author | darrenr <darrenr@FreeBSD.org> | 2002-04-25 03:34:26 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2002-04-25 03:34:26 +0000 |
commit | e783fd269eb5c7968420f90776437412625caf50 (patch) | |
tree | 916878647b77c97c00dbc302c03bceb1680aa52a /contrib | |
parent | aa253ab58590afa73cf198c524f0255f45700d8b (diff) | |
parent | 49c8a23224d88e6d6d3be39c5024f4a7ba105108 (diff) | |
This commit was generated by cvs2svn to compensate for changes in r95419,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/ipfilter/BSD/Makefile | 20 | ||||
-rw-r--r-- | contrib/ipfilter/BSD/kupgrade | 9 | ||||
-rwxr-xr-x | contrib/ipfilter/FreeBSD-4.0/kinstall | 4 | ||||
-rw-r--r-- | contrib/ipfilter/HISTORY | 53 | ||||
-rw-r--r-- | contrib/ipfilter/fils.c | 16 | ||||
-rw-r--r-- | contrib/ipfilter/ip_sfil.c | 22 | ||||
-rw-r--r-- | contrib/ipfilter/ipf.c | 4 | ||||
-rw-r--r-- | contrib/ipfilter/ipfs.c | 4 | ||||
-rw-r--r-- | contrib/ipfilter/ipt.c | 8 | ||||
-rw-r--r-- | contrib/ipfilter/kmem.c | 28 | ||||
-rw-r--r-- | contrib/ipfilter/l4check/l4check.c | 5 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipnat.5 | 9 | ||||
-rw-r--r-- | contrib/ipfilter/mlf_ipl.c | 18 | ||||
-rw-r--r-- | contrib/ipfilter/mls_ipl.c | 3 | ||||
-rw-r--r-- | contrib/ipfilter/natparse.c | 45 | ||||
-rw-r--r-- | contrib/ipfilter/printnat.c | 30 | ||||
-rw-r--r-- | contrib/ipfilter/printstate.c | 13 | ||||
-rw-r--r-- | contrib/ipfilter/solaris.c | 6 | ||||
-rw-r--r-- | contrib/ipfilter/test/Makefile | 27 | ||||
-rw-r--r-- | contrib/ipfilter/test/expected/f11 | 47 | ||||
-rw-r--r-- | contrib/ipfilter/test/expected/l1 | 72 | ||||
-rw-r--r-- | contrib/ipfilter/test/expected/l1.b | 72 | ||||
-rw-r--r-- | contrib/ipfilter/test/input/f11 | 5 | ||||
-rw-r--r-- | contrib/ipfilter/test/regress/f11 | 1 |
24 files changed, 350 insertions, 171 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index 8d2b28d..afa9e52 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -7,6 +7,8 @@ # BINDEST=/usr/sbin SBINDEST=/sbin +SEARCHDIRS=$(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin \ + /usr/local/bin /usr/local/sbin MANDIR=/usr/share/man CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O CFLAGS=-g -I$(TOP) @@ -49,6 +51,14 @@ IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM) + /bin/rm -f $(TOP)/ipf + ln -s `pwd`/ipf $(TOP) + /bin/rm -f $(TOP)/ipftest + ln -s `pwd`/ipftest $(TOP) + /bin/rm -f $(TOP)/ipmon + ln -s `pwd`/ipmon $(TOP) + /bin/rm -f $(TOP)/ipnat + ln -s `pwd`/ipnat $(TOP) ipfstat: $(FILS) $(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ @@ -56,13 +66,9 @@ ipfstat: $(FILS) ipf: $(IPF) $(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipf - ln -s `pwd`/ipf $(TOP) ipftest: $(IPT) $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipftest - ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) $(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm @@ -220,8 +226,6 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h ipmon: $(TOP)/ipmon.c $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) - /bin/rm -f $(TOP)/ipmon - ln -s `pwd`/ipmon $(TOP) clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ @@ -250,8 +254,8 @@ install: ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \ def="`expr $$i : '[^:]*:\(.*\)'`"; \ p="`expr $$i : '\([^:]*\):.*'`"; \ - for d in $(BINDEST) $(SBINDEST); do \ - if [ -f $$d/$$i ] ; then \ + for d in $(SEARCHDIRS); do \ + if [ -f $$d/$$p ] ; then \ echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \ dd=$$d; \ 
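Review bot: In the new `SEARCHDIRS` definition, `$(BINDEST)` and `$(SBINDEST)` already expand to `/usr/sbin` and `/sbin` with the defaults set just above, so both directories are listed twice and the install loop in the last hunk can visit them twice. That loop writes a root-owned, mode 755 binary into a searched directory that already holds a file of that name, and the search now also covers `/usr/local/bin` and `/usr/local/sbin`; nothing in the file states this. I would add a comment above the variable, e.g. `# Directories checked for an existing copy to overwrite on install; the default BINDEST/SBINDEST repeat /usr/sbin and /sbin.` The rest of the loop body lies outside the hunk, so whether it stops at the first hit is not visible here.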
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade index 092f3ab..4d8573d 100644 --- a/contrib/ipfilter/BSD/kupgrade +++ b/contrib/ipfilter/BSD/kupgrade @@ -8,6 +8,15 @@ set -e argv0=`basename $0` dir=`pwd` karch=`uname -m` +os=`uname -s` +if [ $os = FreeBSD ] ; then + rev=`uname -r` + rev=`expr $rev : '\([0-9]*\)\..*'` + if [ $rev = 2 ] ; then + echo "Copying /usr/include/osreldate.h to /sys/sys" + cp /usr/include/osreldate.h /sys/sys + fi +fi archdir="/sys/arch/$karch" ipfdir=/sys/netinet if [ -d /sys/contrib/ipfilter ] ; then diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall index 9e34e33..2598c6c 100755 --- a/contrib/ipfilter/FreeBSD-4.0/kinstall +++ b/contrib/ipfilter/FreeBSD-4.0/kinstall @@ -28,11 +28,13 @@ echo "" echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" ln -s /usr/include/osreldate.h /sys/sys/osreldate.h -patchfile=FreeBSd-4.0/ipv6-patch-$krev +set patchfile=FreeBSd-4.0/ipv6-patch-$krev if ( -f $patchfile ) then echo "" echo "Patching ip6_input.c and ip6_output.c" cat $patchfile | (cd /sys/netinet6; patch) +else + echo "IPv6 patching not required for your OS version" endif set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 80632b4..ec317dc 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
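Review bot: The added `expr` assignment to `rev` runs under the `set -e` shown in the hunk header, and `expr` exits non-zero when the match is empty or `0`, so an unexpected `uname -r` string would abort the script at that line without a message. `$os` and `$rev` are also unquoted inside `[ ]`, which turns an empty value into a test syntax error. Quoting and tolerating the no-match case covers both: ``rev=`expr "$rev" : '\([0-9]*\)\..*' || true` `` and `if [ "$rev" = 2 ] ; then`.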
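Review bot: `patchfile` is still built from `FreeBSd-4.0/` with a lower-case `d`, while this script lives in `FreeBSD-4.0/`, so on a case-sensitive filesystem the `-f $patchfile` test would presumably never succeed. With the new `else` branch, that failure now prints "IPv6 patching not required for your OS version", which hides a skipped patch behind a reassuring message. Suggested line: `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`. The working directory the script expects is set outside the hunk, so the relative path should be confirmed against it.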
@@ -22,6 +22,59 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.26 25/04/2002 - Released + +fix parsing and printing of NAT rules with regression tests. + +add code to adjust TCP checksums inside ICMP errors where present and as +required for NAT. + +fix documentation problems in instal documents + +fix locking problem with auth code on Solaris + +fix use of version macros for FreeBSD and make the use of __FreeBSD_version +override previous hacks except when not present + +fix the macros defined for SIOCAUTHR and SIOCAUTHW + +fix the H.323 proxy so it no longer panics (multiple issues: re-entry into +nat_ioctl with lock held on Solaris, trying to copy data from kernel space +with copyin, unaligned access to get 32bit & 16bit numbers) + +use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets +generated by IPFilter + +fix comparing state information to delete state table entries + +flag packets as being "bad state" if they're outside the window and prevent +them from being able to cause new state to be created - except for SYN packets + +be stricter about what packets match a TCP state table entry if its creation +was triggered by a SYN packet. + +add patches to handle TCP window scaling + +don't update TCP state table entries if the packet is not considered to be +part of the connection + +ipfs wasn't allowing -i command line option in getopt + +IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2 + regardless of user compile, fix the getkflags script to prune down the + output more so it is acceptable + +change building in Makefiles to create links to the application in $(TOP) +at the end of "build" rather than when each is created. + +update BSD/kupgrade for FreeBSD + +l4check wasn't properly closing things when a connection fails + +man page updates for ipmon(8) and ipnat(5) + +more regression tests added. + 3.4.25 13/03/2002 - Released retain rule # in state information 
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index b3bfae2..dcf74e5 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -94,7 +94,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $"; #endif extern char *optarg; @@ -1200,15 +1200,15 @@ int topclosed; if (c == ERR) continue; - if (tolower(c) == 'l') { + if (isalpha(c) && isupper(c)) + c = tolower(c); + if (c == 'l') { redraw = 1; - } else if (tolower(c) == 'q') { - nocbreak(); - endwin(); - exit(0); - } else if (tolower(c) == 'r') { + } else if (c == 'q') { + break; /* exits while() loop */ + } else if (c == 'r') { reverse = !reverse; - } else if (tolower(c) == 's') { + } else if (c == 's') { sorting++; if (sorting > STSORT_MAX) sorting = 0; diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index e134f65..a00d8fd 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $"; #endif #include <sys/types.h> @@ -61,6 +61,7 @@ int fr_running = 0; int ipl_unreach = ICMP_UNREACH_HOST; u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); +static u_long *ip_ttl_ptr; static int frrequest __P((minor_t, int, caddr_t, int)); static int send_ip __P((fr_info_t *fin, mblk_t *m)); @@ -107,6 +108,8 @@ int ipldetach() int iplattach __P((void)) { + int i; + #ifdef IPFDEBUG cmn_err(CE_CONT, "iplattach()\n"); #endif 
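Review bot: In the `@@ -1200` hunk of fils.c, `isalpha(c)` and `isupper(c)` are called on the raw key code. The `c == ERR` check just above suggests it comes from curses input, where values outside the `unsigned char` range are possible, and passing those to the ctype functions is undefined behaviour. `isupper` already implies `isalpha`, so one range-guarded test is enough: `if (isascii(c) && isupper(c))`. The `q` branch now leaves via `break`, so restoring the terminal depends on cleanup code after the loop, which is outside this hunk.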
@@ -133,6 +136,19 @@ int iplattach __P((void)) return -1; if (appr_init() == -1) return -1; + + ip_ttl_ptr = NULL; + /* + * XXX - There is no terminator for this array, so it is not possible + * to tell if what we are looking for is missing and go off the end + * of the array. + */ + for (i = 0; ; i++) { + if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) { + ip_ttl_ptr = &ip_param_arr[i].ip_param_value; + break; + } + } return 0; } @@ -774,7 +790,7 @@ mblk_t *m; ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; - ip->ip_ttl = 60; + ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); } READ_ENTER(&ipf_solaris); @@ -894,7 +910,7 @@ int dst; ip->ip_p = IPPROTO_ICMP; ip->ip_id = oip->ip_id; ip->ip_sum = 0; - ip->ip_ttl = 60; + ip->ip_ttl = (u_char)(*ip_ttl_ptr); ip->ip_tos = oip->ip_tos; ip->ip_len = (u_short)htons(sz); if (dst == 0) { diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index b983781..fc35b31 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -50,7 +50,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $"; #endif #if SOLARIS @@ -225,7 +225,7 @@ u_int enable; if (ioctl(fd, SIOCFRENB, &enable) == -1) { if (errno == EBUSY) fprintf(stderr, - "IP FIlter: already initialized\n"); + "IP Filter: already initialized\n"); else perror("SIOCFRENB"); } diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c index b111bfd..a2ccf89 100644 --- a/contrib/ipfilter/ipfs.c +++ b/contrib/ipfilter/ipfs.c @@ -45,7 +45,7 @@ #include "ipf.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR 
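Review bot: The lookup loop added to `iplattach()` has no upper bound, as its own XXX comment admits: if `ip_param_arr` has no entry named `ip_def_ttl`, the `strcmp` walks past the end of a kernel array instead of leaving `ip_ttl_ptr` as NULL. The two later hunks (`@@ -774` and `@@ -894`) then dereference `ip_ttl_ptr` unconditionally when filling in `ip_ttl`. I would bound the scan by whatever element count the array's declaration provides (not visible here) and keep the previous constant as a fallback at both use sites: `ip->ip_ttl = ip_ttl_ptr ? (u_char)(*ip_ttl_ptr) : 60;`. The body of `iplattach()` begins before this hunk.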
@@ -208,7 +208,7 @@ char *argv[]; int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0; char *dirname = NULL, *filename = NULL, *ifs = NULL; - while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1) + while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1) switch (c) { case 'd' : diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c index 189e35f..0c3b50c 100644 --- a/contrib/ipfilter/ipt.c +++ b/contrib/ipfilter/ipt.c @@ -13,6 +13,7 @@ # endif #endif #ifdef __sgi +# define _KMEMUSER # include <sys/ptimers.h> #endif #include <stdio.h> @@ -63,7 +64,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $"; #endif extern char *optarg; @@ -113,10 +114,13 @@ char *argv[]; while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1) switch (c) { -#ifdef USE_INET6 case '6' : +#ifdef USE_INET6 use_inet6 = 1; break; +#else + fprintf(stderr, "IPv6 not supported\n"); + exit(1); #endif case 'b' : opts |= OPT_BRIEF; diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c index eec8b3c..254bbf9 100644 --- a/contrib/ipfilter/kmem.c +++ b/contrib/ipfilter/kmem.c @@ -46,18 +46,13 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $"; #endif -#ifndef __sgi +#ifdef __sgi +typedef int kvm_t; -static kvm_t *kvm_f = NULL; - -#else - -typedef int kvm_t; - -static kvm_t kvm_f = -1; +static int kvm_fd = -1; static char *kvm_errstr; kvm_t kvm_open(kernel, core, swap, mode, errstr) 
@@ -65,12 +60,12 @@ char *kernel, *core, *swap; int mode; char *errstr; { - kvm_t fd; - kvm_errstr = errstr; - fd = open(core, mode); - return fd; + if (core == NULL) + core = "/dev/kmem"; + kvm_fd = open(core, mode); + return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL; } int kvm_read(kvm, pos, buffer, size) @@ -82,21 +77,22 @@ size_t size; int r, left; char *bufp; - if (lseek(kvm, pos, 0) == -1) { + if (lseek(*kvm, pos, 0) == -1) { fprintf(stderr, "%s", kvm_errstr); perror("lseek"); return -1; } for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) { - r = read(kvm, bufp, 1); + r = read(*kvm, bufp, 1); if (r <= 0) return -1; } - return 0; + return size; } #endif +static kvm_t *kvm_f = NULL; int openkmem(kern, core) char *kern, *core; diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c index 6945b1c..23ac79a 100644 --- a/contrib/ipfilter/l4check/l4check.c +++ b/contrib/ipfilter/l4check/l4check.c @@ -141,7 +141,8 @@ void closel4(l4, dead) l4cfg_t *l4; int dead; { - close(l4->l4_fd); + if (l4->l4_fd != -1) + close(l4->l4_fd); l4->l4_fd = -1; l4->l4_rw = -1; if (dead && l4->l4_alive) { @@ -307,7 +308,7 @@ int runconfig() if (opts & OPT_VERBOSE) fprintf(stderr, "failed\n"); perror("connect"); - close(fd); + closel4(l4, 1); fd = -1; } else { if (opts & OPT_VERBOSE) diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index 7fb2e90..16c1752 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -7,8 +7,8 @@ The format for files accepted by ipnat is described by the following grammar: .nf ipmap :: = mapblock | redir | map . -map ::= mapit ifname ipmask "->" ipmask [ mapport ] . -map ::= mapit ifname fromto "->" ipmask [ mapport ] . +map ::= mapit ifname ipmask "->" dstipmask [ mapport ] . +map ::= mapit ifname fromto "->" dstipmask [ mapport ] . mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options . 
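Review bot: `kvm_open()` now returns `(kvm_t)&kvm_fd`, but `kvm_t` is `typedef int` in the `__sgi` branch, so the address is squeezed through an `int` before `kvm_read()` dereferences it with `*kvm`; where pointers are wider than `int` the value is truncated. The function's declared return type, which sits in the previous hunk's context, should become a pointer to match the new `static kvm_t *kvm_f`: `kvm_t *kvm_open(kernel, core, swap, mode, errstr)` with `return (kvm_fd >= 0) ? &kvm_fd : NULL;`. The declaration of the `kvm` parameter of `kvm_read()` is outside the hunk and would need the same type.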
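Review bot: In `runconfig()` the failed-connect path now calls `closel4(l4, 1)` instead of `close(fd)`, and `closel4()` closes `l4->l4_fd`, not the local `fd`. If `fd` has not been stored in `l4->l4_fd` before `connect()` is attempted (the assignment is not visible in this hunk), the new socket is leaked on every failed connection. The assignment order should be confirmed, or `close(fd);` kept ahead of the `closel4()` call when the two descriptors differ.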
@@ -18,6 +18,7 @@ rdrport ::= "port" portnum . mapit ::= "map" | "bimap" . fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . +dstipmask ::= ipmask | "range" ip "-" ip . mapport ::= "portmap" tcpudp portnumber ":" portnumber . options ::= [ tcpudp ] [ rr ] . @@ -34,6 +35,10 @@ ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . .fi .PP +In addition to this, # is used to mark the start of a comment and may +appear at the end of a line with a NAT rule (as described above) or on its +own lines. Blank lines are ignored. +.PP For standard NAT functionality, a rule should start with \fBmap\fP and then proceeds to specify the interface for which outgoing packets will have their source address rewritten. diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index 00f7d22..84d2a95 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -12,23 +12,11 @@ #include <sys/param.h> #if defined(__FreeBSD__) +# ifndef __FreeBSD_version +# include <sys/osreldate.h> +# endif # ifdef IPFILTER_LKM -# ifndef __FreeBSD_cc_version -# include <osreldate.h> -# else -# if __FreeBSD_cc_version < 430000 -# include <osreldate.h> -# endif -# endif # define ACTUALLY_LKM_NOT_KERNEL -# else -# ifndef __FreeBSD_cc_version -# include <sys/osreldate.h> -# else -# if __FreeBSD_cc_version < 430000 -# include <sys/osreldate.h> -# endif -# endif # endif #endif #include <sys/systm.h> diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c index bc8f3ed..5a70ab9 100644 --- a/contrib/ipfilter/mls_ipl.c +++ b/contrib/ipfilter/mls_ipl.c 
@@ -40,7 +40,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $"; #endif extern int ipldetach __P((void)); @@ -49,6 +49,7 @@ extern int ipldetach __P((void)); #endif extern int nulldev __P((void)); extern int errno; +extern int iplidentify __P((char *)); extern int nodev __P((void)); diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c index e484316..e1c3a49 100644 --- a/contrib/ipfilter/natparse.c +++ b/contrib/ipfilter/natparse.c @@ -56,7 +56,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $"; #endif @@ -394,15 +394,24 @@ int linenum; cpp++; if (ipn.in_redir & NAT_MAPBLK) { - if (*cpp && strcasecmp(*cpp, "ports")) { - fprintf(stderr, - "%d: expected \"ports\" - got \"%s\"\n", - linenum, *cpp); - return NULL; - } - cpp++; if (*cpp) { - ipn.in_pmin = atoi(*cpp); + if (strcasecmp(*cpp, "ports")) { + fprintf(stderr, + "%d: expected \"ports\" - got \"%s\"\n", + linenum, *cpp); + return NULL; + } + cpp++; + if (*cpp == NULL) { + fprintf(stderr, + "%d: missing argument to \"ports\"\n", + linenum); + return NULL; + } + if (!strcasecmp(*cpp, "auto")) + ipn.in_flags |= IPN_AUTOPORTMAP; + else + ipn.in_pmin = atoi(*cpp); cpp++; } else ipn.in_pmin = 0; @@ -483,6 +492,10 @@ int linenum; ipn.in_p = atoi(proto); } } + if ((ipn.in_flags & IPN_TCPUDP) == 0) { + port1a = "0"; + port2a = "0"; + } if (*cpp && !strcasecmp(*cpp, "round-robin")) { cpp++; 
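Review bot: In the natparse.c `@@ -394` hunk the `ports` argument is converted with `atoi(*cpp)`, which returns 0 for any non-numeric token and reports nothing for out-of-range values, so a misspelt `auto` is accepted silently as port 0. The added `ipn.in_age[0] = atoi(*cpp);` in the `@@ -690` hunk has the same weakness. A checked conversion would reject bad rule text in the same style as the new "missing argument" message: parse with `strtol(*cpp, &end, 10)` and fail when `end == *cpp` or the value falls outside the field's range. The enclosing parser function starts and ends outside these hunks.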
@@ -548,7 +561,7 @@ int linenum; if ((ipn.in_redir & NAT_MAPBLK) != 0) nat_setgroupmap(&ipn); - if (*cpp && !strcasecmp(*cpp, "frag")) { + if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) { cpp++; ipn.in_flags |= IPN_FRAG; } @@ -618,12 +631,6 @@ int linenum; (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); cpp++; - if (*cpp) { - fprintf(stderr, - "%d: too many parameters for \"proxy\"\n", - linenum); - return NULL; - } } else if (!strcasecmp(*cpp, "portmap")) { if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use portmap with bimap\n", @@ -683,6 +690,11 @@ int linenum; } } + if (*cpp && !strcasecmp(*cpp, "frag")) { + cpp++; + ipn.in_flags |= IPN_FRAG; + } + if (*cpp && !strcasecmp(*cpp, "age")) { cpp++; if (!*cpp) { @@ -690,6 +702,7 @@ int linenum; linenum); return NULL; } + ipn.in_age[0] = atoi(*cpp); s = index(*cpp, '/'); if (s != NULL) ipn.in_age[1] = atoi(s + 1); diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c index 647c92e..dd59272 100644 --- a/contrib/ipfilter/printnat.c +++ b/contrib/ipfilter/printnat.c @@ -58,7 +58,7 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.6 2002/02/22 15:32:56 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.7 2002/04/24 17:35:37 darrenr Exp $"; #endif @@ -298,6 +298,9 @@ int opts; struct servent *sv; int bits; + if (np->in_p != 0) + pr = getprotobynumber(np->in_p); + switch (np->in_redir) { case NAT_REDIRECT : 
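Review bot: In the printnat.c `@@ -298` hunk, `pr` is now assigned only when `np->in_p != 0`, yet the proxy branch in the `@@ -401` hunk still tests `pr != NULL` after its own `getprotobynumber()` call was removed. Unless `pr` is initialised at its declaration, which is above this hunk, a rule with `in_p == 0` reads an indeterminate pointer there. Assigning in both cases removes the doubt: `pr = (np->in_p != 0) ? getprotobynumber(np->in_p) : NULL;`.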
@@ -372,12 +375,18 @@ int opts; printf(" udp"); else if (np->in_p == 0) printf(" ip"); - else if (np->in_p != 0) - printf(" %d", np->in_p); + else if (np->in_p != 0) { + if (pr != NULL) + printf(" %s", pr->p_name); + else + printf(" %d", np->in_p); + } if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); if (np->in_flags & IPN_FRAG) printf(" frag"); + if (np->in_age[0]) + printf(" age %d/%d", np->in_age[0], np->in_age[1]); printf("\n"); if (opts & OPT_DEBUG) printf("\tspc %lu flg %#x max %u use %d\n", @@ -389,7 +398,7 @@ int opts; printf("%s/", inet_ntoa(np->in_in[0])); bits = countbits(np->in_in[1].s_addr); if (bits != -1) - printf("%d ", bits); + printf("%d", bits); else printf("%s", inet_ntoa(np->in_in[1])); } @@ -401,12 +410,11 @@ int opts; printf("%s/", inet_ntoa(np->in_out[0])); bits = countbits(np->in_out[1].s_addr); if (bits != -1) - printf("%d ", bits); + printf("%d", bits); else printf("%s", inet_ntoa(np->in_out[1])); } if (*np->in_plabel) { - pr = getprotobynumber(np->in_p); printf(" proxy port"); if (np->in_dport != 0) { if (pr != NULL) @@ -426,8 +434,12 @@ int opts; else printf("%d", np->in_p); } else if (np->in_redir == NAT_MAPBLK) { - printf(" ports %d", np->in_pmin); - if (opts & OPT_VERBOSE) + if ((np->in_pmin == 0) && + (np->in_flags & IPN_AUTOPORTMAP)) + printf(" ports auto"); + else + printf(" ports %d", np->in_pmin); + if (opts & OPT_DEBUG) printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { printf(" portmap"); @@ -451,6 +463,8 @@ int opts; } if (np->in_flags & IPN_FRAG) printf(" frag"); + if (np->in_age[0]) + printf(" age %d/%d", np->in_age[0], np->in_age[1]); printf("\n"); if (opts & OPT_DEBUG) { printf("\tspace %lu nextip %s pnext %d", np->in_space, diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c index 16bda9b..d462a22 100644 --- a/contrib/ipfilter/printstate.c +++ b/contrib/ipfilter/printstate.c 
@@ -15,6 +15,9 @@ #include <netinet/in_systm.h> #include <net/if.h> #include <stdio.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #include "kmem.h" #include "netinet/ip_compat.h" #include "ipf.h" @@ -47,15 +50,17 @@ int opts; if (ips.is_p == IPPROTO_TCP) #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ (__FreeBSD_version >= 220000) || defined(__OpenBSD__) - PRINTF("\t%hu -> %hu %x:%x %hu:%hu", + PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, - ips.is_maxswin, ips.is_maxdwin); + ips.is_maxswin>>ips.is_swscale, ips.is_swscale, + ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #else - PRINTF("\t%hu -> %hu %x:%x %hu:%hu", + PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, - ips.is_maxswin, ips.is_maxdwin); + ips.is_maxswin>>ips.is_swscale, ips.is_swscale, + ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #endif else if (ips.is_p == IPPROTO_UDP) PRINTF(" %hu -> %hu", ntohs(ips.is_sport), diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index 4ff13df..aa139d3 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $" +#pragma ident "@(#)$Id: solaris.c,v 2.15.2.30 2002/04/23 14:57:51 darrenr Exp $" #include <sys/systm.h> #include <sys/types.h> @@ -1112,7 +1112,7 @@ again: freemsg(mb); } RWLOCK_EXIT(&ipf_solaris); - return 0; + return 1; } @@ -1263,7 +1263,7 @@ again: freemsg(mb); } RWLOCK_EXIT(&ipf_solaris); - return 0; + return 1; } diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index 2d93c7f..334abc2 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile 
@@ -9,23 +9,27 @@ BINDEST=/usr/local/bin SBINDEST=/sbin MANDIR=/usr/share/man -tests: first 0 ftests ptests ntests nitests logtests +tests: first 0 ftests ptests ntests nitests logtests ipv6 intests first: -mkdir -p results # Filtering tests -ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 +ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 ntests: n1 n2 n3 n4 n5 n6 n7 -nitests: ni1 ni2 +nitests: ni1 ni2 ni3 ni4 + +intests: in1 in2 in3 in4 logtests: l1 +ipv6: ipv6.1 ipv6.2 + 0: @(cd ..; make ipftest; ) @@ -38,22 +42,33 @@ f12 f13: f15 f16: @/bin/sh ./mtest $@ +f17: + @/bin/sh ./mhtest $@ + i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: @/bin/sh ./itest $@ n1 n2 n3 n4 n5 n6 n7: @/bin/sh ./nattest $@ -ni1 ni2: +ni1 ni2 ni3 ni4: @/bin/sh ./natipftest $@ +in1 in2 in3 in4: + @/bin/sh ./intest $@ + l1: @/bin/sh ./logtest $@ +ipv6.1 ipv6.2: + @/bin/sh ./dotest6 $@ + clean: - /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 + /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17 /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 /bin/rm -f n1 n2 n3 n4 n5 n6 n7 - /bin/rm -f ni1 ni2 + /bin/rm -f ni1 ni2 ni3 ni4 + /bin/rm -f in1 in2 in3 in4 /bin/rm -f l1 + /bin/rm -f ipv6.1 ipv6.2 /bin/rm -f results/* diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11 index ac37783..b977e41 100644 --- a/contrib/ipfilter/test/expected/f11 +++ b/contrib/ipfilter/test/expected/f11 @@ -1,6 +1,11 @@ pass +nomatch +nomatch +pass pass +nomatch pass +nomatch pass nomatch nomatch @@ -11,8 +16,13 @@ nomatch nomatch -------- block +nomatch +nomatch +block block +nomatch block +nomatch block nomatch nomatch @@ -28,6 +38,11 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch +nomatch +nomatch +nomatch pass pass nomatch @@ -40,6 +55,11 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch +nomatch +nomatch +nomatch block block nomatch 
@@ -52,6 +72,11 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
 pass
 pass
 pass
@@ -64,9 +89,31 @@ nomatch
 nomatch
 nomatch
 nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
 block
 block
 block
 nomatch
 nomatch
 --------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/l1 b/contrib/ipfilter/test/expected/l1
index c158752..dbd6b01 100644
--- a/contrib/ipfilter/test/expected/l1
+++ b/contrib/ipfilter/test/expected/l1
@@ -1,49 +1,49 @@ log in all -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN -01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN +01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- pass in on anon0 all head 100 -------- pass in log quick from 3.3.3.3 to any group 100 -------- pass in log body quick from 2.2.2.2 to 
any -01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN -01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN +01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -------- pass in log quick proto tcp from 1.1.1.1 to any flags S keep state -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN -01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN -01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN +01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN -------- pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -------- -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN -01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp 
len 20 40 -S K-S IN -01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN -01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN -01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT -01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN -01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN -01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN -01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN +01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN +01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN +01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN +01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT +01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN +01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 
2.2.2.2,25 PR tcp len 20 40 -A IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN +01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- diff --git a/contrib/ipfilter/test/expected/l1.b b/contrib/ipfilter/test/expected/l1.b index eef3660..e5c1077 100644 --- a/contrib/ipfilter/test/expected/l1.b +++ b/contrib/ipfilter/test/expected/l1.b 
@@ -1,47 +1,47 @@ -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN -01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN +01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN -------- -------- -------- -01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN -01/01/1970 10:00:00.000000 2x anon0 
@0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN +01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d ............ -01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -------- -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN -01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN -01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN +01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN -------- -01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN +01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -------- -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN -01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN -01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN -01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN -01/01/1970 
10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT -01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN -01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN -01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN +01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN +01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN +01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN +01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT +01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN +01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN +01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d ............ 
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN -01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN +01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN 01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a 42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN -01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN -01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN +01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN --------
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
index 4eda58e..25c670d 100644
--- a/contrib/ipfilter/test/input/f11
+++ b/contrib/ipfilter/test/input/f11
@@ -1,6 +1,11 @@
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
+in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA
+in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A
 in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
+in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
 in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
 in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
diff --git a/contrib/ipfilter/test/regress/f11 b/contrib/ipfilter/test/regress/f11
index 0bf0a2a..a71e528 100644
--- a/contrib/ipfilter/test/regress/f11
+++ b/contrib/ipfilter/test/regress/f11
@@ -4,3 +4,4 @@ pass in proto udp from any to any port = 53 keep frags
 block in proto udp from any to any port = 53 keep frags
 pass in proto udp from any to any port = 53 keep state
 block in proto udp from any to any port = 53 keep state
+pass in on e0 proto tcp from any to any port = 25 keep state |
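Review bot: The added rule `pass in on e0 proto tcp from any to any port = 25 keep state` has no `flags S`, and the only port-25 packets the input/f11 hunk adds are ACK-only (`in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A` and the reply on e1). The case therefore appears to exercise state handling for a connection whose SYN was never seen. Neither hunk records whether the intended result is that state is created or refused; that is pinned only in expected/f11, which is outside this view. I would note the intent in the HISTORY entry or commit description, e.g. `f11: port 25 case checks keep state against mid-stream ACKs (no SYN seen)`. That also keeps the fixture from being read as a recommended rule shape, since a production rule set normally pairs `keep state` with `flags S` so that only the opening SYN can create a state entry.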