authorcy <cy@FreeBSD.org>2013-07-19 05:41:57 +0000
committercy <cy@FreeBSD.org>2013-07-19 05:41:57 +0000
commit672af8808c0e7c15f330b401482f9271c2eb3fa6 (patch)
tree225b5acf68c01bc6a260b386c2b2dbf4fa2839e3 /contrib/ipfilter/tools
parent71e82d94e82560b20789833f60056506de34de8b (diff)
As per the Developer's Handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them.

To keep the tags consistent with dist, the tags are also flattened.

Approved by: glebius (Mentor)
Diffstat (limited to 'contrib/ipfilter/tools')
-rw-r--r--contrib/ipfilter/tools/BNF.ipf80
-rw-r--r--contrib/ipfilter/tools/BNF.ipnat28
-rw-r--r--contrib/ipfilter/tools/Makefile107
-rw-r--r--contrib/ipfilter/tools/ipf.c568
-rw-r--r--contrib/ipfilter/tools/ipf_y.y2197
-rw-r--r--contrib/ipfilter/tools/ipfcomp.c1358
-rw-r--r--contrib/ipfilter/tools/ipfs.c890
-rw-r--r--contrib/ipfilter/tools/ipfstat.c2112
-rw-r--r--contrib/ipfilter/tools/ipftest.c804
-rw-r--r--contrib/ipfilter/tools/ipmon.c1732
-rw-r--r--contrib/ipfilter/tools/ipmon_y.y698
-rw-r--r--contrib/ipfilter/tools/ipnat.c576
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y871
-rw-r--r--contrib/ipfilter/tools/ippool.c876
-rw-r--r--contrib/ipfilter/tools/ippool_y.y520
-rw-r--r--contrib/ipfilter/tools/ipscan_y.y569
-rw-r--r--contrib/ipfilter/tools/ipsyncm.c254
-rw-r--r--contrib/ipfilter/tools/ipsyncs.c272
-rw-r--r--contrib/ipfilter/tools/lex_var.h58
-rw-r--r--contrib/ipfilter/tools/lexer.c661
-rw-r--r--contrib/ipfilter/tools/lexer.h40
21 files changed, 0 insertions, 15271 deletions
diff --git a/contrib/ipfilter/tools/BNF.ipf b/contrib/ipfilter/tools/BNF.ipf
deleted file mode 100644
index 0e84332..0000000
--- a/contrib/ipfilter/tools/BNF.ipf
+++ /dev/null
@@ -1,80 +0,0 @@
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-pps = "pps" decnumber .
-
-onif = "on" interface-name [ "out-via" interface-name ] .
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-auth = "auth" | "preauth" .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" object "to" object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-loglevel = facility"."priority | priority .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
- "mbcast" | "opt" ipopts .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | "routerad" |
- "routersol" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
diff --git a/contrib/ipfilter/tools/BNF.ipnat b/contrib/ipfilter/tools/BNF.ipnat
deleted file mode 100644
index 69ed8a2..0000000
--- a/contrib/ipfilter/tools/BNF.ipnat
+++ /dev/null
@@ -1,28 +0,0 @@
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname ipmask "->" ipmask [ mapport | mapicmpid ] .
-map ::= mapit ifname fromto "->" ipmask [ mapport | mapicmpid ] .
-mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
-
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-mapport ::= "portmap" tcpudp portnumber ":" portnumber .
-mapicmpid ::= "icmpidmap" icmp idnumber ":" idnumber .
-options ::= [ tcpudp ] [ rr ] .
-
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-
-rr ::= "round-robin" .
-tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } | "auto" .
-idnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
diff --git a/contrib/ipfilter/tools/Makefile b/contrib/ipfilter/tools/Makefile
deleted file mode 100644
index 43ec1a8..0000000
--- a/contrib/ipfilter/tools/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-DEST=.
-
-all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \
- $(DEST)/ipmon_y.c $(DEST)/ipmon_y.h $(DEST)/ipmon_l.c \
- $(DEST)/ipnat_y.c $(DEST)/ipnat_y.h $(DEST)/ipnat_l.c \
- $(DEST)/ipscan_y.c $(DEST)/ipscan_y.h $(DEST)/ipscan_l.c \
- $(DEST)/ippool_y.c $(DEST)/ippool_y.h $(DEST)/ippool_l.c \
- $(DEST)/ipf_l.h $(DEST)/ipnat_l.h $(DEST)/ipscan_l.h \
- $(DEST)/ippool_l.h $(DEST)/ipmon_l.h
-
-$(DEST)/ipf_y.h: $(DEST)/ipf_y.c
-
-$(DEST)/ipf_y.c: ipf_y.y
- yacc -d ipf_y.y
- sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.c/' \
- -e 's/"ipf_y.y"/"..\/tools\/ipf_y.y"/' \
- y.tab.c > $(DEST)/ipf_y.c
- sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' y.tab.h > $(DEST)/ipf_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipf_l.c: lexer.c
- sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' \
- -e 's/lexer.h/ipf_l.h/' lexer.c > $@
-
-$(DEST)/ipmon_y.n: $(DEST)/ipmon_y.c
-
-$(DEST)/ipmon_y.c $(DEST)/ipmon_y.h: ipmon_y.y
- yacc -d ipmon_y.y
- sed -e 's/yy/ipmon_yy/g' -e 's/"ipmon_y.y"/"..\/tools\/ipmon_y.y"/' \
- y.tab.c > $(DEST)/ipmon_y.c
- sed -e 's/yy/ipmon_yy/g' y.tab.h > $(DEST)/ipmon_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipmon_l.c: lexer.c
- sed -e 's/yy/ipmon_yy/g' -e 's/y.tab.h/ipmon_y.h/' \
- -e 's/lexer.h/ipmon_l.h/' lexer.c > $@
-
-$(DEST)/ipscan_y.h: $(DEST)/ipscan_y.c
-
-$(DEST)/ipscan_y.c $(DEST)/ipscan_y.h: ipscan_y.y
- yacc -d ipscan_y.y
- sed -e 's/yy/ipscan_yy/g' \
- -e 's/"ipscan_y.y"/"..\/tools\/ipscan_y.y"/' \
- y.tab.c > $(DEST)/ipscan_y.c
- sed -e 's/yy/ipscan_yy/g' y.tab.h > $(DEST)/ipscan_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipscan_l.c: lexer.c
- sed -e 's/yy/ipscan_yy/g' -e 's/y.tab.h/ipscan_y.h/' \
- -e 's/lexer.h/ipscan_l.h/' lexer.c > $@
-
-$(DEST)/ippool_y.h: $(DEST)/ippool_y.c
-
-$(DEST)/ippool_y.c $(DEST)/ippool_y.h: ippool_y.y
- yacc -d ippool_y.y
- sed -e 's/yy/ippool_yy/g' -e 's/"ippool_y.y"/"..\/tools\/ippool_y.y"/' \
- y.tab.c > $(DEST)/ippool_y.c
- sed -e 's/yy/ippool_yy/g' y.tab.h > $(DEST)/ippool_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ippool_l.c: lexer.c
- sed -e 's/yy/ippool_yy/g' -e 's/y.tab.h/ippool_y.h/' \
- -e 's/lexer.h/ippool_l.h/' lexer.c > $@
-
-$(DEST)/ipnat_y.h: $(DEST)/ipnat_y.c
-
-$(DEST)/ipnat_y.c $(DEST)/ipnat_y.h: ipnat_y.y
- yacc -d ipnat_y.y
- sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.c/ipnat_y.c/' \
- -e s/\"ipnat_y.y\"/\"..\\/tools\\/ipnat_y.y\"/ \
- y.tab.c > $(DEST)/ipnat_y.c
- sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \
- y.tab.h > $(DEST)/ipnat_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipnat_l.c: lexer.c
- sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \
- -e 's/lexer.h/ipnat_l.h/' lexer.c > $@
-
-$(DEST)/ipf_l.h: lexer.h
- sed -e 's/yy/ipf_yy/g' lexer.h > $@
-
-$(DEST)/ipmon_l.h: lexer.h
- sed -e 's/yy/ipmon_yy/g' lexer.h > $@
-
-$(DEST)/ipscan_l.h: lexer.h
- sed -e 's/yy/ipscan_yy/g' lexer.h > $@
-
-$(DEST)/ippool_l.h: lexer.h
- sed -e 's/yy/ippool_yy/g' lexer.h > $@
-
-$(DEST)/ipnat_l.h: lexer.h
- sed -e 's/yy/ipnat_yy/g' lexer.h > $@
-
-clean:
- /bin/rm -f $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c
- /bin/rm -f $(DEST)/ipmon_y.c $(DEST)/ipmon_y.h $(DEST)/ipmon_l.c
- /bin/rm -f $(DEST)/ipscan_y.c $(DEST)/ipscan_y.h $(DEST)/ipscan_l.c
- /bin/rm -f $(DEST)/ippool_y.c $(DEST)/ippool_y.h $(DEST)/ippool_l.c
- /bin/rm -f $(DEST)/ipnat_y.c $(DEST)/ipnat_y.h $(DEST)/ipnat_l.c
- /bin/rm -f $(DEST)/ipf_l.h $(DEST)/ipmon_l.h $(DEST)/ippool_l.h
- /bin/rm -f $(DEST)/ipscan_l.h $(DEST)/ipnat_l.h
diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c
deleted file mode 100644
index 063ecf0..0000000
--- a/contrib/ipfilter/tools/ipf.c
+++ /dev/null
@@ -1,568 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include "ipf.h"
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "netinet/ipl.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.8 2007/05/10 06:12:01 darrenr Exp $";
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-extern frentry_t *frtop;
-
-
-void ipf_frsync __P((void));
-void zerostats __P((void));
-int main __P((int, char *[]));
-
-int opts = 0;
-int outputc = 0;
-int use_inet6 = 0;
-
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static void set_state __P((u_int)), showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
-static int opendevice __P((char *, int));
-static void closedevice __P((void));
-static char *ipfname = IPL_NAME;
-static void usage __P((void));
-static int showversion __P((void));
-static int get_flags __P((void));
-static void ipf_interceptadd __P((int, ioctlfunc_t, void *));
-
-static int fd = -1;
-static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
- ioctl, ioctl, ioctl,
- ioctl, ioctl };
-
-
-static void usage()
-{
- fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n",
- "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]",
- "[-f filename] [-T <tuneopts>]");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c;
-
- if (argc < 2)
- usage();
-
- while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) {
- switch (c)
- {
- case '?' :
- usage();
- break;
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'A' :
- opts &= ~OPT_INACTIVE;
- break;
- case 'c' :
- if (strcmp(optarg, "c") == 0)
- outputc = 1;
- break;
- case 'E' :
- set_state((u_int)1);
- break;
- case 'D' :
- set_state((u_int)0);
- break;
- case 'd' :
- opts ^= OPT_DEBUG;
- break;
- case 'f' :
- procfile(argv[0], optarg);
- break;
- case 'F' :
- flushfilter(optarg);
- break;
- case 'I' :
- opts ^= OPT_INACTIVE;
- break;
- case 'l' :
- packetlogon(optarg);
- break;
- case 'n' :
- opts ^= OPT_DONOTHING;
- break;
- case 'o' :
- break;
- case 'P' :
- ipfname = IPAUTH_NAME;
- break;
- case 'R' :
- opts ^= OPT_NORESOLVE;
- break;
- case 'r' :
- opts ^= OPT_REMOVE;
- break;
- case 's' :
- swapactive();
- break;
- case 'T' :
- if (opendevice(ipfname, 1) >= 0)
- ipf_dotuning(fd, optarg, ioctl);
- break;
- case 'v' :
- opts += OPT_VERBOSE;
- break;
- case 'V' :
- if (showversion())
- exit(1);
- break;
- case 'y' :
- ipf_frsync();
- break;
- case 'z' :
- opts ^= OPT_ZERORULEST;
- break;
- case 'Z' :
- zerostats();
- break;
- }
- }
-
- if (optind < 2)
- usage();
-
- if (fd != -1)
- (void) close(fd);
-
- return(0);
- /* NOTREACHED */
-}
-
-
-static int opendevice(ipfdev, check)
-char *ipfdev;
-int check;
-{
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (check && checkrev(ipfname) == -1) {
- fprintf(stderr, "User/kernel version check failed\n");
- return -2;
- }
-
- if (!ipfdev)
- ipfdev = ipfname;
-
- if (fd == -1)
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-static void closedevice()
-{
- close(fd);
- fd = -1;
-}
-
-
-static int get_flags()
-{
- int i = 0;
-
- if ((opendevice(ipfname, 1) != -2) &&
- (ioctl(fd, SIOCGETFF, &i) == -1)) {
- perror("SIOCGETFF");
- return 0;
- }
- return i;
-}
-
-
-static void set_state(enable)
-u_int enable;
-{
- if (opendevice(ipfname, 0) != -2)
- if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
- fprintf(stderr,
- "IP FIlter: already initialized\n");
- else
- perror("SIOCFRENB");
- }
- return;
-}
-
-
-static void procfile(name, file)
-char *name, *file;
-{
- (void) opendevice(ipfname, 1);
-
- initparse();
-
- ipf_parsefile(fd, ipf_interceptadd, iocfunctions, file);
-
- if (outputc) {
- printC(0);
- printC(1);
- emit(-1, -1, NULL, NULL);
- }
-}
-
-
-static void ipf_interceptadd(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- if (outputc)
- printc(ptr);
-
- ipf_addrule(fd, ioctlfunc, ptr);
-}
-
-
-static void packetlogon(opt)
-char *opt;
-{
- int flag, xfd, logopt, change = 0;
-
- flag = get_flags();
- if (flag != 0) {
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
- }
-
- flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
-
- if (strstr(opt, "pass")) {
- flag |= FF_LOGPASS;
- if (opts & OPT_VERBOSE)
- printf("set log flag: pass\n");
- change = 1;
- }
- if (strstr(opt, "nomatch")) {
- flag |= FF_LOGNOMATCH;
- if (opts & OPT_VERBOSE)
- printf("set log flag: nomatch\n");
- change = 1;
- }
- if (strstr(opt, "block") || index(opt, 'd')) {
- flag |= FF_LOGBLOCK;
- if (opts & OPT_VERBOSE)
- printf("set log flag: block\n");
- change = 1;
- }
- if (strstr(opt, "none")) {
- if (opts & OPT_VERBOSE)
- printf("disable all log flags\n");
- change = 1;
- }
-
- if (change == 1) {
- if (opendevice(ipfname, 1) != -2 &&
- (ioctl(fd, SIOCSETFF, &flag) != 0))
- perror("ioctl(SIOCSETFF)");
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- flag = get_flags();
- printf("log flags are now %#x\n", flag);
- }
-
- if (strstr(opt, "state")) {
- if (opts & OPT_VERBOSE)
- printf("set state log flag\n");
- xfd = open(IPSTATE_NAME, O_RDWR);
- if (xfd >= 0) {
- logopt = 0;
- if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
- else {
- logopt = 1 - logopt;
- if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
- }
- close(xfd);
- }
- }
-
- if (strstr(opt, "nat")) {
- if (opts & OPT_VERBOSE)
- printf("set nat log flag\n");
- xfd = open(IPNAT_NAME, O_RDWR);
- if (xfd >= 0) {
- logopt = 0;
- if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
- else {
- logopt = 1 - logopt;
- if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
- }
- close(xfd);
- }
- }
-}
-
-
-static void flushfilter(arg)
-char *arg;
-{
- int fl = 0, rem;
-
- if (!arg || !*arg)
- return;
- if (!strcmp(arg, "s") || !strcmp(arg, "S") || ISDIGIT(*arg)) {
- if (*arg == 'S')
- fl = 0;
- else if (*arg == 's')
- fl = 1;
- else
- fl = atoi(arg);
- rem = fl;
-
- closedevice();
- if (opendevice(IPSTATE_NAME, 1) == -2)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d entries\n", fl);
- }
- closedevice();
- return;
- }
-
-#ifdef SIOCIPFFA
- if (!strcmp(arg, "u")) {
- closedevice();
- /*
- * Flush auth rules and packets
- */
- if (opendevice(IPL_AUTH, 1) == -1)
- perror("open(IPL_AUTH)");
- else {
- if (ioctl(fd, SIOCIPFFA, &fl) == -1)
- perror("ioctl(SIOCIPFFA)");
- }
- closedevice();
- return;
- }
-#endif
-
- if (strchr(arg, 'i') || strchr(arg, 'I'))
- fl = FR_INQUE;
- if (strchr(arg, 'o') || strchr(arg, 'O'))
- fl = FR_OUTQUE;
- if (strchr(arg, 'a') || strchr(arg, 'A'))
- fl = FR_OUTQUE|FR_INQUE;
- if (opts & OPT_INACTIVE)
- fl |= FR_INACTIVE;
- rem = fl;
-
- if (opendevice(ipfname, 1) == -2)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
- (rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
- }
- return;
-}
-
-
-static void swapactive()
-{
- int in = 2;
-
- if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
- perror("ioctl(SIOCSWAPA)");
- else
- printf("Set %d now inactive\n", in);
-}
-
-
-void ipf_frsync()
-{
- int frsyn = 0;
-
- if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
- perror("SIOCFRSYN");
- else
- printf("filter sync'd\n");
-}
-
-
-void zerostats()
-{
- ipfobj_t obj;
- friostat_t fio;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_IPFSTAT;
- obj.ipfo_size = sizeof(fio);
- obj.ipfo_ptr = &fio;
- obj.ipfo_offset = 0;
-
- if (opendevice(ipfname, 1) != -2) {
- if (ioctl(fd, SIOCFRZST, &obj) == -1) {
- perror("ioctl(SIOCFRZST)");
- exit(-1);
- }
- showstats(&fio);
- }
-
-}
-
-
-/*
- * read the kernel stats for packets blocked and passed
- */
-static void showstats(fp)
-friostat_t *fp;
-{
- printf("bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
- printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- printf("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
-}
-
-
-static int showversion()
-{
- struct friostat fio;
- ipfobj_t ipfo;
- u_32_t flags;
- char *s;
- int vfd;
-
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_size = sizeof(fio);
- ipfo.ipfo_ptr = (void *)&fio;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
-
- printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
-
- if ((vfd = open(ipfname, O_RDONLY)) == -1) {
- perror("open device");
- return 1;
- }
-
- if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
- close(vfd);
- return 1;
- }
- close(vfd);
- flags = get_flags();
-
- printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
- (int)sizeof(fio.f_version), fio.f_version);
- printf("Running: %s\n", (fio.f_running > 0) ? "yes" : "no");
- printf("Log Flags: %#x = ", flags);
- s = "";
- if (flags & FF_LOGPASS) {
- printf("pass");
- s = ", ";
- }
- if (flags & FF_LOGBLOCK) {
- printf("%sblock", s);
- s = ", ";
- }
- if (flags & FF_LOGNOMATCH) {
- printf("%snomatch", s);
- s = ", ";
- }
- if (flags & FF_BLOCKNONIP) {
- printf("%snonip", s);
- s = ", ";
- }
- if (!*s)
- printf("none set");
- putchar('\n');
-
- printf("Default: ");
- if (FR_ISPASS(fio.f_defpass))
- s = "pass";
- else if (FR_ISBLOCK(fio.f_defpass))
- s = "block";
- else
- s = "nomatch -> block";
- printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
- printf("Active list: %d\n", fio.f_active);
- printf("Feature mask: %#x\n", fio.f_features);
-
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
deleted file mode 100644
index 4156250..0000000
--- a/contrib/ipfilter/tools/ipf_y.y
+++ /dev/null
@@ -1,2197 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include "ipf.h"
-#include <sys/ioctl.h>
-#include <syslog.h>
-#ifdef IPFILTER_BPF
-# include "pcap-bpf.h"
-# define _NET_BPF_H_
-# include <pcap.h>
-#endif
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "netinet/ipl.h"
-#include "ipf_l.h"
-
-#define YYDEBUG 1
-#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
-#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-static void newrule __P((void));
-static void setipftype __P((void));
-static u_32_t lookuphost __P((char *));
-static void dobpf __P((int, char *));
-static void resetaddr __P((void));
-static struct alist_s *newalist __P((struct alist_s *));
-static u_int makehash __P((struct alist_s *));
-static int makepool __P((struct alist_s *));
-static frentry_t *addrule __P((void));
-static void setsyslog __P((void));
-static void unsetsyslog __P((void));
-static void fillgroup __P((frentry_t *));
-
-frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
-
-static int ifpflag = 0;
-static int nowith = 0;
-static int dynamic = -1;
-static int pooled = 0;
-static int hashed = 0;
-static int nrules = 0;
-static int newlist = 0;
-static int added = 0;
-static int ipffd = -1;
-static int *yycont = 0;
-static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
-static addfunc_t ipfaddfunc = NULL;
-static struct wordtab ipfwords[95];
-static struct wordtab addrwords[4];
-static struct wordtab maskwords[5];
-static struct wordtab icmpcodewords[17];
-static struct wordtab icmptypewords[16];
-static struct wordtab ipv4optwords[25];
-static struct wordtab ipv4secwords[9];
-static struct wordtab ipv6optwords[9];
-static struct wordtab logwords[33];
-
-%}
-%union {
- char *str;
- u_32_t num;
- struct in_addr ipa;
- frentry_t fr;
- frtuc_t *frt;
- struct alist_s *alist;
- u_short port;
- struct {
- u_short p1;
- u_short p2;
- int pc;
- } pc;
- struct {
- union i6addr a;
- union i6addr m;
- } ipp;
- union i6addr ip6;
- struct {
- char *if1;
- char *if2;
- } ifs;
-};
-
-%type <port> portnum
-%type <num> facility priority icmpcode seclevel secname icmptype
-%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
-%type <num> portc porteq
-%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
-%type <ip6> ipv6mask
-%type <ipp> addr ipaddr
-%type <str> servicename name interfacename
-%type <pc> portrange portcomp
-%type <alist> addrlist poollist
-%type <ifs> onname
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
-%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
-%token IPFY_IN IPFY_OUT
-%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
-%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
-%token IPFY_TOS IPFY_TTL IPFY_PROTO
-%token IPFY_HEAD IPFY_GROUP
-%token IPFY_AUTH IPFY_PREAUTH
-%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
-%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
-%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
-%token IPFY_PPS
-%token IPFY_ESP IPFY_AH
-%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
-%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
-%token IPFY_FLAGS IPFY_MULTICAST
-%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
-%token IPFY_PORT
-%token IPFY_NOW
-%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
-%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
-%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
-%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
-%token IPFY_SYNC IPFY_FRAGBODY
-%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
-%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
-%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
-%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
-%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
-%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
-%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
-%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
-
-%token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
-%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
-%token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
-
-%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
-%token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
-%token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
-%token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
-%token IPFY_ICMPT_ROUTERSOL
-
-%token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
-%token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
-%token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
-%token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
-%token IPFY_ICMPC_CUTPRE
-
-%token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
-%token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
-%token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
-%token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
-%token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
-%token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
-
-%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
-%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: rule { while ((fr = frtop) != NULL) {
- frtop = fr->fr_next;
- fr->fr_next = NULL;
- (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
- fr->fr_next = frold;
- frold = fr;
- }
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-xx: { newrule(); }
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-rule: inrule eol
- | outrule eol
- ;
-
-eol: | ';'
- ;
-
-inrule:
- rulehead markin inopts rulemain ruletail intag ruletail2
- ;
-
-outrule:
- rulehead markout outopts rulemain ruletail outtag ruletail2
- ;
-
-rulehead:
- xx collection action
- | xx insert collection action
- ;
-
-markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
- ;
-
-markout:
- IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
- ;
-
-rulemain:
- ipfrule
- | bpfrule
- ;
-
-ipfrule:
- tos ttl proto ip
- ;
-
-bpfrule:
- IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
- | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
- ;
-
-ruletail:
- with keep head group
- ;
-
-ruletail2:
- pps age new
- ;
-
-intag: settagin matchtagin
- ;
-
-outtag: settagout matchtagout
- ;
-
-insert:
- '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
- ;
-
-collection:
- | YY_NUMBER { fr->fr_collect = $1; }
- ;
-
-action: block
- | IPFY_PASS { fr->fr_flags |= FR_PASS; }
- | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
- | log
- | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
- | auth
- | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
- fr->fr_arg = $2; }
- | IPFY_CALL func
- | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
- ;
-
-block: blocked
- | blocked blockreturn
- ;
-
-blocked:
- IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
- ;
-blockreturn:
- IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
- | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
- | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
- | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
- | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
- ;
-
-log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
- | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
- ;
-
-auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
- | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
- | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
- ;
-
-func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
- ipfioctl[IPL_LOGIPF]);
- fr->fr_arg = $3;
- free($1); }
- ;
-
-inopts:
- | inopts inopt
- ;
-
-inopt:
- logopt
- | quick
- | on
- | dup
- | froute
- | proute
- | replyto
- ;
-
-outopts:
- | outopts outopt
- ;
-
-outopt:
- logopt
- | quick
- | on
- | dup
- | proute
- | replyto
- ;
-
-tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
- | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
- | settos lstart toslist lend
- ;
-
-settos: IPFY_TOS { setipftype(); }
- ;
-
-toslist:
- YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
- | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_NUMBER
- { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_HEX
- { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- ;
-
-ttl: | setttl YY_NUMBER
- { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
- | setttl lstart ttllist lend
- ;
-
-lstart: '(' { newlist = 1; fr = frc; added = 0; }
- ;
-
-lend: ')' { nrules += added; }
- ;
-
-lmore: lanother { if (newlist == 1) {
- newlist = 0;
- }
- fr = addrule();
- if (yycont != NULL)
- *yycont = 1;
- }
- ;
-
-lanother:
- | ','
- ;
-
-setttl: IPFY_TTL { setipftype(); }
- ;
-
-ttllist:
- YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
- | ttllist lmore YY_NUMBER
- { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
- ;
-
-proto: | protox protocol { yyresetdict(); }
- ;
-
-protox: IPFY_PROTO { setipftype();
- fr = frc;
- yysetdict(NULL); }
- ;
-
-ip: srcdst flags icmp
- ;
-
-group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
- FR_GROUPLEN); \
- fillgroup(fr););
- free($2); }
- | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
- $2); \
- fillgroup(fr);) }
- ;
-
-head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
- FR_GROUPLEN););
- free($2); }
- | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
- $2);) }
- ;
-
-settagin:
- | IPFY_SETTAG '(' taginlist ')'
- ;
-
-taginlist:
- taginspec
- | taginlist ',' taginspec
- ;
-
-taginspec:
- logtag
- ;
-
-nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
- $3, IPFTAG_LEN););
- free($3); }
- | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
- "%d", $3 & 0xffffffff);) }
- ;
-
-logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
- ;
-
-settagout:
- | IPFY_SETTAG '(' tagoutlist ')'
- ;
-
-tagoutlist:
- tagoutspec
- | tagoutlist ',' tagoutspec
- ;
-
-tagoutspec:
- logtag
- | nattag
- ;
-
-matchtagin:
- | IPFY_MATCHTAG '(' tagoutlist ')'
- ;
-
-matchtagout:
- | IPFY_MATCHTAG '(' taginlist ')'
- ;
-
-pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
- ;
-
-new: | savegroup file restoregroup
- ;
-
-savegroup:
- '{'
- ;
-
-restoregroup:
- '}'
- ;
-
-logopt: log
- ;
-
-quick:
- IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
- ;
-
-on: IPFY_ON onname
- | IPFY_ON lstart onlist lend
- | IPFY_ON onname IPFY_INVIA vianame
- | IPFY_ON onname IPFY_OUTVIA vianame
- ;
-
-onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($1.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $1.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($3.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $3.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- ;
-
-onname: interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- $$.if2 = NULL;
- free($1);
- }
- | interfacename ',' interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- free($1);
- strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
- $$.if1 = fr->fr_ifnames[1];
- free($3);
- }
- ;
-
-vianame:
- name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- }
- | name ',' name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
- free($3);
- }
- ;
-
-dup: IPFY_DUPTO name
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- free($2);
- }
- | IPFY_DUPTO name duptoseparator hostname
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- fr->fr_dif.fd_ip = $4;
- yyexpectaddr = 0;
- free($2);
- }
- | IPFY_DUPTO name duptoseparator YY_IPV6
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
- yyexpectaddr = 0;
- free($2);
- }
- ;
-
-duptoseparator:
- ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
- ;
-
-froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
- ;
-
-proute: routeto name
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- free($2);
- }
- | routeto name duptoseparator hostname
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- fr->fr_tif.fd_ip = $4;
- yyexpectaddr = 0;
- free($2);
- }
- | routeto name duptoseparator YY_IPV6
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
- yyexpectaddr = 0;
- free($2);
- }
- ;
-
-routeto:
- IPFY_TO
- | IPFY_ROUTETO
- ;
-
-replyto:
- IPFY_REPLY_TO name
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
- free($2);
- }
- | IPFY_REPLY_TO name duptoseparator hostname
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
- fr->fr_rif.fd_ip = $4;
- free($2);
- }
- ;
-
-logoptions:
- logoption
- | logoptions logoption
- ;
-
-logoption:
- IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
- | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
- | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
- | level loglevel { unsetsyslog(); }
- ;
-
-returncode:
- starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
- ;
-
-starticmpcode:
- '(' { yysetdict(icmpcodewords); }
- ;
-
-srcdst: | IPFY_ALL
- | fromto
- ;
-
-protocol:
- YY_NUMBER { DOREM(fr->fr_proto = $1; \
- fr->fr_mproto = 0xff;) }
- | YY_STR { if (!strcmp($1, "tcp-udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
- fr->fr_mflx |= FI_TCPUDP;)
- } else {
- int p = getproto($1);
- if (p == -1)
- yyerror("protocol unknown");
- DOREM(fr->fr_proto = p; \
- fr->fr_mproto = 0xff;)
- }
- free($1);
- }
- | YY_STR nextstring YY_STR
- { if (!strcmp($1, "tcp") &&
- !strcmp($3, "udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
- fr->fr_mflx |= FI_TCPUDP;)
- } else
- YYERROR;
- free($1);
- free($3);
- }
- ;
-
-nextstring:
- '/' { yysetdict(NULL); }
- ;
-
-fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
- | to dstobject { yyexpectaddr = 0; yycont = NULL; }
- | from srcobject { yyexpectaddr = 0; yycont = NULL; }
- ;
-
-from: IPFY_FROM { setipftype();
- if (fr == NULL)
- fr = frc;
- yyexpectaddr = 1;
- if (yydebug)
- printf("set yyexpectaddr\n");
- yycont = &yyexpectaddr;
- yysetdict(addrwords);
- resetaddr(); }
- ;
-
-to: IPFY_TO { if (fr == NULL)
- fr = frc;
- yyexpectaddr = 1;
- if (yydebug)
- printf("set yyexpectaddr\n");
- yycont = &yyexpectaddr;
- yysetdict(addrwords);
- resetaddr(); }
- ;
-
-with: | andwith withlist
- ;
-
-andwith:
- IPFY_WITH { nowith = 0; setipftype(); }
- | IPFY_AND { nowith = 0; setipftype(); }
- ;
-
-flags: | startflags flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
- | startflags flagset '/' flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags '/' flagset
- { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
- | startflags YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
- | startflags '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
- | startflags YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags flagset '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags YY_NUMBER '/' flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- ;
-
-startflags:
- IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
- yyerror("flags with non-ipf type rule");
- if (frc->fr_proto != IPPROTO_TCP)
- yyerror("flags with non-TCP rule");
- }
- ;
-
-flagset:
- YY_STR { $$ = tcpflags($1); free($1); }
- | YY_HEX { $$ = $1; }
- ;
-
-srcobject:
- { yyresetdict(); } fromport
- | srcaddr srcport
- | '!' srcaddr srcport
- { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
- ;
-
-srcaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
- | lstart srcaddrlist lend
- ;
-
-srcaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
- | srcaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
- ;
-
-srcport:
- | portcomp
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
- fr->fr_stop = $1.p2;) }
- | porteq lstart srcportlist lend
- { yyresetdict(); }
- ;
-
-fromport:
- portcomp
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
- fr->fr_stop = $1.p2;) }
- | porteq lstart srcportlist lend
- { yyresetdict(); }
- ;
-
-srcportlist:
- portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
- | portnum ':' portnum
- { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
- fr->fr_stop = $3;) }
- | portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
- fr->fr_stop = $3;) }
- | srcportlist lmore portnum
- { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
- | srcportlist lmore portnum ':' portnum
- { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
- fr->fr_stop = $5;) }
- | srcportlist lmore portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
- fr->fr_stop = $5;) }
- ;
-
-dstobject:
- { yyresetdict(); } toport
- | dstaddr dstport
- | '!' dstaddr dstport
- { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
- ;
-
-dstaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
- }
- | lstart dstaddrlist lend
- ;
-
-dstaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
- }
- | dstaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
- }
- ;
-
-
-dstport:
- | portcomp
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
- fr->fr_dtop = $1.p2;) }
- | porteq lstart dstportlist lend
- { yyresetdict(); }
- ;
-
-toport:
- portcomp
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
- fr->fr_dtop = $1.p2;) }
- | porteq lstart dstportlist lend
- { yyresetdict(); }
- ;
-
-dstportlist:
- portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
- | portnum ':' portnum
- { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
- fr->fr_dtop = $3;) }
- | portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
- fr->fr_dtop = $3;) }
- | dstportlist lmore portnum
- { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
- | dstportlist lmore portnum ':' portnum
- { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
- fr->fr_dtop = $5;) }
- | dstportlist lmore portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
- fr->fr_dtop = $5;) }
- ;
-
-addr: pool '/' YY_NUMBER { pooled = 1;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | pool '/' YY_STR { pooled = 1;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
- }
- | pool '=' '(' poollist ')' { pooled = 1;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makepool($4); }
- | hash '/' YY_NUMBER { hashed = 1;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | hash '/' YY_STR { pooled = 1;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
- }
- | hash '=' '(' addrlist ')' { hashed = 1;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makehash($4); }
- | ipaddr { bcopy(&$1, &$$, sizeof($$));
- yyexpectaddr = 0; }
- ;
-
-ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
- yyresetdict();
- yyexpectaddr = 0; }
- | hostname { $$.a.in4 = $1;
- $$.m.in4_addr = 0xffffffff;
- yyexpectaddr = 0; }
- | hostname { yyresetdict();
- $$.a.in4_addr = $1.s_addr; }
- maskspace { yysetdict(maskwords); }
- ipv4mask { $$.m.in4_addr = $5.s_addr;
- $$.a.in4_addr &= $5.s_addr;
- yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
- fill6bits(128, (u_32_t *)&$$.m);
- yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { yyresetdict();
- bcopy(&$1, &$$.a, sizeof($$.a)); }
- maskspace { yysetdict(maskwords); }
- ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
- yyresetdict();
- yyexpectaddr = 0; }
- ;
-maskspace:
- '/'
- | IPFY_MASK
- ;
-
-ipv4mask:
- ipv4 { $$ = $1; }
- | YY_HEX { $$.s_addr = htonl($1); }
- | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_NETWORK;
- } else
- YYERROR;
- }
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_NETMASKED;
- } else
- YYERROR;
- }
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_PEERADDR;
- } else
- YYERROR;
- }
- ;
-
-ipv6mask:
- YY_NUMBER { ntomask(6, $1, $$.i6); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- ;
-
-hostname:
- ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = $1; }
- | YY_HEX { $$.s_addr = $1; }
- | YY_STR { $$.s_addr = lookuphost($1);
- free($1);
- }
- ;
-
-addrlist:
- ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
- | addrlist ',' ipaddr
- { $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
- ;
-
-pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
- ;
-
-hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
- ;
-
-poollist:
- ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
- | '!' ipaddr { $$ = newalist(NULL);
- $$->al_not = 1;
- bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
- bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
- | poollist ',' ipaddr
- { $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
- | poollist ',' '!' ipaddr
- { $$ = newalist($1);
- $$->al_not = 1;
- bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
- bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
- ;
-
-port: IPFY_PORT { yyexpectaddr = 0;
- yycont = NULL;
- }
- ;
-
-portc: port compare { $$ = $2;
- yysetdict(NULL); }
- | porteq { $$ = $1; }
- ;
-
-porteq: port '=' { $$ = FR_EQUAL;
- yysetdict(NULL); }
- ;
-
-portr: IPFY_PORT { yyexpectaddr = 0;
- yycont = NULL;
- yysetdict(NULL); }
- ;
-
-portcomp:
- portc portnum { $$.pc = $1;
- $$.p1 = $2;
- yyresetdict(); }
- ;
-
-portrange:
- portr portnum range portnum { $$.p1 = $2;
- $$.pc = $3;
- $$.p2 = $4;
- yyresetdict(); }
- ;
-
-icmp: | itype icode
- ;
-
-itype: seticmptype icmptype
- { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
- yyresetdict();
- }
- | seticmptype lstart typelist lend { yyresetdict(); }
- ;
-
-seticmptype:
- IPFY_ICMPTYPE { setipftype();
- yysetdict(icmptypewords); }
- ;
-
-icode: | seticmpcode icmpcode
- { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
- yyresetdict();
- }
- | seticmpcode lstart codelist lend { yyresetdict(); }
- ;
-
-seticmpcode:
- IPFY_ICMPCODE { yysetdict(icmpcodewords); }
- ;
-
-typelist:
- icmptype
- { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
- | typelist lmore icmptype
- { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
- ;
-
-codelist:
- icmpcode
- { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
- | codelist lmore icmpcode
- { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
- fr->fr_icmpm |= htons(0xff);) }
- ;
-
-age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $2;) }
- | IPFY_AGE YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $4;) }
- ;
-
-keep: | IPFY_KEEP keepstate keep
- | IPFY_KEEP keepfrag keep
- ;
-
-keepstate:
- IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
- ;
-
-keepfrag:
- IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
- | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
- ;
-
-fragoptlist:
- | '(' fragopts ')'
- ;
-
-fragopts:
- fragopt lanother fragopts
- | fragopt
