From 44c002beb1a4c8685fc1170c276e09adec810522 Mon Sep 17 00:00:00 2001 From: mrg Date: Thu, 30 Oct 1997 05:27:24 +0000 Subject: [PATCH] import ip-filter 3.2 --- sys/netinet/ip_auth.h | 8 +- sys/netinet/ip_log.c | 60 ++++++--- usr.sbin/ipf/ipf/ipf.8 | 4 +- usr.sbin/ipf/ipf/ipf.h | 12 +- usr.sbin/ipf/ipf/opt.c | 17 ++- usr.sbin/ipf/ipfstat/kmem.c | 10 +- usr.sbin/ipf/ipfstat/kmem.h | 6 +- usr.sbin/ipf/ipftest/ipft_ef.c | 21 ++- usr.sbin/ipf/ipftest/ipft_hx.c | 19 ++- usr.sbin/ipf/ipftest/ipft_pc.c | 15 ++- usr.sbin/ipf/ipftest/ipft_sn.c | 15 ++- usr.sbin/ipf/ipftest/ipft_td.c | 21 ++- usr.sbin/ipf/ipftest/ipft_tx.c | 37 +++--- usr.sbin/ipf/ipftest/ipt.h | 6 +- usr.sbin/ipf/ipftest/misc.c | 12 +- usr.sbin/ipf/ipftest/pcap.h | 6 +- usr.sbin/ipf/ipftest/snoop.h | 6 +- usr.sbin/ipf/ipresend/ipresend.c | 11 +- usr.sbin/ipf/ipsend/iplang.h | 4 +- usr.sbin/ipf/ipsend/iplang.tst | 17 +-- usr.sbin/ipf/ipsend/iplang_l.l | 88 +++++++++++-- usr.sbin/ipf/ipsend/ipsend.1 | 15 ++- usr.sbin/ipf/ipsend/ipsend.5 | 218 +++++++++++++++++++++++++++---- usr.sbin/ipf/ipsend/tcpip.h | 8 +- usr.sbin/ipf/rules/BASIC.NAT | 45 +++++++ usr.sbin/ipf/rules/BASIC_1.FW | 99 ++++++++++++++ usr.sbin/ipf/rules/BASIC_2.FW | 72 ++++++++++ usr.sbin/ipf/rules/Makefile | 2 +- usr.sbin/ipf/rules/example.10 | 4 +- 29 files changed, 691 insertions(+), 167 deletions(-) create mode 100644 usr.sbin/ipf/rules/BASIC.NAT create mode 100644 usr.sbin/ipf/rules/BASIC_1.FW create mode 100644 usr.sbin/ipf/rules/BASIC_2.FW diff --git a/sys/netinet/ip_auth.h b/sys/netinet/ip_auth.h index d56ed2f2150d..dc8afd778122 100644 --- a/sys/netinet/ip_auth.h +++ b/sys/netinet/ip_auth.h 
@@ -1,13 +1,13 @@ -/* $NetBSD: ip_auth.h,v 1.1.1.2 1997/09/21 16:49:28 veego Exp $ */ +/* $NetBSD: ip_auth.h,v 1.1.1.3 1997/10/30 05:31:16 mrg Exp $ */ /* - * (C)opyright 1997 by Darren Reed & Guido Van Rooij. + * Copyright (C) 1997 by Darren Reed & Guido Van Rooij. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp + * Id: ip_auth.h,v 2.0.2.10 1997/10/29 12:14:07 darrenr Exp * */ #ifndef __IP_AUTH_H__ @@ -60,7 +60,7 @@ extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *, qif_t *)); #else extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *)); #endif -#ifdef __NetBSD__ +#if defined(__NetBSD__) || defined(__OpenBSD__) extern int fr_auth_ioctl __P((caddr_t, u_long, frentry_t *, frentry_t **)); #else extern int fr_auth_ioctl __P((caddr_t, int, frentry_t *, frentry_t **)); diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c index 279d1feae011..a65b84e1c7eb 100644 --- a/sys/netinet/ip_log.c +++ b/sys/netinet/ip_log.c @@ -1,13 +1,13 @@ -/* $NetBSD: ip_log.c,v 1.1.1.1 1997/09/21 16:49:48 veego Exp $ */ +/* $NetBSD: ip_log.c,v 1.1.1.2 1997/10/30 05:31:59 mrg Exp $ */ /* - * (C)opyright 1997 by Darren Reed. + * Copyright (C) 1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * Id: ip_log.c,v 2.0.2.6 1997/09/10 13:08:18 darrenr Exp + * Id: ip_log.c,v 2.0.2.13 1997/10/29 12:14:11 darrenr Exp */ #ifdef IPFILTER_LOG # ifndef SOLARIS @@ -46,7 +46,7 @@ # endif # include # if !SOLARIS -# if NetBSD > 199609 +# if (NetBSD > 199609) || (OpenBSD > 199603) # include # else # include 
@@ -75,7 +75,15 @@ # endif # include # include +#ifdef __sgi +#include +# ifdef IFF_DRVRLOCK /* IRIX6 */ +#include +# endif +#endif +#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ # include +#endif # include # include # include @@ -98,9 +106,11 @@ # endif -#if SOLARIS +#if SOLARIS || defined(__sgi) extern kmutex_t ipl_mutex; +# if SOLARIS extern kcondvar_t iplwait; +# endif #endif iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1]; @@ -123,7 +133,7 @@ void ipflog_init() iplh[i] = &iplt[i]; iplused[i] = 0; } -# if BSD >= 199306 || defined(__FreeBSD__) +# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) microtime(&tv); # else uniqtime(&tv); @@ -162,8 +172,10 @@ mb_t *m; * calculate header size. */ hlen = fin->fin_hlen; - if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) + if (ip->ip_p == IPPROTO_TCP) hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen); + else if (ip->ip_p == IPPROTO_UDP) + hlen += MIN(sizeof(udphdr_t), fin->fin_dlen); else if (ip->ip_p == IPPROTO_ICMP) { struct icmp *icmp = (struct icmp *)((char *)ip + hlen); @@ -194,7 +206,8 @@ mb_t *m; bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4)); mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0; # else -# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) +# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ + (defined(OpenBSD) && (OpenBSD >= 199603)) strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ); # else ipfl.fl_unit = (u_char)ifp->if_unit; @@ -292,6 +305,7 @@ int *types, cnt; * amount of space we're going to use. */ ipl = (iplog_t *)buf; + ipl->ipl_magic = IPL_MAGIC; ipl->ipl_count = 1; ipl->ipl_next = NULL; ipl->ipl_dsize = len; @@ -301,7 +315,7 @@ int *types, cnt; # ifdef sun uniqtime((struct timeval *)&ipl->ipl_sec); # endif -# if BSD >= 199306 || defined(__FreeBSD__) +# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) microtime((struct timeval *)&ipl->ipl_sec); # endif # endif 
@@ -329,7 +343,8 @@ int *types, cnt; cv_signal(&iplwait); mutex_exit(&ipl_mutex); # else - wakeup(iplh[dev]); + MUTEX_EXIT(&ipl_mutex); + wakeup(&iplh[dev]); # endif return 1; } @@ -361,24 +376,25 @@ struct uio *uio; * Lock the log so we can snapshot the variables. Wait for a signal * if the log is empty. */ - SPLNET(s); + SPL_NET(s); MUTEX_ENTER(&ipl_mutex); + while (!iplused[unit] || !iplt[unit]) { # if SOLARIS && defined(_KERNEL) - while (!iplused[unit]) if (!cv_wait_sig(&iplwait, &ipl_mutex)) { MUTEX_EXIT(&ipl_mutex); return EINTR; } # else - while (!iplused[unit]) { - SPLX(s); - error = SLEEP(iplh[unit], "ipl sleep"); + MUTEX_EXIT(&ipl_mutex); + SPL_X(s); + error = SLEEP(&iplh[unit], "ipl sleep"); if (error) return error; - SPLNET(s); - } + SPL_NET(s); + MUTEX_ENTER(&ipl_mutex); # endif + } # if BSD >= 199306 || defined(__FreeBSD__) uio->uio_rw = UIO_READ; @@ -393,21 +409,23 @@ struct uio *uio; */ iplt[unit] = ipl->ipl_next; MUTEX_EXIT(&ipl_mutex); - SPLX(s); + SPL_X(s); error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio); KFREES((caddr_t)ipl, ipl->ipl_dsize); if (error) break; - SPLNET(s); + SPL_NET(s); MUTEX_ENTER(&ipl_mutex); iplused[unit] -= dlen; } - if (!ipl) + if (!ipl) { + iplused[unit] = 0; iplh[unit] = &iplt[unit]; + } if (!error) { MUTEX_EXIT(&ipl_mutex); - SPLX(s); + SPL_X(s); } return error; } diff --git a/usr.sbin/ipf/ipf/ipf.8 b/usr.sbin/ipf/ipf/ipf.8 index 9246b3500802..b13e2ddb2f05 100644 --- a/usr.sbin/ipf/ipf/ipf.8 +++ b/usr.sbin/ipf/ipf/ipf.8 @@ -1,6 +1,6 @@ -.TH IPF 1 +.TH IPF 8 .SH NAME -ipf \- alters packet filtering lists for IP packet input and ouput +ipf \- alters packet filtering lists for IP packet input and output .SH SYNOPSIS .B ipf [ diff --git a/usr.sbin/ipf/ipf/ipf.h b/usr.sbin/ipf/ipf/ipf.h index 3acb90502d4a..ef016587d564 100644 --- a/usr.sbin/ipf/ipf/ipf.h +++ b/usr.sbin/ipf/ipf/ipf.h 
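Review bot: The non-Solaris wait inside the new `while (!iplused[unit] || !iplt[unit])` loop releases the mutex and then lowers the spl with `SPL_X(s);` before calling `SLEEP(&iplh[unit], "ipl sleep")`, which leaves a window in which the `wakeup(&iplh[dev])` issued by the logger can arrive before the reader is actually asleep and be lost; the reader then blocks until the next record is logged. The window existed before this change, but the rewrite of the wait loop is the place to close it. If SLEEP expands to tsleep(), which goes to sleep atomically with respect to the spl held by its caller, removing the `SPL_X(s);` before the call and the matching `SPL_NET(s);` after it closes the gap; ip_compat.h is not in this diff, so confirm what SLEEP maps to on each platform before making that change. ipflog_read starts before this hunk and continues after it.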
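Review bot: On the UIOMOVE failure path the record has already been unlinked by `iplt[unit] = ipl->ipl_next;` and freed by KFREES, but `if (error) break;` skips `iplused[unit] -= dlen;`, so the in-use byte count no longer matches what is on the list. The added `|| !iplt[unit]` loop condition and the `iplused[unit] = 0;` reset under `if (!ipl)` stop the reader from sleeping forever on that stale count, but they mask the drift rather than remove it, and any producer-side check of iplused[unit] still sees the inflated value until the list next empties. Doing the decrement while the mutex is still held keeps the count exact on every path: move `iplused[unit] -= dlen;` to directly after `iplt[unit] = ipl->ipl_next;` and drop it from the bottom of the loop. dlen is assigned above the hunk, so I am assuming it holds this record's size; ipflog_read starts before the hunk.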
@@ -1,14 +1,14 @@ -/* $NetBSD: ipf.h,v 1.1.1.6 1997/09/21 16:47:51 veego Exp $ */ +/* $NetBSD: ipf.h,v 1.1.1.7 1997/10/30 05:27:27 mrg Exp $ */ /* - * (C)opyright 1993-1997 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * Id: ipf.h,v 2.0.2.9 1997/08/26 12:52:46 darrenr Exp + * Id: ipf.h,v 2.0.2.12 1997/09/28 07:11:50 darrenr Exp */ #ifndef __IPF_H__ @@ -46,6 +46,10 @@ # endif #endif +#ifdef ultrix +extern char *strdup __P((char *)); +#endif + extern struct frentry *parse __P((char *)); extern void printfr __P((struct frentry *)); @@ -64,7 +68,7 @@ struct ipopt_names { extern u_32_t buildopts __P((char *, char *, int)); extern u_32_t hostnum __P((char *, int *)); extern u_32_t optname __P((char ***, u_short *)); -extern void printpacket __P((struct ip *)); +extern void printpacket __P((ip_t *)); #if SOLARIS extern int inet_aton __P((const char *, struct in_addr *)); #endif diff --git a/usr.sbin/ipf/ipf/opt.c b/usr.sbin/ipf/ipf/opt.c index 4ee0f5c649db..812001bc427a 100644 --- a/usr.sbin/ipf/ipf/opt.c +++ b/usr.sbin/ipf/ipf/opt.c @@ -1,7 +1,7 @@ -/* $NetBSD: opt.c,v 1.1.1.6 1997/09/21 16:47:50 veego Exp $ */ +/* $NetBSD: opt.c,v 1.1.1.7 1997/10/30 05:27:24 mrg Exp $ */ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -16,17 +16,24 @@ #include #include #include +#ifndef linux #include +#endif #include +#ifndef linux #include +#endif #include #include #include #include "ipf.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "Id: opt.c,v 2.0.2.7 1997/09/10 13:08:23 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: opt.c,v 2.0.2.9 1997/09/28 07:12:08 darrenr Exp "; #endif extern int opts; diff --git a/usr.sbin/ipf/ipfstat/kmem.c b/usr.sbin/ipf/ipfstat/kmem.c index 0282da853b97..15132837b884 100644 --- a/usr.sbin/ipf/ipfstat/kmem.c +++ b/usr.sbin/ipf/ipfstat/kmem.c @@ -1,7 +1,7 @@ -/* $NetBSD: kmem.c,v 1.1.1.6 1997/09/21 16:47:59 veego Exp $ */ +/* $NetBSD: kmem.c,v 1.1.1.7 1997/10/30 05:27:38 mrg Exp $ */ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -20,9 +20,9 @@ #include #include "kmem.h" -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static char rcsid[] = "Id: kmem.c,v 2.0.2.3 1997/03/10 08:10:37 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; +static const char rcsid[] = "@(#)Id: kmem.c,v 2.0.2.5 1997/10/23 14:50:53 darrenr Exp "; #endif static int kmemfd = -1; diff --git a/usr.sbin/ipf/ipfstat/kmem.h b/usr.sbin/ipf/ipfstat/kmem.h index d1a89bfae6f8..d0e697777cfc 100644 --- a/usr.sbin/ipf/ipfstat/kmem.h +++ b/usr.sbin/ipf/ipfstat/kmem.h 
@@ -1,12 +1,12 @@ -/* $NetBSD: kmem.h,v 1.1.1.6 1997/09/21 16:48:00 veego Exp $ */ +/* $NetBSD: kmem.h,v 1.1.1.7 1997/10/30 05:27:41 mrg Exp $ */ /* - * (C)opyright 1993-1997 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp + * Id: kmem.h,v 2.0.2.6 1997/09/28 07:12:02 darrenr Exp */ #ifndef __KMEM_H__ diff --git a/usr.sbin/ipf/ipftest/ipft_ef.c b/usr.sbin/ipf/ipftest/ipft_ef.c index bed16027144f..f0b53112113b 100644 --- a/usr.sbin/ipf/ipftest/ipft_ef.c +++ b/usr.sbin/ipf/ipftest/ipft_ef.c @@ -1,7 +1,7 @@ -/* $NetBSD: ipft_ef.c,v 1.1.1.6 1997/09/21 16:48:07 veego Exp $ */ +/* $NetBSD: ipft_ef.c,v 1.1.1.7 1997/10/30 05:27:56 mrg Exp $ */ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -37,21 +37,28 @@ etherfind -n -t #include #include #include +#ifndef linux #include +#endif #include #include #include #include +#ifndef linux #include +#endif #include #include #include #include "ipf.h" #include "ipt.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_ef.c,v 2.0.2.7 1997/09/28 07:11:50 darrenr Exp "; #endif static int etherf_open __P((char *)); 
@@ -92,7 +99,7 @@ char *buf, **ifn; int cnt, *dir; { struct tcpiphdr pkt; - struct ip *ip = (struct ip *)&pkt; + ip_t *ip = (ip_t *)&pkt; struct protoent *p = NULL; char src[16], dst[16], sprt[16], dprt[16]; char lbuf[128], len[8], prot[8], time[8], *s; @@ -145,7 +152,7 @@ int cnt, *dir; (void) inet_aton(src, &ip->ip_src); (void) inet_aton(dst, &ip->ip_dst); ip->ip_len = atoi(len); - ip->ip_hl = sizeof(struct ip); + ip->ip_hl = sizeof(ip_t); slen = ip->ip_hl + extra; i = MIN(cnt, slen); diff --git a/usr.sbin/ipf/ipftest/ipft_hx.c b/usr.sbin/ipf/ipftest/ipft_hx.c index 5d1ae55a57be..be64f8defe30 100644 --- a/usr.sbin/ipf/ipftest/ipft_hx.c +++ b/usr.sbin/ipf/ipftest/ipft_hx.c @@ -1,7 +1,7 @@ -/* $NetBSD: ipft_hx.c,v 1.1.1.6 1997/09/21 16:48:13 veego Exp $ */ +/* $NetBSD: ipft_hx.c,v 1.1.1.7 1997/10/30 05:28:09 mrg Exp $ */ /* - * (C)opyright 1995 by Darren Reed. + * Copyright (C) 1995-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -11,12 +11,12 @@ #include #include #include +#include #if !defined(__SVR4) && !defined(__svr4__) #include #else #include #endif -#include #include #include #include @@ -26,12 +26,16 @@ #include #include #include +#ifndef linux #include +#endif #include #include #include #include +#ifndef linux #include +#endif #include #include #include @@ -39,10 +43,13 @@ #include #include "ipf.h" #include "ipt.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static char rcsid[] = "Id: ipft_hx.c,v 2.0.2.5 1997/07/20 11:10:32 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_hx.c,v 2.0.2.8 1997/10/19 15:39:23 darrenr Exp "; #endif extern int opts; 
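Review bot: `ip->ip_hl = sizeof(ip_t);` stores a byte count in the header-length field; if ip_t is the system `struct ip`, ip_hl is a 4-bit field counted in 32-bit words, so 20 is truncated to 4, and the following `slen = ip->ip_hl + extra;` then builds the packet length from that truncated value while also reading it as bytes. The commit only swaps the type name on this line, but the new side keeps the defect; I would write `ip->ip_hl = sizeof(ip_t) >> 2;` and `slen = (ip->ip_hl << 2) + extra;`. The same pattern appears in the ipft_td.c hunk at `ip->ip_len = ip->ip_hl = sizeof(ip_t);`, where ip_len does want the byte count, so that chained assignment needs splitting into two statements. The enclosing function's signature is above the hunk.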
diff --git a/usr.sbin/ipf/ipftest/ipft_pc.c b/usr.sbin/ipf/ipftest/ipft_pc.c index b620201f5582..8ec99d9683eb 100644 --- a/usr.sbin/ipf/ipftest/ipft_pc.c +++ b/usr.sbin/ipf/ipftest/ipft_pc.c @@ -1,7 +1,7 @@ -/* $NetBSD: ipft_pc.c,v 1.1.1.6 1997/09/21 16:48:09 veego Exp $ */ +/* $NetBSD: ipft_pc.c,v 1.1.1.7 1997/10/30 05:28:01 mrg Exp $ */ /* - * (C)opyright 1993-1996 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -22,18 +22,25 @@ #include #include #include +#ifndef linux #include +#endif #include #include +#ifndef linux #include +#endif #include #include #include "ipf.h" #include "ipt.h" #include "pcap.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp "; +#if !defined(lint) +static const char rcsid[] = "@(#)Id: ipft_pc.c,v 2.0.2.6 1997/09/28 07:11:52 darrenr Exp "; #endif struct llc { diff --git a/usr.sbin/ipf/ipftest/ipft_sn.c b/usr.sbin/ipf/ipftest/ipft_sn.c index af343b8a2826..e8d53f3bb119 100644 --- a/usr.sbin/ipf/ipftest/ipft_sn.c +++ b/usr.sbin/ipf/ipftest/ipft_sn.c @@ -1,7 +1,7 @@ -/* $NetBSD: ipft_sn.c,v 1.1.1.6 1997/09/21 16:48:06 veego Exp $ */ +/* $NetBSD: ipft_sn.c,v 1.1.1.7 1997/10/30 05:27:54 mrg Exp $ */ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -26,18 +26,25 @@ #include #include #include +#ifndef linux #include +#endif #include #include +#ifndef linux #include +#endif #include #include #include "ipf.h" #include "ipt.h" #include "snoop.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp "; +#if !defined(lint) +static const char rcsid[] = "@(#)Id: ipft_sn.c,v 2.0.2.6 1997/09/28 07:11:53 darrenr Exp "; #endif struct llc { diff --git a/usr.sbin/ipf/ipftest/ipft_td.c b/usr.sbin/ipf/ipftest/ipft_td.c index eb751908669e..5d7854cf36ff 100644 --- a/usr.sbin/ipf/ipftest/ipft_td.c +++ b/usr.sbin/ipf/ipftest/ipft_td.c @@ -1,7 +1,7 @@ -/* $NetBSD: ipft_td.c,v 1.1.1.6 1997/09/21 16:48:08 veego Exp $ */ +/* $NetBSD: ipft_td.c,v 1.1.1.7 1997/10/30 05:27:59 mrg Exp $ */ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -46,21 +46,28 @@ tcpdump -nqte #include #include #include +#ifndef linux #include +#endif #include #include #include #include +#ifndef linux #include +#endif #include #include #include #include "ipf.h" #include "ipt.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_td.c,v 2.0.2.6 1997/09/28 07:11:54 darrenr Exp "; #endif static int tcpd_open __P((char *)); 
@@ -115,7 +122,7 @@ char *buf, **ifn; int cnt, *dir; { struct tcpiphdr pkt; - struct ip *ip = (struct ip *)&pkt; + ip_t *ip = (ip_t *)&pkt; struct protoent *p; char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; char lbuf[160], *s; @@ -158,7 +165,7 @@ int cnt, *dir; (void) inet_aton(src, &ip->ip_src); (void) inet_aton(src, &ip->ip_dst); } - ip->ip_len = ip->ip_hl = sizeof(struct ip); + ip->ip_len = ip->ip_hl = sizeof(ip_t); s = strtok(misc, " :"); if ((p = getprotobyname(s))) { diff --git a/usr.sbin/ipf/ipftest/ipft_tx.c b/usr.sbin/ipf/ipftest/ipft_tx.c index 20d45f8c31c9..4f084e83c583 100644 --- a/usr.sbin/ipf/ipftest/ipft_tx.c +++ b/usr.sbin/ipf/ipftest/ipft_tx.c @@ -1,7 +1,7 @@ -/* $NetBSD: ipft_tx.c,v 1.1.1.6 1997/09/21 16:48:10 veego Exp $ */ +/* $NetBSD: ipft_tx.c,v 1.1.1.7 1997/10/30 05:28:04 mrg Exp $ */ /* - * (C)opyright 1995 by Darren Reed. + * Copyright (C) 1995-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -11,12 +11,12 @@ #include #include #include +#include #if !defined(__SVR4) && !defined(__svr4__) #include #else #include #endif -#include #include #include #include @@ -26,12 +26,16 @@ #include #include #include +#ifndef linux #include +#endif #include #include #include #include +#ifndef linux #include +#endif #include #include #include @@ -40,10 +44,13 @@ #include #include "ipf.h" #include "ipt.h" +#ifdef linux +#include "tcpip.h" +#endif -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "Id: ipft_tx.c,v 2.0.2.7 1997/08/26 12:52:03 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipft_tx.c,v 2.0.2.11 1997/10/19 15:39:24 darrenr Exp "; #endif extern int opts; 
@@ -52,7 +59,7 @@ static char *tx_proto = ""; static int text_open __P((char *)), text_close __P((void)); static int text_readip __P((char *, int, char **, int *)); -static int parseline __P((char *, struct ip *, char **, int *)); +static int parseline __P((char *, ip_t *, char **, int *)); static char tcp_flagset[] = "FSRPAU"; static u_char tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, @@ -137,8 +144,8 @@ char *name; char *tx_icmptypes[] = { "echorep", (char *)NULL, (char *)NULL, "unreach", "squench", - "redir", (char *)NULL, (char *)NULL, "echo", (char *)NULL, - (char *)NULL, "timex", "paramprob", "timest", "timestrep", + "redir", (char *)NULL, (char *)NULL, "echo", "routerad", + "routersol", "timex", "paramprob", "timest", "timestrep", "inforeq", "inforep", "maskreq", "maskrep", "END" }; @@ -176,10 +183,10 @@ char *buf, **ifn; int cnt, *dir; { register char *s; - struct ip *ip; + ip_t *ip; char line[513]; - ip = (struct ip *)buf; + ip = (ip_t *)buf; *ifn = NULL; while (fgets(line, sizeof(line)-1, tfp)) { if ((s = index(line, '\n'))) @@ -194,11 +201,11 @@ int cnt, *dir; printf("input: %s\n", line); *ifn = NULL; *dir = 0; - if (!parseline(line, (struct ip *)buf, ifn, dir)) + if (!parseline(line, (ip_t *)buf, ifn, dir)) #if 0 return sizeof(struct tcpiphdr); #else - return sizeof(struct ip); + return sizeof(ip_t); #endif } return -1; @@ -206,7 +213,7 @@ int cnt, *dir; static int parseline(line, ip, ifn, out) char *line; -struct ip *ip; +ip_t *ip; char **ifn; int *out; { @@ -246,7 +253,7 @@ int *out; } c = **cpp; - ip->ip_len = sizeof(struct ip); + ip->ip_len = sizeof(ip_t); if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") || !strcasecmp(*cpp, "icmp")) { if (c == 't') { diff --git a/usr.sbin/ipf/ipftest/ipt.h b/usr.sbin/ipf/ipftest/ipt.h index 4a84424969ca..c38402d0a9b8 100644 --- a/usr.sbin/ipf/ipftest/ipt.h +++ b/usr.sbin/ipf/ipftest/ipt.h 
@@ -1,12 +1,12 @@ -/* $NetBSD: ipt.h,v 1.1.1.6 1997/09/21 16:48:14 veego Exp $ */ +/* $NetBSD: ipt.h,v 1.1.1.7 1997/10/30 05:28:12 mrg Exp $ */ /* - * (C)opyright 1993-1997 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp + * Id: ipt.h,v 2.0.2.7 1997/09/28 07:12:00 darrenr Exp */ #ifndef __IPT_H__ diff --git a/usr.sbin/ipf/ipftest/misc.c b/usr.sbin/ipf/ipftest/misc.c index 6f71a555ad08..afdab00f1f7e 100644 --- a/usr.sbin/ipf/ipftest/misc.c +++ b/usr.sbin/ipf/ipftest/misc.c @@ -1,7 +1,7 @@ -/* $NetBSD: misc.c,v 1.1.1.6 1997/09/21 16:48:11 veego Exp $ */ +/* $NetBSD: misc.c,v 1.1.1.7 1997/10/30 05:28:07 mrg Exp $ */ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -10,12 +10,12 @@ #include #include #include +#include #if !defined(__SVR4) && !defined(__svr4__) #include #else #include #endif -#include #include #include #include @@ -41,9 +41,9 @@ #include "ipf.h" #include "ipt.h" -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static char rcsid[] = "Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp "; +#if !defined(lint) +static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: misc.c,v 2.0.2.8 1997/10/19 15:39:28 darrenr Exp "; #endif extern int opts; diff --git a/usr.sbin/ipf/ipftest/pcap.h b/usr.sbin/ipf/ipftest/pcap.h index eb1a45301a11..1640ab5a6ea9 100644 --- a/usr.sbin/ipf/ipftest/pcap.h +++ b/usr.sbin/ipf/ipftest/pcap.h 
@@ -1,12 +1,12 @@ -/* $NetBSD: pcap.h,v 1.1.1.3 1997/09/21 16:48:16 veego Exp $ */ +/* $NetBSD: pcap.h,v 1.1.1.4 1997/10/30 05:28:18 mrg Exp $ */ /* - * (C)opyright 1993-1997 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * Id: pcap.h,v 2.0.2.3 1997/04/07 09:59:02 darrenr Exp + * Id: pcap.h,v 2.0.2.4 1997/09/28 07:12:10 darrenr Exp */ /* * This header file is constructed to match the version described by diff --git a/usr.sbin/ipf/ipftest/snoop.h b/usr.sbin/ipf/ipftest/snoop.h index 111a9d91451d..f4a603f3e05a 100644 --- a/usr.sbin/ipf/ipftest/snoop.h +++ b/usr.sbin/ipf/ipftest/snoop.h @@ -1,7 +1,7 @@ -/* $NetBSD: snoop.h,v 1.1.1.6 1997/09/21 16:48:15 veego Exp $ */ +/* $NetBSD: snoop.h,v 1.1.1.7 1997/10/30 05:28:16 mrg Exp $ */ /* - * (C)opyright 1993-1997 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -13,7 +13,7 @@ /* * written to comply with the RFC (1761) from Sun. - * Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp + * Id: snoop.h,v 2.0.2.5 1997/09/28 07:12:11 darrenr Exp */ struct snoophdr { char s_id[8]; diff --git a/usr.sbin/ipf/ipresend/ipresend.c b/usr.sbin/ipf/ipresend/ipresend.c index 7dedfb74d5e7..d5e5c6ad42d1 100644 --- a/usr.sbin/ipf/ipresend/ipresend.c +++ b/usr.sbin/ipf/ipresend/ipresend.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipresend.c,v 1.1.1.3 1997/09/21 16:49:04 veego Exp $ */ +/* $NetBSD: ipresend.c,v 1.1.1.4 1997/10/30 05:29:39 mrg Exp $ */ /* * ipresend.c (C) 1995-1997 Darren Reed 
@@ -12,8 +12,9 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ -#if !defined(lint) && defined(LIBC_SCCS) -static char sccsid[] = "%W% %G% (C)1995 Darren Reed"; +#if !defined(lint) +static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; +static const char rcsid[] = "@(#)Id: ipresend.c,v 2.0.2.9 1997/10/12 09:48:37 darrenr Exp "; #endif #include #include @@ -56,7 +57,11 @@ char default_device[] = "ln0"; # ifdef __bsdi__ char default_device[] = "ef0"; # else +# ifdef __sgi +char default_device[] = "ec0"; +# else char default_device[] = "lan0"; +# endif # endif # endif # endif diff --git a/usr.sbin/ipf/ipsend/iplang.h b/usr.sbin/ipf/ipsend/iplang.h index 7c75f37f174a..619d502f7cf9 100644 --- a/usr.sbin/ipf/ipsend/iplang.h +++ b/usr.sbin/ipf/ipsend/iplang.h @@ -1,7 +1,7 @@ -/* $NetBSD: iplang.h,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */ +/* $NetBSD: iplang.h,v 1.1.1.2 1997/10/30 05:30:27 mrg Exp $ */ /* - * (C)opyright 1997 by Darren Reed. + * Copyright (C) 1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given diff --git a/usr.sbin/ipf/ipsend/iplang.tst b/usr.sbin/ipf/ipsend/iplang.tst index 53457165a401..9a8c35e99507 100644 --- a/usr.sbin/ipf/ipsend/iplang.tst +++ b/usr.sbin/ipf/ipsend/iplang.tst @@ -2,19 +2,10 @@ interface { ifname le0; mtu 1500; } ipv4 { - src 10.1.1.49; dst 10.1.1.50; id 123; opt { rr 7; }; + src 1.1.1.1; dst 2.2.2.2; tcp { - seq 12345; ack 0; sport 9999; dport 23; flags S; - opt { mss 65535; }; data { value "abcdef"; } ; + seq 12345; ack 0; sport 9999; dport 23; flags S; + data { value "abcdef"; } ; } } -send { via 10.1.1.50; } -# -ipv4 { - src 10.1.1.49; dst 10.1.1.50; id 1; opt { lsrr 1.1.1.1; }; - tcp { - seq 12345; ack 0; sport 9999; dport 23; flags S; - opt { wscale 2 ; eol; mss 1; }; data { value "abcdef"; } ; - } -} -send { via 10.1.1.50; } +send { via 10.1.1.1; } 
diff --git a/usr.sbin/ipf/ipsend/iplang_l.l b/usr.sbin/ipf/ipsend/iplang_l.l index 7a1422fe1a23..927977d8f1ca 100644 --- a/usr.sbin/ipf/ipsend/iplang_l.l +++ b/usr.sbin/ipf/ipsend/iplang_l.l @@ -1,20 +1,31 @@ -/* $NetBSD: iplang_l.l,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */ +/* $NetBSD: iplang_l.l,v 1.1.1.2 1997/10/30 05:30:18 mrg Exp $ */ +%e 1500 +%p 4000 +%a 4000 +%o 6000 %{ /* - * (C)opyright 1997 by Darren Reed. + * Copyright (C) 1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * Id: iplang_l.l,v 2.0.2.8 1997/09/13 07:14:23 darrenr Exp + * Id: iplang_l.l,v 2.0.2.15 1997/09/28 07:13:08 darrenr Exp */ - #include #include #include +#if defined(__SVR4) || defined(__sysv__) +#include +#endif +#include +#include +#include #include "y.tab.h" +#include +#include "ipf.h" #ifndef __P # ifdef __STDC__ @@ -24,6 +35,8 @@ # endif #endif +extern int opts; + int lineNum = 0, proto = 0, oldproto = 0, next = -1, laststate = 0; int *prstack = NULL, numpr = 0, state = 0, token = 0; 
@@ -100,16 +113,62 @@ mss { return next_state(IL_TCPO_MSS, IL_TOKEN); } wscale { return next_state(IL_TCPO_MSS, IL_TOKEN); } reserv-4 { return next_state(IL_IPS_RESERV4, -1); } topsecret { return next_state(IL_IPS_TOPSECRET, -1); } -secret { return next_state(IL_IPS_SECRET, -1); } +secret { return next_state(IL_IPS_SECRET, -1); } reserv-3 { return next_state(IL_IPS_RESERV3, -1); } -confid { return next_state(IL_IPS_CONFID, -1); } -unclass { return next_state(IL_IPS_UNCLASS, -1); } +confid { return next_state(IL_IPS_CONFID, -1); } +unclass { return next_state(IL_IPS_UNCLASS, -1); } reserv-2 { return next_state(IL_IPS_RESERV2, -1); } reserv-1 { return next_state(IL_IPS_RESERV1, -1); } -\{ { push_proto(); return next_item(IL_LBRACE); } -\} { pop_proto(); return next_item(IL_RBRACE); } +icmp { return next_state(IL_ICMP, -1); } +type { return next_state(IL_ICMPTYPE, -1); } +code { return next_state(IL_ICMPCODE, -1); } +echorep { return next_state(IL_ICMP_ECHOREPLY, -1); } +unreach { return next_state(IL_ICMP_UNREACH, -1); } +squench { return next_state(IL_ICMP_SOURCEQUENCH, -1); } +redir { return next_state(IL_ICMP_REDIRECT, -1); } +echo { return next_state(IL_ICMP_ECHO, -1); } +routerad { return next_state(IL_ICMP_ROUTERADVERT, -1); } +routersol { return next_state(IL_ICMP_ROUTERSOLICIT, -1); } +timex { return next_state(IL_ICMP_TIMXCEED, -1); } +paramprob { return next_state(IL_ICMP_PARAMPROB, -1); } +timest { return next_state(IL_ICMP_TSTAMP, -1); } +timestrep { return next_state(IL_ICMP_TSTAMPREPLY, -1); } +inforeq { return next_state(IL_ICMP_IREQ, -1); } +inforep { return next_state(IL_ICMP_IREQREPLY, -1); } +maskreq { return next_state(IL_ICMP_MASKREQ, -1); } +maskrep { return next_state(IL_ICMP_MASKREPLY, -1); } +net-unr { return next_state(IL_ICMP_UNREACH_NET, -1); } +host-unr { return next_state(IL_ICMP_UNREACH_HOST, -1); } +proto-unr { return next_state(IL_ICMP_UNREACH_PROTOCOL, -1); } +port-unr { return next_state(IL_ICMP_UNREACH_PORT, -1); } +needfrag { 
return next_state(IL_ICMP_UNREACH_NEEDFRAG, -1); }
+srcfail { return next_state(IL_ICMP_UNREACH_SRCFAIL, -1); }
+net-unk { return next_state(IL_ICMP_UNREACH_NET_UNKNOWN, -1); }
+host-unk { return next_state(IL_ICMP_UNREACH_HOST_UNKNOWN, -1); }
+isolate { return next_state(IL_ICMP_UNREACH_ISOLATED, -1); }
+net-prohib { return next_state(IL_ICMP_UNREACH_NET_PROHIB, -1); }
+host-prohib { return next_state(IL_ICMP_UNREACH_HOST_PROHIB, -1); }
+net-tos { return next_state(IL_ICMP_UNREACH_TOSNET, -1); }
+host-tos { return next_state(IL_ICMP_UNREACH_TOSHOST, -1); }
+filter-prohib { return next_state(IL_ICMP_UNREACH_FILTER_PROHIB, -1); }
+host-preced { return next_state(IL_ICMP_UNREACH_HOST_PRECEDENCE, -1); }
+cutoff-preced { return next_state(IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1); }
+net-redir { return next_state(IL_ICMP_REDIRECT_NET, -1); }
+host-redir { return next_state(IL_ICMP_REDIRECT_HOST, -1); }
+tos-net-redir { return next_state(IL_ICMP_REDIRECT_TOSNET, -1); }
+tos-host-redir { return next_state(IL_ICMP_REDIRECT_TOSHOST, -1); }
+intrans { return next_state(IL_ICMP_TIMXCEED_INTRANS, -1); }
+reass { return next_state(IL_ICMP_TIMXCEED_REASS, -1); }
+optabsent { return next_state(IL_ICMP_PARAMPROB_OPTABSENT, -1); }
+otime { return next_state(IL_ICMP_OTIME, -1); }
+rtime { return next_state(IL_ICMP_RTIME, -1); }
+ttime { return next_state(IL_ICMP_TTIME, -1); }
+icmpseq { return next_state(IL_ICMP_SEQ, -1); }
+icmpid { return next_state(IL_ICMP_SEQ, -1); }
+\{ { push_proto(); return next_item('{'); }
+\} { pop_proto(); return next_item('}'); }
 \. { return next_item(IL_DOT); }
-; { return next_item(IL_SEMICOLON); }
+; { return next_item(';'); }
 [0-9]+ { return next_item(IL_NUMBER); }
 [0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
 : { return next_item(IL_COLON); }
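Review bot: The new `icmpid` rule returns the same token as `icmpseq` (`IL_ICMP_SEQ`), so the parser cannot distinguish an `icmpid` keyword from `icmpseq`; every other keyword added in this hunk maps to its own IL_ICMP_* token, which makes this look like a copy-and-paste slip rather than an intended alias. If the grammar defines a separate token for the ICMP identifier field, `icmpid` should return that token; if the aliasing is deliberate, a comment on the rule should say so. The yacc grammar that defines the IL_* tokens is not part of this diff, so I cannot confirm which.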
@@ -117,6 +176,15 @@ reserv-1 { return next_state(IL_IPS_RESERV1, -1); }
 [^ {}\n\t;]* { return next_item(IL_TOKEN); }
 \"[^\"]*\" { return next_item(IL_TOKEN); }
 %%
+void yyerror(msg)
+char *msg;
+{
+ fprintf(stderr, "%s error at \"%s\", line %d\n", msg, yytext,
+ lineNum + 1);
+ exit(1);
+}
+
+
 void push_proto()
 {
 numpr++;
diff --git a/usr.sbin/ipf/ipsend/ipsend.1 b/usr.sbin/ipf/ipsend/ipsend.1
index 7494de8ccf18..d99038ddca77 100644
--- a/usr.sbin/ipf/ipsend/ipsend.1
+++ b/usr.sbin/ipf/ipsend/ipsend.1
@@ -4,9 +4,9 @@ ipsend \- sends IP packets
 .SH SYNOPSIS
 .B ipsend
 [
-.B \-ITU
+.B \-dITUv
 ]
 [
-.B \-d
+.B \-i
 ]
 [
 .B \-f
@@ -46,8 +46,8 @@ attempt at making a TCP connection using a
 with ipsend resending the SYN packet as per the command line options.
 .SH OPTIONS
 .TP
-.BR \-d \0
-Set the interface name to be the name supplied.
+.BR \-d
+enable debugging mode.
 .TP
 .BR \-f \0
 The \fI-f\fP allows the IP offset field in the IP header to be set to an
@@ -58,6 +58,10 @@ Specify the hostname of the gateway through which to route packets.
 This is required whenever the destination host isn't directly attached to the same network as the host from which you're sending.
 .TP
+.BR \-i \0
+Set the interface name to be the name supplied.
+.TP
+.TP
 .BR \-m \0
 Specify the MTU to be used when sending out packets. This option allows you to set a fake MTU, allowing the simulation of network interfaces with small
@@ -91,6 +95,9 @@ Set the protocol to TCP.
 .TP
 .B \-U
 Set the protocol to UDP.
+.TP
+.BR \-d
+enable verbose mode.
 .DT
 .SH SEE ALSO
 ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
diff --git a/usr.sbin/ipf/ipsend/ipsend.5 b/usr.sbin/ipf/ipsend/ipsend.5
index aa1917b9bd5f..b6a3e0496775 100644
--- a/usr.sbin/ipf/ipsend/ipsend.5
+++ b/usr.sbin/ipf/ipsend/ipsend.5
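Review bot: The new `yyerror` prints the message and then calls `exit(1)`, but nothing says that this is the parser's error hook and that no recovery is attempted, and it lives in the lexer file where a reader looking for the yacc hook will not expect it; a one-line header such as `/* yacc/lex error hook: report the offending token and abort, no recovery */` would help. The `lineNum + 1` implies lineNum is kept zero-based somewhere else in this file, which is outside the hunk — worth confirming so the reported line matches what an editor shows. `fprintf` and `exit` require `<stdio.h>` and `<stdlib.h>`; the hunk does not show the lexer's include section, so I cannot tell whether both are already pulled in.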
@@ -11,52 +11,73 @@ also allows encapsulation to be so done to an arbitary level.
 .nf
 line ::= iface | arp | send | defrouter | ipv4line .
-iface ::= ifhdr "{" ifaceopts "}" .
+iface ::= ifhdr "{" ifaceopts "}" ";" .
 ifhdr ::= "interface" | "iface" .
-ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr | "eaddr" eaddr .
+ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr |
+ "eaddr" eaddr .
-send ::= "send" ";" | "send" "{" sendbodyopts "}" .
+send ::= "send" ";" | "send" "{" sendbodyopts "}" ";" .
 sendbodyopts ::= sendbody [ sendbodyopts ] .
 sendbody ::= "ifname" name | "via" ipaddr .
 defrouter ::= "router" ipaddr .
-arp ::= "arp" "{" arpbodyopts "}" .
+arp ::= "arp" "{" arpbodyopts "}" ";" .
 arpbodyopts ::= arpbody [ arpbodyopts ] .
 arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
-ipv4line ::= "ipv4" "{" ipv4bodyopts "}" .
-ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] .
+bodyline ::= ipv4line | tcpline | udpline | icmpline | dataline .
+
+ipv4line ::= "ipv4" "{" ipv4bodyopts "}" ";" .
+ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] | bodyline .
 ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
- "off" number | "v" number | "hl" number| "id" number |
- "ttl" number | "tos" number | "sum" number | "len" number |
- "opt" "{" ipv4optlist "}" | tcpline | udpline | icmpline |
- ipv4line .
+ "off" number | "v" number | "hl" number| "id" number |
+ "ttl" number | "tos" number | "sum" number | "len" number |
+ "opt" "{" ipv4optlist "}" ";" .
 ipv4optlist ::= ipv4option [ ipv4optlist ] .
 ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
- "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
- "secclass" ipv4secclass.
+ "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
+ "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
+ "secclass" ipv4secclass.
 ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
- "reserv-3" | "reserv-4" | "secret" | "topsecret" .
+ "reserv-3" | "reserv-4" | "secret" | "topsecret" .
-tcpline ::= "tcp" "{" tcpbodyopts "}" .
-tcpbodyopts ::= tcpbody [ tcpbodyopts ] .
+tcpline ::= "tcp" "{" tcpbodyopts "}" ";" .
+tcpbodyopts ::= tcpbody [ tcpbodyopts ] | bodyline .
 tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
- "off" number | "urp" number | "win" number | "sum" number |
- "flags" tcpflags | data .
+ "off" number | "urp" number | "win" number | "sum" number |
+ "flags" tcpflags | data .
-udpline ::= "udp" "{" udpbodyopts "}" .
-udpbodyopts ::= udpbody [ udpbodyopts ] .
+udpline ::= "udp" "{" udpbodyopts "}" ";" .
+udpbodyopts ::= udpbody [ udpbodyopts ] | bodyline .
 udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
- data .
+ data .
-icmpline ::= "icmp" "{" icmpbodyopts "}" .
-icmpbodyopts ::= icmpbody [ icmpbodyopts ] .
-icmpbody ::= "type" icmptype [ typeopts ] [ "code" icmpcode ] .
-icmptype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
+icmpline ::= "icmp" "{" icmpbodyopts "}" ";" .
+icmpbodyopts ::= icmpbody [ icmpbodyopts ] | bodyline .
+icmpbody ::= "type" icmptype [ "code" icmpcode ] .
+icmptype ::= "echorep" | "echorep" "{" echoopts "}" ";" | "unreach" |
+ "unreach" "{" unreachtype "}" ";" | "squench" | "redir" |
+ "redir" "{" redirtype "}" ";" | "echo" "{" echoopts "}" ";" |
+ "echo" | "routerad" | "routersol" | "timex" |
+ "timex" "{" timextype "}" ";" | "paramprob" |
+ "paramprob" "{" parapptype "}" ";" | "timest" | "timestrep" |
+ "inforeq" | "inforep" | "maskreq" | "maskrep" .
+
+echoopts ::= echoopts [ icmpechoopts ] .
+unreachtype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
+ "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
+ "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
+ "filter-prohib" | "host-preced" | "cutoff-preced" .
+redirtype ::= "net-redir" | "host-redir" | "tos-net-redir" |
+ "tos-host-redir" .
+timextype ::= "intrans" | "reass" .
+paramptype ::= "optabsent" .
+
+data ::= "data" "{" databodyopts "}" ";" .
+databodyopts ::= "len" number | "value" string | "file" filename .
+
+icmpechoopts ::= "icmpseq" number | "icmpid" number .
 .fi
 .SH COMMANDS
 .PP
@@ -136,6 +157,69 @@ is used to indicate the a ICMP protocol header is to follow. See the
 .B data
 is used to indicate that raw data is to be included in the IP packet. See the \fBDATA\fP section for details on options available.
+.SH "IPv4 Options"
+these keywords indicate that the releveant IP option should be added to the
+IP header (the header length field will be adjusted appropriately).
+.TP
+.B nop
+No Operation [RFC 791] (space filler).
+.TP
+.B rr
+Record Router [RFC 791]. The number given specifies the number of
+\fBbytes\fP to be used for storage. This should be a multiple of 4 for
+proper operation.
+.TP
+.B zsu
+Experimental Measurement.
+.TP
+.B mtup [RFC 1191].
+MTU Probe.
+.TP
+.B mtur [RFC 1191].
+MTU Ready.
+.TP
+.B encode
+.TP
+.B ts
+Timestamp [RFC 791].
+.TP
+.B tr
+Traceroute [RFC 1393].
+.TP
+.B "sec-class , sec"
+Security [RFC 1108]. This option specifies the security label for the packet.
+Using \fBsec\fP sets up the framework of the security option but unless
+\fBsec-class\fP is given, the level may not be set.
+.TP
+.B "lsrr "
+Loose Source Route [RFC 791].
+.TP
+.B e-sec
+Extended Security [RFC 1108].
+.TP
+.B cipso
+Commercial Security.
+.TP
+.B satid
+Stream ID [RFC 791].
+.TP
+.B "ssrr "
+Strict Source Route [RFC 791].
+.TP
+.B addext
+Address Extension
+.TP
+.B visa
+Expermental Access Control.
+.TP
+.B imitd
+IMI Traffic Descriptor.
+.TP
+.B eip
+[RFC 1358].
+.TP
+.B finn
+Experimental Flow Control.
 .SH TCP
 .TP
 .B sport
@@ -177,6 +261,13 @@ TCP header, the \fBoff\fP field is updated to match.
 .B data
 indicates that a data section is to follow and is to be included as raw data, being appended to the header.
+.SH "TCP options"
+With a TCP header, it is possible to append a number of header options.
+The TCP header offset will be updated automatically to reflect the change
+in size. The valid options are: \fBnop\fP No Operation,
+\fBeol\fP End Of (option) List, \fBmss [ size ]\fP Maximum Segment Size - this
+sets the maximum receivable size of a packet containing data,
+\fBwscale\fP Window Scale, \fBts\fP Timestamp.
 .SH UDP
 .TP
 .B sport
@@ -201,7 +292,7 @@ data, being appended to the header.
 .TP
 .B type
 sets the ICMP type according the to the icmptype tag. This may either be
-a number or one of the recognised tags (see the ICMP TYPES section for a
+a number or one of the recognised tags (see the \fBICMP TYPES\fP section for a
 list of names recognised).
 .TP
 .B code
@@ -229,6 +320,77 @@ octal numbers.
 .B file
 reads data in from the specified file and appends it to the current packet. If the new total length would exceed 64k, an error will be reported.
+.SH "ICMP TYPES"
+.TP
+.B echorep
+Eecho Reply.
+.TP
+.B "unreach [ unreachable-code ]"
+Generic Unreachable error. This is used to indicate that an error has
+occurred whilst trying to send the packet across the network and that the
+destination cannot be reached. The unreachable code names are:
+\fBnet-unr\fP network unreachable, \fBhost-unr\fP host unreachable,
+\fBproto-unr\fP protocol unreachable, \fBport-unr\fP port unreachable,
+\fBneedfrag\fP, \fBsrcfail\fP source route failed,
+\fBnet-unk\fP network unknown, \fBhost-unk\fP host unknown,
+\fBisolate\fP, \fBnet-prohib\fP administratively prohibited contact with
+network,
+\fBhost-prohib\fP administratively prohibited contact with host,
+\fBnet-tos\fP network unreachable with given TOS,
+\fBhost-tos\fP host unreachable with given TOS,
+\fBfilter-prohib\fP packet prohibited by packet filter,
+\fBhost-preced\fP,
+\fBcutoff-preced\fP.
+.TP
+.B squench
+Source Quence.
+.TP
+.B "redir [ redirect-code ]"
+Redirect (routing). This is used to indicate that the route being chosen
+for forwarding the packet is suboptimal and that the sender of the packet
+should be routing packets via another route. The redirect code names are:
+\fBnet-redir\fP redirect packets for a network,
+\fBhost-redir\fP redirect packets for a host,
+\fBtos-net-redir\fP redirect packets for a network with a given TOS,
+\fBtos-host-redir\fP redirect packets for a host with a given TOS.
+.TP
+.B echo
+Echo.
+.TP
+.B routerad
+Router Advertisment.
+.TP
+.B routersol
+Router solicitation.
+.TP
+.B "timex [ timexceed-code ]"
+Time Exceeded. This is used to indicate that the packet failed to reach the
+destination because it was in transit too long (i.e. ttl reached 0). The
+valid code names are: \fBintrans\fP,
+\fBreass\fP could not reassemble packet from fragments within a given time.
+.TP
+.B "paramprob [ paramprob-code ]"
+Parameter problem. There is only one available parameter problem code name:
+\fBoptabsent\fP.
+.TP
+.B timest
+Time stamp request.
+.TP
+.B "timestrep [ { timestamp-code } ]"
+Time stamp reply. In a timestamp reply, it is possible to supply the
+following values: \fBrtime\fP, \fBotime\fP, \fBttime\fP.
+.TP
+.B inforeq
+Information request.
+.TP
+.B inforep
+Information reply.
+.TP
+.B maskreq
+Address mask request.
+.TP
+.B maskrep
+Address mask reply.
 .SH FILES
 /etc/protocols
 /etc/services
diff --git a/usr.sbin/ipf/ipsend/tcpip.h b/usr.sbin/ipf/ipsend/tcpip.h
index 616f1e3bbe34..f3cc39aee192 100644
--- a/usr.sbin/ipf/ipsend/tcpip.h
+++ b/usr.sbin/ipf/ipsend/tcpip.h
@@ -1,4 +1,4 @@
-/* $NetBSD: tcpip.h,v 1.1.1.1 1997/09/21 16:49:15 veego Exp $ */
+/* $NetBSD: tcpip.h,v 1.1.1.2 1997/10/30 05:30:07 mrg Exp $ */
 /*
 * Copyright (c) 1982, 1986, 1993
@@ -33,7 +33,7 @@
 * SUCH DAMAGE.
 *
 * @(#)tcpip.h 8.1 (Berkeley) 6/10/93
- * Id: tcpip.h,v 2.0.2.2 1997/05/28 13:49:45 darrenr Exp
+ * Id: tcpip.h,v 2.0.2.3 1997/09/17 10:55:58 darrenr Exp
 */
 #ifndef _NETINET_TCPIP_H_
@@ -44,7 +44,11 @@
 */
 struct tcpiphdr {
 struct ipovly ti_i; /* overlaid ip structure */
+#ifdef linux
+ tcphdr_t ti_t;
+#else
 struct tcphdr ti_t; /* tcp header */
+#endif
 };
 #ifdef notyet
 /*
diff --git a/usr.sbin/ipf/rules/BASIC.NAT b/usr.sbin/ipf/rules/BASIC.NAT
new file mode 100644
index 000000000000..31bf1b3e71e2
--- /dev/null
+++ b/usr.sbin/ipf/rules/BASIC.NAT
@@ -0,0 +1,45 @@
+#!/sbin/ipnat -f -
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# If we have only 1 valid IP address from our ISP, then we do this:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
+map ppp0 w.x.y.z/24 -> a.b.c.d/32
+#
+# if we get a different dialup IP address each time, then we would use:
+#
+#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> 0/32
+#
+# If we have a class C address space of valid IP#'s from our ISP, then we can
+# do this:
+#
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24
+#
+# or, if we only have a small number of PC's, this:
+#
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32
+#
+# To make ftp work, using the internal ftp proxy, use:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
+#
diff --git a/usr.sbin/ipf/rules/BASIC_1.FW b/usr.sbin/ipf/rules/BASIC_1.FW
new file mode 100644
index 000000000000..be42c0b1ffb1
--- /dev/null
+++ b/usr.sbin/ipf/rules/BASIC_1.FW
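Review bot: The ftp proxy rule `map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp` is placed after the two generic `map ppp0 w.x.y.z/24 -> a.b.c.d/32 ...` rules that match the same source; if ipnat applies the first matching map rule (which I believe it does, but cannot confirm from this page), port-21 control connections are translated by the portmap rule and never reach the proxy. Moving the proxy line ahead of the generic rules, or a comment stating the ordering the file relies on, would make the intent explicit. The header describes ed0 as `w.x.y.z/32` while every rule uses `w.x.y.z/24`; the comment should say which is the interface address and which is the internal network being translated.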
@@ -0,0 +1,99 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: RESTRICTIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything. This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block in log proto tcp all flags S/SA head 101 group 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block in log proto tcp all flags S/SA head 201 group 200
+block in log proto udp all head 202 group 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.0.0.0/16 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Allow outgoing DNS requests (no named on firewall)
+#
+pass in quick proto udp from any to any port = 53 keep state group 202
+#
+# If we were running named on the firewall and all internal hosts talked to
+# it, we'd use the following:
+#
+#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
+#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
+#
+# Allow outgoing FTP from any internal host to any external FTP server.
+#
+pass in quick proto tcp from any to any port = ftp keep state group 201
+pass in quick proto tcp from any to any port = ftp-data keep state group 201
+pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
+#
+# Allow NTP from any internal host to any external NTP server.
+#
+pass in quick proto udp from any to any port = ntp keep state group 202
+#
+# Allow outgoing connections: SSH, TELNET, WWW
+#
+pass in quick proto tcp from any to any port = 22 keep state group 201
+pass in quick proto tcp from any to any port = telnet keep state group 201
+pass in quick proto tcp from any to any port = www keep state group 201
+#
+#-------------------------------------------------------
+block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
+#
+# Allow incoming to the external firewall interface: mail, WWW, DNS
+#
+pass in log quick proto tcp from any to any port = smtp keep state group 110
+pass in log quick proto tcp from any to any port = www keep state group 110
+pass in log quick proto tcp from any to any port = 53 keep state group 110
+pass in log quick proto udp from any to any port = 53 keep state group 100
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/usr.sbin/ipf/rules/BASIC_2.FW b/usr.sbin/ipf/rules/BASIC_2.FW
new file mode 100644
index 000000000000..c2566eac40a8
--- /dev/null
+++ b/usr.sbin/ipf/rules/BASIC_2.FW
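Review bot: `block in log quick from 172.0.0.0/16 to any group 100` under "Deny reserved addresses" does not match the RFC 1918 block, which is 172.16.0.0/12; as written it drops a range that is not reserved and lets sources in 172.16.0.0–172.31.255.255 fall through to the later rules, so the line should read `block in log quick from 172.16.0.0/12 to any group 100`. The same line appears in BASIC_2.FW. The anti-spoofing rule `block in log quick from a.b.c.d/24 to any group 100` rejects the external address's entire /24 arriving on ppp0, which looks over-broad for a dialup that owns only a.b.c.d/32, while packets arriving on ppp0 with an internal w.x.y.z/24 source are not rejected anywhere in the file — worth confirming which case was intended. `pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101` admits any external host that uses source port 20 to every internal port above 1023; that is inherent to active FTP, and a comment saying so would stop readers from copying the rule without understanding the exposure.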
@@ -0,0 +1,72 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: PERMISSIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything. This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.0.0.0/16 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Allow any communication between the inside network and the outside only.
+#
+# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
+#
+pass in log quick proto tcp all SA flags S/SA keep state group 200
+#
+# Support all UDP `connections' initiated from inside.
+#
+# Allow ping out
+#
+pass in log quick proto icmp all keep state group 200
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/usr.sbin/ipf/rules/Makefile b/usr.sbin/ipf/rules/Makefile
index ace24df0a7dc..c5ee67c5afc9 100644
--- a/usr.sbin/ipf/rules/Makefile
+++ b/usr.sbin/ipf/rules/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1.1.1 1997/09/21 16:49:25 veego Exp $
+# $NetBSD: Makefile,v 1.1.1.2 1997/10/30 05:31:07 mrg Exp $
 FILESDIR= /usr/share/samples/ipf
diff --git a/usr.sbin/ipf/rules/example.10 b/usr.sbin/ipf/rules/example.10
index 477c2e071a0e..560d1e670f61 100644
--- a/usr.sbin/ipf/rules/example.10
+++ b/usr.sbin/ipf/rules/example.10
@@ -1,8 +1,8 @@
 #
 # pass ack packets (ie established connection)
 #
-pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
-pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
+pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
 #
 # block incoming connection requests to my internal network from the big bad
 # internet.
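Review bot: `pass in log quick proto tcp all SA flags S/SA keep state group 200` carries a stray `SA` token between `all` and `flags`; the equivalent rule in BASIC_1.FW is written `proto tcp all flags S/SA`, and this form looks like it would be rejected or misparsed by ipf when the sample is loaded. The comment `# Support all UDP `connections' initiated from inside.` is not followed by any `proto udp` rule, so under the group-200 default `block in log on ed0 ...` internal UDP traffic (DNS included) is dropped despite what the comment promises; either add the rule the comment describes, such as `pass in log quick proto udp all keep state group 200`, or reword the comment. The `172.0.0.0/16` reserved-address mistake noted on BASIC_1.FW is repeated here unchanged.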
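Review bot: The comment `# pass ack packets (ie established connection)` overstates what the corrected rules check: `flags A/A` passes any TCP segment with ACK set in either direction, whether or not a connection exists, which is the well-known weakness of flag-based "established" filtering. If this sample is meant to illustrate established-connection handling, `keep state` on the SYN rule is the stronger construct this version supports (BASIC_1.FW in the same commit uses it); otherwise the comment should say `# pass ACK-flagged packets` rather than claiming an established connection.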