diff options
82 files changed, 2686 insertions, 836 deletions
diff --git a/contrib/ipfilter/FWTK/FWTK.sed b/contrib/ipfilter/FWTK/FWTK.sed new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/contrib/ipfilter/FWTK/FWTK.sed diff --git a/contrib/ipfilter/FWTK/ftp-gw.diff b/contrib/ipfilter/FWTK/ftp-gw.diff index 075e6eb..715d2a7 100644 --- a/contrib/ipfilter/FWTK/ftp-gw.diff +++ b/contrib/ipfilter/FWTK/ftp-gw.diff @@ -3,7 +3,7 @@ *************** *** 11,31 **** */ - static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.1.1 1997/01/09 15:14:46 darrenr Exp $"; + static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.2.2 1997/02/23 10:38:35 darrenr Exp $"; #include <stdio.h> @@ -25,7 +25,7 @@ extern char *index(); --- 11,37 ---- */ - static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.1.1 1997/01/09 15:14:46 darrenr Exp $"; + static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.2.2 1997/02/23 10:38:35 darrenr Exp $"; + /* + * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96 diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff index 4fe5808..6a5c376 100644 --- a/contrib/ipfilter/FWTK/fwtk_transparent.diff +++ b/contrib/ipfilter/FWTK/fwtk_transparent.diff @@ -124,7 +124,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris *************** *** 11,30 **** # - # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $" + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.2.1 1997/02/23 10:38:36 darrenr Exp $" # Your C compiler (eg, "cc" or "gcc") @@ -145,7 +145,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \ --- 11,34 ---- # - # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $" + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.2.1 1997/02/23 10:38:36 darrenr Exp $" + # + # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c) diff --git a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs new file mode 100644 index 0000000..dfebbe8 --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs @@ -0,0 +1,16 @@ +*** in_proto.c.orig Wed Apr 2 19:50:00 1997 +--- in_proto.c Wed Apr 2 19:51:21 1997 +*************** +*** 89,94 **** +--- 89,99 ---- + void eoninput(), eonctlinput(), eonprotoinit(); + #endif /* EON */ + ++ #if defined(IPFILTER) && !defined(IPFILTER_LKM) ++ void iplinit(); ++ #define ip_init iplinit ++ #endif ++ + extern struct domain inetdomain; + + struct protosw inetsw[] = { diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs new file mode 100644 index 0000000..1339e01 --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs @@ -0,0 +1,32 @@ +*** ip_input.c.orig Wed Apr 2 19:41:44 1997 +--- /sys/netinet/ip_input.c Wed Apr 2 19:28:53 1997 +*************** +*** 74,79 **** +--- 74,82 ---- + #ifdef IPFIREWALL + #include <netinet/ip_fw.h> + #endif ++ #if defined(IPFILTER_LKM) || defined(IPFILTER) ++ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); ++ #endif + + int rsvp_on = 0; + static int ip_rsvp_on; +*************** +*** 310,316 **** +--- 313,327 ---- + * - Wrap: fake packet's addr/port <unimpl.> + * - Encapsulate: put it in another IP and send out. <unimp.> + */ ++ #if defined(IPFILTER_LKM) || defined(IPFILTER) ++ if (fr_checkp) { ++ struct mbuf *m1 = m; + ++ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) ++ return; ++ ip = mtod(m = m1, struct ip *); ++ } ++ #endif + #ifdef COMPAT_IPFW + if (ip_fw_chk_ptr) { + int action; diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs new file mode 100644 index 0000000..3f53ac7 --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs @@ -0,0 +1,69 @@ +*** ip_output.c.orig Wed Apr 2 19:41:48 1997 +--- /sys/netinet/ip_output.c Wed Apr 2 19:38:19 1997 +*************** +*** 67,72 **** +--- 67,76 ---- + #else + #undef COMPAT_IPFW + #endif ++ #if defined(IPFILTER_LKM) || defined(IPFILTER) ++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); ++ #endif ++ + + u_short ip_id; + +*************** +*** 75,81 **** + __P((struct ifnet *, struct mbuf *, struct sockaddr_in *)); + static int ip_getmoptions + __P((int, struct ip_moptions *, struct mbuf **)); +! static int ip_optcopy __P((struct ip *, struct ip *)); + static int ip_pcbopts __P((struct mbuf **, struct mbuf *)); + static int ip_setmoptions + __P((int, struct ip_moptions **, struct mbuf *)); +--- 79,85 ---- + __P((struct ifnet *, struct mbuf *, struct sockaddr_in *)); + static int ip_getmoptions + __P((int, struct ip_moptions *, struct mbuf **)); +! int ip_optcopy __P((struct ip *, struct ip *)); + static int ip_pcbopts __P((struct mbuf **, struct mbuf *)); + static int ip_setmoptions + __P((int, struct ip_moptions **, struct mbuf *)); +*************** +*** 338,344 **** +--- 342,358 ---- + * - Wrap: fake packet's addr/port <unimpl.> + * - Encapsulate: put it in another IP and send out. <unimp.> + */ ++ #if defined(IPFILTER_LKM) || defined(IPFILTER) ++ if (fr_checkp) { ++ struct mbuf *m1 = m; + ++ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ++ error = EHOSTUNREACH; ++ if (error || !m1) ++ goto done; ++ ip = mtod(m = m1, struct ip *); ++ } ++ #endif + #ifdef COMPAT_IPFW + if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) { + error = EACCES; +*************** +*** 559,565 **** + * Copy options from ip to jp, + * omitting those not copied during fragmentation. + */ +! static int + ip_optcopy(ip, jp) + struct ip *ip, *jp; + { +--- 573,579 ---- + * Copy options from ip to jp, + * omitting those not copied during fragmentation. + */ +! int + ip_optcopy(ip, jp) + struct ip *ip, *jp; + { diff --git a/contrib/ipfilter/FreeBSD-2.2/minstall b/contrib/ipfilter/FreeBSD-2.2/minstall new file mode 100755 index 0000000..832b68e --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/minstall @@ -0,0 +1,38 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD-2.2 ) cd .. +echo "Patching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \ +(cd /sys/netinet; patch) + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +echo "Re-config'ing $newconfig..." +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}${bak} ) + set bak=".bak."$dot + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}$bak +endif +awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM\noptions IPFILTER_LOG"}}' \ + $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/FreeBSD-2.2/unminstall b/contrib/ipfilter/FreeBSD-2.2/unminstall new file mode 100755 index 0000000..abb2631 --- /dev/null +++ b/contrib/ipfilter/FreeBSD-2.2/unminstall @@ -0,0 +1,36 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD ) cd .. +echo "Unpatching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ +(cd /sys/netinet; patch -R) + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak +endif +grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 41c94d1..425aa24 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY @@ -5,6 +5,89 @@ # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # +3.2alpha4 2/4/97 - Released + +Some compiler warnings cleaned up. + +FreeBSD-2.2 patches for LKM completed. + +3.2alpha3 31/3/97 - Released + +ipmon changes: -N for reading NAT logfile, -S for reading state logfile. +-a for reading all. -n now toggles hostname resolution. + +Add logging of new state entries and expiration of old state entries. +count log successes and failures. + +Add logging of new NAT entries and expiration of old NAT entries. +count log successes and failures. + +Use u_quad_t for records of bytes & packets where kept +(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). + +Fixup use of CPU and DCPU in Makefiles. + +Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> + +3.2alpha2 + +Implement mapping to 0/32 as being an alias for automatically using the +interface's first IP address. + +Implement separate minor devices for both NAT and IP state code. + +Fully prototype all functions. + +Fix Makefile problem due to attempt to fix Sun compiling problems. + +3.1.10 23/3/97 - Released + +ipfstat -a requires a -i or -o command line option too. Print an error +when not present rather than attempt to do something. + +patch updates for SunOS4 for kernel compiling. +patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr +<schorr@ead.dsa.com> + +too many people hit their heads hard when compiling code into the kernel +that doesn't let any packets through. (fil.c - IPF_NOMATCH) + +icmp-type parsing doesn't return any errors when it isn't constructed +correctly. Neil Readwin + +Using "-conf" with modload on SunOS4 doesn't work. +Timothy Demarest <demarest@arraycomm.com> + +Need to define ARCH in makefile for SunOS4 building. "make sunos4" +in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> +[all SunOS targets now run buildsunos] + +NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP +information. ArkanoiD <ark@paranoid.convey.ru> + +Need to check for __FreeBSD_version being 199511 rather than 199607 +in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> + +3.1.9 8/3/97 - Released + +fixed incorrect lookup of active NAT entries. + +patch for ip_deq() wrong for pre 2.1.6 FreeBSD. +fyeung@fyeung8.netific.com (Francis Yeung) + +check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi +(erkki@vlsi.fi) + +text_readip returns the interface pointer pointing to text on stack - +Neil Readwin + +fix from Pradeep Krishnan for printout rules "with not opt sec". + +3.1.8 18/2/97 - Released + +Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and +compiling warnings about reuse of m0. + prevent use of return-rst and return-icmp with rules blocking packets going out, preventing panics in certain situations. diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2 new file mode 100644 index 0000000..400963d --- /dev/null +++ b/contrib/ipfilter/INST.FreeBSD-2.2 @@ -0,0 +1,53 @@ + +To build a kernel for use with the loadable kernel module, follow these +steps: + 1. do "make freebsd22" + + 2. do "make install-bsd" + (probably has to be done as root) + + 3. run "FreeBSD-2.2/minstall" as root + + 4. build a new kernel + + 5. install and reboot with the new kernel + + 6. use modload(8) to load the packet filter with: + modload if_ipl.o + + 7. do "modstat" to confirm that it has been loaded successfully. + +There is no need to use mknod to create the device in /dev; +- upon loading the module, it will create itself with the correct values, + under the name (IPL_NAME) from the Makefile. It will also remove itself + from /dev when it is modunload'd. + +To build a kernel with the IP filter, follow these steps: + +*** KERNEL INSTALL CURRENTLY UNSUPPORTED *** + 1. do "make freebsd22" + + 2. do "make install-bsd" + (probably has to be done as root) + + 3. run "FreeBSD-2.2/kinstall" as root + + 4. build a new kernel + + 5a) For FreeBSD 2.2 (or later) + create devices for IP Filter as follows: + mknod /dev/ipl c 79 0 + mknod /dev/ipnat c 79 1 + mknod /dev/ipstate c 79 2 + + 5b) For versions prior to FreeBSD 2.2: + create devices for IP Filter as follows (assuming it was + installed into the device table as char dev 20): + mknod /dev/ipl c 20 0 + mknod /dev/ipnat c 20 1 + mknod /dev/ipstate c 20 2 + + 6. install and reboot with the new kernel + +Darren Reed +darrenr@cyber.com.au diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD index 3910f4d..fc35ecb 100644 --- a/contrib/ipfilter/INSTALL.FreeBSD +++ b/contrib/ipfilter/INSTALL.FreeBSD @@ -1,4 +1,7 @@ +*** IF you are using FreeBSD 2.2 or later, see the file "INST.FreeBSD-2.2" *** + + To build a kernel for use with the loadable kernel module, follow these steps: 1. do "make bsd" @@ -33,7 +36,11 @@ To build a kernel with the IP filter, follow these steps: 4. build a new kernel - 5. create /dev/ipl with "mknod /dev/ipl c 20 0". + 5. create devices for IP Filter as follows (assuming it was + installed into the device table as char dev 20): + mknod /dev/ipl c 20 0 + mknod /dev/ipnat c 20 1 + mknod /dev/ipstate c 20 2 6. install and reboot with the new kernel diff --git a/contrib/ipfilter/INSTALL.SunOS b/contrib/ipfilter/INSTALL.SunOS index 836d121..64392fd 100644 --- a/contrib/ipfilter/INSTALL.SunOS +++ b/contrib/ipfilter/INSTALL.SunOS @@ -1,7 +1,7 @@ To install as a Loadable Kernel Module (LKM): - 1. do a "make sunos4" in this directory + 1. do a "make solaris" in this directory 2. Run the script "SunOS4/minstall" as root. @@ -22,7 +22,7 @@ To install as a Loadable Kernel Module (LKM): To install as part of a SunOS 4.1.x kernel: - 1. do a "make sunos4" in this directory + 1. do a "make solaris" in this directory 2. Run the script "SunOS4/kinstall" as root. NOTE: This script sets up /dev/ipl as char. device 59,0 diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 258074a..9c83fc4 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,17 +5,19 @@ # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # -# $Id: Makefile,v 2.0.1.5 1997/02/16 06:17:04 darrenr Exp $ +# $Id: Makefile,v 2.0.2.7 1997/04/02 12:23:14 darrenr Exp $ # # where to put things. # BINDEST=/usr/local/ip_fil3.1.1/bin SBINDEST=/usr/local/ip_fil3.1.1/sbin MANDIR=/usr/local/ip_fil3.1.1/man +#To test prototyping +#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror CC=gcc DEBUG=-g CFLAGS=-I$$(TOP) -DCPU=`uname -m` +CPU=`uname -m` # # To enable this to work as a Loadable Kernel Module... # @@ -40,7 +42,7 @@ POLICY=-DIPF_DEFAULT_PASS=FR_PASS MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ "CC=$(CC)" 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ - "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "ARCH=$(ARCH)" + "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" # ########## ########## ########## ########## ########## ########## ########## # @@ -66,33 +68,31 @@ tests: sunos solaris: ./buildsunos -sunos4 solaris1: - (cd SunOS4; make build TOP=.. $(MFLAGS); cd ..) - (cd SunOS4; make -f Makefile.ipsend TOP=.. $(MFLAGS); cd ..) - -sunos5 solaris2: - (cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) - (cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) - -sunos5x86 solaris2x86: - (cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) - (cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) - -bsd netbsd freebsd: - -if [ ! -d BSD/$(DCPU) ] ; then mkdir BSD/$(DCPU); fi - -rm -f BSD/$(DCPU)/Makefile BSD/$(DCPU)/Makefile.ipsend - -ln -s ../Makefile BSD/$(DCPU)/Makefile - -ln -s ../Makefile.ipsend BSD/$(DCPU)/Makefile.ipsend - (cd BSD/$(DCPU); make build "TOP=../.." $(MFLAGS); cd ..) - (cd BSD/$(DCPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) +freebsd22 freebsd30: + -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi + @if [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \ + echo "Can't find ioconf.h"; \ + exit 1;\ + fi + rm -f BSD/$(CPU)/ioconf.h + ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) + make bsd + +bsd netbsd freebsd freebsd20 freebsd21: + -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi + -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend + -ln -s ../Makefile BSD/$(CPU)/Makefile + -ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend + (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) bsdi bsdos: - -if [ ! -d BSD/$(DCPU) ] ; then mkdir BSD/$(DCPU); fi - -rm -f BSD/$(DCPU)/Makefile BSD/$(DCPU)/Makefile.ipsend - -ln -s ../Makefile BSD/$(DCPU)/Makefile - -ln -s ../Makefile.ipsend BSD/$(DCPU)/Makefile.ipsend - (cd BSD/$(DCPU); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..) - (cd BSD/$(DCPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi + -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend + -ln -s ../Makefile BSD/$(CPU)/Makefile + -ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend + (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..) + (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) clean: ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \ @@ -125,12 +125,24 @@ get: fi \ done +sunos4 solaris1: + (cd SunOS4; make build TOP=.. $(MFLAGS); cd ..) + (cd SunOS4; make -f Makefile.ipsend TOP=.. $(MFLAGS); cd ..) + +sunos5 solaris2: + (cd SunOS5/$(CPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) + (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) + +sunos5x86 solaris2x86: + (cd SunOS5/$(CPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) + (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) + install-bsd: bsd - (cd BSD/$(DCPU); $(MAKE) "TOP=../.." install) + (cd BSD/$(CPU); $(MAKE) "CPU=$(CPU) TOP=../.." install) install-sunos4: solaris - (cd SunOS4; $(MAKE) "TOP=.." install) + (cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install) install-sunos5: solaris - (cd SunOS5; $(MAKE) "TOP=.." install) + (cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install) # XXX FIXME: bogus to depend on all! install: all ip_fil.h diff --git a/contrib/ipfilter/NAT.FreeBSD b/contrib/ipfilter/NAT.FreeBSD new file mode 100644 index 0000000..996b009 --- /dev/null +++ b/contrib/ipfilter/NAT.FreeBSD @@ -0,0 +1,104 @@ +These are Instructions for Configuring A FreeBSD Box For NAT +After you have installed IpFilter. + +You will need to change three files: + +/etc/rc.local +/etc/sysconfig +/etc/natrules + +You will have to: + +1) Load the kernel module +2) Make the ipnat rules +3) Load the ipnat rules +4) Enable routing between interfaces +5) Add static routes for the subnet ranges +6) Configure your network interfaces +7) reboot the computer for the changes to take effect. + +The FAQ was written by Chris Coleman <chris@@bbcc.ctc.edu> +This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE +_________________________________________________________ +1) Loading the Kernel Module + +If you are using a Kernal Loadable Module you need to edit your +/etc/rc.local file and load the module at boot time. +use the line: + + modload /lkm/if_ipl.o + +If you are not loading a kernel module, skip this step. +_________________________________________________________ +2) Setting up the NAT Rules + +Make a file called /etc/natrules +put in the rules that you need for your system. + +If you want to use the whole 10 Network. Try: + +map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000 + +_________________________________________________________ +Here is an explaination of each part of the command: + +map starts the command. + +fpx0 is the interface with the real internet address. + +10.0.0.0 is the subnet you want to use. + +/8 is the subnet mask. ie 255.0.0.0 + +208.8.0.1 is the real ip address that you use. + +/32 is the subnet mask 255.255.255.255, ie only use this ip address. + +portmap tcp/udp 10000:65000 + tells it to use the ports to redirect the tcp/udp calls through + + +The one line should work for the whole network. +_________________________________________________________ +3) Loading the NAT Rules: + +The NAT Rules will need to be loaded every time the computer +reboots. + +In your /etc/rc.local put the line: + +ipnat -f /etc/natrules + +To check and see if it is loaded, as root type + ipnat -ls +_________________________________________________________ +4) Enable Routing between interfaces. + +Tell the kernel to route these addresses. + +in the rc.local file put the line: + +sysctl -w net.inet.ip.forwarding=1 + +_________________________________________________________ +5) Static Routes to Subnet Ranges + +Now you have to add a static routes for the subnet ranges. +Edit your /etc/sysconfig to add them at bootup. + +static_routes="foo" +route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1" + + +_________________________________________________________ +6) Make sure that you have your interfaces configured. + +I have two Intel Ether Express Pro B cards. +One is on 208.8.0.1 The other is on 10.0.0.1 + +You need to configure these in the /etc/sysconfig + +network_interfaces="fxp0 fxp1" +ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0" +ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0" +_________________________________________________________ diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos index dd2aa38..5e39669 100755 --- a/contrib/ipfilter/buildsunos +++ b/contrib/ipfilter/buildsunos @@ -1,5 +1,5 @@ #! /bin/sh -# $Id: buildsunos,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ +# $Id: buildsunos,v 2.0.2.3 1997/03/30 15:37:34 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` cpu=`uname -m` @@ -12,12 +12,12 @@ if [ $rev = 5 ] ; then ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend fi if [ $cpu = i86pc ] ; then - make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" DCPU=${cpu} + make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} exit $? fi if [ x$solrev = x ] ; then make ${1+"$@"} sunos$rev "ARCH=`uname -m`" exit $? fi -make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" DCPU=${cpu} +make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} exit $? diff --git a/contrib/ipfilter/etc/etc.sed b/contrib/ipfilter/etc/etc.sed new file mode 100644 index 0000000..b14fc74 --- /dev/null +++ b/contrib/ipfilter/etc/etc.sed @@ -0,0 +1,2 @@ + . ..'