Resolve conflicts from the merge of ipf 3.2beta5.

veego 1997-09-21 18:00:54 +00:00
parent b325cdd771
commit 4508fb4354
43 changed files with 1152 additions and 930 deletions


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.7 1997/07/06 22:12:56 thorpej Exp $
# $NetBSD: Makefile,v 1.8 1997/09/21 18:03:55 veego Exp $
.include "../Makefile.inc"
@ -6,7 +6,7 @@
KMOD= if_ipl
SRCS= ip_fil.c fil.c mln_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c \
ip_auth.c
ip_auth.c ip_log.c
NOMAN= yes
.include <bsd.kmod.mk>


@ -1,4 +1,4 @@
/* $NetBSD: ipl.h,v 1.6 1997/07/05 05:52:40 darrenr Exp $ */
/* $NetBSD: ipl.h,v 1.7 1997/09/21 18:03:58 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -13,6 +13,6 @@
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter v3.2beta1"
#define IPL_VERSION "IP Filter v3.2beta5"
#endif


@ -1,4 +1,4 @@
/* $NetBSD: mln_ipl.c,v 1.15 1997/07/19 22:42:18 kleink Exp $ */
/* $NetBSD: mln_ipl.c,v 1.16 1997/09/21 18:04:00 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -23,6 +23,7 @@
(defined(NetBSD1_2) && NetBSD1_2 > 1)
# define NETBSD_PF
#endif
#include <sys/systm.h>
#include <sys/conf.h>
#include <sys/file.h>
@ -36,8 +37,6 @@
#include <sys/mount.h>
#include <sys/exec.h>
#include <sys/mbuf.h>
#if defined(__NetBSD__) || (defined(__FreeBSD_version) && \
(__FreeBSD_version >= 199511))
#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
@ -46,10 +45,6 @@
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#endif
#ifndef __NetBSD__
#include <sys/sysent.h>
#endif
#include <sys/lkm.h>
#include "ipl.h"
#include <netinet/ip_compat.h>
@ -68,9 +63,10 @@
#include <net/pfil.h>
#endif
extern int lkmenodev __P((void));
int if_ipl_lkmentry __P((struct lkm_table *, int, int));
int if_ipl_lkmentry __P((struct lkm_table *, int, int));
static int ipl_unload __P((void));
static int ipl_load __P((void));
static int ipl_remove __P((void));
@ -118,17 +114,27 @@ extern int vd_unuseddev __P((void));
extern struct cdevsw cdevsw[];
extern int nchrdev;
static int
iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
int cmd;
int
if_ipl_lkmentry(lkmtp, cmd, ver)
struct lkm_table *lkmtp;
int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
int cmd;
{
int i;
struct lkm_dev *args = lkmtp->private.lkm_dev;
int err = 0;
switch (cmd) {
case LKM_E_LOAD:
switch (cmd)
{
case LKM_E_LOAD :
if (lkmexists(lkmtp))
return EEXIST;
@ -143,17 +149,15 @@ iplaction(lkmtp, cmd)
ipl_major = i;
args->lkm_offset = i; /* slot in cdevsw[] */
#ifdef DEBUG
printf("IP Filter: loaded into slot %d\n", ipl_major);
#endif
return ipl_load();
case LKM_E_UNLOAD:
case LKM_E_UNLOAD :
err = ipl_unload();
if (!err)
printf("IP Filter: unloaded from slot %d\n",
ipl_major);
return err;
case LKM_E_STAT:
ipl_major);
break;
case LKM_E_STAT :
break;
default:
err = EIO;
@ -163,8 +167,7 @@ iplaction(lkmtp, cmd)
}
static int
ipl_remove()
static int ipl_remove()
{
char *name;
struct nameidata nd;
@ -183,10 +186,9 @@ ipl_remove()
}
static int
ipl_unload()
static int ipl_unload()
{
int error;
int error = 0;
/*
* Unloading - remove the filter rule check from the IP
@ -200,8 +202,7 @@ ipl_unload()
}
static int
ipl_load()
static int ipl_load()
{
struct nameidata nd;
struct vattr vattr;
@ -239,12 +240,3 @@ ipl_load()
}
return error;
}
int
if_ipl_lkmentry(lkmtp, cmd, ver)
struct lkm_table *lkmtp;
int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}


@ -1,4 +1,4 @@
/* $NetBSD: fil.c,v 1.14 1997/07/08 05:54:02 mrg Exp $ */
/* $NetBSD: fil.c,v 1.15 1997/09/21 18:03:06 veego Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "Id: fil.c,v 2.0.2.26 1997/07/05 04:38:38 darrenr Exp";
static char rcsid[] = "Id: fil.c,v 2.0.2.32 1997/08/26 13:27:00 darrenr Exp ";
#endif
#include <sys/errno.h>
@ -83,7 +83,7 @@ extern int opts;
# define FR_IFDEBUG(ex,second,verb_pr) ;
# define FR_VERBOSE(verb_pr)
# define FR_DEBUG(verb_pr)
# define IPLLOG(a, c, d, e) ipllog(a, IPL_LOGIPF, c, d, e)
# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
# if SOLARIS
extern kmutex_t ipf_mutex, ipf_auth;
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
@ -108,11 +108,12 @@ extern kmutex_t ipf_mutex, ipf_auth;
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
struct frgroup *ipfgroups[3][2];
int fr_flags = IPF_LOGGING, fr_active = 0;
#if defined(IPFILTER_DEFAULT_BLOCK)
int fr_pass = FR_NOMATCH;
int fr_pass = FR_NOMATCH|FR_BLOCK;
#else
int fr_pass = FR_PASS;
int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
#endif
fr_info_t frcache[2];
@ -494,6 +495,10 @@ void *m;
fin->fin_icode = fr->fr_icode;
fin->fin_rule = rulen;
fin->fin_fr = fr;
if (fr->fr_grp) {
fin->fin_fr = fr->fr_grp;
pass = fr_scanlist(pass, ip, fin, m);
}
if (pass & FR_QUICK)
break;
}
@ -516,7 +521,7 @@ qif_t *qif;
mb_t **mp;
ip_t *ip;
int hlen;
struct ifnet *ifp;
void *ifp;
int out;
{
/*
@ -586,20 +591,20 @@ int out;
*/
if (!apass) {
fc = frcache + out;
if (fc->fin_fr &&
!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
/*
* copy cached data so we can unlock the mutex
* earlier.
*/
bcopy((char *)fc, (char *)fin, sizeof(*fin));
bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
frstats[out].fr_chit++;
pass = fin->fin_fr->fr_flags;
fr = fin->fin_fr;
pass = fr ? fr->fr_flags : fr_pass;
} else {
pass = fr_pass;
if ((fin->fin_fr = ipfilter[out][fr_active]))
pass = FR_SCANLIST(fr_pass, ip, fin, m);
bcopy((char *)fin, (char *)fc, FI_CSIZE);
bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
if (pass & FR_NOMATCH)
frstats[out].fr_nom++;
}
@ -797,38 +802,10 @@ logit:
}
#ifdef IPFILTER_LOG
int fr_copytolog(dev, buf, len)
int dev;
char *buf;
int len;
{
register char *bufp = iplbuf[dev], *tp = iplt[dev], *hp = iplh[dev];
register int clen, tail;
tail = (hp >= tp) ? (bufp + IPLLOGSIZE - hp) : (tp - hp);
clen = MIN(tail, len);
bcopy(buf, hp, clen);
len -= clen;
tail -= clen;
hp += clen;
buf += clen;
if (hp == bufp + IPLLOGSIZE) {
hp = bufp;
tail = tp - hp;
}
if (len && tail) {
clen = MIN(tail, len);
bcopy(buf, hp, clen);
len -= clen;
hp += clen;
}
iplh[dev] = hp;
return len;
}
#endif
/*
* ipf_cksum
* addr should be 16bit aligned and len is in bytes.
*/
u_short ipf_cksum(addr, len)
register u_short *addr;
register int len;
@ -949,3 +926,136 @@ nodata:
sum = (u_short)((~sum) & 0xffff);
return sum;
}
#if defined(_KERNEL) && (BSD < 199306) && !SOLARIS
/*
* Copyright (c) 1982, 1986, 1988, 1991, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* Id: fil.c,v 2.0.2.32 1997/08/26 13:27:00 darrenr Exp
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
* continuing for "len" bytes, into the indicated buffer.
*/
#include <sys/mbuf.h>
void
m_copydata(m, off, len, cp)
register struct mbuf *m;
register int off;
register int len;
caddr_t cp;
{
register unsigned count;
if (off < 0 || len < 0)
panic("m_copydata");
while (off > 0) {
if (m == 0)
panic("m_copydata");
if (off < m->m_len)
break;
off -= m->m_len;
m = m->m_next;
}
while (len > 0) {
if (m == 0)
panic("m_copydata");
count = MIN(m->m_len - off, len);
bcopy(mtod(m, caddr_t) + off, cp, count);
len -= count;
cp += count;
off = 0;
m = m->m_next;
}
}
/*
* Copy data from a buffer back into the indicated mbuf chain,
* starting "off" bytes from the beginning, extending the mbuf
* chain if necessary.
*/
void
m_copyback(m0, off, len, cp)
struct mbuf *m0;
register int off;
register int len;
caddr_t cp;
{
register int mlen;
register struct mbuf *m = m0, *n;
int totlen = 0;
if (m0 == 0)
return;
while (off > (mlen = m->m_len)) {
off -= mlen;
totlen += mlen;
if (m->m_next == 0) {
n = m_getclr(M_DONTWAIT, m->m_type);
if (n == 0)
goto out;
n->m_len = min(MLEN, len + off);
m->m_next = n;
}
m = m->m_next;
}
while (len > 0) {
mlen = min (m->m_len - off, len);
bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
cp += mlen;
len -= mlen;
mlen += off;
off = 0;
totlen += mlen;
if (len == 0)
break;
if (m->m_next == 0) {
n = m_get(M_DONTWAIT, m->m_type);
if (n == 0)
break;
n->m_len = min(MLEN, len);
m->m_next = n;
}
m = m->m_next;
}
out:
#if 0
if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
m->m_pkthdr.len = totlen;
#endif
return;
}
#endif
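Review bot: The rule-cache hit path in fr_check now copies FI_COPYSIZE bytes from the cached entry back into fin, and per the ip_fil.h change in this commit FI_COPYSIZE is sizeof(fr_info_t) minus the last two pointers (fin_dp, fin_mp), so fin_ifp and fin_fr are presumably overwritten with the cached packet's interface and rule, while the lookup compares only FI_CSIZE bytes, which does not appear to cover fin_ifp. If that reading is right, a packet arriving on one interface can take the decision cached for an identical header seen on another interface, which matters because rules can be bound to an interface through fr_ifname, and any log entry or reset generated afterwards would carry the cached interface. Dropping the `fc->fin_fr &&` guard also means the cache now serves no-match results, so this is no longer confined to packets that matched a rule. Either include the interface in the compare (e.g. `if (fc->fin_ifp == fin->fin_ifp && !bcmp((char *)fin, (char *)fc, FI_CSIZE))`) or preserve it across the copy (`ifp = fin->fin_ifp; bcopy(...); fin->fin_ifp = ifp;`). fr_check begins and ends outside this hunk.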


@ -1,4 +1,4 @@
/* $NetBSD: ip_auth.c,v 1.3 1997/07/07 22:21:21 fvdl Exp $ */
/* $NetBSD: ip_auth.c,v 1.4 1997/09/21 18:03:09 veego Exp $ */
/*
* (C)opyright 1997 by Darren Reed & Guido van Rooij.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char rcsid[] = "Id: ip_auth.c,v 2.0.2.11 1997/06/23 09:20:44 darrenr Exp";
static char rcsid[] = "Id: ip_auth.c,v 2.0.2.14 1997/09/13 07:13:04 darrenr Exp ";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@ -44,7 +44,6 @@ static char rcsid[] = "Id: ip_auth.c,v 2.0.2.11 1997/06/23 09:20:44 darrenr Exp"
#ifdef __NetBSD__
# include <machine/cpu.h>
#endif
#include <net/if.h>
#ifdef sun
#include <net/af.h>


@ -1,4 +1,4 @@
/* $NetBSD: ip_compat.h,v 1.8 1997/07/06 05:29:14 thorpej Exp $ */
/* $NetBSD: ip_compat.h,v 1.9 1997/09/21 18:03:11 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
* Id: ip_compat.h,v 2.0.2.18 1997/07/05 04:38:40 darrenr Exp
* Id: ip_compat.h,v 2.0.2.22 1997/09/09 14:26:36 darrenr Exp
*/
#ifndef __IP_COMPAT_H__
@ -159,7 +159,7 @@ typedef unsigned long u_32_t;
#define IPOPT_FINN 205 /* FINN */
#ifdef __FreeBSD__
#if defined(__FreeBSD__) && defined(KERNEL)
# include <machine/spl.h>
# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
# define ACTUALLY_LKM_NOT_KERNEL
@ -198,10 +198,10 @@ typedef struct qif {
void *qf_optr;
queue_t *qf_in;
queue_t *qf_out;
void *qf_wqinfo;
void *qf_rqinfo;
int (*qf_inp) __P((queue_t *, mblk_t *));
int (*qf_outp) __P((queue_t *, mblk_t *));
struct qinit *qf_wqinfo;
struct qinit *qf_rqinfo;
struct qinit qf_wqinit;
struct qinit qf_rqinit;
mblk_t *qf_m; /* These three fields are for passing data up from */
queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
int qf_off;
@ -235,7 +235,7 @@ extern ill_t *get_unit __P((char *));
# endif /* sun */
# if defined(sun) && !defined(linux)
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
# define SLEEP(id, n) sleep((id), PZERO+1)
# define WAKEUP(id) wakeup(id)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
@ -307,24 +307,127 @@ typedef struct mbuf mb_t;
#endif
#ifdef linux
/*
* These #ifdef's are here mainly for linux, but who knows, they may
* not be in other places or maybe one day linux will grow up and some
* of these will turn up there too.
*/
#ifndef ICMP_UNREACH
# define ICMP_UNREACH ICMP_DEST_UNREACH
#endif
#ifndef ICMP_SOURCEQUENCH
# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
#endif
#ifndef ICMP_TIMXCEED
# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
#endif
#ifndef ICMP_PARAMPROB
# define ICMP_PARAMPROB ICMP_PARAMETERPROB
#endif
#ifndef IPVERSION
# define IPVERSION 4
#endif
#ifndef IPOPT_MINOFF
# define IPOPT_MINOFF 4
#endif
#ifndef IPOPT_COPIED
# define IPOPT_COPIED(x) ((x)&0x80)
#endif
#ifndef IPOPT_EOL
# define IPOPT_EOL 0
#endif
#ifndef IPOPT_NOP
# define IPOPT_NOP 1
#endif
#ifndef IP_MF
# define IP_MF ((u_short)0x2000)
#endif
#ifndef ETHERTYPE_IP
# define ETHERTYPE_IP ((u_short)0x0800)
#endif
#ifndef TH_FIN
# define TH_FIN 0x01
#endif
#ifndef TH_SYN
# define TH_SYN 0x02
#endif
#ifndef TH_RST
# define TH_RST 0x04
#endif
#ifndef TH_PUSH
# define TH_PUSH 0x08
#endif
#ifndef TH_ACK
# define TH_ACK 0x10
#endif
#ifndef TH_URG
# define TH_URG 0x20
#endif
#ifndef IPOPT_EOL
# define IPOPT_EOL 0
#endif
#ifndef IPOPT_NOP
# define IPOPT_NOP 1
#endif
#ifndef IPOPT_RR
# define IPOPT_RR 7
#endif
#ifndef IPOPT_TS
# define IPOPT_TS 68
#endif
#ifndef IPOPT_SECURITY
# define IPOPT_SECURITY 130
#endif
#ifndef IPOPT_LSRR
# define IPOPT_LSRR 131
#endif
#ifndef IPOPT_SATID
# define IPOPT_SATID 136
#endif
#ifndef IPOPT_SSRR
# define IPOPT_SSRR 137
#endif
#ifndef IPOPT_SECUR_UNCLASS
# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
#endif
#ifndef IPOPT_SECUR_CONFID
# define IPOPT_SECUR_CONFID ((u_short)0xf135)
#endif
#ifndef IPOPT_SECUR_EFTO
# define IPOPT_SECUR_EFTO ((u_short)0x789a)
#endif
#ifndef IPOPT_SECUR_MMMM
# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
#endif
#ifndef IPOPT_SECUR_RESTR
# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
#endif
#ifndef IPOPT_SECUR_SECRET
# define IPOPT_SECUR_SECRET ((u_short)0xd788)
#endif
#ifndef IPOPT_SECUR_TOPSECRET
# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
#endif
# if LINUX < 0200
# define icmp icmphdr
# define icmp_type type
# define icmp_code code
# endif
typedef struct {
__u16 th_sport;
__u16 th_dport;
__u32 th_seq;
__u32 th_ack;
__u8 th_x;
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
defined(vax)
__u8 th_res:4;
__u8 th_off:4;
#else
__u8 th_off:4;
__u8 th_res:4;
#endif
__u8 th_flags;
__u16 th_win;
__u16 th_sum;
@ -409,6 +512,12 @@ struct ipovly {
struct in_addr ih_dst; /* destination internet address */
};
typedef struct {
__u8 ether_dhost[6];
__u8 ether_shost[6];
__u16 ether_type;
} ether_header_t;
# define SPLX(x) (void)
# define SPLNET(x) (void)
# define SPLIMP(x) (void)
@ -439,6 +548,13 @@ typedef struct tcphdr tcphdr_t;
typedef struct udphdr udphdr_t;
typedef struct icmp icmphdr_t;
typedef struct ip ip_t;
typedef struct ether_header ether_header_t;
#endif /* linux */
#ifndef ICMP_ROUTERADVERT
# define ICMP_ROUTERADVERT 9
#endif
#ifndef ICMP_ROUTERSOLICIT
# define ICMP_ROUTERSOLICIT 10
#endif
#endif /* __IP_COMPAT_H__ */
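Review bot: IPOPT_EOL and IPOPT_NOP are defined twice inside the new linux compatibility block, once next to IPOPT_MINOFF/IPOPT_COPIED and again just before IPOPT_RR; the second pair is dead under `#ifndef` and should be dropped so the option table reads as one list. The th_off/th_res nibble order in the local tcphdr typedef is picked by a hand-maintained architecture list (`__i386__`, `__MIPSEL__`, `__alpha__`, `vax`) with the big-endian order as the fallback; bit-field layout is implementation-defined and any little-endian target missing from that list would decode the TCP data offset wrongly, so keying the choice on the kernel's byte-order macro, or at least a comment stating the assumption, would be safer. The `#else`/`#endif` of that conditional are also not indented like the surrounding `# if` lines.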


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.c,v 1.23 1997/07/06 22:32:34 thorpej Exp $ */
/* $NetBSD: ip_fil.c,v 1.24 1997/09/21 18:03:13 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "Id: ip_fil.c,v 2.0.2.25 1997/07/05 04:38:41 darrenr Exp";
static char rcsid[] = "Id: ip_fil.c,v 2.0.2.34 1997/09/10 13:08:16 darrenr Exp ";
#endif
#ifndef SOLARIS
@ -113,32 +113,28 @@ static void (*fr_saveslowtimo) __P((void));
int ipl_inited = 0;
int ipl_unreach = ICMP_UNREACH_FILTER;
#ifdef IPFILTER_LOG
char iplbuf[IPL_LOGMAX+1][IPLLOGSIZE];
caddr_t iplh[IPL_LOGMAX+1], iplt[IPL_LOGMAX+1];
int iplused[IPL_LOGMAX+1] = {0,0,0};
#endif /* IPFILTER_LOG */
static void fixskip __P((frentry_t **, frentry_t *, int));
static void frzerostats __P((caddr_t));
static void frflush __P((caddr_t));
static void ipfsync __P((void));
static void fr_delgroup __P((u_short, u_32_t, int, int));
static frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int));
static frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***));
#ifdef __NetBSD__
static int frrequest __P((int, u_long, caddr_t, int));
#else
static int frrequest __P((int, int, caddr_t, int));
#endif
static void frzerostats __P((caddr_t));
static void fixskip __P((frentry_t **, frentry_t *, int));
#ifdef _KERNEL
static int (*fr_savep) __P((struct ip *, int, struct ifnet *,
static int (*fr_savep) __P((struct ip *, int, void *,
int, struct mbuf **));
#else
int ipllog __P((void));
void init_ifp __P((void));
/*
static int (*fr_savep) __P((struct ip *, int, struct ifnet *,
int, char *));
*/
static int no_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *));
static int write_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *));
static int write_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *));
#endif
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
@ -164,8 +160,7 @@ struct devsw iplsw = {
/*
* We provide the fr_checkp name just to minimize changes later.
*/
int (*fr_checkp) __P((ip_t *ip, int hlen, struct ifnet *ifp, int out,
mb_t **mp));
int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
# endif /* NETBSD_PF */
#endif /* __NetBSD__ */
@ -184,15 +179,10 @@ char *s;
/*
* BSD pseudo-device attach routine; this is a no-op.
*/
/* ARGSUSED */
# if defined(__NetBSD__)
void
ipfilterattach(count)
# else
void
iplattach(count)
# endif /* __NetBSD__ */
int count;
int count;
{
/*
@ -200,14 +190,17 @@ iplattach(count)
* by the SIOCFRENB ioctl.
*/
}
# endif
# if defined(__NetBSD__)
int ipl_enable()
# else
int iplattach()
# endif
{
char *defpass;
int s;
# ifdef IPFILTER_LOG
int i;
# endif
SPLNET(s);
if (ipl_inited || (fr_checkp == fr_check)) {
@ -221,21 +214,16 @@ int ipl_enable()
# endif
ipl_inited = 1;
bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2);
bzero((char *)frcache, sizeof(frcache));
bzero((char *)nat_table, sizeof(nat_table));
fr_savep = fr_checkp;
fr_checkp = fr_check;
fr_saveslowtimo = inetsw[0].pr_slowtimo;
inetsw[0].pr_slowtimo = ipfr_slowtimer;
# ifdef IPFILTER_LOG
/*
* Set log buffer pointers for each of the log buffers
*/
for (i = 0; i <= 2; i++) {
iplh[i] = iplbuf[i];
iplt[i] = iplbuf[i];
}
# endif
#ifdef IPFILTER_LOG
ipflog_init();
#endif
SPLX(s);
if (fr_pass & FR_PASS)
defpass = "pass";
@ -253,7 +241,11 @@ int ipl_enable()
* Disable the filter by removing the hooks from the IP input/output
* stream.
*/
# if defined(__NetBSD__)
int ipl_disable()
# else
int ipldetach()
# endif
{
int s, i = FR_INQUE|FR_OUTQUE;
@ -367,7 +359,7 @@ int mode;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
int error = 0, unit;
int error = 0, unit = 0;
#ifdef _KERNEL
unit = minor(dev);
@ -390,10 +382,11 @@ int mode;
switch (cmd) {
case FIONREAD :
#ifdef IPFILTER_LOG
*(int *)data = iplused[IPL_LOGIPF];
IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
sizeof(iplused[IPL_LOGIPF]));
#endif
break;
#if defined(_KERNEL)
#if (!defined(IPFILTER_LKM) || defined(__NetBSD__)) && defined(_KERNEL)
case SIOCFRENB :
{
u_int enable;
@ -402,10 +395,17 @@ int mode;
error = EPERM;
else {
IRCOPY(data, (caddr_t)&enable, sizeof(enable));
# if defined(__NetBSD__)
if (enable)
error = ipl_enable();
else
error = ipl_disable();
# else
if (enable)
error = iplattach();
else
error = ipldetach();
# endif
}
break;
}
@ -480,25 +480,28 @@ int mode;
case SIOCIPFFB :
if (!(mode & FWRITE))
error = EPERM;
else {
*(int *)data = iplused[unit];
iplh[unit] = iplt[unit] = iplbuf[unit];
iplused[unit] = 0;
}
else
*(int *)data = ipflog_clear(unit);
break;
#endif /* IPFILTER_LOG */
case SIOCGFRST :
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
break;
case SIOCAUTHW:
case SIOCAUTHR:
case SIOCAUTHW :
case SIOCAUTHR :
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
case SIOCATHST:
case SIOCATHST :
error = fr_auth_ioctl(data, cmd, NULL, NULL);
break;
case SIOCFRSYN :
if (!(mode & FWRITE))
error = EPERM;
else
ipfsync();
break;
default :
error = EINVAL;
break;
@ -507,6 +510,22 @@ int mode;
return error;
}
static void ipfsync()
{
#ifdef KERNEL
struct ifnet *ifp;
# if (NetBSD >= 199511)
for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
# else
for (ifp = ifnet; ifp; ifp = ifp->if_next)
# endif
ip_natsync(ifp);
#endif
}
static void fixskip(listp, rp, addremove)
frentry_t **listp, *rp;
int addremove;
@ -526,6 +545,71 @@ int addremove;
}
static frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
u_short num;
u_32_t flags;
int which, set;
frgroup_t ***fgpp;
{
frgroup_t *fg, **fgp;
if (which == IPL_LOGAUTH)
fgp = &ipfgroups[2][set];
else if (flags & FR_ACCOUNT)
fgp = &ipfgroups[1][set];
else if (flags & (FR_OUTQUE|FR_INQUE))
fgp = &ipfgroups[0][set];
else
return NULL;
while ((fg = *fgp))
if (fg->fg_num == num)
break;
else
fgp = &fg->fg_next;
if (fgpp)
*fgpp = fgp;
return fg;
}
static frgroup_t *fr_addgroup(num, fp, which, set)
u_short num;
frentry_t *fp;
int which, set;
{
frgroup_t *fg, **fgp;
if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
return fg;
KMALLOC(fg, frgroup_t *, sizeof(*fg));
if (fg) {
fg->fg_num = num;
fg->fg_next = *fgp;
fg->fg_head = fp;
fg->fg_start = &fp->fr_grp;
*fgp = fg;
}
return fg;
}
static void fr_delgroup(num, flags, which, set)
u_short num;
u_32_t flags;
int which, set;
{
frgroup_t *fg, **fgp;
if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
return;
*fgp = fg->fg_next;
KFREE(fg);
}
static int frrequest(unit, req, data, set)
int unit;
#ifdef __NetBSD__
@ -540,12 +624,25 @@ caddr_t data;
register frentry_t **ftail;
frentry_t frd;
frdest_t *fdp;
int error = 0, in;
frgroup_t *fg = NULL;
int error = 0, in, group;
fp = &frd;
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
/*
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
if (fp->fr_grhead &&
fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL))
return EEXIST;
if (fp->fr_group &&
!fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL))
return ESRCH;
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
if (unit == IPL_LOGAUTH)
ftail = fprev = &ipauth;
else if (fp->fr_flags & FR_ACCOUNT)
@ -555,12 +652,18 @@ caddr_t data;
else
return ESRCH;
if ((group = fp->fr_group)) {
if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
return ESRCH;
ftail = fprev = fg->fg_start;
}
bzero((char *)frcache, sizeof(frcache[0]) * 2);
if (*fp->fr_ifname) {
fp->fr_ifa = GETUNIT(fp->fr_ifname);
if (!fp->fr_ifa)
fp->fr_ifa = (struct ifnet *)-1;
fp->fr_ifa = (void *)-1;
}
fdp = &fp->fr_dif;
@ -616,8 +719,15 @@ caddr_t data;
if (!f)
error = ESRCH;
else {
if (f->fr_ref > 1)
return EBUSY;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
if (f->fr_grhead)
fr_delgroup(f->fr_grhead, fp->fr_flags, unit,
set);
fixskip(fprev, f, -1);
*ftail = f->fr_next;
KFREE(f);
@ -630,12 +740,18 @@ caddr_t data;
return fr_auth_ioctl(data, req, f, ftail);
KMALLOC(f, frentry_t *, sizeof(*f));
if (f != NULL) {
if (fg && fg->fg_head)
fg->fg_head->fr_ref++;
bcopy((char *)fp, (char *)f, sizeof(*f));
f->fr_ref = 1;
f->fr_hits = 0;
f->fr_next = *ftail;
*ftail = f;
if (req == SIOCINIFR || req == SIOCINAFR)
fixskip(fprev, f, 1);
f->fr_grp = NULL;
if ((group = f->fr_grhead))
fg = fr_addgroup(group, f, unit, set);
} else
error = ENOMEM;
}
@ -707,134 +823,13 @@ dev_t dev;
register struct uio *uio;
{
# ifdef IPFILTER_LOG
register int ret, unit;
register size_t sz, sx;
int error;
# if defined(_KERNEL) && !SOLARIS
int s;
# endif
unit = minor(dev);
if ((2 < unit) || (unit < 0))
return ENXIO;
if (!uio->uio_resid)
return 0;
while (!iplused[unit]) {
error = SLEEP(iplbuf[unit], "ipl sleep");
if (error)
return error;
}
SPLNET(s);
sx = sz = MIN(uio->uio_resid, iplused[unit]);
if (iplh[unit] < iplt[unit])
sz = MIN(sz, IPLLOGSIZE - (iplt[unit] - iplbuf[unit]));
sx -= sz;
# if BSD >= 199306 || defined(__FreeBSD__)
uio->uio_rw = UIO_READ;
# endif
if (!(ret = UIOMOVE(iplt[unit], sz, UIO_READ, uio))) {
iplt[unit] += sz;
iplused[unit] -= sz;
if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE))
iplt[unit] = iplbuf[unit];
if (sx && !(ret = UIOMOVE(iplt[unit], sx, UIO_READ, uio))) {
iplt[unit] += sx;
iplused[unit] -= sx;
if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE))
iplt[unit] = iplbuf[unit];
}
if (!iplused[unit]) /* minimise wrapping around the end */
iplh[unit] = iplt[unit] = iplbuf[unit];
}
SPLX(s);
return ret;
return ipflog_read(minor(dev), uio);
# else
return ENXIO;
# endif
}
# ifdef IPFILTER_LOG
int ipllog(flags, dev, ip, fin, m)
u_int flags;
int dev;
ip_t *ip;
register fr_info_t *fin;
struct mbuf *m;
{
struct ipl_ci iplci;
register int len, mlen, hlen;
struct ifnet *ifp = fin->fin_ifp;
hlen = fin->fin_hlen;
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
else if (ip->ip_p == IPPROTO_ICMP) {
struct icmp *icmp = (struct icmp *)((char *)ip + hlen);
switch (icmp->icmp_type) {
case ICMP_UNREACH :
case ICMP_SOURCEQUENCH :
case ICMP_REDIRECT :
case ICMP_TIMXCEED :
case ICMP_PARAMPROB :
hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
break;
default :
hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
break;
}
}
mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
len = hlen + sizeof(iplci) + mlen;
if (iplused[dev] + len > IPLLOGSIZE)
return 0;
iplused[dev] += len;
# ifdef sun
uniqtime(&iplci);
# endif
# if BSD >= 199306 || defined(__FreeBSD__)
microtime((struct timeval *)&iplci);
# endif
iplci.flags = flags;
iplci.hlen = (u_char)hlen;
iplci.plen = (u_char)mlen;
iplci.rule = fin->fin_rule;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
strncpy(iplci.ifname, ifp->if_xname, IFNAMSIZ);
# else
iplci.unit = (u_char)ifp->if_unit;
if ((iplci.ifname[0] = ifp->if_name[0]))
if ((iplci.ifname[1] = ifp->if_name[1]))
if ((iplci.ifname[2] = ifp->if_name[2]))
iplci.ifname[3] = ifp->if_name[3];
# endif
if (iplh[dev] == iplbuf[dev] + IPLLOGSIZE)
iplh[dev] = iplbuf[dev];
/*
* Gauranteed to succeed from above
*/
(void) fr_copytolog(dev, (char *)&iplci, sizeof(iplci));
for (len -= sizeof(iplci); m && len > 0; m = m->m_next, len -= hlen) {
hlen = MIN(len, m->m_len);
if (fr_copytolog(dev, mtod(m, char *), hlen))
break;
}
wakeup(iplbuf[dev]);
return 1;
}
# endif /* IPFILTER_LOG */
/*
* send_reset - this could conceivably be a call to tcp_respond(), but that
* requires a large amount of setting up and isn't any more efficient.
@ -909,7 +904,7 @@ struct tcpiphdr *ti;
}
# if !defined(IPFILTER_LKM) && !(__FreeBSD_version >= 300000)
# if !defined(IPFILTER_LKM) && (__FreeBSD_version < 300000)
# if BSD < 199306
int iplinit __P((void));
@ -921,10 +916,14 @@ void
# endif
iplinit()
{
# if defined(__NetBSD__)
(void) ipl_enable();
# else
(void) iplattach();
# endif
ip_init();
}
# endif /* ! __NetBSD__ */
# endif /* !IPFILTER_LKM && __FreeBSD_version < 300000 */
void ipfr_fastroute(m0, fin, fdp)
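Review bot: The new ipfsync() wraps its body in `#ifdef KERNEL`, whereas every other kernel-only section in this file tests `_KERNEL` (the `#ifdef _KERNEL` around `unit = minor(dev)` and the `defined(_KERNEL) && !SOLARIS` guard above it), so on a build that defines only _KERNEL the function compiles to an empty body and SIOCFRSYN becomes a silent no-op; the guard should read `#ifdef _KERNEL`. Separately, SIOCIPFFB still returns its result with `*(int *)data = ipflog_clear(unit);` even though FIONREAD in the same switch was converted to IWCOPY in this commit, and the `unit` handed to ipflog_clear comes from minor(dev) with no range check visible in this hunk, so it is worth confirming that ipflog_clear bounds it against IPL_LOGMAX. The SIOCAUTHW/SIOCAUTHR cases intentionally fall into SIOCATHST after the FWRITE check and deserve a `/* FALLTHROUGH */` marker.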


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.h,v 1.19 1997/07/08 05:54:04 mrg Exp $ */
/* $NetBSD: ip_fil.h,v 1.20 1997/09/21 18:03:15 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_fil.h,v 2.0.2.26 1997/07/05 04:38:43 darrenr Exp
* Id: ip_fil.h,v 2.0.2.34 1997/09/10 13:08:17 darrenr Exp
*/
#ifndef __IP_FIL_H__
@ -18,11 +18,11 @@
* Pathnames for various IP Filter control devices. Used by LKM
* and userland, so defined here.
*/
#define IPL_NAME "/dev/ipl"
#define IPNAT_NAME "/dev/ipnat"
#define IPSTATE_NAME "/dev/ipstate"
#define IPAUTH_NAME "/dev/ipauth"
#ifndef SOLARIS
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
@ -112,13 +112,20 @@ typedef struct fr_info {
u_short fin_dlen;
u_short fin_id;
void *fin_ifp;
char *fin_dp; /* start of data past IP header */
struct frentry *fin_fr;
char *fin_dp; /* start of data past IP header */
void *fin_mp;
} fr_info_t;
/*
* Size for compares on fr_info structures
*/
#define FI_CSIZE (sizeof(struct fr_ip) + sizeof(u_short) * 4 + \
sizeof(u_char))
/*
* Size for copying cache fr_info structure
*/
#define FI_COPYSIZE (sizeof(fr_info_t) - sizeof(void *) * 2)
typedef struct frdest {
void *fd_ifp;
@ -128,9 +135,13 @@ typedef struct frdest {
typedef struct frentry {
struct frentry *fr_next;
struct ifnet *fr_ifa;
u_short fr_group; /* group to which this rule belongs */
u_short fr_grhead; /* group # which this rule starts */
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
void *fr_ifa;
/*
* There are only incremented when a packet matches this rule and
* These are only incremented when a packet matches this rule and
* it is the last match
*/
U_QUAD_T fr_hits;
@ -178,10 +189,10 @@ typedef struct frentry {
/*
* fr_flags
*/
#define FR_BLOCK 0x00001
#define FR_PASS 0x00002
#define FR_OUTQUE 0x00004
#define FR_INQUE 0x00008
#define FR_BLOCK 0x00001 /* do not allow packet to pass */
#define FR_PASS 0x00002 /* allow packet to pass */
#define FR_OUTQUE 0x00004 /* outgoing packets */
#define FR_INQUE 0x00008 /* ingoing packets */
#define FR_LOG 0x00010 /* Log */
#define FR_LOGB 0x00011 /* Log-fail */
#define FR_LOGP 0x00012 /* Log-pass */
@ -189,7 +200,7 @@ typedef struct frentry {
#define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
#define FR_NOMATCH 0x00200
#define FR_NOMATCH 0x00200 /* no match occured */
#define FR_ACCOUNT 0x00400 /* count packet bytes */
#define FR_KEEPFRAG 0x00800 /* keep fragment information */
#define FR_KEEPSTATE 0x01000 /* keep `connection' state information */
@ -270,30 +281,50 @@ typedef struct friostat {
int f_active;
} friostat_t;
typedef struct optlist {
typedef struct optlist {
u_short ol_val;
int ol_bit;
int ol_bit;
} optlist_t;
/*
* Log structure. Each packet header logged is prepended by one of these,
* minimize size to make most effective use of log space which should
* (ideally) be a muliple of the most common log entry size.
* Group list structure.
*/
typedef struct ipl_ci {
u_long sec;
u_long usec;
u_char hlen;
u_char plen;
u_short rule; /* assume never more than 64k rules, total */
u_32_t flags;
typedef struct frgroup {
u_short fg_num;
struct frgroup *fg_next;
struct frentry *fg_head;
struct frentry **fg_start;
} frgroup_t;
/*
* Log structure. Each packet header logged is prepended by one of these.
* Following this in the log records read from the device will be an ipflog
* structure which is then followed by any packet data.
*/
typedef struct iplog {
u_long ipl_sec;
u_long ipl_usec;
u_int ipl_len;
u_int ipl_count;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
typedef struct ipflog {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
u_char ifname[IFNAMSIZ]; /* = 32 bytes */
u_char fl_ifname[IFNAMSIZ];
#else
u_int unit;
u_char ifname[4]; /* = 24 bytes */
u_int fl_unit;
u_char fl_ifname[4];
#endif
} ipl_ci_t;
u_char fl_plen; /* extra data after hlen */
u_char fl_hlen; /* length of IP headers saved */
u_short fl_rule; /* assume never more than 64k rules, total */
u_32_t fl_flags;
} ipflog_t;
#ifndef ICMP_UNREACH_FILTER
@ -303,13 +334,16 @@ typedef struct ipl_ci {
#ifndef IPF_LOGGING
#define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
#define IPF_DEFAULT_PASS FR_PASS
#endif
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define IPLLOGSIZE 8192
/*
* Device filenames. Use ipf on Solaris2 because ipl is already a name used
* by something else.
* Device filenames for reading log information. Use ipf on Solaris2 because
* ipl is already a name used by something else.
*/
#ifndef IPL_NAME
# if SOLARIS
@ -318,9 +352,10 @@ typedef struct ipl_ci {
# define IPL_NAME "/dev/ipl"
# endif
#endif
#define IPL_NAT "/dev/ipnat"
#define IPL_STATE "/dev/ipstate"
#define IPL_AUTH "/dev/ipauth"
#define IPL_NAT IPNAT_NAME
#define IPL_STATE IPSTATE_NAME
#define IPL_AUTH IPAUTH_NAME
#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
#define IPL_LOGNAT 1
#define IPL_LOGSTATE 2
@ -333,12 +368,11 @@ typedef struct ipl_ci {
#endif
#ifndef _KERNEL
extern int fr_check __P((struct ip *, int, struct ifnet *, int, mb_t **));
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
int, mb_t **));
extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **));
extern int send_reset __P((struct ip *, struct ifnet *));
extern int icmp_error __P((struct ip *, struct ifnet *));
extern int ipllog __P((void));
extern int ipf_log __P((void));
extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *));
extern struct ifnet *get_unit __P((char *));
# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
@ -350,18 +384,22 @@ extern int iplioctl __P((dev_t, int, caddr_t, int));
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
#else /* #ifndef _KERNEL */
/* Pesudo-device attach routine; no-op, really. */
# if defined(__NetBSD__)
/* Pesudo-device attach routine; no-op, really. */
extern void ipfilterattach __P((int));
# else
extern void iplattach __P((void));
extern int iplattach __P((void));
# endif
extern int ipl_enable __P((void));
extern int ipl_disable __P((void));
extern void ipflog_init __P((void));
extern int ipflog_clear __P((int));
extern int ipflog_read __P((int, struct uio *));
extern int ipflog __P((u_int, struct ip *, fr_info_t *, mb_t *));
extern int ipllog __P((int, u_long, void **, size_t *, int *, int));
# if SOLARIS
extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *,
mb_t **));
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
extern int fr_check __P((struct ip *, int, void *, int, qif_t *, mb_t **));
extern int (*fr_checkp) __P((struct ip *, int, void *,
int, qif_t *, mb_t **));
extern int icmp_error __P((ip_t *, int, int, qif_t *,
struct in_addr));
@ -369,23 +407,20 @@ extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int ipfsync __P((void));
extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, mblk_t *));
extern int send_reset __P((ip_t *, qif_t *));
extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
fr_info_t *, frdest_t *));
extern void copyin_mblk __P((mblk_t *, int, char *, int));
extern void copyout_mblk __P((mblk_t *, int, char *, int));
extern void copyin_mblk __P((mblk_t *, int, int, char *));
extern void copyout_mblk __P((mblk_t *, int, int, char *));
extern int fr_qin __P((queue_t *, mblk_t *));
extern int fr_qout __P((queue_t *, mblk_t *));
# ifdef IPFILTER_LOG
extern int iplread __P((dev_t, struct uio *, cred_t *));
# endif
# else /* SOLARIS */
extern int fr_check __P((struct ip *, int, struct ifnet *, int, mb_t **));
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
mb_t **));
extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **));
extern int send_reset __P((struct tcpiphdr *));
extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
# ifdef IPFILTER_LKM
extern int iplidentify __P((char *));
@ -399,7 +434,7 @@ extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
# endif
extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *));
# elif !defined(__NetBSD__) || (NetBSD < 199609)
# else
extern int iplioctl __P((dev_t, int, caddr_t, int));
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
@ -422,6 +457,9 @@ extern int iplread __P((dev_t, struct uio *));
# define NETBSD_PF
#endif
#ifndef __NetBSD__
extern int ipldetach __P((void));
#endif
extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
@ -432,12 +470,12 @@ extern int ipl_inited;
extern int fr_pass;
extern int fr_flags;
extern int fr_active;
extern fr_info_t frcache[];
extern fr_info_t frcache[2];
#ifdef IPFILTER_LOG
extern char *iplh[IPL_LOGMAX + 1], *iplt[IPL_LOGMAX + 1];
extern char iplbuf[IPL_LOGMAX + 1][IPLLOGSIZE];
extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
extern int iplused[IPL_LOGMAX + 1];
#endif
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct frgroup *ipfgroups[3][2];
extern struct filterstats frstats[];
#endif /* __IP_FIL_H__ */


@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.c,v 1.8 1997/07/06 05:29:17 thorpej Exp $ */
/* $NetBSD: ip_frag.c,v 1.9 1997/09/21 18:03:17 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "Id: ip_frag.c,v 2.0.2.14 1997/06/22 05:17:47 darrenr Exp";
static char rcsid[] = "Id: ip_frag.c,v 2.0.2.14 1997/06/22 05:17:47 darrenr Exp ";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)


@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.h,v 1.7 1997/07/06 05:29:18 thorpej Exp $ */
/* $NetBSD: ip_frag.h,v 1.8 1997/09/21 18:03:19 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
* Id: ip_frag.h,v 2.0.2.9 1997/06/16 02:46:12 darrenr Exp
* Id: ip_frag.h,v 2.0.2.9 1997/06/16 02:46:12 darrenr Exp
*/
#ifndef __IP_FRAG_H__


@ -1,4 +1,4 @@
/* $NetBSD: ip_ftp_pxy.c,v 1.4 1997/07/05 05:38:19 darrenr Exp $ */
/* $NetBSD: ip_ftp_pxy.c,v 1.5 1997/09/21 18:03:21 veego Exp $ */
/*
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
@ -113,7 +113,7 @@ nat_t *nat;
dlen = m->b_wptr - m->b_rptr - off;
blen = m->b_datap->db_lim - m->b_datap->db_base;
bzero(portbuf, sizeof(portbuf));
copyout_mblk(m, off, portbuf, MIN(sizeof(portbuf), dlen));
copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#else
struct mbuf *m = *(struct mbuf **)fin->fin_mp;
@ -183,7 +183,7 @@ nat_t *nat;
for (m1 = m; m1->b_cont; m1 = m1->b_cont)
;
m1->b_wptr += inc;
copyin_mblk(m, off, newbuf, strlen(newbuf));
copyin_mblk(m, off, strlen(newbuf), newbuf);
#else
if (inc && dlen)
if ((inc < 0) || (blen >= dlen)) {


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.c,v 1.12 1997/07/21 16:53:47 kleink Exp $ */
/* $NetBSD: ip_nat.c,v 1.13 1997/09/21 18:03:23 veego Exp $ */
/*
* (C)opyright 1995-1996 by Darren Reed.
@ -11,7 +11,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static char rcsid[] = "Id: ip_nat.c,v 2.0.2.25 1997/06/22 07:21:25 darrenr Exp";
static char rcsid[] = "Id: ip_nat.c,v 2.0.2.33 1997/09/10 13:08:19 darrenr Exp ";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -100,6 +100,7 @@ extern kmutex_t ipf_natfrag;
static int flush_nattable __P((void));
static int clear_natlist __P((void));
static void nat_delete __P((struct nat *));
static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *));
void fix_outcksum(sp, n)
u_short *sp;
@ -125,7 +126,11 @@ u_long n;
register u_short sumshort;
register u_long sum1;
#ifdef sparc
sum1 = (~(*sp)) & 0xffff;
#else
sum1 = (~ntohs(*sp)) & 0xffff;
#endif
sum1 += ~(n) & 0xffff;
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
/* Again */
@ -175,7 +180,7 @@ int mode;
int s;
#endif
nat = NULL; /* XXX gcc -Wuninitialized */
nat = NULL; /* XXX gcc -Wuninitialized */
/*
* For add/delete, look to see if the NAT entry is already present
@ -292,7 +297,8 @@ int mode;
break;
case FIONREAD :
#ifdef IPFILTER_LOG
*(int *)data = iplused[IPL_LOGNAT];
IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
sizeof(iplused[IPL_LOGNAT]));
#endif
break;
}
@ -391,6 +397,65 @@ static int clear_natlist()
}
static int nat_ifpaddr(nat, ifptr, inp)
nat_t *nat;
void *ifptr;
struct in_addr *inp;
{
#if SOLARIS
ill_t *ill = ifptr;
#else
struct ifnet *ifp = ifptr;
#endif
struct in_addr in;
#if SOLARIS
in.s_addr = ill->ill_ipif->ipif_local_addr;
#else
struct ifaddr *ifa;
struct sockaddr_in *sin;
# if (__FreeBSD_version >= 300000)
ifa = TAILQ_FIRST(&ifp->if_addrhead);
# else
# ifdef __NetBSD__
ifa = ifp->if_addrlist.tqh_first;
# else
ifa = ifp->if_addrlist;
# endif
# endif
# if BSD < 199306
sin = (SOCKADDR_IN *)&ifa->ifa_addr;
# else
sin = (SOCKADDR_IN *)ifa->ifa_addr;
while (sin && ifa &&
sin->sin_family != AF_INET) {
# if (__FreeBSD_version >= 300000)
ifa = TAILQ_NEXT(ifa, ifa_link);
# else
# ifdef __NetBSD__
ifa = ifa->ifa_list.tqe_next;
# else
ifa = ifa->ifa_next;
# endif
# endif
sin = (SOCKADDR_IN *)ifa->ifa_addr;
}
if (!ifa)
sin = NULL;
if (!sin) {
KFREE(nat);
return -1;
}
# endif
in = sin->sin_addr;
in.s_addr = ntohl(in.s_addr);
#endif
*inp = in;
return 0;
}
/*
* Create a new NAT table entry.
*/
@ -427,11 +492,6 @@ int direction;
* Search the current table for a match.
*/
if (direction == NAT_OUTBOUND) {
#if SOLARIS
ill_t *ill = fin->fin_ifp;
#else
struct ifnet *ifp = fin->fin_ifp;
#endif
/*
* If it's an outbound packet which doesn't match any existing
* record, then create a new port
@ -439,50 +499,10 @@ int direction;
do {
port = 0;
in.s_addr = np->in_nip;
if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
#if SOLARIS
in.s_addr = ill->ill_ipif->ipif_local_addr;
#else
struct ifaddr *ifa;
struct sockaddr_in *sin;
# if (__FreeBSD_version >= 300000)
ifa = TAILQ_FIRST(&ifp->if_addrhead);
# else
# ifdef __NetBSD__
ifa = ifp->if_addrlist.tqh_first;
# else
ifa = ifp->if_addrlist;
# endif
# endif
# if BSD < 199306
sin = (SOCKADDR_IN *)&ifa->ifa_addr;
# else
sin = (SOCKADDR_IN *)ifa->ifa_addr;
while (sin && ifa &&
sin->sin_family != AF_INET) {
# if (__FreeBSD_version >= 300000)
ifa = TAILQ_NEXT(ifa, ifa_link);
# else
# ifdef __NetBSD__
ifa = ifa->ifa_list.tqe_next;
# else
ifa = ifa->ifa_next;
# endif
# endif
sin = (SOCKADDR_IN *)ifa->ifa_addr;
}
if (!ifa)
sin = NULL;
if (!sin) {
KFREE(nat);
if (!in.s_addr && (np->in_outmsk == 0xffffffff))
if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1)
return NULL;
}
# endif
in = sin->sin_addr;
in.s_addr = ntohl(in.s_addr);
#endif
}
if (nflags & IPN_TCPUDP) {
port = htons(np->in_pnext++);
if (np->in_pnext >= ntohs(np->in_pmax)) {
@ -769,7 +789,7 @@ fr_info_t *fin;
MUTEX_ENTER(&ipf_nat);
if ((nat = ipfr_nat_knownfrag(ip, fin)))
;
else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
else if ((nat = nat_outlookup(ifp, nflags, ip->ip_src, sport,
ip->ip_dst, dport)))
np = nat->nat_ptr;
else
@ -1034,6 +1054,59 @@ void ip_natexpire()
}
/*
*/
void ip_natsync(ifp)
void *ifp;
{
register nat_t *nat;
register u_long sum1, sum2, sumd;
struct in_addr in;
ipnat_t *np;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
MUTEX_ENTER(&ipf_nat);
SPLNET(s);
for (nat = nat_instances; nat; nat = nat->nat_next)
if ((ifp == nat->nat_ifp) && (np = nat->nat_ptr))
if ((np->in_outmsk == 0xffffffff) && !np->in_nip) {
/*
* Change the map-to address to be the same
* as the new one.
*/
sum1 = nat->nat_outip.s_addr;
if (nat_ifpaddr(nat, ifp, &in) == -1)
nat->nat_outip.s_addr = htonl(in.s_addr);
sum2 = nat->nat_outip.s_addr;
/*
* Readjust the checksum adjustment to take
* into account the new IP#.
*
* Do it twice
*/
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
/* Do it twice */
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
/* Because ~1 == -2, We really need ~1 == -1 */
if (sum1 > sum2)
sum2--;
sumd = sum2 - sum1;
sumd = (sumd & 0xffff) + (sumd >> 16);
sumd += nat->nat_sumd;
nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
}
SPLX(s);
MUTEX_EXIT(&ipf_nat);
}
#ifdef IPFILTER_LOG
void nat_log(nat, type)
struct nat *nat;
@ -1041,22 +1114,10 @@ u_short type;
{
struct ipnat *np;
struct natlog natl;
int rulen;
void *items[1];
size_t sizes[1];
int rulen, types[1];
if (iplused[IPL_LOGNAT] + sizeof(natl) > IPLLOGSIZE) {
nat_stats.ns_logfail++;
return;
}
if (iplh[IPL_LOGNAT] == iplbuf[IPL_LOGNAT] + IPLLOGSIZE)
iplh[IPL_LOGNAT] = iplbuf[IPL_LOGNAT];
# ifdef sun
uniqtime(&natl.nl_tv);
# endif
# if BSD >= 199306 || defined(__FreeBSD__)
microtime((struct timeval *)&natl);
# endif
natl.nl_inip = nat->nat_inip;
natl.nl_outip = nat->nat_outip;
natl.nl_origip = nat->nat_oip;
@ -1074,12 +1135,10 @@ u_short type;
break;
}
}
items[0] = &natl;
sizes[0] = sizeof(natl);
types[0] = 0;
if (!fr_copytolog(IPL_LOGNAT, (char *)&natl, sizeof(natl))) {
iplused[IPL_LOGNAT] += sizeof(natl);
nat_stats.ns_logged++;
} else
nat_stats.ns_logfail++;
wakeup(iplbuf[IPL_LOGNAT]);
(void) ipllog(IPL_LOGNAT, 0, items, sizes, types, 1);
}
#endif
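Review bot: The test `if (nat_ifpaddr(nat, ifp, &in) == -1)` in ip_natsync is inverted: nat_ifpaddr stores into `*inp` and returns 0 on success, and returns -1 only after `KFREE(nat)` without touching `*inp`, so the assignment on the next line runs only when `nat` has just been freed and `in` is still uninitialized, while a successful lookup leaves nat_outip unchanged. The loop then continues through `nat->nat_next` of the freed entry, which is still linked into nat_instances. Beyond flipping the comparison to `== 0`, the KFREE does not belong in an address lookup; dropping it from nat_ifpaddr and having nat_new do `if (nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) { KFREE(nat); return NULL; }` keeps the sync path from freeing live table entries. Separately, the walk in nat_ifpaddr re-reads `sin = (SOCKADDR_IN *)ifa->ifa_addr;` at the bottom of the loop body right after advancing `ifa`, before the `while (sin && ifa && ...)` test sees the new pointer, so an interface whose address list holds no AF_INET entry dereferences a null `ifa` (this is carried over from the code removed from nat_new).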


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.h,v 1.9 1997/07/06 05:29:20 thorpej Exp $ */
/* $NetBSD: ip_nat.h,v 1.10 1997/09/21 18:03:25 veego Exp $ */
/*
* (C)opyright 1995-1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
* Id: ip_nat.h,v 2.0.2.16 1997/06/22 07:05:54 darrenr Exp
* Id: ip_nat.h,v 2.0.2.18 1997/09/10 11:15:36 darrenr Exp
*/
#ifndef __IP_NAT_H__
@ -134,7 +134,6 @@ typedef struct natstat {
typedef struct natlog {
struct timeval nl_tv;
struct in_addr nl_origip;
struct in_addr nl_outip;
struct in_addr nl_inip;
@ -153,6 +152,7 @@ typedef struct natlog {
#define NL_EXPIRE 0xffff
extern void ip_natsync __P((void *));
extern u_long fr_defnatage;
extern nat_t *nat_table[2][NAT_SIZE];
#ifdef __NetBSD__


@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.c,v 1.5 1997/07/06 05:29:20 thorpej Exp $ */
/* $NetBSD: ip_proxy.c,v 1.6 1997/09/21 18:03:28 veego Exp $ */
/*
* (C)opyright 1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char rcsid[] = "Id: ip_proxy.c,v 2.0.2.5 1997/07/05 04:38:46 darrenr Exp";
static char rcsid[] = "Id: ip_proxy.c,v 2.0.2.6 1997/07/27 07:24:54 darrenr Exp ";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -107,12 +107,13 @@ static ap_session_t *ap_find(ip, tcp)
ip_t *ip;
tcphdr_t *tcp;
{
struct in_addr src = ip->ip_src, dst = ip->ip_dst;
struct in_addr src, dst;
register u_long hv;
register u_short sp, dp;
register ap_session_t *aps;
register u_char p = ip->ip_p;
src = ip->ip_src, dst = ip->ip_dst;
sp = dp = 0; /* XXX gcc -Wunitialized */
hv = ip->ip_src.s_addr ^ ip->ip_dst.s_addr;


@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.h,v 1.6 1997/07/06 05:29:21 thorpej Exp $ */
/* $NetBSD: ip_proxy.h,v 1.7 1997/09/21 18:03:30 veego Exp $ */
/*
* (C)opyright 1997 by Darren Reed.
@ -7,7 +7,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* Id: ip_proxy.h,v 2.0.2.7 1997/07/05 04:38:48 darrenr Exp
* Id: ip_proxy.h,v 2.0.2.7 1997/07/05 04:38:48 darrenr Exp
*/
#ifndef __IP_PROXY_H__


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.c,v 1.8 1997/07/06 05:29:22 thorpej Exp $ */
/* $NetBSD: ip_state.c,v 1.9 1997/09/21 18:03:32 veego Exp $ */
/*
* (C)opyright 1995 by Darren Reed.
@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "Id: ip_state.c,v 2.0.2.17 1997/06/22 05:16:30 darrenr Exp";
static char rcsid[] = "Id: ip_state.c,v 2.0.2.20 1997/08/20 16:27:20 darrenr Exp ";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@ -112,7 +112,8 @@ int mode;
break;
case FIONREAD :
#ifdef IPFILTER_LOG
*(int *)data = iplused[IPL_LOGSTATE];
IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
sizeof(iplused[IPL_LOGSTATE]));
#endif
break;
default :
@ -272,12 +273,12 @@ u_short sport;
seqskew = seq - is->is_seq;
ackskew = ack - is->is_ack;
} else {
ackskew = seq - is->is_ack;
if (!is->is_ack)
/*
* Must be a SYN-ACK in reply to a SYN.
*/
is->is_ack = seq;
ackskew = seq - is->is_ack;
seqskew = ack - is->is_seq;
}
@ -592,21 +593,10 @@ struct ipstate *is;
u_short type;
{
struct ipslog ipsl;
void *items[1];
size_t sizes[1];
int types[1];
if (iplused[IPL_LOGSTATE] + sizeof(ipsl) > IPLLOGSIZE) {
ips_stats.iss_logfail++;
return;
}
if (iplh[IPL_LOGSTATE] == iplbuf[IPL_LOGSTATE] + IPLLOGSIZE)
iplh[IPL_LOGSTATE] = iplbuf[IPL_LOGSTATE];
# ifdef sun
uniqtime(&ipsl.isl_tv);
# endif
# if BSD >= 199306 || defined(__FreeBSD__)
microtime((struct timeval *)&ipsl);
# endif
ipsl.isl_pkts = is->is_pkts;
ipsl.isl_bytes = is->is_bytes;
ipsl.isl_src = is->is_src;
@ -623,12 +613,10 @@ u_short type;
ipsl.isl_ps.isl_filler[0] = 0;
ipsl.isl_ps.isl_filler[1] = 0;
}
items[0] = &ipsl;
sizes[0] = sizeof(ipsl);
types[0] = 0;
if (!fr_copytolog(IPL_LOGSTATE, (char *)&ipsl, sizeof(ipsl))) {
iplused[IPL_LOGSTATE] += sizeof(ipsl);
ips_stats.iss_logged++;
} else
ips_stats.iss_logfail++;
wakeup(iplbuf[IPL_LOGSTATE]);
(void) ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1);
}
#endif
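Review bot: The state logging routine no longer updates ips_stats.iss_logged / iss_logfail: the removed code counted the outcome of fr_copytolog, and the replacement discards the result of `(void) ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1);`, so both counters stay at zero unless ipllog maintains them itself, which a generic logger indexed only by device number is unlikely to do. nat_log in ip_nat.c drops ns_logged / ns_logfail the same way. Assuming ipllog returns non-zero on success (its declaration `extern int ipllog __P((int, u_long, void **, size_t *, int *, int));` in ip_fil.h does not say), `if (ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1)) ips_stats.iss_logged++; else ips_stats.iss_logfail++;` restores the accounting that lets an operator notice dropped log records. The enclosing function's name line is above the hunk.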


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.h,v 1.7 1997/07/06 05:29:23 thorpej Exp $ */
/* $NetBSD: ip_state.h,v 1.8 1997/09/21 18:03:34 veego Exp $ */
/*
* (C)opyright 1995-1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* Id: ip_state.h,v 2.0.2.11 1997/06/16 02:44:23 darrenr Exp
* Id: ip_state.h,v 2.0.2.12 1997/08/05 13:39:40 darrenr Exp
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@ -75,7 +75,6 @@ typedef struct ipstate {
typedef struct ipslog {
struct timeval isl_tv;
U_QUAD_T isl_pkts;
U_QUAD_T isl_bytes;
struct in_addr isl_src;


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.8 1997/09/16 02:06:42 mrg Exp $
# $NetBSD: Makefile,v 1.9 1997/09/21 18:00:54 veego Exp $
PROG= ipf
SRCS= ipf.c parse.c opt.c


@ -1,4 +1,4 @@
/* $NetBSD: ipf.c,v 1.6 1997/07/05 05:43:37 darrenr Exp $ */
/* $NetBSD: ipf.c,v 1.7 1997/09/21 18:00:56 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -42,11 +42,11 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ipf.c,v 1.6 1997/07/05 05:43:37 darrenr Exp $";
static char rcsid[] = "Id: ipf.c,v 2.0.2.12 1997/09/10 11:15:37 darrenr Exp ";
#endif
#if SOLARIS
static void frsync __P((void));
#if SOLARIS
static void blockunknown __P((void));
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@ -75,7 +75,7 @@ char *argv[];
{
int c;
while ((c = getopt(argc, argv, "AdDEf:F:Il:nopPrsUvyzZ")) != -1) {
while ((c = getopt(argc, argv, "AdDEf:F:Il:noPrsUvyzZ")) != -1) {
switch (c)
{
case 'A' :
@ -108,9 +108,6 @@ char *argv[];
case 'o' :
opts |= OPT_OUTQUE;
break;
case 'p' :
opts |= OPT_PRINTFR;
break;
case 'P' :
ipfname = IPL_AUTH;
break;
@ -128,11 +125,9 @@ char *argv[];
case 'v' :
opts |= OPT_VERBOSE;
break;
#if SOLARIS
case 'y' :
frsync();
break;
#endif
case 'z' :
opts |= OPT_ZERORULEST;
break;
@ -370,7 +365,6 @@ static void swapactive()
}
#if defined(sun) && (defined(__SVR4) || defined(__svr4__))
static void frsync()
{
if (opendevice() != -2 && ioctl(fd, SIOCFRSYN, 0) == -1)
@ -378,7 +372,6 @@ static void frsync()
else
printf("filter sync'd\n");
}
#endif
void zerostats()


@ -1,4 +1,4 @@
.\" $NetBSD: ipl.4,v 1.4 1997/02/18 21:28:19 mrg Exp $
.\" $NetBSD: ipl.4,v 1.5 1997/09/21 18:00:58 veego Exp $
.\"
.\" Copyright (c) 1997 Matthew R. Green
.\" All rights reserved.
@ -59,52 +59,74 @@ pseudo device's purpose is to provide an easy way to gather
packet headers of packets you wish to log. If a packet header is to be
logged, the entire header is logged (including any IP options \- TCP/UDP
options are not included when it calculates header size) or not at all.
The packet contents are also logged after the header.
The packet contents are also logged after the header. If the log reader
is busy or otherwise unable to read log records, upto IPLLOGSIZE (8192 is the
default) bytes of data are stored.
.Pp
Prepending every packet header logged is a structure containing information
relevant to the packet following and why it was logged. The structure's
format is as follows:
.Lp
.nf
struct ipl_ci {
u_long sec; /* time when the packet was logged */
u_long usec;
u_long plen; /* length of packet data logged */
u_short hlen; /* length of headers logged */
u_short rule; /* rule number (for log ...) or 0 if result = log */
u_long flags:24; /* XXX FIXME do we care about the extra bytes? */
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
u_long filler:8; /* XXX FIXME do we care? */
u_char ifname[IFNAMSIZ];
/*
* Log structure. Each packet header logged is prepended by one of these.
* Following this in the log records read from the device will be an ipflog
* structure which is then followed by any packet data.
*/
typedef struct iplog {
u_long ipl_sec;
u_long ipl_usec;
u_int ipl_len;
u_int ipl_count;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
typedef struct ipflog {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
u_char fl_ifname[IFNAMSIZ];
#else
u_long unit:8;
u_char ifname[4];
u_int fl_unit;
u_char fl_ifname[4];
#endif
};
.Lp
u_char fl_plen; /* extra data after hlen */
u_char fl_hlen; /* length of IP headers saved */
u_short fl_rule; /* assume never more than 64k rules, total */
u_32_t fl_flags;
} ipflog_t;
.fi
.Pp
In the case of the header causing the buffer to finish on a non-32bit
boundary, padding will be `appended' to ensure that the next log entry
is aligned to a 32bit boundary.
.Lp
.Pp
If the packet contents is more then 128 bytes, then only 128 bytes of the
packet contents is logged. Should the packet contents finish on a non-32bit
boundary, then the last few bytes are not logged to ensure the log entry
is aligned to a 32bit boundary.
.Pp
When reading from the
.Nm
is a read-only (sequential) character pseudo-device.
device, it is necessary to call
.Xr read 2
with a buffer big enough to hold at least 1 complete log record - reading of
partial log records is not supported.
.Pp
If the packet contents is more then 128 bytes when \fBlog body\fP is used,
then only 128 bytes of the packet contents is logged.
.Pp
Although it is only possible to read from the
.Nm
device, opening it for writing is required when using an ioctl which changes
any kernel data.
.Pp
The ioctls which are loaded with this device can be found under
.Xr ipf 4 .
The only ioctl which is used for logging and doesn't affect the filter is:
The ioctls which are for use with logging and don't affect the filter are:
.Lp
.nf
ioctl(fd, SIOCIPFFB, int *)
ioctl(fd, FIONREAD, int *)
.fi
.Pp
This ioctl flushes the log buffer and returns the number of bytes flushed.
The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
flushed. FIONREAD returns the number of bytes currently used for storing
log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
available and FIONREAD will return but not do anything.
.Pp
There is currently no support for non-blocking IO with this device, meaning
all read operations should be considered blocking in nature (if there is no


@ -1,4 +1,4 @@
/* $NetBSD: parse.c,v 1.9 1997/07/05 05:43:37 darrenr Exp $ */
/* $NetBSD: parse.c,v 1.10 1997/09/21 18:01:00 veego Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
@ -37,7 +37,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: parse.c,v 1.9 1997/07/05 05:43:37 darrenr Exp $";
static char rcsid[] = "Id: parse.c,v 2.0.2.14 1997/08/26 12:54:07 darrenr Exp ";
#endif
extern struct ipopt_names ionames[], secclass[];
@ -439,6 +439,30 @@ char *line;
if (addkeep(&cpp, &fil))
return NULL;
/*
* head of a new group ?
*/
if (*cpp && !strcasecmp(*cpp, "head")) {
if (!*++cpp) {
(void)fprintf(stderr, "head without group #\n");
return NULL;
}
fil.fr_grhead = atoi(*cpp);
cpp++;
}
/*
* head of a new group ?
*/
if (*cpp && !strcasecmp(*cpp, "group")) {
if (!*++cpp) {
(void)fprintf(stderr, "group without group #\n");
return NULL;
}
fil.fr_group = atoi(*cpp);
cpp++;
}
/*
* leftovers...yuck
*/
@ -1288,6 +1312,10 @@ struct frentry *fp;
printf(" keep state");
if (fp->fr_flags & FR_KEEPFRAG)
printf(" keep frags");
if (fp->fr_grhead)
printf(" head %d", fp->fr_grhead);
if (fp->fr_group)
printf(" group %d", fp->fr_group);
(void)putchar('\n');
}
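Review bot: Both new keywords take their number with `atoi(*cpp)`, which silently accepts trailing text and out-of-range values, so `group 12abc` or `head 99999` load as valid rules and whatever the field's width keeps of the value is what reaches the kernel. Parsing with strtol and rejecting leftover characters or values outside the u_short range used by frgroup_t.fg_num makes the mistake visible at load time; the rewrite for `group` is below and `head` needs the same treatment. The comment above the `group` block is a copy of the one above `head` (`head of a new group ?`) and should read `member of a group ?`. The enclosing parse function starts and ends outside the hunk.
```c
	/*
	 * member of a group ?
	 */
	if (*cpp && !strcasecmp(*cpp, "group")) {
		char *end;
		long grp;

		if (!*++cpp) {
			(void)fprintf(stderr, "group without group #\n");
			return NULL;
		}
		grp = strtol(*cpp, &end, 10);
		/* fg_num is a u_short: reject trailing junk and out-of-range values */
		if (end == *cpp || *end != '\0' || grp < 0 || grp > 0xffff) {
			(void)fprintf(stderr, "bad group # %s\n", *cpp);
			return NULL;
		}
		fil.fr_group = grp;
		cpp++;
	}
	/* … unchanged: leftovers handling … */
```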


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.9 1997/07/05 05:43:42 darrenr Exp $
# $NetBSD: Makefile,v 1.10 1997/09/21 18:01:10 veego Exp $
PROG= ipfstat
SRCS= kmem.c fils.c opt.c parse.c


@ -1,4 +1,4 @@
/* $NetBSD: fils.c,v 1.8 1997/07/05 05:43:43 darrenr Exp $ */
/* $NetBSD: fils.c,v 1.9 1997/09/21 18:01:11 veego Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
@ -48,7 +48,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: fils.c,v 1.8 1997/07/05 05:43:43 darrenr Exp $";
static char rcsid[] = "Id: fils.c,v 2.0.2.19 1997/09/10 13:08:13 darrenr Exp ";
#endif
#ifdef _PATH_UNIX
#define VMUNIX _PATH_UNIX
@ -75,6 +75,7 @@ static void showlist __P((friostat_t *));
static void showipstates __P((int, ips_stat_t *));
static void showauthstates __P((int, fr_authstat_t *));
static void Usage __P((char *));
static void printlist __P((frentry_t *));
static void Usage(name)
@ -124,12 +125,12 @@ char *argv[];
case 'i' :
opts |= OPT_INQUE|OPT_SHOWLIST;
break;
case 'n' :
opts |= OPT_SHOWLINENO;
break;
case 'I' :
opts |= OPT_INACTIVE;
break;
case 'n' :
opts |= OPT_SHOWLINENO;
break;
case 'o' :
opts |= OPT_OUTQUE|OPT_SHOWLIST;
break;
@ -267,15 +268,52 @@ struct friostat *fp;
PRINTF("\tnone\n");
}
static void printlist(fp)
frentry_t *fp;
{
struct frentry fb;
int n;
for (n = 1; fp; n++) {
if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
perror("kmemcpy");
return;
}
fp = &fb;
if (opts & OPT_OUTQUE)
fp->fr_flags |= FR_OUTQUE;
if (opts & (OPT_HITS|OPT_VERBOSE))
#ifdef USE_QUAD_T
PRINTF("%qd ", fp->fr_hits);
#else
PRINTF("%ld ", fp->fr_hits);
#endif
if (opts & (OPT_ACCNT|OPT_VERBOSE))
#ifdef USE_QUAD_T
PRINTF("%qd ", fp->fr_bytes);
#else
PRINTF("%ld ", fp->fr_bytes);
#endif
if (opts & OPT_SHOWLINENO)
PRINTF("@%d ", n);
printfr(fp);
if (opts & OPT_VERBOSE)
binprint(fp);
if (fp->fr_grp)
printlist(fp->fr_grp);
fp = fp->fr_next;
}
}
/*
* print out filter rule list
*/
static void showlist(fiop)
struct friostat *fiop;
{
struct frentry fb;
struct frentry *fp = NULL;
int i, set, n;
int i, set;
set = fiop->f_active;
if (opts & OPT_INACTIVE)
@ -303,40 +341,13 @@ struct friostat *fiop;
FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
if (opts & OPT_VERBOSE)
PRINTF("fp %#lx set %d\n", (u_long)fp, set);
PRINTF("fp %p set %d\n", fp, set);
if (!fp) {
FPRINTF(stderr, "empty list for %s%s\n",
(opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
return;
}
for (n = 1; fp; n++) {
if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
perror("kmemcpy");
return;
}
fp = &fb;
if (opts & OPT_OUTQUE)
fp->fr_flags |= FR_OUTQUE;
if (opts & (OPT_HITS|OPT_VERBOSE))
#ifdef USE_QUAD_T
PRINTF("%qd ", fp->fr_hits);
#else
PRINTF("%ld ", fp->fr_hits);
#endif
if (opts & (OPT_ACCNT|OPT_VERBOSE))
#ifdef USE_QUAD_T
PRINTF("%qd ", fp->fr_bytes);
#else
PRINTF("%ld ", fp->fr_bytes);
#endif
if (opts & OPT_SHOWLINENO)
PRINTF("@%d ", n);
printfr(fp);
if (opts & OPT_VERBOSE)
binprint(fp);
fp = fp->fr_next;
}
printlist(fp);
}
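Review bot: printlist recurses into `fp->fr_grp` with no depth or cycle guard, and since each rule is copied out of kernel memory with kmemcpy the walk is only as trustworthy as that memory; a group chain that loops back on itself would recurse until the stack is exhausted. A depth parameter with a fixed cap, or a check that `fp->fr_grp` differs from the list head the call started from, bounds it cheaply. Note also that `n` restarts at 1 inside every group, so the `@%d` numbers printed with -n are unique only within one group list; if that is intended it should be stated in the ipfstat manual.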


@ -1,9 +1,9 @@
# $NetBSD: Makefile,v 1.10 1997/07/06 22:34:34 thorpej Exp $
# $NetBSD: Makefile,v 1.11 1997/09/21 18:01:40 veego Exp $
PROG= ipftest
SRCS= ipt.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c opt.c ipft_tx.c misc.c ip_frag.c ip_state.c ip_nat.c ipft_hx.c ip_fil.c fil.c parse.c ip_proxy.c ip_auth.c
NOMAN= yes
CFLAGS+=-I${.CURDIR} -I${.CURDIR}/../ipf -I${.CURDIR}/../../../sys
CFLAGS+=-I${.CURDIR} -I${.CURDIR}/../ipf
.PATH: ${.CURDIR}/../ipf ${.CURDIR}/../../../sys/netinet
.include <bsd.prog.mk>


@ -1,4 +1,4 @@
/* $NetBSD: ipt.c,v 1.5 1997/07/05 05:43:48 darrenr Exp $ */
/* $NetBSD: ipt.c,v 1.6 1997/09/21 18:01:43 veego Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
@ -51,7 +51,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: ipt.c,v 1.5 1997/07/05 05:43:48 darrenr Exp $";
static char rcsid[] = "Id: ipt.c,v 2.0.2.9 1997/06/23 09:20:50 darrenr Exp ";
#endif
extern char *optarg;


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.11 1997/07/05 05:43:52 darrenr Exp $
# $NetBSD: Makefile,v 1.12 1997/09/21 18:01:47 veego Exp $
PROG= ipmon
MAN= ipmon.8


@ -1,7 +1,7 @@
/* $NetBSD: ipmon.c,v 1.6 1997/07/05 05:43:53 darrenr Exp $ */
/* $NetBSD: ipmon.c,v 1.7 1997/09/21 18:01:50 veego Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
* (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@ -56,8 +56,8 @@
#include "netinet/ip_state.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed";
static char rcsid[] = "$Id: ipmon.c,v 1.6 1997/07/05 05:43:53 darrenr Exp $";
static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
static char rcsid[] = "Id: ipmon.c,v 2.0.2.21 1997/09/09 14:28:06 darrenr Exp ";
#endif
@ -81,23 +81,16 @@ static char line[2048];
static int opts = 0;
static void usage __P((char *));
static void flushlogs __P((char *, FILE *));
static void print_log __P((int, FILE *, char *, int));
static void print_ipflog __P((FILE *, char *, int));
static void print_natlog __P((FILE *, char *, int));
static void print_statelog __P((FILE *, char *, int));
static void dumphex __P((FILE *, u_char *, int));
static void resynclog __P((int, struct ipl_ci *, FILE *));
static int read_ipflog __P((int, int *, char *, int, FILE *));
static int read_natlog __P((int, int *, char *, int, FILE *));
static int read_statelog __P((int, int *, char *, int, FILE *));
static int read_log __P((int, int *, char *, int, FILE *));
char *hostname __P((int, struct in_addr));
char *portname __P((int, char *, u_short));
int main __P((int, char *[]));
static int (*readfunc[3]) __P((int, int *, char *, int, FILE *)) =
{ read_ipflog, read_natlog, read_statelog };
static void (*printfunc[3]) __P((FILE *, char *, int)) =
{ print_ipflog, print_natlog, print_statelog };
#define OPT_SYSLOG 0x001
#define OPT_RESOLVE 0x002
@ -114,203 +107,19 @@ static void (*printfunc[3]) __P((FILE *, char *, int)) =
#endif
void resynclog(fd, iplcp, log)
int fd;
struct ipl_ci *iplcp;
FILE *log;
{
time_t now;
char *s = NULL;
int len, nr = 0;
do {
if (s) {
s = (char *)&iplcp->sec;
if (opts & OPT_SYSLOG) {
syslog(LOG_INFO, "Sync bytes:");
syslog(LOG_INFO, " %02x %02x %02x %02x",
*s, *(s+1), *(s+2), *(s+3));
syslog(LOG_INFO, " %02x %02x %02x %02x\n",
*(s+4), *(s+5), *(s+6), *(s+7));
} else {
fprintf(log, "Sync bytes:");
fprintf(log, " %02x %02x %02x %02x",
*s, *(s+1), *(s+2), *(s+3));
fprintf(log, " %02x %02x %02x %02x\n",
*(s+4), *(s+5), *(s+6), *(s+7));
}
}
do {
s = (char *)&iplcp->sec;
len = sizeof(iplcp->sec);
while (len) {
switch ((nr = read(fd, s, len)))
{
case -1:
case 0:
return;
default :
s += nr;
len -= nr;
now = time(NULL);
break;
}
}
} while ((now < iplcp->sec) ||
((iplcp->sec - now) > (86400*5)));
len = sizeof(iplcp->usec);
while (len) {
switch ((nr = read(fd, s, len)))
{
case -1:
case 0:
return;
default :
s += nr;
len -= nr;
break;
}
}
} while (iplcp->usec > 1000000);
len = sizeof(*iplcp) - sizeof(iplcp->sec) - sizeof(iplcp->usec);
while (len) {
switch ((nr = read(fd, s, len)))
{
case -1:
case 0:
return;
default :
s += nr;
len -= nr;
break;
}
}
}
static int read_natlog(fd, lenp, buf, bufsize, log)
static int read_log(fd, lenp, buf, bufsize, log)
int fd, bufsize, *lenp;
char *buf;
FILE *log;
{
int len, avail = 0, want = sizeof(struct natlog);
int nr;
*lenp = 0;
if (ioctl(fd, FIONREAD, &avail) == -1) {
perror("ioctl(FIONREAD");
return 1;
}
if (avail < want)
nr = read(fd, buf, bufsize);
if (!nr)
return 2;
while (want) {
len = read(fd, buf, want);
if (len > 0)
want -= len;
else
break;
}
if (!want) {
*lenp = sizeof(struct natlog);
return 0;
}
return !len ? 2 : -1;
}
static int read_statelog(fd, lenp, buf, bufsize, log)
int fd, bufsize, *lenp;
char *buf;
FILE *log;
{
int len, avail = 0, want = sizeof(struct ipslog);
*lenp = 0;
if (ioctl(fd, FIONREAD, &avail) == -1) {
perror("ioctl(FIONREAD");
return 1;
}
if (avail < want)
return 2;
while (want) {
len = read(fd, buf, want);
if (len > 0)
want -= len;
else
break;
}
if (!want) {
*lenp = sizeof(struct ipslog);
return 0;
}
return !len ? 2 : -1;
}
static int read_ipflog(fd, lenp, buf, bufsize, log)
int fd, bufsize, *lenp;
char *buf;
FILE *log;
{
struct ipl_ci *icp = (struct ipl_ci *)buf;
time_t now;
char *s;
int len, n = bufsize, tr = sizeof(struct ipl_ci), nr;
if (bufsize < tr)
return 1;
for (s = buf; (n > 0) && (tr > 0); s += nr, n -= nr) {
nr = read(fd, s, tr);
if (nr > 0)
tr -= nr;
else
return -1;
}
now = time(NULL);
if ((icp->hlen > 92) || (now < icp->sec) ||
((now - icp->sec) > (86400*5))) {
if (opts & OPT_SYSLOG)
syslog(LOG_INFO, "Out of sync! (1,%lx)\n", now);
else
fprintf(log, "Out of sync! (1,%lx)\n", now);
dumphex(log, buf, sizeof(struct ipl_ci));
resynclog(fd, icp, log);
}
len = (int)((u_int)icp->plen);
if (len > 128 || len < 0) {
if (opts & OPT_SYSLOG)
syslog(LOG_INFO, "Out of sync! (2,%d)\n", len);
else
fprintf(log, "Out of sync! (2,%d)\n", len);
dumphex(log, buf, sizeof(struct ipl_ci));
resynclog(fd, icp, log);
}
tr = icp->hlen + icp->plen;
if (n < tr)
return 1;
for (; (n > 0) && (tr > 0); s += nr, n-= nr) {
nr = read(fd, s, tr);
if (nr > 0)
tr -= nr;
else
return -1;
}
*lenp = s - buf;
if (nr < 0)
return -1;
*lenp = nr;
return 0;
}
@ -404,26 +213,27 @@ int len;
syslog(LOG_INFO, "%s", line);
}
static void print_natlog(log, buf, blen)
FILE *log;
char *buf;
int blen;
{
struct natlog *nl = (struct natlog *)buf;
struct natlog *nl;
iplog_t *ipl = (iplog_t *)buf;
char *t = line;
struct tm *tm;
int res;
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
tm = localtime((time_t *)&nl->nl_tv.tv_sec);
tm = localtime((time_t *)&ipl->ipl_sec);
if (!(opts & OPT_SYSLOG)) {
(void) sprintf(t, "%2d/%02d/%4d ",
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
}
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ",
tm->tm_hour, tm->tm_min, tm->tm_sec, nl->nl_tv.tv_usec,
tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec,
nl->nl_rule);
t += strlen(t);
@ -470,21 +280,23 @@ FILE *log;
char *buf;
int blen;
{
struct ipslog *sl = (struct ipslog *)buf;
struct ipslog *sl;
iplog_t *ipl = (iplog_t *)buf;
struct protoent *pr;
char *t = line, *proto, pname[6];
struct tm *tm;
int res;
sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
tm = localtime((time_t *)&sl->isl_tv.tv_sec);
tm = localtime((time_t *)&ipl->ipl_sec);
if (!(opts & OPT_SYSLOG)) {
(void) sprintf(t, "%2d/%02d/%4d ",
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
}
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld ",
tm->tm_hour, tm->tm_min, tm->tm_sec, sl->isl_tv.tv_usec);
tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec);
t += strlen(t);
if (sl->isl_type == ISL_NEW)
@ -536,6 +348,36 @@ int blen;
}
static void print_log(logtype, log, buf, blen)
FILE *log;
char *buf;
int logtype, blen;
{
iplog_t *ipl;
int psize;
while (blen > 0) {
ipl = (iplog_t *)buf;
psize = ipl->ipl_dsize;
switch (logtype)
{
case IPL_LOGIPF :
print_ipflog(log, buf, psize);
break;
case IPL_LOGNAT :
print_natlog(log, buf, psize);
break;
case IPL_LOGSTATE :
print_statelog(log, buf, psize);
break;
}
blen -= psize;
buf += psize;
}
}
static void print_ipflog(log, buf, blen)
FILE *log;
char *buf;
@ -553,34 +395,41 @@ int blen;
int len;
#endif
struct ip *ip;
struct ipl_ci *lp;
iplog_t *ipl;
ipflog_t *ipf;
lp = (struct ipl_ci *)buf;
ip = (struct ip *)(buf + sizeof(*lp));
ipl = (iplog_t *)buf;
ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
ip = (struct ip *)((char *)ipf + sizeof(*ipf));
res = (opts & OPT_RESOLVE) ? 1 : 0;
t = line;
*t = '\0';
hl = (ip->ip_hl << 2);
p = (u_short)ip->ip_p;
tm = localtime((time_t *)&lp->sec);
tm = localtime((time_t *)&ipl->ipl_sec);
if (!(opts & OPT_SYSLOG)) {
(void) sprintf(t, "%2d/%02d/%4d ",
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
}
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", tm->tm_hour, tm->tm_min,
tm->tm_sec, ipl->ipl_usec);
t += strlen(t);
if (ipl->ipl_count > 1) {
(void) sprintf(t, "%dx ", ipl->ipl_count);
t += strlen(t);
}
#if SOLARIS || (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld %.*s @%hd ",
tm->tm_hour, tm->tm_min, tm->tm_sec, lp->usec,
(int)sizeof(lp->ifname), lp->ifname, lp->rule);
(void) sprintf(t, "%.*s @%hd ", (int)sizeof(ipf->fl_ifname),
ipf->fl_ifname, ipf->fl_rule);
#else
for (len = 0; len < 3; len++)
if (!lp->ifname[len])
if (!ipf->fl_ifname[len])
break;
if (lp->ifname[len])
if (ipf->fl_ifname[len])
len++;
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld %*.*s%u @%hd ",
tm->tm_hour, tm->tm_min, tm->tm_sec, lp->usec,
len, len, lp->ifname, lp->unit, lp->rule);
(void) sprintf(t, "%*.*s%u @%hd ", len, len, ipf->fl_ifname,
ipf->fl_unit, ipf->fl_rule);
#endif
pr = getprotobynumber((int)p);
if (!pr) {
@ -589,22 +438,22 @@ int blen;
} else
proto = pr->p_name;
if (lp->flags & FF_SHORT) {
if (ipf->fl_flags & FF_SHORT) {
c[0] = 'S';
lvl = LOG_ERR;
} else if (lp->flags & FR_PASS) {
if (lp->flags & FR_LOGP)
} else if (ipf->fl_flags & FR_PASS) {
if (ipf->fl_flags & FR_LOGP)
c[0] = 'p';
else
c[0] = 'P';
lvl = LOG_NOTICE;
} else if (lp->flags & FR_BLOCK) {
if (lp->flags & FR_LOGB)
} else if (ipf->fl_flags & FR_BLOCK) {
if (ipf->fl_flags & FR_LOGB)
c[0] = 'b';
else
c[0] = 'B';
lvl = LOG_WARNING;
} else if (lp->flags & FF_LOGNOMATCH) {
} else if (ipf->fl_flags & FF_LOGNOMATCH) {
c[0] = 'n';
lvl = LOG_NOTICE;
} else {
@ -618,7 +467,7 @@ int blen;
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & 0x1fff)) {
tp = (struct tcphdr *)((char *)ip + hl);
if (!(lp->flags & (FI_SHORT << 16))) {
if (!(ipf->fl_flags & (FI_SHORT << 16))) {
(void) sprintf(t, "%s,%s -> ",
hostname(res, ip->ip_src),
portname(res, proto, tp->th_sport));
@ -696,12 +545,12 @@ int blen;
}
t += strlen(t);
if (lp->flags & FR_KEEPSTATE) {
if (ipf->fl_flags & FR_KEEPSTATE) {
(void) strcpy(t, " K-S");
t += strlen(t);
}
if (lp->flags & FR_KEEPFRAG) {
if (ipf->fl_flags & FR_KEEPFRAG) {
(void) strcpy(t, " K-F");
t += strlen(t);
}
@ -713,9 +562,9 @@ int blen;
else
(void) fprintf(log, "%s", line);
if (opts & OPT_HEXHDR)
dumphex(log, buf, sizeof(struct ipl_ci));
dumphex(log, buf, sizeof(iplog_t));
if (opts & OPT_HEXBODY)
dumphex(log, (u_char *)ip, lp->plen + lp->hlen);
dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
}
@ -763,13 +612,18 @@ char *argv[];
{
struct stat sb;
FILE *log = NULL;
int fd[3] = {-1, -1, -1}, doread, n, i, nfd = 1;
int fd[3], doread, n, i, nfd = 1;
int tr, nr, regular, c;
int fdt[3] = {IPL_LOGIPF, IPL_LOGNAT, IPL_LOGSTATE};
int fdt[3];
char buf[512], *iplfile = IPL_NAME;
extern int optind;
extern char *optarg;
fd[0] = fd[1] = fd[2] = -1;
fdt[0] = IPL_LOGIPF;
fdt[1] = IPL_LOGNAT;
fdt[2] = IPL_LOGSTATE;
while ((c = getopt(argc, argv, "?af:FhnNsStvxX")) != -1)
switch (c)
{
@ -795,8 +649,6 @@ char *argv[];
case 'N' :
opts |= OPT_NAT;
fdt[0] = IPL_LOGNAT;
readfunc[0] = read_natlog;
printfunc[0] = print_natlog;
break;
case 's' :
openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC);
@ -805,8 +657,6 @@ char *argv[];
case 'S' :
opts |= OPT_STATE;
fdt[0] = IPL_LOGSTATE;
readfunc[0] = read_statelog;
printfunc[0] = print_statelog;
break;
case 't' :
opts |= OPT_TAIL;
@ -873,11 +723,11 @@ char *argv[];
if (!tr && !(opts & OPT_TAIL))
doread = 0;
}
if (!tr)
if (!tr && nfd != 1)
continue;
nr += tr;
tr = (*readfunc[i])(fd[i], &n, buf, sizeof(buf), log);
tr = read_log(fd[i], &n, buf, sizeof(buf), log);
switch (tr)
{
case -1 :
@ -898,14 +748,14 @@ char *argv[];
break;
case 0 :
if (n > 0) {
(*printfunc[i])(log, buf, n);
print_log(fdt[i], log, buf, n);
if (!(opts & OPT_SYSLOG))
fflush(log);
}
break;
}
}
if (!nr && (opts & OPT_TAIL))
if (!nr && ((opts & OPT_TAIL) || !regular))
sleep(1);
}
exit(0);


@ -1,8 +1,9 @@
# $NetBSD: Makefile,v 1.9 1997/07/05 05:43:58 darrenr Exp $
# $NetBSD: Makefile,v 1.10 1997/09/21 18:01:53 veego Exp $
PROG= ipnat
SRCS= kmem.c ipnat.c
MAN= ipnat.8 ipnat.4 ipnat.5
MLINKS= ipnat.5 ipnat.conf.5
CFLAGS+=-I${.CURDIR}/../ipf -I${.CURDIR}/../ipfstat
.PATH: ${.CURDIR}/../ipf ${.CURDIR}/../ipfstat


@ -1,4 +1,4 @@
/* $NetBSD: ipnat.c,v 1.8 1997/07/05 05:43:59 darrenr Exp $ */
/* $NetBSD: ipnat.c,v 1.9 1997/09/21 18:01:55 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -57,7 +57,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static char rcsid[] = "$Id: ipnat.c,v 1.8 1997/07/05 05:43:59 darrenr Exp $";
static char rcsid[] = "Id: ipnat.c,v 2.0.2.17 1997/09/10 13:08:21 darrenr Exp ";
#endif
#if SOLARIS
@ -100,7 +100,7 @@ int argc;
char *argv[];
{
char *file = NULL;
int fd, opts = 1, c;
int fd = -1, opts = 1, c;
while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1)
switch (c)
@ -188,7 +188,7 @@ void *ptr;
switch (np->in_redir)
{
case NAT_REDIRECT :
printf("redir ");
printf("rdr ");
break;
case NAT_MAP :
printf("map ");
@ -214,11 +214,11 @@ void *ptr;
printf("-> %s", inet_ntoa(np->in_in[0]));
if (np->in_pnext)
printf(" port %d", ntohs(np->in_pnext));
if (np->in_flags & IPN_TCPUDP)
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if (np->in_flags & IPN_TCP)
else if ((np->in_flags & IPN_TCP) == IPN_TCP)
printf(" tcp");
else if (np->in_flags & IPN_UDP)
else if ((np->in_flags & IPN_UDP) == IPN_UDP)
printf(" udp");
printf("\n");
if (verbose)


@ -1,8 +1,8 @@
# $NetBSD: Makefile,v 1.9 1997/07/05 05:44:06 darrenr Exp $
# $NetBSD: Makefile,v 1.10 1997/09/21 18:01:59 veego Exp $
PROG= ipresend
SRCS= ipresend.c ip.c resend.c opt.c ipft_ef.c ipft_hx.c ipft_sn.c ipft_td.c ipft_tx.c sbpf.c 44arp.c
NOMAN= yes
MAN= ipresend.1
CFLAGS+=-I${.CURDIR}/../ipfstat -I${.CURDIR}/../ipsend -I${.CURDIR}/../ipftest -I${.CURDIR}/../ipf
.PATH: ${.CURDIR}/../ipf ${.CURDIR}/../ipfstat ${.CURDIR}/../ipsend ${.CURDIR}/../ipftest


@ -1,13 +1,16 @@
/* $NetBSD: resend.c,v 1.3 1997/05/27 23:08:25 thorpej Exp $ */
/* $NetBSD: resend.c,v 1.4 1997/09/21 18:02:00 veego Exp $ */
/*
* resend.c (C) 1995 Darren Reed
* resend.c (C) 1995-1997 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
@ -29,15 +32,12 @@ static char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#if defined(__NetBSD__)
#include <net/if_ether.h>
#else
#include <netinet/if_ether.h>
#endif
# include <netinet/ip_var.h>
# include <netinet/if_ether.h>
#endif
#include "ipsend.h"
extern int opts;
static u_char buf[65536]; /* 1 big packet */
static void printpacket __P((ip_t *));
@ -105,21 +105,30 @@ char *datain;
while ((i = (*r->r_readip)(buf, sizeof(buf), NULL, NULL)) > 0)
{
len = ntohs(ip->ip_len);
eh = (ether_header_t *)realloc((char *)eh, sizeof(*eh) + len);
eh->ether_type = htons((u_short)ETHERTYPE_IP);
if (!gwip.s_addr) {
if (arp((char *)&gwip,
(char *)&eh->ether_dhost) == -1) {
perror("arp");
continue;
}
} else
bcopy(dhost, (char *)&eh->ether_dhost, sizeof(dhost));
bcopy(ip, (char *)(eh + 1), len);
printpacket(ip);
if (!(opts & OPT_RAW)) {
len = ntohs(ip->ip_len);
eh = (ether_header_t *)realloc((char *)eh, sizeof(*eh) + len);
eh->ether_type = htons((u_short)ETHERTYPE_IP);
if (!gwip.s_addr) {
if (arp((char *)&gwip,
(char *)&eh->ether_dhost) == -1) {
perror("arp");
continue;
}
} else
bcopy(dhost, (char *)&eh->ether_dhost, sizeof(dhost));
if (!ip->ip_sum)
ip->ip_sum = chksum((u_short *)ip,
ip->ip_hl << 2);
bcopy(ip, (char *)(eh + 1), len);
len += sizeof(*eh);
printpacket(ip);
} else {
eh = (ether_header_t *)buf;
len = i;
}
if (sendip(wfd, (char *)eh, sizeof(*eh) + len) == -1)
if (sendip(wfd, (char *)eh, len) == -1)
{
perror("send_packet");
break;
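Review bot: In the non-raw branch, `len` is taken from the record's own `ip_len` field and the `realloc` result is used without a NULL check, so a truncated or malformed input record makes `bcopy(ip, (char *)(eh + 1), len)` copy stale bytes beyond the `i` bytes the reader actually returned, and a failed allocation is dereferenced. Guard both before `eh` is touched: `if (len < (int)sizeof(*ip) || len > i) { fprintf(stderr, "bad ip_len %d\n", len); continue; }` right after `len = ntohs(ip->ip_len);`, and `if (!eh) { perror("realloc"); break; }` after the `realloc`. Assigning the `realloc` result straight into `eh` also discards the old buffer on failure, which is only cosmetic here because the loop breaks. The `ip_hl << 2` passed to `chksum` is likewise unvalidated and comes from the same record. The enclosing send loop starts outside the hunk.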


@ -1,4 +1,4 @@
/* $NetBSD: 44arp.c,v 1.3 1997/05/27 23:10:46 thorpej Exp $ */
/* $NetBSD: 44arp.c,v 1.4 1997/09/21 18:02:03 veego Exp $ */
/*
* Based upon 4.4BSD's /usr/sbin/arp
@ -15,11 +15,7 @@
#include <net/if_types.h>
#include <net/route.h>
#include <netinet/in.h>
#if defined(__NetBSD__)
#include <netinet/if_inarp.h>
#else
#include <netinet/if_ether.h>
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>


@ -1,9 +1,14 @@
# $NetBSD: Makefile,v 1.8 1997/07/05 05:44:11 darrenr Exp $
# $NetBSD: Makefile,v 1.9 1997/09/21 18:02:04 veego Exp $
PROG= ipsend
SRCS= ipsend.c ip.c ipsopt.c 44arp.c sbpf.c
NOMAN= yes
CFLAGS+=-I${.CURDIR}/../ipftest -I${.CURDIR}/../ipf
SRCS= ipsend.c ip.c ipsopt.c 44arp.c sbpf.c iplang_l.l iplang_y.y
CFLAGS+=-I${.CURDIR}/../ipftest -I${.CURDIR}/../ipf -I.
LDADD= -ll
DPADD= ${LIBL}
CLEANFILES+= y.tab.h
MAN= ipsend.1 ipsend.5
.PATH: ${.CURDIR}/../ipf
.include <bsd.prog.mk>


@ -1,13 +1,11 @@
/* $NetBSD: ip.c,v 1.3 1997/05/27 23:10:48 thorpej Exp $ */
/* $NetBSD: ip.c,v 1.4 1997/09/21 18:02:06 veego Exp $ */
/*
* ip.c (C) 1995 Darren Reed
* ip.c (C) 1995-1997 Darren Reed
*
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "%W% %G% (C)1995";
@ -27,12 +25,8 @@ static char sccsid[] = "%W% %G% (C)1995";
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#if defined(__NetBSD__)
#include <net/if_ether.h>
#else
#include <netinet/if_ether.h>
#endif
#include <netinet/ip_var.h>
# include <netinet/if_ether.h>
# include <netinet/ip_var.h>
#endif
#include "ipsend.h"
@ -120,12 +114,14 @@ int frag;
last_gw.s_addr = gwip.s_addr;
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
if (!ip->ip_v)
ip->ip_v = IPVERSION;
if (!ip->ip_id)
ip->ip_id = htons(id++);
if (!ip->ip_ttl)
ip->ip_ttl = 60;
if (!(frag & 2)) {
if (!ip->ip_v)
ip->ip_v = IPVERSION;
if (!ip->ip_id)
ip->ip_id = htons(id++);
if (!ip->ip_ttl)
ip->ip_ttl = 60;
}
if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu))
{
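Review bot: The new `if (!(frag & 2))` guard tests a magic bit whose meaning is stated nowhere in the hunk, so the next reader has to trace every caller to learn why version, id and ttl are sometimes left alone. A one-line comment would carry that: `/* frag & 2: caller supplied a complete header; leave ip_v/ip_id/ip_ttl as given */` — I infer this from the three fields the guard skips, so confirm against the callers before adopting the wording. A named macro for the bit would be better still if ipsend.h has a convention for such flags. The enclosing function starts and ends outside the hunk.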


@ -1,4 +1,4 @@
/* $NetBSD: iplang_y.y,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */
/* $NetBSD: iplang_y.y,v 1.2 1997/09/21 18:02:08 veego Exp $ */
%{
/*
@ -31,6 +31,7 @@
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <net/if.h>
@ -40,7 +41,7 @@
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
#include <netinet/ip_compat.h>
#include "ipsend.h"
#include <netinet/ip_fil.h>
#include "ipf.h"
#include "iplang.h"
@ -53,6 +54,7 @@ extern int state, state, lineNum, token;
extern int yylineno;
extern char yytext[];
extern FILE *yyin;
int yylex __P((void));
/*#define YYDEBUG 1*/
int yydebug = 0;
@ -142,6 +144,7 @@ void set_icmpttime __P((int));
void set_icmpmtu __P((int));
void set_redir __P((int, char **));
void new_ipv4opt __P((void));
void set_icmppprob __P((int));
void add_ipopt __P((int, void *));
void end_ipopt __P((void));
void set_secclass __P((char **));
@ -790,7 +793,6 @@ void set_datafile(arg)
char **arg;
{
struct stat sb;
u_char *t = canip->ah_data;
char *file = *arg;
int fd, len;
@ -890,7 +892,7 @@ char **arg;
void set_ipv4hl(arg)
char **arg;
{
int offset, newhl, inc;
int newhl, inc;
newhl = strtol(*arg, NULL, 0);
inc = (newhl - ip->ip_hl) << 2;
@ -953,7 +955,6 @@ char **arg;
void new_tcpheader()
{
int offset, inc;
if ((ip->ip_p) && (ip->ip_p != IPPROTO_TCP)) {
fprintf(stderr, "protocol %d specified with TCP!\n", ip->ip_p);
@ -1072,7 +1073,6 @@ char **arg;
static int flagv[] = { TH_ACK, TH_SYN, TH_URG, TH_RST, TH_PUSH,
TH_FIN } ;
char *s, *t;
int nf = 0;
for (s = *arg; *s; s++)
if (!(t = strchr(flags, *s))) {
@ -1577,8 +1577,8 @@ void *ptr;
{
struct ipopt_names *io;
struct statetoopt *sto;
char *op, numbuf[16], *arg, **param = ptr;
int inc, optlen, hlen, *inptr;
char numbuf[16], *arg, **param = ptr;
int inc, hlen;
if (state == IL_IPO_RR || state == IL_IPO_SATID) {
if (param)
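Review bot: In set_ipv4hl (hunk `@ -890,7 +892,7 @@`), `newhl = strtol(*arg, NULL, 0)` is stored with no range check, and `inc = (newhl - ip->ip_hl) << 2` left-shifts a negative value whenever the requested length is smaller than the current one, which is undefined behaviour in C. Since the value lands in a 4-bit header field, reject anything outside the legal 5..15 words before computing the delta: `if (newhl < 5 || newhl > 15) { fprintf(stderr, "bad IPv4 header length %d\n", newhl); return; }` and write the delta as `inc = (newhl - ip->ip_hl) * 4;`. The same shift of a possibly negative difference may exist in the other set_* functions outside this view; the unused-variable cleanup in this commit did not touch it. set_ipv4hl's body continues outside the hunk.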


@ -1,20 +1,16 @@
/* $NetBSD: ipsend.c,v 1.3 1997/05/27 23:10:49 thorpej Exp $ */
/* $NetBSD: ipsend.c,v 1.4 1997/09/21 18:02:10 veego Exp $ */
/*
* ipsend.c (C) 1995 Darren Reed
* ipsend.c (C) 1995-1997 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
*
* This was written and tested (successfully) on SunOS 4.1.x.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
@ -38,12 +34,15 @@ static char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
#include <netinet/ip_var.h>
#endif
#include "ipsend.h"
#include "ipf.h"
extern char *optarg;
extern int optind;
extern void iplang __P((FILE *));
char options[68];
int opts;
#ifdef linux
char default_device[] = "eth0";
#else
@ -83,6 +82,12 @@ char *prog;
\t\t-T\t\tSet TCP protocol\n\
\t\t-t port\t\tdestination port\n\
\t\t-U\t\tSet UDP protocol\n\
\t\t-v\tverbose mode\n\
\t\t-w <window>\tSet the TCP window size\n\
", prog);
fprintf(stderr, "Usage: %s [-v] -L <filename>\n\
\toptions:\n\
\t\t-L filename\tUse IP language for sending packets\n\
", prog);
exit(1);
}
@ -160,13 +165,14 @@ int main(argc, argv)
int argc;
char **argv;
{
FILE *langfile = NULL;
struct tcpiphdr *ti;
struct in_addr gwip;
tcphdr_t *tcp;
ip_t *ip;
char *name = argv[0], host[64], *gateway = NULL, *dev = NULL;
char *src = NULL, *dst, *s;
int c, mtu = 1500, olen = 0;
int mtu = 1500, olen = 0, c, nonl = 0;
/*
* 65535 is maximum packet size...you never know...
@ -177,10 +183,11 @@ char **argv;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
while ((c = (char)getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
while ((c = getopt(argc, argv, "IL:P:TUd:f:g:m:o:s:t:vw:")) != -1)
switch (c)
{
case 'I' :
nonl++;
if (ip->ip_p)
{
fprintf(stderr, "Protocol already set: %d\n",
@ -189,10 +196,26 @@ char **argv;
}
do_icmp(ip, optarg);
break;
case 'L' :
if (nonl) {
fprintf(stderr,
"Incorrect usage of -L option.\n");
usage(name);
}
if (!strcmp(optarg, "-"))
langfile = stdin;
else if (!(langfile = fopen(optarg, "r"))) {
fprintf(stderr, "can't open file %s\n",
optarg);
exit(1);
}
iplang(langfile);
return 0;
case 'P' :
{
struct protoent *p;
nonl++;
if (ip->ip_p)
{
fprintf(stderr, "Protocol already set: %d\n",
@ -207,6 +230,7 @@ char **argv;
break;
}
case 'T' :
nonl++;
if (ip->ip_p)
{
fprintf(stderr, "Protocol already set: %d\n",
@ -217,6 +241,7 @@ char **argv;
ip->ip_len += sizeof(tcphdr_t);
break;
case 'U' :
nonl++;
if (ip->ip_p)
{
fprintf(stderr, "Protocol already set: %d\n",
@ -227,15 +252,19 @@ char **argv;
ip->ip_len += sizeof(udphdr_t);
break;
case 'd' :
nonl++;
dev = optarg;
break;
case 'f' :
nonl++;
ip->ip_off = strtol(optarg, NULL, 0);
break;
case 'g' :
nonl++;
gateway = optarg;
break;
case 'm' :
nonl++;
mtu = atoi(optarg);
if (mtu < 28)
{
@ -244,16 +273,23 @@ char **argv;
}
break;
case 'o' :
olen = optname(optarg, options);
nonl++;
olen = buildopts(optarg, options, (ip->ip_hl - 5) << 2);
break;
case 's' :
nonl++;
src = optarg;
break;
case 't' :
nonl++;
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
tcp->th_dport = htons(atoi(optarg));
break;
case 'v' :
opts |= OPT_VERBOSE;
break;
case 'w' :
nonl++;
if (ip->ip_p == IPPROTO_TCP)
tcp->th_win = atoi(optarg);
else
@ -264,7 +300,7 @@ char **argv;
usage(name);
}
if (argc - optind < 2)
if (argc - optind < 1)
usage(name);
dst = argv[optind++];
@ -294,6 +330,23 @@ char **argv;
exit(2);
}
if (olen)
{
caddr_t ipo = (caddr_t)ip;
printf("Options: %d\n", olen);
ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
bcopy((char *)ip, (char *)ti, sizeof(*ip));
ip = (ip_t *)ti;
ip->ip_hl = (olen >> 2);
bcopy(options, (char *)(ip + 1), olen);
bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
ip->ip_len += olen;
bcopy((char *)ip, (char *)ipo, ip->ip_len);
ip = (ip_t *)ipo;
tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
}
if (ip->ip_p == IPPROTO_TCP)
for (s = argv[optind]; (c = *s); s++)
switch(c)
@ -328,19 +381,6 @@ char **argv;
printf("Flags: %#x\n", tcp->th_flags);
printf("mtu: %d\n", mtu);
if (olen)
{
printf("Options: %d\n", olen);
ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
bcopy((char *)ip, (char *)ti, sizeof(*ip));
ip = (ip_t *)ti;
ip->ip_hl += (olen >> 2);
bcopy(options, (char *)(ip + 1), olen);
bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
ip->ip_len += olen;
}
#ifdef DOSOCKET
if (tcp->th_dport)
return do_socket(dev, mtu, ti, gwip);
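Review bot: In the relocated options block (hunk `@ -294,6 +330,23 @@`), `ip->ip_hl = (olen >> 2);` replaces the previous `ip->ip_hl += (olen >> 2);` and so drops the five words of the fixed header — the same block copies `olen` bytes of options after `ip + 1`, which only makes sense if `olen` is the option length alone, so the assignment should read `ip->ip_hl = 5 + (olen >> 2);` unless buildopts now returns a total header length (confirm). The `malloc(olen + ip->ip_len)` result is used without a NULL check. After the copy back into `ipo`, `ip` and `tcp` point at the original buffer while `ti` still names the malloc'd copy, so the TCP flags written through `tcp` just below are not in the `ti` later handed to `do_socket`; if do_socket reads the headers from `ti`, it sees the pre-flag copy. The `-L` branch also returns with `langfile` still open, harmless at exit but worth an `fclose` when it is not stdin. The rest of main is outside the hunk.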


@ -1,4 +1,4 @@
/* $NetBSD: ipsend.h,v 1.2 1997/05/28 03:04:44 thorpej Exp $ */
/* $NetBSD: ipsend.h,v 1.3 1997/09/21 18:02:12 veego Exp $ */
/*
* ipsend.h (C) 1997 Darren Reed
@ -23,20 +23,13 @@
# endif
#endif
#include "ip_compat.h"
#include <netinet/ip_compat.h>
#ifdef linux
#include <linux/sockios.h>
#endif
/*
* XXX use the version in <netinet/tcpip.h> right now; the ipfilter
* XXX version cannot be redistributed!
*/
#if 0
#include "tcpip.h"
#else
#include <netinet/tcpip.h>
#endif
#include "ipt.h"
#include "ipf.h"
extern int resolve __P((char *, char *));
extern int arp __P((char *, char *));
@ -49,7 +42,8 @@ extern int send_icmp __P((int, int, ip_t *, struct in_addr));
extern int send_packet __P((int, int, ip_t *, struct in_addr));
extern int send_packets __P((char *, int, ip_t *, struct in_addr));
extern u_short seclevel __P((char *));
extern u_long optname __P((char *, char *));
extern u_32_t buildopts __P((char *, char *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int initdevice __P((char *, int, int));
extern int sendip __P((int, char *, int));
#ifdef linux
@ -72,3 +66,5 @@ extern int openkmem __P((void));
extern int kmemcpy __P((char *, void *, int));
#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c))
#define OPT_RAW 0x80000
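Review bot: `#define OPT_RAW 0x80000` is added with no comment on what it selects or how it relates to the other OPT_ bits that come from ipf.h, which this header also includes, so a collision in that bit range would be silent. A one-line comment would help: `/* OPT_RAW: input records already carry a link-layer header; send them as read (see resend.c) */` — I infer this from resend.c using `buf` directly as the ethernet frame when the bit is set, so confirm before adopting the wording. Confirm also that the bit is free in ipf.h's OPT_ range before relying on it.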


@ -1,4 +1,4 @@
/* $NetBSD: ipsopt.c,v 1.1.1.3 1997/09/21 16:49:13 veego Exp $ */
/* $NetBSD: ipsopt.c,v 1.2 1997/09/21 18:02:14 veego Exp $ */
/*
* (C)opyright 1995-1997 by Darren Reed.
@ -19,8 +19,10 @@ static char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netinet/ip_compat.h>
#include "ipsend.h"
#ifndef __P
@ -32,13 +34,6 @@ static char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
#endif
struct ipopt_names {
int on_value;
int on_bit;
int on_siz;
char *on_name;
};
struct ipopt_names ionames[] = {
{ IPOPT_EOL, 0x01, 1, "eol" },
{ IPOPT_NOP, 0x02, 1, "nop" },
@ -63,12 +58,6 @@ struct ipopt_names secnames[] = {
};
u_short seclevel __P((char *));
u_long optname __P((char *, char *));
int addipopt __P((char *, struct ipopt_names *, int, char *));
u_32_t buildopts __P((char *, char *, int));
u_short seclevel(slevel)
char *slevel;
{


@ -1,11 +1,11 @@
/* $NetBSD: sbpf.c,v 1.3 1997/05/27 23:10:52 thorpej Exp $ */
/* $NetBSD: sbpf.c,v 1.4 1997/09/21 18:02:16 veego Exp $ */
/*
* (C)opyright October 1995 Darren Reed. (from tcplog)
*
* This software may be freely distributed as long as it is not altered
* in any way and that this messagge always accompanies it.
* (C)opyright 1995-1997 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#include <stdio.h>
#include <netdb.h>
@ -33,11 +33,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#if defined(__NetBSD__)
#include <netinet/if_inarp.h>
#else
#include <netinet/if_ether.h>
#endif
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>


@ -1,8 +1,8 @@
# $NetBSD: Makefile,v 1.9 1997/07/05 05:44:14 darrenr Exp $
# $NetBSD: Makefile,v 1.10 1997/09/21 18:02:19 veego Exp $
PROG= iptest
SRCS= iptest.c iptests.c ip.c sbpf.c 44arp.c sock.c
NOMAN= yes
MAN= iptest.1
CFLAGS+=-I${.CURDIR}/../ipsend -I${.CURDIR}/../ipftest -I${.CURDIR}/../ipf
.PATH: ${.CURDIR}/../ipf ${.CURDIR}/../ipsend


@ -1,20 +1,16 @@
/* $NetBSD: iptest.c,v 1.3 1997/05/27 23:13:15 thorpej Exp $ */
/* $NetBSD: iptest.c,v 1.4 1997/09/21 18:02:21 veego Exp $ */
/*
* ipsend.c (C) 1995 Darren Reed
* ipsend.c (C) 1995-1997 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
*
* This was written and tested (successfully) on SunOS 4.1.x.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
@ -100,7 +96,7 @@ char **argv;
ip_t *ip;
char *name = argv[0], host[64], *gateway = NULL, *dev = NULL;
char *src = NULL, *dst;
int c, mtu = 1500, tests = 0, pointtest = 0;
int mtu = 1500, tests = 0, pointtest = 0, c;
/*
* 65535 is maximum packet size...you never know...
@ -110,8 +106,7 @@ char **argv;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
while ((c = (char)getopt(argc, argv,
"1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
while ((c = getopt(argc, argv, "1234567d:g:m:p:s:")) != -1)
switch (c)
{
case '1' :


@ -1,11 +1,11 @@
/* $NetBSD: iptests.c,v 1.3 1997/05/27 23:13:17 thorpej Exp $ */
/* $NetBSD: iptests.c,v 1.4 1997/09/21 18:02:24 veego Exp $ */
/*
* (C)opyright 1993, 1994, 1995 by Darren Reed.
* (C)opyright 1993-1997 by Darren Reed.
*
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
* for the use of this software. I hate legaleese, don't you ?
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
@ -52,11 +52,7 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#if defined(__NetBSD__)
#include <netinet/if_inarp.h>
#else
#include <netinet/if_ether.h>
#endif
#include <netinet/ip_var.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
@ -80,7 +76,7 @@ int ptest;
{
struct timeval tv;
udphdr_t *u;
int nfd, i, len, id = getpid();
int nfd, i = 0, len, id = getpid();
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
@ -842,7 +838,7 @@ int ptest;
PAUSE();
}
if (!ptest || (ptest == 4)) {
if (!ptest || (ptest == 5)) {
/*
* Test 5: sizeof(struct ip) <= MTU <= sizeof(struct udphdr) +
* sizeof(struct ip)


@ -1,13 +1,11 @@
/* $NetBSD: sock.c,v 1.4 1997/05/28 03:08:40 thorpej Exp $ */
/* $NetBSD: sock.c,v 1.5 1997/09/21 18:02:26 veego Exp $ */
/*
* sock.c (C) 1995 Darren Reed
* sock.c (C) 1995-1997 Darren Reed
*
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
@ -91,7 +89,7 @@ void *pos;
int n;
{
static int kfd = -1;
off_t offset = (u_long)pos;
off_t offset = (u_long)pos;
if (kfd == -1)
kfd = open(KMEM, O_RDONLY);