- ;
-
-fragopt:
- IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
- ;
-
-stateoptlist:
- | '(' stateopts ')'
- ;
-
-stateopts:
- stateopt lanother stateopts
- | stateopt
- ;
-
-stateopt:
- IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
- | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else \
- fr->fr_flags |= FR_STSTRICT;)
- }
- | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else \
- fr->fr_flags |= FR_NEWISN;)
- }
- | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
-
- | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
- | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $2;) }
- | IPFY_AGE YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $4;) }
- ;
-
-portnum:
- servicename { if (getport(frc, $1, &($$)) == -1)
- yyerror("service unknown");
- $$ = ntohs($$);
- free($1);
- }
- | YY_NUMBER { if ($1 > 65535) /* Unsigned */
- yyerror("invalid port number");
- else
- $$ = $1;
- }
- ;
-
-withlist:
- withopt { nowith = 0; }
- | withlist withopt { nowith = 0; }
- | withlist ',' withopt { nowith = 0; }
- ;
-
-withopt:
- opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
- | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
- | ipopt ipopts { yyresetdict(); }
- | notwith ipopt ipopts { yyresetdict(); }
- | startv6hdrs ipv6hdrs { yyresetdict(); }
- ;
-
-ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
- ;
-
-startv6hdrs:
- IPF6_V6HDRS { if (use_inet6 == 0)
- yyerror("only available with IPv6");
- yysetdict(ipv6optwords);
- }
- ;
-
-notwith:
- IPFY_NOT { nowith = 1; }
- | IPFY_NO { nowith = 1; }
- ;
-
-opttype:
- IPFY_IPOPTS { $$ = FI_OPTIONS; }
- | IPFY_SHORT { $$ = FI_SHORT; }
- | IPFY_NAT { $$ = FI_NATED; }
- | IPFY_BAD { $$ = FI_BAD; }
- | IPFY_BADNAT { $$ = FI_BADNAT; }
- | IPFY_BADSRC { $$ = FI_BADSRC; }
- | IPFY_LOWTTL { $$ = FI_LOWTTL; }
- | IPFY_FRAG { $$ = FI_FRAG; }
- | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
- | IPFY_FRAGS { $$ = FI_FRAG; }
- | IPFY_MBCAST { $$ = FI_MBCAST; }
- | IPFY_MULTICAST { $$ = FI_MULTICAST; }
- | IPFY_BROADCAST { $$ = FI_BROADCAST; }
- | IPFY_STATE { $$ = FI_STATE; }
- | IPFY_OOW { $$ = FI_OOW; }
- ;
-
-ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
- if (!nowith)
- fr->fr_ip.fi_optmsk |= $1;)
- }
- ;
-
-optlist:
- opt { $$ |= $1; }
- | optlist ',' opt { $$ |= $1 | $3; }
- ;
-
-ipv6hdrs:
- ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
- if (!nowith)
- fr->fr_ip.fi_optmsk |= $1;)
- }
- ;
-
-ipv6hdrlist:
- ipv6hdr { $$ |= $1; }
- | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
- ;
-
-secname:
- seclevel { $$ |= $1; }
- | secname ',' seclevel { $$ |= $1 | $3; }
- ;
-
-seclevel:
- IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
- | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
- | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
- | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
- | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
- | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
- | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
- | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
- ;
-
-icmptype:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
- | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
- | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
- | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
- | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
- | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
- | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
- | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
- | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
- | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
- | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
- | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
- | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
- | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
- | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
- ;
-
-icmpcode:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
- | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
- | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
- | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
- | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
- | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
- | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
- | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
- | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
- | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
- | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
- | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
- | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
- | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
- | IPFY_ICMPC_HSTPRE { $$ = 14; }
- | IPFY_ICMPC_CUTPRE { $$ = 15; }
- ;
-
-opt:
- IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
- | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
- | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
- | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
- | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
- | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
- | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
- | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
- | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
- | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
- | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
- | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
- | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
- | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
- | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
- | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
- | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
- | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
- | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
- | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
- | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
- | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
- | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
- | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
- | setsecclass secname
- { DOALL(fr->fr_mip.fi_secmsk |= $2;
- if (!nowith)
- fr->fr_ip.fi_secmsk |= $2;)
- $$ = 0;
- yyresetdict();
- }
- ;
-
-setsecclass:
- IPFY_SECCLASS { yysetdict(ipv4secwords); }
- ;
-
-ipv6hdr:
- IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
- | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
- | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
- | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
- | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
- | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
- | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
- | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
- | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
- ;
-
-level: IPFY_LEVEL { setsyslog(); }
- ;
-
-loglevel:
- priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
- | facility '.' priority { fr->fr_loglevel = $1 | $3; }
- ;
-
-facility:
- IPFY_FAC_KERN { $$ = LOG_KERN; }
- | IPFY_FAC_USER { $$ = LOG_USER; }
- | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
- | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
- | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
- | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
- | IPFY_FAC_LPR { $$ = LOG_LPR; }
- | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
- | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
- | IPFY_FAC_CRON { $$ = LOG_CRON; }
- | IPFY_FAC_FTP { $$ = LOG_FTP; }
- | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
- | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
- | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
- | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
- | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
- | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
- | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
- | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
- | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
- | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
- | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
- | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
- ;
-
-priority:
- IPFY_PRI_EMERG { $$ = LOG_EMERG; }
- | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
- | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
- | IPFY_PRI_ERR { $$ = LOG_ERR; }
- | IPFY_PRI_WARN { $$ = LOG_WARNING; }
- | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
- | IPFY_PRI_INFO { $$ = LOG_INFO; }
- | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
- ;
-
-compare:
- YY_CMP_EQ { $$ = FR_EQUAL; }
- | YY_CMP_NE { $$ = FR_NEQUAL; }
- | YY_CMP_LT { $$ = FR_LESST; }
- | YY_CMP_LE { $$ = FR_LESSTE; }
- | YY_CMP_GT { $$ = FR_GREATERT; }
- | YY_CMP_GE { $$ = FR_GREATERTE; }
- ;
-
-range: YY_RANGE_IN { $$ = FR_INRANGE; }
- | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
- | ':' { $$ = FR_INCRANGE; }
- ;
-
-servicename:
- YY_STR { $$ = $1; }
- ;
-
-interfacename: name { $$ = $1; }
- | name ':' YY_NUMBER
- { $$ = $1;
- fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
- "use the physical interface %s instead.\n",
- yylineNum, $1, $3, $1);
- }
- ;
-
-name: YY_STR { $$ = $1; }
- | '-' { $$ = strdup("-"); }
- ;
-
-ipv4_16:
- YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16);
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-
-ipv4_24:
- ipv4_16 '.' YY_NUMBER
- { if ($3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr |= htonl($3 << 8);
- }
- ;
-
-ipv4: ipv4_24 '.' YY_NUMBER
- { if ($3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr |= htonl($3);
- }
- | ipv4_24
- | ipv4_16
- ;
-
-%%
-
-
-static struct wordtab ipfwords[95] = {
- { "age", IPFY_AGE },
- { "ah", IPFY_AH },
- { "all", IPFY_ALL },
- { "and", IPFY_AND },
- { "auth", IPFY_AUTH },
- { "bad", IPFY_BAD },
- { "bad-nat", IPFY_BADNAT },
- { "bad-src", IPFY_BADSRC },
- { "bcast", IPFY_BROADCAST },
- { "block", IPFY_BLOCK },
- { "body", IPFY_BODY },
- { "bpf-v4", IPFY_BPFV4 },
-#ifdef USE_INET6
- { "bpf-v6", IPFY_BPFV6 },
-#endif
- { "call", IPFY_CALL },
- { "code", IPFY_ICMPCODE },
- { "count", IPFY_COUNT },
- { "dup-to", IPFY_DUPTO },
- { "eq", YY_CMP_EQ },
- { "esp", IPFY_ESP },
- { "fastroute", IPFY_FROUTE },
- { "first", IPFY_FIRST },
- { "flags", IPFY_FLAGS },
- { "frag", IPFY_FRAG },
- { "frag-body", IPFY_FRAGBODY },
- { "frags", IPFY_FRAGS },
- { "from", IPFY_FROM },
- { "ge", YY_CMP_GE },
- { "group", IPFY_GROUP },
- { "gt", YY_CMP_GT },
- { "head", IPFY_HEAD },
- { "icmp", IPFY_ICMP },
- { "icmp-type", IPFY_ICMPTYPE },
- { "in", IPFY_IN },
- { "in-via", IPFY_INVIA },
- { "ipopt", IPFY_IPOPTS },
- { "ipopts", IPFY_IPOPTS },
- { "keep", IPFY_KEEP },
- { "le", YY_CMP_LE },
- { "level", IPFY_LEVEL },
- { "limit", IPFY_LIMIT },
- { "log", IPFY_LOG },
- { "lowttl", IPFY_LOWTTL },
- { "lt", YY_CMP_LT },
- { "mask", IPFY_MASK },
- { "match-tag", IPFY_MATCHTAG },
- { "mbcast", IPFY_MBCAST },
- { "mcast", IPFY_MULTICAST },
- { "multicast", IPFY_MULTICAST },
- { "nat", IPFY_NAT },
- { "ne", YY_CMP_NE },
- { "net", IPFY_NETWORK },
- { "newisn", IPFY_NEWISN },
- { "no", IPFY_NO },
- { "no-icmp-err", IPFY_NOICMPERR },
- { "nomatch", IPFY_NOMATCH },
- { "now", IPFY_NOW },
- { "not", IPFY_NOT },
- { "oow", IPFY_OOW },
- { "on", IPFY_ON },
- { "opt", IPFY_OPT },
- { "or-block", IPFY_ORBLOCK },
- { "out", IPFY_OUT },
- { "out-via", IPFY_OUTVIA },
- { "pass", IPFY_PASS },
- { "port", IPFY_PORT },
- { "pps", IPFY_PPS },
- { "preauth", IPFY_PREAUTH },
- { "proto", IPFY_PROTO },
- { "quick", IPFY_QUICK },
- { "reply-to", IPFY_REPLY_TO },
- { "return-icmp", IPFY_RETICMP },
- { "return-icmp-as-dest", IPFY_RETICMPASDST },
- { "return-rst", IPFY_RETRST },
- { "route-to", IPFY_ROUTETO },
- { "sec-class", IPFY_SECCLASS },
- { "set-tag", IPFY_SETTAG },
- { "skip", IPFY_SKIP },
- { "short", IPFY_SHORT },
- { "state", IPFY_STATE },
- { "state-age", IPFY_AGE },
- { "strict", IPFY_STRICT },
- { "sync", IPFY_SYNC },
- { "tcp", IPFY_TCP },
- { "tcp-udp", IPFY_TCPUDP },
- { "tos", IPFY_TOS },
- { "to", IPFY_TO },
- { "ttl", IPFY_TTL },
- { "udp", IPFY_UDP },
- { "v6hdrs", IPF6_V6HDRS },
- { "with", IPFY_WITH },
- { NULL, 0 }
-};
-
-static struct wordtab addrwords[4] = {
- { "any", IPFY_ANY },
- { "hash", IPFY_HASH },
- { "pool", IPFY_POOL },
- { NULL, 0 }
-};
-
-static struct wordtab maskwords[5] = {
- { "broadcast", IPFY_BROADCAST },
- { "netmasked", IPFY_NETMASKED },
- { "network", IPFY_NETWORK },
- { "peer", IPFY_PEER },
- { NULL, 0 }
-};
-
-static struct wordtab icmptypewords[16] = {
- { "echo", IPFY_ICMPT_ECHO },
- { "echorep", IPFY_ICMPT_ECHOR },
- { "inforeq", IPFY_ICMPT_INFOREQ },
- { "inforep", IPFY_ICMPT_INFOREP },
- { "maskrep", IPFY_ICMPT_MASKREP },
- { "maskreq", IPFY_ICMPT_MASKREQ },
- { "paramprob", IPFY_ICMPT_PARAMP },
- { "redir", IPFY_ICMPT_REDIR },
- { "unreach", IPFY_ICMPT_UNR },
- { "routerad", IPFY_ICMPT_ROUTERAD },
- { "routersol", IPFY_ICMPT_ROUTERSOL },
- { "squench", IPFY_ICMPT_SQUENCH },
- { "timest", IPFY_ICMPT_TIMEST },
- { "timestrep", IPFY_ICMPT_TIMESTREP },
- { "timex", IPFY_ICMPT_TIMEX },
- { NULL, 0 },
-};
-
-static struct wordtab icmpcodewords[17] = {
- { "cutoff-preced", IPFY_ICMPC_CUTPRE },
- { "filter-prohib", IPFY_ICMPC_FLTPRO },
- { "isolate", IPFY_ICMPC_ISOLATE },
- { "needfrag", IPFY_ICMPC_NEEDF },
- { "net-prohib", IPFY_ICMPC_NETPRO },
- { "net-tos", IPFY_ICMPC_NETTOS },
- { "host-preced", IPFY_ICMPC_HSTPRE },
- { "host-prohib", IPFY_ICMPC_HSTPRO },
- { "host-tos", IPFY_ICMPC_HSTTOS },
- { "host-unk", IPFY_ICMPC_HSTUNK },
- { "host-unr", IPFY_ICMPC_HSTUNR },
- { "net-unk", IPFY_ICMPC_NETUNK },
- { "net-unr", IPFY_ICMPC_NETUNR },
- { "port-unr", IPFY_ICMPC_PORUNR },
- { "proto-unr", IPFY_ICMPC_PROUNR },
- { "srcfail", IPFY_ICMPC_SRCFAIL },
- { NULL, 0 },
-};
-
-static struct wordtab ipv4optwords[25] = {
- { "addext", IPFY_IPOPT_ADDEXT },
- { "cipso", IPFY_IPOPT_CIPSO },
- { "dps", IPFY_IPOPT_DPS },
- { "e-sec", IPFY_IPOPT_ESEC },
- { "eip", IPFY_IPOPT_EIP },
- { "encode", IPFY_IPOPT_ENCODE },
- { "finn", IPFY_IPOPT_FINN },
- { "imitd", IPFY_IPOPT_IMITD },
- { "lsrr", IPFY_IPOPT_LSRR },
- { "mtup", IPFY_IPOPT_MTUP },
- { "mtur", IPFY_IPOPT_MTUR },
- { "nop", IPFY_IPOPT_NOP },
- { "nsapa", IPFY_IPOPT_NSAPA },
- { "rr", IPFY_IPOPT_RR },
- { "rtralrt", IPFY_IPOPT_RTRALRT },
- { "satid", IPFY_IPOPT_SATID },
- { "sdb", IPFY_IPOPT_SDB },
- { "sec", IPFY_IPOPT_SEC },
- { "ssrr", IPFY_IPOPT_SSRR },
- { "tr", IPFY_IPOPT_TR },
- { "ts", IPFY_IPOPT_TS },
- { "ump", IPFY_IPOPT_UMP },
- { "visa", IPFY_IPOPT_VISA },
- { "zsu", IPFY_IPOPT_ZSU },
- { NULL, 0 },
-};
-
-static struct wordtab ipv4secwords[9] = {
- { "confid", IPFY_SEC_CONF },
- { "reserv-1", IPFY_SEC_RSV1 },
- { "reserv-2", IPFY_SEC_RSV2 },
- { "reserv-3", IPFY_SEC_RSV3 },
- { "reserv-4", IPFY_SEC_RSV4 },
- { "secret", IPFY_SEC_SEC },
- { "topsecret", IPFY_SEC_TS },
- { "unclass", IPFY_SEC_UNC },
- { NULL, 0 },
-};
-
-static struct wordtab ipv6optwords[9] = {
- { "dstopts", IPFY_IPV6OPT_DSTOPTS },
- { "esp", IPFY_IPV6OPT_ESP },
- { "frag", IPFY_IPV6OPT_FRAG },
- { "hopopts", IPFY_IPV6OPT_HOPOPTS },
- { "ipv6", IPFY_IPV6OPT_IPV6 },
- { "mobility", IPFY_IPV6OPT_MOBILITY },
- { "none", IPFY_IPV6OPT_NONE },
- { "routing", IPFY_IPV6OPT_ROUTING },
- { NULL, 0 },
-};
-
-static struct wordtab logwords[33] = {
- { "kern", IPFY_FAC_KERN },
- { "user", IPFY_FAC_USER },
- { "mail", IPFY_FAC_MAIL },
- { "daemon", IPFY_FAC_DAEMON },
- { "auth", IPFY_FAC_AUTH },
- { "syslog", IPFY_FAC_SYSLOG },
- { "lpr", IPFY_FAC_LPR },
- { "news", IPFY_FAC_NEWS },
- { "uucp", IPFY_FAC_UUCP },
- { "cron", IPFY_FAC_CRON },
- { "ftp", IPFY_FAC_FTP },
- { "authpriv", IPFY_FAC_AUTHPRIV },
- { "audit", IPFY_FAC_AUDIT },
- { "logalert", IPFY_FAC_LFMT },
- { "console", IPFY_FAC_CONSOLE },
- { "security", IPFY_FAC_SECURITY },
- { "local0", IPFY_FAC_LOCAL0 },
- { "local1", IPFY_FAC_LOCAL1 },
- { "local2", IPFY_FAC_LOCAL2 },
- { "local3", IPFY_FAC_LOCAL3 },
- { "local4", IPFY_FAC_LOCAL4 },
- { "local5", IPFY_FAC_LOCAL5 },
- { "local6", IPFY_FAC_LOCAL6 },
- { "local7", IPFY_FAC_LOCAL7 },
- { "emerg", IPFY_PRI_EMERG },
- { "alert", IPFY_PRI_ALERT },
- { "crit", IPFY_PRI_CRIT },
- { "err", IPFY_PRI_ERR },
- { "warn", IPFY_PRI_WARN },
- { "notice", IPFY_PRI_NOTICE },
- { "info", IPFY_PRI_INFO },
- { "debug", IPFY_PRI_DEBUG },
- { NULL, 0 },
-};
-
-
-
-
-int ipf_parsefile(fd, addfunc, iocfuncs, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t *iocfuncs;
-char *filename;
-{
- FILE *fp = NULL;
- char *s;
-
- yylineNum = 1;
- yysettab(ipfwords);
-
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (fp == NULL) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ipf_parsesome(fd, addfunc, iocfuncs, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t *iocfuncs;
-FILE *fp;
-{
- char *s;
- int i;
-
- ipffd = fd;
- for (i = 0; i <= IPL_LOGMAX; i++)
- ipfioctl[i] = iocfuncs[i];
- ipfaddfunc = addfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == 0)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static void newrule()
-{
- frentry_t *frn;
-
- frn = (frentry_t *)calloc(1, sizeof(frentry_t));
- for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
- ;
- if (fr != NULL)
- fr->fr_next = frn;
- if (frtop == NULL)
- frtop = frn;
- fr = frn;
- frc = frn;
- fr->fr_loglevel = 0xffff;
- fr->fr_isc = (void *)-1;
- fr->fr_logtag = FR_NOLOGTAG;
- fr->fr_type = FR_T_NONE;
- if (use_inet6 != 0)
- fr->fr_v = 6;
- else
- fr->fr_v = 4;
-
- nrules = 1;
-}
-
-
-static void setipftype()
-{
- for (fr = frc; fr != NULL; fr = fr->fr_next) {
- if (fr->fr_type == FR_T_NONE) {
- fr->fr_type = FR_T_IPF;
- fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
- fr->fr_dsize = sizeof(fripf_t);
- fr->fr_ip.fi_v = frc->fr_v;
- fr->fr_mip.fi_v = 0xf;
- fr->fr_ipf->fri_sifpidx = -1;
- fr->fr_ipf->fri_difpidx = -1;
- }
- if (fr->fr_type != FR_T_IPF) {
- fprintf(stderr, "IPF Type not set\n");
- }
- }
-}
-
-
-static frentry_t *addrule()
-{
- frentry_t *f, *f1, *f2;
- int count;
-
- for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
- ;
-
- count = nrules;
- f = f2;
- for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
- f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
- added++;
- f = f->fr_next;
- bcopy(f1, f, sizeof(*f));
- f->fr_next = NULL;
- if (f->fr_caddr != NULL) {
- f->fr_caddr = malloc(f->fr_dsize);
- bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
- }
- }
-
- return f2->fr_next;
-}
-
-
-static u_32_t lookuphost(name)
-char *name;
-{
- u_32_t addr;
- int i;
-
- hashed = 0;
- pooled = 0;
- dynamic = -1;
-
- for (i = 0; i < 4; i++) {
- if (strncmp(name, frc->fr_ifnames[i],
- sizeof(frc->fr_ifnames[i])) == 0) {
- ifpflag = FRI_DYNAMIC;
- dynamic = i;
- return 0;
- }
- }
-
- if (gethost(name, &addr) == -1) {
- fprintf(stderr, "unknown name \"%s\"\n", name);
- return 0;
- }
- return addr;
-}
-
-
-static void dobpf(v, phrase)
-int v;
-char *phrase;
-{
-#ifdef IPFILTER_BPF
- struct bpf_program bpf;
- struct pcap *p;
-#endif
- fakebpf_t *fb;
- u_32_t l;
- char *s;
- int i;
-
- for (fr = frc; fr != NULL; fr = fr->fr_next) {
- if (fr->fr_type != FR_T_NONE) {
- fprintf(stderr, "cannot mix IPF and BPF matching\n");
- return;
- }
- fr->fr_v = v;
- fr->fr_type = FR_T_BPFOPC;
-
- if (!strncmp(phrase, "0x", 2)) {
- fb = malloc(sizeof(fakebpf_t));
-
- for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
- s = strtok(NULL, " \r\n\t"), i++) {
- fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
- l = (u_32_t)strtol(s, NULL, 0);
- switch (i & 3)
- {
- case 0 :
- fb[i / 4].fb_c = l & 0xffff;
- break;
- case 1 :
- fb[i / 4].fb_t = l & 0xff;
- break;
- case 2 :
- fb[i / 4].fb_f = l & 0xff;
- break;
- case 3 :
- fb[i / 4].fb_k = l;
- break;
- }
- }
- if ((i & 3) != 0) {
- fprintf(stderr,
- "Odd number of bytes in BPF code\n");
- exit(1);
- }
- i--;
- fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
- fr->fr_data = fb;
- return;
- }
-
-#ifdef IPFILTER_BPF
- bzero((char *)&bpf, sizeof(bpf));
- p = pcap_open_dead(DLT_RAW, 1);
- if (!p) {
- fprintf(stderr, "pcap_open_dead failed\n");
- return;
- }
-
- if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
- pcap_perror(p, "ipf");
- pcap_close(p);
- fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
- return;
- }
- pcap_close(p);
-
- fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
- fr->fr_data = malloc(fr->fr_dsize);
- bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
- if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
- fprintf(stderr, "BPF validation failed\n");
- return;
- }
-#endif
- }
-
-#ifdef IPFILTER_BPF
- if (opts & OPT_DEBUG)
- bpf_dump(&bpf, 0);
-#else
- fprintf(stderr, "BPF filter expressions not supported\n");
- exit(1);
-#endif
-}
-
-
-static void resetaddr()
-{
- hashed = 0;
- pooled = 0;
- dynamic = -1;
-}
-
-
-static alist_t *newalist(ptr)
-alist_t *ptr;
-{
- alist_t *al;
-
- al = malloc(sizeof(*al));
- if (al == NULL)
- return NULL;
- al->al_not = 0;
- al->al_next = ptr;
- return al;
-}
-
-
-static int makepool(list)
-alist_t *list;
-{
- ip_pool_node_t *n, *top;
- ip_pool_t pool;
- alist_t *a;
- int num;
-
- if (list == NULL)
- return 0;
- top = calloc(1, sizeof(*top));
- if (top == NULL)
- return 0;
-
- for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
- n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
- n->ipn_info = a->al_not;
- if (a->al_next != NULL) {
- n->ipn_next = calloc(1, sizeof(*n));
- n = n->ipn_next;
- }
- }
-
- bzero((char *)&pool, sizeof(pool));
- pool.ipo_unit = IPL_LOGIPF;
- pool.ipo_list = top;
- num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
-
- while ((n = top) != NULL) {
- top = n->ipn_next;
- free(n);
- }
- return num;
-}
-
-
-static u_int makehash(list)
-alist_t *list;
-{
- iphtent_t *n, *top;
- iphtable_t iph;
- alist_t *a;
- int num;
-
- if (list == NULL)
- return 0;
- top = calloc(1, sizeof(*top));
- if (top == NULL)
- return 0;
-
- for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipe_addr.in4_addr = a->al_1;
- n->ipe_mask.in4_addr = a->al_2;
- n->ipe_value = 0;
- if (a->al_next != NULL) {
- n->ipe_next = calloc(1, sizeof(*n));
- n = n->ipe_next;
- }
- }
-
- bzero((char *)&iph, sizeof(iph));
- iph.iph_unit = IPL_LOGIPF;
- iph.iph_type = IPHASH_LOOKUP;
- *iph.iph_name = '\0';
-
- if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
- sscanf(iph.iph_name, "%u", &num);
- else
- num = 0;
-
- while ((n = top) != NULL) {
- top = n->ipe_next;
- free(n);
- }
- return num;
-}
-
-
-void ipf_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- ioctlcmd_t add, del;
- frentry_t *fr;
- ipfobj_t obj;
-
- if (ptr == NULL)
- return;
-
- fr = ptr;
- add = 0;
- del = 0;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*fr);
- obj.ipfo_type = IPFOBJ_FRENTRY;
- obj.ipfo_ptr = ptr;
-
- if ((opts & OPT_DONOTHING) != 0)
- fd = -1;
-
- if (opts & OPT_ZERORULEST) {
- add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = (u_int)fr->fr_hits ? SIOCINIFR :
- SIOCADIFR;
- del = SIOCRMIFR;
- } else {
- add = (u_int)fr->fr_hits ? SIOCINAFR :
- SIOCADAFR;
- del = SIOCRMAFR;
- }
-
- if ((opts & OPT_OUTQUE) != 0)
- fr->fr_flags |= FR_OUTQUE;
- if (fr->fr_hits)
- fr->fr_hits--;
- if ((opts & OPT_VERBOSE) != 0)
- printfr(fr, ioctlfunc);
-
- if ((opts & OPT_DEBUG) != 0) {
- binprint(fr, sizeof(*fr));
- if (fr->fr_data != NULL)
- binprint(fr->fr_data, fr->fr_dsize);
- }
-
- if ((opts & OPT_ZERORULEST) != 0) {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
- }
- } else {
-#ifdef USE_QUAD_T
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-#else
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-#endif
- printfr(fr, ioctlfunc);
- }
- } else if ((opts & OPT_REMOVE) != 0) {
- if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) != 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete rule)");
- }
- }
- } else {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if (!(opts & OPT_DONOTHING)) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert rule)");
- }
- }
- }
-}
-
-static void setsyslog()
-{
- yysetdict(logwords);
- yybreakondot = 1;
-}
-
-
-static void unsetsyslog()
-{
- yyresetdict();
- yybreakondot = 0;
-}
-
-
-static void fillgroup(fr)
-frentry_t *fr;
-{
- frentry_t *f;
-
- for (f = frold; f != NULL; f = f->fr_next)
- if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
- break;
- if (f == NULL)
- return;
-
- /*
- * Only copy down matching fields if the rules are of the same type
- * and are of ipf type. The only fields that are copied are those
- * that impact the rule parsing itself, eg. need for knowing what the
- * protocol should be for rules with port comparisons in them.
- */
- if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
- return;
-
- if (fr->fr_v == 0 && f->fr_v != 0)
- fr->fr_v = f->fr_v;
-
- if (fr->fr_mproto == 0 && f->fr_mproto != 0)
- fr->fr_mproto = f->fr_mproto;
- if (fr->fr_proto == 0 && f->fr_proto != 0)
- fr->fr_proto = f->fr_proto;
-
- if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
- ((f->fr_flx & FI_TCPUDP) != 0))
- fr->fr_flx |= FI_TCPUDP;
-}
diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c
deleted file mode 100644
index aa25c77..0000000
--- a/contrib/ipfilter/tools/ipfcomp.c
+++ /dev/null
@@ -1,1358 +0,0 @@
-/*
- * Copyright (C) 2001-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.7 2007/05/01 22:15:00 darrenr Exp $";
-#endif
-
-#include "ipf.h"
-
-
-typedef struct {
- int c;
- int e;
- int n;
- int p;
- int s;
-} mc_t;
-
-
-static char *portcmp[] = { "*", "==", "!=", "<", ">", "<=", ">=", "**", "***" };
-static int count = 0;
-
-int intcmp __P((const void *, const void *));
-static void indent __P((FILE *, int));
-static void printeq __P((FILE *, char *, int, int, int));
-static void printipeq __P((FILE *, char *, int, int, int));
-static void addrule __P((FILE *, frentry_t *));
-static void printhooks __P((FILE *, int, int, frgroup_t *));
-static void emitheader __P((frgroup_t *, u_int, u_int));
-static void emitGroup __P((int, int, void *, frentry_t *, char *,
- u_int, u_int));
-static void emittail __P((void));
-static void printCgroup __P((int, frentry_t *, mc_t *, char *));
-
-#define FRC_IFN 0
-#define FRC_V 1
-#define FRC_P 2
-#define FRC_FL 3
-#define FRC_TOS 4
-#define FRC_TTL 5
-#define FRC_SRC 6
-#define FRC_DST 7
-#define FRC_TCP 8
-#define FRC_SP 9
-#define FRC_DP 10
-#define FRC_OPT 11
-#define FRC_SEC 12
-#define FRC_ATH 13
-#define FRC_ICT 14
-#define FRC_ICC 15
-#define FRC_MAX 16
-
-
-static FILE *cfile = NULL;
-
-/*
- * This is called once per filter rule being loaded to emit data structures
- * required.
- */
-void printc(fr)
-frentry_t *fr;
-{
- fripf_t *ipf;
- u_long *ulp;
- char *and;
- FILE *fp;
- int i;
-
- if (fr->fr_v != 4)
- return;
- if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
- return;
- if ((fr->fr_type == FR_T_IPF) &&
- ((fr->fr_datype != FRI_NORMAL) || (fr->fr_satype != FRI_NORMAL)))
- return;
- ipf = fr->fr_ipf;
-
- if (cfile == NULL)
- cfile = fopen("ip_rules.c", "w");
- if (cfile == NULL)
- return;
- fp = cfile;
- if (count == 0) {
- fprintf(fp, "/*\n");
- fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
- fprintf(fp, "*\n");
- fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
- fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
- fprintf(fp, "* to the original author and the contributors.\n");
- fprintf(fp, "*/\n\n");
-
- fprintf(fp, "#include <sys/param.h>\n");
- fprintf(fp, "#include <sys/types.h>\n");
- fprintf(fp, "#include <sys/time.h>\n");
- fprintf(fp, "#include <sys/socket.h>\n");
- fprintf(fp, "#if (__FreeBSD_version >= 40000)\n");
- fprintf(fp, "# if defined(_KERNEL)\n");
- fprintf(fp, "# include <sys/libkern.h>\n");
- fprintf(fp, "# else\n");
- fprintf(fp, "# include <sys/unistd.h>\n");
- fprintf(fp, "# endif\n");
- fprintf(fp, "#endif\n");
- fprintf(fp, "#if (__NetBSD_Version__ >= 399000000)\n");
- fprintf(fp, "#else\n");
- fprintf(fp, "# if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
- fprintf(fp, "# include <sys/systm.h>\n");
- fprintf(fp, "# endif\n");
- fprintf(fp, "#endif\n");
- fprintf(fp, "#include <sys/errno.h>\n");
- fprintf(fp, "#include <sys/param.h>\n");
- fprintf(fp,
-"#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux)\n");
- fprintf(fp, "# include <sys/mbuf.h>\n");
- fprintf(fp, "#endif\n");
- fprintf(fp,
-"#if defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
- fprintf(fp, "# include <sys/sockio.h>\n");
- fprintf(fp, "#else\n");
- fprintf(fp, "# include <sys/ioctl.h>\n");
- fprintf(fp, "#endif /* FreeBSD */\n");
- fprintf(fp, "#include <net/if.h>\n");
- fprintf(fp, "#include <netinet/in.h>\n");
- fprintf(fp, "#include <netinet/in_systm.h>\n");
- fprintf(fp, "#include <netinet/ip.h>\n");
- fprintf(fp, "#include <netinet/tcp.h>\n");
- fprintf(fp, "#include \"netinet/ip_compat.h\"\n");
- fprintf(fp, "#include \"netinet/ip_fil.h\"\n\n");
- fprintf(fp, "#include \"netinet/ip_rules.h\"\n\n");
- fprintf(fp, "#ifndef _KERNEL\n");
- fprintf(fp, "# include <string.h>\n");
- fprintf(fp, "#endif /* _KERNEL */\n");
- fprintf(fp, "\n");
- fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
- }
-
- addrule(fp, fr);
- fr->fr_type |= FR_T_BUILTIN;
- and = "";
- fr->fr_ref = 1;
- i = sizeof(*fr);
- if (i & -(1 - sizeof(*ulp)))
- i += sizeof(u_long);
- for (i /= sizeof(u_long), ulp = (u_long *)fr; i > 0; i--) {
- fprintf(fp, "%s%#lx", and, *ulp++);
- and = ", ";
- }
- fprintf(fp, "\n};\n");
- fr->fr_type &= ~FR_T_BUILTIN;
-
- count++;
-
- fflush(fp);
-}
-
-
-static frgroup_t *groups = NULL;
-
-
-static void addrule(fp, fr)
-FILE *fp;
-frentry_t *fr;
-{
- frentry_t *f, **fpp;
- frgroup_t *g;
- u_long *ulp;
- char *and;
- int i;
-
- f = (frentry_t *)malloc(sizeof(*f));
- bcopy((char *)fr, (char *)f, sizeof(*fr));
- if (fr->fr_ipf) {
- f->fr_ipf = (fripf_t *)malloc(sizeof(*f->fr_ipf));
- bcopy((char *)fr->fr_ipf, (char *)f->fr_ipf,
- sizeof(*fr->fr_ipf));
- }
-
- f->fr_next = NULL;
- for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
- (g->fg_flags == (f->fr_flags & FR_INOUT)))
- break;
-
- if (g == NULL) {
- g = (frgroup_t *)calloc(1, sizeof(*g));
- g->fg_next = groups;
- groups = g;
- g->fg_head = f;
- bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
- g->fg_ref = 0;
- g->fg_flags = f->fr_flags & FR_INOUT;
- }
-
- for (fpp = &g->fg_start; *fpp != NULL; )
- fpp = &((*fpp)->fr_next);
- *fpp = f;
-
- if (fr->fr_dsize > 0) {
- fprintf(fp, "\
-static u_long ipf%s_rule_data_%s_%u[] = {\n",
- f->fr_flags & FR_INQUE ? "in" : "out",
- g->fg_name, g->fg_ref);
- and = "";
- i = fr->fr_dsize;
- ulp = fr->fr_data;
- for (i /= sizeof(u_long); i > 0; i--) {
- fprintf(fp, "%s%#lx", and, *ulp++);
- and = ", ";
- }
- fprintf(fp, "\n};\n");
- }
-
- fprintf(fp, "\nstatic u_long %s_rule_%s_%d[] = {\n",
- f->fr_flags & FR_INQUE ? "in" : "out", g->fg_name, g->fg_ref);
-
- g->fg_ref++;
-
- if (f->fr_grhead != 0) {
- for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_grhead,
- FR_GROUPLEN) == 0) &&
- g->fg_flags == (f->fr_flags & FR_INOUT))
- break;
- if (g == NULL) {
- g = (frgroup_t *)calloc(1, sizeof(*g));
- g->fg_next = groups;
- groups = g;
- g->fg_head = f;
- bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
- g->fg_ref = 0;
- g->fg_flags = f->fr_flags & FR_INOUT;
- }
- }
-}
-
-
-int intcmp(c1, c2)
-const void *c1, *c2;
-{
- const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;
-
- if (i1->n == i2->n) {
- return i1->c - i2->c;
- }
- return i2->n - i1->n;
-}
-
-
-static void indent(fp, in)
-FILE *fp;
-int in;
-{
- for (; in; in--)
- fputc('\t', fp);
-}
-
-static void printeq(fp, var, m, max, v)
-FILE *fp;
-char *var;
-int m, max, v;
-{
- if (m == max)
- fprintf(fp, "%s == %#x) {\n", var, v);
- else
- fprintf(fp, "(%s & %#x) == %#x) {\n", var, m, v);
-}
-
-/*
- * Parameters: var - IP# being compared
- * fl - 0 for positive match, 1 for negative match
- * m - netmask
- * v - required address
- */
-static void printipeq(fp, var, fl, m, v)
-FILE *fp;
-char *var;
-int fl, m, v;
-{
- if (m == 0xffffffff)
- fprintf(fp, "%s ", var);
- else
- fprintf(fp, "(%s & %#x) ", var, m);
- fprintf(fp, "%c", fl ? '!' : '=');
- fprintf(fp, "= %#x) {\n", v);
-}
-
-
-void emit(num, dir, v, fr)
-int num, dir;
-void *v;
-frentry_t *fr;
-{
- u_int incnt, outcnt;
- frgroup_t *g;
- frentry_t *f;
-
- for (g = groups; g != NULL; g = g->fg_next) {
- if (dir == 0 || dir == -1) {
- if ((g->fg_flags & FR_INQUE) == 0)
- continue;
- for (incnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- incnt++;
- emitGroup(num, dir, v, fr, g->fg_name, incnt, 0);
- }
- if (dir == 1 || dir == -1) {
- if ((g->fg_flags & FR_OUTQUE) == 0)
- continue;
- for (outcnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- outcnt++;
- emitGroup(num, dir, v, fr, g->fg_name, 0, outcnt);
- }
- }
-
- if (num == -1 && dir == -1) {
- for (g = groups; g != NULL; g = g->fg_next) {
- if ((g->fg_flags & FR_INQUE) != 0) {
- for (incnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- incnt++;
- if (incnt > 0)
- emitheader(g, incnt, 0);
- }
- if ((g->fg_flags & FR_OUTQUE) != 0) {
- for (outcnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- outcnt++;
- if (outcnt > 0)
- emitheader(g, 0, outcnt);
- }
- }
- emittail();
- fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n");
- }
-
-}
-
-
-static void emitheader(grp, incount, outcount)
-frgroup_t *grp;
-u_int incount, outcount;
-{
- static FILE *fph = NULL;
- frgroup_t *g;
-
- if (fph == NULL) {
- fph = fopen("ip_rules.h", "w");
- if (fph == NULL)
- return;
-
- fprintf(fph, "extern int ipfrule_add __P((void));\n");
- fprintf(fph, "extern int ipfrule_remove __P((void));\n");
- }
-
- printhooks(cfile, incount, outcount, grp);
-
- if (incount) {
- fprintf(fph, "\n\
-extern frentry_t *ipfrule_match_in_%s __P((fr_info_t *, u_32_t *));\n\
-extern frentry_t *ipf_rules_in_%s[%d];\n",
- grp->fg_name, grp->fg_name, incount);
-
- for (g = groups; g != grp; g = g->fg_next)
- if ((strncmp(g->fg_name, grp->fg_name,
- FR_GROUPLEN) == 0) &&
- g->fg_flags == grp->fg_flags)
- break;
- if (g == grp) {
- fprintf(fph, "\n\
-extern int ipfrule_add_in_%s __P((void));\n\
-extern int ipfrule_remove_in_%s __P((void));\n", grp->fg_name, grp->fg_name);
- }
- }
- if (outcount) {
- fprintf(fph, "\n\
-extern frentry_t *ipfrule_match_out_%s __P((fr_info_t *, u_32_t *));\n\
-extern frentry_t *ipf_rules_out_%s[%d];\n",
- grp->fg_name, grp->fg_name, outcount);
-
- for (g = groups; g != g; g = g->fg_next)
- if ((strncmp(g->fg_name, grp->fg_name,
- FR_GROUPLEN) == 0) &&
- g->fg_flags == grp->fg_flags)
- break;
- if (g == grp) {
- fprintf(fph, "\n\
-extern int ipfrule_add_out_%s __P((void));\n\
-extern int ipfrule_remove_out_%s __P((void));\n",
- grp->fg_name, grp->fg_name);
- }
- }
-}
-
-static void emittail()
-{
- frgroup_t *g;
-
- fprintf(cfile, "\n\
-int ipfrule_add()\n\
-{\n\
- int err;\n\
-\n");
- for (g = groups; g != NULL; g = g->fg_next)
- fprintf(cfile, "\
- err = ipfrule_add_%s_%s();\n\
- if (err != 0)\n\
- return err;\n",
- (g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
- fprintf(cfile, "\
- return 0;\n");
- fprintf(cfile, "}\n\
-\n");
-
- fprintf(cfile, "\n\
-int ipfrule_remove()\n\
-{\n\
- int err;\n\
-\n");
- for (g = groups; g != NULL; g = g->fg_next)
- fprintf(cfile, "\
- err = ipfrule_remove_%s_%s();\n\
- if (err != 0)\n\
- return err;\n",
- (g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
- fprintf(cfile, "\
- return 0;\n");
- fprintf(cfile, "}\n");
-}
-
-
-static void emitGroup(num, dir, v, fr, group, incount, outcount)
-int num, dir;
-void *v;
-frentry_t *fr;
-char *group;
-u_int incount, outcount;
-{
- static FILE *fp = NULL;
- static int header[2] = { 0, 0 };
- static char egroup[FR_GROUPLEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
- static int openfunc = 0;
- static mc_t *n = NULL;
- static int sin = 0;
- frentry_t *f;
- frgroup_t *g;
- fripf_t *ipf;
- int i, in, j;
- mc_t *m = v;
-
- if (fp == NULL)
- fp = cfile;
- if (fp == NULL)
- return;
- if (strncmp(egroup, group, FR_GROUPLEN)) {
- for (sin--; sin > 0; sin--) {
- indent(fp, sin);
- fprintf(fp, "}\n");
- }
- if (openfunc == 1) {
- fprintf(fp, "\treturn fr;\n}\n");
- openfunc = 0;
- if (n != NULL) {
- free(n);
- n = NULL;
- }
- }
- sin = 0;
- header[0] = 0;
- header[1] = 0;
- strncpy(egroup, group, FR_GROUPLEN);
- } else if (openfunc == 1 && num < 0) {
- if (n != NULL) {
- free(n);
- n = NULL;
- }
- for (sin--; sin > 0; sin--) {
- indent(fp, sin);
- fprintf(fp, "}\n");
- }
- if (openfunc == 1) {
- fprintf(fp, "\treturn fr;\n}\n");
- openfunc = 0;
- }
- }
-
- if (dir == -1)
- return;
-
- for (g = groups; g != NULL; g = g->fg_next) {
- if (dir == 0 && (g->fg_flags & FR_INQUE) == 0)
- continue;
- else if (dir == 1 && (g->fg_flags & FR_OUTQUE) == 0)
- continue;
- if (strncmp(g->fg_name, group, FR_GROUPLEN) != 0)
- continue;
- break;
- }
-
- /*
- * Output the array of pointers to rules for this group.
- */
- if (g != NULL && num == -2 && dir == 0 && header[0] == 0 &&
- incount != 0) {
- fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {",
- group, incount);
- for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
- if ((f->fr_flags & FR_INQUE) == 0)
- continue;
- if ((i & 1) == 0) {
- fprintf(fp, "\n\t");
- }
- fprintf(fp,
- "(frentry_t *)&in_rule_%s_%d",
- f->fr_group, i);
- if (i + 1 < incount)
- fprintf(fp, ", ");
- i++;
- }
- fprintf(fp, "\n};\n");
- }
-
- if (g != NULL && num == -2 && dir == 1 && header[0] == 0 &&
- outcount != 0) {
- fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {",
- group, outcount);
- for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
- if ((f->fr_flags & FR_OUTQUE) == 0)
- continue;
- if ((i & 1) == 0) {
- fprintf(fp, "\n\t");
- }
- fprintf(fp,
- "(frentry_t *)&out_rule_%s_%d",
- f->fr_group, i);
- if (i + 1 < outcount)
- fprintf(fp, ", ");
- i++;
- }
- fprintf(fp, "\n};\n");
- fp = NULL;
- }
-
- if (num < 0)
- return;
-
- in = 0;
- ipf = fr->fr_ipf;
-
- /*
- * If the function header has not been printed then print it now.
- */
- if (g != NULL && header[dir] == 0) {
- int pdst = 0, psrc = 0;
-
- openfunc = 1;
- fprintf(fp, "\nfrentry_t *ipfrule_match_%s_%s(fin, passp)\n",
- (dir == 0) ? "in" : "out", group);
- fprintf(fp, "fr_info_t *fin;\n");
- fprintf(fp, "u_32_t *passp;\n");
- fprintf(fp, "{\n");
- fprintf(fp, "\tfrentry_t *fr = NULL;\n");
-
- /*
- * Print out any variables that need to be declared.