!CVS + protocols diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index 9f95361..32b6068 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -7,12 +7,13 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; +static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $"; #endif #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <sys/file.h> #include <sys/ioctl.h> #if defined(_KERNEL) || defined(KERNEL) @@ -44,8 +45,8 @@ static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_nat.h" #include "ip_frag.h" #include "ip_state.h" @@ -54,46 +55,48 @@ static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; #endif #ifndef _KERNEL -#include "ipf.h" +# include "ipf.h" +# include "ipt.h" extern int opts; -extern void debug(), verbose(); -#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; } -#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; } -#define FR_VERBOSE(verb_pr) verbose verb_pr -#define FR_DEBUG(verb_pr) debug verb_pr -#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi) +# define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; \ + second; } +# define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; \ + second; } +# define FR_VERBOSE(verb_pr) verbose verb_pr +# define FR_DEBUG(verb_pr) debug verb_pr +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# define SEND_RESET(ip, qif, q, if) send_reset(ip, if) +# define IPLLOG(a, c, d, e) ipllog() # if SOLARIS +# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip) # define bcmp memcmp -# endif -#else -#define FR_IFVERBOSE(ex,second,verb_pr) ; -#define FR_IFDEBUG(ex,second,verb_pr) ; -#define FR_VERBOSE(verb_pr) -#define FR_DEBUG(verb_pr) -#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) -extern int send_reset(); -# if SOLARIS -extern int icmp_error(), ipfr_fastroute(); -extern kmutex_t ipf_mutex, ipl_mutex; # else -extern void ipfr_fastroute(); +# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if) # endif -extern int ipl_unreach, ipllog(); -#endif -#if SOLARIS -# define SEND_RESET(ip, if, q) send_reset(ip, qif, q) -# define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(b, ip, t, c, if, src) -#else -# define SEND_RESET(ip, if, q) send_reset(ip) -# if BSD < 199103 +#else /* #ifndef _KERNEL */ +# define FR_IFVERBOSE(ex,second,verb_pr) ; +# define FR_IFDEBUG(ex,second,verb_pr) ; +# define FR_VERBOSE(verb_pr) +# define FR_DEBUG(verb_pr) +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# define IPLLOG(a, c, d, e) ipllog(a, IPL_LOGIPF, c, d, e) +# if SOLARIS +extern kmutex_t ipf_mutex; +# define SEND_RESET(ip, qif, q, if) send_reset(ip, qif, q) # define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(mtod(b, ip_t *), t, c, if, src) + icmp_error(b, ip, t, c, if, src) # else -# define ICMP_ERROR(b, ip, t, c, if, src) \ +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# define SEND_RESET(ip, qif, q, if) send_reset((struct tcpiphdr *)ip) +# if BSD < 199103 +# define ICMP_ERROR(b, ip, t, c, if, src) \ + icmp_error(mtod(b, ip_t *), t, c, if, src) +# else +# define ICMP_ERROR(b, ip, t, c, if, src) \ icmp_error(b, t, c, (src).s_addr, if) +# endif # endif #endif @@ -103,7 +106,7 @@ extern int ipl_unreach, ipllog(); #ifdef IPF_DEFAULT_PASS #define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH) #else -#define IPF_NOMATCH (FR_NOMATCH) +#define IPF_NOMATCH (FR_PASS|FR_NOMATCH) #endif struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; @@ -113,6 +116,10 @@ int fr_flags = IPF_LOGGING, fr_active = 0; fr_info_t frcache[2]; +static void fr_makefrip __P((int, ip_t *, fr_info_t *)); +static int fr_tcpudpchk __P((frentry_t *, fr_info_t *)); +static int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); + /* * bit values for identifying presence of individual IP options @@ -159,7 +166,7 @@ struct optlist secopt[8] = { * compact the IP header into a structure which contains just the info. * which is useful for comparing IP headers with. */ -void fr_makefrip(hlen, ip, fin) +static void fr_makefrip(hlen, ip, fin) int hlen; ip_t *ip; fr_info_t *fin; @@ -278,7 +285,7 @@ getports: /* * check an IP packet for TCP/UDP characteristics such as ports and flags. */ -int fr_tcpudpchk(fr, fin) +static int fr_tcpudpchk(fr, fin) frentry_t *fr; fr_info_t *fin; { @@ -371,7 +378,7 @@ fr_info_t *fin; * Could be per interface, but this gets real nasty when you don't have * kernel sauce. */ -int fr_scanlist(pass, ip, fin, m) +static int fr_scanlist(pass, ip, fin, m) int pass; ip_t *ip; register fr_info_t *fin; @@ -404,8 +411,7 @@ void *m; if (opts & (OPT_VERBOSE|OPT_DEBUG)) printf("\n"); FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b')); - if (fin->fin_ifp && *fr->fr_ifname && - strcasecmp((char *)fin->fin_ifp, fr->fr_ifname)) + if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) continue; FR_VERBOSE((":i")); #endif @@ -467,7 +473,7 @@ void *m; pass = (*fr->fr_func)(pass, ip, fin); #ifdef IPFILTER_LOG if ((pass & FR_LOGMASK) == FR_LOG) { - if (!ipllog(fr->fr_flags, ip, fin, m)) + if (!IPLLOG(fr->fr_flags, ip, fin, m)) frstats[fin->fin_out].fr_skip++; frstats[fin->fin_out].fr_pkl++; } @@ -475,7 +481,7 @@ void *m; FR_DEBUG(("pass %#x\n", pass)); fr->fr_hits++; if (pass & FR_ACCOUNT) - fr->fr_bytes += ip->ip_len; + fr->fr_bytes += (U_QUAD_T)ip->ip_len; else fin->fin_icode = fr->fr_icode; fin->fin_rule = rulen; @@ -504,7 +510,8 @@ mblk_t **mp; struct mbuf **mp; # endif #else -) +, mp) +char *mp; #endif ip_t *ip; int hlen; @@ -518,8 +525,12 @@ int out; register fr_info_t *fin = &frinfo; frentry_t *fr = NULL; int pass, changed; +#ifndef _KERNEL + char *mc = mp, *m = mp; +#endif -#if !defined(__SVR4) && !defined(__svr4__) && defined(_KERNEL) +#ifdef _KERNEL +# if !defined(__SVR4) && !defined(__svr4__) register struct mbuf *m = *mp; struct mbuf *mc = NULL; @@ -538,9 +549,10 @@ int out; } } } -#endif -#if SOLARIS && defined(_KERNEL) +# endif +# if SOLARIS mblk_t *mc = NULL, *m = qif->qf_m; +# endif #endif fr_makefrip(hlen, ip, fin); fin->fin_ifp = ifp; @@ -608,7 +620,7 @@ int out; } } - if (fr && fr->fr_func) + if (fr && fr->fr_func && !(pass & FR_CALLNOW)) pass = (*fr->fr_func)(pass, ip, fin); if (out) { @@ -639,7 +651,7 @@ int out; pass |= FF_LOGBLOCK; frstats[out].fr_bpkl++; logit: - if (!ipllog(pass, ip, fin, m)) { + if (!IPLLOG(pass, ip, fin, m)) { frstats[out].fr_skip++; if ((pass & (FR_PASS|FR_LOGORBLOCK)) == (FR_PASS|FR_LOGORBLOCK)) @@ -676,7 +688,7 @@ logit: frstats[0].fr_ret++; } else if ((pass & FR_RETRST) && !(fin->fin_fi.fi_fl & FI_SHORT)) { - if (SEND_RESET(ip, qif, q) == 0) + if (SEND_RESET(ip, qif, q, ifp) == 0) frstats[1].fr_ret++; } #else @@ -736,37 +748,32 @@ logit: #ifdef IPFILTER_LOG -# if !(defined(_KERNEL)) -static void ipllog() -{ - verbose("l"); -} -# endif - - -int fr_copytolog(buf, len) +int fr_copytolog(dev, buf, len) +int dev; char *buf; int len; { - int clen, tail; + register char *bufp = iplbuf[dev], *tp = iplt[dev], *hp = iplh[dev]; + register int clen, tail; - tail = (iplh >= iplt) ? (iplbuf + IPLLOGSIZE - iplh) : (iplt - iplh); + tail = (hp >= tp) ? (bufp + IPLLOGSIZE - hp) : (tp - hp); clen = MIN(tail, len); - bcopy(buf, iplh, clen); + bcopy(buf, hp, clen); len -= clen; tail -= clen; - iplh += clen; + hp += clen; buf += clen; - if (iplh == iplbuf + IPLLOGSIZE) { - iplh = iplbuf; - tail = iplt - iplh; + if (hp == bufp + IPLLOGSIZE) { + hp = bufp; + tail = tp - hp; } if (len && tail) { clen = MIN(tail, len); - bcopy(buf, iplh, clen); + bcopy(buf, hp, clen); len -= clen; - iplh += clen; + hp += clen; } + iplh[dev] = hp; return len; } #endif diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index 249611b..ca6abe0 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -12,6 +12,7 @@ #include <strings.h> #endif #include <sys/types.h> +#include <sys/time.h> #include <sys/param.h> #include <sys/file.h> #include <stdlib.h> @@ -26,15 +27,15 @@ #include <netinet/in_systm.h> #include <netinet/ip.h> #include <net/if.h> -#include "ip_fil.h" -#include "ip_compat.h" -#include "ip_nat.h" -#include "ip_frag.h" -#include "ip_state.h" #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> +#include "ip_compat.h" +#include "ip_fil.h" #include "ipf.h" +#include "ip_nat.h" +#include "ip_frag.h" +#include "ip_state.h" #include "kmem.h" #ifdef __NetBSD__ #include <paths.h> @@ -42,7 +43,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: fils.c,v 2.0.1.2 1997/01/30 10:21:48 darrenr Exp $"; +static char rcsid[] = "$Id: fils.c,v 2.0.2.7 1997/04/02 12:23:16 darrenr Exp $"; #endif #ifdef _PATH_UNIX #define VMUNIX _PATH_UNIX @@ -62,10 +63,15 @@ static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", int opts = 0; -static void showstats(), showfrstates(); -static void showlist(), showipstates(); +extern int main __P((int, char *[])); +static void showstats __P((int, friostat_t *)); +static void showfrstates __P((int, ipfrstat_t *)); +static void showlist __P((friostat_t *)); +static void showipstates __P((int, ips_stat_t *)); +static void Usage __P((char *)); + -void Usage(name) +static void Usage(name) char *name; { fprintf(stderr, "Usage: %s [-afhIiosv] [-d <device>]\n", name); @@ -253,6 +259,10 @@ struct friostat *fiop; i++; } else if (opts & OPT_INQUE) fp = (struct frentry *)fiop->f_acctin[set]; + else { + FPRINTF(stderr, "No -i or -o given with -a\n"); + return; + } } else if (opts & OPT_OUTQUE) { i = F_OUT; fp = (struct frentry *)fiop->f_fout[set]; @@ -281,9 +291,17 @@ struct friostat *fiop; if (opts & OPT_OUTQUE) fp->fr_flags |= FR_OUTQUE; if (opts & (OPT_HITS|OPT_VERBOSE)) +#ifdef USE_QUAD_T + PRINTF("%qd ", fp->fr_hits); +#else PRINTF("%ld ", fp->fr_hits); +#endif if (opts & (OPT_ACCNT|OPT_VERBOSE)) +#ifdef USE_QUAD_T + PRINTF("%qd ", fp->fr_bytes); +#else PRINTF("%ld ", fp->fr_bytes); +#endif if (opts & OPT_SHOWLINENO) PRINTF("@%d ", n); printfr(fp); @@ -312,13 +330,16 @@ ips_stat_t *ipsp; return; for (i = 0; i < IPSTATE_SIZE; i++) while (istab[i]) { - if (kmemcpy(&ips, istab[i], sizeof(ips)) == -1) + if (kmemcpy((char *)&ips, (u_long)istab[i], + sizeof(ips)) == -1) break; PRINTF("%s -> ", inet_ntoa(ips.is_src)); - PRINTF("%s age %d pass %d pr %d state %d/%d\n", + PRINTF("%s age %ld pass %d pr %d state %d/%d\n", inet_ntoa(ips.is_dst), ips.is_age, ips.is_pass, ips.is_p, ips.is_state[0], ips.is_state[1]); + PRINTF("\tpkts %ld bytes %ld", + ips.is_pkts, ips.is_bytes); if (ips.is_p == IPPROTO_TCP) PRINTF("\t%hu -> %hu %lu:%lu %hu:%hu\n", ntohs(ips.is_sport), @@ -326,10 +347,10 @@ ips_stat_t *ipsp; ips.is_seq, ips.is_ack, ips.is_swin, ips.is_dwin); else if (ips.is_p == IPPROTO_UDP) - PRINTF("\t%hu -> %hu\n", ntohs(ips.is_sport), + PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport), ntohs(ips.is_dport)); else if (ips.is_p == IPPROTO_ICMP) - PRINTF("\t%hu %hu %d\n", ips.is_icmp.ics_id, + PRINTF(" %hu %hu %d\n", ips.is_icmp.ics_id, ips.is_icmp.ics_seq, ips.is_icmp.ics_type); istab[i] = ips.is_next; @@ -353,7 +374,7 @@ ipfrstat_t *ifsp; return; for (i = 0; i < IPFT_SIZE; i++) while (ipfrtab[i]) { - if (kmemcpy(&ifr, (u_long)ipfrtab[i], + if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], sizeof(ifr)) == -1) break; PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src)); diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c index 91faec3..3a91e7a 100644 --- a/contrib/ipfilter/inet_addr.c +++ b/contrib/ipfilter/inet_addr.c @@ -55,7 +55,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static char rcsid[] = "$Id: inet_addr.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; +static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.3 1997/03/27 13:45:00 darrenr Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/param.h> @@ -63,6 +63,15 @@ static char rcsid[] = "$Id: inet_addr.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Ex #include <arpa/inet.h> #include <ctype.h> +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif +int inet_aton __P((const char *, struct in_addr *)); + /* * Check whether "cp" is a valid ascii representation * of an Internet address and convert to a binary address. diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 5a36cc3..c1fbfce 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -6,17 +6,48 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.0.1.4 1997/02/04 14:24:25 darrenr Exp $ + * $Id: ip_compat.h,v 2.0.2.6 1997/04/02 12:23:17 darrenr Exp $ */ #ifndef __IP_COMPAT_H_ #define __IP_COMPAT_H__ +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif + #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif + #if SOLARIS -#define MTYPE(m) ((m)->b_datap->db_type) +# define MTYPE(m) ((m)->b_datap->db_type) +# include <sys/ioccom.h> +# include <sys/sysmacros.h> +/* + * because Solaris 2 defines these in two places :-/ + */ +# undef IPOPT_EOL +# undef IPOPT_NOP +# undef IPOPT_LSRR +# undef IPOPT_RR +# undef IPOPT_SSRR +# ifndef _KERNEL +# define _KERNEL +# undef RES_INIT +# include <inet/common.h> +# include <inet/ip.h> +# include <inet/ip_ire.h> +# undef _KERNEL +# else +# include <inet/common.h> +# include <inet/ip.h> +# include <inet/ip_ire.h> +# endif #endif #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) @@ -24,6 +55,13 @@ #define IP_OFFMASK 0x1fff #endif +#if BSD > 199306 +# define USE_QUAD_T +# define U_QUAD_T u_quad_t +#else +# define U_QUAD_T u_long +#endif + #ifndef MAX #define MAX(a,b) (((a) > (b)) ? (a) : (b)) #endif @@ -85,11 +123,18 @@ #define IPOPT_FINN 205 /* FINN */ +#ifdef __FreeBSD__ +# include <machine/spl.h> +# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL) +# define ACTUALLY_LKM_NOT_KERNEL +# endif +#endif + /* * Build some macros and #defines to enable the same code to compile anywhere * Well, that's the idea, anyway :-) */ -#ifdef _KERNEL +#if defined(_KERNEL) || defined(KERNEL) # if SOLARIS # define MUTEX_ENTER(x) mutex_enter(x) # define MUTEX_EXIT(x) mutex_exit(x) @@ -108,6 +153,7 @@ # ifdef sun # if defined(__svr4__) || defined(__SVR4) +extern ill_t *get_unit __P((char *)); # define GETUNIT(n) get_unit((n)) # else # include <sys/kmem_alloc.h> @@ -132,8 +178,8 @@ typedef struct qif { queue_t *qf_out; void *qf_wqinfo; void *qf_rqinfo; - int (*qf_inp)(); - int (*qf_outp)(); + int (*qf_inp) __P((queue_t *, mblk_t *)); + int (*qf_outp) __P((queue_t *, mblk_t *)); mblk_t *qf_m; int qf_len; char qf_name[8]; @@ -151,10 +197,10 @@ typedef struct qif { # define htons(x) (x) # define htonl(x) (x) # endif -# define KMALLOC(x) kmem_alloc((x), KM_NOSLEEP) +# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) # define GET_MINOR(x) getminor(x) # else -# define KMALLOC(x) new_kmem_alloc((x), KMEM_NOSLEEP) +# define KMALLOC(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP) # endif /* __svr4__ */ # endif /* sun && !linux */ # ifndef GET_MINOR @@ -162,7 +208,7 @@ typedef struct qif { # endif # if BSD >= 199306 || defined(__FreeBSD__) # include <vm/vm.h> -# if !defined(__FreeBSD__) +# if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3) # include <vm/vm_extern.h> # include <sys/proc.h> extern vm_map_t kmem_map; @@ -170,15 +216,15 @@ extern vm_map_t kmem_map; # include <vm/vm_kern.h> # endif /* __FreeBSD__ */ /* -** # define KMALLOC(x) kmem_alloc(kmem_map, (x)) -** # define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \ +# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c)) +# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \ sizeof(*(x))) */ # ifdef M_PFIL -# define KMALLOC(x) malloc((x), M_PFIL, M_NOWAIT) +# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) # define KFREE(x) FREE((x), M_PFIL) # else -# define KMALLOC(x) malloc((x), M_TEMP, M_NOWAIT) +# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT) # define KFREE(x) FREE((x), M_TEMP) # endif # define UIOMOVE(a,b,c,d) uiomove(a,b,d) @@ -193,17 +239,16 @@ extern vm_map_t kmem_map; # endif # endif #else -# ifndef linux -# define MUTEX_ENTER(x) ; -# define MUTEX_EXIT(x) ; -# define SPLNET(x) ; -# define SPLX(x) ; -# define KMALLOC(x) malloc(x) -# define KFREE(x) free(x) -# define GETUNIT(x) (x) -# define IRCOPY(a,b,c) bcopy((a), (b), (c)) -# define IWCOPY(a,b,c) bcopy((a), (b), (c)) -# endif +# define MUTEX_ENTER(x) ; +# define MUTEX_EXIT(x) ; +# define SPLNET(x) ; +# undef SPLX +# define SPLX(x) ; +# define KMALLOC(a,b,c) (a) = (b)malloc(c) +# define KFREE(x) free(x) +# define GETUNIT(x) get_unit(x) +# define IRCOPY(a,b,c) bcopy((a), (b), (c)) +# define IWCOPY(a,b,c) bcopy((a), (b), (c)) #endif /* KERNEL */ #ifdef linux @@ -318,7 +363,7 @@ struct ipovly { # define UNITNAME(n) dev_get((n)) # define ifnet device -# define KMALLOC(x) kmalloc((x), GFP_ATOMIC) +# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC) # define KFREE(x) kfree_s((x), sizeof(*(x))) # define IRCOPY(a,b,c) { \ error = verify_area(VERIFY_READ, \ diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index fec4846..353d7a6 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -7,17 +7,39 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $"; +static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $"; #endif +#ifndef SOLARIS +#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) +#endif + +#ifdef __FreeBSD__ +#include <osreldate.h> +#endif +#ifndef _KERNEL +#include <stdio.h> +#include <string.h> +#endif #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> #include <sys/file.h> #include <sys/ioctl.h> +#include <sys/time.h> +#ifdef _KERNEL #include <sys/systm.h> +#endif #include <sys/uio.h> +#if !SOLARIS +#include <sys/dir.h> #include <sys/mbuf.h> +#else +#define bcmp memcmp +#define bzero(a,b) memset(a,0,b) +#define bcopy(a,b,c) memcpy(b,a,c) +#include <sys/filio.h> +#endif #include <sys/protosw.h> #include <sys/socket.h> @@ -36,8 +58,8 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $ #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> #include <syslog.h> -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_frag.h" #include "ip_nat.h" #include "ip_state.h" @@ -47,45 +69,49 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $ extern fr_flags, fr_active; extern struct protosw inetsw[]; -extern int (*fr_checkp)(); #if BSD < 199306 -extern int ipfr_slowtimer(); -static int (*fr_saveslowtimo)(); +static int (*fr_saveslowtimo) __P((void)); extern int tcp_ttl; #else -extern void ipfr_slowtimer(); -static void (*fr_saveslowtimo)(); +static void (*fr_saveslowtimo) __P((void)); #endif int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; -int send_reset(); + +#ifndef _KERNEL +#include "ipt.h" +static struct ifnet **ifneta = NULL; +static int nifs = 0; +struct ifnet *get_unit __P((char *)); +#endif #ifdef IPFILTER_LOG -# define LOGSIZE 8192 -int ipllog(); -char iplbuf[LOGSIZE]; -caddr_t iplh = iplbuf, iplt = iplbuf; -static int iplused = 0; +char iplbuf[3][IPLLOGSIZE]; +caddr_t iplh[3], iplt[3]; +int iplused[3] = {0,0,0}; #endif /* IPFILTER_LOG */ -static void frflush(); -static int frrequest(); -static int (*fr_savep)() = NULL; +static void frflush __P((caddr_t)); +static int frrequest __P((int, caddr_t, int)); +static void frzerostats __P((caddr_t)); +#ifdef _KERNEL +static int (*fr_savep) __P((struct ip *, int, struct ifnet *, + int, struct mbuf **)); +#else +void init_ifp __P((void)); +static int (*fr_savep) __P((struct ip *, int, struct ifnet *, + int, char *)); +static int no_output __P((struct ifnet *, struct mbuf *, + struct sockaddr *, struct rtentry *)); +static int write_output __P((struct ifnet *, struct mbuf *, + struct sockaddr *, struct rtentry *)); +#endif + -#if _BSDI_VERSION >= 199501 +#if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include <sys/device.h> # include <sys/conf.h> -int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); -int iplopen __P((dev_t, int, int, struct proc *)); -int iplclose __P((dev_t, int, int, struct proc *)); -# ifdef IPFILTER_LOG -int iplread __P((dev_t, struct uio *, int)); -# else -# define iplread noread -# endif -int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); - struct cfdriver iplcd = { NULL, "ipl", NULL, NULL, DV_DULL, 0 }; @@ -96,9 +122,11 @@ struct devsw iplsw = { nostrat, nodump, nopsize, 0, nostop }; -#endif /* _BSDI_VERSION >= 199501 */ +#endif /* _BSDI_VERSION >= 199510 && _KERNEL */ + -#ifdef IPFILTER_LKM +#ifdef _KERNEL +# ifdef IPFILTER_LKM int iplidentify(s) char *s; { @@ -106,12 +134,12 @@ char *s; return 1; return 0; } -#endif /* IPFILTER_LKM */ +# endif /* IPFILTER_LKM */ int iplattach() { - int s; + int s, i; SPLNET(s); if (ipl_inited || (fr_checkp == fr_check)) { @@ -125,6 +153,14 @@ int iplattach() fr_checkp = fr_check; fr_saveslowtimo = inetsw[0].pr_slowtimo; inetsw[0].pr_slowtimo = ipfr_slowtimer; + + /* + * Set log buffer pointers for each of the log buffers + */ + for (i = 0; i <= 2; i++) { + iplh[i] = iplbuf[i]; + iplt[i] = iplbuf[i]; + } SPLX(s); return 0; } @@ -142,7 +178,9 @@ int ipldetach() return EBUSY; } +#if defined(IPFILTER_LKM) || defined(IPFILTER) fr_checkp = fr_savep; +#endif inetsw[0].pr_slowtimo = fr_saveslowtimo; frflush((caddr_t)&i); ipl_inited = 0; @@ -154,6 +192,7 @@ int ipldetach() SPLX(s); return 0; } +#endif /* _KERNEL */ static void frzerostats(data) @@ -219,7 +258,7 @@ caddr_t data; * Filter ioctl interface. */ int iplioctl(dev, cmd, data, mode -#if _BSDI_VERSION >= 199501 +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) , p) struct proc *p; #else @@ -232,18 +271,20 @@ int mode; { int error = 0, s, unit; +#ifdef _KERNEL unit = minor(dev); - if (unit != 0) + if ((2 < unit) || (unit < 0)) return ENXIO; +#endif SPLNET(s); switch (cmd) { case FIONREAD : #ifdef IPFILTER_LOG - *(int *)data = iplused; + *(int *)data = iplused[unit]; #endif break; -#ifndef IPFILTER_LKM +#if !defined(IPFILTER_LKM) && defined(_KERNEL) case SIOCFRENB : { u_int enable; @@ -330,9 +371,9 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else { - *(int *)data = iplused; - iplh = iplt = iplbuf; - iplused = 0; + *(int *)data = iplused[unit]; + iplh[unit] = iplt[unit] = iplbuf[unit]; + iplused[unit] = 0; } break; #endif /* IPFILTER_LOG */ @@ -365,16 +406,13 @@ caddr_t data; { register frentry_t *fp, *f, **fprev; register frentry_t **ftail; - frentry_t fr; + frentry_t frd; frdest_t *fdp; - struct frentry frd; int error = 0, in; - fp = &fr; + fp = &frd; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); - bzero((char *)frcache, sizeof(frcache[0]) * 2); - in = (fp->fr_flags & FR_INQUE) ? 