Import IP Filter 3.4.1

veego 2000-05-03 10:56:46 +00:00
parent 24ff0c6e1f
commit ba17d31cd0
19 changed files with 1762 additions and 398 deletions

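--- a/dist/ipf/SunOS4/mkroutes
+++ b/dist/ipf/SunOS4/mkroutes
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+# for best results, bring up all your interfaces before running this
+open(I, "ifconfig -a|") || die $!;
+while (<I>) {
+chop;
+if (/^[a-zA-Z]+\d+:/) {
+($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
+$ifaces{$iface} = $iface;
+next;
+}
+if (/inet/) {
+if (/\-\-\>/) { # PPP, (SLIP?)
+($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
+($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
+} else {
+($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
+}
+}
+if (/netmask/) {
+($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
+$mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
+$netmask{$iface} = $mask;
+}
+if (/broadcast/) {
+($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
+}
+}
+foreach $i (keys %ifaces) {
+$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
+}
+foreach $i (keys %ifaces) {
+next if (($i =~ /lo/) || !defined($net{$i}));
+# 8/25/97; removed || defined($ppp{$i})
+system("route add $inet{$i} localhost 0");
+}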

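--- a/dist/ipf/SunOS4/rc.ipf
+++ b/dist/ipf/SunOS4/rc.ipf
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Id: rc.ipf,v 2.1 2000/01/14 15:29:06 darrenr Exp
+cd /usr/local/ip_fil || exit 1
+umask 022
+#SYM='-sym'
+if /usr/etc/modstat | grep -s 'IP Filter'; then
+echo ip filter module already loaded
+else
+if [ ! -f if_ipl.o ]; then
+echo missing if_ipl.o
+exit 1
+fi
+if modload $SYM if_ipl.o; then
+echo loaded if_ipl
+else
+echo if_ipl load failed
+exit 1
+fi
+echo starting ipmon
+# syslog any logged packets
+/usr/local/bin/ipmon -s &
+fi
+# allow me to run ipfstat as myself (i'm in group kmem)
+chmod 640 /dev/ipl /dev/ipauth /dev/ipnat /dev/ipstate
+chgrp kmem /dev/ipl /dev/ipauth /dev/ipnat /dev/ipstate
+# create loopback routes for all interface addrs
+echo adding loopback routes
+./mkroutes
+echo loading filters
+./reload
+# pass reload status:
+exit $?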

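--- a/dist/ipf/SunOS4/reload
+++ b/dist/ipf/SunOS4/reload
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Id: reload,v 2.1 2000/01/14 15:29:05 darrenr Exp
+DIR=/usr/local/ip_fil
+if [ -f $DIR/mkroutes ]; then
+$DIR/mkroutes >/dev/null 2>&1
+fi
+#LOG=none
+LOG=nomatch
+# perform changes to inactive filter set
+# clear all filters
+# load filters
+# select log flags
+# swap filter sets
+/usr/local/etc/ipf -I -Fa -f $DIR/filters -l $LOG -s
+# load ip translations
+/usr/local/etc/ipnat -Cf $DIR/trans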


@ -6,13 +6,13 @@
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
all: $(DESTDIR)/y.tab.o $(DESTDIR)/lex.yy.o y.tab.o lex.yy.o
all: $(DESTDIR)/y.tab.o $(DESTDIR)/lex.yy.o
$(DESTDIR)/y.tab.o: y.tab.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c y.tab.c -o $@
$(DESTDIR)/y.tab.o: $(DESTDIR)/y.tab.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@
$(DESTDIR)/lex.yy.o: lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c lex.yy.c -o $@
$(DESTDIR)/lex.yy.o: $(DESTDIR)/lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/lex.yy.c -o $@
y.tab.o: y.tab.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c y.tab.c -o $@
@ -20,11 +20,14 @@ y.tab.o: y.tab.c
lex.yy.o: lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c lex.yy.c -o $@
lex.yy.c: iplang_l.l y.tab.h
$(DESTDIR)/lex.yy.c: iplang_l.l $(DESTDIR)/y.tab.h
lex iplang_l.l
mv lex.yy.c $(DESTDIR)
y.tab.c y.tab.h: iplang_y.y
$(DESTDIR)/y.tab.c $(DESTDIR)/y.tab.h: iplang_y.y
yacc -d iplang_y.y
mv y.tab.c $(DESTDIR)
mv y.tab.h $(DESTDIR)
clean:
/bin/rm -f *.o lex.yy.c y.tab.c y.tab.h


@ -1,4 +1,4 @@
/* $NetBSD: iplang_y.y,v 1.1.1.1 1999/12/11 22:24:07 veego Exp $ */
/* $NetBSD: iplang_y.y,v 1.1.1.2 2000/05/03 10:56:53 veego Exp $ */
%{
/*
@ -8,7 +8,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* Id: iplang_y.y,v 2.1.2.1 1999/11/21 11:05:09 darrenr Exp
* Id: iplang_y.y,v 2.2 1999/12/04 03:37:04 darrenr Exp
*/
#include <stdio.h>


@ -1,4 +1,4 @@
/* $NetBSD: ipsend.c,v 1.1.1.1 1999/12/11 22:24:09 veego Exp $ */
/* $NetBSD: ipsend.c,v 1.1.1.2 2000/05/03 10:57:02 veego Exp $ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
@ -14,7 +14,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsend.c,v 2.1.2.2 1999/11/28 03:43:44 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipsend.c,v 2.2 1999/12/04 03:37:05 darrenr Exp";
#endif
#include <stdio.h>
#include <stdlib.h>


@ -1,4 +1,4 @@
/* $NetBSD: iptest.c,v 1.1.1.1 1999/12/11 22:24:10 veego Exp $ */
/* $NetBSD: iptest.c,v 1.1.1.2 2000/05/03 10:57:03 veego Exp $ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
@ -14,7 +14,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: iptest.c,v 2.1.2.2 1999/11/28 03:43:45 darrenr Exp";
static const char rcsid[] = "@(#)Id: iptest.c,v 2.2 1999/12/04 03:37:05 darrenr Exp";
#endif
#include <stdio.h>
#include <netdb.h>

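--- a/dist/ipf/l4check/Makefile
+++ b/dist/ipf/l4check/Makefile
@@ -0,0 +1,10 @@
+# For Solaris
+#LIBS=-lsocket -lnsl
+all: l4check
+l4check: l4check.c
+$(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@
+clean:
+/bin/rm -f l4check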

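--- a/dist/ipf/l4check/http.check
+++ b/dist/ipf/l4check/http.check
@@ -0,0 +1,2 @@
+GET /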

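--- a/dist/ipf/l4check/http.ok
+++ b/dist/ipf/l4check/http.ok
@@ -0,0 +1 @@
+<HTML>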

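--- a/dist/ipf/l4check/l4check.c
+++ b/dist/ipf/l4check/l4check.c
@@ -0,0 +1,807 @@
+/* $NetBSD: l4check.c,v 1.1.1.1 2000/05/03 10:57:06 veego Exp $ */
+/*
+* (C)Copyright March, 2000 - Darren Reed.
+*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <net/if.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <stdlib.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_nat.h"
+#include "ipf.h"
+extern char *optarg;
+typedef struct l4cfg {
+struct l4cfg *l4_next;
+struct ipnat l4_nat; /* NAT rule */
+struct sockaddr_in l4_sin; /* remote socket to connect */
+time_t l4_last; /* when we last connected */
+int l4_alive; /* 1 = remote alive */
+int l4_fd;
+int l4_rw; /* 0 = reading, 1 = writing */
+char *l4_rbuf; /* read buffer */
+int l4_rsize; /* size of buffer */
+int l4_rlen; /* how much used */
+char *l4_wptr; /* next byte to write */
+int l4_wlen; /* length yet to be written */
+} l4cfg_t;
+l4cfg_t *l4list = NULL;
+char *response = NULL;
+char *probe = NULL;
+l4cfg_t template;
+int frequency = 20;
+int ctimeout = 1;
+int rtimeout = 1;
+size_t plen = 0;
+size_t rlen = 0;
+int natfd = -1;
+int opts = 0;
+#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
+# define strerror(x) sys_errlist[x]
+#endif
+char *copystr(dst, src)
+char *dst, *src;
+{
+register char *s, *t, c;
+register int esc = 0;
+for (s = src, t = dst; s && t && (c = *s++); )
+if (esc) {
+esc = 0;
+switch (c)
+{
+case 'n' :
+*t++ = '\n';
+break;
+case 'r' :
+*t++ = '\r';
+break;
+case 't' :
+*t++ = '\t';
+break;
+}
+} else if (c != '\\')
+*t++ = c;
+else
+esc = 1;
+*t = '\0';
+return dst;
+}
+void addnat(l4)
+l4cfg_t *l4;
+{
+ipnat_t *ipn = &l4->l4_nat;
+printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]),
+ipn->in_outmsk, ntohs(ipn->in_pmin));
+printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext));
+if (!(opts & OPT_DONOTHING)) {
+if (ioctl(natfd, SIOCADNAT, &ipn) == -1)
+perror("ioctl(SIOCADNAT)");
+}
+}
+void delnat(l4)
+l4cfg_t *l4;
+{
+ipnat_t *ipn = &l4->l4_nat;
+printf("Remove NAT rule for %s/%#x,%u -> ",
+inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin);
+printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext);
+if (!(opts & OPT_DONOTHING)) {
+if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
+perror("ioctl(SIOCRMNAT)");
+}
+}
+void connectl4(l4)
+l4cfg_t *l4;
+{
+l4->l4_rw = 1;
+l4->l4_rlen = 0;
+l4->l4_wlen = plen;
+if (!l4->l4_wlen) {
+l4->l4_alive = 1;
+addnat(l4);
+} else
+l4->l4_wptr = probe;
+}
+void closel4(l4, dead)
+l4cfg_t *l4;
+int dead;
+{
+close(l4->l4_fd);
+l4->l4_fd = -1;
+l4->l4_rw = -1;
+if (dead && l4->l4_alive) {
+l4->l4_alive = 0;
+delnat(l4);
+}
+}
+void connectfd(l4)
+l4cfg_t *l4;
+{
+if (connect(l4->l4_fd, (struct sockaddr *)&l4->l4_sin,
+sizeof(l4->l4_sin)) == -1) {
+if (errno == EISCONN) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Connected fd %d\n",
+l4->l4_fd);
+connectl4(l4);
+return;
+}
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Connect failed fd %d: %s\n",
+l4->l4_fd, strerror(errno));
+closel4(l4, 1);
+return;
+}
+l4->l4_rw = 1;
+}
+void writefd(l4)
+l4cfg_t *l4;
+{
+char buf[80], *ptr;
+int n, i, fd;
+fd = l4->l4_fd;
+if (l4->l4_rw == -2) {
+connectfd(l4);
+return;
+}
+n = l4->l4_wlen;
+i = send(fd, l4->l4_wptr, n, 0);
+if (i == 0 || i == -1) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Send on fd %d failed: %s\n",
+fd, strerror(errno));
+closel4(l4, 1);
+} else {
+l4->l4_wptr += i;
+l4->l4_wlen -= i;
+if (l4->l4_wlen == 0)
+l4->l4_rw = 0;
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Sent %d bytes to fd %d\n", i, fd);
+}
+}
+void readfd(l4)
+l4cfg_t *l4;
+{
+char buf[80], *ptr;
+int n, i, fd;
+fd = l4->l4_fd;
+if (l4->l4_rw == -2) {
+connectfd(l4);
+return;
+}
+if (l4->l4_rsize) {
+n = l4->l4_rsize - l4->l4_rlen;
+ptr = l4->l4_rbuf + l4->l4_rlen;
+} else {
+n = sizeof(buf) - 1;
+ptr = buf;
+}
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Read %d bytes on fd %d to %p\n",
+n, fd, ptr);
+i = recv(fd, ptr, n, 0);
+if (i == 0 || i == -1) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Read error on fd %d: %s\n",
+fd, (i == 0) ? "EOF" : strerror(errno));
+closel4(l4, 1);
+} else {
+if (ptr == buf)
+ptr[i] = '\0';
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "%d: Read %d bytes [%*.*s]\n",
+fd, i, i, i, ptr);
+if (ptr != buf) {
+l4->l4_rlen += i;
+if (l4->l4_rlen >= l4->l4_rsize) {
+if (!strncmp(response, l4->l4_rbuf,
+l4->l4_rsize)) {
+printf("%d: Good response\n",
+fd);
+if (!l4->l4_alive) {
+l4->l4_alive = 1;
+addnat(l4);
+}
+closel4(l4, 0);
+} else {
+if (opts & OPT_VERBOSE)
+printf("%d: Bad response\n",
+fd);
+closel4(l4, 1);
+}
+}
+} else if (!l4->l4_alive) {
+l4->l4_alive = 1;
+addnat(l4);
+closel4(l4, 0);
+}
+}
+}
+int runconfig()
+{
+int fd, opt, res, mfd, i;
+struct timeval tv;
+time_t now, now1;
+fd_set rfd, wfd;
+l4cfg_t *l4;
+mfd = 0;
+opt = 1;
+now = time(NULL);
+/*
+* First, initiate connections that are closed, as required.
+*/
+for (l4 = l4list; l4; l4 = l4->l4_next) {
+if ((l4->l4_last + frequency < now) && (l4->l4_fd == -1)) {
+l4->l4_last = now;
+fd = socket(AF_INET, SOCK_STREAM, 0);
+if (fd == -1)
+continue;
+setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt,
+sizeof(opt));
+#ifdef O_NONBLOCK
+if ((res = fcntl(fd, F_GETFL, 0)) != -1)
+fcntl(fd, F_SETFL, res | O_NONBLOCK);
+#endif
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"Connecting to %s,%d (fd %d)...",
+inet_ntoa(l4->l4_sin.sin_addr),
+ntohs(l4->l4_sin.sin_port), fd);
+if (connect(fd, (struct sockaddr *)&l4->l4_sin,
+sizeof(l4->l4_sin)) == -1) {
+if (errno != EINPROGRESS) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "failed\n");
+perror("connect");
+close(fd);
+fd = -1;
+} else {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "waiting\n");
+l4->l4_rw = -2;
+}
+} else {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "connected\n");
+connectl4(l4);
+}
+l4->l4_fd = fd;
+}
+}
+/*
+* Now look for fd's which we're expecting to read/write from.
+*/
+FD_ZERO(&rfd);
+FD_ZERO(&wfd);
+tv.tv_sec = MIN(rtimeout, ctimeout);
+tv.tv_usec = 0;
+for (l4 = l4list; l4; l4 = l4->l4_next)
+if (l4->l4_rw == 0) {
+if (now - l4->l4_last > rtimeout) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "%d: Read timeout\n",
+l4->l4_fd);
+closel4(l4, 1);
+continue;
+}
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Wait for read on fd %d\n",
+l4->l4_fd);
+FD_SET(l4->l4_fd, &rfd);
+if (l4->l4_fd > mfd)
+mfd = l4->l4_fd;
+} else if ((l4->l4_rw == 1 && l4->l4_wlen) ||
+l4->l4_rw == -2) {
+if ((l4->l4_rw == -2) &&
+(now - l4->l4_last > ctimeout)) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"%d: connect timeout\n",
+l4->l4_fd);
+closel4(l4);
+continue;
+}
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Wait for write on fd %d\n",
+l4->l4_fd);
+FD_SET(l4->l4_fd, &wfd);
+if (l4->l4_fd > mfd)
+mfd = l4->l4_fd;
+}
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Select: max fd %d wait %d\n", mfd + 1,
+tv.tv_sec);
+i = select(mfd + 1, &rfd, &wfd, NULL, &tv);
+if (i == -1) {
+perror("select");
+return -1;
+}
+now1 = time(NULL);
+for (l4 = l4list; (i > 0) && l4; l4 = l4->l4_next) {
+if (l4->l4_fd < 0)
+continue;
+if (FD_ISSET(l4->l4_fd, &rfd)) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Ready to read on fd %d\n",
+l4->l4_fd);
+readfd(l4);
+i--;
+}
+if ((l4->l4_fd >= 0) && FD_ISSET(l4->l4_fd, &wfd)) {
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Ready to write on fd %d\n",
+l4->l4_fd);
+writefd(l4);
+i--;
+}
+}
+return 0;
+}
+int gethostport(str, lnum, ipp, portp)
+char *str;
+int lnum;
+u_32_t *ipp;
+u_short *portp;
+{
+struct servent *sp;
+struct hostent *hp;
+char *host, *port;
+struct in_addr ip;
+host = str;
+port = strchr(host, ',');
+if (port)
+*port++ = '\0';
+#ifdef HAVE_INET_ATON
+if (isdigit(*host) && inet_aton(host, &ip))
+*ipp = ip.s_addr;
+#else
+if (isdigit(*host))
+*ipp = inet_addr(host);
+#endif
+else {
+if (!(hp = gethostbyname(host))) {
+fprintf(stderr, "%d: can't resolve hostname: %s\n",
+lnum, host);
+return 0;
+}
+*ipp = *(u_32_t *)hp->h_addr;
+}
+if (port) {
+if (isdigit(*port))
+*portp = htons(atoi(port));
+else {
+sp = getservbyname(port, "tcp");
+if (sp)
+*portp = sp->s_port;
+else {
+fprintf(stderr, "%d: unknown service %s\n",
+lnum, port);
+return 0;
+}
+}
+} else
+*portp = 0;
+return 1;
+}
+char *mapfile(file, sizep)
+char *file;
+size_t *sizep;
+{
+struct stat sb;
+caddr_t addr;
+int fd;
+fd = open(file, O_RDONLY);
+if (fd == -1) {
+perror("open(mapfile)");
+return NULL;
+}
+if (fstat(fd, &sb) == -1) {
+perror("fstat(mapfile)");
+close(fd);
+return NULL;
+}
+addr = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
+if (addr == (caddr_t)-1) {
+perror("mmap(mapfile)");
+close(fd);
+return NULL;
+}
+close(fd);
+*sizep = sb.st_size;
+return (char *)addr;
+}
+int readconfig(filename)
+char *filename;
+{
+char c, buf[512], *s, *t, *errtxt = NULL, *line;
+int num, err = 0;
+ipnat_t *ipn;
+l4cfg_t *l4;
+FILE *fp;
+fp = fopen(filename, "r");
+if (!fp) {
+perror("open(configfile)");
+return -1;
+}
+bzero((char *)&template, sizeof(template));
+template.l4_fd = -1;
+template.l4_rw = -1;
+template.l4_sin.sin_family = AF_INET;
+ipn = &template.l4_nat;
+ipn->in_flags = IPN_TCP|IPN_ROUNDR;
+ipn->in_redir = NAT_REDIRECT;
+for (num = 1; fgets(buf, sizeof(buf), fp); num++) {
+s = strchr(buf, '\n');
+if (!s) {
+fprintf(stderr, "%d: line too long\n", num);
+fclose(fp);
+return -1;
+}
+*s = '\0';
+/*
+* lines which are comments
+*/
+s = strchr(buf, '#');
+if (s)
+*s = '\0';
+/*
+* Skip leading whitespace
+*/
+for (line = buf; (c = *line) && isspace(c); line++)
+;
+if (!*line)
+continue;
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Parsing: [%s]\n", line);
+t = strtok(line, " \t");
+if (!t)
+continue;
+if (!strcasecmp(t, "interface")) {
+s = strtok(NULL, " \t");
+if (s)
+t = strtok(NULL, "\t");
+if (!s || !t) {
+errtxt = line;
+err = -1;
+break;
+}
+if (!strchr(t, ',')) {
+fprintf(stderr,
+"%d: local address,port missing\n",
+num);
+err = -1;
+break;
+}
+strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));
+if (!gethostport(t, num, &ipn->in_outip,
+&ipn->in_pmin)) {
+errtxt = line;
+err = -1;
+break;
+}
+ipn->in_outmsk = 0xffffffff;
+ipn->in_pmax = ipn->in_pmin;
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"Interface %s %s/%#x port %u\n",
+ipn->in_ifname,
+inet_ntoa(ipn->in_out[0]),
+ipn->in_outmsk, ipn->in_pmin);
+} else if (!strcasecmp(t, "remote")) {
+if (!*ipn->in_ifname) {
+fprintf(stderr,
+"%d: ifname not set prior to remote\n",
+num);
+err = -1;
+break;
+}
+s = strtok(NULL, " \t");
+if (s)
+t = strtok(NULL, "");
+if (!s || !t || strcasecmp(s, "server")) {
+errtxt = line;
+err = -1;
+break;
+}
+ipn->in_pnext = 0;
+if (!gethostport(t, num, &ipn->in_inip,
+&ipn->in_pnext)) {
+errtxt = line;
+err = -1;
+break;
+}
+ipn->in_inmsk = 0xffffffff;
+if (ipn->in_pnext == 0)
+ipn->in_pnext = ipn->in_pmin;
+l4 = (l4cfg_t *)malloc(sizeof(*l4));
+if (!l4) {
+fprintf(stderr, "%d: out of memory (%d)\n",
+num, sizeof(*l4));
+err = -1;
+break;
+}
+bcopy((char *)&template, (char *)l4, sizeof(*l4));
+l4->l4_sin.sin_addr = ipn->in_in[0];
+l4->l4_sin.sin_port = ipn->in_pnext;
+l4->l4_next = l4list;
+l4list = l4;
+} else if (!strcasecmp(t, "connect")) {
+s = strtok(NULL, " \t");
+if (s)
+t = strtok(NULL, "\t");
+if (!s || !t) {
+errtxt = line;
+err = -1;
+break;
+} else if (!strcasecmp(s, "timeout")) {
+ctimeout = atoi(t);
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "connect timeout %d\n",
+ctimeout);
+} else if (!strcasecmp(s, "frequency")) {
+frequency = atoi(t);
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"connect frequency %d\n",
+frequency);
+} else {
+errtxt = line;
+err = -1;
+break;
+}
+} else if (!strcasecmp(t, "probe")) {
+s = strtok(NULL, " \t");
+if (!s) {
+errtxt = line;
+err = -1;
+break;
+} else if (!strcasecmp(s, "string")) {
+if (probe) {
+fprintf(stderr,
+"%d: probe already set\n",
+num);
+err = -1;
+break;
+}
+t = strtok(NULL, "");
+if (!t) {
+fprintf(stderr,
+"%d: No probe string\n", num);
+err = -1;
+break;
+}
+probe = malloc(strlen(t));
+copystr(probe, t);
+plen = strlen(probe);
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Probe string [%s]\n",
+probe);
+} else if (!strcasecmp(s, "file")) {
+t = strtok(NULL, " \t");
+if (!t) {
+errtxt = line;
+err = -1;
+break;
+}
+if (probe) {
+fprintf(stderr,
+"%d: probe already set\n",
+num);
+err = -1;
+break;
+}
+probe = mapfile(t, &plen);
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"Probe file %s len %u@%p\n",
+t, plen, probe);
+}
+} else if (!strcasecmp(t, "response")) {
+s = strtok(NULL, " \t");
+if (!s) {
+errtxt = line;
+err = -1;
+break;
+} else if (!strcasecmp(s, "timeout")) {
+t = strtok(NULL, " \t");
+if (!t) {
+errtxt = line;
+err = -1;
+break;
+}
+rtimeout = atoi(t);
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"response timeout %d\n",
+rtimeout);
+} else if (!strcasecmp(s, "string")) {
+if (response) {
+fprintf(stderr,
+"%d: response already set\n",
+num);
+err = -1;
+break;
+}
+response = strdup(strtok(NULL, ""));
+rlen = strlen(response);
+template.l4_rsize = rlen;
+template.l4_rbuf = malloc(rlen);
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"Response string [%s]\n",
+response);
+} else if (!strcasecmp(s, "file")) {
+t = strtok(NULL, " \t");
+if (!t) {
+errtxt = line;
+err = -1;
+break;
+}
+if (response) {
+fprintf(stderr,
+"%d: response already set\n",
+num);
+err = -1;
+break;
+}
+response = mapfile(t, &rlen);
+template.l4_rsize = rlen;
+template.l4_rbuf = malloc(rlen);
+if (opts & OPT_VERBOSE)
+fprintf(stderr,
+"Response file %s len %u@%p\n",
+t, rlen, response);
+}
+} else {
+errtxt = line;
+err = -1;
+break;
+}
+}
+if (errtxt)
+fprintf(stderr, "%d: syntax error at \"%s\"\n", num, errtxt);
+fclose(fp);
+return err;
+}
+void usage(prog)
+char *prog;
+{
+fprintf(stderr, "Usage: %s -f <configfile>\n", prog);
+exit(1);
+}
+int main(argc, argv)
+int argc;
+char *argv[];
+{
+char *config = NULL;
+int c;
+while ((c = getopt(argc, argv, "f:nv")) != -1)
+switch (c)
+{
+case 'f' :
+config = optarg;
+break;
+case 'n' :
+opts |= OPT_DONOTHING;
+break;
+case 'v' :
+opts |= OPT_VERBOSE;
+break;
+}
+if (config == NULL)
+usage(argv[0]);
+if (readconfig(config))
+exit(1);
+if (!l4list) {
+fprintf(stderr, "No remote servers, exiting.");
+exit(1);
+}
+if (!(opts & OPT_DONOTHING)) {
+natfd = open(IPL_NAT, O_RDWR);
+if (natfd == -1) {
+perror("open(IPL_NAT)");
+exit(1);
+}
+}
+if (opts & OPT_VERBOSE)
+fprintf(stderr, "Starting...\n");
+while (runconfig() == 0)
+;
+}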

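--- a/dist/ipf/l4check/l4check.conf
+++ b/dist/ipf/l4check/l4check.conf
@@ -0,0 +1,31 @@
+#
+# NOTE: ORDER IS IMPORTANT IN THIS FILE
+#
+# Interface to do the redirections on and the IP address which will be
+# targeted.
+#
+interface nf0 192.168.1.1,2100
+#
+connect timeout 1
+connect frequency 20
+#
+# If no probe string is specified, a successful connection implies the
+# server is still alive.
+#
+probe string GET /\n\n
+#probe file http.check
+#
+response timeout 4
+response string <HTML>
+#response file http.ok
+#
+# Here we have multiple servers, listed because that's what happens to be
+# used for testing of connect timeoutes, read timeouts, success and things
+# which don't connect.
+#
+remote server 192.168.1.2,23
+remote server 192.168.1.2,2101
+remote server 192.168.1.3,25
+remote server 192.168.1.254,8000
+remote server 192.168.1.1,9
+#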


@ -17,6 +17,7 @@ install:
$(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
@echo "Remember to rebuild the whatis database."

7
dist/ipf/man/ipf.8 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ipf.8,v 1.1.1.1 1999/12/11 22:24:10 veego Exp $
.\" $NetBSD: ipf.8,v 1.1.1.2 2000/05/03 10:57:12 veego Exp $
.\"
.TH IPF 8
.SH NAME
@ -6,7 +6,7 @@ ipf \- alters packet filtering lists for IP packet input and output
.SH SYNOPSIS
.B ipf
[
.B \-AdDEInoPrsUvVyzZ
.B \-6AdDEInoPrsUvVyzZ
] [
.B \-l
<block|pass|nomatch>
@ -32,6 +32,9 @@ Rules are added to the end of the internal lists, matching the order in
which they appear when given to \fBipf\fP.
.SH OPTIONS
.TP
.B \-6
This option is required to parse IPv6 rules and to have them loaded.
.TP
.B \-A
Set the list to make changes to the active list (default).
.TP

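--- a/dist/ipf/man/ipfs.8
+++ b/dist/ipf/man/ipfs.8
@@ -0,0 +1,121 @@
+.\" $NetBSD: ipfs.8,v 1.1.1.1 2000/05/03 10:57:13 veego Exp $
+.\"
+.TH IPFS 8
+.SH NAME
+ipfs \- saves and restores information for NAT and state tables.
+.SH SYNOPSIS
+.B ipfs
+[-nv] -l
+.PP
+.B ipfs
+[-nv] -u
+.PP
+.B ipfs
+[-nv] [
+.B \-d
+<\fIdirname\fP>
+] -R
+.PP
+.B ipfs
+[-nv] [
+.B \-d
+<\fIdirname\fP>
+] -W
+.PP
+.B ipfs
+[-nNSv] [
+.B \-f
+<\fIfilename\fP>
+] -r
+.PP
+.B ipfs
+[-nNSv] [
+.B \-f
+<\fIfilename\fP>
+] -w
+.PP
+.B ipfs
+[-nNSv]
+.B \-f
+<\fIfilename\fP>
+.B \-i
+<if1>,<if2>
+.SH DESCRIPTION
+.PP
+\fBipfs\fP allows state information created for NAT entries and rules using
+\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
+allowing for the system to experience a reboot, followed by the restoration
+of that information, resulting in connections not being interrupted.
+.SH OPTIONS
+.TP
+.B \-d
+Change the default directory used with
+.B \-R
+and
+.B \-W
+options for saving state information.
+.B \-n
+Don't actually take any action that would effect information stored in
+the kernel or on disk.
+.TP
+.B \-v
+Provides a verbose description of what's being done.
+.TP
+.B \-N
+Operate on NAT information.
+.TP
+.B \-S
+Operate on filtering state information.
+.TP
+.B \-u
+Unlock state tables in the kernel.
+.TP
+.B \-l
+Unlock state tables in the kernel.
+.TP
+.B \-r
+Read information in from the specified file and load it into the
+kernel. This requires the state tables to have already been locked
+and does not change the lock once comlete.
+.TP
+.B \-w
+Write information out to the specified file and from the kernel.
+This requires the state tables to have already been locked
+and does not change the lock once comlete.
+.TP
+.B \-R
+Restores all saved state information, if any, from two files,
+\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
+directory unless otherwise specified the
+.B \-d
+option is used. The state tables are locked at the beginning of this
+operation and unlocked once complete.
+.TP
+.B \-W
+Saves in-kernel state information, if any, out to two files,
+\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
+directory unless otherwise specified the
+.B \-d
+option is used. The state tables are locked at the beginning of this
+operation and unlocked once complete.
+.DT
+.SH FILES
+/var/db/ipf/ipstate.ipf
+.br
+/var/db/ipf/ipnat.ipf
+.br
+/dev/ipl
+.br
+/dev/ipstate
+.br
+/dev/ipnat
+.SH SEE ALSO
+ipf(8), ipl(4), ipmon(8), ipnat(8)
+.SH DIAGNOSTICS
+.PP
+Perhaps the -W and -R operations should set the locking but rather than
+undo it, restore it to what it was previously. Fragment table information
+is currently not saved.
+.SH BUGS
+.PP
+If you find any, please send email to me at darrenr@pobox.com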

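--- a/dist/ipf/perl/ipf-mrtg.pl
+++ b/dist/ipf/perl/ipf-mrtg.pl
@@ -0,0 +1,22 @@
+#!/usr/local/bin/perl
+# reads stats and uptime for ip-filter for mrtg
+# ron@rosie.18james.com, 2 Jan 2000
+my $firewall = "IP Filter v3.3.3";
+my($in_pkts,$out_pkts) = (0,0);
+open(FW, "/sbin/ipfstat -hi|") || die "cannot open ipfstat -hi\n";
+while (<FW>) {
+$in_pkts += $1 if (/^(\d+)\s+pass\s+in\s+quick.*group\s+1\d0/);
+}
+close(FW);
+open(FW, "/sbin/ipfstat -ho|") || die "cannot open ipfstat -ho\n";
+while (<FW>) {
+$out_pkts += $1 if (/^(\d+)\s+pass\s+out\s+quick.*group\s+1\d0/);
+}
+print "$in_pkts\n",
+"$out_pkts\n";
+my $uptime = `/usr/bin/uptime`;
+$uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/;
+print "$2 $3\n",
+"$firewall\n";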

1020
dist/ipf/perl/plog vendored



@ -1,4 +1,4 @@
/* $NetBSD: proxy.c,v 1.1.1.1 1999/12/11 22:24:12 veego Exp $ */
/* $NetBSD: proxy.c,v 1.1.1.2 2000/05/03 10:57:27 veego Exp $ */
/*
* Sample transparent proxy program.
@ -53,6 +53,7 @@ char *argv[];
{
struct sockaddr_in sin, sloc, sout;
natlookup_t natlook;
natlookup_t *natlookp = &natlook;
char buffer[512];
int namelen, fd, n;
@ -90,7 +91,7 @@ char *argv[];
* Open the NAT device and lookup the mapping pair.
*/
fd = open(IPL_NAT, O_RDONLY);
if (ioctl(fd, SIOCGNATL, &natlook) == -1) {
if (ioctl(fd, SIOCGNATL, &natlookp) == -1) {
perror("ioctl");
exit(-1);
}


@ -1,4 +1,4 @@
/* $NetBSD: userauth.c,v 1.1.1.1 1999/12/11 22:24:12 veego Exp $ */
/* $NetBSD: userauth.c,v 1.1.1.2 2000/05/03 10:57:27 veego Exp $ */
#include <sys/types.h>
#include <sys/socket.h>
@ -17,13 +17,14 @@ extern int errno;
main()
{
struct frauth fra;
struct frauth *frap = &fra;
fr_info_t *fin = &fra.fra_info;
fr_ip_t *fi = &fin->fin_fi;
char yn[16];
int fd;
fd = open(IPL_NAME, O_RDWR);
while (ioctl(fd, SIOCAUTHW, &fra) == 0) {
while (ioctl(fd, SIOCAUTHW, &frap) == 0) {
if (fra.fra_info.fin_out)
fra.fra_pass = FR_OUTQUE;
else
@ -51,7 +52,7 @@ main()
fra.fra_pass |= FR_NOMATCH;
printf("answer = %c (%x), id %d idx %d\n", yn[0],
fra.fra_pass, fra.fra_info.fin_id, fra.fra_index);
if (ioctl(fd, SIOCAUTHR, &fra) != 0)
if (ioctl(fd, SIOCAUTHR, &frap) != 0)
perror("SIOCAUTHR");
}
fprintf(stderr, "errno=%d \n", errno);