- */
- for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
- if (incount + outcount > m[FRC_SRC].e + 1)
- psrc = 1;
- if (incount + outcount > m[FRC_DST].e + 1)
- pdst = 1;
- }
- if (psrc == 1)
- fprintf(fp, "\tu_32_t src = ntohl(%s);\n",
- "fin->fin_fi.fi_saddr");
- if (pdst == 1)
- fprintf(fp, "\tu_32_t dst = ntohl(%s);\n",
- "fin->fin_fi.fi_daddr");
- }
-
- for (i = 0; i < FRC_MAX; i++) {
- switch(m[i].c)
- {
- case FRC_IFN :
- if (*fr->fr_ifname)
- m[i].s = 1;
- break;
- case FRC_V :
- if (ipf != NULL && ipf->fri_mip.fi_v != 0)
- m[i].s = 1;
- break;
- case FRC_FL :
- if (ipf != NULL && ipf->fri_mip.fi_flx != 0)
- m[i].s = 1;
- break;
- case FRC_P :
- if (ipf != NULL && ipf->fri_mip.fi_p != 0)
- m[i].s = 1;
- break;
- case FRC_TTL :
- if (ipf != NULL && ipf->fri_mip.fi_ttl != 0)
- m[i].s = 1;
- break;
- case FRC_TOS :
- if (ipf != NULL && ipf->fri_mip.fi_tos != 0)
- m[i].s = 1;
- break;
- case FRC_TCP :
- if (ipf == NULL)
- break;
- if ((ipf->fri_ip.fi_p == IPPROTO_TCP) &&
- fr->fr_tcpfm != 0)
- m[i].s = 1;
- break;
- case FRC_SP :
- if (ipf == NULL)
- break;
- if (fr->fr_scmp == FR_INRANGE)
- m[i].s = 1;
- else if (fr->fr_scmp == FR_OUTRANGE)
- m[i].s = 1;
- else if (fr->fr_scmp != 0)
- m[i].s = 1;
- break;
- case FRC_DP :
- if (ipf == NULL)
- break;
- if (fr->fr_dcmp == FR_INRANGE)
- m[i].s = 1;
- else if (fr->fr_dcmp == FR_OUTRANGE)
- m[i].s = 1;
- else if (fr->fr_dcmp != 0)
- m[i].s = 1;
- break;
- case FRC_SRC :
- if (ipf == NULL)
- break;
- if (fr->fr_satype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_smask != 0) ||
- (fr->fr_flags & FR_NOTSRCIP) != 0)
- m[i].s = 1;
- break;
- case FRC_DST :
- if (ipf == NULL)
- break;
- if (fr->fr_datype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_dmask != 0) ||
- (fr->fr_flags & FR_NOTDSTIP) != 0)
- m[i].s = 1;
- break;
- case FRC_OPT :
- if (ipf == NULL)
- break;
- if (fr->fr_optmask != 0)
- m[i].s = 1;
- break;
- case FRC_SEC :
- if (ipf == NULL)
- break;
- if (fr->fr_secmask != 0)
- m[i].s = 1;
- break;
- case FRC_ATH :
- if (ipf == NULL)
- break;
- if (fr->fr_authmask != 0)
- m[i].s = 1;
- break;
- case FRC_ICT :
- if (ipf == NULL)
- break;
- if ((fr->fr_icmpm & 0xff00) != 0)
- m[i].s = 1;
- break;
- case FRC_ICC :
- if (ipf == NULL)
- break;
- if ((fr->fr_icmpm & 0xff) != 0)
- m[i].s = 1;
- break;
- }
- }
-
- if (!header[dir]) {
- fprintf(fp, "\n");
- header[dir] = 1;
- sin = 0;
- }
-
- qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
-
- if (n) {
- /*
- * Calculate the indentation interval upto the last common
- * common comparison being made.
- */
- for (i = 0, in = 1; i < FRC_MAX; i++) {
- if (n[i].c != m[i].c)
- break;
- if (n[i].s != m[i].s)
- break;
- if (n[i].s) {
- if (n[i].n && (n[i].n > n[i].e)) {
- m[i].p++;
- in += m[i].p;
- break;
- }
- if (n[i].e > 0) {
- in++;
- } else
- break;
- }
- }
- if (sin != in) {
- for (j = sin - 1; j >= in; j--) {
- indent(fp, j);
- fprintf(fp, "}\n");
- }
- }
- } else {
- in = 1;
- i = 0;
- }
-
- /*
- * print out C code that implements a filter rule.
- */
- for (; i < FRC_MAX; i++) {
- switch(m[i].c)
- {
- case FRC_IFN :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_ifp == ");
- fprintf(fp, "ipf_rules_%s_%s[%d]->fr_ifa) {\n",
- dir ? "out" : "in", group, num);
- in++;
- }
- break;
- case FRC_V :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_v == %d) {\n",
- ipf->fri_ip.fi_v);
- in++;
- }
- break;
- case FRC_FL :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_flx",
- ipf->fri_mip.fi_flx, 0xf,
- ipf->fri_ip.fi_flx);
- in++;
- }
- break;
- case FRC_P :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_p == %d) {\n",
- ipf->fri_ip.fi_p);
- in++;
- }
- break;
- case FRC_TTL :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_ttl",
- ipf->fri_mip.fi_ttl, 0xff,
- ipf->fri_ip.fi_ttl);
- in++;
- }
- break;
- case FRC_TOS :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_tos");
- printeq(fp, "fin->fin_tos",
- ipf->fri_mip.fi_tos, 0xff,
- ipf->fri_ip.fi_tos);
- in++;
- }
- break;
- case FRC_TCP :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_tcpf", fr->fr_tcpfm,
- 0xff, fr->fr_tcpf);
- in++;
- }
- break;
- case FRC_SP :
- if (!m[i].s)
- break;
- if (fr->fr_scmp == FR_INRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[0] > %d) && ",
- fr->fr_sport);
- fprintf(fp, "(fin->fin_data[0] < %d)",
- fr->fr_stop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_scmp == FR_OUTRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[0] < %d) || ",
- fr->fr_sport);
- fprintf(fp, "(fin->fin_data[0] > %d)",
- fr->fr_stop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_scmp) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_data[0] %s %d)",
- portcmp[fr->fr_scmp], fr->fr_sport);
- fprintf(fp, " {\n");
- in++;
- }
- break;
- case FRC_DP :
- if (!m[i].s)
- break;
- if (fr->fr_dcmp == FR_INRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[1] > %d) && ",
- fr->fr_dport);
- fprintf(fp, "(fin->fin_data[1] < %d)",
- fr->fr_dtop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_dcmp == FR_OUTRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[1] < %d) || ",
- fr->fr_dport);
- fprintf(fp, "(fin->fin_data[1] > %d)",
- fr->fr_dtop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_dcmp) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_data[1] %s %d)",
- portcmp[fr->fr_dcmp], fr->fr_dport);
- fprintf(fp, " {\n");
- in++;
- }
- break;
- case FRC_SRC :
- if (!m[i].s)
- break;
- if (fr->fr_satype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_smask != 0) ||
- (fr->fr_flags & FR_NOTSRCIP) != 0) {
- indent(fp, in);
- fprintf(fp, "if (");
- printipeq(fp, "src",
- fr->fr_flags & FR_NOTSRCIP,
- fr->fr_smask, fr->fr_saddr);
- in++;
- }
- break;
- case FRC_DST :
- if (!m[i].s)
- break;
- if (fr->fr_datype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_dmask != 0) ||
- (fr->fr_flags & FR_NOTDSTIP) != 0) {
- indent(fp, in);
- fprintf(fp, "if (");
- printipeq(fp, "dst",
- fr->fr_flags & FR_NOTDSTIP,
- fr->fr_dmask, fr->fr_daddr);
- in++;
- }
- break;
- case FRC_OPT :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_fi.fi_optmsk",
- fr->fr_optmask, 0xffffffff,
- fr->fr_optbits);
- in++;
- }
- break;
- case FRC_SEC :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_fi.fi_secmsk",
- fr->fr_secmask, 0xffff,
- fr->fr_secbits);
- in++;
- }
- break;
- case FRC_ATH :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_fi.fi_authmsk",
- fr->fr_authmask, 0xffff,
- fr->fr_authbits);
- in++;
- }
- break;
- case FRC_ICT :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_data[0]",
- fr->fr_icmpm & 0xff00, 0xffff,
- fr->fr_icmp & 0xff00);
- in++;
- }
- break;
- case FRC_ICC :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_data[0]",
- fr->fr_icmpm & 0xff, 0xffff,
- fr->fr_icmp & 0xff);
- in++;
- }
- break;
- }
-
- }
-
- indent(fp, in);
- if (fr->fr_flags & FR_QUICK) {
- fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n",
- fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
- } else {
- fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n",
- fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
- }
- if (n == NULL)
- n = (mc_t *)malloc(sizeof(*n) * FRC_MAX);
- bcopy((char *)m, (char *)n, sizeof(*n) * FRC_MAX);
- sin = in;
-}
-
-
-void printC(dir)
-int dir;
-{
- static mc_t *m = NULL;
- frgroup_t *g;
-
- if (m == NULL)
- m = (mc_t *)calloc(1, sizeof(*m) * FRC_MAX);
-
- for (g = groups; g != NULL; g = g->fg_next) {
- if ((dir == 0) && ((g->fg_flags & FR_INQUE) != 0))
- printCgroup(dir, g->fg_start, m, g->fg_name);
- if ((dir == 1) && ((g->fg_flags & FR_OUTQUE) != 0))
- printCgroup(dir, g->fg_start, m, g->fg_name);
- }
-
- emit(-1, dir, m, NULL);
-}
-
-
-/*
- * Now print out code to implement all of the rules.
- */
-static void printCgroup(dir, top, m, group)
-int dir;
-frentry_t *top;
-mc_t *m;
-char *group;
-{
- frentry_t *fr, *fr1;
- int i, n, rn;
- u_int count;
-
- for (count = 0, fr1 = top; fr1 != NULL; fr1 = fr1->fr_next) {
- if ((dir == 0) && ((fr1->fr_flags & FR_INQUE) != 0))
- count++;
- else if ((dir == 1) && ((fr1->fr_flags & FR_OUTQUE) != 0))
- count++;
- }
-
- if (dir == 0)
- emitGroup(-2, dir, m, fr1, group, count, 0);
- else if (dir == 1)
- emitGroup(-2, dir, m, fr1, group, 0, count);
-
- /*
- * Before printing each rule, check to see how many of its fields are
- * matched by subsequent rules.
- */
- for (fr1 = top, rn = 0; fr1 != NULL; fr1 = fr1->fr_next, rn++) {
- if (!dir && !(fr1->fr_flags & FR_INQUE))
- continue;
- if (dir && !(fr1->fr_flags & FR_OUTQUE))
- continue;
- n = 0xfffffff;
-
- for (i = 0; i < FRC_MAX; i++)
- m[i].e = 0;
- qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
-
- for (i = 0; i < FRC_MAX; i++) {
- m[i].c = i;
- m[i].e = 0;
- m[i].n = 0;
- m[i].s = 0;
- }
-
- for (fr = fr1->fr_next; fr; fr = fr->fr_next) {
- if (!dir && !(fr->fr_flags & FR_INQUE))
- continue;
- if (dir && !(fr->fr_flags & FR_OUTQUE))
- continue;
-
- if ((n & 0x0001) &&
- !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
- m[FRC_IFN].e++;
- m[FRC_IFN].n++;
- } else
- n &= ~0x0001;
-
- if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
- m[FRC_V].e++;
- m[FRC_V].n++;
- } else
- n &= ~0x0002;
-
- if ((n & 0x0004) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_mip.fi_flx == fr->fr_mip.fi_flx) &&
- (fr1->fr_ip.fi_flx == fr->fr_ip.fi_flx)) {
- m[FRC_FL].e++;
- m[FRC_FL].n++;
- } else
- n &= ~0x0004;
-
- if ((n & 0x0008) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_proto == fr->fr_proto)) {
- m[FRC_P].e++;
- m[FRC_P].n++;
- } else
- n &= ~0x0008;
-
- if ((n & 0x0010) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_ttl == fr->fr_ttl)) {
- m[FRC_TTL].e++;
- m[FRC_TTL].n++;
- } else
- n &= ~0x0010;
-
- if ((n & 0x0020) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_tos == fr->fr_tos)) {
- m[FRC_TOS].e++;
- m[FRC_TOS].n++;
- } else
- n &= ~0x0020;
-
- if ((n & 0x0040) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_tcpfm == fr->fr_tcpfm) &&
- (fr1->fr_tcpf == fr->fr_tcpf))) {
- m[FRC_TCP].e++;
- m[FRC_TCP].n++;
- } else
- n &= ~0x0040;
-
- if ((n & 0x0080) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_scmp == fr->fr_scmp) &&
- (fr1->fr_stop == fr->fr_stop) &&
- (fr1->fr_sport == fr->fr_sport))) {
- m[FRC_SP].e++;
- m[FRC_SP].n++;
- } else
- n &= ~0x0080;
-
- if ((n & 0x0100) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_dcmp == fr->fr_dcmp) &&
- (fr1->fr_dtop == fr->fr_dtop) &&
- (fr1->fr_dport == fr->fr_dport))) {
- m[FRC_DP].e++;
- m[FRC_DP].n++;
- } else
- n &= ~0x0100;
-
- if ((n & 0x0200) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_satype == FRI_LOOKUP) &&
- (fr->fr_satype == FRI_LOOKUP) &&
- (fr1->fr_srcnum == fr->fr_srcnum))) {
- m[FRC_SRC].e++;
- m[FRC_SRC].n++;
- } else if ((n & 0x0200) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (((fr1->fr_flags & FR_NOTSRCIP) ==
- (fr->fr_flags & FR_NOTSRCIP)))) {
- if ((fr1->fr_smask == fr->fr_smask) &&
- (fr1->fr_saddr == fr->fr_saddr))
- m[FRC_SRC].e++;
- else
- n &= ~0x0200;
- if (fr1->fr_smask &&
- (fr1->fr_saddr & fr1->fr_smask) ==
- (fr->fr_saddr & fr1->fr_smask)) {
- m[FRC_SRC].n++;
- n |= 0x0200;
- }
- } else {
- n &= ~0x0200;
- }
-
- if ((n & 0x0400) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_datype == FRI_LOOKUP) &&
- (fr->fr_datype == FRI_LOOKUP) &&
- (fr1->fr_dstnum == fr->fr_dstnum))) {
- m[FRC_DST].e++;
- m[FRC_DST].n++;
- } else if ((n & 0x0400) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (((fr1->fr_flags & FR_NOTDSTIP) ==
- (fr->fr_flags & FR_NOTDSTIP)))) {
- if ((fr1->fr_dmask == fr->fr_dmask) &&
- (fr1->fr_daddr == fr->fr_daddr))
- m[FRC_DST].e++;
- else
- n &= ~0x0400;
- if (fr1->fr_dmask &&
- (fr1->fr_daddr & fr1->fr_dmask) ==
- (fr->fr_daddr & fr1->fr_dmask)) {
- m[FRC_DST].n++;
- n |= 0x0400;
- }
- } else {
- n &= ~0x0400;
- }
-
- if ((n & 0x0800) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_optmask == fr->fr_optmask) &&
- (fr1->fr_optbits == fr->fr_optbits)) {
- m[FRC_OPT].e++;
- m[FRC_OPT].n++;
- } else
- n &= ~0x0800;
-
- if ((n & 0x1000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_secmask == fr->fr_secmask) &&
- (fr1->fr_secbits == fr->fr_secbits)) {
- m[FRC_SEC].e++;
- m[FRC_SEC].n++;
- } else
- n &= ~0x1000;
-
- if ((n & 0x10000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_authmask == fr->fr_authmask) &&
- (fr1->fr_authbits == fr->fr_authbits)) {
- m[FRC_ATH].e++;
- m[FRC_ATH].n++;
- } else
- n &= ~0x10000;
-
- if ((n & 0x20000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_icmpm & 0xff00) ==
- (fr->fr_icmpm & 0xff00)) &&
- ((fr1->fr_icmp & 0xff00) ==
- (fr->fr_icmp & 0xff00))) {
- m[FRC_ICT].e++;
- m[FRC_ICT].n++;
- } else
- n &= ~0x20000;
-
- if ((n & 0x40000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_icmpm & 0xff) == (fr->fr_icmpm & 0xff)) &&
- ((fr1->fr_icmp & 0xff) == (fr->fr_icmp & 0xff))) {
- m[FRC_ICC].e++;
- m[FRC_ICC].n++;
- } else
- n &= ~0x40000;
- }
- /*msort(m);*/
-
- if (dir == 0)
- emitGroup(rn, dir, m, fr1, group, count, 0);
- else if (dir == 1)
- emitGroup(rn, dir, m, fr1, group, 0, count);
- }
-}
-
-static void printhooks(fp, in, out, grp)
-FILE *fp;
-int in;
-int out;
-frgroup_t *grp;
-{
- frentry_t *fr;
- char *group;
- int dogrp, i;
- char *instr;
-
- group = grp->fg_name;
- dogrp = *group ? 1 : 0;
-
- if (in && out) {
- fprintf(stderr,
- "printhooks called with both in and out set\n");
- exit(1);
- }
-
- if (in) {
- instr = "in";
- } else if (out) {
- instr = "out";
- } else {
- instr = "???";
- }
- fprintf(fp, "static frentry_t ipfrule_%s_%s;\n", instr, group);
-
- fprintf(fp, "\
-\n\
-int ipfrule_add_%s_%s()\n", instr, group);
- fprintf(fp, "\
-{\n\
- int i, j, err = 0, max;\n\
- frentry_t *fp;\n");
-
- if (dogrp)
- fprintf(fp, "\
- frgroup_t *fg;\n");
-
- fprintf(fp, "\n");
-
- for (i = 0, fr = grp->fg_start; fr != NULL; i++, fr = fr->fr_next)
- if (fr->fr_dsize > 0) {
- fprintf(fp, "\
- ipf_rules_%s_%s[%d]->fr_data = &ipf%s_rule_data_%s_%u;\n",
- instr, grp->fg_name, i,
- instr, grp->fg_name, i);
- }
- fprintf(fp, "\
- max = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *);\n\
- for (i = 0; i < max; i++) {\n\
- fp = ipf_rules_%s_%s[i];\n\
- fp->fr_next = NULL;\n", instr, group, instr, group);
-
- fprintf(fp, "\
- for (j = i + 1; j < max; j++)\n\
- if (strncmp(fp->fr_group,\n\
- ipf_rules_%s_%s[j]->fr_group,\n\
- FR_GROUPLEN) == 0) {\n\
- fp->fr_next = ipf_rules_%s_%s[j];\n\
- break;\n\
- }\n", instr, group, instr, group);
- if (dogrp)
- fprintf(fp, "\
-\n\
- if (fp->fr_grhead != 0) {\n\
- fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
- IPL_LOGIPF, 0);\n\
- if (fg != NULL)\n\
- fp->fr_grp = &fg->fg_start;\n\
- }\n");
- fprintf(fp, "\
- }\n\
-\n\
- fp = &ipfrule_%s_%s;\n", instr, group);
- fprintf(fp, "\
- bzero((char *)fp, sizeof(*fp));\n\
- fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
- fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
- fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
- (in != 0) ? "IN" : "OUT", instr, group);
- fprintf(fp, "\
- fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n",
- instr, group);
-
- fprintf(fp, "\
- fp->fr_v = 4;\n\
- fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
- err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
- instr, group);
- fprintf(fp, "\treturn err;\n}\n");
-
- fprintf(fp, "\n\n\
-int ipfrule_remove_%s_%s()\n", instr, group);
- fprintf(fp, "\
-{\n\
- int err = 0, i;\n\
- frentry_t *fp;\n\
-\n\
- /*\n\
- * Try to remove the %sbound rule.\n", instr);
-
- fprintf(fp, "\
- */\n\
- if (ipfrule_%s_%s.fr_ref > 0) {\n", instr, group);
-
- fprintf(fp, "\
- err = EBUSY;\n\
- } else {\n");
-
- fprintf(fp, "\
- i = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *) - 1;\n\
- for (; i >= 0; i--) {\n\
- fp = ipf_rules_%s_%s[i];\n\
- if (fp->fr_ref > 1) {\n\
- err = EBUSY;\n\
- break;\n\
- }\n\
- }\n\
- }\n\
- if (err == 0)\n\
- err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
- (caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
- instr, group, instr, group, instr, group);
- fprintf(fp, "\
- if (err)\n\
- return err;\n\
-\n\n");
-
- fprintf(fp, "\treturn err;\n}\n");
-}
diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c
deleted file mode 100644
index 3acb5d4..0000000
--- a/contrib/ipfilter/tools/ipfs.c
+++ /dev/null
@@ -1,890 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ipf.h"
-#include "netinet/ipl.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp";
-#endif
-
-#ifndef IPF_SAVEDIR
-# define IPF_SAVEDIR "/var/db/ipf"
-#endif
-#ifndef IPF_NATFILE
-# define IPF_NATFILE "ipnat.ipf"
-#endif
-#ifndef IPF_STATEFILE
-# define IPF_STATEFILE "ipstate.ipf"
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-
-int main __P((int, char *[]));
-void usage __P((void));
-int changestateif __P((char *, char *));
-int changenatif __P((char *, char *));
-int readstate __P((int, char *));
-int readnat __P((int, char *));
-int writestate __P((int, char *));
-int opendevice __P((char *));
-void closedevice __P((int));
-int setlock __P((int, int));
-int writeall __P((char *));
-int readall __P((char *));
-int writenat __P((int, char *));
-
-int opts = 0;
-char *progname;
-
-
-void usage()
-{
- fprintf(stderr, "usage: %s [-nv] -l\n", progname);
- fprintf(stderr, "usage: %s [-nv] -u\n", progname);
- fprintf(stderr, "usage: %s [-nv] [-d <dir>] -R\n", progname);
- fprintf(stderr, "usage: %s [-nv] [-d <dir>] -W\n", progname);
- fprintf(stderr, "usage: %s [-nNSv] [-f <file>] -r\n", progname);
- fprintf(stderr, "usage: %s [-nNSv] [-f <file>] -w\n", progname);
- fprintf(stderr, "usage: %s [-nNSv] -f <filename> -i <if1>,<if2>\n",
- progname);
- exit(1);
-}
-
-
-/*
- * Change interface names in state information saved out to disk.
- */
-int changestateif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- ipstate_save_t ips;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- if (nlen >= sizeof(ips.ips_is.is_ifname) ||
- olen >= sizeof(ips.ips_is.is_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) {
- rw = 0;
- if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[0], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[1], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[2], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[2], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[3], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[3], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-/*
- * Change interface names in NAT information saved out to disk.
- */
-int changenatif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- nat_save_t ipn;
- nat_t *nat;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- nat = &ipn.ipn_nat;
- if (nlen >= sizeof(nat->nat_ifnames[0]) ||
- olen >= sizeof(nat->nat_ifnames[0]))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) {
- rw = 0;
- if (!strncmp(nat->nat_ifnames[0], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[0], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[1], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[1], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[2], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[3], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
- char *dirname = NULL, *filename = NULL, *ifs = NULL;
-
- progname = argv[0];
- while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
- switch (c)
- {
- case 'd' :
- if ((set == 0) && !dirname && !filename)
- dirname = optarg;
- else
- usage();
- break;
- case 'f' :
- if ((set != 0) && !dirname && !filename)
- filename = optarg;
- else
- usage();
- break;
- case 'i' :
- ifs = optarg;
- set = 1;
- break;
- case 'l' :
- if (filename || dirname || set)
- usage();
- lock = 1;
- set = 1;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'N' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 0;
- set = 1;
- break;
- case 'r' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 0;
- set = 1;
- break;
- case 'R' :
- rw = 2;
- set = 1;
- break;
- case 'S' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 1;
- set = 1;
- break;
- case 'u' :
- if (filename || dirname || set)
- usage();
- lock = 0;
- set = 1;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 1;
- set = 1;
- break;
- case 'W' :
- rw = 3;
- set = 1;
- break;
- case '?' :
- default :
- usage();
- }
-
- if (ifs) {
- if (!filename || ns < 0)
- usage();
- if (ns == 0)
- return changenatif(ifs, filename);
- else
- return changestateif(ifs, filename);
- }
-
- if ((ns >= 0) || (lock >= 0)) {
- if (lock >= 0)
- devfd = opendevice(NULL);
- else if (ns >= 0) {
- if (ns == 1)
- devfd = opendevice(IPSTATE_NAME);
- else if (ns == 0)
- devfd = opendevice(IPNAT_NAME);
- }
- if (devfd == -1)
- exit(1);
- }
-
- if (lock >= 0)
- err = setlock(devfd, lock);
- else if (rw >= 0) {
- if (rw & 1) { /* WRITE */
- if (rw & 2)
- err = writeall(dirname);
- else {
- if (ns == 0)
- err = writenat(devfd, filename);
- else if (ns == 1)
- err = writestate(devfd, filename);
- }
- } else {
- if (rw & 2)
- err = readall(dirname);
- else {
- if (ns == 0)
- err = readnat(devfd, filename);
- else if (ns == 1)
- err = readstate(devfd, filename);
- }
- }
- }
- return err;
-}
-
-
-int opendevice(ipfdev)
-char *ipfdev;
-{
- int fd = -1;
-
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (!ipfdev)
- ipfdev = IPL_NAME;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-void closedevice(fd)
-int fd;
-{
- close(fd);
-}
-
-
-int setlock(fd, lock)
-int fd, lock;
-{
- if (opts & OPT_VERBOSE)
- printf("Turn lock %s\n", lock ? "on" : "off");
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSTLCK, &lock) == -1) {
- perror("SIOCSTLCK");
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Lock now %s\n", lock ? "on" : "off");
- }
- return 0;
-}
-
-
-int writestate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *ipsp;
- ipfobj_t obj;
- int wfd = -1;
-
- if (!file)
- file = IPF_STATEFILE;
-
- wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (wfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("state:open");
- return 1;
- }
-
- ipsp = &ips;
- bzero((char *)&obj, sizeof(obj));
- bzero((char *)ipsp, sizeof(ips));
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipsp);
- obj.ipfo_type = IPFOBJ_STATESAVE;
- obj.ipfo_ptr = ipsp;
-
- do {
-
- if (opts & OPT_VERBOSE)
- printf("Getting state from addr %p\n", ips.ips_next);
- if (ioctl(fd, SIOCSTGET, &obj)) {
- if (errno == ENOENT)
- break;
- perror("state:SIOCSTGET");
- close(wfd);
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Got state next %p\n", ips.ips_next);
- if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) {
- perror("state:write");
- close(wfd);
- return 1;
- }
- } while (ips.ips_next != NULL);
- close(wfd);
-
- return 0;
-}
-
-
-int readstate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
- int sfd = -1, i;
- ipfobj_t obj;
-
- if (!file)
- file = IPF_STATEFILE;
-
- sfd = open(file, O_RDONLY, 0600);
- if (sfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("open");
- return 1;
- }
-
- bzero((char *)&ips, sizeof(ips));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(sfd, &ips, sizeof(ips));
- if (i == -1) {
- perror("read");
- goto freeipshead;
- }
- if (i == 0)
- break;
- if (i != sizeof(ips)) {
- fprintf(stderr, "state:incomplete read: %d != %d\n",
- i, (int)sizeof(ips));
- goto freeipshead;
- }
- is = (ipstate_save_t *)malloc(sizeof(*is));
- if (is == NULL) {
- fprintf(stderr, "malloc failed\n");
- goto freeipshead;
- }
-
- bcopy((char *)&ips, (char *)is, sizeof(ips));
-
- /*
- * Check to see if this is the first state entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next)
- if (is1->ips_rule == is->ips_rule)
- break;
- if (is1 == NULL)
- is->ips_is.is_flags |= SI_NEWFR;
- else
- is->ips_rule = (void *)&is1->ips_rule;
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- is->ips_next = NULL;
- if (!ipshead)
- ipshead = is;
- if (ipstail)
- ipstail->ips_next = is;
- ipstail = is;
- } while (1);
-
- close(sfd);
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*is);
- obj.ipfo_type = IPFOBJ_STATESAVE;
-
- while ((is = ipshead) != NULL) {
- if (opts & OPT_VERBOSE)
- printf("Loading new state table entry\n");
- if (is->ips_is.is_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
-
- obj.ipfo_ptr = is;
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &obj)) {
- perror("SIOCSTPUT");
- goto freeipshead;
- }
-
- if (is->ips_is.is_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", is->ips_rule);
- for (is1 = is->ips_next; is1; is1 = is1->ips_next)
- if (is1->ips_rule == (frentry_t *)&is->ips_rule)
- is1->ips_rule = is->ips_rule;
- }
-
- ipshead = is->ips_next;
- free(is);
- }
-
- return 0;
-
-freeipshead:
- while ((is = ipshead) != NULL) {
- ipshead = is->ips_next;
- free(is);
- }
- if (sfd != -1)
- close(sfd);
- return 1;
-}
-
-
-int readnat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL;
- ipfobj_t obj;
- int nfd, i;
- nat_t *nat;
- char *s;
- int n;
-
- nfd = -1;
- in = NULL;
- ipnhead = NULL;
- ipntail = NULL;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_RDONLY);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(nfd, &ipn, sizeof(ipn));
- if (i == -1) {
- perror("read");
- goto freenathead;
- }
- if (i == 0)
- break;
- if (i != sizeof(ipn)) {
- fprintf(stderr, "nat:incomplete read: %d != %d\n",
- i, (int)sizeof(ipn));
- goto freenathead;
- }
-
- in = (nat_save_t *)malloc(ipn.ipn_dsize);
- if (in == NULL) {
- fprintf(stderr, "nat:cannot malloc nat save atruct\n");
- goto freenathead;
- }
-
- if (ipn.ipn_dsize > sizeof(ipn)) {
- n = ipn.ipn_dsize - sizeof(ipn);
- if (n > 0) {
- s = in->ipn_data + sizeof(in->ipn_data);
- i = read(nfd, s, n);
- if (i == 0)
- break;
- if (i != n) {
- fprintf(stderr,
- "nat:incomplete read: %d != %d\n",
- i, n);
- goto freenathead;
- }
- }
- }
- bcopy((char *)&ipn, (char *)in, sizeof(ipn));
-
- /*
- * Check to see if this is the first NAT entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- nat = &in->ipn_nat;
- if (nat->nat_fr != NULL) {
- for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next)
- if (in1->ipn_rule == nat->nat_fr)
- break;
- if (in1 == NULL)
- nat->nat_flags |= SI_NEWFR;
- else
- nat->nat_fr = &in1->ipn_fr;
- }
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- in->ipn_next = NULL;
- if (!ipnhead)
- ipnhead = in;
- if (ipntail)
- ipntail->ipn_next = in;
- ipntail = in;
- } while (1);
-
- close(nfd);
- nfd = -1;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_NATSAVE;
-
- while ((in = ipnhead) != NULL) {
- if (opts & OPT_VERBOSE)
- printf("Loading new NAT table entry\n");
- nat = &in->ipn_nat;
- if (nat->nat_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
-
- obj.ipfo_ptr = in;
- obj.ipfo_size = in->ipn_dsize;
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &obj)) {
- fprintf(stderr, "in=%p:", in);
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (nat->nat_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", nat->nat_fr);
- for (in1 = in->ipn_next; in1; in1 = in1->ipn_next)
- if (in1->ipn_rule == &in->ipn_fr)
- in1->ipn_rule = nat->nat_fr;
- }
-
- ipnhead = in->ipn_next;
- free(in);
- }
-
- return 0;
-
-freenathead:
- while ((in = ipnhead) != NULL) {
- ipnhead = in->ipn_next;
- free(in);
- }
- if (nfd != -1)
- close(nfd);
- return 1;
-}
-
-
-int writenat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t *ipnp = NULL, *next = NULL;
- ipfobj_t obj;
- int nfd = -1;
- natget_t ng;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_NATSAVE;
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting nat from addr %p\n", ipnp);
- ng.ng_ptr = next;
- ng.ng_sz = 0;
- if (ioctl(fd, SIOCSTGSZ, &ng)) {
- perror("nat:SIOCSTGSZ");
- close(nfd);
- if (ipnp != NULL)
- free(ipnp);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr);
-
- if (ng.ng_sz == 0)
- break;
-
- if (!ipnp)
- ipnp = malloc(ng.ng_sz);
- else
- ipnp = realloc((char *)ipnp, ng.ng_sz);
- if (!ipnp) {
- fprintf(stderr,
- "malloc for %d bytes failed\n", ng.ng_sz);
- break;
- }
-
- bzero((char *)ipnp, ng.ng_sz);
- obj.ipfo_size = ng.ng_sz;
- obj.ipfo_ptr = ipnp;
- ipnp->ipn_dsize = ng.ng_sz;
- ipnp->ipn_next = next;
- if (ioctl(fd, SIOCSTGET, &obj)) {
- if (errno == ENOENT)
- break;
- perror("nat:SIOCSTGET");
- close(nfd);
- free(ipnp);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("Got nat next %p ipn_dsize %d ng_sz %d\n",
- ipnp->ipn_next, ipnp->ipn_dsize, ng.ng_sz);
- if (write(nfd, ipnp, ipnp->ipn_dsize) != ipnp->ipn_dsize) {
- perror("nat:write");
- close(nfd);
- free(ipnp);
- return 1;
- }
- next = ipnp->ipn_next;
- } while (ipnp && next);
- if (ipnp != NULL)
- free(ipnp);
- close(nfd);
-
- return 0;
-}
-
-
-int writeall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname);
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPSTATE_NAME);
- if (devfd == -1)
- goto bad;
- if (writestate(devfd, NULL))
- goto bad;
- close(devfd);
-
- devfd = opendevice(IPNAT_NAME);
- if (devfd == -1)
- goto bad;
- if (writenat(devfd, NULL))
- goto bad;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- close(fd);
- return 0;
-
-bad:
- setlock(fd, 0);
- close(fd);
- return 1;
-}
-
-
-int readall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPSTATE_NAME);
- if (devfd == -1)
- return 1;
- if (readstate(devfd, NULL))
- return 1;
- close(devfd);
-
- devfd = opendevice(IPNAT_NAME);
- if (devfd == -1)
- return 1;
- if (readnat(devfd, NULL))
- return 1;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
deleted file mode 100644
index e28fe4c..0000000
--- a/contrib/ipfilter/tools/ipfstat.c
+++ /dev/null
@@ -1,2112 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <sys/ioctl.h>
-#include <fcntl.h>
-#ifdef linux
-# include <linux/a.out.h>
-#else
-# include <nlist.h>
-#endif
-#include <ctype.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <stddef.h>
-#endif
-#include "ipf.h"
-#include "netinet/ipl.h"
-#if defined(STATETOP)
-# if defined(_BSDI_VERSION)
-# undef STATETOP
-# endif
-# if defined(__FreeBSD__) && \
- (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
-# undef STATETOP
-# endif
-# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
-# undef STATETOP
-# endif
-# if defined(sun)
-# if defined(__svr4__) || defined(__SVR4)
-# include <sys/select.h>
-# else
-# undef STATETOP /* NOT supported on SunOS4 */
-# endif
-# endif
-#endif
-#if defined(STATETOP) && !defined(linux)
-# include <netinet/ip_var.h>
-# include <netinet/tcp_fsm.h>
-#endif
-#ifdef STATETOP
-# include <ctype.h>
-# include <signal.h>
-# include <time.h>
-# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
- defined(__sgi)
-# ifdef ERR
-# undef ERR
-# endif
-# include <curses.h>
-# else /* SOLARIS */
-# include <ncurses.h>
-# endif /* SOLARIS */
-#endif /* STATETOP */
-#include "kmem.h"
-#if defined(__NetBSD__) || (__OpenBSD__)
-# include <paths.h>
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $";
-#endif
-
-#ifdef __hpux
-# define nlist nlist64
-#endif
-
-extern char *optarg;
-extern int optind;
-extern int opterr;
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
- "ipacct(in)", "ipacct(out)" };
-static int state_logging = -1;
-
-int opts = 0;
-int use_inet6 = 0;
-int live_kernel = 1;
-int state_fd = -1;
-int ipf_fd = -1;
-int auth_fd = -1;
-int nat_fd = -1;
-frgroup_t *grtop = NULL;
-frgroup_t *grtail = NULL;
-
-#ifdef STATETOP
-#define STSTRSIZE 80
-#define STGROWSIZE 16
-#define HOSTNMLEN 40
-
-#define STSORT_PR 0
-#define STSORT_PKTS 1
-#define STSORT_BYTES 2
-#define STSORT_TTL 3
-#define STSORT_SRCIP 4
-#define STSORT_SRCPT 5
-#define STSORT_DSTIP 6
-#define STSORT_DSTPT 7
-#define STSORT_MAX STSORT_DSTPT
-#define STSORT_DEFAULT STSORT_BYTES
-
-
-typedef struct statetop {
- i6addr_t st_src;
- i6addr_t st_dst;
- u_short st_sport;
- u_short st_dport;
- u_char st_p;
- u_char st_v;
- u_char st_state[2];
- U_QUAD_T st_pkts;
- U_QUAD_T st_bytes;
- u_long st_age;
-} statetop_t;
-#endif
-
-int main __P((int, char *[]));
-
-static int fetchfrag __P((int, int, ipfr_t *));
-static void showstats __P((friostat_t *, u_32_t));
-static void showfrstates __P((ipfrstat_t *, u_long));
-static void showlist __P((friostat_t *));
-static void showipstates __P((ips_stat_t *));
-static void showauthstates __P((fr_authstat_t *));
-static void showgroups __P((friostat_t *));
-static void usage __P((char *));
-static void showtqtable_live __P((int));
-static void printlivelist __P((int, int, frentry_t *, char *, char *));
-static void printdeadlist __P((int, int, frentry_t *, char *, char *));
-static void parse_ipportstr __P((const char *, i6addr_t *, int *));
-static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
-#ifdef STATETOP
-static void topipstates __P((i6addr_t, i6addr_t, int, int, int,
- int, int, int));
-static void sig_break __P((int));
-static void sig_resize __P((int));
-static char *getip __P((int, i6addr_t *));
-static char *ttl_to_string __P((long));
-static int sort_p __P((const void *, const void *));
-static int sort_pkts __P((const void *, const void *));
-static int sort_bytes __P((const void *, const void *));
-static int sort_ttl __P((const void *, const void *));
-static int sort_srcip __P((const void *, const void *));
-static int sort_srcpt __P((const void *, const void *));
-static int sort_dstip __P((const void *, const void *));
-static int sort_dstpt __P((const void *, const void *));
-#endif
-
-
-static void usage(name)
-char *name;
-{
-#ifdef USE_INET6
- fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name);
-#else
- fprintf(stderr, "Usage: %s [-aAdfghIilnoRsv]\n", name);
-#endif
- fprintf(stderr, " %s [-M corefile] [-N symbol-list]\n", name);
-#ifdef USE_INET6
- fprintf(stderr, " %s -t [-6C] ", name);
-#else
- fprintf(stderr, " %s -t [-C] ", name);
-#endif
- fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
- friostat_t fio;
- friostat_t *fiop = &fio;
- ips_stat_t ipsst;
- ips_stat_t *ipsstp = &ipsst;
- ipfrstat_t ifrst;
- ipfrstat_t *ifrstp = &ifrst;
- char *memf = NULL;
- char *options, *kern = NULL;
- int c, myoptind;
-
- int protocol = -1; /* -1 = wild card for any protocol */
- int refreshtime = 1; /* default update time */
- int sport = -1; /* -1 = wild card for any source port */
- int dport = -1; /* -1 = wild card for any dest port */
- int topclosed = 0; /* do not show closed tcp sessions */
- i6addr_t saddr, daddr;
- u_32_t frf;
-
-#ifdef USE_INET6
- options = "6aACdfghIilnostvD:M:N:P:RS:T:";
-#else
- options = "aACdfghIilnostvD:M:N:P:RS:T:";
-#endif
-
- saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
- daddr.in4.s_addr = INADDR_ANY; /* default any v4 dest addr */
-#ifdef USE_INET6
- saddr.in6 = in6addr_any; /* default any v6 source addr */
- daddr.in6 = in6addr_any; /* default any v6 dest addr */
-#endif
-
- /* Don't warn about invalid flags when we run getopt for the 1st time */
- opterr = 0;
-
- /*
- * Parse these two arguments now lest there be any buffer overflows
- * in the parsing of the rest.