0 : 1; if (fp->fr_flags & FR_ACCOUNT) { ftail = fprev = &ipacct[in][set]; @@ -383,8 +421,8 @@ caddr_t data; else return ESRCH; - IRCOPY((char *)fp, (char *)&frd, sizeof(frd)); - fp = &frd; + bzero((char *)frcache, sizeof(frcache[0]) * 2); + if (*fp->fr_ifname) { fp->fr_ifa = GETUNIT(fp->fr_ifname); if (!fp->fr_ifa) @@ -451,7 +489,8 @@ caddr_t data; if (f) error = EEXIST; else { - if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) { + KMALLOC(f, frentry_t *, sizeof(*f)); + if (f != NULL) { bcopy((char *)fp, (char *)f, sizeof(*f)); f->fr_hits = 0; f->fr_next = *ftail; @@ -464,44 +503,48 @@ caddr_t data; } -#if !defined(linux) +#ifdef _KERNEL /* * routines below for saving IP headers to buffer */ int iplopen(dev, flags -#if _BSDI_VERSION >= 199501 +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; -#else +# else ) -#endif +# endif dev_t dev; int flags; { u_int min = minor(dev); - if (min) + if (2 < min) min = ENXIO; + else + min = 0; return min; } int iplclose(dev, flags -#if _BSDI_VERSION >= 199501 +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; -#else +# else ) -#endif +# endif dev_t dev; int flags; { u_int min = minor(dev); - if (min) + if (2 < min) min = ENXIO; + else + min = 0; return min; } @@ -521,52 +564,57 @@ int iplread(dev, uio) dev_t dev; register struct uio *uio; { - register int ret, s; + register int ret, s, unit; register size_t sz, sx; int error; + unit = minor(dev); + if ((2 < unit) || (unit < 0)) + return ENXIO; + if (!uio->uio_resid) return 0; - while (!iplused) { - error = SLEEP(iplbuf, "ipl sleep"); + + while (!iplused[unit]) { + error = SLEEP(iplbuf[unit], "ipl sleep"); if (error) return error; } SPLNET(s); - sx = sz = MIN(uio->uio_resid, iplused); - if (iplh < iplt) - sz = MIN(sz, LOGSIZE - (iplt - iplbuf)); + sx = sz = MIN(uio->uio_resid, iplused[unit]); + if (iplh[unit] < iplt[unit]) + sz = MIN(sz, IPLLOGSIZE - (iplt[unit] - iplbuf[unit])); sx -= sz; # if BSD >= 199306 || defined(__FreeBSD__) uio->uio_rw = UIO_READ; # endif - if (!(ret = UIOMOVE(iplt, sz, UIO_READ, uio))) { - iplt += sz; - iplused -= sz; - if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE)) - iplt = iplbuf; - - if (sx && !(ret = UIOMOVE(iplt, sx, UIO_READ, uio))) { - iplt += sx; - iplused -= sx; - if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE)) - iplt = iplbuf; + if (!(ret = UIOMOVE(iplt[unit], sz, UIO_READ, uio))) { + iplt[unit] += sz; + iplused[unit] -= sz; + if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE)) + iplt[unit] = iplbuf[unit]; + + if (sx && !(ret = UIOMOVE(iplt[unit], sx, UIO_READ, uio))) { + iplt[unit] += sx; + iplused[unit] -= sx; + if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE)) + iplt[unit] = iplbuf[unit]; } - if (!iplused) /* minimise wrapping around the end */ - iplh = iplt = iplbuf; + if (!iplused[unit]) /* minimise wrapping around the end */ + iplh[unit] = iplt[unit] = iplbuf[unit]; } SPLX(s); return ret; } # endif /* IPFILTER_LOG */ -#endif /* linux */ -#ifdef IPFILTER_LOG -int ipllog(flags, ip, fin, m) +# ifdef IPFILTER_LOG +int ipllog(flags, dev, ip, fin, m) u_int flags; +int dev; ip_t *ip; register fr_info_t *fin; struct mbuf *m; @@ -597,16 +645,16 @@ struct mbuf *m; mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0; len = hlen + sizeof(iplci) + mlen; - if (iplused + len > LOGSIZE) + if (iplused[dev] + len > IPLLOGSIZE) return 0; - iplused += len; + iplused[dev] += len; -# ifdef sun +# ifdef sun uniqtime(&iplci); -# endif -# if BSD >= 199306 || defined(__FreeBSD__) +# endif +# if BSD >= 199306 || defined(__FreeBSD__) microtime((struct timeval *)&iplci); -# endif +# endif iplci.flags = flags; iplci.hlen = (u_char)hlen; iplci.plen = (u_char)mlen; @@ -619,22 +667,25 @@ struct mbuf *m; if ((iplci.ifname[1] = ifp->if_name[1])) if ((iplci.ifname[2] = ifp->if_name[2])) iplci.ifname[3] = ifp->if_name[3]; -# endif +# endif + if (iplh[dev] == iplbuf[dev] + IPLLOGSIZE) + iplh[dev] = iplbuf[dev]; + /* * Gauranteed to succeed from above */ - (void) fr_copytolog(&iplci, sizeof(iplci)); + (void) fr_copytolog(dev, (char *)&iplci, sizeof(iplci)); for (len -= sizeof(iplci); m && len > 0; m = m->m_next, len -= hlen) { hlen = MIN(len, m->m_len); - if (fr_copytolog(mtod(m, char *), hlen)) + if (fr_copytolog(dev, mtod(m, char *), hlen)) break; } - wakeup(iplbuf); + wakeup(iplbuf[dev]); return 1; } -#endif /* IPFILTER_LOG */ +# endif /* IPFILTER_LOG */ /* * send_reset - this could conceivably be a call to tcp_respond(), but that @@ -651,22 +702,22 @@ struct tcpiphdr *ti; if (ti->ti_flags & TH_RST) return -1; /* feedback loop */ -#if BSD < 199306 +# if BSD < 199306 m = m_get(M_DONTWAIT, MT_HEADER); -#else +# else m = m_gethdr(M_DONTWAIT, MT_HEADER); m->m_data += max_linkhdr; -#endif +# endif if (m == NULL) return -1; if (ti->ti_flags & TH_SYN) tlen = 1; m->m_len = sizeof (struct tcpiphdr); -#if BSD >= 199306 +# if BSD >= 199306 m->m_pkthdr.len = sizeof (struct tcpiphdr); m->m_pkthdr.rcvif = (struct ifnet *)0; -#endif +# endif bzero(mtod(m, char *), sizeof(struct tcpiphdr)); ip = mtod(m, struct ip *); tp = mtod(m, struct tcpiphdr *); @@ -686,11 +737,11 @@ struct tcpiphdr *ti; ip->ip_tos = ((struct ip *)ti)->ip_tos; ip->ip_p = ((struct ip *)ti)->ip_p; ip->ip_len = sizeof (struct tcpiphdr); -#if BSD < 199306 +# if BSD < 199306 ip->ip_ttl = tcp_ttl; -#else +# else ip->ip_ttl = ip_defttl; -#endif +# endif /* * extra 0 in case of multicast @@ -700,13 +751,18 @@ struct tcpiphdr *ti; } -#ifndef IPFILTER_LKM -void iplinit() +# ifndef IPFILTER_LKM +# if BSD < 199306 +int +# else +void +# endif +iplinit() { (void) iplattach(); ip_init(); } -#endif +# endif void ipfr_fastroute(m0, fin, fdp) @@ -738,12 +794,12 @@ frdest_t *fdp; #if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) # ifdef RTF_CLONING rtalloc_ign(ro, RTF_CLONING); -# else +# else rtalloc_ign(ro, RTF_PRCLONING); -# endif -#else +# endif +# else rtalloc(ro); -#endif +# endif if (!ifp) { if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) { error = -2; @@ -773,19 +829,19 @@ frdest_t *fdp; * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { -#ifndef sparc +# ifndef sparc ip->ip_id = htons(ip->ip_id); ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); -#endif +# endif if (!ip->ip_sum) ip->ip_sum = in_cksum(m, hlen); -#if BSD >= 199306 +# if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); -#else +# else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); -#endif +# endif goto done; } /* @@ -818,11 +874,11 @@ frdest_t *fdp; error = ENOBUFS; goto bad; } -#if BSD >= 199306 +# if BSD >= 199306 m->m_data += max_linkhdr; -#else +# else m->m_off = MMAXOFF - hlen; -#endif +# endif mhip = mtod(m, struct ip *); bcopy((char *)ip, (char *)mhip, sizeof(*ip)); if (hlen > sizeof (struct ip)) { @@ -843,9 +899,9 @@ frdest_t *fdp; error = ENOBUFS; /* ??? */ goto sendorfree; } -#ifndef sparc +# ifndef sparc mhip->ip_off = htons((u_short)mhip->ip_off); -#endif +# endif mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); *mnext = m; @@ -865,13 +921,13 @@ sendorfree: m0 = m->m_act; m->m_act = 0; if (error == 0) -#if BSD >= 199306 +# if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); -#else +# else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); -#endif +# endif else m_freem(m); } @@ -885,3 +941,159 @@ bad: m_freem(m); goto done; } +#else /* #ifdef _KERNEL */ + + +static int no_output __P((struct ifnet *ifp, struct mbuf *m, + struct sockaddr *s, struct rtentry *rt)) +{ + return 0; +} + + +# ifdef __STDC__ +static int write_output __P((struct ifnet *ifp, struct mbuf *m, + struct sockaddr *s, struct rtentry *rt)) +{ + ip_t *ip = (ip_t *)m; +# else +static int write_output(ifp, ip) +struct ifnet *ifp; +ip_t *ip; +{ +# endif + FILE *fp; + char fname[32]; + +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + sprintf(fname, "/tmp/%s", ifp->if_xname); + if ((fp = fopen(fname, "a"))) { + fclose(fp); + } +#else + sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); + if ((fp = fopen(fname, "a"))) { + fwrite((char *)ip, ntohs(ip->ip_len), 1, fp); + fclose(fp); + } +#endif +} + + +struct ifnet *get_unit(name) +char *name; +{ + struct ifnet *ifp, **ifa; +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + if (!strcmp(name, ifp->if_xname)) + return ifp; + } +#else + char ifname[32], *s; + + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + (void) sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit); + if (!strcmp(name, ifname)) + return ifp; + } +#endif + + if (!ifneta) { + ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2); + ifneta[1] = NULL; + ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp)); + nifs = 1; + } else { + nifs++; + ifneta = (struct ifnet **)realloc(ifneta, + (nifs + 1) * sizeof(*ifa)); + ifneta[nifs] = NULL; + ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp)); + } + ifp = ifneta[nifs - 1]; + +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + strncpy(ifp->if_xname, name, sizeof(ifp->if_xname)); +#else + for (s = name; *s && !isdigit(*s); s++) + ; + if (*s && isdigit(*s)) { + ifp->if_unit = atoi(s); + ifp->if_name = (char *)malloc(s - name + 1); + strncpy(ifp->if_name, name, s - name); + ifp->if_name[s - name] = '\0'; + } else { + ifp->if_name = strdup(name); + ifp->if_unit = -1; + } +#endif + ifp->if_output = no_output; + return ifp; +} + + +void init_ifp() +{ + FILE *fp; + struct ifnet *ifp, **ifa; + char fname[32]; +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + ifp->if_output = write_output; + sprintf(fname, "/tmp/%s", ifp->if_xname); + if ((fp = fopen(fname, "w"))) + fclose(fp); + } +#else + + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + ifp->if_output = write_output; + sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); + if ((fp = fopen(fname, "w"))) + fclose(fp); + } +#endif +} + + +void ipfr_fastroute(ip, fin, fdp) +ip_t *ip; +fr_info_t *fin; +frdest_t *fdp; +{ + struct ifnet *ifp = fdp->fd_ifp; + + if (!ifp) + return; /* no routing table out here */ + + ip->ip_len = htons((u_short)ip->ip_len); + ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); + ip->ip_sum = 0; + (*ifp->if_output)(ifp, (void *)ip, NULL, 0); +} + + +void ipllog() +{ + verbose("l"); +} + + +int send_reset(ip, ifp) +ip_t *ip; +struct ifnet *ifp; +{ + verbose("- TCP RST sent\n"); + return 0; +} + + +int icmp_error(ip, ifp) +ip_t *ip; +struct ifnet *ifp; +{ + verbose("- TCP RST sent\n"); + return 0; +} +#endif /* _KERNEL */ diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index 389a161..f6acda7 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.1.2 1997/01/10 00:28:15 darrenr Exp $ + * $Id: ip_fil.h,v 2.0.2.9 1997/04/02 12:23:20 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -19,20 +19,12 @@ #if defined(KERNEL) && !defined(_KERNEL) #define _KERNEL #endif -#if SOLARIS -# include <sys/ioccom.h> -# include <sys/sysmacros.h> -# ifdef _KERNEL -# include <inet/common.h> -/* - * because Solaris 2 defines these in two places :-/ - */ -#undef IPOPT_EOL -#undef IPOPT_NOP -#undef IPOPT_LSRR -#undef IPOPT_RR -#undef IPOPT_SSRR -# include <inet/ip.h> + +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () # endif #endif @@ -118,9 +110,12 @@ typedef struct frdest { typedef struct frentry { struct frentry *fr_next; struct ifnet *fr_ifa; - u_long fr_hits; - u_long fr_bytes; /* this is only incremented when a packet */ - /* matches this rule and it is the last match*/ + /* + * There are only incremented when a packet matches this rule and + * it is the last match + */ + U_QUAD_T fr_hits; + U_QUAD_T fr_bytes; /* * Fields after this may not change whilst in the kernel. */ @@ -140,7 +135,7 @@ typedef struct frentry { u_short fr_stop; /* top port for <> and >< */ u_short fr_dtop; /* top port for <> and >< */ u_long fr_flags; /* per-rule flags && options (see below) */ - int (*fr_func)(); /* call this function */ + int (*fr_func) __P((int, struct ip *, fr_info_t *)); /* call this function */ char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; struct frdest fr_tif; /* "to" interface */ @@ -162,7 +157,7 @@ typedef struct frentry { /* * fr_flags -*/ + */ #define FR_BLOCK 0x00001 #define FR_PASS 0x00002 #define FR_OUTQUE 0x00004 @@ -276,18 +271,100 @@ typedef struct ipl_ci { #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) #define IPLLOGSIZE 8192 -extern int fr_check(); -extern int fr_copytolog(); -extern fr_info_t frcache[]; -extern char *iplh, *iplt; -extern char iplbuf[IPLLOGSIZE]; +/* + * Device filenames. Use ipf on Solaris2 because ipl is already a name used + * by something else. + */ +#ifndef IPL_NAME +# if SOLARIS +# define IPL_NAME "/dev/ipf" +# else +# define IPL_NAME "/dev/ipl" +# endif +#endif +#define IPL_NAT "/dev/ipnat" +#define IPL_STATE "/dev/ipstate" +#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */ +#define IPL_LOGNAT 1 +#define IPL_LOGSTATE 2 -#ifdef _KERNEL +#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \ + (__FreeBSD_version >= 220000) +# define CDEV_MAJOR 79 +#endif -extern struct frentry *ipfilter[2][2], *ipacct[2][2]; -extern struct filterstats frstats[]; +#ifndef _KERNEL +extern int fr_check __P((struct ip *, int, struct ifnet *, int, char *)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, + int, char *)); +extern int send_reset __P((struct ip *, struct ifnet *)); +extern int icmp_error __P((struct ip *, struct ifnet *)); +extern void ipllog __P((void)); +extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *)); +#else # if SOLARIS -extern int ipfsync(); +extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *, + queue_t *, mblk_t **)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, + int, qif_t *, queue_t *, mblk_t *)); +extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *, + struct in_addr)); +# else +extern int fr_check __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); +extern int send_reset __P((struct tcpiphdr *)); +extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *)); +extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *)); # endif +#endif +extern int fr_copytolog __P((int, char *, int)); +extern int ipl_unreach; +extern fr_info_t frcache[]; +extern char *iplh[3], *iplt[3]; +extern char iplbuf[3][IPLLOGSIZE]; +extern int iplused[3]; +extern struct frentry *ipfilter[2][2], *ipacct[2][2]; +extern struct filterstats frstats[]; + +#ifndef _KERNEL +extern int iplioctl __P((dev_t, int, caddr_t, int)); +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); +#else +extern int iplattach __P((void)); +extern int ipldetach __P((void)); +# if SOLARIS +extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *)); +extern int iplopen __P((dev_t *, int, int, cred_t *)); +extern int iplclose __P((dev_t, int, int, cred_t *)); +extern int ipfsync __P((void)); +# ifdef IPFILTER_LOG +extern int iplread __P((dev_t, struct uio *, cred_t *)); +# endif +# else +# ifdef IPFILTER_LKM +extern int iplidentify __P((char *)); +# endif +# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612) +extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); +extern int iplopen __P((dev_t, int, int, struct proc *)); +extern int iplclose __P((dev_t, int, int, struct proc *)); +# else +extern int iplioctl __P((dev_t, int, caddr_t, int)); +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); +# endif /* (_BSDI_VERSION >= 199510) */ +# ifdef IPFILTER_LOG +# if BSD >= 199306 +extern int iplread __P((dev_t, struct uio *, int)); +# else +extern int iplread __P((dev_t, struct uio *)); +# endif /* BSD >= 199306 */ +# else +# define iplread noread +# endif /* IPFILTER_LOG */ +# endif /* SOLARIS */ #endif /* _KERNEL */ #endif /* __IP_FIL_H__ */ diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 7ed97ce..59dac40 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $"; +static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -17,12 +17,19 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <sys/file.h> +#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) +#include <sys/ioccom.h> +#include <sys/filio.h> +#include <sys/fcntl.h> +#else #include <sys/ioctl.h> +#endif #include <sys/uio.h> #include <sys/protosw.h> #include <sys/socket.h> -#ifdef _KERNEL +#ifdef _KERNEL # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -47,8 +54,8 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_frag.h" #include "ip_nat.h" #include "ip_state.h" @@ -69,6 +76,13 @@ extern kmutex_t ipf_frag; # endif #endif +#ifdef __FreeBSD__ +# if BSD < 199306 +int ipfr_slowtimer __P((void)); +# else +void ipfr_slowtimer __P((void)); +# endif +#endif /* __FreeBSD__ */ ipfrstat_t *ipfr_fragstats() { @@ -114,7 +128,8 @@ int pass; return -1; } - if (!(fr = (ipfr_t *)KMALLOC(sizeof(*fr)))) { + KMALLOC(fr, ipfr_t *, sizeof(*fr)); + if (fr == NULL) { ipfr_stats.ifs_nomem++; MUTEX_EXIT(&ipf_frag); return -1; @@ -230,10 +245,10 @@ void ipfr_unload() * Slowly expire held state for fragments. Timeouts are set * in expectation * of this being called twice per second. */ -# if BSD < 199306 -int ipfr_slowtimer() -# else +# if (BSD >= 199306) || SOLARIS void ipfr_slowtimer() +# else +int ipfr_slowtimer() # endif { ipfr_t **fp, *fr; diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index a356785..28b314c 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ + * $Id: ip_frag.h,v 2.0.2.4 1997/03/27 13:45:09 darrenr Exp $ */ #ifndef __IP_FRAG_H_ @@ -39,9 +39,13 @@ typedef struct ipfrstat { #define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) -extern ipfrstat_t *ipfr_fragstats(); -extern int ipfr_newfrag(), ipfr_knownfrag(); -# ifdef _KERNEL -extern void ipfr_unload(); -# endif +extern ipfrstat_t *ipfr_fragstats __P((void)); +extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int)); +extern int ipfr_knownfrag __P((ip_t *, fr_info_t *)); +extern void ipfr_unload __P((void)); +#if (BSD >= 199306) || SOLARIS +extern void ipfr_slowtimer __P((void)); +#else +extern int ipfr_slowtimer __P((void)); +#endif #endif /* __IP_FIL_H__ */ diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index ee59a6c..7e0e381 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,11 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $"; +static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $"; +#endif + +#if defined(__FreeBSD__) && defined(KERNEL) +#define _KERNEL #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -20,12 +24,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <sys/file.h> #include <sys/ioctl.h> #include <sys/uio.h> #include <sys/protosw.h> #include <sys/socket.h> -#ifdef _KERNEL +#ifdef _KERNEL # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -57,8 +62,8 @@ extern struct ifnet vpnif; #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_nat.h" #include "ip_state.h" #ifndef MIN @@ -80,10 +85,13 @@ extern kmutex_t ipf_nat; # endif #endif -static int flush_nattable(), clear_natlist(); -static void nattable_sync(); +static int flush_nattable __P((void)), clear_natlist __P((void)); +static void nattable_sync __P((void)), nat_delete __P((struct nat *)); +static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int)); +static void fix_outcksum __P((u_short *, u_long)); +static void fix_incksum __P((u_short *, u_long)); -void fix_outcksum(sp, n) +static void fix_outcksum(sp, n) u_short *sp; u_long n; { @@ -104,7 +112,7 @@ u_long n; } -void fix_incksum(sp, n) +static void fix_incksum(sp, n) u_short *sp; u_long n; { @@ -182,7 +190,8 @@ int cmd, mode; error = EEXIST; break; } - if (!(n = (ipnat_t *)KMALLOC(sizeof(*n)))) { + KMALLOC(n, ipnat_t *, sizeof(*n)); + if (n == NULL) { error = ENOMEM; break; } @@ -365,7 +374,7 @@ static int clear_natlist() /* * Create a new NAT table entry. */ -nat_t *nat_new(np, ip, fin, flags, direction) +static nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; @@ -387,15 +396,22 @@ int direction; } /* Give me a new nat */ - if (!