From e8fb8bd3a9dbfed0654af02e37e2baa74a02d00f Mon Sep 17 00:00:00 2001 
From: darrenr Date: Sat, 29 Mar 1997 02:49:40 +0000 Subject: [PATCH] Properly import usr.sbin/ipf updates --- usr.sbin/ipf/ipfstat/Makefile | 6 +- usr.sbin/ipf/ipfstat/kmem.c | 7 +- usr.sbin/ipf/ipfstat/kmem.h | 17 +- usr.sbin/ipf/ipftest/Makefile | 8 +- usr.sbin/ipf/ipftest/ip_frag.c | 280 ++++ usr.sbin/ipf/ipftest/ip_nat.c | 928 ++++++++++++ usr.sbin/ipf/ipftest/ip_state.c | 544 +++++++ usr.sbin/ipf/ipftest/ipft_ef.c | 8 +- usr.sbin/ipf/ipftest/ipft_hx.c | 41 +- usr.sbin/ipf/ipftest/ipft_pc.c | 32 +- usr.sbin/ipf/ipftest/ipft_sn.c | 9 +- usr.sbin/ipf/ipftest/ipft_td.c | 9 +- usr.sbin/ipf/ipftest/ipft_tx.c | 24 +- usr.sbin/ipf/ipftest/ipt.c | 61 +- usr.sbin/ipf/ipftest/ipt.h | 19 +- usr.sbin/ipf/ipftest/misc.c | 38 +- usr.sbin/ipf/ipftest/opt.c | 137 ++ usr.sbin/ipf/ipftest/snoop.h | 4 +- usr.sbin/ipf/ipftest/test/.cvsignore | 24 + usr.sbin/ipf/ipftest/test/Makefile | 39 + usr.sbin/ipf/ipftest/test/dotest | 26 + usr.sbin/ipf/ipftest/test/expected/1 | 16 + usr.sbin/ipf/ipftest/test/expected/10 | 108 ++ usr.sbin/ipf/ipftest/test/expected/11 | 66 + usr.sbin/ipf/ipftest/test/expected/12 | 54 + usr.sbin/ipf/ipftest/test/expected/2 | 36 + usr.sbin/ipf/ipftest/test/expected/3 | 40 + usr.sbin/ipf/ipftest/test/expected/4 | 40 + usr.sbin/ipf/ipftest/test/expected/5 | 1344 +++++++++++++++++ usr.sbin/ipf/ipftest/test/expected/6 | 1344 +++++++++++++++++ usr.sbin/ipf/ipftest/test/expected/7 | 54 + usr.sbin/ipf/ipftest/test/expected/8 | 36 + usr.sbin/ipf/ipftest/test/expected/9 | 108 ++ .../ipf/ipftest/test/expected/expected.sed | 0 usr.sbin/ipf/ipftest/test/expected/i1 | 11 + usr.sbin/ipf/ipftest/test/expected/i10 | 4 + usr.sbin/ipf/ipftest/test/expected/i11 | 4 + usr.sbin/ipf/ipftest/test/expected/i2 | 6 + usr.sbin/ipf/ipftest/test/expected/i3 | 8 + usr.sbin/ipf/ipftest/test/expected/i4 | 7 + usr.sbin/ipf/ipftest/test/expected/i5 | 5 + usr.sbin/ipf/ipftest/test/expected/i6 | 4 + usr.sbin/ipf/ipftest/test/expected/i7 | 3 + usr.sbin/ipf/ipftest/test/expected/i8 | 2 + 
usr.sbin/ipf/ipftest/test/expected/i9 | 5 + usr.sbin/ipf/ipftest/test/hextest | 23 + usr.sbin/ipf/ipftest/test/input/1 | 4 + usr.sbin/ipf/ipftest/test/input/10 | 6 + usr.sbin/ipf/ipftest/test/input/11 | 11 + usr.sbin/ipf/ipftest/test/input/12 | 35 + usr.sbin/ipf/ipftest/test/input/13 | 39 + usr.sbin/ipf/ipftest/test/input/2 | 6 + usr.sbin/ipf/ipftest/test/input/3 | 5 + usr.sbin/ipf/ipftest/test/input/4 | 5 + usr.sbin/ipf/ipftest/test/input/5 | 28 + usr.sbin/ipf/ipftest/test/input/6 | 28 + usr.sbin/ipf/ipftest/test/input/7 | 9 + usr.sbin/ipf/ipftest/test/input/8 | 6 + usr.sbin/ipf/ipftest/test/input/9 | 6 + usr.sbin/ipf/ipftest/test/input/input.sed | 0 usr.sbin/ipf/ipftest/test/itest | 21 + usr.sbin/ipf/ipftest/test/regress/1 | 4 + usr.sbin/ipf/ipftest/test/regress/10 | 18 + usr.sbin/ipf/ipftest/test/regress/11 | 6 + usr.sbin/ipf/ipftest/test/regress/12 | 6 + usr.sbin/ipf/ipftest/test/regress/13 | 6 + usr.sbin/ipf/ipftest/test/regress/2 | 6 + usr.sbin/ipf/ipftest/test/regress/3 | 8 + usr.sbin/ipf/ipftest/test/regress/4 | 8 + usr.sbin/ipf/ipftest/test/regress/5 | 48 + usr.sbin/ipf/ipftest/test/regress/6 | 48 + usr.sbin/ipf/ipftest/test/regress/7 | 6 + usr.sbin/ipf/ipftest/test/regress/8 | 6 + usr.sbin/ipf/ipftest/test/regress/9 | 18 + usr.sbin/ipf/ipftest/test/regress/i1 | 11 + usr.sbin/ipf/ipftest/test/regress/i10 | 4 + usr.sbin/ipf/ipftest/test/regress/i11 | 4 + usr.sbin/ipf/ipftest/test/regress/i2 | 6 + usr.sbin/ipf/ipftest/test/regress/i3 | 8 + usr.sbin/ipf/ipftest/test/regress/i4 | 7 + usr.sbin/ipf/ipftest/test/regress/i5 | 5 + usr.sbin/ipf/ipftest/test/regress/i6 | 4 + usr.sbin/ipf/ipftest/test/regress/i7 | 3 + usr.sbin/ipf/ipftest/test/regress/i8 | 2 + usr.sbin/ipf/ipftest/test/regress/i9 | 5 + usr.sbin/ipf/ipftest/test/regress/regress.sed | 0 usr.sbin/ipf/ipftest/test/test.sed | 6 + usr.sbin/ipf/ipmon/Makefile | 5 +- usr.sbin/ipf/ipnat/Makefile | 6 +- usr.sbin/ipf/ipnat/ipnat.8 | 9 +- 90 files changed, 5971 insertions(+), 100 deletions(-) create mode 100644 
usr.sbin/ipf/ipftest/ip_frag.c create mode 100644 usr.sbin/ipf/ipftest/ip_nat.c create mode 100644 usr.sbin/ipf/ipftest/ip_state.c create mode 100644 usr.sbin/ipf/ipftest/opt.c create mode 100644 usr.sbin/ipf/ipftest/test/.cvsignore create mode 100644 usr.sbin/ipf/ipftest/test/Makefile create mode 100644 usr.sbin/ipf/ipftest/test/dotest create mode 100644 usr.sbin/ipf/ipftest/test/expected/1 create mode 100644 usr.sbin/ipf/ipftest/test/expected/10 create mode 100644 usr.sbin/ipf/ipftest/test/expected/11 create mode 100644 usr.sbin/ipf/ipftest/test/expected/12 create mode 100644 usr.sbin/ipf/ipftest/test/expected/2 create mode 100644 usr.sbin/ipf/ipftest/test/expected/3 create mode 100644 usr.sbin/ipf/ipftest/test/expected/4 create mode 100644 usr.sbin/ipf/ipftest/test/expected/5 create mode 100644 usr.sbin/ipf/ipftest/test/expected/6 create mode 100644 usr.sbin/ipf/ipftest/test/expected/7 create mode 100644 usr.sbin/ipf/ipftest/test/expected/8 create mode 100644 usr.sbin/ipf/ipftest/test/expected/9 create mode 100644 usr.sbin/ipf/ipftest/test/expected/expected.sed create mode 100644 usr.sbin/ipf/ipftest/test/expected/i1 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i10 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i11 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i2 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i3 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i4 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i5 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i6 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i7 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i8 create mode 100644 usr.sbin/ipf/ipftest/test/expected/i9 create mode 100644 usr.sbin/ipf/ipftest/test/hextest create mode 100644 usr.sbin/ipf/ipftest/test/input/1 create mode 100644 usr.sbin/ipf/ipftest/test/input/10 create mode 100644 usr.sbin/ipf/ipftest/test/input/11 create mode 100644 usr.sbin/ipf/ipftest/test/input/12 create mode 100644 
usr.sbin/ipf/ipftest/test/input/13 create mode 100644 usr.sbin/ipf/ipftest/test/input/2 create mode 100644 usr.sbin/ipf/ipftest/test/input/3 create mode 100644 usr.sbin/ipf/ipftest/test/input/4 create mode 100644 usr.sbin/ipf/ipftest/test/input/5 create mode 100644 usr.sbin/ipf/ipftest/test/input/6 create mode 100644 usr.sbin/ipf/ipftest/test/input/7 create mode 100644 usr.sbin/ipf/ipftest/test/input/8 create mode 100644 usr.sbin/ipf/ipftest/test/input/9 create mode 100644 usr.sbin/ipf/ipftest/test/input/input.sed create mode 100644 usr.sbin/ipf/ipftest/test/itest create mode 100644 usr.sbin/ipf/ipftest/test/regress/1 create mode 100644 usr.sbin/ipf/ipftest/test/regress/10 create mode 100644 usr.sbin/ipf/ipftest/test/regress/11 create mode 100644 usr.sbin/ipf/ipftest/test/regress/12 create mode 100644 usr.sbin/ipf/ipftest/test/regress/13 create mode 100644 usr.sbin/ipf/ipftest/test/regress/2 create mode 100644 usr.sbin/ipf/ipftest/test/regress/3 create mode 100644 usr.sbin/ipf/ipftest/test/regress/4 create mode 100644 usr.sbin/ipf/ipftest/test/regress/5 create mode 100644 usr.sbin/ipf/ipftest/test/regress/6 create mode 100644 usr.sbin/ipf/ipftest/test/regress/7 create mode 100644 usr.sbin/ipf/ipftest/test/regress/8 create mode 100644 usr.sbin/ipf/ipftest/test/regress/9 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i1 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i10 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i11 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i2 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i3 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i4 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i5 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i6 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i7 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i8 create mode 100644 usr.sbin/ipf/ipftest/test/regress/i9 create mode 100644 usr.sbin/ipf/ipftest/test/regress/regress.sed create mode 100644 
usr.sbin/ipf/ipftest/test/test.sed diff --git a/usr.sbin/ipf/ipfstat/Makefile b/usr.sbin/ipf/ipfstat/Makefile index a9fe24ae0231..072c650c1d3e 100644 --- a/usr.sbin/ipf/ipfstat/Makefile +++ b/usr.sbin/ipf/ipfstat/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $ +# $NetBSD: Makefile,v 1.1.1.2 1997/03/29 02:49:43 darrenr Exp $ PROG= ipfstat SRCS= kmem.c fils.c opt.c parse.c MAN= ipfstat.8 -CFLAGS+= -I${.CURDIR}/../../../sbin/ipf +CFLAGS+= -I${.CURDIR}/../../sbin/ipf -.PATH: ${.CURDIR}/../../../sbin/ipf +.PATH: ${.CURDIR}/../../sbin/ipf .include diff --git a/usr.sbin/ipf/ipfstat/kmem.c b/usr.sbin/ipf/ipfstat/kmem.c index 4368e5ac60f1..8d8795d7fe7d 100644 --- a/usr.sbin/ipf/ipfstat/kmem.c +++ b/usr.sbin/ipf/ipfstat/kmem.c @@ -1,3 +1,5 @@ +/* $NetBSD: kmem.c,v 1.1.1.2 1997/03/29 02:49:40 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * @@ -16,12 +18,11 @@ #include #include #include - -#define KMEM "/dev/kmem" +#include "kmem.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static char rcsid[] = "$Id: kmem.c,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $"; +static char rcsid[] = "$Id: kmem.c,v 1.1.1.2 1997/03/29 02:49:40 darrenr Exp $"; #endif static int kmemfd = -1; diff --git a/usr.sbin/ipf/ipfstat/kmem.h b/usr.sbin/ipf/ipfstat/kmem.h index f293290940db..2fa37f54459e 100644 --- a/usr.sbin/ipf/ipfstat/kmem.h +++ b/usr.sbin/ipf/ipfstat/kmem.h 
@@ -1,12 +1,23 @@ +/* $NetBSD: kmem.h,v 1.1.1.2 1997/03/29 02:49:41 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: kmem.h,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $ + * $Id: kmem.h,v 1.1.1.2 1997/03/29 02:49:41 darrenr Exp $ */ -extern int openkmem(); -extern int kmemcpy(); +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif +extern int openkmem __P((void)); +extern int kmemcpy __P((char *, long, int)); + +#define KMEM "/dev/kmem" diff --git a/usr.sbin/ipf/ipftest/Makefile b/usr.sbin/ipf/ipftest/Makefile index 56cdc7ca13cd..15d24db80541 100644 --- a/usr.sbin/ipf/ipftest/Makefile +++ b/usr.sbin/ipf/ipftest/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $ +# $NetBSD: Makefile,v 1.1.1.2 1997/03/29 02:49:55 darrenr Exp $ PROG= ipftest -SRCS= parse.c fil.c ipt.c ipft_sn.c ipft_ef.c ipft_td.c opt.c ipft_tx.c misc.c ip_frag.c ip_state.c ip_nat.c ipft_hx.c +SRCS= ipt.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c opt.c ipft_tx.c misc.c ip_frag.c ip_state.c ip_nat.c ipft_hx.c NOMAN= yes -CFLAGS+= -I${.CURDIR}/../../../sbin/ipf +CFLAGS+= -I${.CURDIR}/../../sbin/ipf -.PATH: ${.CURDIR}/../../../sbin/ipf ${.CURDIR}/../../../sys/netinet +.PATH: ${.CURDIR}/../../sbin/ipf .include diff --git a/usr.sbin/ipf/ipftest/ip_frag.c b/usr.sbin/ipf/ipftest/ip_frag.c new file mode 100644 index 000000000000..9db8be77bf37 --- /dev/null +++ b/usr.sbin/ipf/ipftest/ip_frag.c 
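Review bot: The new prototype `extern int kmemcpy __P((char *, long, int));` types the byte count as a signed `int`, while callers of a /dev/kmem reader will naturally pass `sizeof(...)` values (a `size_t`), so every call narrows and a negative count cannot be rejected at the interface. Since this header is now the single declaration point for the `KMEM` path and both entry points, it is also the place to document the contract: a short comment such as `/* kmemcpy: read n bytes of kernel memory at address pos into buf; returns 0 on success, -1 on error */` would tell readers what the return value means (the implementation is not in this hunk, so the exact convention should be confirmed against kmem.c). Changing the third parameter to `size_t` is worth considering, though it touches kmem.c's definition outside this hunk.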
@@ -0,0 +1,280 @@ +/* $NetBSD: ip_frag.c,v 1.1.1.1 1997/03/29 02:49:52 darrenr Exp $ */ + +/* + * (C)opyright 1993,1994,1995 by Darren Reed. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and due credit is given + * to the original author and the contributors. + */ +#if !defined(lint) && defined(LIBC_SCCS) +static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; +static char rcsid[] = "$Id: ip_frag.c,v 1.1.1.1 1997/03/29 02:49:52 darrenr Exp $"; +#endif + +#if !defined(_KERNEL) && !defined(KERNEL) +# include +# include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef _KERNEL +# include +#endif +#if !defined(__SVR4) && !defined(__svr4__) +# include +#else +# include +# include +# include +# include +#endif + +#include +#ifdef sun +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +ipfr_t *ipfr_heads[IPFT_SIZE]; +ipfrstat_t ipfr_stats; +u_long ipfr_inuse = 0, + fr_ipfrttl = 120; /* 60 seconds */ +#ifdef _KERNEL +extern int ipfr_timer_id; +#endif +#if SOLARIS +# ifdef _KERNEL +extern kmutex_t ipf_frag; +# else +#define bcmp(a,b,c) memcmp(a,b,c) +#define bcopy(a,b,c) memmove(b,a,c) +# endif +#endif + + +ipfrstat_t *ipfr_fragstats() +{ + ipfr_stats.ifs_table = ipfr_heads; + ipfr_stats.ifs_inuse = ipfr_inuse; + return &ipfr_stats; +} + + +/* + * add a new entry to the fragment cache, registering it as having come + * through this box, with the result of the filter operation. 
+ */ +int ipfr_newfrag(ip, fin, pass) +ip_t *ip; +fr_info_t *fin; +int pass; +{ + ipfr_t **fp, *fr, frag; + u_int idx; + + frag.ipfr_p = ip->ip_p; + idx = ip->ip_p; + frag.ipfr_id = ip->ip_id; + idx += ip->ip_id; + frag.ipfr_tos = ip->ip_tos; + frag.ipfr_src.s_addr = ip->ip_src.s_addr; + idx += ip->ip_src.s_addr; + frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; + idx += ip->ip_dst.s_addr; + idx *= 127; + idx %= IPFT_SIZE; + + /* + * first, make sure it isn't already there... + */ + MUTEX_ENTER(&ipf_frag); + for (fp = &ipfr_heads[idx]; (fr = *fp); fp = &fr->ipfr_next) + if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, + IPFR_CMPSZ)) { + ipfr_stats.ifs_exists++; + MUTEX_EXIT(&ipf_frag); + return -1; + } + + KMALLOC(fr, ipfr_t *, sizeof(*fr)); + if (fr == NULL) { + ipfr_stats.ifs_nomem++; + MUTEX_EXIT(&ipf_frag); + return -1; + } + if ((fr->ipfr_next = ipfr_heads[idx])) + ipfr_heads[idx]->ipfr_prev = fr; + fr->ipfr_prev = NULL; + ipfr_heads[idx] = fr; + bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ); + fr->ipfr_ttl = fr_ipfrttl; + fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG); + fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3); + ipfr_stats.ifs_new++; + ipfr_inuse++; + MUTEX_EXIT(&ipf_frag); + return 0; +} + + +/* + * check the fragment cache to see if there is already a record of this packet + * with its filter result known. + */ +int ipfr_knownfrag(ip, fin) +ip_t *ip; +fr_info_t *fin; +{ + ipfr_t *f, frag; + u_int idx; + int ret; + + /* + * For fragments, we record protocol, packet id, TOS and both IP#'s + * (these should all be the same for all fragments of a packet). 
+ */ + frag.ipfr_p = ip->ip_p; + idx = ip->ip_p; + frag.ipfr_id = ip->ip_id; + idx += ip->ip_id; + frag.ipfr_tos = ip->ip_tos; + frag.ipfr_src.s_addr = ip->ip_src.s_addr; + idx += ip->ip_src.s_addr; + frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; + idx += ip->ip_dst.s_addr; + idx *= 127; + idx %= IPFT_SIZE; + + MUTEX_ENTER(&ipf_frag); + for (f = ipfr_heads[idx]; f; f = f->ipfr_next) + if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src, + IPFR_CMPSZ)) { + u_short atoff, off; + + if (f != ipfr_heads[idx]) { + /* + * move fragment info. to the top of the list + * to speed up searches. + */ + if ((f->ipfr_prev->ipfr_next = f->ipfr_next)) + f->ipfr_next->ipfr_prev = f->ipfr_prev; + f->ipfr_next = ipfr_heads[idx]; + ipfr_heads[idx]->ipfr_prev = f; + f->ipfr_prev = NULL; + ipfr_heads[idx] = f; + } + ret = f->ipfr_pass; + off = ip->ip_off; + atoff = (off & 0x1fff) - (fin->fin_dlen >> 3); + /* + * If we've follwed the fragments, and this is the + * last (in order), shrink expiration time. + */ + if (atoff == f->ipfr_off) { + if (!(off & IP_MF)) + f->ipfr_ttl = 1; + else + f->ipfr_off = off; + } + ipfr_stats.ifs_hits++; + MUTEX_EXIT(&ipf_frag); + return ret; + } + MUTEX_EXIT(&ipf_frag); + return 0; +} + + +/* + * Free memory in use by fragment state info. kept. + */ +void ipfr_unload() +{ + ipfr_t **fp, *fr; + int idx; +#if !SOLARIS && defined(_KERNEL) + int s; +#endif + + MUTEX_ENTER(&ipf_frag); + SPLNET(s); + for (idx = IPFT_SIZE - 1; idx >= 0; idx--) + for (fp = &ipfr_heads[idx]; (fr = *fp); ) { + *fp = fr->ipfr_next; + KFREE(fr); + } + SPLX(s); + MUTEX_EXIT(&ipf_frag); +} + + +#ifdef _KERNEL +/* + * Slowly expire held state for fragments. Timeouts are set * in expectation + * of this being called twice per second. 
+ */ +# if (BSD >= 199306) || SOLARIS +void ipfr_slowtimer() +# else +int ipfr_slowtimer() +# endif +{ + ipfr_t **fp, *fr; + int s, idx; + + MUTEX_ENTER(&ipf_frag); + SPLNET(s); + + for (idx = IPFT_SIZE - 1; idx >= 0; idx--) + for (fp = &ipfr_heads[idx]; (fr = *fp); ) { + --fr->ipfr_ttl; + if (fr->ipfr_ttl == 0) { + if (fr->ipfr_prev) + fr->ipfr_prev->ipfr_next = + fr->ipfr_next; + if (fr->ipfr_next) + fr->ipfr_next->ipfr_prev = + fr->ipfr_prev; + *fp = fr->ipfr_next; + ipfr_stats.ifs_expire++; + ipfr_inuse--; + KFREE(fr); + } else + fp = &fr->ipfr_next; + } + SPLX(s); +# if SOLARIS + MUTEX_EXIT(&ipf_frag); + fr_timeoutstate(); + ip_natexpire(); + ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2); +# else + fr_timeoutstate(); + ip_natexpire(); + ip_slowtimo(); +# if BSD < 199306 + return 0; +# endif +# endif +} +#endif /* defined(_KERNEL) */ diff --git a/usr.sbin/ipf/ipftest/ip_nat.c b/usr.sbin/ipf/ipftest/ip_nat.c new file mode 100644 index 000000000000..56c5902a72b7 --- /dev/null +++ b/usr.sbin/ipf/ipftest/ip_nat.c 
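Review bot: `ipfr_unload()` frees every cache entry with `KFREE(fr)` but never adjusts `ipfr_inuse`, whereas the expiry path in `ipfr_slowtimer()` does `ipfr_inuse--` for each entry it frees; after an unload, `ipfr_fragstats()` keeps reporting the stale `ifs_inuse` count, and if entries are added again the counter drifts permanently. The inner loop should decrement alongside the free, `ipfr_inuse--;` next to `KFREE(fr);`, or the function should end with `ipfr_inuse = 0;` after the table walk. Separately, `ipfr_knownfrag()` returns the cached `ipfr_pass` verdict for any fragment whose (proto, id, tos, src, dst) tuple matches, with no check that the fragment offset falls inside the range already seen, so a cached "pass" applies to any later fragment carrying those header fields; that appears to be the intended cache design rather than an oversight, but a comment stating that the cache trusts the header tuple and does not validate offsets would make the trust boundary explicit.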
@@ -0,0 +1,928 @@ +/* $NetBSD: ip_nat.c,v 1.1.1.1 1997/03/29 02:49:52 darrenr Exp $ */ + +/* + * (C)opyright 1995-1996 by Darren Reed. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and due credit is given + * to the original author and the contributors. + * + * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com) + */ +#if !defined(lint) && defined(LIBC_SCCS) +static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; +static char rcsid[] = "$Id: ip_nat.c,v 1.1.1.1 1997/03/29 02:49:52 darrenr Exp $"; +#endif + +#if !defined(_KERNEL) && !defined(KERNEL) +# include +# include +# include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef _KERNEL +# include +#endif +#if !defined(__SVR4) && !defined(__svr4__) +# include +#else +# include +# include +# include +# include +#endif + +#include +#ifdef sun +#include +#endif +#include +#include +#include +#include + +#ifdef RFC1825 +#include +#include +extern struct ifnet vpnif; +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef MIN +#define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL; +ipnat_t *nat_list = NULL; +u_long nat_inuse = 0, + fr_defnatage = 1200; +natstat_t nat_stats; +#if SOLARIS +# ifndef _KERNEL +#define bzero(a,b) memset(a,0,b) +#define bcmp(a,b,c) memcpy(a,b,c) +#define bcopy(a,b,c) memmove(b,a,c) +# else +extern kmutex_t ipf_nat; +# endif +#endif + +static int flush_nattable __P((void)), clear_natlist __P((void)); +static void nattable_sync __P((void)), nat_delete __P((struct nat *)); +static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int)); +static void fix_outcksum __P((u_short *, u_long)); +static void fix_incksum __P((u_short *, u_long)); + +static void fix_outcksum(sp, n) +u_short *sp; +u_long n; +{ + register u_short sumshort; + register u_long 
sum1; + +#ifdef sparc + sum1 = (~(*sp)) & 0xffff; +#else + sum1 = (~ntohs(*sp)) & 0xffff; +#endif + sum1 += (n); + sum1 = (sum1 >> 16) + (sum1 & 0xffff); + /* Again */ + sum1 = (sum1 >> 16) + (sum1 & 0xffff); + sumshort = ~(u_short)sum1; + *(sp) = htons(sumshort); +} + + +static void fix_incksum(sp, n) +u_short *sp; +u_long n; +{ + register u_short sumshort; + register u_long sum1; + +#ifdef sparc + sum1 = (~(*sp)) & 0xffff; +#else + sum1 = (~ntohs(*sp)) & 0xffff; +#endif + sum1 += ~(n) & 0xffff; + sum1 = (sum1 >> 16) + (sum1 & 0xffff); + /* Again */ + sum1 = (sum1 >> 16) + (sum1 & 0xffff); + sumshort = ~(u_short)sum1; + *(sp) = htons(sumshort); +} + + +/* + * How the NAT is organised and works. + * + * Inside (interface y) NAT Outside (interface x) + * -------------------- -+- ------------------------------------- + * Packet going | out, processsed by ip_natout() for x + * ------------> | ------------> + * src=10.1.1.1 | src=192.1.1.1 + * | + * | in, processed by ip_natin() for x + * <------------ | <------------ + * dst=10.1.1.1 | dst=192.1.1.1 + * -------------------- -+- ------------------------------------- + * ip_natout() - changes ip_src and if required, sport + * - creates a new mapping, if required. + * ip_natin() - changes ip_dst and if required, dport + * + * In the NAT table, internal source is recorded as "in" and externally + * seen as "out". + */ + +/* + * Handle ioctls which manipulate the NAT. 
+ */ +int nat_ioctl(data, cmd, mode) +caddr_t data; +int cmd, mode; +{ + register ipnat_t *nat, *n = NULL, **np = NULL; + ipnat_t natd; + int error = 0, ret, s; + + /* + * For add/delete, look to see if the NAT entry is already present + */ + MUTEX_ENTER(&ipf_nat); + SPLNET(s); + if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { + IRCOPY(data, (char *)&natd, sizeof(natd)); + nat = &natd; + for (np = &nat_list; (n = *np); np = &n->in_next) + if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, + IPN_CMPSIZ)) + break; + } + + switch (cmd) + { + case SIOCADNAT : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + if (n) { + error = EEXIST; + break; + } + KMALLOC(n, ipnat_t *, sizeof(*n)); + if (n == NULL) { + error = ENOMEM; + break; + } + IRCOPY((char *)data, (char *)n, sizeof(*n)); + n->in_ifp = (void *)GETUNIT(n->in_ifname); + n->in_next = *np; + n->in_use = 0; + n->in_space = ~(0xffffffff & ntohl(n->in_outmsk)); + if (n->in_space) /* lose 2: broadcast + network address */ + n->in_space -= 2; + else + n->in_space = 1; /* single IP# mapping */ + if (n->in_outmsk != 0xffffffff) + n->in_nip = ntohl(n->in_outip) + 1; + else + n->in_nip = ntohl(n->in_outip); + if (n->in_redir == NAT_MAP) { + n->in_pnext = ntohs(n->in_pmin); + /* + * Multiply by the number of ports made available. 
+ */ + if (ntohs(n->in_pmax) > ntohs(n->in_pmin)) + n->in_space *= (ntohs(n->in_pmax) - + ntohs(n->in_pmin)); + } + /* Otherwise, these fields are preset */ + *np = n; + break; + case SIOCRMNAT : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + if (!n) { + error = ESRCH; + break; + } + *np = n->in_next; + + KFREE(n); + nattable_sync(); + break; + case SIOCGNATS : + nat_stats.ns_table[0] = nat_table[0]; + nat_stats.ns_table[1] = nat_table[1]; + nat_stats.ns_list = nat_list; + nat_stats.ns_inuse = nat_inuse; + IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats)); + break; + case SIOCGNATL : + { + natlookup_t nl; + + IRCOPY((char *)data, (char *)&nl, sizeof(nl)); + + if (nat_lookupredir(&nl)) + IWCOPY((char *)&nl, (char *)data, sizeof(nl)); + else + error = ESRCH; + break; + } + case SIOCFLNAT : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + ret = flush_nattable(); + IWCOPY((caddr_t)&ret, data, sizeof(ret)); + break; + case SIOCCNATL : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + ret = clear_natlist(); + IWCOPY((caddr_t)&ret, data, sizeof(ret)); + break; + } + SPLX(s); + MUTEX_EXIT(&ipf_nat); + return error; +} + + +static void nat_delete(natd) +struct nat *natd; +{ + register struct nat **natp, *nat; + + for (natp = natd->nat_hstart[0]; (nat = *natp); + natp = &nat->nat_hnext[0]) + if (nat == natd) { + *natp = nat->nat_hnext[0]; + break; + } + + for (natp = natd->nat_hstart[1]; (nat = *natp); + natp = &nat->nat_hnext[1]) + if (nat == natd) { + *natp = nat->nat_hnext[1]; + break; + } + + if (natd->nat_ptr) { + natd->nat_ptr->in_space++; + natd->nat_ptr->in_use--; + } + KFREE(natd); + nat_inuse--; +} + + +/* + * flush_nattable - clear the NAT table of all mapping entries. + */ +static int flush_nattable() +{ + register nat_t *nat, **natp; + register int j = 0; + + /* + * Everything will be deleted, so lets just make it the deletions + * quicker. 
+ */ + bzero((char *)nat_table[0], sizeof(nat_table[0])); + bzero((char *)nat_table[1], sizeof(nat_table[1])); + + for (natp = &nat_instances; (nat = *natp); ) { + *natp = nat->nat_next; + nat_delete(nat); + j++; + } + + return j; +} + + +/* + * I know this is O(N*M), but it can't be avoided. + */ +static void nattable_sync() +{ + register nat_t *nat; + register ipnat_t *np; + int i; + + for (i = NAT_SIZE - 1; i >= 0; i--) + for (nat = nat_instances; nat; nat = nat->nat_next) { + for (np = nat_list; np; np = np->in_next) + if (nat->nat_ptr == np) + break; + /* + * XXX - is it better to remove this if ? works the + * same if it is just "nat->nat_ptr = np". + */ + if (!np) + nat->nat_ptr = NULL; + } +} + + +/* + * clear_natlist - delete all entries in the active NAT mapping list. + */ +static int clear_natlist() +{ + register ipnat_t *n, **np; + int i = 0; + + for (np = &nat_list; (n = *np); i++) { + *np = n->in_next; + KFREE(n); + } + + nattable_sync(); + return i; +} + + +/* + * Create a new NAT table entry. + */ +static nat_t *nat_new(np, ip, fin, flags, direction) +ipnat_t *np; +ip_t *ip; +fr_info_t *fin; +u_short flags; +int direction; +{ + register u_long sum1, sum2, sumd; + u_short port = 0, sport = 0, dport = 0, nport = 0; + struct in_addr in; + tcphdr_t *tcp = NULL; + nat_t *nat, **natp; + u_short nflags; + + nflags = flags & np->in_flags; + if (flags & IPN_TCPUDP) { + tcp = (tcphdr_t *)fin->fin_dp; + sport = tcp->th_sport; + dport = tcp->th_dport; + } + + /* Give me a new nat */ + KMALLOC(nat, nat_t *, sizeof(*nat)); + if (nat == NULL) + return NULL; + + bzero((char *)nat, sizeof(*nat)); + nat->nat_flags = flags; + + /* + * Search the current table for a match. 
+ */ + if (direction == NAT_OUTBOUND) { +#if SOLARIS + ill_t *ill = fin->fin_ifp; +#else + struct ifnet *ifp = fin->fin_ifp; +#endif + /* + * If it's an outbound packet which doesn't match any existing + * record, then create a new port + */ + do { + port = 0; + in.s_addr = np->in_nip; + if (!in.s_addr && (np->in_outmsk == 0xffffffff)) { +#if SOLARIS + in.s_addr = ill->ill_ipif->ipif_local_addr; +#else + struct ifaddr *ifa; + struct sockaddr_in *sin; + + ifa = ifp->if_addrlist; +# if BSD < 199306 + sin = (struct sockaddr_in *)&ifa->ifa_addr; +# else + sin = (struct sockaddr_in *)ifa->ifa_addr; +# endif + bcopy((char *)&sin->sin_addr, + (char *)&in.s_addr, + sizeof(in.s_addr)); +#endif + } + if (nflags & IPN_TCPUDP) { + port = htons(np->in_pnext++); + if (np->in_pnext >= ntohs(np->in_pmax)) { + np->in_pnext = ntohs(np->in_pmin); + np->in_space--; + if (np->in_outmsk != 0xffffffff) + np->in_nip++; + } + } else if (np->in_outmsk != 0xffffffff) { + np->in_space--; + np->in_nip++; + } + + if (!port && (flags & IPN_TCPUDP)) + port = sport; + if ((np->in_nip & ntohl(np->in_outmsk)) > + ntohl(np->in_outip)) + np->in_nip = ntohl(np->in_outip) + 1; + } while (nat_inlookup(flags, ip->ip_dst, dport, in, port)); + + /* Setup the NAT table */ + nat->nat_inip = ip->ip_src; + nat->nat_outip.s_addr = htonl(in.s_addr); + nat->nat_oip = ip->ip_dst; + + sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + + (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport); + + sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(port); + + if (flags & IPN_TCPUDP) { + nat->nat_inport = sport; + nat->nat_outport = port; + nat->nat_oport = dport; + } + } else { + + /* + * Otherwise, it's an inbound packet. Most likely, we don't + * want to rewrite source ports and source addresses. Instead, + * we want to rewrite to a fixed internal address and fixed + * internal port. 
+ */ + in.s_addr = ntohl(np->in_inip); + if (!(nport = np->in_pnext)) + nport = dport; + + nat->nat_inip.s_addr = htonl(in.s_addr); + nat->nat_outip = ip->ip_dst; + nat->nat_oip = ip->ip_src; + + sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + + (ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport); + + sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport); + + if (flags & IPN_TCPUDP) { + nat->nat_inport = nport; + nat->nat_outport = dport; + nat->nat_oport = sport; + } + } + + /* Do it twice */ + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + + /* Do it twice */ + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + + if (sum1 > sum2) + sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ + sumd = sum2 - sum1; + sumd = (sumd & 0xffff) + (sumd >> 16); + nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); + + if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) { + if (direction == NAT_OUTBOUND) + sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + + (ntohl(ip->ip_src.s_addr) >> 16); + else + sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + + (ntohl(ip->ip_dst.s_addr) >> 16); + + sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16); + + /* Do it twice */ + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + + /* Do it twice */ + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + + if (sum1 > sum2) + sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ + sumd = sum2 - sum1; + sumd = (sumd & 0xffff) + (sumd >> 16); + nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16); + } else + nat->nat_ipsumd = nat->nat_sumd; + + in.s_addr = htonl(in.s_addr); + nat->nat_next = nat_instances; + nat_instances = nat; + natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE]; + nat->nat_hstart[0] = natp; + nat->nat_hnext[0] = *natp; + *natp = nat; + natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE]; + nat->nat_hstart[1] = natp; + nat->nat_hnext[1] = *natp; + 
*natp = nat; + nat->nat_ptr = np; + np->in_use++; + if (direction == NAT_OUTBOUND) { + if (flags & IPN_TCPUDP) + tcp->th_sport = htons(port); + } else { + if (flags & IPN_TCPUDP) + tcp->th_dport = htons(nport); + } + nat_stats.ns_added++; + nat_inuse++; + return nat; +} + + +/* + * NB: these lookups don't lock access to the list, it assume it has already + * been done! + */ +/* + * Lookup a nat entry based on the mapped destination ip address/port and + * real source address/port. We use this lookup when receiving a packet, + * we're looking for a table entry, based on the destination address. + * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. + */ +nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport) +register int flags; +struct in_addr src , mapdst; +u_short sport, mapdport; +{ + register nat_t *nat; + + flags &= IPN_TCPUDP; + + nat = nat_table[1][mapdst.s_addr % NAT_SIZE]; + for (; nat; nat = nat->nat_hnext[1]) + if (nat->nat_oip.s_addr == src.s_addr && + nat->nat_outip.s_addr == mapdst.s_addr && + flags == nat->nat_flags && (!flags || + (nat->nat_oport == sport && + nat->nat_outport == mapdport))) + return nat; + return NULL; +} + + +/* + * Lookup a nat entry based on the source 'real' ip address/port and + * destination address/port. We use this lookup when sending a packet out, + * we're looking for a table entry, based on the source address. + * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. 
+ */ +nat_t *nat_outlookup(flags, src, sport, dst, dport) +register int flags; +struct in_addr src , dst; +u_short sport, dport; +{ + register nat_t *nat; + + flags &= IPN_TCPUDP; + + nat = nat_table[0][src.s_addr % NAT_SIZE]; + for (; nat; nat = nat->nat_hnext[0]) + if (nat->nat_inip.s_addr == src.s_addr && + nat->nat_oip.s_addr == dst.s_addr && + flags == nat->nat_flags && (!flags || + (nat->nat_inport == sport && nat->nat_oport == dport))) + return nat; + return NULL; +} + + +/* + * Lookup a nat entry based on the mapped source ip address/port and + * real destination address/port. We use this lookup when sending a packet + * out, we're looking for a table entry, based on the source address. + */ +nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport) +register int flags; +struct in_addr mapsrc , dst; +u_short mapsport, dport; +{ + register nat_t *nat; + + flags &= IPN_TCPUDP; + + nat = nat_table[1][mapsrc.s_addr % NAT_SIZE]; + for (; nat; nat = nat->nat_hnext[0]) + if (nat->nat_outip.s_addr == mapsrc.s_addr && + nat->nat_oip.s_addr == dst.s_addr && + flags == nat->nat_flags && (!flags || + (nat->nat_outport == mapsport && + nat->nat_oport == dport))) + return nat; + return NULL; +} + + +/* + * Lookup the NAT tables to search for a matching redirect + */ +nat_t *nat_lookupredir(np) +register natlookup_t *np; +{ + nat_t *nat; + + /* + * If nl_inip is non null, this is a lookup based on the real + * ip address. Else, we use the fake. + */ + if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport, + np->nl_outip, np->nl_outport))) { + np->nl_inip = nat->nat_outip; + np->nl_inport = nat->nat_outport; + } + return nat; +} + + +/* + * Packets going out on the external interface go through this. + * Here, the source address requires alteration, if anything. 
+ */ +int ip_natout(ip, hlen, fin) +ip_t *ip; +int hlen; +fr_info_t *fin; +{ + register ipnat_t *np; + register u_long ipa; + tcphdr_t *tcp = NULL; + nat_t *nat; + u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; + struct ifnet *ifp; + frentry_t *fr; + + if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && + fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) + ifp = fr->fr_tif.fd_ifp; + else + ifp = fin->fin_ifp; + + if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { + if (ip->ip_p == IPPROTO_TCP) + nflags = IPN_TCP; + else if (ip->ip_p == IPPROTO_UDP) + nflags = IPN_UDP; + if (nflags) { + tcp = (tcphdr_t *)fin->fin_dp; + sport = tcp->th_sport; + dport = tcp->th_dport; + } + } + + ipa = ip->ip_src.s_addr; + + MUTEX_ENTER(&ipf_nat); + for (np = nat_list; np; np = np->in_next) + if ((np->in_ifp == ifp) && np->in_space && + (!np->in_flags || (np->in_flags & nflags)) && + ((ipa & np->in_inmsk) == np->in_inip) && + ((np->in_redir == NAT_MAP) || + (np->in_pnext == sport))) { + /* + * If there is no current entry in the nat table for + * this IP#, create one for it. + */ + if (!(nat = nat_outlookup(nflags, ip->ip_src, sport, + ip->ip_dst, dport))) { + if (np->in_redir == NAT_REDIRECT) + continue; + /* + * if it's a redirection, then we don't want + * to create new outgoing port stuff. + * Redirections are only for incoming + * connections. + */ + if (!(nat = nat_new(np, ip, fin, nflags, + NAT_OUTBOUND))) + break; + } + ip->ip_src = nat->nat_outip; + + nat->nat_age = fr_defnatage; /* 5 mins */ + + /* + * Fix up checksums, not by recalculating them, but + * simply computing adjustments. 
+ */ +#if SOLARIS + if (np->in_redir == NAT_MAP) + fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); + else + fix_incksum(&ip->ip_sum, nat->nat_ipsumd); +#endif + + if (nflags && !(ip->ip_off & 0x1fff) && + !(fin->fin_fi.fi_fl & FI_SHORT)) { + + if (nat->nat_outport) + tcp->th_sport = nat->nat_outport; + + if (ip->ip_p == IPPROTO_TCP) { + csump = &tcp->th_sum; + fr_tcp_age(&nat->nat_age, + nat->nat_state, ip, fin,1); + } else if (ip->ip_p == IPPROTO_UDP) { + udphdr_t *udp = (udphdr_t *)tcp; + + if (udp->uh_sum) + csump = &udp->uh_sum; + } else if (ip->ip_p == IPPROTO_ICMP) { + icmphdr_t *ic = (icmphdr_t *)tcp; + + csump = &ic->icmp_cksum; + } + if (csump) { + if (np->in_redir == NAT_MAP) + fix_outcksum(csump, + nat->nat_sumd); + else + fix_incksum(csump, + nat->nat_sumd); + } + } + nat_stats.ns_mapped[1]++; + MUTEX_EXIT(&ipf_nat); + return 1; + } + MUTEX_EXIT(&ipf_nat); + return 0; +} + + +/* + * Packets coming in from the external interface go through this. + * Here, the destination address requires alteration, if anything. 
+ */ +int ip_natin(ip, hlen, fin) +ip_t *ip; +int hlen; +fr_info_t *fin; +{ + register ipnat_t *np; + register struct in_addr in; + struct ifnet *ifp = fin->fin_ifp; + tcphdr_t *tcp = NULL; + u_short sport = 0, dport = 0, nflags = 0, *csump = NULL; + nat_t *nat; + + if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { + if (ip->ip_p == IPPROTO_TCP) + nflags = IPN_TCP; + else if (ip->ip_p == IPPROTO_UDP) + nflags = IPN_UDP; + if (nflags) { + tcp = (tcphdr_t *)((char *)ip + hlen); + dport = tcp->th_dport; + sport = tcp->th_sport; + } + } + + in = ip->ip_dst; + + MUTEX_ENTER(&ipf_nat); + for (np = nat_list; np; np = np->in_next) + if ((np->in_ifp == ifp) && + (!np->in_flags || (nflags & np->in_flags)) && + ((in.s_addr & np->in_outmsk) == np->in_outip) && + (np->in_redir == NAT_MAP || np->in_pmin == dport)) { + if (!(nat = nat_inlookup(nflags, ip->ip_src, sport, + ip->ip_dst, dport))) { + if (np->in_redir == NAT_MAP) + continue; + else { + /* + * If this rule (np) is a redirection, + * rather than a mapping, then do a + * nat_new. Otherwise, if it's just a + * mapping, do a continue; + */ + if (!(nat = nat_new(np, ip, fin, + nflags, + NAT_INBOUND))) + break; + } + } + ip->ip_dst = nat->nat_inip; + + nat->nat_age = fr_defnatage; + + /* + * Fix up checksums, not by recalculating them, but + * simply computing adjustments. 
+ */ +#if SOLARIS + if (np->in_redir == NAT_MAP) + fix_incksum(&ip->ip_sum, nat->nat_ipsumd); + else + fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); +#endif + if (nflags && !(ip->ip_off & 0x1fff) && + !(fin->fin_fi.fi_fl & FI_SHORT)) { + + if (nat->nat_inport) + tcp->th_dport = nat->nat_inport; + + if (ip->ip_p == IPPROTO_TCP) { + csump = &tcp->th_sum; + fr_tcp_age(&nat->nat_age, + nat->nat_state, ip, fin,0); + } else if (ip->ip_p == IPPROTO_UDP) { + udphdr_t *udp = (udphdr_t *)tcp; + + if (udp->uh_sum) + csump = &udp->uh_sum; + } else if (ip->ip_p == IPPROTO_ICMP) { + icmphdr_t *ic = (icmphdr_t *)tcp; + + csump = &ic->icmp_cksum; + } + if (csump) { + if (np->in_redir == NAT_MAP) + fix_incksum(csump, + nat->nat_sumd); + else + fix_outcksum(csump, + nat->nat_sumd); + } + } + nat_stats.ns_mapped[0]++; + MUTEX_EXIT(&ipf_nat); + return 1; + } + MUTEX_EXIT(&ipf_nat); + return 0; +} + + +/* + * Free all memory used by NAT structures allocated at runtime. + */ +void ip_natunload() +{ + int s; + + MUTEX_ENTER(&ipf_nat); + SPLNET(s); + (void) clear_natlist(); + (void) flush_nattable(); + SPLX(s) + MUTEX_EXIT(&ipf_nat); +} + + +/* + * Slowly expire held state for NAT entries. Timeouts are set in + * expectation of this being called twice per second. + */ +void ip_natexpire() +{ + register struct nat *nat, **natp; + int s; + + MUTEX_ENTER(&ipf_nat); + SPLNET(s); + for (natp = &nat_instances; (nat = *natp); ) { + if (--nat->nat_age) { + natp = &nat->nat_next; + continue; + } + *natp = nat->nat_next; + nat_delete(nat); + nat_stats.ns_expire++; + } + SPLX(s); + MUTEX_EXIT(&ipf_nat); +} diff --git a/usr.sbin/ipf/ipftest/ip_state.c b/usr.sbin/ipf/ipftest/ip_state.c new file mode 100644 index 000000000000..3a0eea287825 --- /dev/null +++ b/usr.sbin/ipf/ipftest/ip_state.c 
@@ -0,0 +1,544 @@ +/* $NetBSD: ip_state.c,v 1.1.1.1 1997/03/29 02:49:52 darrenr Exp $ */ + +/* + * (C)opyright 1995 by Darren Reed. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and due credit is given + * to the original author and the contributors. + */ +#if !defined(lint) && defined(LIBC_SCCS) +static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; +static char rcsid[] = "$Id: ip_state.c,v 1.1.1.1 1997/03/29 02:49:52 darrenr Exp $"; +#endif + +#if !defined(_KERNEL) && !defined(KERNEL) +# include +# include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef _KERNEL +# include +#endif +#if !defined(__SVR4) && !defined(__svr4__) +# include +#else +# include +# include +# include +# include +#endif + +#include +#ifdef sun +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef MIN +#define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +#define TCP_CLOSE (TH_FIN|TH_RST) + +ipstate_t *ips_table[IPSTATE_SIZE]; +int ips_num = 0; +ips_stat_t ips_stats; +#if SOLARIS +extern kmutex_t ipf_state; +# if !defined(_KERNEL) +#define bcopy(a,b,c) memmove(b,a,c) +# endif +#endif + + +#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */ + +u_long fr_tcpidletimeout = FIVE_DAYS, + fr_tcpclosewait = 60, + fr_tcplastack = 20, + fr_tcptimeout = 120, + fr_tcpclosed = 1, + fr_udptimeout = 120, + fr_icmptimeout = 120; + + +ips_stat_t *fr_statetstats() +{ + ips_stats.iss_active = ips_num; + ips_stats.iss_table = ips_table; + return &ips_stats; +} + + +#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ + (((s1) == (d2)) && ((d1) == (s2)))) +#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \ + (s2).s_addr, (d2).s_addr) + +/* + * Create a new ipstate structure and hang it off the hash table. 
+ */ +int fr_addstate(ip, fin, pass) +ip_t *ip; +fr_info_t *fin; +u_int pass; +{ + ipstate_t ips; + register ipstate_t *is = &ips; + register u_int hv; + + if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) + return -1; + if (ips_num == IPSTATE_MAX) { + ips_stats.iss_max++; + return -1; + } + ips.is_age = 1; + ips.is_state[0] = 0; + ips.is_state[1] = 0; + /* + * Copy and calculate... + */ + hv = (is->is_p = ip->ip_p); + hv += (is->is_src.s_addr = ip->ip_src.s_addr); + hv += (is->is_dst.s_addr = ip->ip_dst.s_addr); + + switch (ip->ip_p) + { + case IPPROTO_ICMP : + { + struct icmp *ic = (struct icmp *)fin->fin_dp; + + switch (ic->icmp_type) + { + case ICMP_ECHO : + is->is_icmp.ics_type = 0; + hv += (is->is_icmp.ics_id = ic->icmp_id); + hv += (is->is_icmp.ics_seq = ic->icmp_seq); + break; + case ICMP_TSTAMP : + case ICMP_IREQ : + case ICMP_MASKREQ : + is->is_icmp.ics_type = ic->icmp_type + 1; + break; + default : + return -1; + } + ips_stats.iss_icmp++; + is->is_age = fr_icmptimeout; + break; + } + case IPPROTO_TCP : + { + register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; + + /* + * The endian of the ports doesn't matter, but the ack and + * sequence numbers do as we do mathematics on them later. + */ + hv += (is->is_dport = tcp->th_dport); + hv += (is->is_sport = tcp->th_sport); + is->is_seq = ntohl(tcp->th_seq); + is->is_ack = ntohl(tcp->th_ack); + is->is_swin = ntohs(tcp->th_win); + is->is_dwin = is->is_swin; /* start them the same */ + ips_stats.iss_tcp++; + /* + * If we're creating state for a starting connectoin, start the + * timer on it as we'll never see an error if it fails to + * connect. 
+ */ + if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) + is->is_ack = 0; /* Trumpet WinSock 'ism */ + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); + break; + } + case IPPROTO_UDP : + { + register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; + + hv += (is->is_dport = tcp->th_dport); + hv += (is->is_sport = tcp->th_sport); + ips_stats.iss_udp++; + is->is_age = fr_udptimeout; + break; + } + default : + return -1; + } + + KMALLOC(is, ipstate_t *, sizeof(*is)); + if (is == NULL) { + ips_stats.iss_nomem++; + return -1; + } + bcopy((char *)&ips, (char *)is, sizeof(*is)); + hv %= IPSTATE_SIZE; + MUTEX_ENTER(&ipf_state); + is->is_next = ips_table[hv]; + ips_table[hv] = is; + is->is_pass = pass; + is->is_pkts = 1; + is->is_bytes = ip->ip_len; + if (pass & FR_LOGFIRST) + is->is_pass &= ~(FR_LOGFIRST|FR_LOG); + ips_num++; + MUTEX_EXIT(&ipf_state); + return 0; +} + + +/* + * check to see if a packet with TCP headers fits within the TCP window. + * change timeout depending on whether new packet is a SYN-ACK returning for a + * SYN or a RST or FIN which indicate time to close up shop. + */ +int fr_tcpstate(is, fin, ip, tcp, sport) +register ipstate_t *is; +fr_info_t *fin; +ip_t *ip; +tcphdr_t *tcp; +u_short sport; +{ + register int seqskew, ackskew; + register u_short swin, dwin; + register tcp_seq seq, ack; + int source; + + /* + * Find difference between last checked packet and this packet. + */ + seq = ntohl(tcp->th_seq); + ack = ntohl(tcp->th_ack); + if (sport == is->is_sport) { + seqskew = seq - is->is_seq; + ackskew = ack - is->is_ack; + } else { + seqskew = ack - is->is_seq; + if (!is->is_ack) + /* + * Must be a SYN-ACK in reply to a SYN. 
+ */ + is->is_ack = seq; + ackskew = seq - is->is_ack; + } + + /* + * Make skew values absolute + */ + if (seqskew < 0) + seqskew = -seqskew; + if (ackskew < 0) + ackskew = -ackskew; + + /* + * If the difference in sequence and ack numbers is within the + * window size of the connection, store these values and match + * the packet. + */ + if ((source = (sport == is->is_sport))) { + swin = is->is_swin; + dwin = is->is_dwin; + } else { + dwin = is->is_swin; + swin = is->is_dwin; + } + + if ((seqskew <= swin) && (ackskew <= dwin)) { + if (source) { + is->is_seq = seq; + is->is_ack = ack; + is->is_swin = ntohs(tcp->th_win); + } else { + is->is_seq = ack; + is->is_ack = seq; + is->is_dwin = ntohs(tcp->th_win); + } + ips_stats.iss_hits++; + /* + * Nearing end of connection, start timeout. + */ + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); + return 1; + } + return 0; +} + + +/* + * Check if a packet has a registered state. + */ +int fr_checkstate(ip, fin) +ip_t *ip; +fr_info_t *fin; +{ + register struct in_addr dst, src; + register ipstate_t *is, **isp; + register u_char pr; + struct icmp *ic; + tcphdr_t *tcp; + u_int hv, hlen, pass; + + if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) + return 0; + + hlen = fin->fin_hlen; + tcp = (tcphdr_t *)((char *)ip + hlen); + ic = (struct icmp *)tcp; + hv = (pr = ip->ip_p); + hv += (src.s_addr = ip->ip_src.s_addr); + hv += (dst.s_addr = ip->ip_dst.s_addr); + + /* + * Search the hash table for matching packet header info. + */ + switch (ip->ip_p) + { + case IPPROTO_ICMP : + hv += ic->icmp_id; + hv += ic->icmp_seq; + hv %= IPSTATE_SIZE; + MUTEX_ENTER(&ipf_state); + for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) + if ((is->is_p == pr) && + (ic->icmp_id == is->is_icmp.ics_id) && + (ic->icmp_seq == is->is_icmp.ics_seq) && + IPPAIR(src, dst, is->is_src, is->is_dst)) { + /* + * If we have type 0 stored, allow any icmp + * replies through. 
+ */ + if (is->is_icmp.ics_type && + is->is_icmp.ics_type != ic->icmp_type) + continue; + is->is_age = fr_icmptimeout; + is->is_pkts++; + is->is_bytes += ip->ip_len; + ips_stats.iss_hits++; + MUTEX_EXIT(&ipf_state); + return is->is_pass; + } + MUTEX_EXIT(&ipf_state); + break; + case IPPROTO_TCP : + { + register u_short dport = tcp->th_dport, sport = tcp->th_sport; + + hv += dport; + hv += sport; + hv %= IPSTATE_SIZE; + MUTEX_ENTER(&ipf_state); + for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) { + if ((is->is_p == pr) && + PAIRS(sport, dport, is->is_sport, is->is_dport) && + IPPAIR(src, dst, is->is_src, is->is_dst)) + if (fr_tcpstate(is, fin, ip, tcp, sport)) { +#ifdef _KERNEL + MUTEX_EXIT(&ipf_state); + return pass; +#else + int pass = is->is_pass; + + if (tcp->th_flags & TCP_CLOSE) { + *isp = is->is_next; + isp = &ips_table[hv]; + KFREE(is); + } + return pass; +#endif + } + } + MUTEX_EXIT(&ipf_state); + break; + } + case IPPROTO_UDP : + { + register u_short dport = tcp->th_dport, sport = tcp->th_sport; + + hv += dport; + hv += sport; + hv %= IPSTATE_SIZE; + /* + * Nothing else to match on but ports. and IP#'s + */ + MUTEX_ENTER(&ipf_state); + for (is = ips_table[hv]; is; is = is->is_next) + if ((is->is_p == pr) && + PAIRS(sport, dport, is->is_sport, is->is_dport) && + IPPAIR(src, dst, is->is_src, is->is_dst)) { + ips_stats.iss_hits++; + is->is_pkts++; + is->is_bytes += ip->ip_len; + is->is_age = fr_udptimeout; + pass = is->is_pass; + MUTEX_EXIT(&ipf_state); + return pass; + } + MUTEX_EXIT(&ipf_state); + break; + } + default : + break; + } + ips_stats.iss_miss++; + return 0; +} + + +/* + * Free memory in use by all state info. kept. 
+ */ +void fr_stateunload() +{ + register int i; + register ipstate_t *is, **isp; + int s; + + MUTEX_ENTER(&ipf_state); + SPLNET(s); + for (i = 0; i < IPSTATE_SIZE; i++) + for (isp = &ips_table[i]; (is = *isp); ) { + *isp = is->is_next; + KFREE(is); + } + SPLX(s); + MUTEX_EXIT(&ipf_state); +} + + +/* + * Slowly expire held state for thingslike UDP and ICMP. Timeouts are set + * in expectation of this being called twice per second. + */ +void fr_timeoutstate() +{ + register int i; + register ipstate_t *is, **isp; + int s; + + MUTEX_ENTER(&ipf_state); + SPLNET(s); + for (i = 0; i < IPSTATE_SIZE; i++) + for (isp = &ips_table[i]; (is = *isp); ) + if (is->is_age && !--is->is_age) { + *isp = is->is_next; + if (is->is_p == IPPROTO_TCP) + ips_stats.iss_fin++; + else + ips_stats.iss_expire++; + KFREE(is); + ips_num--; + } else + isp = &is->is_next; + SPLX(s); + MUTEX_EXIT(&ipf_state); +} + + +/* + * Original idea freom Pradeep Krishnan for use primarily with NAT code. + * (pkrishna@netcom.com) + */ +void fr_tcp_age(age, state, ip, fin, dir) +u_long *age; +u_char *state; +ip_t *ip; +fr_info_t *fin; +int dir; +{ + tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; + u_char flags = tcp->th_flags; + int dlen, ostate; + + ostate = state[1 - dir]; + + dlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2); + + if (flags & TH_RST) { + if (!(tcp->th_flags & TH_PUSH) && !dlen) { + *age = fr_tcpclosed; + state[dir] = TCPS_CLOSED; + } else { + *age = fr_tcpclosewait; + state[dir] = TCPS_CLOSE_WAIT; + } + return; + } + + *age = fr_tcptimeout; /* 1 min */ + + switch(state[dir]) + { + case TCPS_FIN_WAIT_2: + case TCPS_CLOSED: + if ((flags & TH_OPENING) == TH_OPENING) + state[dir] = TCPS_SYN_RECEIVED; + else if (flags & TH_SYN) + state[dir] = TCPS_SYN_SENT; + break; + case TCPS_SYN_RECEIVED: + if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) { + state[dir] = TCPS_ESTABLISHED; + *age = fr_tcpidletimeout; + } + break; + case TCPS_SYN_SENT: + if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) { + state[dir] = 
TCPS_ESTABLISHED; + *age = fr_tcpidletimeout; + } + break; + case TCPS_ESTABLISHED: + if (flags & TH_FIN) { + state[dir] = TCPS_CLOSE_WAIT; + if (!(flags & TH_PUSH) && !dlen && + ostate > TCPS_ESTABLISHED) + *age = fr_tcplastack; + else + *age = fr_tcpclosewait; + } else + *age = fr_tcpidletimeout; + break; + case TCPS_CLOSE_WAIT: + if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen && + ostate > TCPS_ESTABLISHED) { + *age = fr_tcplastack; + state[dir] = TCPS_LAST_ACK; + } else + *age = fr_tcpclosewait; + break; + case TCPS_LAST_ACK: + if (flags & TH_ACK) { + state[dir] = TCPS_FIN_WAIT_2; + if (!(flags & TH_PUSH) && !dlen && + ostate > TCPS_ESTABLISHED) + *age = fr_tcplastack; + else { + *age = fr_tcpclosewait; + state[dir] = TCPS_CLOSE_WAIT; + } + } + break; + } +} diff --git a/usr.sbin/ipf/ipftest/ipft_ef.c b/usr.sbin/ipf/ipftest/ipft_ef.c index 168501696eab..46cbb29a4dfa 100644 --- a/usr.sbin/ipf/ipftest/ipft_ef.c +++ b/usr.sbin/ipf/ipftest/ipft_ef.c @@ -1,3 +1,5 @@ +/* $NetBSD: ipft_ef.c,v 1.1.1.2 1997/03/29 02:49:48 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * @@ -47,10 +49,12 @@ etherfind -n -t #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "$Id: ipft_ef.c,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $"; +static char rcsid[] = "$Id: ipft_ef.c,v 1.1.1.2 1997/03/29 02:49:48 darrenr Exp $"; #endif -static int etherf_open(), etherf_close(), etherf_readip(); +static int etherf_open __P((char *)); +static int etherf_close __P((void)); +static int etherf_readip __P((char *, int, char **, int *)); struct ipread etherf = { etherf_open, etherf_close, etherf_readip }; diff --git a/usr.sbin/ipf/ipftest/ipft_hx.c b/usr.sbin/ipf/ipftest/ipft_hx.c index 0426c43e6a91..354b2b196759 100644 --- a/usr.sbin/ipf/ipftest/ipft_hx.c +++ b/usr.sbin/ipf/ipftest/ipft_hx.c 
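Review bot: In fr_checkstate's IPPROTO_TCP case the `#ifdef _KERNEL` branch returns `pass`, which is the uninitialised `u_int pass` declared at the top of the function — the `int pass = is->is_pass;` that gives it a value exists only in the `#else` branch. That `#else` branch in turn returns without `MUTEX_EXIT(&ipf_state)`, and when `TCP_CLOSE` is set it frees the entry without decrementing `ips_num`, so the `ips_num == IPSTATE_MAX` guard in fr_addstate drifts upward until state can no longer be created. Hoisting `pass = is->is_pass;` above the `#ifdef`, adding `ips_num--;` beside `KFREE(is);`, and putting `MUTEX_EXIT(&ipf_state);` before the second `return pass;` makes both builds agree with the UDP case, which does release the mutex before returning. fr_stateunload has the same bookkeeping gap: it frees every entry but leaves `ips_num` untouched, while fr_timeoutstate decrements it per freed entry.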
@@ -1,3 +1,5 @@ +/* $NetBSD: ipft_hx.c,v 1.1.1.2 1997/03/29 02:49:52 darrenr Exp $ */ + /* * (C)opyright 1995 by Darren Reed. * @@ -38,15 +40,15 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static char rcsid[] = "$Id: ipft_hx.c,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $"; +static char rcsid[] = "$Id: ipft_hx.c,v 1.1.1.2 1997/03/29 02:49:52 darrenr Exp $"; #endif extern int opts; -extern u_short portnum(); -extern u_long buildopts(); -static int hex_open(), hex_close(), hex_readip(); -static char *readhex(); +static int hex_open __P((char *)); +static int hex_close __P((void)); +static int hex_readip __P((char *, int, char **, int *)); +static char *readhex __P((char *, char *)); struct ipread iphex = { hex_open, hex_close, hex_readip }; static FILE *tfp = NULL; @@ -85,7 +87,7 @@ static int hex_readip(buf, cnt, ifn, dir) char *buf, **ifn; int cnt, *dir; { - register char *s; + register char *s, *t, *u; struct ip *ip; char line[513]; @@ -96,8 +98,6 @@ int cnt, *dir; return (char *)ip - buf; *s = '\0'; } - if ((s = index(line, '\r'))) - *s = '\0'; if ((s = index(line, '#'))) *s = '\0'; if (!*line) @@ -106,7 +106,30 @@ int cnt, *dir; printf("input: %s\n", line); fflush(stdout); } - ip = (struct ip *)readhex(line, (char *)ip); + + /* + * interpret start of line as possibly "[ifname]" or + * "[in/out,ifname]". + */ + *ifn = NULL; + *dir = 0; + if ((*buf == '[') && (s = index(line, ']'))) { + t = buf + 1; + if (t - s > 0) { + if ((u = index(t, ',')) && (u < s)) { + u++; + *ifn = u; + if (*t == 'i') + *dir = 0; + else if (*t == 'o') + *dir = 1; + } else + *ifn = t; + *s++ = '\0'; + } + } else + s = line; + ip = (struct ip *)readhex(s, (char *)ip); } return -1; } diff --git a/usr.sbin/ipf/ipftest/ipft_pc.c b/usr.sbin/ipf/ipftest/ipft_pc.c index b570db05b186..39b492244ac3 100644 --- a/usr.sbin/ipf/ipftest/ipft_pc.c +++ b/usr.sbin/ipf/ipftest/ipft_pc.c 
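Review bot: The new `[ifname]` parsing in hex_readip tests `*buf == '['` and sets `t = buf + 1`, but the text just read is in `line` — that is where `s = index(line, ']')` searches and where `readhex` later reads — whereas `buf` is the packet buffer that `ip` points into, so the bracket is looked for in the wrong array and `t - s` subtracts pointers into two different objects. `if ((*line == '[') && (s = index(line, ']'))) {`, `t = line + 1;` and `if (s - t > 0) {` appear to be what is meant; with `t` and `s` in the same array the present `t - s > 0` would never be true for a `]` that follows the `[`. The earlier hunk in this file also drops the `'\r'` stripping, so a CRLF-terminated line now reaches `readhex` with the `\r` attached — presumably harmless if readhex stops at the first non-hex character, but worth confirming against the test inputs. hex_readip's read loop starts before the hunk.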
@@ -1,3 +1,5 @@ +/* $NetBSD: ipft_pc.c,v 1.1.1.2 1997/03/29 02:49:50 darrenr Exp $ */ + /* * (C)opyright 1993-1996 by Darren Reed. * @@ -30,7 +32,7 @@ #include "pcap.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipft_pc.c,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $"; +static char rcsid[] = "$Id: ipft_pc.c,v 1.1.1.2 1997/03/29 02:49:50 darrenr Exp $"; #endif struct llc { @@ -59,11 +61,15 @@ static struct llc llcs[DLT_MAX+1] = { { 0, 0, 0 } /* DLT_FDDI */ }; -static int ipft_pcap_open(), ipft_pcap_close(), ipft_pcap_readip(); +static int pcap_open __P((char *)); +static int pcap_close __P((void)); +static int pcap_readip __P((char *, int, char **, int *)); +static void swap_hdr __P((pcaphdr_t *)); +static int pcap_read_rec __P((struct pcap_pkthdr *)); static int pfd = -1, s_type = -1, swapped = 0; -struct ipread pcap = { ipft_pcap_open, ipft_pcap_close, ipft_pcap_readip }; +struct ipread pcap = { pcap_open, pcap_close, pcap_readip }; #define SWAPLONG(y) \ ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) @@ -81,7 +87,7 @@ pcaphdr_t *p; p->pc_type = SWAPLONG(p->pc_type); } -static int ipft_pcap_open(fname) +static int pcap_open(fname) char *fname; { pcaphdr_t ph; @@ -122,7 +128,7 @@ char *fname; } -static int ipft_ipft_pcap_close() +static int pcap_close() { return close(pfd); } @@ -132,8 +138,8 @@ static int ipft_ipft_pcap_close() * read in the header (and validate) which should be the first record * in a pcap file. */ -static int ipft_pcap_read_rec(rec) -struct ipft_pcap_pkthdr *rec; +static int pcap_read_rec(rec) +struct pcap_pkthdr *rec; { int n, p; 
@@ -160,15 +166,15 @@ struct ipft_pcap_pkthdr *rec; * read an entire pcap packet record. only the data part is copied into * the available buffer, with the number of bytes copied returned. */ -static int ipft_pcap_read(buf, cnt) +static int pcap_read(buf, cnt) char *buf; int cnt; { - struct ipft_pcap_pkthdr rec; + struct pcap_pkthdr rec; static char *bufp = NULL; int i, n; - if ((i = ipft_pcap_read_rec(&rec)) <= 0) + if ((i = pcap_read_rec(&rec)) <= 0) return i; if (!bufp) @@ -189,18 +195,18 @@ int cnt; /* * return only an IP packet read into buf */ -static int ipft_ipft_pcap_readip(buf, cnt, ifn, dir) +static int pcap_readip(buf, cnt, ifn, dir) char *buf, **ifn; int cnt, *dir; { static char *bufp = NULL; - struct ipft_pcap_pkthdr rec; + struct pcap_pkthdr rec; struct llc *l; char *s, ty[4]; int i, n; do { - if ((i = ipft_pcap_read_rec(&rec)) <= 0) + if ((i = pcap_read_rec(&rec)) <= 0) return i; if (!bufp) diff --git a/usr.sbin/ipf/ipftest/ipft_sn.c b/usr.sbin/ipf/ipftest/ipft_sn.c index 715be143c862..289d972d3b85 100644 --- a/usr.sbin/ipf/ipftest/ipft_sn.c +++ b/usr.sbin/ipf/ipftest/ipft_sn.c @@ -1,3 +1,5 @@ +/* $NetBSD: ipft_sn.c,v 1.1.1.2 1997/03/29 02:49:47 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * @@ -33,7 +35,7 @@ #include "snoop.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipft_sn.c,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $"; +static char rcsid[] = "$Id: ipft_sn.c,v 1.1.1.2 1997/03/29 02:49:47 darrenr Exp $"; #endif struct llc { @@ -59,9 +61,12 @@ static struct llc llcs[SDL_MAX+1] = { { 0, 0, 0 }, /* SDL_OTHER */ }; -static int snoop_open(), snoop_close(), snoop_readip(); +static int snoop_open __P((char *)); +static int snoop_close __P((void)); +static int snoop_readip __P((char *, int, char **, int *)); static int sfd = -1, s_type = -1; +static int snoop_read_rec __P((struct snooppkt *)); struct ipread snoop = { snoop_open, snoop_close, snoop_readip }; 
diff --git a/usr.sbin/ipf/ipftest/ipft_td.c b/usr.sbin/ipf/ipftest/ipft_td.c index 6bc5612f710b..4a8552bba3c1 100644 --- a/usr.sbin/ipf/ipftest/ipft_td.c +++ b/usr.sbin/ipf/ipftest/ipft_td.c @@ -1,3 +1,5 @@ +/* $NetBSD: ipft_td.c,v 1.1.1.2 1997/03/29 02:49:49 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * @@ -56,10 +58,13 @@ tcpdump -nqte #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "$Id: ipft_td.c,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $"; +static char rcsid[] = "$Id: ipft_td.c,v 1.1.1.2 1997/03/29 02:49:49 darrenr Exp $"; #endif -static int tcpd_open(), tcpd_close(), tcpd_readip(); +static int tcpd_open __P((char *)); +static int tcpd_close __P((void)); +static int tcpd_readip __P((char *, int, char **, int *)); +static int count_dots __P((char *)); struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip }; diff --git a/usr.sbin/ipf/ipftest/ipft_tx.c b/usr.sbin/ipf/ipftest/ipft_tx.c index eeb03a084297..acfe2b7702ef 100644 --- a/usr.sbin/ipf/ipftest/ipft_tx.c +++ b/usr.sbin/ipf/ipftest/ipft_tx.c @@ -1,3 +1,5 @@ +/* $NetBSD: ipft_tx.c,v 1.1.1.2 1997/03/29 02:49:51 darrenr Exp $ */ + /* * (C)opyright 1995 by Darren Reed. * 
@@ -40,15 +42,17 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "$Id: ipft_tx.c,v 1.1.1.1 1997/01/05 13:09:05 mrg Exp $"; +static char rcsid[] = "$Id: ipft_tx.c,v 1.1.1.2 1997/03/29 02:49:51 darrenr Exp $"; #endif extern int opts; -extern u_long buildopts(); +extern u_long buildopts __P((char *, char *)); static char *tx_proto = ""; -static int text_open(), text_close(), text_readip(), parseline(); +static int text_open __P((char *)), text_close __P((void)); +static int text_readip __P((char *, int, char **, int *)); +static int parseline __P((char *, struct ip *, char **, int *)); static char tcp_flagset[] = "FSRPAU"; static u_char tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, @@ -58,15 +62,15 @@ struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; static int tfd = -1; -static u_long tx_hostnum(); -static u_short tx_portnum(); +static u_long tx_hostnum __P((char *, int *)); +static u_short tx_portnum __P((char *)); /* * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ -u_long tx_hostnum(host, resolved) +static u_long tx_hostnum(host, resolved) char *host; int *resolved; { @@ -95,7 +99,7 @@ int *resolved; * find the port number given by the name, either from getservbyname() or * straight atoi() */ -u_short tx_portnum(name) +static u_short tx_portnum(name) char *name; { struct servent *sp, *sp2; @@ -190,7 +194,7 @@ int cnt, *dir; printf("input: %s\n", line); *ifn = NULL; *dir = 0; - if (!parseline(line, buf, ifn, dir)) + if (!parseline(line, (struct ip *)buf, ifn, dir)) #if 0 return sizeof(struct tcpiphdr); #else @@ -211,6 +215,8 @@ int *out; char *cps[20], **cpp, c, ipopts[68]; int i, r; + if (*ifn) + free(*ifn); bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip)); bzero((char *)tcp, sizeof(*tcp)); bzero((char *)ic, sizeof(*ic)); 
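Review bot: The `if (*ifn) free(*ifn);` added at the top of parseline never fires from text_readip, because the `@@ -190,7 +194,7 @@` hunk shows that caller setting `*ifn = NULL` immediately before the call; the `strdup(*cpp++)` result assigned in the `@@ -236,7 +242,7 @@` hunk is therefore leaked once per packet rather than released. Either drop the `*ifn = NULL;` in text_readip so parseline's free does the release, or free the previous name in the caller once the packet has been processed. `strdup` can also return NULL, which the new code does not check before handing the pointer back. Note that ipt.c's `-I` option stores `optarg` in the same `iface` variable that is passed as `ifn`, so whichever side owns the release must not free a value that did not come from `strdup`. parseline's body continues beyond the hunk.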
@@ -236,7 +242,7 @@ int *out; cpp++; if (!*cpp) return 1; - *ifn = *cpp++; + *ifn = strdup(*cpp++); } c = **cpp; diff --git a/usr.sbin/ipf/ipftest/ipt.c b/usr.sbin/ipf/ipftest/ipt.c index 5487200cbec0..ec4ab9a1a30f 100644 --- a/usr.sbin/ipf/ipftest/ipt.c +++ b/usr.sbin/ipf/ipftest/ipt.c @@ -1,3 +1,5 @@ +/* $NetBSD: ipt.c,v 1.1.1.2 1997/03/29 02:49:46 darrenr Exp $ */ + /* * (C)opyright 1993-1996 by Darren Reed. * @@ -12,6 +14,7 @@ #include #else #include +#include #endif #include #include @@ -29,30 +32,29 @@ #include #include #include -#include #include #include #include #include +#include +#include +#include #include "ipf.h" #include "ipt.h" -#include #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: ipt.c,v 1.1.1.1 1997/01/05 13:09:05 mrg Exp $"; +static char rcsid[] = "$Id: ipt.c,v 1.1.1.2 1997/03/29 02:49:46 darrenr Exp $"; #endif -extern int fr_check(); extern char *optarg; -extern struct frentry *ipfilter[2][2]; -/*extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;*/ -extern struct ipread snoop, etherf, tcpd, iptext, iphex; -extern void debug(), verbose(); - -struct frentry *ft_in = NULL, *ft_out = NULL; +extern struct frentry *ipfilter[2][2]; +extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; +extern struct ifnet *get_unit __P((char *)); +extern void init_ifp __P((void)); int opts = 0; +int main __P((int, char *[])); int main(argc,argv) int argc; @@ -62,11 +64,12 @@ char *argv[]; struct frentry *f; struct ip *ip; u_long buf[64]; + struct ifnet *ifp; char c; char *rules = NULL, *datain = NULL, *iface = NULL; int fd, i, dir = 0; - while ((c = getopt(argc, argv, "bdEHi:I:Pr:STvX")) != -1) + while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) switch (c) { case 'b' : @@ -81,6 +84,9 @@ char *argv[]; case 'I' : iface = optarg; break; + case 'o' : + opts |= OPT_SAVEOUT; + break; case 'r' : rules = optarg; break; 
@@ -93,11 +99,9 @@ char *argv[]; case 'H' : r = &iphex; break; -#if 0 case 'P' : r = &pcap; break; -#endif case 'S' : r = &snoop; break; @@ -148,23 +152,18 @@ char *argv[]; if (!(fr = parse(line))) continue; - f = (struct frentry *)malloc(sizeof(*f)); - if (fr->fr_flags & FR_INQUE) { - if (!ft_in) - ft_in = ipfilter[0][0] = f; - else - ft_in->fr_next = f, ft_in = f; - } else if (fr->fr_flags & FR_OUTQUE) { - if (!ft_out) - ft_out = ipfilter[1][0] = f; - else - ft_out->fr_next = f, ft_out = f; - } - bcopy((char *)fr, (char *)f, sizeof(*fr)); + /* fake an `ioctl' call :) */ + i = iplioctl(0, SIOCADDFR, (caddr_t)fr, FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(SIOCADDFR,%x,1) = %d\n", i); } (void)fclose(fp); } + if (opts & OPT_SAVEOUT) + init_ifp(); + if (datain) fd = (*r->r_open)(datain); else @@ -174,10 +173,12 @@ char *argv[]; exit(-1); ip = (struct ip *)buf; - while ((i = (*r->r_readip)(buf, sizeof(buf), &iface, &dir)) > 0) { + while ((i = (*r->r_readip)((char *)buf, sizeof(buf), + &iface, &dir)) > 0) { + ifp = iface ? get_unit(iface) : NULL; ip->ip_off = ntohs(ip->ip_off); ip->ip_len = ntohs(ip->ip_len); - switch (fr_check(ip, ip->ip_hl << 2, iface, dir)) + switch (fr_check(ip, ip->ip_hl << 2, ifp, dir, (char *)buf)) { case -1 : (void)printf("block"); @@ -191,9 +192,11 @@ char *argv[]; } if (!(opts & OPT_BRIEF)) { putchar(' '); - printpacket(buf); + printpacket((struct ip *)buf); printf("--------------"); } + if (dir && ifp && ip->ip_v) + (*ifp->if_output)(ifp, (void *)buf, NULL, 0); putchar('\n'); dir = 0; } diff --git a/usr.sbin/ipf/ipftest/ipt.h b/usr.sbin/ipf/ipftest/ipt.h index 586366a68cf0..d7b66662e76a 100644 --- a/usr.sbin/ipf/ipftest/ipt.h +++ b/usr.sbin/ipf/ipftest/ipt.h 
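Review bot: In the `@@ -148,23 +152,18 @@` hunk the debug `fprintf` supplies one argument for two conversions — `"iplioctl(SIOCADDFR,%x,1) = %d\n"` consumes a value for `%x` and another for `%d`, but only `i` is passed — which is undefined behaviour and prints a garbage result; either pass the rule pointer as well, `fprintf(stderr, "iplioctl(SIOCADDFR,%p,1) = %d\n", (void *)fr, i);`, or drop the `%x`. The return value of `iplioctl` is otherwise ignored, so a rule the fake ioctl rejects is presumably left out silently and every packet is then judged against a shorter rule set than the file specifies; a non-zero `i` should be reported regardless of `OPT_DEBUG`, and arguably should abort the run. main continues beyond these hunks.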
@@ -1,16 +1,27 @@ +/* $NetBSD: ipt.h,v 1.1.1.2 1997/03/29 02:49:53 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: ipt.h,v 1.1.1.1 1997/01/05 13:09:05 mrg Exp $ + * $Id: ipt.h,v 1.1.1.2 1997/03/29 02:49:53 darrenr Exp $ */ #include +#ifdef __STDC__ +#include +#else +#include +#endif + struct ipread { - int (*r_open)(); - int (*r_close)(); - int (*r_readip)(); + int (*r_open) __P((char *)); + int (*r_close) __P((void)); + int (*r_readip) __P((char *, int, char **, int *)); }; + +extern void debug __P((char *, ...)); +extern void verbose __P((char *, ...)); diff --git a/usr.sbin/ipf/ipftest/misc.c b/usr.sbin/ipf/ipftest/misc.c index 930124f68ae3..9de193489b73 100644 --- a/usr.sbin/ipf/ipftest/misc.c +++ b/usr.sbin/ipf/ipftest/misc.c @@ -1,3 +1,5 @@ +/* $NetBSD: misc.c,v 1.1.1.2 1997/03/29 02:49:51 darrenr Exp $ */ + /* * (C)opyright 1993,1994,1995 by Darren Reed. * @@ -30,20 +32,18 @@ #include #include #include -#include #include #include #include +#include #include "ipf.h" #include "ipt.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: misc.c,v 1.1.1.1 1997/01/05 13:09:05 mrg Exp $"; +static char rcsid[] = "$Id: misc.c,v 1.1.1.2 1997/03/29 02:49:51 darrenr Exp $"; #endif -void debug(), verbose(); - extern int opts; 
@@ -69,17 +69,35 @@ struct ip *ip;
 }
-void verbose(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9)
-char *fmt, *p1, *p2, *p3, *p4, *p5, *p6, *p7,*p8,*p9;
+#ifdef __STDC__
+void verbose(char *fmt, ...)
+#else
+void verbose(fmt, va_alist)
+char *fmt;
+va_dcl
+#endif
 {
+ va_list pvar;
+
+ va_start(pvar, fmt);
 if (opts & OPT_VERBOSE)
- printf(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9);
+ vprintf(fmt, pvar);
+ va_end(pvar);
 }
-void debug(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9)
-char *fmt, *p1, *p2, *p3, *p4, *p5, *p6, *p7,*p8,*p9;
+#ifdef __STDC__
+void debug(char *fmt, ...)
+#else
+void debug(fmt, va_alist)
+char *fmt;
+va_dcl
+#endif
 {
+ va_list pvar;
+
+ va_start(pvar, fmt);
 if (opts & OPT_DEBUG)
- printf(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9);
+ vprintf(fmt, pvar);
+ va_end(pvar);
 }
diff --git a/usr.sbin/ipf/ipftest/opt.c b/usr.sbin/ipf/ipftest/opt.c
new file mode 100644
index 000000000000..9b282052ae95
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/opt.c
@@ -0,0 +1,137 @@
+/* $NetBSD: opt.c,v 1.1.1.1 1997/03/29 02:49:50 darrenr Exp $ */
+
+/*
+ * (C)opyright 1993,1994,1995 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "ipf.h"
+
+#if !defined(lint) && defined(LIBC_SCCS)
+static char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed";
+static char rcsid[] = "$Id: opt.c,v 1.1.1.1 1997/03/29 02:49:50 darrenr Exp $";
+#endif
+
+extern int opts;
+
+struct ipopt_names ionames[] ={
+ { IPOPT_NOP, 0x000001, 1, "nop" },
+ { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
+ { IPOPT_ZSU, 0x000004, 3, "zsu" },
+ { IPOPT_MTUP, 0x000008, 3, "mtup" },
+ { IPOPT_MTUR, 0x000010, 3, "mtur" },
+ { IPOPT_ENCODE, 0x000020, 3, "encode" },
+ { IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
+ { IPOPT_TR, 0x000080, 3, "tr" },
+ { IPOPT_SECURITY,0x000100, 11, "sec" },
+ { IPOPT_SECURITY,0x000100, 11, "sec-class" },
+ { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
+ { IPOPT_E_SEC, 0x000400, 3, "e-sec" },
+ { IPOPT_CIPSO, 0x000800, 3, "cipso" },
+ { IPOPT_SATID, 0x001000, 4, "satid" },
+ { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
+ { IPOPT_ADDEXT, 0x004000, 3, "addext" },
+ { IPOPT_VISA, 0x008000, 3, "visa" },
+ { IPOPT_IMITD, 0x010000, 3, "imitd" },
+ { IPOPT_EIP, 0x020000, 3, "eip" },
+ { IPOPT_FINN, 0x040000, 3, "finn" },
+ { 0, 0, 0, (char *)NULL } /* must be last */
+};
+
+struct ipopt_names secclass[] = {
+ { IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
+ { IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
+ { IPSO_CLASS_SECR, 0x04, 0, "secret" },
+ { IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
+ { IPSO_CLASS_CONF, 0x10, 0, "confid" },
+ { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
+ { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
+ { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
+ { 0, 0, 0, NULL } /* must be last */
+};
+
+static u_char seclevel __P((char *));
+
+static u_char seclevel(slevel)
+char *slevel;
+{
+ struct ipopt_names *so;
+
+ for (so = secclass; so->on_name; so++)
+ if (!strcasecmp(slevel, so->on_name))
+ break;
+
+ if (!so->on_name) {
+ fprintf(stderr, "no such security level: %s\n", slevel);
+ return 0;
+ }
+ return (u_char)so->on_value;
+}
+
+
+u_long buildopts(cp, op)
+char *cp, *op;
+{
+ struct ipopt_names *io;
+ u_char lvl;
+ u_long msk = 0;
+ char *s, *t;
+ int len = 0;
+
+ for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
+ if ((t = strchr(s, '=')))
+ *t++ = '\0';
+ for (io = ionames; io->on_name; io++) {
+ if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
+ continue;
+ if ((len + io->on_siz) > 48) {
+ fprintf(stderr, "options too long\n");
+ return 0;
+ }
+ len += io->on_siz;
+ *op++ = io->on_value;
+ if (io->on_siz > 1) {
+ *op++ = io->on_siz;
+ *op++ = IPOPT_MINOFF;
+
+ if (t && !strcasecmp(s, "sec-class")) {
+ lvl = seclevel(t);
+ *(op - 1) = lvl;
+ }
+ op += io->on_siz - 3;
+ if (len & 3) {
+ *op++ = IPOPT_NOP;
+ len++;
+ }
+ }
+ if (opts & OPT_DEBUG)
+ fprintf(stderr, "bo: %s %d %#x: %d\n",
+ io->on_name, io->on_value,
+ io->on_bit, len);
+ msk |= io->on_bit;
+ break;
+ }
+ if (!io->on_name) {
+ fprintf(stderr, "unknown IP option name %s\n", s);
+ return 0;
+ }
+ }
+ *op++ = IPOPT_EOL;
+ len++;
+ return len;
+}
diff --git a/usr.sbin/ipf/ipftest/snoop.h b/usr.sbin/ipf/ipftest/snoop.h
index d49ab2b7d6d1..0075a5940894 100644
--- a/usr.sbin/ipf/ipftest/snoop.h
+++ b/usr.sbin/ipf/ipftest/snoop.h
@@ -1,3 +1,5 @@
+/* $NetBSD: snoop.h,v 1.1.1.2 1997/03/29 02:49:55 darrenr Exp $ */
+
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
 *
@@ -8,7 +10,7 @@
 /*
 * written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 1.1.1.1 1997/01/05 13:09:05 mrg Exp $
+ * $Id: snoop.h,v 1.1.1.2 1997/03/29 02:49:55 darrenr Exp $
 */
 struct snoophdr {
 char s_id[8];
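Review bot: In buildopts(), a failure of seclevel() is not propagated: on an unknown level name it prints an error and returns 0, and buildopts() then stores that 0 as the classification byte (`*(op - 1) = lvl;`) and carries on, so a misspelled `sec-class` value produces a rule carrying class 0 instead of the parse failure that the unknown-option path reports. Every valid secclass entry has a non-zero on_value, so `if (!lvl) return 0;` right after `lvl = seclevel(t);` closes the gap. The bound `(len + io->on_siz) > 48` is looser than the 40 bytes of options an IP header can carry, and both the NOP pad and the final `IPOPT_EOL` are written after that check, so up to 50 bytes can go through `op`; the buffer behind `op` is caller-supplied and its size is not visible here, so either confirm it is sized for that or tighten the limit to 40 with the trailing bytes counted. strtok() also modifies `cp` in place and keeps static state, which is fine for a single-threaded rule parser but deserves a one-line comment on the function.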
diff --git a/usr.sbin/ipf/ipftest/test/.cvsignore b/usr.sbin/ipf/ipftest/test/.cvsignore
new file mode 100644
index 000000000000..d1b984295fe7
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/.cvsignore
@@ -0,0 +1,24 @@
+results
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+i1
+i2
+i3
+i4
+i5
+i6
+i7
+i8
+i9
+i10
+i11
diff --git a/usr.sbin/ipf/ipftest/test/Makefile b/usr.sbin/ipf/ipftest/test/Makefile
new file mode 100644
index 000000000000..d3bdcc24d2ff
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/Makefile
@@ -0,0 +1,39 @@
+#
+# (C)opyright 1993-1996 by Darren Reed.
+#
+# This code may be freely distributed as long as it retains this notice
+# and is not changed in any way. The author accepts no responsibility
+# for the use of this software. I hate legaleese, don't you ?
+#
+# where to put things.
+#
+BINDEST=/usr/local/bin
+SBINDEST=/sbin
+MANDIR=/usr/share/man
+
+tests: first 0 ftests ptests
+
+first:
+ -mkdir -p results
+
+# Filtering tests
+ftests: 1 2 3 4 5 6 7 8 9 10 11 12
+
+# Rule parsing tests
+ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+
+0:
+ @(cd ..; make ipftest; )
+
+1 2 3 4 5 6 7 8 9 10 11:
+ @./dotest $@
+
+12:
+ @./hextest $@
+
+i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
+ @./itest $@
+
+clean:
+ /bin/rm -f 1 2 3 4 5 6 7 8 9 10 11 12 results/*
+ /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
diff --git a/usr.sbin/ipf/ipftest/test/dotest b/usr.sbin/ipf/ipftest/test/dotest
new file mode 100644
index 000000000000..06d04c5e8c31
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/dotest
@@ -0,0 +1,26 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+/bin/cp /dev/null results/$1
+( while read rule; do
+ echo "$rule" | ../ipftest -br - -i input/$1 >> results/$1;
+ if [ $? -ne 0 ] ; then
+ exit 1;
+ fi
+done ) < regress/$1
+cmp expected/$1 results/$1
+status=$?
+if [ $status = 0 ] ; then
+ $TOUCH $1
+fi
+exit $status
diff --git a/usr.sbin/ipf/ipftest/test/expected/1 b/usr.sbin/ipf/ipftest/test/expected/1
new file mode 100644
index 000000000000..93b733336d39
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/expected/1
@@ -0,0 +1,16 @@
+block
+block
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+pass
+pass
diff --git a/usr.sbin/ipf/ipftest/test/expected/10 b/usr.sbin/ipf/ipftest/test/expected/10
new file mode 100644
index 000000000000..bc0d83ec88f2
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/expected/10
@@ -0,0 +1,108 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+block
+block
+block
+nomatch
+nomatch
+block
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+block
+block
+nomatch
+nomatch
+nomatch
+block
+pass
+pass
+nomatch
+nomatch
+nomatch
+pass
+block
+block
+block
+block
+block
+block
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+block
+block
+block
+nomatch
+block
+nomatch
+pass
+pass
+pass
+nomatch
+pass
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+pass
+pass
+pass
+pass
+pass
+block
+block
+nomatch
+block
+nomatch
+block
+pass
+pass
+nomatch
+pass
+nomatch
+pass
+block
+block
+block
+block
+block
+block
+pass
+pass
+pass
+pass
+pass
+pass
+block
+block
+block
+nomatch
+nomatch
+block
diff --git a/usr.sbin/ipf/ipftest/test/expected/11 b/usr.sbin/ipf/ipftest/test/expected/11
new file mode 100644
index 000000000000..eb00875e01a9
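Review bot: If none of the three touch binaries exists, `TOUCH` is never set and the success branch `$TOUCH $1` expands to running the test name itself as a command; give it a fallback before the if-chain, `TOUCH=touch`, so the script degrades to the one on PATH. The `exit 1` inside the `( while read rule; ... done ) < regress/$1` subshell only terminates the subshell and its status is discarded, so a failing ipftest invocation is noticed only if it happens to leave `results/$1` different from the expected file; appending `|| exit 1` to that subshell makes the failure fatal. Unquoted `$1` in the file paths is a style point but would misbehave on names containing whitespace.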
--- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/11 @@ -0,0 +1,66 @@ +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch diff --git a/usr.sbin/ipf/ipftest/test/expected/12 b/usr.sbin/ipf/ipftest/test/expected/12 new file mode 100644 index 000000000000..f94cf768273a --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/12 @@ -0,0 +1,54 @@ +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block diff --git a/usr.sbin/ipf/ipftest/test/expected/2 b/usr.sbin/ipf/ipftest/test/expected/2 new file mode 100644 index 000000000000..03b71cdb9ea9 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/2 @@ -0,0 +1,36 @@ +block +block +nomatch +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +nomatch +pass +pass diff --git a/usr.sbin/ipf/ipftest/test/expected/3 b/usr.sbin/ipf/ipftest/test/expected/3 new file mode 100644 index 000000000000..d06d92b3e02a --- /dev/null 
+++ b/usr.sbin/ipf/ipftest/test/expected/3 @@ -0,0 +1,40 @@ +nomatch +block +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +pass +pass +pass +nomatch +block +block +block +block +block +pass +pass +pass +pass +pass diff --git a/usr.sbin/ipf/ipftest/test/expected/4 b/usr.sbin/ipf/ipftest/test/expected/4 new file mode 100644 index 000000000000..d06d92b3e02a --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/4 @@ -0,0 +1,40 @@ +nomatch +block +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +pass +pass +pass +nomatch +block +block +block +block +block +pass +pass +pass +pass +pass diff --git a/usr.sbin/ipf/ipftest/test/expected/5 b/usr.sbin/ipf/ipftest/test/expected/5 new file mode 100644 index 000000000000..bc805805f136 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/5 
@@ -0,0 +1,1344 @@ +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block 
+block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch diff --git a/usr.sbin/ipf/ipftest/test/expected/6 b/usr.sbin/ipf/ipftest/test/expected/6 new file mode 100644 index 000000000000..bc805805f136 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/6 
@@ -0,0 +1,1344 @@ +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block 
+block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch diff --git a/usr.sbin/ipf/ipftest/test/expected/7 b/usr.sbin/ipf/ipftest/test/expected/7 new file mode 100644 index 000000000000..c53d6eaa0cb9 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/7 @@ -0,0 +1,54 @@ +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass diff --git a/usr.sbin/ipf/ipftest/test/expected/8 b/usr.sbin/ipf/ipftest/test/expected/8 new file mode 100644 index 000000000000..398058a5ec52 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/8 
@@ -0,0 +1,36 @@ +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +block +nomatch +nomatch +nomatch +pass +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch diff --git a/usr.sbin/ipf/ipftest/test/expected/9 b/usr.sbin/ipf/ipftest/test/expected/9 new file mode 100644 index 000000000000..a4572e6e94e0 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/9 @@ -0,0 +1,108 @@ +block +block +block +block +block +block +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +block +block +nomatch +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +nomatch diff --git a/usr.sbin/ipf/ipftest/test/expected/expected.sed b/usr.sbin/ipf/ipftest/test/expected/expected.sed new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/usr.sbin/ipf/ipftest/test/expected/i1 b/usr.sbin/ipf/ipftest/test/expected/i1 new file mode 100644 index 000000000000..f69e0553a874 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i1 
@@ -0,0 +1,11 @@ +pass in from any to any +block out from any to any +log in from any to any +log body in from any to any +count in from any to any +pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32 +block in log first on lo0(!) from any to any +pass in log body quick from any to any +block return-rst in quick on le0(!) proto tcp from any to any +block return-icmp in on qe0(!) from any to any +block return-icmp(host-unr) in on qe0(!) from any to any diff --git a/usr.sbin/ipf/ipftest/test/expected/i10 b/usr.sbin/ipf/ipftest/test/expected/i10 new file mode 100644 index 000000000000..57bd4ef6867f --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i10 @@ -0,0 +1,4 @@ +pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt sec +block in from any to any with not opt sec-class topsecret +block in from any to any with not opt sec-class topsecret,secret +pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass diff --git a/usr.sbin/ipf/ipftest/test/expected/i11 b/usr.sbin/ipf/ipftest/test/expected/i11 new file mode 100644 index 000000000000..9268c66a5abc --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i11 @@ -0,0 +1,4 @@ +pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state +block in log first on lo0(!) proto tcp/udp from any to any keep state +pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags +pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags diff --git a/usr.sbin/ipf/ipftest/test/expected/i2 b/usr.sbin/ipf/ipftest/test/expected/i2 new file mode 100644 index 000000000000..9d3398d3e11f --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i2 @@ -0,0 +1,6 @@ +log in proto tcp from any to any +pass in proto tcp from any to any +pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 +block in proto udp from any to any +block in proto 250 from any to any +pass in proto tcp/udp from any to any 
diff --git a/usr.sbin/ipf/ipftest/test/expected/i3 b/usr.sbin/ipf/ipftest/test/expected/i3 new file mode 100644 index 000000000000..4d70a94dd3d2 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i3 @@ -0,0 +1,8 @@ +log in from any to any +pass in from 128.0.0.0/24 to 128.0.0.0/16 +pass in from 128.0.0.0/24 to 128.0.0.0/16 +pass in from 128.0.0.0/24 to 128.0.0.0/16 +pass in from 128.0.0.0/24 to 128.0.0.0/16 +pass in from 128.0.0.0/24 to 128.0.0.0/16 +pass in from 127.0.0.1/32 to 127.0.0.1/32 +block in log from any to any diff --git a/usr.sbin/ipf/ipftest/test/expected/i4 b/usr.sbin/ipf/ipftest/test/expected/i4 new file mode 100644 index 000000000000..dfa3674db2a6 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i4 @@ -0,0 +1,7 @@ +log in proto tcp from any port > 0 to any +log in proto tcp from any to any port > 0 +pass in proto tcp from any port != 0 to any port 0 >< 65535 +pass in proto udp from 127.0.0.1/32 port > 32000 to 127.0.0.1/32 port < 29000 +block in proto udp from any port != 123 to any port < 123 +block in proto tcp from any port = 25 to any port > 25 +pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3 diff --git a/usr.sbin/ipf/ipftest/test/expected/i5 b/usr.sbin/ipf/ipftest/test/expected/i5 new file mode 100644 index 000000000000..3bcb10bf205e --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i5 @@ -0,0 +1,5 @@ +log in from any to any +count in tos 0x80 from any to any +pass in on ed0(!) tos 0x40 from 127.0.0.1/32 to 127.0.0.1/32 +block in log on lo0(!) ttl 0 from any to any +pass in quick ttl 1 from any to any diff --git a/usr.sbin/ipf/ipftest/test/expected/i6 b/usr.sbin/ipf/ipftest/test/expected/i6 new file mode 100644 index 000000000000..4849626fdcf0 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i6 
@@ -0,0 +1,4 @@ +pass in on lo0(!) fastroute from any to any +pass in on lo0(!) dup-to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32 +pass in on qe0(!) dup-to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32 +block in quick on qe0(!) to qe1(!) from any to any diff --git a/usr.sbin/ipf/ipftest/test/expected/i7 b/usr.sbin/ipf/ipftest/test/expected/i7 new file mode 100644 index 000000000000..2414f57b8281 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i7 @@ -0,0 +1,3 @@ +pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA +block in on lo0(!) proto tcp from any to any flags A/FSRPAU +pass in on lo0(!) proto tcp from any to any flags /SPA diff --git a/usr.sbin/ipf/ipftest/test/expected/i8 b/usr.sbin/ipf/ipftest/test/expected/i8 new file mode 100644 index 000000000000..77dc1775763e --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i8 @@ -0,0 +1,2 @@ +pass in proto icmp from 127.0.0.1/32 to 127.0.0.1/32 icmp-type timest +block in proto icmp from any to any icmp-type unreach code 1 diff --git a/usr.sbin/ipf/ipftest/test/expected/i9 b/usr.sbin/ipf/ipftest/test/expected/i9 new file mode 100644 index 000000000000..b36d864a6e5e --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/expected/i9 @@ -0,0 +1,5 @@ +pass in from 127.0.0.1/32 to 127.0.0.1/32 with short +block in from any to any with ipopt +pass in from any to any with opt nop,rr,zsu +pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr +pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag diff --git a/usr.sbin/ipf/ipftest/test/hextest b/usr.sbin/ipf/ipftest/test/hextest new file mode 100644 index 000000000000..76e1af5dcb02 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/hextest 
@@ -0,0 +1,23 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+/bin/cp /dev/null results/$1
+( while read rule; do
+ echo "$rule" | ../ipftest -br - -Hi input/$1 >> results/$1;
+done ) < regress/$1
+cmp expected/$1 results/$1
+status=$?
+if [ $status = 0 ] ; then
+ $TOUCH $1
+fi
+exit $status
diff --git a/usr.sbin/ipf/ipftest/test/input/1 b/usr.sbin/ipf/ipftest/test/input/1
new file mode 100644
index 000000000000..7c3ae8a3a3db
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/input/1
@@ -0,0 +1,4 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+out 127.0.0.1 127.0.0.1
+out 1.1.1.1 1.2.1.1
diff --git a/usr.sbin/ipf/ipftest/test/input/10 b/usr.sbin/ipf/ipftest/test/input/10
new file mode 100644
index 000000000000..254cee7316ff
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/input/10
@@ -0,0 +1,6 @@
+in 1.1.1.1 2.1.1.1 opt lsrr
+in 1.1.1.1 2.1.1.1
+in 1.1.1.1 2.1.1.1 opt ts
+in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt sec
diff --git a/usr.sbin/ipf/ipftest/test/input/11 b/usr.sbin/ipf/ipftest/test/input/11
new file mode 100644
index 000000000000..b6e2c1d977ad
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/input/11
@@ -0,0 +1,11 @@
+in tcp 1.1.1.1,1 2.1.2.2,23 S
+in tcp 1.1.1.1,1 2.1.2.2,23 A
+in tcp 2.1.2.2,23 1.1.1.1,1 A
+in tcp 1.1.1.1,1 2.1.2.2,23 F
+in tcp 1.1.1.1,1 2.1.2.2,23 A
+in tcp 1.1.1.1,2 2.1.2.2,23 A
+in udp 1.1.1.1,1 4.4.4.4,53
+in udp 2.2.2.2,2 4.4.4.4,53
+in udp 4.4.4.4,53 1.1.1.1,1
+in udp 4.4.4.4,1023 1.1.1.1,2049
+in udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/usr.sbin/ipf/ipftest/test/input/12 b/usr.sbin/ipf/ipftest/test/input/12
new file mode 100644
index 000000000000..5d9c1de3590d
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/input/12
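Review bot: The success path `$TOUCH $1` runs with TOUCH unset when none of the three probed paths exists, because the nested ifs assign nothing in that case, so the shell would then execute `$1` itself as the command; itest (added later in this commit) repeats the same construct. A fallback after the probe, `TOUCH=${TOUCH:-touch}`, or an explicit failure when no touch is found closes that gap, and the three-level nesting collapses to `for t in /usr/ucb/touch /usr/bin/touch /bin/touch; do [ -f "$t" ] && TOUCH=$t && break; done`. `$1` is also unquoted wherever it forms a path (`results/$1`, `input/$1`, `regress/$1`, `expected/$1`), so a test name containing whitespace would split into several arguments; quoting it as `"$1"` costs nothing.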
@@ -0,0 +1,35 @@ +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF SYN +45 00 0028 0000 4000 3f 06 0000 01010101 02010101 +0401 0019 00000000 00000000 50 02 2000 0000 0000 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF ACK +45 00 0028 0000 4000 3f 06 0000 01010101 02010101 +0401 0019 00000000 00000000 50 10 2000 0000 0000 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 ACK +45 00 0028 0000 6000 3f 06 0000 01010101 02010101 +0401 0019 00000000 00000000 50 10 2000 0000 0000 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0 +45 00 001c 0000 6000 3f 06 0000 01010101 02010101 +0401 0019 00000000 + +# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 ACK +45 00 001c 0000 6001 3f 06 0000 01010101 02010101 +00000000 50 10 2000 + +# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0 +45 00 0014 0000 6000 3f 11 0000 01010101 02010101 + +# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0 +45 00 0018 0000 2000 3f 11 0000 01010101 02010101 +0035 0035 + +# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 +45 00 001c 0000 2000 3f 11 0000 01010101 02010101 +0001 0001 0004 0000 + +# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0 +45 00 001c 0000 2000 3f 11 0000 01010101 02010101 +0035 0035 0004 0000 + diff --git a/usr.sbin/ipf/ipftest/test/input/13 b/usr.sbin/ipf/ipftest/test/input/13 new file mode 100644 index 000000000000..56ec16d99b83 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/13 
@@ -0,0 +1,39 @@ +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,MF,FO=0 SYN +45 00 0028 0001 4000 3f 06 0000 01010101 02010101 +0401 0019 00000000 00000000 50 02 2000 0000 0000 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP MF ACK +45 00 0024 0002 2000 3f 06 0000 01010101 02010101 +0401001900000000 0000000050102000 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP FO=2 ACK +45 00 002c 0002 0002 3f 06 0000 01010101 02010101 +0000000000010203 0405060708090a0b 0c0d0e0f10111213 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN +45 00 0028 0003 6000 3f 06 0000 01010101 02010101 +0401 0019 00000000 00000000 50 10 2000 0000 0000 + +# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0 +45 00 001c 0004 6000 3f 06 0000 01010101 02010101 +0401 0019 00000000 + +# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 SYN +45 00 001c 0005 6001 3f 06 0000 01010101 02010101 +00000000 50 10 2000 + +# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0 +45 00 0014 0006 6000 3f 11 0000 01010101 02010101 + +# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0 +45 00 0018 0007 2000 3f 11 0000 01010101 02010101 +0035 0035 + +# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 +45 00 001c 0008 2000 3f 11 0000 01010101 02010101 +0035003500040000 + +# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1 +45 00 001c 0008 0001 3f 11 0000 01010101 02010101 +0000000000000000 + diff --git a/usr.sbin/ipf/ipftest/test/input/2 b/usr.sbin/ipf/ipftest/test/input/2 new file mode 100644 index 000000000000..d168af0c716a --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/2 @@ -0,0 +1,6 @@ +in tcp 127.0.0.1,1 127.0.0.1,21 +in tcp 1.1.1.1,1 1.2.1.1,21 +in udp 127.0.0.1,1 127.0.0.1,21 +in udp 1.1.1.1,1 1.2.1.1,21 +in icmp 127.0.0.1 127.0.0.1 +in icmp 1.1.1.1 1.2.1.1 diff --git a/usr.sbin/ipf/ipftest/test/input/3 b/usr.sbin/ipf/ipftest/test/input/3 new file mode 100644 index 000000000000..16a806ffec7b --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/3 
@@ -0,0 +1,5 @@ +in 127.0.0.1 127.0.0.1 +in 1.1.1.1 1.2.1.1 +in 1.1.1.2 1.2.1.1 +in 1.1.2.2 1.2.1.1 +in 1.2.2.2 1.2.1.1 diff --git a/usr.sbin/ipf/ipftest/test/input/4 b/usr.sbin/ipf/ipftest/test/input/4 new file mode 100644 index 000000000000..2956d1b15454 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/4 @@ -0,0 +1,5 @@ +in 127.0.0.1 127.0.0.1 +in 1.1.1.1 1.1.1.1 +in 1.1.1.1 1.1.1.2 +in 1.1.1.1 1.1.2.2 +in 1.1.1.1 1.2.2.2 diff --git a/usr.sbin/ipf/ipftest/test/input/5 b/usr.sbin/ipf/ipftest/test/input/5 new file mode 100644 index 000000000000..41600c10763b --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/5 @@ -0,0 +1,28 @@ +in tcp 1.1.1.1,0 2.2.2.2,2222 +in tcp 1.1.1.1,1 2.2.2.2,2222 +in tcp 1.1.1.1,23 2.2.2.2,2222 +in tcp 1.1.1.1,21 2.2.2.2,2222 +in tcp 1.1.1.1,1023 2.2.2.2,2222 +in tcp 1.1.1.1,1024 2.2.2.2,2222 +in tcp 1.1.1.1,1025 2.2.2.2,2222 +in tcp 1.1.1.1,32767 2.2.2.2,2222 +in tcp 1.1.1.1,32768 2.2.2.2,2222 +in tcp 1.1.1.1,65535 2.2.2.2,2222 +in tcp 1.1.1.1,5999 2.2.2.2,2222 +in tcp 1.1.1.1,6000 2.2.2.2,2222 +in tcp 1.1.1.1,6009 2.2.2.2,2222 +in tcp 1.1.1.1,6010 2.2.2.2,2222 +in udp 1.1.1.1,0 2.2.2.2,2222 +in udp 1.1.1.1,1 2.2.2.2,2222 +in udp 1.1.1.1,23 2.2.2.2,2222 +in udp 1.1.1.1,21 2.2.2.2,2222 +in udp 1.1.1.1,1023 2.2.2.2,2222 +in udp 1.1.1.1,1024 2.2.2.2,2222 +in udp 1.1.1.1,1025 2.2.2.2,2222 +in udp 1.1.1.1,32767 2.2.2.2,2222 +in udp 1.1.1.1,32768 2.2.2.2,2222 +in udp 1.1.1.1,65535 2.2.2.2,2222 +in udp 1.1.1.1,5999 2.2.2.2,2222 +in udp 1.1.1.1,6000 2.2.2.2,2222 +in udp 1.1.1.1,6009 2.2.2.2,2222 +in udp 1.1.1.1,6010 2.2.2.2,2222 diff --git a/usr.sbin/ipf/ipftest/test/input/6 b/usr.sbin/ipf/ipftest/test/input/6 new file mode 100644 index 000000000000..21f0be3336c5 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/6 
@@ -0,0 +1,28 @@ +in tcp 2.2.2.2,2222 1.1.1.1,0 +in tcp 2.2.2.2,2222 1.1.1.1,1 +in tcp 2.2.2.2,2222 1.1.1.1,23 +in tcp 2.2.2.2,2222 1.1.1.1,21 +in tcp 2.2.2.2,2222 1.1.1.1,1023 +in tcp 2.2.2.2,2222 1.1.1.1,1024 +in tcp 2.2.2.2,2222 1.1.1.1,1025 +in tcp 2.2.2.2,2222 1.1.1.1,32767 +in tcp 2.2.2.2,2222 1.1.1.1,32768 +in tcp 2.2.2.2,2222 1.1.1.1,65535 +in tcp 2.2.2.2,2222 1.1.1.1,5999 +in tcp 2.2.2.2,2222 1.1.1.1,6000 +in tcp 2.2.2.2,2222 1.1.1.1,6009 +in tcp 2.2.2.2,2222 1.1.1.1,6010 +in udp 2.2.2.2,2222 1.1.1.1,0 +in udp 2.2.2.2,2222 1.1.1.1,1 +in udp 2.2.2.2,2222 1.1.1.1,23 +in udp 2.2.2.2,2222 1.1.1.1,21 +in udp 2.2.2.2,2222 1.1.1.1,1023 +in udp 2.2.2.2,2222 1.1.1.1,1024 +in udp 2.2.2.2,2222 1.1.1.1,1025 +in udp 2.2.2.2,2222 1.1.1.1,32767 +in udp 2.2.2.2,2222 1.1.1.1,32768 +in udp 2.2.2.2,2222 1.1.1.1,65535 +in udp 2.2.2.2,2222 1.1.1.1,5999 +in udp 2.2.2.2,2222 1.1.1.1,6000 +in udp 2.2.2.2,2222 1.1.1.1,6009 +in udp 2.2.2.2,2222 1.1.1.1,6010 diff --git a/usr.sbin/ipf/ipftest/test/input/7 b/usr.sbin/ipf/ipftest/test/input/7 new file mode 100644 index 000000000000..2721af2fb71e --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/7 @@ -0,0 +1,9 @@ +in icmp 1.1.1.1 2.1.1.1 echo +in icmp 1.1.1.1 2.1.1.1 echo,1 +in icmp 1.1.1.1 2.1.1.1 echo,3 +in icmp 1.1.1.1 2.1.1.1 unreach +in icmp 1.1.1.1 2.1.1.1 unreach,1 +in icmp 1.1.1.1 2.1.1.1 unreach,3 +in icmp 1.1.1.1 2.1.1.1 echorep +in icmp 1.1.1.1 2.1.1.1 echorep,1 +in icmp 1.1.1.1 2.1.1.1 echorep,3 diff --git a/usr.sbin/ipf/ipftest/test/input/8 b/usr.sbin/ipf/ipftest/test/input/8 new file mode 100644 index 000000000000..cace511fbeb8 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/input/8 @@ -0,0 +1,6 @@ +in tcp 1.1.1.1,1 2.1.2.2,1 S +in tcp 1.1.1.1,1 2.1.2.2,1 SA +in tcp 1.1.1.1,1 2.1.2.2,1 SF +in tcp 1.1.1.1,1 2.1.2.2,1 SFPAUR +in tcp 1.1.1.1,1 2.1.2.2,1 PAU +in tcp 1.1.1.1,1 2.1.2.2,1 A diff --git a/usr.sbin/ipf/ipftest/test/input/9 b/usr.sbin/ipf/ipftest/test/input/9 new file mode 100644 index 000000000000..33f3be392a7d 
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/input/9
@@ -0,0 +1,6 @@
+in 1.1.1.1 2.1.1.1 opt lsrr
+in 1.1.1.1 2.1.1.1 opt lsrr,ssrr
+in 1.1.1.1 2.1.1.1 opt ts
+in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt sec
diff --git a/usr.sbin/ipf/ipftest/test/input/input.sed b/usr.sbin/ipf/ipftest/test/input/input.sed
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/usr.sbin/ipf/ipftest/test/itest b/usr.sbin/ipf/ipftest/test/itest
new file mode 100644
index 000000000000..c1b5f573d543
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/itest
@@ -0,0 +1,21 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+/bin/cp /dev/null results/$1
+../ipf -nvf regress/$1 2>/dev/null > results/$1
+cmp expected/$1 results/$1
+status=$?
+if [ $status = 0 ] ; then
+ $TOUCH $1
+fi
+exit $status
diff --git a/usr.sbin/ipf/ipftest/test/regress/1 b/usr.sbin/ipf/ipftest/test/regress/1
new file mode 100644
index 000000000000..6a2ede9e31c0
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/1
@@ -0,0 +1,4 @@
+block in all
+pass in all
+block out all
+pass out all
diff --git a/usr.sbin/ipf/ipftest/test/regress/10 b/usr.sbin/ipf/ipftest/test/regress/10
new file mode 100644
index 000000000000..444737a59b1c
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/10
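Review bot: `../ipf -nvf regress/$1 2>/dev/null > results/$1` discards ipf's stderr, so a rule that fails to parse shows up only as a `cmp` mismatch with no diagnostic of why; keeping stderr beside the result, `2> results/$1.err`, or leaving it on the terminal makes a failed run debuggable. The exit status of ipf itself is also never consulted, so a crash that leaves results/$1 empty is reported only indirectly through cmp. The unset-TOUCH problem noted on hextest applies to this script as well.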
@@ -0,0 +1,18 @@ +block in from any to any and not ipopts +pass in from any to any and not opt sec-class topsecret +block in from any to any and not opt ssrr,sec-class topsecret +pass in from any to any and not opt ssrr,sec-class topsecret +block in from any to any and not opt ts,sec-class topsecret +pass in from any to any and not opt ts,sec-class topsecret +block in from any to any and not opt sec-class secret +pass in from any to any and not opt sec-class secret +block in from any to any and not opt lsrr,ssrr +pass in from any to any and not opt lsrr,ssrr +pass in from any to any and not ipopts +block in from any to any and not opt lsrr +pass in from any to any and not opt lsrr +block in from any to any and not opt ssrr,ts +pass in from any to any and not opt ssrr,ts +block in from any to any and not opt rr +pass in from any to any and not opt rr +block in from any to any and not opt sec-class topsecret diff --git a/usr.sbin/ipf/ipftest/test/regress/11 b/usr.sbin/ipf/ipftest/test/regress/11 new file mode 100644 index 000000000000..0bf0a2a7322d --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/11 @@ -0,0 +1,6 @@ +pass in proto tcp from any to any port = 23 flags S/SA keep state +block in proto tcp from any to any port = 23 flags S/SA keep state +pass in proto udp from any to any port = 53 keep frags +block in proto udp from any to any port = 53 keep frags +pass in proto udp from any to any port = 53 keep state +block in proto udp from any to any port = 53 keep state diff --git a/usr.sbin/ipf/ipftest/test/regress/12 b/usr.sbin/ipf/ipftest/test/regress/12 new file mode 100644 index 000000000000..c29f839aa502 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/12 
@@ -0,0 +1,6 @@ +pass in proto tcp from any port > 1024 to any port = 25 with not short +pass in proto tcp from any port > 1024 to any port = 25 +block in proto tcp from any to any with short +block in proto tcp from any to any with frag +pass in proto udp from any port = 53 to any port = 53 +block in proto udp from any port = 53 to any port = 53 with not short diff --git a/usr.sbin/ipf/ipftest/test/regress/13 b/usr.sbin/ipf/ipftest/test/regress/13 new file mode 100644 index 000000000000..f123e4781c86 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/13 @@ -0,0 +1,6 @@ +pass in proto tcp from any to any port = 25 flags S/SA keep frags +block in proto tcp from any to any port = 25 flags S/SA keep frags +pass in proto udp from any to any port = 53 keep frags +block in proto udp from any to any port = 53 keep frags +pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags +block in proto tcp from any to any port = 25 flags S/SA keep state keep frags diff --git a/usr.sbin/ipf/ipftest/test/regress/2 b/usr.sbin/ipf/ipftest/test/regress/2 new file mode 100644 index 000000000000..e2f02a46e283 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/2 @@ -0,0 +1,6 @@ +block in proto tcp from any to any +pass in proto tcp from any to any +block in proto udp from any to any +pass in proto udp from any to any +block in proto icmp from any to any +pass in proto icmp from any to any diff --git a/usr.sbin/ipf/ipftest/test/regress/3 b/usr.sbin/ipf/ipftest/test/regress/3 new file mode 100644 index 000000000000..ee80729cfc9b --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/3 @@ -0,0 +1,8 @@ +block in from 1.1.1.1 to any +pass in from 1.1.1.1 to any +block in from 1.1.1.1/24 to any +pass in from 1.1.1.1/24 to any +block in from 1.1.1.1/16 to any +pass in from 1.1.1.1/16 to any +block in from 1.1.1.1/0 to any +pass in from 1.1.1.1/0 to any 
diff --git a/usr.sbin/ipf/ipftest/test/regress/4 b/usr.sbin/ipf/ipftest/test/regress/4 new file mode 100644 index 000000000000..bc8af2f0cae2 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/4 @@ -0,0 +1,8 @@ +block in from any to 1.1.1.1 +pass in from any to 1.1.1.1 +block in from any to 1.1.1.1/24 +pass in from any to 1.1.1.1/24 +block in from any to 1.1.1.1/16 +pass in from any to 1.1.1.1/16 +block in from any to 1.1.1.1/0 +pass in from any to 1.1.1.1/0 diff --git a/usr.sbin/ipf/ipftest/test/regress/5 b/usr.sbin/ipf/ipftest/test/regress/5 new file mode 100644 index 000000000000..998eabd4b10b --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/5 
@@ -0,0 +1,48 @@ +block in proto tcp from any port = 23 to any +block in proto udp from any port = 23 to any +block in proto tcp/udp from any port = 23 to any +pass in proto tcp from any port <= 1023 to any +pass in proto udp from any port <= 1023 to any +pass in proto tcp/udp from any port <= 1023 to any +block in proto tcp from any port >= 1024 to any +block in proto udp from any port >= 1024 to any +block in proto tcp/udp from any port >= 1024 to any +pass in proto tcp from any port >= 1024 to any +pass in proto udp from any port >= 1024 to any +pass in proto tcp/udp from any port >= 1024 to any +block in proto tcp from any port 0 >< 512 to any +block in proto udp from any port 0 >< 512 to any +block in proto tcp/udp from any port 0 >< 512 to any +pass in proto tcp from any port 0 >< 512 to any +pass in proto udp from any port 0 >< 512 to any +pass in proto tcp/udp from any port 0 >< 512 to any +block in proto tcp from any port 6000 <> 6009 to any +block in proto udp from any port 6000 <> 6009 to any +block in proto tcp/udp from any port 6000 <> 6009 to any +pass in proto tcp from any port 6000 <> 6009 to any +pass in proto udp from any port 6000 <> 6009 to any +pass in proto tcp/udp from any port 6000 <> 6009 to any +pass in proto tcp from any port = 23 to any +pass in proto udp from any port = 23 to any +pass in proto tcp/udp from any port = 23 to any +block in proto tcp from any port != 21 to any +block in proto udp from any port != 21 to any +block in proto tcp/udp from any port != 21 to any +pass in proto tcp from any port != 21 to any +pass in proto udp from any port != 21 to any +pass in proto tcp/udp from any port != 21 to any +block in proto tcp from any port < 1024 to any +block in proto udp from any port < 1024 to any +block in proto tcp/udp from any port < 1024 to any +pass in proto tcp from any port < 1024 to any +pass in proto udp from any port < 1024 to any +pass in proto tcp/udp from any port < 1024 to any +block in proto tcp from any port > 1023 
to any +block in proto udp from any port > 1023 to any +block in proto tcp/udp from any port > 1023 to any +pass in proto tcp from any port > 1023 to any +pass in proto udp from any port > 1023 to any +pass in proto tcp/udp from any port > 1023 to any +block in proto tcp from any port <= 1023 to any +block in proto udp from any port <= 1023 to any +block in proto tcp/udp from any port <= 1023 to any diff --git a/usr.sbin/ipf/ipftest/test/regress/6 b/usr.sbin/ipf/ipftest/test/regress/6 new file mode 100644 index 000000000000..291f09adcdbc --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/6 
@@ -0,0 +1,48 @@ +block in proto tcp from any to any port = 23 +block in proto udp from any to any port = 23 +block in proto tcp/udp from any to any port = 23 +pass in proto tcp from any to any port <= 1023 +pass in proto udp from any to any port <= 1023 +pass in proto tcp/udp from any to any port <= 1023 +block in proto tcp from any to any port >= 1024 +block in proto udp from any to any port >= 1024 +block in proto tcp/udp from any to any port >= 1024 +pass in proto tcp from any to any port >= 1024 +pass in proto udp from any to any port >= 1024 +pass in proto tcp/udp from any to any port >= 1024 +block in proto tcp from any to any port 0 >< 512 +block in proto udp from any to any port 0 >< 512 +block in proto tcp/udp from any to any port 0 >< 512 +pass in proto tcp from any to any port 0 >< 512 +pass in proto udp from any to any port 0 >< 512 +pass in proto tcp/udp from any to any port 0 >< 512 +block in proto tcp from any to any port 6000 <> 6009 +block in proto udp from any to any port 6000 <> 6009 +block in proto tcp/udp from any to any port 6000 <> 6009 +pass in proto tcp from any to any port 6000 <> 6009 +pass in proto udp from any to any port 6000 <> 6009 +pass in proto tcp/udp from any to any port 6000 <> 6009 +pass in proto tcp from any to any port = 23 +pass in proto udp from any to any port = 23 +pass in proto tcp/udp from any to any port = 23 +block in proto tcp from any to any port != 21 +block in proto udp from any to any port != 21 +block in proto tcp/udp from any to any port != 21 +pass in proto tcp from any to any port != 21 +pass in proto udp from any to any port != 21 +pass in proto tcp/udp from any to any port != 21 +block in proto tcp from any to any port < 1024 +block in proto udp from any to any port < 1024 +block in proto tcp/udp from any to any port < 1024 +pass in proto tcp from any to any port < 1024 +pass in proto udp from any to any port < 1024 +pass in proto tcp/udp from any to any port < 1024 +block in proto tcp from any to any port 
> 1023 +block in proto udp from any to any port > 1023 +block in proto tcp/udp from any to any port > 1023 +pass in proto tcp from any to any port > 1023 +pass in proto udp from any to any port > 1023 +pass in proto tcp/udp from any to any port > 1023 +block in proto tcp from any to any port <= 1023 +block in proto udp from any to any port <= 1023 +block in proto tcp/udp from any to any port <= 1023 diff --git a/usr.sbin/ipf/ipftest/test/regress/7 b/usr.sbin/ipf/ipftest/test/regress/7 new file mode 100644 index 000000000000..6848a688a374 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/7 @@ -0,0 +1,6 @@ +block in proto icmp from any to any icmp-type echo +pass in proto icmp from any to any icmp-type echo +block in proto icmp from any to any icmp-type unreach code 3 +pass in proto icmp from any to any icmp-type unreach code 3 +block in proto icmp from any to any icmp-type echorep +pass in proto icmp from any to any icmp-type echorep diff --git a/usr.sbin/ipf/ipftest/test/regress/8 b/usr.sbin/ipf/ipftest/test/regress/8 new file mode 100644 index 000000000000..0f28fd261148 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/8 @@ -0,0 +1,6 @@ +block in proto tcp from any to any flags S +pass in proto tcp from any to any flags S +block in proto tcp from any to any flags S/SA +pass in proto tcp from any to any flags S/SA +block in proto tcp from any to any flags S/APU +pass in proto tcp from any to any flags S/APU diff --git a/usr.sbin/ipf/ipftest/test/regress/9 b/usr.sbin/ipf/ipftest/test/regress/9 new file mode 100644 index 000000000000..17bc96737877 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/9 
@@ -0,0 +1,18 @@ +block in from any to any with ipopts +pass in from any to any with opt sec-class topsecret +block in from any to any with opt ssrr,sec-class topsecret +pass in from any to any with opt ssrr,sec-class topsecret +block in from any to any with opt ts,sec-class topsecret +pass in from any to any with opt ts,sec-class topsecret +block in from any to any with opt sec-class secret +pass in from any to any with opt sec-class secret +block in from any to any with opt lsrr,ssrr +pass in from any to any with opt lsrr,ssrr +pass in from any to any with ipopts +block in from any to any with opt lsrr +pass in from any to any with opt lsrr +block in from any to any with opt ssrr,ts +pass in from any to any with opt ssrr,ts +block in from any to any with opt rr +pass in from any to any with opt rr +block in from any to any with opt sec-class topsecret diff --git a/usr.sbin/ipf/ipftest/test/regress/i1 b/usr.sbin/ipf/ipftest/test/regress/i1 new file mode 100644 index 000000000000..583cd8b5b770 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/i1 @@ -0,0 +1,11 @@ +pass in all +block out all +log in all +log body in all +count in from any to any +pass in on ed0 from localhost to localhost +block in log first on lo0 from any to any +pass in log body quick from any to any +block return-rst in quick on le0 proto tcp from any to any +block return-icmp in on qe0 from any to any +block return-icmp(1) in on qe0 from any to any diff --git a/usr.sbin/ipf/ipftest/test/regress/i10 b/usr.sbin/ipf/ipftest/test/regress/i10 new file mode 100644 index 000000000000..ece27126f0af --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/i10 @@ -0,0 +1,4 @@ +pass in from localhost to localhost with opt sec +block in from any to any with not opt sec-class topsecret +block in from any to any with not opt sec-class topsecret,secret +pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass 
diff --git a/usr.sbin/ipf/ipftest/test/regress/i11 b/usr.sbin/ipf/ipftest/test/regress/i11 new file mode 100644 index 000000000000..c257f513eab3 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/i11 @@ -0,0 +1,4 @@ +pass in on ed0 proto tcp from localhost to localhost port = telnet keep state +block in log first on lo0 proto tcp/udp from any to any keep state +pass in proto udp from localhost to localhost port = 2049 keep frags +pass in proto udp from localhost to localhost port = 53 keep state keep frags diff --git a/usr.sbin/ipf/ipftest/test/regress/i2 b/usr.sbin/ipf/ipftest/test/regress/i2 new file mode 100644 index 000000000000..101deaa30512 --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/i2 @@ -0,0 +1,6 @@ +log in proto tcp all +pass in proto 6 from any to any +pass in proto udp from localhost to localhost +block in proto 17 from any to any +block in proto 250 from any to any +pass in proto tcp/udp from any to any diff --git a/usr.sbin/ipf/ipftest/test/regress/i3 b/usr.sbin/ipf/ipftest/test/regress/i3 new file mode 100644 index 000000000000..e69663ee7a0d --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/i3 @@ -0,0 +1,8 @@ +log in all +pass in from 128.0.0.1/24 to 128.0.0.1/16 +pass in from 128.0.0.1/0xffffff00 to 128.0.0.1/0xffff0000 +pass in from 128.0.0.1/255.255.255.0 to 128.0.0.1/255.255.0.0 +pass in from 128.0.0.1 mask 0xffffff00 to 128.0.0.1 mask 0xffff0000 +pass in from 128.0.0.1 mask 255.255.255.0 to 128.0.0.1 mask 255.255.0.0 +pass in from localhost to localhost +block in log from 0/0 to 0/0 diff --git a/usr.sbin/ipf/ipftest/test/regress/i4 b/usr.sbin/ipf/ipftest/test/regress/i4 new file mode 100644 index 000000000000..1095ed97c91a --- /dev/null +++ b/usr.sbin/ipf/ipftest/test/regress/i4 
@@ -0,0 +1,7 @@
+log in proto tcp from any port > 0 to any
+log in proto tcp from any to any port > 0
+pass in proto 6 from any port != 0 to any port 0 >< 65535
+pass in proto 17 from localhost port > 32000 to localhost port < 29000
+block in proto udp from any port != ntp to any port < ntp
+block in proto tcp from any port = smtp to any port > 25
+pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
diff --git a/usr.sbin/ipf/ipftest/test/regress/i5 b/usr.sbin/ipf/ipftest/test/regress/i5
new file mode 100644
index 000000000000..38482f3a584e
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/i5
@@ -0,0 +1,5 @@
+log in all
+count in tos 0x80 from any to any
+pass in on ed0 tos 64 from localhost to localhost
+block in log on lo0 ttl 0 from any to any
+pass in quick ttl 1 from any to any
diff --git a/usr.sbin/ipf/ipftest/test/regress/i6 b/usr.sbin/ipf/ipftest/test/regress/i6
new file mode 100644
index 000000000000..a35633bfd411
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/i6
@@ -0,0 +1,4 @@
+pass in on lo0 fastroute from any to any
+pass in on lo0 dup-to qe0 from localhost to localhost
+pass in on qe0 dup-to qe0:127.0.0.1 from localhost to localhost
+block in quick on qe0 to qe1 from any to any
diff --git a/usr.sbin/ipf/ipftest/test/regress/i7 b/usr.sbin/ipf/ipftest/test/regress/i7
new file mode 100644
index 000000000000..9cb35723c67e
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/i7
@@ -0,0 +1,3 @@
+pass in on ed0 proto tcp from localhost to localhost port = 23 flags S/SA
+block in on lo0 proto tcp from any to any flags A
+pass in on lo0 proto tcp from any to any flags /SAP
diff --git a/usr.sbin/ipf/ipftest/test/regress/i8 b/usr.sbin/ipf/ipftest/test/regress/i8
new file mode 100644
index 000000000000..bde6ed52900e
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/i8
@@ -0,0 +1,2 @@
+pass in proto icmp from localhost to localhost icmp-type timest
+block in proto icmp from any to any icmp-type unreach code 1
diff --git a/usr.sbin/ipf/ipftest/test/regress/i9 b/usr.sbin/ipf/ipftest/test/regress/i9
new file mode 100644
index 000000000000..327cff45651d
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/regress/i9
@@ -0,0 +1,5 @@
+pass in from localhost to localhost with short
+block in from any to any with ipopts
+pass in from any to any with opt nop,rr,zsu
+pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr
+pass in from localhost to localhost with not frag
diff --git a/usr.sbin/ipf/ipftest/test/regress/regress.sed b/usr.sbin/ipf/ipftest/test/regress/regress.sed
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/usr.sbin/ipf/ipftest/test/test.sed b/usr.sbin/ipf/ipftest/test/test.sed
new file mode 100644
index 000000000000..3ce0cb16415e
--- /dev/null
+++ b/usr.sbin/ipf/ipftest/test/test.sed
@@ -0,0 +1,6 @@
+ Ç . Ä..0þ CVSGexpected0ÇinputDG$regress +  +.cvsignore +!Makefile +"dotest +#hextest
diff --git a/usr.sbin/ipf/ipmon/Makefile b/usr.sbin/ipf/ipmon/Makefile
index 1b117ac6c62b..3db67ba382a5 100644
--- a/usr.sbin/ipf/ipmon/Makefile
+++ b/usr.sbin/ipf/ipmon/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $
+# $NetBSD: Makefile,v 1.1.1.2 1997/03/29 02:49:46 darrenr Exp $
 PROG= ipmon
 MAN= ipmon.8
-CFLAGS+= -DLOGFAC=LOG_LOCAL0 -I${.CURDIR}/../../../sbin/ipf
+CFLAGS+= -DLOGFAC=LOG_LOCAL0 -I${.CURDIR}/../../sbin/ipf
+.PATH: .${CURDIR}/../../sbin/ipf
 .include
diff --git a/usr.sbin/ipf/ipnat/Makefile b/usr.sbin/ipf/ipnat/Makefile
index 7993f0192731..7f53aed91ae9 100644
--- a/usr.sbin/ipf/ipnat/Makefile
+++ b/usr.sbin/ipf/ipnat/Makefile
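Review bot: The six lines added as test/test.sed are not a sed script: the first is binary residue (`Ç . Ä..0þ CVSGexpected0ÇinputDG$regress`) and the rest are file names (`.cvsignore`, `Makefile`, `dotest`, `hextest`) each prefixed by a stray byte, which reads like a fragment of a directory or archive index imported in place of the intended file. Any harness that runs `sed -f test.sed` over the test output will either abort on the garbage or apply whatever those bytes happen to parse as, so the expected/actual comparison cannot be trusted until the real script is restored. The sibling regress/regress.sed is created in the same commit with no content at all (no hunk follows its header), so both sed filters should be re-checked against the source they were imported from before this lands.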
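Review bot: The new `.PATH:` line in ipmon/Makefile writes `.${CURDIR}/../../sbin/ipf`, which misplaces the dot: BSD make's variable is `.CURDIR`, so `${CURDIR}` expands to nothing (or to whatever the environment happens to supply) and the source search path becomes a cwd-relative `./../../sbin/ipf`, which only works when make is invoked from that directory. The `CFLAGS+=` line in the same hunk and the `.PATH:` line in the ipnat/Makefile hunk both use `${.CURDIR}`; the line should read `.PATH: ${.CURDIR}/../../sbin/ipf`.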
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 1997/01/05 13:09:04 mrg Exp $
+# $NetBSD: Makefile,v 1.1.1.2 1997/03/29 02:50:04 darrenr Exp $
 PROG= ipnat
 SRCS= kmem.c ipnat.c
 MAN= ipnat.8 ipnat.4 ipnat.5
-CFLAGS+= -I${.CURDIR}/../../../sbin/ipf -I${.CURDIR}/../ipfstat
+CFLAGS+= -I${.CURDIR}/../../sbin/ipf -I${.CURDIR}/../ipfstat
-.PATH: ${.CURDIR}/../ipfstat
+.PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../ipfstat
 .include
diff --git a/usr.sbin/ipf/ipnat/ipnat.8 b/usr.sbin/ipf/ipnat/ipnat.8
index 1eb4254c4311..c61e03bcd359 100644
--- a/usr.sbin/ipf/ipnat/ipnat.8
+++ b/usr.sbin/ipf/ipnat/ipnat.8
@@ -4,7 +4,7 @@ ipnat \- user interface to the NAT
 .SH SYNOPSIS
 .B ipnat
 [
-.B \-lnrsv
+.B \-lnrsvCF
 ]
 .B \-f <\fIfilename\fP>
 .SH DESCRIPTION
@@ -18,6 +18,13 @@ Rules are added to the end of the internal lists, matching the order in
 which they appear when given to \fBipnat\fP.
 .SH OPTIONS
 .TP
+.B \-C
+delete all entries in the current NAT listing (NAT rules)
+.TP
+.B \-F
+delete all active entries in the current NAT table (currently active
+NAT mappings)
+.TP
 .B \-l
 Show the list of current NAT table entry mappings.
 .TP