author | darrenr <darrenr@FreeBSD.org> | 2000-07-19 13:52:47 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2000-07-19 13:52:47 +0000 |
commit | 243b2e7424c14d7d41860dd8fe2023d41dfa7e76 (patch) | |
tree | 7220c5dde03d34eb2ad3b1112bff1f1f7d5949b3 /contrib/ipfilter | |
parent | 2988979ab5899a26edd8ffbaeae8da177220e24b (diff) | |
parent | 90778a716059d6db7810bad8d8a4e1b787dc4a06 (diff) | |
This commit was generated by cvs2svn to compensate for changes in r63516,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/ipfilter')
28 files changed, 914 insertions, 160 deletions
diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall index 42c2f09..bb5aef5 100755 --- a/contrib/ipfilter/FreeBSD/kinstall +++ b/contrib/ipfilter/FreeBSD/kinstall @@ -15,12 +15,17 @@ foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ chmod 644 /sys/netinet/$i end echo "" -echo "Patching $archdir/$karch/conf.c" -cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch) -echo "Patching ip_input.c, ip_output.c and in_proto.c" -cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ -(cd /sys/netinet; patch) - +grep iplopen $archdir/$karch/conf.c >& /dev/null +if ( $status != 0 ) then + echo "Patching $archdir/$karch/conf.c" + cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch) +endif +grep fr_checkp /sys/netinet/ip_input.c >& /dev/null +if ( $status != 0 ) then + echo "Patching ip_input.c, ip_output.c and in_proto.c" + cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ + (cd /sys/netinet; patch) +endif if ( -f /sys/conf/files.newconf ) then echo "Patching /sys/conf/files.newconf" cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch) diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index ea2f478..b794c9a 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
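Review bot: The new guards in kinstall decide that a patch is already applied by grepping for a single symbol (`iplopen`, `fr_checkp`), and the exit status of each `patch` pipeline is still discarded, so a patch that fails or applies only partially is neither reported nor detected on the next run. Checking `$status` after each pipeline, e.g. `if ( $status != 0 ) exit 1` right after the `(cd $archdir/$karch; patch)` line and again after the `(cd /sys/netinet; patch)` line, turns a broken kernel patch into a visible failure instead of a silent half-patched tree. The unchanged `files.newconf` block below the hunk has the same gap.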
@@ -20,6 +20,55 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.8 19/07/2000 - Released + +create fake opt_inet6.h for FreeBSD-4 compile as LKM + +add #ifdef's for KLD_MODULE sanity + +NAT fastroute'd packets which come out of return-* + +fix upper/lower case crap in ftp proxy and get seq# checking fixed up. + +3.4.7 08/07/2000 - Released + +make "ipf -y" lookup NAT if's which are unknown + +prepend line numbers to ioctl error messages in ipf/ipnat + +don't apply patches to FreeBSD twice + +allow for ip_len to be on an unaligned boundary early on in fr_precheck + +fix printing of icmp code when it is 0 + +correct printing of port numbers in map rules with from/to + +don't allow fr_func to be called at securelevel > 0 or rules to be added +if securelevel > 0 if they have a non-zero fr_func. + +3.4.6 11/06/2000 - Released + +add extra regression tests for new nat functionality + +place restrictions on using '!' in map/rdr rules + +fix up solaris compile problems + +3.4.5 10/06/2000 - Released + +mention -sl in ipfstat.8 + +fix/support '!' in from/to rules (rdr) for NAT + +add from/to support to rdr NAT rules + +don't send ICMP errors in response to ICMP errors + +fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot + +input accounting list used for both outbound and inbound packets + 3.4.4 23/05/2000 - Released don't add TCP state if it is an RST packet and (attempt) to send out diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 050aac6..cb4199e 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,7 +5,7 @@ # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.11.2.1 2000/04/26 12:14:58 darrenr Exp $ +# $Id: Makefile,v 2.11.2.2 2000/07/18 13:58:10 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin 
@@ -126,6 +126,11 @@ freebsd22: include make freebsd freebsd4: include + if [ x$INET6 = x ] ; then \ + echo "#undef INET6" > opt_inet6.h; \ + else \ + echo "#define INET6" > opt_inet6.h; \ + fi make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "DLKM=-DKLD_MODULE"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..) @@ -181,7 +186,7 @@ setup: clean: clean-include ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \ - vnode_if.h $(LKM) *~ + vnode_if.h $(LKM) *~ opt_inet6.h (cd SunOS4; make clean) (cd SunOS5; make clean) (cd BSD; make clean) diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index 78aff43..9fa24d6 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.2 2000/05/22 10:26:11 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.3 2000/06/17 06:24:31 darrenr Exp $"; #endif #include <sys/errno.h> @@ -46,7 +46,7 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.2 2000/05/22 10:26:11 d # include <sys/stream.h> # include <sys/kmem.h> #endif -#if _BSDI_VERSION >= 199802 +#if (_BSDI_VERSION >= 199802) || (__FreeBSD_Version >= 400000) # include <sys/queue.h> #endif #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 9216b3c..fe6af66 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.9 2000/05/22 12:48:28 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.14 2000/07/18 13:57:55 darrenr Exp $"; #endif #ifndef SOLARIS 
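Review bot: In the `freebsd4:` recipe, `x$INET6` is expanded by make before the shell sees it: `$I` is a single-letter make variable reference, so the shell receives `xNET6` (prefixed by whatever `I` expands to, normally nothing) and the test is never true, which makes the recipe always write `#define INET6` into opt_inet6.h. To test the environment variable the dollar must be escaped, `if [ x$$INET6 = x ] ; then \`, or the recipe should consult a make variable, `if [ "x$(INET6)" = x ] ; then \`. A comment above the block naming which of the two is intended would also help, since the Makefile otherwise uses `$(...)` syntax throughout.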
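Review bot: The ip_auth.c hunk at -46 tests `__FreeBSD_Version >= 400000`, but the macro FreeBSD defines is spelled `__FreeBSD_version` (lower-case v); an unknown identifier in `#if` evaluates to 0, so unless the build defines the capitalised spelling somewhere the new clause never includes `<sys/queue.h>` on FreeBSD 4 and the condition is dead. The line should read `#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)`. Compiling with `-Wundef` would have flagged this.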
@@ -692,6 +692,10 @@ caddr_t data; if (error) return EFAULT; fp->fr_ref = 0; +#if (BSD >= 199306) && defined(_KERNEL) + if ((securelevel > 0) && (fp->fr_func != NULL)) + return EPERM; +#endif /* * Check that the group number does exist and that if a head group @@ -764,7 +768,7 @@ caddr_t data; * interface pointer in the comparison (fr_next, fr_ifa). */ for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum; - p != pp; p++) + p < pp; p++) fp->fr_cksum += *p; for (; (f = *ftail); ftail = &f->fr_next) @@ -1088,6 +1092,19 @@ int dst; m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { + if ((oip->ip_p == IPPROTO_ICMP) && + !(fin->fin_fi.fi_fl & FI_SHORT)) + switch (ntohs(fin->fin_data[0]) >> 8) + { + case ICMP_ECHO : + case ICMP_TSTAMP : + case ICMP_IREQ : + case ICMP_MASKREQ : + break; + default : + return 0; + } + # if (BSD < 199306) || defined(__sgi) avail = MLEN; m = m_get(M_DONTWAIT, MT_HEADER); @@ -1325,10 +1342,9 @@ frdest_t *fdp; ATOMIC_INCL(frstats[1].fr_acct); } fin->fin_fr = NULL; - if (!fr || !(fr->fr_flags & FR_RETMASK)) { + if (!fr || !(fr->fr_flags & FR_RETMASK)) (void) fr_checkstate(ip, fin); - (void) ip_natout(ip, fin); - } + (void) ip_natout(ip, fin); } else ip->ip_sum = 0; /* @@ -1585,15 +1601,29 @@ int v; if (!ifneta) { ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2); + if (!ifneta) + return NULL; ifneta[1] = NULL; ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp)); + if (!ifneta[0]) { + free(ifneta); + return NULL; + } nifs = 1; } else { nifs++; ifneta = (struct ifnet **)realloc(ifneta, (nifs + 1) * sizeof(*ifa)); + if (!ifneta) { + nifs = 0; + return NULL; + } ifneta[nifs] = NULL; ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp)); + if (!ifneta[nifs - 1]) { + nifs--; + return NULL; + } } ifp = ifneta[nifs - 1]; diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 3e0a7f3..5019c60 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c 
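Review bot: The new `securelevel` check in the hunk at -692 has no comment saying what it protects, and the enclosing function starts and ends outside the hunk. `fr_func` is a function pointer the filter later calls for matching packets (the HISTORY entry in this same commit says fr_func is no longer called at securelevel > 0), so a reader needs to know the EPERM is deliberate hardening and not a stray permission check; I'd put above the `#if`: `/* A rule with fr_func set makes the filter call into kernel code chosen by the rule author; refuse to load such rules once securelevel has been raised. */`. This gate covers only the rule-add path, so the matching call-site change mentioned in HISTORY has to land with it, and it is not in the hunks shown.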
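Review bot: In the interface-table growth path of the hunk at -1585, `ifneta = (struct ifnet **)realloc(ifneta, ...)` followed by `if (!ifneta) { nifs = 0; return NULL; }` leaks the previous array on failure: `realloc()` returns NULL and leaves the old block allocated, but the only pointer to it has just been overwritten, and resetting `nifs` to 0 also orphans every `struct ifnet` already stored in that array. Growing through a temporary keeps both the array and the count valid when allocation fails, and sizing by `sizeof(*ifneta)` rather than `sizeof(*ifa)` ties the element size to the pointer it backs. The enclosing function starts and ends outside the hunk.
```c
	} else {
		struct ifnet **grown;

		grown = (struct ifnet **)realloc(ifneta,
						 (nifs + 2) * sizeof(*ifneta));
		if (!grown)
			return NULL;	/* ifneta and nifs are still valid */
		ifneta = grown;
		nifs++;
		ifneta[nifs] = NULL;
		/* … unchanged: allocate ifneta[nifs - 1] and check it … */
	}
```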
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.3 2000/05/05 15:10:23 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.4 2000/06/06 15:49:15 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -144,6 +144,9 @@ ipfr_t *table[]; ipfr_t **fp, *fra, frag; u_int idx; + if (ipfr_inuse >= IPFT_SIZE) + return NULL; + frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index 691e0ad..5ea94a1 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,14 +2,17 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.7 2000/05/13 14:28:14 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.12 2000/07/19 13:06:13 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; #endif #define isdigit(x) ((x) >= '0' && (x) <= '9') -#define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A') +#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z')) +#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z')) +#define isalpha(x) (isupper(x) || islower(x)) +#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A') #define IPF_FTP_PROXY @@ -35,6 +38,7 @@ u_short ippr_ftp_atoi __P((char **)); static frentry_t natfr; int ippr_ftp_pasvonly = 0; +int ippr_ftp_insecure = 0; /* @@ -97,21 +101,12 @@ int dlen; #endif tcp = (tcphdr_t *)fin->fin_dp; - off = f->ftps_seq - ntohl(tcp->th_seq); - if (off < 0) - return 0; /* * Check for client sending out PORT message. */ if (dlen < IPF_MINPORTLEN) return 0; - /* - * Count the number of bytes in the PORT message is. - */ - if (off < 0) - return 0; - - off += fin->fin_hlen + (tcp->th_off << 2); + off = fin->fin_hlen + (tcp->th_off << 2); /* * Skip the PORT command + space */ 
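Review bot: The new `if (ipfr_inuse >= IPFT_SIZE) return NULL;` in the ip_frag.c hunk at -144 carries no comment, and because the enclosing function starts and ends outside the hunk a reader cannot tell whether the NULL means "table full" or "bad packet". A line above the check settles it: `/* Cap the fragment table at IPFT_SIZE entries so a fragment flood cannot grow it without bound; NULL means no entry was created. */`. It is also worth confirming that `ipfr_inuse` is read under the same lock that protects the insertion which presumably increments it later in the function, otherwise two concurrent inserts can both pass the check and overshoot the cap by one.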
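Review bot: The new `toupper(x)` macro in the ip_ftp_pxy.c hunk at -2 expands `x` three times (`isupper(x) ? (x) : (x) - 'a' + 'A'`), so an argument with side effects would be evaluated more than once; the single use in this diff, `toupper(c)`, is safe, but nothing warns the next caller. For a non-letter argument the macro also returns garbage (`x - 'a' + 'A'`), so it silently depends on the `isalpha(c)` guard at its call site. Since these macros shadow the `<ctype.h>` names as well, a comment such as `/* local ctype replacements for kernel use: arguments must be side-effect free, toupper() only valid after isalpha() */` — or `static` functions — would make both constraints explicit.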
@@ -201,6 +196,10 @@ int dlen; m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ m_copyback(m, off, nlen, newbuf); +# ifdef M_PKTHDR + if (!(m->m_flags & M_PKTHDR)) + m->m_pkthdr.len += inc; +# endif #endif if (inc != 0) { #if SOLARIS || defined(__sgi) @@ -275,27 +274,39 @@ ftpinfo_t *ftp; ip_t *ip; int dlen; { - char *rptr, *wptr; + char *rptr, *wptr, cmd[6], c; ftpside_t *f; - int inc; + int inc, i; inc = 0; f = &ftp->ftp_side[0]; rptr = f->ftps_rptr; wptr = f->ftps_wptr; - if ((ftp->ftp_passok == 0) && !strncmp(rptr, "USER ", 5)) + for (i = 0; (i < 5) && (i < dlen); i++) { + c = rptr[i]; + if (isalpha(c)) { + cmd[i] = toupper(c); + } else { + cmd[i] = c; + } + } + cmd[i] = '\0'; + + if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5)) ftp->ftp_passok = 1; - else if ((ftp->ftp_passok == 2) && !strncmp(rptr, "PASS ", 5)) + else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5)) ftp->ftp_passok = 3; else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly && - !strncmp(rptr, "PORT ", 5)) { + !strncmp(cmd, "PORT ", 5)) { + inc = ippr_ftp_port(fin, ip, nat, f, dlen); + } else if (ippr_ftp_insecure && !ippr_ftp_pasvonly && + !strncmp(cmd, "PORT ", 5)) { inc = ippr_ftp_port(fin, ip, nat, f, dlen); } while ((*rptr++ != '\n') && (rptr < wptr)) ; - f->ftps_seq += rptr - f->ftps_rptr; f->ftps_rptr = rptr; return inc; } @@ -313,8 +324,8 @@ int dlen; u_short a5, a6, sp, dp; u_int a1, a2, a3, a4; fr_info_t fi; - int inc, off; nat_t *ipn; + int inc; char *s; /* @@ -325,15 +336,8 @@ int dlen; else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25)) return 0; - /* - * Count the number of bytes in the 227 reply is. - */ tcp = (tcphdr_t *)fin->fin_dp; - off = f->ftps_seq - ntohl(tcp->th_seq); - if (off < 0) - return 0; - off += fin->fin_hlen + (tcp->th_off << 2); /* * Skip the PORT command + space */ 
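Review bot: The `M_PKTHDR` test added after `m_copyback()` in the hunk at -201 looks inverted: `if (!(m->m_flags & M_PKTHDR)) m->m_pkthdr.len += inc;` adjusts `m_pkthdr.len` precisely on mbufs that have no packet header, where that field overlays packet data, and leaves the length stale on the mbuf that does carry one. Unless the flag is known to be set on every mbuf reaching this point (the enclosing function starts and ends outside the hunk), the condition should be `if (m->m_flags & M_PKTHDR)`. A stale `m_pkthdr.len` after an `inc`-byte rewrite is the kind of mismatch that later surfaces as a truncated or over-long packet on output.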
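Review bot: In the hunk at -275 the new `ippr_ftp_insecure` branch duplicates the body of the branch above it, so the two conditions can be folded into one: `else if (((ftp->ftp_passok == 4) || ippr_ftp_insecure) && !ippr_ftp_pasvonly && !strncmp(cmd, "PORT ", 5))`; the server-side `227 ` branch in the hunk at -507 on the next line has the same shape. The knob is security-relevant, since it lets a PORT or 227 message be acted on before any USER/PASS exchange was tracked, and its declaration `int ippr_ftp_insecure = 0;` in the hunk at -35 has no comment; `/* non-zero: honour PORT/227 even when no login exchange has been seen */` would tell an administrator what they are enabling. The enclosing function of the -275 hunk starts and ends outside it.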
@@ -417,13 +421,13 @@ int dlen; m1->b_wptr += inc; } /*copyin_mblk(m, off, nlen, newbuf);*/ -#else +#else /* SOLARIS */ m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ /*m_copyback(m, off, nlen, newbuf);*/ -#endif +#endif /* SOLARIS */ if (inc != 0) { #if SOLARIS || defined(__sgi) register u_32_t sum1, sum2; @@ -438,10 +442,10 @@ int dlen; sum2 = (sum2 & 0xffff) + (sum2 >> 16); fix_outcksum(&ip->ip_sum, sum2, 0); -#endif +#endif /* SOLARIS || defined(__sgi) */ ip->ip_len += inc; } -#endif +#endif /* 0 */ /* * Add skeleton NAT entry for connection which will come back the @@ -507,10 +511,11 @@ int dlen; ftp->ftp_passok = 0; else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) { inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); + } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { + inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); } while ((*rptr++ != '\n') && (rptr < wptr)) ; - f->ftps_seq += rptr - f->ftps_rptr; f->ftps_rptr = rptr; return inc; } @@ -548,16 +553,16 @@ size_t len; return 1; } else return 1; - } else if (isupper(c)) { + } else if (isalpha(c)) { c = *s++; i--; - if (isupper(c)) { + if (isalpha(c)) { c = *s++; i--; - if (isupper(c)) { + if (isalpha(c)) { c = *s++; i--; - if (isupper(c)) { + if (isalpha(c)) { c = *s++; i--; if ((c != ' ') && (c != '\r')) @@ -586,10 +591,10 @@ nat_t *nat; ftpinfo_t *ftp; int rv; { - int mlen, len, off, inc, i; + int mlen, len, off, inc, i, sel; char *rptr, *wptr; + ftpside_t *f, *t; tcphdr_t *tcp; - ftpside_t *f; mb_t *m; tcp = (tcphdr_t *)fin->fin_dp; 
@@ -606,23 +611,29 @@ int rv; #else mlen = mbufchainlen(m) - off; #endif - if (!mlen) + t = &ftp->ftp_side[1 - rv]; + if (!mlen) { + t->ftps_seq = ntohl(tcp->th_ack); return 0; + } inc = 0; f = &ftp->ftp_side[rv]; rptr = f->ftps_rptr; wptr = f->ftps_wptr; - if ((wptr == f->ftps_buf) && (f->ftps_seq <= ntohl(tcp->th_seq))) - f->ftps_seq = ntohl(tcp->th_seq); + sel = nat->nat_aps->aps_sel[1 - rv]; + if (rv) + i = nat->nat_aps->aps_ackoff[sel]; + else + i = nat->nat_aps->aps_seqoff[sel]; /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ - if (ntohl(tcp->th_seq) != f->ftps_seq + (wptr - rptr)) { - return APR_ERR(0); + if (ntohl(tcp->th_seq) + i != f->ftps_seq) { + return APR_ERR(-1); } while (mlen > 0) { @@ -666,7 +677,6 @@ int rv; } else rptr++; } - f->ftps_seq += rptr - f->ftps_rptr; f->ftps_rptr = rptr; } @@ -677,7 +687,6 @@ int rv; i = wptr - rptr; if ((rptr == f->ftps_buf) || (wptr - rptr > FTP_BUFSZ / 2)) { - f->ftps_seq += i; f->ftps_junk = 1; rptr = wptr = f->ftps_buf; } else { @@ -691,6 +700,7 @@ int rv; } } + t->ftps_seq = ntohl(tcp->th_ack); f->ftps_rptr = rptr; f->ftps_wptr = wptr; return inc; diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 64f50b6..d25f3f7 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.10 2000/05/19 15:54:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.16 2000/07/18 13:57:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) 
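Review bot: The sequence check in the hunk at -606 now returns `APR_ERR(-1)` instead of `APR_ERR(0)`, yet the comment immediately above it still says "Ideally, this packet should get dropped", which reads as if dropping were still a wish; it should state what now happens, e.g. `/* Out-of-sequence segment: drop it rather than parse a command out of order (the proxy only understands an in-order stream). */`. Separately, the zero-length path `if (!mlen) { t->ftps_seq = ntohl(tcp->th_ack); return 0; }` updates the peer side's expected sequence from the ACK field before this segment's own sequence number has been checked, so a bare ACK carrying an unexpected ack number moves `t->ftps_seq` without ever passing the ordering test; if that is intended it deserves a comment, otherwise the ordering test should run first. The enclosing function starts in the hunk at -586 on the previous line and ends past the hunk at -691.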
@@ -473,10 +473,14 @@ int mode; n->in_next = NULL; *np = n; - if (n->in_redir & NAT_REDIRECT) + if (n->in_redir & NAT_REDIRECT) { + n->in_flags &= ~IPN_NOTDST; nat_addrdr(n); - if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) + } + if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { + n->in_flags &= ~IPN_NOTSRC; nat_addnat(n); + } n->in_use = 0; if (n->in_redir & NAT_MAPBLK) @@ -1517,6 +1521,8 @@ int dir; ip_t *oip; int flags = 0; + if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) + return NULL; if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir))) return NULL; *nflags = IPN_ICMPERR; @@ -1559,14 +1565,14 @@ int dir; fix_outcksum(&icmp->icmp_cksum, sumd, 0); } else { fix_outcksum(&oip->ip_sum, sumd, 0); - +#if !SOLARIS && !defined(__sgi) sumd += (sumd & 0xffff); while (sumd > 0xffff) sumd = (sumd & 0xffff) + (sumd >> 16); -/* fix_incksum(&icmp->icmp_cksum, sumd, 0); */ + fix_incksum(&icmp->icmp_cksum, sumd, 0); +#endif } - if ((flags & IPN_TCPUDP) != 0) { tcphdr_t *tcp; 
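Review bot: The new guard at the top of the hunk at -1517, `if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) return NULL;`, is a correctness fix for ICMP error handling but carries no comment, and the enclosing function starts and ends outside the hunk. I'd say why the packet is refused: `/* A truncated or non-first-fragment ICMP error cannot carry the embedded IP header (oip) this code reads below; never match it against NAT state. */`. The hunk at -1559 re-enables `fix_incksum()` on the ICMP checksum under `#if !SOLARIS && !defined(__sgi)`, and a one-line note on why those two platforms are excluded would stop the next reader from "fixing" it.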
@@ -1714,19 +1720,28 @@ ip_t *ip; if (np->in_p && ip->ip_p != np->in_p) return 0; if (fin->fin_out) { - if (!(np->in_redir && (NAT_MAP|NAT_MAPBLK))) + if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK))) return 0; - if ((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip) + if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip) + ^ ((np->in_flags & IPN_NOTSRC) != 0)) return 0; - if ((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip) + if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip) + ^ ((np->in_flags & IPN_NOTDST) != 0)) return 0; } else { - if (!(np->in_redir && NAT_REDIRECT)) + if (!(np->in_redir & NAT_REDIRECT)) + return 0; + if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip) + ^ ((np->in_flags & IPN_NOTSRC) != 0)) + return 0; + if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip) + ^ ((np->in_flags & IPN_NOTDST) != 0)) return 0; } ft = &np->in_tuc; - if (!(fin->fin_fi.fi_fl & FI_TCPUDP)) { + if (!(fin->fin_fi.fi_fl & FI_TCPUDP) || + (fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) { if (ft->ftu_scmp || ft->ftu_dcmp) return 0; return 1; @@ -1863,7 +1878,6 @@ maskloop: np = nat->nat_ptr; if (natadd && fin->fin_fi.fi_fl & FI_FRAG) ipfr_nat_newfrag(ip, fin, 0, nat); - ip->ip_src = nat->nat_outip; MUTEX_ENTER(&nat->nat_lock); nat->nat_age = fr_defnatage; nat->nat_bytes += ip->ip_len; 
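Review bot: The hunk at -1714 spells the address test `((addr & mask) != want) ^ ((np->in_flags & IPN_NOTxxx) != 0)` four times, and an XOR against a flag test is easy to misread as a bit operation on the address; a small helper makes the "match, or negated match" intent explicit at every call site, and the operands already combine with `&` in the hunk so they are plain integers. The enclosing function starts and ends outside the hunk.
```c
/* Non-zero when addr falls outside want/mask; the sense is flipped when negate is set. */
static int
nat_addrmismatch(u_32_t addr, u_32_t mask, u_32_t want, u_32_t negate)
{
	return ((addr & mask) != want) ^ (negate != 0);
}

	/* … unchanged: protocol check … */
	if (fin->fin_out) {
		if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
			return 0;
		if (nat_addrmismatch(fin->fin_fi.fi_saddr, np->in_inmsk,
				     np->in_inip, np->in_flags & IPN_NOTSRC))
			return 0;
		if (nat_addrmismatch(fin->fin_fi.fi_daddr, np->in_srcmsk,
				     np->in_srcip, np->in_flags & IPN_NOTDST))
			return 0;
	} else {
		/* … unchanged shape: the two inbound tests use the same helper … */
	}
```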
@@ -1874,12 +1888,27 @@ maskloop: * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ + if (nflags == IPN_ICMPERR) { + u_32_t s1, s2, sumd; + + s1 = LONG_SUM(ntohl(ip->ip_src.s_addr)); + s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr)); + CALC_SUMD(s1, s2, sumd); + + if (nat->nat_dir == NAT_OUTBOUND) + fix_incksum(&ip->ip_sum, sumd, 0); + else + fix_outcksum(&ip->ip_sum, sumd, 0); + } #if SOLARIS || defined(__sgi) - if (nat->nat_dir == NAT_OUTBOUND) - fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0); - else - fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0); + else { + if (nat->nat_dir == NAT_OUTBOUND) + fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0); + else + fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0); + } #endif + ip->ip_src = nat->nat_outip; if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { @@ -1917,6 +1946,7 @@ maskloop: } else if (ip->ip_p == IPPROTO_ICMP) { nat->nat_age = fr_defnaticmpage; } + if (csump) { if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(csump, nat->nat_sumd[1], @@ -1986,7 +2016,7 @@ fr_info_t *fin; if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND))) ; - else if ((ip->ip_off & IP_OFFMASK) && + else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p, @@ -2024,7 +2054,7 @@ maskloop: } else if ((in.s_addr & np->in_outmsk) != np->in_outip) continue; if ((np->in_redir & NAT_REDIRECT) && - (!np->in_pmin || + (!np->in_pmin || (np->in_flags & IPN_FILTER) || ((ntohs(np->in_pmax) >= ntohs(dport)) && (ntohs(dport) >= ntohs(np->in_pmin))))) if ((nat = nat_new(np, ip, fin, nflags, diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index f1a339f..26fed25 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h 
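Review bot: In the hunk at -1874 the `else {` that follows the new `if (nflags == IPN_ICMPERR) { ... }` block lives inside `#if SOLARIS || defined(__sgi)`, so the statement structure differs per platform and the `else` silently vanishes on BSD builds; this compiles today only because the `if` block is unconditional, and it breaks the moment either half gains its own `#ifdef`. Keeping the `else` outside the conditional and placing only the Solaris/SGI body inside it gives every platform the same shape. The enclosing function starts and ends outside the hunk; moving `ip->ip_src = nat->nat_outip;` after the checksum adjustment is correct as far as the hunk shows.
```c
	if (nflags == IPN_ICMPERR) {
		/* … unchanged: LONG_SUM/CALC_SUMD adjustment of ip_sum … */
	} else {
#if SOLARIS || defined(__sgi)
		if (nat->nat_dir == NAT_OUTBOUND)
			fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0);
		else
			fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0);
#endif
	}
	ip->ip_src = nat->nat_outip;
```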
@@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.1 2000/05/15 06:50:14 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.6 2000/07/15 14:50:06 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -103,9 +103,10 @@ typedef struct ipnat { u_int in_hits; struct in_addr in_nextip; u_short in_pnext; - u_short in_ppip; /* ports per IP */ u_short in_ippip; /* IP #'s per IP# */ - u_short in_flags; /* From here to in_dport must be reflected */ + u_32_t in_flags; /* From here to in_dport must be reflected */ + u_short in_spare; + u_short in_ppip; /* ports per IP */ u_short in_port[2]; /* correctly in IPN_CMPSIZ */ struct in_addr in_in[2]; struct in_addr in_out[2]; @@ -212,11 +213,13 @@ typedef struct natstat { #define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR) #define IPN_AUTOPORTMAP 0x010 #define IPN_IPRANGE 0x020 -#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|\ - IPN_SPLIT|IPN_ROUNDR|IPN_FILTER) +#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\ + IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST) #define IPN_FILTER 0x040 #define IPN_SPLIT 0x080 #define IPN_ROUNDR 0x100 +#define IPN_NOTSRC 0x080000 +#define IPN_NOTDST 0x100000 typedef struct natlog { @@ -236,6 +239,8 @@ typedef struct natlog { #define NL_NEWMAP NAT_MAP #define NL_NEWRDR NAT_REDIRECT +#define NL_NEWBIMAP NAT_BIMAP +#define NL_NEWBLOCK NAT_MAPBLK #define NL_EXPIRE 0xffff #define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m)) diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c index daea94f..1d6264d 100644 --- a/contrib/ipfilter/ip_rcmd_pxy.c +++ b/contrib/ipfilter/ip_rcmd_pxy.c @@ -1,5 +1,5 @@ /* - * $Id: ip_rcmd_pxy.c,v 1.4.2.1 2000/05/06 11:19:34 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.4.2.2 2000/07/15 12:38:30 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT 
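Review bot: The `struct ipnat` change in the hunk at -103 widens `in_flags` to `u_32_t` and moves `in_ppip` below it, which changes the layout of the record that `SIOCADNAT`/`SIOCRMNAT` copy in from userland, so an `ipnat` binary built against the old header hands the kernel a differently shaped structure; the version bump to v3.4.8 is the only signal of that, and a comment on the struct noting the ABI break would save someone a confusing debugging session. The comment `/* From here to in_dport must be reflected correctly in IPN_CMPSIZ */` now sits on a wider field with `in_spare` and `in_ppip` inserted after it, so `IPN_CMPSIZ` (defined outside this hunk) needs re-checking against the new layout. The new `IPN_NOTSRC`/`IPN_NOTDST` values are above bit 16, which is why the field had to grow; saying so at those `#define`s ties the two changes together.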
@@ -93,8 +93,17 @@ nat_t *nat; #endif tcp = (tcphdr_t *)fin->fin_dp; + + if (tcp->th_flags & TH_SYN) { + *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1); + return 0; + } + + if ((*(u_32_t *)aps->aps_data != 0) && + (tcp->th_seq != *(u_32_t *)aps->aps_data)) + return 0; + off = (ip->ip_hl << 2) + (tcp->th_off << 2); - m = *(mb_t **)fin->fin_mp; #if SOLARIS m = fin->fin_qfm; @@ -103,13 +112,11 @@ nat_t *nat; bzero(portbuf, sizeof(portbuf)); copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf); #else + m = *(mb_t **)fin->fin_mp; dlen = mbufchainlen(m) - off; bzero(portbuf, sizeof(portbuf)); m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif - if ((*(u_32_t *)aps->aps_data != 0) && - (tcp->th_seq != *(u_32_t *)aps->aps_data)) - return 0; portbuf[sizeof(portbuf) - 1] = '\0'; s = portbuf; diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 40766e0..615e57f 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.2 2000/05/22 10:26:14 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.3 2000/07/08 02:20:14 darrenr Exp $"; #endif #include <sys/types.h> @@ -515,7 +515,7 @@ caddr_t data; * interface pointer in the comparison (fr_next, fr_ifa). */ for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum; - p != pp; p++) + p < pp; p++) fp->fr_cksum += *p; for (; (f = *ftail); ftail = &f->fr_next) diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index c9a28af..fa8e050 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c 
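Review bot: In the hunk at -93 the state kept in `aps->aps_data` is accessed as `*(u_32_t *)aps->aps_data` four times with nothing saying what it holds; since the new SYN branch stores `htonl(ntohl(tcp->th_seq) + 1)` and every later segment is rejected unless `tcp->th_seq` equals it exactly, the proxy only ever inspects the first data segment of a connection. A comment above the SYN branch, `/* aps_data holds the expected (network-order) sequence number of the first data segment; only that segment is parsed. */`, makes that contract visible; the enclosing function starts and ends outside the hunk. If `aps_data` is a byte buffer rather than a naturally aligned word, the casts are also an alignment hazard on strict platforms such as sparc, which the Solaris build in this diff targets; copying through `bcopy()` into a local `u_32_t` avoids it.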
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.9 2000/05/22 10:26:15 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.12 2000/06/19 02:38:37 darrenr Exp $"; #endif #include <sys/errno.h> @@ -381,8 +381,8 @@ caddr_t data; { register ipstate_t *is, *isn; ipstate_save_t ips, *ipsp; + int error, out; frentry_t *fr; - int error; error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp)); if (error) @@ -405,8 +405,26 @@ caddr_t data; return ENOMEM; } bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr)); + out = fr->fr_flags & FR_OUTQUE ? 1 : 0; isn->is_rule = fr; ips.ips_is.is_rule = fr; + if (*fr->fr_ifname) { + fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_v); + if (fr->fr_ifa == NULL) + fr->fr_ifa = (void *)-1; +#ifdef _KERNEL + else { + strncpy(isn->is_ifname[out], + IFNAME(fr->fr_ifa), IFNAMSIZ); + isn->is_ifp[out] = fr->fr_ifa; + } +#endif + } else + fr->fr_ifa = NULL; + /* + * send a copy back to userland of what we ended up + * to allow for verification. + */ error = IWCOPY((caddr_t)&ips, ipsp, sizeof(ips)); if (error) { KFREE(isn); @@ -1582,8 +1600,8 @@ fr_info_t *fin; (oic->icmp6_type == ICMP6_ECHO_REQUEST)) || (is->is_type - 1 == oic->icmp6_type )) { ips_stats.iss_hits++; - is->is_pkts++; - is->is_bytes += fin->fin_plen; + is->is_pkts++; + is->is_bytes += fin->fin_plen; return is->is_rule; } } diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h index 01c26a0..a5643af 100644 --- a/contrib/ipfilter/ip_state.h +++ b/contrib/ipfilter/ip_state.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.13 2000/03/13 22:10:23 darrenr Exp $ + * $Id: ip_state.h,v 2.13.2.1 2000/07/08 02:15:35 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ 
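Review bot: In the hunk at -405, `fr->fr_ifname` is tested with `*fr->fr_ifname` and handed to `GETUNIT()` right after the rule is `bcopy()`ed out of `ips.ips_fr`, a record that, as far as the hunks show, originates from the userland `ipsp` pointer fetched with `IRCOPY()`, so the name is untrusted and nothing guarantees it is NUL-terminated inside its array. The same diff already uses the right idiom in natparse.c (`ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';`); adding `fr->fr_ifname[sizeof(fr->fr_ifname) - 1] = '\0';` before the `if (*fr->fr_ifname)` closes that gap. The `strncpy(isn->is_ifname[out], IFNAME(fr->fr_ifa), IFNAMSIZ)` on the kernel path likewise leaves `is_ifname[out]` unterminated when the name fills it, so terminate it afterwards or copy at most `IFNAMSIZ - 1` bytes. The enclosing function starts in the hunk at -381 and ends outside the hunks.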
@@ -17,8 +17,8 @@ # define SIOCDELST _IOW(r, 61, struct ipstate *) #endif -#define IPSTATE_SIZE 257 -#define IPSTATE_MAX 2048 /* Maximum number of states held */ +#define IPSTATE_SIZE 5737 +#define IPSTATE_MAX 4013 /* Maximum number of states held */ #define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ (((s1) == (d2)) && ((d1) == (s2)))) diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index ac975e5..a1a0bfc 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10 2000/03/13 22:10:23 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.1 2000/07/08 02:19:46 darrenr Exp $"; #endif #if SOLARIS @@ -295,9 +295,10 @@ char *name, *file; if ((opts & OPT_ZERORULEST) && !(opts & OPT_DONOTHING)) { - if (ioctl(fd, add, &fr) == -1) + if (ioctl(fd, add, &fr) == -1) { + fprintf(stderr, "%d:", linenum); perror("ioctl(SIOCZRLST)"); - else { + } else { #ifdef USE_QUAD_T printf("hits %qd bytes %qd ", (long long)fr->fr_hits, @@ -310,11 +311,15 @@ char *name, *file; } } else if ((opts & OPT_REMOVE) && !(opts & OPT_DONOTHING)) { - if (ioctl(fd, del, &fr) == -1) + if (ioctl(fd, del, &fr) == -1) { + fprintf(stderr, "%d:", linenum); perror("ioctl(delete rule)"); + } } else if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, add, &fr) == -1) + if (ioctl(fd, add, &fr) == -1) { + fprintf(stderr, "%d:", linenum); perror("ioctl(add/insert rule)"); + } } } } @@ -339,7 +344,7 @@ FILE *file; int s, len; do { - for (p = str, s = size;; p += len, s -= len) { + for (p = str, s = size;; p += (len - 1), s -= (len - 1)) { /* * if an error occured, EOF was encounterd, or there * was no room to put NUL, return NULL. 
@@ -347,12 +352,21 @@ FILE *file; if (fgets(p, s, file) == NULL) return (NULL); len = strlen(p); + if (p[len - 1] != '\n') { + p[len] = '\0'; + break; + } p[len - 1] = '\0'; - if (p[len - 1] != '\\') + if (len < 2 || p[len - 2] != '\\') break; - size -= len; + else + /* + * Convert '\\' to a space so words don't + * run together + */ + p[len - 2] = ' '; } - } while (*str == '\0' || *str == '\n'); + } while (*str == '\0'); return (str); } diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index 12d866c..bb2523d 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -6,12 +6,12 @@ * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.5 2000/05/22 10:26:16 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.9 2000/07/19 13:40:04 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.4" +#define IPL_VERSION "IP Filter: v3.4.8" #endif diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c index 1069dbd..9655615 100644 --- a/contrib/ipfilter/natparse.c +++ b/contrib/ipfilter/natparse.c @@ -54,7 +54,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.1 2000/04/28 18:08:00 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $"; #endif 
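Review bot: In the hunk at -347, `len = strlen(p);` can be 0 — on common libcs `fgets()` stores an empty string and still returns `p` once the remaining space `s` has shrunk to 1 — and the very next statement `if (p[len - 1] != '\n')` then reads `p[-1]`, one byte before the buffer. The comment inside the loop already promises "no room to put NUL, return NULL", so the hunk should honour it with `if (len == 0) return (NULL);` directly after the `strlen`; this also stops the function from spinning on a line longer than `size` (with `s == 1` nothing is consumed, so without a return the `do`/`while` never advances). The loop header that shrinks `s` is in the hunk at -339 on the previous line, and the function ends with this hunk.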
@@ -103,25 +103,35 @@ void *ptr; printf(" %s ", np->in_ifname); if (np->in_flags & IPN_FILTER) { + if (np->in_flags & IPN_NOTSRC) + printf("! "); printf("from "); - if (np->in_redir == NAT_REDIRECT) + if (np->in_redir == NAT_REDIRECT) { printhostmask(4, (u_32_t *)&np->in_srcip, (u_32_t *)&np->in_srcmsk); - else + if (np->in_scmp) + printportcmp(np->in_p, &np->in_tuc.ftu_src); + } else { printhostmask(4, (u_32_t *)&np->in_inip, (u_32_t *)&np->in_inmsk); - if (np->in_scmp) - printportcmp(np->in_p, &np->in_tuc.ftu_src); + if (np->in_dcmp) + printportcmp(np->in_p, &np->in_tuc.ftu_dst); + } + if (np->in_flags & IPN_NOTDST) + printf(" !"); printf(" to "); - if (np->in_redir == NAT_REDIRECT) - printhostmask(4, (u_32_t *)&np->in_inip, - (u_32_t *)&np->in_inmsk); - else + if (np->in_redir == NAT_REDIRECT) { + printhostmask(4, (u_32_t *)&np->in_outip, + (u_32_t *)&np->in_outmsk); + if (np->in_dcmp) + printportcmp(np->in_p, &np->in_tuc.ftu_dst); + } else { printhostmask(4, (u_32_t *)&np->in_srcip, (u_32_t *)&np->in_srcmsk); - if (np->in_dcmp) - printportcmp(np->in_p, &np->in_tuc.ftu_dst); + if (np->in_scmp) + printportcmp(np->in_p, &np->in_tuc.ftu_src); + } } if (np->in_redir == NAT_REDIRECT) { @@ -132,12 +142,12 @@ void *ptr; printf("/%d ", bits); else printf("/%s ", inet_ntoa(np->in_out[1])); + if (np->in_pmin) + printf("port %d", ntohs(np->in_pmin)); + if (np->in_pmax != np->in_pmin) + printf("- %d", ntohs(np->in_pmax)); } - if (np->in_pmin) - printf("port %d ", ntohs(np->in_pmin)); - if (np->in_pmax != np->in_pmin) - printf("- %d ", ntohs(np->in_pmax)); - printf("-> %s", inet_ntoa(np->in_in[0])); + printf(" -> %s", inet_ntoa(np->in_in[0])); if (np->in_flags & IPN_SPLIT) printf(",%s", inet_ntoa(np->in_in[1])); if (np->in_pnext) 
@@ -312,7 +322,27 @@ int linenum; ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0'; cpp++; - if (!strcasecmp(*cpp, "from")) { + if (!strcasecmp(*cpp, "from") || (**cpp == '!')) { + if (!strcmp(*cpp, "!")) { + cpp++; + if (strcasecmp(*cpp, "from")) { + fprintf(stderr, "Missing from after !\n"); + return NULL; + } + ipn.in_flags |= IPN_NOTSRC; + } else if (**cpp == '!') { + if (strcasecmp(*cpp + 1, "from")) { + fprintf(stderr, "Missing from after !\n"); + return NULL; + } + ipn.in_flags |= IPN_NOTSRC; + } + if ((ipn.in_flags & IPN_NOTSRC) && + (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) { + fprintf(stderr, "Cannot use '! from' with map\n"); + return NULL; + } + ipn.in_flags |= IPN_FILTER; cpp++; if (ipn.in_redir == NAT_REDIRECT) { @@ -325,34 +355,48 @@ int linenum; } else { if (hostmask(&cpp, (u_32_t *)&ipn.in_inip, (u_32_t *)&ipn.in_inmsk, - &ipn.in_dport, &ipn.in_dcmp, - &ipn.in_dtop, linenum)) { + &ipn.in_sport, &ipn.in_scmp, + &ipn.in_stop, linenum)) { return NULL; } } + if (!strcmp(*cpp, "!")) { + cpp++; + ipn.in_flags |= IPN_NOTDST; + } else if (**cpp == '!') { + (*cpp)++; + ipn.in_flags |= IPN_NOTDST; + } + if (strcasecmp(*cpp, "to")) { fprintf(stderr, "%d: unexpected keyword (%s) - to\n", linenum, *cpp); return NULL; } + if ((ipn.in_flags & IPN_NOTDST) && + (ipn.in_redir & (NAT_REDIRECT))) { + fprintf(stderr, "Cannot use '! to' with rdr\n"); + return NULL; + } if (!*++cpp) { fprintf(stderr, "%d: missing host after to\n", linenum); return NULL; } if (ipn.in_redir == NAT_REDIRECT) { - if (hostmask(&cpp, (u_32_t *)&ipn.in_inip, - (u_32_t *)&ipn.in_inmsk, + if (hostmask(&cpp, (u_32_t *)&ipn.in_outip, + (u_32_t *)&ipn.in_outmsk, &ipn.in_dport, &ipn.in_dcmp, &ipn.in_dtop, linenum)) { return NULL; } + ipn.in_pmin = htons(ipn.in_dport); } else { if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, (u_32_t *)&ipn.in_srcmsk, - &ipn.in_sport, &ipn.in_scmp, - &ipn.in_stop, linenum)) { + &ipn.in_dport, &ipn.in_dcmp, + &ipn.in_dtop, linenum)) { return NULL; } } 
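Review bot: In the hunk at -312, the lone-`!` form does `cpp++` and then `strcasecmp(*cpp, "from")` without checking that another token exists, so a rule line ending in `!` makes ipnat dereference a NULL `*cpp`; the hunk at -325 has the same shape, where `if (!strcmp(*cpp, "!")) { cpp++; ... }` is followed by `strcasecmp(*cpp, "to")`. The parser already guards the equivalent spot a few lines down with `if (!*++cpp) { fprintf(stderr, "%d: missing host after to\n", linenum); return NULL; }`, so the `!` branches should use that shape, e.g. `if (!*++cpp || strcasecmp(*cpp, "from")) {` for the first and `if (!*cpp) { fprintf(stderr, "%d: missing to after !\n", linenum); return NULL; }` after the second `cpp++`. The new error strings (`Missing from after !`, `Cannot use '! from' with map`, `Cannot use '! to' with rdr`) are also the only ones in this function without the `%d: ` line-number prefix the rest of the diff is adding. The enclosing function starts and ends outside the hunks.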
@@ -673,8 +717,11 @@ int linenum; return NULL; } cpp++; - if (!*cpp) + if (!*cpp) { + fprintf(stderr, "%d: missing expression following portmap\n", + linenum); return NULL; + } if (!strcasecmp(*cpp, "tcp")) ipn.in_flags |= IPN_TCP; @@ -741,7 +788,7 @@ int opts; fp = stdin; while (fgets(line, sizeof(line) - 1, fp)) { - linenum++; + linenum++; line[sizeof(line) - 1] = '\0'; if ((s = strchr(line, '\n'))) *s = '\0'; @@ -755,10 +802,15 @@ int opts; printnat(np, opts, NULL); if (!(opts & OPT_NODO)) { if (!(opts & OPT_REMOVE)) { - if (ioctl(fd, SIOCADNAT, &np) == -1) + if (ioctl(fd, SIOCADNAT, &np) == -1) { + fprintf(stderr, "%d:", + linenum); perror("ioctl(SIOCADNAT)"); - } else if (ioctl(fd, SIOCRMNAT, &np) == -1) + } + } else if (ioctl(fd, SIOCRMNAT, &np) == -1) { + fprintf(stderr, "%d:", linenum); perror("ioctl(SIOCRMNAT)"); + } } } } diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 0f05c15..ab1e08c 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -939,14 +939,20 @@ int linenum; linenum, **cp); return -1; } - fp->fr_icmp |= (u_short)i; - fp->fr_icmpm = (u_short)0xffff; - (*cp)++; - return 0; + } else { + i = icmpcode(**cp); + if (i == -1) { + fprintf(stderr, + "%d: Invalid icmp code (%s) specified\n", + linenum, **cp); + return -1; + } } - fprintf(stderr, "%d: Invalid icmp code (%s) specified\n", - linenum, **cp); - return -1; + i &= 0xff; + fp->fr_icmp |= (u_short)i; + fp->fr_icmpm = (u_short)0xffff; + (*cp)++; + return 0; } @@ -966,9 +972,8 @@ char *str; char *s; int i, len; - if (!(s = strrchr(str, ')'))) - return -1; - *s = '\0'; + if ((s = strrchr(str, ')'))) + *s = '\0'; if (isdigit(*str)) { if (!ratoi(str, &i, 0, 255)) return -1; @@ -1153,7 +1158,7 @@ struct frentry *fp; printf(" icmp-type %s", icmptypes[type]); else printf(" icmp-type %d", type); - if (code) + if (ntohs(fp->fr_icmpm) & 0xff) printf(" code %d", code); } if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) { 
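Review bot: The new `fprintf(stderr, "%d:", linenum)` runs between the failing ioctl() and `perror()`, and fprintf may itself set errno on a write error, so the value perror() reports is not guaranteed to be the ioctl's; the SIOCRMNAT branch has the same ordering. Capturing errno first avoids it: `int err = errno; fprintf(stderr, "%d: ioctl(SIOCADNAT): %s\n", linenum, strerror(err));` (strerror comes from <string.h>, which this file already needs for the strchr call in the hunk above). Note also that `"%d:"` has no trailing space, so the line reads `12:ioctl(SIOCADNAT): ...`; `"%d: "` matches the other diagnostics in this file. The enclosing read loop begins before this hunk.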
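Review bot: The merged tail `i &= 0xff; fp->fr_icmp |= (u_short)i;` relies on fr_icmp already holding the type in its high byte and on both branches yielding a 0..255 code, and neither assumption is stated; if the ratoi() bounds (outside this hunk) ever change, the mask would silently truncate rather than reject. A comment at the mask — `/* code occupies the low byte of fr_icmp; the type was stored above, and both icmpcode() and ratoi() are expected to yield 0..255 */` — pins that down, and the `fr_icmpm = 0xffff` line should say it matches both type and code. The enclosing function begins before this hunk.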
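Review bot: Dropping the `return -1` makes a missing closing `)` acceptable: `if ((s = strrchr(str, ')'))) *s = '\0';` now parses an unterminated `foo(bar` exactly like `foo(bar)`. If that is intended — because the caller already validated the parentheses, or because this routine is also fed bare values — say so in a comment, e.g. `/* ')' is optional: callers may pass the value without parentheses */`; otherwise keep a diagnostic so malformed rules are rejected rather than guessed at. While here, the `isdigit(*str)` on the context line below should take `(unsigned char)*str` to stay defined for high-bit characters. The enclosing function starts before this hunk.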
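Review bot: `if (ntohs(fp->fr_icmpm) & 0xff)` treats fr_icmpm as a network-order field, while the parser hunk at `@@ -939,14 +939,20 @@` stores it as the host-order constant `0xffff` and or-s a host-order code into fr_icmp; the two sides only agree because 0xffff is byte-order symmetric. A comment stating the intended byte order at both sites — e.g. `/* fr_icmpm is network order; a set low byte means an explicit code was given */` — keeps them from drifting, or the test can be written `(fp->fr_icmpm & htons(0xff))` to make the convention explicit. `code` is computed outside the hunk, and the enclosing function begins before it.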
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index 5187bca..ce25337 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.15.2.3 2000/05/22 10:26:17 darrenr Exp $" +#pragma ident "@(#)$Id: solaris.c,v 2.15.2.6 2000/07/18 13:56:33 darrenr Exp $" #include <sys/systm.h> #include <sys/types.h> @@ -625,15 +625,28 @@ tryagain: sap = qif->qf_ill->ill_sap; if (sap == 0x800) { + u_short tlen; + hlen = sizeof(*ip); - plen = ntohs(ip->ip_len); + + /* XXX - might not be aligned (from ppp?) */ + ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0]; + ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1]; + + plen = ntohs(tlen); + sap = 0; } #if SOLARIS2 >= 8 else if (sap == IP6_DL_SAP) { + u_short tlen; + hlen = sizeof(ip6_t); ip6 = (ip6_t *)ip; - plen = ntohs(ip6->ip6_plen); + /* XXX - might not be aligned (from ppp?) */ + ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0]; + ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1]; + plen = ntohs(tlen); sap = IP6_DL_SAP; } #endif @@ -670,7 +683,7 @@ fixalign: s = m->b_rptr; } *mp = m2; - MTYPE(m2) = M_DATA; + MTYPE(m2) = MTYPE(mt); freemsg(mt); mt = m2; @@ -678,7 +691,6 @@ fixalign: synced = 1; off = 0; goto tryagain; - } if (((sap == 0) && (ip->ip_v != IP_VERSION)) @@ -1590,8 +1602,7 @@ ire_t *ire; #endif -int ipfr_fastroute(qf, ip, mb, mpp, fin, fdp) -qif_t *qf; +int ipfr_fastroute(ip, mb, mpp, fin, fdp) ip_t *ip; mblk_t *mb, **mpp; fr_info_t *fin; @@ -1608,13 +1619,15 @@ frdest_t *fdp; frentry_t *fr; frdest_t fd; ill_t *ifp; - qif_t *qif; u_char *s; + qif_t *qf; int p; #ifndef sparc u_short __iplen, __ipoff; #endif + qf = fin->fin_qif; + /* * If this is a duplicate mblk then we want ip to point at that * data, not the original, if and only if it is already pointing at 
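Review bot: In the `IP6_DL_SAP` branch the two byte copies read `ip->ip_len` instead of `ip6->ip6_plen` — the line they replace was `plen = ntohs(ip6->ip6_plen);` — so for an IPv6 packet plen is taken from header bytes 2–3 (flow-label bits) rather than the payload length at bytes 4–5, and whatever uses plen downstream sees a bogus length. The fix is `((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];` and `((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];`. If the file already uses bcopy, `bcopy(&ip6->ip6_plen, &tlen, sizeof(tlen));` expresses the unaligned read more directly than two indexed char stores, for both branches. The enclosing function starts before this hunk.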
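Review bot: ipfr_fastroute() loses its `qf` parameter and instead reads `qf = fin->fin_qif;`, so every caller and the prototype in the headers must change in step; none of them appear in this part of the diff, so I would confirm the Solaris build rather than assume. The new assignment also dereferences `fin` unconditionally at the top of the function, which is only safe if no caller can pass a NULL fin — the old signature let callers supply `qf` independently of fin. A comment on the assignment — `/* the qif now comes from the packet's fr_info; callers must fill fin_qif */` — would document the new contract. The function body continues past this hunk.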
@@ -1718,10 +1731,9 @@ frdest_t *fdp; ATOMIC_INCL(frstats[1].fr_acct); } fin->fin_fr = NULL; - if (!fr || !(fr->fr_flags & FR_RETMASK)) { + if (!fr || !(fr->fr_flags & FR_RETMASK)) (void) fr_checkstate(ip, fin); - (void) ip_natout(ip, fin); - } + (void) ip_natout(ip, fin); } #ifndef sparc if (fin->fin_v == 4) { diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index a6d73ef..0726cdd 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile @@ -20,7 +20,7 @@ ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 -ntests: n1 n2 n3 n4 +ntests: n1 n2 n3 n4 n5 n6 n7 0: @(cd ..; make ipftest; ) @@ -34,10 +34,10 @@ f12: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: @/bin/sh ./itest $@ -n1 n2 n3 n4: +n1 n2 n3 n4 n5 n6 n7: @/bin/sh ./nattest $@ clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/* /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 - /bin/rm -f n1 n2 n3 n4 + /bin/rm -f n1 n2 n3 n4 n5 n6 n7 diff --git a/contrib/ipfilter/test/expected/n5 b/contrib/ipfilter/test/expected/n5 new file mode 100644 index 0000000..75f174b --- /dev/null +++ b/contrib/ipfilter/test/expected/n5 
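Review bot: Pulling `(void) ip_natout(ip, fin);` out of the conditional changes behaviour — outbound NAT now runs even when the matched rule carries a FR_RETMASK flag — and at the same time the braces around the remaining single-statement body were dropped, so the result reads like an indentation slip rather than a deliberate change. Keep the braces, `if (!fr || !(fr->fr_flags & FR_RETMASK)) {` / `(void) fr_checkstate(ip, fin);` / `}`, and add a one-line comment above the ip_natout call stating why NAT must apply to return-* traffic as well. The enclosing block starts before this hunk.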
@@ -0,0 +1,330 @@
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.2.2.2 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.2.2.2 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.1.1.1
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.2.2.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.2.2.2,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.2.2.2 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.2.2.2,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.2.2.2,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 
> 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.3.4.5 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.3.4.5 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.0
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.3.4.5 > 10.1.1.2
+ip 20(20) 0 10.3.4.5 > 10.1.2.1
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,2000 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.5,2001 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.5,2002 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.5,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 
10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.3.4.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.3.4.1 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.3.4.1 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.3.4.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.3.4.2 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.3.4.1,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.3.4.1,1025 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 
10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.3.4.5,10001 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10003 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.1,10009 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.3.4.1,10010 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.3.4.1,10011 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.3.4.1,10012 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,40001 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40000 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.5,40001 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
+ip 40(20) 6 
10.3.4.5,40001 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,40000 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.3.4.5,40001 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 28(20) 17 10.3.4.5,40000 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n6 b/contrib/ipfilter/test/expected/n6
new file mode 100644
index 0000000..d28d4f1
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n6
@@ -0,0 +1,70 @@
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n7 b/contrib/ipfilter/test/expected/n7
new file mode 100644
index 0000000..51aa987
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n7
@@ -0,0 +1,20 @@
+ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+ip 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
+ip 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10050
+ip 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10079
+ip 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
+ip 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
+ip 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
+ip 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
+ip 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
+-------------------------------
+ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+ip 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
+ip 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
+ip 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79
+ip 40(20) 6 10.2.3.1,1234 > 10.2.2.1,3128
+ip 40(20) 6 10.2.3.1,1235 > 1.2.2.129,3128
+ip 40(20) 6 10.2.3.1,1236 > 10.2.2.1,3128
+ip 40(20) 6 10.2.3.1,1237 > 1.2.2.129,3128
+ip 40(20) 6 10.2.3.1,1238 > 10.2.2.1,3128
+-------------------------------
diff --git a/contrib/ipfilter/test/input/n5 b/contrib/ipfilter/test/input/n5
new file mode 100644
index 0000000..579210b
--- /dev/null
+++ b/contrib/ipfilter/test/input/n5
@@ -0,0 +1,54 @@
+out on zx0 255 10.1.1.0 10.1.1.2
+out on zx0 255 10.1.1.1 10.1.1.2
+out on zx0 255 10.1.1.2 10.1.1.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 255 10.2.2.1 10.1.2.1
+out on zx0 255 10.2.2.2 10.1.2.1
+in on zx0 255 10.1.1.1 10.1.1.2
+in on zx0 255 10.1.1.2 10.1.1.1
+in on zx0 255 10.2.2.1 10.2.1.1
+in on zx0 255 10.2.2.2 10.2.1.1
+in on zx0 255 10.2.2.3 10.1.1.1
+in on zx0 255 10.2.3.4 10.2.2.2
+in on zx0 255 10.1.1.1 10.2.2.2
+in on zx0 255 10.1.1.2 10.2.2.2
+in on zx0 255 10.1.1.0 10.3.4.5
+in on zx0 255 10.1.1.1 10.3.4.5
+in on zx0 255 10.1.1.2 10.3.4.5
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
+out on zx0 icmp 10.1.1.1 10.4.3.2
+in on zx0 icmp 10.4.3.2 10.2.2.2
+in on zx0 icmp 10.4.3.2 10.3.4.3
+in on zx0 icmp 10.4.3.2 10.3.4.5
+out on zx0 34 10.1.1.2 10.4.3.2
+in on zx0 34 10.4.3.2 10.3.4.4
+out on zx0 34 10.1.1.2 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.5
+out on zx0 34 10.1.1.3 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.6
+out on zx0 35 10.1.1.3 10.4.3.4
+in on zx0 35 10.4.3.4 10.3.4.7
+out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+out on zx0 10.1.1.0 10.1.1.2
+out on zx0 10.1.1.1 10.1.2.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
+out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
+out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
+out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
+in on zx0 10.1.1.1 10.1.1.2
+in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+in on zx0 10.1.1.2 10.1.1.1
+out on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
+in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
+out on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
+out on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
+in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
+out on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
+in on zx0 tcp 
10.1.2.1,80 10.3.4.5,40001
diff --git a/contrib/ipfilter/test/input/n6 b/contrib/ipfilter/test/input/n6
new file mode 100644
index 0000000..8a0c924
--- /dev/null
+++ b/contrib/ipfilter/test/input/n6
@@ -0,0 +1,13 @@
+in on zx0 tcp 10.2.2.2,12345 10.1.1.1,23
+in on zx0 tcp 10.2.2.2,12345 10.1.1.2,23
+in on zx0 tcp 10.3.0.1,12345 10.1.2.2,23
+in on zx0 tcp 10.3.0.1,12345 10.2.2.2,23
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
+in on zx0 tcp 10.2.2.2,12345 10.1.1.1,53
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
+in on zx0 tcp 10.2.2.2,12345 10.1.0.0,23
+in on zx0 tcp 10.3.3.3,12345 10.1.0.0,23
+in on zx0 udp 10.2.2.2,12345 10.1.1.0,53
+in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
+in on zx0 tcp 10.2.2.2,12345 10.1.1.0,53
+in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53
diff --git a/contrib/ipfilter/test/input/n7 b/contrib/ipfilter/test/input/n7
new file mode 100644
index 0000000..79af901
--- /dev/null
+++ b/contrib/ipfilter/test/input/n7
@@ -0,0 +1,9 @@
+in on zx0 tcp 10.2.3.1,1230 10.1.1.1,22
+in on zx0 tcp 10.2.3.1,1231 10.1.1.1,23
+in on zx0 tcp 10.2.3.1,1232 10.1.1.1,50
+in on zx0 tcp 10.2.3.1,1233 10.1.1.1,79
+in on zx0 tcp 10.2.3.1,1234 10.1.1.1,80
+in on zx0 tcp 10.2.3.1,1235 10.1.1.2,80
+in on zx0 tcp 10.2.3.1,1236 10.1.1.3,80
+in on zx0 tcp 10.2.3.1,1237 10.1.1.4,80
+in on zx0 tcp 10.2.3.1,1238 10.1.1.4,80
diff --git a/contrib/ipfilter/test/regress/n5 b/contrib/ipfilter/test/regress/n5
new file mode 100644
index 0000000..e55cea0
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n5
@@ -0,0 +1,6 @@
+map zx0 10.1.1.1/32 -> 10.2.2.2/32
+map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
+map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
diff --git a/contrib/ipfilter/test/regress/n6 b/contrib/ipfilter/test/regress/n6
new file mode 100644
index 0000000..79f11a4
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n6
@@ -0,0 +1,5 @@
+rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 from any to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 from 10.2.0.0/16 to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 from 10.3.0.0/16 to 10.1.0.0/16 port = 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 ! from 10.2.0.0/16 to 10.1.1.0/24 port = 53 -> 10.2.2.1 port 10053 udp
diff --git a/contrib/ipfilter/test/regress/n7 b/contrib/ipfilter/test/regress/n7
new file mode 100644
index 0000000..4abde53
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n7
@@ -0,0 +1,2 @@
+rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1 port 10023 tcp
+rdr zx0 10.1.1.0/24 port 80 -> 10.2.2.1,1.2.2.129 port 3128 tcp |