Import IPFilter 4.1.22
parent
9a9131c20f
commit
29fd0d9db1
|
@ -3,7 +3,7 @@
|
|||
#
|
||||
# See the IPFILTER.LICENCE file for details on licencing.
|
||||
#
|
||||
# Id: Makefile,v 1.41.2.12 2006/08/25 22:43:21 darrenr Exp
|
||||
# Id: Makefile,v 1.41.2.13 2007/05/10 06:02:19 darrenr Exp
|
||||
#
|
||||
INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
|
||||
|
||||
|
@ -87,6 +87,7 @@ LIBOBJS=$(DEST)/addicmp.o \
|
|||
$(DEST)/printpacket6.o \
|
||||
$(DEST)/printsbuf.o \
|
||||
$(DEST)/printstate.o \
|
||||
$(DEST)/printtqtable.o \
|
||||
$(DEST)/printtunable.o \
|
||||
$(DEST)/remove_hash.o \
|
||||
$(DEST)/remove_hashnode.o \
|
||||
|
@ -278,6 +279,8 @@ $(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP)
|
|||
$(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@
|
||||
$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h
|
||||
$(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@
|
||||
$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP)
|
||||
$(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@
|
||||
$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP)
|
||||
$(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@
|
||||
$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
/* $NetBSD: printfr.c,v 1.1.1.6 2007/04/14 20:17:31 martin Exp $ */
|
||||
/* $NetBSD: printfr.c,v 1.1.1.7 2007/05/15 22:26:09 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2000-2006 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*
|
||||
* Id: printfr.c,v 1.43.2.17 2006/06/16 17:21:10 darrenr Exp
|
||||
* Id: printfr.c,v 1.43.2.18 2007/05/07 06:55:38 darrenr Exp
|
||||
*/
|
||||
|
||||
#include "ipf.h"
|
||||
|
@ -470,7 +470,12 @@ ioctlfunc_t iocfunc;
|
|||
}
|
||||
printf(")");
|
||||
}
|
||||
|
||||
if (fp->fr_pps)
|
||||
printf(" pps %d", fp->fr_pps);
|
||||
|
||||
if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
|
||||
printf(" # count %d", fp->fr_statecnt);
|
||||
}
|
||||
(void)putchar('\n');
|
||||
}
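Review bot: The new `# count` suffix in the `FR_KEEPSTATE` / `OPT_VERBOSE` branch has no comment explaining why it begins with `#` or what `fr_statecnt` counts, so a reader cannot tell whether verbose output is still meant to be readable as a rule. I would add something like `/* verbose only: append the rule's state count as a trailing "# ..." comment */` above the `if`, with the wording confirmed by the author. The value is printed with `%d`, and the declaration of `fr_statecnt` is not in this hunk, so the specifier should be checked against its type. The enclosing function starts outside the hunk.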
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
/* $NetBSD: printtqtable.c,v 1.1.1.1 2007/05/15 22:26:09 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2007 by Darren Reed.
|
||||
*
|
||||
* See the IPFILTER.LICENCE file for details on licencing.
|
||||
*/
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include "ipf.h"
|
||||
#include "ipl.h"
|
||||
|
||||
|
||||
void printtqtable(table)
|
||||
ipftq_t *table;
|
||||
{
|
||||
int i;
|
||||
|
||||
printf("TCP Entries per state\n");
|
||||
for (i = 0; i < IPF_TCP_NSTATES; i++)
|
||||
printf(" %5d", i);
|
||||
printf("\n");
|
||||
|
||||
for (i = 0; i < IPF_TCP_NSTATES; i++)
|
||||
printf(" %5d", table[i].ifq_ref - 1);
|
||||
printf("\n");
|
||||
}
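Review bot: `printtqtable()` prints `table[i].ifq_ref - 1` without saying why one reference is subtracted, and it indexes `table` up to `IPF_TCP_NSTATES` with no length argument, so the bounds contract rests entirely on the caller. A header comment should state that `table` must point to at least `IPF_TCP_NSTATES` entries and what the subtracted reference is (presumably the queue's own reference; confirm against the kernel side). If a queue is ever reported with `ifq_ref` of 0, the column shows -1. `<fcntl.h>` and `<sys/ioctl.h>` are not used by anything in the file as shown and could probably be dropped.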
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: mlfk_ipl.c,v 1.1.1.9 2007/04/14 20:17:24 martin Exp $ */
|
||||
/* $NetBSD: mlfk_ipl.c,v 1.1.1.10 2007/05/15 22:26:02 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2000 by Darren Reed.
|
||||
|
@ -98,8 +98,8 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
|
|||
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
|
||||
|
||||
#define CDEV_MAJOR 79
|
||||
#if __FreeBSD_version >= 501000
|
||||
# include <sys/poll.h>
|
||||
#include <sys/poll.h>
|
||||
#if __FreeBSD_version >= 500043
|
||||
# include <sys/select.h>
|
||||
static int iplpoll(struct cdev *dev, int events, struct thread *td);
|
||||
|
||||
|
@ -114,12 +114,16 @@ static struct cdevsw ipl_cdevsw = {
|
|||
.d_write = iplwrite,
|
||||
.d_ioctl = iplioctl,
|
||||
.d_name = "ipl",
|
||||
# if __FreeBSD_version >= 500043
|
||||
.d_poll = iplpoll,
|
||||
# endif
|
||||
# if __FreeBSD_version < 600000
|
||||
.d_maj = CDEV_MAJOR,
|
||||
# endif
|
||||
};
|
||||
#else
|
||||
static int iplpoll(dev_t dev, int events, struct proc *p);
|
||||
|
||||
static struct cdevsw ipl_cdevsw = {
|
||||
/* open */ iplopen,
|
||||
/* close */ iplclose,
|
||||
|
@ -137,7 +141,9 @@ static struct cdevsw ipl_cdevsw = {
|
|||
# if (__FreeBSD_version < 500043)
|
||||
/* bmaj */ -1,
|
||||
# endif
|
||||
# if (__FreeBSD_version > 430000)
|
||||
/* kqfilter */ NULL
|
||||
# endif
|
||||
};
|
||||
#endif
|
||||
|
||||
|
@ -284,9 +290,12 @@ sysctl_ipf_int ( SYSCTL_HANDLER_ARGS )
|
|||
#endif
|
||||
|
||||
|
||||
#if __FreeBSD_version >= 501000
|
||||
static int
|
||||
#if __FreeBSD_version >= 500043
|
||||
iplpoll(struct cdev *dev, int events, struct thread *td)
|
||||
#else
|
||||
iplpoll(dev_t dev, int events, struct proc *td)
|
||||
#endif
|
||||
{
|
||||
u_int xmin = GET_MINOR(dev);
|
||||
int revents;
|
||||
|
@ -329,4 +338,3 @@ iplpoll(struct cdev *dev, int events, struct thread *td)
|
|||
|
||||
return revents;
|
||||
}
|
||||
#endif
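Review bot: The `#else` branch now declares `static int iplpoll(dev_t dev, int events, struct proc *p);`, but the positional `ipl_cdevsw` initializer after it is only partly visible, so it cannot be confirmed here that its poll slot names `iplpoll`. If it does not, the function is defined but never wired in on those versions. The prototype also names the last parameter `p` while the definition uses `td`; writing `struct proc *td` in the prototype would keep the two consistent. Assuming the enclosing guard is the `#if __FreeBSD_version >= 500043` from the first hunk, the inner `# if __FreeBSD_version >= 500043` around `.d_poll` and the `# if (__FreeBSD_version < 500043)` around `bmaj` are always true and could be removed. The bodies of `ipl_cdevsw` and `iplpoll` continue outside the hunks.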
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipnat.c,v 1.1.1.4 2007/04/14 20:17:34 martin Exp $ */
|
||||
/* $NetBSD: ipnat.c,v 1.1.1.5 2007/05/15 22:26:12 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2001-2006 by Darren Reed.
|
||||
|
@ -67,7 +67,7 @@ extern char *sys_errlist[];
|
|||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
|
||||
static const char rcsid[] = "@(#)Id: ipnat.c,v 1.24.2.5 2006/12/12 16:13:01 darrenr Exp";
|
||||
static const char rcsid[] = "@(#)Id: ipnat.c,v 1.24.2.6 2007/05/11 11:16:55 darrenr Exp";
|
||||
#endif
|
||||
|
||||
|
||||
|
@ -89,6 +89,7 @@ void dostats_live __P((int, natstat_t *, int));
|
|||
void showhostmap_dead __P((natstat_t *));
|
||||
void showhostmap_live __P((int, natstat_t *));
|
||||
void dostats_dead __P((natstat_t *, int));
|
||||
void showtqtable_live __P((int));
|
||||
|
||||
int opts;
|
||||
|
||||
|
@ -364,6 +365,8 @@ int fd, opts, alive;
|
|||
if (opts & OPT_VERBOSE)
|
||||
printf("table %p list %p\n",
|
||||
nsp->ns_table, nsp->ns_list);
|
||||
if (alive)
|
||||
showtqtable_live(fd);
|
||||
}
|
||||
|
||||
if (opts & OPT_LIST) {
|
||||
|
@ -496,3 +499,21 @@ natstat_t *nsp;
|
|||
nsp->ns_maplist = hm.hm_next;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void showtqtable_live(fd)
|
||||
int fd;
|
||||
{
|
||||
ipftq_t table[IPF_TCP_NSTATES];
|
||||
ipfobj_t obj;
|
||||
|
||||
bzero((char *)&obj, sizeof(obj));
|
||||
obj.ipfo_rev = IPFILTER_VERSION;
|
||||
obj.ipfo_size = sizeof(table);
|
||||
obj.ipfo_ptr = (void *)table;
|
||||
obj.ipfo_type = IPFOBJ_STATETQTAB;
|
||||
|
||||
if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
|
||||
printtqtable(table);
|
||||
}
|
||||
}
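Review bot: `showtqtable_live()` silently ignores a failed `ioctl(fd, SIOCGTQTAB, &obj)`. A size or version mismatch between this binary and the kernel (`ipfo_size` and `ipfo_rev` are both sent in `obj`) therefore just makes the table vanish from the statistics output with no diagnostic. An `else perror("ioctl(SIOCGTQTAB)");` branch would make the failure visible. `table` is also left uninitialized before the call, which is safe only because it is read on the success path alone. A one-line comment saying so would stop a later change from printing it unconditionally.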
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state
|
||||
block in log first on lo0(!) proto tcp/udp from any to any port = 7 keep state
|
||||
pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state # count 0
|
||||
block in log first on lo0(!) proto tcp/udp from any to any port = 7 keep state # count 0
|
||||
pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 20499 keep frags
|
||||
pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags (strict)
|
||||
pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags
|
||||
pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state
|
||||
pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state
|
||||
pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state
|
||||
pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state
|
||||
pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600)
|
||||
pass in proto udp from any to any keep state (sync,age 10/20)
|
||||
pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags # count 0
|
||||
pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state # count 0
|
||||
pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state # count 0
|
||||
pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state # count 0
|
||||
pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state # count 0
|
||||
pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600) # count 0
|
||||
pass in proto udp from any to any keep state (sync,age 10/20) # count 0
|
||||
|
|
|
@ -6,4 +6,4 @@ block in proto udp from any port != 123 to any port < 7
|
|||
block in proto tcp from any port = 25 to any port > 25
|
||||
pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
|
||||
pass in proto tcp/udp from any port 2:2 to any port 10:20
|
||||
pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state
|
||||
pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state # count 0
|
||||
|
|
|
@ -4,7 +4,7 @@ pass in from any to any with opt nop,rr,zsu
|
|||
pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr
|
||||
pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag
|
||||
pass in from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body
|
||||
pass in proto tcp from any to any flags S/FSRPAU with not oow keep state
|
||||
pass in proto tcp from any to any flags S/FSRPAU with not oow keep state # count 0
|
||||
block in proto tcp from any to any with oow
|
||||
pass in proto tcp from any to any flags S/FSRPAU with not bad,bad-src,bad-nat
|
||||
block in proto tcp from any to any flags S/FSRPAU with bad,not bad-src,not bad-nat
|
||||
|
|