authordarrenr <darrenr@FreeBSD.org>2002-03-19 11:45:20 +0000
committerdarrenr <darrenr@FreeBSD.org>2002-03-19 11:45:20 +0000
commit3140c087b9b8baeffe8e179f35a0d3188405bafb (patch)
tree9e50f8834fcb9f15ad118e059ab45b8c742ab4ed /contrib/ipfilter
parent369d6395e751e640146687047af62ff1032a6745 (diff)
parent5df96985515dd8f51d4209b69c12cbab7c289fd0 (diff)
This commit was generated by cvs2svn to compensate for changes in r92686,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/BNF13
-rw-r--r--contrib/ipfilter/BSD/Makefile61
-rw-r--r--contrib/ipfilter/BSD/kupgrade10
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/kinstall8
-rwxr-xr-xcontrib/ipfilter/FreeBSD-3/kinstall8
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/kinstall23
-rwxr-xr-xcontrib/ipfilter/FreeBSD/kinstall8
-rw-r--r--contrib/ipfilter/HISTORY213
-rw-r--r--contrib/ipfilter/INSTALL.FreeBSD50
-rw-r--r--contrib/ipfilter/IPFILTER.LICENCE2
-rw-r--r--contrib/ipfilter/Makefile16
-rw-r--r--contrib/ipfilter/common.c56
-rw-r--r--contrib/ipfilter/etc/protocols10
-rw-r--r--contrib/ipfilter/fils.c688
-rw-r--r--contrib/ipfilter/inet_addr.c5
-rw-r--r--contrib/ipfilter/ip_lfil.c5
-rw-r--r--contrib/ipfilter/ip_sfil.c28
-rw-r--r--contrib/ipfilter/ipf.c9
-rw-r--r--contrib/ipfilter/ipf.h12
-rw-r--r--contrib/ipfilter/ipfs.c12
-rw-r--r--contrib/ipfilter/ipft_ef.c5
-rw-r--r--contrib/ipfilter/ipft_hx.c31
-rw-r--r--contrib/ipfilter/ipft_pc.c5
-rw-r--r--contrib/ipfilter/ipft_sn.c5
-rw-r--r--contrib/ipfilter/ipft_td.c5
-rw-r--r--contrib/ipfilter/ipft_tx.c7
-rw-r--r--contrib/ipfilter/ipnat.c409
-rw-r--r--contrib/ipfilter/ipsend/44arp.c3
-rw-r--r--contrib/ipfilter/ipsend/arp.c5
-rw-r--r--contrib/ipfilter/ipsend/ip.c5
-rw-r--r--contrib/ipfilter/ipsend/ipresend.c6
-rw-r--r--contrib/ipfilter/ipsend/ipsopt.c6
-rw-r--r--contrib/ipfilter/ipsend/iptest.c5
-rw-r--r--contrib/ipfilter/ipsend/lsock.c5
-rw-r--r--contrib/ipfilter/ipsend/resend.c5
-rw-r--r--contrib/ipfilter/ipsend/sirix.c3
-rw-r--r--contrib/ipfilter/ipt.c380
-rw-r--r--contrib/ipfilter/kmem.c187
-rw-r--r--contrib/ipfilter/kmem.h5
-rw-r--r--contrib/ipfilter/man/Makefile2
-rw-r--r--contrib/ipfilter/man/ipfs.88
-rw-r--r--contrib/ipfilter/man/ipl.42
-rw-r--r--contrib/ipfilter/man/ipnat.54
-rw-r--r--contrib/ipfilter/misc.c80
-rw-r--r--contrib/ipfilter/mlf_ipl.c4
-rw-r--r--contrib/ipfilter/mli_ipl.c21
-rw-r--r--contrib/ipfilter/mln_ipl.c2
-rw-r--r--contrib/ipfilter/natparse.c490
-rw-r--r--contrib/ipfilter/opt.c5
-rw-r--r--contrib/ipfilter/parse.c270
-rw-r--r--contrib/ipfilter/samples/Makefile18
-rw-r--r--contrib/ipfilter/samples/proxy.c195
-rw-r--r--contrib/ipfilter/solaris.c262
-rw-r--r--contrib/ipfilter/test/Makefile22
-rw-r--r--contrib/ipfilter/todo1
55 files changed, 2451 insertions, 1254 deletions
diff --git a/contrib/ipfilter/BNF b/contrib/ipfilter/BNF
index ac2381b..cf30ab6 100644
--- a/contrib/ipfilter/BNF
+++ b/contrib/ipfilter/BNF
@@ -2,27 +2,29 @@ filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
insert = "@" decnumber .
-action = block | "pass" | log | "count" | skip | auth | call .
+action = block | "no-match" | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
+options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
+ [ via ] ] .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
-block = "block" [ reutrn-icmp[return-code] | "return-rst" ] .
+block = "block" [ return-icmp[return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
+via = "in-via" interface-name | "out-via" interface-name .
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
-reutrn-icmp = "return-icmp" | "return-icmp-as-dest" .
+return-icmp = "return-icmp" | "return-icmp-as-dest" .
loglevel = facility"."priority | priority .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
@@ -32,7 +34,8 @@ flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
-keep = "keep" "state" | "keep" "frags" .
+keep = "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
+state-age = decnmber [ "/" decnumber ] .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index 5f1cbc0..8d2b28d 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -8,7 +8,7 @@
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
-CC=cc -Wall -Wuninitialized -Wstrict-prototypes -Werror -O
+CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O
CFLAGS=-g -I$(TOP)
#
# For NetBSD/FreeBSD
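Review bot: The new `CC=` line drops `-Werror`, so `-Wuninitialized` and `-Wstrict-prototypes` findings that previously stopped the build now only print a warning and are easy to miss. If the reason is portability across compilers (not visible in this hunk), it would be better to keep the flag behind an overridable variable than to remove it, e.g. `WERROR=-Werror` followed by `CC=cc -Wall -Wstrict-prototypes -Wuninitialized $(WERROR) -O`, so a release build can pass `WERROR=` while developer builds keep the strict check.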
@@ -39,22 +39,23 @@ INSTALL=install
#
MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
ip_auth.o ip_log.o
-DFLAGS=$(IPFLKM) $(IPFLOG) $(DEF) $(DLKM)
+DFLAGS=$(IPFLKM) $(DEF) $(DLKM)
IPF=ipf.o parse.o common.o opt.o facpri.o
IPT=ipt.o parse.o common.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o \
opt.o ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \
- ip_auth_u.o ipft_hx.o ip_fil_u.o natparse.o facpri.o
-IPNAT=ipnat.o kmem.o natparse.o common.o
-FILS=fils.o parse.o kmem.o opt.o facpri.o common.o
+ ip_auth_u.o ipft_hx.o ip_fil_u.o ip_log_u.o natparse.o facpri.o \
+ printnat.o printstate.o
+IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o
+FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o
build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM)
ipfstat: $(FILS)
- $(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \
- -o $@ $(LIBS) $(STATETOP_LIB)
+ $(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
+ $(FILS) -o $@ $(LIBS) $(STATETOP_LIB) -lkvm
ipf: $(IPF)
- $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
+ $(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
/bin/rm -f $(TOP)/ipf
ln -s `pwd`/ipf $(TOP)
@@ -64,10 +65,10 @@ ipftest: $(IPT)
ln -s `pwd`/ipftest $(TOP)
ipnat: $(IPNAT)
- $(CC) $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS)
+ $(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm
ipfs: ipfs.o
- $(CC) $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
+ $(CC) -static $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
tests:
(cd test; make )
@@ -107,6 +108,14 @@ natparse.o: $(TOP)/natparse.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@
+printnat.o: $(TOP)/printnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
+ $(TOP)/ip_compat.h $(TOP)/ip_proxy.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printnat.c -o $@
+
+printstate.o: $(TOP)/printstate.c $(TOP)/ip_fil.h $(TOP)/ipf.h \
+ $(TOP)/ip_state.h $(TOP)/ip_compat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printstate.c -o $@
+
ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \
$(TOP)/snoop.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
@@ -130,7 +139,8 @@ ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@
ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_nat.h
+ $(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_rcmd_pxy.c \
+ $(TOP)/ip_raudio_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@
ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
@@ -148,6 +158,9 @@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@
+ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_log.c -o $@
+
if_ipl.o: $(MODOBJS)
ld -r $(MODOBJS) -o $(LKM)
${RM} -f if_ipl
@@ -170,7 +183,7 @@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_raudio_pxy.c \
- $(TOP)/ip_nat.h
+ $(TOP)/ip_rcmd_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
@@ -207,6 +220,8 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h
ipmon: $(TOP)/ipmon.c
$(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS)
+ /bin/rm -f $(TOP)/ipmon
+ ln -s `pwd`/ipmon $(TOP)
clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
@@ -231,10 +246,20 @@ install:
-if [ -d /modules -a -f ipf.ko ] ; then \
cp ipf.ko /modules; \
fi
- -$(INSTALL) -cs -g wheel -m 755 -o root ipf $(SBINDEST)
- -$(INSTALL) -cs -g wheel -m 755 -o root ipfs $(SBINDEST)
- -$(INSTALL) -cs -g wheel -m 755 -o root ipnat $(SBINDEST)
- -$(INSTALL) -cs -g wheel -m 755 -o root ipfstat $(SBINDEST)
- -$(INSTALL) -cs -g wheel -m 755 -o root ipmon $(BINDEST)
- -$(INSTALL) -cs -g wheel -m 755 -o root ipftest $(BINDEST)
+ @for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \
+ ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
+ def="`expr $$i : '[^:]*:\(.*\)'`"; \
+ p="`expr $$i : '\([^:]*\):.*'`"; \
+ for d in $(BINDEST) $(SBINDEST); do \
+ if [ -f $$d/$$i ] ; then \
+ echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
+ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
+ dd=$$d; \
+ fi; \
+ done; \
+ if [ -z "$$dd" ] ; then \
+ echo $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
+ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
+ fi \
+ done
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
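Review bot: The inner-loop test `if [ -f $$d/$$i ]` checks for a file named after the whole `name:dir` pair (e.g. `ipf:/sbin`), which never exists, so the "replace the binary where it already lives" branch can never fire and every program falls through to its default directory. Separately, `dd` is never cleared between iterations of the outer loop, so once one program has been found in place every later program that is not found is skipped entirely instead of being installed to `$$def`. Change the test to `if [ -f $$d/$$p ] ; then \` and add `dd=""; \` right after the `p=` assignment.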
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
index 2159a29..092f3ab 100644
--- a/contrib/ipfilter/BSD/kupgrade
+++ b/contrib/ipfilter/BSD/kupgrade
@@ -9,13 +9,17 @@ argv0=`basename $0`
dir=`pwd`
karch=`uname -m`
archdir="/sys/arch/$karch"
+ipfdir=/sys/netinet
+if [ -d /sys/contrib/ipfilter ] ; then
+ ipfdir=/sys/contrib/ipfilter/netinet
+fi
confdir="$archdir/conf"
echo -n "Installing "
-for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_ftp_pxy.c ip_rcmd_pxy.c ip_raudio_pxy.c ; do
+for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_*_pxy.c ; do
echo -n "$i "
- cp $i /sys/netinet/
- chmod 644 /sys/netinet/$i
+ cp $i $ipfdir
+ chmod 644 $ipfdir/$i
done
echo ""
if [ -f /sys/netinet/ip_fil_compat.h ] ; then
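Review bot: The stale-header check on the last context line still hard-codes `/sys/netinet/ip_fil_compat.h` while the copies above now go to `$ipfdir`, which on a system with `/sys/contrib/ipfilter` is a different directory. If that check is meant to clean up an old header in the install location rather than only in the legacy path (the rest of the block is outside the hunk, so I cannot tell), it should read `if [ -f $ipfdir/ip_fil_compat.h ] ; then`.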
diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall
index 94b5009..9ecadc4 100755
--- a/contrib/ipfilter/FreeBSD-2.2/kinstall
+++ b/contrib/ipfilter/FreeBSD-2.2/kinstall
@@ -9,11 +9,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_{ftp,rcmd}_pxy.c mlf_ipl.c ipl.h ip_compat.h \
+ ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h \
ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
+ switch ( $i )
+ case *.h:
+ /bin/cp $i /usr/include/netinet/$i
+ chmod 644 /usr/include/netinet/$i
+ breaksw
+ endsw
end
echo ""
echo "Copying /usr/include/osreldate.h to /sys/sys"
diff --git a/contrib/ipfilter/FreeBSD-3/kinstall b/contrib/ipfilter/FreeBSD-3/kinstall
index c77f446..8282de7 100755
--- a/contrib/ipfilter/FreeBSD-3/kinstall
+++ b/contrib/ipfilter/FreeBSD-3/kinstall
@@ -9,11 +9,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
+ ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h \
ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
+ switch ( $i )
+ case *.h:
+ /bin/cp $i /usr/include/netinet/$i
+ chmod 644 /usr/include/netinet/$i
+ breaksw
+ endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall
index b3ed454..9e34e33 100755
--- a/contrib/ipfilter/FreeBSD-4.0/kinstall
+++ b/contrib/ipfilter/FreeBSD-4.0/kinstall
@@ -2,27 +2,38 @@
#
set dir=`pwd`
set karch=`uname -m`
+set ipfdir=/sys/netinet
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
+if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c mlfk_ipl.c \
+ ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c mlfk_ipl.c \
ipl.h ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
- cp $i /sys/netinet
- chmod 644 /sys/netinet/$i
+ cp $i $ipfdir
+ chmod 644 $ipfdir/$i
+ switch ( $i )
+ case *.h:
+ /bin/cp $i /usr/include/netinet/$i
+ chmod 644 /usr/include/netinet/$i
+ breaksw
+ endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
-echo ""
-echo "Patching ip6_input.c and ip6_output.c"
-cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch)
+patchfile=FreeBSd-4.0/ipv6-patch-$krev
+if ( -f $patchfile ) then
+ echo ""
+ echo "Patching ip6_input.c and ip6_output.c"
+ cat $patchfile | (cd /sys/netinet6; patch)
+endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
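Review bot: `patchfile=FreeBSd-4.0/ipv6-patch-$krev` is not a variable assignment in csh (every other assignment in this script uses `set ...`), so csh tries to execute it as a command and the following `$patchfile` reference is then an undefined variable, which csh normally treats as a fatal error, aborting the script before the kernel configuration prompt below. The path also misspells the directory as `FreeBSd-4.0`, so even with `set` the `-f` test would never succeed and the IPv6 patch would silently never be applied. Replace the line with `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`.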
diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall
index bb5aef5..ef2db54 100755
--- a/contrib/ipfilter/FreeBSD/kinstall
+++ b/contrib/ipfilter/FreeBSD/kinstall
@@ -9,10 +9,16 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_auth.[ch] ip_{ftp,rcmd}_pxy.c ip_compat.h ip_log.c)
+ ip_proxy.[ch] ip_auth.[ch] ip_*_pxy.c ip_compat.h ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
+ switch ( $i )
+ case *.h:
+ /bin/cp $i /usr/include/netinet/$i
+ chmod 644 /usr/include/netinet/$i
+ breaksw
+ endsw
end
echo ""
grep iplopen $archdir/$karch/conf.c >& /dev/null
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 584f4f2..80632b4 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -22,6 +22,219 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.25 13/03/2002 - Released
+
+retain rule # in state information
+
+log the direction of a packet so ipmon gets it right rather than incorrectly
+deriving it from the rule flags
+
+add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
+kernel config files to increase that buffer size)
+
+recognise return-* rules differently to block in ipftest
+
+fix bug in ipmon output for solaris
+
+add regression testing for skip rules, logging and using head/group
+
+fix output of ipmon: was displaying large unsigned ints rather than -1
+when no rules matched.
+
+make logging code compile into ipftest and add -l command line option to
+dump binary log file (read with ipmon -f) when it finishes.
+
+protect rule # and group # from interference when checking accounting rules
+
+add regression testing for log output (text) from ipmon.
+
+document -b command line option for ipmon
+
+fix double-quick in Solaris startup script
+
+3.4.24 01/03/2002 - Released
+
+fix how files are installed on SunOS5
+
+fix some minor problems in SunOS5 ipfboot script
+
+by default, compile all OpenBSD tools in 3.0 for IPv6
+
+fix NULL-pointer dereference in NAT code
+
+make a better attempt at replacing the appropriate binaries on BSD systems
+
+always print IPv6 icmp-types as a number
+
+impose some rules about what "skip" can be used with
+
+fix parsing problems with "keep state" and "keep state-age"
+
+Try to read as much data as is in the log device in ipmon
+
+remove some redundant checks when searching for rdr/nat rules
+
+fix bug in handling of ACCT with FTP proxy
+
+increase array size for interface names, using LIFNAMSIZ
+
+include H.323 proxy from QNX
+
+3.4.23 16/01/2002 - Released
+
+Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
+compiles and complete system builds.
+
+Fix bug in automatic flushing of state table which would cause it to hang
+in an infinite loop bug introduced in 3.4.20.
+
+Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for
+the outgoing connection to make it look like it comes from the real source.
+
+Only support ICMPv6 with IPv6.
+
+Move ipnat.1 to ipnat.8
+
+Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.
+
+Make it possible to do IPv6 regression testing with ipftest.
+
+Use kvm library for kmem access, rather than trying to do it manually with
+open/lseek/read.
+
+Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.
+
+Remove Berkeley advertising licence clause. Reference:
+ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
+
+Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
+and fragmentation required.
+
+Fix ipfboot script on Solaris to deal with no nameservers or no route to
+them in a clean manner.
+
+Support per-rule set timeouts for non-TCP NAT and state
+
+Add netbios proxy
+
+Add ICMPv6 stateful checking, including handling multicast destination
+addresses for neighbour discovery.
+
+Fix problems with internals of ICMP messages for MTU discovery and
+unreachables not being correctly adjust on little endian boxes.
+
+Add "in-via" and "out-via" to filtering rules grammar. It is now possible
+to bind a rule to both incoming and outgoing interfaces, in both forward
+and reverse directions (4 directions in total). allows for asymetric flows
+through a firewall.
+
+Fix ipfstat and ipnat for working on crash dumps.
+
+Don't let USE_INET6 stay defined for SunOS4
+
+Count things we see for each interface on solaris.
+
+Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
+also include a whole bunch of #define's to make sure the symbols expected
+can be used.
+
+Fix up fastroute on BSD systems.
+
+Make fastrouting work for IPv6 just a bit better. doesn't split up big
+packets into fragments like the IPv4 one does. You can now do a
+"to <if>:<ipv6_addr>"
+
+Remove some of the differences between user-space and kernel-space code
+that is internal to ipfilter.
+
+Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
+create the illusion of passing time and include the expire functions in the
+code compiled for user-space.
+
+Fix issues with the IPSec proxy not working or leading to a system crash.
+
+Junk all processing of SPIs and special handling for ESP.
+
+Add "no-match" as a filter rule action (resets _LAST_ match)
+
+Add hack to workaround problems with Cassini interface cards on
+Solaris and VLANs
+
+Add some protocols to etc/protocols
+
+3.4.22 03/12/2001 - Released
+
+various openbsd changes
+
+sorting based on IP numbers for ipfstat top output
+
+fix various IPv6 code & compile problems
+
+modify ip_fil.c to be more netbsd friendly
+
+fix fastroute bug where it modified a packet post-sending
+
+fix get_unit() - don't understand why it was broken.
+
+add FI_IGNOREPKT and don't count so marked packets when doing stats or
+state/nat.
+
+extend the interface name saved to log output
+
+make proxies capable of extending the matching done on a packet with a
+particular nat session
+
+change interfaces inside NAT & state code to accomodate redesign to allow
+IPsec proxy to work.
+
+fix bug when free'ing loaded rules that results in a memory leak
+(only an issue with "ipf -rf -", not flush)
+
+make ipftest capable of loading > 1 file or rules, making it now possible
+to load both NAT & filter rules
+
+fix hex input for ipftest to allow interface name & direction to work
+
+show ipsec proxy details in ipnat output
+
+if OPT_HEX is set in opts, print a packet out as hex
+
+don't modify b_next or preseve it or preserve b_prev for solaris
+
+fix up kinstall scripts to install all the files everywhere they need to
+
+fix overflowing of bits in ip_off inside iptest
+
+make userauth and proxy in samples directory compile
+
+fix minimum size when doing a pullup for ESP & ICMPv6
+
+3.4.21 24/10/2001 - Released
+
+include ipsec proxy
+
+make state work for non-tcp/udp/icmp in a very simple way
+
+include diffs for ipv6 firewall on openbsd-2.9
+
+add compatibility filter wrapper for NetBSD-current
+
+fix command line option problems with ipfs
+
+if we fill the state table and a automated flush doesn't purge any
+expiring entries, remove all entries idle for more than half a day
+
+fix bug with sending resets/icmp errors where the pointer to the data
+section of the packet was not being set (BSD only)
+
+split out validating ftp commands and responses into different halves,
+one for each of server & client.
+
+do not compile in STATETOP support for specific architectures
+
+fix INSTALL.FreeBSD to no longer provide directions and properly direct
+people to the right file for the right version of FreeBSD.
+
3.4.20 24/07/2001 - Released
adjust NAT hashing to give a better spread across the table
diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD
index 66ad297..c732bac 100644
--- a/contrib/ipfilter/INSTALL.FreeBSD
+++ b/contrib/ipfilter/INSTALL.FreeBSD
@@ -1,51 +1,7 @@
-*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
-*** IF you are using FreeBSD 3 or later, see the file "INST.FreeBSD-3" ***
-*** in the "FreeBSD-3" directory ***
-
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
- 1. do "make freebsd"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD/minstall" as root
-
- 4. build a new kernel
-
- 5. install and reboot with the new kernel
-
- 6. use modload(8) to load the packet filter with:
- modload if_ipl.o
-
- 7. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
- under the name (IPL_NAME) from the Makefile. It will also remove itself
- from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
- 1. do "make freebsd"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD/kinstall" as root
-
- 4. build a new kernel
-
- 5. create devices for IP Filter as follows (assuming it was
- installed into the device table as char dev 20):
- mknod /dev/ipl c 20 0
- mknod /dev/ipnat c 20 1
- mknod /dev/ipstate c 20 2
- mknod /dev/ipauth c 20 3
-
- 6. install and reboot with the new kernel
+*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
+*** IF you are using FreeBSD 3.x, see the file "FreeBSD-3/INST.FreeBSD-3" ***
+*** IF you are using FreeBSD 4.x, see the file "FreeBSD-4.0/INST.FreeBSD-4" ***
Darren Reed
darrenr@pobox.com
diff --git a/contrib/ipfilter/IPFILTER.LICENCE b/contrib/ipfilter/IPFILTER.LICENCE
index a8f6abb..2b4b67e 100644
--- a/contrib/ipfilter/IPFILTER.LICENCE
+++ b/contrib/ipfilter/IPFILTER.LICENCE
@@ -1,4 +1,4 @@
-Copyright (C) 1993-2001 by Darren Reed.
+Copyright (C) 1993-2002 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 09b5db6..9cc636b 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -3,7 +3,7 @@
#
# See the IPFILTER.LICENCE file for details on licencing.
#
-# $Id: Makefile,v 2.11.2.8 2001/06/26 10:43:10 darrenr Exp $
+# $Id: Makefile,v 2.11.2.13 2002/03/06 09:43:15 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@@ -34,7 +34,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
# (requires that you have installed ncurses).
-#STATETOP_CFLAGS=-DSTATETOP
+STATETOP_CFLAGS=-DSTATETOP
#
# Where to find the ncurses include files (if not in default path),
#
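Review bot: The comment directly above `STATETOP_CFLAGS=-DSTATETOP` still says "Uncomment the next 3 lines if you want to view the state table a la top(1)", but the line is now enabled by default, so the instructions contradict the Makefile; the same applies to the `STATETOP_LIB=-lcurses` line in the next hunk, whose heading still says "How to link the ncurses library" while the default is now `-lcurses`. Suggested replacement for the first comment: `# The state table can be viewed a la top(1) (requires curses); comment out the next 3 lines to build without it.`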
@@ -43,7 +43,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
# How to link the ncurses library
#
-#STATETOP_LIB=-lncurses
+STATETOP_LIB=-lcurses
#STATETOP_LIB=-L/usr/local/lib -lncurses
#
@@ -59,7 +59,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
#
-MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6)' \
+MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6) $(IPFLOG)' \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)" 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' \
@@ -100,7 +100,7 @@ tests:
include:
if [ ! -f netinet/done ] ; then \
- (cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .; ln -s ../ip_rcmd_pxy.c .; ln -s ../ip_raudio_pxy.c .); \
+ (cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .; ); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
touch netinet/done; \
fi
@@ -168,8 +168,8 @@ bsdi bsdos: include
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
- -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS); else smake build TOP=../.. $(DEST) $(MFLAGS); fi;)
- -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); fi)
+ -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) SGI=`../getrev` $(MFLAGS); else smake build SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi;)
+ -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi)
linux: include
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
@@ -258,7 +258,7 @@ install-bsd:
(cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-sunos4: solaris
- (cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
+ (cd SunOS4; $(MAKE) "CPU=$(CPU)" "TOP=.." install)
install-sunos5: solaris
(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
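Review bot: The quoting fix applied to `install-sunos4` (`"CPU=$(CPU)" "TOP=.."`) is not applied to `install-sunos5` on the context line right below it, which still passes `"CPU=$(CPU) TOP=.."` as one macro assignment, so presumably the sub-make there sees `CPU` set to `... TOP=..` and `TOP` not set at all, the same defect this hunk fixes. Change that line to `(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU)" "TOP=.." install)`.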
diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c
index e46e63e..b3319c5 100644
--- a/contrib/ipfilter/common.c
+++ b/contrib/ipfilter/common.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@@ -44,9 +47,7 @@ static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 da
extern struct ipopt_names ionames[], secclass[];
extern int opts;
-#ifdef USE_INET6
extern int use_inet6;
-#endif
char *proto = NULL;
@@ -54,10 +55,8 @@ char flagset[] = "FSRPAUEC";
u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
TH_ECN, TH_CWR };
-#ifdef USE_INET6
void fill6bits __P((int, u_32_t *));
int count6bits __P((u_32_t *));
-#endif
static char thishost[MAXHOSTNAMELEN];
@@ -95,30 +94,24 @@ u_32_t *mskp;
* set x most significant bits
*/
bits = (int)strtol(msk, &endptr, 0);
-#ifdef USE_INET6
if ((*endptr != '\0') ||
((bits > 32) && !use_inet6) || (bits < 0) ||
((bits > 128) && use_inet6))
-#else
- if (*endptr != '\0' || bits > 32 || bits < 0)
-#endif
return -1;
-#ifdef USE_INET6
if (use_inet6)
fill6bits(bits, mskp);
- else
-#endif
- if (bits == 0)
- *mskp = 0;
- else
- *mskp = htonl(0xffffffff << (32 - bits));
+ else {
+ if (bits == 0)
+ *mskp = 0;
+ else
+ *mskp = htonl(0xffffffff << (32 - bits));
+ }
}
return 0;
}
-#ifdef USE_INET6
void fill6bits(bits, msk)
int bits;
u_32_t *msk;
@@ -134,7 +127,6 @@ u_32_t *msk;
while (i < 4)
msk[i++] = 0;
}
-#endif
/*
@@ -197,7 +189,6 @@ int linenum;
return -1;
}
(*seg)++;
-#ifdef USE_INET6
if (use_inet6) {
u_32_t k = 0;
if (sa[0] || sa[1] || sa[2] || sa[3])
@@ -205,8 +196,7 @@ int linenum;
msk[0] = msk[1] = msk[2] = msk[3] = k;
}
else
-#endif
- *msk = *sa ? 0xffffffff : 0;
+ *msk = *sa ? 0xffffffff : 0;
return ports(seg, pp, cp, tp, linenum);
}
fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
@@ -448,7 +438,6 @@ u_32_t ip;
}
-#ifdef USE_INET6
int count6bits(msk)
u_32_t *msk;
{
@@ -465,7 +454,6 @@ u_32_t *msk;
}
return i;
}
-#endif
char *portname(pr, port)
@@ -596,3 +584,27 @@ int len, zend;
break;
}
}
+
+
+
+char *hostname(v, ip)
+int v;
+void *ip;
+{
+#ifdef USE_INET6
+ static char hostbuf[MAXHOSTNAMELEN+1];
+#endif
+ struct in_addr ipa;
+
+ if (v == 4) {
+ ipa.s_addr = *(u_32_t *)ip;
+ return inet_ntoa(ipa);
+ }
+#ifdef USE_INET6
+ (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
+ hostbuf[MAXHOSTNAMELEN] = '\0';
+ return hostbuf;
+#else
+ return "IPv6";
+#endif
+}
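Review bot: `hostname()` discards the return value of `inet_ntop()`, so when it fails (unsupported family, or the textual form not fitting in the buffer) the function returns whatever `hostbuf` held from a previous call, i.e. a stale address rather than an error marker; check it: `if (inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1) == NULL) return "?";`. The IPv4 branch reads the address through `*(u_32_t *)ip`, which is undefined behaviour if `ip` is not suitably aligned, and since the parameter is a `void *` nothing stops a caller passing a pointer into packet data; `memcpy(&ipa.s_addr, ip, sizeof(ipa.s_addr));` avoids that. The function also needs a header comment stating that both branches return pointers to static storage (`inet_ntoa`'s buffer and `hostbuf`), so two calls in one argument list overwrite each other and the result must be copied before the next call.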
diff --git a/contrib/ipfilter/etc/protocols b/contrib/ipfilter/etc/protocols
index b41aa1d..fd7a1d2 100644
--- a/contrib/ipfilter/etc/protocols
+++ b/contrib/ipfilter/etc/protocols
@@ -47,11 +47,15 @@ rsvp 46 RSVP # Reservation Protocol
gre 47 GRE # General Routing Encapsulation
mhrp 48 MHRP # Mobile Host Routing Protocol
bna 49 BNA # BNA
-sipp-esp 50 SIPP-ESP # SIPP Encap Security Payload
-sipp-ah 51 SIPP-AH # SIPP Authentication Header
+esp 50 esp # Encap Security Payload
+ah 51 AH # Authentication Header
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
swipe 53 SWIPE # IP with Encryption
nhrp 54 NHRP # NBMA Next Hop Resolution Protocol
+mobile 55 MOBILE # IP Mobility (IP tunneling)
+ipv6-icmp 58 icmpv6 IPv6-ICMP ICMPv6 # ICMP version 6
+ipv6-nonxt 59 IPv6-Nonxt # No Next Header for IPv6
+ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
any 61 any # host internal protocol
cftp 62 CFTP # CFTP
any 63 any # local network
@@ -92,4 +96,6 @@ etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
encap 98 ENCAP # Encapsulation Header
any 99 any # private encryption scheme
gmtp 100 GMTP # GMTP
+pim 103 PIM # Protocol Independant Multicast
+ipcomp 108 IPCOMP # IP Payload Compression Protocol
reserved 255 Reserved #
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index 3ed698a..b3bfae2 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -12,6 +12,9 @@
# endif
# endif
#endif
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__svr4__)
@@ -21,8 +24,24 @@
#include <sys/time.h>
#include <sys/param.h>
#include <sys/file.h>
-#if defined(STATETOP) && defined(sun) && !defined(__svr4__) && !defined(__SVR4)
-#include <sys/select.h>
+#if defined(STATETOP)
+# if defined(_BSDI_VERSION)
+# undef STATETOP)
+# endif
+# if defined(__FreeBSD__) && \
+ (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
+# undef STATETOP
+# endif
+# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
+# undef STATETOP
+# endif
+# if defined(sun)
+# if defined(__svr4__) || defined(__SVR4)
+# include <sys/select.h>
+# else
+# undef STATETOP /* NOT supported on SunOS4 */
+# endif
+# endif
#endif
#include <stdlib.h>
#include <unistd.h>
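Review bot: The BSDI branch has a stray parenthesis, `# undef STATETOP)`, which leaves extra tokens after the identifier on a #undef line; that is a constraint violation that GCC warns on and pedantic builds reject, and because it sits under `_BSDI_VERSION` no other platform's build will catch it. Change the line to `# undef STATETOP`. The `defined(sun)` sub-block is fine and preserves the old SunOS4 exclusion.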
@@ -50,15 +69,16 @@
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "ipf.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
#ifdef STATETOP
# include "netinet/ipl.h"
# include <ctype.h>
-# if SOLARIS
+# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
+ defined(__sgi)
# ifdef ERR
# undef ERR
# endif
@@ -74,7 +94,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.17 2001/07/19 12:24:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $";
#endif
extern char *optarg;
@@ -89,9 +109,8 @@ static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
"ipacct(in)", "ipacct(out)" };
int opts = 0;
-#ifdef USE_INET6
int use_inet6 = 0;
-#endif
+int live_kernel = 1;
#ifdef STATETOP
#define STSTRSIZE 80
@@ -102,7 +121,9 @@ int use_inet6 = 0;
#define STSORT_PKTS 1
#define STSORT_BYTES 2
#define STSORT_TTL 3
-#define STSORT_MAX STSORT_TTL
+#define STSORT_SRCIP 4
+#define STSORT_DSTIP 5
+#define STSORT_MAX STSORT_DSTIP
#define STSORT_DEFAULT STSORT_BYTES
@@ -120,51 +141,33 @@ typedef struct statetop {
#endif
extern int main __P((int, char *[]));
-static void showstats __P((int, friostat_t *));
-static void showfrstates __P((int, ipfrstat_t *));
+static void showstats __P((friostat_t *, u_32_t));
+static void showfrstates __P((ipfrstat_t *));
static void showlist __P((friostat_t *));
-static void showipstates __P((int, ips_stat_t *));
-static void showauthstates __P((int, fr_authstat_t *));
+static void showipstates __P((ips_stat_t *));
+static void showauthstates __P((fr_authstat_t *));
static void showgroups __P((friostat_t *));
static void Usage __P((char *));
static void printlist __P((frentry_t *));
-static char *get_ifname __P((void *));
-static char *hostname __P((int, void *));
static void parse_ipportstr __P((const char *, struct in_addr *, int *));
+static int ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
+ ipfrstat_t **, fr_authstat_t **, u_32_t *));
+static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
+ ipfrstat_t **, fr_authstat_t **, u_32_t *));
#ifdef STATETOP
-static void topipstates __P((int, struct in_addr, struct in_addr, int, int, int, int, int));
+static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int));
static char *ttl_to_string __P((long));
static int sort_p __P((const void *, const void *));
static int sort_pkts __P((const void *, const void *));
static int sort_bytes __P((const void *, const void *));
static int sort_ttl __P((const void *, const void *));
+static int sort_srcip __P((const void *, const void *));
+static int sort_dstip __P((const void *, const void *));
#endif
#if SOLARIS
void showqiflist __P((char *));
#endif
-static char *hostname(v, ip)
-int v;
-void *ip;
-{
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *(u_32_t *)ip;
- return inet_ntoa(ipa);
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
static void Usage(name)
char *name;
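Review bot: The prototypes for ipfstate_live() and ipfstate_dead() are declared `static` here, but their definitions further down (`int ipfstate_live(...)` and `void ipfstate_dead(...)`) omit the storage class. C lets the definition inherit internal linkage from the earlier static declaration, so it compiles, but every other helper in this file carries `static` on both declaration and definition and a reader of the definition alone will assume external linkage; add `static` to both definitions. The visible `hostname()` removal is consistent with the new `extern char *hostname __P((int, void *));` in ipf.h, so nothing to raise there.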
@@ -174,11 +177,8 @@ char *name;
#else
fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
#endif
- fprintf(stderr, "\t\t[-M corefile]");
-#if SOLARIS
- fprintf(stderr, " [-N symbol-list]");
-#endif
- fprintf(stderr, "\n %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
+ fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n");
+ fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
exit(1);
}
@@ -190,15 +190,13 @@ char *argv[];
fr_authstat_t frauthst;
fr_authstat_t *frauthstp = &frauthst;
friostat_t fio;
- friostat_t *fiop=&fio;
+ friostat_t *fiop = &fio;
ips_stat_t ipsst;
ips_stat_t *ipsstp = &ipsst;
ipfrstat_t ifrst;
ipfrstat_t *ifrstp = &ifrst;
- char *name = NULL, *device = IPL_NAME, *memf = NULL;
-#if SOLARIS
+ char *device = IPL_NAME, *memf = NULL;
char *kern = NULL;
-#endif
int c, fd, myoptind;
struct protoent *proto;
@@ -208,6 +206,8 @@ char *argv[];
int dport = -1; /* -1 = wild card for any dest port */
int topclosed = 0; /* do not show closed tcp sessions */
struct in_addr saddr, daddr;
+ u_32_t frf;
+
saddr.s_addr = INADDR_ANY; /* default any source addr */
daddr.s_addr = INADDR_ANY; /* default any dest addr */
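Review bot: The new `u_32_t frf;` is left uninitialised, and on the live path ipfstate_live() only perror()s when `ioctl(fd, SIOCGETFF, frfp)` fails without writing `*frfp`, so showstats() then formats whatever was on the stack. Initialise it at the declaration, `u_32_t frf = 0;`, which also matches what ipfstate_dead() does with `*frfp = 0`. main() begins outside this hunk.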
@@ -216,45 +216,33 @@ char *argv[];
* in the parsing of the rest.
*/
myoptind = optind;
-#if SOLARIS
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
-#else
- while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1)
-#endif
switch (c)
{
case 'M' :
memf = optarg;
+ live_kernel = 0;
break;
-#if SOLARIS
case 'N' :
kern = optarg;
+ live_kernel = 0;
break;
-#endif
}
optind = myoptind;
-#if SOLARIS
if (kern != NULL || memf != NULL)
-#else
- if (memf != NULL)
-#endif
{
(void)setuid(getuid());
(void)setgid(getgid());
}
- if (openkmem(memf) == -1)
+ if (openkmem(kern, memf) == -1)
exit(-1);
(void)setuid(getuid());
(void)setgid(getgid());
-#if SOLARIS
while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
-#else
- while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:M:P:S:T:")) != -1)
-#endif
{
switch (c)
{
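Review bot: The privilege drop before opening a user-supplied file still discards the result of both calls, `(void)setuid(getuid()); (void)setgid(getgid());`, so if either fails the `-M corefile` / `-N symbol-list` path is handed to openkmem() with the program's elevated credentials intact; this was already true on Solaris and the hunk now exposes it on every platform. Check the results and abort on failure, and drop the group before the user as is conventional so the gid change cannot be refused once root is gone: `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("setgid/setuid"); exit(1); }`. The same applies to the unconditional pair after openkmem(). main() continues outside this hunk.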
@@ -265,7 +253,8 @@ char *argv[];
#endif
case 'a' :
opts |= OPT_ACCNT|OPT_SHOWLIST;
- break; case 'A' :
+ break;
+ case 'A' :
device = IPAUTH_NAME;
opts |= OPT_AUTHSTATS;
break;
@@ -316,11 +305,15 @@ char *argv[];
exit(-2);
}
break;
-#if SOLARIS
case 'q' :
+#if SOLARIS
showqiflist(kern);
exit(0);
break;
+#else
+ fprintf(stderr, "-q only availble on Solaris\n");
+ exit(1);
+ break;
#endif
case 's' :
opts |= OPT_IPSTATES;
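Review bot: The new user-facing message has a typo, `"-q only availble on Solaris\n"`; it should read `"-q only available on Solaris\n"`. It also exits with 1 where the surrounding error paths use `exit(-1)`/`exit(-2)`; pick one convention. The enclosing switch and main() extend beyond this hunk.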
@@ -356,19 +349,67 @@ char *argv[];
}
}
+ if (live_kernel == 1) {
+ bzero((char *)&fio, sizeof(fio));
+ bzero((char *)&ipsst, sizeof(ipsst));
+ bzero((char *)&ifrst, sizeof(ifrst));
+
+ fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
+ &frauthstp, &frf);
+ } else
+ ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
+
+ if (opts & OPT_IPSTATES) {
+ showipstates(ipsstp);
+ } else if (opts & OPT_SHOWLIST) {
+ showlist(fiop);
+ if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
+ opts &= ~OPT_OUTQUE;
+ showlist(fiop);
+ }
+ } else {
+ if (opts & OPT_FRSTATES)
+ showfrstates(ifrstp);
+#ifdef STATETOP
+ else if (opts & OPT_STATETOP)
+ topipstates(saddr, daddr, sport, dport,
+ protocol, refreshtime, topclosed);
+#endif
+ else if (opts & OPT_AUTHSTATS)
+ showauthstates(frauthstp);
+ else if (opts & OPT_GROUPS)
+ showgroups(fiop);
+ else
+ showstats(fiop, frf);
+ }
+ return 0;
+}
+
+
+/*
+ * Fill in the stats structures from the live kernel, using a combination
+ * of ioctl's and copying directly from kernel memory.
+ */
+int ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
+char *device;
+friostat_t **fiopp;
+ips_stat_t **ipsstpp;
+ipfrstat_t **ifrstpp;
+fr_authstat_t **frauthstpp;
+u_32_t *frfp;
+{
+ int fd;
+
if ((fd = open(device, O_RDONLY)) < 0) {
perror("open");
exit(-1);
}
- bzero((char *)&fio, sizeof(fio));
- bzero((char *)&ipsst, sizeof(ipsst));
- bzero((char *)&ifrst, sizeof(ifrst));
-
- if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, &fiop) == -1) {
+ if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, fiopp) == -1) {
perror("ioctl(ipf:SIOCGETFS)");
exit(-1);
}
+
if ((opts & OPT_IPSTATES)) {
int sfd = open(IPL_STATE, O_RDONLY);
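Review bot: Passing `-M corefile` without `-N` sets `live_kernel = 0` but leaves `kern` NULL, so `ipfstate_dead(kern, ...)` goes on to call `nlist(NULL, deadlist)`; showqiflist() defaults a NULL kern to "/dev/ksyms" but this path has no such fallback, and the old code never reached nlist() here. Either apply the same default that openkmem() presumably applies (I cannot see it from here) before the call, or reject the combination with a clear message: `if (kern == NULL) { fprintf(stderr, "-M requires -N\n"); exit(1); }`. The `fd` returned by ipfstate_live() is stored but never used afterwards in main(); if nothing else consumes it, the return value and the variable can go. ipfstate_live() continues past the end of this hunk.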
@@ -376,64 +417,237 @@ char *argv[];
perror("open");
exit(-1);
}
- if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) {
+ if ((ioctl(sfd, SIOCGETFS, ipsstpp) == -1)) {
perror("ioctl(state:SIOCGETFS)");
exit(-1);
}
close(sfd);
}
- if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrstp) == -1)) {
+ if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, ifrstpp) == -1)) {
perror("ioctl(SIOCGFRST)");
exit(-1);
}
if (opts & OPT_VERBOSE)
- PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
+ PRINTF("opts %#x name %s\n", opts, device);
if ((opts & OPT_AUTHSTATS) &&
- (ioctl(fd, SIOCATHST, &frauthstp) == -1)) {
+ (ioctl(fd, SIOCATHST, frauthstpp) == -1)) {
perror("ioctl(SIOCATHST)");
exit(-1);
}
- if (opts & OPT_IPSTATES) {
- showipstates(fd, ipsstp);
- } else if (opts & OPT_SHOWLIST) {
- showlist(&fio);
- if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
- opts &= ~OPT_OUTQUE;
- showlist(&fio);
- }
- } else {
- if (opts & OPT_FRSTATES)
- showfrstates(fd, ifrstp);
-#ifdef STATETOP
- else if (opts & OPT_STATETOP)
- topipstates(fd, saddr, daddr, sport, dport,
- protocol, refreshtime, topclosed);
-#endif
- else if (opts & OPT_AUTHSTATS)
- showauthstates(fd, frauthstp);
- else if (opts & OPT_GROUPS)
- showgroups(&fio);
- else
- showstats(fd, &fio);
+ if (ioctl(fd, SIOCGETFF, frfp) == -1)
+ perror("ioctl(SIOCGETFF)");
+
+ return fd;
+}
+
+
+/*
+ * Build up the stats structures from data held in the "core" memory.
+ * This is mainly useful when looking at data in crash dumps and ioctl's
+ * just won't work any more.
+ */
+void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
+char *kernel;
+friostat_t **fiopp;
+ips_stat_t **ipsstpp;
+ipfrstat_t **ifrstpp;
+fr_authstat_t **frauthstpp;
+u_32_t *frfp;
+{
+ static fr_authstat_t frauthst, *frauthstp;
+ static ips_stat_t ipsst, *ipsstp;
+ static ipfrstat_t ifrst, *ifrstp;
+ static friostat_t fio, *fiop;
+
+ void *rules[2][2];
+ struct nlist deadlist[42] = {
+ { "fr_authstats" }, /* 0 */
+ { "fae_list" },
+ { "ipauth" },
+ { "fr_authlist" },
+ { "fr_authstart" },
+ { "fr_authend" }, /* 5 */
+ { "fr_authnext" },
+ { "fr_auth" },
+ { "fr_authused" },
+ { "fr_authsize" },
+ { "fr_defaultauthage" }, /* 10 */
+ { "fr_authpkts" },
+ { "fr_auth_lock" },
+ { "frstats" },
+ { "ips_stats" },
+ { "ips_num" }, /* 15 */
+ { "ips_wild" },
+ { "ips_list" },
+ { "ips_table" },
+ { "fr_statemax" },
+ { "fr_statesize" }, /* 20 */
+ { "fr_state_doflush" },
+ { "fr_state_lock" },
+ { "ipfr_heads" },
+ { "ipfr_nattab" },
+ { "ipfr_stats" }, /* 25 */
+ { "ipfr_inuse" },
+ { "fr_ipfrttl" },
+ { "fr_frag_lock" },
+ { "ipfr_timer_id" },
+ { "fr_nat_lock" }, /* 30 */
+ { "ipfilter" },
+ { "ipfilter6" },
+ { "ipacct" },
+ { "ipacct6" },
+ { "ipl_frouteok" }, /* 35 */
+ { "fr_running" },
+ { "ipfgroups" },
+ { "fr_active" },
+ { "fr_pass" },
+ { "fr_flags" }, /* 40 */
+ { NULL }
+ };
+
+
+ frauthstp = &frauthst;
+ ipsstp = &ipsst;
+ ifrstp = &ifrst;
+ fiop = &fio;
+
+ *frfp = 0;
+ *fiopp = fiop;
+ *ipsstpp = ipsstp;
+ *ifrstpp = ifrstp;
+ *frauthstpp = frauthstp;
+
+ bzero((char *)fiop, sizeof(*fiop));
+ bzero((char *)ipsstp, sizeof(*ipsstp));
+ bzero((char *)ifrstp, sizeof(*ifrstp));
+ bzero((char *)frauthstp, sizeof(*frauthstp));
+
+ if (nlist(kernel, deadlist) == -1) {
+ fprintf(stderr, "nlist error\n");
+ return;
}
- return 0;
+
+ /*
+ * This is for SIOCGETFF.
+ */
+ kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
+
+ /*
+ * f_locks is a combination of the lock variable from each part of
+ * ipfilter (state, auth, nat, fragments).
+ */
+ kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
+ kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
+ sizeof(fiop->f_locks[0]));
+ kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
+ sizeof(fiop->f_locks[1]));
+ kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
+ sizeof(fiop->f_locks[2]));
+ kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
+ sizeof(fiop->f_locks[3]));
+
+ /*
+ * Get pointers to each list of rules (active, inactive, in, out)
+ */
+ kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
+ fiop->f_fin[0] = rules[0][0];
+ fiop->f_fin[1] = rules[0][1];
+ fiop->f_fout[0] = rules[1][0];
+ fiop->f_fout[1] = rules[1][1];
+
+ /*
+ * Same for IPv6, except make them null if support for it is not
+ * being compiled in.
+ */
+#ifdef USE_INET6
+ kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
+ fiop->f_fin6[0] = rules[0][0];
+ fiop->f_fin6[1] = rules[0][1];
+ fiop->f_fout6[0] = rules[1][0];
+ fiop->f_fout6[1] = rules[1][1];
+#else
+ fiop->f_fin6[0] = NULL;
+ fiop->f_fin6[1] = NULL;
+ fiop->f_fout6[0] = NULL;
+ fiop->f_fout6[1] = NULL;
+#endif
+
+ /*
+ * Now get accounting rules pointers.
+ */
+ kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
+ fiop->f_acctin[0] = rules[0][0];
+ fiop->f_acctin[1] = rules[0][1];
+ fiop->f_acctout[0] = rules[1][0];
+ fiop->f_acctout[1] = rules[1][1];
+
+#ifdef USE_INET6
+ kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
+ fiop->f_acctin6[0] = rules[0][0];
+ fiop->f_acctin6[1] = rules[0][1];
+ fiop->f_acctout6[0] = rules[1][0];
+ fiop->f_acctout6[1] = rules[1][1];
+#else
+ fiop->f_acctin6[0] = NULL;
+ fiop->f_acctin6[1] = NULL;
+ fiop->f_acctout6[0] = NULL;
+ fiop->f_acctout6[1] = NULL;
+#endif
+
+ /*
+ * A collection of "global" variables used inside the kernel which
+ * are all collected in friostat_t via ioctl.
+ */
+ kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
+ sizeof(fiop->f_froute));
+ kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
+ sizeof(fiop->f_running));
+ kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
+ sizeof(fiop->f_groups));
+ kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
+ sizeof(fiop->f_active));
+ kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
+ sizeof(fiop->f_defpass));
+
+ /*
+ * Build up the state information stats structure.
+ */
+ kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
+ kmemcpy((char *)&ipsstp->iss_active, (u_long)deadlist[15].n_value,
+ sizeof(ipsstp->iss_active));
+ ipsstp->iss_table = (void *)deadlist[18].n_value;
+ ipsstp->iss_list = (void *)deadlist[17].n_value;
+
+ /*
+ * Build up the authentiation information stats structure.
+ */
+ kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
+ sizeof(*frauthstp));
+ frauthstp->fas_faelist = (void *)deadlist[1].n_value;
+
+ /*
+ * Build up the fragment information stats structure.
+ */
+ kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
+ sizeof(*ifrstp));
+ ifrstp->ifs_table = (void *)deadlist[23].n_value;
+ ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
+ kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
+ sizeof(ifrstp->ifs_inuse));
}
/*
- * read the kernel stats for packets blocked and passed
+ * Display the kernel stats for packets blocked and passed and other
+ * associated running totals which are kept.
*/
-static void showstats(fd, fp)
-int fd;
+static void showstats(fp, frf)
struct friostat *fp;
+u_32_t frf;
{
- u_32_t frf = 0;
-
- if (ioctl(fd, SIOCGETFF, &frf) == -1)
- perror("ioctl(SIOCGETFF)");
#if SOLARIS
PRINTF("dropped packets:\tin %lu\tout %lu\n",
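Review bot: The second lock copy in ipfstate_dead(), `kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value, sizeof(fiop->f_locks[1]));`, overwrites f_locks[0] (just filled from fr_state_lock) with fr_nat_lock and leaves f_locks[1] at the bzero'd zero; the destination should be `&fiop->f_locks[1]`. Separately, none of the kmemcpy() calls in this function check their return value, unlike showipstates() and showfrstates() which bail on failure, and nlist() returns -1 only when the file cannot be read while an unresolved symbol merely gets `n_value == 0`; so a crash dump from a kernel missing one of these 41 symbols silently yields a zeroed or partially filled stats struct that showstats() then prints as real data. At minimum check each kmemcpy() result (or the relevant `n_value`) and report which symbol could not be read. The hard-coded indices into deadlist[] are fragile; an enum of symbol names would make the mapping self-checking.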
@@ -505,6 +719,9 @@ struct friostat *fp;
}
+/*
+ * Print out a list of rules from the kernel, starting at the one passed.
+ */
static void printlist(fp)
frentry_t *fp;
{
@@ -543,7 +760,8 @@ frentry_t *fp;
}
/*
- * print out filter rule list
+ * print out all of the asked for rule sets, using the stats struct as
+ * the base from which to get the pointers.
*/
static void showlist(fiop)
struct friostat *fiop;
@@ -598,12 +816,17 @@ struct friostat *fiop;
}
-static void showipstates(fd, ipsp)
-int fd;
+/*
+ * Display ipfilter stateful filtering information
+ */
+static void showipstates(ipsp)
ips_stat_t *ipsp;
{
- ipstate_t *istab[IPSTATE_SIZE], ips;
+ ipstate_t *istab[IPSTATE_SIZE];
+ /*
+ * If a list of states hasn't been asked for, only print out stats
+ */
if (!(opts & OPT_SHOWLIST)) {
PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
@@ -619,116 +842,20 @@ ips_stat_t *ipsp;
if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
return;
- while (ipsp->iss_list) {
- if (kmemcpy((char *)&ips, (u_long)ipsp->iss_list, sizeof(ips)))
- break;
- ipsp->iss_list = ips.is_next;
- PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
- PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
- hostname(ips.is_v, &ips.is_dst.in4),
- ips.is_age, ips.is_pass, ips.is_p,
- ips.is_state[0], ips.is_state[1]);
-#ifdef USE_QUAD_T
- PRINTF("\tpkts %qu bytes %qu",
- (unsigned long long) ips.is_pkts,
- (unsigned long long) ips.is_bytes);
-#else
- PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
-#endif
- if (ips.is_p == IPPROTO_TCP)
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- (__FreeBSD_version >= 220000) || defined(__OpenBSD__)
- PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
-#else
- PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
-#endif
- else if (ips.is_p == IPPROTO_UDP)
- PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
- ntohs(ips.is_dport));
- else if (ips.is_p == IPPROTO_ICMP
-#ifdef USE_INET6
- || ips.is_p == IPPROTO_ICMPV6
-#endif
- )
- PRINTF(" %hu %hu %d", ips.is_icmp.ics_id,
- ips.is_icmp.ics_seq, ips.is_icmp.ics_type);
-
- PRINTF("\n\t");
-
- if (ips.is_pass & FR_PASS) {
- PRINTF("pass");
- } else if (ips.is_pass & FR_BLOCK) {
- PRINTF("block");
- switch (ips.is_pass & FR_RETMASK)
- {
- case FR_RETICMP :
- PRINTF(" return-icmp");
- break;
- case FR_FAKEICMP :
- PRINTF(" return-icmp-as-dest");
- break;
- case FR_RETRST :
- PRINTF(" return-rst");
- break;
- default :
- break;
- }
- } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
- PRINTF("log");
- if (ips.is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (ips.is_pass & FR_LOGFIRST)
- PRINTF(" first");
- } else if (ips.is_pass & FR_ACCOUNT)
- PRINTF("count");
-
- if (ips.is_pass & FR_OUTQUE)
- PRINTF(" out");
- else
- PRINTF(" in");
-
- if ((ips.is_pass & FR_LOG) != 0) {
- PRINTF(" log");
- if (ips.is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (ips.is_pass & FR_LOGFIRST)
- PRINTF(" first");
- if (ips.is_pass & FR_LOGORBLOCK)
- PRINTF(" or-block");
- }
- if (ips.is_pass & FR_QUICK)
- PRINTF(" quick");
- if (ips.is_pass & FR_KEEPFRAG)
- PRINTF(" keep frags");
- /* a given; no? */
- if (ips.is_pass & FR_KEEPSTATE)
- PRINTF(" keep state");
- PRINTF("\tIPv%d", ips.is_v);
- PRINTF("\n");
-
- PRINTF("\tpkt_flags & %x(%x) = %x,\t",
- ips.is_flags & 0xf, ips.is_flags,
- ips.is_flags >> 4);
- PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
- ips.is_opt);
- PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- ips.is_secmsk, ips.is_sec, ips.is_authmsk,
- ips.is_auth);
- PRINTF("\tinterfaces: in %s[%p] ",
- get_ifname(ips.is_ifpin), ips.is_ifpin);
- PRINTF("out %s[%p]\n",
- get_ifname(ips.is_ifpout), ips.is_ifpout);
+ /*
+ * Print out all the state information currently held in the kernel.
+ */
+ while (ipsp->iss_list != NULL) {
+ ipsp->iss_list = printstate(ipsp->iss_list, opts);
}
}
#if SOLARIS
+/*
+ * Displays the list of interfaces of which IPFilter has taken control in
+ * Solaris.
+ */
void showqiflist(kern)
char *kern;
{
@@ -737,6 +864,7 @@ char *kern;
{ NULL }
};
qif_t qif, *qf;
+ ill_t ill;
if (kern == NULL)
kern = "/dev/ksyms";
@@ -752,24 +880,27 @@ char *kern;
while (qf) {
if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
break;
- printf("\tName: %-8s Header Length: %2d SAP: %s (%04x)\n",
+ if (kmemcpy((char *)&ill, (u_long)qif.qf_ill, sizeof(ill)))
+ ill.ill_ppa = -1;
+ printf("Name: %-8s Header Length: %2d SAP: %s (%04x) PPA %d",
qif.qf_name, qif.qf_hl,
#ifdef IP6_DL_SAP
(qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
#else
"IPv4"
#endif
- , qif.qf_sap);
+ , qif.qf_sap, ill.ill_ppa);
+ printf(" %ld %ld", qif.qf_incnt, qif.qf_outcnt);
qf = qif.qf_next;
+ putchar('\n');
}
}
#endif
#ifdef STATETOP
-static void topipstates(fd, saddr, daddr, sport, dport, protocol,
+static void topipstates(saddr, daddr, sport, dport, protocol,
refreshtime, topclosed)
-int fd;
struct in_addr saddr;
struct in_addr daddr;
int sport;
@@ -841,8 +972,8 @@ int topclosed;
((dport < 0) ||
(htons(dport) == ips.is_dport)))) &&
(topclosed || (ips.is_p != IPPROTO_TCP) ||
- (ips.is_state[0] < TCPS_CLOSE_WAIT) ||
- (ips.is_state[1] < TCPS_CLOSE_WAIT))) {
+ (ips.is_state[0] < TCPS_LAST_ACK) ||
+ (ips.is_state[1] < TCPS_LAST_ACK))) {
/*
* if necessary make room for this state
* entry
@@ -899,6 +1030,14 @@ int topclosed;
qsort(tstable, tsentry + 1,
sizeof(statetop_t), sort_ttl);
break;
+ case STSORT_SRCIP:
+ qsort(tstable, tsentry + 1,
+ sizeof(statetop_t), sort_srcip);
+ break;
+ case STSORT_DSTIP:
+ qsort(tstable, tsentry + 1,
+ sizeof(statetop_t), sort_dstip);
+ break;
default:
break;
}
@@ -957,6 +1096,12 @@ int topclosed;
case STSORT_TTL:
sprintf(str4, "ttl");
break;
+ case STSORT_SRCIP:
+ sprintf(str4, "srcip");
+ break;
+ case STSORT_DSTIP:
+ sprintf(str4, "dstip");
+ break;
default:
sprintf(str4, "unknown");
break;
@@ -1079,14 +1224,20 @@ int topclosed;
}
#endif
-static void showfrstates(fd, ifsp)
-int fd;
+
+/*
+ * Show fragment cache information that's held in the kernel.
+ */
+static void showfrstates(ifsp)
ipfrstat_t *ifsp;
{
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
frentry_t fr;
int i;
+ /*
+ * print out the numeric statistics
+ */
PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
PRINTF("\t%lu no memory\n\t%lu already exist\n",
@@ -1094,6 +1245,10 @@ ipfrstat_t *ifsp;
PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
return;
+
+ /*
+ * Print out the contents (if any) of the fragment cache table.
+ */
for (i = 0; i < IPFT_SIZE; i++)
while (ipfrtab[i]) {
if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
@@ -1129,8 +1284,10 @@ ipfrstat_t *ifsp;
}
-static void showauthstates(fd, asp)
-int fd;
+/*
+ * Show stats on how auth within IPFilter has been used
+ */
+static void showauthstates(asp)
fr_authstat_t *asp;
{
frauthent_t *frap, fra;
@@ -1161,63 +1318,10 @@ fr_authstat_t *asp;
}
-static char *get_ifname(ptr)
-void *ptr;
-{
-#if SOLARIS
- char *ifname;
- ill_t ill;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
- return "X";
- ifname = malloc(ill.ill_name_length + 1);
- if (kmemcpy(ifname, (u_long)ill.ill_name,
- ill.ill_name_length) == -1)
- return "X";
- return ifname;
-#else
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__)
-#else
- char buf[32];
- int len;
-# endif
- struct ifnet netif;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__)
- return strdup(netif.if_xname);
-# else
- if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-# endif
-#endif
-}
-
-
+/*
+ * Display groups used for each of filter rules, accounting rules and
+ * authentication, separately.
+ */
static void showgroups(fiop)
struct friostat *fiop;
{
@@ -1370,4 +1474,32 @@ const void *b;
return 1;
return -1;
}
+
+static int sort_srcip(a, b)
+const void *a;
+const void *b;
+{
+ register const statetop_t *ap = a;
+ register const statetop_t *bp = b;
+
+ if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr))
+ return 0;
+ else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr))
+ return 1;
+ return -1;
+}
+
+static int sort_dstip(a, b)
+const void *a;
+const void *b;
+{
+ register const statetop_t *ap = a;
+ register const statetop_t *bp = b;
+
+ if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr))
+ return 0;
+ else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr))
+ return 1;
+ return -1;
+}
#endif
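Review bot: sort_srcip() and sort_dstip() compare only `st_src.in4.s_addr` / `st_dst.in4.s_addr`; if st_src is the same address union used elsewhere in ipfilter (the `.in4` member suggests it, but I cannot see the statetop_t definition from here) then IPv6 entries are ordered by their first 32 bits only, which should either be documented or handled by checking the address family first. Each comparator also evaluates ntohl() on the same field up to four times; hoisting the two values makes the intent clearer: `u_32_t sa = ntohl(ap->st_src.in4.s_addr), sb = ntohl(bp->st_src.in4.s_addr); if (sa == sb) return 0; return (sa > sb) ? 1 : -1;`, and likewise for the destination comparator.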
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c
index 03bcf23..e940280 100644
--- a/contrib/ipfilter/inet_addr.c
+++ b/contrib/ipfilter/inet_addr.c
@@ -65,7 +65,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.1 2001/07/15 22:06:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.2 2002/02/22 15:32:46 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@@ -182,7 +182,8 @@ inet_aton(cp, addr)
* Ascii internet address interpretation routine.
* The value returned is in network order.
*/
-#if defined(SOLARIS2) && (SOLARIS2 > 5)
+#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \
+ (defined(IRIX) && (IRIX >= 605))
in_addr_t
#else
u_long
diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c
index 14e6b42..4393c3b 100644
--- a/contrib/ipfilter/ip_lfil.c
+++ b/contrib/ipfilter/ip_lfil.c
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.4 2002/03/06 09:44:11 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@@ -16,7 +16,6 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 da
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/time.h>
-#include <sys/uio.h>
#include <sys/dir.h>
#include <sys/socket.h>
#ifndef _KERNEL
@@ -42,8 +41,8 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 da
#include "netinet/ip_compat.h"
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
+#include "netinet/ip_proxy.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index 26ef65f..e134f65 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.12 2001/07/18 14:57:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -375,14 +375,14 @@ caddr_t data;
{
register frentry_t *fp, *f, **fprev;
register frentry_t **ftail;
- frentry_t fr;
- frdest_t *fdp;
frgroup_t *fg = NULL;
- u_int *p, *pp;
- int error = 0, in;
+ int error = 0, in, i;
+ u_int *p, *pp;
+ frdest_t *fdp;
+ frentry_t fr;
u_32_t group;
- ill_t *ill;
ipif_t *ipif;
+ ill_t *ill;
ire_t *ire;
fp = &fr;
@@ -448,11 +448,16 @@ caddr_t data;
bzero((char *)frcache, sizeof(frcache[0]) * 2);
- if (*fp->fr_ifname) {
- fp->fr_ifa = (void *)get_unit((char *)fp->fr_ifname,
- (int)fp->fr_v);
- if (!fp->fr_ifa)
- fp->fr_ifa = (struct ifnet *)-1;
+ for (i = 0; i < 4; i++) {
+ if ((fp->fr_ifnames[i][1] == '\0') &&
+ ((fp->fr_ifnames[i][0] == '-') ||
+ (fp->fr_ifnames[i][0] == '*'))) {
+ fp->fr_ifas[i] = NULL;
+ } else if (*fp->fr_ifnames[i]) {
+ fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
+ if (!fp->fr_ifas[i])
+ fp->fr_ifas[i] = (void *)-1;
+ }
}
fdp = &fp->fr_dif;
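Review bot: `GETUNIT(fp->fr_ifnames[i], fp->fr_v)` is handed the interface name straight from the ioctl payload; the copy-in that fills `fr` happens earlier in this function, outside the hunk, so I cannot tell whether each fr_ifnames[i] is guaranteed NUL-terminated, and if it is not the name lookup can read past the array. Forcing termination before the lookup is cheap: `fp->fr_ifnames[i][sizeof(fp->fr_ifnames[i]) - 1] = '\0';`. The loop bound `4` is a magic number tied to the size of fr_ifnames/fr_ifas; derive it from the array, e.g. `sizeof(fp->fr_ifnames) / sizeof(fp->fr_ifnames[0])`, so the two cannot drift apart.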
@@ -583,6 +588,7 @@ caddr_t data;
fixskip(fprev, f, -1);
*ftail = f->fr_next;
f->fr_next = NULL;
+ f->fr_ref--;
if (f->fr_ref == 0)
KFREE(f);
}
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index 4d25fce..b983781 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -12,6 +12,9 @@
# endif
# endif
#endif
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
@@ -47,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.10 2001/07/18 11:34:19 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $";
#endif
#if SOLARIS
@@ -64,9 +67,7 @@ void zerostats __P((void));
int main __P((int, char *[]));
int opts = 0;
-#ifdef USE_INET6
int use_inet6 = 0;
-#endif
static int fd = -1;
@@ -105,11 +106,9 @@ char *argv[];
while ((c = getopt(argc, argv, OPTS)) != -1) {
switch (c)
{
-#ifdef USE_INET6
case '6' :
use_inet6 = 1;
break;
-#endif
case 'A' :
opts &= ~OPT_INACTIVE;
break;
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
index e7a70ca..e9c3a02 100644
--- a/contrib/ipfilter/ipf.h
+++ b/contrib/ipfilter/ipf.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 2.9.2.3 2001/06/26 10:43:18 darrenr Exp $
+ * $Id: ipf.h,v 2.9.2.6 2002/01/03 08:00:12 darrenr Exp $
*/
#ifndef __IPF_H__
@@ -38,6 +38,7 @@
#define OPT_STATETOP 0x400000
#define OPT_FLUSH 0x800000
#define OPT_CLEAR 0x1000000
+#define OPT_HEX 0x2000000
#define OPT_NODO 0x80000000
#define OPT_STAT OPT_FRSTATES
@@ -52,7 +53,10 @@
# endif
#endif
+struct ipstate;
struct frpcmp;
+struct ipnat;
+struct nat;
#ifdef ultrix
extern char *strdup __P((char *));
@@ -90,9 +94,15 @@ extern int genmask __P((char *, u_32_t *));
extern int hostnum __P((u_32_t *, char *, int));
extern u_32_t optname __P((char ***, u_short *, int));
extern void printpacket __P((ip_t *));
+extern void printpacket6 __P((ip_t *));
extern void printportcmp __P((int, struct frpcmp *));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
extern void printbuf __P((char *, int, int));
+extern char *hostname __P((int, void *));
+extern struct ipstate *printstate __P((struct ipstate *, int));
+extern void printnat __P((struct ipnat *, int));
+extern void printactivenat __P((struct nat *, int));
+
#if SOLARIS
extern int inet_aton __P((const char *, struct in_addr *));
extern int gethostname __P((char *, int ));
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index baf3d1c..b111bfd 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -45,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.7 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@@ -237,13 +237,13 @@ char *argv[];
opts |= OPT_DONOTHING;
break;
case 'N' :
- if ((ns > 0) || dirname || (rw != -1) || set)
+ if ((ns >= 0) || dirname || (rw != -1) || set)
usage();
ns = 0;
set = 1;
break;
case 'r' :
- if ((ns > 0) || dirname || (rw != -1))
+ if ((ns >= 0) || dirname || (rw != -1))
usage();
rw = 0;
set = 1;
@@ -253,7 +253,7 @@ char *argv[];
set = 1;
break;
case 'S' :
- if ((ns > 0) || dirname || (rw != -1) || set)
+ if ((ns >= 0) || dirname || (rw != -1) || set)
usage();
ns = 1;
set = 1;
@@ -268,7 +268,7 @@ char *argv[];
opts |= OPT_VERBOSE;
break;
case 'w' :
- if ((ns > 0) || dirname || (rw != -1) || (ns == -1))
+ if (dirname || (rw != -1) || (ns == -1))
usage();
rw = 1;
set = 1;
@@ -283,7 +283,7 @@ char *argv[];
}
if (ifs) {
- if (!filename || ns<0)
+ if (!filename || ns < 0)
usage();
if (ns == 0)
return changenatif(ifs, filename);
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
index 0cb4623..8344d5f 100644
--- a/contrib/ipfilter/ipft_ef.c
+++ b/contrib/ipfilter/ipft_ef.c
@@ -17,6 +17,9 @@ etherfind -n -t
0.32 91 04 131.170.1.10 128.250.133.13
0.33 566 udp 128.250.37.155 128.250.133.3 901 901
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@@ -49,7 +52,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $";
#endif
static int etherf_open __P((char *));
diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c
index 2be1698..2ce2335 100644
--- a/contrib/ipfilter/ipft_hx.c
+++ b/contrib/ipfilter/ipft_hx.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
@@ -40,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.5 2002/02/22 15:32:54 darrenr Exp $";
#endif
extern int opts;
@@ -91,6 +94,14 @@ int cnt, *dir;
char line[513];
ip_t *ip;
+ /*
+ * interpret start of line as possibly "[ifname]" or
+ * "[in/out,ifname]".
+ */
+ if (ifn)
+ *ifn = NULL;
+ if (dir)
+ *dir = 0;
ip = (ip_t *)buf;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = index(line, '\n'))) {
@@ -107,21 +118,14 @@ int cnt, *dir;
fflush(stdout);
}
- /*
- * interpret start of line as possibly "[ifname]" or
- * "[in/out,ifname]".
- */
- if (ifn)
- *ifn = NULL;
- if (dir)
- *dir = 0;
- if ((*buf == '[') && (s = index(line, ']'))) {
- t = buf + 1;
- if (t - s > 0) {
+ if ((*line == '[') && (s = index(line, ']'))) {
+ t = line + 1;
+ if (s - t > 0) {
+ *s++ = '\0';
if ((u = index(t, ',')) && (u < s)) {
u++;
if (ifn)
- *ifn = u;
+ *ifn = strdup(u);
if (dir) {
if (*t == 'i')
*dir = 0;
@@ -130,7 +134,6 @@ int cnt, *dir;
}
} else if (ifn)
*ifn = t;
- *s++ = '\0';
}
} else
s = line;
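Review bot: The comma branch now hands back `strdup(u)`, but the `else if (ifn) *ifn = t;` branch still returns `t`, a pointer into this function's local `line[513]`, so a plain `[ifname]` line gives the caller a pointer that dangles once the function returns, and a caller that frees the name on the assumption it is heap-allocated (ipt.c in this same patch does `free(iface)` whenever it differs from its default) ends up freeing stack memory. Make the two branches agree: `*ifn = strdup(t);`. Both strdup() results should also be checked for NULL before the caller dereferences them. The enclosing read function starts before this hunk.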
diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c
index eced91f..8b80fec 100644
--- a/contrib/ipfilter/ipft_pc.c
+++ b/contrib/ipfilter/ipft_pc.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@@ -31,7 +34,7 @@
#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
#endif
struct llc {
diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c
index 1b5e219..1a8f5a2 100644
--- a/contrib/ipfilter/ipft_sn.c
+++ b/contrib/ipfilter/ipft_sn.c
@@ -7,6 +7,9 @@
/*
* Written to comply with the recent RFC 1761 from Sun.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@@ -35,7 +38,7 @@
#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
#endif
struct llc {
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
index 5f470ee..253aa86 100644
--- a/contrib/ipfilter/ipft_td.c
+++ b/contrib/ipfilter/ipft_td.c
@@ -26,6 +26,9 @@ tcpdump -nqte
8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__GNUC__)
@@ -58,7 +61,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $";
#endif
static int tcpd_open __P((char *));
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index 1e650f5..f61b0d0 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
@@ -41,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.4 2001/06/26 10:43:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $";
#endif
extern int opts;
@@ -261,7 +264,7 @@ int *out;
tx_proto = "udp";
} else {
ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += sizeof(struct icmp);
+ ip->ip_len += ICMPERR_IPICMPHLEN;
tx_proto = "icmp";
}
cpp++;
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index b8cb37e..e19edb8 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -1,10 +1,13 @@
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@@ -39,10 +42,12 @@
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
+#include <nlist.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
#include "ipf.h"
#include "kmem.h"
@@ -55,32 +60,32 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.9 2001/07/18 15:06:33 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp $";
#endif
#if SOLARIS
#define bzero(a,b) memset(a,0,b)
#endif
-#ifdef USE_INET6
int use_inet6 = 0;
-#endif
-
-static char thishost[MAXHOSTNAMELEN];
-
+char thishost[MAXHOSTNAMELEN];
extern char *optarg;
extern ipnat_t *natparse __P((char *, int));
extern void natparsefile __P((int, char *, int));
-extern void printnat __P((ipnat_t *, int, void *));
+extern void printnat __P((ipnat_t *, int));
+extern void printactivenat __P((nat_t *, int));
+extern void printhostmap __P((hostmap_t *, u_int));
+extern char *getsumd __P((u_32_t));
-void dostats __P((int, int)), flushtable __P((int, int));
+void dostats __P((natstat_t *, int)), flushtable __P((int, int));
void usage __P((char *));
int countbits __P((u_32_t));
char *getnattype __P((ipnat_t *));
int main __P((int, char*[]));
void printaps __P((ap_session_t *, int));
-char *getsumd __P((u_32_t));
+void showhostmap __P((natstat_t *nsp));
+void natstat_dead __P((natstat_t *, char *));
void usage(name)
@@ -91,27 +96,22 @@ char *name;
}
-char *getsumd(sum)
-u_32_t sum;
-{
- static char sumdbuf[17];
-
- if (sum & NAT_HW_CKSUM)
- sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
- else
- sprintf(sumdbuf, "%#0x", sum);
- return sumdbuf;
-}
-
-
int main(argc, argv)
int argc;
char *argv[];
{
- int fd = -1, opts = 0, c, mode = O_RDWR;
- char *file = NULL, *core = NULL;
+ natstat_t ns, *nsp = &ns;
+ char *file, *core, *kernel;
+ int fd, opts, c, mode;
+
+ fd = -1;
+ opts = 0;
+ file = NULL;
+ core = NULL;
+ kernel = NULL;
+ mode = O_RDWR;
- while ((c = getopt(argc, argv, "CdFf:hlM:nrsv")) != -1)
+ while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1)
switch (c)
{
case 'C' :
@@ -136,6 +136,9 @@ char *argv[];
case 'M' :
core = optarg;
break;
+ case 'N' :
+ kernel = optarg;
+ break;
case 'n' :
opts |= OPT_NODO;
mode = O_RDONLY;
@@ -154,21 +157,40 @@ char *argv[];
usage(argv[0]);
}
- if (core != NULL) {
- if (openkmem(core) == -1)
- exit(1);
+ if ((kernel != NULL) || (core != NULL)) {
(void) setgid(getgid());
(void) setuid(getuid());
}
+ bzero((char *)&ns, sizeof(ns));
+
gethostname(thishost, sizeof(thishost));
thishost[sizeof(thishost) - 1] = '\0';
- if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, mode)) == -1) &&
- ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
- (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
- STRERROR(errno));
- exit(-1);
+ if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) {
+ if (openkmem(kernel, core) == -1)
+ exit(1);
+
+ if (((fd = open(IPL_NAT, mode)) == -1) &&
+ ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
+ (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
+ STRERROR(errno));
+ exit(1);
+ }
+ if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
+ perror("ioctl(SIOCGNATS)");
+ exit(1);
+ }
+ (void) setgid(getgid());
+ (void) setuid(getuid());
+ } else if ((kernel != NULL) || (core != NULL)) {
+ if (openkmem(kernel, core) == -1)
+ exit(1);
+
+ natstat_dead(nsp, kernel);
+ if (opts & (OPT_LIST|OPT_STAT))
+ dostats(nsp, opts);
+ exit(0);
}
if (opts & (OPT_FLUSH|OPT_CLEAR))
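Review bot: The privilege drop is skipped entirely on the `-n` path: with OPT_NODO set and neither `-N` nor `-M` given, neither branch runs, so setgid()/setuid() are never called and the user-supplied `-f` file is later handed to natparsefile() with whatever privilege ipnat was started with (the explicit drops suggest it is meant to run with extra privilege). The drops that do run also discard their return values with `(void)`, so a failed setuid() silently leaves the process privileged while it goes on to read files named on the command line; the `-N`/`-M` branch at least drops before openkmem() sees the user path, which is the right order. Suggest one checked helper used in both places, e.g. `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("drop privileges"); exit(1); }`, called unconditionally once the live-kernel setup is done rather than only inside the two branches. The enclosing main() continues outside this hunk.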
@@ -176,172 +198,113 @@ char *argv[];
if (file)
natparsefile(fd, file, opts);
if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, opts);
+ dostats(nsp, opts);
return 0;
}
-void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
+/*
+ * Read nat statistic information in using a symbol table and memory file
+ * rather than doing ioctl's.
+ */
+void natstat_dead(nsp, kernel)
+natstat_t *nsp;
+char *kernel;
{
- ap_session_t ap;
- ftpinfo_t ftp;
- aproxy_t apr;
- raudio_t ra;
-
- if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
- return;
- if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
+ struct nlist nat_nlist[10] = {
+ { "nat_table" }, /* 0 */
+ { "nat_list" },
+ { "maptable" },
+ { "ipf_nattable_sz" },
+ { "ipf_natrules_sz" },
+ { "ipf_rdrrules_sz" }, /* 5 */
+ { "ipf_hostmap_sz" },
+ { "nat_instances" },
+ { "ap_sess_list" },
+ { NULL }
+ };
+ void *tables[2];
+
+ if (nlist(kernel, nat_nlist) == -1) {
+ fprintf(stderr, "nlist error\n");
return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
- apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
-#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
- (unsigned long long)ap.aps_pkts);
-#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
-#endif
- printf(" data %p psiz %d\n", ap.aps_data, ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
- ap.aps_state[0], ap.aps_state[1],
- ap.aps_sel[0], ap.aps_sel[1]);
-#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
- (__FreeBSD_version >= 300000) || defined(OpenBSD)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#endif
}
- if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
- if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
- return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
- ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
- ra.rap_plport, ra.rap_prport, ra.rap_srport);
- } else if (!strcmp(apr.apr_label, "ftp") &&
- (ap.aps_psiz == sizeof(ftp))) {
- if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
- return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
- ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
- ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
- ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr,
- ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
- ftp.ftp_side[0].ftps_junk);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
- ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr,
- ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
- ftp.ftp_side[1].ftps_junk);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
- }
+ /*
+ * Normally the ioctl copies all of these values into the structure
+ * for us, before returning it to useland, so here we must copy each
+ * one in individually.
+ */
+ kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
+ nsp->ns_table[0] = tables[0];
+ nsp->ns_table[1] = tables[1];
+
+ kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
+ sizeof(nsp->ns_list));
+ kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
+ sizeof(nsp->ns_maptable));
+ kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
+ sizeof(nsp->ns_nattab_sz));
+ kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
+ sizeof(nsp->ns_rultab_sz));
+ kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
+ sizeof(nsp->ns_rdrtab_sz));
+ kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
+ sizeof(nsp->ns_hostmap_sz));
+ kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
+ sizeof(nsp->ns_instances));
+ kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
+ sizeof(nsp->ns_apslist));
}
/*
- * Get a nat filter type given its kernel address.
+ * Display NAT statistics.
*/
-char *getnattype(ipnat)
-ipnat_t *ipnat;
-{
- char *which;
- ipnat_t ipnatbuff;
-
- if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
- sizeof(ipnatbuff))))
- return "???";
-
- switch (ipnatbuff.in_redir)
- {
- case NAT_MAP :
- which = "MAP";
- break;
- case NAT_MAPBLK :
- which = "MAP-BLOCK";
- break;
- case NAT_REDIRECT :
- which = "RDR";
- break;
- case NAT_BIMAP :
- which = "BIMAP";
- break;
- default :
- which = "unknown";
- break;
- }
- return which;
-}
-
-
-void dostats(fd, opts)
-int fd, opts;
+void dostats(nsp, opts)
+natstat_t *nsp;
+int opts;
{
- hostmap_t hm, *hmp, **maptable;
- natstat_t ns, *nsp = &ns;
nat_t **nt[2], *np, nat;
- u_int hv, hv1, hv2;
ipnat_t ipn;
- bzero((char *)&ns, sizeof(ns));
-
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &nsp) == -1) {
- perror("ioctl(SIOCGNATS)");
- return;
- }
-
+ /*
+ * Show statistics ?
+ */
if (opts & OPT_STAT) {
printf("mapped\tin\t%lu\tout\t%lu\n",
- ns.ns_mapped[0], ns.ns_mapped[1]);
+ nsp->ns_mapped[0], nsp->ns_mapped[1]);
printf("added\t%lu\texpired\t%lu\n",
- ns.ns_added, ns.ns_expire);
+ nsp->ns_added, nsp->ns_expire);
printf("no memory\t%lu\tbad nat\t%lu\n",
- ns.ns_memfail, ns.ns_badnat);
- printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
- printf("wilds\t%u\n", ns.ns_wilds);
+ nsp->ns_memfail, nsp->ns_badnat);
+ printf("inuse\t%lu\nrules\t%lu\n",
+ nsp->ns_inuse, nsp->ns_rules);
+ printf("wilds\t%u\n", nsp->ns_wilds);
if (opts & OPT_VERBOSE)
- printf("table %p list %p\n", ns.ns_table, ns.ns_list);
+ printf("table %p list %p\n",
+ nsp->ns_table, nsp->ns_list);
}
+
+ /*
+ * Show list of NAT rules and NAT sessions ?
+ */
if (opts & OPT_LIST) {
printf("List of active MAP/Redirect filters:\n");
- while (ns.ns_list) {
- if (kmemcpy((char *)&ipn, (long)ns.ns_list,
+ while (nsp->ns_list) {
+ if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
sizeof(ipn))) {
perror("kmemcpy");
break;
}
if (opts & OPT_HITS)
printf("%d ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE),
- (void *)ns.ns_list);
- ns.ns_list = ipn.in_next;
+ printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+ nsp->ns_list = ipn.in_next;
}
nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
- if (kmemcpy((char *)nt[0], (long)ns.ns_table[0],
+ if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0],
sizeof(**nt) * NAT_SIZE)) {
perror("kmemcpy");
return;
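Review bot: natstat_dead() only treats `nlist() == -1` as failure, but on the BSD libcs nlist() returns the number of symbols it could not resolve (leaving `n_value` 0 for those), so a kernel image missing e.g. `ipf_hostmap_sz` passes the check and the following kmemcpy() calls read from address 0 — and since none of their return values are checked, nsp is silently filled with zeros or garbage that dostats() then dereferences as pointers and uses as table sizes. Tighten the check to `if (nlist(kernel, nat_nlist) != 0) {` and return (ideally naming the missing symbol) on any kmemcpy() that fails, rather than falling through to dostats(). The same hunk also leaves `nt[0] = malloc(...)` in dostats() unchecked before kmemcpy() writes into it. dostats() continues past the end of this hunk.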
@@ -349,89 +312,59 @@ int fd, opts;
printf("\nList of active sessions:\n");
- for (np = ns.ns_instances; np; np = nat.nat_next) {
+ for (np = nsp->ns_instances; np; np = nat.nat_next) {
if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
break;
-
- printf("%s %-15s %-5hu <- ->", getnattype(nat.nat_ptr),
- inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport));
- printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip),
- ntohs(nat.nat_outport));
- printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
- ntohs(nat.nat_oport));
- if (opts & OPT_VERBOSE) {
- printf("\n\tage %lu use %hu sumd %s/",
- nat.nat_age, nat.nat_use,
- getsumd(nat.nat_sumd[0]));
- hv1 = NAT_HASH_FN(nat.nat_inip.s_addr,
- nat.nat_inport,
- 0xffffffff),
- hv1 = NAT_HASH_FN(nat.nat_oip.s_addr,
- hv1 + nat.nat_oport,
- NAT_TABLE_SZ),
- hv2 = NAT_HASH_FN(nat.nat_outip.s_addr,
- nat.nat_outport,
- 0xffffffff),
- hv2 = NAT_HASH_FN(nat.nat_oip.s_addr,
- hv2 + nat.nat_oport,
- NAT_TABLE_SZ),
- printf("%s pr %u bkt %d/%d flags %x ",
- getsumd(nat.nat_sumd[1]), nat.nat_p,
- hv1, hv2, nat.nat_flags);
-#ifdef USE_QUAD_T
- printf("bytes %qu pkts %qu",
- (unsigned long long)nat.nat_bytes,
- (unsigned long long)nat.nat_pkts);
-#else
- printf("bytes %lu pkts %lu",
- nat.nat_bytes, nat.nat_pkts);
-#endif
-#if SOLARIS
- printf(" %lx", nat.nat_ipsumd);
-#endif
- }
- putchar('\n');
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
+ printactivenat(&nat, opts);
}
- if (opts & OPT_VERBOSE) {
- printf("\nList of active host mappings:\n");
-
- maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
- ns.ns_hostmap_sz);
- if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable,
- sizeof(hostmap_t *) * ns.ns_hostmap_sz)) {
- perror("kmemcpy (maptable)");
+ if (opts & OPT_VERBOSE)
+ showhostmap(nsp);
+ free(nt[0]);
+ }
+}
+
+
+/*
+ * display the active host mapping table.
+ */
+void showhostmap(nsp)
+natstat_t *nsp;
+{
+ hostmap_t hm, *hmp, **maptable;
+ u_int hv;
+
+ printf("\nList of active host mappings:\n");
+
+ maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
+ nsp->ns_hostmap_sz);
+ if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
+ sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
+ perror("kmemcpy (maptable)");
+ return;
+ }
+
+ for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
+ hmp = maptable[hv];
+
+ while (hmp) {
+ if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
+ perror("kmemcpy (hostmap)");
return;
}
- for (hv = 0; hv < ns.ns_hostmap_sz; hv++) {
- hmp = maptable[hv];
-
- while(hmp) {
-
- if (kmemcpy((char *)&hm, (u_long)hmp,
- sizeof(hostmap_t))) {
- perror("kmemcpy (hostmap)");
- return;
- }
-
- printf("%s -> ",
- inet_ntoa(hm.hm_realip));
- printf("%s ", inet_ntoa(hm.hm_mapip));
- printf("(use = %d hv = %u)\n",
- hm.hm_ref, hv);
- hmp = hm.hm_next;
- }
- }
- free(maptable);
+ printhostmap(&hm, hv);
+ hmp = hm.hm_next;
}
- free(nt[0]);
}
+ free(maptable);
}
+/*
+ * Issue an ioctl to flush either the NAT rules table or the active mapping
+ * table or both.
+ */
void flushtable(fd, opts)
int fd, opts;
{
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c
index 7a16c5a..920c7e1 100644
--- a/contrib/ipfilter/ipsend/44arp.c
+++ b/contrib/ipfilter/ipsend/44arp.c
@@ -1,6 +1,9 @@
/*
* Based upon 4.4BSD's /usr/sbin/arp
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
index 898815a..307f4cb 100644
--- a/contrib/ipfilter/ipsend/arp.c
+++ b/contrib/ipfilter/ipsend/arp.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
@@ -26,7 +29,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index db6d477..dc2b816 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
@@ -29,7 +32,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.3 2001/07/15 22:00:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.4 2002/02/22 15:32:57 darrenr Exp $";
#endif
static char *ipbuf = NULL, *ethbuf = NULL;
diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c
index 4a4ec1c..ea63ab2 100644
--- a/contrib/ipfilter/ipsend/ipresend.c
+++ b/contrib/ipfilter/ipsend/ipresend.c
@@ -8,12 +8,16 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
+#include <sys/param.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
@@ -30,7 +34,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c
index 691ee7d..27bb513 100644
--- a/contrib/ipfilter/ipsend/ipsopt.c
+++ b/contrib/ipfilter/ipsend/ipsopt.c
@@ -3,6 +3,10 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
+#include <sys/param.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -21,7 +25,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.3 2002/02/22 15:32:58 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
index d4d37ba..463fd4f 100644
--- a/contrib/ipfilter/ipsend/iptest.c
+++ b/contrib/ipfilter/ipsend/iptest.c
@@ -8,6 +8,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
@@ -34,7 +37,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.2 2001/07/15 22:00:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.3 2002/02/22 15:32:58 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c
index 058ab40..56442c7 100644
--- a/contrib/ipfilter/ipsend/lsock.c
+++ b/contrib/ipfilter/ipsend/lsock.c
@@ -5,7 +5,10 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.2 2002/02/22 15:32:58 darrenr Exp $";
+#endif
+#ifdef __sgi
+# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <unistd.h>
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
index 0d4102c..2cbfe75 100644
--- a/contrib/ipfilter/ipsend/resend.c
+++ b/contrib/ipfilter/ipsend/resend.c
@@ -8,6 +8,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -35,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.4 2002/02/22 15:32:58 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c
index 4178c0e..403c7e9 100644
--- a/contrib/ipfilter/ipsend/sirix.c
+++ b/contrib/ipfilter/ipsend/sirix.c
@@ -4,6 +4,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 4749e38..189e35f 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -12,6 +12,9 @@
# endif
# endif
#endif
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <assert.h>
#include <string.h>
@@ -54,12 +57,13 @@
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
+#include "ip_frag.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.2 2001/06/26 10:43:19 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $";
#endif
extern char *optarg;
@@ -71,23 +75,42 @@ extern ipnat_t *natparse __P((char *, int));
extern int fr_running;
int opts = 0;
-#ifdef USE_INET6
int use_inet6 = 0;
-#endif
int main __P((int, char *[]));
+int loadrules __P((char *));
+int kmemcpy __P((char *, long, int));
+void dumpnat __P((void));
+void dumpstate __P((void));
+char *getifname __P((void *));
+void drain_log __P((char *));
int main(argc,argv)
int argc;
char *argv[];
{
- struct ipread *r = &iptext;
- u_long buf[2048];
+ char *datain, *iface, *ifname, *packet, *logout;
+ int fd, i, dir, c, loaded, dump, hlen;
struct ifnet *ifp;
- char *rules = NULL, *datain = NULL, *iface = NULL;
+ struct ipread *r;
+ u_long buf[2048];
ip_t *ip;
- int fd, i, dir = 0, c;
- while ((c = getopt(argc, argv, "6bdEHi:I:NoPr:STvX")) != -1)
+ dir = 0;
+ dump = 0;
+ loaded = 0;
+ r = &iptext;
+ iface = NULL;
+ logout = NULL;
+ ifname = "anon0";
+ datain = NULL;
+
+ nat_init();
+ fr_stateinit();
+ initparse();
+ ipflog_init();
+ fr_running = 1;
+
+ while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
switch (c)
{
#ifdef USE_INET6
@@ -101,17 +124,25 @@ char *argv[];
case 'd' :
opts |= OPT_DEBUG;
break;
+ case 'D' :
+ dump = 1;
+ break;
case 'i' :
datain = optarg;
break;
case 'I' :
- iface = optarg;
+ ifname = optarg;
+ break;
+ case 'l' :
+ logout = optarg;
break;
case 'o' :
opts |= OPT_SAVEOUT;
break;
case 'r' :
- rules = optarg;
+ if (loadrules(optarg) == -1)
+ return -1;
+ loaded = 1;
break;
case 'v' :
opts |= OPT_VERBOSE;
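Review bot: Loading rules from inside the `-r` case makes the result depend on option order: loadrules() reads `opts & OPT_NAT` (and OPT_DEBUG, with the parser presumably honouring `-6` and `-b` too) at the moment it is called, so `ipt -r nat.conf -N` now parses the file as ipf rules while `ipt -N -r nat.conf` parses NAT rules, whereas the removed code loaded only after getopt() had seen every option. Either document the requirement at the `-r` case — `/* -r is processed immediately: give -N/-6/-d before it */` — and in usage, or collect the file names during getopt and call loadrules() on each once parsing is complete. The enclosing option switch and main() continue outside this hunk.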
@@ -134,80 +165,19 @@ char *argv[];
case 'T' :
r = &tcpd;
break;
+ case 'x' :
+ opts |= OPT_HEX;
+ break;
case 'X' :
r = &iptext;
break;
}
- if (!rules) {
- (void)fprintf(stderr,"no rule file present\n");
+ if (loaded == 0) {
+ (void)fprintf(stderr,"no rules loaded\n");
exit(-1);
}
- nat_init();
- fr_stateinit();
- initparse();
- fr_running = 1;
-
- if (rules) {
- char line[513], *s;
- void *fr;
- FILE *fp;
- int linenum = 0;
-
- if (!strcmp(rules, "-"))
- fp = stdin;
- else if (!(fp = fopen(rules, "r"))) {
- (void)fprintf(stderr, "couldn't open %s\n", rules);
- exit(-1);
- }
- if (!(opts & OPT_BRIEF))
- (void)printf("opening rule file \"%s\"\n", rules);
- while (fgets(line, sizeof(line)-1, fp)) {
- linenum++;
- /*
- * treat both CR and LF as EOL
- */
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- /* fake an `ioctl' call :) */
-
- if ((opts & OPT_NAT) != 0) {
- if (!(fr = natparse(line, linenum)))
- continue;
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADNAT,%p,1) = %d\n",
- fr, i);
- } else {
- if (!(fr = parse(line, linenum)))
- continue;
- i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADAFR,%p,1) = %d\n",
- fr, i);
- }
- }
- (void)fclose(fp);
- }
-
if (opts & OPT_SAVEOUT)
init_ifp();
@@ -222,13 +192,34 @@ char *argv[];
ip = (ip_t *)buf;
while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
&iface, &dir)) > 0) {
- ifp = iface ? get_unit(iface, ip->ip_v) : NULL;
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
- i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf);
+ if (iface == NULL || *iface == '\0')
+ iface = ifname;
+ ifp = get_unit(iface, ip->ip_v);
+ hlen = 0;
+ if (!use_inet6) {
+ ip->ip_off = ntohs(ip->ip_off);
+ ip->ip_len = ntohs(ip->ip_len);
+ hlen = ip->ip_hl << 2;
+ }
+#ifdef USE_INET6
+ else
+ hlen = sizeof(ip6_t);
+#endif
+ packet = (char *)buf;
+ /* ipfr_slowtimer(); */
+ i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet);
if ((opts & OPT_NAT) == 0)
switch (i)
{
+ case -5 :
+ (void)printf("block return-icmp-as-dest");
+ break;
+ case -4 :
+ (void)printf("block return-icmp");
+ break;
+ case -3 :
+ (void)printf("block return-rst");
+ break;
case -2 :
(void)printf("auth");
break;
@@ -242,6 +233,10 @@ char *argv[];
(void)printf("nomatch");
break;
}
+ if (!use_inet6) {
+ ip->ip_off = htons(ip->ip_off);
+ ip->ip_len = htons(ip->ip_len);
+ }
if (!(opts & OPT_BRIEF)) {
putchar(' ');
@@ -250,17 +245,232 @@ char *argv[];
} else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
printpacket((ip_t *)buf);
#ifndef linux
- if (dir && ifp && ip->ip_v)
-# ifdef __sgi
- (*ifp->if_output)(ifp, (void *)buf, NULL);
+ if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL))
+# if defined(__sgi) && (IRIX < 605)
+ (*ifp->if_output)(ifp, (void *)packet, NULL);
# else
- (*ifp->if_output)(ifp, (void *)buf, NULL, 0);
+ (*ifp->if_output)(ifp, (void *)packet, NULL, 0);
# endif
#endif
if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
putchar('\n');
dir = 0;
+ if (iface != ifname) {
+ free(iface);
+ iface = ifname;
+ }
}
(*r->r_close)();
+
+ if (logout != NULL) {
+ drain_log(logout);
+ }
+
+ if (dump == 1) {
+ dumpnat();
+ dumpstate();
+ }
+
return 0;
}
+
+
+/*
+ * Load in either NAT or ipf rules from a file, which is treated as stdin
+ * if the name is "-". NOTE, stdin can only be used once as the file is
+ * closed after use.
+ */
+int loadrules(file)
+char *file;
+{
+ char line[513], *s;
+ int linenum, i;
+ void *fr;
+ FILE *fp;
+
+ if (!strcmp(file, "-"))
+ fp = stdin;
+ else if (!(fp = fopen(file, "r"))) {
+ (void)fprintf(stderr, "couldn't open %s\n", file);
+ return (-1);
+ }
+
+ if (!(opts & OPT_BRIEF))
+ (void)printf("opening rule file \"%s\"\n", file);
+
+ linenum = 0;
+
+ while (fgets(line, sizeof(line) - 1, fp)) {
+ linenum++;
+
+ /*
+ * treat both CR and LF as EOL
+ */
+ if ((s = index(line, '\n')))
+ *s = '\0';
+ if ((s = index(line, '\r')))
+ *s = '\0';
+
+ /*
+ * # is comment marker, everything after is a ignored
+ */
+ if ((s = index(line, '#')))
+ *s = '\0';
+
+ if (!*line)
+ continue;
+
+ /* fake an `ioctl' call :) */
+
+ if ((opts & OPT_NAT) != 0) {
+ if (!(fr = natparse(line, linenum)))
+ continue;
+
+ i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
+ (caddr_t)&fr, FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n",
+ fr, i);
+ } else {
+ if (!(fr = parse(line, linenum)))
+ continue;
+
+ i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr,
+ FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n",
+ fr, i);
+ }
+ }
+ (void)fclose(fp);
+
+ return 0;
+}
+
+
+int kmemcpy(addr, offset, size)
+char *addr;
+long offset;
+int size;
+{
+ bcopy((char *)offset, addr, size);
+ return 0;
+}
+
+
+/*
+ * Display the built up NAT table rules and mapping entries.
+ */
+void dumpnat()
+{
+ ipnat_t *ipn;
+ nat_t *nat;
+
+ printf("List of active MAP/Redirect filters:\n");
+ for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
+ printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+ printf("\nList of active sessions:\n");
+ for (nat = nat_instances; nat; nat = nat->nat_next)
+ printactivenat(nat, opts);
+}
+
+
+/*
+ * Display the built up state table rules and mapping entries.
+ */
+void dumpstate()
+{
+ ipstate_t *ips;
+
+ printf("List of active state sessions:\n");
+ for (ips = ips_list; ips != NULL; )
+ ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE));
+}
+
+
+/*
+ * Given a pointer to an interface in the kernel, return a pointer to a
+ * string which is the interface name.
+ */
+char *getifname(ptr)
+void *ptr;
+{
+#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ defined(__OpenBSD__)
+#else
+ char buf[32], *s;
+ int len;
+#endif
+ struct ifnet netif;
+
+ if (ptr == (void *)-1)
+ return "!";
+ if (ptr == NULL)
+ return "-";
+
+ if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
+ return "X";
+#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ defined(__OpenBSD__)
+ return strdup(netif.if_xname);
+#else
+ if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
+ return "X";
+ if (netif.if_unit < 10)
+ len = 2;
+ else if (netif.if_unit < 1000)
+ len = 3;
+ else if (netif.if_unit < 10000)
+ len = 4;
+ else
+ len = 5;
+ buf[sizeof(buf) - len] = '\0';
+ for (s = buf; *s && !isdigit(*s); s++)
+ ;
+ if (isdigit(*s))
+ *s = '\0';
+ sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
+ return strdup(buf);
+#endif
+}
+
+
+void drain_log(filename)
+char *filename;
+{
+ char buffer[IPLLOGSIZE];
+ struct iovec iov;
+ struct uio uio;
+ size_t resid;
+ int fd;
+
+ fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
+ if (fd == -1) {
+ perror("drain_log:open");
+ return;
+ }
+
+ while (1) {
+ bzero((char *)&iov, sizeof(iov));
+ iov.iov_base = buffer;
+ iov.iov_len = sizeof(buffer);
+
+ bzero((char *)&uio, sizeof(uio));
+ uio.uio_iov = &iov;
+ uio.uio_iovcnt = 1;
+ uio.uio_resid = iov.iov_len;
+ resid = uio.uio_resid;
+
+ if (ipflog_read(0, &uio) == 0) {
+ /*
+ * If nothing was read then break out.
+ */
+ if (uio.uio_resid == resid)
+ break;
+ write(fd, buffer, resid - uio.uio_resid);
+ } else
+ break;
+ }
+
+ close(fd);
+}
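Review bot: The `free(iface)` after each packet assumes every reader returns a heap string in `*ifn` whenever it is not the default, but the ipft_hx reader in this same patch only strdup()s on its `in/out,ifname` path and otherwise stores a pointer into its own local line buffer, so a plain `[ifname]` line reaches this free() with a stack address (the other readers' behaviour is not visible here). Pin the contract down where it is relied on — `/* readers must leave NULL or a malloc()ed name in *iface; it is freed here */` — and make each reader honour it, or have readers fill a caller-owned buffer and drop the free. Separately, getifname() copies a fixed `sizeof(buf)` (32) bytes from `netif.if_name`, which is typically a short NUL-terminated name, so the in-process bcopy() wrapper reads past the end of that string; bound the copy by the source length instead. main() starts before this hunk.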
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
index 3cad5a0..eec8b3c 100644
--- a/contrib/ipfilter/kmem.c
+++ b/contrib/ipfilter/kmem.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,13 +8,37 @@
* returns 0 on success, -1 on error.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
+#include <sys/param.h>
#include <sys/types.h>
-#include <sys/uio.h>
#include <unistd.h>
+#include <string.h>
#include <fcntl.h>
+#include <stdlib.h>
#include <sys/file.h>
+#ifndef __sgi
+#include <kvm.h>
+#endif
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
+
#include "kmem.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "ipf.h"
+
#ifndef __STDC__
# define const
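Review bot: `#include <fcntl.h>` now appears twice in this block — the pre-existing line after `<string.h>` and the added one directly after the `<kvm.h>` guard — so the added duplicate should be dropped. It is harmless because of the system header's own guard, but it reads as if two different headers were intended.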
@@ -22,23 +46,68 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.3 2001/07/15 22:06:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $";
#endif
-static int kmemfd = -1;
+#ifndef __sgi
+
+static kvm_t *kvm_f = NULL;
-int openkmem(core)
-char *core;
+#else
+
+typedef int kvm_t;
+
+static kvm_t kvm_f = -1;
+static char *kvm_errstr;
+
+kvm_t kvm_open(kernel, core, swap, mode, errstr)
+char *kernel, *core, *swap;
+int mode;
+char *errstr;
{
- if (core == NULL)
- core = KMEM;
+ kvm_t fd;
+
+ kvm_errstr = errstr;
+
+ fd = open(core, mode);
+ return fd;
+}
+
+int kvm_read(kvm, pos, buffer, size)
+kvm_t kvm;
+u_long pos;
+char *buffer;
+size_t size;
+{
+ int r, left;
+ char *bufp;
+
+ if (lseek(kvm, pos, 0) == -1) {
+ fprintf(stderr, "%s", kvm_errstr);
+ perror("lseek");
+ return -1;
+ }
+
+ for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
+ r = read(kvm, bufp, 1);
+ if (r <= 0)
+ return -1;
+ }
+ return 0;
+}
+#endif
- if ((kmemfd = open(core, O_RDONLY)) == -1)
+
+int openkmem(kern, core)
+char *kern, *core;
+{
+ kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
+ if (kvm_f == NULL)
{
- perror("kmeminit:open");
+ perror("openkmem:open");
return -1;
}
- return kmemfd;
+ return (int)kvm_f;
}
int kmemcpy(buf, pos, n)
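Review bot: The IRIX kvm_read shim returns 0 on success, but kmemcpy in the next hunk treats the return value as a byte count (`while ((r = kvm_read(kvm_f, pos, buf, n)) < n) if (r <= 0) … return -1;`), so on that build every successful read is reported as a failure; return the bytes transferred instead, `return (int)size;`. On the same build kvm_f is an int initialised to -1, yet openkmem, kmemcpy and kstrncpy all test `kvm_f == NULL`, so a failed open is never detected and the lazy open in kmemcpy/kstrncpy never runs; those comparisons need a per-build sentinel under the same `#ifdef __sgi`. The shim also issues one read(2) per byte (`r = read(kvm, bufp, 1);`), which is needlessly slow for struct-sized copies; `read(kvm, bufp, left)` with the existing loop would do. Less important, `return (int)kvm_f;` narrows a pointer to int on LP64 builds, so callers must only ever test it against -1 and never use it as a handle.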
@@ -50,23 +119,22 @@ register int n;
if (!n)
return 0;
- if (kmemfd == -1)
- if (openkmem(NULL) == -1)
+
+ if (kvm_f == NULL)
+ if (openkmem(NULL, NULL) == -1)
return -1;
- if (lseek(kmemfd, pos, 0) == -1)
- {
- perror("kmemcpy:lseek");
- return -1;
- }
- while ((r = read(kmemfd, buf, n)) < n)
+
+ while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
if (r <= 0)
{
+ fprintf(stderr, "pos=0x%x ", (u_int)pos);
perror("kmemcpy:read");
return -1;
}
else
{
buf += r;
+ pos += r;
n -= r;
}
return 0;
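Review bot: `fprintf(stderr, "pos=0x%x ", (u_int)pos);` truncates the kernel address in the diagnostic on 64-bit builds; print it as `"pos=%#lx "` with `(u_long)pos`, and the same line appears in the kstrncpy hunk below. The enclosing kmemcpy body starts outside this hunk, so the type of `pos` and `r` is inferred from the kvm_read call.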
@@ -81,19 +149,18 @@ register int n;
if (!n)
return 0;
- if (kmemfd == -1)
- if (openkmem(NULL) == -1)
+
+ if (kvm_f == NULL)
+ if (openkmem(NULL, NULL) == -1)
return -1;
- if (lseek(kmemfd, pos, 0) == -1)
+
+ while (n > 0)
{
- perror("kmemcpy:lseek");
- return -1;
- }
- while (n > 0) {
- r = read(kmemfd, buf, 1);
+ r = kvm_read(kvm_f, pos, buf, 1);
if (r <= 0)
{
- perror("kmemcpy:read");
+ fprintf(stderr, "pos=0x%x ", (u_int)pos);
+ perror("kstrncpy:read");
return -1;
}
else
@@ -101,8 +168,70 @@ register int n;
if (*buf == '\0')
break;
buf++;
+ pos++;
n--;
}
- }
+ }
return 0;
}
+
+
+/*
+ * Given a pointer to an interface in the kernel, return a pointer to a
+ * string which is the interface name.
+ */
+char *getifname(ptr)
+void *ptr;
+{
+#if SOLARIS
+ char *ifname;
+ ill_t ill;
+
+ if (ptr == (void *)-1)
+ return "!";
+ if (ptr == NULL)
+ return "-";
+
+ if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
+ return "X";
+ ifname = malloc(ill.ill_name_length + 1);
+ if (kmemcpy(ifname, (u_long)ill.ill_name,
+ ill.ill_name_length) == -1)
+ return "X";
+ return ifname;
+#else
+# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ defined(__OpenBSD__)
+#else
+ char buf[32];
+ int len;
+# endif
+ struct ifnet netif;
+
+ if (ptr == (void *)-1)
+ return "!";
+ if (ptr == NULL)
+ return "-";
+
+ if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
+ return "X";
+# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ defined(__OpenBSD__)
+ return strdup(netif.if_xname);
+# else
+ if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
+ return "X";
+ if (netif.if_unit < 10)
+ len = 2;
+ else if (netif.if_unit < 1000)
+ len = 3;
+ else if (netif.if_unit < 10000)
+ len = 4;
+ else
+ len = 5;
+ buf[sizeof(buf) - len] = '\0';
+ sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
+ return strdup(buf);
+# endif
+#endif
+}
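Review bot: In the Solaris branch the `malloc` result is used unchecked, the copied name is never NUL-terminated (ill_name_length bytes go into a buffer of ill_name_length + 1 but the last byte is left as malloc returned it), and the buffer leaks when the second kmemcpy fails; the rewritten branch below handles all three, using the `<stdlib.h>` this commit adds. The function also mixes ownership: success paths return malloc'd or strdup'd memory while the `"!"`, `"-"` and `"X"` paths return string literals, so a caller cannot free the result uniformly — that deserves a comment on the new prototype in kmem.h, or strdup'd copies for the literals too. A getifname of the same name and shape is added earlier in this commit in another file; if both objects are ever linked into one program they will collide, so presumably one of them should go.
```c
	if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
		return "X";
	ifname = malloc(ill.ill_name_length + 1);
	if (ifname == NULL)
		return "X";
	if (kmemcpy(ifname, (u_long)ill.ill_name,
		    ill.ill_name_length) == -1) {
		free(ifname);
		return "X";
	}
	ifname[ill.ill_name_length] = '\0';
	return ifname;
	/* … unchanged: non-Solaris branch … */
```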
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
index 08a6c5e..f7056c2 100644
--- a/contrib/ipfilter/kmem.h
+++ b/contrib/ipfilter/kmem.h
@@ -2,7 +2,7 @@
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 2.2.2.2 2001/06/26 10:43:19 darrenr Exp $
+ * $Id: kmem.h,v 2.2.2.4 2002/01/01 13:43:48 darrenr Exp $
*/
#ifndef __KMEM_H__
@@ -15,9 +15,10 @@
# define __P(x) ()
# endif
#endif
-extern int openkmem __P((char *));
+extern int openkmem __P((char *, char *));
extern int kmemcpy __P((char *, long, int));
extern int kstrncpy __P((char *, long, int));
+extern char *getifname __P((void *));
#if defined(__NetBSD__) || defined(__OpenBSD)
# include <paths.h>
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index c83337a..05164d7 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -10,7 +10,7 @@ all:
install:
$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.1 $(MANDIR)/man1
+ $(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
index a120744..04b8863 100644
--- a/contrib/ipfilter/man/ipfs.8
+++ b/contrib/ipfilter/man/ipfs.8
@@ -52,6 +52,7 @@ Change the default directory used with
and
.B \-W
options for saving state information.
+.TP
.B \-n
Don't actually take any action that would effect information stored in
the kernel or on disk.
@@ -59,6 +60,11 @@ the kernel or on disk.
.B \-v
Provides a verbose description of what's being done.
.TP
+.B \-i <ifname1>,<ifname2>
+Change all instances of interface name ifname1 in the state save file to
+ifname2. Useful if you're restoring state information after a hardware
+reconfiguration or change.
+.TP
.B \-N
Operate on NAT information.
.TP
@@ -69,7 +75,7 @@ Operate on filtering state information.
Unlock state tables in the kernel.
.TP
.B \-l
-Unlock state tables in the kernel.
+Lock state tables in the kernel.
.TP
.B \-r
Read information in from the specified file and load it into the
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
index 15f587b..7c6d46e 100644
--- a/contrib/ipfilter/man/ipl.4
+++ b/contrib/ipfilter/man/ipl.4
@@ -49,7 +49,7 @@ When reading from the \fBipl\fP device, it is necessary to call read(2) with
a buffer big enough to hold at least 1 complete log record - reading of partial
log records is not supported.
.PP
-If the packet contents is more then 128 bytes when \fBlog body\fP is used,
+If the packet contents are more than 128 bytes when \fBlog body\fP is used,
then only 128 bytes of the packet contents is logged.
.PP
Although it is only possible to read from the \fBipl\fP device, opening it
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index ec53059..7fb2e90 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -10,10 +10,11 @@ ipmap :: = mapblock | redir | map .
map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
map ::= mapit ifname fromto "->" ipmask [ mapport ] .
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
+redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
+rdrport ::= "port" portnum .
mapit ::= "map" | "bimap" .
fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
@@ -199,6 +200,7 @@ own. As opposed to the above use of \fBmap\fP, if for some reason the user
of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
IP address with the \fBmap\fP command.
+.SH FILES
/dev/ipnat
.br
/etc/services
diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c
index df65e2c..45c48a6 100644
--- a/contrib/ipfilter/misc.c
+++ b/contrib/ipfilter/misc.c
@@ -1,8 +1,11 @@
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#if (SOLARIS2 >= 7)
# define _SYS_VARARGS_H
# define _VARARGS_H
@@ -50,7 +53,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.7 2002/02/22 15:32:55 darrenr Exp $";
#endif
extern int opts;
@@ -60,9 +63,38 @@ void printpacket(ip)
ip_t *ip;
{
tcphdr_t *tcp;
+ u_short len;
+
+ if (ip->ip_v == 4)
+ len = ntohs(ip->ip_len);
+ else if (ip->ip_v == 6)
+ len = ntohs(((u_short *)ip)[2]) + 40;
+ else
+ len = 0;
+
+ if ((opts & OPT_HEX) == OPT_HEX) {
+ u_char *s;
+ int i;
+
+ for (s = (u_char *)ip, i = 0; i < len; i++) {
+ printf("%02x", *s++ & 0xff);
+ if (len - i > 1) {
+ i++;
+ printf("%02x", *s++ & 0xff);
+ }
+ putchar(' ');
+ }
+ putchar('\n');
+ return;
+ }
+
+ if (ip->ip_v == 6) {
+ printpacket6(ip);
+ return;
+ }
tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
- printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
+ printf("ip %d(%d) %d", ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p);
if (ip->ip_off & IP_OFFMASK)
printf(" @%d", ip->ip_off << 3);
(void)printf(" %s", inet_ntoa(ip->ip_src));
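Review bot: The hex dump loop at the top of printpacket reads `len` bytes from `ip` with `len` taken from the packet's own header, and the function has no argument saying how much of the packet is actually in memory; the ipl.4 change in this same commit says only 128 bytes of the body are logged, so for a logged packet the loop can presumably run past the captured record. `u_short len` also wraps for IPv6 payload lengths above 65495 because 40 is added after ntohs(); make it `u_int`. Short of changing the signature, clamping against a record length the caller knows is the right fix; at minimum a comment `/* XXX len is trusted from the packet header; callers must pass whole packets */` belongs above the loop. printpacket6 in the next hunk reads the transport ports at `buf + 40` on the same trust in `plen`. The function's tail is outside this hunk.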
@@ -78,6 +110,48 @@ ip_t *ip;
}
+/*
+ * This is meant to work without the IPv6 header files being present or
+ * the inet_ntop() library.
+ */
+void printpacket6(ip)
+ip_t *ip;
+{
+ u_char *buf, p, hops;
+ u_short plen, *addrs;
+ tcphdr_t *tcp;
+ u_32_t flow;
+
+ buf = (u_char *)ip;
+ tcp = (tcphdr_t *)(buf + 40);
+ p = buf[6];
+ hops = buf[7];
+ flow = ntohl(*(u_32_t *)buf);
+ flow &= 0xfffff;
+ plen = ntohs(*((u_short *)buf +2));
+ addrs = (u_short *)buf + 4;
+
+ printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
+ printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+ ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
+ ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
+ ntohs(addrs[6]), ntohs(addrs[7]));
+ if (plen >= 4)
+ if (p == IPPROTO_TCP || p == IPPROTO_UDP)
+ (void)printf(",%d", ntohs(tcp->th_sport));
+ printf(" >");
+ addrs += 8;
+ printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+ ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
+ ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
+ ntohs(addrs[6]), ntohs(addrs[7]));
+ if (plen >= 4)
+ if (p == IPPROTO_TCP || p == IPPROTO_UDP)
+ (void)printf(",%d", ntohs(tcp->th_dport));
+ putchar('\n');
+}
+
+
#if defined(__STDC__)
void verbose(char *fmt, ...)
#else
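Review bot: The address groups are printed with `%02x`, so a 16-bit group such as 0x0db8 renders as `db8` and 0x0001 as `01`, which is neither the fixed-width nor the RFC-compressed form; `%04x` gives the unambiguous fixed-width rendering, and the same format is used for both address lines. `flow = ntohl(*(u_32_t *)buf);` dereferences the packet start as a 32-bit word, which is fine only when `ip` is 4-byte aligned — presumably guaranteed by the caller, but worth a comment, e.g. `/* ip must be 32-bit aligned */`.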
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index 50c2d94..00f7d22 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -117,8 +117,12 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RW,
&fr_tcpclosed, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RW,
&fr_udptimeout, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RW,
+ &fr_udpacktimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RW,
&fr_icmptimeout, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_icmpacktimeout, CTLFLAG_RW,
+ &fr_icmpacktimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RW,
&fr_defnatage, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
index 2412029..94b1bc2 100644
--- a/contrib/ipfilter/mli_ipl.c
+++ b/contrib/ipfilter/mli_ipl.c
@@ -62,7 +62,12 @@ static __psunsigned_t ipfk_code[4];
typedef struct nif {
struct nif *nf_next;
struct ifnet *nf_ifp;
+#if IRIX < 605
int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *);
+#else
+ int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
+ struct rtentry *);
+#endif
char nf_name[IFNAMSIZ];
int nf_unit;
} nif_t;
@@ -74,7 +79,12 @@ extern int in_interfaces;
extern ipnat_t *nat_list;
static int
+#if IRIX < 605
ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
+#else
+ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+ struct rtentry *rt)
+#endif
{
nif_t *nif;
@@ -112,19 +122,19 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
#if IPFDEBUG >= 4
if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- return (*nif->nf_output)(ifp, m, dst);
+ goto done;
}
#endif
if (m->m_len < sizeof(char)) {
printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
- return (*nif->nf_output)(ifp, m, dst);
+ goto done;
}
ip = mtod(m, struct ip *);
if (ip->ip_v != IPVERSION) {
#if IPFDEBUG >= 4
printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
#endif
- return (*nif->nf_output)(ifp, m, dst);
+ goto done;
}
hlen = ip->ip_hl << 2;
@@ -142,7 +152,12 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
break;
}
}
+done:
+#if IRIX < 605
return (*nif->nf_output)(ifp, m, dst);
+#else
+ return (*nif->nf_output)(ifp, m, dst, rt);
+#endif
}
int
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
index bda0f2e..33dce63 100644
--- a/contrib/ipfilter/mln_ipl.c
+++ b/contrib/ipfilter/mln_ipl.c
@@ -235,7 +235,7 @@ static int ipl_load()
*/
(void)ipl_remove();
- error = iplattach();
+ error = ipl_enable();
if (error)
return error;
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
index f237708..e484316 100644
--- a/contrib/ipfilter/natparse.c
+++ b/contrib/ipfilter/natparse.c
@@ -1,8 +1,11 @@
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@@ -39,8 +42,9 @@
#include <ctype.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
#include "ipf.h"
#if defined(sun) && !SOLARIS2
@@ -52,7 +56,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $";
#endif
@@ -60,191 +64,15 @@ static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09
#define bzero(a,b) memset(a,0,b)
#endif
+extern void printnat __P((ipnat_t *, int));
extern int countbits __P((u_32_t));
extern char *proto;
ipnat_t *natparse __P((char *, int));
-void printnat __P((ipnat_t *, int, void *));
void natparsefile __P((int, char *, int));
void nat_setgroupmap __P((struct ipnat *));
-void printnat(np, opts, ptr)
-ipnat_t *np;
-int opts;
-void *ptr;
-{
- struct protoent *pr;
- struct servent *sv;
- int bits;
-
- switch (np->in_redir)
- {
- case NAT_REDIRECT :
- printf("rdr");
- break;
- case NAT_MAP :
- printf("map");
- break;
- case NAT_MAPBLK :
- printf("map-block");
- break;
- case NAT_BIMAP :
- printf("bimap");
- break;
- default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
- np->in_redir);
- break;
- }
-
- printf(" %s ", np->in_ifname);
-
- if (np->in_flags & IPN_FILTER) {
- if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- }
-
- if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
- }
- }
-
- if (np->in_redir == NAT_REDIRECT) {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("/%d ", bits);
- else
- printf("/%s ", inet_ntoa(np->in_out[1]));
- if (np->in_pmin)
- printf("port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("- %d", ntohs(np->in_pmax));
- }
- printf(" -> %s", inet_ntoa(np->in_in[0]));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1]));
- if (np->in_pnext)
- printf(" port %d", ntohs(np->in_pnext));
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if ((np->in_flags & IPN_TCP) == IPN_TCP)
- printf(" tcp");
- else if ((np->in_flags & IPN_UDP) == IPN_UDP)
- printf(" udp");
- if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- printf("\n");
- if (opts & OPT_DEBUG)
- printf("\t%p %lu %#x %u %p %d\n", np->in_ifp,
- np->in_space, np->in_flags, np->in_pmax, np,
- np->in_use);
- } else {
- np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0]));
- bits = countbits(np->in_in[1].s_addr);
- if (bits != -1)
- printf("%d ", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1]));
- }
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0]));
- printf("%s", inet_ntoa(np->in_out[1]));
- } else {
- printf("%s/", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("%d ", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1]));
- }
- if (*np->in_plabel) {
- pr = getprotobynumber(np->in_p);
- printf(" proxy port");
- if (np->in_dport != 0) {
- if (pr != NULL)
- sv = getservbyport(np->in_dport,
- pr->p_name);
- else
- sv = getservbyport(np->in_dport, NULL);
- if (sv != NULL)
- printf(" %s", sv->s_name);
- else
- printf(" %hu", ntohs(np->in_dport));
- }
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- if (pr != NULL)
- fputs(pr->p_name, stdout);
- else
- printf("%d", np->in_p);
- } else if (np->in_redir == NAT_MAPBLK) {
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_VERBOSE)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
- printf(" portmap");
- if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
- if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
- np->in_ippip, np->in_ppip);
- } else {
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf(" tcp");
- else if (np->in_flags & IPN_UDP)
- printf(" udp");
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
- }
- }
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- printf("\n");
- if (opts & OPT_DEBUG) {
- printf("\tifp %p space %lu nextip %s pnext %d",
- np->in_ifp, np->in_space,
- inet_ntoa(np->in_nextip), np->in_pnext);
- printf(" flags %x use %u\n",
- np->in_flags, np->in_use);
- }
- }
-}
-
-
void nat_setgroupmap(n)
ipnat_t *n;
{
@@ -268,7 +96,9 @@ ipnat_t *n;
}
-
+/*
+ * Parse a line of input from the ipnat configuration file
+ */
ipnat_t *natparse(line, linenum)
char *line;
int linenum;
@@ -278,9 +108,13 @@ int linenum;
char *dnetm = NULL, *dport = NULL;
char *s, *t, *cps[31], **cpp;
int i, cnt;
+ char *port1a = NULL, *port1b = NULL, *port2a = NULL;
proto = NULL;
+ /*
+ * Search for end of line and comment marker, advance of leading spaces
+ */
if ((s = strchr(line, '\n')))
*s = '\0';
if ((s = strchr(line, '#')))
@@ -293,6 +127,9 @@ int linenum;
bzero((char *)&ipn, sizeof(ipn));
cnt = 0;
+ /*
+ * split line upto into segments.
+ */
for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
cps[++i] = strtok(NULL, " \b\t\r\n");
@@ -305,6 +142,9 @@ int linenum;
cpp = cps;
+ /*
+ * Check first word is a recognised keyword and then is the interface
+ */
if (!strcasecmp(*cpp, "map"))
ipn.in_redir = NAT_MAP;
else if (!strcasecmp(*cpp, "map-block"))
@@ -325,6 +165,10 @@ int linenum;
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
cpp++;
+ /*
+ * If the first word after the interface is "from" or is a ! then
+ * the expanded syntax is being used so parse it differently.
+ */
if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
if (!strcmp(*cpp, "!")) {
cpp++;
@@ -349,19 +193,17 @@ int linenum;
ipn.in_flags |= IPN_FILTER;
cpp++;
if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk,
- &ipn.in_sport, &ipn.in_scmp,
- &ipn.in_stop, linenum)) {
- return NULL;
- }
+ if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
+ (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
+ &ipn.in_scmp, &ipn.in_stop, linenum)) {
+ return NULL;
+ }
} else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
- (u_32_t *)&ipn.in_inmsk,
- &ipn.in_sport, &ipn.in_scmp,
- &ipn.in_stop, linenum)) {
- return NULL;
- }
+ if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
+ (u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
+ &ipn.in_scmp, &ipn.in_stop, linenum)) {
+ return NULL;
+ }
}
if (!strcmp(*cpp, "!")) {
@@ -388,28 +230,30 @@ int linenum;
return NULL;
}
if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
- (u_32_t *)&ipn.in_outmsk,
- &ipn.in_dport, &ipn.in_dcmp,
- &ipn.in_dtop, linenum)) {
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_dport);
+ if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
+ (u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
+ &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
+ return NULL;
+ }
+ ipn.in_pmin = htons(ipn.in_dport);
} else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk,
- &ipn.in_dport, &ipn.in_dcmp,
- &ipn.in_dtop, linenum)) {
- return NULL;
- }
+ if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
+ (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
+ &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
+ return NULL;
+ }
}
} else {
s = *cpp;
- if (!s)
+ if (!s) {
+ fprintf(stderr, "%d: short line\n", linenum);
return NULL;
+ }
t = strchr(s, '/');
- if (!t)
+ if (!t) {
+ fprintf(stderr, "%d: no netmask on LHS\n", linenum);
return NULL;
+ }
*t++ = '\0';
if (ipn.in_redir == NAT_REDIRECT) {
if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
@@ -425,10 +269,16 @@ int linenum;
}
}
cpp++;
- if (!*cpp)
+ if (!*cpp) {
+ fprintf(stderr, "%d: short line\n", linenum);
return NULL;
+ }
}
+ /*
+ * If it is a standard redirect then we expect it to have a port
+ * match after the hostmask.
+ */
if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
if (strcasecmp(*cpp, "port")) {
fprintf(stderr, "%d: missing fields - 1st port\n",
@@ -450,24 +300,23 @@ int linenum;
else
s = NULL;
- if (!portnum(*cpp, &ipn.in_pmin, linenum))
- return NULL;
- ipn.in_pmin = htons(ipn.in_pmin);
- cpp++;
+ port1a = *cpp++;
if (!strcmp(*cpp, "-")) {
cpp++;
s = *cpp++;
}
- if (s) {
- if (!portnum(s, &ipn.in_pmax, linenum))
- return NULL;
- ipn.in_pmax = htons(ipn.in_pmax);
- } else
+ if (s)
+ port1b = s;
+ else
ipn.in_pmax = ipn.in_pmin;
}
+ /*
+ * In the middle of the NAT rule syntax is -> to indicate the
+ * direction of translation.
+ */
if (!*cpp) {
fprintf(stderr, "%d: missing fields (->)\n", linenum);
return NULL;
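Review bot: `else ipn.in_pmax = ipn.in_pmin;` at the end of the port block now runs before in_pmin has been parsed — the port text is only saved in port1a here and converted later in the function, where the identical assignment is repeated — so it copies the zero left by the bzero at the top of natparse and is dead; drop it here, or replace it with a comment that the real assignment happens after the protocol is known. natparse's body starts and ends outside this hunk.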
@@ -537,6 +386,8 @@ int linenum;
if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
return NULL;
} else {
+ if (!strcmp(*cpp, ipn.in_ifname))
+ *cpp = "0";
if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
return NULL;
}
@@ -556,11 +407,18 @@ int linenum;
} else
ipn.in_pmin = 0;
} else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (!*cpp || strrchr(*cpp, '/') != NULL) {
+ if (*cpp && (strrchr(*cpp, '/') != NULL)) {
fprintf(stderr, "%d: No netmask supported in %s\n",
linenum, "destination host for redirect");
return NULL;
}
+
+ if (!*cpp) {
+ fprintf(stderr, "%d: Missing destination port %s\n",
+ linenum, "in redirect");
+ return NULL;
+ }
+
/* If it's a in_redir, expect target port */
if (strcasecmp(*cpp, "port")) {
@@ -575,10 +433,8 @@ int linenum;
linenum);
return NULL;
}
- if (!portnum(*cpp, &ipn.in_pnext, linenum))
- return NULL;
- ipn.in_pnext = htons(ipn.in_pnext);
- cpp++;
+
+ port2a = *cpp++;
}
if (dnetm && *dnetm == '/')
*dnetm++ = '\0';
@@ -601,25 +457,32 @@ int linenum;
ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
proto = "tcp";
} else {
- if (!strcasecmp(*cpp, "tcp"))
+ proto = *cpp++;
+ if (!strcasecmp(proto, "tcp"))
ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
+ else if (!strcasecmp(proto, "udp"))
ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
+ else if (!strcasecmp(proto, "tcp/udp"))
ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
+ else if (!strcasecmp(proto, "tcpudp")) {
ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "ip"))
+ proto = "tcp/udp";
+ } else if (!strcasecmp(proto, "ip"))
ipn.in_flags |= IPN_ANY;
else {
ipn.in_flags |= IPN_ANY;
- if ((pr = getprotobyname(*cpp)))
+ if ((pr = getprotobyname(proto)))
ipn.in_p = pr->p_proto;
- else
- ipn.in_p = atoi(*cpp);
+ else {
+ if (!isdigit(*proto)) {
+ fprintf(stderr,
+ "%d: Unknown protocol %s\n",
+ linenum, proto);
+ return NULL;
+ } else
+ ipn.in_p = atoi(proto);
+ }
}
- proto = *cpp;
- cpp++;
if (*cpp && !strcasecmp(*cpp, "round-robin")) {
cpp++;
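Review bot: `isdigit(*proto)` is passed a plain char, which is undefined for negative values; cast to `(unsigned char)`. `atoi(proto)` then accepts input such as `17abc` and any magnitude, silently truncating values above 255 into ipn.in_p, whereas an unrecognised name is rejected on the line just above; strtol with an end pointer and a range check keeps the two paths consistent (strtol comes from the same header as atoi). The enclosing function starts and ends outside the hunk.
```c
			else {
				char *endp;
				long pn = strtol(proto, &endp, 10);

				if (endp == proto || *endp != '\0' ||
				    pn < 0 || pn > 255) {
					fprintf(stderr,
						"%d: Unknown protocol %s\n",
						linenum, proto);
					return NULL;
				}
				ipn.in_p = pn;
			}
```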
@@ -631,15 +494,51 @@ int linenum;
ipn.in_flags |= IPN_FRAG;
}
+ if (*cpp && !strcasecmp(*cpp, "age")) {
+ cpp++;
+ if (!*cpp) {
+ fprintf(stderr,
+ "%d: age with no parameters\n",
+ linenum);
+ return NULL;
+ }
+
+ ipn.in_age[0] = atoi(*cpp);
+ s = index(*cpp, '/');
+ if (s != NULL)
+ ipn.in_age[1] = atoi(s + 1);
+ else
+ ipn.in_age[1] = ipn.in_age[0];
+ cpp++;
+ }
+
if (*cpp) {
fprintf(stderr,
- "%d: extra junk at the end of rdr: %s\n",
+ "%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
return NULL;
}
}
}
+ if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
+ if (!portnum(port1a, &ipn.in_pmin, linenum))
+ return NULL;
+ ipn.in_pmin = htons(ipn.in_pmin);
+ if (port1b != NULL) {
+ if (!portnum(port1b, &ipn.in_pmax, linenum))
+ return NULL;
+ ipn.in_pmax = htons(ipn.in_pmax);
+ } else
+ ipn.in_pmax = ipn.in_pmin;
+ }
+
+ if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
+ if (!portnum(port2a, &ipn.in_pnext, linenum))
+ return NULL;
+ ipn.in_pnext = htons(ipn.in_pnext);
+ }
+
if (!(ipn.in_flags & IPN_SPLIT))
ipn.in_inip &= ipn.in_inmsk;
if ((ipn.in_flags & IPN_IPRANGE) == 0)
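Review bot: `ipn.in_age[0] = atoi(*cpp);` and the `atoi(s + 1)` conversion accept any text, so `age abc` silently yields an age of 0 while the protocol branch just above rejects unknown input; validate both numbers with strtol the same way, and the same applies to the second `age` block later in this function. `index()` is the legacy BSD name for strchr(), which natparse already uses (`strchr(line, '\n')`), so `strchr(*cpp, '/')` would be consistent. natparse's body starts and ends outside this hunk.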
@@ -665,6 +564,11 @@ int linenum;
}
if (!strcasecmp(*cpp, "proxy")) {
+ if (ipn.in_redir == NAT_BIMAP) {
+ fprintf(stderr, "%d: cannot use proxy with bimap\n",
+ linenum);
+ return NULL;
+ }
cpp++;
if (!*cpp) {
fprintf(stderr,
@@ -720,63 +624,85 @@ int linenum;
linenum);
return NULL;
}
- return &ipn;
- }
+ } else if (!strcasecmp(*cpp, "portmap")) {
+ if (ipn.in_redir == NAT_BIMAP) {
+ fprintf(stderr, "%d: cannot use portmap with bimap\n",
+ linenum);
+ return NULL;
+ }
+ cpp++;
+ if (!*cpp) {
+ fprintf(stderr,
+ "%d: missing expression following portmap\n",
+ linenum);
+ return NULL;
+ }
- if (strcasecmp(*cpp, "portmap")) {
- fprintf(stderr,
- "%d: expected \"portmap\" - got \"%s\"\n", linenum,
- *cpp);
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: missing expression following portmap\n",
- linenum);
- return NULL;
- }
+ if (!strcasecmp(*cpp, "tcp"))
+ ipn.in_flags |= IPN_TCP;
+ else if (!strcasecmp(*cpp, "udp"))
+ ipn.in_flags |= IPN_UDP;
+ else if (!strcasecmp(*cpp, "tcpudp"))
+ ipn.in_flags |= IPN_TCPUDP;
+ else if (!strcasecmp(*cpp, "tcp/udp"))
+ ipn.in_flags |= IPN_TCPUDP;
+ else {
+ fprintf(stderr,
+ "%d: expected protocol name - got \"%s\"\n",
+ linenum, *cpp);
+ return NULL;
+ }
+ proto = *cpp;
+ cpp++;
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else {
- fprintf(stderr,
- "%d: expected protocol name - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- proto = *cpp;
- cpp++;
+ if (!*cpp) {
+ fprintf(stderr, "%d: no port range found\n", linenum);
+ return NULL;
+ }
- if (!*cpp) {
- fprintf(stderr, "%d: no port range found\n", linenum);
- return NULL;
+ if (!strcasecmp(*cpp, "auto")) {
+ ipn.in_flags |= IPN_AUTOPORTMAP;
+ ipn.in_pmin = htons(1024);
+ ipn.in_pmax = htons(65535);
+ nat_setgroupmap(&ipn);
+ cpp++;
+ } else {
+ if (!(t = strchr(*cpp, ':'))) {
+ fprintf(stderr,
+ "%d: no port range in \"%s\"\n",
+ linenum, *cpp);
+ return NULL;
+ }
+ *t++ = '\0';
+ if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
+ !portnum(t, &ipn.in_pmax, linenum))
+ return NULL;
+ ipn.in_pmin = htons(ipn.in_pmin);
+ ipn.in_pmax = htons(ipn.in_pmax);
+ cpp++;
+ }
}
- if (!strcasecmp(*cpp, "auto")) {
- ipn.in_flags |= IPN_AUTOPORTMAP;
- ipn.in_pmin = htons(1024);
- ipn.in_pmax = htons(65535);
- nat_setgroupmap(&ipn);
- return &ipn;
+ if (*cpp && !strcasecmp(*cpp, "age")) {
+ cpp++;
+ if (!*cpp) {
+ fprintf(stderr, "%d: age with no parameters\n",
+ linenum);
+ return NULL;
+ }
+ s = index(*cpp, '/');
+ if (s != NULL)
+ ipn.in_age[1] = atoi(s + 1);
+ else
+ ipn.in_age[1] = ipn.in_age[0];
+ cpp++;
}
- if (!(t = strchr(*cpp, ':'))) {
- fprintf(stderr, "%d: no port range in \"%s\"\n",
+ if (*cpp) {
+ fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
return NULL;
}
- *t++ = '\0';
- if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
- !portnum(t, &ipn.in_pmax, linenum))
- return NULL;
- ipn.in_pmin = htons(ipn.in_pmin);
- ipn.in_pmax = htons(ipn.in_pmax);
return &ipn;
}
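Review bot: The second `age` block (the map/portmap side) never assigns `ipn.in_age[0]`; it only derives in_age[1] from the part after the `/` or copies in_age[0], which is still the zero from the bzero at the top of natparse, so `age N` on a map rule leaves both entries at 0. Add `ipn.in_age[0] = atoi(*cpp);` before `s = index(*cpp, '/');`, matching the rdr-side block earlier in the function. natparse's body starts outside this hunk.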
@@ -812,7 +738,7 @@ int opts;
linenum, line);
} else {
if ((opts & OPT_VERBOSE) && np)
- printnat(np, opts, NULL);
+ printnat(np, opts);
if (!(opts & OPT_NODO)) {
if (!(opts & OPT_REMOVE)) {
if (ioctl(fd, SIOCADNAT, &np) == -1) {
diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c
index e0dd125..cad1045 100644
--- a/contrib/ipfilter/opt.c
+++ b/contrib/ipfilter/opt.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -25,7 +28,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.2 2002/02/22 15:32:56 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 56bc3fc..6a2a04e 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -3,6 +3,9 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@@ -44,9 +47,7 @@ static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 da
extern struct ipopt_names ionames[], secclass[];
extern int opts;
-#ifdef USE_INET6
extern int use_inet6;
-#endif
int addicmp __P((char ***, struct frentry *, int));
int extras __P((char ***, struct frentry *, int));
@@ -57,6 +58,7 @@ void print_toif __P((char *, frdest_t *));
void optprint __P((u_short *, u_long, u_long));
int loglevel __P((char **, u_int *, int));
void printlog __P((frentry_t *));
+void printifname __P((char *, char *, void *));
extern char *proto;
extern char flagset[];
@@ -72,8 +74,8 @@ char *line;
int linenum;
{
static struct frentry fil;
+ char *cps[31], **cpp, *endptr, *s;
struct protoent *p = NULL;
- char *cps[31], **cpp, *endptr;
int i, cnt = 1, j, ch;
u_int k;
@@ -84,11 +86,7 @@ int linenum;
bzero((char *)&fil, sizeof(fil));
fil.fr_mip.fi_v = 0xf;
-#ifdef USE_INET6
fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
-#else
- fil.fr_ip.fi_v = 4;
-#endif
fil.fr_loglevel = 0xffff;
/*
@@ -106,10 +104,18 @@ int linenum;
}
cpp = cps;
+ /*
+ * The presence of an '@' followed by a number gives the position in
+ * the current rule list to insert this one.
+ */
if (**cpp == '@')
fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
+ /*
+ * Check the first keyword in the rule and any options that are
+ * expected to follow it.
+ */
if (!strcasecmp("block", *cpp)) {
fil.fr_flags |= FR_BLOCK;
if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
@@ -149,6 +155,8 @@ int linenum;
fil.fr_flags |= FR_ACCOUNT;
} else if (!strcasecmp("pass", *cpp)) {
fil.fr_flags |= FR_PASS;
+ } else if (!strcasecmp("nomatch", *cpp)) {
+ fil.fr_flags |= FR_NOMATCH;
} else if (!strcasecmp("auth", *cpp)) {
fil.fr_flags |= FR_AUTH;
} else if (!strcasecmp("preauth", *cpp)) {
@@ -194,6 +202,10 @@ int linenum;
return NULL;
}
+ /*
+ * Get the direction for filtering. Impose restrictions on direction
+ * if blocking with returning ICMP or an RST has been requested.
+ */
if (!strcasecmp("in", *cpp))
fil.fr_flags |= FR_INQUE;
else if (!strcasecmp("out", *cpp)) {
@@ -252,19 +264,39 @@ int linenum;
}
if (*cpp && !strcasecmp("quick", *cpp)) {
+ if (fil.fr_skip != 0) {
+ fprintf(stderr, "%d: cannot use skip with quick\n",
+ linenum);
+ return NULL;
+ }
cpp++;
fil.fr_flags |= FR_QUICK;
}
+ /*
+ * Parse rule options that are available if a rule is tied to an
+ * interface.
+ */
*fil.fr_ifname = '\0';
+ *fil.fr_oifname = '\0';
if (*cpp && !strcasecmp(*cpp, "on")) {
if (!*++cpp) {
fprintf(stderr, "%d: interface name missing\n",
linenum);
return NULL;
}
- (void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
- fil.fr_ifname[IFNAMSIZ-1] = '\0';
+
+ s = index(*cpp, ',');
+ if (s != NULL) {
+ *s++ = '\0';
+ (void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
+ fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
+ } else
+ strcpy(fil.fr_ifnames[1], "*");
+
+ (void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
+ fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
+
cpp++;
if (!*cpp) {
if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
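Review bot: An interface list that ends in a comma (for example `on fxp0,`) is accepted silently: `s` then points at an empty string and `fr_ifnames[1]` becomes "" instead of the "*" the else branch stores, so a typo produces a rule that prints and matches differently from what was written. Reject it at the `index()` call with something like `if (s != NULL && *(s + 1) == '\0') { fprintf(stderr, "%d: interface name missing after ','\n", linenum); return NULL; }` before the `*s++ = '\0'`. The same pattern is repeated for the `in-via`/`out-via` list in the next hunk. The enclosing function starts before this hunk and continues after it.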
@@ -299,6 +331,33 @@ int linenum;
cpp++;
}
}
+
+ /*
+ * Set the "other" interface name. Lets you specify both
+ * inbound and outbound interfaces for state rules. Do not
+ * prevent both interfaces from being the same.
+ */
+ strcpy(fil.fr_ifnames[3], "*");
+ if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
+ ((((fil.fr_flags & FR_INQUE) != 0) &&
+ (strcasecmp(*cpp, "out-via") == 0)) ||
+ (((fil.fr_flags & FR_OUTQUE) != 0) &&
+ (strcasecmp(*cpp, "in-via") == 0)))) {
+ cpp++;
+
+ s = index(*cpp, ',');
+ if (s != NULL) {
+ *s++ = '\0';
+ (void)strncpy(fil.fr_ifnames[3], s,
+ IFNAMSIZ - 1);
+ fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
+ }
+
+ (void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
+ fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
+ cpp++;
+ } else
+ strcpy(fil.fr_ifnames[2], "*");
}
if (*cpp && !strcasecmp(*cpp, "tos")) {
if (!*++cpp) {
@@ -340,6 +399,10 @@ int linenum;
if (!strcasecmp(proto, "tcp/udp")) {
fil.fr_ip.fi_fl |= FI_TCPUDP;
fil.fr_mip.fi_fl |= FI_TCPUDP;
+ } else if (use_inet6 && !strcasecmp(proto, "icmp")) {
+ fprintf(stderr,
+"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
+ linenum);
} else {
if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
fprintf(stderr,
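Review bot: The new `use_inet6 && icmp` branch prints an error and then continues: unlike the neighbouring `getprotobyname` failure path it never does `return NULL;`, so the rule goes on being parsed with `p` still NULL and no protocol set (whether something later rejects it is outside the hunk). If the message is meant as a hard error, add `return NULL;` after the fprintf; if it is only advice, reword it so it does not read as a rejection. The enclosing function starts before this hunk and continues after it.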
@@ -411,6 +474,15 @@ int linenum;
return NULL;
}
+ if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
+ (fil.fr_proto != IPPROTO_UDP) &&
+ !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
+ fprintf(stderr,
+ "%d: cannot use port and neither tcp or udp\n",
+ linenum);
+ return NULL;
+ }
+
fil.fr_scmp = ch;
if (!*cpp) {
fprintf(stderr, "%d: missing to fields\n", linenum);
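Review bot: The eight-line port/protocol check added here is pasted a second time, byte for byte, in the next hunk for the destination port; a small static helper keeps the condition and the message in one place so the two cannot drift apart. The enclosing function starts before this hunk and continues after it.
```c
/*
 * Reject a port comparison on a rule whose protocol cannot carry ports.
 * Returns 0 when the combination is valid, -1 after reporting an error.
 */
static int check_portproto(fp, ch, linenum)
struct frentry *fp;
int ch, linenum;
{
	if ((ch != 0) && (fp->fr_proto != IPPROTO_TCP) &&
	    (fp->fr_proto != IPPROTO_UDP) && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
		fprintf(stderr, "%d: cannot use port and neither tcp or udp\n",
			linenum);
		return -1;
	}
	return 0;
}

	/* … unchanged: source port parsing … */
	if (check_portproto(&fil, ch, linenum) != 0)
		return NULL;
	fil.fr_scmp = ch;
```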
@@ -447,6 +519,15 @@ int linenum;
&fil.fr_dtop, linenum)) {
return NULL;
}
+ if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
+ (fil.fr_proto != IPPROTO_UDP) &&
+ !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
+ fprintf(stderr,
+ "%d: cannot use port and neither tcp or udp\n",
+ linenum);
+ return NULL;
+ }
+
fil.fr_dcmp = ch;
}
@@ -489,7 +570,8 @@ int linenum;
* icmp types for use with the icmp protocol
*/
if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fil.fr_proto != IPPROTO_ICMP) {
+ if (fil.fr_proto != IPPROTO_ICMP &&
+ fil.fr_proto != IPPROTO_ICMPV6) {
fprintf(stderr,
"%d: icmp with wrong protocol (%d)\n",
linenum, fil.fr_proto);
@@ -509,9 +591,27 @@ int linenum;
return NULL;
/*
+ * This is here to enforce the old interface binding behaviour.
+ * That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
+ */
+ if (fil.fr_flags & FR_KEEPSTATE) {
+ if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
+ bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
+ sizeof(fil.fr_ifnames[3]));
+ strncpy(fil.fr_ifnames[2], "*",
+ sizeof(fil.fr_ifnames[3]));
+ }
+ }
+
+ /*
* head of a new group ?
*/
if (*cpp && !strcasecmp(*cpp, "head")) {
+ if (fil.fr_skip != 0) {
+ fprintf(stderr, "%d: cannot use skip with head\n",
+ linenum);
+ return NULL;
+ }
if (!*++cpp) {
fprintf(stderr, "%d: head without group #\n", linenum);
return NULL;
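Review bot: The compatibility block `if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3])` appears unreachable: in the `on` clause earlier in this function `fr_ifnames[3]` is set to "*" unconditionally before any `-via` parsing, and that clause is the only visible place `fr_ifnames[0]` is filled in, so whenever [0] is non-empty [3] is already "*" — unless [0] is assigned somewhere outside these hunks. If the intent is what the comment says ("on X" ⇒ "<!dir>-via -,X"), the test needs to be `strcmp(fil.fr_ifnames[3], "*") == 0`, and the copied-in value should then match the comment's "-" rather than "*". The copy `strncpy(fil.fr_ifnames[2], "*", sizeof(fil.fr_ifnames[3]))` also sizes element 2 by element 3; it only works because all four elements share a size, so use `sizeof(fil.fr_ifnames[2])`. The enclosing function starts before this hunk and continues after it.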
@@ -658,6 +758,15 @@ frdest_t *fdp;
{
printf("%s %s%s", tag, fdp->fd_ifname,
(fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
+#ifdef USE_INET6
+ if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
+ char ipv6addr[80];
+
+ inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
+ sizeof(fdp->fd_ip6));
+ printf(":%s", ipv6addr);
+ } else
+#endif
if (fdp->fd_ip.s_addr)
printf(":%s", inet_ntoa(fdp->fd_ip));
putchar(' ');
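Review bot: `inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, sizeof(fdp->fd_ip6))` passes the size of the address rather than of the output buffer; if fd_ip6 is a 16-byte in6_addr, any address whose text form is longer than 15 characters makes inet_ntop fail with ENOSPC, and since the return value is not checked the uninitialised `ipv6addr` is printed. Use the buffer size and test the result: `if (inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, sizeof(ipv6addr)) != NULL) printf(":%s", ipv6addr);`. The zero test uses `&fdp->fd_ip6.in6` while the conversion uses `&fdp->fd_ip6`; that is fine if fd_ip6 is a union whose first member is the in6_addr, but that is not visible here. print_toif starts before this hunk.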
@@ -685,9 +794,9 @@ int linenum;
return -1;
while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) ||
- !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) ||
- !strncasecmp(**cp, "short", 5))) {
+ !strcasecmp(**cp, "not") || !strncasecmp(**cp, "opt", 3) ||
+ !strncasecmp(**cp, "frag", 4) || !strcasecmp(**cp, "no") ||
+ !strcasecmp(**cp, "short"))) {
if (***cp == 'n' || ***cp == 'N') {
notopt = 1;
(*cp)++;
@@ -899,10 +1008,10 @@ char *icmptypes[] = {
/*
* set the icmp field to the correct type if "icmp" word is found
*/
-int addicmp(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
+int addicmp(cp, fp, linenum)
+char ***cp;
+struct frentry *fp;
+int linenum;
{
char **t;
int i;
@@ -910,8 +1019,7 @@ int linenum;
(*cp)++;
if (!**cp)
return -1;
- if (!fp->fr_proto) /* to catch lusers */
- fp->fr_proto = IPPROTO_ICMP;
+
if (isdigit(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
@@ -919,6 +1027,10 @@ int linenum;
linenum, **cp);
return -1;
}
+ } else if (fp->fr_proto == IPPROTO_ICMPV6) {
+ fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
+ linenum, **cp, "(use numeric value instead\n");
+ return -1;
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
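Review bot: The new ICMPv6 error splits one message across two literals and leaves a parenthesis unbalanced: `"%d: Unknown ICMPv6 type (%s) specified, %s"` is completed by `"(use numeric value instead\n"`. A single literal reads better and is easier to grep: `fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified (use numeric value instead)\n", linenum, **cp);`. addicmp continues past this hunk.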
@@ -973,10 +1085,10 @@ int linenum;
#define MAX_ICMPCODE 15
char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
- "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
- "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
- NULL };
+ "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag",
+ "srcfail", "net-unk", "host-unk", "isolate", "net-prohib",
+ "host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced",
+ "preced-cutoff", NULL };
/*
* Return the number for the associated ICMP unreachable code.
*/
@@ -1006,47 +1118,73 @@ char *str;
/*
* set the icmp field to the correct type if "icmp" word is found
*/
-int addkeep(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
+int addkeep(cp, fp, linenum)
+char ***cp;
+struct frentry *fp;
+int linenum;
{
- if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
-#ifdef USE_INET6
- fp->fr_proto != IPPROTO_ICMPV6 &&
-#endif
- fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
- linenum);
- return -1;
- }
+ char *s;
(*cp)++;
if (!**cp) {
- fprintf(stderr, "%d: Missing state/frag after keep\n",
+ fprintf(stderr, "%d: Missing keyword after keep\n",
linenum);
return -1;
}
- if (strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
+
+ if (strcasecmp(**cp, "state") == 0)
+ fp->fr_flags |= FR_KEEPSTATE;
+ else if (strncasecmp(**cp, "frag", 4) == 0)
+ fp->fr_flags |= FR_KEEPFRAG;
+ else if (strcasecmp(**cp, "state-age") == 0) {
+ if (fp->fr_ip.fi_p == IPPROTO_TCP) {
+ fprintf(stderr, "%d: cannot use state-age with tcp\n",
+ linenum);
+ return -1;
+ }
+ if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
+ fprintf(stderr, "%d: state-age with no 'keep state'\n",
+ linenum);
+ return -1;
+ }
+ (*cp)++;
+ if (!**cp) {
+ fprintf(stderr, "%d: state-age with no arg\n",
+ linenum);
+ return -1;
+ }
+ fp->fr_age[0] = atoi(**cp);
+ s = index(**cp, '/');
+ if (s != NULL) {
+ s++;
+ fp->fr_age[1] = atoi(s);
+ } else
+ fp->fr_age[1] = fp->fr_age[0];
+ } else {
fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
linenum, **cp);
return -1;
}
-
- if (***cp == 's' || ***cp == 'S')
- fp->fr_flags |= FR_KEEPSTATE;
- else if (***cp == 'f' || ***cp == 'F')
- fp->fr_flags |= FR_KEEPFRAG;
(*cp)++;
return 0;
}
+void printifname(format, name, ifp)
+char *format, *name;
+void *ifp;
+{
+ printf("%s%s", format, name);
+ if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
+ printf("(!)");
+}
+
+
/*
* print the filter structure in a useful way
*/
-void printfr(fp)
-struct frentry *fp;
+void printfr(fp)
+struct frentry *fp;
{
struct protoent *p;
u_short sec[2];
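Review bot: `fp->fr_age[0] = atoi(**cp)` and `fp->fr_age[1] = atoi(s)` accept any text, so `keep state-age abc` or a negative value is stored silently; this file already validates numbers with `ratoi(**cp, &i, 0, 255)` in addicmp, so use `ratoi` with whatever upper bound fr_age can hold and return -1 on bad input. The tcp check tests `fp->fr_ip.fi_p` while the rest of the file tests `fp->fr_proto` — presumably an alias, but one spelling keeps the checks grep-able. printifname is new and undocumented; a header comment such as `/* Print name after prefix; append "(!)" when it did not resolve to an interface and is not one of the wildcards "-" or "*". */` would state the contract. printfr's body continues past this hunk.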
@@ -1056,6 +1194,8 @@ struct frentry *fp;
if (fp->fr_flags & FR_PASS)
printf("pass");
+ if (fp->fr_flags & FR_NOMATCH)
+ printf("nomatch");
else if (fp->fr_flags & FR_BLOCK) {
printf("block");
if (fp->fr_flags & FR_RETICMP) {
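Review bot: The inserted `if (fp->fr_flags & FR_NOMATCH)` splits the `if (FR_PASS) ... else if (FR_BLOCK) ...` chain: "pass" is now printed by a standalone `if`, and the nomatch/block chain that follows is evaluated regardless, so any trailing `else` in that chain (it continues past the hunk) would also fire for a pass rule. Make it `else if (fp->fr_flags & FR_NOMATCH)` so the action keywords stay mutually exclusive. printfr starts before this hunk and continues after it.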
@@ -1098,8 +1238,11 @@ struct frentry *fp;
printf("quick ");
if (*fp->fr_ifname) {
- printf("on %s%s ", fp->fr_ifname,
- (fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
+ printifname("on ", fp->fr_ifname, fp->fr_ifa);
+ if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
+ printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
+ putchar(' ');
+
if (*fp->fr_dif.fd_ifname)
print_toif("dup-to", &fp->fr_dif);
if (*fp->fr_tif.fd_ifname)
@@ -1107,7 +1250,26 @@ struct frentry *fp;
if (fp->fr_flags & FR_FASTROUTE)
printf("fastroute ");
+ if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
+ (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
+ if (fp->fr_flags & FR_OUTQUE)
+ printf("in-via ");
+ else
+ printf("out-via ");
+
+ if (*fp->fr_ifnames[2]) {
+ printifname("", fp->fr_ifnames[2],
+ fp->fr_ifas[2]);
+ putchar(',');
+ }
+
+ if (*fp->fr_ifnames[3])
+ printifname("", fp->fr_ifnames[3],
+ fp->fr_ifas[3]);
+ putchar(' ');
+ }
}
+
if (fp->fr_mip.fi_tos)
printf("tos %#x ", fp->fr_tos);
if (fp->fr_mip.fi_ttl)
@@ -1161,7 +1323,7 @@ struct frentry *fp;
printf(" frag");
}
}
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
+ if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0) {
int type = fp->fr_icmp, code;
type = ntohs(fp->fr_icmp);
@@ -1175,6 +1337,16 @@ struct frentry *fp;
if (ntohs(fp->fr_icmpm) & 0xff)
printf(" code %d", code);
}
+ if (fp->fr_proto == IPPROTO_ICMPV6 && fp->fr_icmpm != 0) {
+ int type = fp->fr_icmp, code;
+
+ type = ntohs(fp->fr_icmp);
+ code = type & 0xff;
+ type /= 256;
+ printf(" icmp-type %d", type);
+ if (ntohs(fp->fr_icmpm) & 0xff)
+ printf(" code %d", code);
+ }
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
printf(" flags ");
if (fp->fr_tcpf & ~TCPF_ALL)
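Review bot: The new IPPROTO_ICMPV6 block is a verbatim copy of the IPPROTO_ICMP block immediately above it (whose head, `if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0)`, is in the previous hunk); the two differ only in the protocol constant. Fold them into one: `if ((fp->fr_proto == IPPROTO_ICMP || fp->fr_proto == IPPROTO_ICMPV6) && fp->fr_icmpm != 0) {`. printfr continues past this hunk.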
@@ -1198,6 +1370,8 @@ struct frentry *fp;
printf(" keep state");
if (fp->fr_flags & FR_KEEPFRAG)
printf(" keep frags");
+ if (fp->fr_age[0] != 0 || fp->fr_age[1]!= 0)
+ printf(" state-age %u/%u", fp->fr_age[0], fp->fr_age[1]);
if (fp->fr_grhead)
printf(" head %d", fp->fr_grhead);
if (fp->fr_group)
diff --git a/contrib/ipfilter/samples/Makefile b/contrib/ipfilter/samples/Makefile
index 5bd03b31..1dad079 100644
--- a/contrib/ipfilter/samples/Makefile
+++ b/contrib/ipfilter/samples/Makefile
@@ -1,10 +1,22 @@
CC=gcc
+all:
+ @echo "Please do one of the following:"
+ @echo "make bsd"
+ @echo "make bsdi"
+ @echo "make freebsd"
+ @echo "make freebsd22"
+ @echo "make netbsd"
+ @echo "make openbsd"
+ @echo "make sunos4"
+ @echo "make sunos5"
sunos5:
- $(CC) -I.. userauth.c -o userauth -lsocket -lnsl
- $(CC) -I.. proxy.c -o proxy -lsocket -lnsl
+ $(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
+ -I.. userauth.c -o userauth -lsocket -lnsl
+ $(CC) -DSOLARIS2=`uname -r | sh -c 'IFS=. read j n x; echo $$n'` \
+ -I.. proxy.c -o proxy -lsocket -lnsl
-freebsd freebsd22 netbsd bsd bsdi sunos4:
+freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd:
$(CC) -I.. userauth.c -o userauth
$(CC) -I.. proxy.c -o proxy
diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c
index 7ac6ec9..ef9a69c 100644
--- a/contrib/ipfilter/samples/proxy.c
+++ b/contrib/ipfilter/samples/proxy.c
@@ -41,6 +41,8 @@
#include <ctype.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
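Review bot: The added `#include "netinet/ip_nat.h"` duplicates the existing include of the same header two lines below. Keep one of them; if `ip_state.h` needs `ip_nat.h` first, keep the new line and drop the old one.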
@@ -81,19 +83,25 @@ char *argv[];
bzero((char *)&natlook, sizeof(natlook));
natlook.nl_outip = sin.sin_addr;
natlook.nl_inip = sloc.sin_addr;
- natlook.nl_flags = IPN_TCP;
- natlook.nl_outport = sin.sin_port;
- natlook.nl_inport = sloc.sin_port;
+ natlook.nl_flags = IPN_TCPUDP;
+ natlook.nl_outport = ntohs(sin.sin_port);
+ natlook.nl_inport = ntohs(sloc.sin_port);
/*
* Open the NAT device and lookup the mapping pair.
*/
fd = open(IPL_NAT, O_RDONLY);
if (ioctl(fd, SIOCGNATL, &natlookp) == -1) {
- perror("ioctl");
+ perror("ioctl(SIOCGNATL)");
exit(-1);
}
- close(fd);
+
+#define DO_NAT_OUT
+#ifdef DO_NAT_OUT
+ if (argc > 1)
+ do_nat_out(0, 1, fd, &natlook, argv[1]);
+#else
+
/*
* Log it
*/
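Review bot: `#define DO_NAT_OUT` placed immediately before `#ifdef DO_NAT_OUT` makes the `#else` logging branch and the other `DO_NAT_OUT` guards in this file dead configuration; either delete the macro and the `#else` code, or move the define to the Makefile so the sample can still be built in its old form. With it defined, running the proxy without an argument now does nothing after the lookup and exits silently, which deserves at least a usage message. The `fd` from `open(IPL_NAT, O_RDONLY)` is still unchecked before the ioctl (pre-existing), and it is now also handed to do_nat_out. main starts before this hunk and continues after it.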
@@ -109,4 +117,181 @@ char *argv[];
if (write(1, buffer, n) != n)
break;
close(0);
+#endif
}
+
+
+#ifdef DO_NAT_OUT
+do_nat_out(in, out, fd, nlp, extif)
+int fd;
+natlookup_t *nlp;
+char *extif;
+{
+ nat_save_t ns, *nsp = &ns;
+ struct sockaddr_in usin;
+ u_32_t sum1, sum2, sumd;
+ int onoff, ofd, slen;
+ ipnat_t *ipn;
+ nat_t *nat;
+
+ bzero((char *)&ns, sizeof(ns));
+
+ nat = &ns.ipn_nat;
+ nat->nat_p = IPPROTO_TCP;
+ nat->nat_dir = NAT_OUTBOUND;
+ if ((extif != NULL) && (*extif != '\0')) {
+ strncpy(nat->nat_ifname, extif, sizeof(nat->nat_ifname));
+ nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
+ }
+
+ ofd = socket(AF_INET, SOCK_DGRAM, 0);
+ bzero((char *)&usin, sizeof(usin));
+ usin.sin_family = AF_INET;
+ usin.sin_addr = nlp->nl_realip;
+ usin.sin_port = nlp->nl_realport;
+ (void) connect(ofd, (struct sockaddr *)&usin, sizeof(usin));
+ slen = sizeof(usin);
+ (void) getsockname(ofd, (struct sockaddr *)&usin, &slen);
+ close(ofd);
+printf("local IP# to use: %s\n", inet_ntoa(usin.sin_addr));
+
+ if ((ofd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
+ perror("socket");
+ usin.sin_port = 0;
+ if (bind(ofd, (struct sockaddr *)&usin, sizeof(usin)))
+ perror("bind");
+ slen = sizeof(usin);
+ if (getsockname(ofd, (struct sockaddr *)&usin, &slen))
+ perror("getsockname");
+printf("local port# to use: %d\n", ntohs(usin.sin_port));
+
+ nat->nat_inip = usin.sin_addr;
+ nat->nat_outip = nlp->nl_outip;
+ nat->nat_oip = nlp->nl_realip;
+
+ sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr)) + ntohs(usin.sin_port);
+ sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr)) + ntohs(nlp->nl_outport);
+ CALC_SUMD(sum1, sum2, sumd);
+ nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
+ nat->nat_sumd[1] = nat->nat_sumd[0];
+
+ sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr));
+ sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
+ CALC_SUMD(sum1, sum2, sumd);
+ nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
+
+ nat->nat_inport = usin.sin_port;
+ nat->nat_outport = nlp->nl_outport;
+ nat->nat_oport = nlp->nl_realport;
+
+ nat->nat_flags = IPN_TCPUDP;
+
+ onoff = 1;
+ if (ioctl(fd, SIOCSTLCK, &onoff) == 0) {
+ if (ioctl(fd, SIOCSTPUT, &nsp) != 0)
+ perror("SIOCSTPUT");
+ onoff = 0;
+ if (ioctl(fd, SIOCSTLCK, &onoff) != 0)
+ perror("SIOCSTLCK");
+ }
+
+ usin.sin_addr = nlp->nl_realip;
+ usin.sin_port = nlp->nl_realport;
+printf("remote end for connection: %s,%d\n", inet_ntoa(usin.sin_addr),
+ntohs(usin.sin_port));
+fflush(stdout);
+ if (connect(ofd, (struct sockaddr *)&usin, sizeof(usin)))
+ perror("connect");
+
+ relay(in, out, ofd);
+}
+
+
+relay(in, out, net)
+int in, out, net;
+{
+ char netbuf[1024], outbuf[1024];
+ char *nwptr, *nrptr, *owptr, *orptr;
+ size_t nsz, osz;
+ fd_set rd, wr;
+ int i, n, maxfd;
+
+ n = 0;
+ maxfd = in;
+ if (out > maxfd)
+ maxfd = out;
+ if (net > maxfd)
+ maxfd = net;
+
+ nrptr = netbuf;
+ nwptr = netbuf;
+ nsz = sizeof(netbuf);
+ orptr = outbuf;
+ owptr = outbuf;
+ osz = sizeof(outbuf);
+
+ while (n >= 0) {
+ FD_ZERO(&rd);
+ FD_ZERO(&wr);
+
+ if (nrptr - netbuf < sizeof(netbuf))
+ FD_SET(in, &rd);
+ if (orptr - outbuf < sizeof(outbuf))
+ FD_SET(net, &rd);
+
+ if (nsz < sizeof(netbuf))
+ FD_SET(net, &wr);
+ if (osz < sizeof(outbuf))
+ FD_SET(out, &wr);
+
+ n = select(maxfd + 1, &rd, &wr, NULL, NULL);
+
+ if ((n > 0) && FD_ISSET(in, &rd)) {
+ i = read(in, nrptr, sizeof(netbuf) - (nrptr - netbuf));
+ if (i <= 0)
+ break;
+ nsz -= i;
+ nrptr += i;
+ n--;
+ }
+
+ if ((n > 0) && FD_ISSET(net, &rd)) {
+ i = read(net, orptr, sizeof(outbuf) - (orptr - outbuf));
+ if (i <= 0)
+ break;
+ osz -= i;
+ orptr += i;
+ n--;
+ }
+
+ if ((n > 0) && FD_ISSET(out, &wr)) {
+ i = write(out, owptr, orptr - owptr);
+ if (i <= 0)
+ break;
+ osz += i;
+ if (osz == sizeof(outbuf) || owptr == orptr) {
+ orptr = outbuf;
+ owptr = outbuf;
+ } else
+ owptr += i;
+ n--;
+ }
+
+ if ((n > 0) && FD_ISSET(net, &wr)) {
+ i = write(net, nwptr, nrptr - nwptr);
+ if (i <= 0)
+ break;
+ nsz += i;
+ if (nsz == sizeof(netbuf) || nwptr == nrptr) {
+ nrptr = netbuf;
+ nwptr = netbuf;
+ } else
+ nwptr += i;
+ }
+ }
+
+ close(net);
+ close(out);
+ close(in);
+}
+#endif
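Review bot: `nat_inport` and `nat_outport` are filled in different byte orders: `nat->nat_inport = usin.sin_port` is the network-order value getsockname() returned, while `nat->nat_outport = nlp->nl_outport` carries the host-order value stored by `natlook.nl_outport = ntohs(sin.sin_port)` in the previous hunk, and `ntohs(nlp->nl_outport)` in the checksum delta then byte-swaps an already host-order port — unless SIOCGNATL rewrites nl_outport, which is not visible here. The failure paths only perror() and carry on: the SOCK_DGRAM `socket()` result is never checked, and after a failed `bind()`, `getsockname()` or `connect()` the code still issues SIOCSTPUT with whatever `usin` holds and then calls relay() on a descriptor that may not be connected; each of those should `close(ofd); return;`, and a failed SIOCSTLCK should be reported rather than skipped. `slen` should be `socklen_t` for getsockname(), and `do_nat_out` and `relay` are K&R definitions with no return type or prototype (relay is called before it is defined), so declare them `static void` and prototype them above main. The column-0 `printf` debugging lines should go or move behind a verbose flag.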
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index b526327..4ff13df 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -1,10 +1,10 @@
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2002 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.20 2001/07/18 14:58:28 darrenr Exp $"
+#pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@@ -93,10 +93,16 @@ extern void ipfr_slowtimer __P((void));
int ipfr_timer_id;
static int synctimeoutid = 0;
#endif
+int ipf_debug = 0;
+int ipf_debug_verbose = 0;
+/* #undef IPFDEBUG 1 */
+/* #undef IPFDEBUG_VERBOSE 1 */
#ifdef IPFDEBUG
void printire __P((ire_t *));
#endif
+#define isdigit(x) ((x) >= '0' && (x) <= '9')
+
static int fr_precheck __P((mblk_t **, queue_t *, qif_t *, int));
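Review bot: `#define isdigit(x) ((x) >= '0' && (x) <= '9')` redefines a &lt;ctype.h&gt; name at file scope and evaluates its argument twice, and it sits between two unrelated declarations. Give it a project-specific name (for example `ipf_isdigit`) or make it a `static` function, and place it next to the VLAN check in solattach, its only visible user. The commented-out `/* #undef IPFDEBUG 1 */` and `/* #undef IPFDEBUG_VERBOSE 1 */` lines look like leftover scaffolding and can go.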
@@ -150,7 +156,7 @@ static size_t hdrsizes[57][2] = {
{ IFT_X25DDN, 0 },
{ IFT_X25, 0 },
{ IFT_ETHER, 14 },
- { IFT_ISO88023, 0 },
+ { IFT_ISO88023, 14 },
{ IFT_ISO88024, 0 },
{ IFT_ISO88025, 0 },
{ IFT_ISO88026, 0 },
@@ -210,7 +216,8 @@ int _init()
ipfinst = mod_install(&modlink1);
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
#endif
return ipfinst;
}
@@ -222,7 +229,8 @@ int _fini(void)
ipfinst = mod_remove(&modlink1);
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
#endif
return ipfinst;
}
@@ -235,7 +243,9 @@ struct modinfo *modinfop;
ipfinst = mod_info(&modlink1, modinfop);
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", modinfop, ipfinst);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x",
+ modinfop, ipfinst);
#endif
if (fr_running > 0)
ipfsync();
@@ -249,7 +259,8 @@ dev_info_t *dip;
if (fr_running < 0)
return DDI_PROBE_FAILURE;
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
#endif
return DDI_PROBE_SUCCESS;
}
@@ -259,7 +270,8 @@ static int ipf_identify(dip)
dev_info_t *dip;
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
#endif
if (strcmp(ddi_get_name(dip), "ipf") == 0)
return (DDI_IDENTIFIED);
@@ -299,7 +311,8 @@ ddi_attach_cmd_t cmd;
#ifdef IPFDEBUG
int instance;
- cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_ATTACH:
@@ -308,6 +321,7 @@ ddi_attach_cmd_t cmd;
#ifdef IPFDEBUG
instance = ddi_get_instance(dip);
+ if (ipf_debug)
cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance);
#endif
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
@@ -344,7 +358,8 @@ ddi_attach_cmd_t cmd;
solattach();
solipdrvattach();
RWLOCK_EXIT(&ipf_solaris);
- cmn_err(CE_CONT, "%s, attaching complete.\n", ipfilter_version);
+ cmn_err(CE_CONT, "%s, attaching complete.\n",
+ ipfilter_version);
sync();
if (fr_running == 0)
fr_running = 1;
@@ -383,7 +398,8 @@ ddi_detach_cmd_t cmd;
int i;
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_DETACH:
@@ -459,7 +475,9 @@ void *arg, **result;
return DDI_FAILURE;
error = DDI_FAILURE;
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)", dip, infocmd, arg);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)",
+ dip, infocmd, arg);
#endif
switch (infocmd) {
case DDI_INFO_DEVT2DEVINFO:
@@ -784,15 +802,7 @@ fixalign:
#endif
) {
m->b_rptr -= off;
- if (!synced) {
- synced = 1;
- RWLOCK_EXIT(&ipfs_mutex);
- ipfsync();
- READ_ENTER(&ipfs_mutex);
- goto tryagain;
- }
- frstats[out].fr_notip++;
- return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
+ return -2;
}
#ifndef sparc
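Review bot: `return -2;` introduces a magic return value meaning "not an IP packet, resync and retry" that fr_qin and fr_qout now interpret specially, while any other caller would treat it as a generic failure. Name it (for example `#define FR_NOTIP (-2)` next to the other fr_precheck declarations) and document it above fr_precheck, together with the fact that the caller is now responsible for `fr_notip` accounting and the FF_BLOCKNONIP decision that used to live here. fr_precheck starts before this hunk and continues after it.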
@@ -969,27 +979,40 @@ mblk_t *mb;
int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
qif_t qf, *qif;
+#ifdef IPFDEBUG_VERBOSE
+ if (ipf_debug_verbose)
+ cmn_err(CE_CONT,
+ "fr_qin(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
+ q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
+ msgdsize(mb));
+#endif
+
+ /*
+ * IPFilter is still in the packet path but not enabled. Drop whatever
+ * it is that has come through.
+ */
if (fr_running <= 0) {
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
return 0;
}
+ type = MTYPE(mb);
+
+ /*
+ * If a mblk has more than one reference, make a copy, filter that and
+ * free a reference to the original.
+ */
if (mb->b_datap->db_ref > 1) {
mblk_t *m1;
m1 = copymsg(mb);
if (!m1) {
frstats[0].fr_drop++;
- mb->b_next = NULL;
mb->b_prev = NULL;
freemsg(mb);
return 0;
}
- m1->b_next = mb->b_next;
- mb->b_next = NULL;
- m1->b_prev = mb->b_prev;
mb->b_prev = NULL;
freemsg(mb);
mb = m1;
@@ -999,10 +1022,9 @@ mblk_t *mb;
READ_ENTER(&ipf_solaris);
again:
if (fr_running <= 0) {
- RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
+ RWLOCK_EXIT(&ipf_solaris);
return 0;
}
READ_ENTER(&ipfs_mutex);
@@ -1030,7 +1052,7 @@ again:
}
cmn_err(CE_WARN,
"!IP Filter: dropped: fr_qin(%x,%x): type %x qif %x",
- q, mb, MTYPE(mb), qif);
+ q, mb, type, qif);
cmn_err(CE_CONT,
"!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
@@ -1044,40 +1066,52 @@ again:
#endif
);
frstats[0].fr_drop++;
- RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
+ RWLOCK_EXIT(&ipf_solaris);
return 0;
}
+ qif->qf_incnt++;
pnext = qif->qf_rqinfo->qi_putp;
- type = MTYPE(mb);
if (type == M_IOCACK)
fr_qif_update(qif, mb);
- else {
- bcopy((char *)qif, (char *)&qf, sizeof(qf));
-
- if (datamsg(type) || (type == M_BREAK))
- err = fr_precheck(&mb, q, &qf, 0);
- }
+ bcopy((char *)qif, (char *)&qf, sizeof(qf));
+ if (datamsg(type) || (type == M_BREAK))
+ err = fr_precheck(&mb, q, &qf, 0);
RWLOCK_EXIT(&ipfs_mutex);
- RWLOCK_EXIT(&ipf_solaris);
if ((err == 0) && (mb != NULL)) {
- if (pnext)
+ if (pnext) {
+ RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
+ }
cmn_err(CE_WARN,
"!IP Filter: inp NULL: qif %x %s q %x info %x",
- &qf, qf.qf_name, q, q->q_qinfo);
+ qif, qf.qf_name, q, q->q_qinfo);
+ }
+
+ if (err == -2) {
+ if (synced == 0) {
+ ipfsync();
+ synced = 1;
+ goto again;
+ }
+ frstats[0].fr_notip++;
+ if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
+ RWLOCK_EXIT(&ipf_solaris);
+ return (*pnext)(q, mb);
+ }
}
+
+
if (mb) {
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
}
+ RWLOCK_EXIT(&ipf_solaris);
return 0;
}
@@ -1089,13 +1123,22 @@ mblk_t *mb;
int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
qif_t qf, *qif;
+#ifdef IPFDEBUG_VERBOSE
+ if (ipf_debug_verbose)
+ cmn_err(CE_CONT,
+ "fr_qout(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
+ q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
+ msgdsize(mb));
+#endif
+
if (fr_running <= 0) {
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
return 0;
}
+ type = MTYPE(mb);
+
#if SOLARIS2 >= 6
if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) &&
(mb->b_datap->db_ref > 1))
@@ -1108,14 +1151,10 @@ mblk_t *mb;
m1 = copymsg(mb);
if (!m1) {
frstats[1].fr_drop++;
- mb->b_next = NULL;
mb->b_prev = NULL;
freemsg(mb);
return 0;
}
- m1->b_next = mb->b_next;
- mb->b_next = NULL;
- m1->b_prev = mb->b_prev;
mb->b_prev = NULL;
freemsg(mb);
mb = m1;
@@ -1125,10 +1164,9 @@ mblk_t *mb;
READ_ENTER(&ipf_solaris);
again:
if (fr_running <= 0) {
- RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
+ RWLOCK_EXIT(&ipf_solaris);
return 0;
}
READ_ENTER(&ipfs_mutex);
@@ -1156,7 +1194,7 @@ again:
}
cmn_err(CE_WARN,
"!IP Filter: dropped: fr_qout(%x,%x): type %x: qif %x",
- q, mb, MTYPE(mb), qif);
+ q, mb, type, qif);
cmn_err(CE_CONT,
"!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
@@ -1180,40 +1218,51 @@ again:
q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next,
q->q_nbsrv->q_ptr);
frstats[1].fr_drop++;
- RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
+ RWLOCK_EXIT(&ipf_solaris);
return 0;
}
+ qif->qf_outcnt++;
pnext = qif->qf_wqinfo->qi_putp;
- type = MTYPE(mb);
if (type == M_IOCACK)
fr_qif_update(qif, mb);
- else {
- bcopy((char *)qif, (char *)&qf, sizeof(qf));
-
- if (datamsg(type) || (type == M_BREAK))
- err = fr_precheck(&mb, q, &qf, 1);
- }
+ bcopy((char *)qif, (char *)&qf, sizeof(qf));
+ if (datamsg(type) || (type == M_BREAK))
+ err = fr_precheck(&mb, q, &qf, 1);
RWLOCK_EXIT(&ipfs_mutex);
- RWLOCK_EXIT(&ipf_solaris);
if ((err == 0) && (mb != NULL)) {
- if (pnext)
+ if (pnext) {
+ RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
+ }
cmn_err(CE_WARN,
"!IP Filter: outp NULL: qif %x %s q %x info %x",
- &qf, qf.qf_name, q, q->q_qinfo);
+ qif, qf.qf_name, q, q->q_qinfo);
}
+
+ if (err == -2) {
+ if (synced == 0) {
+ ipfsync();
+ synced = 1;
+ goto again;
+ }
+ frstats[1].fr_notip++;
+ if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
+ RWLOCK_EXIT(&ipf_solaris);
+ return (*pnext)(q, mb);
+ }
+ }
+
if (mb) {
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
}
+ RWLOCK_EXIT(&ipf_solaris);
return 0;
}
@@ -1241,7 +1290,6 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
return 0;
}
@@ -1253,7 +1301,6 @@ mblk_t *mb;
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
return 0;
}
@@ -1269,8 +1316,10 @@ mblk_t *mb;
case SIOCSIFADDR:
case SIOCSIFFLAGS:
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
- ioc->ioc_cmd);
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
+ ioc->ioc_cmd);
#endif
WRITE_ENTER(&ipfs_mutex);
if (synctimeoutid == 0) {
@@ -1294,8 +1343,9 @@ extern struct streamtab ipinfo;
void solipdrvattach()
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
- ipdrvattcnt, &ipinfo);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
+ ipdrvattcnt, &ipinfo);
#endif
if (++ipdrvattcnt == 1) {
@@ -1309,8 +1359,9 @@ void solipdrvattach()
int solipdrvdetach()
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
- ipdrvattcnt, &ipinfo);
+ if (ipf_debug)
+ cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
+ ipdrvattcnt, &ipinfo);
#endif
WRITE_ENTER(&ipfs_mutex);
@@ -1362,7 +1413,8 @@ void solattach()
RWLOCK_EXIT(&ipfs_mutex);
continue;
}
-#ifdef IPFDEBUG
+#ifdef IPFDEBUGX
+ if (ipf_debug)
cmn_err(CE_NOTE,
"IP Filter: il %x ipt %x opt %x ipu %x opu %x i %x/%x",
il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp,
@@ -1384,7 +1436,8 @@ void solattach()
break;
}
if (!qf2) {
-#ifdef IPFDEBUG
+#ifdef IPFDEBUGX
+ if (ipf_debug)
cmn_err(CE_WARN,
"IP Filter: rq:%s put %x qi %x",
il->ill_name, in->q_qinfo->qi_putp,
@@ -1404,7 +1457,8 @@ void solattach()
break;
}
if (!qf2) {
-#ifdef IPFDEBUG
+#ifdef IPFDEBUGX
+ if (ipf_debug)
cmn_err(CE_WARN,
"IP Filter: wq:%s put %x qi %x",
il->ill_name, out->q_qinfo->qi_putp,
@@ -1447,6 +1501,15 @@ void solattach()
(hdrsizes[il->ill_type][0] == il->ill_type))
qif->qf_hl = hdrsizes[il->ill_type][1];
+ /* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
+ if (il->ill_type == IFT_ETHER &&
+ il->ill_name[0] == 'c' && il->ill_name[1] == 'e' &&
+ isdigit(il->ill_name[2]) && il->ill_name_length >= 6) {
+ cmn_err(CE_NOTE, "VLAN HACK ENABLED");
+ qif->qf_hl += 4;
+ }
+ /* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
+
if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER)
cmn_err(CE_WARN,
"Unknown layer 2 header size for %s type %d",
@@ -1524,10 +1587,10 @@ void solattach()
sizeof(struct qinit));
qif->qf_rqinit.qi_putp = fr_qin;
#ifdef IPFDEBUG
- cmn_err(CE_NOTE,
- "IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
- in, in->q_qinfo, &qif->qf_rqinit
- );
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
+ in, in->q_qinfo, &qif->qf_rqinit);
#endif
in->q_qinfo = &qif->qf_rqinit;
@@ -1535,10 +1598,10 @@ void solattach()
sizeof(struct qinit));
qif->qf_wqinit.qi_putp = fr_qout;
#ifdef IPFDEBUG
- cmn_err(CE_NOTE,
- "IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
- out, out->q_qinfo, &qif->qf_wqinit
- );
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
+ out, out->q_qinfo, &qif->qf_wqinit);
#endif
out->q_qinfo = &qif->qf_wqinit;
@@ -1638,19 +1701,19 @@ int ipfsync()
in = qif->qf_in;
if (in) {
# ifdef IPFDEBUG
- cmn_err(CE_NOTE,
- "IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
- in, in->q_qinfo, qif->qf_rqinfo
- );
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
+ in, in->q_qinfo, qif->qf_rqinfo);
# endif
in->q_qinfo = qif->qf_rqinfo;
}
if (out) {
# ifdef IPFDEBUG
- cmn_err(CE_NOTE,
- "IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
- out, out->q_qinfo, qif->qf_wqinfo
- );
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
+ out, out->q_qinfo, qif->qf_wqinfo);
# endif
out->q_qinfo = qif->qf_wqinfo;
}
@@ -1719,9 +1782,10 @@ int soldetach()
);
#ifdef IPFDEBUG
- cmn_err(CE_NOTE,
- "IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
- in, in->q_qinfo, qif->qf_rqinfo);
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
+ in, in->q_qinfo, qif->qf_rqinfo);
#endif
in->q_qinfo = qif->qf_rqinfo;
@@ -1729,9 +1793,10 @@ int soldetach()
* and the write queue...
*/
#ifdef IPFDEBUG
- cmn_err(CE_NOTE,
- "IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
- out, out->q_qinfo, qif->qf_wqinfo);
+ if (ipf_debug)
+ cmn_err(CE_NOTE,
+ "IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
+ out, out->q_qinfo, qif->qf_wqinfo);
#endif
out->q_qinfo = qif->qf_wqinfo;
}
@@ -1746,6 +1811,8 @@ int soldetach()
void printire(ire)
ire_t *ire;
{
+ if (!ipf_debug)
+ return;
printf("ire: ll_hdr_mp %p rfq %p stq %p src_addr %x max_frag %d\n",
# if SOLARIS2 >= 8
NULL,
@@ -1812,7 +1879,6 @@ frdest_t *fdp;
mp = (*mpp)->b_cont;
(*mpp)->b_cont = NULL;
(*mpp)->b_prev = NULL;
- (*mpp)->b_next = NULL;
freemsg(*mpp);
*mpp = mp;
}
@@ -1951,7 +2017,6 @@ frdest_t *fdp;
q = WR(ir->ire_rfq);
if (q) {
mb->b_prev = NULL;
- mb->b_next = NULL;
mb->b_queue = q;
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@@ -1979,7 +2044,6 @@ frdest_t *fdp;
}
bad_fastroute:
mb->b_prev = NULL;
- mb->b_next = NULL;
freemsg(mb);
ipl_frouteok[1]++;
*mpp = NULL;
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index 385c1de..2d93c7f 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -9,19 +9,23 @@ BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
-tests: first 0 ftests ptests ntests
+tests: first 0 ftests ptests ntests nitests logtests
first:
-mkdir -p results
# Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
ntests: n1 n2 n3 n4 n5 n6 n7
+nitests: ni1 ni2
+
+logtests: l1
+
0:
@(cd ..; make ipftest; )
@@ -31,13 +35,25 @@ f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14:
f12 f13:
@/bin/sh ./hextest $@
+f15 f16:
+ @/bin/sh ./mtest $@
+
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@/bin/sh ./itest $@
n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
+ni1 ni2:
+ @/bin/sh ./natipftest $@
+
+l1:
+ @/bin/sh ./logtest $@
+
clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 results/*
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
+ /bin/rm -f ni1 ni2
+ /bin/rm -f l1
+ /bin/rm -f results/*
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index 1a7bdb5..4c2adf1 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -91,6 +91,7 @@ IPv6:
BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
+fixed.
Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.