Import ip-filter 3.2beta5
parent
4f72ff44fd
commit
985ac74a98
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_auth.h,v 1.1.1.1 1997/07/06 04:58:52 thorpej Exp $ */
|
||||
/* $NetBSD: ip_auth.h,v 1.1.1.2 1997/09/21 16:49:28 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1997 by Darren Reed & Guido Van Rooij.
|
||||
@ -7,7 +7,7 @@
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp
|
||||
* Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp
|
||||
*
|
||||
*/
|
||||
#ifndef __IP_AUTH_H__
|
||||
|
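--- /dev/null
+++ b/sys/netinet/ip_log.c
@@ -0,0 +1,432 @@
+/* $NetBSD: ip_log.c,v 1.1.1.1 1997/09/21 16:49:48 veego Exp $ */
+
+/*
+* (C)opyright 1997 by Darren Reed.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this notice is preserved and due credit is given
+* to the original author and the contributors.
+*
+* Id: ip_log.c,v 2.0.2.6 1997/09/10 13:08:18 darrenr Exp
+*/
+#ifdef IPFILTER_LOG
+# ifndef SOLARIS
+# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+# endif
+
+# ifdef __FreeBSD__
+# if defined(KERNEL) && !defined(_KERNEL)
+# define _KERNEL
+# endif
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include <sys/osreldate.h>
+# else
+# include <osreldate.h>
+# endif
+# endif
+# ifndef _KERNEL
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <ctype.h>
+# endif
+# include <sys/errno.h>
+# include <sys/types.h>
+# include <sys/param.h>
+# include <sys/file.h>
+# if __FreeBSD_version >= 220000 && defined(_KERNEL)
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+# else
+# include <sys/ioctl.h>
+# endif
+# include <sys/time.h>
+# ifdef _KERNEL
+# include <sys/systm.h>
+# endif
+# include <sys/uio.h>
+# if !SOLARIS
+# if NetBSD > 199609
+# include <sys/dirent.h>
+# else
+# include <sys/dir.h>
+# endif
+# include <sys/mbuf.h>
+# else
+# include <sys/filio.h>
+# include <sys/cred.h>
+# include <sys/ddi.h>
+# include <sys/sunddi.h>
+# include <sys/ksynch.h>
+# include <sys/kmem.h>
+# include <sys/mkdev.h>
+# include <sys/dditypes.h>
+# include <sys/cmn_err.h>
+# endif
+# include <sys/protosw.h>
+# include <sys/socket.h>
+
+# include <net/if.h>
+# ifdef sun
+# include <net/af.h>
+# endif
+# if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+# endif
+# include <net/route.h>
+# include <netinet/in.h>
+# include <netinet/in_var.h>
+# include <netinet/in_systm.h>
+# include <netinet/ip.h>
+# include <netinet/ip_var.h>
+# include <netinet/tcp.h>
+# include <netinet/udp.h>
+# include <netinet/tcpip.h>
+# include <netinet/ip_icmp.h>
+# ifndef _KERNEL
+# include <syslog.h>
+# endif
+# include "netinet/ip_compat.h"
+# include "netinet/ip_fil.h"
+# include "netinet/ip_proxy.h"
+# include "netinet/ip_nat.h"
+# include "netinet/ip_frag.h"
+# include "netinet/ip_state.h"
+# include "netinet/ip_auth.h"
+# ifndef MIN
+# define MIN(a,b) (((a)<(b))?(a):(b))
+# endif
+
+
+#if SOLARIS
+extern kmutex_t ipl_mutex;
+extern kcondvar_t iplwait;
+#endif
+
+iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
+int iplused[IPL_LOGMAX+1];
+u_long iplcrc[IPL_LOGMAX+1];
+u_long iplcrcinit;
+
+
+/*
+* Initialise log buffers & pointers. Also iniialised the CRC to a local
+* secret for use in calculating the "last log checksum".
+*/
+void ipflog_init()
+{
+struct timeval tv;
+int i;
+
+for (i = IPL_LOGMAX; i >= 0; i--) {
+iplt[i] = NULL;
+iplh[i] = &iplt[i];
+iplused[i] = 0;
+}
+# if BSD >= 199306 || defined(__FreeBSD__)
+microtime(&tv);
+# else
+uniqtime(&tv);
+# endif
+iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec;
+}
+
+
+/*
+* ipflog
+* Create a log record for a packet given that it has been triggered by a
+* rule (or the default setting). Calculate the transport protocol header
+* size using predetermined size of a couple of popular protocols and thus
+* how much data to copy into the log, including part of the data body if
+* requested.
+*/
+int ipflog(flags, ip, fin, m)
+u_int flags;
+ip_t *ip;
+fr_info_t *fin;
+mb_t *m;
+{
+ipflog_t ipfl;
+register int mlen, hlen;
+u_long crc;
+size_t sizes[2];
+void *ptrs[2];
+int types[2];
+# if SOLARIS
+ill_t *ifp = fin->fin_ifp;
+# else
+struct ifnet *ifp = fin->fin_ifp;
+# endif
+
+/*
+* calculate header size.
+*/
+hlen = fin->fin_hlen;
+if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
+hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
+else if (ip->ip_p == IPPROTO_ICMP) {
+struct icmp *icmp = (struct icmp *)((char *)ip + hlen);
+
+/*
+* For ICMP, if the packet is an error packet, also include
+* the information about the packet which caused the error.
+*/
+switch (icmp->icmp_type)
+{
+case ICMP_UNREACH :
+case ICMP_SOURCEQUENCH :
+case ICMP_REDIRECT :
+case ICMP_TIMXCEED :
+case ICMP_PARAMPROB :
+hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
+break;
+default :
+hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
+break;
+}
+}
+/*
+* Get the interface number and name to which this packet is
+* currently associated.
+*/
+# if SOLARIS
+ipfl.fl_unit = (u_char)ifp->ill_ppa;
+bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4));
+mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
+# else
+# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
+strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
+# else
+ipfl.fl_unit = (u_char)ifp->if_unit;
+if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
+if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
+if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
+ipfl.fl_ifname[3] = ifp->if_name[3];
+# endif
+mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
+# endif
+ipfl.fl_plen = (u_char)mlen;
+ipfl.fl_hlen = (u_char)hlen;
+ipfl.fl_rule = fin->fin_rule;
+ipfl.fl_flags = flags;
+ptrs[0] = (void *)&ipfl;
+sizes[0] = sizeof(ipfl);
+types[0] = 0;
+#if SOLARIS
+/*
+* Are we copied from the mblk or an aligned array ?
+*/
+if (ip == (ip_t *)m->b_rptr) {
+ptrs[1] = m;
+sizes[1] = hlen + mlen;
+types[1] = 1;
+} else {
+ptrs[1] = ip;
+sizes[1] = hlen + mlen;
+types[1] = 0;
+}
+#else
+ptrs[1] = m;
+sizes[1] = hlen + mlen;
+types[1] = 1;
+#endif
+crc = (ipf_cksum((u_short *)fin, FI_CSIZE) << 8) + iplcrcinit;
+return ipllog(IPL_LOGIPF, crc, ptrs, sizes, types, 2);
+}
+
+
+/*
+* ipllog
+*/
+int ipllog(dev, crc, items, itemsz, types, cnt)
+int dev;
+u_long crc;
+void **items;
+size_t *itemsz;
+int *types, cnt;
+{
+iplog_t *ipl;
+caddr_t buf, s;
+int len, i;
+
+/*
+* Check to see if this log record has a CRC which matches the last
+* record logged. If it does, just up the count on the previous one
+* rather than create a new one.
+*/
+if (crc) {
+MUTEX_ENTER(&ipl_mutex);
+if ((iplcrc[dev] == crc) && *iplh[dev]) {
+(*iplh[dev])->ipl_count++;
+MUTEX_EXIT(&ipl_mutex);
+return 1;
+}
+iplcrc[dev] = crc;
+MUTEX_EXIT(&ipl_mutex);
+}
+
+/*
+* Get the total amount of data to be logged.
+*/
+for (i = 0, len = sizeof(iplog_t); i < cnt; i++)
+len += itemsz[i];
+
+/*
+* check that we have space to record this information and can
+* allocate that much.
+*/
+KMALLOC(buf, caddr_t, len);
+if (!buf)
+return 0;
+MUTEX_ENTER(&ipl_mutex);
+if ((iplused[dev] + len) > IPLLOGSIZE) {
+MUTEX_EXIT(&ipl_mutex);
+KFREES(buf, len);
+return 0;
+}
+iplused[dev] += len;
+MUTEX_EXIT(&ipl_mutex);
+
+/*
+* advance the log pointer to the next empty record and deduct the
+* amount of space we're going to use.
+*/
+ipl = (iplog_t *)buf;
+ipl->ipl_count = 1;
+ipl->ipl_next = NULL;
+ipl->ipl_dsize = len;
+# if SOLARIS
+uniqtime((struct timeval *)&ipl->ipl_sec);
+# else
+# ifdef sun
+uniqtime((struct timeval *)&ipl->ipl_sec);
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+microtime((struct timeval *)&ipl->ipl_sec);
+# endif
+# endif
+
+/*
+* Loop through all the items to be logged, copying each one to the
+* buffer. Use bcopy for normal data or the mb_t copyout routine.
+*/
+for (i = 0, s = buf + sizeof(*ipl); i < cnt; i++) {
+if (types[i] == 0)
+bcopy(items[i], s, itemsz[i]);
+else if (types[i] == 1) {
+# if SOLARIS
+copyout_mblk(items[i], 0, itemsz[i], s);
+# else
+m_copydata(items[i], 0, itemsz[i], s);
+# endif
+}
+s += itemsz[i];
+}
+MUTEX_ENTER(&ipl_mutex);
+*iplh[dev] = ipl;
+iplh[dev] = &ipl->ipl_next;
+# if SOLARIS
+cv_signal(&iplwait);
+mutex_exit(&ipl_mutex);
+# else
+wakeup(iplh[dev]);
+# endif
+return 1;
+}
+
+
+int ipflog_read(unit, uio)
+int unit;
+struct uio *uio;
+{
+iplog_t *ipl;
+int error = 0, dlen;
+# if defined(_KERNEL) && !SOLARIS
+int s;
+# endif
+
+/*
+* Sanity checks. Make sure the minor # is valid and we're copying
+* a valid chunk of data.
+*/
+if ((IPL_LOGMAX < unit) || (unit < 0))
+return ENXIO;
+if (!uio->uio_resid)
+return 0;
+if ((uio->uio_resid < sizeof(iplog_t)) ||
+(uio->uio_resid > IPLLOGSIZE))
+return EINVAL;
+
+/*
+* Lock the log so we can snapshot the variables. Wait for a signal
+* if the log is empty.
+*/
+SPLNET(s);
+MUTEX_ENTER(&ipl_mutex);
+
+# if SOLARIS && defined(_KERNEL)
+while (!iplused[unit])
+if (!cv_wait_sig(&iplwait, &ipl_mutex)) {
+MUTEX_EXIT(&ipl_mutex);
+return EINTR;
+}
+# else
+while (!iplused[unit]) {
+SPLX(s);
+error = SLEEP(iplh[unit], "ipl sleep");
+if (error)
+return error;
+SPLNET(s);
+}
+# endif
+
+# if BSD >= 199306 || defined(__FreeBSD__)
+uio->uio_rw = UIO_READ;
+# endif
+
+while ((ipl = iplt[unit])) {
+dlen = ipl->ipl_dsize;
+if (dlen + sizeof(iplog_t) > uio->uio_resid)
+break;
+/*
+* Don't hold the mutex over the uiomove call.
+*/
+iplt[unit] = ipl->ipl_next;
+MUTEX_EXIT(&ipl_mutex);
+SPLX(s);
+error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio);
+KFREES((caddr_t)ipl, ipl->ipl_dsize);
+if (error)
+break;
+SPLNET(s);
+MUTEX_ENTER(&ipl_mutex);
+iplused[unit] -= dlen;
+}
+if (!ipl)
+iplh[unit] = &iplt[unit];
+
+if (!error) {
+MUTEX_EXIT(&ipl_mutex);
+SPLX(s);
+}
+return error;
+}
+
+
+int ipflog_clear(unit)
+int unit;
+{
+iplog_t *ipl;
+int used;
+
+while ((ipl = iplt[unit])) {
+iplt[unit] = ipl->ipl_next;
+KFREES((caddr_t)ipl, ipl->ipl_dsize);
+}
+iplh[unit] = &iplt[unit];
+used = iplused[unit];
+iplused[unit] = 0;
+iplcrc[unit] = 0;
+return used;
+}
+#endif /* IPFILTER_LOG */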
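Review bot: On the NetBSD branch of ipflog() (`# if (defined(NetBSD) ...`), `strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);` copies IFNAMSIZ bytes into fl_ifname, while the Solaris branch (`MIN(ifp->ill_name_length, 4)`) and the generic branch (four single-byte assignments) copy at most 4 bytes into the same field, which suggests fl_ifname is 4 bytes wide; if IFNAMSIZ is larger, the copy overruns `ipfl` on the kernel stack (ipflog_t is declared in a header not in this commit, so confirm the field size). That branch also never assigns `ipfl.fl_unit`, and `ipfl` is never zeroed, so uninitialized stack bytes are bcopy'd into the log record by ipllog() and later handed to userspace by UIOMOVE() in ipflog_read(); bounding the copy with `strncpy(ipfl.fl_ifname, ifp->if_xname, sizeof(ipfl.fl_ifname));` and opening ipflog() with `bzero((char *)&ipfl, sizeof(ipfl));` closes both. In ipflog_read(), a UIOMOVE() failure reaches `if (error) break;` after the record has been unlinked and freed but before `iplused[unit] -= dlen;`, so every failed read permanently loses dlen bytes of the IPLLOGSIZE budget and ipllog() eventually rejects all new records for that unit. Moving `iplused[unit] -= dlen;` up next to `iplt[unit] = ipl->ipl_next;`, while the mutex is still held, keeps the accounting correct on both paths.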
@ -2,7 +2,8 @@
|
||||
.SH NAME
|
||||
ipf \- packet filtering kernel interface
|
||||
.SH SYNOPSIS
|
||||
#include <sys/ip_fil.h>
|
||||
#include <netinet/ip_compat.h>
|
||||
#include <netinet/ip_fil.h>
|
||||
.SH IOCTLS
|
||||
.PP
|
||||
To add and delete rules to the filter list, three 'basic' ioctls are provided
|
||||
@ -41,10 +42,17 @@ which it is inserted is stored in the "fr_hits" field, below.
|
||||
.nf
|
||||
typedef struct frentry {
|
||||
struct frentry *fr_next;
|
||||
u_short fr_group; /* group to which this rule belongs */
|
||||
u_short fr_head; /* group # which this rule starts */
|
||||
struct frentry *fr_grp;
|
||||
int fr_ref; /* reference count - for grouping */
|
||||
struct ifnet *fr_ifa;
|
||||
u_long fr_hits;
|
||||
u_long fr_bytes; /* this is only incremented when a packet */
|
||||
/* stops matching on this rule */
|
||||
/*
|
||||
* These are only incremented when a packet matches this rule and
|
||||
* it is the last match
|
||||
*/
|
||||
U_QUAD_T fr_hits;
|
||||
U_QUAD_T fr_bytes;
|
||||
/*
|
||||
* Fields after this may not change whilst in the kernel.
|
||||
*/
|
||||
@ -64,6 +72,7 @@ typedef struct frentry {
|
||||
u_short fr_stop; /* top port for <> and >< */
|
||||
u_short fr_dtop; /* top port for <> and >< */
|
||||
u_long fr_flags; /* per-rule flags && options (see below) */
|
||||
int fr_skip; /* # of rules to skip */
|
||||
int (*fr_func)(); /* call this function */
|
||||
char fr_icode; /* return ICMP code */
|
||||
char fr_ifname[IFNAMSIZ];
|
||||
@ -81,26 +90,31 @@ be put in the "fr_hits" field (the first rule is number 0).
|
||||
Flags which are recognised in fr_pass:
|
||||
.nf
|
||||
|
||||
FR_BLOCK 0x00001 /* do not allow packet to pass */
|
||||
FR_PASS 0x00002 /* allow packet to pass */
|
||||
FR_OUTQUE 0x00004 /* outgoing packets */
|
||||
FR_INQUE 0x00008 /* ingoing packets */
|
||||
FR_LOG 0x00010 /* Log */
|
||||
FR_LOGP 0x00011 /* Log-pass */
|
||||
FR_LOGB 0x00012 /* Log-fail */
|
||||
FR_LOGBODY 0x00020 /* log the body of packets too */
|
||||
FR_LOGFIRST 0x00040 /* log only the first packet to match */
|
||||
FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
|
||||
FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
|
||||
FR_NOMATCH 0x00200 /* no match occured */
|
||||
FR_ACCOUNT 0x00400 /* count packet bytes */
|
||||
FR_KEEPFRAG 0x00800
|
||||
FR_KEEPSTATE 0x01000 /* keep packet flow state information */
|
||||
FR_INACTIVE 0x02000
|
||||
FR_QUICK 0x04000 /* quick-match and return */
|
||||
FR_FASTROUTE 0x08000
|
||||
FR_CALLNOW 0x10000
|
||||
FR_DUP 0x20000 /* duplicate the packet (not Solaris2)
|
||||
FR_BLOCK 0x000001 /* do not allow packet to pass */
|
||||
FR_PASS 0x000002 /* allow packet to pass */
|
||||
FR_OUTQUE 0x000004 /* outgoing packets */
|
||||
FR_INQUE 0x000008 /* ingoing packets */
|
||||
FR_LOG 0x000010 /* Log */
|
||||
FR_LOGP 0x000011 /* Log-pass */
|
||||
FR_LOGB 0x000012 /* Log-fail */
|
||||
FR_LOGBODY 0x000020 /* log the body of packets too */
|
||||
FR_LOGFIRST 0x000040 /* log only the first packet to match */
|
||||
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
|
||||
FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
|
||||
FR_NOMATCH 0x000200 /* no match occured */
|
||||
FR_ACCOUNT 0x000400 /* count packet bytes */
|
||||
FR_KEEPFRAG 0x000800 /* keep fragment information */
|
||||
FR_KEEPSTATE 0x001000 /* keep `connection' state information */
|
||||
FR_INACTIVE 0x002000
|
||||
FR_QUICK 0x004000 /* match & stop processing list */
|
||||
FR_FASTROUTE 0x008000 /* bypass normal routing */
|
||||
FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
|
||||
FR_DUP 0x020000 /* duplicate the packet */
|
||||
FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
|
||||
FR_NOTSRCIP 0x080000 /* not the src IP# */
|
||||
FR_NOTDSTIP 0x100000 /* not the dst IP# */
|
||||
FR_AUTH 0x200000 /* use authentication */
|
||||
FR_PREAUTH 0x400000 /* require preauthentication */
|
||||
|
||||
.fi
|
||||
.PP
|
||||
@ -134,8 +148,10 @@ Takes an unsigned integer as the parameter. The flags are then set to
|
||||
those provided (clearing/setting all in one).
|
||||
.nf
|
||||
|
||||
FF_LOGPASS 1
|
||||
FF_LOGBLOCK 2
|
||||
FF_LOGPASS 0x10000000
|
||||
FF_LOGBLOCK 0x20000000
|
||||
FF_LOGNOMATCH 0x40000000
|
||||
FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
|
||||
.fi
|
||||
.IP SIOCGETFF 16
|
||||
Takes a pointer to an unsigned integer as the parameter. A copy of the
|
||||
@ -149,10 +165,14 @@ through the kernel. To retrieve this structure, use this ioctl:
|
||||
|
||||
ioctl(fd, SIOCGETFS, struct friostat *)
|
||||
|
||||
struct friostat {
|
||||
struct filterstats f_st[2];
|
||||
struct frentry *f_fin;
|
||||
struct frentry *f_fout;
|
||||
struct friostat {
|
||||
struct filterstats f_st[2];
|
||||
struct frentry *f_fin[2];
|
||||
struct frentry *f_fout[2];
|
||||
struct frentry *f_acctin[2];
|
||||
struct frentry *f_acctout[2];
|
||||
struct frentry *f_auth;
|
||||
int f_active;
|
||||
};
|
||||
|
||||
struct filterstats {
|
||||
@ -172,6 +192,7 @@ struct filterstats {
|
||||
u_long fr_bads; /* bad attempts to allocate packet state */
|
||||
u_long fr_ads; /* new packet state kept */
|
||||
u_long fr_chit; /* cached hit */
|
||||
u_long fr_pull[2]; /* good and bad pullup attempts */
|
||||
#if SOLARIS
|
||||
u_long fr_bad; /* bad IP packets to the filter */
|
||||
u_long fr_notip; /* packets passed through no on ip queue */
|
||||
|
@ -18,28 +18,26 @@ The format used by \fBipf\fP for construction of filtering rules can be
|
||||
described using the following grammar in BNF:
|
||||
\fC
|
||||
.nf
|
||||
filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
|
||||
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
|
||||
[ proto ] [ ip ] [ group ].
|
||||
|
||||
insert = "@" decnumber .
|
||||
action = block | "pass" | log | "count" | skip | "auth" | "preauth" | call .
|
||||
action = block | "pass" | log | "count" | skip | auth | call .
|
||||
in-out = "in" | "out" .
|
||||
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
|
||||
match = [ tos ] [ ttl ] [ proto ] [ ip ] .
|
||||
keep = "keep state" | "keep frags" .
|
||||
tos = "tos" decnumber | "tos" hexnumber .
|
||||
ttl = "ttl" decnumber .
|
||||
proto = "proto" protocol .
|
||||
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
||||
group = [ "head" decnumber ] [ "group" decnumber ] .
|
||||
|
||||
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
|
||||
call = "call" [ "now" ] function-name .
|
||||
auth = "auth" | "preauth" .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
|
||||
call = "call" [ "now" ] function-name .
|
||||
skip = "skip" decnumber .
|
||||
|
||||
dup = "dup-to" interface-name[":"ipaddr] .
|
||||
dup = "dup-to" interface-name[":"ipaddr] .
|
||||
froute = "fastroute" | "to" interface-name .
|
||||
|
||||
tos = "tos" decnumber | "tos" hexnumber .
|
||||
ttl = "ttl" decnumber .
|
||||
proto = "proto" protocol .
|
||||
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
||||
|
||||
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
|
||||
srcdst = "all" | fromto .
|
||||
fromto = "from" object "to" object .
|
||||
@ -48,11 +46,11 @@ object = addr [ port-comp | port-range ] .
|
||||
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
|
||||
port-comp = "port" compare port-num .
|
||||
port-range = "port" port-num range port-num .
|
||||
|
||||
flags = "flags" flag { flag } [ "/" flag { flag } ] .
|
||||
with = "with" | "and" .
|
||||
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
|
||||
return-code = "("icmp-code")" .
|
||||
keep = "keep" "state" | "keep" "frags" .
|
||||
|
||||
nummask = host-name [ "/" decnumber ] .
|
||||
host-name = ipaddr | hostname | "any" .
|
||||
@ -73,16 +71,16 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
|
||||
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
|
||||
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
|
||||
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
|
||||
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
|
||||
"sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
|
||||
"visa" | "imitd" | "eip" | "finn" .
|
||||
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
|
||||
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
|
||||
"addext" | "visa" | "imitd" | "eip" | "finn" .
|
||||
|
||||
hexnumber = "0" "x" hexstring .
|
||||
hexstring = hexdigit [ hexstring ] .
|
||||
decnumber = digit [ decnumber ] .
|
||||
|
||||
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
|
||||
"le" | "ge" .
|
||||
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
|
||||
"gt" | "le" | "ge" .
|
||||
range = "<>" | "><" .
|
||||
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
|
||||
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
|
||||
@ -95,19 +93,10 @@ not make sense (such as tcp \fBflags\fP for non-TCP packets).
|
||||
.SH FILTER RULES
|
||||
.PP
|
||||
The "briefest" valid rules are (currently) no-ops and are of the form:
|
||||
.nf
|
||||
block in
|
||||
pass in
|
||||
log in
|
||||
count in
|
||||
.fi
|
||||
.PP
|
||||
These are supposed to be the same as, but currently differ from:
|
||||
.\" XXX How, why do they differ??
|
||||
.nf
|
||||
block in all
|
||||
pass in from any to any
|
||||
log in all
|
||||
pass in all
|
||||
log out all
|
||||
count in all
|
||||
.fi
|
||||
.PP
|
||||
@ -154,6 +143,12 @@ must conform to a specific calling interface. Customised actions and
|
||||
semantics can thus be implemented to supplement those available. This
|
||||
feature is for use by knowledgeable hackers, and is not currently
|
||||
documented.
|
||||
.TP
|
||||
.B "skip <n>"
|
||||
.TP
|
||||
.B auth
|
||||
.TP
|
||||
.B preauth
|
||||
.PP
|
||||
The next word must be either \fBin\fP or \fBout\fP. Each packet
|
||||
moving through the kernel is either inbound (just been received on an
|
||||
@ -222,7 +217,6 @@ packets with different Type-Of-Service values can be filtered.
|
||||
Individual service levels or combinations can be filtered upon. The
|
||||
value for the TOS mask can either be represented as a hex number or a
|
||||
decimal integer value.
|
||||
.\" XXX TOS mask?? not in grammar!
|
||||
.TP
|
||||
.B ttl
|
||||
packets may also be selected by their Time-To-Live value. The value given in
|
||||
@ -357,8 +351,9 @@ with which they are associated can be used. The most important from
|
||||
a security point of view is the ICMP redirect.
|
||||
.SH KEEP HISTORY
|
||||
.PP
|
||||
The last parameter which can be set for a filter rule is whether on not to
|
||||
record historical information for that packet, and what sort to keep. The following information can be kept:
|
||||
The second last parameter which can be set for a filter rule is whether on not
|
||||
to record historical information for that packet, and what sort to keep. The
|
||||
following information can be kept:
|
||||
.TP
|
||||
.B state
|
||||
keeps information about the flow of a communication session. State can
|
||||
@ -370,6 +365,23 @@ fragments.
|
||||
.PP
|
||||
allowing packets which match these to flow straight through, rather
|
||||
than going through the access control list.
|
||||
.SH GROUPS
|
||||
The last pair of parameters control filter rule "grouping". By default, all
|
||||
filter rules are placed in group 0 if no other group is specified. To add a
|
||||
rule to a non-default group, the group must first be started by creating a
|
||||
group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
|
||||
group, the filter processing then switches to the group, using that rule as
|
||||
the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
|
||||
processing isn't stopped until it has returned from processing the group.
|
||||
.PP
|
||||
A rule may be both the head for a new group and a member of a non-default
|
||||
group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
|
||||
.TP
|
||||
.B "head <n>"
|
||||
indicates that a new group (number n) should be created.
|
||||
.TP
|
||||
.B "group <n>"
|
||||
indicates that the rule should be put in group (number n) rather than group 0.
|
||||
.SH LOGGING
|
||||
.PP
|
||||
When a packet is logged, with either the \fBlog\fP action or option,
|
||||
@ -428,7 +440,42 @@ rule such as:
|
||||
pass in quick from any to any port < 1024
|
||||
.fi
|
||||
.PP
|
||||
would be needed before the first block.
|
||||
would be needed before the first block. To create a new group for
|
||||
processing all inbould packets on le0/le1/lo0, with the default being to block
|
||||
all inbound packets, we would do something like:
|
||||
.LP
|
||||
.nf
|
||||
block in all
|
||||
block in on le0 quick all head 100
|
||||
block in on le1 quick all head 200
|
||||
block in on lo0 quick all head 300
|
||||
.fi
|
||||
.PP
|
||||
|
||||
and to then allow ICMP packets in on le0, only, we would do:
|
||||
.LP
|
||||
.nf
|
||||
pass in proto icmp all group 100
|
||||
.fi
|
||||
.PP
|
||||
Note that because only inbound packets on le0 are used processed by group 100,
|
||||
there is no need to respecify the interface name. Likewise, we could further
|
||||
breakup processing of TCP, etc, as follows:
|
||||
.LP
|
||||
.nf
|
||||
block in proto tcp all head 110 group 100
|
||||
pass in from any to any port = 23 group 110
|
||||
.fi
|
||||
.PP
|
||||
and so on. The last line, if written without the groups would be:
|
||||
.LP
|
||||
.nf
|
||||
pass in on le0 proto tcp from any to any port = telnet
|
||||
.fi
|
||||
.PP
|
||||
Note, that if we wanted to say "port = telnet", "proto tcp" would
|
||||
need to be specified as the parser interprets each rule on its own and
|
||||
qualifies all service/port names with the protocol specified.
|
||||
.SH FILES
|
||||
/etc/services
|
||||
.br
|
||||
|
@ -87,8 +87,8 @@ recognised as IP packets. They will be printed out on the console.
|
||||
Turn verbose mode on. Displays information relating to rule processing.
|
||||
.TP
|
||||
.B \-y
|
||||
(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
|
||||
by IP Filter with the current interface status list.
|
||||
Manually resync the in-kernel interface list maintained by IP Filter with
|
||||
the current interface status list.
|
||||
.TP
|
||||
.B \-z
|
||||
For each rule in the input file, reset the statistics for it to zero and
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipf.h,v 1.1.1.5 1997/07/05 05:12:40 darrenr Exp $ */
|
||||
/* $NetBSD: ipf.h,v 1.1.1.6 1997/09/21 16:47:51 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993-1997 by Darren Reed.
|
||||
@ -8,7 +8,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ipf.h 1.12 6/5/96
|
||||
* $Id: ipf.h,v 1.1.1.5 1997/07/05 05:12:40 darrenr Exp $
|
||||
* Id: ipf.h,v 2.0.2.9 1997/08/26 12:52:46 darrenr Exp
|
||||
*/
|
||||
|
||||
#ifndef __IPF_H__
|
||||
@ -36,6 +36,7 @@
|
||||
#define OPT_ZERORULEST 0x10000
|
||||
#define OPT_SAVEOUT 0x20000
|
||||
#define OPT_AUTHSTATS 0x40000
|
||||
#define OPT_RAW 0x80000
|
||||
|
||||
#ifndef __P
|
||||
# ifdef __STDC__
|
||||
@ -60,7 +61,7 @@ struct ipopt_names {
|
||||
};
|
||||
|
||||
|
||||
extern u_32_t buildopts __P((char *, char *));
|
||||
extern u_32_t buildopts __P((char *, char *, int));
|
||||
extern u_32_t hostnum __P((char *, int *));
|
||||
extern u_32_t optname __P((char ***, u_short *));
|
||||
extern void printpacket __P((struct ip *));
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: opt.c,v 1.1.1.5 1997/07/05 05:12:39 darrenr Exp $ */
|
||||
/* $NetBSD: opt.c,v 1.1.1.6 1997/09/21 16:47:50 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
@ -9,6 +9,7 @@
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
@ -19,12 +20,13 @@
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/ip_compat.h>
|
||||
#include "ipf.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: opt.c,v 1.1.1.5 1997/07/05 05:12:39 darrenr Exp $";
|
||||
static char rcsid[] = "Id: opt.c,v 2.0.2.7 1997/09/10 13:08:23 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
@ -65,7 +67,9 @@ struct ipopt_names secclass[] = {
|
||||
{ 0, 0, 0, NULL } /* must be last */
|
||||
};
|
||||
|
||||
|
||||
static u_char seclevel __P((char *));
|
||||
int addipopt __P((char *, struct ipopt_names *, int, char *));
|
||||
|
||||
static u_char seclevel(slevel)
|
||||
char *slevel;
|
||||
@ -84,14 +88,70 @@ char *slevel;
|
||||
}
|
||||
|
||||
|
||||
u_32_t buildopts(cp, op)
|
||||
int addipopt(op, io, len, class)
|
||||
char *op;
|
||||
struct ipopt_names *io;
|
||||
int len;
|
||||
char *class;
|
||||
{
|
||||
int olen = len;
|
||||
struct in_addr ipadr;
|
||||
u_short val;
|
||||
u_char lvl;
|
||||
char *s;
|
||||
|
||||
if ((len + io->on_siz) > 48) {
|
||||
fprintf(stderr, "options too long\n");
|
||||
return 0;
|
||||
}
|
||||
len += io->on_siz;
|
||||
*op++ = io->on_value;
|
||||
if (io->on_siz > 1) {
|
||||
s = op;
|
||||
*op++ = io->on_siz;
|
||||
*op++ = IPOPT_MINOFF;
|
||||
|
||||
if (class) {
|
||||
switch (io->on_value)
|
||||
{
|
||||
case IPOPT_SECURITY :
|
||||
lvl = seclevel(class);
|
||||
*(op - 1) = lvl;
|
||||
break;
|
||||
case IPOPT_LSRR :
|
||||
case IPOPT_SSRR :
|
||||
ipadr.s_addr = inet_addr(class);
|
||||
s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
|
||||
bcopy((char *)&ipadr, op, sizeof(ipadr));
|
||||
break;
|
||||
case IPOPT_SATID :
|
||||
val = atoi(class);
|
||||
bcopy((char *)&val, op, 2);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
op += io->on_siz - 3;
|
||||
if (len & 3) {
|
||||
*op++ = IPOPT_NOP;
|
||||
len++;
|
||||
}
|
||||
}
|
||||
if (opts & OPT_DEBUG)
|
||||
fprintf(stderr, "bo: %s %d %#x: %d\n",
|
||||
io->on_name, io->on_value, io->on_bit, len);
|
||||
return len - olen;
|
||||
}
|
||||
|
||||
|
||||
u_32_t buildopts(cp, op, len)
|
||||
char *cp, *op;
|
||||
int len;
|
||||
{
|
||||
struct ipopt_names *io;
|
||||
u_char lvl;
|
||||
u_32_t msk = 0;
|
||||
char *s, *t;
|
||||
int len = 0;
|
||||
int inc;
|
||||
|
||||
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
|
||||
if ((t = strchr(s, '=')))
|
||||
@ -99,30 +159,10 @@ char *cp, *op;
|
||||
for (io = ionames; io->on_name; io++) {
|
||||
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
|
||||
continue;
|
||||
if ((len + io->on_siz) > 48) {
|
||||
fprintf(stderr, "options too long\n");
|
||||
return 0;
|
||||
if ((inc = addipopt(op, io, len, t))) {
|
||||
op += inc;
|
||||
len += inc;
|
||||
}
|
||||
len += io->on_siz;
|
||||
*op++ = io->on_value;
|
||||
if (io->on_siz > 1) {
|
||||
*op++ = io->on_siz;
|
||||
*op++ = IPOPT_MINOFF;
|
||||
|
||||
if (t && !strcasecmp(s, "sec-class")) {
|
||||
lvl = seclevel(t);
|
||||
*(op - 1) = lvl;
|
||||
}
|
||||
op += io->on_siz - 3;
|
||||
if (len & 3) {
|
||||
*op++ = IPOPT_NOP;
|
||||
len++;
|
||||
}
|
||||
}
|
||||
if (opts & OPT_DEBUG)
|
||||
fprintf(stderr, "bo: %s %d %#x: %d\n",
|
||||
io->on_name, io->on_value,
|
||||
io->on_bit, len);
|
||||
msk |= io->on_bit;
|
||||
break;
|
||||
}
|
||||
|
@ -4,7 +4,7 @@ ipfstat \- reports on packet filter statistics and filter list
|
||||
.SH SYNOPSIS
|
||||
.B ipfstat
|
||||
[
|
||||
.B \-hIinov
|
||||
.B \-aAfhIinosv
|
||||
] [
|
||||
.B \-d
|
||||
<device>
|
||||
@ -24,6 +24,9 @@ accumulated over time as the kernel has put packets through the filter.
|
||||
.B \-a
|
||||
Display the accounting filter list and show bytes counted against each rule.
|
||||
.TP
|
||||
.B \-A
|
||||
Display packet authentication statistics.
|
||||
.TP
|
||||
.BR \-d \0<device>
|
||||
Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
|
||||
.TP
|
||||
@ -68,6 +71,6 @@ kernel.
|
||||
.br
|
||||
/vmunix
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipfstat(1)
|
||||
ipf(1)
|
||||
.SH BUGS
|
||||
none known.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: kmem.c,v 1.1.1.5 1997/07/05 05:12:43 darrenr Exp $ */
|
||||
/* $NetBSD: kmem.c,v 1.1.1.6 1997/09/21 16:47:59 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
@ -22,7 +22,7 @@
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
|
||||
static char rcsid[] = "$Id: kmem.c,v 1.1.1.5 1997/07/05 05:12:43 darrenr Exp $";
|
||||
static char rcsid[] = "Id: kmem.c,v 2.0.2.3 1997/03/10 08:10:37 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
static int kmemfd = -1;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: kmem.h,v 1.1.1.5 1997/07/05 05:12:44 darrenr Exp $ */
|
||||
/* $NetBSD: kmem.h,v 1.1.1.6 1997/09/21 16:48:00 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993-1997 by Darren Reed.
|
||||
@ -6,7 +6,7 @@
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
* $Id: kmem.h,v 1.1.1.5 1997/07/05 05:12:44 darrenr Exp $
|
||||
* Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp
|
||||
*/
|
||||
|
||||
#ifndef __KMEM_H__
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipft_ef.c,v 1.1.1.5 1997/07/05 05:12:48 darrenr Exp $ */
|
||||
/* $NetBSD: ipft_ef.c,v 1.1.1.6 1997/09/21 16:48:07 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
@ -51,7 +51,7 @@ etherfind -n -t
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_ef.c,v 1.1.1.5 1997/07/05 05:12:48 darrenr Exp $";
|
||||
static char rcsid[] = "Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
static int etherf_open __P((char *));
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipft_hx.c,v 1.1.1.5 1997/07/05 05:13:01 darrenr Exp $ */
|
||||
/* $NetBSD: ipft_hx.c,v 1.1.1.6 1997/09/21 16:48:13 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
@ -42,7 +42,7 @@
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_hx.c,v 1.1.1.5 1997/07/05 05:13:01 darrenr Exp $";
|
||||
static char rcsid[] = "Id: ipft_hx.c,v 2.0.2.5 1997/07/20 11:10:32 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
@ -113,19 +113,24 @@ int cnt, *dir;
|
||||
* interpret start of line as possibly "[ifname]" or
|
||||
* "[in/out,ifname]".
|
||||
*/
|
||||
*ifn = NULL;
|
||||
*dir = 0;
|
||||
if (ifn)
|
||||
*ifn = NULL;
|
||||
if (dir)
|
||||
*dir = 0;
|
||||
if ((*buf == '[') && (s = index(line, ']'))) {
|
||||
t = buf + 1;
|
||||
if (t - s > 0) {
|
||||
if ((u = index(t, ',')) && (u < s)) {
|
||||
u++;
|
||||
*ifn = u;
|
||||
if (*t == 'i')
|
||||
*dir = 0;
|
||||
else if (*t == 'o')
|
||||
*dir = 1;
|
||||
} else
|
||||
if (ifn)
|
||||
*ifn = u;
|
||||
if (dir) {
|
||||
if (*t == 'i')
|
||||
*dir = 0;
|
||||
else if (*t == 'o')
|
||||
*dir = 1;
|
||||
}
|
||||
} else if (ifn)
|
||||
*ifn = t;
|
||||
*s++ = '\0';
|
||||
}
|
||||
|
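Review bot: In the rewritten direction parse, a tag whose first character is neither 'i' nor 'o' leaves `*dir` at the 0 it was initialised to a few lines earlier, so a typo such as `[x,le0]` is silently treated as inbound and is indistinguishable from an explicit `in`; a final `else` that reports the bad tag (or returns a parse failure to the caller) would make this an error rather than a default. The guard `if (t - s > 0)` above it also reads oddly: `t` is `buf + 1` while `s` is the `]` found in `line`, and if those are the same buffer `s` can never lie before `t`, so the whole branch would be dead — worth confirming against the declarations above the hunk. The enclosing function starts and ends outside the hunk.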
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipft_pc.c,v 1.1.1.5 1997/07/05 05:12:50 darrenr Exp $ */
|
||||
/* $NetBSD: ipft_pc.c,v 1.1.1.6 1997/09/21 16:48:09 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
@ -33,7 +33,7 @@
|
||||
#include "pcap.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char rcsid[] = "$Id: ipft_pc.c,v 1.1.1.5 1997/07/05 05:12:50 darrenr Exp $";
|
||||
static char rcsid[] = "Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
struct llc {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipft_sn.c,v 1.1.1.5 1997/07/05 05:12:47 darrenr Exp $ */
|
||||
/* $NetBSD: ipft_sn.c,v 1.1.1.6 1997/09/21 16:48:06 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
@ -37,7 +37,7 @@
|
||||
#include "snoop.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char rcsid[] = "$Id: ipft_sn.c,v 1.1.1.5 1997/07/05 05:12:47 darrenr Exp $";
|
||||
static char rcsid[] = "Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
struct llc {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipft_td.c,v 1.1.1.5 1997/07/05 05:12:49 darrenr Exp $ */
|
||||
/* $NetBSD: ipft_td.c,v 1.1.1.6 1997/09/21 16:48:08 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
@ -60,7 +60,7 @@ tcpdump -nqte
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_td.c,v 1.1.1.5 1997/07/05 05:12:49 darrenr Exp $";
|
||||
static char rcsid[] = "Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
static int tcpd_open __P((char *));
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipft_tx.c,v 1.1.1.5 1997/07/05 05:12:51 darrenr Exp $ */
|
||||
/* $NetBSD: ipft_tx.c,v 1.1.1.6 1997/09/21 16:48:10 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
@ -43,7 +43,7 @@
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_tx.c,v 1.1.1.5 1997/07/05 05:12:51 darrenr Exp $";
|
||||
static char rcsid[] = "Id: ipft_tx.c,v 2.0.2.7 1997/08/26 12:52:03 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
@ -328,7 +328,7 @@ int *out;
|
||||
u_long olen;
|
||||
|
||||
cpp++;
|
||||
olen = buildopts(*cpp, ipopts);
|
||||
olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
|
||||
if (olen) {
|
||||
bcopy(ipopts, (char *)(ip + 1), olen);
|
||||
ip->ip_hl += olen >> 2;
|
||||
|
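Review bot: `ip->ip_hl += olen >> 2` has no check that the result still fits the 4-bit header-length field: with the 48-byte option ceiling used by addipopt/buildopts elsewhere on this page, 12 words of options on a 5-word header gives 17 and the field wraps. The copy target `(char *)(ip + 1)` is the start of the option area, yet the new third argument tells buildopts that `(ip->ip_hl - 5) << 2` bytes of options already exist there — if buildopts returns only the bytes it appended, the bcopy overwrites the existing options; if it returns the running total, the `ip_hl` increment double-counts, so one of the two lines is wrong depending on the return convention. Writing to `(char *)ip + (ip->ip_hl << 2)` and stating in a comment what buildopts returns would settle it. The enclosing function starts and ends outside the hunk.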
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipt.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $ */
|
||||
/* $NetBSD: ipt.h,v 1.1.1.6 1997/09/21 16:48:14 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993-1997 by Darren Reed.
|
||||
@ -6,7 +6,7 @@
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
* $Id: ipt.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $
|
||||
* Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp
|
||||
*/
|
||||
|
||||
#ifndef __IPT_H__
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: misc.c,v 1.1.1.5 1997/07/05 05:12:57 darrenr Exp $ */
|
||||
/* $NetBSD: misc.c,v 1.1.1.6 1997/09/21 16:48:11 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
@ -43,7 +43,7 @@
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: misc.c,v 1.1.1.5 1997/07/05 05:12:57 darrenr Exp $";
|
||||
static char rcsid[] = "Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp ";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: pcap.h,v 1.1.1.2 1997/05/27 22:17:14 thorpej Exp $ */
|
||||
/* $NetBSD: pcap.h,v 1.1.1.3 1997/09/21 16:48:16 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993-1997 by Darren Reed.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: snoop.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $ */
|
||||
/* $NetBSD: snoop.h,v 1.1.1.6 1997/09/21 16:48:15 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1993-1997 by Darren Reed.
|
||||
@ -13,7 +13,7 @@
|
||||
|
||||
/*
|
||||
* written to comply with the RFC (1761) from Sun.
|
||||
* $Id: snoop.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $
|
||||
* Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp
|
||||
*/
|
||||
struct snoophdr {
|
||||
char s_id[8];
|
||||
|
@ -1,11 +1,9 @@
|
||||
#
|
||||
# (C)opyright 1993-1996 by Darren Reed.
|
||||
#
|
||||
# This code may be freely distributed as long as it retains this notice
|
||||
# and is not changed in any way. The author accepts no responsibility
|
||||
# for the use of this software. I hate legaleese, don't you ?
|
||||
#
|
||||
# where to put things.
|
||||
# Redistribution and use in source and binary forms are permitted
|
||||
# provided that this notice is preserved and due credit is given
|
||||
# to the original author and the contributors.
|
||||
#
|
||||
BINDEST=/usr/local/bin
|
||||
SBINDEST=/sbin
|
||||
@ -26,13 +24,13 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
|
||||
@(cd ..; make ipftest; )
|
||||
|
||||
1 2 3 4 5 6 7 8 9 10 11 14:
|
||||
@./dotest $@
|
||||
@/bin/sh ./dotest $@
|
||||
|
||||
12:
|
||||
@./hextest $@
|
||||
@/bin/sh ./hextest $@
|
||||
|
||||
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
|
||||
@./itest $@
|
||||
@/bin/sh ./itest $@
|
||||
|
||||
clean:
|
||||
/bin/rm -f 1 2 3 4 5 6 7 8 9 10 11 12 results/*
|
||||
|
@ -4,9 +4,11 @@ ipmon \- monitors /dev/ipl for logged packets
|
||||
.SH SYNOPSIS
|
||||
.B ipmon
|
||||
[
|
||||
.B \-asfnSN
|
||||
.B \-aFhnNsStvxX
|
||||
] [
|
||||
<filename>
|
||||
.B "\-f <device>"
|
||||
] [
|
||||
.B <filename>
|
||||
]
|
||||
.SH DESCRIPTION
|
||||
.LP
|
||||
@ -20,6 +22,24 @@ via syslog have the day, month and year removed from the message, but the
|
||||
time (including microseconds), as recorded in the log, is still included.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-a
|
||||
Open all of the device logfiles for reading log entries from. All entries
|
||||
are displayed to the same output 'device' (stderr or syslog).
|
||||
.TP
|
||||
.B "\-f <device>"
|
||||
specify an alternative device/file from which to read the log information.
|
||||
.TP
|
||||
.B \-F
|
||||
Flush the current packet log buffer. The number of bytes flushed is displayed,
|
||||
even should the result be zero.
|
||||
.TP
|
||||
.B \-n
|
||||
IP addresses and port numbers will be mapped, where possible, back into
|
||||
hostnames and service names.
|
||||
.TP
|
||||
.B \-N
|
||||
Treat the logfile as being composed of NAT log records.
|
||||
.TP
|
||||
.B \-s
|
||||
Packet information read in will be sent through syslogd rather than
|
||||
saved to a file. The following levels are used:
|
||||
@ -38,22 +58,17 @@ than pass or block.
|
||||
\- packets which have been logged and which can be considered
|
||||
"short".
|
||||
.TP
|
||||
.B \-a
|
||||
Open all of the device logfiles for reading log entries from.
|
||||
.TP
|
||||
.B \-f
|
||||
Flush the current packet log buffer. The number of bytes flushed is displayed,
|
||||
even should the result be zero.
|
||||
.TP
|
||||
.B \-n
|
||||
IP addresses and port numbers will be mapped, where possible, back into
|
||||
hostnames and service names.
|
||||
.TP
|
||||
.B \-N
|
||||
Treat the logfile as being composed of NAT log records.
|
||||
.TP
|
||||
.B \-S
|
||||
Treat the logfile as being composed of state log records.
|
||||
.TP
|
||||
.B \-t
|
||||
read the input file/device in a manner akin to tail(1).
|
||||
.TP
|
||||
.B \-x
|
||||
show the packet data in hex.
|
||||
.TP
|
||||
.B \-X
|
||||
show the log header record data in hex.
|
||||
.SH DIAGNOSTICS
|
||||
\fBipmon\fP expects data that it reads to be consistant with how it should be
|
||||
saved and will abort if it fails an assertion which detects an anomoly in the
|
||||
|
@ -2,7 +2,10 @@
|
||||
.SH NAME
|
||||
ipnat \- Network Address Translation kernel interface
|
||||
.SH SYNOPSIS
|
||||
#include <sys/ip_fil.h>
|
||||
#include <netinet/ip_compat.h>
|
||||
#include <netinet/ip_fil.h>
|
||||
#include <netinet/ip_proxy.h>
|
||||
#include <netinet/ip_nat.h>
|
||||
.SH IOCTLS
|
||||
.PP
|
||||
To add and delete rules to the NAT list, two 'basic' ioctls are provided
|
||||
|
107
usr.sbin/ipf/ipresend/ipresend.1
@ -0,0 +1,107 @@
|
||||
.TH IPRESEND 1
|
||||
.SH NAME
|
||||
ipresend \- resend IP packets out to network
|
||||
.SH SYNOPSIS
|
||||
.B ipsend
|
||||
[
|
||||
.B \-EHPRSTX
|
||||
] [
|
||||
.B \-d
|
||||
<device>
|
||||
] [
|
||||
.B \-g
|
||||
<\fIgateway\fP>
|
||||
] [
|
||||
.B \-m
|
||||
<\fIMTU\fP>
|
||||
] [
|
||||
.B \-r
|
||||
<\fIfilename\fP>
|
||||
]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBipresend\fP was designed to allow packets to be resent, once captured,
|
||||
back out onto the network for use in testing. \fIipresend\fP supports a
|
||||
number of different file formats as input, including saved snoop/tcpdump
|
||||
binary data.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.BR \-d \0<interface>
|
||||
Set the interface name to be the name supplied. This is useful with the
|
||||
\fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is not otherwise possible
|
||||
to associate a packet with an interface. Normal "text packets" can override
|
||||
this setting.
|
||||
.TP
|
||||
.BR \-g \0<gateway>
|
||||
Specify the hostname of the gateway through which to route packets. This
|
||||
is required whenever the destination host isn't directly attached to the
|
||||
same network as the host from which you're sending.
|
||||
.TP
|
||||
.BR \-m \0<MTU>
|
||||
Specify the MTU to be used when sending out packets. This option allows you
|
||||
to set a fake MTU, allowing the simulation of network interfaces with small
|
||||
MTU's without setting them so.
|
||||
.TP
|
||||
.BR \-r \0<filename>
|
||||
Specify the filename from which to take input. Default is stdin.
|
||||
.B \-E
|
||||
The input file is to be text output from etherfind. The text formats which
|
||||
are currently supported are those which result from the following etherfind
|
||||
option combinations:
|
||||
.PP
|
||||
.nf
|
||||
etherfind -n
|
||||
etherfind -n -t
|
||||
.fi
|
||||
.LP
|
||||
.TP
|
||||
.B \-H
|
||||
The input file is to be hex digits, representing the binary makeup of the
|
||||
packet. No length correction is made, if an incorrect length is put in
|
||||
the IP header.
|
||||
.TP
|
||||
.B \-P
|
||||
The input file specified by \fB\-i\fP is a binary file produced using libpcap
|
||||
(i.e., tcpdump version 3). Packets are read from this file as being input
|
||||
(for rule purposes).
|
||||
.TP
|
||||
.B \-R
|
||||
When sending packets out, send them out "raw" (the way they came in). The
|
||||
only real significance here is that it will expect the link layer (i.e.
|
||||
ethernet) headers to be prepended to the IP packet being output.
|
||||
.TP
|
||||
.B \-S
|
||||
The input file is to be in "snoop" format (see RFC 1761). Packets are read
|
||||
from this file and used as input from any interface. This is perhaps the
|
||||
most useful input type, currently.
|
||||
.TP
|
||||
.B \-T
|
||||
The input file is to be text output from tcpdump. The text formats which
|
||||
are currently supported are those which result from the following tcpdump
|
||||
option combinations:
|
||||
.PP
|
||||
.nf
|
||||
tcpdump -n
|
||||
tcpdump -nq
|
||||
tcpdump -nqt
|
||||
tcpdump -nqtt
|
||||
tcpdump -nqte
|
||||
.fi
|
||||
.LP
|
||||
.TP
|
||||
.B \-X
|
||||
The input file is composed of text descriptions of IP packets.
|
||||
.TP
|
||||
.SH FILES
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
|
||||
.SH DIAGNOSTICS
|
||||
.PP
|
||||
Needs to be run as root.
|
||||
.SH BUGS
|
||||
.PP
|
||||
Not all of the input formats are sufficiently capable of introducing a
|
||||
wide enough variety of packets for them to be all useful in testing.
|
||||
If you find any, please send email to me at darrenr@cyber.com.au
|
||||
|
@ -1,20 +1,16 @@
|
||||
/* $NetBSD: ipresend.c,v 1.1.1.2 1997/05/27 22:18:08 thorpej Exp $ */
|
||||
/* $NetBSD: ipresend.c,v 1.1.1.3 1997/09/21 16:49:04 veego Exp $ */
|
||||
|
||||
/*
|
||||
* ipsend.c (C) 1995 Darren Reed
|
||||
* ipresend.c (C) 1995-1997 Darren Reed
|
||||
*
|
||||
* This was written to test what size TCP fragments would get through
|
||||
* various TCP/IP packet filters, as used in IP firewalls. In certain
|
||||
* conditions, enough of the TCP header is missing for unpredictable
|
||||
* results unless the filter is aware that this can happen.
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*
|
||||
* This was written and tested (successfully) on SunOS 4.1.x.
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
@ -96,10 +92,10 @@ char **argv;
|
||||
struct in_addr gwip;
|
||||
struct ipread *ipr = NULL;
|
||||
char *name = argv[0], *gateway = NULL, *dev = NULL;
|
||||
char c, *resend = NULL;
|
||||
int mtu = 1500;
|
||||
char *resend = NULL;
|
||||
int mtu = 1500, c;
|
||||
|
||||
while ((c = getopt(argc, argv, "EHPSTXd:g:m:r:")) != -1)
|
||||
while ((c = getopt(argc, argv, "EHPRSTXd:g:m:r:")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'd' :
|
||||
@ -118,6 +114,9 @@ char **argv;
|
||||
case 'r' :
|
||||
resend = optarg;
|
||||
break;
|
||||
case 'R' :
|
||||
opts |= OPT_RAW;
|
||||
break;
|
||||
#ifndef NO_IPF
|
||||
case 'E' :
|
||||
ipr = ðerf;
|
||||
|
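Review bot: The new `case 'R'` sets OPT_RAW with no comment saying what raw mode changes; the ipresend.1 page in this commit describes it as input that already carries link-layer headers which are sent unmodified, so a comment such as `/* -R: input frames already carry link-layer headers; send them as-is */` would keep that meaning next to the code. The change from `char c` to `int c` is the right fix for comparing the getopt() result against -1. main's body continues outside the hunk, so whether the usage text was updated for -R cannot be seen here.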
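--- /dev/null
+++ b/usr.sbin/ipf/ipsend/iplang.h
@@ -0,0 +1,53 @@
+/* $NetBSD: iplang.h,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */
+
+/*
+* (C)opyright 1997 by Darren Reed.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this notice is preserved and due credit is given
+* to the original author and the contributors.
+*/
+typedef struct iface {
+int if_MTU;
+char *if_name;
+struct in_addr if_addr;
+struct ether_addr if_eaddr;
+struct iface *if_next;
+int if_fd;
+} iface_t;
+
+
+typedef struct send {
+struct iface *snd_if;
+struct in_addr snd_gw;
+} send_t;
+
+
+typedef struct arp {
+struct in_addr arp_addr;
+struct ether_addr arp_eaddr;
+struct arp *arp_next;
+} arp_t;
+
+
+typedef struct aniphdr {
+union {
+ip_t *ahu_ip;
+char *ahu_data;
+tcphdr_t *ahu_tcp;
+udphdr_t *ahu_udp;
+icmphdr_t *ahu_icmp;
+} ah_un;
+int ah_optlen;
+int ah_lastopt;
+int ah_p;
+size_t ah_len;
+struct aniphdr *ah_next;
+struct aniphdr *ah_prev;
+} aniphdr_t;
+
+#define ah_ip ah_un.ahu_ip
+#define ah_data ah_un.ahu_data
+#define ah_tcp ah_un.ahu_tcp
+#define ah_udp ah_un.ahu_udp
+#define ah_icmp ah_un.ahu_icmp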
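Review bot: The header has no include guard and no #include lines, yet it uses ip_t, tcphdr_t, udphdr_t, icmphdr_t, struct in_addr and struct ether_addr; wrap the body in `#ifndef __IPLANG_H__` / `#define __IPLANG_H__` … `#endif`, the pattern the other ipf headers on this page use (e.g. `__IPT_H__`), and add a comment naming the headers that must be included before it. A one-line comment on aniphdr_t would also help a reader — from its fields it looks like a doubly linked list of protocol headers where ah_un points at the header and ah_len/ah_optlen describe its size — but that is inferred from the names and should be confirmed by the parser's author.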
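--- /dev/null
+++ b/usr.sbin/ipf/ipsend/iplang.tst
@@ -0,0 +1,20 @@
+#
+interface { ifname le0; mtu 1500; }
+
+ipv4 {
+src 10.1.1.49; dst 10.1.1.50; id 123; opt { rr 7; };
+tcp {
+seq 12345; ack 0; sport 9999; dport 23; flags S;
+opt { mss 65535; }; data { value "abcdef"; } ;
+}
+}
+send { via 10.1.1.50; }
+#
+ipv4 {
+src 10.1.1.49; dst 10.1.1.50; id 1; opt { lsrr 1.1.1.1; };
+tcp {
+seq 12345; ack 0; sport 9999; dport 23; flags S;
+opt { wscale 2 ; eol; mss 1; }; data { value "abcdef"; } ;
+}
+}
+send { via 10.1.1.50; }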
246
usr.sbin/ipf/ipsend/iplang_l.l
@ -0,0 +1,246 @@
|
||||
/* $NetBSD: iplang_l.l,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */
|
||||
|
||||
%{
|
||||
/*
|
||||
* (C)opyright 1997 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* Id: iplang_l.l,v 2.0.2.8 1997/09/13 07:14:23 darrenr Exp
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/param.h>
|
||||
#include "y.tab.h"
|
||||
|
||||
#ifndef __P
|
||||
# ifdef __STDC__
|
||||
# define __P(x) x
|
||||
# else
|
||||
# define __P(x) ()
|
||||
# endif
|
||||
#endif
|
||||
|
||||
int lineNum = 0, proto = 0, oldproto = 0, next = -1, laststate = 0;
|
||||
int *prstack = NULL, numpr = 0, state = 0, token = 0;
|
||||
|
||||
void push_proto __P((void));
|
||||
void pop_proto __P((void));
|
||||
int next_state __P((int, int));
|
||||
int next_item __P((int));
|
||||
int save_token __P((void));
|
||||
void swallow __P((void));
|
||||
int yylex __P((void));
|
||||
%}
|
||||
|
||||
%%
|
||||
[ \t\r] ;
|
||||
\n { lineNum++; swallow(); }
|
||||
interface |
|
||||
iface { return next_state(IL_INTERFACE, -1); }
|
||||
name |
|
||||
ifname { return next_state(IL_IFNAME, IL_TOKEN); }
|
||||
router { return next_state(IL_DEFROUTER, IL_TOKEN); }
|
||||
mtu { return next_state(IL_MTU, IL_NUMBER); }
|
||||
eaddr { return next_state(IL_EADDR, IL_TOKEN); }
|
||||
v4addr { return next_state(IL_V4ADDR, IL_TOKEN); }
|
||||
ipv4 { return next_state(IL_IPV4, -1); }
|
||||
v { return next_state(IL_V4V, IL_TOKEN); }
|
||||
proto { return next_state(IL_V4PROTO, IL_TOKEN); }
|
||||
hl { return next_state(IL_V4HL, IL_TOKEN); }
|
||||
id { return next_state(IL_V4ID, IL_TOKEN); }
|
||||
ttl { return next_state(IL_V4TTL, IL_TOKEN); }
|
||||
tos { return next_state(IL_V4TOS, IL_TOKEN); }
|
||||
src { return next_state(IL_V4SRC, IL_TOKEN); }
|
||||
dst { return next_state(IL_V4DST, IL_TOKEN); }
|
||||
opt { return next_state(IL_OPT, -1); }
|
||||
len { return next_state(IL_LEN, IL_TOKEN); }
|
||||
off { return next_state(IL_OFF, IL_TOKEN); }
|
||||
sum { return next_state(IL_SUM, IL_TOKEN); }
|
||||
tcp { return next_state(IL_TCP, -1); }
|
||||
sport { return next_state(IL_SPORT, IL_TOKEN); }
|
||||
dport { return next_state(IL_DPORT, IL_TOKEN); }
|
||||
seq { return next_state(IL_TCPSEQ, IL_TOKEN); }
|
||||
ack { return next_state(IL_TCPACK, IL_TOKEN); }
|
||||
flags { return next_state(IL_TCPFL, IL_TOKEN); }
|
||||
urp { return next_state(IL_TCPURP, IL_TOKEN); }
|
||||
win { return next_state(IL_TCPWIN, IL_TOKEN); }
|
||||
udp { return next_state(IL_UDP, -1); }
|
||||
send { return next_state(IL_SEND, -1); }
|
||||
via { return next_state(IL_VIA, IL_TOKEN); }
|
||||
arp { return next_state(IL_ARP, -1); }
|
||||
data { return next_state(IL_DATA, -1); }
|
||||
value { return next_state(IL_DVALUE, IL_TOKEN); }
|
||||
file { return next_state(IL_DFILE, IL_TOKEN); }
|
||||
nop { return next_state(IL_IPO_NOP, -1); }
|
||||
eol { return next_state(IL_IPO_EOL, -1); }
|
||||
rr { return next_state(IL_IPO_RR, -1); }
|
||||
zsu { return next_state(IL_IPO_ZSU, -1); }
|
||||
mtup { return next_state(IL_IPO_MTUP, -1); }
|
||||
mtur { return next_state(IL_IPO_MTUR, -1); }
|
||||
encode { return next_state(IL_IPO_ENCODE, -1); }
|
||||
ts { return next_state(IL_IPO_TS, -1); }
|
||||
tr { return next_state(IL_IPO_TR, -1); }
|
||||
sec { return next_state(IL_IPO_SEC, -1); }
|
||||
secclass { return next_state(IL_IPO_SECCLASS, IL_TOKEN); }
|
||||
lsrr { return next_state(IL_IPO_LSRR, -1); }
|
||||
esec { return next_state(IL_IPO_ESEC, -1); }
|
||||
cipso { return next_state(IL_IPO_CIPSO, -1); }
|
||||
satid { return next_state(IL_IPO_SATID, -1); }
|
||||
ssrr { return next_state(IL_IPO_SSRR, -1); }
|
||||
addext { return next_state(IL_IPO_ADDEXT, -1); }
|
||||
visa { return next_state(IL_IPO_VISA, -1); }
|
||||
imitd { return next_state(IL_IPO_IMITD, -1); }
|
||||
eip { return next_state(IL_IPO_EIP, -1); }
|
||||
finn { return next_state(IL_IPO_FINN, -1); }
|
||||
mss { return next_state(IL_TCPO_MSS, IL_TOKEN); }
|
||||
wscale { return next_state(IL_TCPO_MSS, IL_TOKEN); }
|
||||
reserv-4 { return next_state(IL_IPS_RESERV4, -1); }
|
||||
topsecret { return next_state(IL_IPS_TOPSECRET, -1); }
|
||||
secret { return next_state(IL_IPS_SECRET, -1); }
|
||||
reserv-3 { return next_state(IL_IPS_RESERV3, -1); }
|
||||
confid { return next_state(IL_IPS_CONFID, -1); }
|
||||
unclass { return next_state(IL_IPS_UNCLASS, -1); }
|
||||
reserv-2 { return next_state(IL_IPS_RESERV2, -1); }
|
||||
reserv-1 { return next_state(IL_IPS_RESERV1, -1); }
|
||||
\{ { push_proto(); return next_item(IL_LBRACE); }
|
||||
\} { pop_proto(); return next_item(IL_RBRACE); }
|
||||
\. { return next_item(IL_DOT); }
|
||||
; { return next_item(IL_SEMICOLON); }
|
||||
[0-9]+ { return next_item(IL_NUMBER); }
|
||||
[0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
|
||||
: { return next_item(IL_COLON); }
|
||||
#[^\n]* { return next_item(IL_COMMENT); }
|
||||
[^ {}\n\t;]* { return next_item(IL_TOKEN); }
|
||||
\"[^\"]*\" { return next_item(IL_TOKEN); }
|
||||
%%
|
||||
void push_proto()
|
||||
{
|
||||
numpr++;
|
||||
if (!prstack)
|
||||
prstack = (int *)malloc(sizeof(int));
|
||||
else
|
||||
prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
|
||||
prstack[numpr - 1] = oldproto;
|
||||
}
|
||||
|
||||
|
||||
void pop_proto()
|
||||
{
|
||||
numpr--;
|
||||
proto = prstack[numpr];
|
||||
if (!numpr) {
|
||||
free(prstack);
|
||||
prstack = NULL;
|
||||
return;
|
||||
}
|
||||
prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
|
||||
}
|
||||
|
||||
|
||||
int save_token()
|
||||
{
|
||||
static char *buf = NULL;
|
||||
|
||||
if (buf && (buf == yylval.str))
|
||||
free(buf);
|
||||
buf = yylval.str = strdup(yytext);
|
||||
return IL_TOKEN;
|
||||
}
|
||||
|
||||
|
||||
int next_item(nstate)
|
||||
int nstate;
|
||||
{
|
||||
if (next == IL_TOKEN) {
|
||||
next = -1;
|
||||
return save_token();
|
||||
}
|
||||
next = -1;
|
||||
if (nstate == IL_NUMBER)
|
||||
yylval.num = atoi(yytext);
|
||||
token++;
|
||||
return nstate;
|
||||
}
|
||||
|
||||
|
||||
int next_state(nstate, fornext)
|
||||
int nstate, fornext;
|
||||
{
|
||||
token++;
|
||||
|
||||
if (next == IL_TOKEN) {
|
||||
next = -1;
|
||||
return save_token();
|
||||
}
|
||||
|
||||
next = fornext;
|
||||
|
||||
switch (nstate)
|
||||
{
|
||||
case IL_IPV4 :
|
||||
case IL_TCP :
|
||||
case IL_UDP :
|
||||
case IL_ICMP :
|
||||
case IL_DATA :
|
||||
case IL_INTERFACE :
|
||||
case IL_ARP :
|
||||
oldproto = proto;
|
||||
proto = nstate;
|
||||
break;
|
||||
case IL_SUM :
|
||||
if (proto == IL_IPV4)
|
||||
nstate = IL_V4SUM;
|
||||
else if (proto == IL_TCP)
|
||||
nstate = IL_TCPSUM;
|
||||
else if (proto == IL_UDP)
|
||||
nstate = IL_UDPSUM;
|
||||
break;
|
||||
case IL_OPT :
|
||||
if (proto == IL_IPV4)
|
||||
nstate = IL_V4OPT;
|
||||
else if (proto == IL_TCP)
|
||||
nstate = IL_TCPOPT;
|
||||
break;
|
||||
case IL_IPO_NOP :
|
||||
if (proto == IL_TCP)
|
||||
nstate = IL_TCPO_NOP;
|
||||
break;
|
||||
case IL_IPO_EOL :
|
||||
if (proto == IL_TCP)
|
||||
nstate = IL_TCPO_EOL;
|
||||
break;
|
||||
case IL_IPO_TS :
|
||||
if (proto == IL_TCP)
|
||||
nstate = IL_TCPO_TS;
|
||||
break;
|
||||
case IL_OFF :
|
||||
if (proto == IL_IPV4)
|
||||
nstate = IL_V4OFF;
|
||||
else if (proto == IL_TCP)
|
||||
nstate = IL_TCPOFF;
|
||||
break;
|
||||
case IL_LEN :
|
||||
if (proto == IL_IPV4)
|
||||
nstate = IL_V4LEN;
|
||||
else if (proto == IL_UDP)
|
||||
nstate = IL_UDPLEN;
|
||||
break;
|
||||
}
|
||||
return nstate;
|
||||
}
|
||||
|
||||
|
||||
void swallow()
|
||||
{
|
||||
int c = input();
|
||||
|
||||
if (c == '#') {
|
||||
while ((c != '\n') && (c != EOF))
|
||||
c = input();
|
||||
}
|
||||
unput(c);
|
||||
}
|
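Review bot: pop_proto decrements numpr before using it as an index, and the `\}` rule calls it unconditionally, so an unbalanced `}` in the input reads prstack[-1] and then calls realloc with a negative count; a guard such as `if (numpr <= 0) { /* unbalanced brace: report a syntax error */ return; }` before the decrement is needed, and the realloc results in push_proto and pop_proto should be checked instead of being assigned straight back to prstack. Separately, the `wscale` rule returns the same IL_TCPO_MSS token as the `mss` rule, which looks like a copy-paste slip — the parser cannot tell the two options apart unless wscale gets its own token. swallow() also passes EOF to unput() when the comment runs to end of input, and save_token's strdup result is not checked.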
1808
usr.sbin/ipf/ipsend/iplang_y.y
102
usr.sbin/ipf/ipsend/ipsend.1
@ -0,0 +1,102 @@
|
||||
.TH IPSEND 1
|
||||
.SH NAME
|
||||
ipsend \- sends IP packets
|
||||
.SH SYNOPSIS
|
||||
.B ipsend
|
||||
[
|
||||
.B \-ITU
|
||||
] [
|
||||
.B \-d
|
||||
<interface>
|
||||
] [
|
||||
.B \-f
|
||||
<\fIoffset\fP>
|
||||
] [
|
||||
.B \-g
|
||||
<\fIgateway\fP>
|
||||
] [
|
||||
.B \-m
|
||||
<\fIMTU\fP>
|
||||
] [
|
||||
.B \-o
|
||||
<\fIoption\fP>
|
||||
] [
|
||||
.B \-P
|
||||
<protocol>
|
||||
] [
|
||||
.B \-s
|
||||
<\fIsource\fP>
|
||||
] [
|
||||
.B \-t
|
||||
<\fIdest. port\fP>
|
||||
] [
|
||||
.B \-w
|
||||
<\fIwindow\fP>
|
||||
] <destination> [TCP-flags]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBipsend\fP can be compiled in two ways. The first is used to send one-off
|
||||
packets to a destination host, using command line options to specify various
|
||||
attributes present in the headers. The \fIdestination\fP must be given as
|
||||
the last command line option, except for when TCP flags are specified as
|
||||
a combination of A, S, F, U, P and R, last.
|
||||
.PP
|
||||
The other way it may be compiled, with DOSOCKET defined, is to allow an
|
||||
attempt at making a TCP connection using a with ipsend resending the SYN
|
||||
packet as per the command line options.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.BR \-d \0<interface>
|
||||
Set the interface name to be the name supplied.
|
||||
.TP
|
||||
.BR \-f \0<offset>
|
||||
The \fI-f\fP allows the IP offset field in the IP header to be set to an
|
||||
arbitrary value, which can be specified in decimal or hexidecimal.
|
||||
.TP
|
||||
.BR \-g \0<gateway>
|
||||
Specify the hostname of the gateway through which to route packets. This
|
||||
is required whenever the destination host isn't directly attached to the
|
||||
same network as the host from which you're sending.
|
||||
.TP
|
||||
.BR \-m \0<MTU>
|
||||
Specify the MTU to be used when sending out packets. This option allows you
|
||||
to set a fake MTU, allowing the simulation of network interfaces with small
|
||||
MTU's without setting them so.
|
||||
.TP
|
||||
.BR \-o \0<option>
|
||||
Specify options to be included at the end of the IP header. An EOL option
|
||||
is automatically appended and need not be given. If an option would also
|
||||
have data associated with it (source as an IP# for a lsrr option), then
|
||||
this will not be initialised.
|
||||
.TP
|
||||
.BR \-s \0<source>
|
||||
Set the source address in the packet to that provided - maybe either a
|
||||
hostname or IP#.
|
||||
.TP
|
||||
.BR \-t \0<dest. port>
|
||||
Set the destination port for TCP/UDP packets.
|
||||
.TP
|
||||
.BR \-w \0<window>
|
||||
Set the window size for TCP packets.
|
||||
.TP
|
||||
.B \-I
|
||||
Set the protocol to ICMP.
|
||||
.TP
|
||||
.B \-P <protocol>
|
||||
Set the protocol to the value given. If the parameter is a name, the name
|
||||
is looked up in the \fI/etc/protocols\fP file.
|
||||
.TP
|
||||
.B \-T
|
||||
Set the protocol to TCP.
|
||||
.TP
|
||||
.B \-U
|
||||
Set the protocol to UDP.
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
|
||||
.SH DIAGNOSTICS
|
||||
.PP
|
||||
Needs to be run as root.
|
||||
.SH BUGS
|
||||
.PP
|
||||
If you find any, please send email to me at darrenr@cyber.com.au
|
236
usr.sbin/ipf/ipsend/ipsend.5
@ -0,0 +1,236 @@
|
||||
.TH IPSEND 5
|
||||
.SH NAME
|
||||
ipsend \- IP packet description language
|
||||
.SH DESCRIPTION
|
||||
The \fBipsend\fP program expects, with the \fB-L\fP option, input to be a
|
||||
text file which fits the grammar described below. The purpose of this
|
||||
grammar is to allow IP packets to be described in an arbitary way which
|
||||
also allows encapsulation to be so done to an arbitary level.
|
||||
.SH GRAMMAR
|
||||
.LP
|
||||
.nf
|
||||
line ::= iface | arp | send | defrouter | ipv4line .
|
||||
|
||||
iface ::= ifhdr "{" ifaceopts "}" .
|
||||
ifhdr ::= "interface" | "iface" .
|
||||
ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr | "eaddr" eaddr .
|
||||
|
||||
send ::= "send" ";" | "send" "{" sendbodyopts "}" .
|
||||
sendbodyopts ::= sendbody [ sendbodyopts ] .
|
||||
sendbody ::= "ifname" name | "via" ipaddr .
|
||||
|
||||
defrouter ::= "router" ipaddr .
|
||||
|
||||
arp ::= "arp" "{" arpbodyopts "}" .
|
||||
arpbodyopts ::= arpbody [ arpbodyopts ] .
|
||||
arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
|
||||
|
||||
ipv4line ::= "ipv4" "{" ipv4bodyopts "}" .
|
||||
ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] .
|
||||
ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
|
||||
"off" number | "v" number | "hl" number| "id" number |
|
||||
"ttl" number | "tos" number | "sum" number | "len" number |
|
||||
"opt" "{" ipv4optlist "}" | tcpline | udpline | icmpline |
|
||||
ipv4line .
|
||||
ipv4optlist ::= ipv4option [ ipv4optlist ] .
|
||||
ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
|
||||
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
|
||||
"ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
|
||||
"secclass" ipv4secclass.
|
||||
ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
|
||||
"reserv-3" | "reserv-4" | "secret" | "topsecret" .
|
||||
|
||||
tcpline ::= "tcp" "{" tcpbodyopts "}" .
|
||||
tcpbodyopts ::= tcpbody [ tcpbodyopts ] .
|
||||
tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
|
||||
"off" number | "urp" number | "win" number | "sum" number |
|
||||
"flags" tcpflags | data .
|
||||
|
||||
udpline ::= "udp" "{" udpbodyopts "}" .
|
||||
udpbodyopts ::= udpbody [ udpbodyopts ] .
|
||||
udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
|
||||
data .
|
||||
|
||||
icmpline ::= "icmp" "{" icmpbodyopts "}" .
|
||||
icmpbodyopts ::= icmpbody [ icmpbodyopts ] .
|
||||
icmpbody ::= "type" icmptype [ typeopts ] [ "code" icmpcode ] .
|
||||
icmptype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
|
||||
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
|
||||
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
|
||||
.fi
|
||||
.SH COMMANDS
|
||||
.PP
|
||||
Before sending any packets or defining any packets, it is necessary to
|
||||
describe the interface(s) which will be used to send packets out.
|
||||
.TP
|
||||
.B interface
|
||||
is used to describe a network interface. The description included need
|
||||
not match the actual configuration currently employed by the operating
|
||||
system.
|
||||
.TP
|
||||
.B send
|
||||
is used to actually send out a packet across the network. If the
|
||||
destination is not specified, it will attempt to send the packet
|
||||
directly out on the network to the destination without routing it.
|
||||
.TP
|
||||
.B router
|
||||
configures the default router for ipsend, as distinct from the default
|
||||
route installed in the kernel.
|
||||
.TP
|
||||
.B ipv4
|
||||
is used to describe an IP (version 4) packet. IP header fields can be
|
||||
specified, including options, followed by a data section which may contain
|
||||
further protocol headers.
|
||||
.SH IPV4
|
||||
.TP
|
||||
.B hl <number>
|
||||
manually specifies the IP header length (automatically adjusts with the
|
||||
presence of IP options and defaults to 5);
|
||||
.TP
|
||||
.B v <number>
|
||||
set the IP version. Default is 4.
|
||||
.TP
|
||||
.B tos <number>
|
||||
set the type of service (TOS) field in the IP header. Default is 0.
|
||||
.TP
|
||||
.B len <number>
|
||||
manually specifies the length of the IP packet. The length will automatically
|
||||
be adjusted to accomodate data or further protocol headers.
|
||||
.TP
|
||||
.B off <number>
|
||||
sets the fragment offset field of the IP packet. Default is 0.
|
||||
.TP
|
||||
.B ttl <number>
|
||||
sets the time to live (TTL) field of the IP header. Default is 60.
|
||||
.TP
|
||||
.B proto <protocol>
|
||||
sets the protocol field of the IP header. The protocol can either be a
|
||||
number or a name found in \fB/etc/protocols\fP.
|
||||
.TP
|
||||
.B sum
|
||||
manually specifies the checksum for the IP header. If left unset (0), it
|
||||
will be calculated prior to being sent.
|
||||
.TP
|
||||
.B src
|
||||
manually specifies the source address of the IP header. If left unset, it
|
||||
will default to the host's IP address.
|
||||
.TP
|
||||
.B dst
|
||||
sets the destination of the IP packet. The default is 0.0.0.0.
|
||||
.TP
|
||||
.B opt
|
||||
is used to include IP options in the IP header.
|
||||
.TP
|
||||
.B tcp
|
||||
is used to indicate the a TCP protocol header is to follow. See the \fBTCP\fP
|
||||
section for TCP header options.
|
||||
.TP
|
||||
.B udp
|
||||
is used to indicate the a UDP protocol header is to follow. See the \fBUDP\fP
|
||||
section for UDP header options.
|
||||
.TP
|
||||
.B icmp
|
||||
is used to indicate the a ICMP protocol header is to follow. See the
|
||||
\fBICMP\fP section for ICMP header options.
|
||||
.TP
|
||||
.B data
|
||||
is used to indicate that raw data is to be included in the IP packet. See the
|
||||
\fBDATA\fP section for details on options available.
|
||||
.SH TCP
|
||||
.TP
|
||||
.B sport <port>
|
||||
sets the source port to the number/name given. Default is 0.
|
||||
.TP
|
||||
.B dport <port>
|
||||
sets the destination port to the number/name given. Default is 0.
|
||||
.TP
|
||||
.B seq <number>
|
||||
sets the sequence number to the number specified. Default is 0.
|
||||
.TP
|
||||
.B ack <number>
|
||||
sets the acknowledge number to the number specified. Default is 0.
|
||||
.TP
|
||||
.B off <number>
|
||||
sets the offset value for the start of data to the number specified. This
|
||||
implies the size of the TCP header. It is automatically adjusted if TCP
|
||||
options are included and defaults to 5.
|
||||
.TP
|
||||
.B urp <number>
|
||||
sets the value of the urgent data pointer to the number specified. Default
|
||||
is 0.
|
||||
.TP
|
||||
.B win <number>
|
||||
sets the size of the TCP window to the number specified. Default is 4096.
|
||||
.TP
|
||||
.B sum <number>
|
||||
manually specifies the checksum for the TCP pseudo-header and data. If left
|
||||
unset, it defaults to 0 and is automatically calculated.
|
||||
.TP
|
||||
.B flags <tcp-flags>
|
||||
sets the TCP flags field to match the flags specified. Valid flags are
|
||||
"S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH).
|
||||
.TP
|
||||
.B opt
|
||||
indicates that TCP header options follow. As TCP options are added to the
|
||||
TCP header, the \fBoff\fP field is updated to match.
|
||||
.TP
|
||||
.B data
|
||||
indicates that a data section is to follow and is to be included as raw
|
||||
data, being appended to the header.
|
||||
.SH UDP
|
||||
.TP
|
||||
.B sport <port>
|
||||
sets the source port to the number/name given. Default is 0.
|
||||
.TP
|
||||
.B dport <port>
|
||||
sets the destination port to the number/name given. Default is 0.
|
||||
.TP
|
||||
.B len <number>
|
||||
manually specifies the length of the UDP header and data. If left unset,
|
||||
it is automatically adjusted to match the header presence and any data if
|
||||
present.
|
||||
.TP
|
||||
.B sum <number>
|
||||
manually specifies the checksum for the UDP pseudo-header and data. If left
|
||||
unset, it defaults to 0 and is automatically calculated.
|
||||
.TP
|
||||
.B data
|
||||
indicates that a data section is to follow and is to be included as raw
|
||||
data, being appended to the header.
|
||||
.SH ICMP
|
||||
.TP
|
||||
.B type <icmptype>
|
||||
sets the ICMP type according the to the icmptype tag. This may either be
|
||||
a number or one of the recognised tags (see the ICMP TYPES section for a
|
||||
list of names recognised).
|
||||
.TP
|
||||
.B code <icmpcode>
|
||||
sets the ICMP code.
|
||||
.TP
|
||||
.B data
|
||||
indicates that a data section is to follow and is to be included as raw
|
||||
data, being appended to the header.
|
||||
.SH DATA
|
||||
Each of the following extend the packet in a different way. \fBLen\fP just
|
||||
increases the length (without adding any content), \fBvalue\fP uses a string
|
||||
and \fBfile\fP a file.
|
||||
.TP
|
||||
.B len <number>
|
||||
extend the length of the packet by \fBnumber\fP bytes (without filling those
|
||||
bytes with any particular data).
|
||||
.TP
|
||||
.B value <string>
|
||||
indicates that the string provided should be added to the current packet as
|
||||
data. A string may be a consecutive list of characters and numbers (with
|
||||
no white spaces) or bounded by "'s (may not contain them, even if \\'d).
|
||||
The \\ charcater is recognised with the appropriate C escaped values, including
|
||||
octal numbers.
|
||||
.TP
|
||||
.B file <filename>
|
||||
reads data in from the specified file and appends it to the current packet.
|
||||
If the new total length would exceed 64k, an error will be reported.
|
||||
.SH FILES
|
||||
/etc/protocols
|
||||
/etc/services
|
||||
/etc/hosts
|
||||
.SH SEE ALSO
|
@ -1,23 +1,25 @@
|
||||
/* $NetBSD: ipsopt.c,v 1.1.1.2 1997/05/27 22:18:17 thorpej Exp $ */
|
||||
/* $NetBSD: ipsopt.c,v 1.1.1.3 1997/09/21 16:49:13 veego Exp $ */
|
||||
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
* (C)opyright 1995-1997 by Darren Reed.
|
||||
*
|
||||
* This code may be freely distributed as long as it retains this notice
|
||||
* and is not changed in any way. The author accepts no responsibility
|
||||
* for the use of this software. I hate legaleese, don't you ?
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/ip_compat.h>
|
||||
|
||||
|
||||
@ -40,7 +42,7 @@ struct ipopt_names {
|
||||
struct ipopt_names ionames[] = {
|
||||
{ IPOPT_EOL, 0x01, 1, "eol" },
|
||||
{ IPOPT_NOP, 0x02, 1, "nop" },
|
||||
{ IPOPT_RR, 0x04, 7, "rr" }, /* 1 route */
|
||||
{ IPOPT_RR, 0x04, 3, "rr" }, /* 1 route */
|
||||
{ IPOPT_TS, 0x08, 8, "ts" }, /* 1 TS */
|
||||
{ IPOPT_SECURITY, 0x08, 11, "sec-level" },
|
||||
{ IPOPT_LSRR, 0x10, 7, "lsrr" }, /* 1 route */
|
||||
@ -61,8 +63,10 @@ struct ipopt_names secnames[] = {
|
||||
};
|
||||
|
||||
|
||||
u_short seclevel __P((char *));
|
||||
u_long optname __P((char *, char *));
|
||||
u_short seclevel __P((char *));
|
||||
u_long optname __P((char *, char *));
|
||||
int addipopt __P((char *, struct ipopt_names *, int, char *));
|
||||
u_32_t buildopts __P((char *, char *, int));
|
||||
|
||||
|
||||
u_short seclevel(slevel)
|
||||
@ -82,14 +86,82 @@ char *slevel;
|
||||
}
|
||||
|
||||
|
||||
u_long optname(cp, op)
|
||||
int addipopt(op, io, len, class)
|
||||
char *op;
|
||||
struct ipopt_names *io;
|
||||
int len;
|
||||
char *class;
|
||||
{
|
||||
struct in_addr ipadr;
|
||||
int olen = len, srr = 0;
|
||||
u_short val;
|
||||
u_char lvl;
|
||||
char *s = op, *t;
|
||||
|
||||
if ((len + io->on_siz) > 48) {
|
||||
fprintf(stderr, "options too long\n");
|
||||
return 0;
|
||||
}
|
||||
len += io->on_siz;
|
||||
*op++ = io->on_value;
|
||||
if (io->on_siz > 1) {
|
||||
/*
|
||||
* Allow option to specify RR buffer length in bytes.
|
||||
*/
|
||||
if (io->on_value == IPOPT_RR) {
|
||||
val = (class && *class) ? atoi(class) : 4;
|
||||
*op++ = val + io->on_siz;
|
||||
len += val;
|
||||
} else
|
||||
*op++ = io->on_siz;
|
||||
*op++ = IPOPT_MINOFF;
|
||||
|
||||
while (class && *class) {
|
||||
t = NULL;
|
||||
switch (io->on_value)
|
||||
{
|
||||
case IPOPT_SECURITY :
|
||||
lvl = seclevel(class);
|
||||
*(op - 1) = lvl;
|
||||
break;
|
||||
case IPOPT_LSRR :
|
||||
case IPOPT_SSRR :
|
||||
if ((t = strchr(class, ',')))
|
||||
*t = '\0';
|
||||
ipadr.s_addr = inet_addr(class);
|
||||
srr++;
|
||||
bcopy((char *)&ipadr, op, sizeof(ipadr));
|
||||
op += sizeof(ipadr);
|
||||
break;
|
||||
case IPOPT_SATID :
|
||||
val = atoi(class);
|
||||
bcopy((char *)&val, op, 2);
|
||||
break;
|
||||
}
|
||||
|
||||
if (t)
|
||||
*t++ = ',';
|
||||
class = t;
|
||||
}
|
||||
if (srr)
|
||||
s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4 * srr;
|
||||
if (io->on_value == IPOPT_RR)
|
||||
op += val;
|
||||
else
|
||||
op += io->on_siz - 3;
|
||||
}
|
||||
return len - olen;
|
||||
}
|
||||
|
||||
|
||||
u_32_t buildopts(cp, op, len)
|
||||
char *cp, *op;
|
||||
int len;
|
||||
{
|
||||
struct ipopt_names *io;
|
||||
u_short lvl;
|
||||
u_long msk = 0;
|
||||
u_32_t msk = 0;
|
||||
char *s, *t;
|
||||
int len = 0;
|
||||
int inc, lastop = -1;
|
||||
|
||||
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
|
||||
if ((t = strchr(s, '=')))
|
||||
@ -97,21 +169,10 @@ char *cp, *op;
|
||||
for (io = ionames; io->on_name; io++) {
|
||||
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
|
||||
continue;
|
||||
if ((len + io->on_siz) > 48) {
|
||||
fprintf(stderr, "options too long\n");
|
||||
return 0;
|
||||
}
|
||||
len += io->on_siz;
|
||||
*op++ = io->on_value;
|
||||
if (io->on_siz > 1) {
|
||||
*op++ = io->on_siz;
|
||||
*op++ = IPOPT_MINOFF;
|
||||
|
||||
if (t && !strcasecmp(s, "sec-level")) {
|
||||
lvl = seclevel(t);
|
||||
bcopy(&lvl, op, sizeof(lvl));
|
||||
}
|
||||
op += io->on_siz - 3;
|
||||
lastop = io->on_value;
|
||||
if ((inc = addipopt(op, io, len, t))) {
|
||||
op += inc;
|
||||
len += inc;
|
||||
}
|
||||
msk |= io->on_bit;
|
||||
break;
|
||||
@ -121,7 +182,24 @@ char *cp, *op;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
*op++ = IPOPT_EOL;
|
||||
len++;
|
||||
|
||||
if (len & 3) {
|
||||
while (len & 3) {
|
||||
*op++ = ((len & 3) == 3) ? IPOPT_EOL : IPOPT_NOP;
|
||||
len++;
|
||||
}
|
||||
} else {
|
||||
if (lastop != IPOPT_EOL) {
|
||||
if (lastop == IPOPT_NOP)
|
||||
*(op - 1) = IPOPT_EOL;
|
||||
else {
|
||||
*op++ = IPOPT_NOP;
|
||||
*op++ = IPOPT_NOP;
|
||||
*op++ = IPOPT_NOP;
|
||||
*op = IPOPT_EOL;
|
||||
len += 4;
|
||||
}
|
||||
}
|
||||
}
|
||||
return len;
|
||||
}
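Review bot: addipopt under-reports the bytes it writes when a source route has more than one hop: in the `IPOPT_LSRR`/`IPOPT_SSRR` case each address advances `op` by `sizeof(ipadr)` but never adds to `len`, so the function returns `io->on_siz` (7) while it has set the option length byte to `IPOPT_MINOFF - 1 + 4 * srr`, and the caller's `op += inc; len += inc;` in buildopts then places the next option on top of the second hop. That loop also has no upper bound, and in the `IPOPT_RR` branch `len += val` is added after the only 48-byte check, so a long comma-separated hop list or a large `rr=` value (an unvalidated `atoi`, negative values wrap through the `u_short`) writes past the limit the function claims to enforce. I would count and bound every hop after the first inside the source-route case as below, and guard the RR branch with `if ((len + val) > 48) { fprintf(stderr, "options too long\n"); return 0; }` before `len += val`. buildopts appears to swallow the error path too: a 0 from addipopt just skips the `op += inc` block and still does `msk |= io->on_bit; break;`, whereas the old inline check returned 0 to its caller. Separately, 48 is more than the 40 bytes of options an IPv4 header can hold (IHL max 15), so the bound is loose even when the count is right.
```c
			case IPOPT_LSRR :
			case IPOPT_SSRR :
				if ((t = strchr(class, ',')))
					*t = '\0';
				if (srr) {
					/* first hop is already counted in on_siz */
					if ((len + sizeof(ipadr)) > 48) {
						fprintf(stderr, "options too long\n");
						return 0;
					}
					len += sizeof(ipadr);
				}
				ipadr.s_addr = inet_addr(class);
				srr++;
				bcopy((char *)&ipadr, op, sizeof(ipadr));
				op += sizeof(ipadr);
				break;
			/* … unchanged: IPOPT_SATID case, post-loop length fixup … */
```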
|
||||
|
77
usr.sbin/ipf/ipsend/tcpip.h
Normal file
@ -0,0 +1,77 @@
|
||||
/* $NetBSD: tcpip.h,v 1.1.1.1 1997/09/21 16:49:15 veego Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1982, 1986, 1993
|
||||
* The Regents of the University of California. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the University of
|
||||
* California, Berkeley and its contributors.
|
||||
* 4. Neither the name of the University nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)tcpip.h 8.1 (Berkeley) 6/10/93
|
||||
* Id: tcpip.h,v 2.0.2.2 1997/05/28 13:49:45 darrenr Exp
|
||||
*/
|
||||
|
||||
#ifndef _NETINET_TCPIP_H_
|
||||
#define _NETINET_TCPIP_H_
|
||||
|
||||
/*
|
||||
* Tcp+ip header, after ip options removed.
|
||||
*/
|
||||
struct tcpiphdr {
|
||||
struct ipovly ti_i; /* overlaid ip structure */
|
||||
struct tcphdr ti_t; /* tcp header */
|
||||
};
|
||||
#ifdef notyet
|
||||
/*
|
||||
* Tcp+ip header, after ip options removed but including TCP options.
|
||||
*/
|
||||
struct full_tcpiphdr {
|
||||
struct ipovly ti_i; /* overlaid ip structure */
|
||||
struct tcphdr ti_t; /* tcp header */
|
||||
char ti_o[TCP_MAXOLEN]; /* space for tcp options */
|
||||
};
|
||||
#endif /* notyet */
|
||||
#define ti_next ti_i.ih_next
|
||||
#define ti_prev ti_i.ih_prev
|
||||
#define ti_x1 ti_i.ih_x1
|
||||
#define ti_pr ti_i.ih_pr
|
||||
#define ti_len ti_i.ih_len
|
||||
#define ti_src ti_i.ih_src
|
||||
#define ti_dst ti_i.ih_dst
|
||||
#define ti_sport ti_t.th_sport
|
||||
#define ti_dport ti_t.th_dport
|
||||
#define ti_seq ti_t.th_seq
|
||||
#define ti_ack ti_t.th_ack
|
||||
#define ti_x2 ti_t.th_x2
|
||||
#define ti_off ti_t.th_off
|
||||
#define ti_flags ti_t.th_flags
|
||||
#define ti_win ti_t.th_win
|
||||
#define ti_sum ti_t.th_sum
|
||||
#define ti_urp ti_t.th_urp
|
||||
|
||||
#endif
|
101
usr.sbin/ipf/iptest/iptest.1
Normal file
@ -0,0 +1,101 @@
|
||||
.TH IPTEST 1
|
||||
.SH NAME
|
||||
iptest \- automatically generate a packets to test IP functionality
|
||||
.SH SYNOPSIS
|
||||
.B iptest
|
||||
[
|
||||
.B \-1234567
|
||||
] [
|
||||
.B \-d
|
||||
<device>
|
||||
] [
|
||||
.B \-g
|
||||
<gateway>
|
||||
] [
|
||||
.B \-m
|
||||
<\fIMTU\fP>
|
||||
] [
|
||||
.B \-p
|
||||
<\fIpointtest\fP>
|
||||
] [
|
||||
.B \-s
|
||||
<\fIsource\fP>
|
||||
] <destination>
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBiptest\fP ...
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-1
|
||||
Run IP test group #1. This group of tests generates packets with the IP
|
||||
header fields set to invalid values given other packet characteristics.
|
||||
The point tests are: 1 (ip_hl < ip_len), 2 (ip_hl > ip_len),
|
||||
3 (ip_v < 4), 4 (ip_v > 4), 5 (ip_len < packetsize, long packets),
|
||||
6 (ip_len > packet size, short packets), 7 (Zero length fragments),
|
||||
8 (packet > 64k after reassembly), 9 (IP offset with MSB set), 10 (ttl
|
||||
variations).
|
||||
.TP
|
||||
.B \-2
|
||||
Run IP test group #2. This group of tests generates packets with the IP
|
||||
options constructed with invalud values given other packet characteristics.
|
||||
The point tests are: 1 (option length > packet length), 2 (option length = 0).
|
||||
.TP
|
||||
.B \-3
|
||||
Run IP test group #3. This group of tests generates packets with the ICMP
|
||||
header fields set to non-standard values. The point tests are: 1 (ICMP types
|
||||
0-31 & 255), 2 (type 3 & code 0 - 31), 3 (type 4 & code 0, 127, 128, 255),
|
||||
4 (type 5 & code 0, 127, 128, 255), 5 (types 8-10,13-18 with codes 0, 127,
|
||||
128 and 255), 6 (type 12 & code 0, 127, 128, 129, 255) and 7 (type 3 & codes
|
||||
9-10, 13-14 and 17-18 - shortened packets).
|
||||
.TP
|
||||
.B \-4
|
||||
Run IP test group #4. This group of tests generates packets with the UDP
|
||||
header fields set to non-standard values. The point tests are: 1 (UDP length
|
||||
> packet size), 2 (UDP length < packetsize), 3 (sport = 0, 1, 32767, 32768,
|
||||
65535), 4 (dport = 0, 1, 32767, 32768, 65535) and 5 (sizeof(struct ip) <= MTU
|
||||
<= sizeof(struct udphdr) + sizeof(struct ip)).
|
||||
.TP
|
||||
.B \-5
|
||||
Run IP test group #5. This group of tests generates packets with the TCP
|
||||
header fields set to non-standard values. The point tests are: 1 (TCP flags
|
||||
variations, all combinations), 2 (seq = 0, 0x7fffffff, 0x8000000, 0xa0000000,
|
||||
0xffffffff), 3 (ack = 0, 0x7fffffff, 0x8000000, 0xa0000000, 0xffffffff),
|
||||
4 (SYN packet with window of 0, 32768, 65535), 5 (set urgent pointer to 1,
|
||||
0x7fff, 0x8000, 0xffff), 6 (data offset), 7 (sport = 0, 1, 32767, 32768,
|
||||
65535) and 8 (dport = 0, 1, 32767, 32768, 65535).
|
||||
.TP
|
||||
.B \-6
|
||||
Run IP test group #6. This test generates a large number of fragments in
|
||||
an attempt to exhaust the network buffers used for holding packets for later
|
||||
reassembly. WARNING: this may crash or cause serious performance degradation
|
||||
to the target host.
|
||||
.TP
|
||||
.B \-7
|
||||
Run IP test group #7. This test generates 1024 random IP packets with only
|
||||
the IP version, checksum, length and IP offset field correct.
|
||||
.TP
|
||||
.BR \-d \0<interface>
|
||||
Set the interface name to be the name supplied.
|
||||
.TP
|
||||
.BR \-g \0<gateway>
|
||||
Specify the hostname of the gateway through which to route packets. This
|
||||
is required whenever the destination host isn't directly attached to the
|
||||
same network as the host from which you're sending.
|
||||
.TP
|
||||
.BR \-m \0<MTU>
|
||||
Specify the MTU to be used when sending out packets. This option allows you
|
||||
to set a fake MTU, allowing the simulation of network interfaces with small
|
||||
MTU's without setting them so.
|
||||
.TP
|
||||
.B \-p <test>
|
||||
Run a...
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipsend(1), ipresend(1), bpf(4), dlpi(7p)
|
||||
.SH DIAGNOSTICS
|
||||
Only one of the numeric test options may be given when \fIiptest\fP is run.
|
||||
.PP
|
||||
Needs to be run as root.
|
||||
.SH BUGS
|
||||
.PP
|
||||
If you find any, please send email to me at darrenr@cyber.com.au
|
12
usr.sbin/ipf/rules/Makefile
Normal file
@ -0,0 +1,12 @@
|
||||
# $NetBSD: Makefile,v 1.1.1.1 1997/09/21 16:49:25 veego Exp $
|
||||
|
||||
FILESDIR= /usr/share/samples/ipf
|
||||
|
||||
FILES= example.1 example.2 example.3 example.4 example.5 example.6 example.7 \
|
||||
example.8 example.9 example.10 example.sr firewall ftp-proxy ftppxy \
|
||||
nat-setup nat.eg server tcpstate
|
||||
|
||||
all:
|
||||
|
||||
.include <bsd.own.mk>
|
||||
.include <bsd.files.mk>
|
4
usr.sbin/ipf/rules/example.1
Normal file
@ -0,0 +1,4 @@
|
||||
#
|
||||
# block all incoming TCP packets on le0 from host "foo" to any destination.
|
||||
#
|
||||
block in on le0 proto tcp from foo/32 to any
|
12
usr.sbin/ipf/rules/example.10
Normal file
@ -0,0 +1,12 @@
|
||||
#
|
||||
# pass ack packets (ie established connection)
|
||||
#
|
||||
pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
|
||||
pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
|
||||
#
|
||||
# block incoming connection requests to my internal network from the big bad
|
||||
# internet.
|
||||
#
|
||||
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
|
||||
# to block the replies:
|
||||
block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
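Review bot: The last rule, `block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA`, gives the bare address `10.1.0.0` while the inbound rule it mirrors uses `10.1.0.0/16`, so without the mask it appears to match only that one host rather than the internal network the comment describes; I would write `block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA`. The comment `# to block the replies:` could also say which replies, e.g. `# block the SYN-ACK replies that would complete those connections`.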
|
26
usr.sbin/ipf/rules/example.11
Normal file
@ -0,0 +1,26 @@
|
||||
#
|
||||
# allow any TCP packets from the same subnet as foo is on through to host
|
||||
# 10.1.1.2 if they are destined for port 6667.
|
||||
#
|
||||
pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
|
||||
#
|
||||
# allow in UDP packets which are NOT from port 53 and are destined for
|
||||
# localhost
|
||||
#
|
||||
pass in proto udp from fubar port != 53 to localhost
|
||||
#
|
||||
# block anything trying to get to X terminal ports, X:0 to X:9
|
||||
#
|
||||
block in proto tcp from any to any port 5999 >< 6010
|
||||
#
|
||||
# allow any connections to be made, except to BSD print/r-services
|
||||
# this will also protect syslog.
|
||||
#
|
||||
block in proto tcp/udp all
|
||||
pass in proto tcp/udp from any to any port 512 <> 515
|
||||
#
|
||||
# allow any connections to be made, except to BSD print/r-services
|
||||
# this will also protect syslog.
|
||||
#
|
||||
pass in proto tcp/udp all
|
||||
block in proto tcp/udp from any to any port 511 >< 516
|
17
usr.sbin/ipf/rules/example.12
Normal file
@ -0,0 +1,17 @@
|
||||
#
|
||||
# get rid of all short IP fragments (too small for valid comparison)
|
||||
#
|
||||
block in proto tcp all with short
|
||||
#
|
||||
# drop and log any IP packets with options set in them.
|
||||
#
|
||||
block in log all with ipopts
|
||||
#
|
||||
# log packets with BOTH ssrr and lsrr set
|
||||
#
|
||||
log in all with opt lsrr,ssrr
|
||||
#
|
||||
# drop any source routing options
|
||||
#
|
||||
block in quick all with opt lsrr
|
||||
block in quick all with opt ssrr
|
17
usr.sbin/ipf/rules/example.13
Normal file
@ -0,0 +1,17 @@
|
||||
#
|
||||
# Log all short TCP packets to qe3, with "packetlog" as the intended
|
||||
# destination for the packet.
|
||||
#
|
||||
block in to qe3:packetlog proto tcp all with short
|
||||
#
|
||||
# Log all connection attempts for TCP
|
||||
#
|
||||
pass in dup-to le0:packetlog proto tcp all flags S/SA
|
||||
#
|
||||
# Route all UDP packets through transparently.
|
||||
#
|
||||
pass in fastroute proto udp all
|
||||
#
|
||||
# Route all ICMP packets to network 10 out through le1, to "router"
|
||||
#
|
||||
pass in to le1:router proto icmp all
|
4
usr.sbin/ipf/rules/example.2
Normal file
@ -0,0 +1,4 @@
|
||||
#
|
||||
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
|
||||
#
|
||||
block out on le0 proto tcp from any to bar/32 port != 23
|
40
usr.sbin/ipf/rules/example.3
Normal file
@ -0,0 +1,40 @@
|
||||
#
|
||||
# block all inbound packets.
|
||||
#
|
||||
block in from any to any
|
||||
#
|
||||
# pass through packets to and from localhost.
|
||||
#
|
||||
pass in from 127.0.0.1/32 to 127.0.0.1/32
|
||||
#
|
||||
# allow a variety of individual hosts to send any type of IP packet to any
|
||||
# other host.
|
||||
#
|
||||
pass in from 10.1.3.1/32 to any
|
||||
pass in from 10.1.3.2/32 to any
|
||||
pass in from 10.1.3.3/32 to any
|
||||
pass in from 10.1.3.4/32 to any
|
||||
pass in from 10.1.3.5/32 to any
|
||||
pass in from 10.1.0.13/32 to any
|
||||
pass in from 10.1.1.1/32 to any
|
||||
pass in from 10.1.2.1/32 to any
|
||||
#
|
||||
#
|
||||
# block all outbound packets.
|
||||
#
|
||||
block out from any to any
|
||||
#
|
||||
# allow any packets destined for localhost out.
|
||||
#
|
||||
pass out from any to 127.0.0.1/32
|
||||
#
|
||||
# allow any host to send any IP packet out to a limited number of hosts.
|
||||
#
|
||||
pass out from any to 10.1.3.1/32
|
||||
pass out from any to 10.1.3.2/32
|
||||
pass out from any to 10.1.3.3/32
|
||||
pass out from any to 10.1.3.4/32
|
||||
pass out from any to 10.1.3.5/32
|
||||
pass out from any to 10.1.0.13/32
|
||||
pass out from any to 10.1.1.1/32
|
||||
pass out from any to 10.1.2.1/32
|
4
usr.sbin/ipf/rules/example.4
Normal file
@ -0,0 +1,4 @@
|
||||
#
|
||||
# block all ICMP packets.
|
||||
#
|
||||
block in proto icmp from any to any
|
25
usr.sbin/ipf/rules/example.5
Normal file
@ -0,0 +1,25 @@
|
||||
#
|
||||
# test ruleset
|
||||
#
|
||||
# allow packets coming from foo to bar through.
|
||||
#
|
||||
pass from foo to bar
|
||||
#
|
||||
# allow any TCP packets from the same subnet as foo is on through to host
|
||||
# 10.1.1.2 if they are destined for port 6667.
|
||||
#
|
||||
pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
|
||||
#
|
||||
# allow in UDP packets which are NOT from port 53 and are destined for
|
||||
# localhost
|
||||
#
|
||||
pass proto udp from fubar port != 53 to localhost
|
||||
#
|
||||
# block all ICMP unreachables.
|
||||
#
|
||||
block from any to any icmp unreach
|
||||
#
|
||||
# allow packets through which have a non-standard IP header length (ie there
|
||||
# are IP options such as source-routing present).
|
||||
#
|
||||
pass from any to any with ipopts
|
5
usr.sbin/ipf/rules/example.6
Normal file
@ -0,0 +1,5 @@
|
||||
#
|
||||
# block all TCP packets with only the SYN flag set (this is the first
|
||||
# packet sent to establish a connection) out of the SYN-ACK pair.
|
||||
#
|
||||
block in proto tcp from any to any flags S/SA
|
12
usr.sbin/ipf/rules/example.7
Normal file
@ -0,0 +1,12 @@
|
||||
# block all ICMP packets.
|
||||
#
|
||||
block in proto icmp all
|
||||
#
|
||||
# allow in ICMP echos and echo-replies.
|
||||
#
|
||||
pass in on le1 proto icmp from any to any icmp-type echo
|
||||
pass in on le1 proto icmp from any to any icmp-type echorep
|
||||
#
|
||||
# block all ICMP destination unreachable packets which are port-unreachables
|
||||
#
|
||||
block in on le1 proto icmp from any to any icmp-type unreach code 3
|
10
usr.sbin/ipf/rules/example.8
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# block all incoming TCP connections but send back a TCP-RST for ones to
|
||||
# the ident port
|
||||
#
|
||||
block in proto tcp from any to any flags S/SA
|
||||
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
|
||||
#
|
||||
# block all inbound UDP packets and send back an ICMP error.
|
||||
#
|
||||
block return-icmp in proto udp from any to any
|
12
usr.sbin/ipf/rules/example.9
Normal file
@ -0,0 +1,12 @@
|
||||
#
|
||||
# drop all packets without IP security options
|
||||
#
|
||||
block in all
|
||||
pass in all with opt sec
|
||||
#
|
||||
# only allow packets in and out on le0 which are top secret
|
||||
#
|
||||
block out on le1 all
|
||||
pass out on le1 all with opt sec-class topsecret
|
||||
block in on le1 all
|
||||
pass in on le1 all with opt sec-class topsecret
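Review bot: The comment `# only allow packets in and out on le0 which are top secret` names `le0`, but all four rules beneath it are written for `le1`, so the comment and the rules disagree about which interface is being restricted. Since the rules are what gets loaded, I would correct the comment to `# only allow packets in and out on le1 which are top secret`, or change the interface in the rules if `le0` was intended.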
|
61
usr.sbin/ipf/rules/example.sr
Normal file
@ -0,0 +1,61 @@
|
||||
#
|
||||
# log all inbound packet on le0 which has IP options present
|
||||
#
|
||||
log in on le0 from any to any with ipopts
|
||||
#
|
||||
# block any inbound packets on le0 which are fragmented and "too short" to
|
||||
# do any meaningful comparison on. This actually only applies to TCP
|
||||
# packets which can be missing the flags/ports (depending on which part
|
||||
# of the fragment you see).
|
||||
#
|
||||
block in log quick on le0 from any to any with short frag
|
||||
#
|
||||
# log all inbound TCP packets with the SYN flag (only) set
|
||||
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
|
||||
# had IP options present, this rule and the above would cause it
|
||||
# to be logged twice).
|
||||
#
|
||||
log in on le0 proto tcp from any to any flags S/SA
|
||||
#
|
||||
# block and log any inbound ICMP unreachables
|
||||
#
|
||||
block in log on le0 proto icmp from any to any icmp-type unreach
|
||||
#
|
||||
# block and log any inbound UDP packets on le0 which are going to port 2049
|
||||
# (the NFS port).
|
||||
#
|
||||
block in log on le0 proto udp from any to any port = 2049
|
||||
#
|
||||
# quickly allow any packets to/from a particular pair of hosts
|
||||
#
|
||||
pass in quick from any to 10.1.3.2/32
|
||||
pass in quick from any to 10.1.0.13/32
|
||||
pass in quick from 10.1.3.2/32 to any
|
||||
pass in quick from 10.1.0.13/32 to any
|
||||
#
|
||||
# block (and stop matching) any packet with IP options present.
|
||||
#
|
||||
block in quick on le0 from any to any with ipopts
|
||||
#
|
||||
# allow any packet through
|
||||
#
|
||||
pass in from any to any
|
||||
#
|
||||
# block any inbound UDP packets destined for these subnets.
|
||||
#
|
||||
block in on le0 proto udp from any to 10.1.3.0/24
|
||||
block in on le0 proto udp from any to 10.1.1.0/24
|
||||
block in on le0 proto udp from any to 10.1.2.0/24
|
||||
#
|
||||
# block any inbound TCP packets with only the SYN flag set that are
|
||||
# destined for these subnets.
|
||||
#
|
||||
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
|
||||
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
|
||||
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
|
||||
#
|
||||
# block any inbound ICMP packets destined for these subnets.
|
||||
#
|
||||
block in on le0 proto icmp from any to 10.1.3.0/24
|
||||
block in on le0 proto icmp from any to 10.1.1.0/24
|
||||
block in on le0 proto icmp from any to 10.1.2.0/24
|
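Review bot: The four `pass in quick` rules for 10.1.3.2 and 10.1.0.13 sit above `block in quick on le0 from any to any with ipopts`, and since `quick` ends matching (as the file's own comment on the ipopts rule says), packets to or from those two hosts that carry IP options are passed without the ipopts block ever being consulted. If that block is meant to apply to every packet, it should be moved above the host-specific pass rules. The same ordering also lets those two hosts bypass the per-subnet UDP/TCP/ICMP block rules at the end of the file, which may be intended for a trusted pair but is not stated; the comment could say `# (these hosts bypass every later rule, including the ipopts block)` so the exemption is deliberate rather than accidental.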
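--- a/usr.sbin/ipf/rules/firewall
+++ b/usr.sbin/ipf/rules/firewall
@@ -0,0 +1,39 @@
+Configuring IP Filter for firewall usage.
+=========================================
+
+Step 1 - Block out "bad" IP packets.
+------------------------------------
+
+Run the perl script "mkfilters". This will generate a list of blocking
+rules which:
+a) blocks all packets which might belong to an IP Spoofing attack;
+b) blocks all packets with IP options;
+c) blocks all packets which have a length which is too short for
+any legal packet;
+
+Step 2 - Convert Network Security Policy to filter rules.
+---------------------------------------------------------
+
+Draw up a list of which services you want to allow users to use on the
+Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
+want each host that is part of your firewall to be allowed to do, including
+communication with internal hosts.
+
+Step 3 - Create TCP "keep state" rules.
+---------------------------------------
+
+For each service that uses TCP, create a rule as follows:
+
+pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
+
+where
+* "int-a" is the internal interface of the firewall. That is, it is the
+closest to your internal network in terms of network hops.
+
+* "int-net" is the internal network IP# subnet address range. This might
+be something like 10.1.0.0/16, or 128.33.1.0/24
+
+* "ext-service" is the service to which you which to connect or if it doesn't
+have a proper name, a number can be used. The translation of "ext-service"
+as a name to a number is controlled with the /etc/services file.
+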
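--- a/usr.sbin/ipf/rules/ftp-proxy
+++ b/usr.sbin/ipf/rules/ftp-proxy
@@ -0,0 +1,40 @@
+How to setup FTP proxying using the built in proxy code.
+========================================================
+
+NOTE: Currently, the built-in FTP proxy is only available for use with NAT
+(i.e. only if you're already using "map" rules with ipnat).
+
+Lets assume your network diagram looks something like this:
+
+
+[host A]
+|a
+---+-------------+----------
+|b
+[host B]
+|c
+---+-------------+----------
+|d
+[host C]
+
+and IP Filter is running on host B. If you want to proxy FTP from A to C
+then you would do:
+
+map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
+
+int-c = name of "interface c"
+ipaddr-a = ip# of interface a
+ipaddr-c-net = another ip# on the C-network (usually not the same as the
+interface).
+
+e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
+which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
+203.45.67.90, you would do:
+
+map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
+
+where:
+ipaddr-a = 10.1.1.1
+int-c = vx0
+ipaddr-c-net = 203.45.67.91
+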
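--- a/usr.sbin/ipf/rules/ftppxy
+++ b/usr.sbin/ipf/rules/ftppxy
@@ -0,0 +1,6 @@
+#!/bin/sh
+# The proxy bit is as follows:
+# proxy [port <portname>] <tag>/<protocol>
+# the <tag> should match a tagname in the proxy table, as does the protocol.
+# this format isn't finalised yet
+echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -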
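--- a/usr.sbin/ipf/rules/nat-setup
+++ b/usr.sbin/ipf/rules/nat-setup
@@ -0,0 +1,77 @@
+Configuring NAT on your network.
+================================
+
+To start setting up NAT, we need to define which is your "internal" interface
+and which is your "external" interface. The "internal" interface is the
+network adapter connected to the network with private IP addresses which
+you need to change for communicating on the Internet. The "external"
+interface is configured with a valid internet address.
+
+For example, your internal interface might have an IP# of 10.1.1.1 and be
+connected to your ethernet, whilst your external interface might be a PPP
+connection with an IP number of 204.51.62.176.
+
+Thus your network might look like this:
+
+<Internal Network>
+[pc] [pc]
+| |
++-+---------+------+
+|
+[firewall]
+|
+|
+Internet
+<External Network>
+
+
+Writing the map-rule.
+---------------------
+When you're connected to the Internet, you will either have a block of IP
+addresses assigned to you, maybe several different blocks, or you use a
+single IP address, i.e. with dialup PPP. If you have a block of addresses
+assigned, these can be used to create either a 1:1 mapping (if you have
+only a few internal IP addresses) or N:1 mappings, where groups of internal
+addresses map to a single IP address and unless you have enough Internet
+addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
+UDP port numbers.
+
+For an N:1 situation, you might have:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
+
+where if you had 16 addresses available, you could do:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
+
+Or if you wanted to allocate subnets to each IP#, you might do:
+
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
+
+*** NOTE: NAT rules are used on a first-match basis only!
+
+
+Filtering with NAT.
+-------------------
+IP Filter will always translate addresses in a packet _BEFORE_ it checks its
+access list for inbound packets and translates addresses _AFTER_ it has
+checked the access control lists for outbound packets.
+
+For example (using the above NAT rules), if you wanted to prevent all hosts
+in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
+with ipf:
+
+block out on ppp0 from 10.1.2.0/24 to any
+block in on ppp0 from any to 10.1.2.0/24
+
+and use these with ipnat:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap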
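--- a/usr.sbin/ipf/rules/nat.eg
+++ b/usr.sbin/ipf/rules/nat.eg
@@ -0,0 +1,14 @@
+# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
+# port number to something between 10,000 and 20,000 inclusive. For all other
+# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
+# for each new user.
+#
+map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
+map ed1 10.1.0.0/16 -> 240.1.0.0/24
+#
+# Redirection is triggered for input packets.
+# For example, to redirect FTP connections through this box, to the local ftp
+# port, forcing them to connect through a proxy, you would use:
+#
+rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
+#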
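--- a/usr.sbin/ipf/rules/server
+++ b/usr.sbin/ipf/rules/server
@@ -0,0 +1,11 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet. We're not concerned about filtering individual services
+# or
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in quick log on le0 from any to any
+block in quick log on le1 from 128.1.1.0/24 to any
+pass in quick on le1 from any to any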
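Review bot: The anti-spoofing rule on le1 blocks `128.1.1.0/24`, a subnet the header comment never mentions; the comment describes le0 as the leaf subnet (128.1.40.0/24 in the le0 pass rule) and le1 as 128.1.2.1, so the inbound packets on le1 that claim a source inside the le0 leaf subnet are the spoofed ones, and as written they fall through to the final `pass in quick on le1 from any to any`. If 128.1.1.0/24 is not a typo for 128.1.40.0/24, the comment should say what that subnet is and why it is the one being rejected. Separately, the comment sentence ending in `# or` is cut off mid-sentence and should be completed or removed so the example's stated scope is unambiguous.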
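--- a/usr.sbin/ipf/rules/tcpstate
+++ b/usr.sbin/ipf/rules/tcpstate
@@ -0,0 +1,13 @@
+#
+# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
+# somewhere, waiting for it.
+#
+pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
+block out on le0 proto tcp all
+block in on le0 proto tcp all
+#
+# allow nameserver queries and replies to pass through, but no other UDP
+#
+pass out quick on le0 proto udp from any to any port = 53 keep state
+block out on le0 proto udp all
+block in on le0 proto udp all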