- */
- myoptind = optind;
- while ((c = getopt(argc, argv, options)) != -1) {
- switch (c)
- {
- case 'M' :
- memf = optarg;
- live_kernel = 0;
- break;
- case 'N' :
- kern = optarg;
- live_kernel = 0;
- break;
- }
- }
- optind = myoptind;
-
- if (live_kernel == 1) {
- if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) {
- perror("open(IPSTATE_NAME)");
- exit(-1);
- }
- if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) {
- perror("open(IPAUTH_NAME)");
- exit(-1);
- }
- if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
- perror("open(IPAUTH_NAME)");
- exit(-1);
- }
- if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) {
- fprintf(stderr, "open(%s)", IPL_NAME);
- perror("");
- exit(-1);
- }
- }
-
- if (kern != NULL || memf != NULL) {
- (void)setgid(getgid());
- (void)setuid(getuid());
- }
-
- if (live_kernel == 1) {
- (void) checkrev(IPL_NAME);
- } else {
- if (openkmem(kern, memf) == -1)
- exit(-1);
- }
-
- (void)setgid(getgid());
- (void)setuid(getuid());
-
- opterr = 1;
-
- while ((c = getopt(argc, argv, options)) != -1)
- {
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'a' :
- opts |= OPT_ACCNT|OPT_SHOWLIST;
- break;
- case 'A' :
- opts |= OPT_AUTHSTATS;
- break;
- case 'C' :
- topclosed = 1;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'D' :
- parse_ipportstr(optarg, &daddr, &dport);
- break;
- case 'f' :
- opts |= OPT_FRSTATES;
- break;
- case 'g' :
- opts |= OPT_GROUPS;
- break;
- case 'h' :
- opts |= OPT_HITS;
- break;
- case 'i' :
- opts |= OPT_INQUE|OPT_SHOWLIST;
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'M' :
- break;
- case 'N' :
- break;
- case 'n' :
- opts |= OPT_SHOWLINENO;
- break;
- case 'o' :
- opts |= OPT_OUTQUE|OPT_SHOWLIST;
- break;
- case 'P' :
- protocol = getproto(optarg);
- if (protocol == -1) {
- fprintf(stderr, "%s: Invalid protocol: %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 's' :
- opts |= OPT_IPSTATES;
- break;
- case 'S' :
- parse_ipportstr(optarg, &saddr, &sport);
- break;
- case 't' :
-#ifdef STATETOP
- opts |= OPT_STATETOP;
- break;
-#else
- fprintf(stderr,
- "%s: state top facility not compiled in\n",
- argv[0]);
- exit(-2);
-#endif
- case 'T' :
- if (!sscanf(optarg, "%d", &refreshtime) ||
- (refreshtime <= 0)) {
- fprintf(stderr,
- "%s: Invalid refreshtime < 1 : %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- usage(argv[0]);
- break;
- }
- }
-
- if (live_kernel == 1) {
- bzero((char *)&fio, sizeof(fio));
- bzero((char *)&ipsst, sizeof(ipsst));
- bzero((char *)&ifrst, sizeof(ifrst));
-
- ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
- &frauthstp, &frf);
- } else
- ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
-
- if (opts & OPT_IPSTATES) {
- showipstates(ipsstp);
- } else if (opts & OPT_SHOWLIST) {
- showlist(fiop);
- if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
- opts &= ~OPT_OUTQUE;
- showlist(fiop);
- }
- } else if (opts & OPT_FRSTATES)
- showfrstates(ifrstp, fiop->f_ticks);
-#ifdef STATETOP
- else if (opts & OPT_STATETOP)
- topipstates(saddr, daddr, sport, dport, protocol,
- use_inet6 ? 6 : 4, refreshtime, topclosed);
-#endif
- else if (opts & OPT_AUTHSTATS)
- showauthstates(frauthstp);
- else if (opts & OPT_GROUPS)
- showgroups(fiop);
- else
- showstats(fiop, frf);
-
- return 0;
-}
-
-
-/*
- * Fill in the stats structures from the live kernel, using a combination
- * of ioctl's and copying directly from kernel memory.
- */
-static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *device;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
- ipfobj_t ipfo;
-
- if (checkrev(device) == -1) {
- fprintf(stderr, "User/kernel version check failed\n");
- exit(1);
- }
-
- if ((opts & OPT_AUTHSTATS) == 0) {
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
- ipfo.ipfo_size = sizeof(friostat_t);
- ipfo.ipfo_ptr = (void *)*fiopp;
-
- if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
- exit(-1);
- }
-
- if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
- perror("ioctl(SIOCGETFF)");
- }
-
- if ((opts & OPT_IPSTATES) != 0) {
-
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_STATESTAT;
- ipfo.ipfo_size = sizeof(ips_stat_t);
- ipfo.ipfo_ptr = (void *)*ipsstpp;
-
- if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
- exit(-1);
- }
- if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
- perror("ioctl(state:SIOCGETLG)");
- exit(-1);
- }
- }
-
- if ((opts & OPT_FRSTATES) != 0) {
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
- ipfo.ipfo_size = sizeof(ipfrstat_t);
- ipfo.ipfo_ptr = (void *)*ifrstpp;
-
- if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
- perror("ioctl(SIOCGFRST)");
- exit(-1);
- }
- }
-
- if (opts & OPT_DEBUG)
- PRINTF("opts %#x name %s\n", opts, device);
-
- if ((opts & OPT_AUTHSTATS) != 0) {
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
- ipfo.ipfo_size = sizeof(fr_authstat_t);
- ipfo.ipfo_ptr = (void *)*frauthstpp;
-
- if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
- perror("ioctl(SIOCATHST)");
- exit(-1);
- }
- }
-}
-
-
-/*
- * Build up the stats structures from data held in the "core" memory.
- * This is mainly useful when looking at data in crash dumps and ioctl's
- * just won't work any more.
- */
-static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *kernel;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
- static fr_authstat_t frauthst, *frauthstp;
- static ips_stat_t ipsst, *ipsstp;
- static ipfrstat_t ifrst, *ifrstp;
- static friostat_t fio, *fiop;
- static ipftq_t ipssttab[IPF_TCP_NSTATES];
- int temp;
-
- void *rules[2][2];
- struct nlist deadlist[44] = {
- { "fr_authstats" }, /* 0 */
- { "fae_list" },
- { "ipauth" },
- { "fr_authlist" },
- { "fr_authstart" },
- { "fr_authend" }, /* 5 */
- { "fr_authnext" },
- { "fr_auth" },
- { "fr_authused" },
- { "fr_authsize" },
- { "fr_defaultauthage" }, /* 10 */
- { "fr_authpkts" },
- { "fr_auth_lock" },
- { "frstats" },
- { "ips_stats" },
- { "ips_num" }, /* 15 */
- { "ips_wild" },
- { "ips_list" },
- { "ips_table" },
- { "fr_statemax" },
- { "fr_statesize" }, /* 20 */
- { "fr_state_doflush" },
- { "fr_state_lock" },
- { "ipfr_heads" },
- { "ipfr_nattab" },
- { "ipfr_stats" }, /* 25 */
- { "ipfr_inuse" },
- { "fr_ipfrttl" },
- { "fr_frag_lock" },
- { "ipfr_timer_id" },
- { "fr_nat_lock" }, /* 30 */
- { "ipfilter" },
- { "ipfilter6" },
- { "ipacct" },
- { "ipacct6" },
- { "ipl_frouteok" }, /* 35 */
- { "fr_running" },
- { "ipfgroups" },
- { "fr_active" },
- { "fr_pass" },
- { "fr_flags" }, /* 40 */
- { "ipstate_logging" },
- { "ips_tqtqb" },
- { NULL }
- };
-
-
- frauthstp = &frauthst;
- ipsstp = &ipsst;
- ifrstp = &ifrst;
- fiop = &fio;
-
- *frfp = 0;
- *fiopp = fiop;
- *ipsstpp = ipsstp;
- *ifrstpp = ifrstp;
- *frauthstpp = frauthstp;
-
- bzero((char *)fiop, sizeof(*fiop));
- bzero((char *)ipsstp, sizeof(*ipsstp));
- bzero((char *)ifrstp, sizeof(*ifrstp));
- bzero((char *)frauthstp, sizeof(*frauthstp));
-
- if (nlist(kernel, deadlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- /*
- * This is for SIOCGETFF.
- */
- kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
-
- /*
- * f_locks is a combination of the lock variable from each part of
- * ipfilter (state, auth, nat, fragments).
- */
- kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
- sizeof(fiop->f_locks[0]));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
- sizeof(fiop->f_locks[1]));
- kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
- sizeof(fiop->f_locks[2]));
- kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
- sizeof(fiop->f_locks[3]));
-
- /*
- * Get pointers to each list of rules (active, inactive, in, out)
- */
- kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
- fiop->f_fin[0] = rules[0][0];
- fiop->f_fin[1] = rules[0][1];
- fiop->f_fout[0] = rules[1][0];
- fiop->f_fout[1] = rules[1][1];
-
- /*
- * Same for IPv6, except make them null if support for it is not
- * being compiled in.
- */
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
- fiop->f_fin6[0] = rules[0][0];
- fiop->f_fin6[1] = rules[0][1];
- fiop->f_fout6[0] = rules[1][0];
- fiop->f_fout6[1] = rules[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
-#endif
-
- /*
- * Now get accounting rules pointers.
- */
- kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
- fiop->f_acctin[0] = rules[0][0];
- fiop->f_acctin[1] = rules[0][1];
- fiop->f_acctout[0] = rules[1][0];
- fiop->f_acctout[1] = rules[1][1];
-
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
- fiop->f_acctin6[0] = rules[0][0];
- fiop->f_acctin6[1] = rules[0][1];
- fiop->f_acctout6[0] = rules[1][0];
- fiop->f_acctout6[1] = rules[1][1];
-#else
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
-
- /*
- * A collection of "global" variables used inside the kernel which
- * are all collected in friostat_t via ioctl.
- */
- kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
- sizeof(fiop->f_froute));
- kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
- sizeof(fiop->f_running));
- kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
- sizeof(fiop->f_groups));
- kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
- sizeof(fiop->f_active));
- kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
- sizeof(fiop->f_defpass));
-
- /*
- * Build up the state information stats structure.
- */
- kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
- kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
- kmemcpy((char *)ipssttab, (u_long)deadlist[42].n_value,
- sizeof(ipssttab));
- ipsstp->iss_active = temp;
- ipsstp->iss_table = (void *)deadlist[18].n_value;
- ipsstp->iss_list = (void *)deadlist[17].n_value;
- ipsstp->iss_tcptab = ipssttab;
-
- /*
- * Build up the authentiation information stats structure.
- */
- kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
- sizeof(*frauthstp));
- frauthstp->fas_faelist = (void *)deadlist[1].n_value;
-
- /*
- * Build up the fragment information stats structure.
- */
- kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
- sizeof(*ifrstp));
- ifrstp->ifs_table = (void *)deadlist[23].n_value;
- ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
- kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
- sizeof(ifrstp->ifs_inuse));
-
- /*
- * Get logging on/off switches
- */
- kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value,
- sizeof(state_logging));
-}
-
-
-/*
- * Display the kernel stats for packets blocked and passed and other
- * associated running totals which are kept.
- */
-static void showstats(fp, frf)
-struct friostat *fp;
-u_32_t frf;
-{
-
- PRINTF("bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#ifdef USE_INET6
- PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6, fp->f_st[1].fr_ipv6);
-#endif
- PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- PRINTF("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- PRINTF(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
- PRINTF("IPF Ticks:\t%lu\n", fp->f_ticks);
-
- PRINTF("Packet log flags set: (%#x)\n", frf);
- if (frf & FF_LOGPASS)
- PRINTF("\tpackets passed through filter\n");
- if (frf & FF_LOGBLOCK)
- PRINTF("\tpackets blocked by filter\n");
- if (frf & FF_LOGNOMATCH)
- PRINTF("\tpackets not matched by filter\n");
- if (!frf)
- PRINTF("\tnone\n");
-}
-
-
-/*
- * Print out a list of rules from the kernel, starting at the one passed.
- */
-static void printlivelist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
-{
- struct frentry fb;
- ipfruleiter_t rule;
- frentry_t zero;
- frgroup_t *g;
- ipfobj_t obj;
- int n;
-
- if (use_inet6 == 1)
- fb.fr_v = 6;
- else
- fb.fr_v = 4;
- fb.fr_next = fp;
- n = 0;
-
- rule.iri_inout = out;
- rule.iri_active = set;
- rule.iri_rule = &fb;
- rule.iri_nrules = 1;
- rule.iri_v = use_inet6 ? 6 : 4;
- if (group != NULL)
- strncpy(rule.iri_group, group, FR_GROUPLEN);
- else
- rule.iri_group[0] = '\0';
-
- bzero((char *)&zero, sizeof(zero));
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_IPFITER;
- obj.ipfo_size = sizeof(rule);
- obj.ipfo_ptr = &rule;
-
- do {
- u_long array[1000];
-
- memset(array, 0xff, sizeof(array));
- fp = (frentry_t *)array;
- rule.iri_rule = fp;
- if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
- perror("ioctl(SIOCIPFITER)");
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
- return;
- }
- if (bcmp(fp, &zero, sizeof(zero)) == 0)
- break;
- if (fp->fr_data != NULL)
- fp->fr_data = (char *)fp + sizeof(*fp);
-
- n++;
-
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_hits);
-#else
- PRINTF("%lu ", fp->fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
-#else
- PRINTF("%lu ", fp->fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
-
- printfr(fp, ioctl);
- if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
- if (fp->fr_data != NULL && fp->fr_dsize > 0)
- binprint(fp->fr_data, fp->fr_dsize);
- }
- if (fp->fr_grhead[0] != '\0') {
- for (g = grtop; g != NULL; g = g->fg_next) {
- if (!strncmp(fp->fr_grhead, g->fg_name,
- FR_GROUPLEN))
- break;
- }
- if (g == NULL) {
- g = calloc(1, sizeof(*g));
-
- if (g != NULL) {
- strncpy(g->fg_name, fp->fr_grhead,
- FR_GROUPLEN);
- if (grtop == NULL) {
- grtop = g;
- grtail = g;
- } else {
- grtail->fg_next = g;
- grtail = g;
- }
- }
- }
- }
- if (fp->fr_type == FR_T_CALLFUNC) {
- printlivelist(out, set, fp->fr_data, group,
- "# callfunc: ");
- }
- } while (fp->fr_next != NULL);
-
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
-
- if (group == NULL) {
- while ((g = grtop) != NULL) {
- printf("# Group %s\n", g->fg_name);
- printlivelist(out, set, NULL, g->fg_name, comment);
- grtop = g->fg_next;
- free(g);
- }
- }
-}
-
-
-static void printdeadlist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
-{
- frgroup_t *grtop, *grtail, *g;
- struct frentry fb;
- char *data;
- u_32_t type;
- int n;
-
- fb.fr_next = fp;
- n = 0;
- grtop = NULL;
- grtail = NULL;
-
- do {
- fp = fb.fr_next;
- if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
- sizeof(fb)) == -1) {
- perror("kmemcpy");
- return;
- }
-
- data = NULL;
- type = fb.fr_type & ~FR_T_BUILTIN;
- if (type == FR_T_IPF || type == FR_T_BPFOPC) {
- if (fb.fr_dsize) {
- data = malloc(fb.fr_dsize);
-
- if (kmemcpy(data, (u_long)fb.fr_data,
- fb.fr_dsize) == -1) {
- perror("kmemcpy");
- return;
- }
- fb.fr_data = data;
- }
- }
-
- n++;
-
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_hits);
-#else
- PRINTF("%lu ", fb.fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_bytes);
-#else
- PRINTF("%lu ", fb.fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
-
- printfr(fp, ioctl);
- if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
- if (fb.fr_data != NULL && fb.fr_dsize > 0)
- binprint(fb.fr_data, fb.fr_dsize);
- }
- if (data != NULL)
- free(data);
- if (fb.fr_grhead[0] != '\0') {
- g = calloc(1, sizeof(*g));
-
- if (g != NULL) {
- strncpy(g->fg_name, fb.fr_grhead,
- FR_GROUPLEN);
- if (grtop == NULL) {
- grtop = g;
- grtail = g;
- } else {
- grtail->fg_next = g;
- grtail = g;
- }
- }
- }
- if (type == FR_T_CALLFUNC) {
- printdeadlist(out, set, fb.fr_data, group,
- "# callfunc: ");
- }
- } while (fb.fr_next != NULL);
-
- while ((g = grtop) != NULL) {
- printdeadlist(out, set, NULL, g->fg_name, comment);
- grtop = g->fg_next;
- free(g);
- }
-}
-
-/*
- * print out all of the asked for rule sets, using the stats struct as
- * the base from which to get the pointers.
- */
-static void showlist(fiop)
-struct friostat *fiop;
-{
- struct frentry *fp = NULL;
- int i, set;
-
- set = fiop->f_active;
- if (opts & OPT_INACTIVE)
- set = 1 - set;
- if (opts & OPT_ACCNT) {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout[set];
- } else if (opts & OPT_INQUE) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin[set];
- } else {
- FPRINTF(stderr, "No -i or -o given with -a\n");
- return;
- }
- } else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout[set];
- } else if (opts & OPT_INQUE) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin[set];
- } else
- return;
- }
- if (opts & OPT_DEBUG)
- FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
-
- if (opts & OPT_DEBUG)
- PRINTF("fp %p set %d\n", fp, set);
- if (!fp) {
- FPRINTF(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
- }
- if (live_kernel == 1)
- printlivelist(i, set, fp, NULL, NULL);
- else
- printdeadlist(i, set, fp, NULL, NULL);
-}
-
-
-/*
- * Display ipfilter stateful filtering information
- */
-static void showipstates(ipsp)
-ips_stat_t *ipsp;
-{
- u_long minlen, maxlen, totallen, *buckets;
- ipftable_t table;
- ipfobj_t obj;
- int i, sz;
-
- /*
- * If a list of states hasn't been asked for, only print out stats
- */
- if (!(opts & OPT_SHOWLIST)) {
-
- sz = sizeof(*buckets) * ipsp->iss_statesize;
- buckets = (u_long *)malloc(sz);
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GTABLE;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = &table;
-
- table.ita_type = IPFTABLE_BUCKETS;
- table.ita_table = buckets;
-
- if (live_kernel == 1) {
- if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
- free(buckets);
- return;
- }
- } else {
- if (kmemcpy((char *)buckets,
- (u_long)ipsp->iss_bucketlen, sz)) {
- free(buckets);
- return;
- }
- }
-
- PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- PRINTF("\t%lu bucket full\n", ipsp->iss_bucketfull);
- PRINTF("\t%lu maximum rule references\n", ipsp->iss_maxref);
- PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
-
- PRINTF("State logging %sabled\n",
- state_logging ? "en" : "dis");
-
- PRINTF("\nState table bucket statistics:\n");
- PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
- PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
- (u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
-
- minlen = ipsp->iss_inuse;
- totallen = 0;
- maxlen = 0;
-
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if (buckets[i] > maxlen)
- maxlen = buckets[i];
- if (buckets[i] < minlen)
- minlen = buckets[i];
- totallen += buckets[i];
- }
-
- PRINTF("\t%2.2f%% bucket usage\n\t%lu minimal length\n",
- ((float)ipsp->iss_inuse / ipsp->iss_statesize) * 100.0,
- minlen);
- PRINTF("\t%lu maximal length\n\t%.3f average length\n",
- maxlen,
- ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
- 0.0);
-
-#define ENTRIES_PER_LINE 5
-
- if (opts & OPT_VERBOSE) {
- PRINTF("\nCurrent bucket sizes :\n");
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if ((i % ENTRIES_PER_LINE) == 0)
- PRINTF("\t");
- PRINTF("%4d -> %4lu", i, buckets[i]);
- if ((i % ENTRIES_PER_LINE) ==
- (ENTRIES_PER_LINE - 1))
- PRINTF("\n");
- else
- PRINTF(" ");
- }
- PRINTF("\n");
- }
- PRINTF("\n");
-
- free(buckets);
-
- if (live_kernel == 1) {
- showtqtable_live(state_fd);
- } else {
- printtqtable(ipsp->iss_tcptab);
- }
-
- return;
-
- }
-
- /*
- * Print out all the state information currently held in the kernel.
- */
- while (ipsp->iss_list != NULL) {
- ipstate_t ips;
-
- ipsp->iss_list = fetchstate(ipsp->iss_list, &ips);
-
- if (ipsp->iss_list != NULL) {
- ipsp->iss_list = ips.is_next;
- printstate(&ips, opts, ipsp->iss_ticks);
- }
- }
-}
-
-
-#ifdef STATETOP
-static int handle_resize = 0, handle_break = 0;
-
-static void topipstates(saddr, daddr, sport, dport, protocol, ver,
- refreshtime, topclosed)
-i6addr_t saddr;
-i6addr_t daddr;
-int sport;
-int dport;
-int protocol;
-int ver;
-int refreshtime;
-int topclosed;
-{
- char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
- int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
- int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
- int len, srclen, dstlen, forward = 1, c = 0;
- ips_stat_t ipsst, *ipsstp = &ipsst;
- statetop_t *tstable = NULL, *tp;
- const char *errstr = "";
- ipstate_t ips;
- ipfobj_t ipfo;
- struct timeval selecttimeout;
- char hostnm[HOSTNMLEN];
- struct protoent *proto;
- fd_set readfd;
- time_t t;
-
- /* install signal handlers */
- signal(SIGINT, sig_break);
- signal(SIGQUIT, sig_break);
- signal(SIGTERM, sig_break);
- signal(SIGWINCH, sig_resize);
-
- /* init ncurses stuff */
- initscr();
- cbreak();
- noecho();
- curs_set(0);
- timeout(0);
- getmaxyx(stdscr, maxy, maxx);
-
- /* init hostname */
- gethostname(hostnm, sizeof(hostnm) - 1);
- hostnm[sizeof(hostnm) - 1] = '\0';
-
- /* init ipfobj_t stuff */
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_STATESTAT;
- ipfo.ipfo_size = sizeof(*ipsstp);
- ipfo.ipfo_ptr = (void *)ipsstp;
-
- /* repeat until user aborts */
- while ( 1 ) {
-
- /* get state table */
- bzero((char *)&ipsst, sizeof(ipsst));
- if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
- errstr = "ioctl(SIOCGETFS)";
- ret = -1;
- goto out;
- }
-
- /* clear the history */
- tsentry = -1;
-
- /* reset max str len */
- srclen = dstlen = 0;
-
- /* read the state table and store in tstable */
- for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
-
- ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips);
- if (ipsstp->iss_list == NULL)
- break;
-
- if (ips.is_v != ver)
- continue;
-
- /* check v4 src/dest addresses */
- if (ips.is_v == 4) {
- if ((saddr.in4.s_addr != INADDR_ANY &&
- saddr.in4.s_addr != ips.is_saddr) ||
- (daddr.in4.s_addr != INADDR_ANY &&
- daddr.in4.s_addr != ips.is_daddr))
- continue;
- }
-#ifdef USE_INET6
- /* check v6 src/dest addresses */
- if (ips.is_v == 6) {
- if ((IP6_NEQ(&saddr, &in6addr_any) &&
- IP6_NEQ(&saddr, &ips.is_src)) ||
- (IP6_NEQ(&daddr, &in6addr_any) &&
- IP6_NEQ(&daddr, &ips.is_dst)))
- continue;
- }
-#endif
- /* check protocol */
- if (protocol > 0 && protocol != ips.is_p)
- continue;
-
- /* check ports if protocol is TCP or UDP */
- if (((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) &&
- (((sport > 0) && (htons(sport) != ips.is_sport)) ||
- ((dport > 0) && (htons(dport) != ips.is_dport))))
- continue;
-
- /* show closed TCP sessions ? */
- if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) &&
- (ips.is_state[0] >= IPF_TCPS_LAST_ACK) &&
- (ips.is_state[1] >= IPF_TCPS_LAST_ACK))
- continue;
-
- /*
- * if necessary make room for this state
- * entry
- */
- tsentry++;
- if (!maxtsentries || tsentry == maxtsentries) {
- maxtsentries += STGROWSIZE;
- tstable = realloc(tstable,
- maxtsentries * sizeof(statetop_t));
- if (tstable == NULL) {
- perror("realloc");
- exit(-1);
- }
- }
-
- /* get max src/dest address string length */
- len = strlen(getip(ips.is_v, &ips.is_src));
- if (srclen < len)
- srclen = len;
- len = strlen(getip(ips.is_v, &ips.is_dst));
- if (dstlen < len)
- dstlen = len;
-
- /* fill structure */
- tp = tstable + tsentry;
- tp->st_src = ips.is_src;
- tp->st_dst = ips.is_dst;
- tp->st_p = ips.is_p;
- tp->st_v = ips.is_v;
- tp->st_state[0] = ips.is_state[0];
- tp->st_state[1] = ips.is_state[1];
- if (forward) {
- tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1];
- tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1];
- } else {
- tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3];
- tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3];
- }
- tp->st_age = ips.is_die - ipsstp->iss_ticks;
- if ((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) {
- tp->st_sport = ips.is_sport;
- tp->st_dport = ips.is_dport;
- }
- }
-
-
- /* sort the array */
- if (tsentry != -1) {
- switch (sorting)
- {
- case STSORT_PR:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_p);
- break;
- case STSORT_PKTS:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_pkts);
- break;
- case STSORT_BYTES:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_bytes);
- break;
- case STSORT_TTL:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_ttl);
- break;
- case STSORT_SRCIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_srcip);
- break;
- case STSORT_SRCPT:
- qsort(tstable, tsentry +1,
- sizeof(statetop_t), sort_srcpt);
- break;
- case STSORT_DSTIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_dstip);
- break;
- case STSORT_DSTPT:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_dstpt);
- break;
- default:
- break;
- }
- }
-
- /* handle window resizes */
- if (handle_resize) {
- endwin();
- initscr();
- cbreak();
- noecho();
- curs_set(0);
- timeout(0);
- getmaxyx(stdscr, maxy, maxx);
- redraw = 1;
- handle_resize = 0;
- }
-
- /* stop program? */
- if (handle_break)
- break;
-
- /* print title */
- erase();
- attron(A_BOLD);
- winy = 0;
- move(winy,0);
- sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
- for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
- printw(" ");
- printw("%s", str1);
- attroff(A_BOLD);
-
- /* just for fun add a clock */
- move(winy, maxx - 8);
- t = time(NULL);
- strftime(str1, 80, "%T", localtime(&t));
- printw("%s\n", str1);
-
- /*
- * print the display filters, this is placed in the loop,
- * because someday I might add code for changing these
- * while the programming is running :-)
- */
- if (sport >= 0)
- sprintf(str1, "%s,%d", getip(ver, &saddr), sport);
- else
- sprintf(str1, "%s", getip(ver, &saddr));
-
- if (dport >= 0)
- sprintf(str2, "%s,%d", getip(ver, &daddr), dport);
- else
- sprintf(str2, "%s", getip(ver, &daddr));
-
- if (protocol < 0)
- strcpy(str3, "any");
- else if ((proto = getprotobynumber(protocol)) != NULL)
- sprintf(str3, "%s", proto->p_name);
- else
- sprintf(str3, "%d", protocol);
-
- switch (sorting)
- {
- case STSORT_PR:
- sprintf(str4, "proto");
- break;
- case STSORT_PKTS:
- sprintf(str4, "# pkts");
- break;
- case STSORT_BYTES:
- sprintf(str4, "# bytes");
- break;
- case STSORT_TTL:
- sprintf(str4, "ttl");
- break;
- case STSORT_SRCIP:
- sprintf(str4, "src ip");
- break;
- case STSORT_SRCPT:
- sprintf(str4, "src port");
- break;
- case STSORT_DSTIP:
- sprintf(str4, "dest ip");
- break;
- case STSORT_DSTPT:
- sprintf(str4, "dest port");
- break;
- default:
- sprintf(str4, "unknown");
- break;
- }
-
- if (reverse)
- strcat(str4, " (reverse)");
-
- winy += 2;
- move(winy,0);
- printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
- str1, str2, str3, str4);
-
- /*
- * For an IPv4 IP address we need at most 15 characters,
- * 4 tuples of 3 digits, separated by 3 dots. Enforce this
- * length, so the colums do not change positions based
- * on the size of the IP address. This length makes the
- * output fit in a 80 column terminal.
- * We are lacking a good solution for IPv6 addresses (that
- * can be longer that 15 characters), so we do not enforce
- * a maximum on the IP field size.
- */
- if (srclen < 15)
- srclen = 15;
- if (dstlen < 15)
- dstlen = 15;
-
- /* print column description */
- winy += 2;
- move(winy,0);
- attron(A_BOLD);
- printw("%-*s %-*s %3s %4s %7s %9s %9s\n",
- srclen + 6, "Source IP", dstlen + 6, "Destination IP",
- "ST", "PR", "#pkts", "#bytes", "ttl");
- attroff(A_BOLD);
-
- /* print all the entries */
- tp = tstable;
- if (reverse)
- tp += tsentry;
-
- if (tsentry > maxy - 6)
- tsentry = maxy - 6;
- for (i = 0; i <= tsentry; i++) {
- /* print src/dest and port */
- if ((tp->st_p == IPPROTO_TCP) ||
- (tp->st_p == IPPROTO_UDP)) {
- sprintf(str1, "%s,%hu",
- getip(tp->st_v, &tp->st_src),
- ntohs(tp->st_sport));
- sprintf(str2, "%s,%hu",
- getip(tp->st_v, &tp->st_dst),
- ntohs(tp->st_dport));
- } else {
- sprintf(str1, "%s", getip(tp->st_v,
- &tp->st_src));
- sprintf(str2, "%s", getip(tp->st_v,
- &tp->st_dst));
- }
- winy++;
- move(winy, 0);
- printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
-
- /* print state */
- sprintf(str1, "%X/%X", tp->st_state[0],
- tp->st_state[1]);
- printw(" %3s", str1);
-
- /* print protocol */
- proto = getprotobynumber(tp->st_p);
- if (proto) {
- strncpy(str1, proto->p_name, 4);
- str1[4] = '\0';
- } else {
- sprintf(str1, "%d", tp->st_p);
- }
- /* just print icmp for IPv6-ICMP */
- if (tp->st_p == IPPROTO_ICMPV6)
- strcpy(str1, "icmp");
- printw(" %4s", str1);
-
- /* print #pkt/#bytes */
-#ifdef USE_QUAD_T
- printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
- (unsigned long long) tp->st_bytes);
-#else
- printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
-#endif
- printw(" %9s", ttl_to_string(tp->st_age));
-
- if (reverse)
- tp--;
- else
- tp++;
- }
-
- /* screen data structure is filled, now update the screen */
- if (redraw)
- clearok(stdscr,1);
-
- if (refresh() == ERR)
- break;
- if (redraw) {
- clearok(stdscr,0);
- redraw = 0;
- }
-
- /* wait for key press or a 1 second time out period */
- selecttimeout.tv_sec = refreshtime;
- selecttimeout.tv_usec = 0;
- FD_ZERO(&readfd);
- FD_SET(0, &readfd);
- select(1, &readfd, NULL, NULL, &selecttimeout);
-
- /* if key pressed, read all waiting keys */
- if (FD_ISSET(0, &readfd)) {
- c = wgetch(stdscr);
- if (c == ERR)
- continue;
-
- if (ISALPHA(c) && ISUPPER(c))
- c = TOLOWER(c);
- if (c == 'l') {
- redraw = 1;
- } else if (c == 'q') {
- break;
- } else if (c == 'r') {
- reverse = !reverse;
- } else if (c == 'b') {
- forward = 0;
- } else if (c == 'f') {
- forward = 1;
- } else if (c == 's') {
- if (++sorting > STSORT_MAX)
- sorting = 0;
- }
- }
- } /* while */
-
-out:
- printw("\n");
- curs_set(1);
- /* nocbreak(); XXX - endwin() should make this redundant */
- endwin();
-
- free(tstable);
- if (ret != 0)
- perror(errstr);
-}
-#endif
-
-
-/*
- * Show fragment cache information that's held in the kernel.
- */
-static void showfrstates(ifsp, ticks)
-ipfrstat_t *ifsp;
-u_long ticks;
-{
- struct ipfr *ipfrtab[IPFT_SIZE], ifr;
- int i;
-
- /*
- * print out the numeric statistics
- */
- PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
- ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- PRINTF("\t%lu retrans\n\t%lu too short\n",
- ifsp->ifs_retrans0, ifsp->ifs_short);
- PRINTF("\t%lu no memory\n\t%lu already exist\n",
- ifsp->ifs_nomem, ifsp->ifs_exists);
- PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
- PRINTF("\n");
-
- if (live_kernel == 0) {
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table,
- sizeof(ipfrtab)))
- return;
- }
-
- /*
- * Print out the contents (if any) of the fragment cache table.
- */
- if (live_kernel == 1) {
- do {
- if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0)
- break;
- if (ifr.ipfr_ifp == NULL)
- break;
- ifr.ipfr_ttl -= ticks;
- printfraginfo("", &ifr);
- } while (1);
- } else {
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i] != NULL) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- printfraginfo("", &ifr);
- ipfrtab[i] = ifr.ipfr_next;
- }
- }
- /*
- * Print out the contents (if any) of the NAT fragment cache table.
- */
-
- if (live_kernel == 0) {
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,
- sizeof(ipfrtab)))
- return;
- }
-
- if (live_kernel == 1) {
- do {
- if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0)
- break;
- if (ifr.ipfr_ifp == NULL)
- break;
- ifr.ipfr_ttl -= ticks;
- printfraginfo("NAT: ", &ifr);
- } while (1);
- } else {
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i] != NULL) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- printfraginfo("NAT: ", &ifr);
- ipfrtab[i] = ifr.ipfr_next;
- }
- }
-}
-
-
-/*
- * Show stats on how auth within IPFilter has been used
- */
-static void showauthstates(asp)
-fr_authstat_t *asp;
-{
- frauthent_t *frap, fra;
- ipfgeniter_t auth;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(auth);
- obj.ipfo_ptr = &auth;
-
- auth.igi_type = IPFGENITER_AUTH;
- auth.igi_nitems = 1;
- auth.igi_data = &fra;
-
-#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
- (unsigned long long) asp->fas_hits,
- (unsigned long long) asp->fas_miss);
-#else
- printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
- asp->fas_miss);
-#endif
- printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
- asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
- asp->fas_sendok);
- printf("queok %ld\nquefail %ld\nexpire %ld\n",
- asp->fas_queok, asp->fas_quefail, asp->fas_expire);
-
- frap = asp->fas_faelist;
- while (frap) {
- if (live_kernel == 1) {
- if (ioctl(auth_fd, SIOCGENITER, &obj))
- break;
- } else {
- if (kmemcpy((char *)&fra, (u_long)frap,
- sizeof(fra)) == -1)
- break;
- }
- printf("age %ld\t", fra.fae_age);
- printfr(&fra.fae_fr, ioctl);
- frap = fra.fae_next;
- }
-}
-
-
-/*
- * Display groups used for each of filter rules, accounting rules and
- * authentication, separately.
- */
-static void showgroups(fiop)
-struct friostat *fiop;
-{
- static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
- static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
- frgroup_t *fp, grp;
- int on, off, i;
-
- on = fiop->f_active;
- off = 1 - on;
-
- for (i = 0; i < 3; i++) {
- printf("%s groups (active):\n", gnames[i]);
- for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL;
- fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%s\n", grp.fg_name);
- printf("%s groups (inactive):\n", gnames[i]);
- for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL;
- fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%s\n", grp.fg_name);
- }
-}
-
-static void parse_ipportstr(argument, ip, port)
-const char *argument;
-i6addr_t *ip;
-int *port;
-{
- char *s, *comma;
- int ok = 0;
-
- /* make working copy of argument, Theoretically you must be able
- * to write to optarg, but that seems very ugly to me....