(nat = (nat_t *)KMALLOC(sizeof(*nat)))) + KMALLOC(nat, nat_t *, sizeof(*nat)); + if (nat == NULL) return NULL; bzero((char *)nat, sizeof(*nat)); + nat->nat_flags = flags; /* * Search the current table for a match. */ if (direction == NAT_OUTBOUND) { +#if SOLARIS + ill_t *ill = fin->fin_ifp; +#else + struct ifnet *ifp = fin->fin_ifp; +#endif /* * If it's an outbound packet which doesn't match any existing * record, then create a new port @@ -403,6 +419,34 @@ int direction; do { port = 0; in.s_addr = np->in_nip; + if (!in.s_addr && (np->in_outmsk == 0xffffffff)) { +#if SOLARIS + in.s_addr = ill->ill_ipif->ipif_local_addr; +#else + struct ifaddr *ifa; + struct sockaddr_in *sin; + + ifa = ifp->if_addrlist; +# if BSD < 199306 + sin = (struct sockaddr_in *)&ifa->ifa_addr; +# else + sin = (struct sockaddr_in *)ifa->ifa_addr; + while (sin && ifa && + sin->sin_family != AF_INET) { + ifa = ifa->ifa_next; + sin = (struct sockaddr_in *)ifa->ifa_addr; + } + if (!ifa) + sin = NULL; + if (!sin) { + KFREE(nat); + return NULL; + } +# endif + in = sin->sin_addr; + in.s_addr = ntohl(in.s_addr); +#endif + } if (nflags & IPN_TCPUDP) { port = htons(np->in_pnext++); if (np->in_pnext >= ntohs(np->in_pmax)) { @@ -555,8 +599,9 @@ u_short sport, mapdport; for (; nat; nat = nat->nat_hnext[1]) if (nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == mapdst.s_addr && - (!flags || (nat->nat_oport == sport && - nat->nat_outport == mapdport))) + flags == nat->nat_flags && (!flags || + (nat->nat_oport == sport && + nat->nat_outport == mapdport))) return nat; return NULL; } @@ -581,8 +626,8 @@ u_short sport, dport; for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && - (!flags || (nat->nat_inport == sport && - nat->nat_oport == dport))) + flags == nat->nat_flags && (!flags || + (nat->nat_inport == sport && nat->nat_oport == dport))) return nat; return NULL; } @@ -606,8 +651,9 @@ u_short mapsport, dport; for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_outip.s_addr == mapsrc.s_addr && nat->nat_oip.s_addr == dst.s_addr && - (!flags || (nat->nat_outport == mapsport && - nat->nat_oport == dport))) + flags == nat->nat_flags && (!flags || + (nat->nat_outport == mapsport && + nat->nat_oport == dport))) return nat; return NULL; } @@ -684,17 +730,20 @@ fr_info_t *fin; */ if (!(nat = nat_outlookup(nflags, ip->ip_src, sport, ip->ip_dst, dport))) { - if (np->in_redir == NAT_REDIRECT) - continue; /* - * if it's a redirection, then we don't want + * If it's a redirection, then we don't want * to create new outgoing port stuff. * Redirections are only for incoming * connections. */ + if (np->in_redir == NAT_REDIRECT) + continue; if (!(nat = nat_new(np, ip, fin, nflags, NAT_OUTBOUND))) break; +#ifdef IPFILTER_LOG + nat_log(nat, (u_short)np->in_redir); +#endif } ip->ip_src = nat->nat_outip; @@ -719,8 +768,8 @@ fr_info_t *fin; if (ip->ip_p == IPPROTO_TCP) { csump = &tcp->th_sum; - set_tcp_age(&nat->nat_age, - nat->nat_state, ip, fin,1); + fr_tcp_age(&nat->nat_age, + nat->nat_state, ip, fin,1); } else if (ip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -787,20 +836,20 @@ fr_info_t *fin; (np->in_redir == NAT_MAP || np->in_pmin == dport)) { if (!(nat = nat_inlookup(nflags, ip->ip_src, sport, ip->ip_dst, dport))) { + /* + * If this rule (np) is a redirection, rather + * than a mapping, then do a nat_new. + * Otherwise, if it's just a mapping, do a + * continue; + */ if (np->in_redir == NAT_MAP) continue; - else { - /* - * If this rule (np) is a redirection, - * rather than a mapping, then do a - * nat_new. Otherwise, if it's just a - * mapping, do a continue; - */ - if (!(nat = nat_new(np, ip, fin, - nflags, - NAT_INBOUND))) - break; - } + if (!(nat = nat_new(np, ip, fin, nflags, + NAT_INBOUND))) + break; +#ifdef IPFILTER_LOG + nat_log(nat, (u_short)np->in_redir); +#endif } ip->ip_dst = nat->nat_inip; @@ -824,8 +873,8 @@ fr_info_t *fin; if (ip->ip_p == IPPROTO_TCP) { csump = &tcp->th_sum; - set_tcp_age(&nat->nat_age, - nat->nat_state, ip, fin,0); + fr_tcp_age(&nat->nat_age, + nat->nat_state, ip, fin,0); } else if (ip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -887,9 +936,61 @@ void ip_natexpire() continue; } *natp = nat->nat_next; +#ifdef IPFILTER_LOG + nat_log(nat, NL_EXPIRE); +#endif nat_delete(nat); nat_stats.ns_expire++; } SPLX(s); MUTEX_EXIT(&ipf_nat); } + + +#ifdef IPFILTER_LOG +void nat_log(nat, type) +struct nat *nat; +u_short type; +{ + struct ipnat *np; + struct natlog natl; + int rulen; + + if (iplused[IPL_LOGNAT] + sizeof(natl) > IPLLOGSIZE) { + nat_stats.ns_logfail++; + return; + } + + if (iplh[IPL_LOGNAT] == iplbuf[IPL_LOGNAT] + IPLLOGSIZE) + iplh[IPL_LOGNAT] = iplbuf[IPL_LOGNAT]; + +# ifdef sun + uniqtime(&natl); +# endif +# if BSD >= 199306 || defined(__FreeBSD__) + microtime((struct timeval *)&natl); +# endif + natl.nl_origport = nat->nat_oport; + natl.nl_outport = nat->nat_outport; + natl.nl_inport = nat->nat_inport; + natl.nl_origip = nat->nat_oip; + natl.nl_outip = nat->nat_outip; + natl.nl_inip = nat->nat_inip; + natl.nl_type = type; + natl.nl_rule = -1; + if (nat->nat_ptr) { + for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++) + if (np == nat->nat_ptr) { + natl.nl_rule = rulen; + break; + } + } + + if (!fr_copytolog(IPL_LOGNAT, (char *)&natl, sizeof(natl))) { + iplused[IPL_LOGNAT] += sizeof(natl); + nat_stats.ns_logged++; + } else + nat_stats.ns_logfail++; + wakeup(iplbuf[IPL_LOGNAT]); +} +#endif diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index d64183a..bf435e0 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.0.1.7 1997/01/30 12:39:41 darrenr Exp $ + * $Id: ip_nat.h,v 2.0.2.6 1997/03/31 10:05:30 darrenr Exp $ */ #ifndef __IP_NAT_H_ @@ -40,7 +40,8 @@ #define NAT_SIZE 367 typedef struct nat { - int nat_age; + u_long nat_age; + int nat_flags; u_long nat_sumd; u_long nat_ipsumd; struct in_addr nat_inip; @@ -101,6 +102,8 @@ typedef struct natstat { u_long ns_added; u_long ns_expire; u_long ns_inuse; + u_long ns_logged; + u_long ns_logfail; nat_t **ns_table[2]; ipnat_t *ns_list; } natstat_t; @@ -110,9 +113,37 @@ typedef struct natstat { #define IPN_UDP 2 #define IPN_TCPUDP 3 + +typedef struct natlog { + struct timeval nl_tv; + struct in_addr nl_origip; + struct in_addr nl_outip; + struct in_addr nl_inip; + u_short nl_origport; + u_short nl_outport; + u_short nl_inport; + u_short nl_type; + int nl_rule; +} natlog_t; + + +#define NL_NEWMAP NAT_MAP +#define NL_NEWRDR NAT_REDIRECT +#define NL_EXPIRE 0xffff + + extern nat_t *nat_table[2][NAT_SIZE]; -extern int nat_ioctl(); -extern nat_t *nat_outlookup(), *nat_inlookup(), *nat_lookupredir(); -extern int ip_natout(), ip_natin(); -extern void ip_natunload(), ip_natexpire(); +extern int nat_ioctl __P((caddr_t, int, int)); +extern nat_t *nat_outlookup __P((int, struct in_addr, u_short, + struct in_addr, u_short)); +extern nat_t *nat_inlookup __P((int, struct in_addr, u_short, + struct in_addr, u_short)); +extern nat_t *nat_lookupredir __P((natlookup_t *)); +extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short, + struct in_addr, u_short)); + +extern int ip_natout __P((ip_t *, int, fr_info_t *)); +extern int ip_natin __P((ip_t *, int, fr_info_t *)); +extern void ip_natunload __P((void)), ip_natexpire __P((void)); +extern void nat_log __P((struct nat *, u_short)); #endif /* __IP_NAT_H__ */ diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index debc512..5d0e8fe 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -9,7 +9,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.3 1997/02/04 14:49:15 darrenr Exp $"; +static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp $"; #endif #include <sys/types.h> @@ -40,8 +40,8 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.3 1997/02/04 14:49:15 darrenr Exp #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_state.h" #include "ip_frag.h" #include "ip_nat.h" @@ -54,22 +54,22 @@ extern fr_flags, fr_active; int ipfr_timer_id = 0; int ipl_unreach = ICMP_UNREACH_HOST; -int send_reset(); +int send_reset __P((struct tcpiphdr *, qif_t *, queue_t *)); +u_short ipf_cksum __P((u_short *, int)); +static void frzerostats __P((caddr_t)); #ifdef IPFILTER_LOG -int ipllog(); -static void frflush(); -char iplbuf[IPLLOGSIZE]; -caddr_t iplh = iplbuf, iplt = iplbuf; -static int iplused = 0; +int ipllog __P((u_int, int, ip_t *, fr_info_t *, mblk_t *)); +static void frflush __P((caddr_t)); +char iplbuf[3][IPLLOGSIZE]; +caddr_t iplh[3], iplt[3]; +static int iplused[3] = {0, 0, 0}; #endif /* IPFILTER_LOG */ -static int frrequest(); +static int frrequest __P((int, caddr_t, int)); kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex; kmutex_t ipf_frag, ipf_state, ipf_nat; kcondvar_t iplwait; -extern void ipfr_slowtimer(); - int ipldetach() { @@ -91,8 +91,15 @@ int ipldetach() } -int iplattach() +int iplattach __P((void)) { + int i; + + for (i = 0; i <= 2; i++) { + iplt[i] = iplbuf[i]; + iplh[i] = iplbuf[i]; + } + bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2); mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_mutex, "ipf filter mutex", MUTEX_DRIVER, NULL); @@ -175,12 +182,14 @@ caddr_t data; int iplioctl(dev, cmd, data, mode, cp, rp) dev_t dev; int cmd; -caddr_t data; +int data; int mode; cred_t *cp; int *rp; { - int error = 0; + int error = 0, unit; + + unit = getminor(dev); switch (cmd) { case SIOCFRENB : @@ -189,18 +198,18 @@ int *rp; if (!(mode & FWRITE)) return EPERM; - IRCOPY(data, (caddr_t)&enable, sizeof(enable)); + IRCOPY((caddr_t)data, (caddr_t)&enable, sizeof(enable)); break; } case SIOCSETFF : if (!(mode & FWRITE)) return EPERM; mutex_enter(&ipf_mutex); - IRCOPY(data, (caddr_t)&fr_flags, sizeof(fr_flags)); + IRCOPY((caddr_t)data, (caddr_t)&fr_flags, sizeof(fr_flags)); mutex_exit(&ipf_mutex); break; case SIOCGETFF : - IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags)); + IWCOPY((caddr_t)&fr_flags, (caddr_t)data, sizeof(fr_flags)); break; case SIOCINAFR : case SIOCRMAFR : @@ -209,7 +218,7 @@ int *rp; if (!(mode & FWRITE)) return EPERM; mutex_enter(&ipf_mutex); - error = frrequest(cmd, data, fr_active); + error = frrequest(cmd, (caddr_t)data, fr_active); mutex_exit(&ipf_mutex); break; case SIOCINIFR : @@ -218,7 +227,7 @@ int *rp; if (!(mode & FWRITE)) return EPERM; mutex_enter(&ipf_mutex); - error = frrequest(cmd, data, 1 - fr_active); + error = frrequest(cmd, (caddr_t)data, 1 - fr_active); mutex_exit(&ipf_mutex); break; case SIOCSWAPA : @@ -247,29 +256,30 @@ int *rp; fio.f_acctout[1] = ipacct[1][1]; fio.f_active = fr_active; mutex_exit(&ipf_mutex); - IWCOPY((caddr_t)&fio, data, sizeof(fio)); + IWCOPY((caddr_t)&fio, (caddr_t)data, sizeof(fio)); break; } case SIOCFRZST : if (!(mode & FWRITE)) return EPERM; - frzerostats(data); + frzerostats((caddr_t)data); break; #ifdef IPFILTER_LOG case SIOCIPFFL : if (!(mode & FWRITE)) return EPERM; mutex_enter(&ipf_mutex); - frflush(data); + frflush((caddr_t)data); mutex_exit(&ipf_mutex); break; case SIOCIPFFB : if (!(mode & FWRITE)) return EPERM; mutex_enter(&ipl_mutex); - IWCOPY((caddr_t)&iplused, data, sizeof(iplused)); - iplh = iplt = iplbuf; - iplused = 0; + IWCOPY((caddr_t)&iplused[unit], (caddr_t)data, + sizeof(iplused[unit])); + iplh[unit] = iplt[unit] = iplbuf[unit]; + iplused[unit] = 0; mutex_exit(&ipl_mutex); break; #endif /* IPFILTER_LOG */ @@ -284,13 +294,15 @@ int *rp; case SIOCGNATL : case SIOCFLNAT : case SIOCCNATL : - error = nat_ioctl(data, cmd, mode); + error = nat_ioctl((caddr_t)data, cmd, mode); break; case SIOCGFRST : - IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); + IWCOPY((caddr_t)ipfr_fragstats(), (caddr_t)data, + sizeof(ipfrstat_t)); break; case SIOCGIPST : - IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t)); + IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data, + sizeof(ips_stat_t)); break; default : error = EINVAL; @@ -418,7 +430,8 @@ caddr_t data; if (f) error = EEXIST; else { - if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) { + KMALLOC(f, frentry_t *, sizeof(*f)); + if (f != NULL) { bcopy((char *)fp, (char *)f, sizeof(*f)); f->fr_hits = 0; f->fr_next = *ftail; @@ -443,8 +456,7 @@ cred_t *cred; if (!(otype & OTYP_CHR)) return ENXIO; - if (min) - min = ENXIO; + min = (2 < min || min < 0) ? ENXIO : 0; return min; } @@ -456,8 +468,7 @@ cred_t *cred; { u_int min = getminor(dev); - if (min) - min = ENXIO; + min = (2 < min || min < 0) ? ENXIO : 0; return min; } @@ -476,7 +487,9 @@ cred_t *cp; register int ret; register size_t sz, sx; char *h, *t; - int error, used, usedo, copied; + int error, used, usedo, copied, unit; + + unit = getminor(dev); if (!uio->uio_resid) return 0; @@ -488,16 +501,16 @@ cred_t *cp; * if the log is empty. */ mutex_enter(&ipl_mutex); - while (!iplused) { + while (!iplused[unit]) { error = cv_wait_sig(&iplwait, &ipl_mutex); if (!error) { mutex_exit(&ipl_mutex); return EINTR; } } - h = iplh; - t = iplt; - used = iplused; + h = iplh[unit]; + t = iplt[unit]; + used = iplused[unit]; mutex_exit(&ipl_mutex); usedo = used; @@ -507,14 +520,14 @@ cred_t *cp; */ sx = sz = MIN(uio->uio_resid, used); if (h <= t) - sz = MIN(sz, IPLLOGSIZE + iplbuf - t); + sz = MIN(sz, IPLLOGSIZE + iplbuf[unit] - t); if (!(ret = uiomove(t, sz, UIO_READ, uio))) { t += sz; sx -= sz; used -= sz; - if ((h < t) && (t >= iplbuf + IPLLOGSIZE)) - t = iplbuf; + if ((h < t) && (t >= iplbuf[unit] + IPLLOGSIZE)) + t = iplbuf[unit]; if (sx && !(ret = uiomove(t, sx, UIO_READ, uio))) used -= sx; @@ -525,24 +538,25 @@ cred_t *cp; */ mutex_enter(&ipl_mutex); copied = usedo - used; - iplused -= copied; + iplused[unit] -= copied; - if (!iplused) /* minimise wrapping around the end */ - iplh = iplt = iplbuf; + if (!iplused[unit]) /* minimise wrapping around the end */ + iplh[unit] = iplt[unit] = iplbuf[unit]; else { - iplt += copied; - if (iplt >= iplbuf + IPLLOGSIZE) - iplt -= IPLLOGSIZE; - if (iplt == iplbuf + IPLLOGSIZE) - iplt = iplbuf; + iplt[unit] += copied; + if (iplt[unit] >= iplbuf[unit] + IPLLOGSIZE) + iplt[unit] -= IPLLOGSIZE; + if (iplt[unit] == iplbuf[unit] + IPLLOGSIZE) + iplt[unit] = iplbuf[unit]; } mutex_exit(&ipl_mutex); return ret; } -int ipllog(flags, ip, fin, m) +int ipllog(flags, dev, ip, fin, m) u_int flags; +int dev; ip_t *ip; fr_info_t *fin; mblk_t *m; @@ -575,11 +589,11 @@ mblk_t *m; mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0; len = hlen + sizeof(iplci) + mlen; mutex_enter(&ipl_mutex); - if ((iplused + len) > IPLLOGSIZE) { + if ((iplused[dev] + len) > IPLLOGSIZE) { mutex_exit(&ipl_mutex); return 0; } - iplused += len; + iplused[dev] += len; uniqtime((struct timeval *)&iplci); iplci.flags = flags; @@ -592,14 +606,14 @@ mblk_t *m; /* * Gauranteed to succeed from above */ - (void) fr_copytolog(&iplci, sizeof(iplci)); + (void) fr_copytolog(dev, (char *)&iplci, sizeof(iplci)); len -= sizeof(iplci); if (len && m) { s = m->b_rptr; do { if ((hlen = MIN(m->b_wptr - s, len))) { - if (fr_copytolog(s, hlen)) + if (fr_copytolog(dev, s, hlen)) break; len -= hlen; } @@ -725,7 +739,7 @@ struct in_addr src; bcopy((char *)ip, (char *)&icmp->icmp_ip, sizeof(*ip)); bcopy((char *)ip + (ip->ip_hl << 2), (char *)&icmp->icmp_ip + sizeof(*ip), 8); /* 64 bits */ - icmp->icmp_cksum = ipf_cksum(icmp, sizeof(*icmp) + 8); + icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8); ip_wput(qif->qf_ill->ill_wq, mb); return 0; } diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 2643ce9..edd05b8 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $"; +static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -17,12 +17,19 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> +#include <sys/time.h> #include <sys/file.h> +#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) +#include <sys/ioccom.h> +#include <sys/filio.h> +#include <sys/fcntl.h> +#else #include <sys/ioctl.h> +#endif #include <sys/uio.h> #include <sys/protosw.h> #include <sys/socket.h> -#ifdef _KERNEL +#ifdef _KERNEL # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -48,15 +55,13 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_state.h" #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif -void set_tcp_age(); - #define TCP_CLOSE (TH_FIN|TH_RST) ipstate_t *ips_table[IPSTATE_SIZE]; @@ -169,8 +174,8 @@ u_int pass; */ if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) is->is_ack = 0; /* Trumpet WinSock 'ism */ - set_tcp_age(&is->is_age, is->is_state, ip, fin, - tcp->th_sport == is->is_sport); + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); break; } case IPPROTO_UDP : @@ -187,7 +192,8 @@ u_int pass; return -1; } - if (!(is = (ipstate_t *)KMALLOC(sizeof(*is)))) { + KMALLOC(is, ipstate_t *, sizeof(*is)); + if (is == NULL) { ips_stats.iss_nomem++; return -1; } @@ -197,9 +203,14 @@ u_int pass; is->is_next = ips_table[hv]; ips_table[hv] = is; is->is_pass = pass; + is->is_pkts = 1; + is->is_bytes = ip->ip_len; if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; +#ifdef IPFILTER_LOG + ipstate_log(is, ISL_NEW); +#endif MUTEX_EXIT(&ipf_state); return 0; } @@ -210,13 +221,7 @@ u_int pass; * change timeout depending on whether new packet is a SYN-ACK returning for a * SYN or a RST or FIN which indicate time to close up shop. */ -int fr_tcpstate(is, fin, ip, tcp, sport -#ifndef _KERNEL -,isp) -ipstate_t **isp; -#else -) -#endif +int fr_tcpstate(is, fin, ip, tcp, sport) register ipstate_t *is; fr_info_t *fin; ip_t *ip; @@ -278,11 +283,13 @@ u_short sport; is->is_dwin = ntohs(tcp->th_win); } ips_stats.iss_hits++; + is->is_pkts++; + is->is_bytes += ip->ip_len; /* * Nearing end of connection, start timeout. */ - set_tcp_age(&is->is_age, is->is_state, ip, fin, - tcp->th_sport == is->is_sport); + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); return 1; } return 0; @@ -301,7 +308,7 @@ fr_info_t *fin; register u_char pr; struct icmp *ic; tcphdr_t *tcp; - u_int hv, hlen; + u_int hv, hlen, pass; if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) return 0; @@ -336,6 +343,8 @@ fr_info_t *fin; is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; + is->is_pkts++; + is->is_bytes += ip->ip_len; ips_stats.iss_hits++; MUTEX_EXIT(&ipf_state); return is->is_pass; @@ -357,7 +366,6 @@ fr_info_t *fin; if (fr_tcpstate(is, fin, ip, tcp, sport)) { #ifdef _KERNEL MUTEX_EXIT(&ipf_state); - return is->is_pass; #else int pass = is->is_pass; @@ -366,8 +374,8 @@ fr_info_t *fin; isp = &ips_table[hv]; KFREE(is); } - return pass; #endif + return pass; } } MUTEX_EXIT(&ipf_state); @@ -389,9 +397,12 @@ fr_info_t *fin; PAIRS(sport, dport, is->is_sport, is->is_dport) && IPPAIR(src, dst, is->is_src, is->is_dst)) { ips_stats.iss_hits++; + is->is_pkts++; + is->is_bytes += ip->ip_len; is->is_age = fr_udptimeout; + pass = is->is_pass; MUTEX_EXIT(&ipf_state); - return is->is_pass; + return pass; } MUTEX_EXIT(&ipf_state); break; @@ -445,6 +456,9 @@ void fr_timeoutstate() ips_stats.iss_fin++; else ips_stats.iss_expire++; +#ifdef IPFILTER_LOG + ipstate_log(is, ISL_EXPIRE); +#endif KFREE(is); ips_num--; } else @@ -458,8 +472,8 @@ void fr_timeoutstate() * Original idea freom Pradeep Krishnan for use primarily with NAT code. * (pkrishna@netcom.com) */ -void set_tcp_age(age, state, ip, fin, dir) -int *age; +void fr_tcp_age(age, state, ip, fin, dir) +u_long *age; u_char *state; ip_t *ip; fr_info_t *fin; @@ -540,3 +554,51 @@ int dir; break; } } + + +#ifdef IPFILTER_LOG +void ipstate_log(is, type) +struct ipstate *is; +u_short type; +{ + struct ipslog ipsl; + + if (iplused[IPL_LOGSTATE] + sizeof(ipsl) > IPLLOGSIZE) { + ips_stats.iss_logfail++; + return; + } + + if (iplh[IPL_LOGSTATE] == iplbuf[IPL_LOGSTATE] + IPLLOGSIZE) + iplh[IPL_LOGSTATE] = iplbuf[IPL_LOGSTATE]; + +# ifdef sun + uniqtime(&ipsl); +# endif +# if BSD >= 199306 || defined(__FreeBSD__) + microtime((struct timeval *)&ipsl); +# endif + ipsl.isl_pkts = is->is_pkts; + ipsl.isl_bytes = is->is_bytes; + ipsl.isl_src = is->is_src; + ipsl.isl_dst = is->is_dst; + ipsl.isl_p = is->is_p; + ipsl.isl_flags = is->is_flags; + ipsl.isl_type = type; + if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { + ipsl.isl_sport = is->is_sport; + ipsl.isl_dport = is->is_dport; + } else if (ipsl.isl_p == IPPROTO_ICMP) + ipsl.isl_itype = is->is_icmp.ics_type; + else { + ipsl.isl_ps.isl_filler[0] = 0; + ipsl.isl_ps.isl_filler[1] = 0; + } + + if (!fr_copytolog(IPL_LOGSTATE, (char *)&ipsl, sizeof(ipsl))) { + iplused[IPL_LOGSTATE] += sizeof(ipsl); + ips_stats.iss_logged++; + } else + ips_stats.iss_logfail++; + wakeup(iplbuf[IPL_LOGSTATE]); +} +#endif diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h index ee30b98..33395fc 100644 --- a/contrib/ipfilter/ip_state.h +++ b/contrib/ipfilter/ip_state.