authordarrenr <darrenr@FreeBSD.org>2005-04-25 17:31:50 +0000
committerdarrenr <darrenr@FreeBSD.org>2005-04-25 17:31:50 +0000
commitd438802dcb3e270d6fcc65f075c808c64853a7c2 (patch)
treee2e1c7115044e6dfc86ff65598566fa32e5f7421 /contrib/ipfilter/samples
parent590450fec65a8e72a8965117398bc8f14938b4a8 (diff)
import ipfilter 4.1.8 into the vendor branch
Diffstat (limited to 'contrib/ipfilter/samples')
-rw-r--r--contrib/ipfilter/samples/.cvsignore4
-rw-r--r--contrib/ipfilter/samples/Makefile10
-rw-r--r--contrib/ipfilter/samples/ipfilter-pb.gifbin795 -> 796 bytes
-rw-r--r--contrib/ipfilter/samples/proxy.c33
-rw-r--r--contrib/ipfilter/samples/relay.c196
-rw-r--r--contrib/ipfilter/samples/userauth.c12
6 files changed, 240 insertions, 15 deletions
diff --git a/contrib/ipfilter/samples/.cvsignore b/contrib/ipfilter/samples/.cvsignore
new file mode 100644
index 0000000..4d38251
--- /dev/null
+++ b/contrib/ipfilter/samples/.cvsignore
@@ -0,0 +1,4 @@
+userauth
+proxy
+relay
+trans_relay
diff --git a/contrib/ipfilter/samples/Makefile b/contrib/ipfilter/samples/Makefile
index 1dad079..47ab4a2 100644
--- a/contrib/ipfilter/samples/Makefile
+++ b/contrib/ipfilter/samples/Makefile
@@ -11,14 +11,14 @@ all:
@echo "make sunos5"
sunos5:
- $(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
- -I.. userauth.c -o userauth -lsocket -lnsl
- $(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
- -I.. proxy.c -o proxy -lsocket -lnsl
+ $(CC) -I.. userauth.c -o userauth -lsocket -lnsl
+ $(CC) -I.. proxy.c -o proxy -lsocket -lnsl
+ $(CC) -I.. relay.c -o relay -lsocket -lnsl
freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd:
$(CC) -I.. userauth.c -o userauth
$(CC) -I.. proxy.c -o proxy
+ $(CC) -I.. relay.c -o relay
clean:
- /bin/rm -f userauth proxy
+ /bin/rm -f userauth proxy relay
diff --git a/contrib/ipfilter/samples/ipfilter-pb.gif b/contrib/ipfilter/samples/ipfilter-pb.gif
index afaefa8..f729ab1 100644
--- a/contrib/ipfilter/samples/ipfilter-pb.gif
+++ b/contrib/ipfilter/samples/ipfilter-pb.gif
Binary files differ
diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c
index ef9a69c..ccf2ac6 100644
--- a/contrib/ipfilter/samples/proxy.c
+++ b/contrib/ipfilter/samples/proxy.c
@@ -1,3 +1,5 @@
+/* $NetBSD$ */
+
/*
* Sample transparent proxy program.
*
@@ -45,6 +47,7 @@
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
+#include "netinet/ipl.h"
main(argc, argv)
@@ -52,6 +55,7 @@ int argc;
char *argv[];
{
struct sockaddr_in sin, sloc, sout;
+ ipfobj_t obj;
natlookup_t natlook;
natlookup_t *natlookp = &natlook;
char buffer[512];
@@ -77,21 +81,27 @@ char *argv[];
exit(-1);
}
+ bzero((char *)&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(natlook);
+ obj.ipfo_ptr = &natlook;
+ obj.ipfo_type = IPFOBJ_NATLOOKUP;
+
/*
* Build up the NAT natlookup structure.
*/
bzero((char *)&natlook, sizeof(natlook));
natlook.nl_outip = sin.sin_addr;
natlook.nl_inip = sloc.sin_addr;
- natlook.nl_flags = IPN_TCPUDP;
+ natlook.nl_flags = IPN_TCP;
natlook.nl_outport = ntohs(sin.sin_port);
natlook.nl_inport = ntohs(sloc.sin_port);
/*
* Open the NAT device and lookup the mapping pair.
*/
- fd = open(IPL_NAT, O_RDONLY);
- if (ioctl(fd, SIOCGNATL, &natlookp) == -1) {
+ fd = open(IPNAT_NAME, O_RDONLY);
+ if (ioctl(fd, SIOCGNATL, &obj) == -1) {
perror("ioctl(SIOCGNATL)");
exit(-1);
}
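Review bot: The result of `fd = open(IPNAT_NAME, O_RDONLY);` goes straight into ioctl(), so a missing device node or insufficient permission is reported as an `ioctl(SIOCGNATL)` failure rather than as the open error. A guard such as `if (fd == -1) { perror(IPNAT_NAME); exit(-1); }` before the ioctl would match the check relay.c makes in this same commit. This hunk also fills `nl_outport` and `nl_inport` through ntohs(), while relay.c stores `sin.sin_port` unconverted before the same SIOCGNATL lookup. One of the two is presumably in the wrong byte order on little-endian hosts, which is worth confirming against the kernel side. The enclosing main() starts and ends outside the hunk.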
@@ -131,6 +141,7 @@ char *extif;
struct sockaddr_in usin;
u_32_t sum1, sum2, sumd;
int onoff, ofd, slen;
+ ipfobj_t obj;
ipnat_t *ipn;
nat_t *nat;
@@ -140,8 +151,12 @@ char *extif;
nat->nat_p = IPPROTO_TCP;
nat->nat_dir = NAT_OUTBOUND;
if ((extif != NULL) && (*extif != '\0')) {
- strncpy(nat->nat_ifname, extif, sizeof(nat->nat_ifname));
- nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
+ strncpy(nat->nat_ifnames[0], extif,
+ sizeof(nat->nat_ifnames[0]));
+ strncpy(nat->nat_ifnames[1], extif,
+ sizeof(nat->nat_ifnames[1]));
+ nat->nat_ifnames[0][sizeof(nat->nat_ifnames[0]) - 1] = '\0';
+ nat->nat_ifnames[1][sizeof(nat->nat_ifnames[1]) - 1] = '\0';
}
ofd = socket(AF_INET, SOCK_DGRAM, 0);
@@ -186,9 +201,15 @@ printf("local port# to use: %d\n", ntohs(usin.sin_port));
nat->nat_flags = IPN_TCPUDP;
+ bzero((char *)&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(*nsp);
+ obj.ipfo_ptr = nsp;
+ obj.ipfo_type = IPFOBJ_NATSAVE;
+
onoff = 1;
if (ioctl(fd, SIOCSTLCK, &onoff) == 0) {
- if (ioctl(fd, SIOCSTPUT, &nsp) != 0)
+ if (ioctl(fd, SIOCSTPUT, &obj) != 0)
perror("SIOCSTPUT");
onoff = 0;
if (ioctl(fd, SIOCSTLCK, &onoff) != 0)
diff --git a/contrib/ipfilter/samples/relay.c b/contrib/ipfilter/samples/relay.c
new file mode 100644
index 0000000..b91779a
--- /dev/null
+++ b/contrib/ipfilter/samples/relay.c
@@ -0,0 +1,196 @@
+/* $NetBSD$ */
+
+/*
+ * Sample program to be used as a transparent proxy.
+ *
+ * Must be executed with permission enough to do an ioctl on /dev/ipl
+ * or equivalent. This is just a sample and is only alpha quality.
+ * - Darren Reed (8 April 1996)
+ */
+#include <unistd.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/syslog.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_nat.h"
+#include "ipl.h"
+
+#define RELAY_BUFSZ 8192
+
+char ibuff[RELAY_BUFSZ];
+char obuff[RELAY_BUFSZ];
+
+int relay(ifd, ofd, rfd)
+int ifd, ofd, rfd;
+{
+ fd_set rfds, wfds;
+ char *irh, *irt, *rrh, *rrt;
+ char *iwh, *iwt, *rwh, *rwt;
+ int nfd, n, rw;
+
+ irh = irt = ibuff;
+ iwh = iwt = obuff;
+ nfd = ifd;
+ if (nfd < ofd)
+ nfd = ofd;
+ if (nfd < rfd)
+ nfd = rfd;
+
+ while (1) {
+ FD_ZERO(&rfds);
+ FD_ZERO(&wfds);
+ if (irh > irt)
+ FD_SET(rfd, &wfds);
+ if (irh < (ibuff + RELAY_BUFSZ))
+ FD_SET(ifd, &rfds);
+ if (iwh > iwt)
+ FD_SET(ofd, &wfds);
+ if (iwh < (obuff + RELAY_BUFSZ))
+ FD_SET(rfd, &rfds);
+
+ switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL)))
+ {
+ case -1 :
+ case 0 :
+ return -1;
+ default :
+ if (FD_ISSET(ifd, &rfds)) {
+ rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh);
+ if (rw == -1)
+ return -1;
+ if (rw == 0)
+ return 0;
+ irh += rw;
+ n--;
+ }
+ if (n && FD_ISSET(ofd, &wfds)) {
+ rw = write(ofd, iwt, iwh - iwt);
+ if (rw == -1)
+ return -1;
+ iwt += rw;
+ n--;
+ }
+ if (n && FD_ISSET(rfd, &rfds)) {
+ rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh);
+ if (rw == -1)
+ return -1;
+ if (rw == 0)
+ return 0;
+ iwh += rw;
+ n--;
+ }
+ if (n && FD_ISSET(rfd, &wfds)) {
+ rw = write(rfd, irt, irh - irt);
+ if (rw == -1)
+ return -1;
+ irt += rw;
+ n--;
+ }
+ if (irh == irt)
+ irh = irt = ibuff;
+ if (iwh == iwt)
+ iwh = iwt = obuff;
+ }
+ }
+}
+
+main(argc, argv)
+int argc;
+char *argv[];
+{
+ struct sockaddr_in sin;
+ ipfobj_t obj;
+ natlookup_t nl;
+ natlookup_t *nlp = &nl;
+ int fd, sl = sizeof(sl), se;
+
+ openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
+ if ((fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
+ se = errno;
+ perror("open");
+ errno = se;
+ syslog(LOG_ERR, "open: %m\n");
+ exit(-1);
+ }
+
+ bzero(&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(nl);
+ obj.ipfo_ptr = &nl;
+ obj.ipfo_type = IPFOBJ_NATLOOKUP;
+
+ bzero(&nl, sizeof(nl));
+ nl.nl_flags = IPN_TCP;
+
+ bzero(&sin, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sl = sizeof(sin);
+ if (getsockname(0, (struct sockaddr *)&sin, &sl) == -1) {
+ se = errno;
+ perror("getsockname");
+ errno = se;
+ syslog(LOG_ERR, "getsockname: %m\n");
+ exit(-1);
+ } else {
+ nl.nl_inip.s_addr = sin.sin_addr.s_addr;
+ nl.nl_inport = sin.sin_port;
+ }
+
+ bzero(&sin, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sl = sizeof(sin);
+ if (getpeername(0, (struct sockaddr *)&sin, &sl) == -1) {
+ se = errno;
+ perror("getpeername");
+ errno = se;
+ syslog(LOG_ERR, "getpeername: %m\n");
+ exit(-1);
+ } else {
+ nl.nl_outip.s_addr = sin.sin_addr.s_addr;
+ nl.nl_outport = sin.sin_port;
+ }
+
+ if (ioctl(fd, SIOCGNATL, &obj) == -1) {
+ se = errno;
+ perror("ioctl");
+ errno = se;
+ syslog(LOG_ERR, "ioctl: %m\n");
+ exit(-1);
+ }
+
+ sin.sin_port = nl.nl_realport;
+ sin.sin_addr = nl.nl_realip;
+ sl = sizeof(sin);
+
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (connect(fd, (struct sockaddr *)&sin, sl) == -1) {
+ se = errno;
+ perror("connect");
+ errno = se;
+ syslog(LOG_ERR, "connect: %m\n");
+ exit(-1);
+ }
+
+ (void) ioctl(fd, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
+ (void) ioctl(0, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
+ (void) ioctl(1, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
+
+ syslog(LOG_NOTICE, "connected to %s,%d\n", inet_ntoa(sin.sin_addr),
+ ntohs(sin.sin_port));
+ if (relay(0, 1, fd) == -1) {
+ se = errno;
+ perror("relay");
+ errno = se;
+ syslog(LOG_ERR, "relay: %m\n");
+ exit(-1);
+ }
+ exit(0);
+}
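Review bot: The three non-blocking setup calls near the end of main() pass the fcntl commands F_GETFL and F_SETFL to ioctl(), and the second and third read the flags of `fd` rather than of descriptors 0 and 1, so the descriptors very likely stay blocking while the `(void)` cast hides the failure. They should read `(void) fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0)|O_NONBLOCK);`, then `(void) fcntl(0, F_SETFL, fcntl(0, F_GETFL, 0)|O_NONBLOCK);` and the same for descriptor 1. Separately, `fd = socket(AF_INET, SOCK_STREAM, 0);` overwrites the NAT device descriptor without closing it and is not checked for -1 before connect(). In relay(), a read returning 0 makes the function return at once, so bytes already buffered for the other side are dropped at EOF; a comment saying so would help anyone reusing this sample.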
diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c
index 5b50a94..ef059ac 100644
--- a/contrib/ipfilter/samples/userauth.c
+++ b/contrib/ipfilter/samples/userauth.c
@@ -1,3 +1,5 @@
+/* $NetBSD$ */
+
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
@@ -21,7 +23,9 @@ main()
char yn[16];
int fd;
- fd = open(IPL_AUTH, O_RDWR);
+ fd = open(IPL_NAME, O_RDWR);
+ fra.fra_len = 0;
+ fra.fra_buf = NULL;
while (ioctl(fd, SIOCAUTHW, &frap) == 0) {
if (fra.fra_info.fin_out)
fra.fra_pass = FR_OUTQUE;
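Review bot: The descriptor from `fd = open(IPL_NAME, O_RDWR);` is never checked, so when the open fails the `while (ioctl(fd, SIOCAUTHW, &frap) == 0)` loop never runs and nothing in the hunk reports the open error. Adding `if (fd == -1) { perror(IPL_NAME); exit(1); }` after the open would make that failure visible. The loop also still passes `&frap` directly, whereas the proxy.c and relay.c changes in this commit wrap their ioctl arguments in an `ipfobj_t`. Whether SIOCAUTHW expects the same wrapper in this version cannot be told from the hunk and should be confirmed. main() continues outside the hunk.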
@@ -29,10 +33,10 @@ main()
fra.fra_pass = FR_INQUE;
printf("%s ", inet_ntoa(fi->fi_src));
- if (fi->fi_fl & FI_TCPUDP)
+ if (fi->fi_flx & FI_TCPUDP)
printf("port %d ", fin->fin_data[0]);
printf("-> %s ", inet_ntoa(fi->fi_dst));
- if (fi->fi_fl & FI_TCPUDP)
+ if (fi->fi_flx & FI_TCPUDP)
printf("port %d ", fin->fin_data[1]);
printf("\n");
printf("Allow packet through ? [y/n]");
@@ -44,7 +48,7 @@ main()
fra.fra_pass |= FR_BLOCK;
else if (yn[0] == 'y' || yn[0] == 'Y') {
fra.fra_pass |= FR_PASS;
- if (fra.fra_info.fin_fi.fi_fl & FI_TCPUDP)
+ if (fra.fra_info.fin_fi.fi_flx & FI_TCPUDP)
fra.fra_pass |= FR_KEEPSTATE;
} else
fra.fra_pass |= FR_NOMATCH;