authordarrenr <darrenr@FreeBSD.org>2005-04-25 17:31:50 +0000
committerdarrenr <darrenr@FreeBSD.org>2005-04-25 17:31:50 +0000
commitd438802dcb3e270d6fcc65f075c808c64853a7c2 (patch)
treee2e1c7115044e6dfc86ff65598566fa32e5f7421 /contrib/ipfilter/perl
parent590450fec65a8e72a8965117398bc8f14938b4a8 (diff)
downloadFreeBSD-src-d438802dcb3e270d6fcc65f075c808c64853a7c2.zip
FreeBSD-src-d438802dcb3e270d6fcc65f075c808c64853a7c2.tar.gz
import ipfilter 4.1.8 into the vendor branch
Diffstat (limited to 'contrib/ipfilter/perl')
-rw-r--r--contrib/ipfilter/perl/ipf-mrtg.pl2
-rw-r--r--contrib/ipfilter/perl/ipfmeta.pl210
-rw-r--r--contrib/ipfilter/perl/logfilter.pl2
3 files changed, 212 insertions, 2 deletions
diff --git a/contrib/ipfilter/perl/ipf-mrtg.pl b/contrib/ipfilter/perl/ipf-mrtg.pl
index cce30ab..a96a7cd 100644
--- a/contrib/ipfilter/perl/ipf-mrtg.pl
+++ b/contrib/ipfilter/perl/ipf-mrtg.pl
@@ -19,4 +19,4 @@ print "$in_pkts\n",
my $uptime = `/usr/bin/uptime`;
$uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/;
print "$2 $3\n",
- "$firewall\n"; \ No newline at end of file
+ "$firewall\n";
diff --git a/contrib/ipfilter/perl/ipfmeta.pl b/contrib/ipfilter/perl/ipfmeta.pl
new file mode 100644
index 0000000..1a7bb3f
--- /dev/null
+++ b/contrib/ipfilter/perl/ipfmeta.pl
@@ -0,0 +1,210 @@
+#!/usr/bin/perl -w
+#
+# Written by Camiel Dobbelaar <cd@sentia.nl>, Aug-2000
+# ipfmeta is in the Public Domain.
+#
+
+use strict;
+use Getopt::Std;
+
+## PROCESS COMMANDLINE
+our($opt_v); $opt_v=1;
+getopts('v:') || die "usage: ipfmeta [-v verboselevel] [objfile]\n";
+my $verbose = $opt_v + 0;
+my $objfile = shift || "ipf.objs";
+my $MAXRECURSION = 10;
+
+## READ OBJECTS
+open(FH, "$objfile") || die "cannot open $objfile: $!\n";
+my @tokens;
+while (<FH>) {
+ chomp;
+ s/#.*$//; # remove comments
+ s/^\s+//; # compress whitespace
+ s/\s+$//;
+ next if m/^$/; # skip empty lines
+ push (@tokens, split);
+}
+close(FH) || die "cannot close $objfile: $!\n";
+# link objects with their values
+my $obj="";
+my %objs;
+while (@tokens) {
+ my $token = shift(@tokens);
+ if ($token =~ m/^\[([^]]*)\]$/) {
+ # new object
+ $obj = $1;
+ } else {
+ # new value
+ push(@{$objs{$obj}}, $token) unless ($obj eq "");
+ }
+}
+
+# sort objects: longest first
+my @objs = sort { length($b) <=> length($a) } keys %objs;
+
+## SUBSTITUTE OBJECTS WITH THEIR VALUES FROM STDIN
+foreach (<STDIN>) {
+ foreach (expand($_, 0)) {
+ print;
+ }
+}
+
+## END
+
+sub expand {
+ my $line = shift;
+ my $level = shift;
+ my @retlines = $line;
+ my $obj;
+ my $val;
+
+ # coarse protection
+ if ($level > $MAXRECURSION) {
+ print STDERR "ERR: recursion exceeds $MAXRECURSION levels\n";
+ return;
+ }
+
+ foreach $obj (@objs) {
+ if ($line =~ m/$obj/) {
+ @retlines = "";
+ if ($level < $verbose) {
+ # add metarule as a comment
+ push(@retlines, "# ".$line);
+ }
+ foreach $val (@{$objs{$obj}}) {
+ my $newline = $line;
+ $newline =~ s/$obj/$val/;
+ push(@retlines, expand($newline, $level+1));
+ }
+ last;
+ }
+ }
+
+ return @retlines;
+}
+
+__END__
+
+=head1 NAME
+
+B<ipfmeta> - use objects in IP filter files
+
+=head1 SYNOPSIS
+
+B<ipfmeta> [F<options>] [F<objfile>]
+
+=head1 DESCRIPTION
+
+B<ipfmeta> is used to simplify the maintenance of your IP filter
+ruleset. It does this through the use of 'objects'. A matching
+object gets replaced by its values at runtime. This is similar to
+what a macro processor like m4 does.
+
+B<ipfmeta> is specifically geared towards IP filter. It is line
+oriented, if an object has multiple values, the line with the object
+is duplicated and substituted for each value. It is also recursive,
+an object may have another object as a value.
+
+Rules to be processed are read from stdin, output goes to stdout.
+
+The verbose option allows for the inclusion of the metarules in the
+output as comments.
+
+Definition of the objects and their values is done in a separate
+file, the filename defaults to F<ipf.objs>. An object is delimited
+by square brackets. A value is delimited by whitespace. Comments
+start with '#' and end with a newline. Empty lines and extraneous
+whitespace are allowed. A value belongs to the first object that
+precedes it.
+
+It is recommended that you use all caps or another distinguishing
+feature for object names. You can use B<ipfmeta> for NAT rules also,
+for instance to keep them in sync with filter rules. Combine
+B<ipfmeta> with a Makefile to save typing.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-v> I<verboselevel>
+
+Include metarules in output as comments. Default is 1, the top level
+metarules. Higher levels cause expanded metarules to be included.
+Level 0 does not add comments at all.
+
+=back
+
+=head1 BUGS
+
+A value can not have whitespace in it.
+
+=head1 EXAMPLE
+
+(this does not look good, formatted)
+
+I<ipf.objs>
+
+[PRIVATE] 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
+[MULTICAST] 224.0.0.0/4
+
+[UNWANTED] PRIVATE MULTICAST
+
+[NOC] xxx.yy.zz.1/32 xxx.yy.zz.2/32
+
+[WEBSERVERS] 192.168.1.1/32 192.168.1.2/32
+
+[MGMT-PORTS] 22 23
+
+I<ipf.metarules>
+
+block in from UNWANTED to any
+
+pass in from NOC to WEBSERVERS port = MGMT-PORTS
+
+pass out all
+
+I<Run>
+
+ipfmeta ipf.objs <ipf.metarules >ipf.rules
+
+I<Output>
+
+# block in from UNWANTED to any
+
+block in from 10.0.0.0/8 to any
+
+block in from 127.0.0.0/8 to any
+
+block in from 172.16.0.0/12 to any
+
+block in from 192.168.0.0/16 to any
+
+block in from 224.0.0.0/4 to any
+
+# pass in from NOC to WEBSERVERS port = MGMT-PORTS
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 22
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 23
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 22
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 23
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 22
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 23
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 22
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 23
+
+pass out all
+
+=head1 AUTHOR
+
+Camiel Dobbelaar <cd@sentia.nl>. B<ipfmeta> is in the Public Domain.
+
+=cut
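Review bot: `open(FH, "$objfile") || die ...` in the READ OBJECTS section is a two-argument open on a bareword handle, so an objfile name taken from the command line that begins with `<`, `>` or `|`, or ends with `|`, is interpreted as a mode or a pipe command instead of a plain file name; the three-argument form pins the mode and a lexical handle avoids the package global: `open(my $fh, '<', $objfile) || die "cannot open $objfile: $!\n";`, with `while (<$fh>)` and `close($fh)` updated to match. In expand(), `$line =~ m/$obj/` and `$newline =~ s/$obj/$val/` interpolate object names read from the objects file as raw regex, so a name containing `.`, `+`, `(` or `[` matches more than intended or makes the pattern fail to compile, and the match is an unanchored substring match (object `NOC` also hits `NOCARD`); `\Q$obj\E` in both patterns makes the name literal, and a `\b` on either side would restrict it to whole words if that is the intended contract. The longest-first sort of `@objs` only orders overlapping names; it does not prevent the substring matches above.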
diff --git a/contrib/ipfilter/perl/logfilter.pl b/contrib/ipfilter/perl/logfilter.pl
index 6ebe401..a75eafd 100644
--- a/contrib/ipfilter/perl/logfilter.pl
+++ b/contrib/ipfilter/perl/logfilter.pl
@@ -178,4 +178,4 @@ tcp 6667 irc.log
tcp 7070 realaudio.log
tcp 8080 http.log
tcp 12345 netbus.log
-udp 31337 backorifice.log \ No newline at end of file
+udp 31337 backorifice.log