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ + * $Id: ip_state.h,v 2.0.2.5 1997/03/31 10:05:32 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -37,8 +37,10 @@ typedef struct tcpstate { typedef struct ipstate { struct ipstate *is_next; - int is_age; + u_long is_age; u_int is_pass; + U_QUAD_T is_pkts; + U_QUAD_T is_bytes; struct in_addr is_src; struct in_addr is_dst; u_char is_p; @@ -63,6 +65,31 @@ typedef struct ipstate { #define TH_OPENING (TH_SYN|TH_ACK) + +typedef struct ipslog { + struct timeval isl_tv; + U_QUAD_T isl_pkts; + U_QUAD_T isl_bytes; + struct in_addr isl_src; + struct in_addr isl_dst; + u_char isl_p; + u_char isl_flags; + u_short isl_type; + union { + u_short isl_filler[2]; + u_short isl_ports[2]; + u_short isl_icmp; + } isl_ps; +} ipslog_t; + +#define isl_sport isl_ps.isl_ports[0] +#define isl_dport isl_ps.isl_ports[1] +#define isl_itype isl_ps.isl_icmp + +#define ISL_NEW 0 +#define ISL_EXPIRE 0xffff + + typedef struct ips_stat { u_long iss_hits; u_long iss_miss; @@ -74,13 +101,18 @@ typedef struct ips_stat { u_long iss_expire; u_long iss_fin; u_long iss_active; + u_long iss_logged; + u_long iss_logfail; ipstate_t **iss_table; } ips_stat_t; -extern ips_stat_t *fr_statetstats(); -extern int fr_addstate(), fr_checkstate(); -extern void fr_timeoutstate(), set_tcp_age(); -# ifdef _KERNEL -extern void fr_stateunload(); -# endif +extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, + tcphdr_t *, u_short)); +extern ips_stat_t *fr_statetstats __P((void)); +extern int fr_addstate __P((ip_t *, fr_info_t *, u_int)); +extern int fr_checkstate __P((ip_t *, fr_info_t *)); +extern void fr_timeoutstate __P((void)); +extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); +extern void fr_stateunload __P((void)); +extern void ipstate_log __P((struct ipstate *, u_short)); #endif /* __IP_STATE_H__ */ diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index da6baa2..d4747a1 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -13,14 +13,10 @@ #if !defined(__SVR4) && !defined(__GNUC__) #include <strings.h> #endif -#if !defined(__SVR4) && defined(__GNUC__) -extern char *index(); -#endif #include <sys/types.h> #include <sys/param.h> #include <sys/file.h> #include <stdlib.h> -#include <unistd.h> #include <stddef.h> #include <sys/socket.h> #include <sys/ioctl.h> @@ -28,31 +24,40 @@ extern char *index(); #include <netinet/in_systm.h> #include <net/if.h> #include <netinet/ip.h> -#include "ip_fil.h" #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> +#include "ip_compat.h" +#include "ip_fil.h" #include "ipf.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ipf.c,v 2.0.1.2 1997/02/04 14:37:46 darrenr Exp $"; +static char rcsid[] = "$Id: ipf.c,v 2.0.2.5 1997/03/31 10:05:33 darrenr Exp $"; #endif #if SOLARIS -void frsync(), blockunknown(); +static void frsync __P((void)); +static void blockunknown __P((void)); +#endif +#if !defined(__SVR4) && defined(__GNUC__) +extern char *index __P((const char *, int)); #endif -void zerostats(); extern char *optarg; +void zerostats __P((void)); +int main __P((int, char *[])); + int opts = 0; static int fd = -1; -static void procfile(), flushfilter(), set_state(); -static void packetlogon(), swapactive(), showstats(); -static char *getline(); +static void procfile __P((char *, char *)), flushfilter __P((char *)); +static void set_state __P((u_int)), showstats __P((friostat_t *)); +static void packetlogon __P((char *)), swapactive __P((void)); +static int opendevice __P((void)); +static char *getline __P((char *, size_t, FILE *)); int main(argc,argv) int argc; @@ -64,10 +69,10 @@ char *argv[]; switch (c) { case 'E' : - set_state(1); + set_state((u_int)1); break; case 'D' : - set_state(0); + set_state((u_int)0); break; case 'A' : opts &= ~OPT_INACTIVE; @@ -208,9 +213,11 @@ char *name, *file; if (opts & OPT_ZERORULEST) add = SIOCZRLST; else if (opts & OPT_INACTIVE) - add = fr->fr_hits ? SIOCINIFR : SIOCADIFR; + add = (u_int)fr->fr_hits ? SIOCINIFR : + SIOCADIFR; else - add = fr->fr_hits ? SIOCINAFR : SIOCADAFR; + add = (u_int)fr->fr_hits ? SIOCINAFR : + SIOCADAFR; if (fr->fr_hits) fr->fr_hits--; if (fr && (opts & OPT_VERBOSE)) @@ -226,7 +233,11 @@ char *name, *file; if (ioctl(fd, add, fr) == -1) perror("ioctl(SIOCZRLST)"); else { +#ifdef USE_QUAD_T + printf("hits %qd bytes %qd ", +#else printf("hits %ld bytes %ld ", +#endif fr->fr_hits, fr->fr_bytes); printfr(fr); } @@ -347,7 +358,7 @@ static void swapactive() #if defined(sun) && (defined(__SVR4) || defined(__svr4__)) -void frsync() +static void frsync() { if (opendevice() != -2 && ioctl(fd, SIOCFRSYN, 0) == -1) perror("SIOCFRSYN"); @@ -405,7 +416,7 @@ friostat_t *fp; #if SOLARIS -void blockunknown() +static void blockunknown() { int flag; diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index 3ac76fc..4d35281 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ + * $Id: ipf.h,v 2.0.2.4 1997/03/27 13:45:18 darrenr Exp $ */ #ifndef SOLARIS @@ -29,10 +29,22 @@ #define OPT_SHOWLINENO 0x04000 #define OPT_PRINTFR 0x08000 #define OPT_ZERORULEST 0x10000 +#define OPT_SAVEOUT 0x20000 -extern struct frentry *parse(); +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif + +extern struct frentry *parse __P((char *)); + +extern void printfr __P((struct frentry *)); +extern void binprint __P((struct frentry *)), initparse __P((void)); +extern u_short portnum __P((char *)); -extern void printfr(), binprint(), initparse(); #if defined(__SVR4) || defined(__svr4__) #define index strchr @@ -48,10 +60,12 @@ struct ipopt_names { }; -extern u_long hostnum(), optname(); -extern void printpacket(); +extern u_long buildopts __P((char *, char *)); +extern u_long hostnum __P((char *, int *)); +extern u_long optname __P((char ***, u_short *)); +extern void printpacket __P((struct ip *)); #if SOLARIS -extern int inet_aton(); +extern int inet_aton __P((const char *, struct in_addr *)); #endif #ifdef sun diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c index 2c4cc0f..13e8557 100644 --- a/contrib/ipfilter/ipft_ef.c +++ b/contrib/ipfilter/ipft_ef.c @@ -47,10 +47,12 @@ etherfind -n -t #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "$Id: ipft_ef.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.3 1997/03/10 08:10:24 darrenr Exp $"; #endif -static int etherf_open(), etherf_close(), etherf_readip(); +static int etherf_open __P((char *)); +static int etherf_close __P((void)); +static int etherf_readip __P((char *, int, char **, int *)); struct ipread etherf = { etherf_open, etherf_close, etherf_readip }; diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c index 26dbc83..e57eeda 100644 --- a/contrib/ipfilter/ipft_hx.c +++ b/contrib/ipfilter/ipft_hx.c @@ -38,15 +38,15 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static char rcsid[] = "$Id: ipft_hx.c,v 2.0.1.2 1997/02/04 13:57:56 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.3 1997/03/10 08:10:25 darrenr Exp $"; #endif extern int opts; -extern u_short portnum(); -extern u_long buildopts(); -static int hex_open(), hex_close(), hex_readip(); -static char *readhex(); +static int hex_open __P((char *)); +static int hex_close __P((void)); +static int hex_readip __P((char *, int, char **, int *)); +static char *readhex __P((char *, char *)); struct ipread iphex = { hex_open, hex_close, hex_readip }; static FILE *tfp = NULL; @@ -85,7 +85,7 @@ static int hex_readip(buf, cnt, ifn, dir) char *buf, **ifn; int cnt, *dir; { - register char *s; + register char *s, *t, *u; struct ip *ip; char line[513]; @@ -104,7 +104,30 @@ int cnt, *dir; printf("input: %s\n", line); fflush(stdout); } - ip = (struct ip *)readhex(line, (char *)ip); + + /* + * interpret start of line as possibly "[ifname]" or + * "[in/out,ifname]". + */ + *ifn = NULL; + *dir = 0; + if ((*buf == '[') && (s = index(line, ']'))) { + t = buf + 1; + if (t - s > 0) { + if ((u = index(t, ',')) && (u < s)) { + u++; + *ifn = u; + if (*t == 'i') + *dir = 0; + else if (*t == 'o') + *dir = 1; + } else + *ifn = t; + *s++ = '\0'; + } + } else + s = line; + ip = (struct ip *)readhex(s, (char *)ip); } return -1; } diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c index 3d3d887..5b8967a 100644 --- a/contrib/ipfilter/ipft_pc.c +++ b/contrib/ipfilter/ipft_pc.c @@ -30,7 +30,7 @@ #include "pcap.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipft_pc.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.3 1997/03/10 08:10:26 darrenr Exp $"; #endif struct llc { @@ -59,7 +59,11 @@ static struct llc llcs[DLT_MAX+1] = { { 0, 0, 0 } /* DLT_FDDI */ }; -static int pcap_open(), pcap_close(), pcap_readip(); +static int pcap_open __P((char *)); +static int pcap_close __P((void)); +static int pcap_readip __P((char *, int, char **, int *)); +static void swap_hdr __P((pcaphdr_t *)); +static int pcap_read_rec __P((struct pcap_pkthdr *)); static int pfd = -1, s_type = -1, swapped = 0; diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c index 3185b56..e8c098a 100644 --- a/contrib/ipfilter/ipft_sn.c +++ b/contrib/ipfilter/ipft_sn.c @@ -33,7 +33,7 @@ #include "snoop.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipft_sn.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.3 1997/03/10 08:10:29 darrenr Exp $"; #endif struct llc { @@ -59,9 +59,12 @@ static struct llc llcs[SDL_MAX+1] = { { 0, 0, 0 }, /* SDL_OTHER */ }; -static int snoop_open(), snoop_close(), snoop_readip(); +static int snoop_open __P((char *)); +static int snoop_close __P((void)); +static int snoop_readip __P((char *, int, char **, int *)); static int sfd = -1, s_type = -1; +static int snoop_read_rec __P((struct snooppkt *)); struct ipread snoop = { snoop_open, snoop_close, snoop_readip }; diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c index ecd2bad..ef39bf0 100644 --- a/contrib/ipfilter/ipft_td.c +++ b/contrib/ipfilter/ipft_td.c @@ -56,10 +56,13 @@ tcpdump -nqte #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static char rcsid[] = "$Id: ipft_td.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.3 1997/03/10 08:10:30 darrenr Exp $"; #endif -static int tcpd_open(), tcpd_close(), tcpd_readip(); +static int tcpd_open __P((char *)); +static int tcpd_close __P((void)); +static int tcpd_readip __P((char *, int, char **, int *)); +static int count_dots __P((char *)); struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip }; diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index 0522f96..cce9af7 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -40,15 +40,17 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "$Id: ipft_tx.c,v 2.0.1.2 1997/01/19 04:52:25 darrenr Exp $"; +static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.3 1997/03/10 08:10:31 darrenr Exp $"; #endif extern int opts; -extern u_long buildopts(); +extern u_long buildopts __P((char *, char *)); static char *tx_proto = ""; -static int text_open(), text_close(), text_readip(), parseline(); +static int text_open __P((char *)), text_close __P((void)); +static int text_readip __P((char *, int, char **, int *)); +static int parseline __P((char *, struct ip *, char **, int *)); static char tcp_flagset[] = "FSRPAU"; static u_char tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, @@ -58,8 +60,8 @@ struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; static int tfd = -1; -static u_long tx_hostnum(); -static u_short tx_portnum(); +static u_long tx_hostnum __P((char *, int *)); +static u_short tx_portnum __P((char *)); /* @@ -190,7 +192,7 @@ int cnt, *dir; printf("input: %s\n", line); *ifn = NULL; *dir = 0; - if (!parseline(line, buf, ifn, dir)) + if (!parseline(line, (struct ip *)buf, ifn, dir)) #if 0 return sizeof(struct tcpiphdr); #else @@ -211,6 +213,8 @@ int *out; char *cps[20], **cpp, c, ipopts[68]; int i, r; + if (*ifn) + free(*ifn); bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip)); bzero((char *)tcp, sizeof(*tcp)); bzero((char *)ic, sizeof(*ic)); @@ -236,7 +240,7 @@ int *out; cpp++; if (!*cpp) return 1; - *ifn = *cpp++; + *ifn = strdup(*cpp++); } c = **cpp; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index 9a2e43d..1057a58 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -11,6 +11,6 @@ #ifndef __IPL_H_ #define __IPL_H__ -#define IPL_VERSION "IP Filter v3.1.7 - 8/2/97" +#define IPL_VERSION "IP Filter v3.2alpha4" #endif diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index 2ea34ef..cb71ff7 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -7,45 +7,55 @@ */ #include <stdio.h> -#include <assert.h> #include <unistd.h> -#include <fcntl.h> #include <string.h> -#include <stdlib.h> -#include <syslog.h> -#include <sys/errno.h> -#include <sys/file.h> -#include <sys/ioctl.h> -#include <sys/param.h> -#include <sys/uio.h> +#include <fcntl.h> +#include <errno.h> #if !defined(__SVR4) && !defined(__svr4__) +#include <strings.h> #include <sys/dir.h> -#include <sys/mbuf.h> #else #include <sys/byteorder.h> #endif -#include <sys/protosw.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/param.h> +#include <sys/file.h> +#include <stdlib.h> +#include <stddef.h> #include <sys/socket.h> -#include <sys/user.h> - -#include <net/if.h> +#include <sys/ioctl.h> #include <netinet/in.h> #include <netinet/in_systm.h> +#include <net/if.h> #include <netinet/ip.h> +#include <netdb.h> +#include <arpa/inet.h> +#include <arpa/nameser.h> +#include <resolv.h> + +#include <sys/uio.h> +#include <sys/protosw.h> +#include <sys/user.h> + #include <netinet/ip_var.h> #include <netinet/tcp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include <netdb.h> -#include <arpa/inet.h> + #include <ctype.h> +#include <syslog.h> + +#include "ip_compat.h" +#include "ip_fil.h" +#include "ip_nat.h" +#include "ip_state.h" #if !defined(lint) && defined(LIBC_SCCS) -static char rcsid[] = "$Id: ipmon.c,v 2.0.1.2 1997/02/04 14:49:19 darrenr Exp $"; +static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed"; +static char rcsid[] = "$Id: ipmon.c,v 2.0.2.6 1997/04/02 12:23:27 darrenr Exp $"; #endif -#include "ip_fil.h" - struct flags { int value; @@ -64,20 +74,42 @@ struct flags tcpfl[] = { static char line[2048]; -static void printpacket(), dumphex(); static int opts = 0; - -#define OPT_SYSLOG 0x01 -#define OPT_RESOLVE 0x02 -#define OPT_HEXBODY 0x04 -#define OPT_VERBOSE 0x08 -#define OPT_HEXHDR 0x10 +static void usage __P((char *)); +static void print_ipflog __P((FILE *, char *, int)); +static void print_natlog __P((FILE *, char *, int)); +static void print_statelog __P((FILE *, char *, int)); +static void dumphex __P((FILE *, u_char *, int)); +static void printiplci __P((struct ipl_ci *)); +static void resynclog __P((int, struct ipl_ci *, FILE *)); +static int read_ipflog __P((int, int *, char *, int, FILE *)); +static int read_natlog __P((int, int *, char *, int, FILE *)); +static int read_statelog __P((int, int *, char *, int, FILE *)); +char *hostname __P((int, struct in_addr)); +char *portname __P((int, char *, u_short)); +int main __P((int, char *[])); + +static int (*readfunc[3]) __P((int, int *, char *, int, FILE *)) = + { read_ipflog, read_natlog, read_statelog }; +static void (*printfunc[3]) __P((FILE *, char *, int)) = + { print_ipflog, print_natlog, print_statelog }; + + +#define OPT_SYSLOG 0x001 +#define OPT_RESOLVE 0x002 +#define OPT_HEXBODY 0x004 +#define OPT_VERBOSE 0x008 +#define OPT_HEXHDR 0x010 +#define OPT_TAIL 0x020 +#define OPT_ALL 0x040 +#define OPT_NAT 0x080 +#define OPT_STATE 0x100 #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 #endif -void printiplci(icp) +static void printiplci(icp) struct ipl_ci *icp; { printf("sec %ld usec %ld hlen %d plen %d\n", icp->sec, icp->usec, @@ -161,7 +193,73 @@ FILE *log; } -int readlogentry(fd, lenp, buf, bufsize, log) +static int read_natlog(fd, lenp, buf, bufsize, log) +int fd, bufsize, *lenp; +char *buf; +FILE *log; +{ + int len, avail = 0, want = sizeof(struct natlog); + + *lenp = 0; + + if (ioctl(fd, FIONREAD, &avail) == -1) { + perror("ioctl(FIONREAD"); + return 1; + } + + if (avail < want) + return 2; + + while (want) { + len = read(fd, buf, want); + if (len > 0) + want -= len; + else + break; + } + + if (!want) { + *lenp = sizeof(struct natlog); + return 0; + } + return !len ? 2 : -1; +} + + +static int read_statelog(fd, lenp, buf, bufsize, log) +int fd, bufsize, *lenp; +char *buf; +FILE *log; +{ + int len, avail = 0, want = sizeof(struct ipslog); + + *lenp = 0; + + if (ioctl(fd, FIONREAD, &avail) == -1) { + perror("ioctl(FIONREAD"); + return 1; + } + + if (avail < want) + return 2; + + while (want) { + len = read(fd, buf, want); + if (len > 0) + want -= len; + else + break; + } + + if (!want) { + *lenp = sizeof(struct ipslog); + return 0; + } + return !len ? 2 : -1; +} + + +static int read_ipflog(fd, lenp, buf, bufsize, log) int fd, bufsize, *lenp; char *buf; FILE *log; @@ -185,9 +283,9 @@ FILE *log; if ((icp->hlen > 92) || (now < icp->sec) || ((now - icp->sec) > (86400*5))) { if (opts & OPT_SYSLOG) - syslog(LOG_INFO, "Out of sync! (1,%x)\n", now); + syslog(LOG_INFO, "Out of sync! (1,%lx)\n", now); else - fprintf(log, "Out of sync! (1,%x)\n", now); + fprintf(log, "Out of sync! (1,%lx)\n", now); dumphex(log, buf, sizeof(struct ipl_ci)); resynclog(fd, icp, log); } @@ -304,7 +402,129 @@ int len; } -static void printpacket(log, buf, blen) +static void print_natlog(log, buf, blen) +FILE *log; +char *buf; +int blen; +{ + struct natlog *nl = (struct natlog *)buf; + char *t = line; + struct tm *tm; + int res; + + res = (opts & OPT_RESOLVE) ? 1 : 0; + tm = localtime((time_t *)&nl->nl_tv.tv_sec); + if (!(opts & OPT_SYSLOG)) { + (void) sprintf(t, "%2d/%02d/%4d ", + tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); + t += strlen(t); + } + (void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ", + tm->tm_hour, tm->tm_min, tm->tm_sec, nl->nl_tv.tv_usec, + nl->nl_rule); + t += strlen(t); + + if (nl->nl_type == NL_NEWMAP) + strcpy(t, "NAT:MAP "); + else if (nl->nl_type == NL_NEWRDR) + strcpy(t, "NAT:RDR "); + else if (nl->nl_type == ISL_EXPIRE) + strcpy(t, "NAT:EXPIRE "); + else + sprintf(t, "Type: %d ", nl->nl_type); + t += strlen(t); + + (void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip), + portname(res, NULL, nl->nl_inport)); + t += strlen(t); + (void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip), + portname(res, NULL, nl->nl_outport)); + t += strlen(t); + (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), + portname(res, NULL, nl->nl_origport)); + t += strlen(t); + + *t++ = '\n'; + *t++ = '\0'; + if (opts & OPT_SYSLOG) + syslog(LOG_INFO, "%s", line); + else + (void) fprintf(log, "%s", line); +} + + +static void print_statelog(log, buf, blen) +FILE *log; +char *buf; +int blen; +{ + struct ipslog *sl = (struct ipslog *)buf; + struct protoent *pr; + char *t = line, *proto, pname[6]; + struct tm *tm; + int res; + + res = (opts & OPT_RESOLVE) ? 1 : 0; + tm = localtime((time_t *)&sl->isl_tv.tv_sec); + if (!(opts & OPT_SYSLOG)) { + (void) sprintf(t, "%2d/%02d/%4d ", + tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); + t += strlen(t); + } + (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", + tm->tm_hour, tm->tm_min, tm->tm_sec, sl->isl_tv.tv_usec); + t += strlen(t); + + if (sl->isl_type == ISL_NEW) + strcpy(t, "STATE:NEW "); + else if (sl->isl_type == ISL_EXPIRE) + strcpy(t, "STATE:EXPIRE "); + else + sprintf(t, "Type: %d ", sl->isl_type); + t += strlen(t); + + pr = getprotobynumber((int)sl->isl_p); + if (!pr) { + proto = pname; + sprintf(proto, "%d", (u_int)sl->isl_p); + } else + proto = pr->p_name; + + if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) { + (void) sprintf(t, "%s,%s -> ", + hostname(res, sl->isl_src), + portname(res, proto, sl->isl_sport)); + t += strlen(t); + (void) sprintf(t, "%s,%s PR %s ", + hostname(res, sl->isl_dst), + portname(res, proto, sl->isl_dport), proto); + } else if (sl->isl_p == IPPROTO_ICMP) { + (void) sprintf(t, "%s -> ", hostname(res, sl->isl_src)); + t += strlen(t); + (void) sprintf(t, "%s PR icmp %d ", + hostname(res, sl->isl_dst), sl->isl_itype); + } + t += strlen(t); + if (sl->isl_type != ISL_NEW) { +#ifdef USE_QUAD_T + (void) sprintf(t, "Pkts %qd Bytes %qd", +#else + (void) sprintf(t, "Pkts %ld Bytes %ld", +#endif + sl->isl_pkts, sl->isl_bytes); + t += strlen(t); + } + + *t++ = '\n'; + *t++ = '\0'; + if (opts & OPT_SYSLOG) + syslog(LOG_INFO, "%s", line); + else + (void) fprintf(log, "%s", line); +} + + +static void print_ipflog(log, buf, blen) FILE *log; char *buf; int blen; @@ -483,47 +703,102 @@ int blen; if (opts & OPT_HEXHDR) dumphex(log, buf, sizeof(struct ipl_ci)); if (opts & OPT_HEXBODY) - dumphex(log, ip, lp->plen + lp->hlen); - fflush(log); + dumphex(log, (u_char *)ip, lp->plen + lp->hlen); +} + + +void static usage(prog) +char *prog; +{ + fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog); + exit(1); +} + + +void flushlogs(file, log) +char *file; +FILE *log; +{ + int fd, flushed = 0; + + if ((fd = open(file, O_RDWR)) == -1) { + (void) fprintf(stderr, "%s: ", file); + perror("open"); + exit(-1); + } + + if (ioctl(fd, SIOCIPFFB, &flushed) == 0) { + printf("%d bytes flushed from log buffer\n", + flushed); + fflush(stdout); + } else + perror("SIOCIPFFB"); + (void) close(fd); + + if (flushed) { + if (opts & OPT_SYSLOG) + syslog(LOG_INFO, "%d bytes flushed from log\n", + flushed); + else + fprintf(log, "%d bytes flushed from log\n", flushed); + } } + int main(argc, argv) int argc; char *argv[]; { + struct stat stat; FILE *log = NULL; - int fd = -1, flushed = 0, doread, n; + int fd[3] = {-1, -1, -1}, flushed = 0, doread, n, i, nfd = 1; + int tr, nr, regular; + int fdt[3] = {IPL_LOGIPF, IPL_LOGNAT, IPL_LOGSTATE}; char buf[512], c, *iplfile = IPL_NAME; extern int optind; extern char *optarg; - while ((c = getopt(argc, argv, "Nf:FsvxX")) != -1) + while ((c = getopt(argc, argv, "?af:FhnNsStvxX")) != -1) switch (c) { + case 'a' : + opts |= OPT_ALL; + nfd = 3; + break; case 'f' : iplfile = optarg; break; case 'F' : - if ((fd == -1) && - (fd = open(iplfile, O_RDWR)) == -1) { - (void) fprintf(stderr, "%s: ", IPL_NAME); - perror("open"); - exit(-1); + if (!