Import IPFilter 4.1.28

6 files changed, 163 insertions, 26 deletions

diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index dfda237..4156250 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -770,8 +770,20 @@ fromport:
 
 srcportlist:
 	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
+	| portnum ':' portnum	
+			{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
+				fr->fr_stop = $3;) }
+	| portnum YY_RANGE_IN portnum	
+			{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
+				fr->fr_stop = $3;) }
 	| srcportlist lmore portnum
 			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
+	| srcportlist lmore portnum ':' portnum
+			{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
+				fr->fr_stop = $5;) }
+	| srcportlist lmore portnum YY_RANGE_IN portnum
+			{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
+				fr->fr_stop = $5;) }
 	;
 
 dstobject:
@@ -836,8 +848,20 @@ toport:
 
 dstportlist:
 	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
+	| portnum ':' portnum	
+			{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
+				fr->fr_dtop = $3;) }
+	| portnum YY_RANGE_IN portnum	
+			{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
+				fr->fr_dtop = $3;) }
 	| dstportlist lmore portnum
 			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
+	| dstportlist lmore portnum ':' portnum
+			{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
+				fr->fr_dtop = $5;) }
+	| dstportlist lmore portnum YY_RANGE_IN portnum
+			{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
+				fr->fr_dtop = $5;) }
 	;
 
 addr:	pool '/' YY_NUMBER		{ pooled = 1;
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index db8de45..e28fe4c 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -69,7 +69,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fils.c	1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $";
 #endif
 
 #ifdef __hpux
@@ -1118,7 +1118,7 @@ ips_stat_t *ipsp;
 		PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
 			(u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
 
-		minlen = ipsp->iss_max;
+		minlen = ipsp->iss_inuse;
 		totallen = 0;
 		maxlen = 0;
 
@@ -1126,7 +1126,7 @@ ips_stat_t *ipsp;
 			if (buckets[i] > maxlen)
 				maxlen = buckets[i];
 			if (buckets[i] < minlen)
-					minlen = buckets[i];
+				minlen = buckets[i];
 			totallen += buckets[i];
 		}
 
@@ -1809,7 +1809,7 @@ int *port;
 			*port = -1;
 		} else if (!sscanf(comma + 1, "%d", port) ||
 			   (*port < 0) || (*port > 65535)) {
-			fprintf(stderr, "Invalid port specfication in %s\n",
+			fprintf(stderr, "Invalid port specification in %s\n",
 				argument);
 			free(s);
 			exit(-2);
@@ -1821,6 +1821,7 @@ int *port;
 	/* get ip address */
 	if (!strcasecmp(s, "any")) {
 		ip->in4.s_addr = INADDR_ANY;
+		ok = 1;
 #ifdef	USE_INET6
 		ip->in6 = in6addr_any;
 	} else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) {
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index 3bc0555..f07396d 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -76,7 +76,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $";
 #endif
 
 
@@ -750,6 +750,8 @@ int	blen;
 		strcpy(t, "NAT:MAPBLOCK ");
 	else if (nl->nl_type == NL_CLONE)
 		strcpy(t, "NAT:CLONE ");
+	else if (nl->nl_type == NL_DESTROY)
+		strcpy(t, "NAT:DESTROY ");
 	else
 		sprintf(t, "Type: %d ", nl->nl_type);
 	t += strlen(t);
@@ -762,8 +764,9 @@ int	blen;
 	(void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
 		portname(res, proto, (u_int)nl->nl_outport));
 	t += strlen(t);
-	(void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip),
-		portname(res, proto, (u_int)nl->nl_origport));
+	(void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
+		portname(res, proto, (u_int)nl->nl_origport),
+		getproto(nl->nl_p));
 	t += strlen(t);
 	if (nl->nl_type == NL_EXPIRE) {
 #ifdef	USE_QUAD_T
@@ -1000,7 +1003,10 @@ int	blen;
 	ipflog_t *ipf;
 	iplog_t	*ipl;
 #ifdef	USE_INET6
+	struct ip6_ext *ehp;
+	u_short ehl;
 	ip6_t *ip6;
+	int go;
 #endif
 
