authordarrenr <darrenr@FreeBSD.org>2007-10-18 21:52:14 +0000
committerdarrenr <darrenr@FreeBSD.org>2007-10-18 21:52:14 +0000
commitfd172ed3272b523c5499832d7098b6766bac7e4f (patch)
tree7eb0ed562f560c2289c5b113e742797727d126db /contrib/ipfilter
parent6f755e940898e80d77f95031600e671c36e0a7a6 (diff)
Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after: 7 days
Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/Makefile19
-rw-r--r--contrib/ipfilter/ip_fil.c9
-rw-r--r--contrib/ipfilter/ipsend/iptests.c8
-rw-r--r--contrib/ipfilter/ipsend/sock.c8
-rw-r--r--contrib/ipfilter/l4check/l4check.c43
-rw-r--r--contrib/ipfilter/lib/ipft_tx.c37
-rw-r--r--contrib/ipfilter/lib/printnat.c13
-rw-r--r--contrib/ipfilter/lib/printpacket.c4
-rw-r--r--contrib/ipfilter/lib/printstate.c4
-rw-r--r--contrib/ipfilter/man/ippool.52
-rw-r--r--contrib/ipfilter/md5.h2
-rw-r--r--contrib/ipfilter/radix.c6
-rw-r--r--contrib/ipfilter/radix_ipf.h4
-rw-r--r--contrib/ipfilter/tools/ipf_y.y24
-rw-r--r--contrib/ipfilter/tools/ipfstat.c6
-rw-r--r--contrib/ipfilter/tools/ipmon.c35
-rw-r--r--contrib/ipfilter/tools/ipnat.c65
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y1
-rw-r--r--contrib/ipfilter/tools/lexer.c55
19 files changed, 264 insertions, 81 deletions
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 9b4673e..334cd45 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -6,7 +6,7 @@
# to the original author and the contributors.
#
# $FreeBSD$
-# Id: Makefile,v 2.76.2.19 2006/03/17 10:38:38 darrenr Exp $
+# Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $
#
SHELL=/bin/sh
BINDEST=/usr/local/bin
@@ -132,10 +132,7 @@ all:
@echo "openbsd - compile for OpenBSD"
@echo "freebsd20 - compile for FreeBSD 2.0, 2.1 or earlier"
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
- @echo "freebsd3 - compile for FreeBSD-3.x"
- @echo "freebsd4 - compile for FreeBSD-4.x"
- @echo "freebsd5 - compile for FreeBSD-5.x"
- @echo "freebsd6 - compile for FreeBSD-6.x"
+ @echo "freebsd - compile for all other versions of FreeBSD"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@@ -152,6 +149,7 @@ retest:
else echo test directory not present, sorry; fi
include:
+ -mkdir -p net netinet
if [ ! -f netinet/done ] ; then \
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
@@ -167,6 +165,9 @@ sunos solaris: include
MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
+freebsd:
+ make freebsd`uname -r|cut -c1`
+
freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
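Review bot: The new `freebsd` target picks its sub-target with `uname -r|cut -c1`, which keeps only the first character of the release string, so a two-digit major release would resolve to `freebsd1`. Taking the field before the first dot with `cut -d. -f1` avoids that. The recipe also invokes a literal `make`, whereas the sunos/solaris rule just above passes `$(MAKE)` and `$(MAKEFLAGS)` through; using `$(MAKE)` here keeps the recursive build on the same make binary and flags.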
@@ -351,13 +352,9 @@ sunos4 solaris1:
(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
- (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
+ (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-sunos5x86 solaris2x86: null
- (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
- (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-
linux: include
(cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
(cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..)
@@ -374,7 +371,7 @@ install-sunos4: solaris
(cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
install-sunos5: solaris null
- (cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install)
+ (cd SunOS5; $(MAKE) TOP=.. install)
install-aix:
(cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 45bbf94..a3efa87 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.16 2007/05/28 11:56:22 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.18 2007/09/09 11:32:05 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -81,7 +81,7 @@ struct file;
#include <sys/hashing.h>
# endif
#endif
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) || defined(SOLARIS2)
# include "radix_ipf.h"
#endif
#ifndef __osf__
@@ -390,7 +390,7 @@ int v;
*addr++ = '\0';
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- COPYIFNAME(ifp, ifname);
+ COPYIFNAME(v, ifp, ifname);
if (!strcmp(name, ifname)) {
if (addr != NULL)
fr_setifpaddr(ifp, addr);
@@ -429,6 +429,9 @@ int v;
}
ifp = ifneta[nifs - 1];
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
+ TAILQ_INIT(&ifp->if_addrlist);
+#endif
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index a58131d..0dd96b8 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.8 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.9 2007/09/13 07:19:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -22,6 +22,9 @@ typedef int boolean_t;
#endif
#include <sys/time.h>
#if !defined(__osf__)
+# ifdef __NetBSD__
+# include <machine/lock.h>
+# endif
# define _KERNEL
# define KERNEL
# if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux)
@@ -1097,7 +1100,8 @@ int ptest;
struct tcpcb *tcbp, tcb;
struct tcpiphdr ti;
struct sockaddr_in sin;
- int fd, slen;
+ int fd;
+ socklen_t slen;
bzero((char *)&sin, sizeof(sin));
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index 7aac448..9a2cfc3 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.6 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.7 2007/09/13 07:19:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -30,6 +30,9 @@ typedef int boolean_t;
# include <sys/dir.h>
#endif
#if !defined(__osf__)
+# ifdef __NetBSD__
+# include <machine/lock.h>
+# endif
# define _KERNEL
# define KERNEL
# ifdef ultrix
@@ -385,7 +388,8 @@ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct tcpcb *t, tcb;
- int fd, nfd, len;
+ int fd, nfd;
+ socklen_t len;
printf("Dest. Port: %d\n", ti->ti_dport);
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
index 5c44a37..fd2753e 100644
--- a/contrib/ipfilter/l4check/l4check.c
+++ b/contrib/ipfilter/l4check/l4check.c
@@ -27,6 +27,7 @@
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
+#include "ipl.h"
#include "ipf.h"
@@ -98,13 +99,21 @@ char *dst, *src;
void addnat(l4)
l4cfg_t *l4;
{
+
ipnat_t *ipn = &l4->l4_nat;
- printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]),
+ printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4),
ipn->in_outmsk, ntohs(ipn->in_pmin));
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext));
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext));
if (!(opts & OPT_DONOTHING)) {
- if (ioctl(natfd, SIOCADNAT, &ipn) == -1)
+ ipfobj_t obj;
+
+ bzero(&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(*ipn);
+ obj.ipfo_ptr = ipn;
+
+ if (ioctl(natfd, SIOCADNAT, &obj) == -1)
perror("ioctl(SIOCADNAT)");
}
}
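Review bot: `obj.ipfo_type` is never assigned in the new `ipfobj_t` setup, so after the `bzero()` the SIOCADNAT request reaches the kernel with type 0. The `dotable()` function added to tools/ipnat.c in this same commit sets `ipfo_type` explicitly before its ioctl, which suggests the kernel validates that field; if it does, this request is likely rejected or matched against the wrong object type. Set the type to the NAT-rule object constant from ip_fil.h (presumably `IPFOBJ_IPNAT`, to be confirmed against the header) next to `obj.ipfo_rev`. The same omission is in the SIOCRMNAT hunk that follows.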
@@ -116,9 +125,16 @@ l4cfg_t *l4;
ipnat_t *ipn = &l4->l4_nat;
printf("Remove NAT rule for %s/%#x,%u -> ",
- inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin);
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext);
+ inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin);
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext);
if (!(opts & OPT_DONOTHING)) {
+ ipfobj_t obj;
+
+ bzero(&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(*ipn);
+ obj.ipfo_ptr = ipn;
+
if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
perror("ioctl(SIOCRMNAT)");
}
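Review bot: The `ioctl(natfd, SIOCRMNAT, &ipn)` call still passes the address of the local pointer rather than the `obj` wrapper this hunk builds, so the new `ipfobj_t` is dead code and the kernel receives a pointer-to-pointer where the add path now sends `&obj`. Change the call to `if (ioctl(natfd, SIOCRMNAT, &obj) == -1)`. As written, rule removal most likely fails or has the kernel interpret unrelated stack bytes as an object header, leaving the NAT table out of step with what the tool prints.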
@@ -178,7 +194,6 @@ l4cfg_t *l4;
void writefd(l4)
l4cfg_t *l4;
{
- char buf[80], *ptr;
int n, i, fd;
fd = l4->l4_fd;
@@ -410,7 +425,6 @@ u_short *portp;
struct servent *sp;
struct hostent *hp;
char *host, *port;
- struct in_addr ip;
host = str;
port = strchr(host, ',');
@@ -555,7 +569,8 @@ char *filename;
break;
}
- strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));
+ strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);
+ strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ);
if (!gethostport(t, num, &ipn->in_outip,
&ipn->in_pmin)) {
errtxt = line;
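Review bot: Both `strncpy(..., s, LIFNAMSIZ)` calls leave the destination without a terminating NUL when the interface name read from the configuration file is LIFNAMSIZ characters or longer, and `in_ifnames[0]` is printed with `%s` in the verbose branch a few lines further down. Assuming each `in_ifnames[]` element is LIFNAMSIZ bytes, copy at most `LIFNAMSIZ - 1` bytes and terminate explicitly: `strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ - 1); ipn->in_ifnames[0][LIFNAMSIZ - 1] = '\0';`, and likewise for index 1. Rejecting an over-long name with an error, as the other parse failures in this function do, would be preferable to silent truncation. The enclosing function starts and ends outside this hunk.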
@@ -567,11 +582,11 @@ char *filename;
if (opts & OPT_VERBOSE)
fprintf(stderr,
"Interface %s %s/%#x port %u\n",
- ipn->in_ifname,
- inet_ntoa(ipn->in_out[0]),
+ ipn->in_ifnames[0],
+ inet_ntoa(ipn->in_out[0].in4),
ipn->in_outmsk, ipn->in_pmin);
} else if (!strcasecmp(t, "remote")) {
- if (!*ipn->in_ifname) {
+ if (!*ipn->in_ifnames[0]) {
fprintf(stderr,
"%d: ifname not set prior to remote\n",
num);
@@ -606,7 +621,7 @@ char *filename;
break;
}
bcopy((char *)&template, (char *)l4, sizeof(*l4));
- l4->l4_sin.sin_addr = ipn->in_in[0];
+ l4->l4_sin.sin_addr = ipn->in_in[0].in4;
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_next = l4list;
l4list = l4;
@@ -793,7 +808,7 @@ char *argv[];
}
if (!(opts & OPT_DONOTHING)) {
- natfd = open(IPL_NAT, O_RDWR);
+ natfd = open(IPNAT_NAME, O_RDWR);
if (natfd == -1) {
perror("open(IPL_NAT)");
exit(1);
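Review bot: The `perror("open(IPL_NAT)")` text on the failure path still names the old macro although the call now opens `IPNAT_NAME`, so the message no longer matches the code. `perror(IPNAT_NAME);` would report the device path that was actually tried.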
@@ -804,4 +819,6 @@ char *argv[];
fprintf(stderr, "Starting...\n");
while (runconfig() == 0)
;
+
+ exit(1);
}
diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c
index c613d6b..f4475e3 100644
--- a/contrib/ipfilter/lib/ipft_tx.c
+++ b/contrib/ipfilter/lib/ipft_tx.c
@@ -5,11 +5,11 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_tx.c,v 1.15.2.9 2006/06/16 17:21:04 darrenr Exp $
+ * $Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.9 2006/06/16 17:21:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $";
#endif
#include <ctype.h>
@@ -259,19 +259,30 @@ int *out;
}
ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
cpp++;
- if (*cpp && ip->ip_p == IPPROTO_TCP) {
- char *s, *t;
-
- tcp->th_flags = 0;
- for (s = *cpp; *s; s++)
- if ((t = strchr(myflagset, *s)))
- tcp->th_flags |= myflags[t - myflagset];
- if (tcp->th_flags)
- cpp++;
- if (tcp->th_flags == 0)
- abort();
+ if (ip->ip_p == IPPROTO_TCP) {
+ if (*cpp != NULL) {
+ char *s, *t;
+
+ tcp->th_flags = 0;
+ for (s = *cpp; *s; s++)
+ if ((t = strchr(myflagset, *s)))
+ tcp->th_flags |= myflags[t-myflagset];
+ if (tcp->th_flags)
+ cpp++;
+ }
+
if (tcp->th_flags & TH_URG)
tcp->th_urp = htons(1);
+
+ if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
+ tcp->th_seq = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
+
+ if (*cpp && !strncasecmp(*cpp, "ack=", 4)) {
+ tcp->th_ack = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
extern char *tx_icmptypes[];
char **s, *t;
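Review bot: The `seq=` and `ack=` values are parsed with `atoi()`, which returns a signed `int` and reports no errors, so a sequence number above INT_MAX (half of the 32-bit space) or a non-numeric suffix yields an undefined or zero value with no diagnostic. Use `strtoul()` with an end-pointer check instead, e.g. `tcp->th_seq = htonl((u_32_t)strtoul(*cpp + 4, &end, 0));` and reject the line when `end` does not reach the terminator. Separately, with the `abort()` removed, `tcp->th_flags` is zeroed only inside the `*cpp != NULL` branch yet is tested for `TH_URG` immediately afterwards; whether it is cleared earlier is not visible in this hunk.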
diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c
index 06ed9a3..62942ce 100644
--- a/contrib/ipfilter/lib/printnat.c
+++ b/contrib/ipfilter/lib/printnat.c
@@ -13,7 +13,7 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.13 2006/12/09 10:37:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.14 2007/09/06 16:40:11 darrenr Exp $";
#endif
/*
@@ -136,6 +136,8 @@ int opts;
if (opts & OPT_DEBUG)
printf("\tpmax %u\n", np->in_pmax);
} else {
+ int protoprinted = 0;
+
if (!(np->in_flags & IPN_FILTER)) {
printf("%s/", inet_ntoa(np->in_in[0].in4));
bits = count4bits(np->in_inmsk);
@@ -172,6 +174,7 @@ int opts;
printf(" %.*s/", (int)sizeof(np->in_plabel),
np->in_plabel);
printproto(pr, np->in_p, NULL);
+ protoprinted = 1;
} else if (np->in_redir == NAT_MAPBLK) {
if ((np->in_pmin == 0) &&
(np->in_flags & IPN_AUTOPORTMAP))
@@ -187,6 +190,7 @@ int opts;
printf(" portmap ");
}
printproto(pr, np->in_p, np);
+ protoprinted = 1;
if (np->in_flags & IPN_AUTOPORTMAP) {
printf(" auto");
if (opts & OPT_DEBUG)
@@ -198,9 +202,6 @@ int opts;
printf(" %d:%d", ntohs(np->in_pmin),
ntohs(np->in_pmax));
}
- } else if (np->in_flags & IPN_TCPUDP || np->in_p) {
- putchar(' ');
- printproto(pr, np->in_p, np);
}
if (np->in_flags & IPN_FRAG)
@@ -212,6 +213,10 @@ int opts;
printf(" mssclamp %d", np->in_mssclamp);
if (np->in_tag.ipt_tag[0] != '\0')
printf(" tag %s", np->in_tag.ipt_tag);
+ if (!protoprinted && (np->in_flags & IPN_TCPUDP || np->in_p)) {
+ putchar(' ');
+ printproto(pr, np->in_p, np);
+ }
printf("\n");
if (opts & OPT_DEBUG) {
struct in_addr nip;
diff --git a/contrib/ipfilter/lib/printpacket.c b/contrib/ipfilter/lib/printpacket.c
index cff13eb..25a4d5a 100644
--- a/contrib/ipfilter/lib/printpacket.c
+++ b/contrib/ipfilter/lib/printpacket.c
@@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printpacket.c,v 1.12.4.4 2006/09/30 21:44:43 darrenr Exp $
+ * $Id: printpacket.c,v 1.12.4.5 2007/09/09 22:15:30 darrenr Exp $
*/
#include "ipf.h"
@@ -56,7 +56,7 @@ struct ip *ip;
printf("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
IP_HL(ip) << 2, ip->ip_p);
if (off & IP_OFFMASK)
- printf(" @%d", off << 3);
+ printf(" @%d", (off & IP_OFFMASK) << 3);
printf(" %s", inet_ntoa(ip->ip_src));
if (!(off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
diff --git a/contrib/ipfilter/lib/printstate.c b/contrib/ipfilter/lib/printstate.c
index 43621ef..a8777b2 100644
--- a/contrib/ipfilter/lib/printstate.c
+++ b/contrib/ipfilter/lib/printstate.c
@@ -35,8 +35,8 @@ u_long now;
sp->is_send, sp->is_dend,
sp->is_maxswin, sp->is_swinscale,
sp->is_maxdwin, sp->is_dwinscale);
- PRINTF("\tcmsk %04x smsk %04x isc %p s0 %08x/%08x\n",
- sp->is_smsk[0], sp->is_smsk[1], sp->is_isc,
+ PRINTF("\tcmsk %04x smsk %04x s0 %08x/%08x\n",
+ sp->is_smsk[0], sp->is_smsk[1],
sp->is_s0[0], sp->is_s0[1]);
PRINTF("\tFWD:ISN inc %x sumd %x\n",
sp->is_isninc[0], sp->is_sumd[0]);
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
index 974a0e8..367eb8d 100644
--- a/contrib/ipfilter/man/ippool.5
+++ b/contrib/ipfilter/man/ippool.5
@@ -94,7 +94,7 @@ to use the tree data storage type with
configuration entries.
.SH POOL ROLES
.PP
-When a pool is defined in the configruation file, it must have an associated
+When a pool is defined in the configuration file, it must have an associated
role. At present the only supported role is
.B ipf.
Future development will see futher expansion of their use by other sections
diff --git a/contrib/ipfilter/md5.h b/contrib/ipfilter/md5.h
index 8270531..914df74 100644
--- a/contrib/ipfilter/md5.h
+++ b/contrib/ipfilter/md5.h
@@ -39,7 +39,7 @@
***********************************************************************
*/
-#ifndef __MD5_INCLUDE__
+#if !defined(__MD5_INCLUDE__) && !defined(_SYS_MD5_H)
#ifndef __P
# ifdef __STDC__
diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c
index e0c69ed..8c67562 100644
--- a/contrib/ipfilter/radix.c
+++ b/contrib/ipfilter/radix.c
@@ -76,8 +76,14 @@ void panic __P((char *str));
#include <netinet/in.h>
#include <sys/socket.h>
#include <net/if.h>
+#ifdef SOLARIS2
+# define _RADIX_H_
+#endif
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
+#ifdef SOLARIS2
+# undef _RADIX_H_
+#endif
/* END OF INCLUDES */
#include "radix_ipf.h"
#ifndef min
diff --git a/contrib/ipfilter/radix_ipf.h b/contrib/ipfilter/radix_ipf.h
index 220a389..11e4ba7 100644
--- a/contrib/ipfilter/radix_ipf.h
+++ b/contrib/ipfilter/radix_ipf.h
@@ -42,7 +42,7 @@
# endif
#endif
-#if defined(__sgi) || defined(__osf__)
+#if defined(__sgi) || defined(__osf__) || defined(sun)
# define radix_mask ipf_radix_mask
# define radix_node ipf_radix_node
# define radix_node_head ipf_radix_node_head
@@ -163,7 +163,7 @@ struct radix_node_head {
#define FreeS(p, z) KFREES(p, z)
#define Free(p) KFREE(p)
-#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516)) && defined(_KERNEL)
+#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516) || defined(sun)) && defined(_KERNEL)
# define rn_init ipf_rn_init
# define rn_fini ipf_rn_fini
# define rn_inithead ipf_rn_inithead
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index e8789e0..2ce4291 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -772,8 +772,20 @@ fromport:
srcportlist:
portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
+ | portnum ':' portnum
+ { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
+ fr->fr_stop = $3;) }
+ | portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
+ fr->fr_stop = $3;) }
| srcportlist lmore portnum
{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
+ | srcportlist lmore portnum ':' portnum
+ { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
+ fr->fr_stop = $5;) }
+ | srcportlist lmore portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
+ fr->fr_stop = $5;) }
;
dstobject:
@@ -838,8 +850,20 @@ toport:
dstportlist:
portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
+ | portnum ':' portnum
+ { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
+ fr->fr_dtop = $3;) }
+ | portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
+ fr->fr_dtop = $3;) }
| dstportlist lmore portnum
{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
+ | dstportlist lmore portnum ':' portnum
+ { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
+ fr->fr_dtop = $5;) }
+ | dstportlist lmore portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
+ fr->fr_dtop = $5;) }
;
addr: pool '/' YY_NUMBER { pooled = 1;
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index 481282a..3c5bfdd 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -71,7 +71,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $";
#endif
#ifdef __hpux
@@ -1120,7 +1120,7 @@ ips_stat_t *ipsp;
PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
(u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
- minlen = ipsp->iss_max;
+ minlen = ipsp->iss_inuse;
totallen = 0;
maxlen = 0;
@@ -1128,7 +1128,7 @@ ips_stat_t *ipsp;
if (buckets[i] > maxlen)
maxlen = buckets[i];
if (buckets[i] < minlen)
- minlen = buckets[i];
+ minlen = buckets[i];
totallen += buckets[i];
}
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index f651f86..ceaed82 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -78,7 +78,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $";
#endif
@@ -752,6 +752,8 @@ int blen;
strcpy(t, "NAT:MAPBLOCK ");
else if (nl->nl_type == NL_CLONE)
strcpy(t, "NAT:CLONE ");
+ else if (nl->nl_type == NL_DESTROY)
+ strcpy(t, "NAT:DESTROY ");
else
sprintf(t, "Type: %d ", nl->nl_type);
t += strlen(t);
@@ -764,8 +766,9 @@ int blen;
(void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
portname(res, proto, (u_int)nl->nl_outport));
t += strlen(t);
- (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport));
+ (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
+ portname(res, proto, (u_int)nl->nl_origport),
+ getproto(nl->nl_p));
t += strlen(t);
if (nl->nl_type == NL_EXPIRE) {
#ifdef USE_QUAD_T
@@ -1002,7 +1005,10 @@ int blen;
ipflog_t *ipf;
iplog_t *ipl;
#ifdef USE_INET6
+ struct ip6_ext *ehp;
+ u_short ehl;
ip6_t *ip6;
+ int go;
#endif
ipl = (iplog_t *)buf;
@@ -1111,6 +1117,29 @@ int blen;
s = (u_32_t *)&ip6->ip6_src;
d = (u_32_t *)&ip6->ip6_dst;
plen = hl + ntohs(ip6->ip6_plen);
+ go = 1;
+ ehp = (struct ip6_ext *)((char *)ip6 + hl);
+ while (go == 1) {
+ switch (p)
+ {
+ case IPPROTO_HOPOPTS :
+ case IPPROTO_MOBILITY :
+ case IPPROTO_DSTOPTS :
+ case IPPROTO_ROUTING :
+ case IPPROTO_AH :
+ p = ehp->ip6e_nxt;
+ ehl = 8 + (ehp->ip6e_len << 3);
+ hl += ehl;
+ ehp = (struct ip6_ext *)((char *)ehp + ehl);
+ break;
+ case IPPROTO_FRAGMENT :
+ hl += sizeof(struct ip6_frag);
+ /* FALLTHROUGH */
+ default :
+ go = 0;
+ break;
+ }
+ }
#else
sprintf(t, "ipv6");
goto printipflog;
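Review bot: The extension-header walk advances `ehp` and `hl` using `ip6e_len` from the logged packet without ever comparing against how much data the record actually holds (`blen` is a parameter of this function, and the log record presumably carries its own captured length). A truncated or malformed header chain can therefore move `ehp` past the end of the buffer and make ipmon read out of bounds, and since ipmon parses packets chosen by remote hosts, that is a reachable fault in the logging daemon. Before each dereference, stop when the next header does not fit, e.g. `if (hl + sizeof(*ehp) > avail) { go = 0; break; }`, where `avail` is a placeholder for the captured length. For `IPPROTO_AH` the length field counts 32-bit words (`(ip6e_len + 2) << 2`), so sharing the `8 + (ip6e_len << 3)` formula with the other headers mis-steps past an AH header. The function body starts and ends outside this hunk.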
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
index c9954ab..28e29ec 100644
--- a/contrib/ipfilter/tools/ipnat.c
+++ b/contrib/ipfilter/tools/ipnat.c
@@ -67,7 +67,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.6 2007/05/11 11:16:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $";
#endif
@@ -80,6 +80,7 @@ char thishost[MAXHOSTNAMELEN];
extern char *optarg;
void dostats __P((int, natstat_t *, int, int));
+void dotable __P((natstat_t *, int, int));
void flushtable __P((int, int));
void usage __P((char *));
int main __P((int, char*[]));
@@ -359,9 +360,10 @@ int fd, opts, alive;
nsp->ns_added, nsp->ns_expire);
printf("no memory\t%lu\tbad nat\t%lu\n",
nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_rules);
+ printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
+ nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
printf("wilds\t%u\n", nsp->ns_wilds);
+ dotable(nsp, fd, alive);
if (opts & OPT_VERBOSE)
printf("table %p list %p\n",
nsp->ns_table, nsp->ns_list);
@@ -378,6 +380,63 @@ int fd, opts, alive;
}
+void dotable(nsp, fd, alive)
+natstat_t *nsp;
+int fd, alive;
+{
+ int sz, i, used, totallen, maxlen, minlen;
+ ipftable_t table;
+ u_long *buckets;
+ ipfobj_t obj;
+
+ sz = sizeof(*buckets) * nsp->ns_nattab_sz;
+ buckets = (u_long *)malloc(sz);
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_GTABLE;
+ obj.ipfo_size = sizeof(table);
+ obj.ipfo_ptr = &table;
+
+ table.ita_type = IPFTABLE_BUCKETS_NATIN;
+ table.ita_table = buckets;
+
+ if (alive) {
+ if (ioctl(fd, SIOCGTABL, &obj) != 0) {
+ free(buckets);
+ return;
+ }
+ } else {
+ if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) {
+ free(buckets);
+ return;
+ }
+ }
+
+ totallen = 0;
+ maxlen = 0;
+ minlen = nsp->ns_inuse;
+ used = 0;
+
+ for (i = 0; i < nsp->ns_nattab_sz; i++) {
+ if (buckets[i] > maxlen)
+ maxlen = buckets[i];
+ if (buckets[i] < minlen)
+ minlen = buckets[i];
+ if (buckets[i] != 0)
+ used++;
+ totallen += buckets[i];
+ }
+
+ printf("hash efficiency\t%2.2f%%\n",
+ totallen ? ((float)used / totallen) * 100.0 : 0.0);
+ printf("bucket usage\t%2.2f%%\n",
+ ((float)used / nsp->ns_nattab_sz) * 100.0);
+ printf("minimal length\t%d\n", minlen);
+ printf("maximal length\t%d\n", maxlen);
+ printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
+}
+
+
/*
* Display NAT statistics.
*/
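Review bot: `dotable()` uses `buckets` without checking the `malloc()` result and never frees it on the success path, so each successful call leaks `sz` bytes and a failed allocation is handed to the kernel through `table.ita_table` or dereferenced in the loop. Add `if (buckets == NULL) return;` after the allocation and `free(buckets);` after the last `printf`. In the `!alive` branch, `kmemcpy()` is given `(u_long)nsp->ns_nattab_sz`, the table size, as its source address; this looks like it should be the kernel pointer to the bucket-length array, so please confirm the intended field. `obj` is also filled field by field without the `bzero()` used in the l4check.c hunks of this commit, and `ns_nattab_sz == 0` makes the bucket-usage line divide by zero.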
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index 1857219..cce717d 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -611,6 +611,7 @@ compare:
range:
YY_RANGE_OUT { $$ = FR_OUTRANGE; }
| YY_RANGE_IN { $$ = FR_INRANGE; }
+ | ':' { $$ = FR_INCRANGE; }
;
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index 2969f86..989643c 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -38,6 +38,7 @@ extern int yydebug;
char *yystr = NULL;
int yytext[YYBUFSIZ+1];
+char yychars[YYBUFSIZ+1];
int yylineNum = 1;
int yypos = 0;
int yylast = -1;
@@ -51,13 +52,15 @@ wordtab_t *yysavewords[30];
static wordtab_t *yyfindkey __P((char *));
-static int yygetc __P((void));
+static int yygetc __P((int));
static void yyunputc __P((int));
static int yyswallow __P((int));
static char *yytexttostr __P((int, int));
static void yystrtotext __P((char *));
+static char *yytexttochar __P((void));
-static int yygetc()
+static int yygetc(docont)
+int docont;
{
int c;
@@ -76,6 +79,13 @@ static int yygetc()
yypos++;
} else {
c = fgetc(yyin);
+ if (docont && (c == '\\')) {
+ c = fgetc(yyin);
+ if (c == '\n') {
+ yylineNum++;
+ c = fgetc(yyin);
+ }
+ }
}
if (c == '\n')
yylineNum++;
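Review bot: When `docont` is set and a backslash is not followed by a newline, the backslash is discarded and the following character is returned in its place, so input such as `a\b` inside a word or number is lexed as if the backslash were absent. Push the look-ahead back and return the backslash itself in that case, by adding `else { ungetc(c, yyin); c = '\\'; }` after the `if (c == '\n')` block. The continuation is also recognised only on the `fgetc(yyin)` path and not in the branch above the `else`, which may be intended but deserves a comment. `yygetc()` starts before and ends after this hunk.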
@@ -101,7 +111,7 @@ int last;
{
int c;
- while (((c = yygetc()) > '\0') && (c != last))
+ while (((c = yygetc(0)) > '\0') && (c != last))
;
if (c != EOF)
@@ -112,6 +122,17 @@ int last;
}
+static char *yytexttochar()
+{
+ int i;
+
+ for (i = 0; i < yypos; i++)
+ yychars[i] = (char)(yytext[i] & 0xff);
+ yychars[i] = '\0';
+ return yychars;
+}
+
+
static void yystrtotext(str)
char *str;
{
@@ -167,7 +188,9 @@ int yylex()
}
nextchar:
- c = yygetc();
+ c = yygetc(0);
+ if (yydebug > 1)
+ printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
switch (c)
{
@@ -230,20 +253,20 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '{') {
if (yyswallow('}') == -1) {
rval = -2;
goto done;
}
- (void) yygetc();
+ (void) yygetc(0);
} else {
if (!ISALPHA(n)) {
yyunputc(n);
break;
}
do {
- n = yygetc();
+ n = yygetc(1);
} while (ISALPHA(n) || ISDIGIT(n) || n == '_');
yyunputc(n);
}
@@ -275,7 +298,7 @@ nextchar:
goto done;
}
do {
- n = yygetc();
+ n = yygetc(1);
if (n == EOF || n == TOOLONG) {
rval = -2;
goto done;
@@ -325,7 +348,7 @@ nextchar:
break;
if (isbuilding == 1)
break;
- n = yygetc();
+ n = yygetc(0);
if (n == '>') {
isbuilding = 1;
goto done;
@@ -339,7 +362,7 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '=') {
rval = YY_CMP_NE;
goto done;
@@ -355,7 +378,7 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '=') {
rval = YY_CMP_LE;
goto done;
@@ -375,7 +398,7 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '=') {
rval = YY_CMP_GE;
goto done;
@@ -412,7 +435,7 @@ nextchar:
*/
do {
*s++ = c;
- c = yygetc();
+ c = yygetc(1);
} while ((ishex(c) || c == ':' || c == '.') &&
(s - ipv6buf < 46));
yyunputc(c);
@@ -438,10 +461,10 @@ nextchar:
}
if (isbuilding == 0 && c == '0') {
- n = yygetc();
+ n = yygetc(0);
if (n == 'x') {
do {
- n = yygetc();
+ n = yygetc(1);
} while (ishex(n));
yyunputc(n);
rval = YY_HEX;
@@ -455,7 +478,7 @@ nextchar:
*/
if (isbuilding == 0 && ISDIGIT(c)) {
do {
- n = yygetc();
+ n = yygetc(1);
} while (ISDIGIT(n));
yyunputc(n);
rval = YY_NUMBER;