(opts & OPT_ALL)) + flushlogs(iplfile, log); + else { + flushlogs(IPL_NAME, log); + flushlogs(IPL_NAT, log); + flushlogs(IPL_STATE, log); } - if (ioctl(fd, SIOCIPFFB, &flushed) == 0) { - printf("%d bytes flushed from log buffer\n", - flushed); - fflush(stdout); - } else - perror("SIOCIPFFB"); break; - case 'N' : + case 'n' : opts |= OPT_RESOLVE; break; + case 'N' : + opts |= OPT_NAT; + fdt[0] = IPL_LOGNAT; + readfunc[0] = read_natlog; + printfunc[0] = print_natlog; + break; case 's' : openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC); opts |= OPT_SYSLOG; break; + case 'S' : + opts |= OPT_STATE; + fdt[0] = IPL_LOGSTATE; + readfunc[0] = read_statelog; + printfunc[0] = print_statelog; + break; + case 't' : + opts |= OPT_TAIL; + break; case 'v' : opts |= OPT_VERBOSE; break; @@ -533,50 +808,95 @@ char *argv[]; case 'X' : opts |= OPT_HEXHDR; break; + default : + case 'h' : + case '?' : + usage(argv[0]); } - if ((fd == -1) && (fd = open(iplfile, O_RDONLY)) == -1) { - (void) fprintf(stderr, "%s: ", IPL_NAME); + if ((fd[0] == -1) && (fd[0] = open(iplfile, O_RDONLY)) == -1) { + (void) fprintf(stderr, "%s: ", iplfile); perror("open"); exit(-1); } + if ((opts & OPT_ALL)) { + if ((fd[1] = open(IPL_NAT, O_RDONLY)) == -1) { + (void) fprintf(stderr, "%s: ", IPL_NAT); + perror("open"); + exit(-1); + } + if ((fd[2] = open(IPL_STATE, O_RDONLY)) == -1) { + (void) fprintf(stderr, "%s: ", IPL_STATE); + perror("open"); + exit(-1); + } + } + if (!(opts & OPT_SYSLOG)) { log = argv[optind] ? fopen(argv[optind], "a") : stdout; setvbuf(log, NULL, _IONBF, 0); } - if (flushed) { - if (opts & OPT_SYSLOG) - syslog(LOG_INFO, "%d bytes flushed from log\n", - flushed); - else - fprintf(log, "%d bytes flushed from log\n", flushed); + if (fstat(fd[0], &stat) == -1) { + fprintf(stderr, "%s :", iplfile); + perror("fstat"); + exit(-1); } - for (doread = 1; doread; ) - switch (readlogentry(fd, &n, buf, sizeof(buf), log)) - { - case -1 : - if (opts & OPT_SYSLOG) - syslog(LOG_ERR, "read: %m\n"); - else - perror("read"); - doread = 0; - break; - case 1 : - if (opts & OPT_SYSLOG) - syslog(LOG_ERR, "aborting logging\n"); - else - fprintf(log, "aborting logging\n"); - doread = 0; - break; - case 2 : - break; - case 0 : - printpacket(log, buf, n, opts); - break; + regular = !S_ISCHR(stat.st_mode); + + for (doread = 1; doread; ) { + nr = 0; + + for (i = 0; i < nfd; i++) { + tr = 0; + if (!regular) { + if (ioctl(fd[i], FIONREAD, &tr) == -1) { + perror("ioctl(FIONREAD)"); + exit(-1); + } + } else { + tr = (lseek(fd[i], 0, SEEK_CUR) < + stat.st_size); + if (!tr && !(opts & OPT_TAIL)) + doread = 0; + } + if (!tr) + continue; + nr += tr; + + tr = (*readfunc[i])(fd[i], &n, buf, sizeof(buf), log); + switch (tr) + { + case -1 : + if (opts & OPT_SYSLOG) + syslog(LOG_ERR, "read: %m\n"); + else + perror("read"); + doread = 0; + break; + case 1 : + if (opts & OPT_SYSLOG) + syslog(LOG_ERR, "aborting logging\n"); + else + fprintf(log, "aborting logging\n"); + doread = 0; + break; + case 2 : + break; + case 0 : + if (n > 0) { + (*printfunc[i])(log, buf, n); + if (!(opts & OPT_SYSLOG)) + fflush(log); + } + break; + } } + if (!nr && regular && (opts & OPT_TAIL)) + sleep(1); + } exit(0); /* NOTREACHED */ } diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index d759228..8c731e3 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -25,6 +25,7 @@ #include <sys/byteorder.h> #endif #include <sys/types.h> +#include <sys/time.h> #include <sys/param.h> #include <stdlib.h> #include <unistd.h> @@ -40,18 +41,20 @@ #include <netinet/ip.h> #include <netinet/tcp.h> #include <net/if.h> -#include "ip_compat.h" #include <netdb.h> #include <arpa/nameser.h> #include <arpa/inet.h> #include <resolv.h> -#include "ip_nat.h" #include <ctype.h> +#include "ip_compat.h" +#include "ip_fil.h" +#include "ip_nat.h" +#include "kmem.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static char rcsid[] = "$Id: ipnat.c,v 2.0.1.8 1997/02/16 21:23:40 darrenr Exp $"; +static char rcsid[] = "$Id: ipnat.c,v 2.0.2.6 1997/04/02 12:23:29 darrenr Exp $"; #endif #if SOLARIS @@ -59,9 +62,18 @@ static char rcsid[] = "$Id: ipnat.c,v 2.0.1.8 1997/02/16 21:23:40 darrenr Exp $" #endif extern char *optarg; -extern int kmemcpy(); -void dostats(), printnat(), parsefile(), flushtable(); +ipnat_t *parse __P((char *)); +u_long hostnum __P((char *, int *)); +u_long hostmask __P((char *)); +u_short portnum __P((char *, char *)); +void dostats __P((int, int)), flushtable __P((int, int)); +void printnat __P((ipnat_t *, int, void *)); +void parsefile __P((int, char *, int)); +void usage __P((char *)); +int countbits __P((u_long)); +char *getnattype __P((ipnat_t *)); +int main __P((int, char*[])); #define OPT_REM 1 #define OPT_NODO 2 @@ -190,7 +202,7 @@ void *ptr; printf(" udp"); printf("\n"); if (verbose) - printf("\t%p %u %x %u %x %d\n", (u_int)np->in_ifp, + printf("\t%p %u %x %u %p %d\n", np->in_ifp, np->in_space, np->in_flags, np->in_pnext, np, np->in_use); } else { @@ -220,7 +232,7 @@ void *ptr; } printf("\n"); if (verbose) - printf("\t%p %u %s %d %x\n", (u_int)np->in_ifp, + printf("\t%p %u %s %d %x\n", np->in_ifp, np->in_space, inet_ntoa(np->in_nextip), np->in_pnext, np->in_flags); } @@ -235,7 +247,8 @@ ipnat_t *ipnat; { ipnat_t ipnatbuff; - if (ipnat && kmemcpy(&ipnatbuff, ipnat, sizeof(ipnatbuff))) + if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, + sizeof(ipnatbuff))) return "???"; return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR"; @@ -264,13 +277,13 @@ int fd, opts; ns.ns_added, ns.ns_expire); printf("inuse\t%lu\n", ns.ns_inuse); if (opts & OPT_VERBOSE) - printf("table %p list %p\n", - (u_int)ns.ns_table, (u_int)ns.ns_list); + printf("table %p list %p\n", ns.ns_table, ns.ns_list); } if (opts & OPT_LIST) { printf("List of active MAP/Redirect filters:\n"); while (ns.ns_list) { - if (kmemcpy(&ipn, ns.ns_list, sizeof(ipn))) { + if (kmemcpy((char *)&ipn, (long)ns.ns_list, + sizeof(ipn))) { perror("kmemcpy"); break; } @@ -279,7 +292,8 @@ int fd, opts; } nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE); - if (kmemcpy(nt[0], ns.ns_table[0], sizeof(**nt) * NAT_SIZE)) { + if (kmemcpy((char *)nt[0], (long)ns.ns_table[0], + sizeof(**nt) * NAT_SIZE)) { perror("kmemcpy"); return; } @@ -288,7 +302,8 @@ int fd, opts; for (i = 0; i < NAT_SIZE; i++) for (np = nt[0][i]; np; np = nat.nat_hnext[0]) { - if (kmemcpy(&nat, np, sizeof(nat))) + if (kmemcpy((char *)&nat, (long)np, + sizeof(nat))) break; printf("%s %-15s %-5hu <- ->", @@ -300,7 +315,7 @@ int fd, opts; ntohs(nat.nat_outport)); printf(" [%s %hu]", inet_ntoa(nat.nat_oip), ntohs(nat.nat_oport)); - printf(" %d %hu %lx", nat.nat_age, + printf(" %ld %hu %lx", nat.nat_age, nat.nat_use, nat.nat_sumd); #if SOLARIS printf(" %lx", nat.nat_ipsumd); diff --git a/contrib/ipfilter/ipsd/ipsd.sed b/contrib/ipfilter/ipsd/ipsd.sed new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/contrib/ipfilter/ipsd/ipsd.sed diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c index aa42859..f46bc55 100644 --- a/contrib/ipfilter/ipsend/44arp.c +++ b/contrib/ipfilter/ipsend/44arp.c @@ -19,6 +19,11 @@ #include <errno.h> #include <nlist.h> #include <stdio.h> +#include <netinet/in.h> +#include <netinet/ip_var.h> +#include <netinet/tcp.h> +#include "ipsend.h" + /* * lookup host and return diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c index 47f6fce..e010b9b 100644 --- a/contrib/ipfilter/ipsend/arp.c +++ b/contrib/ipfilter/ipsend/arp.c @@ -20,6 +20,10 @@ static char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; #include <netinet/in.h> #include <net/if.h> #include <net/if_arp.h> +#include <netinet/in.h> +#include <netinet/ip_var.h> +#include <netinet/tcp.h> +#include "ipsend.h" #if defined(__SVR4) || defined(__svr4__) #define bcopy(a,b,c) memmove(b,a,c) @@ -67,7 +71,6 @@ char *ether; struct arpreq ar; struct sockaddr_in *sin, san; struct hostent *hp; - char *inet_ntoa(); int fd; if (!bcmp(ipsave, ip, 4)) { diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index 2c7f7ff..1b08222 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -27,17 +27,12 @@ static char sccsid[] = "%W% %G% (C)1995"; #ifndef linux #include <netinet/if_ether.h> #include <netinet/ip_var.h> -#include <netinet/tcpip.h> -#endif -#include "ip_compat.h" -#ifdef linux -#include "tcpip.h" #endif +#include "ipsend.h" static char *ipbuf = NULL, *ethbuf = NULL; -extern int arp(), sendip(); u_short chksum(buf,len) u_short *buf; @@ -73,7 +68,7 @@ struct in_addr gwip; bcopy((char *)buf, s + sizeof(*eh), len); if (gwip.s_addr == last_gw.s_addr) bcopy(last_arp, (char *)&eh->ether_dhost, 6); - else if (arp((char *)&gwip, &eh->ether_dhost) == -1) + else if (arp((char *)&gwip, (char *)&eh->ether_dhost) == -1) { perror("arp"); return -2; @@ -107,7 +102,7 @@ int frag; bzero((char *)&eh->ether_shost, sizeof(eh->ether_shost)); if (last_gw.s_addr && (gwip.s_addr == last_gw.s_addr)) bcopy(last_arp, (char *)&eh->ether_dhost, 6); - else if (arp((char *)&gwip, &eh->ether_dhost) == -1) + else if (arp((char *)&gwip, (char *)&eh->ether_dhost) == -1) { perror("arp"); return -2; @@ -129,7 +124,7 @@ int frag; if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu)) { ip->ip_sum = 0; - ip->ip_sum = chksum(ip, ip->ip_hl << 2); + ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); bcopy((char *)ip, ipbuf + sizeof(*eh), ntohs(ip->ip_len)); err = sendip(nfd, ipbuf, sizeof(*eh) + ntohs(ip->ip_len)); @@ -202,7 +197,7 @@ int frag; ts += hlen; ip->ip_len = htons(ts); ip->ip_sum = 0; - ip->ip_sum = chksum(ip, hlen); + ip->ip_sum = chksum((u_short *)ip, hlen); bcopy((char *)ip, ipbuf + sizeof(*eh), hlen); bcopy(s + sent, ipbuf + sizeof(*eh) + hlen, ts - hlen); err = sendip(nfd, ipbuf, sizeof(*eh) + ts); @@ -268,7 +263,7 @@ struct in_addr gwip; ti->ti_len = htons(thlen); ip->ip_len = (ip->ip_hl << 2) + thlen; ti->ti_sum = 0; - ti->ti_sum = chksum(ti, thlen + sizeof(ip_t)); + ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t)); bcopy((char *)&ti->ti_sport, (char *)ip + (ip->ip_hl << 2), thlen); @@ -300,7 +295,7 @@ struct in_addr gwip; ti->ti_len = htons(thlen); ip->ip_len = (ip->ip_hl << 2) + thlen; ti->ti_sum = 0; - ti->ti_sum = chksum(ti, thlen + sizeof(ip_t)); + ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t)); bcopy((char *)&ti->ti_sport, (char *)ip + (ip->ip_hl << 2), sizeof(udphdr_t)); @@ -321,7 +316,7 @@ struct in_addr gwip; ic = (struct icmp *)((char *)ip + (ip->ip_hl << 2)); ic->icmp_cksum = 0; - ic->icmp_cksum = chksum((char *)ic, sizeof(struct icmp)); + ic->icmp_cksum = chksum((u_short *)ic, sizeof(struct icmp)); return send_ip(nfd, mtu, ip, gwip, 1); } diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c index 6fd91bf..9402104a 100644 --- a/contrib/ipfilter/ipsend/ipresend.c +++ b/contrib/ipfilter/ipsend/ipresend.c @@ -34,14 +34,8 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed"; #include <netinet/ip_icmp.h> #ifndef linux #include <netinet/ip_var.h> -#include <netinet/tcpip.h> #endif -#include "ip_compat.h" -#ifdef linux -#include <linux/sockios.h> -#include "tcpip.h" -#endif -#include "ipt.h" +#include "ipsend.h" extern char *optarg; @@ -49,7 +43,6 @@ extern int optind; #ifndef NO_IPF extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext; #endif -extern int resolve(), ip_resend(); int opts = 0; #ifndef DEFAULT_DEVICE @@ -75,7 +68,11 @@ char default_device[] = DEFAULT_DEVICE; #endif -void usage(prog) +static void usage __P((char *)); +int main __P((int, char **)); + + +static void usage(prog) char *prog; { fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\ diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index e45d3ee..4c37557 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -34,21 +34,13 @@ static char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; #include <netinet/ip_icmp.h> #ifndef linux #include <netinet/ip_var.h> -#include <netinet/tcpip.h> #endif -#include "ip_compat.h" -#ifdef linux -#include <linux/sockios.h> -#include "tcpip.h" -#endif -#include "ipt.h" +#include "ipsend.h" extern char *optarg; extern int optind; -extern int resolve(), optname(), initdevice(), send_packet(); - char options[68]; #ifdef linux char default_device[] = "eth0"; @@ -69,7 +61,12 @@ char default_device[] = "lan0"; #endif -void usage(prog) +static void usage __P((char *)); +static void do_icmp __P((ip_t *, char *)); +int main __P((int, char **)); + + +static void usage(prog) char *prog; { fprintf(stderr, "Usage: %s [options] dest [flags]\n\ @@ -346,5 +343,5 @@ char **argv; if (tcp->th_dport) return do_socket(dev, mtu, ti, gwip); #endif - return send_packets(dev, mtu, ti, gwip); + return send_packets(dev, mtu, (ip_t *)ti, gwip); } diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h new file mode 100644 index 0000000..362e273 --- /dev/null +++ b/contrib/ipfilter/ipsend/ipsend.h @@ -0,0 +1,64 @@ +/* + * ipsend.h (C) 1997 Darren Reed + * + * This was written to test what size TCP fragments would get through + * various TCP/IP packet filters, as used in IP firewalls. In certain + * conditions, enough of the TCP header is missing for unpredictable + * results unless the filter is aware that this can happen. + * + * The author provides this program as-is, with no gaurantee for its + * suitability for any specific purpose. The author takes no responsibility + * for the misuse/abuse of this program and provides it for the sole purpose + * of testing packet filter policies. This file maybe distributed freely + * providing it is not modified and that this notice remains in tact. + * + */ +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif + +#include "ip_compat.h" +#ifdef linux +#include <linux/sockios.h> +#endif +#include "tcpip.h" +#include "ipt.h" + +extern int resolve __P((char *, char *)); +extern int arp __P((char *, char *)); +extern u_short chksum __P((u_short *, int)); +extern int send_ether __P((int, char *, int, struct in_addr)); +extern int send_ip __P((int, int, ip_t *, struct in_addr, int)); +extern int send_tcp __P((int, int, ip_t *, struct in_addr)); +extern int send_udp __P((int, int, ip_t *, struct in_addr)); +extern int send_icmp __P((int, int, ip_t *, struct in_addr)); +extern int send_packet __P((int, int, ip_t *, struct in_addr)); +extern int send_packets __P((char *, int, ip_t *, struct in_addr)); +extern u_short seclevel __P((char *)); +extern u_long optname __P((char *, char *)); +extern int initdevice __P((char *, int, int)); +extern int sendip __P((int, char *, int)); +#ifdef linux +extern struct sock *find_tcp __P((int, struct tcpiphdr *)); +#else +extern struct tcpcb *find_tcp __P((int, struct tcpiphdr *)); +#endif +extern int ip_resend __P((char *, int, struct ipread *, struct in_addr, char *)); + +extern void ip_test1 __P((char *, int, ip_t *, struct in_addr, int)); +extern void ip_test2 __P((char *, int, ip_t *, struct in_addr, int)); +extern void ip_test3 __P((char *, int, ip_t *, struct in_addr, int)); +extern void ip_test4 __P((char *, int, ip_t *, struct in_addr, int)); +extern void ip_test5 __P((char *, int, ip_t *, struct in_addr, int)); +extern void ip_test6 __P((char *, int, ip_t *, struct in_addr, int)); +extern void ip_test7 __P((char *, int, ip_t *, struct in_addr, int)); +extern int do_socket __P((char *, int, struct tcpiphdr *, struct in_addr)); + +extern int openkmem __P((void)); +extern int kmemcpy __P((char *, void *, int)); + +#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c)) diff --git a/contrib/ipfilter/ipsend/ipsend.sed b/contrib/ipfilter/ipsend/ipsend.sed new file mode 100644 index 0000000..774c0e2 --- /dev/null +++ b/contrib/ipfilter/ipsend/ipsend.sed @@ -0,0 +1,3 @@ +0. ,..+CVS0 +.cvsignore044arp.c0 Crashable0Makefile0arp.c0 +dlcommon.c0dltest.h0in_var.h0ip.c0ip_compat.h0ip_var.h0 diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c index 75c4f16..8313559 100644 --- a/contrib/ipfilter/ipsend/ipsopt.c +++ b/contrib/ipfilter/ipsend/ipsopt.c @@ -18,6 +18,16 @@ static char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed"; #include <netinet/ip.h> #include "ip_compat.h" + +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif + + struct ipopt_names { int on_value; int on_bit; @@ -49,6 +59,10 @@ struct ipopt_names secnames[] = { }; +u_short seclevel __P((char *)); +u_long optname __P((char *, char *)); + + u_short seclevel(slevel) char *slevel; { diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c index c5d48fa..00b51fb 100644 --- a/contrib/ipfilter/ipsend/iptest.c +++ b/contrib/ipfilter/ipsend/iptest.c @@ -34,23 +34,16 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed"; #include <netinet/ip_icmp.h> #ifndef linux #include <netinet/ip_var.h> -#include <netinet/tcpip.h> #endif -#include "ip_compat.h" #ifdef linux #include <linux/sockios.h> -#include "tcpip.h" #endif -#include "ipt.h" +#include "ipsend.h" extern char *optarg; extern int optind; -extern int initdevice(), resolve(); -extern int ip_test1(), ip_test2(), ip_test3(), ip_test4(), ip_test5(); -extern int ip_test6(), ip_test7(); - char options[68]; #ifdef linux char default_device[] = "eth0"; @@ -70,9 +63,12 @@ char default_device[] = "lan0"; # endif #endif +static void usage __P((char *)); +int main __P((int, char **)); + -void usage(prog) -char *prog; +static void usage(prog) +char *prog; { fprintf(stderr, "Usage: %s [options] dest\n\ \toptions:\n\ @@ -94,8 +90,8 @@ char *prog; int main(argc, argv) -int argc; -char **argv; +int argc; +char **argv; { struct tcpiphdr *ti; struct in_addr gwip; @@ -191,19 +187,26 @@ char **argv; switch (tests) { case 1 : - return ip_test1(dev, mtu, ti, gwip, pointtest); + ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; case 2 : - return ip_test2(dev, mtu, ti, gwip, pointtest); + ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; case 3 : - return ip_test3(dev, mtu, ti, gwip, pointtest); + ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; case 4 : - return ip_test4(dev, mtu, ti, gwip, pointtest); + ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; case 5 : - return ip_test5(dev, mtu, ti, gwip, pointtest); + ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; case 6 : - return ip_test6(dev, mtu, ti, gwip, pointtest); + ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; case 7 : - return ip_test7(dev, mtu, ti, gwip, pointtest); + ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest); + break; default : break; } diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index b9da7b2..4de99c4 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -52,23 +52,15 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed"; #include <netinet/in_pcb.h> #include <netinet/tcp_timer.h> #include <netinet/tcp_var.h> -#include "ip_compat.h" -#ifdef linux -#include "tcpip.h" -#else -#include <netinet/tcpip.h> # if defined(__SVR4) || defined(__svr4__) #include <sys/sysmacros.h> # endif -#endif +#include "ipsend.h" + #define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \ (void) select(0, NULL, NULL, NULL, &tv) -extern int send_ip(), send_tcp(), send_udp(), send_icmp(), send_ether(); -extern int initdevice(), kmemcpy(); -extern u_short chksum(); -extern struct tcpcb *find_tcp(); void ip_test1(dev, mtu, ip, gwip, ptest) char *dev; @@ -178,8 +170,8 @@ int ptest; for (; i < (ntohs(ip->ip_len) * 2); i++) { ip->ip_id = htons(id++); ip->ip_sum = 0; - ip->ip_sum = chksum(ip, ip->ip_hl << 2); - (void) send_ether(nfd, ip, i, gwip); + ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); + (void) send_ether(nfd, (char *)ip, i, gwip); printf("%d\r", i); fflush(stdout); PAUSE(); @@ -190,8 +182,8 @@ int ptest; ip->ip_id = htons(id++); ip->ip_len = htons(i); ip->ip_sum = 0; - ip->ip_sum = chksum(ip, ip->ip_hl << 2); - (void) send_ether(nfd, ip, len, gwip); + ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); + (void) send_ether(nfd, (char *)ip, len, gwip); printf("%d\r", i); fflush(stdout); PAUSE(); @@ -209,8 +201,8 @@ int ptest; ip->ip_id = htons(id++); ip->ip_len = htons(i); ip->ip_sum = 0; - ip->ip_sum = chksum(ip, ip->ip_hl << 2); - (void) send_ether(nfd, ip, len, gwip); + ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); + (void) send_ether(nfd, (char *)ip, len, gwip); printf("%d\r", i); fflush(stdout); PAUSE(); @@ -221,8 +213,8 @@ int ptest; for (i = len; i > 0; i--) { ip->ip_id = htons(id++); ip->ip_sum = 0; - ip->ip_sum = chksum(ip, ip->ip_hl << 2); - (void) send_ether(nfd, ip, i, gwip); + ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); + (void) send_ether(nfd, (char *)ip, i, gwip); printf("%d\r", i); fflush(stdout); PAUSE(); @@ -1043,7 +1035,7 @@ int ptest; printf("Can't find PCB\n"); goto skip_five_and_six; } - kmemcpy((char*)&tcb, (void *)t, sizeof(tcb)); + KMCPY(&tcb, t, sizeof(tcb)); ti.ti_win = tcb.rcv_adv; ti.ti_seq = tcb.snd_nxt - 1; ti.ti_ack = tcb.rcv_nxt; diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c index 89b6ab7..5cc3122 100644 --- a/contrib/ipfilter/ipsend/lsock.c +++ b/contrib/ipfilter/ipsend/lsock.c @@ -48,8 +48,7 @@ static char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed"; #if LINUX < 0103 #include <net/inet/sock.h> #endif -#include "ip_compat.h" -#include "tcpip.h" +#include "ipsend.h" int nproc; struct task_struct *proc; @@ -108,21 +107,20 @@ struct task_struct *getproc() fprintf(stderr, "nlist(%#x) == %d\n", names, n); return NULL; } - if (kmemcpy((char *)&nproc, (void *)names[1].n_value, - sizeof(nproc)) == -1) + if (KMCPY(&nproc, names[1].n_value, sizeof(nproc)) == -1) { fprintf(stderr, "read nproc (%#x)\n", names[1].n_value); return NULL; } siz = nproc * sizeof(struct