author | darrenr <darrenr@FreeBSD.org> | 2007-10-18 21:52:14 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2007-10-18 21:52:14 +0000 |
commit | fd172ed3272b523c5499832d7098b6766bac7e4f (patch) | |
tree | 7eb0ed562f560c2289c5b113e742797727d126db /contrib/ipfilter/tools | |
parent | 6f755e940898e80d77f95031600e671c36e0a7a6 (diff) | |
Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after: 7 days
Diffstat (limited to 'contrib/ipfilter/tools')
-rw-r--r-- | contrib/ipfilter/tools/ipf_y.y | 24 | ||||
-rw-r--r-- | contrib/ipfilter/tools/ipfstat.c | 6 | ||||
-rw-r--r-- | contrib/ipfilter/tools/ipmon.c | 35 | ||||
-rw-r--r-- | contrib/ipfilter/tools/ipnat.c | 65 | ||||
-rw-r--r-- | contrib/ipfilter/tools/ipnat_y.y | 1 | ||||
-rw-r--r-- | contrib/ipfilter/tools/lexer.c | 55 |
6 files changed, 161 insertions, 25 deletions
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y index e8789e0..2ce4291 100644 --- a/contrib/ipfilter/tools/ipf_y.y +++ b/contrib/ipfilter/tools/ipf_y.y @@ -772,8 +772,20 @@ fromport: srcportlist: portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) } + | portnum ':' portnum + { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \ + fr->fr_stop = $3;) } + | portnum YY_RANGE_IN portnum + { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \ + fr->fr_stop = $3;) } | srcportlist lmore portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) } + | srcportlist lmore portnum ':' portnum + { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \ + fr->fr_stop = $5;) } + | srcportlist lmore portnum YY_RANGE_IN portnum + { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \ + fr->fr_stop = $5;) } ; dstobject: @@ -838,8 +850,20 @@ toport: dstportlist: portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) } + | portnum ':' portnum + { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \ + fr->fr_dtop = $3;) } + | portnum YY_RANGE_IN portnum + { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \ + fr->fr_dtop = $3;) } | dstportlist lmore portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) } + | dstportlist lmore portnum ':' portnum + { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \ + fr->fr_dtop = $5;) } + | dstportlist lmore portnum YY_RANGE_IN portnum + { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \ + fr->fr_dtop = $5;) } ; addr: pool '/' YY_NUMBER { pooled = 1; diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c index 481282a..3c5bfdd 100644 --- a/contrib/ipfilter/tools/ipfstat.c +++ b/contrib/ipfilter/tools/ipfstat.c 
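Review bot: The new range alternatives in `srcportlist` (`portnum ':' portnum`, `portnum YY_RANGE_IN portnum` and their `lmore` forms) store `$1`/`$3` (or `$3`/`$5`) straight into `fr_sport`/`fr_stop` without checking that the first bound does not exceed the second; the `dstportlist` hunk at -850 has the same gap for `fr_dport`/`fr_dtop`. Unless `portnum` or the kernel side rejects it (neither is visible here), a reversed range such as `200:100` would presumably load as a rule that never matches, which for a filter rule is a silent policy gap. Consider rejecting it in the action before the `DOREM(...)`, e.g. `if ($1 > $3) yyerror("invalid port range");`.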
@@ -71,7 +71,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $"; #endif #ifdef __hpux @@ -1120,7 +1120,7 @@ ips_stat_t *ipsp; PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ? (u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0); - minlen = ipsp->iss_max; + minlen = ipsp->iss_inuse; totallen = 0; maxlen = 0; @@ -1128,7 +1128,7 @@ ips_stat_t *ipsp; if (buckets[i] > maxlen) maxlen = buckets[i]; if (buckets[i] < minlen) - minlen = buckets[i]; + minlen = buckets[i]; totallen += buckets[i]; } diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c index f651f86..ceaed82 100644 --- a/contrib/ipfilter/tools/ipmon.c +++ b/contrib/ipfilter/tools/ipmon.c @@ -78,7 +78,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $"; #endif @@ -752,6 +752,8 @@ int blen; strcpy(t, "NAT:MAPBLOCK "); else if (nl->nl_type == NL_CLONE) strcpy(t, "NAT:CLONE "); + else if (nl->nl_type == NL_DESTROY) + strcpy(t, "NAT:DESTROY "); else sprintf(t, "Type: %d ", nl->nl_type); t += strlen(t); @@ -764,8 +766,9 @@ int blen; (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip), portname(res, proto, (u_int)nl->nl_outport)); t += strlen(t); - (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip), - portname(res, proto, (u_int)nl->nl_origport)); + (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip), + portname(res, proto, (u_int)nl->nl_origport), + getproto(nl->nl_p)); t += strlen(t); if (nl->nl_type == NL_EXPIRE) { #ifdef USE_QUAD_T 
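Review bot: In the ipmon.c hunk at -764 the widened format `"[%s,%s PR %s]"` is still written with an unbounded `sprintf(t, ...)`, and it now appends a third variable-length string from `getproto(nl->nl_p)` on top of the host and port names. When name resolution is on (`res`), the length of the `HOSTNAME_V4` result presumably depends on data returned by the resolver rather than on anything ipmon controls, so the buffer behind `t` can be overrun; its size is declared outside this hunk. Keep a count of the space left in that buffer and write with `snprintf(t, left, "[%s,%s PR %s]", ...)`, treating a return value `>= left` as truncation and stopping there. The same accounting should cover the `strcpy(t, "NAT:DESTROY ")` added in the -752 hunk.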
@@ -1002,7 +1005,10 @@ int blen; ipflog_t *ipf; iplog_t *ipl; #ifdef USE_INET6 + struct ip6_ext *ehp; + u_short ehl; ip6_t *ip6; + int go; #endif ipl = (iplog_t *)buf; @@ -1111,6 +1117,29 @@ int blen; s = (u_32_t *)&ip6->ip6_src; d = (u_32_t *)&ip6->ip6_dst; plen = hl + ntohs(ip6->ip6_plen); + go = 1; + ehp = (struct ip6_ext *)((char *)ip6 + hl); + while (go == 1) { + switch (p) + { + case IPPROTO_HOPOPTS : + case IPPROTO_MOBILITY : + case IPPROTO_DSTOPTS : + case IPPROTO_ROUTING : + case IPPROTO_AH : + p = ehp->ip6e_nxt; + ehl = 8 + (ehp->ip6e_len << 3); + hl += ehl; + ehp = (struct ip6_ext *)((char *)ehp + ehl); + break; + case IPPROTO_FRAGMENT : + hl += sizeof(struct ip6_frag); + /* FALLTHROUGH */ + default : + go = 0; + break; + } + } #else sprintf(t, "ipv6"); goto printipflog; diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c index c9954ab..28e29ec 100644 --- a/contrib/ipfilter/tools/ipnat.c +++ b/contrib/ipfilter/tools/ipnat.c @@ -67,7 +67,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.6 2007/05/11 11:16:55 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $"; #endif @@ -80,6 +80,7 @@ char thishost[MAXHOSTNAMELEN]; extern char *optarg; void dostats __P((int, natstat_t *, int, int)); +void dotable __P((natstat_t *, int, int)); void flushtable __P((int, int)); void usage __P((char *)); int main __P((int, char*[])); 
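Review bot: The extension-header walk added after `plen = hl + ntohs(ip6->ip6_plen);` in the ipmon.c hunk at -1111 reads `ehp->ip6e_nxt` and `ehp->ip6e_len` and advances `ehp` by a length taken from the logged packet, with no check against `blen` or against how much packet data the record actually holds. A truncated or malformed IPv6 header chain in a log record would make ipmon read past `buf`. Stop the walk when the next header does not fit, e.g. `if ((char *)(ehp + 1) > (char *)buf + blen) { go = 0; break; }` at the top of the extension-header cases. Separately, `IPPROTO_AH` shares the `8 + (ehp->ip6e_len << 3)` computation, but AH encodes its length in 4-byte units (`(len + 2) << 2`), so `hl` will be off after an AH header. The function body starts and ends outside this hunk.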
@@ -359,9 +360,10 @@ int fd, opts, alive; nsp->ns_added, nsp->ns_expire); printf("no memory\t%lu\tbad nat\t%lu\n", nsp->ns_memfail, nsp->ns_badnat); - printf("inuse\t%lu\nrules\t%lu\n", - nsp->ns_inuse, nsp->ns_rules); + printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n", + nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules); printf("wilds\t%u\n", nsp->ns_wilds); + dotable(nsp, fd, alive); if (opts & OPT_VERBOSE) printf("table %p list %p\n", nsp->ns_table, nsp->ns_list); @@ -378,6 +380,63 @@ int fd, opts, alive; } +void dotable(nsp, fd, alive) +natstat_t *nsp; +int fd, alive; +{ + int sz, i, used, totallen, maxlen, minlen; + ipftable_t table; + u_long *buckets; + ipfobj_t obj; + + sz = sizeof(*buckets) * nsp->ns_nattab_sz; + buckets = (u_long *)malloc(sz); + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_GTABLE; + obj.ipfo_size = sizeof(table); + obj.ipfo_ptr = &table; + + table.ita_type = IPFTABLE_BUCKETS_NATIN; + table.ita_table = buckets; + + if (alive) { + if (ioctl(fd, SIOCGTABL, &obj) != 0) { + free(buckets); + return; + } + } else { + if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) { + free(buckets); + return; + } + } + + totallen = 0; + maxlen = 0; + minlen = nsp->ns_inuse; + used = 0; + + for (i = 0; i < nsp->ns_nattab_sz; i++) { + if (buckets[i] > maxlen) + maxlen = buckets[i]; + if (buckets[i] < minlen) + minlen = buckets[i]; + if (buckets[i] != 0) + used++; + totallen += buckets[i]; + } + + printf("hash efficiency\t%2.2f%%\n", + totallen ? ((float)used / totallen) * 100.0 : 0.0); + printf("bucket usage\t%2.2f%%\n", + ((float)used / nsp->ns_nattab_sz) * 100.0); + printf("minimal length\t%d\n", minlen); + printf("maximal length\t%d\n", maxlen); + printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0); +} + + /* * Display NAT statistics. */ diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y index 1857219..cce717d 100644 --- a/contrib/ipfilter/tools/ipnat_y.y 
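Review bot: `dotable()` uses the result of `malloc(sz)` without a NULL check, so on allocation failure the `!alive` path copies into a null pointer and the loop reads `buckets[i]`; add `if (buckets == NULL) return;` right after the allocation. `sz` is an `int` product of `sizeof(*buckets)` and `nsp->ns_nattab_sz`, a value that comes from the kernel or a core image, so it should be range-checked (non-zero, no overflow) before being used as the allocation and copy size. In the `!alive` branch, `kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)` passes the table size where a kernel address seems to be expected; this looks like it should be the address of the bucket-length array, to be confirmed against `natstat_t`. `maxlen` and `minlen` are also `int` while being compared with and assigned from `u_long` bucket values.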
+++ b/contrib/ipfilter/tools/ipnat_y.y @@ -611,6 +611,7 @@ compare: range: YY_RANGE_OUT { $$ = FR_OUTRANGE; } | YY_RANGE_IN { $$ = FR_INRANGE; } + | ':' { $$ = FR_INCRANGE; } ; ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c index 2969f86..989643c 100644 --- a/contrib/ipfilter/tools/lexer.c +++ b/contrib/ipfilter/tools/lexer.c @@ -38,6 +38,7 @@ extern int yydebug; char *yystr = NULL; int yytext[YYBUFSIZ+1]; +char yychars[YYBUFSIZ+1]; int yylineNum = 1; int yypos = 0; int yylast = -1; @@ -51,13 +52,15 @@ wordtab_t *yysavewords[30]; static wordtab_t *yyfindkey __P((char *)); -static int yygetc __P((void)); +static int yygetc __P((int)); static void yyunputc __P((int)); static int yyswallow __P((int)); static char *yytexttostr __P((int, int)); static void yystrtotext __P((char *)); +static char *yytexttochar __P((void)); -static int yygetc() +static int yygetc(docont) +int docont; { int c; @@ -76,6 +79,13 @@ static int yygetc() yypos++; } else { c = fgetc(yyin); + if (docont && (c == '\\')) { + c = fgetc(yyin); + if (c == '\n') { + yylineNum++; + c = fgetc(yyin); + } + } } if (c == '\n') yylineNum++; @@ -101,7 +111,7 @@ int last; { int c; - while (((c = yygetc()) > '\0') && (c != last)) + while (((c = yygetc(0)) > '\0') && (c != last)) ; if (c != EOF) @@ -112,6 +122,17 @@ int last; } +static char *yytexttochar() +{ + int i; + + for (i = 0; i < yypos; i++) + yychars[i] = (char)(yytext[i] & 0xff); + yychars[i] = '\0'; + return yychars; +} + + static void yystrtotext(str) char *str; { @@ -167,7 +188,9 @@ int yylex() } nextchar: - c = yygetc(); + c = yygetc(0); + if (yydebug > 1) + printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar()); switch (c) { 
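Review bot: In `yygetc()` the new continuation branch consumes the character after a backslash unconditionally: when that character is not a newline, the backslash is dropped and the following character is returned in its place. Push the lookahead back instead, e.g. `else { ungetc(c, yyin); c = '\\'; }` after the `if (c == '\n')` block. The branch sits only on the `fgetc(yyin)` side of the enclosing `if`, whose condition is outside the hunk, so input served from the other side gets no continuation handling; a comment stating whether that is intended would help. `yytexttochar()` in the -112 hunk writes `yychars[yypos]`, which is only safe if `yypos <= YYBUFSIZ`, and that bound is not visible here.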
@@ -230,20 +253,20 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '{') { if (yyswallow('}') == -1) { rval = -2; goto done; } - (void) yygetc(); + (void) yygetc(0); } else { if (!ISALPHA(n)) { yyunputc(n); break; } do { - n = yygetc(); + n = yygetc(1); } while (ISALPHA(n) || ISDIGIT(n) || n == '_'); yyunputc(n); } @@ -275,7 +298,7 @@ nextchar: goto done; } do { - n = yygetc(); + n = yygetc(1); if (n == EOF || n == TOOLONG) { rval = -2; goto done; @@ -325,7 +348,7 @@ nextchar: break; if (isbuilding == 1) break; - n = yygetc(); + n = yygetc(0); if (n == '>') { isbuilding = 1; goto done; @@ -339,7 +362,7 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '=') { rval = YY_CMP_NE; goto done; @@ -355,7 +378,7 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '=') { rval = YY_CMP_LE; goto done; @@ -375,7 +398,7 @@ nextchar: yyunputc(c); goto done; } - n = yygetc(); + n = yygetc(0); if (n == '=') { rval = YY_CMP_GE; goto done; @@ -412,7 +435,7 @@ nextchar: */ do { *s++ = c; - c = yygetc(); + c = yygetc(1); } while ((ishex(c) || c == ':' || c == '.') && (s - ipv6buf < 46)); yyunputc(c); @@ -438,10 +461,10 @@ nextchar: } if (isbuilding == 0 && c == '0') { - n = yygetc(); + n = yygetc(0); if (n == 'x') { do { - n = yygetc(); + n = yygetc(1); } while (ishex(n)); yyunputc(n); rval = YY_HEX; @@ -455,7 +478,7 @@ nextchar: */ if (isbuilding == 0 && ISDIGIT(c)) { do { - n = yygetc(); + n = yygetc(1); } while (ISDIGIT(n)); yyunputc(n); rval = YY_NUMBER; |