- */
- s = strdup(argument);
- if (s == NULL)
- return;
-
- /* get port */
- if ((comma = strchr(s, ',')) != NULL) {
- if (!strcasecmp(comma + 1, "any")) {
- *port = -1;
- } else if (!sscanf(comma + 1, "%d", port) ||
- (*port < 0) || (*port > 65535)) {
- fprintf(stderr, "Invalid port specification in %s\n",
- argument);
- free(s);
- exit(-2);
- }
- *comma = '\0';
- }
-
-
- /* get ip address */
- if (!strcasecmp(s, "any")) {
- ip->in4.s_addr = INADDR_ANY;
- ok = 1;
-#ifdef USE_INET6
- ip->in6 = in6addr_any;
- } else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) {
- ok = 1;
-#endif
- } else if (inet_aton(s, &ip->in4))
- ok = 1;
-
- if (ok == 0) {
- fprintf(stderr, "Invalid IP address: %s\n", s);
- free(s);
- exit(-2);
- }
-
- /* free allocated memory */
- free(s);
-}
-
-
-#ifdef STATETOP
-static void sig_resize(s)
-int s;
-{
- handle_resize = 1;
-}
-
-static void sig_break(s)
-int s;
-{
- handle_break = 1;
-}
-
-static char *getip(v, addr)
-int v;
-i6addr_t *addr;
-{
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
-
- if (v == 4)
- return inet_ntoa(addr->in4);
-
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-static char *ttl_to_string(ttl)
-long int ttl;
-{
- static char ttlbuf[STSTRSIZE];
- int hours, minutes, seconds;
-
- /* ttl is in half seconds */
- ttl /= 2;
-
- hours = ttl / 3600;
- ttl = ttl % 3600;
- minutes = ttl / 60;
- seconds = ttl % 60;
-
- if (hours > 0)
- sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
- else
- sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
- return ttlbuf;
-}
-
-
-static int sort_pkts(a, b)
-const void *a;
-const void *b;
-{
-
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_pkts == bp->st_pkts)
- return 0;
- else if (ap->st_pkts < bp->st_pkts)
- return 1;
- return -1;
-}
-
-
-static int sort_bytes(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_bytes == bp->st_bytes)
- return 0;
- else if (ap->st_bytes < bp->st_bytes)
- return 1;
- return -1;
-}
-
-
-static int sort_p(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_p == bp->st_p)
- return 0;
- else if (ap->st_p < bp->st_p)
- return 1;
- return -1;
-}
-
-
-static int sort_ttl(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_age == bp->st_age)
- return 0;
- else if (ap->st_age < bp->st_age)
- return 1;
- return -1;
-}
-
-static int sort_srcip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
-#ifdef USE_INET6
- if (use_inet6) {
- if (IP6_EQ(&ap->st_src, &bp->st_src))
- return 0;
- else if (IP6_GT(&ap->st_src, &bp->st_src))
- return 1;
- } else
-#endif
- {
- if (ntohl(ap->st_src.in4.s_addr) ==
- ntohl(bp->st_src.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_src.in4.s_addr) >
- ntohl(bp->st_src.in4.s_addr))
- return 1;
- }
- return -1;
-}
-
-static int sort_srcpt(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (htons(ap->st_sport) == htons(bp->st_sport))
- return 0;
- else if (htons(ap->st_sport) > htons(bp->st_sport))
- return 1;
- return -1;
-}
-
-static int sort_dstip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
-#ifdef USE_INET6
- if (use_inet6) {
- if (IP6_EQ(&ap->st_dst, &bp->st_dst))
- return 0;
- else if (IP6_GT(&ap->st_dst, &bp->st_dst))
- return 1;
- } else
-#endif
- {
- if (ntohl(ap->st_dst.in4.s_addr) ==
- ntohl(bp->st_dst.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_dst.in4.s_addr) >
- ntohl(bp->st_dst.in4.s_addr))
- return 1;
- }
- return -1;
-}
-
-static int sort_dstpt(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (htons(ap->st_dport) == htons(bp->st_dport))
- return 0;
- else if (htons(ap->st_dport) > htons(bp->st_dport))
- return 1;
- return -1;
-}
-
-#endif
-
-
-ipstate_t *fetchstate(src, dst)
-ipstate_t *src, *dst;
-{
- int i;
-
- if (live_kernel == 1) {
- ipfgeniter_t state;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(state);
- obj.ipfo_ptr = &state;
-
- state.igi_type = IPFGENITER_STATE;
- state.igi_nitems = 1;
- state.igi_data = dst;
-
- if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
- return NULL;
- if (dst->is_next == NULL) {
- i = IPFGENITER_STATE;
- ioctl(state_fd, SIOCIPFDELTOK, &i);
- }
- } else {
- if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
- return NULL;
- }
- return dst;
-}
-
-
-static int fetchfrag(fd, type, frp)
-int fd, type;
-ipfr_t *frp;
-{
- ipfgeniter_t frag;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(frag);
- obj.ipfo_ptr = &frag;
-
- frag.igi_type = type;
- frag.igi_nitems = 1;
- frag.igi_data = frp;
-
- if (ioctl(fd, SIOCGENITER, &obj))
- return EFAULT;
- return 0;
-}
-
-
-static void showtqtable_live(fd)
-int fd;
-{
- ipftq_t table[IPF_TCP_NSTATES];
- ipfobj_t obj;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = (void *)table;
- obj.ipfo_type = IPFOBJ_STATETQTAB;
-
- if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
- printtqtable(table);
- }
-}
diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c
deleted file mode 100644
index 8343b2c..0000000
--- a/contrib/ipfilter/tools/ipftest.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include "ipf.h"
-#include "ipt.h"
-#include <sys/ioctl.h>
-#include <sys/file.h>
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
-extern struct ifnet *get_unit __P((char *, int));
-extern void init_ifp __P((void));
-extern ipnat_t *natparse __P((char *, int));
-extern int fr_running;
-extern hostmap_t **ipf_hm_maptable;
-extern hostmap_t *ipf_hm_maplist;
-
-ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
-ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
-ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
-ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens;
-int opts = OPT_DONOTHING;
-int use_inet6 = 0;
-int docksum = 0;
-int pfil_delayed_copy = 0;
-int main __P((int, char *[]));
-int loadrules __P((char *, int));
-int kmemcpy __P((char *, long, int));
-int kstrncpy __P((char *, long, int n));
-void dumpnat __P((void));
-void dumpstate __P((void));
-void dumplookups __P((void));
-void dumpgroups __P((void));
-void drain_log __P((char *));
-void fixv4sums __P((mb_t *, ip_t *));
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- defined(__osf__) || defined(linux)
-int ipftestioctl __P((int, ioctlcmd_t, ...));
-int ipnattestioctl __P((int, ioctlcmd_t, ...));
-int ipstatetestioctl __P((int, ioctlcmd_t, ...));
-int ipauthtestioctl __P((int, ioctlcmd_t, ...));
-int ipscantestioctl __P((int, ioctlcmd_t, ...));
-int ipsynctestioctl __P((int, ioctlcmd_t, ...));
-int ipooltestioctl __P((int, ioctlcmd_t, ...));
-#else
-int ipftestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipnattestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipstatetestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipauthtestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipsynctestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipscantestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipooltestioctl __P((dev_t, ioctlcmd_t, void *));
-#endif
-
-static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ipftestioctl,
- ipnattestioctl,
- ipstatetestioctl,
- ipauthtestioctl,
- ipsynctestioctl,
- ipscantestioctl,
- ipooltestioctl,
- NULL };
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- char *datain, *iface, *ifname, *logout;
- int fd, i, dir, c, loaded, dump, hlen;
- struct in_addr sip;
- struct ifnet *ifp;
- struct ipread *r;
- mb_t mb, *m;
- ip_t *ip;
-
- m = &mb;
- dir = 0;
- dump = 0;
- hlen = 0;
- loaded = 0;
- r = &iptext;
- iface = NULL;
- logout = NULL;
- datain = NULL;
- sip.s_addr = 0;
- ifname = "anon0";
-
- MUTEX_INIT(&ipf_rw, "ipf rw mutex");
- MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock");
- RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
- RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
- RWLOCK_INIT(&ipf_frcache, "ipf filter cache");
- RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
-
- initparse();
- if (fr_initialise() == -1)
- abort();
- fr_running = 1;
-
- while ((c = getopt(argc, argv, "6bCdDF:i:I:l:N:P:or:RS:T:vxX")) != -1)
- switch (c)
- {
- case '6' :
-#ifdef USE_INET6
- use_inet6 = 1;
-#else
- fprintf(stderr, "IPv6 not supported\n");
- exit(1);
-#endif
- break;
- case 'b' :
- opts |= OPT_BRIEF;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'C' :
- docksum = 1;
- break;
- case 'D' :
- dump = 1;
- break;
- case 'F' :
- if (strcasecmp(optarg, "pcap") == 0)
- r = &pcap;
- else if (strcasecmp(optarg, "etherfind") == 0)
- r = &etherf;
- else if (strcasecmp(optarg, "snoop") == 0)
- r = &snoop;
- else if (strcasecmp(optarg, "tcpdump") == 0)
- r = &tcpd;
- else if (strcasecmp(optarg, "hex") == 0)
- r = &iphex;
- else if (strcasecmp(optarg, "text") == 0)
- r = &iptext;
- break;
- case 'i' :
- datain = optarg;
- break;
- case 'I' :
- ifname = optarg;
- break;
- case 'l' :
- logout = optarg;
- break;
- case 'N' :
- if (ipnat_parsefile(-1, ipnat_addrule, ipnattestioctl,
- optarg) == -1)
- return -1;
- loaded = 1;
- opts |= OPT_NAT;
- break;
- case 'o' :
- opts |= OPT_SAVEOUT;
- break;
- case 'P' :
- if (ippool_parsefile(-1, optarg, ipooltestioctl) == -1)
- return -1;
- loaded = 1;
- break;
- case 'r' :
- if (ipf_parsefile(-1, ipf_addrule, iocfunctions,
- optarg) == -1)
- return -1;
- loaded = 1;
- break;
- case 'S' :
- sip.s_addr = inet_addr(optarg);
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'T' :
- ipf_dotuning(-1, optarg, ipftestioctl);
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'x' :
- opts |= OPT_HEX;
- break;
- }
-
- if (loaded == 0) {
- (void)fprintf(stderr,"no rules loaded\n");
- exit(-1);
- }
-
- if (opts & OPT_SAVEOUT)
- init_ifp();
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = MTOD(m, ip_t *);
- while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
- &iface, &dir)) > 0) {
- if ((iface == NULL) || (*iface == '\0'))
- iface = ifname;
- ifp = get_unit(iface, IP_V(ip));
- if (!use_inet6) {
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
- if ((r->r_flags & R_DO_CKSUM) || docksum)
- fixv4sums(m, ip);
- hlen = IP_HL(ip) << 2;
- if (sip.s_addr)
- dir = !(sip.s_addr == ip->ip_src.s_addr);
- }
-#ifdef USE_INET6
- else
- hlen = sizeof(ip6_t);
-#endif
- /* ipfr_slowtimer(); */
- m = &mb;
- m->mb_len = i;
- i = fr_check(ip, hlen, ifp, dir, &m);
- if ((opts & OPT_NAT) == 0)
- switch (i)
- {
- case -4 :
- (void)printf("preauth");
- break;
- case -3 :
- (void)printf("account");
- break;
- case -2 :
- (void)printf("auth");
- break;
- case -1 :
- (void)printf("block");
- break;
- case 0 :
- (void)printf("pass");
- break;
- case 1 :
- if (m == NULL)
- (void)printf("bad-packet");
- else
- (void)printf("nomatch");
- break;
- case 3 :
- (void)printf("block return-rst");
- break;
- case 4 :
- (void)printf("block return-icmp");
- break;
- case 5 :
- (void)printf("block return-icmp-as-dest");
- break;
- default :
- (void)printf("recognised return %#x\n", i);
- break;
- }
- if (!use_inet6) {
- ip->ip_off = htons(ip->ip_off);
- ip->ip_len = htons(ip->ip_len);
- }
-
- if (!(opts & OPT_BRIEF)) {
- putchar(' ');
- printpacket(ip);
- printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket(ip);
- if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL))
-#if defined(__sgi) && (IRIX < 60500)
- (*ifp->if_output)(ifp, (void *)m, NULL);
-#else
-# if TRU64 >= 1885
- (*ifp->if_output)(ifp, (void *)m, NULL, 0, 0);
-# else
- (*ifp->if_output)(ifp, (void *)m, NULL, 0);
-# endif
-#endif
- if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
- putchar('\n');
- dir = 0;
- if (iface != ifname) {
- free(iface);
- iface = ifname;
- }
- m = &mb;
- }
-
- if (i != 0)
- fprintf(stderr, "readip failed: %d\n", i);
- (*r->r_close)();
-
- if (logout != NULL) {
- drain_log(logout);
- }
-
- if (dump == 1) {
- dumpnat();
- dumpstate();
- dumplookups();
- dumpgroups();
- }
-
- fr_deinitialise();
-
- return 0;
-}
-
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- defined(__osf__) || defined(linux)
-int ipftestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipnattestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipstatetestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipauthtestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipscantestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipsynctestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipooltestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-#else
-int ipftestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipnattestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipstatetestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipauthtestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipsynctestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipscantestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipooltestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-#endif
-
-
-int kmemcpy(addr, offset, size)
-char *addr;
-long offset;
-int size;
-{
- bcopy((char *)offset, addr, size);
- return 0;
-}
-
-
-int kstrncpy(buf, pos, n)
-char *buf;
-long pos;
-int n;
-{
- char *ptr;
-
- ptr = (char *)pos;
-
- while ((n > 0) && (*buf++ = *ptr++))
- ;
- return 0;
-}
-
-
-/*
- * Display the built up NAT table rules and mapping entries.
- */
-void dumpnat()
-{
- hostmap_t *hm;
- ipnat_t *ipn;
- nat_t *nat;
-
- printf("List of active MAP/Redirect filters:\n");
- for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
- printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- printf("\nList of active sessions:\n");
- for (nat = nat_instances; nat; nat = nat->nat_next) {
- printactivenat(nat, opts, 0, 0);
- if (nat->nat_aps)
- printaps(nat->nat_aps, opts);
- }
-
- printf("\nHostmap table:\n");
- for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
- printhostmap(hm, 0);
-}
-
-
-/*
- * Display the built up state table rules and mapping entries.
- */
-void dumpstate()
-{
- ipstate_t *ips;
-
- printf("List of active state sessions:\n");
- for (ips = ips_list; ips != NULL; )
- ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE),
- fr_ticks);
-}
-
-
-void dumplookups()
-{
- iphtable_t *iph;
- ip_pool_t *ipl;
- int i;
-
- printf("List of configured pools\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next)
- printpool(ipl, bcopywrap, NULL, opts);
-
- printf("List of configured hash tables\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next)
- printhash(iph, bcopywrap, NULL, opts);
-}
-
-
-void dumpgroups()
-{
- frgroup_t *fg;
- frentry_t *fr;
- int i;
-
- printf("List of groups configured (set 0)\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][0]; fg != NULL; fg = fg->fg_next) {
- printf("Dev.%d. Group %s Ref %d Flags %#x\n",
- i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
-#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
-#else
- printf("%ld ", fr->fr_hits);
-#endif
- printfr(fr, ipftestioctl);
- }
- }
-
- printf("List of groups configured (set 1)\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][1]; fg != NULL; fg = fg->fg_next) {
- printf("Dev.%d. Group %s Ref %d Flags %#x\n",
- i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
-#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
-#else
- printf("%ld ", fr->fr_hits);
-#endif
- printfr(fr, ipftestioctl);
- }
- }
-}
-
-
-void drain_log(filename)
-char *filename;
-{
- char buffer[DEFAULT_IPFLOGSIZE];
- struct iovec iov;
- struct uio uio;
- size_t resid;
- int fd, i;
-
- fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
- if (fd == -1) {
- perror("drain_log:open");
- return;
- }
-
- for (i = 0; i <= IPL_LOGMAX; i++)
- while (1) {
- bzero((char *)&iov, sizeof(iov));
- iov.iov_base = buffer;
- iov.iov_len = sizeof(buffer);
-
- bzero((char *)&uio, sizeof(uio));
- uio.uio_iov = &iov;
- uio.uio_iovcnt = 1;
- uio.uio_resid = iov.iov_len;
- resid = uio.uio_resid;
-
- if (ipflog_read(i, &uio) == 0) {
- /*
- * If nothing was read then break out.
- */
- if (uio.uio_resid == resid)
- break;
- write(fd, buffer, resid - uio.uio_resid);
- } else
- break;
- }
-
- close(fd);
-}
-
-
-void fixv4sums(m, ip)
-mb_t *m;
-ip_t *ip;
-{
- u_char *csump, *hdr;
-
- ip->ip_sum = 0;
- ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
-
- csump = (u_char *)ip;
- csump += IP_HL(ip) << 2;
-
- switch (ip->ip_p)
- {
- case IPPROTO_TCP :
- hdr = csump;
- csump += offsetof(tcphdr_t, th_sum);
- break;
- case IPPROTO_UDP :
- hdr = csump;
- csump += offsetof(udphdr_t, uh_sum);
- break;
- case IPPROTO_ICMP :
- hdr = csump;
- csump += offsetof(icmphdr_t, icmp_cksum);
- break;
- default :
- csump = NULL;
- hdr = NULL;
- break;
- }
- if (hdr != NULL) {
- *csump = 0;
- *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
- }
-}
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
deleted file mode 100644
index f07396d..0000000
--- a/contrib/ipfilter/tools/ipmon.c
+++ /dev/null
@@ -1,1732 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifndef SOLARIS
-#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/time.h>
-#define _KERNEL
-#include <sys/uio.h>
-#undef _KERNEL
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <time.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-#endif
-#if !defined(__hpux) && (!defined(__SVR4) && !defined(__GNUC__))
-# include <strings.h>
-#endif
-#include <signal.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <netinet/ip.h>
-#if !defined(__hpux) && !defined(linux)
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef __hpux
-# undef NOERROR
-#endif
-#include <resolv.h>
-
-#if !defined(linux)
-# include <sys/protosw.h>
-# include <netinet/ip_var.h>
-#endif
-
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-
-#include <ctype.h>
-#include <syslog.h>
-
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipmon.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $";
-#endif
-
-
-#if defined(sun) && !defined(SOLARIS2)
-#define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-#define STRERROR(x) strerror(x)
-#endif
-
-
-struct flags {
- int value;
- char flag;
-};
-
-
-typedef struct icmp_subtype {
- int ist_val;
- char *ist_name;
-} icmp_subtype_t;
-
-typedef struct icmp_type {
- int it_val;
- struct icmp_subtype *it_subtable;
- size_t it_stsize;
- char *it_name;
-} icmp_type_t;
-
-
-#define IST_SZ(x) (sizeof(x)/sizeof(icmp_subtype_t))
-
-
-struct flags tcpfl[] = {
- { TH_ACK, 'A' },
- { TH_RST, 'R' },
- { TH_SYN, 'S' },
- { TH_FIN, 'F' },
- { TH_URG, 'U' },
- { TH_PUSH,'P' },
- { TH_ECN, 'E' },
- { TH_CWR, 'C' },
- { 0, '\0' }
-};
-
-#ifdef MENTAT
-static char *pidfile = "/etc/opt/ipf/ipmon.pid";
-#else
-# if BSD >= 199306
-static char *pidfile = "/var/run/ipmon.pid";
-# else
-static char *pidfile = "/etc/ipmon.pid";
-# endif
-#endif
-
-static char line[2048];
-static int opts = 0;
-static char *logfile = NULL;
-static FILE *binarylog = NULL;
-static char *binarylogfile = NULL;
-static int donehup = 0;
-static void usage __P((char *));
-static void handlehup __P((int));
-static void flushlogs __P((char *, FILE *));
-static void print_log __P((int, FILE *, char *, int));
-static void print_ipflog __P((FILE *, char *, int));
-static void print_natlog __P((FILE *, char *, int));
-static void print_statelog __P((FILE *, char *, int));
-static int read_log __P((int, int *, char *, int));
-static void write_pid __P((char *));
-static char *icmpname __P((u_int, u_int));
-static char *icmpname6 __P((u_int, u_int));
-static icmp_type_t *find_icmptype __P((int, icmp_type_t *, size_t));
-static icmp_subtype_t *find_icmpsubtype __P((int, icmp_subtype_t *, size_t));
-#ifdef __hpux
-static struct tm *get_tm __P((u_32_t));
-#else
-static struct tm *get_tm __P((time_t));
-#endif
-
-char *hostname __P((int, int, u_32_t *));
-char *portname __P((int, char *, u_int));
-int main __P((int, char *[]));
-
-static void logopts __P((int, char *));
-static void init_tabs __P((void));
-static char *getproto __P((u_int));
-
-static char **protocols = NULL;
-static char **udp_ports = NULL;
-static char **tcp_ports = NULL;
-static char *conf_file = NULL;
-
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-#define OPT_LOGBODY 0x800
-
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
-
-#ifndef LOGFAC
-#define LOGFAC LOG_LOCAL0
-#endif
-int logfac = LOGFAC;
-
-
-static icmp_subtype_t icmpunreachnames[] = {
- { ICMP_UNREACH_NET, "net" },
- { ICMP_UNREACH_HOST, "host" },
- { ICMP_UNREACH_PROTOCOL, "protocol" },
- { ICMP_UNREACH_PORT, "port" },
- { ICMP_UNREACH_NEEDFRAG, "needfrag" },
- { ICMP_UNREACH_SRCFAIL, "srcfail" },
- { ICMP_UNREACH_NET_UNKNOWN, "net_unknown" },
- { ICMP_UNREACH_HOST_UNKNOWN, "host_unknown" },
- { ICMP_UNREACH_NET, "isolated" },
- { ICMP_UNREACH_NET_PROHIB, "net_prohib" },
- { ICMP_UNREACH_NET_PROHIB, "host_prohib" },
- { ICMP_UNREACH_TOSNET, "tosnet" },
- { ICMP_UNREACH_TOSHOST, "toshost" },
- { ICMP_UNREACH_ADMIN_PROHIBIT, "admin_prohibit" },
- { -2, NULL }
-};
-
-static icmp_subtype_t redirectnames[] = {
- { ICMP_REDIRECT_NET, "net" },
- { ICMP_REDIRECT_HOST, "host" },
- { ICMP_REDIRECT_TOSNET, "tosnet" },
- { ICMP_REDIRECT_TOSHOST, "toshost" },
- { -2, NULL }
-};
-
-static icmp_subtype_t timxceednames[] = {
- { ICMP_TIMXCEED_INTRANS, "transit" },
- { ICMP_TIMXCEED_REASS, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t paramnames[] = {
- { ICMP_PARAMPROB_ERRATPTR, "errata_pointer" },
- { ICMP_PARAMPROB_OPTABSENT, "optmissing" },
- { ICMP_PARAMPROB_LENGTH, "length" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes[] = {
- { ICMP_ECHOREPLY, NULL, 0, "echoreply" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_UNREACH, icmpunreachnames,
- IST_SZ(icmpunreachnames),"unreach" },
- { ICMP_SOURCEQUENCH, NULL, 0, "sourcequench" },
- { ICMP_REDIRECT, redirectnames,
- IST_SZ(redirectnames), "redirect" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_ECHO, NULL, 0, "echo" },
- { ICMP_ROUTERADVERT, NULL, 0, "routeradvert" },
- { ICMP_ROUTERSOLICIT, NULL, 0, "routersolicit" },
- { ICMP_TIMXCEED, timxceednames,
- IST_SZ(timxceednames), "timxceed" },
- { ICMP_PARAMPROB, paramnames,
- IST_SZ(paramnames), "paramprob" },
- { ICMP_TSTAMP, NULL, 0, "timestamp" },
- { ICMP_TSTAMPREPLY, NULL, 0, "timestampreply" },
- { ICMP_IREQ, NULL, 0, "inforeq" },
- { ICMP_IREQREPLY, NULL, 0, "inforeply" },
- { ICMP_MASKREQ, NULL, 0, "maskreq" },
- { ICMP_MASKREPLY, NULL, 0, "maskreply" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t icmpredirect6[] = {
- { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
- { ICMP6_DST_UNREACH_ADMIN, "admin" },
- { ICMP6_DST_UNREACH_NOTNEIGHBOR, "neighbour" },
- { ICMP6_DST_UNREACH_ADDR, "address" },
- { ICMP6_DST_UNREACH_NOPORT, "noport" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmptimexceed6[] = {
- { ICMP6_TIME_EXCEED_TRANSIT, "intransit" },
- { ICMP6_TIME_EXCEED_REASSEMBLY, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpparamprob6[] = {
- { ICMP6_PARAMPROB_HEADER, "header" },
- { ICMP6_PARAMPROB_NEXTHEADER, "nextheader" },
- { ICMP6_PARAMPROB_OPTION, "option" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpquerysubject6[] = {
- { ICMP6_NI_SUBJ_IPV6, "ipv6" },
- { ICMP6_NI_SUBJ_FQDN, "fqdn" },
- { ICMP6_NI_SUBJ_IPV4, "ipv4" },
- { -2, NULL },
-};
-
-static icmp_subtype_t icmpnodeinfo6[] = {
- { ICMP6_NI_SUCCESS, "success" },
- { ICMP6_NI_REFUSED, "refused" },
- { ICMP6_NI_UNKNOWN, "unknown" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmprenumber6[] = {
- { ICMP6_ROUTER_RENUMBERING_COMMAND, "command" },
- { ICMP6_ROUTER_RENUMBERING_RESULT, "result" },
- { ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET, "seqnum_reset" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes6[] = {
- { 0, NULL, 0, NULL },
- { ICMP6_DST_UNREACH, icmpredirect6,
- IST_SZ(icmpredirect6), "unreach" },
- { ICMP6_PACKET_TOO_BIG, NULL, 0, "toobig" },
- { ICMP6_TIME_EXCEEDED, icmptimexceed6,
- IST_SZ(icmptimexceed6), "timxceed" },
- { ICMP6_PARAM_PROB, icmpparamprob6,
- IST_SZ(icmpparamprob6), "paramprob" },
- { ICMP6_ECHO_REQUEST, NULL, 0, "echo" },
- { ICMP6_ECHO_REPLY, NULL, 0, "echoreply" },
- { ICMP6_MEMBERSHIP_QUERY, icmpquerysubject6,
- IST_SZ(icmpquerysubject6), "groupmemberquery" },
- { ICMP6_MEMBERSHIP_REPORT,NULL, 0, "groupmemberreport" },
- { ICMP6_MEMBERSHIP_REDUCTION,NULL, 0, "groupmemberterm" },
- { ND_ROUTER_SOLICIT, NULL, 0, "routersolicit" },
- { ND_ROUTER_ADVERT, NULL, 0, "routeradvert" },
- { ND_NEIGHBOR_SOLICIT, NULL, 0, "neighborsolicit" },
- { ND_NEIGHBOR_ADVERT, NULL, 0, "neighboradvert" },
- { ND_REDIRECT, NULL, 0, "redirect" },
- { ICMP6_ROUTER_RENUMBERING, icmprenumber6,
- IST_SZ(icmprenumber6), "routerrenumber" },
- { ICMP6_WRUREQUEST, NULL, 0, "whoareyourequest" },
- { ICMP6_WRUREPLY, NULL, 0, "whoareyoureply" },
- { ICMP6_FQDN_QUERY, NULL, 0, "fqdnquery" },
- { ICMP6_FQDN_REPLY, NULL, 0, "fqdnreply" },
- { ICMP6_NI_QUERY, icmpnodeinfo6,
- IST_SZ(icmpnodeinfo6), "nodeinforequest" },
- { ICMP6_NI_REPLY, NULL, 0, "nodeinforeply" },
- { MLD6_MTRACE_RESP, NULL, 0, "mtraceresponse" },
- { MLD6_MTRACE, NULL, 0, "mtracerequest" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
-int type;
-icmp_subtype_t *table;
-size_t tablesz;
-{
- icmp_subtype_t *ist;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].ist_val))
- return NULL;
-
- i = type;
- if (table[type].ist_val == type)
- return table + type;
-
- for (i = 0, ist = table; ist->ist_val != -2; i++, ist++)
- if (ist->ist_val == type)
- return ist;
- return NULL;
-}
-
-
-static icmp_type_t *find_icmptype(type, table, tablesz)
-int type;
-icmp_type_t *table;
-size_t tablesz;
-{
- icmp_type_t *it;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].it_val))
- return NULL;
-
- i = type;
- if (table[type].it_val == type)
- return table + type;
-
- for (i = 0, it = table; it->it_val != -2; i++, it++)
- if (it->it_val == type)
- return it;
- return NULL;
-}
-
-
-static void handlehup(sig)
-int sig;
-{
- signal(SIGHUP, handlehup);
- donehup = 1;
-}
-
-
-static void init_tabs()
-{
- struct protoent *p;
- struct servent *s;
- char *name, **tab;
- int port, i;
-
- if (protocols != NULL) {
- for (i = 0; i < 256; i++)
- if (protocols[i] != NULL) {
- free(protocols[i]);
- protocols[i] = NULL;
- }
- free(protocols);
- protocols = NULL;
- }
- protocols = (char **)malloc(256 * sizeof(*protocols));
- if (protocols != NULL) {
- bzero((char *)protocols, 256 * sizeof(*protocols));
-
- setprotoent(1);
- while ((p = getprotoent()) != NULL)
- if (p->p_proto >= 0 && p->p_proto <= 255 &&
- p->p_name != NULL && protocols[p->p_proto] == NULL)
- protocols[p->p_proto] = strdup(p->p_name);
- endprotoent();
-#if defined(_AIX51)
- if (protocols[0])
- free(protocols[0]);
- if (protocols[252])
- free(protocols[252]);
- protocols[0] = "ip";
- protocols[252] = NULL;
-#endif
- }
-
- if (udp_ports != NULL) {
- for (i = 0; i < 65536; i++)
- if (udp_ports[i] != NULL) {
- free(udp_ports[i]);
- udp_ports[i] = NULL;
- }
- free(udp_ports);
- udp_ports = NULL;
- }
- udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
- if (udp_ports != NULL)
- bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
-
- if (tcp_ports != NULL) {
- for (i = 0; i < 65536; i++)
- if (tcp_ports[i] != NULL) {
- free(tcp_ports[i]);
- tcp_ports[i] = NULL;
- }
- free(tcp_ports);
- tcp_ports = NULL;
- }
- tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
- if (tcp_ports != NULL)
- bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
-
- setservent(1);
- while ((s = getservent()) != NULL) {
- if (s->s_proto == NULL)
- continue;
- else if (!strcmp(s->s_proto, "tcp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = tcp_ports;
- } else if (!strcmp(s->s_proto, "udp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = udp_ports;
- } else
- continue;
- if ((port < 0 || port > 65535) || (name == NULL))
- continue;
- if (tab != NULL)
- tab[port] = strdup(name);
- }
- endservent();
-}
-
-
-static char *getproto(p)
-u_int p;
-{
- static char pnum[4];
- char *s;
-
- p &= 0xff;
- s = protocols ? protocols[p] : NULL;
- if (s == NULL) {
- sprintf(pnum, "%u", p);
- s = pnum;
- }
- return s;
-}
-
-
-static int read_log(fd, lenp, buf, bufsize)
-int fd, bufsize, *lenp;
-char *buf;
-{
- int nr;
-
- nr = read(fd, buf, bufsize);
- if (!nr)
- return 2;
- if ((nr < 0) && (errno != EINTR))
- return -1;
- *lenp = nr;
- return 0;
-}
-
-
-char *hostname(res, v, ip)
-int res, v;
-u_32_t *ip;
-{
-# define MAX_INETA 16
- static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct hostent *hp;
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *ip;
- if (!res)
- return inet_ntoa(ipa);
- hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET);
- if (!hp)
- return inet_ntoa(ipa);
- sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name,
- inet_ntoa(ipa));
- return hname;
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-char *portname(res, proto, port)
-int res;
-char *proto;
-u_int port;
-{
- static char pname[8];
- char *s;
-
- port = ntohs(port);
- port &= 0xffff;
- (void) sprintf(pname, "%u", port);
- if (!res || (opts & OPT_PORTNUM))
- return pname;
- s = NULL;
- if (!strcmp(proto, "tcp"))
- s = tcp_ports[port];
- else if (!strcmp(proto, "udp"))
- s = udp_ports[port];
- if (s == NULL)
- s = pname;
- return s;
-}
-
-
-static char *icmpname(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmptype(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-static char *icmpname6(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes6, sizeof(icmptypes6) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmpv6type(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-
-void dumphex(log, dopts, buf, len)
-FILE *log;
-int dopts;
-char *buf;
-int len;
-{
- char hline[80];
- int i, j, k;
- u_char *s = (u_char *)buf, *t = (u_char *)hline;
-
- if (buf == NULL || len == 0)
- return;
-
- *hline = '\0';
-
- for (i = len, j = 0; i; i--, j++, s++) {
- if (j && !(j & 0xf)) {
- *t++ = '\n';
- *t = '\0';
- if ((dopts & OPT_SYSLOG))
- syslog(LOG_INFO, "%s", hline);
- else if (log != NULL)
- fputs(hline, log);
- t = (u_char *)hline;
- *t = '\0';
- }
- sprintf((char *)t, "%02x", *s & 0xff);
- t += 2;
- if (!((j + 1) & 0xf)) {
- s -= 15;
- sprintf((char *)t, " ");
- t += 8;
- for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
- s--;
- }
-
- if ((j + 1) & 0xf)
- *t++ = ' ';;
- }
-
- if (j & 0xf) {
- for (k = 16 - (j & 0xf); k; k--) {
- *t++ = ' ';
- *t++ = ' ';
- *t++ = ' ';
- }
- sprintf((char *)t, " ");
- t += 7;
- s -= j & 0xf;
- for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
- *t++ = '\n';
- *t = '\0';
- }
- if ((dopts & OPT_SYSLOG) != 0)
- syslog(LOG_INFO, "%s", hline);
- else if (log != NULL) {
- fputs(hline, log);
- fflush(log);
- }
-}
-
-
-static struct tm *get_tm(sec)
-#ifdef __hpux
-u_32_t sec;
-#else
-time_t sec;
-#endif
-{
- struct tm *tm;
- time_t t;
-
- t = sec;
- tm = localtime(&t);
- return tm;
-}
-
-static void print_natlog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct natlog *nl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line;
- struct tm *tm;
- int res, i, len;
- char *proto;
-
- nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = get_tm(ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
- t += strlen(t);
-
- if (nl->nl_type == NL_NEWMAP)
- strcpy(t, "NAT:MAP ");
- else if (nl->nl_type == NL_NEWRDR)
- strcpy(t, "NAT:RDR ");
- else if (nl->nl_type == NL_FLUSH)
- strcpy(t, "NAT:FLUSH ");
- else if (nl->nl_type == NL_EXPIRE)
- strcpy(t, "NAT:EXPIRE ");
- else if (nl->nl_type == NL_NEWBIMAP)
- strcpy(t, "NAT:BIMAP ");
- else if (nl->nl_type == NL_NEWBLOCK)
- strcpy(t, "NAT:MAPBLOCK ");
- else if (nl->nl_type == NL_CLONE)
- strcpy(t, "NAT:CLONE ");
- else if (nl->nl_type == NL_DESTROY)
- strcpy(t, "NAT:DESTROY ");
- else
- sprintf(t, "Type: %d ", nl->nl_type);
- t += strlen(t);
-
- proto = getproto(nl->nl_p);
-
- (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
- portname(res, proto, (u_int)nl->nl_inport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
- portname(res, proto, (u_int)nl->nl_outport));
- t += strlen(t);
- (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport),
- getproto(nl->nl_p));
- t += strlen(t);
- if (nl->nl_type == NL_EXPIRE) {
-#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
- (long long)nl->nl_pkts[0],
- (long long)nl->nl_pkts[1],
- (long long)nl->nl_bytes[0],
- (long long)nl->nl_bytes[1]);
-#else
- (void) sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
- nl->nl_pkts[0], nl->nl_pkts[1],
- nl->nl_bytes[0], nl->nl_bytes[1]);
-#endif
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_statelog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct ipslog *sl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line, *proto;
- struct tm *tm;
- int res, i, len;
-
- sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = get_tm(ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
-
- switch (sl->isl_type)
- {
- case ISL_NEW :
- strcpy(t, "STATE:NEW ");
- break;
-
- case ISL_CLONE :
- strcpy(t, "STATE:CLONED ");
- break;
-
- case ISL_EXPIRE :
- if ((sl->isl_p == IPPROTO_TCP) &&
- (sl->isl_state[0] > IPF_TCPS_ESTABLISHED ||
- sl->isl_state[1] > IPF_TCPS_ESTABLISHED))
- strcpy(t, "STATE:CLOSE ");
- else
- strcpy(t, "STATE:EXPIRE ");
- break;
-
- case ISL_FLUSH :
- strcpy(t, "STATE:FLUSH ");
- break;
-
- case ISL_INTERMEDIATE :
- strcpy(t, "STATE:INTERMEDIATE ");
- break;
-
- case ISL_REMOVE :
- strcpy(t, "STATE:REMOVE ");
- break;
-
- case ISL_KILLED :
- strcpy(t, "STATE:KILLED ");
- break;
-
- case ISL_UNLOAD :
- strcpy(t, "STATE:UNLOAD ");
- break;
-
- default :
- sprintf(t, "Type: %d ", sl->isl_type);
- break;
- }
- t += strlen(t);
-
- proto = getproto(sl->isl_p);
-
- if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
- (void) sprintf(t, "%s,%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
- portname(res, proto, (u_int)sl->isl_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- portname(res, proto, (u_int)sl->isl_dport), proto);
- } else if (sl->isl_p == IPPROTO_ICMP) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- } else if (sl->isl_p == IPPROTO_ICMPV6) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- } else {
- (void) sprintf(t, "%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- proto);
- }
- t += strlen(t);
- if (sl->isl_tag != FR_NOLOGTAG) {
- (void) sprintf(t, " tag %u", sl->isl_tag);
- t += strlen(t);
- }
- if (sl->isl_type != ISL_NEW) {
- sprintf(t,
-#ifdef USE_QUAD_T
-#ifdef PRId64
- " Forward: Pkts in %" PRId64 " Bytes in %" PRId64
- " Pkts out %" PRId64 " Bytes out %" PRId64
- " Backward: Pkts in %" PRId64 " Bytes in %" PRId64
- " Pkts out %" PRId64 " Bytes out %" PRId64,
-#else
- " Forward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd Backward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd",
-#endif /* PRId64 */
-#else
- " Forward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld Backward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld",
-#endif
- sl->isl_pkts[0], sl->isl_bytes[0],
- sl->isl_pkts[1], sl->isl_bytes[1],
- sl->isl_pkts[2], sl->isl_bytes[2],
- sl->isl_pkts[3], sl->isl_bytes[3]);
-
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_log(logtype, log, buf, blen)
-FILE *log;
-char *buf;
-int logtype, blen;
-{
- iplog_t *ipl;
- char *bp = NULL, *bpo = NULL;
- int psize;
-
- while (blen > 0) {
- ipl = (iplog_t *)buf;
- if ((u_long)ipl & (sizeof(long)-1)) {
- if (bp)
- bpo = bp;
- bp = (char *)malloc(blen);
- bcopy((char *)ipl, bp, blen);
- if (bpo) {
- free(bpo);
- bpo = NULL;
- }
- buf = bp;
- continue;
- }
-
- psize = ipl->ipl_dsize;
- if (psize > blen)
- break;
-
- if (binarylog) {
- fwrite(buf, psize, 1, binarylog);
- fflush(binarylog);
- }
-
- if (logtype == IPL_LOGIPF) {
- if (ipl->ipl_magic == IPL_MAGIC)
- print_ipflog(log, buf, psize);
-
- } else if (logtype == IPL_LOGNAT) {
- if (ipl->ipl_magic == IPL_MAGIC_NAT)
- print_natlog(log, buf, psize);
-
- } else if (logtype == IPL_LOGSTATE) {
- if (ipl->ipl_magic == IPL_MAGIC_STATE)
- print_statelog(log, buf, psize);
- }
-
- blen -= psize;
- buf += psize;
- }
- if (bp)
- free(bp);
- return;
-}
-
-
-static void print_ipflog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- tcphdr_t *tp;
- struct icmp *ic;
- struct icmp *icmp;
- struct tm *tm;
- char *t, *proto;
- int i, v, lvl, res, len, off, plen, ipoff, defaction;
- ip_t *ipc, *ip;
- u_32_t *s, *d;
- u_short hl, p;
- ipflog_t *ipf;
- iplog_t *ipl;
-#ifdef USE_INET6
- struct ip6_ext *ehp;
- u_short ehl;
- ip6_t *ip6;
- int go;
-#endif
-
- ipl = (iplog_t *)buf;
- ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
- ip = (ip_t *)((char *)ipf + sizeof(*ipf));
- v = IP_V(ip);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- t = line;
- *t = '\0';
- tm = get_tm(ipl->ipl_sec);
-
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
- if (ipl->ipl_count > 1) {
- (void) sprintf(t, "%dx ", ipl->ipl_count);
- t += strlen(t);
- }
-#if (defined(MENTAT) || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
- {
- char ifname[sizeof(ipf->fl_ifname) + 1];
-
- strncpy(ifname, ipf->fl_ifname, sizeof(ipf->fl_ifname));
- ifname[sizeof(ipf->fl_ifname)] = '\0';
- (void) sprintf(t, "%s", ifname);
- t += strlen(t);
-# if defined(MENTAT) || defined(linux)
- if (ISALPHA(*(t - 1))) {
- sprintf(t, "%d", ipf->fl_unit);
- t += strlen(t);
- }
-# endif
- }
-#else
- for (len = 0; len < 3; len++)
- if (ipf->fl_ifname[len] == '\0')
- break;
- if (ipf->fl_ifname[len])
- len++;
- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
- t += strlen(t);
-#endif
- if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
- strcat(t, " @-1:");
- else if (ipf->fl_group[0] == '\0')
- (void) strcpy(t, " @0:");
- else
- (void) sprintf(t, " @%s:", ipf->fl_group);
- t += strlen(t);
- if (ipf->fl_rule == 0xffffffff)
- strcat(t, "-1 ");
- else
- (void) sprintf(t, "%u ", ipf->fl_rule + 1);
- t += strlen(t);
-
- lvl = LOG_NOTICE;
-
- if (ipf->fl_lflags & FI_SHORT) {
- *t++ = 'S';
- lvl = LOG_ERR;
- }
-
- if (FR_ISPASS(ipf->fl_flags)) {
- if (ipf->fl_flags & FR_LOGP)
- *t++ = 'p';
- else
- *t++ = 'P';
- } else if (FR_ISBLOCK(ipf->fl_flags)) {
- if (ipf->fl_flags & FR_LOGB)
- *t++ = 'b';
- else
- *t++ = 'B';
- lvl = LOG_WARNING;
- } else if ((ipf->fl_flags & FR_LOGMASK) == FR_LOG) {
- *t++ = 'L';
- lvl = LOG_INFO;
- } else if (ipf->fl_flags & FF_LOGNOMATCH) {
- *t++ = 'n';
- } else {
- *t++ = '?';
- lvl = LOG_EMERG;
- }
- if (ipf->fl_loglevel != 0xffff)
- lvl = ipf->fl_loglevel;
- *t++ = ' ';
- *t = '\0';
-
- if (v == 6) {
-#ifdef USE_INET6
- off = 0;
- ipoff = 0;
- hl = sizeof(ip6_t);
- ip6 = (ip6_t *)ip;
- p = (u_short)ip6->ip6_nxt;
- s = (u_32_t *)&ip6->ip6_src;
- d = (u_32_t *)&ip6->ip6_dst;
- plen = hl + ntohs(ip6->ip6_plen);
- go = 1;
- ehp = (struct ip6_ext *)((char *)ip6 + hl);
- while (go == 1) {
- switch (p)
- {
- case IPPROTO_HOPOPTS :
- case IPPROTO_MOBILITY :
- case IPPROTO_DSTOPTS :
- case IPPROTO_ROUTING :
- case IPPROTO_AH :
- p = ehp->ip6e_nxt;
- ehl = 8 + (ehp->ip6e_len << 3);
- hl += ehl;
- ehp = (struct ip6_ext *)((char *)ehp + ehl);
- break;
- case IPPROTO_FRAGMENT :
- hl += sizeof(struct ip6_frag);
- /* FALLTHROUGH */
- default :
- go = 0;
- break;
- }
- }
-#else
- sprintf(t, "ipv6");
- goto printipflog;
-#endif
- } else if (v == 4) {
- hl = IP_HL(ip) << 2;
- ipoff = ip->ip_off;
- off = ipoff & IP_OFFMASK;
- p = (u_short)ip->ip_p;
- s = (u_32_t *)&ip->ip_src;
- d = (u_32_t *)&ip->ip_dst;
- plen = ip->ip_len;
- } else {
- goto printipflog;
- }
- proto = getproto(p);
-
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
- tp = (tcphdr_t *)((char *)ip + hl);
- if (!(ipf->fl_lflags & FI_SHORT)) {
- (void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
- portname(res, proto, (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu %hu",
- hostname(res, v, d),
- portname(res, proto, (u_int)tp->th_dport),
- proto, hl, plen);
- t += strlen(t);
-
- if (p == IPPROTO_TCP) {
- *t++ = ' ';
- *t++ = '-';
- for (i = 0; tcpfl[i].value; i++)
- if (tp->th_flags & tcpfl[i].value)
- *t++ = tcpfl[i].flag;
- if (opts & OPT_VERBOSE) {
- (void) sprintf(t, " %lu %lu %hu",
- (u_long)(ntohl(tp->th_seq)),
- (u_long)(ntohl(tp->th_ack)),
- ntohs(tp->th_win));
- t += strlen(t);
- }
- }
- *t = '\0';
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu %hu",
- hostname(res, v, d), proto, hl, plen);
- }
- } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
- hostname(res, v, d), hl, plen,
- icmpname6(ic->icmp_type, ic->icmp_code));
- } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
- hostname(res, v, d), hl, plen,
- icmpname(ic->icmp_type, ic->icmp_code));
- if (ic->icmp_type == ICMP_UNREACH ||
- ic->icmp_type == ICMP_SOURCEQUENCH ||
- ic->icmp_type == ICMP_PARAMPROB ||
- ic->icmp_type == ICMP_REDIRECT ||
- ic->icmp_type == ICMP_TIMXCEED) {
- ipc = &ic->icmp_ip;
- i = ntohs(ipc->ip_len);
- /*
- * XXX - try to guess endian of ip_len in ICMP
- * returned data.
