authorguido <guido@FreeBSD.org>1999-11-08 20:51:23 +0000
committerguido <guido@FreeBSD.org>1999-11-08 20:51:23 +0000
commit9452e54400ecec551a4b57dc17af015ef8547da2 (patch)
treec26b3cb2a5ac0f433db1690d23b00e9fd542ddac /contrib
parent0f2adb8c13cbc2d3004cfbd4942482a49c6cb35e (diff)
parent0539756f3d2277bd1ecc19afb014c074426e2f35 (diff)
This commit was generated by cvs2svn to compensate for changes in r53024,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib')
-rw-r--r--contrib/ipfilter/BNF12
-rw-r--r--contrib/ipfilter/BSD/Makefile213
-rw-r--r--contrib/ipfilter/BSD/Makefile.ipsend101
-rw-r--r--contrib/ipfilter/BSD/kupgrade26
-rwxr-xr-xcontrib/ipfilter/BSD/make-devices28
-rw-r--r--contrib/ipfilter/COMPILE.2.514
-rw-r--r--contrib/ipfilter/COMPILE.Solaris219
-rw-r--r--contrib/ipfilter/FWTK/ftp-gw.diff2
-rw-r--r--contrib/ipfilter/FWTK/fwtk_transparent.diff4
-rw-r--r--contrib/ipfilter/FWTK/tproxy.diff82
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/kinstall2
-rw-r--r--contrib/ipfilter/FreeBSD-3/INST.FreeBSD-324
-rwxr-xr-xcontrib/ipfilter/FreeBSD-3/kinstall46
-rwxr-xr-xcontrib/ipfilter/FreeBSD-3/unkinstall44
-rw-r--r--contrib/ipfilter/FreeBSD/conf.c.diffs46
-rw-r--r--contrib/ipfilter/FreeBSD/files.diffs19
-rw-r--r--contrib/ipfilter/FreeBSD/files.newconf.diffs19
-rw-r--r--contrib/ipfilter/FreeBSD/files.oldconf.diffs19
-rw-r--r--contrib/ipfilter/FreeBSD/filez.diffs19
-rw-r--r--contrib/ipfilter/FreeBSD/in_proto.c.diffs16
-rw-r--r--contrib/ipfilter/FreeBSD/ip_input.c.diffs88
-rw-r--r--contrib/ipfilter/FreeBSD/ip_output.c.diffs36
-rwxr-xr-xcontrib/ipfilter/FreeBSD/kinstall61
-rwxr-xr-xcontrib/ipfilter/FreeBSD/minstall51
-rwxr-xr-xcontrib/ipfilter/FreeBSD/unkinstall58
-rwxr-xr-xcontrib/ipfilter/FreeBSD/unminstall49
-rw-r--r--contrib/ipfilter/HISTORY284
-rw-r--r--contrib/ipfilter/INSTALL.BSDOS35
-rw-r--r--contrib/ipfilter/INSTALL.FreeBSD4
-rw-r--r--contrib/ipfilter/INSTALL.Sol27
-rw-r--r--contrib/ipfilter/LICENCE2
-rw-r--r--contrib/ipfilter/Makefile51
-rw-r--r--contrib/ipfilter/UPGRADE_NOTICE10
-rwxr-xr-xcontrib/ipfilter/buildsunos43
-rw-r--r--contrib/ipfilter/etc/services3238
-rw-r--r--contrib/ipfilter/facpri.c146
-rw-r--r--contrib/ipfilter/facpri.h42
-rw-r--r--contrib/ipfilter/fil.c793
-rw-r--r--contrib/ipfilter/fils.c198
-rw-r--r--contrib/ipfilter/inet_addr.c2
-rw-r--r--contrib/ipfilter/ip_auth.c126
-rw-r--r--contrib/ipfilter/ip_auth.h31
-rw-r--r--contrib/ipfilter/ip_compat.h170
-rw-r--r--contrib/ipfilter/ip_fil.c518
-rw-r--r--contrib/ipfilter/ip_fil.h277
-rw-r--r--contrib/ipfilter/ip_frag.c294
-rw-r--r--contrib/ipfilter/ip_frag.h16
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c446
-rw-r--r--contrib/ipfilter/ip_lfil.c63
-rw-r--r--contrib/ipfilter/ip_log.c203
-rw-r--r--contrib/ipfilter/ip_nat.c1351
-rw-r--r--contrib/ipfilter/ip_nat.h113
-rw-r--r--contrib/ipfilter/ip_proxy.c346
-rw-r--r--contrib/ipfilter/ip_proxy.h78
-rw-r--r--contrib/ipfilter/ip_raudio_pxy.c270
-rw-r--r--contrib/ipfilter/ip_rcmd_pxy.c156
-rw-r--r--contrib/ipfilter/ip_sfil.c398
-rw-r--r--contrib/ipfilter/ip_state.c746
-rw-r--r--contrib/ipfilter/ip_state.h62
-rw-r--r--contrib/ipfilter/ipf.c126
-rw-r--r--contrib/ipfilter/ipf.h54
-rw-r--r--contrib/ipfilter/ipft_ef.c4
-rw-r--r--contrib/ipfilter/ipft_hx.c4
-rw-r--r--contrib/ipfilter/ipft_pc.c6
-rw-r--r--contrib/ipfilter/ipft_sn.c6
-rw-r--r--contrib/ipfilter/ipft_td.c4
-rw-r--r--contrib/ipfilter/ipft_tx.c12
-rw-r--r--contrib/ipfilter/ipl.h4
-rw-r--r--contrib/ipfilter/iplang/iplang.h5
-rw-r--r--contrib/ipfilter/iplang/iplang_l.l8
-rw-r--r--contrib/ipfilter/iplang/iplang_y.y21
-rw-r--r--contrib/ipfilter/ipnat.c597
-rw-r--r--contrib/ipfilter/ipsd/Celler/ip_compat.h201
-rw-r--r--contrib/ipfilter/ipsd/Makefile2
-rw-r--r--contrib/ipfilter/ipsd/ipsd.c4
-rw-r--r--contrib/ipfilter/ipsd/ipsd.h2
-rw-r--r--contrib/ipfilter/ipsd/ipsdr.c4
-rw-r--r--contrib/ipfilter/ipsd/linux.h2
-rw-r--r--contrib/ipfilter/ipsd/sbpf.c2
-rw-r--r--contrib/ipfilter/ipsd/sdlpi.c2
-rw-r--r--contrib/ipfilter/ipsd/slinux.c2
-rw-r--r--contrib/ipfilter/ipsd/snit.c2
-rw-r--r--contrib/ipfilter/ipsend/.OLD/ip_compat.h242
-rw-r--r--contrib/ipfilter/ipsend/44arp.c6
-rw-r--r--contrib/ipfilter/ipsend/Makefile17
-rw-r--r--contrib/ipfilter/ipsend/arp.c10
-rw-r--r--contrib/ipfilter/ipsend/hpux.c2
-rw-r--r--contrib/ipfilter/ipsend/ip.c4
-rw-r--r--contrib/ipfilter/ipsend/ipresend.13
-rw-r--r--contrib/ipfilter/ipsend/ipresend.c4
-rw-r--r--contrib/ipfilter/ipsend/ipsend.h4
-rw-r--r--contrib/ipfilter/ipsend/ipsopt.c4
-rw-r--r--contrib/ipfilter/ipsend/iptest.c4
-rw-r--r--contrib/ipfilter/ipsend/iptests.c18
-rw-r--r--contrib/ipfilter/ipsend/larp.c11
-rw-r--r--contrib/ipfilter/ipsend/linux.h2
-rw-r--r--contrib/ipfilter/ipsend/lsock.c4
-rw-r--r--contrib/ipfilter/ipsend/resend.c12
-rw-r--r--contrib/ipfilter/ipsend/sdlpi.c4
-rw-r--r--contrib/ipfilter/ipsend/sirix.c2
-rw-r--r--contrib/ipfilter/ipsend/slinux.c4
-rw-r--r--contrib/ipfilter/ipsend/snit.c4
-rw-r--r--contrib/ipfilter/ipsend/tcpip.h2
-rw-r--r--contrib/ipfilter/ipsend/ultrix.c2
-rw-r--r--contrib/ipfilter/ipt.c86
-rw-r--r--contrib/ipfilter/ipt.h23
-rw-r--r--contrib/ipfilter/kmem.c39
-rw-r--r--contrib/ipfilter/kmem.h15
-rw-r--r--contrib/ipfilter/linux.h4
-rw-r--r--contrib/ipfilter/man/Makefile2
-rw-r--r--contrib/ipfilter/man/ipnat.19
-rw-r--r--contrib/ipfilter/man/ipnat.598
-rw-r--r--contrib/ipfilter/misc.c27
-rw-r--r--contrib/ipfilter/mkfilters91
-rw-r--r--contrib/ipfilter/ml_ipl.c2
-rw-r--r--contrib/ipfilter/mlf_ipl.c102
-rw-r--r--contrib/ipfilter/mli_ipl.c47
-rw-r--r--contrib/ipfilter/mln_ipl.c19
-rw-r--r--contrib/ipfilter/mls_ipl.c4
-rw-r--r--contrib/ipfilter/natparse.c793
-rw-r--r--contrib/ipfilter/opt.c4
-rw-r--r--contrib/ipfilter/parse.c709
-rw-r--r--contrib/ipfilter/pcap.h4
-rw-r--r--contrib/ipfilter/perl/Ipfanaly.pl639
-rw-r--r--contrib/ipfilter/perl/Isbgraph297
-rw-r--r--contrib/ipfilter/perl/LICENSE6
-rw-r--r--contrib/ipfilter/perl/Services2146
-rw-r--r--contrib/ipfilter/perl/logfilter.pl181
-rw-r--r--contrib/ipfilter/perl/plog653
-rw-r--r--contrib/ipfilter/rules/BASIC.NAT2
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW2
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW4
-rw-r--r--contrib/ipfilter/rules/example.14
-rw-r--r--contrib/ipfilter/rules/example.114
-rw-r--r--contrib/ipfilter/rules/example.1312
-rw-r--r--contrib/ipfilter/rules/example.25
-rw-r--r--contrib/ipfilter/rules/example.510
-rw-r--r--contrib/ipfilter/rules/firewall2
-rw-r--r--contrib/ipfilter/rules/ftp-proxy4
-rw-r--r--contrib/ipfilter/rules/server4
-rw-r--r--contrib/ipfilter/samples/ipfilter-pb.gifbin0 -> 795 bytes
-rw-r--r--contrib/ipfilter/snoop.h4
-rw-r--r--contrib/ipfilter/solaris.c704
-rw-r--r--contrib/ipfilter/test/Makefile16
-rw-r--r--contrib/ipfilter/test/dotest1
-rw-r--r--contrib/ipfilter/test/expected/f120
-rw-r--r--contrib/ipfilter/test/expected/f10126
-rw-r--r--contrib/ipfilter/test/expected/f1172
-rw-r--r--contrib/ipfilter/test/expected/f1260
-rw-r--r--contrib/ipfilter/test/expected/f1448
-rw-r--r--contrib/ipfilter/test/expected/f242
-rw-r--r--contrib/ipfilter/test/expected/f348
-rw-r--r--contrib/ipfilter/test/expected/f448
-rw-r--r--contrib/ipfilter/test/expected/f51392
-rw-r--r--contrib/ipfilter/test/expected/f61392
-rw-r--r--contrib/ipfilter/test/expected/f760
-rw-r--r--contrib/ipfilter/test/expected/f842
-rw-r--r--contrib/ipfilter/test/expected/f9126
-rw-r--r--contrib/ipfilter/test/expected/n196
-rw-r--r--contrib/ipfilter/test/expected/n280
-rw-r--r--contrib/ipfilter/test/expected/n312
-rw-r--r--contrib/ipfilter/test/expected/n430
-rw-r--r--contrib/ipfilter/test/hextest4
-rw-r--r--contrib/ipfilter/test/input/f14
-rw-r--r--contrib/ipfilter/test/input/f106
-rw-r--r--contrib/ipfilter/test/input/f1111
-rw-r--r--contrib/ipfilter/test/input/f1235
-rw-r--r--contrib/ipfilter/test/input/f1339
-rw-r--r--contrib/ipfilter/test/input/f145
-rw-r--r--contrib/ipfilter/test/input/f26
-rw-r--r--contrib/ipfilter/test/input/f35
-rw-r--r--contrib/ipfilter/test/input/f45
-rw-r--r--contrib/ipfilter/test/input/f528
-rw-r--r--contrib/ipfilter/test/input/f628
-rw-r--r--contrib/ipfilter/test/input/f79
-rw-r--r--contrib/ipfilter/test/input/f86
-rw-r--r--contrib/ipfilter/test/input/f96
-rw-r--r--contrib/ipfilter/test/input/n131
-rw-r--r--contrib/ipfilter/test/input/n219
-rw-r--r--contrib/ipfilter/test/input/n35
-rw-r--r--contrib/ipfilter/test/input/n45
-rwxr-xr-xcontrib/ipfilter/test/nattest27
-rw-r--r--contrib/ipfilter/test/regress/f14
-rw-r--r--contrib/ipfilter/test/regress/f1018
-rw-r--r--contrib/ipfilter/test/regress/f116
-rw-r--r--contrib/ipfilter/test/regress/f126
-rw-r--r--contrib/ipfilter/test/regress/f136
-rw-r--r--contrib/ipfilter/test/regress/f148
-rw-r--r--contrib/ipfilter/test/regress/f26
-rw-r--r--contrib/ipfilter/test/regress/f38
-rw-r--r--contrib/ipfilter/test/regress/f48
-rw-r--r--contrib/ipfilter/test/regress/f548
-rw-r--r--contrib/ipfilter/test/regress/f648
-rw-r--r--contrib/ipfilter/test/regress/f76
-rw-r--r--contrib/ipfilter/test/regress/f86
-rw-r--r--contrib/ipfilter/test/regress/f918
-rw-r--r--contrib/ipfilter/test/regress/n13
-rw-r--r--contrib/ipfilter/test/regress/n24
-rw-r--r--contrib/ipfilter/test/regress/n32
-rw-r--r--contrib/ipfilter/test/regress/n45
-rw-r--r--contrib/ipfilter/todo28
201 files changed, 19836 insertions, 4214 deletions
diff --git a/contrib/ipfilter/BNF b/contrib/ipfilter/BNF
index 15c14fb..a30c743 100644
--- a/contrib/ipfilter/BNF
+++ b/contrib/ipfilter/BNF
@@ -11,9 +11,9 @@ proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
-block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
+block = "block" [ icmp [return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
+log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
@@ -22,6 +22,8 @@ protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
+icmp = "return-icmp" | "return-icmp-as-dest" .
+loglevel = facility"."priority | priority .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
@@ -55,6 +57,12 @@ icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
"sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
"visa" | "imitd" | "eip" | "finn" .
+facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
+ "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
+ "audit" | "logalert" | "local0" | "local1" | "local2" |
+ "local3" | "local4" | "local5" | "local6" | "local7" .
+priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
+ "info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
new file mode 100644
index 0000000..7718a81
--- /dev/null
+++ b/contrib/ipfilter/BSD/Makefile
@@ -0,0 +1,213 @@
+#
+# Copyright (C) 1993-1998 by Darren Reed.
+#
+# Redistribution and use in source and binary forms are permitted
+# provided that this notice is preserved and due credit is given
+# to the original author and the contributors.
+#
+BINDEST=/usr/sbin
+SBINDEST=/sbin
+MANDIR=/usr/share/man
+CC=cc -Wall -Wuninitialized -Wstrict-prototypes -Werror -O
+CFLAGS=-g -I$(TOP)
+#
+# For NetBSD/FreeBSD
+#
+DEVFS!=/usr/bin/lsvfs 2>&1 | sed -n 's/.*devfs.*/-DDEVFS/p'
+CPU!=uname -m
+INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch
+DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS)
+IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST
+VNODESHDIR=/sys/kern
+MLD=$(ML) vnode_if.h
+ML=mln_ipl.c
+IPFILC=ip_fil.c
+LKM=if_ipl.o
+DLKM=
+MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
+ 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
+ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
+ "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
+ "CPUDIR=$(CPUDIR)"
+#
+########## ########## ########## ########## ########## ########## ##########
+#
+CP=/bin/cp
+RM=/bin/rm
+CHMOD=/bin/chmod
+INSTALL=install
+#
+MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
+ ip_auth.o ip_log.o
+DFLAGS=$(IPFLKM) $(IPFLOG) $(DEF) $(DLKM)
+IPF=ipf.o parse.o opt.o facpri.o
+IPT=ipt.o parse.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o opt.o \
+ ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \
+ ip_auth_u.o ipft_hx.o ip_fil_u.o natparse.o facpri.o
+FILS=fils.o parse.o kmem.o opt.o facpri.o
+
+build all: ipf ipfstat ipftest ipmon ipnat $(LKM)
+
+ipfstat: $(FILS)
+ $(CC) $(DEBUG) $(CFLAGS) $(FILS) -o $@ $(LIBS)
+
+ipf: $(IPF)
+ $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
+ /bin/rm -f $(TOP)/ipf
+ ln -s `pwd`/ipf $(TOP)
+
+ipftest: $(IPT)
+ $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS)
+ /bin/rm -f $(TOP)/ipftest
+ ln -s `pwd`/ipftest $(TOP)
+
+ipnat: ipnat.o kmem.o natparse.o
+ $(CC) $(DEBUG) $(CFLAGS) ipnat.o kmem.o natparse.o -o $@ $(LIBS)
+
+tests:
+ (cd test; make )
+
+fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \
+ $(TOP)/ip_compat.h $(TOP)/ip_state.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fils.c -o $@
+
+fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fil.c -o $@
+
+fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h
+ $(CC) $(DEBUG) $(CFLAGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@
+
+ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipf.c -o $@
+
+ipt.o: $(TOP)/ipt.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipt.c -o $@
+
+misc.o: $(TOP)/misc.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/misc.c -o $@
+
+opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@
+
+ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@
+
+natparse.o: $(TOP)/natparse.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@
+
+ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \
+ $(TOP)/snoop.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
+
+ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_ef.c -o $@
+
+ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_td.c -o $@
+
+ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@
+
+ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_tx.c -o $@
+
+ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_hx.c -o $@
+
+ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@
+
+ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_nat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@
+
+ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_frag.c -o $@
+
+ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_state.c -o $@
+
+ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_auth.c -o $@
+
+ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@
+
+if_ipl.o: $(MODOBJS)
+ ld -r $(MODOBJS) -o $(LKM)
+ ${RM} -f if_ipl
+
+ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@
+
+ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@
+
+ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@
+
+ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_raudio_pxy.c \
+ $(TOP)/ip_nat.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
+
+ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
+ $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@
+
+ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@
+
+ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@
+
+vnode_if.h: $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src
+ mkdir -p ../sys
+ sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src
+ if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi
+ rmdir ../sys
+
+ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h
+ -/bin/rm -f vnode_if.c
+ $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@
+
+kmem.o: $(TOP)/kmem.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/kmem.c -o $@
+
+parse.o: $(TOP)/parse.c $(TOP)/ip_fil.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/parse.c -o $@
+
+facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/facpri.c -o $@
+
+ipmon: $(TOP)/ipmon.c
+ $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS)
+
+clean:
+ ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
+ vnode_if.h $(LKM) ioconf.h
+ ${MAKE} -f Makefile.ipsend ${MFLAGS} clean
+ -(for i in *; do \
+ if [ -d $${i} -a -f $${i}/Makefile ] ; then \
+ cd $${i}; (make clean); cd ..; \
+ rm $${i}/Makefile $${i}/Makefile.ipsend; \
+ rmdir $${i}; \
+ fi \
+ done)
+
+install:
+ -$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h
+ -$(CHMOD) 444 /usr/include/netinet/ip_fil.h
+ -if [ -d /lkm -a -f if_ipl.o ] ; then \
+ cp if_ipl.o /lkm; \
+ fi
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST)
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST)
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipftest ipftest $(BINDEST)
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipf ipftest $(SBINDEST)
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipnat ipftest $(SBINDEST)
+ (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
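Review bot: The last three `$(INSTALL)` lines of the `install` target (`ipftest ipftest $(BINDEST)`, `ipf ipftest $(SBINDEST)`, `ipnat ipftest $(SBINDEST)`) re-install binaries the two preceding lines already placed and additionally put `ipftest` into $(SBINDEST) as well as $(BINDEST); they read as a copy-paste leftover and should be dropped. Every step of `install` is prefixed with `-`, so a failed copy of `ip_fil.h`, of the LKM into `/lkm`, or of any binary is ignored and `make install` still exits successfully; removing the `-` from the `$(INSTALL)` lines would make a partial install visible. The `clean` target deletes `Makefile` and `Makefile.ipsend` from, and then `rmdir`s, every subdirectory that holds a Makefile, which is destructive enough to deserve a comment such as `# subdirs are per-CPU build trees created by the top-level Makefile` if that is indeed what they are.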
diff --git a/contrib/ipfilter/BSD/Makefile.ipsend b/contrib/ipfilter/BSD/Makefile.ipsend
new file mode 100644
index 0000000..e9c4a10
--- /dev/null
+++ b/contrib/ipfilter/BSD/Makefile.ipsend
@@ -0,0 +1,101 @@
+OBJS=ipsend.o ip.o ipsopt.o y.tab.o lex.yy.o
+IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o
+ROBJS=ipresend.o ip.o resend.o $(IPFTO) opt.o
+TOBJS=iptest.o iptests.o ip.o
+UNIXOBJS=sbpf.o sock.o 44arp.o
+
+CC=gcc -Wuninitialized -Wstrict-prototypes -O
+CFLAGS=-g -I$(TOP)
+#
+MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
+ 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
+ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
+ "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
+ "CPUDIR=$(CPUDIR)"
+#
+all build bsd-bpf : ipsend ipresend iptest
+
+y.tab.o: $(TOP)/iplang/iplang_y.y
+ (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
+
+lex.yy.o: $(TOP)/iplang/iplang_l.l
+ (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
+
+.c.o:
+ $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
+
+ipsend: $(OBJS) $(UNIXOBJS)
+ $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll
+
+ipresend: $(ROBJS) $(UNIXOBJS)
+ $(CC) $(DEBUG) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS)
+
+iptest: $(TOBJS) $(UNIXOBJS)
+ $(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS)
+
+clean:
+ rm -rf *.o core a.out ipsend ipresend iptest
+
+ipsend.o: $(TOP)/ipsend/ipsend.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@
+
+ipsopt.o: $(TOP)/ipsend/ipsopt.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsopt.c -o $@
+
+ipresend.o: $(TOP)/ipsend/ipresend.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipresend.c -o $@
+
+ip.o: $(TOP)/ipsend/ip.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ip.c -o $@
+
+resend.o: $(TOP)/ipsend/resend.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/resend.c -o $@
+
+ipft_sn.o: $(TOP)/ipft_sn.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
+
+ipft_pc.o: $(TOP)/ipft_pc.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@
+
+iptest.o: $(TOP)/ipsend/iptest.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptest.c -o $@
+
+iptests.o: $(TOP)/ipsend/iptests.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptests.c -o $@
+
+sbpf.o: $(TOP)/ipsend/sbpf.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sbpf.c -o $@
+
+snit.o: $(TOP)/ipsend/snit.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/snit.c -o $@
+
+sock.o: $(TOP)/ipsend/sock.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sock.c -o $@
+
+arp.o: $(TOP)/ipsend/arp.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@
+
+44arp.o: $(TOP)/ipsend/44arp.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/44arp.c -o $@
+
+lsock.o: $(TOP)/ipsend/lsock.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/lsock.c -o $@
+
+slinux.o: $(TOP)/ipsend/slinux.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/slinux.c -o $@
+
+larp.o: $(TOP)/ipsend/larp.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/larp.c -o $@
+
+dlcommon.o: $(TOP)/ipsend/dlcommon.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/dlcommon.c -o $@
+
+sdlpi.o: $(TOP)/ipsend/sdlpi.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@
+
+arp.o: $(TOP)/ipsend/arp.c
+ $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@
+
+install:
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
+
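Review bot: The `arp.o` rule is defined twice with identical commands (once after `sock.o`, again after `sdlpi.o`); make warns about overriding commands for the target, and the second copy should be removed. `clean` runs `rm -rf *.o core a.out ipsend ipresend iptest`, where `-r` serves no purpose for these regular files and `rm -f` is sufficient. `ipsend` is the only link target that adds `-ll`, presumably for `lex.yy.o`; a comment `# -ll: lex runtime needed by lex.yy.o` on that line would make the asymmetry intentional rather than accidental.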
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
new file mode 100644
index 0000000..2159a29
--- /dev/null
+++ b/contrib/ipfilter/BSD/kupgrade
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
+
+# try to bomb out fast if anything fails....
+set -e
+
+argv0=`basename $0`
+dir=`pwd`
+karch=`uname -m`
+archdir="/sys/arch/$karch"
+confdir="$archdir/conf"
+
+echo -n "Installing "
+for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_ftp_pxy.c ip_rcmd_pxy.c ip_raudio_pxy.c ; do
+ echo -n "$i "
+ cp $i /sys/netinet/
+ chmod 644 /sys/netinet/$i
+done
+echo ""
+if [ -f /sys/netinet/ip_fil_compat.h ] ; then
+ echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h"
+ rm /sys/netinet/ip_fil_compat.h
+ ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h
+fi
+exit 0
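Review bot: `argv0`, `dir`, `archdir` and `confdir` are assigned but never used, and unlike the csh `kinstall` scripts this one never changes into the source directory, so invoking it from `BSD/` makes the first `cp` fail under `set -e` with an unhelpful error. Either drop the unused variables or use `dir` for a check such as `case "$dir" in */BSD) cd .. ;; esac` before the loop, assuming the sources live one level up as they do for the csh scripts. The `[ -f /sys/netinet/ip_fil_compat.h ]` test follows symlinks, so on a second run the symlink created by the previous run is removed and recreated; that is harmless but worth a comment so nobody "fixes" it into a `-L` test that would leave a stale regular file in place.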
diff --git a/contrib/ipfilter/BSD/make-devices b/contrib/ipfilter/BSD/make-devices
new file mode 100755
index 0000000..320bd80
--- /dev/null
+++ b/contrib/ipfilter/BSD/make-devices
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+os=`uname -s`-`uname -r`
+
+case "$os" in
+ FreeBSD-2.2*)
+ major=79
+ ;;
+ FreeBSD-*)
+ major=20
+ ;;
+ NetBSD-*)
+ echo "see /dev/MAKEDEV"
+ exit 0
+ ;;
+ OpenBSD-*)
+ echo "see /dev/MAKEDEV"
+ exit 0
+ ;;
+ *)
+ ;;
+esac
+
+umask 037
+mknod /dev/ipl c $major 0
+mknod /dev/ipnat c $major 1
+mknod /dev/ipstate c $major 2
+mknod /dev/ipauth c $major 3
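Review bot: The `*)` branch of the `case` leaves `major` unset, so on an unrecognised system the script continues into `mknod /dev/ipl c  0` with a missing major number and either fails or creates a bogus node; it should abort instead, e.g. `*) echo "$os: unknown system, set major by hand" >&2; exit 1 ;;`. `INST.FreeBSD-3` in the same commit tells FreeBSD 3 users to create these devices with major 79, whereas the `FreeBSD-*` branch here uses 20; one of the two is presumably stale and should be confirmed against the kernel's cdevsw entry. The `umask 037` is what makes the four control nodes mode 0640 (root and the default group only), which is the access control on the filter's ioctl interface; a one-line comment such as `# 0640: control devices for root/wheel only` would keep that from being loosened casually.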
diff --git a/contrib/ipfilter/COMPILE.2.5 b/contrib/ipfilter/COMPILE.2.5
index 45442c5..ae550f8 100644
--- a/contrib/ipfilter/COMPILE.2.5
+++ b/contrib/ipfilter/COMPILE.2.5
@@ -1,7 +1,3 @@
-If you have BOTH GNU make and the normal make shipped with your system,
-DO NOT use the GNU make to build this package. If you have any errors
-relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as
-shipped with Solaris 2.
If you get the following error whilst compiling:
@@ -10,10 +6,6 @@ In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/
from ../ip_nat.c:15:
/usr/include/sys/psw.h:19: #error Kernel include of psw.h
-That means that you have a version of gcc build under on older release
-of Solaris 2.x
-
-You need to reinstall gcc after each Solaris upgrade; gcc creates its own
-set of modified system include files which are only valid for the exact
-release on which gcc was build.
-
+Remove (comment out) the line in
+/usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3include/sys/user.h
+which includes psw.h
diff --git a/contrib/ipfilter/COMPILE.Solaris2 b/contrib/ipfilter/COMPILE.Solaris2
new file mode 100644
index 0000000..45442c5
--- /dev/null
+++ b/contrib/ipfilter/COMPILE.Solaris2
@@ -0,0 +1,19 @@
+If you have BOTH GNU make and the normal make shipped with your system,
+DO NOT use the GNU make to build this package. If you have any errors
+relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as
+shipped with Solaris 2.
+
+If you get the following error whilst compiling:
+
+In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48,
+ from /usr/include/sys/file.h:15,
+ from ../ip_nat.c:15:
+/usr/include/sys/psw.h:19: #error Kernel include of psw.h
+
+That means that you have a version of gcc build under on older release
+of Solaris 2.x
+
+You need to reinstall gcc after each Solaris upgrade; gcc creates its own
+set of modified system include files which are only valid for the exact
+release on which gcc was build.
+
diff --git a/contrib/ipfilter/FWTK/ftp-gw.diff b/contrib/ipfilter/FWTK/ftp-gw.diff
index 3052eba..be61342 100644
--- a/contrib/ipfilter/FWTK/ftp-gw.diff
+++ b/contrib/ipfilter/FWTK/ftp-gw.diff
@@ -4,7 +4,7 @@
*** 11,31 ****
--- 11,41 ----
*/
- static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.2.3 1997/06/22 07:06:02 darrenr Exp $";
+ static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.1 1999/08/04 17:30:30 darrenr Exp $";
+ /*
+ * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96
diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff
index 6a5c376..69962b6 100644
--- a/contrib/ipfilter/FWTK/fwtk_transparent.diff
+++ b/contrib/ipfilter/FWTK/fwtk_transparent.diff
@@ -124,7 +124,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
***************
*** 11,30 ****
#
- # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.2.1 1997/02/23 10:38:36 darrenr Exp $"
+ # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.1 1999/08/04 17:40:48 darrenr Exp $"
# Your C compiler (eg, "cc" or "gcc")
@@ -145,7 +145,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
-Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
--- 11,34 ----
#
- # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.2.1 1997/02/23 10:38:36 darrenr Exp $"
+ # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.1 1999/08/04 17:40:48 darrenr Exp $"
+ #
+ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c)
diff --git a/contrib/ipfilter/FWTK/tproxy.diff b/contrib/ipfilter/FWTK/tproxy.diff
new file mode 100644
index 0000000..234404b
--- /dev/null
+++ b/contrib/ipfilter/FWTK/tproxy.diff
@@ -0,0 +1,82 @@
+*** tproxy.c.orig Fri Dec 20 10:53:24 1996
+--- tproxy.c Sun Jan 3 11:33:55 1999
+***************
+*** 135,140 ****
+--- 135,144 ----
+ #include <netinet/in.h>
+ #include <sys/signal.h>
+ #include <syslog.h>
++ #include <unistd.h>
++ #include <fcntl.h>
++ #include <sys/ioctl.h>
++ #include <net/if.h>
+ #include "tproxy.h"
+
+ #ifdef AIX
+***************
+*** 147,152 ****
+--- 151,159 ----
+ #define bzero(buf,size) memset(buf, '\0', size);
+ #endif /* SYSV */
+
++ #include "ip_compat.h"
++ #include "ip_fil.h"
++ #include "ip_nat.h"
+
+
+ /* socket to audio server */
+***************
+*** 324,329 ****
+--- 331,369 ----
+ char localbuf[2048];
+ void timeout();
+ extern int errno;
++ /*
++ * IP-Filter block
++ */
++ struct sockaddr_in laddr, faddr;
++ struct natlookup natlookup;
++ int slen, natfd;
++
++ bzero((char *)&laddr, sizeof(laddr));
++ bzero((char *)&faddr, sizeof(faddr));
++ slen = sizeof(laddr);
++ if (getsockname(0, (struct sockaddr *)&laddr, &slen) < 0)
++ return -1;
++ slen = sizeof(faddr);
++ if (getpeername(0, (struct sockaddr *)&faddr, &slen) < 0)
++ return -1;
++ natlookup.nl_inport = laddr.sin_port;
++ natlookup.nl_outport = faddr.sin_port;
++ natlookup.nl_inip = laddr.sin_addr;
++ natlookup.nl_outip = faddr.sin_addr;
++ natlookup.nl_flags = IPN_TCP;
++ if ((natfd = open(IPL_NAT, O_RDONLY)) < 0)
++ return -1;
++ if (ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
++ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
++ close(natfd);
++ return -1;
++ }
++ close(natfd);
++ strcpy(hostname, inet_ntoa(natlookup.nl_realip));
++ serverport = ntohs(natlookup.nl_realport);
++ /*
++ * End of IP-Filter block
++ */
+
+ /* setup a timeout in case dialog doesn't finish */
+ signal(SIGALRM, timeout);
+***************
+*** 337,344 ****
+--- 377,386 ----
+ * and modify the call to (and subroutine) serverconnect() as
+ * appropriate.
+ */
++ #if 0
+ strcpy(hostname, "randomhostname");
+ serverport = 7070;
++ #endif
+ /* Can we connect to the server */
+ if ( (serverfd = serverconnect(hostname, serverport)) < 0 ) {
+ /* errno may still be set from previous call */
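Review bot: In the added IP-Filter block, `natlookup` is handed to the SIOCGNATL ioctl without being cleared, while `laddr` and `faddr` are explicitly `bzero`'d; adding `bzero((char *)&natlookup, sizeof(natlookup));` before the field assignments keeps any field the kernel reads beyond the five set here deterministic. The `getsockname`/`getpeername` failures `return -1` silently, whereas the ioctl failure is logged with `syslog(LOG_ERR, ...)`; logging those two paths as well would make a misconfigured proxy diagnosable from the log. `slen` is declared `int` but used as the length argument of both calls; on platforms that provide `socklen_t` that is the correct type, and this file already targets several platforms. `strcpy(hostname, inet_ntoa(...))` is bounded by inet_ntoa's at most 16-byte result, but `hostname`'s size is not visible here, so confirm it is at least that large. The function these lines belong to begins and ends outside the shown context.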
diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall
index 26b0e8f..94b5009 100755
--- a/contrib/ipfilter/FreeBSD-2.2/kinstall
+++ b/contrib/ipfilter/FreeBSD-2.2/kinstall
@@ -9,7 +9,7 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h \
+ ip_proxy.[ch] ip_{ftp,rcmd}_pxy.c mlf_ipl.c ipl.h ip_compat.h \
ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
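Review bot: The updated file list adds `ip_rcmd_pxy.c` but not `ip_raudio_pxy.c`, which this commit adds at the top level (see the diffstat) and which the FreeBSD-3 `kinstall` in the same commit does copy via `ip_{ftp,rcmd,raudio}_pxy.c`; unless the RealAudio proxy is deliberately unsupported on 2.2, the glob here should also read `ip_{ftp,rcmd,raudio}_pxy.c`. The `foreach` loop this line belongs to ends outside the hunk.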
diff --git a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
new file mode 100644
index 0000000..8c7b8ef
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
@@ -0,0 +1,24 @@
+To build a kernel with the IP filter, follow these steps:
+
+ 1. do "make freebsd3"
+
+ 2. do "make install-bsd"
+ (probably has to be done as root)
+
+ 3. run "FreeBSD-3/kinstall" as root
+
+ 4. build a new kernel
+
+ 5. install the new kernel
+
+ 6. If not using DEVFS, create devices for IP Filter as follows:
+ mknod /dev/ipl c 79 0
+ mknod /dev/ipnat c 79 1
+ mknod /dev/ipstate c 79 2
+ mknod /dev/ipauth c 79 3
+
+ 7. reboot
+
+
+Darren Reed
+darrenr@pobox.com
diff --git a/contrib/ipfilter/FreeBSD-3/kinstall b/contrib/ipfilter/FreeBSD-3/kinstall
new file mode 100755
index 0000000..c77f446
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-3/kinstall
@@ -0,0 +1,46 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Installing "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
+ ip_compat.h ip_auth.[ch] ip_log.c)
+ echo -n "$i ";
+ cp $i /sys/netinet
+ chmod 644 /sys/netinet/$i
+end
+echo ""
+echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
+ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+echo "Rewriting $newconfig..."
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
+ $confdir/$newconfig.bak > $confdir/$newconfig
+echo "You will now need to run config on $newconfig and build a new kernel."
+exit 0
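Review bot: After the name is read with `set newconfig=$<` there is no check that `$confdir/$newconfig` exists, yet the final awk reads `$confdir/$newconfig.bak`, which is only created by the guarded mv; a mistyped name therefore makes awk fail on a missing input while the redirection has already truncated `$confdir/$newconfig`, leaving an empty kernel configuration file behind. Adding `if ( ! -f $confdir/$newconfig ) then`, `echo "No such kernel configuration: $confdir/$newconfig"; exit 1` and `endif` directly after the if/else that sets newconfig closes that hole. The same sequence is repeated verbatim in FreeBSD-3/unkinstall, FreeBSD/kinstall, FreeBSD/minstall, FreeBSD/unkinstall and FreeBSD/unminstall in this commit and wants the same guard. Separately, `set config="$confdir/$newconfig"` in the then-branch assigns a value nothing reads afterwards, so that line can go.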
diff --git a/contrib/ipfilter/FreeBSD-3/unkinstall b/contrib/ipfilter/FreeBSD-3/unkinstall
new file mode 100755
index 0000000..aa39c5b
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-3/unkinstall
@@ -0,0 +1,44 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Uninstalling "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
+ ip_log.c mlf_ipl.c ipl.h)
+ echo -n "$i ";
+ /bin/rm -f /sys/netinet/$i
+end
+echo ""
+
+echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
+rm /sys/sys/osreldate.h
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
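Review bot: `rm /sys/sys/osreldate.h` is unconditional, while the companion kinstall only ever creates that path with `ln -s` and ignores the ln failure when a file is already there; running this script on such a system deletes a real header rather than the symlink it is meant to undo. Guarding the removal so that only a symbolic link is removed (the `-l` file test where the csh in use supports it, otherwise an `ls -l`/`test -L` check) keeps the uninstall limited to what kinstall installed. The missing-configuration check noted on FreeBSD-3/kinstall applies to the `egrep -v` rewrite here as well.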
diff --git a/contrib/ipfilter/FreeBSD/conf.c.diffs b/contrib/ipfilter/FreeBSD/conf.c.diffs
new file mode 100644
index 0000000..afd2880
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/conf.c.diffs
@@ -0,0 +1,46 @@
+*** conf.c.orig Sun Jan 14 15:39:32 1996
+--- conf.c Sun Jan 14 15:48:21 1996
+***************
+*** 1128,1133 ****
+--- 1128,1149 ----
+ #define labpcioctl nxioctl
+ #endif
+
++ #ifdef IPFILTER
++ d_open_t iplopen;
++ d_close_t iplclose;
++ d_ioctl_t iplioctl;
++ # ifdef IPFILTER_LOG
++ d_read_t iplread;
++ # else
++ #define iplread nxread
++ # endif
++ #else
++ #define iplopen nxopen
++ #define iplclose nxclose
++ #define iplioctl nxioctl
++ #define iplread nxread
++ #endif
++
+ /* open, close, read, write, ioctl, stop, reset, ttys, select, mmap, strat */
+ struct cdevsw cdevsw[] =
+ {
+***************
+*** 1199,1206 ****
+ * Otherwise, simply use the one reserved for local use.
+ */
+ /* character device 20 is reserved for local use */
+! { nxopen, nxclose, nxread, nxwrite, /*20*/
+! nxioctl, nxstop, nxreset, nxdevtotty,/* reserved */
+ nxselect, nxmmap, NULL },
+ { psmopen, psmclose, psmread, nowrite, /*21*/
+ psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
+--- 1215,1222 ----
+ * Otherwise, simply use the one reserved for local use.
+ */
+ /* character device 20 is reserved for local use */
+! { iplopen, iplclose, iplread, nxwrite, /*20*/
+! iplioctl, nxstop, nxreset, nxdevtotty,/* reserved */
+ nxselect, nxmmap, NULL },
+ { psmopen, psmclose, psmread, nowrite, /*21*/
+ psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
diff --git a/contrib/ipfilter/FreeBSD/files.diffs b/contrib/ipfilter/FreeBSD/files.diffs
new file mode 100644
index 0000000..84893d4
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/files.diffs
@@ -0,0 +1,19 @@
+*** files.orig Sat Sep 30 18:01:55 1995
+--- files Sun Jan 14 14:32:25 1996
+***************
+*** 208,213 ****
+--- 208,221 ----
+ netinet/tcp_timer.c optional inet
+ netinet/tcp_usrreq.c optional inet
+ netinet/udp_usrreq.c optional inet
++ netinet/ip_fil.c optional ipfilter inet
++ netinet/fil.c optional ipfilter inet
++ netinet/ip_nat.c optional ipfilter inet
++ netinet/ip_frag.c optional ipfilter inet
++ netinet/ip_state.c optional ipfilter inet
++ netinet/ip_auth.c optional ipfilter inet
++ netinet/ip_proxy.c optional ipfilter inet
++ netinet/ip_log.c optional ipfilter inet
+ netiso/clnp_debug.c optional iso
+ netiso/clnp_er.c optional iso
+ netiso/clnp_frag.c optional iso
diff --git a/contrib/ipfilter/FreeBSD/files.newconf.diffs b/contrib/ipfilter/FreeBSD/files.newconf.diffs
new file mode 100644
index 0000000..cc7cf41
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/files.newconf.diffs
@@ -0,0 +1,19 @@
+*** files.newconf.orig Sun Jun 25 02:17:29 1995
+--- files.newconf Sun Jun 25 02:19:10 1995
+***************
+*** 161,166 ****
+--- 161,174 ----
+ file netinet/ip_input.c inet
+ file netinet/ip_mroute.c inet
+ file netinet/ip_output.c inet
++ file netinet/ip_fil.c ipfilter
++ file netinet/fil.c ipfilter
++ file netinet/ip_nat.c ipfilter
++ file netinet/ip_frag.c ipfilter
++ file netinet/ip_state.c ipfilter
++ file netinet/ip_proxy.c ipfilter
++ file netinet/ip_auth.c ipfilter
++ file netinet/ip_log.c ipfilter
+ file netinet/raw_ip.c inet
+ file netinet/tcp_debug.c inet
+ file netinet/tcp_input.c inet
diff --git a/contrib/ipfilter/FreeBSD/files.oldconf.diffs b/contrib/ipfilter/FreeBSD/files.oldconf.diffs
new file mode 100644
index 0000000..55b526f
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/files.oldconf.diffs
@@ -0,0 +1,19 @@
+*** files.oldconf.orig Sat Apr 29 19:59:31 1995
+--- files.oldconf Sun Apr 23 17:54:18 1995
+***************
+*** 180,185 ****
+--- 180,193 ----
+ netinet/tcp_timer.c optional inet
+ netinet/tcp_usrreq.c optional inet
+ netinet/udp_usrreq.c optional inet
++ netinet/ip_fil.c optional ipfilter requires inet
++ netinet/fil.c optional ipfilter requires inet
++ netinet/ip_nat.c optional ipfilter requires inet
++ netinet/ip_frag.c optional ipfilter requires inet
++ netinet/ip_state.c optional ipfilter requires inet
++ netinet/ip_proxy.c optional ipfilter requires inet
++ netinet/ip_auth.c optional ipfilter requires inet
++ netinet/ip_log.c optional ipfilter requires inet
+ netiso/clnp_debug.c optional iso
+ netiso/clnp_er.c optional iso
+ netiso/clnp_frag.c optional iso
diff --git a/contrib/ipfilter/FreeBSD/filez.diffs b/contrib/ipfilter/FreeBSD/filez.diffs
new file mode 100644
index 0000000..52492e8
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/filez.diffs
@@ -0,0 +1,19 @@
+*** files.orig Sat Apr 29 20:00:02 1995
+--- files Sun Apr 23 17:53:58 1995
+***************
+*** 222,227 ****
+--- 222,235 ----
+ file netinet/tcp_timer.c inet
+ file netinet/tcp_usrreq.c inet
+ file netinet/udp_usrreq.c inet
++ file netinet/ip_fil.c ipfilter
++ file netinet/fil.c ipfilter
++ file netinet/ip_nat.c ipfilter
++ file netinet/ip_frag.c ipfilter
++ file netinet/ip_state.c ipfilter
++ file netinet/ip_proxy.c ipfilter
++ file netinet/ip_auth.c ipfilter
++ file netinet/ip_log.c ipfilter
+ file netiso/clnp_debug.c iso
+ file netiso/clnp_er.c iso
+ file netiso/clnp_frag.c iso
diff --git a/contrib/ipfilter/FreeBSD/in_proto.c.diffs b/contrib/ipfilter/FreeBSD/in_proto.c.diffs
new file mode 100644
index 0000000..052dd51
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/in_proto.c.diffs
@@ -0,0 +1,16 @@
+*** in_proto.c.orig Wed Sep 6 20:31:34 1995
+--- in_proto.c Mon Mar 11 22:40:03 1996
+***************
+*** 81,86 ****
+--- 81,91 ----
+ void eoninput(), eonctlinput(), eonprotoinit();
+ #endif /* EON */
+
++ #ifdef IPFILTER
++ void iplinit();
++ #define ip_init iplinit
++ #endif
++
+ void rsvp_input(struct mbuf *, int);
+ void ipip_input(struct mbuf *, int);
+
diff --git a/contrib/ipfilter/FreeBSD/ip_input.c.diffs b/contrib/ipfilter/FreeBSD/ip_input.c.diffs
new file mode 100644
index 0000000..a70be89
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/ip_input.c.diffs
@@ -0,0 +1,88 @@
+*** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996
+--- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997
+***************
+*** 93,98 ****
+--- 93,102 ----
+ int ipqmaxlen = IFQ_MAXLEN;
+ struct in_ifaddr *in_ifaddr; /* first inet address */
+ struct ifqueue ipintrq;
++ #if defined(IPFILTER_LKM) || defined(IPFILTER)
++ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++ #endif
+
+ struct ipstat ipstat;
+ struct ipq ipq;
+***************
+*** 219,226 ****
+ }
+ ip = mtod(m, struct ip *);
+ }
+! ip->ip_sum = in_cksum(m, hlen);
+! if (ip->ip_sum) {
+ ipstat.ips_badsum++;
+ goto bad;
+ }
+--- 223,229 ----
+ }
+ ip = mtod(m, struct ip *);
+ }
+! if (in_cksum(m, hlen)) {
+ ipstat.ips_badsum++;
+ goto bad;
+ }
+***************
+*** 267,272 ****
+--- 270,288 ----
+ goto next;
+ }
+
++ #if defined(IPFILTER) || defined(IPFILTER_LKM)
++ /*
++ * Check if we want to allow this packet to be processed.
++ * Consider it to be bad if not.
++ */
++ if (fr_checkp) {
++ struct mbuf *m1 = m;
++
++ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
++ goto next;
++ ip = mtod(m = m1, struct ip *);
++ }
++ #endif
+ /*
+ * Process options and, if not destined for us,
+ * ship it on. ip_dooptions returns 1 when an
+***************
+*** 527,532 ****
+--- 533,540 ----
+ * if they are completely covered, dequeue them.
+ */
+ while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) {
++ struct mbuf *m0;
++
+ i = (ip->ip_off + ip->ip_len) - q->ip_off;
+ if (i < q->ip_len) {
+ q->ip_len -= i;
+***************
+*** 526,534 ****
+ m_adj(dtom(q), i);
+ break;
+ }
+ q = q->ipf_next;
+- m_freem(dtom(q->ipf_prev));
+ ip_deq(q->ipf_prev);
+ }
+
+ insert:
+--- 542,551 ----
+ m_adj(dtom(q), i);
+ break;
+ }
++ m0 = dtom(q);
+ q = q->ipf_next;
+ ip_deq(q->ipf_prev);
++ m_freem(m0);
+ }
+
+ insert:
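Review bot: The new hook in the 270-288 region does `goto next` when `(*fr_checkp)()` returns non-zero or leaves `m1` NULL, and nothing on that path calls m_freem(), so ownership of the mbuf on a reject is silently transferred to the filter; the same pattern appears in ip_output.c.diffs with `goto done`. That contract should be stated where the hook is called, e.g. `/* non-zero return or m1 == NULL: the filter has freed or consumed the mbuf, so it must not be touched again here */`, since a later ip_input change that frees at `next:` would turn this into a double free. The checksum hunk (219-226) also changes behaviour beyond the hook: the old code wrote the computed residual into `ip->ip_sum`, the new code leaves the received checksum intact; presumably the filter needs the original header for forwarding, and a one-line comment to that effect in the diff would stop it being reverted as an unrelated cleanup.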
diff --git a/contrib/ipfilter/FreeBSD/ip_output.c.diffs b/contrib/ipfilter/FreeBSD/ip_output.c.diffs
new file mode 100644
index 0000000..f1fe9ac
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/ip_output.c.diffs
@@ -0,0 +1,36 @@
+*** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996
+--- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997
+***************
+*** 65,70 ****
+--- 65,74 ----
+ static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *));
+ static void ip_mloopback
+ __P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
++ #if defined(IPFILTER_LKM) || defined(IPFILTER)
++ extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++ #endif
+
+ /*
+ * IP output. The packet in mbuf chain m contains a skeletal IP
+***************
+*** 330,335 ****
+--- 334,351 ----
+ m->m_flags &= ~M_BCAST;
+
+ sendit:
++ #if defined(IPFILTER) || defined(IPFILTER_LKM)
++ /*
++ * looks like most checking has been done now...do a filter check
++ */
++ if (fr_checkp) {
++ struct mbuf *m1 = m;
++
++ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
++ goto done;
++ ip = mtod(m = m1, struct ip *);
++ }
++ #endif
+ /*
+ * Check with the firewall...
+ */
diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall
new file mode 100755
index 0000000..42c2f09
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/kinstall
@@ -0,0 +1,61 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD ) cd ..
+echo -n "Installing "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_proxy.[ch] ip_auth.[ch] ip_{ftp,rcmd}_pxy.c ip_compat.h ip_log.c)
+ echo -n "$i ";
+ cp $i /sys/netinet
+ chmod 644 /sys/netinet/$i
+end
+echo ""
+echo "Patching $archdir/$karch/conf.c"
+cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
+echo "Patching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
+(cd /sys/netinet; patch)
+
+if ( -f /sys/conf/files.newconf ) then
+ echo "Patching /sys/conf/files.newconf"
+ cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
+ echo "Patching /sys/conf/files"
+ cat FreeBSD/files.diffs | (cd /sys/conf; patch)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+ echo "Patching /sys/conf/files.oldconf"
+ cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
+ echo "Patching /sys/conf/files"
+ cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+echo "Re-config'ing $newconfig..."
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
+ $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
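Review bot: The two `if ( -f /sys/conf/files.newconf )` and `if ( -f /sys/conf/files.oldconf )` blocks are independent, and each also patches /sys/conf/files (files.diffs, then filez.diffs); on a tree where both conf files are present, /sys/conf/files is patched twice with overlapping hunks and the second run will reject or duplicate lines. If the two layouts are meant to be mutually exclusive, chaining the second test as `else if ( -f /sys/conf/files.oldconf ) then` and dropping the first `endif` makes that explicit. None of the `patch` exit statuses are examined either, so a rejected hunk leaves the tree half-patched while the script goes on to rewrite the kernel configuration; the same two points apply to FreeBSD/minstall, FreeBSD/unkinstall and FreeBSD/unminstall in this commit.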
diff --git a/contrib/ipfilter/FreeBSD/minstall b/contrib/ipfilter/FreeBSD/minstall
new file mode 100755
index 0000000..0cfe7c3
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/minstall
@@ -0,0 +1,51 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD ) cd ..
+echo "Patching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
+(cd /sys/netinet; patch)
+
+if ( -f /sys/conf/files.newconf ) then
+ echo "Patching /sys/conf/files.newconf"
+ cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
+ echo "Patching /sys/conf/files"
+ cat FreeBSD/files.diffs | (cd /sys/conf; patch)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+ echo "Patching /sys/conf/files.oldconf"
+ cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
+ echo "Patching /sys/conf/files"
+ cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+echo "Re-config'ing $newconfig..."
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
+endif
+awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM"}}' \
+ $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
diff --git a/contrib/ipfilter/FreeBSD/unkinstall b/contrib/ipfilter/FreeBSD/unkinstall
new file mode 100755
index 0000000..8547fcd
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/unkinstall
@@ -0,0 +1,58 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD ) cd ..
+echo -n "Uninstalling "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_log.c)
+ echo -n "$i ";
+ /bin/rm -f /sys/netinet/$i
+end
+echo ""
+echo "Unpatching $archdir/$karch/conf.c"
+cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch -R)
+echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
+(cd /sys/netinet; patch -R)
+
+if ( -f /sys/conf/files.newconf ) then
+ echo "Unpatching /sys/conf/files.newconf"
+ cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
+ echo "Unpatching /sys/conf/files"
+ cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+ echo "Unpatching /sys/conf/files.oldconf"
+ cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
+ echo "Unpatching /sys/conf/files"
+ cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
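Review bot: The removal list here names only `ip_ftp_pxy.c`, but the matching FreeBSD/kinstall installs `ip_{ftp,rcmd}_pxy.c` into /sys/netinet, so an uninstall leaves ip_rcmd_pxy.c behind and the two scripts drift apart. Changing the second foreach line to `ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd}_pxy.c ip_log.c)` keeps the two lists identical. Keeping the file list in one place shared by both scripts would prevent this from recurring, as the FreeBSD-3 pair already shows the same list duplicated.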
diff --git a/contrib/ipfilter/FreeBSD/unminstall b/contrib/ipfilter/FreeBSD/unminstall
new file mode 100755
index 0000000..a25746c
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/unminstall
@@ -0,0 +1,49 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD ) cd ..
+echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
+(cd /sys/netinet; patch -R)
+
+if ( -f /sys/conf/files.newconf ) then
+ echo "Unpatching /sys/conf/files.newconf"
+ cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
+ echo "Unpatching /sys/conf/files"
+ cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+ echo "Unpatching /sys/conf/files.oldconf"
+ cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
+ echo "Unpatching /sys/conf/files"
+ cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
+endif
+grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 50711ea..cc5dba7 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -2,15 +2,295 @@
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
-# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
-# loan of a machine to work on a Solaris 2.x port of this software.
+# Thanks to the Coombs Computing Unit at the ANU for their continued support
+# in providing a very available location for the IP Filter home page and
+# distribution center.
+#
+# Thanks to Tel.Net Media for allowing me to maintain and further develop
+# IP Filter as part of my job and supplying Sun equipment for testing the
+# move to 64bits.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
+# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
+# loan of a machine to work on a Solaris 2.x port of this software.
+#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
+#
+3.3.3 22/10/1999 - Released
+
+add -g command line option to ipfstat to show groups still define.
+
+fix problem with fragment table not recording rule pointer when called
+from state functions (fin_fr not set).
+
+fixup fastroute problems with keep state rules.
+
+load rules into inactive set first, so we don't disable things like NIS
+lookups half way through processing - found by Kevin Littlejohn
+
+fix handling of unaligned ip pointer for solaris
+
+patch for fr_newauth from Rudi Sluijtman
+
+fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short
+
+3.3.2 23/09/1999 - Released
+
+patches from Scott Presnell to fix rcmd proxy
+
+patches from Greg to fix Solaris detachment of interfaces
+
+add openbsd compatibility fixes
+
+fix free'ing already freed memory in ipfr_slowtimer()
+
+fix for deferencing invalid memory in cleaning up after a device disappears
+
+3.3.1 14/8/1999 - Released
+
+remove include file sys/user.h for irix
+
+prevent people from running buildsunos directly
+
+fix up some problems with the saving of rule pointers so that NAT saves
+that information in case it should need to call fr_addstate() from a proxy.
+
+fix up scanning for the end of FTP messages
+
+don't remove /etc/opt/ipf in postremove
+
+attempt to prevent people running buildsolaris script without doing a
+"make solaris"
+
+fix timeout losing on freebsd3
+
+3.3 7/8/1999 - Released
+
+NAT: information (rules, mappings) are stored in hash tables; setup some
+basic NAT regression testing.
+
+display version name of installed kernel code when initializing.
+
+add -V command line option to ipf, showing version (program and kernel
+module) as well as the run-status of the kernel code.
+
+fix problem with "log" rules actually affecting result of filtering.
+
+automatically use SUNWspro if available and on a 64bit Solaris system for
+compiling.
+
+add kernel proxies for rcmd(3) and RealAudio (PNA)
+
+use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
+ip_slowtimo
+
+fix IP headers generated through parsing of text information
+
+fix NAT rules to be in the correct order again.
+
+make keep-state work with to/fastroute keywords and enforce usage of those
+interfaces.
+
+update keep-state code with new algorithm from Guido
+
+add FreeBSD-3 support
+
+add return-icmp-as-dest option to retrun an ICMP packet using the original
+destination as the source rather than a local IP address
+
+add "level [facility.]<priority>" option to filter language
+
+add changes from Guido to state code.
+
+add code to return EPERM if the device is opened for writing and we're
+in securelevel 2 or greater.
+
+authentication code patches from Guido
+
+fix real audio proxy
+
+fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
+log output.
+
+fix bimap rules with hash tables
+
+update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
+if it changes on the interface - check every ip_natexpire()
+
+add redirect regression test
+
+count buckets used in the state hash table.
+
+fix sending of RST's with return-rst to use the ack number provided in
+the packet being replied to in addition to the sequence number.
+
+fix to compile as a 64bit application on solaris7-64bit
+
+add NAT IP mapping to ranges of IP addresses that aren't CIDR specified
+
+fix calculation of in_space parameter for NAT
+
+fix `wrapping' when incrementing the next ip address for use in NAT
+
+fix free'ing of kernel memory in ip_natunload on solaris
+
+fix -l/-U command line options from interfering with each other
+
+fix fastroute under solaris2 and cleanup compilation for solaris7
+
+add install scripts and compile cleanly on BSD/OS 4.0
+
+safely open files in /tmp for writing device output when testing.
+
+fix uninitialized pointer bug in NAT
+
+fix SIOCZRLST (zero list rule stats) bug with groups
+
+change some usage of u_short to u_int in function calling
+
+fix compilation for Solaris7 (SUNWspro)
+
+change solaris makefiles to build for either sparc or i386 rather than
+per-cpu (sun4u, etc).
+
+fixed bug in ipllog
+
+add patches from George Michaelson for FreeBSD 3.0
+
+add patch from Guido to provide ICMP checking for known state in the same
+manner as is done for NAT.
+
+enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
+for better PORT/PASV support with FTP.
+
+bring into main tree static nat features: map-block and "auto" portmapping.
+
+add in source host filtering for redirects (alan jones)
+
+3.2.10 22/11/98 - Released
+
+3.2.10beta9 17/11/98 - Released
+
+fix fr_tcpsum problems in handling mbufs with an odd number of bytes
+and/or split across an mbuf boundary
+
+fix NAT list entry comparisons and allow multiple entries for the same
+proxy (but on different ports).
+
+don't create duplicate NAT entries for repeated PORT commands.
+
+3.2.10beta8 14/11/98 - Released
+
+always exit an rwlock before expecting to enter it again on solaris
+
+fix loop in nat_new for pre-existing nat
+
+don't setup state for an ftp connection if creating nat fails.
+
+3.2.10beta7 05/11/98 - Released
+
+set fake window in ipft_tx.c to ensure code passes tests.
+
+cleaned up/enhanced ipnat -l/ipnat -lv output
+
+fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.
+
+Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
+than mutexes.
+
+3.2.10beta6 03/11/98 - Released
+
+fix mixed use of krwlock_t and kmutex_t on Solaris2
+
+fix FTP proxy back up, splitting pasv code out of port code.
+
+3.2.10beta5 02/11/98 - Released
+
+fixed port translation in ICMP reply handling
+
+3.2.10beta4 01/11/98 - Released
+
+increase useful statistic collection on solaris
+
+filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris
+
+disable PASV reply translation for now
+
+fail with an error if we try to load a NAT rule with a non-existant
+ proxy name - Guido
+
+fix portmap usage with 0/0 and 0/32 map rules
+
+remove ap_unload/ap_expire - automatically done when NAT is cleaned up
+
+print "STATE:CLOSED" from ipmon if the connection progresses past established
+ rather than "STATE:EXPIRED"
+
+3.2.10beta3 26/10/98 - Released
+
+fixed traceroute/nat problem
+
+rewrote nat/proxy interface
+
+ipnat now lists associated proxy sessions for each NAT where applicable
+
+3.2.10beta2 13/10/98 - Released
+
+use KRWLOCK_T in place of krwlock_t for solaris as well as irix
+
+disable use of read-write lock acquisition by default
+
+add in mb_t for linux, non-kernel
+
+some changes to progress compilation on linux with glibc
+
+change PASV as well as PORT when passed through kernel ftp proxy.
+
+don't allow window to become 0 in tcp state code
+
+make ipmon compile cleaner
+
+irix patches
+
+3.2.10beta 11/09/98 - Released
+
+stop fr_tcpsum() thinking it has run out of data when it hasn't.
+
+stop solaris panics due to fin_dp being something wild.
+
+revisit usage of ATOMIC_*()
+
+log closing state of TCP connection in "keep state"
+
+fix fake-arp table code for ipsend.
+
+ipmon now writes pid to a file.
+
+fix "ipmon -a" to actually activate all logging devices.
+
+add patches for BSDOS4.
+
+perl scripts for log analysis donated.
+
+3.2.9 22/06/98 - Released
+
+fix byte order for ICMP packets generated on Solaris
+
+fix some locking problems.
+
+fix malloc bug in NAT (introduced in 3.2.8).
+
+patch from guido for state connections that get fragmented
+
+3.2.8 08/06/98 - Released
+
+use readers/writers locks in Solaris2 in place of some mutexes.
+
+Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)
3.2.7 24/05/98 - Released
diff --git a/contrib/ipfilter/INSTALL.BSDOS b/contrib/ipfilter/INSTALL.BSDOS
new file mode 100644
index 0000000..17d9602
--- /dev/null
+++ b/contrib/ipfilter/INSTALL.BSDOS
@@ -0,0 +1,35 @@
+
+BSD/OS users.
+-------------
+
+First, you need to build IP Filter. Do this from the "ip_fil3.2.x"
+directory with the command "make bsdos". If this completes successfully,
+install the various bits and pieces with "make install-bsd".
+
+Prior to starting, it is a good idea for you to know what your kernel config
+file is (it appears that the script guesses incorrectly at present).
+
+Once you have that in mind, run the 'kinstall' script in the correct
+BSDOS3 or BSDOS4 directory. This will attempt to patch a bunch of files
+or install the relevant .o files if you don't have kernel source.
+It will also go and install all the IP Filter .c and .h files where they
+can be find when it comes time to build the kernel.
+
+The script will then pause and ask you for your kernel configuration
+file. After you enter this, it will add "options IPFILTER" to your
+kernel configuration file. IF YOU WANT TO DO LOGGING, ADD
+"options IPFILTER_LOG" to your kernel configuration file NOW!
+
+Now that you've got your kernel configuration file done, use config
+to setup a new kernel build and complete with make.
+
+When the kernel rebuilt is complete, put it into / and reboot with
+your new kernel. If IP Filter has been configured into your kernel
+correctly, you will see a message like this when your system boots:
+
+IP Filter: initialized. Default = pass all, Logging = enabled
+
+Upon logging in, the IP Filter commands ipfstat, et al, should all
+function properly.
+
+Darren
diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD
index 3f0a885..66ad297 100644
--- a/contrib/ipfilter/INSTALL.FreeBSD
+++ b/contrib/ipfilter/INSTALL.FreeBSD
@@ -1,5 +1,7 @@
-*** IF you are using FreeBSD 2.2 or later, see the file "INST.FreeBSD-2.2" ***
+*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
+*** IF you are using FreeBSD 3 or later, see the file "INST.FreeBSD-3" ***
+*** in the "FreeBSD-3" directory ***
To build a kernel for use with the loadable kernel module, follow these
diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2
index cc66007..5ba84b9 100644
--- a/contrib/ipfilter/INSTALL.Sol2
+++ b/contrib/ipfilter/INSTALL.Sol2
@@ -1,8 +1,9 @@
-For those running Solaris 2.5, please read COMPILE.2.5 before building
-IP Filter.
+For those running Solaris 2.5 or later, please read COMPILE.2.5 before
+building IP Filter.
-Type "make solaris" to build all the required binaries.
+Type "make solaris" to build all the required binaries. DO NOT USE THE
+GNU make!!!
Once IP Filter has been successfully compiled, you may then install it using
the usual package method (using pkgadd), however, the package needs to be
diff --git a/contrib/ipfilter/LICENCE b/contrib/ipfilter/LICENCE
index 63430af..903e886 100644
--- a/contrib/ipfilter/LICENCE
+++ b/contrib/ipfilter/LICENCE
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* The author accepts no responsibility for the use of this software and
* provides it on an ``as is'' basis without express or implied warranty.
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 6554095..a71aa57 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -1,18 +1,18 @@
#
-# Copyright (C) 1993-1997 by Darren Reed.
+# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
-# $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $
+# $Id: Makefile,v 2.2 1999/08/04 17:29:52 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/local/man
#To test prototyping
-#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
-CC=gcc
+CC=gcc -Wstrict-prototypes -Wmissing-prototypes
+#CC=gcc
#CC=cc -Dconst=
DEBUG=-g
CFLAGS=-I$$(TOP)
@@ -39,11 +39,12 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
#
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
#
-MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
- 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
+MFLAGS1="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
+ 'CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2)' \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)"
+MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)"
#
SHELL=/bin/sh
#
@@ -58,11 +59,12 @@ INSTALL=install
all:
@echo "Chose one of the following targets for making IP filter:"
@echo ""
- @echo "solaris - auto-selects SunOS4.1.x/Solaris 2.[45]/Solaris2.[45]-x86"
+ @echo "solaris - auto-selects SunOS4.1.x/Solaris 2.3-6/Solaris2.4-6x86"
@echo "netbsd - compile for NetBSD"
@echo "openbsd - compile for OpenBSD"
@echo "freebsd - compile for FreeBSD 2.0, 2.1 or earlier"
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
+ @echo "freebsd3 - compile for FreeBSD-3.x"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@@ -74,9 +76,8 @@ tests:
else echo test directory not present, sorry; fi
include:
- if [ ! -d netinet -o ! -f netinet/done ] ; then \
- mkdir -p netinet; \
- (cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .); \
+ if [ ! -f netinet/done ] ; then \
+ (cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .; ln -s ../ip_rcmd_pxy.c .; ln -s ../ip_raudio_pxy.c .); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
touch netinet/done; \
fi
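Review bot: The `include` target now assumes `netinet/` already exists (the `mkdir -p` guard is gone), yet the recipe still joins `cd netinet` to the `ln -s` commands with `;`, so if the directory is absent the `cd` fails inside the subshell and every `ln -s ../*.h .` runs in the top-level source directory instead. Writing `(cd netinet && ln -s ../*.h . && ln -s ../ip_ftp_pxy.c . && ...)` makes the recipe fail loudly at the right place. The same pattern appears in the new `clean-include` target later in this file, where `sh -c 'cd netinet; for i in *; do ... /bin/rm -f $$i ...'` would remove symlinks from the top-level directory after a failed `cd`; `cd netinet && for i in *` is the safer form there too.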
@@ -84,12 +85,12 @@ include:
sunos solaris: include
./buildsunos
-freebsd22 freebsd30: include
+freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
@if [ -n $(IPFILKERN) ] ; then \
- if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ] ; then \
- ln -s /sys/$(IPFILKERN)/compile/ioconf.h BSD/$(CPUDIR); \
+ if [ -f /sys/compile/$(IPFILKERN)/ioconf.h ] ; then \
+ ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
else \
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
fi \
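Review bot: The guard `@if [ -n $(IPFILKERN) ] ; then \` that encloses the rewritten `ioconf.h` lines is unquoted, so when `IPFILKERN` is empty the shell sees `[ -n ]`, which is true, and the recipe goes on to test `/sys/compile//ioconf.h` and fall through to `ln -s /sys//ioconf.h BSD/$(CPUDIR)`, leaving a dangling symlink. Quoting it as `@if [ -n "$(IPFILKERN)" ] ; then \` makes the empty case skip the block as intended. The condition itself is pre-existing context, but this hunk already reworks the lines inside it.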
@@ -102,6 +103,11 @@ freebsd22 freebsd30: include
fi
make freebsd
+freebsd3 freebsd30: include
+ make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" LKM= ; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
+
netbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
@@ -146,10 +152,9 @@ setup:
-ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile
-ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend
-clean:
- ${RM} -rf netinet
+clean: clean-include
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
- vnode_if.h $(LKM)
+ vnode_if.h $(LKM) *~
if [ "`uname -s`" = "SunOS" ]; then (cd SunOS4; make clean); fi
if [ "`uname -s`" = "SunOS" ]; then (cd SunOS5; make clean); fi
(cd BSD; make clean)
@@ -158,19 +163,23 @@ clean:
[ -d test ] && (cd test; make clean)
(cd ipsend; make clean)
-clean-bsd:
+clean-include:
+ sh -c 'cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done'
+ ${RM} -f netinet/done
+
+clean-bsd: clean-include
(cd BSD; make clean)
-clean-sunos4:
+clean-sunos4: clean-include
(cd SunOS4; make clean)
-clean-sunos5:
+clean-sunos5: clean-include
(cd SunOS5; make clean)
-clean-irix:
+clean-irix: clean-include
(cd IRIX; make clean)
-clean-linux:
+clean-linux: clean-include
(cd Linux; make clean)
get:
diff --git a/contrib/ipfilter/UPGRADE_NOTICE b/contrib/ipfilter/UPGRADE_NOTICE
new file mode 100644
index 0000000..8b44760
--- /dev/null
+++ b/contrib/ipfilter/UPGRADE_NOTICE
@@ -0,0 +1,10 @@
+
+NOTE: To all those upgrading from versions prior to 3.2.11 who used NAT
+ AND setup ACL's to allow untranslated address through from outside,
+
+ THIS HAS BEEN FIXED
+
+ so your ACL's will now be `broken'. Please correct your ACL's to
+ match the the untranslated addresses (the way it was meant to work).
+
+Darren
diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos
index ed8a034..fa2474e 100755
--- a/contrib/ipfilter/buildsunos
+++ b/contrib/ipfilter/buildsunos
@@ -1,24 +1,49 @@
#! /bin/sh
-# $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $
+if [ ! -f netinet/done ] ; then
+ echo "Do NOT run this script directly, do 'make solaris'!"
+ exit 1
+fi
+# $Id: buildsunos,v 2.1.2.1 1999/08/08 13:55:20 darrenr Exp $
:
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
-cpu=`uname -m`
-cpudir=${cpu}-`uname -r`
+if [ -d /usr/ccs/bin ] ; then
+ PATH=/usr/ccs/bin:${PATH}
+fi
if [ $rev = 5 ] ; then
+ cpu=`uname -p`
+ cpudir=${cpu}-`uname -r`
solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
- mkdir -p SunOS5/${cpudir}
+ if [ ! -d SunOS5/${cpudir} -a ! -h SunOS5/${cpudir} ] ; then
+ mkdir -p SunOS5/${cpudir}
+ fi
/bin/rm -f SunOS5/${cpudir}/Makefile
/bin/rm -f SunOS5/${cpudir}/Makefile.ipsend
- ln -s ../Makefile SunOS5/${cpudir}/Makefile
- ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend
+ ln -s `pwd`/SunOS5/Makefile SunOS5/${cpudir}/Makefile
+ ln -s `pwd`/SunOS5/Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend
+ ARCHINC=
+ XARCH=
+ if [ -d /opt/SUNWspro/bin ] ; then
+ CC="/opt/SUNWspro/bin/cc ${CFL}"
+ export CC
+ /bin/optisa sparcv9 >/dev/null 2>&1
+ if [ $? -eq 0 ] ; then
+ ARCHINC="-I/usr/include/v9"
+ XARCH="-xarch=v9 -xchip=ultra -dalign -xcode=abs32"
+ fi
+ else
+ CC=gcc
+ fi
+else
+ cpu=`uname -m`
+ cpudir=${cpu}-`uname -r`
fi
-if [ $cpu = i86pc ] ; then
- make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
+if [ $cpu = i386 ] ; then
+ make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU= CPUDIR=${cpudir} CC="$CC $XARCH" XARCH="$XARCH" ARCHINC="$ARCHINC"
exit $?
fi
if [ x$solrev = x ] ; then
make ${1+"$@"} sunos$rev "ARCH=`uname -m`"
exit $?
fi
-make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
+make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU= CPUDIR=${cpudir} CC="$CC $XARCH" XARCH="$XARCH" ARCHINC="$ARCHINC"
exit $?
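Review bot: `CC="/opt/SUNWspro/bin/cc ${CFL}"` in the SUNWspro branch references `CFL`, which is never assigned in this script, so it only contributes flags when the caller happens to export a variable of that name; if it is a typo for `CFLAGS` the flag passthrough is silently lost, and if it is intentional it deserves a comment such as `# CFL: optional extra compiler flags inherited from the environment`. The `/bin/optisa sparcv9 >/dev/null 2>&1` followed by a separate `if [ $? -eq 0 ]` can also be folded into `if /bin/optisa sparcv9 >/dev/null 2>&1 ; then`, which keeps the test next to the command it checks.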
diff --git a/contrib/ipfilter/etc/services b/contrib/ipfilter/etc/services
index 90dd07a..7afcde8 100644
--- a/contrib/ipfilter/etc/services
+++ b/contrib/ipfilter/etc/services
@@ -1,731 +1,2535 @@
-tcpmux 1/tcp # TCP Port Service Multiplexer
-tcpmux 1/udp # TCP Port Service Multiplexer
-compressnet 2/tcp # Management Utility
-compressnet 2/udp # Management Utility
-compressnet 3/tcp # Compression Process
-compressnet 3/udp # Compression Process
-rje 5/tcp # Remote Job Entry
-rje 5/udp # Remote Job Entry
-echo 7/tcp # Echo
-echo 7/udp # Echo
-discard 9/tcp # Discard
-discard 9/udp # Discard
-systat 11/tcp # Active Users
-systat 11/udp # Active Users
-daytime 13/tcp # Daytime
-daytime 13/udp # Daytime
-qotd 17/tcp # Quote of the Day
-qotd 17/udp # Quote of the Day
-msp 18/tcp # Message Send Protocol
-msp 18/udp # Message Send Protocol
-chargen 19/tcp # Character Generator
-chargen 19/udp # Character Generator
-ftp-data 20/tcp # File Transfer
-ftp-data 20/udp # File Transfer
-ftp 21/tcp # File Transfer
-ftp 21/udp # File Transfer
-telnet 23/tcp # Telnet
-telnet 23/udp # Telnet
-smtp 25/tcp # Simple Mail Transfer
-smtp 25/udp # Simple Mail Transfer
-nsw-fe 27/tcp # NSW User System FE
-nsw-fe 27/udp # NSW User System FE
-msg-icp 29/tcp # MSG ICP
-msg-icp 29/udp # MSG ICP
-msg-auth 31/tcp # MSG Authentication
-msg-auth 31/udp # MSG Authentication
-dsp 33/tcp # Display Support Protocol
-dsp 33/udp # Display Support Protocol
-time 37/tcp # Time
-time 37/udp # Time
-rap 38/tcp # Route Access Protocol
-rap 38/udp # Route Access Protocol
-rlp 39/tcp # Resource Location Protocol
-rlp 39/udp # Resource Location Protocol
-graphics 41/tcp # Graphics
-graphics 41/udp # Graphics
-nameserver 42/tcp # Host Name Server
-nameserver 42/udp # Host Name Server
-nicname 43/tcp # Who Is
-nicname 43/udp # Who Is
-mpm-flags 44/tcp # MPM FLAGS Protocol
-mpm-flags 44/udp # MPM FLAGS Protocol
-mpm 45/tcp # Message Processing Module
-mpm 45/udp # Message Processing Module
-mpm-snd 46/tcp # MPM
-mpm-snd 46/udp # MPM
-ni-ftp 47/tcp # NI FTP
-ni-ftp 47/udp # NI FTP
-auditd 48/tcp # Digital Audit Daemon
-auditd 48/udp # Digital Audit Daemon
-re-mail-ck 50/tcp # Remote Mail Checking Protocol
-re-mail-ck 50/udp # Remote Mail Checking Protocol
-la-maint 51/tcp # IMP Logical Address Maintenance
-la-maint 51/udp # IMP Logical Address Maintenance
-xns-time 52/tcp # XNS Time Protocol
-xns-time 52/udp # XNS Time Protocol
-domain 53/tcp # Domain Name Server
-domain 53/udp # Domain Name Server
-xns-ch 54/tcp # XNS Clearinghouse
-xns-ch 54/udp # XNS Clearinghouse
-isi-gl 55/tcp # ISI Graphics Language
-isi-gl 55/udp # ISI Graphics Language
-xns-auth 56/tcp # XNS Authentication
-xns-auth 56/udp # XNS Authentication
-xns-mail 58/tcp # XNS Mail
-xns-mail 58/udp # XNS Mail
-ni-mail 61/tcp # NI MAIL
-ni-mail 61/udp # NI MAIL
-acas 62/tcp # ACA Services
-acas 62/udp # ACA Services
-covia 64/tcp # Communications Integrator (CI)
-covia 64/udp # Communications Integrator (CI)
-tacacs-ds 65/tcp # TACACS-Database Service
-tacacs-ds 65/udp # TACACS-Database Service
-sql*net 66/tcp # Oracle SQL*NET
-sql*net 66/udp # Oracle SQL*NET
-bootps 67/tcp # Bootstrap Protocol Server
-bootps 67/udp # Bootstrap Protocol Server
-bootpc 68/tcp # Bootstrap Protocol Client
-bootpc 68/udp # Bootstrap Protocol Client
-tftp 69/tcp # Trivial File Transfer
-tftp 69/udp # Trivial File Transfer
-gopher 70/tcp # Gopher
-gopher 70/udp # Gopher
-netrjs-1 71/tcp # Remote Job Service
-netrjs-1 71/udp # Remote Job Service
-netrjs-2 72/tcp # Remote Job Service
-netrjs-2 72/udp # Remote Job Service
-netrjs-3 73/tcp # Remote Job Service
-netrjs-3 73/udp # Remote Job Service
-netrjs-4 74/tcp # Remote Job Service
-netrjs-4 74/udp # Remote Job Service
-deos 76/tcp # Distributed External Object Store
-deos 76/udp # Distributed External Object Store
-vettcp 78/tcp # vettcp
-vettcp 78/udp # vettcp
-finger 79/tcp # Finger
-finger 79/udp # Finger
-www-http 80/tcp # World Wide Web HTTP
-www-http 80/udp # World Wide Web HTTP
-hosts2-ns 81/tcp # HOSTS2 Name Server
-hosts2-ns 81/udp # HOSTS2 Name Server
-xfer 82/tcp # XFER Utility
-xfer 82/udp # XFER Utility
-mit-ml-dev 83/tcp # MIT ML Device
-mit-ml-dev 83/udp # MIT ML Device
-ctf 84/tcp # Common Trace Facility
-ctf 84/udp # Common Trace Facility
-mit-ml-dev 85/tcp # MIT ML Device
-mit-ml-dev 85/udp # MIT ML Device
-mfcobol 86/tcp # Micro Focus Cobol
-mfcobol 86/udp # Micro Focus Cobol
-kerberos 88/tcp # Kerberos
-kerberos 88/udp # Kerberos
-su-mit-tg 89/tcp # SU/MIT Telnet Gateway
-su-mit-tg 89/udp # SU/MIT Telnet Gateway
-dnsix 90/tcp # DNSIX Securit Attribute Token Map
-dnsix 90/udp # DNSIX Securit Attribute Token Map
-mit-dov 91/tcp # MIT Dover Spooler
-mit-dov 91/udp # MIT Dover Spooler
-npp 92/tcp # Network Printing Protocol
-npp 92/udp # Network Printing Protocol
-dcp 93/tcp # Device Control Protocol
-dcp 93/udp # Device Control Protocol
-objcall 94/tcp # Tivoli Object Dispatcher
-objcall 94/udp # Tivoli Object Dispatcher
-supdup 95/tcp # SUPDUP
-supdup 95/udp # SUPDUP
-dixie 96/tcp # DIXIE Protocol Specification
-dixie 96/udp # DIXIE Protocol Specification
-swift-rvf 97/tcp # Swift Remote Vitural File Protocol
-swift-rvf 97/udp # Swift Remote Vitural File Protocol
-tacnews 98/tcp # TAC News
-tacnews 98/udp # TAC News
-metagram 99/tcp # Metagram Relay
-metagram 99/udp # Metagram Relay
-newacct 100/tcp
-hostname 101/tcp # NIC Host Name Server
-hostname 101/udp # NIC Host Name Server
-iso-tsap 102/tcp # ISO-TSAP
-iso-tsap 102/udp # ISO-TSAP
-gppitnp 103/tcp # Genesis Point-to-Point Trans Net
-gppitnp 103/udp # Genesis Point-to-Point Trans Net
-acr-nema 104/tcp # ACR-NEMA Digital Imag. & Comm. 300
-acr-nema 104/udp # ACR-NEMA Digital Imag. & Comm. 300
-csnet-ns 105/tcp # Mailbox Name Nameserver
-csnet-ns 105/udp # Mailbox Name Nameserver
-3com-tsmux 106/tcp # 3COM-TSMUX
-3com-tsmux 106/udp # 3COM-TSMUX
-rtelnet 107/tcp # Remote Telnet Service
-rtelnet 107/udp # Remote Telnet Service
-snagas 108/tcp # SNA Gateway Access Server
-snagas 108/udp # SNA Gateway Access Server
-pop2 109/tcp # Post Office Protocol - Version 2
-pop2 109/udp # Post Office Protocol - Version 2
-pop3 110/tcp # Post Office Protocol - Version 3
-pop3 110/udp # Post Office Protocol - Version 3
-sunrpc 111/tcp # SUN Remote Procedure Call
-sunrpc 111/udp # SUN Remote Procedure Call
-mcidas 112/tcp # McIDAS Data Transmission Protocol
-mcidas 112/udp # McIDAS Data Transmission Protocol
-auth 113/tcp # Authentication Service
-auth 113/udp # Authentication Service
-audionews 114/tcp # Audio News Multicast
-audionews 114/udp # Audio News Multicast
-sftp 115/tcp # Simple File Transfer Protocol
-sftp 115/udp # Simple File Transfer Protocol
-ansanotify 116/tcp # ANSA REX Notify
-ansanotify 116/udp # ANSA REX Notify
-uucp-path 117/tcp # UUCP Path Service
-uucp-path 117/udp # UUCP Path Service
-sqlserv 118/tcp # SQL Services
-sqlserv 118/udp # SQL Services
-nntp 119/tcp # Network News Transfer Protocol
-nntp 119/udp # Network News Transfer Protocol
-cfdptkt 120/tcp # CFDPTKT
-cfdptkt 120/udp # CFDPTKT
-erpc 121/tcp # Encore Expedited Remote Pro.Call
-erpc 121/udp # Encore Expedited Remote Pro.Call
-smakynet 122/tcp # SMAKYNET
-smakynet 122/udp # SMAKYNET
-ntp 123/tcp # Network Time Protocol
-ntp 123/udp # Network Time Protocol
-ansatrader 124/tcp # ANSA REX Trader
-ansatrader 124/udp # ANSA REX Trader
-locus-map 125/tcp # Locus PC-Interface Net Map Ser
-locus-map 125/udp # Locus PC-Interface Net Map Ser
-unitary 126/tcp # Unisys Unitary Login
-unitary 126/udp # Unisys Unitary Login
-locus-con 127/tcp # Locus PC-Interface Conn Server
-locus-con 127/udp # Locus PC-Interface Conn Server
-gss-xlicen 128/tcp # GSS X License Verification
-gss-xlicen 128/udp # GSS X License Verification
-pwdgen 129/tcp # Password Generator Protocol
-pwdgen 129/udp # Password Generator Protocol
-cisco-fna 130/tcp # cisco FNATIVE
-cisco-fna 130/udp # cisco FNATIVE
-cisco-tna 131/tcp # cisco TNATIVE
-cisco-tna 131/udp # cisco TNATIVE
-cisco-sys 132/tcp # cisco SYSMAINT
-cisco-sys 132/udp # cisco SYSMAINT
-statsrv 133/tcp # Statistics Service
-statsrv 133/udp # Statistics Service
-ingres-net 134/tcp # INGRES-NET Service
-ingres-net 134/udp # INGRES-NET Service
-loc-srv 135/tcp # Location Service
-loc-srv 135/udp # Location Service
-profile 136/tcp # PROFILE Naming System
-profile 136/udp # PROFILE Naming System
-netbios-ns 137/tcp # NETBIOS Name Service
-netbios-ns 137/udp # NETBIOS Name Service
-netbios-dgm 138/tcp # NETBIOS Datagram Service
-netbios-dgm 138/udp # NETBIOS Datagram Service
-netbios-ssn 139/tcp # NETBIOS Session Service
-netbios-ssn 139/udp # NETBIOS Session Service
-emfis-data 140/tcp # EMFIS Data Service
-emfis-data 140/udp # EMFIS Data Service
-emfis-cntl 141/tcp # EMFIS Control Service
-emfis-cntl 141/udp # EMFIS Control Service
-bl-idm 142/tcp # Britton-Lee IDM
-bl-idm 142/udp # Britton-Lee IDM
-imap2 143/tcp # Interim Mail Access Protocol v2
-imap2 143/udp # Interim Mail Access Protocol v2
-news 144/tcp # NewS
-news 144/udp # NewS
-uaac 145/tcp # UAAC Protocol
-uaac 145/udp # UAAC Protocol
-iso-tp0 146/tcp # ISO-IP0
-iso-tp0 146/udp # ISO-IP0
-iso-ip 147/tcp # ISO-IP
-iso-ip 147/udp # ISO-IP
-cronus 148/tcp # CRONUS-SUPPORT
-cronus 148/udp # CRONUS-SUPPORT
-aed-512 149/tcp # AED 512 Emulation Service
-aed-512 149/udp # AED 512 Emulation Service
-sql-net 150/tcp # SQL-NET
-sql-net 150/udp # SQL-NET
-hems 151/tcp # HEMS
-hems 151/udp # HEMS
-bftp 152/tcp # Background File Transfer Program
-bftp 152/udp # Background File Transfer Program
-sgmp 153/tcp # SGMP
-sgmp 153/udp # SGMP
-netsc-prod 154/tcp # NETSC
-netsc-prod 154/udp # NETSC
-netsc-dev 155/tcp # NETSC
-netsc-dev 155/udp # NETSC
-sqlsrv 156/tcp # SQL Service
-sqlsrv 156/udp # SQL Service
-knet-cmp 157/tcp # KNET/VM Command/Message Protocol
-knet-cmp 157/udp # KNET/VM Command/Message Protocol
-pcmail-srv 158/tcp # PCMail Server
-pcmail-srv 158/udp # PCMail Server
-nss-routing 159/tcp # NSS-Routing
-nss-routing 159/udp # NSS-Routing
-sgmp-traps 160/tcp # SGMP-TRAPS
-sgmp-traps 160/udp # SGMP-TRAPS
-snmp 161/tcp # SNMP
-snmp 161/udp # SNMP
-snmptrap 162/tcp # SNMPTRAP
-snmptrap 162/udp # SNMPTRAP
-cmip-man 163/tcp # CMIP/TCP Manager
-cmip-man 163/udp # CMIP/TCP Manager
-cmip-agent 164/tcp # CMIP/TCP Agent
-smip-agent 164/udp # CMIP/TCP Agent
-xns-courier 165/tcp # Xerox
-xns-courier 165/udp # Xerox
-s-net 166/tcp # Sirius Systems
-s-net 166/udp # Sirius Systems
-namp 167/tcp # NAMP
-namp 167/udp # NAMP
-rsvd 168/tcp # RSVD
-rsvd 168/udp # RSVD
-send 169/tcp # SEND
-send 169/udp # SEND
-print-srv 170/tcp # Network PostScript
-print-srv 170/udp # Network PostScript
-multiplex 171/tcp # Network Innovations Multiplex
-multiplex 171/udp # Network Innovations Multiplex
-cl/1 172/tcp # Network Innovations CL/1
-cl/1 172/udp # Network Innovations CL/1
-xyplex-mux 173/tcp # Xyplex
-xyplex-mux 173/udp # Xyplex
-mailq 174/tcp # MAILQ
-mailq 174/udp # MAILQ
-vmnet 175/tcp # VMNET
-vmnet 175/udp # VMNET
-genrad-mux 176/tcp # GENRAD-MUX
-genrad-mux 176/udp # GENRAD-MUX
-xdmcp 177/tcp # X Display Manager Control Protocol
-xdmcp 177/udp # X Display Manager Control Protocol
-nextstep 178/tcp # NextStep Window Server
-NextStep 178/udp # NextStep Window Server
-bgp 179/tcp # Border Gateway Protocol
-bgp 179/udp # Border Gateway Protocol
-ris 180/tcp # Intergraph
-ris 180/udp # Intergraph
-unify 181/tcp # Unify
-unify 181/udp # Unify
-audit 182/tcp # Unisys Audit SITP
-audit 182/udp # Unisys Audit SITP
-ocbinder 183/tcp # OCBinder
-ocbinder 183/udp # OCBinder
-ocserver 184/tcp # OCServer
-ocserver 184/udp # OCServer
-remote-kis 185/tcp # Remote-KIS
-remote-kis 185/udp # Remote-KIS
-kis 186/tcp # KIS Protocol
-kis 186/udp # KIS Protocol
-aci 187/tcp # Application Communication Interface
-aci 187/udp # Application Communication Interface
-mumps 188/tcp # Plus Five's MUMPS
-mumps 188/udp # Plus Five's MUMPS
-qft 189/tcp # Queued File Transport
-qft 189/udp # Queued File Transport
-gacp 190/tcp # Gateway Access Control Protocol
-cacp 190/udp # Gateway Access Control Protocol
-prospero 191/tcp # Prospero Directory Service
-prospero 191/udp # Prospero Directory Service
-osu-nms 192/tcp # OSU Network Monitoring System
-osu-nms 192/udp # OSU Network Monitoring System
-srmp 193/tcp # Spider Remote Monitoring Protocol
-srmp 193/udp # Spider Remote Monitoring Protocol
-irc 194/tcp # Internet Relay Chat Protocol
-irc 194/udp # Internet Relay Chat Protocol
-dn6-nlm-aud 195/tcp # DNSIX Network Level Module Audit
-dn6-nlm-aud 195/udp # DNSIX Network Level Module Audit
-dn6-smm-red 196/tcp # DNSIX Session Mgt Module Audit Redir
-dn6-smm-red 196/udp # DNSIX Session Mgt Module Audit Redir
-dls 197/tcp # Directory Location Service
-dls 197/udp # Directory Location Service
-dls-mon 198/tcp # Directory Location Service Monitor
-dls-mon 198/udp # Directory Location Service Monitor
-smux 199/tcp # SMUX
-smux 199/udp # SMUX
-src 200/tcp # IBM System Resource Controller
-src 200/udp # IBM System Resource Controller
-at-rtmp 201/tcp # AppleTalk Routing Maintenance
-at-rtmp 201/udp # AppleTalk Routing Maintenance
-at-nbp 202/tcp # AppleTalk Name Binding
-at-nbp 202/udp # AppleTalk Name Binding
-at-3 203/tcp # AppleTalk Unused
-at-3 203/udp # AppleTalk Unused
-at-echo 204/tcp # AppleTalk Echo
-at-echo 204/udp # AppleTalk Echo
-at-5 205/tcp # AppleTalk Unused
-at-5 205/udp # AppleTalk Unused
-at-zis 206/tcp # AppleTalk Zone Information
-at-zis 206/udp # AppleTalk Zone Information
-at-7 207/tcp # AppleTalk Unused
-at-7 207/udp # AppleTalk Unused
-at-8 208/tcp # AppleTalk Unused
-at-8 208/udp # AppleTalk Unused
-tam 209/tcp # Trivial Authenticated Mail Protocol
-tam 209/udp # Trivial Authenticated Mail Protocol
-z39.50 210/tcp # ANSI Z39.50
-z39.50 210/udp # ANSI Z39.50
-914c/g 211/tcp # Texas Instruments 914C/G Terminal
-914c/g 211/udp # Texas Instruments 914C/G Terminal
-anet 212/tcp # ATEXSSTR
-anet 212/udp # ATEXSSTR
-ipx 213/tcp # IPX
-ipx 213/udp # IPX
-vmpwscs 214/tcp # VM PWSCS
-vmpwscs 214/udp # VM PWSCS
-softpc 215/tcp # Insignia Solutions
-softpc 215/udp # Insignia Solutions
-atls 216/tcp # Access Technology License Server
-atls 216/udp # Access Technology License Server
-dbase 217/tcp # dBASE Unix
-dbase 217/udp # dBASE Unix
-mpp 218/tcp # Netix Message Posting Protocol
-mpp 218/udp # Netix Message Posting Protocol
-uarps 219/tcp # Unisys ARPs
-uarps 219/udp # Unisys ARPs
-imap3 220/tcp # Interactive Mail Access Protocol v3
-imap3 220/udp # Interactive Mail Access Protocol v3
-fln-spx 221/tcp # Berkeley rlogind with SPX auth
-fln-spx 221/udp # Berkeley rlogind with SPX auth
-rsh-spx 222/tcp # Berkeley rshd with SPX auth
-rsh-spx 222/udp # Berkeley rshd with SPX auth
-cdc 223/tcp # Certificate Distribution Center
-cdc 223/udp # Certificate Distribution Center
-sur-meas 243/tcp # Survey Measurement
-sur-meas 243/udp # Survey Measurement
-link 245/tcp # LINK
-link 245/udp # LINK
-dsp3270 246/tcp # Display Systems Protocol
-dsp3270 246/udp # Display Systems Protocol
-pdap 344/tcp # Prospero Data Access Protocol
-pdap 344/udp # Prospero Data Access Protocol
-pawserv 345/tcp # Perf Analysis Workbench
-pawserv 345/udp # Perf Analysis Workbench
-zserv 346/tcp # Zebra server
-zserv 346/udp # Zebra server
-fatserv 347/tcp # Fatmen Server
-fatserv 347/udp # Fatmen Server
-csi-sgwp 348/tcp # Cabletron Management Protocol
-csi-sgwp 348/udp # Cabletron Management Protocol
-clearcase 371/tcp # Clearcase
-clearcase 371/udp # Clearcase
-ulistserv 372/tcp # Unix Listserv
-ulistserv 372/udp # Unix Listserv
-legent-1 373/tcp # Legent Corporation
-legent-1 373/udp # Legent Corporation
-legent-2 374/tcp # Legent Corporation
-legent-2 374/udp # Legent Corporation
-hassle 375/tcp # Hassle
-hassle 375/udp # Hassle
-nip 376/tcp # Amiga Envoy Network Inquiry Proto
-nip 376/udp # Amiga Envoy Network Inquiry Proto
-tnETOS 377/tcp # NEC Corporation
-tnETOS 377/udp # NEC Corporation
-dsETOS 378/tcp # NEC Corporation
-dsETOS 378/udp # NEC Corporation
-is99c 379/tcp # TIA/EIA/IS-99 modem client
-is99c 379/udp # TIA/EIA/IS-99 modem client
-is99s 380/tcp # TIA/EIA/IS-99 modem server
-is99s 380/udp # TIA/EIA/IS-99 modem server
-hp-collector 381/tcp # hp performance data collector
-hp-collector 381/udp # hp performance data collector
-hp-managed-node 382/tcp # hp performance data managed node
-hp-managed-node 382/udp # hp performance data managed node
-hp-alarm-mgr 383/tcp # hp performance data alarm manager
-hp-alarm-mgr 383/udp # hp performance data alarm manager
-arns 384/tcp # A Remote Network Server System
-arns 384/udp # A Remote Network Server System
-ibm-app 385/tcp # IBM Application
-ibm-app 385/tcp # IBM Application
-asa 386/tcp # ASA Message Router Object Def.
-asa 386/udp # ASA Message Router Object Def.
-aurp 387/tcp # Appletalk Update-Based Routing Pro.
-aurp 387/udp # Appletalk Update-Based Routing Pro.
-unidata-ldm 388/tcp # Unidata LDM Version 4
-unidata-ldm 388/udp # Unidata LDM Version 4
-ldap 389/tcp # Lightweight Directory Access Protocol
-ldap 389/udp # Lightweight Directory Access Protocol
-uis 390/tcp # UIS
-uis 390/udp # UIS
-synotics-relay 391/tcp # SynOptics SNMP Relay Port
-synotics-relay 391/udp # SynOptics SNMP Relay Port
-synotics-broker 392/tcp # SynOptics Port Broker Port
-synotics-broker 392/udp # SynOptics Port Broker Port
-dis 393/tcp # Data Interpretation System
-dis 393/udp # Data Interpretation System
-embl-ndt 394/tcp # EMBL Nucleic Data Transfer
-embl-ndt 394/udp # EMBL Nucleic Data Transfer
-netcp 395/tcp # NETscout Control Protocol
-netcp 395/udp # NETscout Control Protocol
-netware-ip 396/tcp # Novell Netware over IP
-netware-ip 396/udp # Novell Netware over IP
-mptn 397/tcp # Multi Protocol Trans. Net.
-mptn 397/udp # Multi Protocol Trans. Net.
-kryptolan 398/tcp # Kryptolan
-kryptolan 398/udp # Kryptolan
-work-sol 400/tcp # Workstation Solutions
-work-sol 400/udp # Workstation Solutions
-ups 401/tcp # Uninterruptible Power Supply
-ups 401/udp # Uninterruptible Power Supply
-genie 402/tcp # Genie Protocol
-genie 402/udp # Genie Protocol
-decap 403/tcp # decap
-decap 403/udp # decap
-nced 404/tcp # nced
-nced 404/udp # nced
-ncld 405/tcp # ncld
-ncld 405/udp # ncld
-imsp 406/tcp # Interactive Mail Support Protocol
-imsp 406/udp # Interactive Mail Support Protocol
-timbuktu 407/tcp # Timbuktu
-timbuktu 407/udp # Timbuktu
-prm-sm 408/tcp # Prospero Resource Manager Sys. Man.
-prm-sm 408/udp # Prospero Resource Manager Sys. Man.
-prm-nm 409/tcp # Prospero Resource Manager Node Man.
-prm-nm 409/udp # Prospero Resource Manager Node Man.
-decladebug 410/tcp # DECLadebug Remote Debug Protocol
-decladebug 410/udp # DECLadebug Remote Debug Protocol
-rmt 411/tcp # Remote MT Protocol
-rmt 411/udp # Remote MT Protocol
-synoptics-trap 412/tcp # Trap Convention Port
-synoptics-trap 412/udp # Trap Convention Port
-smsp 413/tcp # SMSP
-smsp 413/udp # SMSP
-infoseek 414/tcp # InfoSeek
-infoseek 414/udp # InfoSeek
-bnet 415/tcp # BNet
-bnet 415/udp # BNet
-silverplatter 416/tcp # Silverplatter
-silverplatter 416/udp # Silverplatter
-onmux 417/tcp # Onmux
-onmux 417/udp # Onmux
-hyper-g 418/tcp # Hyper-G
-hyper-g 418/udp # Hyper-G
-ariel1 419/tcp # Ariel
-ariel1 419/udp # Ariel
-smpte 420/tcp # SMPTE
-smpte 420/udp # SMPTE
-ariel2 421/tcp # Ariel
-ariel2 421/udp # Ariel
-ariel3 422/tcp # Ariel
-ariel3 422/udp # Ariel
-opc-job-start 423/tcp # IBM Operations Planning and Control Start
-opc-job-start 423/udp # IBM Operations Planning and Control Start
-opc-job-track 424/tcp # IBM Operations Planning and Control Track
-opc-job-track 424/udp # IBM Operations Planning and Control Track
-icad-el 425/tcp # ICAD
-icad-el 425/udp # ICAD
-smartsdp 426/tcp # smartsdp
-smartsdp 426/udp # smartsdp
-svrloc 427/tcp # Server Location
-svrloc 427/udp # Server Location
-ocs_cmu 428/tcp # OCS_CMU
-ocs_cmu 428/udp # OCS_CMU
-ocs_amu 429/tcp # OCS_AMU
-ocs_amu 429/udp # OCS_AMU
-utmpsd 430/tcp # UTMPSD
-utmpsd 430/udp # UTMPSD
-utmpcd 431/tcp # UTMPCD
-utmpcd 431/udp # UTMPCD
-iasd 432/tcp # IASD
-iasd 432/udp # IASD
-nnsp 433/tcp # NNSP
-nnsp 433/udp # NNSP
-mobileip-agent 434/tcp # MobileIP-Agent
-mobileip-agent 434/udp # MobileIP-Agent
-mobilip-mn 435/tcp # MobilIP-MN
-mobilip-mn 435/udp # MobilIP-MN
-dna-cml 436/tcp # DNA-CML
-dna-cml 436/udp # DNA-CML
-comscm 437/tcp # comscm
-comscm 437/udp # comscm
-dsfgw 438/tcp # dsfgw
-dsfgw 438/udp # dsfgw
-dasp 439/tcp # dasp Thomas Obermair
-dasp 439/udp # dasp tommy@inlab.m.eunet.de
-sgcp 440/tcp # sgcp
-sgcp 440/udp # sgcp
-decvms-sysmgt 441/tcp # decvms-sysmgt
-decvms-sysmgt 441/udp # decvms-sysmgt
-cvc_hostd 442/tcp # cvc_hostd
-cvc_hostd 442/udp # cvc_hostd
-https 443/tcp # https MCom
-https 443/udp # https MCom
-snpp 444/tcp # Simple Network Paging Protocol
-snpp 444/udp # Simple Network Paging Protocol
-microsoft-ds 445/tcp # Microsoft-DS
-microsoft-ds 445/udp # Microsoft-DS
-ddm-rdb 446/tcp # DDM-RDB
-ddm-rdb 446/udp # DDM-RDB
-ddm-dfm 447/tcp # DDM-RFM
-ddm-dfm 447/udp # DDM-RFM
-ddm-byte 448/tcp # DDM-BYTE
-ddm-byte 448/udp # DDM-BYTE
-as-servermap 449/tcp # AS Server Mapper
-as-servermap 449/udp # AS Server Mapper
-tserver 450/tcp # TServer
-tserver 450/udp # TServer
-exec 512/tcp # remote process execution;
-biff 512/udp # used by mail system to notify users
-login 513/tcp # remote login a la telnet;
-who 513/udp # maintains data bases showing who's
-cmd 514/tcp # like exec, but automatic
-syslog 514/udp
-printer 515/tcp # spooler
-printer 515/udp # spooler
-talk 517/tcp # like tenex link, but across
-talk 517/udp # like tenex link, but across tcp connection is established)
-ntalk 518/tcp
-ntalk 518/udp
-utime 519/tcp # unixtime
-utime 519/udp # unixtime
-efs 520/tcp # extended file name server
-router 520/udp # local routing process (on site);
-timed 525/tcp # timeserver
-timed 525/udp # timeserver
-tempo 526/tcp # newdate
-tempo 526/udp # newdate
-courier 530/tcp # rpc
-courier 530/udp # rpc
-conference 531/tcp # chat
-conference 531/udp # chat
-netnews 532/tcp # readnews
-netnews 532/udp # readnews
-netwall 533/tcp # for emergency broadcasts
-netwall 533/udp # for emergency broadcasts
-apertus-ldp 539/tcp # Apertus Technologies Load Determination
-apertus-ldp 539/udp # Apertus Technologies Load Determination
-uucp 540/tcp # uucpd
-uucp 540/udp # uucpd
-uucp-rlogin 541/tcp # uucp-rlogin Stuart Lynne
-uucp-rlogin 541/udp # uucp-rlogin sl@wimsey.com
-klogin 543/tcp
-klogin 543/udp
-kshell 544/tcp # krcmd
-kshell 544/udp # krcmd
-new-rwho 550/tcp # new-who
-new-rwho 550/udp # new-who
-dsf 555/tcp
-dsf 555/udp
-remotefs 556/tcp # rfs server
-remotefs 556/udp # rfs server
-rmonitor 560/tcp # rmonitord
-rmonitor 560/udp # rmonitord
-monitor 561/tcp
-monitor 561/udp
-chshell 562/tcp # chcmd
-chshell 562/udp # chcmd
-9pfs 564/tcp # plan 9 file service
-9pfs 564/udp # plan 9 file service
-whoami 565/tcp # whoami
-whoami 565/udp # whoami
-meter 570/tcp # demon
-meter 570/udp # demon
-meter 571/tcp # udemon
-meter 571/udp # udemon
-ipcserver 600/tcp # Sun IPC server
-ipcserver 600/udp # Sun IPC server
-nqs 607/tcp # nqs
-nqs 607/udp # nqs
-urm 606/tcp # Cray Unified Resource Manager
-urm 606/udp # Cray Unified Resource Manager
-sift-uft 608/tcp # Sender-Initiated/Unsolicited File Transfer
-sift-uft 608/udp # Sender-Initiated/Unsolicited File Transfer
-npmp-trap 609/tcp # npmp-trap
-npmp-trap 609/udp # npmp-trap
-npmp-local 610/tcp # npmp-local
-npmp-local 610/udp # npmp-local
-npmp-gui 611/tcp # npmp-gui
-npmp-gui 611/udp # npmp-gui
-ginad 634/tcp # ginad
-ginad 634/udp # ginad
-mdqs 666/tcp
-mdqs 666/udp
-doom 666/tcp # doom Id Software
-doom 666/tcp # doom Id Software
-elcsd 704/tcp # errlog copy/server daemon
-elcsd 704/udp # errlog copy/server daemon
-entrustmanager 709/tcp # EntrustManager
-entrustmanager 709/udp # EntrustManager
-netviewdm1 729/tcp # IBM NetView DM/6000 Server/Client
-netviewdm1 729/udp # IBM NetView DM/6000 Server/Client
-netviewdm2 730/tcp # IBM NetView DM/6000 send/tcp
-netviewdm2 730/udp # IBM NetView DM/6000 send/tcp
-netviewdm3 731/tcp # IBM NetView DM/6000 receive/tcp
-netviewdm3 731/udp # IBM NetView DM/6000 receive/tcp
-netgw 741/tcp # netGW
-netgw 741/udp # netGW
-netrcs 742/tcp # Network based Rev. Cont. Sys.
-netrcs 742/udp # Network based Rev. Cont. Sys.
-flexlm 744/tcp # Flexible License Manager
-flexlm 744/udp # Flexible License Manager
-fujitsu-dev 747/tcp # Fujitsu Device Control
-fujitsu-dev 747/udp # Fujitsu Device Control
-ris-cm 748/tcp # Russell Info Sci Calendar Manager
-ris-cm 748/udp # Russell Info Sci Calendar Manager
-kerberos-adm 749/tcp # kerberos administration
-kerberos-adm 749/udp # kerberos administration
-rfile 750/tcp
-loadav 750/udp
-pump 751/tcp
-pump 751/udp
-qrh 752/tcp
-qrh 752/udp
-rrh 753/tcp
-rrh 753/udp
-tell 754/tcp # send
-tell 754/udp # send
-nlogin 758/tcp
-nlogin 758/udp
-con 759/tcp
-con 759/udp
-ns 760/tcp
-ns 760/udp
-rxe 761/tcp
-rxe 761/udp
-quotad 762/tcp
-quotad 762/udp
-cycleserv 763/tcp
-cycleserv 763/udp
-omserv 764/tcp
-omserv 764/udp
-webster 765/tcp
-webster 765/udp
-phonebook 767/tcp # phone
-phonebook 767/udp # phone
-vid 769/tcp
-vid 769/udp
-cadlock 770/tcp
-cadlock 770/udp
-rtip 771/tcp
-rtip 771/udp
-cycleserv2 772/tcp
-cycleserv2 772/udp
-submit 773/tcp
-notify 773/udp
-rpasswd 774/tcp
-acmaint_dbd 774/udp
-entomb 775/tcp
-acmaint_transd 775/udp
+tcpmux 1/tcp # TCP Port Service Multiplexer
+tcpmux 1/udp # TCP Port Service Multiplexer
+compressnet 2/tcp # Management Utility
+compressnet 2/udp # Management Utility
+compressnet 3/tcp # Compression Process
+compressnet 3/udp # Compression Process
+rje 5/tcp # Remote Job Entry
+rje 5/udp # Remote Job Entry
+echo 7/tcp # Echo
+echo 7/udp # Echo
+discard 9/tcp # Discard
+discard 9/udp # Discard
+systat 11/tcp # Active Users
+systat 11/udp # Active Users
+daytime 13/tcp # Daytime (RFC 867)
+daytime 13/udp # Daytime (RFC 867)
+qotd 17/tcp # Quote of the Day
+qotd 17/udp # Quote of the Day
+msp 18/tcp # Message Send Protocol
+msp 18/udp # Message Send Protocol
+chargen 19/tcp # Character Generator
+chargen 19/udp # Character Generator
+ftp 21/tcp # File Transfer [Control]
+ftp 21/udp # File Transfer [Control]
+ssh 22/tcp # SSH Remote Login Protocol
+ssh 22/udp # SSH Remote Login Protocol
+telnet 23/tcp # Telnet
+telnet 23/udp # Telnet
+smtp 25/tcp # Simple Mail Transfer
+smtp 25/udp # Simple Mail Transfer
+dsp 33/tcp # Display Support Protocol
+dsp 33/udp # Display Support Protocol
+time 37/tcp # Time
+time 37/udp # Time
+rap 38/tcp # Route Access Protocol
+rap 38/udp # Route Access Protocol
+rlp 39/tcp # Resource Location Protocol
+rlp 39/udp # Resource Location Protocol
+graphics 41/tcp # Graphics
+graphics 41/udp # Graphics
+name 42/tcp # Host Name Server
+name 42/udp # Host Name Server
+nameserver 42/tcp # Host Name Server
+nameserver 42/udp # Host Name Server
+nicname 43/tcp # Who Is
+nicname 43/udp # Who Is
+mpm 45/tcp # Message Processing Module [recv]
+mpm 45/udp # Message Processing Module [recv]
+auditd 48/tcp # Digital Audit Daemon
+auditd 48/udp # Digital Audit Daemon
+tacacs 49/tcp # Login Host Protocol (TACACS)
+tacacs 49/udp # Login Host Protocol (TACACS)
+domain 53/tcp # Domain Name Server
+domain 53/udp # Domain Name Server
+acas 62/tcp # ACA Services
+acas 62/udp # ACA Services
+covia 64/tcp # Communications Integrator (CI)
+covia 64/udp # Communications Integrator (CI)
+sql*net 66/tcp # Oracle SQL*NET
+sql*net 66/udp # Oracle SQL*NET
+bootps 67/tcp # Bootstrap Protocol Server
+bootps 67/udp # Bootstrap Protocol Server
+bootpc 68/tcp # Bootstrap Protocol Client
+bootpc 68/udp # Bootstrap Protocol Client
+tftp 69/tcp # Trivial File Transfer
+tftp 69/udp # Trivial File Transfer
+gopher 70/tcp # Gopher
+gopher 70/udp # Gopher
+deos 76/tcp # Distributed External Object Store
+deos 76/udp # Distributed External Object Store
+vettcp 78/tcp # vettcp
+vettcp 78/udp # vettcp
+finger 79/tcp # Finger
+finger 79/udp # Finger
+http 80/tcp # World Wide Web HTTP
+http 80/udp # World Wide Web HTTP
+www 80/tcp # World Wide Web HTTP
+www 80/udp # World Wide Web HTTP
+xfer 82/tcp # XFER Utility
+xfer 82/udp # XFER Utility
+ctf 84/tcp # Common Trace Facility
+ctf 84/udp # Common Trace Facility
+mfcobol 86/tcp # Micro Focus Cobol
+mfcobol 86/udp # Micro Focus Cobol
+kerberos 88/tcp # Kerberos
+kerberos 88/udp # Kerberos
+dnsix 90/tcp # DNSIX Securit Attribute Token Map
+dnsix 90/udp # DNSIX Securit Attribute Token Map
+npp 92/tcp # Network Printing Protocol
+npp 92/udp # Network Printing Protocol
+dcp 93/tcp # Device Control Protocol
+dcp 93/udp # Device Control Protocol
+objcall 94/tcp # Tivoli Object Dispatcher
+objcall 94/udp # Tivoli Object Dispatcher
+supdup 95/tcp # SUPDUP
+supdup 95/udp # SUPDUP
+dixie 96/tcp # DIXIE Protocol Specification
+dixie 96/udp # DIXIE Protocol Specification
+tacnews 98/tcp # TAC News
+tacnews 98/udp # TAC News
+metagram 99/tcp # Metagram Relay
+metagram 99/udp # Metagram Relay
+newacct 100/tcp [unauthorized use]
+hostname 101/tcp # NIC Host Name Server
+hostname 101/udp # NIC Host Name Server
+gppitnp 103/tcp # Genesis Point-to-Point Trans Net
+gppitnp 103/udp # Genesis Point-to-Point Trans Net
+cso 105/tcp # CCSO name server protocol
+cso 105/udp # CCSO name server protocol
+rtelnet 107/tcp # Remote Telnet Service
+rtelnet 107/udp # Remote Telnet Service
+snagas 108/tcp # SNA Gateway Access Server
+snagas 108/udp # SNA Gateway Access Server
+pop2 109/tcp # Post Office Protocol - Version 2
+pop2 109/udp # Post Office Protocol - Version 2
+pop3 110/tcp # Post Office Protocol - Version 3
+pop3 110/udp # Post Office Protocol - Version 3
+sunrpc 111/tcp # SUN Remote Procedure Call
+sunrpc 111/udp # SUN Remote Procedure Call
+mcidas 112/tcp # McIDAS Data Transmission Protocol
+mcidas 112/udp # McIDAS Data Transmission Protocol
+ident 113/tcp
+auth 113/tcp # Authentication Service
+auth 113/udp # Authentication Service
+audionews 114/tcp # Audio News Multicast
+audionews 114/udp # Audio News Multicast
+sftp 115/tcp # Simple File Transfer Protocol
+sftp 115/udp # Simple File Transfer Protocol
+ansanotify 116/tcp # ANSA REX Notify
+ansanotify 116/udp # ANSA REX Notify
+sqlserv 118/tcp # SQL Services
+sqlserv 118/udp # SQL Services
+nntp 119/tcp # Network News Transfer Protocol
+nntp 119/udp # Network News Transfer Protocol
+cfdptkt 120/tcp # CFDPTKT
+cfdptkt 120/udp # CFDPTKT
+erpc 121/tcp # Encore Expedited Remote Pro.Call
+erpc 121/udp # Encore Expedited Remote Pro.Call
+smakynet 122/tcp # SMAKYNET
+smakynet 122/udp # SMAKYNET
+ntp 123/tcp # Network Time Protocol
+ntp 123/udp # Network Time Protocol
+ansatrader 124/tcp # ANSA REX Trader
+ansatrader 124/udp # ANSA REX Trader
+nxedit 126/tcp # NXEdit
+nxedit 126/udp # NXEdit
+pwdgen 129/tcp # Password Generator Protocol
+pwdgen 129/udp # Password Generator Protocol
+statsrv 133/tcp # Statistics Service
+statsrv 133/udp # Statistics Service
+epmap 135/tcp # DCE endpoint resolution
+epmap 135/udp # DCE endpoint resolution
+profile 136/tcp # PROFILE Naming System
+profile 136/udp # PROFILE Naming System
+imap 143/tcp # Internet Message Access Protocol
+imap 143/udp # Internet Message Access Protocol
+uma 144/tcp # Universal Management Architecture
+uma 144/udp # Universal Management Architecture
+uaac 145/tcp # UAAC Protocol
+uaac 145/udp # UAAC Protocol
+jargon 148/tcp # Jargon
+jargon 148/udp # Jargon
+hems 151/tcp # HEMS
+hems 151/udp # HEMS
+bftp 152/tcp # Background File Transfer Program
+bftp 152/udp # Background File Transfer Program
+sgmp 153/tcp # SGMP
+sgmp 153/udp # SGMP
+sqlsrv 156/tcp # SQL Service
+sqlsrv 156/udp # SQL Service
+snmp 161/tcp # SNMP
+snmp 161/udp # SNMP
+snmptrap 162/tcp # SNMPTRAP
+snmptrap 162/udp # SNMPTRAP
+namp 167/tcp # NAMP
+namp 167/udp # NAMP
+rsvd 168/tcp # RSVD
+rsvd 168/udp # RSVD
+send 169/tcp # SEND
+send 169/udp # SEND
+multiplex 171/tcp # Network Innovations Multiplex
+multiplex 171/udp # Network Innovations Multiplex
+cl/1 172/tcp # Network Innovations CL/1
+cl/1 172/udp # Network Innovations CL/1
+mailq 174/tcp # MAILQ
+mailq 174/udp # MAILQ
+vmnet 175/tcp # VMNET
+vmnet 175/udp # VMNET
+xdmcp 177/tcp # X Display Manager Control Protocol
+xdmcp 177/udp # X Display Manager Control Protocol
+nextstep 178/tcp # NextStep Window Server
+nextstep 178/udp # NextStep Window Server
+bgp 179/tcp # Border Gateway Protocol
+bgp 179/udp # Border Gateway Protocol
+ris 180/tcp # Intergraph
+ris 180/udp # Intergraph
+unify 181/tcp # Unify
+unify 181/udp # Unify
+audit 182/tcp # Unisys Audit SITP
+audit 182/udp # Unisys Audit SITP
+ocbinder 183/tcp # OCBinder
+ocbinder 183/udp # OCBinder
+ocserver 184/tcp # OCServer
+ocserver 184/udp # OCServer
+kis 186/tcp # KIS Protocol
+kis 186/udp # KIS Protocol
+aci 187/tcp # Application Communication Interface
+aci 187/udp # Application Communication Interface
+mumps 188/tcp # Plus Five's MUMPS
+mumps 188/udp # Plus Five's MUMPS
+qft 189/tcp # Queued File Transport
+qft 189/udp # Queued File Transport
+gacp 190/tcp # Gateway Access Control Protocol
+gacp 190/udp # Gateway Access Control Protocol
+prospero 191/tcp # Prospero Directory Service
+prospero 191/udp # Prospero Directory Service
+srmp 193/tcp # Spider Remote Monitoring Protocol
+srmp 193/udp # Spider Remote Monitoring Protocol
+irc 194/tcp # Internet Relay Chat Protocol
+irc 194/udp # Internet Relay Chat Protocol
+dls 197/tcp # Directory Location Service
+dls 197/udp # Directory Location Service
+smux 199/tcp # SMUX
+smux 199/udp # SMUX
+src 200/tcp # IBM System Resource Controller
+src 200/udp # IBM System Resource Controller
+qmtp 209/tcp # The Quick Mail Transfer Protocol
+qmtp 209/udp # The Quick Mail Transfer Protocol
+anet 212/tcp # ATEXSSTR
+anet 212/udp # ATEXSSTR
+ipx 213/tcp # IPX
+ipx 213/udp # IPX
+vmpwscs 214/tcp # VM PWSCS
+vmpwscs 214/udp # VM PWSCS
+softpc 215/tcp # Insignia Solutions
+softpc 215/udp # Insignia Solutions
+dbase 217/tcp # dBASE Unix
+dbase 217/udp # dBASE Unix
+mpp 218/tcp # Netix Message Posting Protocol
+mpp 218/udp # Netix Message Posting Protocol
+uarps 219/tcp # Unisys ARPs
+uarps 219/udp # Unisys ARPs
+imap3 220/tcp # Interactive Mail Access Protocol v3
+imap3 220/udp # Interactive Mail Access Protocol v3
+cdc 223/tcp # Certificate Distribution Center
+cdc 223/udp # Certificate Distribution Center
+masqdialer 224/tcp # masqdialer
+masqdialer 224/udp # masqdialer
+direct 242/tcp # Direct
+direct 242/udp # Direct
+dayna 244/tcp # Dayna
+dayna 244/udp # Dayna
+link 245/tcp # LINK
+link 245/udp # LINK
+dsp3270 246/tcp # Display Systems Protocol
+dsp3270 246/udp # Display Systems Protocol
+bhfhs 248/tcp # bhfhs
+bhfhs 248/udp # bhfhs
+rap 256/tcp # RAP
+rap 256/udp # RAP
+set 257/tcp # Secure Electronic Transaction
+set 257/udp # Secure Electronic Transaction
+openport 260/tcp # Openport
+openport 260/udp # Openport
+nsiiops 261/tcp # IIOP Name Service over TLS/SSL
+nsiiops 261/udp # IIOP Name Service over TLS/SSL
+arcisdms 262/tcp # Arcisdms
+arcisdms 262/udp Arcisdms
+hdap 263/tcp # HDAP
+hdap 263/udp # HDAP
+bgmp 264/tcp # BGMP
+bgmp 264/udp # BGMP
+rescap 283/tcp # rescap
+rescap 283/udp # rescap
+novastorbakcup 308/tcp # Novastor Backup
+novastorbakcup 308/udp # Novastor Backup
+entrusttime 309/tcp # EntrustTime
+entrusttime 309/udp # EntrustTime
+bhmds 310/tcp # bhmds
+bhmds 310/udp # bhmds
+vslmp 312/tcp # VSLMP
+vslmp 312/udp # VSLMP
+dpsi 315/tcp # DPSI
+dpsi 315/udp # DPSI
+decauth 316/tcp # decAuth
+decauth 316/udp # decAuth
+zannet 317/tcp # Zannet
+zannet 317/udp # Zannet
+pip 321/tcp # PIP
+pip 321/udp # PIP
+rtsps 322/tcp # RTSPS
+rtsps 322/udp # RTSPS
+pdap 344/tcp # Prospero Data Access Protocol
+pdap 344/udp # Prospero Data Access Protocol
+pawserv 345/tcp # Perf Analysis Workbench
+pawserv 345/udp # Perf Analysis Workbench
+zserv 346/tcp # Zebra server
+zserv 346/udp # Zebra server
+fatserv 347/tcp # Fatmen Server
+fatserv 347/udp # Fatmen Server
+mftp 349/tcp # mftp
+mftp 349/udp # mftp
+bhoetty 351/tcp bhoetty (added 5/21/97)
+bhoetty 351/udp # bhoetty
+bhoedap4 352/tcp # bhoedap4 (added 5/21/97)
+bhoedap4 352/udp # bhoedap4
+ndsauth 353/tcp # NDSAUTH
+ndsauth 353/udp # NDSAUTH
+bh611 354/tcp bh611
+bh611 354/udp # bh611
+bhevent 357/tcp bhevent
+bhevent 357/udp # bhevent
+shrinkwrap 358/tcp # Shrinkwrap
+shrinkwrap 358/udp # Shrinkwrap
+scoi2odialog 360/tcp # scoi2odialog
+scoi2odialog 360/udp # scoi2odialog
+semantix 361/tcp # Semantix
+semantix 361/udp # Semantix
+srssend 362/tcp # SRS Send
+srssend 362/udp # SRS Send
+dtk 365/tcp # DTK
+dtk 365/udp # DTK
+odmr 366/tcp # ODMR
+odmr 366/udp # ODMR
+mortgageware 367/tcp # MortgageWare
+mortgageware 367/udp # MortgageWare
+qbikgdp 368/tcp # QbikGDP
+qbikgdp 368/udp # QbikGDP
+rpc2portmap 369/tcp # rpc2portmap
+rpc2portmap 369/udp # rpc2portmap
+codaauth2 370/tcp # codaauth2
+codaauth2 370/udp # codaauth2
+clearcase 371/tcp # Clearcase
+clearcase 371/udp # Clearcase
+ulistproc 372/tcp # ListProcessor
+ulistproc 372/udp # ListProcessor
+hassle 375/tcp # Hassle
+hassle 375/udp # Hassle
+nip 376/tcp # Amiga Envoy Network Inquiry Proto
+nip 376/udp # Amiga Envoy Network Inquiry Proto
+tnETOS 377/tcp # NEC Corporation
+tnETOS 377/udp # NEC Corporation
+dsETOS 378/tcp # NEC Corporation
+dsETOS 378/udp # NEC Corporation
+is99c 379/tcp # TIA/EIA/IS-99 modem client
+is99c 379/udp # TIA/EIA/IS-99 modem client
+is99s 380/tcp # TIA/EIA/IS-99 modem server
+is99s 380/udp # TIA/EIA/IS-99 modem server
+arns 384/tcp # A Remote Network Server System
+arns 384/udp # A Remote Network Server System
+asa 386/tcp # ASA Message Router Object Def.
+asa 386/udp # ASA Message Router Object Def.
+aurp 387/tcp # Appletalk Update-Based Routing Pro.
+aurp 387/udp # Appletalk Update-Based Routing Pro.
+ldap 389/tcp # Lightweight Directory Access Protocol
+ldap 389/udp # Lightweight Directory Access Protocol
+uis 390/tcp # UIS
+uis 390/udp # UIS
+dis 393/tcp # Data Interpretation System
+dis 393/udp # Data Interpretation System
+netcp 395/tcp # NETscout Control Protocol
+netcp 395/udp # NETscout Control Protocol
+mptn 397/tcp # Multi Protocol Trans. Net.
+mptn 397/udp # Multi Protocol Trans. Net.
+kryptolan 398/tcp # Kryptolan
+kryptolan 398/udp # Kryptolan
+ups 401/tcp # Uninterruptible Power Supply
+ups 401/udp # Uninterruptible Power Supply
+genie 402/tcp # Genie Protocol
+genie 402/udp # Genie Protocol
+decap 403/tcp # decap
+decap 403/udp # decap
+nced 404/tcp # nced
+nced 404/udp # nced
+ncld 405/tcp # ncld
+ncld 405/udp # ncld
+imsp 406/tcp # Interactive Mail Support Protocol
+imsp 406/udp # Interactive Mail Support Protocol
+timbuktu 407/tcp # Timbuktu
+timbuktu 407/udp # Timbuktu
+decladebug 410/tcp # DECLadebug Remote Debug Protocol
+decladebug 410/udp # DECLadebug Remote Debug Protocol
+rmt 411/tcp # Remote MT Protocol
+rmt 411/udp # Remote MT Protocol
+smsp 413/tcp # SMSP
+smsp 413/udp # SMSP
+infoseek 414/tcp # InfoSeek
+infoseek 414/udp # InfoSeek
+bnet 415/tcp # BNet
+bnet 415/udp # BNet
+silverplatter 416/tcp # Silverplatter
+silverplatter 416/udp # Silverplatter
+onmux 417/tcp # Onmux
+onmux 417/udp # Onmux
+ariel1 419/tcp # Ariel
+ariel1 419/udp # Ariel
+smpte 420/tcp # SMPTE
+smpte 420/udp # SMPTE
+ariel2 421/tcp # Ariel
+ariel2 421/udp # Ariel
+ariel3 422/tcp # Ariel
+ariel3 422/udp # Ariel
+smartsdp 426/tcp # smartsdp
+smartsdp 426/udp # smartsdp
+svrloc 427/tcp # Server Location
+svrloc 427/udp # Server Location
+utmpsd 430/tcp # UTMPSD
+utmpsd 430/udp # UTMPSD
+utmpcd 431/tcp # UTMPCD
+utmpcd 431/udp # UTMPCD
+iasd 432/tcp # IASD
+iasd 432/udp # IASD
+nnsp 433/tcp # NNSP
+nnsp 433/udp # NNSP
+comscm 437/tcp # comscm
+comscm 437/udp # comscm
+dsfgw 438/tcp # dsfgw
+dsfgw 438/udp # dsfgw
+dasp 439/tcp # dasp Thomas Obermair
+dasp 439/udp # dasp tommy@inlab.m.eunet.de
+sgcp 440/tcp # sgcp
+sgcp 440/udp # sgcp
+https 443/tcp # http protocol over TLS/SSL
+https 443/udp # http protocol over TLS/SSL
+snpp 444/tcp # Simple Network Paging Protocol
+snpp 444/udp # Simple Network Paging Protocol
+tserver 450/tcp # TServer
+tserver 450/udp # TServer
+creativeserver 453/tcp # CreativeServer
+creativeserver 453/udp # CreativeServer
+contentserver 454/tcp # ContentServer
+contentserver 454/udp # ContentServer
+creativepartnr 455/tcp # CreativePartnr
+creativepartnr 455/udp # CreativePartnr
+scohelp 457/tcp # scohelp
+scohelp 457/udp # scohelp
+appleqtc 458/tcp # apple quick time
+appleqtc 458/udp # apple quick time
+skronk 460/tcp # skronk
+skronk 460/udp # skronk
+datasurfsrv 461/tcp # DataRampSrv
+datasurfsrv 461/udp # DataRampSrv
+datasurfsrvsec 462/tcp # DataRampSrvSec
+datasurfsrvsec 462/udp # DataRampSrvSec
+alpes 463/tcp # alpes
+alpes 463/udp # alpes
+kpasswd 464/tcp # kpasswd
+kpasswd 464/udp # kpasswd
+photuris 468/tcp # proturis
+photuris 468/udp # proturis
+rcp 469/tcp # Radio Control Protocol
+rcp 469/udp # Radio Control Protocol
+mondex 471/tcp # Mondex
+mondex 471/udp # Mondex
+tcp # nethaspsrv 475/tcp # tcpnethaspsrv
+tcp # nethaspsrv 475/udp # tcp # nethaspsrv
+ss7ns 477/tcp # ss7ns
+ss7ns 477/udp # ss7ns
+spsc 478/tcp # spsc
+spsc 478/udp # spsc
+iafserver 479/tcp # iafserver
+iafserver 479/udp # iafserver
+iafdbase 480/tcp # iafdbase
+iafdbase 480/udp # iafdbase
+ph 481/tcp # Ph service
+ph 481/udp # Ph service
+ulpnet 483/tcp # ulpnet
+ulpnet 483/udp # ulpnet
+powerburst 485/tcp # Air Soft Power Burst
+powerburst 485/udp # Air Soft Power Burst
+avian 486/tcp # avian
+avian 486/udp # avian
+saft 487/tcp # saft Simple Asynchronous File Transfer
+saft 487/udp # saft Simple Asynchronous File Transfer
+intecourier 495/tcp # intecourier
+intecourier 495/udp # intecourier
+dantz 497/tcp # dantz
+dantz 497/udp # dantz
+siam 498/tcp # siam
+siam 498/udp # siam
+isakmp 500/tcp # isakmp
+isakmp 500/udp # isakmp
+stmf 501/tcp # STMF
+stmf 501/udp # STMF
+intrinsa 503/tcp # Intrinsa
+intrinsa 503/udp # Intrinsa
+citadel 504/tcp # citadel
+citadel 504/udp # citadel
+ohimsrv 506/tcp # ohimsrv
+ohimsrv 506/udp # ohimsrv
+crs 507/tcp # crs
+crs 507/udp # crs
+xvttp 508/tcp # xvttp
+xvttp 508/udp # xvttp
+snare 509/tcp # snare
+snare 509/udp # snare
+fcp 510/tcp # FirstClass Protocol
+fcp 510/udp # FirstClass Protocol
+passgo 511/tcp # PassGo
+passgo 511/udp # PassGo
+exec 512/tcp # remote process execution;
+comsat 512/udp
+biff 512/udp # used by mail system to notify users
+login 513/tcp # remote login a la telnet;
+who 513/udp # maintains data bases showing who's
+shell 514/tcp # cmd
+syslog 514/udp
+printer 515/tcp # spooler
+printer 515/udp # spooler
+videotex 516/tcp # videotex
+videotex 516/udp # videotex
+talk 517/tcp # like tenex link, but across
+talk 517/udp # like tenex link, but across
+ntalk 518/tcp
+ntalk 518/udp
+utime 519/tcp # unixtime
+utime 519/udp # unixtime
+efs 520/tcp # extended file name server
+router 520/udp # local routing process (on site);
+ripng 521/tcp # ripng
+ripng 521/udp # ripng
+ulp 522/tcp # ULP
+ulp 522/udp # ULP
+ncp 524/tcp # NCP
+ncp 524/udp # NCP
+timed 525/tcp # timeserver
+timed 525/udp # timeserver
+tempo 526/tcp # newdate
+tempo 526/udp # newdate
+stx 527/tcp # Stock IXChange
+stx 527/udp # Stock IXChange
+custix 528/tcp # Customer IXChange
+custix 528/udp # Customer IXChange
+courier 530/tcp # rpc
+courier 530/udp # rpc
+conference 531/tcp # chat
+conference 531/udp # chat
+netnews 532/tcp # readnews
+netnews 532/udp # readnews
+netwall 533/tcp # for emergency broadcasts
+netwall 533/udp # for emergency broadcasts
+iiop 535/tcp # iiop
+iiop 535/udp # iiop
+nmsp 537/tcp # Networked Media Streaming Protocol
+nmsp 537/udp # Networked Media Streaming Protocol
+gdomap 538/tcp # gdomap
+gdomap 538/udp # gdomap
+uucp 540/tcp # uucpd
+uucp 540/udp # uucpd
+commerce 542/tcp # commerce
+commerce 542/udp # commerce
+klogin 543/tcp
+klogin 543/udp
+kshell 544/tcp # krcmd
+kshell 544/udp # krcmd
+appleqtcsrvr 545/tcp # appleqtcsrvr
+appleqtcsrvr 545/udp # appleqtcsrvr
+afpovertcp 548/tcp # AFP over TCP
+afpovertcp 548/udp # AFP over TCP
+idfp 549/tcp # IDFP
+idfp 549/udp # IDFP
+cybercash 551/tcp # cybercash
+cybercash 551/udp # cybercash
+deviceshare 552/tcp # deviceshare
+deviceshare 552/udp # deviceshare
+pirp 553/tcp # pirp
+pirp 553/udp # pirp
+rtsp 554/tcp # Real Time Stream Control Protocol
+rtsp 554/udp # Real Time Stream Control Protocol
+dsf 555/tcp
+dsf 555/udp
+remotefs 556/tcp # rfs server
+remotefs 556/udp # rfs server
+sdnskmp 558/tcp # SDNSKMP
+sdnskmp 558/udp # SDNSKMP
+teedtap 559/tcp # TEEDTAP
+teedtap 559/udp # TEEDTAP
+rmonitor 560/tcp # rmonitord
+rmonitor 560/udp # rmonitord
+monitor 561/tcp
+monitor 561/udp
+chshell 562/tcp # chcmd
+chshell 562/udp # chcmd
+nntps 563/tcp # nntp protocol over TLS/SSL (was snntp)
+nntps 563/udp # nntp protocol over TLS/SSL (was snntp)
+whoami 565/tcp # whoami
+whoami 565/udp # whoami
+streettalk 566/tcp # streettalk
+streettalk 566/udp # streettalk
+meter 570/tcp # demon
+meter 570/udp # demon
+meter 571/tcp # udemon
+meter 571/udp # udemon
+sonar 572/tcp # sonar
+sonar 572/udp # sonar
+vemmi 575/tcp # VEMMI
+vemmi 575/udp # VEMMI
+ipcd 576/tcp # ipcd
+ipcd 576/udp # ipcd
+vnas 577/tcp # vnas
+vnas 577/udp # vnas
+ipdd 578/tcp # ipdd
+ipdd 578/udp # ipdd
+decbsrv 579/tcp # decbsrv
+decbsrv 579/udp # decbsrv
+bdp 581/tcp # Bundle Discovery Protocol
+bdp 581/udp # Bundle Discovery Protocol
+keyserver 584/tcp # Key Server
+keyserver 584/udp # Key Server
+submission 587/tcp # Submission
+submission 587/udp # Submission
+cal 588/tcp # CAL
+cal 588/udp # CAL
+eyelink 589/tcp # EyeLink
+eyelink 589/udp # EyeLink
+tpip 594/tcp # TPIP
+tpip 594/udp # TPIP
+smsd 596/tcp # SMSD
+smsd 596/udp # SMSD
+ptcnameservice 597/tcp # PTC Name Service
+ptcnameservice 597/udp # PTC Name Service
+acp 599/tcp # Aeolon Core Protocol
+acp 599/udp # Aeolon Core Protocol
+ipcserver 600/tcp # Sun IPC server
+ipcserver 600/udp # Sun IPC server
+urm 606/tcp # Cray Unified Resource Manager
+urm 606/udp # Cray Unified Resource Manager
+nqs 607/tcp # nqs
+nqs 607/udp # nqs
+sshell 614/tcp # SSLshell
+sshell 614/udp # SSLshell
+collaborator 622/tcp # Collaborator
+collaborator 622/udp # Collaborator
+cryptoadmin 624/tcp # Crypto Admin
+cryptoadmin 624/udp # Crypto Admin
+asia 626/tcp # ASIA
+asia 626/udp # ASIA
+qmqp 628/tcp # QMQP
+qmqp 628/udp # QMQP
+rda 630/tcp # RDA
+rda 630/udp # RDA
+ipp 631/tcp # IPP (Internet Printing Protocol)
+ipp 631/udp # IPP (Internet Printing Protocol)
+bmpp 632/tcp # bmpp
+bmpp 632/udp # bmpp
+servstat 633/tcp # Service Status update (Sterling Software)
+servstat 633/udp # Service Status update (Sterling Software)
+ginad 634/tcp # ginad
+ginad 634/udp # ginad
+rlzdbase 635/tcp # RLZ DBase
+rlzdbase 635/udp # RLZ DBase
+ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
+ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
+lanserver 637/tcp # lanserver
+lanserver 637/udp # lanserver
+msdp 639/tcp # MSDP
+msdp 639/udp # MSDP
+repcmd 641/tcp # repcmd
+repcmd 641/udp # repcmd
+sanity 643/tcp # SANity
+sanity 643/udp # SANity
+dwr 644/tcp # dwr
+dwr 644/udp # dwr
+pssc 645/tcp # PSSC
+pssc 645/udp # PSSC
+ldp 646/tcp # LDP
+ldp 646/udp # LDP
+rrp 648/tcp # Registry Registrar Protocol (RRP)
+rrp 648/udp # Registry Registrar Protocol (RRP)
+aminet 649/tcp # Aminet
+aminet 649/udp # Aminet
+obex 650/tcp # OBEX
+obex 650/udp # OBEX
+repscmd 653/tcp # RepCmd
+repscmd 653/udp # RepCmd
+aodv 654/tcp # AODV
+aodv 654/udp # AODV
+tinc 655/tcp # TINC
+tinc 655/udp # TINC
+spmp 656/tcp # SPMP
+spmp 656/udp # SPMP
+mdqs 666/tcp
+mdqs 666/udp
+doom 666/tcp # doom Id Software
+doom 666/udp # doom Id Software
+disclose 667/tcp # campaign contribution disclosures - SDR Technologies
+disclose 667/udp # campaign contribution disclosures - SDR Technologies
+mecomm 668/tcp # MeComm
+mecomm 668/udp # MeComm
+meregister 669/tcp # MeRegister
+meregister 669/udp # MeRegister
+cimplex 673/tcp # CIMPLEX
+cimplex 673/udp # CIMPLEX
+acap 674/tcp # ACAP
+acap 674/udp # ACAP
+dctp 675/tcp # DCTP
+dctp 675/udp # DCTP
+vpp 677/tcp # Virtual Presence Protocol
+vpp 677/udp # Virtual Presence Protocol
+mrm 679/tcp # MRM
+mrm 679/udp # MRM
+xfr 682/tcp # XFR
+xfr 682/udp # XFR
+asipregistry 687/tcp # asipregistry
+asipregistry 687/udp # asipregistry
+elcsd 704/tcp # errlog copy/server daemon
+elcsd 704/udp # errlog copy/server daemon
+agentx 705/tcp # AgentX
+agentx 705/udp # AgentX
+netviewdm1 729/tcp # IBM NetView DM/6000 Server/Client
+netviewdm1 729/udp # IBM NetView DM/6000 Server/Client
+netviewdm2 730/tcp # IBM NetView DM/6000 send/tcp
+netviewdm2 730/udp # IBM NetView DM/6000 send/tcp
+netviewdm3 731/tcp # IBM NetView DM/6000 receive/tcp
+netviewdm3 731/udp # IBM NetView DM/6000 receive/tcp
+netgw 741/tcp # netGW
+netgw 741/udp # netGW
+netrcs 742/tcp # Network based Rev. Cont. Sys.
+netrcs 742/udp # Network based Rev. Cont. Sys.
+flexlm 744/tcp # Flexible License Manager
+flexlm 744/udp # Flexible License Manager
+rfile 750/tcp
+loadav 750/udp
+pump 751/tcp
+pump 751/udp
+qrh 752/tcp
+qrh 752/udp
+rrh 753/tcp
+rrh 753/udp
+tell 754/tcp send
+tell 754/udp send
+nlogin 758/tcp
+nlogin 758/udp
+con 759/tcp
+con 759/udp
+ns 760/tcp
+ns 760/udp
+rxe 761/tcp
+rxe 761/udp
+quotad 762/tcp
+quotad 762/udp
+cycleserv 763/tcp
+cycleserv 763/udp
+omserv 764/tcp
+omserv 764/udp
+webster 765/tcp
+webster 765/udp
+phonebook 767/tcp phone
+phonebook 767/udp phone
+vid 769/tcp
+vid 769/udp
+cadlock 770/tcp
+cadlock 770/udp
+rtip 771/tcp
+rtip 771/udp
+cycleserv2 772/tcp
+cycleserv2 772/udp
+submit 773/tcp
+notify 773/udp
+rpasswd 774/tcp
+entomb 775/tcp
wpages 776/tcp
-wpages 776/udp
+wpages 776/udp
wpgs 780/tcp
wpgs 780/udp
-concert 786/tcp # Concert
-concert 786/udp # Concert
-mdbs_daemon 800/tcp
-mdbs_daemon 800/udp
+concert 786/tcp # Concert
+concert 786/udp # Concert
+qsc 787/tcp # QSC
+qsc 787/udp # QSC
device 801/tcp
device 801/udp
-xtreelic 996/tcp # Central Point Software
-xtreelic 996/udp # Central Point Software
+rsync 873/tcp # rsync
+rsync 873/udp # rsync
+accessbuilder 888/tcp # AccessBuilder
+accessbuilder 888/udp # AccessBuilder
+cddbp 888/tcp # CD Database Protocol
+omginitialrefs 900/tcp # OMG Initial Refs
+omginitialrefs 900/udp # OMG Initial Refs
+ftps 990/tcp # ftp protocol, control, over TLS/SSL
+ftps 990/udp # ftp protocol, control, over TLS/SSL
+nas 991/tcp # Netnews Administration System
+nas 991/udp # Netnews Administration System
+telnets 992/tcp # telnet protocol over TLS/SSL
+telnets 992/udp # telnet protocol over TLS/SSL
+imaps 993/tcp # imap4 protocol over TLS/SSL
+imaps 993/udp # imap4 protocol over TLS/SSL
+ircs 994/tcp # irc protocol over TLS/SSL
+ircs 994/udp # irc protocol over TLS/SSL
+pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3)
+pop3s 995/udp # pop3 protocol over TLS/SSL (was spop3)
+vsinet 996/tcp # vsinet
+vsinet 996/udp # vsinet
maitrd 997/tcp
maitrd 997/udp
busboy 998/tcp
puparp 998/udp
garcon 999/tcp
-applix 999/udp # Applix ac
+applix 999/udp # Applix ac
puprouter 999/tcp
puprouter 999/udp
cadlock 1000/tcp
ock 1000/udp
+surf 1010/tcp # surf
+surf 1010/udp # surf
+blackjack 1025/tcp # network blackjack
+blackjack 1025/udp # network blackjack
+iad1 1030/tcp # BBN IAD
+iad1 1030/udp # BBN IAD
+iad2 1031/tcp # BBN IAD
+iad2 1031/udp # BBN IAD
+iad3 1032/tcp # BBN IAD
+iad3 1032/udp # BBN IAD
+neod1 1047/tcp # Sun's NEO Object Request Broker
+neod1 1047/udp # Sun's NEO Object Request Broker
+neod2 1048/tcp # Sun's NEO Object Request Broker
+neod2 1048/udp # Sun's NEO Object Request Broker
+nim 1058/tcp # nim
+nim 1058/udp # nim
+nimreg 1059/tcp # nimreg
+nimreg 1059/udp # nimreg
+socks 1080/tcp # Socks
+socks 1080/udp # Socks
+sunclustermgr 1097/tcp # Sun Cluster Manager
+sunclustermgr 1097/udp # Sun Cluster Manager
+rmiactivation 1098/tcp # RMI Activation
+rmiactivation 1098/udp # RMI Activation
+rmiregistry 1099/tcp # RMI Registry
+rmiregistry 1099/udp # RMI Registry
+lmsocialserver 1111/tcp # LM Social Server
+lmsocialserver 1111/udp # LM Social Server
+murray 1123/tcp # Murray
+murray 1123/udp # Murray
+nfa 1155/tcp # Network File Access
+nfa 1155/udp # Network File Access
+caiccipc 1202/tcp # caiccipc
+caiccipc 1202/udp # caiccipc
+lupa 1212/tcp # lupa
+lupa 1212/udp # lupa
+nerv 1222/tcp # SNI R&D network
+nerv 1222/udp # SNI R&D network
+nmsd 1239/tcp # NMSD
+nmsd 1239/udp # NMSD
+hermes 1248/tcp
+hermes 1248/udp
+h323hostcallsc 1300/tcp # H323 Host Call Secure
+h323hostcallsc 1300/udp # H323 Host Call Secure
+husky 1310/tcp # Husky
+husky 1310/udp # Husky
+rxmon 1311/tcp # RxMon
+rxmon 1311/udp # RxMon
+pdps 1314/tcp # Photoscript Distributed Printing System
+pdps 1314/udp # Photoscript Distributed Printing System
+pip 1321/tcp # PIP
+pip 1321/udp # PIP
+vpjp 1345/tcp # VPJP
+vpjp 1345/udp # VPJP
+sbook 1349/tcp # Registration Network Protocol
+sbook 1349/udp # Registration Network Protocol
+editbench 1350/tcp # Registration Network Protocol
+editbench 1350/udp # Registration Network Protocol
+equationbuilder 1351/tcp # Digital Tool Works (MIT)
+equationbuilder 1351/udp # Digital Tool Works (MIT)
+lotusnote 1352/tcp # Lotus Note
+lotusnote 1352/udp # Lotus Note
+relief 1353/tcp # Relief Consulting
+relief 1353/udp # Relief Consulting
+rightbrain 1354/tcp # RightBrain Software
+rightbrain 1354/udp # RightBrain Software
+cuillamartin 1356/tcp # CuillaMartin Company
+cuillamartin 1356/udp # CuillaMartin Company
+pegboard 1357/tcp # Electronic PegBoard
+pegboard 1357/udp # Electronic PegBoard
+connlcli 1358/tcp # CONNLCLI
+connlcli 1358/udp # CONNLCLI
+ftsrv 1359/tcp # FTSRV
+ftsrv 1359/udp # FTSRV
+mimer 1360/tcp # MIMER
+mimer 1360/udp # MIMER
+linx 1361/tcp # LinX
+linx 1361/udp # LinX
+timeflies 1362/tcp # TimeFlies
+timeflies 1362/udp # TimeFlies
+dcs 1367/tcp # DCS
+dcs 1367/udp # DCS
+screencast 1368/tcp # ScreenCast
+screencast 1368/udp # ScreenCast
+chromagrafx 1373/tcp # Chromagrafx
+chromagrafx 1373/udp # Chromagrafx
+molly 1374/tcp # EPI Software Systems
+molly 1374/udp # EPI Software Systems
+bytex 1375/tcp # Bytex
+bytex 1375/udp # Bytex
+cichlid 1377/tcp # Cichlid License Manager
+cichlid 1377/udp # Cichlid License Manager
+elan 1378/tcp # Elan License Manager
+elan 1378/udp # Elan License Manager
+dbreporter 1379/tcp # Integrity Solutions
+dbreporter 1379/udp # Integrity Solutions
+gwha 1383/tcp # GW Hannaway Network License Manager
+gwha 1383/udp # GW Hannaway Network License Manager
+checksum 1386/tcp # CheckSum License Manager
+checksum 1386/udp # CheckSum License Manager
+hiq 1410/tcp # HiQ License Manager
+hiq 1410/udp # HiQ License Manager
+af 1411/tcp # AudioFile
+af 1411/udp # AudioFile
+innosys 1412/tcp # InnoSys
+innosys 1412/udp # InnoSys
+dbstar 1415/tcp # DBStar
+dbstar 1415/udp # DBStar
+essbase 1423/tcp # Essbase Arbor Software
+essbase 1423/udp # Essbase Arbor Software
+hybrid 1424/tcp # Hybrid Encryption Protocol
+hybrid 1424/udp # Hybrid Encryption Protocol
+sais 1426/tcp # Satellite-data Acquisition System 1
+sais 1426/udp # Satellite-data Acquisition System 1
+mloadd 1427/tcp # mloadd monitoring tool
+mloadd 1427/udp # mloadd monitoring tool
+nms 1429/tcp # Hypercom NMS
+nms 1429/udp # Hypercom NMS
+tpdu 1430/tcp # Hypercom TPDU
+tpdu 1430/udp # Hypercom TPDU
+rgtp 1431/tcp # Reverse Gossip Transport
+rgtp 1431/udp # Reverse Gossip Transport
+saism 1436/tcp # Satellite-data Acquisition System 2
+saism 1436/udp # Satellite-data Acquisition System 2
+tabula 1437/tcp # Tabula
+tabula 1437/udp # Tabula
+peport 1449/tcp # PEport
+peport 1449/udp # PEport
+dwf 1450/tcp # Tandem Distributed Workbench Facility
+dwf 1450/udp # Tandem Distributed Workbench Facility
+infoman 1451/tcp # IBM Information Management
+infoman 1451/udp # IBM Information Management
+dca 1456/tcp # DCA
+dca 1456/udp # DCA
+proshare1 1459/tcp # Proshare Notebook Application
+proshare1 1459/udp # Proshare Notebook Application
+proshare2 1460/tcp # Proshare Notebook Application
+proshare2 1460/udp # Proshare Notebook Application
+nucleus 1463/tcp # Nucleus
+nucleus 1463/udp # Nucleus
+pipes 1465/tcp # Pipes Platform
+pipes 1465/udp # Pipes Platform mfarlin@peerlogic.com
+csdmbase 1467/tcp # CSDMBASE
+csdmbase 1467/udp # CSDMBASE
+csdm 1468/tcp # CSDM
+csdm 1468/udp # CSDM
+uaiact 1470/tcp # Universal Analytics
+uaiact 1470/udp # Universal Analytics
+csdmbase 1471/tcp # csdmbase
+csdmbase 1471/udp # csdmbase
+csdm 1472/tcp # csdm
+csdm 1472/udp # csdm
+openmath 1473/tcp # OpenMath
+openmath 1473/udp # OpenMath
+telefinder 1474/tcp # Telefinder
+telefinder 1474/udp # Telefinder
+dberegister 1479/tcp # dberegister
+dberegister 1479/udp # dberegister
+pacerforum 1480/tcp # PacerForum
+pacerforum 1480/udp # PacerForum
+airs 1481/tcp # AIRS
+airs 1481/udp # AIRS
+afs 1483/tcp # AFS License Manager
+afs 1483/udp # AFS License Manager
+confluent 1484/tcp # Confluent License Manager
+confluent 1484/udp # Confluent License Manager
+lansource 1485/tcp # LANSource
+lansource 1485/udp # LANSource
+localinfosrvr 1487/tcp # LocalInfoSrvr
+localinfosrvr 1487/udp # LocalInfoSrvr
+docstor 1488/tcp # DocStor
+docstor 1488/udp # DocStor
+dmdocbroker 1489/tcp # dmdocbroker
+dmdocbroker 1489/udp # dmdocbroker
+anynetgateway 1491/tcp # anynetgateway
+anynetgateway 1491/udp # anynetgateway
+ica 1494/tcp # ica
+ica 1494/udp # ica
+cvc 1495/tcp # cvc
+cvc 1495/udp # cvc
+fhc 1499/tcp # Federico Heinz Consultora
+fhc 1499/udp # Federico Heinz Consultora
+saiscm 1501/tcp # Satellite-data Acquisition System 3
+saiscm 1501/udp # Satellite-data Acquisition System 3
+shivadiscovery 1502/tcp # Shiva
+shivadiscovery 1502/udp # Shiva
+funkproxy 1505/tcp # Funk Software, Inc.
+funkproxy 1505/udp # Funk Software, Inc.
+utcd 1506/tcp # Universal Time daemon (utcd)
+utcd 1506/udp # Universal Time daemon (utcd)
+symplex 1507/tcp # symplex
+symplex 1507/udp # symplex
+diagmond 1508/tcp # diagmond
+diagmond 1508/udp # diagmond
+wins 1512/tcp # Microsoft's Windows Internet Name Service
+wins 1512/udp # Microsoft's Windows Internet Name Service
+vpad 1516/tcp # Virtual Places Audio data
+vpad 1516/udp # Virtual Places Audio data
+vpac 1517/tcp # Virtual Places Audio control
+vpac 1517/udp # Virtual Places Audio control
+vpvd 1518/tcp # Virtual Places Video data
+vpvd 1518/udp # Virtual Places Video data
+vpvc 1519/tcp # Virtual Places Video control
+vpvc 1519/udp # Virtual Places Video control
+ingreslock 1524/tcp # ingres
+ingreslock 1524/udp # ingres
+orasrv 1525/tcp # oracle
+orasrv 1525/udp # oracle
+tlisrv 1527/tcp # oracle
+tlisrv 1527/udp # oracle
+mciautoreg 1528/tcp # micautoreg
+mciautoreg 1528/udp # micautoreg
+coauthor 1529/tcp # oracle
+coauthor 1529/udp # oracle
+miroconnect 1532/tcp # miroconnect
+miroconnect 1532/udp # miroconnect
+rds 1540/tcp # rds
+rds 1540/udp # rds
+rds2 1541/tcp # rds2
+rds2 1541/udp # rds2
+aspeclmd 1544/tcp # aspeclmd
+aspeclmd 1544/udp # aspeclmd
+abbaccuray 1546/tcp # abbaccuray
+abbaccuray 1546/udp # abbaccuray
+laplink 1547/tcp # laplink
+laplink 1547/udp # laplink
+shivahose 1549/tcp # Shiva Hose
+shivasound 1549/udp # Shiva Sound
+pciarray 1552/tcp # pciarray
+pciarray 1552/udp # pciarray
+livelan 1555/tcp # livelan
+livelan 1555/udp # livelan
+ashwin 1556/tcp # AshWin CI Tecnologies
+ashwin 1556/udp # AshWin CI Tecnologies
+xingmpeg 1558/tcp # xingmpeg
+xingmpeg 1558/udp # xingmpeg
+web2host 1559/tcp # web2host
+web2host 1559/udp # web2host
+facilityview 1561/tcp # facilityview
+facilityview 1561/udp # facilityview
+pconnectmgr 1562/tcp # pconnectmgr
+pconnectmgr 1562/udp # pconnectmgr
+winddlb 1565/tcp # WinDD
+winddlb 1565/udp # WinDD
+corelvideo 1566/tcp # CORELVIDEO
+corelvideo 1566/udp # CORELVIDEO
+jlicelmd 1567/tcp # jlicelmd
+jlicelmd 1567/udp # jlicelmd
+tsspmap 1568/tcp # tsspmap
+tsspmap 1568/udp # tsspmap
+ets 1569/tcp # ets
+ets 1569/udp # ets
+orbixd 1570/tcp # orbixd
+orbixd 1570/udp # orbixd
+oraclenames 1575/tcp # oraclenames
+oraclenames 1575/udp # oraclenames
+msims 1582/tcp # MSIMS
+msims 1582/udp # MSIMS
+simbaexpress 1583/tcp # simbaexpress
+simbaexpress 1583/udp # simbaexpress
+intv 1585/tcp # intv
+intv 1585/udp # intv
+vqp 1589/tcp # VQP
+vqp 1589/udp # VQP
+commonspace 1592/tcp # commonspace
+commonspace 1592/udp # commonspace
+sixtrak 1594/tcp # sixtrak
+sixtrak 1594/udp # sixtrak
+radio 1595/tcp # radio
+radio 1595/udp # radio
+picknfs 1598/tcp # picknfs
+picknfs 1598/udp # picknfs
+simbaservices 1599/tcp # simbaservices
+simbaservices 1599/udp # simbaservices
+issd 1600/tcp
+issd 1600/udp
+aas 1601/tcp # aas
+aas 1601/udp # aas
+inspect 1602/tcp # inspect
+inspect 1602/udp # inspect
+picodbc 1603/tcp # pickodbc
+picodbc 1603/udp # pickodbc
+icabrowser 1604/tcp # icabrowser
+icabrowser 1604/udp # icabrowser
+slp 1605/tcp # Salutation Manager (Salutation Protocol)
+slp 1605/udp # Salutation Manager (Salutation Protocol)
+stt 1607/tcp # stt
+stt 1607/udp # stt
+ill 1611/tcp # Inter Library Loan
+ill 1611/udp # Inter Library Loan
+skytelnet 1618/tcp # skytelnet
+skytelnet 1618/udp # skytelnet
+faxportwinport 1620/tcp # faxportwinport
+faxportwinport 1620/udp # faxportwinport
+softdataphone 1621/tcp # softdataphone
+softdataphone 1621/udp # softdataphone
+ontime 1622/tcp # ontime
+ontime 1622/udp # ontime
+jaleosnd 1623/tcp # jaleosnd
+jaleosnd 1623/udp # jaleosnd
+shockwave 1626/tcp # Shockwave
+shockwave 1626/udp # Shockwave
+oraclenet8cman 1630/tcp # Oracle Net8 Cman
+oraclenet8cman 1630/udp # Oracle Net8 Cman
+visitview 1631/tcp # Visit view
+visitview 1631/udp # Visit view
+pammratc 1632/tcp # PAMMRATC
+pammratc 1632/udp # PAMMRATC
+pammrpc 1633/tcp # PAMMRPC
+pammrpc 1633/udp # PAMMRPC
+loaprobe 1634/tcp # Log On America Probe
+loaprobe 1634/udp # Log On America Probe
+cncp 1636/tcp # CableNet Control Protocol
+cncp 1636/udp # CableNet Control Protocol
+cnap 1637/tcp # CableNet Admin Protocol
+cnap 1637/udp # CableNet Admin Protocol
+cnip 1638/tcp # CableNet Info Protocol
+cnip 1638/udp # CableNet Info Protocol
+invision 1641/tcp # InVision
+invision 1641/udp # InVision
+saiseh 1644/tcp # Satellite-data Acquisition System 4
+datametrics 1645/tcp # datametrics
+datametrics 1645/udp # datametrics
+rsap 1647/tcp # rsap
+rsap 1647/udp # rsap
+kermit 1649/tcp # kermit
+kermit 1649/udp # kermit
+nkd 1650/tcp # nkd
+nkd 1650/udp # nkd
+xnmp 1652/tcp # xnmp
+xnmp 1652/udp # xnmp
+stargatealerts 1654/tcp # stargatealerts
+stargatealerts 1654/udp # stargatealerts
+sixnetudr 1658/tcp # sixnetudr
+sixnetudr 1658/udp # sixnetudr
+pdp 1675/tcp # Pacific Data Products
+pdp 1675/udp # Pacific Data Products
+netcomm1 1676/tcp # netcomm1
+netcomm2 1676/udp # netcomm2
+groupwise 1677/tcp # groupwise
+groupwise 1677/udp # groupwise
+prolink 1678/tcp # prolink
+prolink 1678/udp # prolink
+snaresecure 1684/tcp # SnareSecure
+snaresecure 1684/udp # SnareSecure
+n2nremote 1685/tcp # n2nremote
+n2nremote 1685/udp # n2nremote
+cvmon 1686/tcp # cvmon
+cvmon 1686/udp # cvmon
+firefox 1689/tcp # firefox
+firefox 1689/udp # firefox
+rrirtr 1693/tcp # rrirtr
+rrirtr 1693/udp # rrirtr
+rrimwm 1694/tcp # rrimwm
+rrimwm 1694/udp # rrimwm
+rrilwm 1695/tcp # rrilwm
+rrilwm 1695/udp # rrilwm
+rrifmm 1696/tcp # rrifmm
+rrifmm 1696/udp # rrifmm
+rrisat 1697/tcp # rrisat
+rrisat 1697/udp # rrisat
+l2f 1701/tcp # l2f
+l2f 1701/udp # l2f
+l2tp 1701/tcp # l2tp
+l2tp 1701/udp # l2tp
+deskshare 1702/tcp # deskshare
+deskshare 1702/udp # deskshare
+slingshot 1705/tcp # slingshot
+slingshot 1705/udp # slingshot
+jetform 1706/tcp # jetform
+jetform 1706/udp # jetform
+vdmplay 1707/tcp # vdmplay
+vdmplay 1707/udp # vdmplay
+centra 1709/tcp # centra
+centra 1709/udp # centra
+impera 1710/tcp # impera
+impera 1710/udp # impera
+pptconference 1711/tcp # pptconference
+pptconference 1711/udp # pptconference
+registrar 1712/tcp # resource monitoring service
+registrar 1712/udp # resource monitoring service
+conferencetalk 1713/tcp # ConferenceTalk
+conferencetalk 1713/udp # ConferenceTalk
+xmsg 1716/tcp # xmsg
+xmsg 1716/udp # xmsg
+h323gatedisc 1718/tcp # h323gatedisc
+h323gatedisc 1718/udp # h323gatedisc
+h323gatestat 1719/tcp # h323gatestat
+h323gatestat 1719/udp # h323gatestat
+h323hostcall 1720/tcp # h323hostcall
+h323hostcall 1720/udp # h323hostcall
+caicci 1721/tcp # caicci
+caicci 1721/udp # caicci
+pptp 1723/tcp # pptp
+pptp 1723/udp # pptp
+csbphonemaster 1724/tcp # csbphonemaster
+csbphonemaster 1724/udp # csbphonemaster
+iberiagames 1726/tcp # IBERIAGAMES
+iberiagames 1726/udp # IBERIAGAMES
+winddx 1727/tcp # winddx
+winddx 1727/udp # winddx
+telindus 1728/tcp # TELINDUS
+telindus 1728/udp # TELINDUS
+citynl 1729/tcp # CityNL License Management
+citynl 1729/udp # CityNL License Management
+roketz 1730/tcp # roketz
+roketz 1730/udp # roketz
+msiccp 1731/tcp # MSICCP
+msiccp 1731/udp # MSICCP
+proxim 1732/tcp # proxim
+proxim 1732/udp # proxim
+siipat 1733/tcp # SIMS - SIIPAT Protocol for Alarm Transmission
+siipat 1733/udp # SIMS - SIIPAT Protocol for Alarm Transmission
+privatechat 1735/tcp # PrivateChat
+privatechat 1735/udp # PrivateChat
+ultimad 1737/tcp # ultimad
+ultimad 1737/udp # ultimad
+gamegen1 1738/tcp # GameGen1
+gamegen1 1738/udp # GameGen1
+webaccess 1739/tcp # webaccess
+webaccess 1739/udp # webaccess
+encore 1740/tcp # encore
+encore 1740/udp # encore
+sslp 1750/tcp # Simple Socket Library's PortMaster
+sslp 1750/udp # Simple Socket Library's PortMaster
+swiftnet 1751/tcp # SwiftNet
+swiftnet 1751/udp # SwiftNet
+cnhrp 1757/tcp # cnhrp
+cnhrp 1757/udp # cnhrp
+vaultbase 1771/tcp # vaultbase
+vaultbase 1771/udp # vaultbase
+kmscontrol 1773/tcp # KMSControl
+kmscontrol 1773/udp # KMSControl
+femis 1776/tcp # Federal Emergency Management Information System
+femis 1776/udp # Federal Emergency Management Information System
+powerguardian 1777/tcp # powerguardian
+powerguardian 1777/udp # powerguardian
+pharmasoft 1779/tcp # pharmasoft
+pharmasoft 1779/udp # pharmasoft
+dpkeyserv 1780/tcp # dpkeyserv
+dpkeyserv 1780/udp # dpkeyserv
+fjris 1783/tcp # Fujitsu Remote Install Service
+fjris 1783/udp # Fujitsu Remote Install Service
+windlm 1785/tcp # Wind River Systems License Manager
+windlm 1785/udp # Wind River Systems License Manager
+psmond 1788/tcp # psmond
+psmond 1788/udp # psmond
+hello 1789/tcp # hello
+hello 1789/udp # hello
+nmsp 1790/tcp # Narrative Media Streaming Protocol
+nmsp 1790/udp # Narrative Media Streaming Protocol
+ea1 1791/tcp # EA1
+ea1 1791/udp # EA1
+uma 1797/tcp # UMA
+uma 1797/udp # UMA
+etp 1798/tcp # Event Transfer Protocol
+etp 1798/udp # Event Transfer Protocol
+netrisk 1799/tcp # NETRISK
+netrisk 1799/udp # NETRISK
+msmq 1801/tcp # Microsoft Message Que
+msmq 1801/udp # Microsoft Message Que
+concomp1 1802/tcp # ConComp1
+concomp1 1802/udp # ConComp1
+enl 1804/tcp # ENL
+enl 1804/udp # ENL
+musiconline 1806/tcp # Musiconline
+musiconline 1806/udp # Musiconline
+fhsp 1807/tcp # Fujitsu Hot Standby Protocol
+fhsp 1807/udp # Fujitsu Hot Standby Protocol
+radius 1812/tcp # RADIUS
+radius 1812/udp # RADIUS
+mmpft 1815/tcp # MMPFT
+mmpft 1815/udp # MMPFT
+harp 1816/tcp # HARP
+harp 1816/udp # HARP
+etftp 1818/tcp # Enhanced Trivial File Transfer Protocol
+etftp 1818/udp # Enhanced Trivial File Transfer Protocol
+mcagent 1820/tcp # mcagent
+mcagent 1820/udp # mcagent
+donnyworld 1821/tcp # donnyworld
+donnyworld 1821/udp # donnyworld
+ardt 1826/tcp # ARDT
+ardt 1826/udp # ARDT
+asi 1827/tcp # ASI
+asi 1827/udp # ASI
+myrtle 1831/tcp # Myrtle
+myrtle 1831/udp # Myrtle
+udp # radio 1833/tcp # udp # radio
+udp # radio 1833/udp # udpradio
+ardusuni 1834/tcp # ARDUS Unicast
+ardusuni 1834/udp # ARDUS Unicast
+ardusmul 1835/tcp # ARDUS Multicast
+ardusmul 1835/udp # ARDUS Multicast
+csoft1 1837/tcp # csoft1
+csoft1 1837/udp # csoft1
+talnet 1838/tcp # TALNET
+talnet 1838/udp # TALNET
+gsi 1850/tcp # GSI
+gsi 1850/udp # GSI
+ctcd 1851/tcp # ctcd
+ctcd 1851/udp # ctcd
+msnp 1863/tcp # MSNP
+msnp 1863/udp # MSNP
+entp 1865/tcp # ENTP
+entp 1865/udp # ENTP
+canocentral0 1871/tcp # Cano Central 0
+canocentral0 1871/udp # Cano Central 0
+canocentral1 1872/tcp # Cano Central 1
+canocentral1 1872/udp # Cano Central 1
+fjmpjps 1873/tcp # Fjmpjps
+fjmpjps 1873/udp # Fjmpjps
+fjswapsnp 1874/tcp # Fjswapsnp
+fjswapsnp 1874/udp # Fjswapsnp
+mc2studios 1899/tcp # MC2Studios
+mc2studios 1899/udp # MC2Studios
+linkname 1903/tcp # Local Link Name Resolution
+linkname 1903/udp # Local Link Name Resolution
+sugp 1905/tcp # Secure UP.Link Gateway Protocol
+sugp 1905/udp # Secure UP.Link Gateway Protocol
+tpmd 1906/tcp # TPortMapperReq
+tpmd 1906/udp # TPortMapperReq
+intrastar 1907/tcp # IntraSTAR
+intrastar 1907/udp # IntraSTAR
+dawn 1908/tcp # Dawn
+dawn 1908/udp # Dawn
+ultrabac 1910/tcp # ultrabac
+ultrabac 1910/udp # ultrabac
+mtp 1911/tcp # Starlight Networks Multimedia Transport Protocol
+mtp 1911/udp # Starlight Networks Multimedia Transport Protocol
+armadp 1913/tcp # armadp
+armadp 1913/udp # armadp
+facelink 1915/tcp # FACELINK
+facelink 1915/udp # FACELINK
+persona 1916/tcp # Persoft Persona
+persona 1916/udp # Persoft Persona
+noagent 1917/tcp # nOAgent
+noagent 1917/udp # nOAgent
+noadmin 1921/tcp # NoAdmin
+noadmin 1921/udp # NoAdmin
+tapestry 1922/tcp # Tapestry
+tapestry 1922/udp # Tapestry
+spice 1923/tcp # SPICE
+spice 1923/udp # SPICE
+xiip 1924/tcp # XIIP
+xiip 1924/udp # XIIP
+tekpls 1946/tcp # tekpls
+tekpls 1946/udp # tekpls
+hlserver 1947/tcp # hlserver
+hlserver 1947/udp # hlserver
+eye2eye 1948/tcp # eye2eye
+eye2eye 1948/udp # eye2eye
+ismaeasdaqlive 1949/tcp # ISMA Easdaq Live
+ismaeasdaqlive 1949/udp # ISMA Easdaq Live
+ismaeasdaqtest 1950/tcp # ISMA Easdaq Test
+ismaeasdaqtest 1950/udp # ISMA Easdaq Test
+mpnjsc 1952/tcp # mpnjsc
+mpnjsc 1952/udp # mpnjsc
+rapidbase 1953/tcp # Rapid Base
+rapidbase 1953/udp # Rapid Base
+dlsrap 1973/tcp # Data Link Switching Remote Access Protocol
+dlsrap 1973/udp # Data Link Switching Remote Access Protocol
+bb 1984/tcp # BB
+bb 1984/udp # BB
+hsrp 1985/tcp # Hot Standby Router Protocol
+hsrp 1985/udp # Hot Standby Router Protocol
+licensedaemon 1986/tcp # cisco license management
+licensedaemon 1986/udp # cisco license management
+mshnet 1989/tcp # MHSnet system
+mshnet 1989/udp # MHSnet system
+ipsendmsg 1992/tcp # IPsendmsg
+ipsendmsg 1992/udp # IPsendmsg
+callbook 2000/tcp
+callbook 2000/udp
+dc 2001/tcp
+wizard 2001/udp # curry
+globe 2002/tcp
+globe 2002/udp
+mailbox 2004/tcp
+emce 2004/udp # CCWS mm conf
+berknet 2005/tcp
+oracle 2005/udp
+invokator 2006/tcp
+dectalk 2007/tcp
+conf 2008/tcp
+terminaldb 2008/udp
+news 2009/tcp
+whosockami 2009/udp
+search 2010/tcp
+servserv 2011/udp
+ttyinfo 2012/tcp
+troff 2014/tcp
+cypress 2015/tcp
+bootserver 2016/tcp
+bootserver 2016/udp
+bootclient 2017/udp
+terminaldb 2018/tcp
+rellpack 2018/udp
+whosockami 2019/tcp
+about 2019/udp
+xinupageserver 2020/tcp
+xinupageserver 2020/udp
+servexec 2021/tcp
+xinuexpansion1 2021/udp
+down 2022/tcp
+xinuexpansion2 2022/udp
+xinuexpansion3 2023/tcp
+xinuexpansion3 2023/udp
+xinuexpansion4 2024/tcp
+xinuexpansion4 2024/udp
+ellpack 2025/tcp
+xribs 2025/udp
+scrabble 2026/tcp
+scrabble 2026/udp
+shadowserver 2027/tcp
+shadowserver 2027/udp
+submitserver 2028/tcp
+submitserver 2028/udp
+device2 2030/tcp
+device2 2030/udp
+blackboard 2032/tcp
+blackboard 2032/udp
+glogger 2033/tcp
+glogger 2033/udp
+scoremgr 2034/tcp
+scoremgr 2034/udp
+imsldoc 2035/tcp
+imsldoc 2035/udp
+objectmanager 2038/tcp
+objectmanager 2038/udp
+lam 2040/tcp
+lam 2040/udp
+interbase 2041/tcp
+interbase 2041/udp
+isis 2042/tcp # isis
+isis 2042/udp # isis
+rimsl 2044/tcp
+rimsl 2044/udp
+cdfunc 2045/tcp
+cdfunc 2045/udp
+sdfunc 2046/tcp
+sdfunc 2046/udp
+dls 2047/tcp
+dls 2047/udp
+shilp 2049/tcp
+shilp 2049/udp
+nfs 2049/tcp # Network File System - Sun Microsystems
+nfs 2049/udp # Network File System - Sun Microsystems
+dlsrpn 2065/tcp # Data Link Switch Read Port Number
+dlsrpn 2065/udp # Data Link Switch Read Port Number
+dlswpn 2067/tcp # Data Link Switch Write Port Number
+dlswpn 2067/udp # Data Link Switch Write Port Number
+lrp 2090/tcp # Load Report Protocol
+lrp 2090/udp # Load Report Protocol
+prp 2091/tcp # PRP
+prp 2091/udp # PRP
+descent3 2092/tcp # Descent 3
+descent3 2092/udp # Descent 3
+jetformpreview 2097/tcp # Jet Form Preview
+jetformpreview 2097/udp # Jet Form Preview
+amiganetfs 2100/tcp # amiganetfs
+amiganetfs 2100/udp # amiganetfs
+minipay 2105/tcp # MiniPay
+minipay 2105/udp # MiniPay
+mzap 2106/tcp # MZAP
+mzap 2106/udp # MZAP
+comcam 2108/tcp # Comcam
+comcam 2108/udp # Comcam
+ergolight 2109/tcp # Ergolight
+ergolight 2109/udp # Ergolight
+ici 2200/tcp # ICI
+ici 2200/udp # ICI
+ats 2201/tcp # Advanced Training System Program
+ats 2201/udp # Advanced Training System Program
+kali 2213/tcp # Kali
+kali 2213/udp # Kali
+ganymede 2220/tcp # Ganymede
+ganymede 2220/udp # Ganymede
+infocrypt 2233/tcp # INFOCRYPT
+infocrypt 2233/udp # INFOCRYPT
+directplay 2234/tcp # DirectPlay
+directplay 2234/udp # DirectPlay
+nani 2236/tcp # Nani
+nani 2236/udp # Nani
+imagequery 2239/tcp # Image Query
+imagequery 2239/udp # Image Query
+recipe 2240/tcp # RECIPe
+recipe 2240/udp # RECIPe
+ivsd 2241/tcp # IVS Daemon
+ivsd 2241/udp # IVS Daemon
+foliocorp 2242/tcp # Folio Remote Server
+foliocorp 2242/udp # Folio Remote Server
+magicom 2243/tcp # Magicom Protocol
+magicom 2243/udp # Magicom Protocol
+nmsserver 2244/tcp # NMS Server
+nmsserver 2244/udp # NMS Server
+hao 2245/tcp # HaO
+hao 2245/udp # HaO
+xmquery 2279/tcp # xmquery
+xmquery 2279/udp # xmquery
+lnvpoller 2280/tcp # LNVPOLLER
+lnvpoller 2280/udp # LNVPOLLER
+lnvconsole 2281/tcp # LNVCONSOLE
+lnvconsole 2281/udp # LNVCONSOLE
+lnvalarm 2282/tcp # LNVALARM
+lnvalarm 2282/udp # LNVALARM
+lnvstatus 2283/tcp # LNVSTATUS
+lnvstatus 2283/udp # LNVSTATUS
+lnvmaps 2284/tcp # LNVMAPS
+lnvmaps 2284/udp # LNVMAPS
+lnvmailmon 2285/tcp # LNVMAILMON
+lnvmailmon 2285/udp # LNVMAILMON
+dna 2287/tcp # DNA
+dna 2287/udp # DNA
+netml 2288/tcp # NETML
+netml 2288/udp # NETML
+cvmmon 2300/tcp # CVMMON
+cvmmon 2300/udp # CVMMON
+binderysupport 2302/tcp # Bindery Support
+binderysupport 2302/udp # Bindery Support
+pehelp 2307/tcp # pehelp
+pehelp 2307/udp # pehelp
+sdhelp 2308/tcp # sdhelp
+sdhelp 2308/udp # sdhelp
+sdserver 2309/tcp # SD Server
+sdserver 2309/udp # SD Server
+sdclient 2310/tcp # SD Client
+sdclient 2310/udp # SD Client
+messageservice 2311/tcp # Message Service
+messageservice 2311/udp # Message Service
+iapp 2313/tcp # IAPP (Inter Access Point Protocol)
+iapp 2313/udp # IAPP (Inter Access Point Protocol)
+cadencecontrol 2318/tcp # Cadence Control
+cadencecontrol 2318/udp # Cadence Control
+infolibria 2319/tcp # InfoLibria
+infolibria 2319/udp # InfoLibria
+rdlap 2321/tcp # RDLAP over UDP
+rdlap 2321/udp # RDLAP
+ofsd 2322/tcp # ofsd
+ofsd 2322/udp # ofsd
+cosmocall 2324/tcp # Cosmocall
+cosmocall 2324/udp # Cosmocall
+idcp 2326/tcp # IDCP
+idcp 2326/udp # IDCP
+xingcsm 2327/tcp # xingcsm
+xingcsm 2327/udp # xingcsm
+nvd 2329/tcp # NVD
+nvd 2329/udp # NVD
+tscchat 2330/tcp # TSCCHAT
+tscchat 2330/udp # TSCCHAT
+agentview 2331/tcp # AGENTVIEW
+agentview 2331/udp # AGENTVIEW
+snapp 2333/tcp # SNAPP
+snapp 2333/udp # SNAPP
+appleugcontrol 2336/tcp # Apple UG Control
+appleugcontrol 2336/udp # Apple UG Control
+ideesrv 2337/tcp # ideesrv
+ideesrv 2337/udp # ideesrv
+xiostatus 2341/tcp # XIO Status
+xiostatus 2341/udp # XIO Status
+fcmsys 2344/tcp # fcmsys
+fcmsys 2344/udp # fcmsys
+dbm 2345/tcp # dbm
+dbm 2345/udp # dbm
+psbserver 2350/tcp # psbserver
+psbserver 2350/udp # psbserver
+psrserver 2351/tcp # psrserver
+psrserver 2351/udp # psrserver
+pslserver 2352/tcp # pslserver
+pslserver 2352/udp # pslserver
+pspserver 2353/tcp # pspserver
+pspserver 2353/udp # pspserver
+psprserver 2354/tcp # psprserver
+psprserver 2354/udp # psprserver
+psdbserver 2355/tcp # psdbserver
+psdbserver 2355/udp # psdbserver
+gxtelmd 2356/tcp # GXT License Managemant
+gxtelmd 2356/udp # GXT License Managemant
+futrix 2358/tcp # Futrix
+futrix 2358/udp # Futrix
+flukeserver 2359/tcp # FlukeServer
+flukeserver 2359/udp # FlukeServer
+nexstorindltd 2360/tcp # NexstorIndLtd
+nexstorindltd 2360/udp # NexstorIndLtd
+tl1 2361/tcp # TL1
+tl1 2361/udp # TL1
+ovsessionmgr 2389/tcp # OpenView Session Mgr
+ovsessionmgr 2389/udp # OpenView Session Mgr
+rsmtp 2390/tcp # RSMTP
+rsmtp 2390/udp # RSMTP
+tacticalauth 2392/tcp # Tactical Auth
+tacticalauth 2392/udp # Tactical Auth
+wusage 2396/tcp # Wusage
+wusage 2396/udp # Wusage
+ncl 2397/tcp # NCL
+ncl 2397/udp # NCL
+orbiter 2398/tcp # Orbiter
+orbiter 2398/udp # Orbiter
+cvspserver 2401/tcp # cvspserver
+cvspserver 2401/udp # cvspserver
+taskmaster2000 2402/tcp # TaskMaster 2000 Server
+taskmaster2000 2402/udp # TaskMaster 2000 Server
+taskmaster2000 2403/tcp # TaskMaster 2000 Web
+taskmaster2000 2403/udp # TaskMaster 2000 Web
+jediserver 2406/tcp # JediServer
+jediserver 2406/udp # JediServer
+orion 2407/tcp # Orion
+orion 2407/udp # Orion
+optimanet 2408/tcp # OptimaNet
+optimanet 2408/udp # OptimaNet
+cdn 2412/tcp # CDN
+cdn 2412/udp # CDN
+interlingua 2414/tcp # Interlingua
+interlingua 2414/udp # Interlingua
+comtest 2415/tcp # COMTEST
+comtest 2415/udp # COMTEST
+rmtserver 2416/tcp # RMT Server
+rmtserver 2416/udp # RMT Server
+cas 2418/tcp # cas
+cas 2418/udp # cas
+crmsbits 2422/tcp # CRMSBITS
+crmsbits 2422/udp # CRMSBITS
+rnrp 2423/tcp # RNRP
+rnrp 2423/udp # RNRP
+fjitsuappmgr 2425/tcp # Fujitsu App Manager
+fjitsuappmgr 2425/udp # Fujitsu App Manager
+applianttcp 2426/tcp # Appliant TCP
+appliantudp 2426/udp # Appliant UDP
+stgcp 2427/tcp # Simple telephony Gateway Control Protocol
+stgcp 2427/udp # Simple telephony Gateway Control Protocol
+ott 2428/tcp # One Way Trip Time
+ott 2428/udp # One Way Trip Time
+venus 2430/tcp # venus
+venus 2430/udp # venus
+codasrv 2432/tcp # codasrv
+codasrv 2432/udp # codasrv
+optilogic 2435/tcp # OptiLogic
+optilogic 2435/udp # OptiLogic
+topx 2436/tcp # TOP/X
+topx 2436/udp # TOP/X
+unicontrol 2437/tcp # UniControl
+unicontrol 2437/udp # UniControl
+msp 2438/tcp # MSP
+msp 2438/udp # MSP
+sybasedbsynch 2439/tcp # SybaseDBSynch
+sybasedbsynch 2439/udp # SybaseDBSynch
+spearway 2440/tcp # Spearway Lockers
+spearway 2440/udp # Spearway Lockser
+netangel 2442/tcp # Netangel
+netangel 2442/udp # Netangel
+powerclientcsf 2443/tcp # PowerClient Central Storage Facility
+powerclientcsf 2443/udp # PowerClient Central Storage Facility
+btpp2sectrans 2444/tcp # BT PP2 Sectrans
+btpp2sectrans 2444/udp # BT PP2 Sectrans
+dtn1 2445/tcp # DTN1
+dtn1 2445/udp # DTN1
+ovwdb 2447/tcp # OpenView NNM daemon
+ovwdb 2447/udp # OpenView NNM daemon
+hpppssvr 2448/tcp # hpppsvr
+hpppssvr 2448/udp # hpppsvr
+ratl 2449/tcp # RATL
+ratl 2449/udp # RATL
+netadmin 2450/tcp # netadmin
+netadmin 2450/udp # netadmin
+netchat 2451/tcp # netchat
+netchat 2451/udp # netchat
+snifferclient 2452/tcp # SnifferClient
+snifferclient 2452/udp # SnifferClient
+griffin 2458/tcp # griffin
+griffin 2458/udp # griffin
+community 2459/tcp # Community
+community 2459/udp # Community
+qadmifoper 2461/tcp # qadmifoper
+qadmifoper 2461/udp # qadmifoper
+qadmifevent 2462/tcp # qadmifevent
+qadmifevent 2462/udp # qadmifevent
+lbm 2465/tcp # Load Balance Management
+lbm 2465/udp # Load Balance Management
+lbf 2466/tcp # Load Balance Forwarding
+lbf 2466/udp # Load Balance Forwarding
+seaodbc 2471/tcp # SeaODBC
+seaodbc 2471/udp # SeaODBC
+c3 2472/tcp # C3
+c3 2472/udp # C3
+vitalanalysis 2474/tcp # Vital Analysis
+vitalanalysis 2474/udp # Vital Analysis
+lingwood 2480/tcp # Lingwood's Detail
+lingwood 2480/udp # Lingwood's Detail
+giop 2481/tcp # Oracle GIOP
+giop 2481/udp # Oracle GIOP
+ttc 2483/tcp # Oracle TTC
+ttc 2483/udp # Oracel TTC
+netobjects1 2485/tcp # Net Objects1
+netobjects1 2485/udp # Net Objects1
+netobjects2 2486/tcp # Net Objects2
+netobjects2 2486/udp # Net Objects2
+pns 2487/tcp # Policy Notice Service
+pns 2487/udp # Policy Notice Service
+tsilb 2489/tcp # TSILB
+tsilb 2489/udp # TSILB
+groove 2492/tcp # GROOVE
+groove 2492/udp # GROOVE
+dirgis 2496/tcp # DIRGIS
+dirgis 2496/udp # DIRGIS
+quaddb 2497/tcp # Quad DB
+quaddb 2497/udp # Quad DB
+unicontrol 2499/tcp # UniControl
+unicontrol 2499/udp # UniControl
+rtsserv 2500/tcp # Resource Tracking system server
+rtsserv 2500/udp # Resource Tracking system server
+rtsclient 2501/tcp # Resource Tracking system client
+rtsclient 2501/udp # Resource Tracking system client
+wlbs 2504/tcp # WLBS
+wlbs 2504/udp # WLBS
+jbroker 2506/tcp # jbroker
+jbroker 2506/udp # jbroker
+spock 2507/tcp # spock
+spock 2507/udp # spock
+datastore 2508/tcp # datastore
+datastore 2508/udp # datastore
+fjmpss 2509/tcp # fjmpss
+fjmpss 2509/udp # fjmpss
+fjappmgrbulk 2510/tcp # fjappmgrbulk
+fjappmgrbulk 2510/udp # fjappmgrbulk
+metastorm 2511/tcp # Metastorm
+metastorm 2511/udp # Metastorm
+citrixima 2512/tcp # Citrix IMA
+citrixima 2512/udp # Citrix IMA
+citrixadmin 2513/tcp # Citrix ADMIN
+citrixadmin 2513/udp # Citrix ADMIN
+maincontrol 2516/tcp # Main Control
+maincontrol 2516/udp # Main Control
+willy 2518/tcp # Willy
+willy 2518/udp # Willy
+globmsgsvc 2519/tcp # globmsgsvc
+globmsgsvc 2519/udp # globmsgsvc
+pvsw 2520/tcp # pvsw
+pvsw 2520/udp # pvsw
+adaptecmgr 2521/tcp # Adaptec Manager
+adaptecmgr 2521/udp # Adaptec Manager
+windb 2522/tcp # WinDb
+windb 2522/udp # WinDb
+iqserver 2527/tcp # IQ Server
+iqserver 2527/udp # IQ Server
+utsftp 2529/tcp # UTS FTP
+utsftp 2529/udp # UTS FTP
+vrcommerce 2530/tcp # VR Commerce
+vrcommerce 2530/udp # VR Commerce
+ovtopmd 2532/tcp # OVTOPMD
+ovtopmd 2532/udp # OVTOPMD
+snifferserver 2533/tcp # SnifferServer
+snifferserver 2533/udp # SnifferServer
+mdhcp 2535/tcp # MDHCP
+mdhcp 2535/udp # MDHCP
+btpp2audctr1 2536/tcp # btpp2audctr1
+btpp2audctr1 2536/udp # btpp2audctr1
+upgrade 2537/tcp # Upgrade Protocol
+upgrade 2537/udp # Upgrade Protocol
+vsiadmin 2539/tcp # VSI Admin
+vsiadmin 2539/udp # VSI Admin
+lonworks 2540/tcp # LonWorks
+lonworks 2540/udp # LonWorks
+lonworks2 2541/tcp # LonWorks2
+lonworks2 2541/udp # LonWorks2
+davinci 2542/tcp # daVinci
+davinci 2542/udp # daVinci
+reftek 2543/tcp # REFTEK
+reftek 2543/udp # REFTEK
+vytalvaultbrtp 2546/tcp # vytalvaultbrtp
+vytalvaultbrtp 2546/udp # vytalvaultbrtp
+vytalvaultvsmp 2547/tcp # vytalvaultvsmp
+vytalvaultvsmp 2547/udp # vytalvaultvsmp
+vytalvaultpipe 2548/tcp # vytalvaultpipe
+vytalvaultpipe 2548/udp # vytalvaultpipe
+ipass 2549/tcp # IPASS
+ipass 2549/udp # IPASS
+ads 2550/tcp # ADS
+ads 2550/udp # ADS
+efidiningport 2553/tcp # efidiningport
+efidiningport 2553/udp # efidiningport
+pclemultimedia 2558/tcp # PCLE Multi Media
+pclemultimedia 2558/udp # PCLE Multi Media
+lstp 2559/tcp # LSTP
+lstp 2559/udp # LSTP
+labrat 2560/tcp # labrat
+labrat 2560/udp # labrat
+mosaixcc 2561/tcp # MosaixCC
+mosaixcc 2561/udp # MosaixCC
+delibo 2562/tcp # Delibo
+delibo 2562/udp # Delibo
+clp 2567/tcp # Cisco Line Protocol
+clp 2567/udp # Cisco Line Protocol
+spamtrap 2568/tcp # SPAM TRAP
+spamtrap 2568/udp # SPAM TRAP
+sonuscallsig 2569/tcp # Sonus Call Signal
+sonuscallsig 2569/udp # Sonus Call Signal
+cecsvc 2571/tcp # CECSVC
+cecsvc 2571/udp # CECSVC
+ibp 2572/tcp # IBP
+ibp 2572/udp # IBP
+trustestablish 2573/tcp # Trust Establish
+trustestablish 2573/udp # Trust Establish
+hl7 2575/tcp # HL7
+hl7 2575/udp # HL7
+tclprodebugger 2576/tcp # TCL Pro Debugger
+tclprodebugger 2576/udp # TCL Pro Debugger
+scipticslsrvr 2577/tcp # Scriptics Lsrvr
+scipticslsrvr 2577/udp # Scriptics Lsrvr
+mpfoncl 2579/tcp # mpfoncl
+mpfoncl 2579/udp # mpfoncl
+tributary 2580/tcp # Tributary
+tributary 2580/udp # Tributary
+mon 2583/tcp # MON
+mon 2583/udp # MON
+cyaserv 2584/tcp # cyaserv
+cyaserv 2584/udp # cyaserv
+masc 2587/tcp # MASC
+masc 2587/udp # MASC
+privilege 2588/tcp # Privilege
+privilege 2588/udp # Privilege
+idotdist 2590/tcp # idotdist
+idotdist 2590/udp # idotdist
+maytagshuffle 2591/tcp # Maytag Shuffle
+maytagshuffle 2591/udp # Maytag Shuffle
+netrek 2592/tcp # netrek
+netrek 2592/udp # netrek
+dts 2594/tcp # Data Base Server
+dts 2594/udp # Data Base Server
+worldfusion1 2595/tcp # World Fusion 1
+worldfusion1 2595/udp # World Fusion 1
+worldfusion2 2596/tcp # World Fusion 2
+worldfusion2 2596/udp # World Fusion 2
+homesteadglory 2597/tcp # Homestead Glory
+homesteadglory 2597/udp # Homestead Glory
+citriximaclient 2598/tcp # Citrix MA Client
+citriximaclient 2598/udp # Citrix MA Client
+meridiandata 2599/tcp # Meridian Data
+meridiandata 2599/udp # Meridian Data
+hpstgmgr 2600/tcp # HPSTGMGR
+hpstgmgr 2600/udp # HPSTGMGR
+servicemeter 2603/tcp # Service Meter
+servicemeter 2603/udp # Service Meter
+netmon 2606/tcp # Dell Netmon
+netmon 2606/udp # Dell Netmon
+connection 2607/tcp # Dell Connection
+connection 2607/udp # Dell Connection
+lionhead 2611/tcp # LIONHEAD
+lionhead 2611/udp # LIONHEAD
+smntubootstrap 2613/tcp # SMNTUBootstrap
+smntubootstrap 2613/udp # SMNTUBootstrap
+neveroffline 2614/tcp # Never Off Line
+neveroffline 2614/udp # Never Off Line
+firepower 2615/tcp # firepower
+firepower 2615/udp # firepower
+cmadmin 2617/tcp # Clinical Context Managers
+cmadmin 2617/udp # Clinical Context Managers
+bruce 2619/tcp # bruce
+bruce 2619/udp # bruce
+lpsrecommender 2620/tcp # LPSRecommender
+lpsrecommender 2620/udp # LPSRecommender
+dict 2628/tcp # DICT
+dict 2628/udp # DICT
+sitaraserver 2629/tcp # Sitara Server
+sitaraserver 2629/udp # Sitara Server
+sitaramgmt 2630/tcp # Sitara Management
+sitaramgmt 2630/udp # Sitara Management
+sitaradir 2631/tcp # Sitara Dir
+sitaradir 2631/udp # Sitara Dir
+interintelli 2633/tcp # InterIntelli
+interintelli 2633/udp # InterIntelli
+backburner 2635/tcp # Back Burner
+backburner 2635/udp # Back Burner
+solve 2636/tcp # Solve
+solve 2636/udp # Solve
+imdocsvc 2637/tcp # Import Document Service
+imdocsvc 2637/udp # Import Document Service
+sybaseanywhere 2638/tcp # Sybase Anywhere
+sybaseanywhere 2638/udp # Sybase Anywhere
+aminet 2639/tcp # AMInet
+aminet 2639/udp # AMInet
+tragic 2642/tcp # Tragic
+tragic 2642/udp # Tragic
+syncserver 2647/tcp # SyncServer
+syncserver 2647/udp # SyncServer
+upsnotifyprot 2648/tcp # Upsnotifyprot
+upsnotifyprot 2648/udp # Upsnotifyprot
+vpsipport 2649/tcp # VPSIPPORT
+vpsipport 2649/udp # VPSIPPORT
+eristwoguns 2650/tcp # eristwoguns
+eristwoguns 2650/udp # eristwoguns
+ebinsite 2651/tcp # EBInSite
+ebinsite 2651/udp # EBInSite
+interpathpanel 2652/tcp # InterPathPanel
+interpathpanel 2652/udp # InterPathPanel
+sonus 2653/tcp # Sonus
+sonus 2653/udp # Sonus
+unglue 2655/tcp # UNIX Nt Glue
+unglue 2655/udp # UNIX Nt Glue
+kana 2656/tcp # Kana
+kana 2656/udp # Kana
+gcmonitor 2660/tcp # GC Monitor
+gcmonitor 2660/udp # GC Monitor
+olhost 2661/tcp # OLHOST
+olhost 2661/udp # OLHOST
+extensis 2666/tcp # extensis
+extensis 2666/udp # extensis
+toad 2669/tcp # TOAD
+toad 2669/udp # TOAD
+newlixreg 2671/tcp # newlixreg
+newlixreg 2671/udp # newlixreg
+nhserver 2672/tcp # nhserver
+nhserver 2672/udp # nhserver
+firstcall42 2673/tcp # First Call 42
+firstcall42 2673/udp # First Call 42
+ewnn 2674/tcp # ewnn
+ewnn 2674/udp # ewnn
+simslink 2676/tcp # SIMSLink
+simslink 2676/udp # SIMSLink
+gadgetgate1way 2677/tcp # Gadget Gate 1 Way
+gadgetgate1way 2677/udp # Gadget Gate 1 Way
+gadgetgate2way 2678/tcp # Gadget Gate 2 Way
+gadgetgate2way 2678/udp # Gadget Gate 2 Way
+syncserverssl 2679/tcp # Sync Server SSL
+syncserverssl 2679/udp # Sync Server SSL
+mpnjsomb 2681/tcp # mpnjsomb
+mpnjsomb 2681/udp # mpnjsomb
+srsp 2682/tcp # SRSP
+srsp 2682/udp # SRSP
+ncdloadbalance 2683/tcp # NCDLoadBalance
+ncdloadbalance 2683/udp # NCDLoadBalance
+mpnjsosv 2684/tcp # mpnjsosv
+mpnjsosv 2684/udp # mpnjsosv
+mpnjsocl 2685/tcp # mpnjsocl
+mpnjsocl 2685/udp # mpnjsocl
+mpnjsomg 2686/tcp # mpnjsomg
+mpnjsomg 2686/udp # mpnjsomg
+fastlynx 2689/tcp # FastLynx
+fastlynx 2689/udp # FastLynx
+tqdata 2700/tcp # tqdata
+tqdata 2700/udp # tqdata
+piccolo 2787/tcp # piccolo - Cornerstone Software
+piccolo 2787/udp # piccolo - Cornerstone Software
+fryeserv 2788/tcp # NetWare Loadable Module - Seagate Software
+fryeserv 2788/udp # NetWare Loadable Module - Seagate Software
+mao 2908/tcp # mao
+mao 2908/udp # mao
+tdaccess 2910/tcp # TDAccess
+tdaccess 2910/udp # TDAccess
+blockade 2911/tcp # Blockade
+blockade 2911/udp # Blockade
+epicon 2912/tcp # Epicon
+epicon 2912/udp # Epicon
+boosterware 2913/tcp # Booster Ware
+boosterware 2913/udp # Booster Ware
+gamelobby 2914/tcp # Game Lobby
+gamelobby 2914/udp # Game Lobby
+tksocket 2915/tcp # TK Socket
+tksocket 2915/udp # TK Socket
+kastenchasepad 2918/tcp # Kasten Chase Pad
+kastenchasepad 2918/udp # Kasten Chase Pad
+netclip 2971/tcp # Net Clip
+netclip 2971/udp # Net Clip
+svnetworks 2973/tcp # SV Networks
+svnetworks 2973/udp # SV Networks
+signal 2974/tcp # Signal
+signal 2974/udp # Signal
+fjmpcm 2975/tcp # Fujitsu Configuration Management Service
+fjmpcm 2975/udp # Fujitsu Configuration Management Service
+realsecure 2998/tcp # Real Secure
+realsecure 2998/udp # Real Secure
+hbci 3000/tcp # HBCI
+hbci 3000/udp # HBCI
+cgms 3003/tcp # CGMS
+cgms 3003/udp # CGMS
+csoftragent 3004/tcp # Csoft Agent
+csoftragent 3004/udp # Csoft Agent
+geniuslm 3005/tcp # Genius License Manager
+geniuslm 3005/udp # Genius License Manager
+lotusmtap 3007/tcp # Lotus Mail Tracking Agent Protocol
+lotusmtap 3007/udp # Lotus Mail Tracking Agent Protocol
+gw 3010/tcp # Telerate Workstation
+twsdss 3012/tcp # Trusted Web Client
+twsdss 3012/udp # Trusted Web Client
+gilatskysurfer 3013/tcp # Gilat Sky Surfer
+gilatskysurfer 3013/udp # Gilat Sky Surfer
+cifs 3020/tcp # CIFS
+cifs 3020/udp # CIFS
+agriserver 3021/tcp # AGRI Server
+agriserver 3021/udp # AGRI Server
+csregagent 3022/tcp # CSREGAGENT
+csregagent 3022/udp # CSREGAGENT
+magicnotes 3023/tcp # magicnotes
+magicnotes 3023/udp # magicnotes
+agentvu 3031/tcp # AgentVU
+agentvu 3031/udp # AgentVU
+pdb 3033/tcp # PDB
+pdb 3033/udp # PDB
+cogitate 3039/tcp # Cogitate, Inc.
+cogitate 3039/udp # Cogitate, Inc.
+journee 3042/tcp # journee
+journee 3042/udp # journee
+brp 3043/tcp # BRP
+brp 3043/udp # BRP
+responsenet 3045/tcp # ResponseNet
+responsenet 3045/udp # ResponseNet
+hlserver 3047/tcp # Fast Security HL Server
+hlserver 3047/udp # Fast Security HL Server
+pctrader 3048/tcp # Sierra Net PC Trader
+pctrader 3048/udp # Sierra Net PC Trader
+nsws 3049/tcp # NSWS
+nsws 3049/udp # NSWS
+interserver 3060/tcp # interserver
+interserver 3060/udp # interserver
+cardbox 3105/tcp # Cardbox
+cardbox 3105/udp # Cardbox
+icpv2 3130/tcp # ICPv2
+icpv2 3130/udp # ICPv2
+netbookmark 3131/tcp # Net Book Mark
+netbookmark 3131/udp # Net Book Mark
+vmodem 3141/tcp # VMODEM
+vmodem 3141/udp # VMODEM
+seaview 3143/tcp # Sea View
+seaview 3143/udp # Sea View
+tarantella 3144/tcp # Tarantella
+tarantella 3144/udp # Tarantella
+rfio 3147/tcp # RFIO
+rfio 3147/udp # RFIO
+ccmail 3264/tcp # cc:mail/lotus
+ccmail 3264/udp # cc:mail/lotus
+verismart 3270/tcp # Verismart
+verismart 3270/udp # Verismart
+sxmp 3273/tcp # Simple Extensible Multiplexed Protocol
+sxmp 3273/udp # Simple Extensible Multiplexed Protocol
+samd 3275/tcp # SAMD
+samd 3275/udp # SAMD
+lkcmserver 3278/tcp # LKCM Server
+lkcmserver 3278/udp # LKCM Server
+admind 3279/tcp # admind
+admind 3279/udp # admind
+sysopt 3281/tcp # SYSOPT
+sysopt 3281/udp # SYSOPT
+datusorb 3282/tcp # Datusorb
+datusorb 3282/udp # Datusorb
+plato 3285/tcp # Plato
+plato 3285/udp # Plato
+directvdata 3287/tcp # DIRECTVDATA
+directvdata 3287/udp # DIRECTVDATA
+cops 3288/tcp # COPS
+cops 3288/udp # COPS
+enpc 3289/tcp # ENPC
+enpc 3289/udp # ENPC
+dyniplookup 3295/tcp # Dynamic IP Lookup
+dyniplookup 3295/udp # Dynamic IP Lookup
+transview 3298/tcp # Transview
+transview 3298/udp # Transview
+pdrncs 3299/tcp # pdrncs
+pdrncs 3299/udp # pdrncs
+bmcpatrolagent 3300/tcp # BMC Patrol Agent
+bmcpatrolagent 3300/udp # BMC Patrol Agent
+bmcpatrolrnvu 3301/tcp # BMC Patrol Rendezvous
+bmcpatrolrnvu 3301/udp # BMC Patrol Rendezvous
+mysql 3306/tcp # MySQL
+mysql 3306/udp # MySQL
+uorb 3313/tcp # Unify Object Broker
+uorb 3313/udp # Unify Object Broker
+uohost 3314/tcp # Unify Object Host
+uohost 3314/udp # Unify Object Host
+cdid 3315/tcp # CDID
+cdid 3315/udp # CDID
+vsaiport 3317/tcp # VSAI PORT
+vsaiport 3317/udp # VSAI PORT
+ssrip 3318/tcp # Swith to Swith Routing Information Protocol
+ssrip 3318/udp # Swith to Swith Routing Information Protocol
+officelink2000 3320/tcp # Office Link 2000
+officelink2000 3320/udp # Office Link 2000
+vnsstr 3321/tcp # VNSSTR
+vnsstr 3321/udp # VNSSTR
+sftu 3326/tcp # SFTU
+sftu 3326/udp # SFTU
+bbars 3327/tcp # BBARS
+bbars 3327/udp # BBARS
+egptlm 3328/tcp # Eaglepoint License Manager
+egptlm 3328/udp # Eaglepoint License Manager
+webtie 3342/tcp # WebTIE
+webtie 3342/udp # WebTIE
+influence 3345/tcp # Influence
+influence 3345/udp # Influence
+trnsprntproxy 3346/tcp # Trnsprnt Proxy
+trnsprntproxy 3346/udp # Trnsprnt Proxy
+chevinservices 3349/tcp # Chevin Services
+chevinservices 3349/udp # Chevin Services
+findviatv 3350/tcp # FINDVIATV
+findviatv 3350/udp # FINDVIATV
+btrieve 3351/tcp # BTRIEVE
+btrieve 3351/udp # BTRIEVE
+ssql 3352/tcp # SSQL
+ssql 3352/udp # SSQL
+fatpipe 3353/tcp # FATPIPE
+fatpipe 3353/udp # FATPIPE
+suitjd 3354/tcp # SUITJD
+suitjd 3354/udp # SUITJD
+upnotifyps 3356/tcp # UPNOTIFYPS
+upnotifyps 3356/udp # UPNOTIFYPS
+mpsysrmsvr 3358/tcp # Mp Sys Rmsvr
+mpsysrmsvr 3358/udp # Mp Sys Rmsvr
+creativeserver 3364/tcp # Creative Server
+creativeserver 3364/udp # Creative Server
+contentserver 3365/tcp # Content Server
+contentserver 3365/udp # Content Server
+creativepartnr 3366/tcp # Creative Partner
+creativepartnr 3366/udp # Creative Partner
+tip2 3372/tcp # TIP 2
+tip2 3372/udp # TIP 2
+cdborker 3376/tcp # CD Broker
+cdbroker 3376/udp # CD Broker
+wsicopy 3378/tcp # WSICOPY
+wsicopy 3378/udp # WSICOPY
+socorfs 3379/tcp # SOCORFS
+socorfs 3379/udp # SOCORFS
+geneous 3381/tcp # Geneous
+geneous 3381/udp # Geneous
+qnxnetman 3385/tcp # qnxnetman
+qnxnetman 3385/udp # qnxnetman
+backroomnet 3387/tcp # Back Room Net
+backroomnet 3387/udp # Back Room Net
+cbserver 3388/tcp # CB Server
+cbserver 3388/udp # CB Server
+dsc 3390/tcp # Distributed Service Coordinator
+dsc 3390/udp # Distributed Service Coordinator
+savant 3391/tcp # SAVANT
+savant 3391/udp # SAVANT
+mercantile 3398/tcp # Mercantile
+mercantile 3398/udp # Mercantile
+csms 3399/tcp # CSMS
+csms 3399/udp # CSMS
+csms2 3400/tcp # CSMS2
+csms2 3400/udp # CSMS2
+bmap 3421/tcp # Bull Apprise portmapper
+bmap 3421/udp # Bull Apprise portmapper
+mira 3454/tcp # Apple Remote Access Protocol
+prsvp 3455/tcp # RSVP Port
+prsvp 3455/udp # RSVP Port
+vat 3456/tcp # VAT default data
+vat 3456/udp # VAT default data
+d3winosfi 3458/tcp # D3WinOsfi
+d3winosfi 3458/udp # DsWinOSFI
+integral 3459/tcp # Integral
+integral 3459/udp # Integral
+workflow 3466/tcp # WORKFLOW
+workflow 3466/udp # WORKFLOW
+rcst 3467/tcp # RCST
+rcst 3467/udp # RCST
+ttcmremotectrl 3468/tcp # TTCM Remote Controll
+ttcmremotectrl 3468/udp # TTCM Remote Controll
+pluribus 3469/tcp # Pluribus
+pluribus 3469/udp # Pluribus
+jt400 3470/tcp # jt400
+jt400 3470/udp # jt400
+watcomdebug 3563/tcp # Watcom Debug
+watcomdebug 3563/udp # Watcom Debug
+harlequinorb 3672/tcp # harlequinorb
+harlequinorb 3672/udp # harlequinorb
+centerline 3987/tcp # Centerline
+centerline 3987/udp # Centerline
+terabase 4000/tcp # Terabase
+terabase 4000/udp # Terabase
+newoak 4001/tcp # NewOak
+newoak 4001/udp # NewOak
+netcheque 4008/tcp # NetCheque accounting
+netcheque 4008/udp # NetCheque accounting
+altserviceboot 4011/tcp # Alternate Service Boot
+altserviceboot 4011/udp # Alternate Service Boot
+taiclock 4014/tcp # TAICLOCK
+taiclock 4014/udp # TAICLOCK
+bre 4096/tcp # BRE (Bridge Relay Element)
+bre 4096/udp # BRE (Bridge Relay Element)
+patrolview 4097/tcp # Patrol View
+patrolview 4097/udp # Patrol View
+drmsfsd 4098/tcp # drmsfsd
+drmsfsd 4098/udp # drmsfsd
+dpcp 4099/tcp # DPCP
+dpcp 4099/udp # DPCP
+oirtgsvc 4141/tcp # Workflow Server
+oirtgsvc 4141/udp # Workflow Server
+oidocsvc 4142/tcp # Document Server
+oidocsvc 4142/udp # Document Server
+oidsr 4143/tcp # Document Replication
+oidsr 4143/udp # Document Replication
+corelccam 4300/tcp # Corel CCam
+corelccam 4300/udp # Corel CCam
+rwhois 4321/tcp # Remote Who Is
+rwhois 4321/udp # Remote Who Is
+unicall 4343/tcp # UNICALL
+unicall 4343/udp # UNICALL
+vinainstall 4344/tcp # VinaInstall
+vinainstall 4344/udp # VinaInstall
+elanlm 4346/tcp # ELAN LM
+elanlm 4346/udp # ELAN LM
+lansurveyor 4347/tcp # LAN Surveyor
+lansurveyor 4347/udp # LAN Surveyor
+itose 4348/tcp # ITOSE
+itose 4348/udp # ITOSE
+fsportmap 4349/tcp # File System Port Map
+fsportmap 4349/udp # File System Port Map
+saris 4442/tcp # Saris
+saris 4442/udp # Saris
+pharos 4443/tcp # Pharos
+pharos 4443/udp # Pharos
+krb524 4444/tcp # KRB524
+krb524 4444/udp # KRB524
+upnotifyp 4445/tcp # UPNOTIFYP
+upnotifyp 4445/udp # UPNOTIFYP
+privatewire 4449/tcp # PrivateWire
+privatewire 4449/udp # PrivateWire
+camp 4450/tcp # Camp
+camp 4450/udp # Camp
+ctisystemmsg 4451/tcp # CTI System Msg
+ctisystemmsg 4451/udp # CTI System Msg
+ctiprogramload 4452/tcp # CTI Program Load
+ctiprogramload 4452/udp # CTI Program Load
+nssalertmgr 4453/tcp # NSS Alert Manager
+nssalertmgr 4453/udp # NSS Alert Manager
+nssagentmgr 4454/tcp # NSS Agent Manager
+nssagentmgr 4454/udp # NSS Agent Manager
+prRegister 4457/tcp # PR Register
+prRegister 4457/udp # PR Register
+worldscores 4545/tcp # WorldScores
+worldscores 4545/udp # WorldScores
+piranha1 4600/tcp # Piranha1
+piranha1 4600/udp # Piranha1
+piranha2 4601/tcp # Piranha2
+piranha2 4601/udp # Piranha2
+rfa 4672/tcp # remote file access server
+rfa 4672/udp # remote file access server
+iims 4800/tcp # Icona Instant Messenging System
+iims 4800/udp # Icona Instant Messenging System
+iwec 4801/tcp # Icona Web Embedded Chat
+iwec 4801/udp # Icona Web Embedded Chat
+ilss 4802/tcp # Icona License System Server
+ilss 4802/udp # Icona License System Server
+htcp 4827/tcp # HTCP
+htcp 4827/udp # HTCP
+phrelay 4868/tcp # Photon Relay
+phrelay 4868/udp # Photon Relay
+phrelaydbg 4869/tcp # Photon Relay Debug
+phrelaydbg 4869/udp # Photon Relay Debug
+abbs 4885/tcp # ABBS
+abbs 4885/udp # ABBS
+rfe 5002/tcp # radio free ethernet
+rfe 5002/udp # radio free ethernet
+telelpathstart 5010/tcp # TelepathStart
+telelpathstart 5010/udp # TelepathStart
+telelpathattack 5011/tcp # TelepathAttack
+telelpathattack 5011/udp # TelepathAttack
+asnaacceler8db 5042/tcp # asnaacceler8db
+asnaacceler8db 5042/udp # asnaacceler8db
+mmcc 5050/tcp # multimedia conference control tool
+mmcc 5050/udp # multimedia conference control tool
+sip 5060/tcp # SIP
+sip 5060/udp # SIP
+atmp 5150/tcp # Ascend Tunnel Management Protocol
+atmp 5150/udp # Ascend Tunnel Management Protocol
+aol 5190/tcp # America-Online
+aol 5190/udp # America-Online
+padl2sim 5236/tcp
+padl2sim 5236/udp
+pk 5272/tcp # PK
+pk 5272/udp # PK
+cfengine 5308/tcp # CFengine
+cfengine 5308/udp # CFengine
+jprinter 5309/tcp # J Printer
+jprinter 5309/udp # J Printer
+outlaws 5310/tcp # Outlaws
+outlaws 5310/udp # Outlaws
+tmlogin 5311/tcp # TM Login
+tmlogin 5311/udp # TM Login
+excerpt 5400/tcp # Excerpt Search
+excerpt 5400/udp # Excerpt Search
+excerpts 5401/tcp # Excerpt Search Secure
+excerpts 5401/udp # Excerpt Search Secure
+mftp 5402/tcp # MFTP
+mftp 5402/udp # MFTP
+netsupport 5405/tcp # NetSupport
+netsupport 5405/udp # NetSupport
+actnet 5411/tcp # ActNet
+actnet 5411/udp # ActNet
+continuus 5412/tcp # Continuus
+continuus 5412/udp # Continuus
+wwiotalk 5413/tcp # WWIOTALK
+wwiotalk 5413/udp # WWIOTALK
+statusd 5414/tcp # StatusD
+statusd 5414/udp # StatusD
+mcntp 5418/tcp # MCNTP
+mcntp 5418/udp # MCNTP
+esinstall 5599/tcp # Enterprise Security Remote Install
+esinstall 5599/udp # Enterprise Security Remote Install
+esmmanager 5600/tcp # Enterprise Security Manager
+esmmanager 5600/udp # Enterprise Security Manager
+esmagent 5601/tcp # Enterprise Security Agent
+esmagent 5601/udp # Enterprise Security Agent
+pcanywheredata 5631/tcp # pcANYWHEREdata
+pcanywheredata 5631/udp # pcANYWHEREdata
+pcanywherestat 5632/tcp # pcANYWHEREstat
+pcanywherestat 5632/udp # pcANYWHEREstat
+rrac 5678/tcp # Remote Replication Agent Connection
+rrac 5678/udp # Remote Replication Agent Connection
+dccm 5679/tcp # Direct Cable Connect Manager
+dccm 5679/udp # Direct Cable Connect Manager
+proshareaudio 5713/tcp # proshare conf audio
+proshareaudio 5713/udp # proshare conf audio
+prosharevideo 5714/tcp # proshare conf video
+prosharevideo 5714/udp # proshare conf video
+prosharedata 5715/tcp # proshare conf data
+prosharedata 5715/udp # proshare conf data
+prosharerequest 5716/tcp # proshare conf request
+prosharerequest 5716/udp # proshare conf request
+prosharenotify 5717/tcp # proshare conf notify
+prosharenotify 5717/udp # proshare conf notify
+openmail 5729/tcp # Openmail User Agent Layer
+openmail 5729/udp # Openmail User Agent Layer
+openmailg 5755/tcp # OpenMail Desk Gateway server
+openmailg 5755/udp # OpenMail Desk Gateway server
+x500ms 5757/tcp # OpenMail X.500 Directory Server
+x500ms 5757/udp # OpenMail X.500 Directory Server
+openmailns 5766/tcp # OpenMail NewMail Server
+openmailns 5766/udp # OpenMail NewMail Server
+openmailpxy 5768/tcp # OpenMail CMTS Server
+openmailpxy 5768/udp # OpenMail CMTS Server
+softcm 6110/tcp # HP SoftBench CM
+softcm 6110/udp # HP SoftBench CM
+spc 6111/tcp # HP SoftBench Sub-Process Control
+spc 6111/udp # HP SoftBench Sub-Process Control
+dtspcd 6112/tcp # dtspcd
+dtspcd 6112/udp # dtspcd
+crip 6253/tcp # CRIP
+crip 6253/udp # CRIP
+boks 6500/tcp # BoKS Master
+boks 6500/udp # BoKS Master
+xdsxdm 6558/tcp
+xdsxdm 6558/udp
+hnmp 6790/tcp # HNMP
+hnmp 6790/udp # HNMP
+jmact3 6961/tcp # JMACT3
+jmact3 6961/udp # JMACT3
+jmevt2 6962/tcp # jmevt2
+jmevt2 6962/udp # jmevt2
+swismgr1 6963/tcp # swismgr1
+swismgr1 6963/udp # swismgr1
+swismgr2 6964/tcp # swismgr2
+swismgr2 6964/udp # swismgr2
+swistrap 6965/tcp # swistrap
+swistrap 6965/udp # swistrap
+swispol 6966/tcp # swispol
+swispol 6966/udp # swispol
+acmsoda 6969/tcp # acmsoda
+acmsoda 6969/udp # acmsoda
+dpserve 7020/tcp # DP Serve
+dpserve 7020/udp # DP Serve
+dpserveadmin 7021/tcp # DP Serve Admin
+dpserveadmin 7021/udp # DP Serve Admin
+arcp 7070/tcp # ARCP
+arcp 7070/udp # ARCP
+clutild 7174/tcp # Clutild
+clutild 7174/udp # Clutild
+fodms 7200/tcp # FODMS FLIP
+fodms 7200/udp # FODMS FLIP
+dlip 7201/tcp # DLIP
+dlip 7201/udp # DLIP
+winqedit 7395/tcp # winqedit
+winqedit 7395/udp # winqedit
+pmdmgr 7426/tcp # OpenView DM Postmaster Manager
+pmdmgr 7426/udp # OpenView DM Postmaster Manager
+oveadmgr 7427/tcp # OpenView DM Event Agent Manager
+oveadmgr 7427/udp # OpenView DM Event Agent Manager
+ovladmgr 7428/tcp # OpenView DM Log Agent Manager
+ovladmgr 7428/udp # OpenView DM Log Agent Manager
+xmpv7 7430/tcp # OpenView DM xmpv7 api pipe
+xmpv7 7430/udp # OpenView DM xmpv7 api pipe
+pmd 7431/tcp # OpenView DM ovc/xmpv3 api pipe
+pmd 7431/udp # OpenView DM ovc/xmpv3 api pipe
+faximum 7437/tcp # Faximum
+faximum 7437/udp # Faximum
+pmdfmgt 7633/tcp # PMDF Management
+pmdfmgt 7633/udp # PMDF Management
+cbt 7777/tcp # cbt
+cbt 7777/udp # cbt
+supercell 7967/tcp # Supercell
+supercell 7967/udp # Supercell
+irdmi2 7999/tcp # iRDMI2
+irdmi2 7999/udp # iRDMI2
+irdmi 8000/tcp # iRDMI
+irdmi 8000/udp # iRDMI
+mindprint 8033/tcp # MindPrint
+mindprint 8033/udp # MindPrint
+trivnet1 8200/tcp # TRIVNET
+trivnet1 8200/udp # TRIVNET
+trivnet2 8201/tcp # TRIVNET
+trivnet2 8201/udp # TRIVNET
+cvd 8400/tcp # cvd
+cvd 8400/udp # cvd
+sabarsd 8401/tcp # sabarsd
+sabarsd 8401/udp # sabarsd
+abarsd 8402/tcp # abarsd
+abarsd 8402/udp # abarsd
+admind 8403/tcp # admind
+admind 8403/udp # admind
+npmp 8450/tcp # npmp
+npmp 8450/udp # npmp
+vp2p 8473/tcp # Virtual Point to Point
+vp2p 8473/udp # Virtual Point to Point
+ibus 8733/tcp # iBus
+ibus 8733/udp # iBus
+cslistener 9000/tcp # CSlistener
+cslistener 9000/udp # CSlistener
+sctp 9006/tcp # SCTP
+sctp 9006/udp # SCTP
+websm 9090/tcp # WebSM
+websm 9090/udp # WebSM
+guibase 9321/tcp # guibase
+guibase 9321/udp # guibase
+mpidcmgr 9343/tcp # MpIdcMgr
+mpidcmgr 9343/udp # MpIdcMgr
+fjdmimgr 9374/tcp # fjdmimgr
+fjdmimgr 9374/udp # fjdmimgr
+fjinvmgr 9396/tcp # fjinvmgr
+fjinvmgr 9396/udp # fjinvmgr
+mpidcagt 9397/tcp # MpIdcAgt
+mpidcagt 9397/udp # MpIdcAgt
+ismserver 9500/tcp # ismserver
+ismserver 9500/udp # ismserver
+man 9535/tcp
+man 9535/udp
+msgsys 9594/tcp # Message System
+msgsys 9594/udp # Message System
+pds 9595/tcp # Ping Discovery Service
+pds 9595/udp # Ping Discovery Service
+sd 9876/tcp # Session Director
+sd 9876/udp # Session Director
+monkeycom 9898/tcp # MonkeyCom
+monkeycom 9898/udp # MonkeyCom
+palace 9992/tcp # Palace
+palace 9992/udp # Palace
+palace 9993/tcp # Palace
+palace 9993/udp # Palace
+palace 9994/tcp # Palace
+palace 9994/udp # Palace
+palace 9995/tcp # Palace
+palace 9995/udp # Palace
+palace 9996/tcp # Palace
+palace 9996/udp # Palace
+palace 9997/tcp # Palace
+palace 9997/udp # Palace
+distinct32 9998/tcp # Distinct32
+distinct32 9998/udp # Distinct32
+distinct 9999/tcp # distinct
+distinct 9999/udp # distinct
+ndmp 10000/tcp # Network Data Management Protocol
+ndmp 10000/udp # Network Data Management Protocol
+amanda 10080/tcp # Amanda
+amanda 10080/udp # Amanda
+blocks 10288/tcp # Blocks
+blocks 10288/udp # Blocks
+irisa 11000/tcp # IRISA
+irisa 11000/udp # IRISA
+metasys 11001/tcp # Metasys
+metasys 11001/udp # Metasys
+vce 11111/tcp # Viral Computing Environment (VCE)
+vce 11111/udp # Viral Computing Environment (VCE)
+entextxid 12000/tcp # IBM Enterprise Extender SNA XID Exchange
+entextxid 12000/udp # IBM Enterprise Extender SNA XID Exchange
+entextnetwk 12001/tcp # IBM Enterprise Extender SNA COS Network Priority
+entextnetwk 12001/udp # IBM Enterprise Extender SNA COS Network Priority
+entexthigh 12002/tcp # IBM Enterprise Extender SNA COS High Priority
+entexthigh 12002/udp # IBM Enterprise Extender SNA COS High Priority
+entextmed 12003/tcp # IBM Enterprise Extender SNA COS Medium Priority
+entextmed 12003/udp # IBM Enterprise Extender SNA COS Medium Priority
+entextlow 12004/tcp # IBM Enterprise Extender SNA COS Low Priority
+entextlow 12004/udp # IBM Enterprise Extender SNA COS Low Priority
+tsaf 12753/tcp # tsaf port
+tsaf 12753/udp # tsaf port
+bprd 13720/tcp # BPRD Protocol (VERITAS NetBackup)
+bprd 13720/udp # BPRD Protocol (VERITAS NetBackup)
+bpbrm 13721/tcp # BPBRM Protocol (VERITAS NetBackup)
+bpbrm 13721/udp # BPBRM Protocol (VERITAS NetBackup)
+bpcd 13782/tcp # VERITAS NetBackup
+bpcd 13782/udp # VERITAS NetBackup
+vopied 13783/tcp # VOPIED Protocol
+vopied 13783/udp # VOPIED Protocol
+netserialext1 16360/tcp # netserialext1
+netserialext1 16360/udp # netserialext1
+netserialext2 16361/tcp # netserialext2
+netserialext2 16361/udp # netserialext2
+netserialext3 16367/tcp # netserialext3
+netserialext3 16367/udp # netserialext3
+netserialext4 16368/tcp # netserialext4
+netserialext4 16368/udp # netserialext4
+chipper 17219/tcp # Chipper
+chipper 17219/udp # Chipper
+biimenu 18000/tcp # Beckman Instruments, Inc.
+biimenu 18000/udp # Beckman Instruments, Inc.
+jcp 19541/tcp # JCP Client
+jcp 19541/udp # JCP Client
+dnp 20000/tcp # DNP
+dnp 20000/udp # DNP
+track 20670/tcp # Track
+track 20670/udp # Track
+webphone 21845/tcp # webphone
+webphone 21845/udp # webphone
+wnn6 22273/tcp # wnn6
+wnn6 22273/udp # wnn6
+quake 26000/tcp # quake
+quake 26000/udp # quake
+traceroute 33434/tcp # traceroute use
+traceroute 33434/udp # traceroute use
+kastenxpipe 36865/tcp # KastenX Pipe
+kastenxpipe 36865/udp # KastenX Pipe
+eba 45678/tcp # EBA PRISE
+eba 45678/udp # EBA PRISE
+dbbrowse 47557/tcp # Databeam Corporation
+dbbrowse 47557/udp # Databeam Corporation
+directplaysrvr 47624/tcp # Direct Play Server
+directplaysrvr 47624/udp # Direct Play Server
+ap 47806/tcp # ALC Protocol
+ap 47806/udp # ALC Protocol
+bacnet 47808/tcp # Building Automation and Control Networks
+bacnet 47808/udp # Building Automation and Control Networks
+nimcontroller 48000/tcp # Nimbus Controller
+nimcontroller 48000/udp # Nimbus Controller
+nimspooler 48001/tcp # Nimbus Spooler
+nimspooler 48001/udp # Nimbus Spooler
+nimhub 48002/tcp # Nimbus Hub
+nimhub 48002/udp # Nimbus Hub
+nimgtw 48003/tcp # Nimbus Gateway
+nimgtw 48003/udp # Nimbus Gateway
diff --git a/contrib/ipfilter/facpri.c b/contrib/ipfilter/facpri.c
new file mode 100644
index 0000000..510f3be
--- /dev/null
+++ b/contrib/ipfilter/facpri.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <limits.h>
+#include <sys/types.h>
+#if !defined(__SVR4) && !defined(__svr4__)
+#include <strings.h>
+#endif
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <syslog.h>
+#include "facpri.h"
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: facpri.c,v 1.2 1999/08/01 11:10:45 darrenr Exp $";
+#endif
+
+typedef struct table {
+ char *name;
+ int value;
+} table_t;
+
+table_t facs[] = {
+ { "kern", LOG_KERN }, { "user", LOG_USER },
+ { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
+ { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
+ { "lpr", LOG_LPR }, { "news", LOG_NEWS },
+ { "uucp", LOG_UUCP },
+#if LOG_CRON == LOG_CRON2
+ { "cron2", LOG_CRON1 },
+#else
+ { "cron", LOG_CRON1 },
+#endif
+#ifdef LOG_FTP
+ { "ftp", LOG_FTP },
+#endif
+#ifdef LOG_AUTHPRIV
+ { "authpriv", LOG_AUTHPRIV },
+#endif
+#ifdef LOG_AUDIT
+ { "audit", LOG_AUDIT },
+#endif
+#ifdef LOG_LFMT
+ { "logalert", LOG_LFMT },
+#endif
+#if LOG_CRON == LOG_CRON1
+ { "cron", LOG_CRON2 },
+#else
+ { "cron2", LOG_CRON2 },
+#endif
+ { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
+ { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
+ { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
+ { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
+ { NULL, 0 }
+};
+
+
+/*
+ * map a facility number to its name
+ */
+char *
+fac_toname(facpri)
+ int facpri;
+{
+ int i, j, fac;
+
+ fac = facpri & LOG_FACMASK;
+ j = fac >> 3;
+ if (j < 24) {
+ if (facs[j].value == fac)
+ return facs[j].name;
+ for (i = 0; facs[i].name; i++)
+ if (fac == facs[i].value)
+ return facs[i].name;
+ }
+
+ return NULL;
+}
+
+
+/*
+ * map a facility name to its number
+ */
+int
+fac_findname(name)
+ char *name;
+{
+ int i;
+
+ for (i = 0; facs[i].name; i++)
+ if (!strcmp(facs[i].name, name))
+ return facs[i].value;
+ return -1;
+}
+
+
+table_t pris[] = {
+ { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
+ { "crit", LOG_CRIT }, { "err", LOG_ERR },
+ { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
+ { "info", LOG_INFO }, { "debug", LOG_DEBUG },
+ { NULL, 0 }
+};
+
+
+/*
+ * map a priority name to its number
+ */
+int
+pri_findname(name)
+ char *name;
+{
+ int i;
+
+ for (i = 0; pris[i].name; i++)
+ if (!strcmp(pris[i].name, name))
+ return pris[i].value;
+ return -1;
+}
+
+
+/*
+ * map a priority number to its name
+ */
+char *
+pri_toname(facpri)
+ int facpri;
+{
+ int i, pri;
+
+ pri = facpri & LOG_PRIMASK;
+ if (pris[pri].value == pri)
+ return pris[pri].name;
+ for (i = 0; pris[i].name; i++)
+ if (pri == pris[i].value)
+ return pris[i].name;
+ return NULL;
+}
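Review bot: `fac_toname` can read past the end of `facs[]`: the shortcut `if (j < 24)` assumes the table always holds 24 named entries, but with the `LOG_FTP`, `LOG_AUTHPRIV`, `LOG_AUDIT` and `LOG_LFMT` entries conditionally compiled out the array holds as few as 19 named entries plus the NULL terminator, so `facs[j].value` for `j` in 20..23 is an out-of-bounds read. Bound the index by the real table size, `if (j < (int)(sizeof(facs) / sizeof(facs[0])) - 1 && facs[j].value == fac)` `return facs[j].name;`, and keep the linear scan as the fallback (or drop the shortcut altogether, since the index only lines up with the facility number when every optional entry is present). `pri_toname` is safe by comparison because `LOG_PRIMASK` keeps `pri` in 0..7 and `pris[]` always has eight named entries. `facs` and `pris` are only referenced inside this file, so both can be `static`, and `name` could be `const char *` since every entry points at a string literal.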
diff --git a/contrib/ipfilter/facpri.h b/contrib/ipfilter/facpri.h
new file mode 100644
index 0000000..d39a159
--- /dev/null
+++ b/contrib/ipfilter/facpri.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 1999 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ * $Id: facpri.h,v 1.2 1999/08/01 11:10:46 darrenr Exp $
+ */
+
+#ifndef __FACPRI_H__
+#define __FACPRI_H__
+
+#ifndef __P
+# define P_DEF
+# ifdef __STDC__
+# define __P(x) x
+# else
+# define __P(x) ()
+# endif
+#endif
+
+extern char *fac_toname __P((int));
+extern int fac_findname __P((char *));
+
+extern char *pri_toname __P((int));
+extern int pri_findname __P((char *));
+
+#ifdef P_DEF
+# undef __P
+# undef P_DEF
+#endif
+
+#if LOG_CRON == (9<<3)
+# define LOG_CRON1 LOG_CRON
+# define LOG_CRON2 (15<<3)
+#endif
+#if LOG_CRON == (15<<3)
+# define LOG_CRON1 (9<<3)
+# define LOG_CRON2 LOG_CRON
+#endif
+
+#endif /* __FACPRI_H__ */
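Review bot: The header is not self-contained: the `#if LOG_CRON == (9<<3)` / `#if LOG_CRON == (15<<3)` tests need `LOG_CRON` from `<syslog.h>`, which this header does not include, and when `LOG_CRON` is undefined at the point of inclusion both tests compare against `0`, so neither `LOG_CRON1` nor `LOG_CRON2` is defined. facpri.c happens to include `<syslog.h>` first, but any other includer that does not will only fail later, at the first use of `LOG_CRON1`. Add `#include <syslog.h>` above the tests and fail loudly when neither arm matches: `#ifndef LOG_CRON1` / `# error "unexpected LOG_CRON value"` / `#endif`.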
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index f2b19a5..e132388 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.7 1999/10/21 14:21:40 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -15,7 +15,17 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#include <sys/ioctl.h>
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
+ defined(_KERNEL)
+# include "opt_ipfilter_log.h"
+#endif
+#if defined(KERNEL) && defined(__FreeBSD_version) && \
+ (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fcntl.h>
+#else
+# include <sys/ioctl.h>
+#endif
#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
# include <sys/systm.h>
#else
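Review bot: The new FreeBSD branch at `#if defined(KERNEL) && defined(__FreeBSD_version)` keys on `KERNEL` alone, while the test immediately below it accepts `(defined(_KERNEL) || defined(KERNEL))` and the later hunks in this file use `_KERNEL`; if a kernel build defines only `_KERNEL`, this branch is skipped and `<sys/ioctl.h>` is pulled into the kernel instead of `<sys/filio.h>` and `<sys/fcntl.h>`. Use the same spelling as the neighbouring test, `#if (defined(_KERNEL) || defined(KERNEL)) && defined(__FreeBSD_version) && \`, or add a comment saying why `KERNEL` alone is intended here.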
@@ -30,8 +40,10 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30
# endif
#else
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
-# include <sys/stream.h>
+# if SOLARIS2 < 5
+# include <sys/dditypes.h>
+# endif
+# include <sys/stream.h>
#endif
#ifndef linux
# include <sys/protosw.h>
@@ -48,6 +60,10 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30
#ifndef linux
# include <netinet/ip_var.h>
#endif
+#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
+# include <sys/hashing.h>
+# include <netinet/in_var.h>
+#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
@@ -59,9 +75,16 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
+# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
+# endif
+# endif
#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
+# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
+#include "netinet/ipl.h"
#ifndef _KERNEL
# include "ipf.h"
@@ -74,14 +97,9 @@ extern int opts;
second; }
# define FR_VERBOSE(verb_pr) verbose verb_pr
# define FR_DEBUG(verb_pr) debug verb_pr
-# define SEND_RESET(ip, qif, if, m) send_reset(ip, if)
+# define SEND_RESET(ip, qif, if, m, fin) send_reset(ip, if)
# define IPLLOG(a, c, d, e) ipllog()
-# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
-# if SOLARIS
-# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
-# else
-# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
-# endif
+# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
#else /* #ifndef _KERNEL */
# define FR_IFVERBOSE(ex,second,verb_pr) ;
# define FR_IFDEBUG(ex,second,verb_pr) ;
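Review bot: The userland `SEND_RESET` at `# define SEND_RESET(ip, qif, if, m, fin)` now takes five parameters, while every `_KERNEL` definition in the next hunk (`SEND_RESET(ip, qif, if, fin)` in the Solaris, linux and BSD arms) takes four; a single call site cannot expand against both, so whichever build the shared call in `fr_check` (outside these hunks) was not written for fails with a macro argument-count error. Either drop the unused `m` here, `# define SEND_RESET(ip, qif, if, fin) send_reset(ip, if)`, or give the kernel variants the same arity, so the macro's shape does not depend on the build configuration.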
@@ -89,38 +107,25 @@ extern int opts;
# define FR_DEBUG(verb_pr)
# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
# if SOLARIS || defined(__sgi)
-extern kmutex_t ipf_mutex, ipf_auth;
+extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
+extern kmutex_t ipf_rw;
# endif
# if SOLARIS
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
ip, qif)
-# define SEND_RESET(ip, qif, if) send_reset(ip, qif)
-# define ICMP_ERROR(b, ip, t, c, if, src) \
- icmp_error(ip, t, c, if, src)
+# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip, qif)
+# define ICMP_ERROR(b, ip, t, c, if, dst) \
+ icmp_error(ip, t, c, if, dst)
# else /* SOLARIS */
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
# ifdef linux
-# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\
- ifp)
+# define SEND_RESET(ip, qif, if, fin) send_reset(ip, ifp)
+# define ICMP_ERROR(b, ip, t, c, if, dst) icmp_send(b,t,c,0,if)
# else
-# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip)
-# endif
-# ifdef __sgi
-# define ICMP_ERROR(b, ip, t, c, if, src) \
- icmp_error(b, t, c, if, src, if)
-# else
-# if BSD < 199103
-# ifdef linux
-# define ICMP_ERROR(b, ip, t, c, if, src) icmp_send(b,t,c,0,if)
-# else
-# define ICMP_ERROR(b, ip, t, c, if, src) \
- icmp_error(mtod(b, ip_t *), t, c, if, src)
-# endif /* linux */
-# else
-# define ICMP_ERROR(b, ip, t, c, if, src) \
- icmp_error(b, t, c, (src).s_addr, if)
-# endif /* BSD < 199103 */
-# endif /* __sgi */
+# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip)
+# define ICMP_ERROR(b, ip, t, c, if, dst) \
+ send_icmp_err(ip, t, c, if, dst)
+# endif /* linux */
# endif /* SOLARIS || __sgi */
#endif /* _KERNEL */
@@ -135,12 +140,12 @@ int fr_pass = FR_NOMATCH|FR_BLOCK;
#else
int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
#endif
+char ipfilter_version[] = IPL_VERSION;
fr_info_t frcache[2];
-static void fr_makefrip __P((int, ip_t *, fr_info_t *));
static int fr_tcpudpchk __P((frentry_t *, fr_info_t *));
-static int frflushlist __P((int, int, int *, frentry_t *, frentry_t **));
+static int frflushlist __P((int, minor_t, int *, frentry_t **));
/*
@@ -188,19 +193,19 @@ struct optlist secopt[8] = {
* compact the IP header into a structure which contains just the info.
* which is useful for comparing IP headers with.
*/
-static void fr_makefrip(hlen, ip, fin)
+void fr_makefrip(hlen, ip, fin)
int hlen;
ip_t *ip;
fr_info_t *fin;
{
struct optlist *op;
tcphdr_t *tcp;
- icmphdr_t *icmp;
fr_ip_t *fi = &fin->fin_fi;
u_short optmsk = 0, secmsk = 0, auth = 0;
int i, mv, ol, off;
u_char *s, opt;
+ fin->fin_rev = 0;
fin->fin_fr = NULL;
fin->fin_tcpf = 0;
fin->fin_data[0] = 0;
@@ -216,14 +221,13 @@ fr_info_t *fin;
fin->fin_hlen = hlen;
fin->fin_dlen = ip->ip_len - hlen;
tcp = (tcphdr_t *)((char *)ip + hlen);
- icmp = (icmphdr_t *)tcp;
fin->fin_dp = (void *)tcp;
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
- (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3));
- (*(((u_32_t *)fi) + 2)) = (*(((u_32_t *)ip) + 4));
+ fi->fi_src.s_addr = ip->ip_src.s_addr;
+ fi->fi_dst.s_addr = ip->ip_dst.s_addr;
fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
- off = (ip->ip_off & 0x1fff) << 3;
+ off = (ip->ip_off & IP_OFFMASK) << 3;
if (ip->ip_off & 0x3fff)
fi->fi_fl |= FI_FRAG;
switch (ip->ip_p)
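Review bot: The fragment test two lines below the new `IP_OFFMASK` line still uses the literal `0x3fff`, so one half of the pair is symbolic and the other is not. The literal is `IP_MF|IP_OFFMASK` from `<netinet/ip.h>`, and writing it that way, `if (ip->ip_off & (IP_MF|IP_OFFMASK))`, documents that a packet counts as a fragment when either the more-fragments flag or a non-zero offset is set. fr_makefrip's body continues outside this hunk.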
@@ -231,10 +235,12 @@ fr_info_t *fin;
case IPPROTO_ICMP :
{
int minicmpsz = sizeof(struct icmp);
+ icmphdr_t *icmp;
+
+ icmp = (icmphdr_t *)tcp;
- if (!off && ip->ip_len > ICMP_MINLEN + hlen &&
- (icmp->icmp_type == ICMP_ECHOREPLY ||
- icmp->icmp_type == ICMP_UNREACH))
+ if (!off && (icmp->icmp_type == ICMP_ECHOREPLY ||
+ icmp->icmp_type == ICMP_ECHO))
minicmpsz = ICMP_MINLEN;
if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
(off && off < sizeof(struct icmp)))
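Review bot: The rewritten condition at `if (!off && (icmp->icmp_type == ICMP_ECHOREPLY ||` dereferences `icmp->icmp_type` before any check that the packet carries ICMP bytes; the old form guarded the read with `ip->ip_len > ICMP_MINLEN + hlen`, and dropping that guard means a packet whose `ip_len` equals `hlen` has the first byte past its declared payload inspected. Restore a length test in front of the type comparison, `if (!off && ip->ip_len >= hlen + ICMP_MINLEN && (icmp->icmp_type == ICMP_ECHOREPLY || icmp->icmp_type == ICMP_ECHO))`; the short-packet check that follows still runs unchanged. fr_makefrip's body continues outside this hunk.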
@@ -267,8 +273,9 @@ getports:
}
- for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
- if (!(opt = *s))
+ for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen; ) {
+ opt = *s;
+ if (opt == '\0')
break;
ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
if (opt > 1 && (ol < 2 || ol > hlen))
@@ -397,7 +404,7 @@ fr_info_t *fin;
/*
* Match the flags ? If not, abort this match.
*/
- if (fr->fr_tcpf &&
+ if (fr->fr_tcpfm &&
fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
fr->fr_tcpfm, fr->fr_tcpf));
@@ -413,23 +420,24 @@ fr_info_t *fin;
* kernel sauce.
*/
int fr_scanlist(pass, ip, fin, m)
-int pass;
+u_32_t pass;
ip_t *ip;
register fr_info_t *fin;
void *m;
{
register struct frentry *fr;
register fr_ip_t *fi = &fin->fin_fi;
- int rulen, portcmp = 0, off, skip = 0;
+ int rulen, portcmp = 0, off, skip = 0, logged = 0;
+ u_32_t passt;
fr = fin->fin_fr;
fin->fin_fr = NULL;
fin->fin_rule = 0;
fin->fin_group = 0;
- off = ip->ip_off & 0x1fff;
+ off = ip->ip_off & IP_OFFMASK;
pass |= (fi->fi_fl << 24);
- if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
+ if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
portcmp = 1;
for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
@@ -444,8 +452,16 @@ void *m;
* check that we are working for the right interface
*/
#ifdef _KERNEL
- if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
- continue;
+# if BSD >= 199306
+ if (fin->fin_out != 0) {
+ if ((fr->fr_oifa &&
+ fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif) ||
+ (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp))
+ continue;
+ } else
+# endif
+ if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
+ continue;
#else
if (opts & (OPT_VERBOSE|OPT_DEBUG))
printf("\n");
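Review bot: The `} else` closing the new `BSD >= 199306` block pairs with the pre-existing `if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)` on the far side of `# endif`, so the control structure is only visible when both preprocessor arms are read together, and a later edit that inserts a statement before that `if` would silently make it unconditional. Putting the fallback inside its own `# else` arm of the same conditional (repeating the two-line `if`/`continue`) keeps each arm a complete statement. The outbound branch also dereferences `((mb_t *)m)->m_pkthdr.rcvif`, which presumes `m` is non-NULL and carries a packet header; that appears to hold for chains handed over by `ip_output`, but a comment stating the assumption, `/* outbound: m is the ip_output chain and has M_PKTHDR */`, would make the dependency explicit. fr_scanlist's body continues outside this hunk.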
@@ -465,10 +481,12 @@ void *m;
i = ((lip[0] & lm[0]) != ld[0]);
FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
lip[0], lm[0], ld[0]));
- i |= ((lip[1] & lm[1]) != ld[1]) << 21;
+ i |= ((lip[1] & lm[1]) != ld[1]) << 19;
+ i ^= (fr->fr_flags & FR_NOTSRCIP);
FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
lip[1], lm[1], ld[1]));
- i |= ((lip[2] & lm[2]) != ld[2]) << 22;
+ i |= ((lip[2] & lm[2]) != ld[2]) << 20;
+ i ^= (fr->fr_flags & FR_NOTDSTIP);
FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
lip[2], lm[2], ld[2]));
i |= ((lip[3] & lm[3]) != ld[3]);
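Review bot: The new shift amounts `<< 19` and `<< 20` are only correct if `FR_NOTSRCIP` and `FR_NOTDSTIP` occupy exactly bits 19 and 20 of `fr_flags`, because the `i ^= (fr->fr_flags & FR_NOTSRCIP)` lines that follow rely on the XOR landing on the same bit as the mismatch; nothing in this file pins that relationship. Tie the mismatch bit to the flag directly, `i |= ((lip[1] & lm[1]) != ld[1]) ? FR_NOTSRCIP : 0;` and likewise `? FR_NOTDSTIP : 0` for `lip[2]`, or at least add `/* bit 19 == FR_NOTSRCIP, bit 20 == FR_NOTDSTIP: the XOR below inverts the match */` at the first shift. fr_scanlist's body continues outside this hunk.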
@@ -477,7 +495,6 @@ void *m;
i |= ((lip[4] & lm[4]) != ld[4]);
FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
lip[4], lm[4], ld[4]));
- i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
if (i)
continue;
}
@@ -507,26 +524,29 @@ void *m;
/*
* Just log this packet...
*/
- if (!(skip = fr->fr_skip))
- pass = fr->fr_flags;
- if ((pass & FR_CALLNOW) && fr->fr_func)
- pass = (*fr->fr_func)(pass, ip, fin);
+ passt = fr->fr_flags;
+ if ((passt & FR_CALLNOW) && fr->fr_func)
+ passt = (*fr->fr_func)(passt, ip, fin);
+ fin->fin_fr = fr;
#ifdef IPFILTER_LOG
- if ((pass & FR_LOGMASK) == FR_LOG) {
- if (!IPLLOG(fr->fr_flags, ip, fin, m))
- frstats[fin->fin_out].fr_skip++;
- frstats[fin->fin_out].fr_pkl++;
+ if ((passt & FR_LOGMASK) == FR_LOG) {
+ if (!IPLLOG(passt, ip, fin, m)) {
+ ATOMIC_INC(frstats[fin->fin_out].fr_skip);
+ }
+ ATOMIC_INC(frstats[fin->fin_out].fr_pkl);
+ logged = 1;
}
#endif /* IPFILTER_LOG */
+ if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
+ pass = passt;
FR_DEBUG(("pass %#x\n", pass));
- fr->fr_hits++;
+ ATOMIC_INC(fr->fr_hits);
if (pass & FR_ACCOUNT)
fr->fr_bytes += (U_QUAD_T)ip->ip_len;
else
fin->fin_icode = fr->fr_icode;
fin->fin_rule = rulen;
fin->fin_group = fr->fr_group;
- fin->fin_fr = fr;
if (fr->fr_grp) {
fin->fin_fr = fr->fr_grp;
pass = fr_scanlist(pass, ip, fin, m);
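Review bot: `fr->fr_hits` is now bumped with ATOMIC_INC, but `fr->fr_bytes += (U_QUAD_T)ip->ip_len;` two lines later is still a plain read-modify-write on the same shared rule, and fr_check (later in this diff) calls fr_scanlist holding only `READ_ENTER(&ipf_mutex)`, so concurrent packets hitting one accounting rule can lose byte counts. Give it the same treatment — an atomic add if the lock macros offer one, otherwise `MUTEX_ENTER(&ipf_rw)`/`MUTEX_EXIT(&ipf_rw)` around the update as frflushlist does for `fr_ref` — or document that the byte counter is best-effort. Separately, `fin->fin_icode = fr->fr_icode` living in the `else` of `if (pass & FR_ACCOUNT)` reads like an accident and wants a one-line comment if it is deliberate. fr_scanlist continues past this hunk.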
@@ -535,17 +555,21 @@ void *m;
fin->fin_group = fr->fr_group;
fin->fin_fr = fr;
}
+ if (pass & FR_DONTCACHE)
+ logged = 1;
}
if (pass & FR_QUICK)
break;
}
+ if (logged)
+ pass |= FR_DONTCACHE;
return pass;
}
/*
* frcheck - filter check
- * check using source and destination addresses/pors in a packet whether
+ * check using source and destination addresses/ports in a packet whether
* or not to pass it on or not.
*/
int fr_check(ip, hlen, ifp, out
@@ -567,7 +591,8 @@ int out;
fr_info_t frinfo, *fc;
register fr_info_t *fin = &frinfo;
frentry_t *fr = NULL;
- int pass, changed, apass, error = EHOSTUNREACH;
+ int changed, error = EHOSTUNREACH;
+ u_32_t pass, apass;
#if !SOLARIS || !defined(_KERNEL)
register mb_t *m = *mp;
#endif
@@ -580,70 +605,78 @@ int out;
# endif
int up;
-#ifdef M_CANFASTFWD
+# ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
* XXX are mutually exclusive. Eventually, IP Filter should
* XXX get a "can-fast-forward" filter rule.
*/
m->m_flags &= ~M_CANFASTFWD;
-#endif /* M_CANFASTFWD */
+# endif /* M_CANFASTFWD */
if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
ip->ip_p == IPPROTO_ICMP)) {
int plen = 0;
- switch(ip->ip_p)
- {
- case IPPROTO_TCP:
- plen = sizeof(tcphdr_t);
- break;
- case IPPROTO_UDP:
- plen = sizeof(udphdr_t);
- break;
- case IPPROTO_ICMP:
+ if ((ip->ip_off & IP_OFFMASK) == 0)
+ switch(ip->ip_p)
+ {
+ case IPPROTO_TCP:
+ plen = sizeof(tcphdr_t);
+ break;
+ case IPPROTO_UDP:
+ plen = sizeof(udphdr_t);
+ break;
/* 96 - enough for complete ICMP error IP header */
- plen = sizeof(struct icmp) + sizeof(ip_t) + 8;
- break;
- }
+ case IPPROTO_ICMP:
+ plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
+ break;
+ }
up = MIN(hlen + plen, ip->ip_len);
if (up > m->m_len) {
-#ifdef __sgi /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
+# ifdef __sgi
+ /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
- frstats[out].fr_pull[1]++;
+ ATOMIC_INC(frstats[out].fr_pull[1]);
return -1;
}
m_copydata(m, 0, up, hbuf);
- frstats[out].fr_pull[0]++;
+ ATOMIC_INC(frstats[out].fr_pull[0]);
ip = (ip_t *)hbuf;
-#else
-# ifndef linux
+# else /* __ sgi */
+# ifndef linux
if ((*mp = m_pullup(m, up)) == 0) {
- frstats[out].fr_pull[1]++;
+ ATOMIC_INC(frstats[out].fr_pull[1]);
return -1;
} else {
- frstats[out].fr_pull[0]++;
+ ATOMIC_INC(frstats[out].fr_pull[0]);
m = *mp;
ip = mtod(m, ip_t *);
}
-# endif
-#endif
+# endif /* !linux */
+# endif /* __sgi */
} else
up = 0;
} else
up = 0;
-# endif
+# endif /* !defined(__SVR4) && !defined(__svr4__) */
# if SOLARIS
mb_t *m = qif->qf_m;
+
+ if ((u_int)ip & 0x3)
+ return 2;
+ fin->fin_qfm = m;
+ fin->fin_qif = qif;
# endif
-#endif
+#endif /* _KERNEL */
fr_makefrip(hlen, ip, fin);
fin->fin_ifp = ifp;
fin->fin_out = out;
fin->fin_mp = mp;
+ pass = fr_pass;
- MUTEX_ENTER(&ipf_mutex);
+ READ_ENTER(&ipf_mutex);
/*
* Check auth now. This, combined with the check below to see if apass
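Review bot: The new Solaris alignment guard `if ((u_int)ip & 0x3) return 2;` casts a pointer to `u_int`, whereas the checksum code later in this diff tests alignment with `(u_long)sp & 1`; the low bits survive the truncation, but on a 64-bit kernel the narrowing cast is at least a warning and the two idioms should agree (`(u_long)ip & 0x3`). The bare `return 2` is also a magic value — a short comment saying what the caller does with it would help. Smaller: the comment `/* 96 - enough for complete ICMP error IP header */` now sits between the UDP `break;` and the `case IPPROTO_ICMP:` label it describes, and no longer matches the `ICMPERR_MAXPKTLEN - sizeof(ip_t)` expression it annotates. fr_check's body starts and ends outside this hunk.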
@@ -655,14 +688,15 @@ int out;
apass = fr_checkauth(ip, fin);
if (!out) {
- changed = ip_natin(ip, hlen, fin);
+ changed = ip_natin(ip, fin);
if (!apass && (fin->fin_fr = ipacct[0][fr_active]) &&
- (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
- frstats[0].fr_acct++;
+ (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
+ ATOMIC_INC(frstats[0].fr_acct);
+ }
}
- if (apass || (!(pass = ipfr_knownfrag(ip, fin)) &&
- !(pass = fr_checkstate(ip, fin)))) {
+ if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
+ !(fr = fr_checkstate(ip, fin)))) {
/*
* If a packet is found in the auth table, then skip checking
* the access lists for permission but we do need to consider
@@ -676,19 +710,20 @@ int out;
* earlier.
*/
bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
- frstats[out].fr_chit++;
+ ATOMIC_INC(frstats[out].fr_chit);
if ((fr = fin->fin_fr)) {
- fr->fr_hits++;
+ ATOMIC_INC(fr->fr_hits);
pass = fr->fr_flags;
- } else
- pass = fr_pass;
+ }
} else {
- pass = fr_pass;
if ((fin->fin_fr = ipfilter[out][fr_active]))
- pass = FR_SCANLIST(fr_pass, ip, fin, m);
- bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
- if (pass & FR_NOMATCH)
- frstats[out].fr_nom++;
+ pass = fr_scanlist(fr_pass, ip, fin, m);
+ if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
+ bcopy((char *)fin, (char *)fc,
+ FI_COPYSIZE);
+ if (pass & FR_NOMATCH) {
+ ATOMIC_INC(frstats[out].fr_nom);
+ }
}
fr = fin->fin_fr;
} else
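Review bot: The rule cache is written with `bcopy((char *)fin, (char *)fc, FI_COPYSIZE)` while the caller holds only `READ_ENTER(&ipf_mutex)` (taken earlier in this diff), so two packets hashing to the same `fc` slot can interleave their copies and a third packet's `bcopy((char *)fc, (char *)fin, ...)` hit path in this hunk may read a torn entry — unless frcache has its own lock that is not visible here. If the shared lock is meant to cover it, a comment stating that assumption belongs next to the bcopy; otherwise the update wants `MUTEX_ENTER(&ipf_rw)`/`MUTEX_EXIT(&ipf_rw)` (or a per-slot lock) around both copies. fr_check's body starts and ends outside this hunk.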
@@ -708,30 +743,39 @@ int out;
#endif
if (pass & FR_PREAUTH) {
- MUTEX_ENTER(&ipf_auth);
+ READ_ENTER(&ipf_auth);
if ((fin->fin_fr = ipauth) &&
- (pass = FR_SCANLIST(0, ip, fin, m)))
- fr_authstats.fas_hits++;
- else
- fr_authstats.fas_miss++;
- MUTEX_EXIT(&ipf_auth);
+ (pass = fr_scanlist(0, ip, fin, m))) {
+ ATOMIC_INC(fr_authstats.fas_hits);
+ } else {
+ ATOMIC_INC(fr_authstats.fas_miss);
+ }
+ RWLOCK_EXIT(&ipf_auth);
}
- if (pass & FR_KEEPFRAG) {
+ fin->fin_fr = fr;
+ if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_fi.fi_fl & FI_FRAG) {
- if (ipfr_newfrag(ip, fin, pass) == -1)
- frstats[out].fr_bnfr++;
- else
- frstats[out].fr_nfr++;
- } else
- frstats[out].fr_cfr++;
+ if (ipfr_newfrag(ip, fin, pass) == -1) {
+ ATOMIC_INC(frstats[out].fr_bnfr);
+ } else {
+ ATOMIC_INC(frstats[out].fr_nfr);
+ }
+ } else {
+ ATOMIC_INC(frstats[out].fr_cfr);
+ }
}
if (pass & FR_KEEPSTATE) {
- if (fr_addstate(ip, fin, pass) == -1)
- frstats[out].fr_bads++;
- else
- frstats[out].fr_ads++;
+ if (fr_addstate(ip, fin, 0) == NULL) {
+ ATOMIC_INC(frstats[out].fr_bads);
+ } else {
+ ATOMIC_INC(frstats[out].fr_ads);
+ }
}
+ } else if (fr != NULL) {
+ pass = fr->fr_flags;
+ if (pass & FR_LOGFIRST)
+ pass &= ~(FR_LOGFIRST|FR_LOG);
}
if (fr && fr->fr_func && !(pass & FR_CALLNOW))
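Review bot: The new condition `(pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG` means a rule with both `keep frags` and `keep state` no longer registers the fragment with ipfr_newfrag, a behaviour change nothing in the hunk explains. Presumably state tracking is expected to cover the fragments, but a reader cannot tell, so add `/* keep state supersedes keep frags: fragments of a stateful flow are handled by the state entry, not the fragment table */` (or the real reason) above the test. Related: `fr_addstate(ip, fin, 0)` now passes 0 where `pass` used to go and relies on the `fin->fin_fr = fr` assigned just above — worth a comment too. fr_check's body starts and ends outside this hunk.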
@@ -743,34 +787,35 @@ int out;
*/
if (out && (pass & FR_PASS)) {
if ((fin->fin_fr = ipacct[1][fr_active]) &&
- (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
- frstats[1].fr_acct++;
- fin->fin_fr = NULL;
- changed = ip_natout(ip, hlen, fin);
- }
- fin->fin_fr = fr;
- MUTEX_EXIT(&ipf_mutex);
+ (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
+ ATOMIC_INC(frstats[1].fr_acct);
+ }
+ fin->fin_fr = fr;
+ changed = ip_natout(ip, fin);
+ } else
+ fin->fin_fr = fr;
+ RWLOCK_EXIT(&ipf_mutex);
#ifdef IPFILTER_LOG
if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
pass |= FF_LOGNOMATCH;
- frstats[out].fr_npkl++;
+ ATOMIC_INC(frstats[out].fr_npkl);
goto logit;
} else if (((pass & FR_LOGMASK) == FR_LOGP) ||
((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
if ((pass & FR_LOGMASK) != FR_LOGP)
pass |= FF_LOGPASS;
- frstats[out].fr_ppkl++;
+ ATOMIC_INC(frstats[out].fr_ppkl);
goto logit;
} else if (((pass & FR_LOGMASK) == FR_LOGB) ||
((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
if ((pass & FR_LOGMASK) != FR_LOGB)
pass |= FF_LOGBLOCK;
- frstats[out].fr_bpkl++;
+ ATOMIC_INC(frstats[out].fr_bpkl);
logit:
if (!IPLLOG(pass, ip, fin, m)) {
- frstats[out].fr_skip++;
+ ATOMIC_INC(frstats[out].fr_skip);
if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
(FR_PASS|FR_LOGORBLOCK))
pass ^= FR_PASS|FR_BLOCK;
@@ -795,10 +840,10 @@ logit:
# endif
# endif
#endif
- if (pass & FR_PASS)
- frstats[out].fr_pass++;
- else if (pass & FR_BLOCK) {
- frstats[out].fr_block++;
+ if (pass & FR_PASS) {
+ ATOMIC_INC(frstats[out].fr_pass);
+ } else if (pass & FR_BLOCK) {
+ ATOMIC_INC(frstats[out].fr_block);
/*
* Should we return an ICMP packet to indicate error
* status passing through the packet filter ?
@@ -810,29 +855,37 @@ logit:
if (!out) {
#ifdef _KERNEL
if (pass & FR_RETICMP) {
+ struct in_addr dst;
+
+ if ((pass & FR_RETMASK) == FR_FAKEICMP)
+ dst = ip->ip_dst;
+ else
+ dst.s_addr = 0;
# if SOLARIS
ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
- qif, ip->ip_src);
+ qif, dst);
# else
ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
- ifp, ip->ip_src);
- m = *mp = NULL; /* freed by icmp_error() */
+ ifp, dst);
# endif
-
- frstats[0].fr_ret++;
- } else if ((pass & FR_RETRST) &&
+ ATOMIC_INC(frstats[0].fr_ret);
+ } else if (((pass & FR_RETMASK) == FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (SEND_RESET(ip, qif, ifp) == 0)
- frstats[1].fr_ret++;
+ if (SEND_RESET(ip, qif, ifp, fin) == 0) {
+ ATOMIC_INC(frstats[1].fr_ret);
+ }
}
#else
- if (pass & FR_RETICMP) {
+ if ((pass & FR_RETMASK) == FR_RETICMP) {
verbose("- ICMP unreachable sent\n");
- frstats[0].fr_ret++;
- } else if ((pass & FR_RETRST) &&
+ ATOMIC_INC(frstats[0].fr_ret);
+ } else if ((pass & FR_RETMASK) == FR_FAKEICMP) {
+ verbose("- forged ICMP unreachable sent\n");
+ ATOMIC_INC(frstats[0].fr_ret);
+ } else if (((pass & FR_RETMASK) == FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
verbose("- TCP RST sent\n");
- frstats[1].fr_ret++;
+ ATOMIC_INC(frstats[1].fr_ret);
}
#endif
} else {
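Review bot: The BSD branch drops the `m = *mp = NULL; /* freed by icmp_error() */` that followed ICMP_ERROR, yet the rest of fr_check (the fastroute and m_copyback code later in this diff) still operates on `m` and the caller presumably still owns `*mp`; unless the ICMP_ERROR macro was changed to work on a copy, this leaves a freed mbuf in use. Either restore the two assignments or put a comment on the ICMP_ERROR line stating that the macro no longer consumes `m`. The FR_FAKEICMP path also hands `ip->ip_dst` where `ip->ip_src` used to go — presumably the address the reply is sent from — which is a deliberate spoof and should say so in a comment. fr_check's body starts and ends outside this hunk.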
@@ -854,10 +907,10 @@ logit:
if (fr) {
frdest_t *fdp = &fr->fr_tif;
- if ((pass & FR_FASTROUTE) ||
+ if (((pass & FR_FASTROUTE) && !out) ||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- ipfr_fastroute(m, fin, fdp);
- m = *mp = NULL;
+ if (ipfr_fastroute(m, fin, fdp) == 0)
+ m = *mp = NULL;
}
if (mc)
ipfr_fastroute(mc, fin, &fr->fr_dif);
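Review bot: The return of `ipfr_fastroute(m, fin, fdp)` is now honoured so `m` is released only when the send succeeded, but the dup-to call `ipfr_fastroute(mc, fin, &fr->fr_dif)` two lines below still ignores its result; if that call fails the same way, `mc` is neither sent nor freed here and nothing in the hunk frees it afterwards. Mirror the check: `if (mc && ipfr_fastroute(mc, fin, &fr->fr_dif) != 0) m_freem(mc);` — assuming a non-zero return means the mbuf was not consumed, which the hunk does not show. fr_check's body starts and ends outside this hunk.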
@@ -869,21 +922,20 @@ logit:
m_copyback(m, 0, up, hbuf);
# endif
# endif /* !linux */
- return (pass & FR_PASS) ? 0 : error;
# else /* !SOLARIS */
if (fr) {
frdest_t *fdp = &fr->fr_tif;
- if ((pass & FR_FASTROUTE) ||
+ if (((pass & FR_FASTROUTE) && !out) ||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- ipfr_fastroute(qif, ip, m, mp, fin, fdp);
- m = *mp = NULL;
+ if (ipfr_fastroute(qif, ip, m, mp, fin, fdp) == 0)
+ m = *mp = NULL;
}
if (mc)
ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
}
- return (pass & FR_PASS) ? changed : error;
# endif /* !SOLARIS */
+ return (pass & FR_PASS) ? 0 : error;
#else /* _KERNEL */
if (pass & FR_NOMATCH)
return 1;
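Review bot: On the Solaris path the return is unified to `return (pass & FR_PASS) ? 0 : error;`, so the `changed` value produced by ip_natin/ip_natout earlier in this diff is no longer reported to the caller there; if the Solaris caller used it to decide whether to recompute checksums that information is now lost, and if not, `changed` is a dead store on that platform. A comment on the return explaining why both platforms now return 0 on pass would stop the next reader from re-adding it. The same unchecked `ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif)` for the dup-to copy as on the BSD side applies here. fr_check starts outside this hunk.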
@@ -928,76 +980,92 @@ register int len;
* and the TCP header. We also assume that data blocks aren't allocated in
* odd sizes.
*/
-u_short fr_tcpsum(m, ip, tcp, len)
+u_short fr_tcpsum(m, ip, tcp)
mb_t *m;
ip_t *ip;
tcphdr_t *tcp;
-int len;
+{
+ u_short *sp, slen, ts;
+ u_int sum, sum2;
+ int hlen;
+
+ /*
+ * Add up IP Header portion
+ */
+ hlen = ip->ip_hl << 2;
+ slen = ip->ip_len - hlen;
+ sum = htons((u_short)ip->ip_p);
+ sum += htons(slen);
+ sp = (u_short *)&ip->ip_src;
+ sum += *sp++; /* ip_src */
+ sum += *sp++;
+ sum += *sp++; /* ip_dst */
+ sum += *sp++;
+ ts = tcp->th_sum;
+ tcp->th_sum = 0;
+#ifdef KERNEL
+# if SOLARIS
+ sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ sum2 = ~sum2 & 0xffff;
+# else /* SOLARIS */
+# if defined(BSD) || defined(sun)
+# if BSD >= 199306
+ m->m_data += hlen;
+# else
+ m->m_off += hlen;
+# endif
+ m->m_len -= hlen;
+ sum2 = in_cksum(m, slen);
+ m->m_len += hlen;
+# if BSD >= 199306
+ m->m_data -= hlen;
+# else
+ m->m_off -= hlen;
+# endif
+ /*
+ * Both sum and sum2 are partial sums, so combine them together.
+ */
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum = ~sum & 0xffff;
+ sum2 += sum;
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+# else /* defined(BSD) || defined(sun) */
{
union {
u_char c[2];
u_short s;
} bytes;
- u_32_t sum;
- u_short *sp;
-# if SOLARIS || defined(__sgi)
- int add, hlen;
-# endif
-
-# if SOLARIS
- /* skip any leading M_PROTOs */
- while(m && (MTYPE(m) != M_DATA))
- m = m->b_cont;
- PANIC((!m),("fr_tcpsum: no M_DATA"));
+ u_short len = ip->ip_len;
+# if defined(__sgi)
+ int add;
# endif
/*
* Add up IP Header portion
*/
- bytes.c[0] = 0;
- bytes.c[1] = IPPROTO_TCP;
- len -= (ip->ip_hl << 2);
- sum = bytes.s;
- sum += htons((u_short)len);
sp = (u_short *)&ip->ip_src;
+ len -= (ip->ip_hl << 2);
+ sum = ntohs(IPPROTO_TCP);
+ sum += htons(len);
+ sum += *sp++; /* ip_src */
sum += *sp++;
- sum += *sp++;
- sum += *sp++;
+ sum += *sp++; /* ip_dst */
sum += *sp++;
if (sp != (u_short *)tcp)
sp = (u_short *)tcp;
+ sum += *sp++; /* sport */
+ sum += *sp++; /* dport */
+ sum += *sp++; /* seq */
sum += *sp++;
+ sum += *sp++; /* ack */
sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp;
- sp += 2; /* Skip over checksum */
- sum += *sp++;
+ sum += *sp++; /* off */
+ sum += *sp++; /* win */
+ sum += *sp++; /* Skip over checksum */
+ sum += *sp++; /* urp */
-#if SOLARIS
- /*
- * In case we had to copy the IP & TCP header out of mblks,
- * skip over the mblk bits which are the header
- */
- if ((caddr_t)ip != (caddr_t)m->b_rptr) {
- hlen = (caddr_t)sp - (caddr_t)ip;
- while (hlen) {
- add = MIN(hlen, m->b_wptr - m->b_rptr);
- sp = (u_short *)((caddr_t)m->b_rptr + add);
- hlen -= add;
- if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
- m = m->b_cont;
- PANIC((!m),("fr_tcpsum: not enough data"));
- if (!hlen)
- sp = (u_short *)m->b_rptr;
- }
- }
- }
-#endif
-#ifdef __sgi
+# ifdef __sgi
/*
* In case we had to copy the IP & TCP header out of mbufs,
* skip over the mbuf bits which are the header
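Review bot: In the new BSD/Solaris checksum path `slen = ip->ip_len - hlen;` is an unsigned 16-bit subtraction with no check that `ip_len >= hlen`, so a malformed packet whose IP length is smaller than its header length yields a huge `slen` that goes into `in_cksum(m, slen)` and the pseudo-header and walks off the end of the mbuf chain. If fr_check or its caller already rejects such packets a comment here should say so; otherwise guard before the subtraction with `if (ip->ip_len < hlen) return 0;` (or whichever value the callers treat as a mismatch — not visible here). The function also switches on `#ifdef KERNEL` while the rest of this file uses `_KERNEL` (e.g. the interface check hunk above), which looks like a portability trap. fr_tcpsum continues into the next hunk.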
@@ -1008,52 +1076,57 @@ int len;
add = MIN(hlen, m->m_len);
sp = (u_short *)(mtod(m, caddr_t) + add);
hlen -= add;
- if (add >= m->m_len) {
+ if (add == m->m_len) {
m = m->m_next;
- PANIC((!m),("fr_tcpsum: not enough data"));
- if (!hlen)
+ if (!hlen) {
+ if (!m)
+ break;
sp = mtod(m, u_short *);
+ }
+ PANIC((!m),("fr_tcpsum(1): not enough data"));
}
}
}
-#endif
+# endif
if (!(len -= sizeof(*tcp)))
goto nodata;
- while (len > 0) {
-#if SOLARIS
- while ((caddr_t)sp >= (caddr_t)m->b_wptr) {
- m = m->b_cont;
- PANIC((!m),("fr_tcpsum: not enough data"));
- sp = (u_short *)m->b_rptr;
+ while (len > 1) {
+ if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
+ m = m->m_next;
+ PANIC((!m),("fr_tcpsum(2): not enough data"));
+ sp = mtod(m, u_short *);
}
-#else
- while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
- {
+ if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
+ bytes.c[0] = *(u_char *)sp;
m = m->m_next;
- PANIC((!m),("fr_tcpsum: not enough data"));
+ PANIC((!m),("fr_tcpsum(3): not enough data"));
sp = mtod(m, u_short *);
+ bytes.c[1] = *(u_char *)sp;
+ sum += bytes.s;
+ sp = (u_short *)((u_char *)sp + 1);
}
-#endif /* SOLARIS */
- if (len < 2)
- break;
- if((u_32_t)sp & 1) {
+ if ((u_long)sp & 1) {
bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
sum += bytes.s;
} else
sum += *sp++;
len -= 2;
}
- if (len) {
- bytes.c[1] = 0;
- bytes.c[0] = *(u_char *)sp;
- sum += bytes.s;
- }
+ if (len)
+ sum += ntohs(*(u_char *)sp << 8);
nodata:
- sum = (sum >> 16) + (sum & 0xffff);
- sum += (sum >> 16);
- sum = (u_short)((~sum) & 0xffff);
- return sum;
+ while (sum > 0xffff)
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum2 = (u_short)(~sum & 0xffff);
+}
+# endif /* defined(BSD) || defined(sun) */
+# endif /* SOLARIS */
+#else /* KERNEL */
+ sum2 = 0;
+#endif /* KERNEL */
+ tcp->th_sum = ts;
+ return sum2;
}
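Review bot: In the generic (non-BSD, non-Solaris) loop, the mbuf-boundary case that builds a word from the last byte of one mbuf and the first byte of the next adds `bytes.s` to `sum` and advances `sp` by one byte, but then falls straight into the aligned/unaligned read below, which consumes two more bytes and is the only place that does `len -= 2`; the two straddling bytes are never subtracted from `len`, so every boundary crossing makes the loop sum two bytes past the TCP segment or trip the `fr_tcpsum(2)` panic at the end of the chain. Finish the iteration inside that branch: after `sp = (u_short *)((u_char *)sp + 1);` add `len -= 2;` and `continue;`. This only affects the path compiled for platforms other than BSD/sun and Solaris, which use in_cksum/ip_cksum above. fr_tcpsum starts outside this hunk.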
@@ -1091,7 +1164,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $
+ * $Id: fil.c,v 2.3.2.7 1999/10/21 14:21:40 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1191,9 +1264,10 @@ out:
frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
-u_short num;
+u_int num;
u_32_t flags;
-int which, set;
+minor_t which;
+int set;
frgroup_t ***fgpp;
{
frgroup_t *fg, **fgp;
@@ -1206,6 +1280,7 @@ frgroup_t ***fgpp;
fgp = &ipfgroups[0][set];
else
return NULL;
+ num &= 0xffff;
while ((fg = *fgp))
if (fg->fg_num == num)
@@ -1219,18 +1294,19 @@ frgroup_t ***fgpp;
frgroup_t *fr_addgroup(num, fp, which, set)
-u_short num;
+u_int num;
frentry_t *fp;
-int which, set;
+minor_t which;
+int set;
{
frgroup_t *fg, **fgp;
if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
return fg;
- KMALLOC(fg, frgroup_t *, sizeof(*fg));
+ KMALLOC(fg, frgroup_t *);
if (fg) {
- fg->fg_num = num;
+ fg->fg_num = num & 0xffff;
fg->fg_next = *fgp;
fg->fg_head = fp;
fg->fg_start = &fp->fr_grp;
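Review bot: `fg->fg_num = num & 0xffff;` (and the matching `num &= 0xffff` in fr_findgroup just above) silently folds group numbers above 65535 onto existing ones, so a rule written for group 65537 would attach to group 1 with no error. Unless the ioctl layer already rejects such values (not visible here), it would be safer to refuse them with `if (num > 0xffff) return NULL;` at the top, or at least document the truncation in a comment over the assignment. The `KMALLOC(fg, frgroup_t *)` change also drops the explicit size, so the macro must now derive it from the pointer type — a reader of this function cannot verify that.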
@@ -1241,9 +1317,10 @@ int which, set;
void fr_delgroup(num, flags, which, set)
-u_short num;
+u_int num;
u_32_t flags;
-int which, set;
+minor_t which;
+int set;
{
frgroup_t *fg, **fgp;
@@ -1261,62 +1338,210 @@ int which, set;
* encountered. if a rule is the head of a group and it has lost all its
* group members, then also delete the group reference.
*/
-static int frflushlist(set, unit, nfreedp, list, listp)
-int set, unit, *nfreedp;
-frentry_t *list, **listp;
+static int frflushlist(set, unit, nfreedp, listp)
+int set;
+minor_t unit;
+int *nfreedp;
+frentry_t **listp;
{
- register frentry_t *fp = list, *fpn;
- register int freed = 0;
+ register int freed = 0, i;
+ register frentry_t *fp;
- while (fp) {
- fpn = fp->fr_next;
+ while ((fp = *listp)) {
+ *listp = fp->fr_next;
if (fp->fr_grp) {
- fp->fr_ref -= frflushlist(set, unit, nfreedp,
- fp->fr_grp, &fp->fr_grp);
+ i = frflushlist(set, unit, nfreedp, &fp->fr_grp);
+ MUTEX_ENTER(&ipf_rw);
+ fp->fr_ref -= i;
+ MUTEX_EXIT(&ipf_rw);
}
- if (fp->fr_ref == 1) {
+ ATOMIC_DEC(fp->fr_ref);
+ if (fp->fr_ref == 0) {
if (fp->fr_grhead)
- fr_delgroup(fp->fr_grhead, fp->fr_flags, unit,
- set);
+ fr_delgroup((u_int)fp->fr_grhead, fp->fr_flags,
+ unit, set);
KFREE(fp);
- *listp = fpn;
- freed++;
- }
- fp = fpn;
+ } else
+ fp->fr_next = NULL;
+ freed++;
}
*nfreedp += freed;
return freed;
}
-void frflush(unit, result)
-int unit;
-int *result;
+int frflush(unit, flags)
+minor_t unit;
+int flags;
{
- int flags = *result, flushed = 0, set = fr_active;
+ int flushed = 0, set;
+ if (unit != IPL_LOGIPF)
+ return 0;
+ WRITE_ENTER(&ipf_mutex);
bzero((char *)frcache, sizeof(frcache[0]) * 2);
+ set = fr_active;
if (flags & FR_INACTIVE)
set = 1 - set;
- if (unit == IPL_LOGIPF) {
- if (flags & FR_OUTQUE) {
- (void) frflushlist(set, unit, &flushed,
- ipfilter[1][set],
- &ipfilter[1][set]);
- (void) frflushlist(set, unit, &flushed,
- ipacct[1][set], &ipacct[1][set]);
- }
- if (flags & FR_INQUE) {
- (void) frflushlist(set, unit, &flushed,
- ipfilter[0][set],
- &ipfilter[0][set]);
- (void) frflushlist(set, unit, &flushed,
- ipacct[0][set], &ipacct[0][set]);
+ if (flags & FR_OUTQUE) {
+ (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]);
+ (void) frflushlist(set, unit, &flushed, &ipacct[1][set]);
+ }
+ if (flags & FR_INQUE) {
+ (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]);
+ (void) frflushlist(set, unit, &flushed, &ipacct[0][set]);
+ }
+ RWLOCK_EXIT(&ipf_mutex);
+ return flushed;
+}
+
+
+char *memstr(src, dst, slen, dlen)
+char *src, *dst;
+int slen, dlen;
+{
+ char *s = NULL;
+
+ while (dlen >= slen) {
+ if (bcmp(src, dst, slen) == 0) {
+ s = dst;
+ break;
}
+ dst++;
+ dlen--;
}
+ return s;
+}
+
+
+void fixskip(listp, rp, addremove)
+frentry_t **listp, *rp;
+int addremove;
+{
+ frentry_t *fp;
+ int rules = 0, rn = 0;
+
+ for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
+ ;
+
+ if (!fp)
+ return;
+
+ for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
+ if (fp->fr_skip && (rn + fp->fr_skip >= rules))
+ fp->fr_skip += addremove;
+}
+
+
+#ifdef _KERNEL
+/*
+ * count consecutive 1's in bit mask. If the mask generated by counting
+ * consecutive 1's is different to that passed, return -1, else return #
+ * of bits.
+ */
+int countbits(ip)
+u_32_t ip;
+{
+ u_32_t ipn;
+ int cnt = 0, i, j;
+
+ ip = ipn = ntohl(ip);
+ for (i = 32; i; i--, ipn *= 2)
+ if (ipn & 0x80000000)
+ cnt++;
+ else
+ break;
+ ipn = 0;
+ for (i = 32, j = cnt; i; i--, j--) {
+ ipn *= 2;
+ if (j > 0)
+ ipn++;
+ }
+ if (ipn == ip)
+ return cnt;
+ return -1;
+}
- *result = flushed;
+
+/*
+ * return the first IP Address associated with an interface
+ */
+int fr_ifpaddr(ifptr, inp)
+void *ifptr;
+struct in_addr *inp;
+{
+# if SOLARIS
+ ill_t *ill = ifptr;
+# else
+ struct ifnet *ifp = ifptr;
+# endif
+ struct in_addr in;
+
+# if SOLARIS
+ in.s_addr = ill->ill_ipif->ipif_local_addr;
+# else /* SOLARIS */
+# if linux
+ ;
+# else /* linux */
+ struct ifaddr *ifa;
+ struct sockaddr_in *sin;
+
+# if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_FIRST(&ifp->if_addrhead);
+# else
+# if defined(__NetBSD__) || defined(__OpenBSD__)
+ ifa = ifp->if_addrlist.tqh_first;
+# else
+# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
+ ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
+# else
+ ifa = ifp->if_addrlist;
+# endif
+# endif /* __NetBSD__ || __OpenBSD__ */
+# endif /* __FreeBSD_version >= 300000 */
+# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
+ sin = (struct sockaddr_in *)&ifa->ifa_addr;
+# else
+ sin = (struct sockaddr_in *)ifa->ifa_addr;
+ while (sin && ifa &&
+ sin->sin_family != AF_INET) {
+# if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_NEXT(ifa, ifa_link);
+# else
+# if defined(__NetBSD__) || defined(__OpenBSD__)
+ ifa = ifa->ifa_list.tqe_next;
+# else
+ ifa = ifa->ifa_next;
+# endif
+# endif /* __FreeBSD_version >= 300000 */
+ if (ifa)
+ sin = (struct sockaddr_in *)ifa->ifa_addr;
+ }
+ if (ifa == NULL)
+ sin = NULL;
+ if (sin == NULL)
+ return -1;
+# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
+ in = sin->sin_addr;
+# endif /* linux */
+# endif /* SOLARIS */
+ in.s_addr = ntohl(in.s_addr);
+ *inp = in;
+ return 0;
+}
+#else
+
+
+/*
+ * return the first IP Address associated with an interface
+ */
+int fr_ifpaddr(ifptr, inp)
+void *ifptr;
+struct in_addr *inp;
+{
+ return 0;
}
+#endif
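Review bot: In the BSD branch of fr_ifpaddr, `sin = (struct sockaddr_in *)ifa->ifa_addr;` runs before the `while (sin && ifa && ...)` loop ever tests `ifa`, so an interface whose address list is empty (`TAILQ_FIRST` returning NULL) dereferences a null pointer; the later `if (ifa == NULL) sin = NULL;` comes too late. Initialise defensively: `sin = ifa ? (struct sockaddr_in *)ifa->ifa_addr : NULL;`. The function also returns the address in host byte order (`ntohl`) through a `struct in_addr *`, which callers would normally expect in network order, so the header comment should state that. Finally, `memstr(src, dst, slen, dlen)` looks for `src` inside `dst`, which the names do not convey — a one-line comment would fix it.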
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index cfcfd99..55382c5 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -1,15 +1,17 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
-
+#ifdef __FreeBSD__
+# include <osreldate.h>
+#endif
#include <stdio.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
+# include <strings.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
@@ -27,6 +29,9 @@
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
@@ -41,17 +46,12 @@
#include "netinet/ip_auth.h"
#include "kmem.h"
#if defined(__NetBSD__) || (__OpenBSD__)
-#include <paths.h>
+# include <paths.h>
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $";
-#endif
-#ifdef _PATH_UNIX
-#define VMUNIX _PATH_UNIX
-#else
-#define VMUNIX "/vmunix"
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.2.2.3 1999/10/05 12:57:37 darrenr Exp $";
#endif
extern char *optarg;
@@ -72,8 +72,10 @@ static void showfrstates __P((int, ipfrstat_t *));
static void showlist __P((friostat_t *));
static void showipstates __P((int, ips_stat_t *));
static void showauthstates __P((int, fr_authstat_t *));
+static void showgroups __P((friostat_t *));
static void Usage __P((char *));
static void printlist __P((frentry_t *));
+static char *get_ifname __P((void *));
static void Usage(name)
@@ -101,7 +103,7 @@ char *argv[];
(void)setuid(getuid());
(void)setgid(getgid());
- while ((c = getopt(argc, argv, "aAfhIinosvd:")) != -1)
+ while ((c = getopt(argc, argv, "aAfghIinosvd:")) != -1)
{
switch (c)
{
@@ -117,6 +119,9 @@ char *argv[];
case 'f' :
opts |= OPT_FRSTATES;
break;
+ case 'g' :
+ opts |= OPT_GROUPS;
+ break;
case 'h' :
opts |= OPT_HITS;
break;
@@ -197,6 +202,8 @@ char *argv[];
showfrstates(fd, &ifrst);
else if (opts & OPT_AUTHSTATS)
showauthstates(fd, &frauthst);
+ else if (opts & OPT_GROUPS)
+ showgroups(&fio);
else
showstats(fd, &fio);
}
@@ -211,7 +218,7 @@ static void showstats(fd, fp)
int fd;
struct friostat *fp;
{
- int frf = 0;
+ u_32_t frf = 0;
if (ioctl(fd, SIOCGETFF, &frf) == -1)
perror("ioctl(SIOCGETFF)");
@@ -219,6 +226,10 @@ struct friostat *fp;
#if SOLARIS
PRINTF("dropped packets:\tin %lu\tout %lu\n",
fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
+ PRINTF("non-data packets:\tin %lu\tout %lu\n",
+ fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata);
+ PRINTF("no-data packets:\tin %lu\tout %lu\n",
+ fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata);
PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
@@ -365,19 +376,19 @@ ips_stat_t *ipsp;
PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss);
- PRINTF("\t%lu maximum\n\t%lu no memory\n",
- ipsp->iss_max, ipsp->iss_nomem);
+ PRINTF("\t%lu maximum\n\t%lu no memory\n\tbuckets in use\t%lu\n",
+ ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
return;
- for (i = 0; i < IPSTATE_SIZE; i++)
+ for (i = 0; i < IPSTATE_SIZE; i++) {
while (istab[i]) {
if (kmemcpy((char *)&ips, (u_long)istab[i],
sizeof(ips)) == -1)
break;
PRINTF("%s -> ", inet_ntoa(ips.is_src));
- PRINTF("%s ttl %ld pass %d pr %d state %d/%d\n",
+ PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
inet_ntoa(ips.is_dst), ips.is_age,
ips.is_pass, ips.is_p, ips.is_state[0],
ips.is_state[1]);
@@ -389,30 +400,48 @@ ips_stat_t *ipsp;
ips.is_pkts, ips.is_bytes);
#endif
if (ips.is_p == IPPROTO_TCP)
- PRINTF("\t%hu -> %hu %lu:%lu %hu:%hu\n",
+#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ (__FreeBSD_version >= 220000) || defined(__OpenBSD__)
+ PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
ntohs(ips.is_sport),
ntohs(ips.is_dport),
- ips.is_seq, ips.is_ack,
- ips.is_swin, ips.is_dwin);
+ ips.is_send, ips.is_dend,
+ ips.is_maxswin, ips.is_maxdwin);
+#else
+ PRINTF("\t%hu -> %hu %lx:%lx %hu:%hu",
+ ntohs(ips.is_sport),
+ ntohs(ips.is_dport),
+ ips.is_send, ips.is_dend,
+ ips.is_maxswin, ips.is_maxdwin);
+#endif
else if (ips.is_p == IPPROTO_UDP)
- PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport),
+ PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
ntohs(ips.is_dport));
else if (ips.is_p == IPPROTO_ICMP)
- PRINTF(" %hu %hu %d\n", ips.is_icmp.ics_id,
+ PRINTF(" %hu %hu %d", ips.is_icmp.ics_id,
ips.is_icmp.ics_seq,
ips.is_icmp.ics_type);
- /* phil@ultimate.com ... */
- PRINTF("\t");
- /* from "printfr()" */
+ PRINTF("\n\t");
+
if (ips.is_pass & FR_PASS) {
PRINTF("pass");
} else if (ips.is_pass & FR_BLOCK) {
PRINTF("block");
- if (ips.is_pass & FR_RETICMP)
+ switch (ips.is_pass & FR_RETMASK)
+ {
+ case FR_RETICMP :
PRINTF(" return-icmp");
- if (ips.is_pass & FR_RETRST)
+ break;
+ case FR_FAKEICMP :
+ PRINTF(" return-icmp-as-dest");
+ break;
+ case FR_RETRST :
PRINTF(" return-rst");
+ break;
+ default :
+ break;
+ }
} else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
PRINTF("log");
if (ips.is_pass & FR_LOGBODY)
@@ -427,7 +456,7 @@ ips_stat_t *ipsp;
else
PRINTF(" in");
- if ((ips.is_pass & (FR_LOGB|FR_LOGP)) != 0) {
+ if ((ips.is_pass & FR_LOG) != 0) {
PRINTF(" log");
if (ips.is_pass & FR_LOGBODY)
PRINTF(" body");
@@ -444,10 +473,21 @@ ips_stat_t *ipsp;
if (ips.is_pass & FR_KEEPSTATE)
PRINTF(" keep state");
PRINTF("\n");
- /* ... phil@ultimate.com */
+ PRINTF("\tpkt_flags & %x = %x,\t", ips.is_flags & 0xf,
+ ips.is_flags >> 4);
+ PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
+ ips.is_opt);
+ PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
+ ips.is_secmsk, ips.is_sec, ips.is_authmsk,
+ ips.is_auth);
istab[i] = ips.is_next;
+ PRINTF("interfaces: in %s[%p] ",
+ get_ifname(ips.is_ifpin), ips.is_ifpin);
+ PRINTF("out %s[%p]\n",
+ get_ifname(ips.is_ifpout), ips.is_ifpout);
}
+ }
}
@@ -456,6 +496,7 @@ int fd;
ipfrstat_t *ifsp;
{
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
+ frentry_t fr;
int i;
PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
@@ -471,10 +512,13 @@ ipfrstat_t *ifsp;
sizeof(ifr)) == -1)
break;
PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src));
+ if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
+ sizeof(fr)) == -1)
+ break;
PRINTF("%s %d %d %d %#02x = %#x\n",
inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id,
ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
- ifr.ipfr_pass);
+ fr.fr_flags);
ipfrtab[i] = ifr.ipfr_next;
}
}
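Review bot: The fragment entry's rule is now fetched with `kmemcpy(&fr, ifr.ipfr_rule, sizeof(fr))`, and a failure `break`s out of the per-bucket loop, so a single entry whose `ipfr_rule` is NULL or unreadable hides every later entry in that bucket, where the previous code printed `ipfr_pass` straight from the fragment. Treat the failure per entry and keep walking: `if (ifr.ipfr_rule == NULL || kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, sizeof(fr)) == -1) fr.fr_flags = 0;` and then print as before. Whether `ipfr_rule` can be NULL for a live entry is not visible here. showfrstates's body starts and ends outside this hunk.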
@@ -484,6 +528,8 @@ static void showauthstates(fd, asp)
int fd;
fr_authstat_t *asp;
{
+ frauthent_t *frap, fra;
+
#ifdef USE_QUAD_T
printf("Authorisation hits: %qd\tmisses %qd\n", asp->fas_hits,
asp->fas_miss);
@@ -496,4 +542,98 @@ fr_authstat_t *asp;
asp->fas_sendok);
printf("queok %ld\nquefail %ld\nexpire %ld\n",
asp->fas_queok, asp->fas_quefail, asp->fas_expire);
+
+ frap = asp->fas_faelist;
+ while (frap) {
+ if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
+ break;
+
+ printf("age %ld\t", fra.fae_age);
+ printfr(&fra.fae_fr);
+ frap = fra.fae_next;
+ }
+}
+
+
+static char *get_ifname(ptr)
+void *ptr;
+{
+#if SOLARIS
+ char *ifname;
+ ill_t ill;
+
+ if (ptr == (void *)-1)
+ return "!";
+ if (ptr == NULL)
+ return "-";
+
+ if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
+ return "X";
+ ifname = malloc(ill.ill_name_length + 1);
+ if (kmemcpy(ifname, (u_long)ill.ill_name,
+ ill.ill_name_length) == -1)
+ return "X";
+ return ifname;
+#else
+# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ defined(__OpenBSD__)
+#else
+ char buf[32];
+ int len;
+# endif
+ struct ifnet netif;
+
+ if (ptr == (void *)-1)
+ return "!";
+ if (ptr == NULL)
+ return "-";
+
+ if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
+ return "X";
+# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+ defined(__OpenBSD__)
+ return strdup(netif.if_xname);
+# else
+ if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
+ return "X";
+ if (netif.if_unit < 10)
+ len = 2;
+ else if (netif.if_unit < 1000)
+ len = 3;
+ else if (netif.if_unit < 10000)
+ len = 4;
+ else
+ len = 5;
+ buf[sizeof(buf) - len] = '\0';
+ sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
+ return strdup(buf);
+# endif
+#endif
+}
+
+
+static void showgroups(fiop)
+struct friostat *fiop;
+{
+ static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
+ frgroup_t *fp, grp;
+ int on, off, i;
+
+ on = fiop->f_active;
+ off = 1 - on;
+
+ for (i = 0; i < 3; i++) {
+ printf("%s groups (active):\n", gnames[i]);
+ for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next)
+ if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
+ break;
+ else
+ printf("%hu\n", grp.fg_num);
+ printf("%s groups (inactive):\n", gnames[i]);
+ for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next)
+ if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
+ break;
+ else
+ printf("%hu\n", grp.fg_num);
+ }
}
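Review bot: In the Solaris branch of get_ifname the `malloc(ill.ill_name_length + 1)` result is used without a NULL check and, although an extra byte is reserved, the terminator is never written after the `kmemcpy` of `ill_name_length` bytes, so the returned name is not NUL-terminated and the `%s` in showipstates will read past it. Add `if (ifname == NULL) return "X";` after the malloc and `ifname[ill.ill_name_length] = '\0';` before the return. The function also returns string literals ("!", "-", "X") on some paths and heap strings on others, so callers cannot free the result uniformly — a comment saying the result is intentionally leaked for the process lifetime would save the next reader from trying.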
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c
index e7ca501..49278a8 100644
--- a/contrib/ipfilter/inet_addr.c
+++ b/contrib/ipfilter/inet_addr.c
@@ -55,7 +55,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.0.2.6 1997/10/19 15:39:21 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1 1999/08/04 17:29:54 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index bdb3114..443eefe 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -1,23 +1,24 @@
/*
- * Copyright (C) 1997 by Darren Reed & Guido van Rooij.
+ * Copyright (C) 1998 by Darren Reed & Guido van Rooij.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:29 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $";
#endif
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdlib.h>
-# include <string.h>
-#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+#endif
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
@@ -39,34 +40,39 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
+#if _BSDI_VERSION >= 199802
+# include <sys/queue.h>
+#endif
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
# include <machine/cpu.h>
#endif
#include <net/if.h>
#ifdef sun
-#include <net/af.h>
+# include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef KERNEL
-#define KERNEL
-#define NOT_KERNEL
+# define KERNEL
+# define NOT_KERNEL
#endif
#ifndef linux
# include <netinet/ip_var.h>
#endif
#ifdef NOT_KERNEL
-#undef KERNEL
+# undef KERNEL
#endif
#ifdef __sgi
# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
+# include <sys/hashing.h>
# endif
#endif
#include <netinet/tcp.h>
@@ -74,6 +80,9 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:
extern struct ifqueue ipintrq; /* ip packet input queue */
#else
# ifndef linux
+# if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+# endif
# include <netinet/in_var.h>
# include <netinet/tcp_fsm.h>
# endif
@@ -90,10 +99,19 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
# include <machine/cpufunc.h>
# endif
#endif
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
+# include <sys/libkern.h>
+# include <sys/systm.h>
+# endif
+#endif
+
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern kmutex_t ipf_auth;
+extern KRWLOCK_T ipf_auth;
+extern kmutex_t ipf_authmx;
# if SOLARIS
extern kcondvar_t ipfauthwait;
# endif
@@ -118,7 +136,7 @@ frentry_t *ipauth = NULL;
* authorization result and that would result in a feedback loop (i.e. it
* will end up returning FR_AUTH) then return FR_BLOCK instead.
*/
-int fr_checkauth(ip, fin)
+u_32_t fr_checkauth(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
@@ -126,7 +144,7 @@ fr_info_t *fin;
u_32_t pass;
int i;
- MUTEX_ENTER(&ipf_auth);
+ READ_ENTER(&ipf_auth);
for (i = fr_authstart; i != fr_authend; ) {
/*
* index becomes -2 only after an SIOCAUTHW. Check this in
@@ -141,6 +159,8 @@ fr_info_t *fin;
*/
if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
pass = FR_BLOCK;
+ RWLOCK_EXIT(&ipf_auth);
+ WRITE_ENTER(&ipf_auth);
fr_authstats.fas_hits++;
fr_auth[i].fra_index = -1;
fr_authused--;
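Review bot: The RWLOCK_EXIT/WRITE_ENTER pair on the two added lines drops ipf_auth entirely before the write section, and nothing after it re-validates that slot i still holds the entry that matched under the read lock; a concurrent fr_checkauth or a SIOCAUTHR (which takes the lock as writer) can have changed fr_auth[i], fr_authstart or fr_authend in between, so the bookkeeping that follows may act on a different or already-released slot. After `WRITE_ENTER(&ipf_auth);` the code should confirm the slot is still the one it found (for example that `fr_auth[i].fra_index == i` and the id still matches) and otherwise restart the scan. The same drop-and-retake appears in the SIOCAUTHW case, where `fr_authnext++` happens after the re-acquire and two waiters can copy out the same entry. Note that RW_UPGRADE as defined in ip_compat.h in this commit also releases the lock when rw_tryupgrade fails, so using it does not remove the need for the recheck. fr_checkauth starts and ends outside this hunk.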
@@ -158,7 +178,7 @@ fr_info_t *fin;
fr_authstart = fr_authend = 0;
}
}
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
return pass;
}
i++;
@@ -166,7 +186,7 @@ fr_info_t *fin;
i = 0;
}
fr_authstats.fas_miss++;
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
return 0;
}
@@ -189,16 +209,17 @@ ip_t *ip;
{
int i;
- MUTEX_ENTER(&ipf_auth);
- if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) {
+ WRITE_ENTER(&ipf_auth);
+ if (fr_authstart > fr_authend) {
fr_authstats.fas_nospace++;
- MUTEX_EXIT(&ipf_auth);
- return 0;
- }
- if (fr_authend - fr_authstart == FR_NUMAUTH - 1) {
- fr_authstats.fas_nospace++;
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
return 0;
+ } else {
+ if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
+ fr_authstats.fas_nospace++;
+ RWLOCK_EXIT(&ipf_auth);
+ return 0;
+ }
}
fr_authstats.fas_added++;
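Review bot: The new `if (fr_authstart > fr_authend)` test reports no space for every wrapped state of the ring, not only when it is actually full, so once fr_authend wraps past zero no packet can be queued until the ring drains completely and the indices are reset; under sustained load that shows up as spurious fas_nospace counts. If the consumer side frees slots as it advances fr_authstart, both branches collapse into the single full test `if (((fr_authend + 1) % FR_NUMAUTH) == fr_authstart)`, which also covers the unwrapped `start == 0 && end == FR_NUMAUTH - 1` case handled in the else branch. I cannot see from the hunk how fr_authstart is advanced, so please confirm the ring invariant before changing this. fr_newauth starts outside this hunk.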
@@ -206,7 +227,7 @@ ip_t *ip;
i = fr_authend++;
if (fr_authend == FR_NUMAUTH)
fr_authend = 0;
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
fr_auth[i].fra_index = i;
fr_auth[i].fra_pass = 0;
fr_auth[i].fra_age = fr_defaultauthage;
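Review bot: Slot i becomes visible to fr_checkauth's scan as soon as `fr_authend++` executes under the write lock, but fra_index, fra_pass and fra_age are only initialised after `RWLOCK_EXIT(&ipf_auth)`, so a reader that arrives in that window sees whatever the slot held from its previous use. The initialisation of the slot should move above the RWLOCK_EXIT (or the slot should be fully populated before fr_authend is advanced). Whether the stale contents can actually be taken as a match depends on the comparison fr_checkauth performs, which is outside the hunk I can see.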
@@ -288,46 +309,58 @@ frentry_t *fr, **frptr;
if (!fae)
error = ESRCH;
else {
+ WRITE_ENTER(&ipf_auth);
*faep = fae->fae_next;
*frptr = fr->fr_next;
+ RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
} else {
- KMALLOC(fae, frauthent_t *, sizeof(*fae));
+ KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
IRCOPY((char *)data, (char *)&fae->fae_fr,
sizeof(fae->fae_fr));
- if (!fae->fae_age)
- fae->fae_age = fr_defaultauthage;
+ WRITE_ENTER(&ipf_auth);
+ fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
*frptr = &fae->fae_fr;
fae->fae_next = *faep;
*faep = fae;
+ ipauth = &fae_list->fae_fr;
+ RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
}
break;
case SIOCATHST:
+ READ_ENTER(&ipf_auth);
+ fr_authstats.fas_faelist = fae_list;
+ RWLOCK_EXIT(&ipf_auth);
IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
break;
case SIOCAUTHW:
fr_authioctlloop:
- MUTEX_ENTER(&ipf_auth);
+ READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
- IWCOPY((char *)&fr_auth[fr_authnext++], data,
+ IWCOPY((char *)&fr_auth[fr_authnext], data,
sizeof(fr_info_t));
+ RWLOCK_EXIT(&ipf_auth);
+ WRITE_ENTER(&ipf_auth);
+ fr_authnext++;
if (fr_authnext == FR_NUMAUTH)
fr_authnext = 0;
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
return 0;
}
#ifdef _KERNEL
# if SOLARIS
- if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) {
- mutex_exit(&ipf_auth);
+ mutex_enter(&ipf_authmx);
+ if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
+ mutex_exit(&ipf_authmx);
return EINTR;
}
+ mutex_exit(&ipf_authmx);
# else
# ifdef linux
interruptible_sleep_on(&ipfauthwait);
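Review bot: On Solaris the SIOCAUTHW path now sleeps in `cv_wait_sig(&ipfauthwait, &ipf_authmx)` while still holding ipf_auth as a reader (taken by the READ_ENTER at the top of the case), whereas previously cv_wait_sig released the single ipf_auth mutex for the duration of the wait. fr_newauth takes `WRITE_ENTER(&ipf_auth)` before it can queue a packet, so unless the wakeup is issued from a path that never takes ipf_auth as writer, the waiter blocks the producer and neither side progresses. The lock should be released before blocking: take ipf_authmx first so the signal cannot be lost, then `RWLOCK_EXIT(&ipf_auth)`, then cv_wait_sig, and skip the later RWLOCK_EXIT on that path. The BSD and Linux READ_ENTER expands to nothing in ip_compat.h, which is why only the Solaris build is affected. fr_auth_ioctl starts and ends outside this hunk.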
@@ -338,17 +371,17 @@ fr_authioctlloop:
# endif
# endif
#endif
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
if (!error)
goto fr_authioctlloop;
break;
case SIOCAUTHR:
IRCOPY(data, (caddr_t)&auth, sizeof(auth));
- MUTEX_ENTER(&ipf_auth);
+ WRITE_ENTER(&ipf_auth);
i = au->fra_index;
if ((i < 0) || (i > FR_NUMAUTH) ||
(fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
return EINVAL;
}
m = fr_authpkts[i];
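Review bot: The index check in the SIOCAUTHR case is off by one: `i > FR_NUMAUTH` still lets `i == FR_NUMAUTH` through, and `fr_auth[i]` on the same condition then reads one element past the array (FR_NUMAUTH is 32 and every other user of the arrays wraps at `== FR_NUMAUTH`). Since `au` is copied straight from user space by the IRCOPY above, this is a caller-controlled out-of-bounds access; the condition should read `(i < 0) || (i >= FR_NUMAUTH) ||`. The lines are context in this hunk, but the commit rewrites the surrounding locking and leaves the check as is.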
@@ -356,14 +389,19 @@ fr_authioctlloop:
fr_auth[i].fra_pass = au->fra_pass;
fr_authpkts[i] = NULL;
#ifdef _KERNEL
- MUTEX_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_auth);
SPL_NET(s);
# ifndef linux
if (m && au->fra_info.fin_out) {
# if SOLARIS
error = fr_qout(fr_auth[i].fra_q, m);
# else /* SOLARIS */
+# if _BSDI_VERSION >= 199802
+ error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
+ NULL);
+# else
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
+# endif
# endif /* SOLARIS */
if (error)
fr_authstats.fas_sendfail++;
@@ -439,7 +477,7 @@ void fr_authunload()
register frauthent_t *fae, **faep;
mb_t *m;
- MUTEX_ENTER(&ipf_auth);
+ WRITE_ENTER(&ipf_auth);
for (i = 0; i < FR_NUMAUTH; i++) {
if ((m = fr_authpkts[i])) {
FREE_MB_T(m);
@@ -453,7 +491,8 @@ void fr_authunload()
*faep = fae->fae_next;
KFREE(fae);
}
- MUTEX_EXIT(&ipf_auth);
+ ipauth = NULL;
+ RWLOCK_EXIT(&ipf_auth);
}
@@ -472,7 +511,7 @@ void fr_authexpire()
#endif
SPL_NET(s);
- MUTEX_ENTER(&ipf_auth);
+ WRITE_ENTER(&ipf_auth);
for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
FREE_MB_T(m);
@@ -484,14 +523,15 @@ void fr_authexpire()
}
for (faep = &fae_list; (fae = *faep); ) {
- if (!--fra->fra_age) {
+ if (!--fae->fae_age) {
*faep = fae->fae_next;
KFREE(fae);
fr_authstats.fas_expire++;
} else
faep = &fae->fae_next;
}
- MUTEX_EXIT(&ipf_auth);
+ ipauth = &fae_list->fae_fr;
+ RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}
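Review bot: `ipauth = &fae_list->fae_fr;` runs after the expiry loop that can free the last frauthent, so fae_list may be NULL at that point and the expression dereferences it; fr_authunload in the same commit handles the emptied list with an explicit `ipauth = NULL`. If fae_fr happens to be the first member the result is NULL by accident, otherwise ipauth becomes a small non-NULL garbage pointer, and either way it is undefined behaviour. Use `ipauth = fae_list ? &fae_list->fae_fr : NULL;` here; the identical assignment in the SIOCADAFR path is fine because an entry was just inserted. fr_authexpire starts outside this hunk.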
#endif
diff --git a/contrib/ipfilter/ip_auth.h b/contrib/ipfilter/ip_auth.h
index 06f7cf6..46b8d92 100644
--- a/contrib/ipfilter/ip_auth.h
+++ b/contrib/ipfilter/ip_auth.h
@@ -1,11 +1,11 @@
/*
- * Copyright (C) 1997 by Darren Reed & Guido Van Rooij.
+ * Copyright (C) 1997-1998 by Darren Reed & Guido Van Rooij.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: ip_auth.h,v 2.0.2.10 1997/10/29 12:14:07 darrenr Exp $
+ * $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $
*
*/
#ifndef __IP_AUTH_H__
@@ -13,18 +13,6 @@
#define FR_NUMAUTH 32
-typedef struct fr_authstat {
- U_QUAD_T fas_hits;
- U_QUAD_T fas_miss;
- u_long fas_nospace;
- u_long fas_added;
- u_long fas_sendfail;
- u_long fas_sendok;
- u_long fas_queok;
- u_long fas_quefail;
- u_long fas_expire;
-} fr_authstat_t;
-
typedef struct frauth {
int fra_age;
int fra_index;
@@ -41,6 +29,19 @@ typedef struct frauthent {
u_long fae_age;
} frauthent_t;
+typedef struct fr_authstat {
+ U_QUAD_T fas_hits;
+ U_QUAD_T fas_miss;
+ u_long fas_nospace;
+ u_long fas_added;
+ u_long fas_sendfail;
+ u_long fas_sendok;
+ u_long fas_queok;
+ u_long fas_quefail;
+ u_long fas_expire;
+ frauthent_t *fas_faelist;
+} fr_authstat_t;
+
extern frentry_t *ipauth;
extern struct fr_authstat fr_authstats;
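Review bot: The new fas_faelist member turns fr_authstat_t, which SIOCATHST copies whole to user space, into a carrier of a kernel address, and nothing documents what a user-space reader is supposed to do with it. Presumably it is meant for tools that follow kernel pointers through /dev/kmem, the way showgroups consumes the f_groups pointers with kmemcpy; say so at the declaration, e.g. `frauthent_t *fas_faelist; /* kernel address of the fae_list head; not dereferenceable from user space */`. If only statistics are wanted, a count would avoid exporting the address at all.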
@@ -49,7 +50,7 @@ extern int fr_authstart;
extern int fr_authend;
extern int fr_authsize;
extern int fr_authused;
-extern int fr_checkauth __P((ip_t *, fr_info_t *));
+extern u_32_t fr_checkauth __P((ip_t *, fr_info_t *));
extern void fr_authexpire __P((void));
extern void fr_authunload __P((void));
extern mb_t *fr_authpkts[];
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index 1f91cf3..b92f722 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $
+ * $Id: ip_compat.h,v 2.1.2.1 1999/09/18 15:03:51 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -17,33 +17,39 @@
# define __P(x) x
# else
# define __P(x) ()
-# define const
# endif
#endif
+#ifndef __STDC__
+# undef const
+# define const
+#endif
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
-#if defined(_KERNEL) && !defined(KERNEL)
+#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
+# undef KERNEL
+# undef _KERNEL
+# undef __KERNEL__
# define KERNEL
-#endif
-#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
-#endif
-#if!defined(__KERNEL__) && defined(KERNEL)
# define __KERNEL__
#endif
#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
#define index strchr
-# if !defined(_KERNEL)
+# if !defined(KERNEL)
# define bzero(a,b) memset(a,0,b)
# define bcmp memcmp
# define bcopy(a,b,c) memmove(b,a,c)
# endif
#endif
+#ifndef offsetof
+#define offsetof(t,m) (int)((&((t *)0L)->m))
+#endif
+
#if defined(__sgi) || defined(bsdi)
struct ether_addr {
u_char ether_addr_octet[6];
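Review bot: The fallback `#define offsetof(t,m) (int)((&((t *)0L)->m))` converts a pointer to int, which truncates on LP64 targets and draws a warning there, and this same commit starts to care about LP64 through the `_LP64` test further down in the file. The portable form is the system definition from `<stddef.h>`; where that is unavailable, `#define offsetof(t,m) ((size_t)&((t *)0L)->m)` at least keeps the full width. The extra parentheses in the original do not change the meaning, so the shorter form is equivalent apart from the cast type.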
@@ -69,6 +75,7 @@ struct ether_addr {
#endif
#if SOLARIS
# define MTYPE(m) ((m)->b_datap->db_type)
+# include <sys/isa_defs.h>
# include <sys/ioccom.h>
# include <sys/sysmacros.h>
# include <sys/kmem.h>
@@ -80,7 +87,7 @@ struct ether_addr {
# undef IPOPT_LSRR
# undef IPOPT_RR
# undef IPOPT_SSRR
-# ifndef _KERNEL
+# ifndef KERNEL
# define _KERNEL
# undef RES_INIT
# include <inet/common.h>
@@ -92,6 +99,10 @@ struct ether_addr {
# include <inet/ip.h>
# include <inet/ip_ire.h>
# endif /* _KERNEL */
+#else
+# if !defined(__sgi)
+typedef int minor_t;
+#endif
#endif /* SOLARIS */
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
@@ -118,7 +129,7 @@ typedef u_int32_t u_32_t;
/*
* Really, any arch where sizeof(long) != sizeof(int).
*/
-# if defined(__alpha__) || defined(__alpha)
+# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
typedef unsigned int u_32_t;
# else
typedef unsigned long u_32_t;
@@ -201,7 +212,32 @@ typedef unsigned long u_32_t;
*/
#ifdef KERNEL
# if SOLARIS
-# define MUTEX_ENTER(x) mutex_enter(x)
+# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
+ mutex_exit(&ipf_rw); }
+# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
+ mutex_exit(&ipf_rw); }
+# define MUTEX_ENTER(x) mutex_enter(x)
+# if 1
+# define KRWLOCK_T krwlock_t
+# define READ_ENTER(x) rw_enter(x, RW_READER)
+# define WRITE_ENTER(x) rw_enter(x, RW_WRITER)
+# define RW_UPGRADE(x) { if (rw_tryupgrade(x) == 0) { \
+ rw_exit(x); \
+ rw_enter(x, RW_WRITER); } \
+ }
+# define MUTEX_DOWNGRADE(x) rw_downgrade(x)
+# define RWLOCK_INIT(x, y, z) rw_init((x), (y), RW_DRIVER, (z))
+# define RWLOCK_EXIT(x) rw_exit(x)
+# define RW_DESTROY(x) rw_destroy(x)
+# else
+# define KRWLOCK_T kmutex_t
+# define READ_ENTER(x) mutex_enter(x)
+# define WRITE_ENTER(x) mutex_enter(x)
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_INIT(x, y, z) mutex_init((x), (y), MUTEX_DRIVER, (z))
+# define RWLOCK_EXIT(x) mutex_exit(x)
+# define RW_DESTROY(x) mutex_destroy(x)
+# endif
# define MUTEX_EXIT(x) mutex_exit(x)
# define MTOD(m,t) (t)((m)->b_rptr)
# define IRCOPY(a,b,c) copyin((a), (b), (c))
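Review bot: RW_UPGRADE is not an atomic upgrade: when rw_tryupgrade fails it releases the lock and re-enters as a writer, so any state a caller examined under the read lock can have changed by the time it holds the write lock, and the macro name does not warn about that. A comment above it such as `/* may drop the lock entirely before re-taking it as writer; callers must revalidate what they read */` would prevent the obvious misuse. The `#if 1` that selects the krwlock_t implementation leaves the kmutex_t branch as permanently dead code; either promote it to a named configuration macro or drop the branch.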
@@ -217,7 +253,8 @@ typedef unsigned long u_32_t;
# define htons(x) (x)
# define htonl(x) (x)
# endif /* sparc */
-# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
+# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
+# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
# define GET_MINOR(x) getminor(x)
typedef struct qif {
struct qif *qf_next;
@@ -233,18 +270,19 @@ typedef struct qif {
struct qinit qf_rqinit;
mblk_t *qf_m; /* These three fields are for passing data up from */
queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
- int qf_off;
- int qf_len; /* this field is used for in ipfr_fastroute */
+ size_t qf_off;
+ size_t qf_len; /* this field is used for in ipfr_fastroute */
char qf_name[8];
/*
* in case the ILL has disappeared...
*/
- int qf_hl; /* header length */
+ size_t qf_hl; /* header length */
} qif_t;
extern ill_t *get_unit __P((char *));
# define GETUNIT(n) get_unit((n))
# else /* SOLARIS */
# if defined(__sgi)
+# define hz HZ
# include <sys/ksynch.h>
# define IPF_LOCK_PL plhi
# include <sys/sema.h>
@@ -253,10 +291,27 @@ typedef struct {
lock_t *l;
int pl;
} kmutex_t;
-# define MUTEX_ENTER(x) (x)->pl = LOCK((x)->l, IPF_LOCK_PL);
+# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \
+ (x)++; MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \
+ (x)--; MUTEX_EXIT(&ipf_rw); }
+# define MUTEX_ENTER(x) (x)->pl = LOCK((x)->l, IPF_LOCK_PL);
+# define KRWLOCK_T kmutex_t
+# define READ_ENTER(x) MUTEX_ENTER(x)
+# define WRITE_ENTER(x) MUTEX_ENTER(x)
+# define RW_UPGRADE(x) ;
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_EXIT(x) MUTEX_EXIT(x)
# define MUTEX_EXIT(x) UNLOCK((x)->l, (x)->pl);
# else /* __sgi */
-# define MUTEX_ENTER(x) ;
+# define ATOMIC_INC(x) (x)++
+# define ATOMIC_DEC(x) (x)--
+# define MUTEX_ENTER(x) ;
+# define READ_ENTER(x) ;
+# define WRITE_ENTER(x) ;
+# define RW_UPGRADE(x) ;
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_EXIT(x) ;
# define MUTEX_EXIT(x) ;
# endif /* __sgi */
# ifndef linux
@@ -291,11 +346,14 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
# ifdef __sgi
# include <sys/kmem.h>
# include <sys/ddi.h>
-# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
+# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
+# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
# define GET_MINOR(x) getminor(x)
# else
# if !SOLARIS
-# define KMALLOC(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
+# define KMALLOC(a,b) (a) = (b)new_kmem_alloc(sizeof(*(a)), \
+ KMEM_NOSLEEP)
+# define KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
# endif /* SOLARIS */
# endif /* __sgi */
# endif /* sun && !linux */
@@ -312,11 +370,13 @@ extern vm_map_t kmem_map;
# include <vm/vm_kern.h>
# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
# ifdef M_PFIL
-# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
+# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT)
+# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
# define KFREE(x) FREE((x), M_PFIL)
# define KFREES(x,s) FREE((x), M_PFIL)
# else
-# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
+# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
+# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
# define KFREE(x) FREE((x), M_TEMP)
# define KFREES(x,s) FREE((x), M_TEMP)
# endif /* M_PFIL */
@@ -339,13 +399,21 @@ extern vm_map_t kmem_map;
# define SLEEP(x,y) ;
# define WAKEUP(x) ;
# define PANIC(x,y) ;
+# define ATOMIC_INC(x) (x)++
+# define ATOMIC_DEC(x) (x)--
# define MUTEX_ENTER(x) ;
+# define READ_ENTER(x) ;
+# define WRITE_ENTER(x) ;
+# define RW_UPGRADE(x) ;
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_EXIT(x) ;
# define MUTEX_EXIT(x) ;
# define SPL_NET(x) ;
# define SPL_IMP(x) ;
# undef SPL_X
# define SPL_X(x) ;
-# define KMALLOC(a,b,c) (a) = (b)malloc(c)
+# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*a))
+# define KMALLOCS(a,b,c) (a) = (b)malloc(c)
# define KFREE(x) free(x)
# define KFREES(x,s) free(x)
# define GETUNIT(x) get_unit(x)
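Review bot: The user-space KMALLOC is written as `sizeof(*a)` while every other variant in this commit uses `sizeof(*(a))`; if the macro is ever invoked with an expression argument such as a cast or a conditional, the unparenthesised form parses differently from the kernel builds. Make it `# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*(a)))` so all variants agree.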
@@ -355,9 +423,26 @@ extern vm_map_t kmem_map;
#if SOLARIS
typedef mblk_t mb_t;
+# if SOLARIS2 >= 7
+# ifdef lint
+# define ALIGN32(ptr) (ptr ? 0L : 0L)
+# define ALIGN16(ptr) (ptr ? 0L : 0L)
+# else
+# define ALIGN32(ptr) (ptr)
+# define ALIGN16(ptr) (ptr)
+# endif
+# endif
#else
# ifdef linux
+# ifndef kernel
+typedef struct mb {
+ struct mb *next;
+ u_int len;
+ u_char *data;
+} mb_t;
+# else
typedef struct sk_buff mb_t;
+# endif
# else
typedef struct mbuf mb_t;
# endif
@@ -492,6 +577,7 @@ typedef struct mbuf mb_t;
#endif /* linux || __sgi */
#ifdef linux
+#include <linux/in_systm.h>
/*
* TCP States
*/
@@ -513,8 +599,13 @@ typedef struct mbuf mb_t;
/*
* file flags.
*/
+#ifdef WRITE
#define FWRITE WRITE
#define FREAD READ
+#else
+#define FWRITE _IOC_WRITE
+#define FREAD _IOC_READ
+#endif
/*
* mbuf related problems.
*/
@@ -522,7 +613,10 @@ typedef struct mbuf mb_t;
#define m_len len
#define m_next next
-#define IP_DF 0x8000
+#ifdef IP_DF
+#undef IP_DF
+#endif
+#define IP_DF 0x4000
typedef struct {
__u16 th_sport;
@@ -574,15 +668,15 @@ typedef struct {
* Structure of an icmp header.
*/
typedef struct icmp {
- u_char icmp_type; /* type of message, see below */
- u_char icmp_code; /* type sub code */
- u_short icmp_cksum; /* ones complement cksum of struct */
+ __u8 icmp_type; /* type of message, see below */
+ __u8 icmp_code; /* type sub code */
+ __u16 icmp_cksum; /* ones complement cksum of struct */
union {
- u_char ih_pptr; /* ICMP_PARAMPROB */
- struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
- struct ih_idseq {
- n_short icd_id;
- n_short icd_seq;
+ __u8 ih_pptr; /* ICMP_PARAMPROB */
+ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
+ struct ih_idseq {
+ __u16 icd_id;
+ __u16 icd_seq;
} ih_idseq;
int ih_void;
} icmp_hun;
@@ -664,7 +758,8 @@ typedef struct uio {
# define UNITNAME(n) dev_get((n))
-# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
+# define KMALLOC(a,b) (a) = (b)kmalloc(sizeof(*(a)), GFP_ATOMIC)
+# define KMALLOCS(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
# define KFREE(x) kfree_s((x), sizeof(*(x)))
# define KFREES(x,s) kfree_s((x), (s))
# define IRCOPY(a,b,c) { \
@@ -723,5 +818,14 @@ struct ether_addr {
#ifndef ICMP_ROUTERSOLICIT
# define ICMP_ROUTERSOLICIT 10
#endif
+/*
+ * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
+ * another IP header and then 64 bits of data, totalling 56. Of course,
+ * the last 64 bits is dependant on that being available.
+ */
+#define ICMPERR_ICMPHLEN 8
+#define ICMPERR_IPICMPHLEN (20 + 8)
+#define ICMPERR_MINPKTLEN (20 + 8 + 20)
+#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
#endif /* __IP_COMPAT_H__ */
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 09c4b6e..d9d7fe1 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:49 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.7 1999/10/15 13:49:43 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -17,6 +17,11 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
+#include <sys/param.h>
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
+ defined(_KERNEL)
+# include "opt_ipfilter_log.h"
+#endif
#ifdef __FreeBSD__
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/osreldate.h>
@@ -29,10 +34,10 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
# include <string.h>
# include <stdlib.h>
# include <ctype.h>
+# include <fcntl.h>
#endif
#include <sys/errno.h>
#include <sys/types.h>
-#include <sys/param.h>
#include <sys/file.h>
#if __FreeBSD_version >= 220000 && defined(_KERNEL)
# include <sys/fcntl.h>
@@ -46,7 +51,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
#endif
#include <sys/uio.h>
#if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603)
+# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
# else
# include <sys/dir.h>
@@ -64,6 +69,9 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
#endif
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
+# endif
#endif
#ifdef __sgi
#include <sys/debug.h>
@@ -74,7 +82,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
#include <net/route.h>
#include <netinet/in.h>
#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */
-#include <netinet/in_var.h>
+# include <netinet/in_var.h>
#endif
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -84,6 +92,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
#ifndef _KERNEL
+# include <unistd.h>
# include <syslog.h>
#endif
#include "netinet/ip_compat.h"
@@ -93,10 +102,14 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
+# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
-#if !SOLARIS && defined(_KERNEL)
+#if !SOLARIS && defined(_KERNEL) && !defined(__sgi)
+# include <sys/kernel.h>
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
@@ -108,11 +121,6 @@ extern struct protosw inetsw[];
static struct ifnet **ifneta = NULL;
static int nifs = 0;
#else
-# if (BSD < 199306) && !defined(__sgi)
-static int (*fr_saveslowtimo) __P((void));
-# else
-static void (*fr_saveslowtimo) __P((void));
-# endif
# if (BSD < 199306) || defined(__sgi)
extern int tcp_ttl;
# endif
@@ -122,9 +130,7 @@ int ipl_inited = 0;
int ipl_unreach = ICMP_UNREACH_FILTER;
u_long ipl_frouteok[2] = {0, 0};
-static void fixskip __P((frentry_t **, frentry_t *, int));
static void frzerostats __P((caddr_t));
-static void frsync __P((void));
#if defined(__NetBSD__) || defined(__OpenBSD__)
static int frrequest __P((int, u_long, caddr_t, int));
#else
@@ -132,6 +138,10 @@ static int frrequest __P((int, int, caddr_t, int));
#endif
#ifdef _KERNEL
static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
+static int send_ip __P((struct mbuf *, ip_t *));
+# ifdef __sgi
+extern kmutex_t ipf_rw;
+# endif
#else
int ipllog __P((void));
void init_ifp __P((void));
@@ -147,6 +157,15 @@ static int write_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *));
# endif
#endif
+#if defined(IPFILTER_LKM)
+int fr_running = 1;
+#else
+int fr_running = 0;
+#endif
+
+#if (__FreeBSD_version >= 300000) && defined(_KERNEL)
+struct callout_handle ipfr_slowtimer_ch;
+#endif
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
@@ -195,7 +214,8 @@ void
ipfilterattach(count)
int count;
{
- iplattach();
+ if (iplattach() != 0)
+ printf("IP Filter failed to attach\n");
}
# endif
@@ -215,6 +235,16 @@ int iplattach()
return EBUSY;
}
+# ifdef IPFILTER_LOG
+ ipflog_init();
+# endif
+ if (nat_init() == -1)
+ return -1;
+ if (fr_stateinit() == -1)
+ return -1;
+ if (appr_init() == -1)
+ return -1;
+
# ifdef NETBSD_PF
pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
# endif
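Review bot: The three new `return -1` statements hand -1 back through iplattach, whose other failure path returns EBUSY and whose result the SIOCFRENB handler stores as the ioctl's error, so a failed nat_init/fr_stateinit/appr_init surfaces as a meaningless errno. They also leave the earlier steps initialised: if fr_stateinit fails after nat_init succeeded, whatever nat_init set up is not torn down and a later attach attempt starts from a half-initialised state. Return a real errno (ENOMEM looks like the likely cause, but I cannot see what these functions allocate from here) and unwind the completed steps before returning. iplattach starts and ends outside this hunk.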
@@ -229,15 +259,9 @@ int iplattach()
ipl_inited = 1;
bzero((char *)frcache, sizeof(frcache));
- bzero((char *)nat_table, sizeof(nat_table));
fr_savep = fr_checkp;
fr_checkp = fr_check;
- fr_saveslowtimo = inetsw[0].pr_slowtimo;
- inetsw[0].pr_slowtimo = ipfr_slowtimer;
-# ifdef IPFILTER_LOG
- ipflog_init();
-# endif
SPL_X(s);
if (fr_pass & FR_PASS)
defpass = "pass";
@@ -253,6 +277,14 @@ int iplattach()
# else
"disabled");
# endif
+ printf("%s\n", ipfilter_version);
+#ifdef _KERNEL
+# if (__FreeBSD_version >= 300000) && defined(_KERNEL)
+ ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+# else
+ timeout(ipfr_slowtimer, NULL, hz/2);
+# endif
+#endif
return 0;
}
@@ -265,6 +297,17 @@ int ipldetach()
{
int s, i = FR_INQUE|FR_OUTQUE;
+#ifdef _KERNEL
+# if (__FreeBSD_version >= 300000)
+ untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch);
+# else
+# ifdef __sgi
+ untimeout(ipfr_slowtimer);
+# else
+ untimeout(ipfr_slowtimer, NULL);
+# endif
+# endif
+#endif
SPL_NET(s);
if (!ipl_inited)
{
@@ -274,8 +317,7 @@ int ipldetach()
}
fr_checkp = fr_savep;
- inetsw[0].pr_slowtimo = fr_saveslowtimo;
- frflush(IPL_LOGIPF, &i);
+ i = frflush(IPL_LOGIPF, i);
ipl_inited = 0;
# ifdef NETBSD_PF
@@ -300,7 +342,7 @@ int ipldetach()
static void frzerostats(data)
caddr_t data;
{
- struct friostat fio;
+ friostat_t fio;
bcopy((char *)frstats, (char *)fio.f_st,
sizeof(struct filterstats) * 2);
@@ -332,14 +374,15 @@ int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode
#else
int IPL_EXTERN(ioctl)(dev, cmd, data, mode
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
- (__FreeBSD_version >= 220000)) && defined(_KERNEL)
+ (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
, p)
struct proc *p;
#else
)
#endif
dev_t dev;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || \
+ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
u_long cmd;
#else
int cmd;
@@ -353,10 +396,16 @@ int mode;
#endif
int error = 0, unit = 0, tmp;
+#if (BSD >= 199306) && defined(_KERNEL)
+ if ((securelevel >= 2) && (mode & FWRITE))
+ return EPERM;
+#endif
#ifdef _KERNEL
unit = GET_MINOR(dev);
if ((IPL_LOGMAX < unit) || (unit < 0))
return ENXIO;
+#else
+ unit = dev;
#endif
SPL_NET(s);
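Review bot: The securelevel gate deserves a comment stating its intent, since it is the only place the ioctl refuses configuration changes on a sealed system: `/* Once securelevel >= 2 refuse every ioctl on a descriptor opened for writing, so the filter configuration cannot be altered after the system is sealed. */`. Because the test keys on the open mode rather than on the command, a tool that opens the device read-write merely to query statistics is also refused at securelevel 2; that may be intended, but it is worth saying in the comment. The correctness of the gate relies on every state-changing command below still checking `mode & FWRITE`, which I cannot verify from this hunk.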
@@ -387,10 +436,15 @@ int mode;
error = EPERM;
else {
IRCOPY(data, (caddr_t)&enable, sizeof(enable));
- if (enable)
+ if (enable) {
error = iplattach();
- else
+ if (error == 0)
+ fr_running = 1;
+ } else {
error = ipldetach();
+ if (error == 0)
+ fr_running = 0;
+ }
}
break;
}
@@ -448,6 +502,21 @@ int mode;
fio.f_active = fr_active;
fio.f_froute[0] = ipl_frouteok[0];
fio.f_froute[1] = ipl_frouteok[1];
+ fio.f_running = fr_running;
+ fio.f_groups[0][0] = ipfgroups[0][0];
+ fio.f_groups[0][1] = ipfgroups[0][1];
+ fio.f_groups[1][0] = ipfgroups[1][0];
+ fio.f_groups[1][1] = ipfgroups[1][1];
+ fio.f_groups[2][0] = ipfgroups[2][0];
+ fio.f_groups[2][1] = ipfgroups[2][1];
+#ifdef IPFILTER_LOG
+ fio.f_logging = 1;
+#else
+ fio.f_logging = 0;
+#endif
+ fio.f_defpass = fr_pass;
+ strncpy(fio.f_version, ipfilter_version,
+ sizeof(fio.f_version));
IWCOPY((caddr_t)&fio, data, sizeof(fio));
break;
}
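Review bot: `strncpy(fio.f_version, ipfilter_version, sizeof(fio.f_version))` does not terminate f_version when ipfilter_version is at least as long as the field, and the struct is then copied out whole, so a user-space reader printing it as a string can run off the end of the field. Add `fio.f_version[sizeof(fio.f_version) - 1] = '\0';` after the strncpy. The f_groups pointers copied just above are kernel addresses; that matches how showgroups consumes them through kmemcpy, but a one-line comment saying they are only meaningful to a kmem reader would help.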
@@ -462,7 +531,7 @@ int mode;
error = EPERM;
else {
IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
- frflush(unit, &tmp);
+ tmp = frflush(unit, tmp);
IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
}
break;
@@ -505,37 +574,62 @@ int mode;
}
-static void frsync()
+void frsync()
{
#ifdef _KERNEL
- struct ifnet *ifp;
+ register frentry_t *f;
+ register struct ifnet *ifp;
-# if defined(__OpenBSD__) || (NetBSD >= 199511)
+# if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
+ (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
+# if (NetBSD >= 199905) || defined(__OpenBSD__)
for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
+# else
+ for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next)
+# endif
# else
for (ifp = ifnet; ifp; ifp = ifp->if_next)
# endif
ip_natsync(ifp);
+
+ WRITE_ENTER(&ipf_mutex);
+ for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == (void *)-1)
+ f->fr_ifa = GETUNIT(f->fr_ifname);
+ for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == (void *)-1)
+ f->fr_ifa = GETUNIT(f->fr_ifname);
+ for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == (void *)-1)
+ f->fr_ifa = GETUNIT(f->fr_ifname);
+ for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == (void *)-1)
+ f->fr_ifa = GETUNIT(f->fr_ifname);
+ RWLOCK_EXIT(&ipf_mutex);
#endif
}
-static void fixskip(listp, rp, addremove)
-frentry_t **listp, *rp;
-int addremove;
+void fr_forgetifp(ifp)
+void *ifp;
{
- frentry_t *fp;
- int rules = 0, rn = 0;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
- ;
-
- if (!fp)
- return;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
- if (fp->fr_skip && (rn + fp->fr_skip >= rules))
- fp->fr_skip += addremove;
+ register frentry_t *f;
+
+ WRITE_ENTER(&ipf_mutex);
+ for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ RWLOCK_EXIT(&ipf_mutex);
+ ip_natsync(ifp);
}
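Review bot: fr_forgetifp only walks the `[fr_active]` set of each list, so rules in the inactive set that reference the departing interface keep their fr_ifa pointer and become live, pointing at freed memory, on the next set swap; frsync has the same asymmetry when re-resolving `(void *)-1` entries. The commit also introduces fr_oifa in frrequest but neither function clears or re-resolves it. Both sets and both pointers should be covered, which is easier to read with a small helper than with eight more copies of the loop; the sketch below shows fr_forgetifp, and frsync would use the same shape with the inverse condition and GETUNIT.

```c
/* Clear every reference to ifp in one rule list. */
static void fr_forgetifp_list(f, ifp)
frentry_t *f;
void *ifp;
{
	for (; f != NULL; f = f->fr_next) {
		if (f->fr_ifa == ifp)
			f->fr_ifa = (void *)-1;
#if BSD >= 199306
		if (f->fr_oifa == ifp)
			f->fr_oifa = (void *)-1;
#endif
	}
}

void fr_forgetifp(ifp)
void *ifp;
{
	int set;

	WRITE_ENTER(&ipf_mutex);
	for (set = 0; set < 2; set++) {
		fr_forgetifp_list(ipacct[0][set], ifp);
		fr_forgetifp_list(ipacct[1][set], ifp);
		fr_forgetifp_list(ipfilter[0][set], ifp);
		fr_forgetifp_list(ipfilter[1][set], ifp);
	}
	RWLOCK_EXIT(&ipf_mutex);
	ip_natsync(ifp);
}
```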
@@ -554,20 +648,22 @@ caddr_t data;
frentry_t frd;
frdest_t *fdp;
frgroup_t *fg = NULL;
- int error = 0, in, group;
+ int error = 0, in;
+ u_int group;
fp = &frd;
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
+ fp->fr_ref = 0;
/*
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
- if (fp->fr_grhead &&
- fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL))
+ if ((req != SIOCZRLST) && fp->fr_grhead &&
+ fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
return EEXIST;
- if (fp->fr_group &&
- !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL))
+ if ((req != SIOCZRLST) && fp->fr_group &&
+ !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
return ESRCH;
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
@@ -594,6 +690,13 @@ caddr_t data;
if (!fp->fr_ifa)
fp->fr_ifa = (void *)-1;
}
+#if BSD >= 199306
+ if (*fp->fr_oifname) {
+ fp->fr_oifa = GETUNIT(fp->fr_oifname);
+ if (!fp->fr_oifa)
+ fp->fr_oifa = (void *)-1;
+ }
+#endif
fdp = &fp->fr_dif;
fp->fr_flags &= ~FR_DUP;
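Review bot: `GETUNIT(fp->fr_oifname)` is handed a name copied straight from userland, and nothing in the visible code guarantees it is NUL-terminated within its IFNAMSIZ bytes (the existing fr_ifname path just above has the same property). A name that fills the whole array makes the interface lookup's string compare run on into the following struct fields. Terminating both buffers before use, `fp->fr_ifname[IFNAMSIZ - 1] = '\0'; fp->fr_oifname[IFNAMSIZ - 1] = '\0';`, costs nothing and keeps the lookup bounded. The enclosing function starts before this hunk.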
@@ -655,8 +758,8 @@ caddr_t data;
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
if (f->fr_grhead)
- fr_delgroup(f->fr_grhead, fp->fr_flags, unit,
- set);
+ fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
+ unit, set);
fixskip(fprev, f, -1);
*ftail = f->fr_next;
KFREE(f);
@@ -667,7 +770,7 @@ caddr_t data;
else {
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
- KMALLOC(f, frentry_t *, sizeof(*f));
+ KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
fg->fg_head->fr_ref++;
@@ -693,33 +796,33 @@ caddr_t data;
/*
* routines below for saving IP headers to buffer
*/
-#ifdef __sgi
-# ifdef _KERNEL
+# ifdef __sgi
+# ifdef _KERNEL
int IPL_EXTERN(open)(dev_t *pdev, int flags, int devtype, cred_t *cp)
-# else
+# else
int IPL_EXTERN(open)(dev_t dev, int flags)
-# endif
-#else
+# endif
+# else
int IPL_EXTERN(open)(dev, flags
-# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
- (__FreeBSD_version >= 220000)) && defined(_KERNEL)
+# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
+ (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
, devtype, p)
int devtype;
struct proc *p;
-# else
+# else
)
-# endif
+# endif
dev_t dev;
int flags;
-#endif /* __sgi */
+# endif /* __sgi */
{
-#if defined(__sgi) && defined(_KERNEL)
+# if defined(__sgi) && defined(_KERNEL)
u_int min = geteminor(*pdev);
-#else
+# else
u_int min = GET_MINOR(dev);
-#endif
+# endif
- if (2 < min)
+ if (IPL_LOGMAX < min)
min = ENXIO;
else
min = 0;
@@ -727,25 +830,25 @@ int flags;
}
-#ifdef __sgi
+# ifdef __sgi
int IPL_EXTERN(close)(dev_t dev, int flags, int devtype, cred_t *cp)
#else
int IPL_EXTERN(close)(dev, flags
-# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
- (__FreeBSD_version >= 220000)) && defined(_KERNEL)
+# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
+ (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
, devtype, p)
int devtype;
struct proc *p;
-# else
+# else
)
-# endif
+# endif
dev_t dev;
int flags;
-#endif /* __sgi */
+# endif /* __sgi */
{
u_int min = GET_MINOR(dev);
- if (2 < min)
+ if (IPL_LOGMAX < min)
min = ENXIO;
else
min = 0;
@@ -758,9 +861,9 @@ int flags;
* called during packet processing and cause an inconsistancy to appear in
* the filter lists.
*/
-#ifdef __sgi
+# ifdef __sgi
int IPL_EXTERN(read)(dev_t dev, uio_t *uio, cred_t *crp)
-#else
+# else
# if BSD >= 199306
int IPL_EXTERN(read)(dev, uio, ioflag)
int ioflag;
@@ -769,13 +872,13 @@ int IPL_EXTERN(read)(dev, uio)
# endif
dev_t dev;
register struct uio *uio;
-#endif /* __sgi */
+# endif /* __sgi */
{
-# ifdef IPFILTER_LOG
+# ifdef IPFILTER_LOG
return ipflog_read(GET_MINOR(dev), uio);
-# else
+# else
return ENXIO;
-# endif
+# endif
}
@@ -783,55 +886,72 @@ register struct uio *uio;
* send_reset - this could conceivably be a call to tcp_respond(), but that
* requires a large amount of setting up and isn't any more efficient.
*/
-int send_reset(ti)
-struct tcpiphdr *ti;
+int send_reset(fin, oip)
+fr_info_t *fin;
+struct ip *oip;
{
+ struct tcphdr *tcp, *tcp2;
struct tcpiphdr *tp;
- struct tcphdr *tcp;
struct mbuf *m;
- int tlen = 0, err;
+ int tlen = 0;
ip_t *ip;
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
- struct route ro;
-# endif
- if (ti->ti_flags & TH_RST)
+ tcp = (struct tcphdr *)fin->fin_dp;
+ if (tcp->th_flags & TH_RST)
return -1; /* feedback loop */
# if (BSD < 199306) || defined(__sgi)
m = m_get(M_DONTWAIT, MT_HEADER);
# else
m = m_gethdr(M_DONTWAIT, MT_HEADER);
- m->m_data += max_linkhdr;
# endif
if (m == NULL)
+ return ENOBUFS;
+ if (m == NULL)
return -1;
- if (ti->ti_flags & TH_SYN)
+ if (tcp->th_flags & TH_SYN)
tlen = 1;
- m->m_len = sizeof (struct tcpiphdr);
+ m->m_len = sizeof(*tcp2) + sizeof(*ip);
# if BSD >= 199306
- m->m_pkthdr.len = sizeof (struct tcpiphdr);
+ m->m_data += max_linkhdr;
+ m->m_pkthdr.len = m->m_len;
m->m_pkthdr.rcvif = (struct ifnet *)0;
# endif
bzero(mtod(m, char *), sizeof(struct tcpiphdr));
ip = mtod(m, struct ip *);
tp = mtod(m, struct tcpiphdr *);
- tcp = (struct tcphdr *)((char *)ip + sizeof(struct ip));
-
- ip->ip_src.s_addr = ti->ti_dst.s_addr;
- ip->ip_dst.s_addr = ti->ti_src.s_addr;
- tcp->th_dport = ti->ti_sport;
- tcp->th_sport = ti->ti_dport;
- tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
- tcp->th_off = sizeof(struct tcphdr) >> 2;
- tcp->th_flags = TH_RST|TH_ACK;
- tp->ti_pr = ((struct ip *)ti)->ip_p;
+ tcp2 = (struct tcphdr *)((char *)ip + sizeof(*ip));
+
+ ip->ip_src.s_addr = oip->ip_dst.s_addr;
+ ip->ip_dst.s_addr = oip->ip_src.s_addr;
+ tcp2->th_dport = tcp->th_sport;
+ tcp2->th_sport = tcp->th_dport;
+ tcp2->th_ack = ntohl(tcp->th_seq);
+ tcp2->th_ack += tlen;
+ tcp2->th_ack = htonl(tcp2->th_ack);
+ tcp2->th_off = sizeof(*tcp2) >> 2;
+ tcp2->th_flags = TH_RST|TH_ACK;
+ tp->ti_pr = oip->ip_p;
tp->ti_len = htons(sizeof(struct tcphdr));
- tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr));
+ tcp2->th_sum = in_cksum(m, sizeof(*ip) + sizeof(*tcp2));
+
+ ip->ip_tos = oip->ip_tos;
+ ip->ip_p = oip->ip_p;
+ ip->ip_len = sizeof(*ip) + sizeof(*tcp2);
+
+ return send_ip(m, ip);
+}
+
+
+static int send_ip(m, ip)
+struct mbuf *m;
+ip_t *ip;
+{
+# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)) || \
+ (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802))
+ struct route ro;
+# endif
- ip->ip_tos = ((struct ip *)ti)->ip_tos;
- ip->ip_p = ((struct ip *)ti)->ip_p;
- ip->ip_len = sizeof (struct tcpiphdr);
# if (BSD < 199306) || defined(__sgi)
ip->ip_ttl = tcp_ttl;
# else
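Review bot: The two consecutive `if (m == NULL)` tests make the `return -1` branch dead code, and the surviving `return ENOBUFS` returns a positive errno where the `TH_RST` feedback check above returns -1, so any caller testing for a negative result will treat allocation failure as success; pick one convention. Separately, the reply is always `TH_RST|TH_ACK` with a zero sequence number (left by the bzero) and an ACK of seq + 1 only for SYN, which follows RFC 793 §3.4 only for a SYN without ACK; for a segment carrying ACK the reset should use `seq = th_ack` with flags `TH_RST` alone, and for a data segment the ACK should cover the payload length, otherwise the peer's in-window check discards the reset. That behaviour predates the commit, but the rewritten ack computation is the natural place to fix it. The function also relies on the caller having verified that sizeof(struct tcphdr) bytes are present at fin_dp; a comment saying so would help.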
@@ -839,17 +959,91 @@ struct tcpiphdr *ti;
# endif
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+ {
+ int err;
+
bzero((char *)&ro, sizeof(ro));
err = ip_output(m, (struct mbuf *)0, &ro, 0, 0);
if (ro.ro_rt)
RTFREE(ro.ro_rt);
+ return err;
+ }
# else
/*
* extra 0 in case of multicast
*/
- err = ip_output(m, (struct mbuf *)0, 0, 0, 0);
+# if _BSDI_VERSION >= 199802
+ return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL);
+# else
+ return ip_output(m, (struct mbuf *)0, 0, 0, 0);
+# endif
# endif
- return err;
+}
+
+
+int send_icmp_err(oip, type, code, ifp, dst)
+ip_t *oip;
+int type, code;
+void *ifp;
+struct in_addr dst;
+{
+ struct icmp *icmp;
+ struct mbuf *m;
+ ip_t *nip;
+
+# if (BSD < 199306) || defined(__sgi)
+ m = m_get(M_DONTWAIT, MT_HEADER);
+# else
+ m = m_gethdr(M_DONTWAIT, MT_HEADER);
+# endif
+ if (m == NULL)
+ return ENOBUFS;
+ m->m_len = sizeof(*nip) + sizeof(*icmp) + 8;
+# if BSD >= 199306
+ m->m_data += max_linkhdr;
+ m->m_pkthdr.len = sizeof(*nip) + sizeof(*icmp) + 8;
+ m->m_pkthdr.rcvif = (struct ifnet *)0;
+# endif
+
+ bzero(mtod(m, char *), (size_t)sizeof(*nip) + sizeof(*icmp) + 8);
+ nip = mtod(m, ip_t *);
+ icmp = (struct icmp *)(nip + 1);
+
+ nip->ip_v = IPVERSION;
+ nip->ip_hl = (sizeof(*nip) >> 2);
+ nip->ip_p = IPPROTO_ICMP;
+ nip->ip_id = oip->ip_id;
+ nip->ip_sum = 0;
+ nip->ip_ttl = 60;
+ nip->ip_tos = oip->ip_tos;
+ nip->ip_len = sizeof(*nip) + sizeof(*icmp) + 8;
+ if (dst.s_addr == 0) {
+ if (fr_ifpaddr(ifp, &dst) == -1)
+ return -1;
+ dst.s_addr = htonl(dst.s_addr);
+ }
+ nip->ip_src = dst;
+ nip->ip_dst = oip->ip_src;
+
+ icmp->icmp_type = type;
+ icmp->icmp_code = code;
+ icmp->icmp_cksum = 0;
+ bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip));
+ bcopy((char *)oip + (oip->ip_hl << 2),
+ (char *)&icmp->icmp_ip + sizeof(*oip), 8); /* 64 bits */
+# ifndef sparc
+ {
+ register u_short __iplen, __ipoff;
+ ip_t *ip = &icmp->icmp_ip;
+
+ __iplen = ip->ip_len;
+ __ipoff = ip->ip_off;
+ ip->ip_len = htons(__iplen);
+ ip->ip_off = htons(__ipoff);
+ }
+# endif
+ icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8);
+ return send_ip(m, nip);
}
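Review bot: send_icmp_err builds an error in reply to whatever oip it is given with no check that the offending packet is not itself an ICMP error, is a first fragment, and did not come from a broadcast or multicast source; unless the caller already filters these, a forged ICMP error can be reflected back (RFC 1122 §3.2.2 forbids replying to ICMP errors). The 8-byte copy at `bcopy((char *)oip + (oip->ip_hl << 2), ...)` also assumes the original packet has at least 8 bytes past its IP header, and since fin is not passed in there is no way to check fin_dlen here, so a short packet puts whatever follows it in the mbuf onto the wire. I would pass fin (or the available length) and return -1 when `oip->ip_p == IPPROTO_ICMP` and the type is an error, or when fewer than 8 bytes of payload are present. Note that `nip->ip_ttl = 60` is dead: send_ip, which this function calls last, assigns ip->ip_ttl unconditionally.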
@@ -865,7 +1059,8 @@ void
# endif
iplinit()
{
- (void) iplattach();
+ if (iplattach() != 0)
+ printf("IP Filter failed to attach\n");
ip_init();
}
# endif /* ! __NetBSD__ */
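Review bot: When iplattach() fails, iplinit now prints a message and then continues into ip_init() as if the filter were in place, which for a packet filter is a fail-open condition: the host comes up with no rules enforced and nothing but a console line to say so. If the failure is recoverable later the message should at least carry the error, e.g. `printf("IP Filter failed to attach: %d\n", err);`; if it is not, panic() at boot is the safer default for a firewall. The surrounding #if/#endif guards start outside the hunk.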
@@ -882,7 +1077,7 @@ register struct mbuf *m0;
}
-void ipfr_fastroute(m0, fin, fdp)
+int ipfr_fastroute(m0, fin, fdp)
struct mbuf *m0;
fr_info_t *fin;
frdest_t *fdp;
@@ -890,12 +1085,13 @@ frdest_t *fdp;
register struct ip *ip, *mhip;
register struct mbuf *m = m0;
register struct route *ro;
- struct ifnet *ifp = fdp->fd_ifp;
- int len, off, error = 0;
- int hlen = fin->fin_hlen;
- struct route iproute;
+ int len, off, error = 0, hlen;
struct sockaddr_in *dst;
+ struct route iproute;
+ struct ifnet *ifp;
+ frentry_t *fr;
+ hlen = fin->fin_hlen;
ip = mtod(m0, struct ip *);
/*
* Route packet.
@@ -904,13 +1100,22 @@ frdest_t *fdp;
bzero((caddr_t)ro, sizeof (*ro));
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
- dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
+
+ fr = fin->fin_fr;
+ ifp = fdp->fd_ifp;
+ /*
+ * In case we're here due to "to <if>" being used with "keep state",
+ * check that we're going in the correct direction.
+ */
+ if ((fr != NULL) && (ifp != NULL) && (fin->fin_rev != 0) &&
+ (fdp == &fr->fr_tif))
+ return -1;
# ifdef __bsdi__
dst->sin_len = sizeof(*dst);
# endif
# if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
!defined(__OpenBSD__)
-# ifdef RTF_CLONING
+# ifdef RTF_CLONING
rtalloc_ign(ro, RTF_CLONING);
# else
rtalloc_ign(ro, RTF_PRCLONING);
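Review bot: The removed `dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;` has no replacement anywhere in this hunk, so after the bzero the route lookup at rtalloc_ign() runs on a destination of 0.0.0.0 unless the assignment was moved further down outside the visible lines; if it was not, every fastrouted packet resolves to the default route. Restoring it after the new direction check, `dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;`, keeps the existing semantics. The new `return -1` on the reverse-direction path also returns without freeing m0; that is fine only if the caller treats a nonzero return as "mbuf still owned by caller", which should be stated in a comment since the function previously returned void. ipfr_fastroute continues past this hunk.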
@@ -939,10 +1144,19 @@ frdest_t *fdp;
/*
* For input packets which are being "fastrouted", they won't
* go back through output filtering and miss their chance to get
- * NAT'd.
+ * NAT'd and counted.
*/
- (void) ip_natout(ip, hlen, fin);
- if (fin->fin_out)
+ fin->fin_ifp = ifp;
+ if (fin->fin_out == 0) {
+ fin->fin_out = 1;
+ if ((fin->fin_fr = ipacct[1][fr_active]) &&
+ (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
+ ATOMIC_INC(frstats[1].fr_acct);
+ }
+ fin->fin_fr = NULL;
+ (void) fr_checkstate(ip, fin);
+ (void) ip_natout(ip, fin);
+ } else
ip->ip_sum = 0;
/*
* If small enough for interface, can just send directly.
@@ -988,7 +1202,11 @@ frdest_t *fdp;
m0 = m;
mhlen = sizeof (struct ip);
for (off = hlen + len; off < ip->ip_len; off += len) {
+# ifdef MGETHDR
+ MGETHDR(m, M_DONTWAIT, MT_HEADER);
+# else
MGET(m, M_DONTWAIT, MT_HEADER);
+# endif
if (m == 0) {
error = ENOBUFS;
goto bad;
@@ -1057,10 +1275,9 @@ done:
else
ipl_frouteok[1]++;
- if (ro->ro_rt) {
+ if (ro->ro_rt)
RTFREE(ro->ro_rt);
- }
- return;
+ return 0;
bad:
m_freem(m);
goto done;
@@ -1068,53 +1285,50 @@ bad:
#else /* #ifdef _KERNEL */
-#ifdef __sgi
+# ifdef __sgi
static int no_output __P((struct ifnet *ifp, struct mbuf *m,
struct sockaddr *s))
-#else
+# else
static int no_output __P((struct ifnet *ifp, struct mbuf *m,
struct sockaddr *s, struct rtentry *rt))
-#endif
+# endif
{
return 0;
}
# ifdef __STDC__
-#ifdef __sgi
+# ifdef __sgi
static int write_output __P((struct ifnet *ifp, struct mbuf *m,
struct sockaddr *s))
-#else
+# else
static int write_output __P((struct ifnet *ifp, struct mbuf *m,
struct sockaddr *s, struct rtentry *rt))
-#endif
+# endif
{
-# if !(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
ip_t *ip = (ip_t *)m;
-# endif
# else
static int write_output(ifp, ip)
struct ifnet *ifp;
ip_t *ip;
{
# endif
- FILE *fp;
char fname[32];
+ int fd;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
sprintf(fname, "/tmp/%s", ifp->if_xname);
- if ((fp = fopen(fname, "a"))) {
- fclose(fp);
- }
# else
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
- if ((fp = fopen(fname, "a"))) {
- fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
- fclose(fp);
- }
# endif
+ fd = open(fname, O_WRONLY|O_APPEND);
+ if (fd == -1) {
+ perror("open");
+ return -1;
+ }
+ write(fd, (char *)ip, ntohs(ip->ip_len));
+ close(fd);
return 0;
}
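Review bot: write_output opens a predictable `/tmp/<ifname>` path with `open(fname, O_WRONLY|O_APPEND)`, which follows symlinks, so in this user-space test build any local user who pre-creates a symlink at that name presumably gets the packet data appended to a file of their choosing; the O_EXCL create in init_ifp only makes the earlier create fail, it does not stop this append. Adding O_NOFOLLOW where the platform has it, or better, writing into a per-run directory from mkdtemp(), closes that. The return value of write() is also discarded; a short write should at least be reported. The sprintf into the 32-byte fname fits for IFNAMSIZ names, but snprintf would make that explicit.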
@@ -1177,30 +1391,37 @@ char *name;
void init_ifp()
{
- FILE *fp;
struct ifnet *ifp, **ifa;
char fname[32];
+ int fd;
+
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname);
- if ((fp = fopen(fname, "w")))
- fclose(fp);
+ fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
+ if (fd == -1)
+ perror("open");
+ else
+ close(fd);
}
# else
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
- if ((fp = fopen(fname, "w")))
- fclose(fp);
+ fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
+ if (fd == -1)
+ perror("open");
+ else
+ close(fd);
}
# endif
}
-void ipfr_fastroute(ip, fin, fdp)
+int ipfr_fastroute(ip, fin, fdp)
ip_t *ip;
fr_info_t *fin;
frdest_t *fdp;
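Review bot: The `O_CREAT|O_EXCL|O_TRUNC` open in init_ifp refuses to reuse a leftover `/tmp/<ifname>` from a previous run, but on EEXIST it only calls perror() and carries on, so the interface is still wired to write_output and later appends go to the pre-existing file — the O_EXCL protection is reported and then bypassed. Either treat the failure as fatal for that interface (leave if_output untouched) or create the per-run files under a directory from mkdtemp(), which removes the predictable name entirely; O_TRUNC is also redundant with O_EXCL. The sprintf into fname[32] is within bounds for IFNAMSIZ names but snprintf would document that.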
@@ -1208,7 +1429,7 @@ frdest_t *fdp;
struct ifnet *ifp = fdp->fd_ifp;
if (!ifp)
- return; /* no routing table out here */
+ return 0; /* no routing table out here */
ip->ip_len = htons((u_short)ip->ip_len);
ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
@@ -1218,6 +1439,7 @@ frdest_t *fdp;
#else
(*ifp->if_output)(ifp, (void *)ip, NULL, 0);
#endif
+ return 0;
}
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index edbd685..269cbad 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $
+ * $Id: ip_fil.h,v 2.3.2.4 1999/10/15 13:42:37 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -21,11 +21,11 @@
#define IPAUTH_NAME "/dev/ipauth"
#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
#if defined(KERNEL) && !defined(_KERNEL)
-#define _KERNEL
+# define _KERNEL
#endif
#ifndef __P
@@ -37,45 +37,45 @@
#endif
#if defined(__STDC__) || defined(__GNUC__)
-#define SIOCADAFR _IOW('r', 60, struct frentry)
-#define SIOCRMAFR _IOW('r', 61, struct frentry)
-#define SIOCSETFF _IOW('r', 62, u_int)
-#define SIOCGETFF _IOR('r', 63, u_int)
-#define SIOCGETFS _IOR('r', 64, struct friostat)
-#define SIOCIPFFL _IOWR('r', 65, int)
-#define SIOCIPFFB _IOR('r', 66, int)
-#define SIOCADIFR _IOW('r', 67, struct frentry)
-#define SIOCRMIFR _IOW('r', 68, struct frentry)
-#define SIOCSWAPA _IOR('r', 69, u_int)
-#define SIOCINAFR _IOW('r', 70, struct frentry)
-#define SIOCINIFR _IOW('r', 71, struct frentry)
-#define SIOCFRENB _IOW('r', 72, u_int)
-#define SIOCFRSYN _IOW('r', 73, u_int)
-#define SIOCFRZST _IOWR('r', 74, struct friostat)
-#define SIOCZRLST _IOWR('r', 75, struct frentry)
-#define SIOCAUTHW _IOWR('r', 76, struct fr_info)
-#define SIOCAUTHR _IOWR('r', 77, struct fr_info)
-#define SIOCATHST _IOWR('r', 78, struct fr_authstat)
+# define SIOCADAFR _IOW('r', 60, struct frentry)
+# define SIOCRMAFR _IOW('r', 61, struct frentry)
+# define SIOCSETFF _IOW('r', 62, u_int)
+# define SIOCGETFF _IOR('r', 63, u_int)
+# define SIOCGETFS _IOR('r', 64, struct friostat)
+# define SIOCIPFFL _IOWR('r', 65, int)
+# define SIOCIPFFB _IOR('r', 66, int)
+# define SIOCADIFR _IOW('r', 67, struct frentry)
+# define SIOCRMIFR _IOW('r', 68, struct frentry)
+# define SIOCSWAPA _IOR('r', 69, u_int)
+# define SIOCINAFR _IOW('r', 70, struct frentry)
+# define SIOCINIFR _IOW('r', 71, struct frentry)
+# define SIOCFRENB _IOW('r', 72, u_int)
+# define SIOCFRSYN _IOW('r', 73, u_int)
+# define SIOCFRZST _IOWR('r', 74, struct friostat)
+# define SIOCZRLST _IOWR('r', 75, struct frentry)
+# define SIOCAUTHW _IOWR('r', 76, struct fr_info)
+# define SIOCAUTHR _IOWR('r', 77, struct fr_info)
+# define SIOCATHST _IOWR('r', 78, struct fr_authstat)
#else
-#define SIOCADAFR _IOW(r, 60, struct frentry)
-#define SIOCRMAFR _IOW(r, 61, struct frentry)
-#define SIOCSETFF _IOW(r, 62, u_int)
-#define SIOCGETFF _IOR(r, 63, u_int)
-#define SIOCGETFS _IOR(r, 64, struct friostat)
-#define SIOCIPFFL _IOWR(r, 65, int)
-#define SIOCIPFFB _IOR(r, 66, int)
-#define SIOCADIFR _IOW(r, 67, struct frentry)
-#define SIOCRMIFR _IOW(r, 68, struct frentry)
-#define SIOCSWAPA _IOR(r, 69, u_int)
-#define SIOCINAFR _IOW(r, 70, struct frentry)
-#define SIOCINIFR _IOW(r, 71, struct frentry)
-#define SIOCFRENB _IOW(r, 72, u_int)
-#define SIOCFRSYN _IOW(r, 73, u_int)
-#define SIOCFRZST _IOWR(r, 74, struct friostat)
-#define SIOCZRLST _IOWR(r, 75, struct frentry)
-#define SIOCAUTHW _IOWR(r, 76, struct fr_info)
-#define SIOCAUTHR _IOWR(r, 77, struct fr_info)
-#define SIOCATHST _IOWR(r, 78, struct fr_authstat)
+# define SIOCADAFR _IOW(r, 60, struct frentry)
+# define SIOCRMAFR _IOW(r, 61, struct frentry)
+# define SIOCSETFF _IOW(r, 62, u_int)
+# define SIOCGETFF _IOR(r, 63, u_int)
+# define SIOCGETFS _IOR(r, 64, struct friostat)
+# define SIOCIPFFL _IOWR(r, 65, int)
+# define SIOCIPFFB _IOR(r, 66, int)
+# define SIOCADIFR _IOW(r, 67, struct frentry)
+# define SIOCRMIFR _IOW(r, 68, struct frentry)
+# define SIOCSWAPA _IOR(r, 69, u_int)
+# define SIOCINAFR _IOW(r, 70, struct frentry)
+# define SIOCINIFR _IOW(r, 71, struct frentry)
+# define SIOCFRENB _IOW(r, 72, u_int)
+# define SIOCFRSYN _IOW(r, 73, u_int)
+# define SIOCFRZST _IOWR(r, 74, struct friostat)
+# define SIOCZRLST _IOWR(r, 75, struct frentry)
+# define SIOCAUTHW _IOWR(r, 76, struct fr_info)
+# define SIOCAUTHR _IOWR(r, 77, struct fr_info)
+# define SIOCATHST _IOWR(r, 78, struct fr_authstat)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
@@ -84,47 +84,61 @@
typedef struct fr_ip {
u_char fi_v:4; /* IP version */
u_char fi_fl:4; /* packet flags */
- u_char fi_tos;
- u_char fi_ttl;
- u_char fi_p;
- struct in_addr fi_src;
- struct in_addr fi_dst;
+ u_char fi_tos; /* IP packet TOS */
+ u_char fi_ttl; /* IP packet TTL */
+ u_char fi_p; /* IP packet protocol */
+ struct in_addr fi_src; /* source address from packet */
+ struct in_addr fi_dst; /* destination address from packet */
u_32_t fi_optmsk; /* bitmask composed from IP options */
u_short fi_secmsk; /* bitmask composed from IP security options */
- u_short fi_auth;
+ u_short fi_auth; /* authentication code from IP sec. options */
} fr_ip_t;
#define FI_OPTIONS (FF_OPTIONS >> 24)
#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
#define FI_FRAG (FF_FRAG >> 24)
#define FI_SHORT (FF_SHORT >> 24)
+#define FI_CMP (FI_OPTIONS|FI_TCPUDP|FI_SHORT)
+
+/*
+ * These are both used by the state and NAT code to indicate that one port or
+ * the other should be treated as a wildcard.
+ */
+#define FI_W_SPORT 0x00000100
+#define FI_W_DPORT 0x00000200
typedef struct fr_info {
- struct fr_ip fin_fi;
- u_short fin_data[2];
- u_short fin_out;
- u_short fin_hlen;
- u_char fin_tcpf;
- u_char fin_icode; /* From here on is packet specific */
- u_short fin_rule;
- u_short fin_group;
- u_short fin_dlen;
- u_short fin_id;
- void *fin_ifp;
- struct frentry *fin_fr;
+ void *fin_ifp; /* interface packet is `on' */
+ struct fr_ip fin_fi; /* IP Packet summary */
+ u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */
+ u_char fin_out; /* in or out ? 1 == out, 0 == in */
+ u_char fin_rev; /* state only: 1 = reverse */
+ u_short fin_hlen; /* length of IP header in bytes */
+ u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
+ /* From here on is packet specific */
+ u_char fin_icode; /* ICMP error to return */
+ u_short fin_rule; /* rule # last matched */
+ u_short fin_group; /* group number, -1 for none */
+ struct frentry *fin_fr; /* last matching rule */
char *fin_dp; /* start of data past IP header */
- void *fin_mp;
+ u_short fin_dlen; /* length of data portion of packet */
+ u_short fin_id; /* IP packet id field */
+ void *fin_mp; /* pointer to pointer to mbuf */
+#if SOLARIS && defined(_KERNEL)
+ void *fin_qfm; /* pointer to mblk where pkt starts */
+ void *fin_qif;
+#endif
} fr_info_t;
/*
* Size for compares on fr_info structures
*/
-#define FI_CSIZE (sizeof(struct fr_ip) + sizeof(u_short) * 4 + \
- sizeof(u_char))
+#define FI_CSIZE offsetof(fr_info_t, fin_icode)
+
/*
* Size for copying cache fr_info structure
*/
-#define FI_COPYSIZE (sizeof(fr_info_t) - sizeof(void *) * 2)
+#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
typedef struct frdest {
void *fd_ifp;
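Review bot: `FI_CSIZE` is now `offsetof(fr_info_t, fin_icode)`, and because fin_ifp was moved to the front of the struct that compare range now includes the interface pointer, so frcache comparisons become per-interface; this looks intentional but deserves a comment on the `#define`, such as `/* compare range starts at fin_ifp, so cache hits are per-interface */`. `offsetof` also requires <stddef.h> (or the kernel's equivalent) to be included before this header; the includes are outside the hunk, so verify it is in scope for every platform this file builds on. The `u_short fin_group` comment says `-1 for none`, which in a u_short is 0xffff; saying so avoids a sign-extension surprise when it is compared against an int.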
@@ -139,6 +153,9 @@ typedef struct frentry {
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
void *fr_ifa;
+#if BSD >= 199306
+ void *fr_oifa;
+#endif
/*
* These are only incremented when a packet matches this rule and
* it is the last match
@@ -164,10 +181,14 @@ typedef struct frentry {
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_32_t fr_flags; /* per-rule flags && options (see below) */
- int fr_skip; /* # of rules to skip */
+ u_short fr_skip; /* # of rules to skip */
+ u_short fr_loglevel; /* syslog log facility + priority */
int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
+#if BSD >= 199306
+ char fr_oifname[IFNAMSIZ];
+#endif
struct frdest fr_tif; /* "to" interface */
struct frdest fr_dif; /* duplicate packet interfaces */
} frentry_t;
@@ -199,6 +220,7 @@ typedef struct frentry {
#define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
+#define FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
#define FR_NOMATCH 0x00200 /* no match occured */
#define FR_ACCOUNT 0x00400 /* count packet bytes */
#define FR_KEEPFRAG 0x00800 /* keep fragment information */
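Review bot: `FR_FAKEICMP 0x00180` is not a fresh bit but `FR_RETRST|FR_RETICMP`, so any test of `fr_flags & FR_RETICMP` or `& FR_RETRST` is also true for a fake-ICMP rule, and a rule can no longer express "return both" as a distinct combination. If that aliasing is deliberate it should be written as `#define FR_FAKEICMP (FR_RETRST|FR_RETICMP)` with a comment that code must compare `fr_flags & FR_RETMASK` for equality rather than test a single bit; if not, it needs its own bit.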
@@ -213,8 +235,10 @@ typedef struct frentry {
#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
#define FR_AUTH 0x200000 /* use authentication */
#define FR_PREAUTH 0x400000 /* require preauthentication */
+#define FR_DONTCACHE 0x800000 /* don't cache the result */
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
+#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
/*
* These correspond to #define's for FI_* and are stored in fr_flags
@@ -262,6 +286,8 @@ typedef struct filterstats {
u_long fr_tcpbad; /* TCP checksum check failures */
u_long fr_pull[2]; /* good and bad pullup attempts */
#if SOLARIS
+ u_long fr_notdata; /* PROTO/PCPROTO that have no data */
+ u_long fr_nodata; /* mblks that have no data */
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */
u_long fr_drop; /* packets dropped - no info for them! */
@@ -278,8 +304,13 @@ typedef struct friostat {
struct frentry *f_acctin[2];
struct frentry *f_acctout[2];
struct frentry *f_auth;
+ struct frgroup *f_groups[3][2];
u_long f_froute[2];
- int f_active;
+ int f_active; /* 1 or 0 - active rule set */
+ int f_defpass; /* default pass - from fr_pass */
+ int f_running; /* 1 if running, else 0 */
+ int f_logging; /* 1 if enabled, else 0 */
+ char f_version[32]; /* version string */
} friostat_t;
typedef struct optlist {
@@ -305,11 +336,10 @@ typedef struct frgroup {
* structure which is then followed by any packet data.
*/
typedef struct iplog {
- u_long ipl_magic;
+ u_32_t ipl_magic;
+ u_int ipl_count;
u_long ipl_sec;
u_long ipl_usec;
- u_int ipl_len;
- u_int ipl_count;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
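Review bot: Reordering iplog_t and shrinking ipl_magic to u_32_t changes the layout of every record read from /dev/ipl, so an ipmon built against the old header will misparse the stream; a comment on the struct noting that the kernel and ipmon must be built from the same header would save a debugging session. ipl_sec and ipl_usec remain u_long, which differs between 32- and 64-bit builds, so the record is still not a portable format and should not be treated as one.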
@@ -328,19 +358,21 @@ typedef struct ipflog {
u_char fl_hlen; /* length of IP headers saved */
u_short fl_rule; /* assume never more than 64k rules, total */
u_short fl_group;
+ u_short fl_loglevel; /* syslog log level */
u_32_t fl_flags;
+ u_32_t fl_lflags;
} ipflog_t;
#ifndef ICMP_UNREACH_FILTER
-#define ICMP_UNREACH_FILTER 13
+# define ICMP_UNREACH_FILTER 13
#endif
#ifndef IPF_LOGGING
-#define IPF_LOGGING 0
+# define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
-#define IPF_DEFAULT_PASS FR_PASS
+# define IPF_DEFAULT_PASS FR_PASS
#endif
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
@@ -372,16 +404,32 @@ typedef struct ipflog {
# define CDEV_MAJOR 79
#endif
+/*
+ * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
+ * on those hooks. We don't need any special mods in non-IP Filter code
+ * with this!
+ */
+#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
+ (defined(NetBSD1_2) && NetBSD1_2 > 1)
+# if (NetBSD >= 199905)
+# define PFIL_HOOKS
+# endif
+# ifdef PFIL_HOOKS
+# define NETBSD_PF
+# endif
+#endif
+
+
#ifndef _KERNEL
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int send_reset __P((ip_t *, struct ifnet *));
extern int icmp_error __P((ip_t *, struct ifnet *));
extern int ipf_log __P((void));
-extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
+extern int ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern struct ifnet *get_unit __P((char *));
-# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
-# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
+# if defined(__NetBSD__) || defined(__OpenBSD__) || \
+ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern int iplioctl __P((dev_t, u_long, caddr_t, int));
# else
extern int iplioctl __P((dev_t, int, caddr_t, int));
@@ -390,31 +438,34 @@ extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
#else /* #ifndef _KERNEL */
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
-extern int ipfilterattach __P((int));
+extern void ipfilterattach __P((int));
# endif
extern int iplattach __P((void));
extern int ipl_enable __P((void));
extern int ipl_disable __P((void));
extern void ipflog_init __P((void));
-extern int ipflog_clear __P((int));
-extern int ipflog_read __P((int, struct uio *));
+extern int ipflog_clear __P((minor_t));
+extern int ipflog_read __P((minor_t, struct uio *));
extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
-extern int ipllog __P((int, u_long, void **, size_t *, int *, int));
+extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
# if SOLARIS
extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *,
int, qif_t *, mb_t **));
-extern int icmp_error __P((ip_t *, int, int, qif_t *,
- struct in_addr));
-extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
+extern int icmp_error __P((ip_t *, int, int, qif_t *, struct in_addr));
+# if SOLARIS2 >= 7
+extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
+# else
+extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
+# endif
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int ipfsync __P((void));
-extern int send_reset __P((ip_t *, qif_t *));
+extern int send_reset __P((fr_info_t *, ip_t *, qif_t *));
extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
fr_info_t *, frdest_t *));
-extern void copyin_mblk __P((mblk_t *, int, int, char *));
-extern void copyout_mblk __P((mblk_t *, int, int, char *));
+extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *));
+extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *));
extern int fr_qin __P((queue_t *, mblk_t *));
extern int fr_qout __P((queue_t *, mblk_t *));
# ifdef IPFILTER_LOG
@@ -426,9 +477,10 @@ extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
# ifdef linux
extern int send_reset __P((tcpiphdr_t *, struct ifnet *));
# else
-extern int send_reset __P((tcpiphdr_t *));
+extern int send_reset __P((fr_info_t *, struct ip *));
+extern int send_icmp_err __P((ip_t *, int, int, void *, struct in_addr));
# endif
-extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
+extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
# include <sys/cred.h>
@@ -445,8 +497,9 @@ extern void ipfilter_sgi_intfsync __P((void));
extern int iplidentify __P((char *));
# endif
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
- (NetBSD >= 199511)
-# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701)
+ (NetBSD >= 199511) || defined(__OpenBSD__)
+# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
+ defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
# else
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
@@ -454,19 +507,12 @@ extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *));
# else
-# if defined(__OpenBSD__)
-extern int iplioctl __P((dev_t, u_long, caddr_t, int));
-# else /* __OpenBSD__ */
-# ifndef linux
-extern int iplioctl __P((dev_t, int, caddr_t, int));
-# else
-extern int iplioctl(struct inode *, struct file *, u_int, u_long);
-# endif
-# endif /* __OpenBSD__ */
-# ifndef linux
+# ifndef linux
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
+extern int iplioctl __P((dev_t, int, caddr_t, int));
# else
+extern int iplioctl(struct inode *, struct file *, u_int, u_long);
extern int iplopen __P((struct inode *, struct file *));
extern void iplclose __P((struct inode *, struct file *));
# endif /* !linux */
@@ -484,26 +530,22 @@ extern int iplread(struct inode *, struct file *, char *, int);
# endif /* SOLARIS */
#endif /* #ifndef _KERNEL */
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods in non-IP Filter code
- * with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# define NETBSD_PF
-#endif
-
+extern void fixskip __P((frentry_t **, frentry_t *, int));
+extern int countbits __P((u_32_t));
extern int ipldetach __P((void));
-extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int));
-#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
-extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
+extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
+extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
extern u_short ipf_cksum __P((u_short *, int));
extern int fr_copytolog __P((int, char *, int));
-extern void frflush __P((int, int *));
-extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int));
-extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***));
-extern void fr_delgroup __P((u_short, u_32_t, int, int));
+extern void fr_forgetifp __P((void *));
+extern int frflush __P((minor_t, int));
+extern void frsync __P((void));
+extern frgroup_t *fr_addgroup __P((u_int, frentry_t *, minor_t, int));
+extern frgroup_t *fr_findgroup __P((u_int, u_32_t, minor_t, int, frgroup_t ***));
+extern void fr_delgroup __P((u_int, u_32_t, minor_t, int));
+extern void fr_makefrip __P((int, ip_t *, fr_info_t *));
+extern int fr_ifpaddr __P((void *, struct in_addr *));
+extern char *memstr __P((char *, char *, int, int));
extern int ipl_unreach;
extern int ipl_inited;
extern u_long ipl_frouteok[2];
@@ -511,9 +553,10 @@ extern int fr_pass;
extern int fr_flags;
extern int fr_active;
extern fr_info_t frcache[2];
+extern char ipfilter_version[];
#ifdef IPFILTER_LOG
extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
-extern int iplused[IPL_LOGMAX + 1];
+extern size_t iplused[IPL_LOGMAX + 1];
#endif
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct frgroup *ipfgroups[3][2];
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index 923f685..3f0831f 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,53 +7,62 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50:21 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.3 1999/09/18 15:03:54 darrenr Exp $";
#endif
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <string.h>
-# include <stdlib.h>
+#if defined(KERNEL) && !defined(_KERNEL)
+# define _KERNEL
#endif
+
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+#endif
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
-#include <sys/filio.h>
-#include <sys/fcntl.h>
+# include <sys/filio.h>
+# include <sys/fcntl.h>
#else
-#include <sys/ioctl.h>
+# include <sys/ioctl.h>
#endif
#include <sys/uio.h>
#ifndef linux
-#include <sys/protosw.h>
+# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(_KERNEL) && !defined(linux)
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
+# if defined(_KERNEL) && !defined(__sgi)
+# include <sys/kernel.h>
+# endif
# ifndef linux
# include <sys/mbuf.h>
# endif
#else
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
-
#include <net/if.h>
#ifdef sun
-#include <net/af.h>
+# include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef linux
-#include <netinet/ip_var.h>
+# include <netinet/ip_var.h>
#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
@@ -66,6 +75,17 @@ static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50:
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(KERNEL) || defined(_KERNEL))
+# ifndef IPFILTER_LKM
+# include <sys/libkern.h>
+# include <sys/systm.h>
+# endif
+extern struct callout_handle ipfr_slowtimer_ch;
+# endif
+#endif
+
ipfr_t *ipfr_heads[IPFT_SIZE];
ipfr_t *ipfr_nattab[IPFT_SIZE];
@@ -73,17 +93,26 @@ ipfrstat_t ipfr_stats;
int ipfr_inuse = 0,
fr_ipfrttl = 120; /* 60 seconds */
#ifdef _KERNEL
+# if SOLARIS2 >= 7
+extern timeout_id_t ipfr_timer_id;
+# else
extern int ipfr_timer_id;
+# endif
#endif
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern kmutex_t ipf_frag;
-extern kmutex_t ipf_natfrag;
-extern kmutex_t ipf_nat;
+extern KRWLOCK_T ipf_frag, ipf_natfrag, ipf_nat, ipf_mutex;
+# if SOLARIS
+extern KRWLOCK_T ipf_solaris;
+# else
+KRWLOCK_T ipf_solaris;
+# endif
+extern kmutex_t ipf_rw;
#endif
-static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **));
+static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **));
static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
+static void ipfr_delete __P((ipfr_t *));
ipfrstat_t *ipfr_fragstats()
@@ -102,10 +131,10 @@ ipfrstat_t *ipfr_fragstats()
static ipfr_t *ipfr_new(ip, fin, pass, table)
ip_t *ip;
fr_info_t *fin;
-int pass;
+u_int pass;
ipfr_t *table[];
{
- ipfr_t **fp, *fr, frag;
+ ipfr_t **fp, *fra, frag;
u_int idx;
frag.ipfr_p = ip->ip_p;
@@ -123,10 +152,10 @@ ipfr_t *table[];
/*
* first, make sure it isn't already there...
*/
- for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next)
- if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
+ for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next)
+ if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src,
IPFR_CMPSZ)) {
- ipfr_stats.ifs_exists++;
+ ATOMIC_INC(ipfr_stats.ifs_exists);
return NULL;
}
@@ -134,45 +163,49 @@ ipfr_t *table[];
* allocate some memory, if possible, if not, just record that we
* failed to do so.
*/
- KMALLOC(fr, ipfr_t *, sizeof(*fr));
- if (fr == NULL) {
- ipfr_stats.ifs_nomem++;
+ KMALLOC(fra, ipfr_t *);
+ if (fra == NULL) {
+ ATOMIC_INC(ipfr_stats.ifs_nomem);
return NULL;
}
+ if ((fra->ipfr_rule = fin->fin_fr) != NULL) {
+ ATOMIC_INC(fin->fin_fr->fr_ref);
+ }
+
+
/*
* Instert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field.
* Set the ttl to the default and mask out logging from "pass"
*/
- if ((fr->ipfr_next = table[idx]))
- table[idx]->ipfr_prev = fr;
- fr->ipfr_prev = NULL;
- fr->ipfr_data = NULL;
- table[idx] = fr;
- bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
- fr->ipfr_ttl = fr_ipfrttl;
- fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
+ if ((fra->ipfr_next = table[idx]))
+ table[idx]->ipfr_prev = fra;
+ fra->ipfr_prev = NULL;
+ fra->ipfr_data = NULL;
+ table[idx] = fra;
+ bcopy((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ);
+ fra->ipfr_ttl = fr_ipfrttl;
/*
* Compute the offset of the expected start of the next packet.
*/
- fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
- ipfr_stats.ifs_new++;
- ipfr_inuse++;
- return fr;
+ fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3);
+ ATOMIC_INC(ipfr_stats.ifs_new);
+ ATOMIC_INC(ipfr_inuse);
+ return fra;
}
int ipfr_newfrag(ip, fin, pass)
ip_t *ip;
fr_info_t *fin;
-int pass;
+u_int pass;
{
ipfr_t *ipf;
- MUTEX_ENTER(&ipf_frag);
+ WRITE_ENTER(&ipf_frag);
ipf = ipfr_new(ip, fin, pass, ipfr_heads);
- MUTEX_EXIT(&ipf_frag);
+ RWLOCK_EXIT(&ipf_frag);
return ipf ? 0 : -1;
}
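Review bot: The `pass` argument of ipfr_new is no longer stored anywhere in the new body — the `ipfr_pass` assignment is gone and the rule pointer `fin->fin_fr` is kept instead — yet the comment above the insert still says the function masks the logging bits out of "pass". The header keeps `u_int` in the exported prototypes, so rather than changing the interface, reword the comment to match what the code now does, e.g. `/* Link the fragment into the table; the matching rule (fin_fr) is held via ipfr_rule with a reference on fr_ref, released in ipfr_delete. */`. The `ATOMIC_INC(fin->fin_fr->fr_ref)` happens before the entry is linked, which is the right order, but it presumably relies on the rule not being freed concurrently under a different lock than ipf_frag — worth stating if that is the assumption.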
@@ -180,17 +213,18 @@ int pass;
int ipfr_nat_newfrag(ip, fin, pass, nat)
ip_t *ip;
fr_info_t *fin;
-int pass;
+u_int pass;
nat_t *nat;
{
ipfr_t *ipf;
- MUTEX_ENTER(&ipf_natfrag);
- if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) {
+ WRITE_ENTER(&ipf_natfrag);
+ ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
+ if (ipf != NULL) {
ipf->ipfr_data = nat;
nat->nat_data = ipf;
}
- MUTEX_EXIT(&ipf_natfrag);
+ RWLOCK_EXIT(&ipf_natfrag);
return ipf ? 0 : -1;
}
@@ -251,13 +285,13 @@ ipfr_t *table[];
* If we've follwed the fragments, and this is the
* last (in order), shrink expiration time.
*/
- if ((off & 0x1fff) == f->ipfr_off) {
+ if ((off & IP_OFFMASK) == f->ipfr_off) {
if (!(off & IP_MF))
f->ipfr_ttl = 1;
else
f->ipfr_off = atoff;
}
- ipfr_stats.ifs_hits++;
+ ATOMIC_INC(ipfr_stats.ifs_hits);
return f;
}
return NULL;
@@ -274,20 +308,20 @@ fr_info_t *fin;
nat_t *nat;
ipfr_t *ipf;
- MUTEX_ENTER(&ipf_natfrag);
+ READ_ENTER(&ipf_natfrag);
ipf = ipfr_lookup(ip, fin, ipfr_nattab);
- if (ipf) {
+ if (ipf != NULL) {
nat = ipf->ipfr_data;
/*
* This is the last fragment for this packet.
*/
- if (ipf->ipfr_ttl == 1) {
+ if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
nat->nat_data = NULL;
ipf->ipfr_data = NULL;
}
} else
nat = NULL;
- MUTEX_EXIT(&ipf_natfrag);
+ RWLOCK_EXIT(&ipf_natfrag);
return nat;
}
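Review bot: ipfr_nat_knownfrag now takes ipf_natfrag as a read lock but still writes through the entry it finds — `nat->nat_data = NULL; ipf->ipfr_data = NULL;` — and ipfr_lookup, which it calls, also updates `f->ipfr_ttl` and `f->ipfr_off` on every hit. Two concurrent lookups of the same fragment can therefore race on those fields where the old mutex serialised them. Unless ipfr_lookup is made side-effect free, this should remain a write lock: `WRITE_ENTER(&ipf_natfrag);`.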
@@ -295,18 +329,19 @@ fr_info_t *fin;
/*
* functional interface for normal lookups of the fragment cache
*/
-int ipfr_knownfrag(ip, fin)
+frentry_t *ipfr_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
- int ret;
- ipfr_t *ipf;
-
- MUTEX_ENTER(&ipf_frag);
- ipf = ipfr_lookup(ip, fin, ipfr_heads);
- ret = ipf ? ipf->ipfr_pass : 0;
- MUTEX_EXIT(&ipf_frag);
- return ret;
+ frentry_t *fr = NULL;
+ ipfr_t *fra;
+
+ READ_ENTER(&ipf_frag);
+ fra = ipfr_lookup(ip, fin, ipfr_heads);
+ if (fra != NULL)
+ fr = fra->ipfr_rule;
+ RWLOCK_EXIT(&ipf_frag);
+ return fr;
}
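Review bot: ipfr_knownfrag hands back `fra->ipfr_rule` after releasing ipf_frag without taking a reference on the rule. The fragment entry can expire in ipfr_slowtimer as soon as the lock is dropped, and ipfr_delete then frees the rule once `fr_ref` reaches zero, so the caller (in fil.c, not visible here) may be left holding a dangling frentry_t. Either bump the count before leaving the lock — `if (fra != NULL && (fr = fra->ipfr_rule) != NULL) ATOMIC_INC(fr->fr_ref);` — and have the caller drop it, or document that the pointer is only safe while the rule is still on the active list. The read-lock-with-writes concern from ipfr_nat_knownfrag applies here too, since ipfr_lookup modifies `ipfr_ttl`/`ipfr_off`.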
@@ -319,13 +354,32 @@ void *nat;
ipfr_t *fr;
int idx;
- MUTEX_ENTER(&ipf_natfrag);
+ WRITE_ENTER(&ipf_natfrag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next)
if (fr->ipfr_data == nat)
fr->ipfr_data = NULL;
- MUTEX_EXIT(&ipf_natfrag);
+ RWLOCK_EXIT(&ipf_natfrag);
+}
+
+
+static void ipfr_delete(fra)
+ipfr_t *fra;
+{
+ frentry_t *fr;
+
+ fr = fra->ipfr_rule;
+ if (fr != NULL) {
+ ATOMIC_DEC(fr->fr_ref);
+ if (fr->fr_ref == 0)
+ KFREE(fr);
+ }
+ if (fra->ipfr_prev)
+ fra->ipfr_prev->ipfr_next = fra->ipfr_next;
+ if (fra->ipfr_next)
+ fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
+ KFREE(fra);
}
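Review bot: ipfr_delete performs `ATOMIC_DEC(fr->fr_ref)` and then separately re-reads `fr->fr_ref == 0`, so two threads releasing the last two references at the same time (the fragment and NAT-fragment tables are expired under different locks, and rule removal through the ioctl path also drops fr_ref) can both observe zero and both KFREE the same rule. The decrement and the test need to be one atomic step or be done under a single lock — either test the value returned by the platform's atomic decrement where one is available, or hold `ipf_rw` across `ATOMIC_DEC(fr->fr_ref); if (fr->fr_ref == 0) KFREE(fr);`. Separately, ipfr_forget above walks `ipfr_heads` under ipf_natfrag, but the entries whose `ipfr_data` points at a nat are created in `ipfr_nattab` by ipfr_nat_newfrag, so as written it appears unable to find what it is meant to clear — worth confirming which table it should scan.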
@@ -334,31 +388,32 @@ void *nat;
*/
void ipfr_unload()
{
- ipfr_t **fp, *fr;
+ ipfr_t **fp, *fra;
nat_t *nat;
int idx;
- MUTEX_ENTER(&ipf_frag);
+ WRITE_ENTER(&ipf_frag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
- *fp = fr->ipfr_next;
- KFREE(fr);
+ for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
+ *fp = fra->ipfr_next;
+ ipfr_delete(fra);
}
- MUTEX_EXIT(&ipf_frag);
+ RWLOCK_EXIT(&ipf_frag);
- MUTEX_ENTER(&ipf_nat);
- MUTEX_ENTER(&ipf_natfrag);
+ WRITE_ENTER(&ipf_nat);
+ WRITE_ENTER(&ipf_natfrag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
- *fp = fr->ipfr_next;
- if ((nat = (nat_t *)fr->ipfr_data)) {
- if (nat->nat_data == fr)
+ for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
+ *fp = fra->ipfr_next;
+ nat = fra->ipfr_data;
+ if (nat != NULL) {
+ if (nat->nat_data == fra)
nat->nat_data = NULL;
}
- KFREE(fr);
+ ipfr_delete(fra);
}
- MUTEX_EXIT(&ipf_natfrag);
- MUTEX_EXIT(&ipf_nat);
+ RWLOCK_EXIT(&ipf_natfrag);
+ RWLOCK_EXIT(&ipf_nat);
}
@@ -368,21 +423,36 @@ void ipfr_unload()
* of this being called twice per second.
*/
# if (BSD >= 199306) || SOLARIS || defined(__sgi)
+# if defined(SOLARIS2) && (SOLARIS2 < 7)
void ipfr_slowtimer()
+# else
+void ipfr_slowtimer __P((void *ptr))
+# endif
# else
int ipfr_slowtimer()
# endif
{
- ipfr_t **fp, *fr;
+ ipfr_t **fp, *fra;
nat_t *nat;
- int s, idx;
+ int idx;
+#if defined(_KERNEL)
+# if !SOLARIS
+ int s;
+# else
+ extern int fr_running;
+
+ if (fr_running <= 0)
+ return;
+# endif
+#endif
+ READ_ENTER(&ipf_solaris);
#ifdef __sgi
ipfilter_sgi_intfsync();
#endif
SPL_NET(s);
- MUTEX_ENTER(&ipf_frag);
+ WRITE_ENTER(&ipf_frag);
/*
* Go through the entire table, looking for entries to expire,
@@ -390,23 +460,17 @@ int ipfr_slowtimer()
* remove it from the chain and free it.
*/
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
- --fr->ipfr_ttl;
- if (fr->ipfr_ttl == 0) {
- if (fr->ipfr_prev)
- fr->ipfr_prev->ipfr_next =
- fr->ipfr_next;
- if (fr->ipfr_next)
- fr->ipfr_next->ipfr_prev =
- fr->ipfr_prev;
- *fp = fr->ipfr_next;
- ipfr_stats.ifs_expire++;
- ipfr_inuse--;
- KFREE(fr);
+ for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
+ --fra->ipfr_ttl;
+ if (fra->ipfr_ttl == 0) {
+ *fp = fra->ipfr_next;
+ ipfr_delete(fra);
+ ATOMIC_INC(ipfr_stats.ifs_expire);
+ ATOMIC_DEC(ipfr_inuse);
} else
- fp = &fr->ipfr_next;
+ fp = &fra->ipfr_next;
}
- MUTEX_EXIT(&ipf_frag);
+ RWLOCK_EXIT(&ipf_frag);
/*
* Same again for the NAT table, except that if the structure also
@@ -415,31 +479,26 @@ int ipfr_slowtimer()
* NOTE: We need to grab both mutex's early, and in this order so as
* to prevent a deadlock if both try to expire at the same time.
*/
- MUTEX_ENTER(&ipf_nat);
- MUTEX_ENTER(&ipf_natfrag);
+ WRITE_ENTER(&ipf_nat);
+ WRITE_ENTER(&ipf_natfrag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
- --fr->ipfr_ttl;
- if (fr->ipfr_ttl == 0) {
- if (fr->ipfr_prev)
- fr->ipfr_prev->ipfr_next =
- fr->ipfr_next;
- if (fr->ipfr_next)
- fr->ipfr_next->ipfr_prev =
- fr->ipfr_prev;
- *fp = fr->ipfr_next;
- ipfr_stats.ifs_expire++;
- ipfr_inuse--;
- if ((nat = (nat_t *)fr->ipfr_data)) {
- if (nat->nat_data == fr)
+ for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
+ --fra->ipfr_ttl;
+ if (fra->ipfr_ttl == 0) {
+ ATOMIC_INC(ipfr_stats.ifs_expire);
+ ATOMIC_DEC(ipfr_inuse);
+ nat = fra->ipfr_data;
+ if (nat != NULL) {
+ if (nat->nat_data == fra)
nat->nat_data = NULL;
}
- KFREE(fr);
+ *fp = fra->ipfr_next;
+ ipfr_delete(fra);
} else
- fp = &fr->ipfr_next;
+ fp = &fra->ipfr_next;
}
- MUTEX_EXIT(&ipf_natfrag);
- MUTEX_EXIT(&ipf_nat);
+ RWLOCK_EXIT(&ipf_natfrag);
+ RWLOCK_EXIT(&ipf_nat);
SPL_X(s);
fr_timeoutstate();
ip_natexpire();
@@ -448,11 +507,16 @@ int ipfr_slowtimer()
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
# else
# ifndef linux
- ip_slowtimo();
+# if (__FreeBSD_version >= 300000)
+ ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+# else
+ timeout(ipfr_slowtimer, NULL, hz/2);
+# endif
# endif
# if (BSD < 199306) && !defined(__sgi)
return 0;
# endif
# endif
+ RWLOCK_EXIT(&ipf_solaris);
}
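Review bot: On the `(BSD < 199306) && !defined(__sgi)` path the `return 0;` runs before the newly added `RWLOCK_EXIT(&ipf_solaris);`, so the read lock taken at the top of ipfr_slowtimer is never released there. READ_ENTER/RWLOCK_EXIT may expand to nothing outside Solaris and IRIX, in which case this is harmless today, but moving `RWLOCK_EXIT(&ipf_solaris);` ahead of the `return 0;` makes the pairing correct by construction. ipfr_slowtimer begins outside this hunk.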
#endif /* defined(_KERNEL) */
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
index 9122f17..1097dec 100644
--- a/contrib/ipfilter/ip_frag.h
+++ b/contrib/ipfilter/ip_frag.h
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $
+ * $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@@ -24,7 +24,7 @@ typedef struct ipfr {
u_char ipfr_tos;
u_short ipfr_off;
u_short ipfr_ttl;
- u_char ipfr_pass;
+ frentry_t *ipfr_rule;
} ipfr_t;
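Review bot: `ipfr_rule` replaces the old pass-flags byte with a raw pointer into the rule list, and nothing in the header says who owns it. ip_frag.c takes a reference on `fr_ref` when the entry is created and drops it in ipfr_delete, so the field should carry that contract: `frentry_t *ipfr_rule; /* matching rule; holds a ref on fr_ref, released by ipfr_delete */`. ipfr_knownfrag now returns this pointer, so callers need the lifetime note.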
@@ -43,15 +43,19 @@ typedef struct ipfrstat {
extern int fr_ipfrttl;
extern ipfrstat_t *ipfr_fragstats __P((void));
-extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int));
-extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, int, struct nat *));
+extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int));
+extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *));
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
-extern int ipfr_knownfrag __P((ip_t *, fr_info_t *));
+extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_forget __P((void *));
extern void ipfr_unload __P((void));
#if (BSD >= 199306) || SOLARIS || defined(__sgi)
+# if defined(SOLARIS2) && (SOLARIS2 < 7)
extern void ipfr_slowtimer __P((void));
+# else
+extern void ipfr_slowtimer __P((void *));
+# endif
#else
extern int ipfr_slowtimer __P((void));
#endif
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index 7ff8adb..98f00fa 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -2,6 +2,9 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*/
+#if SOLARIS && defined(_KERNEL)
+extern kmutex_t ipf_rw;
+#endif
#define isdigit(x) ((x) >= '0' && (x) <= '9')
@@ -9,67 +12,29 @@
#define IPF_MINPORTLEN 18
#define IPF_MAXPORTLEN 30
+#define IPF_MIN227LEN 39
+#define IPF_MAX227LEN 51
-int ippr_ftp_init __P((fr_info_t *, ip_t *, tcphdr_t *,
- ap_session_t *, nat_t *));
-int ippr_ftp_in __P((fr_info_t *, ip_t *, tcphdr_t *,
- ap_session_t *, nat_t *));
-int ippr_ftp_out __P((fr_info_t *, ip_t *, tcphdr_t *,
- ap_session_t *, nat_t *));
-u_short ipf_ftp_atoi __P((char **));
-
-
-int ippr_ftp_init __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *,
- nat_t *));
-int ippr_ftp_in __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *,
- nat_t *));
-int ippr_ftp_out __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *,
- nat_t *));
+int ippr_ftp_init __P((void));
+int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *));
+int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *));
u_short ipf_ftp_atoi __P((char **));
+static frentry_t natfr;
/*
- * FTP application proxy initialization.
+ * Initialize local structures.
*/
-int ippr_ftp_init(fin, ip, tcp, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-tcphdr_t *tcp;
-ap_session_t *aps;
-nat_t *nat;
+int ippr_ftp_init()
{
- aps->aps_sport = tcp->th_sport;
- aps->aps_dport = tcp->th_dport;
- return 0;
-}
-
-
-int ippr_ftp_in(fin, ip, tcp, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-tcphdr_t *tcp;
-ap_session_t *aps;
-nat_t *nat;
-{
- u_32_t sum1, sum2;
- short sel;
-
- if (tcp->th_sport == aps->aps_dport) {
- sum2 = (u_32_t)ntohl(tcp->th_ack);
- sel = aps->aps_sel;
- if ((aps->aps_after[!sel] > aps->aps_after[sel]) &&
- (sum2 > aps->aps_after[!sel])) {
- sel = aps->aps_sel = !sel; /* switch to other set */
- }
- if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) {
- sum1 = (u_32_t)aps->aps_seqoff[sel];
- tcp->th_ack = htonl(sum2 - sum1);
- return 2;
- }
- }
+ bzero((char *)&natfr, sizeof(natfr));
+ natfr.fr_ref = 1;
+ natfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
@@ -103,46 +68,51 @@ char **ptr;
}
-int ippr_ftp_out(fin, ip, tcp, aps, nat)
+int ippr_ftp_portmsg(fin, ip, nat)
fr_info_t *fin;
ip_t *ip;
-tcphdr_t *tcp;
-ap_session_t *aps;
nat_t *nat;
{
- register u_32_t sum1, sum2;
- char newbuf[IPF_MAXPORTLEN+1];
- char portbuf[IPF_MAXPORTLEN+1], *s;
- int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2);
- u_int a1, a2, a3, a4;
- u_short a5, a6;
- int olen, dlen, nlen = 0, inc = 0;
- tcphdr_t tcph, *tcp2 = &tcph;
- void *savep;
- nat_t *ipn;
- struct in_addr swip;
- mb_t *m = *(mb_t **)fin->fin_mp;
-
+ char portbuf[IPF_MAXPORTLEN + 1], newbuf[IPF_MAXPORTLEN + 1], *s;
+ tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+ size_t nlen = 0, dlen, olen;
+ u_short a5, a6, sp, dp;
+ u_int a1, a2, a3, a4;
+ struct in_addr swip;
+ int off, inc = 0;
+ fr_info_t fi;
+ nat_t *ipn;
+ mb_t *m;
#if SOLARIS
mb_t *m1;
+#endif
- /* skip any leading M_PROTOs */
- while(m && (MTYPE(m) != M_DATA))
- m = m->b_cont;
- PANIC((!m),("ippr_ftp_out: no M_DATA"));
+ tcp = (tcphdr_t *)fin->fin_dp;
+ bzero(portbuf, sizeof(portbuf));
+ off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+
+#if SOLARIS
+ m = fin->fin_qfm;
dlen = msgdsize(m) - off;
- bzero(portbuf, sizeof(portbuf));
- copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+ if (dlen > 0)
+ copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#else
+ m = *(mb_t **)fin->fin_mp;
+
dlen = mbufchainlen(m) - off;
- bzero(portbuf, sizeof(portbuf));
- m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+ if (dlen > 0)
+ m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
- portbuf[IPF_MAXPORTLEN] = '\0';
-
- if ((dlen < IPF_MINPORTLEN) || strncmp(portbuf, "PORT ", 5))
- goto adjust_seqack;
+ if (dlen == 0)
+ return 0;
+ portbuf[sizeof(portbuf) - 1] = '\0';
+ *newbuf = '\0';
+ if (!strncmp(portbuf, "PORT ", 5)) {
+ if (dlen < IPF_MINPORTLEN)
+ return 0;
+ } else
+ return 0;
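Review bot: `dlen` in ippr_ftp_portmsg is now `size_t`, so `mbufchainlen(m) - off` (and `msgdsize(m) - off` on Solaris) wraps to a huge value whenever the packet is shorter than the IP+TCP header length derived from `th_off`; the new `if (dlen > 0)` guard then passes and m_copydata/copyout_mblk is asked for `sizeof(portbuf)` bytes that the chain does not hold. Compare before subtracting, e.g. `len = mbufchainlen(m); if (len <= off) return 0; dlen = len - off;`, with the same shape for the Solaris branch. Whether fr_check has already validated `th_off` against the mbuf length is not visible here, but a header-only check does not cover a truncated payload, and ippr_ftp_pasvmsg keeps `dlen` as `int`, so the two functions currently disagree on the type. ippr_ftp_portmsg continues past the end of this hunk.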
/*
* Skip the PORT command + space
@@ -151,21 +121,38 @@ nat_t *nat;
/*
* Pick out the address components, two at a time.
*/
- (void) ipf_ftp_atoi(&s);
+ a1 = ipf_ftp_atoi(&s);
if (!s)
- goto adjust_seqack;
- (void) ipf_ftp_atoi(&s);
+ return 0;
+ a2 = ipf_ftp_atoi(&s);
if (!s)
- goto adjust_seqack;
+ return 0;
+
+ /*
+ * check that IP address in the PORT/PASV reply is the same as the
+ * sender of the command - prevents using PORT for port scanning.
+ */
+ a1 <<= 16;
+ a1 |= a2;
+ if (a1 != ntohl(nat->nat_inip.s_addr))
+ return 0;
+
a5 = ipf_ftp_atoi(&s);
if (!s)
- goto adjust_seqack;
+ return 0;
+ if (*s == ')')
+ s++;
+
/*
* check for CR-LF at the end.
*/
- if (*s != '\n' || *(s - 1) != '\r')
- goto adjust_seqack;
- a6 = a5 & 0xff;
+ if (*s == '\n')
+ s--;
+ if ((*s == '\r') && (*(s + 1) == '\n')) {
+ s += 2;
+ a6 = a5 & 0xff;
+ } else
+ return 0;
a5 >>= 8;
/*
* Calculate new address parts for PORT command
@@ -175,29 +162,34 @@ nat_t *nat;
a3 = (a1 >> 8) & 0xff;
a4 = a1 & 0xff;
a1 >>= 24;
- olen = s - portbuf + 1;
- (void) sprintf(newbuf, "PORT %d,%d,%d,%d,%d,%d\r\n",
- a1, a2, a3, a4, a5, a6);
+ olen = s - portbuf;
+ (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
+ "PORT", a1, a2, a3, a4, a5, a6);
+
nlen = strlen(newbuf);
inc = nlen - olen;
#if SOLARIS
for (m1 = m; m1->b_cont; m1 = m1->b_cont)
;
- if (inc > 0) {
+ if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
mblk_t *nm;
/* alloc enough to keep same trailer space for lower driver */
- nm = allocb(nlen + m1->b_datap->db_lim - m1->b_wptr, BPRI_MED);
+ nm = allocb(nlen, BPRI_MED);
PANIC((!nm),("ippr_ftp_out: allocb failed"));
nm->b_band = m1->b_band;
nm->b_wptr += nlen;
m1->b_wptr -= olen;
- PANIC((m1->b_wptr < m1->b_rptr),("ippr_ftp_out: cannot handle fragmented data block"));
+ PANIC((m1->b_wptr < m1->b_rptr),
+ ("ippr_ftp_out: cannot handle fragmented data block"));
linkb(m1, nm);
} else {
+ if (m1->b_datap->db_struiolim == m1->b_wptr)
+ m1->b_datap->db_struiolim += inc;
+ m1->b_datap->db_struioflag &= ~STRUIO_IP;
m1->b_wptr += inc;
}
copyin_mblk(m, off, nlen, newbuf);
@@ -207,8 +199,10 @@ nat_t *nat;
/* the mbuf chain will be extended if necessary by m_copyback() */
m_copyback(m, off, nlen, newbuf);
#endif
- if (inc) {
+ if (inc != 0) {
#if SOLARIS || defined(__sgi)
+ register u_32_t sum1, sum2;
+
sum1 = ip->ip_len;
sum2 = ip->ip_len + inc;
@@ -222,48 +216,242 @@ nat_t *nat;
#endif
ip->ip_len += inc;
}
- ch = 1;
/*
* Add skeleton NAT entry for connection which will come back the
* other way.
*/
- savep = fin->fin_dp;
- fin->fin_dp = (char *)tcp2;
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_sport = htons(a5 << 8 | a6);
- tcp2->th_dport = htons(20);
- swip = ip->ip_src;
- ip->ip_src = nat->nat_inip;
- if ((ipn = nat_new(nat->nat_ptr, ip, fin, IPN_TCP, NAT_OUTBOUND)))
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, fin, FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE);
- ip->ip_src = swip;
- fin->fin_dp = (char *)savep;
-
-adjust_seqack:
- if (tcp->th_dport == aps->aps_dport) {
- sum2 = (u_32_t)ntohl(tcp->th_seq);
- off = aps->aps_sel;
- if ((aps->aps_after[!off] > aps->aps_after[off]) &&
- (sum2 > aps->aps_after[!off])) {
- off = aps->aps_sel = !off; /* switch to other set */
- }
- if (aps->aps_seqoff[off]) {
- sum1 = (u_32_t)aps->aps_after[off] -
- aps->aps_seqoff[off];
- if (sum2 > sum1) {
- sum1 = (u_32_t)aps->aps_seqoff[off];
- sum2 += sum1;
- tcp->th_seq = htonl(sum2);
- ch = 1;
- }
+ sp = htons(a5 << 8 | a6);
+ /*
+ * The server may not make the connection back from port 20, but
+ * it is the most likely so use it here to check for a conflicting
+ * mapping.
+ */
+ dp = htons(fin->fin_data[1] - 1);
+ ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
+ ip->ip_dst, (dp << 16) | sp);
+ if (ipn == NULL) {
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ bzero((char *)tcp2, sizeof(*tcp2));
+ tcp2->th_win = htons(8192);
+ tcp2->th_sport = sp;
+ tcp2->th_dport = 0; /* XXX - don't specify remote port */
+ fi.fin_data[0] = ntohs(sp);
+ fi.fin_data[1] = 0;
+ fi.fin_dp = (char *)tcp2;
+ swip = ip->ip_src;
+ ip->ip_src = nat->nat_inip;
+ ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
+ NAT_OUTBOUND);
+ if (ipn != NULL) {
+ ipn->nat_age = fr_defnatage;
+ (void) fr_addstate(ip, &fi, FI_W_DPORT);
}
+ ip->ip_src = swip;
+ }
+ return inc;
+}
+
- if (inc && (sum2 > aps->aps_after[!off])) {
- aps->aps_after[!off] = sum2 + nlen - 1;
- aps->aps_seqoff[!off] = aps->aps_seqoff[off] + inc;
+int ippr_ftp_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ return ippr_ftp_portmsg(fin, ip, nat);
+}
+
+
+int ippr_ftp_pasvmsg(fin, ip, nat)
+fr_info_t *fin;
+ip_t *ip;
+nat_t *nat;
+{
+ char portbuf[IPF_MAX227LEN + 1], newbuf[IPF_MAX227LEN + 1], *s;
+ int off, olen, dlen, nlen = 0, inc = 0;
+ tcphdr_t tcph, *tcp2 = &tcph;
+ struct in_addr swip, swip2;
+ u_short a5, a6, dp, sp;
+ u_int a1, a2, a3, a4;
+ tcphdr_t *tcp;
+ fr_info_t fi;
+ nat_t *ipn;
+ mb_t *m;
+#if SOLARIS
+ mb_t *m1;
+#endif
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+ m = *(mb_t **)fin->fin_mp;
+ bzero(portbuf, sizeof(portbuf));
+
+#if SOLARIS
+ m = fin->fin_qfm;
+
+ dlen = msgdsize(m) - off;
+ if (dlen > 0)
+ copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#else
+ dlen = mbufchainlen(m) - off;
+ if (dlen > 0)
+ m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#endif
+ if (dlen == 0)
+ return 0;
+ portbuf[sizeof(portbuf) - 1] = '\0';
+ *newbuf = '\0';
+
+ if (!strncmp(portbuf, "227 ", 4)) {
+ if (dlen < IPF_MIN227LEN)
+ return 0;
+ else if (strncmp(portbuf, "227 Entering Passive Mode", 25))
+ return 0;
+ } else
+ return 0;
+ /*
+ * Skip the PORT command + space
+ */
+ s = portbuf + 25;
+ while (*s && !isdigit(*s))
+ s++;
+ /*
+ * Pick out the address components, two at a time.
+ */
+ a1 = ipf_ftp_atoi(&s);
+ if (!s)
+ return 0;
+ a2 = ipf_ftp_atoi(&s);
+ if (!s)
+ return 0;
+
+ /*
+ * check that IP address in the PORT/PASV reply is the same as the
+ * sender of the command - prevents using PORT for port scanning.
+ */
+ a1 <<= 16;
+ a1 |= a2;
+ if (a1 != ntohl(nat->nat_oip.s_addr))
+ return 0;
+
+ a5 = ipf_ftp_atoi(&s);
+ if (!s)
+ return 0;
+
+ if (*s == ')')
+ s++;
+ if (*s == '\n')
+ s--;
+ /*
+ * check for CR-LF at the end.
+ */
+ if ((*s == '\r') && (*(s + 1) == '\n')) {
+ s += 2;
+ a6 = a5 & 0xff;
+ } else
+ return 0;
+ a5 >>= 8;
+ /*
+ * Calculate new address parts for 227 reply
+ */
+ a1 = ntohl(ip->ip_src.s_addr);
+ a2 = (a1 >> 16) & 0xff;
+ a3 = (a1 >> 8) & 0xff;
+ a4 = a1 & 0xff;
+ a1 >>= 24;
+ olen = s - portbuf;
+ (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
+ "227 Entering Passive Mode", a1, a2, a3, a4, a5, a6);
+
+ nlen = strlen(newbuf);
+ inc = nlen - olen;
+#if SOLARIS
+ for (m1 = m; m1->b_cont; m1 = m1->b_cont)
+ ;
+ if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
+ mblk_t *nm;
+
+ /* alloc enough to keep same trailer space for lower driver */
+ nm = allocb(nlen, BPRI_MED);
+ PANIC((!nm),("ippr_ftp_out: allocb failed"));
+
+ nm->b_band = m1->b_band;
+ nm->b_wptr += nlen;
+
+ m1->b_wptr -= olen;
+ PANIC((m1->b_wptr < m1->b_rptr),
+ ("ippr_ftp_out: cannot handle fragmented data block"));
+
+ linkb(m1, nm);
+ } else {
+ m1->b_wptr += inc;
+ }
+ copyin_mblk(m, off, nlen, newbuf);
+#else
+ if (inc < 0)
+ m_adj(m, inc);
+ /* the mbuf chain will be extended if necessary by m_copyback() */
+ m_copyback(m, off, nlen, newbuf);
+#endif
+ if (inc != 0) {
+#if SOLARIS || defined(__sgi)
+ register u_32_t sum1, sum2;
+
+ sum1 = ip->ip_len;
+ sum2 = ip->ip_len + inc;
+
+ /* Because ~1 == -2, We really need ~1 == -1 */
+ if (sum1 > sum2)
+ sum2--;
+ sum2 -= sum1;
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+
+ fix_outcksum(&ip->ip_sum, sum2);
+#endif
+ ip->ip_len += inc;
+ }
+
+ /*
+ * Add skeleton NAT entry for connection which will come back the
+ * other way.
+ */
+ sp = 0;
+ dp = htons(fin->fin_data[1] - 1);
+ ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
+ ip->ip_dst, (dp << 16) | sp);
+ if (ipn == NULL) {
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ bzero((char *)tcp2, sizeof(*tcp2));
+ tcp2->th_win = htons(8192);
+ tcp2->th_sport = 0; /* XXX - fake it for nat_new */
+ fi.fin_data[0] = a5 << 8 | a6;
+ tcp2->th_dport = htons(fi.fin_data[0]);
+ fi.fin_data[1] = 0;
+ fi.fin_dp = (char *)tcp2;
+ swip = ip->ip_src;
+ swip2 = ip->ip_dst;
+ ip->ip_dst = ip->ip_src;
+ ip->ip_src = nat->nat_inip;
+ ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT,
+ NAT_OUTBOUND);
+ if (ipn != NULL) {
+ ipn->nat_age = fr_defnatage;
+ (void) fr_addstate(ip, &fi, FI_W_SPORT);
}
+ ip->ip_src = swip;
+ ip->ip_dst = swip2;
}
- return ch ? 2 : 0;
+ return inc;
+}
+
+
+int ippr_ftp_in(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+
+ return ippr_ftp_pasvmsg(fin, ip, nat);
}
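Review bot: In ippr_ftp_pasvmsg the conflict lookup is keyed on `sp = 0, dp = control-1` while the skeleton entry it then creates uses `th_dport = a5 << 8 | a6` (the port announced in the 227 reply) with a wildcard source port, so nat_outlookup appears to search for a different mapping than the one being added and the "already exists" check may never fire. Keying the lookup on the announced port, `dp = htons(a5 << 8 | a6);` after a5/a6 are parsed, would match the entry actually created. Two smaller points: `m = *(mb_t **)fin->fin_mp;` is dereferenced unconditionally before the `#if SOLARIS` branch overrides it with `fin->fin_qfm`, and `newbuf` is sized so that the worst-case `sprintf` ("227 Entering Passive Mode " plus six three-digit fields, CR-LF and NUL) fits `IPF_MAX227LEN + 1` exactly — a comment next to the define stating that arithmetic would stop the next edit from overflowing the unbounded sprintf.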
diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c
index b64fb02..fe073ff 100644
--- a/contrib/ipfilter/ip_lfil.c
+++ b/contrib/ipfilter/ip_lfil.c
@@ -1,25 +1,17 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:57 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.1 1999/08/04 17:29:57 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
-#ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-#else
-# include <linux/module.h>
-#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -29,6 +21,14 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:5
#include <sys/uio.h>
#include <sys/dir.h>
#include <sys/socket.h>
+#ifndef _KERNEL
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <ctype.h>
+#else
+# include <linux/module.h>
+#endif
#include <net/if.h>
#include <net/route.h>
@@ -67,7 +67,6 @@ int ipl_inited = 0;
int ipl_unreach = ICMP_UNREACH_FILTER;
u_long ipl_frouteok[2] = {0, 0};
-static void fixskip __P((frentry_t **, frentry_t *, int));
static int frzerostats __P((caddr_t));
static void frsync __P((void));
#if defined(__NetBSD__) || defined(__OpenBSD__)
@@ -146,7 +145,7 @@ int ipldetach()
}
fr_checkp = fr_savep;
- frflush(IPL_LOGIPF, &i);
+ i = frflush(IPL_LOGIPF, i);
ipl_inited = 0;
ipfr_unload();
@@ -310,7 +309,7 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
error = EPERM;
else {
IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
- frflush(unit, &tmp);
+ tmp = frflush(unit, tmp);
IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
}
break;
@@ -363,25 +362,6 @@ static void frsync()
}
-static void fixskip(listp, rp, addremove)
-frentry_t **listp, *rp;
-int addremove;
-{
- frentry_t *fp;
- int rules = 0, rn = 0;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
- ;
-
- if (!fp)
- return;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
- if (fp->fr_skip && (rn + fp->fr_skip >= rules))
- fp->fr_skip += addremove;
-}
-
-
static int frrequest(unit, req, data, set)
int unit;
u_long req;
@@ -393,7 +373,8 @@ caddr_t data;
frentry_t frd;
frdest_t *fdp;
frgroup_t *fg = NULL;
- int error = 0, in, group;
+ int error = 0, in;
+ u_int group;
fp = &frd;
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
@@ -405,10 +386,10 @@ caddr_t data;
* has been specified, doesn't exist.
*/
if (fp->fr_grhead &&
- fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL))
+ fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
return EEXIST;
if (fp->fr_group &&
- !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL))
+ !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
return ESRCH;
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
@@ -498,8 +479,8 @@ caddr_t data;
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
if (f->fr_grhead)
- fr_delgroup(f->fr_grhead, fp->fr_flags, unit,
- set);
+ fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
+ unit, set);
fixskip(fprev, f, -1);
*ftail = f->fr_next;
KFREE(f);
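Review bot: This removal path in frrequest still does an unconditional `KFREE(f)` after unlinking the rule, while the same commit has ip_frag.c store `fin->fin_fr` in `ipfr_rule` and take a reference on `fr_ref` for every cached fragment. If the Linux build uses that fragment cache, deleting a rule here while fragments reference it leaves `ipfr_rule` dangling, and ipfr_delete later decrements and frees memory that is already freed. The delete should release its reference instead, `ATOMIC_DEC(f->fr_ref); if (f->fr_ref == 0) KFREE(f);`, done under whatever lock serialises rule removal, mirroring what fil.c does for the other platforms (not visible here). frrequest begins and ends outside this hunk.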
@@ -510,7 +491,7 @@ caddr_t data;
else {
if (unit == IPL_LOGAUTH)
return fr_auth_ioctl(data, req, f, ftail);
- KMALLOC(f, frentry_t *, sizeof(*f));
+ KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
fg->fg_head->fr_ref++;
@@ -540,7 +521,7 @@ int iplopen(struct inode *inode, struct file *file)
{
u_int min = GET_MINOR(inode->i_rdev);
- if (2 < min)
+ if (IPL_LOGMAX < min)
min = ENXIO;
else {
MOD_INC_USE_COUNT;
@@ -554,7 +535,7 @@ void iplclose(struct inode *inode, struct file *file)
{
u_int min = GET_MINOR(inode->i_rdev);
- if (2 >= min) {
+ if (IPL_LOGMAX >= min) {
MOD_DEC_USE_COUNT;
}
}
@@ -628,7 +609,7 @@ struct ifnet *ifp;
ip->ip_sum = 0;
ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t));
- tcp->th_sum = fr_tcpsum(m, ip, tcp, sizeof(tcpiphdr_t));
+ tcp->th_sum = fr_tcpsum(m, ip, tcp);
return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr);
}
diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c
index 81e89e5..1b92cfe 100644
--- a/contrib/ipfilter/ip_log.c
+++ b/contrib/ipfilter/ip_log.c
@@ -1,27 +1,33 @@
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $
+ * $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $
*/
+#include <sys/param.h>
+#if defined(KERNEL) && !defined(_KERNEL)
+# define _KERNEL
+#endif
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter_log.h"
+#endif
+#ifdef __FreeBSD__
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include <sys/osreldate.h>
+# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include "opt_ipfilter.h"
+# endif
+# else
+# include <osreldate.h>
+# endif
+#endif
#ifdef IPFILTER_LOG
# ifndef SOLARIS
# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
# endif
-
-# if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-# endif
-# ifdef __FreeBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include <sys/osreldate.h>
-# else
-# include <osreldate.h>
-# endif
-# endif
# ifndef _KERNEL
# include <stdio.h>
# include <string.h>
@@ -30,7 +36,6 @@
# endif
# include <sys/errno.h>
# include <sys/types.h>
-# include <sys/param.h>
# include <sys/file.h>
# if __FreeBSD_version >= 220000 && defined(_KERNEL)
# include <sys/fcntl.h>
@@ -44,7 +49,7 @@
# endif
# include <sys/uio.h>
# if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603)
+# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
# else
# include <sys/dir.h>
@@ -105,6 +110,10 @@
# include "netinet/ip_frag.h"
# include "netinet/ip_state.h"
# include "netinet/ip_auth.h"
+# if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# endif
+
# ifndef MIN
# define MIN(a,b) (((a)<(b))?(a):(b))
# endif
@@ -117,13 +126,12 @@ extern kcondvar_t iplwait;
# endif
# endif
-iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
-int iplused[IPL_LOGMAX+1];
-u_long iplcrc[IPL_LOGMAX+1];
-u_long iplcrcinit;
-#ifdef linux
+iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
+size_t iplused[IPL_LOGMAX+1];
+fr_info_t iplcrc[IPL_LOGMAX+1];
+# ifdef linux
static struct wait_queue *iplwait[IPL_LOGMAX+1];
-#endif
+# endif
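Review bot: iplused[] is widened from int to size_t here, but the FIONREAD case in ip_nat.c later in this same diff still does `IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, sizeof(iplused[IPL_LOGNAT]));`, and FIONREAD is conventionally declared with an int argument. On an LP64 target that copy is now 8 bytes against a 4-byte ioctl parameter — harmless where `data` is a kernel staging buffer, but a 4-byte overrun of the caller's int on any port where IWCOPY writes straight to the user pointer. I'd report through a temporary in every FIONREAD handler that exposes these counters: `int used = (int)iplused[IPL_LOGNAT]; IWCOPY((caddr_t)&used, (caddr_t)data, sizeof(used));`. These are file-scope declarations, so there is no enclosing function.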
/*
@@ -132,20 +140,15 @@ static struct wait_queue *iplwait[IPL_LOGMAX+1];
*/
void ipflog_init()
{
- struct timeval tv;
int i;
for (i = IPL_LOGMAX; i >= 0; i--) {
iplt[i] = NULL;
+ ipll[i] = NULL;
iplh[i] = &iplt[i];
iplused[i] = 0;
+ bzero((char *)&iplcrc[i], sizeof(iplcrc[i]));
}
-# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
- microtime(&tv);
-# else
- uniqtime(&tv);
-# endif
- iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec;
}
@@ -164,8 +167,7 @@ fr_info_t *fin;
mb_t *m;
{
ipflog_t ipfl;
- register int mlen, hlen;
- u_long crc;
+ register size_t mlen, hlen;
size_t sizes[2];
void *ptrs[2];
int types[2];
@@ -179,29 +181,36 @@ mb_t *m;
* calculate header size.
*/
hlen = fin->fin_hlen;
- if (ip->ip_p == IPPROTO_TCP)
- hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
- else if (ip->ip_p == IPPROTO_UDP)
- hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
- else if (ip->ip_p == IPPROTO_ICMP) {
- struct icmp *icmp = (struct icmp *)((char *)ip + hlen);
-
- /*
- * For ICMP, if the packet is an error packet, also include
- * the information about the packet which caused the error.
- */
- switch (icmp->icmp_type)
- {
- case ICMP_UNREACH :
- case ICMP_SOURCEQUENCH :
- case ICMP_REDIRECT :
- case ICMP_TIMXCEED :
- case ICMP_PARAMPROB :
- hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
- break;
- default :
- hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
- break;
+ if ((ip->ip_off & IP_OFFMASK) == 0) {
+ if (ip->ip_p == IPPROTO_TCP)
+ hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
+ else if (ip->ip_p == IPPROTO_UDP)
+ hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
+ else if (ip->ip_p == IPPROTO_ICMP) {
+ struct icmp *icmp;
+
+ icmp = (struct icmp *)((char *)ip + hlen);
+
+ /*
+ * For ICMP, if the packet is an error packet, also
+ * include the information about the packet which
+ * caused the error.
+ */
+ switch (icmp->icmp_type)
+ {
+ case ICMP_UNREACH :
+ case ICMP_SOURCEQUENCH :
+ case ICMP_REDIRECT :
+ case ICMP_TIMXCEED :
+ case ICMP_PARAMPROB :
+ hlen += MIN(sizeof(struct icmp) + 8,
+ fin->fin_dlen);
+ break;
+ default :
+ hlen += MIN(sizeof(struct icmp),
+ fin->fin_dlen);
+ break;
+ }
}
}
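Review bot: In the ICMP branch `icmp->icmp_type` is dereferenced at `(char *)ip + hlen` before anything confirms the packet carries bytes past the IP header; the MIN() clamps only bound the copy length computed afterwards, and the new fragment-offset test does not change that. If fin_dlen is the payload length, as the clamps suggest, a packet with fin_dlen of zero (or shorter than the ICMP header) makes this read outside the data described by fin. Guarding the branch, e.g. `else if ((ip->ip_p == IPPROTO_ICMP) && (fin->fin_dlen >= ICMP_MINLEN))` with whichever 8-byte ICMP header constant this file has in scope, keeps the type lookup inside the packet; a short ICMP packet then just logs the IP header. ipflog's body continues outside the hunk.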
/*
@@ -231,11 +240,15 @@ mb_t *m;
ipfl.fl_hlen = (u_char)hlen;
ipfl.fl_rule = fin->fin_rule;
ipfl.fl_group = fin->fin_group;
+ if (fin->fin_fr != NULL)
+ ipfl.fl_loglevel = fin->fin_fr->fr_loglevel;
+ else
+ ipfl.fl_loglevel = 0xffff;
ipfl.fl_flags = flags;
ptrs[0] = (void *)&ipfl;
sizes[0] = sizeof(ipfl);
types[0] = 0;
-#if SOLARIS
+# if SOLARIS
/*
* Are we copied from the mblk or an aligned array ?
*/
@@ -248,45 +261,47 @@ mb_t *m;
sizes[1] = hlen + mlen;
types[1] = 0;
}
-#else
+# else
ptrs[1] = m;
sizes[1] = hlen + mlen;
types[1] = 1;
-#endif
- crc = (ipf_cksum((u_short *)fin, FI_CSIZE) << 8) + iplcrcinit;
- return ipllog(IPL_LOGIPF, crc, ptrs, sizes, types, 2);
+# endif
+ return ipllog(IPL_LOGIPF, fin, ptrs, sizes, types, 2);
}
/*
* ipllog
*/
-int ipllog(dev, crc, items, itemsz, types, cnt)
+int ipllog(dev, fin, items, itemsz, types, cnt)
int dev;
-u_long crc;
+fr_info_t *fin;
void **items;
size_t *itemsz;
int *types, cnt;
{
- iplog_t *ipl;
caddr_t buf, s;
- int len, i;
+ iplog_t *ipl;
+ size_t len;
+ int i;
/*
* Check to see if this log record has a CRC which matches the last
* record logged. If it does, just up the count on the previous one
* rather than create a new one.
*/
- if (crc) {
- MUTEX_ENTER(&ipl_mutex);
- if ((iplcrc[dev] == crc) && *iplh[dev]) {
- (*iplh[dev])->ipl_count++;
+ MUTEX_ENTER(&ipl_mutex);
+ if (fin != NULL) {
+ if ((ipll[dev] != NULL) &&
+ bcmp((char *)fin, (char *)&iplcrc[dev], FI_CSIZE) == 0) {
+ ipll[dev]->ipl_count++;
MUTEX_EXIT(&ipl_mutex);
return 1;
}
- iplcrc[dev] = crc;
- MUTEX_EXIT(&ipl_mutex);
- }
+ bcopy((char *)fin, (char *)&iplcrc[dev], FI_CSIZE);
+ } else
+ bzero((char *)&iplcrc[dev], FI_CSIZE);
+ MUTEX_EXIT(&ipl_mutex);
/*
* Get the total amount of data to be logged.
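Review bot: The dedup fingerprint is advanced before the record exists: `bcopy((char *)fin, (char *)&iplcrc[dev], FI_CSIZE);` runs under the mutex here, yet the allocation that follows (and presumably the space check after it) can still return 0 without queueing anything, while `ipll[dev]` keeps pointing at the previous record. The next packet with the same fingerprint then matches iplcrc[dev] and increments `ipll[dev]->ipl_count` on an unrelated entry, so the log undercounts exactly when the logger is short of memory. I'd leave only the compare in this early section and move the bcopy (and the bzero for the fin == NULL case) to the point where the new record is linked, next to `ipll[dev] = ipl;`, under that same mutex hold. ipllog's body continues outside the hunk.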
@@ -298,7 +313,7 @@ int *types, cnt;
* check that we have space to record this information and can
* allocate that much.
*/
- KMALLOC(buf, caddr_t, len);
+ KMALLOCS(buf, caddr_t, len);
if (!buf)
return 0;
MUTEX_ENTER(&ipl_mutex);
@@ -344,6 +359,7 @@ int *types, cnt;
s += itemsz[i];
}
MUTEX_ENTER(&ipl_mutex);
+ ipll[dev] = ipl;
*iplh[dev] = ipl;
iplh[dev] = &ipl->ipl_next;
# if SOLARIS
@@ -362,11 +378,12 @@ int *types, cnt;
int ipflog_read(unit, uio)
-int unit;
+minor_t unit;
struct uio *uio;
{
+ size_t dlen, copied;
+ int error = 0;
iplog_t *ipl;
- int error = 0, dlen, copied;
# if defined(_KERNEL) && !SOLARIS
int s;
# endif
@@ -375,7 +392,7 @@ struct uio *uio;
* Sanity checks. Make sure the minor # is valid and we're copying
* a valid chunk of data.
*/
- if ((IPL_LOGMAX < unit) || (unit < 0))
+ if (IPL_LOGMAX < unit)
return ENXIO;
if (!uio->uio_resid)
return 0;
@@ -419,55 +436,63 @@ struct uio *uio;
for (copied = 0; (ipl = iplt[unit]); copied += dlen) {
dlen = ipl->ipl_dsize;
- if (dlen + sizeof(iplog_t) > uio->uio_resid)
+ if (dlen > uio->uio_resid)
break;
/*
* Don't hold the mutex over the uiomove call.
*/
iplt[unit] = ipl->ipl_next;
+ iplused[unit] -= dlen;
MUTEX_EXIT(&ipl_mutex);
SPL_X(s);
- error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio);
- KFREES((caddr_t)ipl, ipl->ipl_dsize);
- if (error)
+ error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio);
+ if (error) {
+ SPL_NET(s);
+ MUTEX_ENTER(&ipl_mutex);
+ ipl->ipl_next = iplt[unit];
+ iplt[unit] = ipl;
+ iplused[unit] += dlen;
break;
+ }
+ KFREES((caddr_t)ipl, dlen);
SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);
- iplused[unit] -= dlen;
}
- if (!ipl) {
+ if (!iplt[unit]) {
iplused[unit] = 0;
iplh[unit] = &iplt[unit];
+ ipll[unit] = NULL;
}
- if (!error) {
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- }
-#ifdef linux
+ MUTEX_EXIT(&ipl_mutex);
+ SPL_X(s);
+# ifdef linux
if (!error)
- return copied;
+ return (int)copied;
return -error;
-#else
+# else
return error;
-#endif
+# endif
}
int ipflog_clear(unit)
-int unit;
+minor_t unit;
{
iplog_t *ipl;
int used;
+ MUTEX_ENTER(&ipl_mutex);
while ((ipl = iplt[unit])) {
iplt[unit] = ipl->ipl_next;
KFREES((caddr_t)ipl, ipl->ipl_dsize);
}
iplh[unit] = &iplt[unit];
+ ipll[unit] = NULL;
used = iplused[unit];
iplused[unit] = 0;
- iplcrc[unit] = 0;
+ bzero((char *)&iplcrc[unit], FI_CSIZE);
+ MUTEX_EXIT(&ipl_mutex);
return used;
}
#endif /* IPFILTER_LOG */
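Review bot: ipflog_clear now takes ipl_mutex, but unlike ipflog_read two hunks up (`if (IPL_LOGMAX < unit) return ENXIO;`) it indexes iplt[], iplh[], ipll[], iplused[] and iplcrc[] with `unit` unchecked, and those arrays are IPL_LOGMAX+1 long. If every caller passes a minor already validated at open() this is fine, but the callers are not visible here, so I'd mirror the guard at the top: `if (IPL_LOGMAX < unit) return 0;`. Since the return value is the byte count freed, 0 is a sensible no-op result.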
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index 102d57f..eff284e 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -9,23 +9,27 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.5 1999/10/05 12:58:33 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
+ defined(_KERNEL)
+# include "opt_ipfilter_log.h"
+#endif
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+#endif
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
@@ -48,7 +52,9 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
@@ -58,9 +64,12 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
+# endif
#endif
#ifdef sun
-#include <net/af.h>
+# include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
@@ -75,8 +84,8 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:
#endif
#ifdef RFC1825
-#include <vpn/md5.h>
-#include <vpn/ipsec.h>
+# include <vpn/md5.h>
+# include <vpn/ipsec.h>
extern struct ifnet vpnif;
#endif
@@ -93,40 +102,101 @@ extern struct ifnet vpnif;
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
+# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
#undef SOCKADDR_IN
#define SOCKADDR_IN struct sockaddr_in
-nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
+nat_t **nat_table[2] = { NULL, NULL },
+ *nat_instances = NULL;
ipnat_t *nat_list = NULL;
-u_long fr_defnatage = 1200, /* 10 minutes (600 seconds) */
- fr_defnaticmpage = 6; /* 3 seconds */
+u_int ipf_nattable_sz = NAT_TABLE_SZ;
+u_int ipf_natrules_sz = NAT_SIZE;
+u_int ipf_rdrrules_sz = RDR_SIZE;
+u_32_t nat_masks = 0;
+u_32_t rdr_masks = 0;
+ipnat_t **nat_rules = NULL;
+ipnat_t **rdr_rules = NULL;
+
+u_long fr_defnatage = DEF_NAT_AGE,
+ fr_defnaticmpage = 6; /* 3 seconds */
natstat_t nat_stats;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern kmutex_t ipf_nat;
+extern kmutex_t ipf_rw;
+extern KRWLOCK_T ipf_nat;
#endif
static int nat_flushtable __P((void));
static int nat_clearlist __P((void));
static void nat_delete __P((struct nat *));
-static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *));
+static void nat_delrdr __P((struct ipnat *));
+static void nat_delnat __P((struct ipnat *));
+
+
+int nat_init()
+{
+ KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
+ if (nat_table[0] != NULL)
+ bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));
+ else
+ return -1;
+
+ KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
+ if (nat_table[1] != NULL)
+ bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));
+ else
+ return -1;
+
+ KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);
+ if (nat_rules != NULL)
+ bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));
+ else
+ return -1;
+
+ KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);
+ if (rdr_rules != NULL)
+ bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
+ else
+ return -1;
+ return 0;
+}
+
+
+void nat_delrdr(n)
+ipnat_t *n;
+{
+ ipnat_t **n1;
+ u_32_t iph;
+ u_int hv;
+
+ iph = n->in_outip & n->in_outmsk;
+ hv = NAT_HASH_FN(iph, ipf_rdrrules_sz);
+ for (n1 = &rdr_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_rnext)
+ ;
+ if (*n1)
+ *n1 = n->in_rnext;
+}
-#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16))
+static void nat_delnat(n)
+ipnat_t *n;
+{
+ ipnat_t **n1;
+ u_32_t iph;
+ u_int hv;
+
+ iph = n->in_inip & n->in_inmsk;
+ hv = NAT_HASH_FN(iph, ipf_natrules_sz);
+ for (n1 = &nat_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_mnext)
+ ;
+ if (*n1)
+ *n1 = n->in_mnext;
+}
-#define CALC_SUMD(s1, s2, sd) { \
- /* Do it twice */ \
- (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
- (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
- /* Do it twice */ \
- (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
- (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
- /* Because ~1 == -2, We really need ~1 == -1 */ \
- if ((s1) > (s2)) (s2)--; \
- (sd) = (s2) - (s1); \
- (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
void fix_outcksum(sp, n)
u_short *sp;
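Review bot: nat_init returns -1 as soon as one KMALLOCS fails but leaves the tables already allocated by the earlier calls (nat_table[0], nat_table[1], nat_rules) attached to the globals; nothing visible frees them, so a failed init leaks them and a retry allocates on top. I'd allocate all four first and release everything on any failure, resetting the pointers so the NULL checks in nat_flushtable and nat_clearlist stay meaningful. Separately, nat_delrdr is declared `static` in the prototype above but defined without it, unlike nat_delnat; adding `static` to the definition keeps the pair consistent.
```c
int nat_init()
{
	KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
	KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
	KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);
	KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);
	if ((nat_table[0] == NULL) || (nat_table[1] == NULL) ||
	    (nat_rules == NULL) || (rdr_rules == NULL)) {
		if (nat_table[0] != NULL)
			KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
		if (nat_table[1] != NULL)
			KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
		if (nat_rules != NULL)
			KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
		if (rdr_rules != NULL)
			KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
		nat_table[0] = nat_table[1] = NULL;
		nat_rules = rdr_rules = NULL;
		return -1;
	}
	bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));
	bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));
	bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));
	bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
	return 0;
}
```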
@@ -203,25 +273,37 @@ int cmd;
caddr_t data;
int mode;
{
- register ipnat_t *nat, *n = NULL, **np = NULL;
+ register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
+ int error = 0, ret, k;
ipnat_t natd;
- int error = 0, ret;
+ u_32_t i, j;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
+#if (BSD >= 199306) && defined(_KERNEL)
+ if ((securelevel >= 2) && (mode & FWRITE))
+ return EPERM;
+#endif
+
nat = NULL; /* XXX gcc -Wuninitialized */
+ KMALLOC(nt, ipnat_t *);
+ if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
+ IRCOPY(data, (char *)&natd, sizeof(natd));
/*
* For add/delete, look to see if the NAT entry is already present
*/
SPL_NET(s);
- MUTEX_ENTER(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
- IRCOPY(data, (char *)&natd, sizeof(natd));
nat = &natd;
- nat->in_inip &= nat->in_inmsk;
- nat->in_outip &= nat->in_outmsk;
+ nat->in_flags &= IPN_USERFLAGS;
+ if ((nat->in_redir & NAT_MAPBLK) == 0) {
+ nat->in_inip &= nat->in_inmsk;
+ if ((nat->in_flags & IPN_RANGE) == 0)
+ nat->in_outip &= nat->in_outmsk;
+ }
for (np = &nat_list; (n = *np); np = &n->in_next)
if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
IPN_CMPSIZ))
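Review bot: natd is copied in from userland and `nat->in_flags &= IPN_USERFLAGS;` sanitizes the flags, but the two strings the rule carries — in_ifname, later handed to GETUNIT, and in_plabel, later handed to appr_match — are not forced to be NUL-terminated; unless those helpers bound their reads by the array size, a rule with a full-width name lets them scan past the ipnat_t. I'd terminate both right after the flag mask: `nat->in_ifname[sizeof(nat->in_ifname) - 1] = '\0'; nat->in_plabel[sizeof(nat->in_plabel) - 1] = '\0';`. This assumes both are fixed-size char arrays in ipnat_t, which is how the code uses them, but the struct is not visible here. nat_ioctl's body continues past the hunk.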
@@ -239,24 +321,82 @@ int mode;
error = EEXIST;
break;
}
- KMALLOC(n, ipnat_t *, sizeof(*n));
- if (n == NULL) {
+ if (nt == NULL) {
error = ENOMEM;
break;
}
+ n = nt;
+ nt = NULL;
bcopy((char *)nat, (char *)n, sizeof(*n));
n->in_ifp = (void *)GETUNIT(n->in_ifname);
if (!n->in_ifp)
n->in_ifp = (void *)-1;
- n->in_apr = ap_match(n->in_p, n->in_plabel);
- n->in_next = *np;
+ if (n->in_plabel[0] != '\0') {
+ n->in_apr = appr_match(n->in_p, n->in_plabel);
+ if (!n->in_apr) {
+ error = ENOENT;
+ break;
+ }
+ }
+ n->in_next = NULL;
+ *np = n;
+
+ if (n->in_redir & NAT_REDIRECT) {
+ u_int hv;
+
+ k = countbits(n->in_outmsk);
+ if ((k >= 0) && (k != 32))
+ rdr_masks |= 1 << k;
+ j = (n->in_outip & n->in_outmsk);
+ hv = NAT_HASH_FN(j, ipf_rdrrules_sz);
+ np = rdr_rules + hv;
+ while (*np != NULL)
+ np = &(*np)->in_rnext;
+ n->in_rnext = NULL;
+ *np = n;
+ }
+ if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
+ u_int hv;
+
+ k = countbits(n->in_inmsk);
+ if ((k >= 0) && (k != 32))
+ nat_masks |= 1 << k;
+ j = (n->in_inip & n->in_inmsk);
+ hv = NAT_HASH_FN(j, ipf_natrules_sz);
+ np = nat_rules + hv;
+ while (*np != NULL)
+ np = &(*np)->in_mnext;
+ n->in_mnext = NULL;
+ *np = n;
+ }
+
n->in_use = 0;
- n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
- if (n->in_space) /* lose 2: broadcast + network address */
- n->in_space -= 2;
+ if (n->in_redir & NAT_MAPBLK)
+ n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
+ else if (n->in_flags & IPN_AUTOPORTMAP)
+ n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
+ else if (n->in_flags & IPN_RANGE)
+ n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
else
- n->in_space = 1; /* single IP# mapping */
- if ((n->in_outmsk != 0xffffffff) && n->in_outmsk)
+ n->in_space = ~ntohl(n->in_outmsk);
+ /*
+ * Calculate the number of valid IP addresses in the output
+ * mapping range. In all cases, the range is inclusive of
+ * the start and ending IP addresses.
+ * If to a CIDR address, lose 2: broadcast + network address
+ * (so subtract 1)
+ * If to a range, add one.
+ * If to a single IP address, set to 1.
+ */
+ if (n->in_space) {
+ if ((n->in_flags & IPN_RANGE) != 0)
+ n->in_space += 1;
+ else
+ n->in_space -= 1;
+ } else
+ n->in_space = 1;
+ if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
+ ((n->in_flags & IPN_RANGE) == 0))
n->in_nip = ntohl(n->in_outip) + 1;
else
n->in_nip = ntohl(n->in_outip);
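Review bot: The new proxy-label lookup leaks the rule on failure: after `n = nt; nt = NULL;` the `if (!n->in_apr) { error = ENOENT; break; }` path leaves n neither linked (`*np = n;` comes later) nor freed, and the trailing `if (nt) KFREE(nt);` at the end of nat_ioctl no longer sees it. Handing it back is enough: `if (!n->in_apr) { nt = n; error = ENOENT; break; }`. Separately, `rdr_masks |= 1 << k;` and `nat_masks |= 1 << k;` shift a signed int by up to 31, which is not well defined for k == 31; `1U << k` matches the u_32_t masks. nat_ioctl's body continues on both sides of the hunk.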
@@ -265,44 +405,87 @@ int mode;
/*
* Multiply by the number of ports made available.
*/
- if (ntohs(n->in_pmax) > ntohs(n->in_pmin))
+ if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) {
n->in_space *= (ntohs(n->in_pmax) -
- ntohs(n->in_pmin));
+ ntohs(n->in_pmin) + 1);
+ /*
+ * Because two different sources can map to
+ * different destinations but use the same
+ * local IP#/port #.
+ * If the result is smaller than in_space, then
+ * we may have wrapped around 32bits.
+ */
+ i = n->in_inmsk;
+ if ((i != 0) && (i != 0xffffffff)) {
+ j = n->in_space * (~ntohl(i) + 1);
+ if (j >= n->in_space)
+ n->in_space = j;
+ else
+ n->in_space = 0xffffffff;
+ }
+ }
+ /*
+ * If no protocol is specified, multiple by 256.
+ */
+ if ((n->in_flags & IPN_TCPUDP) == 0) {
+ j = n->in_space * 256;
+ if (j >= n->in_space)
+ n->in_space = j;
+ else
+ n->in_space = 0xffffffff;
+ }
}
/* Otherwise, these fields are preset */
- *np = n;
+ n = NULL;
nat_stats.ns_rules++;
break;
case SIOCRMNAT :
if (!(mode & FWRITE)) {
error = EPERM;
+ n = NULL;
break;
}
if (!n) {
error = ESRCH;
break;
}
+ if (n->in_redir & NAT_REDIRECT)
+ nat_delrdr(n);
+ if (n->in_redir & (NAT_MAPBLK|NAT_MAP))
+ nat_delnat(n);
+ if (nat_list == NULL) {
+ nat_masks = 0;
+ rdr_masks = 0;
+ }
*np = n->in_next;
if (!n->in_use) {
if (n->in_apr)
- ap_free(n->in_apr);
+ appr_free(n->in_apr);
KFREE(n);
nat_stats.ns_rules--;
} else {
n->in_flags |= IPN_DELETE;
n->in_next = NULL;
}
+ n = NULL;
break;
case SIOCGNATS :
+ MUTEX_DOWNGRADE(&ipf_nat);
nat_stats.ns_table[0] = nat_table[0];
nat_stats.ns_table[1] = nat_table[1];
nat_stats.ns_list = nat_list;
+ nat_stats.ns_nattab_sz = ipf_nattable_sz;
+ nat_stats.ns_rultab_sz = ipf_natrules_sz;
+ nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
+ nat_stats.ns_instances = nat_instances;
+ nat_stats.ns_apslist = ap_sess_list;
IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
break;
case SIOCGNATL :
{
natlookup_t nl;
+ MUTEX_DOWNGRADE(&ipf_nat);
IRCOPY((char *)data, (char *)&nl, sizeof(nl));
if (nat_lookupredir(&nl)) {
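Review bot: The 32-bit overflow guards `if (j >= n->in_space) n->in_space = j; else n->in_space = 0xffffffff;` are not reliable: a wrapped product can still exceed the multiplicand (in_space 3 times 0x60000000 wraps to 0x20000000, which passes the test), so in_space can end up small but wrong rather than saturated. Dividing first is exact: `if (n->in_space > 0xffffffff / m) n->in_space = 0xffffffff; else n->in_space *= m;` with m being `~ntohl(i) + 1` in the first case and 256 in the second (m is nonzero in both, since i == 0 is excluded). Because nat_new decrements in_space and compares against it (`if (l > np->in_space)`), a wrong value either exhausts a mapping early or never reports it exhausted. nat_ioctl's body continues on both sides of the hunk.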
@@ -317,7 +500,7 @@ int mode;
break;
}
ret = nat_flushtable();
- (void) ap_unload();
+ MUTEX_DOWNGRADE(&ipf_nat);
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
case SIOCCNATL :
@@ -326,17 +509,24 @@ int mode;
break;
}
ret = nat_clearlist();
+ MUTEX_DOWNGRADE(&ipf_nat);
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
case FIONREAD :
#ifdef IPFILTER_LOG
+ MUTEX_DOWNGRADE(&ipf_nat);
IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
sizeof(iplused[IPL_LOGNAT]));
#endif
break;
+ default :
+ error = EINVAL;
+ break;
}
- MUTEX_EXIT(&ipf_nat);
+ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
SPL_X(s);
+ if (nt)
+ KFREE(nt);
return error;
}
@@ -364,17 +554,21 @@ struct nat *natd;
break;
}
+ if (natd->nat_fr != NULL) {
+ ATOMIC_DEC(natd->nat_fr->fr_ref);
+ }
/*
* If there is an active reference from the nat entry to its parent
* rule, decrement the rule's reference count and free it too if no
* longer being used.
*/
- if ((ipn = natd->nat_ptr)) {
+ ipn = natd->nat_ptr;
+ if (ipn != NULL) {
ipn->in_space++;
ipn->in_use--;
if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
if (ipn->in_apr)
- ap_free(ipn->in_apr);
+ appr_free(ipn->in_apr);
KFREE(ipn);
nat_stats.ns_rules--;
}
@@ -385,6 +579,8 @@ struct nat *natd;
* dereference that as well.
*/
ipfr_forget((void *)natd);
+ aps_free(natd->nat_aps);
+ nat_stats.ns_inuse--;
KFREE(natd);
}
@@ -398,135 +594,76 @@ static int nat_flushtable()
register int j = 0;
/*
- * Everything will be deleted, so lets just make it the deletions
+ * ALL NAT mappings deleted, so lets just make the deletions
* quicker.
*/
- bzero((char *)nat_table[0], sizeof(nat_table[0]));
- bzero((char *)nat_table[1], sizeof(nat_table[1]));
+ if (nat_table[0] != NULL)
+ bzero((char *)nat_table[0],
+ sizeof(nat_table[0]) * ipf_nattable_sz);
+ if (nat_table[1] != NULL)
+ bzero((char *)nat_table[1],
+ sizeof(nat_table[1]) * ipf_nattable_sz);
for (natp = &nat_instances; (nat = *natp); ) {
*natp = nat->nat_next;
nat_delete(nat);
j++;
}
-
+ nat_stats.ns_inuse = 0;
return j;
}
/*
- * nat_clearlist - delete all entries in the active NAT mapping list.
+ * nat_clearlist - delete all rules in the active NAT mapping list.
*/
static int nat_clearlist()
{
register ipnat_t *n, **np = &nat_list;
int i = 0;
+ if (nat_rules != NULL)
+ bzero((char *)nat_rules, sizeof(*nat_rules) * ipf_natrules_sz);
+ if (rdr_rules != NULL)
+ bzero((char *)rdr_rules, sizeof(*rdr_rules) * ipf_rdrrules_sz);
+
while ((n = *np)) {
*np = n->in_next;
if (!n->in_use) {
if (n->in_apr)
- ap_free(n->in_apr);
+ appr_free(n->in_apr);
KFREE(n);
nat_stats.ns_rules--;
- i++;
} else {
n->in_flags |= IPN_DELETE;
n->in_next = NULL;
}
+ i++;
}
- nat_stats.ns_inuse = 0;
+ nat_masks = 0;
+ rdr_masks = 0;
return i;
}
/*
- * return the first IP Address associated with an interface
- */
-static int nat_ifpaddr(nat, ifptr, inp)
-nat_t *nat;
-void *ifptr;
-struct in_addr *inp;
-{
-#if SOLARIS
- ill_t *ill = ifptr;
-#else
- struct ifnet *ifp = ifptr;
-#endif
- struct in_addr in;
-
-#if SOLARIS
- in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr);
-#else /* SOLARIS */
-# if linux
- ;
-# else /* linux */
- struct ifaddr *ifa;
- struct sockaddr_in *sin;
-
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_FIRST(&ifp->if_addrhead);
-# else
-# if defined(__NetBSD__) || defined(__OpenBSD__)
- ifa = ifp->if_addrlist.tqh_first;
-# else
-# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
- ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
-# else
- ifa = ifp->if_addrlist;
-# endif
-# endif /* __NetBSD__ || __OpenBSD__ */
-# endif /* __FreeBSD_version >= 300000 */
-# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
- sin = (SOCKADDR_IN *)&ifa->ifa_addr;
-# else
- sin = (SOCKADDR_IN *)ifa->ifa_addr;
- while (sin && ifa &&
- sin->sin_family != AF_INET) {
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_NEXT(ifa, ifa_link);
-# else
-# if defined(__NetBSD__) || defined(__OpenBSD__)
- ifa = ifa->ifa_list.tqe_next;
-# else
- ifa = ifa->ifa_next;
-# endif
-# endif /* __FreeBSD_version >= 300000 */
- if (ifa)
- sin = (SOCKADDR_IN *)ifa->ifa_addr;
- }
- if (!ifa)
- sin = NULL;
- if (!sin) {
- KFREE(nat);
- return -1;
- }
-# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
- in = sin->sin_addr;
- in.s_addr = ntohl(in.s_addr);
-# endif /* linux */
-#endif /* SOLARIS */
- *inp = in;
- return 0;
-}
-
-
-/*
* Create a new NAT table entry.
+ * NOTE: assumes write lock on ipf_nat has been obtained already.
*/
nat_t *nat_new(np, ip, fin, flags, direction)
ipnat_t *np;
ip_t *ip;
fr_info_t *fin;
-u_short flags;
+u_int flags;
int direction;
{
register u_32_t sum1, sum2, sumd, l;
u_short port = 0, sport = 0, dport = 0, nport = 0;
- struct in_addr in;
+ nat_t *nat, **natp, *natl = NULL;
+ struct in_addr in, inb;
tcphdr_t *tcp = NULL;
- nat_t *nat, **natp;
u_short nflags;
+ u_int hv;
nflags = flags & np->in_flags;
if (flags & IPN_TCPUDP) {
@@ -536,78 +673,194 @@ int direction;
}
/* Give me a new nat */
- KMALLOC(nat, nat_t *, sizeof(*nat));
+ KMALLOC(nat, nat_t *);
if (nat == NULL)
return NULL;
bzero((char *)nat, sizeof(*nat));
nat->nat_flags = flags;
-
/*
* Search the current table for a match.
*/
if (direction == NAT_OUTBOUND) {
/*
+ * Values at which the search for a free resouce starts.
+ */
+ u_32_t st_ip;
+ u_short st_port;
+
+ /*
* If it's an outbound packet which doesn't match any existing
* record, then create a new port
*/
l = 0;
+ st_ip = np->in_nip;
+ st_port = np->in_pnext;
+
do {
- l++;
port = 0;
in.s_addr = np->in_nip;
- if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
- if ((l > 1) ||
- nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) {
+ if (l == 0) {
+ natl = nat_maplookup(fin->fin_ifp, flags,
+ ip->ip_src, ip->ip_dst);
+ if (natl != NULL) {
+ in = natl->nat_outip;
+#ifndef sparc
+ in.s_addr = ntohl(in.s_addr);
+#endif
+ }
+ }
+
+ if ((np->in_outmsk == 0xffffffff) &&
+ (np->in_pnext == 0)) {
+ if (l > 0) {
+ KFREE(nat);
+ return NULL;
+ }
+ }
+
+ if (np->in_redir & NAT_MAPBLK) {
+ if ((l >= np->in_ppip) || ((l > 0) &&
+ !(flags & IPN_TCPUDP))) {
+ KFREE(nat);
+ return NULL;
+ }
+ /*
+ * map-block - Calculate destination address.
+ */
+ in.s_addr = ntohl(ip->ip_src.s_addr);
+ in.s_addr &= ntohl(~np->in_inmsk);
+ inb.s_addr = in.s_addr;
+ in.s_addr /= np->in_ippip;
+ in.s_addr &= ntohl(~np->in_outmsk);
+ in.s_addr += ntohl(np->in_outip);
+ /*
+ * Calculate destination port.
+ */
+ if ((flags & IPN_TCPUDP) &&
+ (np->in_ppip != 0)) {
+ port = ntohs(sport) + l;
+ port %= np->in_ppip;
+ port += np->in_ppip *
+ (inb.s_addr % np->in_ippip);
+ port += MAPBLK_MINPORT;
+ port = htons(port);
+ }
+ } else if (!in.s_addr &&
+ (np->in_outmsk == 0xffffffff)) {
+ /*
+ * 0/32 - use the interface's IP address.
+ */
+ if ((l > 0) ||
+ fr_ifpaddr(fin->fin_ifp, &in) == -1) {
KFREE(nat);
return NULL;
}
} else if (!in.s_addr && !np->in_outmsk) {
- if (l > 1) {
+ /*
+ * 0/0 - use the original source address/port.
+ */
+ if (l > 0) {
KFREE(nat);
return NULL;
}
in.s_addr = ntohl(ip->ip_src.s_addr);
- if (nflags & IPN_TCPUDP)
- port = sport;
- } else if (nflags & IPN_TCPUDP) {
+ } else if ((np->in_outmsk != 0xffffffff) &&
+ (np->in_pnext == 0) &&
+ ((l > 0) || (natl == NULL)))
+ np->in_nip++;
+ natl = NULL;
+
+ if ((nflags & IPN_TCPUDP) &&
+ ((np->in_redir & NAT_MAPBLK) == 0) &&
+ (np->in_flags & IPN_AUTOPORTMAP)) {
+ if ((l > 0) && (l % np->in_ppip == 0)) {
+ if (l > np->in_space) {
+ KFREE(nat);
+ return NULL;
+ } else if ((l > np->in_ppip) &&
+ np->in_outmsk != 0xffffffff)
+ np->in_nip++;
+ }
+ if (np->in_ppip != 0) {
+ port = ntohs(sport);
+ port += (l % np->in_ppip);
+ port %= np->in_ppip;
+ port += np->in_ppip *
+ (ntohl(ip->ip_src.s_addr) %
+ np->in_ippip);
+ port += MAPBLK_MINPORT;
+ port = htons(port);
+ }
+ } else if (((np->in_redir & NAT_MAPBLK) == 0) &&
+ (nflags & IPN_TCPUDP) &&
+ (np->in_pnext != 0)) {
port = htons(np->in_pnext++);
- if (np->in_pnext >= ntohs(np->in_pmax)) {
+ if (np->in_pnext > ntohs(np->in_pmax)) {
np->in_pnext = ntohs(np->in_pmin);
- np->in_space--;
if (np->in_outmsk != 0xffffffff)
np->in_nip++;
}
- } else if (np->in_outmsk != 0xffffffff) {
- np->in_space--;
- np->in_nip++;
+ }
+
+ if (np->in_flags & IPN_RANGE) {
+ if (np->in_nip >= ntohl(np->in_outmsk))
+ np->in_nip = ntohl(np->in_outip);
+ } else {
+ if ((np->in_outmsk != 0xffffffff) &&
+ ((np->in_nip + 1) & ntohl(np->in_outmsk)) >
+ ntohl(np->in_outip))
+ np->in_nip = ntohl(np->in_outip) + 1;
}
if (!port && (flags & IPN_TCPUDP))
port = sport;
- if ((np->in_nip & ntohl(np->in_outmsk)) >
- ntohl(np->in_outip))
- np->in_nip = ntohl(np->in_outip) + 1;
- } while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst,
- dport, in, port));
+
+ /*
+ * Here we do a lookup of the connection as seen from
+ * the outside. If an IP# pair already exists, try
+ * again. So if you have A->B becomes C->B, you can
+ * also have D->E become C->E but not D->B causing
+ * another C->B. Also take protocol and ports into
+ * account when determining whether a pre-existing
+ * NAT setup will cause an external conflict where
+ * this is appropriate.
+ */
+ inb.s_addr = htonl(in.s_addr);
+ natl = nat_inlookup(fin->fin_ifp, flags,
+ (u_int)ip->ip_p, ip->ip_dst, inb,
+ (port << 16) | dport);
+
+ /*
+ * Has the search wrapped around and come back to the
+ * start ?
+ */
+ if ((natl != NULL) &&
+ (np->in_pnext != 0) && (st_port == np->in_pnext) &&
+ (np->in_nip != 0) && (st_ip == np->in_nip)) {
+ KFREE(nat);
+ return NULL;
+ }
+ l++;
+ } while (natl != NULL);
+
+ if (np->in_space > 0)
+ np->in_space--;
/* Setup the NAT table */
nat->nat_inip = ip->ip_src;
nat->nat_outip.s_addr = htonl(in.s_addr);
nat->nat_oip = ip->ip_dst;
- sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) +
- (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport);
-
- sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(port);
+ sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)) + ntohs(sport);
+ sum2 = LONG_SUM(in.s_addr) + ntohs(port);
if (flags & IPN_TCPUDP) {
nat->nat_inport = sport;
- nat->nat_outport = port;
+ nat->nat_outport = port; /* sport */
nat->nat_oport = dport;
}
} else {
-
/*
* Otherwise, it's an inbound packet. Most likely, we don't
* want to rewrite source ports and source addresses. Instead,
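Review bot: The map-block and auto-portmap arithmetic divides by rule fields that arrive unchecked from the SIOCADNAT copy: `in.s_addr /= np->in_ippip;` in the NAT_MAPBLK branch, and `(l % np->in_ppip == 0)` plus `% np->in_ippip` in the IPN_AUTOPORTMAP branch, are unguarded, while only the port computations test `np->in_ppip != 0`. A rule with in_ippip or in_ppip equal to zero would therefore trap on a divide by zero in the kernel on the first matching packet. Unless ipnat(8) is trusted never to produce such a rule (not visible from here), nat_ioctl should reject it at add time, e.g. `if (((nat->in_redir & NAT_MAPBLK) || (nat->in_flags & IPN_AUTOPORTMAP)) && ((nat->in_ppip == 0) || (nat->in_ippip == 0))) { error = EINVAL; break; }`. nat_new's body continues past the hunk.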
@@ -618,14 +871,22 @@ int direction;
if (!(nport = np->in_pnext))
nport = dport;
+ /*
+ * When the redirect-to address is set to 0.0.0.0, just
+ * assume a blank `forwarding' of the packet. We don't
+ * setup any translation for this either.
+ */
+ if ((in.s_addr == 0) && (nport == dport)) {
+ KFREE(nat);
+ return NULL;
+ }
+
nat->nat_inip.s_addr = htonl(in.s_addr);
nat->nat_outip = ip->ip_dst;
nat->nat_oip = ip->ip_src;
- sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) +
- (ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport);
-
- sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport);
+ sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr)) + ntohs(dport);
+ sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
if (flags & IPN_TCPUDP) {
nat->nat_inport = nport;
@@ -634,42 +895,18 @@ int direction;
}
}
- /* Do it twice */
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
-
- /* Do it twice */
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- if (sum1 > sum2)
- sum2--; /* Because ~1 == -2, We really need ~1 == -1 */
- sumd = sum2 - sum1;
- sumd = (sumd & 0xffff) + (sumd >> 16);
+ CALC_SUMD(sum1, sum2, sumd);
nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) {
if (direction == NAT_OUTBOUND)
- sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) +
- (ntohl(ip->ip_src.s_addr) >> 16);
+ sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
else
- sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) +
- (ntohl(ip->ip_dst.s_addr) >> 16);
-
- sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16);
-
- /* Do it twice */
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
+ sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr));
- /* Do it twice */
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ sum2 = LONG_SUM(in.s_addr);
- if (sum1 > sum2)
- sum2--; /* Because ~1 == -2, We really need ~1 == -1 */
- sumd = sum2 - sum1;
- sumd = (sumd & 0xffff) + (sumd >> 16);
+ CALC_SUMD(sum1, sum2, sumd);
nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
} else
nat->nat_ipsumd = nat->nat_sumd;
@@ -677,19 +914,27 @@ int direction;
in.s_addr = htonl(in.s_addr);
nat->nat_next = nat_instances;
nat_instances = nat;
- natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE];
+ hv = NAT_HASH_FN(nat->nat_inip.s_addr, ipf_nattable_sz);
+ natp = &nat_table[0][hv];
nat->nat_hstart[0] = natp;
nat->nat_hnext[0] = *natp;
*natp = nat;
- natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE];
+ hv = NAT_HASH_FN(nat->nat_outip.s_addr, ipf_nattable_sz);
+ natp = &nat_table[1][hv];
nat->nat_hstart[1] = natp;
nat->nat_hnext[1] = *natp;
*natp = nat;
+ nat->nat_dir = direction;
+ nat->nat_ifp = fin->fin_ifp;
nat->nat_ptr = np;
+ nat->nat_p = ip->ip_p;
nat->nat_bytes = 0;
nat->nat_pkts = 0;
- nat->nat_ifp = fin->fin_ifp;
- nat->nat_dir = direction;
+ nat->nat_age = fr_defnatage;
+ nat->nat_fr = fin->fin_fr;
+ if (nat->nat_fr != NULL) {
+ ATOMIC_INC(nat->nat_fr->fr_ref);
+ }
if (direction == NAT_OUTBOUND) {
if (flags & IPN_TCPUDP)
tcp->th_sport = port;
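Review bot: The new entry is linked into `nat_instances` and both hash chains (the `nat_next`, `nat_hstart` and `nat_hnext` stores) before `nat_dir`, `nat_ifp`, `nat_p` and `nat_fr` are filled in, so for a few statements a reachable entry carries uninitialised lookup keys; that is only safe because the caller holds `ipf_nat` for writing, which nat_new does not say anywhere. Either move the link-in below the `nat_fr` assignment or add `/* caller holds ipf_nat for writing: the entry is visible in the chains before nat_dir/nat_ifp/nat_p are set */` above `nat->nat_next = nat_instances;`. The `ATOMIC_INC(nat->nat_fr->fr_ref)` needs a matching release on the delete path, which is outside this hunk, as is the rest of nat_new.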
@@ -719,7 +964,7 @@ fr_info_t *fin;
* Only a basic IP header (no options) should be with an ICMP error
* header.
*/
- if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t)))
+ if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
return NULL;
type = icmp->icmp_type;
/*
@@ -731,16 +976,20 @@ fr_info_t *fin;
return NULL;
oip = (ip_t *)((char *)fin->fin_dp + 8);
+ if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ return NULL;
if (oip->ip_p == IPPROTO_TCP)
flags = IPN_TCP;
else if (oip->ip_p == IPPROTO_UDP)
flags = IPN_UDP;
if (flags & IPN_TCPUDP) {
tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
- return nat_inlookup(fin->fin_ifp, flags, oip->ip_dst,
- tcp->th_dport, oip->ip_src, tcp->th_sport);
+ return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p,
+ oip->ip_dst, oip->ip_src,
+ (tcp->th_sport << 16) | tcp->th_dport);
}
- return nat_inlookup(fin->fin_ifp, 0, oip->ip_src, 0, oip->ip_dst, 0);
+ return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, oip->ip_dst,
+ oip->ip_src, 0);
}
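Review bot: The new length test `ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)` trusts the inner header's `ip_hl` before it is validated: an inner `ip_hl` below 5 makes the subtraction negative (it is done in int) and the right-hand side smaller than `ICMPERR_MAXPKTLEN`, and the same field then positions the `tcp =` pointer from which the port words are read. Whether that is reachable depends on what the earlier `ICMPERR_MINPKTLEN` check in the previous hunk and the macro values guarantee, which is not visible here. I would reject malformed inner headers before the arithmetic, `if (oip->ip_hl < 5) return NULL;` directly after the `oip =` assignment, and note next to `ICMPERR_MAXPKTLEN` that it must cover the inner IP header plus the first 8 bytes of transport payload for the port reads below to stay in bounds.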
@@ -751,8 +1000,10 @@ fr_info_t *fin;
nat_t *nat_icmpin(ip, fin, nflags)
ip_t *ip;
fr_info_t *fin;
-int *nflags;
+u_int *nflags;
{
+ u_32_t sum1, sum2, sumd;
+ struct in_addr in;
icmphdr_t *icmp;
nat_t *nat;
ip_t *oip;
@@ -760,10 +1011,9 @@ int *nflags;
if (!(nat = nat_icmpinlookup(ip, fin)))
return NULL;
-
*nflags = IPN_ICMPERR;
icmp = (icmphdr_t *)fin->fin_dp;
- oip = (ip_t *)((char *)icmp + 8);
+ oip = (ip_t *)&icmp->icmp_ip;
if (oip->ip_p == IPPROTO_TCP)
flags = IPN_TCP;
else if (oip->ip_p == IPPROTO_UDP)
@@ -777,54 +1027,61 @@ int *nflags;
* to only modify the checksum once for the port # and twice
* for the IP#.
*/
- if (flags & IPN_TCPUDP) {
- tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
- u_32_t sum1, sum2, sumd;
- struct in_addr in;
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
+ in = nat->nat_inip;
+ oip->ip_src = in;
+ } else {
+ sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
+ in = nat->nat_outip;
+ oip->ip_dst = in;
+ }
- if (nat->nat_dir == NAT_OUTBOUND) {
- sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
- in = nat->nat_outip;
- oip->ip_src = in;
- tcp->th_sport = nat->nat_outport;
- } else {
- sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
- in = nat->nat_inip;
- oip->ip_dst = in;
- tcp->th_dport = nat->nat_inport;
- }
+ sum2 = LONG_SUM(ntohl(in.s_addr));
- sum2 = LONG_SUM(in.s_addr);
+ CALC_SUMD(sum1, sum2, sumd);
- CALC_SUMD(sum1, sum2, sumd);
- sumd = (sumd & 0xffff) + (sumd >> 16);
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ fix_incksum(&oip->ip_sum, sumd);
- if (nat->nat_dir == NAT_OUTBOUND) {
- fix_incksum(&oip->ip_sum, sumd);
- fix_incksum(&icmp->icmp_cksum, sumd);
- } else {
- fix_outcksum(&oip->ip_sum, sumd);
- fix_outcksum(&icmp->icmp_cksum, sumd);
- }
+ sumd += (sumd & 0xffff);
+ while (sumd > 0xffff)
+ sumd = (sumd & 0xffff) + (sumd >> 16);
+ fix_outcksum(&icmp->icmp_cksum, sumd);
+ } else {
+ fix_outcksum(&oip->ip_sum, sumd);
- /*
- * TCP checksum doesn't make it into the 1st eight
- * bytes but UDP does.
- */
- if (ip->ip_p == IPPROTO_UDP) {
- udphdr_t *udp = (udphdr_t *)tcp;
+ sumd += (sumd & 0xffff);
+ while (sumd > 0xffff)
+ sumd = (sumd & 0xffff) + (sumd >> 16);
+ fix_incksum(&icmp->icmp_cksum, sumd);
+ }
- if (udp->uh_sum) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(&udp->uh_sum,
- nat->nat_sumd);
- else
- fix_outcksum(&udp->uh_sum,
- nat->nat_sumd);
+
+ if ((flags & IPN_TCPUDP) != 0) {
+ tcphdr_t *tcp;
+
+ /* XXX - what if this is bogus hl and we go off the end ? */
+ tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
+
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ if (tcp->th_sport != nat->nat_inport) {
+ sum1 = ntohs(tcp->th_sport);
+ sum2 = ntohs(nat->nat_inport);
+ CALC_SUMD(sum1, sum2, sumd);
+ tcp->th_sport = nat->nat_inport;
+ fix_outcksum(&icmp->icmp_cksum, sumd);
+ }
+ } else {
+ if (tcp->th_dport != nat->nat_outport) {
+ sum1 = ntohs(tcp->th_dport);
+ sum2 = ntohs(nat->nat_outport);
+ CALC_SUMD(sum1, sum2, sumd);
+ tcp->th_dport = nat->nat_outport;
+ fix_incksum(&icmp->icmp_cksum, sumd);
}
}
- } else
- ip->ip_dst = nat->nat_outip;
+ }
nat->nat_age = fr_defnaticmpage;
return nat;
}
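Review bot: The `/* XXX - what if this is bogus hl and we go off the end ? */` left above `tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2)))` marks a real gap: the `th_sport`/`th_dport` reads and writes a few lines later sit at an offset taken from the packet itself, and the only guard is the length test in nat_icmpinlookup, which (per the earlier hunk) is computed from the same unvalidated `ip_hl`. A minimal fix is to check the offset here as well, `if ((oip->ip_hl < 5) || (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))) return nat;` before the port rewrite, and then drop the XXX. The doubled `sumd` fed to `icmp_cksum` (the `sumd += (sumd & 0xffff)` loops) is worth confirming against a captured ICMP error, since `fix_incksum(&oip->ip_sum, sumd)` already keeps the inner header self-consistent and the net effect on the ICMP checksum is not obvious from the code.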
@@ -840,29 +1097,35 @@ int *nflags;
* we're looking for a table entry, based on the destination address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
-#ifdef __STDC__
-nat_t *nat_inlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr mapdst, u_short mapdport)
-#else
-nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport)
+nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports)
void *ifp;
-register int flags;
+register u_int flags, p;
struct in_addr src , mapdst;
-u_short sport, mapdport;
-#endif
+u_32_t ports;
{
+ register u_short sport, mapdport;
register nat_t *nat;
+ register int nflags;
+ u_int hv;
+ mapdport = ports >> 16;
+ sport = ports & 0xffff;
flags &= IPN_TCPUDP;
- nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
- for (; nat; nat = nat->nat_hnext[1])
+ hv = NAT_HASH_FN(mapdst.s_addr, ipf_nattable_sz);
+ nat = nat_table[1][hv];
+ for (; nat; nat = nat->nat_hnext[1]) {
+ nflags = nat->nat_flags;
if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_oip.s_addr == src.s_addr &&
nat->nat_outip.s_addr == mapdst.s_addr &&
- flags == nat->nat_flags && (!flags ||
- (nat->nat_oport == sport &&
- nat->nat_outport == mapdport)))
+ (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP)))
+ || (p == nat->nat_p)) && (!flags ||
+ (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
+ ((nat->nat_outport == mapdport) ||
+ (nflags & FI_W_SPORT)))))
return nat;
+ }
return NULL;
}
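Review bot: The new `ports` argument packs two ports into a `u_32_t` under a convention (`mapdport = ports >> 16; sport = ports & 0xffff;`) that every caller must mirror, and nat_icmpinlookup builds it from `th_sport`/`th_dport` while ip_natin builds it from `dport`/`sport`; a comment on the parameter, `/* ports: mapped destination port in the high 16 bits, source port in the low 16, both as taken from the header */`, makes that contract checkable. The wildcard tests pair `FI_W_DPORT` with `nat_oport == sport` and `FI_W_SPORT` with `nat_outport == mapdport`, which appears to follow the outbound naming (remote port versus mapped port) and deserves the same one-line note, because read from the inbound side it looks swapped.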
@@ -873,27 +1136,33 @@ u_short sport, mapdport;
* we're looking for a table entry, based on the source address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
-#ifdef __STDC__
-nat_t *nat_outlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr dst, u_short dport)
-#else
-nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport)
+nat_t *nat_outlookup(ifp, flags, p, src, dst, ports)
void *ifp;
-register int flags;
+register u_int flags, p;
struct in_addr src , dst;
-u_short sport, dport;
-#endif
+u_32_t ports;
{
+ register u_short sport, dport;
register nat_t *nat;
+ register int nflags;
+ u_int hv;
+ sport = ports & 0xffff;
+ dport = ports >> 16;
flags &= IPN_TCPUDP;
- nat = nat_table[0][src.s_addr % NAT_SIZE];
+ hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz);
+ nat = nat_table[0][hv];
for (; nat; nat = nat->nat_hnext[0]) {
+ nflags = nat->nat_flags;
+
if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_inip.s_addr == src.s_addr &&
nat->nat_oip.s_addr == dst.s_addr &&
- flags == nat->nat_flags && (!flags ||
- (nat->nat_inport == sport && nat->nat_oport == dport)))
+ (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP)))
+ || (p == nat->nat_p)) && (!flags ||
+ ((nat->nat_inport == sport || nflags & FI_W_SPORT) &&
+ (nat->nat_oport == dport || nflags & FI_W_DPORT))))
return nat;
}
return NULL;
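Review bot: `nat->nat_inport == sport || nflags & FI_W_SPORT` relies on `&` binding tighter than `||`; it is correct, but nat_inlookup writes the same test as `((nat->nat_oport == sport) || (nflags & FI_W_DPORT))`, so `(nat->nat_inport == sport || (nflags & FI_W_SPORT))` and `(nat->nat_oport == dport || (nflags & FI_W_DPORT))` keep the two lookups visibly parallel and avoid the usual compiler warning about mixed `&`/`||`.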
@@ -901,33 +1170,30 @@ u_short sport, dport;
/*
- * Lookup a nat entry based on the mapped source ip address/port and
- * real destination address/port. We use this lookup when sending a packet
- * out, we're looking for a table entry, based on the source address.
+ * check if an ip address has already been allocated for a given mapping that
+ * is not doing port based translation.
*/
-#ifdef __STDC__
-nat_t *nat_lookupmapip(void *ifp, int flags, struct in_addr mapsrc, u_short mapsport, struct in_addr dst, u_short dport)
-#else
-nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport)
+nat_t *nat_maplookup(ifp, flags, src, dst)
void *ifp;
-register int flags;
-struct in_addr mapsrc , dst;
-u_short mapsport, dport;
-#endif
+register u_int flags;
+struct in_addr src , dst;
{
register nat_t *nat;
+ register int oflags;
+ u_int hv;
- flags &= IPN_TCPUDP;
+ hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz);
+ nat = nat_table[0][hv];
+ for (; nat; nat = nat->nat_hnext[0]) {
+ oflags = (flags & IPN_TCPUDP) & nat->nat_ptr->in_flags;
+ if (oflags != 0)
+ continue;
- nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
- for (; nat; nat = nat->nat_hnext[0])
if ((!ifp || ifp == nat->nat_ifp) &&
- nat->nat_oip.s_addr == dst.s_addr &&
- nat->nat_outip.s_addr == mapsrc.s_addr &&
- flags == nat->nat_flags && (!flags ||
- (nat->nat_outport == mapsport &&
- nat->nat_oport == dport)))
+ nat->nat_inip.s_addr == src.s_addr &&
+ nat->nat_oip.s_addr == dst.s_addr)
return nat;
+ }
return NULL;
}
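Review bot: `nat->nat_ptr->in_flags` is dereferenced for every chained entry without checking `nat_ptr`, while nat_log later in this diff tests `nat->nat_ptr != NULL` first; whether a session can outlive its rule is not visible here, but the two should agree. `if ((nat->nat_ptr == NULL) || ((flags & nat->nat_ptr->in_flags & IPN_TCPUDP) != 0)) continue;` keeps the skip semantics and drops the `oflags` temporary. The header comment could also state which chain is walked, `/* walks the inbound-address chain (nat_table[0]) keyed on src */`, since the removed nat_lookupmapip started from `nat_table[1]` and followed `nat_hnext[0]`.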
@@ -938,15 +1204,16 @@ u_short mapsport, dport;
nat_t *nat_lookupredir(np)
register natlookup_t *np;
{
+ u_32_t ports;
nat_t *nat;
+ ports = (np->nl_outport << 16) | np->nl_inport;
/*
* If nl_inip is non null, this is a lookup based on the real
* ip address. Else, we use the fake.
*/
- if ((nat = nat_outlookup(NULL, np->nl_flags, np->nl_inip,
- np->nl_inport, np->nl_outip,
- np->nl_outport))) {
+ if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip,
+ np->nl_outip, ports))) {
np->nl_realip = nat->nat_outip;
np->nl_realport = nat->nat_outport;
}
@@ -958,19 +1225,24 @@ register natlookup_t *np;
* Packets going out on the external interface go through this.
* Here, the source address requires alteration, if anything.
*/
-int ip_natout(ip, hlen, fin)
+int ip_natout(ip, fin)
ip_t *ip;
-int hlen;
fr_info_t *fin;
{
- register ipnat_t *np;
+ register ipnat_t *np = NULL;
register u_32_t ipa;
tcphdr_t *tcp = NULL;
u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
struct ifnet *ifp;
+ int natadd = 1;
frentry_t *fr;
+ u_int hv, msk;
+ u_32_t iph;
nat_t *nat;
- int natadd = 1;
+ int i;
+
+ if (nat_list == NULL)
+ return 0;
if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
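Review bot: `if (nat_list == NULL) return 0;` reads the rule list head before `READ_ENTER(&ipf_nat)` is taken further down, so it races with `nat_clearlist()`, which ip_natunload runs under `WRITE_ENTER`; as a fast path that is acceptable only if a stale value is harmless, which should be said in place, `/* unlocked fast path: a stale value only costs one locked lookup */`. ip_natin opens with the same line. ip_natout continues past this hunk.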
@@ -978,12 +1250,12 @@ fr_info_t *fin;
else
ifp = fin->fin_ifp;
- if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
nflags = IPN_TCP;
else if (ip->ip_p == IPPROTO_UDP)
nflags = IPN_UDP;
- if (nflags) {
+ if ((nflags & IPN_TCPUDP)) {
tcp = (tcphdr_t *)fin->fin_dp;
sport = tcp->th_sport;
dport = tcp->th_dport;
@@ -992,25 +1264,46 @@ fr_info_t *fin;
ipa = ip->ip_src.s_addr;
- MUTEX_ENTER(&ipf_nat);
+ READ_ENTER(&ipf_nat);
if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
- else if ((nat = nat_outlookup(ifp, nflags, ip->ip_src, sport,
- ip->ip_dst, dport)))
- ;
- else
+ else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src,
+ ip->ip_dst, (dport << 16) | sport))) {
+ nflags = nat->nat_flags;
+ if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
+ if ((nflags & FI_W_SPORT) &&
+ (nat->nat_inport != sport))
+ nat->nat_inport = sport;
+ else if ((nflags & FI_W_DPORT) &&
+ (nat->nat_oport != dport))
+ nat->nat_oport = dport;
+ if (nat->nat_outport == 0)
+ nat->nat_outport = sport;
+ nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT);
+ nflags = nat->nat_flags;
+ }
+ } else {
+ RWLOCK_EXIT(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
/*
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
*/
- for (np = nat_list; np; np = np->in_next)
+ msk = 0xffffffff;
+ i = 32;
+maskloop:
+ iph = ipa & htonl(msk);
+ hv = NAT_HASH_FN(iph, ipf_natrules_sz);
+ for (np = nat_rules[hv]; np; np = np->in_mnext)
+ {
if ((np->in_ifp == ifp) && np->in_space &&
- (!np->in_flags || (np->in_flags & nflags)) &&
+ (!(np->in_flags & IPN_RF) ||
+ (np->in_flags & nflags)) &&
((ipa & np->in_inmsk) == np->in_inip) &&
- ((np->in_redir & NAT_MAP) ||
+ ((np->in_redir & (NAT_MAP|NAT_MAPBLK)) ||
(np->in_pnext == sport))) {
- if (*np->in_plabel && !ap_ok(ip, tcp, np))
+ if (*np->in_plabel && !appr_ok(ip, tcp, np))
continue;
/*
* If it's a redirection, then we don't want to
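Review bot: The read-to-write upgrade on the `RWLOCK_EXIT(&ipf_nat); WRITE_ENTER(&ipf_nat);` lines opens a window in which another context can create a session for the same flow, and the rule walk that follows creates a second one without re-checking; the ip_natin hunk has the same pattern. After `WRITE_ENTER` the code should repeat the `nat_outlookup(...)` call and only enter the rule search when it still returns NULL. The wildcard fix-up just above (`nat->nat_inport = sport`, `nat->nat_oport = dport`, `nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT)`) also writes to a shared entry while only the read lock is held, whereas the counter updates later in this function are wrapped in `MUTEX_ENTER(&ipf_rw)`; either take `ipf_rw` around the fix-up or state in a comment why a racing writer is harmless. How much of this matters depends on what the lock macros expand to on a given platform, which this diff does not show. ip_natout continues in the next hunk.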
@@ -1018,80 +1311,100 @@ fr_info_t *fin;
* Redirections are only for incoming
* connections.
*/
- if (!(np->in_redir & NAT_MAP))
+ if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
continue;
- if ((nat = nat_new(np, ip, fin, nflags,
- NAT_OUTBOUND)))
+ if ((nat = nat_new(np, ip, fin, (u_int)nflags,
+ NAT_OUTBOUND))) {
+ np->in_hits++;
#ifdef IPFILTER_LOG
- nat_log(nat, (u_short)np->in_redir);
-#else
- ;
+ nat_log(nat, (u_int)np->in_redir);
#endif
- break;
+ break;
+ }
}
+ }
+ if ((np == NULL) && (i > 0)) {
+ do {
+ i--;
+ msk <<= 1;
+ } while ((i >= 0) && ((nat_masks & (1 << i)) == 0));
+ if (i >= 0)
+ goto maskloop;
+ }
+ MUTEX_DOWNGRADE(&ipf_nat);
+ }
if (nat) {
- if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
- ipfr_nat_newfrag(ip, fin, 0, nat);
- nat->nat_age = fr_defnatage;
- ip->ip_src = nat->nat_outip;
- nat->nat_bytes += ip->ip_len;
- nat->nat_pkts++;
+ np = nat->nat_ptr;
+ if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
+ ipfr_nat_newfrag(ip, fin, 0, nat);
+ ip->ip_src = nat->nat_outip;
+ MUTEX_ENTER(&ipf_rw);
+ nat->nat_age = fr_defnatage;
+ nat->nat_bytes += ip->ip_len;
+ nat->nat_pkts++;
+ MUTEX_EXIT(&ipf_rw);
- /*
- * Fix up checksums, not by recalculating them, but
- * simply computing adjustments.
- */
+ /*
+ * Fix up checksums, not by recalculating them, but
+ * simply computing adjustments.
+ */
#if SOLARIS || defined(__sgi)
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
- else
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
+ else
+ fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
#endif
- if (nflags && !(ip->ip_off & 0x1fff) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
-
- if (nat->nat_outport)
- tcp->th_sport = nat->nat_outport;
-
- if (ip->ip_p == IPPROTO_TCP) {
- csump = &tcp->th_sum;
- fr_tcp_age(&nat->nat_age,
- nat->nat_state, ip, fin,1);
- /*
- * Increase this because we may have
- * "keep state" following this too and
- * packet storms can occur if this is
- * removed too quickly.
- */
- if (nat->nat_age == fr_tcpclosed)
- nat->nat_age = fr_tcplastack;
- } else if (ip->ip_p == IPPROTO_UDP) {
- udphdr_t *udp = (udphdr_t *)tcp;
-
- if (udp->uh_sum)
- csump = &udp->uh_sum;
- } else if (ip->ip_p == IPPROTO_ICMP) {
- icmphdr_t *ic = (icmphdr_t *)tcp;
-
- csump = &ic->icmp_cksum;
- }
- if (csump) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(csump,
- nat->nat_sumd);
- else
- fix_incksum(csump,
- nat->nat_sumd);
- }
+ if (!(ip->ip_off & IP_OFFMASK) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT)) {
+
+ if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
+ tcp->th_sport = nat->nat_outport;
+ fin->fin_data[0] = ntohs(tcp->th_sport);
+ }
+
+ if (ip->ip_p == IPPROTO_TCP) {
+ csump = &tcp->th_sum;
+ MUTEX_ENTER(&ipf_rw);
+ fr_tcp_age(&nat->nat_age,
+ nat->nat_tcpstate, ip, fin, 1);
+ if (nat->nat_age < fr_defnaticmpage)
+ nat->nat_age = fr_defnaticmpage;
+#ifdef LARGE_NAT
+ else if (nat->nat_age > DEF_NAT_AGE)
+ nat->nat_age = DEF_NAT_AGE;
+#endif
+ /*
+ * Increase this because we may have
+ * "keep state" following this too and
+ * packet storms can occur if this is
+ * removed too quickly.
+ */
+ if (nat->nat_age == fr_tcpclosed)
+ nat->nat_age = fr_tcplastack;
+ MUTEX_EXIT(&ipf_rw);
+ } else if (ip->ip_p == IPPROTO_UDP) {
+ udphdr_t *udp = (udphdr_t *)tcp;
+
+ if (udp->uh_sum)
+ csump = &udp->uh_sum;
+ }
+ if (csump) {
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_outcksum(csump, nat->nat_sumd);
+ else
+ fix_incksum(csump, nat->nat_sumd);
}
- (void) ap_check(ip, tcp, fin, nat);
- nat_stats.ns_mapped[1]++;
- MUTEX_EXIT(&ipf_nat);
- return -2;
}
- MUTEX_EXIT(&ipf_nat);
+ if ((np->in_apr != NULL) && (np->in_dport == 0 ||
+ (tcp != NULL && dport == np->in_dport)))
+ (void) appr_check(ip, fin, nat);
+ ATOMIC_INC(nat_stats.ns_mapped[1]);
+ RWLOCK_EXIT(&ipf_nat); /* READ */
+ return 1;
+ }
+ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
return 0;
}
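Review bot: `np = nat->nat_ptr;` followed by `np->in_apr` and `np->in_dport` near the end of this hunk dereferences the rule pointer without a NULL check, while nat_log in a later hunk tests `nat->nat_ptr != NULL` before using it; one of the two is inconsistent, and ip_natin has the same pair of lines. Whether `nat_ptr` can become NULL (for instance when a rule is removed while sessions survive) is not visible here, so either guard with `if ((np != NULL) && (np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && dport == np->in_dport)))` or add a comment above `np = nat->nat_ptr;` stating that a live session always has a rule. ip_natout starts in the previous hunk.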
@@ -1100,127 +1413,172 @@ fr_info_t *fin;
* Packets coming in from the external interface go through this.
* Here, the destination address requires alteration, if anything.
*/
-int ip_natin(ip, hlen, fin)
+int ip_natin(ip, fin)
ip_t *ip;
-int hlen;
fr_info_t *fin;
{
- register ipnat_t *np;
+ register struct in_addr src;
register struct in_addr in;
+ register ipnat_t *np;
+ u_int nflags = 0, natadd = 1, hv, msk;
struct ifnet *ifp = fin->fin_ifp;
tcphdr_t *tcp = NULL;
u_short sport = 0, dport = 0, *csump = NULL;
nat_t *nat;
- int nflags = 0, natadd = 1;
+ u_32_t iph;
+ int i;
+
+ if (nat_list == NULL)
+ return 0;
- if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
nflags = IPN_TCP;
else if (ip->ip_p == IPPROTO_UDP)
nflags = IPN_UDP;
- if (nflags) {
- tcp = (tcphdr_t *)((char *)ip + hlen);
+ if ((nflags & IPN_TCPUDP)) {
+ tcp = (tcphdr_t *)fin->fin_dp;
dport = tcp->th_dport;
sport = tcp->th_sport;
}
}
in = ip->ip_dst;
+ /* make sure the source address is to be redirected */
+ src = ip->ip_src;
- MUTEX_ENTER(&ipf_nat);
+ READ_ENTER(&ipf_nat);
if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags)))
;
else if ((ip->ip_off & IP_OFFMASK) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
- else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
- ip->ip_dst, dport)))
- ;
- else
+ else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
+ ip->ip_src, in, (dport << 16) | sport))) {
+ nflags = nat->nat_flags;
+ if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
+ if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT))
+ nat->nat_oport = sport;
+ else if ((nat->nat_outport != dport) &&
+ (nflags & FI_W_SPORT))
+ nat->nat_outport = dport;
+ nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT);
+ nflags = nat->nat_flags;
+ }
+ } else {
+ RWLOCK_EXIT(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
/*
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
*/
- for (np = nat_list; np; np = np->in_next)
+ msk = 0xffffffff;
+ i = 32;
+maskloop:
+ iph = in.s_addr & htonl(msk);
+ hv = NAT_HASH_FN(iph, ipf_rdrrules_sz);
+ for (np = rdr_rules[hv]; np; np = np->in_rnext)
if ((np->in_ifp == ifp) &&
(!np->in_flags || (nflags & np->in_flags)) &&
((in.s_addr & np->in_outmsk) == np->in_outip) &&
+ ((src.s_addr & np->in_srcmsk) == np->in_srcip) &&
(np->in_redir & NAT_REDIRECT) &&
(!np->in_pmin || np->in_pmin == dport)) {
if ((nat = nat_new(np, ip, fin, nflags,
- NAT_INBOUND)))
+ NAT_INBOUND))) {
+ np->in_hits++;
#ifdef IPFILTER_LOG
- nat_log(nat, (u_short)np->in_redir);
-#else
- ;
+ nat_log(nat, (u_int)np->in_redir);
#endif
- break;
+ break;
+ }
}
+ if ((np == NULL) && (i > 0)) {
+ do {
+ i--;
+ msk <<= 1;
+ } while ((i >= 0) && ((rdr_masks & (1 << i)) == 0));
+ if (i >= 0)
+ goto maskloop;
+ }
+ MUTEX_DOWNGRADE(&ipf_nat);
+ }
if (nat) {
- if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
- ipfr_nat_newfrag(ip, fin, 0, nat);
- (void) ap_check(ip, tcp, fin, nat);
-
- if (nflags != IPN_ICMPERR)
- nat->nat_age = fr_defnatage;
+ np = nat->nat_ptr;
+ fin->fin_fr = nat->nat_fr;
+ if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
+ ipfr_nat_newfrag(ip, fin, 0, nat);
+ if ((np->in_apr != NULL) && (np->in_dport == 0 ||
+ (tcp != NULL && sport == np->in_dport)))
+ (void) appr_check(ip, fin, nat);
+
+ MUTEX_ENTER(&ipf_rw);
+ if (nflags != IPN_ICMPERR)
+ nat->nat_age = fr_defnatage;
- ip->ip_dst = nat->nat_inip;
- nat->nat_bytes += ip->ip_len;
- nat->nat_pkts++;
+ nat->nat_bytes += ip->ip_len;
+ nat->nat_pkts++;
+ MUTEX_EXIT(&ipf_rw);
+ ip->ip_dst = nat->nat_inip;
+ fin->fin_fi.fi_dst = nat->nat_inip;
- /*
- * Fix up checksums, not by recalculating them, but
- * simply computing adjustments.
- */
+ /*
+ * Fix up checksums, not by recalculating them, but
+ * simply computing adjustments.
+ */
#if SOLARIS || defined(__sgi)
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
- else
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
+ else
+ fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
#endif
- if ((nflags & IPN_TCPUDP) && !(ip->ip_off & 0x1fff) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
-
- if (nat->nat_inport)
- tcp->th_dport = nat->nat_inport;
-
- if (ip->ip_p == IPPROTO_TCP) {
- csump = &tcp->th_sum;
- fr_tcp_age(&nat->nat_age,
- nat->nat_state, ip, fin,0);
- /*
- * Increase this because we may have
- * "keep state" following this too and
- * packet storms can occur if this is
- * removed too quickly.
- */
- if (nat->nat_age == fr_tcpclosed)
- nat->nat_age = fr_tcplastack;
- } else if (ip->ip_p == IPPROTO_UDP) {
- udphdr_t *udp = (udphdr_t *)tcp;
-
- if (udp->uh_sum)
- csump = &udp->uh_sum;
- } else if (ip->ip_p == IPPROTO_ICMP) {
- icmphdr_t *ic = (icmphdr_t *)tcp;
-
- csump = &ic->icmp_cksum;
- }
- if (csump) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(csump,
- nat->nat_sumd);
- else
- fix_outcksum(csump,
- nat->nat_sumd);
- }
+ if (!(ip->ip_off & IP_OFFMASK) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT)) {
+
+ if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
+ tcp->th_dport = nat->nat_inport;
+ fin->fin_data[1] = ntohs(tcp->th_dport);
+ }
+
+ if (ip->ip_p == IPPROTO_TCP) {
+ csump = &tcp->th_sum;
+ MUTEX_ENTER(&ipf_rw);
+ fr_tcp_age(&nat->nat_age,
+ nat->nat_tcpstate, ip, fin, 0);
+ if (nat->nat_age < fr_defnaticmpage)
+ nat->nat_age = fr_defnaticmpage;
+#ifdef LARGE_NAT
+ else if (nat->nat_age > DEF_NAT_AGE)
+ nat->nat_age = DEF_NAT_AGE;
+#endif
+ /*
+ * Increase this because we may have
+ * "keep state" following this too and
+ * packet storms can occur if this is
+ * removed too quickly.
+ */
+ if (nat->nat_age == fr_tcpclosed)
+ nat->nat_age = fr_tcplastack;
+ MUTEX_EXIT(&ipf_rw);
+ } else if (ip->ip_p == IPPROTO_UDP) {
+ udphdr_t *udp = (udphdr_t *)tcp;
+
+ if (udp->uh_sum)
+ csump = &udp->uh_sum;
+ }
+ if (csump) {
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_incksum(csump, nat->nat_sumd);
+ else
+ fix_outcksum(csump, nat->nat_sumd);
}
- nat_stats.ns_mapped[0]++;
- MUTEX_EXIT(&ipf_nat);
- return -2;
}
- MUTEX_EXIT(&ipf_nat);
+ ATOMIC_INC(nat_stats.ns_mapped[0]);
+ RWLOCK_EXIT(&ipf_nat); /* READ */
+ return 1;
+ }
+ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
return 0;
}
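Review bot: `fin->fin_fr = nat->nat_fr;` silently replaces the filter rule the packet matched with the one captured when the session was created, so that rule's flags and logging now apply to every inbound packet of the session; this is a policy decision and needs a comment, e.g. `/* inbound packets of a NAT session inherit the filter rule that created it (nat_fr, referenced in nat_new) */`. The `nat_fr` reference is taken with `ATOMIC_INC` in nat_new and nothing in this diff releases it, so the delete path (outside this view) should be checked for the matching decrement. The `np->in_apr` dereference and the read-lock upgrade in this function share the issues raised on the ip_natout hunks.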
@@ -1230,11 +1588,27 @@ fr_info_t *fin;
*/
void ip_natunload()
{
- MUTEX_ENTER(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
(void) nat_clearlist();
(void) nat_flushtable();
- (void) ap_unload();
- MUTEX_EXIT(&ipf_nat);
+ RWLOCK_EXIT(&ipf_nat);
+
+ if (nat_table[0] != NULL) {
+ KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
+ nat_table[0] = NULL;
+ }
+ if (nat_table[1] != NULL) {
+ KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
+ nat_table[1] = NULL;
+ }
+ if (nat_rules != NULL) {
+ KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
+ nat_rules = NULL;
+ }
+ if (rdr_rules != NULL) {
+ KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
+ rdr_rules = NULL;
+ }
}
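Review bot: The four `KFREES` calls run after `RWLOCK_EXIT(&ipf_nat)`, so a packet-path caller that passed the `nat_list == NULL` fast path before `nat_clearlist()` ran and is now blocked in `READ_ENTER` would index `nat_table[]`, `nat_rules` or `rdr_rules` after they are freed and NULLed. Unless unload is already serialised against the packet path (not visible here), moving the frees above `RWLOCK_EXIT` or documenting the quiescence requirement, `/* caller must ensure no packet is in ip_natin/ip_natout */`, closes that window. `nat_instances` is not reset in this function; if `nat_flushtable()` does not do it, the list head survives the unload.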
@@ -1250,9 +1624,10 @@ void ip_natexpire()
#endif
SPL_NET(s);
- MUTEX_ENTER(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
for (natp = &nat_instances; (nat = *natp); ) {
- if (--nat->nat_age) {
+ nat->nat_age--;
+ if (nat->nat_age) {
natp = &nat->nat_next;
continue;
}
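Review bot: `nat->nat_age--;` on an entry whose age is already 0 wraps, since `nat_age` is declared `u_long` in the ip_nat.h hunk, and that session then never expires; the old `--nat->nat_age` form behaved the same, so this is pre-existing rather than introduced here. If `fr_tcp_age` or the ICMP path can leave an age of 0 (not visible from this hunk), `if (nat->nat_age != 0) nat->nat_age--;` before the test keeps the wrap out. ip_natexpire starts outside this hunk.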
@@ -1263,79 +1638,69 @@ void ip_natexpire()
nat_delete(nat);
nat_stats.ns_expire++;
}
-
- ap_expire();
-
- MUTEX_EXIT(&ipf_nat);
+ RWLOCK_EXIT(&ipf_nat);
SPL_X(s);
}
/*
*/
-#ifdef __STDC__
-void ip_natsync(void *ifp)
-#else
void ip_natsync(ifp)
void *ifp;
-#endif
{
+ register ipnat_t *n;
register nat_t *nat;
register u_32_t sum1, sum2, sumd;
struct in_addr in;
ipnat_t *np;
+ void *ifp2;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
+ /*
+ * Change IP addresses for NAT sessions for any protocol except TCP
+ * since it will break the TCP connection anyway.
+ */
SPL_NET(s);
- MUTEX_ENTER(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
for (nat = nat_instances; nat; nat = nat->nat_next)
- if ((ifp == nat->nat_ifp) && (np = nat->nat_ptr))
- if ((np->in_outmsk == 0xffffffff) && !np->in_nip) {
- /*
- * Change the map-to address to be the same
- * as the new one.
- */
- sum1 = nat->nat_outip.s_addr;
- if (nat_ifpaddr(nat, ifp, &in) == -1)
+ if (((ifp == NULL) || (ifp == nat->nat_ifp)) &&
+ !(nat->nat_flags & IPN_TCP) && (np = nat->nat_ptr) &&
+ (np->in_outmsk == 0xffffffff) && !np->in_nip) {
+ ifp2 = nat->nat_ifp;
+ /*
+ * Change the map-to address to be the same as the
+ * new one.
+ */
+ sum1 = nat->nat_outip.s_addr;
+ if (fr_ifpaddr(ifp2, &in) != -1)
nat->nat_outip.s_addr = htonl(in.s_addr);
- sum2 = nat->nat_outip.s_addr;
+ sum2 = nat->nat_outip.s_addr;
- /*
- * Readjust the checksum adjustment to take
- * into account the new IP#.
- *
- * Do it twice
- */
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
-
- /* Do it twice */
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- /* Because ~1 == -2, We really need ~1 == -1 */
- if (sum1 > sum2)
- sum2--;
- sumd = sum2 - sum1;
- sumd = (sumd & 0xffff) + (sumd >> 16);
- sumd += nat->nat_sumd;
- nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
- }
- MUTEX_EXIT(&ipf_nat);
+ if (sum1 == sum2)
+ continue;
+ /*
+ * Readjust the checksum adjustment to take into
+ * account the new IP#.
+ */
+ CALC_SUMD(sum1, sum2, sumd);
+ sumd += nat->nat_sumd;
+ nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
+ }
+
+ for (n = nat_list; (n != NULL); n = n->in_next)
+ if (n->in_ifp == ifp)
+ n->in_ifp = (void *)GETUNIT(n->in_ifname);
+ RWLOCK_EXIT(&ipf_nat);
SPL_X(s);
}
#ifdef IPFILTER_LOG
-# ifdef __STDC__
-void nat_log(struct nat *nat, u_short type)
-# else
void nat_log(nat, type)
struct nat *nat;
-u_short type;
-# endif
+u_int type;
{
struct ipnat *np;
struct natlog natl;
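Review bot: The two loops in ip_natsync disagree on what `ifp == NULL` means: the session loop treats it as "all interfaces" (`(ifp == NULL) || (ifp == nat->nat_ifp)`), but the new rule loop compares `n->in_ifp == ifp` literally, so a NULL argument re-resolves only rules whose interface pointer is already NULL. If NULL is meant as a wildcard the rule loop should test `if ((ifp == NULL) || (n->in_ifp == ifp))`; if it is not, the first condition should drop the NULL case. `GETUNIT(n->in_ifname)` is stored straight into `n->in_ifp` with no check of its result, so whatever it returns on failure becomes the rule's interface key for later `np->in_ifp == ifp` tests; a comment or a check is due depending on that return value. The nat_log definition that follows continues in the next hunk.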
@@ -1353,17 +1718,19 @@ u_short type;
natl.nl_outport = nat->nat_outport;
natl.nl_type = type;
natl.nl_rule = -1;
- if (nat->nat_ptr) {
+#ifndef LARGE_NAT
+ if (nat->nat_ptr != NULL) {
for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
if (np == nat->nat_ptr) {
natl.nl_rule = rulen;
break;
}
}
+#endif
items[0] = &natl;
sizes[0] = sizeof(natl);
types[0] = 0;
- (void) ipllog(IPL_LOGNAT, 0, items, sizes, types, 1);
+ (void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1);
}
#endif
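Review bot: Under `LARGE_NAT` the `#ifndef` block is compiled out and `natl.nl_rule` stays at -1 for every record, which log consumers will read as "no rule"; the reason should be stated on the `#ifndef LARGE_NAT` line, e.g. `/* LARGE_NAT: skip the linear scan of nat_list; nl_rule is reported as -1 */`. nat_log starts in the previous hunk.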
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index 49f5d50..137f3d6 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $
+ * $Id: ip_nat.h,v 2.1.2.1 1999/08/14 04:47:54 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -36,28 +36,50 @@
#define SIOCCNATL _IOWR(r, 87, int)
#endif
-#define NAT_SIZE 367
+#undef LARGE_NAT /* define this if you're setting up a system to NAT
+ * LARGE numbers of networks/hosts - i.e. in the
+ * hundreds or thousands. In such a case, you should
+ * also change the RDR_SIZE and NAT_SIZE below to more
+ * appropriate sizes. The figures below were used for
+ * a setup with 1000-2000 networks to NAT.
+ */
+#define NAT_SIZE 127
+#define RDR_SIZE 127
+#define NAT_TABLE_SZ 127
+#ifdef LARGE_NAT
+#undef NAT_SIZE
+#undef RDR_SIZE
+#undef NAT_TABLE_SZ
+#define NAT_SIZE 2047
+#define RDR_SIZE 2047
+#define NAT_TABLE_SZ 16383
+#endif
#ifndef APR_LABELLEN
#define APR_LABELLEN 16
#endif
+#define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */
+
typedef struct nat {
u_long nat_age;
int nat_flags;
u_32_t nat_sumd;
u_32_t nat_ipsumd;
void *nat_data;
+ void *nat_aps; /* proxy session */
+ frentry_t *nat_fr; /* filter rule ptr if appropriate */
struct in_addr nat_inip;
struct in_addr nat_outip;
struct in_addr nat_oip; /* other ip */
U_QUAD_T nat_pkts;
U_QUAD_T nat_bytes;
- u_short nat_oport; /* other port */
+ u_short nat_oport; /* other port */
u_short nat_inport;
u_short nat_outport;
u_short nat_use;
- u_char nat_state[2];
- struct ipnat *nat_ptr;
+ u_char nat_tcpstate[2];
+ u_char nat_p; /* protocol for NAT */
+ struct ipnat *nat_ptr; /* pointer back to the rule */
struct nat *nat_next;
struct nat *nat_hnext[2];
struct nat **nat_hstart[2];
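Review bot: The `DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */` comment gives two numbers without saying what unit the value is in; if it counts ip_natexpire() ticks at two per second it should say so, `/* 10 minutes, in ip_natexpire() ticks (presumably 2 per second, same unit as fr_defnatage) - confirm */`. The `LARGE_NAT` comment tells the reader to change `RDR_SIZE` and `NAT_SIZE` by hand, but the `#ifdef LARGE_NAT` block directly below already overrides all three sizes, so that instruction is stale. `nat_age` stays `u_long`, which the decrement in ip_natexpire relies on never starting from 0.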
@@ -67,16 +89,22 @@ typedef struct nat {
typedef struct ipnat {
struct ipnat *in_next;
+ struct ipnat *in_rnext;
+ struct ipnat *in_mnext;
void *in_ifp;
void *in_apr;
- u_int in_space;
+ u_long in_space;
u_int in_use;
+ u_int in_hits;
struct in_addr in_nextip;
u_short in_pnext;
- u_short in_flags;
- u_short in_port[2];
+ u_short in_ppip; /* ports per IP */
+ u_short in_ippip; /* IP #'s per IP# */
+ u_short in_flags; /* From here to in_dport must be reflected */
+ u_short in_port[2]; /* correctly in IPN_CMPSIZ */
struct in_addr in_in[2];
struct in_addr in_out[2];
+ struct in_addr in_src[2];
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
char in_ifname[IFNAMSIZ];
char in_plabel[APR_LABELLEN]; /* proxy label */
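Review bot: The comment `From here to in_dport must be reflected correctly in IPN_CMPSIZ` is out of date once `IPN_CMPSIZ` becomes `sizeof(ipnat_t) - offsetof(ipnat_t, in_flags)` later in this file: the compared range then runs from `in_flags` to the end of the structure, so every field placed after `in_flags` (the new `in_src[2]` included) takes part in rule equality, and mutable per-rule state such as `in_hits`, `in_use` and `in_space` must stay above it. Rewording to `/* in_flags .. end of struct is compared by IPN_CMPSIZ: keep mutable counters above this line */` states the real invariant.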
@@ -91,6 +119,8 @@ typedef struct ipnat {
#define in_inmsk in_in[1].s_addr
#define in_outip in_out[0].s_addr
#define in_outmsk in_out[1].s_addr
+#define in_srcip in_src[0].s_addr
+#define in_srcmsk in_src[1].s_addr
#define NAT_OUTBOUND 0
#define NAT_INBOUND 1
@@ -98,9 +128,12 @@ typedef struct ipnat {
#define NAT_MAP 0x01
#define NAT_REDIRECT 0x02
#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
+#define NAT_MAPBLK 0x04
+
+#define MAPBLK_MINPORT 1024 /* don't use reserved ports for src port */
+#define USABLE_PORTS (65536 - MAPBLK_MINPORT)
-#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \
- sizeof(int) + IFNAMSIZ + APR_LABELLEN + sizeof(char))
+#define IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_flags))
typedef struct natlookup {
struct in_addr nl_inip;
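Review bot: `IPN_CMPSIZ` now spans raw structure bytes from `in_flags` to the end, which includes compiler padding; if it drives a byte comparison between a rule arriving from userland and the kernel's copy (the use is not visible here), both sides must be zero-filled before the compare or padding garbage defeats duplicate detection. A comment on the macro, `/* byte range compared for rule equality; zero the struct before filling it, padding is compared too */`, makes that requirement explicit. `offsetof` also needs `<stddef.h>` in every translation unit that expands the macro.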
@@ -122,14 +155,23 @@ typedef struct natstat {
u_long ns_logfail;
nat_t **ns_table[2];
ipnat_t *ns_list;
+ void *ns_apslist;
+ u_int ns_nattab_sz;
+ u_int ns_rultab_sz;
+ u_int ns_rdrtab_sz;
+ nat_t *ns_instances;
} natstat_t;
#define IPN_ANY 0x00
#define IPN_TCP 0x01
#define IPN_UDP 0x02
-#define IPN_TCPUDP 0x03
+#define IPN_TCPUDP (IPN_TCP|IPN_UDP)
#define IPN_DELETE 0x04
#define IPN_ICMPERR 0x08
+#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
+#define IPN_AUTOPORTMAP 0x10
+#define IPN_RANGE 0x20
+#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_RANGE)
typedef struct natlog {
@@ -150,31 +192,54 @@ typedef struct natlog {
#define NL_NEWRDR NAT_REDIRECT
#define NL_EXPIRE 0xffff
+#define NAT_HASH_FN(k,m) (((k) + ((k) >> 12)) % (m))
+
+#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16))
+
+#define CALC_SUMD(s1, s2, sd) { \
+ (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
+ (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
+ /* Do it twice */ \
+ (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
+ (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
+ /* Because ~1 == -2, We really need ~1 == -1 */ \
+ if ((s1) > (s2)) (s2)--; \
+ (sd) = (s2) - (s1); \
+ (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
+
+extern u_int ipf_nattable_sz;
+extern u_int ipf_natrules_sz;
+extern u_int ipf_rdrrules_sz;
extern void ip_natsync __P((void *));
extern u_long fr_defnatage;
extern u_long fr_defnaticmpage;
-extern nat_t *nat_table[2][NAT_SIZE];
+extern nat_t **nat_table[2];
+extern nat_t *nat_instances;
+extern ipnat_t **nat_rules;
+extern ipnat_t **rdr_rules;
+extern natstat_t nat_stats;
#if defined(__NetBSD__) || defined(__OpenBSD__)
extern int nat_ioctl __P((caddr_t, u_long, int));
#else
extern int nat_ioctl __P((caddr_t, int, int));
#endif
-extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
-extern nat_t *nat_outlookup __P((void *, int, struct in_addr, u_short,
- struct in_addr, u_short));
-extern nat_t *nat_inlookup __P((void *, int, struct in_addr, u_short,
- struct in_addr, u_short));
+extern int nat_init __P((void));
+extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int));
+extern nat_t *nat_outlookup __P((void *, u_int, u_int, struct in_addr,
+ struct in_addr, u_32_t));
+extern nat_t *nat_inlookup __P((void *, u_int, u_int, struct in_addr,
+ struct in_addr, u_32_t));
+extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr,
+ struct in_addr));
extern nat_t *nat_lookupredir __P((natlookup_t *));
-extern nat_t *nat_lookupmapip __P((void *, int, struct in_addr, u_short,
- struct in_addr, u_short));
extern nat_t *nat_icmpinlookup __P((ip_t *, fr_info_t *));
-extern nat_t *nat_icmpin __P((ip_t *, fr_info_t *, int *));
+extern nat_t *nat_icmpin __P((ip_t *, fr_info_t *, u_int *));
-extern int ip_natout __P((ip_t *, int, fr_info_t *));
-extern int ip_natin __P((ip_t *, int, fr_info_t *));
+extern int ip_natout __P((ip_t *, fr_info_t *));
+extern int ip_natin __P((ip_t *, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void));
-extern void nat_log __P((struct nat *, u_short));
+extern void nat_log __P((struct nat *, u_int));
extern void fix_incksum __P((u_short *, u_32_t));
extern void fix_outcksum __P((u_short *, u_32_t));
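Review bot: CALC_SUMD is a brace-block statement macro with no `do { } while (0)` wrapper, so `if (cond) CALC_SUMD(a, b, d); else ...` fails to compile and the `;` after a normal use is a stray null statement; wrap it as `#define CALC_SUMD(s1, s2, sd) do { ... } while (0)`. NAT_HASH_FN evaluates its `k` argument twice, so any call site that passes an expression with side effects double-evaluates it; a comment saying `k` must be a plain value and `m` a non-zero table size (presumably the `ipf_*_sz` sizes declared just below) would make the contract explicit. The "Do it twice" and "~1 == -2" comments in CALC_SUMD describe the arithmetic but not the intent; a one-line header such as `/* compute the one's-complement difference (s2 - s1) used to patch an incremental checksum */` would help the next reader.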
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
index 0fb7e95..ccf9c12 100644
--- a/contrib/ipfilter/ip_proxy.c
+++ b/contrib/ipfilter/ip_proxy.c
@@ -1,31 +1,33 @@
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#include <sys/ioctl.h>
+#if !defined(__FreeBSD_version)
+# include <sys/ioctl.h>
+#endif
#include <sys/fcntl.h>
#include <sys/uio.h>
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+#endif
#ifndef linux
# include <sys/protosw.h>
#endif
@@ -43,7 +45,9 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15
# endif
#else
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
@@ -70,31 +74,48 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15
#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
+
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
-static ap_session_t *ap_find __P((ip_t *, tcphdr_t *));
-static ap_session_t *ap_new_session __P((aproxy_t *, ip_t *, tcphdr_t *,
- fr_info_t *, nat_t *));
+static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *,
+ fr_info_t *, nat_t *));
+static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
+
#define AP_SESS_SIZE 53
#if defined(_KERNEL) && !defined(linux)
#include "netinet/ip_ftp_pxy.c"
+#include "netinet/ip_rcmd_pxy.c"
+#include "netinet/ip_raudio_pxy.c"
#endif
ap_session_t *ap_sess_tab[AP_SESS_SIZE];
+ap_session_t *ap_sess_list = NULL;
aproxy_t ap_proxies[] = {
#ifdef IPF_FTP_PROXY
- { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_in, ippr_ftp_out },
+ { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
+ ippr_ftp_in, ippr_ftp_out },
+#endif
+#ifdef IPF_RCMD_PROXY
+ { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_new,
+ NULL, ippr_rcmd_out },
+#endif
+#ifdef IPF_RAUDIO_PROXY
+ { "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init,
+ ippr_raudio_new, ippr_raudio_in, ippr_raudio_out },
#endif
{ "", '\0', 0, 0, NULL, NULL }
};
-int ap_ok(ip, tcp, nat)
+int appr_ok(ip, tcp, nat)
ip_t *ip;
tcphdr_t *tcp;
ipnat_t *nat;
@@ -102,7 +123,7 @@ ipnat_t *nat;
aproxy_t *apr = nat->in_apr;
u_short dport = nat->in_dport;
- if (!apr || (apr && (apr->apr_flags & APR_DELETE)) ||
+ if (!apr || (apr->apr_flags & APR_DELETE) ||
(ip->ip_p != apr->apr_p))
return 0;
if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport))
@@ -111,108 +132,36 @@ ipnat_t *nat;
}
-static int
-ap_matchsrcdst(aps, src, dst, tcp, sport, dport)
-ap_session_t *aps;
-struct in_addr src, dst;
-void *tcp;
-u_short sport, dport;
-{
- if (aps->aps_dst.s_addr == dst.s_addr) {
- if ((aps->aps_src.s_addr == src.s_addr) &&
- (!tcp || (sport == aps->aps_sport) &&
- (dport == aps->aps_dport)))
- return 1;
- } else if (aps->aps_dst.s_addr == src.s_addr) {
- if ((aps->aps_src.s_addr == dst.s_addr) &&
- (!tcp || (sport == aps->aps_dport) &&
- (dport == aps->aps_sport)))
- return 1;
- }
- return 0;
-}
-
-
-static ap_session_t *ap_find(ip, tcp)
-ip_t *ip;
-tcphdr_t *tcp;
-{
- register u_char p = ip->ip_p;
- register ap_session_t *aps;
- register u_short sp, dp;
- register u_long hv;
- struct in_addr src, dst;
-
- src = ip->ip_src, dst = ip->ip_dst;
- sp = dp = 0; /* XXX gcc -Wunitialized */
-
- hv = ip->ip_src.s_addr ^ ip->ip_dst.s_addr;
- hv *= 651733;
- if (tcp) {
- sp = tcp->th_sport;
- dp = tcp->th_dport;
- hv ^= (sp + dp);
- hv *= 5;
- }
- hv %= AP_SESS_SIZE;
-
- for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next)
- if ((aps->aps_p == p) &&
- ap_matchsrcdst(aps, src, dst, tcp, sp, dp))
- break;
- return aps;
-}
-
-
/*
* Allocate a new application proxy structure and fill it in with the
* relevant details. call the init function once complete, prior to
* returning.
*/
-static ap_session_t *ap_new_session(apr, ip, tcp, fin, nat)
+static ap_session_t *appr_new_session(apr, ip, fin, nat)
aproxy_t *apr;
ip_t *ip;
-tcphdr_t *tcp;
fr_info_t *fin;
nat_t *nat;
{
register ap_session_t *aps;
- u_short dport;
- u_long hv;
- if (!apr || (apr && (apr->apr_flags & APR_DELETE)) ||
- (ip->ip_p != apr->apr_p))
- return NULL;
- dport = nat->nat_ptr->in_dport;
- if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport))
+ if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
return NULL;
- hv = ip->ip_src.s_addr ^ ip->ip_dst.s_addr;
- hv *= 651733;
- if (tcp) {
- hv ^= (tcp->th_sport + tcp->th_dport);
- hv *= 5;
- }
- hv %= AP_SESS_SIZE;
-
- KMALLOC(aps, ap_session_t *, sizeof(*aps));
+ KMALLOC(aps, ap_session_t *);
if (!aps)
return NULL;
bzero((char *)aps, sizeof(*aps));
- aps->aps_apr = apr;
- aps->aps_src = ip->ip_src;
- aps->aps_dst = ip->ip_dst;
+ aps->aps_next = ap_sess_list;
aps->aps_p = ip->ip_p;
- aps->aps_tout = 1200; /* XXX */
- if (tcp) {
- aps->aps_sport = tcp->th_sport;
- aps->aps_dport = tcp->th_dport;
- }
aps->aps_data = NULL;
+ aps->aps_apr = apr;
aps->aps_psiz = 0;
- aps->aps_next = ap_sess_tab[hv];
- ap_sess_tab[hv] = aps;
- (void) (*apr->apr_init)(fin, ip, tcp, aps, nat);
+ ap_sess_list = aps;
+ aps->aps_nat = nat;
+ nat->nat_aps = aps;
+ if (apr->apr_new != NULL)
+ (void) (*apr->apr_new)(fin, ip, aps, nat);
return aps;
}
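Review bot: appr_new_session publishes the session on ap_sess_list and in `nat->nat_aps` before calling `apr->apr_new`, and then discards that hook's return value; ippr_rcmd_new in this same commit returns -1 when its KMALLOCS fails and leaves `aps_data` NULL, while ippr_raudio_new returns 0 in the same situation, and both per-packet handlers dereference `aps->aps_data` unconditionally. The session should only be linked once the constructor has succeeded, and freed otherwise. The list update is also done with no lock visible in this hunk; if `ipf_rw` (declared extern by the new proxy files) is meant to cover ap_sess_list, that belongs in a comment here.
```c
	/* … unchanged: KMALLOC / NULL check / bzero … */
	aps->aps_p = ip->ip_p;
	aps->aps_data = NULL;
	aps->aps_apr = apr;
	aps->aps_psiz = 0;
	aps->aps_nat = nat;
	/* run the proxy's constructor before the session is visible anywhere */
	if ((apr->apr_new != NULL) && ((*apr->apr_new)(fin, ip, aps, nat) != 0)) {
		if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
			KFREES(aps->aps_data, aps->aps_psiz);
		KFREE(aps);
		return NULL;
	}
	aps->aps_next = ap_sess_list;
	ap_sess_list = aps;
	nat->nat_aps = aps;
	return aps;
```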
@@ -221,59 +170,67 @@ nat_t *nat;
* check to see if a packet should be passed through an active proxy routine
* if one has been setup for it.
*/
-int ap_check(ip, tcp, fin, nat)
+int appr_check(ip, fin, nat)
ip_t *ip;
-tcphdr_t *tcp;
fr_info_t *fin;
nat_t *nat;
{
ap_session_t *aps;
aproxy_t *apr;
+ tcphdr_t *tcp = NULL;
+ u_32_t sum;
int err;
- if (!(fin->fin_fi.fi_fl & FI_TCPUDP))
- tcp = NULL;
-
- if ((aps = ap_find(ip, tcp)) ||
- (aps = ap_new_session(nat->nat_ptr->in_apr, ip, tcp, fin, nat))) {
+ if (nat->nat_aps == NULL)
+ nat->nat_aps = appr_new_session(nat->nat_ptr->in_apr, ip,
+ fin, nat);
+ aps = nat->nat_aps;
+ if ((aps != NULL) && (aps->aps_p == ip->ip_p)) {
if (ip->ip_p == IPPROTO_TCP) {
+ tcp = (tcphdr_t *)fin->fin_dp;
/*
* verify that the checksum is correct. If not, then
* don't do anything with this packet.
*/
- if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp,
- ip, tcp, ip->ip_len)) {
+#if SOLARIS && defined(_KERNEL)
+ sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#else
+ sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
+#endif
+ if (sum != tcp->th_sum) {
frstats[fin->fin_out].fr_tcpbad++;
return -1;
}
- fr_tcp_age(&aps->aps_tout, aps->aps_state, ip, fin,
- tcp->th_sport == aps->aps_sport);
}
apr = aps->aps_apr;
err = 0;
- if (fin->fin_out) {
- if (apr->apr_outpkt)
- err = (*apr->apr_outpkt)(fin, ip, tcp,
- aps, nat);
+ if (fin->fin_out != 0) {
+ if (apr->apr_outpkt != NULL)
+ err = (*apr->apr_outpkt)(fin, ip, aps, nat);
} else {
- if (apr->apr_inpkt)
- err = (*apr->apr_inpkt)(fin, ip, tcp,
- aps, nat);
+ if (apr->apr_inpkt != NULL)
+ err = (*apr->apr_inpkt)(fin, ip, aps, nat);
}
- if (err == 2) {
- tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip,
- tcp, ip->ip_len);
- err = 0;
+
+ if (tcp != NULL) {
+ err = appr_fixseqack(fin, ip, aps, err);
+#if SOLARIS && defined(_KERNEL)
+ tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#else
+ tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
+#endif
}
- return err;
+ aps->aps_bytes += ip->ip_len;
+ aps->aps_pkts++;
+ return 2;
}
return -1;
}
-aproxy_t *ap_match(pr, name)
-u_char pr;
+aproxy_t *appr_match(pr, name)
+u_int pr;
char *name;
{
aproxy_t *ap;
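Review bot: The value returned by `apr_inpkt`/`apr_outpkt` in appr_check is stored in `err` and then handed to appr_fixseqack as its `inc` parameter, so it is a payload-length delta rather than an error code, and appr_check returns 2 regardless of it; a proxy that returned -1 to signal failure (the convention ippr_rcmd_new already uses) would instead shift the sequence offset by one byte. Rename it (`int inc = 0;`) and state the contract above the function, e.g. `/* proxy hooks return the number of payload bytes they added (negative if removed); they have no failure return */`. The TCP checksum is recomputed after the hooks even when neither hook nor appr_fixseqack changed anything, which is harmless but worth a comment since it overwrites the verified `th_sum`.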
@@ -288,7 +245,7 @@ char *name;
}
-void ap_free(ap)
+void appr_free(ap)
aproxy_t *ap;
{
ap->apr_ref--;
@@ -298,38 +255,133 @@ aproxy_t *ap;
void aps_free(aps)
ap_session_t *aps;
{
- if (aps->aps_data && aps->aps_psiz)
- KFREES(aps->aps_data, aps->aps_psiz);
- KFREE(aps);
+ ap_session_t *a, **ap;
+
+ if (!aps)
+ return;
+
+ for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next)
+ if (a == aps) {
+ *ap = a->aps_next;
+ break;
+ }
+
+ if (a) {
+ if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
+ KFREES(aps->aps_data, aps->aps_psiz);
+ KFREE(aps);
+ }
}
-void ap_unload()
+static int appr_fixseqack(fin, ip, aps, inc)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+int inc;
{
- ap_session_t *aps;
- int i;
+ int sel, ch = 0, out, nlen;
+ u_32_t seq1, seq2;
+ tcphdr_t *tcp;
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ out = fin->fin_out;
+ nlen = ip->ip_len;
+ nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+
+ if (out != 0) {
+ seq1 = (u_32_t)ntohl(tcp->th_seq);
+ sel = aps->aps_sel[out];
+
+ /* switch to other set ? */
+ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
+ (seq1 > aps->aps_seqmin[!sel]))
+ sel = aps->aps_sel[out] = !sel;
+
+ if (aps->aps_seqoff[sel]) {
+ seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
+ if (seq1 > seq2) {
+ seq2 = aps->aps_seqoff[sel];
+ seq1 += seq2;
+ tcp->th_seq = htonl(seq1);
+ ch = 1;
+ }
+ }
- for (i = 0; i < AP_SESS_SIZE; i++)
- while ((aps = ap_sess_tab[i])) {
- ap_sess_tab[i] = aps->aps_next;
- aps_free(aps);
+ if (inc && (seq1 > aps->aps_seqmin[!sel])) {
+ aps->aps_seqmin[!sel] = seq1 + nlen - 1;
+ aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc;
}
+
+ /***/
+
+ seq1 = ntohl(tcp->th_ack);
+ sel = aps->aps_sel[1 - out];
+
+ /* switch to other set ? */
+ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
+ (seq1 > aps->aps_ackmin[!sel]))
+ sel = aps->aps_sel[1 - out] = !sel;
+
+ if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
+ seq2 = aps->aps_ackoff[sel];
+ tcp->th_ack = htonl(seq1 - seq2);
+ ch = 1;
+ }
+ } else {
+ seq1 = ntohl(tcp->th_seq);
+ sel = aps->aps_sel[out];
+
+ /* switch to other set ? */
+ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
+ (seq1 > aps->aps_ackmin[!sel]))
+ sel = aps->aps_sel[out] = !sel;
+
+ if (aps->aps_ackoff[sel]) {
+ seq2 = aps->aps_ackmin[sel] -
+ aps->aps_ackoff[sel];
+ if (seq1 > seq2) {
+ seq2 = aps->aps_ackoff[sel];
+ seq1 += seq2;
+ tcp->th_seq = htonl(seq1);
+ ch = 1;
+ }
+ }
+
+ if (inc && (seq1 > aps->aps_ackmin[!sel])) {
+ aps->aps_ackmin[!sel] = seq1 + nlen - 1;
+ aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
+ }
+
+ /***/
+
+ seq1 = ntohl(tcp->th_ack);
+ sel = aps->aps_sel[1 - out];
+
+ /* switch to other set ? */
+ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
+ (seq1 > aps->aps_seqmin[!sel]))
+ sel = aps->aps_sel[1 - out] = !sel;
+
+ if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) {
+ seq2 = aps->aps_seqoff[sel];
+ tcp->th_ack = htonl(seq1 - seq2);
+ ch = 1;
+ }
+ }
+ return ch ? 2 : 0;
}
-void ap_expire()
+int appr_init()
{
- ap_session_t *aps, **apsp;
- int i;
-
- for (i = 0; i < AP_SESS_SIZE; i++)
- for (apsp = &ap_sess_tab[i]; (aps = *apsp); ) {
- aps->aps_tout--;
- if (!aps->aps_tout) {
- ap_sess_tab[i] = aps->aps_next;
- aps_free(aps);
- *apsp = aps->aps_next;
- } else
- apsp = &aps->aps_next;
- }
+ aproxy_t *ap;
+ int err = 0;
+
+ for (ap = ap_proxies; ap->apr_p; ap++) {
+ err = (*ap->apr_init)();
+ if (err != 0)
+ break;
+ }
+ return err;
}
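Review bot: Every comparison in appr_fixseqack (`seq1 > aps->aps_seqmin[!sel]`, `seq1 > seq2`, `seq1 > aps->aps_ackmin[sel]` and the `seqmin[!sel] > seqmin[sel]` set-switch tests) is a plain unsigned `>` on 32-bit TCP sequence numbers, so once a connection's sequence space wraps past 2^32, or its ISN sits near the top of the range, the offset stops being applied or the wrong offset set is selected. Use modular comparison, e.g. `#define SEQ_GT(a, b) ((int)((a) - (b)) > 0)`, in place of each `>`. `nlen` is `ip_len` minus the two header lengths with no check that the result is non-negative, so a crafted `th_off` larger than the packet moves `aps_seqmin` backwards; the checksum test in appr_check catches corruption, not a deliberately built header. In aps_free a session that is not on ap_sess_list is silently left unfreed, which is safe but deserves a comment explaining that it is intentional.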
diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h
index a361e93..08409b0 100644
--- a/contrib/ipfilter/ip_proxy.h
+++ b/contrib/ipfilter/ip_proxy.h
@@ -1,11 +1,11 @@
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: ip_proxy.h,v 2.0.2.10.2.1 1997/11/27 09:33:27 darrenr Exp $
+ * $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@@ -26,9 +26,11 @@ struct ipnat;
typedef struct ap_tcp {
u_short apt_sport; /* source port */
u_short apt_dport; /* destination port */
- short apt_sel; /* seqoff/after set selector */
+ short apt_sel[2]; /* {seq,ack}{off,min} set selector */
short apt_seqoff[2]; /* sequence # difference */
- tcp_seq apt_after[2]; /* don't change seq-off until after this */
+ tcp_seq apt_seqmin[2]; /* don't change seq-off until after this */
+ short apt_ackoff[2]; /* sequence # difference */
+ tcp_seq apt_ackmin[2]; /* don't change seq-off until after this */
u_char apt_state[2]; /* connection state */
} ap_tcp_t;
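Review bot: The comments on the new `apt_ackoff` and `apt_ackmin` fields are copies of the seqoff/seqmin comments and describe the wrong quantity. Suggest `short apt_ackoff[2]; /* ack # difference */` and `tcp_seq apt_ackmin[2]; /* don't change ack-off until after this */`. `apt_sel[2]` would also benefit from a note on what the index means; the .c hunk indexes it by `fin_out` and `1 - fin_out`, so `/* indexed by direction (fin_out) */` matches the visible use.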
@@ -39,19 +41,18 @@ typedef struct ap_udp {
typedef struct ap_session {
struct aproxy *aps_apr;
- struct in_addr aps_src; /* source IP# */
- struct in_addr aps_dst; /* destination IP# */
- u_char aps_p; /* protocol */
union {
struct ap_tcp apu_tcp;
struct ap_udp apu_udp;
} aps_un;
u_int aps_flags;
- QUAD_T aps_bytes; /* bytes sent */
- QUAD_T aps_pkts; /* packets sent */
- u_long aps_tout; /* time left before expiring */
+ U_QUAD_T aps_bytes; /* bytes sent */
+ U_QUAD_T aps_pkts; /* packets sent */
+ void *aps_nat; /* pointer back to nat struct */
void *aps_data; /* private data */
+ int aps_p; /* protocol */
int aps_psiz; /* size of private data */
+ struct ap_session *aps_hnext;
struct ap_session *aps_next;
} ap_session_t ;
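Review bot: `aps_hnext` is added here but nothing in this commit reads or writes it, and `ap_sess_tab[AP_SESS_SIZE]` stays defined and exported even though appr_new_session now links sessions only onto `ap_sess_list` and `nat->nat_aps`; as far as this diff shows both are vestigial. Either drop them or add a comment such as `/* reserved for a hash index; not yet used */` so readers do not search for a lookup that does not exist. The new `aps_nat` back-pointer deserves a note that aps_free does not clear the owning nat's `nat_aps` (whether the NAT side does so on delete is outside this diff).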
@@ -59,8 +60,10 @@ typedef struct ap_session {
#define aps_dport aps_un.apu_tcp.apt_dport
#define aps_sel aps_un.apu_tcp.apt_sel
#define aps_seqoff aps_un.apu_tcp.apt_seqoff
-#define aps_after aps_un.apu_tcp.apt_after
+#define aps_seqmin aps_un.apu_tcp.apt_seqmin
#define aps_state aps_un.apu_tcp.apt_state
+#define aps_ackoff aps_un.apu_tcp.apt_ackoff
+#define aps_ackmin aps_un.apu_tcp.apt_ackmin
typedef struct aproxy {
@@ -68,26 +71,59 @@ typedef struct aproxy {
u_char apr_p; /* protocol */
int apr_ref; /* +1 per rule referencing it */
int apr_flags;
- int (* apr_init) __P((fr_info_t *, ip_t *, tcphdr_t *,
+ int (* apr_init) __P((void));
+ int (* apr_new) __P((fr_info_t *, ip_t *,
+ ap_session_t *, struct nat *));
+ int (* apr_inpkt) __P((fr_info_t *, ip_t *,
ap_session_t *, struct nat *));
- int (* apr_inpkt) __P((fr_info_t *, ip_t *, tcphdr_t *,
- ap_session_t *, struct nat *));
- int (* apr_outpkt) __P((fr_info_t *, ip_t *, tcphdr_t *,
+ int (* apr_outpkt) __P((fr_info_t *, ip_t *,
ap_session_t *, struct nat *));
} aproxy_t;
#define APR_DELETE 1
+/*
+ * Real audio proxy structure and #defines
+ */
+typedef struct {
+ int rap_seenpna;
+ int rap_seenver;
+ int rap_version;
+ int rap_eos; /* End Of Startup */
+ int rap_gotid;
+ int rap_gotlen;
+ int rap_mode;
+ int rap_sdone;
+ u_short rap_plport;
+ u_short rap_prport;
+ u_short rap_srport;
+ char rap_svr[19];
+ u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have
+ * been filled
+ */
+ tcp_seq rap_sseq;
+} raudio_t;
+
+#define RA_ID_END 0
+#define RA_ID_UDP 1
+#define RA_ID_ROBUST 7
+
+#define RAP_M_UDP 1
+#define RAP_M_ROBUST 2
+#define RAP_M_TCP 4
+#define RAP_M_UDP_ROBUST (RAP_M_UDP|RAP_M_ROBUST)
+
+
extern ap_session_t *ap_sess_tab[AP_SESS_SIZE];
+extern ap_session_t *ap_sess_list;
extern aproxy_t ap_proxies[];
-extern int ap_ok __P((ip_t *, tcphdr_t *, struct ipnat *));
-extern void ap_unload __P((void));
-extern void ap_free __P((aproxy_t *));
+extern int appr_init __P((void));
+extern int appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *));
+extern void appr_free __P((aproxy_t *));
extern void aps_free __P((ap_session_t *));
-extern int ap_check __P((ip_t *, tcphdr_t *, fr_info_t *, struct nat *));
-extern aproxy_t *ap_match __P((u_char, char *));
-extern void ap_expire __P((void));
+extern int appr_check __P((ip_t *, fr_info_t *, struct nat *));
+extern aproxy_t *appr_match __P((u_int, char *));
#endif /* __IP_PROXY_H__ */
diff --git a/contrib/ipfilter/ip_raudio_pxy.c b/contrib/ipfilter/ip_raudio_pxy.c
new file mode 100644
index 0000000..c04b834
--- /dev/null
+++ b/contrib/ipfilter/ip_raudio_pxy.c
@@ -0,0 +1,270 @@
+#if SOLARIS && defined(_KERNEL)
+extern kmutex_t ipf_rw;
+#endif
+
+#define IPF_RAUDIO_PROXY
+
+
+int ippr_raudio_init __P((void));
+int ippr_raudio_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_raudio_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_raudio_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+static frentry_t raudiofr;
+
+
+/*
+ * Real Audio application proxy initialization.
+ */
+int ippr_raudio_init()
+{
+ bzero((char *)&raudiofr, sizeof(raudiofr));
+ raudiofr.fr_ref = 1;
+ raudiofr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ return 0;
+}
+
+
+/*
+ * Setup for a new proxy to handle Real Audio.
+ */
+int ippr_raudio_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ raudio_t *rap;
+
+
+ KMALLOCS(aps->aps_data, void *, sizeof(raudio_t));
+ if (aps->aps_data != NULL) {
+ bzero(aps->aps_data, sizeof(raudio_t));
+ rap = aps->aps_data;
+ aps->aps_psiz = sizeof(raudio_t);
+ rap->rap_mode = RAP_M_TCP; /* default is for TCP */
+ }
+ return 0;
+}
+
+
+
+int ippr_raudio_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ char membuf[512 + 1], *s;
+ int off, dlen, inc = 0;
+ tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+ raudio_t *rap = aps->aps_data;
+ u_short sp, dp, id = 0;
+ struct in_addr swip;
+ fr_info_t fi;
+ int len = 0;
+ nat_t *ipn;
+ mb_t *m;
+#if SOLARIS
+ mb_t *m1;
+#endif
+
+ /*
+ * If we've already processed the start messages, then nothing left
+ * for the proxy to do.
+ */
+ if (rap->rap_eos == 1)
+ return 0;
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+ bzero(membuf, sizeof(membuf));
+#if SOLARIS
+ m = fin->fin_qfm;
+
+ dlen = msgdsize(m) - off;
+ if (dlen <= 0)
+ return 0;
+ copyout_mblk(m, off, MIN(sizeof(membuf), dlen), membuf);
+#else
+ m = *(mb_t **)fin->fin_mp;
+
+ dlen = mbufchainlen(m) - off;
+ if (dlen <= 0)
+ return 0;
+ m_copydata(m, off, MIN(sizeof(membuf), dlen), membuf);
+#endif
+ /*
+ * In all the startup parsing, ensure that we don't go outside
+ * the packet buffer boundary.
+ */
+ /*
+ * Look for the start of connection "PNA" string if not seen yet.
+ */
+ if (rap->rap_seenpna == 0) {
+ s = memstr("PNA", membuf, 3, dlen);
+ if (s == NULL)
+ return 0;
+ s += 3;
+ rap->rap_seenpna = 1;
+ } else
+ s = membuf;
+
+ /*
+ * Directly after the PNA will be the version number of this
+ * connection.
+ */
+ if (rap->rap_seenpna == 1 && rap->rap_seenver == 0) {
+ if ((s + 1) - membuf < dlen) {
+ rap->rap_version = (*s << 8) | *(s + 1);
+ s += 2;
+ rap->rap_seenver = 1;
+ } else
+ return 0;
+ }
+
+ /*
+ * Now that we've been past the PNA and version number, we're into the
+ * startup messages block. This ends when a message with an ID of 0.
+ */
+ while ((rap->rap_eos == 0) && ((s + 1) - membuf < dlen)) {
+ if (rap->rap_gotid == 0) {
+ id = (*s << 8) | *(s + 1);
+ s += 2;
+ rap->rap_gotid = 1;
+ if (id == RA_ID_END) {
+ rap->rap_eos = 1;
+ break;
+ }
+ } else if (rap->rap_gotlen == 0) {
+ len = (*s << 8) | *(s + 1);
+ s += 2;
+ rap->rap_gotlen = 1;
+ }
+
+ if (rap->rap_gotid == 1 && rap->rap_gotlen == 1) {
+ if (id == RA_ID_UDP) {
+ rap->rap_mode &= ~RAP_M_TCP;
+ rap->rap_mode |= RAP_M_UDP;
+ rap->rap_plport = (*s << 8) | *(s + 1);
+ } else if (id == RA_ID_ROBUST) {
+ rap->rap_mode |= RAP_M_ROBUST;
+ rap->rap_prport = (*s << 8) | *(s + 1);
+ }
+ s += len;
+ rap->rap_gotlen = 0;
+ rap->rap_gotid = 0;
+ }
+ }
+
+ /*
+ * Wait until we've seen the end of the start messages and even then
+ * only proceed further if we're using UDP.
+ */
+ if ((rap->rap_eos == 0) || ((rap->rap_mode & RAP_M_UDP) != RAP_M_UDP))
+ return 0;
+ sp = rap->rap_plport;
+ dp = 0;
+
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ bzero((char *)tcp2, sizeof(*tcp2));
+ tcp2->th_sport = htons(sp);
+ tcp2->th_dport = 0; /* XXX - don't specify remote port */
+ tcp2->th_win = htons(8192);
+ fi.fin_dp = (char *)tcp2;
+ fi.fin_data[0] = sp;
+ fi.fin_data[1] = 0;
+ fi.fin_fr = &raudiofr;
+ swip = ip->ip_src;
+ ip->ip_src = nat->nat_inip;
+ ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, NAT_OUTBOUND);
+ if (ipn != NULL) {
+ ipn->nat_age = fr_defnatage;
+ (void) fr_addstate(ip, &fi, FI_W_DPORT);
+ }
+ ip->ip_src = swip;
+
+ if ((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) {
+ sp = rap->rap_prport;
+ }
+ return inc;
+}
+
+
+int ippr_raudio_in(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ char membuf[IPF_MAXPORTLEN + 1], *s;
+ int off, dlen;
+ raudio_t *rap = aps->aps_data;
+ u_int a1, a2, a3, a4;
+ tcphdr_t *tcp;
+ tcp_seq seq;
+ mb_t *m;
+#if SOLARIS
+ mb_t *m1;
+#endif
+
+ if ((rap->rap_sdone != 0) ||
+ ((rap->rap_mode & RAP_M_UDP_ROBUST) != RAP_M_UDP_ROBUST))
+ return 0;
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+ m = *(mb_t **)fin->fin_mp;
+
+#if SOLARIS
+ m = fin->fin_qfm;
+
+ dlen = msgdsize(m) - off;
+ if (dlen <= 0)
+ return 0;
+ bzero(membuf, sizeof(membuf));
+ copyout_mblk(m, off, MIN(sizeof(membuf), dlen), membuf);
+#else
+ dlen = mbufchainlen(m) - off;
+ if (dlen <= 0)
+ return 0;
+ bzero(membuf, sizeof(membuf));
+ m_copydata(m, off, MIN(sizeof(membuf), dlen), membuf);
+#endif
+
+ seq = ntohl(tcp->th_seq);
+ /*
+ * Check to see if the data in this packet is of interest to us.
+ * We only care for the first 19 bytes coming back from the server.
+ */
+ if (rap->rap_sseq == 0) {
+ s = memstr("PNA", membuf, 3, dlen);
+ if (s == NULL)
+ return 0;
+ a1 = s - membuf;
+ dlen -= a1;
+ a1 = 0;
+ rap->rap_sseq = seq;
+ a2 = MIN(dlen, sizeof(rap->rap_svr));
+ } else if (seq <= rap->rap_sseq + sizeof(rap->rap_svr)) {
+ /*
+ * seq # which is the start of data and from that the offset
+ * into the buffer array.
+ */
+ a1 = seq - rap->rap_sseq;
+ a2 = MIN(dlen, sizeof(rap->rap_svr));
+ a2 -= a1;
+ s = membuf;
+ } else
+ return 0;
+
+ for (a3 = a1, a4 = a2; a4 > 0; a4--, a3++) {
+ rap->rap_sbf |= (1 << a3);
+ rap->rap_svr[a3] = *s++;
+ }
+ if (rap->rap_sbf == 0x7ffff) { /* 19 bits */
+ s = rap->rap_svr + 13;
+ rap->rap_srport = (*s << 8) | *(s + 1);
+ }
+ return 0;
+}
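Review bot: In ippr_raudio_in the retransmission branch computes `a2 = MIN(dlen, sizeof(rap->rap_svr)); a2 -= a1;` with `a2` unsigned, so a segment whose payload is shorter than its offset into `rap_svr` (dlen < a1) underflows `a2` and the copy loop writes past the 19-byte `rap_svr` array for billions of iterations; this is reachable from the server side of the connection. The bound should be taken after subtracting the offset, as below. Separately, ippr_raudio_out reads `(*s << 8) | *(s + 1)` through a signed `char` buffer, so any byte >= 0x80 yields a negative `id`/`len`, and `s += len` then walks `s` backwards out of `membuf`; declaring `membuf` as `u_char` (or casting each byte) fixes that.
```c
	} else if (seq - rap->rap_sseq < sizeof(rap->rap_svr)) {
		/*
		 * Offset of this segment inside rap_svr; copy only what the
		 * packet carries and what still fits in the array.
		 */
		a1 = seq - rap->rap_sseq;
		a2 = MIN(dlen, sizeof(rap->rap_svr) - a1);
		s = membuf;
	} else
		return 0;
	/* … unchanged: fill loop and port extraction … */
```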
diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c
new file mode 100644
index 0000000..2b67ee5
--- /dev/null
+++ b/contrib/ipfilter/ip_rcmd_pxy.c
@@ -0,0 +1,156 @@
+/*
+ * Simple RCMD transparent proxy for in-kernel use. For use with the NAT
+ * code.
+ */
+#if SOLARIS && defined(_KERNEL)
+extern kmutex_t ipf_rw;
+#endif
+
+#define isdigit(x) ((x) >= '0' && (x) <= '9')
+
+#define IPF_RCMD_PROXY
+
+
+int ippr_rcmd_init __P((void));
+int ippr_rcmd_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_rcmd_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+u_short ipf_rcmd_atoi __P((char *));
+int ippr_rcmd_portmsg __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+static frentry_t rcmdfr;
+
+
+/*
+ * RCMD application proxy initialization.
+ */
+int ippr_rcmd_init()
+{
+ bzero((char *)&rcmdfr, sizeof(rcmdfr));
+ rcmdfr.fr_ref = 1;
+ rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ return 0;
+}
+
+
+/*
+ * Setup for a new RCMD proxy.
+ */
+int ippr_rcmd_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
+
+ aps->aps_psiz = sizeof(u_32_t);
+ KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
+ if (aps->aps_data == NULL)
+ return -1;
+ *(u_32_t *)aps->aps_data = 0;
+ aps->aps_sport = tcp->th_sport;
+ aps->aps_dport = tcp->th_dport;
+ return 0;
+}
+
+
+/*
+ * ipf_rcmd_atoi - implement a simple version of atoi
+ */
+u_short ipf_rcmd_atoi(ptr)
+char *ptr;
+{
+ register char *s = ptr, c;
+ register u_short i = 0;
+
+ while ((c = *s++) && isdigit(c)) {
+ i *= 10;
+ i += c - '0';
+ }
+ return i;
+}
+
+
+int ippr_rcmd_portmsg(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ char portbuf[8], *s;
+ struct in_addr swip;
+ u_short sp, dp;
+ int off, dlen;
+ tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+ fr_info_t fi;
+ nat_t *ipn;
+ mb_t *m;
+#if SOLARIS
+ mb_t *m1;
+#endif
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+ m = *(mb_t **)fin->fin_mp;
+
+#if SOLARIS
+ m = fin->fin_qfm;
+
+ dlen = msgdsize(m) - off;
+ bzero(portbuf, sizeof(portbuf));
+ copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#else
+ dlen = mbufchainlen(m) - off;
+ bzero(portbuf, sizeof(portbuf));
+ m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#endif
+ if ((*(u_32_t *)aps->aps_data != 0) &&
+ (tcp->th_seq != *(u_32_t *)aps->aps_data))
+ return 0;
+
+ portbuf[sizeof(portbuf) - 1] = '\0';
+ s = portbuf;
+ sp = ipf_rcmd_atoi(s);
+ if (!sp)
+ return 0;
+
+ /*
+ * Add skeleton NAT entry for connection which will come back the
+ * other way.
+ */
+ sp = htons(sp);
+ dp = htons(fin->fin_data[1]);
+ ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
+ ip->ip_dst, (dp << 16) | sp);
+ if (ipn == NULL) {
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ bzero((char *)tcp2, sizeof(*tcp2));
+ tcp2->th_win = htons(8192);
+ tcp2->th_sport = sp;
+ tcp2->th_dport = 0; /* XXX - don't specify remote port */
+ fi.fin_data[0] = ntohs(sp);
+ fi.fin_data[1] = 0;
+ fi.fin_dp = (char *)tcp2;
+ swip = ip->ip_src;
+ ip->ip_src = nat->nat_inip;
+ ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
+ NAT_OUTBOUND);
+ if (ipn != NULL) {
+ ipn->nat_age = fr_defnatage;
+ fi.fin_fr = &rcmdfr;
+ (void) fr_addstate(ip, &fi, FI_W_DPORT);
+ }
+ ip->ip_src = swip;
+ }
+ return 0;
+}
+
+
+int ippr_rcmd_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ return ippr_rcmd_portmsg(fin, ip, aps, nat);
+}
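Review bot: The sequence-number guard at the top of ippr_rcmd_portmsg never engages, because the only write to `aps_data` in this diff is `*(u_32_t *)aps->aps_data = 0` in ippr_rcmd_new, so every outbound segment on the control connection whose payload begins with digits is treated as a port message and creates a NAT entry plus state with a wildcard remote port (`FI_W_DPORT`) back to the client. Record the accepted segment, e.g. `*(u_32_t *)aps->aps_data = tcp->th_seq;` after the `if (!sp) return 0;` check, so only retransmissions of that one segment are honoured. The copy also lacks the `if (dlen <= 0) return 0;` guard the raudio proxy has, so an empty segment hands a negative length to MIN() and on to m_copydata/copyout_mblk.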
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index 0677b94..4fa0df7 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.2 1999/10/05 12:59:08 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -52,16 +52,18 @@ static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55:
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
+
extern fr_flags, fr_active;
-int ipfr_timer_id = 0;
+int fr_running = 0;
int ipl_unreach = ICMP_UNREACH_HOST;
u_long ipl_frouteok[2] = {0, 0};
static void frzerostats __P((caddr_t));
-static int frrequest __P((int, int, caddr_t, int));
-kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
-kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
+static int frrequest __P((minor_t, int, caddr_t, int));
+kmutex_t ipl_mutex, ipf_authmx, ipf_rw;
+KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris;
+KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
kcondvar_t iplwait, ipfauthwait;
@@ -72,49 +74,62 @@ int ipldetach()
#ifdef IPFDEBUG
cmn_err(CE_CONT, "ipldetach()\n");
#endif
+#ifdef IPFILTER_LOG
for (i = IPL_LOGMAX; i >= 0; i--)
ipflog_clear(i);
- untimeout(ipfr_timer_id);
+#endif
i = FR_INQUE|FR_OUTQUE;
- frflush(IPL_LOGIPF, &i);
+ (void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
ipfr_unload();
fr_stateunload();
ip_natunload();
cv_destroy(&iplwait);
cv_destroy(&ipfauthwait);
+ mutex_destroy(&ipf_authmx);
mutex_destroy(&ipl_mutex);
- mutex_destroy(&ipf_mutex);
- mutex_destroy(&ipfs_mutex);
- mutex_destroy(&ipf_frag);
- mutex_destroy(&ipf_state);
- mutex_destroy(&ipf_natfrag);
- mutex_destroy(&ipf_nat);
- mutex_destroy(&ipf_auth);
+ mutex_destroy(&ipf_rw);
+ RW_DESTROY(&ipf_mutex);
+ RW_DESTROY(&ipf_frag);
+ RW_DESTROY(&ipf_state);
+ RW_DESTROY(&ipf_natfrag);
+ RW_DESTROY(&ipf_nat);
+ RW_DESTROY(&ipf_auth);
+ RW_DESTROY(&ipfs_mutex);
+ /* NOTE: This lock is acquired in ipf_detach */
+ RWLOCK_EXIT(&ipf_solaris);
+ RW_DESTROY(&ipf_solaris);
return 0;
}
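Review bot: `i = FR_INQUE|FR_OUTQUE;` just before the frflush call is dead now that the constant is passed directly, and with IPFILTER_LOG undefined `i` has no remaining use in the visible part of the function (its declaration is above the hunk); the assignment should go. ipldetach also never resets `fr_running`, which iplioctl now tests, so unless something outside this diff clears it an ioctl issued after detach proceeds against torn-down tables; `fr_running = 0;` at the top of the function would close that. The comment on RWLOCK_EXIT(&ipf_solaris) is useful and the matching one belongs where the lock is acquired.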
int iplattach __P((void))
{
- int i;
-
#ifdef IPFDEBUG
cmn_err(CE_CONT, "iplattach()\n");
#endif
- bzero((char *)nat_table, sizeof(nat_table));
bzero((char *)frcache, sizeof(frcache));
mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_mutex, "ipf filter mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipfs_mutex, "ipf solaris mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_auth, "ipf IP User-Auth mutex", MUTEX_DRIVER, NULL);
+ mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL);
+ mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL);
+ RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL);
+ RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL);
+ RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL);
+ RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock", NULL);
+ RWLOCK_INIT(&ipf_state, "ipf IP state rwlock", NULL);
+ RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock", NULL);
+ RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock", NULL);
+ RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock", NULL);
cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
+#ifdef IPFILTER_LOG
ipflog_init();
+#endif
+ if (nat_init() == -1)
+ return -1;
+ if (fr_stateinit() == -1)
+ return -1;
+ if (appr_init() == -1)
+ return -1;
return 0;
}
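Review bot: When nat_init, fr_stateinit or appr_init fails, iplattach returns -1 with every mutex, rwlock and condvar initialised above still live and with whatever the earlier, successful initialisers set up still in place; a retried attach then re-runs mutex_init/RWLOCK_INIT on already-initialised objects and the first attempt's tables leak. Unwind on failure (destroy the sync objects and call the matching unload for each subsystem that did succeed) before returning, or document that a failed attach is fatal for the module. A short header comment stating the init order (locks, log, NAT, state, proxies) and that ipldetach undoes it in reverse would make the pairing easy to check.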
@@ -122,7 +137,7 @@ int iplattach __P((void))
static void frzerostats(data)
caddr_t data;
{
- struct friostat fio;
+ friostat_t fio;
bcopy((char *)frstats, (char *)fio.f_st,
sizeof(struct filterstats) * 2);
@@ -148,27 +163,38 @@ caddr_t data;
int iplioctl(dev, cmd, data, mode, cp, rp)
dev_t dev;
int cmd;
-int data;
+#if SOLARIS2 >= 7
+intptr_t data;
+#else
+int *data;
+#endif
int mode;
cred_t *cp;
int *rp;
{
- int error = 0, unit, tmp;
+ int error = 0, tmp;
+ minor_t unit;
#ifdef IPFDEBUG
cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n",
dev, cmd, data, mode, cp, rp);
#endif
unit = getminor(dev);
- if ((IPL_LOGMAX < unit) || (unit < 0))
+ if (IPL_LOGMAX < unit)
return ENXIO;
+ if (fr_running <= 0)
+ return 0;
+
+ READ_ENTER(&ipf_solaris);
if (unit == IPL_LOGNAT) {
error = nat_ioctl((caddr_t)data, cmd, mode);
+ RWLOCK_EXIT(&ipf_solaris);
return error;
}
if (unit == IPL_LOGSTATE) {
error = fr_state_ioctl((caddr_t)data, cmd, mode);
+ RWLOCK_EXIT(&ipf_solaris);
return error;
}
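Review bot: `if (fr_running <= 0) return 0;` makes every ioctl report success while the filter is not running, so a caller that installs rules into a stopped or half-unloaded filter gets no indication that nothing happened; returning an error such as `return ENXIO;` would be more honest unless silent success is deliberate for the enable path. The flag is also tested before `READ_ENTER(&ipf_solaris)`, so a detach that completes between the test and the lock is not caught; re-checking fr_running once the read lock is held would close that window. iplioctl continues past the hunk.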
@@ -178,16 +204,20 @@ int *rp;
u_int enable;
if (!(mode & FWRITE))
- return EPERM;
- IRCOPY((caddr_t)data, (caddr_t)&enable, sizeof(enable));
+ error = EPERM;
+ else
+ IRCOPY((caddr_t)data, (caddr_t)&enable, sizeof(enable));
break;
}
case SIOCSETFF :
if (!(mode & FWRITE))
- return EPERM;
- mutex_enter(&ipf_mutex);
- IRCOPY((caddr_t)data, (caddr_t)&fr_flags, sizeof(fr_flags));
- mutex_exit(&ipf_mutex);
+ error = EPERM;
+ else {
+ WRITE_ENTER(&ipf_mutex);
+ IRCOPY((caddr_t)data, (caddr_t)&fr_flags,
+ sizeof(fr_flags));
+ RWLOCK_EXIT(&ipf_mutex);
+ }
break;
case SIOCGETFF :
IWCOPY((caddr_t)&fr_flags, (caddr_t)data, sizeof(fr_flags));
@@ -197,34 +227,36 @@ int *rp;
case SIOCADAFR :
case SIOCZRLST :
if (!(mode & FWRITE))
- return EPERM;
- mutex_enter(&ipf_mutex);
- error = frrequest(unit, cmd, (caddr_t)data, fr_active);
- mutex_exit(&ipf_mutex);
+ error = EPERM;
+ else
+ error = frrequest(unit, cmd, (caddr_t)data, fr_active);
break;
case SIOCINIFR :
case SIOCRMIFR :
case SIOCADIFR :
if (!(mode & FWRITE))
- return EPERM;
- mutex_enter(&ipf_mutex);
- error = frrequest(unit, cmd, (caddr_t)data, 1 - fr_active);
- mutex_exit(&ipf_mutex);
+ error = EPERM;
+ else
+ error = frrequest(unit, cmd, (caddr_t)data,
+ 1 - fr_active);
break;
case SIOCSWAPA :
if (!(mode & FWRITE))
- return EPERM;
- mutex_enter(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- IWCOPY((caddr_t)&fr_active, (caddr_t)data, sizeof(fr_active));
- fr_active = 1 - fr_active;
- mutex_exit(&ipf_mutex);
+ error = EPERM;
+ else {
+ WRITE_ENTER(&ipf_mutex);
+ bzero((char *)frcache, sizeof(frcache[0]) * 2);
+ IWCOPY((caddr_t)&fr_active, (caddr_t)data,
+ sizeof(fr_active));
+ fr_active = 1 - fr_active;
+ RWLOCK_EXIT(&ipf_mutex);
+ }
break;
case SIOCGETFS :
{
struct friostat fio;
- mutex_enter(&ipf_mutex);
+ READ_ENTER(&ipf_mutex);
bcopy((char *)frstats, (char *)fio.f_st,
sizeof(struct filterstats) * 2);
fio.f_fin[0] = ipfilter[0][0];
@@ -238,51 +270,75 @@ int *rp;
fio.f_active = fr_active;
fio.f_froute[0] = ipl_frouteok[0];
fio.f_froute[1] = ipl_frouteok[1];
- mutex_exit(&ipf_mutex);
+ fio.f_running = fr_running;
+ fio.f_groups[0][0] = ipfgroups[0][0];
+ fio.f_groups[0][1] = ipfgroups[0][1];
+ fio.f_groups[1][0] = ipfgroups[1][0];
+ fio.f_groups[1][1] = ipfgroups[1][1];
+ fio.f_groups[2][0] = ipfgroups[2][0];
+ fio.f_groups[2][1] = ipfgroups[2][1];
+#ifdef IPFILTER_LOG
+ fio.f_logging = 1;
+#else
+ fio.f_logging = 0;
+#endif
+ fio.f_defpass = fr_pass;
+ strncpy(fio.f_version, fio.f_version,
+ sizeof(fio.f_version));
+ RWLOCK_EXIT(&ipf_mutex);
IWCOPY((caddr_t)&fio, (caddr_t)data, sizeof(fio));
break;
}
case SIOCFRZST :
if (!(mode & FWRITE))
- return EPERM;
- frzerostats((caddr_t)data);
+ error = EPERM;
+ else
+ frzerostats((caddr_t)data);
break;
case SIOCIPFFL :
if (!(mode & FWRITE))
- return EPERM;
- IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
- mutex_enter(&ipf_mutex);
- frflush(unit, &tmp);
- mutex_exit(&ipf_mutex);
- IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
+ error = EPERM;
+ else {
+ IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
+ tmp = frflush(unit, tmp);
+ IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
+ }
break;
#ifdef IPFILTER_LOG
case SIOCIPFFB :
if (!(mode & FWRITE))
- return EPERM;
- tmp = ipflog_clear(unit);
- IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
+ error = EPERM;
+ else {
+ tmp = ipflog_clear(unit);
+ IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
+ }
break;
#endif /* IPFILTER_LOG */
case SIOCFRSYN :
if (!(mode & FWRITE))
- return EPERM;
- error = ipfsync();
+ error = EPERM;
+ else
+ error = ipfsync();
break;
case SIOCGFRST :
IWCOPY((caddr_t)ipfr_fragstats(), (caddr_t)data,
sizeof(ipfrstat_t));
break;
case FIONREAD :
+ {
#ifdef IPFILTER_LOG
- IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
- sizeof(iplused[IPL_LOGIPF]));
+ int copy = (int)iplused[IPL_LOGIPF];
+
+ IWCOPY((caddr_t)&copy, (caddr_t)data, sizeof(copy));
#endif
break;
+ }
case SIOCAUTHW :
case SIOCAUTHR :
- if (!(mode & FWRITE))
- return EPERM;
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
case SIOCATHST :
error = fr_auth_ioctl((caddr_t)data, cmd, NULL, NULL);
break;
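Review bot: `strncpy(fio.f_version, fio.f_version, sizeof(fio.f_version));` copies the field onto itself, so f_version is never filled in, and since `fio` is an uninitialised stack struct that is handed to the caller whole by IWCOPY, its unset bytes (the version field and any padding) leak kernel stack contents to user space. Clear it first with `bzero((char *)&fio, sizeof(fio));` right after the declaration and copy the driver's version string into f_version (the `ipfilter_version` string, if that is what was intended); strncpy with overlapping source and destination is also undefined behaviour. iplioctl continues past the hunk.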
@@ -290,6 +346,7 @@ int *rp;
error = EINVAL;
break;
}
+ RWLOCK_EXIT(&ipf_solaris);
return error;
}
@@ -297,8 +354,8 @@ int *rp;
ill_t *get_unit(name)
char *name;
{
+ size_t len = strlen(name) + 1; /* includes \0 */
ill_t *il;
- int len = strlen(name) + 1; /* includes \0 */
for (il = ill_g_head; il; il = il->ill_next)
if ((len == il->ill_name_length) &&
@@ -308,27 +365,8 @@ char *name;
}
-static void fixskip(listp, rp, addremove)
-frentry_t **listp, *rp;
-int addremove;
-{
- frentry_t *fp;
- int rules = 0, rn = 0;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
- ;
-
- if (!fp)
- return;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
- if (fp->fr_skip && (rn + fp->fr_skip >= rules))
- fp->fr_skip += addremove;
-}
-
-
static int frrequest(unit, req, data, set)
-int unit;
+minor_t unit;
int req, set;
caddr_t data;
{
@@ -337,24 +375,31 @@ caddr_t data;
frentry_t fr;
frdest_t *fdp;
frgroup_t *fg = NULL;
- int error = 0, in, group;
+ int error = 0, in;
+ u_int group;
ill_t *ill;
ipif_t *ipif;
ire_t *ire;
fp = &fr;
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
+ fp->fr_ref = 0;
+ WRITE_ENTER(&ipf_mutex);
/*
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
- if (fp->fr_grhead &&
- fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL))
- return EEXIST;
- if (fp->fr_group &&
- !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL))
- return ESRCH;
+ if ((req != SIOCZRLST) && fp->fr_grhead &&
+ fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) {
+ error = EEXIST;
+ goto out;
+ }
+ if ((req != SIOCZRLST) && fp->fr_group &&
+ !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL)) {
+ error = ESRCH;
+ goto out;
+ }
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
@@ -364,12 +409,18 @@ caddr_t data;
ftail = fprev = &ipacct[in][set];
else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE))
ftail = fprev = &ipfilter[in][set];
- else
- return ESRCH;
+ else {
+ error = ESRCH;
+ goto out;
+ }
- if ((group = fp->fr_group)) {
- if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
- return ESRCH;
+ group = fp->fr_group;
+ if (group != NULL) {
+ fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL);
+ if (fg == NULL) {
+ error = ESRCH;
+ goto out;
+ }
ftail = fprev = fg->fg_start;
}
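Review bot: `group` is now a `u_int`, but `if (group != NULL)` compares it against a pointer constant, which warns or fails depending on how NULL is defined; `if (group != 0)` says what is meant. The same comparison appears after `group = f->fr_grhead;` in a later hunk of this function. frrequest starts and ends outside this hunk.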
@@ -435,12 +486,15 @@ caddr_t data;
* If zero'ing statistics, copy current to caller and zero.
*/
if (req == SIOCZRLST) {
- if (!f)
- return ESRCH;
+ if (!f) {
+ error = ESRCH;
+ goto out;
+ }
+ MUTEX_DOWNGRADE(&ipf_mutex);
IWCOPY((caddr_t)f, data, sizeof(*f));
f->fr_hits = 0;
f->fr_bytes = 0;
- return 0;
+ goto out;
}
if (!f) {
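Review bot: the SIOCZRLST path downgrades ipf_mutex to a read lock and then still writes `f->fr_hits = 0; f->fr_bytes = 0;`, so the rule entry is modified while only a read lock is held. If the downgrade is there so the copyout does not run under the write lock, snapshot `*f` into a local frentry_t, zero the two counters, and only then `MUTEX_DOWNGRADE` and IWCOPY the snapshot. frrequest starts and ends outside this hunk.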
@@ -458,26 +512,32 @@ caddr_t data;
if (!f)
error = ESRCH;
else {
- if (f->fr_ref > 1)
- return EBUSY;
+ if (f->fr_ref > 1) {
+ error = EBUSY;
+ goto out;
+ }
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, f, ftail);
+ if (unit == IPL_LOGAUTH) {
+ error = fr_auth_ioctl(data, req, f, ftail);
+ goto out;
+ }
if (f->fr_grhead)
- fr_delgroup(f->fr_grhead, fp->fr_flags, unit,
- set);
+ fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
+ unit, set);
fixskip(fprev, f, -1);
*ftail = f->fr_next;
KFREE(f);
}
} else {
- if (f)
+ if (f) {
error = EEXIST;
- else {
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, f, ftail);
- KMALLOC(f, frentry_t *, sizeof(*f));
+ } else {
+ if (unit == IPL_LOGAUTH) {
+ error = fr_auth_ioctl(data, req, f, ftail);
+ goto out;
+ }
+ KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
fg->fg_head->fr_ref++;
@@ -489,12 +549,15 @@ caddr_t data;
if (req == SIOCINIFR || req == SIOCINAFR)
fixskip(fprev, f, 1);
f->fr_grp = NULL;
- if ((group = f->fr_grhead))
+ group = f->fr_grhead;
+ if (group != NULL)
fg = fr_addgroup(group, f, unit, set);
} else
error = ENOMEM;
}
}
+out:
+ RWLOCK_EXIT(&ipf_mutex);
return (error);
}
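Review bot: in the delete branch `fg->fg_head->fr_ref--` runs before the `unit == IPL_LOGAUTH` test, so when fr_auth_ioctl() reports an error and the rule stays in place the group head's reference count is left one too low. Moving the decrement below the auth call, next to `fixskip(fprev, f, -1)`, ties it to the actual removal; the EBUSY check already sits before it, which is the right place. frrequest starts outside this hunk.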
@@ -507,14 +570,14 @@ dev_t *devp;
int flags, otype;
cred_t *cred;
{
- u_int min = getminor(*devp);
+ minor_t min = getminor(*devp);
#ifdef IPFDEBUG
cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred);
#endif
- if (!(otype & OTYP_CHR))
+ if ((fr_running <= 0) || !(otype & OTYP_CHR))
return ENXIO;
- min = (2 < min || min < 0) ? ENXIO : 0;
+ min = (IPL_LOGMAX < min) ? ENXIO : 0;
return min;
}
@@ -524,12 +587,12 @@ dev_t dev;
int flags, otype;
cred_t *cred;
{
- u_int min = getminor(dev);
+ minor_t min = getminor(dev);
#ifdef IPFDEBUG
cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred);
#endif
- min = (2 < min || min < 0) ? ENXIO : 0;
+ min = (IPL_LOGMAX < min) ? ENXIO : 0;
return min;
}
@@ -557,72 +620,76 @@ cred_t *cp;
* send_reset - this could conceivably be a call to tcp_respond(), but that
* requires a large amount of setting up and isn't any more efficient.
*/
-int send_reset(iphdr, qif)
+int send_reset(fin, iphdr, qif)
+fr_info_t *fin;
ip_t *iphdr;
qif_t *qif;
{
- struct tcpiphdr *ti = (struct tcpiphdr *)iphdr;
- struct ip *ip;
- struct tcphdr *tcp;
- queue_t *q = qif->qf_q;
- mblk_t *m;
+ tcphdr_t *tcp, *tcp2;
int tlen = 0;
+ mblk_t *m;
+ ip_t *ip;
- if (ti->ti_flags & TH_RST)
+ tcp = (struct tcphdr *)fin->fin_dp;
+ if (tcp->th_flags & TH_RST)
return -1;
- if (ti->ti_flags & TH_SYN)
+ if (tcp->th_flags & TH_SYN)
tlen = 1;
- if ((m = (mblk_t *)allocb(sizeof(struct tcpiphdr), BPRI_HI)) == NULL)
+ if ((m = (mblk_t *)allocb(sizeof(*ip) + sizeof(*tcp),BPRI_HI)) == NULL)
return -1;
MTYPE(m) = M_DATA;
- m->b_wptr += sizeof(struct tcpiphdr);
- bzero((char *)m->b_rptr, sizeof(struct tcpiphdr));
+ m->b_wptr += sizeof(*ip) + sizeof(*tcp);
+ bzero((char *)m->b_rptr, sizeof(*ip) + sizeof(*tcp));
ip = (ip_t *)m->b_rptr;
- tcp = (struct tcphdr *)(m->b_rptr + sizeof(*ip));
-
- ip->ip_src.s_addr = ti->ti_dst.s_addr;
- ip->ip_dst.s_addr = ti->ti_src.s_addr;
- tcp->th_dport = ti->ti_sport;
- tcp->th_sport = ti->ti_dport;
- tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
- tcp->th_off = sizeof(struct tcphdr) >> 2;
- tcp->th_flags = TH_RST|TH_ACK;
+ tcp2 = (struct tcphdr *)(m->b_rptr + sizeof(*ip));
+
+ ip->ip_src.s_addr = iphdr->ip_dst.s_addr;
+ ip->ip_dst.s_addr = iphdr->ip_src.s_addr;
+ tcp2->th_dport = tcp->th_sport;
+ tcp2->th_sport = tcp->th_dport;
+ tcp2->th_ack = htonl(ntohl(tcp->th_seq) + tlen);
+ tcp2->th_seq = tcp->th_ack;
+ tcp2->th_off = sizeof(struct tcphdr) >> 2;
+ tcp2->th_flags = TH_RST|TH_ACK;
/*
* This is to get around a bug in the Solaris 2.4/2.5 TCP checksum
* computation that is done by their put routine.
*/
- tcp->th_sum = htons(0x14);
+ tcp2->th_sum = htons(0x14);
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
ip->ip_p = IPPROTO_TCP;
- ip->ip_len = htons(sizeof(struct tcpiphdr));
- ip->ip_tos = ((struct ip *)ti)->ip_tos;
+ ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp));
+ ip->ip_tos = iphdr->ip_tos;
ip->ip_off = 0;
ip->ip_ttl = 60;
ip->ip_sum = 0;
+ RWLOCK_EXIT(&ipfs_mutex);
+ RWLOCK_EXIT(&ipf_solaris);
ip_wput(qif->qf_ill->ill_wq, m);
+ READ_ENTER(&ipf_solaris);
+ READ_ENTER(&ipfs_mutex);
return 0;
}
-int icmp_error(ip, type, code, qif, src)
+int icmp_error(ip, type, code, qif, dst)
ip_t *ip;
int type, code;
qif_t *qif;
-struct in_addr src;
+struct in_addr dst;
{
- queue_t *q = qif->qf_q;
mblk_t *mb;
struct icmp *icmp;
ip_t *nip;
- int sz = sizeof(*nip) + sizeof(*icmp) + 8;
+ u_short sz = sizeof(*nip) + sizeof(*icmp) + 8;
- if ((mb = (mblk_t *)allocb(sz, BPRI_HI)) == NULL)
+ if ((mb = (mblk_t *)allocb((size_t)sz, BPRI_HI)) == NULL)
return -1;
MTYPE(mb) = M_DATA;
mb->b_wptr += sz;
- bzero((char *)mb->b_rptr, sz);
+ bzero((char *)mb->b_rptr, (size_t)sz);
nip = (ip_t *)mb->b_rptr;
icmp = (struct icmp *)(nip + 1);
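Review bot: the RWLOCK_EXIT/READ_ENTER pairs around `ip_wput(qif->qf_ill->ill_wq, m)` in send_reset release ipf_solaris, the load/unload lock, and ipfs_mutex while the reply is queued and re-take them afterwards, but unlike the same pattern in icmp_error this copy carries no explanation; the comment `Need to exit out of these so we don't recursively call rw_enter from fr_qout` belongs here too, together with a sentence on what keeps `qif` and `fin` valid across the window (presumably detach cannot complete while a packet is in flight — confirm). `tcp = (struct tcphdr *)fin->fin_dp;` reads th_flags, th_seq and th_ack with no length check of its own, so the header comment should state that callers must have rejected short packets (FI_SHORT) first. The `tcp2->th_seq = tcp->th_ack;` addition is correct for a reset in reply to a segment carrying an ACK.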
@@ -633,9 +700,13 @@ struct in_addr src;
nip->ip_sum = 0;
nip->ip_ttl = 60;
nip->ip_tos = ip->ip_tos;
- nip->ip_len = htons(sz);
- nip->ip_src.s_addr = ip->ip_dst.s_addr;
- nip->ip_dst.s_addr = ip->ip_src.s_addr;
+ nip->ip_len = (u_short)htons(sz);
+ if (dst.s_addr == 0) {
+ if (fr_ifpaddr(qif->qf_ill, &dst) == -1)
+ return -1;
+ }
+ nip->ip_src = dst;
+ nip->ip_dst = ip->ip_src;
icmp->icmp_type = type;
icmp->icmp_code = code;
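Review bot: the new `return -1` after a failed `fr_ifpaddr(qif->qf_ill, &dst)` leaks `mb`, which was allocated by allocb() in the previous hunk and has not been queued yet; either `freeb(mb);` before returning, or resolve `dst` before the allocation so the failure path has nothing to release. icmp_error starts and ends outside this hunk.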
@@ -643,7 +714,26 @@ struct in_addr src;
bcopy((char *)ip, (char *)&icmp->icmp_ip, sizeof(*ip));
bcopy((char *)ip + (ip->ip_hl << 2),
(char *)&icmp->icmp_ip + sizeof(*ip), 8); /* 64 bits */
+#ifndef sparc
+ ip = &icmp->icmp_ip;
+ {
+ u_short __iplen, __ipoff;
+
+ __iplen = ip->ip_len;
+ __ipoff = ip->ip_len;
+ ip->ip_len = htons(__iplen);
+ ip->ip_off = htons(__ipoff);
+ }
+#endif
icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8);
+ /*
+ * Need to exit out of these so we don't recursively call rw_enter
+ * from fr_qout.
+ */
+ RWLOCK_EXIT(&ipfs_mutex);
+ RWLOCK_EXIT(&ipf_solaris);
ip_wput(qif->qf_ill->ill_wq, mb);
+ READ_ENTER(&ipf_solaris);
+ READ_ENTER(&ipfs_mutex);
return 0;
}
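Review bot: inside the `#ifndef sparc` block `__ipoff = ip->ip_len;` should be `__ipoff = ip->ip_off;` — as written the quoted header's offset field is overwritten with the byte-swapped length, so the original datagram embedded in the ICMP error is wrong on little-endian hosts. Rebinding `ip` to `&icmp->icmp_ip` is only safe because nothing after the block uses the original pointer; a separate local would make that explicit. Selecting the swap with `#ifndef sparc` uses the CPU name as a proxy for endianness; an endianness macro (`_LITTLE_ENDIAN`/`BYTE_ORDER`, whichever the file's other platforms already use) would not break on other big-endian targets. icmp_error starts outside this hunk.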
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index 89a2c3b..c14c23f 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,10 +7,19 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.9 1999/10/21 14:31:09 darrenr Exp $";
#endif
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/file.h>
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
+ defined(_KERNEL)
+# include "opt_ipfilter_log.h"
+#endif
#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
+# include <stdio.h>
# include <stdlib.h>
# include <string.h>
#else
@@ -19,20 +28,19 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5
# include <linux/module.h>
# endif
#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
+# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
+# endif
#else
# include <sys/ioctl.h>
#endif
#include <sys/time.h>
#include <sys/uio.h>
#ifndef linux
-#include <sys/protosw.h>
+# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(_KERNEL) && !defined(linux)
@@ -45,14 +53,16 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
#include <net/if.h>
#ifdef sun
-#include <net/af.h>
+# include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
@@ -72,34 +82,60 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5
#include "netinet/ip_frag.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_state.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
+# include <sys/libkern.h>
+# include <sys/systm.h>
+# endif
+#endif
+
#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
+# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
#define TCP_CLOSE (TH_FIN|TH_RST)
-ipstate_t *ips_table[IPSTATE_SIZE];
+ipstate_t **ips_table = NULL;
int ips_num = 0;
ips_stat_t ips_stats;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern kmutex_t ipf_state;
+extern KRWLOCK_T ipf_state, ipf_mutex;
+extern kmutex_t ipf_rw;
#endif
static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
- fr_info_t *, void *, u_short, u_short));
+ fr_info_t *, tcphdr_t *));
+static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
static int fr_state_flush __P((int));
static ips_stat_t *fr_statetstats __P((void));
+static void fr_delstate __P((ipstate_t *));
#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
+#define TCP_MSL 240 /* 2 minutes */
u_long fr_tcpidletimeout = FIVE_DAYS,
- fr_tcpclosewait = 60,
- fr_tcplastack = 20,
- fr_tcptimeout = 120,
+ fr_tcpclosewait = 2 * TCP_MSL,
+ fr_tcplastack = 2 * TCP_MSL,
+ fr_tcptimeout = 2 * TCP_MSL,
fr_tcpclosed = 1,
- fr_udptimeout = 120,
+ fr_udptimeout = 240,
fr_icmptimeout = 120;
+int fr_statemax = IPSTATE_MAX,
+ fr_statesize = IPSTATE_SIZE;
+int fr_state_doflush = 0;
+
+
+int fr_stateinit()
+{
+ KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
+ if (ips_table != NULL)
+ bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
+ else
+ return -1;
+ return 0;
+}
static ips_stat_t *fr_statetstats()
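Review bot: fr_stateinit() takes `fr_statesize` as given: a zero or negative value yields a zero-sized or huge KMALLOCS, and because the size is also used as a modulus (`hv %= fr_statesize` later in this file) zero becomes a division by zero in the packet path; a guard `if (fr_statesize <= 0) return -1;` at the top is cheap. It also does not check that `ips_table` is still NULL, so a second attach would replace the table and orphan the entries in the old one. A short header comment stating that it must run exactly once before any state lookup, and that fr_statesize is fixed from then on, would help the next maintainer.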
@@ -127,8 +163,8 @@ int which;
int delete, removed = 0;
SPL_NET(s);
- MUTEX_ENTER(&ipf_state);
- for (i = 0; i < IPSTATE_SIZE; i++)
+ WRITE_ENTER(&ipf_state);
+ for (i = fr_statesize - 1; i >= 0; i--)
for (isp = &ips_table[i]; (is = *isp); ) {
delete = 0;
@@ -153,16 +189,22 @@ int which;
ips_stats.iss_fin++;
else
ips_stats.iss_expire++;
+ if (ips_table[i] == NULL)
+ ips_stats.iss_inuse--;
#ifdef IPFILTER_LOG
ipstate_log(is, ISL_FLUSH);
#endif
- KFREE(is);
+ fr_delstate(is);
ips_num--;
removed++;
} else
isp = &is->is_next;
}
- MUTEX_EXIT(&ipf_state);
+ if (fr_state_doflush) {
+ (void) fr_state_flush(1);
+ fr_state_doflush = 0;
+ }
+ RWLOCK_EXIT(&ipf_state);
SPL_X(s);
return removed;
}
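Review bot: the new `(void) fr_state_flush(1);` call is made before `RWLOCK_EXIT(&ipf_state)`, while this function still holds the write lock taken by `WRITE_ENTER(&ipf_state)` in the previous hunk; if this is fr_state_flush itself, as the `removed` counter and `return removed` suggest, it re-enters itself and tries to re-acquire a non-recursive rwlock, and because `fr_state_doflush = 0` only runs after the inner call returns the inner call would see the flag set again. Clearing the flag before the call and moving the check after RWLOCK_EXIT — or leaving the decision to the caller — avoids both problems. The function's start is outside this hunk.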
@@ -199,7 +241,8 @@ int mode;
#endif
break;
default :
- return EINVAL;
+ error = EINVAL;
+ break;
}
return error;
}
@@ -208,21 +251,25 @@ int mode;
/*
* Create a new ipstate structure and hang it off the hash table.
*/
-int fr_addstate(ip, fin, pass)
+ipstate_t *fr_addstate(ip, fin, flags)
ip_t *ip;
fr_info_t *fin;
-u_int pass;
+u_int flags;
{
- ipstate_t ips;
- register ipstate_t *is = &ips;
+ register ipstate_t *is;
register u_int hv;
+ ipstate_t ips;
+ u_int pass;
- if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
- return -1;
- if (ips_num == IPSTATE_MAX) {
+ if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
+ return NULL;
+ if (ips_num == fr_statemax) {
ips_stats.iss_max++;
- return -1;
+ fr_state_doflush = 1;
+ return NULL;
}
+ is = &ips;
+ bzero((char *)is, sizeof(*is));
ips.is_age = 1;
ips.is_state[0] = 0;
ips.is_state[1] = 0;
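Review bot: `if (ips_num == fr_statemax)` now compares against a variable rather than a constant; if fr_statemax can be lowered at runtime below the current ips_num the equality is never reached again and the table grows past the cap. `if (ips_num >= fr_statemax)` keeps the limit meaningful. Setting `fr_state_doflush = 1` without a lock is fine for a flag that is only ever raised here and cleared by the flush. fr_addstate continues past the hunk.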
@@ -252,9 +299,9 @@ u_int pass;
is->is_icmp.ics_type = ic->icmp_type + 1;
break;
default :
- return -1;
+ return NULL;
}
- ips_stats.iss_icmp++;
+ ATOMIC_INC(ips_stats.iss_icmp);
is->is_age = fr_icmptimeout;
break;
}
@@ -266,66 +313,93 @@ u_int pass;
* The endian of the ports doesn't matter, but the ack and
* sequence numbers do as we do mathematics on them later.
*/
- hv += (is->is_dport = tcp->th_dport);
- hv += (is->is_sport = tcp->th_sport);
- is->is_seq = ntohl(tcp->th_seq);
- is->is_ack = ntohl(tcp->th_ack);
- is->is_swin = ntohs(tcp->th_win);
- is->is_dwin = is->is_swin; /* start them the same */
- ips_stats.iss_tcp++;
+ is->is_dport = tcp->th_dport;
+ is->is_sport = tcp->th_sport;
+ if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
+ hv += tcp->th_dport;
+ hv += tcp->th_sport;
+ }
+ if (tcp->th_seq != 0) {
+ is->is_send = ntohl(tcp->th_seq) + ip->ip_len -
+ fin->fin_hlen - (tcp->th_off << 2) +
+ ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+ ((tcp->th_flags & TH_FIN) ? 1 : 0);
+ is->is_maxsend = is->is_send + 1;
+ }
+ is->is_dend = 0;
+ is->is_maxswin = ntohs(tcp->th_win);
+ if (is->is_maxswin == 0)
+ is->is_maxswin = 1;
/*
* If we're creating state for a starting connection, start the
* timer on it as we'll never see an error if it fails to
* connect.
*/
- if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN)
- is->is_ack = 0; /* Trumpet WinSock 'ism */
+ MUTEX_ENTER(&ipf_rw);
+ ips_stats.iss_tcp++;
fr_tcp_age(&is->is_age, is->is_state, ip, fin,
tcp->th_sport == is->is_sport);
+ MUTEX_EXIT(&ipf_rw);
break;
}
case IPPROTO_UDP :
{
register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
- hv += (is->is_dport = tcp->th_dport);
- hv += (is->is_sport = tcp->th_sport);
- ips_stats.iss_udp++;
+ if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
+ hv += (is->is_dport = tcp->th_dport);
+ hv += (is->is_sport = tcp->th_sport);
+ }
+ ATOMIC_INC(ips_stats.iss_udp);
is->is_age = fr_udptimeout;
break;
}
default :
- return -1;
+ return NULL;
}
- KMALLOC(is, ipstate_t *, sizeof(*is));
+ KMALLOC(is, ipstate_t *);
if (is == NULL) {
- ips_stats.iss_nomem++;
- return -1;
+ ATOMIC_INC(ips_stats.iss_nomem);
+ return NULL;
}
bcopy((char *)&ips, (char *)is, sizeof(*is));
- hv %= IPSTATE_SIZE;
- MUTEX_ENTER(&ipf_state);
-
+ hv %= fr_statesize;
+ RW_UPGRADE(&ipf_mutex);
+ is->is_rule = fin->fin_fr;
+ if (is->is_rule != NULL) {
+ is->is_rule->fr_ref++;
+ pass = is->is_rule->fr_flags;
+ } else
+ pass = fr_flags;
+ MUTEX_DOWNGRADE(&ipf_mutex);
+ WRITE_ENTER(&ipf_state);
+
+ is->is_rout = pass & FR_OUTQUE ? 1 : 0;
is->is_pass = pass;
is->is_pkts = 1;
is->is_bytes = ip->ip_len;
/*
- * Copy these from the rule itself.
+ * We want to check everything that is a property of this packet,
+ * but we don't (automatically) care about it's fragment status as
+ * this may change.
*/
- is->is_opt = fin->fin_fr->fr_ip.fi_optmsk;
- is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk;
- is->is_sec = fin->fin_fr->fr_ip.fi_secmsk;
- is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk;
- is->is_auth = fin->fin_fr->fr_ip.fi_auth;
- is->is_authmsk = fin->fin_fr->fr_mip.fi_auth;
- is->is_flags = fin->fin_fr->fr_ip.fi_fl;
- is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;
+ is->is_opt = fin->fin_fi.fi_optmsk;
+ is->is_optmsk = 0xffffffff;
+ is->is_sec = fin->fin_fi.fi_secmsk;
+ is->is_secmsk = 0xffff;
+ is->is_auth = fin->fin_fi.fi_auth;
+ is->is_authmsk = 0xffff;
+ is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
+ is->is_flags |= FI_CMP << 4;
+ is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT);
/*
* add into table.
*/
is->is_next = ips_table[hv];
ips_table[hv] = is;
+ if (is->is_next == NULL)
+ ips_stats.iss_inuse++;
if (fin->fin_out) {
is->is_ifpin = NULL;
is->is_ifpout = fin->fin_ifp;
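Review bot: the statistics counters in fr_addstate are updated two different ways — `ATOMIC_INC(ips_stats.iss_udp)` and `ATOMIC_INC(ips_stats.iss_nomem)` here, but `ips_stats.iss_tcp++` bracketed by MUTEX_ENTER(&ipf_rw)/MUTEX_EXIT(&ipf_rw) a few lines above — which is only equivalent if ATOMIC_INC is itself implemented with ipf_rw; one convention should be used. `RW_UPGRADE(&ipf_mutex)` precedes `is->is_rule->fr_ref++`; if the macro maps to a try-upgrade that can fail (Solaris rw_tryupgrade does) the increment runs under a read lock, so the macro's failure semantics should be documented or its result checked. The `is_send` arithmetic uses `tcp->th_off << 2` unvalidated; the FI_SHORT test at function entry presumably rules out a truncated TCP header, which is worth stating in a comment. fr_addstate starts and ends outside this hunk.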
@@ -335,17 +409,19 @@ u_int pass;
}
if (pass & FR_LOGFIRST)
is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
- ips_num++;
+ ATOMIC_INC(ips_num);
#ifdef IPFILTER_LOG
ipstate_log(is, ISL_NEW);
#endif
- MUTEX_EXIT(&ipf_state);
+ RWLOCK_EXIT(&ipf_state);
+ fin->fin_rev = (is->is_dst.s_addr != ip->ip_dst.s_addr);
if (fin->fin_fi.fi_fl & FI_FRAG)
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
- return 0;
+ return is;
}
+
/*
* check to see if a packet with TCP headers fits within the TCP window.
* change timeout depending on whether new packet is a SYN-ACK returning for a
@@ -357,168 +433,337 @@ fr_info_t *fin;
ip_t *ip;
tcphdr_t *tcp;
{
- register int seqskew, ackskew;
- register u_short swin, dwin;
- register tcp_seq seq, ack;
+ register tcp_seq seq, ack, end;
+ register int ackskew;
+ tcpdata_t *fdata, *tdata;
+ u_short win, maxwin;
+ int ret = 0;
int source;
/*
* Find difference between last checked packet and this packet.
*/
+ source = (ip->ip_src.s_addr == is->is_src.s_addr);
+ fdata = &is->is_tcp.ts_data[!source];
+ tdata = &is->is_tcp.ts_data[source];
seq = ntohl(tcp->th_seq);
ack = ntohl(tcp->th_ack);
- source = (ip->ip_src.s_addr == is->is_src.s_addr);
-
- if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */
- ack = source ? is->is_ack : is->is_seq;
+ win = ntohs(tcp->th_win);
+ end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) +
+ ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+ ((tcp->th_flags & TH_FIN) ? 1 : 0);
- if (source) {
- if (!is->is_seq)
- /*
- * Must be an outgoing SYN-ACK in reply to a SYN.
- */
- is->is_seq = seq;
- seqskew = seq - is->is_seq;
- ackskew = ack - is->is_ack;
- } else {
- if (!is->is_ack)
- /*
- * Must be a SYN-ACK in reply to a SYN.
- */
- is->is_ack = seq;
- ackskew = seq - is->is_ack;
- seqskew = ack - is->is_seq;
+ if (fdata->td_end == 0) {
+ /*
+ * Must be a (outgoing) SYN-ACK in reply to a SYN.
+ */
+ fdata->td_end = end;
+ fdata->td_maxwin = 1;
+ fdata->td_maxend = end + 1;
}
- /*
- * Make skew values absolute
- */
- if (seqskew < 0)
- seqskew = -seqskew;
- if (ackskew < 0)
- ackskew = -ackskew;
-
- /*
- * If the difference in sequence and ack numbers is within the
- * window size of the connection, store these values and match
- * the packet.
- */
- if (source) {
- swin = is->is_swin;
- dwin = is->is_dwin;
- } else {
- dwin = is->is_swin;
- swin = is->is_dwin;
+ if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
+ ack = tdata->td_end;
+ win = 1;
+ } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
+ (ack == 0)) {
+ /* gross hack to get around certain broken tcp stacks */
+ ack = tdata->td_end;
}
- if ((seqskew <= dwin) && (ackskew <= swin)) {
- if (source) {
- is->is_seq = seq;
- is->is_ack = ack;
- is->is_swin = ntohs(tcp->th_win);
- } else {
- is->is_seq = ack;
- is->is_ack = seq;
- is->is_dwin = ntohs(tcp->th_win);
+ if (seq == end)
+ seq = end = fdata->td_end;
+
+ maxwin = tdata->td_maxwin;
+ ackskew = tdata->td_end - ack;
+
+#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
+#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
+ if ((SEQ_GE(fdata->td_maxend, end)) &&
+ (SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) &&
+/* XXX what about big packets */
+#define MAXACKWINDOW 66000
+ (ackskew >= -MAXACKWINDOW) &&
+ (ackskew <= MAXACKWINDOW)) {
+ /* if ackskew < 0 then this should be due to fragented
+ * packets. There is no way to know the length of the
+ * total packet in advance.
+ * We do know the total length from the fragment cache though.
+ * Note however that there might be more sessions with
+ * exactly the same source and destination paramters in the
+ * state cache (and source and destination is the only stuff
+ * that is saved in the fragment cache). Note further that
+ * some TCP connections in the state cache are hashed with
+ * sport and dport as well which makes it not worthwhile to
+ * look for them.
+ * Thus, when ackskew is negative but still seems to belong
+ * to this session, we bump up the destinations end value.
+ */
+ if (ackskew < 0)
+ tdata->td_end = ack;
+
+ /* update max window seen */
+ if (fdata->td_maxwin < win)
+ fdata->td_maxwin = win;
+ if (SEQ_GT(end, fdata->td_end))
+ fdata->td_end = end;
+ if (SEQ_GE(ack + win, tdata->td_maxend)) {
+ tdata->td_maxend = ack + win;
+ if (win == 0)
+ tdata->td_maxend++;
}
- ips_stats.iss_hits++;
+
+ ATOMIC_INC(ips_stats.iss_hits);
is->is_pkts++;
is->is_bytes += ip->ip_len;
/*
* Nearing end of connection, start timeout.
*/
+ MUTEX_ENTER(&ipf_rw);
fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
- return 1;
+ MUTEX_EXIT(&ipf_rw);
+ ret = 1;
}
- return 0;
+ return ret;
}
-static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
+static int fr_matchsrcdst(is, src, dst, fin, tcp)
ipstate_t *is;
struct in_addr src, dst;
fr_info_t *fin;
-void *tcp;
-u_short sp, dp;
+tcphdr_t *tcp;
{
- int ret = 0, rev, out;
+ int ret = 0, rev, out, flags;
+ u_short sp, dp;
void *ifp;
- rev = (is->is_dst.s_addr != dst.s_addr);
+ rev = fin->fin_rev = (is->is_dst.s_addr != dst.s_addr);
ifp = fin->fin_ifp;
out = fin->fin_out;
- if (!rev) {
- if (out) {
- if (!is->is_ifpout)
- is->is_ifpout = ifp;
+ if (tcp != NULL) {
+ flags = is->is_flags;
+ sp = tcp->th_sport;
+ dp = tcp->th_dport;
+ } else {
+ flags = 0;
+ sp = 0;
+ dp = 0;
+ }
+
+ if (rev == 0) {
+ if (!out) {
+ if (is->is_ifpin == ifp)
+ ret = 1;
} else {
- if (!is->is_ifpin)
- is->is_ifpin = ifp;
+ if (is->is_ifpout == NULL || is->is_ifpout == ifp)
+ ret = 1;
}
} else {
if (out) {
- if (!is->is_ifpin)
- is->is_ifpin = ifp;
+ if (is->is_ifpin == ifp)
+ ret = 1;
} else {
- if (!is->is_ifpout)
- is->is_ifpout = ifp;
+ if (is->is_ifpout == NULL || is->is_ifpout == ifp)
+ ret = 1;
}
}
+ if (ret == 0)
+ return 0;
+ ret = 0;
- if (!rev) {
- if (((out && is->is_ifpout == ifp) ||
- (!out && is->is_ifpin == ifp)) &&
- (is->is_dst.s_addr == dst.s_addr) &&
+ if (rev == 0) {
+ if ((is->is_dst.s_addr == dst.s_addr) &&
(is->is_src.s_addr == src.s_addr) &&
- (!tcp || (sp == is->is_sport) &&
- (dp == is->is_dport))) {
+ (!tcp || ((sp == is->is_sport || flags & FI_W_SPORT) &&
+ (dp == is->is_dport || flags & FI_W_DPORT)))) {
ret = 1;
}
} else {
- if (((out && is->is_ifpin == ifp) ||
- (!out && is->is_ifpout == ifp)) &&
- (is->is_dst.s_addr == src.s_addr) &&
+ if ((is->is_dst.s_addr == src.s_addr) &&
(is->is_src.s_addr == dst.s_addr) &&
- (!tcp || (sp == is->is_dport) &&
- (dp == is->is_sport))) {
+ (!tcp || ((sp == is->is_dport || flags & FI_W_DPORT) &&
+ (dp == is->is_sport || flags & FI_W_SPORT)))) {
ret = 1;
}
}
+ if (ret == 0)
+ return 0;
/*
* Whether or not this should be here, is questionable, but the aim
* is to get this out of the main line.
*/
- if (ret) {
- if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
- ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
- ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) ||
- ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) !=
- (is->is_flags & 0xf)))
- ret = 0;
+ if (tcp == NULL)
+ flags = is->is_flags & (FI_CMP|(FI_CMP<<4));
+
+ if (((fin->fin_fi.fi_fl & (flags >> 4)) != (flags & FI_CMP)) ||
+ ((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
+ ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
+ ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth))
+ return 0;
+
+ if ((flags & (FI_W_SPORT|FI_W_DPORT))) {
+ if ((flags & FI_W_SPORT) != 0) {
+ if (rev == 0) {
+ is->is_sport = sp;
+ is->is_send = htonl(tcp->th_seq);
+ } else {
+ is->is_sport = dp;
+ is->is_send = htonl(tcp->th_ack);
+ }
+ is->is_maxsend = is->is_send + 1;
+ } else if ((flags & FI_W_DPORT) != 0) {
+ if (rev == 0) {
+ is->is_dport = dp;
+ is->is_dend = htonl(tcp->th_ack);
+ } else {
+ is->is_dport = sp;
+ is->is_dend = htonl(tcp->th_seq);
+ }
+ is->is_maxdend = is->is_dend + 1;
+ }
+ is->is_flags &= ~(FI_W_SPORT|FI_W_DPORT);
}
- return ret;
+
+ if (!rev) {
+ if (out && (out == is->is_rout)) {
+ if (!is->is_ifpout)
+ is->is_ifpout = ifp;
+ } else {
+ if (!is->is_ifpin)
+ is->is_ifpin = ifp;
+ }
+ } else {
+ if (!out && (out != is->is_rout)) {
+ if (!is->is_ifpin)
+ is->is_ifpin = ifp;
+ } else {
+ if (!is->is_ifpout)
+ is->is_ifpout = ifp;
+ }
+ }
+ return 1;
}
+frentry_t *fr_checkicmpmatchingstate(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+ register struct in_addr dst, src;
+ register ipstate_t *is, **isp;
+ register u_short sport, dport;
+ register u_char pr;
+ struct icmp *ic;
+ fr_info_t ofin;
+ u_int hv, dest;
+ tcphdr_t *tcp;
+ frentry_t *fr;
+ ip_t *oip;
+ int type;
+
+ /*
+ * Does it at least have the return (basic) IP header ?
+ * Only a basic IP header (no options) should be with
+ * an ICMP error header.
+ */
+ if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
+ return NULL;
+ ic = (struct icmp *)((char *)ip + fin->fin_hlen);
+ type = ic->icmp_type;
+ /*
+ * If it's not an error type, then return
+ */
+ if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
+ (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
+ (type != ICMP_PARAMPROB))
+ return NULL;
+
+ oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
+ if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ return NULL;
+ if ((oip->ip_p != IPPROTO_TCP) && (oip->ip_p != IPPROTO_UDP))
+ return NULL;
+
+ tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
+ dport = tcp->th_dport;
+ sport = tcp->th_sport;
+
+ hv = (pr = oip->ip_p);
+ hv += (src.s_addr = oip->ip_src.s_addr);
+ hv += (dst.s_addr = oip->ip_dst.s_addr);
+ hv += dport;
+ hv += sport;
+ hv %= fr_statesize;
+ /*
+ * we make an fin entry to be able to feed it to
+ * matchsrcdst note that not all fields are encessary
+ * but this is the cleanest way. Note further we fill
+ * in fin_mp such that if someone uses it we'll get
+ * a kernel panic. fr_matchsrcdst does not use this.
+ *
+ * watch out here, as ip is in host order and oip in network
+ * order. Any change we make must be undone afterwards.
+ */
+ oip->ip_len = ntohs(oip->ip_len);
+ fr_makefrip(oip->ip_hl << 2, oip, &ofin);
+ oip->ip_len = htons(oip->ip_len);
+ ofin.fin_ifp = fin->fin_ifp;
+ ofin.fin_out = !fin->fin_out;
+ ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
+ READ_ENTER(&ipf_state);
+ for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) {
+ /*
+ * Only allow this icmp though if the
+ * encapsulated packet was allowed through the
+ * other way around. Note that the minimal amount
+ * of info present does not allow for checking against
+ * tcp internals such as seq and ack numbers.
+ */
+ if ((is->is_p == pr) &&
+ fr_matchsrcdst(is, src, dst, &ofin, tcp)) {
+ fr = is->is_rule;
+ ips_stats.iss_hits++;
+ /*
+ * we must swap src and dst here because the icmp
+ * comes the other way around
+ */
+ dest = (is->is_dst.s_addr != src.s_addr);
+ is->is_pkts++;
+ is->is_bytes += ip->ip_len;
+ /*
+ * we deliberately do not touch the timeouts
+ * for the accompanying state table entry.
+ * It remains to be seen if that is correct. XXX
+ */
+ RWLOCK_EXIT(&ipf_state);
+ return fr;
+ }
+ }
+ RWLOCK_EXIT(&ipf_state);
+ return NULL;
+}
/*
* Check if a packet has a registered state.
*/
-int fr_checkstate(ip, fin)
+frentry_t *fr_checkstate(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
register struct in_addr dst, src;
register ipstate_t *is, **isp;
register u_char pr;
+ u_int hv, hvm, hlen, tryagain, pass;
struct icmp *ic;
+ frentry_t *fr;
tcphdr_t *tcp;
- u_int hv, hlen, pass;
- if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
- return 0;
+ if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
+ return NULL;
+ is = NULL;
hlen = fin->fin_hlen;
tcp = (tcphdr_t *)((char *)ip + hlen);
ic = (struct icmp *)tcp;
@@ -534,86 +779,134 @@ fr_info_t *fin;
case IPPROTO_ICMP :
hv += ic->icmp_id;
hv += ic->icmp_seq;
- hv %= IPSTATE_SIZE;
- MUTEX_ENTER(&ipf_state);
+ hv %= fr_statesize;
+ READ_ENTER(&ipf_state);
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
if ((is->is_p == pr) &&
(ic->icmp_id == is->is_icmp.ics_id) &&
(ic->icmp_seq == is->is_icmp.ics_seq) &&
- fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) {
- if (is->is_icmp.ics_type != ic->icmp_type)
+ fr_matchsrcdst(is, src, dst, fin, NULL)) {
+ if ((is->is_type == ICMP_ECHOREPLY) &&
+ (ic->icmp_type == ICMP_ECHO))
+ ;
+ else if (is->is_type != ic->icmp_type)
continue;
is->is_age = fr_icmptimeout;
- is->is_pkts++;
- is->is_bytes += ip->ip_len;
- ips_stats.iss_hits++;
- pass = is->is_pass;
- MUTEX_EXIT(&ipf_state);
- return pass;
+ break;
}
- MUTEX_EXIT(&ipf_state);
+ if (is != NULL)
+ break;
+ RWLOCK_EXIT(&ipf_state);
+ /*
+ * No matching icmp state entry. Perhaps this is a
+ * response to another state entry.
+ */
+ fr = fr_checkicmpmatchingstate(ip, fin);
+ if (fr)
+ return fr;
break;
case IPPROTO_TCP :
{
register u_short dport = tcp->th_dport, sport = tcp->th_sport;
- hv += dport;
- hv += sport;
- hv %= IPSTATE_SIZE;
- MUTEX_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
+ tryagain = 0;
+retry_tcp:
+ hvm = hv % fr_statesize;
+ WRITE_ENTER(&ipf_state);
+ for (isp = &ips_table[hvm]; (is = *isp);
+ isp = &is->is_next)
if ((is->is_p == pr) &&
- fr_matchsrcdst(is, src, dst, fin, tcp,
- sport, dport)) {
+ fr_matchsrcdst(is, src, dst, fin, tcp)) {
if (fr_tcpstate(is, fin, ip, tcp)) {
- pass = is->is_pass;
-#ifdef _KERNEL
- MUTEX_EXIT(&ipf_state);
-#else
-
+ break;
+#ifndef _KERNEL
if (tcp->th_flags & TCP_CLOSE) {
*isp = is->is_next;
- isp = &ips_table[hv];
- KFREE(is);
+ isp = &ips_table[hvm];
+ if (ips_table[hvm] == NULL)
+ ips_stats.iss_inuse--;
+ fr_delstate(is);
+ ips_num--;
}
#endif
- return pass;
+ break;
}
+ is = NULL;
+ break;
}
- MUTEX_EXIT(&ipf_state);
+ if (is != NULL)
+ break;
+ RWLOCK_EXIT(&ipf_state);
+ hv += dport;
+ hv += sport;
+ if (tryagain == 0) {
+ tryagain = 1;
+ goto retry_tcp;
+ }
break;
}
case IPPROTO_UDP :
{
register u_short dport = tcp->th_dport, sport = tcp->th_sport;
- hv += dport;
- hv += sport;
- hv %= IPSTATE_SIZE;
+ tryagain = 0;
+retry_udp:
+ hvm = hv % fr_statesize;
/*
* Nothing else to match on but ports. and IP#'s
*/
- MUTEX_ENTER(&ipf_state);
- for (is = ips_table[hv]; is; is = is->is_next)
+ READ_ENTER(&ipf_state);
+ for (is = ips_table[hvm]; is; is = is->is_next)
if ((is->is_p == pr) &&
- fr_matchsrcdst(is, src, dst, fin,
- tcp, sport, dport)) {
- ips_stats.iss_hits++;
- is->is_pkts++;
- is->is_bytes += ip->ip_len;
+ fr_matchsrcdst(is, src, dst, fin, tcp)) {
is->is_age = fr_udptimeout;
- pass = is->is_pass;
- MUTEX_EXIT(&ipf_state);
- return pass;
+ break;
}
- MUTEX_EXIT(&ipf_state);
+ if (is != NULL)
+ break;
+ RWLOCK_EXIT(&ipf_state);
+ hv += dport;
+ hv += sport;
+ if (tryagain == 0) {
+ tryagain = 1;
+ goto retry_udp;
+ }
break;
}
default :
break;
}
- ips_stats.iss_miss++;
- return 0;
+ if (is == NULL) {
+ ATOMIC_INC(ips_stats.iss_miss);
+ return NULL;
+ }
+ MUTEX_ENTER(&ipf_rw);
+ is->is_bytes += ip->ip_len;
+ ips_stats.iss_hits++;
+ is->is_pkts++;
+ MUTEX_EXIT(&ipf_rw);
+ fr = is->is_rule;
+ fin->fin_fr = fr;
+ pass = is->is_pass;
+ RWLOCK_EXIT(&ipf_state);
+ if (fin->fin_fi.fi_fl & FI_FRAG)
+ ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
+ return fr;
+}
+
+
+static void fr_delstate(is)
+ipstate_t *is;
+{
+ frentry_t *fr;
+
+ fr = is->is_rule;
+ if (fr != NULL) {
+ ATOMIC_DEC(fr->fr_ref);
+ if (fr->fr_ref == 0)
+ KFREE(fr);
+ }
+ KFREE(is);
}
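Review bot: The userland cleanup under `#ifndef _KERNEL` (the `if (tcp->th_flags & TCP_CLOSE)` block after the `fr_tcpstate` check) is unreachable, because the `break;` placed immediately before `#ifndef _KERNEL` leaves the loop first. It cannot simply be moved below that block either: the common tail after the switch dereferences `is` (`is->is_bytes`, `is->is_rule`, `is->is_pass`), so a reachable `fr_delstate(is)` there would be a use-after-free in the non-kernel build; either delete the dead block or defer the deletion until after those reads. Separately, `fr_delstate` does `ATOMIC_DEC(fr->fr_ref)` and then tests `fr->fr_ref == 0` as two separate operations; if `fr_ref` is ever dropped outside the `ipf_state` write lock (rule removal, for instance), two droppers can both observe zero (double free) or neither (leak), so a combined decrement-and-test primitive, if the ATOMIC macros offer one, would be safer.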
@@ -625,13 +918,18 @@ void fr_stateunload()
register int i;
register ipstate_t *is, **isp;
- MUTEX_ENTER(&ipf_state);
- for (i = 0; i < IPSTATE_SIZE; i++)
+ WRITE_ENTER(&ipf_state);
+ for (i = fr_statesize - 1; i >= 0; i--)
for (isp = &ips_table[i]; (is = *isp); ) {
*isp = is->is_next;
- KFREE(is);
+ fr_delstate(is);
+ ips_num--;
}
- MUTEX_EXIT(&ipf_state);
+ ips_stats.iss_inuse = 0;
+ ips_num = 0;
+ RWLOCK_EXIT(&ipf_state);
+ KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
+ ips_table = NULL;
}
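Review bot: `KFREES(ips_table, ...)` and `ips_table = NULL` run after `RWLOCK_EXIT(&ipf_state)`, so a packet that enters `fr_checkstate` between the unlock and the free indexes a freed or NULL table (`ips_table[hv]` is dereferenced with no NULL check anywhere in this diff). If unload can race with packet processing on any supported platform, move those two lines above `RWLOCK_EXIT`; if it provably cannot, a one-line comment saying so (`/* filter is already detached: no packets can reach the table here */`) would save the next reader the question.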
@@ -648,8 +946,8 @@ void fr_timeoutstate()
#endif
SPL_NET(s);
- MUTEX_ENTER(&ipf_state);
- for (i = 0; i < IPSTATE_SIZE; i++)
+ WRITE_ENTER(&ipf_state);
+ for (i = fr_statesize - 1; i >= 0; i--)
for (isp = &ips_table[i]; (is = *isp); )
if (is->is_age && !--is->is_age) {
*isp = is->is_next;
@@ -657,14 +955,16 @@ void fr_timeoutstate()
ips_stats.iss_fin++;
else
ips_stats.iss_expire++;
+ if (ips_table[i] == NULL)
+ ips_stats.iss_inuse--;
#ifdef IPFILTER_LOG
ipstate_log(is, ISL_EXPIRE);
#endif
- KFREE(is);
+ fr_delstate(is);
ips_num--;
} else
isp = &is->is_next;
- MUTEX_EXIT(&ipf_state);
+ RWLOCK_EXIT(&ipf_state);
SPL_X(s);
}
@@ -703,23 +1003,29 @@ int dir;
switch(state[dir])
{
- case TCPS_FIN_WAIT_2:
case TCPS_CLOSED:
+ if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
+ state[dir] = TCPS_ESTABLISHED;
+ *age = fr_tcpidletimeout;
+ }
+ case TCPS_FIN_WAIT_2:
if ((flags & TH_OPENING) == TH_OPENING)
state[dir] = TCPS_SYN_RECEIVED;
else if (flags & TH_SYN)
state[dir] = TCPS_SYN_SENT;
break;
case TCPS_SYN_RECEIVED:
- if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
- state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
- }
- break;
case TCPS_SYN_SENT:
if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
state[dir] = TCPS_ESTABLISHED;
*age = fr_tcpidletimeout;
+ } else if ((flags & (TH_FIN|TH_ACK)) == (TH_FIN|TH_ACK)) {
+ state[dir] = TCPS_CLOSE_WAIT;
+ if (!(flags & TH_PUSH) && !dlen &&
+ ostate > TCPS_ESTABLISHED)
+ *age = fr_tcplastack;
+ else
+ *age = fr_tcpclosewait;
}
break;
case TCPS_ESTABLISHED:
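Review bot: The new `case TCPS_CLOSED:` now falls into `case TCPS_FIN_WAIT_2:`, and `case TCPS_SYN_RECEIVED:` falls into `case TCPS_SYN_SENT:`, with no marker; add `/* FALLTHROUGH */` at both points so a reader (and lint) sees it is deliberate. The CLOSED branch also promotes an entry straight to ESTABLISHED with the full idle timeout on a bare ACK (`(flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK`), with no handshake observed, so an unsolicited ACK that matches a stale entry's addresses and ports keeps it alive unless the sequence/window checks in `fr_tcpstate` (outside this hunk) reject it; if that mid-stream pickup is intended, say so in a comment, otherwise gate it the way the SYN_SENT branch below does. `fr_tcp_age` starts outside this hunk.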
@@ -730,8 +1036,10 @@ int dir;
*age = fr_tcplastack;
else
*age = fr_tcpclosewait;
- } else
- *age = fr_tcpidletimeout;
+ } else {
+ if (ostate < TCPS_CLOSE_WAIT)
+ *age = fr_tcpidletimeout;
+ }
break;
case TCPS_CLOSE_WAIT:
if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen &&
@@ -760,23 +1068,27 @@ int dir;
#ifdef IPFILTER_LOG
void ipstate_log(is, type)
struct ipstate *is;
-u_short type;
+u_int type;
{
struct ipslog ipsl;
void *items[1];
size_t sizes[1];
int types[1];
+ ipsl.isl_type = type;
ipsl.isl_pkts = is->is_pkts;
ipsl.isl_bytes = is->is_bytes;
ipsl.isl_src = is->is_src;
ipsl.isl_dst = is->is_dst;
ipsl.isl_p = is->is_p;
ipsl.isl_flags = is->is_flags;
- ipsl.isl_type = type;
if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
ipsl.isl_sport = is->is_sport;
ipsl.isl_dport = is->is_dport;
+ if (ipsl.isl_p == IPPROTO_TCP) {
+ ipsl.isl_state[0] = is->is_state[0];
+ ipsl.isl_state[1] = is->is_state[1];
+ }
} else if (ipsl.isl_p == IPPROTO_ICMP)
ipsl.isl_itype = is->is_icmp.ics_type;
else {
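Review bot: `ipsl` is a stack `struct ipslog` that is only partially filled before the whole record is handed to `ipllog` (`sizes[0] = sizeof(ipsl)` in the following hunk): for UDP `isl_state[2]` is never written, for ICMP neither the ports nor `isl_state` are, and the `else` branch and any struct padding are untouched as well, so stale kernel stack bytes reach whoever reads the log device. Add `bzero((char *)&ipsl, sizeof(ipsl));` before the first assignment. Also, `type` is now `u_int` while `isl_type` stays `u_short` in the ip_state.h hunk, so values above 0xffff are silently truncated. `ipstate_log`'s tail continues outside this hunk.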
@@ -787,6 +1099,6 @@ u_short type;
sizes[0] = sizeof(ipsl);
types[0] = 0;
- (void) ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1);
+ (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1);
}
#endif
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index f2ae94b..ae8b5c1 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $
+ * $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -31,13 +31,16 @@ typedef struct icmpstate {
u_char ics_type;
} icmpstate_t;
+typedef struct tcpdata {
+ u_32_t td_end;
+ u_32_t td_maxend;
+ u_short td_maxwin;
+} tcpdata_t;
+
typedef struct tcpstate {
u_short ts_sport;
u_short ts_dport;
- u_long ts_seq;
- u_long ts_ack;
- u_short ts_swin;
- u_short ts_dwin;
+ tcpdata_t ts_data[2];
u_char ts_state[2];
} tcpstate_t;
@@ -49,16 +52,18 @@ typedef struct ipstate {
U_QUAD_T is_bytes;
void *is_ifpin;
void *is_ifpout;
+ frentry_t *is_rule;
struct in_addr is_src;
struct in_addr is_dst;
- u_char is_p;
- u_char is_flags;
- u_32_t is_opt;
- u_32_t is_optmsk;
- u_short is_sec;
- u_short is_secmsk;
- u_short is_auth;
- u_short is_authmsk;
+ u_char is_p; /* Protocol */
+ u_char is_rout; /* Is rule in/out ? */
+ u_32_t is_flags;
+ u_32_t is_opt; /* packet options set */
+ u_32_t is_optmsk; /* " " mask */
+ u_short is_sec; /* security options set */
+ u_short is_secmsk; /* " " mask */
+ u_short is_auth; /* authentication options set */
+ u_short is_authmsk; /* " " mask */
union {
icmpstate_t is_ics;
tcpstate_t is_ts;
@@ -67,17 +72,29 @@ typedef struct ipstate {
} ipstate_t;
#define is_icmp is_ps.is_ics
+#define is_type is_icmp.ics_type
+#define is_code is_icmp.ics_code
#define is_tcp is_ps.is_ts
#define is_udp is_ps.is_us
-#define is_seq is_tcp.ts_seq
-#define is_ack is_tcp.ts_ack
-#define is_dwin is_tcp.ts_dwin
-#define is_swin is_tcp.ts_swin
+#define is_send is_tcp.ts_data[0].td_end
+#define is_dend is_tcp.ts_data[1].td_end
+#define is_maxswin is_tcp.ts_data[0].td_maxwin
+#define is_maxdwin is_tcp.ts_data[1].td_maxwin
+#define is_maxsend is_tcp.ts_data[0].td_maxend
+#define is_maxdend is_tcp.ts_data[1].td_maxend
#define is_sport is_tcp.ts_sport
#define is_dport is_tcp.ts_dport
#define is_state is_tcp.ts_state
#define TH_OPENING (TH_SYN|TH_ACK)
+/*
+ * is_flags:
+ * Bits 0 - 3 are use as a mask with the current packet's bits to check for
+ * whether it is short, tcp/udp, a fragment or the presence of IP options.
+ * Bits 4 - 7 are set from the initial packet and contain what the packet
+ * anded with bits 0-3 must match.
+ * Bits 8,9 are used to indicate wildcard source/destination port matching.
+ */
typedef struct ipslog {
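Review bot: The new `is_flags` layout comment reads `Bits 0 - 3 are use as a mask`; it should say `are used as`. It also sits after the `is_*` accessor macros rather than next to the `u_32_t is_flags;` field it describes, so a reader of the struct will not find it; either move it beside the field or add a pointer there (`u_32_t is_flags; /* layout: see comment below TH_OPENING */`).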
@@ -87,6 +104,7 @@ typedef struct ipslog {
struct in_addr isl_dst;
u_char isl_p;
u_char isl_flags;
+ u_char isl_state[2];
u_short isl_type;
union {
u_short isl_filler[2];
@@ -117,6 +135,7 @@ typedef struct ips_stat {
u_long iss_active;
u_long iss_logged;
u_long iss_logfail;
+ u_long iss_inuse;
ipstate_t **iss_table;
} ips_stat_t;
@@ -128,13 +147,14 @@ extern u_long fr_tcptimeout;
extern u_long fr_tcpclosed;
extern u_long fr_udptimeout;
extern u_long fr_icmptimeout;
+extern int fr_stateinit __P((void));
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
-extern int fr_addstate __P((ip_t *, fr_info_t *, u_int));
-extern int fr_checkstate __P((ip_t *, fr_info_t *));
+extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int));
+extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
extern void fr_timeoutstate __P((void));
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
extern void fr_stateunload __P((void));
-extern void ipstate_log __P((struct ipstate *, u_short));
+extern void ipstate_log __P((struct ipstate *, u_int));
#if defined(__NetBSD__) || defined(__OpenBSD__)
extern int fr_state_ioctl __P((caddr_t, u_long, int));
#else
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index 2850019..a20852d 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -36,14 +36,16 @@
#include <resolv.h>
#include "ip_compat.h"
#include "ip_fil.h"
+#include "ip_nat.h"
+#include "ip_state.h"
#include "ipf.h"
+#include "ipl.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.2 1999/08/06 15:26:08 darrenr Exp $";
#endif
-static void frsync __P((void));
#if SOLARIS
static void blockunknown __P((void));
#endif
@@ -53,6 +55,7 @@ extern char *index __P((const char *, int));
extern char *optarg;
+void frsync __P((void));
void zerostats __P((void));
int main __P((int, char *[]));
@@ -67,6 +70,18 @@ static int opendevice __P((char *));
static void closedevice __P((void));
static char *getline __P((char *, size_t, FILE *));
static char *ipfname = IPL_NAME;
+static void usage __P((void));
+static void showversion __P((void));
+static int get_flags __P((void));
+
+
+static void usage()
+{
+ fprintf(stderr, "usage: ipf [-AdDEInoPrsUvVyzZ] %s %s %s\n",
+ "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
+ exit(1);
+}
+
int main(argc,argv)
int argc;
@@ -74,9 +89,11 @@ char *argv[];
{
int c;
- while ((c = getopt(argc, argv, "AdDEf:F:Il:noPrsUvyzZ")) != -1) {
+ while ((c = getopt(argc, argv, "AdDEf:F:Il:noPrsUvVyzZ")) != -1) {
switch (c)
{
+ case '?' :
+ usage();
case 'A' :
opts &= ~OPT_INACTIVE;
break;
@@ -124,6 +141,9 @@ char *argv[];
case 'v' :
opts |= OPT_VERBOSE;
break;
+ case 'V' :
+ showversion();
+ break;
case 'y' :
frsync();
break;
@@ -168,6 +188,18 @@ static void closedevice()
}
+static int get_flags()
+{
+ int i;
+
+ if ((opendevice(ipfname) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) {
+ perror("SIOCFRENB");
+ return 0;
+ }
+ return i;
+}
+
+
static void set_state(enable)
u_int enable;
{
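Review bot: `get_flags` returns `i` uninitialized when `opendevice(ipfname)` returns -2, because the `&&` short-circuits and the ioctl is never issued; initialize it (`int i = 0;`) so the dry-run path yields a defined flag word. The error label is also wrong: the call is `SIOCGETFF` but the message is `perror("SIOCFRENB")`, so use `perror("ioctl(SIOCGETFF)")`. What the -2 return means is decided in `opendevice`, outside this hunk.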
@@ -183,13 +215,17 @@ char *name, *file;
FILE *fp;
char line[513], *s;
struct frentry *fr;
- u_int add = SIOCADAFR, del = SIOCRMAFR;
+ u_int add, del;
+ int linenum = 0;
(void) opendevice(ipfname);
if (opts & OPT_INACTIVE) {
add = SIOCADIFR;
del = SIOCRMIFR;
+ } else {
+ add = SIOCADAFR;
+ del = SIOCRMAFR;
}
if (opts & OPT_DEBUG)
printf("add %x del %x\n", add, del);
@@ -205,6 +241,7 @@ char *name, *file;
}
while (getline(line, sizeof(line), fp)) {
+ linenum++;
/*
* treat CR as EOL. LF is converted to NUL by getline().
*/
@@ -222,7 +259,7 @@ char *name, *file;
if (opts & OPT_VERBOSE)
(void)fprintf(stderr, "[%s]\n", line);
- fr = parse(line);
+ fr = parse(line, linenum);
(void)fflush(stdout);
if (fr) {
@@ -309,13 +346,12 @@ FILE *file;
static void packetlogon(opt)
char *opt;
{
- int err, flag = 0;
+ int flag, err;
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- if ((err = ioctl(fd, SIOCGETFF, &flag)))
- perror("ioctl(SIOCGETFF)");
-
- printf("log flag is currently %#x\n", flag);
+ err = get_flags();
+ if (err != 0) {
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
+ printf("log flag is currently %#x\n", flag);
}
flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
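Review bot: `flag` is never assigned in the new `packetlogon`: the result of `get_flags()` goes into `err`, `flag` is printed and then masked with `flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK)` while still uninitialized, so the SIOCSETFF that follows (outside this hunk) pushes garbage bits into the kernel. The intent is presumably `flag = get_flags();` with the verbose `printf` kept under the existing `opts` test; note too that `if (err != 0)` treats a legitimately all-zero flag word as a failure, so the guard should go rather than be kept on the renamed variable.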
@@ -340,9 +376,7 @@ char *opt;
perror("ioctl(SIOCSETFF)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- if ((err = ioctl(fd, SIOCGETFF, &flag)))
- perror("ioctl(SIOCGETFF)");
-
+ flag = get_flags();
printf("log flag is now %#x\n", flag);
}
}
@@ -404,7 +438,7 @@ static void swapactive()
}
-static void frsync()
+void frsync()
{
int frsyn = 0;
@@ -465,17 +499,14 @@ friostat_t *fp;
#if SOLARIS
static void blockunknown()
{
- int flag;
+ u_32_t flag;
if (opendevice(ipfname) == -1)
return;
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- if (ioctl(fd, SIOCGETFF, &flag))
- perror("ioctl(SIOCGETFF)");
-
+ flag = get_flags();
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
printf("log flag is currently %#x\n", flag);
- }
flag ^= FF_BLOCKNONIP;
@@ -490,3 +521,54 @@ static void blockunknown()
}
}
#endif
+
+
+static void showversion()
+{
+ struct friostat fio;
+ u_32_t flags;
+ char *s;
+
+ printf("ipf: %s (%d)\n", IPL_VERSION, sizeof(frentry_t));
+
+ if (opendevice(ipfname) != -2 && ioctl(fd, SIOCGETFS, &fio)) {
+ perror("ioctl(SIOCGETFS");
+ return;
+ }
+ flags = get_flags();
+
+ printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
+ (int)sizeof(fio.f_version), fio.f_version);
+ printf("Running: %s\n", fio.f_running ? "yes" : "no");
+ printf("Log Flags: %#x = ", flags);
+ s = "";
+ if (flags & FF_LOGPASS) {
+ printf("pass");
+ s = ", ";
+ }
+ if (flags & FF_LOGBLOCK) {
+ printf("%sblock", s);
+ s = ", ";
+ }
+ if (flags & FF_LOGNOMATCH) {
+ printf("%snomatch", s);
+ s = ", ";
+ }
+ if (flags & FF_BLOCKNONIP) {
+ printf("%snonip", s);
+ s = ", ";
+ }
+ if (!*s)
+ printf("none set");
+ putchar('\n');
+
+ printf("Default: ");
+ if (fio.f_defpass & FR_PASS)
+ s = "pass";
+ else if (fio.f_defpass & FR_BLOCK)
+ s = "block";
+ else
+ s = "nomatch -> block";
+ printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
+ printf("Active list: %d\n", fio.f_active);
+}
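Review bot: When `opendevice(ipfname)` returns -2 the `&&` skips the SIOCGETFS ioctl and `fio` is printed uninitialized (`f_version`, `f_running`, `f_defpass`, `f_active`); either return early on that path or zero the struct first (`bzero((char *)&fio, sizeof(fio));`). Two smaller points in the same function: `perror("ioctl(SIOCGETFS")` is missing its closing parenthesis, and `sizeof(frentry_t)` is passed to `%d`, so cast it `(int)sizeof(frentry_t)` as the later `printf` already does for `f_version`.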
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
index 5c55502..2971bfe 100644
--- a/contrib/ipfilter/ipf.h
+++ b/contrib/ipfilter/ipf.h
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 2.0.2.12 1997/09/28 07:11:50 darrenr Exp $
+ * $Id: ipf.h,v 2.1.2.1 1999/10/05 12:59:25 darrenr Exp $
*/
#ifndef __IPF_H__
@@ -15,26 +15,28 @@
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
-#define OPT_REMOVE 0x00001
-#define OPT_DEBUG 0x00002
-#define OPT_OUTQUE FR_OUTQUE /* 0x0004 */
-#define OPT_INQUE FR_INQUE /* 0x0008 */
-#define OPT_LOG FR_LOG /* 0x0010 */
-#define OPT_SHOWLIST 0x00020
-#define OPT_VERBOSE 0x00040
-#define OPT_DONOTHING 0x00080
-#define OPT_HITS 0x00100
-#define OPT_BRIEF 0x00200
+#define OPT_REMOVE 0x000001
+#define OPT_DEBUG 0x000002
+#define OPT_OUTQUE FR_OUTQUE /* 0x00004 */
+#define OPT_INQUE FR_INQUE /* 0x00008 */
+#define OPT_LOG FR_LOG /* 0x00010 */
+#define OPT_SHOWLIST 0x000020
+#define OPT_VERBOSE 0x000040
+#define OPT_DONOTHING 0x000080
+#define OPT_HITS 0x000100
+#define OPT_BRIEF 0x000200
#define OPT_ACCNT FR_ACCOUNT /* 0x0400 */
#define OPT_FRSTATES FR_KEEPFRAG /* 0x0800 */
#define OPT_IPSTATES FR_KEEPSTATE /* 0x1000 */
#define OPT_INACTIVE FR_INACTIVE /* 0x2000 */
-#define OPT_SHOWLINENO 0x04000
-#define OPT_PRINTFR 0x08000
-#define OPT_ZERORULEST 0x10000
-#define OPT_SAVEOUT 0x20000
-#define OPT_AUTHSTATS 0x40000
-#define OPT_RAW 0x80000
+#define OPT_SHOWLINENO 0x004000
+#define OPT_PRINTFR 0x008000
+#define OPT_ZERORULEST 0x010000
+#define OPT_SAVEOUT 0x020000
+#define OPT_AUTHSTATS 0x040000
+#define OPT_RAW 0x080000
+#define OPT_NAT 0x100000
+#define OPT_GROUPS 0x200000
#ifndef __P
# ifdef __STDC__
@@ -48,11 +50,11 @@
extern char *strdup __P((char *));
#endif
-extern struct frentry *parse __P((char *));
+extern struct frentry *parse __P((char *, int));
extern void printfr __P((struct frentry *));
extern void binprint __P((struct frentry *)), initparse __P((void));
-extern u_short portnum __P((char *));
+extern int portnum __P((char *, u_short *, int));
struct ipopt_names {
@@ -64,18 +66,20 @@ struct ipopt_names {
extern u_32_t buildopts __P((char *, char *, int));
-extern u_32_t hostnum __P((char *, int *));
-extern u_32_t optname __P((char ***, u_short *));
+extern u_32_t hostnum __P((char *, int *, int));
+extern u_32_t optname __P((char ***, u_short *, int));
extern void printpacket __P((ip_t *));
#if SOLARIS
extern int inet_aton __P((const char *, struct in_addr *));
+extern int gethostname __P((char *, int ));
+extern void sync __P((void));
#endif
-#ifdef sun
-#define STRERROR(x) sys_errlist[x]
+#if defined(sun) && !SOLARIS
+# define STRERROR(x) sys_errlist[x]
extern char *sys_errlist[];
#else
-#define STRERROR(x) strerror(x)
+# define STRERROR(x) strerror(x)
#endif
#ifndef MIN
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
index ee6e5c5..1029ae8 100644
--- a/contrib/ipfilter/ipft_ef.c
+++ b/contrib/ipfilter/ipft_ef.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -51,7 +51,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.0.2.7.2.1 1997/11/12 10:56:06 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.1 1999/08/04 17:30:02 darrenr Exp $";
#endif
static int etherf_open __P((char *));
diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c
index c7fcd92..9f25fb0 100644
--- a/contrib/ipfilter/ipft_hx.c
+++ b/contrib/ipfilter/ipft_hx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -42,7 +42,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.0.2.8.2.1 1997/11/12 10:56:07 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.1 1999/08/04 17:30:03 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c
index 1524143..e924341 100644
--- a/contrib/ipfilter/ipft_pc.c
+++ b/contrib/ipfilter/ipft_pc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -29,11 +29,11 @@
#include "ip_compat.h"
#include <netinet/tcpip.h>
#include "ipf.h"
-#include "ipt.h"
#include "pcap.h"
+#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.0.2.6.2.1 1997/11/12 10:56:08 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.1 1999/08/04 17:30:03 darrenr Exp $";
#endif
struct llc {
diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c
index fc9183e..8dc0fa1 100644
--- a/contrib/ipfilter/ipft_sn.c
+++ b/contrib/ipfilter/ipft_sn.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -33,11 +33,11 @@
#include "ip_compat.h"
#include <netinet/tcpip.h>
#include "ipf.h"
-#include "ipt.h"
#include "snoop.h"
+#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.0.2.6.2.1 1997/11/12 10:56:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.1 1999/08/04 17:30:04 darrenr Exp $";
#endif
struct llc {
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
index de22b94..7ea43ea 100644
--- a/contrib/ipfilter/ipft_td.c
+++ b/contrib/ipfilter/ipft_td.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -60,7 +60,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.0.2.6.2.1 1997/11/12 10:56:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.1 1999/08/04 17:30:04 darrenr Exp $";
#endif
static int tcpd_open __P((char *));
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index 36372a1..9a5f139 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.1 1999/08/04 17:30:05 darrenr Exp $";
#endif
extern int opts;
@@ -196,7 +196,7 @@ int cnt, *dir;
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir))
#if 0
- return sizeof(struct tcpiphdr);
+ return sizeof(*ip) + sizeof(tcphdr_t);
#else
return sizeof(ip_t);
#endif
@@ -263,6 +263,9 @@ int *out;
tx_proto = "icmp";
}
cpp++;
+ } else if (isdigit(**cpp) && !index(*cpp, '.')) {
+ ip->ip_p = atoi(*cpp);
+ cpp++;
} else
ip->ip_p = IPPROTO_IP;
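Review bot: `ip->ip_p = atoi(*cpp)` accepts any digit string and silently truncates to `u_char`, so `300` becomes protocol 44 and out-of-range input is never reported; since this parser builds the test packets fed to the filter, bound it: `long p = strtol(*cpp, NULL, 10); if (p < 0 || p > 255) /* reject as parseline's other errors do */;` using whatever error path `parseline` has outside this hunk. `isdigit(**cpp)` should also be given `(unsigned char)**cpp` to stay defined for high-bit input.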
@@ -308,6 +311,8 @@ int *out;
if (tcp->th_flags)
cpp++;
assert(tcp->th_flags != 0);
+ tcp->th_win = htons(4096);
+ tcp->th_off = sizeof(*tcp) >> 2;
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
extern char *tx_icmptypes[];
char **s, *t;
@@ -340,5 +345,6 @@ int *out;
else if (ip->ip_p == IPPROTO_ICMP)
bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2),
sizeof(*ic));
+ ip->ip_len = htons(ip->ip_len);
return 0;
}
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index d92ec79..fd61ead 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1999 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -11,6 +11,6 @@
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter v3.2.7"
+#define IPL_VERSION "IP Filter: v3.3.3"
#endif
diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h
index a7a13f9..d8986c8 100644
--- a/contrib/ipfilter/iplang/iplang.h
+++ b/contrib/ipfilter/iplang/iplang.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -49,3 +49,6 @@ typedef struct aniphdr {
#define ah_tcp ah_un.ahu_tcp
#define ah_udp ah_un.ahu_udp
#define ah_icmp ah_un.ahu_icmp
+
+extern int get_arpipv4 __P((char *, char *));
+
diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l
index 89b7732..36a4ec8 100644
--- a/contrib/ipfilter/iplang/iplang_l.l
+++ b/contrib/ipfilter/iplang/iplang_l.l
@@ -1,12 +1,12 @@
%{
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: iplang_l.l,v 2.0.2.15.2.5 1997/12/28 01:32:13 darrenr Exp $
+ * $Id: iplang_l.l,v 2.1 1999/08/04 17:30:53 darrenr Exp $
*/
#include <stdio.h>
#include <string.h>
@@ -310,7 +310,9 @@ int nstate, fornext;
void swallow()
{
- int c = input();
+ int c;
+
+ c = input();
if (c == '#') {
while ((c != '\n') && (c != EOF))
diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y
index e01bb37..6dacd99 100644
--- a/contrib/ipfilter/iplang/iplang_y.y
+++ b/contrib/ipfilter/iplang/iplang_y.y
@@ -1,14 +1,14 @@
%{
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $
+ * $Id: iplang_y.y,v 2.1 1999/08/04 17:30:53 darrenr Exp $
*/
-
+
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@@ -1431,6 +1431,21 @@ char **arg;
}
+int arp_getipv4(ip, addr)
+char *ip;
+char *addr;
+{
+ arp_t *a;
+
+ for (a = arplist; a; a = a->arp_next)
+ if (!bcmp(ip, (char *)&a->arp_addr, 4)) {
+ bcopy((char *)&a->arp_eaddr, addr, 6);
+ return 0;
+ }
+ return -1;
+}
+
+
void reset_send()
{
sending.snd_if = iflist;
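Review bot: The function is defined here as `arp_getipv4`, but the prototype this same commit adds to iplang.h declares `get_arpipv4`, so a caller using the header name will fail to link (or, with an implicit declaration, compile against a symbol that does not exist); pick one spelling in both places. The lookup also assumes `ip` points at 4 readable bytes and `addr` at 6 writable ones with no length arguments; a one-line contract comment (`/* ip: 4-byte IPv4 address; addr: receives the 6-byte ethernet address; returns -1 if unknown */`) would keep callers honest.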
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index ae0f71d..11997a3 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -1,20 +1,11 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- *
- * Broken still:
- * Displaying the nat with redirect entries is way confusing
- *
- * Example redirection line:
- * rdr le1 0.0.0.0/0 port 79 -> 199.165.219.129 port 9901
- *
- * Will redirect all incoming packets on le1 to any machine, port 79 to
- * host 199.165.219.129, port 9901
*/
#include <stdio.h>
#include <string.h>
@@ -42,6 +33,9 @@
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
@@ -62,7 +56,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.1 1999/08/04 17:30:07 darrenr Exp $";
#endif
@@ -71,18 +65,18 @@ static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02
#endif
extern char *optarg;
+extern ipnat_t *natparse __P((char *, int));
+extern void natparsefile __P((int, char *, int));
+extern void printnat __P((ipnat_t *, int, void *));
-ipnat_t *parse __P((char *));
-u_32_t hostnum __P((char *, int *));
+u_32_t hostnum __P((char *, int *, int));
u_32_t hostmask __P((char *));
-u_short portnum __P((char *, char *));
void dostats __P((int, int)), flushtable __P((int, int));
-void printnat __P((ipnat_t *, int, void *));
-void parsefile __P((int, char *, int));
void usage __P((char *));
int countbits __P((u_32_t));
char *getnattype __P((ipnat_t *));
int main __P((int, char*[]));
+void printaps __P((ap_session_t *, int));
#define OPT_REM 1
#define OPT_NODO 2
@@ -91,12 +85,13 @@ int main __P((int, char*[]));
#define OPT_VERBOSE 16
#define OPT_FLUSH 32
#define OPT_CLEAR 64
+#define OPT_HITS 128
void usage(name)
char *name;
{
- fprintf(stderr, "%s: [-CFlnrsv] [-f filename]\n", name);
+ fprintf(stderr, "%s: [-CFhlnrsv] [-f filename]\n", name);
exit(1);
}
@@ -106,9 +101,9 @@ int argc;
char *argv[];
{
char *file = NULL;
- int fd = -1, opts = 1, c;
+ int fd = -1, opts = 0, c;
- while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1)
+ while ((c = getopt(argc, argv, "CFf:hlnrsv")) != -1)
switch (c)
{
case 'C' :
@@ -120,6 +115,9 @@ char *argv[];
case 'F' :
opts |= OPT_FLUSH;
break;
+ case 'h' :
+ opts |=OPT_HITS;
+ break;
case 'l' :
opts |= OPT_LIST;
break;
@@ -127,7 +125,7 @@ char *argv[];
opts |= OPT_NODO;
break;
case 'r' :
- opts &= ~OPT_REM;
+ opts |= OPT_REM;
break;
case 's' :
opts |= OPT_STAT;
@@ -149,7 +147,7 @@ char *argv[];
if (opts & (OPT_FLUSH|OPT_CLEAR))
flushtable(fd, opts);
if (file)
- parsefile(fd, file, opts);
+ natparsefile(fd, file, opts);
if (opts & (OPT_LIST|OPT_STAT))
dostats(fd, opts);
return 0;
@@ -185,94 +183,58 @@ u_32_t ip;
}
-void printnat(np, verbose, ptr)
-ipnat_t *np;
-int verbose;
-void *ptr;
+void printaps(aps, opts)
+ap_session_t *aps;
+int opts;
{
- int bits;
- struct protoent *pr;
+ ap_session_t ap;
+ aproxy_t apr;
+ raudio_t ra;
- switch (np->in_redir)
- {
- case NAT_REDIRECT :
- printf("rdr ");
- break;
- case NAT_MAP :
- printf("map ");
- break;
- case NAT_BIMAP :
- printf("bimap ");
- break;
- default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
- np->in_redir);
- break;
+ if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
+ return;
+ if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
+ return;
+ printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
+ apr.apr_p, apr.apr_ref, apr.apr_flags);
+ printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
+#ifdef USE_QUAD_T
+ printf("%qu pkts %qu", ap.aps_bytes, ap.aps_pkts);
+#else
+ printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
+#endif
+ printf(" data %p psiz %d\n", ap.aps_data, ap.aps_psiz);
+ if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
+ printf("\t\tstate[%u,%u], sel[%d,%d]\n",
+ ap.aps_state[0], ap.aps_state[1],
+ ap.aps_sel[0], ap.aps_sel[1]);
+#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
+ (__FreeBSD_version >= 300000) || defined(OpenBSD)
+ printf("\t\tseq: off %hd/%hd min %x/%x\n",
+ ap.aps_seqoff[0], ap.aps_seqoff[1],
+ ap.aps_seqmin[0], ap.aps_seqmin[1]);
+ printf("\t\tack: off %hd/%hd min %x/%x\n",
+ ap.aps_ackoff[0], ap.aps_ackoff[1],
+ ap.aps_ackmin[0], ap.aps_ackmin[1]);
+#else
+ printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
+ ap.aps_seqoff[0], ap.aps_seqoff[1],
+ ap.aps_seqmin[0], ap.aps_seqmin[1]);
+ printf("\t\tack: off %hd/%hd min %lx/%lx\n",
+ ap.aps_ackoff[0], ap.aps_ackoff[1],
+ ap.aps_ackmin[0], ap.aps_ackmin[1]);
+#endif
}
- if (np->in_redir == NAT_REDIRECT) {
- printf("%s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("/%d ", bits);
- else
- printf("/%s ", inet_ntoa(np->in_out[1]));
- if (np->in_pmin)
- printf("port %d ", ntohs(np->in_pmin));
- printf("-> %s", inet_ntoa(np->in_in[0]));
- if (np->in_pnext)
- printf(" port %d", ntohs(np->in_pnext));
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if ((np->in_flags & IPN_TCP) == IPN_TCP)
- printf(" tcp");
- else if ((np->in_flags & IPN_UDP) == IPN_UDP)
- printf(" udp");
- printf("\n");
- if (verbose)
- printf("\t%p %u %x %u %p %d\n", np->in_ifp,
- np->in_space, np->in_flags, np->in_pnext, np,
- np->in_use);
- } else {
- np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
- printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
- bits = countbits(np->in_in[1].s_addr);
- if (bits != -1)
- printf("%d ", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1]));
- printf(" -> %s/", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("%d ", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1]));
- if (*np->in_plabel) {
- printf(" proxy port");
- if (np->in_dport)
- printf(" %hu", ntohs(np->in_dport));
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- if ((pr = getprotobynumber(np->in_p)))
- fputs(pr->p_name, stdout);
- else
- printf("%d", np->in_p);
- } else if (np->in_pmin || np->in_pmax) {
- printf(" portmap");
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf(" tcp");
- else if (np->in_flags & IPN_UDP)
- printf(" udp");
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
- }
- printf("\n");
- if (verbose)
- printf("\t%p %u %s %d %x\n", np->in_ifp,
- np->in_space, inet_ntoa(np->in_nextip),
- np->in_pnext, np->in_flags);
+ if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
+ if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
+ return;
+ printf("\tReal Audio Proxy:\n");
+ printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
+ ra.rap_seenpna, ra.rap_version, ra.rap_eos);
+ printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
+ printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
+ ra.rap_plport, ra.rap_prport, ra.rap_srport);
}
}
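Review bot: `apr.apr_label` is handed to `printf("%s")` and `strcmp()` straight out of the struct filled by `kmemcpy()`, and nothing in the hunk guarantees that field is NUL-terminated; the removed printnat() printed the analogous `in_plabel` with `%.*s` and `(int)sizeof(np->in_plabel)`, and the same bound belongs here, e.g. `printf("\tproxy %.*s/%d ...", (int)sizeof(apr.apr_label), apr.apr_label, ...)` and `strncmp(apr.apr_label, "raudio", sizeof(apr.apr_label))`. The `ap.aps_psiz == sizeof(ra)` test before copying `aps_data` is the right guard against reading a differently sized private block and deserves a comment saying so. Separately, the NetBSD upper bound `NetBSD < 1991011` has seven digits where the lower bound `199905` has six, which looks like a typo that leaves the range open-ended; confirm the intended value.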
@@ -286,8 +248,8 @@ ipnat_t *ipnat;
char *which;
ipnat_t ipnatbuff;
- if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
- sizeof(ipnatbuff)))
+ if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
+ sizeof(ipnatbuff))))
return "???";
switch (ipnatbuff.in_redir)
@@ -295,6 +257,9 @@ ipnat_t *ipnat;
case NAT_MAP :
which = "MAP";
break;
+ case NAT_MAPBLK :
+ which = "MAP-BLOCK";
+ break;
case NAT_REDIRECT :
which = "RDR";
break;
@@ -341,6 +306,8 @@ int fd, opts;
perror("kmemcpy");
break;
}
+ if (opts & OPT_HITS)
+ printf("%d ", ipn.in_hits);
printnat(&ipn, opts & OPT_VERBOSE, (void *)ns.ns_list);
ns.ns_list = ipn.in_next;
}
@@ -354,66 +321,39 @@ int fd, opts;
printf("\nList of active sessions:\n");
- for (i = 0; i < NAT_SIZE; i++)
- for (np = nt[0][i]; np; np = nat.nat_hnext[0]) {
- if (kmemcpy((char *)&nat, (long)np,
- sizeof(nat)))
- break;
-
- printf("%s %-15s %-5hu <- ->",
- getnattype(nat.nat_ptr),
- inet_ntoa(nat.nat_inip),
- ntohs(nat.nat_inport));
- printf(" %-15s %-5hu",
- inet_ntoa(nat.nat_outip),
- ntohs(nat.nat_outport));
- printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
- ntohs(nat.nat_oport));
- printf(" %ld %hu %lx", nat.nat_age,
- nat.nat_use, nat.nat_sumd);
+ for (np = ns.ns_instances; np; np = nat.nat_next) {
+ if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
+ break;
+
+ printf("%s %-15s %-5hu <- ->", getnattype(nat.nat_ptr),
+ inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport));
+ printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip),
+ ntohs(nat.nat_outport));
+ printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
+ ntohs(nat.nat_oport));
+ if (opts & OPT_VERBOSE) {
+ printf("\n\tage %lu use %hu sumd %x pr %u",
+ nat.nat_age, nat.nat_use, nat.nat_sumd,
+ nat.nat_p);
+ printf(" bkt %d flags %x ", i, nat.nat_flags);
+#ifdef USE_QUAD_T
+ printf("bytes %qu pkts %qu",
+ nat.nat_bytes, nat.nat_pkts);
+#else
+ printf("bytes %lu pkts %lu",
+ nat.nat_bytes, nat.nat_pkts);
+#endif
#if SOLARIS
printf(" %lx", nat.nat_ipsumd);
#endif
- putchar('\n');
}
- free(nt[0]);
- }
-}
-
+ putchar('\n');
+ if (nat.nat_aps)
+ printaps(nat.nat_aps, opts);
+ }
-u_short portnum(name, proto)
-char *name, *proto;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
-
- if (isdigit(*name))
- return htons((u_short)atoi(name));
- if (!proto)
- proto = "tcp/udp";
- if (strcasecmp(proto, "tcp/udp")) {
- sp = getservbyname(name, proto);
- if (sp)
- return sp->s_port;
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
- name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
- return 0;
+ free(nt[0]);
}
- return p1;
}
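Review bot: `printf(" bkt %d flags %x ", i, nat.nat_flags)` prints `i`, but the bucket loop `for (i = 0; i < NAT_SIZE; i++)` that gave `i` its meaning is removed in this hunk and the new walk over `ns.ns_instances` never assigns it, so the "bkt" column shows whatever value `i` held from earlier in dostats(), which begins outside the hunk. Either drop the field or print the bucket the instance belongs to if the nat struct carries it. The trailing `free(nt[0])` also survives although nothing in the new loop reads `nt`; check that `nt` is still allocated earlier in the function, otherwise this frees an unset pointer.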
@@ -445,9 +385,10 @@ char *msk;
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
-u_32_t hostnum(host, resolved)
+u_32_t hostnum(host, resolved, linenum)
char *host;
int *resolved;
+int linenum;
{
struct hostent *hp;
struct netent *np;
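Review bot: The block comment above hostnum() still describes only the lookup and does not mention the new `linenum` parameter, which the -461,7 hunk shows is used only to prefix the resolution error message. Add a line such as ` * linenum is the config line being parsed; it appears in the error message only` to that comment. hostnum() ends outside this hunk.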
@@ -461,7 +402,7 @@ int *resolved;
if (!(hp = gethostbyname(host))) {
if (!(np = getnetbyname(host))) {
*resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
+ fprintf(stderr, "Line %d: can't resolve hostname: %s\n", linenum, host);
return 0;
}
return htonl(np->n_net);
@@ -470,336 +411,6 @@ int *resolved;
}
-ipnat_t *parse(line)
-char *line;
-{
- struct protoent *pr;
- static ipnat_t ipn;
- char *s, *t;
- char *shost, *snetm, *dhost, *proto;
- char *dnetm = NULL, *dport = NULL, *tport = NULL;
- int resolved;
-
- bzero((char *)&ipn, sizeof(ipn));
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if ((s = strchr(line, '#')))
- *s = '\0';
- if (!*line)
- return NULL;
- if (!(s = strtok(line, " \t")))
- return NULL;
- if (!strcasecmp(s, "map"))
- ipn.in_redir = NAT_MAP;
- else if (!strcasecmp(s, "rdr"))
- ipn.in_redir = NAT_REDIRECT;
- else if (!strcasecmp(s, "bimap"))
- ipn.in_redir = NAT_BIMAP;
- else {
- (void)fprintf(stderr,
- "expected map/rdr/bimap, got \"%s\"\n", s);
- return NULL;
- }
-
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (interface)\n");
- return NULL;
- }
- strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1);
- ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (%s)\n",
- ipn.in_redir ? "destination": "source");
- return NULL;
- }
- shost = s;
-
- if (ipn.in_redir == NAT_REDIRECT) {
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (destination port)\n");
- return NULL;
- }
-
- if (strcasecmp(s, "port")) {
- fprintf(stderr, "missing fields (port)\n");
- return NULL;
- }
-
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (destination port)\n");
- return NULL;
- }
-
- dport = s;
- }
-
-
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (->)\n");
- return NULL;
- }
- if (!strcmp(s, "->")) {
- snetm = strrchr(shost, '/');
- if (!snetm) {
- fprintf(stderr, "missing fields (%s netmask)\n",
- ipn.in_redir ? "destination":"source");
- return NULL;
- }
- } else {
- if (strcasecmp(s, "netmask")) {
- fprintf(stderr, "missing fields (netmask)\n");
- return NULL;
- }
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (%s netmask)\n",
- ipn.in_redir ? "destination":"source");
- return NULL;
- }
- snetm = s;
- }
-
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (%s)\n",
- ipn.in_redir ? "destination":"target");
- return NULL;
- }
- dhost = s;
-
- if (ipn.in_redir & NAT_MAP) {
- if (!(s = strtok(NULL, " \t"))) {
- dnetm = strrchr(dhost, '/');
- if (!dnetm) {
- fprintf(stderr,
- "missing fields (dest netmask)\n");
- return NULL;
- }
- }
- if (!s || !strcasecmp(s, "portmap") ||
- !strcasecmp(s, "proxy")) {
- dnetm = strrchr(dhost, '/');
- if (!dnetm) {
- fprintf(stderr,
- "missing fields (dest netmask)\n");
- return NULL;
- }
- } else {
- if (strcasecmp(s, "netmask")) {
- fprintf(stderr,
- "missing fields (dest netmask)\n");
- return NULL;
- }
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr,
- "missing fields (dest netmask)\n");
- return NULL;
- }
- dnetm = s;
- }
- if (*dnetm == '/')
- *dnetm++ = '\0';
- } else {
- /* If it's a in_redir, expect target port */
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (destination port)\n");
- return NULL;
- }
-
- if (strcasecmp(s, "port")) {
- fprintf(stderr, "missing fields (port)\n");
- return NULL;
- }
-
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing fields (destination port)\n");
- return NULL;
- }
- tport = s;
- }
-
-
- if (*snetm == '/')
- *snetm++ = '\0';
-
- if (ipn.in_redir & NAT_MAP) {
- ipn.in_inip = hostnum(shost, &resolved);
- if (resolved == -1)
- return NULL;
- ipn.in_inmsk = hostmask(snetm);
- ipn.in_outip = hostnum(dhost, &resolved);
- if (resolved == -1)
- return NULL;
- ipn.in_outmsk = hostmask(dnetm);
- } else {
- ipn.in_inip = hostnum(dhost, &resolved); /* Inside is target */
- if (resolved == -1)
- return NULL;
- ipn.in_inmsk = hostmask("255.255.255.255");
- ipn.in_outip = hostnum(shost, &resolved);
- if (resolved == -1)
- return NULL;
- ipn.in_outmsk = hostmask(snetm);
- if (!(s = strtok(NULL, " \t"))) {
- ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */
- proto = "tcp";
- } else {
- if (!strcasecmp(s, "tcp"))
- ipn.in_flags = IPN_TCP;
- else if (!strcasecmp(s, "udp"))
- ipn.in_flags = IPN_UDP;
- else if (!strcasecmp(s, "tcp/udp"))
- ipn.in_flags = IPN_TCPUDP;
- else if (!strcasecmp(s, "tcpudp"))
- ipn.in_flags = IPN_TCPUDP;
- else {
- fprintf(stderr,
- "expected protocol - got \"%s\"\n", s);
- return NULL;
- }
- proto = s;
- if ((s = strtok(NULL, " \t"))) {
- fprintf(stderr,
- "extra junk at the end of rdr: %s\n",
- s);
- return NULL;
- }
- }
- ipn.in_pmin = portnum(dport, proto); /* dest port */
- ipn.in_pmax = ipn.in_pmin; /* NECESSARY of removing nats */
- ipn.in_pnext = portnum(tport, proto); /* target port */
- s = NULL; /* That's all she wrote! */
- }
- ipn.in_inip &= ipn.in_inmsk;
- ipn.in_outip &= ipn.in_outmsk;
-
- if (!s)
- return &ipn;
-
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "extra words at the end of bimap line: %s\n",
- s);
- return NULL;
- }
- if (!strcasecmp(s, "proxy")) {
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "missing parameter for \"proxy\"\n");
- return NULL;
- }
- dport = NULL;
-
- if (!strcasecmp(s, "port")) {
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr,
- "missing parameter for \"port\"\n");
- return NULL;
- }
-
- dport = s;
-
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr,
- "missing parameter for \"proxy\"\n");
- return NULL;
- }
- }
- if ((proto = index(s, '/'))) {
- *proto++ = '\0';
- if ((pr = getprotobyname(proto)))
- ipn.in_p = pr->p_proto;
- else
- ipn.in_p = atoi(proto);
- if (dport)
- ipn.in_dport = portnum(dport, proto);
- } else {
- ipn.in_p = 0;
- if (dport)
- ipn.in_dport = portnum(dport, NULL);
- }
-
- (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
- if ((s = strtok(NULL, " \t"))) {
- fprintf(stderr, "too many parameters for \"proxy\"\n");
- return NULL;
- }
- return &ipn;
-
- }
- if (strcasecmp(s, "portmap")) {
- fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s);
- return NULL;
- }
- if (!(s = strtok(NULL, " \t")))
- return NULL;
- if (!strcasecmp(s, "tcp"))
- ipn.in_flags = IPN_TCP;
- else if (!strcasecmp(s, "udp"))
- ipn.in_flags = IPN_UDP;
- else if (!strcasecmp(s, "tcpudp"))
- ipn.in_flags = IPN_TCPUDP;
- else if (!strcasecmp(s, "tcp/udp"))
- ipn.in_flags = IPN_TCPUDP;
- else {
- fprintf(stderr, "expected protocol name - got \"%s\"\n", s);
- return NULL;
- }
- proto = s;
- if (!(s = strtok(NULL, " \t"))) {
- fprintf(stderr, "no port range found\n");
- return NULL;
- }
- if (!(t = strchr(s, ':'))) {
- fprintf(stderr, "no port range in \"%s\"\n", s);
- return NULL;
- }
- *t++ = '\0';
- ipn.in_pmin = portnum(s, proto);
- ipn.in_pmax = portnum(t, proto);
- return &ipn;
-}
-
-
-void parsefile(fd, file, opts)
-int fd;
-char *file;
-int opts;
-{
- char line[512], *s;
- ipnat_t *np;
- FILE *fp;
- int linenum = 1;
-
- if (strcmp(file, "-")) {
- if (!(fp = fopen(file, "r"))) {
- (void) fprintf(stderr, "%s: open: %s\n", file,
- STRERROR(errno));
- exit(1);
- }
- } else
- fp = stdin;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- line[sizeof(line) - 1] = '\0';
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if (!(np = parse(line))) {
- if (*line)
- fprintf(stderr, "%d: syntax error in \"%s\"\n",
- linenum, line);
- } else if (!(opts & OPT_NODO)) {
- if ((opts & OPT_VERBOSE) && np)
- printnat(np, opts & OPT_VERBOSE, NULL);
- if (opts & OPT_REM) {
- if (ioctl(fd, SIOCADNAT, np) == -1)
- perror("ioctl(SIOCADNAT)");
- } else if (ioctl(fd, SIOCRMNAT, np) == -1)
- perror("ioctl(SIOCRMNAT)");
- }
- linenum++;
- }
- if (fp != stdin)
- fclose(fp);
-}
-
-
void flushtable(fd, opts)
int fd, opts;
{
diff --git a/contrib/ipfilter/ipsd/Celler/ip_compat.h b/contrib/ipfilter/ipsd/Celler/ip_compat.h
new file mode 100644
index 0000000..a911fd8
--- /dev/null
+++ b/contrib/ipfilter/ipsd/Celler/ip_compat.h
@@ -0,0 +1,201 @@
+/*
+ * (C)opyright 1995 by Darren Reed.
+ *
+ * This code may be freely distributed as long as it retains this notice
+ * and is not changed in any way. The author accepts no responsibility
+ * for the use of this software. I hate legaleese, don't you ?
+ *
+ * @(#)ip_compat.h 1.1 9/14/95
+ */
+
+/*
+ * These #ifdef's are here mainly for linux, but who knows, they may
+ * not be in other places or maybe one day linux will grow up and some
+ * of these will turn up there too.
+ */
+#ifndef ICMP_UNREACH
+# define ICMP_UNREACH ICMP_DEST_UNREACH
+#endif
+#ifndef ICMP_SOURCEQUENCH
+# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
+#endif
+#ifndef ICMP_TIMXCEED
+# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
+#endif
+#ifndef ICMP_PARAMPROB
+# define ICMP_PARAMPROB ICMP_PARAMETERPROB
+#endif
+#ifndef IPVERSION
+# define IPVERSION 4
+#endif
+#ifndef IPOPT_MINOFF
+# define IPOPT_MINOFF 4
+#endif
+#ifndef IPOPT_COPIED
+# define IPOPT_COPIED(x) ((x)&0x80)
+#endif
+#ifndef IPOPT_EOL
+# define IPOPT_EOL 0
+#endif
+#ifndef IPOPT_NOP
+# define IPOPT_NOP 1
+#endif
+#ifndef IP_MF
+# define IP_MF ((u_short)0x2000)
+#endif
+#ifndef ETHERTYPE_IP
+# define ETHERTYPE_IP ((u_short)0x0800)
+#endif
+#ifndef TH_FIN
+# define TH_FIN 0x01
+#endif
+#ifndef TH_SYN
+# define TH_SYN 0x02
+#endif
+#ifndef TH_RST
+# define TH_RST 0x04
+#endif
+#ifndef TH_PUSH
+# define TH_PUSH 0x08
+#endif
+#ifndef TH_ACK
+# define TH_ACK 0x10
+#endif
+#ifndef TH_URG
+# define TH_URG 0x20
+#endif
+#ifndef IPOPT_EOL
+# define IPOPT_EOL 0
+#endif
+#ifndef IPOPT_NOP
+# define IPOPT_NOP 1
+#endif
+#ifndef IPOPT_RR
+# define IPOPT_RR 7
+#endif
+#ifndef IPOPT_TS
+# define IPOPT_TS 68
+#endif
+#ifndef IPOPT_SECURITY
+# define IPOPT_SECURITY 130
+#endif
+#ifndef IPOPT_LSRR
+# define IPOPT_LSRR 131
+#endif
+#ifndef IPOPT_SATID
+# define IPOPT_SATID 136
+#endif
+#ifndef IPOPT_SSRR
+# define IPOPT_SSRR 137
+#endif
+#ifndef IPOPT_SECUR_UNCLASS
+# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
+#endif
+#ifndef IPOPT_SECUR_CONFID
+# define IPOPT_SECUR_CONFID ((u_short)0xf135)
+#endif
+#ifndef IPOPT_SECUR_EFTO
+# define IPOPT_SECUR_EFTO ((u_short)0x789a)
+#endif
+#ifndef IPOPT_SECUR_MMMM
+# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
+#endif
+#ifndef IPOPT_SECUR_RESTR
+# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
+#endif
+#ifndef IPOPT_SECUR_SECRET
+# define IPOPT_SECUR_SECRET ((u_short)0xd788)
+#endif
+#ifndef IPOPT_SECUR_TOPSECRET
+# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
+#endif
+
+#ifdef linux
+# define icmp icmphdr
+# define icmp_type type
+# define icmp_code code
+
+/*
+ * From /usr/include/netinet/ip_var.h
+ * !%@#!$@# linux...
+ */
+struct ipovly {
+ caddr_t ih_next, ih_prev; /* for protocol sequence q's */
+ u_char ih_x1; /* (unused) */
+ u_char ih_pr; /* protocol */
+ short ih_len; /* protocol length */
+ struct in_addr ih_src; /* source internet address */
+ struct in_addr ih_dst; /* destination internet address */
+};
+
+typedef struct {
+ __u16 th_sport;
+ __u16 th_dport;
+ __u32 th_seq;
+ __u32 th_ack;
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+ defined(vax)
+ __u8 th_res:4;
+ __u8 th_off:4;
+#else
+ __u8 th_off:4;
+ __u8 th_res:4;
+#endif
+ __u8 th_flags;
+ __u16 th_win;
+ __u16 th_sum;
+ __u16 th_urp;
+} tcphdr_t;
+
+typedef struct {
+ __u16 uh_sport;
+ __u16 uh_dport;
+ __s16 uh_ulen;
+ __u16 uh_sum;
+} udphdr_t;
+
+typedef struct {
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+ defined(vax)
+ __u8 ip_hl:4;
+ __u8 ip_v:4;
+# else
+ __u8 ip_hl:4;
+ __u8 ip_v:4;
+# endif
+ __u8 ip_tos;
+ __u16 ip_len;
+ __u16 ip_id;
+ __u16 ip_off;
+ __u8 ip_ttl;
+ __u8 ip_p;
+ __u16 ip_sum;
+ struct in_addr ip_src;
+ struct in_addr ip_dst;
+} ip_t;
+
+typedef struct {
+ __u8 ether_dhost[6];
+ __u8 ether_shost[6];
+ __u16 ether_type;
+} ether_header_t;
+
+# define bcopy(a,b,c) memmove(b,a,c)
+# define bcmp(a,b,c) memcmp(a,b,c)
+
+# define ifnet device
+
+#else
+
+typedef struct udphdr udphdr_t;
+typedef struct tcphdr tcphdr_t;
+typedef struct ip ip_t;
+typedef struct ether_header ether_header_t;
+
+#endif
+
+#ifdef solaris
+# define bcopy(a,b,c) memmove(b,a,c)
+# define bcmp(a,b,c) memcmp(a,b,c)
+# define bzero(a,b) memset(a,0,b)
+#endif
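Review bot: In the linux `ip_t` definition both branches of the byte-order `#if` declare `ip_hl:4` before `ip_v:4`, so the `# else` branch is a verbatim copy of the little-endian one; the `tcphdr_t` definition just above swaps `th_res`/`th_off` between its branches, which is presumably what was intended here too (`ip_v:4` first in the `# else` branch). The `IPOPT_EOL`/`IPOPT_NOP` guards also appear twice in the file, and the header has no include guard. The copy added under ipsend/.OLD/ip_compat.h later in this diff has the same three issues.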
diff --git a/contrib/ipfilter/ipsd/Makefile b/contrib/ipfilter/ipsd/Makefile
index 37f0327..b9ad044 100644
--- a/contrib/ipfilter/ipsd/Makefile
+++ b/contrib/ipfilter/ipsd/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1997 by Darren Reed.
+# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c
index d72c932..4ed6d70 100644
--- a/contrib/ipfilter/ipsd/ipsd.c
+++ b/contrib/ipfilter/ipsd/ipsd.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1995-1997 Darren Reed.
+ * (C)opyright 1995-1998 Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -37,7 +37,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.0.2.4 1997/09/28 07:13:17 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1 1999/08/04 17:30:56 darrenr Exp $";
#endif
extern char *optarg;
diff --git a/contrib/ipfilter/ipsd/ipsd.h b/contrib/ipfilter/ipsd/ipsd.h
index 27d55ce..1dbe1c4 100644
--- a/contrib/ipfilter/ipsd/ipsd.h
+++ b/contrib/ipfilter/ipsd/ipsd.h
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1995-1997 Darren Reed.
+ * (C)opyright 1995-1998 Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c
index e814bd4..3b95ca0 100644
--- a/contrib/ipfilter/ipsd/ipsdr.c
+++ b/contrib/ipfilter/ipsd/ipsdr.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1995-1997 Darren Reed.
+ * (C)opyright 1995-1998 Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -38,7 +38,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.0.2.3 1997/09/28 07:13:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1 1999/08/04 17:30:57 darrenr Exp $";
#endif
extern char *optarg;
diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h
index b5e710f..61f52b3 100644
--- a/contrib/ipfilter/ipsd/linux.h
+++ b/contrib/ipfilter/ipsd/linux.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c
index 5cb520b..5d128c4 100644
--- a/contrib/ipfilter/ipsd/sbpf.c
+++ b/contrib/ipfilter/ipsd/sbpf.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1995-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c
index c06aa5f..9ec7b3f 100644
--- a/contrib/ipfilter/ipsd/sdlpi.c
+++ b/contrib/ipfilter/ipsd/sdlpi.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c
index 29c7c41..5b2734b 100644
--- a/contrib/ipfilter/ipsd/slinux.c
+++ b/contrib/ipfilter/ipsd/slinux.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c
index ba097f0..3f3aa50 100644
--- a/contrib/ipfilter/ipsd/snit.c
+++ b/contrib/ipfilter/ipsd/snit.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsend/.OLD/ip_compat.h b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
new file mode 100644
index 0000000..c38fa59
--- /dev/null
+++ b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
@@ -0,0 +1,242 @@
+/*
+ * (C)opyright 1995 by Darren Reed.
+ *
+ * This code may be freely distributed as long as it retains this notice
+ * and is not changed in any way. The author accepts no responsibility
+ * for the use of this software. I hate legaleese, don't you ?
+ *
+ * @(#)ip_compat.h 1.2 12/7/95
+ */
+
+/*
+ * These #ifdef's are here mainly for linux, but who knows, they may
+ * not be in other places or maybe one day linux will grow up and some
+ * of these will turn up there too.
+ */
+#ifndef ICMP_UNREACH
+# define ICMP_UNREACH ICMP_DEST_UNREACH
+#endif
+#ifndef ICMP_SOURCEQUENCH
+# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
+#endif
+#ifndef ICMP_TIMXCEED
+# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
+#endif
+#ifndef ICMP_PARAMPROB
+# define ICMP_PARAMPROB ICMP_PARAMETERPROB
+#endif
+#ifndef IPVERSION
+# define IPVERSION 4
+#endif
+#ifndef IPOPT_MINOFF
+# define IPOPT_MINOFF 4
+#endif
+#ifndef IPOPT_COPIED
+# define IPOPT_COPIED(x) ((x)&0x80)
+#endif
+#ifndef IPOPT_EOL
+# define IPOPT_EOL 0
+#endif
+#ifndef IPOPT_NOP
+# define IPOPT_NOP 1
+#endif
+#ifndef IP_MF
+# define IP_MF ((u_short)0x2000)
+#endif
+#ifndef ETHERTYPE_IP
+# define ETHERTYPE_IP ((u_short)0x0800)
+#endif
+#ifndef TH_FIN
+# define TH_FIN 0x01
+#endif
+#ifndef TH_SYN
+# define TH_SYN 0x02
+#endif
+#ifndef TH_RST
+# define TH_RST 0x04
+#endif
+#ifndef TH_PUSH
+# define TH_PUSH 0x08
+#endif
+#ifndef TH_ACK
+# define TH_ACK 0x10
+#endif
+#ifndef TH_URG
+# define TH_URG 0x20
+#endif
+#ifndef IPOPT_EOL
+# define IPOPT_EOL 0
+#endif
+#ifndef IPOPT_NOP
+# define IPOPT_NOP 1
+#endif
+#ifndef IPOPT_RR
+# define IPOPT_RR 7
+#endif
+#ifndef IPOPT_TS
+# define IPOPT_TS 68
+#endif
+#ifndef IPOPT_SECURITY
+# define IPOPT_SECURITY 130
+#endif
+#ifndef IPOPT_LSRR
+# define IPOPT_LSRR 131
+#endif
+#ifndef IPOPT_SATID
+# define IPOPT_SATID 136
+#endif
+#ifndef IPOPT_SSRR
+# define IPOPT_SSRR 137
+#endif
+#ifndef IPOPT_SECUR_UNCLASS
+# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
+#endif
+#ifndef IPOPT_SECUR_CONFID
+# define IPOPT_SECUR_CONFID ((u_short)0xf135)
+#endif
+#ifndef IPOPT_SECUR_EFTO
+# define IPOPT_SECUR_EFTO ((u_short)0x789a)
+#endif
+#ifndef IPOPT_SECUR_MMMM
+# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
+#endif
+#ifndef IPOPT_SECUR_RESTR
+# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
+#endif
+#ifndef IPOPT_SECUR_SECRET
+# define IPOPT_SECUR_SECRET ((u_short)0xd788)
+#endif
+#ifndef IPOPT_SECUR_TOPSECRET
+# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
+#endif
+
+#ifdef linux
+# if LINUX < 0200
+# define icmp icmphdr
+# define icmp_type type
+# define icmp_code code
+# endif
+
+/*
+ * From /usr/include/netinet/ip_var.h
+ * !%@#!$@# linux...
+ */
+struct ipovly {
+ caddr_t ih_next, ih_prev; /* for protocol sequence q's */
+ u_char ih_x1; /* (unused) */
+ u_char ih_pr; /* protocol */
+ short ih_len; /* protocol length */
+ struct in_addr ih_src; /* source internet address */
+ struct in_addr ih_dst; /* destination internet address */
+};
+
+typedef struct {
+ __u16 th_sport;
+ __u16 th_dport;
+ __u32 th_seq;
+ __u32 th_ack;
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+ defined(vax)
+ __u8 th_res:4;
+ __u8 th_off:4;
+#else
+ __u8 th_off:4;
+ __u8 th_res:4;
+#endif
+ __u8 th_flags;
+ __u16 th_win;
+ __u16 th_sum;
+ __u16 th_urp;
+} tcphdr_t;
+
+typedef struct {
+ __u16 uh_sport;
+ __u16 uh_dport;
+ __s16 uh_ulen;
+ __u16 uh_sum;
+} udphdr_t;
+
+typedef struct {
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+ defined(vax)
+ __u8 ip_hl:4;
+ __u8 ip_v:4;
+# else
+ __u8 ip_hl:4;
+ __u8 ip_v:4;
+# endif
+ __u8 ip_tos;
+ __u16 ip_len;
+ __u16 ip_id;
+ __u16 ip_off;
+ __u8 ip_ttl;
+ __u8 ip_p;
+ __u16 ip_sum;
+ struct in_addr ip_src;
+ struct in_addr ip_dst;
+} ip_t;
+
+typedef struct {
+ __u8 ether_dhost[6];
+ __u8 ether_shost[6];
+ __u16 ether_type;
+} ether_header_t;
+
+typedef struct icmp {
+ u_char icmp_type; /* type of message, see below */
+ u_char icmp_code; /* type sub code */
+ u_short icmp_cksum; /* ones complement cksum of struct */
+ union {
+ u_char ih_pptr; /* ICMP_PARAMPROB */
+ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
+ struct ih_idseq {
+ n_short icd_id;
+ n_short icd_seq;
+ } ih_idseq;
+ int ih_void;
+ } icmp_hun;
+#define icmp_pptr icmp_hun.ih_pptr
+#define icmp_gwaddr icmp_hun.ih_gwaddr
+#define icmp_id icmp_hun.ih_idseq.icd_id
+#define icmp_seq icmp_hun.ih_idseq.icd_seq
+#define icmp_void icmp_hun.ih_void
+ union {
+ struct id_ts {
+ n_time its_otime;
+ n_time its_rtime;
+ n_time its_ttime;
+ } id_ts;
+ struct id_ip {
+ ip_t idi_ip;
+ /* options and then 64 bits of data */
+ } id_ip;
+ u_long id_mask;
+ char id_data[1];
+ } icmp_dun;
+#define icmp_otime icmp_dun.id_ts.its_otime
+#define icmp_rtime icmp_dun.id_ts.its_rtime
+#define icmp_ttime icmp_dun.id_ts.its_ttime
+#define icmp_ip icmp_dun.id_ip.idi_ip
+#define icmp_mask icmp_dun.id_mask
+#define icmp_data icmp_dun.id_data
+} icmphdr_t;
+
+# define bcopy(a,b,c) memmove(b,a,c)
+# define bcmp(a,b,c) memcmp(a,b,c)
+
+# define ifnet device
+
+#else
+
+typedef struct udphdr udphdr_t;
+typedef struct tcphdr tcphdr_t;
+typedef struct ip ip_t;
+typedef struct ether_header ether_header_t;
+
+#endif
+
+#if defined(__SVR4) || defined(__svr4__)
+# define bcopy(a,b,c) memmove(b,a,c)
+# define bcmp(a,b,c) memcmp(a,b,c)
+# define bzero(a,b) memset(a,0,b)
+#endif
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c
index 290e676..f19fe5f 100644
--- a/contrib/ipfilter/ipsend/44arp.c
+++ b/contrib/ipfilter/ipsend/44arp.c
@@ -26,6 +26,7 @@
# include <net/if_var.h>
#endif
#include "ipsend.h"
+#include "iplang/iplang.h"
/*
@@ -65,6 +66,11 @@ char *addr, *eaddr;
struct sockaddr_inarp *sin;
struct sockaddr_dl *sdl;
+#ifdef IPSEND
+ if (arp_getipv4(ip, ether) == 0)
+ return 0;
+#endif
+
mib[0] = CTL_NET;
mib[1] = PF_ROUTE;
mib[2] = 0;
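Review bot: The new `#ifdef IPSEND` block returns 0 as soon as `arp_getipv4(ip, ether)` returns 0, with no comment on what that call (presumably from the `iplang/iplang.h` include added in the previous hunk) does with `ether` or what a non-zero return means, so the fall-through to the routing-socket lookup below reads as accidental. A comment such as `/* IPSEND: consult the iplang-supplied table first; fall back to the routing socket on miss */` would make the precedence explicit. The enclosing function starts outside the hunk, so I cannot see where `ip` and `ether` are declared.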
diff --git a/contrib/ipfilter/ipsend/Makefile b/contrib/ipfilter/ipsend/Makefile
index 49fdb67..bb8000f 100644
--- a/contrib/ipfilter/ipsend/Makefile
+++ b/contrib/ipfilter/ipsend/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1997 by Darren Reed.
+# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
@@ -67,7 +67,7 @@ install:
bpf sunos4-bpf :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET" "LLIB=-ll"
+ "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll"
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
"CFLAGS=$(CFLAGS) -DDOSOCKET"
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
@@ -75,7 +75,7 @@ bpf sunos4-bpf :
nit sunos4 sunos4-nit :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET" "LLIB=-ll"
+ "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll"
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
"CFLAGS=$(CFLAGS) -DDOSOCKET"
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
@@ -83,7 +83,8 @@ nit sunos4 sunos4-nit :
dlpi sunos5 :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl" "LLIB=-ll"
+ CFLAGS="$(CFLAGS) -Dsolaris -DIPSEND" "LIBS=-lsocket -lnsl" \
+ "LLIB=-ll"
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
@@ -91,7 +92,7 @@ dlpi sunos5 :
bsd-bpf :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET" "LLIB=-ll"
+ "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll"
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
"CFLAGS=$(CFLAGS) -DDOSOCKET"
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
@@ -99,7 +100,7 @@ bsd-bpf :
linuxrev :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET" $(LINUXK)
+ CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET -DIPSEND" $(LINUXK)
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET" $(LINUXK)
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
@@ -119,7 +120,7 @@ linux20:
ultrix :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS=" "LLIB=-ll"
+ CFLAGS="$(CFLAGS) -DIPSEND" "LIBS=" "LLIB=-ll"
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS)" "LIBS="
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \
@@ -127,7 +128,7 @@ ultrix :
hpux9 :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
+ CFLAGS="$(CFLAGS) -DIPSEND" "LIBS="
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS)" "LIBS="
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
index 27a27c3..e4159fa 100644
--- a/contrib/ipfilter/ipsend/arp.c
+++ b/contrib/ipfilter/ipsend/arp.c
@@ -1,5 +1,5 @@
/*
- * arp.c (C) 1995-1997 Darren Reed
+ * arp.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: arp.c,v 2.0.2.6 1997/09/28 07:13:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: arp.c,v 2.1 1999/08/04 17:31:03 darrenr Exp $";
#endif
#include <stdio.h>
#include <errno.h>
@@ -20,6 +20,7 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.0.2.6 1997/09/28 07:13:25 darren
#include <netdb.h>
#include <netinet/in.h>
#include <net/if.h>
+#include <netinet/if_ether.h>
#ifndef ultrix
#include <net/if_arp.h>
#endif
@@ -27,6 +28,7 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.0.2.6 1997/09/28 07:13:25 darren
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include "ipsend.h"
+#include "iplang/iplang.h"
/*
@@ -71,6 +73,10 @@ char *ether;
struct hostent *hp;
int fd;
+#ifdef IPSEND
+ if (arp_getipv4(ip, ether) == 0)
+ return 0;
+#endif
if (!bcmp(ipsave, ip, 4)) {
bcopy(ethersave, ether, 6);
return 0;
diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c
index e4e5dc3..42078e3 100644
--- a/contrib/ipfilter/ipsend/hpux.c
+++ b/contrib/ipfilter/ipsend/hpux.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1997 Darren Reed. (from tcplog)
+ * (C)opyright 1997-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index 6914924..e81c890 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -1,5 +1,5 @@
/*
- * ip.c (C) 1995-1997 Darren Reed
+ * ip.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.3 1997/12/21 12:17:37 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $";
#endif
#include <errno.h>
#include <stdio.h>
diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1
index 448fa41..ab90471 100644
--- a/contrib/ipfilter/ipsend/ipresend.1
+++ b/contrib/ipfilter/ipsend/ipresend.1
@@ -44,6 +44,7 @@ MTU's without setting them so.
.TP
.BR \-r \0<filename>
Specify the filename from which to take input. Default is stdin.
+.TP
.B \-E
The input file is to be text output from etherfind. The text formats which
are currently supported are those which result from the following etherfind
@@ -91,7 +92,7 @@ option combinations:
.TP
.B \-X
The input file is composed of text descriptions of IP packets.
-.TP
+.DT
.SH SEE ALSO
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c
index 4de8e41..bad0f67 100644
--- a/contrib/ipfilter/ipsend/ipresend.c
+++ b/contrib/ipfilter/ipsend/ipresend.c
@@ -1,5 +1,5 @@
/*
- * ipresend.c (C) 1995-1997 Darren Reed
+ * ipresend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
@@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.0.2.9 1997/10/12 09:48:37 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1 1999/08/04 17:31:05 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h
index a2ff49c..e2f8ff8 100644
--- a/contrib/ipfilter/ipsend/ipsend.h
+++ b/contrib/ipfilter/ipsend/ipsend.h
@@ -1,5 +1,5 @@
/*
- * ipsend.h (C) 1997 Darren Reed
+ * ipsend.h (C) 1997-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
@@ -64,4 +64,6 @@ extern int kmemcpy __P((char *, void *, int));
#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c))
+#ifndef OPT_RAW
#define OPT_RAW 0x80000
+#endif
diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c
index 3c9a21d..2827c77 100644
--- a/contrib/ipfilter/ipsend/ipsopt.c
+++ b/contrib/ipfilter/ipsend/ipsopt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.0.2.10 1997/09/28 07:13:28 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr Exp $";
#endif
#include <stdio.h>
#include <string.h>
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
index 415e4fc..c1f42d2 100644
--- a/contrib/ipfilter/ipsend/iptest.c
+++ b/contrib/ipfilter/ipsend/iptest.c
@@ -1,5 +1,5 @@
/*
- * ipsend.c (C) 1995-1997 Darren Reed
+ * ipsend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
@@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8.2.1 1997/11/28 03:36:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptest.c,v 2.1 1999/08/04 17:31:08 darrenr Exp $";
#endif
#include <stdio.h>
#include <netdb.h>
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 16c830a..0eb263b 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17:38 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1 1999/08/04 17:31:09 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@@ -16,12 +16,18 @@ static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17:
#include <sys/types.h>
#include <sys/time.h>
#include <sys/param.h>
+#define _KERNEL
+#define KERNEL
#if !defined(solaris) && !defined(linux) && !defined(__sgi)
-# define _KERNEL
-# define KERNEL
# include <sys/file.h>
-# undef _KERNEL
-# undef KERNEL
+#else
+# ifdef solaris
+# include <sys/dditypes.h>
+# endif
+#endif
+#undef _KERNEL
+#undef KERNEL
+#if !defined(solaris) && !defined(linux) && !defined(__sgi)
# include <nlist.h>
# include <sys/user.h>
# include <sys/proc.h>
diff --git a/contrib/ipfilter/ipsend/larp.c b/contrib/ipfilter/ipsend/larp.c
index 7d38ddf..d64e701 100644
--- a/contrib/ipfilter/ipsend/larp.c
+++ b/contrib/ipfilter/ipsend/larp.c
@@ -1,5 +1,5 @@
/*
- * larp.c (C) 1995-1997 Darren Reed
+ * larp.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: larp.c,v 2.0.2.3 1997/09/28 07:13:31 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: larp.c,v 2.1 1999/08/04 17:31:10 darrenr Exp $";
#endif
#include <stdio.h>
#include <errno.h>
@@ -19,6 +19,9 @@ static const char rcsid[] = "@(#)$Id: larp.c,v 2.0.2.3 1997/09/28 07:13:31 darre
#include <net/if.h>
#include <net/if_arp.h>
+#include "ip_compat.h"
+#include "iplang/iplang.h"
+
/*
* lookup host and return
* its IP address in address
@@ -59,6 +62,10 @@ char *ether;
struct sockaddr_in *sin;
char *inet_ntoa();
+#ifdef IP_SEND
+ if (arp_getipv4(ip, ether) == 0)
+ return 0;
+#endif
bzero((char *)&ar, sizeof(ar));
sin = (struct sockaddr_in *)&ar.arp_pa;
sin->sin_family = AF_INET;
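Review bot: The guard on the added block reads `#ifdef IP_SEND`, but the Makefile hunks in this same commit define `-DIPSEND` and the equivalent block added to arp.c is `#ifdef IPSEND`, so on the Linux build the `arp_getipv4()` shortcut is never compiled in. Changing the line to `#ifdef IPSEND` makes the three places agree. The enclosing function starts above the hunk.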
diff --git a/contrib/ipfilter/ipsend/linux.h b/contrib/ipfilter/ipsend/linux.h
index c7bb5a5..ae2e05f 100644
--- a/contrib/ipfilter/ipsend/linux.h
+++ b/contrib/ipfilter/ipsend/linux.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1995-1997 by Darren Reed.
+ * Copyright (C) 1995-1998 by Darren Reed.
*
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c
index db81dfd..a430e19 100644
--- a/contrib/ipfilter/ipsend/lsock.c
+++ b/contrib/ipfilter/ipsend/lsock.c
@@ -1,5 +1,5 @@
/*
- * lsock.c (C) 1995-1997 Darren Reed
+ * lsock.c (C) 1995-1998 Darren Reed
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 2.0.2.7 1997/09/28 07:13:32 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1 1999/08/04 17:31:11 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
index dcf7cc7..e4397ce 100644
--- a/contrib/ipfilter/ipsend/resend.c
+++ b/contrib/ipfilter/ipsend/resend.c
@@ -1,5 +1,5 @@
/*
- * resend.c (C) 1995-1997 Darren Reed
+ * resend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
@@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.0.2.12 1997/10/23 11:42:46 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $";
#endif
#include <stdio.h>
#include <netdb.h>
@@ -41,7 +41,7 @@ static const char rcsid[] = "@(#)$Id: resend.c,v 2.0.2.12 1997/10/23 11:42:46 da
extern int opts;
-static u_char buf[65536]; /* 1 big packet */
+static u_char pbuf[65536]; /* 1 big packet */
void printpacket __P((ip_t *));
@@ -95,7 +95,7 @@ char *datain;
if (fd < 0)
exit(-1);
- ip = (struct ip *)buf;
+ ip = (struct ip *)pbuf;
eh = (ether_header_t *)malloc(sizeof(*eh));
bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
@@ -105,7 +105,7 @@ char *datain;
return -2;
}
- while ((i = (*r->r_readip)(buf, sizeof(buf), NULL, NULL)) > 0)
+ while ((i = (*r->r_readip)((char *)pbuf, sizeof(pbuf), NULL, NULL)) > 0)
{
if (!(opts & OPT_RAW)) {
len = ntohs(ip->ip_len);
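Review bot: The new read call stores up to `sizeof(pbuf)` bytes, but the next line already reads `ip->ip_len` out of `pbuf` with no check that `i` covers an IP header, so a truncated record yields a length taken from stale or zeroed bytes of the static buffer. A guard before the `OPT_RAW` test, `if (i < sizeof(*ip)) continue;`, would reject short records, and clamping `len` to `i` where it is computed would keep the frame handed to the sender bounded by what was actually read. The loop body continues past the hunk, so the later use of `len` is inferred from the visible lines.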
@@ -127,7 +127,7 @@ char *datain;
len += sizeof(*eh);
printpacket(ip);
} else {
- eh = (ether_header_t *)buf;
+ eh = (ether_header_t *)pbuf;
len = i;
}
diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c
index 1f181c2..3d797c1 100644
--- a/contrib/ipfilter/ipsend/sdlpi.c
+++ b/contrib/ipfilter/ipsend/sdlpi.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -40,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.0.2.6 1997/10/15 14:49:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c
index a1933e0..5317a90 100644
--- a/contrib/ipfilter/ipsend/sirix.c
+++ b/contrib/ipfilter/ipsend/sirix.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed.
+ * (C)opyright 1992-1998 Darren Reed.
* (C)opyright 1997 Marc Boucher.
*
* Redistribution and use in source and binary forms are permitted
diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c
index 29dbcd9..353f3ad 100644
--- a/contrib/ipfilter/ipsend/slinux.c
+++ b/contrib/ipfilter/ipsend/slinux.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -29,7 +29,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
-static const char rcsid[] = "@(#)$Id: slinux.c,v 2.0.2.6 1997/09/28 07:13:35 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1 1999/08/04 17:31:14 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c
index 65b8e67..40aaae5 100644
--- a/contrib/ipfilter/ipsend/snit.c
+++ b/contrib/ipfilter/ipsend/snit.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -40,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: snit.c,v 2.0.2.4 1997/09/28 07:13:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: snit.c,v 2.1 1999/08/04 17:31:15 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
diff --git a/contrib/ipfilter/ipsend/tcpip.h b/contrib/ipfilter/ipsend/tcpip.h
index d92d9f8..c735593 100644
--- a/contrib/ipfilter/ipsend/tcpip.h
+++ b/contrib/ipfilter/ipsend/tcpip.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcpip.h 8.1 (Berkeley) 6/10/93
- * $Id: tcpip.h,v 2.0.2.3.2.1 1997/11/12 11:01:12 darrenr Exp $
+ * $Id: tcpip.h,v 2.1 1999/08/04 17:31:16 darrenr Exp $
*/
#ifndef _NETINET_TCPIP_H_
diff --git a/contrib/ipfilter/ipsend/ultrix.c b/contrib/ipfilter/ipsend/ultrix.c
index 186d269..ffab2ce 100644
--- a/contrib/ipfilter/ipsend/ultrix.c
+++ b/contrib/ipfilter/ipsend/ultrix.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1997 Darren Reed. (from tcplog)
+ * (C)opyright 1998 Darren Reed. (from tcplog)
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index adf0f91..c87b5b2 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -48,12 +48,14 @@
#include "ip_compat.h"
#include <netinet/tcpip.h>
#include "ip_fil.h"
+#include "ip_nat.h"
+#include "ip_state.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.0.2.12.2.1 1997/11/12 10:58:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.1 1999/08/04 17:30:08 darrenr Exp $";
#endif
extern char *optarg;
@@ -61,6 +63,7 @@ extern struct frentry *ipfilter[2][2];
extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
extern struct ifnet *get_unit __P((char *));
extern void init_ifp __P((void));
+extern ipnat_t *natparse __P((char *, int));
int opts = 0;
int main __P((int, char *[]));
@@ -70,13 +73,13 @@ int argc;
char *argv[];
{
struct ipread *r = &iptext;
- u_long buf[64];
+ u_long buf[2048];
struct ifnet *ifp;
char *rules = NULL, *datain = NULL, *iface = NULL;
ip_t *ip;
int fd, i, dir = 0, c;
- while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1)
+ while ((c = getopt(argc, argv, "bdEHi:I:NoPr:STvX")) != -1)
switch (c)
{
case 'b' :
@@ -106,6 +109,9 @@ char *argv[];
case 'H' :
r = &iphex;
break;
+ case 'N' :
+ opts |= OPT_NAT;
+ break;
case 'P' :
r = &pcap;
break;
@@ -125,12 +131,15 @@ char *argv[];
exit(-1);
}
+ nat_init();
+ fr_stateinit();
initparse();
if (rules) {
- struct frentry *fr;
char line[513], *s;
+ void *fr;
FILE *fp;
+ int linenum = 0;
if (!strcmp(rules, "-"))
fp = stdin;
@@ -141,6 +150,7 @@ char *argv[];
if (!(opts & OPT_BRIEF))
(void)printf("opening rule file \"%s\"\n", rules);
while (fgets(line, sizeof(line)-1, fp)) {
+ linenum++;
/*
* treat both CR and LF as EOL
*/
@@ -157,14 +167,27 @@ char *argv[];
if (!*line)
continue;
- if (!(fr = parse(line)))
- continue;
/* fake an `ioctl' call :) */
- i = IPL_EXTERN(ioctl)(0, SIOCADDFR, (caddr_t)fr, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(SIOCADDFR,%p,1) = %d\n",
- fr, i);
+
+ if ((opts & OPT_NAT) != 0) {
+ if (!(fr = natparse(line, linenum)))
+ continue;
+ i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
+ fr, FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr,
+ "iplioctl(ADNAT,%p,1) = %d\n",
+ fr, i);
+ } else {
+ if (!(fr = parse(line, linenum)))
+ continue;
+ i = IPL_EXTERN(ioctl)(0, SIOCADDFR, fr,
+ FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr,
+ "iplioctl(ADDFR,%p,1) = %d\n",
+ fr, i);
+ }
}
(void)fclose(fp);
}
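Review bot: In both the new ADNAT branch and the rewritten ADDFR branch the result `i` of the `IPL_EXTERN(ioctl)` call is only shown under OPT_DEBUG, so a rule that `natparse()`/`parse()` accepted but the add call rejected silently disappears from the test run. Now that `linenum` is tracked it is cheap to report this unconditionally, e.g. `if (i != 0) fprintf(stderr, "%s: line %d: add failed (%d)\n", rules, linenum, i);` after each call, assuming the shim returns non-zero on failure. The enclosing main() starts above the hunk.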
@@ -186,26 +209,30 @@ char *argv[];
ifp = iface ? get_unit(iface) : NULL;
ip->ip_off = ntohs(ip->ip_off);
ip->ip_len = ntohs(ip->ip_len);
- switch (fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf))
- {
- case -2 :
- (void)printf("auth");
- break;
- case -1 :
- (void)printf("block");
- break;
- case 0 :
- (void)printf("pass");
- break;
- case 1 :
- (void)printf("nomatch");
- break;
- }
+ i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf);
+ if ((opts & OPT_NAT) == 0)
+ switch (i)
+ {
+ case -2 :
+ (void)printf("auth");
+ break;
+ case -1 :
+ (void)printf("block");
+ break;
+ case 0 :
+ (void)printf("pass");
+ break;
+ case 1 :
+ (void)printf("nomatch");
+ break;
+ }
+
if (!(opts & OPT_BRIEF)) {
putchar(' ');
printpacket((ip_t *)buf);
printf("--------------");
- }
+ } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
+ printpacket((ip_t *)buf);
#ifndef linux
if (dir && ifp && ip->ip_v)
# ifdef __sgi
@@ -214,7 +241,8 @@ char *argv[];
(*ifp->if_output)(ifp, (void *)buf, NULL, 0);
# endif
#endif
- putchar('\n');
+ if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
+ putchar('\n');
dir = 0;
}
(*r->r_close)();
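Review bot: With `-N` the verdict that `fr_check()` returns into `i` is computed and then discarded, because the `switch` only runs when OPT_NAT is clear, and nothing in the hunk records that this is intended. A comment above the assignment, such as `/* -N: only the translated packet is shown; the filter verdict is not reported */`, would document the choice, or the verdict could still be printed ahead of the packet when not in brief mode. main() continues past the hunk.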
diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h
index 650700c..9184090 100644
--- a/contrib/ipfilter/ipt.h
+++ b/contrib/ipfilter/ipt.h
@@ -1,22 +1,26 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: ipt.h,v 2.0.2.7 1997/09/28 07:12:00 darrenr Exp $
+ * $Id: ipt.h,v 2.1 1999/08/04 17:30:08 darrenr Exp $
*/
#ifndef __IPT_H__
#define __IPT_H__
-#include <fcntl.h>
-#ifdef __STDC__
-#include <stdarg.h>
-#else
-#include <varargs.h>
+#ifndef __P
+# define P_DEF
+# ifdef __STDC__
+# define __P(x) x
+# else
+# define __P(x) ()
+# endif
#endif
+#include <fcntl.h>
+
struct ipread {
int (*r_open) __P((char *));
@@ -27,4 +31,9 @@ struct ipread {
extern void debug __P((char *, ...));
extern void verbose __P((char *, ...));
+#ifdef P_DEF
+# undef __P
+# undef P_DEF
+#endif
+
#endif /* __IPT_H__ */
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
index 75d8a80..1dd6890 100644
--- a/contrib/ipfilter/kmem.c
+++ b/contrib/ipfilter/kmem.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -20,7 +20,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.0.2.5 1997/10/23 14:50:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.1 1999/08/04 17:30:09 darrenr Exp $";
#endif
static int kmemfd = -1;
@@ -65,3 +65,38 @@ register int n;
}
return 0;
}
+
+int kstrncpy(buf, pos, n)
+register char *buf;
+long pos;
+register int n;
+{
+ register int r;
+
+ if (!n)
+ return 0;
+ if (kmemfd == -1)
+ if (openkmem() == -1)
+ return -1;
+ if (lseek(kmemfd, pos, 0) == -1)
+ {
+ perror("kmemcpy:lseek");
+ return -1;
+ }
+ while (n > 0) {
+ r = read(kmemfd, buf, 1);
+ if (r <= 0)
+ {
+ perror("kmemcpy:read");
+ return -1;
+ }
+ else
+ {
+ if (*buf == '\0')
+ break;
+ buf++;
+ n--;
+ }
+ }
+ return 0;
+}
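Review bot: `kstrncpy()` does not guarantee a terminated string: when `n` bytes are consumed without meeting a NUL the loop simply exits and `buf` is left unterminated, so a caller that prints the result with `%s` reads past its buffer. Keeping the last byte for the terminator and writing it unconditionally after the loop fixes that; the two `perror()` labels also still say `kmemcpy:` and should name `kstrncpy` so failures are attributed to the right routine. Reading the kernel image one byte per `read()` is slow but not wrong, so that is left alone here.
```c
	if (lseek(kmemfd, pos, 0) == -1)
	{
		perror("kstrncpy:lseek");
		return -1;
	}
	while (n > 1) {			/* keep one byte for the terminator */
		r = read(kmemfd, buf, 1);
		if (r <= 0)
		{
			perror("kstrncpy:read");
			return -1;
		}
		/* … unchanged: stop on NUL, else advance buf and decrement n … */
	}
	*buf = '\0';
	return 0;
```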
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
index 13e1f3c..33ba8da 100644
--- a/contrib/ipfilter/kmem.h
+++ b/contrib/ipfilter/kmem.h
@@ -1,10 +1,10 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: kmem.h,v 2.0.2.6 1997/09/28 07:12:02 darrenr Exp $
+ * $Id: kmem.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $
*/
#ifndef __KMEM_H__
@@ -19,7 +19,16 @@
#endif
extern int openkmem __P((void));
extern int kmemcpy __P((char *, long, int));
+extern int kstrncpy __P((char *, long, int));
-#define KMEM "/dev/kmem"
+#if defined(__NetBSD__) || defined(__OpenBSD)
+# include <paths.h>
+#endif
+
+#ifdef _PATH_KMEM
+# define KMEM _PATH_KMEM
+#else
+# define KMEM "/dev/kmem"
+#endif
#endif /* __KMEM_H__ */
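Review bot: The new platform test `#if defined(__NetBSD__) || defined(__OpenBSD)` is never true on OpenBSD, whose compiler predefines `__OpenBSD__` with trailing underscores, so `<paths.h>` is not included there and KMEM silently falls back to the literal `"/dev/kmem"`. Change it to `#if defined(__NetBSD__) || defined(__OpenBSD__)`. The fallback keeps the build working, which is why the typo is easy to miss.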
diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h
index 63f400a..61fd821 100644
--- a/contrib/ipfilter/linux.h
+++ b/contrib/ipfilter/linux.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
* responsibility and is not changed in any way.
*
* I hate legaleese, don't you ?
- * $Id: linux.h,v 2.0.2.4 1997/09/28 07:12:03 darrenr Exp $
+ * $Id: linux.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $
*/
#include <linux/config.h>
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index 972fbf5..5e029de 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1997 by Darren Reed.
+# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1
index 01b5100..f241415 100644
--- a/contrib/ipfilter/man/ipnat.1
+++ b/contrib/ipfilter/man/ipnat.1
@@ -19,11 +19,11 @@ which they appear when given to \fBipnat\fP.
.SH OPTIONS
.TP
.B \-C
-delete all entries in the current NAT listing (NAT rules)
+delete all entries in the current NAT rule listing (NAT rules)
.TP
.B \-F
-delete all active entries in the current NAT table (currently active
-NAT mappings)
+delete all active entries in the current NAT translation table (currently
+active NAT mappings)
.TP
.B \-l
Show the list of current NAT table entry mappings.
@@ -39,7 +39,8 @@ Retrieve and display NAT statistics
Remove matching NAT rules rather than add them to the internal lists
.TP
.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
+Turn verbose mode on. Displays information relating to rule processing
+and active rules/table entries.
.DT
.SH FILES
/dev/ipnat
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 576e9c2..e15fa0d 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -5,14 +5,19 @@ ipnat, ipnat.conf \- IP NAT file format
The format for files accepted by ipnat is described by the following grammar:
.LP
.nf
-ipmap :: = mapit ifname ipmask "->" ipmask [ mapport ] .
+ipmap :: = mapblock | redir | map .
-mapit ::= "map" | "rdr" .
+map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
+mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
+redir ::= "rdr" ifname [ fromspec ] ipmask "->" ip [ ports ] [ tcpudp ] .
+ports ::= "ports" numports | "auto" .
+mapit ::= "map" | "bimap" .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
+fromspec ::= "from" ip "/" ipmask .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } .
+portnumber ::= number { numbers } | "auto" .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
@@ -34,7 +39,63 @@ addresses.
When remapping TCP and UDP packets, it is also possible to change the source
port number. Either TCP or UDP or both can be selected by each rule, with a
range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH Examples
+.SH COMMANDS
+There are found commands recognised by IP Filter's NAT code:
+.TP
+.B map
+that is used for mapping one address or network to another in an unregulated
+round robin fashion;
+.TP
+.B rdr
+that is used for redirecting packets to one IP address and port pair to
+another;
+.TP
+.B bimap
+for setting up bidirectional NAT between an external IP address and an internal
+IP address and
+.TP
+.B map-block
+which sets up static IP address based translation, based on a algorithm to
+squeeze the addresses to be translated into the destination range.
+.SH MATCHING
+.PP
+For basic NAT and redirection of packets, the address subject to change is used
+along with its protocol to check if a packet should be altered. In the case
+of redirects, it is also possible to select packets on a source address basis
+using the \fBfrom\fP keyword, as well as the manditory destination port. The
+packet \fImatching\fP part of the rule is to the left of the "->" in each rule.
+.SH TRANSLATION
+.PP
+To the right of the "->" is the address and port specificaton which will be
+written into the packet providing it has already successful matched the
+prior constraints. The case of redirections (\fBrdr\fP) is the simpliest:
+the new destination address is that specified in the rule. For \fBmap\fP
+rules, the destination address will be one for which the tuple combining
+the new source and destination is known to be unique. If the packet is
+either a TCP or UDP packet, the destination and source ports come into the
+equation too. If the tuple already exists, IP Filter will increment the
+port number first, within the available range specified with \fBportmap\fP
+and if there exists no unique tuple, the source address will be incremented
+within the specified netmask. If a unique tuple cannot be determined, then
+the packet will not be translated. The \fBmap-block\fP is more limited in
+how it searches for a new, free and unique tuple, in that it will used an
+algorithm to determine what the new source address should be, along with the
+range of available ports - the IP address is never changed and nor does the
+port number ever exceed its alloted range.
+.SH KERNEL PROXIES
+.PP
+IP Filter comes with a few, simple, proxies built into the code that is loaded
+into the kernel to allow secondary channels to be opened without forcing the
+packets through a user program.
+.SH TRNSPARENT PROXIES
+.PP
+True transparent proxying should be performed using the redirect (\fBrdr\fP)
+rules directing ports to localhost (127.0.0.1) with the proxy program doing
+a lookup through \fB/dev/ipnat\fP to determine the real source and address
+of the connection.
+.SH EXAMPLES
+.PP
+This section deals with the \fBmap\fP command and it's variations.
.PP
To change IP#'s used internally from network 10 into an ISP provided 8 bit
subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
@@ -61,8 +122,33 @@ map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed.
-.SH FILES
+ICMP, only have their IP# changed. In some instaces, it is more appropriate
+to use the keyword \fBauto\fP in place of an actual range of port numbers if
+you want to guarantee simultaneous access to all within the given range.
+However, in the above case, it would default to 1 port per IP address, since
+we need to squeeze 24 bits of address space into 8. A good example of how
+this is used might be:
+.LP
+.nf
+map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
+.fi
+.PP
+which would result in each IP address being given a small range of ports to
+use (252). The problem here is that the \fBmap\fP directive tells the NAT
+code to use the next address/port pair available for an outgoing connection,
+resulting in no easily discernable relation between external addresses/ports
+and internal ones. This is overcome by using \fBmap-block\fP as follows:
+.LP
+.nf
+map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
+.fi
+.PP
+For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
+with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
+own. As opposed to the above use of \fBmap\fP, if for some reason the user
+of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
+be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
+IP address with the \fBmap\fP command.
/dev/ipnat
.br
/etc/services
diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c
index 082b5d6..bd89be0 100644
--- a/contrib/ipfilter/misc.c
+++ b/contrib/ipfilter/misc.c
@@ -1,10 +1,19 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
+#if (SOLARIS2 >= 7)
+# define _SYS_VARARGS_H
+# define _VARARGS_H
+#endif
+#if defined(__STDC__)
+# include <stdarg.h>
+#else
+# include <varargs.h>
+#endif
#include <stdio.h>
#include <assert.h>
#include <string.h>
@@ -43,7 +52,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: misc.c,v 2.0.2.8.2.1 1997/11/12 10:58:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: misc.c,v 2.1 1999/08/04 17:30:11 darrenr Exp $";
#endif
extern int opts;
@@ -52,26 +61,26 @@ extern int opts;
void printpacket(ip)
ip_t *ip;
{
- struct tcphdr *tcp;
+ tcphdr_t *tcp;
tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
- printf("ip %d(%d) %d ", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
- if (ip->ip_off & 0x1fff)
- printf("@%d", ip->ip_off << 3);
+ printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
+ if (ip->ip_off & IP_OFFMASK)
+ printf(" @%d", ip->ip_off << 3);
(void)printf(" %s", inet_ntoa(ip->ip_src));
- if (!(ip->ip_off & 0x1fff))
+ if (!(ip->ip_off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_sport));
(void)printf(" > ");
(void)printf("%s", inet_ntoa(ip->ip_dst));
- if (!(ip->ip_off & 0x1fff))
+ if (!(ip->ip_off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
(void)printf(",%d", ntohs(tcp->th_dport));
putchar('\n');
}
-#ifdef __STDC__
+#if defined(__STDC__)
void verbose(char *fmt, ...)
#else
void verbose(fmt, va_alist)
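Review bot: The fragment offset printed at `printf(" @%d", ip->ip_off << 3);` shifts the whole `ip_off` field, so the DF/MF flag bits end up in the displayed offset even though the test just above masks them with IP_OFFMASK; `printf(" @%d", (ip->ip_off & IP_OFFMASK) << 3);` prints the offset alone. The local is now declared as `tcphdr_t *tcp` while the assignment still casts to `(struct tcphdr *)`; casting to `(tcphdr_t *)` keeps the two consistent. `tcp` is derived from `ip_hl` and dereferenced for the port fields with no length argument available, so a truncated or corrupt packet handed to printpacket reads past the IP header; if the caller is expected to guarantee a full transport header, a comment above the function saying so would make that precondition explicit. The `verbose` definition that starts at the end of this hunk continues outside it.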
diff --git a/contrib/ipfilter/mkfilters b/contrib/ipfilter/mkfilters
index 53c9a7f..f0e6ff4 100644
--- a/contrib/ipfilter/mkfilters
+++ b/contrib/ipfilter/mkfilters
@@ -1,30 +1,15 @@
#!/usr/local/bin/perl
# for best results, bring up all your interfaces before running this
-open(I, "ifconfig -a|") || die $!;
-while (<I>) {
- chop;
- if (/^[a-zA-Z]+\d+:/) {
- ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
- $ifaces{$iface} = $iface;
- next;
- }
- if (/inet/) {
- if (/\-\-\>/) { # PPP, (SLIP?)
- ($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
- ($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
- } else {
- ($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
- }
- }
- if (/netmask/) {
- ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
- $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
- $netmask{$iface} = $mask;
- }
- if (/broadcast/) {
- ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
- }
+
+if ($^O =~ m/^irix/i)
+{
+ &irix_mkfilters || regular_mkfilters || die $!;
}
+else
+{
+ &regular_mkfilters || irix_mkfilters || die $!;
+}
+
foreach $i (keys %ifaces) {
$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
}
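Review bot: The two fallback expressions `&irix_mkfilters || regular_mkfilters || die $!;` and `&regular_mkfilters || irix_mkfilters || die $!;` do not do what they read as: the second alternative in each is a bare word, and because both subs are only defined later in the file and the script does not use strict, Perl compiles the undeclared bareword as a string constant rather than a call, so it is always true — the fallback never runs and `die` is never reached, leaving `%ifaces` empty with no diagnostic. Use the explicit call form on both lines, `&irix_mkfilters || &regular_mkfilters || die $!;` and `&regular_mkfilters || &irix_mkfilters || die $!;`. Since both helpers `return 0` after a failed `open`, `$!` is probably still that open error, but a fixed message such as `die "mkfilters: cannot run ifconfig: $!";` would tell the user which step failed.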
@@ -71,3 +56,61 @@ foreach $i (keys %ifaces) {
}
}
}
+
+sub irix_mkfilters
+{
+ open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
+
+ while (defined($line = <NETSTAT>))
+ {
+ if ($line =~ m/^Name/)
+ {
+ next;
+ }
+ elsif ($line =~ m/^(\S+)/)
+ {
+ open(I, "/usr/etc/ifconfig $1|") || return 0;
+ &scan_ifconfig;
+ close I; # being neat... - Allen
+ }
+ }
+ close NETSTAT; # again, being neat... - Allen
+ return 1;
+}
+
+sub regular_mkfilters
+{
+ open(I, "ifconfig -a|") || return 0;
+ &scan_ifconfig;
+ close I; # being neat... - Allen
+ return 1;
+}
+
+sub scan_ifconfig
+{
+ while (<I>) {
+ chop;
+ if (/^[a-zA-Z]+\d+:/) {
+ ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
+ $ifaces{$iface} = $iface;
+ next;
+ }
+ if (/inet/) {
+ if (/\-\-\>/) { # PPP, (SLIP?)
+ ($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
+ ($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
+ } else {
+ ($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
+ }
+ }
+ if (/netmask/) {
+ ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
+ $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
+ $netmask{$iface} = $mask;
+ }
+ if (/broadcast/) {
+ ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
+ }
+ }
+}
+
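Review bot: In irix_mkfilters the interface name captured by `m/^(\S+)/` from netstat output is interpolated unquoted into a shell pipeline at `open(I, "/usr/etc/ifconfig $1|")`; names from netstat on the local host are ordinarily plain alphanumerics, but `\S+` accepts any non-blank text, so copying and checking the capture first — `$ifn = $1;`, `next unless $ifn =~ /^[A-Za-z0-9]+$/;`, `open(I, "/usr/etc/ifconfig $ifn|") || return 0;` — confines what reaches the shell. If that inner `open` fails the sub returns 0 with `NETSTAT` still open and `%ifaces` partly filled; closing NETSTAT before the `return 0` keeps the fallback path clean. scan_ifconfig reads the global handle `I` that its callers opened, which is not visible from its body; a comment above `sub scan_ifconfig` such as `# reads ifconfig output from filehandle I (opened by caller); fills %ifaces, %inet, %ppp, %netmask, %bcast` would make that contract explicit.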
diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c
index 430cb9e..4408a75 100644
--- a/contrib/ipfilter/ml_ipl.c
+++ b/contrib/ipfilter/ml_ipl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index 3cda6c1..ef4b00f 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -23,17 +23,20 @@
#endif
#include <sys/systm.h>
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+# ifndef ACTUALLY_LKM_NOT_KERNEL
+# include "opt_devfs.h"
+# endif
# include <sys/conf.h>
# include <sys/kernel.h>
# ifdef DEVFS
# include <sys/devfsext.h>
-# if defined(IPFILTER) && defined(_KERNEL)
-# include "opt_devfs.h"
-# endif
# endif /*DEVFS*/
#endif
#include <sys/conf.h>
#include <sys/file.h>
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/lock.h>
+#endif
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/uio.h>
@@ -47,6 +50,9 @@
#if BSD >= 199506
# include <sys/sysctl.h>
#endif
+#if (__FreeBSD_version >= 300000)
+# include <sys/socket.h>
+#endif
#if (__FreeBSD_version >= 199511)
#include <net/if.h>
#include <netinet/in_systm.h>
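Review bot: The new test `#if (__FreeBSD_version >= 300000)` omits the `defined(__FreeBSD_version) &&` guard that the file's other version tests use, including the `>= 220000` and `>= 300000` checks added in the include section a few lines earlier; an undefined macro evaluates to 0 in `#if`, so the result is the same, but the mixed forms suggest the guard matters somewhere and the unguarded form warns under `-Wundef` on non-FreeBSD builds. The same unguarded form appears in this file's later hunks at the `ipl_cdevsw` initializer, in `if_ipl_remove`, `if_ipl_load`, the `MOD_DEV` selection and `if_ipl`. Either write `#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)` throughout or drop the guard everywhere.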
@@ -78,31 +84,8 @@
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
-extern int lkmenodev __P((void));
-
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-static int if_ipl_unload __P((struct lkm_table *, int));
-static int if_ipl_load __P((struct lkm_table *, int));
-static int if_ipl_remove __P((void));
int xxxinit __P((struct lkm_table *, int, int));
-
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- (void *)nullop, /* write */
- iplioctl, /* ioctl */
- (void *)nullop, /* stop */
- (void *)nullop, /* reset */
- (void *)NULL, /* tty */
- (void *)nullop, /* select */
- (void *)nullop, /* mmap */
- NULL /* strategy */
-};
-
#ifdef SYSCTL_INT
SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
@@ -139,32 +122,58 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
#endif
#ifdef DEVFS
-void *ipf_devfs[IPL_LOGMAX + 1];
+static void *ipf_devfs[IPL_LOGMAX + 1];
#endif
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
int ipl_major = 0;
+static struct cdevsw ipldevsw =
+{
+ iplopen, /* open */
+ iplclose, /* close */
+ iplread, /* read */
+ (void *)nullop, /* write */
+ iplioctl, /* ioctl */
+ (void *)nullop, /* stop */
+ (void *)nullop, /* reset */
+ (void *)NULL, /* tty */
+ (void *)nullop, /* select */
+ (void *)nullop, /* mmap */
+ NULL /* strategy */
+};
+
MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
extern struct cdevsw cdevsw[];
extern int vd_unuseddev __P((void));
extern int nchrdev;
#else
-int ipl_major = CDEV_MAJOR;
static struct cdevsw ipl_cdevsw = {
iplopen, iplclose, iplread, nowrite, /* 79 */
iplioctl, nostop, noreset, nodevtotty,
+#if (__FreeBSD_version >= 300000)
+ seltrue, nommap, nostrategy, "ipl",
+#else
noselect, nommap, nostrategy, "ipl",
+#endif
NULL, -1
};
#endif
+static void ipl_drvinit __P((void *));
+
+#ifdef ACTUALLY_LKM_NOT_KERNEL
+static int if_ipl_unload __P((struct lkm_table *, int));
+static int if_ipl_load __P((struct lkm_table *, int));
+static int if_ipl_remove __P((void));
+static int ipl_major = CDEV_MAJOR;
static int iplaction __P((struct lkm_table *, int));
-static void ipl_drvinit __P((void *));
+static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, NULL };
+extern int lkmenodev __P((void));
static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
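Review bot: `iplaction`, `if_ipl_load`/`if_ipl_unload`/`if_ipl_remove`, `ipf_devfiles` and the `>= 220000` `ipl_major` now exist only inside `#ifdef ACTUALLY_LKM_NOT_KERNEL` (closed at `#endif /* actually LKM */` in a later hunk), yet the dispatch entry points further down — `xxxinit` under `__FreeBSD_version < 220000` and `if_ipl` under `IPFILTER_LKM` — still pass `iplaction` to DISPATCH/MOD_DISPATCH. The build therefore relies on those conditions always implying `ACTUALLY_LKM_NOT_KERNEL`; nothing visible states that relationship, and if it does not hold the references become undeclared identifiers. A comment at the `#ifdef`, along the lines of `/* ACTUALLY_LKM_NOT_KERNEL: building the loadable module itself; IPFILTER_LKM builds must define it */` with the wording adjusted to where the macro is actually set, would pin the assumption for the next reader.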
@@ -206,7 +215,7 @@ int cmd;
if (!err) {
printf("IP Filter: unloaded from slot %d\n",
ipl_major);
-# ifdef DEVFS
+#ifdef DEVFS
if (ipf_devfs[IPL_LOGIPF])
devfs_remove_dev(ipf_devfs[IPL_LOGIPF]);
if (ipf_devfs[IPL_LOGNAT])
@@ -215,7 +224,7 @@ int cmd;
devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]);
if (ipf_devfs[IPL_LOGAUTH])
devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]);
-# endif
+#endif
}
return err;
case LKM_E_STAT :
@@ -239,9 +248,22 @@ static int if_ipl_remove __P((void))
if ((error = namei(&nd)))
return (error);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
+#if (__FreeBSD_version >= 300000)
+ VOP_LOCK(nd.ni_vp, LK_RETRY | LK_EXCLUSIVE, curproc);
+ VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
+ (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
+
+ if (nd.ni_dvp == nd.ni_vp)
+ vrele(nd.ni_dvp);
+ else
+ vput(nd.ni_dvp);
+ if (nd.ni_vp != NULLVP)
+ vput(nd.ni_vp);
+#else
VOP_LOCK(nd.ni_vp);
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
+#endif
}
return 0;
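Review bot: Both branches discard the result of `VOP_REMOVE` with a `(void)` cast and the function then falls through to `return 0;`, so a device node that could not be unlinked is reported as successfully removed and whatever calls if_ipl_remove cannot tell; `error` is already in scope from the `namei` call, so `error = VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);` followed by `if (error) return error;` after each branch's release code would surface it. mln_ipl.c's `ipl_remove` (hunk `@@ -182,7 +195,11 @@`) keeps the same `(void) VOP_REMOVE`. The new `>= 300000` branch releases `nd.ni_dvp` and `nd.ni_vp` itself while the `#else` branch releases neither, presumably because the pre-3.0 VOP_REMOVE did so internally; a one-line comment on the `#else` stating that would stop the next reader from suspecting a vnode leak. The start of if_ipl_remove lies outside this hunk.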
@@ -294,12 +316,16 @@ int cmd;
vattr.va_rdev = (ipl_major << 8) | i;
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
+#if (__FreeBSD_version >= 300000)
+ vput(nd.ni_dvp);
+#endif
if (error)
return error;
}
return 0;
}
+#endif /* actually LKM */
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
/*
@@ -322,10 +348,13 @@ int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
-#else
+#else /* __FREEBSD_version >= 220000 */
# ifdef IPFILTER_LKM
# include <sys/exec.h>
+# if (__FreeBSD_version >= 300000)
+MOD_DEV(if_ipl, LM_DT_CHAR, CDEV_MAJOR, &ipl_cdevsw);
+# else
MOD_DECL(if_ipl);
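Review bot: The new trailing comment `#else /* __FREEBSD_version >= 220000 */` misspells the macro it documents — the conditional it closes tests `__FreeBSD_version` — and this is exactly the annotation a reader greps for when untangling the version branches. Write `#else /* __FreeBSD_version >= 220000 */` so the name matches the macro.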
@@ -337,6 +366,7 @@ static struct lkm_dev _module = {
LM_DT_CHAR,
{ (void *)&ipl_cdevsw }
};
+# endif
int if_ipl __P((struct lkm_table *, int, int));
@@ -346,9 +376,13 @@ int if_ipl(lkmtp, cmd, ver)
struct lkm_table *lkmtp;
int cmd, ver;
{
+# if (__FreeBSD_version >= 300000)
+ MOD_DISPATCH(if_ipl, lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+# else
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+# endif
}
-# endif
+# endif /* IPFILTER_LKM */
static ipl_devsw_installed = 0;
static void ipl_drvinit __P((void *unused))
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
index e4490c3..dce52fc 100644
--- a/contrib/ipfilter/mli_ipl.c
+++ b/contrib/ipfilter/mli_ipl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
* (C)opyright 1997 by Marc Boucher.
*
* Redistribution and use in source and binary forms are permitted
@@ -49,7 +49,7 @@ unsigned IPL_EXTERN(devflag) = D_MP;
char *IPL_EXTERN(mversion) = M_VERSION;
#endif
-kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
+kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw;
kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **));
@@ -80,12 +80,12 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
{
nif_t *nif;
- MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
for (nif = nif_head; nif; nif = nif->nf_next)
if (nif->nf_ifp == ifp)
break;
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
if (!nif) {
printf("IP Filter: ipl_if_output intf %x NOT FOUND\n", ifp);
return ENETDOWN;
@@ -217,7 +217,7 @@ ipfilterattach(void)
if (!addr_fk)
return ESRCH;
- MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
ipff_addr = (int *)addr_ff;
@@ -245,7 +245,7 @@ ipfilterattach(void)
*ipff_addr = 1; /* enable ipfilter_kernel */
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
#else
extern int ipfilterflag;
@@ -266,7 +266,7 @@ nifattach()
struct frentry *f;
ipnat_t *np;
- MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
for (ifp = ifnet; ifp; ifp = ifp->if_next) {
if ((!(ifp->if_flags & IFF_RUNNING)) ||
@@ -291,7 +291,7 @@ nifattach()
printf("IP Filter: nifattach nif %x opt %x\n",
ifp, ifp->if_output);
#endif
- KMALLOC(nif, nif_t *, sizeof(*nif));
+ KMALLOC(nif, nif_t *);
if (!nif) {
printf("IP Filter: malloc(%d) for nif_t failed\n",
sizeof(nif_t));
@@ -351,7 +351,7 @@ nifattach()
nif_interfaces = in_interfaces;
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
return;
}
@@ -368,7 +368,7 @@ ipfsync(void)
register nif_t *nif, **qp;
register struct ifnet *ifp;
- MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
for (qp = &nif_head; (nif = *qp); ) {
for (ifp = ifnet; ifp; ifp = ifp->if_next)
if ((nif->nf_ifp == ifp) &&
@@ -403,7 +403,7 @@ ipfsync(void)
KFREE(nif);
nif = *qp;
}
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
nifattach();
@@ -420,7 +420,7 @@ nifdetach()
nif_t *nif, *qf2, **qp;
struct ifnet *ifp;
- MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
/*
* Make two passes, first get rid of all the unknown devices, next
* unlink known devices.
@@ -455,7 +455,7 @@ nifdetach()
}
KFREE(nif);
}
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
return;
}
@@ -465,7 +465,7 @@ static void
ipfilterdetach(void)
{
#ifdef IPFILTER_LKM
- MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
if (ipff_addr) {
*ipff_addr = 0;
@@ -476,7 +476,7 @@ ipfilterdetach(void)
*ipff_addr = ipff_value;
}
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
#else
extern int ipfilterflag;
@@ -514,13 +514,13 @@ ipfilter_sgi_attach(void)
void
ipfilter_sgi_intfsync(void)
{
- MUTEX_ENTER(&ipfs_mutex);
+ MUTEX_ENTER(&ipfi_mutex);
if (nif_interfaces != in_interfaces) {
/* if the number of interfaces has changed, resync */
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
ipfsync();
} else
- MUTEX_EXIT(&ipfs_mutex);
+ MUTEX_EXIT(&ipfi_mutex);
}
#ifdef IPFILTER_LKM
@@ -536,13 +536,14 @@ IPL_EXTERN(unload)(void)
error = ipldetach();
LOCK_DEALLOC(ipl_mutex.l);
+ LOCK_DEALLOC(ipf_rw.l);
LOCK_DEALLOC(ipf_auth.l);
LOCK_DEALLOC(ipf_natfrag.l);
LOCK_DEALLOC(ipf_nat.l);
LOCK_DEALLOC(ipf_state.l);
LOCK_DEALLOC(ipf_frag.l);
LOCK_DEALLOC(ipf_mutex.l);
- LOCK_DEALLOC(ipfs_mutex.l);
+ LOCK_DEALLOC(ipfi_mutex.l);
return error;
}
@@ -555,17 +556,19 @@ IPL_EXTERN(init)(void)
int error;
#endif
- ipfs_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- if (!ipfs_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l ||
- !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipl_mutex.l)
+ if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l ||
+ !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l ||
+ !ipl_mutex.l)
panic("IP Filter: LOCK_ALLOC failed");
#ifdef IPFILTER_LKM
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
index 7f2166e..47ed9e5 100644
--- a/contrib/ipfilter/mln_ipl.c
+++ b/contrib/ipfilter/mln_ipl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -66,8 +66,12 @@ extern int lkmenodev __P((void));
#if NetBSD >= 199706
int if_ipl_lkmentry __P((struct lkm_table *, int, int));
#else
+#if defined(OpenBSD)
+int if_ipl __P((struct lkm_table *, int, int));
+#else
int xxxinit __P((struct lkm_table *, int, int));
#endif
+#endif
static int ipl_unload __P((void));
static int ipl_load __P((void));
static int ipl_remove __P((void));
@@ -100,7 +104,9 @@ struct cdevsw ipldevsw =
(void *)nullop, /* write */
iplioctl, /* ioctl */
(void *)nullop, /* stop */
+#ifndef OpenBSD
(void *)nullop, /* reset */
+#endif
(void *)NULL, /* tty */
(void *)nullop, /* select */
(void *)nullop, /* mmap */
@@ -119,14 +125,21 @@ extern int nchrdev;
#if NetBSD >= 199706
int if_ipl_lkmentry(lkmtp, cmd, ver)
#else
+#if defined(OpenBSD)
+int if_ipl(lkmtp, cmd, ver)
+#else
int xxxinit(lkmtp, cmd, ver)
#endif
+#endif
struct lkm_table *lkmtp;
int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
+#ifdef OpenBSD
+int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
+#endif
static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
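Review bot: The new OpenBSD conditionals in this hunk switch between `#if defined(OpenBSD)` for the entry-point name and `#ifdef OpenBSD` for the `lkmexists` prototype, and the entry-point selection nests a second `#if`/`#else`/`#endif` inside the `#else` of the NetBSD test; the prototype block in hunk `@@ -66,8 +66,12 @@` has the same nesting. One form throughout, e.g. `#elif defined(OpenBSD)` replacing the inner `#else` + `#if defined(OpenBSD)` with the extra `#endif` dropped, reads more easily and keeps the two declaration sites parallel. The hand-written `int lkmexists __P((struct lkm_table *));` duplicates a kernel prototype; if OpenBSD exports it from a header, that is the safer source, since a copied prototype diverges silently when the kernel signature changes — the comment already points at kern_lkm.c, so this may be a deliberate workaround worth saying so explicitly.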
@@ -182,7 +195,11 @@ static int ipl_remove()
if ((error = namei(&nd)))
return (error);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
+#ifdef OpenBSD
+ VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc);
+#else
vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
+#endif
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
}
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
index dc91037..58f2ded 100644
--- a/contrib/ipfilter/mls_ipl.c
+++ b/contrib/ipfilter/mls_ipl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -42,7 +42,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.0.2.9 1997/09/28 07:12:07 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.1 1999/08/04 17:30:14 darrenr Exp $";
#endif
extern int ipldetach __P((void));
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
new file mode 100644
index 0000000..9c08be7
--- /dev/null
+++ b/contrib/ipfilter/natparse.c
@@ -0,0 +1,793 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#if !defined(__SVR4) && !defined(__svr4__)
+#include <strings.h>
+#else
+#include <sys/byteorder.h>
+#endif
+#include <sys/time.h>
+#include <sys/param.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
+# include <sys/ioccom.h>
+# include <sys/sysmacros.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
+#include <netdb.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <ctype.h>
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+
+#if defined(sun) && !SOLARIS2
+# define STRERROR(x) sys_errlist[x]
+extern char *sys_errlist[];
+#else
+# define STRERROR(x) strerror(x)
+#endif
+
+#if !defined(lint)
+static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
+static const char rcsid[] = "@(#)$Id: natparse.c,v 1.2 1999/08/01 11:17:18 darrenr Exp $";
+#endif
+
+
+#if SOLARIS
+#define bzero(a,b) memset(a,0,b)
+#endif
+
+extern int countbits __P((u_32_t));
+extern u_32_t hostnum __P((char *, int *, int));
+
+ipnat_t *natparse __P((char *, int));
+void printnat __P((ipnat_t *, int, void *));
+void natparsefile __P((int, char *, int));
+u_32_t n_hostmask __P((char *));
+u_short n_portnum __P((char *, char *, int));
+void nat_setgroupmap __P((struct ipnat *));
+
+#define OPT_REM 1
+#define OPT_NODO 2
+#define OPT_STAT 4
+#define OPT_LIST 8
+#define OPT_VERBOSE 16
+#define OPT_FLUSH 32
+#define OPT_CLEAR 64
+
+
+void printnat(np, verbose, ptr)
+ipnat_t *np;
+int verbose;
+void *ptr;
+{
+ struct protoent *pr;
+ struct servent *sv;
+ int bits;
+
+ switch (np->in_redir)
+ {
+ case NAT_REDIRECT :
+ printf("rdr ");
+ break;
+ case NAT_MAP :
+ printf("map ");
+ break;
+ case NAT_MAPBLK :
+ printf("map-block ");
+ break;
+ case NAT_BIMAP :
+ printf("bimap ");
+ break;
+ default :
+ fprintf(stderr, "unknown value for in_redir: %#x\n",
+ np->in_redir);
+ break;
+ }
+
+ if (np->in_redir == NAT_REDIRECT) {
+ printf("%s ", np->in_ifname);
+ if (np->in_src[0].s_addr || np->in_src[1].s_addr) {
+ printf("from %s",inet_ntoa(np->in_src[0]));
+ bits = countbits(np->in_src[1].s_addr);
+ if (bits != -1)
+ printf("/%d ", bits);
+ else
+ printf("/%s ", inet_ntoa(np->in_src[1]));
+ }
+ printf("%s",inet_ntoa(np->in_out[0]));
+ bits = countbits(np->in_out[1].s_addr);
+ if (bits != -1)
+ printf("/%d ", bits);
+ else
+ printf("/%s ", inet_ntoa(np->in_out[1]));
+ if (np->in_pmin)
+ printf("port %d ", ntohs(np->in_pmin));
+ printf("-> %s", inet_ntoa(np->in_in[0]));
+ if (np->in_pnext)
+ printf(" port %d", ntohs(np->in_pnext));
+ if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+ printf(" tcp/udp");
+ else if ((np->in_flags & IPN_TCP) == IPN_TCP)
+ printf(" tcp");
+ else if ((np->in_flags & IPN_UDP) == IPN_UDP)
+ printf(" udp");
+ printf("\n");
+ if (verbose)
+ printf("\t%p %lu %x %u %p %d\n", np->in_ifp,
+ np->in_space, np->in_flags, np->in_pnext, np,
+ np->in_use);
+ } else {
+ np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
+ printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
+ bits = countbits(np->in_in[1].s_addr);
+ if (bits != -1)
+ printf("%d ", bits);
+ else
+ printf("%s", inet_ntoa(np->in_in[1]));
+ printf(" -> ");
+ if (np->in_flags & IPN_RANGE) {
+ printf("range %s-", inet_ntoa(np->in_out[0]));
+ printf("%s", inet_ntoa(np->in_out[1]));
+ } else {
+ printf("%s/", inet_ntoa(np->in_out[0]));
+ bits = countbits(np->in_out[1].s_addr);
+ if (bits != -1)
+ printf("%d ", bits);
+ else
+ printf("%s", inet_ntoa(np->in_out[1]));
+ }
+ if (*np->in_plabel) {
+ pr = getprotobynumber(np->in_p);
+ printf(" proxy port");
+ if (np->in_dport != 0) {
+ if (pr != NULL)
+ sv = getservbyport(np->in_dport,
+ pr->p_name);
+ else
+ sv = getservbyport(np->in_dport, NULL);
+ if (sv != NULL)
+ printf(" %s", sv->s_name);
+ else
+ printf(" %hu", ntohs(np->in_dport));
+ }
+ printf(" %.*s/", (int)sizeof(np->in_plabel),
+ np->in_plabel);
+ if (pr != NULL)
+ fputs(pr->p_name, stdout);
+ else
+ printf("%d", np->in_p);
+ } else if (np->in_redir == NAT_MAPBLK) {
+ printf(" ports %d", np->in_pmin);
+ if (verbose)
+ printf("\n\tip modulous %d", np->in_pmax);
+ } else if (np->in_pmin || np->in_pmax) {
+ printf(" portmap");
+ if (np->in_flags & IPN_AUTOPORTMAP) {
+ printf(" auto");
+ if (verbose)
+ printf(" [%d:%d %d %d]",
+ ntohs(np->in_pmin),
+ ntohs(np->in_pmax),
+ np->in_ippip, np->in_ppip);
+ } else {
+ if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+ printf(" tcp/udp");
+ else if (np->in_flags & IPN_TCP)
+ printf(" tcp");
+ else if (np->in_flags & IPN_UDP)
+ printf(" udp");
+ printf(" %d:%d", ntohs(np->in_pmin),
+ ntohs(np->in_pmax));
+ }
+ }
+ printf("\n");
+ if (verbose) {
+ printf("\tifp %p space %lu nextip %s pnext %d",
+ np->in_ifp, np->in_space,
+ inet_ntoa(np->in_nextip), np->in_pnext);
+ printf(" flags %x use %u\n",
+ np->in_flags, np->in_use);
+ }
+ }
+}
+
+
+void nat_setgroupmap(n)
+ipnat_t *n;
+{
+ if (n->in_outmsk == n->in_inmsk)
+ n->in_ippip = 1;
+ else if (n->in_flags & IPN_AUTOPORTMAP) {
+ n->in_ippip = ~ntohl(n->in_inmsk);
+ if (n->in_outmsk != 0xffffffff)
+ n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
+ n->in_ippip++;
+ if (n->in_ippip == 0)
+ n->in_ippip = 1;
+ n->in_ppip = USABLE_PORTS / n->in_ippip;
+ } else {
+ n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
+ n->in_nip = 0;
+ if (!(n->in_ppip = n->in_pmin))
+ n->in_ppip = 1;
+ n->in_ippip = USABLE_PORTS / n->in_ppip;
+ }
+}
+
+
+
+ipnat_t *natparse(line, linenum)
+char *line;
+int linenum;
+{
+ struct protoent *pr;
+ static ipnat_t ipn;
+ char *s, *t;
+ char *shost, *snetm, *dhost, *proto, *srchost, *srcnetm;
+ char *dnetm = NULL, *dport = NULL, *tport = NULL;
+ int resolved;
+
+ srchost = NULL;
+ srcnetm = NULL;
+
+ bzero((char *)&ipn, sizeof(ipn));
+ if ((s = strchr(line, '\n')))
+ *s = '\0';
+ if ((s = strchr(line, '#')))
+ *s = '\0';
+ if (!*line)
+ return NULL;
+ if (!(s = strtok(line, " \t")))
+ return NULL;
+ if (!strcasecmp(s, "map"))
+ ipn.in_redir = NAT_MAP;
+ else if (!strcasecmp(s, "map-block"))
+ ipn.in_redir = NAT_MAPBLK;
+ else if (!strcasecmp(s, "rdr"))
+ ipn.in_redir = NAT_REDIRECT;
+ else if (!strcasecmp(s, "bimap"))
+ ipn.in_redir = NAT_BIMAP;
+ else {
+ fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
+ linenum, s);
+ return NULL;
+ }
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "%d: missing fields (interface)\n",
+ linenum);
+ return NULL;
+ }
+
+ strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1);
+ ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "%d: missing fields (%s)\n", linenum,
+ ipn.in_redir ? "from source | destination" : "source");
+ return NULL;
+ }
+
+ if ((ipn.in_redir == NAT_REDIRECT) && !strcasecmp(s, "from")) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (source address)\n",
+ linenum);
+ return NULL;
+ }
+
+ srchost = s;
+ srcnetm = strrchr(srchost, '/');
+
+ if (srcnetm == NULL) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (source netmask)\n",
+ linenum);
+ return NULL;
+ }
+
+ if (strcasecmp(s, "netmask")) {
+ fprintf(stderr,
+ "%d: missing fields (netmask)\n",
+ linenum);
+ return NULL;
+ }
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (source netmask)\n",
+ linenum);
+ return NULL;
+ }
+ srcnetm = s;
+ }
+ if (*srcnetm == '/')
+ *srcnetm++ = '\0';
+
+ /* re read the next word -- destination */
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (destination)\n", linenum);
+ return NULL;
+ }
+
+ }
+
+ shost = s;
+
+ if (ipn.in_redir == NAT_REDIRECT) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (destination port)\n",
+ linenum);
+ return NULL;
+ }
+
+ if (strcasecmp(s, "port")) {
+ fprintf(stderr, "%d: missing fields (port)\n", linenum);
+ return NULL;
+ }
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (destination port)\n",
+ linenum);
+ return NULL;
+ }
+
+ dport = s;
+ }
+
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "%d: missing fields (->)\n", linenum);
+ return NULL;
+ }
+ if (!strcmp(s, "->")) {
+ snetm = strrchr(shost, '/');
+ if (!snetm) {
+ fprintf(stderr,
+ "%d: missing fields (%s netmask)\n", linenum,
+ ipn.in_redir ? "destination" : "source");
+ return NULL;
+ }
+ } else {
+ if (strcasecmp(s, "netmask")) {
+ fprintf(stderr, "%d: missing fields (netmask)\n",
+ linenum);
+ return NULL;
+ }
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (%s netmask)\n", linenum,
+ ipn.in_redir ? "destination" : "source");
+ return NULL;
+ }
+ snetm = s;
+ }
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "%d: missing fields (%s)\n",
+ linenum, ipn.in_redir ? "destination":"target");
+ return NULL;
+ }
+
+ if (ipn.in_redir == NAT_MAP) {
+ if (!strcasecmp(s, "range")) {
+ ipn.in_flags |= IPN_RANGE;
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "%d: missing fields (%s)\n",
+ linenum,
+ ipn.in_redir ? "destination":"target");
+ return NULL;
+ }
+ }
+ }
+ dhost = s;
+
+ if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
+ if (ipn.in_flags & IPN_RANGE) {
+ dnetm = strrchr(dhost, '-');
+ if (dnetm == NULL) {
+ if (!(s = strtok(NULL, " \t")))
+ dnetm = NULL;
+ else {
+ if (strcmp(s, "-"))
+ s = NULL;
+ else if ((s = strtok(NULL, " \t"))) {
+ dnetm = s;
+ }
+ }
+ } else
+ *dnetm++ = '\0';
+ if (dnetm == NULL || *dnetm == '\0') {
+ fprintf(stderr,
+ "%d: desination range not specified\n",
+ linenum);
+ return NULL;
+ }
+ } else {
+ dnetm = strrchr(dhost, '/');
+ if (dnetm == NULL) {
+ if (!(s = strtok(NULL, " \t")))
+ dnetm = NULL;
+ else if (!strcasecmp(s, "netmask"))
+ if ((s = strtok(NULL, " \t")) != NULL)
+ dnetm = s;
+ }
+ if (dnetm == NULL) {
+ fprintf(stderr,
+ "%d: missing fields (dest netmask)\n",
+ linenum);
+ return NULL;
+ }
+ if (*dnetm == '/')
+ *dnetm++ = '\0';
+ }
+ s = strtok(NULL, " \t");
+ }
+
+ if (ipn.in_redir & NAT_MAPBLK) {
+ if (s && strcasecmp(s, "ports")) {
+ fprintf(stderr,
+ "%d: expected \"ports\" - got \"%s\"\n",
+ linenum, s);
+ return NULL;
+ }
+ if (s != NULL) {
+ if ((s = strtok(NULL, " \t")) == NULL)
+ return NULL;
+ ipn.in_pmin = atoi(s);
+ s = strtok(NULL, " \t");
+ } else
+ ipn.in_pmin = 0;
+ } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
+ if (strrchr(dhost, '/') != NULL) {
+ fprintf(stderr, "%d: No netmask supported in %s\n",
+ linenum, "destination host for redirect");
+ return NULL;
+ }
+ /* If it's a in_redir, expect target port */
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (destination port)\n",
+ linenum);
+ return NULL;
+ }
+
+ if (strcasecmp(s, "port")) {
+ fprintf(stderr, "%d: missing fields (port)\n",
+ linenum);
+ return NULL;
+ }
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing fields (destination port)\n",
+ linenum);
+ return NULL;
+ }
+ tport = s;
+ }
+ if (dnetm && *dnetm == '/')
+ *dnetm++ = '\0';
+ if (snetm && *snetm == '/')
+ *snetm++ = '\0';
+
+ if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
+ ipn.in_inip = hostnum(shost, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ ipn.in_inmsk = n_hostmask(snetm);
+ ipn.in_outip = hostnum(dhost, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ if (ipn.in_flags & IPN_RANGE) {
+ ipn.in_outmsk = hostnum(dnetm, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ } else
+ ipn.in_outmsk = n_hostmask(dnetm);
+ if (srchost) {
+ ipn.in_srcip = hostnum(srchost, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ }
+ if (srcnetm)
+ ipn.in_srcmsk = n_hostmask(srcnetm);
+ } else {
+ if (srchost) {
+ ipn.in_srcip = hostnum(srchost, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ }
+ if (srcnetm)
+ ipn.in_srcmsk = n_hostmask(srcnetm);
+ ipn.in_inip = hostnum(dhost, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ ipn.in_inmsk = n_hostmask("255.255.255.255");
+ ipn.in_outip = hostnum(shost, &resolved, linenum);
+ if (resolved == -1)
+ return NULL;
+ ipn.in_outmsk = n_hostmask(snetm);
+ if (!(s = strtok(NULL, " \t"))) {
+ ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */
+ proto = "tcp";
+ } else {
+ if (!strcasecmp(s, "tcp"))
+ ipn.in_flags = IPN_TCP;
+ else if (!strcasecmp(s, "udp"))
+ ipn.in_flags = IPN_UDP;
+ else if (!strcasecmp(s, "tcp/udp"))
+ ipn.in_flags = IPN_TCPUDP;
+ else if (!strcasecmp(s, "tcpudp"))
+ ipn.in_flags = IPN_TCPUDP;
+ else if (!strcasecmp(s, "ip"))
+ ipn.in_flags = IPN_ANY;
+ else {
+ fprintf(stderr,
+ "%d: expected protocol - got \"%s\"\n",
+ linenum, s);
+ return NULL;
+ }
+ proto = s;
+ if ((s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: extra junk at the end of rdr: %s\n",
+ linenum, s);
+ return NULL;
+ }
+ }
+ ipn.in_pmin = n_portnum(dport, proto, linenum);
+ ipn.in_pmax = ipn.in_pmin;
+ ipn.in_pnext = n_portnum(tport, proto, linenum);
+ s = NULL;
+ }
+ ipn.in_inip &= ipn.in_inmsk;
+ if ((ipn.in_flags & IPN_RANGE) == 0)
+ ipn.in_outip &= ipn.in_outmsk;
+ ipn.in_srcip &= ipn.in_srcmsk;
+
+ if ((ipn.in_redir & NAT_MAPBLK) != 0)
+ nat_setgroupmap(&ipn);
+
+ if (!s)
+ return &ipn;
+
+ if (ipn.in_redir == NAT_BIMAP) {
+ fprintf(stderr,
+ "%d: extra words at the end of bimap line: %s\n",
+ linenum, s);
+ return NULL;
+ }
+ if (!strcasecmp(s, "proxy")) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing parameter for \"proxy\"\n",
+ linenum);
+ return NULL;
+ }
+ dport = NULL;
+
+ if (!strcasecmp(s, "port")) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing parameter for \"port\"\n",
+ linenum);
+ return NULL;
+ }
+
+ dport = s;
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: missing parameter for \"proxy\"\n",
+ linenum);
+ return NULL;
+ }
+ } else {
+ fprintf(stderr,
+ "%d: missing keyword \"port\"\n", linenum);
+ return NULL;
+ }
+ if ((proto = index(s, '/'))) {
+ *proto++ = '\0';
+ if ((pr = getprotobyname(proto)))
+ ipn.in_p = pr->p_proto;
+ else
+ ipn.in_p = atoi(proto);
+ if (dport)
+ ipn.in_dport = n_portnum(dport, proto, linenum);
+ } else {
+ ipn.in_p = 0;
+ if (dport)
+ ipn.in_dport = n_portnum(dport, NULL, linenum);
+ }
+
+ (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
+ if ((s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "%d: too many parameters for \"proxy\"\n",
+ linenum);
+ return NULL;
+ }
+ return &ipn;
+
+ }
+
+ if (strcasecmp(s, "portmap")) {
+ fprintf(stderr,
+ "%d: expected \"portmap\" - got \"%s\"\n", linenum, s);
+ return NULL;
+ }
+ if (!(s = strtok(NULL, " \t")))
+ return NULL;
+ if (!strcasecmp(s, "tcp"))
+ ipn.in_flags = IPN_TCP;
+ else if (!strcasecmp(s, "udp"))
+ ipn.in_flags = IPN_UDP;
+ else if (!strcasecmp(s, "tcpudp"))
+ ipn.in_flags = IPN_TCPUDP;
+ else if (!strcasecmp(s, "tcp/udp"))
+ ipn.in_flags = IPN_TCPUDP;
+ else {
+ fprintf(stderr,
+ "%d: expected protocol name - got \"%s\"\n",
+ linenum, s);
+ return NULL;
+ }
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "%d: no port range found\n", linenum);
+ return NULL;
+ }
+
+ if (!strcasecmp(s, "auto")) {
+ ipn.in_flags |= IPN_AUTOPORTMAP;
+ ipn.in_pmin = htons(1024);
+ ipn.in_pmax = htons(65535);
+ nat_setgroupmap(&ipn);
+ return &ipn;
+ }
+ proto = s;
+ if (!(t = strchr(s, ':'))) {
+ fprintf(stderr, "%d: no port range in \"%s\"\n", linenum, s);
+ return NULL;
+ }
+ *t++ = '\0';
+ ipn.in_pmin = n_portnum(s, proto, linenum);
+ ipn.in_pmax = n_portnum(t, proto, linenum);
+ return &ipn;
+}
+
+
+void natparsefile(fd, file, opts)
+int fd;
+char *file;
+int opts;
+{
+ char line[512], *s;
+ ipnat_t *np;
+ FILE *fp;
+ int linenum = 0;
+
+ if (strcmp(file, "-")) {
+ if (!(fp = fopen(file, "r"))) {
+ fprintf(stderr, "%s: open: %s\n", file,
+ STRERROR(errno));
+ exit(1);
+ }
+ } else
+ fp = stdin;
+
+ while (fgets(line, sizeof(line) - 1, fp)) {
+ linenum++;
+ line[sizeof(line) - 1] = '\0';
+ if ((s = strchr(line, '\n')))
+ *s = '\0';
+
+ if (!(np = natparse(line, linenum))) {
+ if (*line)
+ fprintf(stderr, "%d: syntax error in \"%s\"\n",
+ linenum, line);
+ } else {
+ if ((opts & OPT_VERBOSE) && np)
+ printnat(np, opts & OPT_VERBOSE, NULL);
+ if (!(opts & OPT_NODO)) {
+ if (!(opts & OPT_REM)) {
+ if (ioctl(fd, SIOCADNAT, np) == -1)
+ perror("ioctl(SIOCADNAT)");
+ } else if (ioctl(fd, SIOCRMNAT, np) == -1)
+ perror("ioctl(SIOCRMNAT)");
+ }
+ }
+ }
+ if (fp != stdin)
+ fclose(fp);
+}
+
+
+u_32_t n_hostmask(msk)
+char *msk;
+{
+ int bits = -1;
+ u_32_t mask;
+
+ if (!isdigit(*msk))
+ return (u_32_t)-1;
+ if (strchr(msk, '.'))
+ return inet_addr(msk);
+ if (strchr(msk, 'x'))
+ return (u_32_t)strtol(msk, NULL, 0);
+ /*
+ * set x most significant bits
+ */
+ for (mask = 0, bits = atoi(msk); bits; bits--) {
+ mask /= 2;
+ mask |= ntohl(inet_addr("128.0.0.0"));
+ }
+ mask = htonl(mask);
+ return mask;
+}
+
+
+u_short n_portnum(name, proto, linenum)
+char *name, *proto;
+int linenum;
+{
+ struct servent *sp, *sp2;
+ u_short p1 = 0;
+
+ if (isdigit(*name))
+ return htons((u_short)atoi(name));
+ if (!proto)
+ proto = "tcp/udp";
+ if (strcasecmp(proto, "tcp/udp")) {
+ sp = getservbyname(name, proto);
+ if (sp)
+ return sp->s_port;
+ fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
+ return 0;
+ }
+ sp = getservbyname(name, "tcp");
+ if (sp)
+ p1 = sp->s_port;
+ sp2 = getservbyname(name, "udp");
+ if (!sp || !sp2) {
+ fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
+ linenum, name);
+ return 0;
+ }
+ if (p1 != sp2->s_port) {
+ fprintf(stderr, "%d: %s %d/tcp is a different port to ",
+ linenum, name, p1);
+ fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
+ return 0;
+ }
+ return p1;
+}
diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c
index 4ed646b..78e34a2 100644
--- a/contrib/ipfilter/opt.c
+++ b/contrib/ipfilter/opt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -27,7 +27,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 2.0.2.9.2.1 1997/11/12 10:58:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: opt.c,v 2.1 1999/08/04 17:30:15 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 76ee474..77d867f 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
-#include <stdio.h>
-#include <string.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@@ -15,57 +13,66 @@
#endif
#include <sys/param.h>
#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <ctype.h>
+#include <syslog.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ipf.h"
+#include "facpri.h"
#if !defined(lint)
-static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $";
+static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
+static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.1 1999/09/11 05:32:10 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
extern int opts;
-u_short portnum __P((char *));
-u_char tcp_flags __P((char *, u_char *));
-int addicmp __P((char ***, struct frentry *));
-int extras __P((char ***, struct frentry *));
+int portnum __P((char *, u_short *, int));
+u_char tcp_flags __P((char *, u_char *, int));
+int addicmp __P((char ***, struct frentry *, int));
+int extras __P((char ***, struct frentry *, int));
char ***seg;
u_long *sa, *msk;
u_short *pp, *tp;
u_char *cp;
int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, u_char *,
- u_short *));
-int ports __P((char ***, u_short *, u_char *, u_short *));
-int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *));
-int to_interface __P((frdest_t *, char *));
+ u_short *, int));
+int ports __P((char ***, u_short *, u_char *, u_short *, int));
+int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
+int to_interface __P((frdest_t *, char *, int));
void print_toif __P((char *, frdest_t *));
-void optprint __P((u_short, u_short, u_long, u_long));
+void optprint __P((u_short *, u_long, u_long));
int countbits __P((u_32_t));
char *portname __P((int, int));
+int ratoi __P((char *, int *, int, int));
char *proto = NULL;
char flagset[] = "FSRPAU";
u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG };
-static char thishost[64];
+static char thishost[MAXHOSTNAMELEN];
void initparse()
@@ -79,12 +86,13 @@ void initparse()
*
* parse a line read from the input filter rule file
*/
-struct frentry *parse(line)
+struct frentry *parse(line, linenum)
char *line;
+int linenum;
{
static struct frentry fil;
struct protoent *p = NULL;
- char *cps[31], **cpp;
+ char *cps[31], **cpp, *endptr;
u_char ch;
int i, cnt = 1;
@@ -96,6 +104,8 @@ char *line;
bzero((char *)&fil, sizeof(fil));
fil.fr_mip.fi_v = 0xf;
fil.fr_ip.fi_v = 4;
+ fil.fr_loglevel = 0xffff;
+
/*
* break line up into max of 20 segments
*/
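Review bot: The new default `fil.fr_loglevel = 0xffff;` is an undocumented sentinel; the only other write to fr_loglevel in this commit is `fil.fr_loglevel = fac|pri;` from the `level` keyword, so 0xffff presumably means "no syslog level given on this rule", but a reader of this line cannot tell. Add a comment at the assignment, `/* 0xffff: no "log level fac.pri" on the rule; overwritten when one is parsed */`, and confirm that the consumer treats 0xffff that way. parse() starts and ends outside the hunk.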
@@ -106,7 +116,7 @@ char *line;
cps[i] = NULL;
if (cnt < 3) {
- (void)fprintf(stderr,"not enough segments in line\n");
+ fprintf(stderr, "%d: not enough segments in line\n", linenum);
return NULL;
}
@@ -117,15 +127,18 @@ char *line;
if (!strcasecmp("block", *cpp)) {
fil.fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp", 11)) {
+ if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19))
+ fil.fr_flags |= FR_FAKEICMP;
+ else if (!strncasecmp(*(cpp+1), "return-icmp", 11))
fil.fr_flags |= FR_RETICMP;
+ if (fil.fr_flags & FR_RETICMP) {
cpp++;
if (*(*cpp + 11) == '(') {
i = icmpcode(*cpp + 12);
if (i == -1) {
fprintf(stderr,
- "uncrecognised icmp code %s\n",
- *cpp + 12);
+ "%d: unrecognised icmp code %s\n",
+ linenum, *cpp + 12);
return NULL;
}
fil.fr_icode = i;
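Review bot: The ICMP code in parentheses is never parsed for the new `return-icmp-as-dest` keyword, because `if (*(*cpp + 11) == '(')` and `icmpcode(*cpp + 12)` are tied to the 11-character `return-icmp` spelling; at offset 11 of `return-icmp-as-dest(3)` the character is `-`, so the code is silently dropped, fr_icode stays 0 and the rule is still accepted. Locate the parenthesis instead of using a fixed offset, e.g. with a local `char *s`: `if ((s = index(*cpp, '(')) != NULL) { i = icmpcode(s + 1); ...`. This also assumes FR_FAKEICMP carries the FR_RETICMP bit, since the following `if (fil.fr_flags & FR_RETICMP)` is what advances cpp past the keyword; if it does not, the keyword is left in place and falls through to the in/out check as an unknown word. parse() continues outside the hunk.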
@@ -144,11 +157,13 @@ char *line;
fil.fr_flags |= FR_PREAUTH;
} else if (!strcasecmp("skip", *cpp)) {
cpp++;
- if (!isdigit(**cpp)) {
- (void)fprintf(stderr, "integer must follow skip\n");
+ if (ratoi(*cpp, &i, 0, USHRT_MAX))
+ fil.fr_skip = i;
+ else {
+ fprintf(stderr, "%d: integer must follow skip\n",
+ linenum);
return NULL;
}
- fil.fr_skip = atoi(*cpp);
} else if (!strcasecmp("log", *cpp)) {
fil.fr_flags |= FR_LOG;
if (!strcasecmp(*(cpp+1), "body")) {
@@ -157,13 +172,45 @@ char *line;
}
if (!strcasecmp(*(cpp+1), "first")) {
fil.fr_flags |= FR_LOGFIRST;
+ }
+ if (!strcasecmp(*(cpp+1), "level")) {
+ int fac, pri;
+ char *s;
+
+ fac = 0;
+ pri = 0;
+ cpp++;
+ s = index(*cpp, '.');
+ if (s) {
+ *s++ = '\0';
+ fac = fac_findname(*cpp);
+ if (fac == -1) {
+ fprintf(stderr, "%d: %s %s\n", linenum,
+ "Unknown facility", *cpp);
+ return NULL;
+ }
+ pri = pri_findname(s);
+ if (pri == -1) {
+ fprintf(stderr, "%d: %s %s\n", linenum,
+ "Unknown priority", s);
+ return NULL;
+ }
+ } else {
+ pri = pri_findname(*cpp);
+ if (pri == -1) {
+ fprintf(stderr, "%d: %s %s\n", linenum,
+ "Unknown priority", *cpp);
+ return NULL;
+ }
+ }
+ fil.fr_loglevel = fac|pri;
cpp++;
}
} else {
/*
* Doesn't start with one of the action words
*/
- (void)fprintf(stderr, "unknown keyword (%s)\n", *cpp);
+ fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
return NULL;
}
cpp++;
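Review bot: The `level` keyword cannot work as written, and `log first` regresses: after the `cpp++;` inside the new block, `*cpp` is the token `level` itself, so `s = index(*cpp, '.')` and `pri_findname(*cpp)` are applied to the string "level" rather than to its argument; and the closing brace added after `fil.fr_flags |= FR_LOGFIRST;` moves the old `cpp++` into the `level` block, so `first` is no longer consumed and is later reported as a missing in/out keyword. Restore the advance in the `first` block and step past `level` to its argument, rejecting a missing one. The hunk-count check (13 old, 45 new lines) confirms that the trailing `cpp++;` is now only reachable through the `level` branch.
```c
		if (!strcasecmp(*(cpp+1), "first")) {
			fil.fr_flags |= FR_LOGFIRST;
			cpp++;
		}
		if (*(cpp+1) && !strcasecmp(*(cpp+1), "level")) {
			/* … unchanged: fac/pri declarations and init … */
			cpp += 2;	/* skip "level"; *cpp is now its argument */
			if (!*cpp) {
				fprintf(stderr, "%d: missing syslog level\n", linenum);
				return NULL;
			}
			s = index(*cpp, '.');
			/* … unchanged: facility/priority lookup, fr_loglevel = fac|pri … */
		}
```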
@@ -173,17 +220,19 @@ char *line;
else if (!strcasecmp("out", *cpp)) {
fil.fr_flags |= FR_OUTQUE;
if (fil.fr_flags & FR_RETICMP) {
- (void)fprintf(stderr,
- "Can only use return-icmp with 'in'\n");
+ fprintf(stderr,
+ "%d: Can only use return-icmp with 'in'\n",
+ linenum);
return NULL;
} else if (fil.fr_flags & FR_RETRST) {
- (void)fprintf(stderr,
- "Can only use return-rst with 'in'\n");
+ fprintf(stderr,
+ "%d: Can only use return-rst with 'in'\n",
+ linenum);
return NULL;
}
} else {
- (void)fprintf(stderr,
- "missing 'in'/'out' keyword (%s)\n", *cpp);
+ fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n",
+ linenum, *cpp);
return NULL;
}
if (!*++cpp)
@@ -205,8 +254,9 @@ char *line;
}
if (!strcasecmp(*cpp, "or-block")) {
if (!(fil.fr_flags & FR_PASS)) {
- (void)fprintf(stderr,
- "or-block must be used with pass\n");
+ fprintf(stderr,
+ "%d: or-block must be used with pass\n",
+ linenum);
return NULL;
}
fil.fr_flags |= FR_LOGORBLOCK;
@@ -222,17 +272,18 @@ char *line;
*fil.fr_ifname = '\0';
if (*cpp && !strcasecmp(*cpp, "on")) {
if (!*++cpp) {
- (void)fprintf(stderr, "interface name missing\n");
+ fprintf(stderr, "%d: interface name missing\n",
+ linenum);
return NULL;
}
(void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
fil.fr_ifname[IFNAMSIZ-1] = '\0';
cpp++;
if (!*cpp) {
- if (fil.fr_flags & FR_RETRST) {
- (void)fprintf(stderr,
- "%s can only be used with TCP\n",
- "return-rst");
+ if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
+ fprintf(stderr,
+ "%d: %s can only be used with TCP\n",
+ linenum, "return-rst");
return NULL;
}
return &fil;
@@ -241,16 +292,22 @@ char *line;
if (*cpp) {
if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
cpp++;
- if (to_interface(&fil.fr_dif, *cpp))
+ if (to_interface(&fil.fr_dif, *cpp, linenum))
return NULL;
cpp++;
}
if (!strcasecmp(*cpp, "to") && *(cpp + 1)) {
cpp++;
- if (to_interface(&fil.fr_tif, *cpp))
+ if (to_interface(&fil.fr_tif, *cpp, linenum))
return NULL;
cpp++;
} else if (!strcasecmp(*cpp, "fastroute")) {
+ if (!(fil.fr_flags & FR_INQUE)) {
+ fprintf(stderr,
+ "can only use %s with 'in'\n",
+ "fastroute");
+ return NULL;
+ }
fil.fr_flags |= FR_FASTROUTE;
cpp++;
}
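Review bot: The new fastroute diagnostic `"can only use %s with 'in'\n"` is the one message in this commit without the `%d: ` line-number prefix every other error gained; for consistency make it `fprintf(stderr, "%d: can only use %s with 'in'\n", linenum, "fastroute");`. The FR_INQUE check itself is correct. parse() continues outside the hunk.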
@@ -258,7 +315,7 @@ char *line;
}
if (*cpp && !strcasecmp(*cpp, "tos")) {
if (!*++cpp) {
- (void)fprintf(stderr, "tos missing value\n");
+ fprintf(stderr, "%d: tos missing value\n", linenum);
return NULL;
}
fil.fr_tos = strtol(*cpp, NULL, 0);
@@ -268,10 +325,17 @@ char *line;
if (*cpp && !strcasecmp(*cpp, "ttl")) {
if (!*++cpp) {
- (void)fprintf(stderr, "ttl missing hopcount value\n");
+ fprintf(stderr, "%d: ttl missing hopcount value\n",
+ linenum);
+ return NULL;
+ }
+ if (ratoi(*cpp, &i, 0, 255))
+ fil.fr_ttl = i;
+ else {
+ fprintf(stderr, "%d: invalid ttl (%s)\n",
+ linenum, *cpp);
return NULL;
}
- fil.fr_ttl = atoi(*cpp);
fil.fr_mip.fi_ttl = 0xff;
cpp++;
}
@@ -282,37 +346,39 @@ char *line;
proto = NULL;
if (*cpp && !strcasecmp(*cpp, "proto")) {
if (!*++cpp) {
- (void)fprintf(stderr, "protocol name missing\n");
+ fprintf(stderr, "%d: protocol name missing\n", linenum);
return NULL;
}
- if (!strcasecmp(*cpp, "tcp/udp")) {
+ proto = *cpp++;
+ if (!strcasecmp(proto, "tcp/udp")) {
fil.fr_ip.fi_fl |= FI_TCPUDP;
fil.fr_mip.fi_fl |= FI_TCPUDP;
} else {
- if (!(p = getprotobyname(*cpp)) && !isdigit(**cpp)) {
- (void)fprintf(stderr,
- "unknown protocol (%s)\n", *cpp);
+ if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
+ fprintf(stderr,
+ "%d: unknown protocol (%s)\n",
+ linenum, proto);
return NULL;
}
if (p)
fil.fr_proto = p->p_proto;
- else if (isdigit(**cpp))
- fil.fr_proto = atoi(*cpp);
+ else if (isdigit(*proto)) {
+ i = (int)strtol(proto, &endptr, 0);
+ if (*endptr != '\0' || i < 0 || i > 255) {
+ fprintf(stderr,
+ "%d: unknown protocol (%s)\n",
+ linenum, proto);
+ return NULL;
+ }
+ fil.fr_proto = i;
+ }
fil.fr_mip.fi_p = 0xff;
}
- proto = *cpp;
- if (fil.fr_proto != IPPROTO_TCP && fil.fr_flags & FR_RETRST) {
- (void)fprintf(stderr,
- "%s can only be used with TCP\n",
- "return-rst");
- return NULL;
- }
- if (!*++cpp)
- return &fil;
}
- if (fil.fr_proto != IPPROTO_TCP && fil.fr_flags & FR_RETRST) {
- (void)fprintf(stderr, "%s can only be used with TCP\n",
- "return-rst");
+ if ((fil.fr_proto != IPPROTO_TCP) &&
+ ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
+ fprintf(stderr, "%d: %s can only be used with TCP\n",
+ linenum, "return-rst");
return NULL;
}
@@ -321,7 +387,7 @@ char *line;
*/
if (!*cpp) {
- fprintf(stderr, "missing source specification\n");
+ fprintf(stderr, "%d: missing source specification\n", linenum);
return NULL;
}
if (!strcasecmp(*cpp, "all")) {
@@ -330,12 +396,13 @@ char *line;
return &fil;
} else {
if (strcasecmp(*cpp, "from")) {
- (void)fprintf(stderr,
- "unexpected keyword (%s) - from\n", *cpp);
+ fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
+ linenum, *cpp);
return NULL;
}
if (!*++cpp) {
- (void)fprintf(stderr, "missing host after from\n");
+ fprintf(stderr, "%d: missing host after from\n",
+ linenum);
return NULL;
}
ch = 0;
@@ -345,13 +412,12 @@ char *line;
}
if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
(u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
- &fil.fr_stop)) {
- (void)fprintf(stderr, "bad host (%s)\n", *cpp);
+ &fil.fr_stop, linenum)) {
return NULL;
}
fil.fr_scmp = ch;
if (!*cpp) {
- (void)fprintf(stderr, "missing to fields\n");
+ fprintf(stderr, "%d: missing to fields\n", linenum);
return NULL;
}
@@ -359,12 +425,12 @@ char *line;
* do the same for the to field (destination host)
*/
if (strcasecmp(*cpp, "to")) {
- (void)fprintf(stderr,
- "unexpected keyword (%s) - to\n", *cpp);
+ fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
+ linenum, *cpp);
return NULL;
}
if (!*++cpp) {
- (void)fprintf(stderr, "missing host after to\n");
+ fprintf(stderr, "%d: missing host after to\n", linenum);
return NULL;
}
ch = 0;
@@ -374,8 +440,7 @@ char *line;
}
if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
(u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
- &fil.fr_dtop)) {
- (void)fprintf(stderr, "bad host (%s)\n", *cpp);
+ &fil.fr_dtop, linenum)) {
return NULL;
}
fil.fr_dcmp = ch;
@@ -387,11 +452,12 @@ char *line;
*/
if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
- (void)fprintf(stderr, "port operation on non tcp/udp\n");
+ fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
return NULL;
}
if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
- (void)fprintf(stderr, "icmp comparisons on wrong protocol\n");
+ fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
+ linenum);
return NULL;
}
@@ -400,10 +466,10 @@ char *line;
if (*cpp && !strcasecmp(*cpp, "flags")) {
if (!*++cpp) {
- (void)fprintf(stderr, "no flags present\n");
+ fprintf(stderr, "%d: no flags present\n", linenum);
return NULL;
}
- fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm);
+ fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
cpp++;
}
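Review bot: A misspelled flag letter still yields an installed rule: tcp_flags() prints the error and returns 0, but `fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);` cannot tell that 0 apart from a legitimately empty flag set, so parse() carries on and returns a rule whose flag comparison is broader than the user wrote. Threading linenum into tcp_flags() improves the message but not the outcome. If an empty set is never meaningful after the `flags` keyword, `if (!fil.fr_tcpf && !fil.fr_tcpfm) return NULL;` after the call would reject it; otherwise report failure through an extra out-parameter or an int status. The body of tcp_flags() is outside this hunk, so whether an all-zero result is otherwise reachable is inferred.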
@@ -411,7 +477,7 @@ char *line;
* extras...
*/
if (*cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and")))
- if (extras(&cpp, &fil))
+ if (extras(&cpp, &fil, linenum))
return NULL;
/*
@@ -419,12 +485,12 @@ char *line;
*/
if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
if (fil.fr_proto != IPPROTO_ICMP) {
- (void)fprintf(stderr,
- "icmp with wrong protocol (%d)\n",
- fil.fr_proto);
+ fprintf(stderr,
+ "%d: icmp with wrong protocol (%d)\n",
+ linenum, fil.fr_proto);
return NULL;
}
- if (addicmp(&cpp, &fil))
+ if (addicmp(&cpp, &fil, linenum))
return NULL;
fil.fr_icmp = htons(fil.fr_icmp);
fil.fr_icmpm = htons(fil.fr_icmpm);
@@ -434,7 +500,7 @@ char *line;
* Keep something...
*/
while (*cpp && !strcasecmp(*cpp, "keep"))
- if (addkeep(&cpp, &fil))
+ if (addkeep(&cpp, &fil, linenum))
return NULL;
/*
@@ -442,10 +508,16 @@ char *line;
*/
if (*cpp && !strcasecmp(*cpp, "head")) {
if (!*++cpp) {
- (void)fprintf(stderr, "head without group #\n");
+ fprintf(stderr, "%d: head without group #\n", linenum);
+ return NULL;
+ }
+ if (ratoi(*cpp, &i, 0, USHRT_MAX))
+ fil.fr_grhead = i;
+ else {
+ fprintf(stderr, "%d: invalid group (%s)\n",
+ linenum, *cpp);
return NULL;
}
- fil.fr_grhead = atoi(*cpp);
cpp++;
}
@@ -454,10 +526,17 @@ char *line;
*/
if (*cpp && !strcasecmp(*cpp, "group")) {
if (!*++cpp) {
- (void)fprintf(stderr, "group without group #\n");
+ fprintf(stderr, "%d: group without group #\n",
+ linenum);
return NULL;
}
- fil.fr_group = atoi(*cpp);
+ if (ratoi(*cpp, &i, 0, USHRT_MAX))
+ fil.fr_group = i;
+ else {
+ fprintf(stderr, "%d: invalid group (%s)\n",
+ linenum, *cpp);
+ return NULL;
+ }
cpp++;
}
@@ -465,10 +544,10 @@ char *line;
* leftovers...yuck
*/
if (*cpp && **cpp) {
- fprintf(stderr, "unknown words at end: [");
+ fprintf(stderr, "%d: unknown words at end: [", linenum);
for (; *cpp; cpp++)
- (void)fprintf(stderr, "%s ", *cpp);
- (void)fprintf(stderr, "]\n");
+ fprintf(stderr, "%s ", *cpp);
+ fprintf(stderr, "]\n");
return NULL;
}
@@ -476,7 +555,7 @@ char *line;
* lazy users...
*/
if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
- (void)fprintf(stderr, "TCP protocol not specified\n");
+ fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
return NULL;
}
if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
@@ -485,16 +564,18 @@ char *line;
fil.fr_ip.fi_fl |= FI_TCPUDP;
fil.fr_mip.fi_fl |= FI_TCPUDP;
} else {
- (void)fprintf(stderr,
- "port comparisons for non-TCP/UDP\n");
+ fprintf(stderr,
+ "%d: port comparisons for non-TCP/UDP\n",
+ linenum);
return NULL;
}
}
/*
if ((fil.fr_flags & FR_KEEPFRAG) &&
(!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
- (void)fprintf(stderr,
- "must use 'with frags' with 'keep frags'\n");
+ fprintf(stderr,
+ "%d: must use 'with frags' with 'keep frags'\n",
+ linenum);
return NULL;
}
*/
@@ -502,9 +583,10 @@ char *line;
}
-int to_interface(fdp, to)
+int to_interface(fdp, to, linenum)
frdest_t *fdp;
char *to;
+int linenum;
{
int r = 0;
char *s;
@@ -513,7 +595,7 @@ char *to;
fdp->fd_ifp = NULL;
if (s) {
*s++ = '\0';
- fdp->fd_ip.s_addr = hostnum(s, &r);
+ fdp->fd_ip.s_addr = hostnum(s, &r, linenum);
if (r == -1)
return -1;
}
@@ -527,81 +609,101 @@ void print_toif(tag, fdp)
char *tag;
frdest_t *fdp;
{
- (void)printf("%s %s%s", tag, fdp->fd_ifname,
+ printf("%s %s%s", tag, fdp->fd_ifname,
(fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
if (fdp->fd_ip.s_addr)
- (void)printf(":%s", inet_ntoa(fdp->fd_ip));
+ printf(":%s", inet_ntoa(fdp->fd_ip));
putchar(' ');
}
/*
- * returns false if neither "hostmask/num" or "hostmask mask addr" are
- * found in the line segments
+ * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
+ * found in the line segments, there is an error processing this information,
+ * or there is an error processing ports information.
*/
-int hostmask(seg, sa, msk, pp, cp, tp)
+int hostmask(seg, sa, msk, pp, cp, tp, linenum)
char ***seg;
u_32_t *sa, *msk;
u_short *pp, *tp;
u_char *cp;
+int linenum;
{
- char *s;
+ char *s, *endptr;
int bits = -1, resolved;
+ struct in_addr maskaddr;
/*
* is it possibly hostname/num ?
*/
if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) {
*s++ = '\0';
- if (!isdigit(*s))
- return -1;
- if (index(s, '.'))
- *msk = inet_addr(s);
- if (!index(s, '.') && !index(s, 'x')) {
+ if (index(s, '.') || index(s, 'x')) {
+ /* possibly of the form xxx.xxx.xxx.xxx
+ * or 0xYYYYYYYY */
+ if (inet_aton(s, &maskaddr) == 0) {
+ fprintf(stderr, "%d: bad mask (%s)\n",
+ linenum, s);
+ return -1;
+ }
+ *msk = maskaddr.s_addr;
+ } else {
/*
* set x most significant bits
*/
- for (bits = atoi(s); bits; bits--) {
- *msk /= 2;
- *msk |= ntohl(inet_addr("128.0.0.0"));
- }
- *msk = htonl(*msk);
- } else {
- if (inet_aton(s, (struct in_addr *)msk) == -1)
+ bits = (int)strtol(s, &endptr, 0);
+ if (*endptr != '\0' || bits > 32 || bits < 0) {
+ fprintf(stderr, "%d: bad mask (/%s)\n",
+ linenum, s);
return -1;
+ }
+ if (bits == 0)
+ *msk = 0;
+ else
+ *msk = htonl(0xffffffff << (32 - bits));
}
- *sa = hostnum(**seg, &resolved) & *msk;
- if (resolved == -1)
+ *sa = hostnum(**seg, &resolved, linenum) & *msk;
+ if (resolved == -1) {
+ fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
+ }
(*seg)++;
- return ports(seg, pp, cp, tp);
+ return ports(seg, pp, cp, tp, linenum);
}
/*
* look for extra segments if "mask" found in right spot
*/
if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
- *sa = hostnum(**seg, &resolved);
- if (resolved == -1)
+ *sa = hostnum(**seg, &resolved, linenum);
+ if (resolved == -1) {
+ fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
+ }
(*seg)++;
(*seg)++;
- if (inet_aton(**seg, (struct in_addr *)msk) == -1)
+ if (inet_aton(**seg, &maskaddr) == 0) {
+ fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
return -1;
+ }
+ *msk = maskaddr.s_addr;
(*seg)++;
*sa &= *msk;
- return ports(seg, pp, cp, tp);
+ return ports(seg, pp, cp, tp, linenum);
}
if (**seg) {
- *sa = hostnum(**seg, &resolved);
- if (resolved == -1)
+ *sa = hostnum(**seg, &resolved, linenum);
+ if (resolved == -1) {
+ fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
+ }
(*seg)++;
*msk = (*sa ? inet_addr("255.255.255.255") : 0L);
*sa &= *msk;
- return ports(seg, pp, cp, tp);
+ return ports(seg, pp, cp, tp, linenum);
}
+ fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
return -1;
}
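Review bot: An empty prefix after the slash now parses as /0: for `host/`, `bits = (int)strtol(s, &endptr, 0);` returns 0 with endptr == s, the `*endptr != '\0'` test passes, and `*msk` becomes 0, so the rule matches every address where the removed `isdigit(*s)` check used to reject the line. Add the no-digits case to the test: `if (endptr == s || *endptr != '\0' || bits > 32 || bits < 0) {`. strtol also accepts a sign, so `/-0` and `/+8` pass the same test; the ratoi() helper used elsewhere in this commit may already be stricter and could be reused here. The `mask addr` and bare-host paths below are fine.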
@@ -609,25 +711,29 @@ u_char *cp;
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
-u_32_t hostnum(host, resolved)
+u_32_t hostnum(host, resolved, linenum)
char *host;
int *resolved;
+int linenum;
{
struct hostent *hp;
struct netent *np;
+ struct in_addr ip;
*resolved = 0;
- if (!strcasecmp("any",host))
- return 0L;
- if (isdigit(*host))
- return inet_addr(host);
+ if (!strcasecmp("any", host))
+ return 0;
+ if (isdigit(*host) && inet_aton(host, &ip))
+ return ip.s_addr;
+
if (!strcasecmp("<thishost>", host))
host = thishost;
if (!(hp = gethostbyname(host))) {
if (!(np = getnetbyname(host))) {
*resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
+ fprintf(stderr, "%d: can't resolve hostname: %s\n",
+ linenum, host);
return 0;
}
return htonl(np->n_net);
@@ -638,10 +744,11 @@ int *resolved;
/*
* check for possible presence of the port fields in the line
*/
-int ports(seg, pp, cp, tp)
+int ports(seg, pp, cp, tp, linenum)
char ***seg;
u_short *pp, *tp;
u_char *cp;
+int linenum;
{
int comp = -1;
@@ -650,14 +757,27 @@ u_char *cp;
if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
(*seg)++;
if (isdigit(***seg) && *(*seg + 2)) {
- *pp = portnum(**seg);
+ if (portnum(**seg, pp, linenum) == 0)
+ return -1;
(*seg)++;
if (!strcmp(**seg, "<>"))
comp = FR_OUTRANGE;
else if (!strcmp(**seg, "><"))
comp = FR_INRANGE;
+ else {
+ fprintf(stderr,
+ "%d: unknown range operator (%s)\n",
+ linenum, **seg);
+ return -1;
+ }
(*seg)++;
- *tp = portnum(**seg);
+ if (**seg == NULL) {
+ fprintf(stderr, "%d: missing 2nd port value\n",
+ linenum);
+ return -1;
+ }
+ if (portnum(**seg, tp, linenum) == 0)
+ return -1;
} else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
comp = FR_EQUAL;
else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
@@ -671,13 +791,14 @@ u_char *cp;
else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
comp = FR_GREATERTE;
else {
- (void)fprintf(stderr,"unknown comparator (%s)\n",
- **seg);
+ fprintf(stderr, "%d: unknown comparator (%s)\n",
+ linenum, **seg);
return -1;
}
if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
(*seg)++;
- *pp = portnum(**seg);
+ if (portnum(**seg, pp, linenum) == 0)
+ return -1;
}
*cp = comp;
(*seg)++;
@@ -687,47 +808,57 @@ u_char *cp;
/*
* find the port number given by the name, either from getservbyname() or
- * straight atoi()
+ * straight atoi(). Return 1 on success, 0 on failure
*/
-u_short portnum(name)
+int portnum(name, port, linenum)
char *name;
+u_short *port;
+int linenum;
{
struct servent *sp, *sp2;
u_short p1 = 0;
-
- if (isdigit(*name))
- return (u_short)atoi(name);
- if (!proto)
- proto = "tcp/udp";
- if (strcasecmp(proto, "tcp/udp")) {
+ int i;
+ if (isdigit(*name)) {
+ if (ratoi(name, &i, 0, USHRT_MAX)) {
+ *port = (u_short)i;
+ return 1;
+ }
+ fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
+ return 0;
+ }
+ if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
sp = getservbyname(name, proto);
- if (sp)
- return ntohs(sp->s_port);
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
+ if (sp) {
+ *port = ntohs(sp->s_port);
+ return 1;
+ }
+ fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
return 0;
}
sp = getservbyname(name, "tcp");
- if (sp)
+ if (sp)
p1 = sp->s_port;
sp2 = getservbyname(name, "udp");
if (!sp || !sp2) {
- (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
- name);
+ fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
+ linenum, name);
return 0;
}
if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
+ fprintf(stderr, "%d: %s %d/tcp is a different port to ",
+ linenum, name, p1);
+ fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
return 0;
}
- return ntohs(p1);
+ *port = ntohs(p1);
+ return 1;
}
-u_char tcp_flags(flgs, mask)
+u_char tcp_flags(flgs, mask, linenum)
char *flgs;
u_char *mask;
+int linenum;
{
u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
char *s, *t;
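Review bot: The second half of the mismatch diagnostic prints the wrong value: `fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);` uses the tcp servent `sp` where it should use `sp2`, so both halves show the same number, and both `p1` and `sp->s_port` are raw network-order values printed with `%d`. Use `ntohs(p1)` and `ntohs(sp2->s_port)` in the two fprintf calls. The same two lines appear in n_portnum earlier in this commit and need the same fix. The ratoi() range check on numeric ports and the 1/0 status return are otherwise a clear improvement over the old u_short return.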
@@ -738,7 +869,7 @@ u_char *mask;
continue;
}
if (!(t = index(flagset, *s))) {
- (void)fprintf(stderr, "unknown flag (%c)\n", *s);
+ fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
return 0;
}
*fp |= flags[t - flagset];
@@ -753,9 +884,10 @@ u_char *mask;
/*
* deal with extra bits on end of the line
*/
-int extras(cp, fr)
+int extras(cp, fr, linenum)
char ***cp;
struct frentry *fr;
+int linenum;
{
u_short secmsk;
u_long opts;
@@ -789,18 +921,20 @@ struct frentry *fr;
goto nextopt;
} else if (***cp == 'o' || ***cp == 'O') {
if (!*(*cp + 1)) {
- (void)fprintf(stderr,
- "opt missing arguements\n");
+ fprintf(stderr,
+ "%d: opt missing arguements\n",
+ linenum);
return -1;
}
(*cp)++;
- if (!(opts = optname(cp, &secmsk)))
+ if (!(opts = optname(cp, &secmsk, linenum)))
return -1;
oflags = FI_OPTIONS;
} else if (***cp == 's' || ***cp == 'S') {
if (fr->fr_tcpf) {
- (void) fprintf(stderr,
- "short cannot be used with TCP flags\n");
+ fprintf(stderr,
+ "%d: short cannot be used with TCP flags\n",
+ linenum);
return -1;
}
@@ -813,13 +947,15 @@ struct frentry *fr;
if (!notopt || !opts)
fr->fr_mip.fi_fl |= oflags;
- if (notopt)
- if (!secmsk)
+ if (notopt) {
+ if (!secmsk) {
fr->fr_mip.fi_optmsk |= opts;
- else
+ } else {
fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
- else
+ }
+ } else {
fr->fr_mip.fi_optmsk |= opts;
+ }
fr->fr_mip.fi_secmsk |= secmsk;
if (notopt) {
@@ -842,9 +978,10 @@ nextopt:
}
-u_32_t optname(cp, sp)
+u_32_t optname(cp, sp, linenum)
char ***cp;
u_short *sp;
+int linenum;
{
struct ipopt_names *io, *so;
u_long msk = 0;
@@ -859,7 +996,8 @@ u_short *sp;
break;
}
if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
+ fprintf(stderr, "%d: unknown IP option name %s\n",
+ linenum, s);
return 0;
}
if (!strcasecmp(s, "sec-class"))
@@ -867,7 +1005,8 @@ u_short *sp;
}
if (sec && !*(*cp + 1)) {
- fprintf(stderr, "missing security level after sec-class\n");
+ fprintf(stderr, "%d: missing security level after sec-class\n",
+ linenum);
return 0;
}
@@ -880,8 +1019,9 @@ u_short *sp;
break;
}
if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n",
- s);
+ fprintf(stderr,
+ "%d: no such security level: %s\n",
+ linenum, s);
return 0;
}
}
@@ -893,13 +1033,14 @@ u_short *sp;
#ifdef __STDC__
-void optprint(u_short secmsk, u_short secbits, u_long optmsk, u_long optbits)
+void optprint(u_short *sec, u_long optmsk, u_long optbits)
#else
-void optprint(secmsk, secbits, optmsk, optbits)
-u_short secmsk, secbits;
+void optprint(sec, optmsk, optbits)
+u_short *sec;
u_long optmsk, optbits;
#endif
{
+ u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io, *so;
char *s;
int secflag = 0;
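Review bot: The new `sec` parameter is really a two-element array, but neither the definition nor the prototype `optprint __P((u_short *, u_long, u_long))` says so; a caller passing a single u_short reads one past it at `secbits = sec[1]`. Document the contract at the definition, `/* sec[0]: security option mask, sec[1]: security option bits; caller supplies u_short sec[2] */`, or spell the parameter as `u_short sec[2]` in both the prototype and the definition so the shape is visible at every call site. The function body continues outside the hunk.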
@@ -975,9 +1116,10 @@ char *icmptypes[] = {
/*
* set the icmp field to the correct type if "icmp" word is found
*/
-int addicmp(cp, fp)
+int addicmp(cp, fp, linenum)
char ***cp;
struct frentry *fp;
+int linenum;
{
char **t;
int i;
@@ -988,7 +1130,12 @@ struct frentry *fp;
if (!fp->fr_proto) /* to catch lusers */
fp->fr_proto = IPPROTO_ICMP;
if (isdigit(***cp)) {
- i = atoi(**cp);
+ if (!ratoi(**cp, &i, 0, 255)) {
+ fprintf(stderr,
+ "%d: Invalid icmp-type (%s) specified\n",
+ linenum, **cp);
+ return -1;
+ }
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
@@ -1001,8 +1148,9 @@ struct frentry *fp;
break;
}
if (i == -1) {
- (void)fprintf(stderr,
- "Invalid icmp-type (%s) specified\n", **cp);
+ fprintf(stderr,
+ "%d: Invalid icmp-type (%s) specified\n",
+ linenum, **cp);
return -1;
}
}
@@ -1016,12 +1164,19 @@ struct frentry *fp;
return 0;
(*cp)++;
if (isdigit(***cp)) {
- i = atoi(**cp);
+ if (!ratoi(**cp, &i, 0, 255)) {
+ fprintf(stderr,
+ "%d: Invalid icmp code (%s) specified\n",
+ linenum, **cp);
+ return -1;
+ }
fp->fr_icmp |= (u_short)i;
fp->fr_icmpm = (u_short)0xffff;
(*cp)++;
return 0;
}
+ fprintf(stderr, "%d: Invalid icmp code (%s) specified\n",
+ linenum, **cp);
return -1;
}
@@ -1044,8 +1199,12 @@ char *str;
if (!(s = strrchr(str, ')')))
return -1;
*s = '\0';
- if (isdigit(*str))
- return atoi(str);
+ if (isdigit(*str)) {
+ if (!ratoi(str, &i, 0, 255))
+ return -1;
+ else
+ return i;
+ }
len = strlen(str);
for (i = 0; icmpcodes[i]; i++)
if (!strncasecmp(str, icmpcodes[i], MIN(len,
@@ -1058,20 +1217,22 @@ char *str;
/*
* set the icmp field to the correct type if "icmp" word is found
*/
-int addkeep(cp, fp)
+int addkeep(cp, fp, linenum)
char ***cp;
struct frentry *fp;
+int linenum;
{
if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
- (void)fprintf(stderr, "Can only use keep with UDP/ICMP/TCP\n");
+ fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
+ linenum);
return -1;
}
(*cp)++;
if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
- (void)fprintf(stderr, "Unrecognised state keyword \"%s\"\n",
- **cp);
+ fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
+ linenum, **cp);
return -1;
}
@@ -1121,17 +1282,17 @@ int pr, port;
struct servent *sv = NULL, *sv1 = NULL;
if (pr == -1) {
- if ((sv = getservbyport(port, "tcp"))) {
+ if ((sv = getservbyport(htons(port), "tcp"))) {
strncpy(buf, sv->s_name, sizeof(buf)-1);
buf[sizeof(buf)-1] = '\0';
- sv1 = getservbyport(port, "udp");
+ sv1 = getservbyport(htons(port), "udp");
sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
NULL : sv1;
}
if (sv)
return buf;
} else if (pr && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(port, p->p_name))) {
+ if ((sv = getservbyport(htons(port), p->p_name))) {
strncpy(buf, sv->s_name, sizeof(buf)-1);
buf[sizeof(buf)-1] = '\0';
return buf;
@@ -1153,143 +1314,164 @@ struct frentry *fp;
"<>", "><"};
struct protoent *p;
int ones = 0, pr;
- char *s;
+ char *s, *u;
u_char *t;
+ u_short sec[2];
if (fp->fr_flags & FR_PASS)
- (void)printf("pass");
+ printf("pass");
else if (fp->fr_flags & FR_BLOCK) {
- (void)printf("block");
+ printf("block");
if (fp->fr_flags & FR_RETICMP) {
- (void)printf(" return-icmp");
- if (fp->fr_icode)
+ if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
+ printf(" return-icmp-as-dest");
+ else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
+ printf(" return-icmp");
+ if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
printf("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
printf("(%d)", fp->fr_icode);
- }
- if (fp->fr_flags & FR_RETRST)
- (void)printf(" return-rst");
+ }
+ } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
+ printf(" return-rst");
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
- (void)printf("log");
+ printf("log");
if (fp->fr_flags & FR_LOGBODY)
- (void)printf(" body");
+ printf(" body");
if (fp->fr_flags & FR_LOGFIRST)
- (void)printf(" first");
+ printf(" first");
} else if (fp->fr_flags & FR_ACCOUNT)
- (void)printf("count");
+ printf("count");
else if (fp->fr_flags & FR_AUTH)
- (void)printf("auth");
+ printf("auth");
else if (fp->fr_flags & FR_PREAUTH)
- (void)printf("preauth");
+ printf("preauth");
else if (fp->fr_skip)
- (void)printf("skip %d", fp->fr_skip);
+ printf("skip %hu", fp->fr_skip);
if (fp->fr_flags & FR_OUTQUE)
- (void)printf(" out ");
+ printf(" out ");
else
- (void)printf(" in ");
+ printf(" in ");
if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
- (void)printf("log ");
+ printf("log ");
if (fp->fr_flags & FR_LOGBODY)
- (void)printf("body ");
+ printf("body ");
if (fp->fr_flags & FR_LOGFIRST)
- (void)printf("first ");
+ printf("first ");
if (fp->fr_flags & FR_LOGORBLOCK)
- (void)printf("or-block ");
+ printf("or-block ");
+ if (fp->fr_loglevel != 0xffff) {
+ if (fp->fr_loglevel & LOG_FACMASK) {
+ s = fac_toname(fp->fr_loglevel);
+ if (s == NULL)
+ s = "!!!";
+ } else
+ s = "";
+ u = pri_toname(fp->fr_loglevel);
+ if (u == NULL)
+ u = "!!!";
+ if (*s)
+ printf("%s.%s ", s, u);
+ else
+ printf("%s ", u);
+ }
+
}
if (fp->fr_flags & FR_QUICK)
- (void)printf("quick ");
+ printf("quick ");
if (*fp->fr_ifname) {
- (void)printf("on %s%s ", fp->fr_ifname,
+ printf("on %s%s ", fp->fr_ifname,
(fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
if (*fp->fr_dif.fd_ifname)
print_toif("dup-to", &fp->fr_dif);
if (*fp->fr_tif.fd_ifname)
print_toif("to", &fp->fr_tif);
if (fp->fr_flags & FR_FASTROUTE)
- (void)printf("fastroute ");
+ printf("fastroute ");
}
if (fp->fr_mip.fi_tos)
- (void)printf("tos %#x ", fp->fr_tos);
+ printf("tos %#x ", fp->fr_tos);
if (fp->fr_mip.fi_ttl)
- (void)printf("ttl %d ", fp->fr_ttl);
+ printf("ttl %d ", fp->fr_ttl);
if (fp->fr_ip.fi_fl & FI_TCPUDP) {
- (void)printf("proto tcp/udp ");
+ printf("proto tcp/udp ");
pr = -1;
} else if ((pr = fp->fr_mip.fi_p)) {
if ((p = getprotobynumber(fp->fr_proto)))
- (void)printf("proto %s ", p->p_name);
+ printf("proto %s ", p->p_name);
else
- (void)printf("proto %d ", fp->fr_proto);
+ printf("proto %d ", fp->fr_proto);
}
printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr)
- (void)printf("any ");
+ if (!fp->fr_src.s_addr && !fp->fr_smsk.s_addr)
+ printf("any ");
else {
- (void)printf("%s", inet_ntoa(fp->fr_src));
+ printf("%s", inet_ntoa(fp->fr_src));
if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
- (void)printf("/%s ", inet_ntoa(fp->fr_smsk));
+ printf("/%s ", inet_ntoa(fp->fr_smsk));
else
- (void)printf("/%d ", ones);
+ printf("/%d ", ones);
}
- if (fp->fr_scmp)
+ if (fp->fr_scmp) {
if (fp->fr_scmp == FR_INRANGE || fp->fr_scmp == FR_OUTRANGE)
- (void)printf("port %d %s %d ", fp->fr_sport,
+ printf("port %d %s %d ", fp->fr_sport,
pcmp1[fp->fr_scmp], fp->fr_stop);
else
- (void)printf("port %s %s ", pcmp1[fp->fr_scmp],
+ printf("port %s %s ", pcmp1[fp->fr_scmp],
portname(pr, fp->fr_sport));
+ }
printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr)
- (void)printf("any");
+ if (!fp->fr_dst.s_addr && !fp->fr_dmsk.s_addr)
+ printf("any");
else {
- (void)printf("%s", inet_ntoa(fp->fr_dst));
+ printf("%s", inet_ntoa(fp->fr_dst));
if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
- (void)printf("/%s", inet_ntoa(fp->fr_dmsk));
+ printf("/%s", inet_ntoa(fp->fr_dmsk));
else
- (void)printf("/%d", ones);
+ printf("/%d", ones);
}
if (fp->fr_dcmp) {
if (fp->fr_dcmp == FR_INRANGE || fp->fr_dcmp == FR_OUTRANGE)
- (void)printf(" port %d %s %d", fp->fr_dport,
+ printf(" port %d %s %d", fp->fr_dport,
pcmp1[fp->fr_dcmp], fp->fr_dtop);
else
- (void)printf(" port %s %s", pcmp1[fp->fr_dcmp],
+ printf(" port %s %s", pcmp1[fp->fr_dcmp],
portname(pr, fp->fr_dport));
}
if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
(fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- (void)printf(" with");
+ printf(" with");
if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk)
- optprint(fp->fr_mip.fi_secmsk,
- fp->fr_ip.fi_secmsk,
- fp->fr_mip.fi_optmsk,
- fp->fr_ip.fi_optmsk);
- else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
+ fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
+ sec[0] = fp->fr_mip.fi_secmsk;
+ sec[1] = fp->fr_ip.fi_secmsk;
+ optprint(sec,
+ fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk);
+ } else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
- (void)printf(" not");
- (void)printf(" ipopt");
+ printf(" not");
+ printf(" ipopt");
}
if (fp->fr_mip.fi_fl & FI_SHORT) {
if (!(fp->fr_ip.fi_fl & FI_SHORT))
- (void)printf(" not");
- (void)printf(" short");
+ printf(" not");
+ printf(" short");
}
if (fp->fr_mip.fi_fl & FI_FRAG) {
if (!(fp->fr_ip.fi_fl & FI_FRAG))
- (void)printf(" not");
- (void)printf(" frag");
+ printf(" not");
+ printf(" frag");
}
}
if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
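Review bot: The new log-level branch prints `!!!` when fac_toname() or pri_toname() returns NULL, which yields a rule line that cannot be read back if this output is fed to the rule parser (the rest of printfr emits rule syntax, so I take round-tripping to be the intent); printing the numeric level in that case keeps the output parseable, e.g. `printf("%d ", fp->fr_loglevel & LOG_PRIMASK);` in place of the `!!!` fallback. The `return-icmp-as-dest` test on FR_FAKEICMP sits inside `if (fp->fr_flags & FR_RETICMP)`, so it is only reachable if FR_FAKEICMP includes the FR_RETICMP bit; a one-line comment at that test stating the assumption would stop the next reader from flagging it as dead code. printfr begins above this hunk.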
@@ -1300,14 +1482,14 @@ struct frentry *fp;
type /= 256;
if (type < (sizeof(icmptypes) / sizeof(char *)) &&
icmptypes[type])
- (void)printf(" icmp-type %s", icmptypes[type]);
+ printf(" icmp-type %s", icmptypes[type]);
else
- (void)printf(" icmp-type %d", type);
+ printf(" icmp-type %d", type);
if (code)
- (void)printf(" code %d", code);
+ printf(" code %d", code);
}
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
- (void)printf(" flags ");
+ printf(" flags ");
for (s = flagset, t = flags; *s; s++, t++)
if (fp->fr_tcpf & *t)
(void)putchar(*s);
@@ -1338,12 +1520,27 @@ struct frentry *fp;
for (s = (u_char *)fp; i; i--, s++) {
j++;
- (void)printf("%02x ",*s);
+ printf("%02x ", *s);
if (j == 16) {
- (void)printf("\n");
+ printf("\n");
j = 0;
}
}
putchar('\n');
(void)fflush(stdout);
}
+
+
+int ratoi(ps, pi, min, max)
+char *ps;
+int *pi, min, max;
+{
+ int i;
+ char *pe;
+
+ i = (int)strtol(ps, &pe, 0);
+ if (*pe != '\0' || i < min || i > max)
+ return 0;
+ *pi = i;
+ return 1;
+}
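Review bot: ratoi() accepts an empty string as the value 0, because strtol() then returns 0 with `pe == ps` and `*pe == '\0'`, and it casts the long to int before the range test, so an overflowed LONG_MAX wraps before `i < min` sees it; the callers in addicmp and icmpcode only guard with isdigit(), which does not cover either case. Checking `pe == ps`, ERANGE and the range on the long value closes both gaps (needs errno.h if not already included). Base 0 also means a rule value such as `010` is parsed as octal 8 and `0x10` as 16; if rule files are meant to be decimal, pass 10 instead of 0 and say so in a comment above the call.
```c
int ratoi(ps, pi, min, max)
char *ps;
int *pi, min, max;
{
	long l;
	char *pe;

	errno = 0;
	l = strtol(ps, &pe, 0);
	/* reject empty input, trailing garbage, overflow and out-of-range values */
	if (pe == ps || *pe != '\0' || errno == ERANGE || l < min || l > max)
		return 0;
	*pi = (int)l;
	return 1;
}
```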
diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h
index b76a2f0..8025bc6 100644
--- a/contrib/ipfilter/pcap.h
+++ b/contrib/ipfilter/pcap.h
@@ -1,10 +1,10 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: pcap.h,v 2.0.2.4 1997/09/28 07:12:10 darrenr Exp $
+ * $Id: pcap.h,v 2.1 1999/08/04 17:30:17 darrenr Exp $
*/
/*
* This header file is constructed to match the version described by
diff --git a/contrib/ipfilter/perl/Ipfanaly.pl b/contrib/ipfilter/perl/Ipfanaly.pl
new file mode 100644
index 0000000..0fa7c17
--- /dev/null
+++ b/contrib/ipfilter/perl/Ipfanaly.pl
@@ -0,0 +1,639 @@
+#!/usr/local/bin/perl
+# (C) Copyright 1998 Ivan S. Bishop (isb@notoryus.genmagic.com)
+#
+############### START SUBROUTINE DECLARATIONS ###########
+
+
+sub usage {
+ print "\n" x 24;
+ print "USAGE: ipfanalyze.pl -h [-p port# or all] [-g] [-s] [-v] [-o] portnum -t [target ip address] [-f] logfilename\n";
+ print "\n arguments to -p -f -o REQUIRED\n";
+ print "\n -h show this help\n";
+ print "\n -p limit stats/study to this port number.(eg 25 not smtp)\n";
+ print " -g make graphs, one per 4 hour interval called outN.gif 1<=N<=5\n";
+ print " -s make security report only (no graphical or full port info generated) \n";
+ print " -o lowest port number incoming traffic can talk to and be regarded as safe\n";
+ print " -v verbose report with graphs and textual AND SECURITY REPORTS with -o 1024 set\n";
+ print " -t the ip address of the inerface on which you collected data!\n";
+ print " -f name ipfilter log file (compatible with V 3.2.9) [ipfilter.log]\n";
+ print " \nExample: ./ipfanalyze.pl -p all -g -f log1\n";
+ print "Will look at traffic to/from all ports and make graphs from file log1\n";
+ print " \nExample2 ./ipfanalyze.pl -p 25 -g -f log2\n";
+ print "Will look at SMTP traffic and make graphs from file log2\n";
+ print " \nExample3 ./ipfanalyze.pl -p all -g -f log3 -o 1024\n";
+ print "Will look at all traffic,make graphs from file log3 and log security info for anthing talking inwards below port 1024\n";
+ print " \nExample4 ./ipfanalyze.pl -p all -f log3 -v \n";
+ print "Report the works.....when ports below 1024 are contacted highlight (like -s -o 1024)\n";
+}
+
+
+
+
+sub makegifs {
+local ($maxin,$maxout,$lookat,$xmax)=@_;
+$YMAX=$maxin;
+$XMAX=$xmax;
+
+if ($maxout > $maxin)
+ { $YMAX=$maxout;}
+
+($dateis,$junk)=split " " , @recs[0];
+($dayis,$monthis,$yearis)=split "/",$dateis;
+$month=$months{$monthis};
+$dateis="$dayis " . "$month " . "$yearis ";
+# split graphs in to 6 four hour spans for 24 hours
+$numgraphs=int($XMAX/240);
+
+$junk=0;
+$junk=$XMAX - 240*($numgraphs);
+if($junk gt 0 )
+{
+$numgraphs++;
+}
+
+$cnt1=0;
+$end=0;
+$loop=0;
+
+while ($cnt1++ < $numgraphs)
+{
+ $filename1="in$cnt1.dat";
+ $filename2="out$cnt1.dat";
+ $filename3="graph$cnt1.conf";
+ open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n";
+ open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n";
+
+ $loop=$end;
+ $end=($end + 240);
+
+# write all files as x time coord from 1 to 240 minutes
+# set hour in graph via conf file
+ $arraycnt=0;
+ while ($loop++ < $end )
+ {
+ $arraycnt++;
+ $val1="";
+ $val2="";
+ $val1=$inwards[$loop] [1];
+ if($val1 eq "")
+ {$val1=0};
+ $val2=$outwards[$loop] [1];
+ if($val2 eq "")
+ {$val2=0};
+ print INDATA "$arraycnt:$val1\n";
+ print OUTDATA "$arraycnt:$val2\n";
+ }
+ close INDATA;
+ close OUTDATA;
+ $gnum=($cnt1 - 1);
+ open(INCONFIG,"> $filename3") || die "Couldnt open ./graph.conf for writing \n";
+ print INCONFIG "NUMBERYCELLGRIDSIZE:5\n";
+ print INCONFIG "MAXYVALUE:$YMAX\n";
+ print INCONFIG "MINYVALUE:0\n";
+ print INCONFIG "XCELLGRIDSIZE:1.3\n";
+ print INCONFIG "XMAX: 240\n";
+ print INCONFIG "Bar:0\n";
+ print INCONFIG "Average:0\n";
+ print INCONFIG "Graphnum:$gnum\n";
+ print INCONFIG "Title: port $lookat packets/minute to/from gatekeep on $dateis \n";
+ print INCONFIG "Transparent:no\n";
+ print INCONFIG "Rbgcolour:0\n";
+ print INCONFIG "Gbgcolour:255\n";
+ print INCONFIG "Bbgcolour:255\n";
+ print INCONFIG "Rfgcolour:0\n";
+ print INCONFIG "Gfgcolour:0\n";
+ print INCONFIG "Bfgcolour:0\n";
+ print INCONFIG "Rcolour:0\n";
+ print INCONFIG "Gcolour:0\n";
+ print INCONFIG "Bcolour:255\n";
+ print INCONFIG "Racolour:255\n";
+ print INCONFIG "Gacolour:255\n";
+ print INCONFIG "Bacolour:0\n";
+ print INCONFIG "Rincolour:100\n";
+ print INCONFIG "Gincolour:100\n";
+ print INCONFIG "Bincolour:60\n";
+ print INCONFIG "Routcolour:60\n";
+ print INCONFIG "Goutcolour:100\n";
+ print INCONFIG "Boutcolour:100\n";
+ close INCONFIG;
+
+}
+
+
+$cnt1=0;
+while ($cnt1++ < $numgraphs)
+{
+ $filename1="in$cnt1.dat";
+ $out="out$cnt1.gif";
+ $filename2="out$cnt1.dat";
+ $filename3="graph$cnt1.conf";
+ system( "cp ./$filename1 ./in.dat;
+ cp ./$filename2 ./out.dat;
+ cp ./$filename3 ./graph.conf");
+ system( "./isbgraph -conf graph.conf;mv graphmaker.gif $out");
+ system(" cp $out /isb/local/etc/httpd/htdocs/.");
+
+}
+
+} # end of subroutine make gifs
+
+
+
+
+sub packbytime {
+local ($xmax)=@_;
+$XMAX=$xmax;
+# pass in the dest port number or get graph for all packets
+# at 1 minute intervals
+# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
+# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
+#
+# dont uses hashes to store how many packets per minite as they
+# return random x coordinate order
+@inwards=();
+@outwards=();
+$cnt=-1;
+$value5=0;
+$maxin=0;
+$maxout=0;
+$xpos=0;
+while ($cnt++ <= $#recs )
+ {
+ ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$cnt];
+ $bit=substr(@recs[$cnt],11);
+ ($bit,$junkit)= split " " , $bit ;
+ ($hour,$minute,$sec,$junk) = split ":", $bit;
+#
+# covert the time to decimal minutes and bucket to nearest minute
+#
+ $xpos=($hour * 3600) + ($minute * 60) + ($sec) ;
+# xpos is number of seconds since 00:00:00 on day......
+ $xpos=int($xpos / 60);
+# if we just want to see all packet in/out activity
+ if("$lookat" eq "all")
+ {
+ if("$destip" eq "$gatekeep")
+ {
+# TO GATEKEEP port lookat
+# print "to gatekeep at $xpos\n";
+ $value5=$inwards[$xpos] [1];
+ $value5++ ;
+# $maxin = $value5 if $maxin < $value5 ;
+
+ if($value5 > $maxin)
+ {
+ $maxin=$value5;
+ $timemaxin="$hour:$minute";
+ }
+ $inwards[$xpos][1]=$value5;
+ }
+ else
+ {
+# FROM GATEKEEP to port lookat
+# print "from gatekeep at $xpos\n";
+ $value4=$outwards[$xpos] [1];
+ $value4++ ;
+# $maxout = $value4 if $maxout < $value4 ;
+ if($value4 > $maxout)
+ {
+ $maxout=$value4;
+ $timemaxout="$hour:$minute";
+ }
+
+ $outwards[$xpos][1]=$value4;
+ }
+ }
+
+
+
+
+ if("$destport" eq "$lookat")
+ {
+ if("$destip" eq "$gatekeep")
+ {
+# TO GATEKEEP port lookat
+# print "to gatekeep at $xpos\n";
+ $value5=$inwards[$xpos] [1];
+ $value5++ ;
+ $maxin = $value5 if $maxin < $value5 ;
+ $inwards[$xpos][1]=$value5;
+ }
+ else
+ {
+# FROM GATEKEEP to port lookat
+# print "from gatekeep at $xpos\n";
+ $value4=$outwards[$xpos] [1];
+ $value4++ ;
+ $maxout = $value4 if $maxout < $value4 ;
+ $outwards[$xpos][1]=$value4;
+ }
+ }
+ } # end while
+
+# now call gif making stuff
+if("$opt_g" eq "1")
+{
+ print "Making plots of in files outN.gif\n";;
+ makegifs($maxin,$maxout,$lookat,$#inwards);
+}
+if ("$timemaxin" ne "")
+{print "\nTime of peak packets/minute in was $timemaxin\n";}
+if ("$timemaxout" ne "")
+{print "\nTime of peak packets/minute OUT was $timemaxout\n";}
+
+} # end of subroutine packets by time
+
+
+
+
+
+sub posbadones {
+
+$safenam="";
+@dummy=$saferports;
+foreach $it (split " ",$saferports) {
+if ($it eq "icmp" )
+ {
+ $safenam = $safenam . " icmp";
+ }
+else
+ {
+ $safenam = $safenam . " $services{$it}" ;
+ }
+
+}
+print "\n\n########################################################################\n";
+print "well known ports are 0->1023\n";
+print "Registered ports are 1024->49151\n";
+print "Dynamic/Private ports are 49152->65535\n\n";
+print "Sites that contacted gatekeep on 'less safe' ports (<$ITRUSTABOVE)\n";
+
+print " 'safe' ports are $safenam \n";
+print "\n variables saferports and safehosts hardwire what/who we trust\n";
+print "########################################################################\n";
+
+$loop=-1;
+while ($loop++ <= $#recs )
+ {
+ ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
+ if ("$destip" eq "$gatekeep")
+ {
+ if ($destport < $ITRUSTABOVE )
+ {
+# if index not found (ie < 0) then we have a low port attach to gatekeep
+# that is not to a safer port (see top of this file)
+# ie no ports 25 (smtp), 53 (dns) , 113 (ident), 123 (ntp), icmp
+ $where=index($saferports,$destport);
+ if ($where < 0)
+ {
+ $nameis=$services{$destport};
+ if ("$nameis" eq "" )
+ {
+ $nameis=$destport;
+ }
+ print " Warning: $srcip contacted gatekeep $nameis\n";
+ }
+ }
+ }
+ }
+print "\n\n";
+} # end of subroutine posbadones
+
+
+
+
+sub toobusy_site {
+$percsafe=1;
+print "\n\n########################################################################\n";
+print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking/probing\n";
+print "Trusted hosts are $safehosts\n";
+print "\nTOTAL packets were $#recs \n";
+print "########################################################################\n";
+while(($ipadd,$numpacketsent)=each %numpacks)
+{
+$perc=$numpacketsent/$#recs*100;
+if ($perc > $percsafe)
+# dont believe safehosts are attacking!
+ {
+ $where=index($safehosts,$ipadd);
+# if not found (ie < 0 then the source host IP address
+# isn't in the saferhosts list, a list we trust......
+ if ($where < 0 )
+ {
+ printf "$ipadd sent %4.1f (\045) of all packets to gatekeep\n",$perc;
+ }
+ }
+}
+
+print "\n\n";
+} # end of subroutine toobusy_site
+
+
+############### END SUBROUTINE DECLARATIONS ###########
+
+use Getopt::Std;
+
+getopt('pfot');
+
+if("$opt_t" eq "0")
+ {usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n";
+exit;
+}
+
+if("$opt_h" eq "1")
+ {usage;exit 0};
+if("$opt_H" eq "1")
+ {usage;exit 0};
+
+if("$opt_v" eq "1")
+{
+$ITRUSTABOVE=1024;
+$opt_s=1;
+$opt_o=$ITRUSTABOVE;
+print "\n" x 5;
+print "NOTE: when the final section of the verbose report is generated\n";
+print " every host IP address that contacted $gatekeep has \n";
+print " a tally of how many times packets from a particular port on that host\n";
+print " reached $gatekeep, and WHICH source port or source portname \n";
+print " these packets originated from.\n";
+print " Many non RFC obeying boxes do not use high ports and respond to requests from\n";
+print " $gatekeep using reserved low ports... hence you'll see things like\n";
+print " #### with 207.50.191.60 as the the source for packets ####\n";
+print " 1 connections from topx to gatekeep\n\n\n\n";
+
+}
+
+if("$opt_o" eq "")
+ {usage;print "\n---->ERROR: Must specify lowest safe port name for incoming trafic\n";exit 0}
+else
+{
+$ITRUSTABOVE=$opt_o;$opt_s=1;}
+
+if("$opt_f" eq "")
+ {usage;print "\n---->ERROR: Must specify filename with -f \n";exit 0};
+$FILENAME=$opt_f;
+
+if("$opt_p" eq "")
+ {usage;print "\n---->ERROR: Must specify port number or 'all' with -p \n";exit 0};
+
+# -p arg must be all or AN INTEGER in range 1<=N<=64K
+if ("$opt_p" ne "all")
+ {
+ $_=$opt_p;
+ unless (/^[+-]?\d+$/)
+ {
+ usage;
+ print "\n---->ERROR: Must specify port number (1-64K) or 'all' with -p \n";
+ exit 0;
+ }
+ }
+
+
+# if we get here then the port option is either 'all' or an integer...
+# good enough.....
+$lookat=$opt_p;
+
+# -o arg must be all or AN INTEGER in range 1<=N<=64K
+ $_=$opt_o;
+ unless (/^[+-]?\d+$/)
+ {
+ usage;
+ print "\n---->ERROR: Must specify port number (1-64K) with -o \n";
+ exit 0;
+ }
+
+
+#---------------------------------------------------------------------
+
+
+%danger=();
+%numpacks=();
+
+$saferports="25 53 113 123 icmp";
+$gatekeep="192.216.16.2";
+#genmagic is 192.216.25.254
+$safehosts="$gatekeep 192.216.25.254";
+
+
+
+# load hash with service numbers versus names
+
+# hash called $services
+print "Creating hash of service names / numbers \n";
+$SERV="./services";
+open (INFILE, $SERV) || die "Cant open $SERV: $!n";
+while(<INFILE>)
+{
+ ($servnum,$servname,$junk)=split(/ /,$_);
+# chop off null trailing.....
+ $servname =~ s/\n$//;
+ $services{$servnum}=$servname;
+}
+print "Create hash of month numbers as month names\n";
+%months=("01","January","02","February","03","March","04","April","05","May","06","June","07","July","08","August","09","September","10","October","11","November","12","December");
+
+print "Reading log file into an array\n";
+#$FILENAME="./ipfilter.log";
+open (REC, $FILENAME) || die "Cant open $FILENAME: \n";
+($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC;
+print "Log file $FILENAME is $size bytes in size\n";
+#each record is an element of array rec[] now
+while(<REC>)
+ {
+ @recs[$numrec++]=$_;
+ }
+
+
+# get list of UNIQUE source IP addresses now, records look like
+# 192.216.25.254,62910 -> 192.216.16.2,113 PR tcp len 20 40 -R
+# this is slow on big log files, about 1minute for every 2.5M log file
+print "Making list of unique source IP addresses (1minute for every 2M log parsed)\n";
+$loop=-1;
+$where=-1;
+while ($loop++ < $#recs )
+ {
+# get the LHS = source IP address, need fiddle as icmp rcords are logged oddly
+ $bit=substr(@recs[$loop],39);
+ $bit =~ s/,/ /g;
+ ($sourceip,$junkit)= split " " , $bit ;
+
+# NOTE the . is the string concat command NOT + .......!!!!
+
+ $sourceip =~ split " ", $sourceip;
+ $where=index($allips,$sourceip);
+# if not found (ie < 0, add it)
+ if ($where < 0 )
+ {
+ $allips = $allips . "$sourceip " ;
+ }
+ }
+
+print "Put all unique ip addresses into a 1D array\n";
+@allips=split " ", $allips;
+
+#set loop back to -1 as first array element in recs is element 0 NOT 1 !!
+print "Making compact array of logged entries\n";
+$loop=-1;
+$icmp=" icmp ";
+$ptr=" -> ";
+$lenst=" len ";
+$numpackets=0;
+
+while ($loop++ < $#recs )
+ {
+# this prints from 39 char to EOR
+ $a=substr(@recs[$loop],39);
+ ($srcip,$dummy,$destip,$dummy2,$dummy3,$dummy4,$lenicmp)= split " " , $a ;
+# need to rewrite icmp ping records.... they dont have service numbers
+ $whereicmp=index($a,"PR icmp");
+ if($whereicmp > 0 )
+ {
+ $a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ;
+ }
+
+# dump the "->" and commas from logging
+ $a =~ s/->//g;
+ $a =~ s/PR//g;
+ $a =~ s/,/ /g;
+# shortrec has records that look like
+# 209.24.1.217 123 192.216.16.2 123 udp len 20 76
+ @shortrecs[$loop]= "$a";
+
+# count number packets from each IP address into hash
+ ($srcip,$junk) = split " ","$a";
+ $numpackets=$numpacks{"$srcip"};
+ $numpackets++ ;
+ $numpacks{"$srcip"}=$numpackets;
+
+}
+
+
+
+# call sub to analyse packets by time
+# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
+# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
+packbytime($XMAX);
+
+if("$opt_s" eq "1")
+{
+# call subroutine to scan for connections to ports on gatekeep
+# other than those listed in saferports, connections to high
+# ports are assumed OK.....
+posbadones;
+
+# call subroutine to print out which sites had sent more than
+# a defined % of packets to gatekeep
+toobusy_site;
+}
+
+
+# verbose reporting?
+if ("$opt_v" eq "1")
+{
+$cnt=-1;
+# loop over ALL unique IP source destinations
+while ($cnt++ < $#allips)
+{
+ %tally=();
+ %unknownsrcports=();
+ $uniqip=@allips[$cnt];
+ $loop=-1;
+ $value=0;
+ $value1=0;
+ $value2=0;
+ $value3=0;
+ $set="N";
+
+ while ($loop++ < $#recs )
+ {
+# get src IP num, src port number,
+# destination IP num, destnation port number,protocol
+ ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
+# loop over all records for the machine $uniqip
+# NOTE THE STRINGS ARE COMPARED WITH eq NOT cmp and NOT = !!!!
+ if( "$uniqip" eq "$srcip")
+ {
+# look up hash of service names to get key... IF ITS NOT THERE THEN WHAT???
+# its more than likely a request coming back in on a high port
+# ....So...
+# find out the destination port from the unknown (high) src port
+# and tally these as they may be a port attack
+ if ("$srcport" eq "icmp")
+ { $srcportnam="icmp";}
+ else
+ {
+ $srcportnam=$services{$srcport};
+ }
+# try and get dest portname, if not there, leave it as the
+# dest portnumber
+ if ("$destport" eq "icmp")
+ { $destportnam="icmp";}
+ else
+ {
+ $destportnam=$services{$destport};
+ }
+
+ if ($destportnam eq "")
+ {
+ $destportnam=$destport;
+ }
+
+ if ($srcportnam eq "")
+ {
+# increment number of times a (high)/unknown port has gone to destport
+ $value1=$unknownsrcports{$destportnam};
+ $value1++ ;
+ $unknownsrcports{$destportnam}=$value1;
+ }
+ else
+ {
+# want tally(srcport) counter to be increased by 1
+ $value3=$tally{$srcportnam};
+ $value3++ ;
+ $tally{$srcportnam}=$value3;
+ }
+ }
+
+
+ }
+# end of loop over ALL IP's
+
+if ($set eq "N")
+{
+$set="Y";
+
+print "\n#### with $uniqip as the the source for packets ####\n";
+while(($key,$value)=each %tally)
+ {
+ if (not "$uniqip" eq "$gatekeep")
+ {
+ print "$value connections from $key to gatekeep\n";
+ }
+ else
+ {
+ print "$value connections from gatekeep to $key\n";
+ }
+ }
+
+
+
+while(($key2,$value2)=each %unknownsrcports)
+ {
+ if (not "$uniqip" eq "$gatekeep")
+ {
+ print "$value2 high port connections to $key2 on gatekeep\n";
+ }
+ else
+ {
+ print "$value2 high port connections to $key2 from gatekeep\n";
+ }
+ }
+
+}
+# print if rests for UNIQIP IF flag is set to N then toggle flag
+
+} # end of all IPs loop
+} # end of if verbose option set block
+
+
+
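Review bot: The "safe port" and "trusted host" tests in posbadones and toobusy_site use index() substring matching (`$where=index($saferports,$destport);` and `$where=index($safehosts,$ipadd);`), so a connection to port 2, 5, 11, 12, 13 or 23 is reported as safe because those digits occur inside "25", "53", "113" or "123", and any address that is a prefix of a trusted address is trusted; the same substring test on `$allips` merges 192.216.16.2 and 192.216.16.20 into one source. Exact matching fixes all three, e.g. `if (!grep { $_ eq $destport } split " ", $saferports)` for the port test and a `%seen` hash keyed by `$sourceip` for the unique-address list. The `-t` option is validated with `if("$opt_t" eq "0")`, which never fires when the option is absent, and its value is never used because `$gatekeep="192.216.16.2";` is hard-coded further down; `if ("$opt_t" eq "")` plus `$gatekeep=$opt_t;` makes the documented option effective. The `cp $out /isb/local/etc/httpd/htdocs/.` in makegifs is a site-specific path that should be an option or dropped.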
diff --git a/contrib/ipfilter/perl/Isbgraph b/contrib/ipfilter/perl/Isbgraph
new file mode 100644
index 0000000..c68b672
--- /dev/null
+++ b/contrib/ipfilter/perl/Isbgraph
@@ -0,0 +1,297 @@
+#!/usr/local/bin/perl
+
+# isbgraph
+# an example in not so hot perl programming....
+# based around GraphMaker from Fabrizio Pivari
+# A graph maker perl script
+
+use GD;
+use Getopt::Long;
+$hr=0;
+
+sub main{
+
+$opt_conf="./graphmaker.cnf";
+
+@elem=("NUMBERYCELLGRIDSIZE","MAXYVALUE","MINYVALUE","XCELLGRIDSIZE","XMAX",
+ "Data","Graph","Bar","Average","Graphnum","Title","Transparent","Rbgcolour",
+ "Gbgcolour","Bbgcolour","Rfgcolour","Gfgcolour","Bfgcolour","Rcolour",
+ "Gcolour","Bcolour","Racolour","Gacolour","Bacolour");
+
+%option=(
+ NUMBERYCELLGRIDSIZE => '8',
+ MAXYVALUE => '7748',
+ MINYVALUE => '6500',
+ XCELLGRIDSIZE => '18',
+ XMAX => '1000',
+ Data => './graphmaker.dat',
+ Graph => './graphmaker.gif',
+ Bar => '1',
+ Average => '1',
+ Graphnum => '1',
+ Title => 'GraphMaker 2.1',
+ Transparent => 'yes',
+ Rbgcolour => '255',
+ Gbgcolour => '255',
+ Bbgcolour => '255',
+ Rfgcolour => '0',
+ Gfgcolour => '0',
+ Bfgcolour => '0',
+ Rcolour => '0',
+ Gcolour => '0',
+ Bcolour => '255',
+ Racolour => '255',
+ Gacolour => '255',
+ Bacolour => '0');
+
+&GetOptions("conf=s","help") || &printusage ;
+
+
+if ($opt_help) {&printusage};
+
+open (CNF, $opt_conf) || die;
+while (<CNF>) {
+s/\t/ /g; #replace tabs by space
+next if /^\s*\#/; #ignore comment lines
+next if /^\s*$/; #ignore empty lines
+foreach $elem (@elem)
+ {
+ if (/\s*$elem\s*:\s*(.*)/) { $option{$elem}=$1; }
+ }
+}
+close(CNF);
+#########################################
+#
+#
+#
+# number datapoints/24 hours is 1440 (minutes)
+#
+# Split into N graphs where each graph has max of 240 datapoints (4 hours)
+#
+
+$barset=0;
+$m=0;
+$YGRIDSIZE = 400;
+$YCELLGRIDSIZE = $YGRIDSIZE/$option{'NUMBERYCELLGRIDSIZE'};
+$XINIT = 30;
+$XEND = 8;
+$YINIT =20;
+$YEND = 20;
+#$XGRIDSIZE = ($option{'XMAX'}*$option{'XCELLGRIDSIZE'});
+#$XGRIDSIZE = (240*$option{'XCELLGRIDSIZE'});
+$XGRIDSIZE = 620;
+$XGIF = $XGRIDSIZE + $XINIT + $XEND;
+$XGRAPH = $XGRIDSIZE + $XINIT;
+$YGIF = $YGRIDSIZE + $YEND + $YINIT;
+$YGRAPH = $YGRIDSIZE + $YINIT;
+$RANGE=$option{'MAXYVALUE'}-$option{'MINYVALUE'};
+$SCALE=$YGRIDSIZE/$RANGE;
+
+# NEW IMAGE
+ $im=new GD::Image($XGIF,$YGIF);
+
+$white=$im->colorAllocate(255,255,255);
+$black=$im->colorAllocate(0,0,0);
+$pink=$im->colorAllocate(255,153,153);
+$red=$im->colorAllocate(255,0,0);
+$blue=$im->colorAllocate(0,0,255);
+$green=$im->colorAllocate(0,192,51);
+$orange=$im->colorAllocate(255,102,0);
+$pink=$im->colorAllocate(255,153,153);
+$teal=$im->colorAllocate(51,153,153);
+# gif background is $bg
+ $bg=$white;
+ $fg=$blue;
+# LINE COLOUR HELP BY VAR $colour
+ $colour=$red;
+ $acolour=$yellow;
+ # GRID
+ if ($option{'Transparent'} eq "yes") {$im->transparent($bg)};
+ $im->filledRectangle(0,0,$XGIF,$YGIF,$bg);
+
+# Dot style
+# vertical markers on Y axis grid
+ $im->setStyle($fg,$bg,$bg,$bg);
+ for $i (0..$option{'XMAX'})
+ {
+ $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i;
+ # $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled);
+ $num = $i+1;
+
+ use integer;
+ {
+ $posis=$num - ($num/60)*60;
+ }
+ if ($posis eq 0)
+ {
+ $outhr=0;
+ $hr=($hr + 1) ;
+ $outhr=$hr+$option{'Graphnum'}*4;
+# shift minutes coords to correct stat hour!
+ $im->string(gdMediumBoldFont,$xspace-3,$YGRAPH,"$outhr",$fg);
+ }
+
+ } # end of scan over X values (minutes)
+
+ $YCELLVALUE=($option{'MAXYVALUE'}-$option{'MINYVALUE'})/$option{'NUMBERYCELLGRIDSIZE'};
+ for $i (0..$option{'NUMBERYCELLGRIDSIZE'})
+ {
+ $num=$option{'MINYVALUE'}+$YCELLVALUE*($option{'NUMBERYCELLGRIDSIZE'}-$i);
+ $im->string(gdMediumBoldFont,0,$YINIT+$YCELLGRIDSIZE*$i -6,"$num",$fg);
+ }
+ $im->string(gdSmallFont,$XGRIDSIZE/2-80,0,$option{'Title'},$fg);
+
+ $odd_even = $option{'XCELLGRIDSIZE'}%2;
+ #odd
+ if ($odd_even eq 1) {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
+ else {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
+
+# start reading data
+# open (DATA,$option{'Data'}) || die "cant open $option{'Data'}";
+# nextdata becomes Y on reading of second data set....
+$nextdata="N";
+@datafiles=("./in.dat" , "./out.dat" );
+ foreach ( @datafiles )
+{
+ $m=0;
+ $count=0;
+ $i=0;
+ $fname=$_;
+
+ print "fname $fname\n";
+# change entry for red in colour table to green for packets LEAVING target host
+
+ open (DATA,$_) || die "cant open $_";
+ print "$nextdata nextdata\n";
+ while (<DATA>)
+ {
+ /(.*):(.*)/;
+ if ($option{'Average'} eq 1) {$m+=$2;$i++;}
+ if ($count eq 0){$XOLD=$1;$YOLD=$2;$count=1;next}
+ $X=$1; $Y=$2;
+# +($X-1) are the pixel of the line
+ $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*($X-1) +($X-1);
+ $xspaceold= $XINIT+$option{'XCELLGRIDSIZE'}*($XOLD-1) +($XOLD-1);
+ $yspace= $YGRAPH-($Y-$option{'MINYVALUE'})*$SCALE;
+ $yspaceold= $YGRAPH-($YOLD-$option{'MINYVALUE'})*$SCALE;
+ $barset=$option{'Bar'};
+ if ($barset eq 0)
+ {
+
+ if($nextdata eq "Y")
+ {
+
+ #$im->line($XINIT,$YGRAPH,$X,$Y,$orange);
+ $im->line($xspaceold,$yspaceold,$xspace,$yspace,$green);
+ }
+ else
+ {
+ $im->line($xspaceold,$yspaceold,$xspace,$yspace,$red);
+ }
+ }
+ else
+ {
+ if ($1 eq 2)
+ {
+ $im->filledRectangle($xspaceold,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$colour);
+ $im->rectangle($xspaceold,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$fg);
+ }
+ else
+ {
+ $im->filledRectangle($xspaceold-$middle,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$colour);
+ $im->rectangle($xspaceold-$middle,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$fg);
+ }
+ }
+ $XOLD=$X; $YOLD=$Y;
+
+ } # end of while DATA loop
+
+ $im->line(500,40,530,40,$red);
+ $im->line(500,60,530,60,$green);
+ $im->string(gdSmallFont,535,35,"Packets IN",$fg);
+ $im->string(gdSmallFont,535,55,"Packets OUT",$fg);
+
+ if ($option{'Bar'} ne 0)
+ {
+ if ($X eq $option{'XMAX'})
+ {
+ $im->filledRectangle($xspace-$middle,$yspace,
+ $xspace,$YGRAPH,$colour);
+ $im->rectangle($xspace-$middle,$yspace,
+ $xspace,$YGRAPH,$fg);
+ }
+ else
+ {
+ $im->filledRectangle($xspace-$middle,$yspace,
+ $xspace+$middle,$YGRAPH,$colour);
+ $im->rectangle($xspace-$middle,$yspace,
+ $xspace+$middle,$YGRAPH,$fg);
+ }
+ }
+ close (DATA);
+
+
+ $nextdata="Y";
+# TOP LEFT is 0,0 on GIF (image)
+# origin of plot is xinit,yinit
+ # print "little line\n";
+ $im->line($xspace,$yspace,$xspace,$YGRAPH,$blue);
+ $im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue);
+# (0,0) in cartesian space time=0 minutes, rate 0 packets/s
+ $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$blue);
+ $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$green);
+
+} # close foreach loop on data file names
+
+
+
+
+ if ($option{'Average'} eq 1)
+ {
+ # Line style
+ $im->setStyle($acolour,$acolour,$acolour,$acolour,$bg,$bg,$bg,$bg);
+ $m=$m/$i;
+ $ym=$YGRAPH-($m-$option{'MINYVALUE'})*$SCALE;
+ $im->line($XINIT,$ym,$XGRAPH,$ym,gdStyled)
+ }
+ $im->line($XINIT,$YINIT,$XINIT,$YGRAPH,$fg);
+ $im->line($XINIT,$YINIT,$XGRAPH,$YINIT,$fg);
+ $im->line($XGRAPH,$YINIT,$XGRAPH,$YGRAPH,$fg);
+ $im->line($XINIT,$YGRAPH,$XGRAPH,$YGRAPH,$fg);
+
+ $im->string(gdSmallFont,$XGIF-335,$YGIF - 12,"Time of Day (hours)",$fg);
+ open (GRAPH,">$option{'Graph'}") || die "Error: Grafico.gif - $!\n";
+ print GRAPH $im -> gif;
+ close (GRAPH);
+
+
+
+
+} # end of subroutine main
+
+main;
+exit(0);
+
+sub printusage {
+ print <<USAGEDESC;
+
+usage:
+ graphmaker [-options ...]
+
+where options include:
+ -help print out this message
+ -conf file the configuration file (default graphmaker.cnf)
+
+If you want to know more about this tool, you might want
+to read the docs. They came together with graphmaker!
+
+Home: http://www.geocities.com/CapeCanaveral/Lab/3469/graphmaker.html
+
+USAGEDESC
+ exit(1);
+}
+
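Review bot: `$SCALE=$YGRIDSIZE/$RANGE;` divides by zero when MAXYVALUE equals MINYVALUE, which Ipfanaly.pl produces whenever no packet matched (it writes `MAXYVALUE:$YMAX` with `$YMAX` still 0 and `MINYVALUE:0`), so the graph step dies with a Perl division error instead of drawing an empty plot; guard it with `die "MAXYVALUE must exceed MINYVALUE\n" if $RANGE <= 0;` or clamp `$RANGE` to 1. `$acolour=$yellow;` reads a variable that is never set — no colorAllocate for yellow appears in the file — so the Average line is drawn with an undefined colour index; allocating it next to the other colours (`$yellow=$im->colorAllocate(255,255,0);`) fixes that. The same division problem exists at `$m=$m/$i;` when Average is on and the data file is empty.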
diff --git a/contrib/ipfilter/perl/LICENSE b/contrib/ipfilter/perl/LICENSE
new file mode 100644
index 0000000..4ae42df
--- /dev/null
+++ b/contrib/ipfilter/perl/LICENSE
@@ -0,0 +1,6 @@
+These shell scripts are provided "as is" by Ivan S. Bishop and any
+express or implied warranties, including, but not limited to, the
+implied warranties of merchantability and fitness for a particular
+purpose are disclaimed.
+
+Permission has been granted for their redistribution within this package.
diff --git a/contrib/ipfilter/perl/Services b/contrib/ipfilter/perl/Services
new file mode 100644
index 0000000..4649727
--- /dev/null
+++ b/contrib/ipfilter/perl/Services
@@ -0,0 +1,2146 @@
+1 tcpmux TCPPortServiceMultiplexer
+3 compressnet CompressionProcess
+5 rje RemoteJobEntry
+7 echo
+9 discard
+11 systat
+13 daytime
+15 netstat
+17 qotd QuoteoftheDay
+18 msp MessageSendProtocol
+19 chargen
+20 ftp-data
+21 ftp
+22 ssh SSHRemoteLoginProtocol
+23 telnet
+25 smtp
+27 nsw-fe NSWUserSystemFE
+29 msg-icp MSGICP
+31 msg-auth MSGAuthentication
+33 dsp DisplaySupportProtocol
+37 time Time
+38 rap RouteAccessProtocol
+39 rlp ResourceLocationProtocol
+41 graphics Graphics
+42 nameserver HostNameServer
+43 whois
+44 mpm-flags MPMFLAGSProtocol
+45 mpm MessageProcessingModule[recv]
+46 mpm-snd MPM[defaultsend]
+47 ni-ftp NIFTP
+48 auditd DigitalAuditDaemon
+49 tacacs LoginHostProtocol(TACACS)
+50 re-mail-ck RemoteMailCheckingProtocol
+51 la-maint IMPLogicalAddressMaintenance
+52 xns-time XNSTimeProtocol
+53 domain DomainNameServer
+54 xns-ch XNSClearinghouse
+55 isi-gl ISIGraphicsLanguage
+56 xns-auth XNSAuthentication
+58 xns-mail XNSMail
+61 ni-mail NIMAIL
+62 acas ACAServices
+63 whois++ whois++
+64 covia CommunicationsIntegrator(CI)
+65 tacacs-ds TACACS-DatabaseService
+66 sqlnet OracleSQL*NET
+67 bootps BootstrapProtocolServer
+68 bootpc BootstrapProtocolClient
+69 tftp TrivialFileTransfer
+70 gopher Gopher
+71 netrjs-1 RemoteJobService
+72 netrjs-2 RemoteJobService
+73 netrjs-3 RemoteJobService
+74 netrjs-4 RemoteJobService
+76 deos DistributedExternalObjectStore
+77 rje
+78 vettcp vettcp
+79 finger Finger
+80 www-http WorldWideWebHTTP
+81 hosts2-ns HOSTS2NameServer
+82 xfer XFERUtility
+83 mit-ml-dev MITMLDevice
+84 ctf CommonTraceFacility
+85 mit-ml-dev MITMLDevice
+86 mfcobol MicroFocusCobol
+87 link
+88 kerberos Kerberos
+89 su-mit-tg SU/MITTelnetGateway
+90 dnsix DNSIXSecuritAttributeTokenMap
+91 mit-dov MITDoverSpooler
+92 npp NetworkPrintingProtocol
+93 dcp DeviceControlProtocol
+94 objcall TivoliObjectDispatcher
+95 supdup SUPDUP
+96 dixie DIXIEProtocolSpecification
+97 swift-rvf SwiftRemoteVirturalFileProtocol
+98 tacnews TACNews
+99 metagram MetagramRelay
+100 newacct [unauthorizeduse]
+101 hostname NICHostNameServer
+102 iso-tsap ISO-TSAPClass0
+103 x400
+104 x400-snd
+105 cso CCSOnameserverprotocol
+106 3com-tsmux 3COM-TSMUX
+107 rtelnet RemoteTelnetService
+108 snagas SNAGatewayAccessServer
+109 pop2 PostOfficeProtocol-Version2
+110 pop3 PostOfficeProtocol-Version3
+111 sunrpc SUNRemoteProcedureCall
+112 mcidas McIDASDataTransmissionProtocol
+113 ident
+114 audionews AudioNewsMulticast
+115 sftp SimpleFileTransferProtocol
+116 ansanotify ANSAREXNotify
+117 uucp-path UUCPPathService
+118 sqlserv SQLServices
+119 nntp NetworkNewsTransferProtocol
+120 cfdptkt CFDPTKT
+121 erpc EncoreExpeditedRemotePro.Call
+122 smakynet SMAKYNET
+123 ntp NetworkTimeProtocol
+124 ansatrader ANSAREXTrader
+125 locus-map LocusPC-InterfaceNetMapSer
+126 unitary UnisysUnitaryLogin
+127 locus-con LocusPC-InterfaceConnServer
+128 gss-xlicen GSSXLicenseVerification
+129 pwdgen PasswordGeneratorProtocol
+130 cisco-fna ciscoFNATIVE
+131 cisco-tna ciscoTNATIVE
+132 cisco-sys ciscoSYSMAINT
+133 statsrv StatisticsService
+134 ingres-net INGRES-NETService
+135 epmap DCEendpointresolution
+136 profile PROFILENamingSystem
+137 netbios-ns NETBIOSNameService
+138 netbios-dgm NETBIOSDatagramService
+139 netbios-ssn NETBIOSSessionService
+140 emfis-data EMFISDataService
+141 emfis-cntl EMFISControlService
+142 bl-idm Britton-LeeIDM
+143 imap InternetMessageAccessProtocol
+144 NeWS
+145 uaac UAACProtocol
+146 iso-tp0 ISO-IP0
+147 iso-ip ISO-IP
+148 jargon Jargon
+149 aed-512 AED512EmulationService
+150 sql-net SQL-NET
+151 hems HEMS
+152 bftp BackgroundFileTransferProgram
+153 sgmp SGMP
+154 netsc-prod NETSC
+155 netsc-dev NETSC
+156 sqlsrv SQLService
+157 knet-cmp KNET/VMCommand/MessageProtocol
+158 pcmail-srv PCMailServer
+159 nss-routing NSS-Routing
+160 sgmp-traps SGMP-TRAPS
+161 snmp SNMP
+162 snmptrap SNMPTRAP
+163 cmip-man CMIP/TCPManager
+164 cmip-agent CMIP/TCPAgent
+165 xns-courier Xerox
+166 s-net SiriusSystems
+167 namp NAMP
+168 rsvd RSVD
+169 send SEND
+170 print-srv NetworkPostScript
+171 multiplex NetworkInnovationsMultiplex
+172 cl/1 NetworkInnovationsCL/1
+173 xyplex-mux Xyplex
+174 mailq MAILQ
+175 vmnet VMNET
+176 genrad-mux GENRAD-MUX
+177 xdmcp XDisplayManagerControlProtocol
+178 nextstep NextStepWindowServer
+179 bgp BorderGatewayProtocol
+180 ris Intergraph
+181 unify Unify
+182 audit UnisysAuditSITP
+183 ocbinder OCBinder
+184 ocserver OCServer
+185 remote-kis Remote-KIS
+186 kis KISProtocol
+187 aci ApplicationCommunicationInterface
+188 mumps PlusFive'sMUMPS
+189 qft QueuedFileTransport
+190 gacp GatewayAccessControlProtocol
+191 prospero ProsperoDirectoryService
+192 osu-nms OSUNetworkMonitoringSystem
+193 srmp SpiderRemoteMonitoringProtocol
+194 irc InternetRelayChatProtocol
+195 dn6-nlm-aud DNSIXNetworkLevelModuleAudit
+196 dn6-smm-red DNSIXSessionMgtModuleAuditRedir
+197 dls DirectoryLocationService
+198 dls-mon DirectoryLocationServiceMonitor
+199 smux SMUX
+200 src IBMSystemResourceController
+201 at-rtmp AppleTalkRoutingMaintenance
+202 at-nbp AppleTalkNameBinding
+203 at-3 AppleTalkUnused
+204 at-echo AppleTalkEcho
+205 at-5 AppleTalkUnused
+206 at-zis AppleTalkZoneInformation
+207 at-7 AppleTalkUnused
+208 at-8 AppleTalkUnused
+209 qmtp TheQuickMailTransferProtocol
+210 z39.50 ANSIZ39.50
+211 914c/g TexasInstruments914C/GTerminal
+212 anet ATEXSSTR
+213 ipx IPX
+214 vmpwscs VMPWSCS
+215 softpc InsigniaSolutions
+216 CAIlic ComputerAssociatesInt'lLicenseServer
+217 dbase dBASEUnix
+218 mpp NetixMessagePostingProtocol
+219 uarps UnisysARPs
+220 imap3 InteractiveMailAccessProtocolv3
+221 fln-spx BerkeleyrlogindwithSPXauth
+222 rsh-spx BerkeleyrshdwithSPXauth
+223 cdc CertificateDistributionCenter
+224 Reserved
+225 Reserved
+226 Reserved
+227 Reserved
+228 Reserved
+229 Reserved
+230 Reserved
+231 Reserved
+232 Reserved
+233 Reserved
+234 Reserved
+235 Reserved
+236 Reserved
+237 Reserved
+238 Reserved
+239 Reserved
+240 Reserved
+241 Reserved
+242 direct Direct
+243 sur-meas SurveyMeasurement
+244 dayna Dayna
+245 link LINK
+246 dsp3270 DisplaySystemsProtocol
+247 subntbcst_tftp SUBNTBCST_TFTP
+248 bhfhs bhfhs
+249
+250 Reserved
+251 Reserved
+252 Reserved
+253 Reserved
+254 Reserved
+255 Reserved
+256 rap RAP
+257 set SecureElectronicTransaction
+258 yak-chat YakWinsockPersonalChat
+259 esro-gen EfficientShortRemoteOperations
+260 openport Openport
+261 nsiiops IIOPNameServiceoverTLS/SSL
+262 arcisdms Arcisdms
+263 hdap HDAP
+280 http-mgmt http-mgmt
+281 personal-link PersonalLink
+282 cableport-ax CablePortA/X
+309 entrusttime EntrustTime
+310 bhmds bhmds
+311 asip-webadmin AppleShareIPWebAdmin
+312 vslmp VSLMP
+313 magenta-logic MagentaLogic
+314 opalis-robot OpalisRobot
+315 dpsi DPSI
+316 decauth decAuth
+317 zannet Zannet
+344 pdap ProsperoDataAccessProtocol
+345 pawserv PerfAnalysisWorkbench
+346 zserv Zebraserver
+347 fatserv FatmenServer
+348 csi-sgwp CabletronManagementProtocol
+349 mftp mftp
+350 matip-type-a MATIPTypeA
+351 bhoetty bhoetty(added5/21/97)
+352 dtag-ste-sb DTAG
+353 ndsauth NDSAUTH
+354 bh611 bh611
+355 datex-asn DATEX-ASN
+356 cloanto-net-1 CloantoNet1
+357 bhevent bhevent
+358 shrinkwrap Shrinkwrap
+359 tenebris_nts TenebrisNetworkTraceService
+360 scoi2odialog scoi2odialog
+361 semantix Semantix
+362 srssend SRSSend
+363 rsvp_tunnel RSVPTunnel
+364 aurora-cmgr AuroraCMGR
+365 dtk DTK
+366 odmr ODMR
+367 mortgageware MortgageWare
+368 qbikgdp QbikGDP
+369 rpc2portmap rpc2portmap
+370 codaauth2 codaauth2
+371 clearcase Clearcase
+372 ulistproc ListProcessor
+373 legent-1 LegentCorporation
+374 legent-2 LegentCorporation
+375 hassle Hassle
+376 nip AmigaEnvoyNetworkInquiryProto
+377 tnETOS NECCorporation
+378 dsETOS NECCorporation
+379 is99c TIA/EIA/IS-99modemclient
+380 is99s TIA/EIA/IS-99modemserver
+381 hp-collector hpperformancedatacollector
+382 hp-managed-node hpperformancedatamanagednode
+383 hp-alarm-mgr hpperformancedataalarmmanager
+384 arns ARemoteNetworkServerSystem
+385 ibm-app IBMApplication
+386 asa ASAMessageRouterObjectDef.
+387 aurp AppletalkUpdate-BasedRoutingPro.
+388 unidata-ldm UnidataLDMVersion4
+389 ldap LightweightDirectoryAccessProtocol
+390 uis UIS
+391 synotics-relay SynOpticsSNMPRelayPort
+392 synotics-broker SynOpticsPortBrokerPort
+393 dis DataInterpretationSystem
+394 embl-ndt EMBLNucleicDataTransfer
+395 netcp NETscoutControlProtocol
+396 netware-ip NovellNetwareoverIP
+397 mptn MultiProtocolTrans.Net.
+398 kryptolan Kryptolan
+399 iso-tsap-c2 ISOTransportClass2Non-Controlover
+400 work-sol WorkstationSolutions
+401 ups UninterruptiblePowerSupply
+402 genie GenieProtocol
+403 decap decap
+404 nced nced
+405 ncld ncld
+406 imsp InteractiveMailSupportProtocol
+407 timbuktu Timbuktu
+408 prm-sm ProsperoResourceManagerSys.Man.
+409 prm-nm ProsperoResourceManagerNodeMan.
+410 decladebug DECLadebugRemoteDebugProtocol
+411 rmt RemoteMTProtocol
+412 synoptics-trap TrapConventionPort
+413 smsp SMSP
+414 infoseek InfoSeek
+415 bnet BNet
+416 silverplatter Silverplatter
+417 onmux Onmux
+418 hyper-g Hyper-G
+419 ariel1 Ariel
+420 smpte SMPTE
+421 ariel2 Ariel
+422 ariel3 Ariel
+423 opc-job-start IBMOperationsPlanningandControlStart
+424 opc-job-track IBMOperationsPlanningandControlTrack
+425 icad-el ICAD
+426 smartsdp smartsdp
+427 svrloc ServerLocation
+428 ocs_cmu OCS_CMU
+429 ocs_amu OCS_AMU
+430 utmpsd UTMPSD
+431 utmpcd UTMPCD
+432 iasd IASD
+433 nnsp NNSP
+434 mobileip-agent MobileIP-Agent
+435 mobilip-mn MobilIP-MN
+436 dna-cml DNA-CML
+437 comscm comscm
+438 dsfgw dsfgw
+439 dasp daspThomasObermair
+440 sgcp sgcp
+441 decvms-sysmgt decvms-sysmgt
+442 cvc_hostd cvc_hostd
+443 https httpprotocoloverTLS/SSL
+444 snpp SimpleNetworkPagingProtocol
+445 microsoft-ds Microsoft-DS
+446 ddm-rdb DDM-RDB
+447 ddm-dfm DDM-RFM
+448 ddm-ssl DDM-SSL
+449 as-servermap ASServerMapper
+450 tserver TServer
+451 sfs-smp-net CrayNetworkSemaphoreserver
+452 sfs-config CraySFSconfigserver
+453 creativeserver CreativeServer
+454 contentserver ContentServer
+455 creativepartnr CreativePartnr
+456 macon-udp macon-udp
+457 scohelp scohelp
+458 appleqtc applequicktime
+459 ampr-rcmd ampr-rcmd
+460 skronk skronk
+461 datasurfsrv DataRampSrv
+462 datasurfsrvsec DataRampSrvSec
+463 alpes alpes
+464 kpasswd kpasswd
+465 smtps smtpprotocoloverTLS/SSL(wasssmtp)
+466 digital-vrc digital-vrc
+467 mylex-mapd mylex-mapd
+468 photuris proturis
+469 rcp RadioControlProtocol
+470 scx-proxy scx-proxy
+471 mondex Mondex
+472 ljk-login ljk-login
+473 hybrid-pop hybrid-pop
+474 tn-tl-w1 tn-tl-w1
+475 tcpnethaspsrv tcpnethaspsrv
+476 tn-tl-fd1 tn-tl-fd1
+477 ss7ns ss7ns
+478 spsc spsc
+479 iafserver iafserver
+480 iafdbase iafdbase
+481 ph Phservice
+482 bgs-nsi bgs-nsi
+483 ulpnet ulpnet
+484 integra-sme IntegraSoftwareManagementEnvironment
+485 powerburst AirSoftPowerBurst
+486 avian avian
+487 saft saftSimpleAsynchronousFileTransfer
+488 gss-http gss-http
+489 nest-protocol nest-protocol
+490 micom-pfs micom-pfs
+491 go-login go-login
+492 ticf-1 TransportIndependentConvergenceforFNA
+493 ticf-2 TransportIndependentConvergenceforFNA
+494 pov-ray POV-Ray
+495 intecourier intecourier
+496 pim-rp-disc PIM-RP-DISC
+497 dantz dantz
+498 siam siam
+499 iso-ill ISOILLProtocol
+500 isakmp isakmp
+501 stmf STMF
+502 asa-appl-proto asa-appl-proto
+503 intrinsa Intrinsa
+504 citadel citadel
+505 mailbox-lm mailbox-lm
+506 ohimsrv ohimsrv
+507 crs crs
+508 xvttp xvttp
+509 snare snare
+510 fcp FirstClassProtocol
+511 mynet mynet-as
+512 exec-or-biff
+513 login-or-who
+514 shell-or-syslog
+515 printer spooler
+516 videotex videotex
+517 talk liketenexlink,butacross
+518 ntalk
+519 utime unixtime
+520 route
+521 ripng ripng
+522 ulp ULP
+523 ibm-db2 IBM-DB2
+524 ncp NCP
+525 timed timeserver
+526 tempo newdate
+527 stx StockIXChange
+528 custix CustomerIXChange
+529 irc-serv IRC-SERV
+530 courier rpc
+531 conference chat
+532 netnews readnews
+533 netwall foremergencybroadcasts
+534 mm-admin MegaMediaAdmin
+535 iiop iiop
+536 opalis-rdv opalis-rdv
+537 nmsp NetworkedMediaStreamingProtocol
+538 gdomap gdomap
+539 apertus-ldp ApertusTechnologiesLoadDetermination
+540 uucp uucpd
+541 uucp-rlogin uucp-rlogin
+542 commerce commerce
+543 klogin
+544 kshell krcmd
+545 appleqtcsrvr appleqtcsrvr
+546 dhcpv6-client DHCPv6Client
+547 dhcpv6-server DHCPv6Server
+548 afpovertcp AFPoverTCP
+549 idfp IDFP
+550 new-rwho new-who
+551 cybercash cybercash
+552 deviceshare deviceshare
+553 pirp pirp
+554 rtsp RealTimeStreamControlProtocol
+555 dsf
+556 remotefs rfsserver
+557 openvms-sysipc openvms-sysipc
+558 sdnskmp SDNSKMP
+559 teedtap TEEDTAP
+560 rmonitor rmonitord
+561 monitor
+562 chshell chcmd
+563 nntps nntpprotocoloverTLS/SSL(wassnntp)
+564 9pfs plan9fileservice
+565 whoami whoami
+566 streettalk streettalk
+567 banyan-rpc banyan-rpc
+568 ms-shuttle microsoftshuttle
+569 ms-rome microsoftrome
+570 meter demon
+571 meter udemon
+573 banyan-vip banyan-vip
+574 ftp-agent FTPSoftwareAgentSystem
+575 vemmi VEMMI
+576 ipcd ipcd
+577 vnas vnas
+578 ipdd ipdd
+579 decbsrv decbsrv
+580 sntp-heartbeat SNTPHEARTBEAT
+581 bdp BundleDiscoveryProtocol
+582 scc-security SCCSecurity
+583 philips-vc PhilipsVideo-Conferencing
+584 keyserver KeyServer
+585 imap4-ssl IMAP4+SSL(use993instead)
+586 password-chg PasswordChange
+587 submission Submission
+588 cal CAL
+589 eyelink EyeLink
+590 tns-cml TNSCML
+591 http-alt FileMaker,Inc.-HTTPAlternate(see
+592 eudora-set EudoraSet
+593 http-rpc-epmap HTTPRPCEpMap
+594 tpip TPIP
+595 cab-protocol CABProtocol
+596 smsd SMSD
+597 ptcnameservice PTCNameService
+598 sco-websrvrmg3 SCOWebServerManager3
+599 acp AeolonCoreProtocol
+600 ipcserver SunIPCserver
+606 urm CrayUnifiedResourceManager
+607 nqs nqs
+608 sift-uft Sender-Initiated/UnsolicitedFileTransfer
+609 npmp-trap npmp-trap
+610 npmp-local npmp-local
+611 npmp-gui npmp-gui
+612 hmmp-ind HMMPIndication
+613 hmmp-op HMMPOperation
+614 sshell SSLshell
+615 sco-inetmgr InternetConfigurationManager
+616 sco-sysmgr SCOSystemAdministrationServer
+617 sco-dtmgr SCODesktopAdministrationServer
+618 dei-icda DEI-ICDA
+619 digital-evm DigitalEVM
+620 sco-websrvrmgr SCOWebServerManager
+621 escp-ip ESCP
+622 collaborator Collaborator
+623 aux_bus_shunt AuxBusShunt
+624 cryptoadmin CryptoAdmin
+625 dec_dlm DECDLM
+626 asia ASIA
+627 cks-tivioli CKS&TIVIOLI
+628 qmqp QMQP
+629 3com-amp3 3ComAMP3
+630 rda RDA
+631 ipp IPP(InternetPrintingProtocol)
+632 bmpp bmpp
+633 servstat ServiceStatusupdate(SterlingSoftware)
+634 ginad ginad
+635 rlzdbase RLZDBase
+636 ldaps ldapprotocoloverTLS/SSL(wassldap)
+637 lanserver lanserver
+638 mcns-sec mcns-sec
+639 msdp MSDP
+666 mdqs
+667 disclose campaigncontributiondisclosures-SDRTechnologies
+668 mecomm MeComm
+669 meregister MeRegister
+670 vacdsm-sws VACDSM-SWS
+671 vacdsm-app VACDSM-APP
+672 vpps-qua VPPS-QUA
+673 cimplex CIMPLEX
+674 acap ACAP
+675 dctp DCTP
+676 vpps-via VPPSVia
+704 elcsd errlogcopy/serverdaemon
+705 agentx AgentX
+707 borland-dsj BorlandDSJ
+709 entrust-kmsh EntrustKeyManagementServiceHandler
+710 entrust-ash EntrustAdministrationServiceHandler
+711 cisco-tdp CiscoTDP
+729 netviewdm1 IBMNetViewDM/6000Server/Client
+730 netviewdm2 IBMNetViewDM/6000send
+731 netviewdm3 IBMNetViewDM/6000receive
+741 netgw netGW
+742 netrcs NetworkbasedRev.Cont.Sys.
+744 flexlm FlexibleLicenseManager
+747 fujitsu-dev FujitsuDeviceControl
+748 ris-cm RussellInfoSciCalendarManager
+749 kerberos-adm kerberosadministration
+750 kerberos-iv kerberosversioniv
+751 pump
+752 qrh
+753 rrh
+754 tell send
+758 nlogin
+759 con
+760 ns
+761 rxe
+762 quotad
+763 cycleserv
+764 omserv
+765 webster
+767 phonebook phone
+769 vid
+770 cadlock
+771 rtip
+772 cycleserv2
+773 notify
+774 rpasswd
+775 acmaint_transd
+776 wpages
+780 wpgs
+786 concert Concert
+787 qsc QSC
+800 mdbs_daemon
+801 device
+829 pkix-3-ca-ra PKIX-3CA/RA
+873 rsync rsync
+886 iclcnet-locate ICLcoNETionlocateserver
+887 iclcnet_svinfo ICLcoNETionserverinfo
+888 accessbuilder AccessBuilder
+900 omginitialrefs OMGInitialRefs
+911 xact-backup xact-backup
+989 ftps-data ftpprotocol,data,overTLS/SSL
+990 ftps ftpprotocol,control,overTLS/SSL
+991 nas NetnewsAdministrationSystem
+992 telnets telnetprotocoloverTLS/SSL
+993 imaps imap4protocoloverTLS/SSL
+994 ircs ircprotocoloverTLS/SSL
+995 pop3s pop3protocoloverTLS/SSL(wasspop3)
+996 vsinet vsinet
+997 maitrd
+998 busboy
+999 garcon
+1000 cadlock
+1008 ufsd
+1010 surf surf
+1011 Reserved
+1012 Reserved
+1013 Reserved
+1014 Reserved
+1015 Reserved
+1016 Reserved
+1017 Reserved
+1018 Reserved
+1019 Reserved
+1020 Reserved
+1021 Reserved
+1022 Reserved
+1025 blackjack networkblackjack
+1030 iad1 BBNIAD
+1031 iad2 BBNIAD
+1032 iad3 BBNIAD
+1047 neod1 Sun'sNEOObjectRequestBroker
+1048 neod2 Sun'sNEOObjectRequestBroker
+1058 nim nim
+1059 nimreg nimreg
+1067 instl_boots InstallationBootstrapProto.Serv.
+1068 instl_bootc InstallationBootstrapProto.Cli.
+1080 socks Socks
+1083 ansoft-lm-1 AnasoftLicenseManager
+1084 ansoft-lm-2 AnasoftLicenseManager
+1099 rmiSun
+1103 xaudio
+1110 nfsd-status Clusterstatusinfo
+1111 lmsocialserver LMSocialServer
+1123 murray Murray
+1155 nfa NetworkFileAccess
+1161 health-polling HealthPolling
+1162 health-trap HealthTrap
+1180 mc-client MillicentClientProxy
+1212 lupa lupa
+1222 nerv SNIR&Dnetwork
+1234 search-agent InfoseekSearchAgent
+1239 nmsd NMSD
+1248 hermes
+1300 h323hostcallsc H323HostCallSecure
+1313 bmc_patroldb BMC_PATROLDB
+1314 pdps PhotoscriptDistributedPrintingSystem
+1345 vpjp VPJP
+1346 alta-ana-lm AltaAnalyticsLicenseManager
+1347 bbn-mmc multimediaconferencing
+1348 bbn-mmx multimediaconferencing
+1349 sbook RegistrationNetworkProtocol
+1350 editbench RegistrationNetworkProtocol
+1351 equationbuilder DigitalToolWorks(MIT)
+1352 lotusnote LotusNote
+1353 relief ReliefConsulting
+1354 rightbrain RightBrainSoftware
+1355 intuitive-edge IntuitiveEdge
+1356 cuillamartin CuillaMartinCompany
+1357 pegboard ElectronicPegBoard
+1358 connlcli CONNLCLI
+1359 ftsrv FTSRV
+1360 mimer MIMER
+1361 linx LinX
+1362 timeflies TimeFlies
+1363 ndm-requester NetworkDataMoverRequester
+1364 ndm-server NetworkDataMoverServer
+1365 adapt-sna NetworkSoftwareAssociates
+1366 netware-csp NovellNetWareCommServicePlatform
+1367 dcs DCS
+1368 screencast ScreenCast
+1369 gv-us GlobalViewtoUnixShell
+1370 us-gv UnixShelltoGlobalView
+1371 fc-cli FujitsuConfigProtocol
+1372 fc-ser FujitsuConfigProtocol
+1373 chromagrafx Chromagrafx
+1374 molly EPISoftwareSystems
+1375 bytex Bytex
+1376 ibm-pps IBMPersontoPersonSoftware
+1377 cichlid CichlidLicenseManager
+1378 elan ElanLicenseManager
+1379 dbreporter IntegritySolutions
+1380 telesis-licman TelesisNetworkLicenseManager
+1381 apple-licman AppleNetworkLicenseManager
+1382 udt_os
+1383 gwha GWHannawayNetworkLicenseManager
+1384 os-licman ObjectiveSolutionsLicenseManager
+1385 atex_elmd AtexPublishingLicenseManager
+1386 checksum CheckSumLicenseManager
+1387 cadsi-lm ComputerAidedDesignSoftwareIncLM
+1388 objective-dbc ObjectiveSolutionsDataBaseCache
+1389 iclpv-dm DocumentManager
+1390 iclpv-sc StorageController
+1391 iclpv-sas StorageAccessServer
+1392 iclpv-pm PrintManager
+1393 iclpv-nls NetworkLogServer
+1394 iclpv-nlc NetworkLogClient
+1395 iclpv-wsm PCWorkstationManagersoftware
+1396 dvl-activemail DVLActiveMail
+1397 audio-activmail AudioActiveMail
+1398 video-activmail VideoActiveMail
+1399 cadkey-licman CadkeyLicenseManager
+1400 cadkey-tablet CadkeyTabletDaemon
+1401 goldleaf-licman GoldleafLicenseManager
+1402 prm-sm-np ProsperoResourceManager
+1403 prm-nm-np ProsperoResourceManager
+1404 igi-lm InfiniteGraphicsLicenseManager
+1405 ibm-res IBMRemoteExecutionStarter
+1406 netlabs-lm NetLabsLicenseManager
+1407 dbsa-lm DBSALicenseManager
+1408 sophia-lm SophiaLicenseManager
+1409 here-lm HereLicenseManager
+1410 hiq HiQLicenseManager
+1411 af AudioFile
+1412 innosys InnoSys
+1413 innosys-acl Innosys-ACL
+1414 ibm-mqseries IBMMQSeries
+1415 dbstar DBStar
+1416 novell-lu6.2 NovellLU6.2
+1417 timbuktu-srv1 TimbuktuService1Port
+1418 timbuktu-srv2 TimbuktuService2Port
+1419 timbuktu-srv3 TimbuktuService3Port
+1420 timbuktu-srv4 TimbuktuService4Port
+1421 gandalf-lm GandalfLicenseManager
+1422 autodesk-lm AutodeskLicenseManager
+1423 essbase EssbaseArborSoftware
+1424 hybrid HybridEncryptionProtocol
+1425 zion-lm ZionSoftwareLicenseManager
+1426 sais Satellite-dataAcquisitionSystem1
+1427 mloadd mloaddmonitoringtool
+1428 informatik-lm InformatikLicenseManager
+1429 nms HypercomNMS
+1430 tpdu HypercomTPDU
+1431 rgtp ReverseGossipTransport
+1432 blueberry-lm BlueberrySoftwareLicenseManager
+1433 ms-sql-s Microsoft-SQL-Server
+1434 ms-sql-m Microsoft-SQL-Monitor
+1435 ibm-cics IBMCICS
+1436 saism Satellite-dataAcquisitionSystem2
+1437 tabula Tabula
+1438 eicon-server EiconSecurityAgent/Server
+1439 eicon-x25 EiconX25/SNAGateway
+1440 eicon-slp EiconServiceLocationProtocol
+1441 cadis-1 CadisLicenseManagement
+1442 cadis-2 CadisLicenseManagement
+1443 ies-lm IntegratedEngineeringSoftware
+1444 marcam-lm MarcamLicenseManagement
+1445 proxima-lm ProximaLicenseManager
+1446 ora-lm OpticalResearchAssociatesLicenseManager
+1447 apri-lm AppliedParallelResearchLM
+1448 oc-lm OpenConnectLicenseManager
+1449 peport PEport
+1450 dwf TandemDistributedWorkbenchFacility
+1451 infoman IBMInformationManagement
+1452 gtegsc-lm GTEGovernmentSystemsLicenseMan
+1453 genie-lm GenieLicenseManager
+1454 interhdl_elmd interHDLLicenseManager
+1455 esl-lm ESLLicenseManager
+1456 dca DCA
+1457 valisys-lm ValisysLicenseManager
+1458 nrcabq-lm NicholsResearchCorp.
+1459 proshare1 ProshareNotebookApplication
+1460 proshare2 ProshareNotebookApplication
+1461 ibm_wrless_lan IBMWirelessLAN
+1462 world-lm WorldLicenseManager
+1463 nucleus Nucleus
+1464 msl_lmd MSLLicenseManager
+1465 pipes PipesPlatformmfarlin@peerlogic.com
+1466 oceansoft-lm OceanSoftwareLicenseManager
+1467 csdmbase CSDMBASE
+1468 csdm CSDM
+1469 aal-lm ActiveAnalysisLimitedLicenseManager
+1470 uaiact UniversalAnalytics
+1471 csdmbase csdmbase
+1472 csdm csdm
+1473 openmath OpenMath
+1474 telefinder Telefinder
+1475 taligent-lm TaligentLicenseManager
+1476 clvm-cfg clvm-cfg
+1477 ms-sna-server ms-sna-server
+1478 ms-sna-base ms-sna-base
+1479 dberegister dberegister
+1480 pacerforum PacerForum
+1481 airs AIRS
+1482 miteksys-lm MiteksysLicenseManager
+1483 afs AFSLicenseManager
+1484 confluent ConfluentLicenseManager
+1485 lansource LANSource
+1486 nms_topo_serv nms_topo_serv
+1487 localinfosrvr LocalInfoSrvr
+1488 docstor DocStor
+1489 dmdocbroker dmdocbroker
+1490 insitu-conf insitu-conf
+1491 anynetgateway anynetgateway
+1492 stone-design-1 stone-design-1
+1493 netmap_lm netmap_lm
+1494 ica ica
+1495 cvc cvc
+1496 liberty-lm liberty-lm
+1497 rfx-lm rfx-lm
+1498 sybase-sqlany SybaseSQLAny
+1499 fhc FedericoHeinzConsultora
+1500 vlsi-lm VLSILicenseManager
+1501 saiscm Satellite-dataAcquisitionSystem3
+1502 shivadiscovery Shiva
+1503 imtc-mcs Databeam
+1504 evb-elm EVBSoftwareEngineeringLicenseManager
+1505 funkproxy FunkSoftware,Inc.
+1506 utcd UniversalTimedaemon(utcd)
+1507 symplex symplex
+1508 diagmond diagmond
+1509 robcad-lm Robcad,Ltd.LicenseManager
+1510 mvx-lm MidlandValleyExplorationLtd.Lic.Man.
+1511 3l-l1 3l-l1
+1512 wins Microsoft'sWindowsInternetNameService
+1513 fujitsu-dtc FujitsuSystemsBusinessofAmerica,Inc
+1514 fujitsu-dtcns FujitsuSystemsBusinessofAmerica,Inc
+1515 ifor-protocol ifor-protocol
+1516 vpad VirtualPlacesAudiodata
+1517 vpac VirtualPlacesAudiocontrol
+1518 vpvd VirtualPlacesVideodata
+1519 vpvc VirtualPlacesVideocontrol
+1520 atm-zip-office atmzipoffice
+1521 ncube-lm nCubeLicenseManager
+1522 ricardo-lm RicardoNorthAmericaLicenseManager
+1523 cichild-lm cichild
+1524 ingreslock ingres
+1525 orasrv oracle
+1526 pdap-np ProsperoDataAccessProtnon-priv
+1527 tlisrv oracle
+1528 mciautoreg micautoreg
+1529 coauthor oracle
+1530 rap-service rap-service
+1531 rap-listen rap-listen
+1532 miroconnect miroconnect
+1533 virtual-places VirtualPlacesSoftware
+1534 micromuse-lm micromuse-lm
+1535 ampr-info ampr-info
+1536 ampr-inter ampr-inter
+1537 sdsc-lm isi-lm
+1538 3ds-lm 3ds-lm
+1539 intellistor-lm IntellistorLicenseManager
+1540 rds rds
+1541 rds2 rds2
+1542 gridgen-elmd gridgen-elmd
+1543 simba-cs simba-cs
+1544 aspeclmd aspeclmd
+1545 vistium-share vistium-share
+1546 abbaccuray abbaccuray
+1547 laplink laplink
+1548 axon-lm AxonLicenseManager
+1549 shivahose ShivaHose
+1550 3m-image-lm ImageStoragelicensemanager3MCompany
+1551 hecmtl-db HECMTL-DB
+1552 pciarray pciarray
+1553 sna-cs sna-cs
+1554 caci-lm CACIProductsCompanyLicenseManager
+1555 livelan livelan
+1556 ashwin AshWinCITecnologies
+1557 arbortext-lm ArborTextLicenseManager
+1558 xingmpeg xingmpeg
+1559 web2host web2host
+1560 asci-val asci-val
+1561 facilityview facilityview
+1562 pconnectmgr pconnectmgr
+1563 cadabra-lm CadabraLicenseManager
+1564 pay-per-view Pay-Per-View
+1565 winddlb WinDD
+1566 corelvideo CORELVIDEO
+1567 jlicelmd jlicelmd
+1568 tsspmap tsspmap
+1569 ets ets
+1570 orbixd orbixd
+1571 rdb-dbs-disp OracleRemoteDataBase
+1572 chip-lm ChipcomLicenseManager
+1573 itscomm-ns itscomm-ns
+1574 mvel-lm mvel-lm
+1575 oraclenames oraclenames
+1576 moldflow-lm moldflow-lm
+1577 hypercube-lm hypercube-lm
+1578 jacobus-lm JacobusLicenseManager
+1579 ioc-sea-lm ioc-sea-lm
+1580 tn-tl-r2 tn-tl-r2
+1581 mil-2045-47001 MIL-2045-47001
+1582 msims MSIMS
+1583 simbaexpress simbaexpress
+1584 tn-tl-fd2 tn-tl-fd2
+1585 intv intv
+1586 ibm-abtact ibm-abtact
+1587 pra_elmd pra_elmd
+1588 triquest-lm triquest-lm
+1589 vqp VQP
+1590 gemini-lm gemini-lm
+1591 ncpm-pm ncpm-pm
+1592 commonspace commonspace
+1593 mainsoft-lm mainsoft-lm
+1594 sixtrak sixtrak
+1595 radio radio
+1596 radio-bc radio-bc
+1597 orbplus-iiop orbplus-iiop
+1598 picknfs picknfs
+1599 simbaservices simbaservices
+1600 issd
+1601 aas aas
+1602 inspect inspect
+1603 picodbc pickodbc
+1604 icabrowser icabrowser
+1605 slp SalutationManager(SalutationProtocol)
+1606 slm-api SalutationManager(SLM-API)
+1607 stt stt
+1608 smart-lm SmartCorp.LicenseManager
+1609 isysg-lm isysg-lm
+1610 taurus-wh taurus-wh
+1611 ill InterLibraryLoan
+1612 netbill-trans NetBillTransactionServer
+1613 netbill-keyrep NetBillKeyRepository
+1614 netbill-cred NetBillCredentialServer
+1615 netbill-auth NetBillAuthorizationServer
+1616 netbill-prod NetBillProductServer
+1617 nimrod-agent NimrodInter-AgentCommunication
+1618 skytelnet skytelnet
+1619 xs-openstorage xs-openstorage
+1620 faxportwinport faxportwinport
+1621 softdataphone softdataphone
+1622 ontime ontime
+1623 jaleosnd jaleosnd
+1624 udp-sr-port udp-sr-port
+1625 svs-omagent svs-omagent
+1630 oraclenet8cman OracleNet8Cman
+1636 cncp CableNetControlProtocol
+1637 cnap CableNetAdminProtocol
+1638 cnip CableNetInfoProtocol
+1639 cert-initiator cert-initiator
+1640 cert-responder cert-responder
+1641 invision InVision
+1642 isis-am isis-am
+1643 isis-ambc isis-ambc
+1644 saiseh Satellite-dataAcquisitionSystem4
+1645 datametrics datametrics
+1646 sa-msg-port sa-msg-port
+1647 rsap rsap
+1648 concurrent-lm concurrent-lm
+1649 inspect inspect
+1650 nkd nkd
+1651 shiva_confsrvr shiva_confsrvr
+1652 xnmp xnmp
+1653 alphatech-lm alphatech-lm
+1654 stargatealerts stargatealerts
+1655 dec-mbadmin dec-mbadmin
+1656 dec-mbadmin-h dec-mbadmin-h
+1657 fujitsu-mmpdc fujitsu-mmpdc
+1658 sixnetudr sixnetudr
+1659 sg-lm SiliconGrailLicenseManager
+1660 skip-mc-gikreq skip-mc-gikreq
+1661 netview-aix-1 netview-aix-1
+1662 netview-aix-2 netview-aix-2
+1663 netview-aix-3 netview-aix-3
+1664 netview-aix-4 netview-aix-4
+1665 netview-aix-5 netview-aix-5
+1666 netview-aix-6 netview-aix-6
+1667 netview-aix-7 netview-aix-7
+1668 netview-aix-8 netview-aix-8
+1669 netview-aix-9 netview-aix-9
+1670 netview-aix-10 netview-aix-10
+1671 netview-aix-11 netview-aix-11
+1672 netview-aix-12 netview-aix-12
+1673 proshare-mc-1 IntelProshareMulticast
+1674 proshare-mc-2 IntelProshareMulticast
+1675 pdp PacificDataProducts
+1676 netcomm1 netcomm1
+1677 groupwise groupwise
+1678 prolink prolink
+1679 darcorp-lm darcorp-lm
+1680 microcom-sbp microcom-sbp
+1681 sd-elmd sd-elmd
+1682 lanyon-lantern lanyon-lantern
+1683 ncpm-hip ncpm-hip
+1684 snaresecure SnareSecure
+1685 n2nremote n2nremote
+1686 cvmon cvmon
+1687 nsjtp-ctrl nsjtp-ctrl
+1688 nsjtp-data nsjtp-data
+1689 firefox firefox
+1690 ng-umds ng-umds
+1691 empire-empuma empire-empuma
+1692 sstsys-lm sstsys-lm
+1693 rrirtr rrirtr
+1694 rrimwm rrimwm
+1695 rrilwm rrilwm
+1696 rrifmm rrifmm
+1697 rrisat rrisat
+1698 rsvp-encap-1 RSVP-ENCAPSULATION-1
+1699 rsvp-encap-2 RSVP-ENCAPSULATION-2
+1700 mps-raft mps-raft
+1701 l2f l2f
+1702 deskshare deskshare
+1703 hb-engine hb-engine
+1704 bcs-broker bcs-broker
+1705 slingshot slingshot
+1706 jetform jetform
+1707 vdmplay vdmplay
+1708 gat-lmd gat-lmd
+1709 centra centra
+1710 impera impera
+1711 pptconference pptconference
+1712 registrar resourcemonitoringservice
+1713 conferencetalk ConferenceTalk
+1714 sesi-lm sesi-lm
+1715 houdini-lm houdini-lm
+1716 xmsg xmsg
+1717 fj-hdnet fj-hdnet
+1718 h323gatedisc h323gatedisc
+1719 h323gatestat h323gatestat
+1720 h323hostcall h323hostcall
+1721 caicci caicci
+1722 hks-lm HKSLicenseManager
+1723 pptp pptp
+1724 csbphonemaster csbphonemaster
+1725 iden-ralp iden-ralp
+1726 iberiagames IBERIAGAMES
+1727 winddx winddx
+1728 telindus TELINDUS
+1729 citynl CityNLLicenseManagement
+1730 roketz roketz
+1731 msiccp MSICCP
+1732 proxim proxim
+1733 siipat SIMS-SIIPATProtocolforAlarm
+1734 cambertx-lm CamberCorporationLicenseManagement
+1735 privatechat PrivateChat
+1736 street-stream street-stream
+1737 ultimad ultimad
+1738 gamegen1 GameGen1
+1739 webaccess webaccess
+1740 encore encore
+1741 cisco-net-mgmt cisco-net-mgmt
+1742 3Com-nsd 3Com-nsd
+1743 cinegrfx-lm CinemaGraphicsLicenseManager
+1744 ncpm-ft ncpm-ft
+1745 remote-winsock remote-winsock
+1746 ftrapid-1 ftrapid-1
+1747 ftrapid-2 ftrapid-2
+1748 oracle-em1 oracle-em1
+1749 aspen-services aspen-services
+1750 sslp SimpleSocketLibrary'sPortMaster
+1751 swiftnet SwiftNet
+1752 lofr-lm LeapofFaithResearchLicenseManager
+1753 translogic-lm TranslogicLicenseManager
+1754 oracle-em2 oracle-em2
+1755 ms-streaming ms-streaming
+1756 capfast-lmd capfast-lmd
+1757 cnhrp cnhrp
+1758 tftp-mcast tftp-mcast
+1759 spss-lm SPSSLicenseManager
+1760 www-ldap-gw www-ldap-gw
+1761 cft-0 cft-0
+1762 cft-1 cft-1
+1763 cft-2 cft-2
+1764 cft-3 cft-3
+1765 cft-4 cft-4
+1766 cft-5 cft-5
+1767 cft-6 cft-6
+1768 cft-7 cft-7
+1769 bmc-net-adm bmc-net-adm
+1770 bmc-net-svc bmc-net-svc
+1771 vaultbase vaultbase
+1772 essweb-gw EssWebGateway
+1773 kmscontrol KMSControl
+1774 global-dtserv global-dtserv
+1775 Unknown
+1776 femis FederalEmergencyManagementInformationSystem
+1777 powerguardian powerguardian
+1778 prodigy-intrnet prodigy-internet
+1779 pharmasoft pharmasoft
+1780 dpkeyserv dpkeyserv
+1781 answersoft-lm answersoft-lm
+1782 hp-hcip hp-hcip
+1783 fjris FujitsuRemoteInstallService
+1784 finle-lm FinleLicenseManager
+1785 windlm WindRiverSystemsLicenseManager
+1786 funk-logger funk-logger
+1787 funk-license funk-license
+1788 psmond psmond
+1789 hello hello
+1790 nmsp NarrativeMediaStreamingProtocol
+1791 ea1 EA1
+1792 ibm-dt-2 ibm-dt-2
+1793 rsc-robot rsc-robot
+1794 cera-bcm cera-bcm
+1795 dpi-proxy dpi-proxy
+1796 vocaltec-admin VocaltecServerAdministration
+1797 uma UMA
+1798 etp EventTransferProtocol
+1799 netrisk NETRISK
+1800 ansys-lm ANSYS-Licensemanager
+1801 msmq MicrosoftMessageQue
+1802 concomp1 ConComp1
+1803 hp-hcip-gwy HP-HCIP-GWY
+1804 enl ENL
+1805 enl-name ENL-Name
+1806 musiconline Musiconline
+1807 fhsp FujitsuHotStandbyProtocol
+1808 oracle-vp2 Oracle-VP2
+1809 oracle-vp1 Oracle-VP1
+1810 jerand-lm JerandLicenseManager
+1811 scientia-sdb Scientia-SDB
+1812 radius RADIUS
+1813 radius-acct RADIUSAccounting
+1814 tdp-suite TDPSuite
+1815 mmpft MMPFT
+1816 harp HARP
+1818 etftp EnhancedTrivialFileTransferProtocol
+1819 plato-lm PlatoLicenseManager
+1820 mcagent mcagent
+1821 donnyworld donnyworld
+1822 es-elmd es-elmd
+1823 unisys-lm UnisysNaturalLanguageLicenseManager
+1824 metrics-pas metrics-pas
+1850 gsi GSI
+1860 sunscalar-svc SunSCALARServices
+1861 lecroy-vicp LeCroyVICP
+1862 techra-server techra-server
+1863 msnp MSNP
+1864 paradym-31port Paradym31Port
+1865 entp ENTP
+1870 sunscalar-dns SunSCALARDNSService
+1881 ibm-mqseries2 IBMMQSeries
+1901 fjicl-tep-a FujitsuICLTerminalEmulatorProgramA
+1902 fjicl-tep-b FujitsuICLTerminalEmulatorProgramB
+1903 linkname LocalLinkNameResolution
+1904 fjicl-tep-c FujitsuICLTerminalEmulatorProgramC
+1905 sugp SecureUP.LinkGatewayProtocol
+1906 tpmd TPortMapperReq
+1907 intrastar IntraSTAR
+1908 dawn Dawn
+1909 global-wlink GlobalWorldLink
+1911 mtp StarlightNetworksMultimediaTransportProtocol
+1913 armadp armadp
+1914 elm-momentum Elm-Momentum
+1915 facelink FACELINK
+1916 persona PersoftPersona
+1917 noagent nOAgent
+1918 can-nds CandleDirectoryService-NDS
+1919 can-dch CandleDirectoryService-DCH
+1920 can-ferret CandleDirectoryService-FERRET
+1921 noadmin NoAdmin
+1944 close-combat close-combat
+1945 dialogic-elmd dialogic-elmd
+1946 tekpls tekpls
+1947 hlserver hlserver
+1948 eye2eye eye2eye
+1949 ismaeasdaqlive ISMAEasdaqLive
+1950 ismaeasdaqtest ISMAEasdaqTest
+1951 bcs-lmserver bcs-lmserver
+1973 dlsrap DataLinkSwitchingRemoteAccessProtocol
+1985 hsrp HotStandbyRouterProtocol
+1986 licensedaemon ciscolicensemanagement
+1987 tr-rsrb-p1 ciscoRSRBPriority1port
+1988 tr-rsrb-p2 ciscoRSRBPriority2port
+1989 tr-rsrb-p3 ciscoRSRBPriority3port
+1990 stun-p1 ciscoSTUNPriority1port
+1991 stun-p2 ciscoSTUNPriority2port
+1992 stun-p3 ciscoSTUNPriority3port
+1993 snmp-tcp-port ciscoSNMPTCPport
+1994 stun-port ciscoserialtunnelport
+1995 perf-port ciscoperfport
+1996 tr-rsrb-port ciscoRemoteSRBport
+1997 gdp-port ciscoGatewayDiscoveryProtocol
+1998 x25-svc-port ciscoX.25service(XOT)
+1999 tcp-id-port ciscoidentificationport
+2000 callbook
+2001 dc
+2002 globe
+2004 mailbox
+2005 berknet
+2006 invokator
+2007 dectalk
+2008 conf
+2009 news
+2010 search
+2011 raid-cc raid
+2012 ttyinfo
+2013 raid-am
+2014 troff
+2015 cypress
+2016 bootserver
+2017 cypress-stat
+2018 terminaldb
+2019 whosockami
+2020 xinupageserver
+2021 servexec
+2022 down
+2023 xinuexpansion3
+2024 xinuexpansion4
+2025 ellpack
+2026 scrabble
+2027 shadowserver
+2028 submitserver
+2030 device2
+2032 blackboard
+2033 glogger
+2034 scoremgr
+2035 imsldoc
+2038 objectmanager
+2040 lam
+2041 interbase
+2042 isis isis
+2043 isis-bcast isis-bcast
+2044 rimsl
+2045 cdfunc
+2046 sdfunc
+2047 dls
+2048 dls-monitor
+2049 nfsd-or-shilp
+2065 dlsrpn DataLinkSwitchReadPortNumber
+2067 dlswpn DataLinkSwitchWritePortNumber
+2090 lrp LoadReportProtocol
+2091 prp PRP
+2102 zephyr-srv Zephyrserver
+2103 zephyr-clt Zephyrserv-hmconnection
+2104 zephyr-hm Zephyrhostmanager
+2105 minipay MiniPay
+2180 mc-gt-srv MillicentVendorGatewayServer
+2200 ici ICI
+2201 ats AdvancedTrainingSystemProgram
+2202 imtc-map Int.MultimediaTeleconferencingCosortium
+2213 kali Kali
+2220 ganymede Ganymede
+2221 unreg-ab1 Allen-Bradleyunregisteredport
+2222 unreg-ab2 Allen-Bradleyunregisteredport
+2223 inreg-ab3 Allen-Bradleyunregisteredport
+2232 ivs-video IVSVideodefault
+2233 infocrypt INFOCRYPT
+2234 directplay DirectPlay
+2235 sercomm-wlink Sercomm-WLink
+2236 nani Nani
+2237 optech-port1-lm OptechPort1LicenseManager
+2238 aviva-sna AVIVASNASERVER
+2239 imagequery ImageQuery
+2240 recipe RECIPe
+2241 ivsd IVSDaemon
+2242 foliocorp FolioRemoteServer
+2279 xmquery xmquery
+2280 lnvpoller LNVPOLLER
+2281 lnvconsole LNVCONSOLE
+2282 lnvalarm LNVALARM
+2283 lnvstatus LNVSTATUS
+2284 lnvmaps LNVMAPS
+2285 lnvmailmon LNVMAILMON
+2286 nas-metering NAS-Metering
+2287 dna DNA
+2288 netml NETML
+2295 advant-lm AdvantLicenseManager
+2296 theta-lm ThetaLicenseManager(Rainbow)
+2297 d2k-datamover1 D2KDataMover1
+2298 d2k-datamover2 D2KDataMover2
+2299 pc-telecommute PCTelecommute
+2300 cvmmon CVMMON
+2301 cpq-wbem CompaqHTTP
+2302 binderysupport BinderySupport
+2303 proxy-gateway ProxyGateway
+2304 attachmate-uts AttachmateUTS
+2305 mt-scaleserver MTScaleServer
+2306 tappi-boxnet TAPPIBoxNet
+2307 pehelp pehelp
+2308 sdhelp sdhelp
+2309 sdserver SDServer
+2310 sdclient SDClient
+2311 messageservice MessageService
+2313 iapp IAPP(InterAccessPointProtocol)
+2314 cr-websystems CRWebSystems
+2315 precise-sft PreciseSft.
+2316 sent-lm SENTLicenseManager
+2317 attachmate-g32 AttachmateG32
+2318 cadencecontrol CadenceControl
+2319 infolibria InfoLibria
+2320 siebel-ns SiebelNS
+2321 rdlap RDLAPoverUDP
+2322 ofsd ofsd
+2323 3d-nfsd 3d-nfsd
+2324 cosmocall Cosmocall
+2325 designspace-lm DesignSpaceLicenseManagement
+2326 idcp IDCP
+2327 xingcsm xingcsm
+2328 netrix-sftm NetrixSFTM
+2329 nvd NVD
+2330 tscchat TSCCHAT
+2331 agentview AGENTVIEW
+2332 rcc-host RCCHost
+2333 snapp SNAPP
+2334 ace-client ACEClientAuth
+2335 ace-proxy ACEProxy
+2336 appleugcontrol AppleUGControl
+2337 ideesrv ideesrv
+2338 norton-lambert NortonLambert
+2339 3com-webview 3ComWebView
+2340 wrs_registry WRSRegistry
+2341 xiostatus XIOStatus
+2342 manage-exec SeagateManageExec
+2343 nati-logos natilogos
+2344 fcmsys fcmsys
+2345 dbm dbm
+2346 redstorm_join GameConnectionPort
+2347 redstorm_find GameAnnouncementandLocation
+2348 redstorm_info Informationtoqueryforgamestatus
+2349 redstorm_diag DisgnosticsPort
+2350 psbserver psbserver
+2351 psrserver psrserver
+2352 pslserver pslserver
+2353 pspserver pspserver
+2354 psprserver psprserver
+2355 psdbserver psdbserver
+2356 gxtelmd GXTLicenseManagemant
+2357 unihub-server UniHubServer
+2358 futrix Futrix
+2359 flukeserver FlukeServer
+2389 ovsessionmgr OpenViewSessionMgr
+2390 rsmtp RSMTP
+2391 3com-net-mgmt 3COMNetManagement
+2392 tacticalauth TacticalAuth
+2393 ms-olap1 MSOLAP1
+2394 ms-olap2 MSOLAP2
+2395 lan900_remote LAN900Remote
+2396 wusage Wusage
+2397 ncl NCL
+2398 orbiter Orbiter
+2399 fmpro-fdal FileMaker,Inc.-DataAccessLayer
+2400 opequus-server OpEquusServer
+2401 cvspserver cvspserver
+2402 taskmaster2000 TaskMaster2000Server
+2403 taskmaster2000 TaskMaster2000Web
+2404 iec870-5-104 IEC870-5-104
+2405 trc-netpoll TRCNetpoll
+2406 jediserver JediServer
+2407 orion Orion
+2408 optimanet OptimaNet
+2409 sns-protocol SNSProtocol
+2410 vrts-registry VRTSRegistry
+2411 netwave-ap-mgmt NetwaveAPManagement
+2412 cdn CDN
+2413 orion-rmi-reg orion-rmi-reg
+2414 interlingua Interlingua
+2415 comtest COMTEST
+2416 rmtserver RMTServer
+2417 composit-server CompositServer
+2418 cas cas
+2419 attachmate-s2s AttachmateS2S
+2420 dslremote-mgmt DSLRemoteManagement
+2421 g-talk G-Talk
+2422 crmsbits CRMSBITS
+2423 rnrp RNRP
+2424 kofax-svr KOFAX-SVR
+2425 fjitsuappmgr FujitsuAppManager
+2426 appliantudp AppliantUDP
+2427 stgcp SimpletelephonyGatewayControlProtocol
+2428 ott OneWayTripTime
+2429 ft-role FT-ROLE
+2430 venus venus
+2431 venus-se venus-se
+2432 codasrv codasrv
+2433 codasrv-se codasrv-se
+2434 pxc-epmap pxc-epmap
+2435 optilogic OptiLogic
+2436 topx TOP/X
+2437 unicontrol UniControl
+2438 msp MSP
+2439 sybasedbsynch SybaseDBSynch
+2440 spearway SpearwayLockser
+2441 pvsw-inet pvsw-inet
+2442 netangel Netangel
+2500 rtsserv ResourceTrackingsystemserver
+2501 rtsclient ResourceTrackingsystemclient
+2524 optiwave-lm OptiwaveLicenseManagement
+2525 ms-v-worlds MSV-Worlds
+2526 ema-sent-lm EMALicenseManager
+2527 iqserver IQServer
+2528 ncr_ccl NCRCCL
+2529 utsftp UTSFTP
+2530 vrcommerce VRCommerce
+2531 ito-e-gui ITO-EGUI
+2532 ovtopmd OVTOPMD
+2534 combox-web-acc ComboxWebAccess
+2564 hp-3000-telnet HP3000NS/VTblockmodetelnet
+2592 netrek netrek
+2593 mns-mail MNSMailNoticeService
+2628 dict DICT
+2629 sitaraserver SitaraServer
+2630 sitaramgmt SitaraManagement
+2631 sitaradir SitaraDir
+2632 irdg-post IRdgPost
+2633 interintelli InterIntelli
+2634 pk-electronics PKElectronics
+2635 backburner BackBurner
+2636 solve Solve
+2637 imdocsvc ImportDocumentService
+2638 sybaseanywhere SybaseAnywhere
+2639 aminet AMInet
+2640 sai_sentlm SabbaghAssociatesLicenceManager
+2641 hdl-srv HDLServer
+2642 tragic Tragic
+2643 gte-samp GTE-SAMP
+2644 travsoft-ipx-t TravsoftIPXTunnel
+2645 novell-ipx-cmd NovellIPXCMD
+2646 and-lm ANDLicenceManager
+2647 syncserver SyncServer
+2648 upsnotifyprot Upsnotifyprot
+2649 vpsipport VPSIPPORT
+2650 eristwoguns eristwoguns
+2651 ebinsite EBInSite
+2652 interpathpanel InterPathPanel
+2653 sonus Sonus
+2654 corel_vncadmin CorelVNCAdmin
+2655 unglue UNIXNtGlue
+2656 kana Kana
+2657 sns-dispatcher SNSDispatcher
+2658 sns-admin SNSAdmin
+2659 sns-query SNSQuery
+2700 tqdata tqdata
+2766 listen
+2784 www-dev worldwideweb-development
+2785 aic-np aic-np
+2786 aic-oncrpc aic-oncrpc-DestinyMCDdatabase
+2787 piccolo piccolo-CornerstoneSoftware
+2788 fryeserv NetWareLoadableModule-SeagateSoftware
+2908 mao mao
+2909 funk-dialout FunkDialout
+2910 tdaccess TDAccess
+2911 blockade Blockade
+2912 epicon Epicon
+2913 boosterware BoosterWare
+2914 gamelobby GameLobby
+2915 tksocket TKSocket
+2916 elvin_server ElvinServer
+2917 elvin_client ElvinClient
+2918 kastenchasepad KastenChasePad
+2971 netclip NetClip
+2972 pmsm-webrctl PMSMWebrctl
+2973 svnetworks SVNetworks
+2974 signal Signal
+2975 fjmpcm FujitsuConfigurationManagementService
+2998 realsecure RealSecure
+3000 hbci HBCI
+3001 redwood-broker RedwoodBroker
+3002 exlm-agent EXLMAgent
+3003 cgms CGMS
+3004 csoftragent CsoftAgent
+3005 geniuslm GeniusLicenseManager
+3006 ii-admin InstantInternetAdmin
+3007 lotusmtap LotusMailTrackingAgentProtocol
+3008 midnight-tech MidnightTechnologies
+3009 pxc-ntfy PXC-NTFY
+3010 gw TelerateWorkstation
+3011 trusted-web TrustedWeb
+3012 twsdss TrustedWebClient
+3013 gilatskysurfer GilatSkySurfer
+3014 broker_service BrokerService
+3015 nati-dstp NATIDSTP
+3016 notify_srvr NotifyServer
+3017 event_listener EventListener
+3018 srvc_registry ServiceRegistry
+3019 resource_mgr ResourceManager
+3020 cifs CIFS
+3021 agriserver AGRIServer
+3047 hlserver FastSecurityHLServer
+3048 pctrader SierraNetPCTrader
+3049 nsws NSWS
+3080 stm_pproc stm_pproc
+3105 cardbox Cardbox
+3106 cardbox-http CardboxHTTP
+3130 icpv2 ICPv2
+3131 netbookmark NetBookMark
+3141 vmodem VMODEM
+3142 rdc-wh-eos RDCWHEOS
+3143 seaview SeaView
+3144 tarantella Tarantella
+3145 csi-lfap CSI-LFAP
+3147 rfio RFIO
+3180 mc-brk-srv MillicentBrokerServer
+3264 ccmail cc:mail/lotus
+3265 altav-tunnel AltavTunnel
+3266 ns-cfg-server NSCFGServer
+3267 ibm-dial-out IBMDialOut
+3268 msft-gc MicrosoftGlobalCatalog
+3269 msft-gc-ssl MicrosoftGlobalCatalogwithLDAP/SSL
+3270 verismart Verismart
+3271 csoft-prev CSoftPrevPort
+3272 user-manager FujitsuUserManager
+3273 sxmp SimpleExtensibleMultiplexedProtocol
+3274 ordinox-server OrdinoxServer
+3275 samd SAMD
+3276 maxim-asics MaximASICs
+3277 awg-proxy AWGProxy
+3278 lkcmserver LKCMServer
+3279 admind admind
+3280 vs-server VSServer
+3281 sysopt SYSOPT
+3282 datusorb Datusorb
+3283 net-assistant NetAssistant
+3284 4talk 4Talk
+3285 plato Plato
+3286 e-net E-Net
+3287 directvdata DIRECTVDATA
+3288 cops COPS
+3289 enpc ENPC
+3290 caps-lm CAPSLOGISTICSTOOLKIT-LM
+3291 sah-lm SAHolditch&Associates-
+3292 cart-o-rama CartORama
+3293 fg-fps fg-fps
+3294 fg-gip fg-gip
+3295 dyniplookup DynamicIPLookup
+3296 rib-slm RibLicenseManager
+3297 cytel-lm CytelLicenseManager
+3298 transview Transview
+3299 pdrncs pdrncs
+3300 bmcpatrolagent BMCPatrolAgent
+3301 bmcpatrolrnvu BMCPatrolRendezvous
+3302 mcs-fastmail MCSFastmail
+3303 opsession-clnt OPSessionClient
+3304 opsession-srvr OPSessionServer
+3305 odette-ftp ODETTE-FTP
+3306 mysql MySQL
+3307 opsession-prxy OPSessionProxy
+3308 tns-server TNSServer
+3309 tns-adv TNDADV
+3310 dyna-access DynaAccess
+3311 mcns-tel-ret MCNSTelRet
+3312 appman-server ApplicationManagementServer
+3313 uorb UnifyObjectBroker
+3314 uohost UnifyObjectHost
+3315 cdid CDID
+3316 aicc-cmi AICC/CMI
+3317 vsaiport VSAIPORT
+3318 ssrip SwithtoSwithRoutingInformationProtocol
+3319 sdt-lmd SDTLicenseManager
+3320 officelink2000 OfficeLink2000
+3321 vnsstr VNSSTR
+3322 active-net
+3323 active-net
+3324 active-net
+3325 active-net
+3326 sftu SFTU
+3327 bbars BBARS
+3328 egptlm EaglepointLicenseManager
+3329 hp-device-disc HPDeviceDisc
+3330 mcs-calypsoicf MCSCalypsoICF
+3331 mcs-messaging MCSMessaging
+3332 mcs-mailsvr MCSMailServer
+3333 dec-notes DECNotes
+3334 directv-web DirectTVWebcasting
+3335 directv-soft DirectTVSoftwareUpdates
+3336 directv-tick DirectTVTickers
+3337 directv-catlg DirectTVDataCatalog
+3338 anet-b OMFdatab
+3339 anet-l OMFdatal
+3340 anet-m OMFdatam
+3341 anet-h OMFdatah
+3342 webtie WebTIE
+3343 ms-cluster-net MSClusterNet
+3344 bnt-manager BNTManager
+3345 influence Influence
+3346 trnsprntproxy TrnsprntProxy
+3347 phoenix-rpc PhoenixRPC
+3348 pangolin-laser PangolinLaser
+3349 chevinservices ChevinServices
+3350 findviatv FINDVIATV
+3351 btrieve BTRIEVE
+3352 ssql SSQL
+3353 fatpipe FATPIPE
+3354 suitjd SUITJD
+3355 ordinox-dbase OrdinoxDbase
+3356 upnotifyps UPNOTIFYPS
+3357 adtech-test AdtechTestIP
+3358 mpsysrmsvr MpSysRmsvr
+3359 wg-netforce WGNetForce
+3360 kv-server KVServer
+3361 kv-agent KVAgent
+3362 dj-ilm DJILM
+3363 nati-vi-server NATIViServer
+3364 creativeserver CreativeServer
+3365 contentserver ContentServer
+3366 creativepartnr CreativePartner
+3367 satvid-dtalnk
+3368 satvid-dtalnk
+3369 satvid-dtalnk
+3370 satvid-dtalnk
+3371 satvid-dtalnk
+3372 tip2 TIP2
+3373 lavenir-lm LavenirLicenseManager
+3374 cluster-disc ClusterDisc
+3375 vsnm-agent VSNMAgent
+3376 cdbroker CDBroker
+3377 cogsys-lm CogsysNetworkLicenseManager
+3378 wsicopy WSICOPY
+3379 socorfs SOCORFS
+3380 sns-channels SNSChannels
+3381 geneous Geneous
+3382 fujitsu-neat FujitsuNetworkEnhancedAntitheftfunction
+3383 esp-lm EnterpriseSoftwareProductsLicenseManager
+3384 hp-clic HardwareManagement
+3385 qnxnetman qnxnetman
+3386 gprs-sig GPRSSIG
+3387 backroomnet BackRoomNet
+3388 cbserver CBServer
+3389 ms-wbt-server MSWBTServer
+3390 dsc DistributedServiceCoordinator
+3391 savant SAVANT
+3392 efi-lm EFILicenseManagement
+3393 d2k-tapestry1 D2KTapestryClienttoServer
+3394 d2k-tapestry2 D2KTapestryServertoServer
+3395 dyna-lm DynaLicenseManager(Elam)
+3396 printer_agent PrinterAgent
+3397 cloanto-lm CloantoLicenseManager
+3398 mercantile Mercantile
+3421 bmap BullAppriseportmapper
+3454 mira AppleRemoteAccessProtocol
+3455 prsvp RSVPPort
+3456 vat VATdefaultdata
+3457 vat-control VATdefaultcontrol
+3458 d3winosfi DsWinOSFI
+3459 integral Integral
+3460 edm-manager EDMManger
+3461 edm-stager EDMStager
+3462 edm-std-notify EDMSTDNotify
+3463 edm-adm-notify EDMADMNotify
+3464 edm-mgr-sync EDMMGRSync
+3465 edm-mgr-cntrl EDMMGRCntrl
+3466 workflow WORKFLOW
+3563 watcomdebug WatcomDebug
+3900 udt_os UnidataUDTOS
+3984 mapper-nodemgr MAPPERnetworknodemanager
+3985 mapper-mapethd MAPPERTCP/IPserver
+3986 mapper-ws_ethd MAPPERworkstationserver
+3987 centerline Centerline
+4000 terabase Terabase
+4001 newoak NewOak
+4008 netcheque NetChequeaccounting
+4009 chimera-hwm ChimeraHWM
+4010 samsung-unidex SamsungUnidex
+4011 altserviceboot AlternateServiceBoot
+4012 pda-gate PDAGate
+4013 acl-manager ACLManager
+4014 taiclock TAICLOCK
+4045 lockd
+4096 bre BRE(BridgeRelayElement)
+4132 nuts_dem NUTSDaemon
+4133 nuts_bootp NUTSBootpServer
+4134 nifty-hmi NIFTY-ServeHMIprotocol
+4141 oirtgsvc WorkflowServer
+4142 oidocsvc DocumentServer
+4143 oidsr DocumentReplication
+4200 VRML
+4201 VRML
+4202 VRML
+4203 VRML
+4204 VRML
+4205 VRML
+4206 VRML
+4207 VRML
+4208 VRML
+4209 VRML
+4210 VRML
+4211 VRML
+4212 VRML
+4213 VRML
+4214 VRML
+4215 VRML
+4216 VRML
+4217 VRML
+4218 VRML
+4219 VRML
+4220 VRML
+4221 VRML
+4222 VRML
+4223 VRML
+4224 VRML
+4225 VRML
+4226 VRML
+4227 VRML
+4228 VRML
+4229 VRML
+4230 VRML
+4231 VRML
+4232 VRML
+4233 VRML
+4234 VRML
+4235 VRML
+4236 VRML
+4237 VRML
+4238 VRML
+4239 VRML
+4240 VRML
+4241 VRML
+4242 VRML
+4243 VRML
+4244 VRML
+4245 VRML
+4246 VRML
+4247 VRML
+4248 VRML
+4249 VRML
+4250 VRML
+4251 VRML
+4252 VRML
+4253 VRML
+4254 VRML
+4255 VRML
+4256 VRML
+4257 VRML
+4258 VRML
+4259 VRML
+4260 VRML
+4261 VRML
+4262 VRML
+4263 VRML
+4264 VRML
+4265 VRML
+4266 VRML
+4267 VRML
+4268 VRML
+4269 VRML
+4270 VRML
+4271 VRML
+4272 VRML
+4273 VRML
+4274 VRML
+4275 VRML
+4276 VRML
+4277 VRML
+4278 VRML
+4279 VRML
+4280 VRML
+4281 VRML
+4282 VRML
+4283 VRML
+4284 VRML
+4285 VRML
+4286 VRML
+4287 VRML
+4288 VRML
+4289 VRML
+4290 VRML
+4291 VRML
+4292 VRML
+4293 VRML
+4294 VRML
+4295 VRML
+4296 VRML
+4297 VRML
+4298 VRML
+4299 VRML
+4300 corelccam CorelCCam
+4321 rwhois RemoteWhoIs
+4343 unicall UNICALL
+4344 vinainstall VinaInstall
+4345 m4-network-as Macro4NetworkAS
+4346 elanlm ELANLM
+4347 lansurveyor LANSurveyor
+4348 itose ITOSE
+4349 fsportmap FileSystemPortMap
+4350 net-device NetDevice
+4351 plcy-net-svcs PLCYNetServices
+4444 krb524 KRB524
+4445 upnotifyp UPNOTIFYP
+4446 n1-fwp N1-FWP
+4447 n1-rmgmt N1-RMGMT
+4448 asc-slmd ASCLicenceManager
+4449 privatewire PrivateWire
+4450 camp Camp
+4451 ctisystemmsg CTISystemMsg
+4452 ctiprogramload CTIProgramLoad
+4453 nssalertmgr NSSAlertManager
+4454 nssagentmgr NSSAgentManager
+4455 prchat-user PRChatUser
+4456 prchat-server PRChatServer
+4457 prRegister PRRegister
+4500 sae-urn sae-urn
+4501 urn-x-cdchoice urn-x-cdchoice
+4545 highscore Highscore
+4546 sf-lm SFLicenseManager(Sentinel)
+4547 lanner-lm LannerLicenseManager
+4672 rfa remotefileaccessserver
+4800 iims IconaInstantMessengingSystem
+4801 iwec IconaWebEmbeddedChat
+4802 ilss IconaLicenseSystemServer
+4827 htcp HTCP
+4868 phrelay PhotonRelay
+4869 phrelaydbg PhotonRelayDebug
+4885 abbs ABBS
+5000 commplex-main
+5001 commplex-link
+5002 rfe radiofreeethernet
+5003 fmpro-internal FileMaker,Inc.-Proprietarynamebinding
+5004 avt-profile-1 avt-profile-1
+5005 avt-profile-2 avt-profile-2
+5010 telelpathstart TelepathStart
+5011 telelpathattack TelepathAttack
+5020 zenginkyo-1 zenginkyo-1
+5021 zenginkyo-2 zenginkyo-2
+5050 mmcc multimediaconferencecontroltool
+5051 ita-agent ITAAgent
+5052 ita-manager ITAManager
+5060 sip SIP
+5145 rmonitor_secure
+5150 atmp AscendTunnelManagementProtocol
+5190 aol America-Online
+5191 aol-1 AmericaOnline1
+5192 aol-2 AmericaOnline2
+5193 aol-3 AmericaOnline3
+5236 padl2sim
+5272 pk PK
+5300 hacl-hb #HAclusterheartbeat
+5301 hacl-gs #HAclustergeneralservices
+5302 hacl-cfg #HAclusterconfiguration
+5303 hacl-probe #HAclusterprobing
+5304 hacl-local #HAClusterCommands
+5305 hacl-test #HAClusterTest
+5306 sun-mc-grp SunMCGroup
+5307 sco-aip SCOAIP
+5308 cfengine CFengine
+5309 jprinter JPrinter
+5310 outlaws Outlaws
+5311 tmlogin TMLogin
+5400 excerpt ExcerptSearch
+5401 excerpts ExcerptSearchSecure
+5402 mftp MFTP
+5403 hpoms-ci-lstn HPOMS-CI-LSTN
+5404 hpoms-dps-lstn HPOMS-DPS-LSTN
+5405 netsupport NetSupport
+5406 systemics-sox SystemicsSox
+5407 foresyte-clear Foresyte-Clear
+5408 foresyte-sec Foresyte-Sec
+5409 salient-dtasrv SalientDataServer
+5410 salient-usrmgr SalientUserManager
+5411 actnet ActNet
+5412 continuus Continuus
+5413 wwiotalk WWIOTALK
+5414 statusd StatusD
+5415 ns-server NSServer
+5416 sns-gateway SNSGateway
+5417 sns-agent SNSAgent
+5418 mcntp MCNTP
+5419 dj-ice DJ-ICE
+5420 cylink-c Cylink-C
+5500 fcp-addr-srvr1 fcp-addr-srvr1
+5501 fcp-addr-srvr2 fcp-addr-srvr2
+5502 fcp-srvr-inst1 fcp-srvr-inst1
+5503 fcp-srvr-inst2 fcp-srvr-inst2
+5504 fcp-cics-gw1 fcp-cics-gw1
+5555 personal-agent PersonalAgent
+5599 esinstall EnterpriseSecurityRemoteInstall
+5600 esmmanager EnterpriseSecurityManager
+5601 esmagent EnterpriseSecurityAgent
+5602 a1-msc A1-MSC
+5603 a1-bs A1-BS
+5604 a3-sdunode A3-SDUNode
+5605 a4-sdunode A4-SDUNode
+5631 pcanywheredata pcANYWHEREdata
+5632 pcanywherestat pcANYWHEREstat
+5678 rrac RemoteReplicationAgentConnection
+5679 dccm DirectCableConnectManager
+5713 proshareaudio proshareconfaudio
+5714 prosharevideo proshareconfvideo
+5715 prosharedata proshareconfdata
+5716 prosharerequest proshareconfrequest
+5717 prosharenotify proshareconfnotify
+5729 openmail OpenmailUserAgentLayer
+5741 ida-discover1 IDADiscoverPort1
+5742 ida-discover2 IDADiscoverPort2
+5745 fcopy-server fcopy-server
+5746 fcopys-server fcopys-server
+5755 openmailg OpenMailDeskGatewayserver
+5757 x500ms OpenMailX.500DirectoryServer
+5766 openmailns OpenMailNewMailServer
+5767 s-openmail OpenMailSuerAgentLayer(Secure)
+5768 openmailpxy OpenMailCMTSServer
+6000 X11
+6001 X11
+6002 X11
+6003 X11
+6004 X11
+6005 X11
+6006 X11
+6007 X11
+6008 X11
+6009 X11
+6010 X11
+6011 X11
+6012 X11
+6013 X11
+6014 X11
+6015 X11
+6016 X11
+6017 X11
+6018 X11
+6019 X11
+6020 X11
+6021 X11
+6022 X11
+6023 X11
+6024 X11
+6025 X11
+6026 X11
+6027 X11
+6028 X11
+6029 X11
+6030 X11
+6031 X11
+6032 X11
+6033 X11
+6034 X11
+6035 X11
+6036 X11
+6037 X11
+6038 X11
+6039 X11
+6040 X11
+6041 X11
+6042 X11
+6043 X11
+6044 X11
+6045 X11
+6046 X11
+6047 X11
+6048 X11
+6049 X11
+6050 X11
+6051 X11
+6052 X11
+6053 X11
+6054 X11
+6055 X11
+6056 X11
+6057 X11
+6058 X11
+6059 X11
+6060 X11
+6061 X11
+6062 X11
+6063 X11
+6110 softcm HPSoftBenchCM
+6111 spc HPSoftBenchSub-ProcessControl
+6112 dtspcd dtspcd
+6123 backup-express BackupExpress
+6141 meta-corp MetaCorporationLicenseManager
+6142 aspentec-lm AspenTechnologyLicenseManager
+6143 watershed-lm WatershedLicenseManager
+6144 statsci1-lm StatSciLicenseManager-1
+6145 statsci2-lm StatSciLicenseManager-2
+6146 lonewolf-lm LoneWolfSystemsLicenseManager
+6147 montage-lm MontageLicenseManager
+6148 ricardo-lm RicardoNorthAmericaLicenseManager
+6149 tal-pod tal-pod
+6253 crip CRIP
+6389 clariion-evr01 clariion-evr01
+6455 skip-cert-recv SKIPCertificateReceive
+6456 skip-cert-send SKIPCertificateSend
+6471 lvision-lm LVisionLicenseManager
+6500 boks BoKSMaster
+6501 boks_servc BoKSServc
+6502 boks_servm BoKSServm
+6503 boks_clntd BoKSClntd
+6505 badm_priv BoKSAdminPrivatePort
+6506 badm_pub BoKSAdminPublicPort
+6507 bdir_priv BoKSDirServer,PrivatePort
+6508 bdir_pub BoKSDirServer,PublicPort
+6558 xdsxdm
+6665 ircu
+6666 ircu
+6667 ircu
+6668 ircu
+6669 ircu IRCU
+6670 vocaltec-gold VocaltecGlobalOnlineDirectory
+6672 vision_server vision_server
+6673 vision_elmd vision_elmd
+6701 kti-icad-srvr KTI/ICADNameserver
+6790 hnmp HNMP
+6831 ambit-lm ambit-lm
+6969 acmsoda acmsoda
+7000 afs3-fileserver fileserveritself
+7001 afs3-callback callbackstocachemanagers
+7002 afs3-prserver users&groupsdatabase
+7003 afs3-vlserver volumelocationdatabase
+7004 afs3-kaserver AFS/Kerberosauthenticationservice
+7005 afs3-volser volumemanagmentserver
+7006 afs3-errors errorinterpretationservice
+7007 afs3-bos basicoverseerprocess
+7008 afs3-update server-to-serverupdater
+7009 afs3-rmtsys remotecachemanagerservice
+7010 ups-onlinet onlinetuninterruptablepowersupplies
+7020 dpserve DPServe
+7021 dpserveadmin DPServeAdmin
+7070 arcp ARCP
+7099 lazy-ptop lazy-ptop
+7100 font-service XFontService
+7121 virprot-lm VirtualPrototypesLicenseManager
+7174 clutild Clutild
+7200 fodms FODMSFLIP
+7201 dlip DLIP
+7395 winqedit winqedit
+7426 pmdmgr OpenViewDMPostmasterManager
+7427 oveadmgr OpenViewDMEventAgentManager
+7428 ovladmgr OpenViewDMLogAgentManager
+7429 opi-sock OpenViewDMrqtcommunication
+7430 xmpv7 OpenViewDMxmpv7apipipe
+7431 pmd OpenViewDMovc/xmpv3apipipe
+7491 telops-lmd telops-lmd
+7511 pafec-lm pafec-lm
+7544 nta-ds FlowAnalyzerDisplayServer
+7545 nta-us FlowAnalyzerUtilityServer
+7570 aries-kfinder AriesKfinder
+7588 sun-lm SunLicenseManager
+7777 cbt cbt
+7781 accu-lmgr accu-lmgr
+7932 t2-drm Tier2DataResourceManager
+7933 t2-brm Tier2BusinessRulesManager
+7980 quest-vista QuestVista
+7999 irdmi2 iRDMI2
+8000 irdmi iRDMI
+8001 vcom-tunnel VCOMTunnel
+8008 http-alt HTTPAlternate
+8032 pro-ed ProEd
+8033 mindprint MindPrint
+8080 http-alt HTTPAlternate(seeport80)
+8200 trivnet1 TRIVNET
+8201 trivnet2 TRIVNET
+8376 cruise-enum CruiseENUM
+8377 cruise-swroute CruiseSWROUTE
+8378 cruise-config CruiseCONFIG
+8379 cruise-diags CruiseDIAGS
+8380 cruise-update CruiseUPDATE
+8400 cvd cvd
+8401 sabarsd sabarsd
+8402 abarsd abarsd
+8403 admind admind
+8450 npmp npmp
+8473 vp2p VitualPointtoPoint
+8554 rtsp-alt RTSPAlternate(seeport554)
+8765 ultraseek-http UltraseekHTTP
+8880 cddbp-alt CDDBP
+8888 ddi-tcp-1 NewsEDGEserverTCP(TCP1)
+8889 ddi-tcp-2 DesktopDataTCP1
+8890 ddi-tcp-3 DesktopDataTCP2
+8891 ddi-tcp-4 DesktopDataTCP3:NESSapplication
+8892 ddi-tcp-5 DesktopDataTCP4:FARMproduct
+8893 ddi-tcp-6 DesktopDataTCP5:NewsEDGE/Webapplication
+8894 ddi-tcp-7 DesktopDataTCP6:COALapplication
+9000 cslistener CSlistener
+9006 sctp SCTP
+9090 websm WebSM
+9535 man
+9594 msgsys MessageSystem
+9595 pds PingDiscoveryService
+9876 sd SessionDirector
+9888 cyborg-systems CYBORGSystems
+9898 monkeycom MonkeyCom
+9992 palace Palace
+9993 palace Palace
+9994 palace Palace
+9995 palace Palace
+9996 palace Palace
+9997 palace Palace
+9998 distinct32 Distinct32
+9999 distinct distinct
+10000 ndmp NetworkDataManagementProtocol
+10007 mvs-capacity MVSCapacity
+11001 metasys Metasys
+11367 atm-uhas ATMUHAS
+12000 entextxid IBMEnterpriseExtenderSNAXIDExchange
+12001 entextnetwk IBMEnterpriseExtenderSNACOSNetwork
+12002 entexthigh IBMEnterpriseExtenderSNACOSHigh
+12003 entextmed IBMEnterpriseExtenderSNACOSMedium
+12004 entextlow IBMEnterpriseExtenderSNACOSLow
+12753 tsaf tsafport
+13160 i-zipqd I-ZIPQD
+13720 bprd BPRDProtocol(VERITASNetBackup)
+13721 bpbrm BPBRMProtocol(VERITASNetBackup)
+13782 bpcd VERITASNetBackup
+13818 dsmcc-config DSMCCConfig
+13819 dsmcc-session DSMCCSessionMessages
+13820 dsmcc-passthru DSMCCPass-ThruMessages
+13821 dsmcc-download DSMCCDownloadProtocol
+13822 dsmcc-ccp DSMCCChannelChangeProtocol
+14001 itu-sccp-ss7 ITUSCCP(SS7)
+17007 isode-dua
+17219 chipper Chipper
+18000 biimenu BeckmanInstruments,Inc.
+19541 jcp JCPClient
+21845 webphone webphone
+21846 netspeak-is NetSpeakCorp.DirectoryServices
+21847 netspeak-cs NetSpeakCorp.ConnectionServices
+21848 netspeak-acd NetSpeakCorp.AutomaticCallDistribution
+21849 netspeak-cps NetSpeakCorp.CreditProcessingSystem
+22273 wnn6 wnn6
+22555 vocaltec-wconf VocaltecWebConference
+22800 aws-brf TelerateInformationPlatformLAN
+22951 brf-gw TelerateInformationPlatformWAN
+24000 med-ltp med-ltp
+24001 med-fsp-rx med-fsp-rx
+24002 med-fsp-tx med-fsp-tx
+24003 med-supp med-supp
+24004 med-ovw med-ovw
+24005 med-ci med-ci
+24006 med-net-svc med-net-svc
+25000 icl-twobase1 icl-twobase1
+25001 icl-twobase2 icl-twobase2
+25002 icl-twobase3 icl-twobase3
+25003 icl-twobase4 icl-twobase4
+25004 icl-twobase5 icl-twobase5
+25005 icl-twobase6 icl-twobase6
+25006 icl-twobase7 icl-twobase7
+25007 icl-twobase8 icl-twobase8
+25008 icl-twobase9 icl-twobase9
+25009 icl-twobase10 icl-twobase10
+25793 vocaltec-hos VocaltecAddressServer
+26000 quake quake
+26208 wnn6-ds wnn6-ds
+27000 flex-lm
+27001 flex-lm FLEXLM(1-10)
+27002 flex-lm FLEXLM(1-10)
+27003 flex-lm FLEXLM(1-10)
+27004 flex-lm FLEXLM(1-10)
+27005 flex-lm FLEXLM(1-10)
+27006 flex-lm FLEXLM(1-10)
+27007 flex-lm FLEXLM(1-10)
+27008 flex-lm FLEXLM(1-10)
+27009 flex-lm FLEXLM(1-10)
+27999 tw-auth-key TWAuthentication/KeyDistributionand
+33434 traceroute tracerouteuse
+44818 rockwell-encap RockwellEncapsulation
+45678 eba EBAPRISE
+47557 dbbrowse DatabeamCorporation
+47624 directplaysrvr DirectPlayServer
+47806 ap ALCProtocol
+47808 bacnet BuildingAutomationandControlNetworks
diff --git a/contrib/ipfilter/perl/logfilter.pl b/contrib/ipfilter/perl/logfilter.pl
new file mode 100644
index 0000000..6ebe401
--- /dev/null
+++ b/contrib/ipfilter/perl/logfilter.pl
@@ -0,0 +1,181 @@
+#!perl.exe
+
+# Author: Chris Grant
+# Copyright 1999, Codetalker Communications, Inc.
+#
+# This script takes a firewall log and breaks it into several
+# different files. Each file is named based on the service that
+# runs on the port that was recognized in log line. After
+# this script has run, you should end up with several files.
+# Of course you will have the original log file and then files
+# such as web.log, telnet.log, pop3.log, imap.log, backorifice.log,
+# netbus.log, and unknown.log.
+#
+# The number of entries in unknown.log should be minimal. The
+# mappings of the port numbers and file names are stored in the bottom
+# of this file in the data section. Simply look at the ports being hit,
+# find out what these ports do, and add them to the data section.
+#
+# You may be wondering why I haven't simply parsed RFC1700 to come up
+# with a list of port numbers and files. The reason is that I don't
+# believe reading firewall logs should be all that automated. You
+# should be familiar with what probes are hitting your system. By
+# manually adding entries to the data section this ensures that I
+# have at least educated myself about what this protocol is, what
+# the potential exposure is, and why you might be seeing this traffic.
+
+%icmp = ();
+%udp = ();
+%tcp = ();
+%openfiles = ();
+$TIDBITSFILE = "unknown.log";
+
+# Read the ports data from the end of this file and build the three hashes
+while (<DATA>) {
+ chomp; # trim the newline
+ s/#.*//; # no comments
+ s/^\s+//; # no leading white
+ s/\s+$//; # no trailing white
+ next unless length; # anything left?
+ $_ = lc; # switch to lowercase
+ ($proto, $identifier, $filename) = m/(\S+)\s+(\S+)\s+(\S+)/;
+ SWITCH: {
+ if ($proto =~ m/^icmp$/) { $icmp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^udp$/) { $udp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^tcp$/) { $tcp{$identifier} = $filename; last SWITCH; };
+ die "An unknown protocol listed in the proto defs\n$_\n";
+ }
+}
+
+$filename = shift;
+unless (defined($filename)) { die "Usage: logfilter.pl <log file>\n"; }
+open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";
+$openfiles{$filename} = "LOGFILE";
+
+$linenum = 0;
+while($line = <LOGFILE>) {
+
+ chomp($line);
+ $linenum++;
+
+ # determine the protocol - send to unknown.log if not found
+ SWITCH: {
+
+ ($line =~ m /\sicmp\s/) && do {
+
+ #
+ # ICMP Protocol
+ #
+ # Extract the icmp packet information specifying the type.
+ #
+ # Note: Must check for ICMP first because this may be an ICMP reply
+ # to a TCP or UDP connection (eg Port Unreachable).
+
+ ($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\stcp\s/) && do {
+
+ #
+ # TCP Protocol
+ #
+ # extract the source and destination ports and compare them to
+ # known ports in the tcp hash. For the first match, place this
+ # line in the file specified by the tcp hash. Ignore one of the
+ # port matches if both ports happen to be known services.
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+ #print "$line\n" unless (defined($sport) && defined($dport));
+
+ $filename = $TIDBITSFILE;
+ $filename = $tcp{$sport} if (defined($tcp{$sport}));
+ $filename = $tcp{$dport} if (defined($tcp{$dport}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\sudp\s/) && do {
+
+ #
+ # UDP Protocol - same procedure as with TCP, different hash
+ #
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $udp{$sport} if (defined($udp{$sport}));
+ $filename = $udp{$dport} if (defined($udp{$dport}));
+
+ last SWITCH;
+ };
+
+ #
+ # The default case is that the protocol was unknown
+ #
+ $filename = $TIDBITSFILE;
+ }
+
+ #
+ # write the line to the appropriate file as determined above
+ #
+ # check for filename in the openfiles hash. if it exists then write
+ # to the given handle. otherwise open a handle to the file and add
+ # it to the hash of open files.
+
+ if (defined($openfiles{$filename})) {
+ $handle = $openfiles{$filename};
+ } else {
+ $handle = "HANDLE" . keys %openfiles;
+ open ($handle, ">>".$filename) || die "Couldn't open|create the file $filename";
+ $openfiles{$filename} = $handle;
+ }
+ print $handle "#$linenum\t $line\n";
+
+}
+
+# close all open file handles
+
+foreach $key (keys %openfiles) {
+ close($openfiles{$key});
+}
+
+close(LOGFILE);
+
+__DATA__
+icmp 3 destunreach.log
+icmp 8 ping.log
+icmp 9 router.log
+icmp 10 router.log
+icmp 11 ttl.log
+tcp 23 telnet.log
+tcp 25 smtp.log
+udp 25 smtp.log
+udp 53 dns.log
+tcp 80 http.log
+tcp 110 pop3.log
+tcp 111 rpc.log
+udp 111 rpc.log
+tcp 137 netbios.log
+udp 137 netbios.log
+tcp 143 imap.log
+udp 161 snmp.log
+udp 370 backweb.log
+udp 371 backweb.log
+tcp 443 https.log
+udp 443 https.log
+udp 512 syslog.log
+tcp 635 nfs.log # NFS mount services
+udp 635 nfs.log # NFS mount services
+tcp 1080 socks.log
+udp 1080 socks.log
+tcp 6112 games.log # Battle net
+tcp 6667 irc.log
+tcp 7070 realaudio.log
+tcp 8080 http.log
+tcp 12345 netbus.log
+udp 31337 backorifice.log \ No newline at end of file
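Review bot: The two-argument `open(LOGFILE, $filename)` on the line after the usage check treats the user-supplied path as a mode string, so an argument beginning with `>` or `|` (or ending in `|`) is interpreted as a write mode or a pipe instead of a file name; the three-argument form `open(LOGFILE, '<', $filename) || die "Could not open the firewall log file.\n";` pins the mode and avoids that. The same script is run without `use strict` or `-w`, so a log line whose port regex does not match leaves `$sport`/`$dport` undefined and the hash lookups silently key on the empty string, which hides malformed lines rather than flagging them; a `next unless defined $sport && defined $dport;` after each port extraction (the commented-out print already hints at this) would make them visible. The TCP comment "For the first match" is also inaccurate: the destination-port lookup is applied last and therefore wins when both ports are known, so I would reword it to `# If both ports are known services, the destination port's file wins.`. Finally, the `%openfiles` loop already closes `LOGFILE`, so the trailing `close(LOGFILE);` is a redundant second close.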
diff --git a/contrib/ipfilter/perl/plog b/contrib/ipfilter/perl/plog
new file mode 100644
index 0000000..8f3f73c
--- /dev/null
+++ b/contrib/ipfilter/perl/plog
@@ -0,0 +1,653 @@
+#!/usr/bin/perl -wT
+#
+# Author: Jefferson Ogata <jogata@nodc.noaa.gov>
+# Date: 1998/11/01
+# Version: 0.4
+#
+# Please feel free to use or redistribute this program if you find it useful.
+# If you have suggestions, or even better, bits of new code, send them to me
+# and I will add them when I have time. The current version of this script
+# can always be found at the URL:
+#
+# http://pobox.com/~ogata/webtools/plog.txt
+#
+# Parse ipmon output into a coherent form. This program only handles the
+# lines regarding filter actions. It does not parse nat and state lines.
+#
+# Present lines from ipmon to this program on standard input. One way I
+# often use is:
+# grep ' b ' logfile | plog
+# since a ' b ' sequence indicates a blocked packet.
+#
+# TODO:
+# - Handle output from ipmon -v.
+# - Handle timestamps from other locales. Anyone with a timestamp problem
+# please email me the format of your timestamps.
+#
+# CHANGES:
+# 1999/05/03:
+# - Now accepts hostnames in the source and destination address fields, as
+# well as port names in the port fields. This allows the people who are
+# using ipmon -n to still use plog. Note that if you are logging
+# hostnames, you are vulnerable to forgery of DNS information, modified
+# DNS information, and your log files will be larger also. If you are
+# using this program you can have it look up the names for you (still
+# vulnerable to forgery) and keep your addresses all in numeric format,
+# so that packets from the same source will always show the same source
+# address regardless of what's up with DNS. Nevertheless, some people
+# wanted this, so here it is.
+# - Added S and n flags to %acts hash. Thanks to Stephen J. Roznowski
+# <sjr@home.net>.
+# - Stopped reporting host IPs twice when numeric output was requested.
+# Thanks, yet again, to Stephen J. Roznowski <sjr@home.net>.
+# - Number of minor tweaks that might speed it up a bit, and some comments.
+# - Put the script back up on the web site. I moved the site and forgot to
+# move the tool.
+# 1999/02/04:
+# - Changed log line parser to accept fully-qualified name in the logging
+# host field. Thanks to Stephen J. Roznowski <sjr@home.net>.
+# 1999/01/22:
+# - Changed high port strategy to use 65536 for unknown high ports so that
+# they are sorted last.
+# 1999/01/21:
+# - Moved icmp parsing to output loop.
+# - Added parsing of icmp codes, and more types.
+# - Changed packet sort routine to sort by port number rather than service
+# name.
+# 1999/01/20:
+# - Fixed problem matching ipmon log lines. Sometimes they have "/ipmon" in
+# them, sometimes just "ipmon".
+# - Added numeric parse option to turn off hostname lookups.
+# - Moved summary to usage() sub.
+
+use strict;
+use Socket;
+
+select STDOUT ; $| = 1 ;
+
+my %hosts;
+
+my $me = $0;
+$me =~ s/^([^\/]*\/)*//;
+
+my $numeric = 0;
+
+# Under IPv4 port numbers are unsigned shorts. The value below is higher
+# than the maximum value of an unsigned port, and is used in place of
+# high port numbers that don't correspond to known services. This makes
+# high ports get sorted behind all others.
+my $highPort = 0x10000;
+
+# Map of log codes for various actions. Not all of these can occur, but
+# I've included everything in print_ipflog() from ipmon.c.
+my %acts = (
+ 'p' => 'pass',
+ 'P' => 'pass',
+ 'b' => 'block',
+ 'B' => 'block',
+ 'L' => 'log',
+ 'S' => 'short',
+ 'n' => 'nomatch',
+);
+
+while (defined ($_ = shift))
+{
+ if (s/^-//)
+ {
+ $numeric += s/n//g;
+ &usage (0) if (s/[h\?]//g);
+ &usage (1) if (length ($_));
+ next;
+ }
+ &usage (1);
+}
+
+while (<STDIN>)
+{
+ chomp;
+
+ # For ipmon output that came through syslog, we'll have an asctime
+ # timestamp, hostname, "ipmon"[process id]: prefixed to the line. For
+ # output that was written directly to a file by ipmon, we'll have a date
+ # prefix as dd/mm/yyyy (no y2k problem here!). Both formats then have a
+ # packet timestamp and the log info.
+ my ($time, $log);
+ if (/^(\w+\s+\d+\s+\d+:\d+:\d+)\s+([\w\.]+)\s+\S*ipmon\[\d+\]:\s+(\d+:\d+:\d+\.\d+)\s+(.+)/)
+ {
+ my ($logtime, $loghost);
+ ($logtime, $loghost, $time, $log) = ($1, $2, $3, $4);
+ }
+ elsif (/^(\d+\/\d+\/\d+)\s+(\d+:\d+:\d+\.\d+)\s+(.+)$/)
+ {
+ my $logdate;
+ ($logdate, $time, $log) = ($1, $2, $3);
+ }
+ else
+ {
+ # It don't look like no ipmon output to me, baby.
+ next;
+ }
+ next unless (defined ($log));
+
+ # Parse the log line. We're expecting interface name, rule group and
+ # number, an action code, a source host name or IP with possible port
+ # name or number, a destination host name or IP with possible port
+ # number, "PR", a protocol name or number, "len", a header length, a
+ # packet length, and maybe some additional info.
+ $log =~ /^(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([a-zA-Z0-9\-\.,]+)\s+->\s+([a-zA-Z0-9\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+(\d+)\s*(.*)$/;
+ my ($if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more)
+ = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
+ unless (defined ($len))
+ {
+ warn ("Bad input line at $.: \"$_\"");
+ next;
+ }
+
+ my ($sport, $dport);
+
+ if ($proto eq 'icmp')
+ {
+ if ($more =~ s/^icmp (\d+)\/(\d+)\s*//)
+ {
+ # We save icmp type and code in both sport and dport.
+ $dport = $sport = "$1.$2";
+ }
+ else
+ {
+ $sport = '';
+ $dport = '';
+ }
+ }
+ else
+ {
+ $sport = (($src =~ s/,(\w+)$//) ? &portSimplify ($1, $proto) : '');
+ $dport = (($dest =~ s/,(\w+)$//) ? &portSimplify ($1, $proto) : '');
+ }
+
+ # Make sure addresses are numeric at this point. We want to sort by
+ # IP address later. This has got to do some weird things, but if you
+ # want to use ipmon -n, be ready for weirdness.
+ $src = &hostNumber ($src);
+ $dest = &hostNumber ($dest);
+
+ # Convert proto to proto number.
+ $proto = &protoNumber ($proto);
+
+ sub countPacket
+ {
+ my ($host, $dir, $peer, $proto, $packet) = @_;
+
+ # Make sure host is in the hosts hash.
+ $hosts{$host} =
+ +{
+ 'out' => +{ },
+ 'in' => +{ },
+ } unless (exists ($hosts{$host}));
+
+ # Get the incoming/outgoing traffic hash for the host in question.
+ my $trafficHash = $hosts{$host}->{$dir};
+
+ # Make sure there's a hash for the peer.
+ $trafficHash->{$peer} = +{ } unless (exists ($trafficHash->{$peer}));
+
+ # Make sure the peer hash has a hash for the protocol number.
+ my $peerHash = $trafficHash->{$peer};
+ $peerHash->{$proto} = +{ } unless (exists ($peerHash->{$proto}));
+
+ # Make sure there's a counter for this packet type in the proto hash.
+ my $protoHash = $peerHash->{$proto};
+ $protoHash->{$packet} = 0 unless (exists ($protoHash->{$packet}));
+
+ # Increment the counter.
+ ++$protoHash->{$packet};
+ }
+
+ # Count the packet as outgoing traffic from the source address.
+ &countPacket ($src, 'out', $dest, $proto, "$sport:$dport:$if:$act");
+
+ # Count the packet as incoming traffic to the destination address.
+ &countPacket ($dest, 'in', $src, $proto, "$dport:$sport:$if:$act");
+}
+
+my $dir;
+foreach $dir (qw(out in))
+{
+ my $order = ($dir eq 'out' ? 'source' : 'destination');
+ my $arrow = ($dir eq 'out' ? '->' : '<-');
+
+ print "### Traffic by $order address:\n";
+
+ sub ipSort
+ {
+ my @a = split (/\./, $a);
+ my @b = split (/\./, $b);
+ $a[0] != $b[0] ? $a[0] <=> $b[0]
+ : $a[1] != $b[1] ? $a[1] <=> $b[1]
+ : $a[2] != $b[2] ? $a[2] <=> $b[2]
+ : $a[3] != $b[3] ? $a[3] <=> $b[3]
+ : 0;
+ }
+
+ my $host;
+ foreach $host (sort ipSort (keys %hosts))
+ {
+ my $traffic = $hosts{$host}->{$dir};
+
+ # Skip hosts with no traffic.
+ next unless (scalar (keys (%{$traffic})));
+
+ if ($numeric)
+ {
+ print " $host\n";
+ }
+ else
+ {
+ print " ", &hostName ($host), " \[$host\]\n";
+ }
+
+ my $peer;
+ foreach $peer (sort ipSort (keys %{$traffic}))
+ {
+ my $peerHash = $traffic->{$peer};
+ my $peerName = &hostName ($peer);
+ my $proto;
+ foreach $proto (sort (keys (%{$peerHash})))
+ {
+ my $protoHash = $peerHash->{$proto};
+ my $protoName = &protoName ($proto);
+
+ sub packetSort
+ {
+ my ($asport, $adport, $aif, $aact) = split (/:/, $a);
+ my ($bsport, $bdport, $bif, $bact) = split (/:/, $b);
+ return $bact cmp $aact if ($aact ne $bact);
+ return $aif cmp $bif if ($aif ne $bif);
+ return $asport <=> $bsport if ($asport != $bsport);
+ return $adport <=> $bdport if ($adport != $bdport);
+ }
+
+ my $packet;
+ foreach $packet (sort packetSort (keys %{$protoHash}))
+ {
+ my ($sport, $dport, $if, $act) = split (/:/, $packet);
+ my $count = $protoHash->{$packet};
+ $act = '?' unless (defined ($act = $acts{$act}));
+ if (($protoName eq 'tcp') || ($protoName eq 'udp'))
+ {
+ printf (" %-6s %7s %5d %6s %14s %2s %s.%s\n", $if, $act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &portName ($dport, $protoName));
+ }
+ elsif ($protoName eq 'icmp')
+ {
+ printf (" %-6s %7s %5d %6s %14s %2s %s\n", $if, $act, $count, $protoName, &icmpType ($sport), $arrow, $peerName);
+ }
+ else
+ {
+ printf (" %-6s %7s %5d %6s %14s %2s %s\n", $if, $act, $count, $protoName, '', $arrow, $peerName);
+ }
+ }
+ }
+ }
+ }
+
+ print "\n\n";
+}
+
+exit (0);
+
+# We use this hash to cache port name -> number and number -> name mappings.
+# Isn't is cool that we can use the same hash for both?
+my %pn;
+
+# Translates a numeric port/named protocol to a port name. Reserved ports
+# that do # not have an entry in the services database are left numeric.
+# High ports that do not have an entry in the services database are mapped
+# to '<high>'.
+sub portName
+{
+ my $port = shift;
+ my $proto = shift;
+ my $pname = "$port/$proto";
+ unless (exists ($pn{$pname}))
+ {
+ my $name = getservbyport ($port, $proto);
+ $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? $port : '<high>'));
+ }
+ return $pn{$pname};
+}
+
+# Translates a named port/protocol to a port number.
+sub portNumber
+{
+ my $port = shift;
+ my $proto = shift;
+ my $pname = "$port/$proto";
+ unless (exists ($pn{$pname}))
+ {
+ my $number = getservbyname ($port, $proto);
+ unless (defined ($number))
+ {
+ # I don't think we need to recover from this. How did the port
+ # name get into the log file if we can't find it? Log file from
+ # a different machine? Fix /etc/services on this one if that's
+ # your problem.
+ die ("Unrecognized port name \"$port\" at $.");
+ }
+ $pn{$pname} = $number;
+ }
+ return $pn{$pname};
+}
+
+# Convert all unrecognized high ports to the same value so they are treated
+# identically. The protocol should be by name.
+sub portSimplify
+{
+ my $port = shift;
+ my $proto = shift;
+
+ # Make sure port is numeric.
+ $port = &portNumber ($port, $proto)
+ unless ($port =~ /^\d+$/);
+
+ # Look up port name.
+ my $portName = &portName ($port, $proto);
+
+ # Port is an unknown high port. Return a value that is too high for a
+ # port number, so that high ports get sorted last.
+ return $highPort if ($portName eq '<high>');
+
+ # Return original port number.
+ return $port;
+}
+
+# Again, we can use the same hash for both host name -> IP mappings and
+# IP -> name mappings.
+my %ip;
+
+# Translates a dotted quad into a hostname. Don't pass names to this
+# function.
+sub hostName
+{
+ my $ip = shift;
+ return $ip if ($numeric);
+ unless (exists ($ip{$ip}))
+ {
+ my $addr = inet_aton ($ip);
+ my $name = gethostbyaddr ($addr, AF_INET);
+ if (defined ($name))
+ {
+ $ip{$ip} = $name;
+
+ # While we're at it, cache the forward lookup.
+ $ip{$name} = $ip;
+ }
+ else
+ {
+ # Just map the IP address to itself. There's no reverse.
+ $ip{$ip} = $ip;
+ }
+ }
+ return $ip{$ip};
+}
+
+# Translates a hostname or dotted quad into a dotted quad.
+sub hostNumber
+{
+ my $name = shift;
+ if ($name =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
+ {
+ # Return original value for dotted quads.
+ my $or = int ($1) | int ($2) | int ($3) | int ($4);
+ return $name if ($or == ($or & 0xff));
+ }
+ unless (exists ($ip{$name}))
+ {
+ my $addr = inet_aton ($name);
+ unless (defined ($addr))
+ {
+ # Again, I don't think we need to recover from this. If we can't
+ # resolve a hostname that ended up in the log file, punt. We
+ # want to be able to sort hosts by IP address later, and letting
+ # hostnames through will snarl up that code. Users of ipmon -n
+ # will have to grin and bear it for now.
+ die ("Unable to resolve host \"$name\" at $.");
+ }
+ my $ip = inet_ntoa ($addr);
+ $ip{$name} = $ip;
+
+ # While we're at it, cache the reverse lookup.
+ $ip{$ip} = $name;
+ }
+ return $ip{$name};
+}
+
+# Hash for protocol number <--> name mappings.
+my %pr;
+
+# Translates a protocol number into a protocol name, or a number if no name
+# is found in the protocol database.
+sub protoName
+{
+ my $code = shift;
+ return $code if ($code !~ /^\d+$/);
+ unless (exists ($pr{$code}))
+ {
+ my $name = scalar (getprotobynumber ($code));
+ if (defined ($name))
+ {
+ $pr{$code} = $name;
+ }
+ else
+ {
+ $pr{$code} = $code;
+ }
+ }
+ return $pr{$code};
+}
+
+# Translates a protocol name or number into a protocol number.
+sub protoNumber
+{
+ my $name = shift;
+ return $name if ($name =~ /^\d+$/);
+ unless (exists ($pr{$name}))
+ {
+ my $code = scalar (getprotobyname ($name));
+ if (defined ($code))
+ {
+ $pr{$name} = $code;
+ }
+ else
+ {
+ $pr{$name} = $name;
+ }
+ }
+ return $pr{$name};
+}
+
+sub icmpType
+{
+ my %icmp = (
+ 0 => +{
+ name => 'echo-reply',
+ codes => +{0 => undef},
+ },
+ 3 => +{
+ name => 'dest-unr',
+ codes => +{
+ 0 => 'net',
+ 1 => 'host',
+ 2 => 'proto',
+ 3 => 'port',
+ 4 => 'need-frag',
+ 5 => 'no-sroute',
+ 6 => 'net-unk',
+ 7 => 'host-unk',
+ 8 => 'shost-isol',
+ 9 => 'net-proh',
+ 10 => 'host-proh',
+ 11 => 'net-tos',
+ 12 => 'host-tos',
+ },
+ },
+ 4 => +{
+ name => 'src-quench',
+ codes => +{0 => undef},
+ },
+ 5 => +{
+ name => 'redirect',
+ codes => +{
+ 0 => 'net',
+ 1 => 'host',
+ 2 => 'tos',
+ 3 => 'tos-host',
+ },
+ },
+ 6 => +{
+ name => 'alt-host-addr',
+ codes => +{0 => undef},
+ },
+ 8 => +{
+ name => 'echo',
+ codes => +{0 => undef},
+ },
+ 9 => +{
+ name => 'rtr-advert',
+ codes => +{0 => undef},
+ },
+ 10 => +{
+ name => 'rtr-select',
+ codes => +{0 => undef},
+ },
+ 11 => +{
+ name => 'time-excd',
+ codes => +{
+ 0 => 'in-transit',
+ 1 => 'frag-assy',
+ },
+ },
+ 12 => +{
+ name => 'param-prob',
+ codes => +{
+ 0 => 'ptr-err',
+ 1 => 'miss-opt',
+ 2 => 'bad-len',
+ },
+ },
+ 13 => +{
+ name => 'time',
+ codes => +{0 => undef},
+ },
+ 14 => +{
+ name => 'time-reply',
+ codes => +{0 => undef},
+ },
+ 15 => +{
+ name => 'info',
+ codes => +{0 => undef},
+ },
+ 16 => +{
+ name => 'info-req',
+ codes => +{0 => undef},
+ },
+ 17 => +{
+ name => 'mask-req',
+ codes => +{0 => undef},
+ },
+ 18 => +{
+ name => 'mask-reply',
+ codes => +{0 => undef},
+ },
+ 31 => +{
+ name => 'dgram-conv-err',
+ codes => +{ },
+ },
+ 32 => +{
+ name => 'mbl-host-redir',
+ codes => +{ },
+ },
+ 33 => +{
+ name => 'ipv6-whereru?',
+ codes => +{ },
+ },
+ 34 => +{
+ name => 'ipv6-iamhere',
+ codes => +{ },
+ },
+ 35 => +{
+ name => 'mbl-reg-req',
+ codes => +{ },
+ },
+ 36 => +{
+ name => 'mbl-reg-rep',
+ codes => +{ },
+ },
+ );
+
+ my $typeCode = shift;
+ my ($type, $code) = split ('\.', $typeCode);
+
+ return "?" unless (defined ($code));
+
+ my $info = $icmp{$type};
+
+ return "\(type=$type/$code?\)" unless (defined ($info));
+
+ my $typeName = $info->{name};
+ my $codeName;
+ if (exists ($info->{codes}->{$code}))
+ {
+ $codeName = $info->{codes}->{$code};
+ $codeName = (defined ($codeName) ? "/$codeName" : '');
+ }
+ else
+ {
+ $codeName = "/$code";
+ }
+ return "$typeName$codeName";
+}
+
+sub usage
+{
+ my $ec = shift;
+
+ print STDERR <<EOT;
+usage: $me [-n]
+
+Parses logging from ipmon and presents it in a comprehensible format.
+This program generates two tables: one organized by source address and
+another organized by destination address. For the first table, source
+addresses are sorted by IP address. For each address, all packets
+originating at the address are presented in a tabular form, where all
+packets with the same source and destination address and port are counted
+as a single entry. The packet count for each entry is shown as the third
+field. In addition, any port number greater than 1024 that doesn't match
+an entry in the services table is treated as a "high" port, and high ports
+are coalesced into the same entry. The entry fields for the source address
+table are:
+
+ iface action packet-count proto src-port dest-ip dest-port
+
+The entry fields for the destination table are:
+
+ iface action packet-count proto dest-port src-ip src-port
+
+If the -n option is given, reverse hostname lookups are disabled and all
+hosts are displayed as numeric addresses.
+
+Note: if you are logging traffic with ipmon -n, ipmon will already have
+looked up and logged addresses as hostnames where possible. This has an
+important side effect: this program will translate the hostnames back into
+IP addresses which may not match the original addresses of the logged
+packets because of numerous DNS issues. If you care about where packets
+are really coming from, you simply cannot rely on ipmon -n. An attacker
+with control of his reverse DNS can map the reverse lookup to anything he
+likes. If you haven't logged the numeric IP address, there's no way to
+discover the source of an attack reliably. For this reason, I strongly
+recommend that you run ipmon without the -n option, and use this or a
+similar script to do reverse lookups during analysis, rather than during
+logging.
+EOT
+
+ exit ($ec);
+}
+
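Review bot: The two `die` calls in portNumber and hostNumber abort the whole report on a single unresolvable field, and the usage text itself explains that under `ipmon -n` those fields are hostnames obtained from reverse DNS that the remote peer controls, so one bad name in the log stops the analysis of every other line; a record-level failure should be `warn ("Unable to resolve host \"$name\" at $."); return undef;` in hostNumber (and likewise in portNumber), with the main loop skipping the record via `next unless (defined ($src) && defined ($dest));` after the two hostNumber calls. hostNumber also performs a forward lookup (`inet_aton`) on every logged name, so analysing a log sends DNS queries for names the logged peers chose; that deserves a sentence in the header comment alongside the existing forgery warning. The usage text says ports "greater than 1024" are treated as high while portName uses `$port <= 1023`, so 1024 itself is a high port; one of the two should change. countPacket, ipSort and packetSort are named subs placed inside loops, which Perl compiles once at compile time, so the placement suggests a per-iteration scope that does not exist; defining them at file scope next to the other helpers would read more honestly, and packetSort should end with an explicit `return 0;` rather than relying on the value of its last `if`.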
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
index 31bf1b3..df041d1 100644
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ b/contrib/ipfilter/rules/BASIC.NAT
@@ -1,6 +1,6 @@
#!/sbin/ipnat -f -
#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
index 42d2792..d2bd60a 100644
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -2,7 +2,7 @@
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
index b966dfb..46564f0 100644
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -2,7 +2,7 @@
#
# SAMPLE: PERMISSIVE FILTER RULES
#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
@@ -56,7 +56,7 @@ pass out quick on lo0 all
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
-pass in log quick proto tcp all SA flags S/SA keep state group 200
+pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
index 604346e..ff93f49 100644
--- a/contrib/ipfilter/rules/example.1
+++ b/contrib/ipfilter/rules/example.1
@@ -1,4 +1,4 @@
#
-# block all incoming TCP packets on le0 from host "foo" to any destination.
+# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
#
-block in on le0 proto tcp from foo/32 to any
+block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
index 7fc26eb..c6b4e7f 100644
--- a/contrib/ipfilter/rules/example.11
+++ b/contrib/ipfilter/rules/example.11
@@ -2,12 +2,12 @@
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
-pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
-pass in proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block anything trying to get to X terminal ports, X:0 to X:9
#
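Review bot: The comment above the first rule still says "the same subnet as foo is on", but after this change foo appears nowhere in the rule, which now uses 10.2.2.2/24, so the comment no longer explains the rule beneath it. It should name the address it now refers to, e.g. `# allow any TCP packets from the same subnet as 10.2.2.2 is on through to host`. The same stale "foo"/"bar" wording remains at the top of the example.5 hunk below, where the rules were likewise switched to numeric addresses.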
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
index df13d0a..854f07f 100644
--- a/contrib/ipfilter/rules/example.13
+++ b/contrib/ipfilter/rules/example.13
@@ -1,17 +1,17 @@
#
-# Log all short TCP packets to qe3, with "packetlog" as the intended
+# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
# destination for the packet.
#
-block in to qe3:packetlog proto tcp all with short
+block in on qe0 to qe3:10.3.3.3 proto tcp all with short
#
# Log all connection attempts for TCP
#
-pass in dup-to le0:packetlog proto tcp all flags S/SA
+pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
-pass in fastroute proto udp all
+pass in on ppp0 fastroute proto udp all
#
-# Route all ICMP packets to network 10 out through le1, to "router"
+# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
#
-pass in to le1:router proto icmp all
+pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
index 8d8fe57..4f81725 100644
--- a/contrib/ipfilter/rules/example.2
+++ b/contrib/ipfilter/rules/example.2
@@ -1,4 +1,5 @@
#
-# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
+# block all outgoing TCP packets on le0 from any host to port 23 of
+# host 10.1.1.2
#
-block out on le0 proto tcp from any to bar/32 port = 23
+block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
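Review bot: The rewritten comment names host 10.1.1.2, but the rule on the last line blocks traffic to 10.1.1.3/32, so the example describes one address and filters another. Either the comment should read `# host 10.1.1.3` or the rule should use `10.1.1.2/32`; the other examples in this commit keep the comment and the rule on the same address.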
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
index 6e122e0..6d688b5 100644
--- a/contrib/ipfilter/rules/example.5
+++ b/contrib/ipfilter/rules/example.5
@@ -3,23 +3,23 @@
#
# allow packets coming from foo to bar through.
#
-pass from foo to bar
+pass in from 10.1.1.2 to 10.2.1.1
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
-pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
-pass proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block all ICMP unreachables.
#
-block from any to any icmp unreach
+block in proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (ie there
# are IP options such as source-routing present).
#
-pass from any to any with ipopts
+pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
index af9cf98..681a81d 100644
--- a/contrib/ipfilter/rules/firewall
+++ b/contrib/ipfilter/rules/firewall
@@ -33,7 +33,7 @@ where
* "int-net" is the internal network IP# subnet address range. This might
be something like 10.1.0.0/16, or 128.33.1.0/24
-* "ext-service" is the service to which you which to connect or if it doesn't
+* "ext-service" is the service to which you wish to connect or if it doesn't
have a proper name, a number can be used. The translation of "ext-service"
as a name to a number is controlled with the /etc/services file.
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
index a13ef1c..cafeeb6 100644
--- a/contrib/ipfilter/rules/ftp-proxy
+++ b/contrib/ipfilter/rules/ftp-proxy
@@ -20,7 +20,7 @@ Lets assume your network diagram looks something like this:
and IP Filter is running on host B. If you want to proxy FTP from A to C
then you would do:
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
+map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
int-c = name of "interface c"
ipaddr-a = ip# of interface a
@@ -31,7 +31,7 @@ e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
203.45.67.90, you would do:
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
+map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
where:
ipaddr-a = 10.1.1.1
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
index 5eafc7c..f2fb204 100644
--- a/contrib/ipfilter/rules/server
+++ b/contrib/ipfilter/rules/server
@@ -6,6 +6,6 @@
# or
#
pass in quick on le0 from 128.1.40.0/24 to any
-block in quick log on le0 from any to any
-block in quick log on le1 from 128.1.1.0/24 to any
+block in log quick on le0 from any to any
+block in log quick on le1 from 128.1.1.0/24 to any
pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/samples/ipfilter-pb.gif b/contrib/ipfilter/samples/ipfilter-pb.gif
new file mode 100644
index 0000000..afaefa8
--- /dev/null
+++ b/contrib/ipfilter/samples/ipfilter-pb.gif
Binary files differ
diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h
index 4e42bec..c5b2c88 100644
--- a/contrib/ipfilter/snoop.h
+++ b/contrib/ipfilter/snoop.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -11,7 +11,7 @@
/*
* written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 2.0.2.5 1997/09/28 07:12:11 darrenr Exp $
+ * $Id: snoop.h,v 2.1 1999/08/04 17:30:19 darrenr Exp $
*/
struct snoophdr {
char s_id[8];
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index fe2a243..b1cb19b 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -1,12 +1,12 @@
/*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.4 1998/02/28 02:35:21 darrenr Exp $";
+#pragma ident "@(#)$Id: solaris.c,v 2.1.2.5 1999/10/15 13:49:44 darrenr Exp $";
#include <sys/systm.h>
#include <sys/types.h>
@@ -27,6 +27,9 @@
#include <sys/autoconf.h>
#include <sys/byteorder.h>
#include <sys/socket.h>
+#include <sys/dlpi.h>
+#include <sys/stropts.h>
+#include <sys/sockio.h>
#include <net/if.h>
#include <net/af.h>
#include <net/route.h>
@@ -46,6 +49,7 @@
#include "ip_fil.h"
#include "ip_nat.h"
+
char _depends_on[] = "drv/ip";
@@ -56,13 +60,14 @@ void solattach __P((void));
int soldetach __P((void));
extern struct filterstats frstats[];
-extern kmutex_t ipf_mutex, ipfs_mutex, ipf_nat;
+extern KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_nat, ipf_solaris;
+extern kmutex_t ipf_rw;
+extern int fr_running;
extern int fr_flags;
extern ipnat_t *nat_list;
static qif_t *qif_head = NULL;
-
static int ipf_getinfo __P((dev_info_t *, ddi_info_cmd_t,
void *, void **));
static int ipf_probe __P((dev_info_t *));
@@ -71,9 +76,22 @@ static int ipf_attach __P((dev_info_t *, ddi_attach_cmd_t));
static int ipf_detach __P((dev_info_t *, ddi_detach_cmd_t));
static qif_t *qif_from_queue __P((queue_t *));
static void fr_donotip __P((int, qif_t *, queue_t *, mblk_t *,
- mblk_t *, ip_t *, int));
+ mblk_t *, ip_t *, size_t));
static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
NULL };
+static int (*ipf_ip_inp) __P((queue_t *, mblk_t *)) = NULL;
+
+
+#if SOLARIS2 >= 7
+extern void ipfr_slowtimer __P((void *));
+timeout_id_t ipfr_timer_id;
+static timeout_id_t synctimeoutid = 0;
+#else
+extern void ipfr_slowtimer __P((void));
+int ipfr_timer_id;
+static int synctimeoutid = 0;
+#endif
+
#ifdef IPFDEBUG
void printire __P((ire_t *));
#endif
@@ -127,46 +145,54 @@ static dev_info_t *ipf_dev_info = NULL;
int _init()
{
-#ifdef IPFDEBUG
- int ipfinst = mod_install(&modlink1);
+ int ipfinst;
+ if (fr_running < 0)
+ return -1;
+ ipfinst = mod_install(&modlink1);
+#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _init() = %d\n", ipfinst);
- return ipfinst;
-#else
- return mod_install(&modlink1);
#endif
+ return ipfinst;
}
int _fini(void)
{
-#ifdef IPFDEBUG
- int ipfinst = mod_remove(&modlink1);
+ int ipfinst;
+ if (fr_running < 0)
+ return -1;
+ ipfinst = mod_remove(&modlink1);
+#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _fini() = %d\n", ipfinst);
- return ipfinst;
-#else
- return mod_remove(&modlink1);
#endif
+ return ipfinst;
}
int _info(modinfop)
struct modinfo *modinfop;
{
+ int ipfinst;
+
+ if (fr_running < 0)
+ return -1;
+ ipfinst = mod_info(&modlink1, modinfop);
#ifdef IPFDEBUG
- int ipfinst = mod_info(&modlink1, modinfop);
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x\n", modinfop, ipfinst);
- return ipfinst;
-#else
- return mod_info(&modlink1, modinfop);
#endif
+ if (fr_running > 0)
+ ipfsync();
+ return ipfinst;
}
static int ipf_probe(dip)
dev_info_t *dip;
{
+ if (fr_running < 0)
+ return DDI_PROBE_FAILURE;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
#endif
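Review bot: `fr_running` is read without any lock in _init, _fini, _info and ipf_probe, while the detach path later in this file sets it to -1 only under `ipf_rw`, so these are check-then-act reads against a value another thread changes under a mutex; at minimum they should be annotated as intentionally unlocked, or done as `mutex_enter(&ipf_rw); running = fr_running; mutex_exit(&ipf_rw);`. The early `return -1` in _init and _fini is also unusual for module entry points, which return 0 or an errno value such as EBUSY; -1 is not an errno and is likely to surface as an unexplained load/unload error. _info additionally calls ipfsync() as a side effect of what is otherwise a query entry point; if that is intentional, a comment explaining why synchronisation belongs here rather than in attach would help the next reader.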
@@ -197,6 +223,8 @@ ddi_attach_cmd_t cmd;
#endif
switch (cmd) {
case DDI_ATTACH:
+ if (fr_running < 0)
+ break;
#ifdef IPFDEBUG
instance = ddi_get_instance(dip);
@@ -227,13 +255,26 @@ ddi_attach_cmd_t cmd;
/*
* Initialize mutex's
*/
- iplattach();
+ if (iplattach() == -1)
+ goto attach_failed;
+ /*
+ * Lock people out while we set things up.
+ */
+ WRITE_ENTER(&ipf_solaris);
solattach();
solipdrvattach();
- cmn_err(CE_CONT, "IP Filter: attaching complete.\n");
- return (DDI_SUCCESS);
+ RWLOCK_EXIT(&ipf_solaris);
+ cmn_err(CE_CONT, "%s, attaching complete.\n", ipfilter_version);
+ sync();
+ if (fr_running == 0)
+ fr_running = 1;
+ if (ipfr_timer_id == 0)
+ ipfr_timer_id = timeout(ipfr_slowtimer, NULL,
+ drv_usectohz(500000));
+ if (fr_running == 1)
+ return DDI_SUCCESS;
default:
- return (DDI_FAILURE);
+ return DDI_FAILURE;
}
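Review bot: After `if (fr_running == 1) return DDI_SUCCESS;` the DDI_ATTACH case falls through into `default:` and returns DDI_FAILURE without passing through `attach_failed`, so if fr_running is not 1 at that point the timer armed just above and the solattach/solipdrvattach state are left in place while the attach is reported as failed. The fall-through should be explicit: `if (fr_running == 1)` / `return DDI_SUCCESS;` / `goto attach_failed;`. The `fr_running` 0-to-1 transition and the `ipfr_timer_id` test-and-set here are also done without `ipf_rw`, unlike the corresponding writes in ipf_detach, which is the kind of inconsistency that turns into a lost update once attach and detach can overlap. The start of the enclosing switch is outside this hunk.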
attach_failed:
@@ -243,7 +284,7 @@ attach_failed:
* away any stuff we allocated above.
*/
(void) ipf_detach(dip, DDI_DETACH);
- return (DDI_FAILURE);
+ return DDI_FAILURE;
}
@@ -251,13 +292,35 @@ static int ipf_detach(dip, cmd)
dev_info_t *dip;
ddi_detach_cmd_t cmd;
{
- int instance;
+ int i;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_DETACH:
+ if (fr_running <= 0)
+ break;
+ /*
+ * Make sure we're the only one's modifying things. With
+ * this lock others should just fall out of the loop.
+ */
+ mutex_enter(&ipf_rw);
+ if (ipfr_timer_id != 0) {
+ untimeout(ipfr_timer_id);
+ ipfr_timer_id = 0;
+ }
+ mutex_exit(&ipf_rw);
+ WRITE_ENTER(&ipf_solaris);
+ mutex_enter(&ipf_rw);
+ if (fr_running <= 0) {
+ mutex_exit(&ipf_rw);
+ return DDI_FAILURE;
+ }
+ fr_running = -1;
+ mutex_exit(&ipf_rw);
+ /* NOTE: ipf_solaris rwlock is released in ipldetach */
+
/*
* Undo what we did in ipf_attach, freeing resources
* and removing things we installed. The system
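Review bot: The `return DDI_FAILURE` inside the second fr_running check is taken while `ipf_solaris` is still write-held (WRITE_ENTER on the line just above it, released only in ipldetach according to the NOTE), so that path leaks the rwlock and every later attach or detach would block on it; add `RWLOCK_EXIT(&ipf_solaris);` before that return. Calling untimeout() while holding `ipf_rw` is also risky if ipfr_slowtimer itself ever takes `ipf_rw`, because untimeout waits for a running callout to complete; the id can be read and cleared under the mutex and untimeout called after `mutex_exit`. The remainder of ipf_detach continues past this hunk.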
@@ -265,10 +328,14 @@ ddi_detach_cmd_t cmd;
* node in any other entry points at this time.
*/
ddi_prop_remove_all(dip);
- instance = ddi_get_instance(dip);
+ i = ddi_get_instance(dip);
ddi_remove_minor_node(dip, NULL);
sync();
- solipdrvdetach();
+ i = solipdrvdetach();
+ if (i > 0) {
+ cmn_err(CE_CONT, "IP Filter: still attached (%d)\n", i);
+ return DDI_FAILURE;
+ }
if (!soldetach()) {
cmn_err(CE_CONT, "IP Filter: detached\n");
return (DDI_SUCCESS);
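Review bot: `i = ddi_get_instance(dip);` is a dead store — `i` is overwritten by the solipdrvdetach() result two lines later and the instance is never used — so either drop the call or keep a separate variable. More importantly, when solipdrvdetach() reports remaining references the function returns DDI_FAILURE after fr_running has already been set to -1, the timer cancelled and the minor node removed, and before soldetach() (where, per the NOTE earlier in the function, ipldetach releases ipf_solaris); the driver is then left in a state that no later attach or detach accepts, since every entry point now rejects `fr_running < 0`. That path needs a deliberate choice — restore fr_running and release the rwlock, or document that the module is wedged until unload — and a comment saying which. The enclosing ipf_detach begins in the previous hunk.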
@@ -276,6 +343,7 @@ ddi_detach_cmd_t cmd;
default:
return (DDI_FAILURE);
}
+ return DDI_FAILURE;
}
@@ -284,10 +352,13 @@ dev_info_t *dip;
ddi_info_cmd_t infocmd;
void *arg, **result;
{
- int error = DDI_FAILURE;
+ int error;
+ if (fr_running <= 0)
+ return DDI_FAILURE;
+ error = DDI_FAILURE;
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x)", dip, infocmd);
+ cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)", dip, infocmd, arg);
#endif
switch (infocmd) {
case DDI_INFO_DEVT2DEVINFO:
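Review bot: The debug cmn_err added here prints `dip` and the new `arg` with `%x`, while the fr_donotip printf further down in this file uses `%p` for pointers; with the `SOLARIS2 >= 7` support introduced in this change, a pointer printed through `%x` is truncated on a 64-bit kernel. Use `cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%p,%x,%p)", dip, infocmd, arg);`. The new early `return DDI_FAILURE` for `fr_running <= 0` also makes getinfo refuse DDI_INFO_DEVT2DEVINFO queries during a partially completed attach; a one-line comment that this is intended would save the next reader from treating it as a bug.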
@@ -331,7 +402,7 @@ qif_t *qif;
queue_t *q;
mblk_t *m, *mt;
ip_t *ip;
-int off;
+size_t off;
{
u_char *s, outb[256], *t;
int i;
@@ -344,32 +415,35 @@ int off;
if (!ip && (m == mt) && m->b_cont && (MTYPE(m) != M_DATA))
m = m->b_cont;
- printf("!IP %s:%d %p %p %p %d %p %p %p %d %d %p\n%02x%02x%02x%02x\n",
- qif ? qif->qf_name : "?", out, q, q ? q->q_ptr : NULL,
- q ? q->q_qinfo : NULL, mt->b_wptr - mt->b_rptr, m, mt,
- m->b_rptr, m->b_wptr - m->b_rptr, off, ip,
- *s, *(s+1), *(s+2), *(s+3));
- if (m != mt) {
+ printf("!IP %s:%d %d %p %p %p %d %p/%d %p/%d %p %d %d %p\n",
+ qif ? qif->qf_name : "?", out, qif->qf_hl, q,
+ q ? q->q_ptr : NULL, q ? q->q_qinfo : NULL,
+ mt->b_wptr - mt->b_rptr, m, MTYPE(m), mt, MTYPE(mt), m->b_rptr,
+ m->b_wptr - m->b_rptr, off, ip);
+ printf("%02x%02x%02x%02x\n", *s, *(s+1), *(s+2), *(s+3));
+ while (m != mt) {
i = 0;
t = outb;
s = mt->b_rptr;
- sprintf(t, "%d:", MTYPE(mt));
- t += strlen(t);
+ sprintf((char *)t, "%d:", MTYPE(mt));
+ t += strlen((char *)t);
for (; (i < 100) && (s < mt->b_wptr); i++) {
- sprintf(t, "%02x%s", *s++, ((i & 3) == 3) ? " " : "");
+ sprintf((char *)t, "%02x%s", *s++,
+ ((i & 3) == 3) ? " " : "");
t += ((i & 3) == 3) ? 3 : 2;
}
*t++ = '\n';
*t = '\0';
printf("%s", outb);
+ mt = mt->b_cont;
}
i = 0;
t = outb;
s = m->b_rptr;
- sprintf(t, "%d:", MTYPE(m));
- t += strlen(t);
+ sprintf((char *)t, "%d:", MTYPE(m));
+ t += strlen((char *)t);
for (; (i < 100) && (s < m->b_wptr); i++) {
- sprintf(t, "%02x%s", *s++, ((i & 3) == 3) ? " " : "");
+ sprintf((char *)t, "%02x%s", *s++, ((i & 3) == 3) ? " " : "");
t += ((i & 3) == 3) ? 3 : 2;
}
*t++ = '\n';
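Review bot: `qif->qf_hl` in the new printf is dereferenced unconditionally on the same call that guards `qif ? qif->qf_name : "?"`, so a NULL qif (which the commented-out `fr_donotip(0, NULL, q, mb, mb, NULL, 0)` calls in fr_qin/fr_qout would pass) crashes this debug path instead of printing. Guard it the same way, e.g. `qif ? qif->qf_hl : -1`. fr_donotip's signature is in the previous hunk, outside this one.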
@@ -382,7 +456,7 @@ int off;
* find the first data mblk, if present, in the chain we're processing. Also
* make a few sanity checks to try prevent the filter from causing a panic -
* none of the nice IP sanity checks (including checksumming) should have been
- * done yet - dangerous!
+ * done yet (for incoming packets) - dangerous!
*/
static int fr_precheck(mp, q, qif, out)
mblk_t **mp;
@@ -390,10 +464,11 @@ queue_t *q;
qif_t *qif;
int out;
{
- u_long lbuf[48];
- mblk_t *m, *mt = *mp;
+ register mblk_t *m, *mt = *mp;
register ip_t *ip;
- int iphlen, hlen, len, err, mlen, off, synced = 0;
+ size_t hlen, len, off, mlen, iphlen;
+ int err, synced = 0;
+ u_char *bp;
#ifndef sparc
u_short __iplen, __ipoff;
#endif
@@ -407,14 +482,43 @@ tryagain:
off = (out) ? qif->qf_hl : 0;
/*
+ * If the message protocol block indicates that there isn't a data
+ * block following it, just return back.
+ */
+ bp = (u_char *)ALIGN32(mt->b_rptr);
+ if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) {
+ dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
+ if (dl->dl_primitive != DL_UNITDATA_IND &&
+ dl->dl_primitive != DL_UNITDATA_REQ) {
+ frstats[out].fr_notdata++;
+ return 0;
+ }
+ }
+
+ /*
* Find the first data block, count the data blocks in this chain and
* the total amount of data.
*/
for (m = mt; m && (MTYPE(m) != M_DATA); m = m->b_cont)
off = 0; /* Any non-M_DATA cancels the offset */
- if (!m)
+ if (!m) {
+ frstats[out].fr_nodata++;
return 0; /* No data blocks */
+ }
+
+ /*
+ * This is a complete kludge to try and work around some bizarre
+ * packets which drop through into fr_donotip.
+ */
+ if ((mt != m) && (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO)) {
+ dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
+ if ((dl->dl_primitive == DL_UNITDATA_IND) &&
+ (dl->dl_group_address == 1))
+ if (((*((u_char *)m->b_rptr) == 0x0) &&
+ ((*((u_char *)m->b_rptr + 2) == 0x45))))
+ off += 2;
+ }
ip = (ip_t *)(m->b_rptr + off); /* MMM */
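Review bot: The new M_PROTO/M_PCPROTO handling reads `dl->dl_primitive` (and, in the kludge below it, `m->b_rptr[0]` and `m->b_rptr[2]`) without first checking that the block holds that many bytes, and `ALIGN32(mt->b_rptr)` can round past `b_wptr` on a very small block. This runs on every received message before any IP sanity checking, so a short or malformed control block becomes an out-of-bounds read in the kernel. Guard both dereferences by length, e.g. `if (bp + sizeof(dl->dl_primitive) > mt->b_wptr) { frstats[out].fr_notdata++; return 0; }` before the first cast and `(m->b_wptr - m->b_rptr >= 3) &&` ahead of the byte tests in the kludge. fr_precheck starts in the previous hunk.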
@@ -424,31 +528,58 @@ tryagain:
*/
while ((u_char *)ip >= m->b_wptr) {
len = (u_char *)ip - m->b_wptr;
- if (!(m = m->b_cont))
+ m = m->b_cont;
+ if (m == NULL)
return 0; /* not enough data for IP */
ip = (ip_t *)(m->b_rptr + len);
}
- if ((off = (u_char *)ip - m->b_rptr))
+ off = (u_char *)ip - m->b_rptr;
+ if (off != 0)
m->b_rptr = (u_char *)ip;
mlen = msgdsize(m);
+ len = m->b_wptr - m->b_rptr;
+ if (m->b_wptr < m->b_rptr) {
+ cmn_err(CE_NOTE, "IP Filter: Bad packet: wptr %p < rptr %p",
+ m->b_wptr, m->b_rptr);
+ frstats[out].fr_bad++;
+ return -1;
+ }
/*
- * Ok, the IP header isn't on a 32bit aligned address. To get around
- * this, we copy the data to an aligned buffer and work with that.
+ * Ok, the IP header isn't on a 32bit aligned address so junk it.
*/
- if (!OK_32PTR(ip)) {
- len = MIN(mlen, sizeof(ip_t));
- copyout_mblk(m, 0, len, (char *)lbuf);
+ if (((u_int)ip & 0x3) || (len < sizeof(*ip))) {
+ /*
+ * We have link layer header and IP header in the same mbuf,
+ * problem being that a pullup without adjusting b_rptr will
+ * bring us back here again as it's likely that the start of
+ * the databuffer (b_datab->db_base) is already aligned. Hmm,
+ * should we pull it all up (length of -1 to pullupmsg) if we
+ * can, now ?
+ */
+fixalign:
+ if (off == (u_char *)ip - m->b_rptr) {
+ m->b_rptr += off;
+ off = 0;
+ }
+ if (!pullupmsg(m, sizeof(ip_t) + off)) {
+ cmn_err(CE_NOTE, "pullupmsg failed\n");
+ frstats[out].fr_pull[1]++;
+ return -1;
+ }
frstats[out].fr_pull[0]++;
- ip = (ip_t *)lbuf;
- } else
- len = m->b_wptr - (u_char *)ip;
+ synced = 1;
+ off = 0;
+ goto tryagain;
+ }
if (ip->ip_v != IPVERSION) {
m->b_rptr -= off;
if (!synced) {
synced = 1;
+ RWLOCK_EXIT(&ipfs_mutex);
ipfsync();
+ READ_ENTER(&ipfs_mutex);
goto tryagain;
}
fr_donotip(out, qif, q, m, mt, ip, off);
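Review bot: The `fixalign` retry is unbounded: after `pullupmsg()` succeeds it sets `synced = 1` and jumps to tryagain, but the alignment test `((u_int)ip & 0x3) || (len < sizeof(*ip))` never consults that flag, so if the re-derived ip is still misaligned (on the outbound side `off = qif->qf_hl` is added again on every pass) the function loops calling pullupmsg on the same packet indefinitely. The `m->b_rptr += off` done before the pullup is also not undone on the jump back, so, if I read the retry correctly, the link-header offset is applied twice on the second pass. Use a dedicated flag rather than overloading synced, e.g. `if (pulled) { frstats[out].fr_bad++; return -1; } pulled = 1;` immediately ahead of the pullup. The tryagain label and the rest of fr_precheck are outside this hunk.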
@@ -456,13 +587,41 @@ tryagain:
return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
}
+#ifndef sparc
+ __iplen = (u_short)ip->ip_len,
+ __ipoff = (u_short)ip->ip_off;
+
+ ip->ip_len = ntohs(__iplen);
+ ip->ip_off = ntohs(__ipoff);
+#endif
+
hlen = iphlen = ip->ip_hl << 2;
+ if ((iphlen < sizeof(ip_t)) || (iphlen > (u_short)ip->ip_len) ||
+ (mlen < (u_short)ip->ip_len)) {
+ /*
+ * Bad IP packet or not enough data/data length mismatches
+ */
+ cmn_err(CE_NOTE,
+ "IP Filter: Bad packet: iphlen %u ip_len %u mlen %u",
+ iphlen, ip->ip_len, mlen);
+#ifndef sparc
+ __iplen = (u_short)ip->ip_len,
+ __ipoff = (u_short)ip->ip_off;
+
+ ip->ip_len = htons(__iplen);
+ ip->ip_off = htons(__ipoff);
+#endif
+ m->b_rptr -= off;
+ frstats[out].fr_bad++;
+ return -1;
+ }
+
/*
* Make hlen the total size of the IP header plus TCP/UDP/ICMP header
* (if it is one of these three).
*/
- if (!(ntohs((u_short)ip->ip_off) & 0x1fff))
+ if ((ip->ip_off & IP_OFFMASK) == 0)
switch (ip->ip_p)
{
case IPPROTO_TCP :
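Review bot: The new bad-packet branch calls `cmn_err(CE_NOTE, ...)` once per packet, and its condition (`iphlen < sizeof(ip_t)`, `iphlen > ip_len`, `mlen < ip_len`) is entirely under the sender's control, so a stream of malformed datagrams becomes a console/syslog flood on the filtering host. `frstats[out].fr_bad` already records the event, so wrap the message in `#ifdef IPFDEBUG` or rate-limit it; the `"IP Filter: Bad packet: wptr < rptr"` message added in the previous hunk has the same exposure. fr_precheck's body continues past this hunk.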
@@ -478,62 +637,51 @@ tryagain:
default :
break;
}
+
+ if (hlen > mlen)
+ hlen = mlen;
+
/*
* If we don't have enough data in the mblk or we haven't yet copied
* enough (above), then copy some more.
*/
if ((hlen > len)) {
- len = MIN(hlen, sizeof(lbuf));
- len = MIN(mlen, len);
- copyout_mblk(m, 0, len, (char *)lbuf);
+ if (!pullupmsg(m, (int)hlen)) {
+ cmn_err(CE_NOTE, "pullupmsg failed\n");
+ frstats[out].fr_pull[1]++;
+ return -1;
+ }
frstats[out].fr_pull[0]++;
- ip = (ip_t *)lbuf;
+ ip = (ip_t *)ALIGN32(m->b_rptr);
}
-
-#ifndef sparc
- __iplen = (u_short)ip->ip_len,
- __ipoff = (u_short)ip->ip_off;
-
- ip->ip_len = htons(__iplen);
- ip->ip_off = htons(__ipoff);
-#endif
-
- if ((iphlen < sizeof(ip_t)) || (iphlen > (u_short)ip->ip_len) ||
- (mlen < (u_short)ip->ip_len)) {
- /*
- * Bad IP packet or not enough data/data length mismatches
- */
- m->b_rptr -= off;
- frstats[out].fr_bad++;
- return -1;
- }
-
qif->qf_m = m;
qif->qf_q = q;
qif->qf_off = off;
qif->qf_len = len;
err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp);
+ if (err == 2)
+ goto fixalign;
/*
* Copy back the ip header data if it was changed, we haven't yet
* freed the message and we aren't going to drop the packet.
+ * BUT only do this if there were no changes to the buffer, else
+ * we can't be sure that the ip pointer is still correct!
*/
+ if (*mp != NULL) {
+ if (*mp == mt) {
+ m->b_rptr -= off;
#ifndef sparc
- if (*mp) {
- __iplen = (u_short)ip->ip_len,
- __ipoff = (u_short)ip->ip_off;
+ __iplen = (u_short)ip->ip_len,
+ __ipoff = (u_short)ip->ip_off;
- ip->ip_len = htons(__iplen);
- ip->ip_off = htons(__ipoff);
- }
+ ip->ip_len = htons(__iplen);
+ ip->ip_off = htons(__ipoff);
#endif
- if (err == -2) {
- if (*mp && (ip == (ip_t *)lbuf)) {
- copyin_mblk(m, 0, len, (char *)lbuf);
- frstats[out].fr_pull[1]++;
- }
- err = 0;
+ } else
+ cmn_err(CE_NOTE,
+ "IP Filter: *mp %p mt %p %s\n", *mp, mt,
+ "mblk changed, cannot revert ip_len, ip_off");
}
- m->b_rptr -= off;
return err;
}
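Review bot: On non-sparc builds, when `*mp != mt` after fr_check the code only logs that ip_len/ip_off cannot be reverted and then returns `err`; if err is 0 the caller puts the message onward with those two fields still in host byte order, i.e. a corrupt packet on the wire. Failing closed is safer: set `err = -1;` in that else branch (fr_qin/fr_qout then free mb), or re-derive the header from `*mp` before the htons. Separately, `len` and therefore `qif->qf_len` are not refreshed after the second `pullupmsg(m, hlen)`, so they describe the pre-pullup block. fr_precheck starts in an earlier hunk.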
@@ -542,27 +690,41 @@ int fr_qin(q, mb)
queue_t *q;
mblk_t *mb;
{
- int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0;
- qif_t qfb, *qif;
+ int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
+ qif_t qf, *qif;
+ if (fr_running <= 0) {
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+
+ READ_ENTER(&ipf_solaris);
again:
- mutex_enter(&ipfs_mutex);
- while (!(qif = qif_from_queue(q))) {
+ if (fr_running <= 0) {
+ RWLOCK_EXIT(&ipf_solaris);
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+ READ_ENTER(&ipfs_mutex);
+ if (!(qif = qif_from_queue(q))) {
for (qif = qif_head; qif; qif = qif->qf_next)
if (&qif->qf_rqinit == q->q_qinfo && qif->qf_rqinfo &&
qif->qf_rqinfo->qi_putp) {
pnext = qif->qf_rqinfo->qi_putp;
- mutex_exit(&ipfs_mutex);
frstats[0].fr_notip++;
+ RWLOCK_EXIT(&ipfs_mutex);
if (!synced) {
ipfsync();
synced = 1;
goto again;
}
+ RWLOCK_EXIT(&ipf_solaris);
/* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */
return (*pnext)(q, mb);
}
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
if (!synced) {
ipfsync();
synced = 1;
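Review bot: `frstats[0].fr_notip++` is bumped before the `!synced` retry, so a queue that is recognised after ipfsync() is still counted as not-IP once and one that is never recognised is counted twice; move the increment below the `if (!synced) { ... goto again; }` block. Elsewhere in this change counters are updated with `ATOMIC_INC()` while this one is a plain `++` under a read lock, so concurrent put calls can lose updates. The same pattern is present in fr_qout. fr_qin continues in the next hunk.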
@@ -584,31 +746,32 @@ again:
#endif
);
frstats[0].fr_drop++;
+ RWLOCK_EXIT(&ipf_solaris);
+ mb->b_prev = NULL;
freemsg(mb);
return 0;
}
- /*
- * So we can be more re-entrant.
- */
- bcopy((char *)qif, (char *)&qfb, sizeof(*qif));
- mutex_exit(&ipfs_mutex);
- qif = &qfb;
- pnext = qif->qf_rqinfo->qi_putp;
+ bcopy((char *)qif, (char *)&qf, sizeof(qf));
+ qif = &qf;
type = MTYPE(mb);
- if (type == M_DATA || type == M_PROTO || type == M_PCPROTO)
- if (fr_precheck(&mb, q, qif, 0)) {
- if (mb)
- freemsg(mb);
- return 0;
- }
+ pnext = qif->qf_rqinfo->qi_putp;
- if (mb) {
+ if (datamsg(type) || (type == M_BREAK))
+ err = fr_precheck(&mb, q, qif, 0);
+
+ RWLOCK_EXIT(&ipfs_mutex);
+ RWLOCK_EXIT(&ipf_solaris);
+
+ if ((err == 0) && (mb != NULL)) {
if (pnext)
return (*pnext)(q, mb);
- cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x %s q %x info %x",
- qif, qif->qf_name, q, q->q_qinfo);
+ cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x q %x info %x",
+ qif, q, q->q_qinfo);
+ }
+ if (mb) {
+ mb->b_prev = NULL;
freemsg(mb);
}
return 0;
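Review bot: The inbound `"IP Filter: inp NULL"` warning drops `qif->qf_name` while the outbound counterpart in fr_qout keeps it; qif is the stack copy `qf` at this point, so the name is safe to print and it is the only thing in the message identifying the interface. Restore it: `cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x %s q %x info %x", qif, qif->qf_name, q, q->q_qinfo);`. fr_qin's start is in the previous hunk.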
@@ -619,17 +782,30 @@ int fr_qout(q, mb)
queue_t *q;
mblk_t *mb;
{
- int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0;
- qif_t qfb, *qif;
+ int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
+ qif_t qf, *qif;
+ if (fr_running <= 0) {
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+
+ READ_ENTER(&ipf_solaris);
again:
- mutex_enter(&ipfs_mutex);
+ if (fr_running <= 0) {
+ RWLOCK_EXIT(&ipf_solaris);
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+ READ_ENTER(&ipfs_mutex);
if (!(qif = qif_from_queue(q))) {
for (qif = qif_head; qif; qif = qif->qf_next)
if (&qif->qf_wqinit == q->q_qinfo && qif->qf_wqinfo &&
qif->qf_wqinfo->qi_putp) {
pnext = qif->qf_wqinfo->qi_putp;
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
frstats[1].fr_notip++;
if (!synced) {
ipfsync();
@@ -637,9 +813,10 @@ again:
goto again;
}
/* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */
+ RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
if (!synced) {
ipfsync();
synced = 1;
@@ -671,63 +848,73 @@ again:
q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next,
q->q_nbsrv->q_ptr);
frstats[1].fr_drop++;
+ RWLOCK_EXIT(&ipf_solaris);
+ mb->b_prev = NULL;
freemsg(mb);
return 0;
}
- /*
- * So we can be more re-entrant.
- */
- bcopy((char *)qif, (char *)&qfb, sizeof(*qif));
- mutex_exit(&ipfs_mutex);
- qif = &qfb;
- pnext = qif->qf_wqinfo->qi_putp;
+ bcopy((char *)qif, (char *)&qf, sizeof(qf));
+ qif = &qf;
type = MTYPE(mb);
- if (type == M_DATA || type == M_PROTO || type == M_PCPROTO)
- if (fr_precheck(&mb, q, qif, 1)) {
- if (mb)
- freemsg(mb);
- return 0;
- }
+ pnext = qif->qf_wqinfo->qi_putp;
- if (mb) {
+ if (datamsg(type) || (type == M_BREAK))
+ err = fr_precheck(&mb, q, qif, 1);
+
+ RWLOCK_EXIT(&ipfs_mutex);
+ RWLOCK_EXIT(&ipf_solaris);
+
+ if ((err == 0) && (mb != NULL)) {
if (pnext)
return (*pnext)(q, mb);
cmn_err(CE_WARN, "IP Filter: outp NULL: qif %x %s q %x info %x",
qif, qif->qf_name, q, q->q_qinfo);
+ }
+ if (mb) {
+ mb->b_prev = NULL;
freemsg(mb);
}
return 0;
}
-static int (*ipf_ip_inp) __P((queue_t *, mblk_t *)) = NULL;
-
-#include <sys/stropts.h>
-#include <sys/sockio.h>
-
-static int synctimeoutid = 0;
void ipf_synctimeout(arg)
-caddr_t arg;
+void *arg;
{
+ READ_ENTER(&ipf_solaris);
ipfsync();
- mutex_enter(&ipfs_mutex);
+ WRITE_ENTER(&ipfs_mutex);
synctimeoutid = 0;
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
+ RWLOCK_EXIT(&ipf_solaris);
}
-static int ipf_ip_qin(q, mp)
+static int ipf_ip_qin(q, mb)
queue_t *q;
-mblk_t *mp;
+mblk_t *mb;
{
struct iocblk *ioc;
int ret;
+
+ if (fr_running <= 0) {
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
- if (mp->b_datap->db_type != M_IOCTL)
- return (*ipf_ip_inp)(q, mp);
+ if (MTYPE(mb) != M_IOCTL)
+ return (*ipf_ip_inp)(q, mb);
- ioc = (struct iocblk *)mp->b_rptr;
+ READ_ENTER(&ipf_solaris);
+ if (fr_running <= 0) {
+ RWLOCK_EXIT(&ipf_solaris);
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+ ioc = (struct iocblk *)mb->b_rptr;
switch (ioc->ioc_cmd) {
case I_LINK:
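Review bot: ipf_ip_qin is spliced into IP's own write-side `qi_putp` (see solipdrvattach/solipdrvdetach), so the new `if (fr_running <= 0) { freemsg(mb); return 0; }` at its top silently discards every message sent to the IP driver — including M_IOCTLs such as plumbing an interface — whenever the filter is not running, e.g. between a failed detach and the next load. Pass through instead: `if (fr_running <= 0) return ipf_ip_inp ? (*ipf_ip_inp)(q, mb) : (freemsg(mb), 0);`. Note also that `ipf_ip_inp` is cleared under ipfs_mutex in solipdrvdetach but is read here without that lock and without a NULL check on the non-M_IOCTL path. The switch continues in the next hunk.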
@@ -737,23 +924,23 @@ mblk_t *mp;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x\n", ioc->ioc_cmd);
#endif
- ret = (*ipf_ip_inp)(q, mp);
+ ret = (*ipf_ip_inp)(q, mb);
- mutex_enter(&ipfs_mutex);
+ WRITE_ENTER(&ipfs_mutex);
if (synctimeoutid == 0) {
- synctimeoutid = timeout(
- ipf_synctimeout,
+ synctimeoutid = timeout(ipf_synctimeout,
NULL,
drv_usectohz(1000000) /*1 sec*/
);
- mutex_exit(&ipfs_mutex);
- } else
- mutex_exit(&ipfs_mutex);
+ }
- return ret;
+ RWLOCK_EXIT(&ipfs_mutex);
+ break;
default:
- return (*ipf_ip_inp)(q, mp);
+ ret = (*ipf_ip_inp)(q, mb);
}
+ RWLOCK_EXIT(&ipf_solaris);
+ return ret;
}
static int ipdrvattcnt = 0;
@@ -762,7 +949,8 @@ extern struct streamtab ipinfo;
void solipdrvattach()
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: solipdrvattach() ipinfo=0x%lx\n", &ipinfo);
+ cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx\n",
+ ipdrvattcnt, &ipinfo);
#endif
if (++ipdrvattcnt == 1) {
@@ -776,38 +964,39 @@ void solipdrvattach()
int solipdrvdetach()
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() ipinfo=0x%lx\n", &ipinfo);
+ cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx\n",
+ ipdrvattcnt, &ipinfo);
#endif
+ WRITE_ENTER(&ipfs_mutex);
if (--ipdrvattcnt <= 0) {
if (ipf_ip_inp && (ipinfo.st_wrinit->qi_putp == ipf_ip_qin)) {
ipinfo.st_wrinit->qi_putp = ipf_ip_inp;
ipf_ip_inp = NULL;
}
- mutex_enter(&ipfs_mutex);
if (synctimeoutid) {
- synctimeoutid = 0;
- mutex_exit(&ipfs_mutex);
untimeout(synctimeoutid);
- } else
- mutex_exit(&ipfs_mutex);
+ synctimeoutid = 0;
+ }
}
+ RWLOCK_EXIT(&ipfs_mutex);
+ return ipdrvattcnt;
}
/*
* attach the packet filter to each interface that is defined as having an
* IP address associated with it and save some of the info. for that struct
- * so we're not out of date as soon as te ill disappears - but we must sync
+ * so we're not out of date as soon as the ill disappears - but we must sync
* to be correct!
*/
void solattach()
{
queue_t *in, *out;
- qif_t *qif, *qf2;
- ill_t *il;
struct frentry *f;
+ qif_t *qif, *qf2;
ipnat_t *np;
- int len;
+ size_t len;
+ ill_t *il;
for (il = ill_g_head; il; il = il->ill_next) {
in = il->ill_rq;
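Review bot: solipdrvdetach now calls `untimeout(synctimeoutid)` while holding `WRITE_ENTER(&ipfs_mutex)`, and the ipf_synctimeout callback itself takes `WRITE_ENTER(&ipfs_mutex)`; untimeout(9F) waits for an in-flight callback to finish, so if the timer has already fired and is blocked on that lock the detach deadlocks. The removed code had this right — it cleared the id, dropped the lock and only then called untimeout. Restore that ordering, e.g. `id = synctimeoutid; synctimeoutid = 0; RWLOCK_EXIT(&ipfs_mutex); if (id) untimeout(id);` with a matching exit on the other branch. solattach, whose declarations close this hunk, continues beyond it.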
@@ -816,7 +1005,7 @@ void solattach()
out = il->ill_wq->q_next;
- mutex_enter(&ipfs_mutex);
+ WRITE_ENTER(&ipfs_mutex);
/*
* Look for entry already setup for this device
*/
@@ -825,7 +1014,7 @@ void solattach()
qif->qf_optr == out->q_ptr)
break;
if (qif) {
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
continue;
}
#ifdef IPFDEBUG
@@ -834,11 +1023,12 @@ void solattach()
il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp,
out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo);
#endif
- KMALLOC(qif, qif_t *, sizeof(*qif));
+ KMALLOC(qif, qif_t *);
if (!qif) {
cmn_err(CE_NOTE,
"IP Filter: malloc(%d) for qif_t failed\n",
sizeof(qif_t));
+ RWLOCK_EXIT(&ipfs_mutex);
continue;
}
@@ -855,7 +1045,7 @@ void solattach()
il->ill_name, in->q_qinfo->qi_putp,
in->q_qinfo);
#endif
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
KFREE(qif);
continue;
}
@@ -875,7 +1065,7 @@ void solattach()
il->ill_name, out->q_qinfo->qi_putp,
out->q_qinfo);
#endif
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
KFREE(qif);
continue;
}
@@ -883,6 +1073,8 @@ void solattach()
qif->qf_wqinfo = out->q_qinfo;
qif->qf_ill = il;
+ qif->qf_in = in;
+ qif->qf_out = out;
qif->qf_iptr = in->q_ptr;
qif->qf_optr = out->q_ptr;
qif->qf_hl = il->ill_hdr_length;
@@ -895,34 +1087,37 @@ void solattach()
/*
* Activate any rules directly associated with this interface
*/
- mutex_enter(&ipf_mutex);
+ WRITE_ENTER(&ipf_mutex);
for (f = ipfilter[0][fr_active]; f; f = f->fr_next) {
if ((f->fr_ifa == (struct ifnet *)-1)) {
- len = strlen(f->fr_ifname)+1; /* includes \0 */
- if (len && (len == il->ill_name_length) &&
+ len = strlen(f->fr_ifname) + 1;
+ if ((len != 0) &&
+ (len == (size_t)il->ill_name_length) &&
!strncmp(il->ill_name, f->fr_ifname, len))
f->fr_ifa = il;
}
}
for (f = ipfilter[1][fr_active]; f; f = f->fr_next) {
if ((f->fr_ifa == (struct ifnet *)-1)) {
- len = strlen(f->fr_ifname)+1; /* includes \0 */
- if (len && (len == il->ill_name_length) &&
+ len = strlen(f->fr_ifname) + 1;
+ if ((len != 0) &&
+ (len == (size_t)il->ill_name_length) &&
!strncmp(il->ill_name, f->fr_ifname, len))
f->fr_ifa = il;
}
}
- mutex_exit(&ipf_mutex);
- mutex_enter(&ipf_nat);
+ RWLOCK_EXIT(&ipf_mutex);
+ WRITE_ENTER(&ipf_nat);
for (np = nat_list; np; np = np->in_next) {
if ((np->in_ifp == (struct ifnet *)-1)) {
- len = strlen(np->in_ifname)+1; /* includes \0 */
- if (len && (len == il->ill_name_length) &&
+ len = strlen(np->in_ifname) + 1;
+ if ((len != 0) &&
+ (len == (size_t)il->ill_name_length) &&
!strncmp(il->ill_name, np->in_ifname, len))
np->in_ifp = il;
}
}
- mutex_exit(&ipf_nat);
+ RWLOCK_EXIT(&ipf_nat);
bcopy((caddr_t)qif->qf_rqinfo, (caddr_t)&qif->qf_rqinit,
sizeof(struct qinit));
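Review bot: The three `/* includes \0 */` comments were dropped from the interface-name matches, and they were the only explanation of why `strlen(...) + 1` is compared with `il->ill_name_length`; without them the `+ 1` reads like an off-by-one. Put the note back on each, e.g. `len = strlen(f->fr_ifname) + 1; /* ill_name_length counts the NUL */`, after confirming that is indeed how ill_name_length is defined. solattach's start and end are outside this hunk.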
@@ -946,7 +1141,7 @@ void solattach()
#endif
out->q_qinfo = &qif->qf_wqinit;
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
cmn_err(CE_CONT, "IP Filter: attach to [%s,%d]\n",
qif->qf_name, il->ill_ppa);
}
@@ -968,7 +1163,7 @@ int ipfsync()
register ill_t *il;
queue_t *in, *out;
- mutex_enter(&ipfs_mutex);
+ WRITE_ENTER(&ipfs_mutex);
for (qp = &qif_head; (qif = *qp); ) {
for (il = ill_g_head; il; il = il->ill_next)
if ((qif->qf_ill == il) &&
@@ -991,12 +1186,12 @@ int ipfsync()
/*
* Disable any rules directly associated with this interface
*/
- mutex_enter(&ipf_nat);
+ WRITE_ENTER(&ipf_nat);
for (np = nat_list; np; np = np->in_next)
if (np->in_ifp == (void *)qif->qf_ill)
np->in_ifp = (struct ifnet *)-1;
- mutex_exit(&ipf_nat);
- mutex_enter(&ipf_mutex);
+ RWLOCK_EXIT(&ipf_nat);
+ WRITE_ENTER(&ipf_mutex);
for (f = ipfilter[0][fr_active]; f; f = f->fr_next)
if (f->fr_ifa == (void *)qif->qf_ill)
f->fr_ifa = (struct ifnet *)-1;
@@ -1004,39 +1199,42 @@ int ipfsync()
if (f->fr_ifa == (void *)qif->qf_ill)
f->fr_ifa = (struct ifnet *)-1;
+#if 0 /* XXX */
+ /*
+ * As well as the ill disappearing when a device is unplumb'd,
+ * it also appears that the associated queue structures also
+ * disappear - at least in the case of ppp, which is the most
+ * volatile here. Thanks to Greg for finding this problem.
+ */
/*
* Restore q_qinfo pointers in interface queues
*/
- il = qif->qf_ill;
- in = il->ill_rq;
- out = NULL;
- if (in && il->ill_wq) {
- out = il->ill_wq->q_next;
- }
+ out = qif->qf_out;
+ in = qif->qf_in;
if (in) {
-#ifdef IPFDEBUG
+# ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
in, in->q_qinfo, qif->qf_rqinfo
);
-#endif
+# endif
in->q_qinfo = qif->qf_rqinfo;
}
if (out) {
-#ifdef IPFDEBUG
+# ifdef IPFDEBUG
cmn_err(CE_NOTE,
"IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
out, out->q_qinfo, qif->qf_wqinfo
);
-#endif
+# endif
out->q_qinfo = qif->qf_wqinfo;
}
- mutex_exit(&ipf_mutex);
-
+#endif /* XXX */
+ RWLOCK_EXIT(&ipf_mutex);
KFREE(qif);
qif = *qp;
}
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
solattach();
/*
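Review bot: With the q_qinfo restore disabled under `#if 0`, ipfsync now `KFREE`s a qif whose read/write queues, if they outlive the ill, still have `q_qinfo` pointing at `qf_rqinit`/`qf_wqinit` inside the freed block, so the next put on those queues dispatches through freed memory. The comment justifies this for ppp, where the queues vanish with the ill, but other drivers may not behave that way; consider restoring q_qinfo when `qif->qf_in`/`qif->qf_out` can be confirmed live, and at least state the assumption in the comment. The locals `in` and `out` are no longer assigned on this path and will draw unused-variable warnings. ipfsync continues past this hunk.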
@@ -1054,10 +1252,10 @@ int ipfsync()
int soldetach()
{
queue_t *in, *out;
- qif_t *qif, *qf2, **qp;
+ qif_t *qif, **qp;
ill_t *il;
- mutex_enter(&ipfs_mutex);
+ WRITE_ENTER(&ipfs_mutex);
/*
* Make two passes, first get rid of all the unknown devices, next
* unlink known devices.
@@ -1081,8 +1279,8 @@ int soldetach()
if (qif->qf_ill == il)
break;
if (il) {
- in = il->ill_rq;
- out = il->ill_wq->q_next;
+ in = qif->qf_in;
+ out = qif->qf_out;
cmn_err(CE_CONT, "IP Filter: detaching [%s,%d]\n",
qif->qf_name, il->ill_ppa);
@@ -1105,7 +1303,7 @@ int soldetach()
}
KFREE(qif);
}
- mutex_exit(&ipfs_mutex);
+ RWLOCK_EXIT(&ipfs_mutex);
return ipldetach();
}
@@ -1133,16 +1331,18 @@ mblk_t *mb, **mpp;
fr_info_t *fin;
frdest_t *fdp;
{
- mblk_t *mp = NULL;
+ ire_t *ir, *dir, *gw;
struct in_addr dst;
- ire_t *ir, *dir;
- int hlen = 0;
- u_char *s;
queue_t *q = NULL;
+ mblk_t *mp = NULL;
+ size_t hlen = 0;
+ frentry_t *fr;
+ void *ifp;
+ u_char *s;
#ifndef sparc
u_short __iplen, __ipoff;
-
+#endif
/*
* If this is a duplicate mblk then we want ip to point at that
* data, not the original, if and only if it is already pointing at
@@ -1150,29 +1350,13 @@ frdest_t *fdp;
*/
if (ip == (ip_t *)qf->qf_m->b_rptr && qf->qf_m != mb)
ip = (ip_t *)mb->b_rptr;
- /*
- * In fr_precheck(), we modify ip_len and ip_off in an aligned data
- * area. However, we only need to change it back if we didn't copy
- * the IP header data out.
- */
-
- __iplen = (u_short)ip->ip_len,
- __ipoff = (u_short)ip->ip_off;
-
- ip->ip_len = htons(__iplen);
- ip->ip_off = htons(__ipoff);
-#endif
-
- if (ip != (ip_t *)mb->b_rptr) {
- copyin_mblk(mb, 0, qf->qf_len, (char *)ip);
- frstats[fin->fin_out].fr_pull[1]++;
- }
/*
* If there is another M_PROTO, we don't want it
*/
if (*mpp != mb) {
(*mpp)->b_cont = NULL;
+ (*mpp)->b_prev = NULL;
freemsg(*mpp);
}
@@ -1184,8 +1368,10 @@ frdest_t *fdp;
dst = fin->fin_fi.fi_dst;
#if SOLARIS2 > 5
- dir = ire_route_lookup(dst.s_addr, 0, 0, 0, NULL, NULL, NULL,
- MATCH_IRE_DSTONLY);
+ gw = NULL;
+ dir = ire_route_lookup(dst.s_addr, 0xffffffff, 0, 0, NULL, &gw, NULL,
+ MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT|
+ MATCH_IRE_RECURSIVE);
#else
dir = ire_lookup(dst.s_addr);
#endif
@@ -1197,11 +1383,40 @@ frdest_t *fdp;
ir = dir;
if (ir && dir) {
+ ifp = ire_to_ill(ir);
+ fr = fin->fin_fr;
+ /*
+ * In case we're here due to "to <if>" being used with
+ * "keep state", check that we're going in the correct
+ * direction.
+ */
+ if ((fr != NULL) && (fdp->fd_ifp != NULL) &&
+ (fin->fin_rev != 0) && (fdp == &fr->fr_tif))
+ return -1;
+
+ fin->fin_ifp == ifp;
+ if (fin->fin_out == 0) {
+ fin->fin_fr = ipacct[1][fr_active];
+ if ((fin->fin_fr != NULL) &&
+ (fr_scanlist(FR_NOMATCH, ip, fin, mb)&FR_ACCOUNT)){
+ ATOMIC_INC(frstats[1].fr_acct);
+ }
+ fin->fin_fr = NULL;
+ (void) fr_checkstate(ip, fin);
+ (void) ip_natout(ip, fin);
+ }
+#ifndef sparc
+ __iplen = (u_short)ip->ip_len,
+ __ipoff = (u_short)ip->ip_off;
+
+ ip->ip_len = htons(__iplen);
+ ip->ip_off = htons(__ipoff);
+#endif
+
if ((mp = dir->ire_ll_hdr_mp)) {
hlen = dir->ire_ll_hdr_length;
s = mb->b_rptr;
-
if (hlen && (s - mb->b_datap->db_base) >= hlen) {
s -= hlen;
mb->b_rptr = (u_char *)s;
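Review bot: `fin->fin_ifp == ifp;` is a comparison whose result is discarded, almost certainly meant as `fin->fin_ifp = ifp;`; as written `ifp` is never used and the ipacct/fr_checkstate/ip_natout calls that follow still see the original inbound interface. Separately, the new wrong-direction `return -1` for `"to <if>"` with keep-state leaves `mb` unfreed, unlike `bad_fastroute` in the next hunk which frees it; confirm fr_check frees on -1, or `goto bad_fastroute;` instead. fr_fastroute's body continues in the next hunk.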
@@ -1222,30 +1437,37 @@ frdest_t *fdp;
else if (ir->ire_rfq)
q = WR(ir->ire_rfq);
if (q) {
+ mb->b_prev = NULL;
+ RWLOCK_EXIT(&ipfs_mutex);
+ RWLOCK_EXIT(&ipf_solaris);
putnext(q, mb);
+ READ_ENTER(&ipf_solaris);
+ READ_ENTER(&ipfs_mutex);
ipl_frouteok[0]++;
return 0;
}
}
bad_fastroute:
- ipl_frouteok[0]++;
+ mb->b_prev = NULL;
+ freemsg(mb);
+ ipl_frouteok[1]++;
return -1;
}
void copyout_mblk(m, off, len, buf)
mblk_t *m;
-int off, len;
+size_t off, len;
char *buf;
{
- char *s, *bp = buf;
- int mlen, olen, clen;
+ u_char *s, *bp = (u_char *)buf;
+ size_t mlen, olen, clen;
for (; m && len; m = m->b_cont) {
if (MTYPE(m) != M_DATA)
continue;
s = m->b_rptr;
- mlen = (char *)m->b_wptr - s;
+ mlen = m->b_wptr - s;
olen = MIN(off, mlen);
if ((olen == mlen) || (olen < off)) {
off -= olen;
@@ -1265,17 +1487,17 @@ char *buf;
void copyin_mblk(m, off, len, buf)
mblk_t *m;
-int off, len;
+size_t off, len;
char *buf;
{
- char *s, *bp = buf;
- int mlen, olen, clen;
+ u_char *s, *bp = (u_char *)buf;
+ size_t mlen, olen, clen;
for (; m && len; m = m->b_cont) {
if (MTYPE(m) != M_DATA)
continue;
s = m->b_rptr;
- mlen = (char *)m->b_wptr - s;
+ mlen = m->b_wptr - s;
olen = MIN(off, mlen);
if ((olen == mlen) || (olen < off)) {
off -= olen;
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index a0e07e7..a6d73ef 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -9,29 +9,35 @@ BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
-tests: first 0 ftests ptests
+tests: first 0 ftests ptests ntests
first:
-mkdir -p results
# Filtering tests
-ftests: 1 2 3 4 5 6 7 8 9 10 11 12 14
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+ntests: n1 n2 n3 n4
+
0:
@(cd ..; make ipftest; )
-1 2 3 4 5 6 7 8 9 10 11 14:
+f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14:
@/bin/sh ./dotest $@
-12:
+f12:
@/bin/sh ./hextest $@
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@/bin/sh ./itest $@
+n1 n2 n3 n4:
+ @/bin/sh ./nattest $@
+
clean:
- /bin/rm -f 1 2 3 4 5 6 7 8 9 10 11 12 results/*
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/*
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+ /bin/rm -f n1 n2 n3 n4
diff --git a/contrib/ipfilter/test/dotest b/contrib/ipfilter/test/dotest
index 06d04c5..5a11605 100644
--- a/contrib/ipfilter/test/dotest
+++ b/contrib/ipfilter/test/dotest
@@ -17,6 +17,7 @@ echo "$1...";
if [ $? -ne 0 ] ; then
exit 1;
fi
+ echo "--------" >> results/$1
done ) < regress/$1
cmp expected/$1 results/$1
status=$?
diff --git a/contrib/ipfilter/test/expected/f1 b/contrib/ipfilter/test/expected/f1
new file mode 100644
index 0000000..86d9592
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f1
@@ -0,0 +1,20 @@
+block
+block
+nomatch
+nomatch
+--------
+pass
+pass
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+block
+block
+--------
+nomatch
+nomatch
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f10 b/contrib/ipfilter/test/expected/f10
new file mode 100644
index 0000000..da6c312
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f10
@@ -0,0 +1,126 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+--------
+block
+block
+block
+nomatch
+nomatch
+block
+--------
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+--------
+block
+block
+nomatch
+nomatch
+nomatch
+block
+--------
+pass
+pass
+nomatch
+nomatch
+nomatch
+pass
+--------
+block
+block
+block
+block
+block
+block
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+block
+block
+block
+nomatch
+block
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+pass
+--------
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+block
+block
+block
+--------
+nomatch
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+nomatch
+block
+nomatch
+block
+--------
+pass
+pass
+nomatch
+pass
+nomatch
+pass
+--------
+block
+block
+block
+block
+block
+block
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+block
+nomatch
+nomatch
+block
+--------
diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11
new file mode 100644
index 0000000..ac37783
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f11
@@ -0,0 +1,72 @@
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f12 b/contrib/ipfilter/test/expected/f12
new file mode 100644
index 0000000..88354d9
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f12
@@ -0,0 +1,60 @@
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+pass
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+--------
diff --git a/contrib/ipfilter/test/expected/f14 b/contrib/ipfilter/test/expected/f14
new file mode 100644
index 0000000..1c6ed5c
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f14
@@ -0,0 +1,48 @@
+block
+nomatch
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+pass
+pass
+--------
+block
+nomatch
+nomatch
+nomatch
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f2 b/contrib/ipfilter/test/expected/f2
new file mode 100644
index 0000000..7093a41
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f2
@@ -0,0 +1,42 @@
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f3 b/contrib/ipfilter/test/expected/f3
new file mode 100644
index 0000000..5df3ac4
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f3
@@ -0,0 +1,48 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+nomatch
+nomatch
+--------
+nomatch
+pass
+pass
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+block
+nomatch
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+--------
+block
+block
+block
+block
+block
+--------
+pass
+pass
+pass
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f4 b/contrib/ipfilter/test/expected/f4
new file mode 100644
index 0000000..5df3ac4
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f4
@@ -0,0 +1,48 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+nomatch
+nomatch
+--------
+nomatch
+pass
+pass
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+block
+nomatch
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+--------
+block
+block
+block
+block
+block
+--------
+pass
+pass
+pass
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f5 b/contrib/ipfilter/test/expected/f5
new file mode 100644
index 0000000..36c7d40
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f5
@@ -0,0 +1,1392 @@
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+--------
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+--------
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f6 b/contrib/ipfilter/test/expected/f6
new file mode 100644
index 0000000..36c7d40
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f6
@@ -0,0 +1,1392 @@
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+--------
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+block
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+pass
+--------
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f7 b/contrib/ipfilter/test/expected/f7
new file mode 100644
index 0000000..6aa7951
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f7
@@ -0,0 +1,60 @@
+block
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f8 b/contrib/ipfilter/test/expected/f8
new file mode 100644
index 0000000..ad42ff2
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f8
@@ -0,0 +1,42 @@
+block
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+block
+nomatch
+block
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f9 b/contrib/ipfilter/test/expected/f9
new file mode 100644
index 0000000..709744d
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f9
@@ -0,0 +1,126 @@
+block
+block
+block
+block
+block
+block
+--------
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+block
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+--------
+block
+block
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/n1 b/contrib/ipfilter/test/expected/n1
new file mode 100644
index 0000000..77365f8
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n1
@@ -0,0 +1,96 @@
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.2.2.2 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.2.2.2 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.1.1.1
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+-------------------------------
+ip 20(20) 255 10.3.4.5 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.3.4.5 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.0
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 48(20) 1 10.3.4.5 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.1.1.1
+ip 20(20) 34 10.3.4.5 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.3.4.5 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.1.1.2
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.3.4.5 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+-------------------------------
+ip 20(20) 255 10.3.4.1 > 10.1.1.2
+ip 20(20) 255 10.3.4.2 > 10.1.1.2
+ip 20(20) 255 10.3.4.3 > 10.1.1.1
+ip 40(20) 6 10.3.4.3,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.3,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.3.4.4 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.3.4.5 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.3.4.6 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.3.4.7 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.1.1.2
+ip 20(20) 35 10.3.4.7 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.1.1.3
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n2 b/contrib/ipfilter/test/expected/n2
new file mode 100644
index 0000000..dc70138
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n2
@@ -0,0 +1,80 @@
+ip 40(20) 6 10.2.2.2,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.2.2.2,10001 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10001 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10003 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.5,40000 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.1.1.3,2000
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n3 b/contrib/ipfilter/test/expected/n3
new file mode 100644
index 0000000..03c0717
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n3
@@ -0,0 +1,12 @@
+ip 40(20) 6 192.168.2.1,1488 > 203.1.1.1,80
+ip 40(20) 6 192.168.2.1,1276 > 203.1.1.1,80
+ip 40(20) 6 192.168.2.1,1032 > 203.1.1.1,80
+ip 28(20) 17 192.168.2.1,1032 > 203.1.1.1,80
+ip 40(20) 6 192.168.2.1,65299 > 203.1.1.1,80
+-------------------------------
+ip 40(20) 6 192.168.1.1,1488 > 203.1.1.1,80
+ip 40(20) 6 192.168.1.1,1276 > 203.1.1.1,80
+ip 40(20) 6 192.168.1.0,1032 > 203.1.1.1,80
+ip 28(20) 17 192.168.1.0,1032 > 203.1.1.1,80
+ip 40(20) 6 192.168.1.255,65299 > 203.1.1.1,80
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n4 b/contrib/ipfilter/test/expected/n4
new file mode 100644
index 0000000..c6fb4d4
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n4
@@ -0,0 +1,30 @@
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
+-------------------------------
diff --git a/contrib/ipfilter/test/hextest b/contrib/ipfilter/test/hextest
index 76e1af5..c500c6b 100644
--- a/contrib/ipfilter/test/hextest
+++ b/contrib/ipfilter/test/hextest
@@ -14,6 +14,10 @@ echo "$1...";
/bin/cp /dev/null results/$1
( while read rule; do
echo "$rule" | ../ipftest -br - -Hi input/$1 >> results/$1;
+ if [ $? -ne 0 ] ; then
+ exit 1;
+ fi
+ echo "--------" >> results/$1
done ) < regress/$1
cmp expected/$1 results/$1
status=$?
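Review bot: The `exit 1` added inside the `( while ... done )` subshell only terminates the subshell; its status is never examined, so the script still runs `cmp` and a failed ipftest invocation surfaces only indirectly, as an expected/results mismatch. Propagating the subshell's status, e.g. `done ) < regress/$1 || exit 1`, makes the failure explicit and keeps a truncated results file from being mistaken for a real comparison. The same pattern appears in the new nattest script at its `done ) < regress/$1` line. The script's setup and its exit handling lie outside this hunk.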
diff --git a/contrib/ipfilter/test/input/f1 b/contrib/ipfilter/test/input/f1
new file mode 100644
index 0000000..7c3ae8a
--- /dev/null
+++ b/contrib/ipfilter/test/input/f1
@@ -0,0 +1,4 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+out 127.0.0.1 127.0.0.1
+out 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f10 b/contrib/ipfilter/test/input/f10
new file mode 100644
index 0000000..254cee7
--- /dev/null
+++ b/contrib/ipfilter/test/input/f10
@@ -0,0 +1,6 @@
+in 1.1.1.1 2.1.1.1 opt lsrr
+in 1.1.1.1 2.1.1.1
+in 1.1.1.1 2.1.1.1 opt ts
+in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
new file mode 100644
index 0000000..4eda58e
--- /dev/null
+++ b/contrib/ipfilter/test/input/f11
@@ -0,0 +1,11 @@
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
+in on e1 udp 1.1.1.1,1 4.4.4.4,53
+in on e1 udp 2.2.2.2,2 4.4.4.4,53
+in on e0 udp 4.4.4.4,53 1.1.1.1,1
+in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
+in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/contrib/ipfilter/test/input/f12 b/contrib/ipfilter/test/input/f12
new file mode 100644
index 0000000..5d9c1de
--- /dev/null
+++ b/contrib/ipfilter/test/input/f12
@@ -0,0 +1,35 @@
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF SYN
+45 00 0028 0000 4000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 02 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF ACK
+45 00 0028 0000 4000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 ACK
+45 00 0028 0000 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
+45 00 001c 0000 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 ACK
+45 00 001c 0000 6001 3f 06 0000 01010101 02010101
+00000000 50 10 2000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
+45 00 0014 0000 6000 3f 11 0000 01010101 02010101
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
+45 00 0018 0000 2000 3f 11 0000 01010101 02010101
+0035 0035
+
+# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
+45 00 001c 0000 2000 3f 11 0000 01010101 02010101
+0001 0001 0004 0000
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
+45 00 001c 0000 2000 3f 11 0000 01010101 02010101
+0035 0035 0004 0000
+
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
new file mode 100644
index 0000000..56ec16d
--- /dev/null
+++ b/contrib/ipfilter/test/input/f13
@@ -0,0 +1,39 @@
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,MF,FO=0 SYN
+45 00 0028 0001 4000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 02 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP MF ACK
+45 00 0024 0002 2000 3f 06 0000 01010101 02010101
+0401001900000000 0000000050102000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP FO=2 ACK
+45 00 002c 0002 0002 3f 06 0000 01010101 02010101
+0000000000010203 0405060708090a0b 0c0d0e0f10111213
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN
+45 00 0028 0003 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
+45 00 001c 0004 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 SYN
+45 00 001c 0005 6001 3f 06 0000 01010101 02010101
+00000000 50 10 2000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
+45 00 0014 0006 6000 3f 11 0000 01010101 02010101
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
+45 00 0018 0007 2000 3f 11 0000 01010101 02010101
+0035 0035
+
+# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
+45 00 001c 0008 2000 3f 11 0000 01010101 02010101
+0035003500040000
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
+45 00 001c 0008 0001 3f 11 0000 01010101 02010101
+0000000000000000
+
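Review bot: Several of the `#` header comments in this fixture do not match the hex bytes beneath them, which makes the file hard to audit against the rules in regress/f13. The first packet is labelled `DF,MF,FO=0` but its fragment field is `4000` (DF only); the fourth and sixth packets are labelled `SYN` while their TCP flags byte is `10` (ACK); the ninth is labelled `1.1.1.1,1 -> 2.1.1.1,1` while its port words are `0035 0035`. Since these comments are the only statement of what each packet is meant to exercise, either the comments should be corrected to describe the bytes (e.g. `# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0 SYN` for the first packet) or the bytes changed to match the stated intent, whichever the expected output was generated from.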
diff --git a/contrib/ipfilter/test/input/f14 b/contrib/ipfilter/test/input/f14
new file mode 100644
index 0000000..16a806f
--- /dev/null
+++ b/contrib/ipfilter/test/input/f14
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f2 b/contrib/ipfilter/test/input/f2
new file mode 100644
index 0000000..d168af0
--- /dev/null
+++ b/contrib/ipfilter/test/input/f2
@@ -0,0 +1,6 @@
+in tcp 127.0.0.1,1 127.0.0.1,21
+in tcp 1.1.1.1,1 1.2.1.1,21
+in udp 127.0.0.1,1 127.0.0.1,21
+in udp 1.1.1.1,1 1.2.1.1,21
+in icmp 127.0.0.1 127.0.0.1
+in icmp 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f3 b/contrib/ipfilter/test/input/f3
new file mode 100644
index 0000000..16a806f
--- /dev/null
+++ b/contrib/ipfilter/test/input/f3
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f4 b/contrib/ipfilter/test/input/f4
new file mode 100644
index 0000000..2956d1b
--- /dev/null
+++ b/contrib/ipfilter/test/input/f4
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.1.1.1
+in 1.1.1.1 1.1.1.2
+in 1.1.1.1 1.1.2.2
+in 1.1.1.1 1.2.2.2
diff --git a/contrib/ipfilter/test/input/f5 b/contrib/ipfilter/test/input/f5
new file mode 100644
index 0000000..41600c1
--- /dev/null
+++ b/contrib/ipfilter/test/input/f5
@@ -0,0 +1,28 @@
+in tcp 1.1.1.1,0 2.2.2.2,2222
+in tcp 1.1.1.1,1 2.2.2.2,2222
+in tcp 1.1.1.1,23 2.2.2.2,2222
+in tcp 1.1.1.1,21 2.2.2.2,2222
+in tcp 1.1.1.1,1023 2.2.2.2,2222
+in tcp 1.1.1.1,1024 2.2.2.2,2222
+in tcp 1.1.1.1,1025 2.2.2.2,2222
+in tcp 1.1.1.1,32767 2.2.2.2,2222
+in tcp 1.1.1.1,32768 2.2.2.2,2222
+in tcp 1.1.1.1,65535 2.2.2.2,2222
+in tcp 1.1.1.1,5999 2.2.2.2,2222
+in tcp 1.1.1.1,6000 2.2.2.2,2222
+in tcp 1.1.1.1,6009 2.2.2.2,2222
+in tcp 1.1.1.1,6010 2.2.2.2,2222
+in udp 1.1.1.1,0 2.2.2.2,2222
+in udp 1.1.1.1,1 2.2.2.2,2222
+in udp 1.1.1.1,23 2.2.2.2,2222
+in udp 1.1.1.1,21 2.2.2.2,2222
+in udp 1.1.1.1,1023 2.2.2.2,2222
+in udp 1.1.1.1,1024 2.2.2.2,2222
+in udp 1.1.1.1,1025 2.2.2.2,2222
+in udp 1.1.1.1,32767 2.2.2.2,2222
+in udp 1.1.1.1,32768 2.2.2.2,2222
+in udp 1.1.1.1,65535 2.2.2.2,2222
+in udp 1.1.1.1,5999 2.2.2.2,2222
+in udp 1.1.1.1,6000 2.2.2.2,2222
+in udp 1.1.1.1,6009 2.2.2.2,2222
+in udp 1.1.1.1,6010 2.2.2.2,2222
diff --git a/contrib/ipfilter/test/input/f6 b/contrib/ipfilter/test/input/f6
new file mode 100644
index 0000000..21f0be3
--- /dev/null
+++ b/contrib/ipfilter/test/input/f6
@@ -0,0 +1,28 @@
+in tcp 2.2.2.2,2222 1.1.1.1,0
+in tcp 2.2.2.2,2222 1.1.1.1,1
+in tcp 2.2.2.2,2222 1.1.1.1,23
+in tcp 2.2.2.2,2222 1.1.1.1,21
+in tcp 2.2.2.2,2222 1.1.1.1,1023
+in tcp 2.2.2.2,2222 1.1.1.1,1024
+in tcp 2.2.2.2,2222 1.1.1.1,1025
+in tcp 2.2.2.2,2222 1.1.1.1,32767
+in tcp 2.2.2.2,2222 1.1.1.1,32768
+in tcp 2.2.2.2,2222 1.1.1.1,65535
+in tcp 2.2.2.2,2222 1.1.1.1,5999
+in tcp 2.2.2.2,2222 1.1.1.1,6000
+in tcp 2.2.2.2,2222 1.1.1.1,6009
+in tcp 2.2.2.2,2222 1.1.1.1,6010
+in udp 2.2.2.2,2222 1.1.1.1,0
+in udp 2.2.2.2,2222 1.1.1.1,1
+in udp 2.2.2.2,2222 1.1.1.1,23
+in udp 2.2.2.2,2222 1.1.1.1,21
+in udp 2.2.2.2,2222 1.1.1.1,1023
+in udp 2.2.2.2,2222 1.1.1.1,1024
+in udp 2.2.2.2,2222 1.1.1.1,1025
+in udp 2.2.2.2,2222 1.1.1.1,32767
+in udp 2.2.2.2,2222 1.1.1.1,32768
+in udp 2.2.2.2,2222 1.1.1.1,65535
+in udp 2.2.2.2,2222 1.1.1.1,5999
+in udp 2.2.2.2,2222 1.1.1.1,6000
+in udp 2.2.2.2,2222 1.1.1.1,6009
+in udp 2.2.2.2,2222 1.1.1.1,6010
diff --git a/contrib/ipfilter/test/input/f7 b/contrib/ipfilter/test/input/f7
new file mode 100644
index 0000000..2721af2
--- /dev/null
+++ b/contrib/ipfilter/test/input/f7
@@ -0,0 +1,9 @@
+in icmp 1.1.1.1 2.1.1.1 echo
+in icmp 1.1.1.1 2.1.1.1 echo,1
+in icmp 1.1.1.1 2.1.1.1 echo,3
+in icmp 1.1.1.1 2.1.1.1 unreach
+in icmp 1.1.1.1 2.1.1.1 unreach,1
+in icmp 1.1.1.1 2.1.1.1 unreach,3
+in icmp 1.1.1.1 2.1.1.1 echorep
+in icmp 1.1.1.1 2.1.1.1 echorep,1
+in icmp 1.1.1.1 2.1.1.1 echorep,3
diff --git a/contrib/ipfilter/test/input/f8 b/contrib/ipfilter/test/input/f8
new file mode 100644
index 0000000..cace511
--- /dev/null
+++ b/contrib/ipfilter/test/input/f8
@@ -0,0 +1,6 @@
+in tcp 1.1.1.1,1 2.1.2.2,1 S
+in tcp 1.1.1.1,1 2.1.2.2,1 SA
+in tcp 1.1.1.1,1 2.1.2.2,1 SF
+in tcp 1.1.1.1,1 2.1.2.2,1 SFPAUR
+in tcp 1.1.1.1,1 2.1.2.2,1 PAU
+in tcp 1.1.1.1,1 2.1.2.2,1 A
diff --git a/contrib/ipfilter/test/input/f9 b/contrib/ipfilter/test/input/f9
new file mode 100644
index 0000000..33f3be3
--- /dev/null
+++ b/contrib/ipfilter/test/input/f9
@@ -0,0 +1,6 @@
+in 1.1.1.1 2.1.1.1 opt lsrr
+in 1.1.1.1 2.1.1.1 opt lsrr,ssrr
+in 1.1.1.1 2.1.1.1 opt ts
+in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/n1 b/contrib/ipfilter/test/input/n1
new file mode 100644
index 0000000..a607390
--- /dev/null
+++ b/contrib/ipfilter/test/input/n1
@@ -0,0 +1,31 @@
+out on zx0 255 10.1.1.0 10.1.1.2
+out on zx0 255 10.1.1.1 10.1.1.2
+out on zx0 255 10.1.1.2 10.1.1.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 255 10.2.2.1 10.1.2.1
+out on zx0 255 10.2.2.2 10.1.2.1
+in on zx0 255 10.1.1.1 10.1.1.2
+in on zx0 255 10.1.1.2 10.1.1.1
+in on zx0 255 10.2.2.1 10.2.1.1
+in on zx0 255 10.2.2.2 10.2.1.1
+in on zx0 255 10.2.2.3 10.1.1.1
+in on zx0 255 10.2.3.4 10.2.2.2
+in on zx0 255 10.1.1.1 10.2.2.2
+in on zx0 255 10.1.1.2 10.2.2.2
+in on zx0 255 10.1.1.0 10.3.4.5
+in on zx0 255 10.1.1.1 10.3.4.5
+in on zx0 255 10.1.1.2 10.3.4.5
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
+out on zx0 icmp 10.1.1.1 10.4.3.2
+in on zx0 icmp 10.4.3.2 10.2.2.2
+in on zx0 icmp 10.4.3.2 10.3.4.3
+in on zx0 icmp 10.4.3.2 10.3.4.5
+out on zx0 34 10.1.1.2 10.4.3.2
+in on zx0 34 10.4.3.2 10.3.4.4
+out on zx0 34 10.1.1.2 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.5
+out on zx0 34 10.1.1.3 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.6
+out on zx0 35 10.1.1.3 10.4.3.4
+in on zx0 35 10.4.3.4 10.3.4.7
diff --git a/contrib/ipfilter/test/input/n2 b/contrib/ipfilter/test/input/n2
new file mode 100644
index 0000000..476f16e
--- /dev/null
+++ b/contrib/ipfilter/test/input/n2
@@ -0,0 +1,19 @@
+out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+out on zx0 10.1.1.0 10.1.1.2
+out on zx0 10.1.1.1 10.1.2.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
+out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
+out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
+out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
+in on zx0 10.1.1.1 10.1.1.2
+in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+in on zx0 10.1.1.2 10.1.1.1
+in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
+in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
+in on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
diff --git a/contrib/ipfilter/test/input/n3 b/contrib/ipfilter/test/input/n3
new file mode 100644
index 0000000..deca317
--- /dev/null
+++ b/contrib/ipfilter/test/input/n3
@@ -0,0 +1,5 @@
+out on zz0 tcp 10.1.1.1,5000 203.1.1.1,80
+out on zz0 tcp 10.1.1.1,252 203.1.1.1,80
+out on zz0 tcp 10.1.0.0,32768 203.1.1.1,80
+out on zz0 udp 10.1.0.0,32768 203.1.1.1,80
+out on zz0 tcp 10.1.255.255,65535 203.1.1.1,80
diff --git a/contrib/ipfilter/test/input/n4 b/contrib/ipfilter/test/input/n4
new file mode 100644
index 0000000..52c2d88
--- /dev/null
+++ b/contrib/ipfilter/test/input/n4
@@ -0,0 +1,5 @@
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
+in on zx0 tcp 10.3.3.3,12345 10.1.0.0,23
+in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
+in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53
diff --git a/contrib/ipfilter/test/nattest b/contrib/ipfilter/test/nattest
new file mode 100755
index 0000000..2b3e931
--- /dev/null
+++ b/contrib/ipfilter/test/nattest
@@ -0,0 +1,27 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+/bin/cp /dev/null results/$1
+( while read rule; do
+ echo "$rule" | ../ipftest -Nbr - -i input/$1 >> results/$1;
+ if [ $? -ne 0 ] ; then
+ exit 1;
+ fi
+ echo "-------------------------------" >> results/$1
+done ) < regress/$1
+cmp expected/$1 results/$1
+status=$?
+if [ $status = 0 ] ; then
+ $TOUCH $1
+fi
+exit $status
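Review bot: `TOUCH` is left unset when none of the three probed paths exists, so the `$TOUCH $1` line on the success path expands to running `$1` itself as a command instead of touching the marker file. A default before the probe chain, `TOUCH=touch`, keeps the script working wherever touch is on PATH and lets the probes only override it. The unquoted `$1` in `results/$1`, `input/$1` and `regress/$1` is fine for the fixed test names used here but would split on whitespace; `"$1"` is the safer spelling.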
diff --git a/contrib/ipfilter/test/regress/f1 b/contrib/ipfilter/test/regress/f1
new file mode 100644
index 0000000..6a2ede9
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f1
@@ -0,0 +1,4 @@
+block in all
+pass in all
+block out all
+pass out all
diff --git a/contrib/ipfilter/test/regress/f10 b/contrib/ipfilter/test/regress/f10
new file mode 100644
index 0000000..3552983
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f10
@@ -0,0 +1,18 @@
+block in from any to any with not ipopts
+pass in from any to any with not opt sec-class topsecret
+block in from any to any with not opt ssrr,sec-class topsecret
+pass in from any to any with not opt ssrr,sec-class topsecret
+block in from any to any with not opt ts,sec-class topsecret
+pass in from any to any with not opt ts,sec-class topsecret
+block in from any to any with not opt sec-class secret
+pass in from any to any with not opt sec-class secret
+block in from any to any with not opt lsrr,ssrr
+pass in from any to any with not opt lsrr,ssrr
+pass in from any to any with not ipopts
+block in from any to any with not opt lsrr
+pass in from any to any with not opt lsrr
+block in from any to any with not opt ssrr,ts
+pass in from any to any with not opt ssrr,ts
+block in from any to any with not opt rr
+pass in from any to any with not opt rr
+block in from any to any with not opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/f11 b/contrib/ipfilter/test/regress/f11
new file mode 100644
index 0000000..0bf0a2a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f11
@@ -0,0 +1,6 @@
+pass in proto tcp from any to any port = 23 flags S/SA keep state
+block in proto tcp from any to any port = 23 flags S/SA keep state
+pass in proto udp from any to any port = 53 keep frags
+block in proto udp from any to any port = 53 keep frags
+pass in proto udp from any to any port = 53 keep state
+block in proto udp from any to any port = 53 keep state
diff --git a/contrib/ipfilter/test/regress/f12 b/contrib/ipfilter/test/regress/f12
new file mode 100644
index 0000000..c29f839
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f12
@@ -0,0 +1,6 @@
+pass in proto tcp from any port > 1024 to any port = 25 with not short
+pass in proto tcp from any port > 1024 to any port = 25
+block in proto tcp from any to any with short
+block in proto tcp from any to any with frag
+pass in proto udp from any port = 53 to any port = 53
+block in proto udp from any port = 53 to any port = 53 with not short
diff --git a/contrib/ipfilter/test/regress/f13 b/contrib/ipfilter/test/regress/f13
new file mode 100644
index 0000000..f123e47
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f13
@@ -0,0 +1,6 @@
+pass in proto tcp from any to any port = 25 flags S/SA keep frags
+block in proto tcp from any to any port = 25 flags S/SA keep frags
+pass in proto udp from any to any port = 53 keep frags
+block in proto udp from any to any port = 53 keep frags
+pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags
+block in proto tcp from any to any port = 25 flags S/SA keep state keep frags
diff --git a/contrib/ipfilter/test/regress/f14 b/contrib/ipfilter/test/regress/f14
new file mode 100644
index 0000000..06ab519
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f14
@@ -0,0 +1,8 @@
+block in from !1.1.1.1 to any
+pass in from 1.1.1.1 to !any
+block in from 1.1.1.0/24 to !any
+pass in from !1.1.1.0/24 to any
+block in from !1.1.0.0/16 to any
+pass in from 1.1.0.0/16 to !1.2.0.0/16
+block in from any to !127.0.0.0/8
+pass in from !any to any
diff --git a/contrib/ipfilter/test/regress/f2 b/contrib/ipfilter/test/regress/f2
new file mode 100644
index 0000000..e2f02a4
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f2
@@ -0,0 +1,6 @@
+block in proto tcp from any to any
+pass in proto tcp from any to any
+block in proto udp from any to any
+pass in proto udp from any to any
+block in proto icmp from any to any
+pass in proto icmp from any to any
diff --git a/contrib/ipfilter/test/regress/f3 b/contrib/ipfilter/test/regress/f3
new file mode 100644
index 0000000..ee80729
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f3
@@ -0,0 +1,8 @@
+block in from 1.1.1.1 to any
+pass in from 1.1.1.1 to any
+block in from 1.1.1.1/24 to any
+pass in from 1.1.1.1/24 to any
+block in from 1.1.1.1/16 to any
+pass in from 1.1.1.1/16 to any
+block in from 1.1.1.1/0 to any
+pass in from 1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/f4 b/contrib/ipfilter/test/regress/f4
new file mode 100644
index 0000000..bc8af2f
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f4
@@ -0,0 +1,8 @@
+block in from any to 1.1.1.1
+pass in from any to 1.1.1.1
+block in from any to 1.1.1.1/24
+pass in from any to 1.1.1.1/24
+block in from any to 1.1.1.1/16
+pass in from any to 1.1.1.1/16
+block in from any to 1.1.1.1/0
+pass in from any to 1.1.1.1/0
diff --git a/contrib/ipfilter/test/regress/f5 b/contrib/ipfilter/test/regress/f5
new file mode 100644
index 0000000..998eabd
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f5
@@ -0,0 +1,48 @@
+block in proto tcp from any port = 23 to any
+block in proto udp from any port = 23 to any
+block in proto tcp/udp from any port = 23 to any
+pass in proto tcp from any port <= 1023 to any
+pass in proto udp from any port <= 1023 to any
+pass in proto tcp/udp from any port <= 1023 to any
+block in proto tcp from any port >= 1024 to any
+block in proto udp from any port >= 1024 to any
+block in proto tcp/udp from any port >= 1024 to any
+pass in proto tcp from any port >= 1024 to any
+pass in proto udp from any port >= 1024 to any
+pass in proto tcp/udp from any port >= 1024 to any
+block in proto tcp from any port 0 >< 512 to any
+block in proto udp from any port 0 >< 512 to any
+block in proto tcp/udp from any port 0 >< 512 to any
+pass in proto tcp from any port 0 >< 512 to any
+pass in proto udp from any port 0 >< 512 to any
+pass in proto tcp/udp from any port 0 >< 512 to any
+block in proto tcp from any port 6000 <> 6009 to any
+block in proto udp from any port 6000 <> 6009 to any
+block in proto tcp/udp from any port 6000 <> 6009 to any
+pass in proto tcp from any port 6000 <> 6009 to any
+pass in proto udp from any port 6000 <> 6009 to any
+pass in proto tcp/udp from any port 6000 <> 6009 to any
+pass in proto tcp from any port = 23 to any
+pass in proto udp from any port = 23 to any
+pass in proto tcp/udp from any port = 23 to any
+block in proto tcp from any port != 21 to any
+block in proto udp from any port != 21 to any
+block in proto tcp/udp from any port != 21 to any
+pass in proto tcp from any port != 21 to any
+pass in proto udp from any port != 21 to any
+pass in proto tcp/udp from any port != 21 to any
+block in proto tcp from any port < 1024 to any
+block in proto udp from any port < 1024 to any
+block in proto tcp/udp from any port < 1024 to any
+pass in proto tcp from any port < 1024 to any
+pass in proto udp from any port < 1024 to any
+pass in proto tcp/udp from any port < 1024 to any
+block in proto tcp from any port > 1023 to any
+block in proto udp from any port > 1023 to any
+block in proto tcp/udp from any port > 1023 to any
+pass in proto tcp from any port > 1023 to any
+pass in proto udp from any port > 1023 to any
+pass in proto tcp/udp from any port > 1023 to any
+block in proto tcp from any port <= 1023 to any
+block in proto udp from any port <= 1023 to any
+block in proto tcp/udp from any port <= 1023 to any
diff --git a/contrib/ipfilter/test/regress/f6 b/contrib/ipfilter/test/regress/f6
new file mode 100644
index 0000000..291f09ad
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f6
@@ -0,0 +1,48 @@
+block in proto tcp from any to any port = 23
+block in proto udp from any to any port = 23
+block in proto tcp/udp from any to any port = 23
+pass in proto tcp from any to any port <= 1023
+pass in proto udp from any to any port <= 1023
+pass in proto tcp/udp from any to any port <= 1023
+block in proto tcp from any to any port >= 1024
+block in proto udp from any to any port >= 1024
+block in proto tcp/udp from any to any port >= 1024
+pass in proto tcp from any to any port >= 1024
+pass in proto udp from any to any port >= 1024
+pass in proto tcp/udp from any to any port >= 1024
+block in proto tcp from any to any port 0 >< 512
+block in proto udp from any to any port 0 >< 512
+block in proto tcp/udp from any to any port 0 >< 512
+pass in proto tcp from any to any port 0 >< 512
+pass in proto udp from any to any port 0 >< 512
+pass in proto tcp/udp from any to any port 0 >< 512
+block in proto tcp from any to any port 6000 <> 6009
+block in proto udp from any to any port 6000 <> 6009
+block in proto tcp/udp from any to any port 6000 <> 6009
+pass in proto tcp from any to any port 6000 <> 6009
+pass in proto udp from any to any port 6000 <> 6009
+pass in proto tcp/udp from any to any port 6000 <> 6009
+pass in proto tcp from any to any port = 23
+pass in proto udp from any to any port = 23
+pass in proto tcp/udp from any to any port = 23
+block in proto tcp from any to any port != 21
+block in proto udp from any to any port != 21
+block in proto tcp/udp from any to any port != 21
+pass in proto tcp from any to any port != 21
+pass in proto udp from any to any port != 21
+pass in proto tcp/udp from any to any port != 21
+block in proto tcp from any to any port < 1024
+block in proto udp from any to any port < 1024
+block in proto tcp/udp from any to any port < 1024
+pass in proto tcp from any to any port < 1024
+pass in proto udp from any to any port < 1024
+pass in proto tcp/udp from any to any port < 1024
+block in proto tcp from any to any port > 1023
+block in proto udp from any to any port > 1023
+block in proto tcp/udp from any to any port > 1023
+pass in proto tcp from any to any port > 1023
+pass in proto udp from any to any port > 1023
+pass in proto tcp/udp from any to any port > 1023
+block in proto tcp from any to any port <= 1023
+block in proto udp from any to any port <= 1023
+block in proto tcp/udp from any to any port <= 1023
diff --git a/contrib/ipfilter/test/regress/f7 b/contrib/ipfilter/test/regress/f7
new file mode 100644
index 0000000..6848a68
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f7
@@ -0,0 +1,6 @@
+block in proto icmp from any to any icmp-type echo
+pass in proto icmp from any to any icmp-type echo
+block in proto icmp from any to any icmp-type unreach code 3
+pass in proto icmp from any to any icmp-type unreach code 3
+block in proto icmp from any to any icmp-type echorep
+pass in proto icmp from any to any icmp-type echorep
diff --git a/contrib/ipfilter/test/regress/f8 b/contrib/ipfilter/test/regress/f8
new file mode 100644
index 0000000..0f28fd2
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f8
@@ -0,0 +1,6 @@
+block in proto tcp from any to any flags S
+pass in proto tcp from any to any flags S
+block in proto tcp from any to any flags S/SA
+pass in proto tcp from any to any flags S/SA
+block in proto tcp from any to any flags S/APU
+pass in proto tcp from any to any flags S/APU
diff --git a/contrib/ipfilter/test/regress/f9 b/contrib/ipfilter/test/regress/f9
new file mode 100644
index 0000000..17bc967
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f9
@@ -0,0 +1,18 @@
+block in from any to any with ipopts
+pass in from any to any with opt sec-class topsecret
+block in from any to any with opt ssrr,sec-class topsecret
+pass in from any to any with opt ssrr,sec-class topsecret
+block in from any to any with opt ts,sec-class topsecret
+pass in from any to any with opt ts,sec-class topsecret
+block in from any to any with opt sec-class secret
+pass in from any to any with opt sec-class secret
+block in from any to any with opt lsrr,ssrr
+pass in from any to any with opt lsrr,ssrr
+pass in from any to any with ipopts
+block in from any to any with opt lsrr
+pass in from any to any with opt lsrr
+block in from any to any with opt ssrr,ts
+pass in from any to any with opt ssrr,ts
+block in from any to any with opt rr
+pass in from any to any with opt rr
+block in from any to any with opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/n1 b/contrib/ipfilter/test/regress/n1
new file mode 100644
index 0000000..9bcf29b
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n1
@@ -0,0 +1,3 @@
+map zx0 10.1.1.1/32 -> 10.2.2.2/32
+map zx0 10.1.1.0/24 -> 10.3.4.5/32
+map zx0 10.1.1.0/24 -> 10.3.4.0/24
diff --git a/contrib/ipfilter/test/regress/n2 b/contrib/ipfilter/test/regress/n2
new file mode 100644
index 0000000..dbce5aa
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n2
@@ -0,0 +1,4 @@
+map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
diff --git a/contrib/ipfilter/test/regress/n3 b/contrib/ipfilter/test/regress/n3
new file mode 100644
index 0000000..82c83dd
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n3
@@ -0,0 +1,2 @@
+map zz0 10.1.0.0/16 -> 192.168.2.0/24 portmap tcp/udp auto
+map-block zz0 10.1.0.0/16 -> 192.168.1.0/24 ports 252
diff --git a/contrib/ipfilter/test/regress/n4 b/contrib/ipfilter/test/regress/n4
new file mode 100644
index 0000000..b066c7a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n4
@@ -0,0 +1,5 @@
+rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 10.1.1.0/24 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 0/0 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 10.1.1.0/24 port 53 -> 10.2.2.1 port 10053 udp
+rdr zx0 10.1.1.0/24 port 0 -> 10.2.2.1 port 0 tcp
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index 6900056..ac41ba2 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -1,9 +1,15 @@
+BUGS:
+-----
+* fix "to <ifname>" bug on FreeBSD 2.2.8
+fastroute works
+
+===============================================================================
+GENERAL:
+--------
+
* use fr_tcpstate() with NAT code for increased NAT usage security or even
fr_checkstate() - suspect this is not possible.
-* see if the Solaris2 and dynamic plumb/unplumb problem is solvable
-done ?
-
time permitting:
* load balancing across interfaces
@@ -16,26 +22,20 @@ on the way
* keep fragment information for state entries automatically.
done for NAT
-* support traceroute through the firewall
- (i.e. fix up ICMP errors coming back for NAT)
-done
-
* allow multiple ip addresses in a source route list for ipsend
* complete Linux port to implement all the IP Filter features
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
-* add switches to ipmon for better selective control over which logs are
- read/not read
-done
-
* add a flag to automate src spoofing
* ipfsync() should change IP#'s in current mappings as well as what's
in rules.
-document bimap
+* document bimap
+
+* document NAT rule order processing
-document NAT rule order processing
+* add more docs
+in progress
-add more docs