task_struct *); - if (kmemcpy((char *)&v, (void *)names[0].n_value, sizeof(v)) == -1) + if (KMCPY(&v, names[0].n_value, sizeof(v)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) proc\n", names[0].n_value, &v, sizeof(v)); return NULL; } pp = (struct task_struct **)malloc(siz); - if (kmemcpy((char *)pp, (void *)v, siz) == -1) + if (KMCPY(pp, v, siz) == -1) { fprintf(stderr, "read(%#x,%#x,%d) proc\n", v, pp, siz); @@ -131,8 +129,7 @@ struct task_struct *getproc() proc = (struct task_struct *)malloc(siz); for (n = 0; n < NR_TASKS; n++) { - if (kmemcpy((char *)(proc + n), (void *)pp[n], - sizeof(*proc)) == -1) + if (KMCPY((proc + n), pp[n], sizeof(*proc)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) proc\n", pp[n], proc + n, sizeof(*proc)); @@ -167,15 +164,14 @@ struct tcpiphdr *ti; fs = p->files; o = (struct file **)calloc(1, sizeof(*o) * (fs->count + 1)); - if (kmemcpy((char *)o, (void *)fs->fd, - (fs->count + 1) * sizeof(*o)) == -1) + if (KMCPY(o, fs->fd, (fs->count + 1) * sizeof(*o)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - fd - failed\n", fs->fd, o, sizeof(*o)); return NULL; } f = (struct file *)calloc(1, sizeof(*f)); - if (kmemcpy((char *)f, (void *)o[fd], sizeof(*f)) == -1) + if (KMCPY(f, o[fd], sizeof(*f)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n", o[fd], f, sizeof(*f)); @@ -183,7 +179,7 @@ struct tcpiphdr *ti; } i = (struct inode *)calloc(1, sizeof(*i)); - if (kmemcpy((char *)i, (void *)f->f_inode, sizeof(*i)) == -1) + if (KMCPY(i, f->f_inode, sizeof(*i)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - f_inode - failed\n", f->f_inode, i, sizeof(*i)); @@ -247,7 +243,7 @@ int flags; perror("connect"); return -1; } - kmemcpy((char*)&sk, (void *)s, sizeof(sk)); + KMCPY(&sk, s, sizeof(sk)); ti->ti_win = sk.window; ti->ti_seq = sk.sent_seq - 1; ti->ti_ack = sk.rcv_ack_seq; diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index 59ed75e..84d3215 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c @@ -28,22 +28,16 @@ static char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; #include <netinet/ip_icmp.h> #ifndef linux #include <netinet/ip_var.h> -#include <netinet/tcpip.h> #include <netinet/if_ether.h> #endif -#include "ip_compat.h" -#ifdef linux -#include <linux/sockios.h> -#include "tcpip.h" -#endif -#include "ipt.h" +#include "ipsend.h" static u_char buf[65536]; /* 1 big packet */ +static void printpacket __P((ip_t *)); -extern int initdevice(), arp(), sendip(); -void printpacket(ip) +static void printpacket(ip) ip_t *ip; { tcphdr_t *t; @@ -119,7 +113,7 @@ char *datain; bcopy(ip, (char *)(eh + 1), len); printpacket(ip); - if (sendip(wfd, eh, sizeof(*eh) + len) == -1) + if (sendip(wfd, (char *)eh, sizeof(*eh) + len) == -1) { perror("send_packet"); break; diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c index 5eb9d9b..dd781ab 100644 --- a/contrib/ipfilter/ipsend/sbpf.c +++ b/contrib/ipfilter/ipsend/sbpf.c @@ -36,7 +36,7 @@ #include <netinet/udp.h> #include <netinet/udp_var.h> #include <netinet/tcp.h> -#include <netinet/tcpip.h> +#include "ipsend.h" #if !defined(lint) && defined(LIBC_SCCS) static char sbpf[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed"; diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c index eabd61e..94d71ae 100644 --- a/contrib/ipfilter/ipsend/sdlpi.c +++ b/contrib/ipfilter/ipsend/sdlpi.c @@ -36,9 +36,8 @@ #include <netinet/udp.h> #include <netinet/udp_var.h> #include <netinet/tcp.h> -#include <netinet/tcpip.h> -#include "ip_compat.h" +#include "ipsend.h" #if !defined(lint) && defined(LIBC_SCCS) static char snitid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c index 1767dfe..7e4c7bf 100644 --- a/contrib/ipfilter/ipsend/slinux.c +++ b/contrib/ipfilter/ipsend/slinux.c @@ -28,8 +28,7 @@ #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/tcp.h> -#include "ip_compat.h" -#include "tcpip.h" +#include "ipsend.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)slinux.c 1.2 8/25/95"; diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c index d022192..e738fdb 100644 --- a/contrib/ipfilter/ipsend/snit.c +++ b/contrib/ipfilter/ipsend/snit.c @@ -38,7 +38,8 @@ #include <netinet/udp.h> #include <netinet/udp_var.h> #include <netinet/tcp.h> -#include <netinet/tcpip.h> + +#include "ipsend.h" #if !defined(lint) && defined(LIBC_SCCS) static char snitid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed"; diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index 58949c5..b753426 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -53,13 +53,11 @@ static char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; #include <netinet/in_pcb.h> #include <netinet/tcp_timer.h> #include <netinet/tcp_var.h> -#include <netinet/tcpip.h> +#include "ipsend.h" int nproc; struct proc *proc; -extern int initdevice(), send_tcp(); - #ifndef KMEM # ifdef _PATH_KMEM # define KMEM _PATH_KMEM @@ -77,9 +75,17 @@ extern int initdevice(), send_tcp(); # define KERNEL "/vmunix" #endif + +#if BSD < 199103 +static struct proc *getproc __P((void)); +#else +static struct kinfo_proc *getproc __P((void)); +#endif + + int kmemcpy(buf, pos, n) char *buf; -off_t pos; +void *pos; int n; { static int kfd = -1; @@ -87,7 +93,7 @@ int n; if (kfd == -1) kfd = open(KMEM, O_RDONLY); - if (lseek(kfd, pos, SEEK_SET) == -1) + if (lseek(kfd, (off_t)pos, SEEK_SET) == -1) { perror("lseek"); return -1; @@ -107,7 +113,7 @@ struct nlist names[3] = { }; #if BSD < 199103 -struct proc *getproc() +static struct proc *getproc() { struct proc *p; pid_t pid = getpid(); @@ -119,21 +125,20 @@ struct proc *getproc() fprintf(stderr, "nlist(%#x) == %d\n", names, n); return NULL; } - if (kmemcpy((char *)&nproc, (off_t)names[1].n_value, - sizeof(nproc)) == -1) + if (KMCPY(&nproc, names[1].n_value, sizeof(nproc)) == -1) { fprintf(stderr, "read nproc (%#x)\n", names[1].n_value); return NULL; } siz = nproc * sizeof(struct proc); - if (kmemcpy((char *)&p, (off_t)names[0].n_value, sizeof(p)) == -1) + if (KMCPY(&p, names[0].n_value, sizeof(p)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) proc\n", names[0].n_value, &p, sizeof(p)); return NULL; } proc = (struct proc *)malloc(siz); - if (kmemcpy((char *)proc, (off_t)p, siz) == -1) + if (KMCPY(proc, p, siz) == -1) { fprintf(stderr, "read(%#x,%#x,%d) proc\n", p, proc, siz); @@ -167,22 +172,21 @@ struct tcpiphdr *ti; return NULL; up = (struct user *)malloc(sizeof(*up)); - if (kmemcpy((char *)up, (off_t)p->p_uarea, sizeof(*up)) == -1) + if (KMCPY(up, p->p_uarea, sizeof(*up)) == -1) { fprintf(stderr, "read(%#x,%#x) failed\n", p, p->p_uarea); return NULL; } o = (struct file **)calloc(1, sizeof(*o) * (up->u_lastfile + 1)); - if (kmemcpy((char *)o, (off_t)up->u_ofile, - (up->u_lastfile + 1) * sizeof(*o)) == -1) + if (KMCPY(o, up->u_ofile, (up->u_lastfile + 1) * sizeof(*o)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - u_ofile - failed\n", up->u_ofile_arr, o, sizeof(*o)); return NULL; } f = (struct file *)calloc(1, sizeof(*f)); - if (kmemcpy((char *)f, (off_t)o[fd], sizeof(*f)) == -1) + if (KMCPY(f, o[fd], sizeof(*f)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n", up->u_ofile_arr[fd], f, sizeof(*f)); @@ -190,7 +194,7 @@ struct tcpiphdr *ti; } s = (struct socket *)calloc(1, sizeof(*s)); - if (kmemcpy((char *)s, (off_t)f->f_data, sizeof(*s)) == -1) + if (KMCPY(s, f->f_data, sizeof(*s)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - f_data - failed\n", o[fd], s, sizeof(*s)); @@ -198,7 +202,7 @@ struct tcpiphdr *ti; } i = (struct inpcb *)calloc(1, sizeof(*i)); - if (kmemcpy((char *)i, (off_t)s->so_pcb, sizeof(*i)) == -1) + if (KMCPY(i, s->so_pcb, sizeof(*i)) == -1) { fprintf(stderr, "kvm_read(%#x,%#x,%d) - so_pcb - failed\n", s->so_pcb, i, sizeof(*i)); @@ -206,7 +210,7 @@ struct tcpiphdr *ti; } t = (struct tcpcb *)calloc(1, sizeof(*t)); - if (kmemcpy((char *)t, (off_t)i->inp_ppcb, sizeof(*t)) == -1) + if (KMCPY(t, i->inp_ppcb, sizeof(*t)) == -1) { fprintf(stderr, "read(%#x,%#x,%d) - inp_ppcb - failed\n", i->inp_ppcb, t, sizeof(*t)); @@ -215,7 +219,7 @@ struct tcpiphdr *ti; return (struct tcpcb *)i->inp_ppcb; } #else -struct kinfo_proc *getproc() +static struct kinfo_proc *getproc() { static struct kinfo_proc kp; pid_t pid = getpid(); @@ -251,7 +255,7 @@ struct tcpiphdr *ti; return NULL; fd = (struct filedesc *)malloc(sizeof(*fd)); - if (kmemcpy((char *)fd, (void *)p->kp_proc.p_fd, sizeof(*fd)) == -1) + if (KMCPY(fd, p->kp_proc.p_fd, sizeof(*fd)) == -1) { fprintf(stderr, "read(%#lx,%#lx) failed\n", (u_long)p, (u_long)p->kp_proc.p_fd); @@ -259,15 +263,14 @@ struct tcpiphdr *ti; } o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1)); - if (kmemcpy((char *)o, (void *)fd->fd_ofiles, - (fd->fd_lastfile + 1) * sizeof(*o)) == -1) + if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%d) - u_ofile - failed\n", (u_long)fd->fd_ofiles, (u_long)o, sizeof(*o)); return NULL; } f = (struct file *)calloc(1, sizeof(*f)); - if (kmemcpy((char *)f, (void *)o[tfd], sizeof(*f)) == -1) + if (KMCPY(f, o[tfd], sizeof(*f)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%d) - o[tfd] - failed\n", (u_long)o[tfd], (u_long)f, sizeof(*f)); @@ -275,7 +278,7 @@ struct tcpiphdr *ti; } s = (struct socket *)calloc(1, sizeof(*s)); - if (kmemcpy((char *)s, (void *)f->f_data, sizeof(*s)) == -1) + if (KMCPY(s, f->f_data, sizeof(*s)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%d) - f_data - failed\n", (u_long)f->f_data, (u_long)s, sizeof(*s)); @@ -283,7 +286,7 @@ struct tcpiphdr *ti; } i = (struct inpcb *)calloc(1, sizeof(*i)); - if (kmemcpy((char *)i, (void *)s->so_pcb, sizeof(*i)) == -1) + if (KMCPY(i, s->so_pcb, sizeof(*i)) == -1) { fprintf(stderr, "kvm_read(%#lx,%#lx,%d) - so_pcb - failed\n", (u_long)s->so_pcb, (u_long)i, sizeof(*i)); @@ -291,7 +294,7 @@ struct tcpiphdr *ti; } t = (struct tcpcb *)calloc(1, sizeof(*t)); - if (kmemcpy((char *)t, (void *)i->inp_ppcb, sizeof(*t)) == -1) + if (KMCPY(t, i->inp_ppcb, sizeof(*t)) == -1) { fprintf(stderr, "read(%#lx,%#lx,%d) - inp_ppcb - failed\n", (u_long)i->inp_ppcb, (u_long)t, sizeof(*t)); @@ -301,12 +304,11 @@ struct tcpiphdr *ti; } #endif /* BSD < 199301 */ -int do_socket(dev, mtu, ti, gwip, flags) +int do_socket(dev, mtu, ti, gwip) char *dev; int mtu; struct tcpiphdr *ti; struct in_addr gwip; -int flags; { struct sockaddr_in rsin, lsin; struct tcpcb *t, tcb; @@ -340,7 +342,7 @@ int flags; (void) getsockname(fd, (struct sockaddr *)&lsin, &len); ti->ti_sport = lsin.sin_port; printf("sport %d\n", ntohs(lsin.sin_port)); - nfd = initdevice(dev, ntohs(lsin.sin_port)); + nfd = initdevice(dev, ntohs(lsin.sin_port), 1); if (!(t = find_tcp(fd, ti))) return -1; @@ -356,12 +358,12 @@ int flags; perror("connect"); return -1; } - kmemcpy((char*)&tcb, (void *)t, sizeof(tcb)); + KMCPY(&tcb, t, sizeof(tcb)); ti->ti_win = tcb.rcv_adv; ti->ti_seq = tcb.snd_nxt - 1; ti->ti_ack = tcb.rcv_nxt; - if (send_tcp(nfd, mtu, ti, gwip, TH_SYN) == -1) + if (send_tcp(nfd, mtu, (ip_t *)ti, gwip) == -1) return -1; (void)write(fd, "Hello World\n", 12); sleep(2); diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c index b934c2f..1e0f3e4 100644 --- a/contrib/ipfilter/ipt.c +++ b/contrib/ipfilter/ipt.c @@ -12,6 +12,7 @@ #include <strings.h> #else #include <sys/byteorder.h> +#include <sys/file.h> #endif #include <sys/types.h> #include <sys/param.h> @@ -29,43 +30,43 @@ #include <netinet/ip_icmp.h> #include <netinet/tcpip.h> #include <net/if.h> -#include "ip_fil.h" #include <netdb.h> #include <arpa/nameser.h> #include <arpa/inet.h> #include <resolv.h> +#include <ctype.h> +#include "ip_compat.h" +#include "ip_fil.h" #include "ipf.h" #include "ipt.h" -#include <ctype.h> #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: ipt.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: ipt.c,v 2.0.2.4 1997/04/02 12:23:30 darrenr Exp $"; #endif -extern int fr_check(); extern char *optarg; -extern struct frentry *ipfilter[2][2]; -extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; -extern void debug(), verbose(); - -struct frentry *ft_in = NULL, *ft_out = NULL; +extern struct frentry *ipfilter[2][2]; +extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; +extern struct ifnet *get_unit __P((char *)); +extern void init_ifp __P((void)); int opts = 0; +int main __P((int, char *[])); int main(argc,argv) int argc; char *argv[]; { struct ipread *r = &iptext; - struct frentry *f; struct ip *ip; u_long buf[64]; + struct ifnet *ifp; char c; char *rules = NULL, *datain = NULL, *iface = NULL; int fd, i, dir = 0; - while ((c = getopt(argc, argv, "bdEHi:I:Pr:STvX")) != -1) + while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) switch (c) { case 'b' : @@ -80,6 +81,9 @@ char *argv[]; case 'I' : iface = optarg; break; + case 'o' : + opts |= OPT_SAVEOUT; + break; case 'r' : rules = optarg; break; @@ -145,23 +149,18 @@ char *argv[]; if (!(fr = parse(line))) continue; - f = (struct frentry *)malloc(sizeof(*f)); - if (fr->fr_flags & FR_INQUE) { - if (!ft_in) - ft_in = ipfilter[0][0] = f; - else - ft_in->fr_next = f, ft_in = f; - } else if (fr->fr_flags & FR_OUTQUE) { - if (!ft_out) - ft_out = ipfilter[1][0] = f; - else - ft_out->fr_next = f, ft_out = f; - } - bcopy((char *)fr, (char *)f, sizeof(*fr)); + /* fake an `ioctl' call :) */ + i = iplioctl(0, SIOCADDFR, (caddr_t)fr, FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(SIOCADDFR,%x,1) = %d\n", i); } (void)fclose(fp); } + if (opts & OPT_SAVEOUT) + init_ifp(); + if (datain) fd = (*r->r_open)(datain); else @@ -171,10 +170,12 @@ char *argv[]; exit(-1); ip = (struct ip *)buf; - while ((i = (*r->r_readip)(buf, sizeof(buf), &iface, &dir)) > 0) { + while ((i = (*r->r_readip)((char *)buf, sizeof(buf), + &iface, &dir)) > 0) { + ifp = iface ? get_unit(iface) : NULL; ip->ip_off = ntohs(ip->ip_off); ip->ip_len = ntohs(ip->ip_len); - switch (fr_check(ip, ip->ip_hl << 2, iface, dir)) + switch (fr_check(ip, ip->ip_hl << 2, ifp, dir, (char *)buf)) { case -1 : (void)printf("block"); @@ -188,9 +189,11 @@ char *argv[]; } if (!(opts & OPT_BRIEF)) { putchar(' '); - printpacket(buf); + printpacket((struct ip *)buf); printf("--------------"); } + if (dir && ifp && ip->ip_v) + (*ifp->if_output)(ifp, (void *)buf, NULL, 0); putchar('\n'); dir = 0; } diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h index be481ca..e91190b 100644 --- a/contrib/ipfilter/ipt.h +++ b/contrib/ipfilter/ipt.h @@ -4,13 +4,22 @@ * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: ipt.h,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $ + * $Id: ipt.h,v 2.0.2.4 1997/03/27 13:45:23 darrenr Exp $ */ #include <fcntl.h> +#ifdef __STDC__ +#include <stdarg.h> +#else +#include <varargs.h> +#endif + struct ipread { - int (*r_open)(); - int (*r_close)(); - int (*r_readip)(); + int (*r_open) __P((char *)); + int (*r_close) __P((void)); + int (*r_readip) __P((char *, int, char **, int *)); }; + +extern void debug __P((char *, ...)); +extern void verbose __P((char *, ...)); diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c index 3334580..33b6595 100644 --- a/contrib/ipfilter/kmem.c +++ b/contrib/ipfilter/kmem.c @@ -16,12 +16,11 @@ #include <unistd.h> #include <fcntl.h> #include <sys/file.h> - -#define KMEM "/dev/kmem" +#include "kmem.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static char rcsid[] = "$Id: kmem.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: kmem.c,v 2.0.2.3 1997/03/10 08:10:37 darrenr Exp $"; #endif static int kmemfd = -1; diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h index 18c1c23..38d6430 100644 --- a/contrib/ipfilter/kmem.h +++ b/contrib/ipfilter/kmem.h @@ -4,9 +4,18 @@ * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: kmem.h,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $ + * $Id: kmem.h,v 2.0.2.3 1997/03/10 08:10:38 darrenr Exp $ */ -extern int openkmem(); -extern int kmemcpy(); +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif +extern int openkmem __P((void)); +extern int kmemcpy __P((char *, long, int)); + +#define KMEM "/dev/kmem" diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h index f4d3bda..3f28724 100644 --- a/contrib/ipfilter/linux.h +++ b/contrib/ipfilter/linux.h @@ -7,7 +7,7 @@ * responsibility and is not changed in any way. * * I hate legaleese, don't you ? - * $Id: linux.h,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $ + * $Id: linux.h,v 2.0.2.2 1997/02/23 10:38:08 darrenr Exp $ */ #include <linux/config.h> diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4 index ff17f4f..ebeaceb 100644 --- a/contrib/ipfilter/man/ipf.4 +++ b/contrib/ipfilter/man/ipf.4 @@ -99,9 +99,8 @@ Flags which are recognised in fr_pass: FR_INACTIVE 0x02000 FR_QUICK 0x04000 /* quick-match and return */ FR_FASTROUTE 0x08000 - FR_CALLFUNC 0x10000 - FR_CALLNOW 0x20000 - FR_DUP 0x40000 /* duplicate the packet (not Solaris2) + FR_CALLNOW 0x10000 + FR_DUP 0x20000 /* duplicate the packet (not Solaris2) .fi .PP diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5 new file mode 100644 index 0000000..03a87a5 --- /dev/null +++ b/contrib/ipfilter/man/ipfilter.5 @@ -0,0 +1,7 @@ +.TH IPFILTER 1 +.SH NAME +IP FIlter +.SH DESCRIPTION +.PP +.SH SEE ALSO +ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5) diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 11ac23a..e793352 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -4,7 +4,7 @@ ipmon \- monitors /dev/ipl for logged packets .SH SYNOPSIS .B ipmon [ -.B \-sfN +.B \-asfnSN ] [ <filename> ] @@ -38,13 +38,22 @@ than pass or block. \- packets which have been logged and which can be considered "short". .TP +.B \-a +Open all of the device logfiles for reading log entries from. +.TP .B \-f Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero. .TP -.B \-N +.B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. +.TP +.B \-N +Treat the logfile as being composed of NAT log records. +.TP +.B \-S +Treat the logfile as being composed of state log records. .SH DIAGNOSTICS \fBipmon\fP expects data that it reads to be consistant with how it should be saved and will abort if it fails an assertion which detects an anomoly in the diff --git a/contrib/ipfilter/man/man.sed b/contrib/ipfilter/man/man.sed new file mode 100644 index 0000000..0be8dab --- /dev/null +++ b/contrib/ipfilter/man/man.sed @@ -0,0 +1 @@ +DF. ..CVSD~MakefileDipf.1Dipf.4Dipf.5D diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c index dc6e92c..c0e415c 100644 --- a/contrib/ipfilter/misc.c +++ b/contrib/ipfilter/misc.c @@ -30,20 +30,19 @@ #include <netinet/ip_icmp.h> #include <netinet/tcpip.h> #include <net/if.h> -#include "ip_fil.h" #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> +#include "ip_compat.h" +#include "ip_fil.h" #include "ipf.h" #include "ipt.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: misc.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: misc.c,v 2.0.2.5 1997/03/31 10:05:36 darrenr Exp $"; #endif -void debug(), verbose(); - extern int opts; @@ -69,17 +68,35 @@ struct ip *ip; } -void verbose(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9) -char *fmt, *p1, *p2, *p3, *p4, *p5, *p6, *p7,*p8,*p9; +#ifdef __STDC__ +void verbose(char *fmt, ...) +#else +void verbose(fmt, va_alist) +char *fmt; +va_dcl +#endif { + va_list pvar; + + va_start(pvar, fmt); if (opts & OPT_VERBOSE) - printf(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9); + vprintf(fmt, pvar); + va_end(pvar); } -void debug(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9) -char *fmt, *p1, *p2, *p3, *p4, *p5, *p6, *p7,*p8,*p9; +#ifdef __STDC__ +void debug(char *fmt, ...) +#else +void debug(fmt, va_alist) +char *fmt; +va_dcl +#endif { + va_list pvar; + + va_start(pvar, fmt); if (opts & OPT_DEBUG) - printf(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9); + vprintf(fmt, pvar); + va_end(pvar); } diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c index 08a9c36..068a9ff 100644 --- a/contrib/ipfilter/mln_ipl.c +++ b/contrib/ipfilter/mln_ipl.c @@ -24,8 +24,18 @@ #if defined(__FreeBSD__) && (__FreeBSD__ > 1) # include <osreldate.h> +# ifdef IPFILTER_LKM +# define ACTUALLY_LKM_NOT_KERNEL +# endif #endif #include <sys/systm.h> +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) +# include <sys/conf.h> +# include <sys/kernel.h> +# ifdef DEVFS +# include <sys/devfsext.h> +# endif /*DEVFS*/ +#endif #include <sys/conf.h> #include <sys/file.h> #include <sys/stat.h> @@ -39,22 +49,30 @@ #include <sys/exec.h> #include <sys/mbuf.h> #if defined(__NetBSD__) || (defined(__FreeBSD_version) && \ - (__FreeBSD_version >= 199607)) + (__FreeBSD_version >= 199511)) #include <net/if.h> #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> +#include <net/route.h> +#include <netinet/ip_var.h> +#include <netinet/tcp.h> +#include <netinet/tcpip.h> #endif #ifndef __NetBSD__ #include <sys/sysent.h> #endif #include <sys/lkm.h> #include "ipl.h" +#include "ip_compat.h" #include "ip_fil.h" #ifndef IPL_NAME #define IPL_NAME "/dev/ipl" #endif +#define IPL_NAT "/dev/ipnat" +#define IPL_STATE "/dev/ipstate" + #if !defined(VOP_LEASE) && defined(LEASE_CHECK) #define VOP_LEASE LEASE_CHECK #endif @@ -63,28 +81,30 @@ #define MIN(a,b) (((a)<(b))?