 	ipl = (iplog_t *)buf;
@@ -1109,6 +1115,29 @@ int	blen;
 		s = (u_32_t *)&ip6->ip6_src;
 		d = (u_32_t *)&ip6->ip6_dst;
 		plen = hl + ntohs(ip6->ip6_plen);
+		go = 1;
+		ehp = (struct ip6_ext *)((char *)ip6 + hl);
+		while (go == 1) {
+			switch (p)
+			{
+			case IPPROTO_HOPOPTS :
+			case IPPROTO_MOBILITY :
+			case IPPROTO_DSTOPTS :
+			case IPPROTO_ROUTING :
+			case IPPROTO_AH :
+				p = ehp->ip6e_nxt;
+				ehl = 8 + (ehp->ip6e_len << 3);
+				hl += ehl;
+				ehp = (struct ip6_ext *)((char *)ehp + ehl);
+				break;
+			case IPPROTO_FRAGMENT :
+				hl += sizeof(struct ip6_frag);
+				/* FALLTHROUGH */
+			default :
+				go = 0;
+				break;
+			}
+		}
 #else
 		sprintf(t, "ipv6");
 		goto printipflog;
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
index 83eb5be..038df6d 100644
--- a/contrib/ipfilter/tools/ipnat.c
+++ b/contrib/ipfilter/tools/ipnat.c
@@ -65,7 +65,7 @@ extern	char	*sys_errlist[];
 
 #if !defined(lint)
 static const char sccsid[] ="@(#)ipnat.c	1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.6 2007/05/11 11:16:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $";
 #endif
 
 
@@ -78,6 +78,7 @@ char	thishost[MAXHOSTNAMELEN];
 extern	char	*optarg;
 
 void	dostats __P((int, natstat_t *, int, int));
+void	dotable __P((natstat_t *, int, int));
 void	flushtable __P((int, int));
 void	usage __P((char *));
 int	main __P((int, char*[]));
@@ -357,9 +358,10 @@ int fd, opts, alive;
 			nsp->ns_added, nsp->ns_expire);
 		printf("no memory\t%lu\tbad nat\t%lu\n",
 			nsp->ns_memfail, nsp->ns_badnat);
-		printf("inuse\t%lu\nrules\t%lu\n",
-			nsp->ns_inuse, nsp->ns_rules);
+		printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
+			nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
 		printf("wilds\t%u\n", nsp->ns_wilds);
+		dotable(nsp, fd, alive);
 		if (opts & OPT_VERBOSE)
 			printf("table %p list %p\n",
 				nsp->ns_table, nsp->ns_list);
@@ -376,6 +378,63 @@ int fd, opts, alive;
 }
 
 
+void dotable(nsp, fd, alive)
+natstat_t *nsp;
+int fd, alive;
+{
+	int sz, i, used, totallen, maxlen, minlen;
+	ipftable_t table;
+	u_long *buckets;
+	ipfobj_t obj;
+
+	sz = sizeof(*buckets) * nsp->ns_nattab_sz;
+	buckets = (u_long *)malloc(sz);
+
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_GTABLE;
+	obj.ipfo_size = sizeof(table);
+	obj.ipfo_ptr = &table;
+
+	table.ita_type = IPFTABLE_BUCKETS_NATIN;
+	table.ita_table = buckets;
+
+	if (alive) {
+		if (ioctl(fd, SIOCGTABL, &obj) != 0) {
+			free(buckets);
+			return;
+		}
+	} else {
+		if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) {
+			free(buckets);
+			return;
+		}
+	}
+
+	totallen = 0;
+	maxlen = 0;
+	minlen = nsp->ns_inuse;
+	used = 0;
+
+	for (i = 0; i < nsp->ns_nattab_sz; i++) {
+		if (buckets[i] > maxlen)
+			maxlen = buckets[i];
+		if (buckets[i] < minlen)
+			minlen = buckets[i];
+		if (buckets[i] != 0)
+			used++;
+		totallen += buckets[i];
+	}
+
+	printf("hash efficiency\t%2.2f%%\n",
+	       totallen ? ((float)used / totallen) * 100.0 : 0.0);
+	printf("bucket usage\t%2.2f%%\n",
+		((float)used / nsp->ns_nattab_sz) * 100.0);
+	printf("minimal length\t%d\n", minlen);
+	printf("maximal length\t%d\n", maxlen);
+	printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
+}
+
+
 /*
  * Display NAT statistics.
  */
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index b20f623..6208c98 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -609,6 +609,7 @@ compare:
 range:
 	YY_RANGE_OUT			{ $$ = FR_OUTRANGE; }
 	| YY_RANGE_IN			{ $$ = FR_INRANGE; }
+	| ':'				{ $$ = FR_INCRANGE; }
 	;
 
 ipv4:	YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index 9810345..1ad00c4 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -36,6 +36,7 @@ extern int	yydebug;
 
 char		*yystr = NULL;
 int		yytext[YYBUFSIZ+1];
+char		yychars[YYBUFSIZ+1];
 int		yylineNum = 1;
 int		yypos = 0;
 int		yylast = -1;
@@ -49,13 +50,15 @@ wordtab_t	*yysavewords[30];
 
 
 static	wordtab_t	*yyfindkey __P((char *));
-static	int		yygetc __P((void));
+static	int		yygetc __P((int));
 static	void		yyunputc __P((int));
 static	int		yyswallow __P((int));
 static	char		*yytexttostr __P((int, int));
 static	void		yystrtotext __P((char *));
+static	char		*yytexttochar __P((void));
 
