Upgraded IPFilter to 4.1.1

martti 2004-03-28 09:00:53 +00:00
parent 6c70d527d6
commit 24d567d60d
113 changed files with 18047 additions and 22785 deletions

27
dist/ipf/BNF vendored

@ -1,25 +1,26 @@
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
[ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
insert = "@" decnumber .
action = block | "no-match" | "pass" | log | "count" | skip | auth | call .
action = block | "pass" | log | "count" | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
[ via ] ] .
options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
pps = "pps" decnumber .
onif = "on" interface-name [ "out-via" interface-name ] .
block = "block" [ return-icmp[return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
tag = "tag" tagid .
call = "call" [ "now" ] function-name "/" decnumber.
dup = "dup-to" interface-name[":"ipaddr] .
via = "in-via" interface-name | "out-via" interface-name .
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
froute = "fastroute" | "to" interface-name .
replyto = "reply-to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
@ -34,8 +35,7 @@ flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep = "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
state-age = decnmber [ "/" decnumber ] .
keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
@ -43,8 +43,9 @@ ipaddr = host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
withopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
"mbcast" | "opt" ipopts .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .
@ -77,4 +78,4 @@ compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag = "F" | "S" | "R" | "P" | "A" | "U" .
flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .


@ -1,707 +0,0 @@
diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c
*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998
--- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998
***************
*** 44,49 ****
--- 44,51 ----
extern char *optarg;
+ char *getdsthost();
+
#include "firewall.h"
***************
*** 88,93 ****
--- 90,97 ----
static int cmdcnt = 0;
static int timeout = PROXY_TIMEOUT;
+ static int do_transparent = 0;
+
static int cmd_user();
static int cmd_authorize();
***************
*** 101,106 ****
--- 105,111 ----
static int cmd_passthru();
static void saveline();
static void flushsaved();
+ static int connectdest();
#define OP_CONN 001 /* only valid if connected */
#define OP_WCON 002 /* writethrough if connected */
***************
*** 173,178 ****
--- 178,184 ----
char xuf[1024];
char huf[512];
char *passuser = (char *)0; /* passed user as av */
+ char *psychic, *hotline;
#ifndef LOG_DAEMON
openlog("ftp-gw",LOG_PID);
***************
*** 317,322 ****
--- 323,332 ----
} else
timeout = PROXY_TIMEOUT;
+ psychic = getdsthost(0, NULL);
+ if (psychic)
+ do_transparent++;
+
/* display a welcome file or message */
if(passuser == (char *)0) {
if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
***************
*** 324,329 ****
--- 334,345 ----
syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
exit(1);
}
+ if (do_transparent) {
+ if (sayfile2(0, cf->argv[0], 220)) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
+ exit(1);
+ }
+ } else
if(sayfile(0,cf->argv[0],220)) {
syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
exit(1);
***************
*** 336,341 ****
--- 352,360 ----
if(say(0,"220-Proxy first requires authentication"))
exit(1);
+ if (do_transparent)
+ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
+ else
sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
if(say(0,xuf))
exit(1);
***************
*** 357,362 ****
--- 376,384 ----
exit(1);
}
+ if (do_transparent)
+ connectdest(psychic, 21);
+
/* main loop */
while(1) {
FD_ZERO(&rdy);
***************
*** 653,658 ****
--- 675,696 ----
return(sayn(0,noad,sizeof(noad)-1));
}
+ if (do_transparent) {
+ if((rfd == (-1)) && (x = connectdest(dest,port)))
+ return x;
+
+ sprintf(buf,"USER %s",user);
+
+ if (say(rfd, buf))
+ return(1);
+
+ x = getresp(rfd, buf, sizeof(buf), 1);
+ if (sendsaved(0, x))
+ return(1);
+
+ return(say(0, buf));
+ }
+
if(*dest == '\0')
dest = "localhost";
***************
*** 694,705 ****
char ebuf[512];
strcpy(ebuf,buf);
! sprintf(buf,"521 %s: %s",dest,ebuf);
rfd = -1;
return(say(0,buf));
}
! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
! saveline(buf);
/* we are now connected and need to try the autologin thing */
x = getresp(rfd,buf,sizeof(buf),1);
--- 732,748 ----
char ebuf[512];
strcpy(ebuf,buf);
! if (do_transparent)
! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf);
! else
! sprintf(buf,"521 %s: %s",dest,ebuf);
rfd = -1;
return(say(0,buf));
}
! if (!do_transparent) {
! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
! saveline(buf);
! }
/* we are now connected and need to try the autologin thing */
x = getresp(rfd,buf,sizeof(buf),1);
***************
*** 1889,1891 ****
--- 1932,2050 ----
dup(nread);
}
#endif
+
+ static int connectdest(dest, port)
+ char *dest;
+ short port;
+ {
+ char buf[1024], mbuf[512];
+ int msg_int, x;
+
+ if(*dest == '\0')
+ dest = "localhost";
+
+ if(validests != (char **)0) {
+ char **xp;
+ int x;
+
+ for(xp = validests; *xp != (char *)0; xp++) {
+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
+ return(baddest(0,dest));
+ } else {
+ if(hostmatch(*xp,dest))
+ break;
+ }
+ }
+ if(*xp == (char *)0)
+ return(baddest(0,dest));
+ }
+
+ /* Extended permissions processing goes in here for destination */
+ if(extendperm) {
+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
+ if(msg_int == 1) {
+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
+ say(0,mbuf);
+ return(1);
+ } else {
+ if(msg_int == -1) {
+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
+ say(0,mbuf);
+ return(1);
+ }
+ }
+ }
+
+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
+
+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+ if (do_transparent)
+ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
+ else
+ sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+ if (!do_transparent) {
+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
+ saveline(buf);
+ }
+
+ /* we are now connected and need to try the autologin thing */
+ x = getresp(rfd,buf,sizeof(buf),1);
+ if(x / 100 != COMPLETE) {
+ sendsaved(0,-1);
+ return(say(0,buf));
+ }
+ saveline(buf);
+
+ sendsaved(0,-1);
+ return 0;
+ }
+
+ /* quick hack */
+ sayfile2(fd,fn,code)
+ int fd;
+ char *fn;
+ int code;
+ {
+ FILE *f;
+ char buf[BUFSIZ];
+ char yuf[BUFSIZ];
+ char *c;
+ int x;
+ int saidsomething = 0;
+
+ if((f = fopen(fn,"r")) == (FILE *)0)
+ return(1);
+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
+ if((c = index(buf,'\n')) != (char *)0)
+ *c = '\0';
+ x = fgetc(f);
+ if(feof(f))
+ sprintf(yuf,"%3.3d-%s",code,buf);
+ else {
+ sprintf(yuf,"%3.3d-%s",code,buf);
+ ungetc(x,f);
+ }
+ if(say(fd,yuf)) {
+ fclose(f);
+ return(1);
+ }
+ saidsomething++;
+ }
+ fclose(f);
+ if (!saidsomething) {
+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
+ sprintf(yuf, "%3.3d The file to display is empty",code);
+ if(say(fd,yuf)) {
+ fclose(f);
+ return(1);
+ }
+ }
+ return(0);
+ }
diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c
*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998
--- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998
***************
*** 27,32 ****
--- 27,35 ----
static char http_buffer[8192];
static char reason[8192];
static int checkBrowserType = 1;
+ static int do_transparent = 0;
+
+ char * getdsthost();
static void do_logging()
{ char *proto = "GOPHER";
***************
*** 473,478 ****
--- 476,490 ----
/*(NOT A SPECIAL FORM)*/
if((rem_type & TYPE_LOCAL)== 0){
+ char * psychic = getdsthost(sockfd, &def_port);
+ if (psychic) {
+ if (strlen(psychic) <= MAXHOSTNAMELEN) {
+ do_transparent ++;
+ strncpy(def_httpd, psychic, strlen(psychic));
+ strncpy(def_server, psychic, strlen(psychic));
+ }
+ }
+
/* See if it can be forwarded */
if( can_forward(buf)){
***************
*** 1564,1570 ****
parse_vec[0],
parse_vec[1],
ourname, ourport);
! }else{
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
parse_vec[0], parse_vec[2],
parse_vec[3], chk_type_ch,
--- 1576,1589 ----
parse_vec[0],
parse_vec[1],
ourname, ourport);
! }
! else
! if (do_transparent) {
! sprintf(new_reply, "%s\t%s\t%s\t%s",
! parse_vec[0], parse_vec[1],
! parse_vec[2],parse_vec[3]);
! }
! else {
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
parse_vec[0], parse_vec[2],
parse_vec[3], chk_type_ch,
diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c
*** ./lib/hnam.c Tue Dec 10 13:08:48 1996
--- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998
***************
*** 23,28 ****
--- 23,33 ----
#include "firewall.h"
+ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. Fix this for your system. */
+ #include <net/if.h>
+ #include "ip_nat.h"
+ #endif /* __FreeBSD__ */
+
char *
maphostname(name)
***************
*** 49,52 ****
--- 54,132 ----
}
bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
return(inet_ntoa(sin.sin_addr));
+ }
+
+ char *getdsthost(fd, ptr)
+ int fd;
+ int *ptr;
+ {
+ struct sockaddr_in sin;
+ struct hostent * hp;
+ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
+ char buf[255], hostbuf[255];
+ #ifdef __FreeBSD__
+ struct sockaddr_in rsin;
+ struct natlookup natlookup;
+ #endif
+
+ #ifdef linux
+ if (!(err = getsockname(0, &sin, &sl))) {
+ if(ptr)
+ * ptr = ntohs(sin.sin_port);
+
+ sprintf(buf, "%s", inet_ntoa(sin.sin_addr));
+ gethostname(hostbuf, 254);
+ hp = gethostbyname(hostbuf);
+ while (hp->h_addr_list[i]) {
+ bzero(&sin, &sl);
+ memcpy(&sin.sin_addr, hp->h_addr_list[i++],
+ sizeof(hp->h_addr_list[i++]));
+
+ if (!strcmp(buf, inet_ntoa(sin.sin_addr)))
+ local_h++;
+ }
+
+ if(local_h)
+ return(NULL);
+ else
+ return(buf);
+ }
+ #endif
+
+ #ifdef __FreeBSD__
+ /* The basis for this block of code is Darren Reed's
+ * patches to the TIS ftwk's ftp-gw.
+ */
+ bzero((char*)&sin, sizeof(sin));
+ bzero((char*)&rsin, sizeof(rsin));
+
+ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0)
+ return NULL;
+
+ sl = sizeof(rsin);
+
+ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0)
+ return NULL;
+
+ natlookup.nl_inport=sin.sin_port;
+ natlookup.nl_outport=rsin.sin_port;
+ natlookup.nl_inip=sin.sin_addr;
+ natlookup.nl_outip=rsin.sin_addr;
+
+ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0)
+ return NULL;
+
+ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1))
+ return NULL;
+
+ close(natfd);
+
+ if (ptr)
+ *ptr = ntohs(natlookup.nl_inport);
+
+ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip));
+ #endif
+
+ /* No transparent proxy support */
+ return(NULL);
}
diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c
*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998
--- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998
***************
*** 43,48 ****
--- 43,50 ----
static char **validdests = (char **)0;
static int net_write();
+ static int do_transparent = 0;
+
main(ac,av)
int ac;
char *av[];
***************
*** 198,206 ****
--- 200,220 ----
char *ptr;
int state = 0;
int ssl_plug = 0;
+ char * getdsthost();
+ int pport = 0;
struct timeval timo;
+ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad
+ * idea ..
+ */
+ dhost = getdsthost(0, &pport);
+ if (dhost) {
+ do_transparent++;
+ portid = pport;
+ }
+
+
if(c->flags & PERM_DENY) {
if (p == -1)
syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr);
***************
*** 220,226 ****
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
exit (1);
}
! dhost = av[x];
continue;
}
--- 234,241 ----
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
exit (1);
}
! if (!dhost)
! dhost = av[x];
continue;
}
diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c
*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998
--- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998
***************
*** 103,108 ****
--- 103,111 ----
static int trusted = 0;
static int doX = 0;
static char *prompt;
+ static int do_transparent = 0;
+
+ char * getdsthost();
main(ac,av)
int ac;
***************
*** 123,128 ****
--- 126,132 ----
static char *tokav[56];
int tokac;
struct timeval timo;
+ char * psychic;
#ifndef LOG_NDELAY
openlog("rlogin-gw",LOG_PID);
***************
*** 188,194 ****
xforwarder = cf->argv[0];
}
!
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
if(cf->argc != 1) {
--- 192,203 ----
xforwarder = cf->argv[0];
}
! psychic = getdsthost(0, NULL);
! if (psychic) {
! do_transparent++;
! strncpy(dest, psychic, 511);
! dest[511] = '\0';
! }
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
if(cf->argc != 1) {
***************
*** 266,271 ****
--- 275,281 ----
if((p = index(rusername,'@')) != (char *)0) {
char *namp;
+ dest[0] = '\0';
*p++ = '\0';
if(*p == '\0')
p = "localhost";
***************
*** 297,302 ****
--- 307,326 ----
if(dest[0] != '\0') {
/* Setup connection directly to remote machine */
+ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+ if (cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
+
+ if (sayfile(0, cf->argv[0])) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
+ exit(1);
+ }
+ }
+
+ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */
+
sprintf(buf,"connect %.1000s",dest);
tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
if (cmd_connect(tokac, tokav, buf) != 2)
***************
*** 535,548 ****
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
! if(strlen(namp) > 20)
! namp[20] = '\0';
! if(rusername[0] != '\0')
! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
! else
! sprintf(ebuf,"Trying %s...",namp);
! if(say(0,ebuf))
! return(1);
} else
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
--- 559,574 ----
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
! if (!do_transparent) {
! if(strlen(namp) > 20)
! namp[20] = '\0';
! if(rusername[0] != '\0')
! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
! else
! sprintf(ebuf,"Trying %s...",namp);
! if(say(0,ebuf))
! return(1);
! }
} else
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c
*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998
--- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998
***************
*** 91,96 ****
--- 91,100 ----
static int cmd_xforward();
static int cmd_timeout();
+ char * getdsthost();
+
+ static int do_transparent = 0;
+
static int tn3270 = 1; /* don't do tn3270 stuff */
static int doX;
***************
*** 144,149 ****
--- 148,155 ----
char tokbuf[BSIZ];
char *tokav[56];
int tokac;
+ int port;
+ char * psychic;
#ifndef LOG_DAEMON
openlog("tn-gw",LOG_PID);
***************
*** 325,330 ****
--- 331,362 ----
}
}
+ psychic = getdsthost(0, &port);
+ if (psychic) {
+ if ((strlen(psychic) + 10) < 510) {
+ do_transparent++;
+ if (port)
+ sprintf(dest, "%s:%d", psychic, port);
+ else
+ sprintf(dest, "%s", psychic);
+
+ if (!welcomedone)
+ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) {
+ if (cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
+
+ if (sayfile(0, cf->argv[0])) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
+ exit(1);
+ }
+
+ welcomedone = 1;
+ }
+ }
+ }
+
while (argc > 1) {
argc--;
argv++;
***************
*** 947,955 ****
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
! if(say(0,ebuf))
! return(1);
} else
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
--- 979,989 ----
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
! if (!do_transparent) {
! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
! if(say(0,ebuf))
! return(1);
! }
} else
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
***************
*** 991,998 ****
syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
strncpy(dest,av[1], 511);
! sprintf(buf, "Connected to %.512s.", dest);
! say(0, buf);
return(2);
}
--- 1025,1034 ----
syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
strncpy(dest,av[1], 511);
! if (!do_transparent) {
! sprintf(buf, "Connected to %.512s.", dest);
! say(0, buf);
! }
return(2);
}


@ -124,7 +124,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
***************
*** 11,30 ****
#
# RcsId: "$Header: /cvsroot/src/dist/ipf/FWTK/Attic/fwtk_transparent.diff,v 1.1.1.2 2004/03/28 08:55:59 martti Exp $"
# RcsId: "$Header: /cvsroot/src/dist/ipf/FWTK/Attic/fwtk_transparent.diff,v 1.2 2004/03/28 09:00:54 martti Exp $"
# Your C compiler (eg, "cc" or "gcc")
@ -145,7 +145,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
-Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
--- 11,34 ----
#
# RcsId: "$Header: /cvsroot/src/dist/ipf/FWTK/Attic/fwtk_transparent.diff,v 1.1.1.2 2004/03/28 08:55:59 martti Exp $"
# RcsId: "$Header: /cvsroot/src/dist/ipf/FWTK/Attic/fwtk_transparent.diff,v 1.2 2004/03/28 09:00:54 martti Exp $"
+ #
+ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c)


@ -1,82 +0,0 @@
*** tproxy.c.orig Fri Dec 20 10:53:24 1996
--- tproxy.c Sun Jan 3 11:33:55 1999
***************
*** 135,140 ****
--- 135,144 ----
#include <netinet/in.h>
#include <sys/signal.h>
#include <syslog.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+ #include <net/if.h>
#include "tproxy.h"
#ifdef AIX
***************
*** 147,152 ****
--- 151,159 ----
#define bzero(buf,size) memset(buf, '\0', size);
#endif /* SYSV */
+ #include "ip_compat.h"
+ #include "ip_fil.h"
+ #include "ip_nat.h"
/* socket to audio server */
***************
*** 324,329 ****
--- 331,369 ----
char localbuf[2048];
void timeout();
extern int errno;
+ /*
+ * IP-Filter block
+ */
+ struct sockaddr_in laddr, faddr;
+ struct natlookup natlookup;
+ int slen, natfd;
+
+ bzero((char *)&laddr, sizeof(laddr));
+ bzero((char *)&faddr, sizeof(faddr));
+ slen = sizeof(laddr);
+ if (getsockname(0, (struct sockaddr *)&laddr, &slen) < 0)
+ return -1;
+ slen = sizeof(faddr);
+ if (getpeername(0, (struct sockaddr *)&faddr, &slen) < 0)
+ return -1;
+ natlookup.nl_inport = laddr.sin_port;
+ natlookup.nl_outport = faddr.sin_port;
+ natlookup.nl_inip = laddr.sin_addr;
+ natlookup.nl_outip = faddr.sin_addr;
+ natlookup.nl_flags = IPN_TCP;
+ if ((natfd = open(IPL_NAT, O_RDONLY)) < 0)
+ return -1;
+ if (ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
+ close(natfd);
+ return -1;
+ }
+ close(natfd);
+ strcpy(hostname, inet_ntoa(natlookup.nl_realip));
+ serverport = ntohs(natlookup.nl_realport);
+ /*
+ * End of IP-Filter block
+ */
/* setup a timeout in case dialog doesn't finish */
signal(SIGALRM, timeout);
***************
*** 337,344 ****
--- 377,386 ----
* and modify the call to (and subroutine) serverconnect() as
* appropriate.
*/
+ #if 0
strcpy(hostname, "randomhostname");
serverport = 7070;
+ #endif
/* Can we connect to the server */
if ( (serverfd = serverconnect(hostname, serverport)) < 0 ) {
/* errno may still be set from previous call */

630
dist/ipf/HISTORY vendored

@ -6,11 +6,9 @@
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Hewlett Packard for making it possible to port IP Filter to
# HP-UX 11.00.
#
# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.
# Thanks to Tel.Net Media for allowing me to maintain and further develop
# IP Filter as part of my job and supplying Sun equipment for testing the
# move to 64bits and Gigabit Ethernet.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
@ -22,614 +20,134 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.29 28/8/2002 - Released
4.1.1 - RELEASED - 24 March 2004
Make substantial changes to the FTP proxy to improve reliability, security
and functionality.
allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN
don't send ICMP errors/TCP RST's in response to blocked proxy packets
timeout values have drifted, incorrectly, from what they were in 3.4
fix potential memory leaks when unloading ipfilter from kernel
FreeBSD - compatibility changes for 5.2
fix bug in SIOCGNATL handler that did not preserve the expected
byte order from earlier versions in the port number
don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
rather than per "flow"
set do not fragment flag in generated packets according to system flags,
where available.
fr_cksum() returned the wrong answer for ICMP
preserve filter rule number and group number in state structure
Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD
fix bug in ipmon printing of p/P/b/B
adjust expectations for TCP urgent bits based on observed traffic in the
wild
make some changes to the kmem.c code for IRIX compatibility
openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called
add code to specifically handle ip.tun* interfaces on Solaris
fix flushing of hash pool gorups (ippool -F) as well as displaying them
(ippool -l)
3.4.28 6/6/2002 - Released
passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.
Fix for H.323 proxy to work on little endian boxes
Make the solaris boot script able to run on 2.5.1
IRIX: Update installation documentation
add route lock patch
ippool related files missing from Solaris packages
allow use of groups > 65535
The name /dev/ippool should be /dev/iplookup
create a new packet info summary for packets going through ipfr_fastroute()
so that where details are different (RST/ICMP errors), the packet now gets
correctly NAT'd, etc.
add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags. Also add test for mssclamp operation.
fix the FTP proxy so that checks for TCP sequence numbers outside the
normal offset due to data changes use absolute numbers
ttl displayed for "ipfstat -t" is wrong because ttl is not computed.
make it possible to remove rules in ipftest
parse logical interface names (Sun)
Update installing onto OpenBSD and split into two directories:
OpenBSD-2 and OpenBSD-3
unloading LKMs was only working if they were enabled.
fix error in printout out the protocol in NAT rules
sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings
always unlock ipfilter if locking fails half way through in ipfs
not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel. leave the
old values defined and handle them, for compatibility.
fix problems with TCP window scaling
pool stats wrong: ippoolstate used where ipoolstat should be, hash table
statistics not reported at all
update of man pages for ipnat(4) and ipftest(1)
fr_running not set correctly for OpenBSD when compiled into the kernel
3.4.27 28/04/2002 - Released
Allow SIOCGETFF while disabled
fix calculation of 2's complmenent 16 bit checksum for user space
Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
altered. How do you say "untested" ?)
add mbuflen() to usespace compiles.
4.1 - RELEASED - 12 February 2004
add more #ifdef complexity for platform portability
4.0-BETA1 20 August 2003
add OpenBSD 3.1 diffs
support 0/32 and 0/0 on the RHS in redirect rules
3.4.26 25/04/2002 - Released
where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.
fix parsing and printing of NAT rules with regression tests.
allow NAT rule to match 'all' interfaces with * as interface name
add code to adjust TCP checksums inside ICMP errors where present and as
required for NAT.
do mapping of ICMP sequence id#'s in pings
fix documentation problems in instal documents
allow default age for NAT entries to be set per NAT rule
fix locking problem with auth code on Solaris
provide round robin selection of destination addresses for redirect
fix use of version macros for FreeBSD and make the use of __FreeBSD_version
override previous hacks except when not present
ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received
fix the macros defined for SIOCAUTHR and SIOCAUTHW
now requires pfil to work on Solaris & HP-UX
fix the H.323 proxy so it no longer panics (multiple issues: re-entry into
nat_ioctl with lock held on Solaris, trying to copy data from kernel space
with copyin, unaligned access to get 32bit & 16bit numbers)
supports mapping outbound connections to a specific address/port
use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets
generated by IPFilter
support toggling of logging per ipfilter 'device'
fix comparing state information to delete state table entries
use queues to expire data rather than lists
flag packets as being "bad state" if they're outside the window and prevent
them from being able to cause new state to be created - except for SYN packets
add MSN RPC proxy
be stricter about what packets match a TCP state table entry if its creation
was triggered by a SYN packet.
add IRC proxy
add patches to handle TCP window scaling
support rules with dynamic ip addresses
don't update TCP state table entries if the packet is not considered to be
part of the connection
add ability to define a pool of addresses & networks which can then
be placed in a single rule
ipfs wasn't allowing -i command line option in getopt
support passing entire packet back to user program for authentication
IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2
regardless of user compile, fix the getkflags script to prune down the
output more so it is acceptable
support master/slave for state information sharing
change building in Makefiles to create links to the application in $(TOP)
at the end of "build" rather than when each is created.
reorganise generic code into a lib directory and make libipf.a
update BSD/kupgrade for FreeBSD
user programs enforce version matching with the kernel
l4check wasn't properly closing things when a connection fails
supports window scaling if seen at TCP session setup
man page updates for ipmon(8) and ipnat(5)
generates C code from filter rules to compile in or load as native
machine code.
more regression tests added.
supports loading rules comprised of BPF bytecode statements
3.4.25 13/03/2002 - Released
HP-UX 11 port completed
retain rule # in state information
and packets-per-second filtering
log the direction of a packet so ipmon gets it right rather than incorrectly
deriving it from the rule flags
add numerical tags to rules for filtering and display in ipmon output
add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
kernel config files to increase that buffer size)
recognise return-* rules differently to block in ipftest
fix bug in ipmon output for solaris
add regression testing for skip rules, logging and using head/group
fix output of ipmon: was displaying large unsigned ints rather than -1
when no rules matched.
make logging code compile into ipftest and add -l command line option to
dump binary log file (read with ipmon -f) when it finishes.
protect rule # and group # from interference when checking accounting rules
add regression testing for log output (text) from ipmon.
document -b command line option for ipmon
fix double-quick in Solaris startup script
3.4.24 01/03/2002 - Released
fix how files are installed on SunOS5
fix some minor problems in SunOS5 ipfboot script
by default, compile all OpenBSD tools in 3.0 for IPv6
fix NULL-pointer dereference in NAT code
make a better attempt at replacing the appropriate binaries on BSD systems
always print IPv6 icmp-types as a number
impose some rules about what "skip" can be used with
fix parsing problems with "keep state" and "keep state-age"
Try to read as much data as is in the log device in ipmon
remove some redundant checks when searching for rdr/nat rules
fix bug in handling of ACCT with FTP proxy
increase array size for interface names, using LIFNAMSIZ
include H.323 proxy from QNX
3.4.23 16/01/2002 - Released
Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
compiles and complete system builds.
Fix bug in automatic flushing of state table which would cause it to hang
in an infinite loop bug introduced in 3.4.20.
Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for
the outgoing connection to make it look like it comes from the real source.
Only support ICMPv6 with IPv6.
Move ipnat.1 to ipnat.8
Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.
Make it possible to do IPv6 regression testing with ipftest.
Use kvm library for kmem access, rather than trying to do it manually with
open/lseek/read.
Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.
Remove Berkeley advertising licence clause. Reference:
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
and fragmentation required.
Fix ipfboot script on Solaris to deal with no nameservers or no route to
them in a clean manner.
Support per-rule set timeouts for non-TCP NAT and state
Add netbios proxy
Add ICMPv6 stateful checking, including handling multicast destination
addresses for neighbour discovery.
Fix problems with internals of ICMP messages for MTU discovery and
unreachables not being correctly adjust on little endian boxes.
Add "in-via" and "out-via" to filtering rules grammar. It is now possible
to bind a rule to both incoming and outgoing interfaces, in both forward
and reverse directions (4 directions in total). allows for asymetric flows
through a firewall.
Fix ipfstat and ipnat for working on crash dumps.
Don't let USE_INET6 stay defined for SunOS4
Count things we see for each interface on solaris.
Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
also include a whole bunch of #define's to make sure the symbols expected
can be used.
Fix up fastroute on BSD systems.
Make fastrouting work for IPv6 just a bit better. doesn't split up big
packets into fragments like the IPv4 one does. You can now do a
"to <if>:<ipv6_addr>"
Remove some of the differences between user-space and kernel-space code
that is internal to ipfilter.
Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
create the illusion of passing time and include the expire functions in the
code compiled for user-space.
Fix issues with the IPSec proxy not working or leading to a system crash.
Junk all processing of SPIs and special handling for ESP.
Add "no-match" as a filter rule action (resets _LAST_ match)
Add hack to workaround problems with Cassini interface cards on
Solaris and VLANs
Add some protocols to etc/protocols
3.4.22 03/12/2001 - Released
various openbsd changes
sorting based on IP numbers for ipfstat top output
fix various IPv6 code & compile problems
modify ip_fil.c to be more netbsd friendly
fix fastroute bug where it modified a packet post-sending
fix get_unit() - don't understand why it was broken.
add FI_IGNOREPKT and don't count so marked packets when doing stats or
state/nat.
extend the interface name saved to log output
make proxies capable of extending the matching done on a packet with a
particular nat session
change interfaces inside NAT & state code to accomodate redesign to allow
IPsec proxy to work.
fix bug when free'ing loaded rules that results in a memory leak
(only an issue with "ipf -rf -", not flush)
make ipftest capable of loading > 1 file or rules, making it now possible
to load both NAT & filter rules
fix hex input for ipftest to allow interface name & direction to work
show ipsec proxy details in ipnat output
if OPT_HEX is set in opts, print a packet out as hex
don't modify b_next or preseve it or preserve b_prev for solaris
fix up kinstall scripts to install all the files everywhere they need to
fix overflowing of bits in ip_off inside iptest
make userauth and proxy in samples directory compile
fix minimum size when doing a pullup for ESP & ICMPv6
3.4.21 24/10/2001 - Released
include ipsec proxy
make state work for non-tcp/udp/icmp in a very simple way
include diffs for ipv6 firewall on openbsd-2.9
add compatibility filter wrapper for NetBSD-current
fix command line option problems with ipfs
if we fill the state table and a automated flush doesn't purge any
expiring entries, remove all entries idle for more than half a day
fix bug with sending resets/icmp errors where the pointer to the data
section of the packet was not being set (BSD only)
split out validating ftp commands and responses into different halves,
one for each of server & client.
do not compile in STATETOP support for specific architectures
fix INSTALL.FreeBSD to no longer provide directions and properly direct
people to the right file for the right version of FreeBSD.
3.4.20 24/07/2001 - Released
adjust NAT hashing to give a better spread across the table
show icmp code/type names in output, where known
fix bug in altering cached interface names in state when resync'ing
fix bug in real audio proxy that caused crashs
fix compiling using sunos4 cc
patch from casper to address weird exit problem for ipstat in top mode
patch from Greg Woods to produce names for icmp types/unreach codes,
where they are known
fix bug where ipfr_fastroute() would use a mblk and it would also get
freed later.
don't match fragments which would cause 64k length to be exceeded
ftp proxy fix for port numbers being setup for pasv ftp with state/nat
change hashing for NAT to include both IP#'s and ports.
Solaris fixes for IPv6
fix compiling iplang bits, under Solaris, for ipsend
3.4.19 29/06/2001 - Released
fix to support suspend/resume on solaris8 as well as ipv6
include group/group-head in match of filter rules
fix endian problem reading snoop files
make all licence comments point to the one place
fix ftp proxy to only advance state if a reply is received in response to
a recognised command
3.4.18 05/06/2001 - Released
fix up parsing of "from ! host" where '!' is separate
disable hardware checksums for NetBSD
put ipftest temporary files in . rather than /tmp
modify ftp proxy to be more intelligent about moving between states
and recognise new authentication commands
allow state/nat table sizes to be externally influenced
print out host mapping table for NAT with ipnat -l
fix handling of hardware checksum'ing on Solaris
fixup makefiles for Solaris
update regression tests
fix surrender of SPL's for failure cases
include patches for OpenBSD's new timeout mechanism
default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it
ICMP_UNREACH_FILTER
fix up handling of packets matching auth rules and interaction with state
add -q command line option to ipfstat on Solaris to list bound interfaces
add command line option to ipfstat/ipnat to select different core image
don't use ncurses on Solaris for STATETOP
fix includes to get FreeBSD version
do not byte swap ip_id
fix handling success for packets matching the auth rule
don't double-count short packets
add ICMP router discovery message size recognition
fix packet length calculation for IPv6
set CPUDIR when for install-sunos5 make target
SUNWspro -xF causes Solaris 2.5.1 kernel to crash
3.4.17 06/04/2001 - Released
fix fragment#0 handling bug where they could get in via cache information
created by state table entries
use ire_walk to look for ire cache entries with link layer headers cached
deal with bad SPL assumptions for log reading on BSD
fix ftp proxy to allow logins with passwords
some auth rule patches, fixing byte endian problems and returning as an error
support LOG_SECURITY, where available, in ipmon
don't return an error for packets which match auth rules
introduce fr_icmpacktimeout to timeout entries once an ICMP reply has
been seen separately to when created
3.4.16 15/01/2001 - Released
fix race condition in flushing of state entries that are timing out
Add TCP ECN patches
log all NAT entries created, not just those via rules
3.4.15 17/12/2000 - Released
add minimum ttl filtering (to be replaced later by return-icmp-as-dest
for all ICMP packets matching state entries).
fix NAT'ing of fragments
fix sanity checks for ICMPV6
fix up compiling on IRIX 6.2 with IDF/IDL installed
3.4.14 02/11/2000 - Released
cause flushing NAT table to generate log records the same as state flush
does.
fix ftp proxy port/pasv
fix problem where nat_{in,out}lookup() would release a write lock when it
didn't need to.
add check for ipf6.conf in Solaris ipfboot
3.4.13 28/10/2000 - Released
fix introduced bug with ICMP packets being rejected when valid
fix bug with proxy's that don't set fin_dlen correctly when calling
fr_addstate()
3.4.12 26/10/2000 - Released
fix installing into FreeBSD-4.1
fix FTP proxy bug where it'd hang and make NAT slightly more efficient
fix general compiling errors/warnings on various platforms
don't access ICMP data fields that aren't there
3.4.11 09/10/2000 - Released
return NULL for IPv6 access control lists if it is disabled rather than
random garbage.
fix for getting protocol & packet length for IPv6 packets for pullup.
update plog script from version 0.8 to version 0.10
patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.
3.4.10 03/09/2000 - Released
merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'
getline() adjusts linenum now
add tcphalfclosed timeout
fill in icmp_nextmtu field if it is defined on the platform
RST generation fix from guido
force 32bit compile for gcc on solaris if it can't generate 64bit code
encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG
fix up line wrap problems in plog script
fix ICMP packet handling to not drop valid ICMP errors
freebsd 5.0 compat changes
3.4.9 08/08/2000 - Released
implement new aging mechanism in fr_tcp_age()
fix icmp state checking bug
revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Caseper Dik)
open ipfilter device read only if we know we can
print out better information for ICMP packets in ipmon
move checking for source spoofed packets to a point where we can generate
logs of them
return EFAULT from ircopyptr/iwcopyptr
don't do ioctl(SIOCGETFS) for auth stats
fix up freeing mbufs for post-4.3BSD
fix returning of inc from ftp proxy
fix bugs with ipfs -R/-W (Caseper Dik)
3.4.8 19/07/2000 - Released
create fake opt_inet6.h for FreeBSD-4 compile as LKM
add #ifdef's for KLD_MODULE sanity
NAT fastroute'd packets which come out of return-*
fix upper/lower case crap in ftp proxy and get seq# checking fixed up.
3.4.7 08/07/2000 - Released
make "ipf -y" lookup NAT if's which are unknown
prepend line numbers to ioctl error messages in ipf/ipnat
don't apply patches to FreeBSD twice
allow for ip_len to be on an unaligned boundary early on in fr_precheck
fix printing of icmp code when it is 0
correct printing of port numbers in map rules with from/to
don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.
3.4.6 11/06/2000 - Released
add extra regression tests for new nat functionality
place restrictions on using '!' in map/rdr rules
fix up solaris compile problems
3.4.5 10/06/2000 - Released
mention -sl in ipfstat.8
fix/support '!' in from/to rules (rdr) for NAT
add from/to support to rdr NAT rules
don't send ICMP errors in response to ICMP errors
fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot
input accounting list used for both outbound and inbound packets
3.4.4 23/05/2000 - Released
3.4.4 23/05/2000 - Released
don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.
add patch to work with 4.0_STABLE delayed checksums
3.4.3 20/05/2000 - Released
3.4.3 20/05/2000 - Released
fix ipmon -F

dist/ipf/Makefile vendored

@ -1,23 +1,27 @@
#
# Copyright (C) 1993-2001 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
# Id: Makefile,v 2.11.2.13 2002/03/06 09:43:15 darrenr Exp
# Id: Makefile,v 2.76.2.1 2004/03/06 14:32:46 darrenr Exp
#
SHELL=/bin/sh
BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/local/man
#To test prototyping
CC=gcc -Wstrict-prototypes -Wmissing-prototypes
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes
# -Wunused -Wuninitialized
#CC=gcc
#CC=cc -Dconst=
DEBUG=-g
TOP=../..
CFLAGS=-I$$(TOP)
# -O
CFLAGS=-I$$(TOP) -D_BSD_SOURCE
CPU=`uname -m`
CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`
IPFILKERN=`/bin/ls -1tr /usr/src/sys/compile | grep -v .bak | tail -1`
OBJ=.
#
# To enable this to work as a Loadable Kernel Module...
#
@ -27,14 +31,48 @@ IPFLKM=-DIPFILTER_LKM
#
IPFLOG=-DIPFILTER_LOG
#
# To enable loading filter rules compiled to C code...
#
#COMPIPF=-DIPFILTER_COMPILED
#
# To enable synchronisation between IPFilter hosts
#
#SYNC=-DIPFILTER_SYNC
#
# To enable extended IPFilter functionality
#
LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN
#
# The facility you wish to log messages from ipmon to syslogd with.
#
LOGFAC=-DLOGFAC=LOG_LOCAL0
#
# To enable rules to be written with BPF syntax, uncomment these two lines.
#
#IPFBPF=-DIPFILTER_BPF -I/usr/local/include
#LIBBPF=-L/usr/local/lib -lpcap
#
# HP-UX and Solaris require this uncommented for BPF.
#
#BPFILTER=bpf_filter.o
#
# LINUXKERNEL is the path to the top of your Linux kernel source tree.
# By default IPFilter looks for /usr/src/linux, but you may have to change
# it to /usr/src/linux-2.4 or similar.
#
LINUXKERNEL=/usr/src/linux-2.4
#
# All of the compile-time options are here, used for compiling the userland
# tools for regression testing. Well, all except for IPFILTER_LKM, of course.
#
ALLOPTS=-DIPFILTER_LOG -DIPFILTER_COMPILED -DIPFILTER_LOOKUP \
-DIPFILTER_SCAN -DIPFILTER_SYNC -DIPFILTER_CKSUM
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
# (requires that you have installed ncurses).
STATETOP_CFLAGS=-DSTATETOP
#STATETOP_CFLAGS=-DSTATETOP
#
# Where to find the ncurses include files (if not in default path),
#
@ -43,7 +81,7 @@ STATETOP_CFLAGS=-DSTATETOP
#
# How to link the ncurses library
#
STATETOP_LIB=-lcurses
#STATETOP_LIB=-lncurses
#STATETOP_LIB=-L/usr/local/lib -lncurses
#
@ -59,14 +97,16 @@ STATETOP_LIB=-lcurses
#
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
#
MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6) $(IPFLOG)' \
MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(SGIREV) $(INET6)' \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)" 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' \
"LIBBPF=$(LIBBPF)" "CPUDIR=$(CPUDIR)" "IPFBPF=$(IPFBPF)" \
'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' "BPFILTER=$(BPFILTER)" \
'STATETOP_INC=$(STATETOP_INC)' 'STATETOP_LIB=$(STATETOP_LIB)' \
"BITS=$(BITS)" "OBJ=$(OBJ)"
DEST="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)"
"BITS=$(BITS)" "OBJ=$(OBJ)" "LOOKUP=$(LOOKUP)" "COMPIPF=$(COMPIPF)" \
'SYNC=$(SYNC)' 'ALLOPTS=$(ALLOPTS)' 'LIBBPF=$(LIBBPF)'
MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)"
MACHASSERT=`find /usr/sys -name mach_assert.h -print`
#
SHELL=/bin/sh
#
@ -88,10 +128,12 @@ all:
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
@echo "freebsd3 - compile for FreeBSD-3.x"
@echo "freebsd4 - compile for FreeBSD-4.x"
@echo "freebsd5 - compile for FreeBSD-5.x"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@echo "linux - compile for Linux 2.0.31+"
@echo "hpux - compile for HP-UX 11.00"
@echo "osf - compile for OSF/Tru64 5.1"
@echo ""
tests:
@ -100,185 +142,228 @@ tests:
include:
if [ ! -f netinet/done ] ; then \
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .; ); \
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
touch netinet/done; \
fi
if [ ! -f net/done ] ; then \
(cd net; ln -s ../radix_ipf.h .; ); \
touch net/done; \
fi
sunos solaris: include
CC="$(CC)" ./buildsunos
MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
@if [ -n $(IPFILKERN) ] ; then \
-if [ x$(IPFILKERN) != x ] ; then \
if [ -f /sys/compile/$(IPFILKERN)/ioconf.h ] ; then \
ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$$y; \
else \
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$$y; \
fi \
elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
echo -n "Can't find ioconf.h in "; \
echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
exit 1;\
else \
ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
x=`uname -v|sed -e 's@^.*:\(/[^: ]*\).*$$@\1/ioconf.h@'`; \
y=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`; \
if [ ! -f $$x ] ; then \
echo -n "Can't find ioconf.h at $$x "; \
exit 1;\
else \
ln -s $$x BSD/$$y ; \
fi \
fi
make freebsd
freebsd4: include
if [ x$INET6 = x ] ; then \
freebsd5: include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
echo "#define INET6" > opt_inet6.h; \
fi
if [ x$(ENABLE_PFIL) = x ] ; then \
echo "#undef PFIL_HOOKS" > opt_pfil.h; \
else \
echo "#define PFIL_HOOKS" > opt_pfil.h; \
fi
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
freebsd4 : include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
echo "#define INET6" > opt_inet6.h; \
fi
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "DLKM=-DKLD_MODULE -I/sys"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "LKMR=ipfrule.ko" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
freebsd3 freebsd30: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" LKM= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" "MLR=mlf_rule.o" LKM= LKMR=; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
netbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
openbsd openbsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mlo_ipl.c" "MLR=mlo_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
freebsd freebsd20 freebsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c" "MLR=mlf_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
osf tru64: null include
make setup "TARGOS=OSF" "CPUDIR=`OSF/cpurev`"
(cd OSF/`OSF/cpurev`; make build TRU64=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "MACHASSERT=$(MACHASSERT)" "OSREV=`../cpurev`"; cd ..)
(cd OSF/`OSF/cpurev`; make -f Makefile.ipsend build TRU64=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..)
bsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
bsdi bsdos: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= LKMR= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend build "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) SGI=`../getrev` $(MFLAGS); else smake build SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi;)
-(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi)
linux: include
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
./buildlinux
linuxrev:
(cd Linux/$(CPUDIR); make build TOP=../.. $(DEST) $(MFLAGS) LKM= ; cd ..)
(cd Linux/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); cd ..)
make setup TARGOS=IRIX CPUDIR=`IRIX/cpurev`
if [ "x${SGIREV}" = "x" ] ; then \
make irix "SGIREV=-D_KMEMUSER -DIRIX=`IRIX/getrev`"; \
else \
(cd IRIX/`IRIX/cpurev`; smake -l -J 1 build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \
(cd IRIX/`IRIX/cpurev`; make -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \
fi
setup:
-if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi
-rm -f $(TARGOS)/$(CPUDIR)/Makefile $(TARGOS)/$(CPUDIR)/Makefile.ipsend
-ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile
-if [ ! -f $(TARGOS)/$(CPUDIR)/Makefile.std -a \
-f $(TARGOS)/Makefile.std ] ; then \
ln -s ../Makefile.std $(TARGOS)/$(CPUDIR)/Makefile.std; \
fi
-if [ ! -f $(TARGOS)/$(CPUDIR)/Makefile.ipsend.std -a \
-f $(TARGOS)/Makefile.ipsend.std ] ; then \
ln -s ../Makefile.ipsend.std $(TARGOS)/$(CPUDIR)/Makefile.ipsend.std; \
fi
-ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend
-if [ -f $(TARGOS)/Makefile.common ] ; then \
rm -f $(TARGOS)/$(CPUDIR)/Makefile.common; \
ln -s ../Makefile.common $(TARGOS)/$(CPUDIR)/Makefile.common;\
fi
clean: clean-include
/bin/rm -rf h y.output
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
vnode_if.h $(LKM) *~
${RM} -rf sparcv7 sparcv9
(cd SunOS4; make clean)
(cd SunOS5; make clean)
(cd BSD; make clean)
(cd Linux; make clean)
if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; make clean); fi
[ -d test ] && (cd test; make clean)
(cd ipsend; make clean)
/bin/rm -rf sparcv7 sparcv9 mdbgen_build
(cd SunOS4; $(MAKE) TOP=.. clean)
-(cd SunOS5; $(MAKE) TOP=.. clean)
(cd BSD; $(MAKE) TOP=.. clean)
(cd HPUX; $(MAKE) BITS=32 TOP=.. clean)
(cd Linux; $(MAKE) TOP=.. clean)
(cd OSF; $(MAKE) TOP=.. clean)
if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; $(MAKE) clean); fi
[ -d test ] && (cd test; $(MAKE) clean)
(cd ipsend; $(MAKE) clean)
clean-include:
sh -c 'cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done'
${RM} -f netinet/done
sh -c 'if [ -d netinet ] ; then cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi'
sh -c 'if [ -d net ] ; then cd net; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi'
${RM} -f netinet/done net/done
clean-bsd: clean-include
(cd BSD; make clean)
(cd BSD; make TOP=.. clean)
clean-hpux: clean-include
(cd HPUX; $(MAKE) BITS=32 clean)
clean-osf: clean-include
(cd OSF; make clean)
clean-linux: clean-include
(cd Linux; make clean)
clean-sunos4: clean-include
(cd SunOS4; make clean)
clean-sunos5: clean-include
(cd SunOS5; make clean)
(cd SunOS5; $(MAKE) clean)
/bin/rm -rf sparcv?
clean-irix: clean-include
(cd IRIX; make clean)
(cd IRIX; $(MAKE) clean)
clean-linux: clean-include
(cd Linux; make clean)
h/xti.h:
mkdir -p h
ln -s /usr/include/sys/xti.h h
get:
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
mls_ipl.c ip_compat.h ipl.h opt.c ip_fil.c ipl_ldev.c \
parse.c ip_fil.h ipmon.c pcap.h ip_sfil.c ipt.c snoop.h \
ip_state.c ip_state.h ip_nat.c ip_nat.h ip_frag.c \
ip_frag.h ip_sfil.c misc.c; do \
if [ ! -f $$i ] ; then \
echo "getting $$i"; \
sccs get $$i; \
fi \
done
hpux: include h/xti.h
make setup CPUDIR=`HPUX/cpurev` TARGOS=HPUX
(cd HPUX/`HPUX/cpurev`; $(MAKE) build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..)
(cd HPUX/`HPUX/cpurev`; $(MAKE) -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..)
sunos4 solaris1:
(cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
(cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2:
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
(cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
sunos5x86 solaris2x86:
sunos5x86 solaris2x86: null
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
install-linux:
(cd Linux/$(CPUDIR); make install "TOP=../.." $(DEST) $(MFLAGS); cd ..)
(cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(DEST) $(MFLAGS); cd ..)
linux: null include
(cd Linux; make build LINUX=`uname -r | awk -F. ' { for(i=0;i<NF;i++){printf("%02d",$$(i+1));}}'` TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
# (cd Linux; make -f Makefile.ipsend build LINUX=`uname -r | awk -F. ' { for(i=0;i<NF;i++){printf("%02d",$$(i+1));}}'` TOP=.. "CC=$(CC)" $(MFLAGS); cd ..)
install-linux: linux
(cd Linux/$(CPUDIR); make LINUX=`uname -r | awk -F. ' { for(i=0;i<NF;i++){printf("%02d",$$(i+1));}}'` TOP=../.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) install ; cd ..)
install-bsd:
(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-sunos4: solaris
(cd SunOS4; $(MAKE) "CPU=$(CPU)" "TOP=.." install)
(cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
install-sunos5: solaris
(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
(cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install)
install-hpux: hpux
(cd HPUX/`HPUX/cpurev`; $(MAKE) CPU=$(CPU) TOP=../.. "BITS=`getconf KERNEL_BITS`" install)
install-irix: irix
(cd IRIX; smake install "CPU=$(CPU) TOP=.." $(DEST) $(MFLAGS))
(cd IRIX; smake install CPU=$(CPU) TOP=.. $(DEST) $(MFLAGS) CPUDIR=`./cpurev`)
rcsget:
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
mls_ipl.c ip_compat.h ipl.h opt.c ip_fil.c ipl_ldev.c \
parse.c ip_fil.h ipmon.c pcap.h ip_sfil.c ipt.c snoop.h \
ip_state.c ip_state.h ip_nat.c ip_nat.h ip_frag.c \
ip_frag.h ip_sfil.c misc.c; do \
if [ ! -f $$i ] ; then \
echo "getting $$i"; \
co $$i; \
fi \
done
install-osf install-tru64:
(cd OSF/`OSF/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
(cd OSF/`OSF/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
do-cvs:
find . -type d -name CVS -print | xargs /bin/rm -rf
find . -type f -name .cvsignore -print | xargs /bin/rm -f
/bin/rm -f ip_msnrpc_pxy.c ip_sunrpc_pxy.c
ip_rules.c ip_rules.h: rules/ip_rules tools/ipfcomp.c
-./ipf -cc -f rules/ip_rules 2>/dev/null 1>&2
null:
-@if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \
echo 'Do not use GNU make (gmake) to compile IPFilter'; \
exit 1; \
fi
-@echo make ok
mdb:
/bin/rm -rf mdbgen_build
mdbgen -D_KERNEL -DIPFILTER_LOG -DIPFILTER_LOOKUP -DSUNDDI \
-DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \
-I/home/dr146992/pfil -I/home/dr146992/ipf -f \
/usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h

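--- /dev/null
+++ b/dist/ipf/OpenBSD/files.diffs
@@ -0,0 +1,18 @@
+*** files.FCS Thu May 1 06:21:14 1997
+--- files Mon Oct 27 14:08:53 1997
+***************
+*** 299,304 ****
+--- 299,311 ----
+file netinet/ip_nat.c ipfilter
+file netinet/ip_frag.c ipfilter
+file netinet/ip_state.c ipfilter
++ file netinet/ip_proxy.c ipfilter
++ file netinet/ip_auth.c ipfilter
++ file netinet/ip_log.c ipfilter
++ file netinet/ip_scan.c ipfilter
++ file netinet/ip_sync.c ipfilter
++ file netinet/ip_pool.c ipfilter_pool
++ file netinet/ip_rules.c ipfilter_compiled
+file netinet/ip_ah.c inet & ipsec
+file netinet/ip_esp.c inet & ipsec
+file netinet/ip_espdes.c inet & ipsec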

82
dist/ipf/OpenBSD/kinstall vendored Normal file

@ -0,0 +1,82 @@
#! /bin/sh
#
# kinstall/minstall - install patches to kernel sources
#
# WARNING: This script should be run exactly once on a virgin system
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
argv0=`basename $0`
dir=`pwd`
karch=`uname -m`
archdir="/sys/arch/$karch"
confdir="$archdir/conf"
case "$dir" in
*/OpenBSD )
cd ..
;;
esac
echo -n "Backing up existing kernel sources ..."
backup=""
for i in fil.c ip_fil.[ch] ip_frag.[ch] ip_nat.[ch] ip_state.[ch] ip_fil_compat.h; do
if [ -e /sys/netinet/$i ] ; then
backup="${backup} ${i}"
fi
done
if [ -n "$backup" ] ; then
( cd /sys/netinet ; tar cf ipfbackup.tar $backup )
fi
echo
echo -n "Installing "
for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_ftp_pxy.c ip_rcmd_pxy.c ip_raudio_pxy.c; do
echo -n "$i "
cp $i /sys/netinet/
chmod 644 /sys/netinet/$i
done
echo
if [ -f /sys/conf/files ] ; then
echo "Patching /sys/conf/files ..."
cat OpenBSD/files.diffs | (cd /sys/conf; patch)
ip_files=`egrep '^file.*ipfilter' /sys/conf/files | wc -l`
if [ $ip_files -lt 8 ] ; then
echo "Patching /sys/conf/files ..."
cat OpenBSD/files.diffs | (cd /sys/conf; patch)
fi
fi
if [ -f /sys/netinet/ip_fil_compat.h ] ; then
echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h"
rm /sys/netinet/ip_fil_compat.h
ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h
fi
echo -n "Kernel configuration to update [GENERIC] "
read newconfig junk
if [ -n "$newconfig" ] ; then
config="$confdir/$newconfig"
else
newconfig="$confdir/GENERIC"
fi
if egrep 'option.*IPFILTER' $confdir/$newconfig > /dev/null 2>&1 ; then
echo "$newconfig already contains proper options statement..."
echo 'You will now need to build a new kernel.'
else
echo "Backing up $newconfig to .bak and adding IPFILTER options..."
if [ -f $confdir/$newconfig ]; then
mv $confdir/$newconfig $confdir/$newconfig.bak
fi
if [ -d $archdir/compile/$newconfig ]; then
mv $archdir/compile/$newconfig $archdir/compile/$newconfig.bak
fi
awk '{print $0} $2=="INET"{print "options IPFILTER"}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
fi
exit 0

21
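--- a/dist/ipf/OpenBSD/mknewipf.sh
+++ b/dist/ipf/OpenBSD/mknewipf.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+# documented from
+# http://www.tfsb.org/ipf-openbsd/
+ARCH=sparc
+KERNEL=MULAN
+IPF=ip-fil3.4.17
+rm -rf $IPF
+tar zxf $IPF.tar.gz
+cd $IPF
+perl -pi -e "s/#STATETOP_CFLAGS=/STATETOP_CFLAGS=/" Makefile
+perl -pi -e "s/#STATETOP_INC=$/STATETOP_INC=/" Makefile
+perl -pi -e "s/#STATETOP_LIB=-lncurses/STATETOP_LIB=-lcurses/" Makefile
+perl -pi -e "s/#INET6/INET6/" Makefile
+make openbsd
+make install-bsd
+cd OpenBSD
+echo $KERNEL | ./kinstall >/dev/null 2>&1
+cd /usr/src/sys/arch/$ARCH/conf
+config $KERNEL
+cd /usr/src/sys/arch/$ARCH/compile/$KERNEL
+make clean && make depend && make && mv /bsd /bsd.old && mv bsd /bsd && reboot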

23
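--- a/dist/ipf/OpenBSD/patch.1
+++ b/dist/ipf/OpenBSD/patch.1
@@ -0,0 +1,23 @@
+.\" $NetBSD: patch.1,v 1.3 2004/03/28 09:00:55 martti Exp $
+.\"
+*** net/if_bridge.c.orig Sat Mar 20 07:47:33 1999
+--- net/if_bridge.c Wed Sep 15 22:44:16 1999
+***************
+*** 55,62 ****
+#include <netinet/in_var.h>
+#include <netinet/ip.h>
+#include <netinet/if_ether.h>
+! #ifdef IPFILTER
+! #include <netinet/ip_fil_compat.h>
+#include <netinet/ip_fil.h>
+#endif
+#endif
+--- 55,62 ----
+#include <netinet/in_var.h>
+#include <netinet/ip.h>
+#include <netinet/if_ether.h>
+! #if (defined(IPFILTER) || defined(IPFILTER_LKM))
+! #include <netinet/ip_compat.h>
+#include <netinet/ip_fil.h>
+#endif
+#endif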

53
dist/ipf/OpenBSD/unkinstall vendored Normal file

@ -0,0 +1,53 @@
#! /bin/sh
#
# kinstall/minstall - install patches to kernel sources
#
# WARNING: This script should be run exactly once on a virgin system
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
# try to bomb out fast if anything fails....
set -e
argv0=`basename $0`
dir=`pwd`
karch=`uname -m`
archdir="/sys/arch/$karch"
confdir="$archdir/conf"
case "$dir" in
*/OpenBSD )
cd ..
;;
esac
echo -n "Removing "
for i in ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h ip_proxy.[ch] ip_ftp_pxy.c ip_auth.[ch] ip_log.c
do
echo -n "/sys/netinet/$i "
/bin/rm -f /sys/netinet/$i
done
echo
if [ -f /sys/netinet/ipfbackup.tar ] ; then
echo -n "Restoring old kernel sources"
( cd /sys/netinet ; tar xpf ipfbackup.tar )
fi
echo
echo "Unpatching /sys/conf/files ..."
cat OpenBSD/files.diffs | (cd /sys/conf; patch -R)
echo -n "Kernel configuration to update [GENERIC] "
read newconfig junk
if [ -n "$newconfig" ] ; then
config="$confdir/$newconfig"
else
newconfig="$confdir/GENERIC"
fi
mv $archdir/compile/$newconfig $archdir/compile/$newconfig.bak
egrep -v 'IPFILTER' $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0

275
dist/ipf/QNX_OCL.txt vendored

@ -1,275 +0,0 @@
End User License Certificate (EULA) End User License Certificate
(EULA)
Support Support
QNX Source Licenses QNX Source Licenses
License of the month
Confidential Source License
Version 1.0
QNX Open Community License Version 1.0
THIS QNX OPEN COMMUNITY LICENSE ( "THE OCL", OR "THIS AGREEMENT")
APPLIES TO PROGRAMS THAT QNX SOFTWARE SYSTEMS LTD. ("QSS") EXPRESSLY
ELECTS TO LICENSE UNDER THE OCL TERMS. IT ALSO APPLIES TO DERIVATIVE
WORKS CREATED UNDER THIS AGREEMENT THAT CREATORS ELECT TO LICENSE TO
OTHERS IN SOURCE CODE FORM. ANY USE, REPRODUCTION, MODIFICATION OR
DISTRIBUTION OF SUCH PROGRAMS CONSTITUTES RECIPIENT'S ACCEPTANCE OF
THE OCL. THE LICENSE RIGHTS GRANTED BELOW ARE CONDITIONAL UPON
RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT AND THE FORMATION OF A
BINDING CONTRACT. NOTHING ELSE GRANTS PERMISSION TO USE, REPRODUCE,
MODIFY OR DISTRIBUTE SUCH PROGRAMS OR THEIR DERIVATIVE WORKS. THESE
ACTIONS ARE OTHERWISE PROHIBITED. CONTACT QSS IF OTHER STEPS ARE
REQUIRED LOCALLY TO CREATE A BINDING CONTRACT.
The OCL is intended to promote the development, use and distribution
of derivative works created from QSS source code. This includes
commercial distribution of object code versions under the terms of
Recipient's own license agreement and, at Recipient's option, sharing
of source code modifications within the QNX developer's community. The
license granted under the OCL is royalty free. Recipient is entitled
to charge royalties for object code versions of derivative works that
originate with Recipient. If Recipient elects to license source code
for its derivative works to others, then it must be licensed under the
OCL. The terms of the OCL are as follows:
1. DEFINITIONS
"Contribution" means:
a. in the case of QSS: (i) the Original Program, where the Original
Program originates from QSS, (ii) changes and/or additions to
Unrestricted Open Source, where the Original Program originates
from Unrestricted Open Source and where such changes and/or
additions originate from QSS, and (iii) changes and/or additions
to the Program where such changes and/or additions originate from
QSS.
b. in the case of each Contributor, changes and/or additions to the
Program, where such changes and/or additions originate from and
are distributed by that particular Contributor.
A Contribution 'originates' from a Contributor if it was added to the
Program by such Contributor itself or anyone acting on such
Contributor's behalf. Contributions do not include additions to the
Program which: (i) are separate modules of software distributed in
conjunction with the Program under their own license agreement, and
(ii) are not derivative works of the Program.
"Contributor" means QSS and any other entity that distributes the
Program.
"Licensed Patents " mean patent claims licensable by Contributor to
others, which are necessarily infringed by the use or sale of its
Contribution alone or when combined with the Program.
"Unrestricted Open Source" means published source code that is
licensed for free use and distribution under an unrestricted licensing
and distribution model, such as the Berkley Software Design ("BSD")
and "BSD-like" licenses. It specifically excludes any source code
licensed under any version of the GNU General Public License (GPL) or
the GNU Lesser/Library GPL. All "Unrestricted Open Source" license
terms appear or are clearly identified in the header of any affected
source code for the Original Program.
"Original Program" means the original version of the software
accompanying this Agreement as released by QSS, including source code,
object code and documentation, if any.
"Program" means the Original Program and Contributions.
"Recipient" means anyone who receives the Program under this
Agreement, including all Contributors.
2. GRANT OF RIGHTS
a. Subject to the terms of this Agreement, each Contributor hereby
grants Recipient a non-exclusive, worldwide, royalty-free
copyright license to reproduce, prepare derivative works of,
publicly display, publicly perform, and directly and indirectly
sublicense and distribute the Contribution of such Contributor, if
any, and such derivative works, in source code and object code
form.
b. Subject to the terms of this Agreement, each Contributor hereby
grants Recipient a non-exclusive, worldwide, royalty-free patent
license under Licensed Patents to make, use, sell, offer to sell,
import and otherwise transfer the Contribution of such
Contributor, if any, in source code and object code form. This
patent license shall apply to the combination of the Contribution
and the Program if, at the time the Contribution is added by the
Contributor, such addition of the Contribution causes such
combination to be covered by the Licensed Patents. The patent
license shall not apply to any other combinations which include
the Contribution.
c. Recipient understands that although each Contributor grants the
licenses to its Contributions set forth herein, no assurances are
provided by any Contributor that the Program does not infringe the
patent or other intellectual property rights of any other entity.
Each Contributor disclaims any liability to Recipient for claims
brought by any other entity based on infringement of intellectual
property rights or otherwise. As a condition to exercising the
rights and licenses granted hereunder, each Recipient hereby
assumes sole responsibility to secure any other intellectual
property rights needed, if any. For example, if a third party
patent license is required to allow Recipient to distribute the
Program, it is Recipient's responsibility to acquire that license
before distributing the Program.
d. Each Contributor represents that to its knowledge it has
sufficient copyright rights in its Contribution, if any, to grant
the copyright license set forth in this Agreement.
3. REQUIREMENTS
A Contributor may choose to distribute the Program in object code form
under its own license agreement, provided that:
a. it complies with the terms and conditions of this Agreement; and
b. its license agreement:
i. effectively disclaims on behalf of all Contributors all
warranties and conditions, express and implied, including
warranties or conditions of title and non-infringement, and
implied warranties or conditions of merchantability and
fitness for a particular purpose;
ii. effectively excludes on behalf of all Contributors all
liability for damages, including direct, indirect, special,
incidental and consequential damages, such as lost profits;
and
iii. states that any provisions which differ from this Agreement
are offered by that Contributor alone and not by any other
party.
If the Program is made available in source code form:
a. it must be made available under this Agreement; and
b. a copy of this Agreement must be included with each copy of the
Program. Each Contributor must include the following in a
conspicuous location in the Program along with any other copyright
or attribution statements required by the terms of any applicable
Unrestricted Open Source license:
Copyright {date here}, QNX Software Systems Ltd. and others. All
Rights Reserved.
In addition, each Contributor must identify itself as the originator
of its Contribution, if any, in a manner that reasonably allows
subsequent Recipients to identify the originator of the Contribution.
4. COMMERCIAL DISTRIBUTION
Commercial distributors of software may accept certain
responsibilities with respect to end users, business partners and the
like. While this license is intended to facilitate the commercial use
of the Program, the Contributor who includes the Program in a
commercial product offering should do so in a manner which does not
create potential liability for other Contributors. Therefore, if a
Contributor includes the Program in a commercial product offering,
such Contributor ("Commercial Contributor") hereby agrees to defend
and indemnify every other Contributor ("Indemnified Contributor")
against any losses, damages and costs (collectively "Losses") arising
from claims, lawsuits and other legal actions brought by a third party
against the Indemnified Contributor to the extent caused by the acts
or omissions of such Commercial Contributor in connection with its
distribution of the Program in a commercial product offering. The
obligations in this section do not apply to any claims or Losses
relating to any actual or alleged intellectual property infringement.
In order to qualify, an Indemnified Contributor must: a) promptly
notify the Commercial Contributor in writing of such claim, and b)
allow the Commercial Contributor to control, and cooperate with the
Commercial Contributor in, the defense and any related settlement
negotiations. The Indemnified Contributor may participate in any such
claim at its own expense.
For example, a Contributor might include the Program in a commercial
product offering, Product X. That Contributor is then a Commercial
Contributor. If that Commercial Contributor then makes performance
claims, or offers warranties related to Product X, those performance
claims and warranties are such Commercial Contributor's responsibility
alone. Under this section, the Commercial Contributor would have to
defend claims against the other Contributors related to those
performance claims and warranties, and if a court requires any other
Contributor to pay any damages as a result, the Commercial Contributor
must pay those damages.
5. NO WARRANTY
Recipient acknowledges that there may be errors or bugs in the Program
and that it is imperative that Recipient conduct thorough testing to
identify and correct any problems prior to the productive use or
commercial release of any products that use the Program, and prior to
the release of any modifications, updates or enhancements thereto.
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS
PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY
WARRANTIES OR CONDITIONS OF TITLE, NON- INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
responsible for determining the appropriateness of using and
distributing the Program and assumes all risks associated with its
exercise of rights under this Agreement, including but not limited to
the risks and costs of program errors, compliance with applicable
laws, damage to or loss of data, programs or equipment, and
unavailability or interruption of operations.
6. DISCLAIMER OF LIABILITY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR
DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED
HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. GENERAL
If any provision of this Agreement is invalid or unenforceable under
applicable law, it shall not affect the validity or enforceability of
the remainder of the terms of this Agreement, and without further
action by the parties hereto, such provision shall be reformed to the
minimum extent necessary to make such provision valid and enforceable.
If Recipient institutes patent litigation against a Contributor with
respect to a patent applicable to software (including a cross-claim or
counterclaim in a lawsuit), then any patent licenses granted by that
Contributor to such recipient under this Agreement shall terminate as
of the date such litigation is filed. In addition, If Recipient
institutes patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Program
itself (excluding combinations of the Program with other software or
hardware) infringes such Recipient's patent(s), then such Recipient's
rights granted under Section 2(b) shall terminate as of the date such
litigation is filed.
All Recipient's rights under this Agreement shall terminate if it
fails to comply with any of the material terms or conditions of this
Agreement and does not cure such failure in a reasonable period of
time after becoming aware of such noncompliance. If all Recipient's
rights under this Agreement terminate, Recipient agrees to cease use
and distribution of the Program as soon as reasonably practicable.
However, Recipient's obligations under this Agreement and any licenses
granted by Recipient relating to the Program shall continue and
survive.
QSS may publish new versions (including revisions) of this Agreement
from time to time. Each new version of the Agreement will be given a
distinguishing version number. The Program (including Contributions)
may always be distributed subject to the version of the Agreement
under which it was received. In addition, after a new version of the
Agreement is published, Contributor may elect to distribute the
Program (including its Contributions) under the new version. No one
other than QSS has the right to modify this Agreement. Except as
expressly stated in Sections 2(a) and 2(b) above, Recipient receives
no rights or licenses to the intellectual property of any Contributor
under this Agreement, whether expressly, by implication, estoppel or
otherwise. All rights in the Program not expressly granted under this
Agreement are reserved.
This Agreement is governed by the laws in force in the Province of
Ontario, Canada without regard to the conflict of law provisions
therein. The parties expressly disclaim the provisions of the United
Nations Convention on Contracts for the International Sale of Goods.
No party to this Agreement will bring a legal action under this
Agreement more than one year after the cause of action arose. Each
party waives its rights to a jury trial in any resulting litigation.
* QNX is a registered trademark of QNX Software Systems Ltd.
Document Version: ocl1_00


@ -1,10 +0,0 @@
NOTE: To all those upgrading from versions prior to 3.2.11 who used NAT
AND setup ACL's to allow untranslated address through from outside,
THIS HAS BEEN FIXED
so your ACL's will now be `broken'. Please correct your ACL's to
match the the untranslated addresses (the way it was meant to work).
Darren

614
dist/ipf/common.c vendored

@ -1,614 +0,0 @@
/* $NetBSD: common.c,v 1.2 2002/04/09 02:32:51 thorpej Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#else
#include <sys/byteorder.h>
#endif
#include <sys/param.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
#include <syslog.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ipf.h"
#include "facpri.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
extern int opts;
extern int use_inet6;
char *proto = NULL;
char flagset[] = "FSRPAUEC";
u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
TH_ECN, TH_CWR };
void fill6bits __P((int, u_32_t *));
int count6bits __P((u_32_t *));
static char thishost[MAXHOSTNAMELEN];
void initparse()
{
gethostname(thishost, sizeof(thishost));
thishost[sizeof(thishost) - 1] = '\0';
}
int genmask(msk, mskp)
char *msk;
u_32_t *mskp;
{
char *endptr = NULL;
#ifdef USE_INET6
u_32_t addr;
#endif
int bits;
if (index(msk, '.') || index(msk, 'x') || index(msk, ':')) {
/* possibly of the form xxx.xxx.xxx.xxx
* or 0xYYYYYYYY */
#ifdef USE_INET6
if (use_inet6) {
if (inet_pton(AF_INET6, msk, &addr) != 1)
return -1;
} else
#endif
if (inet_aton(msk, (struct in_addr *)mskp) == 0)
return -1;
} else {
/*
* set x most significant bits
*/
bits = (int)strtol(msk, &endptr, 0);
if ((*endptr != '\0') ||
((bits > 32) && !use_inet6) || (bits < 0) ||
((bits > 128) && use_inet6))
return -1;
if (use_inet6)
fill6bits(bits, mskp);
else {
if (bits == 0)
*mskp = 0;
else
*mskp = htonl(0xffffffff << (32 - bits));
}
}
return 0;
}
void fill6bits(bits, msk)
int bits;
u_32_t *msk;
{
int i;
for (i = 0; bits >= 32 && i < 4 ; ++i, bits -= 32)
msk[i] = 0xffffffff;
if (bits > 0 && i < 4)
msk[i++] = htonl(0xffffffff << (32 - bits));
while (i < 4)
msk[i++] = 0;
}
/*
* returns -1 if neither "hostmask/num" or "hostmask mask addr" are
* found in the line segments, there is an error processing this information,
* or there is an error processing ports information.
*/
int hostmask(seg, sa, msk, pp, cp, tp, linenum)
char ***seg;
u_32_t *sa, *msk;
u_short *pp, *tp;
int *cp;
int linenum;
{
struct in_addr maskaddr;
char *s;
/*
* is it possibly hostname/num ?
*/
if ((s = index(**seg, '/')) ||
((s = index(**seg, ':')) && !index(s + 1, ':'))) {
*s++ = '\0';
if (genmask(s, msk) == -1) {
fprintf(stderr, "%d: bad mask (%s)\n", linenum, s);
return -1;
}
if (hostnum(sa, **seg, linenum) == -1) {
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
}
*sa &= *msk;
(*seg)++;
return ports(seg, pp, cp, tp, linenum);
}
/*
* look for extra segments if "mask" found in right spot
*/
if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
if (hostnum(sa, **seg, linenum) == -1) {
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
}
(*seg)++;
(*seg)++;
if (inet_aton(**seg, &maskaddr) == 0) {
fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
return -1;
}
*msk = maskaddr.s_addr;
(*seg)++;
*sa &= *msk;
return ports(seg, pp, cp, tp, linenum);
}
if (**seg) {
if (hostnum(sa, **seg, linenum) == -1) {
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
}
(*seg)++;
if (use_inet6) {
u_32_t k = 0;
if (sa[0] || sa[1] || sa[2] || sa[3])
k = 0xffffffff;
msk[0] = msk[1] = msk[2] = msk[3] = k;
}
else
*msk = *sa ? 0xffffffff : 0;
return ports(seg, pp, cp, tp, linenum);
}
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
}
/*
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
int hostnum(ipa, host, linenum)
u_32_t *ipa;
char *host;
int linenum;
{
struct hostent *hp;
struct netent *np;
struct in_addr ip;
if (!strcasecmp("any", host))
return 0;
#ifdef USE_INET6
if (use_inet6) {
if (inet_pton(AF_INET6, host, ipa) == 1)
return 0;
else
return -1;
}
#endif
if (isdigit(*host) && inet_aton(host, &ip)) {
*ipa = ip.s_addr;
return 0;
}
if (!strcasecmp("<thishost>", host))
host = thishost;
if (!(hp = gethostbyname(host))) {
if (!(np = getnetbyname(host))) {
fprintf(stderr, "%d: can't resolve hostname: %s\n",
linenum, host);
return -1;
}
*ipa = htonl(np->n_net);
return 0;
}
*ipa = *(u_32_t *)hp->h_addr;
return 0;
}
/*
* check for possible presence of the port fields in the line
*/
int ports(seg, pp, cp, tp, linenum)
char ***seg;
u_short *pp, *tp;
int *cp;
int linenum;
{
int comp = -1;
if (!*seg || !**seg || !***seg)
return 0;
if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
(*seg)++;
if (isalnum(***seg) && *(*seg + 2)) {
if (portnum(**seg, pp, linenum) == 0)
return -1;
(*seg)++;
if (!strcmp(**seg, "<>"))
comp = FR_OUTRANGE;
else if (!strcmp(**seg, "><"))
comp = FR_INRANGE;
else {
fprintf(stderr,
"%d: unknown range operator (%s)\n",
linenum, **seg);
return -1;
}
(*seg)++;
if (**seg == NULL) {
fprintf(stderr, "%d: missing 2nd port value\n",
linenum);
return -1;
}
if (portnum(**seg, tp, linenum) == 0)
return -1;
} else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
comp = FR_EQUAL;
else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
comp = FR_NEQUAL;
else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
comp = FR_LESST;
else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
comp = FR_GREATERT;
else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
comp = FR_LESSTE;
else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
comp = FR_GREATERTE;
else {
fprintf(stderr, "%d: unknown comparator (%s)\n",
linenum, **seg);
return -1;
}
if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
(*seg)++;
if (portnum(**seg, pp, linenum) == 0)
return -1;
}
*cp = comp;
(*seg)++;
}
return 0;
}
/*
* find the port number given by the name, either from getservbyname() or
* straight atoi(). Return 1 on success, 0 on failure
*/
int portnum(name, port, linenum)
char *name;
u_short *port;
int linenum;
{
struct servent *sp, *sp2;
u_short p1 = 0;
int i;
if (isdigit(*name)) {
if (ratoi(name, &i, 0, USHRT_MAX)) {
*port = (u_short)i;
return 1;
}
fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
return 0;
}
if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
sp = getservbyname(name, proto);
if (sp) {
*port = ntohs(sp->s_port);
return 1;
}
fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
return 0;
}
sp = getservbyname(name, "tcp");
if (sp)
p1 = sp->s_port;
sp2 = getservbyname(name, "udp");
if (!sp || !sp2) {
fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
linenum, name);
return 0;
}
if (p1 != sp2->s_port) {
fprintf(stderr, "%d: %s %d/tcp is a different port to ",
linenum, name, p1);
fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
return 0;
}
*port = ntohs(p1);
return 1;
}
u_char tcp_flags(flgs, mask, linenum)
char *flgs;
u_char *mask;
int linenum;
{
u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
char *s, *t;
if (*flgs == '0') {
s = strchr(flgs, '/');
if (s)
*s++ = '\0';
tcpf = strtol(flgs, NULL, 0);
fp = &tcpfm;
} else
s = flgs;
for (; *s; s++) {
if (*s == '/' && fp == &tcpf) {
fp = &tcpfm;
if (*(s + 1) == '0')
break;
continue;
}
if (!(t = index(flagset, *s))) {
fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
return 0;
}
*fp |= flags[t - flagset];
}
if (s && *s == '0')
tcpfm = strtol(s, NULL, 0);
if (!tcpfm) {
if (tcpf == TH_SYN)
tcpfm = 0xff & ~(TH_ECN|TH_CWR);
else
tcpfm = 0xff & ~(TH_ECN);
}
*mask = tcpfm;
return tcpf;
}
/*
* count consecutive 1's in bit mask. If the mask generated by counting
* consecutive 1's is different to that passed, return -1, else return #
* of bits.
*/
int countbits(ip)
u_32_t ip;
{
u_32_t ipn;
int cnt = 0, i, j;
ip = ipn = ntohl(ip);
for (i = 32; i; i--, ipn *= 2)
if (ipn & 0x80000000)
cnt++;
else
break;
ipn = 0;
for (i = 32, j = cnt; i; i--, j--) {
ipn *= 2;
if (j > 0)
ipn++;
}
if (ipn == ip)
return cnt;
return -1;
}
int count6bits(msk)
u_32_t *msk;
{
int i = 0, k;
u_32_t j;
for (k = 3; k >= 0; k--)
if (msk[k] == 0xffffffff)
i += 32;
else {
for (j = msk[k]; j; j <<= 1)
if (j & 0x80000000)
i++;
}
return i;
}
char *portname(pr, port)
int pr, port;
{
static char buf[32];
struct protoent *p = NULL;
struct servent *sv = NULL, *sv1 = NULL;
if (pr == -1) {
if ((sv = getservbyport(htons(port), "tcp"))) {
strncpy(buf, sv->s_name, sizeof(buf)-1);
buf[sizeof(buf)-1] = '\0';
sv1 = getservbyport(htons(port), "udp");
sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
NULL : sv1;
}
if (sv)
return buf;
} else if (pr && (p = getprotobynumber(pr))) {
if ((sv = getservbyport(htons(port), p->p_name))) {
strncpy(buf, sv->s_name, sizeof(buf)-1);
buf[sizeof(buf)-1] = '\0';
return buf;
}
}
(void) sprintf(buf, "%d", port);
return buf;
}
int ratoi(ps, pi, min, max)
char *ps;
int *pi, min, max;
{
int i;
char *pe;
i = (int)strtol(ps, &pe, 0);
if (*pe != '\0' || i < min || i > max)
return 0;
*pi = i;
return 1;
}
int ratoui(ps, pi, min, max)
char *ps;
u_int *pi, min, max;
{
u_int i;
char *pe;
i = (u_int)strtol(ps, &pe, 0);
if (*pe != '\0' || i < min || i > max)
return 0;
*pi = i;
return 1;
}
void printhostmask(v, addr, mask)
int v;
u_32_t *addr, *mask;
{
struct in_addr ipa;
int ones;
#ifdef USE_INET6
if (v == 6) {
ones = count6bits(mask);
if (ones == 0 && !addr[0] && !addr[1] && !addr[2] && !addr[3])
printf("any");
else {
char ipbuf[64];
printf("%s/%d",
inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf)),
ones);
}
}
else
#endif
if (!*addr && !*mask)
printf("any");
else {
ipa.s_addr = *addr;
printf("%s", inet_ntoa(ipa));
if ((ones = countbits(*mask)) == -1) {
ipa.s_addr = *mask;
printf("/%s", inet_ntoa(ipa));
} else
printf("/%d", ones);
}
}
void printportcmp(pr, frp)
int pr;
frpcmp_t *frp;
{
static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
"<>", "><"};
if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
printf(" port %d %s %d", frp->frp_port,
pcmp1[frp->frp_cmp], frp->frp_top);
else
printf(" port %s %s", pcmp1[frp->frp_cmp],
portname(pr, frp->frp_port));
}
void printbuf(buf, len, zend)
char *buf;
int len, zend;
{
char *s, c;
int i;
for (s = buf, i = len; i; i--) {
c = *s++;
if (isprint(c))
putchar(c);
else
printf("\\%03o", c);
if ((c == '\0') && zend)
break;
}
}
char *hostname(v, ip)
int v;
void *ip;
{
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
#endif
struct in_addr ipa;
if (v == 4) {
ipa.s_addr = *(u_32_t *)ip;
return inet_ntoa(ipa);
}
#ifdef USE_INET6
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
hostbuf[MAXHOSTNAMELEN] = '\0';
return hostbuf;
#else
return "IPv6";
#endif
}


@ -2359,8 +2359,8 @@ dpserve 7020/tcp # DP Serve
dpserve 7020/udp # DP Serve
dpserveadmin 7021/tcp # DP Serve Admin
dpserveadmin 7021/udp # DP Serve Admin
raudio 7070/tcp @ Real Audio
arcp 7070/tcp # ARCP
raudio 7070/tcp # Real Audio
arcp 7070/udp # ARCP
clutild 7174/tcp # Clutild
clutild 7174/udp # Clutild

154
dist/ipf/facpri.c vendored

@ -1,154 +0,0 @@
/* $NetBSD: facpri.c,v 1.4 2002/04/09 02:32:51 thorpej Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#endif
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <syslog.h>
#include "facpri.h"
#ifndef __STDC__
# define const
#endif
#if !defined(lint)
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: facpri.c,v 1.3.2.4 2001/07/15 22:06:12 darrenr Exp";
#endif
typedef struct table {
char *name;
int value;
} table_t;
table_t facs[] = {
{ "kern", LOG_KERN }, { "user", LOG_USER },
{ "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
{ "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
{ "lpr", LOG_LPR }, { "news", LOG_NEWS },
{ "uucp", LOG_UUCP },
#if LOG_CRON == LOG_CRON2
{ "cron2", LOG_CRON1 },
#else
{ "cron", LOG_CRON1 },
#endif
#ifdef LOG_FTP
{ "ftp", LOG_FTP },
#endif
#ifdef LOG_AUTHPRIV
{ "authpriv", LOG_AUTHPRIV },
#endif
#ifdef LOG_AUDIT
{ "audit", LOG_AUDIT },
#endif
#ifdef LOG_LFMT
{ "logalert", LOG_LFMT },
#endif
#if LOG_CRON == LOG_CRON1
{ "cron", LOG_CRON2 },
#else
{ "cron2", LOG_CRON2 },
#endif
#ifdef LOG_SECURITY
{ "security", LOG_SECURITY },
#endif
{ "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
{ "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
{ "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
{ "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
{ NULL, 0 }
};
/*
* map a facility number to its name
*/
char *
fac_toname(facpri)
int facpri;
{
int i, j, fac;
fac = facpri & LOG_FACMASK;
j = fac >> 3;
if (j < 24) {
if (facs[j].value == fac)
return facs[j].name;
for (i = 0; facs[i].name; i++)
if (fac == facs[i].value)
return facs[i].name;
}
return NULL;
}
/*
* map a facility name to its number
*/
int
fac_findname(name)
char *name;
{
int i;
for (i = 0; facs[i].name; i++)
if (!strcmp(facs[i].name, name))
return facs[i].value;
return -1;
}
table_t pris[] = {
{ "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
{ "crit", LOG_CRIT }, { "err", LOG_ERR },
{ "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
{ "info", LOG_INFO }, { "debug", LOG_DEBUG },
{ NULL, 0 }
};
/*
* map a priority name to its number
*/
int
pri_findname(name)
char *name;
{
int i;
for (i = 0; pris[i].name; i++)
if (!strcmp(pris[i].name, name))
return pris[i].value;
return -1;
}
/*
* map a priority number to its name
*/
char *
pri_toname(facpri)
int facpri;
{
int i, pri;
pri = facpri & LOG_PRIMASK;
if (pris[pri].value == pri)
return pris[pri].name;
for (i = 0; pris[i].name; i++)
if (pri == pris[i].value)
return pris[i].name;
return NULL;
}

42
dist/ipf/facpri.h vendored

@ -1,42 +0,0 @@
/* $NetBSD: facpri.h,v 1.3 2002/01/24 08:21:31 martti Exp $ */
/*
* Copyright (C) 1999-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* Id: facpri.h,v 1.3.2.1 2001/06/26 10:43:11 darrenr Exp
*/
#ifndef __FACPRI_H__
#define __FACPRI_H__
#ifndef __P
# define P_DEF
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
extern char *fac_toname __P((int));
extern int fac_findname __P((char *));
extern char *pri_toname __P((int));
extern int pri_findname __P((char *));
#ifdef P_DEF
# undef __P
# undef P_DEF
#endif
#if LOG_CRON == (9<<3)
# define LOG_CRON1 LOG_CRON
# define LOG_CRON2 (15<<3)
#endif
#if LOG_CRON == (15<<3)
# define LOG_CRON1 (9<<3)
# define LOG_CRON2 LOG_CRON
#endif
#endif /* __FACPRI_H__ */

1536
dist/ipf/fils.c vendored


633
dist/ipf/ipf.c vendored

@ -1,633 +0,0 @@
/* $NetBSD: ipf.c,v 1.13 2002/09/19 08:10:38 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#if !defined(__SVR4) && !defined(__GNUC__)
#include <strings.h>
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#include <stdlib.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#include "ipf.h"
#include "ipl.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp";
#endif
#if SOLARIS
static void blockunknown __P((void));
#endif
#if !defined(__SVR4) && defined(__GNUC__)
extern char *index __P((const char *, int));
#endif
extern char *optarg;
void frsync __P((void));
void zerostats __P((void));
int main __P((int, char *[]));
int opts = 0;
int use_inet6 = 0;
static int fd = -1;
static void procfile __P((char *, char *)), flushfilter __P((char *));
static void set_state __P((u_int)), showstats __P((friostat_t *));
static void packetlogon __P((char *)), swapactive __P((void));
static int opendevice __P((char *));
static void closedevice __P((void));
static char *getline __P((char *, size_t, FILE *, int *));
static char *ipfname = IPL_NAME;
static void usage __P((void));
static int showversion __P((void));
static int get_flags __P((void));
#if SOLARIS
# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
#else
# define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
#endif
static void usage()
{
fprintf(stderr, "usage: ipf [-%s] %s %s %s\n", OPTS,
"[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
exit(1);
}
int main(argc,argv)
int argc;
char *argv[];
{
int c;
while ((c = getopt(argc, argv, OPTS)) != -1) {
switch (c)
{
case '6' :
use_inet6 = 1;
break;
case 'A' :
opts &= ~OPT_INACTIVE;
break;
case 'E' :
set_state((u_int)1);
break;
case 'D' :
set_state((u_int)0);
break;
case 'd' :
opts |= OPT_DEBUG;
break;
case 'f' :
procfile(argv[0], optarg);
break;
case 'F' :
flushfilter(optarg);
break;
case 'I' :
opts |= OPT_INACTIVE;
break;
case 'l' :
packetlogon(optarg);
break;
case 'n' :
opts |= OPT_DONOTHING;
break;
case 'o' :
break;
case 'P' :
ipfname = IPL_AUTH;
break;
case 'r' :
opts |= OPT_REMOVE;
break;
case 's' :
swapactive();
break;
#if SOLARIS
case 'U' :
blockunknown();
break;
#endif
case 'v' :
opts += OPT_VERBOSE;
break;
case 'V' :
if (showversion())
exit(1);
break;
case 'y' :
frsync();
break;
case 'z' :
opts |= OPT_ZERORULEST;
break;
case 'Z' :
zerostats();
break;
default :
usage();
break;
}
}
if (fd != -1)
(void) close(fd);
exit(0);
/* NOTREACHED */
}
static int opendevice(ipfdev)
char *ipfdev;
{
if (opts & OPT_DONOTHING)
return -2;
if (!ipfdev)
ipfdev = ipfname;
if (!(opts & OPT_DONOTHING) && fd == -1)
if ((fd = open(ipfdev, O_RDWR)) == -1)
if ((fd = open(ipfdev, O_RDONLY)) == -1) {
perror("open device");
if (errno == ENODEV)
fprintf(stderr, "IPFilter enabled?\n");
}
return fd;
}
static void closedevice()
{
close(fd);
fd = -1;
}
static int get_flags()
{
int i;
if ((opendevice(ipfname) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) {
perror("SIOCGETFF");
return 0;
}
return i;
}
static void set_state(enable)
u_int enable;
{
if (opendevice(ipfname) != -2)
if (ioctl(fd, SIOCFRENB, &enable) == -1) {
if (errno == EBUSY)
fprintf(stderr,
"IP Filter: already initialized\n");
else
perror("SIOCFRENB");
}
return;
}
static void procfile(name, file)
char *name, *file;
{
FILE *fp;
char line[513], *s;
struct frentry *fr;
u_int add, del;
int linenum = 0;
(void) opendevice(ipfname);
if (opts & OPT_INACTIVE) {
add = SIOCADIFR;
del = SIOCRMIFR;
} else {
add = SIOCADAFR;
del = SIOCRMAFR;
}
if (opts & OPT_DEBUG)
printf("add %x del %x\n", add, del);
initparse();
if (!strcmp(file, "-"))
fp = stdin;
else if (!(fp = fopen(file, "r"))) {
fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
STRERROR(errno));
exit(1);
}
while (getline(line, sizeof(line), fp, &linenum)) {
/*
* treat CR as EOL. LF is converted to NUL by getline().
*/
if ((s = index(line, '\r')))
*s = '\0';
/*
* # is comment marker, everything after is a ignored
*/
if ((s = index(line, '#')))
*s = '\0';
if (!*line)
continue;
if (opts & OPT_VERBOSE)
(void)fprintf(stderr, "[%s]\n", line);
fr = parse(line, linenum);
(void)fflush(stdout);
if (fr) {
if (opts & OPT_ZERORULEST)
add = SIOCZRLST;
else if (opts & OPT_INACTIVE)
add = (u_int)fr->fr_hits ? SIOCINIFR :
SIOCADIFR;
else
add = (u_int)fr->fr_hits ? SIOCINAFR :
SIOCADAFR;
if (fr->fr_hits)
fr->fr_hits--;
if (fr && (opts & OPT_VERBOSE))
printfr(fr);
if (fr && (opts & OPT_OUTQUE))
fr->fr_flags |= FR_OUTQUE;
if (opts & OPT_DEBUG)
binprint(fr);
if ((opts & OPT_ZERORULEST) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCZRLST)");
} else {
#ifdef USE_QUAD_T
printf("hits %qd bytes %qd ",
(long long)fr->fr_hits,
(long long)fr->fr_bytes);
#else
printf("hits %ld bytes %ld ",
fr->fr_hits, fr->fr_bytes);
#endif
printfr(fr);
}
} else if ((opts & OPT_REMOVE) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, del, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(delete rule)");
}
} else if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(add/insert rule)");
}
}
}
}
if (ferror(fp) || !feof(fp)) {
fprintf(stderr, "%s: %s: file error or line too long\n",
name, file);
exit(1);
}
(void)fclose(fp);
}
/*
* Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
* Returns NULL if error occured, EOF encounterd or input line is too long.
*/
static char *getline(str, size, file, linenum)
register char *str;
size_t size;
FILE *file;
int *linenum;
{
char *p;
int s, len;
do {
for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
/*
* if an error occured, EOF was encounterd, or there
* was no room to put NUL, return NULL.
*/
if (fgets(p, s, file) == NULL)
return (NULL);
len = strlen(p);
if (p[len - 1] != '\n') {
p[len] = '\0';
break;
}
(*linenum)++;
p[len - 1] = '\0';
if (len < 2 || p[len - 2] != '\\')
break;
else
/*
* Convert '\\' to a space so words don't
* run together
*/
p[len - 2] = ' ';
}
} while (*str == '\0');
return (str);
}
static void packetlogon(opt)
char *opt;
{
int flag;
flag = get_flags();
if (flag != 0) {
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
printf("log flag is currently %#x\n", flag);
}
flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
if (index(opt, 'p')) {
flag |= FF_LOGPASS;
if (opts & OPT_VERBOSE)
printf("set log flag: pass\n");
}
if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) {
flag |= FF_LOGNOMATCH;
if (opts & OPT_VERBOSE)
printf("set log flag: nomatch\n");
}
if (index(opt, 'b') || index(opt, 'd')) {
flag |= FF_LOGBLOCK;
if (opts & OPT_VERBOSE)
printf("set log flag: block\n");
}
if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0))
perror("ioctl(SIOCSETFF)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
flag = get_flags();
printf("log flag is now %#x\n", flag);
}
}
static void flushfilter(arg)
char *arg;
{
int fl = 0, rem;
if (!arg || !*arg)
return;
if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
if (*arg == 'S')
fl = 0;
else
fl = 1;
rem = fl;
closedevice();
if (opendevice(IPL_STATE) != -2 &&
ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s (%d)\n", arg, rem);
printf("removed %d filter rules\n", fl);
}
closedevice();
return;
}
if (strchr(arg, 'i') || strchr(arg, 'I'))
fl = FR_INQUE;
if (strchr(arg, 'o') || strchr(arg, 'O'))
fl = FR_OUTQUE;
if (strchr(arg, 'a') || strchr(arg, 'A'))
fl = FR_OUTQUE|FR_INQUE;
fl |= (opts & FR_INACTIVE);
rem = fl;
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
(rem & FR_OUTQUE) ? "O" : "", rem);
printf("removed %d filter rules\n", fl);
}
return;
}
static void swapactive()
{
int in = 2;
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
perror("ioctl(SIOCSWAPA)");
else
printf("Set %d now inactive\n", in);
}
void frsync()
{
int frsyn = 0;
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
perror("SIOCFRSYN");
else
printf("filter sync'd\n");
}
void zerostats()
{
friostat_t fio;
friostat_t *fiop = &fio;
if (opendevice(ipfname) != -2) {
if (ioctl(fd, SIOCFRZST, &fiop) == -1) {
perror("ioctl(SIOCFRZST)");
exit(-1);
}
showstats(fiop);
}
}
/*
* read the kernel stats for packets blocked and passed
*/
static void showstats(fp)
friostat_t *fp;
{
#if SOLARIS
printf("dropped packets:\tin %lu\tout %lu\n",
fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
printf("non-ip packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
printf(" bad packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
#endif
printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
fp->f_st[0].fr_nom);
printf(" counted %lu\n", fp->f_st[0].fr_acct);
printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
fp->f_st[1].fr_nom);
printf(" counted %lu\n", fp->f_st[0].fr_acct);
printf(" input packets logged:\tblocked %lu passed %lu\n",
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
printf("output packets logged:\tblocked %lu passed %lu\n",
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
}
#if SOLARIS
static void blockunknown()
{
u_32_t flag;
if (opendevice(ipfname) == -1)
return;
flag = get_flags();
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
printf("log flag is currently %#x\n", flag);
flag ^= FF_BLOCKNONIP;
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCSETFF, &flag))
perror("ioctl(SIOCSETFF)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
if (ioctl(fd, SIOCGETFF, &flag))
perror("ioctl(SIOCGETFF)");
printf("log flag is now %#x\n", flag);
}
}
#endif
static int showversion()
{
struct friostat fio;
struct friostat *fiop=&fio;
u_32_t flags;
char *s;
int vfd;
printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
if ((vfd = open(ipfname, O_RDONLY)) == -1) {
perror("open device");
return 1;
}
if (ioctl(vfd, SIOCGETFS, &fiop)) {
perror("ioctl(SIOCGETFS)");
close(vfd);
return 1;
}
close(vfd);
flags = get_flags();
printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
(int)sizeof(fio.f_version), fio.f_version);
printf("Running: %s\n", fio.f_running ? "yes" : "no");
printf("Log Flags: %#x = ", flags);
s = "";
if (flags & FF_LOGPASS) {
printf("pass");
s = ", ";
}
if (flags & FF_LOGBLOCK) {
printf("%sblock", s);
s = ", ";
}
if (flags & FF_LOGNOMATCH) {
printf("%snomatch", s);
s = ", ";
}
if (flags & FF_BLOCKNONIP) {
printf("%snonip", s);
s = ", ";
}
if (!*s)
printf("none set");
putchar('\n');
printf("Default: ");
if (fio.f_defpass & FR_PASS)
s = "pass";
else if (fio.f_defpass & FR_BLOCK)
s = "block";
else
s = "nomatch -> block";
printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
printf("Active list: %d\n", fio.f_active);
return 0;
}

345
dist/ipf/ipf.h vendored

@ -1,74 +1,123 @@
/* $NetBSD: ipf.h,v 1.4 2002/01/24 08:21:32 martti Exp $ */
/* $NetBSD: ipf.h,v 1.5 2004/03/28 09:00:53 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* Id: ipf.h,v 2.9.2.6 2002/01/03 08:00:12 darrenr Exp
* Id: ipf.h,v 2.71.2.2 2004/03/19 23:02:50 darrenr Exp
*/
#ifndef __IPF_H__
#define __IPF_H__
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#if defined(__osf__)
# define radix_mask ipf_radix_mask
# define radix_node ipf_radix_node
# define radix_node_head ipf_radix_node_head
#endif
#define OPT_REMOVE 0x000001
#define OPT_DEBUG 0x000002
#define OPT_OUTQUE FR_OUTQUE /* 0x00004 */
#define OPT_INQUE FR_INQUE /* 0x00008 */
#define OPT_LOG FR_LOG /* 0x00010 */
#define OPT_SHOWLIST 0x000020
#define OPT_VERBOSE 0x000040
#define OPT_DONOTHING 0x000080
#define OPT_HITS 0x000100
#define OPT_BRIEF 0x000200
#define OPT_ACCNT FR_ACCOUNT /* 0x0400 */
#define OPT_FRSTATES FR_KEEPFRAG /* 0x0800 */
#define OPT_IPSTATES FR_KEEPSTATE /* 0x1000 */
#define OPT_INACTIVE FR_INACTIVE /* 0x2000 */
#define OPT_SHOWLINENO 0x004000
#define OPT_PRINTFR 0x008000
#define OPT_ZERORULEST 0x010000
#define OPT_SAVEOUT 0x020000
#define OPT_AUTHSTATS 0x040000
#define OPT_RAW 0x080000
#define OPT_NAT 0x100000
#define OPT_GROUPS 0x200000
#define OPT_STATETOP 0x400000
#define OPT_FLUSH 0x800000
#define OPT_CLEAR 0x1000000
#define OPT_HEX 0x2000000
#define OPT_NODO 0x80000000
#define OPT_STAT OPT_FRSTATES
#define OPT_LIST OPT_SHOWLIST
#include <sys/param.h>
#include <sys/types.h>
#include <sys/file.h>
/*
* This is a workaround for <sys/uio.h> troubles on FreeBSD, HPUX, OpenBSD.
* Needed here because on some systems <sys/uio.h> gets included by things
* like <sys/socket.h>
*/
#ifndef _KERNEL
# define ADD_KERNEL
# define _KERNEL
# define KERNEL
#endif
#ifdef __OpenBSD__
struct file;
#endif
#include <sys/uio.h>
#ifdef ADD_KERNEL
# undef _KERNEL
# undef KERNEL
#endif
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#ifndef TCP_PAWS_IDLE /* IRIX */
# include <netinet/tcp.h>
#endif
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>
#if !defined(__SVR4) && !defined(__svr4__) && defined(sun)
# include <strings.h>
#endif
#include <string.h>
#include <unistd.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
#include "netinet/ip_scan.h"
#include "netinet/ip_htable.h"
#include "opts.h"
#ifndef __P
# ifdef __STDC__
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
struct ipstate;
struct frpcmp;
struct ipnat;
struct nat;
#ifdef ultrix
extern char *strdup __P((char *));
#ifndef __STDC__
# undef const
# define const
#endif
extern struct frentry *parse __P((char *, int));
#ifndef U_32_T
# define U_32_T 1
# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
defined(__sgi)
typedef u_int32_t u_32_t;
# else
# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
typedef unsigned int u_32_t;
# else
# if SOLARIS2 >= 6
typedef uint32_t u_32_t;
# else
typedef unsigned int u_32_t;
# endif
# endif
# endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
#endif /* U_32_T */
extern void printfr __P((struct frentry *));
extern void binprint __P((struct frentry *)), initparse __P((void));
extern int portnum __P((char *, u_short *, int));
#ifndef MAXHOSTNAMELEN
# define MAXHOSTNAMELEN 256
#endif
#define MAX_ICMPCODE 16
#define MAX_ICMPTYPE 19
struct ipopt_names {
@ -79,47 +128,177 @@ struct ipopt_names {
};
extern char *proto;
typedef struct alist_s {
struct alist_s *al_next;
int al_not;
i6addr_t al_i6addr;
i6addr_t al_i6mask;
} alist_t;
#define al_addr al_i6addr.in4_addr
#define al_mask al_i6mask.in4_addr
#define al_1 al_addr
#define al_2 al_mask
typedef struct {
u_short fb_c;
u_char fb_t;
u_char fb_f;
u_32_t fb_k;
} fakebpf_t;
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
SOLARIS || defined(__sgi) || defined(__osf__) || defined(linux)
# include <stdarg.h>
typedef int (* ioctlfunc_t) __P((int, ioctlcmd_t, ...));
#else
typedef int (* ioctlfunc_t) __P((dev_t, ioctlcmd_t, void *));
#endif
typedef void (* addfunc_t) __P((int, ioctlfunc_t, void *));
typedef int (* copyfunc_t) __P((void *, void *, size_t));
/*
* SunOS4
*/
#if defined(sun) && !defined(__SVR4) && !defined(__svr4__)
extern int ioctl __P((int, int, void *));
#endif
extern char thishost[];
extern char flagset[];
extern u_char flags[];
extern struct ipopt_names ionames[];
extern struct ipopt_names secclass[];
extern char *icmpcodes[MAX_ICMPCODE + 1];
extern char *icmptypes[MAX_ICMPTYPE + 1];
extern int use_inet6;
extern int lineNum;
extern struct ipopt_names v6ionames[];
extern u_char tcp_flags __P((char *, u_char *, int));
extern int countbits __P((u_32_t));
extern int ratoi __P((char *, int *, int, int));
extern int ratoui __P((char *, u_int *, u_int, u_int));
extern int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, int *,
u_short *, int));
extern int ports __P((char ***, u_short *, int *, u_short *, int));
extern char *portname __P((int, int));
extern u_32_t buildopts __P((char *, char *, int));
extern int genmask __P((char *, u_32_t *));
extern int hostnum __P((u_32_t *, char *, int));
extern u_32_t optname __P((char ***, u_short *, int));
extern void printpacket __P((ip_t *));
extern void printpacket6 __P((ip_t *));
extern void printportcmp __P((int, struct frpcmp *));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
extern void printbuf __P((char *, int, int));
extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int));
extern void printnat __P((struct ipnat *, int));
extern void printactivenat __P((struct nat *, int));
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int addkeep __P((char ***, struct frentry *, int));
extern int bcopywrap __P((void *, void *, size_t));
extern void binprint __P((void *, size_t));
extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));
extern int checkrev __P((char *));
extern int count6bits __P((u_32_t *));
extern int count4bits __P((u_32_t));
extern int extras __P((char ***, struct frentry *, int));
extern char *fac_toname __P((int));
extern int fac_findname __P((char *));
extern void fill6bits __P((int, u_int *));
extern int gethost __P((char *, u_32_t *));
extern int getport __P((char *));
extern int getportproto __P((char *, int));
extern int getproto __P((char *));
extern char *getline __P((char *, size_t, FILE *, int *));
extern int genmask __P((char *, u_32_t *));
extern char *getnattype __P((struct ipnat *));
extern char *getsumd __P((u_32_t));
extern u_32_t getoptbyname __P((char *));
extern u_32_t getoptbyvalue __P((int));
extern u_32_t getv6optbyname __P((char *));
extern u_32_t getv6optbyvalue __P((int));
extern void hexdump __P((FILE *, void *, int, int));
extern int hostmask __P((char ***, char *, char *, u_32_t *, u_32_t *, int));
extern int hostnum __P((u_32_t *, char *, int, char *));
extern int icmpcode __P((char *));
extern int icmpidnum __P((char *, u_short *, int));
extern void initparse __P((void));
extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
extern void ipf_addrule __P((int, ioctlfunc_t, void *));
extern int ipf_parsefile __P((int, addfunc_t, ioctlfunc_t *, char *));
extern int ipf_parsesome __P((int, addfunc_t, ioctlfunc_t *, FILE *));
extern int ipmon_parsefile __P((char *));
extern int ipmon_parsesome __P((FILE *));
extern void ipnat_addrule __P((int, ioctlfunc_t, void *));
extern int ipnat_parsefile __P((int, addfunc_t, ioctlfunc_t, char *));
extern int ipnat_parsesome __P((int, addfunc_t, ioctlfunc_t, FILE *));
extern int ippool_parsefile __P((int, char *, ioctlfunc_t));
extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t));
extern int kmemcpywrap __P((void *, void *, size_t));
extern char *kvatoname __P((ipfunc_t, ioctlfunc_t));
extern int load_hash __P((struct iphtable_s *, struct iphtent_s *,
ioctlfunc_t));
extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t));
extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
extern int loglevel __P((char **, u_int *, int));
extern alist_t *make_range __P((int, struct in_addr, struct in_addr));
extern ipfunc_t nametokva __P((char *, ioctlfunc_t));
extern ipnat_t *natparse __P((char *, int));
extern void natparsefile __P((int, char *, int));
extern void nat_setgroupmap __P((struct ipnat *));
extern int ntomask __P((int, int, u_32_t *));
extern u_32_t optname __P((char ***, u_short *, int));
extern struct frentry *parse __P((char *, int));
extern char *portname __P((int, int));
extern int portnum __P((char *, char *, u_short *, int));
extern int ports __P((char ***, char *, u_short *, int *, u_short *, int));
extern int pri_findname __P((char *));
extern char *pri_toname __P((int));
extern void print_toif __P((char *, struct frdest *));
extern void printaps __P((ap_session_t *, int));
extern void printbuf __P((char *, int, int));
extern void printfr __P((struct frentry *, ioctlfunc_t));
extern void printtunable __P((ipftune_t *));
extern struct iphtable_s *printhash __P((struct iphtable_s *,
copyfunc_t, int));
extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
struct iphtent_s *,
copyfunc_t, int));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
extern void printip __P((u_32_t *));
extern void printlog __P((struct frentry *));
extern void printlookup __P((i6addr_t *addr, i6addr_t *mask));
extern void printmask __P((u_32_t *));
extern void printpacket __P((struct ip *));
extern void printpacket6 __P((struct ip *));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t, int));
extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
extern void printportcmp __P((int, struct frpcmp *));
extern void optprint __P((u_short *, u_long, u_long));
#ifdef USE_INET6
extern void optprintv6 __P((u_short *, u_long, u_long));
#endif
extern int ratoi __P((char *, int *, int, int));
extern int ratoui __P((char *, u_int *, u_int, u_int));
extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t));
extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int remove_pool __P((ip_pool_t *, ioctlfunc_t));
extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
extern u_char tcp_flags __P((char *, u_char *, int));
extern u_char tcpflags __P((char *));
extern int to_interface __P((struct frdest *, char *, int));
extern void printc __P((struct frentry *));
extern void printC __P((int));
extern void emit __P((int, int, void *, struct frentry *));
extern u_char secbit __P((int));
extern u_char seclevel __P((char *));
extern void printfraginfo __P((char *, struct ipfr *));
extern void printifname __P((char *, char *, void *));
extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int, u_long));
extern void printsbuf __P((char *));
extern void printnat __P((struct ipnat *, int));
extern void printactivenat __P((struct nat *, int));
extern void printhostmap __P((struct hostmap *, u_int));
extern void printpacket __P((struct ip *));
extern void set_variable __P((char *, char *));
extern char *get_variable __P((char *, char **, int));
extern void resetlexer __P((void));
#if SOLARIS
extern int inet_aton __P((const char *, struct in_addr *));
extern int gethostname __P((char *, int ));
extern void sync __P((void));
#endif
#if defined(sun) && !SOLARIS
# define STRERROR(x) sys_errlist[x]
extern char *sys_errlist[];
#else
# define STRERROR(x) strerror(x)
#endif
#ifndef MIN
#define MIN(a,b) ((a) > (b) ? (b) : (a))
extern int gethostname __P((char *, int ));
extern void sync __P((void));
#endif
#endif /* __IPF_H__ */
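Review bot: The SunOS4 branch of `STRERROR` near the end of ipf.h indexes `sys_errlist[x]` with no range check, so any errno outside `[0, sys_nerr)` (including the `-1`/negative values several ipf tools pass around as error codes) reads past the array and prints or crashes on whatever follows it. Declaring the bound and checking it keeps the macro a drop-in: `extern int sys_nerr;` and `# define STRERROR(x) (((x) >= 0 && (x) < sys_nerr) ? sys_errlist[x] : "Unknown error")`. Separately, the prototype list in this header appears to declare `printpacket __P((struct ip *))` twice and `initparse __P((void))` twice; the rendered view does not mark which side each line is on, but if both copies are on the new side the tail of the list (printc through resetlexer) is unsorted and the duplicates should be dropped so the alphabetical block stays the single source of truth. The `_KERNEL`/`KERNEL` defines wrapped around `<sys/uio.h>` are explained by the comment above them, but a `/* XXX: userland defines _KERNEL; any header pulled in transitively here sees kernel-only declarations */` caveat next to `# define _KERNEL` would save the next reader from assuming it is safe to add includes inside that window.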

806
dist/ipf/ipfs.c vendored

@ -1,806 +0,0 @@
/* $NetBSD: ipfs.c,v 1.10 2002/09/19 08:10:39 martti Exp $ */
/*
* Copyright (C) 1999-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#if !defined(__SVR4) && !defined(__GNUC__)
#include <strings.h>
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#include <stdlib.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#include "ipf.h"
#if !defined(lint)
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp";
#endif
#ifndef IPF_SAVEDIR
# define IPF_SAVEDIR "/var/db/ipf"
#endif
#ifndef IPF_NATFILE
# define IPF_NATFILE "ipnat.ipf"
#endif
#ifndef IPF_STATEFILE
# define IPF_STATEFILE "ipstate.ipf"
#endif
#if !defined(__SVR4) && defined(__GNUC__)
extern char *index __P((const char *, int));
#endif
extern char *optarg;
int main __P((int, char *[]));
void usage __P((void));
int changestateif __P((char *, char *));
int changenatif __P((char *, char *));
int readstate __P((int, char *));
int readnat __P((int, char *));
int writestate __P((int, char *));
int opendevice __P((char *));
void closedevice __P((int));
int setlock __P((int, int));
int writeall __P((char *));
int readall __P((char *));
int writenat __P((int, char *));
int opts = 0;
void usage()
{
fprintf(stderr, "usage: ipfs [-nv] -l\n");
fprintf(stderr, "usage: ipfs [-nv] -u\n");
fprintf(stderr, "usage: ipfs [-nv] [-d <dir>] -R\n");
fprintf(stderr, "usage: ipfs [-nv] [-d <dir>] -W\n");
fprintf(stderr, "usage: ipfs [-nNSv] [-f <file>] -r\n");
fprintf(stderr, "usage: ipfs [-nNSv] [-f <file>] -w\n");
fprintf(stderr, "usage: ipfs [-nNSv] -f <filename> -i <if1>,<if2>\n");
exit(1);
}
/*
* Change interface names in state information saved out to disk.
*/
int changestateif(ifs, fname)
char *ifs, *fname;
{
int fd, olen, nlen, rw;
ipstate_save_t ips;
off_t pos;
char *s;
s = strchr(ifs, ',');
if (!s)
usage();
*s++ = '\0';
nlen = strlen(s);
olen = strlen(ifs);
if (nlen >= sizeof(ips.ips_is.is_ifname) ||
olen >= sizeof(ips.ips_is.is_ifname))
usage();
fd = open(fname, O_RDWR);
if (fd == -1) {
perror("open");
exit(1);
}
for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) {
rw = 0;
if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) {
strcpy(ips.ips_is.is_ifname[0], s);
rw = 1;
}
if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) {
strcpy(ips.ips_is.is_ifname[1], s);
rw = 1;
}
if (rw == 1) {
if (lseek(fd, pos, SEEK_SET) != pos) {
perror("lseek");
exit(1);
}
if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) {
perror("write");
exit(1);
}
}
pos = lseek(fd, 0, SEEK_CUR);
}
close(fd);
return 0;
}
/*
* Change interface names in NAT information saved out to disk.
*/
int changenatif(ifs, fname)
char *ifs, *fname;
{
int fd, olen, nlen, rw;
nat_save_t ipn;
nat_t *nat;
off_t pos;
char *s;
s = strchr(ifs, ',');
if (!s)
usage();
*s++ = '\0';
nlen = strlen(s);
olen = strlen(ifs);
nat = &ipn.ipn_nat;
if (nlen >= sizeof(nat->nat_ifname) || olen >= sizeof(nat->nat_ifname))
usage();
fd = open(fname, O_RDWR);
if (fd == -1) {
perror("open");
exit(1);
}
for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) {
rw = 0;
if (!strncmp(nat->nat_ifname, ifs, olen + 1)) {
strcpy(nat->nat_ifname, s);
rw = 1;
}
if (rw == 1) {
if (lseek(fd, pos, SEEK_SET) != pos) {
perror("lseek");
exit(1);
}
if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) {
perror("write");
exit(1);
}
}
pos = lseek(fd, 0, SEEK_CUR);
}
close(fd);
return 0;
}
int main(argc,argv)
int argc;
char *argv[];
{
int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
char *dirname = NULL, *filename = NULL, *ifs = NULL;
while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
switch (c)
{
case 'd' :
if ((set == 0) && !dirname && !filename)
dirname = optarg;
else
usage();
break;
case 'f' :
if ((set == 0) && !dirname && !filename)
filename = optarg;
else
usage();
break;
case 'i' :
ifs = optarg;
set = 1;
break;
case 'l' :
if (filename || dirname || set)
usage();
lock = 1;
set = 1;
break;
case 'n' :
opts |= OPT_DONOTHING;
break;
case 'N' :
if ((ns >= 0) || dirname || (rw != -1) || set)
usage();
ns = 0;
set = 1;
break;
case 'r' :
if ((ns >= 0) || dirname || (rw != -1))
usage();
rw = 0;
set = 1;
break;
case 'R' :
rw = 2;
set = 1;
break;
case 'S' :
if ((ns >= 0) || dirname || (rw != -1) || set)
usage();
ns = 1;
set = 1;
break;
case 'u' :
if (filename || dirname || set)
usage();
lock = 0;
set = 1;
break;
case 'v' :
opts |= OPT_VERBOSE;
break;
case 'w' :
if (dirname || (rw != -1) || (ns == -1))
usage();
rw = 1;
set = 1;
break;
case 'W' :
rw = 3;
set = 1;
break;
case '?' :
default :
usage();
}
if (ifs) {
if (!filename || ns < 0)
usage();
if (ns == 0)
return changenatif(ifs, filename);
else
return changestateif(ifs, filename);
}
if ((ns >= 0) || (lock >= 0)) {
if (lock >= 0)
devfd = opendevice(NULL);
else if (ns >= 0) {
if (ns == 1)
devfd = opendevice(IPL_STATE);
else if (ns == 0)
devfd = opendevice(IPL_NAT);
}
if (devfd == -1)
exit(1);
}
if (lock >= 0)
err = setlock(devfd, lock);
else if (rw >= 0) {
if (rw & 1) { /* WRITE */
if (rw & 2)
err = writeall(dirname);
else {
if (ns == 0)
err = writenat(devfd, filename);
else if (ns == 1)
err = writestate(devfd, filename);
}
} else {
if (rw & 2)
err = readall(dirname);
else {
if (ns == 0)
err = readnat(devfd, filename);
else if (ns == 1)
err = readstate(devfd, filename);
}
}
}
return err;
}
int opendevice(ipfdev)
char *ipfdev;
{
int fd = -1;
if (opts & OPT_DONOTHING)
return -2;
if (!ipfdev)
ipfdev = IPL_NAME;
if ((fd = open(ipfdev, O_RDWR)) == -1)
if ((fd = open(ipfdev, O_RDONLY)) == -1)
perror("open device");
return fd;
}
void closedevice(fd)
int fd;
{
close(fd);
}
int setlock(fd, lock)
int fd, lock;
{
if (opts & OPT_VERBOSE)
printf("Turn lock %s\n", lock ? "on" : "off");
if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, SIOCSTLCK, &lock) == -1) {
perror("SIOCSTLCK");
return 1;
}
if (opts & OPT_VERBOSE)
printf("Lock now %s\n", lock ? "on" : "off");
}
return 0;
}
int writestate(fd, file)
int fd;
char *file;
{
ipstate_save_t ips, *ipsp;
int wfd = -1;
if (!file)
file = IPF_STATEFILE;
wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
if (wfd == -1) {
fprintf(stderr, "%s ", file);
perror("state:open");
return 1;
}
ipsp = &ips;
bzero((char *)ipsp, sizeof(ips));
do {
if (opts & OPT_VERBOSE)
printf("Getting state from addr %p\n", ips.ips_next);
if (ioctl(fd, SIOCSTGET, &ipsp)) {
if (errno == ENOENT)
break;
perror("state:SIOCSTGET");
close(wfd);
return 1;
}
if (opts & OPT_VERBOSE)
printf("Got state next %p\n", ips.ips_next);
if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) {
perror("state:write");
close(wfd);
return 1;
}
} while (ips.ips_next != NULL);
close(wfd);
return 0;
}
int readstate(fd, file)
int fd;
char *file;
{
ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
int sfd = -1, i;
if (!file)
file = IPF_STATEFILE;
sfd = open(file, O_RDONLY, 0600);
if (sfd == -1) {
fprintf(stderr, "%s ", file);
perror("open");
return 1;
}
bzero((char *)&ips, sizeof(ips));
/*
* 1. Read all state information in.
*/
do {
i = read(sfd, &ips, sizeof(ips));
if (i == -1) {
perror("read");
close(sfd);
return 1;
}
if (i == 0)
break;
if (i != sizeof(ips)) {
fprintf(stderr, "incomplete read: %d != %d\n", i,
(int)sizeof(ips));
close(sfd);
return 1;
}
is = (ipstate_save_t *)malloc(sizeof(*is));
if(!is) {
fprintf(stderr, "malloc failed\n");
return 1;
}
bcopy((char *)&ips, (char *)is, sizeof(ips));
/*
* Check to see if this is the first state entry that will
* reference a particular rule and if so, flag it as such
* else just adjust the rule pointer to become a pointer to
* the other. We do this so we have a means later for tracking
* who is referencing us when we get back the real pointer
* in is_rule after doing the ioctl.
*/
for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next)
if (is1->ips_rule == is->ips_rule)
break;
if (is1 == NULL)
is->ips_is.is_flags |= FI_NEWFR;
else
is->ips_rule = (void *)&is1->ips_rule;
/*
* Use a tail-queue type list (add things to the end)..
*/
is->ips_next = NULL;
if (!ipshead)
ipshead = is;
if (ipstail)
ipstail->ips_next = is;
ipstail = is;
} while (1);
close(sfd);
for (is = ipshead; is; is = is->ips_next) {
if (opts & OPT_VERBOSE)
printf("Loading new state table entry\n");
if (is->ips_is.is_flags & FI_NEWFR) {
if (opts & OPT_VERBOSE)
printf("Loading new filter rule\n");
}
if (!(opts & OPT_DONOTHING))
if (ioctl(fd, SIOCSTPUT, &is)) {
perror("SIOCSTPUT");
return 1;
}
if (is->ips_is.is_flags & FI_NEWFR) {
if (opts & OPT_VERBOSE)
printf("Real rule addr %p\n", is->ips_rule);
for (is1 = is->ips_next; is1; is1 = is1->ips_next)
if (is1->ips_rule == (frentry_t *)&is->ips_rule)
is1->ips_rule = is->ips_rule;
}
}
return 0;
}
int readnat(fd, file)
int fd;
char *file;
{
nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL, *ipnp;
int nfd = -1, i;
nat_t *nat;
if (!file)
file = IPF_NATFILE;
nfd = open(file, O_RDONLY);
if (nfd == -1) {
fprintf(stderr, "%s ", file);
perror("nat:open");
return 1;
}
bzero((char *)&ipn, sizeof(ipn));
ipnp = &ipn;
/*
* 1. Read all state information in.
*/
do {
i = read(nfd, &ipn, sizeof(ipn));
if (i == -1) {
perror("read");
close(nfd);
return 1;
}
if (i == 0)
break;
if (i != sizeof(ipn)) {
fprintf(stderr, "incomplete read: %d != %d\n", i,
(int)sizeof(ipn));
close(nfd);
return 1;
}
if (ipn.ipn_dsize > 0) {
char *s = ipnp->ipn_data;
int n = ipnp->ipn_dsize;
n -= sizeof(ipnp->ipn_data);
in = malloc(sizeof(*in) + n);
if (!in)
break;
s += sizeof(ipnp->ipn_data);
i = read(nfd, s, n);
if (i == 0)
break;
if (i != n) {
fprintf(stderr, "incomplete read: %d != %d\n",
i, n);
close(nfd);
return 1;
}
} else
in = (nat_save_t *)malloc(sizeof(*in));
bcopy((char *)ipnp, (char *)in, sizeof(ipn));
/*
* Check to see if this is the first state entry that will
* reference a particular rule and if so, flag it as such
* else just adjust the rule pointer to become a pointer to
* the other. We do this so we have a means later for tracking
* who is referencing us when we get back the real pointer
* in is_rule after doing the ioctl.
*/
nat = &in->ipn_nat;
if (nat->nat_fr != NULL) {
for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next)
if (in1->ipn_rule == nat->nat_fr)
break;
if (in1 == NULL)
nat->nat_flags |= FI_NEWFR;
else
nat->nat_fr = &in1->ipn_fr;
}
/*
* Use a tail-queue type list (add things to the end)..
*/
in->ipn_next = NULL;
if (!ipnhead)
ipnhead = in;
if (ipntail)
ipntail->ipn_next = in;
ipntail = in;
} while (1);
close(nfd);
for (in = ipnhead; in; in = in->ipn_next) {
if (opts & OPT_VERBOSE)
printf("Loading new NAT table entry\n");
nat = &in->ipn_nat;
if (nat->nat_flags & FI_NEWFR) {
if (opts & OPT_VERBOSE)
printf("Loading new filter rule\n");
}
if (!(opts & OPT_DONOTHING))
if (ioctl(fd, SIOCSTPUT, &in)) {
perror("SIOCSTPUT");
return 1;
}
if (nat->nat_flags & FI_NEWFR) {
if (opts & OPT_VERBOSE)
printf("Real rule addr %p\n", nat->nat_fr);
for (in1 = in->ipn_next; in1; in1 = in1->ipn_next)
if (in1->ipn_rule == &in->ipn_fr)
in1->ipn_rule = nat->nat_fr;
}
}
return 0;
}
int writenat(fd, file)
int fd;
char *file;
{
nat_save_t *ipnp = NULL, *next = NULL;
int nfd = -1;
natget_t ng;
if (!file)
file = IPF_NATFILE;
nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
if (nfd == -1) {
fprintf(stderr, "%s ", file);
perror("nat:open");
return 1;
}
do {
if (opts & OPT_VERBOSE)
printf("Getting nat from addr %p\n", ipnp);
ng.ng_ptr = next;
ng.ng_sz = 0;
if (ioctl(fd, SIOCSTGSZ, &ng)) {
perror("nat:SIOCSTGSZ");
close(nfd);
return 1;
}
if (opts & OPT_VERBOSE)
printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr);
if (ng.ng_sz == 0)
break;
if (!ipnp)
ipnp = malloc(ng.ng_sz);
else
ipnp = realloc((char *)ipnp, ng.ng_sz);
if (!ipnp) {
fprintf(stderr,
"malloc for %d bytes failed\n", ng.ng_sz);
break;
}
bzero((char *)ipnp, ng.ng_sz);
ipnp->ipn_next = next;
if (ioctl(fd, SIOCSTGET, &ipnp)) {
if (errno == ENOENT)
break;
perror("nat:SIOCSTGET");
close(nfd);
return 1;
}
if (opts & OPT_VERBOSE)
printf("Got nat next %p\n", ipnp->ipn_next);
if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) {
perror("nat:write");
close(nfd);
return 1;
}
next = ipnp->ipn_next;
} while (ipnp && next);
close(nfd);
return 0;
}
int writeall(dirname)
char *dirname;
{
int fd, devfd;
if (!dirname)
dirname = IPF_SAVEDIR;
if (chdir(dirname)) {
perror("chdir(IPF_SAVEDIR)");
return 1;
}
fd = opendevice(NULL);
if (fd == -1)
return 1;
if (setlock(fd, 1)) {
close(fd);
return 1;
}
devfd = opendevice(IPL_STATE);
if (devfd == -1)
goto bad;
if (writestate(devfd, NULL))
goto bad;
close(devfd);
devfd = opendevice(IPL_NAT);
if (devfd == -1)
goto bad;
if (writenat(devfd, NULL))
goto bad;
close(devfd);
if (setlock(fd, 0)) {
close(fd);
return 1;
}
return 0;
bad:
setlock(fd, 0);
close(fd);
return 1;
}
int readall(dirname)
char *dirname;
{
int fd, devfd;
if (!dirname)
dirname = IPF_SAVEDIR;
if (chdir(dirname)) {
perror("chdir(IPF_SAVEDIR)");
return 1;
}
fd = opendevice(NULL);
if (fd == -1)
return 1;
if (setlock(fd, 1)) {
close(fd);
return 1;
}
devfd = opendevice(IPL_STATE);
if (devfd == -1)
return 1;
if (readstate(devfd, NULL))
return 1;
close(devfd);
devfd = opendevice(IPL_NAT);
if (devfd == -1)
return 1;
if (readnat(devfd, NULL))
return 1;
close(devfd);
if (setlock(fd, 0)) {
close(fd);
return 1;
}
return 0;
}

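--- a/dist/ipf/ipft_ef.c
+++ b/dist/ipf/ipft_ef.c
@@ -1,159 +0,0 @@
-/* $NetBSD: ipft_ef.c,v 1.8 2003/05/17 01:11:52 itojun Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-/*
-icmp type
-lnth proto source destination src port dst port
-etherfind -n
-60 tcp 128.250.20.20 128.250.133.13 2419 telnet
-etherfind -n -t
-0.32 91 04 131.170.1.10 128.250.133.13
-0.33 566 udp 128.250.37.155 128.250.133.3 901 901
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-#if !defined(lint)
-static const char sccsid[] __attribute__((__unused__)) =
-"@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp";
-#endif
-static int etherf_open __P((char *));
-static int etherf_close __P((void));
-static int etherf_readip __P((char *, int, char **, int *));
-struct ipread etherf = { etherf_open, etherf_close, etherf_readip };
-static FILE *efp = NULL;
-static int efd = -1;
-static int etherf_open(fname)
-char *fname;
-{
-if (efd != -1)
-return efd;
-if (!strcmp(fname, "-")) {
-efd = 0;
-efp = stdin;
-} else {
-efd = open(fname, O_RDONLY);
-efp = fdopen(efd, "r");
-}
-return efd;
-}
-static int etherf_close()
-{
-return close(efd);
-}
-static int etherf_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
-struct tcpiphdr pkt;
-ip_t *ip = (ip_t *)&pkt;
-struct protoent *p = NULL;
-char src[16], dst[16], sprt[16], dprt[16];
-char lbuf[128], len[8], prot[8], time[8], *s;
-int slen, extra = 0, i;
-if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
-return 0;
-if ((s = strchr(lbuf, '\n')))
-*s = '\0';
-lbuf[sizeof(lbuf)-1] = '\0';
-bzero(&pkt, sizeof(pkt));
-if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst,
-sprt, dprt) != 6)
-if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time,
-len, prot, src, dst, sprt, dprt) != 7)
-return -1;
-ip->ip_p = atoi(prot);
-if (ip->ip_p == 0) {
-if (!(p = getprotobyname(prot)))
-return -1;
-ip->ip_p = p->p_proto;
-}
-switch (ip->ip_p) {
-case IPPROTO_TCP :
-case IPPROTO_UDP :
-s = strtok(NULL, " :");
-ip->ip_len += atoi(s);
-if (p->p_proto == IPPROTO_TCP)
-extra = sizeof(struct tcphdr);
-else if (p->p_proto == IPPROTO_UDP)
-extra = sizeof(struct udphdr);
-break;
-#ifdef IGMP
-case IPPROTO_IGMP :
-extra = sizeof(struct igmp);
-break;
-#endif
-case IPPROTO_ICMP :
-extra = sizeof(struct icmp);
-break;
-default :
-break;
-}
-(void) inet_aton(src, &ip->ip_src);
-(void) inet_aton(dst, &ip->ip_dst);
-ip->ip_len = atoi(len);
-ip->ip_hl = sizeof(ip_t);
-slen = ip->ip_hl + extra;
-i = MIN(cnt, slen);
-bcopy((char *)&pkt, buf, i);
-return i;
-}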
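--- a/dist/ipf/ipft_hx.c
+++ b/dist/ipf/ipft_hx.c
@@ -1,177 +0,0 @@
-/* $NetBSD: ipft_hx.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */
-/*
-* Copyright (C) 1995-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-#if !defined(lint)
-static const char sccsid[] __attribute__((__unused__)) =
-"@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: ipft_hx.c,v 2.2.2.5 2002/02/22 15:32:54 darrenr Exp";
-#endif
-extern int opts;
-static int hex_open __P((char *));
-static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
-static char *readhex __P((char *, char *));
-struct ipread iphex = { hex_open, hex_close, hex_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-static int hex_open(fname)
-char *fname;
-{
-if (tfp && tfd != -1) {
-rewind(tfp);
-return tfd;
-}
-if (!strcmp(fname, "-")) {
-tfd = 0;
-tfp = stdin;
-} else {
-tfd = open(fname, O_RDONLY);
-if (tfd != -1)
-tfp = fdopen(tfd, "r");
-}
-return tfd;
-}
-static int hex_close()
-{
-int cfd = tfd;
-tfd = -1;
-return close(cfd);
-}
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
-register char *s, *t, *u;
-char line[513];
-ip_t *ip;
-/*
-* interpret start of line as possibly "[ifname]" or
-* "[in/out,ifname]".
-*/
-if (ifn)
-*ifn = NULL;
-if (dir)
-*dir = 0;
-ip = (ip_t *)buf;
-while (fgets(line, sizeof(line)-1, tfp)) {
-if ((s = index(line, '\n'))) {
-if (s == line)
-return (char *)ip - buf;
-*s = '\0';
-}
-if ((s = index(line, '#')))
-*s = '\0';
-if (!*line)
-continue;
-if (!(opts & OPT_BRIEF)) {
-printf("input: %s\n", line);
-fflush(stdout);
-}
-if ((*line == '[') && (s = index(line, ']'))) {
-t = line + 1;
-if (s - t > 0) {
-*s++ = '\0';
-if ((u = index(t, ',')) && (u < s)) {
-u++;
-if (ifn)
-*ifn = strdup(u);
-if (dir) {
-if (*t == 'i')
-*dir = 0;
-else if (*t == 'o')
-*dir = 1;
-}
-} else if (ifn)
-*ifn = t;
-}
-} else
-s = line;
-ip = (ip_t *)readhex(s, (char *)ip);
-}
-return -1;
-}
-static char *readhex(src, dst)
-register char *src, *dst;
-{
-int state = 0;
-char c;
-while ((c = *src++)) {
-if (isspace(c)) {
-if (state) {
-dst++;
-state = 0;
-}
-continue;
-} else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
-(c >= 'A' && c <= 'F')) {
-c = isdigit(c) ? (c - '0') : (toupper(c) - 55);
-if (state == 0) {
-*dst = (c << 4);
-state++;
-} else {
-*dst++ |= c;
-state = 0;
-}
-} else
-break;
-}
-return dst;
-}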
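--- a/dist/ipf/ipft_pc.c
+++ b/dist/ipf/ipft_pc.c
@@ -1,238 +0,0 @@
-/* $NetBSD: ipft_pc.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "pcap.h"
-#include "ipt.h"
-#if !defined(lint)
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: ipft_pc.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp";
-#endif
-struct llc {
-int lc_sz; /* LLC header length */
-int lc_to; /* LLC Type offset */
-int lc_tl; /* LLC Type length */
-};
-/*
-* While many of these maybe the same, some do have different header formats
-* which make this useful.
-*/
-#define DLT_MAX 14
-static struct llc llcs[DLT_MAX+1] = {
-{ 0, 0, 0 }, /* DLT_NULL */
-{ 14, 12, 2 }, /* DLT_E10MB */
-{ 0, 0, 0 }, /* DLT_EN3MB */
-{ 0, 0, 0 }, /* DLT_AX25 */
-{ 0, 0, 0 }, /* DLT_PRONET */
-{ 0, 0, 0 }, /* DLT_CHAOS */
-{ 0, 0, 0 }, /* DLT_IEEE802 */
-{ 0, 0, 0 }, /* DLT_ARCNET */
-{ 0, 0, 0 }, /* DLT_SLIP */
-{ 0, 0, 0 }, /* DLT_PPP */
-{ 0, 0, 0 }, /* DLT_FDDI */
-{ 0, 0, 0 }, /* DLT_ATMRFC1483 */
-{ 0, 0, 0 }, /* DLT_LOOP */
-{ 0, 0, 0 } /* DLT_ENC */
-};
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
-static int pfd = -1, s_type = -1, swapped = 0;
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip };
-#define SWAPLONG(y) \
-((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
-#define SWAPSHORT(y) \
-( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-static void swap_hdr(p)
-pcaphdr_t *p;
-{
-p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
-p->pc_v_min = SWAPSHORT(p->pc_v_min);
-p->pc_zone = SWAPLONG(p->pc_zone);
-p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
-p->pc_slen = SWAPLONG(p->pc_slen);
-p->pc_type = SWAPLONG(p->pc_type);
-}
-static int pcap_open(fname)
-char *fname;
-{
-pcaphdr_t ph;
-int fd;
-if (pfd != -1)
-return pfd;
-if (!strcmp(fname, "-"))
-fd = 0;
-else if ((fd = open(fname, O_RDONLY)) == -1)
-return -1;
-if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
-return -2;
-if (ph.pc_id != TCPDUMP_MAGIC) {
-if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
-(void) close(fd);
-return -2;
-}
-swapped = 1;
-swap_hdr(&ph);
-}
-if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) {
-(void) close(fd);
-return -2;
-}
-pfd = fd;
-s_type = ph.pc_type;
-printf("opened pcap file %s:\n", fname);
-printf("\tid: %08x version: %d.%d type: %d snap %d\n",
-ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
-return fd;
-}
-static int pcap_close()
-{
-return close(pfd);
-}
-/*
-* read in the header (and validate) which should be the first record
-* in a pcap file.
-*/
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
-{
-int n, p;
-if (read(pfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
-return -2;
-if (swapped) {
-rec->ph_clen = SWAPLONG(rec->ph_clen);
-rec->ph_len = SWAPLONG(rec->ph_len);
-rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
-rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
-}
-p = rec->ph_clen;
-n = MIN(p, rec->ph_len);
-if (!n || n < 0)
-return -3;
-return p;
-}
-#ifdef notyet
-/*
-* read an entire pcap packet record. only the data part is copied into
-* the available buffer, with the number of bytes copied returned.
-*/
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
-{
-struct pcap_pkthdr rec;
-static char *bufp = NULL;
-int i, n;
-if ((i = pcap_read_rec(&rec)) <= 0)
-return i;
-if (!bufp)
-bufp = malloc(i);
-else
-bufp = realloc(bufp, i);
-if (read(pfd, bufp, i) != i)
-return -2;
-n = MIN(i, cnt);
-bcopy(bufp, buf, n);
-return n;
-}
-#endif
-/*
-* return only an IP packet read into buf
-*/
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
-static char *bufp = NULL;
-struct pcap_pkthdr rec;
-struct llc *l;
-char *s, ty[4];
-int i, n;
-do {
-if ((i = pcap_read_rec(&rec)) <= 0)
-return i;
-if (!bufp)
-bufp = malloc(i);
-else
-bufp = realloc(bufp, i);
-s = bufp;
-if (read(pfd, s, i) != i)
-return -2;
-l = &llcs[s_type];
-i -= l->lc_sz;
-s += l->lc_to;
-bcopy(s, ty, l->lc_tl);
-s += l->lc_tl;
-} while (ty[0] != 0x8 && ty[1] != 0);
-n = MIN(i, cnt);
-bcopy(s, buf, n);
-return n;
-}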
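--- a/dist/ipf/ipft_sn.c
+++ b/dist/ipf/ipft_sn.c
@@ -1,222 +0,0 @@
-/* $NetBSD: ipft_sn.c,v 1.5 2002/04/09 02:32:52 thorpej Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-/*
-* Written to comply with the recent RFC 1761 from Sun.
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "snoop.h"
-#include "ipt.h"
-#if !defined(lint)
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: ipft_sn.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp";
-#endif
-struct llc {
-int lc_sz; /* LLC header length */
-int lc_to; /* LLC Type offset */
-int lc_tl; /* LLC Type length */
-};
-/*
-* While many of these maybe the same, some do have different header formats
-* which make this useful.
-*/
-static struct llc llcs[SDL_MAX+1] = {
-{ 0, 0, 0 }, /* SDL_8023 */
-{ 0, 0, 0 }, /* SDL_8024 */
-{ 0, 0, 0 }, /* SDL_8025 */
-{ 0, 0, 0 }, /* SDL_8026 */
-{ 14, 12, 2 }, /* SDL_ETHER */
-{ 0, 0, 0 }, /* SDL_HDLC */
-{ 0, 0, 0 }, /* SDL_CHSYNC */
-{ 0, 0, 0 }, /* SDL_IBMCC */
-{ 0, 0, 0 }, /* SDL_FDDI */
-{ 0, 0, 0 }, /* SDL_OTHER */
-};
-static int snoop_open __P((char *));
-static int snoop_close __P((void));
-static int snoop_readip __P((char *, int, char **, int *));
-static int sfd = -1, s_type = -1;
-static int snoop_read_rec __P((struct snooppkt *));
-struct ipread snoop = { snoop_open, snoop_close, snoop_readip };
-static int snoop_open(fname)
-char *fname;
-{
-struct snoophdr sh;
-int fd;
-int s_v;
-if (sfd != -1)
-return sfd;
-if (!strcmp(fname, "-"))
-fd = 0;
-else if ((fd = open(fname, O_RDONLY)) == -1)
-return -1;
-if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
-return -2;
-s_v = (int)ntohl(sh.s_v);
-s_type = (int)ntohl(sh.s_type);
-if (s_v != SNOOP_VERSION ||
-s_type < 0 || s_type > SDL_MAX) {
-(void) close(fd);
-return -2;
-}
-sfd = fd;
-printf("opened snoop file %s:\n", fname);
-printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
-return fd;
-}
-static int snoop_close()
-{
-return close(sfd);
-}
-/*
-* read in the header (and validate) which should be the first record
-* in a snoop file.
-*/
-static int snoop_read_rec(rec)
-struct snooppkt *rec;
-{
-int n, plen, ilen;
-if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
-return -2;
-ilen = (int)ntohl(rec->sp_ilen);
-plen = (int)ntohl(rec->sp_plen);
-if (ilen > plen || plen < sizeof(*rec))
-return -2;
-plen -= sizeof(*rec);
-n = MIN(plen, ilen);
-if (!n || n < 0)
-return -3;
-return plen;
-}
-#ifdef notyet
-/*
-* read an entire snoop packet record. only the data part is copied into
-* the available buffer, with the number of bytes copied returned.
-*/
-static int snoop_read(buf, cnt)
-char *buf;
-int cnt;
-{
-struct snooppkt rec;
-static char *bufp = NULL;
-int i, n;
-if ((i = snoop_read_rec(&rec)) <= 0)
-return i;
-if (!bufp)
-bufp = malloc(i);
-else
-bufp = realloc(bufp, i);
-if (read(sfd, bufp, i) != i)
-return -2;
-n = MIN(i, cnt);
-bcopy(bufp, buf, n);
-return n;
-}
-#endif
-/*
-* return only an IP packet read into buf
-*/
-static int snoop_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
-static char *bufp = NULL;
-struct snooppkt rec;
-struct llc *l;
-char ty[4], *s;
-int i, n;
-do {
-if ((i = snoop_read_rec(&rec)) <= 0)
-return i;
-if (!bufp)
-bufp = malloc(i);
-else
-bufp = realloc(bufp, i);
-s = bufp;
-if (read(sfd, s, i) != i)
-return -2;
-l = &llcs[s_type];
-i -= l->lc_to;
-s += l->lc_to;
-/*
-* XXX - bogus assumption here on the part of the time field
-* that it won't be greater than 4 bytes and the 1st two will
-* have the values 8 and 0 for IP. Should be a table of
-* these too somewhere. Really only works for SDL_ETHER.
-*/
-bcopy(s, ty, l->lc_tl);
-} while (ty[0] != 0x8 && ty[1] != 0);
-i -= l->lc_tl;
-s += l->lc_tl;
-n = MIN(i, cnt);
-bcopy(s, buf, n);
-return n;
-}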
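--- a/dist/ipf/ipft_td.c
+++ b/dist/ipf/ipft_td.c
@@ -1,197 +0,0 @@
-/* $NetBSD: ipft_td.c,v 1.8 2003/05/17 01:11:53 itojun Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-/*
-tcpdump -n
-00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
-tcpdump -nq
-00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
-tcpdump -nqt
-128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-tcpdump -nqtt
-123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-tcpdump -nqte
-8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-#if !defined(lint)
-static const char sccsid[] __attribute__((__unused__)) =
-"@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp";
-#endif
-static int tcpd_open __P((char *));
-static int tcpd_close __P((void));
-static int tcpd_readip __P((char *, int, char **, int *));
-static int count_dots __P((char *));
-struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-static int tcpd_open(fname)
-char *fname;
-{
-if (tfd != -1)
-return tfd;
-if (!strcmp(fname, "-")) {
-tfd = 0;
-tfp = stdin;
-} else {
-tfd = open(fname, O_RDONLY);
-tfp = fdopen(tfd, "r");
-}
-return tfd;
-}
-static int tcpd_close()
-{
-(void) fclose(tfp);
-return close(tfd);
-}
-static int count_dots(str)
-char *str;
-{
-int i = 0;
-while (*str)
-if (*str++ == '.')
-i++;
-return i;
-}
-static int tcpd_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
-struct tcpiphdr pkt;
-ip_t *ip = (ip_t *)&pkt;
-struct protoent *p;
-char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
-char lbuf[160], *s;
-int n, slen, extra = 0;
-if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
-return 0;
-if ((s = strchr(lbuf, '\n')))
-*s = '\0';
-lbuf[sizeof(lbuf)-1] = '\0';
-bzero(&pkt, sizeof(pkt));
-if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3)
-if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s",
-time, src, dst, misc)) != 4)
-if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s",
-link1, link2, src, dst, misc)) != 5) {
-n = sscanf(lbuf,
-"%31s %31s %31s: %31s > %31s: %255s",
-time, link1, link2, src, dst, misc);
-if (n != 6)
-return -1;
-}
-if (count_dots(dst) == 4) {
-s = strrchr(src, '.');
-*s++ = '\0';
-(void) inet_aton(src, &ip->ip_src);
-pkt.ti_sport = htons(atoi(s));
-*--s = '.';
-s = strrchr(dst, '.');
-*s++ = '\0';
-(void) inet_aton(src, &ip->ip_dst);
-pkt.ti_dport = htons(atoi(s));
-*--s = '.';
-} else {
-(void) inet_aton(src, &ip->ip_src);
-(void) inet_aton(src, &ip->ip_dst);
-}
-ip->ip_len = ip->ip_hl = sizeof(ip_t);
-s = strtok(misc, " :");
-if ((p = getprotobyname(s))) {
-ip->ip_p = p->p_proto;
-switch (p->p_proto) {
-case IPPROTO_TCP :
-case IPPROTO_UDP :
-s = strtok(NULL, " :");
-ip->ip_len += atoi(s);
-if (p->p_proto == IPPROTO_TCP)
-extra = sizeof(struct tcphdr);
-else if (p->p_proto == IPPROTO_UDP)
-extra = sizeof(struct udphdr);
-break;
-#ifdef IGMP
-case IPPROTO_IGMP :
-extra = sizeof(struct igmp);
-break;
-#endif
-case IPPROTO_ICMP :
-extra = sizeof(struct icmp);
-break;
-default :
-break;
-}
-}
-slen = ip->ip_hl + extra + ip->ip_len;
-return slen;
-}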
357
dist/ipf/ipft_tx.c vendored

@ -1,357 +0,0 @@
/* $NetBSD: ipft_tx.c,v 1.8 2002/09/19 08:10:40 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
#include <string.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#else
#include <sys/byteorder.h>
#endif
#include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include "ip_compat.h"
#include <netinet/tcpip.h>
#include "ipf.h"
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp";
#endif
extern int opts;
static char *tx_proto = "";
static int text_open __P((char *)), text_close __P((void));
static int text_readip __P((char *, int, char **, int *));
static int parseline __P((char *, ip_t *, char **, int *));
static char _tcp_flagset[] = "FSRPAUEC";
static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
TH_ACK, TH_URG, TH_ECN, TH_CWR };
struct ipread iptext = { text_open, text_close, text_readip };
static FILE *tfp = NULL;
static int tfd = -1;
static u_32_t tx_hostnum __P((char *, int *));
static u_short tx_portnum __P((char *));
/*
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
static u_32_t tx_hostnum(host, resolved)
char *host;
int *resolved;
{
struct hostent *hp;
struct netent *np;
*resolved = 0;
if (!strcasecmp("any",host))
return 0L;
if (isdigit(*host))
return inet_addr(host);
if (!(hp = gethostbyname(host))) {
if (!(np = getnetbyname(host))) {
*resolved = -1;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}
/*
* find the port number given by the name, either from getservbyname() or
* straight atoi()
*/
static u_short tx_portnum(name)
char *name;
{
struct servent *sp, *sp2;
u_short p1 = 0;
if (isdigit(*name))
return (u_short)atoi(name);
if (!tx_proto)
tx_proto = "tcp/udp";
if (strcasecmp(tx_proto, "tcp/udp")) {
sp = getservbyname(name, tx_proto);
if (sp)
return ntohs(sp->s_port);
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
return 0;
}
sp = getservbyname(name, "tcp");
if (sp)
p1 = sp->s_port;
sp2 = getservbyname(name, "udp");
if (!sp || !sp2) {
(void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
name);
return 0;
}
if (p1 != sp2->s_port) {
(void) fprintf(stderr, "%s %d/tcp is a different port to ",
name, p1);
(void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
return 0;
}
return ntohs(p1);
}
char *tx_icmptypes[] = {
"echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
"redir", (char *)NULL, (char *)NULL, "echo", "routerad",
"routersol", "timex", "paramprob", "timest", "timestrep",
"inforeq", "inforep", "maskreq", "maskrep", "END"
};
static int text_open(fname)
char *fname;
{
if (tfp && tfd != -1) {
rewind(tfp);
return tfd;
}
if (!strcmp(fname, "-")) {
tfd = 0;
tfp = stdin;
} else {
tfd = open(fname, O_RDONLY);
if (tfd != -1)
tfp = fdopen(tfd, "r");
}
return tfd;
}
static int text_close()
{
int cfd = tfd;
tfd = -1;
return close(cfd);
}
static int text_readip(buf, cnt, ifn, dir)
char *buf, **ifn;
int cnt, *dir;
{
register char *s;
char line[513];
*ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = index(line, '\n')))
*s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
if ((s = index(line, '#')))
*s = '\0';
if (!*line)
continue;
if (!(opts & OPT_BRIEF))
printf("input: %s\n", line);
*ifn = NULL;
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir))
#if 0
return sizeof(ip_t) + sizeof(tcphdr_t);
#else
return sizeof(ip_t);
#endif
}
return -1;
}
static int parseline(line, ip, ifn, out)
char *line;
ip_t *ip;
char **ifn;
int *out;
{
tcphdr_t th, *tcp = &th;
struct icmp icmp, *ic = &icmp;
char *cps[20], **cpp, c, ipopts[68];
int i, r;
if (*ifn)
free(*ifn);
bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
bzero((char *)tcp, sizeof(*tcp));
bzero((char *)ic, sizeof(*ic));
bzero(ipopts, sizeof(ipopts));
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); )
cps[++i] = strtok(NULL, " \b\t\r\n");
cpp = cps;
if (!*cpp)
return 1;
c = **cpp;
if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
fprintf(stderr, "bad direction \"%s\"\n", *cpp);
return 1;
}
*out = (tolower(c) == 'o') ? 1 : 0;
cpp++;
if (!*cpp)
return 1;
if (!strcasecmp(*cpp, "on")) {
cpp++;
if (!*cpp)
return 1;
*ifn = strdup(*cpp++);
if (!*cpp)
return 1;
}
c = **cpp;
ip->ip_len = sizeof(ip_t);
if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
!strcasecmp(*cpp, "icmp")) {
if (c == 't') {
ip->ip_p = IPPROTO_TCP;
ip->ip_len += sizeof(struct tcphdr);
tx_proto = "tcp";
} else if (c == 'u') {
ip->ip_p = IPPROTO_UDP;
ip->ip_len += sizeof(struct udphdr);
tx_proto = "udp";
} else {
ip->ip_p = IPPROTO_ICMP;
ip->ip_len += ICMPERR_IPICMPHLEN;
tx_proto = "icmp";
}
cpp++;
} else if (isdigit(**cpp) && !index(*cpp, '.')) {
ip->ip_p = atoi(*cpp);
cpp++;
} else
ip->ip_p = IPPROTO_IP;
if (!*cpp)
return 1;
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
char *last;
last = index(*cpp, ',');
if (!last) {
fprintf(stderr, "tcp/udp with no source port\n");
return 1;
}
*last++ = '\0';
tcp->th_sport = htons(tx_portnum(last));
}
ip->ip_src.s_addr = tx_hostnum(*cpp, &r);
cpp++;
if (!*cpp)
return 1;
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
char *last;
last = index(*cpp, ',');
if (!last) {
fprintf(stderr, "tcp/udp with no destination port\n");
return 1;
}
*last++ = '\0';
tcp->th_dport = htons(tx_portnum(last));
}
ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
cpp++;
if (*cpp && ip->ip_p == IPPROTO_TCP) {
extern char _tcp_flagset[];
extern u_char _tcp_flags[];
char *s, *t;
for (s = *cpp; *s; s++)
if ((t = index(_tcp_flagset, *s)))
tcp->th_flags |= _tcp_flags[t - _tcp_flagset];
if (tcp->th_flags)
cpp++;
assert(tcp->th_flags != 0);
tcp->th_win = htons(4096);
tcp->th_off = sizeof(*tcp) >> 2;
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
extern char *tx_icmptypes[];
char **s, *t;
int i;
for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
s++, i++)
if (*s && !strncasecmp(*cpp, *s, strlen(*s))) {
ic->icmp_type = i;
if ((t = index(*cpp, ',')))
ic->icmp_code = atoi(t+1);
cpp++;
break;
}
}
if (*cpp && !strcasecmp(*cpp, "opt")) {
u_long olen;
cpp++;
olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
if (olen) {
bcopy(ipopts, (char *)(ip + 1), olen);
ip->ip_hl += olen >> 2;
}
}
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
bcopy((char *)tcp, ((char *)ip) + (ip->ip_hl << 2),
sizeof(*tcp));
else if (ip->ip_p == IPPROTO_ICMP)
bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2),
sizeof(*ic));
ip->ip_len = htons(ip->ip_len);
return 0;
}


@ -1,36 +1,31 @@
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
all: $(DESTDIR)/y.tab.o $(DESTDIR)/lex.yy.o
all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
$(DESTDIR)/y.tab.o: $(DESTDIR)/y.tab.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@
$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(DESTDIR)/$(OBJ)/y.tab.o: $(DESTDIR)/y.tab.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@
$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
$(DESTDIR)/lex.yy.o: $(DESTDIR)/lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/lex.yy.c -o $@
iplang_y.o: iplang_y.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
y.tab.o: y.tab.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c y.tab.c -o $@
iplang_l.o: iplang_l.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
lex.yy.o: lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c lex.yy.c -o $@
$(DESTDIR)/lex.yy.c: iplang_l.l $(DESTDIR)/y.tab.h
$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
lex iplang_l.l
mv lex.yy.c $(DESTDIR)
mv lex.yy.c $(DESTDIR)/iplang_l.c
$(DESTDIR)/y.tab.c $(DESTDIR)/y.tab.h: iplang_y.y
$(DESTDIR)/iplang_y.c $(DESTDIR)/iplang_y.h: iplang_y.y
yacc -d iplang_y.y
mv y.tab.c $(DESTDIR)
mv y.tab.h $(DESTDIR)
mv y.tab.c $(DESTDIR)/iplang_y.c
mv y.tab.h $(DESTDIR)/iplang_y.h
clean:
/bin/rm -f *.o lex.yy.c y.tab.c y.tab.h
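Review bot: The `clean` target still removes only `lex.yy.c y.tab.c y.tab.h`, while the rules above now rename the generated sources to `$(DESTDIR)/iplang_l.c`, `$(DESTDIR)/iplang_y.c` and `$(DESTDIR)/iplang_y.h`, so a `make clean` after a build in the source directory leaves the generated lexer and parser behind (the old names were at least covered for the DESTDIR=. case). Extending it to `/bin/rm -f *.o lex.yy.c y.tab.c y.tab.h iplang_l.c iplang_y.c iplang_y.h` keeps clean in step with the new output names; whether this line was touched by the commit is not certain from the rendered section.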


@ -1,14 +1,12 @@
/* $NetBSD: iplang_l.l,v 1.4 2003/07/20 03:14:40 lukem Exp $ */
/* $NetBSD: iplang_l.l,v 1.5 2004/03/28 09:00:55 martti Exp $ */
%{
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: iplang_l.l,v 2.2 2000/02/18 00:18:05 darrenr Exp
* Id: iplang_l.l,v 2.8 2003/07/28 01:15:31 darrenr Exp
*/
#include <stdio.h>
#include <string.h>
@ -20,7 +18,6 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include "iplang_y.h"
#include "ip_compat.h"
#include "ipf.h"
#ifndef __P
@ -45,13 +42,13 @@ int save_token __P((void));
void swallow __P((void));
int yylex __P((void));
struct wordtab {
struct lwordtab {
char *word;
int state;
int next;
};
struct wordtab words[] = {
struct lwordtab words[] = {
{ "interface", IL_INTERFACE, -1 },
{ "iface", IL_INTERFACE, -1 },
{ "name", IL_IFNAME, IL_TOKEN },
@ -219,7 +216,7 @@ void pop_proto()
int save_token()
{
yylval.str = strdup(yytext);
yylval.str = strdup((char *)yytext);
return IL_TOKEN;
}
@ -227,7 +224,7 @@ int save_token()
int next_item(nstate)
int nstate;
{
struct wordtab *wt;
struct lwordtab *wt;
if (opts & OPT_DEBUG)
printf("text=[%s] id=%d next=%d\n", yytext, nstate, next);
@ -238,13 +235,13 @@ int nstate;
token++;
for (wt = words; wt->word; wt++)
if (!strcasecmp(wt->word, yytext))
if (!strcasecmp(wt->word, (char *)yytext))
return next_state(wt->state, wt->next);
if (opts & OPT_DEBUG)
printf("unknown keyword=[%s]\n", yytext);
next = -1;
if (nstate == IL_NUMBER)
yylval.num = atoi(yytext);
yylval.num = atoi((char *)yytext);
token++;
return nstate;
}
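Review bot: `yylval.str = strdup((char *)yytext);` in save_token() (the fourth hunk of this section) stores the result unchecked, so an allocation failure hands the parser an IL_TOKEN whose string is NULL and the grammar actions will dereference it. A guard such as `if (yylval.str == NULL) { perror("strdup"); exit(1); }` keeps the failure local to the lexer; whether exit() matches the file's other error handling is not visible in these hunks. The same hunks also convert `yytext` for `atoi()`, which silently returns 0 on non-numeric input, but that is pre-existing behaviour.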


@ -1,19 +1,14 @@
/* $NetBSD: iplang_y.y,v 1.4 2002/03/14 12:32:39 martti Exp $ */
/* $NetBSD: iplang_y.y,v 1.5 2004/03/28 09:00:55 martti Exp $ */
%{
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: iplang_y.y,v 2.2.2.2 2002/02/22 15:32:57 darrenr Exp
* Id: iplang_y.y,v 2.9.2.1 2004/03/23 12:58:38 darrenr Exp
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@ -33,12 +28,9 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <net/if.h>
#ifndef linux
#include <netinet/if_ether.h>
@ -54,7 +46,7 @@
#include "iplang.h"
#if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \
__FreeBSD_version < 400020)
__FreeBSD_version < 400020) && (!SOLARIS || SOLARIS2 < 10)
extern struct ether_addr *ether_aton __P((char *));
#endif
@ -1296,7 +1288,7 @@ void prep_packet()
return;
}
if (ifp->if_fd == -1)
ifp->if_fd = initdevice(ifp->if_name, 0, 5);
ifp->if_fd = initdevice(ifp->if_name, 5);
gwip = sending.snd_gw;
if (!gwip.s_addr)
gwip = aniphead->ah_ip->ip_dst;
@ -1520,11 +1512,6 @@ int type;
}
static char *icmpcodes[] = {
"net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
"net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
"net-tos", "host-tos", NULL };
void set_icmpcodetok(code)
char **code;
{
@ -1543,13 +1530,6 @@ char **code;
}
static char *icmptypes[] = {
"echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
"redir", (char *)NULL, (char *)NULL, "echo", (char *)NULL,
(char *)NULL, "timex", "paramprob", "timest", "timestrep",
"inforeq", "inforep", "maskreq", "maskrep", "END"
};
void set_icmptypetok(type)
char **type;
{
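Review bot: The rewritten `#if` guard around the ether_aton() prototype (the third hunk of this section) still contains `(!defined(__FreeBSD_version) && __FreeBSD_version < 400020)`, which reduces to plain `!defined(__FreeBSD_version)`: when the macro is undefined the comparison evaluates as `0 < 400020` and is always true, and when it is defined the `!defined` operand is false, so the version threshold never takes effect and old FreeBSD releases do not get the prototype. If the intent is "not FreeBSD, or FreeBSD older than 400020", the operator should be `(!defined(__FreeBSD_version) || __FreeBSD_version < 400020)`. The appended `(!SOLARIS || SOLARIS2 < 10)` clause is sound only if both macros are always defined before this line; that is not visible in the hunk.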

1500
dist/ipf/ipmon.c vendored


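--- a/dist/ipf/ipnat.c
+++ /dev/null
@@ -1,394 +0,0 @@
-/* $NetBSD: ipnat.c,v 1.12 2002/09/19 08:10:40 martti Exp $ */
-/*
-* Copyright (C) 1993-2002 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <nlist.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-#include "kmem.h"
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-#if !defined(lint)
-static const char sccsid[] __attribute__((__unused__)) =
-"@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp";
-#endif
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-int use_inet6 = 0;
-char thishost[MAXHOSTNAMELEN];
-extern char *optarg;
-extern ipnat_t *natparse __P((char *, int));
-extern void natparsefile __P((int, char *, int));
-extern void printnat __P((ipnat_t *, int));
-extern void printactivenat __P((nat_t *, int));
-extern void printhostmap __P((hostmap_t *, u_int));
-extern char *getsumd __P((u_32_t));
-void dostats __P((natstat_t *, int)), flushtable __P((int, int));
-void usage __P((char *));
-int countbits __P((u_32_t));
-char *getnattype __P((ipnat_t *));
-int main __P((int, char*[]));
-void printaps __P((ap_session_t *, int));
-void showhostmap __P((natstat_t *nsp));
-void natstat_dead __P((natstat_t *, char *));
-void usage(name)
-char *name;
-{
-fprintf(stderr, "%s: [-CFhlnrsv] [-f filename]\n", name);
-exit(1);
-}
-int main(argc, argv)
-int argc;
-char *argv[];
-{
-natstat_t ns, *nsp = &ns;
-char *file, *core, *kernel;
-int fd, opts, c, mode;
-fd = -1;
-opts = 0;
-file = NULL;
-core = NULL;
-kernel = NULL;
-mode = O_RDWR;
-while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1)
-switch (c)
-{
-case 'C' :
-opts |= OPT_CLEAR;
-break;
-case 'd' :
-opts |= OPT_DEBUG;
-break;
-case 'f' :
-file = optarg;
-break;
-case 'F' :
-opts |= OPT_FLUSH;
-break;
-case 'h' :
-opts |=OPT_HITS;
-break;
-case 'l' :
-opts |= OPT_LIST;
-mode = O_RDONLY;
-break;
-case 'M' :
-core = optarg;
-break;
-case 'N' :
-kernel = optarg;
-break;
-case 'n' :
-opts |= OPT_NODO;
-mode = O_RDONLY;
-break;
-case 'r' :
-opts |= OPT_REMOVE;
-break;
-case 's' :
-opts |= OPT_STAT;
-mode = O_RDONLY;
-break;
-case 'v' :
-opts |= OPT_VERBOSE;
-break;
-default :
-usage(argv[0]);
-}
-if ((kernel != NULL) || (core != NULL)) {
-(void) setgid(getgid());
-(void) setuid(getuid());
-}
-bzero((char *)&ns, sizeof(ns));
-gethostname(thishost, sizeof(thishost));
-thishost[sizeof(thishost) - 1] = '\0';
-if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) {
-if (openkmem(kernel, core) == -1)
-exit(1);
-if (((fd = open(IPL_NAT, mode)) == -1) &&
-((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
-(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
-STRERROR(errno));
-if (errno == ENODEV)
-fprintf(stderr, "IPFilter enabled?\n");
-exit(1);
-}
-if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
-perror("ioctl(SIOCGNATS)");
-exit(1);
-}
-(void) setgid(getgid());
-(void) setuid(getuid());
-} else if ((kernel != NULL) || (core != NULL)) {
-if (openkmem(kernel, core) == -1)
-exit(1);
-natstat_dead(nsp, kernel);
-if (opts & (OPT_LIST|OPT_STAT))
-dostats(nsp, opts);
-exit(0);
-}
-if (opts & (OPT_FLUSH|OPT_CLEAR))
-flushtable(fd, opts);
-if (file)
-natparsefile(fd, file, opts);
-if (opts & (OPT_LIST|OPT_STAT))
-dostats(nsp, opts);
-return 0;
-}
-/*
-* Read nat statistic information in using a symbol table and memory file
-* rather than doing ioctl's.
-*/
-void natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
-{
-struct nlist nat_nlist[10] = {
-{ "nat_table" }, /* 0 */
-{ "nat_list" },
-{ "maptable" },
-{ "ipf_nattable_sz" },
-{ "ipf_natrules_sz" },
-{ "ipf_rdrrules_sz" }, /* 5 */
-{ "ipf_hostmap_sz" },
-{ "nat_instances" },
-{ "ap_sess_list" },
-{ NULL }
-};
-void *tables[2];
-if (nlist(kernel, nat_nlist) == -1) {
-fprintf(stderr, "nlist error\n");
-return;
-}
-/*
-* Normally the ioctl copies all of these values into the structure
-* for us, before returning it to useland, so here we must copy each
-* one in individually.
-*/
-kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
-nsp->ns_table[0] = tables[0];
-nsp->ns_table[1] = tables[1];
-kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
-sizeof(nsp->ns_list));
-kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
-sizeof(nsp->ns_maptable));
-kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
-sizeof(nsp->ns_nattab_sz));
-kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
-sizeof(nsp->ns_rultab_sz));
-kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
-sizeof(nsp->ns_rdrtab_sz));
-kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
-sizeof(nsp->ns_hostmap_sz));
-kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
-sizeof(nsp->ns_instances));
-kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
-sizeof(nsp->ns_apslist));
-}
-/*
-* Display NAT statistics.
-*/
-void dostats(nsp, opts)
-natstat_t *nsp;
-int opts;
-{
-nat_t **nt[2], *np, nat;
-ipnat_t ipn;
-/*
-* Show statistics ?
-*/
-if (opts & OPT_STAT) {
-printf("mapped\tin\t%lu\tout\t%lu\n",
-nsp->ns_mapped[0], nsp->ns_mapped[1]);
-printf("added\t%lu\texpired\t%lu\n",
-nsp->ns_added, nsp->ns_expire);
-printf("no memory\t%lu\tbad nat\t%lu\n",
-nsp->ns_memfail, nsp->ns_badnat);
-printf("inuse\t%lu\nrules\t%lu\n",
-nsp->ns_inuse, nsp->ns_rules);
-printf("wilds\t%u\n", nsp->ns_wilds);
-if (opts & OPT_VERBOSE)
-printf("table %p list %p\n",
-nsp->ns_table, nsp->ns_list);
-}
-/*
-* Show list of NAT rules and NAT sessions ?
-*/
-if (opts & OPT_LIST) {
-printf("List of active MAP/Redirect filters:\n");
-while (nsp->ns_list) {
-if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
-sizeof(ipn))) {
-perror("kmemcpy");
-break;
-}
-if (opts & OPT_HITS)
-printf("%d ", ipn.in_hits);
-printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
-nsp->ns_list = ipn.in_next;
-}
-nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
-if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0],
-sizeof(**nt) * NAT_SIZE)) {
-perror("kmemcpy");
-return;
-}
-printf("\nList of active sessions:\n");
-for (np = nsp->ns_instances; np; np = nat.nat_next) {
-if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
-break;
-printactivenat(&nat, opts);
-}
-if (opts & OPT_VERBOSE)
-showhostmap(nsp);
-free(nt[0]);
-}
-}
-/*
-* display the active host mapping table.
-*/
-void showhostmap(nsp)
-natstat_t *nsp;
-{
-hostmap_t hm, *hmp, **maptable;
-u_int hv;
-printf("\nList of active host mappings:\n");
-maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
-nsp->ns_hostmap_sz);
-if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
-sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
-perror("kmemcpy (maptable)");
-return;
-}
-for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
-hmp = maptable[hv];
-while (hmp) {
-if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
-perror("kmemcpy (hostmap)");
-return;
-}
-printhostmap(&hm, hv);
-hmp = hm.hm_next;
-}
-}
-free(maptable);
-}
-/*
-* Issue an ioctl to flush either the NAT rules table or the active mapping
-* table or both.
-*/
-void flushtable(fd, opts)
-int fd, opts;
-{
-int n = 0;
-if (opts & OPT_FLUSH) {
-n = 0;
-if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1)
-perror("ioctl(SIOCFLNAT)");
-else
-printf("%d entries flushed from NAT table\n", n);
-}
-if (opts & OPT_CLEAR) {
-n = 1;
-if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1)
-perror("ioctl(SIOCCNATL)");
-else
-printf("%d entries flushed from NAT list\n", n);
-}
-}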


@ -1,13 +1,10 @@
/* $NetBSD: ipsd.c,v 1.2 2002/01/24 08:21:37 martti Exp $ */
/* $NetBSD: ipsd.c,v 1.3 2004/03/28 09:00:55 martti Exp $ */
/*
* (C)opyright 1995-1998 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>
#include <fcntl.h>
@ -37,7 +34,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsd.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipsd.c,v 2.2 2001/06/09 17:09:25 darrenr Exp";
#endif
extern char *optarg;


@ -1,13 +1,10 @@
/* $NetBSD: ipsd.h,v 1.2 2002/01/24 08:21:37 martti Exp $ */
/* $NetBSD: ipsd.h,v 1.3 2004/03/28 09:00:55 martti Exp $ */
/*
* (C)opyright 1995-1998 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
* @(#)ipsd.h 1.3 12/3/95
*/


@ -1,13 +1,10 @@
/* $NetBSD: ipsdr.c,v 1.2 2002/01/24 08:21:38 martti Exp $ */
/* $NetBSD: ipsdr.c,v 1.3 2004/03/28 09:00:55 martti Exp $ */
/*
* (C)opyright 1995-1998 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>
#include <fcntl.h>
@ -38,7 +35,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsdr.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipsdr.c,v 2.2 2001/06/09 17:09:25 darrenr Exp";
#endif
extern char *optarg;


@ -1,13 +1,10 @@
/* $NetBSD: slinux.c,v 1.2 2002/01/24 08:21:38 martti Exp $ */
/* $NetBSD: slinux.c,v 1.3 2004/03/28 09:00:55 martti Exp $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>


@ -1,13 +1,10 @@
/* $NetBSD: snit.c,v 1.2 2002/01/24 08:21:38 martti Exp $ */
/* $NetBSD: snit.c,v 1.3 2004/03/28 09:00:55 martti Exp $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>


@ -1,35 +1,37 @@
/* $NetBSD: 44arp.c,v 1.3 2002/03/14 12:32:39 martti Exp $ */
/* $NetBSD: 44arp.c,v 1.4 2004/03/28 09:00:55 martti Exp $ */
/*
* Based upon 4.4BSD's /usr/sbin/arp
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/param.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <net/if_dl.h>
#include <net/if_types.h>
#if defined(__FreeBSD__)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <nlist.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include "ipsend.h"
#include "iplang/iplang.h"
@ -39,7 +41,7 @@
* its IP address in address
* (4 bytes)
*/
int resolve(host, address)
int resolve(host, address)
char *host, *address;
{
struct hostent *hp;

35
dist/ipf/ipsend/arp.c vendored

@ -1,22 +1,21 @@
/* $NetBSD: arp.c,v 1.3 2002/03/14 12:32:39 martti Exp $ */
/* $NetBSD: arp.c,v 1.4 2004/03/28 09:00:55 martti Exp $ */
/*
* arp.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: arp.c,v 2.8 2003/12/01 02:01:15 darrenr Exp";
#endif
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#if !defined(ultrix) && !defined(hpux)
#if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__)
#include <sys/sockio.h>
#endif
#include <sys/ioctl.h>
#include <netdb.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <net/if.h>
#include <netinet/if_ether.h>
@ -24,23 +23,22 @@
#include <net/if_arp.h>
#endif
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include "ipsend.h"
#include "iplang/iplang.h"
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: arp.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp";
#endif
/*
* lookup host and return
* its IP address in address
* (4 bytes)
*/
int resolve(host, address)
int resolve(host, address)
char *host, *address;
{
struct hostent *hp;
@ -92,7 +90,11 @@ char *ether;
bcopy(ip, (char *)&sin->sin_addr.s_addr, 4);
#ifndef hpux
if ((hp = gethostbyaddr(ip, 4, AF_INET)))
# if SOLARIS && (SOLARIS2 >= 10)
if (!(ether_hostton(hp->h_name, (struct ether_addr *)ether)))
# else
if (!(ether_hostton(hp->h_name, ether)))
# endif
goto savearp;
#endif
@ -124,6 +126,13 @@ tryagain:
return -1;
}
if ((ar.arp_ha.sa_data[0] == 0) && (ar.arp_ha.sa_data[1] == 0) &&
(ar.arp_ha.sa_data[2] == 0) && (ar.arp_ha.sa_data[3] == 0) &&
(ar.arp_ha.sa_data[4] == 0) && (ar.arp_ha.sa_data[5] == 0)) {
fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
return -1;
}
bcopy(ar.arp_ha.sa_data, ether, 6);
savearp:
bcopy(ether, ethersave, 6);
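Review bot: The new all-zero hardware-address check in the last hunk reports only `(%s):` with no reason and no trailing newline before returning -1, so unless every caller follows up with perror() the diagnostic is an incomplete line on stderr that does not say why the lookup was rejected; `fprintf(stderr, "(%s): ARP entry has no hardware address\n", inet_ntoa(sin->sin_addr));` would make the failure self-explanatory. The six element-by-element comparisons read more clearly as `static const char zero_ha[6]; if (memcmp(ar.arp_ha.sa_data, zero_ha, sizeof zero_ha) == 0)`, which also ties the length to the `bcopy(..., 6)` that follows. The enclosing function begins outside the hunk, so the existing error-reporting convention is inferred rather than seen.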


@ -1,4 +1,4 @@
/* $NetBSD: dlcommon.c,v 1.1.1.2 2004/03/28 08:56:14 martti Exp $ */
/* $NetBSD: dlcommon.c,v 1.2 2004/03/28 09:00:55 martti Exp $ */
/*
* Common (shared) DLPI test routines.


@ -1,9 +1,11 @@
/* $NetBSD: hpux.c,v 1.2 2002/01/24 08:21:39 martti Exp $ */
/* $NetBSD: hpux.c,v 1.3 2004/03/28 09:00:55 martti Exp $ */
/*
* (C)opyright 1997-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#include <stdio.h>
#include <strings.h>

100
dist/ipf/ipsend/ip.c vendored

@ -1,27 +1,21 @@
/* $NetBSD: ip.c,v 1.5 2002/04/09 02:32:54 thorpej Exp $ */
/* $NetBSD: ip.c,v 1.6 2004/03/28 09:00:55 martti Exp $ */
/*
* ip.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)Id: ip.c,v 2.8 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <sys/param.h>
#ifndef linux
# include <netinet/if_ether.h>
@ -30,14 +24,13 @@
# include <net/if_var.h>
# endif
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"%W% %G% (C)1995";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ip.c,v 2.1.4.4 2002/02/22 15:32:57 darrenr Exp";
#endif
static char *ipbuf = NULL, *ethbuf = NULL;
@ -96,7 +89,8 @@ ip_t *ip;
struct in_addr gwip;
int frag;
{
static struct in_addr last_gw;
static struct in_addr last_gw, local_ip;
static char local_arp[6] = { 0, 0, 0, 0, 0, 0};
static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
static u_short id = 0;
ether_header_t *eh;
@ -106,7 +100,7 @@ int frag;
if (!ipbuf)
{
ipbuf = (char *)malloc(65536);
if(!ipbuf)
if (!ipbuf)
{
perror("malloc failed");
return -2;
@ -131,18 +125,29 @@ int frag;
iplen = ip->ip_len;
ip->ip_len = htons(iplen);
if (!(frag & 2)) {
if (!ip->ip_v)
ip->ip_v = IPVERSION;
if (!IP_V(ip))
IP_V_A(ip, IPVERSION);
if (!ip->ip_id)
ip->ip_id = htons(id++);
if (!ip->ip_ttl)
ip->ip_ttl = 60;
}
if (ip->ip_src.s_addr != local_ip.s_addr) {
if (arp((char *)&ip->ip_src, (char *)A_A local_arp) == -1)
{
perror("arp");
return -2;
}
bcopy(local_arp, (char *)A_A eh->ether_shost,sizeof(last_arp));
local_ip = ip->ip_src;
} else
bcopy(local_arp, (char *)A_A eh->ether_shost, 6);
if (!frag || (sizeof(*eh) + iplen < mtu))
{
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
bcopy((char *)ip, ipbuf + sizeof(*eh), iplen);
err = sendip(nfd, ipbuf, sizeof(*eh) + iplen);
@ -159,14 +164,14 @@ int frag;
char *s;
int i, sent = 0, ts, hlen, olen;
hlen = ip->ip_hl << 2;
hlen = IP_HL(ip) << 2;
if (mtu < (hlen + 8)) {
fprintf(stderr, "mtu (%d) < ip header size (%d) + 8\n",
mtu, hlen);
fprintf(stderr, "can't fragment data\n");
return -2;
}
ol = (ip->ip_hl << 2) - sizeof(*ip);
ol = (IP_HL(ip) << 2) - sizeof(*ip);
for (i = 0, s = (char*)(ip + 1); ol > 0; )
if (*s == IPOPT_EOL) {
optcpy[i++] = *s;
@ -227,7 +232,7 @@ int frag;
else if (!(ip->ip_off & htons(0x1fff)))
{
hlen = i + sizeof(*ip);
ip->ip_hl = (sizeof(*ip) + i) >> 2;
IP_HL_A(ip, (sizeof(*ip) + i) >> 2);
bcopy(optcpy, (char *)(ip + 1), i);
}
}
@ -247,45 +252,46 @@ ip_t *ip;
struct in_addr gwip;
{
static tcp_seq iss = 2;
struct tcpiphdr *ti;
tcphdr_t *t;
tcphdr_t *t, *t2;
int thlen, i, iplen, hlen;
u_32_t lbuf[20];
ip_t *ip2;
iplen = ip->ip_len;
hlen = ip->ip_hl << 2;
hlen = IP_HL(ip) << 2;
t = (tcphdr_t *)((char *)ip + hlen);
ti = (struct tcpiphdr *)lbuf;
thlen = t->th_off << 2;
ip2 = (struct ip *)lbuf;
t2 = (tcphdr_t *)((char *)ip2 + hlen);
thlen = TCP_OFF(t) << 2;
if (!thlen)
thlen = sizeof(tcphdr_t);
bzero((char *)ti, sizeof(*ti));
bzero((char *)ip2, sizeof(*ip2) + sizeof(*t2));
ip->ip_p = IPPROTO_TCP;
ti->ti_pr = ip->ip_p;
ti->ti_src = ip->ip_src;
ti->ti_dst = ip->ip_dst;
bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen);
ip2->ip_p = ip->ip_p;
ip2->ip_src = ip->ip_src;
ip2->ip_dst = ip->ip_dst;
bcopy((char *)ip + hlen, (char *)t2, thlen);
if (!ti->ti_win)
ti->ti_win = htons(4096);
if (!t2->th_win)
t2->th_win = htons(4096);
iss += 63;
i = sizeof(struct tcpiphdr) / sizeof(long);
if ((ti->ti_flags == TH_SYN) && !ntohs(ip->ip_off) &&
if ((t2->th_flags == TH_SYN) && !ntohs(ip->ip_off) &&
(lbuf[i] != htonl(0x020405b4))) {
lbuf[i] = htonl(0x020405b4);
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
iplen - thlen - hlen);
thlen += 4;
}
ti->ti_off = thlen >> 2;
ti->ti_len = htons(thlen);
TCP_OFF_A(t2, thlen >> 2);
ip2->ip_len = htons(thlen);
ip->ip_len = hlen + thlen;
ti->ti_sum = 0;
ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
t2->th_sum = 0;
t2->th_sum = chksum((u_short *)ip2, thlen + sizeof(ip_t));
bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen);
bcopy((char *)t2, (char *)ip + hlen, thlen);
return send_ip(nfd, mtu, ip, gwip, 1);
}
@ -308,16 +314,16 @@ struct in_addr gwip;
ti->ti_pr = ip->ip_p;
ti->ti_src = ip->ip_src;
ti->ti_dst = ip->ip_dst;
bcopy((char *)ip + (ip->ip_hl << 2),
bcopy((char *)ip + (IP_HL(ip) << 2),
(char *)&ti->ti_sport, sizeof(udphdr_t));
ti->ti_len = htons(thlen);
ip->ip_len = (ip->ip_hl << 2) + thlen;
ip->ip_len = (IP_HL(ip) << 2) + thlen;
ti->ti_sum = 0;
ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
bcopy((char *)&ti->ti_sport,
(char *)ip + (ip->ip_hl << 2), sizeof(udphdr_t));
(char *)ip + (IP_HL(ip) << 2), sizeof(udphdr_t));
return send_ip(nfd, mtu, ip, gwip, 1);
}
@ -332,7 +338,7 @@ struct in_addr gwip;
{
struct icmp *ic;
ic = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
ic = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
ic->icmp_cksum = 0;
ic->icmp_cksum = chksum((u_short *)ic, sizeof(struct icmp));
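Review bot: In the tcp_send hunk, `t2 = (tcphdr_t *)((char *)ip2 + hlen);` places the TCP header copy at the incoming packet's header length instead of the fixed 20-byte offset the replaced `struct tcpiphdr` layout used, so when hlen != sizeof(ip_t) the pseudo-header checksum `chksum((u_short *)ip2, thlen + sizeof(ip_t))` no longer covers t2, and the `bcopy((char *)ip + hlen, (char *)t2, thlen)` can run past `lbuf` (80 bytes if u_32_t is 32-bit) since send_ip in this file does accept IP options. Using `t2 = (tcphdr_t *)(ip2 + 1);` restores the layout that the checksum, the `bzero` size and the `lbuf[i]` MSS-option index all assume. Separately, the send_ip hunk copies `local_arp` into `eh->ether_shost` with `sizeof(last_arp)`, the size of a different array; `sizeof(local_arp)` names the buffer actually being copied.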


@ -1,4 +1,4 @@
/* $NetBSD: ip_var.h,v 1.2 2002/09/19 08:08:21 martti Exp $ */
/* $NetBSD: ip_var.h,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */
@ -46,7 +46,7 @@ struct ipq {
* Note: ipf_next must be at same offset as ipq_next above
*/
struct ipasfrag {
#if defined(vax) || defined(i386) || defined(__i386__)
#if defined(vax) || defined(i386)
u_char ip_hl:4,
ip_v:4;
#endif
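Review bot: Dropping `defined(__i386__)` from the bitfield-order guard makes the `ip_hl`/`ip_v` ordering in struct ipasfrag depend on the `i386` macro alone, which GCC and Clang do not predefine in strict ISO modes (`-ansi`, `-std=c99`) where only `__i386__` is defined; such a build skips the little-endian branch and ends up with the two nibbles swapped relative to the wire format. Keeping `#if defined(vax) || defined(i386) || defined(__i386__)` (or, better, testing `BYTE_ORDER == LITTLE_ENDIAN`) avoids tying layout to a non-standard spelling. struct ipasfrag continues outside the hunk, so the matching big-endian branch is not visible here.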


@ -1,46 +1,33 @@
/* $NetBSD: ipresend.c,v 1.4 2002/04/09 02:32:54 thorpej Exp $ */
/* $NetBSD: ipresend.c,v 1.5 2004/03/28 09:00:56 martti Exp $ */
/*
* ipresend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"%W% %G% (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipresend.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp";
#endif
extern char *optarg;
extern int optind;
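Review bot: The new `static const char sccsid[] = ...` and `static const char rcsid[] = ...` definitions drop the `__attribute__((__unused__))` that the removed lines carried, and `#if !defined(lint)` only hides them from lint, so compilers that warn on unused static objects (GCC's `-Wunused-variable`, fatal under `-Werror`) may now complain about both arrays. Keeping the attribute under a `__GNUC__` guard, or otherwise referencing the strings, avoids reintroducing that warning. The same change appears in ipsend.c, ipsopt.c, iptest.c, iptests.c, resend.c and sbpf.c in this commit.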


@ -1,23 +1,14 @@
/* $NetBSD: ipsend.c,v 1.8 2002/05/30 18:10:32 thorpej Exp $ */
/* $NetBSD: ipsend.c,v 1.9 2004/03/28 09:00:56 martti Exp $ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsend.c,v 2.8.2.1 2004/03/23 12:58:05 darrenr Exp";
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@ -25,20 +16,19 @@
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
# include <netinet/ip_var.h>
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipsend.c,v 2.2.2.5 2002/04/23 14:58:57 darrenr Exp";
#include "ipf.h"
#ifndef linux
# include <netinet/udp_var.h>
#endif
@ -48,31 +38,32 @@ extern void iplang __P((FILE *));
char options[68];
int opts;
#ifdef linux
#ifdef linux
char default_device[] = "eth0";
#else
# ifdef sun
char default_device[] = "le0";
# else
# ifdef ultrix
# ifdef ultrix
char default_device[] = "ln0";
# else
# ifdef __bsdi__
# else
# ifdef __bsdi__
char default_device[] = "ef0";
# else
# ifdef __sgi
# else
# ifdef __sgi
char default_device[] = "ec0";
# else
# else
# ifdef __hpux
char default_device[] = "lan0";
# endif
# endif
# endif
# endif
#endif
# else
char default_device[] = "le0";
# endif /* __hpux */
# endif /* __sgi */
# endif /* __bsdi__ */
# endif /* ultrix */
#endif /* linux */
static void usage __P((char *));
static void do_icmp __P((ip_t *, char *));
void udpcksum(ip_t *, struct udphdr *, int);
int main __P((int, char **));
@ -162,25 +153,52 @@ int mtu;
ip_t *ip;
struct in_addr gwip;
{
u_short sport = 0;
int wfd;
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
sport = ((struct tcpiphdr *)ip)->ti_sport;
wfd = initdevice(dev, sport, 5);
int wfd;
wfd = initdevice(dev, 5);
return send_packet(wfd, mtu, ip, gwip);
}
void
udpcksum(ip_t *ip, struct udphdr *udp, int len)
{
union pseudoh {
struct hdr {
u_short len;
u_char ttl;
u_char proto;
u_32_t src;
u_32_t dst;
} h;
u_short w[6];
} ph;
u_32_t temp32;
u_short cksum, *opts;
ph.h.len = htons(len);
ph.h.ttl = 0;
ph.h.proto = IPPROTO_UDP;
ph.h.src = ip->ip_src.s_addr;
ph.h.dst = ip->ip_dst.s_addr;
temp32 = 0;
opts = &ph.w[0];
temp32 += opts[0] + opts[1] + opts[2] + opts[3] + opts[4] + opts[5];
temp32 = (temp32 >> 16) + (temp32 & 65535);
temp32 += (temp32 >> 16);
udp->uh_sum = temp32 & 65535;
udp->uh_sum = chksum((u_short *)udp, len);
if (udp->uh_sum == 0)
udp->uh_sum = 0xffff;
}
int main(argc, argv)
int argc;
char **argv;
{
FILE *langfile = NULL;
struct tcpiphdr *ti;
struct in_addr gwip;
tcphdr_t *tcp;
udphdr_t *udp;
ip_t *ip;
char *name = argv[0], host[MAXHOSTNAMELEN + 1];
char *gateway = NULL, *dev = NULL;
@ -191,12 +209,12 @@ char **argv;
* 65535 is maximum packet size...you never know...
*/
ip = (ip_t *)calloc(1, 65536);
ti = (struct tcpiphdr *)ip;
tcp = (tcphdr_t *)&ti->ti_sport;
tcp = (tcphdr_t *)(ip + 1);
udp = (udphdr_t *)tcp;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
IP_HL_A(ip, sizeof(*ip) >> 2);
while ((c = getopt(argc, argv, "I:L:P:TUdf:i:g:m:o:s:t:vw:")) != -1)
while ((c = getopt(argc, argv, "I:L:P:TUdf:i:g:m:o:s:t:vw:")) != -1) {
switch (c)
{
case 'I' :
@ -290,7 +308,7 @@ char **argv;
break;
case 'o' :
nonl++;
olen = buildopts(optarg, options, (ip->ip_hl - 5) << 2);
olen = buildopts(optarg, options, (IP_HL(ip) - 5) << 2);
break;
case 's' :
nonl++;
@ -315,6 +333,7 @@ char **argv;
fprintf(stderr, "Unknown option \"%c\"\n", c);
usage(name);
}
}
if (argc - optind < 1)
usage(name);
@ -348,25 +367,30 @@ char **argv;
if (olen)
{
caddr_t ipo = (caddr_t)ip;
int hlen;
char *p;
printf("Options: %d\n", olen);
ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
if(!ti)
{
fprintf(stderr,"malloc failed\n");
exit(2);
}
bcopy((char *)ip, (char *)ti, sizeof(*ip));
ip = (ip_t *)ti;
ip->ip_hl = (olen >> 2);
bcopy(options, (char *)(ip + 1), olen);
bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
hlen = sizeof(*ip) + olen;
IP_HL_A(ip, hlen >> 2);
ip->ip_len += olen;
bcopy((char *)ip, (char *)ipo, ip->ip_len);
ip = (ip_t *)ipo;
tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
p = (char *)malloc(65536);
if (p == NULL)
{
fprintf(stderr, "malloc failed\n");
exit(2);
}
bcopy(ip, p, sizeof(*ip));
bcopy(options, p + sizeof(*ip), olen);
bcopy(ip + 1, p + hlen, ip->ip_len - hlen);
ip = (ip_t *)p;
if (ip->ip_p == IPPROTO_TCP) {
tcp = (tcphdr_t *)(p + hlen);
} else if (ip->ip_p == IPPROTO_UDP) {
udp = (udphdr_t *)(p + hlen);
}
}
if (ip->ip_p == IPPROTO_TCP)
@ -403,9 +427,13 @@ char **argv;
printf("Flags: %#x\n", tcp->th_flags);
printf("mtu: %d\n", mtu);
if (ip->ip_p == IPPROTO_UDP) {
udp->uh_sum = 0;
udpcksum(ip, udp, ip->ip_len - (IP_HL(ip) << 2));
}
#ifdef DOSOCKET
if (tcp->th_dport)
return do_socket(dev, mtu, ti, gwip);
if (ip->ip_p == IPPROTO_TCP && tcp->th_dport)
return do_socket(dev, mtu, ip, gwip);
#endif
return send_packets(dev, mtu, (ip_t *)ti, gwip);
return send_packets(dev, mtu, ip, gwip);
}
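Review bot: In the new `udpcksum()`, the local `u_short *opts` shadows the file-scope `int opts` declared earlier in this file, and `cksum` is declared but never used; renaming the pointer (`u_short *w = &ph.w[0];`) and dropping `cksum` avoids `-Wshadow`/`-Wunused-variable` noise. The function also relies on a non-obvious trick that deserves a comment above `udp->uh_sum = temp32 & 65535;`, e.g. `/* seed uh_sum with the folded pseudo-header sum so chksum() folds it into the final checksum */` — this presumes `chksum()` sums the uh_sum word rather than skipping it, which is not visible here. Its prototype `void udpcksum(ip_t *, struct udphdr *, int);` is the only declaration in this file not wrapped in `__P(...)`, unlike its neighbours.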


@ -1,4 +1,4 @@
/* $NetBSD: ipsend.h,v 1.2 2002/01/24 08:21:39 martti Exp $ */
/* $NetBSD: ipsend.h,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* ipsend.h (C) 1997-1998 Darren Reed
@ -8,7 +8,11 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
*
*/
#ifndef __P
@ -19,13 +23,14 @@
# endif
#endif
#include "ip_compat.h"
#include <net/if.h>
#include "ipf.h"
#ifdef linux
#include <linux/sockios.h>
#endif
#include "tcpip.h"
#include "ipt.h"
#include "ipf.h"
extern int resolve __P((char *, char *));
extern int arp __P((char *, char *));
@ -37,10 +42,10 @@ extern int send_udp __P((int, int, ip_t *, struct in_addr));
extern int send_icmp __P((int, int, ip_t *, struct in_addr));
extern int send_packet __P((int, int, ip_t *, struct in_addr));
extern int send_packets __P((char *, int, ip_t *, struct in_addr));
extern u_short seclevel __P((char *));
extern u_short ipseclevel __P((char *));
extern u_32_t buildopts __P((char *, char *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int initdevice __P((char *, int, int));
extern int initdevice __P((char *, int));
extern int sendip __P((int, char *, int));
#ifdef linux
extern struct sock *find_tcp __P((int, struct tcpiphdr *));
@ -57,7 +62,6 @@ extern void ip_test5 __P((char *, int, ip_t *, struct in_addr, int));
extern void ip_test6 __P((char *, int, ip_t *, struct in_addr, int));
extern void ip_test7 __P((char *, int, ip_t *, struct in_addr, int));
extern int do_socket __P((char *, int, struct tcpiphdr *, struct in_addr));
extern int openkmem __P((void));
extern int kmemcpy __P((char *, void *, int));
#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c))
@ -65,9 +69,3 @@ extern int kmemcpy __P((char *, void *, int));
#ifndef OPT_RAW
#define OPT_RAW 0x80000
#endif
#ifndef __STDC__
# ifndef const
# define const
# endif
#endif
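Review bot: The prototype `extern int do_socket __P((char *, int, struct tcpiphdr *, struct in_addr));` still takes `struct tcpiphdr *`, while ipsend.c's `#ifdef DOSOCKET` path now calls `do_socket(dev, mtu, ip, gwip)` with `ip_t *ip`; unless that prototype is the line this hunk removes (the hunk drops one of the `do_socket`/`openkmem` declarations and the rendering does not show which), the call and declaration disagree whenever DOSOCKET is defined. If the prototype survives it should read `extern int do_socket __P((char *, int, ip_t *, struct in_addr));`, with the definition in the socket back-end updated to match.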


@ -1,23 +1,25 @@
/* $NetBSD: ipsopt.c,v 1.4 2002/04/09 02:32:54 thorpej Exp $ */
/* $NetBSD: ipsopt.c,v 1.5 2004/03/28 09:00:56 martti Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsopt.c,v 2.4.4.1 2004/03/23 12:58:05 darrenr Exp";
#endif
#include <sys/param.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
@ -25,11 +27,13 @@
#include <arpa/inet.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipsopt.c,v 2.1.4.3 2002/02/22 15:32:58 darrenr Exp";
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
@ -57,7 +61,7 @@ struct ipopt_names secnames[] = {
};
u_short seclevel(slevel)
u_short ipseclevel(slevel)
char *slevel;
{
struct ipopt_names *so;
@ -102,14 +106,17 @@ char *class;
len += val;
} else
*op++ = io->on_siz;
*op++ = IPOPT_MINOFF;
if (io->on_value == IPOPT_TS)
*op++ = IPOPT_MINOFF + 1;
else
*op++ = IPOPT_MINOFF;
while (class && *class) {
t = NULL;
switch (io->on_value)
{
case IPOPT_SECURITY :
lvl = seclevel(class);
lvl = ipseclevel(class);
*(op - 1) = lvl;
break;
case IPOPT_LSRR :
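Review bot: The new `IPOPT_MINOFF + 1` for `IPOPT_TS` has no comment explaining why the timestamp option's pointer starts one byte later than the route options, so a reader will take it for an off-by-one; suggest `/* IPOPT_TS carries an overflow/flags byte after the pointer, so its first slot is at MINOFF + 1 */` above the `if (io->on_value == IPOPT_TS)` line. The `#ifndef __P` block after `#include "ipsend.h"`, which appears to be the new side of the earlier hunk, duplicates the identical guard ipsend.h already provides; it is harmless but could be dropped.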


@ -1,23 +1,15 @@
/* $NetBSD: iptest.c,v 1.5 2002/04/09 02:32:54 thorpej Exp $ */
/* $NetBSD: iptest.c,v 1.6 2004/03/28 09:00:56 martti Exp $ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: iptest.c,v 2.6 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@ -26,24 +18,19 @@
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#ifdef linux
#include <linux/sockios.h>
#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"%W% %G% (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: iptest.c,v 2.2.2.3 2002/02/22 15:32:58 darrenr Exp";
#endif
extern char *optarg;
extern int optind;
@ -115,7 +102,7 @@ char **argv;
ip = (ip_t *)calloc(1, 65536);
ti = (struct tcpiphdr *)ip;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
IP_HL_A(ip, sizeof(*ip) >> 2);
while ((c = getopt(argc, argv, "1234567d:g:m:p:s:")) != -1)
switch (c)


@ -1,37 +1,38 @@
/* $NetBSD: iptests.c,v 1.5 2002/09/20 15:00:06 mycroft Exp $ */
/* $NetBSD: iptests.c,v 1.6 2004/03/28 09:00:56 martti Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: iptests.c,v 2.8.2.1 2004/03/23 12:58:06 darrenr Exp";
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/param.h>
#define _KERNEL
#define KERNEL
#if !defined(solaris) && !defined(linux) && !defined(__sgi)
# include <sys/file.h>
#else
# ifdef solaris
# include <sys/dditypes.h>
#if !defined(__osf__)
# define _KERNEL
# define KERNEL
# if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux)
# include <sys/file.h>
# else
# ifdef solaris
# include <sys/dditypes.h>
# endif
# endif
# undef _KERNEL
# undef KERNEL
#endif
#undef _KERNEL
#undef KERNEL
#if !defined(solaris) && !defined(linux) && !defined(__sgi)
# include <nlist.h>
# include <sys/user.h>
# include <sys/proc.h>
#endif
#if !defined(ultrix) && !defined(hpux) && !defined(linux) && !defined(__sgi)
#if !defined(ultrix) && !defined(hpux) && !defined(linux) && \
!defined(__sgi) && !defined(__osf__)
# include <kvm.h>
#endif
#ifndef ultrix
@ -52,11 +53,17 @@
#endif
#include <netinet/in_systm.h>
#include <sys/socket.h>
#ifdef __hpux
# define _NET_ROUTE_INCLUDED
#endif
#include <net/if.h>
#if defined(linux) && (LINUX >= 0200)
# include <asm/atomic.h>
#endif
#if !defined(linux)
# if defined(__FreeBSD__)
# include "radix_ipf.h"
# endif
# include <net/route.h>
#else
# define __KERNEL__ /* because there's a macro not wrapped by this */
@ -65,28 +72,29 @@
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#if !defined(linux)
# include <netinet/ip_var.h>
# include <netinet/in_pcb.h>
# include <netinet/tcp_timer.h>
# include <netinet/tcp_var.h>
# if !defined(__hpux)
# include <netinet/in_pcb.h>
# endif
#endif
#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
# include <sys/sysmacros.h>
#endif
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
# define USE_NANOSLEEP
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#ifdef __hpux
# undef _NET_ROUTE_INCLUDED
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"%W% %G% (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: iptests.c,v 2.1.4.5 2002/02/22 15:32:58 darrenr Exp";
#if !defined(linux) && !defined(__hpux)
# include <netinet/tcp_timer.h>
# include <netinet/tcp_var.h>
#endif
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
# define USE_NANOSLEEP
#endif
@ -114,8 +122,8 @@ int ptest;
udphdr_t *u;
int nfd, i = 0, len, id = getpid();
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
IP_HL_A(ip, sizeof(*ip) >> 2);
IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
@ -128,7 +136,7 @@ int ptest;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
len = ip->ip_len;
nfd = initdevice(dev, u->uh_sport, 1);
nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
@ -137,7 +145,7 @@ int ptest;
ip->ip_id = 0;
printf("1.1. sending packets with ip_hl < ip_len\n");
for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) {
ip->ip_hl = i >> 2;
IP_HL_A(ip, i >> 2);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@ -153,7 +161,7 @@ int ptest;
ip->ip_id = 0;
printf("1.2. sending packets with ip_hl > ip_len\n");
for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) {
ip->ip_hl = i >> 2;
IP_HL_A(ip, i >> 2);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@ -168,9 +176,9 @@ int ptest;
*/
ip->ip_id = 0;
printf("1.3. ip_v < 4\n");
ip->ip_hl = sizeof(*ip) >> 2;
IP_HL_A(ip, sizeof(*ip) >> 2);
for (i = 0; i < 4; i++) {
ip->ip_v = i;
IP_V_A(ip, i);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@ -186,7 +194,7 @@ int ptest;
ip->ip_id = 0;
printf("1.4. ip_v > 4\n");
for (i = 5; i < 16; i++) {
ip->ip_v = i;
IP_V_A(ip, i);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@ -200,13 +208,13 @@ int ptest;
* Part5: len < packet
*/
ip->ip_id = 0;
ip->ip_v = IPVERSION;
IP_V_A(ip, IPVERSION);
i = ip->ip_len + 1;
printf("1.5.0 ip_len < packet size (size++, long packets)\n");
for (; i < (ip->ip_len * 2); i++) {
ip->ip_id = htons(id++);
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, i, gwip);
printf("%d\r", i);
fflush(stdout);
@ -218,7 +226,7 @@ int ptest;
ip->ip_id = htons(id++);
ip->ip_len = i;
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
printf("%d\r", i);
fflush(stdout);
@ -237,7 +245,7 @@ int ptest;
ip->ip_id = htons(id++);
ip->ip_len = i;
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
printf("%d\r", i);
fflush(stdout);
@ -249,7 +257,7 @@ int ptest;
for (i = len; i > 0; i--) {
ip->ip_id = htons(id++);
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, i, gwip);
printf("%d\r", i);
fflush(stdout);
@ -318,14 +326,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
ip->ip_off = htons(IP_MF | ((i >> 3) & 0x1fff));
ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
ip->ip_off = htons((i >> 3) & 0x1fff);
ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@ -352,7 +360,7 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
ip->ip_off = htons(IP_MF | ((i >> 3) & 0x1fff));
ip->ip_off = htons(IP_MF | (i >> 3));
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@ -362,7 +370,7 @@ int ptest;
PAUSE();
}
ip->ip_len = 896 + 20;
ip->ip_off = htons((i >> 3) & 0x1fff);
ip->ip_off = htons(i >> 3);
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@ -389,14 +397,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (32 * 1024 + 768); i += 768) {
ip->ip_off = htons(IP_MF | ((i >> 3) & 0x1fff));
ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
ip->ip_off = htons((i >> 3) & 0x1fff);
ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@ -463,10 +471,10 @@ int ptest;
u_char *s;
s = (u_char *)(ip + 1);
nfd = initdevice(dev, htons(1), 1);
nfd = initdevice(dev, 1);
ip->ip_hl = 6;
ip->ip_len = ip->ip_hl << 2;
IP_HL_A(ip, 6);
ip->ip_len = IP_HL(ip) << 2;
s[IPOPT_OPTVAL] = IPOPT_NOP;
s++;
if (!ptest || (ptest == 1)) {
@ -484,8 +492,8 @@ int ptest;
PAUSE();
}
ip->ip_hl = 7;
ip->ip_len = ip->ip_hl << 2;
IP_HL_A(ip, 7);
ip->ip_len = IP_HL(ip) << 2;
if (!ptest || (ptest == 1)) {
/*
* Test 2: options have length = 0
@ -557,16 +565,16 @@ int ptest;
struct icmp *icp;
int nfd, i;
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
IP_HL_A(ip, sizeof(*ip) >> 2);
IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
ip->ip_p = IPPROTO_ICMP;
ip->ip_sum = 0;
ip->ip_len = sizeof(*ip) + sizeof(*icp);
icp = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
nfd = initdevice(dev, htons(1), 1);
icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
@ -754,25 +762,25 @@ int ptest;
int nfd, i;
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
IP_HL_A(ip, sizeof(*ip) >> 2);
IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)((char *)ip + (ip->ip_hl << 2));
u = (udphdr_t *)((char *)ip + (IP_HL(ip) << 2));
u->uh_sport = htons(1);
u->uh_dport = htons(1);
u->uh_ulen = htons(sizeof(*u) + 4);
nfd = initdevice(dev, u->uh_sport, 1);
nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
* Test 1. ulen > packet
*/
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.1 UDP uh_ulen > packet size - short packets\n");
for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
u->uh_ulen = htons(i);
@ -789,7 +797,7 @@ int ptest;
* Test 2. ulen < packet
*/
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.2 UDP uh_ulen < packet size - short packets\n");
for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
ip->ip_len = i;
@ -807,7 +815,7 @@ int ptest;
* sport = 32768, sport = 65535
*/
u->uh_ulen = sizeof(*u) + 4;
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.3.1 UDP sport = 0\n");
u->uh_sport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@ -848,7 +856,7 @@ int ptest;
*/
u->uh_ulen = ntohs(sizeof(*u) + 4);
u->uh_sport = htons(1);
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.4.1 UDP dport = 0\n");
u->uh_dport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@ -915,11 +923,11 @@ int ptest;
tcphdr_t *t;
int nfd, i;
t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
#ifndef linux
t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
#if !defined(linux) && !defined(__osf__)
t->th_x2 = 0;
#endif
t->th_off = 0;
TCP_OFF_A(t, 0);
t->th_sport = htons(1);
t->th_dport = htons(1);
t->th_win = htons(4096);
@ -928,13 +936,13 @@ int ptest;
t->th_seq = htonl(1);
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
nfd = initdevice(dev, t->th_sport, 1);
nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
* Test 1: flags variations, 0 - 3f
*/
t->th_off = sizeof(*t) >> 2;
TCP_OFF_A(t, sizeof(*t) >> 2);
printf("5.1 Test TCP flag combinations\n");
for (i = 0; i <= (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN);
i++) {
@ -1058,14 +1066,13 @@ int ptest;
}
#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \
!defined(__sgi)
!defined(__sgi) && !defined(__hpux) && !defined(__osf__)
{
struct tcpcb *tcbp, tcb;
struct tcpiphdr ti;
struct sockaddr_in sin;
int fd, slen;
fd = -1;
bzero((char *)&sin, sizeof(sin));
for (i = 1; i < 63; i++) {
@ -1134,7 +1141,7 @@ int ptest;
t->th_flags = TH_ACK;
printf("5.6.1 TCP off = 1-15, len = 40\n");
for (i = 1; i < 16; i++) {
ti.ti_off = ntohs(i);
TCP_OFF_A(t, ntohs(i));
(void) send_tcp(nfd, mtu, ip, gwip);
printf("%d\r", i);
fflush(stdout);
@ -1150,7 +1157,7 @@ skip_five_and_six:
#endif
t->th_seq = htonl(1);
t->th_ack = htonl(1);
t->th_off = 0;
TCP_OFF_A(t, 0);
if (!ptest || (ptest == 7)) {
t->th_flags = TH_SYN;
@ -1262,7 +1269,7 @@ int ptest;
udphdr_t *u;
int nfd, i, j, k;
ip->ip_v = IPVERSION;
IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
@ -1273,7 +1280,7 @@ int ptest;
u->uh_dport = htons(9);
u->uh_sum = 0;
nfd = initdevice(dev, u->uh_sport, 1);
nfd = initdevice(dev, 1);
u->uh_ulen = htons(7168);
printf("6. Exhaustive mbuf test.\n");
@ -1284,7 +1291,7 @@ int ptest;
* First send the entire packet in 768 byte chunks.
*/
ip->ip_len = sizeof(*ip) + 768 + sizeof(*u);
ip->ip_hl = sizeof(*ip) >> 2;
IP_HL_A(ip, sizeof(*ip) >> 2);
ip->ip_off = htons(IP_MF);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, 0);
@ -1302,7 +1309,7 @@ int ptest;
for (j = 768; j < 3584; j += 768) {
ip->ip_len = sizeof(*ip) + 768;
ip->ip_off = htons(IP_MF|((j>>3) & 0x1fff));
ip->ip_off = htons(IP_MF|(j>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, j);
fflush(stdout);
@ -1310,7 +1317,7 @@ int ptest;
ip->ip_len = sizeof(*ip) + 128;
for (k = j - 768; k < j; k += 128) {
ip->ip_off = htons(IP_MF|((k>>3) & 0x1fff));
ip->ip_off = htons(IP_MF|(k>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, k);
fflush(stdout);
@ -1342,7 +1349,7 @@ int ptest;
int nfd, i, j;
u_char *s;
nfd = initdevice(dev, 0, 1);
nfd = initdevice(dev, 1);
pip = (ip_t *)tbuf;
srand(time(NULL) ^ (getpid() * getppid()));
@ -1352,7 +1359,7 @@ int ptest;
for (i = 0; i < 512; i++) {
for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
*s = (rand() >> 13) & 0xff;
pip->ip_v = IPVERSION;
IP_V_A(pip, IPVERSION);
bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
sizeof(struct in_addr));
pip->ip_sum = 0;
@ -1367,7 +1374,7 @@ int ptest;
for (i = 0; i < 512; i++) {
for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
*s = (rand() >> 13) & 0xff;
pip->ip_v = IPVERSION;
IP_V_A(pip, IPVERSION);
pip->ip_off &= htons(0xc000);
bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
sizeof(struct in_addr));
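Review bot: `TCP_OFF_A(t, ntohs(i));` in test 5.6.1 stores a byte-swapped value into the 4-bit data-offset field: on a little-endian host `ntohs(i)` for i = 1..15 is `i << 8`, whose low nibble is 0, so every packet in that loop presumably goes out with th_off = 0 rather than 1–15. Every other call in this file (`TCP_OFF_A(t, sizeof(*t) >> 2)`, `TCP_OFF_A(t, 0)`) passes a plain host value, so this one should be `TCP_OFF_A(t, i);`; the enclosing test function starts and ends outside the hunk. In the `@ -1058` hunk `fd = -1;` is dropped while `int fd, slen;` stays uninitialised, so if any later path tests `fd` before `socket()` assigns it, that is now a read of an indeterminate value — keeping `int fd = -1, slen;` is cheap. Removing the `& 0x1fff` mask from the `ip_off` computations is safe for the current loop bounds (i ≤ 63*1024+768 gives i>>3 < 8192) but now silently depends on them.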


@ -1,23 +1,25 @@
/* $NetBSD: larp.c,v 1.2 2002/01/24 08:21:40 martti Exp $ */
/* $NetBSD: larp.c,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* larp.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: larp.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp";
static const char rcsid[] = "@(#)Id: larp.c,v 2.4 2003/12/01 02:01:16 darrenr Exp";
#endif
#include <stdio.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <stdio.h>
#include <netdb.h>
#include <errno.h>
#include "ip_compat.h"
#include "iplang/iplang.h"
@ -27,7 +29,7 @@ static const char rcsid[] = "@(#)Id: larp.c,v 2.1.4.1 2001/06/26 10:43:22 darren
* its IP address in address
* (4 bytes)
*/
int resolve(host, address)
int resolve(host, address)
char *host, *address;
{
struct hostent *hp;


@ -1,9 +1,11 @@
/* $NetBSD: linux.h,v 1.2 2002/01/24 08:21:40 martti Exp $ */
/* $NetBSD: linux.h,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
* for the use of this software. I hate legaleese, don't you ?
*
* @(#)linux.h 1.1 8/19/95
*/


@ -1,16 +1,14 @@
/* $NetBSD: lsock.c,v 1.3 2002/03/14 12:32:40 martti Exp $ */
/* $NetBSD: lsock.c,v 1.4 2004/03/28 09:00:56 martti Exp $ */
/*
* lsock.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: lsock.c,v 2.1.4.2 2002/02/22 15:32:58 darrenr Exp";
#endif
#ifdef __sgi
# include <sys/ptimers.h>
static const char rcsid[] = "@(#)Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp";
#endif
#include <stdio.h>
#include <unistd.h>
@ -228,7 +226,7 @@ struct in_addr gwip;
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, ntohs(lsin.sin_port), 0);
nfd = initdevice(dev, 0);
if (!(s = find_tcp(fd, ti)))
return -1;


@ -1,23 +1,16 @@
/* $NetBSD: resend.c,v 1.5 2002/04/09 02:32:54 thorpej Exp $ */
/* $NetBSD: resend.c,v 1.6 2004/03/28 09:00:56 martti Exp $ */
/*
* resend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
@ -26,9 +19,6 @@
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
# include <netinet/ip_var.h>
# include <netinet/if_ether.h>
@ -36,16 +26,13 @@
# include <net/if_var.h>
# endif
#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: resend.c,v 2.1.4.4 2002/02/22 15:32:58 darrenr Exp";
#endif
extern int opts;
static u_char pbuf[65536]; /* 1 big packet */
@ -58,7 +45,7 @@ ip_t *ip;
tcphdr_t *t;
int i, j;
t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
if (ip->ip_tos)
printf("tos %#x ", ip->ip_tos);
if (ip->ip_off & 0x3fff)
@ -92,13 +79,13 @@ char *datain;
ether_header_t *eh;
char dhost[6];
ip_t *ip;
int fd, wfd = initdevice(dev, 0, 5), len, i;
int fd, wfd = initdevice(dev, 5), len, i;
if (datain)
fd = (*r->r_open)(datain);
else
fd = (*r->r_open)("-");
if (fd < 0)
exit(-1);
@ -134,7 +121,7 @@ char *datain;
sizeof(dhost));
if (!ip->ip_sum)
ip->ip_sum = chksum((u_short *)ip,
ip->ip_hl << 2);
IP_HL(ip) << 2);
bcopy(ip, (char *)(eh + 1), len);
len += sizeof(*eh);
printpacket(ip);


@ -1,20 +1,13 @@
/* $NetBSD: sbpf.c,v 1.3 2002/04/09 02:32:55 thorpej Exp $ */
/* $NetBSD: sbpf.c,v 1.4 2004/03/28 09:00:56 martti Exp $ */
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/mbuf.h>
#include <sys/time.h>
#include <sys/timeb.h>
@ -39,13 +32,21 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
#include <errno.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: sbpf.c,v 2.1.4.2 2001/09/30 04:04:28 darrenr Exp";
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp";
#endif
/*
@ -55,17 +56,15 @@ static u_char *buf = NULL;
static int bufsize = 0, timeout = 1;
int initdevice(device, sport, tout)
int initdevice(device, tout)
char *device;
int sport, tout;
int tout;
{
struct bpf_version bv;
struct timeval to;
struct ifreq ifr;
char bpfname[16];
int fd, i;
fd = -1;
int fd = 0, i;
for (i = 0; i < 16; i++)
{


@ -1,9 +1,10 @@
/* $NetBSD: sdlpi.c,v 1.2 2002/01/24 08:21:41 martti Exp $ */
/* $NetBSD: sdlpi.c,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
@ -21,10 +22,17 @@
#include <sys/stropts.h>
#ifdef sun
#include <sys/pfmod.h>
#include <sys/bufmod.h>
# include <sys/pfmod.h>
# include <sys/bufmod.h>
#endif
#ifdef __osf__
# include <sys/dlpihdr.h>
#else
# include <sys/dlpi.h>
#endif
#ifdef __hpux
# include <sys/dlpi_ext.h>
#endif
#include <sys/dlpi.h>
#include <net/if.h>
#include <netinet/in.h>
@ -40,7 +48,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: sdlpi.c,v 2.1.4.2 2001/06/26 10:43:22 darrenr Exp";
static const char rcsid[] = "@(#)Id: sdlpi.c,v 2.8 2004/01/05 14:17:07 darrenr Exp";
#endif
#define CHUNKSIZE 8192
@ -51,9 +59,9 @@ static const char rcsid[] = "@(#)Id: sdlpi.c,v 2.1.4.2 2001/06/26 10:43:22 darre
* Be careful to only include those defined in the flags option for the
* interface are included in the header size.
*/
int initdevice(device, sport, tout)
int initdevice(device, tout)
char *device;
int sport, tout;
int tout;
{
char devname[16], *s, buf[256];
int i, fd;
@ -81,24 +89,43 @@ int sport, tout;
exit(-1);
}
if (dlattachreq(fd, i) == -1 || dlokack(fd, buf) == -1)
if (dlattachreq(fd, i) == -1)
{
fprintf(stderr, "DLPI error\n");
fprintf(stderr, "dlattachreq: DLPI error\n");
exit(-1);
}
else if (dlokack(fd, buf) == -1)
{
fprintf(stderr, "dlokack(attach): DLPI error\n");
exit(-1);
}
#ifdef DL_HP_RAWDLS
if (dlpromisconreq(fd, DL_PROMISC_SAP) < 0)
{
fprintf(stderr, "dlpromisconreq: DL_PROMISC_PHYS error\n");
exit(-1);
}
else if (dlokack(fd, buf) < 0)
{
fprintf(stderr, "dlokack(promisc): DLPI error\n");
exit(-1);
}
/* 22 is INSAP as per the HP-UX DLPI Programmer's Guide */
dlbindreq(fd, 22, 1, DL_HP_RAWDLS, 0, 0);
#else
dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0);
#endif
dlbindack(fd, buf);
/*
* write full headers
*/
#ifdef sun /* we require RAW DLPI mode, which is a Sun extension */
#ifdef DLIOCRAW /* we require RAW DLPI mode, which is a Sun extension */
if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1)
{
fprintf(stderr, "DLIOCRAW error\n");
exit(-1);
}
#else
you lose
#endif
return fd;
}
@ -111,8 +138,19 @@ int sendip(fd, pkt, len)
int fd, len;
char *pkt;
{
struct strbuf dbuf, *dp = &dbuf;
struct strbuf dbuf, *dp = &dbuf, *cp = NULL;
int pri = 0;
#ifdef DL_HP_RAWDLS
struct strbuf cbuf;
dl_hp_rawdata_req_t raw;
cp = &cbuf;
raw.dl_primitive = DL_HP_RAWDATA_REQ;
cp->len = sizeof(raw);
cp->buf = (char *)&raw;
cp->maxlen = cp->len;
pri = MSG_HIPRI;
#endif
/*
* construct NIT STREAMS messages, first control then data.
*/
@ -120,7 +158,7 @@ char *pkt;
dp->len = len;
dp->maxlen = dp->len;
if (putmsg(fd, NULL, dp, 0) == -1)
if (putmsg(fd, cp, dp, pri) == -1)
{
perror("putmsg");
return -1;
@ -132,3 +170,4 @@ char *pkt;
}
return len;
}
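Review bot: The new HP-UX bind `dlbindreq(fd, 22, 1, DL_HP_RAWDLS, 0, 0);` ignores its return value, and the `dlbindack(fd, buf);` that follows it is unchecked too, so a failed bind (SAP already in use, or no permission) still lets initdevice hand back the stream and the failure would presumably only surface later as a confusing putmsg error in sendip. The attach and promiscuous requests directly above now each check their result and exit, so the bind should be treated the same way, e.g. `if (dlbindack(fd, buf) == -1) { fprintf(stderr, "dlbindack: DLPI error\n"); exit(-1); }` plus a check of the dlbindreq return in both branches, assuming dlbindreq signals failure with -1 as dlattachreq does. Separately, the promiscuous request asks for `DL_PROMISC_SAP` but its error text reads `dlpromisconreq: DL_PROMISC_PHYS error`; the message should name the mode actually requested. initdevice opens in the preceding hunk of this file; only its tail is visible in the hunk being reviewed.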


@ -1,14 +1,12 @@
/* $NetBSD: sirix.c,v 1.3 2002/03/14 12:32:40 martti Exp $ */
/* $NetBSD: sirix.c,v 1.4 2004/03/28 09:00:56 martti Exp $ */
/*
* (C)opyright 1992-1998 Darren Reed.
* (C)opyright 1997 Marc Boucher.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
@ -25,17 +23,15 @@
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include "ipsend.h"
#include <netinet/udp_var.h>
#if !defined(lint) && defined(LIBC_SCCS)
static char sirix[] = "@(#)sirix.c 1.0 10/9/97 (C)1997 Marc Boucher";
#endif
int initdevice(char *device, int sport, int tout)
int initdevice(char *device, int tout)
{
int fd;
struct sockaddr_raw sr;


@ -1,9 +1,10 @@
/* $NetBSD: slinux.c,v 1.2 2002/01/24 08:21:41 martti Exp $ */
/* $NetBSD: slinux.c,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
@ -29,7 +30,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
static const char rcsid[] = "@(#)Id: slinux.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp";
static const char rcsid[] = "@(#)Id: slinux.c,v 2.3 2001/06/09 17:09:26 darrenr Exp";
#endif
#define CHUNKSIZE 8192
@ -44,9 +45,9 @@ static int timeout;
static char *eth_dev = NULL;
int initdevice(dev, sport, spare)
int initdevice(dev, spare)
char *dev;
int sport, spare;
int spare;
{
int fd;


@ -1,9 +1,10 @@
/* $NetBSD: snit.c,v 1.2 2002/01/24 08:21:41 martti Exp $ */
/* $NetBSD: snit.c,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
@ -40,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: snit.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp";
static const char rcsid[] = "@(#)Id: snit.c,v 2.3 2001/06/09 17:09:26 darrenr Exp";
#endif
#define CHUNKSIZE 8192
@ -56,9 +57,9 @@ static const char rcsid[] = "@(#)Id: snit.c,v 2.1.4.1 2001/06/26 10:43:22 darren
static int timeout;
int initdevice(device, sport, tout)
int initdevice(device, tout)
char *device;
int sport, tout;
int tout;
{
struct strioctl si;
struct timeval to;


@ -1,22 +1,18 @@
/* $NetBSD: sock.c,v 1.5 2002/04/09 02:32:55 thorpej Exp $ */
/* $NetBSD: sock.c,v 1.6 2004/03/28 09:00:56 martti Exp $ */
/*
* sock.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp";
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#include <pwd.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/param.h>
#include <sys/stat.h>
#ifndef ultrix
#include <fcntl.h>
@ -26,21 +22,23 @@
#else
# include <sys/dir.h>
#endif
#define _KERNEL
#define KERNEL
#ifdef ultrix
# undef LOCORE
# include <sys/smp_lock.h>
#if !defined(__osf__)
# define _KERNEL
# define KERNEL
# ifdef ultrix
# undef LOCORE
# include <sys/smp_lock.h>
# endif
# include <sys/file.h>
# undef _KERNEL
# undef KERNEL
#endif
#include <sys/file.h>
#undef _KERNEL
#undef KERNEL
#include <nlist.h>
#include <sys/user.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/proc.h>
#if !defined(ultrix) && !defined(hpux)
#if !defined(ultrix) && !defined(hpux) && !defined(__osf__)
# include <kvm.h>
#endif
#ifdef sun
@ -58,20 +56,22 @@
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
#if defined(__FreeBSD__)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#include <netinet/ip_var.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#include <pwd.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: sock.c,v 2.1.4.5 2002/02/22 15:32:58 darrenr Exp";
#endif
int nproc;
struct proc *proc;
@ -383,7 +383,7 @@ struct in_addr gwip;
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, ntohs(lsin.sin_port), 1);
nfd = initdevice(dev, 1);
if (!(t = find_tcp(fd, ti)))
return -1;


@ -1,4 +1,4 @@
/* $NetBSD: tcpip.h,v 1.2 2003/08/07 09:21:11 agc Exp $ */
/* $NetBSD: tcpip.h,v 1.3 2004/03/28 09:00:56 martti Exp $ */
/*
* Copyright (c) 1982, 1986, 1993
@ -29,7 +29,7 @@
* SUCH DAMAGE.
*
* @(#)tcpip.h 8.1 (Berkeley) 6/10/93
* Id: tcpip.h,v 2.1 1999/08/04 17:31:16 darrenr Exp
* Id: tcpip.h,v 2.2.2.1 2004/03/23 12:58:06 darrenr Exp
*/
#ifndef _NETINET_TCPIP_H_
@ -52,11 +52,7 @@ struct ipovly {
*/
struct tcpiphdr {
struct ipovly ti_i; /* overlaid ip structure */
#ifdef linux
tcphdr_t ti_t;
#else
struct tcphdr ti_t; /* tcp header */
#endif
};
#ifdef notyet
/*


@ -1,86 +0,0 @@
/* $NetBSD: ultrix.c,v 1.2 2002/01/24 08:21:41 martti Exp $ */
/*
* (C)opyright 1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <strings.h>
#include <unistd.h>
#include <stdlib.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netdnet/dli_var.h>
static struct dli_devid dli_devid;
int initdevice(device, sport, tout)
char *device;
int sport, tout;
{
u_char *s;
int fd;
fd = socket(AF_DLI, SOCK_DGRAM, 0);
if (fd == -1)
perror("socket(AF_DLI,SOCK_DGRAM)");
else {
strncpy(dli_devid.dli_devname, device, DLI_DEVSIZE);
dli_devid.dli_devname[DLI_DEVSIZE] ='\0';
for (s = dli_devid.dli_devname; *s && isalpha((char)*s); s++)
;
if (*s && isdigit((char)*s)) {
dli_devid.dli_devnumber = atoi(s);
}
}
return fd;
}
/*
* output an IP packet onto a fd opened for /dev/bpf
*/
int sendip(fd, pkt, len)
int fd, len;
char *pkt;
{
struct sockaddr_dl dl;
struct sockaddr_edl *edl = &dl.choose_addr.dli_eaddr;
dl.dli_family = AF_DLI;
dl.dli_substructype = DLI_ETHERNET;
bcopy((char *)&dli_devid, (char *)&dl.dli_device, sizeof(dli_devid));
bcopy(pkt, edl->dli_target, DLI_EADDRSIZE);
bcopy(pkt, edl->dli_dest, DLI_EADDRSIZE);
bcopy(pkt + DLI_EADDRSIZE * 2, (char *)&edl->dli_protype, 2);
edl->dli_ioctlflg = 0;
if (sendto(fd, pkt, len, 0, (struct sockaddr *)&dl, sizeof(dl)) == -1)
{
perror("send");
return -1;
}
return len;
}
char *strdup(str)
char *str;
{
char *s;
if ((s = (char *)malloc(strlen(str) + 1)))
return strcpy(s, str);
return NULL;
}

512
dist/ipf/ipt.c vendored

@ -1,512 +0,0 @@
/* $NetBSD: ipt.c,v 1.11 2002/12/06 04:43:53 thorpej Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
# if __FreeBSD_cc_version < 430000
# include <osreldate.h>
# endif
# endif
#endif
#ifdef __sgi
# define _KMEMUSER
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <assert.h>
#include <string.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi)
#include <strings.h>
#else
#if !defined(__sgi)
#include <sys/byteorder.h>
#endif
#include <sys/file.h>
#endif
#include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
#include "ip_compat.h"
#include <netinet/tcpip.h>
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#include "ip_frag.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp";
#endif
extern char *optarg;
extern struct frentry *ipfilter[2][2];
extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
extern struct ifnet *get_unit __P((char *, int));
extern void init_ifp __P((void));
extern ipnat_t *natparse __P((char *, int));
extern int fr_running;
int opts = 0;
int rremove = 0;
int use_inet6 = 0;
int main __P((int, char *[]));
int loadrules __P((char *));
int kmemcpy __P((char *, long, int));
void dumpnat __P((void));
void dumpstate __P((void));
char *getifname __P((void *));
void drain_log __P((char *));
int main(argc,argv)
int argc;
char *argv[];
{
char *datain, *iface, *ifname, *packet, *logout;
int fd, i, dir, c, loaded, dump, hlen;
struct ifnet *ifp;
struct ipread *r;
u_long buf[2048];
ip_t *ip;
dir = 0;
dump = 0;
loaded = 0;
r = &iptext;
iface = NULL;
logout = NULL;
ifname = "anon0";
datain = NULL;
nat_init();
fr_stateinit();
initparse();
ipflog_init();
fr_running = 1;
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1)
switch (c)
{
case '6' :
#ifdef USE_INET6
use_inet6 = 1;
break;
#else
fprintf(stderr, "IPv6 not supported\n");
exit(1);
#endif
case 'b' :
opts |= OPT_BRIEF;
break;
case 'd' :
opts |= OPT_DEBUG;
break;
case 'D' :
dump = 1;
break;
case 'i' :
datain = optarg;
break;
case 'I' :
ifname = optarg;
break;
case 'l' :
logout = optarg;
break;
case 'o' :
opts |= OPT_SAVEOUT;
break;
case 'r' :
if (loadrules(optarg) == -1)
return -1;
loaded = 1;
break;
case 'v' :
opts |= OPT_VERBOSE;
break;
case 'E' :
r = &etherf;
break;
case 'H' :
r = &iphex;
break;
case 'N' :
opts |= OPT_NAT;
break;
case 'P' :
r = &pcap;
break;
case 'R' :
rremove = 1;
break;
case 'S' :
r = &snoop;
break;
case 'T' :
r = &tcpd;
break;
case 'x' :
opts |= OPT_HEX;
break;
case 'X' :
r = &iptext;
break;
}
if (loaded == 0) {
(void)fprintf(stderr,"no rules loaded\n");
exit(-1);
}
if (opts & OPT_SAVEOUT)
init_ifp();
if (datain)
fd = (*r->r_open)(datain);
else
fd = (*r->r_open)("-");
if (fd < 0)
exit(-1);
ip = (ip_t *)buf;
while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
&iface, &dir)) > 0) {
if (iface == NULL || *iface == '\0')
iface = ifname;
ifp = get_unit(iface, ip->ip_v);
hlen = 0;
if (!use_inet6) {
ip->ip_off = ntohs(ip->ip_off);
ip->ip_len = ntohs(ip->ip_len);
hlen = ip->ip_hl << 2;
}
#ifdef USE_INET6
else
hlen = sizeof(ip6_t);
#endif
packet = (char *)buf;
/* ipfr_slowtimer(); */
i = fr_check(ip, hlen, ifp, dir, (void *)&packet);
if ((opts & OPT_NAT) == 0)
switch (i)
{
case -5 :
(void)printf("block return-icmp-as-dest");
break;
case -4 :
(void)printf("block return-icmp");
break;
case -3 :
(void)printf("block return-rst");
break;
case -2 :
(void)printf("auth");
break;
case -1 :
(void)printf("block");
break;
case 0 :
(void)printf("pass");
break;
case 1 :
(void)printf("nomatch");
break;
}
if (!use_inet6) {
ip->ip_off = htons(ip->ip_off);
ip->ip_len = htons(ip->ip_len);
}
if (!(opts & OPT_BRIEF)) {
putchar(' ');
printpacket((ip_t *)buf);
printf("--------------");
} else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
printpacket((ip_t *)buf);
#ifndef linux
if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL))
# if defined(__sgi) && (IRIX < 605)
(*ifp->if_output)(ifp, (void *)packet, NULL);
# else
(*ifp->if_output)(ifp, (void *)packet, NULL, 0);
# endif
#endif
if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
putchar('\n');
dir = 0;
if (iface != ifname) {
free(iface);
iface = ifname;
}
}
(*r->r_close)();
if (logout != NULL) {
drain_log(logout);
}
if (dump == 1) {
dumpnat();
dumpstate();
}
return 0;
}
/*
* Load in either NAT or ipf rules from a file, which is treated as stdin
* if the name is "-". NOTE, stdin can only be used once as the file is
* closed after use.
*/
int loadrules(file)
char *file;
{
char line[513], *s;
int linenum, i;
void *fr;
FILE *fp;
if (!strcmp(file, "-"))
fp = stdin;
else if (!(fp = fopen(file, "r"))) {
(void)fprintf(stderr, "couldn't open %s\n", file);
return (-1);
}
if (!(opts & OPT_BRIEF))
(void)printf("opening rule file \"%s\"\n", file);
linenum = 0;
while (fgets(line, sizeof(line) - 1, fp)) {
linenum++;
/*
* treat both CR and LF as EOL
*/
if ((s = index(line, '\n')))
*s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
/*
* # is comment marker, everything after is a ignored
*/
if ((s = index(line, '#')))
*s = '\0';
if (!*line)
continue;
/* fake an `ioctl' call :) */
if ((opts & OPT_NAT) != 0) {
if (!(fr = natparse(line, linenum)))
continue;
if (rremove == 0) {
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(ADNAT,%p,1) = %d\n",
fr, i);
} else {
i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(RMNAT,%p,1) = %d\n",
fr, i);
}
} else {
if (!(fr = parse(line, linenum)))
continue;
if (rremove == 0) {
i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(ADAFR,%p,1) = %d\n",
fr, i);
} else {
i = IPL_EXTERN(ioctl)(0, SIOCRMAFR,
(caddr_t)&fr,
FWRITE|FREAD);
if (opts & OPT_DEBUG)
fprintf(stderr,
"iplioctl(RMAFR,%p,1) = %d\n",
fr, i);
}
}
}
(void)fclose(fp);
return 0;
}
int kmemcpy(addr, offset, size)
char *addr;
long offset;
int size;
{
bcopy((char *)offset, addr, size);
return 0;
}
/*
* Display the built up NAT table rules and mapping entries.
*/
void dumpnat()
{
ipnat_t *ipn;
nat_t *nat;
printf("List of active MAP/Redirect filters:\n");
for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
printf("\nList of active sessions:\n");
for (nat = nat_instances; nat; nat = nat->nat_next)
printactivenat(nat, opts);
}
/*
* Display the built up state table rules and mapping entries.
*/
void dumpstate()
{
ipstate_t *ips;
printf("List of active state sessions:\n");
for (ips = ips_list; ips != NULL; )
ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE));
}
/*
* Given a pointer to an interface in the kernel, return a pointer to a
* string which is the interface name.
*/
char *getifname(ptr)
void *ptr;
{
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
#else
char buf[32], *s;
int len;
#endif
struct ifnet netif;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
return "X";
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
return strdup(netif.if_xname);
#else
if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
return "X";
if (netif.if_unit < 10)
len = 2;
else if (netif.if_unit < 1000)
len = 3;
else if (netif.if_unit < 10000)
len = 4;
else
len = 5;
buf[sizeof(buf) - len] = '\0';
for (s = buf; *s && !isdigit(*s); s++)
;
if (isdigit(*s))
*s = '\0';
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
return strdup(buf);
#endif
}
void drain_log(filename)
char *filename;
{
char buffer[IPLLOGSIZE];
struct iovec iov;
struct uio uio;
size_t resid;
int fd;
fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
if (fd == -1) {
perror("drain_log:open");
return;
}
while (1) {
bzero((char *)&iov, sizeof(iov));
iov.iov_base = buffer;
iov.iov_len = sizeof(buffer);
bzero((char *)&uio, sizeof(uio));
uio.uio_iov = &iov;
uio.uio_iovcnt = 1;
uio.uio_resid = iov.iov_len;
resid = uio.uio_resid;
if (ipflog_read(0, &uio) == 0) {
/*
* If nothing was read then break out.
*/
if (uio.uio_resid == resid)
break;
write(fd, buffer, resid - uio.uio_resid);
} else
break;
}
close(fd);
}

14
dist/ipf/ipt.h vendored

@ -1,10 +1,11 @@
/* $NetBSD: ipt.h,v 1.4 2002/01/24 08:21:34 martti Exp $ */
/* $NetBSD: ipt.h,v 1.5 2004/03/28 09:00:54 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* Id: ipt.h,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp
*
* Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp
*/
#ifndef __IPT_H__
@ -26,12 +27,13 @@ struct ipread {
int (*r_open) __P((char *));
int (*r_close) __P((void));
int (*r_readip) __P((char *, int, char **, int *));
int r_flags;
};
extern void debug __P((char *, ...))
__attribute__((__format__(__printf__, 1, 2)));
extern void verbose __P((char *, ...))
__attribute__((__format__(__printf__, 1, 2)));
#define R_DO_CKSUM 0x01
extern void debug __P((char *, ...));
extern void verbose __P((char *, ...));
#ifdef P_DEF
# undef __P

244
dist/ipf/kmem.c vendored

@ -1,244 +0,0 @@
/* $NetBSD: kmem.c,v 1.10 2002/09/19 08:10:41 martti Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* kmemcpy() - copies n bytes from kernel memory into user buffer.
* returns 0 on success, -1 on error.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <sys/param.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#ifndef __sgi
#include <kvm.h>
#endif
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include "kmem.h"
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "ipf.h"
#ifndef __STDC__
# define const
#endif
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp";
#endif
#ifdef __sgi
typedef int kvm_t;
static int kvm_fd = -1;
static char *kvm_errstr;
kvm_t *kvm_open(kernel, core, swap, mode, errstr)
char *kernel, *core, *swap;
int mode;
char *errstr;
{
kvm_errstr = errstr;
if (core == NULL)
core = "/dev/kmem";
kvm_fd = open(core, mode);
return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
}
int kvm_read(kvm, pos, buffer, size)
kvm_t *kvm;
u_long pos;
char *buffer;
size_t size;
{
size_t left;
char *bufp;
int r;
if (lseek(*kvm, pos, 0) == -1) {
fprintf(stderr, "%s", kvm_errstr);
perror("lseek");
return -1;
}
for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
r = read(*kvm, bufp, 1);
if (r <= 0)
return -1;
}
return size;
}
#endif
static kvm_t *kvm_f = NULL;
int openkmem(kern, core)
char *kern, *core;
{
union {
int ui;
kvm_t *uk;
} k;
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
if (kvm_f == NULL)
{
perror("openkmem:open");
return -1;
}
k.uk = kvm_f;
return k.ui;
}
int kmemcpy(buf, pos, n)
register char *buf;
long pos;
register int n;
{
register int r;
if (!n)
return 0;
if (kvm_f == NULL)
if (openkmem(NULL, NULL) == -1)
return -1;
while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
perror("kmemcpy:read");
return -1;
}
else
{
buf += r;
pos += r;
n -= r;
}
return 0;
}
int kstrncpy(buf, pos, n)
register char *buf;
long pos;
register int n;
{
register int r;
if (!n)
return 0;
if (kvm_f == NULL)
if (openkmem(NULL, NULL) == -1)
return -1;
while (n > 0)
{
r = kvm_read(kvm_f, pos, buf, (size_t)1);
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
perror("kstrncpy:read");
return -1;
}
else
{
if (*buf == '\0')
break;
buf++;
pos++;
n--;
}
}
return 0;
}
/*
* Given a pointer to an interface in the kernel, return a pointer to a
* string which is the interface name.
*/
char *getifname(ptr)
void *ptr;
{
#if SOLARIS
char *ifname;
ill_t ill;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
return "X";
ifname = malloc(ill.ill_name_length + 1);
if (kmemcpy(ifname, (u_long)ill.ill_name,
ill.ill_name_length) == -1)
return "X";
return ifname;
#else
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
#else
char buf[32];
int len;
# endif
struct ifnet netif;
if (ptr == (void *)-1)
return "!";
if (ptr == NULL)
return "-";
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
return "X";
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
defined(__OpenBSD__)
return strdup(netif.if_xname);
# else
if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
return "X";
if (netif.if_unit < 10)
len = 2;
else if (netif.if_unit < 1000)
len = 3;
else if (netif.if_unit < 10000)
len = 4;
else
len = 5;
buf[sizeof(buf) - len] = '\0';
sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
return strdup(buf);
# endif
#endif
}

5
dist/ipf/kmem.h vendored

@ -1,10 +1,10 @@
/* $NetBSD: kmem.h,v 1.3 2002/01/24 08:21:34 martti Exp $ */
/* $NetBSD: kmem.h,v 1.4 2004/03/28 09:00:54 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* Id: kmem.h,v 2.2.2.4 2002/01/01 13:43:48 darrenr Exp
* Id: kmem.h,v 2.5 2002/08/21 22:57:36 darrenr Exp
*/
#ifndef __KMEM_H__
@ -20,7 +20,6 @@
extern int openkmem __P((char *, char *));
extern int kmemcpy __P((char *, long, int));
extern int kstrncpy __P((char *, long, int));
extern char *getifname __P((void *));
#if defined(__NetBSD__) || defined(__OpenBSD)
# include <paths.h>

11
dist/ipf/man/Makefile vendored

@ -1,9 +1,7 @@
#
# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
all:
@ -12,12 +10,19 @@ install:
$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
$(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipfilter.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipfilter.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipmon.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ippool.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ippool.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipscan.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipscan.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
@echo "Remember to rebuild the whatis database."

8
dist/ipf/man/ipf.4 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipf.4,v 1.10 2002/09/04 00:09:23 wiz Exp $
.\" $NetBSD: ipf.4,v 1.11 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPF 4
.SH NAME
@ -37,8 +37,8 @@ However, the full complement is as follows:
ioctl(fd, SIOCFRSYN, u_int *)
ioctl(fd, SIOCFRZST, struct friostat **)
ioctl(fd, SIOCZRLST, struct frentry **)
ioctl(fd, SIOCAUTHW, struct frauth_t **)
ioctl(fd, SIOCAUTHR, struct frauth_t **)
ioctl(fd, SIOCAUTHW, struct fr_info **)
ioctl(fd, SIOCAUTHR, struct fr_info **)
ioctl(fd, SIOCATHST, struct fr_authstat **)
.fi
.PP
@ -124,7 +124,7 @@ Flags which are recognised in fr_flags:
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
FR_NOMATCH 0x000200 /* No match occurred */
FR_NOMATCH 0x000200 /* no match occured */
FR_ACCOUNT 0x000400 /* count packet bytes */
FR_KEEPFRAG 0x000800 /* keep fragment information */
FR_KEEPSTATE 0x001000 /* keep `connection' state information */

31
dist/ipf/man/ipf.5 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipf.5,v 1.9 2002/12/21 13:28:25 wiz Exp $
.\" $NetBSD: ipf.5,v 1.10 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPF 5
.SH NAME
@ -21,12 +21,13 @@ described using the following grammar in BNF:
\fC
.nf
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
[ proto ] ip [ group ].
insert = "@" decnumber .
action = block | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
[ froute ] [ replyto ] ] .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
@ -34,19 +35,24 @@ ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ return-icmp[return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
tag = "tag" tagid .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
froute = "fastroute" | "to" interface-name .
auth = "auth" | "preauth" .
call = "call" [ "now" ] function-name .
dup = "dup-to" interface-name [ ":" ipaddr ] .
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
replyto = "reply-to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" [ "!" ] object "to" [ "!" ] object .
return-icmp = "return-icmp" | "return-icmp-as-dest" .
return-code = "(" icmp-code ")" .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
addr = "any" | "<thishost>" | nummask |
host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags = "flags" flag { flag } [ "/" flag { flag } ] .
@ -63,7 +69,7 @@ host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" optname .
opttype = "ipopts" | "short" | "frag" | "opt" optname .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .
@ -207,6 +213,13 @@ indicates that, should this be the last matching rule, the packet
header will be written to the \fBipl\fP log (as described in the
LOGGING section below).
.TP
.B tag tagid
indicates that, if this rule causes the packet to be logged or entered
in the state table, the tagid will be logged as part of the log entry.
This can be used to quickly match "similar" rules in scripts that post
process the log files for e.g. generation of security reports or accounting
purposes. The tagid is a 32 bit unsigned integer.
.TP
.B quick
allows "short-cut" rules in order to speed up the filter or override
later rules. If a packet matches a filter rule which is marked as
@ -376,7 +389,7 @@ against, e.g.:
# packets with ONLY the SYN flag set.
... flags SA
# becomes "flags SA/AUPRFSC" and will match any
# becomes "flags SA/AUPRFS" and will match any
# packet with only the SYN and ACK flags set.
... flags S/SA

36
dist/ipf/man/ipf.8 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipf.8,v 1.8 2003/05/17 13:58:07 itojun Exp $
.\" $NetBSD: ipf.8,v 1.9 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPF 8
.SH NAME
@ -6,11 +6,14 @@ ipf \- alters packet filtering lists for IP packet input and output
.SH SYNOPSIS
.B ipf
[
.B \-6AdDEInoPrsUvVyzZ
.B \-6AcdDEInoPrsvVyzZ
] [
.B \-l
<block|pass|nomatch>
] [
.B \-T
<optionlist>
] [
.B \-F
<i|o|a|s|S>
]
@ -38,6 +41,15 @@ This option is required to parse IPv6 rules and to have them loaded.
.B \-A
Set the list to make changes to the active list (default).
.TP
.B \-c <language>
This option causes \fBipf\fP to generate output files for a compiler that
supports \fBlanguage\fI. At present, the only target language supported is
\fBC\fB (-cc) for which two files - \fBip_rules.c\fP
and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when
\fBipf\fP is being run. These files can be used with the
\fBIPFILTER_COMPILED\fP kernel option to build filter rules staticly into
the kernel.
.TP
.B \-d
Turn debug mode on. Causes a hexdump of filter rules to be generated as
it processes each one.
@ -94,10 +106,22 @@ Remove matching filter rules rather than add them to the internal lists
.TP
.B \-s
Swap the active filter list in use to be the "other" one.
.TP
.B \-U
(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
recognised as IP packets. They will be printed out on the console.
.B \-T <optionlist>
This option allows run-time changing of IPFilter kernel variables. Some
variables require IPFilter to be in a disabled state (\fB-D\fP) for changing,
others do not. The optionlist parameter is a comma separated list of tuning
commands. A tuning command is either "list" (retrieve a list of all variables
in the kernel, their maximum, minimum and current value), a single variable
name (retrieve its current value) and a variable name with a following
assignment to set a new value. Some examples follow.
.nf
# Print out all IPFilter kernel tunable parameters
ipf -T list
# Display the current TCP idle timeout and then set it to 3600
ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
ipf -T fr_pass,fr_chksrc,fr_chksrc=1
.fi
.TP
.B \-v
Turn verbose mode on. Displays information relating to rule processing.

10
dist/ipf/man/ipfs.8 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipfs.8,v 1.3 2003/01/04 01:18:02 wiz Exp $
.\" $NetBSD: ipfs.8,v 1.4 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPFS 8
.SH NAME
@ -54,7 +54,6 @@ Change the default directory used with
and
.B \-W
options for saving state information.
.TP
.B \-n
Don't actually take any action that would effect information stored in
the kernel or on disk.
@ -62,11 +61,6 @@ the kernel or on disk.
.B \-v
Provides a verbose description of what's being done.
.TP
.B \-i <ifname1>,<ifname2>
Change all instances of interface name ifname1 in the state save file to
ifname2. Useful if you're restoring state information after a hardware
reconfiguration or change.
.TP
.B \-N
Operate on NAT information.
.TP
@ -77,7 +71,7 @@ Operate on filtering state information.
Unlock state tables in the kernel.
.TP
.B \-l
Lock state tables in the kernel.
Unlock state tables in the kernel.
.TP
.B \-r
Read information in from the specified file and load it into the


@ -1,4 +1,4 @@
.\" $NetBSD: ipfstat.8,v 1.9 2003/03/30 17:10:31 wiz Exp $
.\" $NetBSD: ipfstat.8,v 1.10 2004/03/28 09:00:56 martti Exp $
.\"
.TH ipfstat 8
.SH NAME
@ -6,10 +6,7 @@ ipfstat \- reports on packet filter statistics and filter list
.SH SYNOPSIS
.B ipfstat
[
.B \-6aAfghIinosv
] [
.B \-d
<device>
.B \-6aACdfghIinosv
]
.B ipfstat -t
@ -27,9 +24,6 @@ ipfstat \- reports on packet filter statistics and filter list
] [
.B \-T
<refresh time>
] [
.B \-d
<device>
]
.SH DESCRIPTION
.PP
@ -58,8 +52,8 @@ Display "closed" states as well in the top. Normally, a TCP connection is
not displayed when it reaches the CLOSE_WAIT protocol state. With this
option enabled, all state entries are displayed.
.TP
.BR \-d \0<device>
Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
.BR \-d
Produce debugging output when displaying data.
.TP
.BR \-D \0<addrport>
This option is only valid in combination with \fB\-t\fP. Limit the state top


@ -1,4 +1,4 @@
.\" $NetBSD: ipftest.1,v 1.4 2002/12/21 13:14:38 wiz Exp $
.\" $NetBSD: ipftest.1,v 1.5 2004/03/28 09:00:56 martti Exp $
.\"
.TH ipftest 1
.SH NAME
@ -6,7 +6,10 @@ ipftest \- test packet filter rules with arbitrary input.
.SH SYNOPSIS
.B ipftest
[
.B \-vbdPRSTEHX
.B \-6bdDNovxX
] [
.B \-F
input-format
] [
.B \-I
interface
@ -73,21 +76,42 @@ This is useful with the \fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is
not otherwise possible to associate a packet with an interface. Normal
"text packets" can override this setting.
.TP
.B \-P
.B \-F
This option is used to select which input format the input file is in.
The following formats are available: etherfind, hex, pcap, snoop, tcpdump.
.RS
.TP
.B etherfind
The input file is to be text output from etherfind. The text formats which
are currently supported are those which result from the following etherfind
option combinations:
.PP
.nf
etherfind -n
etherfind -n -t
.fi
.TP
.B hex
The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in
the IP header. A packet may be broken up over several lines of hex digits,
a blank line indicating the end of the packet. It is possible to specify
both the interface name and direction of the packet (for filtering purposes)
at the start of the line using this format: [direction,interface] To define
a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
and part of the input syntax.
.HP
.B pcap
The input file specified by \fB\-i\fP is a binary file produced using libpcap
(i.e., tcpdump version 3). Packets are read from this file as being input
(for rule purposes). An interface maybe specified using \fB\-I\fP.
.TP
.B \-R
Remove rules rather than load them. This is not a toggle option, so once
set, it cannot be reset by further use of -R.
.TP
.B \-S
.B snoop
The input file is to be in "snoop" format (see RFC 1761). Packets are read
from this file and used as input from any interface. This is perhaps the
most useful input type, currently.
.TP
.B \-T
.B tcpdump
The input file is to be text output from tcpdump. The text formats which
are currently supported are those which result from the following tcpdump
option combinations:
@ -100,31 +124,12 @@ option combinations:
tcpdump -nqte
.fi
.LP
.TP
.B \-H
The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in
the IP header. A packet may be broken up over several lines of hex digits,
a blank line indicating the end of the packet. It is possible to specify
both the interface name and direction of the packet (for filtering purposes)
at the start of the line using this format: [direction,interface] To define
a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
and part of the input syntax.
.RE
.DT
.TP
.B \-X
The input file is composed of text descriptions of IP packets.
.TP
.B \-E
The input file is to be text output from etherfind. The text formats which
are currently supported are those which result from the following etherfind
option combinations:
.PP
.nf
etherfind -n
etherfind -n -t
.fi
.LP
.TP
.BR \-i \0<filename>
Specify the filename from which to take input. Default is stdin.
.TP

6
dist/ipf/man/ipl.4 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipl.4,v 1.5 2003/01/04 01:18:02 wiz Exp $
.\" $NetBSD: ipl.4,v 1.6 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPL 4
.SH NAME
@ -51,7 +51,7 @@ When reading from the \fBipl\fP device, it is necessary to call read(2) with
a buffer big enough to hold at least 1 complete log record - reading of partial
log records is not supported.
.PP
If the packet contents are more than 128 bytes when \fBlog body\fP is used,
If the packet contents is more then 128 bytes when \fBlog body\fP is used,
then only 128 bytes of the packet contents is logged.
.PP
Although it is only possible to read from the \fBipl\fP device, opening it
@ -78,4 +78,4 @@ ipf(4)
.SH BUGS
Packet headers are dropped when the internal buffer (static size) fills.
.SH FILES
/dev/ipl
/dev/ipl0

11
dist/ipf/man/ipmon.8 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipmon.8,v 1.14 2004/01/28 20:15:52 kleink Exp $
.\" $NetBSD: ipmon.8,v 1.15 2004/03/28 09:00:56 martti Exp $
.\"
.TH ipmon 8
.SH NAME
@ -48,11 +48,8 @@ long).
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short
packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order
of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or
\fBB\fP means that the packet has been logged due to a global logging
setting, not a particular rule.
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
@ -172,3 +169,5 @@ recorded data.
.SH SEE ALSO
ipl(4), ipf(8), ipfstat(8), ipnat(8)
.SH BUGS
.PP
If you find any, please send email to me at darrenr@pobox.com

125
dist/ipf/man/ipnat.5 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipnat.5,v 1.14 2003/07/02 13:26:26 wiz Exp $
.\" $NetBSD: ipnat.5,v 1.15 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPNAT 5
.SH NAME
@ -9,11 +9,11 @@ The format for files accepted by ipnat is described by the following grammar:
.nf
ipmap :: = mapblock | redir | map .
map ::= mapit ifname ipmask "->" dstipmask [ mapport ] [ clamp ] .
map ::= mapit ifname fromto "->" dstipmask [ mapport ] [ clamp ] .
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] [ clamp ] .
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
map ::= mapit ifname lhs "->" dstipmask [ mapport | mapproxy ] mapoptions.
mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions.
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions .
lhs ::= ipmask | fromto .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
rdrport ::= "port" portnum .
@ -22,28 +22,32 @@ fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
dstipmask ::= ipmask | "range" ip "-" ip .
mapport ::= "portmap" tcpudp portspec .
clamp ::= "mssclamp" number .
options ::= [ tcpudp ] [ rr ] .
mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] .
object :: = addr [ port-comp | port-range ] .
addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
object :: = addr [ port-comp | port-range ] .
addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp :: = "port" compare port-num .
port-range :: = "port" port-num range port-num .
rdrproto ::= tcpudp | protocol .
rr ::= "round-robin" .
nummask = host-name [ "/" decnumber ] .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
age ::= "age" decnumber [ "/" decnumber ] .
clamp ::= "mssclamp" decnumber .
tcpudp ::= "tcp/udp" | protocol .
mapproxy ::= "proxy" "port" port proxy-name '/' protocol
rdrproxy ::= "proxy" proxy-name .
protocol ::= protocol-name | decnumber .
nummask ::= host-name [ "/" decnumber ] .
portspec ::= "auto" | portnumber ":" portnumber .
port ::= portnumber | port-name .
portnumber ::= number { numbers } .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
.fi
.PP
In addition to this, # is used to mark the start of a comment and may
appear at the end of a line with a NAT rule (as described above) or on its
own lines. Blank lines are ignored.
.PP
For standard NAT functionality, a rule should start with \fBmap\fP and then
proceeds to specify the interface for which outgoing packets will have their
source address rewritten.
@ -99,15 +103,6 @@ or as
map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
.fi
.LP
For even greater control, one may negate either of the "from" or "to" clauses
with a preceding exclamation mark ("!"). Please note that one may not use a
negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP
rule. Such a rule might look like the following:
.LP
.nf
+map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32
.fi
.PP
Only IP address and port numbers can be compared against. This is available
with all NAT rules.
.SH TRANSLATION
@ -128,11 +123,74 @@ how it searches for a new, free and unique tuple, in that it will used an
algorithm to determine what the new source address should be, along with the
range of available ports - the IP address is never changed and nor does the
port number ever exceed its allotted range.
.SH ICMPIDMAP
.PP
ICMP messages can be divided into two groups: "errors" and "queries". ICMP
errors are generated as a response of another IP packet. IP Filter will take
care that ICMP errors that are the response of a NAT-ed IP packet are
handled properly.
.PP
For 4 types of ICMP queries (echo request, timestamp request, information
request and address mask request) IP Filter supports an additional mapping
called "ICMP id mapping". All these 4 types of ICMP queries use a unique
identifier called the ICMP id. This id is set by the process sending the
ICMP query and it is usually equal to the process id. The receiver of the
ICMP query will use the same id in its response, thus enabling the
sender to recognize that the incoming ICMP reply is intended for him and is
an answer to a query that he made. The "ICMP id mapping" feature modifies
these ICMP id in a way identical to \fBportmap\fP for TCP or UDP.
.PP
The reason that you might want this, is that using this feature you don't
need an IP address per host behind the NAT box, that wants to do ICMP queries.
The two numbers behind the \fBicmpidmap\fP keyword are the first and the
last icmp id number that can be used. There is one important caveat: if you
map to an IP address that belongs to the NAT box itself (notably if you have
only a single public IP address), then you must ensure that the NAT box does
not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule.
Since the ICMP id is usually the process id, it is wise to restrict the
largest permittable process id (PID) on your operating system to e.g. 63999 and
use the range 64000:65535 for ICMP id mapping. Changing the maximal PID is
system dependent. For most BSD derived systems can be done by changing
PID_MAX in /usr/include/sys/proc.h and then rebuild the system.
.SH KERNEL PROXIES
.PP
IP Filter comes with a few, simple, proxies built into the code that is loaded
into the kernel to allow secondary channels to be opened without forcing the
packets through a user program.
packets through a user program. The current state of the proxies is listed
below, as one of three states:
.HP
Aging - protocol is roughly understood from
the time at which the proxy was written but it is not well tested or
maintained;
.HP
Developmental - basic functionality exists, works most of the time but
may be problematic in extended real use;
.HP
Experimental - rough support for the protocol at best, may or may not
work as testing has been at best sporadic, possible large scale changes
to the code in order to properly support the protocol.
.HP
Mature - well tested, protocol is properly
understood by the proxy;
.PP
The currently compiled in proxy list is as follows:
.HP
FTP - Mature
.HP
IRC - Experimental
.HP
rpcbind - Experimental
.HP
H.323 - Experimental
.HP
Real Audio (PNA) - Aging
.HP
IPsec - Developmental
.HP
netbios - Experimental
.HP
R-command - Mature
.SH TRANSPARENT PROXIES
.PP
True transparent proxying should be performed using the redirect (\fBrdr\fP)
@ -219,23 +277,6 @@ own. As opposed to the above use of \fBmap\fP, if for some reason the user
of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
IP address with the \fBmap\fP command.
.LP
.nf
map pppoe0 10.0.0.0/8 -> 209.1.2.0/24 mssclamp 1452
.fi
.PP
The mssclamp clause tells the NAT processor to scan for TCP packets in the
three-way handshake and limit their negotiated MSS value to the number
given in the rule. This is useful to make hosts behind a connection with
low MTU (like PPPoE or tunnels) communicate without any outside proxies
with broken sites that use a misconfigured firewall. Unfortunately such
sites are not rare.
.PP
The value for the clamping clause is calculated as interface-MTU less
40 bytes (size of IP header plus maximal IP options size), so for a
PPPoE interface it is 1492 - 40 = 1452. Some sites seem to require clamping
to even smaller values, but there is no rationale for this behaviour.
.SH FILES
/dev/ipnat
.br
/etc/services


@ -1,8 +1,8 @@
.\" $NetBSD: ipnat.8,v 1.4 2002/09/12 06:58:13 jdolecek Exp $
.\" $NetBSD: ipnat.8,v 1.5 2004/03/28 09:00:56 martti Exp $
.\"
.TH IPNAT 8
.SH NAME
ipnat \- user interface to the NAT
ipnat \- user interface to the NAT subsystem
.SH SYNOPSIS
.Nm ipnat
.B ipnat

211
dist/ipf/misc.c vendored

@ -1,211 +0,0 @@
/* $NetBSD: misc.c,v 1.7 2002/05/30 18:10:29 thorpej Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#if (SOLARIS2 >= 7)
# define _SYS_VARARGS_H
# define _VARARGS_H
#endif
#if defined(__STDC__)
# include <stdarg.h>
#else
# include <varargs.h>
#endif
#include <stdio.h>
#include <assert.h>
#include <string.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#else
#include <sys/byteorder.h>
#endif
#include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <net/if.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include "ip_compat.h"
#include <netinet/tcpip.h>
#include "ip_fil.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: misc.c,v 2.2.2.8 2002/04/26 10:24:24 darrenr Exp";
#endif
extern int opts;
void printpacket(ip)
ip_t *ip;
{
tcphdr_t *tcp;
u_short len;
if (ip->ip_v == 4)
len = ntohs(ip->ip_len);
else if (ip->ip_v == 6)
len = ntohs(((u_short *)ip)[2]) + 40;
else
len = 0;
if ((opts & OPT_HEX) == OPT_HEX) {
u_char *s;
int i;
for (s = (u_char *)ip, i = 0; i < len; i++) {
printf("%02x", *s++ & 0xff);
if (len - i > 1) {
i++;
printf("%02x", *s++ & 0xff);
}
if (i + 1 != len)
putchar(' ');
}
putchar('\n');
return;
}
if (ip->ip_v == 6) {
printpacket6(ip);
return;
}
tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
printf("ip %d(%d) %d", ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p);
if (ip->ip_off & IP_OFFMASK)
printf(" @%d", ip->ip_off << 3);
(void)printf(" %s", inet_ntoa(ip->ip_src));
if (!(ip->ip_off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_sport));
(void)printf(" > ");
(void)printf("%s", inet_ntoa(ip->ip_dst));
if (!(ip->ip_off & IP_OFFMASK)) {
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_dport));
if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags)) {
putchar(' ');
if (tcp->th_flags & TH_FIN)
putchar('F');
if (tcp->th_flags & TH_SYN)
putchar('S');
if (tcp->th_flags & TH_RST)
putchar('R');
if (tcp->th_flags & TH_PUSH)
putchar('P');
if (tcp->th_flags & TH_ACK)
putchar('A');
if (tcp->th_flags & TH_URG)
putchar('U');
if (tcp->th_flags & TH_ECN)
putchar('E');
if (tcp->th_flags & TH_CWR)
putchar('C');
}
}
putchar('\n');
}
/*
* This is meant to work without the IPv6 header files being present or
* the inet_ntop() library.
*/
void printpacket6(ip)
ip_t *ip;
{
u_char *buf, p, hops;
u_short plen, *addrs;
tcphdr_t *tcp;
u_32_t flow;
buf = (u_char *)ip;
tcp = (tcphdr_t *)(buf + 40);
p = buf[6];
hops = buf[7];
flow = ntohl(*(u_32_t *)buf);
flow &= 0xfffff;
plen = ntohs(*((u_short *)buf +2));
addrs = (u_short *)buf + 4;
printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_sport));
printf(" >");
addrs += 8;
printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_dport));
putchar('\n');
}
#if defined(__STDC__)
void verbose(char *fmt, ...)
#else
void verbose(fmt, va_alist)
char *fmt;
va_dcl
#endif
{
va_list pvar;
va_start(pvar, fmt);
if (opts & OPT_VERBOSE)
vprintf(fmt, pvar);
va_end(pvar);
}
#ifdef __STDC__
void debug(char *fmt, ...)
#else
void debug(fmt, va_alist)
char *fmt;
va_dcl
#endif
{
va_list pvar;
va_start(pvar, fmt);
if (opts & OPT_DEBUG)
vprintf(fmt, pvar);
va_end(pvar);
}

11
dist/ipf/ml_ipl.c vendored

@ -1,12 +1,9 @@
/* $NetBSD: ml_ipl.c,v 1.3 2002/01/24 08:21:35 martti Exp $ */
/* $NetBSD: ml_ipl.c,v 1.4 2004/03/28 09:00:54 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* responsibility and is not changed in any way.
*
* I hate legaleese, don't you ?
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
@ -37,7 +34,7 @@
extern int iplattach(), iplopen(), iplclose(), iplioctl(), iplread();
extern int nulldev(), iplidentify(), errno;
struct cdevsw ipldevsw =
struct cdevsw ipldevsw =
{
iplopen, iplclose, iplread, nulldev,
iplioctl, nulldev, nulldev, nulldev,
@ -45,7 +42,7 @@ struct cdevsw ipldevsw =
};
struct dev_ops ipl_ops =
struct dev_ops ipl_ops =
{
1,
iplidentify,
@ -65,7 +62,7 @@ struct dev_ops ipl_ops =
int ipl_major = 0;
#ifdef sun4m
struct vdldrv vd =
struct vdldrv vd =
{
VDMAGIC_PSEUDO,
"ipl",

783
dist/ipf/natparse.c vendored

@ -1,783 +0,0 @@
/* $NetBSD: natparse.c,v 1.10 2002/05/30 18:10:30 thorpej Exp $ */
/*
* Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#else
#include <sys/byteorder.h>
#endif
#include <sys/time.h>
#include <sys/param.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
# include <sys/ioccom.h>
# include <sys/sysmacros.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "ipf.h"
#if defined(sun) && !SOLARIS2
# define STRERROR(x) sys_errlist[x]
extern char *sys_errlist[];
#else
# define STRERROR(x) strerror(x)
#endif
#if !defined(lint)
static const char sccsid[] __attribute__((__unused__)) =
"@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] __attribute__((__unused__)) =
"@(#)Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp";
#endif
#if SOLARIS
#define bzero(a,b) memset(a,0,b)
#endif
extern void printnat __P((ipnat_t *, int));
extern int countbits __P((u_32_t));
extern char *proto;
ipnat_t *natparse __P((char *, int));
void natparsefile __P((int, char *, int));
void nat_setgroupmap __P((struct ipnat *));
void nat_setgroupmap(n)
ipnat_t *n;
{
if (n->in_outmsk == n->in_inmsk)
n->in_ippip = 1;
else if (n->in_flags & IPN_AUTOPORTMAP) {
n->in_ippip = ~ntohl(n->in_inmsk);
if (n->in_outmsk != 0xffffffff)
n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
n->in_ippip++;
if (n->in_ippip == 0)
n->in_ippip = 1;
n->in_ppip = USABLE_PORTS / n->in_ippip;
} else {
n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
n->in_nip = 0;
if (!(n->in_ppip = n->in_pmin))
n->in_ppip = 1;
n->in_ippip = USABLE_PORTS / n->in_ppip;
}
}
/*
* Parse a line of input from the ipnat configuration file
*/
ipnat_t *natparse(line, linenum)
char *line;
int linenum;
{
static ipnat_t ipn;
struct protoent *pr;
char *dnetm = NULL, *dport = NULL;
char *s, *t, *cps[31], **cpp;
int i, cnt;
char *port1a = NULL, *port1b = NULL, *port2a = NULL;
proto = NULL;
/*
* Search for end of line and comment marker, advance of leading spaces
*/
if ((s = strchr(line, '\n')))
*s = '\0';
if ((s = strchr(line, '#')))
*s = '\0';
while (*line && isspace(*line))
line++;
if (!*line)
return NULL;
bzero((char *)&ipn, sizeof(ipn));
cnt = 0;
/*
* split line upto into segments.
*/
for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
cps[++i] = strtok(NULL, " \b\t\r\n");
cps[i] = NULL;
if (cnt < 3) {
fprintf(stderr, "%d: not enough segments in line\n", linenum);
return NULL;
}
cpp = cps;
/*
* Check first word is a recognised keyword and then is the interface
*/
if (!strcasecmp(*cpp, "map"))
ipn.in_redir = NAT_MAP;
else if (!strcasecmp(*cpp, "map-block"))
ipn.in_redir = NAT_MAPBLK;
else if (!strcasecmp(*cpp, "rdr"))
ipn.in_redir = NAT_REDIRECT;
else if (!strcasecmp(*cpp, "bimap"))
ipn.in_redir = NAT_BIMAP;
else {
fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
linenum, *cpp);
return NULL;
}
cpp++;
strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
cpp++;
/*
* If the first word after the interface is "from" or is a ! then
* the expanded syntax is being used so parse it differently.
*/
if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
if (!strcmp(*cpp, "!")) {
cpp++;
if (strcasecmp(*cpp, "from")) {
fprintf(stderr, "Missing from after !\n");
return NULL;
}
ipn.in_flags |= IPN_NOTSRC;
} else if (**cpp == '!') {
if (strcasecmp(*cpp + 1, "from")) {
fprintf(stderr, "Missing from after !\n");
return NULL;
}
ipn.in_flags |= IPN_NOTSRC;
}
if ((ipn.in_flags & IPN_NOTSRC) &&
(ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
fprintf(stderr, "Cannot use '! from' with map\n");
return NULL;
}
ipn.in_flags |= IPN_FILTER;
cpp++;
if (ipn.in_redir == NAT_REDIRECT) {
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
&ipn.in_scmp, &ipn.in_stop, linenum)) {
return NULL;
}
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
(u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
&ipn.in_scmp, &ipn.in_stop, linenum)) {
return NULL;
}
}
if (!strcmp(*cpp, "!")) {
cpp++;
ipn.in_flags |= IPN_NOTDST;
} else if (**cpp == '!') {
(*cpp)++;
ipn.in_flags |= IPN_NOTDST;
}
if (strcasecmp(*cpp, "to")) {
fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
linenum, *cpp);
return NULL;
}
if ((ipn.in_flags & IPN_NOTDST) &&
(ipn.in_redir & (NAT_REDIRECT))) {
fprintf(stderr, "Cannot use '! to' with rdr\n");
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: missing host after to\n", linenum);
return NULL;
}
if (ipn.in_redir == NAT_REDIRECT) {
if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
(u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
&ipn.in_dcmp, &ipn.in_dtop, linenum)) {
return NULL;
}
ipn.in_pmin = htons(ipn.in_dport);
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
&ipn.in_dcmp, &ipn.in_dtop, linenum)) {
return NULL;
}
}
} else {
s = *cpp;
if (!s) {
fprintf(stderr, "%d: short line\n", linenum);
return NULL;
}
t = strchr(s, '/');
if (!t) {
fprintf(stderr, "%d: no netmask on LHS\n", linenum);
return NULL;
}
*t++ = '\0';
if (ipn.in_redir == NAT_REDIRECT) {
if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
return NULL;
if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
return NULL;
}
} else {
if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1)
return NULL;
if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
return NULL;
}
}
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: short line\n", linenum);
return NULL;
}
}
/*
* If it is a standard redirect then we expect it to have a port
* match after the hostmask.
*/
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
if (strcasecmp(*cpp, "port")) {
fprintf(stderr, "%d: missing fields - 1st port\n",
linenum);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing fields (destination port)\n",
linenum);
return NULL;
}
if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
*s++ = '\0';
else
s = NULL;
port1a = *cpp++;
if (!strcmp(*cpp, "-")) {
cpp++;
s = *cpp++;
}
if (s)
port1b = s;
else
ipn.in_pmax = ipn.in_pmin;
}
/*
* In the middle of the NAT rule syntax is -> to indicate the
* direction of translation.
*/
if (!*cpp) {
fprintf(stderr, "%d: missing fields (->)\n", linenum);
return NULL;
}
if (strcmp(*cpp, "->")) {
fprintf(stderr, "%d: missing ->\n", linenum);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: missing fields (%s)\n",
linenum, ipn.in_redir ? "destination" : "target");
return NULL;
}
if (ipn.in_redir == NAT_MAP) {
if (!strcasecmp(*cpp, "range")) {
cpp++;
ipn.in_flags |= IPN_IPRANGE;
if (!*cpp) {
fprintf(stderr, "%d: missing fields (%s)\n",
linenum,
ipn.in_redir ? "destination":"target");
return NULL;
}
}
}
if (ipn.in_flags & IPN_IPRANGE) {
dnetm = strrchr(*cpp, '-');
if (dnetm == NULL) {
cpp++;
if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
dnetm = *(cpp + 1);
} else
*dnetm++ = '\0';
if (dnetm == NULL || *dnetm == '\0') {
fprintf(stderr,
"%d: desination range not specified\n",
linenum);
return NULL;
}
} else if (ipn.in_redir != NAT_REDIRECT) {
dnetm = strrchr(*cpp, '/');
if (dnetm == NULL) {
cpp++;
if (*cpp && !strcasecmp(*cpp, "netmask"))
dnetm = *++cpp;
}
if (dnetm == NULL) {
fprintf(stderr,
"%d: missing fields (dest netmask)\n",
linenum);
return NULL;
}
if (*dnetm == '/')
*dnetm++ = '\0';
}
if (ipn.in_redir == NAT_REDIRECT) {
dnetm = strchr(*cpp, ',');
if (dnetm != NULL) {
ipn.in_flags |= IPN_SPLIT;
*dnetm++ = '\0';
}
if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
return NULL;
} else {
if (!strcmp(*cpp, ipn.in_ifname))
*cpp = "0";
if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
return NULL;
}
cpp++;
if (ipn.in_redir & NAT_MAPBLK) {
if (*cpp) {
if (strcasecmp(*cpp, "ports")) {
fprintf(stderr,
"%d: expected \"ports\" - got \"%s\"\n",
linenum, *cpp);
return NULL;
}
cpp++;
if (*cpp == NULL) {
fprintf(stderr,
"%d: missing argument to \"ports\"\n",
linenum);
return NULL;
}
if (!strcasecmp(*cpp, "auto"))
ipn.in_flags |= IPN_AUTOPORTMAP;
else
ipn.in_pmin = atoi(*cpp);
cpp++;
} else
ipn.in_pmin = 0;
} else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
if (*cpp && (strrchr(*cpp, '/') != NULL)) {
fprintf(stderr, "%d: No netmask supported in %s\n",
linenum, "destination host for redirect");
return NULL;
}
if (!*cpp) {
fprintf(stderr, "%d: Missing destination port %s\n",
linenum, "in redirect");
return NULL;
}
/* If it's a in_redir, expect target port */
if (strcasecmp(*cpp, "port")) {
fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
linenum, *cpp);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing fields (destination port)\n",
linenum);
return NULL;
}
port2a = *cpp++;
}
if (dnetm && *dnetm == '/')
*dnetm++ = '\0';
if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
if (ipn.in_flags & IPN_IPRANGE) {
if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
linenum) == -1)
return NULL;
} else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk))
return NULL;
} else {
if (ipn.in_flags & IPN_SPLIT) {
if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
linenum) == -1)
return NULL;
} else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk))
return NULL;
if (!*cpp) {
ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
proto = "tcp";
} else {
proto = *cpp++;
if (!strcasecmp(proto, "tcp"))
ipn.in_flags |= IPN_TCP;
else if (!strcasecmp(proto, "udp"))
ipn.in_flags |= IPN_UDP;
else if (!strcasecmp(proto, "tcp/udp"))
ipn.in_flags |= IPN_TCPUDP;
else if (!strcasecmp(proto, "tcpudp")) {
ipn.in_flags |= IPN_TCPUDP;
proto = "tcp/udp";
} else if (!strcasecmp(proto, "ip"))
ipn.in_flags |= IPN_ANY;
else {
ipn.in_flags |= IPN_ANY;
if ((pr = getprotobyname(proto)))
ipn.in_p = pr->p_proto;
else {
if (!isdigit(*proto)) {
fprintf(stderr,
"%d: Unknown protocol %s\n",
linenum, proto);
return NULL;
} else
ipn.in_p = atoi(proto);
}
}
if ((ipn.in_flags & IPN_TCPUDP) == 0) {
port1a = "0";
port2a = "0";
}
if (*cpp && !strcasecmp(*cpp, "round-robin")) {
cpp++;
ipn.in_flags |= IPN_ROUNDR;
}
if (*cpp && !strcasecmp(*cpp, "frag")) {
cpp++;
ipn.in_flags |= IPN_FRAG;
}
if (*cpp && !strcasecmp(*cpp, "age")) {
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: age with no parameters\n",
linenum);
return NULL;
}
ipn.in_age[0] = atoi(*cpp);
s = index(*cpp, '/');
if (s != NULL)
ipn.in_age[1] = atoi(s + 1);
else
ipn.in_age[1] = ipn.in_age[0];
cpp++;
}
if (*cpp) {
fprintf(stderr,
"%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
return NULL;
}
}
}
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
if (!portnum(port1a, &ipn.in_pmin, linenum))
return NULL;
ipn.in_pmin = htons(ipn.in_pmin);
if (port1b != NULL) {
if (!portnum(port1b, &ipn.in_pmax, linenum))
return NULL;
ipn.in_pmax = htons(ipn.in_pmax);
} else
ipn.in_pmax = ipn.in_pmin;
}
if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
if (!portnum(port2a, &ipn.in_pnext, linenum))
return NULL;
ipn.in_pnext = htons(ipn.in_pnext);
}
if (!(ipn.in_flags & IPN_SPLIT))
ipn.in_inip &= ipn.in_inmsk;
if ((ipn.in_flags & IPN_IPRANGE) == 0)
ipn.in_outip &= ipn.in_outmsk;
ipn.in_srcip &= ipn.in_srcmsk;
if ((ipn.in_redir & NAT_MAPBLK) != 0)
nat_setgroupmap(&ipn);
if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
cpp++;
ipn.in_flags |= IPN_FRAG;
}
if (!*cpp)
return &ipn;
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr,
"%d: extra words at the end of bimap line: %s\n",
linenum, *cpp);
return NULL;
}
if (!strcasecmp(*cpp, "proxy")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use proxy with bimap\n",
linenum);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing parameter for \"proxy\"\n",
linenum);
return NULL;
}
dport = NULL;
if (!strcasecmp(*cpp, "port")) {
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing parameter for \"port\"\n",
linenum);
return NULL;
}
dport = *cpp;
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing parameter for \"proxy\"\n",
linenum);
return NULL;
}
} else {
fprintf(stderr,
"%d: missing keyword \"port\"\n", linenum);
return NULL;
}
if ((proto = index(*cpp, '/'))) {
*proto++ = '\0';
if ((pr = getprotobyname(proto)))
ipn.in_p = pr->p_proto;
else
ipn.in_p = atoi(proto);
} else
ipn.in_p = 0;
if (dport && !portnum(dport, &ipn.in_dport, linenum))
return NULL;
ipn.in_dport = htons(ipn.in_dport);
(void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
cpp++;
} else if (!strcasecmp(*cpp, "portmap")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use portmap with bimap\n",
linenum);
return NULL;
}
cpp++;
if (!*cpp) {
fprintf(stderr,
"%d: missing expression following portmap\n",
linenum);
return NULL;
}
if (!strcasecmp(*cpp, "tcp"))
ipn.in_flags |= IPN_TCP;
else if (!strcasecmp(*cpp, "udp"))
ipn.in_flags |= IPN_UDP;
else if (!strcasecmp(*cpp, "tcpudp"))
ipn.in_flags |= IPN_TCPUDP;
else if (!strcasecmp(*cpp, "tcp/udp"))
ipn.in_flags |= IPN_TCPUDP;
else {
fprintf(stderr,
"%d: expected protocol name - got \"%s\"\n",
linenum, *cpp);
return NULL;
}
proto = *cpp;
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: no port range found\n", linenum);
return NULL;
}
if (!strcasecmp(*cpp, "auto")) {
ipn.in_flags |= IPN_AUTOPORTMAP;
ipn.in_pmin = htons(1024);
ipn.in_pmax = htons(65535);
nat_setgroupmap(&ipn);
cpp++;
} else {
if (!(t = strchr(*cpp, ':'))) {
fprintf(stderr,
"%d: no port range in \"%s\"\n",
linenum, *cpp);
return NULL;
}
*t++ = '\0';
if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
!portnum(t, &ipn.in_pmax, linenum))
return NULL;
ipn.in_pmin = htons(ipn.in_pmin);
ipn.in_pmax = htons(ipn.in_pmax);
cpp++;
}
}
if (*cpp && !strcasecmp(*cpp, "frag")) {
cpp++;
ipn.in_flags |= IPN_FRAG;
}
if (*cpp && !strcasecmp(*cpp, "age")) {
cpp++;
if (!*cpp) {
fprintf(stderr, "%d: age with no parameters\n",
linenum);
return NULL;
}
ipn.in_age[0] = atoi(*cpp);
s = index(*cpp, '/');
if (s != NULL)
ipn.in_age[1] = atoi(s + 1);
else
ipn.in_age[1] = ipn.in_age[0];
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
cpp++;
if (*cpp) {
ipn.in_mssclamp = atoi(*cpp);
cpp++;
}
}
if (*cpp) {
fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
return NULL;
}
return &ipn;
}
void natparsefile(fd, file, opts)
int fd;
char *file;
int opts;
{
char line[512], *s;
ipnat_t *np;
FILE *fp;
int linenum = 0;
if (strcmp(file, "-")) {
if (!(fp = fopen(file, "r"))) {
fprintf(stderr, "%s: open: %s\n", file,
STRERROR(errno));
exit(1);
}
} else
fp = stdin;
while (fgets(line, sizeof(line) - 1, fp)) {
linenum++;
line[sizeof(line) - 1] = '\0';
if ((s = strchr(line, '\n')))
*s = '\0';
if (!(np = natparse(line, linenum))) {
if (*line)
fprintf(stderr, "%d: syntax error in \"%s\"\n",
linenum, line);
} else {
if ((opts & OPT_VERBOSE) && np)
printnat(np, opts);
if (!(opts & OPT_NODO)) {
if (!(opts & OPT_REMOVE)) {
if (ioctl(fd, SIOCADNAT, &np) == -1) {
fprintf(stderr, "%d:",
linenum);
perror("ioctl(SIOCADNAT)");
}
} else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCRMNAT)");
}
}
}
}
if (fp != stdin)
fclose(fp);
}

183
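--- a/dist/ipf/opt.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/* $NetBSD: opt.c,v 1.5 2002/04/09 02:32:53 thorpej Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ipf.h"
-#if !defined(lint)
-static const char sccsid[] __attribute__((__unused__)) =
-"@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: opt.c,v 2.2.2.2 2002/02/22 15:32:56 darrenr Exp";
-#endif
-extern int opts;
-struct ipopt_names ionames[] ={
-{ IPOPT_NOP, 0x000001, 1, "nop" },
-{ IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
-{ IPOPT_ZSU, 0x000004, 3, "zsu" },
-{ IPOPT_MTUP, 0x000008, 3, "mtup" },
-{ IPOPT_MTUR, 0x000010, 3, "mtur" },
-{ IPOPT_ENCODE, 0x000020, 3, "encode" },
-{ IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
-{ IPOPT_TR, 0x000080, 3, "tr" },
-{ IPOPT_SECURITY,0x000100, 11, "sec" },
-{ IPOPT_SECURITY,0x000100, 11, "sec-class" },
-{ IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
-{ IPOPT_E_SEC, 0x000400, 3, "e-sec" },
-{ IPOPT_CIPSO, 0x000800, 3, "cipso" },
-{ IPOPT_SATID, 0x001000, 4, "satid" },
-{ IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
-{ IPOPT_ADDEXT, 0x004000, 3, "addext" },
-{ IPOPT_VISA, 0x008000, 3, "visa" },
-{ IPOPT_IMITD, 0x010000, 3, "imitd" },
-{ IPOPT_EIP, 0x020000, 3, "eip" },
-{ IPOPT_FINN, 0x040000, 3, "finn" },
-{ 0, 0, 0, (char *)NULL } /* must be last */
-};
-struct ipopt_names secclass[] = {
-{ IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
-{ IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
-{ IPSO_CLASS_SECR, 0x04, 0, "secret" },
-{ IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
-{ IPSO_CLASS_CONF, 0x10, 0, "confid" },
-{ IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
-{ IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
-{ IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
-{ 0, 0, 0, NULL } /* must be last */
-};
-static u_char seclevel __P((char *));
-int addipopt __P((char *, struct ipopt_names *, int, char *));
-static u_char seclevel(slevel)
-char *slevel;
-{
-struct ipopt_names *so;
-for (so = secclass; so->on_name; so++)
-if (!strcasecmp(slevel, so->on_name))
-break;
-if (!so->on_name) {
-fprintf(stderr, "no such security level: %s\n", slevel);
-return 0;
-}
-return (u_char)so->on_value;
-}
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
-int olen = len;
-struct in_addr ipadr;
-u_short val;
-u_char lvl;
-char *s;
-if ((len + io->on_siz) > 48) {
-fprintf(stderr, "options too long\n");
-return 0;
-}
-len += io->on_siz;
-*op++ = io->on_value;
-if (io->on_siz > 1) {
-s = op;
-*op++ = io->on_siz;
-*op++ = IPOPT_MINOFF;
-if (class) {
-switch (io->on_value)
-{
-case IPOPT_SECURITY :
-lvl = seclevel(class);
-*(op - 1) = lvl;
-break;
-case IPOPT_LSRR :
-case IPOPT_SSRR :
-ipadr.s_addr = inet_addr(class);
-s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
-bcopy((char *)&ipadr, op, sizeof(ipadr));
-break;
-case IPOPT_SATID :
-val = atoi(class);
-bcopy((char *)&val, op, 2);
-break;
-}
-}
-op += io->on_siz - 3;
-if (len & 3) {
-*op++ = IPOPT_NOP;
-len++;
-}
-}
-if (opts & OPT_DEBUG)
-fprintf(stderr, "bo: %s %d %#x: %d\n",
-io->on_name, io->on_value, io->on_bit, len);
-return len - olen;
-}
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
-struct ipopt_names *io;
-u_32_t msk = 0;
-char *s, *t;
-int inc;
-for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
-if ((t = strchr(s, '=')))
-*t++ = '\0';
-for (io = ionames; io->on_name; io++) {
-if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
-continue;
-if ((inc = addipopt(op, io, len, t))) {
-op += inc;
-len += inc;
-}
-msk |= io->on_bit;
-break;
-}
-if (!io->on_name) {
-fprintf(stderr, "unknown IP option name %s\n", s);
-return 0;
-}
-}
-*op++ = IPOPT_EOL;
-len++;
-return len;
-}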

1431
dist/ipf/parse.c vendored


36
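--- a/dist/ipf/pcap.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* $NetBSD: pcap.h,v 1.3 2002/01/24 08:21:35 martti Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* Id: pcap.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp
-*/
-/*
-* This header file is constructed to match the version described by
-* PCAP_VERSION_MAJ.
-*
-* The structure largely derives from libpcap which wouldn't include
-* nicely without bpf.
-*/
-typedef struct pcap_filehdr {
-u_int pc_id;
-u_short pc_v_maj;
-u_short pc_v_min;
-u_int pc_zone;
-u_int pc_sigfigs;
-u_int pc_slen;
-u_int pc_type;
-} pcaphdr_t;
-#define TCPDUMP_MAGIC 0xa1b2c3d4
-#define PCAP_VERSION_MAJ 2
-typedef struct pcap_pkthdr {
-struct timeval ph_ts;
-u_int ph_clen;
-u_int ph_len;
-} pcappkt_t;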

485
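--- a/dist/ipf/printnat.c
+++ /dev/null
@@ -1,485 +0,0 @@
-/* $NetBSD: printnat.c,v 1.10 2002/09/19 08:11:38 martti Exp $ */
-/*
-* Copyright (C) 1993-2001 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*
-* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-#include "kmem.h"
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-#if !defined(lint)
-static const char rcsid[] __attribute__((__unused__)) =
-"@(#)Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp";
-#endif
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-#ifdef USE_INET6
-extern int use_inet6;
-#endif
-extern char thishost[MAXHOSTNAMELEN];
-extern int countbits __P((u_32_t));
-void printnat __P((ipnat_t *, int));
-char *getnattype __P((ipnat_t *));
-void printactivenat __P((nat_t *, int));
-void printhostmap __P((hostmap_t *, u_int));
-char *getsumd __P((u_32_t));
-static void printaps __P((ap_session_t *, int));
-static void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
-{
-ipsec_pxy_t ipsec;
-ap_session_t ap;
-ftpinfo_t ftp;
-aproxy_t apr;
-raudio_t ra;
-if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
-return;
-if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
-return;
-printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
-apr.apr_p, apr.apr_ref, apr.apr_flags);
-printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
-#ifdef USE_QUAD_T
-printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
-(unsigned long long)ap.aps_pkts);
-#else
-printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
-#endif
-printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
-if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
-printf("\t\tstate[%u,%u], sel[%d,%d]\n",
-ap.aps_state[0], ap.aps_state[1],
-ap.aps_sel[0], ap.aps_sel[1]);
-#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
-(__FreeBSD_version >= 300000) || defined(OpenBSD)
-printf("\t\tseq: off %hd/%hd min %x/%x\n",
-ap.aps_seqoff[0], ap.aps_seqoff[1],
-ap.aps_seqmin[0], ap.aps_seqmin[1]);
-printf("\t\tack: off %hd/%hd min %x/%x\n",
-ap.aps_ackoff[0], ap.aps_ackoff[1],
-ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#else
-printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
-ap.aps_seqoff[0], ap.aps_seqoff[1],
-ap.aps_seqmin[0], ap.aps_seqmin[1]);
-printf("\t\tack: off %hd/%hd min %lx/%lx\n",
-ap.aps_ackoff[0], ap.aps_ackoff[1],
-ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#endif
-}
-if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
-if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
-return;
-printf("\tReal Audio Proxy:\n");
-printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
-ra.rap_seenpna, ra.rap_version, ra.rap_eos);
-printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
-printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
-ra.rap_plport, ra.rap_prport, ra.rap_srport);
-} else if (!strcmp(apr.apr_label, "ftp") &&
-(ap.aps_psiz == sizeof(ftp))) {
-if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
-return;
-printf("\tFTP Proxy:\n");
-printf("\t\tpassok: %d\n", ftp.ftp_passok);
-ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
-ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
-printf("\tClient:\n");
-printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
-ftp.ftp_side[0].ftps_seq[1],
-ftp.ftp_side[0].ftps_seq[0],
-ftp.ftp_side[0].ftps_len,
-ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds);
-printf("\t\tbuf [");
-printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
-printf("]\n\tServer:\n");
-printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
-ftp.ftp_side[1].ftps_seq[1],
-ftp.ftp_side[1].ftps_seq[0],
-ftp.ftp_side[1].ftps_len,
-ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds);
-printf("\t\tbuf [");
-printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
-printf("]\n");
-} else if (!strcmp(apr.apr_label, "ipsec") &&
-(ap.aps_psiz == sizeof(ipsec))) {
-if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
-return;
-printf("\tIPSec Proxy:\n");
-printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
-(u_int)ntohl(ipsec.ipsc_icookie[0]),
-(u_int)ntohl(ipsec.ipsc_icookie[1]),
-(u_int)ntohl(ipsec.ipsc_rcookie[0]),
-(u_int)ntohl(ipsec.ipsc_rcookie[1]),
-ipsec.ipsc_rckset ? "(Set)" : "(Not set)");
-}
-}
-/*
-* Get a nat filter type given its kernel address.
-*/
-char *getnattype(ipnat)
-ipnat_t *ipnat;
-{
-static char unknownbuf[20];
-ipnat_t ipnatbuff;
-char *which;
-if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
-sizeof(ipnatbuff))))
-return "???";
-switch (ipnatbuff.in_redir)
-{
-case NAT_MAP :
-which = "MAP";
-break;
-case NAT_MAPBLK :
-which = "MAP-BLOCK";
-break;
-case NAT_REDIRECT :
-which = "RDR";
-break;
-case NAT_BIMAP :
-which = "BIMAP";
-break;
-default :
-sprintf(unknownbuf, "unknown(%04x)",
-ipnatbuff.in_redir & 0xffffffff);
-which = unknownbuf;
-break;
-}
-return which;
-}
-void printactivenat(nat, opts)
-nat_t *nat;
-int opts;
-{
-u_int hv1, hv2;
-printf("%s %-15s", getnattype(nat->nat_ptr), inet_ntoa(nat->nat_inip));
-if ((nat->nat_flags & IPN_TCPUDP) != 0)
-printf(" %-5hu", ntohs(nat->nat_inport));
-printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
-if ((nat->nat_flags & IPN_TCPUDP) != 0)
-printf(" %-5hu", ntohs(nat->nat_outport));
-printf(" [%s", inet_ntoa(nat->nat_oip));
-if ((nat->nat_flags & IPN_TCPUDP) != 0)
-printf(" %hu", ntohs(nat->nat_oport));
-printf("]");
-if (opts & OPT_VERBOSE) {
-printf("\n\tage %lu use %hu sumd %s/",
-nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0]));
-hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
-0xffffffff),
-hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
-NAT_TABLE_SZ),
-hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
-0xffffffff),
-hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
-NAT_TABLE_SZ),
-printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
-getsumd(nat->nat_sumd[1]), nat->nat_p,
-hv1, hv2, nat->nat_flags,
-nat->nat_drop[0], nat->nat_drop[1]);
-printf("\tifp %s ", getifname(nat->nat_ifp));
-#ifdef USE_QUAD_T
-printf("bytes %qu pkts %qu",
-(unsigned long long)nat->nat_bytes,
-(unsigned long long)nat->nat_pkts);
-#else
-printf("bytes %lu pkts %lu", nat->nat_bytes, nat->nat_pkts);
-#endif
-#if SOLARIS
-printf(" %lx", nat->nat_ipsumd);
-#endif
-}
-putchar('\n');
-if (nat->nat_aps)
-printaps(nat->nat_aps, opts);
-}
-void printhostmap(hmp, hv)
-hostmap_t *hmp;
-u_int hv;
-{
-printf("%s -> ", inet_ntoa(hmp->hm_realip));
-printf("%s ", inet_ntoa(hmp->hm_mapip));
-printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
-}
-char *getsumd(sum)
-u_32_t sum;
-{
-static char sumdbuf[17];
-if (sum & NAT_HW_CKSUM)
-sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
-else
-sprintf(sumdbuf, "%#0x", sum);
-return sumdbuf;
-}
-/*
-* Print out a NAT rule
-*/
-void printnat(np, opts)
-ipnat_t *np;
-int opts;
-{
-struct protoent *pr;
-struct servent *sv;
-int bits;
-pr = getprotobynumber(np->in_p);
-switch (np->in_redir)
-{
-case NAT_REDIRECT :
-printf("rdr");
-break;
-case NAT_MAP :
-printf("map");
-break;
-case NAT_MAPBLK :
-printf("map-block");
-break;
-case NAT_BIMAP :
-printf("bimap");
-break;
-default :
-fprintf(stderr, "unknown value for in_redir: %#x\n",
-np->in_redir);
-break;
-}
-printf(" %s ", np->in_ifname);
-if (np->in_flags & IPN_FILTER) {
-if (np->in_flags & IPN_NOTSRC)
-printf("! ");
-printf("from ");
-if (np->in_redir == NAT_REDIRECT) {
-printhostmask(4, (u_32_t *)&np->in_srcip,
-(u_32_t *)&np->in_srcmsk);
-} else {
-printhostmask(4, (u_32_t *)&np->in_inip,
-(u_32_t *)&np->in_inmsk);
-}
-if (np->in_scmp)
-printportcmp(np->in_p, &np->in_tuc.ftu_src);
-if (np->in_flags & IPN_NOTDST)
-printf(" !");
-printf(" to ");
-if (np->in_redir == NAT_REDIRECT) {
-printhostmask(4, (u_32_t *)&np->in_outip,
-(u_32_t *)&np->in_outmsk);
-} else {
-printhostmask(4, (u_32_t *)&np->in_srcip,
-(u_32_t *)&np->in_srcmsk);
-}
-if (np->in_dcmp)
-printportcmp(np->in_p, &np->in_tuc.ftu_dst);
-}
-if (np->in_redir == NAT_REDIRECT) {
-if (!(np->in_flags & IPN_FILTER)) {
-printf("%s", inet_ntoa(np->in_out[0]));
-bits = countbits(np->in_out[1].s_addr);
-if (bits != -1)
-printf("/%d ", bits);
-else
-printf("/%s ", inet_ntoa(np->in_out[1]));
-printf("port %d", ntohs(np->in_pmin));
-if (np->in_pmax != np->in_pmin)
-printf("- %d", ntohs(np->in_pmax));
-}
-printf(" -> %s", inet_ntoa(np->in_in[0]));
-if (np->in_flags & IPN_SPLIT)
-printf(",%s", inet_ntoa(np->in_in[1]));
-printf(" port %d", ntohs(np->in_pnext));
-if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
-printf(" tcp/udp");
-else if ((np->in_flags & IPN_TCP) == IPN_TCP)
-printf(" tcp");
-else if ((np->in_flags & IPN_UDP) == IPN_UDP)
-printf(" udp");
-else if (np->in_p == 0)
-printf(" ip");
-else if (np->in_p != 0) {
-if (pr != NULL)
-printf(" %s", pr->p_name);
-else
-printf(" %d", np->in_p);
-}
-if (np->in_flags & IPN_ROUNDR)
-printf(" round-robin");
-if (np->in_flags & IPN_FRAG)
-printf(" frag");
-if (np->in_age[0])
-printf(" age %d/%d", np->in_age[0], np->in_age[1]);
-printf("\n");
-if (opts & OPT_DEBUG)
-printf("\tspc %lu flg %#x max %u use %d\n",
-np->in_space, np->in_flags,
-np->in_pmax, np->in_use);
-} else {
-np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
-if (!(np->in_flags & IPN_FILTER)) {
-printf("%s/", inet_ntoa(np->in_in[0]));
-bits = countbits(np->in_in[1].s_addr);
-if (bits != -1)
-printf("%d", bits);
-else
-printf("%s", inet_ntoa(np->in_in[1]));
-}
-printf(" -> ");
-if (np->in_flags & IPN_IPRANGE) {
-printf("range %s-", inet_ntoa(np->in_out[0]));
-printf("%s", inet_ntoa(np->in_out[1]));
-} else {
-printf("%s/", inet_ntoa(np->in_out[0]));
-bits = countbits(np->in_out[1].s_addr);
-if (bits != -1)
-printf("%d", bits);
-else
-printf("%s", inet_ntoa(np->in_out[1]));
-}
-if (*np->in_plabel) {
-printf(" proxy port");
-if (np->in_dport != 0) {
-if (pr != NULL)
-sv = getservbyport(np->in_dport,
-pr->p_name);
-else
-sv = getservbyport(np->in_dport, NULL);
-if (sv != NULL)
-printf(" %s", sv->s_name);
-else
-printf(" %hu", ntohs(np->in_dport));
-}
-printf(" %.*s/", (int)sizeof(np->in_plabel),
-np->in_plabel);
-if (pr != NULL)
-fputs(pr->p_name, stdout);
-else
-printf("%d", np->in_p);
-} else if (np->in_redir == NAT_MAPBLK) {
-if ((np->in_pmin == 0) &&
-(np->in_flags & IPN_AUTOPORTMAP))
-printf(" ports auto");
-else
-printf(" ports %d", np->in_pmin);
-if (opts & OPT_DEBUG)
-printf("\n\tip modulous %d", np->in_pmax);
-} else if (np->in_pmin || np->in_pmax) {
-printf(" portmap");
-if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
-printf(" tcp/udp");
-else if (np->in_flags & IPN_TCP)
-printf(" tcp");
-else if (np->in_flags & IPN_UDP)
-printf(" udp");
-if (np->in_flags & IPN_AUTOPORTMAP) {
-printf(" auto");
-if (opts & OPT_DEBUG)
-printf(" [%d:%d %d %d]",
-ntohs(np->in_pmin),
-ntohs(np->in_pmax),
-np->in_ippip, np->in_ppip);
-} else {
-printf(" %d:%d", ntohs(np->in_pmin),
-ntohs(np->in_pmax));
-}
-}
-if (np->in_flags & IPN_FRAG)
-printf(" frag");
-if (np->in_mssclamp)
-printf(" mssclamp %u", (unsigned)np->in_mssclamp);
-if (np->in_age[0])
-printf(" age %d/%d", np->in_age[0], np->in_age[1]);
-printf("\n");
-if (opts & OPT_DEBUG) {
-printf("\tspace %lu nextip %s pnext %d", np->in_space,
-inet_ntoa(np->in_nextip), np->in_pnext);
-printf(" flags %x use %u\n",
-np->in_flags, np->in_use);
-}
-}
-}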

149
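--- a/dist/ipf/printstate.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* $NetBSD: printstate.c,v 1.3 2002/05/02 17:11:38 martti Exp $ */
-/*
-* Copyright (C) 2002 by Darren Reed.
-*
-* See the IPFILTER.LICENCE file for details on licencing.
-*/
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <stdio.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include "kmem.h"
-#include "netinet/ip_compat.h"
-#include "ipf.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ipstate_t *printstate(sp, opts)
-ipstate_t *sp;
-int opts;
-{
-ipstate_t ips;
-if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips)))
-return NULL;
-PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
-PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
-hostname(ips.is_v, &ips.is_dst.in4),
-ips.is_age, ips.is_pass, ips.is_p,
-ips.is_state[0], ips.is_state[1]);
-#ifdef USE_QUAD_T
-PRINTF("\tpkts %qu bytes %qu", (unsigned long long) ips.is_pkts,
-(unsigned long long) ips.is_bytes);
-#else
-PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
-#endif
-if (ips.is_p == IPPROTO_TCP)
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
-(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
-PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d",
-ntohs(ips.is_sport), ntohs(ips.is_dport),
-ips.is_send, ips.is_dend,
-ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
-ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
-#else
-PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d",
-ntohs(ips.is_sport), ntohs(ips.is_dport),
-ips.is_send, ips.is_dend,
-ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
-ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
-#endif
-else if (ips.is_p == IPPROTO_UDP)
-PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
-ntohs(ips.is_dport));
-else if (ips.is_p == IPPROTO_ICMP
-#ifdef USE_INET6
-|| ips.is_p == IPPROTO_ICMPV6
-#endif
-)
-PRINTF(" id %hu seq %hu type %d", ntohs(ips.is_icmp.ics_id),
-ntohs(ips.is_icmp.ics_seq), ips.is_icmp.ics_type);
-PRINTF("\n\t");
-/*
-* Print out bits set in the result code for the state being
-* kept as they would for a rule.
-*/
-if (ips.is_pass & FR_PASS) {
-PRINTF("pass");
-} else if (ips.is_pass & FR_BLOCK) {
-PRINTF("block");
-switch (ips.is_pass & FR_RETMASK)
-{
-case FR_RETICMP :
-PRINTF(" return-icmp");
-break;
-case FR_FAKEICMP :
-PRINTF(" return-icmp-as-dest");
-break;
-case FR_RETRST :
-PRINTF(" return-rst");
-break;
-default :
-break;
-}
-} else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
-PRINTF("log");
-if (ips.is_pass & FR_LOGBODY)
-PRINTF(" body");
-if (ips.is_pass & FR_LOGFIRST)
-PRINTF(" first");
-} else if (ips.is_pass & FR_ACCOUNT)
-PRINTF("count");
-if (ips.is_pass & FR_OUTQUE)
-PRINTF(" out");
-else
-PRINTF(" in");
-if ((ips.is_pass & FR_LOG) != 0) {
-PRINTF(" log");
-if (ips.is_pass & FR_LOGBODY)
-PRINTF(" body");
-if (ips.is_pass & FR_LOGFIRST)
-PRINTF(" first");
-if (ips.is_pass & FR_LOGORBLOCK)
-PRINTF(" or-block");
-}
-if (ips.is_pass & FR_QUICK)
-PRINTF(" quick");
-if (ips.is_pass & FR_KEEPFRAG)
-PRINTF(" keep frags");
-/* a given; no? */
-if (ips.is_pass & FR_KEEPSTATE)
-PRINTF(" keep state");
-PRINTF("\tIPv%d", ips.is_v);
-PRINTF("\n");
-PRINTF("\tpkt_flags & %x(%x) = %x,\t",
-ips.is_flags & 0xf, ips.is_flags,
-ips.is_flags >> 4);
-PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
-ips.is_opt);
-PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
-ips.is_secmsk, ips.is_sec, ips.is_authmsk,
-ips.is_auth);
-PRINTF("\tinterfaces: in %s", getifname(ips.is_ifp[0]));
-PRINTF(",%s", getifname(ips.is_ifp[1]));
-PRINTF(" out %s", getifname(ips.is_ifp[2]));
-PRINTF(",%s\n", getifname(ips.is_ifp[3]));
-return ips.is_next;
-}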

222
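--- a/dist/ipf/relay.c
+++ /dev/null
@@ -1,222 +0,0 @@
-/* $NetBSD: relay.c,v 1.6 2002/09/29 08:19:16 martti Exp $ */
-/*
-* Sample program to be used as a transparent proxy.
-*
-* Must be executed with permission enough to do an ioctl on /dev/ipl
-* or equivalent. This is just a sample and is only alpha quality.
-* - Darren Reed (8 April 1996)
-*/
-#include <unistd.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/errno.h>
-#include <sys/syslog.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include <sys/socket.h>
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)
-# include <poll.h>
-# define USE_POLL
-#endif
-#include "ip_nat.h"
-#define RELAY_BUFSZ 8192
-char ibuff[RELAY_BUFSZ];
-char obuff[RELAY_BUFSZ];
-int relay(ifd, ofd, rfd)
-int ifd, ofd, rfd;
-{
-char *irh, *irt, *rrh, *rrt;
-char *iwh, *iwt, *rwh, *rwt;
-int nfd, n, rw;
-#ifdef USE_POLL
-struct pollfd set[3];
-#else
-fd_set rfds, wfds;
-#endif
-irh = irt = ibuff;
-iwh = iwt = obuff;
-nfd = ifd;
-if (nfd < ofd)
-nfd = ofd;
-if (nfd < rfd)
-nfd = rfd;
-#ifdef USE_POLL
-set[0].fd = rfd;
-set[1].fd = ifd;
-set[2].fd = ofd;
-#endif
-while (1) {
-#ifdef USE_POLL
-set[0].events = (iwh < (obuff + RELAY_BUFSZ) ? POLLIN : 0) |
-(irh > irt ? POLLOUT : 0);
-set[1].events = (irh < (ibuff + RELAY_BUFSZ) ? POLLIN : 0);
-set[2].events = (iwh > iwt ? POLLOUT : 0);
-#else
-FD_ZERO(&rfds);
-FD_ZERO(&wfds);
-if (irh > irt)
-FD_SET(rfd, &wfds);
-if (irh < (ibuff + RELAY_BUFSZ))
-FD_SET(ifd, &rfds);
-if (iwh > iwt)
-FD_SET(ofd, &wfds);
-if (iwh < (obuff + RELAY_BUFSZ))
-FD_SET(rfd, &rfds);
-#endif
-#ifdef USE_POLL
-switch ((n = poll(set, 3, INFTIM)))
-#else
-switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL)))
-#endif
-{
-case -1 :
-case 0 :
-return -1;
-default :
-#ifdef USE_POLL
-if (set[1].revents & POLLIN) {
-#else
-if (FD_ISSET(ifd, &rfds)) {
-#endif
-rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh);
-if (rw == -1)
-return -1;
-if (rw == 0)
-return 0;
-irh += rw;
-}
-#ifdef USE_POLL
-if (set[2].revents & POLLOUT) {
-#else
-if (FD_ISSET(ofd, &wfds)) {
-#endif
-rw = write(ofd, iwt, iwh - iwt);
-if (rw == -1)
-return -1;
-iwt += rw;
-}
-#ifdef USE_POLL
-if (set[0].revents & POLLIN) {
-#else
-if (FD_ISSET(rfd, &rfds)) {
-#endif
-rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh);
-if (rw == -1)
-return -1;
-if (rw == 0)
-return 0;
-iwh += rw;
-}
-#ifdef USE_POLL
-if (set[0].revents & POLLOUT) {
-#else
-if (FD_ISSET(rfd, &wfds)) {
-#endif
-rw = write(rfd, irt, irh - irt);
-if (rw == -1)
-return -1;
-irt += rw;
-}
-if (irh == irt)
-irh = irt = ibuff;
-if (iwh == iwt)
-iwh = iwt = obuff;
-}
-}
-}
-main(argc, argv)
-int argc;
-char *argv[];
-{
-struct sockaddr_in sin;
-natlookup_t nl;
-natlookup_t *nlp = &nl;
-int fd, sl = sizeof(sl), se;
-openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
-if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) {
-se = errno;
-perror("open");
-errno = se;
-syslog(LOG_ERR, "open: %m\n");
-exit(-1);
-}
-bzero(&nl, sizeof(nl));
-nl.nl_flags = IPN_TCP;
-bzero(&sin, sizeof(sin));
-sin.sin_family = AF_INET;
-sl = sizeof(sin);
-if (getsockname(0, (struct sockaddr *)&sin, &sl) == -1) {
-se = errno;
-perror("getsockname");
-errno = se;
-syslog(LOG_ERR, "getsockname: %m\n");
-exit(-1);
-} else {
-nl.nl_inip.s_addr = sin.sin_addr.s_addr;
-nl.nl_inport = sin.sin_port;
-}
-bzero(&sin, sizeof(sin));
-sin.sin_family = AF_INET;
-sl = sizeof(sin);
-if (getpeername(0, (struct sockaddr *)&sin, &sl) == -1) {
-se = errno;
-perror("getpeername");
-errno = se;
-syslog(LOG_ERR, "getpeername: %m\n");
-exit(-1);
-} else {
-nl.nl_outip.s_addr = sin.sin_addr.s_addr;
-nl.nl_outport = sin.sin_port;
-}
-if (ioctl(fd, SIOCGNATL, &nlp) == -1) {
-se = errno;
-perror("ioctl");
-errno = se;
-syslog(LOG_ERR, "ioctl: %m\n");
-exit(-1);
-}
-sin.sin_port = nl.nl_realport;
-sin.sin_addr = nl.nl_realip;
-sl = sizeof(sin);
-fd = socket(AF_INET, SOCK_STREAM, 0);
-if (connect(fd, (struct sockaddr *)&sin, sl) == -1) {
-se = errno;
-perror("connect");
-errno = se;
-syslog(LOG_ERR, "connect: %m\n");
-exit(-1);
-}
-(void) ioctl(fd, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
-(void) ioctl(0, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
-(void) ioctl(1, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
-syslog(LOG_NOTICE, "connected to %s,%d\n", inet_ntoa(sin.sin_addr),
-ntohs(sin.sin_port));
-if (relay(0, 1, fd) == -1) {
-se = errno;
-perror("relay");
-errno = se;
-syslog(LOG_ERR, "relay: %m\n");
-exit(-1);
-}
-exit(0);
-}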


@ -11,14 +11,16 @@ all:
@echo "make sunos5"
sunos5:
$(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
-I.. userauth.c -o userauth -lsocket -lnsl
$(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
-I.. proxy.c -o proxy -lsocket -lnsl
$(CC) -I.. userauth.c -o userauth -lsocket -lnsl
$(CC) -I.. proxy.c -o proxy -lsocket -lnsl
$(CC) -I.. relay.c -o relay -lsocket -lnsl
$(CC) -I.. trans_relay.c -o trans_relay -lsocket -lnsl
freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd:
$(CC) -I.. userauth.c -o userauth
$(CC) -I.. proxy.c -o proxy
$(CC) -I.. relay.c -o relay
$(CC) -I.. trans_relay.c -o trans_relay
clean:
/bin/rm -f userauth proxy
/bin/rm -f userauth proxy relay trans_relay


@ -1,4 +1,4 @@
/* $NetBSD: userauth.c,v 1.3 2001/03/26 06:11:48 mike Exp $ */
/* $NetBSD: userauth.c,v 1.4 2004/03/28 09:00:56 martti Exp $ */
#include <sys/types.h>
#include <sys/socket.h>
@ -23,7 +23,9 @@ main()
char yn[16];
int fd;
fd = open(IPL_AUTH, O_RDWR);
fd = open(IPL_NAME, O_RDWR);
fra.fra_len = 0;
fra.fra_buf = NULL;
while (ioctl(fd, SIOCAUTHW, &frap) == 0) {
if (fra.fra_info.fin_out)
fra.fra_pass = FR_OUTQUE;
@ -31,10 +33,10 @@ main()
fra.fra_pass = FR_INQUE;
printf("%s ", inet_ntoa(fi->fi_src));
if (fi->fi_fl & FI_TCPUDP)
if (fi->fi_flx & FI_TCPUDP)
printf("port %d ", fin->fin_data[0]);
printf("-> %s ", inet_ntoa(fi->fi_dst));
if (fi->fi_fl & FI_TCPUDP)
if (fi->fi_flx & FI_TCPUDP)
printf("port %d ", fin->fin_data[1]);
printf("\n");
printf("Allow packet through ? [y/n]");
@ -46,7 +48,7 @@ main()
fra.fra_pass |= FR_BLOCK;
else if (yn[0] == 'y' || yn[0] == 'Y') {
fra.fra_pass |= FR_PASS;
if (fra.fra_info.fin_fi.fi_fl & FI_TCPUDP)
if (fra.fra_info.fin_fi.fi_flx & FI_TCPUDP)
fra.fra_pass |= FR_KEEPSTATE;
} else
fra.fra_pass |= FR_NOMATCH;
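Review bot: The descriptor returned by the new `fd = open(IPL_NAME, O_RDWR);` is still never checked, so when the device node is absent or the caller lacks the privilege to open it, the `while (ioctl(fd, SIOCAUTHW, &frap) == 0)` loop fails immediately on an invalid descriptor and the program exits silently, as if there had been nothing to authorize. Since this sample is the thing deciding whether held packets are passed or blocked, that failure should be loud: `if (fd == -1) { perror(IPL_NAME); exit(1); }` directly after the open (adding `<stdlib.h>` if the file does not already include it). The added `fra.fra_len = 0; fra.fra_buf = NULL;` initialisation is fine as far as the hunk shows, but `fra` is declared outside it, so whether the rest of the struct is zeroed cannot be confirmed here. main()'s body starts and ends outside the hunk.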

4
dist/ipf/snoop.h vendored

@ -1,4 +1,4 @@
/* $NetBSD: snoop.h,v 1.3 2002/01/24 08:21:36 martti Exp $ */
/* $NetBSD: snoop.h,v 1.4 2004/03/28 09:00:54 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -11,7 +11,7 @@
/*
* written to comply with the RFC (1761) from Sun.
* Id: snoop.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp
* Id: snoop.h,v 2.3 2001/06/09 17:09:23 darrenr Exp
*/
struct snoophdr {
char s_id[8];

46
dist/ipf/todo vendored

@ -7,9 +7,14 @@ fastroute works
GENERAL:
--------
* support redirection like "rdr tun0 0/32 port 80 ..."
* use fr_tcpstate() with NAT code for increased NAT usage security or even
fr_checkstate() - suspect this is not possible.
* add another alias for <thishost> for interfaces <thisif>? as well as
all IP#'s associated with the box <myaddrs>?
time permitting:
* load balancing across interfaces
@ -17,21 +22,13 @@ time permitting:
* record buffering for TCP/UDP
* modular application proxying
available
-done
* allow multiple ip addresses in a source route list for ipsend
* complete Linux port to implement all the IP Filter features
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
on hold until rewrite
* port IP Filter to Linux
Not in this century.
* add a flag to automate src spoofing
done
* ipfsync() should change IP#'s in current mappings as well as what's
in rules.
done
* document bimap
* document NAT rule order processing
@ -43,22 +40,23 @@ in progress
XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
traffic priorization) should be *TOP* in the TO DO list.
* irc proxy for dcc
* Bandwidth limiting!!!
maybe for solaris, otherwise "ALTQ"
* More examples
* More documentation
* And did I mention bandwidth limiting???
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.
- done
I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
-sort of done
* intrusion detection
detection of port scans
@ -76,23 +74,25 @@ the userland ipnat?)
large packets of garbage or other packets to
otherwise confuse the intruder (ping of death?)
* I ran into your solaris streams stuff and noticed you are
playing with mblk's in an unsafe way. You seem to be modifying the
underlying datab without checking db_ref. If db_ref is greater than one,
you'll need to copy the mblk,
- fixed
* fix up where manual pages go for Solaris2
IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation
BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
fixed.
Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
are routines in the Tru64 kernel to do this but what is the interface?)
does bimap allow equal sized subnets?
make return-icmp 'intelligent' if no type is given about what type to use?
reply-to - enforce packets to pass through interfaces in particular
combinations - opposite to "to", set reverse path interface


@ -1,9 +1,10 @@
/* $NetBSD: mln_ipl.c,v 1.32 2003/06/29 22:31:37 fvdl Exp $ */
/* $NetBSD: mln_ipl.c,v 1.33 2004/03/28 09:00:57 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
@ -11,7 +12,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: mln_ipl.c,v 1.32 2003/06/29 22:31:37 fvdl Exp $");
__KERNEL_RCSID(0, "$NetBSD: mln_ipl.c,v 1.33 2004/03/28 09:00:57 martti Exp $");
#include <sys/param.h>
@ -58,29 +59,29 @@ __KERNEL_RCSID(0, "$NetBSD: mln_ipl.c,v 1.32 2003/06/29 22:31:37 fvdl Exp $");
#define VOP_LEASE LEASE_CHECK
#endif
extern int lkmenodev __P((void));
#if NetBSD >= 199706
int if_ipl_lkmentry __P((struct lkm_table *, int, int));
#else
#if defined(OpenBSD)
int if_ipl __P((struct lkm_table *, int, int));
#else
int xxxinit __P((struct lkm_table *, int, int));
#endif
#endif
static int ipl_unload __P((void));
static int ipl_load __P((void));
static int ipl_remove __P((void));
static int iplaction __P((struct lkm_table *, int));
static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
NULL };
static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
IPLOOKUP_NAME, NULL };
#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
# if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
extern const struct cdevsw ipl_cdevsw;
#else
struct cdevsw ipldevsw =
# else
struct cdevsw ipldevsw =
{
iplopen, /* open */
iplclose, /* close */
@ -93,9 +94,9 @@ struct cdevsw ipldevsw =
0, /* mmap */
NULL /* strategy */
};
#endif
# endif
#else
struct cdevsw ipldevsw =
struct cdevsw ipldevsw =
{
iplopen, /* open */
iplclose, /* close */
@ -103,9 +104,7 @@ struct cdevsw ipldevsw =
(void *)nullop, /* write */
iplioctl, /* ioctl */
(void *)nullop, /* stop */
#ifndef OpenBSD
(void *)nullop, /* reset */
#endif
(void *)NULL, /* tty */
(void *)nullop, /* select */
(void *)nullop, /* mmap */
@ -128,21 +127,14 @@ extern int nchrdev;
#if NetBSD >= 199706
int if_ipl_lkmentry(lkmtp, cmd, ver)
#else
#if defined(OpenBSD)
int if_ipl(lkmtp, cmd, ver)
#else
int xxxinit(lkmtp, cmd, ver)
#endif
#endif
struct lkm_table *lkmtp;
int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
#ifdef OpenBSD
int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
#endif
static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
@ -210,16 +202,19 @@ static int ipl_remove()
int error, i;
for (i = 0; (name = ipf_devfiles[i]); i++) {
#if (__NetBSD_Version__ > 106009999)
NDINIT(&nd, DELETE, LOCKPARENT|LOCKLEAF, UIO_SYSSPACE,
name, curproc);
#else
NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
#endif
if ((error = namei(&nd)))
return (error);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
#ifdef OpenBSD
VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc);
#else
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
#if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000)
vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
#endif
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
}
return 0;
@ -234,10 +229,16 @@ static int ipl_unload()
* Unloading - remove the filter rule check from the IP
* input/output stream.
*/
error = ipl_disable();
if (fr_refcnt)
error = EBUSY;
else if (fr_running >= 0)
error = ipldetach();
if (!error)
if (error == 0) {
fr_running = -2;
error = ipl_remove();
printf("%s unloaded\n", ipfilter_version);
}
return error;
}
@ -256,14 +257,12 @@ static int ipl_load()
*/
(void)ipl_remove();
error = ipl_enable();
if (error)
return error;
error = iplattach();
for (i = 0; (name = ipf_devfiles[i]); i++) {
for (i = 0; (error == 0) && (name = ipf_devfiles[i]); i++) {
NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
if ((error = namei(&nd)))
return error;
break;
if (nd.ni_vp != NULL) {
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
if (nd.ni_dvp == nd.ni_vp)
@ -271,7 +270,8 @@ static int ipl_load()
else
vput(nd.ni_dvp);
vrele(nd.ni_vp);
return (EEXIST);
error = EEXIST;
break;
}
VATTR_NULL(&vattr);
vattr.va_type = VCHR;
@ -279,9 +279,34 @@ static int ipl_load()
vattr.va_rdev = (ipl_major << 8) | i;
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
if (error)
return error;
vput(nd.ni_vp);
if (error == 0)
vput(nd.ni_vp);
}
if (error == 0) {
char *defpass;
if (FR_ISPASS(fr_pass))
defpass = "pass";
else if (FR_ISBLOCK(fr_pass))
defpass = "block";
else
defpass = "no-match -> block";
printf("%s initialized. Default = %s all, Logging = %s%s\n",
ipfilter_version, defpass,
#ifdef IPFILTER_LOG
"enabled",
#else
"disabled",
#endif
#ifdef IPFILTER_COMPILED
" (COMPILED)"
#else
""
#endif
);
fr_running = 1;
}
return error;
}
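Review bot: In ipl_load(), every failure after `error = iplattach();` has succeeded now just breaks out of the device-node loop and returns, so the filter stays attached (and any nodes already created remain) while the load reports an error and `fr_running` is never set to 1; the failure path should undo the attach, e.g. `if (error != 0) { (void) ipldetach(); (void) ipl_remove(); }` before `return error;`, mirroring what ipl_unload() does. In ipl_unload(), the new `if (fr_refcnt) error = EBUSY; else if (fr_running >= 0) error = ipldetach();` chain leaves `error` untouched when neither branch is taken, so the following `if (error == 0)` depends on `error` being initialised at its declaration, which is outside this hunk — worth confirming, or adding `error = 0;` ahead of the chain. The `ipf_devfiles` table is only ever read and could be `static const char *ipf_devfiles[]`. Both ipl_load() and ipl_unload() begin outside their hunks.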



@ -1,41 +1,49 @@
/* $NetBSD: ip_auth.c,v 1.32 2003/08/22 21:53:03 itojun Exp $ */
/* $NetBSD: ip_auth.c,v 1.33 2004/03/28 09:00:56 martti Exp $ */
/*
* Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
* Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
# include <sys/ptimers.h>
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
#if !defined(_KERNEL) && !defined(KERNEL)
#if !defined(_KERNEL)
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#endif
#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
#ifndef linux
#if !defined(linux)
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
#if defined(_KERNEL)
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
# ifndef linux
# if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
# include <sys/mbuf.h>
# endif
#else
#endif
#if defined(__SVR4) || defined(__svr4__)
# include <sys/filio.h>
# include <sys/byteorder.h>
# ifdef _KERNEL
@ -50,6 +58,9 @@
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
# include <machine/cpu.h>
#endif
#if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
# include <sys/proc.h>
#endif
#include <net/if.h>
#ifdef sun
# include <net/af.h>
@ -58,28 +69,29 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef KERNEL
#if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
# define KERNEL
# define _KERNEL
# define NOT_KERNEL
#endif
#ifndef linux
#if !defined(linux)
# include <netinet/ip_var.h>
#endif
#ifdef NOT_KERNEL
# undef _KERNEL
# undef KERNEL
#endif
#ifdef __sgi
# ifdef IFF_DRVRLOCK /* IRIX6 */
# include <sys/hashing.h>
# endif
#endif
#include <netinet/tcp.h>
#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
#if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
extern struct ifqueue ipintrq; /* ip packet input queue */
#else
# ifndef linux
# if !defined(__hpux) && !defined(linux)
# if __FreeBSD_version >= 300000
# include <net/if_var.h>
# if __FreeBSD_version >= 500042
# define IF_QFULL _IF_QFULL
# define IF_DROP _IF_DROP
# endif /* __FreeBSD_version >= 500042 */
# endif
# include <netinet/in_var.h>
# include <netinet/tcp_fsm.h>
@ -91,7 +103,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_auth.h"
#if !SOLARIS && !defined(linux)
#if !defined(MENTAT) && !defined(linux)
# include <net/netisr.h>
# ifdef __FreeBSD__
# include <machine/cpufunc.h>
@ -99,63 +111,94 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
#endif
/* END OF INCLUDES */
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.32 2003/08/22 21:53:03 itojun Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.33 2004/03/28 09:00:56 martti Exp $");
#else
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73 2004/02/11 14:18:14 darrenr Exp";
#endif
#endif
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern KRWLOCK_T ipf_auth, ipf_mutex;
extern kmutex_t ipf_authmx;
# if SOLARIS
#if SOLARIS
extern kcondvar_t ipfauthwait;
# endif
#endif
#ifdef linux
static struct wait_queue *ipfauthwait = NULL;
#endif /* SOLARIS */
#if defined(linux) && defined(_KERNEL)
wait_queue_head_t fr_authnext_linux;
#endif
int fr_authsize = FR_NUMAUTH;
int fr_authused = 0;
int fr_defaultauthage = 600;
int fr_auth_lock = 0;
int fr_auth_init = 0;
fr_authstat_t fr_authstats;
static frauth_t fr_auth[FR_NUMAUTH];
mb_t *fr_authpkts[FR_NUMAUTH];
static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
static frauthent_t *fae_list = NULL;
static frauth_t *fr_auth = NULL;
mb_t **fr_authpkts = NULL;
int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
frauthent_t *fae_list = NULL;
frentry_t *ipauth = NULL,
*fr_authlist = NULL;
int fr_authinit()
{
KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth));
if (fr_auth != NULL)
bzero((char *)fr_auth, fr_authsize * sizeof(*fr_auth));
else
return -1;
KMALLOCS(fr_authpkts, mb_t **, fr_authsize * sizeof(*fr_authpkts));
if (fr_authpkts != NULL)
bzero((char *)fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
else
return -1;
MUTEX_INIT(&ipf_authmx, "ipf auth log mutex");
RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock");
#if SOLARIS && defined(_KERNEL)
cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
#endif
#if defined(linux) && defined(_KERNEL)
init_waitqueue_head(&fr_authnext_linux);
#endif
fr_auth_init = 1;
return 0;
}
/*
* Check if a packet has authorization. If the packet is found to match an
* authorization result and that would result in a feedback loop (i.e. it
* will end up returning FR_AUTH) then return FR_BLOCK instead.
*/
u_32_t fr_checkauth(ip, fin)
ip_t *ip;
frentry_t *fr_checkauth(fin, passp)
fr_info_t *fin;
u_32_t *passp;
{
u_short id = ip->ip_id;
frentry_t *fr;
frauth_t *fra;
u_32_t pass;
u_short id;
ip_t *ip;
int i;
if (fr_auth_lock || !fr_authused)
return 0;
return NULL;
ip = fin->fin_ip;
id = ip->ip_id;
READ_ENTER(&ipf_auth);
for (i = fr_authstart; i != fr_authend; ) {
@ -170,7 +213,7 @@ fr_info_t *fin;
/*
* Avoid feedback loop.
*/
if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass)))
pass = FR_BLOCK;
/*
* Create a dummy rule for the stateful checking to
@ -178,26 +221,26 @@ fr_info_t *fin;
* trust from userland!
*/
if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
(fin->fin_fi.fi_fl & FI_FRAG))) {
(fin->fin_flx & FI_FRAG))) {
KMALLOC(fr, frentry_t *);
if (fr) {
bcopy((char *)fra->fra_info.fin_fr,
fr, sizeof(*fr));
(char *)fr, sizeof(*fr));
fr->fr_grp = NULL;
fr->fr_ifa = fin->fin_ifp;
fr->fr_func = NULL;
fr->fr_ref = 1;
fr->fr_flags = pass;
#if BSD >= 199306
fr->fr_oifa = NULL;
#endif
fr->fr_ifas[1] = NULL;
fr->fr_ifas[2] = NULL;
fr->fr_ifas[3] = NULL;
}
} else
fr = fra->fra_info.fin_fr;
fin->fin_fr = fr;
RWLOCK_EXIT(&ipf_auth);
WRITE_ENTER(&ipf_auth);
if (fr && fr != fra->fra_info.fin_fr) {
if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
fr->fr_next = fr_authlist;
fr_authlist = fr;
}
@ -208,7 +251,7 @@ fr_info_t *fin;
while (fra->fra_index == -1) {
i++;
fra++;
if (i == FR_NUMAUTH) {
if (i == fr_authsize) {
i = 0;
fra = fr_auth;
}
@ -222,15 +265,19 @@ fr_info_t *fin;
}
}
RWLOCK_EXIT(&ipf_auth);
return pass;
if (passp != NULL)
*passp = pass;
ATOMIC_INCL(fr_authstats.fas_hits);
return fr;
}
i++;
if (i == FR_NUMAUTH)
if (i == fr_authsize)
i = 0;
}
fr_authstats.fas_miss++;
RWLOCK_EXIT(&ipf_auth);
return 0;
ATOMIC_INCL(fr_authstats.fas_miss);
return NULL;
}
@ -239,15 +286,17 @@ fr_info_t *fin;
* If we do, store it and wake up any user programs which are waiting to
* hear about these events.
*/
int fr_newauth(m, fin, ip)
int fr_newauth(m, fin)
mb_t *m;
fr_info_t *fin;
ip_t *ip;
{
#if defined(_KERNEL) && SOLARIS
qif_t *qif = fin->fin_qif;
#if defined(_KERNEL) && defined(MENTAT)
qpktinfo_t *qpi = fin->fin_qpi;
#endif
frauth_t *fra;
#if !defined(sparc) && !defined(m68k)
ip_t *ip;
#endif
int i;
if (fr_auth_lock)
@ -259,7 +308,7 @@ ip_t *ip;
RWLOCK_EXIT(&ipf_auth);
return 0;
} else {
if (fr_authused == FR_NUMAUTH) {
if (fr_authused == fr_authsize) {
fr_authstats.fas_nospace++;
RWLOCK_EXIT(&ipf_auth);
return 0;
@ -269,21 +318,24 @@ ip_t *ip;
fr_authstats.fas_added++;
fr_authused++;
i = fr_authend++;
if (fr_authend == FR_NUMAUTH)
if (fr_authend == fr_authsize)
fr_authend = 0;
RWLOCK_EXIT(&ipf_auth);
fra = fr_auth + i;
fra->fra_index = i;
fra->fra_pass = 0;
fra->fra_age = fr_defaultauthage;
bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
#if SOLARIS && defined(_KERNEL)
# if !defined(sparc)
#if !defined(sparc) && !defined(m68k)
/*
* No need to copyback here as we want to undo the changes, not keep
* them.
*/
if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
ip = fin->fin_ip;
# if defined(MENTAT) && defined(_KERNEL)
if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
# endif
{
register u_short bo;
@ -292,159 +344,163 @@ ip_t *ip;
bo = ip->ip_off;
ip->ip_off = htons(bo);
}
# endif
m->b_rptr -= qif->qf_off;
#endif
#if SOLARIS && defined(_KERNEL)
m->b_rptr -= qpi->qpi_off;
fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
fra->fra_q = qif->qf_q;
fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
cv_signal(&ipfauthwait);
#else
# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
if (!fin->fin_out) {
HTONS(ip->ip_len);
HTONS(ip->ip_off);
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
}
# endif
fr_authpkts[i] = m;
WAKEUP(&fr_authnext);
WAKEUP(&fr_authnext,0);
#endif
return 1;
}
int fr_auth_ioctl(data, mode, cmd, fr, frptr)
int fr_auth_ioctl(data, cmd, mode)
caddr_t data;
ioctlcmd_t cmd;
int mode;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
u_long cmd;
#else
int cmd;
#endif
frentry_t *fr, **frptr;
{
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
#if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
(!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
struct ifqueue *ifq;
# ifdef USE_SPL
int s;
# endif /* USE_SPL */
#endif
frauth_t auth, *au = &auth, *fra;
frauthent_t *fae, **faep;
int i, error = 0;
int i, error = 0, len;
char *t;
switch (cmd)
{
case SIOCSTLCK :
error = fr_lock(data, &fr_auth_lock);
break;
case SIOCINIFR :
case SIOCRMIFR :
case SIOCADIFR :
error = EINVAL;
break;
case SIOCINAFR :
error = EINVAL;
break;
case SIOCRMAFR :
case SIOCADAFR :
for (faep = &fae_list; (fae = *faep); )
if (&fae->fae_fr == fr)
break;
else
faep = &fae->fae_next;
if (cmd == SIOCRMAFR) {
if (!fr || !frptr)
error = EINVAL;
else if (!fae)
error = ESRCH;
else {
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
*faep = fae->fae_next;
*frptr = fr->fr_next;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
} else if (fr && frptr) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
*frptr = &fae->fae_fr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
} else
error = EINVAL;
break;
case SIOCATHST:
fr_authstats.fas_faelist = fae_list;
error = IWCOPYPTR((char *)&fr_authstats, data,
sizeof(fr_authstats));
break;
case SIOCAUTHW:
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
error = fr_lock(data, &fr_auth_lock);
break;
case SIOCATHST:
fr_authstats.fas_faelist = fae_list;
error = fr_outobj(data, &fr_authstats, IPFOBJ_AUTHSTAT);
break;
case SIOCIPFFL:
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
i = fr_authflush();
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
error = copyoutptr((char *)&i, data, sizeof(i));
break;
case SIOCAUTHW:
fr_authioctlloop:
error = fr_inobj(data, au, IPFOBJ_FRAUTH);
READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
sizeof(frauth_t));
error = fr_outobj(data, &fr_auth[fr_authnext],
IPFOBJ_FRAUTH);
if (auth.fra_len != 0 && auth.fra_buf != NULL) {
/*
* Copy packet contents out to user space if
* requested. Bail on an error.
*/
m = fr_authpkts[fr_authnext];
len = MSGDSIZE(m);
if (len > auth.fra_len)
len = auth.fra_len;
auth.fra_len = len;
for (t = auth.fra_buf; m && (len > 0); ) {
i = MIN(M_LEN(m), len);
error = copyoutptr(MTOD(m, char *),
t, i);
len -= i;
t += i;
if (error != 0)
break;
}
}
RWLOCK_EXIT(&ipf_auth);
if (error)
if (error != 0)
break;
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
fr_authnext++;
if (fr_authnext == FR_NUMAUTH)
if (fr_authnext == fr_authsize)
fr_authnext = 0;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
return 0;
}
RWLOCK_EXIT(&ipf_auth);
/*
* We exit ipf_global here because a program that enters in
* here will have a lock on it and goto sleep having this lock.
* If someone were to do an 'ipf -D' the system would then
* deadlock. The catch with releasing it here is that the
* caller of this function expects it to be held when we
* return so we have to reacquire it in here.
*/
RWLOCK_EXIT(&ipf_global);
MUTEX_ENTER(&ipf_authmx);
#ifdef _KERNEL
# if SOLARIS
mutex_enter(&ipf_authmx);
if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
mutex_exit(&ipf_authmx);
return EINTR;
error = 0;
if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk))
error = EINTR;
# else /* SOLARIS */
# ifdef __hpux
{
lock_t *l;
l = get_sleep_lock(&fr_authnext);
error = sleep(&fr_authnext, PZERO+1);
spinunlock(l);
}
mutex_exit(&ipf_authmx);
# else
# else
# ifdef __osf__
error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0,
&ipf_authmx, MS_LOCK_SIMPLE);
# else
error = SLEEP(&fr_authnext, "fr_authnext");
# endif
# endif /* __osf__ */
# endif /* __hpux */
# endif /* SOLARIS */
#endif
if (!error)
MUTEX_EXIT(&ipf_authmx);
READ_ENTER(&ipf_global);
if (error == 0) {
READ_ENTER(&ipf_auth);
goto fr_authioctlloop;
break;
case SIOCAUTHR:
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
if (error)
break;
case SIOCAUTHR:
error = fr_inobj(data, &auth, IPFOBJ_FRAUTH);
if (error != 0)
return error;
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
i = au->fra_index;
fra = fr_auth + i;
if ((i < 0) || (i > FR_NUMAUTH) ||
if ((i < 0) || (i >= fr_authsize) ||
(fra->fra_info.fin_id != au->fra_info.fin_id)) {
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
return EINVAL;
SPL_X(s);
return ESRCH;
}
m = fr_authpkts[i];
fra->fra_index = -2;
@ -452,59 +508,67 @@ fr_authioctlloop:
fr_authpkts[i] = NULL;
RWLOCK_EXIT(&ipf_auth);
#ifdef _KERNEL
if (m && au->fra_info.fin_out) {
# if SOLARIS
error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
# else /* SOLARIS */
struct route ro;
bzero((char *)&ro, sizeof(ro));
# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605))
error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
NULL);
if ((m != NULL) && (au->fra_info.fin_out != 0)) {
# ifdef MENTAT
error = !putq(fra->fra_q, m);
# else /* MENTAT */
# ifdef linux
# else
error = ip_output(m, NULL, &ro, IP_FORWARDING,
(struct ip_moptions *)NULL, (struct socket *)NULL);
# endif
if (ro.ro_rt) {
RTFREE(ro.ro_rt);
}
# endif /* SOLARIS */
if (error)
# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \
(defined(__sgi) && (IRIX >= 60500) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 470102)))
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
NULL);
# else
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
# endif
# endif /* Linux */
# endif /* MENTAT */
if (error != 0)
fr_authstats.fas_sendfail++;
else
fr_authstats.fas_sendok++;
} else if (m) {
# if SOLARIS
error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
# else /* SOLARIS */
# ifdef MENTAT
error = !putq(fra->fra_q, m);
# else /* MENTAT */
# ifdef linux
# else
# if __FreeBSD_version >= 501000
netisr_dispatch(NETISR_IP, m);
# else
# if IRIX >= 60516
ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd;
# else
ifq = &ipintrq;
# endif
if (IF_QFULL(ifq)) {
IF_DROP(ifq);
m_freem(m);
FREE_MB_T(m);
error = ENOBUFS;
} else {
IF_ENQUEUE(ifq, m);
# if IRIX < 605
# if IRIX < 60500
schednetisr(NETISR_IP);
# endif
# endif
}
# endif /* SOLARIS */
if (error)
# endif
# endif /* Linux */
# endif /* MENTAT */
if (error != 0)
fr_authstats.fas_quefail++;
else
fr_authstats.fas_queok++;
} else
error = EINVAL;
# if SOLARIS
if (error)
# ifdef MENTAT
if (error != 0)
error = EINVAL;
# else
# else /* MENTAT */
/*
* If we experience an error which will result in the packet
* not being processed, make sure we advance to the next one.
*/
*/
if (error == ENOBUFS) {
fr_authused--;
fra->fra_index = -1;
@ -512,7 +576,7 @@ fr_authioctlloop:
if (i == fr_authstart) {
while (fra->fra_index == -1) {
i++;
if (i == FR_NUMAUTH)
if (i == fr_authsize)
i = 0;
fr_authstart = i;
if (i == fr_authend)
@ -524,10 +588,11 @@ fr_authioctlloop:
}
}
}
# endif
# endif /* MENTAT */
#endif /* _KERNEL */
SPL_X(s);
break;
default :
error = EINVAL;
break;
@ -546,41 +611,48 @@ void fr_authunload()
frentry_t *fr, **frp;
mb_t *m;
WRITE_ENTER(&ipf_auth);
for (i = 0; i < FR_NUMAUTH; i++) {
if ((m = fr_authpkts[i])) {
FREE_MB_T(m);
fr_authpkts[i] = NULL;
fr_auth[i].fra_index = -1;
}
if (fr_auth != NULL) {
KFREES(fr_auth, fr_authsize * sizeof(*fr_auth));
fr_auth = NULL;
}
if (fr_authpkts != NULL) {
for (i = 0; i < fr_authsize; i++) {
m = fr_authpkts[i];
if (m != NULL) {
FREE_MB_T(m);
fr_authpkts[i] = NULL;
}
}
KFREES(fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
fr_authpkts = NULL;
}
for (faep = &fae_list; (fae = *faep); ) {
faep = &fae_list;
while ((fae = *faep) != NULL) {
*faep = fae->fae_next;
KFREE(fae);
}
ipauth = NULL;
RWLOCK_EXIT(&ipf_auth);
if (fr_authlist) {
/*
* We *MuST* reget ipf_auth because otherwise we won't get the
* locks in the right order and risk deadlock.
* We need ipf_mutex here to prevent a rule from using it
* inside fr_check().
*/
WRITE_ENTER(&ipf_mutex);
WRITE_ENTER(&ipf_auth);
for (frp = &fr_authlist; (fr = *frp); ) {
if (fr_authlist != NULL) {
for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
if (fr->fr_ref == 1) {
*frp = fr->fr_next;
KFREE(fr);
} else
frp = &fr->fr_next;
}
RWLOCK_EXIT(&ipf_auth);
RWLOCK_EXIT(&ipf_mutex);
}
if (fr_auth_init == 1) {
# if SOLARIS && defined(_KERNEL)
cv_destroy(&ipfauthwait);
# endif
MUTEX_DESTROY(&ipf_authmx);
RW_DESTROY(&ipf_auth);
fr_auth_init = 0;
}
}
@ -596,17 +668,18 @@ void fr_authexpire()
register frauthent_t *fae, **faep;
register frentry_t *fr, **frp;
mb_t *m;
#if !SOLARIS && defined(_KERNEL)
# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
int s;
#endif
# endif
if (fr_auth_lock)
return;
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
for (i = 0, fra = fr_auth; i < fr_authsize; i++, fra++) {
fra->fra_age--;
if ((fra->fra_age == 0) && (m = fr_authpkts[i])) {
FREE_MB_T(m);
fr_authpkts[i] = NULL;
fr_auth[i].fra_index = -1;
@ -615,8 +688,9 @@ void fr_authexpire()
}
}
for (faep = &fae_list; (fae = *faep); ) {
if (!--fae->fae_age) {
for (faep = &fae_list; ((fae = *faep) != NULL); ) {
fae->fae_age--;
if (fae->fae_age == 0) {
*faep = fae->fae_next;
KFREE(fae);
fr_authstats.fas_expire++;
@ -628,7 +702,7 @@ void fr_authexpire()
else
ipauth = NULL;
for (frp = &fr_authlist; (fr = *frp); ) {
for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
if (fr->fr_ref == 1) {
*frp = fr->fr_next;
KFREE(fr);
@ -638,3 +712,98 @@ void fr_authexpire()
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}
int fr_preauthcmd(cmd, fr, frptr)
ioctlcmd_t cmd;
frentry_t *fr, **frptr;
{
frauthent_t *fae, **faep;
int error = 0;
# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
int s;
#endif
if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
return EIO;
for (faep = &fae_list; ((fae = *faep) != NULL); ) {
if (&fae->fae_fr == fr)
break;
else
faep = &fae->fae_next;
}
if (cmd == (ioctlcmd_t)SIOCRMAFR) {
if (fr == NULL || frptr == NULL)
error = EINVAL;
else if (fae == NULL)
error = ESRCH;
else {
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
*faep = fae->fae_next;
if (ipauth == &fae->fae_fr)
ipauth = fae_list ? &fae_list->fae_fr : NULL;
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
KFREE(fae);
}
} else if (fr != NULL && frptr != NULL) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
*frptr = &fae->fae_fr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
} else
error = ENOMEM;
} else
error = EINVAL;
return error;
}
/*
* Flush held packets.
* Must already be properly SPL'ed and Locked on &ipf_auth.
*
*/
int fr_authflush()
{
register int i, num_flushed;
mb_t *m;
if (fr_auth_lock)
return -1;
num_flushed = 0;
for (i = 0 ; i < fr_authsize; i++) {
m = fr_authpkts[i];
if (m != NULL) {
FREE_MB_T(m);
fr_authpkts[i] = NULL;
fr_auth[i].fra_index = -1;
/* perhaps add & use a flush counter inst.*/
fr_authstats.fas_expire++;
fr_authused--;
num_flushed++;
}
}
fr_authstart = 0;
fr_authend = 0;
fr_authnext = 0;
return num_flushed;
}
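Review bot: In the SIOCAUTHW case of fr_auth_ioctl(), the result of `error = fr_inobj(data, au, IPFOBJ_FRAUTH);` is not checked before `auth.fra_len` and `auth.fra_buf` are read (and `error` is then overwritten by the `fr_outobj()` call), so a failed copy-in leaves `auth` uninitialised and the packet copy-out proceeds with an indeterminate length and pointer; add `if (error != 0) break;` directly after the `fr_inobj()` call. The copy-out loop `for (t = auth.fra_buf; m && (len > 0); )` never advances `m` to the next buffer in the chain, so a chained packet whose first buffer is shorter than `len` has that first buffer copied repeatedly instead of the remainder of the packet; each iteration should step to the next buffer (`m->m_next` on the BSD mbuf layout) or the copy should be bounded to the first buffer. The truncated `auth.fra_len` is only updated in the local copy and is never written back to user space, so callers cannot tell how many bytes actually landed in `fra_buf`. Separately, the `# if !defined(MENAT)` guards in fr_authexpire() and fr_preauthcmd() misspell MENTAT, so the `int s;` declaration is compiled on every `_KERNEL && USE_SPL` build regardless of platform; fr_auth_ioctl() begins outside the hunk that holds the SIOCAUTHW changes.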


@ -1,11 +1,11 @@
/* $NetBSD: ip_auth.h,v 1.10 2002/01/24 08:23:41 martti Exp $ */
/* $NetBSD: ip_auth.h,v 1.11 2004/03/28 09:00:56 martti Exp $ */
/*
* Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_auth.h,v 2.3.2.5 2001/11/04 13:15:51 darrenr Exp
* Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp
*
*/
#ifndef _NETINET_IP_AUTH_H_
@ -15,10 +15,12 @@
typedef struct frauth {
int fra_age;
int fra_len;
int fra_index;
u_32_t fra_pass;
fr_info_t fra_info;
#if SOLARIS
char *fra_buf;
#ifdef MENTAT
queue_t *fra_q;
#endif
} frauth_t;
@ -46,18 +48,19 @@ typedef struct fr_authstat {
extern frentry_t *ipauth;
extern struct fr_authstat fr_authstats;
extern int fr_defaultauthage;
extern int fr_authstart;
extern int fr_authend;
extern int fr_authsize;
extern int fr_authused;
extern int fr_auth_lock;
extern u_32_t fr_checkauth __P((ip_t *, fr_info_t *));
extern frentry_t *fr_checkauth __P((fr_info_t *, u_32_t *));
extern void fr_authexpire __P((void));
extern int fr_authinit __P((void));
extern void fr_authunload __P((void));
extern mb_t *fr_authpkts[];
extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(__FreeBSD_version >= 300003)
extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **));
#else
extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **));
#endif
#endif /* _NETINET_IP_AUTH_H_ */
extern int fr_authflush __P((void));
extern mb_t **fr_authpkts;
extern int fr_newauth __P((mb_t *, fr_info_t *));
extern int fr_preauthcmd __P((ioctlcmd_t, frentry_t *, frentry_t **));
extern int fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int));
#endif /* __IP_AUTH_H__ */
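Review bot: The closing `#endif /* __IP_AUTH_H__ */` names a different macro than the guard `#ifndef _NETINET_IP_AUTH_H_` at the top of the header; the comment should read `#endif /* _NETINET_IP_AUTH_H_ */`. The new `fra_len` and `fra_buf` members of `frauth_t` are undocumented even though they cross the user/kernel boundary (the SIOCAUTHW handler in ip_auth.c in this commit copies up to `fra_len` bytes of the held packet into `fra_buf`), so comments such as `int fra_len; /* size of fra_buf; bytes copied out by SIOCAUTHW */` and `char *fra_buf; /* user-space buffer for the held packet, or NULL */` would help the userland callers.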





@ -1,4 +1,4 @@
/* $NetBSD: ip_fil_netbsd.c,v 1.1.1.1 2004/03/28 08:56:39 martti Exp $ */
/* $NetBSD: ip_fil_netbsd.c,v 1.2 2004/03/28 09:00:57 martti Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -19,6 +19,8 @@ static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.2 2004/03/22 12:18
#include <sys/param.h>
#if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
# include "opt_ipfilter_log.h"
# include "opt_pfil_hooks.h"
# include "opt_ipsec.h"
#endif
#include <sys/errno.h>
#include <sys/types.h>
@ -77,6 +79,7 @@ MALLOC_DEFINE(M_IPFILTER, "IP Filter", "IP Filter packet filter data structures"
#if __NetBSD_Version__ >= 105009999
# define csuminfo csum_flags
#endif
#endif
extern struct protosw inetsw[];



@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.h,v 1.18 2002/09/19 08:09:15 martti Exp $ */
/* $NetBSD: ip_frag.h,v 1.19 2004/03/28 09:00:57 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
* Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp
* Id: ip_frag.h,v 2.23 2004/01/08 13:34:28 darrenr Exp
*/
#ifndef _NETINET_IP_FRAG_H_
@ -15,17 +15,19 @@
#define IPFT_SIZE 257
typedef struct ipfr {
struct ipfr *ipfr_next, *ipfr_prev;
struct ipfr *ipfr_hnext, **ipfr_hprev;
struct ipfr *ipfr_next, **ipfr_prev;
void *ipfr_data;
void *ipfr_ifp;
struct in_addr ipfr_src;
struct in_addr ipfr_dst;
void *ipfr_ifp;
u_32_t ipfr_optmsk;
u_short ipfr_secmsk;
u_short ipfr_auth;
u_short ipfr_id;
u_char ipfr_p;
u_char ipfr_tos;
u_32_t ipfr_pass;
u_short ipfr_off;
u_char ipfr_ttl;
u_char ipfr_seen0;
@ -40,36 +42,45 @@ typedef struct ipfrstat {
u_long ifs_hits;
u_long ifs_expire;
u_long ifs_inuse;
u_long ifs_retrans0;
u_long ifs_short;
struct ipfr **ifs_table;
struct ipfr **ifs_nattab;
} ipfrstat_t;
#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \
offsetof(ipfr_t, ipfr_src))
#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_pass) - \
offsetof(ipfr_t, ipfr_ifp))
extern int ipfr_size;
extern int fr_ipfrttl;
extern int fr_frag_lock;
extern ipfrstat_t *ipfr_fragstats __P((void));
extern int ipfr_newfrag __P((ip_t *, fr_info_t *));
extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *));
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_forget __P((void *));
extern void ipfr_unload __P((void));
extern void ipfr_fragexpire __P((void));
extern int fr_fraginit __P((void));
extern void fr_fragunload __P((void));
extern ipfrstat_t *fr_fragstats __P((void));
#ifdef _KERNEL
# if (BSD >= 199306) || SOLARIS || defined(__sgi)
# if defined(SOLARIS2) && (SOLARIS2 < 7)
extern void ipfr_slowtimer __P((void));
# else
extern void ipfr_slowtimer __P((void *));
# endif
extern int fr_newfrag __P((fr_info_t *, u_32_t));
extern frentry_t *fr_knownfrag __P((fr_info_t *, u_32_t *));
extern int fr_nat_newfrag __P((fr_info_t *, u_32_t, struct nat *));
extern nat_t *fr_nat_knownfrag __P((fr_info_t *));
extern int fr_ipid_newfrag __P((fr_info_t *, u_32_t));
extern u_32_t fr_ipid_knownfrag __P((fr_info_t *));
extern void fr_forget __P((void *));
extern void fr_forgetnat __P((void *));
extern void fr_fragclear __P((void));
extern void fr_fragexpire __P((void));
#if defined(_KERNEL) && ((BSD >= 199306) || SOLARIS || defined(__sgi) \
|| defined(__osf__) || (defined(__sgi) && (IRIX >= 60500)))
# if defined(SOLARIS2) && (SOLARIS2 < 7)
extern void fr_slowtimer __P((void));
# else
extern int ipfr_slowtimer __P((void));
# endif /* (BSD >= 199306) || SOLARIS */
extern void fr_slowtimer __P((void *));
# endif
#else
extern void ipfr_slowtimer __P((void));
#endif /* _KERNEL */
extern int fr_slowtimer __P((void));
#endif
#endif /* _NETINET_IP_FRAG_H_ */
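Review bot: The new IPFR_CMPSZ spans from ipfr_ifp up to (not including) ipfr_pass, so ipfr_ifp, ipfr_src, ipfr_dst, ipfr_optmsk, ipfr_secmsk, ipfr_auth, ipfr_id, ipfr_p and ipfr_tos are presumably compared as one raw byte range, which is only sound while those fields stay contiguous and pad-free in that exact order. Nothing in the header records that invariant, and a later field insertion or reorder (or a padding hole on an unusual ABI) would silently change which packets match a cached fragment entry rather than fail to compile. I would put next to the macro: `/* Byte range compared to match a fragment-cache entry: ipfr_ifp through ipfr_tos. Fields in this span must stay contiguous and padding-free; ipfr_pass must remain the first field after ipfr_tos. */`. Separately, in the `#if defined(_KERNEL) && (...)` guarding fr_slowtimer, `defined(__sgi)` already appears in the first clause, so the trailing `(defined(__sgi) && (IRIX >= 60500))` clause is dead; either drop it or, if the intent was to restrict sgi to IRIX >= 6.5, drop the earlier bare `defined(__sgi)`.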