(a):(b)) #endif -extern int lkmenodev(), lkmexists(), lkmdispatch(); +extern int lkmenodev __P((void)); + -extern int iplattach(), iplopen(), iplclose(), iplioctl(), ipldetach(); #ifdef NETBSD_PF #include <net/pfil.h> #endif -#ifdef IPFILTER_LOG -extern int iplread(); -#else -#ifdef NETBSD_PF -#define iplread enodev -#else -#define iplread nodev -#endif +#ifndef IPFILTER_LOG +# ifdef NETBSD_PF +# define iplread enodev +# else +# define iplread nodev +# endif #endif -extern int iplidentify(); #ifdef NETBSD_PF int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL; #endif -static int ipl_unload(), ipl_load(); +static int ipl_unload __P((void)); +static int ipl_load __P((void)); +static int ipl_remove __P((void)); +int xxxinit __P((struct lkm_table *, int, int)); + + #if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \ (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511)) struct cdevsw ipldevsw = @@ -116,20 +136,33 @@ struct cdevsw ipldevsw = NULL /* strategy */ }; #endif -static struct cdevsw cdev_sav; + +#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) int ipl_major = 0; MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw); -extern int vd_unuseddev(); extern struct cdevsw cdevsw[]; +extern int vd_unuseddev __P((void)); extern int nchrdev; +#else +int ipl_major = CDEV_MAJOR; + +static struct cdevsw ipl_cdevsw = { + iplopen, iplclose, iplread, nowrite, /* 79 */ + iplioctl, nostop, noreset, nodevtotty, + noselect, nommap, nostrategy, "ipl", + NULL, -1 +}; +#endif + + static int iplaction(lkmtp, cmd) struct lkm_table *lkmtp; int cmd; { - int i; + int i = ipl_major; struct lkm_dev *args = lkmtp->private.lkm_dev; int err = 0; @@ -139,6 +172,7 @@ int cmd; if (lkmexists(lkmtp)) return EEXIST; +#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) for (i = 0; i < nchrdev; i++) if (cdevsw[i].d_open == lkmenodev || cdevsw[i].d_open == iplopen) @@ -150,8 +184,10 @@ int cmd; ipl_major = i; args->lkm_offset = i; /* slot in cdevsw[] */ +#endif printf("IP Filter: loaded into slot %d\n", ipl_major); return ipl_load(); + break; case LKM_E_UNLOAD : printf("IP Filter: unloaded from slot %d\n", ipl_major); return ipl_unload(); @@ -165,7 +201,7 @@ int cmd; } -static int ipl_remove() +static int ipl_remove __P((void)) { struct nameidata nd; int error; @@ -176,13 +212,29 @@ static int ipl_remove() VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); VOP_LOCK(nd.ni_vp); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); - return VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); + (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); + + NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, IPL_NAT, curproc); + if ((error = namei(&nd))) + return (error); + VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); + VOP_LOCK(nd.ni_vp); + VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); + (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); + + NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, IPL_STATE, curproc); + if ((error = namei(&nd))) + return (error); + VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); + VOP_LOCK(nd.ni_vp); + VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); + (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); } static int ipl_unload() { - int error; + int error = 0; error = ipldetach(); #ifdef NETBSD_PF @@ -198,7 +250,7 @@ static int ipl_load() { struct nameidata nd; struct vattr vattr; - int error, fmode = S_IFCHR|0600; + int error = 0, fmode = S_IFCHR|0600; error = iplattach(); #ifdef NETBSD_PF @@ -207,7 +259,7 @@ static int ipl_load() if (error) return error; (void) ipl_remove(); - error = 0; + NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, IPL_NAME, curproc); if (error = namei(&nd)) return error; @@ -225,13 +277,98 @@ static int ipl_load() vattr.va_mode = (fmode & 07777); vattr.va_rdev = ipl_major<<8; VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); - return VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); + error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); + if (error) + return error; + + NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, IPL_NAT, curproc); + if (error = namei(&nd)) + return error; + if (nd.ni_vp != NULL) { + VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd); + if (nd.ni_dvp == nd.ni_vp) + vrele(nd.ni_dvp); + else + vput(nd.ni_dvp); + vrele(nd.ni_vp); + return (EEXIST); + } + VATTR_NULL(&vattr); + vattr.va_type = VCHR; + vattr.va_mode = (fmode & 07777); + vattr.va_rdev = (ipl_major<<8)|1; + VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); + error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); + if (error) + return error; + + NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, IPL_STATE, curproc); + if (error = namei(&nd)) + return error; + if (nd.ni_vp != NULL) { + VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd); + if (nd.ni_dvp == nd.ni_vp) + vrele(nd.ni_dvp); + else + vput(nd.ni_dvp); + vrele(nd.ni_vp); + return (EEXIST); + } + VATTR_NULL(&vattr); + vattr.va_type = VCHR; + vattr.va_mode = (fmode & 07777); + vattr.va_rdev = (ipl_major<<8)|2; + VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); + error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); + if (error) + return error; + return 0; } +#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000) int xxxinit(lkmtp, cmd, ver) struct lkm_table *lkmtp; int cmd, ver; { DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); } +#else +#include <sys/exec.h> +#include <sys/sysent.h> + +MOD_DECL(if_ipl); + +static struct lkm_dev _module = { + LM_DEV, + LKM_VERSION, + IPL_VERSION, + CDEV_MAJOR, + LM_DT_CHAR, + (void *)&ipl_cdevsw +}; + +int if_ipl(lkmtp, cmd, ver) +struct lkm_table *lkmtp; +int cmd, ver; +{ + DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); +} + +/* +static ipl_devsw_installed = 0; + +static void ipl_drvinit __P((void *unused)) +{ + dev_t dev; + + if( ! ipl_devsw_installed ) { + dev = makedev(CDEV_MAJOR,0); + cdevsw_add(&dev, &ipl_cdevsw,NULL); + ipl_devsw_installed = 1; + } +} + +SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL) +*/ +#endif /* __FreeBSD__ */ diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c index 22e2db9..ba89346 100644 --- a/contrib/ipfilter/mls_ipl.c +++ b/contrib/ipfilter/mls_ipl.c @@ -27,25 +27,40 @@ # include <sun/openprom.h> #endif #include "ipl.h" +#include "ip_compat.h" + #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: mls_ipl.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: mls_ipl.c,v 2.0.2.3 1997/03/27 13:45:26 darrenr Exp $"; #endif #ifndef IPL_NAME #define IPL_NAME "/dev/ipl" #endif - -extern int iplattach(), iplopen(), iplclose(), iplioctl(), ipldetach(); +#define IPL_NAT "/dev/ipnat" +#define IPL_STATE "/dev/ipstate" + +extern int iplattach __P((void)); +extern int iplopen __P((void)); +extern int iplclose __P((void)); +extern int iplioctl __P((void)); +extern int ipldetach __P((void)); #ifdef IPFILTER_LOG -extern int iplread(); +extern int iplread __P((void)); #else #define iplread nulldev #endif -extern int nulldev(), iplidentify(), errno; +extern int nulldev __P((void)); +extern int iplidentify __P((void)); +extern int errno; + +extern int nodev __P((void)); + +static int unload __P((void)); +static int ipl_attach __P((void)); +int xxxinit __P((u_int, struct vddrv *, caddr_t, struct vdstat *)); -static int unload(), ipl_attach(); struct cdevsw ipldevsw = { @@ -111,27 +126,41 @@ struct vdldrv vd = }; #endif /* sun4m */ -extern int vd_unuseddev(); +extern int vd_unuseddev __P((void)); extern struct cdevsw cdevsw[]; extern int nchrdev; -xxxinit(fc, vdp, vdi, vds) +xxxinit(fc, vdp, data, vds) u_int fc; struct vddrv *vdp; -caddr_t vdi; +caddr_t data; struct vdstat *vds; { + struct vdioctl_load *vdi = (struct vdioctl_load *)data; + switch (fc) { case VDLOAD: - while (ipl_major < nchrdev && - cdevsw[ipl_major].d_open != vd_unuseddev) - ipl_major++; - if (ipl_major == nchrdev) - return ENODEV; - vd.Drv_charmajor = ipl_major; + { + struct vdconf *vdc; + if (vdi && vdi->vdi_userconf) + for (vdc = vdi->vdi_userconf; vdc->vdc_type; vdc++) + if (vdc->vdc_type == VDCCHARMAJOR) { + ipl_major = vdc->vdc_data; + break; + } + + if (!ipl_major) { + while (ipl_major < nchrdev && + cdevsw[ipl_major].d_open != vd_unuseddev) + ipl_major++; + if (ipl_major == nchrdev) + return ENODEV; + } vdp->vdd_vdtab = (struct vdlinkage *)&vd; + vd.Drv_charmajor = ipl_major; return ipl_attach(); + } case VDUNLOAD: return unload(); case VDSTAT: @@ -170,5 +199,25 @@ static int ipl_attach() error = vn_create(IPL_NAME, UIO_SYSSPACE, &vattr, EXCL, 0, &vp); if (error == 0) VN_RELE(vp); + + (void) vn_remove(IPL_NAT, UIO_SYSSPACE, FILE); + vattr_null(&vattr); + vattr.va_type = MFTOVT(fmode); + vattr.va_mode = (fmode & 07777); + vattr.va_rdev = (ipl_major<<8)|1; + + error = vn_create(IPL_NAT, UIO_SYSSPACE, &vattr, EXCL, 0, &vp); + if (error == 0) + VN_RELE(vp); + + (void) vn_remove(IPL_STATE, UIO_SYSSPACE, FILE); + vattr_null(&vattr); + vattr.va_type = MFTOVT(fmode); + vattr.va_mode = (fmode & 07777); + vattr.va_rdev = (ipl_major<<8)|2; + + error = vn_create(IPL_STATE, UIO_SYSSPACE, &vattr, EXCL, 0, &vp); + if (error == 0) + VN_RELE(vp); return error; } diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c index 4576b55..e52f7bc 100644 --- a/contrib/ipfilter/opt.c +++ b/contrib/ipfilter/opt.c @@ -22,7 +22,7 @@ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: opt.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; +static char rcsid[] = "$Id: opt.c,v 2.0.2.3 1997/03/10 08:10:40 darrenr Exp $"; #endif extern int opts; @@ -63,6 +63,7 @@ struct ipopt_names secclass[] = { { 0, 0, 0, NULL } /* must be last */ }; +static u_char seclevel __P((char *)); static u_char seclevel(slevel) char *slevel; diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 0236053..432fb99 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -23,30 +23,41 @@ #include <netinet/ip.h> #include <netinet/tcp.h> #include <net/if.h> -#include "ip_fil.h" #include <netdb.h> #include <arpa/nameser.h> #include <arpa/inet.h> #include <resolv.h> -#include "ipf.h" #include <ctype.h> +#include "ip_compat.h" +#include "ip_fil.h" +#include "ipf.h" #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: parse.c,v 2.0.1.2 1997/02/17 13:59:44 darrenr Exp $"; +static char rcsid[] = "$Id: parse.c,v 2.0.2.5 1997/03/31 10:05:38 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; extern int opts; -extern int gethostname(); -u_long hostnum(), optname(); -u_short portnum(); -u_char tcp_flags(); -struct frentry *parse(); -void binprint(), printfr(); -int addicmp(), extras(), hostmask(), ports(), icmpcode(), addkeep(); -int to_interface(); +u_short portnum __P((char *)); +u_char tcp_flags __P((char *, u_char *)); +int addicmp __P((char ***, struct frentry *)); +int extras __P((char ***, struct frentry *)); +char ***seg; +u_long *sa, *msk; +u_short *pp, *tp; +u_char *cp; + +int hostmask __P((char ***, u_long *, u_long *, u_short *, u_char *, + u_short *)); +int ports __P((char ***, u_short *, u_char *, u_short *)); +int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *)); +int to_interface __P((frdest_t *, char *)); +void print_toif __P((char *, frdest_t *)); +void optprint __P((u_short, u_short, u_long, u_long)); +int countbits __P((u_long)); +char *portname __P((int, int)); char *proto = NULL; @@ -100,7 +111,7 @@ char *line; cpp = cps; if (**cpp == '@') - fil.fr_hits = atoi(*cpp++ + 1) + 1; + fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1; if (!strcasecmp("block", *cpp)) { fil.fr_flags = FR_BLOCK; @@ -143,8 +154,10 @@ char *line; } cpp++; - if (!strcasecmp("in", *cpp)) { + if (!strcasecmp("in", *cpp)) fil.fr_flags |= FR_INQUE; + else if (!strcasecmp("out", *cpp)) { + fil.fr_flags |= FR_OUTQUE; if (fil.fr_flags & FR_RETICMP) { (void)fprintf(stderr, "Can only use return-icmp with 'in'\n"); @@ -154,9 +167,7 @@ char *line; "Can only use return-rst with 'in'\n"); return NULL; } - } else if (!strcasecmp("out", *cpp)) - fil.fr_flags |= FR_OUTQUE; - else { + } else { (void)fprintf(stderr, "missing 'in'/'out' keyword (%s)\n", *cpp); return NULL; @@ -314,8 +325,9 @@ char *line; return NULL; } ch = 0; - if (hostmask(&cpp, &fil.fr_src, &fil.fr_smsk, - &fil.fr_sport, &ch, &fil.fr_stop)) { + if (hostmask(&cpp, (u_long *)&fil.fr_src, + (u_long *)&fil.fr_smsk, &fil.fr_sport, &ch, + &fil.fr_stop)) { (void)fprintf(stderr, "bad host (%s)\n", *cpp); return NULL; } @@ -338,8 +350,9 @@ char *line; return NULL; } ch = 0; - if (hostmask(&cpp, &fil.fr_dst, &fil.fr_dmsk, - &fil.fr_dport, &ch, &fil.fr_dtop)) { + if (hostmask(&cpp, (u_long *)&fil.fr_dst, + (u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch, + &fil.fr_dtop)) { (void)fprintf(stderr, "bad host (%s)\n", *cpp); return NULL; } @@ -870,6 +883,9 @@ u_long optmsk, optbits; (!secmsk && !secbits)) { printf("%s%s", s, io->on_name); s = ","; + if (io->on_value == + IPOPT_SECURITY) + io++; } else io++; } @@ -925,8 +941,11 @@ struct frentry *fp; if (!strcasecmp(*t, **cp)) break; } - if (i == -1) + if (i == -1) { + (void)fprintf(stderr, + "Invalid icmp-type (%s) specified\n", **cp); return -1; + } } fp->fr_icmp = (u_short)(i << 8); fp->fr_icmpm = (u_short)0xff00; diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h index c909297..1eee3c6 100644 --- a/contrib/ipfilter/pcap.h +++ b/contrib/ipfilter/pcap.h @@ -4,7 +4,7 @@ * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: pcap.h,v 2.0.1.1 1997/01/09 15:14:45 darrenr Exp $ + * $Id: pcap.h,v 2.0.2.2 1997/02/23 10:38:17 darrenr Exp $ */ /* * This header file is constructed to match the version described by diff --git a/contrib/ipfilter/relay.c b/contrib/ipfilter/relay.c index 9a181a1..d6acd10 100644 --- a/contrib/ipfilter/relay.c +++ b/contrib/ipfilter/relay.c @@ -9,6 +9,7 @@ #include <stdio.h> #include <fcntl.h> #include <sys/types.h> +#include <sys/time.h> #include <sys/errno.h> #include <sys/syslog.h> #include <sys/ioctl.h> diff --git a/contrib/ipfilter/rules/rules.sed b/contrib/ipfilter/rules/rules.sed new file mode 100644 index 0000000..050d9b6 --- /dev/null +++ b/contrib/ipfilter/rules/rules.sed @@ -0,0 +1,5 @@ +W. ..'&CVSW example.1W +example.10W +example.11W +example.12W +example.13W example.2W example.3W example.4W example.5W example.6W example.7W example.8W example.9W diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h index fdebcef..e257be5 100644 --- a/contrib/ipfilter/snoop.h +++ b/contrib/ipfilter/snoop.h @@ -8,7 +8,7 @@ /* * written to comply with the RFC (1761) from Sun. - * $Id: snoop.h,v 2.0.1.1 1997/01/09 15:14:45 darrenr Exp $ + * $Id: snoop.h,v 2.0.2.2 1997/02/23 10:38:19 darrenr Exp $ */ struct snoophdr { char s_id[8]; diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index 73db28f..8f158fc 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "$Id: solaris.c,v 2.0.1.4 1997/02/08 06:38:30 darrenr Exp $"; +#pragma ident "$Id: solaris.c,v 2.0.2.3 1997/03/27 13:45:28 darrenr Exp $"; #include <sys/systm.h> #include <sys/types.h> @@ -39,20 +39,19 @@ #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> -#include "ipl.h" -#include "ip_fil.h" -#include "ip_compat.h" #include <sys/ddi.h> #include <sys/sunddi.h> -#include <inet/ip_ire.h> +#include "ip_compat.h" +#include "ipl.h" +#include "ip_fil.h" char _depends_on[] = "drv/ip"; -extern int iplopen(), iplclose(), iplread(), iplioctl(); -extern int iplattach(), ipldetach(); -extern void copyout_mblk(), copyin_mblk(); +extern void copyout_mblk __P((mblk_t *, int, char *, int)); +extern void copyin_mblk __P((mblk_t *, int, char *, int)); -int solattach(), soldetach(); +int solattach __P((void)); +int soldetach __P((void)); extern struct filterstats frstats[]; extern kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex; @@ -60,8 +59,22 @@ extern int fr_flags; static qif_t *qif_head = NULL; -static int ipl_getinfo(), ipl_probe(), ipl_identify(), ipl_attach(); -static int ipl_detach(); +static int ipl_getinfo __P((dev_info_t *, ddi_info_cmd_t, + void *, void **)); +static int ipl_probe __P((dev_info_t *)); +static int ipl_identify __P((dev_info_t *)); +static int ipl_attach __P((dev_info_t *, ddi_attach_cmd_t)); +static int ipl_detach __P((dev_info_t *, ddi_detach_cmd_t)); +static qif_t *qif_from_queue __P((queue_t *)); +static int fr_qin __P((queue_t *, mblk_t *)); +static int fr_qout __P((queue_t *, mblk_t *)); +static void fr_donotip __P((int, qif_t *, queue_t *, mblk_t *, + mblk_t *, ip_t *, int)); +void printire __P((ire_t *)); +int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **, + fr_info_t *, frdest_t *)); +int fr_precheck __P((mblk_t **, queue_t *, qif_t *, int)); + static struct cb_ops ipl_cb_ops = { iplopen, @@ -149,7 +162,9 @@ static int ipl_identify(dev_info_t *dip) } -static int ipl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd) +static int ipl_attach(dip, cmd) +dev_info_t *dip; +ddi_attach_cmd_t cmd; { int instance; @@ -167,6 +182,16 @@ static int ipl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd) ddi_remove_minor_node(dip, NULL); goto attach_failed; } + if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, instance, + DDI_PSEUDO, 1) == DDI_FAILURE) { + ddi_remove_minor_node(dip, NULL); + goto attach_failed; + } + if (ddi_create_minor_node(dip, "ipstate", S_IFCHR, instance, + DDI_PSEUDO, 2) == DDI_FAILURE) { + ddi_remove_minor_node(dip, NULL); + goto attach_failed; + } ipf_dev_info = dip; sync(); /* @@ -249,7 +274,7 @@ void *arg, **result; /* * find the filter structure setup for this queue */ -qif_t *qif_from_queue(q) +static qif_t *qif_from_queue(q) queue_t *q; { qif_t *qif; @@ -380,7 +405,7 @@ tryagain: */ if (!OK_32PTR(ip)) { len = MIN(mlen, sizeof(ip_t)); - copyout_mblk(m, 0, lbuf, len); + copyout_mblk(m, 0, (char *)lbuf, len); frstats[out].fr_pull[0]++; ip = (ip_t *)lbuf; } else @@ -426,7 +451,7 @@ tryagain: if ((hlen > len)) { len = MIN(hlen, sizeof(lbuf)); len = MIN(mlen, len); - copyout_mblk(m, 0, lbuf, len); + copyout_mblk(m, 0, (char *)lbuf, len); frstats[out].fr_pull[0]++; ip = (ip_t *)lbuf; } @@ -450,7 +475,8 @@ tryagain: qif->qf_m = m; qif->qf_len = len; - err = fr_check(ip, iphlen, qif->qf_ill, out, qif, q, mp); + err = fr_check(ip, iphlen, (struct ifnet *)qif->qf_ill, out, qif, + q, mp); /* * Copy back the ip header data if it was changed, we haven't yet * freed the message and we aren't going to drop the packet. @@ -463,7 +489,7 @@ tryagain: #endif if (err == 1) { if (*mp && (ip == (ip_t *)lbuf)) { - copyin_mblk(m, 0, lbuf, len); + copyin_mblk(m, 0, (char *)lbuf, len); frstats[out].fr_pull[1]++; } err = 0; @@ -473,11 +499,11 @@ tryagain: } -int fr_qin(q, mb) +static int fr_qin(q, mb) queue_t *q; mblk_t *mb; { - int (*pnext)(), type, synced = 0; + int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0; qif_t qfb, *qif; again: @@ -543,11 +569,11 @@ again: } -int fr_qout(q, mb) +static int fr_qout(q, mb) queue_t *q; mblk_t *mb; { - int (*pnext)(), type, synced = 0; + int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0; qif_t qfb, *qif; again: @@ -658,7 +684,7 @@ int solattach() il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp, out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo); #endif - qif = (qif_t *)KMALLOC(sizeof(*qif)); + KMALLOC(qif, qif_t *, sizeof(*qif)); if (in->q_qinfo->qi_putp == fr_qin) { for (qf2 = qif_head; qf2; qf2 = qf2->qf_next) @@ -845,7 +871,7 @@ int soldetach() } -printire(ire) +void printire(ire) ire_t *ire; { printf("ire: ll_hdr_mp %x rfq %x stq %x src_addr %x max_frag %d\n", @@ -897,7 +923,7 @@ frdest_t *fdp; #endif if (ip != (ip_t *)mb->b_rptr) { - copyin_mblk(mb, 0, ip, qf->qf_len); + copyin_mblk(mb, 0, (char *)ip, qf->qf_len); frstats[fin->fin_out].fr_pull[1]++; } diff --git a/contrib/ipfilter/test/expected/expected.sed b/contrib/ipfilter/test/expected/expected.sed new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/contrib/ipfilter/test/expected/expected.sed diff --git a/contrib/ipfilter/test/input/input.sed b/contrib/ipfilter/test/input/input.sed new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/contrib/ipfilter/test/input/input.sed diff --git a/contrib/ipfilter/test/regress/regress.sed b/contrib/ipfilter/test/regress/regress.sed new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/contrib/ipfilter/test/regress/regress.sed diff --git a/contrib/ipfilter/test/test.sed b/contrib/ipfilter/test/test.sed new file mode 100644 index 0000000..3ce0cb1 --- /dev/null +++ b/contrib/ipfilter/test/test.sed @@ -0,0 +1,6 @@ + . ..0CVSGexpected0inputDG$regress + +.cvsignore +!Makefile +"dotest +#hextest diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo index f1664c0..3914bef 100644 --- a/contrib/ipfilter/todo +++ b/contrib/ipfilter/todo @@ -1,4 +1,6 @@ * automatically use the interface's IP# for NAT rather than any specific IP# + - Done. Use "0/32" as destination address/mask. Uses first interface IP# + set for an interface. * use fr_tcpstate() with NAT code for increased NAT usage security or even fr_checkstate() @@ -17,3 +19,9 @@ time permitting: * modular application proxying * invesitgate making logging better + +* add reverse nat (similar to rdr) to map addresses going in both directions + +* add 'tail' switch to ipmon + (this might just be some changes to rdr). In 1:1 relationships maybe make + it an option. |