-static int yygetc()
+static int yygetc(docont)
+int docont;
 {
 	int c;
 
@@ -74,6 +77,13 @@ static int yygetc()
 		yypos++;
 	} else {
 		c = fgetc(yyin);
+		if (docont && (c == '\\')) {
+			c = fgetc(yyin);
+			if (c == '\n') {
+				yylineNum++;
+				c = fgetc(yyin);
+			}
+		}
 	}
 	if (c == '\n')
 		yylineNum++;
@@ -99,7 +109,7 @@ int last;
 {
 	int c;
 
-	while (((c = yygetc()) > '\0') && (c != last))
+	while (((c = yygetc(0)) > '\0') && (c != last))
 		;
 
 	if (c != EOF)
@@ -110,6 +120,17 @@ int last;
 }
 
 
+static char *yytexttochar()
+{
+	int i;
+
+	for (i = 0; i < yypos; i++)
+		yychars[i] = (char)(yytext[i] & 0xff);
+	yychars[i] = '\0';
+	return yychars;
+}
+
+
 static void yystrtotext(str)
 char *str;
 {
@@ -165,7 +186,9 @@ int yylex()
 	}
 
 nextchar:
-	c = yygetc();
+	c = yygetc(0);
+	if (yydebug > 1)
+		printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
 
 	switch (c)
 	{
@@ -228,20 +251,20 @@ nextchar:
 			yyunputc(c);
 			goto done;
 		}
-		n = yygetc();
+		n = yygetc(0);
 		if (n == '{') {
 			if (yyswallow('}') == -1) {
 				rval = -2;
 				goto done;
 			}
-			(void) yygetc();
+			(void) yygetc(0);
 		} else {
 			if (!ISALPHA(n)) {
 				yyunputc(n);
 				break;
 			}
 			do {
-				n = yygetc();
+				n = yygetc(1);
 			} while (ISALPHA(n) || ISDIGIT(n) || n == '_');
 			yyunputc(n);
 		}
@@ -273,7 +296,7 @@ nextchar:
 			goto done;
 		}
 		do {
-			n = yygetc();
+			n = yygetc(1);
 			if (n == EOF || n == TOOLONG) {
 				rval = -2;
 				goto done;
@@ -323,7 +346,7 @@ nextchar:
 			break;
 		if (isbuilding == 1)
 			break;
-		n = yygetc();
+		n = yygetc(0);
 		if (n == '>') {
 			isbuilding = 1;
 			goto done;
@@ -337,7 +360,7 @@ nextchar:
 			yyunputc(c);
 			goto done;
 		}
-		n = yygetc();
+		n = yygetc(0);
 		if (n == '=') {
 			rval = YY_CMP_NE;
 			goto done;
@@ -353,7 +376,7 @@ nextchar:
 			yyunputc(c);
 			goto done;
 		}
-		n = yygetc();
+		n = yygetc(0);
 		if (n == '=') {
 			rval = YY_CMP_LE;
 			goto done;
@@ -373,7 +396,7 @@ nextchar:
 			yyunputc(c);
 			goto done;
 		}
-		n = yygetc();
+		n = yygetc(0);
 		if (n == '=') {
 			rval = YY_CMP_GE;
 			goto done;
@@ -410,7 +433,7 @@ nextchar:
 		 */
 		do {
 			*s++ = c;
-			c = yygetc();
+			c = yygetc(1);
 		} while ((ishex(c) || c == ':' || c == '.') &&
 			 (s - ipv6buf < 46));
 		yyunputc(c);
@@ -436,10 +459,10 @@ nextchar:
 	}
 
 	if (isbuilding == 0 && c == '0') {
-		n = yygetc();
+		n = yygetc(0);
 		if (n == 'x') {
 			do {
-				n = yygetc();
+				n = yygetc(1);
 			} while (ishex(n));
 			yyunputc(n);
 			rval = YY_HEX;
@@ -453,7 +476,7 @@ nextchar:
 	 */
 	if (isbuilding == 0 && ISDIGIT(c)) {
 		do {
-			n = yygetc();
+			n = yygetc(1);
 		} while (ISDIGIT(n));
 		yyunputc(n);
 		rval = YY_NUMBER;