- */
- if (i > 1500)
- i = ipc->ip_len;
- ipoff = ntohs(ipc->ip_off);
- proto = getproto(ipc->ip_p);
-
- if (!(ipoff & IP_OFFMASK) &&
- ((ipc->ip_p == IPPROTO_TCP) ||
- (ipc->ip_p == IPPROTO_UDP))) {
- tp = (tcphdr_t *)((char *)ipc + hl);
- t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- HOSTNAME_V4(res, ipc->ip_src),
- portname(res, proto,
- (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- HOSTNAME_V4(res, ipc->ip_dst),
- portname(res, proto,
- (u_int)tp->th_dport),
- proto, IP_HL(ipc) << 2, i);
- } else if (!(ipoff & IP_OFFMASK) &&
- (ipc->ip_p == IPPROTO_ICMP)) {
- icmp = (icmphdr_t *)((char *)ipc + hl);
-
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t,
- " %s PR icmp len %hu %hu icmp %d/%d",
- HOSTNAME_V4(res, ipc->ip_dst),
- IP_HL(ipc) << 2, i,
- icmp->icmp_type, icmp->icmp_code);
- } else {
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t, " %s PR %s len %hu (%hu)",
- HOSTNAME_V4(res, ipc->ip_dst), proto,
- IP_HL(ipc) << 2, i);
- t += strlen(t);
- if (ipoff & IP_OFFMASK) {
- (void) sprintf(t,
- "(frag %d:%hu@%hu%s%s)",
- ntohs(ipc->ip_id),
- i - (IP_HL(ipc) << 2),
- (ipoff & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- }
-
- }
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
- hostname(res, v, d), proto, hl, plen);
- t += strlen(t);
- if (off & IP_OFFMASK)
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
- ntohs(ip->ip_id),
- plen - hl, (off & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- t += strlen(t);
-
-printipflog:
- if (ipf->fl_flags & FR_KEEPSTATE) {
- (void) strcpy(t, " K-S");
- t += strlen(t);
- }
-
- if (ipf->fl_flags & FR_KEEPFRAG) {
- (void) strcpy(t, " K-F");
- t += strlen(t);
- }
-
- if (ipf->fl_dir == 0)
- strcpy(t, " IN");
- else if (ipf->fl_dir == 1)
- strcpy(t, " OUT");
- t += strlen(t);
- if (ipf->fl_logtag != 0) {
- sprintf(t, " log-tag %d", ipf->fl_logtag);
- t += strlen(t);
- }
- if (ipf->fl_nattag.ipt_num[0] != 0) {
- strcpy(t, " nat-tag ");
- t += strlen(t);
- strncpy(t, ipf->fl_nattag.ipt_tag, sizeof(ipf->fl_nattag));
- t += strlen(t);
- }
- if ((ipf->fl_lflags & FI_LOWTTL) != 0) {
- strcpy(t, " low-ttl");
- t += 8;
- }
- if ((ipf->fl_lflags & FI_OOW) != 0) {
- strcpy(t, " OOW");
- t += 4;
- }
- if ((ipf->fl_lflags & FI_BAD) != 0) {
- strcpy(t, " bad");
- t += 4;
- }
- if ((ipf->fl_lflags & FI_NATED) != 0) {
- strcpy(t, " NAT");
- t += 4;
- }
- if ((ipf->fl_lflags & FI_BADNAT) != 0) {
- strcpy(t, " bad-NAT");
- t += 8;
- }
- if ((ipf->fl_lflags & FI_BADSRC) != 0) {
- strcpy(t, " bad-src");
- t += 8;
- }
- if ((ipf->fl_lflags & FI_MULTICAST) != 0) {
- strcpy(t, " multicast");
- t += 10;
- }
- if ((ipf->fl_lflags & FI_BROADCAST) != 0) {
- strcpy(t, " broadcast");
- t += 10;
- }
- if ((ipf->fl_lflags & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST)) ==
- FI_MBCAST) {
- strcpy(t, " mbcast");
- t += 7;
- }
- *t++ = '\n';
- *t++ = '\0';
- defaction = 0;
- if (conf_file != NULL)
- defaction = check_action(buf, line, opts, lvl);
- if (defaction == 0) {
- if (opts & OPT_SYSLOG)
- syslog(lvl, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
-
- if (opts & OPT_HEXHDR)
- dumphex(log, opts, buf,
- sizeof(iplog_t) + sizeof(*ipf));
- if (opts & OPT_HEXBODY)
- dumphex(log, opts, (char *)ip,
- ipf->fl_plen + ipf->fl_hlen);
- else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
- dumphex(log, opts, (char *)ip + ipf->fl_hlen,
- ipf->fl_plen);
- }
-}
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
- exit(1);
-}
-
-
-static void write_pid(file)
-char *file;
-{
- FILE *fp = NULL;
- int fd;
-
- if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0) {
- fp = fdopen(fd, "w");
- if (fp == NULL) {
- close(fd);
- fprintf(stderr,
- "unable to open/create pid file: %s\n", file);
- return;
- }
- fprintf(fp, "%d", getpid());
- fclose(fp);
- }
-}
-
-
-static void flushlogs(file, log)
-char *file;
-FILE *log;
-{
- int fd, flushed = 0;
-
- if ((fd = open(file, O_RDWR)) == -1) {
- (void) fprintf(stderr, "%s: open: %s\n",
- file, STRERROR(errno));
- exit(1);
- }
-
- if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
- printf("%d bytes flushed from log buffer\n",
- flushed);
- fflush(stdout);
- } else
- perror("SIOCIPFFB");
- (void) close(fd);
-
- if (flushed) {
- if (opts & OPT_SYSLOG) {
- syslog(LOG_INFO, "%d bytes flushed from log\n",
- flushed);
- } else if ((log != stdout) && (log != NULL)) {
- fprintf(log, "%d bytes flushed from log\n", flushed);
- }
- }
-}
-
-
-static void logopts(turnon, options)
-int turnon;
-char *options;
-{
- int flags = 0;
- char *s;
-
- for (s = options; *s; s++)
- {
- switch (*s)
- {
- case 'N' :
- flags |= OPT_NAT;
- break;
- case 'S' :
- flags |= OPT_STATE;
- break;
- case 'I' :
- flags |= OPT_FILTER;
- break;
- default :
- fprintf(stderr, "Unknown log option %c\n", *s);
- exit(1);
- }
- }
-
- if (turnon)
- opts |= flags;
- else
- opts &= ~(flags);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- struct stat sb;
- FILE *log = stdout;
- FILE *fp;
- int fd[3], doread, n, i;
- int tr, nr, regular[3], c;
- int fdt[3], devices = 0, make_daemon = 0;
- char buf[DEFAULT_IPFLOGSIZE], *iplfile[3], *s;
- extern int optind;
- extern char *optarg;
-
- fd[0] = fd[1] = fd[2] = -1;
- fdt[0] = fdt[1] = fdt[2] = -1;
- iplfile[0] = IPL_NAME;
- iplfile[1] = IPNAT_NAME;
- iplfile[2] = IPSTATE_NAME;
-
- while ((c = getopt(argc, argv,
- "?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
- switch (c)
- {
- case 'a' :
- opts |= OPT_LOGALL;
- fdt[0] = IPL_LOGIPF;
- fdt[1] = IPL_LOGNAT;
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'b' :
- opts |= OPT_LOGBODY;
- break;
- case 'B' :
- binarylogfile = optarg;
- binarylog = fopen(optarg, "a");
- break;
- case 'C' :
- conf_file = optarg;
- break;
- case 'D' :
- make_daemon = 1;
- break;
- case 'f' : case 'I' :
- opts |= OPT_FILTER;
- fdt[0] = IPL_LOGIPF;
- iplfile[0] = optarg;
- break;
- case 'F' :
- flushlogs(iplfile[0], log);
- flushlogs(iplfile[1], log);
- flushlogs(iplfile[2], log);
- break;
- case 'L' :
- logfac = fac_findname(optarg);
- if (logfac == -1) {
- fprintf(stderr,
- "Unknown syslog facility '%s'\n",
- optarg);
- exit(1);
- }
- break;
- case 'n' :
- opts |= OPT_RESOLVE;
- break;
- case 'N' :
- opts |= OPT_NAT;
- fdt[1] = IPL_LOGNAT;
- iplfile[1] = optarg;
- break;
- case 'o' : case 'O' :
- logopts(c == 'o', optarg);
- fdt[0] = fdt[1] = fdt[2] = -1;
- if (opts & OPT_FILTER)
- fdt[0] = IPL_LOGIPF;
- if (opts & OPT_NAT)
- fdt[1] = IPL_LOGNAT;
- if (opts & OPT_STATE)
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'p' :
- opts |= OPT_PORTNUM;
- break;
- case 'P' :
- pidfile = optarg;
- break;
- case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, logfac);
- s = NULL;
- opts |= OPT_SYSLOG;
- log = NULL;
- break;
- case 'S' :
- opts |= OPT_STATE;
- fdt[2] = IPL_LOGSTATE;
- iplfile[2] = optarg;
- break;
- case 't' :
- opts |= OPT_TAIL;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'x' :
- opts |= OPT_HEXBODY;
- break;
- case 'X' :
- opts |= OPT_HEXHDR;
- break;
- default :
- case 'h' :
- case '?' :
- usage(argv[0]);
- }
-
- init_tabs();
- if (conf_file)
- if (load_config(conf_file) == -1)
- exit(1);
-
- /*
- * Default action is to only open the filter log file.
- */
- if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
- fdt[0] = IPL_LOGIPF;
-
- for (i = 0; i < 3; i++) {
- if (fdt[i] == -1)
- continue;
- if (!strcmp(iplfile[i], "-"))
- fd[i] = 0;
- else {
- if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
- (void) fprintf(stderr,
- "%s: open: %s\n", iplfile[i],
- STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (fstat(fd[i], &sb) == -1) {
- (void) fprintf(stderr, "%d: fstat: %s\n",
- fd[i], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (!(regular[i] = !S_ISCHR(sb.st_mode)))
- devices++;
- }
- }
-
- if (!(opts & OPT_SYSLOG)) {
- logfile = argv[optind];
- log = logfile ? fopen(logfile, "a") : stdout;
- if (log == NULL) {
- (void) fprintf(stderr, "%s: fopen: %s\n",
- argv[optind], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setvbuf(log, NULL, _IONBF, 0);
- } else
- log = NULL;
-
- if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
-#if BSD >= 199306
- daemon(0, !(opts & OPT_SYSLOG));
-#else
- int pid;
- if ((pid = fork()) > 0)
- exit(0);
- if (pid < 0) {
- (void) fprintf(stderr, "%s: fork() failed: %s\n",
- argv[0], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setsid();
- if ((opts & OPT_SYSLOG))
- close(2);
-#endif /* !BSD */
- close(0);
- close(1);
- write_pid(pidfile);
- }
-
- signal(SIGHUP, handlehup);
-
- for (doread = 1; doread; ) {
- nr = 0;
-
- for (i = 0; i < 3; i++) {
- tr = 0;
- if (fdt[i] == -1)
- continue;
- if (!regular[i]) {
- if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT,
- "ioctl(FIONREAD): %m");
- else
- perror("ioctl(FIONREAD)");
- exit(1);
- /* NOTREACHED */
- }
- } else {
- tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
- if (!tr && !(opts & OPT_TAIL))
- doread = 0;
- }
- if (!tr)
- continue;
- nr += tr;
- n = 0;
-
- tr = read_log(fd[i], &n, buf, sizeof(buf));
- if (donehup) {
- if (logfile && (fp = fopen(logfile, "a"))) {
- fclose(log);
- log = fp;
- }
- if (binarylogfile &&
- (fp = fopen(binarylogfile, "a"))) {
- fclose(binarylog);
- binarylog = fp;
- }
- init_tabs();
- if (conf_file != NULL)
- load_config(conf_file);
- donehup = 0;
- }
-
- switch (tr)
- {
- case -1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "read: %m\n");
- else
- perror("read");
- doread = 0;
- break;
- case 1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "aborting logging\n");
- else if (log != NULL)
- fprintf(log, "aborting logging\n");
- doread = 0;
- break;
- case 2 :
- break;
- case 0 :
- if (n > 0) {
- print_log(fdt[i], log, buf, n);
- if (!(opts & OPT_SYSLOG))
- fflush(log);
- }
- break;
- }
- }
- if (!nr && ((opts & OPT_TAIL) || devices))
- sleep(1);
- }
- return(0);
- /* NOTREACHED */
-}
diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y
deleted file mode 100644
index bc3ec6d..0000000
--- a/contrib/ipfilter/tools/ipmon_y.y
+++ /dev/null
@@ -1,698 +0,0 @@
-/*
- * Copyright (C) 2001-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include "ipf.h"
-#include <syslog.h>
-#undef OPT_NAT
-#undef OPT_VERBOSE
-#include "ipmon_l.h"
-#include "ipmon.h"
-
-#define YYDEBUG 1
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-typedef struct opt {
- struct opt *o_next;
- int o_line;
- int o_type;
- int o_num;
- char *o_str;
- struct in_addr o_ip;
-} opt_t;
-
-static void build_action __P((struct opt *));
-static opt_t *new_opt __P((int));
-static void free_action __P((ipmon_action_t *));
-
-static ipmon_action_t *alist = NULL;
-%}
-
-%union {
- char *str;
- u_32_t num;
- struct in_addr addr;
- struct opt *opt;
- union i6addr ip6;
-}
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token <ip6> YY_IPV6
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-
-%token IPM_MATCH IPM_BODY IPM_COMMENT IPM_DIRECTION IPM_DSTIP IPM_DSTPORT
-%token IPM_EVERY IPM_EXECUTE IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT
-%token IPM_PACKET IPM_PACKETS IPM_POOL IPM_PROTOCOL IPM_RESULT IPM_RULE
-%token IPM_SECOND IPM_SECONDS IPM_SRCIP IPM_SRCPORT IPM_LOGTAG IPM_WITH
-%token IPM_DO IPM_SAVE IPM_SYSLOG IPM_NOTHING IPM_RAW IPM_TYPE IPM_NAT
-%token IPM_STATE IPM_NATTAG IPM_IPF
-%type <addr> ipv4
-%type <opt> direction dstip dstport every execute group interface
-%type <opt> protocol result rule srcip srcport logtag matching
-%type <opt> matchopt nattag type doopt doing save syslog nothing
-%type <num> saveopts saveopt typeopt
-
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: IPM_MATCH '{' matching '}' IPM_DO '{' doing '}' ';'
- { build_action($3); resetlexer(); }
- | IPM_COMMENT
- | YY_COMMENT
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-matching:
- matchopt { $$ = $1; }
- | matchopt ',' matching { $1->o_next = $3; $$ = $1; }
- ;
-
-matchopt:
- direction { $$ = $1; }
- | dstip { $$ = $1; }
- | dstport { $$ = $1; }
- | every { $$ = $1; }
- | group { $$ = $1; }
- | interface { $$ = $1; }
- | protocol { $$ = $1; }
- | result { $$ = $1; }
- | rule { $$ = $1; }
- | srcip { $$ = $1; }
- | srcport { $$ = $1; }
- | logtag { $$ = $1; }
- | nattag { $$ = $1; }
- | type { $$ = $1; }
- ;
-
-doing:
- doopt { $$ = $1; }
- | doopt ',' doing { $1->o_next = $3; $$ = $1; }
- ;
-
-doopt:
- execute { $$ = $1; }
- | save { $$ = $1; }
- | syslog { $$ = $1; }
- | nothing { $$ = $1; }
- ;
-
-direction:
- IPM_DIRECTION '=' IPM_IN { $$ = new_opt(IPM_DIRECTION);
- $$->o_num = IPM_IN; }
- | IPM_DIRECTION '=' IPM_OUT { $$ = new_opt(IPM_DIRECTION);
- $$->o_num = IPM_OUT; }
- ;
-
-dstip: IPM_DSTIP '=' ipv4 '/' YY_NUMBER { $$ = new_opt(IPM_DSTIP);
- $$->o_ip = $3;
- $$->o_num = $5; }
- ;
-
-dstport:
- IPM_DSTPORT '=' YY_NUMBER { $$ = new_opt(IPM_DSTPORT);
- $$->o_num = $3; }
- | IPM_DSTPORT '=' YY_STR { $$ = new_opt(IPM_DSTPORT);
- $$->o_str = $3; }
- ;
-
-every: IPM_EVERY IPM_SECOND { $$ = new_opt(IPM_SECOND);
- $$->o_num = 1; }
- | IPM_EVERY YY_NUMBER IPM_SECONDS { $$ = new_opt(IPM_SECOND);
- $$->o_num = $2; }
- | IPM_EVERY IPM_PACKET { $$ = new_opt(IPM_PACKET);
- $$->o_num = 1; }
- | IPM_EVERY YY_NUMBER IPM_PACKETS { $$ = new_opt(IPM_PACKET);
- $$->o_num = $2; }
- ;
-
-group: IPM_GROUP '=' YY_NUMBER { $$ = new_opt(IPM_GROUP);
- $$->o_num = $3; }
- | IPM_GROUP '=' YY_STR { $$ = new_opt(IPM_GROUP);
- $$->o_str = $3; }
- ;
-
-interface:
- IPM_INTERFACE '=' YY_STR { $$ = new_opt(IPM_INTERFACE);
- $$->o_str = $3; }
- ;
-
-logtag: IPM_LOGTAG '=' YY_NUMBER { $$ = new_opt(IPM_LOGTAG);
- $$->o_num = $3; }
- ;
-
-nattag: IPM_NATTAG '=' YY_STR { $$ = new_opt(IPM_NATTAG);
- $$->o_str = $3; }
- ;
-
-protocol:
- IPM_PROTOCOL '=' YY_NUMBER { $$ = new_opt(IPM_PROTOCOL);
- $$->o_num = $3; }
- | IPM_PROTOCOL '=' YY_STR { $$ = new_opt(IPM_PROTOCOL);
- $$->o_num = getproto($3);
- free($3);
- }
- ;
-
-result: IPM_RESULT '=' YY_STR { $$ = new_opt(IPM_RESULT);
- $$->o_str = $3; }
- ;
-
-rule: IPM_RULE '=' YY_NUMBER { $$ = new_opt(IPM_RULE);
- $$->o_num = YY_NUMBER; }
- ;
-
-srcip: IPM_SRCIP '=' ipv4 '/' YY_NUMBER { $$ = new_opt(IPM_SRCIP);
- $$->o_ip = $3;
- $$->o_num = $5; }
- ;
-
-srcport:
- IPM_SRCPORT '=' YY_NUMBER { $$ = new_opt(IPM_SRCPORT);
- $$->o_num = $3; }
- | IPM_SRCPORT '=' YY_STR { $$ = new_opt(IPM_SRCPORT);
- $$->o_str = $3; }
- ;
-
-type: IPM_TYPE '=' typeopt { $$ = new_opt(IPM_TYPE);
- $$->o_num = $3; }
- ;
-
-typeopt:
- IPM_IPF { $$ = IPL_MAGIC; }
- | IPM_NAT { $$ = IPL_MAGIC_NAT; }
- | IPM_STATE { $$ = IPL_MAGIC_STATE; }
- ;
-
-execute:
- IPM_EXECUTE YY_STR { $$ = new_opt(IPM_EXECUTE);
- $$->o_str = $2; }
- ;
-
-save: IPM_SAVE saveopts YY_STR { $$ = new_opt(IPM_SAVE);
- $$->o_num = $2;
- $$->o_str = $3; }
- ;
-
-saveopts: { $$ = 0; }
- | saveopt { $$ = $1; }
- | saveopt ',' saveopts { $$ = $1 | $3; }
- ;
-
-saveopt:
- IPM_RAW { $$ = IPMDO_SAVERAW; }
- ;
-
-syslog: IPM_SYSLOG { $$ = new_opt(IPM_SYSLOG); }
- ;
-
-nothing:
- IPM_NOTHING { $$ = 0; }
- ;
-
-ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
- }
-%%
-static struct wordtab yywords[] = {
- { "body", IPM_BODY },
- { "direction", IPM_DIRECTION },
- { "do", IPM_DO },
- { "dstip", IPM_DSTIP },
- { "dstport", IPM_DSTPORT },
- { "every", IPM_EVERY },
- { "execute", IPM_EXECUTE },
- { "group", IPM_GROUP },
- { "in", IPM_IN },
- { "interface", IPM_INTERFACE },
- { "ipf", IPM_IPF },
- { "logtag", IPM_LOGTAG },
- { "match", IPM_MATCH },
- { "nat", IPM_NAT },
- { "nattag", IPM_NATTAG },
- { "no", IPM_NO },
- { "nothing", IPM_NOTHING },
- { "out", IPM_OUT },
- { "packet", IPM_PACKET },
- { "packets", IPM_PACKETS },
- { "protocol", IPM_PROTOCOL },
- { "result", IPM_RESULT },
- { "rule", IPM_RULE },
- { "save", IPM_SAVE },
- { "second", IPM_SECOND },
- { "seconds", IPM_SECONDS },
- { "srcip", IPM_SRCIP },
- { "srcport", IPM_SRCPORT },
- { "state", IPM_STATE },
- { "syslog", IPM_SYSLOG },
- { "with", IPM_WITH },
- { NULL, 0 }
-};
-
-static int macflags[17][2] = {
- { IPM_DIRECTION, IPMAC_DIRECTION },
- { IPM_DSTIP, IPMAC_DSTIP },
- { IPM_DSTPORT, IPMAC_DSTPORT },
- { IPM_GROUP, IPMAC_GROUP },
- { IPM_INTERFACE, IPMAC_INTERFACE },
- { IPM_LOGTAG, IPMAC_LOGTAG },
- { IPM_NATTAG, IPMAC_NATTAG },
- { IPM_PACKET, IPMAC_EVERY },
- { IPM_PROTOCOL, IPMAC_PROTOCOL },
- { IPM_RESULT, IPMAC_RESULT },
- { IPM_RULE, IPMAC_RULE },
- { IPM_SECOND, IPMAC_EVERY },
- { IPM_SRCIP, IPMAC_SRCIP },
- { IPM_SRCPORT, IPMAC_SRCPORT },
- { IPM_TYPE, IPMAC_TYPE },
- { IPM_WITH, IPMAC_WITH },
- { 0, 0 }
-};
-
-static opt_t *new_opt(type)
-int type;
-{
- opt_t *o;
-
- o = (opt_t *)malloc(sizeof(*o));
- o->o_type = type;
- o->o_line = yylineNum;
- o->o_num = 0;
- o->o_str = (char *)0;
- o->o_next = NULL;
- return o;
-}
-
-static void build_action(olist)
-opt_t *olist;
-{
- ipmon_action_t *a;
- opt_t *o;
- char c;
- int i;
-
- a = (ipmon_action_t *)calloc(1, sizeof(*a));
- if (a == NULL)
- return;
- while ((o = olist) != NULL) {
- /*
- * Check to see if the same comparator is being used more than
- * once per matching statement.
- */
- for (i = 0; macflags[i][0]; i++)
- if (macflags[i][0] == o->o_type)
- break;
- if (macflags[i][1] & a->ac_mflag) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- if (o->o_str != NULL)
- free(o->o_str);
- olist = o->o_next;
- free(o);
- continue;
- }
-
- a->ac_mflag |= macflags[i][1];
-
- switch (o->o_type)
- {
- case IPM_DIRECTION :
- a->ac_direction = o->o_num;
- break;
- case IPM_DSTIP :
- a->ac_dip = o->o_ip.s_addr;
- a->ac_dmsk = htonl(0xffffffff << (32 - o->o_num));
- break;
- case IPM_DSTPORT :
- a->ac_dport = htons(o->o_num);
- break;
- case IPM_EXECUTE :
- a->ac_exec = o->o_str;
- c = *o->o_str;
- if (c== '"'|| c == '\'') {
- if (o->o_str[strlen(o->o_str) - 1] == c) {
- a->ac_run = strdup(o->o_str + 1);
- a->ac_run[strlen(a->ac_run) - 1] ='\0';
- } else
- a->ac_run = o->o_str;
- } else
- a->ac_run = o->o_str;
- o->o_str = NULL;
- break;
- case IPM_INTERFACE :
- a->ac_iface = o->o_str;
- o->o_str = NULL;
- break;
- case IPM_GROUP :
- if (o->o_str != NULL)
- strncpy(a->ac_group, o->o_str, FR_GROUPLEN);
- else
- sprintf(a->ac_group, "%d", o->o_num);
- break;
- case IPM_LOGTAG :
- a->ac_logtag = o->o_num;
- break;
- case IPM_NATTAG :
- strncpy(a->ac_nattag, o->o_str, sizeof(a->ac_nattag));
- break;
- case IPM_PACKET :
- a->ac_packet = o->o_num;
- break;
- case IPM_PROTOCOL :
- a->ac_proto = o->o_num;
- break;
- case IPM_RULE :
- a->ac_rule = o->o_num;
- break;
- case IPM_RESULT :
- if (!strcasecmp(o->o_str, "pass"))
- a->ac_result = IPMR_PASS;
- else if (!strcasecmp(o->o_str, "block"))
- a->ac_result = IPMR_BLOCK;
- else if (!strcasecmp(o->o_str, "nomatch"))
- a->ac_result = IPMR_NOMATCH;
- else if (!strcasecmp(o->o_str, "log"))
- a->ac_result = IPMR_LOG;
- break;
- case IPM_SECOND :
- a->ac_second = o->o_num;
- break;
- case IPM_SRCIP :
- a->ac_sip = o->o_ip.s_addr;
- a->ac_smsk = htonl(0xffffffff << (32 - o->o_num));
- break;
- case IPM_SRCPORT :
- a->ac_sport = htons(o->o_num);
- break;
- case IPM_SAVE :
- if (a->ac_savefile != NULL) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_savefile = strdup(o->o_str);
- a->ac_savefp = fopen(o->o_str, "a");
- a->ac_dflag |= o->o_num & IPMDO_SAVERAW;
- break;
- case IPM_SYSLOG :
- if (a->ac_syslog != 0) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_syslog = 1;
- break;
- case IPM_TYPE :
- a->ac_type = o->o_num;
- break;
- case IPM_WITH :
- break;
- default :
- break;
- }
-
- olist = o->o_next;
- if (o->o_str != NULL)
- free(o->o_str);
- free(o);
- }
- a->ac_next = alist;
- alist = a;
-}
-
-
-int check_action(buf, log, opts, lvl)
-char *buf, *log;
-int opts, lvl;
-{
- ipmon_action_t *a;
- struct timeval tv;
- ipflog_t *ipf;
- tcphdr_t *tcp;
- iplog_t *ipl;
- int matched;
- u_long t1;
- ip_t *ip;
-
- matched = 0;
- ipl = (iplog_t *)buf;
- ipf = (ipflog_t *)(ipl +1);
- ip = (ip_t *)(ipf + 1);
- tcp = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
-
- for (a = alist; a != NULL; a = a->ac_next) {
- if ((a->ac_mflag & IPMAC_DIRECTION) != 0) {
- if (a->ac_direction == IPM_IN) {
- if ((ipf->fl_flags & FR_INQUE) == 0)
- continue;
- } else if (a->ac_direction == IPM_OUT) {
- if ((ipf->fl_flags & FR_OUTQUE) == 0)
- continue;
- }
- }
-
- if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic))
- continue;
-
- if ((a->ac_mflag & IPMAC_EVERY) != 0) {
- gettimeofday(&tv, NULL);
- t1 = tv.tv_sec - a->ac_lastsec;
- if (tv.tv_usec <= a->ac_lastusec)
- t1--;
- if (a->ac_second != 0) {
- if (t1 < a->ac_second)
- continue;
- a->ac_lastsec = tv.tv_sec;
- a->ac_lastusec = tv.tv_usec;
- }
-
- if (a->ac_packet != 0) {
- if (a->ac_pktcnt == 0)
- a->ac_pktcnt++;
- else if (a->ac_pktcnt == a->ac_packet) {
- a->ac_pktcnt = 0;
- continue;
- } else {
- a->ac_pktcnt++;
- continue;
- }
- }
- }
-
- if ((a->ac_mflag & IPMAC_DSTIP) != 0) {
- if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_DSTPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
- continue;
- if (tcp->th_dport != a->ac_dport)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_GROUP) != 0) {
- if (strncmp(a->ac_group, ipf->fl_group,
- FR_GROUPLEN) != 0)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_INTERFACE) != 0) {
- if (strcmp(a->ac_iface, ipf->fl_ifname))
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) {
- if (a->ac_proto != ip->ip_p)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_RESULT) != 0) {
- if ((ipf->fl_flags & FF_LOGNOMATCH) != 0) {
- if (a->ac_result != IPMR_NOMATCH)
- continue;
- } else if (FR_ISPASS(ipf->fl_flags)) {
- if (a->ac_result != IPMR_PASS)
- continue;
- } else if (FR_ISBLOCK(ipf->fl_flags)) {
- if (a->ac_result != IPMR_BLOCK)
- continue;
- } else { /* Log only */
- if (a->ac_result != IPMR_LOG)
- continue;
- }
- }
-
- if ((a->ac_mflag & IPMAC_RULE) != 0) {
- if (a->ac_rule != ipf->fl_rule)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_SRCIP) != 0) {
- if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_SRCPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
- continue;
- if (tcp->th_sport != a->ac_sport)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_LOGTAG) != 0) {
- if (a->ac_logtag != ipf->fl_logtag)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_NATTAG) != 0) {
- if (strncmp(a->ac_nattag, ipf->fl_nattag.ipt_tag,
- IPFTAG_LEN) != 0)
- continue;
- }
-
- matched = 1;
-
- /*
- * It matched so now execute the command
- */
- if (a->ac_syslog != 0) {
- syslog(lvl, "%s", log);
- }
-
- if (a->ac_savefp != NULL) {
- if (a->ac_dflag & IPMDO_SAVERAW)
- fwrite(ipl, 1, ipl->ipl_dsize, a->ac_savefp);
- else
- fputs(log, a->ac_savefp);
- }
-
- if (a->ac_exec != NULL) {
- switch (fork())
- {
- case 0 :
- {
- FILE *pi;
-
- pi = popen(a->ac_run, "w");
- if (pi != NULL) {
- fprintf(pi, "%s\n", log);
- if ((opts & OPT_HEXHDR) != 0) {
- dumphex(pi, 0, buf,
- sizeof(*ipl) +
- sizeof(*ipf));
- }
- if ((opts & OPT_HEXBODY) != 0) {
- dumphex(pi, 0, (char *)ip,
- ipf->fl_hlen +
- ipf->fl_plen);
- }
- pclose(pi);
- }
- exit(1);
- }
- case -1 :
- break;
- default :
- break;
- }
- }
- }
-
- return matched;
-}
-
-
-static void free_action(a)
-ipmon_action_t *a;
-{
- if (a->ac_savefile != NULL) {
- free(a->ac_savefile);
- a->ac_savefile = NULL;
- }
- if (a->ac_savefp != NULL) {
- fclose(a->ac_savefp);
- a->ac_savefp = NULL;
- }
- if (a->ac_exec != NULL) {
- free(a->ac_exec);
- if (a->ac_run == a->ac_exec)
- a->ac_run = NULL;
- a->ac_exec = NULL;
- }
- if (a->ac_run != NULL) {
- free(a->ac_run);
- a->ac_run = NULL;
- }
- if (a->ac_iface != NULL) {
- free(a->ac_iface);
- a->ac_iface = NULL;
- }
- a->ac_next = NULL;
- free(a);
-}
-
-
-int load_config(file)
-char *file;
-{
- ipmon_action_t *a;
- FILE *fp;
- char *s;
-
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- while ((a = alist) != NULL) {
- alist = a->ac_next;
- free_action(a);
- }
-
- yylineNum = 1;
-
- (void) yysettab(yywords);
-
- fp = fopen(file, "r");
- if (!fp) {
- perror("load_config:fopen:");
- return -1;
- }
- yyin = fp;
- while (!feof(fp))
- yyparse();
- fclose(fp);
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
deleted file mode 100644
index 038df6d..0000000
--- a/contrib/ipfilter/tools/ipnat.c
+++ /dev/null
@@ -1,576 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/file.h>
-#define _KERNEL
-#include <sys/uio.h>
-#undef _KERNEL
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#if defined(linux)
-# include <linux/a.out.h>
-#else
-# include <nlist.h>
-#endif
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include "kmem.h"
-
-#ifdef __hpux
-# define nlist nlist64
-#endif
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-int use_inet6 = 0;
-char thishost[MAXHOSTNAMELEN];
-
-extern char *optarg;
-
-void dostats __P((int, natstat_t *, int, int));
-void dotable __P((natstat_t *, int, int));
-void flushtable __P((int, int));
-void usage __P((char *));
-int main __P((int, char*[]));
-void showhostmap __P((natstat_t *nsp));
-void natstat_dead __P((natstat_t *, char *));
-void dostats_live __P((int, natstat_t *, int));
-void showhostmap_dead __P((natstat_t *));
-void showhostmap_live __P((int, natstat_t *));
-void dostats_dead __P((natstat_t *, int));
-void showtqtable_live __P((int));
-
-int opts;
-
-void usage(name)
-char *name;
-{
- fprintf(stderr, "Usage: %s [-CFhlnrRsv] [-f filename]\n", name);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- char *file, *core, *kernel;
- natstat_t ns, *nsp;
- int fd, c, mode;
- ipfobj_t obj;
-
- fd = -1;
- opts = 0;
- nsp = &ns;
- file = NULL;
- core = NULL;
- kernel = NULL;
- mode = O_RDWR;
-
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsv")) != -1)
- switch (c)
- {
- case 'C' :
- opts |= OPT_CLEAR;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- file = optarg;
- break;
- case 'F' :
- opts |= OPT_FLUSH;
- break;
- case 'h' :
- opts |=OPT_HITS;
- break;
- case 'l' :
- opts |= OPT_LIST;
- mode = O_RDONLY;
- break;
- case 'M' :
- core = optarg;
- break;
- case 'N' :
- kernel = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- mode = O_RDONLY;
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- mode = O_RDONLY;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- usage(argv[0]);
- }
-
- initparse();
-
- if ((kernel != NULL) || (core != NULL)) {
- (void) setgid(getgid());
- (void) setuid(getuid());
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (((fd = open(IPNAT_NAME, mode)) == -1) &&
- ((fd = open(IPNAT_NAME, O_RDONLY)) == -1)) {
- (void) fprintf(stderr, "%s: open: %s\n", IPNAT_NAME,
- STRERROR(errno));
- exit(1);
- }
- }
-
- bzero((char *)&ns, sizeof(ns));
-
- if ((opts & OPT_DONOTHING) == 0) {
- if (checkrev(IPL_NAME) == -1) {
- fprintf(stderr, "User/kernel version check failed\n");
- exit(1);
- }
- }
-
- if (!(opts & OPT_DONOTHING) && (kernel == NULL) && (core == NULL)) {
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_NATSTAT;
- obj.ipfo_size = sizeof(*nsp);
- obj.ipfo_ptr = (void *)nsp;
- if (ioctl(fd, SIOCGNATS, &obj) == -1) {
- perror("ioctl(SIOCGNATS)");
- exit(1);
- }
- (void) setgid(getgid());
- (void) setuid(getuid());
- } else if ((kernel != NULL) || (core != NULL)) {
- if (openkmem(kernel, core) == -1)
- exit(1);
-
- natstat_dead(nsp, kernel);
- if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 0);
- exit(0);
- }
-
- if (opts & (OPT_FLUSH|OPT_CLEAR))
- flushtable(fd, opts);
- if (file) {
- ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
- }
- if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 1);
- return 0;
-}
-
-
-/*
- * Read NAT statistic information in using a symbol table and memory file
- * rather than doing ioctl's.
- */
-void natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
-{
- struct nlist nat_nlist[10] = {
- { "nat_table" }, /* 0 */
- { "nat_list" },
- { "maptable" },
- { "ipf_nattable_sz" },
- { "ipf_natrules_sz" },
- { "ipf_rdrrules_sz" }, /* 5 */
- { "ipf_hostmap_sz" },
- { "nat_instances" },
- { "ap_sess_list" },
- { NULL }
- };
- void *tables[2];
-
- if (nlist(kernel, nat_nlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- /*
- * Normally the ioctl copies all of these values into the structure
- * for us, before returning it to userland, so here we must copy each
- * one in individually.
- */
- kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
- nsp->ns_table[0] = tables[0];
- nsp->ns_table[1] = tables[1];
-
- kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
- sizeof(nsp->ns_list));
- kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
- sizeof(nsp->ns_maptable));
- kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
- sizeof(nsp->ns_nattab_sz));
- kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
- sizeof(nsp->ns_rultab_sz));
- kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
- sizeof(nsp->ns_rdrtab_sz));
- kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
- sizeof(nsp->ns_hostmap_sz));
- kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
- sizeof(nsp->ns_instances));
- kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
- sizeof(nsp->ns_apslist));
-}
-
-
-/*
- * Issue an ioctl to flush either the NAT rules table or the active mapping
- * table or both.
- */
-void flushtable(fd, opts)
-int fd, opts;
-{
- int n = 0;
-
- if (opts & OPT_FLUSH) {
- n = 0;
- if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCFLNAT)");
- else
- printf("%d entries flushed from NAT table\n", n);
- }
-
- if (opts & OPT_CLEAR) {
- n = 1;
- if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCCNATL)");
- else
- printf("%d entries flushed from NAT list\n", n);
- }
-}
-
-
-/*
- * Display NAT statistics.
- */
-void dostats_dead(nsp, opts)
-natstat_t *nsp;
-int opts;
-{
- nat_t *np, nat;
- ipnat_t ipn;
-
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- break;
- }
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
- }
-
- printf("\nList of active sessions:\n");
-
- for (np = nsp->ns_instances; np; np = nat.nat_next) {
- if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
- break;
- printactivenat(&nat, opts, 0, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
- }
-
- if (opts & OPT_VERBOSE)
- showhostmap_dead(nsp);
-}
-
-
-void dostats(fd, nsp, opts, alive)
-natstat_t *nsp;
-int fd, opts, alive;
-{
- /*
- * Show statistics ?
- */
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- nsp->ns_mapped[0], nsp->ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- nsp->ns_added, nsp->ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
- printf("wilds\t%u\n", nsp->ns_wilds);
- dotable(nsp, fd, alive);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n",
- nsp->ns_table, nsp->ns_list);
- if (alive)
- showtqtable_live(fd);
- }
-
- if (opts & OPT_LIST) {
- if (alive)
- dostats_live(fd, nsp, opts);
- else
- dostats_dead(nsp, opts);
- }
-}
-
-
-void dotable(nsp, fd, alive)
-natstat_t *nsp;
-int fd, alive;
-{
- int sz, i, used, totallen, maxlen, minlen;
- ipftable_t table;
- u_long *buckets;
- ipfobj_t obj;
-
- sz = sizeof(*buckets) * nsp->ns_nattab_sz;
- buckets = (u_long *)malloc(sz);
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GTABLE;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = &table;
-
- table.ita_type = IPFTABLE_BUCKETS_NATIN;
- table.ita_table = buckets;
-
- if (alive) {
- if (ioctl(fd, SIOCGTABL, &obj) != 0) {
- free(buckets);
- return;
- }
- } else {
- if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) {
- free(buckets);
- return;
- }
- }
-
- totallen = 0;
- maxlen = 0;
- minlen = nsp->ns_inuse;
- used = 0;
-
- for (i = 0; i < nsp->ns_nattab_sz; i++) {
- if (buckets[i] > maxlen)
- maxlen = buckets[i];
- if (buckets[i] < minlen)
- minlen = buckets[i];
- if (buckets[i] != 0)
- used++;
- totallen += buckets[i];
- }
-
- printf("hash efficiency\t%2.2f%%\n",
- totallen ? ((float)used / totallen) * 100.0 : 0.0);
- printf("bucket usage\t%2.2f%%\n",
- ((float)used / nsp->ns_nattab_sz) * 100.0);
- printf("minimal length\t%d\n", minlen);
- printf("maximal length\t%d\n", maxlen);
- printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
-}
-
-
-/*
- * Display NAT statistics.
- */
-void dostats_live(fd, nsp, opts)
-natstat_t *nsp;
-int fd, opts;
-{
- ipfgeniter_t iter;
- ipfobj_t obj;
- ipnat_t ipn;
- nat_t nat;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.igi_type = IPFGENITER_IPNAT;
- iter.igi_nitems = 1;
- iter.igi_data = &ipn;
-
- /*
- * Show list of NAT rules and NAT sessions ?
- */
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
- }
-
- printf("\nList of active sessions:\n");
-
- iter.igi_type = IPFGENITER_NAT;
- iter.igi_nitems = 1;
- iter.igi_data = &nat;
-
- while (nsp->ns_instances != NULL) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- printactivenat(&nat, opts, 1, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
- nsp->ns_instances = nat.nat_next;
- }
-
- if (opts & OPT_VERBOSE)
- showhostmap_live(fd, nsp);
-}
-
-
-/*
- * Display the active host mapping table.
- */
-void showhostmap_dead(nsp)
-natstat_t *nsp;
-{
- hostmap_t hm, *hmp, **maptable;
- u_int hv;
-
- printf("\nList of active host mappings:\n");
-
- maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
- nsp->ns_hostmap_sz);
- if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
- sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
- perror("kmemcpy (maptable)");
- return;
- }
-
- for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
- hmp = maptable[hv];
-
- while (hmp) {
- if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
- perror("kmemcpy (hostmap)");
- return;
- }
-
- printhostmap(&hm, hv);
- hmp = hm.hm_next;
- }
- }
- free(maptable);
-}
-
-
-/*
- * Display the active host mapping table.
