Import IPFilter 4.1.5

This commit is contained in:
martti 2005-02-08 06:52:59 +00:00
parent 7245b8aa0a
commit 4d6a62d250
54 changed files with 1522 additions and 435 deletions

182
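--- /dev/null
+++ b/dist/ipf/Linux/Makefile.kbuild
@@ -0,0 +1,182 @@
+#
+# Copyright (C) 1993-1998 by Darren Reed.
+#
+# See the IPFILTER.LICENCE file for details on licencing.
+#
+CONFIG_IPFILTER=m
+#
+# For Linux
+#
+CPUTYPE:=$(shell uname -m | sed -e 's/i.86/i386/' -e 's/sun4u/sparc64/' -e 's/arm.*/arm/' -e 's/sa110/arm/')
+ARCH:=$(shell uname -m)
+OBJ=.
+TOP=..
+CPU:=$(shell uname -i)
+KREV:=$(shell uname -r)
+MODDIR=/lib/modules/$(KREV)
+IPV4DIR=$(MODDIR)/kernel/net/ipv4/
+CPUDIR=
+DEBUG=-g
+#
+########## ########## ########## ########## ########## ########## ##########
+#
+#
+MODOBJS=$(OBJ)/linuxm.o $(OBJ)/ip_film.o $(OBJ)/fil.o $(OBJ)/ip_nat.o \
+$(OBJ)/ip_frag.o $(OBJ)/ip_scan.o $(OBJ)/ip_sync.o \
+$(OBJ)/ip_state.o $(OBJ)/ip_proxy.o $(OBJ)/ip_auth.o \
+$(OBJ)/ip_lookup.o $(OBJ)/ip_pool.o $(OBJ)/ip_htable.o \
+$(OBJ)/ip_log.o $(OBJ)/radix.o
+obj-$(CONFIG_IPFILTER) += ipfilter.o
+ipfilter-objs =$(MODOBJS)
+all: ipflkm
+ipflkm:
+if [ $(LINUX) -lt 20499 ] ; then \
+make $(OBJ)/ipfilter.o ; \
+else \
+make $(OBJ)/ipflkm.o ; \
+fi
+$(OBJ)/ipfilter.o: $(MODOBJS)
+ld -r $(MODOBJS) -o $(OBJ)/ipfilter.o
+${RM} -f $(OBJ)/ipfilter
+fil.c $(obj)//fil.c: $(TOP)/fil.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_nat.c $(obj)//ip_nat.c: $(TOP)/ip_nat.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_frag.c $(obj)//ip_frag.c: $(TOP)/ip_frag.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_state.c $(obj)//ip_state.c: $(TOP)/ip_state.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_proxy.c $(obj)//ip_proxy.c: $(TOP)/ip_proxy.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_auth.c $(obj)//ip_auth.c: $(TOP)/ip_auth.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_lookup.c $(obj)//ip_lookup.c: $(TOP)/ip_lookup.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_htable.c $(obj)//ip_htable.c: $(TOP)/ip_htable.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_pool.c $(obj)//ip_pool.c: $(TOP)/ip_pool.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_scan.c $(obj)//ip_scan.c: $(TOP)/ip_scan.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_sync.c $(obj)//ip_sync.c: $(TOP)/ip_sync.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+$(OBJ)/ip_log.o: ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+ip_log.c $(obj)//ip_log.c: $(TOP)/ip_log.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+radix.c $(obj)//radix.c: $(TOP)/radix.c Makefile
+sed -e '/^#/,$$d' $< > $@
+echo '#include "ipf-linux.h"' >> $@
+sed -ne '/END OF INCLUDES/,$$p' $< >> $@
+ip_rules.c: $(TOP)/rules/ip_rules $(TOP)/tools/ipfcomp.o $(OBJ)/ipf
+$(OBJ)/ipf -cc -nf $(TOP)/rules/ip_rules
+$(TOP)/ip_rules.h: ip_rules.c
+if [ ! -f $(TOP)/ip_rules.h ] ; then \
+/bin/mv -f ip_rules.h $(TOP); \
+else \
+touch $(TOP)/ip_rules.h; \
+fi
+$(obj)//linuxm.o: $(obj)/linuxm.c
+$(obj)//fil.o: $(obj)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
+$(obj)/../ipf-linux.h
+$(obj)//ip_auth.o: $(obj)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_film.o: $(obj)/ip_film.c
+$(obj)//ip_frag.o: $(obj)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_htable.o: $(obj)/ip_htable.c $(TOP)/ip_htable.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_lookup.o: $(obj)/ip_lookup.c $(TOP)/ip_lookup.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_nat.o: $(obj)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_pool.o: $(obj)/ip_pool.c $(TOP)/ip_pool.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_proxy.o: $(obj)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_scan.o: $(obj)/ip_scan.c $(TOP)/ip_scan.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//ip_state.o: $(obj)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(TOP)/ip_nat.h $(obj)/../ipf-linux.h
+$(obj)//ip_sync.o: $(obj)/ip_sync.c $(TOP)/ip_sync.h $(TOP)/ip_compat.h \
+$(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)//radix.o: $(obj)/radix.c $(TOP)/radix_ipf.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/linux.o: $(obj)/$(CPUDIR)/linux.c
+$(obj)/$(CPUDIR)/fil.o: $(obj)/$(CPUDIR)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h \
+$(TOP)/ip_compat.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_auth.o: $(obj)/$(CPUDIR)/ip_auth.c $(TOP)/ip_auth.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_film.o: $(obj)/$(CPUDIR)/ip_film.c
+$(obj)/$(CPUDIR)/ip_frag.o: $(obj)/$(CPUDIR)/ip_frag.c $(TOP)/ip_frag.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_htable.o: $(obj)/$(CPUDIR)/ip_htable.c $(TOP)/ip_htable.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_lookup.o: $(obj)/$(CPUDIR)/ip_lookup.c $(TOP)/ip_lookup.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_nat.o: $(obj)/$(CPUDIR)/ip_nat.c $(TOP)/ip_nat.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_pool.o: $(obj)/$(CPUDIR)/ip_pool.c $(TOP)/ip_pool.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_proxy.o: $(obj)/$(CPUDIR)/ip_proxy.c $(TOP)/ip_proxy.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_scan.o: $(obj)/$(CPUDIR)/ip_scan.c $(TOP)/ip_scan.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_state.o: $(obj)/$(CPUDIR)/ip_state.c $(TOP)/ip_state.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_nat.h \
+$(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/ip_sync.o: $(obj)/$(CPUDIR)/ip_sync.c $(TOP)/ip_sync.h \
+$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(obj)/../ipf-linux.h
+$(obj)/$(CPUDIR)/radix.o: $(obj)/$(CPUDIR)/radix.c $(TOP)/radix_ipf.h \
+ipf-linux.h
+$(obj)/$(CPUDIR)/linuxm.c $(obj)//linuxm.c: $(TOP)/linux.c
+@if [ ! -h $@ ] ; then ln -s $< $@; fi
+$(obj)/$(CPUDIR)/ip_film.c $(obj)//ip_film.c: $(TOP)/ip_fil_linux.c
+@if [ ! -h $@ ] ; then ln -s $< $@; fi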
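Review bot: The `ipflkm` recipe invokes a bare `make` on its two sub-build lines, so `-n`, `-j` and the jobserver are not propagated; both should read `$(MAKE) $(OBJ)/ipfilter.o ; \` and `$(MAKE) $(OBJ)/ipflkm.o ; \`. The same rule tests `[ $(LINUX) -lt 20499 ]`, but `LINUX` is assigned nowhere in this file, so unless it arrives from the environment or a parent make the test expands to `[ -lt 20499 ]` and the shell reports an error rather than choosing a branch; quoting it as `"$(LINUX)"` and adding a parse-time `$(if $(strip $(LINUX)),,$(error LINUX must be set))` guard would make the requirement explicit. `all` and `ipflkm` are also never declared `.PHONY`, so a stray file named `ipflkm` would silently satisfy the default target.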

17
dist/ipf/ip_htable.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_htable.c,v 1.1.1.1 2004/03/28 08:55:38 martti Exp $ */
/* $NetBSD: ip_htable.c,v 1.1.1.2 2005/02/08 06:52:59 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -53,7 +53,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.1 2004/03/06 14:32:58 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -377,6 +377,15 @@ void *tptr, *aptr;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_iphmfindip */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
/* Parameters: tptr(I) - pointer to the pool to search */
/* version(I) - IP protocol version (4 or 6) */
/* aptr(I) - pointer to address information */
/* */
/* Search the hash table for a given address and return a search result. */
/* ------------------------------------------------------------------------ */
int fr_iphmfindip(tptr, version, aptr)
void *tptr, *aptr;
int version;
@ -387,10 +396,10 @@ int version;
int rval;
if (version != 4)
return 1;
return -1;
if (tptr == NULL || aptr == NULL)
return 1;
return -1;
iph = tptr;
addr = aptr;

22
dist/ipf/ip_irc_pxy.c vendored

@ -1,11 +1,11 @@
/* $NetBSD: ip_irc_pxy.c,v 1.1.1.2 2004/07/23 05:33:55 martti Exp $ */
/* $NetBSD: ip_irc_pxy.c,v 1.1.1.3 2005/02/08 06:52:59 martti Exp $ */
/*
* Copyright (C) 2000-2003 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_irc_pxy.c,v 2.39.2.2 2004/05/24 14:01:48 darrenr Exp
* Id: ip_irc_pxy.c,v 2.39.2.3 2004/12/09 19:40:59 darrenr Exp
*/
#define IPF_IRC_PROXY
@ -95,10 +95,10 @@ size_t len;
s++;
c = *s;
ircp->irc_snick = s;
if (!isalpha(c))
if (!ISALPHA(c))
return 0;
i--;
for (c = *s; !isspace(c) && (i > 0); i--)
for (c = *s; !ISSPACE(c) && (i > 0); i--)
c = *s++;
if (i < 31)
return 0;
@ -120,9 +120,9 @@ size_t len;
/*
* Loosely check that the destination is a nickname of some sort
*/
if (!isalpha(c))
if (!ISALPHA(c))
return 0;
for (; !isspace(c) && (i > 0); i--)
for (; !ISSPACE(c) && (i > 0); i--)
c = *s++;
if (i < 20)
return 0;
@ -166,7 +166,7 @@ size_t len;
* Check for the arg
*/
c = *s;
if (isspace(c))
if (ISSPACE(c))
return 0;
ircp->irc_arg = s;
for (; (c != ' ') && (c != '\001') && (i > 0); i--)
@ -181,13 +181,13 @@ size_t len;
s++;
i--;
c = *s;
if (!isdigit(c))
if (!ISDIGIT(c))
return 0;
ircp->irc_addr = s;
/*
* Get the IP#
*/
for (l = 0; isdigit(c) && (i > 0); i--) {
for (l = 0; ISDIGIT(c) && (i > 0); i--) {
l *= 10;
l += c - '0';
c = *s++;
@ -203,12 +203,12 @@ size_t len;
s++;
i--;
c = *s;
if (!isdigit(c))
if (!ISDIGIT(c))
return 0;
/*
* Get the port#
*/
for (l = 0; isdigit(c) && (i > 0); i--) {
for (l = 0; ISDIGIT(c) && (i > 0); i--) {
l *= 10;
l += c - '0';
c = *s++;

8
dist/ipf/ip_pool.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_pool.c,v 1.1.1.2 2004/07/23 05:34:00 martti Exp $ */
/* $NetBSD: ip_pool.c,v 1.1.1.3 2005/02/08 06:53:01 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -79,7 +79,7 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.9 2004/06/13 23:45:18 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.11 2004/10/17 15:49:14 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -367,7 +367,7 @@ addrfamily_t *addr, *mask;
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_search */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve match */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
/* Parameters: tptr(I) - pointer to the pool to search */
/* version(I) - IP protocol version (4 or 6) */
/* dptr(I) - pointer to address information */
@ -390,7 +390,7 @@ void *dptr;
if (ipo == NULL)
return -1;
rv = -1;
rv = 1;
m = NULL;
addr = (i6addr_t *)dptr;
bzero(&v, sizeof(v));


@ -1,4 +1,4 @@
/* $NetBSD: ip_pptp_pxy.c,v 1.1.1.2 2004/07/23 05:34:00 martti Exp $ */
/* $NetBSD: ip_pptp_pxy.c,v 1.1.1.3 2005/02/08 06:53:01 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Darren Reed
@ -6,7 +6,7 @@
* Simple PPTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_pptp_pxy.c,v 2.10.2.5 2004/06/07 14:20:05 darrenr Exp
* Id: ip_pptp_pxy.c,v 2.10.2.6 2004/11/25 15:37:37 darrenr Exp
*
*/
#define IPF_PPTP_PROXY
@ -120,7 +120,7 @@ nat_t *nat;
fi.fin_flx &= ~FI_TCPUDP;
fi.fin_flx |= FI_IGNORE;
nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, 0, NAT_OUTBOUND);
nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, NAT_SLAVE, NAT_OUTBOUND);
pptp->pptp_nat = nat2;
if (nat2 != NULL) {
(void) nat_proto(&fi, nat2, 0);


@ -1,4 +1,4 @@
/* $NetBSD: ip_rpcb_pxy.c,v 1.1.1.2 2004/07/23 05:34:01 martti Exp $ */
/* $NetBSD: ip_rpcb_pxy.c,v 1.1.1.3 2005/02/08 06:53:01 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
@ -39,7 +39,7 @@
* o The enclosed hack of STREAMS support is pretty sick and most likely
* broken.
*
* Id: ip_rpcb_pxy.c,v 2.25.2.1 2004/05/04 03:47:49 darrenr Exp
* Id: ip_rpcb_pxy.c,v 2.25.2.2 2004/12/09 19:41:00 darrenr Exp
*/
#define IPF_RPCB_PROXY
@ -684,11 +684,11 @@ ippr_rpcb_getuaddr(rm, xu, p)
* Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
* an IP address and [ef] are the bytes of a L4 port.
*/
if (!(isdigit(uastr[0]) && isdigit(uastr[l-1])))
if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
return(-1);
b = uastr;
for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
if (isdigit(*c)) {
if (ISDIGIT(*c)) {
dd = 0;
continue;
}
@ -742,7 +742,7 @@ ippr_rpcb_atoi(ptr)
register char *s = ptr, c;
register u_int i = 0;
while (((c = *s++) != '\0') && isdigit(c)) {
while (((c = *s++) != '\0') && ISDIGIT(c)) {
i *= 10;
i += c - '0';
}

6
dist/ipf/ip_scan.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_scan.c,v 1.1.1.1 2004/03/28 08:55:43 martti Exp $ */
/* $NetBSD: ip_scan.c,v 1.1.1.2 2005/02/08 06:53:01 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -60,7 +60,7 @@ struct file;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40 2004/01/27 00:24:56 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.1 2004/12/09 19:41:01 darrenr Exp";
#endif
#ifdef IPFILTER_SCAN /* endif at bottom of file */
@ -300,7 +300,7 @@ int n;
return 1;
break;
case '?' :
if (!isalpha(*up) || ((*s & 0x5f) != (*up & 0x5f)))
if (!ISALPHA(*up) || ((*s & 0x5f) != (*up & 0x5f)))
return 1;
break;
case '*' :

215
dist/ipf/ip_sync.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_sync.c,v 1.1.1.1 2004/03/28 08:55:46 martti Exp $ */
/* $NetBSD: ip_sync.c,v 1.1.1.2 2005/02/08 06:53:02 martti Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@ -98,7 +98,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.1 2004/03/22 12:21:54 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.2 2004/10/31 18:45:58 darrenr Exp";
#endif
#define SYNC_STATETABSZ 256
@ -120,6 +120,7 @@ u_int sl_idx = 0, /* next available sync log entry */
su_idx = 0, /* next available sync update entry */
sl_tail = 0, /* next sync log entry to read */
su_tail = 0; /* next sync update entry to read */
int ipf_sync_debug = 0;
# if !defined(sparc) && !defined(__hppa)
@ -263,6 +264,7 @@ ipstate_t *ips;
# define ipfsync_storder(x,y)
# endif /* !defined(sparc) && !defined(__hppa) */
/* enable this for debugging */
# ifdef _KERNEL
/* ------------------------------------------------------------------------ */
@ -277,37 +279,129 @@ int ipfsync_write(uio)
struct uio *uio;
{
synchdr_t sh;
/*
* THIS MUST BE SUFFICIENT LARGE TO STORE
* ANY POSSIBLE DATA TYPE
*/
char data[2048];
int err = 0;
/*
* All writes will be in multiples of 4 and at least 8 bytes.
*/
if ((uio->uio_resid & 3) || (uio->uio_resid < 8))
return EINVAL;
# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
uio->uio_rw = UIO_WRITE;
# endif
while ((uio->uio_resid > 0) &&
UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio) == 0) {
sh.sm_num = ntohl(sh.sm_num);
if (sh.sm_v != 4 && sh.sm_v != 6)
continue;
/* Try to get bytes */
while (uio->uio_resid > 0) {
if (uio->uio_resid >= sizeof(sh)) {
err = UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio);
if (err) {
if (ipf_sync_debug > 2)
printf("uiomove(header) failed: %d\n",
err);
return err;
}
/* convert to host order */
sh.sm_magic = ntohl(sh.sm_magic);
sh.sm_len = ntohl(sh.sm_len);
sh.sm_num = ntohl(sh.sm_num);
if (ipf_sync_debug > 8)
printf("[%d] Read v:%d p:%d cmd:%d table:%d rev:%d len:%d magic:%x\n",
sh.sm_num, sh.sm_v, sh.sm_p, sh.sm_cmd,
sh.sm_table, sh.sm_rev, sh.sm_len,
sh.sm_magic);
if (sh.sm_magic != SYNHDRMAGIC) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalud %x\n",
"magic");
return EINVAL;
}
if (sh.sm_v != 4 && sh.sm_v != 6) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalid %s\n",
"protocol");
return EINVAL;
}
if (sh.sm_cmd > SMC_MAXCMD) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalid %s\n",
"command");
return EINVAL;
}
if (sh.sm_table > SMC_MAXTBL) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalid %s\n",
"table");
return EINVAL;
}
} else {
/* unsufficient data, wait until next call */
if (ipf_sync_debug > 2)
printf("uiomove(header) insufficient data");
return EAGAIN;
}
if ((sh.sm_cmd > SMC_MAXCMD) || (sh.sm_table > SMC_MAXTBL))
continue;
/*
* We currently only synchronise state information and NAT
* information - and even then, the NAT information is not
* yet sync'd for proxied connections.
* We have a header, so try to read the amount of data
* needed for the request
*/
if (sh.sm_table == SMC_STATE)
err = ipfsync_state(&sh, uio);
else if (sh.sm_table == SMC_NAT)
err = ipfsync_nat(&sh, uio);
if (err)
break;
}
return err;
/* not supported */
if (sh.sm_len == 0) {
if (ipf_sync_debug > 2)
printf("uiomove(data zero length %s\n",
"not supported");
return EINVAL;
}
if (uio->uio_resid >= sh.sm_len) {
err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio);
if (err) {
if (ipf_sync_debug > 2)
printf("uiomove(data) failed: %d\n",
err);
return err;
}
if (ipf_sync_debug > 7)
printf("uiomove(data) %d bytes read\n",
sh.sm_len);
if (sh.sm_table == SMC_STATE)
err = ipfsync_state(&sh, data);
else if (sh.sm_table == SMC_NAT)
err = ipfsync_nat(&sh, data);
if (ipf_sync_debug > 7)
printf("[%d] Finished with error %d\n",
sh.sm_num, err);
} else {
/* insufficient data, wait until next call */
if (ipf_sync_debug > 2)
printf("uiomove(data) %s %d bytes, got %d\n",
"insufficient data, need",
sh.sm_len, uio->uio_resid);
return EAGAIN;
}
}
/* no more data */
return 0;
}
@ -408,28 +502,24 @@ struct uio *uio;
/* create a new state entry or update one. Deletion is left to the state */
/* structures being timed out correctly. */
/* ------------------------------------------------------------------------ */
int ipfsync_state(sp, uio)
int ipfsync_state(sp, data)
synchdr_t *sp;
struct uio *uio;
void *data;
{
synctcp_update_t su;
ipstate_t *is, sn;
synclist_t *sl;
frentry_t *fr;
u_int hv;
int err;
int err = 0;
# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
uio->uio_rw = UIO_WRITE;
# endif
hv = sp->sm_num & (SYNC_STATETABSZ - 1);
switch (sp->sm_cmd)
{
case SMC_CREATE :
err = UIOMOVE((caddr_t)&sn, sizeof(sn), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &sn, sizeof(sn));
KMALLOC(is, ipstate_t *);
if (is == NULL) {
err = ENOMEM;
@ -462,12 +552,15 @@ struct uio *uio;
}
RWLOCK_EXIT(&ipf_mutex);
if (ipf_sync_debug > 4)
printf("[%d] Filter rules = %p\n", sp->sm_num, fr);
is->is_rule = fr;
is->is_sync = sl;
sl->sl_idx = -1;
sl->sl_ips = is;
sl->sl_num = ntohl(sp->sm_num);
bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr));
WRITE_ENTER(&ipf_syncstate);
WRITE_ENTER(&ipf_state);
@ -486,19 +579,25 @@ struct uio *uio;
*
* Put this state entry on its timeout queue.
*/
fr_setstatequeue(is, sp->sm_rev);
/*fr_setstatequeue(is, sp->sm_rev);*/
break;
case SMC_UPDATE :
err = UIOMOVE((caddr_t)&su, sizeof(su), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &su, sizeof(su));
if (ipf_sync_debug > 4)
printf("[%d] Update age %lu state %d/%d \n",
sp->sm_num, su.stu_age, su.stu_state[0],
su.stu_state[1]);
READ_ENTER(&ipf_syncstate);
for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
if (sl->sl_hdr.sm_num == sp->sm_num)
break;
if (sl == NULL) {
if (ipf_sync_debug > 1)
printf("[%d] State not found - can't update\n",
sp->sm_num);
RWLOCK_EXIT(&ipf_syncstate);
err = ENOENT;
break;
@ -506,12 +605,19 @@ struct uio *uio;
READ_ENTER(&ipf_state);
if (ipf_sync_debug > 6)
printf("[%d] Data from state v:%d p:%d cmd:%d table:%d rev:%d\n",
sp->sm_num, sl->sl_hdr.sm_v, sl->sl_hdr.sm_p,
sl->sl_hdr.sm_cmd, sl->sl_hdr.sm_table,
sl->sl_hdr.sm_rev);
is = sl->sl_ips;
MUTEX_ENTER(&is->is_lock);
switch (sp->sm_p)
{
case IPPROTO_TCP :
/* XXX FV --- shouldn't we do ntohl/htonl???? XXX */
is->is_send = su.stu_data[0].td_end;
is->is_maxsend = su.stu_data[0].td_maxend;
is->is_maxswin = su.stu_data[0].td_maxwin;
@ -524,7 +630,12 @@ struct uio *uio;
default :
break;
}
if (ipf_sync_debug > 6)
printf("[%d] Setting timers for state\n", sp->sm_num);
fr_setstatequeue(is, sp->sm_rev);
MUTEX_EXIT(&is->is_lock);
break;
@ -537,6 +648,11 @@ struct uio *uio;
RWLOCK_EXIT(&ipf_state);
RWLOCK_EXIT(&ipf_syncstate);
}
if (ipf_sync_debug > 6)
printf("[%d] Update completed with error %d\n",
sp->sm_num, err);
return err;
}
# endif /* _KERNEL */
@ -575,9 +691,9 @@ synclist_t *sl;
/* create a new NAT entry or update one. Deletion is left to the NAT */
/* structures being timed out correctly. */
/* ------------------------------------------------------------------------ */
int ipfsync_nat(sp, uio)
int ipfsync_nat(sp, data)
synchdr_t *sp;
struct uio *uio;
void *data;
{
synclogent_t sle;
syncupdent_t su;
@ -586,18 +702,12 @@ struct uio *uio;
u_int hv = 0;
int err;
# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
uio->uio_rw = UIO_WRITE;
# endif
READ_ENTER(&ipf_syncstate);
switch (sp->sm_cmd)
{
case SMC_CREATE :
err = UIOMOVE((caddr_t)&sle, sizeof(sle), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &sle, sizeof(sle));
KMALLOC(n, nat_t *);
if (n == NULL) {
@ -634,9 +744,7 @@ struct uio *uio;
break;
case SMC_UPDATE :
err = UIOMOVE((caddr_t)&su, sizeof(su), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &su, sizeof(su));
READ_ENTER(&ipf_syncstate);
for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
@ -731,6 +839,7 @@ void *ptr;
sl->sl_num = ipf_syncnum;
MUTEX_EXIT(&ipf_syncadd);
sl->sl_magic = htonl(SYNHDRMAGIC);
sl->sl_v = fin->fin_v;
sl->sl_p = fin->fin_p;
sl->sl_cmd = SMC_CREATE;
@ -747,6 +856,7 @@ void *ptr;
ptr = NULL;
sz = 0;
}
sl->sl_len = sz;
/*
* Create the log entry to be read by a user daemon. When it has been
@ -757,6 +867,7 @@ void *ptr;
bcopy((char *)&sl->sl_hdr, (char *)&sle->sle_hdr,
sizeof(sle->sle_hdr));
sle->sle_hdr.sm_num = htonl(sle->sle_hdr.sm_num);
sle->sle_hdr.sm_len = htonl(sle->sle_hdr.sm_len);
if (ptr != NULL) {
bcopy((char *)ptr, (char *)&sle->sle_un, sz);
if (tab == SMC_STATE) {
@ -813,10 +924,12 @@ synclist_t *sl;
sl->sl_idx = su_idx++;
bcopy((char *)&sl->sl_hdr, (char *)&slu->sup_hdr,
sizeof(slu->sup_hdr));
slu->sup_hdr.sm_magic = htonl(SYNHDRMAGIC);
slu->sup_hdr.sm_sl = sl;
slu->sup_hdr.sm_cmd = SMC_UPDATE;
slu->sup_hdr.sm_table = tab;
slu->sup_hdr.sm_num = htonl(sl->sl_num);
slu->sup_hdr.sm_len = htonl(sizeof(struct synctcp_update));
slu->sup_hdr.sm_rev = fin->fin_rev;
# if 0
if (fin->fin_p == IPPROTO_TCP) {
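Review bot: In the ipfsync_write hunk, the data copy `err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio);` only verifies that the remaining uio covers `sh.sm_len`, never that `sh.sm_len` fits the fixed `char data[2048]` on the stack, and `sm_len` is a plain `int` taken from the caller-supplied header (byte-swapped a few lines earlier and declared `int sm_len` in ip_sync.h in this same commit), so a length above 2048 or a negative one overruns the buffer; replace the `sh.sm_len == 0` test with `if (sh.sm_len <= 0 || sh.sm_len > sizeof(data)) {`, keeping its EINVAL return. The same hunk has a format/argument mismatch, `printf("uiomove(header) invalud %x\n", "magic");` passes a string to `%x`, and should read `printf("uiomove(header) invalid %s\n", "magic");` like the sibling messages. Because this commit also routes the device write entry point to `iplwrite` (mlfk_ipl.c, mlo_ipl.c), this parser is reachable by anyone permitted to open the sync device, which is why the length check is the point I would block on. The function's signature sits in the hunk header rather than the hunk body.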

33
dist/ipf/ip_sync.h vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_sync.h,v 1.1.1.1 2004/03/28 08:55:46 martti Exp $ */
/* $NetBSD: ip_sync.h,v 1.1.1.2 2005/02/08 06:53:02 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -6,20 +6,27 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_sync.h,v 2.11 2004/01/03 13:34:59 darrenr Exp
* Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp
*/
#ifndef __IP_SYNC_H__
#define __IP_SYNC_H__
typedef struct synchdr {
u_char sm_v; /* version: 4,6 */
u_char sm_p; /* protocol */
u_char sm_cmd; /* command */
u_char sm_table; /* NAT, STATE, etc */
u_int sm_num; /* table entry number */
int sm_rev; /* forward/reverse */
u_32_t sm_magic; /* magic */
u_char sm_v; /* version: 4,6 */
u_char sm_p; /* protocol */
u_char sm_cmd; /* command */
u_char sm_table; /* NAT, STATE, etc */
u_int sm_num; /* table entry number */
int sm_rev; /* forward/reverse */
int sm_len; /* length of the data section */
struct synclist *sm_sl; /* back pointer to parent */
} synchdr_t;
#define SYNHDRMAGIC 0x0FF51DE5
/*
* Commands
* No delete required as expirey will take care of that!
@ -43,7 +50,7 @@ typedef struct synchdr {
typedef struct synctcp_update {
u_long stu_age;
tcpdata_t stu_data[2];
u_char stu_state[2];
int stu_state[2];
} synctcp_update_t;
@ -62,12 +69,14 @@ typedef struct synclist {
#define sl_ptr sl_un.slu_ptr
#define sl_ips sl_un.slu_ips
#define sl_ipn sl_un.slu_ipn
#define sl_magic sl_hdr.sm_magic
#define sl_v sl_hdr.sm_v
#define sl_p sl_hdr.sm_p
#define sl_cmd sl_hdr.sm_cmd
#define sl_rev sl_hdr.sm_rev
#define sl_table sl_hdr.sm_table
#define sl_num sl_hdr.sm_num
#define sl_len sl_hdr.sm_len
/*
* NOTE: SYNCLOG_SZ is defined *low*. It should be the next power of two
@ -100,7 +109,9 @@ extern synclist_t *ipfsync_new __P((int, fr_info_t *, void *));
extern void ipfsync_del __P((synclist_t *));
extern void ipfsync_update __P((int, fr_info_t *, synclist_t *));
extern int ipfsync_init __P((void));
extern int ipfsync_nat __P((synchdr_t *sp, struct uio *uio));
extern int ipfsync_state __P((synchdr_t *sp, struct uio *uio));
extern int ipfsync_nat __P((synchdr_t *sp, void *data));
extern int ipfsync_state __P((synchdr_t *sp, void *data));
extern int ipfsync_read __P((struct uio *uio));
extern int ipfsync_write __P((struct uio *uio));
#endif /* IP_SYNC */


@ -1,4 +1,4 @@
/* $NetBSD: gethost.c,v 1.1.1.1 2004/03/28 08:56:18 martti Exp $ */
/* $NetBSD: gethost.c,v 1.1.1.2 2005/02/08 06:53:15 martti Exp $ */
#include "ipf.h"
@ -15,6 +15,9 @@ u_32_t *hostp;
return 0;
}
if (!strcmp(name, "<thishost>"))
name = thishost;
h = gethostbyname(name);
if (h != NULL) {
if ((h->h_addr != NULL) && (h->h_length == sizeof(addr))) {


@ -1,11 +1,11 @@
/* $NetBSD: printfr.c,v 1.1.1.2 2004/07/23 05:34:36 martti Exp $ */
/* $NetBSD: printfr.c,v 1.1.1.3 2005/02/08 06:53:17 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: printfr.c,v 1.43.2.4 2004/04/20 11:51:33 darrenr Exp
* Id: printfr.c,v 1.43.2.8 2005/01/09 01:53:11 darrenr Exp
*/
#include "ipf.h"
@ -169,10 +169,12 @@ ioctlfunc_t iocfunc;
printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
putchar(' ');
if (*fp->fr_dif.fd_ifname)
if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP))
print_toif("dup-to", &fp->fr_dif);
if (*fp->fr_tif.fd_ifname)
print_toif("to", &fp->fr_tif);
if (*fp->fr_rif.fd_ifname)
print_toif("reply-to", &fp->fr_rif);
if (fp->fr_flags & FR_FASTROUTE)
printf("fastroute ");
@ -366,7 +368,7 @@ ioctlfunc_t iocfunc;
if (fp->fr_flags & FR_KEEPSTATE) {
printf(" keep state");
if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR)) ||
if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) ||
(fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
char *comma = "";
printf(" (");
@ -386,6 +388,10 @@ ioctlfunc_t iocfunc;
printf("%sno-icmp-err", comma);
comma = ",";
}
if (fp->fr_flags & FR_STATESYNC) {
printf("%ssync", comma);
comma = ",";
}
if (fp->fr_age[0] || fp->fr_age[1])
printf("%sage %d/%d", comma, fp->fr_age[0],
fp->fr_age[1]);
@ -412,8 +418,20 @@ ioctlfunc_t iocfunc;
printf(" head %s", fp->fr_grhead);
if (*fp->fr_group != '\0')
printf(" group %s", fp->fr_group);
if (fp->fr_logtag != FR_NOLOGTAG)
printf(" log-tag %u", fp->fr_logtag);
if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
char *s = "";
printf(" set-tag(");
if (fp->fr_logtag != FR_NOLOGTAG) {
printf("log=%u", fp->fr_logtag);
s = ", ";
}
if (*fp->fr_nattag.ipt_tag) {
printf("%snat=%-.*s", s, IPFTAG_LEN,
fp->fr_nattag.ipt_tag);
}
printf(")");
}
if (fp->fr_pps)
printf(" pps %d", fp->fr_pps);
(void)putchar('\n');


@ -1,4 +1,4 @@
/* $NetBSD: printnat.c,v 1.1.1.2 2004/07/23 05:34:37 martti Exp $ */
/* $NetBSD: printnat.c,v 1.1.1.3 2005/02/08 06:53:17 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -13,7 +13,7 @@
#if !defined(lint)
static const char rcsid[] = "@(#)Id: printnat.c,v 1.22.2.4 2004/05/11 01:41:16 darrenr Exp";
static const char rcsid[] = "@(#)Id: printnat.c,v 1.22.2.6 2004/10/17 06:45:22 darrenr Exp";
#endif
@ -89,20 +89,24 @@ int opts;
printf("%s", inet_ntoa(np->in_out[0].in4));
bits = count4bits(np->in_outmsk);
if (bits != -1)
printf("/%d ", bits);
printf("/%d", bits);
else
printf("/%s ", inet_ntoa(np->in_out[1].in4));
printf("port %d", ntohs(np->in_pmin));
if (np->in_pmax != np->in_pmin)
printf("-%d", ntohs(np->in_pmax));
printf("/%s", inet_ntoa(np->in_out[1].in4));
if (np->in_flags & IPN_TCPUDP) {
printf(" port %d", ntohs(np->in_pmin));
if (np->in_pmax != np->in_pmin)
printf("-%d", ntohs(np->in_pmax));
}
}
printf(" -> %s", inet_ntoa(np->in_in[0].in4));
if (np->in_flags & IPN_SPLIT)
printf(",%s", inet_ntoa(np->in_in[1].in4));
if ((np->in_flags & IPN_FIXEDDPORT) != 0)
printf(" port = %d", ntohs(np->in_pnext));
else
printf(" port %d", ntohs(np->in_pnext));
if (np->in_flags & IPN_TCPUDP) {
if ((np->in_flags & IPN_FIXEDDPORT) != 0)
printf(" port = %d", ntohs(np->in_pnext));
else
printf(" port %d", ntohs(np->in_pnext));
}
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if ((np->in_flags & IPN_TCP) == IPN_TCP)
@ -129,6 +133,8 @@ int opts;
if (*np->in_plabel != '\0')
printf(" proxy %.*s", (int)sizeof(np->in_plabel),
np->in_plabel);
if (np->in_tag.ipt_tag[0] != '\0')
printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);
printf("\n");
if (opts & OPT_DEBUG)
printf("\tpmax %u\n", np->in_pmax);


@ -1,4 +1,4 @@
/* $NetBSD: printstate.c,v 1.1.1.1 2004/03/28 08:56:20 martti Exp $ */
/* $NetBSD: printstate.c,v 1.1.1.2 2005/02/08 06:53:17 martti Exp $ */
/*
* Copyright (C) 2002 by Darren Reed.
@ -18,6 +18,7 @@ int opts;
u_long now;
{
ipstate_t ips;
synclist_t ipsync;
if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips)))
return NULL;
@ -56,8 +57,8 @@ u_long now;
|| ips.is_p == IPPROTO_ICMPV6
#endif
)
PRINTF(" id %hu seq %hu type %d\n", ntohs(ips.is_icmp.ici_id),
ntohs(ips.is_icmp.ici_seq), ips.is_icmp.ici_type);
PRINTF(" id %hu seq %hu type %d\n", ips.is_icmp.ici_id,
ips.is_icmp.ici_seq, ips.is_icmp.ici_type);
#ifdef USE_QUAD_T
PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n",
@ -129,8 +130,11 @@ u_long now;
if (ips.is_pass & FR_KEEPFRAG)
PRINTF(" keep frags");
/* a given; no? */
if (ips.is_pass & FR_KEEPSTATE)
if (ips.is_pass & FR_KEEPSTATE) {
PRINTF(" keep state");
if (ips.is_pass & FR_STATESYNC)
PRINTF(" ( sync )");
}
PRINTF("\tIPv%d", ips.is_v);
PRINTF("\n");
@ -162,5 +166,21 @@ u_long now;
PRINTF("/%p", ips.is_ifp[3]);
PRINTF("]\n");
if (ips.is_sync != NULL) {
if (kmemcpy((char *)&ipsync, (u_long)ips.is_sync, sizeof(ipsync))) {
PRINTF("\tSync status: status could not be retrieved\n");
return NULL;
}
PRINTF("\tSync status: idx %d num %d v %d pr %d rev %d\n",
ipsync.sl_idx, ipsync.sl_num, ipsync.sl_v,
ipsync.sl_p, ipsync.sl_rev);
} else {
PRINTF("\tSync status: not synchronized\n");
}
return ips.is_next;
}

18
dist/ipf/mlfk_ipl.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: mlfk_ipl.c,v 1.1.1.6 2004/07/23 05:34:04 martti Exp $ */
/* $NetBSD: mlfk_ipl.c,v 1.1.1.7 2005/02/08 06:53:02 martti Exp $ */
/*
* Copyright (C) 2000 by Darren Reed.
@ -27,7 +27,11 @@
#include <netinet/ip_auth.h>
#include <netinet/ip_frag.h>
#if __FreeBSD_version >= 502116
static struct cdev *ipf_devs[IPL_LOGSIZE];
#else
static dev_t ipf_devs[IPL_LOGSIZE];
#endif
static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
static int ipf_modload(void);
@ -57,14 +61,14 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
&fr_tcpclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
&fr_udptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
&fr_udpacktimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
&fr_icmptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
&fr_defnatage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
&fr_ipfrttl, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_unreach, CTLFLAG_RW,
&fr_unreach, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
&fr_running, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
@ -91,6 +95,10 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
#define CDEV_MAJOR 79
#if __FreeBSD_version >= 501000
static struct cdevsw ipl_cdevsw = {
#if __FreeBSD_version >= 502103
.d_version = D_VERSION,
.d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */
#endif
.d_open = iplopen,
.d_close = iplclose,
.d_read = iplread,
@ -103,7 +111,7 @@ static struct cdevsw ipl_cdevsw = {
/* open */ iplopen,
/* close */ iplclose,
/* read */ iplread,
/* write */ nowrite,
/* write */ iplwrite,
/* ioctl */ iplioctl,
/* poll */ nopoll,
/* mmap */ nommap,
@ -121,7 +129,7 @@ static struct cdevsw ipl_cdevsw = {
#endif
static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
IPSCAN_NAME, IPSYNC_NAME, IPLOOKUP_NAME, NULL };
IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
static int
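Review bot: `.d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */` records a hope rather than a verified fact: clearing D_NEEDGIANT means every handler in `ipl_cdevsw`, including the `iplwrite` entry this change wires in place of `nowrite`, runs without Giant, so either name the lock that makes the handlers safe in the comment or keep the flag until that has been checked. The reorder of `ipf_devfiles` to `IPSYNC_NAME, IPSCAN_NAME` presumably matches the device minor-number order used elsewhere; a one-line comment such as `/* order must match the device minor numbers */` would make that dependency visible. The `ipl_cdevsw` initializer continues outside the hunk.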

4
dist/ipf/mlo_ipl.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: mlo_ipl.c,v 1.1.1.1 2004/03/28 08:55:48 martti Exp $ */
/* $NetBSD: mlo_ipl.c,v 1.1.1.2 2005/02/08 06:53:03 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -62,7 +62,7 @@ struct cdevsw ipldevsw =
iplopen, /* open */
iplclose, /* close */
iplread, /* read */
(void *)nullop, /* write */
iplwrite, /* write */
iplioctl, /* ioctl */
(void *)nullop, /* stop */
(void *)NULL, /* tty */

4
dist/ipf/test/expected/i15 vendored Normal file

@ -0,0 +1,4 @@
pass out on fxp0(!) all set-tag(log=100)
pass out on fxp0(!) all set-tag(nat=foo)
pass out on fxp0(!) all set-tag(log=100, nat=200)
pass out on fxp0(!) all set-tag(log=2147483648, nat=overtherainbowis)


@ -1,22 +1,22 @@
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 ip
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp frag
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/10
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp frag age 10/10
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30/30
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40

4
dist/ipf/test/expected/n12 vendored Normal file

@ -0,0 +1,4 @@
4510 0040 2020 4000 4006 9478 c0a8 01bc c0a8 0303 2710 0017 4e33 298e 0000 0000 b002 4000 6ff8 0000 0204 05b4 0101 0402 0103 0300 0101 080a 0c72 549e 0000 0000
4500 003c 00b0 4000 fe06 7964 c0a8 0303 c0a8 7e53 0017 12c2 f674 e02c 4e33 298f a012 2798 7ace 0000 0101 080a 2c05 b797 0c72 549e 0103 0300 0204 05b4
4510 0034 493b 4000 4006 6b69 c0a8 01bc c0a8 0303 2710 0017 4e33 298f f674 e02d 8010 4000 f673 0000 0101 080a 0c72 549e 2c05 b797
-------------------------------


@ -1,5 +1,5 @@
4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 113f 0000 0000 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0058 0001 0000 ff01 af98 0202 0202 0404 0404 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001
-------------------------------


@ -1,5 +1,5 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-------------------------------

18
dist/ipf/test/input/n12 vendored Normal file

@ -0,0 +1,18 @@
[out,le0=192.168.1.188]
4510 0040 2020 4000 4006 17e1 c0a8 7e53
c0a8 0303 12c2 0017 4e33 298e 0000 0000
b002 4000 07af 0000 0204 05b4 0101 0402
0103 0300 0101 080a 0c72 549e 0000 0000
[in,le0]
4500 003c 00b0 4000 fe06 f5fb c0a8 0303
c0a8 01bc 0017 2710 f674 e02c 4e33 298f
a012 2798 e317 0000 0101 080a 2c05 b797
0c72 549e 0103 0300 0204 05b4
[out,le0]
4510 0034 493b 4000 4006 eed1 c0a8 7e53
c0a8 0303 12c2 0017 4e33 298f f674 e02d
8010 4000 8e2a 0000 0101 080a 0c72 549e
2c05 b797


@ -1,17 +1,21 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
# IP 4.4.4.4 2.2.2.2 TCP(20480,80)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 04 04 04 04 02 02 02 02 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 acab 0000 0000
4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606
5000 0050 0000 0001
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0] 45 00 00 58 80 9a 00 00 ff 01 2c fd 03 03 03 03 04 04 04 04 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 04 04 04 04 06 06 06 06 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 acab 0000 0000

5
dist/ipf/test/regress/i15 vendored Normal file

@ -0,0 +1,5 @@
pass out on fxp0 all set-tag(log=100)
pass out on fxp0 all set-tag(nat=foo)
pass out on fxp0 all set-tag(log=100, nat=200)
pass out on fxp0 all set-tag(log=2147483648, nat=overtherainbowisapotof)


@ -5,16 +5,16 @@ rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 888 icmp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag age 10
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag age 10
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20

1
dist/ipf/test/regress/n12 vendored Normal file

@ -0,0 +1 @@
map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000


@ -32,6 +32,7 @@ i11 text text
i12 text text
i13 text text
i14 text text
i15 text text
in1 text text
in2 text text
in3 text text
@ -53,6 +54,7 @@ n8 hex hex fr_update_ipid=0
n9 hex hex fr_update_ipid=0
n10 hex hex fr_update_ipid=0
n11 text text
n12 hex hex fr_update_ipid=0
ni1 hex hex fr_update_ipid=1
ni2 hex hex fr_update_ipid=1
ni3 hex hex fr_update_ipid=1


@ -62,7 +62,7 @@ sub tcpcheck {
local($base) = $_[0];
local($hl) = $bytes[$base] / 256;
return if (($hl >> 4) != 4);
return if ($bytes[3] & 0x1fff);
return if ($bytes[$base + 3] & 0x1fff);
$hl &= 0xf;
$hl <<= 1;
@ -79,14 +79,27 @@ sub tcpcheck {
local($thl) = $bytes[$base + $hl + 6] >> 8;
$thl &= 0xf0;
$thl >>= 2;
$x = $bytes[$base + 1];
$y = ($cnt - $base) * 2;
$z = 0;
if ($bytes[$base + 1] > ($cnt - $base) * 2) {
print " TCP: missing data(1)";
return;
print "[cnt=$cnt base=$base]";
$x = $bytes[$base + 1];
$y = ($cnt - $base) * 2;
$z = 1;
} elsif (($cnt - $base) * 2 < $hl + 20) {
print " TCP: missing data(2)";
return;
$x = ($cnt - $base) * 2;
$y = $hl + 20;
$z = 2;
} elsif (($cnt - $base) * 2 < $hl + $thl) {
print " TCP: missing data(3)";
$x = ($cnt - $base) * 2;
$y = $hl + $thl;
$z = 3;
}
if ($z) {
print " TCP: missing data($x $y $z)";
return;
}
@ -99,7 +112,7 @@ sub tcpcheck {
$bytes[$tcpat + 8] = $osum;
printf " TCP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
print " TCP: ok";
print " TCP: ok ($x $y)";
}
}
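Review bot: `$x`, `$y` and `$z` are assigned without `local` while the sub's other temporaries (`$base`, `$hl`, `$thl`) are declared `local`, so the new variables become package globals whose values persist across calls; declare them next to the others, `local($x, $y, $z);`, instead of the bare `$x = $bytes[$base + 1];` block. If `print "[cnt=$cnt base=$base]";` is on the new side it looks like a leftover debug print, since the consolidated `print " TCP: missing data($x $y $z)";` already reports the values. `tcpcheck` starts outside the hunk.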

10
dist/ipf/tools/ipf.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipf.c,v 1.1.1.2 2004/07/23 05:34:47 martti Exp $ */
/* $NetBSD: ipf.c,v 1.1.1.3 2005/02/08 06:53:23 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -21,7 +21,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipf.c,v 1.35.2.2 2004/04/16 23:58:25 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp";
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@ -33,7 +33,7 @@ extern int optind;
extern frentry_t *frtop;
void frsync __P((void));
void ipf_frsync __P((void));
void zerostats __P((void));
int main __P((int, char *[]));
@ -144,7 +144,7 @@ char *argv[];
exit(1);
break;
case 'y' :
frsync();
ipf_frsync();
break;
case 'z' :
opts ^= OPT_ZERORULEST;
@ -440,7 +440,7 @@ static void swapactive()
}
void frsync()
void ipf_frsync()
{
int frsyn = 0;


@ -1,5 +1,14 @@
/* $NetBSD: ipsyncm.c,v 1.1.1.1 2004/03/28 08:56:35 martti Exp $ */
/* $NetBSD: ipsyncm.c,v 1.1.1.2 2005/02/08 06:53:24 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp";
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
@ -14,6 +23,8 @@
#include <fcntl.h>
#include <unistd.h>
#include <strings.h>
#include <syslog.h>
#include <signal.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
@ -24,27 +35,56 @@
int main __P((int, char *[]));
int terminate = 0;
void usage(const char *progname) {
fprintf(stderr, "Usage: %s <destination IP> <destination port>\n", progname);
}
static void handleterm(int sig)
{
terminate = sig;
}
/* should be large enough to hold header + any datatype */
#define BUFFERLEN 1400
int main(argc, argv)
int argc;
char *argv[];
{
struct sockaddr_in sin;
char buff[1400], *s;
char buff[BUFFERLEN];
synclogent_t *sl;
syncupdent_t *su;
int nfd, lfd, n;
int nfd = -1, lfd = -1, n1, n2, n3, len;
int inbuf;
u_32_t magic;
synchdr_t *sh;
char *progname;
progname = strrchr(argv[0], '/');
if (progname) {
progname++;
} else {
progname = argv[0];
}
if (argc < 2)
exit(1);
lfd = open(IPSYNC_NAME, O_RDONLY);
if (lfd == -1) {
perror("open");
if (argc < 2) {
usage(progname);
exit(1);
}
#if 0
signal(SIGHUP, handleterm);
signal(SIGINT, handleterm);
signal(SIGTERM, handleterm);
#endif
openlog(progname, LOG_PID, LOG_SECURITY);
bzero((char *)&sin, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
@ -53,22 +93,75 @@ char *argv[];
else
sin.sin_port = htons(43434);
nfd = socket(AF_INET, SOCK_STREAM, 0);
if (nfd == -1) {
perror("socket");
exit(1);
}
while (1) {
if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
perror("connect");
exit(1);
}
if (lfd != -1)
close(lfd);
if (nfd != -1)
close(nfd);
while ((n = read(lfd, buff, sizeof(buff))) > 0) {
for (s = buff; s < buff + n; ) {
sh = (synchdr_t *)s;
printf("(%d) v:%d p:%d", (int)(buff + n - s), sh->sm_v,
sh->sm_p);
lfd = open(IPSYNC_NAME, O_RDONLY);
if (lfd == -1) {
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
goto tryagain;
}
nfd = socket(AF_INET, SOCK_DGRAM, 0);
if (nfd == -1) {
syslog(LOG_ERR, "Socket :%m");
goto tryagain;
}
if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
syslog(LOG_ERR, "Connect: %m");
goto tryagain;
}
syslog(LOG_INFO, "Established connection to %s",
inet_ntoa(sin.sin_addr));
inbuf = 0;
while (1) {
n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
printf("header : %d bytes read (header = %d bytes)\n",
n1, sizeof(*sh));
if (n1 < 0) {
syslog(LOG_ERR, "Read error (header): %m");
goto tryagain;
}
if (n1 == 0) {
/* XXX can this happen??? */
syslog(LOG_ERR,
"Read error (header) : No data");
sleep(1);
continue;
}
inbuf += n1;
moreinbuf:
if (inbuf < sizeof(*sh)) {
continue; /* need more data */
}
sh = (synchdr_t *)buff;
len = ntohl(sh->sm_len);
magic = ntohl(sh->sm_magic);
if (magic != SYNHDRMAGIC) {
syslog(LOG_ERR,
"Invalid header magic %x", magic);
goto tryagain;
}
#define IPSYNC_DEBUG
#ifdef IPSYNC_DEBUG
printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
sh->sm_p, len, magic);
if (sh->sm_cmd == SMC_CREATE)
printf(" cmd:CREATE");
@ -85,24 +178,76 @@ char *argv[];
printf(" table:Unknown(%d)", sh->sm_table);
printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
#endif
if (inbuf < sizeof(*sh) + len) {
continue; /* need more data */
goto tryagain;
}
#ifdef IPSYNC_DEBUG
if (sh->sm_cmd == SMC_CREATE) {
sl = (synclogent_t *)sh;
s += sizeof(*sl);
sl = (synclogent_t *)buff;
} else if (sh->sm_cmd == SMC_UPDATE) {
su = (syncupdent_t *)sh;
s += sizeof(*su);
su = (syncupdent_t *)buff;
if (sh->sm_p == IPPROTO_TCP) {
printf(" TCP Update: age %lu state %d/%d\n",
su->sup_tcp.stu_age,
su->sup_tcp.stu_state[0],
su->sup_tcp.stu_state[1]);
}
} else {
printf("Unknown command\n");
}
#endif
n2 = sizeof(*sh) + len;
n3 = write(nfd, buff, n2);
if (n3 <= 0) {
syslog(LOG_ERR, "Write error: %m");
goto tryagain;
}
if (n3 != n2) {
syslog(LOG_ERR, "Incomplete write (%d/%d)",
n3, n2);
goto tryagain;
}
/* signal received? */
if (terminate)
break;
/* move buffer to the front,we might need to make
* this more efficient, by using a rolling pointer
* over the buffer and only copying it, when
* we are reaching the end
*/
inbuf -= n2;
if (inbuf) {
bcopy(buff+n2, buff, inbuf);
printf("More data in buffer\n");
goto moreinbuf;
}
}
if (write(nfd, buff, n) != n) {
perror("write");
exit(1);
}
if (terminate)
break;
tryagain:
sleep(1);
}
close(lfd);
close(nfd);
exit(0);
/* terminate */
if (lfd != -1)
close(lfd);
if (nfd != -1)
close(nfd);
syslog(LOG_ERR, "signal %d received, exiting...", terminate);
exit(1);
}
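Review bot: `len = ntohl(sh->sm_len);` is checked only against the magic, then used in `if (inbuf < sizeof(*sh) + len)` and `n2 = sizeof(*sh) + len;`, so a corrupt or oversized length is never diagnosed: the buffer can never hold it and the loop either spins on zero-byte reads or silently restarts. Add `if (len < 0 || (size_t)len > BUFFERLEN - sizeof(*sh)) { syslog(LOG_ERR, "Bad length %d", len); goto tryagain; }` right after the magic check; here the bytes come from the local `IPSYNC_NAME` device, but the identical loop in ipsyncs.c reads them from a UDP socket, where the bound matters most. `#define IPSYNC_DEBUG` immediately before `#ifdef IPSYNC_DEBUG` forces the debug `printf`s on in every build, which defeats the conditional. With the `signal()` calls under `#if 0`, `terminate` can never become non-zero, so `handleterm` is unused and the `signal %d received, exiting...` path is unreachable.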


@ -1,4 +1,4 @@
/* $NetBSD: ipsyncs.c,v 1.1.1.1 2004/03/28 08:56:35 martti Exp $ */
/* $NetBSD: ipsyncs.c,v 1.1.1.2 2005/02/08 06:53:24 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsyncs.c,v 1.5 2003/09/04 18:40:43 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp";
#endif
#include <sys/types.h>
#include <sys/time.h>
@ -23,26 +23,71 @@ static const char rcsid[] = "@(#)Id: ipsyncs.c,v 1.5 2003/09/04 18:40:43 darrenr
#include <fcntl.h>
#include <strings.h>
#include <unistd.h>
#include <syslog.h>
#include <errno.h>
#include <signal.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_state.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_sync.h"
int main __P((int, char *[]));
int terminate = 0;
void usage(const char *progname) {
fprintf(stderr,
"Usage: %s <destination IP> <destination port> [remote IP]\n",
progname);
}
static void handleterm(int sig)
{
terminate = sig;
}
#define BUFFERLEN 1400
int main(argc, argv)
int argc;
char *argv[];
{
int fd, nfd, lfd, i, n, slen;
struct sockaddr_in sin, san;
struct in_addr in;
char buff[1400];
int nfd = -1 , lfd = -1;
int n1, n2, n3, magic, len, inbuf;
struct sockaddr_in sin;
struct sockaddr_in in;
char buff[BUFFERLEN];
synclogent_t *sl;
syncupdent_t *su;
synchdr_t *sh;
char *progname;
progname = strrchr(argv[0], '/');
if (progname) {
progname++;
} else {
progname = argv[0];
}
if (argc < 2) {
usage(progname);
exit(1);
}
fd = open(IPSYNC_NAME, O_WRONLY);
if (fd == -1) {
perror("open");
#if 0
signal(SIGHUP, handleterm);
signal(SIGINT, handleterm);
signal(SIGTERM, handleterm);
#endif
openlog(progname, LOG_PID, LOG_SECURITY);
lfd = open(IPSYNC_NAME, O_WRONLY);
if (lfd == -1) {
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
exit(1);
}
@ -54,55 +99,174 @@ char *argv[];
sin.sin_port = htons(atoi(argv[2]));
else
sin.sin_port = htons(43434);
if (argc > 3)
in.s_addr = inet_addr(argv[3]);
if (argc > 3)
in.sin_addr.s_addr = inet_addr(argv[3]);
else
in.s_addr = 0;
in.sin_addr.s_addr = 0;
in.sin_port = 0;
lfd = socket(AF_INET, SOCK_STREAM, 0);
if (lfd == -1) {
perror("socket");
exit(1);
}
n = 1;
setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &n, sizeof(n));
if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
perror("bind");
exit(1);
}
listen(lfd, 1);
do {
slen = sizeof(san);
nfd = accept(lfd, (struct sockaddr *)&san, &slen);
if (nfd == -1) {
perror("accept");
continue;
}
n = 1;
setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n, sizeof(n));
printf("Connection from %s\n", inet_ntoa(san.sin_addr));
if (in.s_addr && (in.s_addr != san.sin_addr.s_addr)) {
while(1) {
if (lfd != -1)
close(lfd);
if (nfd != -1)
close(nfd);
continue;
lfd = open(IPSYNC_NAME, O_WRONLY);
if (lfd == -1) {
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
goto tryagain;
}
nfd = socket(AF_INET, SOCK_DGRAM, 0);
if (nfd == -1) {
syslog(LOG_ERR, "Socket :%m");
goto tryagain;
}
while ((n = read(nfd, buff, sizeof(buff))) > 0) {
i = write(fd, buff, n);
if (i != n) {
perror("write");
exit(1);
n1 = 1;
setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n1, sizeof(n1));
if (bind(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
syslog(LOG_ERR, "Bind: %m");
goto tryagain;
}
syslog(LOG_INFO, "Established connection to %s",
inet_ntoa(sin.sin_addr));
inbuf = 0;
while (1) {
/*
* XXX currently we do not check the source address
* of a datagram, this can be a security risk
*/
n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf);
printf("header : %d bytes read (header = %d bytes)\n",
n1, sizeof(*sh));
if (n1 < 0) {
syslog(LOG_ERR, "Read error (header): %m");
goto tryagain;
}
if (n1 == 0) {
/* XXX can this happen??? */
syslog(LOG_ERR,
"Read error (header) : No data");
sleep(1);
continue;
}
inbuf += n1;
moreinbuf:
if (inbuf < sizeof(*sh)) {
continue; /* need more data */
}
sh = (synchdr_t *)buff;
len = ntohl(sh->sm_len);
magic = ntohl(sh->sm_magic);
if (magic != SYNHDRMAGIC) {
syslog(LOG_ERR, "Invalid header magic %x",
magic);
goto tryagain;
}
#define IPSYNC_DEBUG
#ifdef IPSYNC_DEBUG
printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
sh->sm_p, len, magic);
if (sh->sm_cmd == SMC_CREATE)
printf(" cmd:CREATE");
else if (sh->sm_cmd == SMC_UPDATE)
printf(" cmd:UPDATE");
else
printf(" cmd:Unknown(%d)", sh->sm_cmd);
if (sh->sm_table == SMC_NAT)
printf(" table:NAT");
else if (sh->sm_table == SMC_STATE)
printf(" table:STATE");
else
printf(" table:Unknown(%d)", sh->sm_table);
printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
#endif
if (inbuf < sizeof(*sh) + len) {
continue; /* need more data */
goto tryagain;
}
#ifdef IPSYNC_DEBUG
if (sh->sm_cmd == SMC_CREATE) {
sl = (synclogent_t *)buff;
} else if (sh->sm_cmd == SMC_UPDATE) {
su = (syncupdent_t *)buff;
if (sh->sm_p == IPPROTO_TCP) {
printf(" TCP Update: age %lu state %d/%d\n",
su->sup_tcp.stu_age,
su->sup_tcp.stu_state[0],
su->sup_tcp.stu_state[1]);
}
} else {
printf("Unknown command\n");
}
#endif
n2 = sizeof(*sh) + len;
n3 = write(lfd, buff, n2);
if (n3 <= 0) {
syslog(LOG_ERR, "Write error: %m");
goto tryagain;
}
if (n3 != n2) {
syslog(LOG_ERR, "Incomplete write (%d/%d)",
n3, n2);
goto tryagain;
}
/* signal received? */
if (terminate)
break;
/* move buffer to the front,we might need to make
* this more efficient, by using a rolling pointer
* over the buffer and only copying it, when
* we are reaching the end
*/
inbuf -= n2;
if (inbuf) {
bcopy(buff+n2, buff, inbuf);
printf("More data in buffer\n");
goto moreinbuf;
}
}
if (terminate)
break;
tryagain:
sleep(1);
}
/* terminate */
if (lfd != -1)
close(lfd);
if (nfd != -1)
close(nfd);
} while (1);
close(lfd);
syslog(LOG_ERR, "signal %d received, exiting...", terminate);
exit(0);
exit(1);
}
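Review bot: The optional `[remote IP]` argument is parsed into `in.sin_addr.s_addr` but never consulted: the loop reads with `read(nfd, buff+inbuf, BUFFERLEN-inbuf)` and the old `if (in.s_addr && (in.s_addr != san.sin_addr.s_addr))` filter is gone, as the `XXX currently we do not check the source address` comment in the hunk admits. Because this side forwards whatever arrives straight into the kernel with `write(lfd, buff, n2)`, read with `recvfrom()` into a `struct sockaddr_in from` and discard the datagram (do not add `n1` to `inbuf`) when `in.sin_addr.s_addr` is set and differs from `from.sin_addr.s_addr`. `magic` is declared `int` here but `u_32_t` in ipsyncm.c; use `u_32_t` in both so the `%x` format and the comparison with `SYNHDRMAGIC` agree. The length bound raised on the ipsyncm.c hunk applies to this loop as well.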


@ -0,0 +1,4 @@
pass out on fxp0(!) all set-tag(log=100)
pass out on fxp0(!) all set-tag(nat=foo)
pass out on fxp0(!) all set-tag(log=100, nat=200)
pass out on fxp0(!) all set-tag(log=2147483648, nat=overtherainbowis)


@ -5,3 +5,4 @@ pass in proto udp from 127.0.0.1/32 port > 32000 to 127.0.0.1/32 port < 29000
block in proto udp from any port != 123 to any port < 7
block in proto tcp from any port = 25 to any port > 25
pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state


@ -1,26 +1,67 @@
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 icmp
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 icmp frag
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/10
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 icmp frag age 10/10
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000 tag nattagcacheline
rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp
rdr le0 0.0.0.0/0 -> 254.220.186.152 ip
rdr le0 0.0.0.0/0 -> 254.220.186.152,254.220.186.152 ip


@ -1,22 +1,22 @@
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 ip
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp frag
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/10
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp frag age 10/10
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30/30
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40


@ -0,0 +1,4 @@
4510 0040 2020 4000 4006 9478 c0a8 01bc c0a8 0303 2710 0017 4e33 298e 0000 0000 b002 4000 6ff8 0000 0204 05b4 0101 0402 0103 0300 0101 080a 0c72 549e 0000 0000
4500 003c 00b0 4000 fe06 7964 c0a8 0303 c0a8 7e53 0017 12c2 f674 e02c 4e33 298f a012 2798 7ace 0000 0101 080a 2c05 b797 0c72 549e 0103 0300 0204 05b4
4510 0034 493b 4000 4006 6b69 c0a8 01bc c0a8 0303 2710 0017 4e33 298f f674 e02d 8010 4000 f673 0000 0101 080a 0c72 549e 2c05 b797
-------------------------------


@ -0,0 +1,18 @@
[out,le0=192.168.1.188]
4510 0040 2020 4000 4006 17e1 c0a8 7e53
c0a8 0303 12c2 0017 4e33 298e 0000 0000
b002 4000 07af 0000 0204 05b4 0101 0402
0103 0300 0101 080a 0c72 549e 0000 0000
[in,le0]
4500 003c 00b0 4000 fe06 f5fb c0a8 0303
c0a8 01bc 0017 2710 f674 e02c 4e33 298f
a012 2798 e317 0000 0101 080a 2c05 b797
0c72 549e 0103 0300 0204 05b4
[out,le0]
4510 0034 493b 4000 4006 eed1 c0a8 7e53
c0a8 0303 12c2 0017 4e33 298f f674 e02d
8010 4000 8e2a 0000 0101 080a 0c72 549e
2c05 b797


@ -1,17 +1,21 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
# IP 4.4.4.4 2.2.2.2 TCP(20480,80)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 04 04 04 04 02 02 02 02 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 acab 0000 0000
4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606
5000 0050 0000 0001
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0] 45 00 00 58 80 9a 00 00 ff 01 2c fd 03 03 03 03 04 04 04 04 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 04 04 04 04 06 06 06 06 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 acab 0000 0000


@ -0,0 +1,5 @@
pass out on fxp0 all set-tag(log=100)
pass out on fxp0 all set-tag(nat=foo)
pass out on fxp0 all set-tag(log=100, nat=200)
pass out on fxp0 all set-tag(log=2147483648, nat=overtherainbowisapotof)


@ -5,3 +5,4 @@ pass in proto 17 from localhost port > 32000 to localhost port < 29000
block in proto udp from any port != \ntp to any port < echo
block in proto tcp from any port = smtp to any port > 25
pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S keep state


@ -1,7 +1,7 @@
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 ip
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp
@ -14,13 +14,54 @@ rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10
rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip mssclamp 1000
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip tag nattagcacheline
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky mssclamp 1000 tag nattagcacheline
rdr ge0 9.8.7.6/32 -> 1.1.1.1 proxy port 21 ftp/tcp
rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp
rdr le0 0/0 -> test.host.dots
rdr le0 0/0 -> test.host.dots,test.host.dots


@ -5,16 +5,16 @@ rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 ip
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 888 icmp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag age 10
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag age 10
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20


@ -0,0 +1 @@
map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000


@ -32,6 +32,7 @@ i11 text text
i12 text text
i13 text text
i14 text text
i15 text text
in1 text text
in2 text text
in3 text text
@ -53,6 +54,7 @@ n8 hex hex fr_update_ipid=0
n9 hex hex fr_update_ipid=0
n10 hex hex fr_update_ipid=0
n11 text text
n12 hex hex fr_update_ipid=0
ni1 hex hex fr_update_ipid=1
ni2 hex hex fr_update_ipid=1
ni3 hex hex fr_update_ipid=1


@ -62,7 +62,7 @@ sub tcpcheck {
local($base) = $_[0];
local($hl) = $bytes[$base] / 256;
return if (($hl >> 4) != 4);
return if ($bytes[3] & 0x1fff);
return if ($bytes[$base + 3] & 0x1fff);
$hl &= 0xf;
$hl <<= 1;
@ -79,14 +79,27 @@ sub tcpcheck {
local($thl) = $bytes[$base + $hl + 6] >> 8;
$thl &= 0xf0;
$thl >>= 2;
$x = $bytes[$base + 1];
$y = ($cnt - $base) * 2;
$z = 0;
if ($bytes[$base + 1] > ($cnt - $base) * 2) {
print " TCP: missing data(1)";
return;
print "[cnt=$cnt base=$base]";
$x = $bytes[$base + 1];
$y = ($cnt - $base) * 2;
$z = 1;
} elsif (($cnt - $base) * 2 < $hl + 20) {
print " TCP: missing data(2)";
return;
$x = ($cnt - $base) * 2;
$y = $hl + 20;
$z = 2;
} elsif (($cnt - $base) * 2 < $hl + $thl) {
print " TCP: missing data(3)";
$x = ($cnt - $base) * 2;
$y = $hl + $thl;
$z = 3;
}
if ($z) {
print " TCP: missing data($x $y $z)";
return;
}
@ -99,7 +112,7 @@ sub tcpcheck {
$bytes[$tcpat + 8] = $osum;
printf " TCP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
print " TCP: ok";
print " TCP: ok ($x $y)";
}
}
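Review bot: `$x`, `$y` and `$z` are assigned in the new branch logic without `local`, unlike `$base`, `$hl` and `$thl` in the same sub, so they become package globals that persist across calls to tcpcheck and are visible to the rest of the script. Declaring them in the sub's scope, `local($x, $y, $z) = ($bytes[$base + 1], ($cnt - $base) * 2, 0);`, keeps the same values while stopping the leak. The `print "[cnt=$cnt base=$base]";` line in the first branch is the only one of the three branches with an extra diagnostic and it prints before the " TCP: missing data(...)" message; if it is intended as permanent output a comment saying so would help, otherwise it reads as leftover debugging. The enclosing sub tcpcheck starts before the first hunk of this section.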


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.h,v 1.1.1.1 2004/12/31 11:30:43 martti Exp $ */
/* $NetBSD: ip_fil.h,v 1.1.1.2 2005/02/08 06:53:27 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_fil.h,v 2.170.2.5 2004/06/08 13:14:17 darrenr Exp
* Id: ip_fil.h,v 2.170.2.15 2005/01/08 14:26:18 darrenr Exp
*/
#ifndef __IP_FIL_H__
@ -232,10 +232,10 @@ typedef struct fr_ip {
#define FI_BAD 0x0400
#define FI_OOW 0x0800 /* Out of state window, else match */
#define FI_ICMPERR 0x1000
#define FI_FRAGTAIL 0x2000
#define FI_FRAGBODY 0x2000
#define FI_BADSRC 0x4000
#define FI_LOWTTL 0x8000
#define FI_CMP 0xcff3 /* Not FI_FRAG,FI_FRAGTAIL */
#define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
#define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
#define FI_WITH 0xeffe /* Not FI_TCPUDP */
#define FI_V6EXTHDR 0x10000
@ -305,6 +305,9 @@ typedef struct fr_info {
mb_t *fin_qfm; /* pointer to mblk where pkt starts */
void *fin_qpi;
#endif
#ifdef __sgi
void *fin_hbuf;
#endif
} fr_info_t;
#define fin_v fin_fi.fi_v
@ -624,6 +627,7 @@ typedef struct frentry {
#define FR_STSTRICT 0x200000 /* strict keep state */
#define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
#define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
#define FR_STATESYNC 0x1000000 /* synchronize state to slave */
#define FR_NOMATCH 0x8000000 /* no match occured */
/* 0x10000000 FF_LOGPASS */
/* 0x20000000 FF_LOGBLOCK */
@ -765,8 +769,8 @@ typedef struct ipflog {
#ifndef IPFILTER_LOGSIZE
# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
#else
# if IPF_LOGSIZE < DEFAULT_IPFLOGSIZE
# error IPFILTER_LOGSISZE too small. Must be >= DEFAULT_IPFLOGSIZE
# if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
# error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
# endif
#endif
@ -1036,6 +1040,7 @@ typedef struct ipftuneable {
u_long ipft_max;
int ipft_sz;
int ipft_flags;
struct ipftuneable *ipft_next;
} ipftuneable_t;
#define ipft_addr ipft_una.ipftp_void
@ -1115,7 +1120,6 @@ extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
extern void m_freem __P((mb_t *));
#else /* #ifndef _KERNEL */
extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern void ipfilterattach __P((int));
# endif
@ -1133,12 +1137,14 @@ extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int iplread __P((dev_t, uio_t *, cred_t *));
extern int iplwrite __P((dev_t, uio_t *, cred_t *));
# endif
# ifdef __hpux
extern int iplopen __P((dev_t, int, intptr_t, int));
extern int iplclose __P((dev_t, int, int));
extern int iplioctl __P((dev_t, int, caddr_t, int));
extern int iplread __P((dev_t, uio_t *));
extern int iplwrite __P((dev_t, uio_t *));
extern int iplselect __P((dev_t, int));
# endif
extern int ipfsync __P((void));
@ -1153,6 +1159,7 @@ extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int iplread __P((dev_t, uio_t *, cred_t *));
extern int iplwrite __P((dev_t, uio_t *, cred_t *));
extern int ipfsync __P((void));
extern int ipfilter_sgi_attach __P((void));
extern void ipfilter_sgi_detach __P((void));
@ -1166,7 +1173,11 @@ extern int iplidentify __P((char *));
# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
# if (__FreeBSD_version >= 500024)
# if (__FreeBSD_version >= 502116)
extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
# else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
# endif /* __FreeBSD_version >= 502116 */
# else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
# endif /* __FreeBSD_version >= 500024 */
@ -1174,8 +1185,13 @@ extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
# endif
# if (__FreeBSD_version >= 500024)
# if (__FreeBSD_version >= 502116)
extern int iplopen __P((struct cdev*, int, int, struct thread *));
extern int iplclose __P((struct cdev*, int, int, struct thread *));
# else
extern int iplopen __P((dev_t, int, int, struct thread *));
extern int iplclose __P((dev_t, int, int, struct thread *));
# endif /* __FreeBSD_version >= 502116 */
# else
extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *));
@ -1190,8 +1206,13 @@ extern int iplioctl __P((dev_t, int, caddr_t, int));
# endif
# endif /* (_BSDI_VERSION >= 199510) */
# if BSD >= 199306
# if (__FreeBSD_version >= 502116)
extern int iplread __P((struct cdev*, struct uio *, int));
extern int iplwrite __P((struct cdev*, struct uio *, int));
# else
extern int iplread __P((dev_t, struct uio *, int));
extern int iplwrite __P((dev_t, struct uio *, int));
# endif /* __FreeBSD_version >= 502116 */
# else
# ifndef linux
extern int iplread __P((dev_t, struct uio *));
@ -1217,17 +1238,19 @@ extern int ipldetach __P((void));
extern u_short ipf_cksum __P((u_short *, int));
extern int copyinptr __P((void *, void *, size_t));
extern int copyoutptr __P((void *, void *, size_t));
extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
extern int fr_inobj __P((void *, void *, int));
extern int fr_inobjsz __P((void *, void *, int, int));
extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int));
extern int fr_ipftune __P((ioctlcmd_t, void *));
extern int fr_outobj __P((void *, void *, int));
extern int fr_outobjsz __P((void *, void *, int, int));
extern int fr_send_reset __P((fr_info_t *));
extern int fr_send_icmp_err __P((int, fr_info_t *, int));
extern void fr_resolvdest __P((struct frdest *, int));
extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
extern void fr_resolvedest __P((struct frdest *, int));
extern int fr_resolvefunc __P((void *));
extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
extern void *fr_resolvenic __P((char *, int));
extern int fr_send_icmp_err __P((int, fr_info_t *, int));
extern int fr_send_reset __P((fr_info_t *));
#if (__FreeBSD_version < 490000) || !defined(_KERNEL)
extern int ppsratecheck __P((struct timeval *, int *, int));
#endif
@ -1250,8 +1273,11 @@ extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
struct in_addr *));
#endif
extern int fr_addipftune __P((ipftuneable_t *));
extern int fr_delipftune __P((ipftuneable_t *));
extern int frflush __P((minor_t, int, int));
extern void frsync __P((void));
extern void frsync __P((void *));
extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
extern int fr_derefrule __P((frentry_t **));
extern void fr_delgroup __P((char *, minor_t, int));
@ -1274,6 +1300,7 @@ extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
extern void fr_forgetifp __P((void *));
extern frentry_t *fr_getrulen __P((int, char *, u_32_t));
extern void fr_getstat __P((struct friostat *));
extern int fr_icmp4errortype __P((int));
extern int fr_ifpaddr __P((int, int, void *,
struct in_addr *, struct in_addr *));
extern int fr_initialise __P((void));
@ -1291,7 +1318,6 @@ extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
extern int fr_verifysrc __P((fr_info_t *fin));
extern int fr_zerostats __P((char *));
extern int fr_unreach;
extern int fr_running;
extern u_long fr_frouteok[2];
extern int fr_pass;
@ -1308,6 +1334,7 @@ extern int ipl_suppress;
extern int ipl_buffer_sz;
extern int ipl_logmax;
extern int ipl_logall;
extern int ipl_logsize;
extern u_long fr_ticks;
extern fr_info_t frcache[2][8];
extern char ipfilter_version[];
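Review bot: The comment on the new `FI_CMP` value still names `FI_FRAGTAIL`, although the same hunk renames that flag to `FI_FRAGBODY` two lines above, so a reader searching for the flag will not find it. Suggest `#define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGBODY */`. The change from 0xcff3 to 0xcfe3 clears bit 0x0010, which is presumably FI_NATED as the new comment says; its definition is outside the section, so that should be confirmed. The renamed flag keeps the value 0x2000, so the mask itself is consistent with the rename.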


@ -1,4 +1,4 @@
/* $NetBSD: ip_htable.c,v 1.1.1.1 2004/12/31 11:30:44 martti Exp $ */
/* $NetBSD: ip_htable.c,v 1.1.1.2 2005/02/08 06:53:27 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -53,7 +53,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.1 2004/03/06 14:32:58 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -377,6 +377,15 @@ void *tptr, *aptr;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_iphmfindip */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
/* Parameters: tptr(I) - pointer to the pool to search */
/* version(I) - IP protocol version (4 or 6) */
/* aptr(I) - pointer to address information */
/* */
/* Search the hash table for a given address and return a search result. */
/* ------------------------------------------------------------------------ */
int fr_iphmfindip(tptr, version, aptr)
void *tptr, *aptr;
int version;
@ -387,10 +396,10 @@ int version;
int rval;
if (version != 4)
return 1;
return -1;
if (tptr == NULL || aptr == NULL)
return 1;
return -1;
iph = tptr;
addr = aptr;
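Review bot: The new header comment for fr_iphmfindip documents `version(I)` as "IP protocol version (4 or 6)", but the body now returns -1 (error) for anything other than 4, so a caller passing 6 is told the lookup failed rather than that the table does not cover that family. Either the comment should state the restriction, `/* version(I) - IP protocol version (only 4 is supported; 6 is an error) */`, or the `version != 4` case should keep returning 1 (no match) if callers treat -1 as a hard failure; which is right depends on the callers, which are outside this section. The same hunk also turns NULL `tptr`/`aptr` into -1, which does match the "error" meaning in the Returns line. The function body continues past the hunk.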


@ -1,11 +1,11 @@
/* $NetBSD: ip_log.c,v 1.1.1.1 2004/12/31 11:30:44 martti Exp $ */
/* $NetBSD: ip_log.c,v 1.1.1.2 2005/02/08 06:53:27 martti Exp $ */
/*
* Copyright (C) 1997-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_log.c,v 2.75.2.5 2004/07/13 14:25:36 darrenr Exp
* Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp
*/
#include <sys/param.h>
#if defined(KERNEL) || defined(_KERNEL)
@ -157,6 +157,7 @@ int ipl_buffer_sz;
int ipl_logmax = IPL_LOGMAX;
int ipl_logall = 0;
int ipl_log_init = 0;
int ipl_logsize = IPFILTER_LOGSIZE;
int ipl_magic[IPL_LOGSIZE] = { IPL_MAGIC, IPL_MAGIC_NAT, IPL_MAGIC_STATE,
IPL_MAGIC, IPL_MAGIC, IPL_MAGIC,
IPL_MAGIC, IPL_MAGIC };
@ -455,7 +456,7 @@ int *types, cnt;
return -1;
SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);
if ((iplused[dev] + len) > IPFILTER_LOGSIZE) {
if ((iplused[dev] + len) > ipl_logsize) {
MUTEX_EXIT(&ipl_mutex);
SPL_X(s);
KFREES(buf, len);
@ -550,7 +551,7 @@ struct uio *uio;
if (uio->uio_resid == 0)
return 0;
if ((uio->uio_resid < sizeof(iplog_t)) ||
(uio->uio_resid > IPFILTER_LOGSIZE))
(uio->uio_resid > ipl_logsize))
return EINVAL;
/*
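Review bot: `ipl_logsize` replaces the compile-time `IPFILTER_LOGSIZE` in the ipllog and iplread bounds checks, but nothing in this section constrains the variable once it is exported (ip_fil.h in this commit declares it extern); a value below `DEFAULT_IPFLOGSIZE`, or zero, would make `(iplused[dev] + len) > ipl_logsize` reject every log record and `uio->uio_resid > ipl_logsize` reject every read, and the `# error` check in ip_fil.h only covers the build-time default. If the variable is meant to be set through the tuneable interface, the setter (outside this section) should enforce the same minimum. A comment on the declaration, `int ipl_logsize = IPFILTER_LOGSIZE; /* runtime limit on buffered log bytes; keep >= DEFAULT_IPFLOGSIZE */`, would record the constraint either way.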


@ -1,4 +1,4 @@
/* $NetBSD: ip_pool.c,v 1.1.1.1 2004/12/31 11:30:43 martti Exp $ */
/* $NetBSD: ip_pool.c,v 1.1.1.2 2005/02/08 06:53:27 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -79,7 +79,7 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.9 2004/06/13 23:45:18 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.11 2004/10/17 15:49:14 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -367,7 +367,7 @@ addrfamily_t *addr, *mask;
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_search */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve match */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
/* Parameters: tptr(I) - pointer to the pool to search */
/* version(I) - IP protocol version (4 or 6) */
/* dptr(I) - pointer to address information */
@ -390,7 +390,7 @@ void *dptr;
if (ipo == NULL)
return -1;
rv = -1;
rv = 1;
m = NULL;
addr = (i6addr_t *)dptr;
bzero(&v, sizeof(v));
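Review bot: `rv = 1;` changes ip_pool_search's default from "error" to "no match", and the updated Returns comment now matches the fr_iphmfindip contract (0 match, -1 error, 1 no match); a short comment at the assignment, `rv = 1;	/* no match until the lookup below finds one */`, would make the intent visible, since the match result is presumably set further down in the function, outside the hunk. Callers that treated any non-zero return as "not matched" are unaffected; callers that distinguish -1 from 1 should be checked, as they are outside this section. The function starts before the hunk and ends after it.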


@ -1,4 +1,4 @@
/* $NetBSD: ip_pptp_pxy.c,v 1.1.1.1 2004/12/31 11:30:45 martti Exp $ */
/* $NetBSD: ip_pptp_pxy.c,v 1.1.1.2 2005/02/08 06:53:28 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Darren Reed
@ -6,7 +6,7 @@
* Simple PPTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_pptp_pxy.c,v 2.10.2.5 2004/06/07 14:20:05 darrenr Exp
* Id: ip_pptp_pxy.c,v 2.10.2.6 2004/11/25 15:37:37 darrenr Exp
*
*/
#define IPF_PPTP_PROXY
@ -120,7 +120,7 @@ nat_t *nat;
fi.fin_flx &= ~FI_TCPUDP;
fi.fin_flx |= FI_IGNORE;
nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, 0, NAT_OUTBOUND);
nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, NAT_SLAVE, NAT_OUTBOUND);
pptp->pptp_nat = nat2;
if (nat2 != NULL) {
(void) nat_proto(&fi, nat2, 0);


@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.c,v 1.1.1.1 2004/12/31 11:30:45 martti Exp $ */
/* $NetBSD: ip_proxy.c,v 1.1.1.2 2005/02/08 06:53:29 martti Exp $ */
/*
* Copyright (C) 1997-2003 by Darren Reed.
@ -105,13 +105,18 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.7 2004/07/11 10:40:54 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.9 2004/10/17 15:21:28 darrenr Exp";
#endif
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
#define AP_SESS_SIZE 53
#if defined(_KERNEL)
int ipf_proxy_debug = 0;
#else
int ipf_proxy_debug = 2;
#endif
ap_session_t *ap_sess_tab[AP_SESS_SIZE];
ap_session_t *ap_sess_list = NULL;
aproxy_t *ap_proxylist = NULL;
@ -181,14 +186,22 @@ aproxy_t *ap;
for (a = ap_proxies; a->apr_p; a++)
if ((a->apr_p == ap->apr_p) &&
!strncmp(a->apr_label, ap->apr_label,
sizeof(ap->apr_label)))
sizeof(ap->apr_label))) {
if (ipf_proxy_debug > 1)
printf("appr_add: %s/%d already present (B)\n",
a->apr_label, a->apr_p);
return -1;
}
for (a = ap_proxylist; a->apr_p; a = a->apr_next)
if ((a->apr_p == ap->apr_p) &&
!strncmp(a->apr_label, ap->apr_label,
sizeof(ap->apr_label)))
sizeof(ap->apr_label))) {
if (ipf_proxy_debug > 1)
printf("appr_add: %s/%d already present (D)\n",
a->apr_label, a->apr_p);
return -1;
}
ap->apr_next = ap_proxylist;
ap_proxylist = ap;
if (ap->apr_init != NULL)
@ -209,12 +222,22 @@ ap_ctl_t *ctl;
int error;
a = appr_lookup(ctl->apc_p, ctl->apc_label);
if (a == NULL)
if (a == NULL) {
if (ipf_proxy_debug > 1)
printf("appr_ctl: can't find %s/%d\n",
ctl->apc_label, ctl->apc_p);
error = ESRCH;
else if (a->apr_ctl == NULL)
} else if (a->apr_ctl == NULL) {
if (ipf_proxy_debug > 1)
printf("appr_ctl: no ctl function for %s/%d\n",
ctl->apc_label, ctl->apc_p);
error = ENXIO;
else
} else {
error = (*a->apr_ctl)(a, ctl);
if ((error != 0) && (ipf_proxy_debug > 1))
printf("appr_ctl: %s/%d ctl error %d\n",
a->apr_label, a->apr_p, error);
}
return error;
}
@ -233,10 +256,16 @@ aproxy_t *ap;
if (a == ap) {
a->apr_flags |= APR_DELETE;
*app = a->apr_next;
if (ap->apr_ref != 0)
if (ap->apr_ref != 0) {
if (ipf_proxy_debug > 2)
printf("appr_del: orphaning %s/%d\n",
ap->apr_label, ap->apr_p);
return 1;
}
return 0;
}
if (ipf_proxy_debug > 1)
printf("appr_del: proxy %lx not found\n", (u_long)ap);
return -1;
}
@ -296,7 +325,8 @@ int mode;
if (error == 0)
error = appr_ctl(&ctl);
if (ctl.apc_dsize > 0 && ptr != NULL && ctl.apc_data == ptr) {
if ((ctl.apc_dsize > 0) && (ptr != NULL) &&
(ctl.apc_data == ptr)) {
KFREES(ptr, ctl.apc_dsize);
}
break;
@ -318,23 +348,37 @@ nat_t *nat;
{
aproxy_t *apr;
ipnat_t *ipn;
#if PROXY_DEBUG
printf("appr_match(%lx,%lx)\n", fin, nat);
#endif
if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0)
return -1;
int result;
ipn = nat->nat_ptr;
if (ipn == NULL)
if (ipf_proxy_debug > 8)
printf("appr_match(%lx,%lx) aps %lx ptr %lx\n",
(u_long)fin, (u_long)nat, (u_long)nat->nat_aps,
(u_long)ipn);
if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) {
if (ipf_proxy_debug > 0)
printf("appr_match: flx 0x%x (BAD|SHORT)\n",
fin->fin_flx);
return -1;
}
apr = ipn->in_apr;
if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
(nat->nat_aps == NULL))
if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {
if (ipf_proxy_debug > 0)
printf("appr_match:apr %lx apr_flags 0x%x\n",
(u_long)apr, apr ? apr->apr_flags : 0);
return -1;
if (apr->apr_match != NULL)
if ((*apr->apr_match)(fin, nat->nat_aps, nat) != 0)
}
if (apr->apr_match != NULL) {
result = (*apr->apr_match)(fin, nat->nat_aps, nat);
if (result != 0) {
if (ipf_proxy_debug > 4)
printf("appr_match: result %d\n", result);
return -1;
}
}
return 0;
}
@ -351,21 +395,34 @@ nat_t *nat;
register ap_session_t *aps;
aproxy_t *apr;
#if PROXY_DEBUG
printf("appr_new(%lx,%lx)\n", fin, nat);
#endif
if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL))
if (ipf_proxy_debug > 8)
printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat);
if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) {
if (ipf_proxy_debug > 0)
printf("appr_new: nat_ptr %lx nat_aps %lx\n",
(u_long)nat->nat_ptr, (u_long)nat->nat_aps);
return -1;
}
apr = nat->nat_ptr->in_apr;
if (!apr || (apr->apr_flags & APR_DELETE) ||
(fin->fin_p != apr->apr_p))
if ((apr->apr_flags & APR_DELETE) ||
(fin->fin_p != apr->apr_p)) {
if (ipf_proxy_debug > 2)
printf("appr_new: apr_flags 0x%x p %d/%d\n",
apr->apr_flags, fin->fin_p, apr->apr_p);
return -1;
}
KMALLOC(aps, ap_session_t *);
if (!aps)
if (!aps) {
if (ipf_proxy_debug > 0)
printf("appr_new: malloc failed (%u)\n",
sizeof(ap_session_t));
return -1;
}
bzero((char *)aps, sizeof(*aps));
aps->aps_p = fin->fin_p;
aps->aps_data = NULL;
@ -377,6 +434,9 @@ nat_t *nat;
KFREES(aps->aps_data, aps->aps_psiz);
}
KFREE(aps);
if (ipf_proxy_debug > 2)
printf("appr_new: new(%lx) failed\n",
(u_long)apr->apr_new);
return -1;
}
aps->aps_nat = nat;
@ -415,14 +475,17 @@ nat_t *nat;
u_32_t s1, s2, sd;
#endif
if (fin->fin_flx & FI_BAD)
if (fin->fin_flx & FI_BAD) {
if (ipf_proxy_debug > 0)
printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx);
return -1;
}
#ifndef IPFILTER_CKSUM
if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
# if PROXY_DEBUG || !defined(_KERNEL)
printf("proxy l4 checksum failure on %p\n", fin);
# endif
if (ipf_proxy_debug > 0)
printf("appr_check: l4 checksum failure %d\n",
fin->fin_p);
if (fin->fin_p == IPPROTO_TCP)
frstats[fin->fin_out].fr_tcpbad++;
return -1;
@ -437,8 +500,11 @@ nat_t *nat;
*/
#if defined(MENTAT) || defined(HAVE_M_PULLDOWN)
if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE))
if (fr_coalesce(fin) == -1)
if (fr_coalesce(fin) == -1) {
if (ipf_proxy_debug > 0)
printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
return -1;
}
#endif
ip = fin->fin_ip;
@ -477,17 +543,14 @@ nat_t *nat;
}
rv = APR_EXIT(err);
if (rv == 1) {
#if PROXY_DEBUG || !defined(_KERNEL)
printf("%d:proxy says bad packet received (%x)\n",
fin->fin_out, err);
#endif
if (((ipf_proxy_debug > 0) && (rv != 0)) ||
(ipf_proxy_debug > 8))
printf("appr_check: out %d err %x rv %d\n",
fin->fin_out, err, rv);
if (rv == 1)
return -1;
}
if (rv == 2) {
#if PROXY_DEBUG || !defined(_KERNEL)
printf("proxy says free app proxy data (%x)\n", err);
#endif
appr_free(apr);
nat->nat_aps = NULL;
return -1;
@ -555,9 +618,8 @@ char *name;
{
aproxy_t *ap;
#if PROXY_DEBUG
printf("appr_lookup(%d,%s)\n", pr, name);
#endif
if (ipf_proxy_debug > 8)
printf("appr_lookup(%d,%s)\n", pr, name);
for (ap = ap_proxies; ap->apr_p; ap++)
if ((ap->apr_p == pr) &&
@ -572,6 +634,8 @@ char *name;
ap->apr_ref++;
return ap;
}
if (ipf_proxy_debug > 2)
printf("appr_lookup: failed for %d/%s\n", pr, name);
return NULL;
}
@ -640,10 +704,10 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
(seq1 > aps->aps_seqmin[!sel])) {
#if PROXY_DEBUG
printf("proxy out switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
if (ipf_proxy_debug > 7)
printf("proxy out switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1,
aps->aps_seqmin[!sel]);
sel = aps->aps_sel[out] = !sel;
}
@ -660,11 +724,10 @@ int inc;
if (inc && (seq1 > aps->aps_seqmin[!sel])) {
aps->aps_seqmin[sel] = seq1 + nlen - 1;
aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
#if PROXY_DEBUG
printf("proxy seq set %d at %x to %d + %d\n", sel,
aps->aps_seqmin[sel], aps->aps_seqoff[sel],
inc);
#endif
if (ipf_proxy_debug > 7)
printf("proxy seq set %d at %x to %d + %d\n",
sel, aps->aps_seqmin[sel],
aps->aps_seqoff[sel], inc);
}
/***/
@ -675,10 +738,10 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
(seq1 > aps->aps_ackmin[!sel])) {
#if PROXY_DEBUG
printf("proxy out switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
if (ipf_proxy_debug > 7)
printf("proxy out switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1,
aps->aps_ackmin[!sel]);
sel = aps->aps_sel[1 - out] = !sel;
}
@ -694,10 +757,9 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
(seq1 > aps->aps_ackmin[!sel])) {
#if PROXY_DEBUG
printf("proxy in switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
if (ipf_proxy_debug > 7)
printf("proxy in switch set ack %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_ackmin[!sel]);
sel = aps->aps_sel[out] = !sel;
}
@ -714,11 +776,11 @@ int inc;
if (inc && (seq1 > aps->aps_ackmin[!sel])) {
aps->aps_ackmin[!sel] = seq1 + nlen - 1;
aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
#if PROXY_DEBUG
printf("proxy ack set %d at %x to %d + %d\n", !sel,
aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
inc);
#endif
if (ipf_proxy_debug > 7)
printf("proxy ack set %d at %x to %d + %d\n",
!sel, aps->aps_seqmin[!sel],
aps->aps_seqoff[sel], inc);
}
/***/
@ -729,19 +791,17 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
(seq1 > aps->aps_seqmin[!sel])) {
#if PROXY_DEBUG
printf("proxy in switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
if (ipf_proxy_debug > 7)
printf("proxy in switch set seq %d -> %d %x > %x\n",
sel, !sel, seq1, aps->aps_seqmin[!sel]);
sel = aps->aps_sel[1 - out] = !sel;
}
if (aps->aps_seqoff[sel] != 0) {
#if PROXY_DEBUG
printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
aps->aps_seqoff[sel], seq1,
aps->aps_seqmin[sel]);
#endif
if (ipf_proxy_debug > 7)
printf("sel %d seqoff %d seq1 %x seqmin %x\n",
sel, aps->aps_seqoff[sel], seq1,
aps->aps_seqmin[sel]);
if (seq1 > aps->aps_seqmin[sel]) {
seq2 = aps->aps_seqoff[sel];
tcp->th_ack = htonl(seq1 - seq2);
@ -749,10 +809,10 @@ int inc;
}
}
}
#if PROXY_DEBUG
printf("appr_fixseqack: seq %lx ack %lx\n", ntohl(tcp->th_seq),
ntohl(tcp->th_ack));
#endif
if (ipf_proxy_debug > 8)
printf("appr_fixseqack: seq %x ack %x\n",
ntohl(tcp->th_seq), ntohl(tcp->th_ack));
return ch ? 2 : 0;
}
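Review bot: appr_new drops the `!apr ||` NULL test from the guard on `nat->nat_ptr->in_apr`, so when a NAT rule has no proxy attached the next line dereferences a NULL pointer in kernel context (`apr->apr_flags`), and the new debug printf below dereferences it again; the old code returned -1 here, and unless every caller already checks `in_apr` (they are outside this section) the guard should come back. The appr_match hunk is similar: it removes `(nat->nat_aps == NULL)` from its guard and then passes `nat->nat_aps` to `(*apr->apr_match)`, so every proxy's match function would now have to tolerate a NULL session; the check should be restored on the `if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {` line unless all match functions are known to handle it. A restored appr_new guard that keeps the new diagnostics is below. Separately, `"appr_new: malloc failed (%u)\n"` is given a `sizeof` (size_t) for `%u`, which is a width mismatch on LP64 kernels; printing `(u_long)sizeof(ap_session_t)` with `%lu` avoids it.
```c
	apr = nat->nat_ptr->in_apr;
	if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
	    (fin->fin_p != apr->apr_p)) {
		if (ipf_proxy_debug > 2)
			printf("appr_new: apr %lx apr_flags 0x%x p %d/%d\n",
			       (u_long)apr, apr ? apr->apr_flags : 0,
			       fin->fin_p, apr ? apr->apr_p : 0);
		return -1;
	}
	/* … unchanged: KMALLOC(aps, ...) and session setup … */
```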


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.h,v 1.1.1.1 2004/12/31 11:30:48 martti Exp $ */
/* $NetBSD: ip_state.h,v 1.1.1.2 2005/02/08 06:53:30 martti Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* Id: ip_state.h,v 2.68.2.1 2004/06/30 11:26:12 darrenr Exp
* Id: ip_state.h,v 2.68.2.2 2004/10/31 18:44:39 darrenr Exp
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@ -119,6 +119,7 @@ typedef struct ipstate {
#define IS_STRICT 0x20000
#define IS_ISNSYN 0x40000
#define IS_ISNACK 0x80000
#define IS_STATESYNC 0x100000
/*
* IS_SC flags are for scan-operations that need to be recognised in state.
*/


@ -1,4 +1,4 @@
/* $NetBSD: ip_sync.c,v 1.1.1.1 2004/12/31 11:30:48 martti Exp $ */
/* $NetBSD: ip_sync.c,v 1.1.1.2 2005/02/08 06:53:30 martti Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@ -98,7 +98,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.1 2004/03/22 12:21:54 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.2 2004/10/31 18:45:58 darrenr Exp";
#endif
#define SYNC_STATETABSZ 256
@ -120,6 +120,7 @@ u_int sl_idx = 0, /* next available sync log entry */
su_idx = 0, /* next available sync update entry */
sl_tail = 0, /* next sync log entry to read */
su_tail = 0; /* next sync update entry to read */
int ipf_sync_debug = 0;
# if !defined(sparc) && !defined(__hppa)
@ -263,6 +264,7 @@ ipstate_t *ips;
# define ipfsync_storder(x,y)
# endif /* !defined(sparc) && !defined(__hppa) */
/* enable this for debugging */
# ifdef _KERNEL
/* ------------------------------------------------------------------------ */
@ -277,37 +279,129 @@ int ipfsync_write(uio)
struct uio *uio;
{
synchdr_t sh;
/*
* THIS MUST BE SUFFICIENT LARGE TO STORE
* ANY POSSIBLE DATA TYPE
*/
char data[2048];
int err = 0;
/*
* All writes will be in multiples of 4 and at least 8 bytes.
*/
if ((uio->uio_resid & 3) || (uio->uio_resid < 8))
return EINVAL;
# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
uio->uio_rw = UIO_WRITE;
# endif
while ((uio->uio_resid > 0) &&
UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio) == 0) {
sh.sm_num = ntohl(sh.sm_num);
if (sh.sm_v != 4 && sh.sm_v != 6)
continue;
/* Try to get bytes */
while (uio->uio_resid > 0) {
if (uio->uio_resid >= sizeof(sh)) {
err = UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio);
if (err) {
if (ipf_sync_debug > 2)
printf("uiomove(header) failed: %d\n",
err);
return err;
}
/* convert to host order */
sh.sm_magic = ntohl(sh.sm_magic);
sh.sm_len = ntohl(sh.sm_len);
sh.sm_num = ntohl(sh.sm_num);
if (ipf_sync_debug > 8)
printf("[%d] Read v:%d p:%d cmd:%d table:%d rev:%d len:%d magic:%x\n",
sh.sm_num, sh.sm_v, sh.sm_p, sh.sm_cmd,
sh.sm_table, sh.sm_rev, sh.sm_len,
sh.sm_magic);
if (sh.sm_magic != SYNHDRMAGIC) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalud %x\n",
"magic");
return EINVAL;
}
if (sh.sm_v != 4 && sh.sm_v != 6) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalid %s\n",
"protocol");
return EINVAL;
}
if (sh.sm_cmd > SMC_MAXCMD) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalid %s\n",
"command");
return EINVAL;
}
if (sh.sm_table > SMC_MAXTBL) {
if (ipf_sync_debug > 2)
printf("uiomove(header) invalid %s\n",
"table");
return EINVAL;
}
} else {
/* unsufficient data, wait until next call */
if (ipf_sync_debug > 2)
printf("uiomove(header) insufficient data");
return EAGAIN;
}
if ((sh.sm_cmd > SMC_MAXCMD) || (sh.sm_table > SMC_MAXTBL))
continue;
/*
* We currently only synchronise state information and NAT
* information - and even then, the NAT information is not
* yet sync'd for proxied connections.
* We have a header, so try to read the amount of data
* needed for the request
*/
if (sh.sm_table == SMC_STATE)
err = ipfsync_state(&sh, uio);
else if (sh.sm_table == SMC_NAT)
err = ipfsync_nat(&sh, uio);
if (err)
break;
}
return err;
/* not supported */
if (sh.sm_len == 0) {
if (ipf_sync_debug > 2)
printf("uiomove(data zero length %s\n",
"not supported");
return EINVAL;
}
if (uio->uio_resid >= sh.sm_len) {
err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio);
if (err) {
if (ipf_sync_debug > 2)
printf("uiomove(data) failed: %d\n",
err);
return err;
}
if (ipf_sync_debug > 7)
printf("uiomove(data) %d bytes read\n",
sh.sm_len);
if (sh.sm_table == SMC_STATE)
err = ipfsync_state(&sh, data);
else if (sh.sm_table == SMC_NAT)
err = ipfsync_nat(&sh, data);
if (ipf_sync_debug > 7)
printf("[%d] Finished with error %d\n",
sh.sm_num, err);
} else {
/* insufficient data, wait until next call */
if (ipf_sync_debug > 2)
printf("uiomove(data) %s %d bytes, got %d\n",
"insufficient data, need",
sh.sm_len, uio->uio_resid);
return EAGAIN;
}
}
/* no more data */
return 0;
}
@ -408,28 +502,24 @@ struct uio *uio;
/* create a new state entry or update one. Deletion is left to the state */
/* structures being timed out correctly. */
/* ------------------------------------------------------------------------ */
int ipfsync_state(sp, uio)
int ipfsync_state(sp, data)
synchdr_t *sp;
struct uio *uio;
void *data;
{
synctcp_update_t su;
ipstate_t *is, sn;
synclist_t *sl;
frentry_t *fr;
u_int hv;
int err;
int err = 0;
# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
uio->uio_rw = UIO_WRITE;
# endif
hv = sp->sm_num & (SYNC_STATETABSZ - 1);
switch (sp->sm_cmd)
{
case SMC_CREATE :
err = UIOMOVE((caddr_t)&sn, sizeof(sn), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &sn, sizeof(sn));
KMALLOC(is, ipstate_t *);
if (is == NULL) {
err = ENOMEM;
@ -462,12 +552,15 @@ struct uio *uio;
}
RWLOCK_EXIT(&ipf_mutex);
if (ipf_sync_debug > 4)
printf("[%d] Filter rules = %p\n", sp->sm_num, fr);
is->is_rule = fr;
is->is_sync = sl;
sl->sl_idx = -1;
sl->sl_ips = is;
sl->sl_num = ntohl(sp->sm_num);
bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr));
WRITE_ENTER(&ipf_syncstate);
WRITE_ENTER(&ipf_state);
@ -486,19 +579,25 @@ struct uio *uio;
*
* Put this state entry on its timeout queue.
*/
fr_setstatequeue(is, sp->sm_rev);
/*fr_setstatequeue(is, sp->sm_rev);*/
break;
case SMC_UPDATE :
err = UIOMOVE((caddr_t)&su, sizeof(su), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &su, sizeof(su));
if (ipf_sync_debug > 4)
printf("[%d] Update age %lu state %d/%d \n",
sp->sm_num, su.stu_age, su.stu_state[0],
su.stu_state[1]);
READ_ENTER(&ipf_syncstate);
for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
if (sl->sl_hdr.sm_num == sp->sm_num)
break;
if (sl == NULL) {
if (ipf_sync_debug > 1)
printf("[%d] State not found - can't update\n",
sp->sm_num);
RWLOCK_EXIT(&ipf_syncstate);
err = ENOENT;
break;
@ -506,12 +605,19 @@ struct uio *uio;
READ_ENTER(&ipf_state);
if (ipf_sync_debug > 6)
printf("[%d] Data from state v:%d p:%d cmd:%d table:%d rev:%d\n",
sp->sm_num, sl->sl_hdr.sm_v, sl->sl_hdr.sm_p,
sl->sl_hdr.sm_cmd, sl->sl_hdr.sm_table,
sl->sl_hdr.sm_rev);
is = sl->sl_ips;
MUTEX_ENTER(&is->is_lock);
switch (sp->sm_p)
{
case IPPROTO_TCP :
/* XXX FV --- shouldn't we do ntohl/htonl???? XXX */
is->is_send = su.stu_data[0].td_end;
is->is_maxsend = su.stu_data[0].td_maxend;
is->is_maxswin = su.stu_data[0].td_maxwin;
@ -524,7 +630,12 @@ struct uio *uio;
default :
break;
}
if (ipf_sync_debug > 6)
printf("[%d] Setting timers for state\n", sp->sm_num);
fr_setstatequeue(is, sp->sm_rev);
MUTEX_EXIT(&is->is_lock);
break;
@ -537,6 +648,11 @@ struct uio *uio;
RWLOCK_EXIT(&ipf_state);
RWLOCK_EXIT(&ipf_syncstate);
}
if (ipf_sync_debug > 6)
printf("[%d] Update completed with error %d\n",
sp->sm_num, err);
return err;
}
# endif /* _KERNEL */
@ -575,9 +691,9 @@ synclist_t *sl;
/* create a new NAT entry or update one. Deletion is left to the NAT */
/* structures being timed out correctly. */
/* ------------------------------------------------------------------------ */
int ipfsync_nat(sp, uio)
int ipfsync_nat(sp, data)
synchdr_t *sp;
struct uio *uio;
void *data;
{
synclogent_t sle;
syncupdent_t su;
@ -586,18 +702,12 @@ struct uio *uio;
u_int hv = 0;
int err;
# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
uio->uio_rw = UIO_WRITE;
# endif
READ_ENTER(&ipf_syncstate);
switch (sp->sm_cmd)
{
case SMC_CREATE :
err = UIOMOVE((caddr_t)&sle, sizeof(sle), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &sle, sizeof(sle));
KMALLOC(n, nat_t *);
if (n == NULL) {
@ -634,9 +744,7 @@ struct uio *uio;
break;
case SMC_UPDATE :
err = UIOMOVE((caddr_t)&su, sizeof(su), UIO_WRITE, uio);
if (err != 0)
break;
bcopy(data, &su, sizeof(su));
READ_ENTER(&ipf_syncstate);
for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
@ -731,6 +839,7 @@ void *ptr;
sl->sl_num = ipf_syncnum;
MUTEX_EXIT(&ipf_syncadd);
sl->sl_magic = htonl(SYNHDRMAGIC);
sl->sl_v = fin->fin_v;
sl->sl_p = fin->fin_p;
sl->sl_cmd = SMC_CREATE;
@ -747,6 +856,7 @@ void *ptr;
ptr = NULL;
sz = 0;
}
sl->sl_len = sz;
/*
* Create the log entry to be read by a user daemon. When it has been
@ -757,6 +867,7 @@ void *ptr;
bcopy((char *)&sl->sl_hdr, (char *)&sle->sle_hdr,
sizeof(sle->sle_hdr));
sle->sle_hdr.sm_num = htonl(sle->sle_hdr.sm_num);
sle->sle_hdr.sm_len = htonl(sle->sle_hdr.sm_len);
if (ptr != NULL) {
bcopy((char *)ptr, (char *)&sle->sle_un, sz);
if (tab == SMC_STATE) {
@ -813,10 +924,12 @@ synclist_t *sl;
sl->sl_idx = su_idx++;
bcopy((char *)&sl->sl_hdr, (char *)&slu->sup_hdr,
sizeof(slu->sup_hdr));
slu->sup_hdr.sm_magic = htonl(SYNHDRMAGIC);
slu->sup_hdr.sm_sl = sl;
slu->sup_hdr.sm_cmd = SMC_UPDATE;
slu->sup_hdr.sm_table = tab;
slu->sup_hdr.sm_num = htonl(sl->sl_num);
slu->sup_hdr.sm_len = htonl(sizeof(struct synctcp_update));
slu->sup_hdr.sm_rev = fin->fin_rev;
# if 0
if (fin->fin_p == IPPROTO_TCP) {
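Review bot: In ipfsync_write, `sh.sm_len` comes straight from the user's write(2) and after `ntohl` is only rejected when it is zero, yet the data branch then does `UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio)` into the fixed 2048-byte stack array `data`, so a length above `sizeof(data)` (or a negative one, `sm_len` being an `int`) overruns the kernel stack. Replace the zero test with `if (sh.sm_len <= 0 || (size_t)sh.sm_len > sizeof(data))` and return EINVAL as the other header checks do. ipfsync_state and ipfsync_nat then `bcopy(data, &sn, sizeof(sn))` / `bcopy(data, &sle, sizeof(sle))` without comparing `sp->sm_len` against the struct size, so a short record populates the new entry from whatever was left in `data`; a `if (sp->sm_len < sizeof(sn)) return EINVAL;` before each copy (and likewise for `su`) closes that. Separately, the debug line `printf("uiomove(header) invalud %x\n", "magic")` passes a string to `%x` and should read `"uiomove(header) invalid %s\n"` like its siblings.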


@ -1,4 +1,4 @@
/* $NetBSD: ip_sync.h,v 1.1.1.1 2004/12/31 11:30:48 martti Exp $ */
/* $NetBSD: ip_sync.h,v 1.1.1.2 2005/02/08 06:53:30 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -6,20 +6,27 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_sync.h,v 2.11 2004/01/03 13:34:59 darrenr Exp
* Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp
*/
#ifndef __IP_SYNC_H__
#define __IP_SYNC_H__
typedef struct synchdr {
u_char sm_v; /* version: 4,6 */
u_char sm_p; /* protocol */
u_char sm_cmd; /* command */
u_char sm_table; /* NAT, STATE, etc */
u_int sm_num; /* table entry number */
int sm_rev; /* forward/reverse */
u_32_t sm_magic; /* magic */
u_char sm_v; /* version: 4,6 */
u_char sm_p; /* protocol */
u_char sm_cmd; /* command */
u_char sm_table; /* NAT, STATE, etc */
u_int sm_num; /* table entry number */
int sm_rev; /* forward/reverse */
int sm_len; /* length of the data section */
struct synclist *sm_sl; /* back pointer to parent */
} synchdr_t;
#define SYNHDRMAGIC 0x0FF51DE5
/*
* Commands
* No delete required as expirey will take care of that!
@ -43,7 +50,7 @@ typedef struct synchdr {
typedef struct synctcp_update {
u_long stu_age;
tcpdata_t stu_data[2];
u_char stu_state[2];
int stu_state[2];
} synctcp_update_t;
@ -62,12 +69,14 @@ typedef struct synclist {
#define sl_ptr sl_un.slu_ptr
#define sl_ips sl_un.slu_ips
#define sl_ipn sl_un.slu_ipn
#define sl_magic sl_hdr.sm_magic
#define sl_v sl_hdr.sm_v
#define sl_p sl_hdr.sm_p
#define sl_cmd sl_hdr.sm_cmd
#define sl_rev sl_hdr.sm_rev
#define sl_table sl_hdr.sm_table
#define sl_num sl_hdr.sm_num
#define sl_len sl_hdr.sm_len
/*
* NOTE: SYNCLOG_SZ is defined *low*. It should be the next power of two
@ -100,7 +109,9 @@ extern synclist_t *ipfsync_new __P((int, fr_info_t *, void *));
extern void ipfsync_del __P((synclist_t *));
extern void ipfsync_update __P((int, fr_info_t *, synclist_t *));
extern int ipfsync_init __P((void));
extern int ipfsync_nat __P((synchdr_t *sp, struct uio *uio));
extern int ipfsync_state __P((synchdr_t *sp, struct uio *uio));
extern int ipfsync_nat __P((synchdr_t *sp, void *data));
extern int ipfsync_state __P((synchdr_t *sp, void *data));
extern int ipfsync_read __P((struct uio *uio));
extern int ipfsync_write __P((struct uio *uio));
#endif /* IP_SYNC */
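Review bot: The new `struct synclist *sm_sl` member lives inside `synchdr_t`, but that same struct is the record header copied to the user daemon (`bcopy(&sl->sl_hdr, &sle->sle_hdr, ...)` in ip_sync.c) and parsed back from write(2) in ipfsync_write, so every log entry now hands a raw kernel pointer to userland and the header length differs between 32- and 64-bit hosts, which would break sync between such peers. The back pointer should be kept in `synclist` (or `synclogent`) rather than in the on-wire header, and the header documented as such, e.g. `/* On-wire record header: multi-byte fields are network byte order; must hold no pointers or host-sized types. */`. The same concern applies, though pre-existing, to `u_long stu_age` and the widened `int stu_state[2]` in `synctcp_update`, which are copied host-order; the `XXX FV` note in ipfsync_state already flags the missing ntohl/htonl.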


@ -1,4 +1,4 @@
/* $NetBSD: ipl.h,v 1.1.1.1 2004/12/31 11:30:45 martti Exp $ */
/* $NetBSD: ipl.h,v 1.1.1.2 2005/02/08 06:53:28 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,14 +6,14 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* Id: ipl.h,v 2.52.2.4 2004/07/18 04:13:45 darrenr Exp
* Id: ipl.h,v 2.52.2.6 2005/01/08 17:27:10 darrenr Exp
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v4.1.3"
#define IPL_VERSION "IP Filter: v4.1.5"
#define IPFILTER_VERSION 4010300
#define IPFILTER_VERSION 4010500
#endif