authorpeter <peter@FreeBSD.org>1997-11-16 04:52:19 +0000
committerpeter <peter@FreeBSD.org>1997-11-16 04:52:19 +0000
commit594e73c3109178aa1c5317785aaa284a0c135ff4 (patch)
tree1abde20e1d717a2bf3509de2189cbe7fa3c9f91e /contrib/ipfilter/samples
parentc4dc16ff2222e864e5ab4d236e0de3a2cb5b54da (diff)
Import ipfilter 3.2.1 (update from 3.1.8)
Diffstat (limited to 'contrib/ipfilter/samples')
-rw-r--r--contrib/ipfilter/samples/Makefile12
-rw-r--r--contrib/ipfilter/samples/proxy.c111
-rw-r--r--contrib/ipfilter/samples/userauth.c57
3 files changed, 180 insertions, 0 deletions
diff --git a/contrib/ipfilter/samples/Makefile b/contrib/ipfilter/samples/Makefile
new file mode 100644
index 0000000..5bd03b31
--- /dev/null
+++ b/contrib/ipfilter/samples/Makefile
@@ -0,0 +1,12 @@
+CC=gcc
+
+sunos5:
+ $(CC) -I.. userauth.c -o userauth -lsocket -lnsl
+ $(CC) -I.. proxy.c -o proxy -lsocket -lnsl
+
+freebsd freebsd22 netbsd bsd bsdi sunos4:
+ $(CC) -I.. userauth.c -o userauth
+ $(CC) -I.. proxy.c -o proxy
+
+clean:
+ /bin/rm -f userauth proxy
diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c
new file mode 100644
index 0000000..8d77cf0
--- /dev/null
+++ b/contrib/ipfilter/samples/proxy.c
@@ -0,0 +1,111 @@
+/*
+ * Sample transparent proxy program.
+ *
+ * Sample implementation of a program which intercepts a TCP connectiona and
+ * just echos all data back to the origin. Written to work via inetd as a
+ * "nonwait" program running as root; ie.
+ * tcpmux stream tcp nowait root /usr/local/bin/proxy proxy
+ * with a NAT rue like this:
+ * rdr smc0 0/0 port 80 -> 127.0.0.1/32 port 1
+ */
+#include <stdio.h>
+#include <string.h>
+#include <fcntl.h>
+#include <syslog.h>
+#if !defined(__SVR4) && !defined(__svr4__)
+#include <strings.h>
+#else
+#include <sys/byteorder.h>
+#endif
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/param.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
+# include <sys/ioccom.h>
+# include <sys/sysmacros.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <net/if.h>
+#include <netdb.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <ctype.h>
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+
+
+main(argc, argv)
+int argc;
+char *argv[];
+{
+ struct sockaddr_in sin, sloc, sout;
+ natlookup_t natlook;
+ char buffer[512];
+ int namelen, fd, n;
+
+ /*
+ * get IP# and port # of the remote end of the connection (at the
+ * origin).
+ */
+ namelen = sizeof(sin);
+ if (getpeername(0, (struct sockaddr *)&sin, &namelen) == -1) {
+ perror("getpeername");
+ exit(-1);
+ }
+
+ /*
+ * get IP# and port # of the local end of the connection (at the
+ * man-in-the-middle).
+ */
+ namelen = sizeof(sin);
+ if (getsockname(0, (struct sockaddr *)&sloc, &namelen) == -1) {
+ perror("getsockname");
+ exit(-1);
+ }
+
+ /*
+ * Build up the NAT natlookup structure.
+ */
+ bzero((char *)&natlook, sizeof(natlook));
+ natlook.nl_outip = sin.sin_addr;
+ natlook.nl_inip = sloc.sin_addr;
+ natlook.nl_flags = IPN_TCP;
+ natlook.nl_outport = sin.sin_port;
+ natlook.nl_inport = sloc.sin_port;
+
+ /*
+ * Open the NAT device and lookup the mapping pair.
+ */
+ fd = open(IPL_NAT, O_RDONLY);
+ if (ioctl(fd, SIOCGNATL, &natlook) == -1) {
+ perror("ioctl");
+ exit(-1);
+ }
+ close(fd);
+ /*
+ * Log it
+ */
+ syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d",
+ inet_ntoa(natlook.nl_realip), natlook.nl_realport);
+ printf("connect to %s,%d\n",
+ inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
+
+ /*
+ * Just echo data read in from stdin to stdout
+ */
+ while ((n = read(0, buffer, sizeof(buffer))) > 0)
+ if (write(1, buffer, n) != n)
+ break;
+ close(0);
+}
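Review bot: The syslog() call near the end of main() passes `natlook.nl_realport` unconverted while the printf() directly below wraps the same field in ntohs(), so on little-endian hosts the logged port is presumably byte-swapped and the log record will not match the real destination; use `ntohs(natlook.nl_realport)` in both calls. The result of `open(IPL_NAT, O_RDONLY)` is never checked, so a failed open surfaces only as a misleading "ioctl" error; add `if (fd == -1) { perror("open"); exit(-1); }` before the ioctl. The header comment has this run as root from inetd, yet root appears to be needed only for the NAT device, which is closed before the echo loop, so privileges could be dropped right after `close(fd)` and before any peer data is read. Under inetd the standard descriptors are normally the connection itself, so the perror() text presumably reaches the remote peer rather than a log; reporting those failures through syslog() would keep them local.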
diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c
new file mode 100644
index 0000000..9cecffd
--- /dev/null
+++ b/contrib/ipfilter/samples/userauth.c
@@ -0,0 +1,57 @@
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_auth.h"
+
+extern int errno;
+
+main()
+{
+ struct frauth fra;
+ fr_info_t *fin = &fra.fra_info;
+ fr_ip_t *fi = &fin->fin_fi;
+ char yn[16];
+ int fd;
+
+ fd = open(IPL_NAME, O_RDWR);
+ while (ioctl(fd, SIOCAUTHW, &fra) == 0) {
+ if (fra.fra_info.fin_out)
+ fra.fra_pass = FR_OUTQUE;
+ else
+ fra.fra_pass = FR_INQUE;
+
+ printf("%s ", inet_ntoa(fi->fi_src));
+ if (fi->fi_fl & FI_TCPUDP)
+ printf("port %d ", fin->fin_data[0]);
+ printf("-> %s ", inet_ntoa(fi->fi_dst));
+ if (fi->fi_fl & FI_TCPUDP)
+ printf("port %d ", fin->fin_data[1]);
+ printf("\n");
+ printf("Allow packet through ? [y/n]");
+ fflush(stdout);
+ if (!fgets(yn, sizeof(yn), stdin))
+ break;
+ fflush(stdin);
+ if (yn[0] == 'n' || yn[0] == 'N')
+ fra.fra_pass |= FR_BLOCK;
+ else if (yn[0] == 'y' || yn[0] == 'Y') {
+ fra.fra_pass |= FR_PASS;
+ if (fra.fra_info.fin_fi.fi_fl & FI_TCPUDP)
+ fra.fra_pass |= FR_KEEPSTATE;
+ } else
+ fra.fra_pass |= FR_NOMATCH;
+ printf("answer = %c (%x), id %d idx %d\n", yn[0],
+ fra.fra_pass, fra.fra_info.fin_id, fra.fra_index);
+ if (ioctl(fd, SIOCAUTHR, &fra) != 0)
+ perror("SIOCAUTHR");
+ }
+ fprintf(stderr, "errno=%d \n", errno);
+ perror("frauth-SIOCAUTHW");
+}
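Review bot: inet_ntoa() is called in the print statements of the loop without `#include <arpa/inet.h>`, so it is implicitly declared as returning int and the `%s` conversions receive a truncated pointer on platforms where pointers are wider than int; add the include next to `<netinet/in.h>`. `fflush(stdin)` is undefined behaviour in standard C; to discard the rest of an over-long answer, read and drop characters up to the newline instead. The descriptor from `open(IPL_NAME, O_RDWR)` is not checked, and the final `perror("frauth-SIOCAUTHW")` also runs when the loop ended because fgets() hit end of input, so the errno it reports need not come from the ioctl. Any answer other than y/n sets FR_NOMATCH rather than FR_BLOCK, and an EOF on stdin leaves the pending packet unanswered; if the intent is to deny by default, a comment stating what the kernel does in those two cases (or an explicit `fra.fra_pass |= FR_BLOCK;` in the else branch) would make the fail-closed behaviour visible.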