- */
-void showhostmap_live(fd, nsp)
-int fd;
-natstat_t *nsp;
-{
- ipfgeniter_t iter;
- hostmap_t hm;
- ipfobj_t obj;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.igi_type = IPFGENITER_HOSTMAP;
- iter.igi_nitems = 1;
- iter.igi_data = &hm;
-
- printf("\nList of active host mappings:\n");
-
- while (nsp->ns_maplist != NULL) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- printhostmap(&hm, 0);
- nsp->ns_maplist = hm.hm_next;
- }
-}
-
-
-void showtqtable_live(fd)
-int fd;
-{
- ipftq_t table[IPF_TCP_NSTATES];
- ipfobj_t obj;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = (void *)table;
- obj.ipfo_type = IPFOBJ_STATETQTAB;
-
- if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
- printtqtable(table);
- }
-}
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
deleted file mode 100644
index 6208c98..0000000
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ /dev/null
@@ -1,871 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <syslog.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include "ipnat_l.h"
-
-#define YYDEBUG 1
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-static ipnat_t *nattop = NULL;
-static ipnat_t *nat = NULL;
-static int natfd = -1;
-static ioctlfunc_t natioctlfunc = NULL;
-static addfunc_t nataddfunc = NULL;
-static int suggest_port = 0;
-
-static void newnatrule __P((void));
-static void setnatproto __P((int));
-
-%}
-%union {
- char *str;
- u_32_t num;
- struct in_addr ipa;
- frentry_t fr;
- frtuc_t *frt;
- u_short port;
- struct {
- u_short p1;
- u_short p2;
- int pc;
- } pc;
- struct {
- struct in_addr a;
- struct in_addr m;
- } ipp;
- union i6addr ip6;
-};
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPNY_MAPBLOCK IPNY_RDR IPNY_PORT IPNY_PORTS IPNY_AUTO IPNY_RANGE
-%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
-%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
-%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token IPNY_TLATE
-%type <port> portspec
-%type <num> hexnumber compare range proto
-%type <ipa> hostname ipv4
-%type <ipp> addr nummask rhaddr
-%type <pc> portstuff
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: xx rule { while ((nat = nattop) != NULL) {
- nattop = nat->in_next;
- (*nataddfunc)(natfd, natioctlfunc, nat);
- free(nat);
- }
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-xx: { newnatrule(); }
- ;
-
-rule: map eol
- | mapblock eol
- | redir eol
- ;
-
-eol: | ';'
- ;
-
-map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- ;
-
-mapblock:
- mapblockit ifnames addr IPNY_TLATE addr ports mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- ;
-
-redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
- }
- | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- }
- | rdrit ifnames addr IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- }
- | rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- }
- ;
-
-proxy: | IPNY_PROXY port portspec YY_STR '/' proto
- { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
- if (nat->in_dcmp == 0) {
- nat->in_dport = htons($3);
- } else if ($3 != nat->in_dport) {
- yyerror("proxy port numbers not consistant");
- }
- setnatproto($6);
- free($4);
- }
- | IPNY_PROXY port YY_STR YY_STR '/' proto
- { int pnum;
- strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
- pnum = getportproto($3, $6);
- if (pnum == -1)
- yyerror("invalid port number");
- nat->in_dport = pnum;
- setnatproto($6);
- free($3);
- free($4);
- }
- ;
-
-setproto:
- | proto { if (nat->in_p != 0 ||
- nat->in_flags & IPN_TCPUDP)
- yyerror("protocol set twice");
- setnatproto($1);
- }
- | IPNY_TCPUDP { if (nat->in_p != 0 ||
- nat->in_flags & IPN_TCPUDP)
- yyerror("protocol set twice");
- nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- | IPNY_TCP '/' IPNY_UDP { if (nat->in_p != 0 ||
- nat->in_flags & IPN_TCPUDP)
- yyerror("protocol set twice");
- nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- ;
-
-rhaddr: addr { $$.a = $1.a; $$.m = $1.m; }
- | IPNY_RANGE ipv4 '-' ipv4
- { $$.a = $2; $$.m = $4;
- nat->in_flags |= IPN_IPRANGE; }
- ;
-
-dip:
- hostname { nat->in_inip = $1.s_addr;
- nat->in_inmsk = 0xffffffff; }
- | hostname '/' YY_NUMBER { if ($3 != 0 || $1.s_addr != 0)
- yyerror("Only 0/0 supported");
- nat->in_inip = 0;
- nat->in_inmsk = 0;
- }
- | hostname ',' hostname { nat->in_flags |= IPN_SPLIT;
- nat->in_inip = $1.s_addr;
- nat->in_inmsk = $3.s_addr; }
- ;
-
-port: IPNY_PORT { suggest_port = 1; }
- ;
-
-portspec:
- YY_NUMBER { if ($1 > 65535) /* Unsigned */
- yyerror("invalid port number");
- else
- $$ = $1;
- }
- | YY_STR { if (getport(NULL, $1, &($$)) == -1)
- yyerror("invalid port number");
- $$ = ntohs($$);
- }
- ;
-
-dport: | port portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($2); }
- | port portspec '-' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
- | port portspec ':' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
- ;
-
-nport: port portspec { nat->in_pnext = htons($2); }
- | port '=' portspec { nat->in_pnext = htons($3);
- nat->in_flags |= IPN_FIXEDDPORT;
- }
- ;
-
-ports: | IPNY_PORTS YY_NUMBER { nat->in_pmin = $2; }
- | IPNY_PORTS IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; }
- ;
-
-mapit: IPNY_MAP { nat->in_redir = NAT_MAP; }
- | IPNY_BIMAP { nat->in_redir = NAT_BIMAP; }
- ;
-
-rdrit: IPNY_RDR { nat->in_redir = NAT_REDIRECT; }
- ;
-
-mapblockit:
- IPNY_MAPBLOCK { nat->in_redir = NAT_MAPBLK; }
- ;
-
-mapfrom:
- from sobject IPNY_TO dobject
- | from sobject '!' IPNY_TO dobject
- { nat->in_flags |= IPN_NOTDST; }
- | from sobject IPNY_TO '!' dobject
- { nat->in_flags |= IPN_NOTDST; }
- ;
-
-rdrfrom:
- from sobject IPNY_TO dobject
- | '!' from sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
- | from '!' sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
- ;
-
-from: IPNY_FROM { nat->in_flags |= IPN_FILTER; }
- ;
-
-ifnames:
- ifname
- | ifname ',' otherifname
- ;
-
-ifname: YY_STR { strncpy(nat->in_ifnames[0], $1,
- sizeof(nat->in_ifnames[0]));
- nat->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
- ;
-
-otherifname:
- YY_STR { strncpy(nat->in_ifnames[1], $1,
- sizeof(nat->in_ifnames[1]));
- nat->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
- ;
-
-mapport:
- IPNY_PORTMAP tcpudp portspec ':' portspec
- { nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
- }
- | IPNY_PORTMAP tcpudp IPNY_AUTO
- { nat->in_flags |= IPN_AUTOPORTMAP;
- nat->in_pmin = htons(1024);
- nat->in_pmax = htons(65535);
- }
- | IPNY_ICMPIDMAP YY_STR YY_NUMBER ':' YY_NUMBER
- { if (strcmp($2, "icmp") != 0) {
- yyerror("icmpidmap not followed by icmp");
- }
- free($2);
- if ($3 < 0 || $3 > 65535)
- yyerror("invalid ICMP Id number");
- if ($5 < 0 || $5 > 65535)
- yyerror("invalid ICMP Id number");
- nat->in_flags = IPN_ICMPQUERY;
- nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
- }
- ;
-
-sobject:
- saddr
- | saddr port portstuff { nat->in_sport = $3.p1;
- nat->in_stop = $3.p2;
- nat->in_scmp = $3.pc; }
- ;
-
-saddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
- } else {
- nat->in_inip = $1.a.s_addr;
- nat->in_inmsk = $1.m.s_addr;
- }
- }
- ;
-
-dobject:
- daddr
- | daddr port portstuff { nat->in_dport = $3.p1;
- nat->in_dtop = $3.p2;
- nat->in_dcmp = $3.pc;
- if (nat->in_redir == NAT_REDIRECT)
- nat->in_pmin = htons($3.p1);
- }
- ;
-
-daddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_outip = $1.a.s_addr;
- nat->in_outmsk = $1.m.s_addr;
- } else {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
- }
- }
- ;
-
-addr: IPNY_ANY { $$.a.s_addr = 0; $$.m.s_addr = 0; }
- | nummask { $$.a = $1.a; $$.m = $1.m;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
- ;
-
-nummask:
- hostname { $$.a = $1;
- $$.m.s_addr = 0xffffffff; }
- | hostname '/' YY_NUMBER { $$.a = $1;
- ntomask(4, $3, &$$.m.s_addr); }
- ;
-
-portstuff:
- compare portspec { $$.pc = $1; $$.p1 = $2; }
- | portspec range portspec { $$.pc = $2; $$.p1 = $1; $$.p2 = $3; }
- ;
-
-mapoptions:
- rr frag age mssclamp nattag setproto
- ;
-
-rdroptions:
- rr frag age sticky mssclamp rdrproxy nattag
- ;
-
-nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
- sizeof(nat->in_tag.ipt_tag));
- }
-rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
- ;
-
-frag: | IPNY_FRAG { nat->in_flags |= IPN_FRAG; }
- ;
-
-age: | IPNY_AGE YY_NUMBER { nat->in_age[0] = $2;
- nat->in_age[1] = $2; }
- | IPNY_AGE YY_NUMBER '/' YY_NUMBER { nat->in_age[0] = $2;
- nat->in_age[1] = $4; }
- ;
-
-sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
- !(nat->in_flags & IPN_SPLIT)) {
- fprintf(stderr,
- "'sticky' for use with round-robin/IP splitting only\n");
- } else
- nat->in_flags |= IPN_STICKY;
- }
- ;
-
-mssclamp:
- | IPNY_MSSCLAMP YY_NUMBER { nat->in_mssclamp = $2; }
- ;
-
-tcpudp: | IPNY_TCP { setnatproto(IPPROTO_TCP); }
- | IPNY_UDP { setnatproto(IPPROTO_UDP); }
- | IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- | IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- ;
-
-rdrproxy:
- IPNY_PROXY YY_STR
- { strncpy(nat->in_plabel, $2,
- sizeof(nat->in_plabel));
- nat->in_dport = nat->in_pnext;
- nat->in_dport = htons(nat->in_dport);
- free($2);
- }
- | proxy { if (nat->in_plabel[0] != '\0') {
- nat->in_pmin = nat->in_dport;
- nat->in_pmax = nat->in_pmin;
- nat->in_pnext = nat->in_pmin;
- }
- }
- ;
-
-proto: YY_NUMBER { $$ = $1;
- if ($$ != IPPROTO_TCP &&
- $$ != IPPROTO_UDP)
- suggest_port = 0;
- }
- | IPNY_TCP { $$ = IPPROTO_TCP; }
- | IPNY_UDP { $$ = IPPROTO_UDP; }
- | YY_STR { $$ = getproto($1); free($1);
- if ($$ != IPPROTO_TCP &&
- $$ != IPPROTO_UDP)
- suggest_port = 0;
- }
- ;
-
-hexnumber:
- YY_HEX { $$ = $1; }
- ;
-
-hostname:
- YY_STR { if (gethost($1, &$$.s_addr) == -1)
- fprintf(stderr,
- "Unknown host '%s'\n",
- $1);
- free($1);
- }
- | YY_NUMBER { $$.s_addr = htonl($1); }
- | ipv4 { $$.s_addr = $1.s_addr; }
- ;
-
-compare:
- '=' { $$ = FR_EQUAL; }
- | YY_CMP_EQ { $$ = FR_EQUAL; }
- | YY_CMP_NE { $$ = FR_NEQUAL; }
- | YY_CMP_LT { $$ = FR_LESST; }
- | YY_CMP_LE { $$ = FR_LESSTE; }
- | YY_CMP_GT { $$ = FR_GREATERT; }
- | YY_CMP_GE { $$ = FR_GREATERTE; }
-
-range:
- YY_RANGE_OUT { $$ = FR_OUTRANGE; }
- | YY_RANGE_IN { $$ = FR_INRANGE; }
- | ':' { $$ = FR_INCRANGE; }
- ;
-
-ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-
-%%
-
-
-static wordtab_t yywords[] = {
- { "age", IPNY_AGE },
- { "any", IPNY_ANY },
- { "auto", IPNY_AUTO },
- { "bimap", IPNY_BIMAP },
- { "frag", IPNY_FRAG },
- { "from", IPNY_FROM },
- { "icmpidmap", IPNY_ICMPIDMAP },
- { "mask", IPNY_MASK },
- { "map", IPNY_MAP },
- { "map-block", IPNY_MAPBLOCK },
- { "mssclamp", IPNY_MSSCLAMP },
- { "netmask", IPNY_MASK },
- { "port", IPNY_PORT },
- { "portmap", IPNY_PORTMAP },
- { "ports", IPNY_PORTS },
- { "proxy", IPNY_PROXY },
- { "range", IPNY_RANGE },
- { "rdr", IPNY_RDR },
- { "round-robin",IPNY_ROUNDROBIN },
- { "sticky", IPNY_STICKY },
- { "tag", IPNY_TAG },
- { "tcp", IPNY_TCP },
- { "tcpudp", IPNY_TCPUDP },
- { "to", IPNY_TO },
- { "udp", IPNY_UDP },
- { "-", '-' },
- { "->", IPNY_TLATE },
- { "eq", YY_CMP_EQ },
- { "ne", YY_CMP_NE },
- { "lt", YY_CMP_LT },
- { "gt", YY_CMP_GT },
- { "le", YY_CMP_LE },
- { "ge", YY_CMP_GE },
- { NULL, 0 }
-};
-
-
-int ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-char *filename;
-{
- FILE *fp = NULL;
- char *s;
-
- (void) yysettab(yywords);
-
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (!fp) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ipnat_parsesome(fd, addfunc, ioctlfunc, fp) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-FILE *fp;
-{
- char *s;
- int i;
-
- yylineNum = 1;
-
- natfd = fd;
- nataddfunc = addfunc;
- natioctlfunc = ioctlfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == EOF)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static void newnatrule()
-{
- ipnat_t *n;
-
- n = calloc(1, sizeof(*n));
- if (n == NULL)
- return;
-
- if (nat == NULL)
- nattop = nat = n;
- else {
- nat->in_next = n;
- nat = n;
- }
-
- suggest_port = 0;
-}
-
-
-static void setnatproto(p)
-int p;
-{
- nat->in_p = p;
-
- switch (p)
- {
- case IPPROTO_TCP :
- nat->in_flags |= IPN_TCP;
- nat->in_flags &= ~IPN_UDP;
- break;
- case IPPROTO_UDP :
- nat->in_flags |= IPN_UDP;
- nat->in_flags &= ~IPN_TCP;
- break;
- case IPPROTO_ICMP :
- nat->in_flags &= ~IPN_TCPUDP;
- if (!(nat->in_flags & IPN_ICMPQUERY)) {
- nat->in_dcmp = 0;
- nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
- }
- break;
- default :
- if ((nat->in_redir & NAT_MAPBLK) == 0) {
- nat->in_flags &= ~IPN_TCPUDP;
- nat->in_dcmp = 0;
- nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
- }
- break;
- }
-
- if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT)
- nat->in_flags &= ~IPN_FIXEDDPORT;
-}
-
-
-void ipnat_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- ioctlcmd_t add, del;
- ipfobj_t obj;
- ipnat_t *ipn;
-
- ipn = ptr;
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(ipnat_t);
- obj.ipfo_type = IPFOBJ_IPNAT;
- obj.ipfo_ptr = ptr;
- add = 0;
- del = 0;
-
- if ((opts & OPT_DONOTHING) != 0)
- fd = -1;
-
- if (opts & OPT_ZERORULEST) {
- add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = SIOCADNAT;
- del = SIOCRMNAT;
- } else {
- add = SIOCADNAT;
- del = SIOCRMNAT;
- }
-
- if ((opts & OPT_VERBOSE) != 0)
- printnat(ipn, opts);
-
- if (opts & OPT_DEBUG)
- binprint(ipn, sizeof(*ipn));
-
- if ((opts & OPT_ZERORULEST) != 0) {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
- }
- } else {
-#ifdef USE_QUAD_T
-/*
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-*/
-#else
-/*
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-*/
-#endif
- printnat(ipn, opts);
- }
- } else if ((opts & OPT_REMOVE) != 0) {
- if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete nat rule)");
- }
- }
- } else {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert nat rule)");
- }
- }
- }
-}
diff --git a/contrib/ipfilter/tools/ippool.c b/contrib/ipfilter/tools/ippool.c
deleted file mode 100644
index cbdfd69..0000000
--- a/contrib/ipfilter/tools/ippool.c
+++ /dev/null
@@ -1,876 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#if defined(BSD) && (BSD >= 199306)
-# include <sys/cdefs.h>
-#endif
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <unistd.h>
-#ifdef linux
-# include <linux/a.out.h>
-#else
-# include <nlist.h>
-#endif
-
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "kmem.h"
-
-
-extern int ippool_yyparse __P((void));
-extern int ippool_yydebug;
-extern FILE *ippool_yyin;
-extern char *optarg;
-extern int lineNum;
-
-void usage __P((char *));
-int main __P((int, char **));
-int poolcommand __P((int, int, char *[]));
-int poolnodecommand __P((int, int, char *[]));
-int loadpoolfile __P((int, char *[], char *));
-int poollist __P((int, char *[]));
-void poollist_dead __P((int, char *, int, char *, char *));
-void poollist_live __P((int, char *, int, int));
-int poolflush __P((int, char *[]));
-int poolstats __P((int, char *[]));
-int gettype __P((char *, u_int *));
-int getrole __P((char *));
-int setnodeaddr __P((ip_pool_node_t *node, char *arg));
-void showpools_live __P((int, int, ip_pool_stat_t *, char *));
-void showhashs_live __P((int, int, iphtstat_t *, char *));
-
-int opts = 0;
-int fd = -1;
-int use_inet6 = 0;
-
-
-void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage:\t%s\n", prog);
- fprintf(stderr, "\t\t\t-a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-f <file> [-dnuv]\n");
- fprintf(stderr, "\t\t\t-F [-dv] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-l [-dv] [-m <name>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-s [-dtv] [-M <core>] [-N <namelist>]\n");
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int err;
-
- if (argc < 2)
- usage(argv[0]);
-
- switch (getopt(argc, argv, "aAf:FlrRs"))
- {
- case 'a' :
- err = poolnodecommand(0, argc, argv);
- break;
- case 'A' :
- err = poolcommand(0, argc, argv);
- break;
- case 'f' :
- err = loadpoolfile(argc, argv, optarg);
- break;
- case 'F' :
- err = poolflush(argc, argv);
- break;
- case 'l' :
- err = poollist(argc, argv);
- break;
- case 'r' :
- err = poolnodecommand(1, argc, argv);
- break;
- case 'R' :
- err = poolcommand(1, argc, argv);
- break;
- case 's' :
- err = poolstats(argc, argv);
- break;
- default :
- exit(1);
- }
-
- if (err != 0)
- exit(1);
- return 0;
-}
-
-
-int poolnodecommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
-{
- int err, c, ipset, role;
- char *poolname = NULL;
- ip_pool_node_t node;
-
- ipset = 0;
- role = IPL_LOGIPF;
- bzero((char *)&node, sizeof(node));
-
- while ((c = getopt(argc, argv, "di:m:no:Rv")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- ippool_yydebug++;
- break;
- case 'i' :
- if (setnodeaddr(&node, optarg) == 0)
- ipset = 1;
- break;
- case 'm' :
- poolname = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE)
- return -1;
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (argv[optind] != NULL && ipset == 0) {
- if (setnodeaddr(&node, argv[optind]) == 0)
- ipset = 1;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolnodecommand: opts = %#x\n", opts);
-
- if (ipset == 0) {
- fprintf(stderr, "no IP address given with -i\n");
- return -1;
- }
-
- if (poolname == NULL) {
- fprintf(stderr, "poolname not given with add/remove node\n");
- return -1;
- }
-
- if (remove == 0)
- err = load_poolnode(0, poolname, &node, ioctl);
- else
- err = remove_poolnode(0, poolname, &node, ioctl);
- return err;
-}
-
-
-int poolcommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
-{
- int type, role, c, err;
- char *poolname;
- iphtable_t iph;
- ip_pool_t pool;
-
- err = 1;
- role = 0;
- type = 0;
- poolname = NULL;
- role = IPL_LOGIPF;
- bzero((char *)&iph, sizeof(iph));
- bzero((char *)&pool, sizeof(pool));
-
- while ((c = getopt(argc, argv, "dm:no:RSt:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- ippool_yydebug++;
- break;
- case 'm' :
- poolname = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'S' :
- iph.iph_seed = atoi(optarg);
- break;
- case 't' :
- type = gettype(optarg, &iph.iph_type);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolcommand: opts = %#x\n", opts);
-
- if (poolname == NULL) {
- fprintf(stderr, "poolname not given with add/remove pool\n");
- return -1;
- }
-
- if (type == IPLT_HASH) {
- strncpy(iph.iph_name, poolname, sizeof(iph.iph_name));
- iph.iph_name[sizeof(iph.iph_name) - 1] = '\0';
- iph.iph_unit = role;
- } else if (type == IPLT_POOL) {
- strncpy(pool.ipo_name, poolname, sizeof(pool.ipo_name));
- pool.ipo_name[sizeof(pool.ipo_name) - 1] = '\0';
- pool.ipo_unit = role;
- }
-
- if (remove == 0) {
- switch (type)
- {
- case IPLT_HASH :
- err = load_hash(&iph, NULL, ioctl);
- break;
- case IPLT_POOL :
- err = load_pool(&pool, ioctl);
- break;
- }
- } else {
- switch (type)
- {
- case IPLT_HASH :
- err = remove_hash(&iph, ioctl);
- break;
- case IPLT_POOL :
- err = remove_pool(&pool, ioctl);
- break;
- }
- }
- return err;
-}
-
-
-int loadpoolfile(argc, argv, infile)
-int argc;
-char *argv[], *infile;
-{
- int c;
-
- infile = optarg;
-
- while ((c = getopt(argc, argv, "dnRuv")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- ippool_yydebug++;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'u' :
- opts |= OPT_REMOVE;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "loadpoolfile: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- if (ippool_parsefile(fd, infile, ioctl) != 0)
- return -1;
- return 0;
-}
-
-
-int poolstats(argc, argv)
-int argc;
-char *argv[];
-{
- int c, type, role, live_kernel;
- ip_pool_stat_t plstat;
- char *kernel, *core;
- iphtstat_t htstat;
- iplookupop_t op;
-
- core = NULL;
- kernel = NULL;
- live_kernel = 1;
- type = IPLT_ALL;
- role = IPL_LOGALL;
-
- bzero((char *)&op, sizeof(op));
-
- while ((c = getopt(argc, argv, "dM:N:o:t:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'M' :
- live_kernel = 0;
- core = optarg;
- break;
- case 'N' :
- live_kernel = 0;
- kernel = optarg;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 't' :
- type = gettype(optarg, NULL);
- if (type != IPLT_POOL) {
- fprintf(stderr,
- "-s not supported for this type yet\n");
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolstats: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- if (type == IPLT_ALL || type == IPLT_POOL) {
- op.iplo_type = IPLT_POOL;
- op.iplo_struct = &plstat;
- op.iplo_size = sizeof(plstat);
- if (!(opts & OPT_DONOTHING)) {
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return -1;
- }
- printf("Pools:\t%lu\n", plstat.ipls_pools);
- printf("Nodes:\t%lu\n", plstat.ipls_nodes);
- }
- }
-
- if (type == IPLT_ALL || type == IPLT_HASH) {
- op.iplo_type = IPLT_HASH;
- op.iplo_struct = &htstat;
- op.iplo_size = sizeof(htstat);
- if (!(opts & OPT_DONOTHING)) {
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return -1;
- }
- printf("Hash Tables:\t%lu\n", htstat.iphs_numtables);
- printf("Nodes:\t%lu\n", htstat.iphs_numnodes);
- printf("Out of Memory:\t%lu\n", htstat.iphs_nomem);
- }
- }
- return 0;
-}
-
-
-int poolflush(argc, argv)
-int argc;
-char *argv[];
-{
- int c, role, type, arg;
- iplookupflush_t flush;
-
- arg = IPLT_ALL;
- type = IPLT_ALL;
- role = IPL_LOGALL;
-
- while ((c = getopt(argc, argv, "do:t:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 't' :
- type = gettype(optarg, NULL);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolflush: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- bzero((char *)&flush, sizeof(flush));
- flush.iplf_type = type;
- flush.iplf_unit = role;
- flush.iplf_arg = arg;
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCLOOKUPFLUSH, &flush) == -1) {
- perror("ioctl(SIOCLOOKUPFLUSH)");
- exit(1);
- }
-
- }
- printf("%u object%s flushed\n", flush.iplf_count,
- (flush.iplf_count == 1) ? "" : "s");
-
- return 0;
-}
-
-
-int getrole(rolename)
-char *rolename;
-{
- int role;
-
- if (!strcasecmp(rolename, "ipf")) {
- role = IPL_LOGIPF;
-#if 0
- } else if (!strcasecmp(rolename, "nat")) {
- role = IPL_LOGNAT;
- } else if (!strcasecmp(rolename, "state")) {
- role = IPL_LOGSTATE;
- } else if (!strcasecmp(rolename, "auth")) {
- role = IPL_LOGAUTH;
- } else if (!strcasecmp(rolename, "sync")) {
- role = IPL_LOGSYNC;
- } else if (!strcasecmp(rolename, "scan")) {
- role = IPL_LOGSCAN;
- } else if (!strcasecmp(rolename, "pool")) {
- role = IPL_LOGLOOKUP;
- } else if (!strcasecmp(rolename, "count")) {
- role = IPL_LOGCOUNT;
-#endif
- } else {
- role = IPL_LOGNONE;
- }
-
- return role;
-}
-
-
-int gettype(typename, minor)
-char *typename;
-u_int *minor;
-{
- int type;
-
- if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) {
- type = IPLT_POOL;
- } else if (!strcasecmp(optarg, "hash")) {
- type = IPLT_HASH;
- if (minor != NULL)
- *minor = IPHASH_LOOKUP;
- } else if (!strcasecmp(optarg, "group-map")) {
- type = IPLT_HASH;
- if (minor != NULL)
- *minor = IPHASH_GROUPMAP;
- } else {
- type = IPLT_NONE;
- }
- return type;
-}
-
-
-int poollist(argc, argv)
-int argc;
-char *argv[];
-{
- char *kernel, *core, *poolname;
- int c, role, type, live_kernel;
- iplookupop_t op;
-
- core = NULL;
- kernel = NULL;
- live_kernel = 1;
- type = IPLT_ALL;
- poolname = NULL;
- role = IPL_LOGALL;
-
- while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'm' :
- poolname = optarg;
- break;
- case 'M' :
- live_kernel = 0;
- core = optarg;
- break;
- case 'N' :
- live_kernel = 0;
- kernel = optarg;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 't' :
- type = gettype(optarg, NULL);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poollist: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- bzero((char *)&op, sizeof(op));
- if (poolname != NULL) {
- strncpy(op.iplo_name, poolname, sizeof(op.iplo_name));
- op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
- }
- op.iplo_unit = role;
-
- if (live_kernel)
- poollist_live(role, poolname, type, fd);
- else
- poollist_dead(role, poolname, type, kernel, core);
- return 0;
-}
-
-
-void poollist_dead(role, poolname, type, kernel, core)
-int role, type;
-char *poolname, *kernel, *core;
-{
- iphtable_t *hptr;
- ip_pool_t *ptr;
-
- if (openkmem(kernel, core) == -1)
- exit(-1);
-
- if (type == IPLT_ALL || type == IPLT_POOL) {
- ip_pool_t *pools[IPL_LOGSIZE];
- struct nlist names[2] = { { "ip_pool_list" } , { "" } };
-
- if (nlist(kernel, names) != 1)
- return;
-
- bzero(&pools, sizeof(pools));
- if (kmemcpy((char *)&pools, names[0].n_value, sizeof(pools)))
- return;
-
- if (role != IPL_LOGALL) {
- ptr = pools[role];
- while (ptr != NULL) {
- ptr = printpool(ptr, kmemcpywrap, poolname,
- opts);
- }
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
- ptr = pools[role];
- while (ptr != NULL) {
- ptr = printpool(ptr, kmemcpywrap,
- poolname, opts);
- }
- }
- role = IPL_LOGALL;
- }
- }
- if (type == IPLT_ALL || type == IPLT_HASH) {
- iphtable_t *tables[IPL_LOGSIZE];
- struct nlist names[2] = { { "ipf_htables" } , { "" } };
-
- if (nlist(kernel, names) != 1)
- return;
-
- bzero(&tables, sizeof(tables));
- if (kmemcpy((char *)&tables, names[0].n_value, sizeof(tables)))
- return;
-
- if (role != IPL_LOGALL) {
- hptr = tables[role];
- while (hptr != NULL) {
- hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
- }
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
- hptr = tables[role];
- while (hptr != NULL) {
- hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
- }
- }
- }
- }
-}
-
-
-void poollist_live(role, poolname, type, fd)
-int role, type, fd;
-char *poolname;
-{
- ip_pool_stat_t plstat;
- iphtstat_t htstat;
- iplookupop_t op;
- int c;
-
- if (type == IPLT_ALL || type == IPLT_POOL) {
- op.iplo_type = IPLT_POOL;
- op.iplo_size = sizeof(plstat);
- op.iplo_struct = &plstat;
- op.iplo_name[0] = '\0';
- op.iplo_arg = 0;
-
- if (role != IPL_LOGALL) {
- op.iplo_unit = role;
-
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
-
- showpools_live(fd, role, &plstat, poolname);
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
- op.iplo_unit = role;
-
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
-
- showpools_live(fd, role, &plstat, poolname);
- }
-
- role = IPL_LOGALL;
- }
- }
-
- if (type == IPLT_ALL || type == IPLT_HASH) {
- op.iplo_type = IPLT_HASH;
- op.iplo_size = sizeof(htstat);
- op.iplo_struct = &htstat;
- op.iplo_name[0] = '\0';
- op.iplo_arg = 0;
-
- if (role != IPL_LOGALL) {
- op.iplo_unit = role;
-
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
- showhashs_live(fd, role, &htstat, poolname);
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
-
- op.iplo_unit = role;
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
-
- showhashs_live(fd, role, &htstat, poolname);
- }
- }
- }
-}
-
-
-void showpools_live(fd, role, plstp, poolname)
-int fd, role;
-ip_pool_stat_t *plstp;
-char *poolname;
-{
- ipflookupiter_t iter;
- ip_pool_t pool;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_LOOKUPITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.ili_type = IPLT_POOL;
- iter.ili_otype = IPFLOOKUPITER_LIST;
- iter.ili_ival = IPFGENITER_LOOKUP;
- iter.ili_nitems = 1;
- iter.ili_data = &pool;
- iter.ili_unit = role;
- *iter.ili_name = '\0';
-
- while (plstp->ipls_list[role] != NULL) {
- if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
- break;
- }
- printpool_live(&pool, fd, poolname, opts);
-
- plstp->ipls_list[role] = pool.ipo_next;
- }
-}
-
-
-void showhashs_live(fd, role, htstp, poolname)
-int fd, role;
-iphtstat_t *htstp;
-char *poolname;
-{
- ipflookupiter_t iter;
- iphtable_t table;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_LOOKUPITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.ili_type = IPLT_HASH;
- iter.ili_otype = IPFLOOKUPITER_LIST;
- iter.ili_ival = IPFGENITER_LOOKUP;
- iter.ili_nitems = 1;
- iter.ili_data = &table;
- iter.ili_unit = role;
- *iter.ili_name = '\0';
-
- while (htstp->iphs_tables != NULL) {
- if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
- break;
- }
-
- printhash_live(&table, fd, poolname, opts);
-
- htstp->iphs_tables = table.iph_next;
- }
-}
-
-
-int setnodeaddr(ip_pool_node_t *node, char *arg)
-{
- struct in_addr mask;
- char *s;
-
- s = strchr(arg, '/');
- if (s == NULL)
- mask.s_addr = 0xffffffff;
- else if (strchr(s, '.') == NULL) {
- if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0)
- return -1;
- } else {
- mask.s_addr = inet_addr(s + 1);
- }
- if (s != NULL)
- *s = '\0';
- node->ipn_addr.adf_len = sizeof(node->ipn_addr);
- node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
- node->ipn_mask.adf_len = sizeof(node->ipn_mask);
- node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
-
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y
deleted file mode 100644
index 4aa5108..0000000
--- a/contrib/ipfilter/tools/ippool_y.y
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#if defined(BSD) && (BSD >= 199306)
-# include <sys/cdefs.h>
-#endif
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <unistd.h>
-
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "ippool_l.h"
-#include "kmem.h"
-
-#define YYDEBUG 1
-#define YYSTACKSIZE 0x00ffffff
-
-extern int yyparse __P((void));
-extern int yydebug;
-extern FILE *yyin;
-
-static iphtable_t ipht;
-static iphtent_t iphte;
-static ip_pool_t iplo;
-static ioctlfunc_t poolioctl = NULL;
-static char poolname[FR_GROUPLEN];
-
-static iphtent_t *add_htablehosts __P((char *));
-static ip_pool_node_t *add_poolhosts __P((char *));
-
-%}
-
-%union {
- char *str;
- u_32_t num;
- struct in_addr addr;
- struct alist_s *alist;
- struct in_addr adrmsk[2];
- iphtent_t *ipe;
- ip_pool_node_t *ipp;
- union i6addr ip6;
-}
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT
-%token IPT_TABLE IPT_GROUPMAP IPT_HASH
-%token IPT_ROLE IPT_TYPE IPT_TREE
-%token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME
-%type <num> role table inout
-%type <ipp> ipftree range addrlist
-%type <adrmsk> addrmask
-%type <ipe> ipfgroup ipfhash hashlist hashentry
-%type <ipe> groupentry setgrouplist grouplist
-%type <addr> ipaddr mask ipv4
-%type <str> number setgroup
-
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: table role ipftree eol { iplo.ipo_unit = $2;
- iplo.ipo_list = $3;
- load_pool(&iplo, poolioctl);
- resetlexer();
- }
- | table role ipfhash eol { ipht.iph_unit = $2;
- ipht.iph_type = IPHASH_LOOKUP;
- load_hash(&ipht, $3, poolioctl);
- resetlexer();
- }
- | groupmap role number ipfgroup eol
- { ipht.iph_unit = $2;
- strncpy(ipht.iph_name, $3,
- sizeof(ipht.iph_name));
- ipht.iph_type = IPHASH_GROUPMAP;
- load_hash(&ipht, $4, poolioctl);
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-eol: ';'
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
- bzero((char *)&iphte, sizeof(iphte));
- bzero((char *)&iplo, sizeof(iplo));
- *ipht.iph_name = '\0';
- iplo.ipo_flags = IPHASH_ANON;
- iplo.ipo_name[0] = '\0';
- }
- ;
-
-groupmap:
- IPT_GROUPMAP inout { bzero((char *)&ipht, sizeof(ipht));
- bzero((char *)&iphte, sizeof(iphte));
- *ipht.iph_name = '\0';
- ipht.iph_unit = IPHASH_GROUPMAP;
- ipht.iph_flags = $2;
- }
- ;
-
-inout: IPT_IN { $$ = FR_INQUE; }
- | IPT_OUT { $$ = FR_OUTQUE; }
- ;
-role:
- IPT_ROLE '=' IPT_IPF { $$ = IPL_LOGIPF; }
- | IPT_ROLE '=' IPT_NAT { $$ = IPL_LOGNAT; }
- | IPT_ROLE '=' IPT_AUTH { $$ = IPL_LOGAUTH; }
- | IPT_ROLE '=' IPT_COUNT { $$ = IPL_LOGCOUNT; }
- ;
-
-ipftree:
- IPT_TYPE '=' IPT_TREE number start addrlist end
- { strncpy(iplo.ipo_name, $4,
- sizeof(iplo.ipo_name));
- $$ = $6;
- }
- ;
-
-ipfhash:
- IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
- { strncpy(ipht.iph_name, $4,
- sizeof(ipht.iph_name));
- $$ = $7;
- }
- ;
-
-ipfgroup:
- setgroup hashopts start grouplist end
- { iphtent_t *e;
- for (e = $4; e != NULL;
- e = e->ipe_next)
- if (e->ipe_group[0] == '\0')
- strncpy(e->ipe_group,
- $1,
- FR_GROUPLEN);
- $$ = $4;
- }
- | hashopts start setgrouplist end { $$ = $3; }
- ;
-
-number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
- $$ = poolname;
- }
- | IPT_NAME '=' YY_STR { $$ = $3; }
- | { $$ = ""; }
- ;
-
-setgroup:
- IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
- strncpy(tmp, $3, FR_GROUPLEN);
- $$ = strdup(tmp);
- }
- | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
- sprintf(tmp, "%u", $3);
- $$ = strdup(tmp);
- }
- ;
-
-hashopts:
- | size
- | seed
- | size seed
- ;
-
-addrlist:
- next { $$ = NULL; }
- | range next addrlist { $1->ipn_next = $3; $$ = $1; }
- | range next { $$ = $1; }
- ;
-
-grouplist:
- next { $$ = NULL; }
- | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
- | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- $$->ipe_next = $3;
- }
- | groupentry next { $$ = $1; }
- | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- }
- ;
-
-setgrouplist:
- next { $$ = NULL; }
- | groupentry next { $$ = $1; }
- | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
- ;
-
-groupentry:
- addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- strncpy($$->ipe_group, $3,
- FR_GROUPLEN);
- free($3);
- }
- | YY_STR { $$ = add_htablehosts($1); }
- ;
-
-range: addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 0;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $1[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $1[1].s_addr;
- }
- | '!' addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 1;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $2[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $2[1].s_addr;
- }
- | YY_STR { $$ = add_poolhosts($1); }
-
-hashlist:
- next { $$ = NULL; }
- | hashentry next { $$ = $1; }
- | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
- ;
-
-hashentry:
- addrmask { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- }
- | YY_STR { $$ = add_htablehosts($1); }
- ;
-
-addrmask:
- ipaddr '/' mask { $$[0] = $1; $$[1].s_addr = $3.s_addr;
- yyexpectaddr = 0;
- }
- | ipaddr { $$[0] = $1; $$[1].s_addr = 0xffffffff;
- yyexpectaddr = 0;
- }
- ;
-
-ipaddr: ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = htonl($1); }
- ;
-
-mask: YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$.s_addr); }
- | ipv4 { $$ = $1; }
- ;
-
-start: '{' { yyexpectaddr = 1; }
- ;
-
-end: '}' { yyexpectaddr = 0; }
- ;
-
-next: ';' { yyexpectaddr = 1; }
- ;
-
-size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
- ;
-
-seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
- ;
-
-ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-%%
-static wordtab_t yywords[] = {
- { "auth", IPT_AUTH },
- { "count", IPT_COUNT },
- { "group", IPT_GROUP },
- { "group-map", IPT_GROUPMAP },
- { "hash", IPT_HASH },
- { "in", IPT_IN },
- { "ipf", IPT_IPF },
- { "name", IPT_NAME },
- { "nat", IPT_NAT },
- { "number", IPT_NUM },
- { "out", IPT_OUT },
- { "role", IPT_ROLE },
- { "seed", IPT_SEED },
- { "size", IPT_SIZE },
- { "table", IPT_TABLE },
- { "tree", IPT_TREE },
- { "type", IPT_TYPE },
- { NULL, 0 }
-};
-
-
-int ippool_parsefile(fd, filename, iocfunc)
-int fd;
-char *filename;
-ioctlfunc_t iocfunc;
-{
- FILE *fp = NULL;
- char *s;
-
- yylineNum = 1;
- (void) yysettab(yywords);
-
