate *is; fr = is->is_rule; if (fr) { i = fr->fr_isc; - if (!i || (i != (ipscan_t *)-1)) { + if ((i != NULL) && (i != (ipscan_t *)-1)) { is->is_isc = i; - if (i) { - ATOMIC_INC32(i->ipsc_sref); - if (i->ipsc_clen) - is->is_flags |= IS_SC_CLIENT; - else - is->is_flags |= IS_SC_MATCHC; - if (i->ipsc_slen) - is->is_flags |= IS_SC_SERVER; - else - is->is_flags |= IS_SC_MATCHS; - } else - is->is_flags |= (IS_SC_CLIENT|IS_SC_SERVER); + ATOMIC_INC32(i->ipsc_sref); + if (i->ipsc_clen) + is->is_flags |= IS_SC_CLIENT; + else + is->is_flags |= IS_SC_MATCHC; + if (i->ipsc_slen) + is->is_flags |= IS_SC_SERVER; + else + is->is_flags |= IS_SC_MATCHS; } } RWLOCK_EXIT(&ipsc_rwlock); @@ -568,10 +567,11 @@ ipstate_t *is; } -int fr_scan_ioctl(data, cmd, mode) +int fr_scan_ioctl(data, cmd, mode, uid, ctx) caddr_t data; ioctlcmd_t cmd; -int mode; +int mode, uid; +void *ctx; { ipscanstat_t ipscs; int err = 0; @@ -587,7 +587,9 @@ int mode; case SIOCGSCST : bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs)); ipscs.iscs_list = ipsc_list; - BCOPYOUT(&ipscs, data, sizeof(ipscs)); + err = BCOPYOUT(&ipscs, data, sizeof(ipscs)); + if (err != 0) + err = EFAULT; break; default : err = EINVAL; diff --git a/sys/contrib/ipfilter/netinet/ip_scan.h b/sys/contrib/ipfilter/netinet/ip_scan.h index d85745378b81..4772d28c012b 100644 --- a/sys/contrib/ipfilter/netinet/ip_scan.h +++ b/sys/contrib/ipfilter/netinet/ip_scan.h 
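Review bot: In the SIOCGSCST case of fr_scan_ioctl, `ipscs.iscs_list = ipsc_list` copies the kernel address of the scan list head to user space along with the statistics; if the ipf device is reachable by non-root users this discloses a kernel address, and even for root it deserves a comment stating the pointer exists only for kmem-based readers. The new `uid` and `ctx` parameters are not referenced in the visible part of fr_scan_ioctl, so a `(void)uid; (void)ctx;` or a comment noting they exist for interface uniformity would avoid unused-parameter warnings. fr_scan_ioctl's body continues outside the hunk.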
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_scan.h,v 2.9.2.1 2005/06/12 07:18:29 darrenr Exp $ + * $Id: ip_scan.h,v 2.9.2.2 2006/07/14 06:12:19 darrenr Exp $ */ #ifndef __IP_SCAN_H__ @@ -94,7 +94,7 @@ typedef struct ipscanstat { } ipscanstat_t; -extern int fr_scan_ioctl __P((caddr_t, ioctlcmd_t, int)); +extern int fr_scan_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *)); extern int ipsc_init __P((void)); extern int ipsc_attachis __P((struct ipstate *)); extern int ipsc_attachfr __P((struct frentry *)); diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 5a877a616c27..aa9192afee13 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -17,7 +17,11 @@ #include #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ defined(_KERNEL) -# include "opt_ipfilter_log.h" +# if (__NetBSD_Version__ < 399001400) +# include "opt_ipfilter_log.h" +# else +# include "opt_ipfilter.h" +# endif #endif #if defined(_KERNEL) && defined(__FreeBSD_version) && \ (__FreeBSD_version >= 400000) && !defined(KLD_MODULE) @@ -109,7 +113,7 @@ struct file; #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.41 2006/04/01 10:16:28 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.80 2007/10/16 09:33:23 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; 
@@ -125,8 +129,9 @@ static ipstate_t *fr_matchsrcdst __P((fr_info_t *, ipstate_t *, i6addr_t *, i6addr_t *, tcphdr_t *, u_32_t)); static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *)); static int fr_state_flush __P((int, int)); +static int fr_state_flush_entry __P((void *)); static ips_stat_t *fr_statetstats __P((void)); -static void fr_delstate __P((ipstate_t *, int)); +static int fr_delstate __P((ipstate_t *, int)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t *, u_int)); static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *)); @@ -135,6 +140,8 @@ static ipstate_t *fr_stclone __P((fr_info_t *, tcphdr_t *, ipstate_t *)); static void fr_fixinisn __P((fr_info_t *, ipstate_t *)); static void fr_fixoutisn __P((fr_info_t *, ipstate_t *)); static void fr_checknewisn __P((fr_info_t *, ipstate_t *)); +static int fr_stateiter __P((ipftoken_t *, ipfgeniter_t *)); +static int fr_stgettable __P((char *)); int fr_stputent __P((caddr_t)); int fr_stgetent __P((caddr_t)); @@ -145,9 +152,10 @@ int fr_stgetent __P((caddr_t)); u_long fr_tcpidletimeout = FIVE_DAYS, fr_tcpclosewait = IPF_TTLVAL(2 * TCP_MSL), - fr_tcplastack = IPF_TTLVAL(2 * TCP_MSL), + fr_tcplastack = IPF_TTLVAL(30), fr_tcptimeout = IPF_TTLVAL(2 * TCP_MSL), - fr_tcpclosed = IPF_TTLVAL(60), + fr_tcptimewait = IPF_TTLVAL(2 * TCP_MSL), + fr_tcpclosed = IPF_TTLVAL(30), fr_tcphalfclosed = IPF_TTLVAL(2 * 3600), /* 2 hours */ fr_udptimeout = IPF_TTLVAL(120), fr_udpacktimeout = IPF_TTLVAL(12), @@ -167,6 +175,7 @@ ipftq_t ips_tqtqb[IPF_TCP_NSTATES], ips_iptq, ips_icmptq, ips_icmpacktq, + ips_deletetq, *ips_utqe = NULL; #ifdef IPFILTER_LOG int ipstate_logging = 1; @@ -241,6 +250,7 @@ int fr_stateinit() fr_state_maxbucket *= 2; } + ips_stats.iss_tcptab = ips_tqtqb; fr_sttab_init(ips_tqtqb); ips_tqtqb[IPF_TCP_NSTATES - 1].ifq_next = &ips_udptq; ips_udptq.ifq_ttl = (u_long)fr_udptimeout; 
@@ -272,7 +282,13 @@ int fr_stateinit() ips_iptq.ifq_head = NULL; ips_iptq.ifq_tail = &ips_iptq.ifq_head; MUTEX_INIT(&ips_iptq.ifq_lock, "ipftq ip tab"); - ips_iptq.ifq_next = NULL; + ips_iptq.ifq_next = &ips_deletetq; + ips_deletetq.ifq_ttl = (u_long)1; + ips_deletetq.ifq_ref = 1; + ips_deletetq.ifq_head = NULL; + ips_deletetq.ifq_tail = &ips_deletetq.ifq_head; + MUTEX_INIT(&ips_deletetq.ifq_lock, "state delete queue"); + ips_deletetq.ifq_next = NULL; RWLOCK_INIT(&ipf_state, "ipf IP state rwlock"); MUTEX_INIT(&ipf_stinsert, "ipf state insert mutex"); @@ -297,7 +313,7 @@ void fr_stateunload() ipstate_t *is; while ((is = ips_list) != NULL) - fr_delstate(is, 0); + fr_delstate(is, ISL_UNLOAD); /* * Proxy timeout queues are not cleaned here because although they @@ -323,6 +339,7 @@ void fr_stateunload() MUTEX_DESTROY(&ips_udpacktq.ifq_lock); MUTEX_DESTROY(&ips_icmpacktq.ifq_lock); MUTEX_DESTROY(&ips_iptq.ifq_lock); + MUTEX_DESTROY(&ips_deletetq.ifq_lock); } if (ips_table != NULL) { @@ -416,12 +433,14 @@ caddr_t data; /* */ /* Processes an ioctl call made to operate on the IP Filter state device. */ /* ------------------------------------------------------------------------ */ -int fr_state_ioctl(data, cmd, mode) +int fr_state_ioctl(data, cmd, mode, uid, ctx) caddr_t data; ioctlcmd_t cmd; -int mode; +int mode, uid; +void *ctx; { int arg, ret, error = 0; + SPL_INT(s); switch (cmd) { 
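Review bot: The `while ((is = ips_list) != NULL) fr_delstate(is, ISL_UNLOAD);` loop in fr_stateunload relies on fr_delstate unlinking the head of ips_list, but with this commit fr_delstate (hunk at @@ -2829) only unlinks once `is_ref` has dropped to 1 and otherwise decrements and returns, so the loop re-calls it on the same head entry until references held elsewhere have been stripped and the entry freed. That may be acceptable at unload, but it should be stated, e.g. `/* repeated calls drop any outstanding references; nothing else may hold one at unload */`, or the return value checked. fr_stateunload continues outside the hunk.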
@@ -431,29 +450,37 @@ int mode; case SIOCDELST : error = fr_state_remove(data); break; + /* * Flush the state table */ case SIOCIPFFL : - BCOPYIN(data, (char *)&arg, sizeof(arg)); - if (arg == 0 || arg == 1) { + error = BCOPYIN(data, (char *)&arg, sizeof(arg)); + if (error != 0) { + error = EFAULT; + } else { WRITE_ENTER(&ipf_state); ret = fr_state_flush(arg, 4); RWLOCK_EXIT(&ipf_state); - BCOPYOUT((char *)&ret, data, sizeof(ret)); - } else - error = EINVAL; + error = BCOPYOUT((char *)&ret, data, sizeof(ret)); + if (error != 0) + error = EFAULT; + } break; + #ifdef USE_INET6 case SIOCIPFL6 : - BCOPYIN(data, (char *)&arg, sizeof(arg)); - if (arg == 0 || arg == 1) { + error = BCOPYIN(data, (char *)&arg, sizeof(arg)); + if (error != 0) { + error = EFAULT; + } else { WRITE_ENTER(&ipf_state); ret = fr_state_flush(arg, 6); RWLOCK_EXIT(&ipf_state); - BCOPYOUT((char *)&ret, data, sizeof(ret)); - } else - error = EINVAL; + error = BCOPYOUT((char *)&ret, data, sizeof(ret)); + if (error != 0) + error = EFAULT; + } break; #endif #ifdef IPFILTER_LOG @@ -467,9 +494,12 @@ int mode; int tmp; tmp = ipflog_clear(IPL_LOGSTATE); - BCOPYOUT((char *)&tmp, data, sizeof(tmp)); + error = BCOPYOUT((char *)&tmp, data, sizeof(tmp)); + if (error != 0) + error = EFAULT; } break; + /* * Turn logging of state information on/off. */ 
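Review bot: The SIOCIPFFL and SIOCIPFL6 cases drop the `arg == 0 || arg == 1` validation, so any integer reaches fr_state_flush; its switch (hunk at @@ -2953) handles the new values but treats unsupported ones (for example 3, 4 or 12 to 29) as a silent no-op returning 0, where the old code returned EINVAL. Either reinstate an explicit validity check here or have fr_state_flush return a distinguishable result for unknown `which`, and list the accepted values in a comment next to the case label. The two cases are now identical apart from the 4/6 argument, so a small static helper taking the address family would remove the duplication. fr_state_ioctl continues beyond the hunk on both sides.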
@@ -477,31 +507,41 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else { - BCOPYIN((char *)data, (char *)&ipstate_logging, - sizeof(ipstate_logging)); + error = BCOPYIN((char *)data, (char *)&ipstate_logging, + sizeof(ipstate_logging)); + if (error != 0) + error = EFAULT; } break; + /* * Return the current state of logging. */ case SIOCGETLG : - BCOPYOUT((char *)&ipstate_logging, (char *)data, - sizeof(ipstate_logging)); + error = BCOPYOUT((char *)&ipstate_logging, (char *)data, + sizeof(ipstate_logging)); + if (error != 0) + error = EFAULT; break; + /* * Return the number of bytes currently waiting to be read. */ case FIONREAD : arg = iplused[IPL_LOGSTATE]; /* returned in an int */ - BCOPYOUT((char *)&arg, data, sizeof(arg)); + error = BCOPYOUT((char *)&arg, data, sizeof(arg)); + if (error != 0) + error = EFAULT; break; #endif + /* * Get the current state statistics. */ case SIOCGETFS : error = fr_outobj(data, fr_statetstats(), IPFOBJ_STATESTAT); break; + /* * Lock/Unlock the state table. (Locking prevents any changes, which * means no packets match). @@ -510,9 +550,10 @@ int mode; if (!(mode & FWRITE)) { error = EPERM; } else { - fr_lock(data, &fr_state_lock); + error = fr_lock(data, &fr_state_lock); } break; + /* * Add an entry to the current state table. */ @@ -523,6 +564,7 @@ int mode; } error = fr_stputent(data); break; + /* * Get a state table entry. */ 
@@ -533,6 +575,56 @@ int mode; } error = fr_stgetent(data); break; + + /* + * Return a copy of the hash table bucket lengths + */ + case SIOCSTAT1 : + error = BCOPYOUT(ips_stats.iss_bucketlen, data, + fr_statesize * sizeof(u_long)); + if (error != 0) + error = EFAULT; + break; + + case SIOCGENITER : + { + ipftoken_t *token; + ipfgeniter_t iter; + + error = fr_inobj(data, &iter, IPFOBJ_GENITER); + if (error != 0) + break; + + SPL_SCHED(s); + token = ipf_findtoken(IPFGENITER_STATE, uid, ctx); + if (token != NULL) + error = fr_stateiter(token, &iter); + else + error = ESRCH; + RWLOCK_EXIT(&ipf_tokens); + SPL_X(s); + break; + } + + case SIOCGTABL : + error = fr_stgettable(data); + break; + + case SIOCIPFDELTOK : + error = BCOPYIN(data, (char *)&arg, sizeof(arg)); + if (error != 0) { + error = EFAULT; + } else { + SPL_SCHED(s); + error = ipf_deltoken(arg, uid, ctx); + SPL_X(s); + } + break; + + case SIOCGTQTAB : + error = fr_outobj(data, ips_tqtqb, IPFOBJ_STATETQTAB); + break; + default : error = EINVAL; break; @@ -560,13 +652,15 @@ caddr_t data; int error; error = fr_inobj(data, &ips, IPFOBJ_STATESAVE); - if (error) - return EFAULT; + if (error != 0) + return error; + READ_ENTER(&ipf_state); isn = ips.ips_next; if (isn == NULL) { isn = ips_list; if (isn == NULL) { + RWLOCK_EXIT(&ipf_state); if (ips.ips_next == NULL) return ENOENT; return 0; @@ -580,8 +674,10 @@ caddr_t data; for (is = ips_list; is; is = is->is_next) if (is == isn) break; - if (!is) + if (is == NULL) { + RWLOCK_EXIT(&ipf_state); return ESRCH; + } } ips.ips_next = isn->is_next; bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is)); @@ -589,10 +685,9 @@ caddr_t data; if (isn->is_rule != NULL) bcopy((char *)isn->is_rule, (char *)&ips.ips_fr, sizeof(ips.ips_fr)); + RWLOCK_EXIT(&ipf_state); error = fr_outobj(data, &ips, IPFOBJ_STATESAVE); - if (error) - return EFAULT; - return 0; + return error; } 
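Review bot: In the SIOCGENITER case, `RWLOCK_EXIT(&ipf_tokens)` runs unconditionally after `ipf_findtoken()`, including when it returned NULL; that is correct only if ipf_findtoken always returns with ipf_tokens held, which is not visible here and should be stated, e.g. `/* ipf_findtoken() returns with ipf_tokens read-held, even when no token is found */`. The SIOCSTAT1 case copies `fr_statesize * sizeof(u_long)` bytes to the user buffer with no length supplied by the caller, so the sizing contract (buffer sized from the statistics object first) should be recorded in a comment. fr_state_ioctl and fr_stgetent both extend outside these hunks.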
@@ -672,7 +767,8 @@ caddr_t data; fr->fr_data = NULL; fr->fr_type = FR_T_NONE; - fr_resolvedest(&fr->fr_tif, fr->fr_v); + fr_resolvedest(&fr->fr_tifs[0], fr->fr_v); + fr_resolvedest(&fr->fr_tifs[1], fr->fr_v); fr_resolvedest(&fr->fr_dif, fr->fr_v); /* @@ -821,7 +917,6 @@ u_int flags; frentry_t *fr; tcphdr_t *tcp; grehdr_t *gre; - void *ifp; int out; if (fr_state_lock || @@ -843,7 +938,7 @@ u_int flags; */ fr = fin->fin_fr; if (fr != NULL) { - if ((ips_num == fr_statemax) && (fr->fr_statemax == 0)) { + if ((ips_num >= fr_statemax) && (fr->fr_statemax == 0)) { ATOMIC_INCL(ips_stats.iss_max); fr_state_doflush = 1; return NULL; @@ -851,7 +946,6 @@ u_int flags; if ((fr->fr_statemax != 0) && (fr->fr_statecnt >= fr->fr_statemax)) { ATOMIC_INCL(ips_stats.iss_maxref); - fr_state_doflush = 1; return NULL; } } @@ -902,6 +996,16 @@ u_int flags; hv += is->is_src.i6[3]; } #endif + if ((fin->fin_v == 4) && + (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) { + if (fin->fin_out == 0) { + flags |= SI_W_DADDR|SI_CLONE; + hv -= is->is_daddr; + } else { + flags |= SI_W_SADDR|SI_CLONE; + hv -= is->is_saddr; + } + } switch (is->is_p) { 
@@ -1086,30 +1190,43 @@ u_int flags; is->is_tag = fr->fr_logtag; - is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1]; - is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2]; - is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3]; + /* + * The name '-' is special for network interfaces and causes + * a NULL name to be present, always, allowing packets to + * match it, regardless of their interface. + */ + if ((fin->fin_ifp == NULL) || + (fr->fr_ifnames[out << 1][0] == '-' && + fr->fr_ifnames[out << 1][1] == '\0')) { + is->is_ifp[out << 1] = fr->fr_ifas[0]; + strncpy(is->is_ifname[out << 1], fr->fr_ifnames[0], + sizeof(fr->fr_ifnames[0])); + } else { + is->is_ifp[out << 1] = fin->fin_ifp; + COPYIFNAME(is->is_v, fin->fin_ifp, + is->is_ifname[out << 1]); + } - if (((ifp = fr->fr_ifas[1]) != NULL) && - (ifp != (void *)-1)) { - COPYIFNAME(ifp, is->is_ifname[(out << 1) + 1]); - } - if (((ifp = fr->fr_ifas[2]) != NULL) && - (ifp != (void *)-1)) { - COPYIFNAME(ifp, is->is_ifname[(1 - out) << 1]); - } - if (((ifp = fr->fr_ifas[3]) != NULL) && - (ifp != (void *)-1)) { - COPYIFNAME(ifp, is->is_ifname[((1 - out) << 1) + 1]); - } + is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1]; + strncpy(is->is_ifname[(out << 1) + 1], fr->fr_ifnames[1], + sizeof(fr->fr_ifnames[1])); + + is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2]; + strncpy(is->is_ifname[((1 - out) << 1)], fr->fr_ifnames[2], + sizeof(fr->fr_ifnames[2])); + + is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3]; + strncpy(is->is_ifname[((1 - out) << 1) + 1], fr->fr_ifnames[3], + sizeof(fr->fr_ifnames[3])); } else { pass = fr_flags; is->is_tag = FR_NOLOGTAG; - } - is->is_ifp[out << 1] = fin->fin_ifp; - if (fin->fin_ifp != NULL) { - COPYIFNAME(fin->fin_ifp, is->is_ifname[out << 1]); + if (fin->fin_ifp != NULL) { + is->is_ifp[out << 1] = fin->fin_ifp; + COPYIFNAME(is->is_v, fin->fin_ifp, + is->is_ifname[out << 1]); + } } /* 
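Review bot: The '-' special case in fr_addstate tests `fr->fr_ifnames[out << 1]` but then copies `fr->fr_ifas[0]` and `fr->fr_ifnames[0]`; the three assignments that follow map fr_ifas[1..3] onto is_ifp slots using direction-relative shifts, which suggests fr_ifas/fr_ifnames are indexed by the rule's own slot numbers, so for out == 1 the test reads slot 2 while slot 0 is copied — if that reading is right the condition belongs on `fr->fr_ifnames[0]`; confirm against the frentry layout. Separately, each `strncpy(is->is_ifname[...], fr->fr_ifnames[i], sizeof(fr->fr_ifnames[i]))` bounds the copy by the source size and does not guarantee NUL termination; bound by `sizeof(is->is_ifname[...])` (or assert the two sizes agree) and terminate explicitly. fr_addstate starts and ends outside the hunk.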
@@ -1326,7 +1443,24 @@ ipstate_t *is; tdata = &is->is_tcp.ts_data[source]; MUTEX_ENTER(&is->is_lock); - if (fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags)) { + + /* + * If a SYN packet is received for a connection that is on the way out + * but hasn't yet departed then advance this session along the way. + */ + if ((tcp->th_flags & TH_OPENING) == TH_SYN) { + if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) && + (is->is_state[1] > IPF_TCPS_ESTABLISHED)) { + is->is_state[!source] = IPF_TCPS_CLOSED; + fr_movequeue(&is->is_sti, is->is_sti.tqe_ifq, + &ips_deletetq); + MUTEX_EXIT(&is->is_lock); + return 0; + } + } + + ret = fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags); + if (ret > 0) { #ifdef IPFILTER_SCAN if (is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER)) { ipsc_packet(fin, is); @@ -1358,21 +1492,16 @@ ipstate_t *is; if (flags == (TH_SYN|TH_ACK)) { is->is_s0[source] = ntohl(tcp->th_ack); is->is_s0[!source] = ntohl(tcp->th_seq) + 1; - if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)) && - (tdata->td_winflags & TCP_WSCALE_SEEN)) { + if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) { if (fr_tcpoptions(fin, tcp, fdata) == -1) fin->fin_flx |= FI_BAD; - if (!(fdata->td_winflags & TCP_WSCALE_SEEN)) { - fdata->td_winscale = 0; - tdata->td_winscale = 0; - } } if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN)) fr_checknewisn(fin, is); } else if (flags == TH_SYN) { is->is_s0[source] = ntohl(tcp->th_seq) + 1; if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) { - if (fr_tcpoptions(fin, tcp, tdata) == -1) + if (fr_tcpoptions(fin, tcp, fdata) == -1) fin->fin_flx |= FI_BAD; } @@ -1381,8 +1510,9 @@ ipstate_t *is; } ret = 1; - } else + } else { fin->fin_flx |= FI_OOW; + } MUTEX_EXIT(&is->is_lock); return ret; } 
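Review bot: The new SYN short-circuit in fr_tcpstate runs before fr_tcpinwindow, so any segment carrying SYN whose 4-tuple matches a session with both sides past ESTABLISHED moves that session to ips_deletetq with no sequence-number validation; that is tolerable only because the session is already closing, and the comment should say so, e.g. `/* no window check: both sides are closing, so a matching SYN can only be a new connection reusing the tuple */`. Returning 0 there also makes the SYN count as not matching state, which presumably is what lets a fresh entry be created; worth stating too. fr_tcpstate begins outside the hunk.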
@@ -1426,7 +1556,8 @@ ipstate_t *is; /* ------------------------------------------------------------------------ */ /* Function: fr_tcpinwindow */ -/* Returns: int - 1 == packet inside TCP "window", 0 == not inside. */ +/* Returns: int - 1 == packet inside TCP "window", 0 == not inside, */ +/* 2 == packet seq number matches next expected */ /* Parameters: fin(I) - pointer to packet information */ /* fdata(I) - pointer to tcp state informatio (forward) */ /* tdata(I) - pointer to tcp state informatio (reverse) */ @@ -1479,17 +1610,8 @@ int flags; * the receiver also does window scaling) */ if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) { - if (tdata->td_winflags & TCP_WSCALE_SEEN) { - fdata->td_winflags &= ~TCP_WSCALE_FIRST; - fdata->td_maxwin = win; - } else { - fdata->td_winscale = 0; - fdata->td_winflags &= ~(TCP_WSCALE_FIRST| - TCP_WSCALE_SEEN); - tdata->td_winscale = 0; - tdata->td_winflags &= ~(TCP_WSCALE_FIRST| - TCP_WSCALE_SEEN); - } + fdata->td_winflags &= ~TCP_WSCALE_FIRST; + fdata->td_maxwin = win; } end = seq + dsize; @@ -1519,20 +1641,18 @@ int flags; /* * Strict sequencing only allows in-order delivery. */ - if ((flags & IS_STRICT) != 0) { - if (seq != fdata->td_end) { + if (seq != fdata->td_end) { + if ((flags & IS_STRICT) != 0) { return 0; } } -#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) -#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) inseq = 0; if ((SEQ_GE(fdata->td_maxend, end)) && (SEQ_GE(seq, fdata->td_end - maxwin)) && /* XXX what about big packets */ #define MAXACKWINDOW 66000 - (-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) && + (-ackskew <= (MAXACKWINDOW)) && ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) { inseq = 1; /* @@ -1578,6 +1698,8 @@ int flags; } } + /* TRACE(inseq, fdata, tdata, seq, end, ack, ackskew, win, maxwin) */ + if (inseq) { /* if ackskew < 0 then this should be due to fragmented * packets. There is no way to know the length of the 
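Review bot: The acknowledgement window check in fr_tcpinwindow is now asymmetric: the negative side uses `(-ackskew <= (MAXACKWINDOW))` while the positive side keeps `(MAXACKWINDOW << fdata->td_winscale)`, and nothing in the hunk says why only one direction stops scaling; a why-comment on that line is needed, or the two sides should agree. The `/* TRACE(inseq, fdata, tdata, seq, end, ack, ackskew, win, maxwin) */` line is commented-out code and should be removed or placed under a real debug conditional. The removed `SEQ_GE`/`SEQ_GT` defines presumably moved to a header, which is not visible here. fr_tcpinwindow continues outside the hunk.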
@@ -1735,9 +1857,9 @@ u_32_t cmask; * If the interface for this 'direction' is set, make sure it matches. * An interface name that is not set matches any, as does a name of *. */ - if ((is->is_ifp[idx] == NULL && - (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) || - is->is_ifp[idx] == ifp) + if ((is->is_ifp[idx] == ifp) || (is->is_ifp[idx] == NULL && + (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '-' || + *is->is_ifname[idx] == '*'))) ret = 1; if (ret == 0) @@ -1921,7 +2043,7 @@ u_32_t cmask; if (is->is_ifp[idx] == NULL && (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) { is->is_ifp[idx] = ifp; - COPYIFNAME(ifp, is->is_ifname[idx]); + COPYIFNAME(is->is_v, ifp, is->is_ifname[idx]); } fin->fin_rev = rev; return is; @@ -2007,7 +2129,7 @@ fr_info_t *fin; # endif } #endif - bcopy((char *)fin, (char *)&ofin, sizeof(fin)); + bcopy((char *)fin, (char *)&ofin, sizeof(*fin)); /* * in the IPv4 case we must zero the i6addr union otherwise @@ -2037,7 +2159,6 @@ fr_info_t *fin; ofin.fin_ip = oip; ofin.fin_m = NULL; /* if dereferenced, panic XXX */ ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ - ofin.fin_plen = fin->fin_dlen - ICMPERR_ICMPHLEN; (void) fr_makefrip(IP_HL(oip) << 2, oip, &ofin); ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; @@ -2193,8 +2314,6 @@ u_int hv; ipstate_t **isp; u_int hvm; - ASSERT(rw_read_locked(&ipf_state.ipf_lk) == 0); - hvm = is->is_hv; /* * Remove the hash from the old location... @@ -2277,6 +2396,14 @@ ipftq_t **ifqp; } } #endif + if ((v == 4) && + (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) { + if (fin->fin_out == 0) { + hv -= src.in4.s_addr; + } else { + hv -= dst.in4.s_addr; + } + } /* * Search the hash table for matching packet header info. 
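Review bot: The comment above the interface match in fr_matchsrcdst still says 'An interface name that is not set matches any, as does a name of *.' although the condition now also accepts '-'; change it to `* An interface name that is not set matches any, as do the names '*' and '-'.`. The later hunk at @@ -1921, which records the interface when the stored name is empty or '*', does not include '-', so a state created with '-' matches any interface in the first hunk but never has its interface filled in by the second — if that asymmetry is intended, say so, otherwise add `|| *is->is_ifname[idx] == '-'` there as well. The `sizeof(*fin)` correction in fr_checkicmpmatchingstate replaces a copy of only pointer-size bytes.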
@@ -2297,6 +2424,13 @@ icmp6again: hvm = DOUBLE_HASH(hv); for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) { isp = &is->is_hnext; + /* + * If a connection is about to be deleted, no packets + * are allowed to match it. + */ + if (is->is_sti.tqe_ifq == &ips_deletetq) + continue; + if ((is->is_p != pr) || (is->is_v != v)) continue; is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP); @@ -2418,12 +2552,31 @@ retry_tcpudp: } RWLOCK_EXIT(&ipf_state); - if (!tryagain && ips_stats.iss_wild) { - hv -= dport; - hv -= sport; - tryagain = 1; - WRITE_ENTER(&ipf_state); - goto retry_tcpudp; + if (ips_stats.iss_wild) { + if (tryagain == 0) { + hv -= dport; + hv -= sport; + } else if (tryagain == 1) { + hv = fin->fin_fi.fi_p; + /* + * If we try to pretend this is a reply to a + * multicast/broadcast packet then we need to + * exclude part of the address from the hash + * calculation. + */ + if (fin->fin_out == 0) { + hv += src.in4.s_addr; + } else { + hv += dst.in4.s_addr; + } + hv += dport; + hv += sport; + } + tryagain++; + if (tryagain <= 2) { + WRITE_ENTER(&ipf_state); + goto retry_tcpudp; + } } fin->fin_flx |= oow; break; @@ -2626,8 +2779,6 @@ matched: fin->fin_rule = is->is_rulen; pass = is->is_pass; fr_updatestate(fin, is, ifq); - if (fin->fin_out == 1) - fin->fin_nat = is->is_nat[fin->fin_rev]; fin->fin_state = is; is->is_touched = fr_ticks; @@ -2763,7 +2914,7 @@ void *ifp; /* ------------------------------------------------------------------------ */ /* Function: fr_delstate */ -/* Returns: Nil */ +/* Returns: int - 0 = entry deleted, else reference count on struct */ /* Parameters: is(I) - pointer to state structure to delete */ /* why(I) - if not 0, log reason why it was deleted */ /* Write Locks: ipf_state */ 
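Review bot: The second retry in fr_stlookup (`tryagain == 1`) rebuilds `hv` from `fin->fin_fi.fi_p` plus `src.in4.s_addr`/`dst.in4.s_addr` without checking `fin->fin_v == 4`, unlike the multicast adjustment earlier in the function (hunk at @@ -2277) which is guarded by `v == 4`; for IPv6 packets this performs a third probe with a hash built from part of the i6addr union, harmless but wasted, so either guard the branch with `if (fin->fin_v == 4)` or note that the in4 member is used deliberately. The rebuilt hash has to mirror how hv is composed at the top of fr_stlookup, which is outside the hunk; a comment pointing at that code would make the coupling visible.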
@@ -2772,27 +2923,15 @@ void *ifp; /* and timeout queue lists. Make adjustments to hash table statistics and */ /* global counters as required. */ /* ------------------------------------------------------------------------ */ -static void fr_delstate(is, why) +static int fr_delstate(is, why) ipstate_t *is; int why; { - ASSERT(rw_read_locked(&ipf_state.ipf_lk) == 0); - /* * Since we want to delete this, remove it from the state table, * where it can be found & used, first. */ - if (is->is_pnext != NULL) { - *is->is_pnext = is->is_next; - - if (is->is_next != NULL) - is->is_next->is_pnext = is->is_pnext; - - is->is_pnext = NULL; - is->is_next = NULL; - } - if (is->is_phnext != NULL) { *is->is_phnext = is->is_hnext; if (is->is_hnext != NULL) @@ -2820,7 +2959,8 @@ int why; /* * Next, remove it from the timeout queue it is in. */ - fr_deletequeueentry(&is->is_sti); + if (is->is_sti.tqe_ifq != NULL) + fr_deletequeueentry(&is->is_sti); if (is->is_me != NULL) { *is->is_me = NULL; @@ -2829,11 +2969,21 @@ int why; /* * If it is still in use by something else, do not go any further, - * but note that at this point it is now an orphan. + * but note that at this point it is now an orphan. How can this + * be? fr_state_flush() calls fr_delete() directly because it wants + * to empty the table out and if something has a hold on a state + * entry (such as ipfstat), it'll do the deref path that'll bring + * us back here to do the real delete & free. */ - is->is_ref--; - if (is->is_ref > 0) - return; + MUTEX_ENTER(&is->is_lock); + if (is->is_ref > 1) { + is->is_ref--; + MUTEX_EXIT(&is->is_lock); + return is->is_ref; + } + MUTEX_EXIT(&is->is_lock); + + is->is_ref = 0; if (is->is_tqehead[0] != NULL) { if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0) 
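Review bot: In fr_delstate the still-referenced path does `is->is_ref--; MUTEX_EXIT(&is->is_lock); return is->is_ref;`, reading is_ref after the lock is dropped; another thread can change the count, and once it reaches zero free the entry, between the unlock and the read, so the return value is racy. Keep the decremented value in a local declared at the top of the function: `ref = --is->is_ref; MUTEX_EXIT(&is->is_lock); return ref;`. The following `is->is_ref = 0;` outside the lock is fine only because the preceding check established that no other reference exists, which is worth a short comment. fr_delstate continues outside the hunk.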
@@ -2852,6 +3002,19 @@ int why; (void) ipsc_detachis(is); #endif + /* + * Now remove it from the linked list of known states + */ + if (is->is_pnext != NULL) { + *is->is_pnext = is->is_next; + + if (is->is_next != NULL) + is->is_next->is_pnext = is->is_pnext; + + is->is_pnext = NULL; + is->is_next = NULL; + } + if (ipstate_logging != 0 && why != 0) ipstate_log(is, why); @@ -2862,12 +3025,14 @@ int why; if (is->is_rule != NULL) { is->is_rule->fr_statecnt--; - (void)fr_derefrule(&is->is_rule); + (void) fr_derefrule(&is->is_rule); } MUTEX_DESTROY(&is->is_lock); KFREE(is); ips_num--; + + return 0; } 
@@ -2953,42 +3118,115 @@ int which, proto; ipftq_t *ifq, *ifqnext; ipftqent_t *tqe, *tqn; ipstate_t *is, **isp; - int delete, removed; - long try, maxtick; - u_long interval; + int removed; SPL_INT(s); removed = 0; SPL_NET(s); - for (isp = &ips_list; ((is = *isp) != NULL); ) { - delete = 0; - if ((proto != 0) && (is->is_v != proto)) { - isp = &is->is_next; - continue; + switch (which) + { + case 0 : + /* + * Style 0 flush removes everything... + */ + for (isp = &ips_list; ((is = *isp) != NULL); ) { + if ((proto != 0) && (is->is_v != proto)) { + isp = &is->is_next; + continue; + } + if (fr_delstate(is, ISL_FLUSH) == 0) + removed++; + else + isp = &is->is_next; + } + break; + + case 1 : + /* + * Since we're only interested in things that are closing, + * we can start with the appropriate timeout queue. + */ + for (ifq = ips_tqtqb + IPF_TCPS_CLOSE_WAIT; ifq != NULL; + ifq = ifq->ifq_next) { + + for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { + tqn = tqe->tqe_next; + is = tqe->tqe_parent; + if (is->is_p != IPPROTO_TCP) + break; + if (fr_delstate(is, ISL_EXPIRE) == 0) + removed++; + } } - switch (which) - { - case 0 : - delete = 1; - break; - case 1 : - case 2 : - if (is->is_p != IPPROTO_TCP) - break; - if ((is->is_state[0] != IPF_TCPS_ESTABLISHED) || - (is->is_state[1] != IPF_TCPS_ESTABLISHED)) - delete = 1; - break; - } + /* + * Also need to look through the user defined queues. + */ + for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) { + ifqnext = ifq->ifq_next; + for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { + tqn = tqe->tqe_next; + is = tqe->tqe_parent; + if (is->is_p != IPPROTO_TCP) + continue; - if (delete) { - fr_delstate(is, ISL_FLUSH); - removed++; - } else + if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) && + (is->is_state[1] > IPF_TCPS_ESTABLISHED)) { + if (fr_delstate(is, ISL_EXPIRE) == 0) + removed++; + } + } + } + break; + + case 2 : + break; + + /* + * Args 5-11 correspond to flushing those particular states + * for TCP connections. 
+ */ + case IPF_TCPS_CLOSE_WAIT : + case IPF_TCPS_FIN_WAIT_1 : + case IPF_TCPS_CLOSING : + case IPF_TCPS_LAST_ACK : + case IPF_TCPS_FIN_WAIT_2 : + case IPF_TCPS_TIME_WAIT : + case IPF_TCPS_CLOSED : + tqn = ips_tqtqb[which].ifq_head; + while (tqn != NULL) { + tqe = tqn; + tqn = tqe->tqe_next; + is = tqe->tqe_parent; + if (fr_delstate(is, ISL_FLUSH) == 0) + removed++; + } + break; + + default : + if (which < 30) + break; + + /* + * Take a large arbitrary number to mean the number of seconds + * for which which consider to be the maximum value we'll allow + * the expiration to be. + */ + which = IPF_TTLVAL(which); + for (isp = &ips_list; ((is = *isp) != NULL); ) { + if ((proto == 0) || (is->is_v == proto)) { + if (fr_ticks - is->is_touched > which) { + if (fr_delstate(is, ISL_FLUSH) == 0) { + removed++; + continue; + } + } + } isp = &is->is_next; + } + break; } if (which != 2) { 
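Review bot: In the `default` branch of fr_state_flush, `which` is user-supplied via SIOCIPFFL (its 0/1 validation was removed in the hunk at @@ -431) and is scaled with `which = IPF_TTLVAL(which)` after only a `< 30` check; if IPF_TTLVAL multiplies by the tick rate as its other uses suggest, a large value overflows int, which is undefined behaviour, so cap it before scaling, e.g. `if (which < 30 || which > FLUSH_SECONDS_LIMIT /* limit to be chosen */) break;`. The type of fr_ticks is not visible here; if it is unsigned, `fr_ticks - is->is_touched > which` is a signed/unsigned comparison and `which` should be converted to the same type. The comment 'for which which consider to be' has a stray word. fr_state_flush starts on the previous hunk line and continues past this one.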
@@ -2997,83 +3235,35 @@ int which, proto; } /* - * Asked to remove inactive entries because the table is full, try - * again, 3 times, if first attempt failed with a different criteria - * each time. The order tried in must be in decreasing age. - * Another alternative is to implement random drop and drop N entries - * at random until N have been freed up. + * Asked to remove inactive entries because the table is full. */ - if (fr_ticks - ips_last_force_flush < IPF_TTLVAL(5)) - goto force_flush_skipped; - ips_last_force_flush = fr_ticks; - - if (fr_ticks > IPF_TTLVAL(43200)) - interval = IPF_TTLVAL(43200); - else if (fr_ticks > IPF_TTLVAL(1800)) - interval = IPF_TTLVAL(1800); - else if (fr_ticks > IPF_TTLVAL(30)) - interval = IPF_TTLVAL(30); - else - interval = IPF_TTLVAL(10); - try = fr_ticks - (fr_ticks - interval); - if (try < 0) - goto force_flush_skipped; - - while (removed == 0) { - maxtick = fr_ticks - interval; - if (maxtick < 0) - break; - - while (try < maxtick) { - for (ifq = ips_tqtqb; ifq != NULL; - ifq = ifq->ifq_next) { - for (tqn = ifq->ifq_head; - ((tqe = tqn) != NULL); ) { - if (tqe->tqe_die > try) - break; - tqn = tqe->tqe_next; - is = tqe->tqe_parent; - fr_delstate(is, ISL_EXPIRE); - removed++; - } - } - - for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) { - ifqnext = ifq->ifq_next; - - for (tqn = ifq->ifq_head; - ((tqe = tqn) != NULL); ) { - if (tqe->tqe_die > try) - break; - tqn = tqe->tqe_next; - is = tqe->tqe_parent; - fr_delstate(is, ISL_EXPIRE); - removed++; - } - } - if (try + interval > maxtick) - break; - try += interval; - } - - if (removed == 0) { - if (interval == IPF_TTLVAL(43200)) { - interval = IPF_TTLVAL(1800); - } else if (interval == IPF_TTLVAL(1800)) { - interval = IPF_TTLVAL(30); - } else if (interval == IPF_TTLVAL(30)) { - interval = IPF_TTLVAL(10); - } else { - break; - } - } + if (fr_ticks - ips_last_force_flush > IPF_TTLVAL(5)) { + ips_last_force_flush = fr_ticks; + removed = ipf_queueflush(fr_state_flush_entry, 
ips_tqtqb, + ips_utqe); } -force_flush_skipped: + SPL_X(s); return removed; } +/* ------------------------------------------------------------------------ */ +/* Function: fr_state_flush_entry */ +/* Returns: int - 0 = entry deleted, else not deleted */ +/* Parameters: entry(I) - pointer to state structure to delete */ +/* Write Locks: ipf_state */ +/* */ +/* This function is a stepping stone between ipf_queueflush() and */ +/* fr_delstate(). It is used so we can provide a uniform interface via the */ +/* ipf_queueflush() function. */ +/* ------------------------------------------------------------------------ */ +static int fr_state_flush_entry(entry) +void *entry; +{ + return fr_delstate(entry, ISL_FLUSH); +} + /* ------------------------------------------------------------------------ */ /* Function: fr_tcp_age */ @@ -3103,6 +3293,25 @@ force_flush_skipped: /* dir == 0 : a packet from source to dest */ /* dir == 1 : a packet from dest to source */ /* */ +/* A typical procession for a connection is as follows: */ +/* */ +/* +--------------+-------------------+ */ +/* | Side '0' | Side '1' | */ +/* +--------------+-------------------+ */ +/* | 0 -> 1 (SYN) | | */ +/* | | 0 -> 2 (SYN-ACK) | */ +/* | 1 -> 3 (ACK) | | */ +/* | | 2 -> 4 (ACK-PUSH) | */ +/* | 3 -> 4 (ACK) | | */ +/* | ... | ... | */ +/* | | 4 -> 6 (FIN-ACK) | */ +/* | 4 -> 5 (ACK) | | */ +/* | | 6 -> 6 (ACK-PUSH) | */ +/* | 5 -> 5 (ACK) | | */ +/* | 5 -> 8 (FIN) | | */ +/* | | 6 -> 10 (ACK) | */ +/* +--------------+-------------------+ */ +/* */ /* Locking: it is assumed that the parent of the tqe structure is locked. */ /* ------------------------------------------------------------------------ */ int fr_tcp_age(tqe, fin, tqtab, flags) 
@@ -3134,16 +3343,16 @@ int flags; switch (nstate) { - case IPF_TCPS_CLOSED: /* 0 */ + case IPF_TCPS_LISTEN: /* 0 */ if ((tcpflags & TH_OPENING) == TH_OPENING) { /* * 'dir' received an S and sends SA in - * response, CLOSED -> SYN_RECEIVED + * response, LISTEN -> SYN_RECEIVED */ nstate = IPF_TCPS_SYN_RECEIVED; rval = 1; } else if ((tcpflags & TH_OPENING) == TH_SYN) { - /* 'dir' sent S, CLOSED -> SYN_SENT */ + /* 'dir' sent S, LISTEN -> SYN_SENT */ nstate = IPF_TCPS_SYN_SENT; rval = 1; } @@ -3162,7 +3371,7 @@ int flags; */ switch (ostate) { - case IPF_TCPS_CLOSED : + case IPF_TCPS_LISTEN : case IPF_TCPS_SYN_RECEIVED : nstate = IPF_TCPS_HALF_ESTAB; rval = 1; @@ -3183,11 +3392,7 @@ int flags; */ break; - case IPF_TCPS_LISTEN: /* 1 */ - /* NOT USED */ - break; - - case IPF_TCPS_SYN_SENT: /* 2 */ + case IPF_TCPS_SYN_SENT: /* 1 */ if ((tcpflags & ~(TH_ECN|TH_CWR)) == TH_SYN) { /* * A retransmitted SYN packet. We do not reset @@ -3228,7 +3433,7 @@ int flags; } break; - case IPF_TCPS_SYN_RECEIVED: /* 3 */ + case IPF_TCPS_SYN_RECEIVED: /* 2 */ if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) { /* * we see an A from 'dir' which was in @@ -3257,7 +3462,7 @@ int flags; } break; - case IPF_TCPS_HALF_ESTAB: /* 4 */ + case IPF_TCPS_HALF_ESTAB: /* 3 */ if (tcpflags & TH_FIN) { nstate = IPF_TCPS_FIN_WAIT_1; rval = 1; @@ -3272,7 +3477,7 @@ int flags; */ switch (ostate) { - case IPF_TCPS_CLOSED : + case IPF_TCPS_LISTEN : case IPF_TCPS_SYN_SENT : case IPF_TCPS_SYN_RECEIVED : rval = 1; @@ -3288,7 +3493,7 @@ int flags; } break; - case IPF_TCPS_ESTABLISHED: /* 5 */ + case IPF_TCPS_ESTABLISHED: /* 4 */ rval = 1; if (tcpflags & TH_FIN) { /* @@ -3296,7 +3501,11 @@ int flags; * this gives us a half-closed connection; * ESTABLISHED -> FIN_WAIT_1 */ - nstate = IPF_TCPS_FIN_WAIT_1; + if (ostate == IPF_TCPS_FIN_WAIT_1) { + nstate = IPF_TCPS_CLOSING; + } else { + nstate = IPF_TCPS_FIN_WAIT_1; + } } else if (tcpflags & TH_ACK) { /* * an ACK, should we exclude other flags here? 
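Review bot: The comment directly above the new branch in the ESTABLISHED case still reads "this gives us a half-closed connection; ESTABLISHED -> FIN_WAIT_1", but the `ostate == IPF_TCPS_FIN_WAIT_1` arm now goes to CLOSING, i.e. the peer's FIN has already been seen and this is a simultaneous close rather than a half-close. I would extend that comment, e.g. `/* Our FIN while the other side is already in FIN_WAIT_1 is a simultaneous close: ESTABLISHED -> CLOSING; otherwise half-closed: ESTABLISHED -> FIN_WAIT_1 */`. With this commit's renumbering (CLOSED moves from 0 to 11, LISTEN to 0) every `ostate > IPF_TCPS_...` comparison in fr_tcp_age() and the `> IPF_TCPS_ESTABLISHED` tests in fr_statederef() now also match CLOSED, which looks intended but is worth one line in the state table comment. fr_tcp_age() starts and ends outside this hunk.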
@@ -3321,7 +3530,7 @@ int flags; } break; - case IPF_TCPS_CLOSE_WAIT: /* 6 */ + case IPF_TCPS_CLOSE_WAIT: /* 5 */ rval = 1; if (tcpflags & TH_FIN) { /* @@ -3339,7 +3548,7 @@ int flags; } break; - case IPF_TCPS_FIN_WAIT_1: /* 7 */ + case IPF_TCPS_FIN_WAIT_1: /* 6 */ rval = 1; if ((tcpflags & TH_ACK) && ostate > IPF_TCPS_CLOSE_WAIT) { @@ -3367,11 +3576,14 @@ int flags; } break; - case IPF_TCPS_CLOSING: /* 8 */ - /* NOT USED */ + case IPF_TCPS_CLOSING: /* 7 */ + if ((tcpflags & (TH_FIN|TH_ACK)) == TH_ACK) { + nstate = IPF_TCPS_TIME_WAIT; + } + rval = 2; break; - case IPF_TCPS_LAST_ACK: /* 9 */ + case IPF_TCPS_LAST_ACK: /* 8 */ if (tcpflags & TH_ACK) { if ((tcpflags & TH_PUSH) || dlen) /* @@ -3390,19 +3602,22 @@ int flags; */ break; - case IPF_TCPS_FIN_WAIT_2: /* 10 */ - rval = 1; - if ((tcpflags & TH_OPENING) == TH_OPENING) - nstate = IPF_TCPS_SYN_RECEIVED; - else if (tcpflags & TH_SYN) - nstate = IPF_TCPS_SYN_SENT; + case IPF_TCPS_FIN_WAIT_2: /* 9 */ + /* NOT USED */ break; - case IPF_TCPS_TIME_WAIT: /* 11 */ + case IPF_TCPS_TIME_WAIT: /* 10 */ /* we're in 2MSL timeout now */ + if (ostate == IPF_TCPS_LAST_ACK) { + nstate = IPF_TCPS_CLOSED; + } rval = 1; break; + case IPF_TCPS_CLOSED: /* 11 */ + rval = 2; + break; + default : #if defined(_KERNEL) # if SOLARIS @@ -3553,7 +3768,7 @@ fr_info_t *fin; if (fin->fin_plen < sizeof(*oip6)) return NULL; - bcopy((char *)fin, (char *)&ofin, sizeof(fin)); + bcopy((char *)fin, (char *)&ofin, sizeof(*fin)); ofin.fin_v = 6; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; @@ -3574,7 +3789,6 @@ fr_info_t *fin; oip6->ip6_plen = fin->fin_dlen - ICMPERR_ICMPHLEN; ofin.fin_flx = FI_NOCKSUM; ofin.fin_ip = (ip_t *)oip6; - ofin.fin_plen = oip6->ip6_plen; (void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin); ofin.fin_flx &= ~(FI_BAD|FI_SHORT); oip6->ip6_plen = savelen; 
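Review bot: With `ofin.fin_plen = oip6->ip6_plen;` removed, ofin.fin_plen is whatever the preceding full-struct bcopy() carried over from the outer packet until fr_makefrip() runs; the hunk does not show whether fr_makefrip() recomputes fin_plen from the inner header, and if it does not, length checks on the embedded IPv6 packet are made against the outer packet's length. A one-line comment at the call, such as `/* fr_makefrip() recomputes fin_plen/fin_dlen from the inner header */`, would pin that assumption where the next reader looks for it. The enclosing function starts and ends outside the hunk.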
@@ -3721,7 +3935,7 @@ ipftq_t *tqp; tqp[IPF_TCPS_CLOSING].ifq_ttl = fr_tcptimeout; tqp[IPF_TCPS_LAST_ACK].ifq_ttl = fr_tcplastack; tqp[IPF_TCPS_FIN_WAIT_2].ifq_ttl = fr_tcpclosewait; - tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = fr_tcptimeout; + tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = fr_tcptimewait; tqp[IPF_TCPS_HALF_ESTAB].ifq_ttl = fr_tcptimeout; } @@ -3752,6 +3966,14 @@ ipftq_t *tqp; /* Decrement the reference counter for this state table entry and free it */ /* if there are no more things using it. */ /* */ +/* This function is only called when cleaning up after increasing is_ref by */ +/* one earlier in the 'code path' so if is_ref is 1 when entering, we do */ +/* have an orphan, otherwise not. However there is a possible race between */ +/* the entry being deleted via flushing with an ioctl call (that calls the */ +/* delete function directly) and the tail end of packet processing so we */ +/* need to grab is_lock before doing the check to synchronise the two code */ +/* paths. */ +/* */ /* When operating in userland (ipftest), we have no timers to clear a state */ /* entry. Therefore, we make a few simple tests before deleting an entry */ /* outright. We compare states on each side looking for a combination of */ 
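Review bot: The added paragraph says that `is_ref` being 1 on entry means "we do have an orphan", but the rewritten fr_statederef() in the following hunk deletes that case with `ISL_EXPIRE` and reserves `ISL_ORPHAN` for the userland `is_ref > 1` path, so the comment and the reason codes disagree. I would reword it to something like `/* if is_ref is 1 on entry we hold the last reference and the entry is removed (logged as ISL_EXPIRE); the userland-only ISL_ORPHAN case is a still-referenced entry whose connection has gone past ESTABLISHED */`. The paragraph also states that taking is_lock synchronises the ioctl-flush and packet-processing paths, which in the code only covers the reference-count check itself, not the delete that follows. The comment block continues outside the hunk.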
@@ -3767,60 +3989,30 @@ ipftq_t *tqp; /* dir == 0 : a packet from source to dest */ /* dir == 1 : a packet from dest to source */ /* ------------------------------------------------------------------------ */ -void fr_statederef(fin, isp) -fr_info_t *fin; +void fr_statederef(isp) ipstate_t **isp; { - ipstate_t *is = *isp; -#if 0 - int nstate, ostate, dir, eol; + ipstate_t *is; - eol = 0; /* End-of-the-line flag. */ - dir = fin->fin_rev; - ostate = is->is_state[1 - dir]; - nstate = is->is_state[dir]; - /* - * Determine whether this packet is local or routed. State entries - * with us as the destination will have an interface list of - * int1,-,-,int1. Entries with us as the origin run as -,int1,int1,-. - */ - if ((fin->fin_p == IPPROTO_TCP) && (fin->fin_out == 0)) { - if ((strcmp(is->is_ifname[0], is->is_ifname[3]) == 0) && - (strcmp(is->is_ifname[1], is->is_ifname[2]) == 0)) { - if ((dir == 0) && - (strcmp(is->is_ifname[1], "-") == 0) && - (strcmp(is->is_ifname[0], "-") != 0)) { - eol = 1; - } else if ((dir == 1) && - (strcmp(is->is_ifname[0], "-") == 0) && - (strcmp(is->is_ifname[1], "-") != 0)) { - eol = 1; - } - } - } -#endif - - fin = fin; /* LINT */ is = *isp; *isp = NULL; - WRITE_ENTER(&ipf_state); - is->is_ref--; - if (is->is_ref == 0) { - is->is_ref++; /* To counter ref-- in fr_delstate() */ - fr_delstate(is, ISL_EXPIRE); + + MUTEX_ENTER(&is->is_lock); + if (is->is_ref > 1) { + is->is_ref--; + MUTEX_EXIT(&is->is_lock); #ifndef _KERNEL -#if 0 - } else if (((fin->fin_out == 1) || (eol == 1)) && - ((ostate == IPF_TCPS_LAST_ACK) && - (nstate == IPF_TCPS_TIME_WAIT))) { - ; -#else - } else if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) || + if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) || (is->is_sti.tqe_state[1] > IPF_TCPS_ESTABLISHED)) { + fr_delstate(is, ISL_ORPHAN); + } #endif - fr_delstate(is, ISL_ORPHAN); -#endif + return; } + MUTEX_EXIT(&is->is_lock); + + WRITE_ENTER(&ipf_state); + fr_delstate(is, ISL_EXPIRE); RWLOCK_EXIT(&ipf_state); } 
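Review bot: On the last-reference path `MUTEX_EXIT(&is->is_lock)` is called before `WRITE_ENTER(&ipf_state)`, so an ioctl flush that already holds ipf_state (the race the commit's own new comment on this function describes) can run fr_delstate() on the same entry in that window, and the `fr_delstate(is, ISL_EXPIRE)` here then acts on an entry it no longer owns; whether that is fatal depends on how fr_delstate() treats a zero is_ref, which is outside the hunk. The simplest closure is to re-validate after taking the write lock, e.g. `WRITE_ENTER(&ipf_state); MUTEX_ENTER(&is->is_lock); if (is->is_ref != 1) { /* someone else deleted or re-referenced it */ ... }` before calling fr_delstate(), or to take ipf_state before inspecting is_ref at all. In the `#ifndef _KERNEL` branch fr_delstate(is, ISL_ORPHAN) is now called without ipf_state held, unlike the old code which kept WRITE_ENTER around the whole body; that is fine if userland locks are no-ops, but a comment saying so would help the next reader.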
@@ -3892,3 +4084,121 @@ int rev; fr_queueappend(&is->is_sti, nifq, is); return; } + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_stateiter */ +/* Returns: int - 0 == success, else error */ +/* Parameters: token(I) - pointer to ipftoken structure */ +/* itp(I) - pointer to ipfgeniter structure */ +/* */ +/* This function handles the SIOCGENITER ioctl for the state tables and */ +/* walks through the list of entries in the state table list (ips_list.) */ +/* ------------------------------------------------------------------------ */ +static int fr_stateiter(token, itp) +ipftoken_t *token; +ipfgeniter_t *itp; +{ + ipstate_t *is, *next, zero; + int error, count; + char *dst; + + if (itp->igi_data == NULL) + return EFAULT; + + if (itp->igi_nitems < 1) + return ENOSPC; + + if (itp->igi_type != IPFGENITER_STATE) + return EINVAL; + + is = token->ipt_data; + if (is == (void *)-1) { + ipf_freetoken(token); + return ESRCH; + } + + error = 0; + dst = itp->igi_data; + + READ_ENTER(&ipf_state); + if (is == NULL) { + next = ips_list; + } else { + next = is->is_next; + } + + count = itp->igi_nitems; + for (;;) { + if (next != NULL) { + /* + * If we find a state entry to use, bump its + * reference count so that it can be used for + * is_next when we come back. + */ + if (count == 1) { + MUTEX_ENTER(&next->is_lock); + next->is_ref++; + MUTEX_EXIT(&next->is_lock); + token->ipt_data = next; + } + } else { + bzero(&zero, sizeof(zero)); + next = &zero; + count = 1; + token->ipt_data = NULL; + } + RWLOCK_EXIT(&ipf_state); + + /* + * This should arguably be via fr_outobj() so that the state + * structure can (if required) be massaged going out. 
+ */ + error = COPYOUT(next, dst, sizeof(*next)); + if (error != 0) + error = EFAULT; + if ((count == 1) || (error != 0)) + break; + + dst += sizeof(*next); + count--; + + READ_ENTER(&ipf_state); + next = next->is_next; + } + + if (is != NULL) { + fr_statederef(&is); + } + + return error; +} + + +/* ------------------------------------------------------------------------ */ +/* Function: fr_stgettable */ +/* Returns: int - 0 = success, else error */ +/* Parameters: data(I) - pointer to ioctl data */ +/* */ +/* This function handles ioctl requests for tables of state information. */ +/* At present the only table it deals with is the hash bucket statistics. */ +/* ------------------------------------------------------------------------ */ +static int fr_stgettable(data) +char *data; +{ + ipftable_t table; + int error; + + error = fr_inobj(data, &table, IPFOBJ_GTABLE); + if (error != 0) + return error; + + if (table.ita_type != IPFTABLE_BUCKETS) + return EINVAL; + + error = COPYOUT(ips_stats.iss_bucketlen, table.ita_table, + fr_statesize * sizeof(u_long)); + if (error != 0) + error = EFAULT; + return error; +} diff --git a/sys/contrib/ipfilter/netinet/ip_state.h b/sys/contrib/ipfilter/netinet/ip_state.h index 9c457cfcfbb1..9c4e8149d7fc 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.h +++ b/sys/contrib/ipfilter/netinet/ip_state.h @@ -7,7 +7,7 @@ * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed * $FreeBSD$ - * Id: ip_state.h,v 2.68.2.3 2005/03/03 14:24:11 darrenr Exp + * Id: ip_state.h,v 2.68.2.10 2007/10/16 09:33:24 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ 
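Review bot: In fr_stateiter() only the entry copied out last (`count == 1`) gets its is_ref bumped before `RWLOCK_EXIT(&ipf_state)`; every earlier `next` is read by COPYOUT() with no lock and no reference, and `next = next->is_next` after the re-acquired READ_ENTER dereferences it again, so a concurrent flush (the commit's own comment on fr_statederef() notes that an ioctl can delete entries directly) can free it under the copy. Hold a reference on each entry for the span it is used without the lock and release it through fr_statederef() once the read lock is dropped again; the exact shape depends on whether fr_delstate() keeps is_next usable for an entry whose reference is still held, which is outside this hunk. Separately, the raw ipstate_t handed to the caller includes kernel pointers (is_next, is_me, is_rule, is_ifp[]), which is what the in-code remark about fr_outobj() is getting at; a fixed export layout would avoid handing kernel addresses to the ioctl caller. fr_stgettable() in the same hunk writes `fr_statesize * sizeof(u_long)` bytes to `table.ita_table` with no caller-supplied length to check against, so that size contract belongs in its header comment.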
@@ -27,10 +27,8 @@ struct ipscan; # define IPSTATE_MAX 4013 /* Maximum number of states held */ #endif -#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ - (((s1) == (d2)) && ((d1) == (s2)))) -#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \ - (s2).s_addr, (d2).s_addr) +#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) +#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) typedef struct ipstate { @@ -42,7 +40,6 @@ typedef struct ipstate { struct ipstate **is_me; void *is_ifp[4]; void *is_sync; - struct nat *is_nat[2]; frentry_t *is_rule; struct ipftq *is_tqehead[2]; struct ipscan *is_isc; @@ -190,6 +187,7 @@ typedef struct ipslog { #define ISL_INTERMEDIATE 0xfffc #define ISL_KILLED 0xfffb #define ISL_ORPHAN 0xfffa +#define ISL_UNLOAD 0xfff9 typedef struct ips_stat { @@ -216,6 +214,7 @@ typedef struct ips_stat { ipstate_t **iss_table; ipstate_t *iss_list; u_long *iss_bucketlen; + ipftq_t *iss_tcptab; } ips_stat_t; @@ -251,12 +250,12 @@ extern int fr_tcpinwindow __P((struct fr_info *, struct tcpdata *, struct tcpdata *, tcphdr_t *, int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_int)); -extern int fr_state_ioctl __P((caddr_t, ioctlcmd_t, int)); +extern int fr_state_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *)); extern void fr_stinsert __P((struct ipstate *, int)); extern void fr_sttab_init __P((struct ipftq *)); extern void fr_sttab_destroy __P((struct ipftq *)); extern void fr_updatestate __P((fr_info_t *, ipstate_t *, ipftq_t *)); -extern void fr_statederef __P((fr_info_t *, ipstate_t **)); +extern void fr_statederef __P((ipstate_t **)); extern void fr_setstatequeue __P((ipstate_t *, int)); #endif /* __IP_STATE_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_sync.c b/sys/contrib/ipfilter/netinet/ip_sync.c index d41091a2e611..a72f50f34bd4 100644 --- a/sys/contrib/ipfilter/netinet/ip_sync.c +++ b/sys/contrib/ipfilter/netinet/ip_sync.c 
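Review bot: SEQ_GE/SEQ_GT depend on the `(int)` conversion of an unsigned 32-bit difference wrapping to a negative value, which is implementation-defined in C (it holds on every platform ipfilter targets, but the header does not say so). A short comment would make the contract explicit, e.g. `/* Modular comparison of 32-bit TCP sequence numbers, as in <netinet/tcp_seq.h>; the (int) cast of the unsigned difference is what makes wraparound work. */`. The macros also assume `int` is 32 bits wide, which is worth stating in the same comment.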
@@ -98,7 +98,7 @@ struct file; /* END OF INCLUDES */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.7 2006/03/19 14:59:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.9 2007/06/02 21:22:28 darrenr Exp $"; #endif #define SYNC_STATETABSZ 256 @@ -301,7 +301,7 @@ struct uio *uio; if (uio->uio_resid >= sizeof(sh)) { - err = UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio); + err = UIOMOVE(&sh, sizeof(sh), UIO_WRITE, uio); if (err) { if (ipf_sync_debug > 2) @@ -373,7 +373,7 @@ struct uio *uio; if (uio->uio_resid >= sh.sm_len) { - err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio); + err = UIOMOVE(data, sh.sm_len, UIO_WRITE, uio); if (err) { if (ipf_sync_debug > 2) @@ -473,7 +473,7 @@ struct uio *uio; READ_ENTER(&ipf_syncstate); while ((sl_tail < sl_idx) && (uio->uio_resid > sizeof(*sl))) { sl = synclog + sl_tail++; - err = UIOMOVE((caddr_t)sl, sizeof(*sl), UIO_READ, uio); + err = UIOMOVE(sl, sizeof(*sl), UIO_READ, uio); if (err != 0) break; } @@ -481,7 +481,7 @@ struct uio *uio; while ((su_tail < su_idx) && (uio->uio_resid > sizeof(*su))) { su = syncupd + su_tail; su_tail++; - err = UIOMOVE((caddr_t)su, sizeof(*su), UIO_READ, uio); + err = UIOMOVE(su, sizeof(*su), UIO_READ, uio); if (err != 0) break; if (su->sup_hdr.sm_sl != NULL) @@ -997,10 +997,11 @@ synclist_t *sl; /* This function currently does not handle any ioctls and so just returns */ /* EINVAL on all occasions. */ /* ------------------------------------------------------------------------ */ -int fr_sync_ioctl(data, cmd, mode) +int fr_sync_ioctl(data, cmd, mode, uid, ctx) caddr_t data; ioctlcmd_t cmd; -int mode; +int mode, uid; +void *ctx; { return EINVAL; } diff --git a/sys/contrib/ipfilter/netinet/ip_sync.h b/sys/contrib/ipfilter/netinet/ip_sync.h index 76862f7534a1..8104db3f2c3d 100644 --- a/sys/contrib/ipfilter/netinet/ip_sync.h +++ b/sys/contrib/ipfilter/netinet/ip_sync.h 
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_sync.h,v 2.11.2.3 2006/03/19 14:59:39 darrenr Exp $ + * $Id: ip_sync.h,v 2.11.2.4 2006/07/14 06:12:20 darrenr Exp $ */ #ifndef __IP_SYNC_H__ @@ -102,16 +102,16 @@ typedef struct syncupdent { /* 28 or 32 bytes */ extern synclogent_t synclog[SYNCLOG_SZ]; -extern int fr_sync_ioctl __P((caddr_t, ioctlcmd_t, int)); -extern synclist_t *ipfsync_new __P((int, fr_info_t *, void *)); -extern void ipfsync_del __P((synclist_t *)); -extern void ipfsync_update __P((int, fr_info_t *, synclist_t *)); -extern int ipfsync_init __P((void)); -extern int ipfsync_nat __P((synchdr_t *sp, void *data)); -extern int ipfsync_state __P((synchdr_t *sp, void *data)); -extern int ipfsync_read __P((struct uio *uio)); -extern int ipfsync_write __P((struct uio *uio)); -extern int ipfsync_canread __P((void)); -extern int ipfsync_canwrite __P((void)); +extern int fr_sync_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *)); +extern synclist_t *ipfsync_new __P((int, fr_info_t *, void *)); +extern void ipfsync_del __P((synclist_t *)); +extern void ipfsync_update __P((int, fr_info_t *, synclist_t *)); +extern int ipfsync_init __P((void)); +extern int ipfsync_nat __P((synchdr_t *sp, void *data)); +extern int ipfsync_state __P((synchdr_t *sp, void *data)); +extern int ipfsync_read __P((struct uio *uio)); +extern int ipfsync_write __P((struct uio *uio)); +extern int ipfsync_canread __P((void)); +extern int ipfsync_canwrite __P((void)); #endif /* IP_SYNC */ diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index cdbf3d0c21dc..4f2f122821a4 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h 
@@ -7,14 +7,14 @@ * * @(#)ipl.h 1.21 6/5/96 * $FreeBSD$ - * Id: ipl.h,v 2.52.2.14 2006/04/01 20:09:42 darrenr Exp $ + * Id: ipl.h,v 2.52.2.30 2007/10/16 09:41:00 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v4.1.13" +#define IPL_VERSION "IP Filter: v4.1.28" -#define IPFILTER_VERSION 4011300 +#define IPFILTER_VERSION 4012800 #endif diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c index 2048df4322a4..36048e4bb067 100644 --- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c +++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c @@ -33,8 +33,6 @@ #include #include -extern struct selinfo ipfselwait[IPL_LOGSIZE]; - #if __FreeBSD_version >= 502116 static struct cdev *ipf_devs[IPL_LOGSIZE]; #else @@ -101,8 +99,8 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); #define CDEV_MAJOR 79 -#if __FreeBSD_version >= 501000 -# include +#include +#if __FreeBSD_version >= 500043 # include static int iplpoll(struct cdev *dev, int events, struct thread *td); @@ -117,12 +115,16 @@ static struct cdevsw ipl_cdevsw = { .d_write = iplwrite, .d_ioctl = iplioctl, .d_name = "ipl", +# if __FreeBSD_version >= 500043 .d_poll = iplpoll, +# endif # if __FreeBSD_version < 600000 .d_maj = CDEV_MAJOR, # endif }; #else +static int iplpoll(dev_t dev, int events, struct proc *p); + static struct cdevsw ipl_cdevsw = { /* open */ iplopen, /* close */ iplclose, @@ -140,7 +142,9 @@ static struct cdevsw ipl_cdevsw = { # if (__FreeBSD_version < 500043) /* bmaj */ -1, # endif +# if (__FreeBSD_version > 430000) /* kqfilter */ NULL +# endif }; #endif 
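Review bot: The new `# if __FreeBSD_version >= 500043` around `.d_poll = iplpoll,` sits inside the designated-initialiser cdevsw that is itself compiled only under the `#if __FreeBSD_version >= 500043` opened in the previous hunk (the old-style `#else` initialiser follows it), so the inner guard is always true and `.d_poll = iplpoll,` can stand unguarded. If the intent was to keep a cdevsw without poll for some intermediate version, it is the outer condition that needs adjusting, not a nested one. The `#include` lines in these hunks lost their `<...>` targets in the rendering, so the header names cannot be checked from here.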
@@ -176,9 +180,17 @@ ipf_modload() char *defpass, *c, *str; int i, j, error; - error = iplattach(); - if (error) + RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); + RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); + + error = ipfattach(); + if (error) { + RW_DESTROY(&ipf_global); + RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); return error; + } for (i = 0; i < IPL_LOGSIZE; i++) ipf_devs[i] = NULL; @@ -195,6 +207,11 @@ ipf_modload() ipf_devs[i] = make_dev(&ipl_cdevsw, i, 0, 0, 0600, c); } + error = ipf_pfil_hook(); + if (error != 0) + return error; + ipf_event_reg(); + if (FR_ISPASS(fr_pass)) defpass = "pass"; else if (FR_ISBLOCK(fr_pass)) @@ -228,12 +245,20 @@ ipf_modunload() return EBUSY; if (fr_running >= 0) { - error = ipldetach(); + ipf_pfil_unhook(); + ipf_event_dereg(); + WRITE_ENTER(&ipf_global); + error = ipfdetach(); + RWLOCK_EXIT(&ipf_global); if (error != 0) return error; } else error = 0; + RW_DESTROY(&ipf_global); + RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frcache); + fr_running = -2; for (i = 0; ipf_devfiles[i]; i++) { @@ -287,9 +312,12 @@ sysctl_ipf_int ( SYSCTL_HANDLER_ARGS ) #endif -#if __FreeBSD_version >= 501000 static int +#if __FreeBSD_version >= 500043 iplpoll(struct cdev *dev, int events, struct thread *td) +#else +iplpoll(dev_t dev, int events, struct proc *td) +#endif { u_int xmin = GET_MINOR(dev); int revents; @@ -332,4 +360,3 @@ iplpoll(struct cdev *dev, int events, struct thread *td) return revents; } -#endif
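Review bot: If `ipf_pfil_hook()` fails, ipf_modload() returns with the three rwlocks initialised, ipfattach() done and the `ipf_devs[]` devices created in the loop just above still registered, whereas the `ipfattach()` failure path a few lines earlier tears the locks down; a failed load should undo all of it. The cleanup below mirrors the order ipf_modunload() uses in a later hunk, minus the unhook/dereg that never happened; it relies on the `ipf_devs[i] = NULL` initialisation that precedes make_dev() and on ipfdetach() being safe to call right after ipfattach(), both outside what the hunk shows. ipf_modload() starts before the hunk.
```c
	error = ipf_pfil_hook();
	if (error != 0) {
		/* Undo everything ipf_modload() has done so far. */
		for (i = 0; i < IPL_LOGSIZE; i++) {
			if (ipf_devs[i] != NULL)
				destroy_dev(ipf_devs[i]);
		}
		WRITE_ENTER(&ipf_global);
		(void) ipfdetach();
		RWLOCK_EXIT(&ipf_global);
		RW_DESTROY(&ipf_global);
		RW_DESTROY(&ipf_mutex);
		RW_DESTROY(&ipf_frcache);
		return error;
	}
	ipf_event_reg();
	/* … unchanged: default-pass string selection … */
```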
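Review bot: In ipf_modunload(), when `ipfdetach()` fails the function returns that error with the pfil hooks already removed and the event handlers deregistered, so the module stays loaded but no packet passes through ipfilter any more — a failed unload silently fails open. Either call ipfdetach() first and only unhook once it has succeeded, or restore the hooks on the error path: `if (error != 0) { (void) ipf_pfil_hook(); ipf_event_reg(); return error; }`. ipf_modunload() starts before the hunk.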