author | darrenr <darrenr@FreeBSD.org> | 1997-05-25 15:45:04 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 1997-05-25 15:45:04 +0000 |
commit | c44dbd7c3f13075bd51ec11e8e2c41c067a033c9 (patch) | |
tree | a0d4cf3124b601387d5da19c4f4c389403df8cbd /contrib | |
parent | 24604b167365edd20239eca75577c35ef759153c (diff) | |
parent | e0610b5498ab54082ddadbfebd47280245e3e0f8 (diff) | |
This commit was generated by cvs2svn to compensate for changes in r26119,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib')
65 files changed, 1522 insertions, 549 deletions
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.diffs b/contrib/ipfilter/FreeBSD-2.2/files.diffs new file mode 100644 index 0000000..8bd40ac --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/files.diffs @@ -0,0 +1,18 @@ +*** /sys/conf/files.orig Sat May 24 14:05:28 1997 +--- /sys/conf/files Sat May 24 14:06:44 1997 +*************** +*** 217,222 **** +--- 217,228 ---- + netinet/tcp_timer.c optional inet + netinet/tcp_usrreq.c optional inet + netinet/udp_usrreq.c optional inet ++ netinet/ip_fil.c optional ipfilter inet ++ netinet/fil.c optional ipfilter inet ++ netinet/ip_nat.c optional ipfilter inet ++ netinet/ip_frag.c optional ipfilter inet ++ netinet/ip_state.c optional ipfilter inet ++ netinet/ip_proxy.c optional ipfilter inet ++ netinet/mlf_ipl.c optional ipfilter inet + netipx/ipx.c optional ipx + netipx/ipx_cksum.c optional ipx + netipx/ipx_error.c optional ipx diff --git a/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs new file mode 100644 index 0000000..784ef5d --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs @@ -0,0 +1,16 @@ +*** files.newconf.orig Sun Jun 25 02:17:29 1995 +--- files.newconf Sun Jun 25 02:19:10 1995 +*************** +*** 161,166 **** +--- 161,171 ---- + file netinet/ip_input.c inet + file netinet/ip_mroute.c inet + file netinet/ip_output.c inet ++ file netinet/ip_fil.c ipfilter ++ file netinet/fil.c ipfilter ++ file netinet/ip_nat.c ipfilter ++ file netinet/ip_frag.c ipfilter ++ file netinet/ip_state.c ipfilter + file netinet/raw_ip.c inet + file netinet/tcp_debug.c inet + file netinet/tcp_input.c inet diff --git a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs index dfebbe8..c2822d3 100644 --- a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs +++ b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs 
@@ -1,5 +1,5 @@ -*** in_proto.c.orig Wed Apr 2 19:50:00 1997 ---- in_proto.c Wed Apr 2 19:51:21 1997 +*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997 +--- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997 *************** *** 89,94 **** --- 89,99 ---- diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs index 1339e01..c2b2b15 100644 --- a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs +++ b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs @@ -1,5 +1,5 @@ -*** ip_input.c.orig Wed Apr 2 19:41:44 1997 ---- /sys/netinet/ip_input.c Wed Apr 2 19:28:53 1997 +*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997 +--- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997 *************** *** 74,79 **** --- 74,82 ---- @@ -13,7 +13,7 @@ int rsvp_on = 0; static int ip_rsvp_on; *************** -*** 310,316 **** +*** 310,315 **** --- 313,327 ---- * - Wrap: fake packet's addr/port <unimpl.> * - Encapsulate: put it in another IP and send out. <unimp.> @@ -21,12 +21,12 @@ + #if defined(IPFILTER_LKM) || defined(IPFILTER) + if (fr_checkp) { + struct mbuf *m1 = m; - ++ + if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) + return; + ip = mtod(m = m1, struct ip *); + } + #endif + #ifdef COMPAT_IPFW if (ip_fw_chk_ptr) { - int action; diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs index 3f53ac7..d3cebd0 100644 --- a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs +++ b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs @@ -1,5 +1,5 @@ -*** ip_output.c.orig Wed Apr 2 19:41:48 1997 ---- /sys/netinet/ip_output.c Wed Apr 2 19:38:19 1997 +*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997 +--- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997 *************** *** 67,72 **** --- 67,76 ---- 
@@ -31,7 +31,7 @@ static int ip_setmoptions __P((int, struct ip_moptions **, struct mbuf *)); *************** -*** 338,344 **** +*** 338,343 **** --- 342,358 ---- * - Wrap: fake packet's addr/port <unimpl.> * - Encapsulate: put it in another IP and send out. <unimp.> @@ -39,17 +39,17 @@ + #if defined(IPFILTER_LKM) || defined(IPFILTER) + if (fr_checkp) { + struct mbuf *m1 = m; - ++ + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) + error = EHOSTUNREACH; -+ if (error || !m1) ++ if (error || !m1) + goto done; + ip = mtod(m = m1, struct ip *); -+ } ++ } + #endif + #ifdef COMPAT_IPFW if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) { - error = EACCES; *************** *** 559,565 **** * Copy options from ip to jp, @@ -59,7 +59,7 @@ ip_optcopy(ip, jp) struct ip *ip, *jp; { ---- 573,579 ---- +--- 574,580 ---- * Copy options from ip to jp, * omitting those not copied during fragmentation. */ diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall new file mode 100755 index 0000000..0354685 --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/kinstall 
@@ -0,0 +1,61 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD* ) cd .. +echo -n "Installing " +foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ + ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h) + echo -n "$i "; + cp $i /sys/netinet + chmod 644 /sys/netinet/$i +end +echo "" +echo "Copying /usr/include/osreldate.h to /sys/sys" +cp /usr/include/osreldate.h /sys/sys +echo "Patching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \ +(cd /sys/netinet; patch) + +if ( -f /sys/conf/files.newconf ) then + echo "Patching /sys/conf/files.newconf" + cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch) + echo "Patching /sys/conf/files" + cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch) +endif +if ( -f /sys/conf/files.oldconf ) then + echo "Patching /sys/conf/files.oldconf" + cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch) + echo "Patching /sys/conf/files" + cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch) +endif + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +echo "Re-config'ing $newconfig..." 
+if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} +endif +awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \ + $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/FreeBSD-2.2/unkinstall b/contrib/ipfilter/FreeBSD-2.2/unkinstall new file mode 100755 index 0000000..e31edfb --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/unkinstall 
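Review bot: In the files.oldconf branch, `cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)` names a file this commit does not add, while the files.newconf branch a few lines above uses `FreeBSD-2.2/files.diffs`; unless a filez.diffs exists outside this diff, that line should read `cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)`. The same line appears in unkinstall. None of the `patch` pipelines have their exit status checked, so a rejected hunk is silently followed by the kernel-config rewrite and `exit 0`; appending `|| exit 1` to each patch pipeline would stop the install at the first failure instead of leaving a half-patched /sys.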
@@ -0,0 +1,55 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD* ) cd .. +echo -n "Uninstalling " +foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h) + echo -n "$i "; + /bin/rm -f /sys/netinet/$i +end +echo "" +echo "Unpatching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \ +(cd /sys/netinet; patch -R) + +if ( -f /sys/conf/files.newconf ) then + echo "Unpatching /sys/conf/files.newconf" + cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R) + echo "Unpatching /sys/conf/files" + cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R) +endif +if ( -f /sys/conf/files.oldconf ) then + echo "Unpatching /sys/conf/files.oldconf" + cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R) + echo "Unpatching /sys/conf/files" + cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R) +endif + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} +endif +egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/FreeBSD-2.2/unminstall b/contrib/ipfilter/FreeBSD-2.2/unminstall index abb2631..07aaac0 100755 --- a/contrib/ipfilter/FreeBSD-2.2/unminstall 
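Review bot: The removal list in `foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h)` does not match what kinstall copies into /sys/netinet — ip_proxy.[ch], ip_ftp_pxy.c, mlf_ipl.c and ipl.h are installed but never removed, so an uninstall leaves stale ipfilter sources in the kernel tree. Use the same list as kinstall: `foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \` followed by `ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h)`. As in kinstall, the `patch -R` pipelines are not checked before the config file is rewritten, and the files.oldconf branch refers to `filez.diffs` rather than `files.diffs`.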
+++ b/contrib/ipfilter/FreeBSD-2.2/unminstall @@ -6,9 +6,9 @@ if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" if ( -d /sys/$karch ) set archdir="/sys/$karch" set confdir="$archdir/conf" -if ( $dir =~ */FreeBSD ) cd .. +if ( $dir =~ */FreeBSD* ) cd .. echo "Unpatching ip_input.c, ip_output.c and in_proto.c" -cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ +cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \ (cd /sys/netinet; patch -R) set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 425aa24..8675350 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -5,6 +5,59 @@ # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # +3.2alpha7 25/5/97 - Released + +add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> + +setup bits and pieces for compiling into a FreeBSD-2.2 kernel. + +split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. +mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). + +fix (negative) host matching in filtering. + +add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels +or later. + +make all the candidates for kernel compiling include "netinet/..." and build +a subdirectory "netinet" when compiling and symlink all .h files into this. + +add install make target to Makefile.ipsend + +3.2alpha6 8/5/97 - Released + +Add "!" (not) to hostname/ip matching. + +Automatically add packet info to the fragment cache if it is a fragment +and we're translating addreses for. + +Automatically add packet info to the fragment cache if it is a fragment +and we're "keeping state" for the packet. + +Solaris2 patches - Anthony Baxter (arb@connect.com.au) + +change install procedure for FreeBSD 2.2 to allow building to a kernel +which is different to the running kernel. + +add FIONREAD for Solaris2! + +when expiring NAT table entries, if we would set a time to fr_tcpclosed +(which is 1), make it fr_tcplaskack(20) so that the state tables have a +chance to clear up. + +3.2alpha5 + +add proxying skeleton support and sample ftp transparent proxy code. + +add printfs at startup to tell user what is happening. + +add packets & bytes for EXPIRE NAT log records. + +fix the "install-bsd" target in the root Makefile. Chris Williams +<psion@mv.mv.com> + +Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. + 3.2alpha4 2/4/97 - Released Some compiler warnings cleaned up. 
@@ -656,4 +709,3 @@ added code for ouput filtering as well as input filtering and added support for 1.0 22/04/93 - Released First release cut. - diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2 index 400963d..b0bae03 100644 --- a/contrib/ipfilter/INST.FreeBSD-2.2 +++ b/contrib/ipfilter/INST.FreeBSD-2.2 @@ -1,21 +1,26 @@ To build a kernel for use with the loadable kernel module, follow these steps: - 1. do "make freebsd22" + 1. In /sys/i386/conf, create a new kernel config file (to be used + with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL" - 2. do "make install-bsd" + 2. build the object files, telling it the name of the kernel to be + used. "freebsd22" MUST be the target, so the command would be + something like this: "make freebsd22 IPFILKERN=FIREWALL" + + 3. do "make install-bsd" (probably has to be done as root) - 3. run "FreeBSD-2.2/minstall" as root + 4. run "FreeBSD-2.2/minstall" as root - 4. build a new kernel + 5. build a new kernel - 5. install and reboot with the new kernel + 6. install and reboot with the new kernel - 6. use modload(8) to load the packet filter with: + 7. use modload(8) to load the packet filter with: modload if_ipl.o - 7. do "modstat" to confirm that it has been loaded successfully. + 8. do "modstat" to confirm that it has been loaded successfully. There is no need to use mknod to create the device in /dev; - upon loading the module, it will create itself with the correct values, diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD index fc35ecb..f642636 100644 --- a/contrib/ipfilter/INSTALL.FreeBSD +++ b/contrib/ipfilter/INSTALL.FreeBSD @@ -4,7 +4,7 @@ To build a kernel for use with the loadable kernel module, follow these steps: - 1. do "make bsd" + 1. do "make freebsd" 2. do "make install-bsd" (probably has to be done as root) 
@@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev; To build a kernel with the IP filter, follow these steps: - 1. do "make bsd" + 1. do "make freebsd" 2. do "make install-bsd" (probably has to be done as root) diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD index 2387827..cc48d17 100644 --- a/contrib/ipfilter/INSTALL.NetBSD +++ b/contrib/ipfilter/INSTALL.NetBSD @@ -1,7 +1,7 @@ To build a kernel for use with the loadable kernel module, follow these steps: - 1. do "make bsd" + 1. do "make netbsd" 2. do "make install-bsd" (probably has to be done as root) @@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev; To build a kernel with the IP filter, follow these steps: - 1. do "make bsd" + 1. do "make netbsd" 2. do "make install-bsd" (probably has to be done as root) diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 9c83fc4..80cebc7 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,13 +5,13 @@ # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # -# $Id: Makefile,v 2.0.2.7 1997/04/02 12:23:14 darrenr Exp $ +# $Id: Makefile,v 2.0.2.12 1997/05/24 08:13:34 darrenr Exp $ # # where to put things. # -BINDEST=/usr/local/ip_fil3.1.1/bin -SBINDEST=/usr/local/ip_fil3.1.1/sbin -MANDIR=/usr/local/ip_fil3.1.1/man +BINDEST=/usr/local/bin +SBINDEST=/sbin +MANDIR=/usr/local/man #To test prototyping #CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror CC=gcc 
@@ -65,20 +65,44 @@ tests: @if [ -d test ]; then (cd test; make) \ else echo test directory not present, sorry; fi -sunos solaris: +include: + mkdir -p netinet + (cd netinet; /bin/rm -f *; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .) + +sunos solaris: include ./buildsunos -freebsd22 freebsd30: +freebsd22 freebsd30: include -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi - @if [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \ - echo "Can't find ioconf.h"; \ + -rm -f BSD/$(CPU)/ioconf.h + @if [ -n $(IPFILKERN) ] ; then \ + ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPU); \ + elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \ + echo -n "Can't find ioconf.h in "; \ + echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \ exit 1;\ + else \ + ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \ fi - rm -f BSD/$(CPU)/ioconf.h - ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) - make bsd + make freebsd + +netbsd: include + -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi + -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend + -ln -s ../Makefile BSD/$(CPU)/Makefile + -ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend + (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mln_ipl.c"; cd ..) + (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + +freebsd freebsd20 freebsd21: include + -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi + -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend + -ln -s ../Makefile BSD/$(CPU)/Makefile + -ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend + (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..) + (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) -bsd netbsd freebsd freebsd20 freebsd21: +bsd: include -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend -ln -s ../Makefile BSD/$(CPU)/Makefile 
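Review bot: `@if [ -n $(IPFILKERN) ] ; then \` in the freebsd22/freebsd30 recipe is true even when IPFILKERN is not set, because the unquoted empty expansion leaves `[ -n ]`, which test treats as a single non-empty argument; the `uname -v` fallback that locates the running kernel's ioconf.h is therefore never reached and `ln -s /sys//ioconf.h BSD/$(CPU)` runs instead. Quote the expansion: `@if [ -n "$(IPFILKERN)" ] ; then \`. The `uname -v|sed ...` pipeline is now written out three times in this recipe; a `KERNDIR=` variable would keep the three in step.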
@@ -86,7 +110,7 @@ bsd netbsd freebsd freebsd20 freebsd21: (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..) (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) -bsdi bsdos: +bsdi bsdos: include -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend -ln -s ../Makefile BSD/$(CPU)/Makefile @@ -138,20 +162,15 @@ sunos5x86 solaris2x86: (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) install-bsd: bsd - (cd BSD/$(CPU); $(MAKE) "CPU=$(CPU) TOP=../.." install) + (cd BSD/$(CPU); make install "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPU); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) + install-sunos4: solaris (cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install) + install-sunos5: solaris (cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install) -# XXX FIXME: bogus to depend on all! -install: all ip_fil.h - -$(CP) ip_fil.h /usr/include/netinet/ip_fil.h - -$(CHMOD) 444 /usr/include/netinet/ip_fil.h - -$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST) - -$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST) - (cd man; $(MAKE) INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd ..) - rcsget: -@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \ ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \ diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos index 5e39669..b3f6578 100755 --- a/contrib/ipfilter/buildsunos +++ b/contrib/ipfilter/buildsunos @@ -1,10 +1,10 @@ #! /bin/sh -# $Id: buildsunos,v 2.0.2.3 1997/03/30 15:37:34 darrenr Exp $ +# $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` cpu=`uname -m` if [ $rev = 5 ] ; then - solrev=`uname -r | sed -e 's/^\([0-9]*\)\.\([0-9]*\)$/\2/'` + solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'` mkdir -p SunOS5/${cpu} /bin/rm -f SunOS5/${cpu}/Makefile /bin/rm -f SunOS5/${cpu}/Makefile.ipsend 
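Review bot: `install-bsd` now runs `(cd BSD/$(CPU); make install "TOP=../.." $(MFLAGS); cd ..)` with a bare `make`, whereas the install-sunos4 and install-sunos5 recipes in the same hunk keep `$(MAKE)`; a bare `make` does not honour the make binary the user invoked, so prefer `$(MAKE)` in both new install-bsd lines. The rule still depends on `bsd`, while INSTALL.FreeBSD and INSTALL.NetBSD in this commit tell users to build with `make freebsd` / `make netbsd`, which pass an `ML=` value the generic bsd target does not; whether that re-entry rebuilds the module with a different ML is not visible here and is worth checking.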
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 32b6068..b40695f 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -7,7 +7,7 @@
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
+static char rcsid[] = "$Id: fil.c,v 2.0.2.13 1997/05/24 07:33:37 darrenr Exp $";
 #endif
 #include <sys/errno.h>
@@ -45,11 +45,12 @@ static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
 #include <netinet/udp.h>
 #include <netinet/tcpip.h>
 #include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_frag.h"
-#include "ip_state.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
 #ifndef MIN
 #define MIN(a,b) (((a)<(b))?(a):(b))
 #endif
@@ -70,7 +71,6 @@ extern int opts;
 # define IPLLOG(a, c, d, e) ipllog()
 # if SOLARIS
 # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
-# define bcmp memcmp
 # else
 # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
 # endif
@@ -100,19 +100,12 @@ extern kmutex_t ipf_mutex;
 # endif
 #endif
-#ifndef IPF_LOGGING
-#define IPF_LOGGING 0
-#endif
-#ifdef IPF_DEFAULT_PASS
-#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
-#else
-#define IPF_NOMATCH (FR_PASS|FR_NOMATCH)
-#endif
 struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
 struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
 int fr_flags = IPF_LOGGING, fr_active = 0;
+int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
 fr_info_t frcache[2];
@@ -417,7 +410,7 @@ void *m;
 #endif
 {
 register u_long *ld, *lm, *lip;
- register int i;
+ register int i, j;
 lip = (u_long *)fi;
 lm = (u_long *)&fr->fr_mip;
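Review bot: With the `#ifndef IPF_LOGGING` and `#ifdef IPF_DEFAULT_PASS` fallbacks removed in the @@ -100 hunk, `int fr_flags = IPF_LOGGING, fr_active = 0;` and the new `int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);` compile only if both macros are supplied by one of the netinet/ headers now included above, which this diff does not show. fr_pass is the verdict applied to packets that match no rule and is now a writable global rather than a compile-time constant; a one-line comment such as `/* action taken when no rule matches; may be changed at run time */` would tell the next reader why it is a variable. In the @@ -417 hunk `register int i, j;` introduces `j`, which no visible line of that function uses — drop it if it is also unused in the lines outside these hunks.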
@@ -425,10 +418,10 @@ void *m;
 i = ((lip[0] & lm[0]) != ld[0]);
 FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
 lip[0], lm[0], ld[0]));
- i |= ((lip[1] & lm[1]) != ld[1]);
+ i |= ((lip[1] & lm[1]) != ld[1]) << 21;
 FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
 lip[1], lm[1], ld[1]));
- i |= ((lip[2] & lm[2]) != ld[2]);
+ i |= ((lip[2] & lm[2]) != ld[2]) << 22;
 FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
 lip[2], lm[2], ld[2]));
 i |= ((lip[3] & lm[3]) != ld[3]);
@@ -437,6 +430,7 @@ void *m;
 i |= ((lip[4] & lm[4]) != ld[4]);
 FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
 lip[4], lm[4], ld[4]));
+ i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
 if (i)
 continue;
 }
@@ -557,6 +551,7 @@ int out;
 fr_makefrip(hlen, ip, fin);
 fin->fin_ifp = ifp;
 fin->fin_out = out;
+ fin->fin_mp = mp;
 MUTEX_ENTER(&ipf_mutex);
 if (!out) {
@@ -566,24 +561,8 @@ int out;
 frstats[0].fr_acct++;
 }
- if ((pass = ipfr_knownfrag(ip, fin))) {
- if ((pass & FR_KEEPSTATE)) {
- if (fr_addstate(ip, fin, pass) == -1)
- frstats[out].fr_bads++;
- else
- frstats[out].fr_ads++;
- }
- } else if ((pass = fr_checkstate(ip, fin))) {
- if ((pass & FR_KEEPFRAG)) {
- if (fin->fin_fi.fi_fl & FI_FRAG) {
- if (ipfr_newfrag(ip, fin, pass) == -1)
- frstats[out].fr_bnfr++;
- else
- frstats[out].fr_nfr++;
- } else
- frstats[out].fr_cfr++;
- }
- } else {
+ if (!(pass = ipfr_knownfrag(ip, fin)) &&
+ !(pass = fr_checkstate(ip, fin))) {
 fc = frcache + out;
 if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
 /*
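Review bot: The negation added in the @@ -437 hunk, `i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));`, only inverts the right mismatch bits if FR_NOTSRCIP is exactly 1<<21 and FR_NOTDSTIP exactly 1<<22 — the literal shift counts written in the @@ -425 hunk; nothing in the hunk states that coupling, and a later change to either flag value would silently break negated host matches. Expressing the mismatch bits through the flags removes the dependency: `i |= ((lip[1] & lm[1]) != ld[1]) ? FR_NOTSRCIP : 0;` and `i |= ((lip[2] & lm[2]) != ld[2]) ? FR_NOTDSTIP : 0;`. In the @@ -566 hunk the explicit fr_addstate/ipfr_newfrag calls for known fragments and state matches are removed with nothing replacing them here; HISTORY suggests those helpers now do this themselves, but that is worth confirming since fr_checkstate and ipfr_knownfrag are outside this diff. The enclosing functions of all three hunks start and end outside the hunks.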
@@ -594,16 +573,16 @@ int out;
 frstats[out].fr_chit++;
 pass = fin->fin_fr->fr_flags;
 } else {
- pass = IPF_NOMATCH;
+ pass = fr_pass;
 if ((fin->fin_fr = ipfilter[out][fr_active]))
- pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m);
+ pass = FR_SCANLIST(fr_pass, ip, fin, m);
 bcopy((char *)fin, (char *)fc, FI_CSIZE);
 if (pass & FR_NOMATCH)
 frstats[out].fr_nom++;
 }
 fr = fin->fin_fr;
- if ((pass & FR_KEEPFRAG)) {
+ if (pass & FR_KEEPFRAG) {
 if (fin->fin_fi.fi_fl & FI_FRAG) {
 if (ipfr_newfrag(ip, fin, pass) == -1)
 frstats[out].fr_bnfr++;
@@ -660,6 +639,19 @@ logit:
 }
 }
 #endif /* IPFILTER_LOG */
+#ifdef _KERNEL
+ /*
+ * Only allow FR_DUP to work if a rule matched - it makes no sense to
+ * set FR_DUP as a "default" as there are no instructions about where
+ * to send the packet.
+ */
+ if (fr && (pass & FR_DUP))
+# if SOLARIS
+ mc = dupmsg(m);
+# else
+ mc = m_copy(m, 0, M_COPYALL);
+# endif
+#endif
 if (pass & FR_PASS)
 frstats[out].fr_pass++;
@@ -703,10 +695,16 @@ logit:
 #endif
 }
 }
+
+ /*
+ * If we didn't drop off the bottom of the list of rules (and thus
+ * the 'current' rule fr is not NULL), then we may have some extra
+ * instructions about what to do with a packet.
+ * Once we're finished return to our caller, freeing the packet if
+ * we are dropping it (* BSD ONLY *).
+ */
 #ifdef _KERNEL
 # if !SOLARIS
- if (pass & FR_DUP)
- mc = m_copy(m, 0, M_COPYALL);
 if (fr) {
 frdest_t *fdp = &fr->fr_tif;
@@ -722,8 +720,6 @@ logit:
 m_freem(m);
 return (pass & FR_PASS) ? 0 : -1;
 # else
- if (pass & FR_DUP)
- mc = dupmsg(m);
 if (fr) {
 frdest_t *fdp = &fr->fr_tif;
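Review bot: `mc = m_copy(m, 0, M_COPYALL);` in the @@ -660 hunk (and `mc = dupmsg(m);` on Solaris) returns NULL when mbufs or mblks are exhausted, and the code that consumes mc is outside this hunk; please confirm the FR_DUP sender further down tolerates a NULL mc, otherwise a duplicate is dereferenced or silently lost under memory pressure. Gating the copy on `fr` is the right fix — a packet that matched no rule has no fr_tif to be sent to — and a short comment at the consumer, e.g. `/* mc is NULL when the FR_DUP copy could not be allocated */`, would record the contract. The enclosing function continues beyond the last hunk.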
@@ -777,3 +773,126 @@ int len;
 return len;
 }
 #endif
+
+
+u_short ipf_cksum(addr, len)
+register u_short *addr;
+register int len;
+{
+ register u_long sum = 0;
+
+ for (sum = 0; len > 1; len -= 2)
+ sum += *addr++;
+
+ /* mop up an odd byte, if necessary */
+ if (len == 1)
+ sum += *(u_char *)addr;
+
+ /*
+ * add back carry outs from top 16 bits to low 16 bits
+ */
+ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
+ sum += (sum >> 16); /* add carry */
+ return (u_short)(~sum);
+}
+
+
+/*
+ * NB: This function assumes we've pullup'd enough for all of the IP header
+ * and the TCP header. We also assume that data blocks aren't allocated in
+ * odd sizes.
+ */
+u_short fr_tcpsum(m, ip, tcp)
+#if SOLARIS
+mblk_t *m;
+#else
+struct mbuf *m;
+#endif
+ip_t *ip;
+tcphdr_t *tcp;
+{
+ union {
+ u_char c[2];
+ u_short s;
+ } bytes;
+ u_long sum;
+ u_short *sp;
+ int len, add, hlen, ilen;
+
+ /*
+ * Add up IP Header portion
+ */
+ ilen = len = ip->ip_len - (ip->ip_hl << 2);
+ bytes.c[0] = 0;
+ bytes.c[1] = IPPROTO_TCP;
+ sum = bytes.s;
+ sum += htons((u_short)len);
+ sp = (u_short *)&ip->ip_src;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ if (sp != (u_short *)tcp)
+ sp = (u_short *)tcp;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp;
+ sp += 2; /* Skip over checksum */
+ sum += *sp++;
+
+#if SOLARIS
+ /*
+ * In case we had to copy the IP & TCP header out of mblks,
+ * skip over the mblk bits which are the header
+ */
+ if ((caddr_t)ip != (caddr_t)m->b_rptr) {
+ hlen = (caddr_t)sp - (caddr_t)ip;
+ while (hlen) {
+ add = MIN(hlen, m->b_wptr - m->b_rptr);
+ sp = (u_short *)((caddr_t)m->b_rptr + add);
+ if ((hlen -= add))
+ m = m->b_cont;
+ }
+ }
+#endif
+
+ if (!(len -= sizeof(*tcp)))
+ goto nodata;
+ while (len > 1) {
+ sum += *sp++;
+ len -= 2;
+#if SOLARIS
+ if ((caddr_t)sp > (caddr_t)m->b_wptr) {
+ m = m->b_cont;
+ PANIC((!m),("fr_tcpsum: not enough data"));
+ sp = (u_short *)m->b_rptr;
+ }
+#else
+# ifdef m_data
+ if ((caddr_t)sp > (m->m_data + m->m_len))
+# else
+ if ((caddr_t)sp > (caddr_t)(m->m_dat + m->m_off + m->m_len))
+# endif
+ {
+ m = m->m_next;
+ PANIC((!m),("fr_tcpsum: not enough data"));
+ sp = mtod(m, u_short *);
+ }
+#endif /* SOLARIS */
+ }
+ if (len) {
+ bytes.c[1] = 0;
+ bytes.c[0] = *(u_char *)sp;
+ sum += bytes.s;
+ }
+nodata:
+ sum = (sum >> 16) + (sum & 0xffff);
+ sum += (sum >> 16);
+ sum = (u_short)((~sum) & 0xffff);
+ return sum;
+}
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index ca6abe0..20384e0 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -30,9 +30,11 @@
 #include <netdb.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
+#include <netinet/tcp.h>
 #include "ip_compat.h"
 #include "ip_fil.h"
 #include "ipf.h"
+#include "ip_proxy.h"
 #include "ip_nat.h"
 #include "ip_frag.h"
 #include "ip_state.h"
@@ -43,7 +45,7 @@
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fils.c,v 2.0.2.7 1997/04/02 12:23:16 darrenr Exp $";
+static char rcsid[] = "$Id: fils.c,v 2.0.2.9 1997/05/08 10:11:31 darrenr Exp $";
 #endif
 #ifdef _PATH_UNIX
 #define VMUNIX _PATH_UNIX
@@ -95,7 +97,7 @@ char *argv[];
 (void)setuid(getuid());
 (void)setgid(getgid());
- while ((c = getopt(argc, argv, "afhIiosvd:")) != -1)
+ while ((c = getopt(argc, argv, "afhIinosvd:")) != -1)
 {
 switch (c)
 {
@@ -148,9 +150,18 @@ char *argv[];
 perror("ioctl(SIOCGETFS)");
 exit(-1);
 }
- if ((opts & OPT_IPSTATES) && (ioctl(fd, SIOCGIPST, &ipsst) == -1)) {
- perror("ioctl(SIOCGIPST)");
- exit(-1);
+ if ((opts & OPT_IPSTATES)) {
+ int sfd = open(IPL_STATE, O_RDONLY);
+
+ if (sfd == -1) {
+ perror("open");
+ exit(-1);
+ }
+ if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
+ perror("ioctl(SIOCGIPST)");
+ exit(-1);
+ }
+ close(sfd);
 }
 if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
 perror("ioctl(SIOCGFRST)");
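Review bot: The mbuf walk in fr_tcpsum's data loop checks the boundary after the read and with `>`: once `sum += *sp++;` has consumed the last two bytes of an mbuf, sp equals `m->m_data + m->m_len`, the `>` test is false, and the next iteration — or the trailing `bytes.c[0] = *(u_char *)sp;` — reads past the end of that mbuf instead of moving to m_next; the Solaris `b_wptr` branch has the same shape. Move the test ahead of the read and use `>=`, so the chain is advanced exactly when sp reaches the end and a segment that ends flush with an mbuf never reaches the PANIC; the trailing odd-byte read needs the same advance before it. Separately, `len -= sizeof(*tcp)` goes negative when `ip->ip_len - (ip->ip_hl << 2)` is smaller than a TCP header — ip_len comes from the packet, and the pullup the header comment relies on guarantees readable bytes, not a sane length — after which the `if (len)` odd-byte path runs on a negative count; unless the caller already rejects such lengths, bail out before the subtraction with `if (len < (int)sizeof(*tcp)) goto nodata;`. `ilen` is assigned but never read, and `add`/`hlen` are unused outside the SOLARIS block, which will warn on the BSD build.
```c
    while (len > 1) {
        /* move to the next buffer before reading, not after */
#if SOLARIS
        if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
            m = m->b_cont;
            PANIC((!m),("fr_tcpsum: not enough data"));
            sp = (u_short *)m->b_rptr;
        }
#else
# ifdef m_data
        if ((caddr_t)sp >= (m->m_data + m->m_len))
# else
        if ((caddr_t)sp >= (caddr_t)(m->m_dat + m->m_off + m->m_len))
# endif
        {
            m = m->m_next;
            PANIC((!m),("fr_tcpsum: not enough data"));
            sp = mtod(m, u_short *);
        }
#endif /* SOLARIS */
        sum += *sp++;
        len -= 2;
    }
    /* … unchanged: odd trailing byte (needs the same boundary move first), carry fold, return … */
```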
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c index 3a91e7a..0a83f28 100644 --- a/contrib/ipfilter/inet_addr.c +++ b/contrib/ipfilter/inet_addr.c @@ -55,7 +55,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.3 1997/03/27 13:45:00 darrenr Exp $"; +static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.4 1997/05/08 10:11:34 darrenr Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/param.h> @@ -179,7 +179,11 @@ inet_aton(cp, addr) * Ascii internet address interpretation routine. * The value returned is in network order. */ +#if defined(SOLARIS2) && (SOLARIS2 > 5) +u_int +#else u_long +#endif inet_addr(cp) register const char *cp; { diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index c1fbfce..cbb3239 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -1,15 +1,15 @@ /* - * (C)opyright 1993, 1994, 1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.0.2.6 1997/04/02 12:23:17 darrenr Exp $ + * $Id: ip_compat.h,v 2.0.2.11 1997/05/04 05:29:02 darrenr Exp $ */ -#ifndef __IP_COMPAT_H_ +#ifndef __IP_COMPAT_H__ #define __IP_COMPAT_H__ #ifndef __P 
@@ -24,6 +24,22 @@ #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif +#if defined(_KERNEL) && !defined(KERNEL) +#define KERNEL +#endif +#if defined(KERNEL) && !defined(_KERNEL) +#define _KERNEL +#endif + +#if defined(__SVR4) || defined(__svr4__) +#define index strchr +# ifndef _KERNEL +# define bzero(a,b) memset(a,0,b) +# define bcmp memcmp +# define bcopy(a,b,c) memmove(b,a,c) +# endif +#endif + #if SOLARIS # define MTYPE(m) ((m)->b_datap->db_type) # include <sys/ioccom.h> @@ -58,8 +74,10 @@ #if BSD > 199306 # define USE_QUAD_T # define U_QUAD_T u_quad_t +# define QUAD_T quad_t #else # define U_QUAD_T u_long +# define QUAD_T long #endif #ifndef MAX @@ -167,6 +185,7 @@ extern ill_t *get_unit __P((char *)); # define UIOMOVE(a,b,c,d) uiomove(a,b,c,d) # define SLEEP(id, n) sleep((id), PZERO+1) # define KFREE(x) kmem_free((char *)(x), sizeof(*(x))) +# define KFREES(x,s) kmem_free((char *)(x), (s)) # if SOLARIS typedef struct qif { struct qif *qf_next; @@ -219,13 +238,16 @@ extern vm_map_t kmem_map; # define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c)) # define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \ sizeof(*(x))) +# define KFREES(x,s) kmem_free(kmem_map, (vm_offset_t)(x), (s)) */ # ifdef M_PFIL # define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) # define KFREE(x) FREE((x), M_PFIL) +# define KFREES(x,s) FREE((x), M_PFIL) # else # define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT) # define KFREE(x) FREE((x), M_TEMP) +# define KFREES(x,s) FREE((x), M_TEMP) # endif # define UIOMOVE(a,b,c,d) uiomove(a,b,d) # define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0) @@ -238,7 +260,9 @@ extern vm_map_t kmem_map; # define SPLX(x) (void) splx(x) # endif # endif +# define PANIC(x,y) if (x) panic y #else +# define PANIC(x,y) ; # define MUTEX_ENTER(x) ; # define MUTEX_EXIT(x) ; # define SPLNET(x) ; 
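Review bot: `# define PANIC(x,y) if (x) panic y` expands to a bare `if`, so a call written as `if (c) PANIC(a, b); else other();` attaches the `else` to the macro's own `if`, and with the `#else` counterpart `# define PANIC(x,y) ;` the same call becomes `if (c) ;; else other();`, which does not compile. The usual guard is `# define PANIC(x,y) do { if (x) panic y; } while (0)` in the kernel branch and `# define PANIC(x,y) do { } while (0)` in the user-space one; fr_tcpsum in this commit is a first caller. The `*/` ending `# define KFREES(x,s) kmem_free(kmem_map, (vm_offset_t)(x), (s)) */` is only valid if it closes a comment opened before the hunk, as the neighbouring KFREE definition suggests; worth confirming that the kmem_map variants are indeed commented out rather than live.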
@@ -246,6 +270,7 @@ extern vm_map_t kmem_map; # define SPLX(x) ; # define KMALLOC(a,b,c) (a) = (b)malloc(c) # define KFREE(x) free(x) +# define KFREES(x,s) free(x) # define GETUNIT(x) get_unit(x) # define IRCOPY(a,b,c) bcopy((a), (b), (c)) # define IWCOPY(a,b,c) bcopy((a), (b), (c)) @@ -365,6 +390,7 @@ struct ipovly { # define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC) # define KFREE(x) kfree_s((x), sizeof(*(x))) +# define KFREES(x,s) kfree_s((x), (s)) # define IRCOPY(a,b,c) { \ error = verify_area(VERIFY_READ, \ (b) ,sizeof((b))); \ diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 353d7a6..b79c030 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $"; +static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.12 1997/05/24 07:39:56 darrenr Exp $"; #endif #ifndef SOLARIS @@ -15,7 +15,14 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $ #endif #ifdef __FreeBSD__ -#include <osreldate.h> +# if defined(KERNEL) && !defined(_KERNEL) +# define _KERNEL +# endif +# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# include <sys/osreldate.h> +# else +# include <osreldate.h> +# endif #endif #ifndef _KERNEL #include <stdio.h> 
@@ -25,7 +32,12 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $ #include <sys/types.h> #include <sys/param.h> #include <sys/file.h> -#include <sys/ioctl.h> +#if __FreeBSD_version >= 220000 && defined(_KERNEL) +# include <sys/fcntl.h> +# include <sys/filio.h> +#else +# include <sys/ioctl.h> +#endif #include <sys/time.h> #ifdef _KERNEL #include <sys/systm.h> @@ -35,9 +47,6 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $ #include <sys/dir.h> #include <sys/mbuf.h> #else -#define bcmp memcmp -#define bzero(a,b) memset(a,0,b) -#define bcopy(a,b,c) memcpy(b,a,c) #include <sys/filio.h> #endif #include <sys/protosw.h> @@ -47,6 +56,9 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $ #ifdef sun #include <net/af.h> #endif +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #include <net/route.h> #include <netinet/in.h> #include <netinet/in_var.h> @@ -57,17 +69,23 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $ #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include <syslog.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_frag.h" -#include "ip_nat.h" -#include "ip_state.h" +#ifndef _KERNEL +# include <syslog.h> +#endif +#include "netinet/ip_compat.h" +#include "netinet/ip_fil.h" +#include "netinet/ip_proxy.h" +#include "netinet/ip_nat.h" +#include "netinet/ip_frag.h" +#include "netinet/ip_state.h" #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif +#if !SOLARIS && defined(_KERNEL) +extern int ip_optcopy __P((struct ip *, struct ip *)); +#endif + -extern fr_flags, fr_active; extern struct protosw inetsw[]; #if BSD < 199306 static int (*fr_saveslowtimo) __P((void)); @@ -139,6 +157,7 @@ char *s; int iplattach() { + char *defpass; int s, i; SPLNET(s); 
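Review bot: `#if __FreeBSD_version >= 220000 && defined(_KERNEL)` tests a macro that this file only defines via the `__FreeBSD__`-guarded osreldate include a few lines earlier, so on every other platform it is an undefined identifier silently read as 0 and `-Wundef` will flag it; the send_reset hunk further down in this same file spells the test `defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)`, so use that form here and in the `>= 300000` if_var.h test for consistency. Nothing else in these include hunks changes behaviour, except that the former user-space `bcopy` -> `memcpy` mapping is now `memmove` in ip_compat.h, which is the correct direction.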
@@ -157,11 +176,21 @@ int iplattach() /* * Set log buffer pointers for each of the log buffers */ +#ifdef IPFILTER_LOG for (i = 0; i <= 2; i++) { iplh[i] = iplbuf[i]; iplt[i] = iplbuf[i]; } +#endif SPLX(s); + if (fr_pass & FR_PASS) + defpass = "pass"; + else if (fr_pass & FR_BLOCK) + defpass = "block"; + else + defpass = "no-match -> block"; + + printf("IP Filter: initialized. Default = %s all\n", defpass); return 0; } @@ -258,7 +287,8 @@ caddr_t data; * Filter ioctl interface. */ int iplioctl(dev, cmd, data, mode -#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ + (__FreeBSD_version >= 220000)) && defined(_KERNEL) , p) struct proc *p; #else @@ -278,10 +308,21 @@ int mode; #endif SPLNET(s); + + if (unit == IPL_LOGNAT) { + error = nat_ioctl(data, cmd, mode); + SPLX(s); + return error; + } + if (unit == IPL_LOGSTATE) { + error = fr_state_ioctl(data, cmd, mode); + SPLX(s); + return error; + } switch (cmd) { case FIONREAD : #ifdef IPFILTER_LOG - *(int *)data = iplused[unit]; + *(int *)data = iplused[IPL_LOGIPF]; #endif break; #if !defined(IPFILTER_LKM) && defined(_KERNEL) @@ -373,24 +414,13 @@ int mode; else { *(int *)data = iplused[unit]; iplh[unit] = iplt[unit] = iplbuf[unit]; - iplused[unit] = 0; + iplused[unix] = 0; } break; #endif /* IPFILTER_LOG */ - case SIOCADNAT : - case SIOCRMNAT : - case SIOCGNATS : - case SIOCGNATL : - case SIOCFLNAT : - case SIOCCNATL : - error = nat_ioctl(data, cmd, mode); - break; case SIOCGFRST : IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); break; - case SIOCGIPST : - IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t)); - break; default : error = EINVAL; break; 
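Review bot: `iplused[unix] = 0;` in the log-flush branch is a typo for `iplused[unit] = 0;` — most Unix compilers predefine `unix` as 1, so this zeroes the count of log unit 1 while the buffer that was just reset keeps its old count (and a compiler that does not predefine `unix` fails to build). Because the NAT and state units are now diverted to nat_ioctl()/fr_state_ioctl() before the switch, `unit` here can only be IPL_LOGIPF, so the IPF log is reported as still holding data after a flush and the NAT log counter is clobbered instead. Restore `iplused[unit] = 0;`. Separately, in iplattach() the `i` loop variable is now only used inside `#ifdef IPFILTER_LOG`, so declare it under the same guard to avoid an unused-variable warning; iplioctl's body continues outside the hunk.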
@@ -508,7 +538,8 @@ caddr_t data; * routines below for saving IP headers to buffer */ int iplopen(dev, flags -#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ + (__FreeBSD_version >= 220000)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; @@ -529,7 +560,8 @@ int flags; int iplclose(dev, flags -#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ + (__FreeBSD_version >= 220000)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; @@ -699,6 +731,9 @@ struct tcpiphdr *ti; struct tcphdr *tcp; struct mbuf *m; int tlen = 0; +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) + struct route ro; +#endif if (ti->ti_flags & TH_RST) return -1; /* feedback loop */ @@ -710,6 +745,8 @@ struct tcpiphdr *ti; # endif if (m == NULL) return -1; +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) +#endif if (ti->ti_flags & TH_SYN) tlen = 1; @@ -743,18 +780,29 @@ struct tcpiphdr *ti; ip->ip_ttl = ip_defttl; # endif +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) + bzero((char *)&ro, sizeof(ro)); + (void) ip_output(m, (struct mbuf *)0, &ro, 0, 0); + if (ro.ro_rt) + RTFREE(ro.ro_rt); +#else /* * extra 0 in case of multicast */ (void) ip_output(m, (struct mbuf *)0, 0, 0, 0); +#endif return 0; } -# ifndef IPFILTER_LKM +# if !defined(IPFILTER_LKM) && !(__FreeBSD_version >= 300000) # if BSD < 199306 +int iplinit __P((void)); + int # else +void iplinit __P((void)); + void # endif iplinit() diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index f6acda7..661e109 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h 
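Review bot: The `#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)` / `#endif` pair inserted right after `if (m == NULL) return -1;` in send_reset() is empty and should be deleted; it reads as a forgotten stub and the only FreeBSD-2.2-specific work (the zeroed `struct route ro`, the ip_output() call and the `RTFREE(ro.ro_rt)`) already lives in the later hunk. That later block is correct as written — `ro` is zeroed before use and the route reference is released on the way out — so the empty block adds nothing. send_reset() starts outside these hunks.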
@@ -1,12 +1,12 @@ /* - * (C)opyright 1993-1996 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.2.9 1997/04/02 12:23:20 darrenr Exp $ + * $Id: ip_fil.h,v 2.0.2.13 1997/05/24 07:41:55 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -97,6 +97,7 @@ typedef struct fr_info { u_short fin_dlen; char *fin_dp; /* start of data past IP header */ struct frentry *fin_fr; + void *fin_mp; } fr_info_t; #define FI_CSIZE (sizeof(struct fr_ip) + 11) @@ -179,16 +180,18 @@ typedef struct frentry { #define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */ #define FR_DUP 0x20000 /* duplicate packet */ #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */ +#define FR_NOTSRCIP 0x80000 /* not the src IP# */ +#define FR_NOTDSTIP 0x100000 /* not the dst IP# */ #define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB) /* * recognized flags for SIOCGETFF and SIOCSETFF */ -#define FF_LOGPASS 0x100000 -#define FF_LOGBLOCK 0x200000 -#define FF_LOGNOMATCH 0x400000 +#define FF_LOGPASS 0x10000000 +#define FF_LOGBLOCK 0x20000000 +#define FF_LOGNOMATCH 0x40000000 #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH) -#define FF_BLOCKNONIP 0x800000 /* Solaris2 Only */ +#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */ #define FR_NONE 0 #define FR_EQUAL 1 @@ -257,9 +260,9 @@ typedef struct ipl_ci { u_long flags; u_char ifname[IFNAMSIZ]; /* = 32 bytes */ #else - u_long flags:24; - u_long unit:8; - u_char ifname[4]; /* = 20 bytes */ + u_long flags; + u_int unit; + u_char ifname[4]; /* = 24 bytes */ #endif } ipl_ci_t; 
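Review bot: `#define FF_BLOCKNONIP 0x80000000` no longer fits in a signed `int`, yet the variable it is or'ed into is declared `extern int fr_flags;` further down in this same header; the constant is an `unsigned int` literal, so every `fr_flags & FF_BLOCKNONIP` test promotes to unsigned and storing the bit sets the sign of fr_flags, which is undefined-behaviour territory the moment anything shifts or compares it. Either declare the flag word `extern u_int fr_flags;` or keep FF_BLOCKNONIP below bit 31. Note also that moving the FF_* values to the top nibble changes the wire format of SIOCGETFF/SIOCSETFF, so the userland tool must be rebuilt in lockstep.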
@@ -268,6 +271,13 @@ typedef struct ipl_ci { #define ICMP_UNREACH_FILTER 13 #endif +#ifndef IPF_LOGGING +#define IPF_LOGGING 0 +#endif +#ifndef IPF_DEFAULT_PASS +#define IPF_DEFAULT_PASS 0 +#endif + #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) #define IPLLOGSIZE 8192 @@ -301,7 +311,12 @@ extern int send_reset __P((struct ip *, struct ifnet *)); extern int icmp_error __P((struct ip *, struct ifnet *)); extern void ipllog __P((void)); extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *)); -#else +extern int iplioctl __P((dev_t, int, caddr_t, int)); +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); +#else /* #ifndef _KERNEL */ +extern int iplattach __P((void)); +extern int ipldetach __P((void)); # if SOLARIS extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *, queue_t *, mblk_t **)); 
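Review bot: `#define IPF_DEFAULT_PASS 0` needs a comment saying what zero means, because the value is neither FR_PASS nor FR_BLOCK and a reader has to find the `fr_pass` test in iplattach() (which prints "no-match -> block" for that case) to learn it is the deny-by-default setting. Suggest `/* 0 = neither FR_PASS nor FR_BLOCK: packets matching no rule are blocked (see iplattach) */`, assuming fr_check() treats the unset bits the same way the attach message claims — confirm. A parallel one-liner on IPF_LOGGING saying what the build-time override is would help too.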
@@ -309,33 +324,6 @@ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, qif_t *, queue_t *, mblk_t *)); extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *, struct in_addr)); -# else -extern int fr_check __P((struct ip *, int, struct ifnet *, int, - struct mbuf **)); -extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, - struct mbuf **)); -extern int send_reset __P((struct tcpiphdr *)); -extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *)); -extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *)); -# endif -#endif -extern int fr_copytolog __P((int, char *, int)); -extern int ipl_unreach; -extern fr_info_t frcache[]; -extern char *iplh[3], *iplt[3]; -extern char iplbuf[3][IPLLOGSIZE]; -extern int iplused[3]; -extern struct frentry *ipfilter[2][2], *ipacct[2][2]; -extern struct filterstats frstats[]; - -#ifndef _KERNEL -extern int iplioctl __P((dev_t, int, caddr_t, int)); -extern int iplopen __P((dev_t, int)); -extern int iplclose __P((dev_t, int)); -#else -extern int iplattach __P((void)); -extern int ipldetach __P((void)); -# if SOLARIS extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *)); extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *)); 
@@ -343,11 +331,21 @@ extern int ipfsync __P((void)); # ifdef IPFILTER_LOG extern int iplread __P((dev_t, struct uio *, cred_t *)); # endif -# else +extern u_short fr_tcpsum __P((mblk_t *, ip_t *, tcphdr_t *)); +# else /* SOLARIS */ +extern int fr_check __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); +extern int send_reset __P((struct tcpiphdr *)); +extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *)); +extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *)); # ifdef IPFILTER_LKM extern int iplidentify __P((char *)); # endif -# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612) +extern u_short fr_tcpsum __P((struct mbuf *, ip_t *, tcphdr_t *)); +# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ + (NetBSD >= 199511) extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); extern int iplopen __P((dev_t, int, int, struct proc *)); extern int iplclose __P((dev_t, int, int, struct proc *)); @@ -366,5 +364,18 @@ extern int iplread __P((dev_t, struct uio *)); # define iplread noread # endif /* IPFILTER_LOG */ # endif /* SOLARIS */ -#endif /* _KERNEL */ +#endif /* #ifndef _KERNEL */ +extern u_short ipf_cksum __P((u_short *, int)); +extern int fr_copytolog __P((int, char *, int)); +extern int ipl_unreach; +extern int ipl_inited; +extern int fr_pass; +extern int fr_flags; +extern int fr_active; +extern fr_info_t frcache[]; +extern char *iplh[3], *iplt[3]; +extern char iplbuf[3][IPLLOGSIZE]; +extern int iplused[3]; +extern struct frentry *ipfilter[2][2], *ipacct[2][2]; +extern struct filterstats frstats[]; #endif /* __IP_FIL_H__ */ diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 59dac40..9b9bce3 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c 
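Review bot: The number of log units is hard-coded as `3` in four separate declarations (`iplh[3]`, `iplt[3]`, `iplbuf[3][IPLLOGSIZE]`, `iplused[3]`) while the C files index them with IPL_LOGIPF/IPL_LOGNAT/IPL_LOGSTATE; a single `#define IPL_LOGMAX 3` next to those unit names (not visible in this hunk) used in all four would stop the arrays and the unit list drifting apart. The declarations are also unconditional although ip_fil.c only references the buffers under `#ifdef IPFILTER_LOG`; wrapping them in the same guard would catch stray uses at compile time.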
@@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp $"; +static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.10 1997/05/24 07:36:23 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -19,8 +19,7 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) -#include <sys/ioccom.h> +#if defined(KERNEL) && (__FreeBSD_version >= 220000) #include <sys/filio.h> #include <sys/fcntl.h> #else 
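Review bot: `#if defined(KERNEL) && (__FreeBSD_version >= 220000)` runs before `netinet/ip_compat.h` is included, and ip_compat.h is where KERNEL and _KERNEL are mirrored onto each other (the ip_compat.h hunk on this page), so a kernel build that defines only `_KERNEL` takes the `#else` branch and pulls in `<sys/ioctl.h>` inside the kernel. Test both spellings here: `#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)`. The same pattern appears in the ip_nat.c include hunk below.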
@@ -54,39 +53,36 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_frag.h" -#include "ip_nat.h" -#include "ip_state.h" +#include "netinet/ip_compat.h" +#include "netinet/ip_fil.h" +#include "netinet/ip_proxy.h" +#include "netinet/ip_nat.h" +#include "netinet/ip_frag.h" +#include "netinet/ip_state.h" ipfr_t *ipfr_heads[IPFT_SIZE]; +ipfr_t *ipfr_nattab[IPFT_SIZE]; ipfrstat_t ipfr_stats; u_long ipfr_inuse = 0, fr_ipfrttl = 120; /* 60 seconds */ #ifdef _KERNEL extern int ipfr_timer_id; #endif -#if SOLARIS -# ifdef _KERNEL +#if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_frag; -# else -#define bcmp(a,b,c) memcmp(a,b,c) -#define bcopy(a,b,c) memmove(b,a,c) -# endif +extern kmutex_t ipf_natfrag; +extern kmutex_t ipf_nat; #endif -#ifdef __FreeBSD__ -# if BSD < 199306 -int ipfr_slowtimer __P((void)); -# else -void ipfr_slowtimer __P((void)); -# endif -#endif /* __FreeBSD__ */ + +static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **)); +static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **)); + ipfrstat_t *ipfr_fragstats() { ipfr_stats.ifs_table = ipfr_heads; + ipfr_stats.ifs_nattab = ipfr_nattab; ipfr_stats.ifs_inuse = ipfr_inuse; return &ipfr_stats; } @@ -96,10 +92,11 @@ ipfrstat_t *ipfr_fragstats() * add a new entry to the fragment cache, registering it as having come * through this box, with the result of the filter operation. */ -int ipfr_newfrag(ip, fin, pass) +static ipfr_t *ipfr_new(ip, fin, pass, table) ip_t *ip; fr_info_t *fin; int pass; +ipfr_t *table[]; { ipfr_t **fp, *fr, frag; u_int idx; 
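Review bot: ipfr_fragstats() now publishes the addresses of two kernel arrays (`ifs_table`, `ifs_nattab`) in the structure that SIOCGFRST copies out with IWCOPY, and no mode check is visible around that ioctl in the ip_fil.c hunk on this page, so any process that can open the device learns kernel data addresses. If the pointers exist only so ipfstat can walk the chains via /dev/kmem, say so on ipfrstat_t (`/* kernel addresses of the hash tables, for ipfstat -f via kmem */`) and make sure the device node is root-only; otherwise export counts rather than pointers. Adding ifs_nattab also changes the size of ipfrstat_t, so an old ipfstat against this kernel copies out a short struct.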
@@ -119,33 +116,77 @@ int pass; /* * first, make sure it isn't already there... */ - MUTEX_ENTER(&ipf_frag); - for (fp = &ipfr_heads[idx]; (fr = *fp); fp = &fr->ipfr_next) + for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next) if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ)) { ipfr_stats.ifs_exists++; MUTEX_EXIT(&ipf_frag); - return -1; + return NULL; } + /* + * allocate some memory, if possible, if not, just record that we + * failed to do so. + */ KMALLOC(fr, ipfr_t *, sizeof(*fr)); if (fr == NULL) { ipfr_stats.ifs_nomem++; MUTEX_EXIT(&ipf_frag); - return -1; + return NULL; } - if ((fr->ipfr_next = ipfr_heads[idx])) - ipfr_heads[idx]->ipfr_prev = fr; + + /* + * Instert the fragment into the fragment table, copy the struct used + * in the search using bcopy rather than reassign each field. + * Set the ttl to the default and mask out logging from "pass" + */ + if ((fr->ipfr_next = table[idx])) + table[idx]->ipfr_prev = fr; fr->ipfr_prev = NULL; - ipfr_heads[idx] = fr; + fr->ipfr_data = NULL; + table[idx] = fr; bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ); fr->ipfr_ttl = fr_ipfrttl; fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG); + /* + * Compute the offset of the expected start of the next packet. + */ fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3); ipfr_stats.ifs_new++; ipfr_inuse++; + return fr; +} + + +int ipfr_newfrag(ip, fin, pass) +ip_t *ip; +fr_info_t *fin; +int pass; +{ + ipfr_t *ipf; + + MUTEX_ENTER(&ipf_frag); + ipf = ipfr_new(ip, fin, pass, ipfr_heads); MUTEX_EXIT(&ipf_frag); - return 0; + return ipf ? 0 : -1; +} + + +int ipfr_nat_newfrag(ip, fin, pass, nat) +ip_t *ip; +fr_info_t *fin; +int pass; +nat_t *nat; +{ + ipfr_t *ipf; + + MUTEX_ENTER(&ipf_natfrag); + if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) { + ipf->ipfr_data = nat; + nat->nat_frag = ipf; + } + MUTEX_EXIT(&ipf_natfrag); + return ipf ? 0 : -1; } 
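Review bot: The `MUTEX_ENTER(&ipf_frag)` was moved out of ipfr_new() into its two wrappers, but the two early-return paths still execute `MUTEX_EXIT(&ipf_frag)` (the duplicate-entry branch and the KMALLOC-failure branch), so on a duplicate or out-of-memory ipfr_newfrag() releases ipf_frag twice and ipfr_nat_newfrag() releases ipf_frag, which it never took, before releasing ipf_natfrag; on Solaris, where MUTEX_* are real, that is a panic or a silently unlocked table. Delete both `MUTEX_EXIT(&ipf_frag);` lines inside ipfr_new() and leave locking entirely to the callers; a one-line comment `/* caller holds the mutex for `table' */` above the function would make the contract explicit. ipfr_new() starts in the previous hunk.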
@@ -153,9 +194,10 @@ int pass; * check the fragment cache to see if there is already a record of this packet * with its filter result known. */ -int ipfr_knownfrag(ip, fin) +static ipfr_t *ipfr_lookup(ip, fin, table) ip_t *ip; fr_info_t *fin; +ipfr_t *table[]; { ipfr_t *f, frag; u_int idx; @@ -164,6 +206,8 @@ fr_info_t *fin; /* * For fragments, we record protocol, packet id, TOS and both IP#'s * (these should all be the same for all fragments of a packet). + * + * build up a hash value to index the table with. */ frag.ipfr_p = ip->ip_p; idx = ip->ip_p; @@ -177,25 +221,26 @@ fr_info_t *fin; idx *= 127; idx %= IPFT_SIZE; - MUTEX_ENTER(&ipf_frag); - for (f = ipfr_heads[idx]; f; f = f->ipfr_next) + /* + * check the table, careful to only compare the right amount of data + */ + for (f = table[idx]; f; f = f->ipfr_next) if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src, IPFR_CMPSZ)) { u_short atoff, off; - if (f != ipfr_heads[idx]) { + if (f != table[idx]) { /* * move fragment info. to the top of the list * to speed up searches. */ if ((f->ipfr_prev->ipfr_next = f->ipfr_next)) f->ipfr_next->ipfr_prev = f->ipfr_prev; - f->ipfr_next = ipfr_heads[idx]; - ipfr_heads[idx]->ipfr_prev = f; + f->ipfr_next = table[idx]; + table[idx]->ipfr_prev = f; f->ipfr_prev = NULL; - ipfr_heads[idx] = f; + table[idx] = f; } - ret = f->ipfr_pass; off = ip->ip_off; atoff = (off & 0x1fff) - (fin->fin_dlen >> 3); /* 
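Review bot: ipfr_lookup() no longer takes `ipf_frag` itself (the `MUTEX_ENTER` line is removed) yet it still mutates the chain — the move-to-front block rewrites `ipfr_prev`/`ipfr_next` and `table[idx]` — so it is now only safe when the caller holds whichever mutex guards `table`, and nothing at the function says so. Add above the definition: `/* Caller must hold the mutex protecting `table' (ipf_frag for ipfr_heads, ipf_natfrag for ipfr_nattab): the move-to-front below modifies the chain. */`. The function's tail, including the offset bookkeeping, continues outside the hunk.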
@@ -209,11 +254,45 @@ fr_info_t *fin; f->ipfr_off = off; } ipfr_stats.ifs_hits++; - MUTEX_EXIT(&ipf_frag); - return ret; + return f; } + return NULL; +} + + +/* + * functional interface for normal lookups of the fragment cache + */ +nat_t *ipfr_nat_knownfrag(ip, fin) +ip_t *ip; +fr_info_t *fin; +{ + nat_t *nat; + ipfr_t *ipf; + + MUTEX_ENTER(&ipf_natfrag); + ipf = ipfr_lookup(ip, fin, ipfr_heads); + nat = ipf ? ipf->ipfr_data : NULL; + MUTEX_EXIT(&ipf_natfrag); + return nat; +} + + +/* + * functional interface for NAT lookups of the NAT fragment cache + */ +int ipfr_knownfrag(ip, fin) +ip_t *ip; +fr_info_t *fin; +{ + int ret; + ipfr_t *ipf; + + MUTEX_ENTER(&ipf_frag); + ipf = ipfr_lookup(ip, fin, ipfr_heads); + ret = ipf ? ipf->ipfr_pass : 0; MUTEX_EXIT(&ipf_frag); - return 0; + return ret; } @@ -223,20 +302,35 @@ fr_info_t *fin; void ipfr_unload() { ipfr_t **fp, *fr; + nat_t *nat; int idx; #if !SOLARIS && defined(_KERNEL) int s; #endif - MUTEX_ENTER(&ipf_frag); SPLNET(s); + MUTEX_ENTER(&ipf_frag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) for (fp = &ipfr_heads[idx]; (fr = *fp); ) { *fp = fr->ipfr_next; KFREE(fr); } - SPLX(s); MUTEX_EXIT(&ipf_frag); + + MUTEX_ENTER(&ipf_nat); + MUTEX_ENTER(&ipf_natfrag); + for (idx = IPFT_SIZE - 1; idx >= 0; idx--) + for (fp = &ipfr_nattab[idx]; (fr = *fp); ) { + *fp = fr->ipfr_next; + if ((nat = (nat_t *)fr->ipfr_data)) { + if (nat->nat_frag == fr) + nat->nat_frag = NULL; + } + KFREE(fr); + } + MUTEX_EXIT(&ipf_natfrag); + MUTEX_EXIT(&ipf_nat); + SPLX(s); } @@ -252,11 +346,17 @@ int ipfr_slowtimer() # endif { ipfr_t **fp, *fr; + nat_t *nat; int s, idx; MUTEX_ENTER(&ipf_frag); SPLNET(s); + /* + * Go through the entire table, looking for entries to expire, + * decreasing the ttl by one for each entry. If it reaches 0, + * remove it from the chain and free it. + */ for (idx = IPFT_SIZE - 1; idx >= 0; idx--) for (fp = &ipfr_heads[idx]; (fr = *fp); ) { --fr->ipfr_ttl; 
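Review bot: ipfr_nat_knownfrag() searches `ipfr_heads` — the filter's fragment table — while holding `ipf_natfrag`, but the NAT entries are registered in `ipfr_nattab` by ipfr_nat_newfrag() in the hunk above, and filter-table entries are created with `ipfr_data = NULL`; so the call can never return a NAT session, and it walks (and move-to-fronts) a chain guarded by a different mutex. Change the lookup to `ipf = ipfr_lookup(ip, fin, ipfr_nattab);`. The two header comments are also swapped: "normal lookups of the fragment cache" sits above the NAT function and "NAT lookups of the NAT fragment cache" above ipfr_knownfrag().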
@@ -274,12 +374,45 @@ int ipfr_slowtimer() } else fp = &fr->ipfr_next; } + MUTEX_EXIT(&ipf_frag); + + /* + * Same again for the NAT table, except that if the structure also + * still points to a NAT structure, and the NAT structure points back + * at the one to be free'd, NULL the reference from the NAT struct. + * NOTE: We need to grab both mutex's early, and in this order so as + * to prevent a deadlock if both try to expire at the same time. + */ + MUTEX_ENTER(&ipf_nat); + MUTEX_ENTER(&ipf_natfrag); + for (idx = IPFT_SIZE - 1; idx >= 0; idx--) + for (fp = &ipfr_nattab[idx]; (fr = *fp); ) { + --fr->ipfr_ttl; + if (fr->ipfr_ttl == 0) { + if (fr->ipfr_prev) + fr->ipfr_prev->ipfr_next = + fr->ipfr_next; + if (fr->ipfr_next) + fr->ipfr_next->ipfr_prev = + fr->ipfr_prev; + *fp = fr->ipfr_next; + ipfr_stats.ifs_expire++; + ipfr_inuse--; + if ((nat = (nat_t *)fr->ipfr_data)) { + if (nat->nat_frag == fr) + nat->nat_frag = NULL; + } + KFREE(fr); + } else + fp = &fr->ipfr_next; + } + MUTEX_EXIT(&ipf_natfrag); + MUTEX_EXIT(&ipf_nat); SPLX(s); # if SOLARIS - MUTEX_EXIT(&ipf_frag); fr_timeoutstate(); ip_natexpire(); - ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2); + ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000)); # else fr_timeoutstate(); ip_natexpire(); diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index 28b314c..df275ba 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h 
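Review bot: The NAT-table expiry pass is a line-for-line copy of the main-table loop with a two-line `nat_frag` clear dropped in, which is how the two will drift apart (the main loop's middle is outside this hunk, so I am assuming it performs the same unlink). Factor the walk into a static helper that takes the table and a flag, and have ipfr_slowtimer() call it once under each lock set; the lock-order comment ("ipf_nat before ipf_natfrag") then lives in one place. ipfr_slowtimer() starts outside the hunk.
```c
/*
 * Walk one fragment table, ageing every entry and freeing those whose
 * ttl reaches zero.  Caller holds the mutex protecting `table' (and
 * ipf_nat as well when clear_nat is set, so nat->nat_frag can be cleared).
 */
static void ipfr_expire(table, clear_nat)
ipfr_t *table[];
int clear_nat;
{
	ipfr_t **fp, *fr;
	nat_t *nat;
	int idx;

	for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
		for (fp = &table[idx]; (fr = *fp); ) {
			--fr->ipfr_ttl;
			if (fr->ipfr_ttl == 0) {
				if (fr->ipfr_prev)
					fr->ipfr_prev->ipfr_next = fr->ipfr_next;
				if (fr->ipfr_next)
					fr->ipfr_next->ipfr_prev = fr->ipfr_prev;
				*fp = fr->ipfr_next;
				ipfr_stats.ifs_expire++;
				ipfr_inuse--;
				if (clear_nat && (nat = (nat_t *)fr->ipfr_data))
					if (nat->nat_frag == fr)
						nat->nat_frag = NULL;
				KFREE(fr);
			} else
				fp = &fr->ipfr_next;
		}
}

/* … in ipfr_slowtimer(), replacing both inline loops … */
	MUTEX_ENTER(&ipf_frag);
	SPLNET(s);
	ipfr_expire(ipfr_heads, 0);
	MUTEX_EXIT(&ipf_frag);
	MUTEX_ENTER(&ipf_nat);
	MUTEX_ENTER(&ipf_natfrag);
	ipfr_expire(ipfr_nattab, 1);
	MUTEX_EXIT(&ipf_natfrag);
	MUTEX_EXIT(&ipf_nat);
	SPLX(s);
```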
@@ -1,21 +1,22 @@ /* - * (C)opyright 1993, 1994, 1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.0.2.4 1997/03/27 13:45:09 darrenr Exp $ + * $Id: ip_frag.h,v 2.0.2.7 1997/05/08 10:10:18 darrenr Exp $ */ -#ifndef __IP_FRAG_H_ +#ifndef __IP_FRAG_H__ #define __IP_FRAG_H__ #define IPFT_SIZE 257 typedef struct ipfr { struct ipfr *ipfr_next, *ipfr_prev; + void *ipfr_data; struct in_addr ipfr_src; struct in_addr ipfr_dst; u_short ipfr_id; @@ -35,14 +36,18 @@ typedef struct ipfrstat { u_long ifs_expire; u_long ifs_inuse; struct ipfr **ifs_table; + struct ipfr **ifs_nattab; } ipfrstat_t; #define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) extern ipfrstat_t *ipfr_fragstats __P((void)); extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int)); +extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, int, struct nat *)); +extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); extern int ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern void ipfr_unload __P((void)); + #if (BSD >= 199306) || SOLARIS extern void ipfr_slowtimer __P((void)); #else diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 7e0e381..3c9476f 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,10 +9,10 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $"; +static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp $"; #endif -#if defined(__FreeBSD__) && defined(KERNEL) +#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) #define _KERNEL #endif 
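Review bot: `extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));` uses the `nat_t` typedef from ip_nat.h, which silently forces every includer to pull in ip_nat.h before ip_frag.h — exactly the include reordering this commit had to make in ip_fil.c, ip_frag.c and ip_nat.c — whereas the neighbouring `ipfr_nat_newfrag` prototype already writes `struct nat *`. Add `struct nat;` near the top of ip_frag.h and declare the function as `extern struct nat *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));` so the header is self-contained. The new `ipfr_data` member and `ifs_nattab` field would each benefit from a trailing comment saying what they point to (`/* nat_t * for entries in ipfr_nattab, else NULL */`).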
@@ -26,7 +26,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $ #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#include <sys/ioctl.h> +#if defined(KERNEL) && (__FreeBSD_version >= 220000) +# include <sys/filio.h> +# include <sys/fnctl.h> +#else +# include <sys/ioctl.h> +#endif +#include <sys/fcntl.h> #include <sys/uio.h> #include <sys/protosw.h> #include <sys/socket.h> @@ -36,13 +42,19 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $ #if !defined(__SVR4) && !defined(__svr4__) # include <sys/mbuf.h> #else +# include <sys/filio.h> # include <sys/byteorder.h> # include <sys/dditypes.h> # include <sys/stream.h> # include <sys/kmem.h> #endif - +#if __FreeBSD_version >= 300000 +# include <sys/queue.h> +#endif #include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #ifdef sun #include <net/af.h> #endif 
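Review bot: `# include <sys/fnctl.h>` is a typo for `<sys/fcntl.h>`; whenever the `KERNEL && __FreeBSD_version >= 220000` branch is actually taken the file cannot compile, and it is only masked now because `<sys/fcntl.h>` is included unconditionally a few lines later. Fix the spelling (or simply drop the line, since the unconditional include already covers it). As in ip_frag.c, the test should also accept `_KERNEL`, which ip_compat.h only mirrors onto KERNEL after this point.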
@@ -62,36 +74,30 @@ extern struct ifnet vpnif; #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_state.h" +#include "netinet/ip_compat.h" +#include "netinet/ip_fil.h" +#include "netinet/ip_proxy.h" +#include "netinet/ip_nat.h" +#include "netinet/ip_frag.h" +#include "netinet/ip_state.h" #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif +#undef SOCKADDR_IN +#define SOCKADDR_IN struct sockaddr_in nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL; ipnat_t *nat_list = NULL; -u_long nat_inuse = 0, - fr_defnatage = 1200; +u_long fr_defnatage = 1200; natstat_t nat_stats; -#if SOLARIS -# ifndef _KERNEL -#define bzero(a,b) memset(a,0,b) -#define bcmp(a,b,c) memcpy(a,b,c) -#define bcopy(a,b,c) memmove(b,a,c) -# else +#if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_nat; -# endif +extern kmutex_t ipf_natfrag; #endif static int flush_nattable __P((void)), clear_natlist __P((void)); -static void nattable_sync __P((void)), nat_delete __P((struct nat *)); -static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int)); -static void fix_outcksum __P((u_short *, u_long)); -static void fix_incksum __P((u_short *, u_long)); -static void fix_outcksum(sp, n) +void fix_outcksum(sp, n) u_short *sp; u_long n; { @@ -112,7 +118,7 @@ u_long n; } -static void fix_incksum(sp, n) +void fix_incksum(sp, n) u_short *sp; u_long n; { @@ -197,6 +203,7 @@ int cmd, mode; } IRCOPY((char *)data, (char *)n, sizeof(*n)); n->in_ifp = (void *)GETUNIT(n->in_ifname); + n->in_apr = ap_match(n->in_p, n->in_plabel); n->in_next = *np; n->in_use = 0; n->in_space = ~(0xffffffff & ntohl(n->in_outmsk)); @@ -208,7 +215,7 @@ int cmd, mode; n->in_nip = ntohl(n->in_outip) + 1; else n->in_nip = ntohl(n->in_outip); - if (n->in_redir == NAT_MAP) { + if (n->in_redir & NAT_MAP) { n->in_pnext = ntohs(n->in_pmin); /* * Multiply by the number of ports made available. 
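Review bot: `n->in_apr = ap_match(n->in_p, n->in_plabel);` hands a string that was just copied verbatim from user space (`IRCOPY((char *)data, (char *)n, sizeof(*n))` two lines up) to a matcher that will read it as a C string, so an ipnat_t with an unterminated `in_plabel` lets a caller with write access to the device make the kernel read past the field. Force termination first, `n->in_plabel[sizeof(n->in_plabel) - 1] = '\0';`, assuming in_plabel is a fixed char array as its use with `*np->in_plabel` in ip_natout() suggests — and `in_ifname`, which goes to GETUNIT() on the line above, wants the same treatment. The SIOCADNAT case starts outside the hunk.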
@@ -219,6 +226,7 @@ int cmd, mode; } /* Otherwise, these fields are preset */ *np = n; + nat_stats.ns_rules++; break; case SIOCRMNAT : if (!(mode & FWRITE)) { @@ -230,15 +238,20 @@ int cmd, mode; break; } *np = n->in_next; - - KFREE(n); - nattable_sync(); + if (!n->in_use) { + if (n->in_apr) + ap_free(n->in_apr); + KFREE(n); + nat_stats.ns_rules--; + } else { + n->in_flags |= IPN_DELETE; + n->in_next = NULL; + } break; case SIOCGNATS : nat_stats.ns_table[0] = nat_table[0]; nat_stats.ns_table[1] = nat_table[1]; nat_stats.ns_list = nat_list; - nat_stats.ns_inuse = nat_inuse; IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats)); break; case SIOCGNATL : @@ -269,6 +282,11 @@ int cmd, mode; ret = clear_natlist(); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; + case FIONREAD : +#ifdef IPFILTER_LOG + *(int *)data = iplused[IPL_LOGNAT]; +#endif + break; } SPLX(s); MUTEX_EXIT(&ipf_nat); @@ -280,6 +298,7 @@ static void nat_delete(natd) struct nat *natd; { register struct nat **natp, *nat; + struct ipnat *ipn; for (natp = natd->nat_hstart[0]; (nat = *natp); natp = &nat->nat_hnext[0]) @@ -295,12 +314,21 @@ struct nat *natd; break; } - if (natd->nat_ptr) { - natd->nat_ptr->in_space++; - natd->nat_ptr->in_use--; + if ((ipn = natd->nat_ptr)) { + ipn->in_space++; + ipn->in_use--; + if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) { + if (ipn->in_apr) + ap_free(ipn->in_apr); + KFREE(ipn); + nat_stats.ns_rules--; + } } + MUTEX_ENTER(&ipf_natfrag); + if (nat->nat_frag && nat->nat_frag->ipfr_data == nat) + nat->nat_frag->ipfr_data = NULL; + MUTEX_EXIT(&ipf_natfrag); KFREE(natd); - nat_inuse--; } 
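Review bot: In nat_delete() the new `if (nat->nat_frag && nat->nat_frag->ipfr_data == nat) nat->nat_frag->ipfr_data = NULL;` uses `nat`, the hash-walk loop variable, rather than `natd`, the entry being deleted; `nat` equals `natd` only when the second chain walk found it and broke out, and is NULL otherwise, so a delete of an entry not on its chain dereferences NULL. Use `natd` in all three places. The same function also drops `nat_inuse--` without adding a matching `nat_stats.ns_inuse--`, while nat_new() now does `nat_stats.ns_inuse++`, so the reported session count only ever grows; add the decrement before `KFREE(natd)`. nat_delete() starts outside this hunk.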
@@ -330,43 +358,27 @@ static int flush_nattable() /* - * I know this is O(N*M), but it can't be avoided. - */ -static void nattable_sync() -{ - register nat_t *nat; - register ipnat_t *np; - int i; - - for (i = NAT_SIZE - 1; i >= 0; i--) - for (nat = nat_instances; nat; nat = nat->nat_next) { - for (np = nat_list; np; np = np->in_next) - if (nat->nat_ptr == np) - break; - /* - * XXX - is it better to remove this if ? works the - * same if it is just "nat->nat_ptr = np". - */ - if (!np) - nat->nat_ptr = NULL; - } -} - - -/* * clear_natlist - delete all entries in the active NAT mapping list. */ static int clear_natlist() { - register ipnat_t *n, **np; + register ipnat_t *n, **np = &nat_list; int i = 0; - for (np = &nat_list; (n = *np); i++) { + while ((n = *np)) { *np = n->in_next; - KFREE(n); + if (!n->in_use) { + if (n->in_apr) + ap_free(n->in_apr); + KFREE(n); + nat_stats.ns_rules--; + i++; + } else { + n->in_flags |= IPN_DELETE; + n->in_next = NULL; + } } - - nattable_sync(); + nat_stats.ns_inuse = 0; return i; } @@ -374,7 +386,7 @@ static int clear_natlist() /* * Create a new NAT table entry. */ -static nat_t *nat_new(np, ip, fin, flags, direction) +nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; 
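Review bot: `nat_stats.ns_inuse = 0;` at the end of clear_natlist() is wrong: the function only unlinks rules (ipnat_t), and rules that are still `in_use` are deliberately kept alive with IPN_DELETE, so the sessions those rules own are still in nat_table and ns_inuse now under-reports them. Drop that assignment and leave ns_inuse to nat_new()/nat_delete(). The return value `i` counts only rules freed immediately, not those deferred, so a caller treating it as "rules removed" is misled; a comment `/* returns rules freed now; rules with live sessions are freed by nat_delete() */` or counting both would fix that.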
@@ -426,15 +438,31 @@ int direction; struct ifaddr *ifa; struct sockaddr_in *sin; +# if (__FreeBSD_version >= 300000) + ifa = TAILQ_FIRST(&ifp->if_addrhead); +# else +# ifdef __NetBSD__ + ifa = ifp->if_addrlist.tqh_first; +# else ifa = ifp->if_addrlist; +# endif +# endif # if BSD < 199306 - sin = (struct sockaddr_in *)&ifa->ifa_addr; + sin = (SOCKADDR_IN *)&ifa->ifa_addr; # else - sin = (struct sockaddr_in *)ifa->ifa_addr; + sin = (SOCKADDR_IN *)ifa->ifa_addr; while (sin && ifa && sin->sin_family != AF_INET) { +# if (__FreeBSD_version >= 300000) + ifa = TAILQ_NEXT(ifa, ifa_link); +# else +# ifdef __NetBSD__ + ifa = ifa->ifa_list.tqe_next; +# else ifa = ifa->ifa_next; - sin = (struct sockaddr_in *)ifa->ifa_addr; +# endif +# endif + sin = (SOCKADDR_IN *)ifa->ifa_addr; } if (!ifa) sin = NULL; @@ -465,7 +493,8 @@ int direction; if ((np->in_nip & ntohl(np->in_outmsk)) > ntohl(np->in_outip)) np->in_nip = ntohl(np->in_outip) + 1; - } while (nat_inlookup(flags, ip->ip_dst, dport, in, port)); + } while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst, + dport, in, port)); /* Setup the NAT table */ nat->nat_inip = ip->ip_src; @@ -562,7 +591,10 @@ int direction; nat->nat_hnext[1] = *natp; *natp = nat; nat->nat_ptr = np; - np->in_use++; + nat->nat_bytes = 0; + nat->nat_pkts = 0; + nat->nat_ifp = fin->fin_ifp; + nat->nat_dir = direction; if (direction == NAT_OUTBOUND) { if (flags & IPN_TCPUDP) tcp->th_sport = htons(port); @@ -571,7 +603,8 @@ int direction; tcp->th_dport = htons(nport); } nat_stats.ns_added++; - nat_inuse++; + nat_stats.ns_inuse++; + np->in_use++; return nat; } @@ -586,7 +619,8 @@ int direction; * we're looking for a table entry, based on the destination address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport) +nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport) +void *ifp; register int flags; struct in_addr src , mapdst; u_short sport, mapdport; 
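Review bot: The rewritten address walk still dereferences `ifa` before checking it: after `ifa = TAILQ_NEXT(ifa, ifa_link)` (or the `ifa_list`/`ifa_next` equivalents) returns NULL at the end of the list, the very next line `sin = (SOCKADDR_IN *)ifa->ifa_addr;` faults before the `while (sin && ifa && ...)` condition is re-evaluated, so an interface with no AF_INET address (a link-layer-only interface, or one that was just unconfigured) crashes the kernel and the later `if (!ifa) sin = NULL;` is unreachable for that case. Change the assignment to `sin = ifa ? (SOCKADDR_IN *)ifa->ifa_addr : NULL;`. nat_new() starts outside this hunk.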
@@ -597,7 +631,8 @@ u_short sport, mapdport; nat = nat_table[1][mapdst.s_addr % NAT_SIZE]; for (; nat; nat = nat->nat_hnext[1]) - if (nat->nat_oip.s_addr == src.s_addr && + if ((!ifp || ifp == nat->nat_ifp) && + nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == mapdst.s_addr && flags == nat->nat_flags && (!flags || (nat->nat_oport == sport && @@ -613,7 +648,8 @@ u_short sport, mapdport; * we're looking for a table entry, based on the source address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -nat_t *nat_outlookup(flags, src, sport, dst, dport) +nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport) +void *ifp; register int flags; struct in_addr src , dst; u_short sport, dport; @@ -624,7 +660,8 @@ u_short sport, dport; nat = nat_table[0][src.s_addr % NAT_SIZE]; for (; nat; nat = nat->nat_hnext[0]) - if (nat->nat_inip.s_addr == src.s_addr && + if ((!ifp || ifp == nat->nat_ifp) && + nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && flags == nat->nat_flags && (!flags || (nat->nat_inport == sport && nat->nat_oport == dport))) @@ -638,7 +675,8 @@ u_short sport, dport; * real destination address/port. We use this lookup when sending a packet * out, we're looking for a table entry, based on the source address. */ -nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport) +nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport) +void *ifp; register int flags; struct in_addr mapsrc , dst; u_short mapsport, dport; @@ -649,8 +687,9 @@ u_short mapsport, dport; nat = nat_table[1][mapsrc.s_addr % NAT_SIZE]; for (; nat; nat = nat->nat_hnext[0]) - if (nat->nat_outip.s_addr == mapsrc.s_addr && + if ((!ifp || ifp == nat->nat_ifp) && nat->nat_oip.s_addr == dst.s_addr && + nat->nat_outip.s_addr == mapsrc.s_addr && flags == nat->nat_flags && (!flags || (nat->nat_outport == mapsport && nat->nat_oport == dport))) 
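Review bot: nat_lookupmapip() picks its bucket from `nat_table[1]` but follows `nat->nat_hnext[0]`, whereas nat_inlookup() pairs table[1] with hnext[1] and nat_outlookup() pairs table[0] with hnext[0]; only the first node of the table[1] chain is therefore examined in the intended chain, and the walk then continues along whichever table[0] chain that node belongs to, so sessions past the head are missed. The loop in this hunk is rewritten for the new `ifp` test, so fix the chain at the same time: `for (; nat; nat = nat->nat_hnext[1])`. The `!ifp` wildcard in all three lookups deserves a comment on the parameter (`/* ifp: NULL matches any interface */`).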
@@ -671,7 +710,7 @@ register natlookup_t *np;
 * If nl_inip is non null, this is a lookup based on the real
 * ip address. Else, we use the fake.
 */
- if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport,
+ if ((nat = nat_outlookup(NULL, IPN_TCPUDP, np->nl_inip, np->nl_inport,
 np->nl_outip, np->nl_outport))) {
 np->nl_inip = nat->nat_outip;
 np->nl_inport = nat->nat_outport;
@@ -718,43 +757,56 @@ fr_info_t *fin; ipa = ip->ip_src.s_addr; MUTEX_ENTER(&ipf_nat); - for (np = nat_list; np; np = np->in_next) - if ((np->in_ifp == ifp) && np->in_space && - (!np->in_flags || (np->in_flags & nflags)) && - ((ipa & np->in_inmsk) == np->in_inip) && - ((np->in_redir == NAT_MAP) || - (np->in_pnext == sport))) { - /* - * If there is no current entry in the nat table for - * this IP#, create one for it. - */ - if (!(nat = nat_outlookup(nflags, ip->ip_src, sport, - ip->ip_dst, dport))) { + if ((nat = ipfr_nat_knownfrag(ip, fin))) + ; + else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport, + ip->ip_dst, dport))) + np = nat->nat_ptr; + else + /* + * If there is no current entry in the nat table for this IP#, + * create one for it (if there is a matching rule). + */ + for (np = nat_list; np; np = np->in_next) + if ((np->in_ifp == ifp) && np->in_space && + (!np->in_flags || (np->in_flags & nflags)) && + ((ipa & np->in_inmsk) == np->in_inip) && + ((np->in_redir & NAT_MAP) || + (np->in_pnext == sport))) { + if (*np->in_plabel && !ap_ok(ip, tcp, np)) + continue; /* - * If it's a redirection, then we don't want - * to create new outgoing port stuff. + * If it's a redirection, then we don't want to + * create new outgoing port stuff. * Redirections are only for incoming * connections. 
*/ - if (np->in_redir == NAT_REDIRECT) + if (!(np->in_redir & NAT_MAP)) continue; - if (!(nat = nat_new(np, ip, fin, nflags, + if ((nat = nat_new(np, ip, fin, nflags, NAT_OUTBOUND))) - break; #ifdef IPFILTER_LOG - nat_log(nat, (u_short)np->in_redir); + nat_log(nat, (u_short)np->in_redir); +#else + ; #endif + break; } - ip->ip_src = nat->nat_outip; - nat->nat_age = fr_defnatage; /* 5 mins */ + if (nat) { + if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG) + ipfr_nat_newfrag(ip, fin, 0, nat); + nat->nat_age = fr_defnatage; + ip->ip_src = nat->nat_outip; + nat->nat_bytes += ip->ip_len; + nat->nat_pkts++; /* * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ #if SOLARIS - if (np->in_redir == NAT_MAP) + if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); else fix_incksum(&ip->ip_sum, nat->nat_ipsumd); @@ -770,6 +822,14 @@ fr_info_t *fin; csump = &tcp->th_sum; fr_tcp_age(&nat->nat_age, nat->nat_state, ip, fin,1); + /* + * Increase this because we may have + * "keep state" following this too and + * packet storms can occur if this is + * removed too quickly. + */ + if (nat->nat_age == fr_tcpclosed) + nat->nat_age = fr_tcplastack; } else if (ip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -781,7 +841,7 @@ fr_info_t *fin; csump = &ic->icmp_cksum; } if (csump) { - if (np->in_redir == NAT_MAP) + if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(csump, nat->nat_sumd); else @@ -789,6 +849,7 @@ fr_info_t *fin; nat->nat_sumd); } } + (void) ap_check(ip, tcp, fin, nat); nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); return 1; 
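Review bot: The rule-matching loop in the ip_natout hunk (@@ -718, which starts on the previous line) relies on an empty `#else ;` statement so that `break;` is reached whether or not IPFILTER_LOG is defined; putting braces around the conditional, `if ((nat = nat_new(np, ip, fin, nflags, NAT_OUTBOUND)) != NULL) { /* #ifdef IPFILTER_LOG nat_log(...) #endif */ } break;`, makes that explicit and removes the dangling `if` when the log call is compiled out. In the same hunk `if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)` mixes `&` and `&&` without parentheses; it evaluates as intended, but `(fin->fin_fi.fi_fl & FI_FRAG)` says so. The ip_natin hunk at @@ -829 has both patterns too, plus `(np->in_redir & NAT_REDIRECT || np->in_pmin == dport)`. Note also that on the `ipfr_nat_knownfrag` path `np` is never assigned; the rest of this hunk no longer reads it (the checksum tests now use `nat->nat_dir`), but anything after the hunk that still does would see an uninitialised pointer.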
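Review bot: `(void) ap_check(ip, tcp, fin, nat);` in the @@ -789 hunk throws away the proxy's result, so if ap_check can report that it rejected or failed to rewrite the packet, the packet is still counted in `ns_mapped[1]` and returned as mapped; if the return value is meaningful it should be tested and the packet dropped on failure, and if it is not, a one-line comment saying why it is ignored would help the next reader. The same discarded call appears in the ip_natin hunk at @@ -829, where it additionally runs before `ip->ip_dst = nat->nat_inip` and the checksum fixups, whereas here it runs after them. If the proxy is meant to see the packet pre-translation inbound but post-translation outbound, that asymmetry deserves a comment at both call sites.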
@@ -829,38 +890,55 @@ fr_info_t *fin; in = ip->ip_dst; MUTEX_ENTER(&ipf_nat); - for (np = nat_list; np; np = np->in_next) - if ((np->in_ifp == ifp) && - (!np->in_flags || (nflags & np->in_flags)) && - ((in.s_addr & np->in_outmsk) == np->in_outip) && - (np->in_redir == NAT_MAP || np->in_pmin == dport)) { - if (!(nat = nat_inlookup(nflags, ip->ip_src, sport, - ip->ip_dst, dport))) { + + if ((nat = ipfr_nat_knownfrag(ip, fin))) + ; + else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport, + ip->ip_dst, dport))) + np = nat->nat_ptr; + else + /* + * If there is no current entry in the nat table for this IP#, + * create one for it (if there is a matching rule). + */ + for (np = nat_list; np; np = np->in_next) + if ((np->in_ifp == ifp) && + (!np->in_flags || (nflags & np->in_flags)) && + ((in.s_addr & np->in_outmsk) == np->in_outip) && + (np->in_redir & NAT_REDIRECT || + np->in_pmin == dport)) { /* * If this rule (np) is a redirection, rather * than a mapping, then do a nat_new. * Otherwise, if it's just a mapping, do a * continue; */ - if (np->in_redir == NAT_MAP) + if (!(np->in_redir & NAT_REDIRECT)) continue; - if (!(nat = nat_new(np, ip, fin, nflags, + if ((nat = nat_new(np, ip, fin, nflags, NAT_INBOUND))) - break; #ifdef IPFILTER_LOG - nat_log(nat, (u_short)np->in_redir); + nat_log(nat, (u_short)np->in_redir); +#else + ; #endif + break; } - ip->ip_dst = nat->nat_inip; - + if (nat) { + if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG) + ipfr_nat_newfrag(ip, fin, 0, nat); + (void) ap_check(ip, tcp, fin, nat); nat->nat_age = fr_defnatage; + ip->ip_dst = nat->nat_inip; + nat->nat_bytes += ip->ip_len; + nat->nat_pkts++; /* * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ #if SOLARIS - if (np->in_redir == NAT_MAP) + if (nat->nat_dir == NAT_OUTBOUND) fix_incksum(&ip->ip_sum, nat->nat_ipsumd); else fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); 
@@ -875,6 +953,14 @@ fr_info_t *fin; csump = &tcp->th_sum; fr_tcp_age(&nat->nat_age, nat->nat_state, ip, fin,0); + /* + * Increase this because we may have + * "keep state" following this too and + * packet storms can occur if this is + * removed too quickly. + */ + if (nat->nat_age == fr_tcpclosed) + nat->nat_age = fr_tcplastack; } else if (ip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -886,7 +972,7 @@ fr_info_t *fin; csump = &ic->icmp_cksum; } if (csump) { - if (np->in_redir == NAT_MAP) + if (nat->nat_dir == NAT_OUTBOUND) fix_incksum(csump, nat->nat_sumd); else @@ -914,6 +1000,7 @@ void ip_natunload() SPLNET(s); (void) clear_natlist(); (void) flush_nattable(); + (void) ap_unload(); SPLX(s) MUTEX_EXIT(&ipf_nat); } @@ -970,12 +1057,14 @@ u_short type; # if BSD >= 199306 || defined(__FreeBSD__) microtime((struct timeval *)&natl); # endif + natl.nl_inip = nat->nat_inip; + natl.nl_outip = nat->nat_outip; + natl.nl_origip = nat->nat_oip; + natl.nl_bytes = nat->nat_bytes; + natl.nl_pkts = nat->nat_pkts; natl.nl_origport = nat->nat_oport; - natl.nl_outport = nat->nat_outport; natl.nl_inport = nat->nat_inport; - natl.nl_origip = nat->nat_oip; - natl.nl_outip = nat->nat_outip; - natl.nl_inip = nat->nat_inip; + natl.nl_outport = nat->nat_outport; natl.nl_type = type; natl.nl_rule = -1; if (nat->nat_ptr) { diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index bf435e0..add4a9a 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h 
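Review bot: In the nat_log hunk (@@ -970) `natl` is filled field by field and now includes the 64-bit `nl_pkts`/`nl_bytes`, which on ABIs that align U_QUAD_T to 8 bytes may introduce padding inside natlog_t; if `natl` is an automatic variable that is not zeroed before this block (its declaration and the copy into the log buffer are both outside the hunk), those padding bytes carry stale kernel stack contents into a record that ipmon reads from userland. `bzero((char *)&natl, sizeof(natl));` before the `microtime` call would close that, and it also keeps the record well defined if more fields are added later.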
@@ -1,17 +1,21 @@ /* - * (C)opyright 1995 by Darren Reed. + * (C)opyright 1995-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.0.2.6 1997/03/31 10:05:30 darrenr Exp $ + * $Id: ip_nat.h,v 2.0.2.12 1997/05/24 07:35:20 darrenr Exp $ */ -#ifndef __IP_NAT_H_ +#ifndef __IP_NAT_H__ #define __IP_NAT_H__ +#ifndef __IP_PROXY_H__ +#include "netinet/ip_proxy.h" +#endif + #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif @@ -44,9 +48,12 @@ typedef struct nat { int nat_flags; u_long nat_sumd; u_long nat_ipsumd; + struct ipfr *nat_frag; struct in_addr nat_inip; struct in_addr nat_outip; struct in_addr nat_oip; /* other ip */ + U_QUAD_T nat_pkts; + U_QUAD_T nat_bytes; u_short nat_oport; /* other port */ u_short nat_inport; u_short nat_outport; @@ -56,6 +63,8 @@ typedef struct nat { struct nat *nat_next; struct nat *nat_hnext[2]; struct nat **nat_hstart[2]; + void *nat_ifp; + int nat_dir; } nat_t; typedef struct ipnat { @@ -69,8 +78,12 @@ typedef struct ipnat { u_short in_port[2]; struct in_addr in_in[2]; struct in_addr in_out[2]; + struct aproxy *in_apr; int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */ char in_ifname[IFNAMSIZ]; + char in_plabel[APR_LABELLEN]; /* proxy label */ + char in_p; /* protocol */ + u_short in_dport; } ipnat_t; #define in_pmin in_port[0] /* Also holds static redir port */ @@ -81,11 +94,12 @@ typedef struct ipnat { #define in_outip in_out[0].s_addr #define in_outmsk in_out[1].s_addr -#define NAT_INBOUND 0 -#define NAT_OUTBOUND 1 +#define NAT_OUTBOUND 0 +#define NAT_INBOUND 1 -#define NAT_MAP 0 -#define NAT_REDIRECT 1 +#define NAT_MAP 0x01 +#define NAT_REDIRECT 0x02 +#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT) #define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \ sizeof(int)) 
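Review bot: The comment on `in_redir` in the ipnat hunk (@@ -69), `/* 0 if it's a mapping, 1 if it's a hard redir */`, is now wrong: the next hunk redefines NAT_MAP as 0x01 and NAT_REDIRECT as 0x02, adds NAT_BIMAP as their OR, and the kernel tests the field with `&`. Suggest `/* NAT_MAP, NAT_REDIRECT or NAT_BIMAP (bit flags, tested with &) */`. The new `in_plabel[APR_LABELLEN]` is filled by ipnat.c in this same diff with a bounded strncpy and printed with `%.*s`, so it is a fixed-width field that is not guaranteed NUL-terminated; saying so in its comment, e.g. `/* proxy label, fixed width, not NUL-terminated */`, would stop a future caller from handing it to strcmp or `%s`.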
@@ -99,6 +113,7 @@ typedef struct natlookup { typedef struct natstat { u_long ns_mapped[2]; + u_long ns_rules; u_long ns_added; u_long ns_expire; u_long ns_inuse; @@ -108,10 +123,11 @@ typedef struct natstat { ipnat_t *ns_list; } natstat_t; -#define IPN_ANY 0 -#define IPN_TCP 1 -#define IPN_UDP 2 -#define IPN_TCPUDP 3 +#define IPN_ANY 0x00 +#define IPN_TCP 0x01 +#define IPN_UDP 0x02 +#define IPN_TCPUDP 0x03 +#define IPN_DELETE 0x04 typedef struct natlog { @@ -124,6 +140,8 @@ typedef struct natlog { u_short nl_inport; u_short nl_type; int nl_rule; + U_QUAD_T nl_pkts; + U_QUAD_T nl_bytes; } natlog_t; @@ -132,18 +150,22 @@ typedef struct natlog { #define NL_EXPIRE 0xffff +extern u_long fr_defnatage; extern nat_t *nat_table[2][NAT_SIZE]; extern int nat_ioctl __P((caddr_t, int, int)); -extern nat_t *nat_outlookup __P((int, struct in_addr, u_short, +extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int)); +extern nat_t *nat_outlookup __P((void *, int, struct in_addr, u_short, struct in_addr, u_short)); -extern nat_t *nat_inlookup __P((int, struct in_addr, u_short, +extern nat_t *nat_inlookup __P((void *, int, struct in_addr, u_short, struct in_addr, u_short)); extern nat_t *nat_lookupredir __P((natlookup_t *)); -extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short, +extern nat_t *nat_lookupmapip __P((void *, int, struct in_addr, u_short, struct in_addr, u_short)); extern int ip_natout __P((ip_t *, int, fr_info_t *)); extern int ip_natin __P((ip_t *, int, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_short)); +extern void fix_incksum __P((u_short *, u_long)); +extern void fix_outcksum __P((u_short *, u_long)); #endif /* __IP_NAT_H__ */ diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 5d0e8fe..5a5a330 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c 
@@ -9,7 +9,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp $"; +static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.8 1997/05/24 07:42:56 darrenr Exp $"; #endif #include <sys/types.h> @@ -18,6 +18,7 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp #include <sys/cpuvar.h> #include <sys/open.h> #include <sys/ioctl.h> +#include <sys/filio.h> #include <sys/systm.h> #include <sys/cred.h> #include <sys/ddi.h> @@ -43,8 +44,8 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp #include "ip_compat.h" #include "ip_fil.h" #include "ip_state.h" -#include "ip_frag.h" #include "ip_nat.h" +#include "ip_frag.h" #include <inet/ip_ire.h> #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) @@ -63,11 +64,11 @@ int ipllog __P((u_int, int, ip_t *, fr_info_t *, mblk_t *)); static void frflush __P((caddr_t)); char iplbuf[3][IPLLOGSIZE]; caddr_t iplh[3], iplt[3]; -static int iplused[3] = {0, 0, 0}; +int iplused[3] = {0, 0, 0}; #endif /* IPFILTER_LOG */ static int frrequest __P((int, caddr_t, int)); kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex; -kmutex_t ipf_frag, ipf_state, ipf_nat; +kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag; kcondvar_t iplwait; @@ -86,6 +87,7 @@ int ipldetach() mutex_destroy(&ipfs_mutex); mutex_destroy(&ipf_frag); mutex_destroy(&ipf_state); + mutex_destroy(&ipf_natfrag); mutex_destroy(&ipf_nat); return 0; } 
@@ -107,8 +109,9 @@ int iplattach __P((void)) mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL); + mutex_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", MUTEX_DRIVER, NULL); cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL); - ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2); + ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000)); return 0; } @@ -190,6 +193,17 @@ int *rp; int error = 0, unit; unit = getminor(dev); + if ((2 < unit) || (unit < 0)) + return ENXIO; + + if (unit == IPL_LOGNAT) { + error = nat_ioctl((caddr_t)data, cmd, mode); + return error; + } + if (unit == IPL_LOGSTATE) { + error = fr_state_ioctl((caddr_t)data, cmd, mode); + return error; + } switch (cmd) { case SIOCFRENB : @@ -304,6 +318,11 @@ int *rp; IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data, sizeof(ips_stat_t)); break; + case FIONREAD : +#ifdef IPFILTER_LOG + *(int *)data = iplused[IPL_LOGIPF]; +#endif + break; default : error = EINVAL; break; @@ -365,7 +384,11 @@ caddr_t data; if (!ill) ire = (ire_t *)-1; else if ((ipif = ill->ill_ipif)) { +#if SOLARIS2 > 5 + ire = ipif_to_ire(ipif); +#else ire = ire_lookup_myaddr(ipif->ipif_local_addr); +#endif if (!ire) ire = (ire_t *)-1; else @@ -380,7 +403,11 @@ caddr_t data; if (!ill) ire = (ire_t *)-1; else if ((ipif = ill->ill_ipif)) { +#if SOLARIS2 > 5 + ire = ipif_to_ire(ipif); +#else ire = ire_lookup_myaddr(ipif->ipif_local_addr); +#endif if (!ire) ire = (ire_t *)-1; } 
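Review bot: The new minor-device check in the iplioctl hunk (@@ -190) compares `unit` against a bare `2`; a named constant for the highest minor (or the IPL_LOG* value it corresponds to) keeps the check in step when another unit is added. The early dispatch to `nat_ioctl` and `fr_state_ioctl` returns before the `switch` below it, which is presumably where the existing handlers enforce write permission via `mode` for the rule-changing commands; `fr_state_ioctl` (visible later in this diff) only services read-only requests, but `nat_ioctl` is not shown, so it is worth confirming that it performs the same write-permission check itself now that nothing upstream does.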
@@ -629,27 +656,6 @@ mblk_t *m; #endif /* IPFILTER_LOG */ -u_short ipf_cksum(addr, len) -register u_short *addr; -register int len; -{ - register u_long sum = 0; - - for (sum = 0; len > 1; len -= 2) - sum += *addr++; - - /* mop up an odd byte, if necessary */ - if (len == 1) - sum += *(u_char *)addr; - - /* - * add back carry outs from top 16 bits to low 16 bits - */ - sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ - sum += (sum >> 16); /* add carry */ - return (u_short)(~sum); -} - /* * send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index edd05b8..a6bda8a 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp $"; +static char rcsid[] = "$Id: ip_state.c,v 2.0.2.12 1997/05/24 07:34:10 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -19,12 +19,11 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) -#include <sys/ioccom.h> -#include <sys/filio.h> -#include <sys/fcntl.h> +#if defined(KERNEL) && (__FreeBSD_version >= 220000) +# include <sys/filio.h> +# include <sys/fcntl.h> #else -#include <sys/ioctl.h> +# include <sys/ioctl.h> #endif #include <sys/uio.h> #include <sys/protosw.h> @@ -35,6 +34,7 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp #if !defined(__SVR4) && !defined(__svr4__) # include <sys/mbuf.h> #else +# include <sys/filio.h> # include <sys/byteorder.h> # include <sys/dditypes.h> # include <sys/stream.h> 
@@ -55,9 +55,10 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_state.h" +#include "netinet/ip_compat.h" +#include "netinet/ip_fil.h" +#include "netinet/ip_nat.h" +#include "netinet/ip_state.h" #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif @@ -67,11 +68,8 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp ipstate_t *ips_table[IPSTATE_SIZE]; int ips_num = 0; ips_stat_t ips_stats; -#if SOLARIS +#if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_state; -# if !defined(_KERNEL) -#define bcopy(a,b,c) memmove(b,a,c) -# endif #endif @@ -94,10 +92,27 @@ ips_stat_t *fr_statetstats() } -#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ - (((s1) == (d2)) && ((d1) == (s2)))) -#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \ - (s2).s_addr, (d2).s_addr) +int fr_state_ioctl(data, cmd, mode) +caddr_t data; +int cmd; +int mode; +{ + switch (cmd) + { + case SIOCGIPST : + IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t)); + break; + case FIONREAD : +#ifdef IPFILTER_LOG + *(int *)data = iplused[IPL_LOGSTATE]; +#endif + break; + default : + return -1; + } + return 0; +} + /* * Create a new ipstate structure and hang it off the hash table. @@ -212,6 +227,8 @@ u_int pass; ipstate_log(is, ISL_NEW); #endif MUTEX_EXIT(&ipf_state); + if (fin->fin_fi.fi_fl & FI_FRAG) + ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return 0; } @@ -346,8 +363,9 @@ fr_info_t *fin; is->is_pkts++; is->is_bytes += ip->ip_len; ips_stats.iss_hits++; + pass = is->is_pass; MUTEX_EXIT(&ipf_state); - return is->is_pass; + return pass; } MUTEX_EXIT(&ipf_state); break; 
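Review bot: `fr_state_ioctl` returns `-1` for an unrecognised `cmd`, and the iplioctl hunk in ip_sfil.c passes that straight back as the ioctl error (`error = fr_state_ioctl((caddr_t)data, cmd, mode); return error;`), so userland receives an undefined error number instead of the EINVAL the main switch uses for the same case. `default : return EINVAL;` keeps the two paths consistent. The FIONREAD case leaves `*(int *)data` untouched when IPFILTER_LOG is compiled out; assigning 0 there gives callers a defined answer.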
@@ -364,10 +382,10 @@ fr_info_t *fin; PAIRS(sport, dport, is->is_sport, is->is_dport) && IPPAIR(src, dst, is->is_src, is->is_dst)) if (fr_tcpstate(is, fin, ip, tcp, sport)) { + pass = is->is_pass; #ifdef _KERNEL MUTEX_EXIT(&ipf_state); #else - int pass = is->is_pass; if (tcp->th_flags & TCP_CLOSE) { *isp = is->is_next; diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h index 33395fc..9301101 100644 --- a/contrib/ipfilter/ip_state.h +++ b/contrib/ipfilter/ip_state.h @@ -1,12 +1,12 @@ /* - * (C)opyright 1995 by Darren Reed. + * (C)opyright 1995-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.0.2.5 1997/03/31 10:05:32 darrenr Exp $ + * $Id: ip_state.h,v 2.0.2.9 1997/05/24 07:35:11 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -14,6 +14,12 @@ #define IPSTATE_SIZE 257 #define IPSTATE_MAX 2048 /* Maximum number of states held */ +#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ + (((s1) == (d2)) && ((d1) == (s2)))) +#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \ + (s2).s_addr, (d2).s_addr) + + typedef struct udpstate { u_short us_sport; u_short us_dport; @@ -106,6 +112,14 @@ typedef struct ips_stat { ipstate_t **iss_table; } ips_stat_t; + +extern u_long fr_tcpidletimeout; +extern u_long fr_tcpclosewait; +extern u_long fr_tcplastack; +extern u_long fr_tcptimeout; +extern u_long fr_tcpclosed; +extern u_long fr_udptimeout; +extern u_long fr_icmptimeout; extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *, u_short)); extern ips_stat_t *fr_statetstats __P((void)); 
@@ -115,4 +129,5 @@ extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_short)); +extern int fr_state_ioctl __P((caddr_t, int, int)); #endif /* __IP_STATE_H__ */ diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index d4747a1..326ffe3 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -5,6 +5,9 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ +#ifdef __FreeBSD__ +# include <osreldate.h> +#endif #include <stdio.h> #include <unistd.h> #include <string.h> @@ -22,7 +25,11 @@ #include <sys/ioctl.h> #include <netinet/in.h> #include <netinet/in_systm.h> +#include <sys/time.h> #include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #include <netinet/ip.h> #include <netdb.h> #include <arpa/nameser.h> @@ -33,7 +40,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ipf.c,v 2.0.2.5 1997/03/31 10:05:33 darrenr Exp $"; +static char rcsid[] = "$Id: ipf.c,v 2.0.2.6 1997/04/30 13:59:59 darrenr Exp $"; #endif #if SOLARIS diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index 4d35281..67554cb 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h 
@@ -1,14 +1,17 @@ /* - * (C)opyright 1993-1996 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 2.0.2.4 1997/03/27 13:45:18 darrenr Exp $ + * $Id: ipf.h,v 2.0.2.6 1997/04/30 13:49:05 darrenr Exp $ */ +#ifndef __IPF_H__ +#define __IPF_H__ + #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif @@ -46,12 +49,6 @@ extern void binprint __P((struct frentry *)), initparse __P((void)); extern u_short portnum __P((char *)); -#if defined(__SVR4) || defined(__svr4__) -#define index strchr -#define bzero(a,b) memset(a, 0, b) -#define bcopy(a,b,c) memmove(b,a,c) -#endif - struct ipopt_names { int on_value; int on_bit; @@ -79,3 +76,4 @@ extern char *sys_errlist[]; #define MIN(a,b) ((a) > (b) ? (b) : (a)) #endif +#endif /* __IPF_H__ */ diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c index 13e8557..e1f228f 100644 --- a/contrib/ipfilter/ipft_ef.c +++ b/contrib/ipfilter/ipft_ef.c @@ -31,6 +31,7 @@ etherfind -n -t #include <sys/socket.h> #include <sys/ioctl.h> #include <sys/param.h> +#include <sys/time.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netinet/in_systm.h> @@ -42,12 +43,13 @@ etherfind -n -t #include <netinet/tcpip.h> #include <net/if.h> #include <netdb.h> +#include "ip_compat.h" #include "ipf.h" #include "ipt.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.3 1997/03/10 08:10:24 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp $"; #endif static int etherf_open __P((char *)); diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c index e57eeda..30b3d6d 100644 --- a/contrib/ipfilter/ipft_hx.c 
+++ b/contrib/ipfilter/ipft_hx.c @@ -16,6 +16,7 @@ #endif #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <stdlib.h> #include <unistd.h> #include <stddef.h> @@ -33,12 +34,13 @@ #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> +#include "ip_compat.h" #include "ipf.h" #include "ipt.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.3 1997/03/10 08:10:25 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.4 1997/04/30 13:55:07 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c index 5b8967a..948a892 100644 --- a/contrib/ipfilter/ipft_pc.c +++ b/contrib/ipfilter/ipft_pc.c @@ -25,12 +25,13 @@ #include <netinet/tcp.h> #include <netinet/tcpip.h> #include <net/if.h> +#include "ip_compat.h" #include "ipf.h" #include "ipt.h" #include "pcap.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.3 1997/03/10 08:10:26 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp $"; #endif struct llc { diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c index e8c098a..11a878f 100644 --- a/contrib/ipfilter/ipft_sn.c +++ b/contrib/ipfilter/ipft_sn.c @@ -21,6 +21,7 @@ #include <sys/socket.h> #include <sys/ioctl.h> #include <sys/param.h> +#include <sys/time.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip_var.h> @@ -28,12 +29,13 @@ #include <netinet/tcp.h> #include <netinet/tcpip.h> #include <net/if.h> +#include "ip_compat.h" #include "ipf.h" #include "ipt.h" #include "snoop.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.3 1997/03/10 08:10:29 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp $"; #endif struct llc { 
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c index ef39bf0..f70a08f 100644 --- a/contrib/ipfilter/ipft_td.c +++ b/contrib/ipfilter/ipft_td.c @@ -35,6 +35,7 @@ tcpdump -nqte #endif #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <stdlib.h> #include <unistd.h> #include <stddef.h> @@ -51,12 +52,13 @@ tcpdump -nqte #include <netinet/tcpip.h> #include <net/if.h> #include <netdb.h> +#include "ip_compat.h" #include "ipf.h" #include "ipt.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.3 1997/03/10 08:10:30 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp $"; #endif static int tcpd_open __P((char *)); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index cce9af7..04e5e3f 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -16,6 +16,7 @@ #endif #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <stdlib.h> #include <unistd.h> #include <stddef.h> @@ -40,7 +41,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.3 1997/03/10 08:10:31 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.4 1997/04/30 13:55:13 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index 1057a58..a7a5828 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -1,5 +1,5 @@ /* - * (C)opyright 1993-1996 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -8,9 +8,9 @@ * @(#)ipl.h 1.21 6/5/96 */ -#ifndef __IPL_H_ +#ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter v3.2alpha4" +#define IPL_VERSION "IP Filter v3.2alpha7" #endif diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index cb71ff7..f8b339d 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -15,6 +15,7 @@ #include <strings.h> #include <sys/dir.h> #else +#include <sys/filio.h> #include <sys/byteorder.h> #endif #include <sys/types.h> @@ -48,12 +49,13 @@ #include "ip_compat.h" #include "ip_fil.h" +#include "ip_proxy.h" #include "ip_nat.h" #include "ip_state.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed"; -static char rcsid[] = "$Id: ipmon.c,v 2.0.2.6 1997/04/02 12:23:27 darrenr Exp $"; +static char rcsid[] = "$Id: ipmon.c,v 2.0.2.9 1997/04/30 13:54:10 darrenr Exp $"; #endif @@ -443,6 +445,15 @@ int blen; (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), portname(res, NULL, nl->nl_origport)); t += strlen(t); + if (nl->nl_type == NL_EXPIRE) { +#ifdef USE_QUAD_T + (void) sprintf(t, " Pkts %qd Bytes %qd", +#else + (void) sprintf(t, " Pkts %ld Bytes %ld", +#endif + nl->nl_pkts, nl->nl_bytes); + t += strlen(t); + } *t++ = '\n'; *t++ = '\0'; 
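Review bot: The new `sprintf(t, " Pkts %qd Bytes %qd", ...)` in the ipmon hunk (@@ -443) can append over fifty bytes to the line and, like the surrounding calls, never checks the space left in the caller's buffer even though the function takes `blen` (visible in the hunk header). The record comes from the kernel log, so the counters are not attacker-chosen, but bounding the write against the remaining length (snprintf with `blen` minus what has already been consumed, or a size check before the write) would keep the expiry line safe as further fields are added.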
@@ -495,21 +506,21 @@ int blen; hostname(res, sl->isl_src), portname(res, proto, sl->isl_sport)); t += strlen(t); - (void) sprintf(t, "%s,%s PR %s ", + (void) sprintf(t, "%s,%s PR %s", hostname(res, sl->isl_dst), portname(res, proto, sl->isl_dport), proto); } else if (sl->isl_p == IPPROTO_ICMP) { (void) sprintf(t, "%s -> ", hostname(res, sl->isl_src)); t += strlen(t); - (void) sprintf(t, "%s PR icmp %d ", + (void) sprintf(t, "%s PR icmp %d", hostname(res, sl->isl_dst), sl->isl_itype); } t += strlen(t); if (sl->isl_type != ISL_NEW) { #ifdef USE_QUAD_T - (void) sprintf(t, "Pkts %qd Bytes %qd", + (void) sprintf(t, " Pkts %qd Bytes %qd", #else - (void) sprintf(t, "Pkts %ld Bytes %ld", + (void) sprintf(t, " Pkts %ld Bytes %ld", #endif sl->isl_pkts, sl->isl_bytes); t += strlen(t); diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index 8c731e3..1896402 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -48,13 +48,14 @@ #include <ctype.h> #include "ip_compat.h" #include "ip_fil.h" +#include "ip_proxy.h" #include "ip_nat.h" #include "kmem.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "$Id: ipnat.c,v 2.0.2.6 1997/04/02 12:23:29 darrenr Exp $"; +static char rcsid[] = "$Id: ipnat.c,v 2.0.2.9 1997/05/05 14:03:55 darrenr Exp $"; #endif #if SOLARIS @@ -130,8 +131,8 @@ char *argv[]; usage(argv[0]); } - if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) && - ((fd = open(IPL_NAME, O_RDONLY)) == -1)) { + if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) && + ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { perror("open"); exit(-1); } 
@@ -182,8 +183,25 @@ void *ptr; { int bits; + switch (np->in_redir) + { + case NAT_REDIRECT : + printf("redir "); + break; + case NAT_MAP : + printf("map "); + break; + case NAT_BIMAP : + printf("bimap "); + break; + default : + fprintf(stderr, "unknown value for in_redir: %#x\n", + np->in_redir); + break; + } + if (np->in_redir == NAT_REDIRECT) { - printf("rdr %s %s", np->in_ifname, inet_ntoa(np->in_out[0])); + printf("%s %s", np->in_ifname, inet_ntoa(np->in_out[0])); bits = countbits(np->in_out[1].s_addr); if (bits != -1) printf("/%d ", bits); @@ -207,7 +225,7 @@ void *ptr; np->in_use); } else { np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); - printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); + printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); bits = countbits(np->in_in[1].s_addr); if (bits != -1) printf("%d ", bits); @@ -219,7 +237,13 @@ void *ptr; printf("%d ", bits); else printf("%s", inet_ntoa(np->in_out[1])); - if (np->in_pmin || np->in_pmax) { + if (*np->in_plabel) { + printf(" proxy"); + if (np->in_dport) + printf(" %hu", ntohs(np->in_dport)); + printf(" %.*s/%d", sizeof(np->in_plabel), + np->in_plabel, np->in_p); + } else if (np->in_pmin || np->in_pmax) { printf(" portmap"); if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) printf(" tcp/udp"); @@ -245,13 +269,29 @@ void *ptr; char *getnattype(ipnat) ipnat_t *ipnat; { + char *which; ipnat_t ipnatbuff; if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, sizeof(ipnatbuff))) return "???"; - return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR"; + switch (ipnatbuff.in_redir) + { + case NAT_MAP : + which = "MAP"; + break; + case NAT_REDIRECT : + which = "RDR"; + break; + case NAT_BIMAP : + which = "BIMAP"; + break; + default : + which = "unknown"; + break; + } + return which; } 
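Review bot: The new switch in the printnat hunk (@@ -182) prints `redir ` for NAT_REDIRECT, but the parser in this same file (the @@ -438 hunk further down) only accepts `map`, `rdr` and `bimap`, so the listing of a redirect rule can no longer be fed back in as a rule file; the removed line printed `rdr`. `printf("rdr ");` in that case restores the round trip. Separately, `printf(" %.*s/%d", sizeof(np->in_plabel), ...)` passes a size_t where `%.*s` expects an int; `(int)sizeof(np->in_plabel)` is the portable form.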
@@ -275,7 +315,7 @@ int fd, opts; ns.ns_mapped[0], ns.ns_mapped[1]); printf("added\t%lu\texpired\t%lu\n", ns.ns_added, ns.ns_expire); - printf("inuse\t%lu\n", ns.ns_inuse); + printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules); if (opts & OPT_VERBOSE) printf("table %p list %p\n", ns.ns_table, ns.ns_list); } @@ -419,6 +459,7 @@ int *resolved; ipnat_t *parse(line) char *line; { + struct protoent *pr; static ipnat_t ipn; char *s, *t; char *shost, *snetm, *dhost, *proto; @@ -438,9 +479,11 @@ char *line; ipn.in_redir = NAT_MAP; else if (!strcasecmp(s, "rdr")) ipn.in_redir = NAT_REDIRECT; + else if (!strcasecmp(s, "bimap")) + ipn.in_redir = NAT_BIMAP; else { (void)fprintf(stderr, - "expected \"map\" or \"rdr\", got \"%s\"\n", s); + "expected map/rdr/bimap, got \"%s\"\n", s); return NULL; } @@ -508,7 +551,7 @@ char *line; } dhost = s; - if (ipn.in_redir == NAT_MAP) { + if (ipn.in_redir & NAT_MAP) { if (!(s = strtok(NULL, " \t"))) { dnetm = strrchr(dhost, '/'); if (!dnetm) { @@ -517,7 +560,8 @@ char *line; return NULL; } } - if (!s || !strcasecmp(s, "portmap")) { + if (!s || !strcasecmp(s, "portmap") || + !strcasecmp(s, "proxy")) { dnetm = strrchr(dhost, '/'); if (!dnetm) { fprintf(stderr, @@ -562,7 +606,7 @@ char *line; if (*snetm == '/') *snetm++ = '\0'; - if (ipn.in_redir == NAT_MAP) { + if (ipn.in_redir & NAT_MAP) { ipn.in_inip = hostnum(shost, &resolved); if (resolved == -1) return NULL; 
@@ -612,6 +656,55 @@ char *line; } if (!s) return &ipn; + if (ipn.in_redir == NAT_BIMAP) { + fprintf(stderr, "extra words at the end of bimap line: %s\n", + s); + return NULL; + } + if (!strcasecmp(s, "proxy")) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "missing parameter for \"proxy\"\n"); + return NULL; + } + dport = NULL; + + if (!strcasecmp(s, "port")) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "missing parameter for \"port\"\n"); + return NULL; + } + + dport = s; + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "missing parameter for \"proxy\"\n"); + return NULL; + } + } + if ((proto = index(s, '/'))) { + *proto++ = '\0'; + if ((pr = getprotobyname(proto))) + ipn.in_p = pr->p_proto; + else + ipn.in_p = atoi(proto); + if (dport) + ipn.in_dport = portnum(dport, proto); + } else { + ipn.in_p = 0; + if (dport) + ipn.in_dport = portnum(dport, NULL); + } + + (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel)); + if ((s = strtok(NULL, " \t"))) { + fprintf(stderr, "too many parameters for \"proxy\"\n"); + return NULL; + } + return &ipn; + + } if (strcasecmp(s, "portmap")) { fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s); return NULL; diff --git a/contrib/ipfilter/ipsend/Makefile b/contrib/ipfilter/ipsend/Makefile index 1f04912..df650aa 100644 --- a/contrib/ipfilter/ipsend/Makefile +++ b/contrib/ipfilter/ipsend/Makefile @@ -32,6 +32,9 @@ all: .c.o: $(CC) $(CFLAGS) $(LINUXK) -c $< -o $@ +install: + -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST) + bpf sunos4-bpf : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \ "CFLAGS=$(CFLAGS) -DDOSOCKET" diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c index e010b9b..10f27cd 100644 --- a/contrib/ipfilter/ipsend/arp.c +++ b/contrib/ipfilter/ipsend/arp.c 
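Review bot: In the `proxy` branch of the `@@ -612,6 +656,55 @@` hunk, `strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel))` silently truncates a label longer than the field, so an over-long tag is stored as a different, shorter tag and is later looked up in the proxy table as that tag; the rule should be rejected instead. A label that exactly fills the field is also left without a NUL terminator, which the `%.*s` print path copes with, but that property deserves a comment on the field so other readers do not treat it as a C string. `ipn.in_p = atoi(proto)` turns any unrecognised protocol into 0 or a partial parse with no diagnostic; `strtol` with an end-pointer check reports it. `index()` is the legacy spelling of `strchr()`. parse() starts before this hunk and the `dport`/`proto` declarations are outside it.
```c
		if ((proto = strchr(s, '/'))) {
			*proto++ = '\0';
			if ((pr = getprotobyname(proto)))
				ipn.in_p = pr->p_proto;
			else {
				char *end;

				ipn.in_p = strtol(proto, &end, 10);
				if (end == proto || *end) {
					fprintf(stderr, "unknown protocol \"%s\"\n",
						proto);
					return NULL;
				}
			}
			/* … unchanged: dport handling … */
		}
		/* … unchanged: else branch when no protocol is given … */

		/* reject rather than truncate: the label is a lookup key */
		if (strlen(s) > sizeof(ipn.in_plabel)) {
			fprintf(stderr, "proxy label too long: \"%s\"\n", s);
			return NULL;
		}
		(void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
```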
@@ -25,11 +25,6 @@ static char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; #include <netinet/tcp.h> #include "ipsend.h" -#if defined(__SVR4) || defined(__svr4__) -#define bcopy(a,b,c) memmove(b,a,c) -#define bzero(a,c) memset(a,0,c) -#define bcmp(a,b,c) memcmp(a,b,c) -#endif /* * lookup host and return diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index 4c37557..ecc6473 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -175,7 +175,7 @@ char **argv; ip->ip_len = sizeof(*ip); ip->ip_hl = sizeof(*ip) >> 2; - while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1) + while ((c = (char)getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1) switch (c) { case 'I' : diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c index 00b51fb..93d7f4a 100644 --- a/contrib/ipfilter/ipsend/iptest.c +++ b/contrib/ipfilter/ipsend/iptest.c @@ -108,7 +108,8 @@ char **argv; ip->ip_len = sizeof(*ip); ip->ip_hl = sizeof(*ip) >> 2; - while ((c = getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1) + while ((c = (char)getopt(argc, argv, + "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1) switch (c) { case '1' : diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index 4de99c4..6b5ecb9 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -27,6 +27,9 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed"; #endif #include <kvm.h> #include <sys/socket.h> +#if defined(solaris) +# include <sys/stream.h> +#endif #include <sys/socketvar.h> #ifdef sun #include <sys/systm.h> diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c index 1e0f3e4..cc0c223 100644 --- a/contrib/ipfilter/ipt.c +++ b/contrib/ipfilter/ipt.c 
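Review bot: `c = (char)getopt(argc, argv, ...)` in the ipsend.c hunk, and the same change in the iptest.c hunk here and the ipt.c hunk on the next file, compares a value truncated to `char` against `-1`; on a target where `char` is unsigned the end-of-options `-1` becomes 255, the `!= -1` test never fails and the option loop never terminates, since getopt keeps returning -1. The declaration of `c` is outside each hunk; if it is `char`, the fix is to declare it `int c;` and drop the cast, `while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)`, which is the type getopt's contract expects. The cast only silences the warning that was pointing at this.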
@@ -5,6 +5,9 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ +#ifdef __FreeBSD__ +# include <osreldate.h> +#endif #include <stdio.h> #include <assert.h> #include <string.h> @@ -16,6 +19,7 @@ #endif #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <stdlib.h> #include <unistd.h> #include <stddef.h> @@ -30,6 +34,9 @@ #include <netinet/ip_icmp.h> #include <netinet/tcpip.h> #include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #include <netdb.h> #include <arpa/nameser.h> #include <arpa/inet.h> @@ -42,7 +49,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: ipt.c,v 2.0.2.4 1997/04/02 12:23:30 darrenr Exp $"; +static char rcsid[] = "$Id: ipt.c,v 2.0.2.5 1997/04/30 13:59:39 darrenr Exp $"; #endif extern char *optarg; @@ -66,7 +73,7 @@ char *argv[]; char *rules = NULL, *datain = NULL, *iface = NULL; int fd, i, dir = 0; - while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) + while ((c = (char)getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) switch (c) { case 'b' : diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h index e91190b..f7cc61f 100644 --- a/contrib/ipfilter/ipt.h +++ b/contrib/ipfilter/ipt.h @@ -1,12 +1,15 @@ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: ipt.h,v 2.0.2.4 1997/03/27 13:45:23 darrenr Exp $ + * $Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp $ */ +#ifndef __IPT_H__ +#define __IPT_H__ + #include <fcntl.h> #ifdef __STDC__ #include <stdarg.h> @@ -23,3 +26,5 @@ struct ipread { extern void debug __P((char *, ...)); extern void verbose __P((char *, ...)); + +#endif /* __IPT_H__ */ 
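Review bot: The new include guard `__IPT_H__` in the ipt.h hunk, and likewise `__KMEM_H__` and `__SNOOP_H__` in the following kmem.h and snoop.h hunks, use names beginning with two underscores, which the C standard reserves for the implementation; a collision with a system header macro of the same name would silently disable the guard or the header. Use a project-owned name instead, `#ifndef IPT_H` / `#define IPT_H` / `#endif /* IPT_H */`, and the same pattern for the other two headers. In the ipt.c hunks, `#if __FreeBSD_version >= 300000` relies on an undefined macro evaluating to 0 on non-FreeBSD builds, which works but reads more clearly as `#if defined(__FreeBSD_version) && __FreeBSD_version >= 300000`.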
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h index 38d6430..d98f391 100644 --- a/contrib/ipfilter/kmem.h +++ b/contrib/ipfilter/kmem.h @@ -1,12 +1,15 @@ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: kmem.h,v 2.0.2.3 1997/03/10 08:10:38 darrenr Exp $ + * $Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp $ */ +#ifndef __KMEM_H__ +#define __KMEM_H__ + #ifndef __P # ifdef __STDC__ # define __P(x) x @@ -19,3 +22,4 @@ extern int kmemcpy __P((char *, long, int)); #define KMEM "/dev/kmem" +#endif /* __KMEM_H__ */ diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h index 3f28724..75aec95 100644 --- a/contrib/ipfilter/linux.h +++ b/contrib/ipfilter/linux.h @@ -1,5 +1,5 @@ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ * responsibility and is not changed in any way. * * I hate legaleese, don't you ? - * $Id: linux.h,v 2.0.2.2 1997/02/23 10:38:08 darrenr Exp $ + * $Id: linux.h,v 2.0.2.3 1997/04/07 09:59:01 darrenr Exp $ */ #include <linux/config.h> diff --git a/contrib/ipfilter/man/ipf.1 b/contrib/ipfilter/man/ipf.1 index 912d7ef..5ea06fa 100644 --- a/contrib/ipfilter/man/ipf.1 +++ b/contrib/ipfilter/man/ipf.1 @@ -99,7 +99,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't affect fragment or state statistics). .DT .SH SEE ALSO -ipfstat(1), ipftest(1), ipf(5) +ipfstat(1), ipftest(1), ipf(5), mkfilters(1) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index 417a0ea..f8ceedd 100644 
--- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -277,7 +277,10 @@ packets from both protocols are compared. This is equivalent to "proto tcp/udp". When composing \fBport\fP comparisons, either the service name or an integer port number may be used. Port comparisons may be done in a number of forms, with a number of comparison operators, or -port ranges may be specified. See the examples for more information. +port ranges may be specified. When the port appears as part of the +\fBfrom\fP object, it matches the source port number, when it appears +as part of the \fBto\fP object, it matches the destination port number. +See the examples for more information. .PP The \fBall\fP keyword is essentially a synonym for "from any to any" with no other match parameters. @@ -430,4 +433,4 @@ would be needed before the first block. .br /etc/hosts .SH SEE ALSO -ipf(1), ipftest(1) +ipf(1), ipftest(1), mkfilters(1) diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5 index 03a87a5..40175e4 100644 --- a/contrib/ipfilter/man/ipfilter.5 +++ b/contrib/ipfilter/man/ipfilter.5 @@ -4,4 +4,4 @@ IP FIlter .SH DESCRIPTION .PP .SH SEE ALSO -ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5) +ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1) diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1 new file mode 100644 index 0000000..e55054c --- /dev/null +++ b/contrib/ipfilter/man/mkfilters.1 @@ -0,0 +1,13 @@ +.TH IPF 1 +.SH NAME +mkfilters \- generate a minimal firewall ruleset for ipfilter +.SH SYNOPSIS +.B mkfilters +.SH DESCRIPTION +.PP +\fBmkfilters\fP is a perl script that generates a minimal filter rule set for +use with \fBipfilter\fP by parsing the output of \fBifconfig\fP. +.DT +.SH SEE ALSO +ipf(1), ipf(5), ipfilter(5), ifconfig(8) + diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c index c0e415c..3ff46ba 100644 --- a/contrib/ipfilter/misc.c +++ b/contrib/ipfilter/misc.c 
@@ -15,6 +15,7 @@ #endif #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <stdlib.h> #include <unistd.h> #include <stddef.h> @@ -40,7 +41,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: misc.c,v 2.0.2.5 1997/03/31 10:05:36 darrenr Exp $"; +static char rcsid[] = "$Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c index 068a9ff..fe035da 100644 --- a/contrib/ipfilter/mln_ipl.c +++ b/contrib/ipfilter/mln_ipl.c @@ -13,19 +13,12 @@ #include <sys/param.h> -/* - * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns - * on those hooks. We don't need any special mods with this! - */ -#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \ - (defined(NetBSD1_2) && NetBSD1_2 > 1) -# define NETBSD_PF -#endif - #if defined(__FreeBSD__) && (__FreeBSD__ > 1) -# include <osreldate.h> # ifdef IPFILTER_LKM +# include <osreldate.h> # define ACTUALLY_LKM_NOT_KERNEL +# else +# include <sys/osreldate.h> # endif #endif #include <sys/systm.h> @@ -48,8 +41,10 @@ #include <sys/mount.h> #include <sys/exec.h> #include <sys/mbuf.h> -#if defined(__NetBSD__) || (defined(__FreeBSD_version) && \ - (__FreeBSD_version >= 199511)) +#if BSD >= 199506 +# include <sys/sysctl.h> +#endif +#if (__FreeBSD_version >= 199511) #include <net/if.h> #include <netinet/in_systm.h> #include <netinet/in.h> @@ -59,13 +54,13 @@ #include <netinet/tcp.h> #include <netinet/tcpip.h> #endif -#ifndef __NetBSD__ -#include <sys/sysent.h> +#if (__FreeBSD__ > 1) +# include <sys/sysent.h> #endif #include <sys/lkm.h> -#include "ipl.h" -#include "ip_compat.h" -#include "ip_fil.h" +#include "netinet/ipl.h" +#include "netinet/ip_compat.h" +#include "netinet/ip_fil.h" #ifndef IPL_NAME #define IPL_NAME "/dev/ipl" 
@@ -84,43 +79,12 @@ extern int lkmenodev __P((void)); -#ifdef NETBSD_PF -#include <net/pfil.h> -#endif -#ifndef IPFILTER_LOG -# ifdef NETBSD_PF -# define iplread enodev -# else -# define iplread nodev -# endif -#endif - -#ifdef NETBSD_PF -int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL; -#endif - static int ipl_unload __P((void)); static int ipl_load __P((void)); static int ipl_remove __P((void)); int xxxinit __P((struct lkm_table *, int, int)); -#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \ - (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511)) -struct cdevsw ipldevsw = -{ - iplopen, /* open */ - iplclose, /* close */ - iplread, /* read */ - 0, /* write */ - iplioctl, /* ioctl */ - 0, /* stop */ - 0, /* tty */ - 0, /* select */ - 0, /* mmap */ - NULL /* strategy */ -}; -#else struct cdevsw ipldevsw = { iplopen, /* open */ @@ -135,6 +99,16 @@ struct cdevsw ipldevsw = (void *)nullop, /* mmap */ NULL /* strategy */ }; + +#ifdef SYSCTL_INT +SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF"); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW, + &ipl_unreach, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD, + &ipl_inited, 0, ""); #endif #if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) @@ -149,7 +123,7 @@ extern int nchrdev; int ipl_major = CDEV_MAJOR; static struct cdevsw ipl_cdevsw = { - iplopen, iplclose, iplread, nowrite, /* 79 */ + iplopen, iplclose, iplread, nowrite, /* 79 */ iplioctl, nostop, noreset, nodevtotty, noselect, nommap, nostrategy, "ipl", NULL, -1 @@ -157,6 +131,8 @@ static struct cdevsw ipl_cdevsw = { #endif +static int iplaction __P((struct lkm_table *, int)); + static int iplaction(lkmtp, cmd) struct lkm_table *lkmtp; 
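Review bot: Every `SYSCTL_INT` in the `@@ -135,6 +99,16 @@` hunk registers its knob with an empty description string, so `net.inet.ipf.*` shows up with no explanation; three of them, `fr_flags`, `fr_pass` and `ipl_unreach`, are `CTLFLAG_RW` and presumably change filter behaviour at run time, which is exactly where an operator needs the text. Fill in the last argument for each, e.g. `SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "verdict applied when no rule matches");` if that is what `fr_pass` holds. A one-line comment above the `SYSCTL_NODE` noting that the writable knobs take effect immediately, without a reload of the rule set, would complete the picture; whether `SYSCTL_INT` is defined on every kernel this file targets is decided by headers outside the hunk.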
@@ -229,6 +205,7 @@ static int ipl_remove __P((void)) VOP_LOCK(nd.ni_vp); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); + return 0; } @@ -237,9 +214,6 @@ static int ipl_unload() int error = 0; error = ipldetach(); -#ifdef NETBSD_PF - pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT); -#endif if (!error) error = ipl_remove(); return error; @@ -253,9 +227,6 @@ static int ipl_load() int error = 0, fmode = S_IFCHR|0600; error = iplattach(); -#ifdef NETBSD_PF - pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT); -#endif if (error) return error; (void) ipl_remove(); @@ -327,6 +298,20 @@ static int ipl_load() #if defined(__FreeBSD_version) && (__FreeBSD_version < 220000) +/* + * strlen isn't present in 2.1.* kernels. + */ +size_t strlen(string) +char *string; +{ + register char *s; + + for (s = string; *s; s++) + ; + return (size_t)(s - string); +} + + int xxxinit(lkmtp, cmd, ver) struct lkm_table *lkmtp; int cmd, ver; @@ -334,8 +319,8 @@ int cmd, ver; DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); } #else -#include <sys/exec.h> -#include <sys/sysent.h> +# ifdef IPFILTER_LKM +# include <sys/exec.h> MOD_DECL(if_ipl); 
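Review bot: The `strlen` added for pre-2.2 kernels in the `@@ -327,6 +298,20 @@` hunk takes `char *string` rather than `const char *` and is an external, non-static definition; if the 2.1 headers declare `strlen` with a `const` parameter, the K&R definition conflicts with that prototype, and `register` buys nothing on a current compiler. Give it the standard signature, `size_t strlen(const char *string)` with `const char *s` as the cursor, and keep the explanatory comment. The `return 0;` appended to `ipl_remove` in the first hunk fixes a missing return; the function's earlier paths are outside the hunk, so whether they already return a non-zero error is not visible here.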
@@ -354,21 +339,39 @@ int cmd, ver; { DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); } +# else -/* +#ifdef DEVFS +static void *ipf_devfs_token[3]; +#endif static ipl_devsw_installed = 0; static void ipl_drvinit __P((void *unused)) { - dev_t dev; + dev_t dev; +#ifdef DEVFS + void **tp = ipf_devfs_token; +#endif - if( ! ipl_devsw_installed ) { - dev = makedev(CDEV_MAJOR,0); - cdevsw_add(&dev, &ipl_cdevsw,NULL); - ipl_devsw_installed = 1; - } + if (!ipl_devsw_installed ) { + dev = makedev(CDEV_MAJOR, 0); + cdevsw_add(&dev, &ipl_cdevsw, NULL); + ipl_devsw_installed = 1; + +#ifdef DEVFS + tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF, + DV_CHR, 0, 0, 0600, + "ipf", IPL_LOGIPF); + tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT, + DV_CHR, 0, 0, 0600, + "ipnat", IPL_LOGNAT); + tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE, + DV_CHR, 0, 0, 0600, + "ipstate", IPL_LOGSTATE); +#endif + } } SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL) -*/ -#endif /* __FreeBSD__ */ +# endif /* IPFILTER_LKM */ +#endif /* _FreeBSD_version */ diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 432fb99..92487a4 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -14,6 +14,7 @@ #endif #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <stdlib.h> #include <unistd.h> #include <stddef.h> @@ -34,7 +35,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: parse.c,v 2.0.2.5 1997/03/31 10:05:38 darrenr Exp $"; +static char rcsid[] = "$Id: parse.c,v 2.0.2.7 1997/05/08 11:24:09 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; 
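Review bot: In the DEVFS branch of `ipl_drvinit` in the `@@ -354,21 +339,39 @@` hunk, the three `devfs_add_devswf` return values are stored in `ipf_devfs_token[]` but never checked; if the call can fail and return NULL, the device node is silently absent while `ipl_devsw_installed` is already set, so nothing retries. The array is sized 3 and indexed by `IPL_LOGIPF`, `IPL_LOGNAT` and `IPL_LOGSTATE`, which assumes those constants are 0, 1 and 2, an assumption the declaration should state: `static void *ipf_devfs_token[3]; /* indexed by IPL_LOG*, which must be 0..2 */`. The 0600 mode on the nodes is the right default for a filter control device. The context line `static ipl_devsw_installed = 0;` is implicit `int`, pre-existing but worth fixing while the function is being rewritten.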
@@ -325,6 +326,10 @@ char *line; return NULL; } ch = 0; + if (**cpp == '!') { + fil.fr_flags |= FR_NOTSRCIP; + (*cpp)++; + } if (hostmask(&cpp, (u_long *)&fil.fr_src, (u_long *)&fil.fr_smsk, &fil.fr_sport, &ch, &fil.fr_stop)) { @@ -350,6 +355,10 @@ char *line; return NULL; } ch = 0; + if (**cpp == '!') { + fil.fr_flags |= FR_NOTDSTIP; + (*cpp)++; + } if (hostmask(&cpp, (u_long *)&fil.fr_dst, (u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch, &fil.fr_dtop)) { @@ -1164,10 +1173,11 @@ struct frentry *fp; (void)printf("proto %d ", fp->fr_proto); } + printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : ""); if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr) - (void)printf("from any "); + (void)printf("any "); else { - (void)printf("from %s", inet_ntoa(fp->fr_src)); + (void)printf("%s", inet_ntoa(fp->fr_src)); if ((ones = countbits(fp->fr_smsk.s_addr)) == -1) (void)printf("/%s ", inet_ntoa(fp->fr_smsk)); else @@ -1180,10 +1190,12 @@ struct frentry *fp; else (void)printf("port %s %s ", pcmp1[fp->fr_scmp], portname(pr, fp->fr_sport)); + + printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr) - (void)printf("to any"); + (void)printf("any"); else { - (void)printf("to %s", inet_ntoa(fp->fr_dst)); + (void)printf("%s", inet_ntoa(fp->fr_dst)); if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1) (void)printf("/%s", inet_ntoa(fp->fr_dmsk)); else diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h index 1eee3c6..f915a1a 100644 --- a/contrib/ipfilter/pcap.h +++ b/contrib/ipfilter/pcap.h 
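Review bot: The negation handling added in the first two hunks advances `*cpp` past the `!` but does not check that an address follows; a token that is just `!` hands `hostmask()` an empty string, and what it reports then is outside the hunk. A guard before the call, `if (!**cpp) { fprintf(stderr, "missing address after '!'\n"); return NULL; }`, gives a clear diagnostic. In the printing hunks the new `printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "")` and its `to` twin drop the `(void)` cast every other printf in this function carries, and the conditional reads more safely parenthesised, `(fp->fr_flags & FR_NOTSRCIP) ? "!" : ""`. The print routine starts before its hunk.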
@@ -1,10 +1,10 @@ /* - * (C)opyright 1993-1996 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: pcap.h,v 2.0.2.2 1997/02/23 10:38:17 darrenr Exp $ + * $Id: pcap.h,v 2.0.2.3 1997/04/07 09:59:02 darrenr Exp $ */ /* * This header file is constructed to match the version described by diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy new file mode 100755 index 0000000..2c42c52 --- /dev/null +++ b/contrib/ipfilter/rules/ftppxy @@ -0,0 +1,6 @@ +#!/bin/sh +# The proxy bit is as follows: +# proxy [port <portname>] <tag>/<protocol> +# the <tag> should match a tagname in the proxy table, as does the protocol. +# this format isn't finalised yet +echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f - diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h index e257be5..076a7af 100644 --- a/contrib/ipfilter/snoop.h +++ b/contrib/ipfilter/snoop.h @@ -1,14 +1,17 @@ /* - * (C)opyright 1993,1994,1995 by Darren Reed. + * (C)opyright 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ +#ifndef __SNOOP_H__ +#define __SNOOP_H__ + /* * written to comply with the RFC (1761) from Sun. - * $Id: snoop.h,v 2.0.2.2 1997/02/23 10:38:19 darrenr Exp $ + * $Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp $ */ struct snoophdr { char s_id[8]; @@ -40,3 +43,5 @@ struct snooppkt { int sp_sec; int sp_usec; }; + +#endif /* __SNOOP_H__ */ diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index 8f158fc..10d397f 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c 
@@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "$Id: solaris.c,v 2.0.2.3 1997/03/27 13:45:28 darrenr Exp $"; +#pragma ident "$Id: solaris.c,v 2.0.2.5 1997/05/08 10:11:04 darrenr Exp $"; #include <sys/systm.h> #include <sys/types.h> @@ -177,18 +177,18 @@ ddi_attach_cmd_t cmd; #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance); #endif - if (ddi_create_minor_node(dip, "ipf", S_IFCHR, instance, + if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF, DDI_PSEUDO, 0) == DDI_FAILURE) { ddi_remove_minor_node(dip, NULL); goto attach_failed; } - if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, instance, - DDI_PSEUDO, 1) == DDI_FAILURE) { + if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, IPL_LOGNAT, + DDI_PSEUDO, 0) == DDI_FAILURE) { ddi_remove_minor_node(dip, NULL); goto attach_failed; } - if (ddi_create_minor_node(dip, "ipstate", S_IFCHR, instance, - DDI_PSEUDO, 2) == DDI_FAILURE) { + if (ddi_create_minor_node(dip, "ipstate", S_IFCHR,IPL_LOGSTATE, + DDI_PSEUDO, 0) == DDI_FAILURE) { ddi_remove_minor_node(dip, NULL); goto attach_failed; } @@ -942,7 +942,11 @@ frdest_t *fdp; else dst = fin->fin_fi.fi_dst; +#if SOLARIS2 > 5 + if (dir = ire_cache_lookup(dst.s_addr)) +#else if (dir = ire_lookup(dst.s_addr)) +#endif if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length) dir = NULL; diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index d3bdcc2..f2e3ca9 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile @@ -17,7 +17,7 @@ first: -mkdir -p results # Filtering tests -ftests: 1 2 3 4 5 6 7 8 9 10 11 12 +ftests: 1 2 3 4 5 6 7 8 9 10 11 12 14 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 @@ -25,7 +25,7 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 0: @(cd ..; make ipftest; ) -1 2 3 4 5 6 7 8 9 10 11: +1 2 3 4 5 6 7 8 9 10 11 14: @./dotest $@ 12: 
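Review bot: In the attach hunk the minor numbers for the `ipf`, `ipnat` and `ipstate` nodes are now the fixed constants `IPL_LOGIPF`, `IPL_LOGNAT` and `IPL_LOGSTATE` instead of being derived from `instance`, so a second attach of the driver would try to create duplicate minor nodes; if only instance 0 is ever attached, a comment saying so is enough, otherwise `instance` should be checked before the first `ddi_create_minor_node`. The last argument also changed from `1`/`2` to `0` for the second and third nodes; whether the open routine now keys on the minor number alone is outside the hunk. `S_IFCHR,IPL_LOGSTATE` is missing the space after the comma. The new `if (dir = ire_cache_lookup(dst.s_addr))` mirrors the old line, but an assignment in a condition reads better as `if ((dir = ire_cache_lookup(dst.s_addr)) != NULL)`.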
diff --git a/contrib/ipfilter/test/expected/14 b/contrib/ipfilter/test/expected/14
new file mode 100644
index 0000000..d06d92b
--- /dev/null
+++ b/contrib/ipfilter/test/expected/14
@@ -0,0 +1,40 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+block
+block
+block
+block
+block
+pass
+pass
+pass
+pass
+pass
diff --git a/contrib/ipfilter/test/expected/i1 b/contrib/ipfilter/test/expected/i1
index f69e055..3eb14be 100644
--- a/contrib/ipfilter/test/expected/i1
+++ b/contrib/ipfilter/test/expected/i1
@@ -3,6 +3,8 @@ block out from any to any
 log in from any to any
 log body in from any to any
 count in from any to any
+pass in from !any to any
+block in from any to !any
 pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
 block in log first on lo0(!) from any to any
 pass in log body quick from any to any
diff --git a/contrib/ipfilter/test/input/14 b/contrib/ipfilter/test/input/14
new file mode 100644
index 0000000..16a806f
--- /dev/null
+++ b/contrib/ipfilter/test/input/14
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/regress/14 b/contrib/ipfilter/test/regress/14
new file mode 100644
index 0000000..aa54af8
--- /dev/null
+++ b/contrib/ipfilter/test/regress/14
@@ -0,0 +1,8 @@
+block in from !1.1.1.1 to any
+pass in from 1.1.1.1 to !any
+block in from 1.1.1.1/24 to !any
+pass in from !1.1.1.1/24 to any
+block in from !1.1.1.1/16 to any
+pass in from 1.1.1.1/16 to !any
+block in from 1.1.1.1/0 to !any
+pass in from !1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/i1 b/contrib/ipfilter/test/regress/i1
index 583cd8b..736801e 100644
--- a/contrib/ipfilter/test/regress/i1
+++ b/contrib/ipfilter/test/regress/i1
@@ -3,6 +3,8 @@ block out all log in all log body in all count in from any to any +pass in from !any to any +block in from any to !any pass in on ed0 from localhost to localhost block in log first on lo0 from any to any pass in log body quick from any to any diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo index 3914bef..d90d75d 100644 --- a/contrib/ipfilter/todo +++ b/contrib/ipfilter/todo @@ -1,12 +1,5 @@ -* automatically use the interface's IP# for NAT rather than any specific IP# - - Done. Use "0/32" as destination address/mask. Uses first interface IP# - set for an interface. - * use fr_tcpstate() with NAT code for increased NAT usage security or even - fr_checkstate() - -* use minor devices for controlling access to alternate parts of IP Filter - such as filtering, accounting, state, NAT, etc. + fr_checkstate() - suspect this is not possible. * see if the Solaris2 and dynamic plumb/unplumb problem is solvable @@ -17,11 +10,17 @@ time permitting: * record buffering for TCP/UDP * modular application proxying +on the way * invesitgate making logging better +done ? * add reverse nat (similar to rdr) to map addresses going in both directions - -* add 'tail' switch to ipmon (this might just be some changes to rdr). In 1:1 relationships maybe make it an option. + +* keep fragment information for NAT/state entries automatically. +done + +* support traceroute through the firewall + |