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (!fp) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ippool_parsesome(fd, fp, iocfunc) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ippool_parsesome(fd, fp, iocfunc)
-int fd;
-FILE *fp;
-ioctlfunc_t iocfunc;
-{
- char *s;
- int i;
-
- poolioctl = iocfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == EOF)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static iphtent_t *
-add_htablehosts(url)
-char *url;
-{
- iphtent_t *htop, *hbot, *h;
- alist_t *a, *hlist;
-
- if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
- hlist = load_url(url);
- } else {
- use_inet6 = 0;
-
- hlist = calloc(1, sizeof(*hlist));
- if (hlist == NULL)
- return NULL;
-
- if (gethost(url, &hlist->al_addr) == -1)
- yyerror("Unknown hostname");
- }
-
- hbot = NULL;
- htop = NULL;
-
- for (a = hlist; a != NULL; a = a->al_next) {
- h = calloc(1, sizeof(*h));
- if (h == NULL)
- break;
-
- bcopy((char *)&a->al_addr, (char *)&h->ipe_addr,
- sizeof(h->ipe_addr));
- bcopy((char *)&a->al_mask, (char *)&h->ipe_mask,
- sizeof(h->ipe_mask));
-
- if (hbot != NULL)
- hbot->ipe_next = h;
- else
- htop = h;
- hbot = h;
- }
-
- alist_free(hlist);
-
- return htop;
-}
-
-
-static ip_pool_node_t *
-add_poolhosts(url)
-char *url;
-{
- ip_pool_node_t *ptop, *pbot, *p;
- alist_t *a, *hlist;
-
- if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
- hlist = load_url(url);
- } else {
- use_inet6 = 0;
-
- hlist = calloc(1, sizeof(*hlist));
- if (hlist == NULL)
- return NULL;
-
- if (gethost(url, &hlist->al_addr) == -1)
- yyerror("Unknown hostname");
- }
-
- pbot = NULL;
- ptop = NULL;
-
- for (a = hlist; a != NULL; a = a->al_next) {
- p = calloc(1, sizeof(*p));
- if (p == NULL)
- break;
-
- p->ipn_addr.adf_len = 8;
- p->ipn_mask.adf_len = 8;
-
- p->ipn_info = a->al_not;
-
- bcopy((char *)&a->al_addr, (char *)&p->ipn_addr.adf_addr,
- sizeof(p->ipn_addr.adf_addr));
- bcopy((char *)&a->al_mask, (char *)&p->ipn_mask.adf_addr,
- sizeof(p->ipn_mask.adf_addr));
-
- if (pbot != NULL)
- pbot->ipn_next = p;
- else
- ptop = p;
- pbot = p;
- }
-
- alist_free(hlist);
-
- return ptop;
-}
diff --git a/contrib/ipfilter/tools/ipscan_y.y b/contrib/ipfilter/tools/ipscan_y.y
deleted file mode 100644
index 5d7e7e6..0000000
--- a/contrib/ipfilter/tools/ipscan_y.y
+++ /dev/null
@@ -1,569 +0,0 @@
-/*
- * Copyright (C) 2001-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "opts.h"
-#include "kmem.h"
-#include "ipscan_l.h"
-#include "netinet/ip_scan.h"
-
-#define YYDEBUG 1
-
-extern char *optarg;
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-extern void printbuf __P((char *, int, int));
-
-
-void printent __P((ipscan_t *));
-void showlist __P((void));
-int getportnum __P((char *));
-struct in_addr gethostip __P((char *));
-struct in_addr combine __P((int, int, int, int));
-char **makepair __P((char *, char *));
-void addtag __P((char *, char **, char **, struct action *));
-int cram __P((char *, char *));
-void usage __P((char *));
-int main __P((int, char **));
-
-int opts = 0;
-int fd = -1;
-
-
-%}
-
-%union {
- char *str;
- char **astr;
- u_32_t num;
- struct in_addr ipa;
- struct action act;
- union i6addr ip6;
-}
-
-%type <str> tag
-%type <act> action redirect result
-%type <ipa> ipaddr
-%type <num> portnum
-%type <astr> matchup onehalf twohalves
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-%token IPSL_START IPSL_STARTGROUP IPSL_CONTENT
-
-%token IPSL_CLOSE IPSL_TRACK IPSL_EOF IPSL_REDIRECT IPSL_ELSE
-
-%%
-file: line ';'
- | assign ';'
- | file line ';'
- | file assign ';'
- | YY_COMMENT
- ;
-
-line: IPSL_START dline
- | IPSL_STARTGROUP gline
- | IPSL_CONTENT oline
- ;
-
-dline: cline { resetlexer(); }
- | sline { resetlexer(); }
- | csline { resetlexer(); }
- ;
-
-gline: YY_STR ':' glist '=' action
- ;
-
-oline: cline
- | sline
- | csline
- ;
-
-assign: YY_STR assigning YY_STR
- { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-cline: tag ':' matchup '=' action { addtag($1, $3, NULL, &$5); }
- ;
-
-sline: tag ':' '(' ')' ',' matchup '=' action { addtag($1, NULL, $6, &$8); }
- ;
-
-csline: tag ':' matchup ',' matchup '=' action { addtag($1, $3, $5, &$7); }
- ;
-
-glist: YY_STR
- | glist ',' YY_STR
- ;
-
-tag: YY_STR { $$ = $1; }
- ;
-
-matchup:
- onehalf { $$ = $1; }
- | twohalves { $$ = $1; }
- ;
-
-action: result { $$.act_val = $1.act_val;
- $$.act_ip = $1.act_ip;
- $$.act_port = $1.act_port; }
- | result IPSL_ELSE result { $$.act_val = $1.act_val;
- $$.act_else = $3.act_val;
- if ($1.act_val == IPSL_REDIRECT) {
- $$.act_ip = $1.act_ip;
- $$.act_port = $1.act_port;
- }
- if ($3.act_val == IPSL_REDIRECT) {
- $$.act_eip = $3.act_eip;
- $$.act_eport = $3.act_eport;
- }
- }
-
-result: IPSL_CLOSE { $$.act_val = IPSL_CLOSE; }
- | IPSL_TRACK { $$.act_val = IPSL_TRACK; }
- | redirect { $$.act_val = IPSL_REDIRECT;
- $$.act_ip = $1.act_ip;
- $$.act_port = $1.act_port; }
- ;
-
-onehalf:
- '(' YY_STR ')' { $$ = makepair($2, NULL); }
- ;
-
-twohalves:
- '(' YY_STR ',' YY_STR ')' { $$ = makepair($2, $4); }
- ;
-
-redirect:
- IPSL_REDIRECT '(' ipaddr ')' { $$.act_ip = $3;
- $$.act_port = 0; }
- | IPSL_REDIRECT '(' ipaddr ',' portnum ')'
- { $$.act_ip = $3;
- $$.act_port = $5; }
- ;
-
-
-ipaddr: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { $$ = combine($1,$3,$5,$7); }
- | YY_STR { $$ = gethostip($1);
- free($1);
- }
- ;
-
-portnum:
- YY_NUMBER { $$ = htons($1); }
- | YY_STR { $$ = getportnum($1);
- free($1);
- }
- ;
-
-%%
-
-
-static struct wordtab yywords[] = {
- { "close", IPSL_CLOSE },
- { "content", IPSL_CONTENT },
- { "else", IPSL_ELSE },
- { "start-group", IPSL_STARTGROUP },
- { "redirect", IPSL_REDIRECT },
- { "start", IPSL_START },
- { "track", IPSL_TRACK },
- { NULL, 0 }
-};
-
-
-int cram(dst, src)
-char *dst;
-char *src;
-{
- char c, *s, *t, *u;
- int i, j, k;
-
- c = *src;
- s = src + 1;
- t = strchr(s, c);
- *t = '\0';
- for (u = dst, i = 0; (i <= ISC_TLEN) && (s < t); ) {
- c = *s++;
- if (c == '\\') {
- if (s >= t)
- break;
- j = k = 0;
- do {
- c = *s++;
- if (j && (!ISDIGIT(c) || (c > '7') ||
- (k >= 248))) {
- *u++ = k, i++;
- j = k = 0;
- s--;
- break;
- }
- i++;
-
- if (ISALPHA(c) || (c > '7')) {
- switch (c)
- {
- case 'n' :
- *u++ = '\n';
- break;
- case 'r' :
- *u++ = '\r';
- break;
- case 't' :
- *u++ = '\t';
- break;
- default :
- *u++ = c;
- break;
- }
- } else if (ISDIGIT(c)) {
- j = 1;
- k <<= 3;
- k |= (c - '0');
- i--;
- } else
- *u++ = c;
- } while ((i <= ISC_TLEN) && (s <= t) && (j > 0));
- } else
- *u++ = c, i++;
- }
- return i;
-}
-
-
-void printent(isc)
-ipscan_t *isc;
-{
- char buf[ISC_TLEN+1];
- u_char *u;
- int i, j;
-
- buf[ISC_TLEN] = '\0';
- bcopy(isc->ipsc_ctxt, buf, ISC_TLEN);
- printf("%s : (\"", isc->ipsc_tag);
- printbuf(isc->ipsc_ctxt, isc->ipsc_clen, 0);
-
- bcopy(isc->ipsc_cmsk, buf, ISC_TLEN);
- printf("\", \"%s\"), (\"", buf);
-
- printbuf(isc->ipsc_stxt, isc->ipsc_slen, 0);
-
- bcopy(isc->ipsc_smsk, buf, ISC_TLEN);
- printf("\", \"%s\") = ", buf);
-
- switch (isc->ipsc_action)
- {
- case ISC_A_TRACK :
- printf("track");
- break;
- case ISC_A_REDIRECT :
- printf("redirect");
- printf("(%s", inet_ntoa(isc->ipsc_ip));
- if (isc->ipsc_port)
- printf(",%d", isc->ipsc_port);
- printf(")");
- break;
- case ISC_A_CLOSE :
- printf("close");
- break;
- default :
- break;
- }
-
- if (isc->ipsc_else != ISC_A_NONE) {
- printf(" else ");
- switch (isc->ipsc_else)
- {
- case ISC_A_TRACK :
- printf("track");
- break;
- case ISC_A_REDIRECT :
- printf("redirect");
- printf("(%s", inet_ntoa(isc->ipsc_eip));
- if (isc->ipsc_eport)
- printf(",%d", isc->ipsc_eport);
- printf(")");
- break;
- case ISC_A_CLOSE :
- printf("close");
- break;
- default :
- break;
- }
- }
- printf("\n");
-
- if (opts & OPT_DEBUG) {
- for (u = (u_char *)isc, i = sizeof(*isc); i; ) {
- printf("#");
- for (j = 32; (j > 0) && (i > 0); j--, i--)
- printf("%s%02x", (j & 7) ? "" : " ", *u++);
- printf("\n");
- }
- }
- if (opts & OPT_VERBOSE) {
- printf("# hits %d active %d fref %d sref %d\n",
- isc->ipsc_hits, isc->ipsc_active, isc->ipsc_fref,
- isc->ipsc_sref);
- }
-}
-
-
-void addtag(tstr, cp, sp, act)
-char *tstr;
-char **cp, **sp;
-struct action *act;
-{
- ipscan_t isc, *iscp;
-
- bzero((char *)&isc, sizeof(isc));
-
- strncpy(isc.ipsc_tag, tstr, sizeof(isc.ipsc_tag));
- isc.ipsc_tag[sizeof(isc.ipsc_tag) - 1] = '\0';
-
- if (cp) {
- isc.ipsc_clen = cram(isc.ipsc_ctxt, cp[0]);
- if (cp[1]) {
- if (cram(isc.ipsc_cmsk, cp[1]) != isc.ipsc_clen) {
- fprintf(stderr,
- "client text/mask strings different length\n");
- return;
- }
- }
- }
-
- if (sp) {
- isc.ipsc_slen = cram(isc.ipsc_stxt, sp[0]);
- if (sp[1]) {
- if (cram(isc.ipsc_smsk, sp[1]) != isc.ipsc_slen) {
- fprintf(stderr,
- "server text/mask strings different length\n");
- return;
- }
- }
- }
-
- if (act->act_val == IPSL_CLOSE) {
- isc.ipsc_action = ISC_A_CLOSE;
- } else if (act->act_val == IPSL_TRACK) {
- isc.ipsc_action = ISC_A_TRACK;
- } else if (act->act_val == IPSL_REDIRECT) {
- isc.ipsc_action = ISC_A_REDIRECT;
- isc.ipsc_ip = act->act_ip;
- isc.ipsc_port = act->act_port;
- fprintf(stderr, "%d: redirect unsupported\n", yylineNum + 1);
- }
-
- if (act->act_else == IPSL_CLOSE) {
- isc.ipsc_else = ISC_A_CLOSE;
- } else if (act->act_else == IPSL_TRACK) {
- isc.ipsc_else = ISC_A_TRACK;
- } else if (act->act_else == IPSL_REDIRECT) {
- isc.ipsc_else = ISC_A_REDIRECT;
- isc.ipsc_eip = act->act_eip;
- isc.ipsc_eport = act->act_eport;
- fprintf(stderr, "%d: redirect unsupported\n", yylineNum + 1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- iscp = &isc;
- if (opts & OPT_REMOVE) {
- if (ioctl(fd, SIOCRMSCA, &iscp) == -1)
- perror("SIOCADSCA");
- } else {
- if (ioctl(fd, SIOCADSCA, &iscp) == -1)
- perror("SIOCADSCA");
- }
- }
-
- if (opts & OPT_VERBOSE)
- printent(&isc);
-}
-
-
-char **makepair(s1, s2)
-char *s1, *s2;
-{
- char **a;
-
- a = malloc(sizeof(char *) * 2);
- a[0] = s1;
- a[1] = s2;
- return a;
-}
-
-
-struct in_addr combine(a1, a2, a3, a4)
-int a1, a2, a3, a4;
-{
- struct in_addr in;
-
- a1 &= 0xff;
- in.s_addr = a1 << 24;
- a2 &= 0xff;
- in.s_addr |= (a2 << 16);
- a3 &= 0xff;
- in.s_addr |= (a3 << 8);
- a4 &= 0xff;
- in.s_addr |= a4;
- in.s_addr = htonl(in.s_addr);
- return in;
-}
-
-
-struct in_addr gethostip(host)
-char *host;
-{
- struct hostent *hp;
- struct in_addr in;
-
- in.s_addr = 0;
-
- hp = gethostbyname(host);
- if (!hp)
- return in;
- bcopy(hp->h_addr, (char *)&in, sizeof(in));
- return in;
-}
-
-
-int getportnum(port)
-char *port;
-{
- struct servent *s;
-
- s = getservbyname(port, "tcp");
- if (s == NULL)
- return -1;
- return s->s_port;
-}
-
-
-void showlist()
-{
- ipscanstat_t ipsc, *ipscp = &ipsc;
- ipscan_t isc;
-
- if (ioctl(fd, SIOCGSCST, &ipscp) == -1)
- perror("ioctl(SIOCGSCST)");
- else if (opts & OPT_SHOWLIST) {
- while (ipsc.iscs_list != NULL) {
- if (kmemcpy((char *)&isc, (u_long)ipsc.iscs_list,
- sizeof(isc)) == -1) {
- perror("kmemcpy");
- break;
- } else {
- printent(&isc);
- ipsc.iscs_list = isc.ipsc_next;
- }
- }
- } else {
- printf("scan entries loaded\t%d\n", ipsc.iscs_entries);
- printf("scan entries matches\t%ld\n", ipsc.iscs_acted);
- printf("negative matches\t%ld\n", ipsc.iscs_else);
- }
-}
-
-
-void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage:\t%s [-dnrv] -f <filename>\n", prog);
- fprintf(stderr, "\t%s [-dlv]\n", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- FILE *fp = NULL;
- int c;
-
- (void) yysettab(yywords);
-
- if (argc < 2)
- usage(argv[0]);
-
- while ((c = getopt(argc, argv, "df:lnrsv")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- yydebug++;
- break;
- case 'f' :
- if (!strcmp(optarg, "-"))
- fp = stdin;
- else {
- fp = fopen(optarg, "r");
- if (!fp) {
- perror("open");
- exit(1);
- }
- }
- yyin = fp;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (!(opts & OPT_DONOTHING)) {
- fd = open(IPL_SCAN, O_RDWR);
- if (fd == -1) {
- perror("open(IPL_SCAN)");
- exit(1);
- }
- }
-
- if (fp != NULL) {
- yylineNum = 1;
-
- while (!feof(fp))
- yyparse();
- fclose(fp);
- exit(0);
- }
-
- if (opts & (OPT_SHOWLIST|OPT_STAT)) {
- showlist();
- exit(0);
- }
- exit(1);
-}
diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c
deleted file mode 100644
index fc79abb..0000000
--- a/contrib/ipfilter/tools/ipsyncm.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.5 2006/08/26 11:21:14 darrenr Exp $";
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <net/if.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <string.h>
-#include <syslog.h>
-#include <signal.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_sync.h"
-
-
-int main __P((int, char *[]));
-void usage __P((const char *));
-
-int terminate = 0;
-
-void usage(const char *progname) {
- fprintf(stderr, "Usage: %s <destination IP> <destination port>\n", progname);
-}
-
-#if 0
-static void handleterm(int sig)
-{
- terminate = sig;
-}
-#endif
-
-
-/* should be large enough to hold header + any datatype */
-#define BUFFERLEN 1400
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- struct sockaddr_in sin;
- char buff[BUFFERLEN];
- synclogent_t *sl;
- syncupdent_t *su;
- int nfd = -1, lfd = -1, n1, n2, n3, len;
- int inbuf;
- u_32_t magic;
- synchdr_t *sh;
- char *progname;
-
- progname = strrchr(argv[0], '/');
- if (progname) {
- progname++;
- } else {
- progname = argv[0];
- }
-
-
- if (argc < 2) {
- usage(progname);
- exit(1);
- }
-
-#if 0
- signal(SIGHUP, handleterm);
- signal(SIGINT, handleterm);
- signal(SIGTERM, handleterm);
-#endif
-
- openlog(progname, LOG_PID, LOG_SECURITY);
-
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = inet_addr(argv[1]);
- if (argc > 2)
- sin.sin_port = htons(atoi(argv[2]));
- else
- sin.sin_port = htons(43434);
-
- while (1) {
-
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- lfd = open(IPSYNC_NAME, O_RDONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- goto tryagain;
- }
-
- nfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (nfd == -1) {
- syslog(LOG_ERR, "Socket :%m");
- goto tryagain;
- }
-
- if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- syslog(LOG_ERR, "Connect: %m");
- goto tryagain;
- }
-
- syslog(LOG_INFO, "Sending data to %s",
- inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
- while (1) {
-
- n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
-
- printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
- if (n1 < 0) {
- syslog(LOG_ERR, "Read error (header): %m");
- goto tryagain;
- }
-
- if (n1 == 0) {
- /* XXX can this happen??? */
- syslog(LOG_ERR,
- "Read error (header) : No data");
- sleep(1);
- continue;
- }
-
- inbuf += n1;
-
-moreinbuf:
- if (inbuf < sizeof(*sh)) {
- continue; /* need more data */
- }
-
- sh = (synchdr_t *)buff;
- len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
-
- if (magic != SYNHDRMAGIC) {
- syslog(LOG_ERR,
- "Invalid header magic %x", magic);
- goto tryagain;
- }
-
-#define IPSYNC_DEBUG
-#ifdef IPSYNC_DEBUG
- printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
- sh->sm_p, len, magic);
-
- if (sh->sm_cmd == SMC_CREATE)
- printf(" cmd:CREATE");
- else if (sh->sm_cmd == SMC_UPDATE)
- printf(" cmd:UPDATE");
- else
- printf(" cmd:Unknown(%d)", sh->sm_cmd);
-
- if (sh->sm_table == SMC_NAT)
- printf(" table:NAT");
- else if (sh->sm_table == SMC_STATE)
- printf(" table:STATE");
- else
- printf(" table:Unknown(%d)", sh->sm_table);
-
- printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
- if (inbuf < sizeof(*sh) + len) {
- continue; /* need more data */
- goto tryagain;
- }
-
-#ifdef IPSYNC_DEBUG
- if (sh->sm_cmd == SMC_CREATE) {
- sl = (synclogent_t *)buff;
-
- } else if (sh->sm_cmd == SMC_UPDATE) {
- su = (syncupdent_t *)buff;
- if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
- su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
- su->sup_tcp.stu_state[1]);
- }
- } else {
- printf("Unknown command\n");
- }
-#endif
-
- n2 = sizeof(*sh) + len;
- n3 = write(nfd, buff, n2);
- if (n3 <= 0) {
- syslog(LOG_ERR, "Write error: %m");
- goto tryagain;
- }
-
-
- if (n3 != n2) {
- syslog(LOG_ERR, "Incomplete write (%d/%d)",
- n3, n2);
- goto tryagain;
- }
-
- /* signal received? */
- if (terminate)
- break;
-
- /* move buffer to the front,we might need to make
- * this more efficient, by using a rolling pointer
- * over the buffer and only copying it, when
- * we are reaching the end
- */
- inbuf -= n2;
- if (inbuf) {
- bcopy(buff+n2, buff, inbuf);
- printf("More data in buffer\n");
- goto moreinbuf;
- }
- }
-
- if (terminate)
- break;
-tryagain:
- sleep(1);
- }
-
-
- /* terminate */
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- syslog(LOG_ERR, "signal %d received, exiting...", terminate);
-
- exit(1);
-}
-
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c
deleted file mode 100644
index 3a8270f..0000000
--- a/contrib/ipfilter/tools/ipsyncs.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.4 2006/08/26 11:21:15 darrenr Exp $";
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <net/if.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <errno.h>
-#include <signal.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_sync.h"
-
-int main __P((int, char *[]));
-void usage __P((const char *progname));
-
-int terminate = 0;
-
-void usage(const char *progname) {
- fprintf(stderr,
- "Usage: %s <destination IP> <destination port> [remote IP]\n",
- progname);
-}
-
-#if 0
-static void handleterm(int sig)
-{
- terminate = sig;
-}
-#endif
-
-#define BUFFERLEN 1400
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int nfd = -1 , lfd = -1;
- int n1, n2, n3, magic, len, inbuf;
- struct sockaddr_in sin;
- struct sockaddr_in in;
- char buff[BUFFERLEN];
- synclogent_t *sl;
- syncupdent_t *su;
- synchdr_t *sh;
- char *progname;
-
- progname = strrchr(argv[0], '/');
- if (progname) {
- progname++;
- } else {
- progname = argv[0];
- }
-
- if (argc < 2) {
- usage(progname);
- exit(1);
- }
-
-#if 0
- signal(SIGHUP, handleterm);
- signal(SIGINT, handleterm);
- signal(SIGTERM, handleterm);
-#endif
-
- openlog(progname, LOG_PID, LOG_SECURITY);
-
- lfd = open(IPSYNC_NAME, O_WRONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- exit(1);
- }
-
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- if (argc > 1)
- sin.sin_addr.s_addr = inet_addr(argv[1]);
- if (argc > 2)
- sin.sin_port = htons(atoi(argv[2]));
- else
- sin.sin_port = htons(43434);
- if (argc > 3)
- in.sin_addr.s_addr = inet_addr(argv[3]);
- else
- in.sin_addr.s_addr = 0;
- in.sin_port = 0;
-
- while(1) {
-
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- lfd = open(IPSYNC_NAME, O_WRONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- goto tryagain;
- }
-
- nfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (nfd == -1) {
- syslog(LOG_ERR, "Socket :%m");
- goto tryagain;
- }
-
- n1 = 1;
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n1, sizeof(n1));
-
- if (bind(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- syslog(LOG_ERR, "Bind: %m");
- goto tryagain;
- }
-
- syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
- while (1) {
-
-
- /*
- * XXX currently we do not check the source address
- * of a datagram, this can be a security risk
- */
- n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf);
-
- printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
- if (n1 < 0) {
- syslog(LOG_ERR, "Read error (header): %m");
- goto tryagain;
- }
-
- if (n1 == 0) {
- /* XXX can this happen??? */
- syslog(LOG_ERR,
- "Read error (header) : No data");
- sleep(1);
- continue;
- }
-
- inbuf += n1;
-
-moreinbuf:
- if (inbuf < sizeof(*sh)) {
- continue; /* need more data */
- }
-
- sh = (synchdr_t *)buff;
- len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
-
- if (magic != SYNHDRMAGIC) {
- syslog(LOG_ERR, "Invalid header magic %x",
- magic);
- goto tryagain;
- }
-
-#define IPSYNC_DEBUG
-#ifdef IPSYNC_DEBUG
- printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
- sh->sm_p, len, magic);
-
- if (sh->sm_cmd == SMC_CREATE)
- printf(" cmd:CREATE");
- else if (sh->sm_cmd == SMC_UPDATE)
- printf(" cmd:UPDATE");
- else
- printf(" cmd:Unknown(%d)", sh->sm_cmd);
-
- if (sh->sm_table == SMC_NAT)
- printf(" table:NAT");
- else if (sh->sm_table == SMC_STATE)
- printf(" table:STATE");
- else
- printf(" table:Unknown(%d)", sh->sm_table);
-
- printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
- if (inbuf < sizeof(*sh) + len) {
- continue; /* need more data */
- goto tryagain;
- }
-
-#ifdef IPSYNC_DEBUG
- if (sh->sm_cmd == SMC_CREATE) {
- sl = (synclogent_t *)buff;
-
- } else if (sh->sm_cmd == SMC_UPDATE) {
- su = (syncupdent_t *)buff;
- if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
- su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
- su->sup_tcp.stu_state[1]);
- }
- } else {
- printf("Unknown command\n");
- }
-#endif
-
- n2 = sizeof(*sh) + len;
- n3 = write(lfd, buff, n2);
- if (n3 <= 0) {
- syslog(LOG_ERR, "%s: Write error: %m",
- IPSYNC_NAME);
- goto tryagain;
- }
-
-
- if (n3 != n2) {
- syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
- IPSYNC_NAME, n3, n2);
- goto tryagain;
- }
-
- /* signal received? */
- if (terminate)
- break;
-
- /* move buffer to the front,we might need to make
- * this more efficient, by using a rolling pointer
- * over the buffer and only copying it, when
- * we are reaching the end
- */
- inbuf -= n2;
- if (inbuf) {
- bcopy(buff+n2, buff, inbuf);
- printf("More data in buffer\n");
- goto moreinbuf;
- }
- }
-
- if (terminate)
- break;
-tryagain:
- sleep(1);
- }
-
-
- /* terminate */
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- syslog(LOG_ERR, "signal %d received, exiting...", terminate);
-
- exit(1);
-}
diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h
deleted file mode 100644
index a6f9cf6..0000000
--- a/contrib/ipfilter/tools/lex_var.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-extern long string_start;
-extern long string_end;
-extern char *string_val;
-extern long pos;
-
-#define YY_INPUT(buf, result, max_size) \
- if (pos >= string_start && pos <= string_end) { \
- buf[0] = string_val[pos - string_start]; \
- pos++; \
- result = 1; \
- } else if ( yy_current_buffer->yy_is_interactive ) \
- { \
- int c = '*', n; \
- for ( n = 0; n < 1 && \
- (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
- buf[n] = (char) c; \
- if ( c == '\n' ) \
- buf[n++] = (char) c; \
- if ( c == EOF && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- result = n; \
- pos++; \
- } \
- else if ( ((result = fread( buf, 1, 1, yyin )) == 0) \
- && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" );
-
-#ifdef input
-# undef input
-# define input() (((pos >= string_start) && (pos < string_end)) ? \
- yysptr = yysbuf, string_val[pos++ - string_start] : \
- ((yytchar = yysptr > yysbuf ? U(*--yysptr) : \
- getc(yyin)) == 10 ? (pos++, yylineno++, yytchar) : \
- yytchar) == EOF ? (pos++, 0) : (pos++, yytchar))
-#endif
-
-#ifdef lex_input
-# undef lex_input
-# define lex_input() (((pos >= string_start) && (pos < string_end)) ? \
- yysptr = yysbuf, string_val[pos++ - string_start] : \
- ((yytchar = yysptr > yysbuf ? U(*--yysptr) : \
- getc(yyin)) == 10 ? (pos++, yylineno++, yytchar) : \
- yytchar) == EOF ? (pos++, 0) : (pos++, yytchar))
-#endif
-
-#ifdef unput
-# undef unput
-# define unput(c) { if (pos > 0) pos--; \
- yytchar = (c); if (yytchar == '\n') yylineno--; \
- *yysptr++ = yytchar; }
-#endif
-
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
deleted file mode 100644
index 1ad00c4..0000000
--- a/contrib/ipfilter/tools/lexer.c
+++ /dev/null
@@ -1,661 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <ctype.h>
-#include "ipf.h"
-#ifdef IPFILTER_SCAN
-# include "netinet/ip_scan.h"
-#endif
-#include <sys/ioctl.h>
-#include <syslog.h>
-#ifdef TEST_LEXER
-# define NO_YACC
-union {
- int num;
- char *str;
- struct in_addr ipa;
- i6addr_t ip6;
-} yylval;
-#endif
-#include "lexer.h"
-#include "y.tab.h"
-
-FILE *yyin;
-
-#define ishex(c) (ISDIGIT(c) || ((c) >= 'a' && (c) <= 'f') || \
- ((c) >= 'A' && (c) <= 'F'))
-#define TOOLONG -3
-
-extern int string_start;
-extern int string_end;
-extern char *string_val;
-extern int pos;
-extern int yydebug;
-
-char *yystr = NULL;
-int yytext[YYBUFSIZ+1];
-char yychars[YYBUFSIZ+1];
-int yylineNum = 1;
-int yypos = 0;
-int yylast = -1;
-int yyexpectaddr = 0;
-int yybreakondot = 0;
-int yyvarnext = 0;
-int yytokentype = 0;
-wordtab_t *yywordtab = NULL;
-int yysavedepth = 0;
-wordtab_t *yysavewords[30];
-
-
-static wordtab_t *yyfindkey __P((char *));
-static int yygetc __P((int));
-static void yyunputc __P((int));
-static int yyswallow __P((int));
-static char *yytexttostr __P((int, int));
-static void yystrtotext __P((char *));
-static char *yytexttochar __P((void));
-
-static int yygetc(docont)
-int docont;
-{
- int c;
-
- if (yypos < yylast) {
- c = yytext[yypos++];
- if (c == '\n')
- yylineNum++;
- return c;
- }
-
- if (yypos == YYBUFSIZ)
- return TOOLONG;
-
- if (pos >= string_start && pos <= string_end) {
- c = string_val[pos - string_start];
- yypos++;
- } else {
- c = fgetc(yyin);
- if (docont && (c == '\\')) {
- c = fgetc(yyin);
- if (c == '\n') {
- yylineNum++;
- c = fgetc(yyin);
- }
- }
- }
- if (c == '\n')
- yylineNum++;
- yytext[yypos++] = c;
- yylast = yypos;
- yytext[yypos] = '\0';
-
- return c;
-}
-
-
-static void yyunputc(c)
-int c;
-{
- if (c == '\n')
- yylineNum--;
- yytext[--yypos] = c;
-}
-
-
-static int yyswallow(last)
-int last;
-{
- int c;
-
- while (((c = yygetc(0)) > '\0') && (c != last))
- ;
-
- if (c != EOF)
- yyunputc(c);
- if (c == last)
- return 0;
- return -1;
-}
-
-
-static char *yytexttochar()
-{
- int i;
-
- for (i = 0; i < yypos; i++)
- yychars[i] = (char)(yytext[i] & 0xff);
- yychars[i] = '\0';
- return yychars;
-}
-
-
-static void yystrtotext(str)
-char *str;
-{
- int len;
- char *s;
-
- len = strlen(str);
- if (len > YYBUFSIZ)
- len = YYBUFSIZ;
-
- for (s = str; *s != '\0' && len > 0; s++, len--)
- yytext[yylast++] = *s;
- yytext[yylast] = '\0';
-}
-
-
-static char *yytexttostr(offset, max)
-int offset, max;
-{
- char *str;
- int i;
-
- if ((yytext[offset] == '\'' || yytext[offset] == '"') &&
- (yytext[offset] == yytext[offset + max - 1])) {
- offset++;
- max--;
- }
-
- if (max > yylast)
- max = yylast;
- str = malloc(max + 1);
- if (str != NULL) {
- for (i = offset; i < max; i++)
- str[i - offset] = (char)(yytext[i] & 0xff);
- str[i - offset] = '\0';
- }
- return str;
-}
-
-
-int yylex()
-{
- int c, n, isbuilding, rval, lnext, nokey = 0;
- char *name;
-
- isbuilding = 0;
- lnext = 0;
- rval = 0;
-
- if (yystr != NULL) {
- free(yystr);
- yystr = NULL;
- }
-
-nextchar:
- c = yygetc(0);
- if (yydebug > 1)
- printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
-
- switch (c)
- {
- case '\n' :
- lnext = 0;
- nokey = 0;
- case '\t' :
- case '\r' :
- case ' ' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- if (yylast > yypos) {
- bcopy(yytext + yypos, yytext,
- sizeof(yytext[0]) * (yylast - yypos + 1));
- }
- yylast -= yypos;
- yypos = 0;
- lnext = 0;
- nokey = 0;
- goto nextchar;
-
- case '\\' :
- if (lnext == 0) {
- lnext = 1;
- if (yylast == yypos) {
- yylast--;
- yypos--;
- } else
- yypos--;
- if (yypos == 0)
- nokey = 1;
- goto nextchar;
- }
- break;
- }
-
- if (lnext == 1) {
- lnext = 0;
- if ((isbuilding == 0) && !ISALNUM(c)) {
- return c;
- }
- goto nextchar;
- }
-
- switch (c)
- {
- case '#' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- yyswallow('\n');
- rval = YY_COMMENT;
- goto nextchar;
-
- case '$' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '{') {
- if (yyswallow('}') == -1) {
- rval = -2;
- goto done;
- }
- (void) yygetc(0);
- } else {
- if (!ISALPHA(n)) {
- yyunputc(n);
- break;
- }
- do {
- n = yygetc(1);
- } while (ISALPHA(n) || ISDIGIT(n) || n == '_');
- yyunputc(n);
- }
-
- name = yytexttostr(1, yypos); /* skip $ */
-
- if (name != NULL) {
- string_val = get_variable(name, NULL, yylineNum);
- free(name);
- if (string_val != NULL) {
- name = yytexttostr(yypos, yylast);
- if (name != NULL) {
- yypos = 0;
- yylast = 0;
- yystrtotext(string_val);
- yystrtotext(name);
- free(string_val);
- free(name);
- goto nextchar;
- }
- free(string_val);
- }
- }
- break;
-
- case '\'':
- case '"' :
- if (isbuilding == 1) {
- goto done;
- }
- do {
- n = yygetc(1);
- if (n == EOF || n == TOOLONG) {
- rval = -2;
- goto done;
- }
- if (n == '\n') {
- yyunputc(' ');
- yypos++;
- }
- } while (n != c);
- rval = YY_STR;
- goto done;
- /* NOTREACHED */
-
- case EOF :
- yylineNum = 1;
- yypos = 0;
- yylast = -1;
- yyexpectaddr = 0;
- yybreakondot = 0;
- yyvarnext = 0;
- yytokentype = 0;
- return 0;
- }
-
- if (strchr("=,/;{}()@", c) != NULL) {
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- rval = c;
- goto done;
- } else if (c == '.') {
- if (isbuilding == 0) {
- rval = c;
- goto done;
- }
- if (yybreakondot != 0) {
- yyunputc(c);
- goto done;
- }
- }
-
- switch (c)
- {
- case '-' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1)
- break;
- n = yygetc(0);
- if (n == '>') {
- isbuilding = 1;
- goto done;
- }
- yyunputc(n);
- rval = '-';
- goto done;
-
- case '!' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '=') {
- rval = YY_CMP_NE;
- goto done;
- }
- yyunputc(n);
- rval = '!';
- goto done;
-
- case '<' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '=') {
- rval = YY_CMP_LE;
- goto done;
- }
- if (n == '>') {
- rval = YY_RANGE_OUT;
- goto done;
- }
- yyunputc(n);
- rval = YY_CMP_LT;
- goto done;
-
- case '>' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '=') {
- rval = YY_CMP_GE;
- goto done;
- }
- if (n == '<') {
- rval = YY_RANGE_IN;
- goto done;
- }
- yyunputc(n);
- rval = YY_CMP_GT;
- goto done;
- }
-
- /*
- * Now for the reason this is here...IPv6 address parsing.
- * The longest string we can expect is of this form:
- * 0000:0000:0000:0000:0000:0000:000.000.000.000
- * not:
- * 0000:0000:0000:0000:0000:0000:0000:0000
- */
-#ifdef USE_INET6
- if (yyexpectaddr == 1 && isbuilding == 0 && (ishex(c) || c == ':')) {
- char ipv6buf[45 + 1], *s, oc;
- int start;
-
- start = yypos;
- s = ipv6buf;
- oc = c;
-
- /*
- * Perhaps we should implement stricter controls on what we
- * swallow up here, but surely it would just be duplicating
- * the code in inet_pton() anyway.
- */
- do {
- *s++ = c;
- c = yygetc(1);
- } while ((ishex(c) || c == ':' || c == '.') &&
- (s - ipv6buf < 46));
- yyunputc(c);
- *s = '\0';
-
- if (inet_pton(AF_INET6, ipv6buf, &yylval.ip6) == 1) {
- rval = YY_IPV6;
- yyexpectaddr = 0;
- goto done;
- }
- yypos = start;
- c = oc;
- }
-#endif
-
- if (c == ':') {
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- rval = ':';
- goto done;
- }
-
- if (isbuilding == 0 && c == '0') {
- n = yygetc(0);
- if (n == 'x') {
- do {
- n = yygetc(1);
- } while (ishex(n));
- yyunputc(n);
- rval = YY_HEX;
- goto done;
- }
- yyunputc(n);
- }
-
- /*
- * No negative numbers with leading - sign..
- */
- if (isbuilding == 0 && ISDIGIT(c)) {
- do {
- n = yygetc(1);
- } while (ISDIGIT(n));
- yyunputc(n);
- rval = YY_NUMBER;
- goto done;
- }
-
- isbuilding = 1;
- goto nextchar;
-
-done:
- yystr = yytexttostr(0, yypos);
-
- if (yydebug)
- printf("isbuilding %d yyvarnext %d nokey %d\n",
- isbuilding, yyvarnext, nokey);
- if (isbuilding == 1) {
- wordtab_t *w;
-
- w = NULL;
- isbuilding = 0;
-
- if ((yyvarnext == 0) && (nokey == 0)) {
- w = yyfindkey(yystr);
- if (w == NULL && yywordtab != NULL) {
- yyresetdict();
- w = yyfindkey(yystr);
- }
- } else
- yyvarnext = 0;
- if (w != NULL)
- rval = w->w_value;
- else
- rval = YY_STR;
- }
-
- if (rval == YY_STR && yysavedepth > 0)
- yyresetdict();
-
- yytokentype = rval;
-
- if (yydebug)
- printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start,
- string_end, pos, rval, yysavedepth);
-
- switch (rval)
- {
- case YY_NUMBER :
- sscanf(yystr, "%u", &yylval.num);
- break;
-
- case YY_HEX :
- sscanf(yystr, "0x%x", (u_int *)&yylval.num);
- break;
-
- case YY_STR :
- yylval.str = strdup(yystr);
- break;
-
- default :
- break;
- }
-
- if (yylast > 0) {
- bcopy(yytext + yypos, yytext,
- sizeof(yytext[0]) * (yylast - yypos + 1));
- yylast -= yypos;
- yypos = 0;
- }
-
- return rval;
-}
-
-
-static wordtab_t *yyfindkey(key)
-char *key;
-{
- wordtab_t *w;
-
- if (yywordtab == NULL)
- return NULL;
-
- for (w = yywordtab; w->w_word != 0; w++)
- if (strcasecmp(key, w->w_word) == 0)
- return w;
- return NULL;
-}
-
-
-char *yykeytostr(num)
-int num;
-{
- wordtab_t *w;
-
- if (yywordtab == NULL)
- return "<unknown>";
-
- for (w = yywordtab; w->w_word; w++)
- if (w->w_value == num)
- return w->w_word;
- return "<unknown>";
-}
-
-
-wordtab_t *yysettab(words)
-wordtab_t *words;
-{
- wordtab_t *save;
-
- save = yywordtab;
- yywordtab = words;
- return save;
-}
-
-
-void yyerror(msg)
-char *msg;
-{
- char *txt, letter[2];
- int freetxt = 0;
-
- if (yytokentype < 256) {
- letter[0] = yytokentype;
- letter[1] = '\0';
- txt = letter;
- } else if (yytokentype == YY_STR || yytokentype == YY_HEX ||
- yytokentype == YY_NUMBER) {
- if (yystr == NULL) {
- txt = yytexttostr(yypos, YYBUFSIZ);
- freetxt = 1;
- } else
- txt = yystr;
- } else {
- txt = yykeytostr(yytokentype);
- }
- fprintf(stderr, "%s error at \"%s\", line %d\n", msg, txt, yylineNum);
- if (freetxt == 1)
- free(txt);
- exit(1);
-}
-
-
-void yysetdict(newdict)
-wordtab_t *newdict;
-{
- if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
- fprintf(stderr, "%d: at maximum dictionary depth\n",
- yylineNum);
- return;
- }
-
- yysavewords[yysavedepth++] = yysettab(newdict);
- if (yydebug)
- printf("yysavedepth++ => %d\n", yysavedepth);
-}
-
-void yyresetdict()
-{
- if (yydebug)
- printf("yyresetdict(%d)\n", yysavedepth);
- if (yysavedepth > 0) {
- yysettab(yysavewords[--yysavedepth]);
- if (yydebug)
- printf("yysavedepth-- => %d\n", yysavedepth);
- }
-}
-
-
-
-#ifdef TEST_LEXER
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int n;
-
- yyin = stdin;
-
- while ((n = yylex()) != 0)
- printf("%d.n = %d [%s] %d %d\n",
- yylineNum, n, yystr, yypos, yylast);
-}
-#endif
diff --git a/contrib/ipfilter/tools/lexer.h b/contrib/ipfilter/tools/lexer.h
deleted file mode 100644
index b838d41..0000000
--- a/contrib/ipfilter/tools/lexer.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-typedef struct wordtab {
- char *w_word;
- int w_value;
-} wordtab_t;
-
-#ifdef NO_YACC
-#define YY_COMMENT 1000
-#define YY_CMP_NE 1001
-#define YY_CMP_LE 1002
-#define YY_RANGE_OUT 1003
-#define YY_CMP_GE 1004
-#define YY_RANGE_IN 1005
-#define YY_HEX 1006
-#define YY_NUMBER 1007
-#define YY_IPV6 1008
-#define YY_STR 1009
-#define YY_IPADDR 1010
-#endif
-
-#define YYBUFSIZ 8192
-
-extern wordtab_t *yysettab __P((wordtab_t *));
-extern void yysetdict __P((wordtab_t *));
-extern int yylex __P((void));
-extern void yyerror __P((char *));
-extern char *yykeytostr __P((int));
-extern void yyresetdict __P((void));
-
-extern FILE *yyin;
-extern int yylineNum;
-extern int yyexpectaddr;
-extern int yybreakondot;
-extern int yyvarnext;
-