210 files changed, 20241 insertions, 4360 deletions
diff --git a/contrib/ipfilter/BNF b/contrib/ipfilter/BNF index 15c14fb..a30c743 100644 --- a/contrib/ipfilter/BNF +++ b/contrib/ipfilter/BNF @@ -11,9 +11,9 @@ proto = "proto" protocol . ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] . group = [ "head" decnumber ] [ "group" decnumber ] . -block = "block" [ "return-icmp"[return-code] | "return-rst" ] . +block = "block" [ icmp [return-code] | "return-rst" ] . auth = "auth" | "preauth" . -log = "log" [ "body" ] [ "first" ] [ "or-block" ] . +log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . @@ -22,6 +22,8 @@ protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" object "to" object . +icmp = "return-icmp" | "return-icmp-as-dest" . +loglevel = facility"."priority | priority . object = addr [ port-comp | port-range ] . addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . port-comp = "port" compare port-num . @@ -55,6 +57,12 @@ icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" | optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" . +facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" | + "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" | + "audit" | "logalert" | "local0" | "local1" | "local2" | + "local3" | "local4" | "local5" | "local6" | "local7" . +priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" | + "info" | "debug" . hexnumber = "0" "x" hexstring . hexstring = hexdigit [ hexstring ] . diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile new file mode 100644 index 0000000..7718a81 --- /dev/null +++ b/contrib/ipfilter/BSD/Makefile 
@@ -0,0 +1,213 @@ +# +# Copyright (C) 1993-1998 by Darren Reed. +# +# Redistribution and use in source and binary forms are permitted +# provided that this notice is preserved and due credit is given +# to the original author and the contributors. +# +BINDEST=/usr/sbin +SBINDEST=/sbin +MANDIR=/usr/share/man +CC=cc -Wall -Wuninitialized -Wstrict-prototypes -Werror -O +CFLAGS=-g -I$(TOP) +# +# For NetBSD/FreeBSD +# +DEVFS!=/usr/bin/lsvfs 2>&1 | sed -n 's/.*devfs.*/-DDEVFS/p' +CPU!=uname -m +INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch +DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) +IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST +VNODESHDIR=/sys/kern +MLD=$(ML) vnode_if.h +ML=mln_ipl.c +IPFILC=ip_fil.c +LKM=if_ipl.o +DLKM= +MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ + 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ + "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ + "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ + "CPUDIR=$(CPUDIR)" +# +########## ########## ########## ########## ########## ########## ########## +# +CP=/bin/cp +RM=/bin/rm +CHMOD=/bin/chmod +INSTALL=install +# +MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \ + ip_auth.o ip_log.o +DFLAGS=$(IPFLKM) $(IPFLOG) $(DEF) $(DLKM) +IPF=ipf.o parse.o opt.o facpri.o +IPT=ipt.o parse.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o opt.o \ + ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \ + ip_auth_u.o ipft_hx.o ip_fil_u.o natparse.o facpri.o +FILS=fils.o parse.o kmem.o opt.o facpri.o + +build all: ipf ipfstat ipftest ipmon ipnat $(LKM) + +ipfstat: $(FILS) + $(CC) $(DEBUG) $(CFLAGS) $(FILS) -o $@ $(LIBS) + +ipf: $(IPF) + $(CC) $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS) + /bin/rm -f $(TOP)/ipf + ln -s `pwd`/ipf $(TOP) + +ipftest: $(IPT) + $(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS) + /bin/rm -f $(TOP)/ipftest + ln -s `pwd`/ipftest $(TOP) + +ipnat: ipnat.o kmem.o natparse.o + $(CC) $(DEBUG) 
$(CFLAGS) ipnat.o kmem.o natparse.o -o $@ $(LIBS) + +tests: + (cd test; make ) + +fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \ + $(TOP)/ip_compat.h $(TOP)/ip_state.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fils.c -o $@ + +fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fil.c -o $@ + +fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h + $(CC) $(DEBUG) $(CFLAGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@ + +ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipf.c -o $@ + +ipt.o: $(TOP)/ipt.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipt.c -o $@ + +misc.o: $(TOP)/misc.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/misc.c -o $@ + +opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ + +ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ + +natparse.o: $(TOP)/natparse.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@ + +ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ + $(TOP)/snoop.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ + +ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_ef.c -o $@ + +ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_td.c -o $@ + +ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@ + +ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_tx.c -o $@ + +ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_hx.c -o $@ + +ip_nat_u.o: $(TOP)/ip_nat.c 
$(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@ + +ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_nat.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@ + +ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_frag.c -o $@ + +ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_state.c -o $@ + +ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_auth.c -o $@ + +ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@ + +if_ipl.o: $(MODOBJS) + ld -r $(MODOBJS) -o $(LKM) + ${RM} -f if_ipl + +ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ + +ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ + +ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ + +ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_raudio_pxy.c \ + $(TOP)/ip_nat.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ + +ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ + $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ + +ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ + +ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ + +vnode_if.h: 
$(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src + mkdir -p ../sys + sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src + if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi + rmdir ../sys + +ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h + -/bin/rm -f vnode_if.c + $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ + +kmem.o: $(TOP)/kmem.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/kmem.c -o $@ + +parse.o: $(TOP)/parse.c $(TOP)/ip_fil.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/parse.c -o $@ + +facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/facpri.c -o $@ + +ipmon: $(TOP)/ipmon.c + $(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) + +clean: + ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ + vnode_if.h $(LKM) ioconf.h + ${MAKE} -f Makefile.ipsend ${MFLAGS} clean + -(for i in *; do \ + if [ -d $${i} -a -f $${i}/Makefile ] ; then \ + cd $${i}; (make clean); cd ..; \ + rm $${i}/Makefile $${i}/Makefile.ipsend; \ + rmdir $${i}; \ + fi \ + done) + +install: + -$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h + -$(CHMOD) 444 /usr/include/netinet/ip_fil.h + -if [ -d /lkm -a -f if_ipl.o ] ; then \ + cp if_ipl.o /lkm; \ + fi + -$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST) + -$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST) + -$(INSTALL) -cs -g wheel -m 755 -o root ipftest ipftest $(BINDEST) + -$(INSTALL) -cs -g wheel -m 755 -o root ipf ipftest $(SBINDEST) + -$(INSTALL) -cs -g wheel -m 755 -o root ipnat ipftest $(SBINDEST) + (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP)) diff --git a/contrib/ipfilter/BSD/Makefile.ipsend b/contrib/ipfilter/BSD/Makefile.ipsend new file mode 100644 index 0000000..e9c4a10 --- /dev/null +++ b/contrib/ipfilter/BSD/Makefile.ipsend 
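Review bot: Every recipe line of the `install` target except the final man-page step is `-`-prefixed, so a failed `cp` of `ip_fil.h` or a failed `$(INSTALL)` of the binaries is ignored and `make install` still exits 0 with a partial install. The last three `$(INSTALL)` lines (`ipftest ipftest $(BINDEST)`, `ipf ipftest $(SBINDEST)`, `ipnat ipftest $(SBINDEST)`) re-install ipftest, into `$(SBINDEST)` as well, and look like leftovers; the two preceding lines already cover all five programs. `tests`, the subdirectory loop in `clean` and the man-page step in `install` invoke a literal `make` instead of `$(MAKE)`, which loses `-n`/`-j` propagation; `clean` also deletes `$${i}/Makefile` from every subdirectory that has one, presumably the per-`$(CPUDIR)` copies, which deserves a comment. `build all tests clean install` should be declared `.PHONY`.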
@@ -0,0 +1,101 @@ +OBJS=ipsend.o ip.o ipsopt.o y.tab.o lex.yy.o +IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o +ROBJS=ipresend.o ip.o resend.o $(IPFTO) opt.o +TOBJS=iptest.o iptests.o ip.o +UNIXOBJS=sbpf.o sock.o 44arp.o + +CC=gcc -Wuninitialized -Wstrict-prototypes -O +CFLAGS=-g -I$(TOP) +# +MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ + 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ + "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ + "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ + "CPUDIR=$(CPUDIR)" +# +all build bsd-bpf : ipsend ipresend iptest + +y.tab.o: $(TOP)/iplang/iplang_y.y + (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) + +lex.yy.o: $(TOP)/iplang/iplang_l.l + (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) + +.c.o: + $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ + +ipsend: $(OBJS) $(UNIXOBJS) + $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll + +ipresend: $(ROBJS) $(UNIXOBJS) + $(CC) $(DEBUG) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS) + +iptest: $(TOBJS) $(UNIXOBJS) + $(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS) + +clean: + rm -rf *.o core a.out ipsend ipresend iptest + +ipsend.o: $(TOP)/ipsend/ipsend.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@ + +ipsopt.o: $(TOP)/ipsend/ipsopt.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsopt.c -o $@ + +ipresend.o: $(TOP)/ipsend/ipresend.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipresend.c -o $@ + +ip.o: $(TOP)/ipsend/ip.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ip.c -o $@ + +resend.o: $(TOP)/ipsend/resend.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/resend.c -o $@ + +ipft_sn.o: $(TOP)/ipft_sn.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ + +ipft_pc.o: $(TOP)/ipft_pc.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@ + +iptest.o: $(TOP)/ipsend/iptest.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptest.c -o $@ + +iptests.o: 
$(TOP)/ipsend/iptests.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptests.c -o $@ + +sbpf.o: $(TOP)/ipsend/sbpf.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sbpf.c -o $@ + +snit.o: $(TOP)/ipsend/snit.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/snit.c -o $@ + +sock.o: $(TOP)/ipsend/sock.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sock.c -o $@ + +arp.o: $(TOP)/ipsend/arp.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@ + +44arp.o: $(TOP)/ipsend/44arp.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/44arp.c -o $@ + +lsock.o: $(TOP)/ipsend/lsock.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/lsock.c -o $@ + +slinux.o: $(TOP)/ipsend/slinux.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/slinux.c -o $@ + +larp.o: $(TOP)/ipsend/larp.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/larp.c -o $@ + +dlcommon.o: $(TOP)/ipsend/dlcommon.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/dlcommon.c -o $@ + +sdlpi.o: $(TOP)/ipsend/sdlpi.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@ + +arp.o: $(TOP)/ipsend/arp.c + $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@ + +install: + -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST) + diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade new file mode 100644 index 0000000..2159a29 --- /dev/null +++ b/contrib/ipfilter/BSD/kupgrade 
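Review bot: `arp.o` is given the same explicit rule twice (`arp.o: $(TOP)/ipsend/arp.c`, once after `sock.o` and again after `sdlpi.o`), which make reports as overriding commands for the target; delete the second copy. `clean` uses `rm -rf` on a list of plain files where `$(RM) -f` suffices and would honour the `RM` the sibling Makefile defines. `all build bsd-bpf clean install` are command targets and should be declared `.PHONY`, and `.c.o:` is a legacy suffix rule where a `%.o: %.c` pattern rule is clearer.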
@@ -0,0 +1,26 @@ +#!/bin/sh +# +PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH + +# try to bomb out fast if anything fails.... +set -e + +argv0=`basename $0` +dir=`pwd` +karch=`uname -m` +archdir="/sys/arch/$karch" +confdir="$archdir/conf" + +echo -n "Installing " +for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_ftp_pxy.c ip_rcmd_pxy.c ip_raudio_pxy.c ; do + echo -n "$i " + cp $i /sys/netinet/ + chmod 644 /sys/netinet/$i +done +echo "" +if [ -f /sys/netinet/ip_fil_compat.h ] ; then + echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h" + rm /sys/netinet/ip_fil_compat.h + ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h +fi +exit 0 diff --git a/contrib/ipfilter/BSD/make-devices b/contrib/ipfilter/BSD/make-devices new file mode 100755 index 0000000..320bd80 --- /dev/null +++ b/contrib/ipfilter/BSD/make-devices @@ -0,0 +1,28 @@ +#!/bin/sh + +os=`uname -s`-`uname -r` + +case "$os" in + FreeBSD-2.2*) + major=79 + ;; + FreeBSD-*) + major=20 + ;; + NetBSD-*) + echo "see /dev/MAKEDEV" + exit 0 + ;; + OpenBSD-*) + echo "see /dev/MAKEDEV" + exit 0 + ;; + *) + ;; +esac + +umask 037 +mknod /dev/ipl c $major 0 +mknod /dev/ipnat c $major 1 +mknod /dev/ipstate c $major 2 +mknod /dev/ipauth c $major 3 diff --git a/contrib/ipfilter/COMPILE.2.5 b/contrib/ipfilter/COMPILE.2.5 index 45442c5..ae550f8 100644 --- a/contrib/ipfilter/COMPILE.2.5 +++ b/contrib/ipfilter/COMPILE.2.5 @@ -1,7 +1,3 @@ -If you have BOTH GNU make and the normal make shipped with your system, -DO NOT use the GNU make to build this package. If you have any errors -relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as -shipped with Solaris 2. If you get the following error whilst compiling: 
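Review bot: `argv0`, `dir`, `archdir` and `confdir` are computed but never used in kupgrade, so they read as leftovers from the csh kinstall scripts and should be dropped. Under `set -e`, a glob such as `ip_fil.[ch]` that matches nothing is passed literally to `cp`, which aborts the loop midway with some files already installed and no clear message; a `test -f "$i" || { echo "missing $i" >&2; exit 1; }` before the copy makes the failure explicit. A header comment stating that the script must be run as root from the ipfilter source directory and that it overwrites `/sys/netinet/` would also help.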
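Review bot: The `*)` case leaves `major` unset, so on an unrecognised `uname` the script still runs `mknod /dev/ipl c  0` with a malformed argument list instead of failing clearly; make the default branch `*) echo "unsupported system: $os" >&2; exit 1 ;;`. `umask 037` makes the four nodes group-readable (presumably 0640 with mknod's default mode); if exposing the filter log, NAT, state and auth devices to the wheel group is intended, a comment saying so would help, otherwise `umask 077` is the safer default. The script also does not check that it runs as root, which `mknod` requires.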
@@ -10,10 +6,6 @@ In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/ from ../ip_nat.c:15: /usr/include/sys/psw.h:19: #error Kernel include of psw.h -That means that you have a version of gcc build under on older release -of Solaris 2.x - -You need to reinstall gcc after each Solaris upgrade; gcc creates its own -set of modified system include files which are only valid for the exact -release on which gcc was build. - +Remove (comment out) the line in +/usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3include/sys/user.h +which includes psw.h diff --git a/contrib/ipfilter/COMPILE.Solaris2 b/contrib/ipfilter/COMPILE.Solaris2 new file mode 100644 index 0000000..45442c5 --- /dev/null +++ b/contrib/ipfilter/COMPILE.Solaris2 @@ -0,0 +1,19 @@ +If you have BOTH GNU make and the normal make shipped with your system, +DO NOT use the GNU make to build this package. If you have any errors +relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as +shipped with Solaris 2. + +If you get the following error whilst compiling: + +In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48, + from /usr/include/sys/file.h:15, + from ../ip_nat.c:15: +/usr/include/sys/psw.h:19: #error Kernel include of psw.h + +That means that you have a version of gcc build under on older release +of Solaris 2.x + +You need to reinstall gcc after each Solaris upgrade; gcc creates its own +set of modified system include files which are only valid for the exact +release on which gcc was build. + diff --git a/contrib/ipfilter/FWTK/ftp-gw.diff b/contrib/ipfilter/FWTK/ftp-gw.diff index 3052eba..be61342 100644 --- a/contrib/ipfilter/FWTK/ftp-gw.diff +++ b/contrib/ipfilter/FWTK/ftp-gw.diff 
@@ -4,7 +4,7 @@ *** 11,31 **** --- 11,41 ---- */ - static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.2.3 1997/06/22 07:06:02 darrenr Exp $"; + static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.1 1999/08/04 17:30:30 darrenr Exp $"; + /* + * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96 diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff index 6a5c376..69962b6 100644 --- a/contrib/ipfilter/FWTK/fwtk_transparent.diff +++ b/contrib/ipfilter/FWTK/fwtk_transparent.diff @@ -124,7 +124,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris *************** *** 11,30 **** # - # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.2.1 1997/02/23 10:38:36 darrenr Exp $" + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.1 1999/08/04 17:40:48 darrenr Exp $" # Your C compiler (eg, "cc" or "gcc") @@ -145,7 +145,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \ --- 11,34 ---- # - # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.2.1 1997/02/23 10:38:36 darrenr Exp $" + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.1 1999/08/04 17:40:48 darrenr Exp $" + # + # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c) diff --git a/contrib/ipfilter/FWTK/tproxy.diff b/contrib/ipfilter/FWTK/tproxy.diff new file mode 100644 index 0000000..234404b --- /dev/null +++ b/contrib/ipfilter/FWTK/tproxy.diff 
@@ -0,0 +1,82 @@ +*** tproxy.c.orig Fri Dec 20 10:53:24 1996 +--- tproxy.c Sun Jan 3 11:33:55 1999 +*************** +*** 135,140 **** +--- 135,144 ---- + #include <netinet/in.h> + #include <sys/signal.h> + #include <syslog.h> ++ #include <unistd.h> ++ #include <fcntl.h> ++ #include <sys/ioctl.h> ++ #include <net/if.h> + #include "tproxy.h" + + #ifdef AIX +*************** +*** 147,152 **** +--- 151,159 ---- + #define bzero(buf,size) memset(buf, '\0', size); + #endif /* SYSV */ + ++ #include "ip_compat.h" ++ #include "ip_fil.h" ++ #include "ip_nat.h" + + + /* socket to audio server */ +*************** +*** 324,329 **** +--- 331,369 ---- + char localbuf[2048]; + void timeout(); + extern int errno; ++ /* ++ * IP-Filter block ++ */ ++ struct sockaddr_in laddr, faddr; ++ struct natlookup natlookup; ++ int slen, natfd; ++ ++ bzero((char *)&laddr, sizeof(laddr)); ++ bzero((char *)&faddr, sizeof(faddr)); ++ slen = sizeof(laddr); ++ if (getsockname(0, (struct sockaddr *)&laddr, &slen) < 0) ++ return -1; ++ slen = sizeof(faddr); ++ if (getpeername(0, (struct sockaddr *)&faddr, &slen) < 0) ++ return -1; ++ natlookup.nl_inport = laddr.sin_port; ++ natlookup.nl_outport = faddr.sin_port; ++ natlookup.nl_inip = laddr.sin_addr; ++ natlookup.nl_outip = faddr.sin_addr; ++ natlookup.nl_flags = IPN_TCP; ++ if ((natfd = open(IPL_NAT, O_RDONLY)) < 0) ++ return -1; ++ if (ioctl(natfd, SIOCGNATL, &natlookup) == -1) { ++ syslog(LOG_ERR, "SIOCGNATL failed: %m\n"); ++ close(natfd); ++ return -1; ++ } ++ close(natfd); ++ strcpy(hostname, inet_ntoa(natlookup.nl_realip)); ++ serverport = ntohs(natlookup.nl_realport); ++ /* ++ * End of IP-Filter block ++ */ + + /* setup a timeout in case dialog doesn't finish */ + signal(SIGALRM, timeout); +*************** +*** 337,344 **** +--- 377,386 ---- + * and modify the call to (and subroutine) serverconnect() as + * appropriate. 
+ */ ++ #if 0 + strcpy(hostname, "randomhostname"); + serverport = 7070; ++ #endif + /* Can we connect to the server */ + if ( (serverfd = serverconnect(hostname, serverport)) < 0 ) { + /* errno may still be set from previous call */ diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall index 26b0e8f..94b5009 100755 --- a/contrib/ipfilter/FreeBSD-2.2/kinstall +++ b/contrib/ipfilter/FreeBSD-2.2/kinstall @@ -9,7 +9,7 @@ set confdir="$archdir/conf" if ( $dir =~ */FreeBSD* ) cd .. echo -n "Installing " foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h \ + ip_proxy.[ch] ip_{ftp,rcmd}_pxy.c mlf_ipl.c ipl.h ip_compat.h \ ip_auth.[ch] ip_log.c) echo -n "$i "; cp $i /sys/netinet diff --git a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 new file mode 100644 index 0000000..8c7b8ef --- /dev/null +++ b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 @@ -0,0 +1,24 @@ +To build a kernel with the IP filter, follow these steps: + + 1. do "make freebsd3" + + 2. do "make install-bsd" + (probably has to be done as root) + + 3. run "FreeBSD-3/kinstall" as root + + 4. build a new kernel + + 5. install the new kernel + + 6. If not using DEVFS, create devices for IP Filter as follows: + mknod /dev/ipl c 79 0 + mknod /dev/ipnat c 79 1 + mknod /dev/ipstate c 79 2 + mknod /dev/ipauth c 79 3 + + 7. reboot + + +Darren Reed +darrenr@pobox.com diff --git a/contrib/ipfilter/FreeBSD-3/kinstall b/contrib/ipfilter/FreeBSD-3/kinstall new file mode 100755 index 0000000..c77f446 --- /dev/null +++ b/contrib/ipfilter/FreeBSD-3/kinstall 
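Review bot: `natlookup` is handed to `ioctl(natfd, SIOCGNATL, &natlookup)` with only some members assigned and, unlike `laddr`/`faddr`, is never zeroed, so any member or padding the kernel reads that this code does not set carries stack garbage; add `bzero((char *)&natlookup, sizeof(natlookup));` before the assignments. `slen` is declared `int` but passed as the length argument of `getsockname`/`getpeername`, which newer systems declare as `socklen_t` — acceptable for the targets of this patch but worth a comment. A one-line comment above the block saying that the real destination is taken from the NAT table and that the former hard-coded `randomhostname`/`7070` fallback is disabled under `#if 0` would help the next reader.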
@@ -0,0 +1,46 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD* ) cd .. +echo -n "Installing " +foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ + ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \ + ip_compat.h ip_auth.[ch] ip_log.c) + echo -n "$i "; + cp $i /sys/netinet + chmod 644 /sys/netinet/$i +end +echo "" +echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h" +ln -s /usr/include/osreldate.h /sys/sys/osreldate.h + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +echo "Rewriting $newconfig..." +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} +endif +awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\ + $confdir/$newconfig.bak > $confdir/$newconfig +echo "You will now need to run config on $newconfig and build a new kernel." +exit 0 diff --git a/contrib/ipfilter/FreeBSD-3/unkinstall b/contrib/ipfilter/FreeBSD-3/unkinstall new file mode 100755 index 0000000..aa39c5b --- /dev/null +++ b/contrib/ipfilter/FreeBSD-3/unkinstall 
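Review bot: Running kinstall twice appends a second `options IPFILTER`/`options IPFILTER_LOG` pair, because the awk rewrite never checks whether the configuration already contains them; guard with `if ( { grep IPFILTER $confdir/$newconfig > /dev/null } ) then` followed by a message and `exit 0` before the `mv` to `.bak`. If neither `/sys/arch/$karch` nor `/sys/$karch` exists, `archdir` is never set and the script dies at `set confdir` with csh's undefined-variable error, which is opaque; an explicit check with a message is clearer. `config` is reassigned to `$confdir/$newconfig` when the user types a name but is never read afterwards.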
@@ -0,0 +1,44 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD* ) cd .. +echo -n "Uninstalling " +foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ + ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \ + ip_log.c mlf_ipl.c ipl.h) + echo -n "$i "; + /bin/rm -f /sys/netinet/$i +end +echo "" + +echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h" +rm /sys/sys/osreldate.h + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} +endif +egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/FreeBSD/conf.c.diffs b/contrib/ipfilter/FreeBSD/conf.c.diffs new file mode 100644 index 0000000..afd2880 --- /dev/null +++ b/contrib/ipfilter/FreeBSD/conf.c.diffs 
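Review bot: `rm /sys/sys/osreldate.h` removes whatever is at that path, not only the symlink kinstall created, so a real header would be deleted; guard it with `if ( -l /sys/sys/osreldate.h ) rm /sys/sys/osreldate.h` (tcsh's `-l`; plain csh would need `test -L`). `egrep -v IPFILTER` drops every line containing that string, including unrelated comments, which is worth a comment next to the `.bak` copy that is kept. As in kinstall, `config` is set from the user's answer but never used, and `archdir` is left undefined when neither candidate directory exists.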
@@ -0,0 +1,46 @@
+*** conf.c.orig Sun Jan 14 15:39:32 1996
+--- conf.c Sun Jan 14 15:48:21 1996
+***************
+*** 1128,1133 ****
+--- 1128,1149 ----
+ #define labpcioctl nxioctl
+ #endif
+ 
++ #ifdef IPFILTER
++ d_open_t iplopen;
++ d_close_t iplclose;
++ d_ioctl_t iplioctl;
++ # ifdef IPFILTER_LOG
++ d_read_t iplread;
++ # else
++ #define iplread nxread
++ # endif
++ #else
++ #define iplopen nxopen
++ #define iplclose nxclose
++ #define iplioctl nxioctl
++ #define iplread nxread
++ #endif
++ 
+ /* open, close, read, write, ioctl, stop, reset, ttys, select, mmap, strat */
+ struct cdevsw cdevsw[] =
+ {
+***************
+*** 1199,1206 ****
+ * Otherwise, simply use the one reserved for local use.
+ */
+ /* character device 20 is reserved for local use */
+! { nxopen, nxclose, nxread, nxwrite, /*20*/
+! nxioctl, nxstop, nxreset, nxdevtotty,/* reserved */
+ nxselect, nxmmap, NULL },
+ { psmopen, psmclose, psmread, nowrite, /*21*/
+ psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
+--- 1215,1222 ----
+ * Otherwise, simply use the one reserved for local use.
+ */
+ /* character device 20 is reserved for local use */
+! { iplopen, iplclose, iplread, nxwrite, /*20*/
+! iplioctl, nxstop, nxreset, nxdevtotty,/* reserved */
+ nxselect, nxmmap, NULL },
+ { psmopen, psmclose, psmread, nowrite, /*21*/
+ psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
diff --git a/contrib/ipfilter/FreeBSD/files.diffs b/contrib/ipfilter/FreeBSD/files.diffs
new file mode 100644
index 0000000..84893d4
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/files.diffs
@@ -0,0 +1,19 @@
+*** files.orig Sat Sep 30 18:01:55 1995
+--- files Sun Jan 14 14:32:25 1996
+***************
+*** 208,213 ****
+--- 208,221 ----
+ netinet/tcp_timer.c optional inet
+ netinet/tcp_usrreq.c optional inet
+ netinet/udp_usrreq.c optional inet
++ netinet/ip_fil.c optional ipfilter inet
++ netinet/fil.c optional ipfilter inet
++ netinet/ip_nat.c optional ipfilter inet
++ netinet/ip_frag.c optional ipfilter inet
++ netinet/ip_state.c optional ipfilter inet
++ netinet/ip_auth.c optional ipfilter inet
++ netinet/ip_proxy.c optional ipfilter inet
++ netinet/ip_log.c optional ipfilter inet
+ netiso/clnp_debug.c optional iso
+ netiso/clnp_er.c optional iso
+ netiso/clnp_frag.c optional iso
diff --git a/contrib/ipfilter/FreeBSD/files.newconf.diffs b/contrib/ipfilter/FreeBSD/files.newconf.diffs
new file mode 100644
index 0000000..cc7cf41
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/files.newconf.diffs
@@ -0,0 +1,19 @@
+*** files.newconf.orig Sun Jun 25 02:17:29 1995
+--- files.newconf Sun Jun 25 02:19:10 1995
+***************
+*** 161,166 ****
+--- 161,174 ----
+ file netinet/ip_input.c inet
+ file netinet/ip_mroute.c inet
+ file netinet/ip_output.c inet
++ file netinet/ip_fil.c ipfilter
++ file netinet/fil.c ipfilter
++ file netinet/ip_nat.c ipfilter
++ file netinet/ip_frag.c ipfilter
++ file netinet/ip_state.c ipfilter
++ file netinet/ip_proxy.c ipfilter
++ file netinet/ip_auth.c ipfilter
++ file netinet/ip_log.c ipfilter
+ file netinet/raw_ip.c inet
+ file netinet/tcp_debug.c inet
+ file netinet/tcp_input.c inet
diff --git a/contrib/ipfilter/FreeBSD/files.oldconf.diffs b/contrib/ipfilter/FreeBSD/files.oldconf.diffs
new file mode 100644
index 0000000..55b526f
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/files.oldconf.diffs
@@ -0,0 +1,19 @@
+*** files.oldconf.orig Sat Apr 29 19:59:31 1995
+--- files.oldconf Sun Apr 23 17:54:18 1995
+***************
+*** 180,185 ****
+--- 180,193 ----
+ netinet/tcp_timer.c optional inet
+ netinet/tcp_usrreq.c optional inet
+ netinet/udp_usrreq.c optional inet
++ netinet/ip_fil.c optional ipfilter requires inet
++ netinet/fil.c optional ipfilter requires inet
++ netinet/ip_nat.c optional ipfilter requires inet
++ netinet/ip_frag.c optional ipfilter requires inet
++ netinet/ip_state.c optional ipfilter requires inet
++ netinet/ip_proxy.c optional ipfilter requires inet
++ netinet/ip_auth.c optional ipfilter requires inet
++ netinet/ip_log.c optional ipfilter requires inet
+ netiso/clnp_debug.c optional iso
+ netiso/clnp_er.c optional iso
+ netiso/clnp_frag.c optional iso
diff --git a/contrib/ipfilter/FreeBSD/filez.diffs b/contrib/ipfilter/FreeBSD/filez.diffs
new file mode 100644
index 0000000..52492e8
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/filez.diffs
@@ -0,0 +1,19 @@
+*** files.orig Sat Apr 29 20:00:02 1995
+--- files Sun Apr 23 17:53:58 1995
+***************
+*** 222,227 ****
+--- 222,235 ----
+ file netinet/tcp_timer.c inet
+ file netinet/tcp_usrreq.c inet
+ file netinet/udp_usrreq.c inet
++ file netinet/ip_fil.c ipfilter
++ file netinet/fil.c ipfilter
++ file netinet/ip_nat.c ipfilter
++ file netinet/ip_frag.c ipfilter
++ file netinet/ip_state.c ipfilter
++ file netinet/ip_proxy.c ipfilter
++ file netinet/ip_auth.c ipfilter
++ file netinet/ip_log.c ipfilter
+ file netiso/clnp_debug.c iso
+ file netiso/clnp_er.c iso
+ file netiso/clnp_frag.c iso
diff --git a/contrib/ipfilter/FreeBSD/in_proto.c.diffs b/contrib/ipfilter/FreeBSD/in_proto.c.diffs
new file mode 100644
index 0000000..052dd51
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/in_proto.c.diffs
@@ -0,0 +1,16 @@
+*** in_proto.c.orig Wed Sep 6 20:31:34 1995
+--- in_proto.c Mon Mar 11 22:40:03 1996
+***************
+*** 81,86 ****
+--- 81,91 ----
+ void eoninput(), eonctlinput(), eonprotoinit();
+ #endif /* EON */
+ 
++ #ifdef IPFILTER
++ void iplinit();
++ #define ip_init iplinit
++ #endif
++ 
+ void rsvp_input(struct mbuf *, int);
+ void ipip_input(struct mbuf *, int);
+ 
diff --git a/contrib/ipfilter/FreeBSD/ip_input.c.diffs b/contrib/ipfilter/FreeBSD/ip_input.c.diffs
new file mode 100644
index 0000000..a70be89
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD/ip_input.c.diffs
@@ -0,0 +1,88 @@ +*** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996 +--- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997 +*************** +*** 93,98 **** +--- 93,102 ---- + int ipqmaxlen = IFQ_MAXLEN; + struct in_ifaddr *in_ifaddr; /* first inet address */ + struct ifqueue ipintrq; ++ #if defined(IPFILTER_LKM) || defined(IPFILTER) ++ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); ++ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); ++ #endif + + struct ipstat ipstat; + struct ipq ipq; +*************** +*** 219,226 **** + } + ip = mtod(m, struct ip *); + } +! ip->ip_sum = in_cksum(m, hlen); +! if (ip->ip_sum) { + ipstat.ips_badsum++; + goto bad; + } +--- 223,229 ---- + } + ip = mtod(m, struct ip *); + } +! if (in_cksum(m, hlen)) { + ipstat.ips_badsum++; + goto bad; + } +*************** +*** 267,272 **** +--- 270,288 ---- + goto next; + } + ++ #if defined(IPFILTER) || defined(IPFILTER_LKM) ++ /* ++ * Check if we want to allow this packet to be processed. ++ * Consider it to be bad if not. ++ */ ++ if (fr_checkp) { ++ struct mbuf *m1 = m; ++ ++ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) ++ goto next; ++ ip = mtod(m = m1, struct ip *); ++ } ++ #endif + /* + * Process options and, if not destined for us, + * ship it on. ip_dooptions returns 1 when an +*************** +*** 527,532 **** +--- 533,540 ---- + * if they are completely covered, dequeue them. + */ + while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) { ++ struct mbuf *m0; ++ + i = (ip->ip_off + ip->ip_len) - q->ip_off; + if (i < q->ip_len) { + q->ip_len -= i; +*************** +*** 526,534 **** + m_adj(dtom(q), i); + break; + } + q = q->ipf_next; +- m_freem(dtom(q->ipf_prev)); + ip_deq(q->ipf_prev); + } + + insert: +--- 542,551 ---- + m_adj(dtom(q), i); + break; + } ++ m0 = dtom(q); + q = q->ipf_next; + ip_deq(q->ipf_prev); ++ m_freem(m0); + } + + insert: 
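Review bot: The filter hook added before the option processing (`if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) goto next;`) never frees `m` itself: on a non-zero return, or when the hook leaves `m1` NULL, control jumps to `next` without an `m_freem`, so the unstated contract is that `fr_checkp` has already freed or queued the chain in those cases, and a leak or double free follows if a hook implementation gets that wrong. A comment at the call, `/* on a non-zero return or NULL *m1 the hook owns the chain and must free or requeue it */`, pins the contract down; the output hook in ip_output.c.diffs relies on the same convention and deserves the same note. The `fr_check` prototype added in the first hunk appears unused in this file, since only the `fr_checkp` pointer is ever called; if it exists for the statically linked IPFILTER case, saying so in the `#if` block would help. The ip_input loop and the reassembly loop these hunks touch both begin and end outside the hunk.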
diff --git a/contrib/ipfilter/FreeBSD/ip_output.c.diffs b/contrib/ipfilter/FreeBSD/ip_output.c.diffs new file mode 100644 index 0000000..f1fe9ac --- /dev/null +++ b/contrib/ipfilter/FreeBSD/ip_output.c.diffs @@ -0,0 +1,36 @@ +*** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996 +--- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997 +*************** +*** 65,70 **** +--- 65,74 ---- + static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *)); + static void ip_mloopback + __P((struct ifnet *, struct mbuf *, struct sockaddr_in *)); ++ #if defined(IPFILTER_LKM) || defined(IPFILTER) ++ extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); ++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); ++ #endif + + /* + * IP output. The packet in mbuf chain m contains a skeletal IP +*************** +*** 330,335 **** +--- 334,351 ---- + m->m_flags &= ~M_BCAST; + + sendit: ++ #if defined(IPFILTER) || defined(IPFILTER_LKM) ++ /* ++ * looks like most checking has been done now...do a filter check ++ */ ++ if (fr_checkp) { ++ struct mbuf *m1 = m; ++ ++ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) ++ goto done; ++ ip = mtod(m = m1, struct ip *); ++ } ++ #endif + /* + * Check with the firewall... + */ diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall new file mode 100755 index 0000000..42c2f09 --- /dev/null +++ b/contrib/ipfilter/FreeBSD/kinstall 
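Review bot: At `sendit:` the hook's non-zero return value is assigned to `error` and, through `goto done`, becomes the return value of ip_output, i.e. the errno an application sees from its send call; that makes the return convention of `fr_checkp` an errno contract, and the hunk does not document it. When the hook returns 0 but leaves `m1` NULL the packet is reported as sent successfully, the intended silent-drop case, so the two outcomes are worth spelling out at the call site: `/* non-zero: errno handed back to the caller; 0 with m1 == NULL: packet consumed, report success */`. The comment `looks like most checking has been done now...do a filter check` reads as a working note and could be replaced by that contract. The enclosing ip_output body starts and ends outside the hunk.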
@@ -0,0 +1,61 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD ) cd .. +echo -n "Installing " +foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ + ip_proxy.[ch] ip_auth.[ch] ip_{ftp,rcmd}_pxy.c ip_compat.h ip_log.c) + echo -n "$i "; + cp $i /sys/netinet + chmod 644 /sys/netinet/$i +end +echo "" +echo "Patching $archdir/$karch/conf.c" +cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch) +echo "Patching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ +(cd /sys/netinet; patch) + +if ( -f /sys/conf/files.newconf ) then + echo "Patching /sys/conf/files.newconf" + cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch) + echo "Patching /sys/conf/files" + cat FreeBSD/files.diffs | (cd /sys/conf; patch) +endif +if ( -f /sys/conf/files.oldconf ) then + echo "Patching /sys/conf/files.oldconf" + cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch) + echo "Patching /sys/conf/files" + cat FreeBSD/filez.diffs | (cd /sys/conf; patch) +endif + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +echo "Re-config'ing $newconfig..." 
+if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} +endif +awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \ + $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/FreeBSD/minstall b/contrib/ipfilter/FreeBSD/minstall new file mode 100755 index 0000000..0cfe7c3 --- /dev/null +++ b/contrib/ipfilter/FreeBSD/minstall 
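Review bot: None of the `patch` pipelines in kinstall check `$status`, so a rejected or already-applied hunk from `cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)` or the five that follow is ignored and the script still goes on to rewrite the kernel configuration as if the sources were patched; csh has no fail-fast mode, so each pipeline needs an explicit `if ( $status != 0 ) exit 1` after it. minstall, unkinstall and unminstall carry the same unchecked pipelines. The name typed at the `Kernel configuration to update` prompt is not checked for existence before `$confdir/$newconfig` is moved to `.bak` and fed to awk, so a typo leaves an empty configuration file behind; `if ( ! -f $confdir/$newconfig ) exit 1` before the `mv`, with an echo explaining why, covers it (note `config` is assigned in that branch but never read afterwards). `$archdir` is left unset when neither /sys/arch/$karch nor /sys/$karch exists, so the run dies on `set confdir="$archdir/conf"` with csh's undefined-variable error instead of a message about the missing kernel tree.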
@@ -0,0 +1,51 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD ) cd .. +echo "Patching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ +(cd /sys/netinet; patch) + +if ( -f /sys/conf/files.newconf ) then + echo "Patching /sys/conf/files.newconf" + cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch) + echo "Patching /sys/conf/files" + cat FreeBSD/files.diffs | (cd /sys/conf; patch) +endif +if ( -f /sys/conf/files.oldconf ) then + echo "Patching /sys/conf/files.oldconf" + cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch) + echo "Patching /sys/conf/files" + cat FreeBSD/filez.diffs | (cd /sys/conf; patch) +endif + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +echo "Re-config'ing $newconfig..." +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak +endif +awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM"}}' \ + $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/FreeBSD/unkinstall b/contrib/ipfilter/FreeBSD/unkinstall new file mode 100755 index 0000000..8547fcd --- /dev/null +++ b/contrib/ipfilter/FreeBSD/unkinstall 
@@ -0,0 +1,58 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD ) cd .. +echo -n "Uninstalling " +foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ + ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_log.c) + echo -n "$i "; + /bin/rm -f /sys/netinet/$i +end +echo "" +echo "Unpatching $archdir/$karch/conf.c" +cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch -R) +echo "Unpatching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ +(cd /sys/netinet; patch -R) + +if ( -f /sys/conf/files.newconf ) then + echo "Unpatching /sys/conf/files.newconf" + cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R) + echo "Unpatching /sys/conf/files" + cat FreeBSD/files.diffs | (cd /sys/conf; patch -R) +endif +if ( -f /sys/conf/files.oldconf ) then + echo "Unpatching /sys/conf/files.oldconf" + cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R) + echo "Unpatching /sys/conf/files" + cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R) +endif + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak} +endif +egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 
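Review bot: The `foreach` list at the top of unkinstall omits `ip_rcmd_pxy.c`, which kinstall installs into /sys/netinet through its `ip_{ftp,rcmd}_pxy.c` entry, so one filter source is left behind after an uninstall; changing the entry to `ip_{ftp,rcmd}_pxy.c` here keeps the two scripts in step. The final `egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig` removes every line that merely contains the word, comments included, rather than the `options IPFILTER` line kinstall inserted; anchoring the pattern, e.g. `egrep -v '^options.*IPFILTER'`, limits it to option lines. unminstall's closing `grep -v IPFILTER` has the same reach.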
diff --git a/contrib/ipfilter/FreeBSD/unminstall b/contrib/ipfilter/FreeBSD/unminstall new file mode 100755 index 0000000..a25746c --- /dev/null +++ b/contrib/ipfilter/FreeBSD/unminstall @@ -0,0 +1,49 @@ +#!/bin/csh -f +# +set dir=`pwd` +set karch=`uname -m` +if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch" +if ( -d /sys/$karch ) set archdir="/sys/$karch" +set confdir="$archdir/conf" + +if ( $dir =~ */FreeBSD ) cd .. +echo "Unpatching ip_input.c, ip_output.c and in_proto.c" +cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ +(cd /sys/netinet; patch -R) + +if ( -f /sys/conf/files.newconf ) then + echo "Unpatching /sys/conf/files.newconf" + cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R) + echo "Unpatching /sys/conf/files" + cat FreeBSD/files.diffs | (cd /sys/conf; patch -R) +endif +if ( -f /sys/conf/files.oldconf ) then + echo "Unpatching /sys/conf/files.oldconf" + cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R) + echo "Unpatching /sys/conf/files" + cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R) +endif + +set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` +echo -n "Kernel configuration to update [$config] " +set newconfig=$< +if ( "$newconfig" != "" ) then + set config="$confdir/$newconfig" +else + set newconfig=$config +endif +if ( -f $confdir/$newconfig ) then + mv $confdir/$newconfig $confdir/$newconfig.bak +endif +if ( -d $archdir/../compile/$newconfig ) then + set bak=".bak" + set dot=0 + while ( -d $archdir/../compile/${newconfig}.${bak} ) + set bak=".bak.$dot" + set dot=`expr 1 + $dot` + end + mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak +endif +grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig +echo 'You will now need to run "config" and build a new kernel.' +exit 0 diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 50711ea..cc5dba7 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -2,15 +2,295 @@ # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. # -# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the -# loan of a machine to work on a Solaris 2.x port of this software. +# Thanks to the Coombs Computing Unit at the ANU for their continued support +# in providing a very available location for the IP Filter home page and +# distribution center. +# +# Thanks to Tel.Net Media for allowing me to maintain and further develop +# IP Filter as part of my job and supplying Sun equipment for testing the +# move to 64bits. # # Thanks to BSDI for providing object files for BSD/OS 3.1 and the means # to further support development of IP Filter under BSDI. # +# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the +# loan of a machine to work on a Solaris 2.x port of this software. +# # Thanks also to all those who have contributed patches and other code, # and especially those who have found the time to port IP Filter to new # platforms. +# +3.3.3 22/10/1999 - Released + +add -g command line option to ipfstat to show groups still define. + +fix problem with fragment table not recording rule pointer when called +from state functions (fin_fr not set). + +fixup fastroute problems with keep state rules. 
+ +load rules into inactive set first, so we don't disable things like NIS +lookups half way through processing - found by Kevin Littlejohn + +fix handling of unaligned ip pointer for solaris + +patch for fr_newauth from Rudi Sluijtman + +fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short + +3.3.2 23/09/1999 - Released + +patches from Scott Presnell to fix rcmd proxy + +patches from Greg to fix Solaris detachment of interfaces + +add openbsd compatibility fixes + +fix free'ing already freed memory in ipfr_slowtimer() + +fix for deferencing invalid memory in cleaning up after a device disappears + +3.3.1 14/8/1999 - Released + +remove include file sys/user.h for irix + +prevent people from running buildsunos directly + +fix up some problems with the saving of rule pointers so that NAT saves +that information in case it should need to call fr_addstate() from a proxy. + +fix up scanning for the end of FTP messages + +don't remove /etc/opt/ipf in postremove + +attempt to prevent people running buildsolaris script without doing a +"make solaris" + +fix timeout losing on freebsd3 + +3.3 7/8/1999 - Released + +NAT: information (rules, mappings) are stored in hash tables; setup some +basic NAT regression testing. + +display version name of installed kernel code when initializing. + +add -V command line option to ipf, showing version (program and kernel +module) as well as the run-status of the kernel code. + +fix problem with "log" rules actually affecting result of filtering. + +automatically use SUNWspro if available and on a 64bit Solaris system for +compiling. + +add kernel proxies for rcmd(3) and RealAudio (PNA) + +use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking +ip_slowtimo + +fix IP headers generated through parsing of text information + +fix NAT rules to be in the correct order again. + +make keep-state work with to/fastroute keywords and enforce usage of those +interfaces. 
+ +update keep-state code with new algorithm from Guido + +add FreeBSD-3 support + +add return-icmp-as-dest option to retrun an ICMP packet using the original +destination as the source rather than a local IP address + +add "level [facility.]<priority>" option to filter language + +add changes from Guido to state code. + +add code to return EPERM if the device is opened for writing and we're +in securelevel 2 or greater. + +authentication code patches from Guido + +fix real audio proxy + +fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon +log output. + +fix bimap rules with hash tables + +update addresses used in NAT mappings for 0/32 rules for any protocol but TCP +if it changes on the interface - check every ip_natexpire() + +add redirect regression test + +count buckets used in the state hash table. + +fix sending of RST's with return-rst to use the ack number provided in +the packet being replied to in addition to the sequence number. + +fix to compile as a 64bit application on solaris7-64bit + +add NAT IP mapping to ranges of IP addresses that aren't CIDR specified + +fix calculation of in_space parameter for NAT + +fix `wrapping' when incrementing the next ip address for use in NAT + +fix free'ing of kernel memory in ip_natunload on solaris + +fix -l/-U command line options from interfering with each other + +fix fastroute under solaris2 and cleanup compilation for solaris7 + +add install scripts and compile cleanly on BSD/OS 4.0 + +safely open files in /tmp for writing device output when testing. + +fix uninitialized pointer bug in NAT + +fix SIOCZRLST (zero list rule stats) bug with groups + +change some usage of u_short to u_int in function calling + +fix compilation for Solaris7 (SUNWspro) + +change solaris makefiles to build for either sparc or i386 rather than +per-cpu (sun4u, etc). 
+ +fixed bug in ipllog + +add patches from George Michaelson for FreeBSD 3.0 + +add patch from Guido to provide ICMP checking for known state in the same +manner as is done for NAT. + +enable FTP PASV proxying and enable wildcarding in NAT/state code for ports +for better PORT/PASV support with FTP. + +bring into main tree static nat features: map-block and "auto" portmapping. + +add in source host filtering for redirects (alan jones) + +3.2.10 22/11/98 - Released + +3.2.10beta9 17/11/98 - Released + +fix fr_tcpsum problems in handling mbufs with an odd number of bytes +and/or split across an mbuf boundary + +fix NAT list entry comparisons and allow multiple entries for the same +proxy (but on different ports). + +don't create duplicate NAT entries for repeated PORT commands. + +3.2.10beta8 14/11/98 - Released + +always exit an rwlock before expecting to enter it again on solaris + +fix loop in nat_new for pre-existing nat + +don't setup state for an ftp connection if creating nat fails. + +3.2.10beta7 05/11/98 - Released + +set fake window in ipft_tx.c to ensure code passes tests. + +cleaned up/enhanced ipnat -l/ipnat -lv output + +fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. + +Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather +than mutexes. + +3.2.10beta6 03/11/98 - Released + +fix mixed use of krwlock_t and kmutex_t on Solaris2 + +fix FTP proxy back up, splitting pasv code out of port code. 
+ +3.2.10beta5 02/11/98 - Released + +fixed port translation in ICMP reply handling + +3.2.10beta4 01/11/98 - Released + +increase useful statistic collection on solaris + +filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris + +disable PASV reply translation for now + +fail with an error if we try to load a NAT rule with a non-existant + proxy name - Guido + +fix portmap usage with 0/0 and 0/32 map rules + +remove ap_unload/ap_expire - automatically done when NAT is cleaned up + +print "STATE:CLOSED" from ipmon if the connection progresses past established + rather than "STATE:EXPIRED" + +3.2.10beta3 26/10/98 - Released + +fixed traceroute/nat problem + +rewrote nat/proxy interface + +ipnat now lists associated proxy sessions for each NAT where applicable + +3.2.10beta2 13/10/98 - Released + +use KRWLOCK_T in place of krwlock_t for solaris as well as irix + +disable use of read-write lock acquisition by default + +add in mb_t for linux, non-kernel + +some changes to progress compilation on linux with glibc + +change PASV as well as PORT when passed through kernel ftp proxy. + +don't allow window to become 0 in tcp state code + +make ipmon compile cleaner + +irix patches + +3.2.10beta 11/09/98 - Released + +stop fr_tcpsum() thinking it has run out of data when it hasn't. + +stop solaris panics due to fin_dp being something wild. + +revisit usage of ATOMIC_*() + +log closing state of TCP connection in "keep state" + +fix fake-arp table code for ipsend. + +ipmon now writes pid to a file. + +fix "ipmon -a" to actually activate all logging devices. + +add patches for BSDOS4. + +perl scripts for log analysis donated. + +3.2.9 22/06/98 - Released + +fix byte order for ICMP packets generated on Solaris + +fix some locking problems. + +fix malloc bug in NAT (introduced in 3.2.8). + +patch from guido for state connections that get fragmented + +3.2.8 08/06/98 - Released + +use readers/writers locks in Solaris2 in place of some mutexes. 
+ +Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 3.2.7 24/05/98 - Released diff --git a/contrib/ipfilter/INSTALL.BSDOS b/contrib/ipfilter/INSTALL.BSDOS new file mode 100644 index 0000000..17d9602 --- /dev/null +++ b/contrib/ipfilter/INSTALL.BSDOS @@ -0,0 +1,35 @@ + +BSD/OS users. +------------- + +First, you need to build IP Filter. Do this from the "ip_fil3.2.x" +directory with the command "make bsdos". If this completes successfully, +install the various bits and pieces with "make install-bsd". + +Prior to starting, it is a good idea for you to know what your kernel config +file is (it appears that the script guesses incorrectly at present). + +Once you have that in mind, run the 'kinstall' script in the correct +BSDOS3 or BSDOS4 directory. This will attempt to patch a bunch of files +or install the relevant .o files if you don't have kernel source. +It will also go and install all the IP Filter .c and .h files where they +can be find when it comes time to build the kernel. + +The script will then pause and ask you for your kernel configuration +file. After you enter this, it will add "options IPFILTER" to your +kernel configuration file. IF YOU WANT TO DO LOGGING, ADD +"options IPFILTER_LOG" to your kernel configuration file NOW! + +Now that you've got your kernel configuration file done, use config +to setup a new kernel build and complete with make. + +When the kernel rebuilt is complete, put it into / and reboot with +your new kernel. If IP Filter has been configured into your kernel +correctly, you will see a message like this when your system boots: + +IP Filter: initialized. Default = pass all, Logging = enabled + +Upon logging in, the IP Filter commands ipfstat, et al, should all +function properly. + +Darren diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD index 3f0a885..66ad297 100644 --- a/contrib/ipfilter/INSTALL.FreeBSD +++ b/contrib/ipfilter/INSTALL.FreeBSD 
@@ -1,5 +1,7 @@ -*** IF you are using FreeBSD 2.2 or later, see the file "INST.FreeBSD-2.2" *** +*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" *** +*** IF you are using FreeBSD 3 or later, see the file "INST.FreeBSD-3" *** +*** in the "FreeBSD-3" directory *** To build a kernel for use with the loadable kernel module, follow these diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2 index cc66007..5ba84b9 100644 --- a/contrib/ipfilter/INSTALL.Sol2 +++ b/contrib/ipfilter/INSTALL.Sol2 @@ -1,8 +1,9 @@ -For those running Solaris 2.5, please read COMPILE.2.5 before building -IP Filter. +For those running Solaris 2.5 or later, please read COMPILE.2.5 before +building IP Filter. -Type "make solaris" to build all the required binaries. +Type "make solaris" to build all the required binaries. DO NOT USE THE +GNU make!!! Once IP Filter has been successfully compiled, you may then install it using the usual package method (using pkgadd), however, the package needs to be diff --git a/contrib/ipfilter/LICENCE b/contrib/ipfilter/LICENCE index 63430af..903e886 100644 --- a/contrib/ipfilter/LICENCE +++ b/contrib/ipfilter/LICENCE @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * The author accepts no responsibility for the use of this software and * provides it on an ``as is'' basis without express or implied warranty. diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index 6554095..a71aa57 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile 
@@ -1,18 +1,18 @@ # -# Copyright (C) 1993-1997 by Darren Reed. +# Copyright (C) 1993-1998 by Darren Reed. # # Redistribution and use in source and binary forms are permitted # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $ +# $Id: Makefile,v 2.2 1999/08/04 17:29:52 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin MANDIR=/usr/local/man #To test prototyping -#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror -CC=gcc +CC=gcc -Wstrict-prototypes -Wmissing-prototypes +#CC=gcc #CC=cc -Dconst= DEBUG=-g CFLAGS=-I$$(TOP) @@ -39,11 +39,12 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0 # POLICY=-DIPF_DEFAULT_PASS=FR_PASS # -MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ - 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ +MFLAGS1="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ + 'CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2)' \ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" +MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)" # SHELL=/bin/sh # @@ -58,11 +59,12 @@ INSTALL=install all: @echo "Chose one of the following targets for making IP filter:" @echo "" - @echo "solaris - auto-selects SunOS4.1.x/Solaris 2.[45]/Solaris2.[45]-x86" + @echo "solaris - auto-selects SunOS4.1.x/Solaris 2.3-6/Solaris2.4-6x86" @echo "netbsd - compile for NetBSD" @echo "openbsd - compile for OpenBSD" @echo "freebsd - compile for FreeBSD 2.0, 2.1 or earlier" @echo "freebsd22 - compile for FreeBSD-2.2 or greater" + @echo "freebsd3 - compile for FreeBSD-3.x" @echo "bsd - compile for generic 4.4BSD systems" @echo "bsdi - compile for BSD/OS" @echo "irix - compile for SGI IRIX" 
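Review bot: The warning options are now folded into the compiler variable, `CC=gcc -Wstrict-prototypes -Wmissing-prototypes`, so a user who overrides the compiler with `make CC=cc` silently loses them and anything that expects `$(CC)` to be a bare compiler gets a mixed value; keeping `CC=gcc` and carrying the flags separately, e.g. `WARNFLAGS=-Wstrict-prototypes -Wmissing-prototypes` appended to `CFLAGS`, is the conventional split. The `#CC=gcc` line left behind is dead configuration and can go. In the third hunk the help text still says `freebsd22 - compile for FreeBSD-2.2 or greater` directly above the new `freebsd3 - compile for FreeBSD-3.x` entry, which contradicts it; `freebsd22 - compile for FreeBSD-2.2.x` would match the wording the same commit puts in INSTALL.FreeBSD.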
@@ -74,9 +76,8 @@ tests: else echo test directory not present, sorry; fi include: - if [ ! -d netinet -o ! -f netinet/done ] ; then \ - mkdir -p netinet; \ - (cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .); \ + if [ ! -f netinet/done ] ; then \ + (cd netinet; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .; ln -s ../ip_rcmd_pxy.c .; ln -s ../ip_raudio_pxy.c .); \ (cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \ touch netinet/done; \ fi @@ -84,12 +85,12 @@ include: sunos solaris: include ./buildsunos -freebsd22 freebsd30: include +freebsd22: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" -rm -f BSD/$(CPUDIR)/ioconf.h @if [ -n $(IPFILKERN) ] ; then \ - if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ] ; then \ - ln -s /sys/$(IPFILKERN)/compile/ioconf.h BSD/$(CPUDIR); \ + if [ -f /sys/compile/$(IPFILKERN)/ioconf.h ] ; then \ + ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \ else \ ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \ fi \ @@ -102,6 +103,11 @@ freebsd22 freebsd30: include fi make freebsd +freebsd3 freebsd30: include + make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" + (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" LKM= ; cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..) + netbsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..) @@ -146,10 +152,9 @@ setup: -ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile -ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend -clean: - ${RM} -rf netinet +clean: clean-include ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \ - vnode_if.h $(LKM) + vnode_if.h $(LKM) *~ if [ "`uname -s`" = "SunOS" ]; then (cd SunOS4; make clean); fi if [ "`uname -s`" = "SunOS" ]; then (cd SunOS5; make clean); fi (cd BSD; make clean) 
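Review bot: The `include` target no longer creates `netinet` (the `mkdir -p netinet` goes away together with the `! -d netinet` test) while its recipe still chains with `;`, so if the directory is missing `cd netinet` fails and the following `ln -s ../*.h .` runs in the top-level directory, planting dangling `../*.h` symlinks there; either keep the `mkdir -p netinet` or write `(cd netinet && ln -s ../*.h . && ln -s ../ip_ftp_pxy.c . ...)`. The new `freebsd3 freebsd30` target, like the `freebsd22` recipe above it, invokes `make` literally instead of `$(MAKE)`, which drops `-n`, the jobserver and command-line variables from the sub-make; `(cd BSD/$(CPUDIR) && $(MAKE) build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" LKM=)` is the usual form, and the trailing `; cd ..` inside a subshell does nothing. `clean: clean-include` now leaves an empty `netinet` directory where `clean` used to remove it, which looks intentional given the `include` change but is worth a comment on the target.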
@@ -158,19 +163,23 @@ clean: [ -d test ] && (cd test; make clean) (cd ipsend; make clean) -clean-bsd: +clean-include: + sh -c 'cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done' + ${RM} -f netinet/done + +clean-bsd: clean-include (cd BSD; make clean) -clean-sunos4: +clean-sunos4: clean-include (cd SunOS4; make clean) -clean-sunos5: +clean-sunos5: clean-include (cd SunOS5; make clean) -clean-irix: +clean-irix: clean-include (cd IRIX; make clean) -clean-linux: +clean-linux: clean-include (cd Linux; make clean) get: diff --git a/contrib/ipfilter/UPGRADE_NOTICE b/contrib/ipfilter/UPGRADE_NOTICE new file mode 100644 index 0000000..8b44760 --- /dev/null +++ b/contrib/ipfilter/UPGRADE_NOTICE @@ -0,0 +1,10 @@ + +NOTE: To all those upgrading from versions prior to 3.2.11 who used NAT + AND setup ACL's to allow untranslated address through from outside, + + THIS HAS BEEN FIXED + + so your ACL's will now be `broken'. Please correct your ACL's to + match the the untranslated addresses (the way it was meant to work). + +Darren diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos index ed8a034..fa2474e 100755 --- a/contrib/ipfilter/buildsunos +++ b/contrib/ipfilter/buildsunos 
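Review bot: `clean-include` runs `sh -c 'cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done'`; with `;` after the `cd`, a missing `netinet` directory leaves the loop running in the source root, where it would remove any symlinks the rest of the build leaves there. `cd netinet || exit 0` (or `&&`) confines it, and quoting `"$$i"` guards the test against odd filenames. It is the same `cd …;` pattern as in the `include` recipe of the previous hunk.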
@@ -1,24 +1,49 @@ #! /bin/sh -# $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $ +if [ ! -f netinet/done ] ; then + echo "Do NOT run this script directly, do 'make solaris'!" + exit 1 +fi +# $Id: buildsunos,v 2.1.2.1 1999/08/08 13:55:20 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` -cpu=`uname -m` -cpudir=${cpu}-`uname -r` +if [ -d /usr/ccs/bin ] ; then + PATH=/usr/ccs/bin:${PATH} +fi if [ $rev = 5 ] ; then + cpu=`uname -p` + cpudir=${cpu}-`uname -r` solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'` - mkdir -p SunOS5/${cpudir} + if [ ! -d SunOS5/${cpudir} -a ! -h SunOS5/${cpudir} ] ; then + mkdir -p SunOS5/${cpudir} + fi /bin/rm -f SunOS5/${cpudir}/Makefile /bin/rm -f SunOS5/${cpudir}/Makefile.ipsend - ln -s ../Makefile SunOS5/${cpudir}/Makefile - ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend + ln -s `pwd`/SunOS5/Makefile SunOS5/${cpudir}/Makefile + ln -s `pwd`/SunOS5/Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend + ARCHINC= + XARCH= + if [ -d /opt/SUNWspro/bin ] ; then + CC="/opt/SUNWspro/bin/cc ${CFL}" + export CC + /bin/optisa sparcv9 >/dev/null 2>&1 + if [ $? -eq 0 ] ; then + ARCHINC="-I/usr/include/v9" + XARCH="-xarch=v9 -xchip=ultra -dalign -xcode=abs32" + fi + else + CC=gcc + fi +else + cpu=`uname -m` + cpudir=${cpu}-`uname -r` fi -if [ $cpu = i86pc ] ; then - make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir} +if [ $cpu = i386 ] ; then + make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU= CPUDIR=${cpudir} CC="$CC $XARCH" XARCH="$XARCH" ARCHINC="$ARCHINC" exit $? fi if [ x$solrev = x ] ; then make ${1+"$@"} sunos$rev "ARCH=`uname -m`" exit $? fi -make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir} +make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU= CPUDIR=${cpudir} CC="$CC $XARCH" XARCH="$XARCH" ARCHINC="$ARCHINC" exit $? diff --git a/contrib/ipfilter/etc/services b/contrib/ipfilter/etc/services index 90dd07a..7afcde8 100644 
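Review bot: The 64-bit decision in the new SUNWspro branch comes from `/bin/optisa sparcv9`, which reports what the processor can execute, not whether the running kernel and libraries are 64-bit, so an UltraSPARC booted with a 32-bit kernel is still built with `-xarch=v9` and `-I/usr/include/v9`; checking the kernel's word size instead (on releases that have it, `isainfo -b`) is the safer test, and at minimum a comment on the `optisa` line should state the assumption. `CC="/opt/SUNWspro/bin/cc ${CFL}"` references `CFL`, which is never assigned in this script, so it is presumably expected from the environment; defaulting it with `CFL=${CFL-}` or documenting it next to the new guard at the top would make that explicit. `if [ $cpu = i386 ]` is unquoted, so an empty `cpu` becomes a test syntax error rather than a clear message; `"$cpu"` is cheap insurance.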
--- a/contrib/ipfilter/etc/services +++ b/contrib/ipfilter/etc/services 
@@ -1,731 +1,2535 @@ -tcpmux 1/tcp # TCP Port Service Multiplexer -tcpmux 1/udp # TCP Port Service Multiplexer -compressnet 2/tcp # Management Utility -compressnet 2/udp # Management Utility -compressnet 3/tcp # Compression Process -compressnet 3/udp # Compression Process -rje 5/tcp # Remote Job Entry -rje 5/udp # Remote Job Entry -echo 7/tcp # Echo -echo 7/udp # Echo -discard 9/tcp # Discard -discard 9/udp # Discard -systat 11/tcp # Active Users -systat 11/udp # Active Users -daytime 13/tcp # Daytime -daytime 13/udp # Daytime -qotd 17/tcp # Quote of the Day -qotd 17/udp # Quote of the Day -msp 18/tcp # Message Send Protocol -msp 18/udp # Message Send Protocol -chargen 19/tcp # Character Generator -chargen 19/udp # Character Generator -ftp-data 20/tcp # File Transfer -ftp-data 20/udp # File Transfer -ftp 21/tcp # File Transfer -ftp 21/udp # File Transfer -telnet 23/tcp # Telnet -telnet 23/udp # Telnet -smtp 25/tcp # Simple Mail Transfer -smtp 25/udp # Simple Mail Transfer -nsw-fe 27/tcp # NSW User System FE -nsw-fe 27/udp # NSW User System FE -msg-icp 29/tcp # MSG ICP -msg-icp 29/udp # MSG ICP -msg-auth 31/tcp # MSG Authentication -msg-auth 31/udp # MSG Authentication -dsp 33/tcp # Display Support Protocol -dsp 33/udp # Display Support Protocol -time 37/tcp # Time -time 37/udp # Time -rap 38/tcp # Route Access Protocol -rap 38/udp # Route Access Protocol -rlp 39/tcp # Resource Location Protocol -rlp 39/udp # Resource Location Protocol -graphics 41/tcp # Graphics -graphics 41/udp # Graphics -nameserver 42/tcp # Host Name Server -nameserver 42/udp # Host Name Server -nicname 43/tcp # Who Is -nicname 43/udp # Who Is -mpm-flags 44/tcp # MPM FLAGS Protocol -mpm-flags 44/udp # MPM FLAGS Protocol -mpm 45/tcp # Message Processing Module -mpm 45/udp # Message Processing Module -mpm-snd 46/tcp # MPM -mpm-snd 46/udp # MPM -ni-ftp 47/tcp # NI FTP -ni-ftp 47/udp # NI FTP -auditd 48/tcp # Digital Audit Daemon -auditd 48/udp # Digital Audit Daemon -re-mail-ck 50/tcp # Remote Mail 
Checking Protocol -re-mail-ck 50/udp # Remote Mail Checking Protocol -la-maint 51/tcp # IMP Logical Address Maintenance -la-maint 51/udp # IMP Logical Address Maintenance -xns-time 52/tcp # XNS Time Protocol -xns-time 52/udp # XNS Time Protocol -domain 53/tcp # Domain Name Server -domain 53/udp # Domain Name Server -xns-ch 54/tcp # XNS Clearinghouse -xns-ch 54/udp # XNS Clearinghouse -isi-gl 55/tcp # ISI Graphics Language -isi-gl 55/udp # ISI Graphics Language -xns-auth 56/tcp # XNS Authentication -xns-auth 56/udp # XNS Authentication -xns-mail 58/tcp # XNS Mail -xns-mail 58/udp # XNS Mail -ni-mail 61/tcp # NI MAIL -ni-mail 61/udp # NI MAIL -acas 62/tcp # ACA Services -acas 62/udp # ACA Services -covia 64/tcp # Communications Integrator (CI) -covia 64/udp # Communications Integrator (CI) -tacacs-ds 65/tcp # TACACS-Database Service -tacacs-ds 65/udp # TACACS-Database Service -sql*net 66/tcp # Oracle SQL*NET -sql*net 66/udp # Oracle SQL*NET -bootps 67/tcp # Bootstrap Protocol Server -bootps 67/udp # Bootstrap Protocol Server -bootpc 68/tcp # Bootstrap Protocol Client -bootpc 68/udp # Bootstrap Protocol Client -tftp 69/tcp # Trivial File Transfer -tftp 69/udp # Trivial File Transfer -gopher 70/tcp # Gopher -gopher 70/udp # Gopher -netrjs-1 71/tcp # Remote Job Service -netrjs-1 71/udp # Remote Job Service -netrjs-2 72/tcp # Remote Job Service -netrjs-2 72/udp # Remote Job Service -netrjs-3 73/tcp # Remote Job Service -netrjs-3 73/udp # Remote Job Service -netrjs-4 74/tcp # Remote Job Service -netrjs-4 74/udp # Remote Job Service -deos 76/tcp # Distributed External Object Store -deos 76/udp # Distributed External Object Store -vettcp 78/tcp # vettcp -vettcp 78/udp # vettcp -finger 79/tcp # Finger -finger 79/udp # Finger -www-http 80/tcp # World Wide Web HTTP -www-http 80/udp # World Wide Web HTTP -hosts2-ns 81/tcp # HOSTS2 Name Server -hosts2-ns 81/udp # HOSTS2 Name Server -xfer 82/tcp # XFER Utility -xfer 82/udp # XFER Utility -mit-ml-dev 83/tcp # MIT ML Device 
-mit-ml-dev 83/udp # MIT ML Device -ctf 84/tcp # Common Trace Facility -ctf 84/udp # Common Trace Facility -mit-ml-dev 85/tcp # MIT ML Device -mit-ml-dev 85/udp # MIT ML Device -mfcobol 86/tcp # Micro Focus Cobol -mfcobol 86/udp # Micro Focus Cobol -kerberos 88/tcp # Kerberos -kerberos 88/udp # Kerberos -su-mit-tg 89/tcp # SU/MIT Telnet Gateway -su-mit-tg 89/udp # SU/MIT Telnet Gateway -dnsix 90/tcp # DNSIX Securit Attribute Token Map -dnsix 90/udp # DNSIX Securit Attribute Token Map -mit-dov 91/tcp # MIT Dover Spooler -mit-dov 91/udp # MIT Dover Spooler -npp 92/tcp # Network Printing Protocol -npp 92/udp # Network Printing Protocol -dcp 93/tcp # Device Control Protocol -dcp 93/udp # Device Control Protocol -objcall 94/tcp # Tivoli Object Dispatcher -objcall 94/udp # Tivoli Object Dispatcher -supdup 95/tcp # SUPDUP -supdup 95/udp # SUPDUP -dixie 96/tcp # DIXIE Protocol Specification -dixie 96/udp # DIXIE Protocol Specification -swift-rvf 97/tcp # Swift Remote Vitural File Protocol -swift-rvf 97/udp # Swift Remote Vitural File Protocol -tacnews 98/tcp # TAC News -tacnews 98/udp # TAC News -metagram 99/tcp # Metagram Relay -metagram 99/udp # Metagram Relay -newacct 100/tcp -hostname 101/tcp # NIC Host Name Server -hostname 101/udp # NIC Host Name Server -iso-tsap 102/tcp # ISO-TSAP -iso-tsap 102/udp # ISO-TSAP -gppitnp 103/tcp # Genesis Point-to-Point Trans Net -gppitnp 103/udp # Genesis Point-to-Point Trans Net -acr-nema 104/tcp # ACR-NEMA Digital Imag. & Comm. 300 -acr-nema 104/udp # ACR-NEMA Digital Imag. & Comm. 
300 -csnet-ns 105/tcp # Mailbox Name Nameserver -csnet-ns 105/udp # Mailbox Name Nameserver -3com-tsmux 106/tcp # 3COM-TSMUX -3com-tsmux 106/udp # 3COM-TSMUX -rtelnet 107/tcp # Remote Telnet Service -rtelnet 107/udp # Remote Telnet Service -snagas 108/tcp # SNA Gateway Access Server -snagas 108/udp # SNA Gateway Access Server -pop2 109/tcp # Post Office Protocol - Version 2 -pop2 109/udp # Post Office Protocol - Version 2 -pop3 110/tcp # Post Office Protocol - Version 3 -pop3 110/udp # Post Office Protocol - Version 3 -sunrpc 111/tcp # SUN Remote Procedure Call -sunrpc 111/udp # SUN Remote Procedure Call -mcidas 112/tcp # McIDAS Data Transmission Protocol -mcidas 112/udp # McIDAS Data Transmission Protocol -auth 113/tcp # Authentication Service -auth 113/udp # Authentication Service -audionews 114/tcp # Audio News Multicast -audionews 114/udp # Audio News Multicast -sftp 115/tcp # Simple File Transfer Protocol -sftp 115/udp # Simple File Transfer Protocol -ansanotify 116/tcp # ANSA REX Notify -ansanotify 116/udp # ANSA REX Notify -uucp-path 117/tcp # UUCP Path Service -uucp-path 117/udp # UUCP Path Service -sqlserv 118/tcp # SQL Services -sqlserv 118/udp # SQL Services -nntp 119/tcp # Network News Transfer Protocol -nntp 119/udp # Network News Transfer Protocol -cfdptkt 120/tcp # CFDPTKT -cfdptkt 120/udp # CFDPTKT -erpc 121/tcp # Encore Expedited Remote Pro.Call -erpc 121/udp # Encore Expedited Remote Pro.Call -smakynet 122/tcp # SMAKYNET -smakynet 122/udp # SMAKYNET -ntp 123/tcp # Network Time Protocol -ntp 123/udp # Network Time Protocol -ansatrader 124/tcp # ANSA REX Trader -ansatrader 124/udp # ANSA REX Trader -locus-map 125/tcp # Locus PC-Interface Net Map Ser -locus-map 125/udp # Locus PC-Interface Net Map Ser -unitary 126/tcp # Unisys Unitary Login -unitary 126/udp # Unisys Unitary Login -locus-con 127/tcp # Locus PC-Interface Conn Server -locus-con 127/udp # Locus PC-Interface Conn Server -gss-xlicen 128/tcp # GSS X License Verification -gss-xlicen 128/udp 
# GSS X License Verification -pwdgen 129/tcp # Password Generator Protocol -pwdgen 129/udp # Password Generator Protocol -cisco-fna 130/tcp # cisco FNATIVE -cisco-fna 130/udp # cisco FNATIVE -cisco-tna 131/tcp # cisco TNATIVE -cisco-tna 131/udp # cisco TNATIVE -cisco-sys 132/tcp # cisco SYSMAINT -cisco-sys 132/udp # cisco SYSMAINT -statsrv 133/tcp # Statistics Service -statsrv 133/udp # Statistics Service -ingres-net 134/tcp # INGRES-NET Service -ingres-net 134/udp # INGRES-NET Service -loc-srv 135/tcp # Location Service -loc-srv 135/udp # Location Service -profile 136/tcp # PROFILE Naming System -profile 136/udp # PROFILE Naming System -netbios-ns 137/tcp # NETBIOS Name Service -netbios-ns 137/udp # NETBIOS Name Service -netbios-dgm 138/tcp # NETBIOS Datagram Service -netbios-dgm 138/udp # NETBIOS Datagram Service -netbios-ssn 139/tcp # NETBIOS Session Service -netbios-ssn 139/udp # NETBIOS Session Service -emfis-data 140/tcp # EMFIS Data Service -emfis-data 140/udp # EMFIS Data Service -emfis-cntl 141/tcp # EMFIS Control Service -emfis-cntl 141/udp # EMFIS Control Service -bl-idm 142/tcp # Britton-Lee IDM -bl-idm 142/udp # Britton-Lee IDM -imap2 143/tcp # Interim Mail Access Protocol v2 -imap2 143/udp # Interim Mail Access Protocol v2 -news 144/tcp # NewS -news 144/udp # NewS -uaac 145/tcp # UAAC Protocol -uaac 145/udp # UAAC Protocol -iso-tp0 146/tcp # ISO-IP0 -iso-tp0 146/udp # ISO-IP0 -iso-ip 147/tcp # ISO-IP -iso-ip 147/udp # ISO-IP -cronus 148/tcp # CRONUS-SUPPORT -cronus 148/udp # CRONUS-SUPPORT -aed-512 149/tcp # AED 512 Emulation Service -aed-512 149/udp # AED 512 Emulation Service -sql-net 150/tcp # SQL-NET -sql-net 150/udp # SQL-NET -hems 151/tcp # HEMS -hems 151/udp # HEMS -bftp 152/tcp # Background File Transfer Program -bftp 152/udp # Background File Transfer Program -sgmp 153/tcp # SGMP -sgmp 153/udp # SGMP -netsc-prod 154/tcp # NETSC -netsc-prod 154/udp # NETSC -netsc-dev 155/tcp # NETSC -netsc-dev 155/udp # NETSC -sqlsrv 156/tcp # SQL Service 
-sqlsrv 156/udp # SQL Service -knet-cmp 157/tcp # KNET/VM Command/Message Protocol -knet-cmp 157/udp # KNET/VM Command/Message Protocol -pcmail-srv 158/tcp # PCMail Server -pcmail-srv 158/udp # PCMail Server -nss-routing 159/tcp # NSS-Routing -nss-routing 159/udp # NSS-Routing -sgmp-traps 160/tcp # SGMP-TRAPS -sgmp-traps 160/udp # SGMP-TRAPS -snmp 161/tcp # SNMP -snmp 161/udp # SNMP -snmptrap 162/tcp # SNMPTRAP -snmptrap 162/udp # SNMPTRAP -cmip-man 163/tcp # CMIP/TCP Manager -cmip-man 163/udp # CMIP/TCP Manager -cmip-agent 164/tcp # CMIP/TCP Agent -smip-agent 164/udp # CMIP/TCP Agent -xns-courier 165/tcp # Xerox -xns-courier 165/udp # Xerox -s-net 166/tcp # Sirius Systems -s-net 166/udp # Sirius Systems -namp 167/tcp # NAMP -namp 167/udp # NAMP -rsvd 168/tcp # RSVD -rsvd 168/udp # RSVD -send 169/tcp # SEND -send 169/udp # SEND -print-srv 170/tcp # Network PostScript -print-srv 170/udp # Network PostScript -multiplex 171/tcp # Network Innovations Multiplex -multiplex 171/udp # Network Innovations Multiplex -cl/1 172/tcp # Network Innovations CL/1 -cl/1 172/udp # Network Innovations CL/1 -xyplex-mux 173/tcp # Xyplex -xyplex-mux 173/udp # Xyplex -mailq 174/tcp # MAILQ -mailq 174/udp # MAILQ -vmnet 175/tcp # VMNET -vmnet 175/udp # VMNET -genrad-mux 176/tcp # GENRAD-MUX -genrad-mux 176/udp # GENRAD-MUX -xdmcp 177/tcp # X Display Manager Control Protocol -xdmcp 177/udp # X Display Manager Control Protocol -nextstep 178/tcp # NextStep Window Server -NextStep 178/udp # NextStep Window Server -bgp 179/tcp # Border Gateway Protocol -bgp 179/udp # Border Gateway Protocol -ris 180/tcp # Intergraph -ris 180/udp # Intergraph -unify 181/tcp # Unify -unify 181/udp # Unify -audit 182/tcp # Unisys Audit SITP -audit 182/udp # Unisys Audit SITP -ocbinder 183/tcp # OCBinder -ocbinder 183/udp # OCBinder -ocserver 184/tcp # OCServer -ocserver 184/udp # OCServer -remote-kis 185/tcp # Remote-KIS -remote-kis 185/udp # Remote-KIS -kis 186/tcp # KIS Protocol -kis 186/udp # KIS Protocol -aci 
187/tcp # Application Communication Interface -aci 187/udp # Application Communication Interface -mumps 188/tcp # Plus Five's MUMPS -mumps 188/udp # Plus Five's MUMPS -qft 189/tcp # Queued File Transport -qft 189/udp # Queued File Transport -gacp 190/tcp # Gateway Access Control Protocol -cacp 190/udp # Gateway Access Control Protocol -prospero 191/tcp # Prospero Directory Service -prospero 191/udp # Prospero Directory Service -osu-nms 192/tcp # OSU Network Monitoring System -osu-nms 192/udp # OSU Network Monitoring System -srmp 193/tcp # Spider Remote Monitoring Protocol -srmp 193/udp # Spider Remote Monitoring Protocol -irc 194/tcp # Internet Relay Chat Protocol -irc 194/udp # Internet Relay Chat Protocol -dn6-nlm-aud 195/tcp # DNSIX Network Level Module Audit -dn6-nlm-aud 195/udp # DNSIX Network Level Module Audit -dn6-smm-red 196/tcp # DNSIX Session Mgt Module Audit Redir -dn6-smm-red 196/udp # DNSIX Session Mgt Module Audit Redir -dls 197/tcp # Directory Location Service -dls 197/udp # Directory Location Service -dls-mon 198/tcp # Directory Location Service Monitor -dls-mon 198/udp # Directory Location Service Monitor -smux 199/tcp # SMUX -smux 199/udp # SMUX -src 200/tcp # IBM System Resource Controller -src 200/udp # IBM System Resource Controller -at-rtmp 201/tcp # AppleTalk Routing Maintenance -at-rtmp 201/udp # AppleTalk Routing Maintenance -at-nbp 202/tcp # AppleTalk Name Binding -at-nbp 202/udp # AppleTalk Name Binding -at-3 203/tcp # AppleTalk Unused -at-3 203/udp # AppleTalk Unused -at-echo 204/tcp # AppleTalk Echo -at-echo 204/udp # AppleTalk Echo -at-5 205/tcp # AppleTalk Unused -at-5 205/udp # AppleTalk Unused -at-zis 206/tcp # AppleTalk Zone Information -at-zis 206/udp # AppleTalk Zone Information -at-7 207/tcp # AppleTalk Unused -at-7 207/udp # AppleTalk Unused -at-8 208/tcp # AppleTalk Unused -at-8 208/udp # AppleTalk Unused -tam 209/tcp # Trivial Authenticated Mail Protocol -tam 209/udp # Trivial Authenticated Mail Protocol -z39.50 210/tcp # 
ANSI Z39.50 -z39.50 210/udp # ANSI Z39.50 -914c/g 211/tcp # Texas Instruments 914C/G Terminal -914c/g 211/udp # Texas Instruments 914C/G Terminal -anet 212/tcp # ATEXSSTR -anet 212/udp # ATEXSSTR -ipx 213/tcp # IPX -ipx 213/udp # IPX -vmpwscs 214/tcp # VM PWSCS -vmpwscs 214/udp # VM PWSCS -softpc 215/tcp # Insignia Solutions -softpc 215/udp # Insignia Solutions -atls 216/tcp # Access Technology License Server -atls 216/udp # Access Technology License Server -dbase 217/tcp # dBASE Unix -dbase 217/udp # dBASE Unix -mpp 218/tcp # Netix Message Posting Protocol -mpp 218/udp # Netix Message Posting Protocol -uarps 219/tcp # Unisys ARPs -uarps 219/udp # Unisys ARPs -imap3 220/tcp # Interactive Mail Access Protocol v3 -imap3 220/udp # Interactive Mail Access Protocol v3 -fln-spx 221/tcp # Berkeley rlogind with SPX auth -fln-spx 221/udp # Berkeley rlogind with SPX auth -rsh-spx 222/tcp # Berkeley rshd with SPX auth -rsh-spx 222/udp # Berkeley rshd with SPX auth -cdc 223/tcp # Certificate Distribution Center -cdc 223/udp # Certificate Distribution Center -sur-meas 243/tcp # Survey Measurement -sur-meas 243/udp # Survey Measurement -link 245/tcp # LINK -link 245/udp # LINK -dsp3270 246/tcp # Display Systems Protocol -dsp3270 246/udp # Display Systems Protocol -pdap 344/tcp # Prospero Data Access Protocol -pdap 344/udp # Prospero Data Access Protocol -pawserv 345/tcp # Perf Analysis Workbench -pawserv 345/udp # Perf Analysis Workbench -zserv 346/tcp # Zebra server -zserv 346/udp # Zebra server -fatserv 347/tcp # Fatmen Server -fatserv 347/udp # Fatmen Server -csi-sgwp 348/tcp # Cabletron Management Protocol -csi-sgwp 348/udp # Cabletron Management Protocol -clearcase 371/tcp # Clearcase -clearcase 371/udp # Clearcase -ulistserv 372/tcp # Unix Listserv -ulistserv 372/udp # Unix Listserv -legent-1 373/tcp # Legent Corporation -legent-1 373/udp # Legent Corporation -legent-2 374/tcp # Legent Corporation -legent-2 374/udp # Legent Corporation -hassle 375/tcp # Hassle -hassle 
375/udp # Hassle -nip 376/tcp # Amiga Envoy Network Inquiry Proto -nip 376/udp # Amiga Envoy Network Inquiry Proto -tnETOS 377/tcp # NEC Corporation -tnETOS 377/udp # NEC Corporation -dsETOS 378/tcp # NEC Corporation -dsETOS 378/udp # NEC Corporation -is99c 379/tcp # TIA/EIA/IS-99 modem client -is99c 379/udp # TIA/EIA/IS-99 modem client -is99s 380/tcp # TIA/EIA/IS-99 modem server -is99s 380/udp # TIA/EIA/IS-99 modem server -hp-collector 381/tcp # hp performance data collector -hp-collector 381/udp # hp performance data collector -hp-managed-node 382/tcp # hp performance data managed node -hp-managed-node 382/udp # hp performance data managed node -hp-alarm-mgr 383/tcp # hp performance data alarm manager -hp-alarm-mgr 383/udp # hp performance data alarm manager -arns 384/tcp # A Remote Network Server System -arns 384/udp # A Remote Network Server System -ibm-app 385/tcp # IBM Application -ibm-app 385/tcp # IBM Application -asa 386/tcp # ASA Message Router Object Def. -asa 386/udp # ASA Message Router Object Def. -aurp 387/tcp # Appletalk Update-Based Routing Pro. -aurp 387/udp # Appletalk Update-Based Routing Pro. -unidata-ldm 388/tcp # Unidata LDM Version 4 -unidata-ldm 388/udp # Unidata LDM Version 4 -ldap 389/tcp # Lightweight Directory Access Protocol -ldap 389/udp # Lightweight Directory Access Protocol -uis 390/tcp # UIS -uis 390/udp # UIS -synotics-relay 391/tcp # SynOptics SNMP Relay Port -synotics-relay 391/udp # SynOptics SNMP Relay Port -synotics-broker 392/tcp # SynOptics Port Broker Port -synotics-broker 392/udp # SynOptics Port Broker Port -dis 393/tcp # Data Interpretation System -dis 393/udp # Data Interpretation System -embl-ndt 394/tcp # EMBL Nucleic Data Transfer -embl-ndt 394/udp # EMBL Nucleic Data Transfer -netcp 395/tcp # NETscout Control Protocol -netcp 395/udp # NETscout Control Protocol -netware-ip 396/tcp # Novell Netware over IP -netware-ip 396/udp # Novell Netware over IP -mptn 397/tcp # Multi Protocol Trans. Net. 
-mptn 397/udp # Multi Protocol Trans. Net. -kryptolan 398/tcp # Kryptolan -kryptolan 398/udp # Kryptolan -work-sol 400/tcp # Workstation Solutions -work-sol 400/udp # Workstation Solutions -ups 401/tcp # Uninterruptible Power Supply -ups 401/udp # Uninterruptible Power Supply -genie 402/tcp # Genie Protocol -genie 402/udp # Genie Protocol -decap 403/tcp # decap -decap 403/udp # decap -nced 404/tcp # nced -nced 404/udp # nced -ncld 405/tcp # ncld -ncld 405/udp # ncld -imsp 406/tcp # Interactive Mail Support Protocol -imsp 406/udp # Interactive Mail Support Protocol -timbuktu 407/tcp # Timbuktu -timbuktu 407/udp # Timbuktu -prm-sm 408/tcp # Prospero Resource Manager Sys. Man. -prm-sm 408/udp # Prospero Resource Manager Sys. Man. -prm-nm 409/tcp # Prospero Resource Manager Node Man. -prm-nm 409/udp # Prospero Resource Manager Node Man. -decladebug 410/tcp # DECLadebug Remote Debug Protocol -decladebug 410/udp # DECLadebug Remote Debug Protocol -rmt 411/tcp # Remote MT Protocol -rmt 411/udp # Remote MT Protocol -synoptics-trap 412/tcp # Trap Convention Port -synoptics-trap 412/udp # Trap Convention Port -smsp 413/tcp # SMSP -smsp 413/udp # SMSP -infoseek 414/tcp # InfoSeek -infoseek 414/udp # InfoSeek -bnet 415/tcp # BNet -bnet 415/udp # BNet -silverplatter 416/tcp # Silverplatter -silverplatter 416/udp # Silverplatter -onmux 417/tcp # Onmux -onmux 417/udp # Onmux -hyper-g 418/tcp # Hyper-G -hyper-g 418/udp # Hyper-G -ariel1 419/tcp # Ariel -ariel1 419/udp # Ariel -smpte 420/tcp # SMPTE -smpte 420/udp # SMPTE -ariel2 421/tcp # Ariel -ariel2 421/udp # Ariel -ariel3 422/tcp # Ariel -ariel3 422/udp # Ariel -opc-job-start 423/tcp # IBM Operations Planning and Control Start -opc-job-start 423/udp # IBM Operations Planning and Control Start -opc-job-track 424/tcp # IBM Operations Planning and Control Track -opc-job-track 424/udp # IBM Operations Planning and Control Track -icad-el 425/tcp # ICAD -icad-el 425/udp # ICAD -smartsdp 426/tcp # smartsdp -smartsdp 426/udp # 
smartsdp -svrloc 427/tcp # Server Location -svrloc 427/udp # Server Location -ocs_cmu 428/tcp # OCS_CMU -ocs_cmu 428/udp # OCS_CMU -ocs_amu 429/tcp # OCS_AMU -ocs_amu 429/udp # OCS_AMU -utmpsd 430/tcp # UTMPSD -utmpsd 430/udp # UTMPSD -utmpcd 431/tcp # UTMPCD -utmpcd 431/udp # UTMPCD -iasd 432/tcp # IASD -iasd 432/udp # IASD -nnsp 433/tcp # NNSP -nnsp 433/udp # NNSP -mobileip-agent 434/tcp # MobileIP-Agent -mobileip-agent 434/udp # MobileIP-Agent -mobilip-mn 435/tcp # MobilIP-MN -mobilip-mn 435/udp # MobilIP-MN -dna-cml 436/tcp # DNA-CML -dna-cml 436/udp # DNA-CML -comscm 437/tcp # comscm -comscm 437/udp # comscm -dsfgw 438/tcp # dsfgw -dsfgw 438/udp # dsfgw -dasp 439/tcp # dasp Thomas Obermair -dasp 439/udp # dasp tommy@inlab.m.eunet.de -sgcp 440/tcp # sgcp -sgcp 440/udp # sgcp -decvms-sysmgt 441/tcp # decvms-sysmgt -decvms-sysmgt 441/udp # decvms-sysmgt -cvc_hostd 442/tcp # cvc_hostd -cvc_hostd 442/udp # cvc_hostd -https 443/tcp # https MCom -https 443/udp # https MCom -snpp 444/tcp # Simple Network Paging Protocol -snpp 444/udp # Simple Network Paging Protocol -microsoft-ds 445/tcp # Microsoft-DS -microsoft-ds 445/udp # Microsoft-DS -ddm-rdb 446/tcp # DDM-RDB -ddm-rdb 446/udp # DDM-RDB -ddm-dfm 447/tcp # DDM-RFM -ddm-dfm 447/udp # DDM-RFM -ddm-byte 448/tcp # DDM-BYTE -ddm-byte 448/udp # DDM-BYTE -as-servermap 449/tcp # AS Server Mapper -as-servermap 449/udp # AS Server Mapper -tserver 450/tcp # TServer -tserver 450/udp # TServer -exec 512/tcp # remote process execution; -biff 512/udp # used by mail system to notify users -login 513/tcp # remote login a la telnet; -who 513/udp # maintains data bases showing who's -cmd 514/tcp # like exec, but automatic -syslog 514/udp -printer 515/tcp # spooler -printer 515/udp # spooler -talk 517/tcp # like tenex link, but across -talk 517/udp # like tenex link, but across tcp connection is established) -ntalk 518/tcp -ntalk 518/udp -utime 519/tcp # unixtime -utime 519/udp # unixtime -efs 520/tcp # extended file name server 
-router 520/udp # local routing process (on site); -timed 525/tcp # timeserver -timed 525/udp # timeserver -tempo 526/tcp # newdate -tempo 526/udp # newdate -courier 530/tcp # rpc -courier 530/udp # rpc -conference 531/tcp # chat -conference 531/udp # chat -netnews 532/tcp # readnews -netnews 532/udp # readnews -netwall 533/tcp # for emergency broadcasts -netwall 533/udp # for emergency broadcasts -apertus-ldp 539/tcp # Apertus Technologies Load Determination -apertus-ldp 539/udp # Apertus Technologies Load Determination -uucp 540/tcp # uucpd -uucp 540/udp # uucpd -uucp-rlogin 541/tcp # uucp-rlogin Stuart Lynne -uucp-rlogin 541/udp # uucp-rlogin sl@wimsey.com -klogin 543/tcp -klogin 543/udp -kshell 544/tcp # krcmd -kshell 544/udp # krcmd -new-rwho 550/tcp # new-who -new-rwho 550/udp # new-who -dsf 555/tcp -dsf 555/udp -remotefs 556/tcp # rfs server -remotefs 556/udp # rfs server -rmonitor 560/tcp # rmonitord -rmonitor 560/udp # rmonitord -monitor 561/tcp -monitor 561/udp -chshell 562/tcp # chcmd -chshell 562/udp # chcmd -9pfs 564/tcp # plan 9 file service -9pfs 564/udp # plan 9 file service -whoami 565/tcp # whoami -whoami 565/udp # whoami -meter 570/tcp # demon -meter 570/udp # demon -meter 571/tcp # udemon -meter 571/udp # udemon -ipcserver 600/tcp # Sun IPC server -ipcserver 600/udp # Sun IPC server -nqs 607/tcp # nqs -nqs 607/udp # nqs -urm 606/tcp # Cray Unified Resource Manager -urm 606/udp # Cray Unified Resource Manager -sift-uft 608/tcp # Sender-Initiated/Unsolicited File Transfer -sift-uft 608/udp # Sender-Initiated/Unsolicited File Transfer -npmp-trap 609/tcp # npmp-trap -npmp-trap 609/udp # npmp-trap -npmp-local 610/tcp # npmp-local -npmp-local 610/udp # npmp-local -npmp-gui 611/tcp # npmp-gui -npmp-gui 611/udp # npmp-gui -ginad 634/tcp # ginad -ginad 634/udp # ginad -mdqs 666/tcp -mdqs 666/udp -doom 666/tcp # doom Id Software -doom 666/tcp # doom Id Software -elcsd 704/tcp # errlog copy/server daemon -elcsd 704/udp # errlog copy/server daemon 
-entrustmanager 709/tcp # EntrustManager -entrustmanager 709/udp # EntrustManager -netviewdm1 729/tcp # IBM NetView DM/6000 Server/Client -netviewdm1 729/udp # IBM NetView DM/6000 Server/Client -netviewdm2 730/tcp # IBM NetView DM/6000 send/tcp -netviewdm2 730/udp # IBM NetView DM/6000 send/tcp -netviewdm3 731/tcp # IBM NetView DM/6000 receive/tcp -netviewdm3 731/udp # IBM NetView DM/6000 receive/tcp -netgw 741/tcp # netGW -netgw 741/udp # netGW -netrcs 742/tcp # Network based Rev. Cont. Sys. -netrcs 742/udp # Network based Rev. Cont. Sys. -flexlm 744/tcp # Flexible License Manager -flexlm 744/udp # Flexible License Manager -fujitsu-dev 747/tcp # Fujitsu Device Control -fujitsu-dev 747/udp # Fujitsu Device Control -ris-cm 748/tcp # Russell Info Sci Calendar Manager -ris-cm 748/udp # Russell Info Sci Calendar Manager -kerberos-adm 749/tcp # kerberos administration -kerberos-adm 749/udp # kerberos administration -rfile 750/tcp -loadav 750/udp -pump 751/tcp -pump 751/udp -qrh 752/tcp -qrh 752/udp -rrh 753/tcp -rrh 753/udp -tell 754/tcp # send -tell 754/udp # send -nlogin 758/tcp -nlogin 758/udp -con 759/tcp -con 759/udp -ns 760/tcp -ns 760/udp -rxe 761/tcp -rxe 761/udp -quotad 762/tcp -quotad 762/udp -cycleserv 763/tcp -cycleserv 763/udp -omserv 764/tcp -omserv 764/udp -webster 765/tcp -webster 765/udp -phonebook 767/tcp # phone -phonebook 767/udp # phone -vid 769/tcp -vid 769/udp -cadlock 770/tcp -cadlock 770/udp -rtip 771/tcp -rtip 771/udp -cycleserv2 772/tcp -cycleserv2 772/udp -submit 773/tcp -notify 773/udp -rpasswd 774/tcp -acmaint_dbd 774/udp -entomb 775/tcp -acmaint_transd 775/udp +tcpmux 1/tcp # TCP Port Service Multiplexer +tcpmux 1/udp # TCP Port Service Multiplexer +compressnet 2/tcp # Management Utility +compressnet 2/udp # Management Utility +compressnet 3/tcp # Compression Process +compressnet 3/udp # Compression Process +rje 5/tcp # Remote Job Entry +rje 5/udp # Remote Job Entry +echo 7/tcp # Echo +echo 7/udp # Echo +discard 9/tcp # Discard +discard 
9/udp # Discard +systat 11/tcp # Active Users +systat 11/udp # Active Users +daytime 13/tcp # Daytime (RFC 867) +daytime 13/udp # Daytime (RFC 867) +qotd 17/tcp # Quote of the Day +qotd 17/udp # Quote of the Day +msp 18/tcp # Message Send Protocol +msp 18/udp # Message Send Protocol +chargen 19/tcp # Character Generator +chargen 19/udp # Character Generator +ftp 21/tcp # File Transfer [Control] +ftp 21/udp # File Transfer [Control] +ssh 22/tcp # SSH Remote Login Protocol +ssh 22/udp # SSH Remote Login Protocol +telnet 23/tcp # Telnet +telnet 23/udp # Telnet +smtp 25/tcp # Simple Mail Transfer +smtp 25/udp # Simple Mail Transfer +dsp 33/tcp # Display Support Protocol +dsp 33/udp # Display Support Protocol +time 37/tcp # Time +time 37/udp # Time +rap 38/tcp # Route Access Protocol +rap 38/udp # Route Access Protocol +rlp 39/tcp # Resource Location Protocol +rlp 39/udp # Resource Location Protocol +graphics 41/tcp # Graphics +graphics 41/udp # Graphics +name 42/tcp # Host Name Server +name 42/udp # Host Name Server +nameserver 42/tcp # Host Name Server +nameserver 42/udp # Host Name Server +nicname 43/tcp # Who Is +nicname 43/udp # Who Is +mpm 45/tcp # Message Processing Module [recv] +mpm 45/udp # Message Processing Module [recv] +auditd 48/tcp # Digital Audit Daemon +auditd 48/udp # Digital Audit Daemon +tacacs 49/tcp # Login Host Protocol (TACACS) +tacacs 49/udp # Login Host Protocol (TACACS) +domain 53/tcp # Domain Name Server +domain 53/udp # Domain Name Server +acas 62/tcp # ACA Services +acas 62/udp # ACA Services +covia 64/tcp # Communications Integrator (CI) +covia 64/udp # Communications Integrator (CI) +sql*net 66/tcp # Oracle SQL*NET +sql*net 66/udp # Oracle SQL*NET +bootps 67/tcp # Bootstrap Protocol Server +bootps 67/udp # Bootstrap Protocol Server +bootpc 68/tcp # Bootstrap Protocol Client +bootpc 68/udp # Bootstrap Protocol Client +tftp 69/tcp # Trivial File Transfer +tftp 69/udp # Trivial File Transfer +gopher 70/tcp # Gopher +gopher 70/udp # Gopher 
+deos 76/tcp # Distributed External Object Store +deos 76/udp # Distributed External Object Store +vettcp 78/tcp # vettcp +vettcp 78/udp # vettcp +finger 79/tcp # Finger +finger 79/udp # Finger +http 80/tcp # World Wide Web HTTP +http 80/udp # World Wide Web HTTP +www 80/tcp # World Wide Web HTTP +www 80/udp # World Wide Web HTTP +xfer 82/tcp # XFER Utility +xfer 82/udp # XFER Utility +ctf 84/tcp # Common Trace Facility +ctf 84/udp # Common Trace Facility +mfcobol 86/tcp # Micro Focus Cobol +mfcobol 86/udp # Micro Focus Cobol +kerberos 88/tcp # Kerberos +kerberos 88/udp # Kerberos +dnsix 90/tcp # DNSIX Securit Attribute Token Map +dnsix 90/udp # DNSIX Securit Attribute Token Map +npp 92/tcp # Network Printing Protocol +npp 92/udp # Network Printing Protocol +dcp 93/tcp # Device Control Protocol +dcp 93/udp # Device Control Protocol +objcall 94/tcp # Tivoli Object Dispatcher +objcall 94/udp # Tivoli Object Dispatcher +supdup 95/tcp # SUPDUP +supdup 95/udp # SUPDUP +dixie 96/tcp # DIXIE Protocol Specification +dixie 96/udp # DIXIE Protocol Specification +tacnews 98/tcp # TAC News +tacnews 98/udp # TAC News +metagram 99/tcp # Metagram Relay +metagram 99/udp # Metagram Relay +newacct 100/tcp [unauthorized use] +hostname 101/tcp # NIC Host Name Server +hostname 101/udp # NIC Host Name Server +gppitnp 103/tcp # Genesis Point-to-Point Trans Net +gppitnp 103/udp # Genesis Point-to-Point Trans Net +cso 105/tcp # CCSO name server protocol +cso 105/udp # CCSO name server protocol +rtelnet 107/tcp # Remote Telnet Service +rtelnet 107/udp # Remote Telnet Service +snagas 108/tcp # SNA Gateway Access Server +snagas 108/udp # SNA Gateway Access Server +pop2 109/tcp # Post Office Protocol - Version 2 +pop2 109/udp # Post Office Protocol - Version 2 +pop3 110/tcp # Post Office Protocol - Version 3 +pop3 110/udp # Post Office Protocol - Version 3 +sunrpc 111/tcp # SUN Remote Procedure Call +sunrpc 111/udp # SUN Remote Procedure Call +mcidas 112/tcp # McIDAS Data Transmission Protocol 
+mcidas 112/udp # McIDAS Data Transmission Protocol +ident 113/tcp +auth 113/tcp # Authentication Service +auth 113/udp # Authentication Service +audionews 114/tcp # Audio News Multicast +audionews 114/udp # Audio News Multicast +sftp 115/tcp # Simple File Transfer Protocol +sftp 115/udp # Simple File Transfer Protocol +ansanotify 116/tcp # ANSA REX Notify +ansanotify 116/udp # ANSA REX Notify +sqlserv 118/tcp # SQL Services +sqlserv 118/udp # SQL Services +nntp 119/tcp # Network News Transfer Protocol +nntp 119/udp # Network News Transfer Protocol +cfdptkt 120/tcp # CFDPTKT +cfdptkt 120/udp # CFDPTKT +erpc 121/tcp # Encore Expedited Remote Pro.Call +erpc 121/udp # Encore Expedited Remote Pro.Call +smakynet 122/tcp # SMAKYNET +smakynet 122/udp # SMAKYNET +ntp 123/tcp # Network Time Protocol +ntp 123/udp # Network Time Protocol +ansatrader 124/tcp # ANSA REX Trader +ansatrader 124/udp # ANSA REX Trader +nxedit 126/tcp # NXEdit +nxedit 126/udp # NXEdit +pwdgen 129/tcp # Password Generator Protocol +pwdgen 129/udp # Password Generator Protocol +statsrv 133/tcp # Statistics Service +statsrv 133/udp # Statistics Service +epmap 135/tcp # DCE endpoint resolution +epmap 135/udp # DCE endpoint resolution +profile 136/tcp # PROFILE Naming System +profile 136/udp # PROFILE Naming System +imap 143/tcp # Internet Message Access Protocol +imap 143/udp # Internet Message Access Protocol +uma 144/tcp # Universal Management Architecture +uma 144/udp # Universal Management Architecture +uaac 145/tcp # UAAC Protocol +uaac 145/udp # UAAC Protocol +jargon 148/tcp # Jargon +jargon 148/udp # Jargon +hems 151/tcp # HEMS +hems 151/udp # HEMS +bftp 152/tcp # Background File Transfer Program +bftp 152/udp # Background File Transfer Program +sgmp 153/tcp # SGMP +sgmp 153/udp # SGMP +sqlsrv 156/tcp # SQL Service +sqlsrv 156/udp # SQL Service +snmp 161/tcp # SNMP +snmp 161/udp # SNMP +snmptrap 162/tcp # SNMPTRAP +snmptrap 162/udp # SNMPTRAP +namp 167/tcp # NAMP +namp 167/udp # NAMP +rsvd 
168/tcp # RSVD
+rsvd 168/udp # RSVD
+send 169/tcp # SEND
+send 169/udp # SEND
+multiplex 171/tcp # Network Innovations Multiplex
+multiplex 171/udp # Network Innovations Multiplex
+cl/1 172/tcp # Network Innovations CL/1
+cl/1 172/udp # Network Innovations CL/1
+mailq 174/tcp # MAILQ
+mailq 174/udp # MAILQ
+vmnet 175/tcp # VMNET
+vmnet 175/udp # VMNET
+xdmcp 177/tcp # X Display Manager Control Protocol
+xdmcp 177/udp # X Display Manager Control Protocol
+nextstep 178/tcp # NextStep Window Server
+nextstep 178/udp # NextStep Window Server
+bgp 179/tcp # Border Gateway Protocol
+bgp 179/udp # Border Gateway Protocol
+ris 180/tcp # Intergraph
+ris 180/udp # Intergraph
+unify 181/tcp # Unify
+unify 181/udp # Unify
+audit 182/tcp # Unisys Audit SITP
+audit 182/udp # Unisys Audit SITP
+ocbinder 183/tcp # OCBinder
+ocbinder 183/udp # OCBinder
+ocserver 184/tcp # OCServer
+ocserver 184/udp # OCServer
+kis 186/tcp # KIS Protocol
+kis 186/udp # KIS Protocol
+aci 187/tcp # Application Communication Interface
+aci 187/udp # Application Communication Interface
+mumps 188/tcp # Plus Five's MUMPS
+mumps 188/udp # Plus Five's MUMPS
+qft 189/tcp # Queued File Transport
+qft 189/udp # Queued File Transport
+gacp 190/tcp # Gateway Access Control Protocol
+gacp 190/udp # Gateway Access Control Protocol
+prospero 191/tcp # Prospero Directory Service
+prospero 191/udp # Prospero Directory Service
+srmp 193/tcp # Spider Remote Monitoring Protocol
+srmp 193/udp # Spider Remote Monitoring Protocol
+irc 194/tcp # Internet Relay Chat Protocol
+irc 194/udp # Internet Relay Chat Protocol
+dls 197/tcp # Directory Location Service
+dls 197/udp # Directory Location Service
+smux 199/tcp # SMUX
+smux 199/udp # SMUX
+src 200/tcp # IBM System Resource Controller
+src 200/udp # IBM System Resource Controller
+qmtp 209/tcp # The Quick Mail Transfer Protocol
+qmtp 209/udp # The Quick Mail Transfer Protocol
+anet 212/tcp # ATEXSSTR
+anet 212/udp # ATEXSSTR
+ipx 213/tcp # IPX
+ipx 213/udp # IPX
+vmpwscs 214/tcp # VM PWSCS
+vmpwscs 214/udp # VM PWSCS
+softpc 215/tcp # Insignia Solutions
+softpc 215/udp # Insignia Solutions
+dbase 217/tcp # dBASE Unix
+dbase 217/udp # dBASE Unix
+mpp 218/tcp # Netix Message Posting Protocol
+mpp 218/udp # Netix Message Posting Protocol
+uarps 219/tcp # Unisys ARPs
+uarps 219/udp # Unisys ARPs
+imap3 220/tcp # Interactive Mail Access Protocol v3
+imap3 220/udp # Interactive Mail Access Protocol v3
+cdc 223/tcp # Certificate Distribution Center
+cdc 223/udp # Certificate Distribution Center
+masqdialer 224/tcp # masqdialer
+masqdialer 224/udp # masqdialer
+direct 242/tcp # Direct
+direct 242/udp # Direct
+dayna 244/tcp # Dayna
+dayna 244/udp # Dayna
+link 245/tcp # LINK
+link 245/udp # LINK
+dsp3270 246/tcp # Display Systems Protocol
+dsp3270 246/udp # Display Systems Protocol
+bhfhs 248/tcp # bhfhs
+bhfhs 248/udp # bhfhs
+rap 256/tcp # RAP
+rap 256/udp # RAP
+set 257/tcp # Secure Electronic Transaction
+set 257/udp # Secure Electronic Transaction
+openport 260/tcp # Openport
+openport 260/udp # Openport
+nsiiops 261/tcp # IIOP Name Service over TLS/SSL
+nsiiops 261/udp # IIOP Name Service over TLS/SSL
+arcisdms 262/tcp # Arcisdms
+arcisdms 262/udp Arcisdms
+hdap 263/tcp # HDAP
+hdap 263/udp # HDAP
+bgmp 264/tcp # BGMP
+bgmp 264/udp # BGMP
+rescap 283/tcp # rescap
+rescap 283/udp # rescap
+novastorbakcup 308/tcp # Novastor Backup
+novastorbakcup 308/udp # Novastor Backup
+entrusttime 309/tcp # EntrustTime
+entrusttime 309/udp # EntrustTime
+bhmds 310/tcp # bhmds
+bhmds 310/udp # bhmds
+vslmp 312/tcp # VSLMP
+vslmp 312/udp # VSLMP
+dpsi 315/tcp # DPSI
+dpsi 315/udp # DPSI
+decauth 316/tcp # decAuth
+decauth 316/udp # decAuth
+zannet 317/tcp # Zannet
+zannet 317/udp # Zannet
+pip 321/tcp # PIP
+pip 321/udp # PIP
+rtsps 322/tcp # RTSPS
+rtsps 322/udp # RTSPS
+pdap 344/tcp # Prospero Data Access Protocol
+pdap 344/udp # Prospero Data Access Protocol
+pawserv 345/tcp # Perf Analysis Workbench
+pawserv 345/udp # Perf Analysis Workbench
+zserv 346/tcp # Zebra server
+zserv 346/udp # Zebra server
+fatserv 347/tcp # Fatmen Server
+fatserv 347/udp # Fatmen Server
+mftp 349/tcp # mftp
+mftp 349/udp # mftp
+bhoetty 351/tcp bhoetty (added 5/21/97)
+bhoetty 351/udp # bhoetty
+bhoedap4 352/tcp # bhoedap4 (added 5/21/97)
+bhoedap4 352/udp # bhoedap4
+ndsauth 353/tcp # NDSAUTH
+ndsauth 353/udp # NDSAUTH
+bh611 354/tcp bh611
+bh611 354/udp # bh611
+bhevent 357/tcp bhevent
+bhevent 357/udp # bhevent
+shrinkwrap 358/tcp # Shrinkwrap
+shrinkwrap 358/udp # Shrinkwrap
+scoi2odialog 360/tcp # scoi2odialog
+scoi2odialog 360/udp # scoi2odialog
+semantix 361/tcp # Semantix
+semantix 361/udp # Semantix
+srssend 362/tcp # SRS Send
+srssend 362/udp # SRS Send
+dtk 365/tcp # DTK
+dtk 365/udp # DTK
+odmr 366/tcp # ODMR
+odmr 366/udp # ODMR
+mortgageware 367/tcp # MortgageWare
+mortgageware 367/udp # MortgageWare
+qbikgdp 368/tcp # QbikGDP
+qbikgdp 368/udp # QbikGDP
+rpc2portmap 369/tcp # rpc2portmap
+rpc2portmap 369/udp # rpc2portmap
+codaauth2 370/tcp # codaauth2
+codaauth2 370/udp # codaauth2
+clearcase 371/tcp # Clearcase
+clearcase 371/udp # Clearcase
+ulistproc 372/tcp # ListProcessor
+ulistproc 372/udp # ListProcessor
+hassle 375/tcp # Hassle
+hassle 375/udp # Hassle
+nip 376/tcp # Amiga Envoy Network Inquiry Proto
+nip 376/udp # Amiga Envoy Network Inquiry Proto
+tnETOS 377/tcp # NEC Corporation
+tnETOS 377/udp # NEC Corporation
+dsETOS 378/tcp # NEC Corporation
+dsETOS 378/udp # NEC Corporation
+is99c 379/tcp # TIA/EIA/IS-99 modem client
+is99c 379/udp # TIA/EIA/IS-99 modem client
+is99s 380/tcp # TIA/EIA/IS-99 modem server
+is99s 380/udp # TIA/EIA/IS-99 modem server
+arns 384/tcp # A Remote Network Server System
+arns 384/udp # A Remote Network Server System
+asa 386/tcp # ASA Message Router Object Def.
+asa 386/udp # ASA Message Router Object Def.
+aurp 387/tcp # Appletalk Update-Based Routing Pro.
+aurp 387/udp # Appletalk Update-Based Routing Pro.
+ldap 389/tcp # Lightweight Directory Access Protocol
+ldap 389/udp # Lightweight Directory Access Protocol
+uis 390/tcp # UIS
+uis 390/udp # UIS
+dis 393/tcp # Data Interpretation System
+dis 393/udp # Data Interpretation System
+netcp 395/tcp # NETscout Control Protocol
+netcp 395/udp # NETscout Control Protocol
+mptn 397/tcp # Multi Protocol Trans. Net.
+mptn 397/udp # Multi Protocol Trans. Net.
+kryptolan 398/tcp # Kryptolan
+kryptolan 398/udp # Kryptolan
+ups 401/tcp # Uninterruptible Power Supply
+ups 401/udp # Uninterruptible Power Supply
+genie 402/tcp # Genie Protocol
+genie 402/udp # Genie Protocol
+decap 403/tcp # decap
+decap 403/udp # decap
+nced 404/tcp # nced
+nced 404/udp # nced
+ncld 405/tcp # ncld
+ncld 405/udp # ncld
+imsp 406/tcp # Interactive Mail Support Protocol
+imsp 406/udp # Interactive Mail Support Protocol
+timbuktu 407/tcp # Timbuktu
+timbuktu 407/udp # Timbuktu
+decladebug 410/tcp # DECLadebug Remote Debug Protocol
+decladebug 410/udp # DECLadebug Remote Debug Protocol
+rmt 411/tcp # Remote MT Protocol
+rmt 411/udp # Remote MT Protocol
+smsp 413/tcp # SMSP
+smsp 413/udp # SMSP
+infoseek 414/tcp # InfoSeek
+infoseek 414/udp # InfoSeek
+bnet 415/tcp # BNet
+bnet 415/udp # BNet
+silverplatter 416/tcp # Silverplatter
+silverplatter 416/udp # Silverplatter
+onmux 417/tcp # Onmux
+onmux 417/udp # Onmux
+ariel1 419/tcp # Ariel
+ariel1 419/udp # Ariel
+smpte 420/tcp # SMPTE
+smpte 420/udp # SMPTE
+ariel2 421/tcp # Ariel
+ariel2 421/udp # Ariel
+ariel3 422/tcp # Ariel
+ariel3 422/udp # Ariel
+smartsdp 426/tcp # smartsdp
+smartsdp 426/udp # smartsdp
+svrloc 427/tcp # Server Location
+svrloc 427/udp # Server Location
+utmpsd 430/tcp # UTMPSD
+utmpsd 430/udp # UTMPSD
+utmpcd 431/tcp # UTMPCD
+utmpcd 431/udp # UTMPCD
+iasd 432/tcp # IASD
+iasd 432/udp # IASD
+nnsp 433/tcp # NNSP
+nnsp 433/udp # NNSP
+comscm 437/tcp # comscm
+comscm 437/udp # comscm
+dsfgw 438/tcp # dsfgw
+dsfgw 438/udp # dsfgw
+dasp 439/tcp # dasp Thomas Obermair
+dasp 439/udp # dasp tommy@inlab.m.eunet.de
+sgcp 440/tcp # sgcp
+sgcp 440/udp # sgcp
+https 443/tcp # http protocol over TLS/SSL
+https 443/udp # http protocol over TLS/SSL
+snpp 444/tcp # Simple Network Paging Protocol
+snpp 444/udp # Simple Network Paging Protocol
+tserver 450/tcp # TServer
+tserver 450/udp # TServer
+creativeserver 453/tcp # CreativeServer
+creativeserver 453/udp # CreativeServer
+contentserver 454/tcp # ContentServer
+contentserver 454/udp # ContentServer
+creativepartnr 455/tcp # CreativePartnr
+creativepartnr 455/udp # CreativePartnr
+scohelp 457/tcp # scohelp
+scohelp 457/udp # scohelp
+appleqtc 458/tcp # apple quick time
+appleqtc 458/udp # apple quick time
+skronk 460/tcp # skronk
+skronk 460/udp # skronk
+datasurfsrv 461/tcp # DataRampSrv
+datasurfsrv 461/udp # DataRampSrv
+datasurfsrvsec 462/tcp # DataRampSrvSec
+datasurfsrvsec 462/udp # DataRampSrvSec
+alpes 463/tcp # alpes
+alpes 463/udp # alpes
+kpasswd 464/tcp # kpasswd
+kpasswd 464/udp # kpasswd
+photuris 468/tcp # proturis
+photuris 468/udp # proturis
+rcp 469/tcp # Radio Control Protocol
+rcp 469/udp # Radio Control Protocol
+mondex 471/tcp # Mondex
+mondex 471/udp # Mondex
+tcp # nethaspsrv 475/tcp # tcpnethaspsrv
+tcp # nethaspsrv 475/udp # tcp # nethaspsrv
+ss7ns 477/tcp # ss7ns
+ss7ns 477/udp # ss7ns
+spsc 478/tcp # spsc
+spsc 478/udp # spsc
+iafserver 479/tcp # iafserver
+iafserver 479/udp # iafserver
+iafdbase 480/tcp # iafdbase
+iafdbase 480/udp # iafdbase
+ph 481/tcp # Ph service
+ph 481/udp # Ph service
+ulpnet 483/tcp # ulpnet
+ulpnet 483/udp # ulpnet
+powerburst 485/tcp # Air Soft Power Burst
+powerburst 485/udp # Air Soft Power Burst
+avian 486/tcp # avian
+avian 486/udp # avian
+saft 487/tcp # saft Simple Asynchronous File Transfer
+saft 487/udp # saft Simple Asynchronous File Transfer
+intecourier 495/tcp # intecourier
+intecourier 495/udp # intecourier
+dantz 497/tcp # dantz
+dantz 497/udp # dantz
+siam 498/tcp # siam
+siam 498/udp # siam
+isakmp 500/tcp # isakmp
+isakmp 500/udp # isakmp
+stmf 501/tcp # STMF
+stmf 501/udp # STMF
+intrinsa 503/tcp # Intrinsa
+intrinsa 503/udp # Intrinsa
+citadel 504/tcp # citadel
+citadel 504/udp # citadel
+ohimsrv 506/tcp # ohimsrv
+ohimsrv 506/udp # ohimsrv
+crs 507/tcp # crs
+crs 507/udp # crs
+xvttp 508/tcp # xvttp
+xvttp 508/udp # xvttp
+snare 509/tcp # snare
+snare 509/udp # snare
+fcp 510/tcp # FirstClass Protocol
+fcp 510/udp # FirstClass Protocol
+passgo 511/tcp # PassGo
+passgo 511/udp # PassGo
+exec 512/tcp # remote process execution;
+comsat 512/udp
+biff 512/udp # used by mail system to notify users
+login 513/tcp # remote login a la telnet;
+who 513/udp # maintains data bases showing who's
+shell 514/tcp # cmd
+syslog 514/udp
+printer 515/tcp # spooler
+printer 515/udp # spooler
+videotex 516/tcp # videotex
+videotex 516/udp # videotex
+talk 517/tcp # like tenex link, but across
+talk 517/udp # like tenex link, but across
+ntalk 518/tcp
+ntalk 518/udp
+utime 519/tcp # unixtime
+utime 519/udp # unixtime
+efs 520/tcp # extended file name server
+router 520/udp # local routing process (on site);
+ripng 521/tcp # ripng
+ripng 521/udp # ripng
+ulp 522/tcp # ULP
+ulp 522/udp # ULP
+ncp 524/tcp # NCP
+ncp 524/udp # NCP
+timed 525/tcp # timeserver
+timed 525/udp # timeserver
+tempo 526/tcp # newdate
+tempo 526/udp # newdate
+stx 527/tcp # Stock IXChange
+stx 527/udp # Stock IXChange
+custix 528/tcp # Customer IXChange
+custix 528/udp # Customer IXChange
+courier 530/tcp # rpc
+courier 530/udp # rpc
+conference 531/tcp # chat
+conference 531/udp # chat
+netnews 532/tcp # readnews
+netnews 532/udp # readnews
+netwall 533/tcp # for emergency broadcasts
+netwall 533/udp # for emergency broadcasts
+iiop 535/tcp # iiop
+iiop 535/udp # iiop
+nmsp 537/tcp # Networked Media Streaming Protocol
+nmsp 537/udp # Networked Media Streaming Protocol
+gdomap 538/tcp # gdomap
+gdomap 538/udp # gdomap
+uucp 540/tcp # uucpd
+uucp 540/udp # uucpd
+commerce 542/tcp # commerce
+commerce 542/udp # commerce
+klogin 543/tcp
+klogin 543/udp
+kshell 544/tcp # krcmd
+kshell 544/udp # krcmd
+appleqtcsrvr 545/tcp # appleqtcsrvr
+appleqtcsrvr 545/udp # appleqtcsrvr
+afpovertcp 548/tcp # AFP over TCP
+afpovertcp 548/udp # AFP over TCP
+idfp 549/tcp # IDFP
+idfp 549/udp # IDFP
+cybercash 551/tcp # cybercash
+cybercash 551/udp # cybercash
+deviceshare 552/tcp # deviceshare
+deviceshare 552/udp # deviceshare
+pirp 553/tcp # pirp
+pirp 553/udp # pirp
+rtsp 554/tcp # Real Time Stream Control Protocol
+rtsp 554/udp # Real Time Stream Control Protocol
+dsf 555/tcp
+dsf 555/udp
+remotefs 556/tcp # rfs server
+remotefs 556/udp # rfs server
+sdnskmp 558/tcp # SDNSKMP
+sdnskmp 558/udp # SDNSKMP
+teedtap 559/tcp # TEEDTAP
+teedtap 559/udp # TEEDTAP
+rmonitor 560/tcp # rmonitord
+rmonitor 560/udp # rmonitord
+monitor 561/tcp
+monitor 561/udp
+chshell 562/tcp # chcmd
+chshell 562/udp # chcmd
+nntps 563/tcp # nntp protocol over TLS/SSL (was snntp)
+nntps 563/udp # nntp protocol over TLS/SSL (was snntp)
+whoami 565/tcp # whoami
+whoami 565/udp # whoami
+streettalk 566/tcp # streettalk
+streettalk 566/udp # streettalk
+meter 570/tcp # demon
+meter 570/udp # demon
+meter 571/tcp # udemon
+meter 571/udp # udemon
+sonar 572/tcp # sonar
+sonar 572/udp # sonar
+vemmi 575/tcp # VEMMI
+vemmi 575/udp # VEMMI
+ipcd 576/tcp # ipcd
+ipcd 576/udp # ipcd
+vnas 577/tcp # vnas
+vnas 577/udp # vnas
+ipdd 578/tcp # ipdd
+ipdd 578/udp # ipdd
+decbsrv 579/tcp # decbsrv
+decbsrv 579/udp # decbsrv
+bdp 581/tcp # Bundle Discovery Protocol
+bdp 581/udp # Bundle Discovery Protocol
+keyserver 584/tcp # Key Server
+keyserver 584/udp # Key Server
+submission 587/tcp # Submission
+submission 587/udp # Submission
+cal 588/tcp # CAL
+cal 588/udp # CAL
+eyelink 589/tcp # EyeLink
+eyelink 589/udp # EyeLink
+tpip 594/tcp # TPIP
+tpip 594/udp # TPIP
+smsd 596/tcp # SMSD
+smsd 596/udp # SMSD
+ptcnameservice 597/tcp # PTC Name Service
+ptcnameservice 597/udp # PTC Name Service
+acp 599/tcp # Aeolon Core Protocol
+acp 599/udp # Aeolon Core Protocol
+ipcserver 600/tcp # Sun IPC server
+ipcserver 600/udp # Sun IPC server
+urm 606/tcp # Cray Unified Resource Manager
+urm 606/udp # Cray Unified Resource Manager
+nqs 607/tcp # nqs
+nqs 607/udp # nqs
+sshell 614/tcp # SSLshell
+sshell 614/udp # SSLshell
+collaborator 622/tcp # Collaborator
+collaborator 622/udp # Collaborator
+cryptoadmin 624/tcp # Crypto Admin
+cryptoadmin 624/udp # Crypto Admin
+asia 626/tcp # ASIA
+asia 626/udp # ASIA
+qmqp 628/tcp # QMQP
+qmqp 628/udp # QMQP
+rda 630/tcp # RDA
+rda 630/udp # RDA
+ipp 631/tcp # IPP (Internet Printing Protocol)
+ipp 631/udp # IPP (Internet Printing Protocol)
+bmpp 632/tcp # bmpp
+bmpp 632/udp # bmpp
+servstat 633/tcp # Service Status update (Sterling Software)
+servstat 633/udp # Service Status update (Sterling Software)
+ginad 634/tcp # ginad
+ginad 634/udp # ginad
+rlzdbase 635/tcp # RLZ DBase
+rlzdbase 635/udp # RLZ DBase
+ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
+ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
+lanserver 637/tcp # lanserver
+lanserver 637/udp # lanserver
+msdp 639/tcp # MSDP
+msdp 639/udp # MSDP
+repcmd 641/tcp # repcmd
+repcmd 641/udp # repcmd
+sanity 643/tcp # SANity
+sanity 643/udp # SANity
+dwr 644/tcp # dwr
+dwr 644/udp # dwr
+pssc 645/tcp # PSSC
+pssc 645/udp # PSSC
+ldp 646/tcp # LDP
+ldp 646/udp # LDP
+rrp 648/tcp # Registry Registrar Protocol (RRP)
+rrp 648/udp # Registry Registrar Protocol (RRP)
+aminet 649/tcp # Aminet
+aminet 649/udp # Aminet
+obex 650/tcp # OBEX
+obex 650/udp # OBEX
+repscmd 653/tcp # RepCmd
+repscmd 653/udp # RepCmd
+aodv 654/tcp # AODV
+aodv 654/udp # AODV
+tinc 655/tcp # TINC
+tinc 655/udp # TINC
+spmp 656/tcp # SPMP
+spmp 656/udp # SPMP
+mdqs 666/tcp
+mdqs 666/udp
+doom 666/tcp # doom Id Software
+doom 666/udp # doom Id Software
+disclose 667/tcp # campaign contribution disclosures - SDR Technologies
+disclose 667/udp # campaign contribution disclosures - SDR Technologies
+mecomm 668/tcp # MeComm
+mecomm 668/udp # MeComm
+meregister 669/tcp # MeRegister
+meregister 669/udp # MeRegister
+cimplex 673/tcp # CIMPLEX
+cimplex 673/udp # CIMPLEX
+acap 674/tcp # ACAP
+acap 674/udp # ACAP
+dctp 675/tcp # DCTP
+dctp 675/udp # DCTP
+vpp 677/tcp # Virtual Presence Protocol
+vpp 677/udp # Virtual Presence Protocol
+mrm 679/tcp # MRM
+mrm 679/udp # MRM
+xfr 682/tcp # XFR
+xfr 682/udp # XFR
+asipregistry 687/tcp # asipregistry
+asipregistry 687/udp # asipregistry
+elcsd 704/tcp # errlog copy/server daemon
+elcsd 704/udp # errlog copy/server daemon
+agentx 705/tcp # AgentX
+agentx 705/udp # AgentX
+netviewdm1 729/tcp # IBM NetView DM/6000 Server/Client
+netviewdm1 729/udp # IBM NetView DM/6000 Server/Client
+netviewdm2 730/tcp # IBM NetView DM/6000 send/tcp
+netviewdm2 730/udp # IBM NetView DM/6000 send/tcp
+netviewdm3 731/tcp # IBM NetView DM/6000 receive/tcp
+netviewdm3 731/udp # IBM NetView DM/6000 receive/tcp
+netgw 741/tcp # netGW
+netgw 741/udp # netGW
+netrcs 742/tcp # Network based Rev. Cont. Sys.
+netrcs 742/udp # Network based Rev. Cont. Sys.
+flexlm 744/tcp # Flexible License Manager
+flexlm 744/udp # Flexible License Manager
+rfile 750/tcp
+loadav 750/udp
+pump 751/tcp
+pump 751/udp
+qrh 752/tcp
+qrh 752/udp
+rrh 753/tcp
+rrh 753/udp
+tell 754/tcp send
+tell 754/udp send
+nlogin 758/tcp
+nlogin 758/udp
+con 759/tcp
+con 759/udp
+ns 760/tcp
+ns 760/udp
+rxe 761/tcp
+rxe 761/udp
+quotad 762/tcp
+quotad 762/udp
+cycleserv 763/tcp
+cycleserv 763/udp
+omserv 764/tcp
+omserv 764/udp
+webster 765/tcp
+webster 765/udp
+phonebook 767/tcp phone
+phonebook 767/udp phone
+vid 769/tcp
+vid 769/udp
+cadlock 770/tcp
+cadlock 770/udp
+rtip 771/tcp
+rtip 771/udp
+cycleserv2 772/tcp
+cycleserv2 772/udp
+submit 773/tcp
+notify 773/udp
+rpasswd 774/tcp
+entomb 775/tcp
 wpages 776/tcp
-wpages 776/udp
+wpages 776/udp
 wpgs 780/tcp
 wpgs 780/udp
-concert 786/tcp # Concert
-concert 786/udp # Concert
-mdbs_daemon 800/tcp
-mdbs_daemon 800/udp
+concert 786/tcp # Concert
+concert 786/udp # Concert
+qsc 787/tcp # QSC
+qsc 787/udp # QSC
 device 801/tcp
 device 801/udp
-xtreelic 996/tcp # Central Point Software
-xtreelic 996/udp # Central Point Software
+rsync 873/tcp # rsync
+rsync 873/udp # rsync
+accessbuilder 888/tcp # AccessBuilder
+accessbuilder 888/udp # AccessBuilder
+cddbp 888/tcp # CD Database Protocol
+omginitialrefs 900/tcp # OMG Initial Refs
+omginitialrefs 900/udp # OMG Initial Refs
+ftps 990/tcp # ftp protocol, control, over TLS/SSL
+ftps 990/udp # ftp protocol, control, over TLS/SSL
+nas 991/tcp # Netnews Administration System
+nas 991/udp # Netnews Administration System
+telnets 992/tcp # telnet protocol over TLS/SSL
+telnets 992/udp # telnet protocol over TLS/SSL
+imaps 993/tcp # imap4 protocol over TLS/SSL
+imaps 993/udp # imap4 protocol over TLS/SSL
+ircs 994/tcp # irc protocol over TLS/SSL
+ircs 994/udp # irc protocol over TLS/SSL
+pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3)
+pop3s 995/udp # pop3 protocol over TLS/SSL (was spop3)
+vsinet 996/tcp # vsinet
+vsinet 996/udp # vsinet
 maitrd 997/tcp
 maitrd 997/udp
 busboy 998/tcp
 puparp 998/udp
 garcon 999/tcp
-applix 999/udp # Applix ac
+applix 999/udp # Applix ac
 puprouter 999/tcp
 puprouter 999/udp
 cadlock 1000/tcp
 ock 1000/udp
+surf 1010/tcp # surf
+surf 1010/udp # surf
+blackjack 1025/tcp # network blackjack
+blackjack 1025/udp # network blackjack
+iad1 1030/tcp # BBN IAD
+iad1 1030/udp # BBN IAD
+iad2 1031/tcp # BBN IAD
+iad2 1031/udp # BBN IAD
+iad3 1032/tcp # BBN IAD
+iad3 1032/udp # BBN IAD
+neod1 1047/tcp # Sun's NEO Object Request Broker
+neod1 1047/udp # Sun's NEO Object Request Broker
+neod2 1048/tcp # Sun's NEO Object Request Broker
+neod2 1048/udp # Sun's NEO Object Request Broker
+nim 1058/tcp # nim
+nim 1058/udp # nim
+nimreg 1059/tcp # nimreg
+nimreg 1059/udp # nimreg
+socks 1080/tcp # Socks
+socks 1080/udp # Socks
+sunclustermgr 1097/tcp # Sun Cluster Manager
+sunclustermgr 1097/udp # Sun Cluster Manager
+rmiactivation 1098/tcp # RMI Activation
+rmiactivation 1098/udp # RMI Activation
+rmiregistry 1099/tcp # RMI Registry
+rmiregistry 1099/udp # RMI Registry
+lmsocialserver 1111/tcp # LM Social Server
+lmsocialserver 1111/udp # LM Social Server
+murray 1123/tcp # Murray
+murray 1123/udp # Murray
+nfa 1155/tcp # Network File Access
+nfa 1155/udp # Network File Access
+caiccipc 1202/tcp # caiccipc
+caiccipc 1202/udp # caiccipc
+lupa 1212/tcp # lupa
+lupa 1212/udp # lupa
+nerv 1222/tcp # SNI R&D network
+nerv 1222/udp # SNI R&D network
+nmsd 1239/tcp # NMSD
+nmsd 1239/udp # NMSD
+hermes 1248/tcp
+hermes 1248/udp
+h323hostcallsc 1300/tcp # H323 Host Call Secure
+h323hostcallsc 1300/udp # H323 Host Call Secure
+husky 1310/tcp # Husky
+husky 1310/udp # Husky
+rxmon 1311/tcp # RxMon
+rxmon 1311/udp # RxMon
+pdps 1314/tcp # Photoscript Distributed Printing System
+pdps 1314/udp # Photoscript Distributed Printing System
+pip 1321/tcp # PIP
+pip 1321/udp # PIP
+vpjp 1345/tcp # VPJP
+vpjp 1345/udp # VPJP
+sbook 1349/tcp # Registration Network Protocol
+sbook 1349/udp # Registration Network Protocol
+editbench 1350/tcp # Registration Network Protocol
+editbench 1350/udp # Registration Network Protocol
+equationbuilder 1351/tcp # Digital Tool Works (MIT)
+equationbuilder 1351/udp # Digital Tool Works (MIT)
+lotusnote 1352/tcp # Lotus Note
+lotusnote 1352/udp # Lotus Note
+relief 1353/tcp # Relief Consulting
+relief 1353/udp # Relief Consulting
+rightbrain 1354/tcp # RightBrain Software
+rightbrain 1354/udp # RightBrain Software
+cuillamartin 1356/tcp # CuillaMartin Company
+cuillamartin 1356/udp # CuillaMartin Company
+pegboard 1357/tcp # Electronic PegBoard
+pegboard 1357/udp # Electronic PegBoard
+connlcli 1358/tcp # CONNLCLI
+connlcli 1358/udp # CONNLCLI
+ftsrv 1359/tcp # FTSRV
+ftsrv 1359/udp # FTSRV
+mimer 1360/tcp # MIMER
+mimer 1360/udp # MIMER
+linx 1361/tcp # LinX
+linx 1361/udp # LinX
+timeflies 1362/tcp # TimeFlies
+timeflies 1362/udp # TimeFlies
+dcs 1367/tcp # DCS
+dcs 1367/udp # DCS
+screencast 1368/tcp # ScreenCast
+screencast 1368/udp # ScreenCast
+chromagrafx 1373/tcp # Chromagrafx
+chromagrafx 1373/udp # Chromagrafx
+molly 1374/tcp # EPI Software Systems
+molly 1374/udp # EPI Software Systems
+bytex 1375/tcp # Bytex
+bytex 1375/udp # Bytex
+cichlid 1377/tcp # Cichlid License Manager
+cichlid 1377/udp # Cichlid License Manager
+elan 1378/tcp # Elan License Manager
+elan 1378/udp # Elan License Manager
+dbreporter 1379/tcp # Integrity Solutions
+dbreporter 1379/udp # Integrity Solutions
+gwha 1383/tcp # GW Hannaway Network License Manager
+gwha 1383/udp # GW Hannaway Network License Manager
+checksum 1386/tcp # CheckSum License Manager
+checksum 1386/udp # CheckSum License Manager
+hiq 1410/tcp # HiQ License Manager
+hiq 1410/udp # HiQ License Manager
+af 1411/tcp # AudioFile
+af 1411/udp # AudioFile
+innosys 1412/tcp # InnoSys
+innosys 1412/udp # InnoSys
+dbstar 1415/tcp # DBStar
+dbstar 1415/udp # DBStar
+essbase 1423/tcp # Essbase Arbor Software
+essbase 1423/udp # Essbase Arbor Software
+hybrid 1424/tcp # Hybrid Encryption Protocol
+hybrid 1424/udp # Hybrid Encryption Protocol
+sais 1426/tcp # Satellite-data Acquisition System 1
+sais 1426/udp # Satellite-data Acquisition System 1
+mloadd 1427/tcp # mloadd monitoring tool
+mloadd 1427/udp # mloadd monitoring tool
+nms 1429/tcp # Hypercom NMS
+nms 1429/udp # Hypercom NMS
+tpdu 1430/tcp # Hypercom TPDU
+tpdu 1430/udp # Hypercom TPDU
+rgtp 1431/tcp # Reverse Gossip Transport
+rgtp 1431/udp # Reverse Gossip Transport
+saism 1436/tcp # Satellite-data Acquisition System 2
+saism 1436/udp # Satellite-data Acquisition System 2
+tabula 1437/tcp # Tabula
+tabula 1437/udp # Tabula
+peport 1449/tcp # PEport
+peport 1449/udp # PEport
+dwf 1450/tcp # Tandem Distributed Workbench Facility
+dwf 1450/udp # Tandem Distributed Workbench Facility
+infoman 1451/tcp # IBM Information Management
+infoman 1451/udp # IBM Information Management
+dca 1456/tcp # DCA
+dca 1456/udp # DCA
+proshare1 1459/tcp # Proshare Notebook Application
+proshare1 1459/udp # Proshare Notebook Application
+proshare2 1460/tcp # Proshare Notebook Application
+proshare2 1460/udp # Proshare Notebook Application
+nucleus 1463/tcp # Nucleus
+nucleus 1463/udp # Nucleus
+pipes 1465/tcp # Pipes Platform
+pipes 1465/udp # Pipes Platform mfarlin@peerlogic.com
+csdmbase 1467/tcp # CSDMBASE
+csdmbase 1467/udp # CSDMBASE
+csdm 1468/tcp # CSDM
+csdm 1468/udp # CSDM
+uaiact 1470/tcp # Universal Analytics
+uaiact 1470/udp # Universal Analytics
+csdmbase 1471/tcp # csdmbase
+csdmbase 1471/udp # csdmbase
+csdm 1472/tcp # csdm
+csdm 1472/udp # csdm
+openmath 1473/tcp # OpenMath
+openmath 1473/udp # OpenMath
+telefinder 1474/tcp # Telefinder
+telefinder 1474/udp # Telefinder
+dberegister 1479/tcp # dberegister
+dberegister 1479/udp # dberegister
+pacerforum 1480/tcp # PacerForum
+pacerforum 1480/udp # PacerForum
+airs 1481/tcp # AIRS
+airs 1481/udp # AIRS
+afs 1483/tcp # AFS License Manager
+afs 1483/udp # AFS License Manager
+confluent 1484/tcp # Confluent License Manager
+confluent 1484/udp # Confluent License Manager
+lansource 1485/tcp # LANSource
+lansource 1485/udp # LANSource
+localinfosrvr 1487/tcp # LocalInfoSrvr
+localinfosrvr 1487/udp # LocalInfoSrvr
+docstor 1488/tcp # DocStor
+docstor 1488/udp # DocStor
+dmdocbroker 1489/tcp # dmdocbroker
+dmdocbroker 1489/udp # dmdocbroker
+anynetgateway 1491/tcp # anynetgateway
+anynetgateway 1491/udp # anynetgateway
+ica 1494/tcp # ica
+ica 1494/udp # ica
+cvc 1495/tcp # cvc
+cvc 1495/udp # cvc
+fhc 1499/tcp # Federico Heinz Consultora
+fhc 1499/udp # Federico Heinz Consultora
+saiscm 1501/tcp # Satellite-data Acquisition System 3
+saiscm 1501/udp # Satellite-data Acquisition System 3
+shivadiscovery 1502/tcp # Shiva
+shivadiscovery 1502/udp # Shiva
+funkproxy 1505/tcp # Funk Software, Inc.
+funkproxy 1505/udp # Funk Software, Inc.
+utcd 1506/tcp # Universal Time daemon (utcd)
+utcd 1506/udp # Universal Time daemon (utcd)
+symplex 1507/tcp # symplex
+symplex 1507/udp # symplex
+diagmond 1508/tcp # diagmond
+diagmond 1508/udp # diagmond
+wins 1512/tcp # Microsoft's Windows Internet Name Service
+wins 1512/udp # Microsoft's Windows Internet Name Service
+vpad 1516/tcp # Virtual Places Audio data
+vpad 1516/udp # Virtual Places Audio data
+vpac 1517/tcp # Virtual Places Audio control
+vpac 1517/udp # Virtual Places Audio control
+vpvd 1518/tcp # Virtual Places Video data
+vpvd 1518/udp # Virtual Places Video data
+vpvc 1519/tcp # Virtual Places Video control
+vpvc 1519/udp # Virtual Places Video control
+ingreslock 1524/tcp # ingres
+ingreslock 1524/udp # ingres
+orasrv 1525/tcp # oracle
+orasrv 1525/udp # oracle
+tlisrv 1527/tcp # oracle
+tlisrv 1527/udp # oracle
+mciautoreg 1528/tcp # micautoreg
+mciautoreg 1528/udp # micautoreg
+coauthor 1529/tcp # oracle
+coauthor 1529/udp # oracle
+miroconnect 1532/tcp # miroconnect
+miroconnect 1532/udp # miroconnect
+rds 1540/tcp # rds
+rds 1540/udp # rds
+rds2 1541/tcp # rds2
+rds2 1541/udp # rds2
+aspeclmd 1544/tcp # aspeclmd
+aspeclmd 1544/udp # aspeclmd
+abbaccuray 1546/tcp # abbaccuray
+abbaccuray 1546/udp # abbaccuray +laplink 1547/tcp # laplink +laplink 1547/udp # laplink +shivahose 1549/tcp # Shiva Hose +shivasound 1549/udp # Shiva Sound +pciarray 1552/tcp # pciarray +pciarray 1552/udp # pciarray +livelan 1555/tcp # livelan +livelan 1555/udp # livelan +ashwin 1556/tcp # AshWin CI Tecnologies +ashwin 1556/udp # AshWin CI Tecnologies +xingmpeg 1558/tcp # xingmpeg +xingmpeg 1558/udp # xingmpeg +web2host 1559/tcp # web2host +web2host 1559/udp # web2host +facilityview 1561/tcp # facilityview +facilityview 1561/udp # facilityview +pconnectmgr 1562/tcp # pconnectmgr +pconnectmgr 1562/udp # pconnectmgr +winddlb 1565/tcp # WinDD +winddlb 1565/udp # WinDD +corelvideo 1566/tcp # CORELVIDEO +corelvideo 1566/udp # CORELVIDEO +jlicelmd 1567/tcp # jlicelmd +jlicelmd 1567/udp # jlicelmd +tsspmap 1568/tcp # tsspmap +tsspmap 1568/udp # tsspmap +ets 1569/tcp # ets +ets 1569/udp # ets +orbixd 1570/tcp # orbixd +orbixd 1570/udp # orbixd +oraclenames 1575/tcp # oraclenames +oraclenames 1575/udp # oraclenames +msims 1582/tcp # MSIMS +msims 1582/udp # MSIMS +simbaexpress 1583/tcp # simbaexpress +simbaexpress 1583/udp # simbaexpress +intv 1585/tcp # intv +intv 1585/udp # intv +vqp 1589/tcp # VQP +vqp 1589/udp # VQP +commonspace 1592/tcp # commonspace +commonspace 1592/udp # commonspace +sixtrak 1594/tcp # sixtrak +sixtrak 1594/udp # sixtrak +radio 1595/tcp # radio +radio 1595/udp # radio +picknfs 1598/tcp # picknfs +picknfs 1598/udp # picknfs +simbaservices 1599/tcp # simbaservices +simbaservices 1599/udp # simbaservices +issd 1600/tcp +issd 1600/udp +aas 1601/tcp # aas +aas 1601/udp # aas +inspect 1602/tcp # inspect +inspect 1602/udp # inspect +picodbc 1603/tcp # pickodbc +picodbc 1603/udp # pickodbc +icabrowser 1604/tcp # icabrowser +icabrowser 1604/udp # icabrowser +slp 1605/tcp # Salutation Manager (Salutation Protocol) +slp 1605/udp # Salutation Manager (Salutation Protocol) +stt 1607/tcp # stt +stt 1607/udp # stt +ill 1611/tcp # Inter Library Loan +ill 1611/udp 
# Inter Library Loan +skytelnet 1618/tcp # skytelnet +skytelnet 1618/udp # skytelnet +faxportwinport 1620/tcp # faxportwinport +faxportwinport 1620/udp # faxportwinport +softdataphone 1621/tcp # softdataphone +softdataphone 1621/udp # softdataphone +ontime 1622/tcp # ontime +ontime 1622/udp # ontime +jaleosnd 1623/tcp # jaleosnd +jaleosnd 1623/udp # jaleosnd +shockwave 1626/tcp # Shockwave +shockwave 1626/udp # Shockwave +oraclenet8cman 1630/tcp # Oracle Net8 Cman +oraclenet8cman 1630/udp # Oracle Net8 Cman +visitview 1631/tcp # Visit view +visitview 1631/udp # Visit view +pammratc 1632/tcp # PAMMRATC +pammratc 1632/udp # PAMMRATC +pammrpc 1633/tcp # PAMMRPC +pammrpc 1633/udp # PAMMRPC +loaprobe 1634/tcp # Log On America Probe +loaprobe 1634/udp # Log On America Probe +cncp 1636/tcp # CableNet Control Protocol +cncp 1636/udp # CableNet Control Protocol +cnap 1637/tcp # CableNet Admin Protocol +cnap 1637/udp # CableNet Admin Protocol +cnip 1638/tcp # CableNet Info Protocol +cnip 1638/udp # CableNet Info Protocol +invision 1641/tcp # InVision +invision 1641/udp # InVision +saiseh 1644/tcp # Satellite-data Acquisition System 4 +datametrics 1645/tcp # datametrics +datametrics 1645/udp # datametrics +rsap 1647/tcp # rsap +rsap 1647/udp # rsap +kermit 1649/tcp # kermit +kermit 1649/udp # kermit +nkd 1650/tcp # nkd +nkd 1650/udp # nkd +xnmp 1652/tcp # xnmp +xnmp 1652/udp # xnmp +stargatealerts 1654/tcp # stargatealerts +stargatealerts 1654/udp # stargatealerts +sixnetudr 1658/tcp # sixnetudr +sixnetudr 1658/udp # sixnetudr +pdp 1675/tcp # Pacific Data Products +pdp 1675/udp # Pacific Data Products +netcomm1 1676/tcp # netcomm1 +netcomm2 1676/udp # netcomm2 +groupwise 1677/tcp # groupwise +groupwise 1677/udp # groupwise +prolink 1678/tcp # prolink +prolink 1678/udp # prolink +snaresecure 1684/tcp # SnareSecure +snaresecure 1684/udp # SnareSecure +n2nremote 1685/tcp # n2nremote +n2nremote 1685/udp # n2nremote +cvmon 1686/tcp # cvmon +cvmon 1686/udp # cvmon +firefox 1689/tcp 
# firefox +firefox 1689/udp # firefox +rrirtr 1693/tcp # rrirtr +rrirtr 1693/udp # rrirtr +rrimwm 1694/tcp # rrimwm +rrimwm 1694/udp # rrimwm +rrilwm 1695/tcp # rrilwm +rrilwm 1695/udp # rrilwm +rrifmm 1696/tcp # rrifmm +rrifmm 1696/udp # rrifmm +rrisat 1697/tcp # rrisat +rrisat 1697/udp # rrisat +l2f 1701/tcp # l2f +l2f 1701/udp # l2f +l2tp 1701/tcp # l2tp +l2tp 1701/udp # l2tp +deskshare 1702/tcp # deskshare +deskshare 1702/udp # deskshare +slingshot 1705/tcp # slingshot +slingshot 1705/udp # slingshot +jetform 1706/tcp # jetform +jetform 1706/udp # jetform +vdmplay 1707/tcp # vdmplay +vdmplay 1707/udp # vdmplay +centra 1709/tcp # centra +centra 1709/udp # centra +impera 1710/tcp # impera +impera 1710/udp # impera +pptconference 1711/tcp # pptconference +pptconference 1711/udp # pptconference +registrar 1712/tcp # resource monitoring service +registrar 1712/udp # resource monitoring service +conferencetalk 1713/tcp # ConferenceTalk +conferencetalk 1713/udp # ConferenceTalk +xmsg 1716/tcp # xmsg +xmsg 1716/udp # xmsg +h323gatedisc 1718/tcp # h323gatedisc +h323gatedisc 1718/udp # h323gatedisc +h323gatestat 1719/tcp # h323gatestat +h323gatestat 1719/udp # h323gatestat +h323hostcall 1720/tcp # h323hostcall +h323hostcall 1720/udp # h323hostcall +caicci 1721/tcp # caicci +caicci 1721/udp # caicci +pptp 1723/tcp # pptp +pptp 1723/udp # pptp +csbphonemaster 1724/tcp # csbphonemaster +csbphonemaster 1724/udp # csbphonemaster +iberiagames 1726/tcp # IBERIAGAMES +iberiagames 1726/udp # IBERIAGAMES +winddx 1727/tcp # winddx +winddx 1727/udp # winddx +telindus 1728/tcp # TELINDUS +telindus 1728/udp # TELINDUS +citynl 1729/tcp # CityNL License Management +citynl 1729/udp # CityNL License Management +roketz 1730/tcp # roketz +roketz 1730/udp # roketz +msiccp 1731/tcp # MSICCP +msiccp 1731/udp # MSICCP +proxim 1732/tcp # proxim +proxim 1732/udp # proxim +siipat 1733/tcp # SIMS - SIIPAT Protocol for Alarm Transmission +siipat 1733/udp # SIMS - SIIPAT Protocol for Alarm 
Transmission +privatechat 1735/tcp # PrivateChat +privatechat 1735/udp # PrivateChat +ultimad 1737/tcp # ultimad +ultimad 1737/udp # ultimad +gamegen1 1738/tcp # GameGen1 +gamegen1 1738/udp # GameGen1 +webaccess 1739/tcp # webaccess +webaccess 1739/udp # webaccess +encore 1740/tcp # encore +encore 1740/udp # encore +sslp 1750/tcp # Simple Socket Library's PortMaster +sslp 1750/udp # Simple Socket Library's PortMaster +swiftnet 1751/tcp # SwiftNet +swiftnet 1751/udp # SwiftNet +cnhrp 1757/tcp # cnhrp +cnhrp 1757/udp # cnhrp +vaultbase 1771/tcp # vaultbase +vaultbase 1771/udp # vaultbase +kmscontrol 1773/tcp # KMSControl +kmscontrol 1773/udp # KMSControl +femis 1776/tcp # Federal Emergency Management Information System +femis 1776/udp # Federal Emergency Management Information System +powerguardian 1777/tcp # powerguardian +powerguardian 1777/udp # powerguardian +pharmasoft 1779/tcp # pharmasoft +pharmasoft 1779/udp # pharmasoft +dpkeyserv 1780/tcp # dpkeyserv +dpkeyserv 1780/udp # dpkeyserv +fjris 1783/tcp # Fujitsu Remote Install Service +fjris 1783/udp # Fujitsu Remote Install Service +windlm 1785/tcp # Wind River Systems License Manager +windlm 1785/udp # Wind River Systems License Manager +psmond 1788/tcp # psmond +psmond 1788/udp # psmond +hello 1789/tcp # hello +hello 1789/udp # hello +nmsp 1790/tcp # Narrative Media Streaming Protocol +nmsp 1790/udp # Narrative Media Streaming Protocol +ea1 1791/tcp # EA1 +ea1 1791/udp # EA1 +uma 1797/tcp # UMA +uma 1797/udp # UMA +etp 1798/tcp # Event Transfer Protocol +etp 1798/udp # Event Transfer Protocol +netrisk 1799/tcp # NETRISK +netrisk 1799/udp # NETRISK +msmq 1801/tcp # Microsoft Message Que +msmq 1801/udp # Microsoft Message Que +concomp1 1802/tcp # ConComp1 +concomp1 1802/udp # ConComp1 +enl 1804/tcp # ENL +enl 1804/udp # ENL +musiconline 1806/tcp # Musiconline +musiconline 1806/udp # Musiconline +fhsp 1807/tcp # Fujitsu Hot Standby Protocol +fhsp 1807/udp # Fujitsu Hot Standby Protocol +radius 1812/tcp # RADIUS 
+radius 1812/udp # RADIUS
+mmpft 1815/tcp # MMPFT
+mmpft 1815/udp # MMPFT
+harp 1816/tcp # HARP
+harp 1816/udp # HARP
+etftp 1818/tcp # Enhanced Trivial File Transfer Protocol
+etftp 1818/udp # Enhanced Trivial File Transfer Protocol
+mcagent 1820/tcp # mcagent
+mcagent 1820/udp # mcagent
+donnyworld 1821/tcp # donnyworld
+donnyworld 1821/udp # donnyworld
+ardt 1826/tcp # ARDT
+ardt 1826/udp # ARDT
+asi 1827/tcp # ASI
+asi 1827/udp # ASI
+myrtle 1831/tcp # Myrtle
+myrtle 1831/udp # Myrtle
+udp # radio 1833/tcp # udp # radio
+udp # radio 1833/udp # udpradio
+ardusuni 1834/tcp # ARDUS Unicast
+ardusuni 1834/udp # ARDUS Unicast
+ardusmul 1835/tcp # ARDUS Multicast
+ardusmul 1835/udp # ARDUS Multicast
+csoft1 1837/tcp # csoft1
+csoft1 1837/udp # csoft1
+talnet 1838/tcp # TALNET
+talnet 1838/udp # TALNET
+gsi 1850/tcp # GSI
+gsi 1850/udp # GSI
+ctcd 1851/tcp # ctcd
+ctcd 1851/udp # ctcd
+msnp 1863/tcp # MSNP
+msnp 1863/udp # MSNP
+entp 1865/tcp # ENTP
+entp 1865/udp # ENTP
+canocentral0 1871/tcp # Cano Central 0
+canocentral0 1871/udp # Cano Central 0
+canocentral1 1872/tcp # Cano Central 1
+canocentral1 1872/udp # Cano Central 1
+fjmpjps 1873/tcp # Fjmpjps
+fjmpjps 1873/udp # Fjmpjps
+fjswapsnp 1874/tcp # Fjswapsnp
+fjswapsnp 1874/udp # Fjswapsnp
+mc2studios 1899/tcp # MC2Studios
+mc2studios 1899/udp # MC2Studios
+linkname 1903/tcp # Local Link Name Resolution
+linkname 1903/udp # Local Link Name Resolution
+sugp 1905/tcp # Secure UP.Link Gateway Protocol
+sugp 1905/udp # Secure UP.Link Gateway Protocol
+tpmd 1906/tcp # TPortMapperReq
+tpmd 1906/udp # TPortMapperReq
+intrastar 1907/tcp # IntraSTAR
+intrastar 1907/udp # IntraSTAR
+dawn 1908/tcp # Dawn
+dawn 1908/udp # Dawn
+ultrabac 1910/tcp # ultrabac
+ultrabac 1910/udp # ultrabac
+mtp 1911/tcp # Starlight Networks Multimedia Transport Protocol
+mtp 1911/udp # Starlight Networks Multimedia Transport Protocol
+armadp 1913/tcp # armadp
+armadp 1913/udp # armadp
+facelink 1915/tcp # FACELINK
+facelink 1915/udp # FACELINK
+persona 1916/tcp # Persoft Persona
+persona 1916/udp # Persoft Persona
+noagent 1917/tcp # nOAgent
+noagent 1917/udp # nOAgent
+noadmin 1921/tcp # NoAdmin
+noadmin 1921/udp # NoAdmin
+tapestry 1922/tcp # Tapestry
+tapestry 1922/udp # Tapestry
+spice 1923/tcp # SPICE
+spice 1923/udp # SPICE
+xiip 1924/tcp # XIIP
+xiip 1924/udp # XIIP
+tekpls 1946/tcp # tekpls
+tekpls 1946/udp # tekpls
+hlserver 1947/tcp # hlserver
+hlserver 1947/udp # hlserver
+eye2eye 1948/tcp # eye2eye
+eye2eye 1948/udp # eye2eye
+ismaeasdaqlive 1949/tcp # ISMA Easdaq Live
+ismaeasdaqlive 1949/udp # ISMA Easdaq Live
+ismaeasdaqtest 1950/tcp # ISMA Easdaq Test
+ismaeasdaqtest 1950/udp # ISMA Easdaq Test
+mpnjsc 1952/tcp # mpnjsc
+mpnjsc 1952/udp # mpnjsc
+rapidbase 1953/tcp # Rapid Base
+rapidbase 1953/udp # Rapid Base
+dlsrap 1973/tcp # Data Link Switching Remote Access Protocol
+dlsrap 1973/udp # Data Link Switching Remote Access Protocol
+bb 1984/tcp # BB
+bb 1984/udp # BB
+hsrp 1985/tcp # Hot Standby Router Protocol
+hsrp 1985/udp # Hot Standby Router Protocol
+licensedaemon 1986/tcp # cisco license management
+licensedaemon 1986/udp # cisco license management
+mshnet 1989/tcp # MHSnet system
+mshnet 1989/udp # MHSnet system
+ipsendmsg 1992/tcp # IPsendmsg
+ipsendmsg 1992/udp # IPsendmsg
+callbook 2000/tcp
+callbook 2000/udp
+dc 2001/tcp
+wizard 2001/udp # curry
+globe 2002/tcp
+globe 2002/udp
+mailbox 2004/tcp
+emce 2004/udp # CCWS mm conf
+berknet 2005/tcp
+oracle 2005/udp
+invokator 2006/tcp
+dectalk 2007/tcp
+conf 2008/tcp
+terminaldb 2008/udp
+news 2009/tcp
+whosockami 2009/udp
+search 2010/tcp
+servserv 2011/udp
+ttyinfo 2012/tcp
+troff 2014/tcp
+cypress 2015/tcp
+bootserver 2016/tcp
+bootserver 2016/udp
+bootclient 2017/udp
+terminaldb 2018/tcp
+rellpack 2018/udp
+whosockami 2019/tcp
+about 2019/udp
+xinupageserver 2020/tcp
+xinupageserver 2020/udp
+servexec 2021/tcp
+xinuexpansion1 2021/udp
+down 2022/tcp
+xinuexpansion2 2022/udp
+xinuexpansion3 2023/tcp
+xinuexpansion3 2023/udp
+xinuexpansion4 2024/tcp
+xinuexpansion4 2024/udp
+ellpack 2025/tcp
+xribs 2025/udp
+scrabble 2026/tcp
+scrabble 2026/udp
+shadowserver 2027/tcp
+shadowserver 2027/udp
+submitserver 2028/tcp
+submitserver 2028/udp
+device2 2030/tcp
+device2 2030/udp
+blackboard 2032/tcp
+blackboard 2032/udp
+glogger 2033/tcp
+glogger 2033/udp
+scoremgr 2034/tcp
+scoremgr 2034/udp
+imsldoc 2035/tcp
+imsldoc 2035/udp
+objectmanager 2038/tcp
+objectmanager 2038/udp
+lam 2040/tcp
+lam 2040/udp
+interbase 2041/tcp
+interbase 2041/udp
+isis 2042/tcp # isis
+isis 2042/udp # isis
+rimsl 2044/tcp
+rimsl 2044/udp
+cdfunc 2045/tcp
+cdfunc 2045/udp
+sdfunc 2046/tcp
+sdfunc 2046/udp
+dls 2047/tcp
+dls 2047/udp
+shilp 2049/tcp
+shilp 2049/udp
+nfs 2049/tcp # Network File System - Sun Microsystems
+nfs 2049/udp # Network File System - Sun Microsystems
+dlsrpn 2065/tcp # Data Link Switch Read Port Number
+dlsrpn 2065/udp # Data Link Switch Read Port Number
+dlswpn 2067/tcp # Data Link Switch Write Port Number
+dlswpn 2067/udp # Data Link Switch Write Port Number
+lrp 2090/tcp # Load Report Protocol
+lrp 2090/udp # Load Report Protocol
+prp 2091/tcp # PRP
+prp 2091/udp # PRP
+descent3 2092/tcp # Descent 3
+descent3 2092/udp # Descent 3
+jetformpreview 2097/tcp # Jet Form Preview
+jetformpreview 2097/udp # Jet Form Preview
+amiganetfs 2100/tcp # amiganetfs
+amiganetfs 2100/udp # amiganetfs
+minipay 2105/tcp # MiniPay
+minipay 2105/udp # MiniPay
+mzap 2106/tcp # MZAP
+mzap 2106/udp # MZAP
+comcam 2108/tcp # Comcam
+comcam 2108/udp # Comcam
+ergolight 2109/tcp # Ergolight
+ergolight 2109/udp # Ergolight
+ici 2200/tcp # ICI
+ici 2200/udp # ICI
+ats 2201/tcp # Advanced Training System Program
+ats 2201/udp # Advanced Training System Program
+kali 2213/tcp # Kali
+kali 2213/udp # Kali
+ganymede 2220/tcp # Ganymede
+ganymede 2220/udp # Ganymede
+infocrypt 2233/tcp # INFOCRYPT
+infocrypt 2233/udp # INFOCRYPT
+directplay 2234/tcp # DirectPlay
+directplay 2234/udp # DirectPlay
+nani 2236/tcp # Nani
+nani 
2236/udp # Nani
+imagequery 2239/tcp # Image Query
+imagequery 2239/udp # Image Query
+recipe 2240/tcp # RECIPe
+recipe 2240/udp # RECIPe
+ivsd 2241/tcp # IVS Daemon
+ivsd 2241/udp # IVS Daemon
+foliocorp 2242/tcp # Folio Remote Server
+foliocorp 2242/udp # Folio Remote Server
+magicom 2243/tcp # Magicom Protocol
+magicom 2243/udp # Magicom Protocol
+nmsserver 2244/tcp # NMS Server
+nmsserver 2244/udp # NMS Server
+hao 2245/tcp # HaO
+hao 2245/udp # HaO
+xmquery 2279/tcp # xmquery
+xmquery 2279/udp # xmquery
+lnvpoller 2280/tcp # LNVPOLLER
+lnvpoller 2280/udp # LNVPOLLER
+lnvconsole 2281/tcp # LNVCONSOLE
+lnvconsole 2281/udp # LNVCONSOLE
+lnvalarm 2282/tcp # LNVALARM
+lnvalarm 2282/udp # LNVALARM
+lnvstatus 2283/tcp # LNVSTATUS
+lnvstatus 2283/udp # LNVSTATUS
+lnvmaps 2284/tcp # LNVMAPS
+lnvmaps 2284/udp # LNVMAPS
+lnvmailmon 2285/tcp # LNVMAILMON
+lnvmailmon 2285/udp # LNVMAILMON
+dna 2287/tcp # DNA
+dna 2287/udp # DNA
+netml 2288/tcp # NETML
+netml 2288/udp # NETML
+cvmmon 2300/tcp # CVMMON
+cvmmon 2300/udp # CVMMON
+binderysupport 2302/tcp # Bindery Support
+binderysupport 2302/udp # Bindery Support
+pehelp 2307/tcp # pehelp
+pehelp 2307/udp # pehelp
+sdhelp 2308/tcp # sdhelp
+sdhelp 2308/udp # sdhelp
+sdserver 2309/tcp # SD Server
+sdserver 2309/udp # SD Server
+sdclient 2310/tcp # SD Client
+sdclient 2310/udp # SD Client
+messageservice 2311/tcp # Message Service
+messageservice 2311/udp # Message Service
+iapp 2313/tcp # IAPP (Inter Access Point Protocol)
+iapp 2313/udp # IAPP (Inter Access Point Protocol)
+cadencecontrol 2318/tcp # Cadence Control
+cadencecontrol 2318/udp # Cadence Control
+infolibria 2319/tcp # InfoLibria
+infolibria 2319/udp # InfoLibria
+rdlap 2321/tcp # RDLAP over UDP
+rdlap 2321/udp # RDLAP
+ofsd 2322/tcp # ofsd
+ofsd 2322/udp # ofsd
+cosmocall 2324/tcp # Cosmocall
+cosmocall 2324/udp # Cosmocall
+idcp 2326/tcp # IDCP
+idcp 2326/udp # IDCP
+xingcsm 2327/tcp # xingcsm
+xingcsm 2327/udp # xingcsm
+nvd 2329/tcp # NVD
+nvd 2329/udp # NVD
+tscchat 2330/tcp # TSCCHAT
+tscchat 2330/udp # TSCCHAT
+agentview 2331/tcp # AGENTVIEW
+agentview 2331/udp # AGENTVIEW
+snapp 2333/tcp # SNAPP
+snapp 2333/udp # SNAPP
+appleugcontrol 2336/tcp # Apple UG Control
+appleugcontrol 2336/udp # Apple UG Control
+ideesrv 2337/tcp # ideesrv
+ideesrv 2337/udp # ideesrv
+xiostatus 2341/tcp # XIO Status
+xiostatus 2341/udp # XIO Status
+fcmsys 2344/tcp # fcmsys
+fcmsys 2344/udp # fcmsys
+dbm 2345/tcp # dbm
+dbm 2345/udp # dbm
+psbserver 2350/tcp # psbserver
+psbserver 2350/udp # psbserver
+psrserver 2351/tcp # psrserver
+psrserver 2351/udp # psrserver
+pslserver 2352/tcp # pslserver
+pslserver 2352/udp # pslserver
+pspserver 2353/tcp # pspserver
+pspserver 2353/udp # pspserver
+psprserver 2354/tcp # psprserver
+psprserver 2354/udp # psprserver
+psdbserver 2355/tcp # psdbserver
+psdbserver 2355/udp # psdbserver
+gxtelmd 2356/tcp # GXT License Managemant
+gxtelmd 2356/udp # GXT License Managemant
+futrix 2358/tcp # Futrix
+futrix 2358/udp # Futrix
+flukeserver 2359/tcp # FlukeServer
+flukeserver 2359/udp # FlukeServer
+nexstorindltd 2360/tcp # NexstorIndLtd
+nexstorindltd 2360/udp # NexstorIndLtd
+tl1 2361/tcp # TL1
+tl1 2361/udp # TL1
+ovsessionmgr 2389/tcp # OpenView Session Mgr
+ovsessionmgr 2389/udp # OpenView Session Mgr
+rsmtp 2390/tcp # RSMTP
+rsmtp 2390/udp # RSMTP
+tacticalauth 2392/tcp # Tactical Auth
+tacticalauth 2392/udp # Tactical Auth
+wusage 2396/tcp # Wusage
+wusage 2396/udp # Wusage
+ncl 2397/tcp # NCL
+ncl 2397/udp # NCL
+orbiter 2398/tcp # Orbiter
+orbiter 2398/udp # Orbiter
+cvspserver 2401/tcp # cvspserver
+cvspserver 2401/udp # cvspserver
+taskmaster2000 2402/tcp # TaskMaster 2000 Server
+taskmaster2000 2402/udp # TaskMaster 2000 Server
+taskmaster2000 2403/tcp # TaskMaster 2000 Web
+taskmaster2000 2403/udp # TaskMaster 2000 Web
+jediserver 2406/tcp # JediServer
+jediserver 2406/udp # JediServer
+orion 2407/tcp # Orion
+orion 2407/udp # Orion
+optimanet 2408/tcp # OptimaNet
+optimanet 2408/udp # OptimaNet
+cdn 2412/tcp # CDN
+cdn 2412/udp # CDN
+interlingua 2414/tcp # Interlingua
+interlingua 2414/udp # Interlingua
+comtest 2415/tcp # COMTEST
+comtest 2415/udp # COMTEST
+rmtserver 2416/tcp # RMT Server
+rmtserver 2416/udp # RMT Server
+cas 2418/tcp # cas
+cas 2418/udp # cas
+crmsbits 2422/tcp # CRMSBITS
+crmsbits 2422/udp # CRMSBITS
+rnrp 2423/tcp # RNRP
+rnrp 2423/udp # RNRP
+fjitsuappmgr 2425/tcp # Fujitsu App Manager
+fjitsuappmgr 2425/udp # Fujitsu App Manager
+applianttcp 2426/tcp # Appliant TCP
+appliantudp 2426/udp # Appliant UDP
+stgcp 2427/tcp # Simple telephony Gateway Control Protocol
+stgcp 2427/udp # Simple telephony Gateway Control Protocol
+ott 2428/tcp # One Way Trip Time
+ott 2428/udp # One Way Trip Time
+venus 2430/tcp # venus
+venus 2430/udp # venus
+codasrv 2432/tcp # codasrv
+codasrv 2432/udp # codasrv
+optilogic 2435/tcp # OptiLogic
+optilogic 2435/udp # OptiLogic
+topx 2436/tcp # TOP/X
+topx 2436/udp # TOP/X
+unicontrol 2437/tcp # UniControl
+unicontrol 2437/udp # UniControl
+msp 2438/tcp # MSP
+msp 2438/udp # MSP
+sybasedbsynch 2439/tcp # SybaseDBSynch
+sybasedbsynch 2439/udp # SybaseDBSynch
+spearway 2440/tcp # Spearway Lockers
+spearway 2440/udp # Spearway Lockser
+netangel 2442/tcp # Netangel
+netangel 2442/udp # Netangel
+powerclientcsf 2443/tcp # PowerClient Central Storage Facility
+powerclientcsf 2443/udp # PowerClient Central Storage Facility
+btpp2sectrans 2444/tcp # BT PP2 Sectrans
+btpp2sectrans 2444/udp # BT PP2 Sectrans
+dtn1 2445/tcp # DTN1
+dtn1 2445/udp # DTN1
+ovwdb 2447/tcp # OpenView NNM daemon
+ovwdb 2447/udp # OpenView NNM daemon
+hpppssvr 2448/tcp # hpppsvr
+hpppssvr 2448/udp # hpppsvr
+ratl 2449/tcp # RATL
+ratl 2449/udp # RATL
+netadmin 2450/tcp # netadmin
+netadmin 2450/udp # netadmin
+netchat 2451/tcp # netchat
+netchat 2451/udp # netchat
+snifferclient 2452/tcp # SnifferClient
+snifferclient 2452/udp # SnifferClient
+griffin 2458/tcp # griffin
+griffin 2458/udp # griffin
+community 2459/tcp # Community
+community 
2459/udp # Community
+qadmifoper 2461/tcp # qadmifoper
+qadmifoper 2461/udp # qadmifoper
+qadmifevent 2462/tcp # qadmifevent
+qadmifevent 2462/udp # qadmifevent
+lbm 2465/tcp # Load Balance Management
+lbm 2465/udp # Load Balance Management
+lbf 2466/tcp # Load Balance Forwarding
+lbf 2466/udp # Load Balance Forwarding
+seaodbc 2471/tcp # SeaODBC
+seaodbc 2471/udp # SeaODBC
+c3 2472/tcp # C3
+c3 2472/udp # C3
+vitalanalysis 2474/tcp # Vital Analysis
+vitalanalysis 2474/udp # Vital Analysis
+lingwood 2480/tcp # Lingwood's Detail
+lingwood 2480/udp # Lingwood's Detail
+giop 2481/tcp # Oracle GIOP
+giop 2481/udp # Oracle GIOP
+ttc 2483/tcp # Oracle TTC
+ttc 2483/udp # Oracel TTC
+netobjects1 2485/tcp # Net Objects1
+netobjects1 2485/udp # Net Objects1
+netobjects2 2486/tcp # Net Objects2
+netobjects2 2486/udp # Net Objects2
+pns 2487/tcp # Policy Notice Service
+pns 2487/udp # Policy Notice Service
+tsilb 2489/tcp # TSILB
+tsilb 2489/udp # TSILB
+groove 2492/tcp # GROOVE
+groove 2492/udp # GROOVE
+dirgis 2496/tcp # DIRGIS
+dirgis 2496/udp # DIRGIS
+quaddb 2497/tcp # Quad DB
+quaddb 2497/udp # Quad DB
+unicontrol 2499/tcp # UniControl
+unicontrol 2499/udp # UniControl
+rtsserv 2500/tcp # Resource Tracking system server
+rtsserv 2500/udp # Resource Tracking system server
+rtsclient 2501/tcp # Resource Tracking system client
+rtsclient 2501/udp # Resource Tracking system client
+wlbs 2504/tcp # WLBS
+wlbs 2504/udp # WLBS
+jbroker 2506/tcp # jbroker
+jbroker 2506/udp # jbroker
+spock 2507/tcp # spock
+spock 2507/udp # spock
+datastore 2508/tcp # datastore
+datastore 2508/udp # datastore
+fjmpss 2509/tcp # fjmpss
+fjmpss 2509/udp # fjmpss
+fjappmgrbulk 2510/tcp # fjappmgrbulk
+fjappmgrbulk 2510/udp # fjappmgrbulk
+metastorm 2511/tcp # Metastorm
+metastorm 2511/udp # Metastorm
+citrixima 2512/tcp # Citrix IMA
+citrixima 2512/udp # Citrix IMA
+citrixadmin 2513/tcp # Citrix ADMIN
+citrixadmin 2513/udp # Citrix ADMIN
+maincontrol 2516/tcp # Main Control
+maincontrol 2516/udp # 
Main Control
+willy 2518/tcp # Willy
+willy 2518/udp # Willy
+globmsgsvc 2519/tcp # globmsgsvc
+globmsgsvc 2519/udp # globmsgsvc
+pvsw 2520/tcp # pvsw
+pvsw 2520/udp # pvsw
+adaptecmgr 2521/tcp # Adaptec Manager
+adaptecmgr 2521/udp # Adaptec Manager
+windb 2522/tcp # WinDb
+windb 2522/udp # WinDb
+iqserver 2527/tcp # IQ Server
+iqserver 2527/udp # IQ Server
+utsftp 2529/tcp # UTS FTP
+utsftp 2529/udp # UTS FTP
+vrcommerce 2530/tcp # VR Commerce
+vrcommerce 2530/udp # VR Commerce
+ovtopmd 2532/tcp # OVTOPMD
+ovtopmd 2532/udp # OVTOPMD
+snifferserver 2533/tcp # SnifferServer
+snifferserver 2533/udp # SnifferServer
+mdhcp 2535/tcp # MDHCP
+mdhcp 2535/udp # MDHCP
+btpp2audctr1 2536/tcp # btpp2audctr1
+btpp2audctr1 2536/udp # btpp2audctr1
+upgrade 2537/tcp # Upgrade Protocol
+upgrade 2537/udp # Upgrade Protocol
+vsiadmin 2539/tcp # VSI Admin
+vsiadmin 2539/udp # VSI Admin
+lonworks 2540/tcp # LonWorks
+lonworks 2540/udp # LonWorks
+lonworks2 2541/tcp # LonWorks2
+lonworks2 2541/udp # LonWorks2
+davinci 2542/tcp # daVinci
+davinci 2542/udp # daVinci
+reftek 2543/tcp # REFTEK
+reftek 2543/udp # REFTEK
+vytalvaultbrtp 2546/tcp # vytalvaultbrtp
+vytalvaultbrtp 2546/udp # vytalvaultbrtp
+vytalvaultvsmp 2547/tcp # vytalvaultvsmp
+vytalvaultvsmp 2547/udp # vytalvaultvsmp
+vytalvaultpipe 2548/tcp # vytalvaultpipe
+vytalvaultpipe 2548/udp # vytalvaultpipe
+ipass 2549/tcp # IPASS
+ipass 2549/udp # IPASS
+ads 2550/tcp # ADS
+ads 2550/udp # ADS
+efidiningport 2553/tcp # efidiningport
+efidiningport 2553/udp # efidiningport
+pclemultimedia 2558/tcp # PCLE Multi Media
+pclemultimedia 2558/udp # PCLE Multi Media
+lstp 2559/tcp # LSTP
+lstp 2559/udp # LSTP
+labrat 2560/tcp # labrat
+labrat 2560/udp # labrat
+mosaixcc 2561/tcp # MosaixCC
+mosaixcc 2561/udp # MosaixCC
+delibo 2562/tcp # Delibo
+delibo 2562/udp # Delibo
+clp 2567/tcp # Cisco Line Protocol
+clp 2567/udp # Cisco Line Protocol
+spamtrap 2568/tcp # SPAM TRAP
+spamtrap 2568/udp # SPAM TRAP
+sonuscallsig 2569/tcp # Sonus Call 
Signal
+sonuscallsig 2569/udp # Sonus Call Signal
+cecsvc 2571/tcp # CECSVC
+cecsvc 2571/udp # CECSVC
+ibp 2572/tcp # IBP
+ibp 2572/udp # IBP
+trustestablish 2573/tcp # Trust Establish
+trustestablish 2573/udp # Trust Establish
+hl7 2575/tcp # HL7
+hl7 2575/udp # HL7
+tclprodebugger 2576/tcp # TCL Pro Debugger
+tclprodebugger 2576/udp # TCL Pro Debugger
+scipticslsrvr 2577/tcp # Scriptics Lsrvr
+scipticslsrvr 2577/udp # Scriptics Lsrvr
+mpfoncl 2579/tcp # mpfoncl
+mpfoncl 2579/udp # mpfoncl
+tributary 2580/tcp # Tributary
+tributary 2580/udp # Tributary
+mon 2583/tcp # MON
+mon 2583/udp # MON
+cyaserv 2584/tcp # cyaserv
+cyaserv 2584/udp # cyaserv
+masc 2587/tcp # MASC
+masc 2587/udp # MASC
+privilege 2588/tcp # Privilege
+privilege 2588/udp # Privilege
+idotdist 2590/tcp # idotdist
+idotdist 2590/udp # idotdist
+maytagshuffle 2591/tcp # Maytag Shuffle
+maytagshuffle 2591/udp # Maytag Shuffle
+netrek 2592/tcp # netrek
+netrek 2592/udp # netrek
+dts 2594/tcp # Data Base Server
+dts 2594/udp # Data Base Server
+worldfusion1 2595/tcp # World Fusion 1
+worldfusion1 2595/udp # World Fusion 1
+worldfusion2 2596/tcp # World Fusion 2
+worldfusion2 2596/udp # World Fusion 2
+homesteadglory 2597/tcp # Homestead Glory
+homesteadglory 2597/udp # Homestead Glory
+citriximaclient 2598/tcp # Citrix MA Client
+citriximaclient 2598/udp # Citrix MA Client
+meridiandata 2599/tcp # Meridian Data
+meridiandata 2599/udp # Meridian Data
+hpstgmgr 2600/tcp # HPSTGMGR
+hpstgmgr 2600/udp # HPSTGMGR
+servicemeter 2603/tcp # Service Meter
+servicemeter 2603/udp # Service Meter
+netmon 2606/tcp # Dell Netmon
+netmon 2606/udp # Dell Netmon
+connection 2607/tcp # Dell Connection
+connection 2607/udp # Dell Connection
+lionhead 2611/tcp # LIONHEAD
+lionhead 2611/udp # LIONHEAD
+smntubootstrap 2613/tcp # SMNTUBootstrap
+smntubootstrap 2613/udp # SMNTUBootstrap
+neveroffline 2614/tcp # Never Off Line
+neveroffline 2614/udp # Never Off Line
+firepower 2615/tcp # firepower
+firepower 2615/udp # 
firepower
+cmadmin 2617/tcp # Clinical Context Managers
+cmadmin 2617/udp # Clinical Context Managers
+bruce 2619/tcp # bruce
+bruce 2619/udp # bruce
+lpsrecommender 2620/tcp # LPSRecommender
+lpsrecommender 2620/udp # LPSRecommender
+dict 2628/tcp # DICT
+dict 2628/udp # DICT
+sitaraserver 2629/tcp # Sitara Server
+sitaraserver 2629/udp # Sitara Server
+sitaramgmt 2630/tcp # Sitara Management
+sitaramgmt 2630/udp # Sitara Management
+sitaradir 2631/tcp # Sitara Dir
+sitaradir 2631/udp # Sitara Dir
+interintelli 2633/tcp # InterIntelli
+interintelli 2633/udp # InterIntelli
+backburner 2635/tcp # Back Burner
+backburner 2635/udp # Back Burner
+solve 2636/tcp # Solve
+solve 2636/udp # Solve
+imdocsvc 2637/tcp # Import Document Service
+imdocsvc 2637/udp # Import Document Service
+sybaseanywhere 2638/tcp # Sybase Anywhere
+sybaseanywhere 2638/udp # Sybase Anywhere
+aminet 2639/tcp # AMInet
+aminet 2639/udp # AMInet
+tragic 2642/tcp # Tragic
+tragic 2642/udp # Tragic
+syncserver 2647/tcp # SyncServer
+syncserver 2647/udp # SyncServer
+upsnotifyprot 2648/tcp # Upsnotifyprot
+upsnotifyprot 2648/udp # Upsnotifyprot
+vpsipport 2649/tcp # VPSIPPORT
+vpsipport 2649/udp # VPSIPPORT
+eristwoguns 2650/tcp # eristwoguns
+eristwoguns 2650/udp # eristwoguns
+ebinsite 2651/tcp # EBInSite
+ebinsite 2651/udp # EBInSite
+interpathpanel 2652/tcp # InterPathPanel
+interpathpanel 2652/udp # InterPathPanel
+sonus 2653/tcp # Sonus
+sonus 2653/udp # Sonus
+unglue 2655/tcp # UNIX Nt Glue
+unglue 2655/udp # UNIX Nt Glue
+kana 2656/tcp # Kana
+kana 2656/udp # Kana
+gcmonitor 2660/tcp # GC Monitor
+gcmonitor 2660/udp # GC Monitor
+olhost 2661/tcp # OLHOST
+olhost 2661/udp # OLHOST
+extensis 2666/tcp # extensis
+extensis 2666/udp # extensis
+toad 2669/tcp # TOAD
+toad 2669/udp # TOAD
+newlixreg 2671/tcp # newlixreg
+newlixreg 2671/udp # newlixreg
+nhserver 2672/tcp # nhserver
+nhserver 2672/udp # nhserver
+firstcall42 2673/tcp # First Call 42
+firstcall42 2673/udp # First Call 42
+ewnn 2674/tcp 
# ewnn
+ewnn 2674/udp # ewnn
+simslink 2676/tcp # SIMSLink
+simslink 2676/udp # SIMSLink
+gadgetgate1way 2677/tcp # Gadget Gate 1 Way
+gadgetgate1way 2677/udp # Gadget Gate 1 Way
+gadgetgate2way 2678/tcp # Gadget Gate 2 Way
+gadgetgate2way 2678/udp # Gadget Gate 2 Way
+syncserverssl 2679/tcp # Sync Server SSL
+syncserverssl 2679/udp # Sync Server SSL
+mpnjsomb 2681/tcp # mpnjsomb
+mpnjsomb 2681/udp # mpnjsomb
+srsp 2682/tcp # SRSP
+srsp 2682/udp # SRSP
+ncdloadbalance 2683/tcp # NCDLoadBalance
+ncdloadbalance 2683/udp # NCDLoadBalance
+mpnjsosv 2684/tcp # mpnjsosv
+mpnjsosv 2684/udp # mpnjsosv
+mpnjsocl 2685/tcp # mpnjsocl
+mpnjsocl 2685/udp # mpnjsocl
+mpnjsomg 2686/tcp # mpnjsomg
+mpnjsomg 2686/udp # mpnjsomg
+fastlynx 2689/tcp # FastLynx
+fastlynx 2689/udp # FastLynx
+tqdata 2700/tcp # tqdata
+tqdata 2700/udp # tqdata
+piccolo 2787/tcp # piccolo - Cornerstone Software
+piccolo 2787/udp # piccolo - Cornerstone Software
+fryeserv 2788/tcp # NetWare Loadable Module - Seagate Software
+fryeserv 2788/udp # NetWare Loadable Module - Seagate Software
+mao 2908/tcp # mao
+mao 2908/udp # mao
+tdaccess 2910/tcp # TDAccess
+tdaccess 2910/udp # TDAccess
+blockade 2911/tcp # Blockade
+blockade 2911/udp # Blockade
+epicon 2912/tcp # Epicon
+epicon 2912/udp # Epicon
+boosterware 2913/tcp # Booster Ware
+boosterware 2913/udp # Booster Ware
+gamelobby 2914/tcp # Game Lobby
+gamelobby 2914/udp # Game Lobby
+tksocket 2915/tcp # TK Socket
+tksocket 2915/udp # TK Socket
+kastenchasepad 2918/tcp # Kasten Chase Pad
+kastenchasepad 2918/udp # Kasten Chase Pad
+netclip 2971/tcp # Net Clip
+netclip 2971/udp # Net Clip
+svnetworks 2973/tcp # SV Networks
+svnetworks 2973/udp # SV Networks
+signal 2974/tcp # Signal
+signal 2974/udp # Signal
+fjmpcm 2975/tcp # Fujitsu Configuration Management Service
+fjmpcm 2975/udp # Fujitsu Configuration Management Service
+realsecure 2998/tcp # Real Secure
+realsecure 2998/udp # Real Secure
+hbci 3000/tcp # HBCI
+hbci 3000/udp # HBCI
+cgms 3003/tcp # 
CGMS
+cgms 3003/udp # CGMS
+csoftragent 3004/tcp # Csoft Agent
+csoftragent 3004/udp # Csoft Agent
+geniuslm 3005/tcp # Genius License Manager
+geniuslm 3005/udp # Genius License Manager
+lotusmtap 3007/tcp # Lotus Mail Tracking Agent Protocol
+lotusmtap 3007/udp # Lotus Mail Tracking Agent Protocol
+gw 3010/tcp # Telerate Workstation
+twsdss 3012/tcp # Trusted Web Client
+twsdss 3012/udp # Trusted Web Client
+gilatskysurfer 3013/tcp # Gilat Sky Surfer
+gilatskysurfer 3013/udp # Gilat Sky Surfer
+cifs 3020/tcp # CIFS
+cifs 3020/udp # CIFS
+agriserver 3021/tcp # AGRI Server
+agriserver 3021/udp # AGRI Server
+csregagent 3022/tcp # CSREGAGENT
+csregagent 3022/udp # CSREGAGENT
+magicnotes 3023/tcp # magicnotes
+magicnotes 3023/udp # magicnotes
+agentvu 3031/tcp # AgentVU
+agentvu 3031/udp # AgentVU
+pdb 3033/tcp # PDB
+pdb 3033/udp # PDB
+cogitate 3039/tcp # Cogitate, Inc.
+cogitate 3039/udp # Cogitate, Inc.
+journee 3042/tcp # journee
+journee 3042/udp # journee
+brp 3043/tcp # BRP
+brp 3043/udp # BRP
+responsenet 3045/tcp # ResponseNet
+responsenet 3045/udp # ResponseNet
+hlserver 3047/tcp # Fast Security HL Server
+hlserver 3047/udp # Fast Security HL Server
+pctrader 3048/tcp # Sierra Net PC Trader
+pctrader 3048/udp # Sierra Net PC Trader
+nsws 3049/tcp # NSWS
+nsws 3049/udp # NSWS
+interserver 3060/tcp # interserver
+interserver 3060/udp # interserver
+cardbox 3105/tcp # Cardbox
+cardbox 3105/udp # Cardbox
+icpv2 3130/tcp # ICPv2
+icpv2 3130/udp # ICPv2
+netbookmark 3131/tcp # Net Book Mark
+netbookmark 3131/udp # Net Book Mark
+vmodem 3141/tcp # VMODEM
+vmodem 3141/udp # VMODEM
+seaview 3143/tcp # Sea View
+seaview 3143/udp # Sea View
+tarantella 3144/tcp # Tarantella
+tarantella 3144/udp # Tarantella
+rfio 3147/tcp # RFIO
+rfio 3147/udp # RFIO
+ccmail 3264/tcp # cc:mail/lotus
+ccmail 3264/udp # cc:mail/lotus
+verismart 3270/tcp # Verismart
+verismart 3270/udp # Verismart
+sxmp 3273/tcp # Simple Extensible Multiplexed Protocol
+sxmp 3273/udp # Simple Extensible 
Multiplexed Protocol
+samd 3275/tcp # SAMD
+samd 3275/udp # SAMD
+lkcmserver 3278/tcp # LKCM Server
+lkcmserver 3278/udp # LKCM Server
+admind 3279/tcp # admind
+admind 3279/udp # admind
+sysopt 3281/tcp # SYSOPT
+sysopt 3281/udp # SYSOPT
+datusorb 3282/tcp # Datusorb
+datusorb 3282/udp # Datusorb
+plato 3285/tcp # Plato
+plato 3285/udp # Plato
+directvdata 3287/tcp # DIRECTVDATA
+directvdata 3287/udp # DIRECTVDATA
+cops 3288/tcp # COPS
+cops 3288/udp # COPS
+enpc 3289/tcp # ENPC
+enpc 3289/udp # ENPC
+dyniplookup 3295/tcp # Dynamic IP Lookup
+dyniplookup 3295/udp # Dynamic IP Lookup
+transview 3298/tcp # Transview
+transview 3298/udp # Transview
+pdrncs 3299/tcp # pdrncs
+pdrncs 3299/udp # pdrncs
+bmcpatrolagent 3300/tcp # BMC Patrol Agent
+bmcpatrolagent 3300/udp # BMC Patrol Agent
+bmcpatrolrnvu 3301/tcp # BMC Patrol Rendezvous
+bmcpatrolrnvu 3301/udp # BMC Patrol Rendezvous
+mysql 3306/tcp # MySQL
+mysql 3306/udp # MySQL
+uorb 3313/tcp # Unify Object Broker
+uorb 3313/udp # Unify Object Broker
+uohost 3314/tcp # Unify Object Host
+uohost 3314/udp # Unify Object Host
+cdid 3315/tcp # CDID
+cdid 3315/udp # CDID
+vsaiport 3317/tcp # VSAI PORT
+vsaiport 3317/udp # VSAI PORT
+ssrip 3318/tcp # Swith to Swith Routing Information Protocol
+ssrip 3318/udp # Swith to Swith Routing Information Protocol
+officelink2000 3320/tcp # Office Link 2000
+officelink2000 3320/udp # Office Link 2000
+vnsstr 3321/tcp # VNSSTR
+vnsstr 3321/udp # VNSSTR
+sftu 3326/tcp # SFTU
+sftu 3326/udp # SFTU
+bbars 3327/tcp # BBARS
+bbars 3327/udp # BBARS
+egptlm 3328/tcp # Eaglepoint License Manager
+egptlm 3328/udp # Eaglepoint License Manager
+webtie 3342/tcp # WebTIE
+webtie 3342/udp # WebTIE
+influence 3345/tcp # Influence
+influence 3345/udp # Influence
+trnsprntproxy 3346/tcp # Trnsprnt Proxy
+trnsprntproxy 3346/udp # Trnsprnt Proxy
+chevinservices 3349/tcp # Chevin Services
+chevinservices 3349/udp # Chevin Services
+findviatv 3350/tcp # FINDVIATV
+findviatv 3350/udp # FINDVIATV
+btrieve 
3351/tcp # BTRIEVE
+btrieve 3351/udp # BTRIEVE
+ssql 3352/tcp # SSQL
+ssql 3352/udp # SSQL
+fatpipe 3353/tcp # FATPIPE
+fatpipe 3353/udp # FATPIPE
+suitjd 3354/tcp # SUITJD
+suitjd 3354/udp # SUITJD
+upnotifyps 3356/tcp # UPNOTIFYPS
+upnotifyps 3356/udp # UPNOTIFYPS
+mpsysrmsvr 3358/tcp # Mp Sys Rmsvr
+mpsysrmsvr 3358/udp # Mp Sys Rmsvr
+creativeserver 3364/tcp # Creative Server
+creativeserver 3364/udp # Creative Server
+contentserver 3365/tcp # Content Server
+contentserver 3365/udp # Content Server
+creativepartnr 3366/tcp # Creative Partner
+creativepartnr 3366/udp # Creative Partner
+tip2 3372/tcp # TIP 2
+tip2 3372/udp # TIP 2
+cdborker 3376/tcp # CD Broker
+cdbroker 3376/udp # CD Broker
+wsicopy 3378/tcp # WSICOPY
+wsicopy 3378/udp # WSICOPY
+socorfs 3379/tcp # SOCORFS
+socorfs 3379/udp # SOCORFS
+geneous 3381/tcp # Geneous
+geneous 3381/udp # Geneous
+qnxnetman 3385/tcp # qnxnetman
+qnxnetman 3385/udp # qnxnetman
+backroomnet 3387/tcp # Back Room Net
+backroomnet 3387/udp # Back Room Net
+cbserver 3388/tcp # CB Server
+cbserver 3388/udp # CB Server
+dsc 3390/tcp # Distributed Service Coordinator
+dsc 3390/udp # Distributed Service Coordinator
+savant 3391/tcp # SAVANT
+savant 3391/udp # SAVANT
+mercantile 3398/tcp # Mercantile
+mercantile 3398/udp # Mercantile
+csms 3399/tcp # CSMS
+csms 3399/udp # CSMS
+csms2 3400/tcp # CSMS2
+csms2 3400/udp # CSMS2
+bmap 3421/tcp # Bull Apprise portmapper
+bmap 3421/udp # Bull Apprise portmapper
+mira 3454/tcp # Apple Remote Access Protocol
+prsvp 3455/tcp # RSVP Port
+prsvp 3455/udp # RSVP Port
+vat 3456/tcp # VAT default data
+vat 3456/udp # VAT default data
+d3winosfi 3458/tcp # D3WinOsfi
+d3winosfi 3458/udp # DsWinOSFI
+integral 3459/tcp # Integral
+integral 3459/udp # Integral
+workflow 3466/tcp # WORKFLOW
+workflow 3466/udp # WORKFLOW
+rcst 3467/tcp # RCST
+rcst 3467/udp # RCST
+ttcmremotectrl 3468/tcp # TTCM Remote Controll
+ttcmremotectrl 3468/udp # TTCM Remote Controll
+pluribus 3469/tcp # Pluribus
+pluribus 
3469/udp # Pluribus
+jt400 3470/tcp # jt400
+jt400 3470/udp # jt400
+watcomdebug 3563/tcp # Watcom Debug
+watcomdebug 3563/udp # Watcom Debug
+harlequinorb 3672/tcp # harlequinorb
+harlequinorb 3672/udp # harlequinorb
+centerline 3987/tcp # Centerline
+centerline 3987/udp # Centerline
+terabase 4000/tcp # Terabase
+terabase 4000/udp # Terabase
+newoak 4001/tcp # NewOak
+newoak 4001/udp # NewOak
+netcheque 4008/tcp # NetCheque accounting
+netcheque 4008/udp # NetCheque accounting
+altserviceboot 4011/tcp # Alternate Service Boot
+altserviceboot 4011/udp # Alternate Service Boot
+taiclock 4014/tcp # TAICLOCK
+taiclock 4014/udp # TAICLOCK
+bre 4096/tcp # BRE (Bridge Relay Element)
+bre 4096/udp # BRE (Bridge Relay Element)
+patrolview 4097/tcp # Patrol View
+patrolview 4097/udp # Patrol View
+drmsfsd 4098/tcp # drmsfsd
+drmsfsd 4098/udp # drmsfsd
+dpcp 4099/tcp # DPCP
+dpcp 4099/udp # DPCP
+oirtgsvc 4141/tcp # Workflow Server
+oirtgsvc 4141/udp # Workflow Server
+oidocsvc 4142/tcp # Document Server
+oidocsvc 4142/udp # Document Server
+oidsr 4143/tcp # Document Replication
+oidsr 4143/udp # Document Replication
+corelccam 4300/tcp # Corel CCam
+corelccam 4300/udp # Corel CCam
+rwhois 4321/tcp # Remote Who Is
+rwhois 4321/udp # Remote Who Is
+unicall 4343/tcp # UNICALL
+unicall 4343/udp # UNICALL
+vinainstall 4344/tcp # VinaInstall
+vinainstall 4344/udp # VinaInstall
+elanlm 4346/tcp # ELAN LM
+elanlm 4346/udp # ELAN LM
+lansurveyor 4347/tcp # LAN Surveyor
+lansurveyor 4347/udp # LAN Surveyor
+itose 4348/tcp # ITOSE
+itose 4348/udp # ITOSE
+fsportmap 4349/tcp # File System Port Map
+fsportmap 4349/udp # File System Port Map
+saris 4442/tcp # Saris
+saris 4442/udp # Saris
+pharos 4443/tcp # Pharos
+pharos 4443/udp # Pharos
+krb524 4444/tcp # KRB524
+krb524 4444/udp # KRB524
+upnotifyp 4445/tcp # UPNOTIFYP
+upnotifyp 4445/udp # UPNOTIFYP
+privatewire 4449/tcp # PrivateWire
+privatewire 4449/udp # PrivateWire
+camp 4450/tcp # Camp
+camp 4450/udp # Camp
+ctisystemmsg 
4451/tcp # CTI System Msg
+ctisystemmsg 4451/udp # CTI System Msg
+ctiprogramload 4452/tcp # CTI Program Load
+ctiprogramload 4452/udp # CTI Program Load
+nssalertmgr 4453/tcp # NSS Alert Manager
+nssalertmgr 4453/udp # NSS Alert Manager
+nssagentmgr 4454/tcp # NSS Agent Manager
+nssagentmgr 4454/udp # NSS Agent Manager
+prRegister 4457/tcp # PR Register
+prRegister 4457/udp # PR Register
+worldscores 4545/tcp # WorldScores
+worldscores 4545/udp # WorldScores
+piranha1 4600/tcp # Piranha1
+piranha1 4600/udp # Piranha1
+piranha2 4601/tcp # Piranha2
+piranha2 4601/udp # Piranha2
+rfa 4672/tcp # remote file access server
+rfa 4672/udp # remote file access server
+iims 4800/tcp # Icona Instant Messenging System
+iims 4800/udp # Icona Instant Messenging System
+iwec 4801/tcp # Icona Web Embedded Chat
+iwec 4801/udp # Icona Web Embedded Chat
+ilss 4802/tcp # Icona License System Server
+ilss 4802/udp # Icona License System Server
+htcp 4827/tcp # HTCP
+htcp 4827/udp # HTCP
+phrelay 4868/tcp # Photon Relay
+phrelay 4868/udp # Photon Relay
+phrelaydbg 4869/tcp # Photon Relay Debug
+phrelaydbg 4869/udp # Photon Relay Debug
+abbs 4885/tcp # ABBS
+abbs 4885/udp # ABBS
+rfe 5002/tcp # radio free ethernet
+rfe 5002/udp # radio free ethernet
+telelpathstart 5010/tcp # TelepathStart
+telelpathstart 5010/udp # TelepathStart
+telelpathattack 5011/tcp # TelepathAttack
+telelpathattack 5011/udp # TelepathAttack
+asnaacceler8db 5042/tcp # asnaacceler8db
+asnaacceler8db 5042/udp # asnaacceler8db
+mmcc 5050/tcp # multimedia conference control tool
+mmcc 5050/udp # multimedia conference control tool
+sip 5060/tcp # SIP
+sip 5060/udp # SIP
+atmp 5150/tcp # Ascend Tunnel Management Protocol
+atmp 5150/udp # Ascend Tunnel Management Protocol
+aol 5190/tcp # America-Online
+aol 5190/udp # America-Online
+padl2sim 5236/tcp
+padl2sim 5236/udp
+pk 5272/tcp # PK
+pk 5272/udp # PK
+cfengine 5308/tcp # CFengine
+cfengine 5308/udp # CFengine
+jprinter 5309/tcp # J Printer
+jprinter 5309/udp # J 
Printer
+outlaws 5310/tcp # Outlaws
+outlaws 5310/udp # Outlaws
+tmlogin 5311/tcp # TM Login
+tmlogin 5311/udp # TM Login
+excerpt 5400/tcp # Excerpt Search
+excerpt 5400/udp # Excerpt Search
+excerpts 5401/tcp # Excerpt Search Secure
+excerpts 5401/udp # Excerpt Search Secure
+mftp 5402/tcp # MFTP
+mftp 5402/udp # MFTP
+netsupport 5405/tcp # NetSupport
+netsupport 5405/udp # NetSupport
+actnet 5411/tcp # ActNet
+actnet 5411/udp # ActNet
+continuus 5412/tcp # Continuus
+continuus 5412/udp # Continuus
+wwiotalk 5413/tcp # WWIOTALK
+wwiotalk 5413/udp # WWIOTALK
+statusd 5414/tcp # StatusD
+statusd 5414/udp # StatusD
+mcntp 5418/tcp # MCNTP
+mcntp 5418/udp # MCNTP
+esinstall 5599/tcp # Enterprise Security Remote Install
+esinstall 5599/udp # Enterprise Security Remote Install
+esmmanager 5600/tcp # Enterprise Security Manager
+esmmanager 5600/udp # Enterprise Security Manager
+esmagent 5601/tcp # Enterprise Security Agent
+esmagent 5601/udp # Enterprise Security Agent
+pcanywheredata 5631/tcp # pcANYWHEREdata
+pcanywheredata 5631/udp # pcANYWHEREdata
+pcanywherestat 5632/tcp # pcANYWHEREstat
+pcanywherestat 5632/udp # pcANYWHEREstat
+rrac 5678/tcp # Remote Replication Agent Connection
+rrac 5678/udp # Remote Replication Agent Connection
+dccm 5679/tcp # Direct Cable Connect Manager
+dccm 5679/udp # Direct Cable Connect Manager
+proshareaudio 5713/tcp # proshare conf audio
+proshareaudio 5713/udp # proshare conf audio
+prosharevideo 5714/tcp # proshare conf video
+prosharevideo 5714/udp # proshare conf video
+prosharedata 5715/tcp # proshare conf data
+prosharedata 5715/udp # proshare conf data
+prosharerequest 5716/tcp # proshare conf request
+prosharerequest 5716/udp # proshare conf request
+prosharenotify 5717/tcp # proshare conf notify
+prosharenotify 5717/udp # proshare conf notify
+openmail 5729/tcp # Openmail User Agent Layer
+openmail 5729/udp # Openmail User Agent Layer
+openmailg 5755/tcp # OpenMail Desk Gateway server
+openmailg 5755/udp # OpenMail Desk 
Gateway server +x500ms 5757/tcp # OpenMail X.500 Directory Server +x500ms 5757/udp # OpenMail X.500 Directory Server +openmailns 5766/tcp # OpenMail NewMail Server +openmailns 5766/udp # OpenMail NewMail Server +openmailpxy 5768/tcp # OpenMail CMTS Server +openmailpxy 5768/udp # OpenMail CMTS Server +softcm 6110/tcp # HP SoftBench CM +softcm 6110/udp # HP SoftBench CM +spc 6111/tcp # HP SoftBench Sub-Process Control +spc 6111/udp # HP SoftBench Sub-Process Control +dtspcd 6112/tcp # dtspcd +dtspcd 6112/udp # dtspcd +crip 6253/tcp # CRIP +crip 6253/udp # CRIP +boks 6500/tcp # BoKS Master +boks 6500/udp # BoKS Master +xdsxdm 6558/tcp +xdsxdm 6558/udp +hnmp 6790/tcp # HNMP +hnmp 6790/udp # HNMP +jmact3 6961/tcp # JMACT3 +jmact3 6961/udp # JMACT3 +jmevt2 6962/tcp # jmevt2 +jmevt2 6962/udp # jmevt2 +swismgr1 6963/tcp # swismgr1 +swismgr1 6963/udp # swismgr1 +swismgr2 6964/tcp # swismgr2 +swismgr2 6964/udp # swismgr2 +swistrap 6965/tcp # swistrap +swistrap 6965/udp # swistrap +swispol 6966/tcp # swispol +swispol 6966/udp # swispol +acmsoda 6969/tcp # acmsoda +acmsoda 6969/udp # acmsoda +dpserve 7020/tcp # DP Serve +dpserve 7020/udp # DP Serve +dpserveadmin 7021/tcp # DP Serve Admin +dpserveadmin 7021/udp # DP Serve Admin +arcp 7070/tcp # ARCP +arcp 7070/udp # ARCP +clutild 7174/tcp # Clutild +clutild 7174/udp # Clutild +fodms 7200/tcp # FODMS FLIP +fodms 7200/udp # FODMS FLIP +dlip 7201/tcp # DLIP +dlip 7201/udp # DLIP +winqedit 7395/tcp # winqedit +winqedit 7395/udp # winqedit +pmdmgr 7426/tcp # OpenView DM Postmaster Manager +pmdmgr 7426/udp # OpenView DM Postmaster Manager +oveadmgr 7427/tcp # OpenView DM Event Agent Manager +oveadmgr 7427/udp # OpenView DM Event Agent Manager +ovladmgr 7428/tcp # OpenView DM Log Agent Manager +ovladmgr 7428/udp # OpenView DM Log Agent Manager +xmpv7 7430/tcp # OpenView DM xmpv7 api pipe +xmpv7 7430/udp # OpenView DM xmpv7 api pipe +pmd 7431/tcp # OpenView DM ovc/xmpv3 api pipe +pmd 7431/udp # OpenView DM ovc/xmpv3 api pipe +faximum 
7437/tcp # Faximum +faximum 7437/udp # Faximum +pmdfmgt 7633/tcp # PMDF Management +pmdfmgt 7633/udp # PMDF Management +cbt 7777/tcp # cbt +cbt 7777/udp # cbt +supercell 7967/tcp # Supercell +supercell 7967/udp # Supercell +irdmi2 7999/tcp # iRDMI2 +irdmi2 7999/udp # iRDMI2 +irdmi 8000/tcp # iRDMI +irdmi 8000/udp # iRDMI +mindprint 8033/tcp # MindPrint +mindprint 8033/udp # MindPrint +trivnet1 8200/tcp # TRIVNET +trivnet1 8200/udp # TRIVNET +trivnet2 8201/tcp # TRIVNET +trivnet2 8201/udp # TRIVNET +cvd 8400/tcp # cvd +cvd 8400/udp # cvd +sabarsd 8401/tcp # sabarsd +sabarsd 8401/udp # sabarsd +abarsd 8402/tcp # abarsd +abarsd 8402/udp # abarsd +admind 8403/tcp # admind +admind 8403/udp # admind +npmp 8450/tcp # npmp +npmp 8450/udp # npmp +vp2p 8473/tcp # Virtual Point to Point +vp2p 8473/udp # Virtual Point to Point +ibus 8733/tcp # iBus +ibus 8733/udp # iBus +cslistener 9000/tcp # CSlistener +cslistener 9000/udp # CSlistener +sctp 9006/tcp # SCTP +sctp 9006/udp # SCTP +websm 9090/tcp # WebSM +websm 9090/udp # WebSM +guibase 9321/tcp # guibase +guibase 9321/udp # guibase +mpidcmgr 9343/tcp # MpIdcMgr +mpidcmgr 9343/udp # MpIdcMgr +fjdmimgr 9374/tcp # fjdmimgr +fjdmimgr 9374/udp # fjdmimgr +fjinvmgr 9396/tcp # fjinvmgr +fjinvmgr 9396/udp # fjinvmgr +mpidcagt 9397/tcp # MpIdcAgt +mpidcagt 9397/udp # MpIdcAgt +ismserver 9500/tcp # ismserver +ismserver 9500/udp # ismserver +man 9535/tcp +man 9535/udp +msgsys 9594/tcp # Message System +msgsys 9594/udp # Message System +pds 9595/tcp # Ping Discovery Service +pds 9595/udp # Ping Discovery Service +sd 9876/tcp # Session Director +sd 9876/udp # Session Director +monkeycom 9898/tcp # MonkeyCom +monkeycom 9898/udp # MonkeyCom +palace 9992/tcp # Palace +palace 9992/udp # Palace +palace 9993/tcp # Palace +palace 9993/udp # Palace +palace 9994/tcp # Palace +palace 9994/udp # Palace +palace 9995/tcp # Palace +palace 9995/udp # Palace +palace 9996/tcp # Palace +palace 9996/udp # Palace +palace 9997/tcp # Palace +palace 9997/udp # 
Palace +distinct32 9998/tcp # Distinct32 +distinct32 9998/udp # Distinct32 +distinct 9999/tcp # distinct +distinct 9999/udp # distinct +ndmp 10000/tcp # Network Data Management Protocol +ndmp 10000/udp # Network Data Management Protocol +amanda 10080/tcp # Amanda +amanda 10080/udp # Amanda +blocks 10288/tcp # Blocks +blocks 10288/udp # Blocks +irisa 11000/tcp # IRISA +irisa 11000/udp # IRISA +metasys 11001/tcp # Metasys +metasys 11001/udp # Metasys +vce 11111/tcp # Viral Computing Environment (VCE) +vce 11111/udp # Viral Computing Environment (VCE) +entextxid 12000/tcp # IBM Enterprise Extender SNA XID Exchange +entextxid 12000/udp # IBM Enterprise Extender SNA XID Exchange +entextnetwk 12001/tcp # IBM Enterprise Extender SNA COS Network Priority +entextnetwk 12001/udp # IBM Enterprise Extender SNA COS Network Priority +entexthigh 12002/tcp # IBM Enterprise Extender SNA COS High Priority +entexthigh 12002/udp # IBM Enterprise Extender SNA COS High Priority +entextmed 12003/tcp # IBM Enterprise Extender SNA COS Medium Priority +entextmed 12003/udp # IBM Enterprise Extender SNA COS Medium Priority +entextlow 12004/tcp # IBM Enterprise Extender SNA COS Low Priority +entextlow 12004/udp # IBM Enterprise Extender SNA COS Low Priority +tsaf 12753/tcp # tsaf port +tsaf 12753/udp # tsaf port +bprd 13720/tcp # BPRD Protocol (VERITAS NetBackup) +bprd 13720/udp # BPRD Protocol (VERITAS NetBackup) +bpbrm 13721/tcp # BPBRM Protocol (VERITAS NetBackup) +bpbrm 13721/udp # BPBRM Protocol (VERITAS NetBackup) +bpcd 13782/tcp # VERITAS NetBackup +bpcd 13782/udp # VERITAS NetBackup +vopied 13783/tcp # VOPIED Protocol +vopied 13783/udp # VOPIED Protocol +netserialext1 16360/tcp # netserialext1 +netserialext1 16360/udp # netserialext1 +netserialext2 16361/tcp # netserialext2 +netserialext2 16361/udp # netserialext2 +netserialext3 16367/tcp # netserialext3 +netserialext3 16367/udp # netserialext3 +netserialext4 16368/tcp # netserialext4 +netserialext4 16368/udp # netserialext4 +chipper 
17219/tcp # Chipper +chipper 17219/udp # Chipper +biimenu 18000/tcp # Beckman Instruments, Inc. +biimenu 18000/udp # Beckman Instruments, Inc. +jcp 19541/tcp # JCP Client +jcp 19541/udp # JCP Client +dnp 20000/tcp # DNP +dnp 20000/udp # DNP +track 20670/tcp # Track +track 20670/udp # Track +webphone 21845/tcp # webphone +webphone 21845/udp # webphone +wnn6 22273/tcp # wnn6 +wnn6 22273/udp # wnn6 +quake 26000/tcp # quake +quake 26000/udp # quake +traceroute 33434/tcp # traceroute use +traceroute 33434/udp # traceroute use +kastenxpipe 36865/tcp # KastenX Pipe +kastenxpipe 36865/udp # KastenX Pipe +eba 45678/tcp # EBA PRISE +eba 45678/udp # EBA PRISE +dbbrowse 47557/tcp # Databeam Corporation +dbbrowse 47557/udp # Databeam Corporation +directplaysrvr 47624/tcp # Direct Play Server +directplaysrvr 47624/udp # Direct Play Server +ap 47806/tcp # ALC Protocol +ap 47806/udp # ALC Protocol +bacnet 47808/tcp # Building Automation and Control Networks +bacnet 47808/udp # Building Automation and Control Networks +nimcontroller 48000/tcp # Nimbus Controller +nimcontroller 48000/udp # Nimbus Controller +nimspooler 48001/tcp # Nimbus Spooler +nimspooler 48001/udp # Nimbus Spooler +nimhub 48002/tcp # Nimbus Hub +nimhub 48002/udp # Nimbus Hub +nimgtw 48003/tcp # Nimbus Gateway +nimgtw 48003/udp # Nimbus Gateway diff --git a/contrib/ipfilter/facpri.c b/contrib/ipfilter/facpri.c new file mode 100644 index 0000000..510f3be --- /dev/null +++ b/contrib/ipfilter/facpri.c 
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <limits.h>
+#include <sys/types.h>
+#if !defined(__SVR4) && !defined(__svr4__)
+#include <strings.h>
+#endif
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <syslog.h>
+#include "facpri.h"
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: facpri.c,v 1.2 1999/08/01 11:10:45 darrenr Exp $";
+#endif
+
+typedef struct table {
+ char *name;
+ int value;
+} table_t;
+
+table_t facs[] = {
+ { "kern", LOG_KERN }, { "user", LOG_USER },
+ { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
+ { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
+ { "lpr", LOG_LPR }, { "news", LOG_NEWS },
+ { "uucp", LOG_UUCP },
+#if LOG_CRON == LOG_CRON2
+ { "cron2", LOG_CRON1 },
+#else
+ { "cron", LOG_CRON1 },
+#endif
+#ifdef LOG_FTP
+ { "ftp", LOG_FTP },
+#endif
+#ifdef LOG_AUTHPRIV
+ { "authpriv", LOG_AUTHPRIV },
+#endif
+#ifdef LOG_AUDIT
+ { "audit", LOG_AUDIT },
+#endif
+#ifdef LOG_LFMT
+ { "logalert", LOG_LFMT },
+#endif
+#if LOG_CRON == LOG_CRON1
+ { "cron", LOG_CRON2 },
+#else
+ { "cron2", LOG_CRON2 },
+#endif
+ { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
+ { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
+ { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
+ { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
+ { NULL, 0 }
+};
+
+
+/*
+ * map a facility number to its name
+ */
+char *
+fac_toname(facpri)
+ int facpri;
+{
+ int i, j, fac;
+
+ fac = facpri & LOG_FACMASK;
+ j = fac >> 3;
+ if (j < 24) {
+ if (facs[j].value == fac)
+ return facs[j].name;
+ for (i = 0; facs[i].name; i++)
+ if (fac == facs[i].value)
+ return facs[i].name;
+ }
+
+ return NULL;
+}
+
+
+/*
+ * map a facility name to its number
+ */
+int
+fac_findname(name)
+ char 
*name;
+{
+ int i;
+
+ for (i = 0; facs[i].name; i++)
+ if (!strcmp(facs[i].name, name))
+ return facs[i].value;
+ return -1;
+}
+
+
+table_t pris[] = {
+ { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
+ { "crit", LOG_CRIT }, { "err", LOG_ERR },
+ { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
+ { "info", LOG_INFO }, { "debug", LOG_DEBUG },
+ { NULL, 0 }
+};
+
+
+/*
+ * map a priority name to its number
+ */
+int
+pri_findname(name)
+ char *name;
+{
+ int i;
+
+ for (i = 0; pris[i].name; i++)
+ if (!strcmp(pris[i].name, name))
+ return pris[i].value;
+ return -1;
+}
+
+
+/*
+ * map a priority number to its name
+ */
+char *
+pri_toname(facpri)
+ int facpri;
+{
+ int i, pri;
+
+ pri = facpri & LOG_PRIMASK;
+ if (pris[pri].value == pri)
+ return pris[pri].name;
+ for (i = 0; pris[i].name; i++)
+ if (pri == pris[i].value)
+ return pris[i].name;
+ return NULL;
+}
diff --git a/contrib/ipfilter/facpri.h b/contrib/ipfilter/facpri.h
new file mode 100644
index 0000000..d39a159
--- /dev/null
+++ b/contrib/ipfilter/facpri.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 1999 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ * $Id: facpri.h,v 1.2 1999/08/01 11:10:46 darrenr Exp $
+ */
+
+#ifndef __FACPRI_H__
+#define __FACPRI_H__
+
+#ifndef __P
+# define P_DEF
+# ifdef __STDC__
+# define __P(x) x
+# else
+# define __P(x) ()
+# endif
+#endif
+
+extern char *fac_toname __P((int));
+extern int fac_findname __P((char *));
+
+extern char *pri_toname __P((int));
+extern int pri_findname __P((char *));
+
+#ifdef P_DEF
+# undef __P
+# undef P_DEF
+#endif
+
+#if LOG_CRON == (9<<3)
+# define LOG_CRON1 LOG_CRON
+# define LOG_CRON2 (15<<3)
+#endif
+#if LOG_CRON == (15<<3)
+# define LOG_CRON1 (9<<3)
+# define LOG_CRON2 LOG_CRON
+#endif
+
+#endif /* __FACPRI_H__ */
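Review bot: fac_toname's fast path `if (j < 24) { if (facs[j].value == fac)` indexes facs[] by facility number, but the table's length depends on which of LOG_FTP, LOG_AUTHPRIV, LOG_AUDIT and LOG_LFMT the platform defines, so whenever one of those optional entries is absent the table has fewer than 24 entries and a j up to 23 reads past the NULL terminator; bounding the fast path by the table itself, `if (j < (int)(sizeof(facs) / sizeof(facs[0])) - 1)`, or keeping only the linear scan, removes the out-of-bounds read. Separately, the second LOG_CRON conditional in facs[] reads as inverted: when LOG_CRON == LOG_CRON1 the entry for LOG_CRON2 is named "cron" (a duplicate of the first "cron"), and otherwise both cron entries are named "cron2" and fac_findname("cron") returns -1; swapping the two initialisers, `{ "cron2", LOG_CRON2 }` in the `#if` branch and `{ "cron", LOG_CRON2 }` in the `#else`, gives each value a distinct name. fac_findname and pri_findname return -1 on a miss while 0 is a valid hit (LOG_KERN, LOG_EMERG), so a comment on each saying that callers must compare against -1 rather than test for zero would prevent a likely mistake.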
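Review bot: The LOG_CRON1/LOG_CRON2 definitions at the bottom of facpri.h only come into being when LOG_CRON is already defined as (9<<3) or (15<<3) at the point the header is read; a translation unit that includes facpri.h before <syslog.h>, or a platform whose LOG_CRON has a third value, ends up with neither macro defined, and the failure surfaces later as an undeclared identifier in the facs[] initialisers of facpri.c rather than here. Including <syslog.h> at the top of this header and adding `#ifndef LOG_CRON1` / `# error "unsupported LOG_CRON value"` / `#endif` after the two blocks would make the assumption explicit. The prototypes of fac_findname and pri_findname could also take `const char *`, since both only read the name.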
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index f2b19a5..e132388 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.7 1999/10/21 14:21:40 darrenr Exp $"; #endif #include <sys/errno.h> @@ -15,7 +15,17 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#include <sys/ioctl.h> +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ + defined(_KERNEL) +# include "opt_ipfilter_log.h" +#endif +#if defined(KERNEL) && defined(__FreeBSD_version) && \ + (__FreeBSD_version >= 220000) +# include <sys/filio.h> +# include <sys/fcntl.h> +#else +# include <sys/ioctl.h> +#endif #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) # include <sys/systm.h> #else @@ -30,8 +40,10 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 # endif #else # include <sys/byteorder.h> -# include <sys/dditypes.h> -# include <sys/stream.h> +# if SOLARIS2 < 5 +# include <sys/dditypes.h> +# endif +# include <sys/stream.h> #endif #ifndef linux # include <sys/protosw.h> @@ -48,6 +60,10 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 #ifndef linux # include <netinet/ip_var.h> #endif +#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ +# include <sys/hashing.h> +# include <netinet/in_var.h> +#endif #include <netinet/tcp.h> #include <netinet/udp.h> #include <netinet/ip_icmp.h> 
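Review bot: The new FreeBSD include guard `#if defined(KERNEL) && defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)` tests the `KERNEL` spelling, whereas the line directly after it tests `(defined(_KERNEL) || defined(KERNEL))` and the other hunks in this file use `_KERNEL`; a FreeBSD kernel build that defines only `_KERNEL` would silently take the `<sys/ioctl.h>` branch instead of `<sys/filio.h>`/`<sys/fcntl.h>`. Testing `(defined(_KERNEL) || defined(KERNEL))` here as well keeps the two consistent; the fr_tcpsum hunk near the end of this file uses `#ifdef KERNEL` in the same way.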
@@ -59,9 +75,16 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 #include "netinet/ip_frag.h" #include "netinet/ip_state.h" #include "netinet/ip_auth.h" +# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# include "opt_ipfilter.h" +# endif +# endif #ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) #endif +#include "netinet/ipl.h" #ifndef _KERNEL # include "ipf.h" @@ -74,14 +97,9 @@ extern int opts; second; } # define FR_VERBOSE(verb_pr) verbose verb_pr # define FR_DEBUG(verb_pr) debug verb_pr -# define SEND_RESET(ip, qif, if, m) send_reset(ip, if) +# define SEND_RESET(ip, qif, if, m, fin) send_reset(ip, if) # define IPLLOG(a, c, d, e) ipllog() -# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) -# if SOLARIS -# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip) -# else -# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if) -# endif +# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) #else /* #ifndef _KERNEL */ # define FR_IFVERBOSE(ex,second,verb_pr) ; # define FR_IFDEBUG(ex,second,verb_pr) ; 
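Review bot: In the `#ifndef _KERNEL` branch the rewritten macro `# define SEND_RESET(ip, qif, if, m, fin) send_reset(ip, if)` takes five parameters, while the three kernel definitions in the next hunk take four and the only invocation visible in this diff, `SEND_RESET(ip, qif, ifp, fin)` in fr_check, passes four. That call sits inside `#ifdef _KERNEL`, so the user-space definition is currently unused, but it will fail to expand the moment anyone calls it outside the kernel; dropping the extra parameter, `# define SEND_RESET(ip, qif, if, fin) send_reset(ip, if)`, keeps all four variants interchangeable.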
@@ -89,38 +107,25 @@ extern int opts; # define FR_DEBUG(verb_pr) # define IPLLOG(a, c, d, e) ipflog(a, c, d, e) # if SOLARIS || defined(__sgi) -extern kmutex_t ipf_mutex, ipf_auth; +extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat; +extern kmutex_t ipf_rw; # endif # if SOLARIS # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \ ip, qif) -# define SEND_RESET(ip, qif, if) send_reset(ip, qif) -# define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(ip, t, c, if, src) +# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip, qif) +# define ICMP_ERROR(b, ip, t, c, if, dst) \ + icmp_error(ip, t, c, if, dst) # else /* SOLARIS */ # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) # ifdef linux -# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\ - ifp) +# define SEND_RESET(ip, qif, if, fin) send_reset(ip, ifp) +# define ICMP_ERROR(b, ip, t, c, if, dst) icmp_send(b,t,c,0,if) # else -# define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip) -# endif -# ifdef __sgi -# define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(b, t, c, if, src, if) -# else -# if BSD < 199103 -# ifdef linux -# define ICMP_ERROR(b, ip, t, c, if, src) icmp_send(b,t,c,0,if) -# else -# define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(mtod(b, ip_t *), t, c, if, src) -# endif /* linux */ -# else -# define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(b, t, c, (src).s_addr, if) -# endif /* BSD < 199103 */ -# endif /* __sgi */ +# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip) +# define ICMP_ERROR(b, ip, t, c, if, dst) \ + send_icmp_err(ip, t, c, if, dst) +# endif /* linux */ # endif /* SOLARIS || __sgi */ #endif /* _KERNEL */ 
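Review bot: The linux definition `# define ICMP_ERROR(b, ip, t, c, if, dst) icmp_send(b,t,c,0,if)` discards the new `dst` argument, while the Solaris (`icmp_error(ip, t, c, if, dst)`) and BSD (`send_icmp_err(ip, t, c, if, dst)`) definitions pass it through; the `FR_FAKEICMP` path in fr_check later in this diff computes `dst` from `ip->ip_dst` precisely so that the reply carries the destination's address, so on linux a return-icmp-as-dest rule would silently behave like plain return-icmp. If that is a known limitation it deserves a comment on the macro, e.g. `/* linux: dst is not honoured; return-icmp-as-dest degrades to return-icmp */`; otherwise the address needs to reach the linux sender too.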
@@ -135,12 +140,12 @@ int fr_pass = FR_NOMATCH|FR_BLOCK; #else int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH); #endif +char ipfilter_version[] = IPL_VERSION; fr_info_t frcache[2]; -static void fr_makefrip __P((int, ip_t *, fr_info_t *)); static int fr_tcpudpchk __P((frentry_t *, fr_info_t *)); -static int frflushlist __P((int, int, int *, frentry_t *, frentry_t **)); +static int frflushlist __P((int, minor_t, int *, frentry_t **)); /* @@ -188,19 +193,19 @@ struct optlist secopt[8] = { * compact the IP header into a structure which contains just the info. * which is useful for comparing IP headers with. */ -static void fr_makefrip(hlen, ip, fin) +void fr_makefrip(hlen, ip, fin) int hlen; ip_t *ip; fr_info_t *fin; { struct optlist *op; tcphdr_t *tcp; - icmphdr_t *icmp; fr_ip_t *fi = &fin->fin_fi; u_short optmsk = 0, secmsk = 0, auth = 0; int i, mv, ol, off; u_char *s, opt; + fin->fin_rev = 0; fin->fin_fr = NULL; fin->fin_tcpf = 0; fin->fin_data[0] = 0; @@ -216,14 +221,13 @@ fr_info_t *fin; fin->fin_hlen = hlen; fin->fin_dlen = ip->ip_len - hlen; tcp = (tcphdr_t *)((char *)ip + hlen); - icmp = (icmphdr_t *)tcp; fin->fin_dp = (void *)tcp; (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4)); - (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3)); - (*(((u_32_t *)fi) + 2)) = (*(((u_32_t *)ip) + 4)); + fi->fi_src.s_addr = ip->ip_src.s_addr; + fi->fi_dst.s_addr = ip->ip_dst.s_addr; fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0; - off = (ip->ip_off & 0x1fff) << 3; + off = (ip->ip_off & IP_OFFMASK) << 3; if (ip->ip_off & 0x3fff) fi->fi_fl |= FI_FRAG; switch (ip->ip_p) 
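Review bot: `off = (ip->ip_off & IP_OFFMASK) << 3;` replaces the magic 0x1fff, but the next line, `if (ip->ip_off & 0x3fff)`, still tests a literal where `(IP_MF|IP_OFFMASK)` would name the same bits and say outright that either the more-fragments flag or a non-zero offset marks the packet as a fragment. The enclosing function fr_makefrip starts and ends outside this hunk; since the earlier hunk drops `static` from it and removes its file-local prototype, a declaration presumably needs to appear in a shared header that is not part of this diff.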
@@ -231,10 +235,12 @@ fr_info_t *fin; case IPPROTO_ICMP : { int minicmpsz = sizeof(struct icmp); + icmphdr_t *icmp; + + icmp = (icmphdr_t *)tcp; - if (!off && ip->ip_len > ICMP_MINLEN + hlen && - (icmp->icmp_type == ICMP_ECHOREPLY || - icmp->icmp_type == ICMP_UNREACH)) + if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || + icmp->icmp_type == ICMP_ECHO)) minicmpsz = ICMP_MINLEN; if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) @@ -267,8 +273,9 @@ getports: } - for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) { - if (!(opt = *s)) + for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen; ) { + opt = *s; + if (opt == '\0') break; ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1); if (opt > 1 && (ol < 2 || ol > hlen)) @@ -397,7 +404,7 @@ fr_info_t *fin; /* * Match the flags ? If not, abort this match. */ - if (fr->fr_tcpf && + if (fr->fr_tcpfm && fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) { FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf, fr->fr_tcpfm, fr->fr_tcpf)); @@ -413,23 +420,24 @@ fr_info_t *fin; * kernel sauce. */ int fr_scanlist(pass, ip, fin, m) -int pass; +u_32_t pass; ip_t *ip; register fr_info_t *fin; void *m; { register struct frentry *fr; register fr_ip_t *fi = &fin->fin_fi; - int rulen, portcmp = 0, off, skip = 0; + int rulen, portcmp = 0, off, skip = 0, logged = 0; + u_32_t passt; fr = fin->fin_fr; fin->fin_fr = NULL; fin->fin_rule = 0; fin->fin_group = 0; - off = ip->ip_off & 0x1fff; + off = ip->ip_off & IP_OFFMASK; pass |= (fi->fi_fl << 24); - if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) + if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) portcmp = 1; for (rulen = 0; fr; fr = fr->fr_next, rulen++) { 
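Review bot: The rewritten ICMP case reads `icmp->icmp_type` before the length check that follows it; the removed condition guarded that dereference with `ip->ip_len > ICMP_MINLEN + hlen`, and without it a packet whose IP length equals its header length (on the m_pullup path in fr_check, `up = MIN(hlen + plen, ip->ip_len)` then pulls up only the IP header) has its type byte read from whatever lies beyond the validated bytes before the short-packet test `!(ip->ip_len >= hlen + minicmpsz)` runs. Keeping a length guard while still fixing the old off-by-one that treated a minimal 8-byte echo as short, `if (!off && ip->ip_len >= hlen + ICMP_MINLEN && (icmp->icmp_type == ICMP_ECHOREPLY || icmp->icmp_type == ICMP_ECHO))`, keeps the read inside checked data. The enclosing switch in fr_makefrip continues outside this hunk.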
@@ -444,8 +452,16 @@ void *m; * check that we are working for the right interface */ #ifdef _KERNEL - if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) - continue; +# if BSD >= 199306 + if (fin->fin_out != 0) { + if ((fr->fr_oifa && + fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif) || + (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)) + continue; + } else +# endif + if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) + continue; #else if (opts & (OPT_VERBOSE|OPT_DEBUG)) printf("\n"); @@ -465,10 +481,12 @@ void *m; i = ((lip[0] & lm[0]) != ld[0]); FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n", lip[0], lm[0], ld[0])); - i |= ((lip[1] & lm[1]) != ld[1]) << 21; + i |= ((lip[1] & lm[1]) != ld[1]) << 19; + i ^= (fr->fr_flags & FR_NOTSRCIP); FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n", lip[1], lm[1], ld[1])); - i |= ((lip[2] & lm[2]) != ld[2]) << 22; + i |= ((lip[2] & lm[2]) != ld[2]) << 20; + i ^= (fr->fr_flags & FR_NOTDSTIP); FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n", lip[2], lm[2], ld[2])); i |= ((lip[3] & lm[3]) != ld[3]); @@ -477,7 +495,6 @@ void *m; i |= ((lip[4] & lm[4]) != ld[4]); FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n", lip[4], lm[4], ld[4])); - i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP)); if (i) continue; } 
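Review bot: The new interface check leaves `} else` dangling across `# endif`, so under `BSD < 199306` the following `if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)` is a standalone statement and under `BSD >= 199306` it becomes the else branch; it works, but it is easy to break on the next edit, and a comment such as `/* the if below is the else branch of the BSD >= 199306 block */` (or restructuring so each configuration has a complete statement) would make it robust. The outbound branch also reads `((mb_t *)m)->m_pkthdr.rcvif` without a visible check that the mbuf carries a packet header — presumably guaranteed by the caller, but worth stating in a comment. fr_scanlist starts and ends outside this hunk.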
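Review bot: `i |= ((lip[1] & lm[1]) != ld[1]) << 19; i ^= (fr->fr_flags & FR_NOTSRCIP);` and the matching `<< 20` / `FR_NOTDSTIP` pair only work if the shift count equals the bit position of the corresponding flag, a coupling that is invisible here (the removed code used 21 and 22 against `fi->fi_fl` instead). A one-line comment stating it, `/* shift must equal the bit position of FR_NOTSRCIP / FR_NOTDSTIP */`, or writing the mismatch as `((lip[1] & lm[1]) != ld[1]) ? FR_NOTSRCIP : 0` so the constant is used directly, would stop a future renumbering of the flags from silently inverting address negation.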
@@ -507,26 +524,29 @@ void *m; /* * Just log this packet... */ - if (!(skip = fr->fr_skip)) - pass = fr->fr_flags; - if ((pass & FR_CALLNOW) && fr->fr_func) - pass = (*fr->fr_func)(pass, ip, fin); + passt = fr->fr_flags; + if ((passt & FR_CALLNOW) && fr->fr_func) + passt = (*fr->fr_func)(passt, ip, fin); + fin->fin_fr = fr; #ifdef IPFILTER_LOG - if ((pass & FR_LOGMASK) == FR_LOG) { - if (!IPLLOG(fr->fr_flags, ip, fin, m)) - frstats[fin->fin_out].fr_skip++; - frstats[fin->fin_out].fr_pkl++; + if ((passt & FR_LOGMASK) == FR_LOG) { + if (!IPLLOG(passt, ip, fin, m)) { + ATOMIC_INC(frstats[fin->fin_out].fr_skip); + } + ATOMIC_INC(frstats[fin->fin_out].fr_pkl); + logged = 1; } #endif /* IPFILTER_LOG */ + if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG) + pass = passt; FR_DEBUG(("pass %#x\n", pass)); - fr->fr_hits++; + ATOMIC_INC(fr->fr_hits); if (pass & FR_ACCOUNT) fr->fr_bytes += (U_QUAD_T)ip->ip_len; else fin->fin_icode = fr->fr_icode; fin->fin_rule = rulen; fin->fin_group = fr->fr_group; - fin->fin_fr = fr; if (fr->fr_grp) { fin->fin_fr = fr->fr_grp; pass = fr_scanlist(pass, ip, fin, m); @@ -535,17 +555,21 @@ void *m; fin->fin_group = fr->fr_group; fin->fin_fr = fr; } + if (pass & FR_DONTCACHE) + logged = 1; } if (pass & FR_QUICK) break; } + if (logged) + pass |= FR_DONTCACHE; return pass; } /* * frcheck - filter check - * check using source and destination addresses/pors in a packet whether + * check using source and destination addresses/ports in a packet whether * or not to pass it on or not. */ int fr_check(ip, hlen, ifp, out @@ -567,7 +591,8 @@ int out; fr_info_t frinfo, *fc; register fr_info_t *fin = &frinfo; frentry_t *fr = NULL; - int pass, changed, apass, error = EHOSTUNREACH; + int changed, error = EHOSTUNREACH; + u_32_t pass, apass; #if !SOLARIS || !defined(_KERNEL) register mb_t *m = *mp; #endif 
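Review bot: `fr->fr_hits` is now bumped with `ATOMIC_INC`, but two lines below, `fr->fr_bytes += (U_QUAD_T)ip->ip_len;` is still a plain read-modify-write on the same shared rule, which the switch from `MUTEX_ENTER` to `READ_ENTER` elsewhere in this diff presumably allows to run concurrently; the accounting counter can lose updates unless the project has an atomic add to use there. The new ordering — `fin->fin_fr = fr;` before IPLLOG, and `pass = passt` only when `(passt & FR_LOGMASK) != FR_LOG` — is the behavioural core of this hunk and would benefit from a short comment explaining that a pure `log` rule records the packet without changing the verdict. fr_scanlist continues outside this hunk.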
@@ -580,70 +605,78 @@ int out; # endif int up; -#ifdef M_CANFASTFWD +# ifdef M_CANFASTFWD /* * XXX For now, IP Filter and fast-forwarding of cached flows * XXX are mutually exclusive. Eventually, IP Filter should * XXX get a "can-fast-forward" filter rule. */ m->m_flags &= ~M_CANFASTFWD; -#endif /* M_CANFASTFWD */ +# endif /* M_CANFASTFWD */ if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_ICMP)) { int plen = 0; - switch(ip->ip_p) - { - case IPPROTO_TCP: - plen = sizeof(tcphdr_t); - break; - case IPPROTO_UDP: - plen = sizeof(udphdr_t); - break; - case IPPROTO_ICMP: + if ((ip->ip_off & IP_OFFMASK) == 0) + switch(ip->ip_p) + { + case IPPROTO_TCP: + plen = sizeof(tcphdr_t); + break; + case IPPROTO_UDP: + plen = sizeof(udphdr_t); + break; /* 96 - enough for complete ICMP error IP header */ - plen = sizeof(struct icmp) + sizeof(ip_t) + 8; - break; - } + case IPPROTO_ICMP: + plen = ICMPERR_MAXPKTLEN - sizeof(ip_t); + break; + } up = MIN(hlen + plen, ip->ip_len); if (up > m->m_len) { -#ifdef __sgi /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */ +# ifdef __sgi + /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */ if ((up > sizeof(hbuf)) || (m_length(m) < up)) { - frstats[out].fr_pull[1]++; + ATOMIC_INC(frstats[out].fr_pull[1]); return -1; } m_copydata(m, 0, up, hbuf); - frstats[out].fr_pull[0]++; + ATOMIC_INC(frstats[out].fr_pull[0]); ip = (ip_t *)hbuf; -#else -# ifndef linux +# else /* __ sgi */ +# ifndef linux if ((*mp = m_pullup(m, up)) == 0) { - frstats[out].fr_pull[1]++; + ATOMIC_INC(frstats[out].fr_pull[1]); return -1; } else { - frstats[out].fr_pull[0]++; + ATOMIC_INC(frstats[out].fr_pull[0]); m = *mp; ip = mtod(m, ip_t *); } -# endif -#endif +# endif /* !linux */ +# endif /* __sgi */ } else up = 0; } else up = 0; -# endif +# endif /* !defined(__SVR4) && !defined(__svr4__) */ # if SOLARIS mb_t *m = qif->qf_m; + + if ((u_int)ip & 0x3) + return 2; + fin->fin_qfm = m; + fin->fin_qif = qif; # endif -#endif 
+#endif /* _KERNEL */ fr_makefrip(hlen, ip, fin); fin->fin_ifp = ifp; fin->fin_out = out; fin->fin_mp = mp; + pass = fr_pass; - MUTEX_ENTER(&ipf_mutex); + READ_ENTER(&ipf_mutex); /* * Check auth now. This, combined with the check below to see if apass @@ -655,14 +688,15 @@ int out; apass = fr_checkauth(ip, fin); if (!out) { - changed = ip_natin(ip, hlen, fin); + changed = ip_natin(ip, fin); if (!apass && (fin->fin_fr = ipacct[0][fr_active]) && - (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) - frstats[0].fr_acct++; + (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) { + ATOMIC_INC(frstats[0].fr_acct); + } } - if (apass || (!(pass = ipfr_knownfrag(ip, fin)) && - !(pass = fr_checkstate(ip, fin)))) { + if (apass || (!(fr = ipfr_knownfrag(ip, fin)) && + !(fr = fr_checkstate(ip, fin)))) { /* * If a packet is found in the auth table, then skip checking * the access lists for permission but we do need to consider @@ -676,19 +710,20 @@ int out; * earlier. */ bcopy((char *)fc, (char *)fin, FI_COPYSIZE); - frstats[out].fr_chit++; + ATOMIC_INC(frstats[out].fr_chit); if ((fr = fin->fin_fr)) { - fr->fr_hits++; + ATOMIC_INC(fr->fr_hits); pass = fr->fr_flags; - } else - pass = fr_pass; + } } else { - pass = fr_pass; if ((fin->fin_fr = ipfilter[out][fr_active])) - pass = FR_SCANLIST(fr_pass, ip, fin, m); - bcopy((char *)fin, (char *)fc, FI_COPYSIZE); - if (pass & FR_NOMATCH) - frstats[out].fr_nom++; + pass = fr_scanlist(fr_pass, ip, fin, m); + if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE))) + bcopy((char *)fin, (char *)fc, + FI_COPYSIZE); + if (pass & FR_NOMATCH) { + ATOMIC_INC(frstats[out].fr_nom); + } } fr = fin->fin_fr; } else 
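Review bot: The comment `/* 96 - enough for complete ICMP error IP header */` now sits above `case IPPROTO_ICMP:` whose value is `ICMPERR_MAXPKTLEN - sizeof(ip_t)`, so the literal 96 no longer describes the code; `/* enough for a complete ICMP error including the embedded IP header */` would stay correct. The new Solaris alignment check `if ((u_int)ip & 0x3) return 2;` returns a bare 2 from fr_check, whose other kernel returns visible here are 0, -1 or an errno; a comment on what 2 means to the caller, or a named constant, is needed. fr_check starts before this hunk and continues after it.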
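Review bot: With `MUTEX_ENTER(&ipf_mutex)` replaced by `READ_ENTER(&ipf_mutex)` earlier in fr_check, the `bcopy((char *)fin, (char *)fc, FI_COPYSIZE)` here and the `bcopy((char *)fc, (char *)fin, FI_COPYSIZE)` in the cache-hit branch above both run under a shared lock; if `fc` points into the global `frcache[2]` as the declaration at the top of the file suggests, two concurrent fr_check calls can now write and read the same cache slot at once, and a torn entry could yield the wrong rule or verdict. The new `FR_KEEPSTATE|FR_DONTCACHE` exclusion narrows what is cached but does not serialise the writes; either a dedicated lock for frcache or a comment noting that READ_ENTER is exclusive on every supported platform would settle it. fr_check continues outside this hunk.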
@@ -708,30 +743,39 @@ int out; #endif if (pass & FR_PREAUTH) { - MUTEX_ENTER(&ipf_auth); + READ_ENTER(&ipf_auth); if ((fin->fin_fr = ipauth) && - (pass = FR_SCANLIST(0, ip, fin, m))) - fr_authstats.fas_hits++; - else - fr_authstats.fas_miss++; - MUTEX_EXIT(&ipf_auth); + (pass = fr_scanlist(0, ip, fin, m))) { + ATOMIC_INC(fr_authstats.fas_hits); + } else { + ATOMIC_INC(fr_authstats.fas_miss); + } + RWLOCK_EXIT(&ipf_auth); } - if (pass & FR_KEEPFRAG) { + fin->fin_fr = fr; + if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { if (fin->fin_fi.fi_fl & FI_FRAG) { - if (ipfr_newfrag(ip, fin, pass) == -1) - frstats[out].fr_bnfr++; - else - frstats[out].fr_nfr++; - } else - frstats[out].fr_cfr++; + if (ipfr_newfrag(ip, fin, pass) == -1) { + ATOMIC_INC(frstats[out].fr_bnfr); + } else { + ATOMIC_INC(frstats[out].fr_nfr); + } + } else { + ATOMIC_INC(frstats[out].fr_cfr); + } } if (pass & FR_KEEPSTATE) { - if (fr_addstate(ip, fin, pass) == -1) - frstats[out].fr_bads++; - else - frstats[out].fr_ads++; + if (fr_addstate(ip, fin, 0) == NULL) { + ATOMIC_INC(frstats[out].fr_bads); + } else { + ATOMIC_INC(frstats[out].fr_ads); + } } + } else if (fr != NULL) { + pass = fr->fr_flags; + if (pass & FR_LOGFIRST) + pass &= ~(FR_LOGFIRST|FR_LOG); } if (fr && fr->fr_func && !(pass & FR_CALLNOW)) 
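Review bot: `fr_addstate(ip, fin, 0)` replaces a call that passed `pass` as the third argument, and nothing in the hunk says what the literal 0 means or why the rule flags are no longer forwarded; a short comment, or a named constant for that argument, would let a reader check it against fr_addstate. The new `else if (fr != NULL)` branch for packets matched through the fragment or state table takes `pass = fr->fr_flags` from the stored rule pointer, so a comment stating that the rule stays alive for the lifetime of the entry (or noting that it does not) would help, since that is what keeps the read from dangling after a rule flush. fr_check continues outside this hunk.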
@@ -743,34 +787,35 @@ int out; */ if (out && (pass & FR_PASS)) { if ((fin->fin_fr = ipacct[1][fr_active]) && - (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) - frstats[1].fr_acct++; - fin->fin_fr = NULL; - changed = ip_natout(ip, hlen, fin); - } - fin->fin_fr = fr; - MUTEX_EXIT(&ipf_mutex); + (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) { + ATOMIC_INC(frstats[1].fr_acct); + } + fin->fin_fr = fr; + changed = ip_natout(ip, fin); + } else + fin->fin_fr = fr; + RWLOCK_EXIT(&ipf_mutex); #ifdef IPFILTER_LOG if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) { if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) { pass |= FF_LOGNOMATCH; - frstats[out].fr_npkl++; + ATOMIC_INC(frstats[out].fr_npkl); goto logit; } else if (((pass & FR_LOGMASK) == FR_LOGP) || ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) { if ((pass & FR_LOGMASK) != FR_LOGP) pass |= FF_LOGPASS; - frstats[out].fr_ppkl++; + ATOMIC_INC(frstats[out].fr_ppkl); goto logit; } else if (((pass & FR_LOGMASK) == FR_LOGB) || ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) { if ((pass & FR_LOGMASK) != FR_LOGB) pass |= FF_LOGBLOCK; - frstats[out].fr_bpkl++; + ATOMIC_INC(frstats[out].fr_bpkl); logit: if (!IPLLOG(pass, ip, fin, m)) { - frstats[out].fr_skip++; + ATOMIC_INC(frstats[out].fr_skip); if ((pass & (FR_PASS|FR_LOGORBLOCK)) == (FR_PASS|FR_LOGORBLOCK)) pass ^= FR_PASS|FR_BLOCK; @@ -795,10 +840,10 @@ logit: # endif # endif #endif - if (pass & FR_PASS) - frstats[out].fr_pass++; - else if (pass & FR_BLOCK) { - frstats[out].fr_block++; + if (pass & FR_PASS) { + ATOMIC_INC(frstats[out].fr_pass); + } else if (pass & FR_BLOCK) { + ATOMIC_INC(frstats[out].fr_block); /* * Should we return an ICMP packet to indicate error * status passing through the packet filter ? 
@@ -810,29 +855,37 @@ logit: if (!out) { #ifdef _KERNEL if (pass & FR_RETICMP) { + struct in_addr dst; + + if ((pass & FR_RETMASK) == FR_FAKEICMP) + dst = ip->ip_dst; + else + dst.s_addr = 0; # if SOLARIS ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode, - qif, ip->ip_src); + qif, dst); # else ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode, - ifp, ip->ip_src); - m = *mp = NULL; /* freed by icmp_error() */ + ifp, dst); # endif - - frstats[0].fr_ret++; - } else if ((pass & FR_RETRST) && + ATOMIC_INC(frstats[0].fr_ret); + } else if (((pass & FR_RETMASK) == FR_RETRST) && !(fin->fin_fi.fi_fl & FI_SHORT)) { - if (SEND_RESET(ip, qif, ifp) == 0) - frstats[1].fr_ret++; + if (SEND_RESET(ip, qif, ifp, fin) == 0) { + ATOMIC_INC(frstats[1].fr_ret); + } } #else - if (pass & FR_RETICMP) { + if ((pass & FR_RETMASK) == FR_RETICMP) { verbose("- ICMP unreachable sent\n"); - frstats[0].fr_ret++; - } else if ((pass & FR_RETRST) && + ATOMIC_INC(frstats[0].fr_ret); + } else if ((pass & FR_RETMASK) == FR_FAKEICMP) { + verbose("- forged ICMP unreachable sent\n"); + ATOMIC_INC(frstats[0].fr_ret); + } else if (((pass & FR_RETMASK) == FR_RETRST) && !(fin->fin_fi.fi_fl & FI_SHORT)) { verbose("- TCP RST sent\n"); - frstats[1].fr_ret++; + ATOMIC_INC(frstats[1].fr_ret); } #endif } else { @@ -854,10 +907,10 @@ logit: if (fr) { frdest_t *fdp = &fr->fr_tif; - if ((pass & FR_FASTROUTE) || + if (((pass & FR_FASTROUTE) && !out) || (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { - ipfr_fastroute(m, fin, fdp); - m = *mp = NULL; + if (ipfr_fastroute(m, fin, fdp) == 0) + m = *mp = NULL; } if (mc) ipfr_fastroute(mc, fin, &fr->fr_dif); 
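Review bot: The kernel branch selects the ICMP reply with a bit test, `if (pass & FR_RETICMP)`, while the new user-space branch below it uses `(pass & FR_RETMASK) == FR_RETICMP` and `== FR_FAKEICMP`; the two are only equivalent if FR_RETICMP is a bit shared by FR_FAKEICMP and by nothing else within FR_RETMASK, so ipftest may report a different action than the kernel takes for the same rule. Using the same `(pass & FR_RETMASK)` comparisons in the kernel branch removes the doubt, and `dst.s_addr = 0` deserves a comment on what a zero address means to ICMP_ERROR, e.g. `/* 0: let the ICMP sender pick the source address */` if that is the contract. fr_check continues outside this hunk.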
@@ -869,21 +922,20 @@ logit: m_copyback(m, 0, up, hbuf); # endif # endif /* !linux */ - return (pass & FR_PASS) ? 0 : error; # else /* !SOLARIS */ if (fr) { frdest_t *fdp = &fr->fr_tif; - if ((pass & FR_FASTROUTE) || + if (((pass & FR_FASTROUTE) && !out) || (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { - ipfr_fastroute(qif, ip, m, mp, fin, fdp); - m = *mp = NULL; + if (ipfr_fastroute(qif, ip, m, mp, fin, fdp) == 0) + m = *mp = NULL; } if (mc) ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif); } - return (pass & FR_PASS) ? changed : error; # endif /* !SOLARIS */ + return (pass & FR_PASS) ? 0 : error; #else /* _KERNEL */ if (pass & FR_NOMATCH) return 1; 
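Review bot: Consolidating the two returns into `return (pass & FR_PASS) ? 0 : error;` drops the Solaris `return (pass & FR_PASS) ? changed : error;`, so `changed`, still assigned from ip_natin and ip_natout earlier in fr_check, is no longer read on any kernel path visible in this diff. If the NAT-modified indication is genuinely unneeded the variable and its assignments should go (a set-but-unused local may also trip -Werror builds); if Solaris callers relied on the non-zero value, that is a behaviour change worth a line in the commit message. fr_check continues outside this hunk.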
@@ -928,76 +980,92 @@ register int len; * and the TCP header. We also assume that data blocks aren't allocated in * odd sizes. */ -u_short fr_tcpsum(m, ip, tcp, len) +u_short fr_tcpsum(m, ip, tcp) mb_t *m; ip_t *ip; tcphdr_t *tcp; -int len; +{ + u_short *sp, slen, ts; + u_int sum, sum2; + int hlen; + + /* + * Add up IP Header portion + */ + hlen = ip->ip_hl << 2; + slen = ip->ip_len - hlen; + sum = htons((u_short)ip->ip_p); + sum += htons(slen); + sp = (u_short *)&ip->ip_src; + sum += *sp++; /* ip_src */ + sum += *sp++; + sum += *sp++; /* ip_dst */ + sum += *sp++; + ts = tcp->th_sum; + tcp->th_sum = 0; +#ifdef KERNEL +# if SOLARIS + sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */ + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = ~sum2 & 0xffff; +# else /* SOLARIS */ +# if defined(BSD) || defined(sun) +# if BSD >= 199306 + m->m_data += hlen; +# else + m->m_off += hlen; +# endif + m->m_len -= hlen; + sum2 = in_cksum(m, slen); + m->m_len += hlen; +# if BSD >= 199306 + m->m_data -= hlen; +# else + m->m_off -= hlen; +# endif + /* + * Both sum and sum2 are partial sums, so combine them together. 
+ */ + sum = (sum & 0xffff) + (sum >> 16); + sum = ~sum & 0xffff; + sum2 += sum; + sum2 = (sum2 & 0xffff) + (sum2 >> 16); +# else /* defined(BSD) || defined(sun) */ { union { u_char c[2]; u_short s; } bytes; - u_32_t sum; - u_short *sp; -# if SOLARIS || defined(__sgi) - int add, hlen; -# endif - -# if SOLARIS - /* skip any leading M_PROTOs */ - while(m && (MTYPE(m) != M_DATA)) - m = m->b_cont; - PANIC((!m),("fr_tcpsum: no M_DATA")); + u_short len = ip->ip_len; +# if defined(__sgi) + int add; # endif /* * Add up IP Header portion */ - bytes.c[0] = 0; - bytes.c[1] = IPPROTO_TCP; - len -= (ip->ip_hl << 2); - sum = bytes.s; - sum += htons((u_short)len); sp = (u_short *)&ip->ip_src; + len -= (ip->ip_hl << 2); + sum = ntohs(IPPROTO_TCP); + sum += htons(len); + sum += *sp++; /* ip_src */ sum += *sp++; - sum += *sp++; - sum += *sp++; + sum += *sp++; /* ip_dst */ sum += *sp++; if (sp != (u_short *)tcp) sp = (u_short *)tcp; + sum += *sp++; /* sport */ + sum += *sp++; /* dport */ + sum += *sp++; /* seq */ sum += *sp++; + sum += *sp++; /* ack */ sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp; - sp += 2; /* Skip over checksum */ - sum += *sp++; + sum += *sp++; /* off */ + sum += *sp++; /* win */ + sum += *sp++; /* Skip over checksum */ + sum += *sp++; /* urp */ -#if SOLARIS - /* - * In case we had to copy the IP & TCP header out of mblks, - * skip over the mblk bits which are the header - */ - if ((caddr_t)ip != (caddr_t)m->b_rptr) { - hlen = (caddr_t)sp - (caddr_t)ip; - while (hlen) { - add = MIN(hlen, m->b_wptr - m->b_rptr); - sp = (u_short *)((caddr_t)m->b_rptr + add); - hlen -= add; - if ((caddr_t)sp >= (caddr_t)m->b_wptr) { - m = m->b_cont; - PANIC((!m),("fr_tcpsum: not enough data")); - if (!hlen) - sp = (u_short *)m->b_rptr; - } - } - } -#endif -#ifdef __sgi +# ifdef __sgi /* * In case we had to copy the IP & TCP header out of mbufs, * skip over the mbuf bits which are the header 
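Review bot: `slen = ip->ip_len - hlen;` stores into a `u_short` with no check that `ip_len >= hlen`, so a packet whose header length field exceeds its total length wraps `slen` to nearly 64K and `in_cksum(m, slen)` / `ip_cksum(m, hlen, sum)` are asked to sum far more than the chain holds; unless every caller already guarantees `ip_len >= hlen + sizeof(*tcp)`, bail out before computing `slen` and treat the packet as a checksum mismatch. The function also writes `tcp->th_sum = 0` into the packet and restores it from `ts` at the end, so the header is transiently modified in place; a comment on that line, e.g. `/* zeroed for the computation; restored from ts before return */`, would make the side effect visible. The function's tail is in the next hunk.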
@@ -1008,52 +1076,57 @@ int len; add = MIN(hlen, m->m_len); sp = (u_short *)(mtod(m, caddr_t) + add); hlen -= add; - if (add >= m->m_len) { + if (add == m->m_len) { m = m->m_next; - PANIC((!m),("fr_tcpsum: not enough data")); - if (!hlen) + if (!hlen) { + if (!m) + break; sp = mtod(m, u_short *); + } + PANIC((!m),("fr_tcpsum(1): not enough data")); } } } -#endif +# endif if (!(len -= sizeof(*tcp))) goto nodata; - while (len > 0) { -#if SOLARIS - while ((caddr_t)sp >= (caddr_t)m->b_wptr) { - m = m->b_cont; - PANIC((!m),("fr_tcpsum: not enough data")); - sp = (u_short *)m->b_rptr; + while (len > 1) { + if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { + m = m->m_next; + PANIC((!m),("fr_tcpsum(2): not enough data")); + sp = mtod(m, u_short *); } -#else - while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) - { + if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) { + bytes.c[0] = *(u_char *)sp; m = m->m_next; - PANIC((!m),("fr_tcpsum: not enough data")); + PANIC((!m),("fr_tcpsum(3): not enough data")); sp = mtod(m, u_short *); + bytes.c[1] = *(u_char *)sp; + sum += bytes.s; + sp = (u_short *)((u_char *)sp + 1); } -#endif /* SOLARIS */ - if (len < 2) - break; - if((u_32_t)sp & 1) { + if ((u_long)sp & 1) { bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); sum += bytes.s; } else sum += *sp++; len -= 2; } - if (len) { - bytes.c[1] = 0; - bytes.c[0] = *(u_char *)sp; - sum += bytes.s; - } + if (len) + sum += ntohs(*(u_char *)sp << 8); nodata: - sum = (sum >> 16) + (sum & 0xffff); - sum += (sum >> 16); - sum = (u_short)((~sum) & 0xffff); - return sum; + while (sum > 0xffff) + sum = (sum & 0xffff) + (sum >> 16); + sum2 = (u_short)(~sum & 0xffff); +} +# endif /* defined(BSD) || defined(sun) */ +# endif /* SOLARIS */ +#else /* KERNEL */ + sum2 = 0; +#endif /* KERNEL */ + tcp->th_sum = ts; + return sum2; } 
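Review bot: `PANIC((!m),("fr_tcpsum(2): not enough data"))` and `(3)` fire whenever the mbuf chain is shorter than `len`, and `len` is derived from `ip->ip_len`, which comes from the packet; a truncated or forged segment that reaches this function with fewer bytes than its header claims would therefore bring the kernel down instead of being dropped, unless every caller has already compared the chain length with ip_len. State that precondition at the top of the loop, e.g. `/* callers must have verified the chain holds ip_len bytes; a short chain panics here */`, or check it once before the loop and return a mismatching sum. In the `__sgi` header-skip block, the new `if (!hlen) { if (!m) break; ... }` lets `m == NULL` escape the PANIC and reach `mtod(m, caddr_t)` in the data loop when `len` still claims payload, which is a null dereference rather than a diagnostic. The loop head is in the previous hunk.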
@@ -1091,7 +1164,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $ + * $Id: fil.c,v 2.3.2.7 1999/10/21 14:21:40 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1191,9 +1264,10 @@ out: frgroup_t *fr_findgroup(num, flags, which, set, fgpp) -u_short num; +u_int num; u_32_t flags; -int which, set; +minor_t which; +int set; frgroup_t ***fgpp; { frgroup_t *fg, **fgp; @@ -1206,6 +1280,7 @@ frgroup_t ***fgpp; fgp = &ipfgroups[0][set]; else return NULL; + num &= 0xffff; while ((fg = *fgp)) if (fg->fg_num == num) @@ -1219,18 +1294,19 @@ frgroup_t ***fgpp; frgroup_t *fr_addgroup(num, fp, which, set) -u_short num; +u_int num; frentry_t *fp; -int which, set; +minor_t which; +int set; { frgroup_t *fg, **fgp; if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp))) return fg; - KMALLOC(fg, frgroup_t *, sizeof(*fg)); + KMALLOC(fg, frgroup_t *); if (fg) { - fg->fg_num = num; + fg->fg_num = num & 0xffff; fg->fg_next = *fgp; fg->fg_head = fp; fg->fg_start = &fp->fr_grp; @@ -1241,9 +1317,10 @@ int which, set; void fr_delgroup(num, flags, which, set) -u_short num; +u_int num; u_32_t flags; -int which, set; +minor_t which; +int set; { frgroup_t *fg, **fgp; 
@@ -1261,62 +1338,210 @@ int which, set; * encountered. if a rule is the head of a group and it has lost all its * group members, then also delete the group reference. */ -static int frflushlist(set, unit, nfreedp, list, listp) -int set, unit, *nfreedp; -frentry_t *list, **listp; +static int frflushlist(set, unit, nfreedp, listp) +int set; +minor_t unit; +int *nfreedp; +frentry_t **listp; { - register frentry_t *fp = list, *fpn; - register int freed = 0; + register int freed = 0, i; + register frentry_t *fp; - while (fp) { - fpn = fp->fr_next; + while ((fp = *listp)) { + *listp = fp->fr_next; if (fp->fr_grp) { - fp->fr_ref -= frflushlist(set, unit, nfreedp, - fp->fr_grp, &fp->fr_grp); + i = frflushlist(set, unit, nfreedp, &fp->fr_grp); + MUTEX_ENTER(&ipf_rw); + fp->fr_ref -= i; + MUTEX_EXIT(&ipf_rw); } - if (fp->fr_ref == 1) { + ATOMIC_DEC(fp->fr_ref); + if (fp->fr_ref == 0) { if (fp->fr_grhead) - fr_delgroup(fp->fr_grhead, fp->fr_flags, unit, - set); + fr_delgroup((u_int)fp->fr_grhead, fp->fr_flags, + unit, set); KFREE(fp); - *listp = fpn; - freed++; - } - fp = fpn; + } else + fp->fr_next = NULL; + freed++; } *nfreedp += freed; return freed; } -void frflush(unit, result) -int unit; -int *result; +int frflush(unit, flags) +minor_t unit; +int flags; { - int flags = *result, flushed = 0, set = fr_active; + int flushed = 0, set; + if (unit != IPL_LOGIPF) + return 0; + WRITE_ENTER(&ipf_mutex); bzero((char *)frcache, sizeof(frcache[0]) * 2); + set = fr_active; if (flags & FR_INACTIVE) set = 1 - set; - if (unit == IPL_LOGIPF) { - if (flags & FR_OUTQUE) { - (void) frflushlist(set, unit, &flushed, - ipfilter[1][set], - &ipfilter[1][set]); - (void) frflushlist(set, unit, &flushed, - ipacct[1][set], &ipacct[1][set]); - } - if (flags & FR_INQUE) { - (void) frflushlist(set, unit, &flushed, - ipfilter[0][set], - &ipfilter[0][set]); - (void) frflushlist(set, unit, &flushed, - ipacct[0][set], &ipacct[0][set]); + if (flags & FR_OUTQUE) { + (void) frflushlist(set, unit, &flushed, 
&ipfilter[1][set]); + (void) frflushlist(set, unit, &flushed, &ipacct[1][set]); + } + if (flags & FR_INQUE) { + (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]); + (void) frflushlist(set, unit, &flushed, &ipacct[0][set]); + } + RWLOCK_EXIT(&ipf_mutex); + return flushed; +} + + +char *memstr(src, dst, slen, dlen) +char *src, *dst; +int slen, dlen; +{ + char *s = NULL; + + while (dlen >= slen) { + if (bcmp(src, dst, slen) == 0) { + s = dst; + break; } + dst++; + dlen--; } + return s; +} + + +void fixskip(listp, rp, addremove) +frentry_t **listp, *rp; +int addremove; +{ + frentry_t *fp; + int rules = 0, rn = 0; + + for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++) + ; + + if (!fp) + return; + + for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) + if (fp->fr_skip && (rn + fp->fr_skip >= rules)) + fp->fr_skip += addremove; +} + + +#ifdef _KERNEL +/* + * count consecutive 1's in bit mask. If the mask generated by counting + * consecutive 1's is different to that passed, return -1, else return # + * of bits. 
+ */ +int countbits(ip) +u_32_t ip; +{ + u_32_t ipn; + int cnt = 0, i, j; + + ip = ipn = ntohl(ip); + for (i = 32; i; i--, ipn *= 2) + if (ipn & 0x80000000) + cnt++; + else + break; + ipn = 0; + for (i = 32, j = cnt; i; i--, j--) { + ipn *= 2; + if (j > 0) + ipn++; + } + if (ipn == ip) + return cnt; + return -1; +} - *result = flushed; + +/* + * return the first IP Address associated with an interface + */ +int fr_ifpaddr(ifptr, inp) +void *ifptr; +struct in_addr *inp; +{ +# if SOLARIS + ill_t *ill = ifptr; +# else + struct ifnet *ifp = ifptr; +# endif + struct in_addr in; + +# if SOLARIS + in.s_addr = ill->ill_ipif->ipif_local_addr; +# else /* SOLARIS */ +# if linux + ; +# else /* linux */ + struct ifaddr *ifa; + struct sockaddr_in *sin; + +# if (__FreeBSD_version >= 300000) + ifa = TAILQ_FIRST(&ifp->if_addrhead); +# else +# if defined(__NetBSD__) || defined(__OpenBSD__) + ifa = ifp->if_addrlist.tqh_first; +# else +# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ + ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa; +# else + ifa = ifp->if_addrlist; +# endif +# endif /* __NetBSD__ || __OpenBSD__ */ +# endif /* __FreeBSD_version >= 300000 */ +# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK)) + sin = (struct sockaddr_in *)&ifa->ifa_addr; +# else + sin = (struct sockaddr_in *)ifa->ifa_addr; + while (sin && ifa && + sin->sin_family != AF_INET) { +# if (__FreeBSD_version >= 300000) + ifa = TAILQ_NEXT(ifa, ifa_link); +# else +# if defined(__NetBSD__) || defined(__OpenBSD__) + ifa = ifa->ifa_list.tqe_next; +# else + ifa = ifa->ifa_next; +# endif +# endif /* __FreeBSD_version >= 300000 */ + if (ifa) + sin = (struct sockaddr_in *)ifa->ifa_addr; + } + if (ifa == NULL) + sin = NULL; + if (sin == NULL) + return -1; +# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */ + in = sin->sin_addr; +# endif /* linux */ +# endif /* SOLARIS */ + in.s_addr = ntohl(in.s_addr); + *inp = in; + return 0; +} +#else + + +/* + * return the first IP Address 
associated with an interface + */ +int fr_ifpaddr(ifptr, inp) +void *ifptr; +struct in_addr *inp; +{ + return 0; } +#endif diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index cfcfd99..55382c5 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -1,15 +1,17 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ - +#ifdef __FreeBSD__ +# include <osreldate.h> +#endif #include <stdio.h> #include <string.h> #if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> +# include <strings.h> #endif #include <sys/types.h> #include <sys/time.h> @@ -27,6 +29,9 @@ #include <netinet/in_systm.h> #include <netinet/ip.h> #include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> @@ -41,17 +46,12 @@ #include "netinet/ip_auth.h" #include "kmem.h" #if defined(__NetBSD__) || (__OpenBSD__) -#include <paths.h> +# include <paths.h> #endif #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $"; -#endif -#ifdef _PATH_UNIX -#define VMUNIX _PATH_UNIX -#else -#define VMUNIX "/vmunix" +static const char rcsid[] = "@(#)$Id: fils.c,v 2.2.2.3 1999/10/05 12:57:37 darrenr Exp $"; #endif extern char *optarg; @@ -72,8 +72,10 @@ static void showfrstates __P((int, ipfrstat_t *)); static void showlist __P((friostat_t *)); static void showipstates __P((int, ips_stat_t *)); static void showauthstates __P((int, fr_authstat_t *)); +static void showgroups __P((friostat_t *)); static void Usage __P((char *)); static void printlist __P((frentry_t *)); +static char *get_ifname __P((void *)); static void Usage(name) 
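Review bot: The non-kernel `fr_ifpaddr` stub at the end of the hunk returns 0 — the same success value the kernel version returns after filling `*inp` — without writing `*inp`, so a user-space caller that trusts the 0 reads an uninitialised `struct in_addr`; store a value (`inp->s_addr = 0;` before the return) or return -1 as the kernel path does when no address is found. In the kernel version the `BSD < 199306` branch does `sin = (struct sockaddr_in *)&ifa->ifa_addr;` without the `ifa` NULL check that the list-walking branch performs. `in.s_addr = ntohl(in.s_addr)` also means the address comes back in host order, which is unusual for a `struct in_addr` and deserves a line in the function comment.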
@@ -101,7 +103,7 @@ char *argv[]; (void)setuid(getuid()); (void)setgid(getgid()); - while ((c = getopt(argc, argv, "aAfhIinosvd:")) != -1) + while ((c = getopt(argc, argv, "aAfghIinosvd:")) != -1) { switch (c) { @@ -117,6 +119,9 @@ char *argv[]; case 'f' : opts |= OPT_FRSTATES; break; + case 'g' : + opts |= OPT_GROUPS; + break; case 'h' : opts |= OPT_HITS; break; @@ -197,6 +202,8 @@ char *argv[]; showfrstates(fd, &ifrst); else if (opts & OPT_AUTHSTATS) showauthstates(fd, &frauthst); + else if (opts & OPT_GROUPS) + showgroups(&fio); else showstats(fd, &fio); } @@ -211,7 +218,7 @@ static void showstats(fd, fp) int fd; struct friostat *fp; { - int frf = 0; + u_32_t frf = 0; if (ioctl(fd, SIOCGETFF, &frf) == -1) perror("ioctl(SIOCGETFF)"); @@ -219,6 +226,10 @@ struct friostat *fp; #if SOLARIS PRINTF("dropped packets:\tin %lu\tout %lu\n", fp->f_st[0].fr_drop, fp->f_st[1].fr_drop); + PRINTF("non-data packets:\tin %lu\tout %lu\n", + fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata); + PRINTF("no-data packets:\tin %lu\tout %lu\n", + fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata); PRINTF("non-ip packets:\t\tin %lu\tout %lu\n", fp->f_st[0].fr_notip, fp->f_st[1].fr_notip); PRINTF(" bad packets:\t\tin %lu\tout %lu\n", 
@@ -365,19 +376,19 @@ ips_stat_t *ipsp; PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss); - PRINTF("\t%lu maximum\n\t%lu no memory\n", - ipsp->iss_max, ipsp->iss_nomem); + PRINTF("\t%lu maximum\n\t%lu no memory\n\tbuckets in use\t%lu\n", + ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin); if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab))) return; - for (i = 0; i < IPSTATE_SIZE; i++) + for (i = 0; i < IPSTATE_SIZE; i++) { while (istab[i]) { if (kmemcpy((char *)&ips, (u_long)istab[i], sizeof(ips)) == -1) break; PRINTF("%s -> ", inet_ntoa(ips.is_src)); - PRINTF("%s ttl %ld pass %d pr %d state %d/%d\n", + PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n", inet_ntoa(ips.is_dst), ips.is_age, ips.is_pass, ips.is_p, ips.is_state[0], ips.is_state[1]); 
@@ -389,30 +400,48 @@ ips_stat_t *ipsp; ips.is_pkts, ips.is_bytes); #endif if (ips.is_p == IPPROTO_TCP) - PRINTF("\t%hu -> %hu %lu:%lu %hu:%hu\n", +#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ + (__FreeBSD_version >= 220000) || defined(__OpenBSD__) + PRINTF("\t%hu -> %hu %x:%x %hu:%hu", ntohs(ips.is_sport), ntohs(ips.is_dport), - ips.is_seq, ips.is_ack, - ips.is_swin, ips.is_dwin); + ips.is_send, ips.is_dend, + ips.is_maxswin, ips.is_maxdwin); +#else + PRINTF("\t%hu -> %hu %lx:%lx %hu:%hu", + ntohs(ips.is_sport), + ntohs(ips.is_dport), + ips.is_send, ips.is_dend, + ips.is_maxswin, ips.is_maxdwin); +#endif else if (ips.is_p == IPPROTO_UDP) - PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport), + PRINTF(" %hu -> %hu", ntohs(ips.is_sport), ntohs(ips.is_dport)); else if (ips.is_p == IPPROTO_ICMP) - PRINTF(" %hu %hu %d\n", ips.is_icmp.ics_id, + PRINTF(" %hu %hu %d", ips.is_icmp.ics_id, ips.is_icmp.ics_seq, ips.is_icmp.ics_type); - /* phil@ultimate.com ... */ - PRINTF("\t"); - /* from "printfr()" */ + PRINTF("\n\t"); + if (ips.is_pass & FR_PASS) { PRINTF("pass"); } else if (ips.is_pass & FR_BLOCK) { PRINTF("block"); - if (ips.is_pass & FR_RETICMP) + switch (ips.is_pass & FR_RETMASK) + { + case FR_RETICMP : PRINTF(" return-icmp"); - if (ips.is_pass & FR_RETRST) + break; + case FR_FAKEICMP : + PRINTF(" return-icmp-as-dest"); + break; + case FR_RETRST : PRINTF(" return-rst"); + break; + default : + break; + } } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) { PRINTF("log"); if (ips.is_pass & FR_LOGBODY) @@ -427,7 +456,7 @@ ips_stat_t *ipsp; else PRINTF(" in"); - if ((ips.is_pass & (FR_LOGB|FR_LOGP)) != 0) { + if ((ips.is_pass & FR_LOG) != 0) { PRINTF(" log"); if (ips.is_pass & FR_LOGBODY) PRINTF(" body"); 
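Review bot: The new `#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || (__FreeBSD_version >= 220000) || defined(__OpenBSD__)` relies on `&&` binding tighter than `||`; that is the intended grouping, but parenthesising the NetBSD clause would make it explicit. Within it, `1991011` has one more digit than `199905`, so the upper bound never excludes any six-digit NetBSD value — please check whether another constant was meant. The same expression is repeated twice in get_ifname in the @@ -496 hunk of this file, so a single `#define` near the top of fils.c would keep the three copies in step. The enclosing loop starts outside the hunk.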
@@ -444,10 +473,21 @@ ips_stat_t *ipsp; if (ips.is_pass & FR_KEEPSTATE) PRINTF(" keep state"); PRINTF("\n"); - /* ... phil@ultimate.com */ + PRINTF("\tpkt_flags & %x = %x,\t", ips.is_flags & 0xf, + ips.is_flags >> 4); + PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk, + ips.is_opt); + PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", + ips.is_secmsk, ips.is_sec, ips.is_authmsk, + ips.is_auth); istab[i] = ips.is_next; + PRINTF("interfaces: in %s[%p] ", + get_ifname(ips.is_ifpin), ips.is_ifpin); + PRINTF("out %s[%p]\n", + get_ifname(ips.is_ifpout), ips.is_ifpout); } + } } @@ -456,6 +496,7 @@ int fd; ipfrstat_t *ifsp; { struct ipfr *ipfrtab[IPFT_SIZE], ifr; + frentry_t fr; int i; PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n", @@ -471,10 +512,13 @@ ipfrstat_t *ifsp; sizeof(ifr)) == -1) break; PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src)); + if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, + sizeof(fr)) == -1) + break; PRINTF("%s %d %d %d %#02x = %#x\n", inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id, ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, - ifr.ipfr_pass); + fr.fr_flags); ipfrtab[i] = ifr.ipfr_next; } } @@ -484,6 +528,8 @@ static void showauthstates(fd, asp) int fd; fr_authstat_t *asp; { + frauthent_t *frap, fra; + #ifdef USE_QUAD_T printf("Authorisation hits: %qd\tmisses %qd\n", asp->fas_hits, asp->fas_miss); 
@@ -496,4 +542,98 @@ fr_authstat_t *asp; asp->fas_sendok); printf("queok %ld\nquefail %ld\nexpire %ld\n", asp->fas_queok, asp->fas_quefail, asp->fas_expire); + + frap = asp->fas_faelist; + while (frap) { + if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1) + break; + + printf("age %ld\t", fra.fae_age); + printfr(&fra.fae_fr); + frap = fra.fae_next; + } +} + + +static char *get_ifname(ptr) +void *ptr; +{ +#if SOLARIS + char *ifname; + ill_t ill; + + if (ptr == (void *)-1) + return "!"; + if (ptr == NULL) + return "-"; + + if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1) + return "X"; + ifname = malloc(ill.ill_name_length + 1); + if (kmemcpy(ifname, (u_long)ill.ill_name, + ill.ill_name_length) == -1) + return "X"; + return ifname; +#else +# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ + defined(__OpenBSD__) +#else + char buf[32]; + int len; +# endif + struct ifnet netif; + + if (ptr == (void *)-1) + return "!"; + if (ptr == NULL) + return "-"; + + if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1) + return "X"; +# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ + defined(__OpenBSD__) + return strdup(netif.if_xname); +# else + if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1) + return "X"; + if (netif.if_unit < 10) + len = 2; + else if (netif.if_unit < 1000) + len = 3; + else if (netif.if_unit < 10000) + len = 4; + else + len = 5; + buf[sizeof(buf) - len] = '\0'; + sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000); + return strdup(buf); +# endif +#endif +} + + +static void showgroups(fiop) +struct friostat *fiop; +{ + static char *gnames[3] = { "Filter", "Accounting", "Authentication" }; + frgroup_t *fp, grp; + int on, off, i; + + on = fiop->f_active; + off = 1 - on; + + for (i = 0; i < 3; i++) { + printf("%s groups (active):\n", gnames[i]); + for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next) + if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) + break; + else + 
printf("%hu\n", grp.fg_num); + printf("%s groups (inactive):\n", gnames[i]); + for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next) + if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) + break; + else + printf("%hu\n", grp.fg_num); + } } diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c index e7ca501..49278a8 100644 --- a/contrib/ipfilter/inet_addr.c +++ b/contrib/ipfilter/inet_addr.c @@ -55,7 +55,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.0.2.6 1997/10/19 15:39:21 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1 1999/08/04 17:29:54 darrenr Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/param.h> diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index bdb3114..443eefe 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -1,23 +1,24 @@ /* - * Copyright (C) 1997 by Darren Reed & Guido van Rooij. + * Copyright (C) 1998 by Darren Reed & Guido van Rooij. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $"; #endif -#if !defined(_KERNEL) && !defined(KERNEL) -# include <stdlib.h> -# include <string.h> -#endif #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> +#if !defined(_KERNEL) && !defined(KERNEL) +# include <stdio.h> +# include <stdlib.h> +# include <string.h> +#endif #if defined(KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> 
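Review bot: In the Solaris branch of get_ifname the buffer from `malloc(ill.ill_name_length + 1)` is never NUL-terminated — kmemcpy fills only `ill_name_length` bytes — and the malloc result is not checked, so the `%s` in showipstates reads past the name; add `ifname[ill.ill_name_length] = '\0';` after the copy and a NULL check before it. In the BSD branch `len` is one byte short for units of 100..9999: three or four digits plus the terminator need `len + 1` bytes, so with a 29-character `if_name` the `sprintf` writes `buf[32]`; reserve digits+1 (3, 4 and 5 for those ranges) or use snprintf on the remaining space. Both returned strings are leaked by the callers, which is tolerable in a one-shot tool but worth a note in the function comment.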
@@ -39,34 +40,39 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43: #else # include <sys/filio.h> # include <sys/byteorder.h> -# include <sys/dditypes.h> +# ifdef _KERNEL +# include <sys/dditypes.h> +# endif # include <sys/stream.h> # include <sys/kmem.h> #endif +#if _BSDI_VERSION >= 199802 +# include <sys/queue.h> +#endif #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) # include <machine/cpu.h> #endif #include <net/if.h> #ifdef sun -#include <net/af.h> +# include <net/af.h> #endif #include <net/route.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #ifndef KERNEL -#define KERNEL -#define NOT_KERNEL +# define KERNEL +# define NOT_KERNEL #endif #ifndef linux # include <netinet/ip_var.h> #endif #ifdef NOT_KERNEL -#undef KERNEL +# undef KERNEL #endif #ifdef __sgi # ifdef IFF_DRVRLOCK /* IRIX6 */ -#include <sys/hashing.h> +# include <sys/hashing.h> # endif #endif #include <netinet/tcp.h> @@ -74,6 +80,9 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43: extern struct ifqueue ipintrq; /* ip packet input queue */ #else # ifndef linux +# if __FreeBSD_version >= 300000 +# include <net/if_var.h> +# endif # include <netinet/in_var.h> # include <netinet/tcp_fsm.h> # endif @@ -90,10 +99,19 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ # include <machine/cpufunc.h> # endif #endif +#if (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM) +# include <sys/libkern.h> +# include <sys/systm.h> +# endif +#endif + #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) -extern kmutex_t ipf_auth; +extern KRWLOCK_T ipf_auth; +extern kmutex_t ipf_authmx; # if SOLARIS extern kcondvar_t ipfauthwait; # endif 
@@ -118,7 +136,7 @@ frentry_t *ipauth = NULL; * authorization result and that would result in a feedback loop (i.e. it * will end up returning FR_AUTH) then return FR_BLOCK instead. */ -int fr_checkauth(ip, fin) +u_32_t fr_checkauth(ip, fin) ip_t *ip; fr_info_t *fin; { @@ -126,7 +144,7 @@ fr_info_t *fin; u_32_t pass; int i; - MUTEX_ENTER(&ipf_auth); + READ_ENTER(&ipf_auth); for (i = fr_authstart; i != fr_authend; ) { /* * index becomes -2 only after an SIOCAUTHW. Check this in @@ -141,6 +159,8 @@ fr_info_t *fin; */ if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH)) pass = FR_BLOCK; + RWLOCK_EXIT(&ipf_auth); + WRITE_ENTER(&ipf_auth); fr_authstats.fas_hits++; fr_auth[i].fra_index = -1; fr_authused--; @@ -158,7 +178,7 @@ fr_info_t *fin; fr_authstart = fr_authend = 0; } } - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); return pass; } i++; @@ -166,7 +186,7 @@ fr_info_t *fin; i = 0; } fr_authstats.fas_miss++; - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); return 0; } @@ -189,16 +209,17 @@ ip_t *ip; { int i; - MUTEX_ENTER(&ipf_auth); - if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) { + WRITE_ENTER(&ipf_auth); + if (fr_authstart > fr_authend) { fr_authstats.fas_nospace++; - MUTEX_EXIT(&ipf_auth); - return 0; - } - if (fr_authend - fr_authstart == FR_NUMAUTH - 1) { - fr_authstats.fas_nospace++; - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); return 0; + } else { + if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) { + fr_authstats.fas_nospace++; + RWLOCK_EXIT(&ipf_auth); + return 0; + } } fr_authstats.fas_added++; @@ -206,7 +227,7 @@ ip_t *ip; i = fr_authend++; if (fr_authend == FR_NUMAUTH) fr_authend = 0; - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); fr_auth[i].fra_index = i; fr_auth[i].fra_pass = 0; fr_auth[i].fra_age = fr_defaultauthage; 
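Review bot: In fr_checkauth the match path now does `RWLOCK_EXIT(&ipf_auth); WRITE_ENTER(&ipf_auth);` and then updates `fr_auth[i]`, `fr_authused` and the start/end indices using the `i` and `pass` read under the read lock; between the two calls another writer (SIOCAUTHR, fr_authexpire, fr_newauth) can change that slot, so the entry consumed here may no longer be the one that matched. After taking the write lock, re-check `fr_auth[i].fra_index == i` and the id comparison before mutating, or use the `RW_UPGRADE` macro the compat header now provides — whose fallback also drops the lock, so the re-check is needed either way. The loop enclosing this starts outside the hunk. Separately, in the @@ -189 hunk fr_newauth now reports `fas_nospace` whenever `fr_authstart > fr_authend`, i.e. after any wrap of the ring even when more than one slot is free, which shrinks the usable queue; if that is intentional a comment would help.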
@@ -288,46 +309,58 @@ frentry_t *fr, **frptr; if (!fae) error = ESRCH; else { + WRITE_ENTER(&ipf_auth); *faep = fae->fae_next; *frptr = fr->fr_next; + RWLOCK_EXIT(&ipf_auth); KFREE(fae); } } else { - KMALLOC(fae, frauthent_t *, sizeof(*fae)); + KMALLOC(fae, frauthent_t *); if (fae != NULL) { IRCOPY((char *)data, (char *)&fae->fae_fr, sizeof(fae->fae_fr)); - if (!fae->fae_age) - fae->fae_age = fr_defaultauthage; + WRITE_ENTER(&ipf_auth); + fae->fae_age = fr_defaultauthage; fae->fae_fr.fr_hits = 0; fae->fae_fr.fr_next = *frptr; *frptr = &fae->fae_fr; fae->fae_next = *faep; *faep = fae; + ipauth = &fae_list->fae_fr; + RWLOCK_EXIT(&ipf_auth); } else error = ENOMEM; } break; case SIOCATHST: + READ_ENTER(&ipf_auth); + fr_authstats.fas_faelist = fae_list; + RWLOCK_EXIT(&ipf_auth); IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats)); break; case SIOCAUTHW: fr_authioctlloop: - MUTEX_ENTER(&ipf_auth); + READ_ENTER(&ipf_auth); if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { - IWCOPY((char *)&fr_auth[fr_authnext++], data, + IWCOPY((char *)&fr_auth[fr_authnext], data, sizeof(fr_info_t)); + RWLOCK_EXIT(&ipf_auth); + WRITE_ENTER(&ipf_auth); + fr_authnext++; if (fr_authnext == FR_NUMAUTH) fr_authnext = 0; - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); return 0; } #ifdef _KERNEL # if SOLARIS - if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) { - mutex_exit(&ipf_auth); + mutex_enter(&ipf_authmx); + if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) { + mutex_exit(&ipf_authmx); return EINTR; } + mutex_exit(&ipf_authmx); # else # ifdef linux interruptible_sleep_on(&ipfauthwait); 
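Review bot: In the SIOCAUTHW case the entry `fr_auth[fr_authnext]` is copied out under the read lock and `fr_authnext++` happens only after `RWLOCK_EXIT`/`WRITE_ENTER`, so two threads blocked in this ioctl can both copy the same entry before either advances the index, handing one packet to user space twice and skipping the next. Taking the write lock before the IWCOPY, or re-reading and re-checking `fr_authnext` after `WRITE_ENTER`, closes that window. The `case` block continues outside the hunk.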
@@ -338,17 +371,17 @@ fr_authioctlloop: # endif # endif #endif - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); if (!error) goto fr_authioctlloop; break; case SIOCAUTHR: IRCOPY(data, (caddr_t)&auth, sizeof(auth)); - MUTEX_ENTER(&ipf_auth); + WRITE_ENTER(&ipf_auth); i = au->fra_index; if ((i < 0) || (i > FR_NUMAUTH) || (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) { - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); return EINVAL; } m = fr_authpkts[i]; @@ -356,14 +389,19 @@ fr_authioctlloop: fr_auth[i].fra_pass = au->fra_pass; fr_authpkts[i] = NULL; #ifdef _KERNEL - MUTEX_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_auth); SPL_NET(s); # ifndef linux if (m && au->fra_info.fin_out) { # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ +# if _BSDI_VERSION >= 199802 + error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, + NULL); +# else error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL); +# endif # endif /* SOLARIS */ if (error) fr_authstats.fas_sendfail++; @@ -439,7 +477,7 @@ void fr_authunload() register frauthent_t *fae, **faep; mb_t *m; - MUTEX_ENTER(&ipf_auth); + WRITE_ENTER(&ipf_auth); for (i = 0; i < FR_NUMAUTH; i++) { if ((m = fr_authpkts[i])) { FREE_MB_T(m); @@ -453,7 +491,8 @@ void fr_authunload() *faep = fae->fae_next; KFREE(fae); } - MUTEX_EXIT(&ipf_auth); + ipauth = NULL; + RWLOCK_EXIT(&ipf_auth); } @@ -472,7 +511,7 @@ void fr_authexpire() #endif SPL_NET(s); - MUTEX_ENTER(&ipf_auth); + WRITE_ENTER(&ipf_auth); for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) { if ((!--fra->fra_age) && (m = fr_authpkts[i])) { FREE_MB_T(m); @@ -484,14 +523,15 @@ void fr_authexpire() } for (faep = &fae_list; (fae = *faep); ) { - if (!--fra->fra_age) { + if (!--fae->fae_age) { *faep = fae->fae_next; KFREE(fae); fr_authstats.fas_expire++; } else faep = &fae->fae_next; } - MUTEX_EXIT(&ipf_auth); + ipauth = &fae_list->fae_fr; + RWLOCK_EXIT(&ipf_auth); SPL_X(s); } #endif 
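Review bot: The bound check kept as context in the SIOCAUTHR case, `if ((i < 0) || (i > FR_NUMAUTH) || ...`, lets `i == FR_NUMAUTH` through, and `fr_auth`/`fr_authpkts` have FR_NUMAUTH (32) entries, so the kernel reads `fr_auth[32].fra_info.fin_id` and then, in the code this hunk touches, writes `fr_auth[32].fra_pass` and `fr_authpkts[32]` one past the arrays; the comparison should be `(i >= FR_NUMAUTH)`. The index comes straight from the copied-in `au->fra_index`, so this is the only validation it gets. The case body continues outside the hunk.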
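Review bot: `ipauth = &fae_list->fae_fr;` at the end of fr_authexpire runs after the loop that may have freed every entry, so when `fae_list` is NULL this forms a pointer from a null base; it is NULL only if `fae_fr` is the first member of `frauthent_t`, which the header hunk does not show, and otherwise leaves `ipauth` as a small non-NULL address that the filter will later dereference. Use `ipauth = fae_list ? &fae_list->fae_fr : NULL;` here, and the same form where the ioctl add path in the @@ -288 hunk sets it.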
diff --git a/contrib/ipfilter/ip_auth.h b/contrib/ipfilter/ip_auth.h index 06f7cf6..46b8d92 100644 --- a/contrib/ipfilter/ip_auth.h +++ b/contrib/ipfilter/ip_auth.h @@ -1,11 +1,11 @@ /* - * Copyright (C) 1997 by Darren Reed & Guido Van Rooij. + * Copyright (C) 1997-1998 by Darren Reed & Guido Van Rooij. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_auth.h,v 2.0.2.10 1997/10/29 12:14:07 darrenr Exp $ + * $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $ * */ #ifndef __IP_AUTH_H__ @@ -13,18 +13,6 @@ #define FR_NUMAUTH 32 -typedef struct fr_authstat { - U_QUAD_T fas_hits; - U_QUAD_T fas_miss; - u_long fas_nospace; - u_long fas_added; - u_long fas_sendfail; - u_long fas_sendok; - u_long fas_queok; - u_long fas_quefail; - u_long fas_expire; -} fr_authstat_t; - typedef struct frauth { int fra_age; int fra_index; @@ -41,6 +29,19 @@ typedef struct frauthent { u_long fae_age; } frauthent_t; +typedef struct fr_authstat { + U_QUAD_T fas_hits; + U_QUAD_T fas_miss; + u_long fas_nospace; + u_long fas_added; + u_long fas_sendfail; + u_long fas_sendok; + u_long fas_queok; + u_long fas_quefail; + u_long fas_expire; + frauthent_t *fas_faelist; +} fr_authstat_t; + extern frentry_t *ipauth; extern struct fr_authstat fr_authstats; @@ -49,7 +50,7 @@ extern int fr_authstart; extern int fr_authend; extern int fr_authsize; extern int fr_authused; -extern int fr_checkauth __P((ip_t *, fr_info_t *)); +extern u_32_t fr_checkauth __P((ip_t *, fr_info_t *)); extern void fr_authexpire __P((void)); extern void fr_authunload __P((void)); extern mb_t *fr_authpkts[]; diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 1f91cf3..b92f722 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h 
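Review bot: `frauthent_t *fas_faelist` turns `fr_authstat_t` into a structure carrying a raw kernel pointer, and the SIOCATHST path in ip_auth.c copies the whole struct to user space, so every caller of that ioctl learns a kernel heap address whether or not it can read /dev/kmem. If ipfstat needs it for the kmem walk, at least mark the field, e.g. `frauthent_t *fas_faelist; /* kernel address of the auth rule list; only meaningful to a kmem reader */`. Appending the field also grows the struct copied out by SIOCATHST, so an older ipfstat's buffer would be overrun by the larger copyout; worth a line in the header or a version bump if the ioctl number stays the same.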
@@ -1,12 +1,12 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $ + * $Id: ip_compat.h,v 2.1.2.1 1999/09/18 15:03:51 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -17,33 +17,39 @@ # define __P(x) x # else # define __P(x) () -# define const # endif #endif +#ifndef __STDC__ +# undef const +# define const +#endif #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif -#if defined(_KERNEL) && !defined(KERNEL) +#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__) +# undef KERNEL +# undef _KERNEL +# undef __KERNEL__ # define KERNEL -#endif -#if defined(KERNEL) && !defined(_KERNEL) # define _KERNEL -#endif -#if!defined(__KERNEL__) && defined(KERNEL) # define __KERNEL__ #endif #if defined(__SVR4) || defined(__svr4__) || defined(__sgi) #define index strchr -# if !defined(_KERNEL) +# if !defined(KERNEL) # define bzero(a,b) memset(a,0,b) # define bcmp memcmp # define bcopy(a,b,c) memmove(b,a,c) # endif #endif +#ifndef offsetof +#define offsetof(t,m) (int)((&((t *)0L)->m)) +#endif + #if defined(__sgi) || defined(bsdi) struct ether_addr { u_char ether_addr_octet[6]; @@ -69,6 +75,7 @@ struct ether_addr { #endif #if SOLARIS # define MTYPE(m) ((m)->b_datap->db_type) +# include <sys/isa_defs.h> # include <sys/ioccom.h> # include <sys/sysmacros.h> # include <sys/kmem.h> @@ -80,7 +87,7 @@ struct ether_addr { # undef IPOPT_LSRR # undef IPOPT_RR # undef IPOPT_SSRR -# ifndef _KERNEL +# ifndef KERNEL # define _KERNEL # undef RES_INIT # include <inet/common.h> 
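Review bot: The fallback `#define offsetof(t,m) (int)((&((t *)0L)->m))` casts a pointer to `int`, which on the LP64 targets this file now recognises via `_LP64` is a narrowing conversion compilers warn about; the conventional spelling is `(size_t)((char *)&((t *)0L)->m - (char *)0L)`, or better, include `<stddef.h>` and define the macro only when it is still missing. The `#undef KERNEL/_KERNEL/__KERNEL__` followed by unconditional redefinition of all three is fine but deserves a one-line comment, e.g. `/* normalise the three kernel-build spellings so all three are defined */`.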
@@ -92,6 +99,10 @@ struct ether_addr { # include <inet/ip.h> # include <inet/ip_ire.h> # endif /* _KERNEL */ +#else +# if !defined(__sgi) +typedef int minor_t; +#endif #endif /* SOLARIS */ #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) @@ -118,7 +129,7 @@ typedef u_int32_t u_32_t; /* * Really, any arch where sizeof(long) != sizeof(int). */ -# if defined(__alpha__) || defined(__alpha) +# if defined(__alpha__) || defined(__alpha) || defined(_LP64) typedef unsigned int u_32_t; # else typedef unsigned long u_32_t; @@ -201,7 +212,32 @@ typedef unsigned long u_32_t; */ #ifdef KERNEL # if SOLARIS -# define MUTEX_ENTER(x) mutex_enter(x) +# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \ + mutex_exit(&ipf_rw); } +# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \ + mutex_exit(&ipf_rw); } +# define MUTEX_ENTER(x) mutex_enter(x) +# if 1 +# define KRWLOCK_T krwlock_t +# define READ_ENTER(x) rw_enter(x, RW_READER) +# define WRITE_ENTER(x) rw_enter(x, RW_WRITER) +# define RW_UPGRADE(x) { if (rw_tryupgrade(x) == 0) { \ + rw_exit(x); \ + rw_enter(x, RW_WRITER); } \ + } +# define MUTEX_DOWNGRADE(x) rw_downgrade(x) +# define RWLOCK_INIT(x, y, z) rw_init((x), (y), RW_DRIVER, (z)) +# define RWLOCK_EXIT(x) rw_exit(x) +# define RW_DESTROY(x) rw_destroy(x) +# else +# define KRWLOCK_T kmutex_t +# define READ_ENTER(x) mutex_enter(x) +# define WRITE_ENTER(x) mutex_enter(x) +# define MUTEX_DOWNGRADE(x) ; +# define RWLOCK_INIT(x, y, z) mutex_init((x), (y), MUTEX_DRIVER, (z)) +# define RWLOCK_EXIT(x) mutex_exit(x) +# define RW_DESTROY(x) mutex_destroy(x) +# endif # define MUTEX_EXIT(x) mutex_exit(x) # define MTOD(m,t) (t)((m)->b_rptr) # define IRCOPY(a,b,c) copyin((a), (b), (c)) 
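Review bot: The Solaris `RW_UPGRADE(x)` drops the reader lock and re-acquires it as writer when `rw_tryupgrade()` fails, so whatever the caller looked up under the read lock may have been freed or replaced by the time it holds the write lock; every caller must re-validate after the upgrade, and the macro should say so: `/* may release and re-take the lock: re-check looked-up state after upgrade */`. The `#else` arm of the `#if 1` (kmutex fallback) defines `READ_ENTER`, `WRITE_ENTER` and `MUTEX_DOWNGRADE` but no `RW_UPGRADE`, so flipping the switch to `#if 0` fails at the first `RW_UPGRADE` use — add `# define RW_UPGRADE(x) ;` there or remove the dead arm. `ATOMIC_INC`/`ATOMIC_DEC` take `ipf_rw` for a single increment; a comment naming which counters they are meant for would stop them being used around multi-statement updates that need the caller to hold the lock.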
@@ -217,7 +253,8 @@ typedef unsigned long u_32_t; # define htons(x) (x) # define htonl(x) (x) # endif /* sparc */ -# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) +# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP) +# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) # define GET_MINOR(x) getminor(x) typedef struct qif { struct qif *qf_next; @@ -233,18 +270,19 @@ typedef struct qif { struct qinit qf_rqinit; mblk_t *qf_m; /* These three fields are for passing data up from */ queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */ - int qf_off; - int qf_len; /* this field is used for in ipfr_fastroute */ + size_t qf_off; + size_t qf_len; /* this field is used for in ipfr_fastroute */ char qf_name[8]; /* * in case the ILL has disappeared... */ - int qf_hl; /* header length */ + size_t qf_hl; /* header length */ } qif_t; extern ill_t *get_unit __P((char *)); # define GETUNIT(n) get_unit((n)) # else /* SOLARIS */ # if defined(__sgi) +# define hz HZ # include <sys/ksynch.h> # define IPF_LOCK_PL plhi # include <sys/sema.h> 
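Review bot: `KMALLOC(a,b)` now sizes the allocation from `sizeof(*(a))`, so a caller that passes a pointer of the wrong type (a `char *` destined for a structure, say) silently gets a one-byte block where the old three-argument form allocated what was asked; add a comment that `a` must be an lvalue of the exact target type and that variable-size buffers use `KMALLOCS`. Changing `qf_off`, `qf_len` and `qf_hl` from `int` to `size_t` turns any `< 0` test or `len - off` underflow in the Solaris code that uses them into a large unsigned value; those uses lie outside this hunk and should be checked. `# define hz HZ` on IRIX renames a global identifier for every file that includes this header — limit it to where it is needed or comment why it is safe.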
@@ -253,10 +291,27 @@ typedef struct { lock_t *l; int pl; } kmutex_t; -# define MUTEX_ENTER(x) (x)->pl = LOCK((x)->l, IPF_LOCK_PL); +# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \ + (x)++; MUTEX_EXIT(&ipf_rw); } +# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \ + (x)--; MUTEX_EXIT(&ipf_rw); } +# define MUTEX_ENTER(x) (x)->pl = LOCK((x)->l, IPF_LOCK_PL); +# define KRWLOCK_T kmutex_t +# define READ_ENTER(x) MUTEX_ENTER(x) +# define WRITE_ENTER(x) MUTEX_ENTER(x) +# define RW_UPGRADE(x) ; +# define MUTEX_DOWNGRADE(x) ; +# define RWLOCK_EXIT(x) MUTEX_EXIT(x) # define MUTEX_EXIT(x) UNLOCK((x)->l, (x)->pl); # else /* __sgi */ -# define MUTEX_ENTER(x) ; +# define ATOMIC_INC(x) (x)++ +# define ATOMIC_DEC(x) (x)-- +# define MUTEX_ENTER(x) ; +# define READ_ENTER(x) ; +# define WRITE_ENTER(x) ; +# define RW_UPGRADE(x) ; +# define MUTEX_DOWNGRADE(x) ; +# define RWLOCK_EXIT(x) ; # define MUTEX_EXIT(x) ; # endif /* __sgi */ # ifndef linux @@ -291,11 +346,14 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t)); # ifdef __sgi # include <sys/kmem.h> # include <sys/ddi.h> -# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) +# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP) +# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) # define GET_MINOR(x) getminor(x) # else # if !SOLARIS -# define KMALLOC(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP) +# define KMALLOC(a,b) (a) = (b)new_kmem_alloc(sizeof(*(a)), \ + KMEM_NOSLEEP) +# define KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP) # endif /* SOLARIS */ # endif /* __sgi */ # endif /* sun && !linux */ 
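Review bot: In the non-Solaris, non-IRIX kernel arm `ATOMIC_INC(x)` expands to a plain `(x)++` and every lock macro is an empty statement, so the names promise atomicity and reader/writer exclusion that on BSD hold only while the caller is at the right SPL; a comment such as `/* BSD: serialised by SPL_NET in the callers, not by these macros */` keeps a later port from trusting the names. On IRIX `RW_UPGRADE(x)` is a no-op, which is correct there because `READ_ENTER` already takes the exclusive lock, but that reasoning should be written next to it. The IRIX `ATOMIC_INC` expands to `MUTEX_ENTER(&ipf_rw)`, so `ipf_rw` must be declared before any use of the macro in each translation unit (ip_fil.c gains `extern kmutex_t ipf_rw;` under `__sgi` later in this diff); the same-file ordering here is fine because macros expand at use.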
@@ -312,11 +370,13 @@ extern vm_map_t kmem_map; # include <vm/vm_kern.h> # endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */ # ifdef M_PFIL -# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) +# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT) +# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) # define KFREE(x) FREE((x), M_PFIL) # define KFREES(x,s) FREE((x), M_PFIL) # else -# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT) +# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT) +# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT) # define KFREE(x) FREE((x), M_TEMP) # define KFREES(x,s) FREE((x), M_TEMP) # endif /* M_PFIL */ @@ -339,13 +399,21 @@ extern vm_map_t kmem_map; # define SLEEP(x,y) ; # define WAKEUP(x) ; # define PANIC(x,y) ; +# define ATOMIC_INC(x) (x)++ +# define ATOMIC_DEC(x) (x)-- # define MUTEX_ENTER(x) ; +# define READ_ENTER(x) ; +# define WRITE_ENTER(x) ; +# define RW_UPGRADE(x) ; +# define MUTEX_DOWNGRADE(x) ; +# define RWLOCK_EXIT(x) ; # define MUTEX_EXIT(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; # undef SPL_X # define SPL_X(x) ; -# define KMALLOC(a,b,c) (a) = (b)malloc(c) +# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*a)) +# define KMALLOCS(a,b,c) (a) = (b)malloc(c) # define KFREE(x) free(x) # define KFREES(x,s) free(x) # define GETUNIT(x) get_unit(x) @@ -355,9 +423,26 @@ extern vm_map_t kmem_map; #if SOLARIS typedef mblk_t mb_t; +# if SOLARIS2 >= 7 +# ifdef lint +# define ALIGN32(ptr) (ptr ? 0L : 0L) +# define ALIGN16(ptr) (ptr ? 0L : 0L) +# else +# define ALIGN32(ptr) (ptr) +# define ALIGN16(ptr) (ptr) +# endif +# endif #else # ifdef linux +# ifndef kernel +typedef struct mb { + struct mb *next; + u_int len; + u_char *data; +} mb_t; +# else typedef struct sk_buff mb_t; +# endif # else typedef struct mbuf mb_t; # endif 
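Review bot: The user-space `KMALLOC(a,b)` writes `sizeof(*a)` while every kernel variant in this commit writes `sizeof(*(a))`; the unparenthesised form is a trap as soon as `a` is an expression with lower precedence than unary `*`, so make it `sizeof(*(a))` for consistency. None of the `KMALLOC` variants checks for a NULL result, which is by design (callers test `a`, as the `if (f != NULL)` after `KMALLOC(f, frentry_t *)` later in this series does), but that contract belongs in a comment beside the macros. The lint-only `ALIGN32`/`ALIGN16` definitions evaluate to `0L`, so code must never use their value; a short comment that they exist only to silence lint would prevent that.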
@@ -492,6 +577,7 @@ typedef struct mbuf mb_t; #endif /* linux || __sgi */ #ifdef linux +#include <linux/in_systm.h> /* * TCP States */ @@ -513,8 +599,13 @@ typedef struct mbuf mb_t; /* * file flags. */ +#ifdef WRITE #define FWRITE WRITE #define FREAD READ +#else +#define FWRITE _IOC_WRITE +#define FREAD _IOC_READ +#endif /* * mbuf related problems. */ @@ -522,7 +613,10 @@ typedef struct mbuf mb_t; #define m_len len #define m_next next -#define IP_DF 0x8000 +#ifdef IP_DF +#undef IP_DF +#endif +#define IP_DF 0x4000 typedef struct { __u16 th_sport; @@ -574,15 +668,15 @@ typedef struct { * Structure of an icmp header. */ typedef struct icmp { - u_char icmp_type; /* type of message, see below */ - u_char icmp_code; /* type sub code */ - u_short icmp_cksum; /* ones complement cksum of struct */ + __u8 icmp_type; /* type of message, see below */ + __u8 icmp_code; /* type sub code */ + __u16 icmp_cksum; /* ones complement cksum of struct */ union { - u_char ih_pptr; /* ICMP_PARAMPROB */ - struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ - struct ih_idseq { - n_short icd_id; - n_short icd_seq; + __u8 ih_pptr; /* ICMP_PARAMPROB */ + struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ + struct ih_idseq { + __u16 icd_id; + __u16 icd_seq; } ih_idseq; int ih_void; } icmp_hun; @@ -664,7 +758,8 @@ typedef struct uio { # define UNITNAME(n) dev_get((n)) -# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC) +# define KMALLOC(a,b) (a) = (b)kmalloc(sizeof(*(a)), GFP_ATOMIC) +# define KMALLOCS(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC) # define KFREE(x) kfree_s((x), sizeof(*(x))) # define KFREES(x,s) kfree_s((x), (s)) # define IRCOPY(a,b,c) { \ 
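Review bot: The `#else` fallback defines `FWRITE` as `_IOC_WRITE` and `FREAD` as `_IOC_READ`, but those are the direction bits of the Linux ioctl-number encoding, not file-open-mode flags; elsewhere in this series `FWRITE` is tested as an open mode (`mode & FWRITE`), so if any Linux path takes this arm it would be comparing against the wrong bit set — and the two `_IOC_*` values are 1 and 2 while the Linux open-mode bits they would stand in for are the reverse. Map them to the target kernel's file-mode constants or `#error` rather than silently redefine. Redefining `IP_DF` to `0x4000` corrects the earlier value; a comment `/* 0x8000 is the reserved bit; DF is 0x4000 (RFC 791) */` would stop someone reverting it. The `struct icmp` retyping to `__u8`/`__u16` is a straight width-preserving change, but `int ih_void` in the union is still a native `int`, so the union size is unchanged only where `int` is 32 bits.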
@@ -723,5 +818,14 @@ struct ether_addr { #ifndef ICMP_ROUTERSOLICIT # define ICMP_ROUTERSOLICIT 10 #endif +/* + * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data, + * another IP header and then 64 bits of data, totalling 56. Of course, + * the last 64 bits is dependant on that being available. + */ +#define ICMPERR_ICMPHLEN 8 +#define ICMPERR_IPICMPHLEN (20 + 8) +#define ICMPERR_MINPKTLEN (20 + 8 + 20) +#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) #endif /* __IP_COMPAT_H__ */ diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 09c4b6e..d9d7fe1 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.7 1999/10/15 13:49:43 darrenr Exp $"; #endif #ifndef SOLARIS @@ -17,6 +17,11 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #if defined(KERNEL) && !defined(_KERNEL) # define _KERNEL #endif +#include <sys/param.h> +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ + defined(_KERNEL) +# include "opt_ipfilter_log.h" +#endif #ifdef __FreeBSD__ # if defined(_KERNEL) && !defined(IPFILTER_LKM) # include <sys/osreldate.h> 
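Review bot: `ICMPERR_MINPKTLEN` and `ICMPERR_MAXPKTLEN` hard-code 20-byte IP headers for both the outer and the quoted header, so a length check built on them under-estimates any error packet whose quoted header has `ip_hl > 5` and may mis-classify a legitimate ICMP error. Make the assumption explicit in the comment, e.g. `/* assumes both IP headers are options-free (ip_hl == 5); use ip_hl << 2 when validating real packets */`. The arithmetic in the comment (`20 + 8 + 20 + 8 = 56`) is right; `dependant` should read `dependent`. In the ip_fil.c hunk the `opt_ipfilter_log.h` include is guarded by `NetBSD >= 199905 && !IPFILTER_LKM && _KERNEL`, which is correct for an option header but deserves a one-line comment that LKM builds get `IPFILTER_LOG` from the build flags instead.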
@@ -29,10 +34,10 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 # include <string.h> # include <stdlib.h> # include <ctype.h> +# include <fcntl.h> #endif #include <sys/errno.h> #include <sys/types.h> -#include <sys/param.h> #include <sys/file.h> #if __FreeBSD_version >= 220000 && defined(_KERNEL) # include <sys/fcntl.h> @@ -46,7 +51,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #endif #include <sys/uio.h> #if !SOLARIS -# if (NetBSD > 199609) || (OpenBSD > 199603) +# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000) # include <sys/dirent.h> # else # include <sys/dir.h> @@ -64,6 +69,9 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #endif #if __FreeBSD_version >= 300000 # include <net/if_var.h> +# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# include "opt_ipfilter.h" +# endif #endif #ifdef __sgi #include <sys/debug.h> @@ -74,7 +82,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #include <net/route.h> #include <netinet/in.h> #if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ -#include <netinet/in_var.h> +# include <netinet/in_var.h> #endif #include <netinet/in_systm.h> #include <netinet/ip.h> @@ -84,6 +92,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> #ifndef _KERNEL +# include <unistd.h> # include <syslog.h> #endif #include "netinet/ip_compat.h" 
@@ -93,10 +102,14 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #include "netinet/ip_frag.h" #include "netinet/ip_state.h" #include "netinet/ip_auth.h" +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +#endif #ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) #endif -#if !SOLARIS && defined(_KERNEL) +#if !SOLARIS && defined(_KERNEL) && !defined(__sgi) +# include <sys/kernel.h> extern int ip_optcopy __P((struct ip *, struct ip *)); #endif @@ -108,11 +121,6 @@ extern struct protosw inetsw[]; static struct ifnet **ifneta = NULL; static int nifs = 0; #else -# if (BSD < 199306) && !defined(__sgi) -static int (*fr_saveslowtimo) __P((void)); -# else -static void (*fr_saveslowtimo) __P((void)); -# endif # if (BSD < 199306) || defined(__sgi) extern int tcp_ttl; # endif @@ -122,9 +130,7 @@ int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; -static void fixskip __P((frentry_t **, frentry_t *, int)); static void frzerostats __P((caddr_t)); -static void frsync __P((void)); #if defined(__NetBSD__) || defined(__OpenBSD__) static int frrequest __P((int, u_long, caddr_t, int)); #else @@ -132,6 +138,10 @@ static int frrequest __P((int, int, caddr_t, int)); #endif #ifdef _KERNEL static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); +static int send_ip __P((struct mbuf *, ip_t *)); +# ifdef __sgi +extern kmutex_t ipf_rw; +# endif #else int ipllog __P((void)); void init_ifp __P((void)); @@ -147,6 +157,15 @@ static int write_output __P((struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *)); # endif #endif +#if defined(IPFILTER_LKM) +int fr_running = 1; +#else +int fr_running = 0; +#endif + +#if (__FreeBSD_version >= 300000) && defined(_KERNEL) +struct callout_handle ipfr_slowtimer_ch; +#endif #if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include <sys/device.h> 
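Review bot: `fr_running` is statically initialised to 1 for `IPFILTER_LKM` builds, so `SIOCGETFS` reports the filter as running before `iplattach()` has run or when it failed, whereas the non-LKM build only raises the flag on the successful `SIOCFRENB` path later in this diff; the two builds disagree on what the flag means. Initialise it to 0 everywhere and have the LKM load routine set it after `iplattach()` returns 0, or comment that the LKM entry point attaches unconditionally. `send_ip` is newly declared `static` here under `_KERNEL`; its definition appears in a later hunk. `ipfr_slowtimer_ch` is a file-scope variable written by `iplattach()` and read by `ipldetach()` with no lock, which is fine only if those two are never concurrent — worth stating.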
@@ -195,7 +214,8 @@ void ipfilterattach(count) int count; { - iplattach(); + if (iplattach() != 0) + printf("IP Filter failed to attach\n"); } # endif @@ -215,6 +235,16 @@ int iplattach() return EBUSY; } +# ifdef IPFILTER_LOG + ipflog_init(); +# endif + if (nat_init() == -1) + return -1; + if (fr_stateinit() == -1) + return -1; + if (appr_init() == -1) + return -1; + # ifdef NETBSD_PF pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif @@ -229,15 +259,9 @@ int iplattach() ipl_inited = 1; bzero((char *)frcache, sizeof(frcache)); - bzero((char *)nat_table, sizeof(nat_table)); fr_savep = fr_checkp; fr_checkp = fr_check; - fr_saveslowtimo = inetsw[0].pr_slowtimo; - inetsw[0].pr_slowtimo = ipfr_slowtimer; -# ifdef IPFILTER_LOG - ipflog_init(); -# endif SPL_X(s); if (fr_pass & FR_PASS) defpass = "pass"; @@ -253,6 +277,14 @@ int iplattach() # else "disabled"); # endif + printf("%s\n", ipfilter_version); +#ifdef _KERNEL +# if (__FreeBSD_version >= 300000) && defined(_KERNEL) + ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); +# else + timeout(ipfr_slowtimer, NULL, hz/2); +# endif +#endif return 0; } @@ -265,6 +297,17 @@ int ipldetach() { int s, i = FR_INQUE|FR_OUTQUE; +#ifdef _KERNEL +# if (__FreeBSD_version >= 300000) + untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch); +# else +# ifdef __sgi + untimeout(ipfr_slowtimer); +# else + untimeout(ipfr_slowtimer, NULL); +# endif +# endif +#endif SPL_NET(s); if (!ipl_inited) { @@ -274,8 +317,7 @@ int ipldetach() } fr_checkp = fr_savep; - inetsw[0].pr_slowtimo = fr_saveslowtimo; - frflush(IPL_LOGIPF, &i); + i = frflush(IPL_LOGIPF, i); ipl_inited = 0; # ifdef NETBSD_PF @@ -300,7 +342,7 @@ int ipldetach() static void frzerostats(data) caddr_t data; { - struct friostat fio; + friostat_t fio; bcopy((char *)frstats, (char *)fio.f_st, sizeof(struct filterstats) * 2); 
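Review bot: The new `nat_init()`/`fr_stateinit()`/`appr_init()` failure paths return -1 from `iplattach()`, whose other returns are errno values (`EBUSY`, 0), and the `SIOCFRENB` handler later in this diff passes the result straight back as the ioctl error, so userland receives an invalid negative errno; return `ENOMEM` (or whatever the init routines fail for). Those early returns also leave the subsystems that already initialised (`ipflog_init()`, then `nat_init()`) set up with `ipl_inited` still 0, so a retry re-runs their init on top of the previous state — undo what succeeded before returning. In `ipldetach()` the `untimeout()` calls now run before the `ipl_inited` test, i.e. even when no timer was ever scheduled; move them after the test or confirm every `untimeout` variant used here tolerates an unscheduled handle. `frflush()` now returns the count via `i = frflush(IPL_LOGIPF, i)`, but `i` is not used afterwards in the visible lines, so either report it or drop the assignment.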
@@ -332,14 +374,15 @@ int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode #else int IPL_EXTERN(ioctl)(dev, cmd, data, mode #if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ - (__FreeBSD_version >= 220000)) && defined(_KERNEL) + (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL) , p) struct proc *p; #else ) #endif dev_t dev; -#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) +#if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) u_long cmd; #else int cmd; @@ -353,10 +396,16 @@ int mode; #endif int error = 0, unit = 0, tmp; +#if (BSD >= 199306) && defined(_KERNEL) + if ((securelevel >= 2) && (mode & FWRITE)) + return EPERM; +#endif #ifdef _KERNEL unit = GET_MINOR(dev); if ((IPL_LOGMAX < unit) || (unit < 0)) return ENXIO; +#else + unit = dev; #endif SPL_NET(s); @@ -387,10 +436,15 @@ int mode; error = EPERM; else { IRCOPY(data, (caddr_t)&enable, sizeof(enable)); - if (enable) + if (enable) { error = iplattach(); - else + if (error == 0) + fr_running = 1; + } else { error = ipldetach(); + if (error == 0) + fr_running = 0; + } } break; } @@ -448,6 +502,21 @@ int mode; fio.f_active = fr_active; fio.f_froute[0] = ipl_frouteok[0]; fio.f_froute[1] = ipl_frouteok[1]; + fio.f_running = fr_running; + fio.f_groups[0][0] = ipfgroups[0][0]; + fio.f_groups[0][1] = ipfgroups[0][1]; + fio.f_groups[1][0] = ipfgroups[1][0]; + fio.f_groups[1][1] = ipfgroups[1][1]; + fio.f_groups[2][0] = ipfgroups[2][0]; + fio.f_groups[2][1] = ipfgroups[2][1]; +#ifdef IPFILTER_LOG + fio.f_logging = 1; +#else + fio.f_logging = 0; +#endif + fio.f_defpass = fr_pass; + strncpy(fio.f_version, ipfilter_version, + sizeof(fio.f_version)); IWCOPY((caddr_t)&fio, data, sizeof(fio)); break; } 
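Review bot: `strncpy(fio.f_version, ipfilter_version, sizeof(fio.f_version))` leaves `f_version` unterminated when the version string is at least as long as the field, and the whole `fio` is then copied to userland by `IWCOPY`; add `fio.f_version[sizeof(fio.f_version) - 1] = '\0';` after the copy. `fio` is a stack structure filled member by member (its declaration is above this hunk), so any member or padding byte not assigned here is exported as uninitialised kernel stack — `bzero((char *)&fio, sizeof(fio));` before filling it closes that, unless it is already zeroed above. The `securelevel >= 2 && (mode & FWRITE)` gate is a sound addition; the new `#else unit = dev;` user-space arm skips the `IPL_LOGMAX` range check the kernel arm performs, so the `unit` check should sit outside the `#ifdef`. In the `SIOCFRENB` path `fr_running` is updated without any lock, which matches the rest of the handler but should be noted given the flag is now read by `SIOCGETFS`.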
@@ -462,7 +531,7 @@ int mode; error = EPERM; else { IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); - frflush(unit, &tmp); + tmp = frflush(unit, tmp); IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); } break; 
@@ -505,37 +574,62 @@ int mode; } -static void frsync() +void frsync() { #ifdef _KERNEL - struct ifnet *ifp; + register frentry_t *f; + register struct ifnet *ifp; -# if defined(__OpenBSD__) || (NetBSD >= 199511) +# if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \ + (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)) +# if (NetBSD >= 199905) || defined(__OpenBSD__) for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next) +# else + for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next) +# endif # else for (ifp = ifnet; ifp; ifp = ifp->if_next) # endif ip_natsync(ifp); + + WRITE_ENTER(&ipf_mutex); + for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == (void *)-1) + f->fr_ifa = GETUNIT(f->fr_ifname); + for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == (void *)-1) + f->fr_ifa = GETUNIT(f->fr_ifname); + for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == (void *)-1) + f->fr_ifa = GETUNIT(f->fr_ifname); + for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == (void *)-1) + f->fr_ifa = GETUNIT(f->fr_ifname); + RWLOCK_EXIT(&ipf_mutex); #endif } -static void fixskip(listp, rp, addremove) -frentry_t **listp, *rp; -int addremove; +void fr_forgetifp(ifp) +void *ifp; { - frentry_t *fp; - int rules = 0, rn = 0; - - for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++) - ; - - if (!fp) - return; - - for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) - if (fp->fr_skip && (rn + fp->fr_skip >= rules)) - fp->fr_skip += addremove; + register frentry_t *f; + + WRITE_ENTER(&ipf_mutex); + for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void 
*)-1; + for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + RWLOCK_EXIT(&ipf_mutex); + ip_natsync(ifp); } @@ -554,20 +648,22 @@ caddr_t data; frentry_t frd; frdest_t *fdp; frgroup_t *fg = NULL; - int error = 0, in, group; + int error = 0, in; + u_int group; fp = &frd; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); + fp->fr_ref = 0; /* * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if (fp->fr_grhead && - fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) + if ((req != SIOCZRLST) && fp->fr_grhead && + fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; - if (fp->fr_group && - !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) + if ((req != SIOCZRLST) && fp->fr_group && + !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL)) return ESRCH; in = (fp->fr_flags & FR_INQUE) ? 0 : 1; @@ -594,6 +690,13 @@ caddr_t data; if (!fp->fr_ifa) fp->fr_ifa = (void *)-1; } +#if BSD >= 199306 + if (*fp->fr_oifname) { + fp->fr_oifa = GETUNIT(fp->fr_oifname); + if (!fp->fr_oifa) + fp->fr_oifa = (void *)-1; + } +#endif fdp = &fp->fr_dif; fp->fr_flags &= ~FR_DUP; @@ -655,8 +758,8 @@ caddr_t data; if (unit == IPL_LOGAUTH) return fr_auth_ioctl(data, req, f, ftail); if (f->fr_grhead) - fr_delgroup(f->fr_grhead, fp->fr_flags, unit, - set); + fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, + unit, set); fixskip(fprev, f, -1); *ftail = f->fr_next; KFREE(f); @@ -667,7 +770,7 @@ caddr_t data; else { if (unit == IPL_LOGAUTH) return fr_auth_ioctl(data, req, f, ftail); - KMALLOC(f, frentry_t *, sizeof(*f)); + KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) fg->fg_head->fr_ref++; 
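Review bot: `fr_forgetifp()` and `frsync()` walk only `ipacct[*][fr_active]` and `ipfilter[*][fr_active]`, so rules in the inactive set keep their `fr_ifa` pointing at the departed interface, and the next `SIOCSWAPA` makes them live with a dangling `ifnet` pointer; walk both sets (`for (set = 0; set < 2; set++)`) in both functions, and check whether group-member rules reached through `fr_grp` need the same treatment. The four near-identical loops in each function collapse into one helper taking the list head and the match value, which also makes the both-sets fix a one-line change. `frsync()` walks the `ifnet` list before taking `ipf_mutex`, which is fine only if the caller already holds whatever serialises interface attach/detach — a comment saying so would help. `fixskip()` is still called in the `-655` hunk below although its `static` definition was removed above and its prototype removed earlier in this diff; presumably it now lives in another file, so its declaration must come from a header — confirm. The `(req != SIOCZRLST)` guards in `frrequest()` and `fp->fr_ref = 0` after `IRCOPY` are the right call: a reference count must never be taken from userland.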
@@ -693,33 +796,33 @@ caddr_t data; /* * routines below for saving IP headers to buffer */ -#ifdef __sgi -# ifdef _KERNEL +# ifdef __sgi +# ifdef _KERNEL int IPL_EXTERN(open)(dev_t *pdev, int flags, int devtype, cred_t *cp) -# else +# else int IPL_EXTERN(open)(dev_t dev, int flags) -# endif -#else +# endif +# else int IPL_EXTERN(open)(dev, flags -# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ - (__FreeBSD_version >= 220000)) && defined(_KERNEL) +# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ + (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; -# else +# else ) -# endif +# endif dev_t dev; int flags; -#endif /* __sgi */ +# endif /* __sgi */ { -#if defined(__sgi) && defined(_KERNEL) +# if defined(__sgi) && defined(_KERNEL) u_int min = geteminor(*pdev); -#else +# else u_int min = GET_MINOR(dev); -#endif +# endif - if (2 < min) + if (IPL_LOGMAX < min) min = ENXIO; else min = 0; @@ -727,25 +830,25 @@ int flags; } -#ifdef __sgi +# ifdef __sgi int IPL_EXTERN(close)(dev_t dev, int flags, int devtype, cred_t *cp) #else int IPL_EXTERN(close)(dev, flags -# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ - (__FreeBSD_version >= 220000)) && defined(_KERNEL) +# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ + (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; -# else +# else ) -# endif +# endif dev_t dev; int flags; -#endif /* __sgi */ +# endif /* __sgi */ { u_int min = GET_MINOR(dev); - if (2 < min) + if (IPL_LOGMAX < min) min = ENXIO; else min = 0; 
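Review bot: `IPL_EXTERN(open)` and `IPL_EXTERN(close)` reuse the unsigned minor number `min` to carry the return value (`min = ENXIO` / `min = 0`), which reads like a bounds check gone wrong; use a separate `int error` and return that, e.g. `error = (IPL_LOGMAX < min) ? ENXIO : 0;`. Widening the accepted range from the literal `2` to `IPL_LOGMAX` is the real change here and should be called out in the commit message, since it changes which minors can be opened. The `# ifdef __sgi` / `#else` pair in `close` is indented inconsistently with the `open` block just above it. Both functions continue past the hunk edges.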
@@ -758,9 +861,9 @@ int flags; * called during packet processing and cause an inconsistancy to appear in * the filter lists. */ -#ifdef __sgi +# ifdef __sgi int IPL_EXTERN(read)(dev_t dev, uio_t *uio, cred_t *crp) -#else +# else # if BSD >= 199306 int IPL_EXTERN(read)(dev, uio, ioflag) int ioflag; @@ -769,13 +872,13 @@ int IPL_EXTERN(read)(dev, uio) # endif dev_t dev; register struct uio *uio; -#endif /* __sgi */ +# endif /* __sgi */ { -# ifdef IPFILTER_LOG +# ifdef IPFILTER_LOG return ipflog_read(GET_MINOR(dev), uio); -# else +# else return ENXIO; -# endif +# endif } 
@@ -783,55 +886,72 @@ register struct uio *uio; * send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ -int send_reset(ti) -struct tcpiphdr *ti; +int send_reset(fin, oip) +fr_info_t *fin; +struct ip *oip; { + struct tcphdr *tcp, *tcp2; struct tcpiphdr *tp; - struct tcphdr *tcp; struct mbuf *m; - int tlen = 0, err; + int tlen = 0; ip_t *ip; -# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) - struct route ro; -# endif - if (ti->ti_flags & TH_RST) + tcp = (struct tcphdr *)fin->fin_dp; + if (tcp->th_flags & TH_RST) return -1; /* feedback loop */ # if (BSD < 199306) || defined(__sgi) m = m_get(M_DONTWAIT, MT_HEADER); # else m = m_gethdr(M_DONTWAIT, MT_HEADER); - m->m_data += max_linkhdr; # endif if (m == NULL) + return ENOBUFS; + if (m == NULL) return -1; - if (ti->ti_flags & TH_SYN) + if (tcp->th_flags & TH_SYN) tlen = 1; - m->m_len = sizeof (struct tcpiphdr); + m->m_len = sizeof(*tcp2) + sizeof(*ip); # if BSD >= 199306 - m->m_pkthdr.len = sizeof (struct tcpiphdr); + m->m_data += max_linkhdr; + m->m_pkthdr.len = m->m_len; m->m_pkthdr.rcvif = (struct ifnet *)0; # endif bzero(mtod(m, char *), sizeof(struct tcpiphdr)); ip = mtod(m, struct ip *); tp = mtod(m, struct tcpiphdr *); - tcp = (struct tcphdr *)((char *)ip + sizeof(struct ip)); - - ip->ip_src.s_addr = ti->ti_dst.s_addr; - ip->ip_dst.s_addr = ti->ti_src.s_addr; - tcp->th_dport = ti->ti_sport; - tcp->th_sport = ti->ti_dport; - tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen); - tcp->th_off = sizeof(struct tcphdr) >> 2; - tcp->th_flags = TH_RST|TH_ACK; - tp->ti_pr = ((struct ip *)ti)->ip_p; + tcp2 = (struct tcphdr *)((char *)ip + sizeof(*ip)); + + ip->ip_src.s_addr = oip->ip_dst.s_addr; + ip->ip_dst.s_addr = oip->ip_src.s_addr; + tcp2->th_dport = tcp->th_sport; + tcp2->th_sport = tcp->th_dport; + tcp2->th_ack = ntohl(tcp->th_seq); + tcp2->th_ack += tlen; + tcp2->th_ack = htonl(tcp2->th_ack); + tcp2->th_off = 
sizeof(*tcp2) >> 2; + tcp2->th_flags = TH_RST|TH_ACK; + tp->ti_pr = oip->ip_p; tp->ti_len = htons(sizeof(struct tcphdr)); - tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr)); + tcp2->th_sum = in_cksum(m, sizeof(*ip) + sizeof(*tcp2)); + + ip->ip_tos = oip->ip_tos; + ip->ip_p = oip->ip_p; + ip->ip_len = sizeof(*ip) + sizeof(*tcp2); + + return send_ip(m, ip); +} + + +static int send_ip(m, ip) +struct mbuf *m; +ip_t *ip; +{ +# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)) || \ + (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) + struct route ro; +# endif - ip->ip_tos = ((struct ip *)ti)->ip_tos; - ip->ip_p = ((struct ip *)ti)->ip_p; - ip->ip_len = sizeof (struct tcpiphdr); # if (BSD < 199306) || defined(__sgi) ip->ip_ttl = tcp_ttl; # else 
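Review bot: After `m_gethdr()` the allocation is tested twice — `if (m == NULL) return ENOBUFS;` followed by an unreachable `if (m == NULL) return -1;` — and the function now mixes a positive errno with the `-1` returned for the feedback-loop case, so callers cannot treat the result uniformly; drop the second test and settle on one convention. `tcp = (struct tcphdr *)fin->fin_dp;` reads `th_flags` and `th_seq` from the original packet, so `send_reset()` now depends on its caller having verified that `fin_dp` points at a complete TCP header inside the mbuf; state that precondition in a comment above the function. Moving `m->m_data += max_linkhdr` below the NULL check fixes the earlier dereference-before-check. `send_ip()` begins at the end of this hunk and continues past it.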
@@ -839,17 +959,91 @@ struct tcpiphdr *ti; # endif # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) + { + int err; + bzero((char *)&ro, sizeof(ro)); err = ip_output(m, (struct mbuf *)0, &ro, 0, 0); if (ro.ro_rt) RTFREE(ro.ro_rt); + return err; + } # else /* * extra 0 in case of multicast */ - err = ip_output(m, (struct mbuf *)0, 0, 0, 0); +# if _BSDI_VERSION >= 199802 + return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL); +# else + return ip_output(m, (struct mbuf *)0, 0, 0, 0); +# endif # endif - return err; +} + + +int send_icmp_err(oip, type, code, ifp, dst) +ip_t *oip; +int type, code; +void *ifp; +struct in_addr dst; +{ + struct icmp *icmp; + struct mbuf *m; + ip_t *nip; + +# if (BSD < 199306) || defined(__sgi) + m = m_get(M_DONTWAIT, MT_HEADER); +# else + m = m_gethdr(M_DONTWAIT, MT_HEADER); +# endif + if (m == NULL) + return ENOBUFS; + m->m_len = sizeof(*nip) + sizeof(*icmp) + 8; +# if BSD >= 199306 + m->m_data += max_linkhdr; + m->m_pkthdr.len = sizeof(*nip) + sizeof(*icmp) + 8; + m->m_pkthdr.rcvif = (struct ifnet *)0; +# endif + + bzero(mtod(m, char *), (size_t)sizeof(*nip) + sizeof(*icmp) + 8); + nip = mtod(m, ip_t *); + icmp = (struct icmp *)(nip + 1); + + nip->ip_v = IPVERSION; + nip->ip_hl = (sizeof(*nip) >> 2); + nip->ip_p = IPPROTO_ICMP; + nip->ip_id = oip->ip_id; + nip->ip_sum = 0; + nip->ip_ttl = 60; + nip->ip_tos = oip->ip_tos; + nip->ip_len = sizeof(*nip) + sizeof(*icmp) + 8; + if (dst.s_addr == 0) { + if (fr_ifpaddr(ifp, &dst) == -1) + return -1; + dst.s_addr = htonl(dst.s_addr); + } + nip->ip_src = dst; + nip->ip_dst = oip->ip_src; + + icmp->icmp_type = type; + icmp->icmp_code = code; + icmp->icmp_cksum = 0; + bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip)); + bcopy((char *)oip + (oip->ip_hl << 2), + (char *)&icmp->icmp_ip + sizeof(*oip), 8); /* 64 bits */ +# ifndef sparc + { + register u_short __iplen, __ipoff; + ip_t *ip = &icmp->icmp_ip; + + __iplen = ip->ip_len; + __ipoff = ip->ip_off; + ip->ip_len = 
htons(__iplen); + ip->ip_off = htons(__ipoff); + } +# endif + icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8); + return send_ip(m, nip); } @@ -865,7 +1059,8 @@ void # endif iplinit() { - (void) iplattach(); + if (iplattach() != 0) + printf("IP Filter failed to attach\n"); ip_init(); } # endif /* ! __NetBSD__ */ @@ -882,7 +1077,7 @@ register struct mbuf *m0; } -void ipfr_fastroute(m0, fin, fdp) +int ipfr_fastroute(m0, fin, fdp) struct mbuf *m0; fr_info_t *fin; frdest_t *fdp; @@ -890,12 +1085,13 @@ frdest_t *fdp; register struct ip *ip, *mhip; register struct mbuf *m = m0; register struct route *ro; - struct ifnet *ifp = fdp->fd_ifp; - int len, off, error = 0; - int hlen = fin->fin_hlen; - struct route iproute; + int len, off, error = 0, hlen; struct sockaddr_in *dst; + struct route iproute; + struct ifnet *ifp; + frentry_t *fr; + hlen = fin->fin_hlen; ip = mtod(m0, struct ip *); /* * Route packet. @@ -904,13 +1100,22 @@ frdest_t *fdp; bzero((caddr_t)ro, sizeof (*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; - dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst; + + fr = fin->fin_fr; + ifp = fdp->fd_ifp; + /* + * In case we're here due to "to <if>" being used with "keep state", + * check that we're going in the correct direction. + */ + if ((fr != NULL) && (ifp != NULL) && (fin->fin_rev != 0) && + (fdp == &fr->fr_tif)) + return -1; # ifdef __bsdi__ dst->sin_len = sizeof(*dst); # endif # if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \ !defined(__OpenBSD__) -# ifdef RTF_CLONING +# ifdef RTF_CLONING rtalloc_ign(ro, RTF_CLONING); # else rtalloc_ign(ro, RTF_PRCLONING); 
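Review bot: In `send_ip()` the `_BSDI_VERSION >= 199802` arm passes `&ro` to `ip_output()` without the `bzero()` that only the FreeBSD arm performs and never releases `ro.ro_rt`, so it hands the stack an uninitialised route and leaks the reference; hoist `bzero((char *)&ro, sizeof(ro));` and the `RTFREE` out of the FreeBSD-only block. `send_icmp_err()` quotes `sizeof(*oip)` (20) bytes of the offending header but takes the trailing 8 bytes from `oip + (oip->ip_hl << 2)`, so with IP options the quoted header contradicts its own `ip_hl`, and that read assumes the caller already verified `(ip_hl << 2) + 8` contiguous bytes — state the precondition in a comment above the function. `nip->ip_ttl = 60` and `nip->ip_id = oip->ip_id` are unexplained; a comment on why the original ID is reused rather than a fresh one would help. Nothing here suppresses errors sent in response to ICMP errors or limits how often they are generated, so that must be the caller's job and should be documented. `send_ip()` starts in the previous hunk.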
@@ -939,10 +1144,19 @@ frdest_t *fdp; /* * For input packets which are being "fastrouted", they won't * go back through output filtering and miss their chance to get - * NAT'd. + * NAT'd and counted. */ - (void) ip_natout(ip, hlen, fin); - if (fin->fin_out) + fin->fin_ifp = ifp; + if (fin->fin_out == 0) { + fin->fin_out = 1; + if ((fin->fin_fr = ipacct[1][fr_active]) && + (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) { + ATOMIC_INC(frstats[1].fr_acct); + } + fin->fin_fr = NULL; + (void) fr_checkstate(ip, fin); + (void) ip_natout(ip, fin); + } else ip->ip_sum = 0; /* * If small enough for interface, can just send directly. @@ -988,7 +1202,11 @@ frdest_t *fdp; m0 = m; mhlen = sizeof (struct ip); for (off = hlen + len; off < ip->ip_len; off += len) { +# ifdef MGETHDR + MGETHDR(m, M_DONTWAIT, MT_HEADER); +# else MGET(m, M_DONTWAIT, MT_HEADER); +# endif if (m == 0) { error = ENOBUFS; goto bad; @@ -1057,10 +1275,9 @@ done: else ipl_frouteok[1]++; - if (ro->ro_rt) { + if (ro->ro_rt) RTFREE(ro->ro_rt); - } - return; + return 0; bad: m_freem(m); goto done; 
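Review bot: The output-side pass in `ipfr_fastroute()` rewrites the caller's `fin` in place — `fin->fin_ifp = ifp`, `fin->fin_out = 1`, then `fin->fin_fr = NULL` after the accounting scan — so on return the caller's `fin_fr` no longer names the rule that matched on input and `fin_out`/`fin_ifp` describe the output leg; a caller that logs or counts from `fin` afterwards attributes the packet to the wrong side. Either work on a local copy (`fr_info_t fout = *fin;`) for the accounting/state/NAT calls or restore the saved fields before returning, and say in the comment that the struct is reinterpreted for the output pass. The `MGETHDR` change is right, since the fragment chain is later handed to `if_output` as packet headers. The function starts in the previous hunk and ends after this one.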
@@ -1068,53 +1285,50 @@ bad: #else /* #ifdef _KERNEL */ -#ifdef __sgi +# ifdef __sgi static int no_output __P((struct ifnet *ifp, struct mbuf *m, struct sockaddr *s)) -#else +# else static int no_output __P((struct ifnet *ifp, struct mbuf *m, struct sockaddr *s, struct rtentry *rt)) -#endif +# endif { return 0; } # ifdef __STDC__ -#ifdef __sgi +# ifdef __sgi static int write_output __P((struct ifnet *ifp, struct mbuf *m, struct sockaddr *s)) -#else +# else static int write_output __P((struct ifnet *ifp, struct mbuf *m, struct sockaddr *s, struct rtentry *rt)) -#endif +# endif { -# if !(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603)) ip_t *ip = (ip_t *)m; -# endif # else static int write_output(ifp, ip) struct ifnet *ifp; ip_t *ip; { # endif - FILE *fp; char fname[32]; + int fd; # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) sprintf(fname, "/tmp/%s", ifp->if_xname); - if ((fp = fopen(fname, "a"))) { - fclose(fp); - } # else sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); - if ((fp = fopen(fname, "a"))) { - fwrite((char *)ip, ntohs(ip->ip_len), 1, fp); - fclose(fp); - } # endif + fd = open(fname, O_WRONLY|O_APPEND); + if (fd == -1) { + perror("open"); + return -1; + } + write(fd, (char *)ip, ntohs(ip->ip_len)); + close(fd); return 0; } 
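Review bot: `write(fd, (char *)ip, ntohs(ip->ip_len))` discards its return value, so a short or failed write of the test-harness output goes unnoticed; check it and report it the way the `open()` failure is reported. The path is still built with `sprintf()` into `char fname[32]` from `if_xname`/`if_name`, which overflows for a long interface name in this user-space harness; use `snprintf(fname, sizeof(fname), ...)`. The append-mode `open()` follows whatever sits at the `/tmp` path at that moment, so the `O_EXCL` creation in `init_ifp()` only protects the first open — open with `O_NOFOLLOW` where available, or keep the descriptor from creation, to close the gap. `write_output()` is wholly inside this hunk, but the enclosing `#else /* _KERNEL */` region continues past it.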
@@ -1177,30 +1391,37 @@ char *name; void init_ifp() { - FILE *fp; struct ifnet *ifp, **ifa; char fname[32]; + int fd; + # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s", ifp->if_xname); - if ((fp = fopen(fname, "w"))) - fclose(fp); + fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); + if (fd == -1) + perror("open"); + else + close(fd); } # else for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); - if ((fp = fopen(fname, "w"))) - fclose(fp); + fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); + if (fd == -1) + perror("open"); + else + close(fd); } # endif } -void ipfr_fastroute(ip, fin, fdp) +int ipfr_fastroute(ip, fin, fdp) ip_t *ip; fr_info_t *fin; frdest_t *fdp; @@ -1208,7 +1429,7 @@ frdest_t *fdp; struct ifnet *ifp = fdp->fd_ifp; if (!ifp) - return; /* no routing table out here */ + return 0; /* no routing table out here */ ip->ip_len = htons((u_short)ip->ip_len); ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); @@ -1218,6 +1439,7 @@ frdest_t *fdp; #else (*ifp->if_output)(ifp, (void *)ip, NULL, 0); #endif + return 0; } diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index edbd685..269cbad 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -1,12 +1,12 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $ + * $Id: ip_fil.h,v 2.3.2.4 1999/10/15 13:42:37 darrenr Exp $ */ #ifndef __IP_FIL_H__ 
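Review bot: `open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600)` fails with `EEXIST` whenever a file from a previous run is still in `/tmp`, and the loop only `perror()`s and carries on, after which `write_output()` appends to the stale file; treat the failure as fatal (or skip that interface) rather than continuing. `O_TRUNC` is redundant with `O_EXCL`, which already guarantees a fresh empty file. `O_EXCL` with mode `0600` is the right defence against a pre-planted file or symlink in a shared `/tmp`, so keep it and make the failure loud instead of reverting to the old truncate-in-place. The same `sprintf()` into `fname[32]` as in `write_output()` applies here.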
@@ -21,11 +21,11 @@ #define IPAUTH_NAME "/dev/ipauth" #ifndef SOLARIS -#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) +# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif #if defined(KERNEL) && !defined(_KERNEL) -#define _KERNEL +# define _KERNEL #endif #ifndef __P 
@@ -37,45 +37,45 @@ #endif #if defined(__STDC__) || defined(__GNUC__) -#define SIOCADAFR _IOW('r', 60, struct frentry) -#define SIOCRMAFR _IOW('r', 61, struct frentry) -#define SIOCSETFF _IOW('r', 62, u_int) -#define SIOCGETFF _IOR('r', 63, u_int) -#define SIOCGETFS _IOR('r', 64, struct friostat) -#define SIOCIPFFL _IOWR('r', 65, int) -#define SIOCIPFFB _IOR('r', 66, int) -#define SIOCADIFR _IOW('r', 67, struct frentry) -#define SIOCRMIFR _IOW('r', 68, struct frentry) -#define SIOCSWAPA _IOR('r', 69, u_int) -#define SIOCINAFR _IOW('r', 70, struct frentry) -#define SIOCINIFR _IOW('r', 71, struct frentry) -#define SIOCFRENB _IOW('r', 72, u_int) -#define SIOCFRSYN _IOW('r', 73, u_int) -#define SIOCFRZST _IOWR('r', 74, struct friostat) -#define SIOCZRLST _IOWR('r', 75, struct frentry) -#define SIOCAUTHW _IOWR('r', 76, struct fr_info) -#define SIOCAUTHR _IOWR('r', 77, struct fr_info) -#define SIOCATHST _IOWR('r', 78, struct fr_authstat) +# define SIOCADAFR _IOW('r', 60, struct frentry) +# define SIOCRMAFR _IOW('r', 61, struct frentry) +# define SIOCSETFF _IOW('r', 62, u_int) +# define SIOCGETFF _IOR('r', 63, u_int) +# define SIOCGETFS _IOR('r', 64, struct friostat) +# define SIOCIPFFL _IOWR('r', 65, int) +# define SIOCIPFFB _IOR('r', 66, int) +# define SIOCADIFR _IOW('r', 67, struct frentry) +# define SIOCRMIFR _IOW('r', 68, struct frentry) +# define SIOCSWAPA _IOR('r', 69, u_int) +# define SIOCINAFR _IOW('r', 70, struct frentry) +# define SIOCINIFR _IOW('r', 71, struct frentry) +# define SIOCFRENB _IOW('r', 72, u_int) +# define SIOCFRSYN _IOW('r', 73, u_int) +# define SIOCFRZST _IOWR('r', 74, struct friostat) +# define SIOCZRLST _IOWR('r', 75, struct frentry) +# define SIOCAUTHW _IOWR('r', 76, struct fr_info) +# define SIOCAUTHR _IOWR('r', 77, struct fr_info) +# define SIOCATHST _IOWR('r', 78, struct fr_authstat) #else -#define SIOCADAFR _IOW(r, 60, struct frentry) -#define SIOCRMAFR _IOW(r, 61, struct frentry) -#define SIOCSETFF _IOW(r, 62, u_int) -#define SIOCGETFF 
_IOR(r, 63, u_int) -#define SIOCGETFS _IOR(r, 64, struct friostat) -#define SIOCIPFFL _IOWR(r, 65, int) -#define SIOCIPFFB _IOR(r, 66, int) -#define SIOCADIFR _IOW(r, 67, struct frentry) -#define SIOCRMIFR _IOW(r, 68, struct frentry) -#define SIOCSWAPA _IOR(r, 69, u_int) -#define SIOCINAFR _IOW(r, 70, struct frentry) -#define SIOCINIFR _IOW(r, 71, struct frentry) -#define SIOCFRENB _IOW(r, 72, u_int) -#define SIOCFRSYN _IOW(r, 73, u_int) -#define SIOCFRZST _IOWR(r, 74, struct friostat) -#define SIOCZRLST _IOWR(r, 75, struct frentry) -#define SIOCAUTHW _IOWR(r, 76, struct fr_info) -#define SIOCAUTHR _IOWR(r, 77, struct fr_info) -#define SIOCATHST _IOWR(r, 78, struct fr_authstat) +# define SIOCADAFR _IOW(r, 60, struct frentry) +# define SIOCRMAFR _IOW(r, 61, struct frentry) +# define SIOCSETFF _IOW(r, 62, u_int) +# define SIOCGETFF _IOR(r, 63, u_int) +# define SIOCGETFS _IOR(r, 64, struct friostat) +# define SIOCIPFFL _IOWR(r, 65, int) +# define SIOCIPFFB _IOR(r, 66, int) +# define SIOCADIFR _IOW(r, 67, struct frentry) +# define SIOCRMIFR _IOW(r, 68, struct frentry) +# define SIOCSWAPA _IOR(r, 69, u_int) +# define SIOCINAFR _IOW(r, 70, struct frentry) +# define SIOCINIFR _IOW(r, 71, struct frentry) +# define SIOCFRENB _IOW(r, 72, u_int) +# define SIOCFRSYN _IOW(r, 73, u_int) +# define SIOCFRZST _IOWR(r, 74, struct friostat) +# define SIOCZRLST _IOWR(r, 75, struct frentry) +# define SIOCAUTHW _IOWR(r, 76, struct fr_info) +# define SIOCAUTHR _IOWR(r, 77, struct fr_info) +# define SIOCATHST _IOWR(r, 78, struct fr_authstat) #endif #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR 
@@ -84,47 +84,61 @@ typedef struct fr_ip { u_char fi_v:4; /* IP version */ u_char fi_fl:4; /* packet flags */ - u_char fi_tos; - u_char fi_ttl; - u_char fi_p; - struct in_addr fi_src; - struct in_addr fi_dst; + u_char fi_tos; /* IP packet TOS */ + u_char fi_ttl; /* IP packet TTL */ + u_char fi_p; /* IP packet protocol */ + struct in_addr fi_src; /* source address from packet */ + struct in_addr fi_dst; /* destination address from packet */ u_32_t fi_optmsk; /* bitmask composed from IP options */ u_short fi_secmsk; /* bitmask composed from IP security options */ - u_short fi_auth; + u_short fi_auth; /* authentication code from IP sec. options */ } fr_ip_t; #define FI_OPTIONS (FF_OPTIONS >> 24) #define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/ #define FI_FRAG (FF_FRAG >> 24) #define FI_SHORT (FF_SHORT >> 24) +#define FI_CMP (FI_OPTIONS|FI_TCPUDP|FI_SHORT) + +/* + * These are both used by the state and NAT code to indicate that one port or + * the other should be treated as a wildcard. + */ +#define FI_W_SPORT 0x00000100 +#define FI_W_DPORT 0x00000200 typedef struct fr_info { - struct fr_ip fin_fi; - u_short fin_data[2]; - u_short fin_out; - u_short fin_hlen; - u_char fin_tcpf; - u_char fin_icode; /* From here on is packet specific */ - u_short fin_rule; - u_short fin_group; - u_short fin_dlen; - u_short fin_id; - void *fin_ifp; - struct frentry *fin_fr; + void *fin_ifp; /* interface packet is `on' */ + struct fr_ip fin_fi; /* IP Packet summary */ + u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */ + u_char fin_out; /* in or out ? 
1 == out, 0 == in */ + u_char fin_rev; /* state only: 1 = reverse */ + u_short fin_hlen; /* length of IP header in bytes */ + u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */ + /* From here on is packet specific */ + u_char fin_icode; /* ICMP error to return */ + u_short fin_rule; /* rule # last matched */ + u_short fin_group; /* group number, -1 for none */ + struct frentry *fin_fr; /* last matching rule */ char *fin_dp; /* start of data past IP header */ - void *fin_mp; + u_short fin_dlen; /* length of data portion of packet */ + u_short fin_id; /* IP packet id field */ + void *fin_mp; /* pointer to pointer to mbuf */ +#if SOLARIS && defined(_KERNEL) + void *fin_qfm; /* pointer to mblk where pkt starts */ + void *fin_qif; +#endif } fr_info_t; /* * Size for compares on fr_info structures */ -#define FI_CSIZE (sizeof(struct fr_ip) + sizeof(u_short) * 4 + \ - sizeof(u_char)) +#define FI_CSIZE offsetof(fr_info_t, fin_icode) + /* * Size for copying cache fr_info structure */ -#define FI_COPYSIZE (sizeof(fr_info_t) - sizeof(void *) * 2) +#define FI_COPYSIZE offsetof(fr_info_t, fin_dp) typedef struct frdest { void *fd_ifp; @@ -139,6 +153,9 @@ typedef struct frentry { struct frentry *fr_grp; int fr_ref; /* reference count - for grouping */ void *fr_ifa; +#if BSD >= 199306 + void *fr_oifa; +#endif /* * These are only incremented when a packet matches this rule and * it is the last match 
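Review bot: `FI_CSIZE` and `FI_COPYSIZE` are now `offsetof()` expressions, which requires `<stddef.h>`; no include is added in these hunks, so unless ip_fil.h already pulls it in through another header, the first file that includes ip_fil.h without stddef.h will fail to compile. The new definition also changes what the rule cache compares: `fin_ifp` was moved to the front of `fr_info` and now falls inside `[0, offsetof(fr_info_t, fin_icode))`, whereas the old byte count excluded it, so cache hits become per-interface. That looks intentional but should be stated next to the macro, e.g. `/* compare covers fin_ifp .. fin_tcpf; fields below fin_icode are packet-specific and must stay below it */`, because any later field reorder silently changes the cache key. `fin_qif` is the only new member left without a comment.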
@@ -164,10 +181,14 @@ typedef struct frentry { u_short fr_stop; /* top port for <> and >< */ u_short fr_dtop; /* top port for <> and >< */ u_32_t fr_flags; /* per-rule flags && options (see below) */ - int fr_skip; /* # of rules to skip */ + u_short fr_skip; /* # of rules to skip */ + u_short fr_loglevel; /* syslog log facility + priority */ int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */ char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; +#if BSD >= 199306 + char fr_oifname[IFNAMSIZ]; +#endif struct frdest fr_tif; /* "to" interface */ struct frdest fr_dif; /* duplicate packet interfaces */ } frentry_t; @@ -199,6 +220,7 @@ typedef struct frentry { #define FR_LOGFIRST 0x00040 /* Log the first byte if state held */ #define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */ #define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */ +#define FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */ #define FR_NOMATCH 0x00200 /* no match occured */ #define FR_ACCOUNT 0x00400 /* count packet bytes */ #define FR_KEEPFRAG 0x00800 /* keep fragment information */ @@ -213,8 +235,10 @@ typedef struct frentry { #define FR_NOTDSTIP 0x100000 /* not the dst IP# */ #define FR_AUTH 0x200000 /* use authentication */ #define FR_PREAUTH 0x400000 /* require preauthentication */ +#define FR_DONTCACHE 0x800000 /* don't cache the result */ #define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB) +#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP) /* * These correspond to #define's for FI_* and are stored in fr_flags 
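Review bot: `FR_FAKEICMP` (0x00180) is `FR_RETICMP|FR_RETRST`, not a new bit, so any existing `fr_flags & FR_RETICMP` or `& FR_RETRST` test also matches fake-ICMP rules; callers must compare `(fr_flags & FR_RETMASK)` to tell the three apart. A comment at the definition would stop the next reader treating it as an independent flag: `/* == FR_RETICMP|FR_RETRST; test (fr_flags & FR_RETMASK) == FR_FAKEICMP */`. Narrowing `fr_skip` from `int` to `u_short` in the first hunk silently truncates skip counts above 65535 unless the rule loader rejects them — worth checking where `fixskip`, declared with an `int` parameter later in this commit, computes the value.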
@@ -262,6 +286,8 @@ typedef struct filterstats { u_long fr_tcpbad; /* TCP checksum check failures */ u_long fr_pull[2]; /* good and bad pullup attempts */ #if SOLARIS + u_long fr_notdata; /* PROTO/PCPROTO that have no data */ + u_long fr_nodata; /* mblks that have no data */ u_long fr_bad; /* bad IP packets to the filter */ u_long fr_notip; /* packets passed through no on ip queue */ u_long fr_drop; /* packets dropped - no info for them! */ @@ -278,8 +304,13 @@ typedef struct friostat { struct frentry *f_acctin[2]; struct frentry *f_acctout[2]; struct frentry *f_auth; + struct frgroup *f_groups[3][2]; u_long f_froute[2]; - int f_active; + int f_active; /* 1 or 0 - active rule set */ + int f_defpass; /* default pass - from fr_pass */ + int f_running; /* 1 if running, else 0 */ + int f_logging; /* 1 if enabled, else 0 */ + char f_version[32]; /* version string */ } friostat_t; typedef struct optlist { @@ -305,11 +336,10 @@ typedef struct frgroup { * structure which is then followed by any packet data. */ typedef struct iplog { - u_long ipl_magic; + u_32_t ipl_magic; + u_int ipl_count; u_long ipl_sec; u_long ipl_usec; - u_int ipl_len; - u_int ipl_count; size_t ipl_dsize; struct iplog *ipl_next; } iplog_t; @@ -328,19 +358,21 @@ typedef struct ipflog { u_char fl_hlen; /* length of IP headers saved */ u_short fl_rule; /* assume never more than 64k rules, total */ u_short fl_group; + u_short fl_loglevel; /* syslog log level */ u_32_t fl_flags; + u_32_t fl_lflags; } ipflog_t; #ifndef ICMP_UNREACH_FILTER -#define ICMP_UNREACH_FILTER 13 +# define ICMP_UNREACH_FILTER 13 #endif #ifndef IPF_LOGGING -#define IPF_LOGGING 0 +# define IPF_LOGGING 0 #endif #ifndef IPF_DEFAULT_PASS -#define IPF_DEFAULT_PASS FR_PASS +# define IPF_DEFAULT_PASS FR_PASS #endif #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) 
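Review bot: The `iplog_t` change (`ipl_magic` narrowed to `u_32_t`, `ipl_len` removed, `ipl_count` moved ahead of the timestamps) alters a record layout that, judging by the magic field, is parsed by user-space readers of the log device, so a reader built against the old header will misinterpret every record; the commit should bump whatever magic or version the reader checks, or say in the struct comment that the layout is part of the kernel/user ABI. `f_version[32]` in `friostat` is copied out to user space through the stats ioctl; the code that fills it must NUL-terminate and fully initialize the array (a `strncpy` into a `bzero`ed buffer) so no stale kernel bytes leak through the copy-out. A one-line comment on `fl_lflags` saying which flag namespace it carries would help, since `fl_flags` sits right above it.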
@@ -372,16 +404,32 @@ typedef struct ipflog { # define CDEV_MAJOR 79 #endif +/* + * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns + * on those hooks. We don't need any special mods in non-IP Filter code + * with this! + */ +#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \ + (defined(NetBSD1_2) && NetBSD1_2 > 1) +# if (NetBSD >= 199905) +# define PFIL_HOOKS +# endif +# ifdef PFIL_HOOKS +# define NETBSD_PF +# endif +#endif + + #ifndef _KERNEL extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); extern int send_reset __P((ip_t *, struct ifnet *)); extern int icmp_error __P((ip_t *, struct ifnet *)); extern int ipf_log __P((void)); -extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); +extern int ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); extern struct ifnet *get_unit __P((char *)); -# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) -# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) +# if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); # else extern int iplioctl __P((dev_t, int, caddr_t, int)); 
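Review bot: `(__FreeBSD_version >= 300000)` and `(NetBSD >= 199905)` are evaluated without a `defined()` guard, relying on the preprocessor treating an unknown identifier as 0; that is valid C but warns under `-Wundef`, and with the `-Werror` this commit adds to the BSD Makefile any such warning becomes a build failure. Prefer `defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)`, matching the `defined(NetBSD)` test just above it. The PFIL_HOOKS block now defines a kernel-configuration symbol from a header; a comment saying that the build may also supply it, and that the two must agree, would help whoever next touches the version ranges.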
@@ -390,31 +438,34 @@ extern int iplopen __P((dev_t, int)); extern int iplclose __P((dev_t, int)); #else /* #ifndef _KERNEL */ # if defined(__NetBSD__) && defined(PFIL_HOOKS) -extern int ipfilterattach __P((int)); +extern void ipfilterattach __P((int)); # endif extern int iplattach __P((void)); extern int ipl_enable __P((void)); extern int ipl_disable __P((void)); extern void ipflog_init __P((void)); -extern int ipflog_clear __P((int)); -extern int ipflog_read __P((int, struct uio *)); +extern int ipflog_clear __P((minor_t)); +extern int ipflog_read __P((minor_t, struct uio *)); extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *)); -extern int ipllog __P((int, u_long, void **, size_t *, int *, int)); +extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int)); # if SOLARIS extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, qif_t *, mb_t **)); -extern int icmp_error __P((ip_t *, int, int, qif_t *, - struct in_addr)); -extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *)); +extern int icmp_error __P((ip_t *, int, int, qif_t *, struct in_addr)); +# if SOLARIS2 >= 7 +extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *)); +# else +extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *)); +# endif extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *)); extern int ipfsync __P((void)); -extern int send_reset __P((ip_t *, qif_t *)); +extern int send_reset __P((fr_info_t *, ip_t *, qif_t *)); extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **, fr_info_t *, frdest_t *)); -extern void copyin_mblk __P((mblk_t *, int, int, char *)); -extern void copyout_mblk __P((mblk_t *, int, int, char *)); +extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *)); +extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *)); extern int fr_qin __P((queue_t *, mblk_t *)); extern int 
fr_qout __P((queue_t *, mblk_t *)); # ifdef IPFILTER_LOG @@ -426,9 +477,10 @@ extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); # ifdef linux extern int send_reset __P((tcpiphdr_t *, struct ifnet *)); # else -extern int send_reset __P((tcpiphdr_t *)); +extern int send_reset __P((fr_info_t *, struct ip *)); +extern int send_icmp_err __P((ip_t *, int, int, void *, struct in_addr)); # endif -extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *)); +extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *)); extern size_t mbufchainlen __P((mb_t *)); # ifdef __sgi # include <sys/cred.h> @@ -445,8 +497,9 @@ extern void ipfilter_sgi_intfsync __P((void)); extern int iplidentify __P((char *)); # endif # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ - (NetBSD >= 199511) -# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) + (NetBSD >= 199511) || defined(__OpenBSD__) +# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \ + defined(__OpenBSD__) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); # else extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); 
@@ -454,19 +507,12 @@ extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); extern int iplopen __P((dev_t, int, int, struct proc *)); extern int iplclose __P((dev_t, int, int, struct proc *)); # else -# if defined(__OpenBSD__) -extern int iplioctl __P((dev_t, u_long, caddr_t, int)); -# else /* __OpenBSD__ */ -# ifndef linux -extern int iplioctl __P((dev_t, int, caddr_t, int)); -# else -extern int iplioctl(struct inode *, struct file *, u_int, u_long); -# endif -# endif /* __OpenBSD__ */ -# ifndef linux +# ifndef linux extern int iplopen __P((dev_t, int)); extern int iplclose __P((dev_t, int)); +extern int iplioctl __P((dev_t, int, caddr_t, int)); # else +extern int iplioctl(struct inode *, struct file *, u_int, u_long); extern int iplopen __P((struct inode *, struct file *)); extern void iplclose __P((struct inode *, struct file *)); # endif /* !linux */ 
@@ -484,26 +530,22 @@ extern int iplread(struct inode *, struct file *, char *, int); # endif /* SOLARIS */ #endif /* #ifndef _KERNEL */ -/* - * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns - * on those hooks. We don't need any special mods in non-IP Filter code - * with this! - */ -#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \ - (defined(NetBSD1_2) && NetBSD1_2 > 1) -# define NETBSD_PF -#endif - +extern void fixskip __P((frentry_t **, frentry_t *, int)); +extern int countbits __P((u_32_t)); extern int ipldetach __P((void)); -extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int)); -#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) -extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); +extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *)); +extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *)); extern u_short ipf_cksum __P((u_short *, int)); extern int fr_copytolog __P((int, char *, int)); -extern void frflush __P((int, int *)); -extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int)); -extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***)); -extern void fr_delgroup __P((u_short, u_32_t, int, int)); +extern void fr_forgetifp __P((void *)); +extern int frflush __P((minor_t, int)); +extern void frsync __P((void)); +extern frgroup_t *fr_addgroup __P((u_int, frentry_t *, minor_t, int)); +extern frgroup_t *fr_findgroup __P((u_int, u_32_t, minor_t, int, frgroup_t ***)); +extern void fr_delgroup __P((u_int, u_32_t, minor_t, int)); +extern void fr_makefrip __P((int, ip_t *, fr_info_t *)); +extern int fr_ifpaddr __P((void *, struct in_addr *)); +extern char *memstr __P((char *, char *, int, int)); extern int ipl_unreach; extern int ipl_inited; extern u_long ipl_frouteok[2]; 
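Review bot: `memstr __P((char *, char *, int, int))` takes two signed `int` parameters, presumably lengths, while the rest of this commit moves lengths to `size_t` (`copyin_mblk`, `copyout_mblk`, `iplused`); a negative value reaching an unsigned comparison in the implementation becomes a huge count, so for consistency declare the lengths as `size_t` here and in the definition. `fr_tcpsum` dropped its length argument and `fr_scanlist` now takes `u_32_t`; both are header-only changes in this hunk, so their definitions need a matching check since K&R-style definitions are only diagnosed where this header is included before them.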
@@ -511,9 +553,10 @@ extern int fr_pass; extern int fr_flags; extern int fr_active; extern fr_info_t frcache[2]; +extern char ipfilter_version[]; #ifdef IPFILTER_LOG extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1]; -extern int iplused[IPL_LOGMAX + 1]; +extern size_t iplused[IPL_LOGMAX + 1]; #endif extern struct frentry *ipfilter[2][2], *ipacct[2][2]; extern struct frgroup *ipfgroups[3][2]; diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 923f685..3f0831f 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -7,53 +7,62 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50:21 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.3 1999/09/18 15:03:54 darrenr Exp $"; #endif -#if !defined(_KERNEL) && !defined(KERNEL) -# include <string.h> -# include <stdlib.h> +#if defined(KERNEL) && !defined(_KERNEL) +# define _KERNEL #endif + #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> +#if !defined(_KERNEL) && !defined(KERNEL) +# include <stdio.h> +# include <string.h> +# include <stdlib.h> +#endif #if defined(KERNEL) && (__FreeBSD_version >= 220000) -#include <sys/filio.h> -#include <sys/fcntl.h> +# include <sys/filio.h> +# include <sys/fcntl.h> #else -#include <sys/ioctl.h> +# include <sys/ioctl.h> #endif #include <sys/uio.h> #ifndef linux -#include <sys/protosw.h> +# include <sys/protosw.h> #endif #include <sys/socket.h> #if defined(_KERNEL) && !defined(linux) # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) +# if defined(_KERNEL) && !defined(__sgi) +# include <sys/kernel.h> +# endif # ifndef linux # include <sys/mbuf.h> # endif #else # include <sys/byteorder.h> -# include <sys/dditypes.h> +# ifdef _KERNEL +# include <sys/dditypes.h> +# endif # include <sys/stream.h> # include <sys/kmem.h> #endif - #include <net/if.h> #ifdef sun -#include <net/af.h> +# include <net/af.h> #endif #include <net/route.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #ifndef linux -#include <netinet/ip_var.h> +# include <netinet/ip_var.h> #endif #include <netinet/tcp.h> #include <netinet/udp.h> 
@@ -66,6 +75,17 @@ static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50: #include "netinet/ip_frag.h" #include "netinet/ip_state.h" #include "netinet/ip_auth.h" +#if (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +# if (defined(KERNEL) || defined(_KERNEL)) +# ifndef IPFILTER_LKM +# include <sys/libkern.h> +# include <sys/systm.h> +# endif +extern struct callout_handle ipfr_slowtimer_ch; +# endif +#endif + ipfr_t *ipfr_heads[IPFT_SIZE]; ipfr_t *ipfr_nattab[IPFT_SIZE]; @@ -73,17 +93,26 @@ ipfrstat_t ipfr_stats; int ipfr_inuse = 0, fr_ipfrttl = 120; /* 60 seconds */ #ifdef _KERNEL +# if SOLARIS2 >= 7 +extern timeout_id_t ipfr_timer_id; +# else extern int ipfr_timer_id; +# endif #endif #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) -extern kmutex_t ipf_frag; -extern kmutex_t ipf_natfrag; -extern kmutex_t ipf_nat; +extern KRWLOCK_T ipf_frag, ipf_natfrag, ipf_nat, ipf_mutex; +# if SOLARIS +extern KRWLOCK_T ipf_solaris; +# else +KRWLOCK_T ipf_solaris; +# endif +extern kmutex_t ipf_rw; #endif -static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **)); +static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **)); static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **)); +static void ipfr_delete __P((ipfr_t *)); ipfrstat_t *ipfr_fragstats() @@ -102,10 +131,10 @@ ipfrstat_t *ipfr_fragstats() static ipfr_t *ipfr_new(ip, fin, pass, table) ip_t *ip; fr_info_t *fin; -int pass; +u_int pass; ipfr_t *table[]; { - ipfr_t **fp, *fr, frag; + ipfr_t **fp, *fra, frag; u_int idx; frag.ipfr_p = ip->ip_p; @@ -123,10 +152,10 @@ ipfr_t *table[]; /* * first, make sure it isn't already there... */ - for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next) - if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, + for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next) + if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ)) { - ipfr_stats.ifs_exists++; + ATOMIC_INC(ipfr_stats.ifs_exists); return NULL; } 
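Review bot: `KRWLOCK_T ipf_solaris;` (no `extern`) is a definition placed in ip_frag.c for the non-Solaris side of this `#if`, i.e. the `__sgi` kernel, while on every other kernel the symbol is not declared in this file at all; ipfr_slowtimer later uses `READ_ENTER(&ipf_solaris)` unconditionally, so that only compiles if READ_ENTER is an empty macro on those platforms, which is not visible here. A comment at the definition stating where the lock is initialized and why this file owns it would make the arrangement checkable, e.g. `/* sgi only: defined here, initialized in the attach path — TODO confirm */`. The `fr` to `fra` rename in ipfr_new usefully avoids clashing with the `frentry_t *fr` the new ipfr_delete introduces.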
@@ -134,45 +163,49 @@ ipfr_t *table[]; * allocate some memory, if possible, if not, just record that we * failed to do so. */ - KMALLOC(fr, ipfr_t *, sizeof(*fr)); - if (fr == NULL) { - ipfr_stats.ifs_nomem++; + KMALLOC(fra, ipfr_t *); + if (fra == NULL) { + ATOMIC_INC(ipfr_stats.ifs_nomem); return NULL; } + if ((fra->ipfr_rule = fin->fin_fr) != NULL) { + ATOMIC_INC(fin->fin_fr->fr_ref); + } + + /* * Instert the fragment into the fragment table, copy the struct used * in the search using bcopy rather than reassign each field. * Set the ttl to the default and mask out logging from "pass" */ - if ((fr->ipfr_next = table[idx])) - table[idx]->ipfr_prev = fr; - fr->ipfr_prev = NULL; - fr->ipfr_data = NULL; - table[idx] = fr; - bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ); - fr->ipfr_ttl = fr_ipfrttl; - fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG); + if ((fra->ipfr_next = table[idx])) + table[idx]->ipfr_prev = fra; + fra->ipfr_prev = NULL; + fra->ipfr_data = NULL; + table[idx] = fra; + bcopy((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ); + fra->ipfr_ttl = fr_ipfrttl; /* * Compute the offset of the expected start of the next packet. */ - fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3); - ipfr_stats.ifs_new++; - ipfr_inuse++; - return fr; + fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3); + ATOMIC_INC(ipfr_stats.ifs_new); + ATOMIC_INC(ipfr_inuse); + return fra; } int ipfr_newfrag(ip, fin, pass) ip_t *ip; fr_info_t *fin; -int pass; +u_int pass; { ipfr_t *ipf; - MUTEX_ENTER(&ipf_frag); + WRITE_ENTER(&ipf_frag); ipf = ipfr_new(ip, fin, pass, ipfr_heads); - MUTEX_EXIT(&ipf_frag); + RWLOCK_EXIT(&ipf_frag); return ipf ? 0 : -1; } 
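Review bot: After this change `pass` is no longer read anywhere visible in ipfr_new — `ipfr_pass` was replaced by the `ipfr_rule` pointer and the `pass & ~(FR_LOGFIRST|FR_LOG)` masking is gone — yet the parameter is kept, and retyped to `u_int`, in both ipfr_new and ipfr_newfrag. If it is genuinely unused, drop it from the static ipfr_new; if it is kept for the exported prototype, say so in a comment so nobody reintroduces a use of it. The reference taken on `fin->fin_fr` pairs with the drop in ipfr_delete, but the comment block above the insert still says "mask out logging from pass", which is no longer done. ipfr_new's first half, including the duplicate check, is in the previous hunk.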
@@ -180,17 +213,18 @@ int pass; int ipfr_nat_newfrag(ip, fin, pass, nat) ip_t *ip; fr_info_t *fin; -int pass; +u_int pass; nat_t *nat; { ipfr_t *ipf; - MUTEX_ENTER(&ipf_natfrag); - if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) { + WRITE_ENTER(&ipf_natfrag); + ipf = ipfr_new(ip, fin, pass, ipfr_nattab); + if (ipf != NULL) { ipf->ipfr_data = nat; nat->nat_data = ipf; } - MUTEX_EXIT(&ipf_natfrag); + RWLOCK_EXIT(&ipf_natfrag); return ipf ? 0 : -1; } @@ -251,13 +285,13 @@ ipfr_t *table[]; * If we've follwed the fragments, and this is the * last (in order), shrink expiration time. */ - if ((off & 0x1fff) == f->ipfr_off) { + if ((off & IP_OFFMASK) == f->ipfr_off) { if (!(off & IP_MF)) f->ipfr_ttl = 1; else f->ipfr_off = atoff; } - ipfr_stats.ifs_hits++; + ATOMIC_INC(ipfr_stats.ifs_hits); return f; } return NULL; @@ -274,20 +308,20 @@ fr_info_t *fin; nat_t *nat; ipfr_t *ipf; - MUTEX_ENTER(&ipf_natfrag); + READ_ENTER(&ipf_natfrag); ipf = ipfr_lookup(ip, fin, ipfr_nattab); - if (ipf) { + if (ipf != NULL) { nat = ipf->ipfr_data; /* * This is the last fragment for this packet. */ - if (ipf->ipfr_ttl == 1) { + if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { nat->nat_data = NULL; ipf->ipfr_data = NULL; } } else nat = NULL; - MUTEX_EXIT(&ipf_natfrag); + RWLOCK_EXIT(&ipf_natfrag); return nat; } @@ -295,18 +329,19 @@ fr_info_t *fin; /* * functional interface for normal lookups of the fragment cache */ -int ipfr_knownfrag(ip, fin) +frentry_t *ipfr_knownfrag(ip, fin) ip_t *ip; fr_info_t *fin; { - int ret; - ipfr_t *ipf; - - MUTEX_ENTER(&ipf_frag); - ipf = ipfr_lookup(ip, fin, ipfr_heads); - ret = ipf ? ipf->ipfr_pass : 0; - MUTEX_EXIT(&ipf_frag); - return ret; + frentry_t *fr = NULL; + ipfr_t *fra; + + READ_ENTER(&ipf_frag); + fra = ipfr_lookup(ip, fin, ipfr_heads); + if (fra != NULL) + fr = fra->ipfr_rule; + RWLOCK_EXIT(&ipf_frag); + return fr; } 
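Review bot: ipfr_nat_knownfrag and ipfr_knownfrag now take `READ_ENTER` on the fragment locks, but the shared lookup in the `@@ -251` hunk writes `f->ipfr_ttl` and `f->ipfr_off` on every hit, and ipfr_nat_knownfrag itself clears `nat->nat_data`/`ipf->ipfr_data`; two holders of the read lock can race on those stores, which the old exclusive MUTEX_ENTER prevented. Either keep `WRITE_ENTER` on these paths or move the mutations under a write lock. ipfr_knownfrag also returns `fra->ipfr_rule` after `RWLOCK_EXIT` without taking a reference, so the rule can be freed by ipfr_delete (which `KFREE`s at refcount zero) between the return and the caller's use unless callers are serialized by another lock — a comment stating which lock protects the returned pointer is needed either way.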
@@ -319,13 +354,32 @@ void *nat; ipfr_t *fr; int idx; - MUTEX_ENTER(&ipf_natfrag); + WRITE_ENTER(&ipf_natfrag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next) if (fr->ipfr_data == nat) fr->ipfr_data = NULL; - MUTEX_EXIT(&ipf_natfrag); + RWLOCK_EXIT(&ipf_natfrag); +} + + +static void ipfr_delete(fra) +ipfr_t *fra; +{ + frentry_t *fr; + + fr = fra->ipfr_rule; + if (fr != NULL) { + ATOMIC_DEC(fr->fr_ref); + if (fr->fr_ref == 0) + KFREE(fr); + } + if (fra->ipfr_prev) + fra->ipfr_prev->ipfr_next = fra->ipfr_next; + if (fra->ipfr_next) + fra->ipfr_next->ipfr_prev = fra->ipfr_prev; + KFREE(fra); } @@ -334,31 +388,32 @@ void *nat; */ void ipfr_unload() { - ipfr_t **fp, *fr; + ipfr_t **fp, *fra; nat_t *nat; int idx; - MUTEX_ENTER(&ipf_frag); + WRITE_ENTER(&ipf_frag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) - for (fp = &ipfr_heads[idx]; (fr = *fp); ) { - *fp = fr->ipfr_next; - KFREE(fr); + for (fp = &ipfr_heads[idx]; (fra = *fp); ) { + *fp = fra->ipfr_next; + ipfr_delete(fra); } - MUTEX_EXIT(&ipf_frag); + RWLOCK_EXIT(&ipf_frag); - MUTEX_ENTER(&ipf_nat); - MUTEX_ENTER(&ipf_natfrag); + WRITE_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_natfrag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) - for (fp = &ipfr_nattab[idx]; (fr = *fp); ) { - *fp = fr->ipfr_next; - if ((nat = (nat_t *)fr->ipfr_data)) { - if (nat->nat_data == fr) + for (fp = &ipfr_nattab[idx]; (fra = *fp); ) { + *fp = fra->ipfr_next; + nat = fra->ipfr_data; + if (nat != NULL) { + if (nat->nat_data == fra) nat->nat_data = NULL; } - KFREE(fr); + ipfr_delete(fra); } - MUTEX_EXIT(&ipf_natfrag); - MUTEX_EXIT(&ipf_nat); + RWLOCK_EXIT(&ipf_natfrag); + RWLOCK_EXIT(&ipf_nat); } 
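Review bot: In ipfr_delete the refcount drop is two separate steps, `ATOMIC_DEC(fr->fr_ref)` then `if (fr->fr_ref == 0) KFREE(fr)`, so two releasers racing from a count of 2 can both observe 0 and double-free the rule; if the ATOMIC_DEC macro yields the new value use that, otherwise do the test under the lock that protects `fr_ref`. The same hunk keeps ipfr_forget walking `ipfr_heads` while holding `ipf_natfrag`, which everywhere else guards `ipfr_nattab`; since NAT data is attached to `ipfr_nattab` entries by ipfr_nat_newfrag, either the table or the lock looks wrong, and the loop probably wants `ipfr_nattab`. That predates the commit, but the lock rename is the moment to fix it.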
@@ -368,21 +423,36 @@ void ipfr_unload() * of this being called twice per second. */ # if (BSD >= 199306) || SOLARIS || defined(__sgi) +# if defined(SOLARIS2) && (SOLARIS2 < 7) void ipfr_slowtimer() +# else +void ipfr_slowtimer __P((void *ptr)) +# endif # else int ipfr_slowtimer() # endif { - ipfr_t **fp, *fr; + ipfr_t **fp, *fra; nat_t *nat; - int s, idx; + int idx; +#if defined(_KERNEL) +# if !SOLARIS + int s; +# else + extern int fr_running; + + if (fr_running <= 0) + return; +# endif +#endif + READ_ENTER(&ipf_solaris); #ifdef __sgi ipfilter_sgi_intfsync(); #endif SPL_NET(s); - MUTEX_ENTER(&ipf_frag); + WRITE_ENTER(&ipf_frag); /* * Go through the entire table, looking for entries to expire, @@ -390,23 +460,17 @@ int ipfr_slowtimer() * remove it from the chain and free it. */ for (idx = IPFT_SIZE - 1; idx >= 0; idx--) - for (fp = &ipfr_heads[idx]; (fr = *fp); ) { - --fr->ipfr_ttl; - if (fr->ipfr_ttl == 0) { - if (fr->ipfr_prev) - fr->ipfr_prev->ipfr_next = - fr->ipfr_next; - if (fr->ipfr_next) - fr->ipfr_next->ipfr_prev = - fr->ipfr_prev; - *fp = fr->ipfr_next; - ipfr_stats.ifs_expire++; - ipfr_inuse--; - KFREE(fr); + for (fp = &ipfr_heads[idx]; (fra = *fp); ) { + --fra->ipfr_ttl; + if (fra->ipfr_ttl == 0) { + *fp = fra->ipfr_next; + ipfr_delete(fra); + ATOMIC_INC(ipfr_stats.ifs_expire); + ATOMIC_DEC(ipfr_inuse); } else - fp = &fr->ipfr_next; + fp = &fra->ipfr_next; } - MUTEX_EXIT(&ipf_frag); + RWLOCK_EXIT(&ipf_frag); /* * Same again for the NAT table, except that if the structure also 
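Review bot: The Solaris `if (fr_running <= 0) return;` path exits before `READ_ENTER(&ipf_solaris)`, so it is lock-balanced, but it also skips the timer re-arm at the end of the function, which means the slow timer stops permanently once the filter is disabled unless the enable path restarts it; a comment here should say which code is responsible for rescheduling, e.g. `/* timer is re-armed by ipl_enable() when fr_running goes positive — TODO confirm */`. The `int s` declaration is now only present for `_KERNEL && !SOLARIS`, while `SPL_NET(s)` is used unconditionally, so the macro must expand to nothing elsewhere. ipfr_slowtimer continues into the next hunk.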
@@ -415,31 +479,26 @@ int ipfr_slowtimer() * NOTE: We need to grab both mutex's early, and in this order so as * to prevent a deadlock if both try to expire at the same time. */ - MUTEX_ENTER(&ipf_nat); - MUTEX_ENTER(&ipf_natfrag); + WRITE_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_natfrag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) - for (fp = &ipfr_nattab[idx]; (fr = *fp); ) { - --fr->ipfr_ttl; - if (fr->ipfr_ttl == 0) { - if (fr->ipfr_prev) - fr->ipfr_prev->ipfr_next = - fr->ipfr_next; - if (fr->ipfr_next) - fr->ipfr_next->ipfr_prev = - fr->ipfr_prev; - *fp = fr->ipfr_next; - ipfr_stats.ifs_expire++; - ipfr_inuse--; - if ((nat = (nat_t *)fr->ipfr_data)) { - if (nat->nat_data == fr) + for (fp = &ipfr_nattab[idx]; (fra = *fp); ) { + --fra->ipfr_ttl; + if (fra->ipfr_ttl == 0) { + ATOMIC_INC(ipfr_stats.ifs_expire); + ATOMIC_DEC(ipfr_inuse); + nat = fra->ipfr_data; + if (nat != NULL) { + if (nat->nat_data == fra) nat->nat_data = NULL; } - KFREE(fr); + *fp = fra->ipfr_next; + ipfr_delete(fra); } else - fp = &fr->ipfr_next; + fp = &fra->ipfr_next; } - MUTEX_EXIT(&ipf_natfrag); - MUTEX_EXIT(&ipf_nat); + RWLOCK_EXIT(&ipf_natfrag); + RWLOCK_EXIT(&ipf_nat); SPL_X(s); fr_timeoutstate(); ip_natexpire(); @@ -448,11 +507,16 @@ int ipfr_slowtimer() ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000)); # else # ifndef linux - ip_slowtimo(); +# if (__FreeBSD_version >= 300000) + ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); +# else + timeout(ipfr_slowtimer, NULL, hz/2); +# endif # endif # if (BSD < 199306) && !defined(__sgi) return 0; # endif # endif + RWLOCK_EXIT(&ipf_solaris); } #endif /* defined(_KERNEL) */ diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index 9122f17..1097dec 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h 
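Review bot: `RWLOCK_EXIT(&ipf_solaris)` is placed after the `#  if (BSD < 199306) && !defined(__sgi)` `return 0;`, so on that configuration ipfr_slowtimer returns while still holding the read lock taken at its top; move the exit above that `#if` — directly after the re-arm block — or give the tail a single exit path. Whether this hangs in practice depends on READ_ENTER being a real lock there rather than an empty macro, which is not visible here, but the asymmetry should not be left in. The `timeout(ipfr_slowtimer, NULL, hz/2)` re-arm replaces the old `ip_slowtimo()` call; that is a behaviour change for the non-FreeBSD-3 kernels and deserves a comment on why the system slow timer is no longer driven from here. The function starts two hunks earlier.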
@@ -1,12 +1,12 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $ + * $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -24,7 +24,7 @@ typedef struct ipfr { u_char ipfr_tos; u_short ipfr_off; u_short ipfr_ttl; - u_char ipfr_pass; + frentry_t *ipfr_rule; } ipfr_t; @@ -43,15 +43,19 @@ typedef struct ipfrstat { extern int fr_ipfrttl; extern ipfrstat_t *ipfr_fragstats __P((void)); -extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int)); -extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, int, struct nat *)); +extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int)); +extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *)); extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); -extern int ipfr_knownfrag __P((ip_t *, fr_info_t *)); +extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern void ipfr_forget __P((void *)); extern void ipfr_unload __P((void)); #if (BSD >= 199306) || SOLARIS || defined(__sgi) +# if defined(SOLARIS2) && (SOLARIS2 < 7) extern void ipfr_slowtimer __P((void)); +# else +extern void ipfr_slowtimer __P((void *)); +# endif #else extern int ipfr_slowtimer __P((void)); #endif diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index 7ff8adb..98f00fa 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,6 +2,9 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. */ +#if SOLARIS && defined(_KERNEL) +extern kmutex_t ipf_rw; +#endif #define isdigit(x) ((x) >= '0' && (x) <= '9') 
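Review bot: `ipfr_rule` replaces the `u_char ipfr_pass` byte with a pointer that, per the ip_frag.c hunks in this commit, carries a counted reference (`fr_ref` is incremented in ipfr_new and dropped in ipfr_delete); the struct should say so: `frentry_t *ipfr_rule; /* rule that matched the first fragment; holds a fr_ref */`. ipfr_new allows the pointer to be NULL when `fin->fin_fr` is NULL, so every reader that used to test `ipfr_pass` flags must now handle a NULL rule, and ipfr_knownfrag's new `frentry_t *` return means "no rule" and "no fragment" are indistinguishable to its callers — worth a sentence in the prototype's comment.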
@@ -9,67 +12,29 @@ #define IPF_MINPORTLEN 18 #define IPF_MAXPORTLEN 30 +#define IPF_MIN227LEN 39 +#define IPF_MAX227LEN 51 -int ippr_ftp_init __P((fr_info_t *, ip_t *, tcphdr_t *, - ap_session_t *, nat_t *)); -int ippr_ftp_in __P((fr_info_t *, ip_t *, tcphdr_t *, - ap_session_t *, nat_t *)); -int ippr_ftp_out __P((fr_info_t *, ip_t *, tcphdr_t *, - ap_session_t *, nat_t *)); -u_short ipf_ftp_atoi __P((char **)); - - -int ippr_ftp_init __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *, - nat_t *)); -int ippr_ftp_in __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *, - nat_t *)); -int ippr_ftp_out __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *, - nat_t *)); +int ippr_ftp_init __P((void)); +int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); +int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); +int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *)); +int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *)); u_short ipf_ftp_atoi __P((char **)); +static frentry_t natfr; /* - * FTP application proxy initialization. + * Initialize local structures. 
 */
-int ippr_ftp_init(fin, ip, tcp, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-tcphdr_t *tcp;
-ap_session_t *aps;
-nat_t *nat;
+int ippr_ftp_init()
 {
- aps->aps_sport = tcp->th_sport;
- aps->aps_dport = tcp->th_dport;
- return 0;
-}
-
-
-int ippr_ftp_in(fin, ip, tcp, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-tcphdr_t *tcp;
-ap_session_t *aps;
-nat_t *nat;
-{
- u_32_t sum1, sum2;
- short sel;
-
- if (tcp->th_sport == aps->aps_dport) {
- sum2 = (u_32_t)ntohl(tcp->th_ack);
- sel = aps->aps_sel;
- if ((aps->aps_after[!sel] > aps->aps_after[sel]) &&
- (sum2 > aps->aps_after[!sel])) {
- sel = aps->aps_sel = !sel; /* switch to other set */
- }
- if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) {
- sum1 = (u_32_t)aps->aps_seqoff[sel];
- tcp->th_ack = htonl(sum2 - sum1);
- return 2;
- }
- }
+ bzero((char *)&natfr, sizeof(natfr));
+ natfr.fr_ref = 1;
+ natfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
 return 0;
 }
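Review bot: `IPF_MAX227LEN 51` sizes `portbuf` in `ippr_ftp_pasvmsg` (later hunk) for the form `227 Entering Passive Mode h1,h2,h3,h4,p1,p2\r\n` without parentheses, yet that parser accepts an optional `)` before the CR-LF; a parenthesised reply with six three-digit fields is 53 bytes, so the buffer keeps only the first 51, the `\r\n` check fails and the reply is left unrewritten. Raising the bound fixes this: `#define IPF_MAX227LEN 53 /* "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)\r\n" */` (`IPF_MIN227LEN 39` already tolerates the shorter, unparenthesised form). The `static frentry_t natfr` initialised here is not referenced anywhere else in this diff, so a short comment saying what the proxy attaches it to would help the next reader.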
@@ -103,46 +68,51 @@ char **ptr; } -int ippr_ftp_out(fin, ip, tcp, aps, nat) +int ippr_ftp_portmsg(fin, ip, nat) fr_info_t *fin; ip_t *ip; -tcphdr_t *tcp; -ap_session_t *aps; nat_t *nat; { - register u_32_t sum1, sum2; - char newbuf[IPF_MAXPORTLEN+1]; - char portbuf[IPF_MAXPORTLEN+1], *s; - int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2); - u_int a1, a2, a3, a4; - u_short a5, a6; - int olen, dlen, nlen = 0, inc = 0; - tcphdr_t tcph, *tcp2 = &tcph; - void *savep; - nat_t *ipn; - struct in_addr swip; - mb_t *m = *(mb_t **)fin->fin_mp; - + char portbuf[IPF_MAXPORTLEN + 1], newbuf[IPF_MAXPORTLEN + 1], *s; + tcphdr_t *tcp, tcph, *tcp2 = &tcph; + size_t nlen = 0, dlen, olen; + u_short a5, a6, sp, dp; + u_int a1, a2, a3, a4; + struct in_addr swip; + int off, inc = 0; + fr_info_t fi; + nat_t *ipn; + mb_t *m; #if SOLARIS mb_t *m1; +#endif - /* skip any leading M_PROTOs */ - while(m && (MTYPE(m) != M_DATA)) - m = m->b_cont; - PANIC((!m),("ippr_ftp_out: no M_DATA")); + tcp = (tcphdr_t *)fin->fin_dp; + bzero(portbuf, sizeof(portbuf)); + off = (ip->ip_hl << 2) + (tcp->th_off << 2); + +#if SOLARIS + m = fin->fin_qfm; dlen = msgdsize(m) - off; - bzero(portbuf, sizeof(portbuf)); - copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf); + if (dlen > 0) + copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf); #else + m = *(mb_t **)fin->fin_mp; + dlen = mbufchainlen(m) - off; - bzero(portbuf, sizeof(portbuf)); - m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); + if (dlen > 0) + m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif - portbuf[IPF_MAXPORTLEN] = '\0'; - - if ((dlen < IPF_MINPORTLEN) || strncmp(portbuf, "PORT ", 5)) - goto adjust_seqack; + if (dlen == 0) + return 0; + portbuf[sizeof(portbuf) - 1] = '\0'; + *newbuf = '\0'; + if (!strncmp(portbuf, "PORT ", 5)) { + if (dlen < IPF_MINPORTLEN) + return 0; + } else + return 0; /* * Skip the PORT command + space 
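Review bot: With `dlen` now `size_t`, `dlen = mbufchainlen(m) - off;` (and `msgdsize(m) - off` on Solaris) wraps to a huge value whenever the chain is shorter than `off`, which is computed from the packet's own `th_off`; the `dlen > 0` guard then passes, `MIN(sizeof(portbuf), dlen)` asks for `sizeof(portbuf)` bytes from beyond the end of the chain, and the later `dlen == 0` test cannot catch it. A check before the subtraction closes this, e.g. `if (mbufchainlen(m) <= off) return 0;` with the same for `msgdsize`, or keeping `dlen` signed (as `ippr_ftp_pasvmsg` does) and returning on `dlen <= 0`. Whether an earlier layer already rejects a `th_off` past the segment end is not visible here. `ippr_ftp_portmsg` continues past the end of this hunk.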
@@ -151,21 +121,38 @@ nat_t *nat; /* * Pick out the address components, two at a time. */ - (void) ipf_ftp_atoi(&s); + a1 = ipf_ftp_atoi(&s); if (!s) - goto adjust_seqack; - (void) ipf_ftp_atoi(&s); + return 0; + a2 = ipf_ftp_atoi(&s); if (!s) - goto adjust_seqack; + return 0; + + /* + * check that IP address in the PORT/PASV reply is the same as the + * sender of the command - prevents using PORT for port scanning. + */ + a1 <<= 16; + a1 |= a2; + if (a1 != ntohl(nat->nat_inip.s_addr)) + return 0; + a5 = ipf_ftp_atoi(&s); if (!s) - goto adjust_seqack; + return 0; + if (*s == ')') + s++; + /* * check for CR-LF at the end. */ - if (*s != '\n' || *(s - 1) != '\r') - goto adjust_seqack; - a6 = a5 & 0xff; + if (*s == '\n') + s--; + if ((*s == '\r') && (*(s + 1) == '\n')) { + s += 2; + a6 = a5 & 0xff; + } else + return 0; a5 >>= 8; /* * Calculate new address parts for PORT command 
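Review bot: The comment on the new address check reads `check that IP address in the PORT/PASV reply is the same as the sender of the command`, but this function handles the outbound PORT command and compares against `nat->nat_inip`; the same text is reused verbatim in `ippr_ftp_pasvmsg`, where the comparison is against `nat_oip`, so each copy should name its own side, e.g. here `/* a PORT command may only name the client's own pre-NAT address (nat_inip) */`. The check itself is the right mitigation and is the most valuable part of this change. `ippr_ftp_portmsg` starts and ends outside this hunk.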
@@ -175,29 +162,34 @@ nat_t *nat; a3 = (a1 >> 8) & 0xff; a4 = a1 & 0xff; a1 >>= 24; - olen = s - portbuf + 1; - (void) sprintf(newbuf, "PORT %d,%d,%d,%d,%d,%d\r\n", - a1, a2, a3, a4, a5, a6); + olen = s - portbuf; + (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n", + "PORT", a1, a2, a3, a4, a5, a6); + nlen = strlen(newbuf); inc = nlen - olen; #if SOLARIS for (m1 = m; m1->b_cont; m1 = m1->b_cont) ; - if (inc > 0) { + if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) { mblk_t *nm; /* alloc enough to keep same trailer space for lower driver */ - nm = allocb(nlen + m1->b_datap->db_lim - m1->b_wptr, BPRI_MED); + nm = allocb(nlen, BPRI_MED); PANIC((!nm),("ippr_ftp_out: allocb failed")); nm->b_band = m1->b_band; nm->b_wptr += nlen; m1->b_wptr -= olen; - PANIC((m1->b_wptr < m1->b_rptr),("ippr_ftp_out: cannot handle fragmented data block")); + PANIC((m1->b_wptr < m1->b_rptr), + ("ippr_ftp_out: cannot handle fragmented data block")); linkb(m1, nm); } else { + if (m1->b_datap->db_struiolim == m1->b_wptr) + m1->b_datap->db_struiolim += inc; + m1->b_datap->db_struioflag &= ~STRUIO_IP; m1->b_wptr += inc; } copyin_mblk(m, off, nlen, newbuf); @@ -207,8 +199,10 @@ nat_t *nat; /* the mbuf chain will be extended if necessary by m_copyback() */ m_copyback(m, off, nlen, newbuf); #endif - if (inc) { + if (inc != 0) { #if SOLARIS || defined(__sgi) + register u_32_t sum1, sum2; + sum1 = ip->ip_len; sum2 = ip->ip_len + inc; 
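Review bot: In the Solaris branch the comment `/* alloc enough to keep same trailer space for lower driver */` no longer matches the call, which is now `allocb(nlen, BPRI_MED)` with the trailer term dropped — update or remove it. More importantly, both `PANIC((!nm), ...)` and `PANIC((m1->b_wptr < m1->b_rptr), ...)` remain reachable from packet content: an allocation failure, or a PORT line that does not sit wholly inside the last mblk (`m1->b_wptr -= olen;` assumes it does), brings the kernel down where dropping the packet (`return 0`, after restoring `b_wptr` in the second case) would do. The new `db_struiolim`/`STRUIO_IP` adjustment in the `else` branch is not mirrored in `ippr_ftp_pasvmsg`'s otherwise identical Solaris block; if it is needed here it is needed there too. The enclosing function continues on both sides of the hunk.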
@@ -222,48 +216,242 @@ nat_t *nat; #endif ip->ip_len += inc; } - ch = 1; /* * Add skeleton NAT entry for connection which will come back the * other way. */ - savep = fin->fin_dp; - fin->fin_dp = (char *)tcp2; - bzero((char *)tcp2, sizeof(*tcp2)); - tcp2->th_sport = htons(a5 << 8 | a6); - tcp2->th_dport = htons(20); - swip = ip->ip_src; - ip->ip_src = nat->nat_inip; - if ((ipn = nat_new(nat->nat_ptr, ip, fin, IPN_TCP, NAT_OUTBOUND))) - ipn->nat_age = fr_defnatage; - (void) fr_addstate(ip, fin, FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE); - ip->ip_src = swip; - fin->fin_dp = (char *)savep; - -adjust_seqack: - if (tcp->th_dport == aps->aps_dport) { - sum2 = (u_32_t)ntohl(tcp->th_seq); - off = aps->aps_sel; - if ((aps->aps_after[!off] > aps->aps_after[off]) && - (sum2 > aps->aps_after[!off])) { - off = aps->aps_sel = !off; /* switch to other set */ - } - if (aps->aps_seqoff[off]) { - sum1 = (u_32_t)aps->aps_after[off] - - aps->aps_seqoff[off]; - if (sum2 > sum1) { - sum1 = (u_32_t)aps->aps_seqoff[off]; - sum2 += sum1; - tcp->th_seq = htonl(sum2); - ch = 1; - } + sp = htons(a5 << 8 | a6); + /* + * The server may not make the connection back from port 20, but + * it is the most likely so use it here to check for a conflicting + * mapping. 
+ */ + dp = htons(fin->fin_data[1] - 1); + ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, + ip->ip_dst, (dp << 16) | sp); + if (ipn == NULL) { + bcopy((char *)fin, (char *)&fi, sizeof(fi)); + bzero((char *)tcp2, sizeof(*tcp2)); + tcp2->th_win = htons(8192); + tcp2->th_sport = sp; + tcp2->th_dport = 0; /* XXX - don't specify remote port */ + fi.fin_data[0] = ntohs(sp); + fi.fin_data[1] = 0; + fi.fin_dp = (char *)tcp2; + swip = ip->ip_src; + ip->ip_src = nat->nat_inip; + ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, + NAT_OUTBOUND); + if (ipn != NULL) { + ipn->nat_age = fr_defnatage; + (void) fr_addstate(ip, &fi, FI_W_DPORT); } + ip->ip_src = swip; + } + return inc; +} + - if (inc && (sum2 > aps->aps_after[!off])) { - aps->aps_after[!off] = sum2 + nlen - 1; - aps->aps_seqoff[!off] = aps->aps_seqoff[off] + inc; +int ippr_ftp_out(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + return ippr_ftp_portmsg(fin, ip, nat); +} + + +int ippr_ftp_pasvmsg(fin, ip, nat) +fr_info_t *fin; +ip_t *ip; +nat_t *nat; +{ + char portbuf[IPF_MAX227LEN + 1], newbuf[IPF_MAX227LEN + 1], *s; + int off, olen, dlen, nlen = 0, inc = 0; + tcphdr_t tcph, *tcp2 = &tcph; + struct in_addr swip, swip2; + u_short a5, a6, dp, sp; + u_int a1, a2, a3, a4; + tcphdr_t *tcp; + fr_info_t fi; + nat_t *ipn; + mb_t *m; +#if SOLARIS + mb_t *m1; +#endif + + tcp = (tcphdr_t *)fin->fin_dp; + off = (ip->ip_hl << 2) + (tcp->th_off << 2); + m = *(mb_t **)fin->fin_mp; + bzero(portbuf, sizeof(portbuf)); + +#if SOLARIS + m = fin->fin_qfm; + + dlen = msgdsize(m) - off; + if (dlen > 0) + copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf); +#else + dlen = mbufchainlen(m) - off; + if (dlen > 0) + m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); +#endif + if (dlen == 0) + return 0; + portbuf[sizeof(portbuf) - 1] = '\0'; + *newbuf = '\0'; + + if (!strncmp(portbuf, "227 ", 4)) { + if (dlen < IPF_MIN227LEN) + return 0; + else if (strncmp(portbuf, 
"227 Entering Passive Mode", 25)) + return 0; + } else + return 0; + /* + * Skip the PORT command + space + */ + s = portbuf + 25; + while (*s && !isdigit(*s)) + s++; + /* + * Pick out the address components, two at a time. + */ + a1 = ipf_ftp_atoi(&s); + if (!s) + return 0; + a2 = ipf_ftp_atoi(&s); + if (!s) + return 0; + + /* + * check that IP address in the PORT/PASV reply is the same as the + * sender of the command - prevents using PORT for port scanning. + */ + a1 <<= 16; + a1 |= a2; + if (a1 != ntohl(nat->nat_oip.s_addr)) + return 0; + + a5 = ipf_ftp_atoi(&s); + if (!s) + return 0; + + if (*s == ')') + s++; + if (*s == '\n') + s--; + /* + * check for CR-LF at the end. + */ + if ((*s == '\r') && (*(s + 1) == '\n')) { + s += 2; + a6 = a5 & 0xff; + } else + return 0; + a5 >>= 8; + /* + * Calculate new address parts for 227 reply + */ + a1 = ntohl(ip->ip_src.s_addr); + a2 = (a1 >> 16) & 0xff; + a3 = (a1 >> 8) & 0xff; + a4 = a1 & 0xff; + a1 >>= 24; + olen = s - portbuf; + (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n", + "227 Entering Passive Mode", a1, a2, a3, a4, a5, a6); + + nlen = strlen(newbuf); + inc = nlen - olen; +#if SOLARIS + for (m1 = m; m1->b_cont; m1 = m1->b_cont) + ; + if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) { + mblk_t *nm; + + /* alloc enough to keep same trailer space for lower driver */ + nm = allocb(nlen, BPRI_MED); + PANIC((!nm),("ippr_ftp_out: allocb failed")); + + nm->b_band = m1->b_band; + nm->b_wptr += nlen; + + m1->b_wptr -= olen; + PANIC((m1->b_wptr < m1->b_rptr), + ("ippr_ftp_out: cannot handle fragmented data block")); + + linkb(m1, nm); + } else { + m1->b_wptr += inc; + } + copyin_mblk(m, off, nlen, newbuf); +#else + if (inc < 0) + m_adj(m, inc); + /* the mbuf chain will be extended if necessary by m_copyback() */ + m_copyback(m, off, nlen, newbuf); +#endif + if (inc != 0) { +#if SOLARIS || defined(__sgi) + register u_32_t sum1, sum2; + + sum1 = ip->ip_len; + sum2 = ip->ip_len + inc; + + /* Because ~1 == -2, We 
really need ~1 == -1 */ + if (sum1 > sum2) + sum2--; + sum2 -= sum1; + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + + fix_outcksum(&ip->ip_sum, sum2); +#endif + ip->ip_len += inc; + } + + /* + * Add skeleton NAT entry for connection which will come back the + * other way. + */ + sp = 0; + dp = htons(fin->fin_data[1] - 1); + ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, + ip->ip_dst, (dp << 16) | sp); + if (ipn == NULL) { + bcopy((char *)fin, (char *)&fi, sizeof(fi)); + bzero((char *)tcp2, sizeof(*tcp2)); + tcp2->th_win = htons(8192); + tcp2->th_sport = 0; /* XXX - fake it for nat_new */ + fi.fin_data[0] = a5 << 8 | a6; + tcp2->th_dport = htons(fi.fin_data[0]); + fi.fin_data[1] = 0; + fi.fin_dp = (char *)tcp2; + swip = ip->ip_src; + swip2 = ip->ip_dst; + ip->ip_dst = ip->ip_src; + ip->ip_src = nat->nat_inip; + ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT, + NAT_OUTBOUND); + if (ipn != NULL) { + ipn->nat_age = fr_defnatage; + (void) fr_addstate(ip, &fi, FI_W_SPORT); } + ip->ip_src = swip; + ip->ip_dst = swip2; } - return ch ? 2 : 0; + return inc; +} + + +int ippr_ftp_in(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + + return ippr_ftp_pasvmsg(fin, ip, nat); } diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c index b64fb02..fe073ff 100644 --- a/contrib/ipfilter/ip_lfil.c +++ b/contrib/ipfilter/ip_lfil.c 
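Review bot: `ippr_ftp_pasvmsg` executes `m = *(mb_t **)fin->fin_mp;` unconditionally before the `#if SOLARIS` block overrides it with `fin->fin_qfm`, whereas `ippr_ftp_portmsg` only touches `fin_mp` under `#else`; if `fin_mp` is not populated on Solaris (not visible in this diff) that dereference is a NULL pointer read, so the assignment should move into the `#else` branch as in the sibling function. Both `PANIC` messages in `ippr_ftp_pasvmsg` still say `ippr_ftp_out`, which will misdirect anyone reading a crash dump; use `ippr_ftp_pasvmsg`. `dlen` is `int` here but `size_t` in `ippr_ftp_portmsg`, and the `ippr_ftp_in`/`ippr_ftp_out` wrappers take an `aps` they never use — harmless, but a one-line comment on each wrapper noting why `aps` is unused would help. The hunk begins inside `ippr_ftp_portmsg`.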
@@ -1,25 +1,17 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.1 1999/08/04 17:29:57 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) # define _KERNEL #endif -#ifndef _KERNEL -# include <stdio.h> -# include <string.h> -# include <stdlib.h> -# include <ctype.h> -#else -# include <linux/module.h> -#endif #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> @@ -29,6 +21,14 @@ static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.5 1997/12/02 13:55:5 #include <sys/uio.h> #include <sys/dir.h> #include <sys/socket.h> +#ifndef _KERNEL +# include <stdio.h> +# include <string.h> +# include <stdlib.h> +# include <ctype.h> +#else +# include <linux/module.h> +#endif #include <net/if.h> #include <net/route.h> @@ -67,7 +67,6 @@ int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; -static void fixskip __P((frentry_t **, frentry_t *, int)); static int frzerostats __P((caddr_t)); static void frsync __P((void)); #if defined(__NetBSD__) || defined(__OpenBSD__) @@ -146,7 +145,7 @@ int ipldetach() } fr_checkp = fr_savep; - frflush(IPL_LOGIPF, &i); + i = frflush(IPL_LOGIPF, i); ipl_inited = 0; ipfr_unload(); @@ -310,7 +309,7 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode) error = EPERM; else { IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); - frflush(unit, &tmp); + tmp = frflush(unit, tmp); IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); } break; 
@@ -363,25 +362,6 @@ static void frsync() } -static void fixskip(listp, rp, addremove) -frentry_t **listp, *rp; -int addremove; -{ - frentry_t *fp; - int rules = 0, rn = 0; - - for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++) - ; - - if (!fp) - return; - - for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) - if (fp->fr_skip && (rn + fp->fr_skip >= rules)) - fp->fr_skip += addremove; -} - - static int frrequest(unit, req, data, set) int unit; u_long req; @@ -393,7 +373,8 @@ caddr_t data; frentry_t frd; frdest_t *fdp; frgroup_t *fg = NULL; - int error = 0, in, group; + int error = 0, in; + u_int group; fp = &frd; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); @@ -405,10 +386,10 @@ caddr_t data; * has been specified, doesn't exist. */ if (fp->fr_grhead && - fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) + fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; if (fp->fr_group && - !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) + !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL)) return ESRCH; in = (fp->fr_flags & FR_INQUE) ? 0 : 1; @@ -498,8 +479,8 @@ caddr_t data; if (unit == IPL_LOGAUTH) return fr_auth_ioctl(data, req, f, ftail); if (f->fr_grhead) - fr_delgroup(f->fr_grhead, fp->fr_flags, unit, - set); + fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, + unit, set); fixskip(fprev, f, -1); *ftail = f->fr_next; KFREE(f); @@ -510,7 +491,7 @@ caddr_t data; else { if (unit == IPL_LOGAUTH) return fr_auth_ioctl(data, req, f, ftail); - KMALLOC(f, frentry_t *, sizeof(*f)); + KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) fg->fg_head->fr_ref++; @@ -540,7 +521,7 @@ int iplopen(struct inode *inode, struct file *file) { u_int min = GET_MINOR(inode->i_rdev); - if (2 < min) + if (IPL_LOGMAX < min) min = ENXIO; else { MOD_INC_USE_COUNT; 
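Review bot: The `static void fixskip` prototype (previous hunk on this file) and its definition are removed here, but the call `fixskip(fprev, f, -1);` remains as context in the `@@ -498,8 +479,8 @@` hunk, so ip_lfil.c now depends on a declaration arriving from a header that is not part of this diff; without one it compiles only through an implicit declaration, which would hide any signature mismatch with the shared implementation. Make sure the included header declares it, e.g. `extern void fixskip __P((frentry_t **, frentry_t *, int));`. In `iplopen`, `if (IPL_LOGMAX < min) min = ENXIO;` keeps an errno in the variable that otherwise holds a minor number — pre-existing, but a comment would help now that the `IPL_LOGMAX` bound makes the line read as a pure range check.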
@@ -554,7 +535,7 @@ void iplclose(struct inode *inode, struct file *file) { u_int min = GET_MINOR(inode->i_rdev); - if (2 >= min) { + if (IPL_LOGMAX >= min) { MOD_DEC_USE_COUNT; } } @@ -628,7 +609,7 @@ struct ifnet *ifp; ip->ip_sum = 0; ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t)); - tcp->th_sum = fr_tcpsum(m, ip, tcp, sizeof(tcpiphdr_t)); + tcp->th_sum = fr_tcpsum(m, ip, tcp); return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr); } diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c index 81e89e5..1b92cfe 100644 --- a/contrib/ipfilter/ip_log.c +++ b/contrib/ipfilter/ip_log.c @@ -1,27 +1,33 @@ /* - * Copyright (C) 1997 by Darren Reed. + * Copyright (C) 1997-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $ + * $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $ */ +#include <sys/param.h> +#if defined(KERNEL) && !defined(_KERNEL) +# define _KERNEL +#endif +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) +# include "opt_ipfilter_log.h" +#endif +#ifdef __FreeBSD__ +# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# include <sys/osreldate.h> +# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) +# include "opt_ipfilter.h" +# endif +# else +# include <osreldate.h> +# endif +#endif #ifdef IPFILTER_LOG # ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) # endif - -# if defined(KERNEL) && !defined(_KERNEL) -# define _KERNEL -# endif -# ifdef __FreeBSD__ -# if defined(_KERNEL) && !defined(IPFILTER_LKM) -# include <sys/osreldate.h> -# else -# include <osreldate.h> -# endif -# endif # ifndef _KERNEL # include <stdio.h> # include <string.h> 
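Review bot: In the ip_log.c hunk `#include <sys/param.h>` now comes before the `# define _KERNEL` that is applied when only `KERNEL` is defined, so on such builds param.h is parsed without `_KERNEL`; on systems whose param.h keys kernel-only declarations on `_KERNEL` that changes what the rest of the file sees. The include was presumably moved up so the `NetBSD`/`__FreeBSD_version` tests that pull in `opt_ipfilter_log.h` and `opt_ipfilter.h` have their values, which is satisfied equally by placing the `_KERNEL` block first and `<sys/param.h>` second. A one-line comment above the include, `/* sys/param.h before the IPFILTER_LOG guard: the OS version macros tested below come from it */`, records why it sits outside the guard.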
@@ -30,7 +36,6 @@ # endif # include <sys/errno.h> # include <sys/types.h> -# include <sys/param.h> # include <sys/file.h> # if __FreeBSD_version >= 220000 && defined(_KERNEL) # include <sys/fcntl.h> @@ -44,7 +49,7 @@ # endif # include <sys/uio.h> # if !SOLARIS -# if (NetBSD > 199609) || (OpenBSD > 199603) +# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000) # include <sys/dirent.h> # else # include <sys/dir.h> @@ -105,6 +110,10 @@ # include "netinet/ip_frag.h" # include "netinet/ip_state.h" # include "netinet/ip_auth.h" +# if (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +# endif + # ifndef MIN # define MIN(a,b) (((a)<(b))?(a):(b)) # endif @@ -117,13 +126,12 @@ extern kcondvar_t iplwait; # endif # endif -iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1]; -int iplused[IPL_LOGMAX+1]; -u_long iplcrc[IPL_LOGMAX+1]; -u_long iplcrcinit; -#ifdef linux +iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1]; +size_t iplused[IPL_LOGMAX+1]; +fr_info_t iplcrc[IPL_LOGMAX+1]; +# ifdef linux static struct wait_queue *iplwait[IPL_LOGMAX+1]; -#endif +# endif /* @@ -132,20 +140,15 @@ static struct wait_queue *iplwait[IPL_LOGMAX+1]; */ void ipflog_init() { - struct timeval tv; int i; for (i = IPL_LOGMAX; i >= 0; i--) { iplt[i] = NULL; + ipll[i] = NULL; iplh[i] = &iplt[i]; iplused[i] = 0; + bzero((char *)&iplcrc[i], sizeof(iplcrc[i])); } -# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) - microtime(&tv); -# else - uniqtime(&tv); -# endif - iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec; } @@ -164,8 +167,7 @@ fr_info_t *fin; mb_t *m; { ipflog_t ipfl; - register int mlen, hlen; - u_long crc; + register size_t mlen, hlen; size_t sizes[2]; void *ptrs[2]; int types[2]; 
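Review bot: `iplcrc[]` is now an array of `fr_info_t` compared with `bcmp` over `FI_CSIZE` bytes, so the name no longer describes the contents and the comment in `ipllog` (next hunk) still speaks of a CRC; until it is renamed, a comment at the declaration avoids the confusion: `fr_info_t iplcrc[IPL_LOGMAX+1]; /* first FI_CSIZE bytes of the fr_info_t of the last record per unit, for collapsing repeats */`. Dropping the time-seeded `iplcrcinit` in favour of a byte comparison also removes the possibility of a CRC collision merging two different packets into one record, which is worth stating in the commit message. `ipflog_init` resets `ipll`/`iplcrc` without `ipl_mutex`, which is fine only if nothing can log before init completes — presumably the case, but not visible here.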
@@ -179,29 +181,36 @@ mb_t *m; * calculate header size. */ hlen = fin->fin_hlen; - if (ip->ip_p == IPPROTO_TCP) - hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen); - else if (ip->ip_p == IPPROTO_UDP) - hlen += MIN(sizeof(udphdr_t), fin->fin_dlen); - else if (ip->ip_p == IPPROTO_ICMP) { - struct icmp *icmp = (struct icmp *)((char *)ip + hlen); - - /* - * For ICMP, if the packet is an error packet, also include - * the information about the packet which caused the error. - */ - switch (icmp->icmp_type) - { - case ICMP_UNREACH : - case ICMP_SOURCEQUENCH : - case ICMP_REDIRECT : - case ICMP_TIMXCEED : - case ICMP_PARAMPROB : - hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen); - break; - default : - hlen += MIN(sizeof(struct icmp), fin->fin_dlen); - break; + if ((ip->ip_off & IP_OFFMASK) == 0) { + if (ip->ip_p == IPPROTO_TCP) + hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen); + else if (ip->ip_p == IPPROTO_UDP) + hlen += MIN(sizeof(udphdr_t), fin->fin_dlen); + else if (ip->ip_p == IPPROTO_ICMP) { + struct icmp *icmp; + + icmp = (struct icmp *)((char *)ip + hlen); + + /* + * For ICMP, if the packet is an error packet, also + * include the information about the packet which + * caused the error. + */ + switch (icmp->icmp_type) + { + case ICMP_UNREACH : + case ICMP_SOURCEQUENCH : + case ICMP_REDIRECT : + case ICMP_TIMXCEED : + case ICMP_PARAMPROB : + hlen += MIN(sizeof(struct icmp) + 8, + fin->fin_dlen); + break; + default : + hlen += MIN(sizeof(struct icmp), + fin->fin_dlen); + break; + } } } /* @@ -231,11 +240,15 @@ mb_t *m; ipfl.fl_hlen = (u_char)hlen; ipfl.fl_rule = fin->fin_rule; ipfl.fl_group = fin->fin_group; + if (fin->fin_fr != NULL) + ipfl.fl_loglevel = fin->fin_fr->fr_loglevel; + else + ipfl.fl_loglevel = 0xffff; ipfl.fl_flags = flags; ptrs[0] = (void *)&ipfl; sizes[0] = sizeof(ipfl); types[0] = 0; -#if SOLARIS +# if SOLARIS /* * Are we copied from the mblk or an aligned array ? */ 
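Review bot: Inside the new `(ip->ip_off & IP_OFFMASK) == 0` branch, `icmp->icmp_type` is read before anything shows that `fin->fin_dlen` covers even the first byte of the ICMP header; the `MIN(..., fin->fin_dlen)` calls only bound how much is logged, not that read. A guard such as `if (fin->fin_dlen >= ICMP_MINLEN)` around the `switch` (falling back to the `default` sizing otherwise) keeps a truncated first fragment from being parsed past its data. Restricting the transport-header sizing to first fragments is a good change; the `0xffff` written to `fl_loglevel` when `fin->fin_fr` is NULL deserves a comment saying it is the "no rule, no level" marker so readers of the log format do not decode it. The enclosing function continues past the hunk.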
@@ -248,45 +261,47 @@ mb_t *m; sizes[1] = hlen + mlen; types[1] = 0; } -#else +# else ptrs[1] = m; sizes[1] = hlen + mlen; types[1] = 1; -#endif - crc = (ipf_cksum((u_short *)fin, FI_CSIZE) << 8) + iplcrcinit; - return ipllog(IPL_LOGIPF, crc, ptrs, sizes, types, 2); +# endif + return ipllog(IPL_LOGIPF, fin, ptrs, sizes, types, 2); } /* * ipllog */ -int ipllog(dev, crc, items, itemsz, types, cnt) +int ipllog(dev, fin, items, itemsz, types, cnt) int dev; -u_long crc; +fr_info_t *fin; void **items; size_t *itemsz; int *types, cnt; { - iplog_t *ipl; caddr_t buf, s; - int len, i; + iplog_t *ipl; + size_t len; + int i; /* * Check to see if this log record has a CRC which matches the last * record logged. If it does, just up the count on the previous one * rather than create a new one. */ - if (crc) { - MUTEX_ENTER(&ipl_mutex); - if ((iplcrc[dev] == crc) && *iplh[dev]) { - (*iplh[dev])->ipl_count++; + MUTEX_ENTER(&ipl_mutex); + if (fin != NULL) { + if ((ipll[dev] != NULL) && + bcmp((char *)fin, (char *)&iplcrc[dev], FI_CSIZE) == 0) { + ipll[dev]->ipl_count++; MUTEX_EXIT(&ipl_mutex); return 1; } - iplcrc[dev] = crc; - MUTEX_EXIT(&ipl_mutex); - } + bcopy((char *)fin, (char *)&iplcrc[dev], FI_CSIZE); + } else + bzero((char *)&iplcrc[dev], FI_CSIZE); + MUTEX_EXIT(&ipl_mutex); /* * Get the total amount of data to be logged. @@ -298,7 +313,7 @@ int *types, cnt; * check that we have space to record this information and can * allocate that much. */ - KMALLOC(buf, caddr_t, len); + KMALLOCS(buf, caddr_t, len); if (!buf) return 0; MUTEX_ENTER(&ipl_mutex); @@ -344,6 +359,7 @@ int *types, cnt; s += itemsz[i]; } MUTEX_ENTER(&ipl_mutex); + ipll[dev] = ipl; *iplh[dev] = ipl; iplh[dev] = &ipl->ipl_next; # if SOLARIS @@ -362,11 +378,12 @@ int *types, cnt; int ipflog_read(unit, uio) -int unit; +minor_t unit; struct uio *uio; { + size_t dlen, copied; + int error = 0; iplog_t *ipl; - int error = 0, dlen, copied; # if defined(_KERNEL) && !SOLARIS int s; # endif 
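Review bot: In `ipllog`, the new `bcopy((char *)fin, (char *)&iplcrc[dev], FI_CSIZE);` runs before the allocation, so when `KMALLOCS` fails and the function returns 0, `iplcrc[dev]` already describes a packet that was never logged while `ipll[dev]` still points at the previous record; the next identical packet then matches and bumps `ipll[dev]->ipl_count`, attributing it to the wrong record and hiding the drop. Either defer the `bcopy` until the record is linked (where `ipll[dev] = ipl;` is set, under the same mutex hold), or clear on the failure path: `if (!buf) { MUTEX_ENTER(&ipl_mutex); bzero((char *)&iplcrc[dev], FI_CSIZE); MUTEX_EXIT(&ipl_mutex); return 0; }`. The comparison and the later `ipll[dev] = ipl` store happen under separate acquisitions of `ipl_mutex`, so two concurrent loggers can interleave; whether callers serialise `ipllog` is not visible here. The comment above the check still says `has a CRC which matches`; it now compares the `fr_info_t` bytes directly.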
@@ -375,7 +392,7 @@ struct uio *uio; * Sanity checks. Make sure the minor # is valid and we're copying * a valid chunk of data. */ - if ((IPL_LOGMAX < unit) || (unit < 0)) + if (IPL_LOGMAX < unit) return ENXIO; if (!uio->uio_resid) return 0; @@ -419,55 +436,63 @@ struct uio *uio; for (copied = 0; (ipl = iplt[unit]); copied += dlen) { dlen = ipl->ipl_dsize; - if (dlen + sizeof(iplog_t) > uio->uio_resid) + if (dlen > uio->uio_resid) break; /* * Don't hold the mutex over the uiomove call. */ iplt[unit] = ipl->ipl_next; + iplused[unit] -= dlen; MUTEX_EXIT(&ipl_mutex); SPL_X(s); - error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio); - KFREES((caddr_t)ipl, ipl->ipl_dsize); - if (error) + error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio); + if (error) { + SPL_NET(s); + MUTEX_ENTER(&ipl_mutex); + ipl->ipl_next = iplt[unit]; + iplt[unit] = ipl; + iplused[unit] += dlen; break; + } + KFREES((caddr_t)ipl, dlen); SPL_NET(s); MUTEX_ENTER(&ipl_mutex); - iplused[unit] -= dlen; } - if (!ipl) { + if (!iplt[unit]) { iplused[unit] = 0; iplh[unit] = &iplt[unit]; + ipll[unit] = NULL; } - if (!error) { - MUTEX_EXIT(&ipl_mutex); - SPL_X(s); - } -#ifdef linux + MUTEX_EXIT(&ipl_mutex); + SPL_X(s); +# ifdef linux if (!error) - return copied; + return (int)copied; return -error; -#else +# else return error; -#endif +# endif } int ipflog_clear(unit) -int unit; +minor_t unit; { iplog_t *ipl; int used; + MUTEX_ENTER(&ipl_mutex); while ((ipl = iplt[unit])) { iplt[unit] = ipl->ipl_next; KFREES((caddr_t)ipl, ipl->ipl_dsize); } iplh[unit] = &iplt[unit]; + ipll[unit] = NULL; used = iplused[unit]; iplused[unit] = 0; - iplcrc[unit] = 0; + bzero((char *)&iplcrc[unit], FI_CSIZE); + MUTEX_EXIT(&ipl_mutex); return used; } #endif /* IPFILTER_LOG */ diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 102d57f..eff284e 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c 
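Review bot: The loop now breaks on `dlen > uio->uio_resid` where it previously used `dlen + sizeof(iplog_t)`; since `UIOMOVE((caddr_t)ipl, dlen, ...)` copies from the record header itself and `KFREES((caddr_t)ipl, dlen)` frees that many bytes, `ipl_dsize` evidently already counts the `iplog_t` header and the old test over-rejected — a comment on `dlen = ipl->ipl_dsize;`, `/* ipl_dsize includes the iplog_t header */`, would make that explicit (the struct is not in this diff, so confirm). Re-queueing the record and restoring `iplused` on a `UIOMOVE` failure is the right fix for the record that was previously freed on error. With `unit` now `minor_t` the dropped `unit < 0` test is correct, but `ipflog_clear` indexes `iplt[unit]` with no bound check at all; whether its caller validates `unit` is outside this diff.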
@@ -1,5 +1,5 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -9,23 +9,27 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.5 1999/10/05 12:58:33 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) #define _KERNEL #endif -#if !defined(_KERNEL) && !defined(KERNEL) -# include <stdio.h> -# include <string.h> -# include <stdlib.h> -#endif #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ + defined(_KERNEL) +# include "opt_ipfilter_log.h" +#endif +#if !defined(_KERNEL) && !defined(KERNEL) +# include <stdio.h> +# include <string.h> +# include <stdlib.h> +#endif #if defined(KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> @@ -48,7 +52,9 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05: #else # include <sys/filio.h> # include <sys/byteorder.h> -# include <sys/dditypes.h> +# ifdef _KERNEL +# include <sys/dditypes.h> +# endif # include <sys/stream.h> # include <sys/kmem.h> #endif @@ -58,9 +64,12 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05: #include <net/if.h> #if __FreeBSD_version >= 300000 # include <net/if_var.h> +# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# include "opt_ipfilter.h" +# endif #endif #ifdef sun -#include <net/af.h> +# include <net/af.h> #endif #include <net/route.h> #include <netinet/in.h> 
@@ -75,8 +84,8 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:
 #endif
 #ifdef RFC1825
-#include <vpn/md5.h>
-#include <vpn/ipsec.h>
+# include <vpn/md5.h>
+# include <vpn/ipsec.h>
 extern struct ifnet vpnif;
 #endif
@@ -93,40 +102,101 @@ extern struct ifnet vpnif; #include "netinet/ip_nat.h" #include "netinet/ip_frag.h" #include "netinet/ip_state.h" +#if (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +#endif #ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) #endif #undef SOCKADDR_IN #define SOCKADDR_IN struct sockaddr_in -nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL; +nat_t **nat_table[2] = { NULL, NULL }, + *nat_instances = NULL; ipnat_t *nat_list = NULL; -u_long fr_defnatage = 1200, /* 10 minutes (600 seconds) */ - fr_defnaticmpage = 6; /* 3 seconds */ +u_int ipf_nattable_sz = NAT_TABLE_SZ; +u_int ipf_natrules_sz = NAT_SIZE; +u_int ipf_rdrrules_sz = RDR_SIZE; +u_32_t nat_masks = 0; +u_32_t rdr_masks = 0; +ipnat_t **nat_rules = NULL; +ipnat_t **rdr_rules = NULL; + +u_long fr_defnatage = DEF_NAT_AGE, + fr_defnaticmpage = 6; /* 3 seconds */ natstat_t nat_stats; #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) -extern kmutex_t ipf_nat; +extern kmutex_t ipf_rw; +extern KRWLOCK_T ipf_nat; #endif static int nat_flushtable __P((void)); static int nat_clearlist __P((void)); static void nat_delete __P((struct nat *)); -static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *)); +static void nat_delrdr __P((struct ipnat *)); +static void nat_delnat __P((struct ipnat *)); + + +int nat_init() +{ + KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz); + if (nat_table[0] != NULL) + bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *)); + else + return -1; + + KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz); + if (nat_table[1] != NULL) + bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *)); + else + return -1; + + KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz); + if (nat_rules != NULL) + bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *)); + else + return -1; + + KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz); + if 
(rdr_rules != NULL) + bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *)); + else + return -1; + return 0; +} + + +void nat_delrdr(n) +ipnat_t *n; +{ + ipnat_t **n1; + u_32_t iph; + u_int hv; + + iph = n->in_outip & n->in_outmsk; + hv = NAT_HASH_FN(iph, ipf_rdrrules_sz); + for (n1 = &rdr_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_rnext) + ; + if (*n1) + *n1 = n->in_rnext; +} -#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16)) +static void nat_delnat(n) +ipnat_t *n; +{ + ipnat_t **n1; + u_32_t iph; + u_int hv; + + iph = n->in_inip & n->in_inmsk; + hv = NAT_HASH_FN(iph, ipf_natrules_sz); + for (n1 = &nat_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_mnext) + ; + if (*n1) + *n1 = n->in_mnext; +} -#define CALC_SUMD(s1, s2, sd) { \ - /* Do it twice */ \ - (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ - (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ - /* Do it twice */ \ - (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ - (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ - /* Because ~1 == -2, We really need ~1 == -1 */ \ - if ((s1) > (s2)) (s2)--; \ - (sd) = (s2) - (s1); \ - (sd) = ((sd) & 0xffff) + ((sd) >> 16); } void fix_outcksum(sp, n) u_short *sp; 
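Review bot: `nat_init` returns -1 on the second, third or fourth `KMALLOCS` failure without freeing what it already allocated, leaving `nat_table[0]`, `nat_table[1]` or `nat_rules` live and non-NULL beside a NULL sibling; unless the caller always runs the unload path on failure (not visible here), that is a leak and a half-initialised table set. Replacing each `else return -1;` with `else goto fail;` and releasing the earlier tables at a single label makes the failure atomic, as sketched below. `nat_delrdr` is declared `static void nat_delrdr __P((struct ipnat *));` but defined as `void nat_delrdr(n)` without `static`, unlike its twin `nat_delnat`; make the definition `static void nat_delrdr(n)` so the two agree. The hunk starts in the include section above.
```c
	/* … unchanged: the four KMALLOCS/bzero blocks, each with `else goto fail;` … */
	return 0;
fail:
	/* undo the tables allocated before the failing KMALLOCS so no
	 * half-built state is left behind for a retry or the unload path */
	if (nat_table[0] != NULL) {
		KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
		nat_table[0] = NULL;
	}
	if (nat_table[1] != NULL) {
		KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
		nat_table[1] = NULL;
	}
	if (nat_rules != NULL) {
		KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
		nat_rules = NULL;
	}
	return -1;
}
```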
@@ -203,25 +273,37 @@ int cmd; caddr_t data; int mode; { - register ipnat_t *nat, *n = NULL, **np = NULL; + register ipnat_t *nat, *nt, *n = NULL, **np = NULL; + int error = 0, ret, k; ipnat_t natd; - int error = 0, ret; + u_32_t i, j; #if defined(_KERNEL) && !SOLARIS int s; #endif +#if (BSD >= 199306) && defined(_KERNEL) + if ((securelevel >= 2) && (mode & FWRITE)) + return EPERM; +#endif + nat = NULL; /* XXX gcc -Wuninitialized */ + KMALLOC(nt, ipnat_t *); + if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) + IRCOPY(data, (char *)&natd, sizeof(natd)); /* * For add/delete, look to see if the NAT entry is already present */ SPL_NET(s); - MUTEX_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_nat); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { - IRCOPY(data, (char *)&natd, sizeof(natd)); nat = &natd; - nat->in_inip &= nat->in_inmsk; - nat->in_outip &= nat->in_outmsk; + nat->in_flags &= IPN_USERFLAGS; + if ((nat->in_redir & NAT_MAPBLK) == 0) { + nat->in_inip &= nat->in_inmsk; + if ((nat->in_flags & IPN_RANGE) == 0) + nat->in_outip &= nat->in_outmsk; + } for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, IPN_CMPSIZ)) 
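Review bot: The new `securelevel` gate keys on the descriptor's open mode (`mode & FWRITE`) rather than on the command, so at `securelevel >= 2` a `SIOCADNAT`/`SIOCRMNAT` arriving on a read-only descriptor is not refused by this line; that is only safe if a per-command write check lives elsewhere in `nat_ioctl` (the `error = EPERM` context in the ip_lfil.c hunk suggests such checks exist, but the rest of this function is outside the hunk). Gating on the command is unambiguous: `if ((securelevel >= 2) && ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))) return EPERM;`, optionally kept alongside the mode test. `KMALLOC(nt, ipnat_t *);` is now performed for every ioctl, including read-only ones, and is consumed only on the add path (`n = nt; nt = NULL;` in the next hunk), so every other exit must free it; that exit code is not in this diff. Moving `IRCOPY` ahead of `WRITE_ENTER` is a good change, since the copy from user space can fault while the lock is held.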
@@ -239,24 +321,82 @@ int mode; error = EEXIST; break; } - KMALLOC(n, ipnat_t *, sizeof(*n)); - if (n == NULL) { + if (nt == NULL) { error = ENOMEM; break; } + n = nt; + nt = NULL; bcopy((char *)nat, (char *)n, sizeof(*n)); n->in_ifp = (void *)GETUNIT(n->in_ifname); if (!n->in_ifp) n->in_ifp = (void *)-1; - n->in_apr = ap_match(n->in_p, n->in_plabel); - n->in_next = *np; + if (n->in_plabel[0] != '\0') { + n->in_apr = appr_match(n->in_p, n->in_plabel); + if (!n->in_apr) { + error = ENOENT; + break; + } + } + n->in_next = NULL; + *np = n; + + if (n->in_redir & NAT_REDIRECT) { + u_int hv; + + k = countbits(n->in_outmsk); + if ((k >= 0) && (k != 32)) + rdr_masks |= 1 << k; + j = (n->in_outip & n->in_outmsk); + hv = NAT_HASH_FN(j, ipf_rdrrules_sz); + np = rdr_rules + hv; + while (*np != NULL) + np = &(*np)->in_rnext; + n->in_rnext = NULL; + *np = n; + } + if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { + u_int hv; + + k = countbits(n->in_inmsk); + if ((k >= 0) && (k != 32)) + nat_masks |= 1 << k; + j = (n->in_inip & n->in_inmsk); + hv = NAT_HASH_FN(j, ipf_natrules_sz); + np = nat_rules + hv; + while (*np != NULL) + np = &(*np)->in_mnext; + n->in_mnext = NULL; + *np = n; + } + n->in_use = 0; - n->in_space = ~(0xffffffff & ntohl(n->in_outmsk)); - if (n->in_space) /* lose 2: broadcast + network address */ - n->in_space -= 2; + if (n->in_redir & NAT_MAPBLK) + n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk); + else if (n->in_flags & IPN_AUTOPORTMAP) + n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk); + else if (n->in_flags & IPN_RANGE) + n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip); else - n->in_space = 1; /* single IP# mapping */ - if ((n->in_outmsk != 0xffffffff) && n->in_outmsk) + n->in_space = ~ntohl(n->in_outmsk); + /* + * Calculate the number of valid IP addresses in the output + * mapping range. In all cases, the range is inclusive of + * the start and ending IP addresses. 
+ * If to a CIDR address, lose 2: broadcast + network address + * (so subtract 1) + * If to a range, add one. + * If to a single IP address, set to 1. + */ + if (n->in_space) { + if ((n->in_flags & IPN_RANGE) != 0) + n->in_space += 1; + else + n->in_space -= 1; + } else + n->in_space = 1; + if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) && + ((n->in_flags & IPN_RANGE) == 0)) n->in_nip = ntohl(n->in_outip) + 1; else n->in_nip = ntohl(n->in_outip); 
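Review bot: On the `error = ENOENT; break;` path after appr_match fails, the rule just taken over from `nt` (`n = nt; nt = NULL;`) is neither linked into nat_list nor freed — the end-of-function `if (nt) KFREE(nt)` sees a NULL nt — so every attempt to add a rule with an unknown proxy label leaks one ipnat_t. Hand it back before breaking, `if (!n->in_apr) { error = ENOENT; nt = n; break; }`, so the existing cleanup releases it. The IPN_RANGE size `n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip)` takes both ends from the ioctl caller and wraps to a huge count when in_outmsk is below in_outip; rejecting that ordering with EINVAL (again releasing n) keeps in_space meaningful. `nat_masks |= 1 << k` and `rdr_masks |= 1 << k` shift a signed constant by up to 31; `1U << k` matches the unsigned masks and avoids the k == 31 overflow, and the same applies to `nat_masks & (1 << i)` in the `@@ -1018,80` hunk of ip_natout. nat_ioctl's body starts before and continues after this hunk.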
@@ -265,44 +405,87 @@ int mode; /* * Multiply by the number of ports made available. */ - if (ntohs(n->in_pmax) > ntohs(n->in_pmin)) + if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) { n->in_space *= (ntohs(n->in_pmax) - - ntohs(n->in_pmin)); + ntohs(n->in_pmin) + 1); + /* + * Because two different sources can map to + * different destinations but use the same + * local IP#/port #. + * If the result is smaller than in_space, then + * we may have wrapped around 32bits. + */ + i = n->in_inmsk; + if ((i != 0) && (i != 0xffffffff)) { + j = n->in_space * (~ntohl(i) + 1); + if (j >= n->in_space) + n->in_space = j; + else + n->in_space = 0xffffffff; + } + } + /* + * If no protocol is specified, multiple by 256. + */ + if ((n->in_flags & IPN_TCPUDP) == 0) { + j = n->in_space * 256; + if (j >= n->in_space) + n->in_space = j; + else + n->in_space = 0xffffffff; + } } /* Otherwise, these fields are preset */ - *np = n; + n = NULL; nat_stats.ns_rules++; break; case SIOCRMNAT : if (!(mode & FWRITE)) { error = EPERM; + n = NULL; break; } if (!n) { error = ESRCH; break; } + if (n->in_redir & NAT_REDIRECT) + nat_delrdr(n); + if (n->in_redir & (NAT_MAPBLK|NAT_MAP)) + nat_delnat(n); + if (nat_list == NULL) { + nat_masks = 0; + rdr_masks = 0; + } *np = n->in_next; if (!n->in_use) { if (n->in_apr) - ap_free(n->in_apr); + appr_free(n->in_apr); KFREE(n); nat_stats.ns_rules--; } else { n->in_flags |= IPN_DELETE; n->in_next = NULL; } + n = NULL; break; case SIOCGNATS : + MUTEX_DOWNGRADE(&ipf_nat); nat_stats.ns_table[0] = nat_table[0]; nat_stats.ns_table[1] = nat_table[1]; nat_stats.ns_list = nat_list; + nat_stats.ns_nattab_sz = ipf_nattable_sz; + nat_stats.ns_rultab_sz = ipf_natrules_sz; + nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz; + nat_stats.ns_instances = nat_instances; + nat_stats.ns_apslist = ap_sess_list; IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats)); break; case SIOCGNATL : { natlookup_t nl; + MUTEX_DOWNGRADE(&ipf_nat); IRCOPY((char *)data, (char *)&nl, sizeof(nl)); if 
(nat_lookupredir(&nl)) { @@ -317,7 +500,7 @@ int mode; break; } ret = nat_flushtable(); - (void) ap_unload(); + MUTEX_DOWNGRADE(&ipf_nat); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case SIOCCNATL : @@ -326,17 +509,24 @@ int mode; break; } ret = nat_clearlist(); + MUTEX_DOWNGRADE(&ipf_nat); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case FIONREAD : #ifdef IPFILTER_LOG + MUTEX_DOWNGRADE(&ipf_nat); IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, sizeof(iplused[IPL_LOGNAT])); #endif break; + default : + error = EINVAL; + break; } - MUTEX_EXIT(&ipf_nat); + RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ SPL_X(s); + if (nt) + KFREE(nt); return error; } @@ -364,17 +554,21 @@ struct nat *natd; break; } + if (natd->nat_fr != NULL) { + ATOMIC_DEC(natd->nat_fr->fr_ref); + } /* * If there is an active reference from the nat entry to its parent * rule, decrement the rule's reference count and free it too if no * longer being used. */ - if ((ipn = natd->nat_ptr)) { + ipn = natd->nat_ptr; + if (ipn != NULL) { ipn->in_space++; ipn->in_use--; if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) { if (ipn->in_apr) - ap_free(ipn->in_apr); + appr_free(ipn->in_apr); KFREE(ipn); nat_stats.ns_rules--; } @@ -385,6 +579,8 @@ struct nat *natd; * dereference that as well. */ ipfr_forget((void *)natd); + aps_free(natd->nat_aps); + nat_stats.ns_inuse--; KFREE(natd); } 
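Review bot: In the SIOCADNAT size computation, the wrap-around test `if (j >= n->in_space)` after `j = n->in_space * 256` does not reliably detect 32-bit overflow — a wrapped product can still exceed the multiplicand (0x01ffffff * 256 wraps to 0xffffff00, which passes) — and the same form guards the `~ntohl(i) + 1` multiplication just above it, while the port-range multiplication is not checked at all. Test before multiplying instead: `if (n->in_space > 0xffffffff / 256) n->in_space = 0xffffffff; else n->in_space *= 256;`, with the divisor replaced by `(~ntohl(i) + 1)` and `(ntohs(n->in_pmax) - ntohs(n->in_pmin) + 1)` for the other two products. All three factors come from the ioctl caller, so saturating at 0xffffffff is the safe outcome and matches what the code already intends. nat_ioctl's body starts before this hunk.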
@@ -398,135 +594,76 @@ static int nat_flushtable() register int j = 0; /* - * Everything will be deleted, so lets just make it the deletions + * ALL NAT mappings deleted, so lets just make the deletions * quicker. */ - bzero((char *)nat_table[0], sizeof(nat_table[0])); - bzero((char *)nat_table[1], sizeof(nat_table[1])); + if (nat_table[0] != NULL) + bzero((char *)nat_table[0], + sizeof(nat_table[0]) * ipf_nattable_sz); + if (nat_table[1] != NULL) + bzero((char *)nat_table[1], + sizeof(nat_table[1]) * ipf_nattable_sz); for (natp = &nat_instances; (nat = *natp); ) { *natp = nat->nat_next; nat_delete(nat); j++; } - + nat_stats.ns_inuse = 0; return j; } /* - * nat_clearlist - delete all entries in the active NAT mapping list. + * nat_clearlist - delete all rules in the active NAT mapping list. */ static int nat_clearlist() { register ipnat_t *n, **np = &nat_list; int i = 0; + if (nat_rules != NULL) + bzero((char *)nat_rules, sizeof(*nat_rules) * ipf_natrules_sz); + if (rdr_rules != NULL) + bzero((char *)rdr_rules, sizeof(*rdr_rules) * ipf_rdrrules_sz); + while ((n = *np)) { *np = n->in_next; if (!n->in_use) { if (n->in_apr) - ap_free(n->in_apr); + appr_free(n->in_apr); KFREE(n); nat_stats.ns_rules--; - i++; } else { n->in_flags |= IPN_DELETE; n->in_next = NULL; } + i++; } - nat_stats.ns_inuse = 0; + nat_masks = 0; + rdr_masks = 0; return i; } /* - * return the first IP Address associated with an interface - */ -static int nat_ifpaddr(nat, ifptr, inp) -nat_t *nat; -void *ifptr; -struct in_addr *inp; -{ -#if SOLARIS - ill_t *ill = ifptr; -#else - struct ifnet *ifp = ifptr; -#endif - struct in_addr in; - -#if SOLARIS - in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr); -#else /* SOLARIS */ -# if linux - ; -# else /* linux */ - struct ifaddr *ifa; - struct sockaddr_in *sin; - -# if (__FreeBSD_version >= 300000) - ifa = TAILQ_FIRST(&ifp->if_addrhead); -# else -# if defined(__NetBSD__) || defined(__OpenBSD__) - ifa = ifp->if_addrlist.tqh_first; -# else -# if defined(__sgi) 
&& defined(IFF_DRVRLOCK) /* IRIX 6 */ - ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa; -# else - ifa = ifp->if_addrlist; -# endif -# endif /* __NetBSD__ || __OpenBSD__ */ -# endif /* __FreeBSD_version >= 300000 */ -# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK)) - sin = (SOCKADDR_IN *)&ifa->ifa_addr; -# else - sin = (SOCKADDR_IN *)ifa->ifa_addr; - while (sin && ifa && - sin->sin_family != AF_INET) { -# if (__FreeBSD_version >= 300000) - ifa = TAILQ_NEXT(ifa, ifa_link); -# else -# if defined(__NetBSD__) || defined(__OpenBSD__) - ifa = ifa->ifa_list.tqe_next; -# else - ifa = ifa->ifa_next; -# endif -# endif /* __FreeBSD_version >= 300000 */ - if (ifa) - sin = (SOCKADDR_IN *)ifa->ifa_addr; - } - if (!ifa) - sin = NULL; - if (!sin) { - KFREE(nat); - return -1; - } -# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */ - in = sin->sin_addr; - in.s_addr = ntohl(in.s_addr); -# endif /* linux */ -#endif /* SOLARIS */ - *inp = in; - return 0; -} - - -/* * Create a new NAT table entry. + * NOTE: assumes write lock on ipf_nat has been obtained already. */ nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; -u_short flags; +u_int flags; int direction; { register u_32_t sum1, sum2, sumd, l; u_short port = 0, sport = 0, dport = 0, nport = 0; - struct in_addr in; + nat_t *nat, **natp, *natl = NULL; + struct in_addr in, inb; tcphdr_t *tcp = NULL; - nat_t *nat, **natp; u_short nflags; + u_int hv; nflags = flags & np->in_flags; if (flags & IPN_TCPUDP) { 
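Review bot: `bzero((char *)nat_table[0], sizeof(nat_table[0]) * ipf_nattable_sz)` in nat_flushtable sizes the clear by the bucket-array pointer rather than by one bucket; if nat_table is declared as two bucket-array pointers the two sizes coincide today, but nat_clearlist in the same hunk uses the intended form `sizeof(*nat_rules) * ipf_natrules_sz`, so write `sizeof(*nat_table[0]) * ipf_nattable_sz` here (and for nat_table[1]) so the expression survives a change of element type. The explicit `nat_stats.ns_inuse = 0` after the loop is now redundant with the `ns_inuse--` that nat_delete performs per entry, though harmless. The widened `u_int flags` parameter of nat_new deserves a line in its header comment stating that it is a mask of IPN_* bits, which is what `flags & np->in_flags` in the body implies. nat_new's body continues past this hunk.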
@@ -536,78 +673,194 @@ int direction; } /* Give me a new nat */ - KMALLOC(nat, nat_t *, sizeof(*nat)); + KMALLOC(nat, nat_t *); if (nat == NULL) return NULL; bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; - /* * Search the current table for a match. */ if (direction == NAT_OUTBOUND) { /* + * Values at which the search for a free resouce starts. + */ + u_32_t st_ip; + u_short st_port; + + /* * If it's an outbound packet which doesn't match any existing * record, then create a new port */ l = 0; + st_ip = np->in_nip; + st_port = np->in_pnext; + do { - l++; port = 0; in.s_addr = np->in_nip; - if (!in.s_addr && (np->in_outmsk == 0xffffffff)) { - if ((l > 1) || - nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) { + if (l == 0) { + natl = nat_maplookup(fin->fin_ifp, flags, + ip->ip_src, ip->ip_dst); + if (natl != NULL) { + in = natl->nat_outip; +#ifndef sparc + in.s_addr = ntohl(in.s_addr); +#endif + } + } + + if ((np->in_outmsk == 0xffffffff) && + (np->in_pnext == 0)) { + if (l > 0) { + KFREE(nat); + return NULL; + } + } + + if (np->in_redir & NAT_MAPBLK) { + if ((l >= np->in_ppip) || ((l > 0) && + !(flags & IPN_TCPUDP))) { + KFREE(nat); + return NULL; + } + /* + * map-block - Calculate destination address. + */ + in.s_addr = ntohl(ip->ip_src.s_addr); + in.s_addr &= ntohl(~np->in_inmsk); + inb.s_addr = in.s_addr; + in.s_addr /= np->in_ippip; + in.s_addr &= ntohl(~np->in_outmsk); + in.s_addr += ntohl(np->in_outip); + /* + * Calculate destination port. + */ + if ((flags & IPN_TCPUDP) && + (np->in_ppip != 0)) { + port = ntohs(sport) + l; + port %= np->in_ppip; + port += np->in_ppip * + (inb.s_addr % np->in_ippip); + port += MAPBLK_MINPORT; + port = htons(port); + } + } else if (!in.s_addr && + (np->in_outmsk == 0xffffffff)) { + /* + * 0/32 - use the interface's IP address. 
+ */ + if ((l > 0) || + fr_ifpaddr(fin->fin_ifp, &in) == -1) { KFREE(nat); return NULL; } } else if (!in.s_addr && !np->in_outmsk) { - if (l > 1) { + /* + * 0/0 - use the original source address/port. + */ + if (l > 0) { KFREE(nat); return NULL; } in.s_addr = ntohl(ip->ip_src.s_addr); - if (nflags & IPN_TCPUDP) - port = sport; - } else if (nflags & IPN_TCPUDP) { + } else if ((np->in_outmsk != 0xffffffff) && + (np->in_pnext == 0) && + ((l > 0) || (natl == NULL))) + np->in_nip++; + natl = NULL; + + if ((nflags & IPN_TCPUDP) && + ((np->in_redir & NAT_MAPBLK) == 0) && + (np->in_flags & IPN_AUTOPORTMAP)) { + if ((l > 0) && (l % np->in_ppip == 0)) { + if (l > np->in_space) { + KFREE(nat); + return NULL; + } else if ((l > np->in_ppip) && + np->in_outmsk != 0xffffffff) + np->in_nip++; + } + if (np->in_ppip != 0) { + port = ntohs(sport); + port += (l % np->in_ppip); + port %= np->in_ppip; + port += np->in_ppip * + (ntohl(ip->ip_src.s_addr) % + np->in_ippip); + port += MAPBLK_MINPORT; + port = htons(port); + } + } else if (((np->in_redir & NAT_MAPBLK) == 0) && + (nflags & IPN_TCPUDP) && + (np->in_pnext != 0)) { port = htons(np->in_pnext++); - if (np->in_pnext >= ntohs(np->in_pmax)) { + if (np->in_pnext > ntohs(np->in_pmax)) { np->in_pnext = ntohs(np->in_pmin); - np->in_space--; if (np->in_outmsk != 0xffffffff) np->in_nip++; } - } else if (np->in_outmsk != 0xffffffff) { - np->in_space--; - np->in_nip++; + } + + if (np->in_flags & IPN_RANGE) { + if (np->in_nip >= ntohl(np->in_outmsk)) + np->in_nip = ntohl(np->in_outip); + } else { + if ((np->in_outmsk != 0xffffffff) && + ((np->in_nip + 1) & ntohl(np->in_outmsk)) > + ntohl(np->in_outip)) + np->in_nip = ntohl(np->in_outip) + 1; } if (!port && (flags & IPN_TCPUDP)) port = sport; - if ((np->in_nip & ntohl(np->in_outmsk)) > - ntohl(np->in_outip)) - np->in_nip = ntohl(np->in_outip) + 1; - } while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst, - dport, in, port)); + + /* + * Here we do a lookup of the connection as seen from + * the 
outside. If an IP# pair already exists, try + * again. So if you have A->B becomes C->B, you can + * also have D->E become C->E but not D->B causing + * another C->B. Also take protocol and ports into + * account when determining whether a pre-existing + * NAT setup will cause an external conflict where + * this is appropriate. + */ + inb.s_addr = htonl(in.s_addr); + natl = nat_inlookup(fin->fin_ifp, flags, + (u_int)ip->ip_p, ip->ip_dst, inb, + (port << 16) | dport); + + /* + * Has the search wrapped around and come back to the + * start ? + */ + if ((natl != NULL) && + (np->in_pnext != 0) && (st_port == np->in_pnext) && + (np->in_nip != 0) && (st_ip == np->in_nip)) { + KFREE(nat); + return NULL; + } + l++; + } while (natl != NULL); + + if (np->in_space > 0) + np->in_space--; /* Setup the NAT table */ nat->nat_inip = ip->ip_src; nat->nat_outip.s_addr = htonl(in.s_addr); nat->nat_oip = ip->ip_dst; - sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + - (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport); - - sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(port); + sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)) + ntohs(sport); + sum2 = LONG_SUM(in.s_addr) + ntohs(port); if (flags & IPN_TCPUDP) { nat->nat_inport = sport; - nat->nat_outport = port; + nat->nat_outport = port; /* sport */ nat->nat_oport = dport; } } else { - /* * Otherwise, it's an inbound packet. Most likely, we don't * want to rewrite source ports and source addresses. Instead, 
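Review bot: `in.s_addr /= np->in_ippip` in the map-block branch and `l % np->in_ppip` in the auto-portmap branch divide by rule fields that come straight from the SIOCADNAT ioctl, and none of the visible hunks reject a rule whose in_ippip or in_ppip is 0, so such a rule produces a kernel divide-by-zero on the first packet it matches (the later `if (np->in_ppip != 0)` guard protects only the port arithmetic). The cheapest fix belongs in nat_ioctl's SIOCADNAT path (the `@@ -239,24` hunk): `if (((n->in_redir & NAT_MAPBLK) || (n->in_flags & IPN_AUTOPORTMAP)) && (n->in_ippip == 0 || n->in_ppip == 0)) { error = EINVAL; break; }`, remembering to release n on that path. The `#ifndef sparc` around `in.s_addr = ntohl(in.s_addr)` keys an endianness special case on a CPU name; since ntohl is a no-op on big-endian hosts anyway, calling it unconditionally is clearer. The wrap-around test at the bottom only fires when in_pnext is non-zero, so a rule without port mapping relies solely on in_space reaching 0 to end the do/while; a comment at the loop stating that invariant would help. nat_new's body starts before and continues after this hunk.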
@@ -618,14 +871,22 @@ int direction; if (!(nport = np->in_pnext)) nport = dport; + /* + * When the redirect-to address is set to 0.0.0.0, just + * assume a blank `forwarding' of the packet. We don't + * setup any translation for this either. + */ + if ((in.s_addr == 0) && (nport == dport)) { + KFREE(nat); + return NULL; + } + nat->nat_inip.s_addr = htonl(in.s_addr); nat->nat_outip = ip->ip_dst; nat->nat_oip = ip->ip_src; - sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + - (ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport); - - sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport); + sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr)) + ntohs(dport); + sum2 = LONG_SUM(in.s_addr) + ntohs(nport); if (flags & IPN_TCPUDP) { nat->nat_inport = nport; 
@@ -634,42 +895,18 @@ int direction; } } - /* Do it twice */ - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - - /* Do it twice */ - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - - if (sum1 > sum2) - sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ - sumd = sum2 - sum1; - sumd = (sumd & 0xffff) + (sumd >> 16); + CALC_SUMD(sum1, sum2, sumd); nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) { if (direction == NAT_OUTBOUND) - sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + - (ntohl(ip->ip_src.s_addr) >> 16); + sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)); else - sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + - (ntohl(ip->ip_dst.s_addr) >> 16); - - sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16); - - /* Do it twice */ - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - sum1 = (sum1 & 0xffff) + (sum1 >> 16); + sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr)); - /* Do it twice */ - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = LONG_SUM(in.s_addr); - if (sum1 > sum2) - sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ - sumd = sum2 - sum1; - sumd = (sumd & 0xffff) + (sumd >> 16); + CALC_SUMD(sum1, sum2, sumd); nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16); } else nat->nat_ipsumd = nat->nat_sumd; 
@@ -677,19 +914,27 @@ int direction; in.s_addr = htonl(in.s_addr); nat->nat_next = nat_instances; nat_instances = nat; - natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE]; + hv = NAT_HASH_FN(nat->nat_inip.s_addr, ipf_nattable_sz); + natp = &nat_table[0][hv]; nat->nat_hstart[0] = natp; nat->nat_hnext[0] = *natp; *natp = nat; - natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE]; + hv = NAT_HASH_FN(nat->nat_outip.s_addr, ipf_nattable_sz); + natp = &nat_table[1][hv]; nat->nat_hstart[1] = natp; nat->nat_hnext[1] = *natp; *natp = nat; + nat->nat_dir = direction; + nat->nat_ifp = fin->fin_ifp; nat->nat_ptr = np; + nat->nat_p = ip->ip_p; nat->nat_bytes = 0; nat->nat_pkts = 0; - nat->nat_ifp = fin->fin_ifp; - nat->nat_dir = direction; + nat->nat_age = fr_defnatage; + nat->nat_fr = fin->fin_fr; + if (nat->nat_fr != NULL) { + ATOMIC_INC(nat->nat_fr->fr_ref); + } if (direction == NAT_OUTBOUND) { if (flags & IPN_TCPUDP) tcp->th_sport = port; @@ -719,7 +964,7 @@ fr_info_t *fin; * Only a basic IP header (no options) should be with an ICMP error * header. */ - if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t))) + if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN)) return NULL; type = icmp->icmp_type; /* @@ -731,16 +976,20 @@ fr_info_t *fin; return NULL; oip = (ip_t *)((char *)fin->fin_dp + 8); + if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) + return NULL; if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; if (flags & IPN_TCPUDP) { tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); - return nat_inlookup(fin->fin_ifp, flags, oip->ip_dst, - tcp->th_dport, oip->ip_src, tcp->th_sport); + return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, + oip->ip_dst, oip->ip_src, + (tcp->th_sport << 16) | tcp->th_dport); } - return nat_inlookup(fin->fin_ifp, 0, oip->ip_src, 0, oip->ip_dst, 0); + return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, oip->ip_dst, + oip->ip_src, 0); } 
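Review bot: In nat_icmpinlookup, `ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)` promotes the 4-bit ip_hl to int, so an inner header with ip_hl below 5 yields a negative term and the length test gets weaker instead of failing; require a sane header length first, `if ((oip->ip_hl < 5) || (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))) return NULL;`. Reading oip->ip_hl at all presumes the earlier ICMPERR_MINPKTLEN test guarantees the inner IP header is present; I cannot see that constant's definition, so a comment stating that ICMPERR_MINPKTLEN covers outer IP + ICMP + inner IP would make the dependency explicit. In nat_new's tail, the new `ATOMIC_INC(nat->nat_fr->fr_ref)` pairs with the ATOMIC_DEC added to nat_delete in the `@@ -364,17` hunk; a one-line comment at the increment naming that release point would help. Both functions' bodies extend outside this hunk.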
@@ -751,8 +1000,10 @@ fr_info_t *fin; nat_t *nat_icmpin(ip, fin, nflags) ip_t *ip; fr_info_t *fin; -int *nflags; +u_int *nflags; { + u_32_t sum1, sum2, sumd; + struct in_addr in; icmphdr_t *icmp; nat_t *nat; ip_t *oip; @@ -760,10 +1011,9 @@ int *nflags; if (!(nat = nat_icmpinlookup(ip, fin))) return NULL; - *nflags = IPN_ICMPERR; icmp = (icmphdr_t *)fin->fin_dp; - oip = (ip_t *)((char *)icmp + 8); + oip = (ip_t *)&icmp->icmp_ip; if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; else if (oip->ip_p == IPPROTO_UDP) 
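Review bot: The removed `*nflags = IPN_ICMPERR` was the only store through nat_icmpin's nflags out-parameter visible here, yet the same commit widens that parameter to `u_int *`; if nothing later in the body (which continues past this hunk) assigns it, the caller in ip_natin never learns that the match was an ICMP error and the parameter is dead. Either restore the store or say in the header comment what nflags now carries. The new locals `sum1, sum2, sumd` and `in` are hoisted from the old TCP/UDP-only block because the `@@ -777,54` hunk now adjusts the inner IP checksum for every protocol; a comment to that effect at the declarations would explain the move.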
@@ -777,54 +1027,61 @@ int *nflags; * to only modify the checksum once for the port # and twice * for the IP#. */ - if (flags & IPN_TCPUDP) { - tcphdr_t *tcp = (tcphdr_t *)(oip + 1); - u_32_t sum1, sum2, sumd; - struct in_addr in; + if (nat->nat_dir == NAT_OUTBOUND) { + sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); + in = nat->nat_inip; + oip->ip_src = in; + } else { + sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr)); + in = nat->nat_outip; + oip->ip_dst = in; + } - if (nat->nat_dir == NAT_OUTBOUND) { - sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); - in = nat->nat_outip; - oip->ip_src = in; - tcp->th_sport = nat->nat_outport; - } else { - sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr)); - in = nat->nat_inip; - oip->ip_dst = in; - tcp->th_dport = nat->nat_inport; - } + sum2 = LONG_SUM(ntohl(in.s_addr)); - sum2 = LONG_SUM(in.s_addr); + CALC_SUMD(sum1, sum2, sumd); - CALC_SUMD(sum1, sum2, sumd); - sumd = (sumd & 0xffff) + (sumd >> 16); + if (nat->nat_dir == NAT_OUTBOUND) { + fix_incksum(&oip->ip_sum, sumd); - if (nat->nat_dir == NAT_OUTBOUND) { - fix_incksum(&oip->ip_sum, sumd); - fix_incksum(&icmp->icmp_cksum, sumd); - } else { - fix_outcksum(&oip->ip_sum, sumd); - fix_outcksum(&icmp->icmp_cksum, sumd); - } + sumd += (sumd & 0xffff); + while (sumd > 0xffff) + sumd = (sumd & 0xffff) + (sumd >> 16); + fix_outcksum(&icmp->icmp_cksum, sumd); + } else { + fix_outcksum(&oip->ip_sum, sumd); - /* - * TCP checksum doesn't make it into the 1st eight - * bytes but UDP does. - */ - if (ip->ip_p == IPPROTO_UDP) { - udphdr_t *udp = (udphdr_t *)tcp; + sumd += (sumd & 0xffff); + while (sumd > 0xffff) + sumd = (sumd & 0xffff) + (sumd >> 16); + fix_incksum(&icmp->icmp_cksum, sumd); + } - if (udp->uh_sum) { - if (nat->nat_dir == NAT_OUTBOUND) - fix_incksum(&udp->uh_sum, - nat->nat_sumd); - else - fix_outcksum(&udp->uh_sum, - nat->nat_sumd); + + if ((flags & IPN_TCPUDP) != 0) { + tcphdr_t *tcp; + + /* XXX - what if this is bogus hl and we go off the end ? 
*/ + tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); + + if (nat->nat_dir == NAT_OUTBOUND) { + if (tcp->th_sport != nat->nat_inport) { + sum1 = ntohs(tcp->th_sport); + sum2 = ntohs(nat->nat_inport); + CALC_SUMD(sum1, sum2, sumd); + tcp->th_sport = nat->nat_inport; + fix_outcksum(&icmp->icmp_cksum, sumd); + } + } else { + if (tcp->th_dport != nat->nat_outport) { + sum1 = ntohs(tcp->th_dport); + sum2 = ntohs(nat->nat_outport); + CALC_SUMD(sum1, sum2, sumd); + tcp->th_dport = nat->nat_outport; + fix_incksum(&icmp->icmp_cksum, sumd); } } - } else - ip->ip_dst = nat->nat_outip; + } nat->nat_age = fr_defnaticmpage; return nat; } 
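Review bot: The new `/* XXX - what if this is bogus hl and we go off the end ? */` flags an unchecked `oip->ip_hl` before computing tcp, but nat_icmpinlookup, which nat_icmpin calls first and returns NULL without, already rejects packets shorter than ICMPERR_MAXPKTLEN plus the inner options; if that is the intended guard, replace the XXX with `/* inner header length already validated by nat_icmpinlookup */` so the next reader does not re-open the question, and if it is not, add the bound here. Only the first 8 bytes of the inner transport header are guaranteed in an ICMP error, which suffices for th_sport/th_dport but is worth stating beside the cast. The outbound branch applies fix_incksum to oip->ip_sum and fix_outcksum to icmp_cksum while the inbound branch does the reverse, and sumd is doubled in between; a sentence explaining why the two checksums move in opposite directions (presumably because the address is counted once in the inner header and once in the ICMP payload) would make this far easier to audit. nat_icmpin's head is outside this hunk.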
@@ -840,29 +1097,35 @@ int *nflags; * we're looking for a table entry, based on the destination address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -#ifdef __STDC__ -nat_t *nat_inlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr mapdst, u_short mapdport) -#else -nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport) +nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports) void *ifp; -register int flags; +register u_int flags, p; struct in_addr src , mapdst; -u_short sport, mapdport; -#endif +u_32_t ports; { + register u_short sport, mapdport; register nat_t *nat; + register int nflags; + u_int hv; + mapdport = ports >> 16; + sport = ports & 0xffff; flags &= IPN_TCPUDP; - nat = nat_table[1][mapdst.s_addr % NAT_SIZE]; - for (; nat; nat = nat->nat_hnext[1]) + hv = NAT_HASH_FN(mapdst.s_addr, ipf_nattable_sz); + nat = nat_table[1][hv]; + for (; nat; nat = nat->nat_hnext[1]) { + nflags = nat->nat_flags; if ((!ifp || ifp == nat->nat_ifp) && nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == mapdst.s_addr && - flags == nat->nat_flags && (!flags || - (nat->nat_oport == sport && - nat->nat_outport == mapdport))) + (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP))) + || (p == nat->nat_p)) && (!flags || + (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) && + ((nat->nat_outport == mapdport) || + (nflags & FI_W_SPORT))))) return nat; + } return NULL; } 
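Review bot: The new `u_32_t ports` parameter of nat_inlookup folds two ports into one word but the header comment does not say how: here `mapdport = ports >> 16; sport = ports & 0xffff`, whereas nat_outlookup in the `@@ -873,27` hunk unpacks `sport = ports & 0xffff; dport = ports >> 16`, and callers build `(dport << 16) | sport` for the latter and `(port << 16) | dport` for this function. Add to each function's comment a line such as `ports: mapped destination port in the upper 16 bits, source port in the lower 16, both in network byte order` (adjusted for nat_outlookup). The loop also tests FI_W_DPORT/FI_W_SPORT bits in nat_flags, a field that otherwise holds IPN_* values; a comment stating that the two bit namespaces are deliberately shared, or a compile-time check that they do not overlap, would prevent a silent collision later.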
@@ -873,27 +1136,33 @@ u_short sport, mapdport; * we're looking for a table entry, based on the source address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -#ifdef __STDC__ -nat_t *nat_outlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr dst, u_short dport) -#else -nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport) +nat_t *nat_outlookup(ifp, flags, p, src, dst, ports) void *ifp; -register int flags; +register u_int flags, p; struct in_addr src , dst; -u_short sport, dport; -#endif +u_32_t ports; { + register u_short sport, dport; register nat_t *nat; + register int nflags; + u_int hv; + sport = ports & 0xffff; + dport = ports >> 16; flags &= IPN_TCPUDP; - nat = nat_table[0][src.s_addr % NAT_SIZE]; + hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz); + nat = nat_table[0][hv]; for (; nat; nat = nat->nat_hnext[0]) { + nflags = nat->nat_flags; + if ((!ifp || ifp == nat->nat_ifp) && nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && - flags == nat->nat_flags && (!flags || - (nat->nat_inport == sport && nat->nat_oport == dport))) + (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP))) + || (p == nat->nat_p)) && (!flags || + ((nat->nat_inport == sport || nflags & FI_W_SPORT) && + (nat->nat_oport == dport || nflags & FI_W_DPORT)))) return nat; } return NULL; 
@@ -901,33 +1170,30 @@ u_short sport, dport; /* - * Lookup a nat entry based on the mapped source ip address/port and - * real destination address/port. We use this lookup when sending a packet - * out, we're looking for a table entry, based on the source address. + * check if an ip address has already been allocated for a given mapping that + * is not doing port based translation. */ -#ifdef __STDC__ -nat_t *nat_lookupmapip(void *ifp, int flags, struct in_addr mapsrc, u_short mapsport, struct in_addr dst, u_short dport) -#else -nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport) +nat_t *nat_maplookup(ifp, flags, src, dst) void *ifp; -register int flags; -struct in_addr mapsrc , dst; -u_short mapsport, dport; -#endif +register u_int flags; +struct in_addr src , dst; { register nat_t *nat; + register int oflags; + u_int hv; - flags &= IPN_TCPUDP; + hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz); + nat = nat_table[0][hv]; + for (; nat; nat = nat->nat_hnext[0]) { + oflags = (flags & IPN_TCPUDP) & nat->nat_ptr->in_flags; + if (oflags != 0) + continue; - nat = nat_table[1][mapsrc.s_addr % NAT_SIZE]; - for (; nat; nat = nat->nat_hnext[0]) if ((!ifp || ifp == nat->nat_ifp) && - nat->nat_oip.s_addr == dst.s_addr && - nat->nat_outip.s_addr == mapsrc.s_addr && - flags == nat->nat_flags && (!flags || - (nat->nat_outport == mapsport && - nat->nat_oport == dport))) + nat->nat_inip.s_addr == src.s_addr && + nat->nat_oip.s_addr == dst.s_addr) return nat; + } return NULL; } 
@@ -938,15 +1204,16 @@ u_short mapsport, dport; nat_t *nat_lookupredir(np) register natlookup_t *np; { + u_32_t ports; nat_t *nat; + ports = (np->nl_outport << 16) | np->nl_inport; /* * If nl_inip is non null, this is a lookup based on the real * ip address. Else, we use the fake. */ - if ((nat = nat_outlookup(NULL, np->nl_flags, np->nl_inip, - np->nl_inport, np->nl_outip, - np->nl_outport))) { + if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip, + np->nl_outip, ports))) { np->nl_realip = nat->nat_outip; np->nl_realport = nat->nat_outport; } @@ -958,19 +1225,24 @@ register natlookup_t *np; * Packets going out on the external interface go through this. * Here, the source address requires alteration, if anything. */ -int ip_natout(ip, hlen, fin) +int ip_natout(ip, fin) ip_t *ip; -int hlen; fr_info_t *fin; { - register ipnat_t *np; + register ipnat_t *np = NULL; register u_32_t ipa; tcphdr_t *tcp = NULL; u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; + int natadd = 1; frentry_t *fr; + u_int hv, msk; + u_32_t iph; nat_t *nat; - int natadd = 1; + int i; + + if (nat_list == NULL) + return 0; if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) @@ -978,12 +1250,12 @@ fr_info_t *fin; else ifp = fin->fin_ifp; - if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { + if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { if (ip->ip_p == IPPROTO_TCP) nflags = IPN_TCP; else if (ip->ip_p == IPPROTO_UDP) nflags = IPN_UDP; - if (nflags) { + if ((nflags & IPN_TCPUDP)) { tcp = (tcphdr_t *)fin->fin_dp; sport = tcp->th_sport; dport = tcp->th_dport; 
@@ -992,25 +1264,46 @@ fr_info_t *fin; ipa = ip->ip_src.s_addr; - MUTEX_ENTER(&ipf_nat); + READ_ENTER(&ipf_nat); if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; - else if ((nat = nat_outlookup(ifp, nflags, ip->ip_src, sport, - ip->ip_dst, dport))) - ; - else + else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src, + ip->ip_dst, (dport << 16) | sport))) { + nflags = nat->nat_flags; + if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) { + if ((nflags & FI_W_SPORT) && + (nat->nat_inport != sport)) + nat->nat_inport = sport; + else if ((nflags & FI_W_DPORT) && + (nat->nat_oport != dport)) + nat->nat_oport = dport; + if (nat->nat_outport == 0) + nat->nat_outport = sport; + nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT); + nflags = nat->nat_flags; + } + } else { + RWLOCK_EXIT(&ipf_nat); + WRITE_ENTER(&ipf_nat); /* * If there is no current entry in the nat table for this IP#, * create one for it (if there is a matching rule). */ - for (np = nat_list; np; np = np->in_next) + msk = 0xffffffff; + i = 32; +maskloop: + iph = ipa & htonl(msk); + hv = NAT_HASH_FN(iph, ipf_natrules_sz); + for (np = nat_rules[hv]; np; np = np->in_mnext) + { if ((np->in_ifp == ifp) && np->in_space && - (!np->in_flags || (np->in_flags & nflags)) && + (!(np->in_flags & IPN_RF) || + (np->in_flags & nflags)) && ((ipa & np->in_inmsk) == np->in_inip) && - ((np->in_redir & NAT_MAP) || + ((np->in_redir & (NAT_MAP|NAT_MAPBLK)) || (np->in_pnext == sport))) { - if (*np->in_plabel && !ap_ok(ip, tcp, np)) + if (*np->in_plabel && !appr_ok(ip, tcp, np)) continue; /* * If it's a redirection, then we don't want to 
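Review bot: Between `RWLOCK_EXIT(&ipf_nat)` and `WRITE_ENTER(&ipf_nat)` another CPU can create the entry this packet just failed to find, and the write-side code that follows goes straight to the rule walk without repeating the lookup, so two nat_t records for one flow can be created and hashed. Repeat `nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src, ip->ip_dst, (dport << 16) | sport);` immediately after WRITE_ENTER and skip the rule walk when it returns non-NULL. The wildcard-port branch above it assigns nat_inport/nat_oport/nat_outport and clears bits in nat_flags while holding only the read side taken by READ_ENTER, which races with other readers of the same entry; those stores need the write lock or the ipf_rw mutex the stats updates use. The `@@ -1100,127` hunk opens ip_natin with the same two patterns. ip_natout's body continues past this hunk.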
@@ -1018,80 +1311,100 @@ fr_info_t *fin; * Redirections are only for incoming * connections. */ - if (!(np->in_redir & NAT_MAP)) + if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK))) continue; - if ((nat = nat_new(np, ip, fin, nflags, - NAT_OUTBOUND))) + if ((nat = nat_new(np, ip, fin, (u_int)nflags, + NAT_OUTBOUND))) { + np->in_hits++; #ifdef IPFILTER_LOG - nat_log(nat, (u_short)np->in_redir); -#else - ; + nat_log(nat, (u_int)np->in_redir); #endif - break; + break; + } } + } + if ((np == NULL) && (i > 0)) { + do { + i--; + msk <<= 1; + } while ((i >= 0) && ((nat_masks & (1 << i)) == 0)); + if (i >= 0) + goto maskloop; + } + MUTEX_DOWNGRADE(&ipf_nat); + } if (nat) { - if (natadd && fin->fin_fi.fi_fl & FI_FRAG) - ipfr_nat_newfrag(ip, fin, 0, nat); - nat->nat_age = fr_defnatage; - ip->ip_src = nat->nat_outip; - nat->nat_bytes += ip->ip_len; - nat->nat_pkts++; + np = nat->nat_ptr; + if (natadd && fin->fin_fi.fi_fl & FI_FRAG) + ipfr_nat_newfrag(ip, fin, 0, nat); + ip->ip_src = nat->nat_outip; + MUTEX_ENTER(&ipf_rw); + nat->nat_age = fr_defnatage; + nat->nat_bytes += ip->ip_len; + nat->nat_pkts++; + MUTEX_EXIT(&ipf_rw); - /* - * Fix up checksums, not by recalculating them, but - * simply computing adjustments. - */ + /* + * Fix up checksums, not by recalculating them, but + * simply computing adjustments. 
+ */ #if SOLARIS || defined(__sgi) - if (nat->nat_dir == NAT_OUTBOUND) - fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); - else - fix_incksum(&ip->ip_sum, nat->nat_ipsumd); + if (nat->nat_dir == NAT_OUTBOUND) + fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); + else + fix_incksum(&ip->ip_sum, nat->nat_ipsumd); #endif - if (nflags && !(ip->ip_off & 0x1fff) && - !(fin->fin_fi.fi_fl & FI_SHORT)) { - - if (nat->nat_outport) - tcp->th_sport = nat->nat_outport; - - if (ip->ip_p == IPPROTO_TCP) { - csump = &tcp->th_sum; - fr_tcp_age(&nat->nat_age, - nat->nat_state, ip, fin,1); - /* - * Increase this because we may have - * "keep state" following this too and - * packet storms can occur if this is - * removed too quickly. - */ - if (nat->nat_age == fr_tcpclosed) - nat->nat_age = fr_tcplastack; - } else if (ip->ip_p == IPPROTO_UDP) { - udphdr_t *udp = (udphdr_t *)tcp; - - if (udp->uh_sum) - csump = &udp->uh_sum; - } else if (ip->ip_p == IPPROTO_ICMP) { - icmphdr_t *ic = (icmphdr_t *)tcp; - - csump = &ic->icmp_cksum; - } - if (csump) { - if (nat->nat_dir == NAT_OUTBOUND) - fix_outcksum(csump, - nat->nat_sumd); - else - fix_incksum(csump, - nat->nat_sumd); - } + if (!(ip->ip_off & IP_OFFMASK) && + !(fin->fin_fi.fi_fl & FI_SHORT)) { + + if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) { + tcp->th_sport = nat->nat_outport; + fin->fin_data[0] = ntohs(tcp->th_sport); + } + + if (ip->ip_p == IPPROTO_TCP) { + csump = &tcp->th_sum; + MUTEX_ENTER(&ipf_rw); + fr_tcp_age(&nat->nat_age, + nat->nat_tcpstate, ip, fin, 1); + if (nat->nat_age < fr_defnaticmpage) + nat->nat_age = fr_defnaticmpage; +#ifdef LARGE_NAT + else if (nat->nat_age > DEF_NAT_AGE) + nat->nat_age = DEF_NAT_AGE; +#endif + /* + * Increase this because we may have + * "keep state" following this too and + * packet storms can occur if this is + * removed too quickly. 
+ */ + if (nat->nat_age == fr_tcpclosed) + nat->nat_age = fr_tcplastack; + MUTEX_EXIT(&ipf_rw); + } else if (ip->ip_p == IPPROTO_UDP) { + udphdr_t *udp = (udphdr_t *)tcp; + + if (udp->uh_sum) + csump = &udp->uh_sum; + } + if (csump) { + if (nat->nat_dir == NAT_OUTBOUND) + fix_outcksum(csump, nat->nat_sumd); + else + fix_incksum(csump, nat->nat_sumd); } - (void) ap_check(ip, tcp, fin, nat); - nat_stats.ns_mapped[1]++; - MUTEX_EXIT(&ipf_nat); - return -2; } - MUTEX_EXIT(&ipf_nat); + if ((np->in_apr != NULL) && (np->in_dport == 0 || + (tcp != NULL && dport == np->in_dport))) + (void) appr_check(ip, fin, nat); + ATOMIC_INC(nat_stats.ns_mapped[1]); + RWLOCK_EXIT(&ipf_nat); /* READ */ + return 1; + } + RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ return 0; } 
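Review bot: The `maskloop:` label and the `i`/`msk` walk that feeds it carry no comment, and the meaning of nat_masks is only recoverable from the countbits calls in nat_ioctl; document it at the label, e.g. `/* Retry the rule hash under progressively shorter prefixes: bit k of nat_masks is set when some rule has a /k in_inmsk; /32 is always tried first */`. After `np = nat->nat_ptr;` the code dereferences `np->in_apr` and `np->in_dport`; nat_new always sets nat_ptr, and SIOCRMNAT keeps an in-use rule alive under IPN_DELETE, so this holds today, but a comment at the assignment recording that invariant is what a future change to rule deletion will need. The `if (nat->nat_age < fr_defnaticmpage)` clamp after fr_tcp_age is new behaviour with no explanation; state why a NAT entry must outlive the ICMP age. ip_natout's head is outside this hunk.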
@@ -1100,127 +1413,172 @@ fr_info_t *fin; * Packets coming in from the external interface go through this. * Here, the destination address requires alteration, if anything. */ -int ip_natin(ip, hlen, fin) +int ip_natin(ip, fin) ip_t *ip; -int hlen; fr_info_t *fin; { - register ipnat_t *np; + register struct in_addr src; register struct in_addr in; + register ipnat_t *np; + u_int nflags = 0, natadd = 1, hv, msk; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; u_short sport = 0, dport = 0, *csump = NULL; nat_t *nat; - int nflags = 0, natadd = 1; + u_32_t iph; + int i; + + if (nat_list == NULL) + return 0; - if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { + if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { if (ip->ip_p == IPPROTO_TCP) nflags = IPN_TCP; else if (ip->ip_p == IPPROTO_UDP) nflags = IPN_UDP; - if (nflags) { - tcp = (tcphdr_t *)((char *)ip + hlen); + if ((nflags & IPN_TCPUDP)) { + tcp = (tcphdr_t *)fin->fin_dp; dport = tcp->th_dport; sport = tcp->th_sport; } } in = ip->ip_dst; + /* make sure the source address is to be redirected */ + src = ip->ip_src; - MUTEX_ENTER(&ipf_nat); + READ_ENTER(&ipf_nat); if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags))) ; else if ((ip->ip_off & IP_OFFMASK) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; - else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport, - ip->ip_dst, dport))) - ; - else + else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p, + ip->ip_src, in, (dport << 16) | sport))) { + nflags = nat->nat_flags; + if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) { + if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT)) + nat->nat_oport = sport; + else if ((nat->nat_outport != dport) && + (nflags & FI_W_SPORT)) + nat->nat_outport = dport; + nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT); + nflags = nat->nat_flags; + } + } else { + RWLOCK_EXIT(&ipf_nat); + WRITE_ENTER(&ipf_nat); /* * If there is no current entry in the nat table for 
this IP#, * create one for it (if there is a matching rule). */ - for (np = nat_list; np; np = np->in_next) + msk = 0xffffffff; + i = 32; +maskloop: + iph = in.s_addr & htonl(msk); + hv = NAT_HASH_FN(iph, ipf_rdrrules_sz); + for (np = rdr_rules[hv]; np; np = np->in_rnext) if ((np->in_ifp == ifp) && (!np->in_flags || (nflags & np->in_flags)) && ((in.s_addr & np->in_outmsk) == np->in_outip) && + ((src.s_addr & np->in_srcmsk) == np->in_srcip) && (np->in_redir & NAT_REDIRECT) && (!np->in_pmin || np->in_pmin == dport)) { if ((nat = nat_new(np, ip, fin, nflags, - NAT_INBOUND))) + NAT_INBOUND))) { + np->in_hits++; #ifdef IPFILTER_LOG - nat_log(nat, (u_short)np->in_redir); -#else - ; + nat_log(nat, (u_int)np->in_redir); #endif - break; + break; + } } + if ((np == NULL) && (i > 0)) { + do { + i--; + msk <<= 1; + } while ((i >= 0) && ((rdr_masks & (1 << i)) == 0)); + if (i >= 0) + goto maskloop; + } + MUTEX_DOWNGRADE(&ipf_nat); + } if (nat) { - if (natadd && fin->fin_fi.fi_fl & FI_FRAG) - ipfr_nat_newfrag(ip, fin, 0, nat); - (void) ap_check(ip, tcp, fin, nat); - - if (nflags != IPN_ICMPERR) - nat->nat_age = fr_defnatage; + np = nat->nat_ptr; + fin->fin_fr = nat->nat_fr; + if (natadd && fin->fin_fi.fi_fl & FI_FRAG) + ipfr_nat_newfrag(ip, fin, 0, nat); + if ((np->in_apr != NULL) && (np->in_dport == 0 || + (tcp != NULL && sport == np->in_dport))) + (void) appr_check(ip, fin, nat); + + MUTEX_ENTER(&ipf_rw); + if (nflags != IPN_ICMPERR) + nat->nat_age = fr_defnatage; - ip->ip_dst = nat->nat_inip; - nat->nat_bytes += ip->ip_len; - nat->nat_pkts++; + nat->nat_bytes += ip->ip_len; + nat->nat_pkts++; + MUTEX_EXIT(&ipf_rw); + ip->ip_dst = nat->nat_inip; + fin->fin_fi.fi_dst = nat->nat_inip; - /* - * Fix up checksums, not by recalculating them, but - * simply computing adjustments. - */ + /* + * Fix up checksums, not by recalculating them, but + * simply computing adjustments. 
+ */ #if SOLARIS || defined(__sgi) - if (nat->nat_dir == NAT_OUTBOUND) - fix_incksum(&ip->ip_sum, nat->nat_ipsumd); - else - fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); + if (nat->nat_dir == NAT_OUTBOUND) + fix_incksum(&ip->ip_sum, nat->nat_ipsumd); + else + fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); #endif - if ((nflags & IPN_TCPUDP) && !(ip->ip_off & 0x1fff) && - !(fin->fin_fi.fi_fl & FI_SHORT)) { - - if (nat->nat_inport) - tcp->th_dport = nat->nat_inport; - - if (ip->ip_p == IPPROTO_TCP) { - csump = &tcp->th_sum; - fr_tcp_age(&nat->nat_age, - nat->nat_state, ip, fin,0); - /* - * Increase this because we may have - * "keep state" following this too and - * packet storms can occur if this is - * removed too quickly. - */ - if (nat->nat_age == fr_tcpclosed) - nat->nat_age = fr_tcplastack; - } else if (ip->ip_p == IPPROTO_UDP) { - udphdr_t *udp = (udphdr_t *)tcp; - - if (udp->uh_sum) - csump = &udp->uh_sum; - } else if (ip->ip_p == IPPROTO_ICMP) { - icmphdr_t *ic = (icmphdr_t *)tcp; - - csump = &ic->icmp_cksum; - } - if (csump) { - if (nat->nat_dir == NAT_OUTBOUND) - fix_incksum(csump, - nat->nat_sumd); - else - fix_outcksum(csump, - nat->nat_sumd); - } + if (!(ip->ip_off & IP_OFFMASK) && + !(fin->fin_fi.fi_fl & FI_SHORT)) { + + if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) { + tcp->th_dport = nat->nat_inport; + fin->fin_data[1] = ntohs(tcp->th_dport); + } + + if (ip->ip_p == IPPROTO_TCP) { + csump = &tcp->th_sum; + MUTEX_ENTER(&ipf_rw); + fr_tcp_age(&nat->nat_age, + nat->nat_tcpstate, ip, fin, 0); + if (nat->nat_age < fr_defnaticmpage) + nat->nat_age = fr_defnaticmpage; +#ifdef LARGE_NAT + else if (nat->nat_age > DEF_NAT_AGE) + nat->nat_age = DEF_NAT_AGE; +#endif + /* + * Increase this because we may have + * "keep state" following this too and + * packet storms can occur if this is + * removed too quickly. 
+ */ + if (nat->nat_age == fr_tcpclosed) + nat->nat_age = fr_tcplastack; + MUTEX_EXIT(&ipf_rw); + } else if (ip->ip_p == IPPROTO_UDP) { + udphdr_t *udp = (udphdr_t *)tcp; + + if (udp->uh_sum) + csump = &udp->uh_sum; + } + if (csump) { + if (nat->nat_dir == NAT_OUTBOUND) + fix_incksum(csump, nat->nat_sumd); + else + fix_outcksum(csump, nat->nat_sumd); } - nat_stats.ns_mapped[0]++; - MUTEX_EXIT(&ipf_nat); - return -2; } - MUTEX_EXIT(&ipf_nat); + ATOMIC_INC(nat_stats.ns_mapped[0]); + RWLOCK_EXIT(&ipf_nat); /* READ */ + return 1; + } + RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ return 0; } @@ -1230,11 +1588,27 @@ fr_info_t *fin; */ void ip_natunload() { - MUTEX_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_nat); (void) nat_clearlist(); (void) nat_flushtable(); - (void) ap_unload(); - MUTEX_EXIT(&ipf_nat); + RWLOCK_EXIT(&ipf_nat); + + if (nat_table[0] != NULL) { + KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz); + nat_table[0] = NULL; + } + if (nat_table[1] != NULL) { + KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz); + nat_table[1] = NULL; + } + if (nat_rules != NULL) { + KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz); + nat_rules = NULL; + } + if (rdr_rules != NULL) { + KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz); + rdr_rules = NULL; + } } @@ -1250,9 +1624,10 @@ void ip_natexpire() #endif SPL_NET(s); - MUTEX_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_nat); for (natp = &nat_instances; (nat = *natp); ) { - if (--nat->nat_age) { + nat->nat_age--; + if (nat->nat_age) { natp = &nat->nat_next; continue; } 
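Review bot: In the `if (nat)` block of ip_natin, `np = nat->nat_ptr;` is followed by `np->in_apr` with no NULL test, while nat_log in the `@@ -1353,17` hunk keeps `if (nat->nat_ptr != NULL)`; either that guard is redundant or a session whose rule pointer can be cleared (if rules may be removed while their sessions remain) faults here, and the ip_natout hunk above has the same `np->in_apr` shape. The wildcard-port fix-up (`nat->nat_oport = sport;`, `nat->nat_outport = dport;`, `nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT);`) mutates the entry while only the read side of ipf_nat is held, so two concurrent lookups on an SMP kernel can race on it unless something not visible here serialises them. In the mask loop, `rdr_masks & (1 << i)` shifts a signed 1 by up to 31, which is undefined in C; `1U << i` is the portable form.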
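Review bot: The four KFREES calls in ip_natunload run after `RWLOCK_EXIT(&ipf_nat);`, so the hash tables are released with no lock held; if ip_natexpire (which takes WRITE_ENTER on the same lock) or the packet paths can still run at that point they touch freed memory. Either free the tables inside the write section or state in a comment that the caller guarantees the filter is already detached from the timer and the input/output hooks. The sizes ipf_nattable_sz, ipf_natrules_sz and ipf_rdrrules_sz are left as they were, which is fine only if nat_init always resets them before the tables are reused.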
@@ -1263,79 +1638,69 @@ void ip_natexpire() nat_delete(nat); nat_stats.ns_expire++; } - - ap_expire(); - - MUTEX_EXIT(&ipf_nat); + RWLOCK_EXIT(&ipf_nat); SPL_X(s); } /* */ -#ifdef __STDC__ -void ip_natsync(void *ifp) -#else void ip_natsync(ifp) void *ifp; -#endif { + register ipnat_t *n; register nat_t *nat; register u_32_t sum1, sum2, sumd; struct in_addr in; ipnat_t *np; + void *ifp2; #if defined(_KERNEL) && !SOLARIS int s; #endif + /* + * Change IP addresses for NAT sessions for any protocol except TCP + * since it will break the TCP connection anyway. + */ SPL_NET(s); - MUTEX_ENTER(&ipf_nat); + WRITE_ENTER(&ipf_nat); for (nat = nat_instances; nat; nat = nat->nat_next) - if ((ifp == nat->nat_ifp) && (np = nat->nat_ptr)) - if ((np->in_outmsk == 0xffffffff) && !np->in_nip) { - /* - * Change the map-to address to be the same - * as the new one. - */ - sum1 = nat->nat_outip.s_addr; - if (nat_ifpaddr(nat, ifp, &in) == -1) + if (((ifp == NULL) || (ifp == nat->nat_ifp)) && + !(nat->nat_flags & IPN_TCP) && (np = nat->nat_ptr) && + (np->in_outmsk == 0xffffffff) && !np->in_nip) { + ifp2 = nat->nat_ifp; + /* + * Change the map-to address to be the same as the + * new one. + */ + sum1 = nat->nat_outip.s_addr; + if (fr_ifpaddr(ifp2, &in) != -1) nat->nat_outip.s_addr = htonl(in.s_addr); - sum2 = nat->nat_outip.s_addr; + sum2 = nat->nat_outip.s_addr; - /* - * Readjust the checksum adjustment to take - * into account the new IP#. 
- * - * Do it twice - */ - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - - /* Do it twice */ - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - - /* Because ~1 == -2, We really need ~1 == -1 */ - if (sum1 > sum2) - sum2--; - sumd = sum2 - sum1; - sumd = (sumd & 0xffff) + (sumd >> 16); - sumd += nat->nat_sumd; - nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); - } - MUTEX_EXIT(&ipf_nat); + if (sum1 == sum2) + continue; + /* + * Readjust the checksum adjustment to take into + * account the new IP#. + */ + CALC_SUMD(sum1, sum2, sumd); + sumd += nat->nat_sumd; + nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); + } + + for (n = nat_list; (n != NULL); n = n->in_next) + if (n->in_ifp == ifp) + n->in_ifp = (void *)GETUNIT(n->in_ifname); + RWLOCK_EXIT(&ipf_nat); SPL_X(s); } #ifdef IPFILTER_LOG -# ifdef __STDC__ -void nat_log(struct nat *nat, u_short type) -# else void nat_log(nat, type) struct nat *nat; -u_short type; -# endif +u_int type; { struct ipnat *np; struct natlog natl; @@ -1353,17 +1718,19 @@ u_short type; natl.nl_outport = nat->nat_outport; natl.nl_type = type; natl.nl_rule = -1; - if (nat->nat_ptr) { +#ifndef LARGE_NAT + if (nat->nat_ptr != NULL) { for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++) if (np == nat->nat_ptr) { natl.nl_rule = rulen; break; } } +#endif items[0] = &natl; sizes[0] = sizeof(natl); types[0] = 0; - (void) ipllog(IPL_LOGNAT, 0, items, sizes, types, 1); + (void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1); } #endif diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index 49f5d50..137f3d6 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h 
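Review bot: ip_natsync folds the recomputed address delta only into `nat->nat_sumd`, but `nat->nat_ipsumd` — which ip_natin and the outbound path apply to `ip->ip_sum` under `#if SOLARIS || defined(__sgi)` — keeps the delta for the old address, so the IP header checksum adjustment for a re-addressed session goes stale on those platforms (assuming nat_ipsumd is, like nat_sumd, derived from the address pair at session creation). Apply the same delta to both after the CALC_SUMD line, e.g. `CALC_SUMD(sum1, sum2, sumd);` then `nat->nat_sumd = LONG_SUM(sumd + nat->nat_sumd);` and `nat->nat_ipsumd = LONG_SUM(sumd + nat->nat_ipsumd);`, using the LONG_SUM macro this commit adds to ip_nat.h. The function still carries an empty `/* */` header; the new in-body comment ("Change IP addresses for NAT sessions for any protocol except TCP ...") belongs there, together with a note that `ifp == NULL` means "every interface".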
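Review bot: Under LARGE_NAT the `#ifndef LARGE_NAT` block in nat_log is compiled out and `natl.nl_rule` stays -1 for every record, so log consumers silently lose rule attribution; a comment at the `#ifndef` should say so, e.g. `/* LARGE_NAT: skip the O(rules) walk of nat_list; nl_rule is reported as -1 */`. With that block removed, `np` and `rulen` (the latter declared outside the hunk) become unused locals, which a -Werror build rejects; put their declarations under the same conditional. nat_log's body begins outside this hunk.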
@@ -1,12 +1,12 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $ + * $Id: ip_nat.h,v 2.1.2.1 1999/08/14 04:47:54 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -36,28 +36,50 @@ #define SIOCCNATL _IOWR(r, 87, int) #endif -#define NAT_SIZE 367 +#undef LARGE_NAT /* define this if you're setting up a system to NAT + * LARGE numbers of networks/hosts - i.e. in the + * hundreds or thousands. In such a case, you should + * also change the RDR_SIZE and NAT_SIZE below to more + * appropriate sizes. The figures below were used for + * a setup with 1000-2000 networks to NAT. + */ +#define NAT_SIZE 127 +#define RDR_SIZE 127 +#define NAT_TABLE_SZ 127 +#ifdef LARGE_NAT +#undef NAT_SIZE +#undef RDR_SIZE +#undef NAT_TABLE_SZ +#define NAT_SIZE 2047 +#define RDR_SIZE 2047 +#define NAT_TABLE_SZ 16383 +#endif #ifndef APR_LABELLEN #define APR_LABELLEN 16 #endif +#define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */ + typedef struct nat { u_long nat_age; int nat_flags; u_32_t nat_sumd; u_32_t nat_ipsumd; void *nat_data; + void *nat_aps; /* proxy session */ + frentry_t *nat_fr; /* filter rule ptr if appropriate */ struct in_addr nat_inip; struct in_addr nat_outip; struct in_addr nat_oip; /* other ip */ U_QUAD_T nat_pkts; U_QUAD_T nat_bytes; - u_short nat_oport; /* other port */ + u_short nat_oport; /* other port */ u_short nat_inport; u_short nat_outport; u_short nat_use; - u_char nat_state[2]; - struct ipnat *nat_ptr; + u_char nat_tcpstate[2]; + u_char nat_p; /* protocol for NAT */ + struct ipnat *nat_ptr; /* pointer back to the rule */ struct nat *nat_next; struct nat *nat_hnext[2]; struct nat **nat_hstart[2]; 
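Review bot: `#undef LARGE_NAT` at the top of the `@@ -36,28` hunk discards any `-DLARGE_NAT` the build passes, so the LARGE_NAT blocks in ip_nat.c (the age clamp in ip_natin, the `#ifndef LARGE_NAT` in nat_log) can only be enabled by editing this header; if that is not intended, drop the `#undef` and keep only the comment, e.g. `/* Define LARGE_NAT (e.g. -DLARGE_NAT) when NATing hundreds or thousands of networks; also raise NAT_SIZE/RDR_SIZE/NAT_TABLE_SZ below. */`. The comment `DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */` is only consistent if one tick is half a second; state the unit explicitly (`/* 10 minutes, in half-second ticks */`) or confirm it against fr_defnatage. The LARGE_NAT sizes 2047 (23·89) and 16383 (3·43·127) are not prime, unlike the default 127; since NAT_HASH_FN uses the size as a modulus, prime sizes reduce clustering.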
@@ -67,16 +89,22 @@ typedef struct nat { typedef struct ipnat { struct ipnat *in_next; + struct ipnat *in_rnext; + struct ipnat *in_mnext; void *in_ifp; void *in_apr; - u_int in_space; + u_long in_space; u_int in_use; + u_int in_hits; struct in_addr in_nextip; u_short in_pnext; - u_short in_flags; - u_short in_port[2]; + u_short in_ppip; /* ports per IP */ + u_short in_ippip; /* IP #'s per IP# */ + u_short in_flags; /* From here to in_dport must be reflected */ + u_short in_port[2]; /* correctly in IPN_CMPSIZ */ struct in_addr in_in[2]; struct in_addr in_out[2]; + struct in_addr in_src[2]; int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */ char in_ifname[IFNAMSIZ]; char in_plabel[APR_LABELLEN]; /* proxy label */ @@ -91,6 +119,8 @@ typedef struct ipnat { #define in_inmsk in_in[1].s_addr #define in_outip in_out[0].s_addr #define in_outmsk in_out[1].s_addr +#define in_srcip in_src[0].s_addr +#define in_srcmsk in_src[1].s_addr #define NAT_OUTBOUND 0 #define NAT_INBOUND 1 @@ -98,9 +128,12 @@ typedef struct ipnat { #define NAT_MAP 0x01 #define NAT_REDIRECT 0x02 #define NAT_BIMAP (NAT_MAP|NAT_REDIRECT) +#define NAT_MAPBLK 0x04 + +#define MAPBLK_MINPORT 1024 /* don't use reserved ports for src port */ +#define USABLE_PORTS (65536 - MAPBLK_MINPORT) -#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \ - sizeof(int) + IFNAMSIZ + APR_LABELLEN + sizeof(char)) +#define IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_flags)) typedef struct natlookup { struct in_addr nl_inip; 
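Review bot: The new `IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_flags))` in the `@@ -98,9` hunk covers every byte from in_flags to the end of the struct, but the comment added on in_flags in the `@@ -67,16` hunk says the compared span runs only `to in_dport`; one of the two is wrong, and if the members after in_dport (in_redir, in_ifname, in_plabel and whatever follows outside the hunk) include kernel-maintained state, rule comparisons will never match. `offsetof` needs `<stddef.h>` or a kernel equivalent in every file that expands IPN_CMPSIZ. If the comparison is a byte compare, padding inside the span has to be zeroed by whoever copies a rule in from userland — worth a sentence next to the macro.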
@@ -122,14 +155,23 @@ typedef struct natstat { u_long ns_logfail; nat_t **ns_table[2]; ipnat_t *ns_list; + void *ns_apslist; + u_int ns_nattab_sz; + u_int ns_rultab_sz; + u_int ns_rdrtab_sz; + nat_t *ns_instances; } natstat_t; #define IPN_ANY 0x00 #define IPN_TCP 0x01 #define IPN_UDP 0x02 -#define IPN_TCPUDP 0x03 +#define IPN_TCPUDP (IPN_TCP|IPN_UDP) #define IPN_DELETE 0x04 #define IPN_ICMPERR 0x08 +#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR) +#define IPN_AUTOPORTMAP 0x10 +#define IPN_RANGE 0x20 +#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_RANGE) typedef struct natlog { 
@@ -150,31 +192,54 @@ typedef struct natlog { #define NL_NEWRDR NAT_REDIRECT #define NL_EXPIRE 0xffff +#define NAT_HASH_FN(k,m) (((k) + ((k) >> 12)) % (m)) + +#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16)) + +#define CALC_SUMD(s1, s2, sd) { \ + (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ + (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ + /* Do it twice */ \ + (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ + (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ + /* Because ~1 == -2, We really need ~1 == -1 */ \ + if ((s1) > (s2)) (s2)--; \ + (sd) = (s2) - (s1); \ + (sd) = ((sd) & 0xffff) + ((sd) >> 16); } + +extern u_int ipf_nattable_sz; +extern u_int ipf_natrules_sz; +extern u_int ipf_rdrrules_sz; extern void ip_natsync __P((void *)); extern u_long fr_defnatage; extern u_long fr_defnaticmpage; -extern nat_t *nat_table[2][NAT_SIZE]; +extern nat_t **nat_table[2]; +extern nat_t *nat_instances; +extern ipnat_t **nat_rules; +extern ipnat_t **rdr_rules; +extern natstat_t nat_stats; #if defined(__NetBSD__) || defined(__OpenBSD__) extern int nat_ioctl __P((caddr_t, u_long, int)); #else extern int nat_ioctl __P((caddr_t, int, int)); #endif -extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int)); -extern nat_t *nat_outlookup __P((void *, int, struct in_addr, u_short, - struct in_addr, u_short)); -extern nat_t *nat_inlookup __P((void *, int, struct in_addr, u_short, - struct in_addr, u_short)); +extern int nat_init __P((void)); +extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int)); +extern nat_t *nat_outlookup __P((void *, u_int, u_int, struct in_addr, + struct in_addr, u_32_t)); +extern nat_t *nat_inlookup __P((void *, u_int, u_int, struct in_addr, + struct in_addr, u_32_t)); +extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr, + struct in_addr)); extern nat_t *nat_lookupredir __P((natlookup_t *)); -extern nat_t *nat_lookupmapip __P((void *, int, struct in_addr, u_short, - struct in_addr, u_short)); extern nat_t *nat_icmpinlookup __P((ip_t *, 
fr_info_t *)); -extern nat_t *nat_icmpin __P((ip_t *, fr_info_t *, int *)); +extern nat_t *nat_icmpin __P((ip_t *, fr_info_t *, u_int *)); -extern int ip_natout __P((ip_t *, int, fr_info_t *)); -extern int ip_natin __P((ip_t *, int, fr_info_t *)); +extern int ip_natout __P((ip_t *, fr_info_t *)); +extern int ip_natin __P((ip_t *, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); -extern void nat_log __P((struct nat *, u_short)); +extern void nat_log __P((struct nat *, u_int)); extern void fix_incksum __P((u_short *, u_32_t)); extern void fix_outcksum __P((u_short *, u_32_t)); diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c index 0fb7e95..ccf9c12 100644 --- a/contrib/ipfilter/ip_proxy.c +++ b/contrib/ipfilter/ip_proxy.c @@ -1,31 +1,33 @@ /* - * Copyright (C) 1997 by Darren Reed. + * Copyright (C) 1997-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) # define _KERNEL #endif -#if !defined(_KERNEL) && !defined(KERNEL) -# include <stdio.h> -# include <string.h> -# include <stdlib.h> -#endif #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#include <sys/ioctl.h> +#if !defined(__FreeBSD_version) +# include <sys/ioctl.h> +#endif #include <sys/fcntl.h> #include <sys/uio.h> +#if !defined(_KERNEL) && !defined(KERNEL) +# include <stdio.h> +# include <string.h> +# include <stdlib.h> +#endif #ifndef linux # include <sys/protosw.h> #endif 
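Review bot: CALC_SUMD in the `@@ -150,31` hunk is a multi-statement macro wrapped in plain braces, so `if (c) CALC_SUMD(a, b, d); else ...` does not compile, and it overwrites its s1 and s2 arguments in place, which the caller in ip_natsync happens to tolerate; wrap the body in `do { ... } while (0)` and say in a comment that s1/s2 are modified. `LONG_SUM` is defined right above it, yet CALC_SUMD repeats the same fold by hand four times — using the macro keeps the two in step. `NAT_HASH_FN(k, m)` divides by a runtime size (ipf_nattable_sz, ipf_natrules_sz, ipf_rdrrules_sz); a zero size faults in-kernel, so nat_init must reject it, and a note at the extern declarations would make that requirement visible.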
@@ -43,7 +45,9 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15 # endif #else # include <sys/byteorder.h> -# include <sys/dditypes.h> +# ifdef _KERNEL +# include <sys/dditypes.h> +# endif # include <sys/stream.h> # include <sys/kmem.h> #endif @@ -70,31 +74,48 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15 #include "netinet/ip_proxy.h" #include "netinet/ip_nat.h" #include "netinet/ip_state.h" +#if (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +#endif + #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif -static ap_session_t *ap_find __P((ip_t *, tcphdr_t *)); -static ap_session_t *ap_new_session __P((aproxy_t *, ip_t *, tcphdr_t *, - fr_info_t *, nat_t *)); +static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *, + fr_info_t *, nat_t *)); +static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); + #define AP_SESS_SIZE 53 #if defined(_KERNEL) && !defined(linux) #include "netinet/ip_ftp_pxy.c" +#include "netinet/ip_rcmd_pxy.c" +#include "netinet/ip_raudio_pxy.c" #endif ap_session_t *ap_sess_tab[AP_SESS_SIZE]; +ap_session_t *ap_sess_list = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY - { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_in, ippr_ftp_out }, + { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, + ippr_ftp_in, ippr_ftp_out }, +#endif +#ifdef IPF_RCMD_PROXY + { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_new, + NULL, ippr_rcmd_out }, +#endif +#ifdef IPF_RAUDIO_PROXY + { "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, + ippr_raudio_new, ippr_raudio_in, ippr_raudio_out }, #endif { "", '\0', 0, 0, NULL, NULL } }; -int ap_ok(ip, tcp, nat) +int appr_ok(ip, tcp, nat) ip_t *ip; tcphdr_t *tcp; ipnat_t *nat; 
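Review bot: `ap_session_t *ap_sess_tab[AP_SESS_SIZE];` survives in the `@@ -70,31` hunk although ap_find, ap_unload and ap_expire — the only users shown — are deleted in the later ip_proxy.c hunks, and its extern in the ip_proxy.h `@@ -68,26` hunk and the new `aps_hnext` member in `@@ -39,19` are likewise unreferenced; drop them or say what they are reserved for. The new table rows carry eight initialisers while the terminator `{ "", '\0', 0, 0, NULL, NULL }` has six, which is legal but hides the row layout; writing the terminator with all eight fields makes future additions less error-prone. A comment naming which IPF_*_PROXY macro enables each `#include "netinet/ip_*_pxy.c"` and table row would help readers match the two lists.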
@@ -102,7 +123,7 @@ ipnat_t *nat; aproxy_t *apr = nat->in_apr; u_short dport = nat->in_dport; - if (!apr || (apr && (apr->apr_flags & APR_DELETE)) || + if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p)) return 0; if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport)) 
@@ -111,108 +132,36 @@ ipnat_t *nat; } -static int -ap_matchsrcdst(aps, src, dst, tcp, sport, dport) -ap_session_t *aps; -struct in_addr src, dst; -void *tcp; -u_short sport, dport; -{ - if (aps->aps_dst.s_addr == dst.s_addr) { - if ((aps->aps_src.s_addr == src.s_addr) && - (!tcp || (sport == aps->aps_sport) && - (dport == aps->aps_dport))) - return 1; - } else if (aps->aps_dst.s_addr == src.s_addr) { - if ((aps->aps_src.s_addr == dst.s_addr) && - (!tcp || (sport == aps->aps_dport) && - (dport == aps->aps_sport))) - return 1; - } - return 0; -} - - -static ap_session_t *ap_find(ip, tcp) -ip_t *ip; -tcphdr_t *tcp; -{ - register u_char p = ip->ip_p; - register ap_session_t *aps; - register u_short sp, dp; - register u_long hv; - struct in_addr src, dst; - - src = ip->ip_src, dst = ip->ip_dst; - sp = dp = 0; /* XXX gcc -Wunitialized */ - - hv = ip->ip_src.s_addr ^ ip->ip_dst.s_addr; - hv *= 651733; - if (tcp) { - sp = tcp->th_sport; - dp = tcp->th_dport; - hv ^= (sp + dp); - hv *= 5; - } - hv %= AP_SESS_SIZE; - - for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next) - if ((aps->aps_p == p) && - ap_matchsrcdst(aps, src, dst, tcp, sp, dp)) - break; - return aps; -} - - /* * Allocate a new application proxy structure and fill it in with the * relevant details. call the init function once complete, prior to * returning. 
*/ -static ap_session_t *ap_new_session(apr, ip, tcp, fin, nat) +static ap_session_t *appr_new_session(apr, ip, fin, nat) aproxy_t *apr; ip_t *ip; -tcphdr_t *tcp; fr_info_t *fin; nat_t *nat; { register ap_session_t *aps; - u_short dport; - u_long hv; - if (!apr || (apr && (apr->apr_flags & APR_DELETE)) || - (ip->ip_p != apr->apr_p)) - return NULL; - dport = nat->nat_ptr->in_dport; - if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport)) + if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p)) return NULL; - hv = ip->ip_src.s_addr ^ ip->ip_dst.s_addr; - hv *= 651733; - if (tcp) { - hv ^= (tcp->th_sport + tcp->th_dport); - hv *= 5; - } - hv %= AP_SESS_SIZE; - - KMALLOC(aps, ap_session_t *, sizeof(*aps)); + KMALLOC(aps, ap_session_t *); if (!aps) return NULL; bzero((char *)aps, sizeof(*aps)); - aps->aps_apr = apr; - aps->aps_src = ip->ip_src; - aps->aps_dst = ip->ip_dst; + aps->aps_next = ap_sess_list; aps->aps_p = ip->ip_p; - aps->aps_tout = 1200; /* XXX */ - if (tcp) { - aps->aps_sport = tcp->th_sport; - aps->aps_dport = tcp->th_dport; - } aps->aps_data = NULL; + aps->aps_apr = apr; aps->aps_psiz = 0; - aps->aps_next = ap_sess_tab[hv]; - ap_sess_tab[hv] = aps; - (void) (*apr->apr_init)(fin, ip, tcp, aps, nat); + ap_sess_list = aps; + aps->aps_nat = nat; + nat->nat_aps = aps; + if (apr->apr_new != NULL) + (void) (*apr->apr_new)(fin, ip, aps, nat); return aps; } 
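Review bot: appr_new_session links the new session onto the global `ap_sess_list` and writes `nat->nat_aps` with no lock, yet its caller appr_check is reached from ip_natin/ip_natout while only the read side of ipf_nat is held (`RWLOCK_EXIT(&ipf_nat); /* READ */` follows the call), so two packets creating sessions concurrently can race on the list head unless a lock not visible here serialises appr_check. The result of `(*apr->apr_new)(fin, ip, aps, nat)` is discarded, so a proxy whose per-session setup fails still has a session attached; assuming the same non-zero-is-error convention appr_init uses for apr_init, check it and undo the attach, e.g. `if (apr->apr_new != NULL && (*apr->apr_new)(fin, ip, aps, nat) != 0) { nat->nat_aps = NULL; aps_free(aps); return NULL; }`. The comment above the function still says "call the init function once complete", which now describes apr_new, not apr_init.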
@@ -221,59 +170,67 @@ nat_t *nat; * check to see if a packet should be passed through an active proxy routine * if one has been setup for it. */ -int ap_check(ip, tcp, fin, nat) +int appr_check(ip, fin, nat) ip_t *ip; -tcphdr_t *tcp; fr_info_t *fin; nat_t *nat; { ap_session_t *aps; aproxy_t *apr; + tcphdr_t *tcp = NULL; + u_32_t sum; int err; - if (!(fin->fin_fi.fi_fl & FI_TCPUDP)) - tcp = NULL; - - if ((aps = ap_find(ip, tcp)) || - (aps = ap_new_session(nat->nat_ptr->in_apr, ip, tcp, fin, nat))) { + if (nat->nat_aps == NULL) + nat->nat_aps = appr_new_session(nat->nat_ptr->in_apr, ip, + fin, nat); + aps = nat->nat_aps; + if ((aps != NULL) && (aps->aps_p == ip->ip_p)) { if (ip->ip_p == IPPROTO_TCP) { + tcp = (tcphdr_t *)fin->fin_dp; /* * verify that the checksum is correct. If not, then * don't do anything with this packet. */ - if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp, - ip, tcp, ip->ip_len)) { +#if SOLARIS && defined(_KERNEL) + sum = fr_tcpsum(fin->fin_qfm, ip, tcp); +#else + sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); +#endif + if (sum != tcp->th_sum) { frstats[fin->fin_out].fr_tcpbad++; return -1; } - fr_tcp_age(&aps->aps_tout, aps->aps_state, ip, fin, - tcp->th_sport == aps->aps_sport); } apr = aps->aps_apr; err = 0; - if (fin->fin_out) { - if (apr->apr_outpkt) - err = (*apr->apr_outpkt)(fin, ip, tcp, - aps, nat); + if (fin->fin_out != 0) { + if (apr->apr_outpkt != NULL) + err = (*apr->apr_outpkt)(fin, ip, aps, nat); } else { - if (apr->apr_inpkt) - err = (*apr->apr_inpkt)(fin, ip, tcp, - aps, nat); + if (apr->apr_inpkt != NULL) + err = (*apr->apr_inpkt)(fin, ip, aps, nat); } - if (err == 2) { - tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, - tcp, ip->ip_len); - err = 0; + + if (tcp != NULL) { + err = appr_fixseqack(fin, ip, aps, err); +#if SOLARIS && defined(_KERNEL) + tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp); +#else + tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); +#endif } - return err; + aps->aps_bytes += ip->ip_len; + 
aps->aps_pkts++; + return 2; } return -1; } -aproxy_t *ap_match(pr, name) -u_char pr; +aproxy_t *appr_match(pr, name) +u_int pr; char *name; { aproxy_t *ap; @@ -288,7 +245,7 @@ char *name; } -void ap_free(ap) +void appr_free(ap) aproxy_t *ap; { ap->apr_ref--; 
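Review bot: appr_check returns -1 both when the TCP checksum verification fails (`frstats[fin->fin_out].fr_tcpbad++; return -1;`) and when there is simply no session for the packet, so a caller cannot distinguish a corrupted or forged segment from an unproxied one, and with ip_natin/ip_natout casting the result to void a segment with a bad checksum is still translated and forwarded. Returning a distinct value for the checksum case (or having the callers act on it) would make the check effective. The proxy handler's result is consumed only as the `inc` argument of appr_fixseqack and the function then returns a fixed 2, so the header comment should spell out the contract: `/* Returns 2 if a proxy handled the packet (TCP checksum recomputed), -1 if no session applies or the incoming TCP checksum was bad. */`. The comment block above appr_check begins outside this hunk.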
@@ -298,38 +255,133 @@ aproxy_t *ap; void aps_free(aps) ap_session_t *aps; { - if (aps->aps_data && aps->aps_psiz) - KFREES(aps->aps_data, aps->aps_psiz); - KFREE(aps); + ap_session_t *a, **ap; + + if (!aps) + return; + + for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next) + if (a == aps) { + *ap = a->aps_next; + break; + } + + if (a) { + if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) + KFREES(aps->aps_data, aps->aps_psiz); + KFREE(aps); + } } -void ap_unload() +static int appr_fixseqack(fin, ip, aps, inc) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +int inc; { - ap_session_t *aps; - int i; + int sel, ch = 0, out, nlen; + u_32_t seq1, seq2; + tcphdr_t *tcp; + + tcp = (tcphdr_t *)fin->fin_dp; + out = fin->fin_out; + nlen = ip->ip_len; + nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + + if (out != 0) { + seq1 = (u_32_t)ntohl(tcp->th_seq); + sel = aps->aps_sel[out]; + + /* switch to other set ? */ + if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && + (seq1 > aps->aps_seqmin[!sel])) + sel = aps->aps_sel[out] = !sel; + + if (aps->aps_seqoff[sel]) { + seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; + if (seq1 > seq2) { + seq2 = aps->aps_seqoff[sel]; + seq1 += seq2; + tcp->th_seq = htonl(seq1); + ch = 1; + } + } - for (i = 0; i < AP_SESS_SIZE; i++) - while ((aps = ap_sess_tab[i])) { - ap_sess_tab[i] = aps->aps_next; - aps_free(aps); + if (inc && (seq1 > aps->aps_seqmin[!sel])) { + aps->aps_seqmin[!sel] = seq1 + nlen - 1; + aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc; } + + /***/ + + seq1 = ntohl(tcp->th_ack); + sel = aps->aps_sel[1 - out]; + + /* switch to other set ? */ + if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && + (seq1 > aps->aps_ackmin[!sel])) + sel = aps->aps_sel[1 - out] = !sel; + + if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { + seq2 = aps->aps_ackoff[sel]; + tcp->th_ack = htonl(seq1 - seq2); + ch = 1; + } + } else { + seq1 = ntohl(tcp->th_seq); + sel = aps->aps_sel[out]; + + /* switch to other set ? 
*/ + if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && + (seq1 > aps->aps_ackmin[!sel])) + sel = aps->aps_sel[out] = !sel; + + if (aps->aps_ackoff[sel]) { + seq2 = aps->aps_ackmin[sel] - + aps->aps_ackoff[sel]; + if (seq1 > seq2) { + seq2 = aps->aps_ackoff[sel]; + seq1 += seq2; + tcp->th_seq = htonl(seq1); + ch = 1; + } + } + + if (inc && (seq1 > aps->aps_ackmin[!sel])) { + aps->aps_ackmin[!sel] = seq1 + nlen - 1; + aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; + } + + /***/ + + seq1 = ntohl(tcp->th_ack); + sel = aps->aps_sel[1 - out]; + + /* switch to other set ? */ + if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && + (seq1 > aps->aps_seqmin[!sel])) + sel = aps->aps_sel[1 - out] = !sel; + + if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) { + seq2 = aps->aps_seqoff[sel]; + tcp->th_ack = htonl(seq1 - seq2); + ch = 1; + } + } + return ch ? 2 : 0; } -void ap_expire() +int appr_init() { - ap_session_t *aps, **apsp; - int i; - - for (i = 0; i < AP_SESS_SIZE; i++) - for (apsp = &ap_sess_tab[i]; (aps = *apsp); ) { - aps->aps_tout--; - if (!aps->aps_tout) { - ap_sess_tab[i] = aps->aps_next; - aps_free(aps); - *apsp = aps->aps_next; - } else - apsp = &aps->aps_next; - } + aproxy_t *ap; + int err = 0; + + for (ap = ap_proxies; ap->apr_p; ap++) { + err = (*ap->apr_init)(); + if (err != 0) + break; + } + return err; } diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h index a361e93..08409b0 100644 --- a/contrib/ipfilter/ip_proxy.h +++ b/contrib/ipfilter/ip_proxy.h @@ -1,11 +1,11 @@ /* - * Copyright (C) 1997 by Darren Reed. + * Copyright (C) 1997-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_proxy.h,v 2.0.2.10.2.1 1997/11/27 09:33:27 darrenr Exp $ + * $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $ */ #ifndef __IP_PROXY_H__ 
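Review bot: Every sequence comparison in appr_fixseqack (`seq1 > aps->aps_seqmin[!sel]`, `seq1 > aps->aps_ackmin[sel]`, and the "switch to other set" tests) is a plain unsigned `>` on 32-bit TCP sequence numbers, which gives the wrong answer once the space wraps; a session whose numbers cross 2^32 selects the wrong offset set and corrupts later seq/ack values. Use a modular compare, e.g. `#define SEQ_GT(a, b) ((int)((a) - (b)) > 0)`, for every comparison between sequence values. In appr_init, `err = (*ap->apr_init)();` has none of the NULL tests applied to apr_new, apr_inpkt and apr_outpkt elsewhere in this file, so a table row without an init function faults at attach. aps_free returns silently when `aps` is not on `ap_sess_list`; a comment should say whether that is a double-free guard, because the caller cannot observe which case it hit.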
@@ -26,9 +26,11 @@ struct ipnat; typedef struct ap_tcp { u_short apt_sport; /* source port */ u_short apt_dport; /* destination port */ - short apt_sel; /* seqoff/after set selector */ + short apt_sel[2]; /* {seq,ack}{off,min} set selector */ short apt_seqoff[2]; /* sequence # difference */ - tcp_seq apt_after[2]; /* don't change seq-off until after this */ + tcp_seq apt_seqmin[2]; /* don't change seq-off until after this */ + short apt_ackoff[2]; /* sequence # difference */ + tcp_seq apt_ackmin[2]; /* don't change seq-off until after this */ u_char apt_state[2]; /* connection state */ } ap_tcp_t; @@ -39,19 +41,18 @@ typedef struct ap_udp { typedef struct ap_session { struct aproxy *aps_apr; - struct in_addr aps_src; /* source IP# */ - struct in_addr aps_dst; /* destination IP# */ - u_char aps_p; /* protocol */ union { struct ap_tcp apu_tcp; struct ap_udp apu_udp; } aps_un; u_int aps_flags; - QUAD_T aps_bytes; /* bytes sent */ - QUAD_T aps_pkts; /* packets sent */ - u_long aps_tout; /* time left before expiring */ + U_QUAD_T aps_bytes; /* bytes sent */ + U_QUAD_T aps_pkts; /* packets sent */ + void *aps_nat; /* pointer back to nat struct */ void *aps_data; /* private data */ + int aps_p; /* protocol */ int aps_psiz; /* size of private data */ + struct ap_session *aps_hnext; struct ap_session *aps_next; } ap_session_t ; @@ -59,8 +60,10 @@ typedef struct ap_session { #define aps_dport aps_un.apu_tcp.apt_dport #define aps_sel aps_un.apu_tcp.apt_sel #define aps_seqoff aps_un.apu_tcp.apt_seqoff -#define aps_after aps_un.apu_tcp.apt_after +#define aps_seqmin aps_un.apu_tcp.apt_seqmin #define aps_state aps_un.apu_tcp.apt_state +#define aps_ackoff aps_un.apu_tcp.apt_ackoff +#define aps_ackmin aps_un.apu_tcp.apt_ackmin typedef struct aproxy { 
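Review bot: `apt_seqoff[2]` and the new `apt_ackoff[2]` are `short`, but appr_fixseqack accumulates them for the life of the session (`aps_seqoff[!sel] = aps_seqoff[sel] + inc;` and the ackoff counterpart), so a connection with many proxied rewrites overflows the 16-bit offset silently and then misadjusts every later segment; `int` (or tcp_seq with the adjustment applied modulo 2^32) is the safer type. The comments on the new members were copied from the seq fields: `apt_ackoff` and `apt_ackmin` should read `/* ack # difference */` and `/* don't change ack-off until after this */`, and `apt_sel[2]` is clearer as `/* per-direction selector into the {seq,ack}{off,min} pairs */`.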
@@ -68,26 +71,59 @@ typedef struct aproxy { u_char apr_p; /* protocol */ int apr_ref; /* +1 per rule referencing it */ int apr_flags; - int (* apr_init) __P((fr_info_t *, ip_t *, tcphdr_t *, + int (* apr_init) __P((void)); + int (* apr_new) __P((fr_info_t *, ip_t *, + ap_session_t *, struct nat *)); + int (* apr_inpkt) __P((fr_info_t *, ip_t *, ap_session_t *, struct nat *)); - int (* apr_inpkt) __P((fr_info_t *, ip_t *, tcphdr_t *, - ap_session_t *, struct nat *)); - int (* apr_outpkt) __P((fr_info_t *, ip_t *, tcphdr_t *, + int (* apr_outpkt) __P((fr_info_t *, ip_t *, ap_session_t *, struct nat *)); } aproxy_t; #define APR_DELETE 1 +/* + * Real audio proxy structure and #defines + */ +typedef struct { + int rap_seenpna; + int rap_seenver; + int rap_version; + int rap_eos; /* End Of Startup */ + int rap_gotid; + int rap_gotlen; + int rap_mode; + int rap_sdone; + u_short rap_plport; + u_short rap_prport; + u_short rap_srport; + char rap_svr[19]; + u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have + * been filled + */ + tcp_seq rap_sseq; +} raudio_t; + +#define RA_ID_END 0 +#define RA_ID_UDP 1 +#define RA_ID_ROBUST 7 + +#define RAP_M_UDP 1 +#define RAP_M_ROBUST 2 +#define RAP_M_TCP 4 +#define RAP_M_UDP_ROBUST (RAP_M_UDP|RAP_M_ROBUST) + + extern ap_session_t *ap_sess_tab[AP_SESS_SIZE]; +extern ap_session_t *ap_sess_list; extern aproxy_t ap_proxies[]; -extern int ap_ok __P((ip_t *, tcphdr_t *, struct ipnat *)); -extern void ap_unload __P((void)); -extern void ap_free __P((aproxy_t *)); +extern int appr_init __P((void)); +extern int appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *)); +extern void appr_free __P((aproxy_t *)); extern void aps_free __P((ap_session_t *)); -extern int ap_check __P((ip_t *, tcphdr_t *, fr_info_t *, struct nat *)); -extern aproxy_t *ap_match __P((u_char, char *)); -extern void ap_expire __P((void)); +extern int appr_check __P((ip_t *, fr_info_t *, struct nat *)); +extern aproxy_t *appr_match __P((u_int, char *)); #endif /* 
__IP_PROXY_H__ */ diff --git a/contrib/ipfilter/ip_raudio_pxy.c b/contrib/ipfilter/ip_raudio_pxy.c new file mode 100644 index 0000000..c04b834 --- /dev/null +++ b/contrib/ipfilter/ip_raudio_pxy.c 
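Review bot: raudio_t hard-codes the 19-byte server reply as `char rap_svr[19]` here and again as the `0x7ffff` "19 bits" mask and the `rap_svr + 13` port offset in ip_raudio_pxy.c, with only a comment tying them together; a named constant such as `#define RAP_SVR_LEN 19` with the mask derived from it (`((1 << RAP_SVR_LEN) - 1)`) keeps the two files from drifting. The struct would also benefit from one comment per flag field (rap_seenpna, rap_seenver, rap_eos, rap_gotid, rap_gotlen, rap_sdone) saying which parser stage each one records, since their meaning is only recoverable from the proxy source.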
@@ -0,0 +1,270 @@ +#if SOLARIS && defined(_KERNEL) +extern kmutex_t ipf_rw; +#endif + +#define IPF_RAUDIO_PROXY + + +int ippr_raudio_init __P((void)); +int ippr_raudio_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); +int ippr_raudio_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); +int ippr_raudio_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); + +static frentry_t raudiofr; + + +/* + * Real Audio application proxy initialization. + */ +int ippr_raudio_init() +{ + bzero((char *)&raudiofr, sizeof(raudiofr)); + raudiofr.fr_ref = 1; + raudiofr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE; + return 0; +} + + +/* + * Setup for a new proxy to handle Real Audio. + */ +int ippr_raudio_new(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + raudio_t *rap; + + + KMALLOCS(aps->aps_data, void *, sizeof(raudio_t)); + if (aps->aps_data != NULL) { + bzero(aps->aps_data, sizeof(raudio_t)); + rap = aps->aps_data; + aps->aps_psiz = sizeof(raudio_t); + rap->rap_mode = RAP_M_TCP; /* default is for TCP */ + } + return 0; +} + + + +int ippr_raudio_out(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + char membuf[512 + 1], *s; + int off, dlen, inc = 0; + tcphdr_t *tcp, tcph, *tcp2 = &tcph; + raudio_t *rap = aps->aps_data; + u_short sp, dp, id = 0; + struct in_addr swip; + fr_info_t fi; + int len = 0; + nat_t *ipn; + mb_t *m; +#if SOLARIS + mb_t *m1; +#endif + + /* + * If we've already processed the start messages, then nothing left + * for the proxy to do. 
+ */ + if (rap->rap_eos == 1) + return 0; + + tcp = (tcphdr_t *)fin->fin_dp; + off = (ip->ip_hl << 2) + (tcp->th_off << 2); + bzero(membuf, sizeof(membuf)); +#if SOLARIS + m = fin->fin_qfm; + + dlen = msgdsize(m) - off; + if (dlen <= 0) + return 0; + copyout_mblk(m, off, MIN(sizeof(membuf), dlen), membuf); +#else + m = *(mb_t **)fin->fin_mp; + + dlen = mbufchainlen(m) - off; + if (dlen <= 0) + return 0; + m_copydata(m, off, MIN(sizeof(membuf), dlen), membuf); +#endif + /* + * In all the startup parsing, ensure that we don't go outside + * the packet buffer boundary. + */ + /* + * Look for the start of connection "PNA" string if not seen yet. + */ + if (rap->rap_seenpna == 0) { + s = memstr("PNA", membuf, 3, dlen); + if (s == NULL) + return 0; + s += 3; + rap->rap_seenpna = 1; + } else + s = membuf; + + /* + * Directly after the PNA will be the version number of this + * connection. + */ + if (rap->rap_seenpna == 1 && rap->rap_seenver == 0) { + if ((s + 1) - membuf < dlen) { + rap->rap_version = (*s << 8) | *(s + 1); + s += 2; + rap->rap_seenver = 1; + } else + return 0; + } + + /* + * Now that we've been past the PNA and version number, we're into the + * startup messages block. This ends when a message with an ID of 0. 
+ */ + while ((rap->rap_eos == 0) && ((s + 1) - membuf < dlen)) { + if (rap->rap_gotid == 0) { + id = (*s << 8) | *(s + 1); + s += 2; + rap->rap_gotid = 1; + if (id == RA_ID_END) { + rap->rap_eos = 1; + break; + } + } else if (rap->rap_gotlen == 0) { + len = (*s << 8) | *(s + 1); + s += 2; + rap->rap_gotlen = 1; + } + + if (rap->rap_gotid == 1 && rap->rap_gotlen == 1) { + if (id == RA_ID_UDP) { + rap->rap_mode &= ~RAP_M_TCP; + rap->rap_mode |= RAP_M_UDP; + rap->rap_plport = (*s << 8) | *(s + 1); + } else if (id == RA_ID_ROBUST) { + rap->rap_mode |= RAP_M_ROBUST; + rap->rap_prport = (*s << 8) | *(s + 1); + } + s += len; + rap->rap_gotlen = 0; + rap->rap_gotid = 0; + } + } + + /* + * Wait until we've seen the end of the start messages and even then + * only proceed further if we're using UDP. + */ + if ((rap->rap_eos == 0) || ((rap->rap_mode & RAP_M_UDP) != RAP_M_UDP)) + return 0; + sp = rap->rap_plport; + dp = 0; + + bcopy((char *)fin, (char *)&fi, sizeof(fi)); + bzero((char *)tcp2, sizeof(*tcp2)); + tcp2->th_sport = htons(sp); + tcp2->th_dport = 0; /* XXX - don't specify remote port */ + tcp2->th_win = htons(8192); + fi.fin_dp = (char *)tcp2; + fi.fin_data[0] = sp; + fi.fin_data[1] = 0; + fi.fin_fr = &raudiofr; + swip = ip->ip_src; + ip->ip_src = nat->nat_inip; + ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, NAT_OUTBOUND); + if (ipn != NULL) { + ipn->nat_age = fr_defnatage; + (void) fr_addstate(ip, &fi, FI_W_DPORT); + } + ip->ip_src = swip; + + if ((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) { + sp = rap->rap_prport; + } + return inc; +} + + +int ippr_raudio_in(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + char membuf[IPF_MAXPORTLEN + 1], *s; + int off, dlen; + raudio_t *rap = aps->aps_data; + u_int a1, a2, a3, a4; + tcphdr_t *tcp; + tcp_seq seq; + mb_t *m; +#if SOLARIS + mb_t *m1; +#endif + + if ((rap->rap_sdone != 0) || + ((rap->rap_mode & RAP_M_UDP_ROBUST) != RAP_M_UDP_ROBUST)) + return 0; + + tcp = 
(tcphdr_t *)fin->fin_dp; + off = (ip->ip_hl << 2) + (tcp->th_off << 2); + m = *(mb_t **)fin->fin_mp; + +#if SOLARIS + m = fin->fin_qfm; + + dlen = msgdsize(m) - off; + if (dlen <= 0) + return 0; + bzero(membuf, sizeof(membuf)); + copyout_mblk(m, off, MIN(sizeof(membuf), dlen), membuf); +#else + dlen = mbufchainlen(m) - off; + if (dlen <= 0) + return 0; + bzero(membuf, sizeof(membuf)); + m_copydata(m, off, MIN(sizeof(membuf), dlen), membuf); +#endif + + seq = ntohl(tcp->th_seq); + /* + * Check to see if the data in this packet is of interest to us. + * We only care for the first 19 bytes coming back from the server. + */ + if (rap->rap_sseq == 0) { + s = memstr("PNA", membuf, 3, dlen); + if (s == NULL) + return 0; + a1 = s - membuf; + dlen -= a1; + a1 = 0; + rap->rap_sseq = seq; + a2 = MIN(dlen, sizeof(rap->rap_svr)); + } else if (seq <= rap->rap_sseq + sizeof(rap->rap_svr)) { + /* + * seq # which is the start of data and from that the offset + * into the buffer array. + */ + a1 = seq - rap->rap_sseq; + a2 = MIN(dlen, sizeof(rap->rap_svr)); + a2 -= a1; + s = membuf; + } else + return 0; + + for (a3 = a1, a4 = a2; a4 > 0; a4--, a3++) { + rap->rap_sbf |= (1 << a3); + rap->rap_svr[a3] = *s++; + } + if (rap->rap_sbf == 0x7ffff) { /* 19 bits */ + s = rap->rap_svr + 13; + rap->rap_srport = (*s << 8) | *(s + 1); + } + return 0; +} diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c new file mode 100644 index 0000000..2b67ee5 --- /dev/null +++ b/contrib/ipfilter/ip_rcmd_pxy.c 
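Review bot: The startup-message parser in ippr_raudio_out reads past membuf: dlen is the full TCP payload length while only MIN(sizeof(membuf), dlen) bytes were copied, the loop bound `(s + 1) - membuf < dlen` and the `memstr("PNA", membuf, 3, dlen)` search are checked against that larger value, and because membuf is plain char, `len = (*s << 8) | *(s + 1)` can be negative so `s += len` walks off the stack buffer in either direction (the comment promising that parsing stays inside the packet buffer is not backed by any check). ippr_raudio_in has the matching problem: when seq is within 19 bytes of rap_sseq but dlen is smaller than a1, `a2 -= a1` underflows the u_int and the copy loop writes `rap_svr[a3]` and shifts `1 << a3` far beyond the 19-byte array, so it needs `if (a1 > a2) return 0;` before the subtraction and the same clamp of dlen to the copied size. ippr_raudio_new also returns 0 when KMALLOCS fails, leaving aps_data NULL for ippr_raudio_out/in to dereference on the first packet; it should `if (aps->aps_data == NULL) return -1;` as ippr_rcmd_new does. The sketch below clamps dlen, reads the bytes unsigned and rejects a message whose body or port field runs past the copied data.
```c
	char membuf[512 + 1], *s;
	/* … unchanged: other locals, rap_eos check, offset and copy of MIN(sizeof(membuf), dlen) bytes … */
	if (dlen > sizeof(membuf))
		dlen = sizeof(membuf);	/* never parse beyond what was copied */
	/* … unchanged: "PNA" search and version number … */
	while ((rap->rap_eos == 0) && ((s + 1) - membuf < dlen)) {
		if (rap->rap_gotid == 0) {
			id = ((u_char)s[0] << 8) | (u_char)s[1];	/* unsigned: no sign extension */
			/* … unchanged: advance, gotid, RA_ID_END … */
		} else if (rap->rap_gotlen == 0) {
			len = ((u_char)s[0] << 8) | (u_char)s[1];
			/* … unchanged: advance, gotlen … */
		}

		if (rap->rap_gotid == 1 && rap->rap_gotlen == 1) {
			/* the message body, and the 2-byte port inside it, must lie within membuf */
			if (len > dlen - (s - membuf))
				return 0;
			if (((id == RA_ID_UDP) || (id == RA_ID_ROBUST)) && (len < 2))
				return 0;
			/* … unchanged: rap_mode / rap_plport / rap_prport, s += len, reset flags … */
		}
	}
```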
@@ -0,0 +1,156 @@ +/* + * Simple RCMD transparent proxy for in-kernel use. For use with the NAT + * code. + */ +#if SOLARIS && defined(_KERNEL) +extern kmutex_t ipf_rw; +#endif + +#define isdigit(x) ((x) >= '0' && (x) <= '9') + +#define IPF_RCMD_PROXY + + +int ippr_rcmd_init __P((void)); +int ippr_rcmd_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); +int ippr_rcmd_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); +u_short ipf_rcmd_atoi __P((char *)); +int ippr_rcmd_portmsg __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); + +static frentry_t rcmdfr; + + +/* + * RCMD application proxy initialization. + */ +int ippr_rcmd_init() +{ + bzero((char *)&rcmdfr, sizeof(rcmdfr)); + rcmdfr.fr_ref = 1; + rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE; + return 0; +} + + +/* + * Setup for a new RCMD proxy. + */ +int ippr_rcmd_new(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; + + aps->aps_psiz = sizeof(u_32_t); + KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t)); + if (aps->aps_data == NULL) + return -1; + *(u_32_t *)aps->aps_data = 0; + aps->aps_sport = tcp->th_sport; + aps->aps_dport = tcp->th_dport; + return 0; +} + + +/* + * ipf_rcmd_atoi - implement a simple version of atoi + */ +u_short ipf_rcmd_atoi(ptr) +char *ptr; +{ + register char *s = ptr, c; + register u_short i = 0; + + while ((c = *s++) && isdigit(c)) { + i *= 10; + i += c - '0'; + } + return i; +} + + +int ippr_rcmd_portmsg(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + char portbuf[8], *s; + struct in_addr swip; + u_short sp, dp; + int off, dlen; + tcphdr_t *tcp, tcph, *tcp2 = &tcph; + fr_info_t fi; + nat_t *ipn; + mb_t *m; +#if SOLARIS + mb_t *m1; +#endif + + tcp = (tcphdr_t *)fin->fin_dp; + off = (ip->ip_hl << 2) + (tcp->th_off << 2); + m = *(mb_t **)fin->fin_mp; + +#if SOLARIS + m = fin->fin_qfm; + + dlen = msgdsize(m) - off; + bzero(portbuf, sizeof(portbuf)); + 
copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf); +#else + dlen = mbufchainlen(m) - off; + bzero(portbuf, sizeof(portbuf)); + m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); +#endif + if ((*(u_32_t *)aps->aps_data != 0) && + (tcp->th_seq != *(u_32_t *)aps->aps_data)) + return 0; + + portbuf[sizeof(portbuf) - 1] = '\0'; + s = portbuf; + sp = ipf_rcmd_atoi(s); + if (!sp) + return 0; + + /* + * Add skeleton NAT entry for connection which will come back the + * other way. + */ + sp = htons(sp); + dp = htons(fin->fin_data[1]); + ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, + ip->ip_dst, (dp << 16) | sp); + if (ipn == NULL) { + bcopy((char *)fin, (char *)&fi, sizeof(fi)); + bzero((char *)tcp2, sizeof(*tcp2)); + tcp2->th_win = htons(8192); + tcp2->th_sport = sp; + tcp2->th_dport = 0; /* XXX - don't specify remote port */ + fi.fin_data[0] = ntohs(sp); + fi.fin_data[1] = 0; + fi.fin_dp = (char *)tcp2; + swip = ip->ip_src; + ip->ip_src = nat->nat_inip; + ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, + NAT_OUTBOUND); + if (ipn != NULL) { + ipn->nat_age = fr_defnatage; + fi.fin_fr = &rcmdfr; + (void) fr_addstate(ip, &fi, FI_W_DPORT); + } + ip->ip_src = swip; + } + return 0; +} + + +int ippr_rcmd_out(fin, ip, aps, nat) +fr_info_t *fin; +ip_t *ip; +ap_session_t *aps; +nat_t *nat; +{ + return ippr_rcmd_portmsg(fin, ip, aps, nat); +} diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 0677b94..4fa0df7 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
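Review bot: ippr_rcmd_portmsg computes `dlen = msgdsize(m) - off` (and the mbufchainlen form) without the `if (dlen <= 0) return 0;` guard the raudio proxy has, so a segment with no payload — every bare ACK on the connection — still reaches copyout_mblk/m_copydata with an offset past the end of the chain (MIN(sizeof(portbuf), dlen) does not help, since a negative dlen converts to a huge unsigned and the full 8 bytes are requested); add `if (dlen <= 0) return 0;` right after the length is computed in both branches. The sequence-number gate that follows compares th_seq with the u_32_t kept in aps_data, but nothing in this file ever stores a non-zero value there (ippr_rcmd_new zeroes it), so unless a caller outside this hunk sets it, every outbound segment that begins with digits creates a FI_W_DPORT NAT and state entry for whatever port the client names. ipf_rcmd_atoi also accumulates into a u_short with no bound, so the up-to-seven-digit string portbuf can hold silently wraps (e.g. "70000" yields 4464); accumulate in a wider type and return 0 once the value exceeds 65535.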
@@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.2 1999/10/05 12:59:08 darrenr Exp $"; #endif #include <sys/types.h> @@ -52,16 +52,18 @@ static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.5 1997/12/02 13:55: #define MIN(a,b) (((a)<(b))?(a):(b)) #endif + extern fr_flags, fr_active; -int ipfr_timer_id = 0; +int fr_running = 0; int ipl_unreach = ICMP_UNREACH_HOST; u_long ipl_frouteok[2] = {0, 0}; static void frzerostats __P((caddr_t)); -static int frrequest __P((int, int, caddr_t, int)); -kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex; -kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; +static int frrequest __P((minor_t, int, caddr_t, int)); +kmutex_t ipl_mutex, ipf_authmx, ipf_rw; +KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris; +KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; kcondvar_t iplwait, ipfauthwait; 
@@ -72,49 +74,62 @@ int ipldetach() #ifdef IPFDEBUG cmn_err(CE_CONT, "ipldetach()\n"); #endif +#ifdef IPFILTER_LOG for (i = IPL_LOGMAX; i >= 0; i--) ipflog_clear(i); - untimeout(ipfr_timer_id); +#endif i = FR_INQUE|FR_OUTQUE; - frflush(IPL_LOGIPF, &i); + (void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); ipfr_unload(); fr_stateunload(); ip_natunload(); cv_destroy(&iplwait); cv_destroy(&ipfauthwait); + mutex_destroy(&ipf_authmx); mutex_destroy(&ipl_mutex); - mutex_destroy(&ipf_mutex); - mutex_destroy(&ipfs_mutex); - mutex_destroy(&ipf_frag); - mutex_destroy(&ipf_state); - mutex_destroy(&ipf_natfrag); - mutex_destroy(&ipf_nat); - mutex_destroy(&ipf_auth); + mutex_destroy(&ipf_rw); + RW_DESTROY(&ipf_mutex); + RW_DESTROY(&ipf_frag); + RW_DESTROY(&ipf_state); + RW_DESTROY(&ipf_natfrag); + RW_DESTROY(&ipf_nat); + RW_DESTROY(&ipf_auth); + RW_DESTROY(&ipfs_mutex); + /* NOTE: This lock is acquired in ipf_detach */ + RWLOCK_EXIT(&ipf_solaris); + RW_DESTROY(&ipf_solaris); return 0; } int iplattach __P((void)) { - int i; - #ifdef IPFDEBUG cmn_err(CE_CONT, "iplattach()\n"); #endif - bzero((char *)nat_table, sizeof(nat_table)); bzero((char *)frcache, sizeof(frcache)); mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_mutex, "ipf filter mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipfs_mutex, "ipf solaris mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_auth, "ipf IP User-Auth mutex", MUTEX_DRIVER, NULL); + mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL); + mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL); + RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL); + RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL); + RWLOCK_INIT(&ipfs_mutex, "ipf solaris 
mutex", NULL); + RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock", NULL); + RWLOCK_INIT(&ipf_state, "ipf IP state rwlock", NULL); + RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock", NULL); + RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock", NULL); + RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock", NULL); cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL); cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL); - ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000)); +#ifdef IPFILTER_LOG ipflog_init(); +#endif + if (nat_init() == -1) + return -1; + if (fr_stateinit() == -1) + return -1; + if (appr_init() == -1) + return -1; return 0; } @@ -122,7 +137,7 @@ int iplattach __P((void)) static void frzerostats(data) caddr_t data; { - struct friostat fio; + friostat_t fio; bcopy((char *)frstats, (char *)fio.f_st, sizeof(struct filterstats) * 2); @@ -148,27 +163,38 @@ caddr_t data; int iplioctl(dev, cmd, data, mode, cp, rp) dev_t dev; int cmd; -int data; +#if SOLARIS2 >= 7 +intptr_t data; +#else +int *data; +#endif int mode; cred_t *cp; int *rp; { - int error = 0, unit, tmp; + int error = 0, tmp; + minor_t unit; #ifdef IPFDEBUG cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n", dev, cmd, data, mode, cp, rp); #endif unit = getminor(dev); - if ((IPL_LOGMAX < unit) || (unit < 0)) + if (IPL_LOGMAX < unit) return ENXIO; + if (fr_running <= 0) + return 0; + + READ_ENTER(&ipf_solaris); if (unit == IPL_LOGNAT) { error = nat_ioctl((caddr_t)data, cmd, mode); + RWLOCK_EXIT(&ipf_solaris); return error; } if (unit == IPL_LOGSTATE) { error = fr_state_ioctl((caddr_t)data, cmd, mode); + RWLOCK_EXIT(&ipf_solaris); return error; } 
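Review bot: iplattach tests `appr_init() == -1`, but appr_init (visible earlier in this diff) returns whatever the first failing proxy init function returns — any non-zero value — so a proxy failure reported as anything other than -1 is treated as success; test `if (appr_init() != 0) return -1;` (and the same `!= 0` form is harmless for nat_init and fr_stateinit). When fr_stateinit or appr_init fails, the function returns with the NAT tables, rwlocks, mutexes and condvars initialised above still live and nothing unwinds them; either tear down in the error path or document that the caller must invoke ipldetach after a failed attach. In ipldetach the assignment `i = FR_INQUE|FR_OUTQUE;` is now dead, since frflush is called with the constant directly and `i` is otherwise only used inside `#ifdef IPFILTER_LOG`.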
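Review bot: The new `if (fr_running <= 0) return 0;` at the top of iplioctl makes every ioctl report success while the filter is not running, without copying anything out, so ipf/ipfstat will read whatever happened to be in their buffer as a valid answer; return an errno instead — ENXIO would mirror the check iplopen gains in this same commit. The read lock on ipf_solaris is correctly released on the two early returns for the NAT and state units; the rest of iplioctl, including its final RWLOCK_EXIT, is in later hunks.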
@@ -178,16 +204,20 @@ int *rp; u_int enable; if (!(mode & FWRITE)) - return EPERM; - IRCOPY((caddr_t)data, (caddr_t)&enable, sizeof(enable)); + error = EPERM; + else + IRCOPY((caddr_t)data, (caddr_t)&enable, sizeof(enable)); break; } case SIOCSETFF : if (!(mode & FWRITE)) - return EPERM; - mutex_enter(&ipf_mutex); - IRCOPY((caddr_t)data, (caddr_t)&fr_flags, sizeof(fr_flags)); - mutex_exit(&ipf_mutex); + error = EPERM; + else { + WRITE_ENTER(&ipf_mutex); + IRCOPY((caddr_t)data, (caddr_t)&fr_flags, + sizeof(fr_flags)); + RWLOCK_EXIT(&ipf_mutex); + } break; case SIOCGETFF : IWCOPY((caddr_t)&fr_flags, (caddr_t)data, sizeof(fr_flags)); @@ -197,34 +227,36 @@ int *rp; case SIOCADAFR : case SIOCZRLST : if (!(mode & FWRITE)) - return EPERM; - mutex_enter(&ipf_mutex); - error = frrequest(unit, cmd, (caddr_t)data, fr_active); - mutex_exit(&ipf_mutex); + error = EPERM; + else + error = frrequest(unit, cmd, (caddr_t)data, fr_active); break; case SIOCINIFR : case SIOCRMIFR : case SIOCADIFR : if (!(mode & FWRITE)) - return EPERM; - mutex_enter(&ipf_mutex); - error = frrequest(unit, cmd, (caddr_t)data, 1 - fr_active); - mutex_exit(&ipf_mutex); + error = EPERM; + else + error = frrequest(unit, cmd, (caddr_t)data, + 1 - fr_active); break; case SIOCSWAPA : if (!(mode & FWRITE)) - return EPERM; - mutex_enter(&ipf_mutex); - bzero((char *)frcache, sizeof(frcache[0]) * 2); - IWCOPY((caddr_t)&fr_active, (caddr_t)data, sizeof(fr_active)); - fr_active = 1 - fr_active; - mutex_exit(&ipf_mutex); + error = EPERM; + else { + WRITE_ENTER(&ipf_mutex); + bzero((char *)frcache, sizeof(frcache[0]) * 2); + IWCOPY((caddr_t)&fr_active, (caddr_t)data, + sizeof(fr_active)); + fr_active = 1 - fr_active; + RWLOCK_EXIT(&ipf_mutex); + } break; case SIOCGETFS : { struct friostat fio; - mutex_enter(&ipf_mutex); + READ_ENTER(&ipf_mutex); bcopy((char *)frstats, (char *)fio.f_st, sizeof(struct filterstats) * 2); fio.f_fin[0] = ipfilter[0][0]; 
@@ -238,51 +270,75 @@ int *rp; fio.f_active = fr_active; fio.f_froute[0] = ipl_frouteok[0]; fio.f_froute[1] = ipl_frouteok[1]; - mutex_exit(&ipf_mutex); + fio.f_running = fr_running; + fio.f_groups[0][0] = ipfgroups[0][0]; + fio.f_groups[0][1] = ipfgroups[0][1]; + fio.f_groups[1][0] = ipfgroups[1][0]; + fio.f_groups[1][1] = ipfgroups[1][1]; + fio.f_groups[2][0] = ipfgroups[2][0]; + fio.f_groups[2][1] = ipfgroups[2][1]; +#ifdef IPFILTER_LOG + fio.f_logging = 1; +#else + fio.f_logging = 0; +#endif + fio.f_defpass = fr_pass; + strncpy(fio.f_version, fio.f_version, + sizeof(fio.f_version)); + RWLOCK_EXIT(&ipf_mutex); IWCOPY((caddr_t)&fio, (caddr_t)data, sizeof(fio)); break; } case SIOCFRZST : if (!(mode & FWRITE)) - return EPERM; - frzerostats((caddr_t)data); + error = EPERM; + else + frzerostats((caddr_t)data); break; case SIOCIPFFL : if (!(mode & FWRITE)) - return EPERM; - IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); - mutex_enter(&ipf_mutex); - frflush(unit, &tmp); - mutex_exit(&ipf_mutex); - IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); + error = EPERM; + else { + IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); + tmp = frflush(unit, tmp); + IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); + } break; #ifdef IPFILTER_LOG case SIOCIPFFB : if (!(mode & FWRITE)) - return EPERM; - tmp = ipflog_clear(unit); - IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); + error = EPERM; + else { + tmp = ipflog_clear(unit); + IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); + } break; #endif /* IPFILTER_LOG */ case SIOCFRSYN : if (!(mode & FWRITE)) - return EPERM; - error = ipfsync(); + error = EPERM; + else + error = ipfsync(); break; case SIOCGFRST : IWCOPY((caddr_t)ipfr_fragstats(), (caddr_t)data, sizeof(ipfrstat_t)); break; case FIONREAD : + { #ifdef IPFILTER_LOG - IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data, - sizeof(iplused[IPL_LOGIPF])); + int copy = (int)iplused[IPL_LOGIPF]; + + IWCOPY((caddr_t)©, (caddr_t)data, sizeof(copy)); #endif break; + } case 
SIOCAUTHW : case SIOCAUTHR : - if (!(mode & FWRITE)) - return EPERM; + if (!(mode & FWRITE)) { + error = EPERM; + break; + } case SIOCATHST : error = fr_auth_ioctl((caddr_t)data, cmd, NULL, NULL); break; @@ -290,6 +346,7 @@ int *rp; error = EINVAL; break; } + RWLOCK_EXIT(&ipf_solaris); return error; } @@ -297,8 +354,8 @@ int *rp; ill_t *get_unit(name) char *name; { + size_t len = strlen(name) + 1; /* includes \0 */ ill_t *il; - int len = strlen(name) + 1; /* includes \0 */ for (il = ill_g_head; il; il = il->ill_next) if ((len == il->ill_name_length) && @@ -308,27 +365,8 @@ char *name; } -static void fixskip(listp, rp, addremove) -frentry_t **listp, *rp; -int addremove; -{ - frentry_t *fp; - int rules = 0, rn = 0; - - for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++) - ; - - if (!fp) - return; - - for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) - if (fp->fr_skip && (rn + fp->fr_skip >= rules)) - fp->fr_skip += addremove; -} - - static int frrequest(unit, req, data, set) -int unit; +minor_t unit; int req, set; caddr_t data; { @@ -337,24 +375,31 @@ caddr_t data; frentry_t fr; frdest_t *fdp; frgroup_t *fg = NULL; - int error = 0, in, group; + int error = 0, in; + u_int group; ill_t *ill; ipif_t *ipif; ire_t *ire; fp = &fr; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); + fp->fr_ref = 0; + WRITE_ENTER(&ipf_mutex); /* * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if (fp->fr_grhead && - fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) - return EEXIST; - if (fp->fr_group && - !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) - return ESRCH; + if ((req != SIOCZRLST) && fp->fr_grhead && + fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) { + error = EEXIST; + goto out; + } + if ((req != SIOCZRLST) && fp->fr_group && + !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL)) { + error = ESRCH; + goto out; + } in = (fp->fr_flags & FR_INQUE) ? 0 : 1; 
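Review bot: In the SIOCGETFS case `strncpy(fio.f_version, fio.f_version, sizeof(fio.f_version));` copies the field onto itself, so f_version is never filled in; because `fio` is an uninitialised stack struct that IWCOPY then hands to userland in full, those bytes (and any padding in struct friostat) are kernel stack contents leaked to the caller. Zero the struct before filling it, `bzero((char *)&fio, sizeof(fio));` ahead of the bcopy of frstats, and copy the real version string into f_version (the ipfilter version macro is not visible in this hunk, so I have not named it). frzerostats in an earlier hunk builds a `friostat_t fio` the same way, so it is worth checking whether it needs the same bzero.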
@@ -364,12 +409,18 @@ caddr_t data; ftail = fprev = &ipacct[in][set]; else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE)) ftail = fprev = &ipfilter[in][set]; - else - return ESRCH; + else { + error = ESRCH; + goto out; + } - if ((group = fp->fr_group)) { - if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL))) - return ESRCH; + group = fp->fr_group; + if (group != NULL) { + fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL); + if (fg == NULL) { + error = ESRCH; + goto out; + } ftail = fprev = fg->fg_start; } @@ -435,12 +486,15 @@ caddr_t data; * If zero'ing statistics, copy current to caller and zero. */ if (req == SIOCZRLST) { - if (!f) - return ESRCH; + if (!f) { + error = ESRCH; + goto out; + } + MUTEX_DOWNGRADE(&ipf_mutex); IWCOPY((caddr_t)f, data, sizeof(*f)); f->fr_hits = 0; f->fr_bytes = 0; - return 0; + goto out; } if (!f) { @@ -458,26 +512,32 @@ caddr_t data; if (!f) error = ESRCH; else { - if (f->fr_ref > 1) - return EBUSY; + if (f->fr_ref > 1) { + error = EBUSY; + goto out; + } if (fg && fg->fg_head) fg->fg_head->fr_ref--; - if (unit == IPL_LOGAUTH) - return fr_auth_ioctl(data, req, f, ftail); + if (unit == IPL_LOGAUTH) { + error = fr_auth_ioctl(data, req, f, ftail); + goto out; + } if (f->fr_grhead) - fr_delgroup(f->fr_grhead, fp->fr_flags, unit, - set); + fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, + unit, set); fixskip(fprev, f, -1); *ftail = f->fr_next; KFREE(f); } } else { - if (f) + if (f) { error = EEXIST; - else { - if (unit == IPL_LOGAUTH) - return fr_auth_ioctl(data, req, f, ftail); - KMALLOC(f, frentry_t *, sizeof(*f)); + } else { + if (unit == IPL_LOGAUTH) { + error = fr_auth_ioctl(data, req, f, ftail); + goto out; + } + KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) fg->fg_head->fr_ref++; 
@@ -489,12 +549,15 @@ caddr_t data; if (req == SIOCINIFR || req == SIOCINAFR) fixskip(fprev, f, 1); f->fr_grp = NULL; - if ((group = f->fr_grhead)) + group = f->fr_grhead; + if (group != NULL) fg = fr_addgroup(group, f, unit, set); } else error = ENOMEM; } } +out: + RWLOCK_EXIT(&ipf_mutex); return (error); } @@ -507,14 +570,14 @@ dev_t *devp; int flags, otype; cred_t *cred; { - u_int min = getminor(*devp); + minor_t min = getminor(*devp); #ifdef IPFDEBUG cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred); #endif - if (!(otype & OTYP_CHR)) + if ((fr_running <= 0) || !(otype & OTYP_CHR)) return ENXIO; - min = (2 < min || min < 0) ? ENXIO : 0; + min = (IPL_LOGMAX < min) ? ENXIO : 0; return min; } @@ -524,12 +587,12 @@ dev_t dev; int flags, otype; cred_t *cred; { - u_int min = getminor(dev); + minor_t min = getminor(dev); #ifdef IPFDEBUG cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred); #endif - min = (2 < min || min < 0) ? ENXIO : 0; + min = (IPL_LOGMAX < min) ? ENXIO : 0; return min; } 
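Review bot: In the delete path of frrequest the group head's reference count is dropped (`fg->fg_head->fr_ref--`) before the IPL_LOGAUTH branch hands the request to fr_auth_ioctl and jumps to out; if fr_auth_ioctl rejects the request, the rule stays in place with its head's refcount one too low, and a later successful delete can drive it below zero. Move the decrement after the auth hand-off so it only runs on the path that actually unlinks and KFREEs the rule; the add path has the mirror ordering and is fine because it only bumps the count once KMALLOC has succeeded. frrequest starts before this hunk and its `out:` label is in the following one.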
@@ -557,72 +620,76 @@ cred_t *cp; * send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ -int send_reset(iphdr, qif) +int send_reset(fin, iphdr, qif) +fr_info_t *fin; ip_t *iphdr; qif_t *qif; { - struct tcpiphdr *ti = (struct tcpiphdr *)iphdr; - struct ip *ip; - struct tcphdr *tcp; - queue_t *q = qif->qf_q; - mblk_t *m; + tcphdr_t *tcp, *tcp2; int tlen = 0; + mblk_t *m; + ip_t *ip; - if (ti->ti_flags & TH_RST) + tcp = (struct tcphdr *)fin->fin_dp; + if (tcp->th_flags & TH_RST) return -1; - if (ti->ti_flags & TH_SYN) + if (tcp->th_flags & TH_SYN) tlen = 1; - if ((m = (mblk_t *)allocb(sizeof(struct tcpiphdr), BPRI_HI)) == NULL) + if ((m = (mblk_t *)allocb(sizeof(*ip) + sizeof(*tcp),BPRI_HI)) == NULL) return -1; MTYPE(m) = M_DATA; - m->b_wptr += sizeof(struct tcpiphdr); - bzero((char *)m->b_rptr, sizeof(struct tcpiphdr)); + m->b_wptr += sizeof(*ip) + sizeof(*tcp); + bzero((char *)m->b_rptr, sizeof(*ip) + sizeof(*tcp)); ip = (ip_t *)m->b_rptr; - tcp = (struct tcphdr *)(m->b_rptr + sizeof(*ip)); - - ip->ip_src.s_addr = ti->ti_dst.s_addr; - ip->ip_dst.s_addr = ti->ti_src.s_addr; - tcp->th_dport = ti->ti_sport; - tcp->th_sport = ti->ti_dport; - tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen); - tcp->th_off = sizeof(struct tcphdr) >> 2; - tcp->th_flags = TH_RST|TH_ACK; + tcp2 = (struct tcphdr *)(m->b_rptr + sizeof(*ip)); + + ip->ip_src.s_addr = iphdr->ip_dst.s_addr; + ip->ip_dst.s_addr = iphdr->ip_src.s_addr; + tcp2->th_dport = tcp->th_sport; + tcp2->th_sport = tcp->th_dport; + tcp2->th_ack = htonl(ntohl(tcp->th_seq) + tlen); + tcp2->th_seq = tcp->th_ack; + tcp2->th_off = sizeof(struct tcphdr) >> 2; + tcp2->th_flags = TH_RST|TH_ACK; /* * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum * computation that is done by their put routine. 
*/ - tcp->th_sum = htons(0x14); + tcp2->th_sum = htons(0x14); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_v = IPVERSION; ip->ip_p = IPPROTO_TCP; - ip->ip_len = htons(sizeof(struct tcpiphdr)); - ip->ip_tos = ((struct ip *)ti)->ip_tos; + ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp)); + ip->ip_tos = iphdr->ip_tos; ip->ip_off = 0; ip->ip_ttl = 60; ip->ip_sum = 0; + RWLOCK_EXIT(&ipfs_mutex); + RWLOCK_EXIT(&ipf_solaris); ip_wput(qif->qf_ill->ill_wq, m); + READ_ENTER(&ipf_solaris); + READ_ENTER(&ipfs_mutex); return 0; } -int icmp_error(ip, type, code, qif, src) +int icmp_error(ip, type, code, qif, dst) ip_t *ip; int type, code; qif_t *qif; -struct in_addr src; +struct in_addr dst; { - queue_t *q = qif->qf_q; mblk_t *mb; struct icmp *icmp; ip_t *nip; - int sz = sizeof(*nip) + sizeof(*icmp) + 8; + u_short sz = sizeof(*nip) + sizeof(*icmp) + 8; - if ((mb = (mblk_t *)allocb(sz, BPRI_HI)) == NULL) + if ((mb = (mblk_t *)allocb((size_t)sz, BPRI_HI)) == NULL) return -1; MTYPE(mb) = M_DATA; mb->b_wptr += sz; - bzero((char *)mb->b_rptr, sz); + bzero((char *)mb->b_rptr, (size_t)sz); nip = (ip_t *)mb->b_rptr; icmp = (struct icmp *)(nip + 1); @@ -633,9 +700,13 @@ struct in_addr src; nip->ip_sum = 0; nip->ip_ttl = 60; nip->ip_tos = ip->ip_tos; - nip->ip_len = htons(sz); - nip->ip_src.s_addr = ip->ip_dst.s_addr; - nip->ip_dst.s_addr = ip->ip_src.s_addr; + nip->ip_len = (u_short)htons(sz); + if (dst.s_addr == 0) { + if (fr_ifpaddr(qif->qf_ill, &dst) == -1) + return -1; + } + nip->ip_src = dst; + nip->ip_dst = ip->ip_src; icmp->icmp_type = type; icmp->icmp_code = code; 
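Review bot: In icmp_error the new `if (fr_ifpaddr(qif->qf_ill, &dst) == -1) return -1;` runs after `mb` has been obtained from allocb and never frees it, so every ICMP error for which the interface-address lookup fails leaks a message block; free it first (`freeb(mb); return -1;`), or perform the lookup before the allocation. Both send_reset and icmp_error now release ipfs_mutex and ipf_solaris around ip_wput and re-take them afterwards (the comment in the next hunk says why); callers that keep pointers into fin, qif or the original packet across these calls need to know the filter state may change while the locks are dropped, so a one-line comment on each function stating that nothing from the caller's context is safe to use after they return would help. icmp_error's tail, including the checksum and the ip_wput call, is in the following hunk.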
@@ -643,7 +714,26 @@ struct in_addr src; bcopy((char *)ip, (char *)&icmp->icmp_ip, sizeof(*ip)); bcopy((char *)ip + (ip->ip_hl << 2), (char *)&icmp->icmp_ip + sizeof(*ip), 8); /* 64 bits */ +#ifndef sparc + ip = &icmp->icmp_ip; + { + u_short __iplen, __ipoff; + + __iplen = ip->ip_len; + __ipoff = ip->ip_len; + ip->ip_len = htons(__iplen); + ip->ip_off = htons(__ipoff); + } +#endif icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8); + /* + * Need to exit out of these so we don't recursively call rw_enter + * from fr_qout. + */ + RWLOCK_EXIT(&ipfs_mutex); + RWLOCK_EXIT(&ipf_solaris); ip_wput(qif->qf_ill->ill_wq, mb); + READ_ENTER(&ipf_solaris); + READ_ENTER(&ipfs_mutex); return 0; } diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 89a2c3b..c14c23f 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,10 +7,19 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.9 1999/10/21 14:31:09 darrenr Exp $"; #endif +#include <sys/errno.h> +#include <sys/types.h> +#include <sys/param.h> +#include <sys/file.h> +#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ + defined(_KERNEL) +# include "opt_ipfilter_log.h" +#endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) +# include <stdio.h> # include <stdlib.h> # include <string.h> #else 
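Review bot: The byte-order fix-up of the quoted IP header copies the wrong field: `__ipoff = ip->ip_len;` should be `__ipoff = ip->ip_off;`, otherwise on non-sparc builds the embedded header's fragment-offset field is overwritten with the length and the original ip_off is lost, so anything matching the ICMP error back to the offending datagram sees a corrupted header. A one-line comment on the `#ifndef sparc` block saying which hosts hand ip_len/ip_off to the filter in host order would also help, since the block otherwise reads as an unexplained platform quirk; I have not verified that assumption about Solaris/x86, so it should be stated as one. icmp_error's start is in the previous hunk.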
@@ -19,20 +28,19 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5 # include <linux/module.h> # endif #endif -#include <sys/errno.h> -#include <sys/types.h> -#include <sys/param.h> -#include <sys/file.h> #if defined(KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> +# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM) +# include "opt_ipfilter.h" +# endif #else # include <sys/ioctl.h> #endif #include <sys/time.h> #include <sys/uio.h> #ifndef linux -#include <sys/protosw.h> +# include <sys/protosw.h> #endif #include <sys/socket.h> #if defined(_KERNEL) && !defined(linux) @@ -45,14 +53,16 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5 #else # include <sys/filio.h> # include <sys/byteorder.h> -# include <sys/dditypes.h> +# ifdef _KERNEL +# include <sys/dditypes.h> +# endif # include <sys/stream.h> # include <sys/kmem.h> #endif #include <net/if.h> #ifdef sun -#include <net/af.h> +# include <net/af.h> #endif #include <net/route.h> #include <netinet/in.h> 
@@ -72,34 +82,60 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5 #include "netinet/ip_frag.h" #include "netinet/ip_proxy.h" #include "netinet/ip_state.h" +#if (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM) +# include <sys/libkern.h> +# include <sys/systm.h> +# endif +#endif + #ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) #endif #define TCP_CLOSE (TH_FIN|TH_RST) -ipstate_t *ips_table[IPSTATE_SIZE]; +ipstate_t **ips_table = NULL; int ips_num = 0; ips_stat_t ips_stats; #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) -extern kmutex_t ipf_state; +extern KRWLOCK_T ipf_state, ipf_mutex; +extern kmutex_t ipf_rw; #endif static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr, - fr_info_t *, void *, u_short, u_short)); + fr_info_t *, tcphdr_t *)); +static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *)); static int fr_state_flush __P((int)); static ips_stat_t *fr_statetstats __P((void)); +static void fr_delstate __P((ipstate_t *)); #define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */ +#define TCP_MSL 240 /* 2 minutes */ u_long fr_tcpidletimeout = FIVE_DAYS, - fr_tcpclosewait = 60, - fr_tcplastack = 20, - fr_tcptimeout = 120, + fr_tcpclosewait = 2 * TCP_MSL, + fr_tcplastack = 2 * TCP_MSL, + fr_tcptimeout = 2 * TCP_MSL, fr_tcpclosed = 1, - fr_udptimeout = 120, + fr_udptimeout = 240, fr_icmptimeout = 120; +int fr_statemax = IPSTATE_MAX, + fr_statesize = IPSTATE_SIZE; +int fr_state_doflush = 0; + + +int fr_stateinit() +{ + KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *)); + if (ips_table != NULL) + bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *)); + else + return -1; + return 0; +} static ips_stat_t *fr_statetstats() 
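Review bot: `fr_stateinit()` allocates `fr_statesize * sizeof(ipstate_t *)` without checking that `fr_statesize` is positive; it is a plain `int`, and a zero or negative value gives a zero-length or wrapped allocation here and a division by zero in every later `hv %= fr_statesize`. A guard such as `if (fr_statesize <= 0) return -1;` at the top makes the precondition explicit even if nothing in this file changes the value today. The lock declarations `extern KRWLOCK_T ipf_state, ipf_mutex;` are only visible under `SOLARIS || __sgi`, so the `WRITE_ENTER`/`RW_UPGRADE` uses below presumably expand to nothing elsewhere; a one-line comment next to that `#if` would stop readers from assuming the hash table is locked on every platform.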
@@ -127,8 +163,8 @@ int which; int delete, removed = 0; SPL_NET(s); - MUTEX_ENTER(&ipf_state); - for (i = 0; i < IPSTATE_SIZE; i++) + WRITE_ENTER(&ipf_state); + for (i = fr_statesize - 1; i >= 0; i--) for (isp = &ips_table[i]; (is = *isp); ) { delete = 0; @@ -153,16 +189,22 @@ int which; ips_stats.iss_fin++; else ips_stats.iss_expire++; + if (ips_table[i] == NULL) + ips_stats.iss_inuse--; #ifdef IPFILTER_LOG ipstate_log(is, ISL_FLUSH); #endif - KFREE(is); + fr_delstate(is); ips_num--; removed++; } else isp = &is->is_next; } - MUTEX_EXIT(&ipf_state); + if (fr_state_doflush) { + (void) fr_state_flush(1); + fr_state_doflush = 0; + } + RWLOCK_EXIT(&ipf_state); SPL_X(s); return removed; } @@ -199,7 +241,8 @@ int mode; #endif break; default : - return EINVAL; + error = EINVAL; + break; } return error; } @@ -208,21 +251,25 @@ int mode; /* * Create a new ipstate structure and hang it off the hash table. */ -int fr_addstate(ip, fin, pass) +ipstate_t *fr_addstate(ip, fin, flags) ip_t *ip; fr_info_t *fin; -u_int pass; +u_int flags; { - ipstate_t ips; - register ipstate_t *is = &ips; + register ipstate_t *is; register u_int hv; + ipstate_t ips; + u_int pass; - if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) - return -1; - if (ips_num == IPSTATE_MAX) { + if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT)) + return NULL; + if (ips_num == fr_statemax) { ips_stats.iss_max++; - return -1; + fr_state_doflush = 1; + return NULL; } + is = &ips; + bzero((char *)is, sizeof(*is)); ips.is_age = 1; ips.is_state[0] = 0; ips.is_state[1] = 0; @@ -252,9 +299,9 @@ u_int pass; is->is_icmp.ics_type = ic->icmp_type + 1; break; default : - return -1; + return NULL; } - ips_stats.iss_icmp++; + ATOMIC_INC(ips_stats.iss_icmp); is->is_age = fr_icmptimeout; break; } 
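Review bot: In the flush hunk, `if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; }` runs while this same function still holds `WRITE_ENTER(&ipf_state)`, and the recursive call begins with another `WRITE_ENTER(&ipf_state)`; where that macro is a real non-recursive rwlock this is a self-deadlock, and where it is empty it is only a redundant second pass. Move the check after `RWLOCK_EXIT(&ipf_state)`, or have the timeout path act on `fr_state_doflush` instead of the flush routine calling itself. `fr_state_doflush` is also read and cleared here without the `ipf_rw` mutex the other counters use; a stale set is harmless, but say so in a comment.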
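Review bot: `if (ips_num == fr_statemax)` in fr_addstate is evaluated before any lock is taken and compares with `==`, so two concurrent inserts can both pass the test and `ATOMIC_INC(ips_num)` past the limit, after which the equality never holds again and the cap is silently gone. `if (ips_num >= fr_statemax)` keeps the cap sticky even when it is overshot. If a strict bound matters, repeat the test under `WRITE_ENTER(&ipf_state)` just before the entry is linked into `ips_table`. fr_addstate's body continues past this hunk.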
@@ -266,66 +313,93 @@ u_int pass; * The endian of the ports doesn't matter, but the ack and * sequence numbers do as we do mathematics on them later. */ - hv += (is->is_dport = tcp->th_dport); - hv += (is->is_sport = tcp->th_sport); - is->is_seq = ntohl(tcp->th_seq); - is->is_ack = ntohl(tcp->th_ack); - is->is_swin = ntohs(tcp->th_win); - is->is_dwin = is->is_swin; /* start them the same */ - ips_stats.iss_tcp++; + is->is_dport = tcp->th_dport; + is->is_sport = tcp->th_sport; + if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) { + hv += tcp->th_dport; + hv += tcp->th_sport; + } + if (tcp->th_seq != 0) { + is->is_send = ntohl(tcp->th_seq) + ip->ip_len - + fin->fin_hlen - (tcp->th_off << 2) + + ((tcp->th_flags & TH_SYN) ? 1 : 0) + + ((tcp->th_flags & TH_FIN) ? 1 : 0); + is->is_maxsend = is->is_send + 1; + } + is->is_dend = 0; + is->is_maxswin = ntohs(tcp->th_win); + if (is->is_maxswin == 0) + is->is_maxswin = 1; /* * If we're creating state for a starting connection, start the * timer on it as we'll never see an error if it fails to * connect. 
*/ - if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) - is->is_ack = 0; /* Trumpet WinSock 'ism */ + MUTEX_ENTER(&ipf_rw); + ips_stats.iss_tcp++; fr_tcp_age(&is->is_age, is->is_state, ip, fin, tcp->th_sport == is->is_sport); + MUTEX_EXIT(&ipf_rw); break; } case IPPROTO_UDP : { register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; - hv += (is->is_dport = tcp->th_dport); - hv += (is->is_sport = tcp->th_sport); - ips_stats.iss_udp++; + if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) { + hv += (is->is_dport = tcp->th_dport); + hv += (is->is_sport = tcp->th_sport); + } + ATOMIC_INC(ips_stats.iss_udp); is->is_age = fr_udptimeout; break; } default : - return -1; + return NULL; } - KMALLOC(is, ipstate_t *, sizeof(*is)); + KMALLOC(is, ipstate_t *); if (is == NULL) { - ips_stats.iss_nomem++; - return -1; + ATOMIC_INC(ips_stats.iss_nomem); + return NULL; } bcopy((char *)&ips, (char *)is, sizeof(*is)); - hv %= IPSTATE_SIZE; - MUTEX_ENTER(&ipf_state); - + hv %= fr_statesize; + RW_UPGRADE(&ipf_mutex); + is->is_rule = fin->fin_fr; + if (is->is_rule != NULL) { + is->is_rule->fr_ref++; + pass = is->is_rule->fr_flags; + } else + pass = fr_flags; + MUTEX_DOWNGRADE(&ipf_mutex); + WRITE_ENTER(&ipf_state); + + is->is_rout = pass & FR_OUTQUE ? 1 : 0; is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; /* - * Copy these from the rule itself. + * We want to check everything that is a property of this packet, + * but we don't (automatically) care about it's fragment status as + * this may change. 
*/ - is->is_opt = fin->fin_fr->fr_ip.fi_optmsk; - is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk; - is->is_sec = fin->fin_fr->fr_ip.fi_secmsk; - is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk; - is->is_auth = fin->fin_fr->fr_ip.fi_auth; - is->is_authmsk = fin->fin_fr->fr_mip.fi_auth; - is->is_flags = fin->fin_fr->fr_ip.fi_fl; - is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4; + is->is_opt = fin->fin_fi.fi_optmsk; + is->is_optmsk = 0xffffffff; + is->is_sec = fin->fin_fi.fi_secmsk; + is->is_secmsk = 0xffff; + is->is_auth = fin->fin_fi.fi_auth; + is->is_authmsk = 0xffff; + is->is_flags = fin->fin_fi.fi_fl & FI_CMP; + is->is_flags |= FI_CMP << 4; + is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT); /* * add into table. */ is->is_next = ips_table[hv]; ips_table[hv] = is; + if (is->is_next == NULL) + ips_stats.iss_inuse++; if (fin->fin_out) { is->is_ifpin = NULL; is->is_ifpout = fin->fin_ifp; @@ -335,17 +409,19 @@ u_int pass; } if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); - ips_num++; + ATOMIC_INC(ips_num); #ifdef IPFILTER_LOG ipstate_log(is, ISL_NEW); #endif - MUTEX_EXIT(&ipf_state); + RWLOCK_EXIT(&ipf_state); + fin->fin_rev = (is->is_dst.s_addr != ip->ip_dst.s_addr); if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); - return 0; + return is; } + /* * check to see if a packet with TCP headers fits within the TCP window. * change timeout depending on whether new packet is a SYN-ACK returning for a 
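Review bot: The guard `if (tcp->th_seq != 0)` in the TCP branch of fr_addstate uses an ISN of 0 as an "unknown" marker, so for a legal initial sequence number of 0 the entry keeps the zero `is_send`/`is_maxsend` left by the bzero; fr_tcpstate then sees `td_end == 0`, treats that direction as unseeded, and accepts whatever sequence the next packet carries, i.e. the window check is skipped once for that session. If that is acceptable it deserves a comment here such as `/* seq 0 is treated as unknown; the next packet re-seeds the window */`; otherwise an explicit seeded bit in is_flags avoids overloading the value. Also `is->is_rule->fr_ref++` is taken under the upgraded ipf_mutex while the matching release in fr_delstate is an ATOMIC_DEC followed by a separate zero test, and the two should follow the same discipline. fr_addstate begins before this hunk.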
@@ -357,168 +433,337 @@ fr_info_t *fin; ip_t *ip; tcphdr_t *tcp; { - register int seqskew, ackskew; - register u_short swin, dwin; - register tcp_seq seq, ack; + register tcp_seq seq, ack, end; + register int ackskew; + tcpdata_t *fdata, *tdata; + u_short win, maxwin; + int ret = 0; int source; /* * Find difference between last checked packet and this packet. */ + source = (ip->ip_src.s_addr == is->is_src.s_addr); + fdata = &is->is_tcp.ts_data[!source]; + tdata = &is->is_tcp.ts_data[source]; seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); - source = (ip->ip_src.s_addr == is->is_src.s_addr); - - if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */ - ack = source ? is->is_ack : is->is_seq; + win = ntohs(tcp->th_win); + end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + + ((tcp->th_flags & TH_SYN) ? 1 : 0) + + ((tcp->th_flags & TH_FIN) ? 1 : 0); - if (source) { - if (!is->is_seq) - /* - * Must be an outgoing SYN-ACK in reply to a SYN. - */ - is->is_seq = seq; - seqskew = seq - is->is_seq; - ackskew = ack - is->is_ack; - } else { - if (!is->is_ack) - /* - * Must be a SYN-ACK in reply to a SYN. - */ - is->is_ack = seq; - ackskew = seq - is->is_ack; - seqskew = ack - is->is_seq; + if (fdata->td_end == 0) { + /* + * Must be a (outgoing) SYN-ACK in reply to a SYN. + */ + fdata->td_end = end; + fdata->td_maxwin = 1; + fdata->td_maxend = end + 1; } - /* - * Make skew values absolute - */ - if (seqskew < 0) - seqskew = -seqskew; - if (ackskew < 0) - ackskew = -ackskew; - - /* - * If the difference in sequence and ack numbers is within the - * window size of the connection, store these values and match - * the packet. 
- */ - if (source) { - swin = is->is_swin; - dwin = is->is_dwin; - } else { - dwin = is->is_swin; - swin = is->is_dwin; + if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ + ack = tdata->td_end; + win = 1; + } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) && + (ack == 0)) { + /* gross hack to get around certain broken tcp stacks */ + ack = tdata->td_end; } - if ((seqskew <= dwin) && (ackskew <= swin)) { - if (source) { - is->is_seq = seq; - is->is_ack = ack; - is->is_swin = ntohs(tcp->th_win); - } else { - is->is_seq = ack; - is->is_ack = seq; - is->is_dwin = ntohs(tcp->th_win); + if (seq == end) + seq = end = fdata->td_end; + + maxwin = tdata->td_maxwin; + ackskew = tdata->td_end - ack; + +#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) +#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) + if ((SEQ_GE(fdata->td_maxend, end)) && + (SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) && +/* XXX what about big packets */ +#define MAXACKWINDOW 66000 + (ackskew >= -MAXACKWINDOW) && + (ackskew <= MAXACKWINDOW)) { + /* if ackskew < 0 then this should be due to fragented + * packets. There is no way to know the length of the + * total packet in advance. + * We do know the total length from the fragment cache though. + * Note however that there might be more sessions with + * exactly the same source and destination paramters in the + * state cache (and source and destination is the only stuff + * that is saved in the fragment cache). Note further that + * some TCP connections in the state cache are hashed with + * sport and dport as well which makes it not worthwhile to + * look for them. + * Thus, when ackskew is negative but still seems to belong + * to this session, we bump up the destinations end value. 
+ */ + if (ackskew < 0) + tdata->td_end = ack; + + /* update max window seen */ + if (fdata->td_maxwin < win) + fdata->td_maxwin = win; + if (SEQ_GT(end, fdata->td_end)) + fdata->td_end = end; + if (SEQ_GE(ack + win, tdata->td_maxend)) { + tdata->td_maxend = ack + win; + if (win == 0) + tdata->td_maxend++; } - ips_stats.iss_hits++; + + ATOMIC_INC(ips_stats.iss_hits); is->is_pkts++; is->is_bytes += ip->ip_len; /* * Nearing end of connection, start timeout. */ + MUTEX_ENTER(&ipf_rw); fr_tcp_age(&is->is_age, is->is_state, ip, fin, source); - return 1; + MUTEX_EXIT(&ipf_rw); + ret = 1; } - return 0; + return ret; } -static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp) +static int fr_matchsrcdst(is, src, dst, fin, tcp) ipstate_t *is; struct in_addr src, dst; fr_info_t *fin; -void *tcp; -u_short sp, dp; +tcphdr_t *tcp; { - int ret = 0, rev, out; + int ret = 0, rev, out, flags; + u_short sp, dp; void *ifp; - rev = (is->is_dst.s_addr != dst.s_addr); + rev = fin->fin_rev = (is->is_dst.s_addr != dst.s_addr); ifp = fin->fin_ifp; out = fin->fin_out; - if (!rev) { - if (out) { - if (!is->is_ifpout) - is->is_ifpout = ifp; + if (tcp != NULL) { + flags = is->is_flags; + sp = tcp->th_sport; + dp = tcp->th_dport; + } else { + flags = 0; + sp = 0; + dp = 0; + } + + if (rev == 0) { + if (!out) { + if (is->is_ifpin == ifp) + ret = 1; } else { - if (!is->is_ifpin) - is->is_ifpin = ifp; + if (is->is_ifpout == NULL || is->is_ifpout == ifp) + ret = 1; } } else { if (out) { - if (!is->is_ifpin) - is->is_ifpin = ifp; + if (is->is_ifpin == ifp) + ret = 1; } else { - if (!is->is_ifpout) - is->is_ifpout = ifp; + if (is->is_ifpout == NULL || is->is_ifpout == ifp) + ret = 1; } } + if (ret == 0) + return 0; + ret = 0; - if (!rev) { - if (((out && is->is_ifpout == ifp) || - (!out && is->is_ifpin == ifp)) && - (is->is_dst.s_addr == dst.s_addr) && + if (rev == 0) { + if ((is->is_dst.s_addr == dst.s_addr) && (is->is_src.s_addr == src.s_addr) && - (!tcp || (sp == is->is_sport) && - (dp == 
is->is_dport))) { + (!tcp || ((sp == is->is_sport || flags & FI_W_SPORT) && + (dp == is->is_dport || flags & FI_W_DPORT)))) { ret = 1; } } else { - if (((out && is->is_ifpin == ifp) || - (!out && is->is_ifpout == ifp)) && - (is->is_dst.s_addr == src.s_addr) && + if ((is->is_dst.s_addr == src.s_addr) && (is->is_src.s_addr == dst.s_addr) && - (!tcp || (sp == is->is_dport) && - (dp == is->is_sport))) { + (!tcp || ((sp == is->is_dport || flags & FI_W_DPORT) && + (dp == is->is_sport || flags & FI_W_SPORT)))) { ret = 1; } } + if (ret == 0) + return 0; /* * Whether or not this should be here, is questionable, but the aim * is to get this out of the main line. */ - if (ret) { - if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) || - ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) || - ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) || - ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) != - (is->is_flags & 0xf))) - ret = 0; + if (tcp == NULL) + flags = is->is_flags & (FI_CMP|(FI_CMP<<4)); + + if (((fin->fin_fi.fi_fl & (flags >> 4)) != (flags & FI_CMP)) || + ((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) || + ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) || + ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth)) + return 0; + + if ((flags & (FI_W_SPORT|FI_W_DPORT))) { + if ((flags & FI_W_SPORT) != 0) { + if (rev == 0) { + is->is_sport = sp; + is->is_send = htonl(tcp->th_seq); + } else { + is->is_sport = dp; + is->is_send = htonl(tcp->th_ack); + } + is->is_maxsend = is->is_send + 1; + } else if ((flags & FI_W_DPORT) != 0) { + if (rev == 0) { + is->is_dport = dp; + is->is_dend = htonl(tcp->th_ack); + } else { + is->is_dport = sp; + is->is_dend = htonl(tcp->th_seq); + } + is->is_maxdend = is->is_dend + 1; + } + is->is_flags &= ~(FI_W_SPORT|FI_W_DPORT); } - return ret; + + if (!rev) { + if (out && (out == is->is_rout)) { + if (!is->is_ifpout) + is->is_ifpout = ifp; + } else { + if (!is->is_ifpin) + is->is_ifpin = ifp; + } + } else { + if 
(!out && (out != is->is_rout)) { + if (!is->is_ifpin) + is->is_ifpin = ifp; + } else { + if (!is->is_ifpout) + is->is_ifpout = ifp; + } + } + return 1; } +frentry_t *fr_checkicmpmatchingstate(ip, fin) +ip_t *ip; +fr_info_t *fin; +{ + register struct in_addr dst, src; + register ipstate_t *is, **isp; + register u_short sport, dport; + register u_char pr; + struct icmp *ic; + fr_info_t ofin; + u_int hv, dest; + tcphdr_t *tcp; + frentry_t *fr; + ip_t *oip; + int type; + + /* + * Does it at least have the return (basic) IP header ? + * Only a basic IP header (no options) should be with + * an ICMP error header. + */ + if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN)) + return NULL; + ic = (struct icmp *)((char *)ip + fin->fin_hlen); + type = ic->icmp_type; + /* + * If it's not an error type, then return + */ + if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) && + (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) && + (type != ICMP_PARAMPROB)) + return NULL; + + oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN); + if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) + return NULL; + if ((oip->ip_p != IPPROTO_TCP) && (oip->ip_p != IPPROTO_UDP)) + return NULL; + + tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); + dport = tcp->th_dport; + sport = tcp->th_sport; + + hv = (pr = oip->ip_p); + hv += (src.s_addr = oip->ip_src.s_addr); + hv += (dst.s_addr = oip->ip_dst.s_addr); + hv += dport; + hv += sport; + hv %= fr_statesize; + /* + * we make an fin entry to be able to feed it to + * matchsrcdst note that not all fields are encessary + * but this is the cleanest way. Note further we fill + * in fin_mp such that if someone uses it we'll get + * a kernel panic. fr_matchsrcdst does not use this. + * + * watch out here, as ip is in host order and oip in network + * order. Any change we make must be undone afterwards. 
+ */ + oip->ip_len = ntohs(oip->ip_len); + fr_makefrip(oip->ip_hl << 2, oip, &ofin); + oip->ip_len = htons(oip->ip_len); + ofin.fin_ifp = fin->fin_ifp; + ofin.fin_out = !fin->fin_out; + ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ + READ_ENTER(&ipf_state); + for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) { + /* + * Only allow this icmp though if the + * encapsulated packet was allowed through the + * other way around. Note that the minimal amount + * of info present does not allow for checking against + * tcp internals such as seq and ack numbers. + */ + if ((is->is_p == pr) && + fr_matchsrcdst(is, src, dst, &ofin, tcp)) { + fr = is->is_rule; + ips_stats.iss_hits++; + /* + * we must swap src and dst here because the icmp + * comes the other way around + */ + dest = (is->is_dst.s_addr != src.s_addr); + is->is_pkts++; + is->is_bytes += ip->ip_len; + /* + * we deliberately do not touch the timeouts + * for the accompanying state table entry. + * It remains to be seen if that is correct. XXX + */ + RWLOCK_EXIT(&ipf_state); + return fr; + } + } + RWLOCK_EXIT(&ipf_state); + return NULL; +} /* * Check if a packet has a registered state. */ -int fr_checkstate(ip, fin) +frentry_t *fr_checkstate(ip, fin) ip_t *ip; fr_info_t *fin; { register struct in_addr dst, src; register ipstate_t *is, **isp; register u_char pr; + u_int hv, hvm, hlen, tryagain, pass; struct icmp *ic; + frentry_t *fr; tcphdr_t *tcp; - u_int hv, hlen, pass; - if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) - return 0; + if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT)) + return NULL; + is = NULL; hlen = fin->fin_hlen; tcp = (tcphdr_t *)((char *)ip + hlen); ic = (struct icmp *)tcp; 
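Review bot: In fr_checkicmpmatchingstate the inner-header size check `if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))` does not reject an embedded header with `ip_hl < 5`: the adjustment goes negative, the check gets looser, and `tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2))` then points inside the inner IP header, so the "ports" compared against the state table are really address bytes. Adding `(oip->ip_hl < 5) ||` to that condition closes it. The matched entry is then updated (`is->is_pkts++`, `is->is_bytes += ip->ip_len`, `ips_stats.iss_hits++`) under only `READ_ENTER(&ipf_state)`, whereas fr_checkstate wraps the same updates in `MUTEX_ENTER(&ipf_rw)`; the two paths should agree. Note also that the 8 embedded transport bytes include `th_seq`, so a check against the stored window is possible here even though the comment says only addresses and ports can be verified. fr_checkstate, which starts at the end of this hunk, continues past it.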
@@ -534,86 +779,134 @@ fr_info_t *fin; case IPPROTO_ICMP : hv += ic->icmp_id; hv += ic->icmp_seq; - hv %= IPSTATE_SIZE; - MUTEX_ENTER(&ipf_state); + hv %= fr_statesize; + READ_ENTER(&ipf_state); for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && - fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) { - if (is->is_icmp.ics_type != ic->icmp_type) + fr_matchsrcdst(is, src, dst, fin, NULL)) { + if ((is->is_type == ICMP_ECHOREPLY) && + (ic->icmp_type == ICMP_ECHO)) + ; + else if (is->is_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; - is->is_pkts++; - is->is_bytes += ip->ip_len; - ips_stats.iss_hits++; - pass = is->is_pass; - MUTEX_EXIT(&ipf_state); - return pass; + break; } - MUTEX_EXIT(&ipf_state); + if (is != NULL) + break; + RWLOCK_EXIT(&ipf_state); + /* + * No matching icmp state entry. Perhaps this is a + * response to another state entry. + */ + fr = fr_checkicmpmatchingstate(ip, fin); + if (fr) + return fr; break; case IPPROTO_TCP : { register u_short dport = tcp->th_dport, sport = tcp->th_sport; - hv += dport; - hv += sport; - hv %= IPSTATE_SIZE; - MUTEX_ENTER(&ipf_state); - for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) + tryagain = 0; +retry_tcp: + hvm = hv % fr_statesize; + WRITE_ENTER(&ipf_state); + for (isp = &ips_table[hvm]; (is = *isp); + isp = &is->is_next) if ((is->is_p == pr) && - fr_matchsrcdst(is, src, dst, fin, tcp, - sport, dport)) { + fr_matchsrcdst(is, src, dst, fin, tcp)) { if (fr_tcpstate(is, fin, ip, tcp)) { - pass = is->is_pass; -#ifdef _KERNEL - MUTEX_EXIT(&ipf_state); -#else - + break; +#ifndef _KERNEL if (tcp->th_flags & TCP_CLOSE) { *isp = is->is_next; - isp = &ips_table[hv]; - KFREE(is); + isp = &ips_table[hvm]; + if (ips_table[hvm] == NULL) + ips_stats.iss_inuse--; + fr_delstate(is); + ips_num--; } #endif - return pass; + break; } + is = NULL; + break; } - MUTEX_EXIT(&ipf_state); + if (is != NULL) + 
break; + RWLOCK_EXIT(&ipf_state); + hv += dport; + hv += sport; + if (tryagain == 0) { + tryagain = 1; + goto retry_tcp; + } break; } case IPPROTO_UDP : { register u_short dport = tcp->th_dport, sport = tcp->th_sport; - hv += dport; - hv += sport; - hv %= IPSTATE_SIZE; + tryagain = 0; +retry_udp: + hvm = hv % fr_statesize; /* * Nothing else to match on but ports. and IP#'s */ - MUTEX_ENTER(&ipf_state); - for (is = ips_table[hv]; is; is = is->is_next) + READ_ENTER(&ipf_state); + for (is = ips_table[hvm]; is; is = is->is_next) if ((is->is_p == pr) && - fr_matchsrcdst(is, src, dst, fin, - tcp, sport, dport)) { - ips_stats.iss_hits++; - is->is_pkts++; - is->is_bytes += ip->ip_len; + fr_matchsrcdst(is, src, dst, fin, tcp)) { is->is_age = fr_udptimeout; - pass = is->is_pass; - MUTEX_EXIT(&ipf_state); - return pass; + break; } - MUTEX_EXIT(&ipf_state); + if (is != NULL) + break; + RWLOCK_EXIT(&ipf_state); + hv += dport; + hv += sport; + if (tryagain == 0) { + tryagain = 1; + goto retry_udp; + } break; } default : break; } - ips_stats.iss_miss++; - return 0; + if (is == NULL) { + ATOMIC_INC(ips_stats.iss_miss); + return NULL; + } + MUTEX_ENTER(&ipf_rw); + is->is_bytes += ip->ip_len; + ips_stats.iss_hits++; + is->is_pkts++; + MUTEX_EXIT(&ipf_rw); + fr = is->is_rule; + fin->fin_fr = fr; + pass = is->is_pass; + RWLOCK_EXIT(&ipf_state); + if (fin->fin_fi.fi_fl & FI_FRAG) + ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + return fr; +} + + +static void fr_delstate(is) +ipstate_t *is; +{ + frentry_t *fr; + + fr = is->is_rule; + if (fr != NULL) { + ATOMIC_DEC(fr->fr_ref); + if (fr->fr_ref == 0) + KFREE(fr); + } + KFREE(is); } 
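Review bot: In the TCP case the added `break;` sits immediately before the `#ifndef _KERNEL` block, so the userland removal of a closed session (`if (tcp->th_flags & TCP_CLOSE) { ... fr_delstate(is); ips_num--; }`) can never execute. That is fortunate, because if it did run `is` would be freed and then dereferenced after the switch at `is->is_bytes += ip->ip_len`; either delete the dead block or move the close handling after the counter update and `pass = is->is_pass`. In fr_delstate, `ATOMIC_DEC(fr->fr_ref); if (fr->fr_ref == 0) KFREE(fr);` re-reads the counter after the atomic decrement, so unless every caller holds the same lock two concurrent releases can both miss zero (leak) or both observe it (double free) — presumably a lock covers this, but the macro definition should be checked.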
@@ -625,13 +918,18 @@ void fr_stateunload() register int i; register ipstate_t *is, **isp; - MUTEX_ENTER(&ipf_state); - for (i = 0; i < IPSTATE_SIZE; i++) + WRITE_ENTER(&ipf_state); + for (i = fr_statesize - 1; i >= 0; i--) for (isp = &ips_table[i]; (is = *isp); ) { *isp = is->is_next; - KFREE(is); + fr_delstate(is); + ips_num--; } - MUTEX_EXIT(&ipf_state); + ips_stats.iss_inuse = 0; + ips_num = 0; + RWLOCK_EXIT(&ipf_state); + KFREES(ips_table, fr_statesize * sizeof(ipstate_t *)); + ips_table = NULL; } @@ -648,8 +946,8 @@ void fr_timeoutstate() #endif SPL_NET(s); - MUTEX_ENTER(&ipf_state); - for (i = 0; i < IPSTATE_SIZE; i++) + WRITE_ENTER(&ipf_state); + for (i = fr_statesize - 1; i >= 0; i--) for (isp = &ips_table[i]; (is = *isp); ) if (is->is_age && !--is->is_age) { *isp = is->is_next; @@ -657,14 +955,16 @@ void fr_timeoutstate() ips_stats.iss_fin++; else ips_stats.iss_expire++; + if (ips_table[i] == NULL) + ips_stats.iss_inuse--; #ifdef IPFILTER_LOG ipstate_log(is, ISL_EXPIRE); #endif - KFREE(is); + fr_delstate(is); ips_num--; } else isp = &is->is_next; - MUTEX_EXIT(&ipf_state); + RWLOCK_EXIT(&ipf_state); SPL_X(s); } 
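Review bot: fr_stateunload now indexes `ips_table[i]` and then calls `KFREES(ips_table, ...)` without checking that `ips_table` is non-NULL; if fr_stateinit failed (it returns -1 and leaves the pointer NULL) or unload runs twice, this dereferences NULL under the write lock and then frees it. Guarding the body with `if (ips_table == NULL) return;` makes the teardown safe to call unconditionally from the detach path. In fr_timeoutstate, `if (ips_table[i] == NULL) ips_stats.iss_inuse--;` relies on the `*isp = is->is_next;` unlink in the preceding hunk having already run; a short comment saying the bucket is tested after unlinking would help.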
@@ -703,23 +1003,29 @@ int dir; switch(state[dir]) { - case TCPS_FIN_WAIT_2: case TCPS_CLOSED: + if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) { + state[dir] = TCPS_ESTABLISHED; + *age = fr_tcpidletimeout; + } + case TCPS_FIN_WAIT_2: if ((flags & TH_OPENING) == TH_OPENING) state[dir] = TCPS_SYN_RECEIVED; else if (flags & TH_SYN) state[dir] = TCPS_SYN_SENT; break; case TCPS_SYN_RECEIVED: - if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) { - state[dir] = TCPS_ESTABLISHED; - *age = fr_tcpidletimeout; - } - break; case TCPS_SYN_SENT: if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) { state[dir] = TCPS_ESTABLISHED; *age = fr_tcpidletimeout; + } else if ((flags & (TH_FIN|TH_ACK)) == (TH_FIN|TH_ACK)) { + state[dir] = TCPS_CLOSE_WAIT; + if (!(flags & TH_PUSH) && !dlen && + ostate > TCPS_ESTABLISHED) + *age = fr_tcplastack; + else + *age = fr_tcpclosewait; } break; case TCPS_ESTABLISHED: @@ -730,8 +1036,10 @@ int dir; *age = fr_tcplastack; else *age = fr_tcpclosewait; - } else - *age = fr_tcpidletimeout; + } else { + if (ostate < TCPS_CLOSE_WAIT) + *age = fr_tcpidletimeout; + } break; case TCPS_CLOSE_WAIT: if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen && @@ -760,23 +1068,27 @@ int dir; #ifdef IPFILTER_LOG void ipstate_log(is, type) struct ipstate *is; -u_short type; +u_int type; { struct ipslog ipsl; void *items[1]; size_t sizes[1]; int types[1]; + ipsl.isl_type = type; ipsl.isl_pkts = is->is_pkts; ipsl.isl_bytes = is->is_bytes; ipsl.isl_src = is->is_src; ipsl.isl_dst = is->is_dst; ipsl.isl_p = is->is_p; ipsl.isl_flags = is->is_flags; - ipsl.isl_type = type; if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { ipsl.isl_sport = is->is_sport; ipsl.isl_dport = is->is_dport; + if (ipsl.isl_p == IPPROTO_TCP) { + ipsl.isl_state[0] = is->is_state[0]; + ipsl.isl_state[1] = is->is_state[1]; + } } else if (ipsl.isl_p == IPPROTO_ICMP) ipsl.isl_itype = is->is_icmp.ics_type; else { 
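Review bot: In fr_tcp_age the new `case TCPS_CLOSED:` body has no `break` and falls into `case TCPS_FIN_WAIT_2:`; with a bare ACK the SYN tests there do not fire, so it is harmless today, but it needs a `/* FALLTHROUGH */` comment so a later edit to FIN_WAIT_2 does not silently apply to CLOSED as well. The behaviour itself is security-relevant: a bare ACK (`(flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK`) now promotes a CLOSED direction straight to ESTABLISHED with `fr_tcpidletimeout`, so any ACK that passes the window check re-arms a dying entry for the long idle timeout. If that is intended to pick up connections mid-stream, say so in a comment above the case, since nothing else in the hunk explains it.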
@@ -787,6 +1099,6 @@ u_short type; sizes[0] = sizeof(ipsl); types[0] = 0; - (void) ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1); + (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1); } #endif diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h index f2ae94b..ae8b5c1 100644 --- a/contrib/ipfilter/ip_state.h +++ b/contrib/ipfilter/ip_state.h @@ -1,12 +1,12 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $ + * $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -31,13 +31,16 @@ typedef struct icmpstate { u_char ics_type; } icmpstate_t; +typedef struct tcpdata { + u_32_t td_end; + u_32_t td_maxend; + u_short td_maxwin; +} tcpdata_t; + typedef struct tcpstate { u_short ts_sport; u_short ts_dport; - u_long ts_seq; - u_long ts_ack; - u_short ts_swin; - u_short ts_dwin; + tcpdata_t ts_data[2]; u_char ts_state[2]; } tcpstate_t; @@ -49,16 +52,18 @@ typedef struct ipstate { U_QUAD_T is_bytes; void *is_ifpin; void *is_ifpout; + frentry_t *is_rule; struct in_addr is_src; struct in_addr is_dst; - u_char is_p; - u_char is_flags; - u_32_t is_opt; - u_32_t is_optmsk; - u_short is_sec; - u_short is_secmsk; - u_short is_auth; - u_short is_authmsk; + u_char is_p; /* Protocol */ + u_char is_rout; /* Is rule in/out ? */ + u_32_t is_flags; + u_32_t is_opt; /* packet options set */ + u_32_t is_optmsk; /* " " mask */ + u_short is_sec; /* security options set */ + u_short is_secmsk; /* " " mask */ + u_short is_auth; /* authentication options set */ + u_short is_authmsk; /* " " mask */ union { icmpstate_t is_ics; tcpstate_t is_ts; 
@@ -67,17 +72,29 @@ typedef struct ipstate { } ipstate_t; #define is_icmp is_ps.is_ics +#define is_type is_icmp.ics_type +#define is_code is_icmp.ics_code #define is_tcp is_ps.is_ts #define is_udp is_ps.is_us -#define is_seq is_tcp.ts_seq -#define is_ack is_tcp.ts_ack -#define is_dwin is_tcp.ts_dwin -#define is_swin is_tcp.ts_swin +#define is_send is_tcp.ts_data[0].td_end +#define is_dend is_tcp.ts_data[1].td_end +#define is_maxswin is_tcp.ts_data[0].td_maxwin +#define is_maxdwin is_tcp.ts_data[1].td_maxwin +#define is_maxsend is_tcp.ts_data[0].td_maxend +#define is_maxdend is_tcp.ts_data[1].td_maxend #define is_sport is_tcp.ts_sport #define is_dport is_tcp.ts_dport #define is_state is_tcp.ts_state #define TH_OPENING (TH_SYN|TH_ACK) +/* + * is_flags: + * Bits 0 - 3 are use as a mask with the current packet's bits to check for + * whether it is short, tcp/udp, a fragment or the presence of IP options. + * Bits 4 - 7 are set from the initial packet and contain what the packet + * anded with bits 0-3 must match. + * Bits 8,9 are used to indicate wildcard source/destination port matching. + */ typedef struct ipslog { @@ -87,6 +104,7 @@ typedef struct ipslog { struct in_addr isl_dst; u_char isl_p; u_char isl_flags; + u_char isl_state[2]; u_short isl_type; union { u_short isl_filler[2]; @@ -117,6 +135,7 @@ typedef struct ips_stat { u_long iss_active; u_long iss_logged; u_long iss_logfail; + u_long iss_inuse; ipstate_t **iss_table; } ips_stat_t; 
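Review bot: The ipslog hunk keeps `u_char isl_flags;` while `is_flags` in ipstate has been widened to `u_32_t` with the new wildcard bits 8 and 9 described in the comment above, so `ipsl.isl_flags = is->is_flags` in ipstate_log silently truncates and the log never records that an entry was created with a wildcard port. Either widen `isl_flags` or mask explicitly with `ipsl.isl_flags = is->is_flags & 0xff;` and a comment saying the wildcard bits are intentionally dropped. Inserting `u_char isl_state[2];` before `isl_type` also shifts every later field of `struct ipslog`, so any consumer of IPL_LOGSTATE records built against the old header (presumably ipmon) will misparse them; a size or version note on the struct would make that explicit.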
@@ -128,13 +147,14 @@ extern u_long fr_tcptimeout; extern u_long fr_tcpclosed; extern u_long fr_udptimeout; extern u_long fr_icmptimeout; +extern int fr_stateinit __P((void)); extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *)); -extern int fr_addstate __P((ip_t *, fr_info_t *, u_int)); -extern int fr_checkstate __P((ip_t *, fr_info_t *)); +extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int)); +extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_stateunload __P((void)); -extern void ipstate_log __P((struct ipstate *, u_short)); +extern void ipstate_log __P((struct ipstate *, u_int)); #if defined(__NetBSD__) || defined(__OpenBSD__) extern int fr_state_ioctl __P((caddr_t, u_long, int)); #else diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index 2850019..a20852d 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -36,14 +36,16 @@ #include <resolv.h> #include "ip_compat.h" #include "ip_fil.h" +#include "ip_nat.h" +#include "ip_state.h" #include "ipf.h" +#include "ipl.h" #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.2 1999/08/06 15:26:08 darrenr Exp $"; #endif -static void frsync __P((void)); #if SOLARIS static void blockunknown __P((void)); #endif @@ -53,6 +55,7 @@ extern char *index __P((const char *, int)); extern char *optarg; +void frsync __P((void)); void zerostats __P((void)); int main __P((int, char *[])); 
@@ -67,6 +70,18 @@ static int opendevice __P((char *)); static void closedevice __P((void)); static char *getline __P((char *, size_t, FILE *)); static char *ipfname = IPL_NAME; +static void usage __P((void)); +static void showversion __P((void)); +static int get_flags __P((void)); + + +static void usage() +{ + fprintf(stderr, "usage: ipf [-AdDEInoPrsUvVyzZ] %s %s %s\n", + "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); + exit(1); +} + int main(argc,argv) int argc; @@ -74,9 +89,11 @@ char *argv[]; { int c; - while ((c = getopt(argc, argv, "AdDEf:F:Il:noPrsUvyzZ")) != -1) { + while ((c = getopt(argc, argv, "AdDEf:F:Il:noPrsUvVyzZ")) != -1) { switch (c) { + case '?' : + usage(); case 'A' : opts &= ~OPT_INACTIVE; break; @@ -124,6 +141,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'V' : + showversion(); + break; case 'y' : frsync(); break; @@ -168,6 +188,18 @@ static void closedevice() } +static int get_flags() +{ + int i; + + if ((opendevice(ipfname) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) { + perror("SIOCFRENB"); + return 0; + } + return i; +} + + static void set_state(enable) u_int enable; { @@ -183,13 +215,17 @@ char *name, *file; FILE *fp; char line[513], *s; struct frentry *fr; - u_int add = SIOCADAFR, del = SIOCRMAFR; + u_int add, del; + int linenum = 0; (void) opendevice(ipfname); if (opts & OPT_INACTIVE) { add = SIOCADIFR; del = SIOCRMIFR; + } else { + add = SIOCADAFR; + del = SIOCRMAFR; } if (opts & OPT_DEBUG) printf("add %x del %x\n", add, del); @@ -205,6 +241,7 @@ char *name, *file; } while (getline(line, sizeof(line), fp)) { + linenum++; /* * treat CR as EOL. LF is converted to NUL by getline(). */ @@ -222,7 +259,7 @@ char *name, *file; if (opts & OPT_VERBOSE) (void)fprintf(stderr, "[%s]\n", line); - fr = parse(line); + fr = parse(line, linenum); (void)fflush(stdout); if (fr) { 
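Review bot: `get_flags()` returns `i` uninitialized whenever `opendevice(ipfname)` returns -2, because the `&&` short-circuits before the ioctl stores into it; declare it `int i = 0;` so the no-device path reports no flags rather than stack garbage. The failure message `perror("SIOCFRENB")` names the wrong ioctl — the call is `SIOCGETFF`, so `perror("ioctl(SIOCGETFF)")` matches the other messages in this file. Returning 0 for both "no flags set" and "ioctl failed" also means callers cannot tell the two apart; if that matters, return -1 on error and test for it in the callers.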
@@ -309,13 +346,12 @@ FILE *file; static void packetlogon(opt) char *opt; { - int err, flag = 0; + int flag, err; - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - if ((err = ioctl(fd, SIOCGETFF, &flag))) - perror("ioctl(SIOCGETFF)"); - - printf("log flag is currently %#x\n", flag); + err = get_flags(); + if (err != 0) { + if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) + printf("log flag is currently %#x\n", flag); } flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK); @@ -340,9 +376,7 @@ char *opt; perror("ioctl(SIOCSETFF)"); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - if ((err = ioctl(fd, SIOCGETFF, &flag))) - perror("ioctl(SIOCGETFF)"); - + flag = get_flags(); printf("log flag is now %#x\n", flag); } } @@ -404,7 +438,7 @@ static void swapactive() } -static void frsync() +void frsync() { int frsyn = 0; @@ -465,17 +499,14 @@ friostat_t *fp; #if SOLARIS static void blockunknown() { - int flag; + u_32_t flag; if (opendevice(ipfname) == -1) return; - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - if (ioctl(fd, SIOCGETFF, &flag)) - perror("ioctl(SIOCGETFF)"); - + flag = get_flags(); + if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); - } flag ^= FF_BLOCKNONIP; 
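Review bot: `flag` is never assigned in the rewritten packetlogon(): the result of get_flags() is stored in `err`, and `flag` is then printed and masked by `flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK)` while still uninitialized, so whatever is later written back with SIOCSETFF (outside the hunk) starts from stack garbage. The intended lines are presumably `flag = get_flags();` followed by the verbose printf, with the `err` variable removed. packetlogon() continues outside the hunk.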
@@ -490,3 +521,54 @@ static void blockunknown() } } #endif + + +static void showversion() +{ + struct friostat fio; + u_32_t flags; + char *s; + + printf("ipf: %s (%d)\n", IPL_VERSION, sizeof(frentry_t)); + + if (opendevice(ipfname) != -2 && ioctl(fd, SIOCGETFS, &fio)) { + perror("ioctl(SIOCGETFS"); + return; + } + flags = get_flags(); + + printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version), + (int)sizeof(fio.f_version), fio.f_version); + printf("Running: %s\n", fio.f_running ? "yes" : "no"); + printf("Log Flags: %#x = ", flags); + s = ""; + if (flags & FF_LOGPASS) { + printf("pass"); + s = ", "; + } + if (flags & FF_LOGBLOCK) { + printf("%sblock", s); + s = ", "; + } + if (flags & FF_LOGNOMATCH) { + printf("%snomatch", s); + s = ", "; + } + if (flags & FF_BLOCKNONIP) { + printf("%snonip", s); + s = ", "; + } + if (!*s) + printf("none set"); + putchar('\n'); + + printf("Default: "); + if (fio.f_defpass & FR_PASS) + s = "pass"; + else if (fio.f_defpass & FR_BLOCK) + s = "block"; + else + s = "nomatch -> block"; + printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un"); + printf("Active list: %d\n", fio.f_active); +} diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index 5c55502..2971bfe 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h @@ -1,12 +1,12 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * $Id: ipf.h,v 2.0.2.12 1997/09/28 07:11:50 darrenr Exp $ + * $Id: ipf.h,v 2.1.2.1 1999/10/05 12:59:25 darrenr Exp $ */ #ifndef __IPF_H__ 
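Review bot: `printf("ipf: %s (%d)\n", IPL_VERSION, sizeof(frentry_t));` passes a size_t to `%d`; cast it, `(int)sizeof(frentry_t)`, as the f_version printf a few lines down already does for its width arguments. `perror("ioctl(SIOCGETFS");` is missing its closing parenthesis. When opendevice() returns -2 the SIOCGETFS ioctl is skipped and `fio` is printed uninitialized; a `bzero((char *)&fio, sizeof(fio));` before the call, or an early return on that path, avoids printing stack contents, and `flags` is declared u_32_t while get_flags() returns int.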
@@ -15,26 +15,28 @@ #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif -#define OPT_REMOVE 0x00001 -#define OPT_DEBUG 0x00002 -#define OPT_OUTQUE FR_OUTQUE /* 0x0004 */ -#define OPT_INQUE FR_INQUE /* 0x0008 */ -#define OPT_LOG FR_LOG /* 0x0010 */ -#define OPT_SHOWLIST 0x00020 -#define OPT_VERBOSE 0x00040 -#define OPT_DONOTHING 0x00080 -#define OPT_HITS 0x00100 -#define OPT_BRIEF 0x00200 +#define OPT_REMOVE 0x000001 +#define OPT_DEBUG 0x000002 +#define OPT_OUTQUE FR_OUTQUE /* 0x00004 */ +#define OPT_INQUE FR_INQUE /* 0x00008 */ +#define OPT_LOG FR_LOG /* 0x00010 */ +#define OPT_SHOWLIST 0x000020 +#define OPT_VERBOSE 0x000040 +#define OPT_DONOTHING 0x000080 +#define OPT_HITS 0x000100 +#define OPT_BRIEF 0x000200 #define OPT_ACCNT FR_ACCOUNT /* 0x0400 */ #define OPT_FRSTATES FR_KEEPFRAG /* 0x0800 */ #define OPT_IPSTATES FR_KEEPSTATE /* 0x1000 */ #define OPT_INACTIVE FR_INACTIVE /* 0x2000 */ -#define OPT_SHOWLINENO 0x04000 -#define OPT_PRINTFR 0x08000 -#define OPT_ZERORULEST 0x10000 -#define OPT_SAVEOUT 0x20000 -#define OPT_AUTHSTATS 0x40000 -#define OPT_RAW 0x80000 +#define OPT_SHOWLINENO 0x004000 +#define OPT_PRINTFR 0x008000 +#define OPT_ZERORULEST 0x010000 +#define OPT_SAVEOUT 0x020000 +#define OPT_AUTHSTATS 0x040000 +#define OPT_RAW 0x080000 +#define OPT_NAT 0x100000 +#define OPT_GROUPS 0x200000 #ifndef __P # ifdef __STDC__ @@ -48,11 +50,11 @@ extern char *strdup __P((char *)); #endif -extern struct frentry *parse __P((char *)); +extern struct frentry *parse __P((char *, int)); extern void printfr __P((struct frentry *)); extern void binprint __P((struct frentry *)), initparse __P((void)); -extern u_short portnum __P((char *)); +extern int portnum __P((char *, u_short *, int)); struct ipopt_names { 
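Review bot: The hex literals were widened to six digits for OPT_NAT and OPT_GROUPS, but the comments on the FR_-based aliases still use the old widths (`/* 0x00004 */` next to `/* 0x0400 */`); normalising them to `/* 0x000400 */` etc. keeps the table scannable. The -48 hunk changes the prototypes of parse() and portnum(); the ipf.c hunk in this commit updates parse()'s caller, but portnum()'s callers are not visible here.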
@@ -64,18 +66,20 @@ struct ipopt_names { extern u_32_t buildopts __P((char *, char *, int)); -extern u_32_t hostnum __P((char *, int *)); -extern u_32_t optname __P((char ***, u_short *)); +extern u_32_t hostnum __P((char *, int *, int)); +extern u_32_t optname __P((char ***, u_short *, int)); extern void printpacket __P((ip_t *)); #if SOLARIS extern int inet_aton __P((const char *, struct in_addr *)); +extern int gethostname __P((char *, int )); +extern void sync __P((void)); #endif -#ifdef sun -#define STRERROR(x) sys_errlist[x] +#if defined(sun) && !SOLARIS +# define STRERROR(x) sys_errlist[x] extern char *sys_errlist[]; #else -#define STRERROR(x) strerror(x) +# define STRERROR(x) strerror(x) #endif #ifndef MIN diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c index ee6e5c5..1029ae8 100644 --- a/contrib/ipfilter/ipft_ef.c +++ b/contrib/ipfilter/ipft_ef.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -51,7 +51,7 @@ etherfind -n -t #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.0.2.7.2.1 1997/11/12 10:56:06 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.1 1999/08/04 17:30:02 darrenr Exp $"; #endif static int etherf_open __P((char *)); diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c index c7fcd92..9f25fb0 100644 --- a/contrib/ipfilter/ipft_hx.c +++ b/contrib/ipfilter/ipft_hx.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -42,7 +42,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.0.2.8.2.1 1997/11/12 10:56:07 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.1 1999/08/04 17:30:03 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c index 1524143..e924341 100644 --- a/contrib/ipfilter/ipft_pc.c +++ b/contrib/ipfilter/ipft_pc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -29,11 +29,11 @@ #include "ip_compat.h" #include <netinet/tcpip.h> #include "ipf.h" -#include "ipt.h" #include "pcap.h" +#include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.0.2.6.2.1 1997/11/12 10:56:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.1 1999/08/04 17:30:03 darrenr Exp $"; #endif struct llc { diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c index fc9183e..8dc0fa1 100644 --- a/contrib/ipfilter/ipft_sn.c +++ b/contrib/ipfilter/ipft_sn.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -33,11 +33,11 @@ #include "ip_compat.h" #include <netinet/tcpip.h> #include "ipf.h" -#include "ipt.h" #include "snoop.h" +#include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.0.2.6.2.1 1997/11/12 10:56:09 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.1 1999/08/04 17:30:04 darrenr Exp $"; #endif struct llc { diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c index de22b94..7ea43ea 100644 
--- a/contrib/ipfilter/ipft_td.c +++ b/contrib/ipfilter/ipft_td.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -60,7 +60,7 @@ tcpdump -nqte #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.0.2.6.2.1 1997/11/12 10:56:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.1 1999/08/04 17:30:04 darrenr Exp $"; #endif static int tcpd_open __P((char *)); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index 36372a1..9a5f139 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.1 1999/08/04 17:30:05 darrenr Exp $"; #endif extern int opts; @@ -196,7 +196,7 @@ int cnt, *dir; *dir = 0; if (!parseline(line, (ip_t *)buf, ifn, dir)) #if 0 - return sizeof(struct tcpiphdr); + return sizeof(*ip) + sizeof(tcphdr_t); #else return sizeof(ip_t); #endif @@ -263,6 +263,9 @@ int *out; tx_proto = "icmp"; } cpp++; + } else if (isdigit(**cpp) && !index(*cpp, '.')) { + ip->ip_p = atoi(*cpp); + cpp++; } else ip->ip_p = IPPROTO_IP; 
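Review bot: The rewrite to `return sizeof(*ip) + sizeof(tcphdr_t);` sits inside an `#if 0` block, so it is never compiled and cannot be checked by the build; either enable the branch or delete the dead alternative rather than maintaining it.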
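Review bot: `ip->ip_p = atoi(*cpp);` stores an unchecked int into the one-byte ip_p field, so a number above 255 in the test input is silently truncated and a token such as `12abc` passes the `isdigit(**cpp)` test; parse with strtol, reject trailing characters and values outside 0..255, and report the line as malformed. The enclosing function starts and ends outside the hunk.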
@@ -308,6 +311,8 @@ int *out; if (tcp->th_flags) cpp++; assert(tcp->th_flags != 0); + tcp->th_win = htons(4096); + tcp->th_off = sizeof(*tcp) >> 2; } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { extern char *tx_icmptypes[]; char **s, *t; @@ -340,5 +345,6 @@ int *out; else if (ip->ip_p == IPPROTO_ICMP) bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2), sizeof(*ic)); + ip->ip_len = htons(ip->ip_len); return 0; } diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index d92ec79..fd61ead 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1999 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -11,6 +11,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter v3.2.7" +#define IPL_VERSION "IP Filter: v3.3.3" #endif diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h index a7a13f9..d8986c8 100644 --- a/contrib/ipfilter/iplang/iplang.h +++ b/contrib/ipfilter/iplang/iplang.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 1997 by Darren Reed. + * Copyright (C) 1997-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -49,3 +49,6 @@ typedef struct aniphdr { #define ah_tcp ah_un.ahu_tcp #define ah_udp ah_un.ahu_udp #define ah_icmp ah_un.ahu_icmp + +extern int get_arpipv4 __P((char *, char *)); + diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l index 89b7732..36a4ec8 100644 --- a/contrib/ipfilter/iplang/iplang_l.l +++ b/contrib/ipfilter/iplang/iplang_l.l 
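Review bot: The prototype added here, `extern int get_arpipv4 __P((char *, char *));`, does not match the function the iplang_y.y hunk of this commit defines, `int arp_getipv4(ip, addr)`; unless a get_arpipv4 exists elsewhere, code calling the declared name will fail to link while arp_getipv4 stays undeclared. Rename one side so header and definition agree.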
@@ -1,12 +1,12 @@ %{ /* - * Copyright (C) 1997 by Darren Reed. + * Copyright (C) 1997-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_l.l,v 2.0.2.15.2.5 1997/12/28 01:32:13 darrenr Exp $ + * $Id: iplang_l.l,v 2.1 1999/08/04 17:30:53 darrenr Exp $ */ #include <stdio.h> #include <string.h> @@ -310,7 +310,9 @@ int nstate, fornext; void swallow() { - int c = input(); + int c; + + c = input(); if (c == '#') { while ((c != '\n') && (c != EOF)) diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index e01bb37..6dacd99 100644 --- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y @@ -1,14 +1,14 @@ %{ /* - * Copyright (C) 1997 by Darren Reed. + * Copyright (C) 1997-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $ + * $Id: iplang_y.y,v 2.1 1999/08/04 17:30:53 darrenr Exp $ */ - + #include <stdio.h> #include <string.h> #include <fcntl.h> @@ -1431,6 +1431,21 @@ char **arg; } +int arp_getipv4(ip, addr) +char *ip; +char *addr; +{ + arp_t *a; + + for (a = arplist; a; a = a->arp_next) + if (!bcmp(ip, (char *)&a->arp_addr, 4)) { + bcopy((char *)&a->arp_eaddr, addr, 6); + return 0; + } + return -1; +} + + void reset_send() { sending.snd_if = iflist; diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index 283e9ff..e9fb96e 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c 
@@ -1,41 +1,51 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) -static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $"; +static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.1 1999/08/14 04:46:07 darrenr Exp $"; #endif +#ifndef SOLARIS +#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun) +#endif + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/param.h> +#include <sys/file.h> +#include <sys/time.h> +#include <sys/socket.h> +#include <sys/ioctl.h> + #include <stdio.h> #include <unistd.h> #include <string.h> #include <fcntl.h> #include <errno.h> -#include <sys/types.h> #if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#include <signal.h> -#include <sys/dir.h> +# if (__FreeBSD_version >= 300000) +# include <sys/dirent.h> +# else +# include <sys/dir.h> +# endif #else -#include <sys/filio.h> -#include <sys/byteorder.h> +# include <sys/filio.h> +# include <sys/byteorder.h> #endif -#include <sys/stat.h> -#include <sys/param.h> -#include <sys/file.h> -#include <sys/time.h> +#include <strings.h> +#include <signal.h> #include <stdlib.h> #include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <net/if.h> #include <netinet/ip.h> +#include <netinet/tcp_fsm.h> #include <netdb.h> #include <arpa/inet.h> #include <arpa/nameser.h> 
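Review bot: `#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)` produces the `defined` operator through macro expansion, which the C standard leaves undefined (most preprocessors accept it, but not all), and the expansion lacks outer parentheses, so `!SOLARIS` would bind as `!(...) && defined(sun)`. The ipf.h hunk in this commit has the fully parenthesised form, `(defined(sun) && (defined(__svr4__) || defined(__SVR4)))`; using that form here, or including the header that defines it, keeps the two consistent.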
@@ -44,7 +54,6 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 #include <sys/uio.h> #ifndef linux # include <sys/protosw.h> -# include <sys/user.h> # include <netinet/ip_var.h> #endif @@ -85,6 +94,15 @@ struct flags tcpfl[] = { { 0, '\0' } }; +#if SOLARIS +static char *pidfile = "/etc/opt/ipf/ipmon.pid"; +#else +# if BSD >= 199306 +static char *pidfile = "/var/run/ipmon.pid"; +# else +static char *pidfile = "/etc/ipmon.pid"; +# endif +#endif static char line[2048]; static int opts = 0; @@ -92,19 +110,27 @@ static FILE *newlog = NULL; static char *logfile = NULL; static int donehup = 0; static void usage __P((char *)); -static void handlehup __P((void)); +static void handlehup __P((int)); static void flushlogs __P((char *, FILE *)); static void print_log __P((int, FILE *, char *, int)); static void print_ipflog __P((FILE *, char *, int)); static void print_natlog __P((FILE *, char *, int)); static void print_statelog __P((FILE *, char *, int)); static void dumphex __P((FILE *, u_char *, int)); -static int read_log __P((int, int *, char *, int, FILE *)); +static int read_log __P((int, int *, char *, int)); +static void write_pid __P((char *)); + char *hostname __P((int, struct in_addr)); -char *portname __P((int, char *, u_short)); +char *portname __P((int, char *, u_int)); int main __P((int, char *[])); static void logopts __P((int, char *)); +static void init_tabs __P((void)); +static char *getproto __P((u_int)); + +static char **protocols = NULL; +static char **udp_ports = NULL; +static char **tcp_ports = NULL; #define OPT_SYSLOG 0x001 
@@ -117,28 +143,106 @@ static void logopts __P((int, char *)); #define OPT_STATE 0x100 #define OPT_FILTER 0x200 #define OPT_PORTNUM 0x400 -#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER) +#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER) #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 #endif -static void handlehup() +void handlehup(sig) +int sig; { FILE *fp; signal(SIGHUP, handlehup); if (logfile && (fp = fopen(logfile, "a"))) newlog = fp; + init_tabs(); donehup = 1; } -static int read_log(fd, lenp, buf, bufsize, log) +static void init_tabs() +{ + struct protoent *p; + struct servent *s; + char *name, **tab; + u_int port; + + if (protocols != NULL) { + free(protocols); + protocols = NULL; + } + protocols = (char **)malloc(256 * sizeof(*protocols)); + if (protocols != NULL) { + bzero((char *)protocols, 256 * sizeof(*protocols)); + + setprotoent(1); + while ((p = getprotoent()) != NULL) + if (p->p_proto >= 0 && p->p_proto <= 255 && + p->p_name != NULL) + protocols[p->p_proto] = strdup(p->p_name); + endprotoent(); + } + + if (udp_ports != NULL) { + free(udp_ports); + udp_ports = NULL; + } + udp_ports = (char **)malloc(65536 * sizeof(*udp_ports)); + if (udp_ports != NULL) + bzero((char *)udp_ports, 65536 * sizeof(*udp_ports)); + + if (tcp_ports != NULL) { + free(tcp_ports); + tcp_ports = NULL; + } + tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports)); + if (tcp_ports != NULL) + bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports)); + + setservent(1); + while ((s = getservent()) != NULL) { + if (s->s_proto == NULL) + continue; + else if (!strcmp(s->s_proto, "tcp")) { + port = (u_int)s->s_port; + name = s->s_name; + tab = tcp_ports; + } else if (!strcmp(s->s_proto, "udp")) { + port = (u_int)s->s_port; + name = s->s_name; + tab = udp_ports; + } else + continue; + if ((port < 0 || port > 65535) || (name == NULL)) + continue; + tab[port] = strdup(name); + } + endservent(); +} + + +static char *getproto(p) +u_int p; +{ + static char pnum[4]; + char *s; + + p &= 0xff; + s = 
protocols ? protocols[p] : NULL; + if (s == NULL) { + sprintf(pnum, "%u", p); + s = pnum; + } + return s; +} + + +static int read_log(fd, lenp, buf, bufsize) int fd, bufsize, *lenp; char *buf; -FILE *log; { int nr; @@ -170,18 +274,24 @@ struct in_addr ip; char *portname(res, proto, port) int res; char *proto; -u_short port; +u_int port; { static char pname[8]; - struct servent *serv; + char *s; - (void) sprintf(pname, "%hu", htons(port)); + port = ntohs(port); + port &= 0xffff; + (void) sprintf(pname, "%u", port); if (!res || (opts & OPT_PORTNUM)) return pname; - serv = getservbyport((int)port, proto); - if (!serv) - return pname; - return serv->s_name; + s = NULL; + if (!strcmp(proto, "tcp")) + s = tcp_ports[port]; + else if (!strcmp(proto, "udp")) + s = udp_ports[port]; + if (s == NULL) + s = pname; + return s; } @@ -271,20 +381,20 @@ int blen; strcpy(t, "NAT:MAP "); else if (nl->nl_type == NL_NEWRDR) strcpy(t, "NAT:RDR "); - else if (nl->nl_type == ISL_EXPIRE) + else if (nl->nl_type == NL_EXPIRE) strcpy(t, "NAT:EXPIRE "); else sprintf(t, "Type: %d ", nl->nl_type); t += strlen(t); (void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip), - portname(res, NULL, nl->nl_inport)); + portname(res, NULL, (u_int)nl->nl_inport)); t += strlen(t); (void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip), - portname(res, NULL, nl->nl_outport)); + portname(res, NULL, (u_int)nl->nl_outport)); t += strlen(t); (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), - portname(res, NULL, nl->nl_origport)); + portname(res, NULL, (u_int)nl->nl_origport)); t += strlen(t); if (nl->nl_type == NL_EXPIRE) { #ifdef USE_QUAD_T @@ -312,8 +422,7 @@ int blen; { struct ipslog *sl; iplog_t *ipl = (iplog_t *)buf; - struct protoent *pr; - char *t = line, *proto, pname[6]; + char *t = line, *proto; struct tm *tm; int res, i, len; 
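Review bot: handlehup() now calls init_tabs() from inside the signal handler, and init_tabs() uses malloc, free, strdup and the getservent/getprotoent family, none of which are async-signal-safe, so a SIGHUP arriving while the main loop is inside malloc or a name lookup can corrupt the heap or deadlock; the handler already sets `donehup`, which the read loop in main() checks, so the `init_tabs();` call belongs there. init_tabs() indexes the port tables by `port = (u_int)s->s_port;`, the network-order value getservent() returns, while portname() in the -170 hunk looks up `ntohs(port)`, so on little-endian hosts names land at the wrong index; use `port = ntohs(s->s_port);` in both the tcp and udp branches. `tab[port] = strdup(name);` dereferences a NULL table when the matching malloc failed, which the code above deliberately tolerates, and `free(protocols)`, `free(udp_ports)`, `free(tcp_ports)` release the arrays but not the strdup'd entries, leaking every name on each reload. `port < 0` is always false for a u_int.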
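Review bot: portname() now calls `strcmp(proto, "tcp")` on its proto argument, but the NAT-log callers in the -271 hunk pass `NULL` for proto (`portname(res, NULL, (u_int)nl->nl_inport)`), which the old getservbyport() path accepted; with name resolution enabled this dereferences NULL. Guard it, `if (proto != NULL && !strcmp(proto, "tcp"))`, and likewise check `tcp_ports`/`udp_ports` for NULL before indexing, since init_tabs() leaves them NULL when allocation fails.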
@@ -334,27 +443,29 @@ int blen; if (sl->isl_type == ISL_NEW) strcpy(t, "STATE:NEW "); - else if (sl->isl_type == ISL_EXPIRE) - strcpy(t, "STATE:EXPIRE "); + else if (sl->isl_type == ISL_EXPIRE) { + if ((sl->isl_p == IPPROTO_TCP) && + (sl->isl_state[0] > TCPS_ESTABLISHED || + sl->isl_state[1] > TCPS_ESTABLISHED)) + strcpy(t, "STATE:CLOSE "); + else + strcpy(t, "STATE:EXPIRE "); + } else if (sl->isl_type == ISL_FLUSH) + strcpy(t, "STATE:FLUSH "); else sprintf(t, "Type: %d ", sl->isl_type); t += strlen(t); - pr = getprotobynumber((int)sl->isl_p); - if (!pr) { - proto = pname; - sprintf(proto, "%d", (u_int)sl->isl_p); - } else - proto = pr->p_name; + proto = getproto(sl->isl_p); if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) { (void) sprintf(t, "%s,%s -> ", hostname(res, sl->isl_src), - portname(res, proto, sl->isl_sport)); + portname(res, proto, (u_int)sl->isl_sport)); t += strlen(t); (void) sprintf(t, "%s,%s PR %s", hostname(res, sl->isl_dst), - portname(res, proto, sl->isl_dport), proto); + portname(res, proto, (u_int)sl->isl_dport), proto); } else if (sl->isl_p == IPPROTO_ICMP) { (void) sprintf(t, "%s -> ", hostname(res, sl->isl_src)); t += strlen(t); @@ -436,11 +547,10 @@ FILE *log; char *buf; int blen; { - struct protoent *pr; - struct tcphdr *tp; + tcphdr_t *tp; struct icmp *ic; struct tm *tm; - char c[3], pname[8], *t, *proto; + char *t, *proto; u_short hl, p; int i, lvl, res, len; ip_t *ipc, *ip; 
@@ -480,60 +590,62 @@ int blen; (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux) len = (int)sizeof(ipf->fl_ifname); (void) sprintf(t, "%*.*s", len, len, ipf->fl_ifname); + t += strlen(t); +# if SOLARIS + if (isalpha(*(t - 1))) + *t++ = '0' + ipf->fl_unit; +# endif #else for (len = 0; len < 3; len++) - if (!ipf->fl_ifname[len]) + if (ipf->fl_ifname[len] == '\0') break; if (ipf->fl_ifname[len]) len++; (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); -#endif t += strlen(t); +#endif (void) sprintf(t, " @%hu:%hu ", ipf->fl_group, ipf->fl_rule + 1); - pr = getprotobynumber((int)p); - if (!pr) { - proto = pname; - sprintf(proto, "%d", (u_int)p); - } else - proto = pr->p_name; + t += strlen(t); + proto = getproto(p); if (ipf->fl_flags & FF_SHORT) { - c[0] = 'S'; + *t++ = 'S'; lvl = LOG_ERR; } else if (ipf->fl_flags & FR_PASS) { if (ipf->fl_flags & FR_LOGP) - c[0] = 'p'; + *t++ = 'p'; else - c[0] = 'P'; + *t++ = 'P'; lvl = LOG_NOTICE; } else if (ipf->fl_flags & FR_BLOCK) { if (ipf->fl_flags & FR_LOGB) - c[0] = 'b'; + *t++ = 'b'; else - c[0] = 'B'; + *t++ = 'B'; lvl = LOG_WARNING; } else if (ipf->fl_flags & FF_LOGNOMATCH) { - c[0] = 'n'; + *t++ = 'n'; lvl = LOG_NOTICE; } else { - c[0] = 'L'; + *t++ = 'L'; lvl = LOG_INFO; } - c[1] = ' '; - c[2] = '\0'; - (void) strcat(line, c); - t = line + strlen(line); + if (ipf->fl_loglevel != 0xffff) + lvl = ipf->fl_loglevel; + *t++ = ' '; + *t = '\0'; - if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & 0x1fff)) { - tp = (struct tcphdr *)((char *)ip + hl); + if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && + !(ip->ip_off & IP_OFFMASK)) { + tp = (tcphdr_t *)((char *)ip + hl); if (!(ipf->fl_flags & (FI_SHORT << 16))) { (void) sprintf(t, "%s,%s -> ", hostname(res, ip->ip_src), - portname(res, proto, tp->th_sport)); + portname(res, proto, (u_int)tp->th_sport)); t += strlen(t); (void) sprintf(t, "%s,%s PR %s len %hu %hu ", hostname(res, ip->ip_dst), - portname(res, proto, tp->th_dport), + portname(res, 
proto, (u_int)tp->th_dport), proto, hl, ip->ip_len); t += strlen(t); @@ -542,12 +654,13 @@ int blen; for (i = 0; tcpfl[i].value; i++) if (tp->th_flags & tcpfl[i].value) *t++ = tcpfl[i].flag; - } - if (opts & OPT_VERBOSE) { - (void) sprintf(t, " %lu %lu %hu", - (u_long)tp->th_seq, - (u_long)tp->th_ack, tp->th_win); - t += strlen(t); + if (opts & OPT_VERBOSE) { + (void) sprintf(t, " %lu %lu %hu", + (u_long)(ntohl(tp->th_seq)), + (u_long)(ntohl(tp->th_ack)), + ntohs(tp->th_win)); + t += strlen(t); + } } *t = '\0'; } else { @@ -570,24 +683,18 @@ int blen; ic->icmp_type == ICMP_REDIRECT || ic->icmp_type == ICMP_TIMXCEED) { ipc = &ic->icmp_ip; - tp = (struct tcphdr *)((char *)ipc + hl); + tp = (tcphdr_t *)((char *)ipc + hl); - p = (u_short)ipc->ip_p; - pr = getprotobynumber((int)p); - if (!pr) { - proto = pname; - (void) sprintf(proto, "%d", (int)p); - } else - proto = pr->p_name; + proto = getproto(ipc->ip_p); t += strlen(t); (void) sprintf(t, " for %s,%s -", hostname(res, ipc->ip_src), - portname(res, proto, tp->th_sport)); + portname(res, proto, (u_int)tp->th_sport)); t += strlen(t); (void) sprintf(t, " %s,%s PR %s len %hu %hu", hostname(res, ipc->ip_dst), - portname(res, proto, tp->th_dport), + portname(res, proto, (u_int)tp->th_dport), proto, ipc->ip_hl << 2, ipc->ip_len); } } else { @@ -596,11 +703,12 @@ int blen; (void) sprintf(t, "%s PR %s len %hu (%hu)", hostname(res, ip->ip_dst), proto, hl, ip->ip_len); t += strlen(t); - if (ip->ip_off & 0x1fff) + if (ip->ip_off & IP_OFFMASK) (void) sprintf(t, " frag %s%s%hu@%hu", ip->ip_off & IP_MF ? "+" : "", ip->ip_off & IP_DF ? "-" : "", - ip->ip_len - hl, (ip->ip_off & 0x1fff) << 3); + ip->ip_len - hl, + (ip->ip_off & IP_OFFMASK) << 3); } t += strlen(t); @@ -614,6 +722,11 @@ int blen; t += strlen(t); } + if (ipf->fl_flags & FR_INQUE) + strcpy(t, " IN"); + else if (ipf->fl_flags & FR_OUTQUE) + strcpy(t, " OUT"); + t += strlen(t); *t++ = '\n'; *t++ = '\0'; if (opts & OPT_SYSLOG) 
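Review bot: `lvl = ipf->fl_loglevel;` takes the syslog priority verbatim from the log record whenever it is not the 0xffff sentinel; if `lvl` is later passed to syslog() (the call is outside the hunk), masking it to the valid bits, `lvl = ipf->fl_loglevel & (LOG_FACMASK|LOG_PRIMASK);`, keeps a malformed record from selecting an out-of-range facility. The SOLARIS-only `*t++ = '0' + ipf->fl_unit;` yields a non-digit for unit numbers of 10 or more; the `%u` sprintf used in the non-BSD branch handles any unit. The enclosing function starts and ends outside the hunk.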
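Review bot: The old code set `p = (u_short)ipc->ip_p;` before resolving the inner protocol, and the replacement `proto = getproto(ipc->ip_p);` drops that assignment, so any later use of `p` in this function (which continues outside the hunk) now sees the outer header's protocol; confirm `p` is not read again, or keep `p = ipc->ip_p;`. The rewritten port prints still read `tp->th_sport`/`tp->th_dport` from the embedded header without checking that `ipf->fl_plen` covers it, so a truncated ICMP error can make the printer read past the logged bytes; a length check before dereferencing `tp` would close that.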
@@ -621,7 +734,7 @@ int blen; else (void) fprintf(log, "%s", line); if (opts & OPT_HEXHDR) - dumphex(log, (u_char *)buf, sizeof(iplog_t)); + dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf)); if (opts & OPT_HEXBODY) dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen); } @@ -635,6 +748,25 @@ char *prog; } +static void write_pid(file) +char *file; +{ + FILE *fp = NULL; + int fd; + + if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0) + fp = fdopen(fd, "w"); + if (!fp) { + close(fd); + fprintf(stderr, "unable to open/create pid file: %s\n", file); + return; + } + fprintf(fp, "%d", getpid()); + fclose(fp); + close(fd); +} + + static void flushlogs(file, log) char *file; FILE *log; @@ -706,7 +838,7 @@ char *argv[]; int fd[3], doread, n, i; int tr, nr, regular[3], c; int fdt[3], devices = 0, make_daemon = 0; - char buf[512], *iplfile[3]; + char buf[512], *iplfile[3], *s; extern int optind; extern char *optarg; @@ -716,11 +848,14 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?aDf:FhI:nN:o:O:sS:tvxX")) != -1) + while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1) switch (c) { case 'a' : - opts |= OPT_ALL; + opts |= OPT_LOGALL; + fdt[0] = IPL_LOGIPF; + fdt[1] = IPL_LOGNAT; + fdt[2] = IPL_LOGSTATE; break; case 'D' : make_daemon = 1; @@ -756,8 +891,17 @@ char *argv[]; case 'p' : opts |= OPT_PORTNUM; break; + case 'P' : + pidfile = optarg; + break; case 's' : - openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC); + s = strrchr(argv[0], '/'); + if (s == NULL) + s = argv[0]; + else + s++; + openlog(s, LOG_NDELAY|LOG_PID, LOGFAC); + s = NULL; opts |= OPT_SYSLOG; break; case 'S' : @@ -783,6 +927,8 @@ char *argv[]; usage(argv[0]); } + init_tabs(); + /* * Default action is to only open the filter log file. */ 
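Review bot: write_pid() closes its descriptor twice: `fclose(fp)` already closes the fd behind the fdopen()'d stream, and the following `close(fd)` then targets a stale, possibly reused, descriptor; drop the trailing `close(fd);`. On the failure path `close(fd)` also runs when open() itself failed and fd is -1. Because ipmon runs privileged and -P lets the pid-file path be chosen, `open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)` follows a pre-existing symlink at that path; adding O_NOFOLLOW where the platform provides it limits what such a link can truncate, and writing `"%d\n"` gives the usual newline-terminated pid file.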
@@ -822,16 +968,19 @@ char *argv[]; exit(-1); } setvbuf(log, NULL, _IONBF, 0); - } + } else + log = NULL; if (make_daemon && (log != stdout)) { if (fork() > 0) exit(0); + write_pid(pidfile); close(0); close(1); close(2); setsid(); - } + } else + write_pid(pidfile); signal(SIGHUP, handlehup); @@ -856,7 +1005,7 @@ char *argv[]; continue; nr += tr; - tr = read_log(fd[i], &n, buf, sizeof(buf), log); + tr = read_log(fd[i], &n, buf, sizeof(buf)); if (donehup) { donehup = 0; if (newlog) { diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index ae0f71d..11997a3 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -1,20 +1,11 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) - * - * Broken still: - * Displaying the nat with redirect entries is way confusing - * - * Example redirection line: - * rdr le1 0.0.0.0/0 port 79 -> 199.165.219.129 port 9901 - * - * Will redirect all incoming packets on le1 to any machine, port 79 to - * host 199.165.219.129, port 9901 */ #include <stdio.h> #include <string.h> @@ -42,6 +33,9 @@ #include <netinet/ip.h> #include <netinet/tcp.h> #include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif #include <netdb.h> #include <arpa/nameser.h> #include <arpa/inet.h> @@ -62,7 +56,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.1 1999/08/04 17:30:07 darrenr Exp $"; #endif 
@@ -71,18 +65,18 @@ static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 #endif extern char *optarg; +extern ipnat_t *natparse __P((char *, int)); +extern void natparsefile __P((int, char *, int)); +extern void printnat __P((ipnat_t *, int, void *)); -ipnat_t *parse __P((char *)); -u_32_t hostnum __P((char *, int *)); +u_32_t hostnum __P((char *, int *, int)); u_32_t hostmask __P((char *)); -u_short portnum __P((char *, char *)); void dostats __P((int, int)), flushtable __P((int, int)); -void printnat __P((ipnat_t *, int, void *)); -void parsefile __P((int, char *, int)); void usage __P((char *)); int countbits __P((u_32_t)); char *getnattype __P((ipnat_t *)); int main __P((int, char*[])); +void printaps __P((ap_session_t *, int)); #define OPT_REM 1 #define OPT_NODO 2 @@ -91,12 +85,13 @@ int main __P((int, char*[])); #define OPT_VERBOSE 16 #define OPT_FLUSH 32 #define OPT_CLEAR 64 +#define OPT_HITS 128 void usage(name) char *name; { - fprintf(stderr, "%s: [-CFlnrsv] [-f filename]\n", name); + fprintf(stderr, "%s: [-CFhlnrsv] [-f filename]\n", name); exit(1); } @@ -106,9 +101,9 @@ int argc; char *argv[]; { char *file = NULL; - int fd = -1, opts = 1, c; + int fd = -1, opts = 0, c; - while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1) + while ((c = getopt(argc, argv, "CFf:hlnrsv")) != -1) switch (c) { case 'C' : @@ -120,6 +115,9 @@ char *argv[]; case 'F' : opts |= OPT_FLUSH; break; + case 'h' : + opts |=OPT_HITS; + break; case 'l' : opts |= OPT_LIST; break; @@ -127,7 +125,7 @@ char *argv[]; opts |= OPT_NODO; break; case 'r' : - opts &= ~OPT_REM; + opts |= OPT_REM; break; case 's' : opts |= OPT_STAT; @@ -149,7 +147,7 @@ char *argv[]; if (opts & (OPT_FLUSH|OPT_CLEAR)) flushtable(fd, opts); if (file) - parsefile(fd, file, opts); + natparsefile(fd, file, opts); if (opts & (OPT_LIST|OPT_STAT)) dostats(fd, opts); return 0; 
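Review bot: `opts |=OPT_HITS;` in the new `case 'h'` is missing the space after `|=` that every neighbouring case uses; `opts |= OPT_HITS;`. The -106 and -127 hunks together flip the meaning of OPT_REM (default now 0, `-r` now sets it); the usage() string in the -91 hunk was only extended with `h`, so it is worth confirming the manual page still describes `-r` correctly.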
@@ -185,94 +183,58 @@ u_32_t ip; } -void printnat(np, verbose, ptr) -ipnat_t *np; -int verbose; -void *ptr; +void printaps(aps, opts) +ap_session_t *aps; +int opts; { - int bits; - struct protoent *pr; + ap_session_t ap; + aproxy_t apr; + raudio_t ra; - switch (np->in_redir) - { - case NAT_REDIRECT : - printf("rdr "); - break; - case NAT_MAP : - printf("map "); - break; - case NAT_BIMAP : - printf("bimap "); - break; - default : - fprintf(stderr, "unknown value for in_redir: %#x\n", - np->in_redir); - break; + if (kmemcpy((char *)&ap, (long)aps, sizeof(ap))) + return; + if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr))) + return; + printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label, + apr.apr_p, apr.apr_ref, apr.apr_flags); + printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags); +#ifdef USE_QUAD_T + printf("%qu pkts %qu", ap.aps_bytes, ap.aps_pkts); +#else + printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts); +#endif + printf(" data %p psiz %d\n", ap.aps_data, ap.aps_psiz); + if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) { + printf("\t\tstate[%u,%u], sel[%d,%d]\n", + ap.aps_state[0], ap.aps_state[1], + ap.aps_sel[0], ap.aps_sel[1]); +#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \ + (__FreeBSD_version >= 300000) || defined(OpenBSD) + printf("\t\tseq: off %hd/%hd min %x/%x\n", + ap.aps_seqoff[0], ap.aps_seqoff[1], + ap.aps_seqmin[0], ap.aps_seqmin[1]); + printf("\t\tack: off %hd/%hd min %x/%x\n", + ap.aps_ackoff[0], ap.aps_ackoff[1], + ap.aps_ackmin[0], ap.aps_ackmin[1]); +#else + printf("\t\tseq: off %hd/%hd min %lx/%lx\n", + ap.aps_seqoff[0], ap.aps_seqoff[1], + ap.aps_seqmin[0], ap.aps_seqmin[1]); + printf("\t\tack: off %hd/%hd min %lx/%lx\n", + ap.aps_ackoff[0], ap.aps_ackoff[1], + ap.aps_ackmin[0], ap.aps_ackmin[1]); +#endif } - if (np->in_redir == NAT_REDIRECT) { - printf("%s %s", np->in_ifname, inet_ntoa(np->in_out[0])); - bits = countbits(np->in_out[1].s_addr); - if (bits != -1) - printf("/%d ", bits); - 
else - printf("/%s ", inet_ntoa(np->in_out[1])); - if (np->in_pmin) - printf("port %d ", ntohs(np->in_pmin)); - printf("-> %s", inet_ntoa(np->in_in[0])); - if (np->in_pnext) - printf(" port %d", ntohs(np->in_pnext)); - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if ((np->in_flags & IPN_TCP) == IPN_TCP) - printf(" tcp"); - else if ((np->in_flags & IPN_UDP) == IPN_UDP) - printf(" udp"); - printf("\n"); - if (verbose) - printf("\t%p %u %x %u %p %d\n", np->in_ifp, - np->in_space, np->in_flags, np->in_pnext, np, - np->in_use); - } else { - np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); - printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); - bits = countbits(np->in_in[1].s_addr); - if (bits != -1) - printf("%d ", bits); - else - printf("%s", inet_ntoa(np->in_in[1])); - printf(" -> %s/", inet_ntoa(np->in_out[0])); - bits = countbits(np->in_out[1].s_addr); - if (bits != -1) - printf("%d ", bits); - else - printf("%s", inet_ntoa(np->in_out[1])); - if (*np->in_plabel) { - printf(" proxy port"); - if (np->in_dport) - printf(" %hu", ntohs(np->in_dport)); - printf(" %.*s/", (int)sizeof(np->in_plabel), - np->in_plabel); - if ((pr = getprotobynumber(np->in_p))) - fputs(pr->p_name, stdout); - else - printf("%d", np->in_p); - } else if (np->in_pmin || np->in_pmax) { - printf(" portmap"); - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if (np->in_flags & IPN_TCP) - printf(" tcp"); - else if (np->in_flags & IPN_UDP) - printf(" udp"); - printf(" %d:%d", ntohs(np->in_pmin), - ntohs(np->in_pmax)); - } - printf("\n"); - if (verbose) - printf("\t%p %u %s %d %x\n", np->in_ifp, - np->in_space, inet_ntoa(np->in_nextip), - np->in_pnext, np->in_flags); + if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) { + if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra))) + return; + printf("\tReal Audio Proxy:\n"); + printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n", + ra.rap_seenpna, ra.rap_version, ra.rap_eos); 
+ printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf); + printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n", + ra.rap_plport, ra.rap_prport, ra.rap_srport); } } @@ -286,8 +248,8 @@ ipnat_t *ipnat; char *which; ipnat_t ipnatbuff; - if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, - sizeof(ipnatbuff))) + if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, + sizeof(ipnatbuff)))) return "???"; switch (ipnatbuff.in_redir) @@ -295,6 +257,9 @@ ipnat_t *ipnat; case NAT_MAP : which = "MAP"; break; + case NAT_MAPBLK : + which = "MAP-BLOCK"; + break; case NAT_REDIRECT : which = "RDR"; break; @@ -341,6 +306,8 @@ int fd, opts; perror("kmemcpy"); break; } + if (opts & OPT_HITS) + printf("%d ", ipn.in_hits); printnat(&ipn, opts & OPT_VERBOSE, (void *)ns.ns_list); ns.ns_list = ipn.in_next; } 
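Review bot: printaps() prints `apr.apr_label` with a plain `%s` and compares it with `strcmp(apr.apr_label, "raudio")`, but apr_label is a fixed-size array copied out of kernel memory by kmemcpy() and nothing here shows it is NUL-terminated; the printnat() this hunk removes bounded the equivalent field with `%.*s` and `(int)sizeof(np->in_plabel)`. Bounding it the same way keeps a full-length label from reading past the structure: `printf("\tproxy %.*s/%d use %d flags %x\n", (int)sizeof(apr.apr_label), apr.apr_label, apr.apr_p, apr.apr_ref, apr.apr_flags);` and `strncmp(apr.apr_label, "raudio", sizeof(apr.apr_label))`. In the `#if` guarding the seq/ack format strings, `NetBSD < 1991011` has seven digits where the neighbouring `NetBSD >= 199905` has six, which looks like a typo in the version bound — worth checking against the intended macro value. The definition of apr_label is outside this diff, so whether the kernel side guarantees termination cannot be confirmed here.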
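Review bot: In getnattype() the new condition `if (!ipnat || (ipnat && kmemcpy(...)))` re-tests `ipnat` inside the second operand even though `||` short-circuiting already guarantees it is non-NULL there; `if (!ipnat || kmemcpy((char *)&ipnatbuff, (long)ipnat, sizeof(ipnatbuff)))` is equivalent and easier to read. The NAT_MAPBLK label and the OPT_HITS print in the two following hunks on this line look consistent with the new option, but `printf("%d ", ipn.in_hits)` assumes an int-sized field, which this diff does not show — confirm against the ipnat_t definition.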
@@ -354,66 +321,39 @@ int fd, opts; printf("\nList of active sessions:\n"); - for (i = 0; i < NAT_SIZE; i++) - for (np = nt[0][i]; np; np = nat.nat_hnext[0]) { - if (kmemcpy((char *)&nat, (long)np, - sizeof(nat))) - break; - - printf("%s %-15s %-5hu <- ->", - getnattype(nat.nat_ptr), - inet_ntoa(nat.nat_inip), - ntohs(nat.nat_inport)); - printf(" %-15s %-5hu", - inet_ntoa(nat.nat_outip), - ntohs(nat.nat_outport)); - printf(" [%s %hu]", inet_ntoa(nat.nat_oip), - ntohs(nat.nat_oport)); - printf(" %ld %hu %lx", nat.nat_age, - nat.nat_use, nat.nat_sumd); + for (np = ns.ns_instances; np; np = nat.nat_next) { + if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) + break; + + printf("%s %-15s %-5hu <- ->", getnattype(nat.nat_ptr), + inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport)); + printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip), + ntohs(nat.nat_outport)); + printf(" [%s %hu]", inet_ntoa(nat.nat_oip), + ntohs(nat.nat_oport)); + if (opts & OPT_VERBOSE) { + printf("\n\tage %lu use %hu sumd %x pr %u", + nat.nat_age, nat.nat_use, nat.nat_sumd, + nat.nat_p); + printf(" bkt %d flags %x ", i, nat.nat_flags); +#ifdef USE_QUAD_T + printf("bytes %qu pkts %qu", + nat.nat_bytes, nat.nat_pkts); +#else + printf("bytes %lu pkts %lu", + nat.nat_bytes, nat.nat_pkts); +#endif #if SOLARIS printf(" %lx", nat.nat_ipsumd); #endif - putchar('\n'); } - free(nt[0]); - } -} - + putchar('\n'); + if (nat.nat_aps) + printaps(nat.nat_aps, opts); + } -u_short portnum(name, proto) -char *name, *proto; -{ - struct servent *sp, *sp2; - u_short p1 = 0; - - if (isdigit(*name)) - return htons((u_short)atoi(name)); - if (!proto) - proto = "tcp/udp"; - if (strcasecmp(proto, "tcp/udp")) { - sp = getservbyname(name, proto); - if (sp) - return sp->s_port; - (void) fprintf(stderr, "unknown service \"%s\".\n", name); - return 0; - } - sp = getservbyname(name, "tcp"); - if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n", - 
name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
- return 0;
+ free(nt[0]);
 }
- return p1;
 }
@@ -445,9 +385,10 @@ char *msk;
 * returns an ip address as a long var as a result of either a DNS lookup or
 * straight inet_addr() call
 */
-u_32_t hostnum(host, resolved)
+u_32_t hostnum(host, resolved, linenum)
 char *host;
 int *resolved;
+int linenum;
 {
 struct hostent *hp;
 struct netent *np;
@@ -461,7 +402,7 @@ int *resolved;
 if (!(hp = gethostbyname(host))) {
 if (!(np = getnetbyname(host))) {
 *resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
+ fprintf(stderr, "Line %d: can't resolve hostname: %s\n", linenum, host);
 return 0;
 }
 return htonl(np->n_net);
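Review bot: The verbose session line prints `bkt %d` with `i`, but the `for (i = 0; i < NAT_SIZE; i++)` loop that gave `i` its meaning is removed by this hunk and the new walk over `ns.ns_instances` never assigns it, so unless it is set above the hunk the bucket column shows a stale or uninitialised value; dropping `bkt %d ` and the `i` argument is the safe fix, since the hash that would recompute the bucket is not visible here. `free(nt[0])` is kept after the loop even though `nt` is no longer read in it; if the table is still fetched above the hunk that fetch is now dead work and the allocation could go with it. The format for `nat.nat_sumd` also changed from `%lx` to `%x`, which is only right if the field is int-sized — the diff does not show its type. dostats() begins and ends outside this hunk.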
@@ -470,336 +411,6 @@ int *resolved; } -ipnat_t *parse(line) -char *line; -{ - struct protoent *pr; - static ipnat_t ipn; - char *s, *t; - char *shost, *snetm, *dhost, *proto; - char *dnetm = NULL, *dport = NULL, *tport = NULL; - int resolved; - - bzero((char *)&ipn, sizeof(ipn)); - if ((s = strchr(line, '\n'))) - *s = '\0'; - if ((s = strchr(line, '#'))) - *s = '\0'; - if (!*line) - return NULL; - if (!(s = strtok(line, " \t"))) - return NULL; - if (!strcasecmp(s, "map")) - ipn.in_redir = NAT_MAP; - else if (!strcasecmp(s, "rdr")) - ipn.in_redir = NAT_REDIRECT; - else if (!strcasecmp(s, "bimap")) - ipn.in_redir = NAT_BIMAP; - else { - (void)fprintf(stderr, - "expected map/rdr/bimap, got \"%s\"\n", s); - return NULL; - } - - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (interface)\n"); - return NULL; - } - strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1); - ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0'; - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (%s)\n", - ipn.in_redir ? "destination": "source"); - return NULL; - } - shost = s; - - if (ipn.in_redir == NAT_REDIRECT) { - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (destination port)\n"); - return NULL; - } - - if (strcasecmp(s, "port")) { - fprintf(stderr, "missing fields (port)\n"); - return NULL; - } - - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (destination port)\n"); - return NULL; - } - - dport = s; - } - - - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (->)\n"); - return NULL; - } - if (!strcmp(s, "->")) { - snetm = strrchr(shost, '/'); - if (!snetm) { - fprintf(stderr, "missing fields (%s netmask)\n", - ipn.in_redir ? "destination":"source"); - return NULL; - } - } else { - if (strcasecmp(s, "netmask")) { - fprintf(stderr, "missing fields (netmask)\n"); - return NULL; - } - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (%s netmask)\n", - ipn.in_redir ? 
"destination":"source"); - return NULL; - } - snetm = s; - } - - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (%s)\n", - ipn.in_redir ? "destination":"target"); - return NULL; - } - dhost = s; - - if (ipn.in_redir & NAT_MAP) { - if (!(s = strtok(NULL, " \t"))) { - dnetm = strrchr(dhost, '/'); - if (!dnetm) { - fprintf(stderr, - "missing fields (dest netmask)\n"); - return NULL; - } - } - if (!s || !strcasecmp(s, "portmap") || - !strcasecmp(s, "proxy")) { - dnetm = strrchr(dhost, '/'); - if (!dnetm) { - fprintf(stderr, - "missing fields (dest netmask)\n"); - return NULL; - } - } else { - if (strcasecmp(s, "netmask")) { - fprintf(stderr, - "missing fields (dest netmask)\n"); - return NULL; - } - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "missing fields (dest netmask)\n"); - return NULL; - } - dnetm = s; - } - if (*dnetm == '/') - *dnetm++ = '\0'; - } else { - /* If it's a in_redir, expect target port */ - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (destination port)\n"); - return NULL; - } - - if (strcasecmp(s, "port")) { - fprintf(stderr, "missing fields (port)\n"); - return NULL; - } - - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing fields (destination port)\n"); - return NULL; - } - tport = s; - } - - - if (*snetm == '/') - *snetm++ = '\0'; - - if (ipn.in_redir & NAT_MAP) { - ipn.in_inip = hostnum(shost, &resolved); - if (resolved == -1) - return NULL; - ipn.in_inmsk = hostmask(snetm); - ipn.in_outip = hostnum(dhost, &resolved); - if (resolved == -1) - return NULL; - ipn.in_outmsk = hostmask(dnetm); - } else { - ipn.in_inip = hostnum(dhost, &resolved); /* Inside is target */ - if (resolved == -1) - return NULL; - ipn.in_inmsk = hostmask("255.255.255.255"); - ipn.in_outip = hostnum(shost, &resolved); - if (resolved == -1) - return NULL; - ipn.in_outmsk = hostmask(snetm); - if (!(s = strtok(NULL, " \t"))) { - ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */ - proto = "tcp"; - } else { - 
if (!strcasecmp(s, "tcp")) - ipn.in_flags = IPN_TCP; - else if (!strcasecmp(s, "udp")) - ipn.in_flags = IPN_UDP; - else if (!strcasecmp(s, "tcp/udp")) - ipn.in_flags = IPN_TCPUDP; - else if (!strcasecmp(s, "tcpudp")) - ipn.in_flags = IPN_TCPUDP; - else { - fprintf(stderr, - "expected protocol - got \"%s\"\n", s); - return NULL; - } - proto = s; - if ((s = strtok(NULL, " \t"))) { - fprintf(stderr, - "extra junk at the end of rdr: %s\n", - s); - return NULL; - } - } - ipn.in_pmin = portnum(dport, proto); /* dest port */ - ipn.in_pmax = ipn.in_pmin; /* NECESSARY of removing nats */ - ipn.in_pnext = portnum(tport, proto); /* target port */ - s = NULL; /* That's all she wrote! */ - } - ipn.in_inip &= ipn.in_inmsk; - ipn.in_outip &= ipn.in_outmsk; - - if (!s) - return &ipn; - - if (ipn.in_redir == NAT_BIMAP) { - fprintf(stderr, "extra words at the end of bimap line: %s\n", - s); - return NULL; - } - if (!strcasecmp(s, "proxy")) { - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "missing parameter for \"proxy\"\n"); - return NULL; - } - dport = NULL; - - if (!strcasecmp(s, "port")) { - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "missing parameter for \"port\"\n"); - return NULL; - } - - dport = s; - - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "missing parameter for \"proxy\"\n"); - return NULL; - } - } - if ((proto = index(s, '/'))) { - *proto++ = '\0'; - if ((pr = getprotobyname(proto))) - ipn.in_p = pr->p_proto; - else - ipn.in_p = atoi(proto); - if (dport) - ipn.in_dport = portnum(dport, proto); - } else { - ipn.in_p = 0; - if (dport) - ipn.in_dport = portnum(dport, NULL); - } - - (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel)); - if ((s = strtok(NULL, " \t"))) { - fprintf(stderr, "too many parameters for \"proxy\"\n"); - return NULL; - } - return &ipn; - - } - if (strcasecmp(s, "portmap")) { - fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s); - return NULL; - } - if (!(s = strtok(NULL, " \t"))) - return NULL; - if 
(!strcasecmp(s, "tcp")) - ipn.in_flags = IPN_TCP; - else if (!strcasecmp(s, "udp")) - ipn.in_flags = IPN_UDP; - else if (!strcasecmp(s, "tcpudp")) - ipn.in_flags = IPN_TCPUDP; - else if (!strcasecmp(s, "tcp/udp")) - ipn.in_flags = IPN_TCPUDP; - else { - fprintf(stderr, "expected protocol name - got \"%s\"\n", s); - return NULL; - } - proto = s; - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "no port range found\n"); - return NULL; - } - if (!(t = strchr(s, ':'))) { - fprintf(stderr, "no port range in \"%s\"\n", s); - return NULL; - } - *t++ = '\0'; - ipn.in_pmin = portnum(s, proto); - ipn.in_pmax = portnum(t, proto); - return &ipn; -} - - -void parsefile(fd, file, opts) -int fd; -char *file; -int opts; -{ - char line[512], *s; - ipnat_t *np; - FILE *fp; - int linenum = 1; - - if (strcmp(file, "-")) { - if (!(fp = fopen(file, "r"))) { - (void) fprintf(stderr, "%s: open: %s\n", file, - STRERROR(errno)); - exit(1); - } - } else - fp = stdin; - - while (fgets(line, sizeof(line) - 1, fp)) { - line[sizeof(line) - 1] = '\0'; - if ((s = strchr(line, '\n'))) - *s = '\0'; - if (!(np = parse(line))) { - if (*line) - fprintf(stderr, "%d: syntax error in \"%s\"\n", - linenum, line); - } else if (!(opts & OPT_NODO)) { - if ((opts & OPT_VERBOSE) && np) - printnat(np, opts & OPT_VERBOSE, NULL); - if (opts & OPT_REM) { - if (ioctl(fd, SIOCADNAT, np) == -1) - perror("ioctl(SIOCADNAT)"); - } else if (ioctl(fd, SIOCRMNAT, np) == -1) - perror("ioctl(SIOCRMNAT)"); - } - linenum++; - } - if (fp != stdin) - fclose(fp); -} - - void flushtable(fd, opts) int fd, opts; { diff --git a/contrib/ipfilter/ipsd/Celler/ip_compat.h b/contrib/ipfilter/ipsd/Celler/ip_compat.h new file mode 100644 index 0000000..a911fd8 --- /dev/null +++ b/contrib/ipfilter/ipsd/Celler/ip_compat.h 
@@ -0,0 +1,201 @@ +/* + * (C)opyright 1995 by Darren Reed. + * + * This code may be freely distributed as long as it retains this notice + * and is not changed in any way. The author accepts no responsibility + * for the use of this software. I hate legaleese, don't you ? + * + * @(#)ip_compat.h 1.1 9/14/95 + */ + +/* + * These #ifdef's are here mainly for linux, but who knows, they may + * not be in other places or maybe one day linux will grow up and some + * of these will turn up there too. + */ +#ifndef ICMP_UNREACH +# define ICMP_UNREACH ICMP_DEST_UNREACH +#endif +#ifndef ICMP_SOURCEQUENCH +# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH +#endif +#ifndef ICMP_TIMXCEED +# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED +#endif +#ifndef ICMP_PARAMPROB +# define ICMP_PARAMPROB ICMP_PARAMETERPROB +#endif +#ifndef IPVERSION +# define IPVERSION 4 +#endif +#ifndef IPOPT_MINOFF +# define IPOPT_MINOFF 4 +#endif +#ifndef IPOPT_COPIED +# define IPOPT_COPIED(x) ((x)&0x80) +#endif +#ifndef IPOPT_EOL +# define IPOPT_EOL 0 +#endif +#ifndef IPOPT_NOP +# define IPOPT_NOP 1 +#endif +#ifndef IP_MF +# define IP_MF ((u_short)0x2000) +#endif +#ifndef ETHERTYPE_IP +# define ETHERTYPE_IP ((u_short)0x0800) +#endif +#ifndef TH_FIN +# define TH_FIN 0x01 +#endif +#ifndef TH_SYN +# define TH_SYN 0x02 +#endif +#ifndef TH_RST +# define TH_RST 0x04 +#endif +#ifndef TH_PUSH +# define TH_PUSH 0x08 +#endif +#ifndef TH_ACK +# define TH_ACK 0x10 +#endif +#ifndef TH_URG +# define TH_URG 0x20 +#endif +#ifndef IPOPT_EOL +# define IPOPT_EOL 0 +#endif +#ifndef IPOPT_NOP +# define IPOPT_NOP 1 +#endif +#ifndef IPOPT_RR +# define IPOPT_RR 7 +#endif +#ifndef IPOPT_TS +# define IPOPT_TS 68 +#endif +#ifndef IPOPT_SECURITY +# define IPOPT_SECURITY 130 +#endif +#ifndef IPOPT_LSRR +# define IPOPT_LSRR 131 +#endif +#ifndef IPOPT_SATID +# define IPOPT_SATID 136 +#endif +#ifndef IPOPT_SSRR +# define IPOPT_SSRR 137 +#endif +#ifndef IPOPT_SECUR_UNCLASS +# define IPOPT_SECUR_UNCLASS ((u_short)0x0000) +#endif +#ifndef 
IPOPT_SECUR_CONFID +# define IPOPT_SECUR_CONFID ((u_short)0xf135) +#endif +#ifndef IPOPT_SECUR_EFTO +# define IPOPT_SECUR_EFTO ((u_short)0x789a) +#endif +#ifndef IPOPT_SECUR_MMMM +# define IPOPT_SECUR_MMMM ((u_short)0xbc4d) +#endif +#ifndef IPOPT_SECUR_RESTR +# define IPOPT_SECUR_RESTR ((u_short)0xaf13) +#endif +#ifndef IPOPT_SECUR_SECRET +# define IPOPT_SECUR_SECRET ((u_short)0xd788) +#endif +#ifndef IPOPT_SECUR_TOPSECRET +# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5) +#endif + +#ifdef linux +# define icmp icmphdr +# define icmp_type type +# define icmp_code code + +/* + * From /usr/include/netinet/ip_var.h + * !%@#!$@# linux... + */ +struct ipovly { + caddr_t ih_next, ih_prev; /* for protocol sequence q's */ + u_char ih_x1; /* (unused) */ + u_char ih_pr; /* protocol */ + short ih_len; /* protocol length */ + struct in_addr ih_src; /* source internet address */ + struct in_addr ih_dst; /* destination internet address */ +}; + +typedef struct { + __u16 th_sport; + __u16 th_dport; + __u32 th_seq; + __u32 th_ack; +# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ + defined(vax) + __u8 th_res:4; + __u8 th_off:4; +#else + __u8 th_off:4; + __u8 th_res:4; +#endif + __u8 th_flags; + __u16 th_win; + __u16 th_sum; + __u16 th_urp; +} tcphdr_t; + +typedef struct { + __u16 uh_sport; + __u16 uh_dport; + __s16 uh_ulen; + __u16 uh_sum; +} udphdr_t; + +typedef struct { +# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ + defined(vax) + __u8 ip_hl:4; + __u8 ip_v:4; +# else + __u8 ip_hl:4; + __u8 ip_v:4; +# endif + __u8 ip_tos; + __u16 ip_len; + __u16 ip_id; + __u16 ip_off; + __u8 ip_ttl; + __u8 ip_p; + __u16 ip_sum; + struct in_addr ip_src; + struct in_addr ip_dst; +} ip_t; + +typedef struct { + __u8 ether_dhost[6]; + __u8 ether_shost[6]; + __u16 ether_type; +} ether_header_t; + +# define bcopy(a,b,c) memmove(b,a,c) +# define bcmp(a,b,c) memcmp(a,b,c) + +# define ifnet device + +#else + +typedef struct udphdr udphdr_t; +typedef struct 
tcphdr tcphdr_t; +typedef struct ip ip_t; +typedef struct ether_header ether_header_t; + +#endif + +#ifdef solaris +# define bcopy(a,b,c) memmove(b,a,c) +# define bcmp(a,b,c) memcmp(a,b,c) +# define bzero(a,b) memset(a,0,b) +#endif diff --git a/contrib/ipfilter/ipsd/Makefile b/contrib/ipfilter/ipsd/Makefile index 37f0327..b9ad044 100644 --- a/contrib/ipfilter/ipsd/Makefile +++ b/contrib/ipfilter/ipsd/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 1993-1997 by Darren Reed. +# Copyright (C) 1993-1998 by Darren Reed. # # Redistribution and use in source and binary forms are permitted # provided that this notice is preserved and due credit is given diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c index d72c932..4ed6d70 100644 --- a/contrib/ipfilter/ipsd/ipsd.c +++ b/contrib/ipfilter/ipsd/ipsd.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1995-1997 Darren Reed. + * (C)opyright 1995-1998 Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -37,7 +37,7 @@ #ifndef lint static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.0.2.4 1997/09/28 07:13:17 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1 1999/08/04 17:30:56 darrenr Exp $"; #endif extern char *optarg; diff --git a/contrib/ipfilter/ipsd/ipsd.h b/contrib/ipfilter/ipsd/ipsd.h index 27d55ce..1dbe1c4 100644 --- a/contrib/ipfilter/ipsd/ipsd.h +++ b/contrib/ipfilter/ipsd/ipsd.h @@ -1,5 +1,5 @@ /* - * (C)opyright 1995-1997 Darren Reed. + * (C)opyright 1995-1998 Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c index e814bd4..3b95ca0 100644 --- a/contrib/ipfilter/ipsd/ipsdr.c +++ b/contrib/ipfilter/ipsd/ipsdr.c 
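Review bot: In the `ip_t` typedef under `#ifdef linux`, both arms of the `# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) || defined(vax)` conditional declare `__u8 ip_hl:4;` before `__u8 ip_v:4;`, so the conditional selects nothing; the sibling `tcphdr_t` swaps `th_res`/`th_off` between its arms, which suggests the `# else` arm here was meant to read `__u8 ip_v:4; __u8 ip_hl:4;` for the other byte order. The same text is in the new contrib/ipfilter/ipsend/.OLD/ip_compat.h added later in this diff. The `IPOPT_EOL` and `IPOPT_NOP` guards are also repeated verbatim a second time further down this header; harmless, but one copy should go. Both files carry a 1995 `@(#)` stamp and may be archival copies, in which case a line at the top saying they are kept for reference only would stop readers from patching them.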
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1995-1997 Darren Reed.
+ * (C)opyright 1995-1998 Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@@ -38,7 +38,7 @@
 #ifndef lint
 static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.0.2.3 1997/09/28 07:13:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1 1999/08/04 17:30:57 darrenr Exp $";
 #endif
 extern char *optarg;
diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h
index b5e710f..61f52b3 100644
--- a/contrib/ipfilter/ipsd/linux.h
+++ b/contrib/ipfilter/ipsd/linux.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1997 by Darren Reed.
+ * Copyright (C) 1997-1998 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c
index 5cb520b..5d128c4 100644
--- a/contrib/ipfilter/ipsd/sbpf.c
+++ b/contrib/ipfilter/ipsd/sbpf.c
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1995-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1995-1998 Darren Reed. (from tcplog)
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c
index c06aa5f..9ec7b3f 100644
--- a/contrib/ipfilter/ipsd/sdlpi.c
+++ b/contrib/ipfilter/ipsd/sdlpi.c
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c
index 29c7c41..5b2734b 100644
--- a/contrib/ipfilter/ipsd/slinux.c
+++ b/contrib/ipfilter/ipsd/slinux.c
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c
index ba097f0..3f3aa50 100644
--- a/contrib/ipfilter/ipsd/snit.c
+++ b/contrib/ipfilter/ipsd/snit.c
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1992-1997 Darren Reed. (from tcplog)
+ * (C)opyright 1992-1998 Darren Reed. (from tcplog)
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/ipsend/.OLD/ip_compat.h b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
new file mode 100644
index 0000000..c38fa59
--- /dev/null
+++ b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
@@ -0,0 +1,242 @@ +/* + * (C)opyright 1995 by Darren Reed. + * + * This code may be freely distributed as long as it retains this notice + * and is not changed in any way. The author accepts no responsibility + * for the use of this software. I hate legaleese, don't you ? + * + * @(#)ip_compat.h 1.2 12/7/95 + */ + +/* + * These #ifdef's are here mainly for linux, but who knows, they may + * not be in other places or maybe one day linux will grow up and some + * of these will turn up there too. + */ +#ifndef ICMP_UNREACH +# define ICMP_UNREACH ICMP_DEST_UNREACH +#endif +#ifndef ICMP_SOURCEQUENCH +# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH +#endif +#ifndef ICMP_TIMXCEED +# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED +#endif +#ifndef ICMP_PARAMPROB +# define ICMP_PARAMPROB ICMP_PARAMETERPROB +#endif +#ifndef IPVERSION +# define IPVERSION 4 +#endif +#ifndef IPOPT_MINOFF +# define IPOPT_MINOFF 4 +#endif +#ifndef IPOPT_COPIED +# define IPOPT_COPIED(x) ((x)&0x80) +#endif +#ifndef IPOPT_EOL +# define IPOPT_EOL 0 +#endif +#ifndef IPOPT_NOP +# define IPOPT_NOP 1 +#endif +#ifndef IP_MF +# define IP_MF ((u_short)0x2000) +#endif +#ifndef ETHERTYPE_IP +# define ETHERTYPE_IP ((u_short)0x0800) +#endif +#ifndef TH_FIN +# define TH_FIN 0x01 +#endif +#ifndef TH_SYN +# define TH_SYN 0x02 +#endif +#ifndef TH_RST +# define TH_RST 0x04 +#endif +#ifndef TH_PUSH +# define TH_PUSH 0x08 +#endif +#ifndef TH_ACK +# define TH_ACK 0x10 +#endif +#ifndef TH_URG +# define TH_URG 0x20 +#endif +#ifndef IPOPT_EOL +# define IPOPT_EOL 0 +#endif +#ifndef IPOPT_NOP +# define IPOPT_NOP 1 +#endif +#ifndef IPOPT_RR +# define IPOPT_RR 7 +#endif +#ifndef IPOPT_TS +# define IPOPT_TS 68 +#endif +#ifndef IPOPT_SECURITY +# define IPOPT_SECURITY 130 +#endif +#ifndef IPOPT_LSRR +# define IPOPT_LSRR 131 +#endif +#ifndef IPOPT_SATID +# define IPOPT_SATID 136 +#endif +#ifndef IPOPT_SSRR +# define IPOPT_SSRR 137 +#endif +#ifndef IPOPT_SECUR_UNCLASS +# define IPOPT_SECUR_UNCLASS ((u_short)0x0000) +#endif +#ifndef 
IPOPT_SECUR_CONFID +# define IPOPT_SECUR_CONFID ((u_short)0xf135) +#endif +#ifndef IPOPT_SECUR_EFTO +# define IPOPT_SECUR_EFTO ((u_short)0x789a) +#endif +#ifndef IPOPT_SECUR_MMMM +# define IPOPT_SECUR_MMMM ((u_short)0xbc4d) +#endif +#ifndef IPOPT_SECUR_RESTR +# define IPOPT_SECUR_RESTR ((u_short)0xaf13) +#endif +#ifndef IPOPT_SECUR_SECRET +# define IPOPT_SECUR_SECRET ((u_short)0xd788) +#endif +#ifndef IPOPT_SECUR_TOPSECRET +# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5) +#endif + +#ifdef linux +# if LINUX < 0200 +# define icmp icmphdr +# define icmp_type type +# define icmp_code code +# endif + +/* + * From /usr/include/netinet/ip_var.h + * !%@#!$@# linux... + */ +struct ipovly { + caddr_t ih_next, ih_prev; /* for protocol sequence q's */ + u_char ih_x1; /* (unused) */ + u_char ih_pr; /* protocol */ + short ih_len; /* protocol length */ + struct in_addr ih_src; /* source internet address */ + struct in_addr ih_dst; /* destination internet address */ +}; + +typedef struct { + __u16 th_sport; + __u16 th_dport; + __u32 th_seq; + __u32 th_ack; +# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ + defined(vax) + __u8 th_res:4; + __u8 th_off:4; +#else + __u8 th_off:4; + __u8 th_res:4; +#endif + __u8 th_flags; + __u16 th_win; + __u16 th_sum; + __u16 th_urp; +} tcphdr_t; + +typedef struct { + __u16 uh_sport; + __u16 uh_dport; + __s16 uh_ulen; + __u16 uh_sum; +} udphdr_t; + +typedef struct { +# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ + defined(vax) + __u8 ip_hl:4; + __u8 ip_v:4; +# else + __u8 ip_hl:4; + __u8 ip_v:4; +# endif + __u8 ip_tos; + __u16 ip_len; + __u16 ip_id; + __u16 ip_off; + __u8 ip_ttl; + __u8 ip_p; + __u16 ip_sum; + struct in_addr ip_src; + struct in_addr ip_dst; +} ip_t; + +typedef struct { + __u8 ether_dhost[6]; + __u8 ether_shost[6]; + __u16 ether_type; +} ether_header_t; + +typedef struct icmp { + u_char icmp_type; /* type of message, see below */ + u_char icmp_code; /* type sub code */ + u_short 
icmp_cksum; /* ones complement cksum of struct */ + union { + u_char ih_pptr; /* ICMP_PARAMPROB */ + struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ + struct ih_idseq { + n_short icd_id; + n_short icd_seq; + } ih_idseq; + int ih_void; + } icmp_hun; +#define icmp_pptr icmp_hun.ih_pptr +#define icmp_gwaddr icmp_hun.ih_gwaddr +#define icmp_id icmp_hun.ih_idseq.icd_id +#define icmp_seq icmp_hun.ih_idseq.icd_seq +#define icmp_void icmp_hun.ih_void + union { + struct id_ts { + n_time its_otime; + n_time its_rtime; + n_time its_ttime; + } id_ts; + struct id_ip { + ip_t idi_ip; + /* options and then 64 bits of data */ + } id_ip; + u_long id_mask; + char id_data[1]; + } icmp_dun; +#define icmp_otime icmp_dun.id_ts.its_otime +#define icmp_rtime icmp_dun.id_ts.its_rtime +#define icmp_ttime icmp_dun.id_ts.its_ttime +#define icmp_ip icmp_dun.id_ip.idi_ip +#define icmp_mask icmp_dun.id_mask +#define icmp_data icmp_dun.id_data +} icmphdr_t; + +# define bcopy(a,b,c) memmove(b,a,c) +# define bcmp(a,b,c) memcmp(a,b,c) + +# define ifnet device + +#else + +typedef struct udphdr udphdr_t; +typedef struct tcphdr tcphdr_t; +typedef struct ip ip_t; +typedef struct ether_header ether_header_t; + +#endif + +#if defined(__SVR4) || defined(__svr4__) +# define bcopy(a,b,c) memmove(b,a,c) +# define bcmp(a,b,c) memcmp(a,b,c) +# define bzero(a,b) memset(a,0,b) +#endif diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c index 290e676..f19fe5f 100644 --- a/contrib/ipfilter/ipsend/44arp.c +++ b/contrib/ipfilter/ipsend/44arp.c @@ -26,6 +26,7 @@ # include <net/if_var.h> #endif #include "ipsend.h" +#include "iplang/iplang.h" /* @@ -65,6 +66,11 @@ char *addr, *eaddr; struct sockaddr_inarp *sin; struct sockaddr_dl *sdl; +#ifdef IPSEND + if (arp_getipv4(ip, ether) == 0) + return 0; +#endif + mib[0] = CTL_NET; mib[1] = PF_ROUTE; mib[2] = 0; diff --git a/contrib/ipfilter/ipsend/Makefile b/contrib/ipfilter/ipsend/Makefile index 49fdb67..bb8000f 100644 
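Review bot: The new `#ifdef IPSEND` shortcut in 44arp.c returns 0 as soon as `arp_getipv4(ip, ether)` succeeds, but the `#include "iplang/iplang.h"` that presumably declares it is added unconditionally in the earlier hunk, so builds compiled without -DIPSEND (the ipresend and iptest recipes in the ipsend Makefile pass CFLAGS without it) now depend on a header they do not use; wrapping the include in the same `#ifdef IPSEND` keeps those targets independent of iplang. The same pair of changes is made in contrib/ipfilter/ipsend/arp.c further down, where the shortcut is also placed ahead of the ipsave/ethersave cache check — presumably intended, so that an address from the iplang table wins over a cached system entry, and a comment such as `/* IPSEND: addresses defined in the iplang script take precedence over the system ARP table */` would make that explicit. Whether arp_getipv4() returns 0 only on a hit is not visible here, and the enclosing function starts outside the hunk.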
--- a/contrib/ipfilter/ipsend/Makefile +++ b/contrib/ipfilter/ipsend/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 1993-1997 by Darren Reed. +# Copyright (C) 1993-1998 by Darren Reed. # # Redistribution and use in source and binary forms are permitted # provided that this notice is preserved and due credit is given @@ -67,7 +67,7 @@ install: bpf sunos4-bpf : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \ - "CFLAGS=$(CFLAGS) -DDOSOCKET" "LLIB=-ll" + "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll" make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \ "CFLAGS=$(CFLAGS) -DDOSOCKET" make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \ @@ -75,7 +75,7 @@ bpf sunos4-bpf : nit sunos4 sunos4-nit : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \ - "CFLAGS=$(CFLAGS) -DDOSOCKET" "LLIB=-ll" + "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll" make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \ "CFLAGS=$(CFLAGS) -DDOSOCKET" make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \ @@ -83,7 +83,8 @@ nit sunos4 sunos4-nit : dlpi sunos5 : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \ - CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl" "LLIB=-ll" + CFLAGS="$(CFLAGS) -Dsolaris -DIPSEND" "LIBS=-lsocket -lnsl" \ + "LLIB=-ll" make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \ CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl" make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \ @@ -91,7 +92,7 @@ dlpi sunos5 : bsd-bpf : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \ - "CFLAGS=$(CFLAGS) -DDOSOCKET" "LLIB=-ll" + "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll" make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \ "CFLAGS=$(CFLAGS) -DDOSOCKET" make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \ 
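Review bot: `-DIPSEND` is added by hand to the ipsend CFLAGS in seven recipes (the four hunks on this line plus the linuxrev, ultrix and hpux9 hunks that follow), so the next ipsend-only flag needs the same seven edits; one variable near the top, e.g. `IPSENDDEFS=-DIPSEND`, referenced as `"CFLAGS=$(CFLAGS) -DDOSOCKET $(IPSENDDEFS)"` in each recipe, keeps them in step. The recipes invoke the sub-build as literal `make` rather than `$(MAKE)` — pre-existing, but it drops -n and the jobserver on recursion and is cheap to fix while these lines are being touched. The mixed quoting (`"CFLAGS=..."` on the BSD targets versus `CFLAGS="..."` on sunos5 and linuxrev) is likewise pre-existing and behaves the same in sh, though a single form would read better.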
@@ -99,7 +100,7 @@ bsd-bpf : linuxrev : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \ - CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET" $(LINUXK) + CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET -DIPSEND" $(LINUXK) make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \ CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET" $(LINUXK) make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \ @@ -119,7 +120,7 @@ linux20: ultrix : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \ - CFLAGS="$(CFLAGS)" "LIBS=" "LLIB=-ll" + CFLAGS="$(CFLAGS) -DIPSEND" "LIBS=" "LLIB=-ll" make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \ CFLAGS="$(CFLAGS)" "LIBS=" make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \ @@ -127,7 +128,7 @@ ultrix : hpux9 : make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \ - CFLAGS="$(CFLAGS)" "LIBS=" + CFLAGS="$(CFLAGS) -DIPSEND" "LIBS=" make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \ CFLAGS="$(CFLAGS)" "LIBS=" make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \ diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c index 27a27c3..e4159fa 100644 --- a/contrib/ipfilter/ipsend/arp.c +++ b/contrib/ipfilter/ipsend/arp.c @@ -1,5 +1,5 @@ /* - * arp.c (C) 1995-1997 Darren Reed + * arp.c (C) 1995-1998 Darren Reed * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: arp.c,v 2.0.2.6 1997/09/28 07:13:25 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: arp.c,v 2.1 1999/08/04 17:31:03 darrenr Exp $"; #endif #include <stdio.h> #include <errno.h> 
@@ -20,6 +20,7 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.0.2.6 1997/09/28 07:13:25 darren #include <netdb.h> #include <netinet/in.h> #include <net/if.h> +#include <netinet/if_ether.h> #ifndef ultrix #include <net/if_arp.h> #endif @@ -27,6 +28,7 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.0.2.6 1997/09/28 07:13:25 darren #include <netinet/ip_var.h> #include <netinet/tcp.h> #include "ipsend.h" +#include "iplang/iplang.h" /* @@ -71,6 +73,10 @@ char *ether; struct hostent *hp; int fd; +#ifdef IPSEND + if (arp_getipv4(ip, ether) == 0) + return 0; +#endif if (!bcmp(ipsave, ip, 4)) { bcopy(ethersave, ether, 6); return 0; diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c index e4e5dc3..42078e3 100644 --- a/contrib/ipfilter/ipsend/hpux.c +++ b/contrib/ipfilter/ipsend/hpux.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1997 Darren Reed. (from tcplog) + * (C)opyright 1997-1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index 6914924..e81c890 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -1,5 +1,5 @@ /* - * ip.c (C) 1995-1997 Darren Reed + * ip.c (C) 1995-1998 Darren Reed * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.3 1997/12/21 12:17:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $"; #endif #include <errno.h> #include <stdio.h> diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1 index 448fa41..ab90471 100644 --- a/contrib/ipfilter/ipsend/ipresend.1 +++ b/contrib/ipfilter/ipsend/ipresend.1 
@@ -44,6 +44,7 @@ MTU's without setting them so. .TP .BR \-r \0<filename> Specify the filename from which to take input. Default is stdin. +.TP .B \-E The input file is to be text output from etherfind. The text formats which are currently supported are those which result from the following etherfind @@ -91,7 +92,7 @@ option combinations: .TP .B \-X The input file is composed of text descriptions of IP packets. -.TP +.DT .SH SEE ALSO snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p) .SH DIAGNOSTICS diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c index 4de8e41..bad0f67 100644 --- a/contrib/ipfilter/ipsend/ipresend.c +++ b/contrib/ipfilter/ipsend/ipresend.c @@ -1,5 +1,5 @@ /* - * ipresend.c (C) 1995-1997 Darren Reed + * ipresend.c (C) 1995-1998 Darren Reed * * This was written to test what size TCP fragments would get through * various TCP/IP packet filters, as used in IP firewalls. In certain @@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.0.2.9 1997/10/12 09:48:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1 1999/08/04 17:31:05 darrenr Exp $"; #endif #include <stdio.h> #include <stdlib.h> diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index 5f0ca43..87c36d5 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -1,5 +1,5 @@ /* - * ipsend.c (C) 1995-1997 Darren Reed + * ipsend.c (C) 1995-1998 Darren Reed * * This was written to test what size TCP fragments would get through * various TCP/IP packet filters, as used in IP firewalls. In certain 
@@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.1 1999/08/04 17:31:06 darrenr Exp $"; #endif #include <stdio.h> #include <stdlib.h> diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h index a2ff49c..e2f8ff8 100644 --- a/contrib/ipfilter/ipsend/ipsend.h +++ b/contrib/ipfilter/ipsend/ipsend.h @@ -1,5 +1,5 @@ /* - * ipsend.h (C) 1997 Darren Reed + * ipsend.h (C) 1997-1998 Darren Reed * * This was written to test what size TCP fragments would get through * various TCP/IP packet filters, as used in IP firewalls. In certain @@ -64,4 +64,6 @@ extern int kmemcpy __P((char *, void *, int)); #define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c)) +#ifndef OPT_RAW #define OPT_RAW 0x80000 +#endif diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c index 3c9a21d..2827c77 100644 --- a/contrib/ipfilter/ipsend/ipsopt.c +++ b/contrib/ipfilter/ipsend/ipsopt.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.0.2.10 1997/09/28 07:13:28 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr Exp $"; #endif #include <stdio.h> #include <string.h> diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c index 415e4fc..c1f42d2 100644 --- a/contrib/ipfilter/ipsend/iptest.c +++ b/contrib/ipfilter/ipsend/iptest.c 
@@ -1,5 +1,5 @@ /* - * ipsend.c (C) 1995-1997 Darren Reed + * ipsend.c (C) 1995-1998 Darren Reed * * This was written to test what size TCP fragments would get through * various TCP/IP packet filters, as used in IP firewalls. In certain @@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8.2.1 1997/11/28 03:36:18 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptest.c,v 2.1 1999/08/04 17:31:08 darrenr Exp $"; #endif #include <stdio.h> #include <netdb.h> diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index 16c830a..0eb263b 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17:38 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1 1999/08/04 17:31:09 darrenr Exp $"; #endif #include <stdio.h> #include <unistd.h> @@ -16,12 +16,18 @@ static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17: #include <sys/types.h> #include <sys/time.h> #include <sys/param.h> +#define _KERNEL +#define KERNEL #if !defined(solaris) && !defined(linux) && !defined(__sgi) -# define _KERNEL -# define KERNEL # include <sys/file.h> -# undef _KERNEL -# undef KERNEL +#else +# ifdef solaris +# include <sys/dditypes.h> +# endif +#endif +#undef _KERNEL +#undef KERNEL +#if !defined(solaris) && !defined(linux) && !defined(__sgi) # include <nlist.h> # include <sys/user.h> # include <sys/proc.h> 
diff --git a/contrib/ipfilter/ipsend/larp.c b/contrib/ipfilter/ipsend/larp.c index 7d38ddf..d64e701 100644 --- a/contrib/ipfilter/ipsend/larp.c +++ b/contrib/ipfilter/ipsend/larp.c @@ -1,5 +1,5 @@ /* - * larp.c (C) 1995-1997 Darren Reed + * larp.c (C) 1995-1998 Darren Reed * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: larp.c,v 2.0.2.3 1997/09/28 07:13:31 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: larp.c,v 2.1 1999/08/04 17:31:10 darrenr Exp $"; #endif #include <stdio.h> #include <errno.h> @@ -19,6 +19,9 @@ static const char rcsid[] = "@(#)$Id: larp.c,v 2.0.2.3 1997/09/28 07:13:31 darre #include <net/if.h> #include <net/if_arp.h> +#include "ip_compat.h" +#include "iplang/iplang.h" + /* * lookup host and return * its IP address in address @@ -59,6 +62,10 @@ char *ether; struct sockaddr_in *sin; char *inet_ntoa(); +#ifdef IP_SEND + if (arp_getipv4(ip, ether) == 0) + return 0; +#endif bzero((char *)&ar, sizeof(ar)); sin = (struct sockaddr_in *)&ar.arp_pa; sin->sin_family = AF_INET; diff --git a/contrib/ipfilter/ipsend/linux.h b/contrib/ipfilter/ipsend/linux.h index c7bb5a5..ae2e05f 100644 --- a/contrib/ipfilter/ipsend/linux.h +++ b/contrib/ipfilter/ipsend/linux.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 1995-1997 by Darren Reed. + * Copyright (C) 1995-1998 by Darren Reed. * * This code may be freely distributed as long as it retains this notice * and is not changed in any way. The author accepts no responsibility diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c index db81dfd..a430e19 100644 --- a/contrib/ipfilter/ipsend/lsock.c +++ b/contrib/ipfilter/ipsend/lsock.c 
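Review bot: The guard added in larp.c tests `#ifdef IP_SEND`, but the matching guards added to 44arp.c and arp.c in this commit test `IPSEND`, and the ipsend Makefile passes `-DIPSEND`, so on Linux the `arp_getipv4()` lookup is never compiled in. The line should read `#ifdef IPSEND`. The enclosing function starts before this hunk and continues past it.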
@@ -1,5 +1,5 @@ /* - * lsock.c (C) 1995-1997 Darren Reed + * lsock.c (C) 1995-1998 Darren Reed * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: lsock.c,v 2.0.2.7 1997/09/28 07:13:32 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1 1999/08/04 17:31:11 darrenr Exp $"; #endif #include <stdio.h> #include <unistd.h> diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index dcf7cc7..e4397ce 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c @@ -1,5 +1,5 @@ /* - * resend.c (C) 1995-1997 Darren Reed + * resend.c (C) 1995-1998 Darren Reed * * This was written to test what size TCP fragments would get through * various TCP/IP packet filters, as used in IP firewalls. In certain @@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.0.2.12 1997/10/23 11:42:46 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $"; #endif #include <stdio.h> #include <netdb.h> @@ -41,7 +41,7 @@ static const char rcsid[] = "@(#)$Id: resend.c,v 2.0.2.12 1997/10/23 11:42:46 da extern int opts; -static u_char buf[65536]; /* 1 big packet */ +static u_char pbuf[65536]; /* 1 big packet */ void printpacket __P((ip_t *)); @@ -95,7 +95,7 @@ char *datain; if (fd < 0) exit(-1); - ip = (struct ip *)buf; + ip = (struct ip *)pbuf; eh = (ether_header_t *)malloc(sizeof(*eh)); bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); 
@@ -105,7 +105,7 @@ char *datain; return -2; } - while ((i = (*r->r_readip)(buf, sizeof(buf), NULL, NULL)) > 0) + while ((i = (*r->r_readip)((char *)pbuf, sizeof(pbuf), NULL, NULL)) > 0) { if (!(opts & OPT_RAW)) { len = ntohs(ip->ip_len); @@ -127,7 +127,7 @@ char *datain; len += sizeof(*eh); printpacket(ip); } else { - eh = (ether_header_t *)buf; + eh = (ether_header_t *)pbuf; len = i; } diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c index d3df96f..f84deb9 100644 --- a/contrib/ipfilter/ipsend/sbpf.c +++ b/contrib/ipfilter/ipsend/sbpf.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1995-1997 Darren Reed. (from tcplog) + * (C)opyright 1995-1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -24,7 +24,11 @@ #if BSD < 199103 #include <sys/fcntlcom.h> #endif -#include <sys/dir.h> +#if (__FreeBSD_version >= 300000) +# include <sys/dirent.h> +#else +# include <sys/dir.h> +#endif #include <net/bpf.h> #include <net/if.h> @@ -39,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.0.2.7 1997/10/23 11:42:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $"; #endif /* diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c index 1f181c2..3d797c1 100644 --- a/contrib/ipfilter/ipsend/sdlpi.c +++ b/contrib/ipfilter/ipsend/sdlpi.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1992-1997 Darren Reed. (from tcplog) + * (C)opyright 1992-1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -40,7 +40,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.0.2.6 1997/10/15 14:49:14 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $"; #endif #define CHUNKSIZE 8192 diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c index a1933e0..5317a90 100644 --- a/contrib/ipfilter/ipsend/sirix.c +++ b/contrib/ipfilter/ipsend/sirix.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1992-1997 Darren Reed. + * (C)opyright 1992-1998 Darren Reed. * (C)opyright 1997 Marc Boucher. * * Redistribution and use in source and binary forms are permitted diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c index 29dbcd9..353f3ad 100644 --- a/contrib/ipfilter/ipsend/slinux.c +++ b/contrib/ipfilter/ipsend/slinux.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1992-1997 Darren Reed. (from tcplog) + * (C)opyright 1992-1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -29,7 +29,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95"; -static const char rcsid[] = "@(#)$Id: slinux.c,v 2.0.2.6 1997/09/28 07:13:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1 1999/08/04 17:31:14 darrenr Exp $"; #endif #define CHUNKSIZE 8192 diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c index 65b8e67..40aaae5 100644 --- a/contrib/ipfilter/ipsend/snit.c +++ b/contrib/ipfilter/ipsend/snit.c @@ -1,5 +1,5 @@ /* - * (C)opyright 1992-1997 Darren Reed. (from tcplog) + * (C)opyright 1992-1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -40,7 +40,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: snit.c,v 2.0.2.4 1997/09/28 07:13:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: snit.c,v 2.1 1999/08/04 17:31:15 darrenr Exp $"; #endif #define CHUNKSIZE 8192 diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index fc4e866..cef71fe 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -1,5 +1,5 @@ /* - * sock.c (C) 1995-1997 Darren Reed + * sock.c (C) 1995-1998 Darren Reed * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.1 1999/08/04 17:31:16 darrenr Exp $"; #endif #include <stdio.h> #include <unistd.h> @@ -22,7 +22,11 @@ static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 d #ifndef ultrix #include <fcntl.h> #endif -#include <sys/dir.h> +#if (__FreeBSD_version >= 300000) +# include <sys/dirent.h> +#else +# include <sys/dir.h> +#endif #define _KERNEL #define KERNEL #ifdef ultrix diff --git a/contrib/ipfilter/ipsend/tcpip.h b/contrib/ipfilter/ipsend/tcpip.h index d92d9f8..c735593 100644 --- a/contrib/ipfilter/ipsend/tcpip.h +++ b/contrib/ipfilter/ipsend/tcpip.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcpip.h 8.1 (Berkeley) 6/10/93 - * $Id: tcpip.h,v 2.0.2.3.2.1 1997/11/12 11:01:12 darrenr Exp $ + * $Id: tcpip.h,v 2.1 1999/08/04 17:31:16 darrenr Exp $ */ #ifndef _NETINET_TCPIP_H_ diff --git a/contrib/ipfilter/ipsend/ultrix.c b/contrib/ipfilter/ipsend/ultrix.c index 186d269..ffab2ce 100644 --- a/contrib/ipfilter/ipsend/ultrix.c +++ b/contrib/ipfilter/ipsend/ultrix.c 
@@ -1,5 +1,5 @@ /* - * (C)opyright 1997 Darren Reed. (from tcplog) + * (C)opyright 1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c index adf0f91..c87b5b2 100644 --- a/contrib/ipfilter/ipt.c +++ b/contrib/ipfilter/ipt.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -48,12 +48,14 @@ #include "ip_compat.h" #include <netinet/tcpip.h> #include "ip_fil.h" +#include "ip_nat.h" +#include "ip_state.h" #include "ipf.h" #include "ipt.h" #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipt.c,v 2.0.2.12.2.1 1997/11/12 10:58:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipt.c,v 2.1 1999/08/04 17:30:08 darrenr Exp $"; #endif extern char *optarg; @@ -61,6 +63,7 @@ extern struct frentry *ipfilter[2][2]; extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; extern struct ifnet *get_unit __P((char *)); extern void init_ifp __P((void)); +extern ipnat_t *natparse __P((char *, int)); int opts = 0; int main __P((int, char *[])); @@ -70,13 +73,13 @@ int argc; char *argv[]; { struct ipread *r = &iptext; - u_long buf[64]; + u_long buf[2048]; struct ifnet *ifp; char *rules = NULL, *datain = NULL, *iface = NULL; ip_t *ip; int fd, i, dir = 0, c; - while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) + while ((c = getopt(argc, argv, "bdEHi:I:NoPr:STvX")) != -1) switch (c) { case 'b' : @@ -106,6 +109,9 @@ char *argv[]; case 'H' : r = &iphex; break; + case 'N' : + opts |= OPT_NAT; + break; case 'P' : r = &pcap; break; 
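Review bot: The `N` added to the getopt string and the `case 'N'` that sets `OPT_NAT` have no accompanying usage text in these hunks; if usage() and the ipftest man page are updated elsewhere in the commit that is fine, otherwise the new flag is invisible to users. A comment at the case would also help, since its effect only becomes visible at the natparse() call further down, e.g. `case 'N' : /* read the rule file as NAT rules (natparse) instead of filter rules */`. main() begins in this hunk and continues past it.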
@@ -125,12 +131,15 @@ char *argv[]; exit(-1); } + nat_init(); + fr_stateinit(); initparse(); if (rules) { - struct frentry *fr; char line[513], *s; + void *fr; FILE *fp; + int linenum = 0; if (!strcmp(rules, "-")) fp = stdin; @@ -141,6 +150,7 @@ char *argv[]; if (!(opts & OPT_BRIEF)) (void)printf("opening rule file \"%s\"\n", rules); while (fgets(line, sizeof(line)-1, fp)) { + linenum++; /* * treat both CR and LF as EOL */ @@ -157,14 +167,27 @@ char *argv[]; if (!*line) continue; - if (!(fr = parse(line))) - continue; /* fake an `ioctl' call :) */ - i = IPL_EXTERN(ioctl)(0, SIOCADDFR, (caddr_t)fr, FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, - "iplioctl(SIOCADDFR,%p,1) = %d\n", - fr, i); + + if ((opts & OPT_NAT) != 0) { + if (!(fr = natparse(line, linenum))) + continue; + i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, + fr, FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADNAT,%p,1) = %d\n", + fr, i); + } else { + if (!(fr = parse(line, linenum))) + continue; + i = IPL_EXTERN(ioctl)(0, SIOCADDFR, fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADDFR,%p,1) = %d\n", + fr, i); + } } (void)fclose(fp); } 
@@ -186,26 +209,30 @@ char *argv[]; ifp = iface ? get_unit(iface) : NULL; ip->ip_off = ntohs(ip->ip_off); ip->ip_len = ntohs(ip->ip_len); - switch (fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf)) - { - case -2 : - (void)printf("auth"); - break; - case -1 : - (void)printf("block"); - break; - case 0 : - (void)printf("pass"); - break; - case 1 : - (void)printf("nomatch"); - break; - } + i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf); + if ((opts & OPT_NAT) == 0) + switch (i) + { + case -2 : + (void)printf("auth"); + break; + case -1 : + (void)printf("block"); + break; + case 0 : + (void)printf("pass"); + break; + case 1 : + (void)printf("nomatch"); + break; + } + if (!(opts & OPT_BRIEF)) { putchar(' '); printpacket((ip_t *)buf); printf("--------------"); - } + } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF)) + printpacket((ip_t *)buf); #ifndef linux if (dir && ifp && ip->ip_v) # ifdef __sgi @@ -214,7 +241,8 @@ char *argv[]; (*ifp->if_output)(ifp, (void *)buf, NULL, 0); # endif #endif - putchar('\n'); + if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF)) + putchar('\n'); dir = 0; } (*r->r_close)(); diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h index 650700c..9184090 100644 --- a/contrib/ipfilter/ipt.h +++ b/contrib/ipfilter/ipt.h 
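Review bot: When OPT_NAT is set the result of `fr_check()` stored in `i` is never reported: the verdict switch is skipped and `i` is not used again in the hunk, so a packet the filter would have blocked prints exactly like one that passed. If that is intentional because no filter rules are loaded in NAT mode, a comment would stop it being read as an oversight, e.g. `/* NAT mode: report the rewritten packet only, not the filter verdict */` above `if ((opts & OPT_NAT) == 0)`. With OPT_NAT set and OPT_BRIEF clear, the `putchar(' ')` also still emits a leading space with no verdict in front of it. main() begins before this hunk and continues past the second one.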
@@ -1,22 +1,26 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: ipt.h,v 2.0.2.7 1997/09/28 07:12:00 darrenr Exp $ + * $Id: ipt.h,v 2.1 1999/08/04 17:30:08 darrenr Exp $ */ #ifndef __IPT_H__ #define __IPT_H__ -#include <fcntl.h> -#ifdef __STDC__ -#include <stdarg.h> -#else -#include <varargs.h> +#ifndef __P +# define P_DEF +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif #endif +#include <fcntl.h> + struct ipread { int (*r_open) __P((char *)); @@ -27,4 +31,9 @@ struct ipread { extern void debug __P((char *, ...)); extern void verbose __P((char *, ...)); +#ifdef P_DEF +# undef __P +# undef P_DEF +#endif + #endif /* __IPT_H__ */ diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c index 75d8a80..1dd6890 100644 --- a/contrib/ipfilter/kmem.c +++ b/contrib/ipfilter/kmem.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -20,7 +20,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 2.0.2.5 1997/10/23 14:50:53 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 2.1 1999/08/04 17:30:09 darrenr Exp $"; #endif static int kmemfd = -1; 
@@ -65,3 +65,38 @@ register int n; } return 0; } + +int kstrncpy(buf, pos, n) +register char *buf; +long pos; +register int n; +{ + register int r; + + if (!n) + return 0; + if (kmemfd == -1) + if (openkmem() == -1) + return -1; + if (lseek(kmemfd, pos, 0) == -1) + { + perror("kmemcpy:lseek"); + return -1; + } + while (n > 0) { + r = read(kmemfd, buf, 1); + if (r <= 0) + { + perror("kmemcpy:read"); + return -1; + } + else + { + if (*buf == '\0') + break; + buf++; + n--; + } + } + return 0; +} diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h index 13e1f3c..33ba8da 100644 --- a/contrib/ipfilter/kmem.h +++ b/contrib/ipfilter/kmem.h @@ -1,10 +1,10 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: kmem.h,v 2.0.2.6 1997/09/28 07:12:02 darrenr Exp $ + * $Id: kmem.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $ */ #ifndef __KMEM_H__ @@ -19,7 +19,16 @@ #endif extern int openkmem __P((void)); extern int kmemcpy __P((char *, long, int)); +extern int kstrncpy __P((char *, long, int)); -#define KMEM "/dev/kmem" +#if defined(__NetBSD__) || defined(__OpenBSD) +# include <paths.h> +#endif + +#ifdef _PATH_KMEM +# define KMEM _PATH_KMEM +#else +# define KMEM "/dev/kmem" +#endif #endif /* __KMEM_H__ */ diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h index 63f400a..61fd821 100644 --- a/contrib/ipfilter/linux.h +++ b/contrib/ipfilter/linux.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
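Review bot: kstrncpy() leaves `buf` without a NUL terminator when it consumes all `n` bytes before seeing '\0' — the loop at the end of the hunk simply exits with n == 0 — so a caller that treats the result as a C string reads past the buffer. Reserving the last byte and terminating unconditionally fixes that: loop with `while (n > 1) {` and follow the loop with `*buf = '\0';`. The perror() labels in the new function still say `kmemcpy:lseek` and `kmemcpy:read`, which will attribute failures to the wrong function; use `kstrncpy:`. Reading /dev/kmem one byte per read(2) call is correct but expensive for long strings.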
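Review bot: The new OS test reads `defined(__OpenBSD)`, which does not match the `__NetBSD__` spelling beside it; the macro OpenBSD compilers predefine is `__OpenBSD__`, so on OpenBSD `<paths.h>` is never included and KMEM silently falls back to the literal `"/dev/kmem"`. Change the line to `#if defined(__NetBSD__) || defined(__OpenBSD__)`. The `_PATH_KMEM` fallback below it then behaves the same on both systems.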
@@ -7,7 +7,7 @@ * responsibility and is not changed in any way. * * I hate legaleese, don't you ? - * $Id: linux.h,v 2.0.2.4 1997/09/28 07:12:03 darrenr Exp $ + * $Id: linux.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $ */ #include <linux/config.h> diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile index 972fbf5..5e029de 100644 --- a/contrib/ipfilter/man/Makefile +++ b/contrib/ipfilter/man/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 1993-1997 by Darren Reed. +# Copyright (C) 1993-1998 by Darren Reed. # # Redistribution and use in source and binary forms are permitted # provided that this notice is preserved and due credit is given diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4 index 3519d52..eb836e7 100644 --- a/contrib/ipfilter/man/ipf.4 +++ b/contrib/ipfilter/man/ipf.4 @@ -25,7 +25,19 @@ However, the full complement is as follows: ioctl(fd, SIOCRMIFR, struct frentry *) ioctl(fd, SIOCINAFR, struct frentry *) ioctl(fd, SIOCINIFR, struct frentry *) + ioctl(fd, SIOCSETFF, u_int *) + ioctl(fd, SIOGGETFF, u_int *) + ioctl(fd, SIOCGETFS, struct friostat *) ioctl(fd, SIOCIPFFL, int *) + ioctl(fd, SIOCIPFFB, int *) + ioctl(fd, SIOCSWAPA, u_int *) + ioctl(fd, SIOCFRENB, u_int *) + ioctl(fd, SIOCFRSYN, u_int *) + ioctl(fd, SIOCFRZST, struct friostat *) + ioctl(fd, SIOCZRLST, struct frentry *) + ioctl(fd, SIOCAUTHW, struct fr_info *) + ioctl(fd, SIOCAUTHR, struct fr_info *) + ioctl(fd, SIOCATHST, struct fr_authstat *) .fi .PP The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists, 
@@ -44,21 +56,24 @@ which it is inserted is stored in the "fr_hits" field, below. typedef struct frentry { struct frentry *fr_next; u_short fr_group; /* group to which this rule belongs */ - u_short fr_head; /* group # which this rule starts */ + u_short fr_grhead; /* group # which this rule starts */ struct frentry *fr_grp; int fr_ref; /* reference count - for grouping */ - struct ifnet *fr_ifa; + void *fr_ifa; +#if BSD >= 199306 + void *fr_oifa; +#endif /* * These are only incremented when a packet matches this rule and * it is the last match */ - U_QUAD_T fr_hits; - U_QUAD_T fr_bytes; + U_QUAD_T fr_hits; + U_QUAD_T fr_bytes; /* * Fields after this may not change whilst in the kernel. */ struct fr_ip fr_ip; - struct fr_ip fr_mip; + struct fr_ip fr_mip; /* mask structure */ u_char fr_tcpfm; /* tcp flags mask */ u_char fr_tcpf; /* tcp flags */ @@ -67,16 +82,20 @@ typedef struct frentry { u_short fr_icmp; u_char fr_scmp; /* data for port comparisons */ - u_char fr_dcmp; + u_char fr_dcmp; u_short fr_dport; u_short fr_sport; - u_short fr_stop; /* top port for <> and >< */ + u_short fr_stop; /* top port for <> and >< */ u_short fr_dtop; /* top port for <> and >< */ - u_long fr_flags; /* per-rule flags && options (see below) */ - int fr_skip; /* # of rules to skip */ - int (*fr_func)(); /* call this function */ + u_32_t fr_flags; /* per-rule flags && options (see below) */ + u_short fr_skip; /* # of rules to skip */ + u_short fr_loglevel; /* syslog log facility + priority */ + int (*fr_func) __P((int, ip_t *, fr_info_t *)); char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; +#if BSD > 199306 + char fr_oifname[IFNAMSIZ]; +#endif struct frdest fr_tif; /* "to" interface */ struct frdest fr_dif; /* duplicate packet interfaces */ } frentry_t; 
@@ -101,7 +120,8 @@ Flags which are recognised in fr_pass: FR_LOGBODY 0x000020 /* log the body of packets too */ FR_LOGFIRST 0x000040 /* log only the first packet to match */ FR_RETRST 0x000080 /* return a TCP RST packet if blocked */ - FR__RETICMP 0x000100 /* return an ICMP packet if blocked */ + FR_RETICMP 0x000100 /* return an ICMP packet if blocked */ + FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */ FR_NOMATCH 0x000200 /* no match occured */ FR_ACCOUNT 0x000400 /* count packet bytes */ FR_KEEPFRAG 0x000800 /* keep fragment information */ @@ -137,9 +157,11 @@ comparisons) : The third ioctl, SIOCIPFFL, flushes either the input filter list, the output filter list or both and it returns the number of filters removed from the list(s). The values which it will take and recognise are FR_INQUE -and FR_OUTQUE (see above). +and FR_OUTQUE (see above). This ioctl is also implemented for +\fB/dev/ipstate\fP and will flush all state tables entries if passed 0 +or just all those which are not established if passed 1. -\fBGeneral Logging Flags\fP +.IP "\fBGeneral Logging Flags\fP" 0 There are two flags which can be set to log packets independantly of the rules used. These allow for packets which are either passed or blocked to be logged. To set (and clear)/get these flags, two ioctls are @@ -157,8 +179,7 @@ those provided (clearing/setting all in one). .IP SIOCGETFF 16 Takes a pointer to an unsigned integer as the parameter. A copy of the flags currently in used is copied to user space. -.LP -\fBFilter statistics\fP +.IP "\fBFilter statistics\fP" 0 Statistics on the various operations performed by this package on packets is kept inside the kernel. These statistics apply to packets traversing through the kernel. To retrieve this structure, use this ioctl: 
@@ -173,7 +194,12 @@ struct friostat { struct frentry *f_acctin[2]; struct frentry *f_acctout[2]; struct frentry *f_auth; - int f_active; + u_long f_froute[2]; + int f_active; /* 1 or 0 - active rule set */ + int f_defpass; /* default pass - from fr_pass */ + int f_running; /* 1 if running, else 0 */ + int f_logging; /* 1 if enabled, else 0 */ + char f_version[32]; /* version string */ }; struct filterstats { @@ -195,12 +221,28 @@ struct filterstats { u_long fr_chit; /* cached hit */ u_long fr_pull[2]; /* good and bad pullup attempts */ #if SOLARIS + u_long fr_notdata; /* PROTO/PCPROTO that have no data */ + u_long fr_nodata; /* mblks that have no data */ u_long fr_bad; /* bad IP packets to the filter */ u_long fr_notip; /* packets passed through no on ip queue */ u_long fr_drop; /* packets dropped - no info for them! */ #endif }; .fi +If we wanted to retrieve all the statistics and reset the counters back to +0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS. +In addition to the statistics above, each rule keeps a hit count, counting +both number of packets and bytes. To reset these counters for a rule, +load the various rule information into a frentry structure and call +SIOCZRLST. +.IP "Swapping Active lists" 0 +IP Filter supports two lists of rules for filtering and accounting: an +active list and an inactive list. This allows for large scale rule base +changes to be put in place atomically with otherwise minimal interruption. +Which of the two is active can be changed using the SIOCSWAPA ioctl. It +is important to note that no passed argument is recognised and that the +value returned is that of the list which is now inactive. +.br .SH FILES /dev/ipauth .br diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index 79ab393..efc9b63 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 
@@ -31,17 +31,18 @@ proto = "proto" protocol . ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] . group = [ "head" decnumber ] [ "group" decnumber ] . -block = "block" [ "return-icmp"[return-code] | "return-rst" ] . +block = "block" [ icmp[return-code] | "return-rst" ] . auth = "auth" | "preauth" . -log = "log" [ "body" ] [ "first" ] [ "or-block" ] . +log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . froute = "fastroute" | "to" interface-name . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . -fromto = "from" object "to" object . +fromto = "from" [ "!" ] object "to" [ "!" ] object . +icmp = "return-icmp" | "return-icmp-as-dest" . object = addr [ port-comp | port-range ] . addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . port-comp = "port" compare port-num . @@ -51,6 +52,7 @@ with = "with" | "and" . icmp = "icmp-type" icmp-type [ "code" decnumber ] . return-code = "("icmp-code")" . keep = "keep" "state" | "keep" "frags" . +loglevel = facility"."priority | priority . nummask = host-name [ "/" decnumber ] . host-name = ipaddr | hostname | "any" . @@ -74,6 +76,12 @@ icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" | optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" . +facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" | + "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" | + "audit" | "logalert" | "local0" | "local1" | "local2" | + "local3" | "local4" | "local5" | "local6" | "local7" . +priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" | + "info" | "debug" . hexnumber = "0" "x" hexstring . hexstring = hexdigit [ hexstring ] . 
@@ -118,11 +126,23 @@ actions are recognised: .B block indicates that the packet should be flagged to be dropped. In response to blocking a packet, the filter may be instructed to send a reply -packet, either an ICMP packet (\fBreturn-icmp\fP) or a TCP "reset" -(\fBreturn-rst\fP). An ICMP packet may be generated in response to -any IP packet, and its type may optionally be specified, but a TCP -reset may only be used with a rule which is being applied to TCP -packets. +packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet +masquerading as being from the original packet's destination +(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An +ICMP packet may be generated in response to any IP packet, and its +type may optionally be specified, but a TCP reset may only be used +with a rule which is being applied to TCP packets. When using +\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify +the actual unreachable `type'. That is, whether it is a network +unreachable, port unreachable or even administratively +prohibitied. This is done by enclosing the ICMP code associated with +it in parenthesis directly following \fBreturn-icmp\fP or +\fBreturn-icmp-as-dest\fP as follows: +.nf + block return-icmp(11) ... +.fi +.PP +Would return a Type-Of-Service (TOS) ICMP unreachable error. .TP .B pass will flag the packet to be let through the filter. 
@@ -145,10 +165,27 @@ feature is for use by knowledgeable hackers, and is not currently documented. .TP .B "skip <n>" +causes the filter to skip over the next \fIn\fP filter rules. If a rule is +inserted or deleted inside the region being skipped over, then the value of +\fIn\fP is adjusted appropriately. .TP .B auth +this allows authentication to be performed by a user-space program running +and waiting for packet information to validate. The packet is held for a +period of time in an internal buffer whilst it waits for the program to return +to the kernel the \fIreal\fP flags for whether it should be allowed through +or not. Such a program might look at the source address and request some sort +of authentication from the user (such as a password) before allowing the +packet through or telling the kernel to drop it if from an unrecognised source. .TP .B preauth +tells the filter that for packets of this class, it should look in the +pre-authenticated list for further clarification. If no further matching +rule is found, the packet will be dropped (the FR_PREAUTH is not the same +as FR_PASS). If a further matching rule is found, the result from that is +used in its instead. This might be used in a situation where a person +\fIlogs in\fP to the firewall and it sets up some temporary rules defining +the access for that person. .PP The next word must be either \fBin\fP or \fBout\fP. Each packet moving through the kernel is either inbound (just been received on an 
@@ -195,7 +232,10 @@ which the specified source address would be expected, others may be logged and/or dropped. .TP .B dup-to -causes the packet to be copied, and the duplicate packet to be sent outbound on the specified interface, optionally with the destination IP address changed to that specified. This is useful for off-host logging, using a network sniffer. +causes the packet to be copied, and the duplicate packet to be sent +outbound on the specified interface, optionally with the destination +IP address changed to that specified. This is useful for off-host +logging, using a network sniffer. .TP .B to causes the packet to be moved to the outbound queue on the @@ -351,7 +391,7 @@ with which they are associated can be used. The most important from a security point of view is the ICMP redirect. .SH KEEP HISTORY .PP -The second last parameter which can be set for a filter rule is whether on not +The second last parameter which can be set for a filter rule is whether or not to record historical information for that packet, and what sort to keep. The following information can be kept: .TP 
@@ -394,10 +434,19 @@ indicates that the first 128 bytes of the packet contents will be logged after the headers. .TP .B first -?? +If log is being used in conjunction with a "keep" option, it is recommended +that this option is also applied so that only the triggering packet is logged +and not every packet which thereafter matches state information. .TP .B or-block -indicates that, if for some reason the filter is unable to log the packet (such as the log reader being too slow) then the rule should be interpreted as if the action was \fBblock\fP for this packet. +indicates that, if for some reason the filter is unable to log the +packet (such as the log reader being too slow) then the rule should be +interpreted as if the action was \fBblock\fP for this packet. +.TP +.B "level <loglevel>" +indicates what logging facility and priority, or just priority with +the default facility being used, will be used to log information about +this packet using ipmon's -s option. .PP See ipl(4) for the format of records written to this device. The ipmon(8) program can be used to read and format @@ -419,7 +468,7 @@ The "fall-through" rule parsing allows for effects such as this: .nf block in from any to any port < 6000 pass in from any to any port >= 6000 - block in from any to port > 6003 + block in from any to any port > 6003 .fi .PP which sets up the range 6000-6003 as being permitted and all others being @@ -446,9 +495,9 @@ all inbound packets, we would do something like: .LP .nf block in all - block in on le0 quick all head 100 - block in on le1 quick all head 200 - block in on lo0 quick all head 300 + block in quick on le0 all head 100 + block in quick on le1 all head 200 + block in quick on lo0 all head 300 .fi .PP diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index 06d2723..65734ce 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 
@@ -4,7 +4,7 @@ ipf \- alters packet filtering lists for IP packet input and output .SH SYNOPSIS .B ipf [ -.B \-AdDEInorsUvyzZ +.B \-AdDEInoPrsUvVyzZ ] [ .B \-l <block|pass|nomatch> @@ -81,6 +81,9 @@ calls or doing anything which would alter the currently running kernel. Force rules by default to be added/deleted to/from the output list, rather than the (default) input list. .TP +.B \-P +Add rules as temporary entries in the authentication rule table. +.TP .B \-r Remove matching filter rules rather than add them to the internal lists .TP @@ -94,6 +97,13 @@ recognised as IP packets. They will be printed out on the console. .B \-v Turn verbose mode on. Displays information relating to rule processing. .TP +.B \-V +Show version information. This will display the version information compiled +into the ipf binary and retrieve it from the kernel code (if running/present). +If it is present in the kernel, information about its current state will be +displayed (whether logging is active, default filtering, etc). +.TP +.TP .B \-y Manually resync the in-kernel interface list maintained by IP Filter with the current interface status list. diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5 index 2826359..95116e2 100644 --- a/contrib/ipfilter/man/ipfilter.5 +++ b/contrib/ipfilter/man/ipfilter.5 @@ -3,5 +3,8 @@ IP FIlter .SH DESCRIPTION .PP +IP Filter is a package providing packet filtering capabilities for a variety +of operating systems. On a properly setup system, it can be used to build a +firewall. .SH SEE ALSO ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1) diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 3fba05f..11c1263 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 
@@ -42,9 +42,6 @@ for normal IP Filter log records. Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero. .TP -.B "\-N <device>" -Set the logfile to be opened for reading NAT log records from to <device>. -.TP .B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. @@ -64,7 +61,8 @@ as for \fB-o\fP. .TP .B \-s Packet information read in will be sent through syslogd rather than -saved to a file. The following levels are used: +saved to a file. The default facility when compiled and installed is +\fBlocal0\fP. The following levels are used: .TP .B "\-S <device>" Set the logfile to be opened for reading state log records from to <device>. @@ -84,12 +82,12 @@ than pass or block. \- packets which have been logged and which can be considered "short". .TP -.B \-S -Treat the logfile as being composed of state log records. -.TP .B \-t read the input file/device in a manner akin to tail(1). .TP +.B \-v +show tcp window, ack and sequence fields. +.TP .B \-x show the packet data in hex. .TP diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1 index 01b5100..f241415 100644 --- a/contrib/ipfilter/man/ipnat.1 +++ b/contrib/ipfilter/man/ipnat.1 @@ -19,11 +19,11 @@ which they appear when given to \fBipnat\fP. .SH OPTIONS .TP .B \-C -delete all entries in the current NAT listing (NAT rules) +delete all entries in the current NAT rule listing (NAT rules) .TP .B \-F -delete all active entries in the current NAT table (currently active -NAT mappings) +delete all active entries in the current NAT translation table (currently +active NAT mappings) .TP .B \-l Show the list of current NAT table entry mappings. 
@@ -39,7 +39,8 @@ Retrieve and display NAT statistics Remove matching NAT rules rather than add them to the internal lists .TP .B \-v -Turn verbose mode on. Displays information relating to rule processing. +Turn verbose mode on. Displays information relating to rule processing +and active rules/table entries. .DT .SH FILES /dev/ipnat diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index 576e9c2..e15fa0d 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -5,14 +5,19 @@ ipnat, ipnat.conf \- IP NAT file format The format for files accepted by ipnat is described by the following grammar: .LP .nf -ipmap :: = mapit ifname ipmask "->" ipmask [ mapport ] . +ipmap :: = mapblock | redir | map . -mapit ::= "map" | "rdr" . +map ::= mapit ifname ipmask "->" ipmask [ mapport ] . +mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . +redir ::= "rdr" ifname [ fromspec ] ipmask "->" ip [ ports ] [ tcpudp ] . +ports ::= "ports" numports | "auto" . +mapit ::= "map" | "bimap" . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . mapport ::= "portmap" tcpudp portnumber ":" portnumber . +fromspec ::= "from" ip "/" ipmask . tcpudp ::= "tcp" | "udp" | "tcp/udp" . -portnumber ::= number { numbers } . +portnumber ::= number { numbers } | "auto" . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . 
@@ -34,7 +39,63 @@ addresses. When remapping TCP and UDP packets, it is also possible to change the source port number. Either TCP or UDP or both can be selected by each rule, with a range of port numbers to remap into given as \fBport-number:port-number\fP. -.SH Examples +.SH COMMANDS +There are found commands recognised by IP Filter's NAT code: +.TP +.B map +that is used for mapping one address or network to another in an unregulated +round robin fashion; +.TP +.B rdr +that is used for redirecting packets to one IP address and port pair to +another; +.TP +.B bimap +for setting up bidirectional NAT between an external IP address and an internal +IP address and +.TP +.B map-block +which sets up static IP address based translation, based on a algorithm to +squeeze the addresses to be translated into the destination range. +.SH MATCHING +.PP +For basic NAT and redirection of packets, the address subject to change is used +along with its protocol to check if a packet should be altered. In the case +of redirects, it is also possible to select packets on a source address basis +using the \fBfrom\fP keyword, as well as the manditory destination port. The +packet \fImatching\fP part of the rule is to the left of the "->" in each rule. +.SH TRANSLATION +.PP +To the right of the "->" is the address and port specificaton which will be +written into the packet providing it has already successful matched the +prior constraints. The case of redirections (\fBrdr\fP) is the simpliest: +the new destination address is that specified in the rule. For \fBmap\fP +rules, the destination address will be one for which the tuple combining +the new source and destination is known to be unique. If the packet is +either a TCP or UDP packet, the destination and source ports come into the +equation too. 
If the tuple already exists, IP Filter will increment the +port number first, within the available range specified with \fBportmap\fP +and if there exists no unique tuple, the source address will be incremented +within the specified netmask. If a unique tuple cannot be determined, then +the packet will not be translated. The \fBmap-block\fP is more limited in +how it searches for a new, free and unique tuple, in that it will used an +algorithm to determine what the new source address should be, along with the +range of available ports - the IP address is never changed and nor does the +port number ever exceed its alloted range. +.SH KERNEL PROXIES +.PP +IP Filter comes with a few, simple, proxies built into the code that is loaded +into the kernel to allow secondary channels to be opened without forcing the +packets through a user program. +.SH TRNSPARENT PROXIES +.PP +True transparent proxying should be performed using the redirect (\fBrdr\fP) +rules directing ports to localhost (127.0.0.1) with the proxy program doing +a lookup through \fB/dev/ipnat\fP to determine the real source and address +of the connection. +.SH EXAMPLES +.PP +This section deals with the \fBmap\fP command and it's variations. .PP To change IP#'s used internally from network 10 into an ISP provided 8 bit subnet at 209.1.2.0 through the ppp0 interface, the following would be used: 
@@ -61,8 +122,33 @@ map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP so that all TCP/UDP packets were port mapped and only other protocols, such as -ICMP, only have their IP# changed. -.SH FILES +ICMP, only have their IP# changed. In some instaces, it is more appropriate +to use the keyword \fBauto\fP in place of an actual range of port numbers if +you want to guarantee simultaneous access to all within the given range. +However, in the above case, it would default to 1 port per IP address, since +we need to squeeze 24 bits of address space into 8. A good example of how +this is used might be: +.LP +.nf +map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto +.fi +.PP +which would result in each IP address being given a small range of ports to +use (252). The problem here is that the \fBmap\fP directive tells the NAT +code to use the next address/port pair available for an outgoing connection, +resulting in no easily discernable relation between external addresses/ports +and internal ones. This is overcome by using \fBmap-block\fP as follows: +.LP +.nf +map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto +.fi +.PP +For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32 +with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its +own. As opposed to the above use of \fBmap\fP, if for some reason the user +of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would +be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next +IP address with the \fBmap\fP command. /dev/ipnat .br /etc/services diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c index 082b5d6..bd89be0 100644 --- a/contrib/ipfilter/misc.c +++ b/contrib/ipfilter/misc.c 
@@ -1,10 +1,19 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ +#if (SOLARIS2 >= 7) +# define _SYS_VARARGS_H +# define _VARARGS_H +#endif +#if defined(__STDC__) +# include <stdarg.h> +#else +# include <varargs.h> +#endif #include <stdio.h> #include <assert.h> #include <string.h> @@ -43,7 +52,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: misc.c,v 2.0.2.8.2.1 1997/11/12 10:58:26 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: misc.c,v 2.1 1999/08/04 17:30:11 darrenr Exp $"; #endif extern int opts; @@ -52,26 +61,26 @@ extern int opts; void printpacket(ip) ip_t *ip; { - struct tcphdr *tcp; + tcphdr_t *tcp; tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2)); - printf("ip %d(%d) %d ", ip->ip_len, ip->ip_hl << 2, ip->ip_p); - if (ip->ip_off & 0x1fff) - printf("@%d", ip->ip_off << 3); + printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p); + if (ip->ip_off & IP_OFFMASK) + printf(" @%d", ip->ip_off << 3); (void)printf(" %s", inet_ntoa(ip->ip_src)); - if (!(ip->ip_off & 0x1fff)) + if (!(ip->ip_off & IP_OFFMASK)) if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) (void)printf(",%d", ntohs(tcp->th_sport)); (void)printf(" > "); (void)printf("%s", inet_ntoa(ip->ip_dst)); - if (!(ip->ip_off & 0x1fff)) + if (!(ip->ip_off & IP_OFFMASK)) if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) (void)printf(",%d", ntohs(tcp->th_dport)); putchar('\n'); } -#ifdef __STDC__ +#if defined(__STDC__) void verbose(char *fmt, ...) #else void verbose(fmt, va_alist) diff --git a/contrib/ipfilter/mkfilters b/contrib/ipfilter/mkfilters index 53c9a7f..f0e6ff4 100644 --- a/contrib/ipfilter/mkfilters +++ b/contrib/ipfilter/mkfilters 
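Review bot: In printpacket the declaration was changed to `tcphdr_t *tcp` but the cast on the next line still reads `(struct tcphdr *)`, so the two now disagree; make it `tcp = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));`. The header pointer is formed from ip_hl alone and th_sport/th_dport are read through it whenever the packet is not a fragment, so unless callers of this user-space printing code already guarantee that ip_len covers `ip_hl << 2` plus the port fields, a truncated test packet would be read past its end — worth a comment stating that precondition, e.g. `/* caller guarantees ip_len >= (ip_hl << 2) + 4 */`, or an explicit check before the port prints. verbose()'s body continues outside the hunk.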
@@ -1,30 +1,15 @@ #!/usr/local/bin/perl # for best results, bring up all your interfaces before running this -open(I, "ifconfig -a|") || die $!; -while (<I>) { - chop; - if (/^[a-zA-Z]+\d+:/) { - ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/; - $ifaces{$iface} = $iface; - next; - } - if (/inet/) { - if (/\-\-\>/) { # PPP, (SLIP?) - ($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/; - ($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/; - } else { - ($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/; - } - } - if (/netmask/) { - ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/; - $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/); - $netmask{$iface} = $mask; - } - if (/broadcast/) { - ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/; - } + +if ($^O =~ m/^irix/i) +{ + &irix_mkfilters || regular_mkfilters || die $!; } +else +{ + ®ular_mkfilters || irix_mkfilters || die $!; +} + foreach $i (keys %ifaces) { $net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i})); } 
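Review bot: In the new dispatch block, `&irix_mkfilters || regular_mkfilters || die $!` calls the first sub with `&` but names the fallback as a bare word; since neither sub is declared before this point in the file (both are defined at the bottom), perl is likely to parse the bare `regular_mkfilters` (and `irix_mkfilters` in the else branch) as a string constant rather than a call, which is always true, so the fallback never runs and `die` is unreachable. Write both calls the same way: `&irix_mkfilters || &regular_mkfilters || die $!;` and `&regular_mkfilters || &irix_mkfilters || die $!;`. The `®ular_mkfilters` shown in the else branch looks like `&regular_mkfilters` mangled by an HTML entity during rendering; confirm the file itself carries the `&`.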
@@ -71,3 +56,61 @@ foreach $i (keys %ifaces) { } } } + +sub irix_mkfilters +{ + open(NETSTAT, "/usr/etc/netstat -i|") || return 0; + + while (defined($line = <NETSTAT>)) + { + if ($line =~ m/^Name/) + { + next; + } + elsif ($line =~ m/^(\S+)/) + { + open(I, "/usr/etc/ifconfig $1|") || return 0; + &scan_ifconfig; + close I; # being neat... - Allen + } + } + close NETSTAT; # again, being neat... - Allen + return 1; +} + +sub regular_mkfilters +{ + open(I, "ifconfig -a|") || return 0; + &scan_ifconfig; + close I; # being neat... - Allen + return 1; +} + +sub scan_ifconfig +{ + while (<I>) { + chop; + if (/^[a-zA-Z]+\d+:/) { + ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/; + $ifaces{$iface} = $iface; + next; + } + if (/inet/) { + if (/\-\-\>/) { # PPP, (SLIP?) + ($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/; + ($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/; + } else { + ($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/; + } + } + if (/netmask/) { + ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/; + $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/); + $netmask{$iface} = $mask; + } + if (/broadcast/) { + ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/; + } + } +} + diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c index 430cb9e..4408a75 100644 --- a/contrib/ipfilter/ml_ipl.c +++ b/contrib/ipfilter/ml_ipl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index 3cda6c1..ef4b00f 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
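Review bot: In irix_mkfilters the interface name captured from `netstat -i` output is interpolated straight into a shell command line, `open(I, "/usr/etc/ifconfig $1|")`; the name comes from the kernel so the risk is low, but a one-line sanity check before the open, e.g. `next unless $1 =~ /^[A-Za-z0-9]+$/;` (widen the class if IRIX names use other characters), keeps an unexpected token out of the shell and matches the `^[a-zA-Z]+\d+:` shape scan_ifconfig expects. The `|| return 0` inside the while loop returns with NETSTAT still open; closing it on that path, or breaking out with `last` and returning after the existing `close NETSTAT`, would be tidier. scan_ifconfig works entirely through the global filehandle `I` and global hashes; a comment above it saying it populates `%ifaces`, `%inet`, `%ppp`, `%netmask` and `%bcast` from whatever is currently open on `I` would document the contract the other two subs rely on.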
@@ -23,17 +23,20 @@ #endif #include <sys/systm.h> #if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) +# ifndef ACTUALLY_LKM_NOT_KERNEL +# include "opt_devfs.h" +# endif # include <sys/conf.h> # include <sys/kernel.h> # ifdef DEVFS # include <sys/devfsext.h> -# if defined(IPFILTER) && defined(_KERNEL) -# include "opt_devfs.h" -# endif # endif /*DEVFS*/ #endif #include <sys/conf.h> #include <sys/file.h> +#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) +# include <sys/lock.h> +#endif #include <sys/stat.h> #include <sys/proc.h> #include <sys/uio.h> @@ -47,6 +50,9 @@ #if BSD >= 199506 # include <sys/sysctl.h> #endif +#if (__FreeBSD_version >= 300000) +# include <sys/socket.h> +#endif #if (__FreeBSD_version >= 199511) #include <net/if.h> #include <netinet/in_systm.h> @@ -78,31 +84,8 @@ #define MIN(a,b) (((a)<(b))?(a):(b)) #endif -extern int lkmenodev __P((void)); - -static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, - NULL }; -static int if_ipl_unload __P((struct lkm_table *, int)); -static int if_ipl_load __P((struct lkm_table *, int)); -static int if_ipl_remove __P((void)); int xxxinit __P((struct lkm_table *, int, int)); - -struct cdevsw ipldevsw = -{ - iplopen, /* open */ - iplclose, /* close */ - iplread, /* read */ - (void *)nullop, /* write */ - iplioctl, /* ioctl */ - (void *)nullop, /* stop */ - (void *)nullop, /* reset */ - (void *)NULL, /* tty */ - (void *)nullop, /* select */ - (void *)nullop, /* mmap */ - NULL /* strategy */ -}; - #ifdef SYSCTL_INT SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF"); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, ""); 
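Review bot: The new `<sys/socket.h>` include is guarded by `#if (__FreeBSD_version >= 300000)` with no `defined()` test, whereas the `<sys/lock.h>` include added in the first hunk uses `#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)`. An undefined macro evaluates to 0 in `#if`, so this still builds elsewhere, but it is inconsistent within the same file and trips `-Wundef`; use the guarded form for both. Moving `opt_devfs.h` ahead of the `# ifdef DEVFS` test (first hunk) looks like the right order, since that header is presumably what defines DEVFS for kernel builds; a comment there, `/* opt_devfs.h must precede the DEVFS test below */`, would keep someone from reordering it back.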
@@ -139,32 +122,58 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW, #endif #ifdef DEVFS -void *ipf_devfs[IPL_LOGMAX + 1]; +static void *ipf_devfs[IPL_LOGMAX + 1]; #endif #if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) int ipl_major = 0; +static struct cdevsw ipldevsw = +{ + iplopen, /* open */ + iplclose, /* close */ + iplread, /* read */ + (void *)nullop, /* write */ + iplioctl, /* ioctl */ + (void *)nullop, /* stop */ + (void *)nullop, /* reset */ + (void *)NULL, /* tty */ + (void *)nullop, /* select */ + (void *)nullop, /* mmap */ + NULL /* strategy */ +}; + MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw); extern struct cdevsw cdevsw[]; extern int vd_unuseddev __P((void)); extern int nchrdev; #else -int ipl_major = CDEV_MAJOR; static struct cdevsw ipl_cdevsw = { iplopen, iplclose, iplread, nowrite, /* 79 */ iplioctl, nostop, noreset, nodevtotty, +#if (__FreeBSD_version >= 300000) + seltrue, nommap, nostrategy, "ipl", +#else noselect, nommap, nostrategy, "ipl", +#endif NULL, -1 }; #endif +static void ipl_drvinit __P((void *)); + +#ifdef ACTUALLY_LKM_NOT_KERNEL +static int if_ipl_unload __P((struct lkm_table *, int)); +static int if_ipl_load __P((struct lkm_table *, int)); +static int if_ipl_remove __P((void)); +static int ipl_major = CDEV_MAJOR; static int iplaction __P((struct lkm_table *, int)); -static void ipl_drvinit __P((void *)); +static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, NULL }; +extern int lkmenodev __P((void)); static int iplaction(lkmtp, cmd) struct lkm_table *lkmtp; @@ -206,7 +215,7 @@ int cmd; if (!err) { printf("IP Filter: unloaded from slot %d\n", ipl_major); -# ifdef DEVFS +#ifdef DEVFS if (ipf_devfs[IPL_LOGIPF]) devfs_remove_dev(ipf_devfs[IPL_LOGIPF]); if (ipf_devfs[IPL_LOGNAT]) @@ -215,7 +224,7 @@ int cmd; devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]); if (ipf_devfs[IPL_LOGAUTH]) devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]); -# endif +#endif } return err; case LKM_E_STAT : 
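Review bot: `ipl_major` for the `__FreeBSD_version >= 220000` case is no longer a file-scope `int` but a `static int` inside `#ifdef ACTUALLY_LKM_NOT_KERNEL`, so in the statically linked kernel build that symbol no longer exists; if `ipl_drvinit` (declared here, body outside the hunk) or anything else on the non-LKM path references it, that configuration will fail to compile or link — worth building both configurations. The switch from `noselect` to `seltrue` in the 3.x cdevsw changes what select(2) reports for the ipl devices (always ready rather than unsupported), which log readers may notice; a comment on that line, `/* seltrue: select() always reports the device ready */`, would record that this is intentional.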
@@ -239,9 +248,22 @@ static int if_ipl_remove __P((void)) if ((error = namei(&nd))) return (error); VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); +#if (__FreeBSD_version >= 300000) + VOP_LOCK(nd.ni_vp, LK_RETRY | LK_EXCLUSIVE, curproc); + VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); + (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); + + if (nd.ni_dvp == nd.ni_vp) + vrele(nd.ni_dvp); + else + vput(nd.ni_dvp); + if (nd.ni_vp != NULLVP) + vput(nd.ni_vp); +#else VOP_LOCK(nd.ni_vp); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); +#endif } return 0; @@ -294,12 +316,16 @@ int cmd; vattr.va_rdev = (ipl_major << 8) | i; VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); +#if (__FreeBSD_version >= 300000) + vput(nd.ni_dvp); +#endif if (error) return error; } return 0; } +#endif /* actually LKM */ #if defined(__FreeBSD_version) && (__FreeBSD_version < 220000) /* @@ -322,10 +348,13 @@ int cmd, ver; { DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); } -#else +#else /* __FREEBSD_version >= 220000 */ # ifdef IPFILTER_LKM # include <sys/exec.h> +# if (__FreeBSD_version >= 300000) +MOD_DEV(if_ipl, LM_DT_CHAR, CDEV_MAJOR, &ipl_cdevsw); +# else MOD_DECL(if_ipl); @@ -337,6 +366,7 @@ static struct lkm_dev _module = { LM_DT_CHAR, { (void *)&ipl_cdevsw } }; +# endif int if_ipl __P((struct lkm_table *, int, int)); @@ -346,9 +376,13 @@ int if_ipl(lkmtp, cmd, ver) struct lkm_table *lkmtp; int cmd, ver; { +# if (__FreeBSD_version >= 300000) + MOD_DISPATCH(if_ipl, lkmtp, cmd, ver, iplaction, iplaction, iplaction); +# else DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); +# endif } -# endif +# endif /* IPFILTER_LKM */ static ipl_devsw_installed = 0; static void ipl_drvinit __P((void *unused)) diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c index e4490c3..dce52fc 100644 
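Review bot: The new `__FreeBSD_version >= 300000` branch of if_ipl_remove still discards the result of `VOP_REMOVE` with a `(void)` cast, so a device node that could not be unlinked on unload is silently left behind in /dev, pointing at a major number that may later be reused. Capture it instead, `error = VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);`, release the vnodes as the branch already does, and return `error` (or at least printf it) so the failure is visible. The same applies to the pre-3.0 `#else` branch, which is unchanged context here; if_ipl_remove begins outside the hunk.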
--- a/contrib/ipfilter/mli_ipl.c +++ b/contrib/ipfilter/mli_ipl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * (C)opyright 1997 by Marc Boucher. * * Redistribution and use in source and binary forms are permitted @@ -49,7 +49,7 @@ unsigned IPL_EXTERN(devflag) = D_MP; char *IPL_EXTERN(mversion) = M_VERSION; #endif -kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex; +kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw; kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **)); @@ -80,12 +80,12 @@ ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst) { nif_t *nif; - MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */ + MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ for (nif = nif_head; nif; nif = nif->nf_next) if (nif->nf_ifp == ifp) break; - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); if (!nif) { printf("IP Filter: ipl_if_output intf %x NOT FOUND\n", ifp); return ENETDOWN; @@ -217,7 +217,7 @@ ipfilterattach(void) if (!addr_fk) return ESRCH; - MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */ + MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ ipff_addr = (int *)addr_ff; @@ -245,7 +245,7 @@ ipfilterattach(void) *ipff_addr = 1; /* enable ipfilter_kernel */ - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); #else extern int ipfilterflag; @@ -266,7 +266,7 @@ nifattach() struct frentry *f; ipnat_t *np; - MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */ + MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ for (ifp = ifnet; ifp; ifp = ifp->if_next) { if ((!(ifp->if_flags & IFF_RUNNING)) || 
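Review bot: `ipf_rw` is added to the `kmutex_t` declaration line alongside the renamed `ipfi_mutex`, but nothing here says what it protects or why a lock named `_rw` is a plain mutex like the others. A short comment on that line, e.g. `/* ipfi_mutex: nif list; ipf_rw: <what it guards> */` with the real object named, would help readers who see `ipfs_mutex` disappear and a new lock appear in the same change. Allocation and release of the new lock are in the later hunks of this file.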
@@ -291,7 +291,7 @@ nifattach() printf("IP Filter: nifattach nif %x opt %x\n", ifp, ifp->if_output); #endif - KMALLOC(nif, nif_t *, sizeof(*nif)); + KMALLOC(nif, nif_t *); if (!nif) { printf("IP Filter: malloc(%d) for nif_t failed\n", sizeof(nif_t)); @@ -351,7 +351,7 @@ nifattach() nif_interfaces = in_interfaces; - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); return; } @@ -368,7 +368,7 @@ ipfsync(void) register nif_t *nif, **qp; register struct ifnet *ifp; - MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */ + MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ for (qp = &nif_head; (nif = *qp); ) { for (ifp = ifnet; ifp; ifp = ifp->if_next) if ((nif->nf_ifp == ifp) && @@ -403,7 +403,7 @@ ipfsync(void) KFREE(nif); nif = *qp; } - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); nifattach(); @@ -420,7 +420,7 @@ nifdetach() nif_t *nif, *qf2, **qp; struct ifnet *ifp; - MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */ + MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ /* * Make two passes, first get rid of all the unknown devices, next * unlink known devices. @@ -455,7 +455,7 @@ nifdetach() } KFREE(nif); } - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); return; } @@ -465,7 +465,7 @@ static void ipfilterdetach(void) { #ifdef IPFILTER_LKM - MUTEX_ENTER(&ipfs_mutex); /* sets interrupt priority level to splhi */ + MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ if (ipff_addr) { *ipff_addr = 0; @@ -476,7 +476,7 @@ ipfilterdetach(void) *ipff_addr = ipff_value; } - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); #else extern int ipfilterflag; 
@@ -514,13 +514,13 @@ ipfilter_sgi_attach(void) void ipfilter_sgi_intfsync(void) { - MUTEX_ENTER(&ipfs_mutex); + MUTEX_ENTER(&ipfi_mutex); if (nif_interfaces != in_interfaces) { /* if the number of interfaces has changed, resync */ - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); ipfsync(); } else - MUTEX_EXIT(&ipfs_mutex); + MUTEX_EXIT(&ipfi_mutex); } #ifdef IPFILTER_LKM @@ -536,13 +536,14 @@ IPL_EXTERN(unload)(void) error = ipldetach(); LOCK_DEALLOC(ipl_mutex.l); + LOCK_DEALLOC(ipf_rw.l); LOCK_DEALLOC(ipf_auth.l); LOCK_DEALLOC(ipf_natfrag.l); LOCK_DEALLOC(ipf_nat.l); LOCK_DEALLOC(ipf_state.l); LOCK_DEALLOC(ipf_frag.l); LOCK_DEALLOC(ipf_mutex.l); - LOCK_DEALLOC(ipfs_mutex.l); + LOCK_DEALLOC(ipfi_mutex.l); return error; } @@ -555,17 +556,19 @@ IPL_EXTERN(init)(void) int error; #endif - ipfs_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); + ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); + ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - if (!ipfs_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l || - !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipl_mutex.l) + if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l || + !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l || + !ipl_mutex.l) panic("IP Filter: LOCK_ALLOC failed"); #ifdef IPFILTER_LKM 
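Review bot: In the IPL_EXTERN(init) hunk a failed `LOCK_ALLOC(..., KM_NOSLEEP)` ends in `panic("IP Filter: LOCK_ALLOC failed")`, which turns an ordinary transient out-of-memory at module load into a system crash and also leaks whichever of the nine locks were already allocated. Since the function appears to return an int (`int error;` is declared in the same hunk, and the unload hunk shows the matching `LOCK_DEALLOC` sequence), it would be safer to release what was allocated and refuse the load; the body of IPL_EXTERN(init) continues past the hunk, so only the allocation block is shown below. I have assumed `LOCK_DEALLOC` should not be handed a NULL lock, hence the guards; drop them if it tolerates NULL.
```c
	ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
	if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l ||
	    !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l ||
	    !ipl_mutex.l) {
		/*
		 * A KM_NOSLEEP failure at load time is recoverable: give back
		 * what we did get and fail the load instead of panicking.
		 */
		if (ipl_mutex.l) LOCK_DEALLOC(ipl_mutex.l);
		if (ipf_rw.l) LOCK_DEALLOC(ipf_rw.l);
		if (ipf_auth.l) LOCK_DEALLOC(ipf_auth.l);
		if (ipf_natfrag.l) LOCK_DEALLOC(ipf_natfrag.l);
		if (ipf_nat.l) LOCK_DEALLOC(ipf_nat.l);
		if (ipf_state.l) LOCK_DEALLOC(ipf_state.l);
		if (ipf_frag.l) LOCK_DEALLOC(ipf_frag.l);
		if (ipf_mutex.l) LOCK_DEALLOC(ipf_mutex.l);
		if (ipfi_mutex.l) LOCK_DEALLOC(ipfi_mutex.l);
		return ENOMEM;
	}
	/* … unchanged: IPFILTER_LKM registration … */
```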
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c index 7f2166e..47ed9e5 100644 --- a/contrib/ipfilter/mln_ipl.c +++ b/contrib/ipfilter/mln_ipl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -66,8 +66,12 @@ extern int lkmenodev __P((void)); #if NetBSD >= 199706 int if_ipl_lkmentry __P((struct lkm_table *, int, int)); #else +#if defined(OpenBSD) +int if_ipl __P((struct lkm_table *, int, int)); +#else int xxxinit __P((struct lkm_table *, int, int)); #endif +#endif static int ipl_unload __P((void)); static int ipl_load __P((void)); static int ipl_remove __P((void)); @@ -100,7 +104,9 @@ struct cdevsw ipldevsw = (void *)nullop, /* write */ iplioctl, /* ioctl */ (void *)nullop, /* stop */ +#ifndef OpenBSD (void *)nullop, /* reset */ +#endif (void *)NULL, /* tty */ (void *)nullop, /* select */ (void *)nullop, /* mmap */ @@ -119,14 +125,21 @@ extern int nchrdev; #if NetBSD >= 199706 int if_ipl_lkmentry(lkmtp, cmd, ver) #else +#if defined(OpenBSD) +int if_ipl(lkmtp, cmd, ver) +#else int xxxinit(lkmtp, cmd, ver) #endif +#endif struct lkm_table *lkmtp; int cmd, ver; { DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); } +#ifdef OpenBSD +int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */ +#endif static int iplaction(lkmtp, cmd) struct lkm_table *lkmtp; @@ -182,7 +195,11 @@ static int ipl_remove() if ((error = namei(&nd))) return (error); VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); +#ifdef OpenBSD + VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc); +#else vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY); +#endif VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); } 
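Review bot: The entry-point hunk adds a hand-written prototype, `int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */`, which will silently diverge from the kernel if that function's signature changes; if OpenBSD ships a header declaring it, include that instead, and otherwise the comment should say why no header is available. The same file now tests the platform three different ways in adjacent hunks, `#if defined(OpenBSD)` for the prototype and definition but `#ifdef OpenBSD` for the cdevsw `reset` slot and the `VOP_LOCK` call in ipl_remove; picking one spelling would make later `grep`-driven porting less error-prone. The ipl_remove change itself looks consistent with the existing `vn_lock` path, but ipl_remove's body starts outside the hunk.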
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c index dc91037..58f2ded 100644 --- a/contrib/ipfilter/mls_ipl.c +++ b/contrib/ipfilter/mls_ipl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -42,7 +42,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.0.2.9 1997/09/28 07:12:07 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.1 1999/08/04 17:30:14 darrenr Exp $"; #endif extern int ipldetach __P((void)); diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c new file mode 100644 index 0000000..9c08be7 --- /dev/null +++ b/contrib/ipfilter/natparse.c 
@@ -0,0 +1,793 @@ +/* + * Copyright (C) 1993-1998 by Darren Reed. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and due credit is given + * to the original author and the contributors. + */ +#include <stdio.h> +#include <string.h> +#include <fcntl.h> +#include <errno.h> +#include <sys/types.h> +#if !defined(__SVR4) && !defined(__svr4__) +#include <strings.h> +#else +#include <sys/byteorder.h> +#endif +#include <sys/time.h> +#include <sys/param.h> +#include <stdlib.h> +#include <unistd.h> +#include <stddef.h> +#include <sys/socket.h> +#include <sys/ioctl.h> +#if defined(sun) && (defined(__svr4__) || defined(__SVR4)) +# include <sys/ioccom.h> +# include <sys/sysmacros.h> +#endif +#include <netinet/in.h> +#include <netinet/in_systm.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif +#include <netdb.h> +#include <arpa/nameser.h> +#include <arpa/inet.h> +#include <resolv.h> +#include <ctype.h> +#include "netinet/ip_compat.h" +#include "netinet/ip_fil.h" +#include "netinet/ip_proxy.h" +#include "netinet/ip_nat.h" + +#if defined(sun) && !SOLARIS2 +# define STRERROR(x) sys_errlist[x] +extern char *sys_errlist[]; +#else +# define STRERROR(x) strerror(x) +#endif + +#if !defined(lint) +static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; +static const char rcsid[] = "@(#)$Id: natparse.c,v 1.2 1999/08/01 11:17:18 darrenr Exp $"; +#endif + + +#if SOLARIS +#define bzero(a,b) memset(a,0,b) +#endif + +extern int countbits __P((u_32_t)); +extern u_32_t hostnum __P((char *, int *, int)); + +ipnat_t *natparse __P((char *, int)); +void printnat __P((ipnat_t *, int, void *)); +void natparsefile __P((int, char *, int)); +u_32_t n_hostmask __P((char *)); +u_short n_portnum __P((char *, char *, int)); +void nat_setgroupmap __P((struct ipnat *)); + +#define OPT_REM 1 +#define OPT_NODO 2 +#define OPT_STAT 4 
+#define OPT_LIST 8 +#define OPT_VERBOSE 16 +#define OPT_FLUSH 32 +#define OPT_CLEAR 64 + + +void printnat(np, verbose, ptr) +ipnat_t *np; +int verbose; +void *ptr; +{ + struct protoent *pr; + struct servent *sv; + int bits; + + switch (np->in_redir) + { + case NAT_REDIRECT : + printf("rdr "); + break; + case NAT_MAP : + printf("map "); + break; + case NAT_MAPBLK : + printf("map-block "); + break; + case NAT_BIMAP : + printf("bimap "); + break; + default : + fprintf(stderr, "unknown value for in_redir: %#x\n", + np->in_redir); + break; + } + + if (np->in_redir == NAT_REDIRECT) { + printf("%s ", np->in_ifname); + if (np->in_src[0].s_addr || np->in_src[1].s_addr) { + printf("from %s",inet_ntoa(np->in_src[0])); + bits = countbits(np->in_src[1].s_addr); + if (bits != -1) + printf("/%d ", bits); + else + printf("/%s ", inet_ntoa(np->in_src[1])); + } + printf("%s",inet_ntoa(np->in_out[0])); + bits = countbits(np->in_out[1].s_addr); + if (bits != -1) + printf("/%d ", bits); + else + printf("/%s ", inet_ntoa(np->in_out[1])); + if (np->in_pmin) + printf("port %d ", ntohs(np->in_pmin)); + printf("-> %s", inet_ntoa(np->in_in[0])); + if (np->in_pnext) + printf(" port %d", ntohs(np->in_pnext)); + if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) + printf(" tcp/udp"); + else if ((np->in_flags & IPN_TCP) == IPN_TCP) + printf(" tcp"); + else if ((np->in_flags & IPN_UDP) == IPN_UDP) + printf(" udp"); + printf("\n"); + if (verbose) + printf("\t%p %lu %x %u %p %d\n", np->in_ifp, + np->in_space, np->in_flags, np->in_pnext, np, + np->in_use); + } else { + np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); + printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); + bits = countbits(np->in_in[1].s_addr); + if (bits != -1) + printf("%d ", bits); + else + printf("%s", inet_ntoa(np->in_in[1])); + printf(" -> "); + if (np->in_flags & IPN_RANGE) { + printf("range %s-", inet_ntoa(np->in_out[0])); + printf("%s", inet_ntoa(np->in_out[1])); + } else { + printf("%s/", inet_ntoa(np->in_out[0])); + 
bits = countbits(np->in_out[1].s_addr); + if (bits != -1) + printf("%d ", bits); + else + printf("%s", inet_ntoa(np->in_out[1])); + } + if (*np->in_plabel) { + pr = getprotobynumber(np->in_p); + printf(" proxy port"); + if (np->in_dport != 0) { + if (pr != NULL) + sv = getservbyport(np->in_dport, + pr->p_name); + else + sv = getservbyport(np->in_dport, NULL); + if (sv != NULL) + printf(" %s", sv->s_name); + else + printf(" %hu", ntohs(np->in_dport)); + } + printf(" %.*s/", (int)sizeof(np->in_plabel), + np->in_plabel); + if (pr != NULL) + fputs(pr->p_name, stdout); + else + printf("%d", np->in_p); + } else if (np->in_redir == NAT_MAPBLK) { + printf(" ports %d", np->in_pmin); + if (verbose) + printf("\n\tip modulous %d", np->in_pmax); + } else if (np->in_pmin || np->in_pmax) { + printf(" portmap"); + if (np->in_flags & IPN_AUTOPORTMAP) { + printf(" auto"); + if (verbose) + printf(" [%d:%d %d %d]", + ntohs(np->in_pmin), + ntohs(np->in_pmax), + np->in_ippip, np->in_ppip); + } else { + if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) + printf(" tcp/udp"); + else if (np->in_flags & IPN_TCP) + printf(" tcp"); + else if (np->in_flags & IPN_UDP) + printf(" udp"); + printf(" %d:%d", ntohs(np->in_pmin), + ntohs(np->in_pmax)); + } + } + printf("\n"); + if (verbose) { + printf("\tifp %p space %lu nextip %s pnext %d", + np->in_ifp, np->in_space, + inet_ntoa(np->in_nextip), np->in_pnext); + printf(" flags %x use %u\n", + np->in_flags, np->in_use); + } + } +} + + +void nat_setgroupmap(n) +ipnat_t *n; +{ + if (n->in_outmsk == n->in_inmsk) + n->in_ippip = 1; + else if (n->in_flags & IPN_AUTOPORTMAP) { + n->in_ippip = ~ntohl(n->in_inmsk); + if (n->in_outmsk != 0xffffffff) + n->in_ippip /= (~ntohl(n->in_outmsk) + 1); + n->in_ippip++; + if (n->in_ippip == 0) + n->in_ippip = 1; + n->in_ppip = USABLE_PORTS / n->in_ippip; + } else { + n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk); + n->in_nip = 0; + if (!(n->in_ppip = n->in_pmin)) + n->in_ppip = 1; + n->in_ippip = USABLE_PORTS / 
n->in_ppip; + } +} + + + +ipnat_t *natparse(line, linenum) +char *line; +int linenum; +{ + struct protoent *pr; + static ipnat_t ipn; + char *s, *t; + char *shost, *snetm, *dhost, *proto, *srchost, *srcnetm; + char *dnetm = NULL, *dport = NULL, *tport = NULL; + int resolved; + + srchost = NULL; + srcnetm = NULL; + + bzero((char *)&ipn, sizeof(ipn)); + if ((s = strchr(line, '\n'))) + *s = '\0'; + if ((s = strchr(line, '#'))) + *s = '\0'; + if (!*line) + return NULL; + if (!(s = strtok(line, " \t"))) + return NULL; + if (!strcasecmp(s, "map")) + ipn.in_redir = NAT_MAP; + else if (!strcasecmp(s, "map-block")) + ipn.in_redir = NAT_MAPBLK; + else if (!strcasecmp(s, "rdr")) + ipn.in_redir = NAT_REDIRECT; + else if (!strcasecmp(s, "bimap")) + ipn.in_redir = NAT_BIMAP; + else { + fprintf(stderr, "%d: unknown mapping: \"%s\"\n", + linenum, s); + return NULL; + } + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "%d: missing fields (interface)\n", + linenum); + return NULL; + } + + strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1); + ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0'; + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "%d: missing fields (%s)\n", linenum, + ipn.in_redir ? 
"from source | destination" : "source"); + return NULL; + } + + if ((ipn.in_redir == NAT_REDIRECT) && !strcasecmp(s, "from")) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (source address)\n", + linenum); + return NULL; + } + + srchost = s; + srcnetm = strrchr(srchost, '/'); + + if (srcnetm == NULL) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (source netmask)\n", + linenum); + return NULL; + } + + if (strcasecmp(s, "netmask")) { + fprintf(stderr, + "%d: missing fields (netmask)\n", + linenum); + return NULL; + } + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (source netmask)\n", + linenum); + return NULL; + } + srcnetm = s; + } + if (*srcnetm == '/') + *srcnetm++ = '\0'; + + /* re read the next word -- destination */ + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (destination)\n", linenum); + return NULL; + } + + } + + shost = s; + + if (ipn.in_redir == NAT_REDIRECT) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (destination port)\n", + linenum); + return NULL; + } + + if (strcasecmp(s, "port")) { + fprintf(stderr, "%d: missing fields (port)\n", linenum); + return NULL; + } + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (destination port)\n", + linenum); + return NULL; + } + + dport = s; + } + + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "%d: missing fields (->)\n", linenum); + return NULL; + } + if (!strcmp(s, "->")) { + snetm = strrchr(shost, '/'); + if (!snetm) { + fprintf(stderr, + "%d: missing fields (%s netmask)\n", linenum, + ipn.in_redir ? "destination" : "source"); + return NULL; + } + } else { + if (strcasecmp(s, "netmask")) { + fprintf(stderr, "%d: missing fields (netmask)\n", + linenum); + return NULL; + } + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (%s netmask)\n", linenum, + ipn.in_redir ? 
"destination" : "source"); + return NULL; + } + snetm = s; + } + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "%d: missing fields (%s)\n", + linenum, ipn.in_redir ? "destination":"target"); + return NULL; + } + + if (ipn.in_redir == NAT_MAP) { + if (!strcasecmp(s, "range")) { + ipn.in_flags |= IPN_RANGE; + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "%d: missing fields (%s)\n", + linenum, + ipn.in_redir ? "destination":"target"); + return NULL; + } + } + } + dhost = s; + + if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { + if (ipn.in_flags & IPN_RANGE) { + dnetm = strrchr(dhost, '-'); + if (dnetm == NULL) { + if (!(s = strtok(NULL, " \t"))) + dnetm = NULL; + else { + if (strcmp(s, "-")) + s = NULL; + else if ((s = strtok(NULL, " \t"))) { + dnetm = s; + } + } + } else + *dnetm++ = '\0'; + if (dnetm == NULL || *dnetm == '\0') { + fprintf(stderr, + "%d: desination range not specified\n", + linenum); + return NULL; + } + } else { + dnetm = strrchr(dhost, '/'); + if (dnetm == NULL) { + if (!(s = strtok(NULL, " \t"))) + dnetm = NULL; + else if (!strcasecmp(s, "netmask")) + if ((s = strtok(NULL, " \t")) != NULL) + dnetm = s; + } + if (dnetm == NULL) { + fprintf(stderr, + "%d: missing fields (dest netmask)\n", + linenum); + return NULL; + } + if (*dnetm == '/') + *dnetm++ = '\0'; + } + s = strtok(NULL, " \t"); + } + + if (ipn.in_redir & NAT_MAPBLK) { + if (s && strcasecmp(s, "ports")) { + fprintf(stderr, + "%d: expected \"ports\" - got \"%s\"\n", + linenum, s); + return NULL; + } + if (s != NULL) { + if ((s = strtok(NULL, " \t")) == NULL) + return NULL; + ipn.in_pmin = atoi(s); + s = strtok(NULL, " \t"); + } else + ipn.in_pmin = 0; + } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { + if (strrchr(dhost, '/') != NULL) { + fprintf(stderr, "%d: No netmask supported in %s\n", + linenum, "destination host for redirect"); + return NULL; + } + /* If it's a in_redir, expect target port */ + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields 
(destination port)\n", + linenum); + return NULL; + } + + if (strcasecmp(s, "port")) { + fprintf(stderr, "%d: missing fields (port)\n", + linenum); + return NULL; + } + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing fields (destination port)\n", + linenum); + return NULL; + } + tport = s; + } + if (dnetm && *dnetm == '/') + *dnetm++ = '\0'; + if (snetm && *snetm == '/') + *snetm++ = '\0'; + + if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { + ipn.in_inip = hostnum(shost, &resolved, linenum); + if (resolved == -1) + return NULL; + ipn.in_inmsk = n_hostmask(snetm); + ipn.in_outip = hostnum(dhost, &resolved, linenum); + if (resolved == -1) + return NULL; + if (ipn.in_flags & IPN_RANGE) { + ipn.in_outmsk = hostnum(dnetm, &resolved, linenum); + if (resolved == -1) + return NULL; + } else + ipn.in_outmsk = n_hostmask(dnetm); + if (srchost) { + ipn.in_srcip = hostnum(srchost, &resolved, linenum); + if (resolved == -1) + return NULL; + } + if (srcnetm) + ipn.in_srcmsk = n_hostmask(srcnetm); + } else { + if (srchost) { + ipn.in_srcip = hostnum(srchost, &resolved, linenum); + if (resolved == -1) + return NULL; + } + if (srcnetm) + ipn.in_srcmsk = n_hostmask(srcnetm); + ipn.in_inip = hostnum(dhost, &resolved, linenum); + if (resolved == -1) + return NULL; + ipn.in_inmsk = n_hostmask("255.255.255.255"); + ipn.in_outip = hostnum(shost, &resolved, linenum); + if (resolved == -1) + return NULL; + ipn.in_outmsk = n_hostmask(snetm); + if (!(s = strtok(NULL, " \t"))) { + ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */ + proto = "tcp"; + } else { + if (!strcasecmp(s, "tcp")) + ipn.in_flags = IPN_TCP; + else if (!strcasecmp(s, "udp")) + ipn.in_flags = IPN_UDP; + else if (!strcasecmp(s, "tcp/udp")) + ipn.in_flags = IPN_TCPUDP; + else if (!strcasecmp(s, "tcpudp")) + ipn.in_flags = IPN_TCPUDP; + else if (!strcasecmp(s, "ip")) + ipn.in_flags = IPN_ANY; + else { + fprintf(stderr, + "%d: expected protocol - got \"%s\"\n", + linenum, s); + return NULL; + } + proto = s; 
+ if ((s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: extra junk at the end of rdr: %s\n", + linenum, s); + return NULL; + } + } + ipn.in_pmin = n_portnum(dport, proto, linenum); + ipn.in_pmax = ipn.in_pmin; + ipn.in_pnext = n_portnum(tport, proto, linenum); + s = NULL; + } + ipn.in_inip &= ipn.in_inmsk; + if ((ipn.in_flags & IPN_RANGE) == 0) + ipn.in_outip &= ipn.in_outmsk; + ipn.in_srcip &= ipn.in_srcmsk; + + if ((ipn.in_redir & NAT_MAPBLK) != 0) + nat_setgroupmap(&ipn); + + if (!s) + return &ipn; + + if (ipn.in_redir == NAT_BIMAP) { + fprintf(stderr, + "%d: extra words at the end of bimap line: %s\n", + linenum, s); + return NULL; + } + if (!strcasecmp(s, "proxy")) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing parameter for \"proxy\"\n", + linenum); + return NULL; + } + dport = NULL; + + if (!strcasecmp(s, "port")) { + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing parameter for \"port\"\n", + linenum); + return NULL; + } + + dport = s; + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: missing parameter for \"proxy\"\n", + linenum); + return NULL; + } + } else { + fprintf(stderr, + "%d: missing keyword \"port\"\n", linenum); + return NULL; + } + if ((proto = index(s, '/'))) { + *proto++ = '\0'; + if ((pr = getprotobyname(proto))) + ipn.in_p = pr->p_proto; + else + ipn.in_p = atoi(proto); + if (dport) + ipn.in_dport = n_portnum(dport, proto, linenum); + } else { + ipn.in_p = 0; + if (dport) + ipn.in_dport = n_portnum(dport, NULL, linenum); + } + + (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel)); + if ((s = strtok(NULL, " \t"))) { + fprintf(stderr, + "%d: too many parameters for \"proxy\"\n", + linenum); + return NULL; + } + return &ipn; + + } + + if (strcasecmp(s, "portmap")) { + fprintf(stderr, + "%d: expected \"portmap\" - got \"%s\"\n", linenum, s); + return NULL; + } + if (!(s = strtok(NULL, " \t"))) + return NULL; + if (!strcasecmp(s, "tcp")) + ipn.in_flags = IPN_TCP; + else if 
(!strcasecmp(s, "udp")) + ipn.in_flags = IPN_UDP; + else if (!strcasecmp(s, "tcpudp")) + ipn.in_flags = IPN_TCPUDP; + else if (!strcasecmp(s, "tcp/udp")) + ipn.in_flags = IPN_TCPUDP; + else { + fprintf(stderr, + "%d: expected protocol name - got \"%s\"\n", + linenum, s); + return NULL; + } + + if (!(s = strtok(NULL, " \t"))) { + fprintf(stderr, "%d: no port range found\n", linenum); + return NULL; + } + + if (!strcasecmp(s, "auto")) { + ipn.in_flags |= IPN_AUTOPORTMAP; + ipn.in_pmin = htons(1024); + ipn.in_pmax = htons(65535); + nat_setgroupmap(&ipn); + return &ipn; + } + proto = s; + if (!(t = strchr(s, ':'))) { + fprintf(stderr, "%d: no port range in \"%s\"\n", linenum, s); + return NULL; + } + *t++ = '\0'; + ipn.in_pmin = n_portnum(s, proto, linenum); + ipn.in_pmax = n_portnum(t, proto, linenum); + return &ipn; +} + + +void natparsefile(fd, file, opts) +int fd; +char *file; +int opts; +{ + char line[512], *s; + ipnat_t *np; + FILE *fp; + int linenum = 0; + + if (strcmp(file, "-")) { + if (!(fp = fopen(file, "r"))) { + fprintf(stderr, "%s: open: %s\n", file, + STRERROR(errno)); + exit(1); + } + } else + fp = stdin; + + while (fgets(line, sizeof(line) - 1, fp)) { + linenum++; + line[sizeof(line) - 1] = '\0'; + if ((s = strchr(line, '\n'))) + *s = '\0'; + + if (!(np = natparse(line, linenum))) { + if (*line) + fprintf(stderr, "%d: syntax error in \"%s\"\n", + linenum, line); + } else { + if ((opts & OPT_VERBOSE) && np) + printnat(np, opts & OPT_VERBOSE, NULL); + if (!(opts & OPT_NODO)) { + if (!(opts & OPT_REM)) { + if (ioctl(fd, SIOCADNAT, np) == -1) + perror("ioctl(SIOCADNAT)"); + } else if (ioctl(fd, SIOCRMNAT, np) == -1) + perror("ioctl(SIOCRMNAT)"); + } + } + } + if (fp != stdin) + fclose(fp); +} + + +u_32_t n_hostmask(msk) +char *msk; +{ + int bits = -1; + u_32_t mask; + + if (!isdigit(*msk)) + return (u_32_t)-1; + if (strchr(msk, '.')) + return inet_addr(msk); + if (strchr(msk, 'x')) + return (u_32_t)strtol(msk, NULL, 0); + /* + * set x most significant bits 
+ */ + for (mask = 0, bits = atoi(msk); bits; bits--) { + mask /= 2; + mask |= ntohl(inet_addr("128.0.0.0")); + } + mask = htonl(mask); + return mask; +} + + +u_short n_portnum(name, proto, linenum) +char *name, *proto; +int linenum; +{ + struct servent *sp, *sp2; + u_short p1 = 0; + + if (isdigit(*name)) + return htons((u_short)atoi(name)); + if (!proto) + proto = "tcp/udp"; + if (strcasecmp(proto, "tcp/udp")) { + sp = getservbyname(name, proto); + if (sp) + return sp->s_port; + fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); + return 0; + } + sp = getservbyname(name, "tcp"); + if (sp) + p1 = sp->s_port; + sp2 = getservbyname(name, "udp"); + if (!sp || !sp2) { + fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", + linenum, name); + return 0; + } + if (p1 != sp2->s_port) { + fprintf(stderr, "%d: %s %d/tcp is a different port to ", + linenum, name, p1); + fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); + return 0; + } + return p1; +} diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c index 4ed646b..78e34a2 100644 --- a/contrib/ipfilter/opt.c +++ b/contrib/ipfilter/opt.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -27,7 +27,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: opt.c,v 2.0.2.9.2.1 1997/11/12 10:58:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: opt.c,v 2.1 1999/08/04 17:30:15 darrenr Exp $"; #endif extern int opts; diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 76ee474..77d867f 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c 
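Review bot: natparse() never checks what n_portnum() returns, so an unknown service name prints "unknown service" but the rule is still built with the port set to 0 and, in natparsefile(), pushed into the kernel with `ioctl(fd, SIOCADNAT, np)`; after `ipn.in_pmin = n_portnum(dport, proto, linenum);` and `ipn.in_pnext = n_portnum(tport, proto, linenum);` in the rdr branch (and the two portmap assignments near the end) a `if (... == 0) return NULL;` would make the printed error actually reject the line. In the same helper the numeric path `return htons((u_short)atoi(name));` silently truncates anything above 65535 (`port 70000` becomes 4464) and accepts trailing junk; a `strtol` with an end-pointer and a 0..65535 range check, as the parse.c changes in this commit do for ttl, would close that. Note also that natparsefile() reads with `fgets(line, sizeof(line) - 1, fp)`, so a rule longer than 510 bytes is split and its tail parsed as a second, bogus rule rather than reported.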
@@ -1,12 +1,10 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ -#include <stdio.h> -#include <string.h> #include <sys/types.h> #if !defined(__SVR4) && !defined(__svr4__) #include <strings.h> 
@@ -15,57 +13,66 @@ #endif #include <sys/param.h> #include <sys/time.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif +#include <stdio.h> +#include <string.h> +#include <limits.h> +#include <stdlib.h> +#include <unistd.h> +#include <stddef.h> #include <netdb.h> #include <arpa/nameser.h> #include <arpa/inet.h> #include <resolv.h> #include <ctype.h> +#include <syslog.h> #include "ip_compat.h" #include "ip_fil.h" #include "ipf.h" +#include "facpri.h" #if !defined(lint) -static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $"; +static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; +static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.1 1999/09/11 05:32:10 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; extern int opts; -u_short portnum __P((char *)); -u_char tcp_flags __P((char *, u_char *)); -int addicmp __P((char ***, struct frentry *)); -int extras __P((char ***, struct frentry *)); +int portnum __P((char *, u_short *, int)); +u_char tcp_flags __P((char *, u_char *, int)); +int addicmp __P((char ***, struct frentry *, int)); +int extras __P((char ***, struct frentry *, int)); char ***seg; u_long *sa, *msk; u_short *pp, *tp; u_char *cp; int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, u_char *, - u_short *)); -int ports __P((char ***, u_short *, u_char *, u_short *)); -int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *)); -int to_interface __P((frdest_t *, char *)); + u_short *, int)); +int ports __P((char ***, u_short *, u_char *, u_short *, int)); +int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int)); +int to_interface 
__P((frdest_t *, char *, int)); void print_toif __P((char *, frdest_t *)); -void optprint __P((u_short, u_short, u_long, u_long)); +void optprint __P((u_short *, u_long, u_long)); int countbits __P((u_32_t)); char *portname __P((int, int)); +int ratoi __P((char *, int *, int, int)); char *proto = NULL; char flagset[] = "FSRPAU"; u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; -static char thishost[64]; +static char thishost[MAXHOSTNAMELEN]; void initparse() @@ -79,12 +86,13 @@ void initparse() * * parse a line read from the input filter rule file */ -struct frentry *parse(line) +struct frentry *parse(line, linenum) char *line; +int linenum; { static struct frentry fil; struct protoent *p = NULL; - char *cps[31], **cpp; + char *cps[31], **cpp, *endptr; u_char ch; int i, cnt = 1; @@ -96,6 +104,8 @@ char *line; bzero((char *)&fil, sizeof(fil)); fil.fr_mip.fi_v = 0xf; fil.fr_ip.fi_v = 4; + fil.fr_loglevel = 0xffff; + /* * break line up into max of 20 segments */ @@ -106,7 +116,7 @@ char *line; cps[i] = NULL; if (cnt < 3) { - (void)fprintf(stderr,"not enough segments in line\n"); + fprintf(stderr, "%d: not enough segments in line\n", linenum); return NULL; } @@ -117,15 +127,18 @@ char *line; if (!strcasecmp("block", *cpp)) { fil.fr_flags |= FR_BLOCK; - if (!strncasecmp(*(cpp+1), "return-icmp", 11)) { + if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19)) + fil.fr_flags |= FR_FAKEICMP; + else if (!strncasecmp(*(cpp+1), "return-icmp", 11)) fil.fr_flags |= FR_RETICMP; + if (fil.fr_flags & FR_RETICMP) { cpp++; if (*(*cpp + 11) == '(') { i = icmpcode(*cpp + 12); if (i == -1) { fprintf(stderr, - "uncrecognised icmp code %s\n", - *cpp + 12); + "%d: unrecognised icmp code %s\n", + linenum, *cpp + 12); return NULL; } fil.fr_icode = i; 
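Review bot: In the block/return-icmp hunk the optional ICMP code is still looked for at a fixed offset, `if (*(*cpp + 11) == '(')` / `icmpcode(*cpp + 12)`, which is the length of `return-icmp`; for the new `return-icmp-as-dest` keyword offset 11 lands on the `-` of `-as-dest`, so a code in parentheses is never parsed even though the BNF in this commit allows `icmp [return-code]` for both forms. Computing the offset from the keyword that matched fixes it with a `char *` temporary: `t = *cpp + (strncasecmp(*cpp, "return-icmp-as-dest", 19) ? 11 : 19);` then `if (*t == '(') { i = icmpcode(t + 1);`. This also assumes FR_FAKEICMP includes the FR_RETICMP bit (the `if (fil.fr_flags & FR_RETICMP)` guard is what advances `cpp` past the keyword); if it does not, the `-as-dest` keyword is never consumed at all, which is worth verifying against ip_fil.h.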
@@ -144,11 +157,13 @@ char *line; fil.fr_flags |= FR_PREAUTH; } else if (!strcasecmp("skip", *cpp)) { cpp++; - if (!isdigit(**cpp)) { - (void)fprintf(stderr, "integer must follow skip\n"); + if (ratoi(*cpp, &i, 0, USHRT_MAX)) + fil.fr_skip = i; + else { + fprintf(stderr, "%d: integer must follow skip\n", + linenum); return NULL; } - fil.fr_skip = atoi(*cpp); } else if (!strcasecmp("log", *cpp)) { fil.fr_flags |= FR_LOG; if (!strcasecmp(*(cpp+1), "body")) { @@ -157,13 +172,45 @@ char *line; } if (!strcasecmp(*(cpp+1), "first")) { fil.fr_flags |= FR_LOGFIRST; + } + if (!strcasecmp(*(cpp+1), "level")) { + int fac, pri; + char *s; + + fac = 0; + pri = 0; + cpp++; + s = index(*cpp, '.'); + if (s) { + *s++ = '\0'; + fac = fac_findname(*cpp); + if (fac == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown facility", *cpp); + return NULL; + } + pri = pri_findname(s); + if (pri == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown priority", s); + return NULL; + } + } else { + pri = pri_findname(*cpp); + if (pri == -1) { + fprintf(stderr, "%d: %s %s\n", linenum, + "Unknown priority", *cpp); + return NULL; + } + } + fil.fr_loglevel = fac|pri; cpp++; } } else { /* * Doesn't start with one of the action words */ - (void)fprintf(stderr, "unknown keyword (%s)\n", *cpp); + fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp); return NULL; } cpp++; 
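Review bot: As the `level` hunk reads, the new branch parses the keyword itself rather than its argument: the sibling `body`/`first` branches leave `cpp` on the last consumed token and test `*(cpp+1)`, so after the single `cpp++` here `*cpp` is the string `"level"`, and `index(*cpp, '.')` and `pri_findname(*cpp)` run on that, which should make every `log level ...` rule fail with "Unknown priority level" and leave the real level token to trip the `in`/`out` check. The fix is to step over the keyword before reading, `cpp += 2;`, guard the missing-argument case, `if (!*cpp) { fprintf(stderr, "%d: missing log level\n", linenum); return NULL; }`, and drop the trailing `cpp++` after `fil.fr_loglevel = fac|pri;` so the block, like its siblings, leaves `cpp` on the consumed value. I cannot see the segmentation loop from here, so this is worth confirming with a quick `ipf -n` run on `pass in log level local0.info all`.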
@@ -173,17 +220,19 @@ char *line; else if (!strcasecmp("out", *cpp)) { fil.fr_flags |= FR_OUTQUE; if (fil.fr_flags & FR_RETICMP) { - (void)fprintf(stderr, - "Can only use return-icmp with 'in'\n"); + fprintf(stderr, + "%d: Can only use return-icmp with 'in'\n", + linenum); return NULL; } else if (fil.fr_flags & FR_RETRST) { - (void)fprintf(stderr, - "Can only use return-rst with 'in'\n"); + fprintf(stderr, + "%d: Can only use return-rst with 'in'\n", + linenum); return NULL; } } else { - (void)fprintf(stderr, - "missing 'in'/'out' keyword (%s)\n", *cpp); + fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n", + linenum, *cpp); return NULL; } if (!*++cpp) @@ -205,8 +254,9 @@ char *line; } if (!strcasecmp(*cpp, "or-block")) { if (!(fil.fr_flags & FR_PASS)) { - (void)fprintf(stderr, - "or-block must be used with pass\n"); + fprintf(stderr, + "%d: or-block must be used with pass\n", + linenum); return NULL; } fil.fr_flags |= FR_LOGORBLOCK; @@ -222,17 +272,18 @@ char *line; *fil.fr_ifname = '\0'; if (*cpp && !strcasecmp(*cpp, "on")) { if (!*++cpp) { - (void)fprintf(stderr, "interface name missing\n"); + fprintf(stderr, "%d: interface name missing\n", + linenum); return NULL; } (void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1); fil.fr_ifname[IFNAMSIZ-1] = '\0'; cpp++; if (!*cpp) { - if (fil.fr_flags & FR_RETRST) { - (void)fprintf(stderr, - "%s can only be used with TCP\n", - "return-rst"); + if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) { + fprintf(stderr, + "%d: %s can only be used with TCP\n", + linenum, "return-rst"); return NULL; } return &fil; 
@@ -241,16 +292,22 @@ char *line; if (*cpp) { if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) { cpp++; - if (to_interface(&fil.fr_dif, *cpp)) + if (to_interface(&fil.fr_dif, *cpp, linenum)) return NULL; cpp++; } if (!strcasecmp(*cpp, "to") && *(cpp + 1)) { cpp++; - if (to_interface(&fil.fr_tif, *cpp)) + if (to_interface(&fil.fr_tif, *cpp, linenum)) return NULL; cpp++; } else if (!strcasecmp(*cpp, "fastroute")) { + if (!(fil.fr_flags & FR_INQUE)) { + fprintf(stderr, + "can only use %s with 'in'\n", + "fastroute"); + return NULL; + } fil.fr_flags |= FR_FASTROUTE; cpp++; } @@ -258,7 +315,7 @@ char *line; } if (*cpp && !strcasecmp(*cpp, "tos")) { if (!*++cpp) { - (void)fprintf(stderr, "tos missing value\n"); + fprintf(stderr, "%d: tos missing value\n", linenum); return NULL; } fil.fr_tos = strtol(*cpp, NULL, 0); @@ -268,10 +325,17 @@ char *line; if (*cpp && !strcasecmp(*cpp, "ttl")) { if (!*++cpp) { - (void)fprintf(stderr, "ttl missing hopcount value\n"); + fprintf(stderr, "%d: ttl missing hopcount value\n", + linenum); + return NULL; + } + if (ratoi(*cpp, &i, 0, 255)) + fil.fr_ttl = i; + else { + fprintf(stderr, "%d: invalid ttl (%s)\n", + linenum, *cpp); return NULL; } - fil.fr_ttl = atoi(*cpp); fil.fr_mip.fi_ttl = 0xff; cpp++; } 
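Review bot: The new `fastroute` error in the dup-to/to hunk is the only diagnostic in this commit's parse.c changes printed without the line-number prefix the commit adds everywhere else; it should be `fprintf(stderr, "%d: can only use %s with 'in'\n", linenum, "fastroute");`. In the same hunk, after the `dup-to` branch consumes its interface with `cpp++`, `*cpp` is NULL when `dup-to` was the last token and the following `if (!strcasecmp(*cpp, "to") && *(cpp + 1))` dereferences it; that predates the commit, but since the hunk touches the line a `*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)` guard would close it cheaply. The ttl hunk's `ratoi(*cpp, &i, 0, 255)` is the right shape; `fil.fr_tos = strtol(*cpp, NULL, 0);` just above it still accepts out-of-range and non-numeric values silently and could use the same helper.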
@@ -282,37 +346,39 @@ char *line; proto = NULL; if (*cpp && !strcasecmp(*cpp, "proto")) { if (!*++cpp) { - (void)fprintf(stderr, "protocol name missing\n"); + fprintf(stderr, "%d: protocol name missing\n", linenum); return NULL; } - if (!strcasecmp(*cpp, "tcp/udp")) { + proto = *cpp++; + if (!strcasecmp(proto, "tcp/udp")) { fil.fr_ip.fi_fl |= FI_TCPUDP; fil.fr_mip.fi_fl |= FI_TCPUDP; } else { - if (!(p = getprotobyname(*cpp)) && !isdigit(**cpp)) { - (void)fprintf(stderr, - "unknown protocol (%s)\n", *cpp); + if (!(p = getprotobyname(proto)) && !isdigit(*proto)) { + fprintf(stderr, + "%d: unknown protocol (%s)\n", + linenum, proto); return NULL; } if (p) fil.fr_proto = p->p_proto; - else if (isdigit(**cpp)) - fil.fr_proto = atoi(*cpp); + else if (isdigit(*proto)) { + i = (int)strtol(proto, &endptr, 0); + if (*endptr != '\0' || i < 0 || i > 255) { + fprintf(stderr, + "%d: unknown protocol (%s)\n", + linenum, proto); + return NULL; + } + fil.fr_proto = i; + } fil.fr_mip.fi_p = 0xff; } - proto = *cpp; - if (fil.fr_proto != IPPROTO_TCP && fil.fr_flags & FR_RETRST) { - (void)fprintf(stderr, - "%s can only be used with TCP\n", - "return-rst"); - return NULL; - } - if (!*++cpp) - return &fil; } - if (fil.fr_proto != IPPROTO_TCP && fil.fr_flags & FR_RETRST) { - (void)fprintf(stderr, "%s can only be used with TCP\n", - "return-rst"); + if ((fil.fr_proto != IPPROTO_TCP) && + ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) { + fprintf(stderr, "%d: %s can only be used with TCP\n", + linenum, "return-rst"); return NULL; } @@ -321,7 +387,7 @@ char *line; */ if (!*cpp) { - fprintf(stderr, "missing source specification\n"); + fprintf(stderr, "%d: missing source specification\n", linenum); return NULL; } if (!strcasecmp(*cpp, "all")) { 
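Review bot: The numeric protocol check narrows before it compares: `i = (int)strtol(proto, &endptr, 0)` truncates on LP64 targets, so `proto 4294967302` passes the 0–255 test as 6 and silently becomes a TCP rule. Keep the `long` until after the range check, e.g. `l = strtol(proto, &endptr, 0); if (*endptr != '\0' || l < 0 || l > 255) { ... return NULL; } fil.fr_proto = l;`. Note also that dropping `if (!*++cpp) return &fil;` means a rule that ends right after `proto X` now falls through to the `missing source specification` error instead of being accepted as before; if that tightening is intended it deserves a mention in the man page. parse() begins and ends outside the hunk.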
@@ -330,12 +396,13 @@ char *line; return &fil; } else { if (strcasecmp(*cpp, "from")) { - (void)fprintf(stderr, - "unexpected keyword (%s) - from\n", *cpp); + fprintf(stderr, "%d: unexpected keyword (%s) - from\n", + linenum, *cpp); return NULL; } if (!*++cpp) { - (void)fprintf(stderr, "missing host after from\n"); + fprintf(stderr, "%d: missing host after from\n", + linenum); return NULL; } ch = 0; @@ -345,13 +412,12 @@ char *line; } if (hostmask(&cpp, (u_32_t *)&fil.fr_src, (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch, - &fil.fr_stop)) { - (void)fprintf(stderr, "bad host (%s)\n", *cpp); + &fil.fr_stop, linenum)) { return NULL; } fil.fr_scmp = ch; if (!*cpp) { - (void)fprintf(stderr, "missing to fields\n"); + fprintf(stderr, "%d: missing to fields\n", linenum); return NULL; } @@ -359,12 +425,12 @@ char *line; * do the same for the to field (destination host) */ if (strcasecmp(*cpp, "to")) { - (void)fprintf(stderr, - "unexpected keyword (%s) - to\n", *cpp); + fprintf(stderr, "%d: unexpected keyword (%s) - to\n", + linenum, *cpp); return NULL; } if (!*++cpp) { - (void)fprintf(stderr, "missing host after to\n"); + fprintf(stderr, "%d: missing host after to\n", linenum); return NULL; } ch = 0; @@ -374,8 +440,7 @@ char *line; } if (hostmask(&cpp, (u_32_t *)&fil.fr_dst, (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch, - &fil.fr_dtop)) { - (void)fprintf(stderr, "bad host (%s)\n", *cpp); + &fil.fr_dtop, linenum)) { return NULL; } fil.fr_dcmp = ch; @@ -387,11 +452,12 @@ char *line; */ if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) && fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) { - (void)fprintf(stderr, "port operation on non tcp/udp\n"); + fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum); return NULL; } if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) { - (void)fprintf(stderr, "icmp comparisons on wrong protocol\n"); + fprintf(stderr, "%d: icmp comparisons on wrong protocol\n", + linenum); return NULL; } 
@@ -400,10 +466,10 @@ char *line; if (*cpp && !strcasecmp(*cpp, "flags")) { if (!*++cpp) { - (void)fprintf(stderr, "no flags present\n"); + fprintf(stderr, "%d: no flags present\n", linenum); return NULL; } - fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm); + fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum); cpp++; } @@ -411,7 +477,7 @@ char *line; * extras... */ if (*cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and"))) - if (extras(&cpp, &fil)) + if (extras(&cpp, &fil, linenum)) return NULL; /* @@ -419,12 +485,12 @@ char *line; */ if (*cpp && !strcasecmp(*cpp, "icmp-type")) { if (fil.fr_proto != IPPROTO_ICMP) { - (void)fprintf(stderr, - "icmp with wrong protocol (%d)\n", - fil.fr_proto); + fprintf(stderr, + "%d: icmp with wrong protocol (%d)\n", + linenum, fil.fr_proto); return NULL; } - if (addicmp(&cpp, &fil)) + if (addicmp(&cpp, &fil, linenum)) return NULL; fil.fr_icmp = htons(fil.fr_icmp); fil.fr_icmpm = htons(fil.fr_icmpm); @@ -434,7 +500,7 @@ char *line; * Keep something... */ while (*cpp && !strcasecmp(*cpp, "keep")) - if (addkeep(&cpp, &fil)) + if (addkeep(&cpp, &fil, linenum)) return NULL; /* @@ -442,10 +508,16 @@ char *line; */ if (*cpp && !strcasecmp(*cpp, "head")) { if (!*++cpp) { - (void)fprintf(stderr, "head without group #\n"); + fprintf(stderr, "%d: head without group #\n", linenum); + return NULL; + } + if (ratoi(*cpp, &i, 0, USHRT_MAX)) + fil.fr_grhead = i; + else { + fprintf(stderr, "%d: invalid group (%s)\n", + linenum, *cpp); return NULL; } - fil.fr_grhead = atoi(*cpp); cpp++; } @@ -454,10 +526,17 @@ char *line; */ if (*cpp && !strcasecmp(*cpp, "group")) { if (!*++cpp) { - (void)fprintf(stderr, "group without group #\n"); + fprintf(stderr, "%d: group without group #\n", + linenum); return NULL; } - fil.fr_group = atoi(*cpp); + if (ratoi(*cpp, &i, 0, USHRT_MAX)) + fil.fr_group = i; + else { + fprintf(stderr, "%d: invalid group (%s)\n", + linenum, *cpp); + return NULL; + } cpp++; } 
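Review bot: A bad `flags` spec is still not a parse error: `fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);` ignores the 0 that tcp_flags returns for an unknown flag (the later hunk shows it printing to stderr and returning before the mask is stored), so a typo such as `flags X/SA` yields a rule with no flag test at all, which for a `pass` rule admits every TCP packet. Since a flags clause that tests nothing is never meaningful, reject that outcome after the call (assuming `fil` is zeroed at the top of parse()): `if (!fil.fr_tcpf && !fil.fr_tcpfm) return NULL;`, or give tcp_flags an explicit error out-parameter. The head/group hunks below correctly bound their numbers with ratoi. parse() starts and ends outside these hunks.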
@@ -465,10 +544,10 @@ char *line; * leftovers...yuck */ if (*cpp && **cpp) { - fprintf(stderr, "unknown words at end: ["); + fprintf(stderr, "%d: unknown words at end: [", linenum); for (; *cpp; cpp++) - (void)fprintf(stderr, "%s ", *cpp); - (void)fprintf(stderr, "]\n"); + fprintf(stderr, "%s ", *cpp); + fprintf(stderr, "]\n"); return NULL; } @@ -476,7 +555,7 @@ char *line; * lazy users... */ if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) { - (void)fprintf(stderr, "TCP protocol not specified\n"); + fprintf(stderr, "%d: TCP protocol not specified\n", linenum); return NULL; } if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) && @@ -485,16 +564,18 @@ char *line; fil.fr_ip.fi_fl |= FI_TCPUDP; fil.fr_mip.fi_fl |= FI_TCPUDP; } else { - (void)fprintf(stderr, - "port comparisons for non-TCP/UDP\n"); + fprintf(stderr, + "%d: port comparisons for non-TCP/UDP\n", + linenum); return NULL; } } /* if ((fil.fr_flags & FR_KEEPFRAG) && (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) { - (void)fprintf(stderr, - "must use 'with frags' with 'keep frags'\n"); + fprintf(stderr, + "%d: must use 'with frags' with 'keep frags'\n", + linenum); return NULL; } */ @@ -502,9 +583,10 @@ char *line; } -int to_interface(fdp, to) +int to_interface(fdp, to, linenum) frdest_t *fdp; char *to; +int linenum; { int r = 0; char *s; @@ -513,7 +595,7 @@ char *to; fdp->fd_ifp = NULL; if (s) { *s++ = '\0'; - fdp->fd_ip.s_addr = hostnum(s, &r); + fdp->fd_ip.s_addr = hostnum(s, &r, linenum); if (r == -1) return -1; } 
@@ -527,81 +609,101 @@ void print_toif(tag, fdp) char *tag; frdest_t *fdp; { - (void)printf("%s %s%s", tag, fdp->fd_ifname, + printf("%s %s%s", tag, fdp->fd_ifname, (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)"); if (fdp->fd_ip.s_addr) - (void)printf(":%s", inet_ntoa(fdp->fd_ip)); + printf(":%s", inet_ntoa(fdp->fd_ip)); putchar(' '); } /* - * returns false if neither "hostmask/num" or "hostmask mask addr" are - * found in the line segments + * returns -1 if neither "hostmask/num" or "hostmask mask addr" are + * found in the line segments, there is an error processing this information, + * or there is an error processing ports information. */ -int hostmask(seg, sa, msk, pp, cp, tp) +int hostmask(seg, sa, msk, pp, cp, tp, linenum) char ***seg; u_32_t *sa, *msk; u_short *pp, *tp; u_char *cp; +int linenum; { - char *s; + char *s, *endptr; int bits = -1, resolved; + struct in_addr maskaddr; /* * is it possibly hostname/num ? */ if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) { *s++ = '\0'; - if (!isdigit(*s)) - return -1; - if (index(s, '.')) - *msk = inet_addr(s); - if (!index(s, '.') && !index(s, 'x')) { + if (index(s, '.') || index(s, 'x')) { + /* possibly of the form xxx.xxx.xxx.xxx + * or 0xYYYYYYYY */ + if (inet_aton(s, &maskaddr) == 0) { + fprintf(stderr, "%d: bad mask (%s)\n", + linenum, s); + return -1; + } + *msk = maskaddr.s_addr; + } else { /* * set x most significant bits */ - for (bits = atoi(s); bits; bits--) { - *msk /= 2; - *msk |= ntohl(inet_addr("128.0.0.0")); - } - *msk = htonl(*msk); - } else { - if (inet_aton(s, (struct in_addr *)msk) == -1) + bits = (int)strtol(s, &endptr, 0); + if (*endptr != '\0' || bits > 32 || bits < 0) { + fprintf(stderr, "%d: bad mask (/%s)\n", + linenum, s); return -1; + } + if (bits == 0) + *msk = 0; + else + *msk = htonl(0xffffffff << (32 - bits)); } - *sa = hostnum(**seg, &resolved) & *msk; - if (resolved == -1) + *sa = hostnum(**seg, &resolved, linenum) & *msk; + if (resolved == -1) { + fprintf(stderr, 
"%d: bad host (%s)\n", linenum, **seg); return -1; + } (*seg)++; - return ports(seg, pp, cp, tp); + return ports(seg, pp, cp, tp, linenum); } /* * look for extra segments if "mask" found in right spot */ if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) { - *sa = hostnum(**seg, &resolved); - if (resolved == -1) + *sa = hostnum(**seg, &resolved, linenum); + if (resolved == -1) { + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); return -1; + } (*seg)++; (*seg)++; - if (inet_aton(**seg, (struct in_addr *)msk) == -1) + if (inet_aton(**seg, &maskaddr) == 0) { + fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg); return -1; + } + *msk = maskaddr.s_addr; (*seg)++; *sa &= *msk; - return ports(seg, pp, cp, tp); + return ports(seg, pp, cp, tp, linenum); } if (**seg) { - *sa = hostnum(**seg, &resolved); - if (resolved == -1) + *sa = hostnum(**seg, &resolved, linenum); + if (resolved == -1) { + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); return -1; + } (*seg)++; *msk = (*sa ? inet_addr("255.255.255.255") : 0L); *sa &= *msk; - return ports(seg, pp, cp, tp); + return ports(seg, pp, cp, tp, linenum); } + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); return -1; } 
@@ -609,25 +711,29 @@ u_char *cp; * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ -u_32_t hostnum(host, resolved) +u_32_t hostnum(host, resolved, linenum) char *host; int *resolved; +int linenum; { struct hostent *hp; struct netent *np; + struct in_addr ip; *resolved = 0; - if (!strcasecmp("any",host)) - return 0L; - if (isdigit(*host)) - return inet_addr(host); + if (!strcasecmp("any", host)) + return 0; + if (isdigit(*host) && inet_aton(host, &ip)) + return ip.s_addr; + if (!strcasecmp("<thishost>", host)) host = thishost; if (!(hp = gethostbyname(host))) { if (!(np = getnetbyname(host))) { *resolved = -1; - fprintf(stderr, "can't resolve hostname: %s\n", host); + fprintf(stderr, "%d: can't resolve hostname: %s\n", + linenum, host); return 0; } return htonl(np->n_net); @@ -638,10 +744,11 @@ int *resolved; /* * check for possible presence of the port fields in the line */ -int ports(seg, pp, cp, tp) +int ports(seg, pp, cp, tp, linenum) char ***seg; u_short *pp, *tp; u_char *cp; +int linenum; { int comp = -1; @@ -650,14 +757,27 @@ u_char *cp; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; if (isdigit(***seg) && *(*seg + 2)) { - *pp = portnum(**seg); + if (portnum(**seg, pp, linenum) == 0) + return -1; (*seg)++; if (!strcmp(**seg, "<>")) comp = FR_OUTRANGE; else if (!strcmp(**seg, "><")) comp = FR_INRANGE; + else { + fprintf(stderr, + "%d: unknown range operator (%s)\n", + linenum, **seg); + return -1; + } (*seg)++; - *tp = portnum(**seg); + if (**seg == NULL) { + fprintf(stderr, "%d: missing 2nd port value\n", + linenum); + return -1; + } + if (portnum(**seg, tp, linenum) == 0) + return -1; } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) comp = FR_EQUAL; else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) 
@@ -671,13 +791,14 @@ u_char *cp; else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) comp = FR_GREATERTE; else { - (void)fprintf(stderr,"unknown comparator (%s)\n", - **seg); + fprintf(stderr, "%d: unknown comparator (%s)\n", + linenum, **seg); return -1; } if (comp != FR_OUTRANGE && comp != FR_INRANGE) { (*seg)++; - *pp = portnum(**seg); + if (portnum(**seg, pp, linenum) == 0) + return -1; } *cp = comp; (*seg)++; 
@@ -687,47 +808,57 @@ u_char *cp; /* * find the port number given by the name, either from getservbyname() or - * straight atoi() + * straight atoi(). Return 1 on success, 0 on failure */ -u_short portnum(name) +int portnum(name, port, linenum) char *name; +u_short *port; +int linenum; { struct servent *sp, *sp2; u_short p1 = 0; - - if (isdigit(*name)) - return (u_short)atoi(name); - if (!proto) - proto = "tcp/udp"; - if (strcasecmp(proto, "tcp/udp")) { + int i; + if (isdigit(*name)) { + if (ratoi(name, &i, 0, USHRT_MAX)) { + *port = (u_short)i; + return 1; + } + fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name); + return 0; + } + if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) { sp = getservbyname(name, proto); - if (sp) - return ntohs(sp->s_port); - (void) fprintf(stderr, "unknown service \"%s\".\n", name); + if (sp) { + *port = ntohs(sp->s_port); + return 1; + } + fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); return 0; } sp = getservbyname(name, "tcp"); - if (sp) + if (sp) p1 = sp->s_port; sp2 = getservbyname(name, "udp"); if (!sp || !sp2) { - (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n", - name); + fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", + linenum, name); return 0; } if (p1 != sp2->s_port) { - (void) fprintf(stderr, "%s %d/tcp is a different port to ", - name, p1); - (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port); + fprintf(stderr, "%d: %s %d/tcp is a different port to ", + linenum, name, p1); + fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); return 0; } - return ntohs(p1); + *port = ntohs(p1); + return 1; } -u_char tcp_flags(flgs, mask) +u_char tcp_flags(flgs, mask, linenum) char *flgs; u_char *mask; +int linenum; { u_char tcpf = 0, tcpfm = 0, *fp = &tcpf; char *s, *t; 
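Review bot: The tcp/udp mismatch diagnostic prints the wrong values: the second `fprintf` uses `sp->s_port`, which is the tcp servent, so the `/udp` figure repeats the tcp port (it should be `sp2->s_port`), both numbers are emitted in network byte order without `ntohs()`, and splitting the message over two calls now repeats the `%d: ` line prefix mid-sentence. A single call fixes all three: `fprintf(stderr, "%d: %s %d/tcp is a different port to %s %d/udp\n", linenum, name, ntohs(p1), name, ntohs(sp2->s_port));`. The comment above portnum still says `straight atoi()` although the code now goes through ratoi with a 0..USHRT_MAX bound; update it to `* ratoi() bounded to 0..USHRT_MAX. Return 1 on success, 0 on failure`. The tcp_flags definition at the end of the hunk continues outside it.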
@@ -738,7 +869,7 @@ u_char *mask; continue; } if (!(t = index(flagset, *s))) { - (void)fprintf(stderr, "unknown flag (%c)\n", *s); + fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s); return 0; } *fp |= flags[t - flagset]; @@ -753,9 +884,10 @@ u_char *mask; /* * deal with extra bits on end of the line */ -int extras(cp, fr) +int extras(cp, fr, linenum) char ***cp; struct frentry *fr; +int linenum; { u_short secmsk; u_long opts; @@ -789,18 +921,20 @@ struct frentry *fr; goto nextopt; } else if (***cp == 'o' || ***cp == 'O') { if (!*(*cp + 1)) { - (void)fprintf(stderr, - "opt missing arguements\n"); + fprintf(stderr, + "%d: opt missing arguements\n", + linenum); return -1; } (*cp)++; - if (!(opts = optname(cp, &secmsk))) + if (!(opts = optname(cp, &secmsk, linenum))) return -1; oflags = FI_OPTIONS; } else if (***cp == 's' || ***cp == 'S') { if (fr->fr_tcpf) { - (void) fprintf(stderr, - "short cannot be used with TCP flags\n"); + fprintf(stderr, + "%d: short cannot be used with TCP flags\n", + linenum); return -1; } @@ -813,13 +947,15 @@ struct frentry *fr; if (!notopt || !opts) fr->fr_mip.fi_fl |= oflags; - if (notopt) - if (!secmsk) + if (notopt) { + if (!secmsk) { fr->fr_mip.fi_optmsk |= opts; - else + } else { fr->fr_mip.fi_optmsk |= (opts & ~0x0100); - else + } + } else { fr->fr_mip.fi_optmsk |= opts; + } fr->fr_mip.fi_secmsk |= secmsk; if (notopt) { @@ -842,9 +978,10 @@ nextopt: } -u_32_t optname(cp, sp) +u_32_t optname(cp, sp, linenum) char ***cp; u_short *sp; +int linenum; { struct ipopt_names *io, *so; u_long msk = 0; @@ -859,7 +996,8 @@ u_short *sp; break; } if (!io->on_name) { - fprintf(stderr, "unknown IP option name %s\n", s); + fprintf(stderr, "%d: unknown IP option name %s\n", + linenum, s); return 0; } if (!strcasecmp(s, "sec-class")) @@ -867,7 +1005,8 @@ u_short *sp; } if (sec && !*(*cp + 1)) { - fprintf(stderr, "missing security level after sec-class\n"); + fprintf(stderr, "%d: missing security level after sec-class\n", + linenum); return 0; } 
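Review bot: The restructured `notopt` branch in extras() keeps an unexplained constant, `fr->fr_mip.fi_optmsk |= (opts & ~0x0100);`; from the neighbouring `secmsk` test it presumably clears the sec-class option bit, but that should be stated, e.g. `/* sec-class carries its own mask in fi_secmsk, so drop its option bit (0x0100) here -- confirm against ipopt_names */`, or better a named macro. The new `"%d: opt missing arguements\n"` message also carries the pre-existing misspelling of "arguments" into the line-numbered form. extras() starts and ends outside these hunks.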
@@ -880,8 +1019,9 @@ u_short *sp; break; } if (!so->on_name) { - fprintf(stderr, "no such security level: %s\n", - s); + fprintf(stderr, + "%d: no such security level: %s\n", + linenum, s); return 0; } } @@ -893,13 +1033,14 @@ u_short *sp; #ifdef __STDC__ -void optprint(u_short secmsk, u_short secbits, u_long optmsk, u_long optbits) +void optprint(u_short *sec, u_long optmsk, u_long optbits) #else -void optprint(secmsk, secbits, optmsk, optbits) -u_short secmsk, secbits; +void optprint(sec, optmsk, optbits) +u_short *sec; u_long optmsk, optbits; #endif { + u_short secmsk = sec[0], secbits = sec[1]; struct ipopt_names *io, *so; char *s; int secflag = 0; @@ -975,9 +1116,10 @@ char *icmptypes[] = { /* * set the icmp field to the correct type if "icmp" word is found */ -int addicmp(cp, fp) +int addicmp(cp, fp, linenum) char ***cp; struct frentry *fp; +int linenum; { char **t; int i; @@ -988,7 +1130,12 @@ struct frentry *fp; if (!fp->fr_proto) /* to catch lusers */ fp->fr_proto = IPPROTO_ICMP; if (isdigit(***cp)) { - i = atoi(**cp); + if (!ratoi(**cp, &i, 0, 255)) { + fprintf(stderr, + "%d: Invalid icmp-type (%s) specified\n", + linenum, **cp); + return -1; + } } else { for (t = icmptypes, i = 0; ; t++, i++) { if (!*t) @@ -1001,8 +1148,9 @@ struct frentry *fp; break; } if (i == -1) { - (void)fprintf(stderr, - "Invalid icmp-type (%s) specified\n", **cp); + fprintf(stderr, + "%d: Invalid icmp-type (%s) specified\n", + linenum, **cp); return -1; } } @@ -1016,12 +1164,19 @@ struct frentry *fp; return 0; (*cp)++; if (isdigit(***cp)) { - i = atoi(**cp); + if (!ratoi(**cp, &i, 0, 255)) { + fprintf(stderr, + "%d: Invalid icmp code (%s) specified\n", + linenum, **cp); + return -1; + } fp->fr_icmp |= (u_short)i; fp->fr_icmpm = (u_short)0xffff; (*cp)++; return 0; } + fprintf(stderr, "%d: Invalid icmp code (%s) specified\n", + linenum, **cp); return -1; } 
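Review bot: The optprint() signature change from two `u_short` values to a `u_short *sec` array is undocumented; with the `#ifdef __STDC__` prototype / K&R definition pair visible here the likely motive is a default-argument-promotion mismatch for `u_short` parameters, but a reader will not guess that from the code. Add above the function `/* sec[0] is the security mask, sec[1] the security bits; passed as an array rather than two u_short arguments -- TODO confirm this was to avoid the K&R/ANSI promotion mismatch */`. The addicmp changes below correctly bound both type and code to 0..255 via ratoi. optprint() and addicmp() both continue outside these hunks.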
@@ -1044,8 +1199,12 @@ char *str; if (!(s = strrchr(str, ')'))) return -1; *s = '\0'; - if (isdigit(*str)) - return atoi(str); + if (isdigit(*str)) { + if (!ratoi(str, &i, 0, 255)) + return -1; + else + return i; + } len = strlen(str); for (i = 0; icmpcodes[i]; i++) if (!strncasecmp(str, icmpcodes[i], MIN(len, @@ -1058,20 +1217,22 @@ char *str; /* * set the icmp field to the correct type if "icmp" word is found */ -int addkeep(cp, fp) +int addkeep(cp, fp, linenum) char ***cp; struct frentry *fp; +int linenum; { if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP && fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) { - (void)fprintf(stderr, "Can only use keep with UDP/ICMP/TCP\n"); + fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n", + linenum); return -1; } (*cp)++; if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) { - (void)fprintf(stderr, "Unrecognised state keyword \"%s\"\n", - **cp); + fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n", + linenum, **cp); return -1; } @@ -1121,17 +1282,17 @@ int pr, port; struct servent *sv = NULL, *sv1 = NULL; if (pr == -1) { - if ((sv = getservbyport(port, "tcp"))) { + if ((sv = getservbyport(htons(port), "tcp"))) { strncpy(buf, sv->s_name, sizeof(buf)-1); buf[sizeof(buf)-1] = '\0'; - sv1 = getservbyport(port, "udp"); + sv1 = getservbyport(htons(port), "udp"); sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? NULL : sv1; } if (sv) return buf; } else if (pr && (p = getprotobynumber(pr))) { - if ((sv = getservbyport(port, p->p_name))) { + if ((sv = getservbyport(htons(port), p->p_name))) { strncpy(buf, sv->s_name, sizeof(buf)-1); buf[sizeof(buf)-1] = '\0'; return buf; 
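Review bot: The byte-order fix in portname() is right, but the line beside it never compares what it appears to mean to: `sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? NULL : sv1;` compares `buf`, which was just copied from `sv->s_name`, against that same string, so it is always equal and `sv` simply becomes `sv1`; the tcp/udp name agreement the code seems to want needs `sv = (sv1 && !strcasecmp(buf, sv1->s_name)) ? sv1 : NULL;`. As written a port whose udp service has a different name still prints the tcp name under `proto tcp/udp`, which is only cosmetic but misleading in rule listings. portname() starts and ends outside the hunk.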
@@ -1153,143 +1314,164 @@ struct frentry *fp; "<>", "><"}; struct protoent *p; int ones = 0, pr; - char *s; + char *s, *u; u_char *t; + u_short sec[2]; if (fp->fr_flags & FR_PASS) - (void)printf("pass"); + printf("pass"); else if (fp->fr_flags & FR_BLOCK) { - (void)printf("block"); + printf("block"); if (fp->fr_flags & FR_RETICMP) { - (void)printf(" return-icmp"); - if (fp->fr_icode) + if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP) + printf(" return-icmp-as-dest"); + else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP) + printf(" return-icmp"); + if (fp->fr_icode) { if (fp->fr_icode <= MAX_ICMPCODE) printf("(%s)", icmpcodes[(int)fp->fr_icode]); else printf("(%d)", fp->fr_icode); - } - if (fp->fr_flags & FR_RETRST) - (void)printf(" return-rst"); + } + } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) + printf(" return-rst"); } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { - (void)printf("log"); + printf("log"); if (fp->fr_flags & FR_LOGBODY) - (void)printf(" body"); + printf(" body"); if (fp->fr_flags & FR_LOGFIRST) - (void)printf(" first"); + printf(" first"); } else if (fp->fr_flags & FR_ACCOUNT) - (void)printf("count"); + printf("count"); else if (fp->fr_flags & FR_AUTH) - (void)printf("auth"); + printf("auth"); else if (fp->fr_flags & FR_PREAUTH) - (void)printf("preauth"); + printf("preauth"); else if (fp->fr_skip) - (void)printf("skip %d", fp->fr_skip); + printf("skip %hu", fp->fr_skip); if (fp->fr_flags & FR_OUTQUE) - (void)printf(" out "); + printf(" out "); else - (void)printf(" in "); + printf(" in "); if (((fp->fr_flags & FR_LOGB) == FR_LOGB) || ((fp->fr_flags & FR_LOGP) == FR_LOGP)) { - (void)printf("log "); + printf("log "); if (fp->fr_flags & FR_LOGBODY) - (void)printf("body "); + printf("body "); if (fp->fr_flags & FR_LOGFIRST) - (void)printf("first "); + printf("first "); if (fp->fr_flags & FR_LOGORBLOCK) - (void)printf("or-block "); + printf("or-block "); + if (fp->fr_loglevel != 0xffff) { + if (fp->fr_loglevel & LOG_FACMASK) { + s = 
fac_toname(fp->fr_loglevel); + if (s == NULL) + s = "!!!"; + } else + s = ""; + u = pri_toname(fp->fr_loglevel); + if (u == NULL) + u = "!!!"; + if (*s) + printf("%s.%s ", s, u); + else + printf("%s ", u); + } + } if (fp->fr_flags & FR_QUICK) - (void)printf("quick "); + printf("quick "); if (*fp->fr_ifname) { - (void)printf("on %s%s ", fp->fr_ifname, + printf("on %s%s ", fp->fr_ifname, (fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)"); if (*fp->fr_dif.fd_ifname) print_toif("dup-to", &fp->fr_dif); if (*fp->fr_tif.fd_ifname) print_toif("to", &fp->fr_tif); if (fp->fr_flags & FR_FASTROUTE) - (void)printf("fastroute "); + printf("fastroute "); } if (fp->fr_mip.fi_tos) - (void)printf("tos %#x ", fp->fr_tos); + printf("tos %#x ", fp->fr_tos); if (fp->fr_mip.fi_ttl) - (void)printf("ttl %d ", fp->fr_ttl); + printf("ttl %d ", fp->fr_ttl); if (fp->fr_ip.fi_fl & FI_TCPUDP) { - (void)printf("proto tcp/udp "); + printf("proto tcp/udp "); pr = -1; } else if ((pr = fp->fr_mip.fi_p)) { if ((p = getprotobynumber(fp->fr_proto))) - (void)printf("proto %s ", p->p_name); + printf("proto %s ", p->p_name); else - (void)printf("proto %d ", fp->fr_proto); + printf("proto %d ", fp->fr_proto); } printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" 
: ""); - if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr) - (void)printf("any "); + if (!fp->fr_src.s_addr && !fp->fr_smsk.s_addr) + printf("any "); else { - (void)printf("%s", inet_ntoa(fp->fr_src)); + printf("%s", inet_ntoa(fp->fr_src)); if ((ones = countbits(fp->fr_smsk.s_addr)) == -1) - (void)printf("/%s ", inet_ntoa(fp->fr_smsk)); + printf("/%s ", inet_ntoa(fp->fr_smsk)); else - (void)printf("/%d ", ones); + printf("/%d ", ones); } - if (fp->fr_scmp) + if (fp->fr_scmp) { if (fp->fr_scmp == FR_INRANGE || fp->fr_scmp == FR_OUTRANGE) - (void)printf("port %d %s %d ", fp->fr_sport, + printf("port %d %s %d ", fp->fr_sport, pcmp1[fp->fr_scmp], fp->fr_stop); else - (void)printf("port %s %s ", pcmp1[fp->fr_scmp], + printf("port %s %s ", pcmp1[fp->fr_scmp], portname(pr, fp->fr_sport)); + } printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); - if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr) - (void)printf("any"); + if (!fp->fr_dst.s_addr && !fp->fr_dmsk.s_addr) + printf("any"); else { - (void)printf("%s", inet_ntoa(fp->fr_dst)); + printf("%s", inet_ntoa(fp->fr_dst)); if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1) - (void)printf("/%s", inet_ntoa(fp->fr_dmsk)); + printf("/%s", inet_ntoa(fp->fr_dmsk)); else - (void)printf("/%d", ones); + printf("/%d", ones); } if (fp->fr_dcmp) { if (fp->fr_dcmp == FR_INRANGE || fp->fr_dcmp == FR_OUTRANGE) - (void)printf(" port %d %s %d", fp->fr_dport, + printf(" port %d %s %d", fp->fr_dport, pcmp1[fp->fr_dcmp], fp->fr_dtop); else - (void)printf(" port %s %s", pcmp1[fp->fr_dcmp], + printf(" port %s %s", pcmp1[fp->fr_dcmp], portname(pr, fp->fr_dport)); } if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) || (fp->fr_mip.fi_fl & ~FI_TCPUDP) || fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) { - (void)printf(" with"); + printf(" with"); if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || - fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) - optprint(fp->fr_mip.fi_secmsk, - fp->fr_ip.fi_secmsk, - fp->fr_mip.fi_optmsk, - 
fp->fr_ip.fi_optmsk); - else if (fp->fr_mip.fi_fl & FI_OPTIONS) { + fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) { + sec[0] = fp->fr_mip.fi_secmsk; + sec[1] = fp->fr_ip.fi_secmsk; + optprint(sec, + fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk); + } else if (fp->fr_mip.fi_fl & FI_OPTIONS) { if (!(fp->fr_ip.fi_fl & FI_OPTIONS)) - (void)printf(" not"); - (void)printf(" ipopt"); + printf(" not"); + printf(" ipopt"); } if (fp->fr_mip.fi_fl & FI_SHORT) { if (!(fp->fr_ip.fi_fl & FI_SHORT)) - (void)printf(" not"); - (void)printf(" short"); + printf(" not"); + printf(" short"); } if (fp->fr_mip.fi_fl & FI_FRAG) { if (!(fp->fr_ip.fi_fl & FI_FRAG)) - (void)printf(" not"); - (void)printf(" frag"); + printf(" not"); + printf(" frag"); } } if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) { @@ -1300,14 +1482,14 @@ struct frentry *fp; type /= 256; if (type < (sizeof(icmptypes) / sizeof(char *)) && icmptypes[type]) - (void)printf(" icmp-type %s", icmptypes[type]); + printf(" icmp-type %s", icmptypes[type]); else - (void)printf(" icmp-type %d", type); + printf(" icmp-type %d", type); if (code) - (void)printf(" code %d", code); + printf(" code %d", code); } if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) { - (void)printf(" flags "); + printf(" flags "); for (s = flagset, t = flags; *s; s++, t++) if (fp->fr_tcpf & *t) (void)putchar(*s); @@ -1338,12 +1520,27 @@ struct frentry *fp; for (s = (u_char *)fp; i; i--, s++) { j++; - (void)printf("%02x ",*s); + printf("%02x ", *s); if (j == 16) { - (void)printf("\n"); + printf("\n"); j = 0; } } putchar('\n'); (void)fflush(stdout); } + + +int ratoi(ps, pi, min, max) +char *ps; +int *pi, min, max; +{ + int i; + char *pe; + + i = (int)strtol(ps, &pe, 0); + if (*pe != '\0' || i < min || i > max) + return 0; + *pi = i; + return 1; +} diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h index b76a2f0..8025bc6 100644 --- a/contrib/ipfilter/pcap.h +++ b/contrib/ipfilter/pcap.h 
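Review bot: The new ratoi() helper narrows before it range-checks: `i = (int)strtol(ps, &pe, 0);` truncates on LP64 targets, so `ratoi("4294967296", &i, 0, 255)` stores 0 and reports success, and it also accepts the empty string (strtol yields 0 with `pe == ps`, and `*pe == '\0'` passes) — which matters because the ttl, head and group callers use it without an `isdigit()` pre-check. Keep the value as `long l` and test the end pointer: `l = strtol(ps, &pe, 0); if (pe == ps || *pe != '\0' || l < min || l > max) return 0; *pi = (int)l;`. A short header comment would also help, since base 0 makes `010` octal and `0x50` hex: `/* Parse ps as a C-style integer literal (base 0: 0x.. hex, leading 0 octal) and store it in *pi if it lies in [min,max]; returns 1 on success, 0 otherwise. */`. The `!fp->fr_src.s_addr && !fp->fr_smsk.s_addr` correction in the printfr hunk above (previously `&`) is right.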
@@ -1,10 +1,10 @@
 /*
- * Copyright (C) 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1998 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
  * to the original author and the contributors.
- * $Id: pcap.h,v 2.0.2.4 1997/09/28 07:12:10 darrenr Exp $
+ * $Id: pcap.h,v 2.1 1999/08/04 17:30:17 darrenr Exp $
  */
 /*
  * This header file is constructed to match the version described by
diff --git a/contrib/ipfilter/perl/Ipfanaly.pl b/contrib/ipfilter/perl/Ipfanaly.pl
new file mode 100644
index 0000000..0fa7c17
--- /dev/null
+++ b/contrib/ipfilter/perl/Ipfanaly.pl
@@ -0,0 +1,639 @@ +#!/usr/local/bin/perl +# (C) Copyright 1998 Ivan S. Bishop (isb@notoryus.genmagic.com) +# +############### START SUBROUTINE DECLARATIONS ########### + + +sub usage { + print "\n" x 24; + print "USAGE: ipfanalyze.pl -h [-p port# or all] [-g] [-s] [-v] [-o] portnum -t [target ip address] [-f] logfilename\n"; + print "\n arguments to -p -f -o REQUIRED\n"; + print "\n -h show this help\n"; + print "\n -p limit stats/study to this port number.(eg 25 not smtp)\n"; + print " -g make graphs, one per 4 hour interval called outN.gif 1<=N<=5\n"; + print " -s make security report only (no graphical or full port info generated) \n"; + print " -o lowest port number incoming traffic can talk to and be regarded as safe\n"; + print " -v verbose report with graphs and textual AND SECURITY REPORTS with -o 1024 set\n"; + print " -t the ip address of the inerface on which you collected data!\n"; + print " -f name ipfilter log file (compatible with V 3.2.9) [ipfilter.log]\n"; + print " \nExample: ./ipfanalyze.pl -p all -g -f log1\n"; + print "Will look at traffic to/from all ports and make graphs from file log1\n"; + print " \nExample2 ./ipfanalyze.pl -p 25 -g -f log2\n"; + print "Will look at SMTP traffic and make graphs from file log2\n"; + print " \nExample3 ./ipfanalyze.pl -p all -g -f log3 -o 1024\n"; + print "Will look at all traffic,make graphs from file log3 and log security info for anthing talking inwards below port 1024\n"; + print " \nExample4 ./ipfanalyze.pl -p all -f log3 -v \n"; + print "Report the works.....when ports below 1024 are contacted highlight (like -s -o 1024)\n"; +} + + + + +sub makegifs { +local ($maxin,$maxout,$lookat,$xmax)=@_; +$YMAX=$maxin; +$XMAX=$xmax; + +if ($maxout > $maxin) + { $YMAX=$maxout;} + +($dateis,$junk)=split " " , @recs[0]; +($dayis,$monthis,$yearis)=split "/",$dateis; +$month=$months{$monthis}; +$dateis="$dayis " . "$month " . 
"$yearis "; +# split graphs in to 6 four hour spans for 24 hours +$numgraphs=int($XMAX/240); + +$junk=0; +$junk=$XMAX - 240*($numgraphs); +if($junk gt 0 ) +{ +$numgraphs++; +} + +$cnt1=0; +$end=0; +$loop=0; + +while ($cnt1++ < $numgraphs) +{ + $filename1="in$cnt1.dat"; + $filename2="out$cnt1.dat"; + $filename3="graph$cnt1.conf"; + open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n"; + open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n"; + + $loop=$end; + $end=($end + 240); + +# write all files as x time coord from 1 to 240 minutes +# set hour in graph via conf file + $arraycnt=0; + while ($loop++ < $end ) + { + $arraycnt++; + $val1=""; + $val2=""; + $val1=$inwards[$loop] [1]; + if($val1 eq "") + {$val1=0}; + $val2=$outwards[$loop] [1]; + if($val2 eq "") + {$val2=0}; + print INDATA "$arraycnt:$val1\n"; + print OUTDATA "$arraycnt:$val2\n"; + } + close INDATA; + close OUTDATA; + $gnum=($cnt1 - 1); + open(INCONFIG,"> $filename3") || die "Couldnt open ./graph.conf for writing \n"; + print INCONFIG "NUMBERYCELLGRIDSIZE:5\n"; + print INCONFIG "MAXYVALUE:$YMAX\n"; + print INCONFIG "MINYVALUE:0\n"; + print INCONFIG "XCELLGRIDSIZE:1.3\n"; + print INCONFIG "XMAX: 240\n"; + print INCONFIG "Bar:0\n"; + print INCONFIG "Average:0\n"; + print INCONFIG "Graphnum:$gnum\n"; + print INCONFIG "Title: port $lookat packets/minute to/from gatekeep on $dateis \n"; + print INCONFIG "Transparent:no\n"; + print INCONFIG "Rbgcolour:0\n"; + print INCONFIG "Gbgcolour:255\n"; + print INCONFIG "Bbgcolour:255\n"; + print INCONFIG "Rfgcolour:0\n"; + print INCONFIG "Gfgcolour:0\n"; + print INCONFIG "Bfgcolour:0\n"; + print INCONFIG "Rcolour:0\n"; + print INCONFIG "Gcolour:0\n"; + print INCONFIG "Bcolour:255\n"; + print INCONFIG "Racolour:255\n"; + print INCONFIG "Gacolour:255\n"; + print INCONFIG "Bacolour:0\n"; + print INCONFIG "Rincolour:100\n"; + print INCONFIG "Gincolour:100\n"; + print INCONFIG "Bincolour:60\n"; + print INCONFIG "Routcolour:60\n"; 
+ print INCONFIG "Goutcolour:100\n"; + print INCONFIG "Boutcolour:100\n"; + close INCONFIG; + +} + + +$cnt1=0; +while ($cnt1++ < $numgraphs) +{ + $filename1="in$cnt1.dat"; + $out="out$cnt1.gif"; + $filename2="out$cnt1.dat"; + $filename3="graph$cnt1.conf"; + system( "cp ./$filename1 ./in.dat; + cp ./$filename2 ./out.dat; + cp ./$filename3 ./graph.conf"); + system( "./isbgraph -conf graph.conf;mv graphmaker.gif $out"); + system(" cp $out /isb/local/etc/httpd/htdocs/."); + +} + +} # end of subroutine make gifs + + + + +sub packbytime { +local ($xmax)=@_; +$XMAX=$xmax; +# pass in the dest port number or get graph for all packets +# at 1 minute intervals +# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76 +# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62 +# +# dont uses hashes to store how many packets per minite as they +# return random x coordinate order +@inwards=(); +@outwards=(); +$cnt=-1; +$value5=0; +$maxin=0; +$maxout=0; +$xpos=0; +while ($cnt++ <= $#recs ) + { + ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$cnt]; + $bit=substr(@recs[$cnt],11); + ($bit,$junkit)= split " " , $bit ; + ($hour,$minute,$sec,$junk) = split ":", $bit; +# +# covert the time to decimal minutes and bucket to nearest minute +# + $xpos=($hour * 3600) + ($minute * 60) + ($sec) ; +# xpos is number of seconds since 00:00:00 on day...... 
+ $xpos=int($xpos / 60); +# if we just want to see all packet in/out activity + if("$lookat" eq "all") + { + if("$destip" eq "$gatekeep") + { +# TO GATEKEEP port lookat +# print "to gatekeep at $xpos\n"; + $value5=$inwards[$xpos] [1]; + $value5++ ; +# $maxin = $value5 if $maxin < $value5 ; + + if($value5 > $maxin) + { + $maxin=$value5; + $timemaxin="$hour:$minute"; + } + $inwards[$xpos][1]=$value5; + } + else + { +# FROM GATEKEEP to port lookat +# print "from gatekeep at $xpos\n"; + $value4=$outwards[$xpos] [1]; + $value4++ ; +# $maxout = $value4 if $maxout < $value4 ; + if($value4 > $maxout) + { + $maxout=$value4; + $timemaxout="$hour:$minute"; + } + + $outwards[$xpos][1]=$value4; + } + } + + + + + if("$destport" eq "$lookat") + { + if("$destip" eq "$gatekeep") + { +# TO GATEKEEP port lookat +# print "to gatekeep at $xpos\n"; + $value5=$inwards[$xpos] [1]; + $value5++ ; + $maxin = $value5 if $maxin < $value5 ; + $inwards[$xpos][1]=$value5; + } + else + { +# FROM GATEKEEP to port lookat +# print "from gatekeep at $xpos\n"; + $value4=$outwards[$xpos] [1]; + $value4++ ; + $maxout = $value4 if $maxout < $value4 ; + $outwards[$xpos][1]=$value4; + } + } + } # end while + +# now call gif making stuff +if("$opt_g" eq "1") +{ + print "Making plots of in files outN.gif\n";; + makegifs($maxin,$maxout,$lookat,$#inwards); +} +if ("$timemaxin" ne "") +{print "\nTime of peak packets/minute in was $timemaxin\n";} +if ("$timemaxout" ne "") +{print "\nTime of peak packets/minute OUT was $timemaxout\n";} + +} # end of subroutine packets by time + + + + + +sub posbadones { + +$safenam=""; +@dummy=$saferports; +foreach $it (split " ",$saferports) { +if ($it eq "icmp" ) + { + $safenam = $safenam . " icmp"; + } +else + { + $safenam = $safenam . 
" $services{$it}" ; + } + +} +print "\n\n########################################################################\n"; +print "well known ports are 0->1023\n"; +print "Registered ports are 1024->49151\n"; +print "Dynamic/Private ports are 49152->65535\n\n"; +print "Sites that contacted gatekeep on 'less safe' ports (<$ITRUSTABOVE)\n"; + +print " 'safe' ports are $safenam \n"; +print "\n variables saferports and safehosts hardwire what/who we trust\n"; +print "########################################################################\n"; + +$loop=-1; +while ($loop++ <= $#recs ) + { + ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop]; + if ("$destip" eq "$gatekeep") + { + if ($destport < $ITRUSTABOVE ) + { +# if index not found (ie < 0) then we have a low port attach to gatekeep +# that is not to a safer port (see top of this file) +# ie no ports 25 (smtp), 53 (dns) , 113 (ident), 123 (ntp), icmp + $where=index($saferports,$destport); + if ($where < 0) + { + $nameis=$services{$destport}; + if ("$nameis" eq "" ) + { + $nameis=$destport; + } + print " Warning: $srcip contacted gatekeep $nameis\n"; + } + } + } + } +print "\n\n"; +} # end of subroutine posbadones + + + + +sub toobusy_site { +$percsafe=1; +print "\n\n########################################################################\n"; +print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking/probing\n"; +print "Trusted hosts are $safehosts\n"; +print "\nTOTAL packets were $#recs \n"; +print "########################################################################\n"; +while(($ipadd,$numpacketsent)=each %numpacks) +{ +$perc=$numpacketsent/$#recs*100; +if ($perc > $percsafe) +# dont believe safehosts are attacking! + { + $where=index($safehosts,$ipadd); +# if not found (ie < 0 then the source host IP address +# isn't in the saferhosts list, a list we trust...... 
+ if ($where < 0 ) + { + printf "$ipadd sent %4.1f (\045) of all packets to gatekeep\n",$perc; + } + } +} + +print "\n\n"; +} # end of subroutine toobusy_site + + +############### END SUBROUTINE DECLARATIONS ########### + +use Getopt::Std; + +getopt('pfot'); + +if("$opt_t" eq "0") + {usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n"; +exit; +} + +if("$opt_h" eq "1") + {usage;exit 0}; +if("$opt_H" eq "1") + {usage;exit 0}; + +if("$opt_v" eq "1") +{ +$ITRUSTABOVE=1024; +$opt_s=1; +$opt_o=$ITRUSTABOVE; +print "\n" x 5; +print "NOTE: when the final section of the verbose report is generated\n"; +print " every host IP address that contacted $gatekeep has \n"; +print " a tally of how many times packets from a particular port on that host\n"; +print " reached $gatekeep, and WHICH source port or source portname \n"; +print " these packets originated from.\n"; +print " Many non RFC obeying boxes do not use high ports and respond to requests from\n"; +print " $gatekeep using reserved low ports... hence you'll see things like\n"; +print " #### with 207.50.191.60 as the the source for packets ####\n"; +print " 1 connections from topx to gatekeep\n\n\n\n"; + +} + +if("$opt_o" eq "") + {usage;print "\n---->ERROR: Must specify lowest safe port name for incoming trafic\n";exit 0} +else +{ +$ITRUSTABOVE=$opt_o;$opt_s=1;} + +if("$opt_f" eq "") + {usage;print "\n---->ERROR: Must specify filename with -f \n";exit 0}; +$FILENAME=$opt_f; + +if("$opt_p" eq "") + {usage;print "\n---->ERROR: Must specify port number or 'all' with -p \n";exit 0}; + +# -p arg must be all or AN INTEGER in range 1<=N<=64K +if ("$opt_p" ne "all") + { + $_=$opt_p; + unless (/^[+-]?\d+$/) + { + usage; + print "\n---->ERROR: Must specify port number (1-64K) or 'all' with -p \n"; + exit 0; + } + } + + +# if we get here then the port option is either 'all' or an integer... +# good enough..... 
+$lookat=$opt_p; + +# -o arg must be all or AN INTEGER in range 1<=N<=64K + $_=$opt_o; + unless (/^[+-]?\d+$/) + { + usage; + print "\n---->ERROR: Must specify port number (1-64K) with -o \n"; + exit 0; + } + + +#--------------------------------------------------------------------- + + +%danger=(); +%numpacks=(); + +$saferports="25 53 113 123 icmp"; +$gatekeep="192.216.16.2"; +#genmagic is 192.216.25.254 +$safehosts="$gatekeep 192.216.25.254"; + + + +# load hash with service numbers versus names + +# hash called $services +print "Creating hash of service names / numbers \n"; +$SERV="./services"; +open (INFILE, $SERV) || die "Cant open $SERV: $!n"; +while(<INFILE>) +{ + ($servnum,$servname,$junk)=split(/ /,$_); +# chop off null trailing..... + $servname =~ s/\n$//; + $services{$servnum}=$servname; +} +print "Create hash of month numbers as month names\n"; +%months=("01","January","02","February","03","March","04","April","05","May","06","June","07","July","08","August","09","September","10","October","11","November","12","December"); + +print "Reading log file into an array\n"; +#$FILENAME="./ipfilter.log"; +open (REC, $FILENAME) || die "Cant open $FILENAME: \n"; +($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC; +print "Log file $FILENAME is $size bytes in size\n"; +#each record is an element of array rec[] now +while(<REC>) + { + @recs[$numrec++]=$_; + } + + +# get list of UNIQUE source IP addresses now, records look like +# 192.216.25.254,62910 -> 192.216.16.2,113 PR tcp len 20 40 -R +# this is slow on big log files, about 1minute for every 2.5M log file +print "Making list of unique source IP addresses (1minute for every 2M log parsed)\n"; +$loop=-1; +$where=-1; +while ($loop++ < $#recs ) + { +# get the LHS = source IP address, need fiddle as icmp rcords are logged oddly + $bit=substr(@recs[$loop],39); + $bit =~ s/,/ /g; + ($sourceip,$junkit)= split " " , $bit ; + +# NOTE the . is the string concat command NOT + .......!!!! 
+ + $sourceip =~ split " ", $sourceip; + $where=index($allips,$sourceip); +# if not found (ie < 0, add it) + if ($where < 0 ) + { + $allips = $allips . "$sourceip " ; + } + } + +print "Put all unique ip addresses into a 1D array\n"; +@allips=split " ", $allips; + +#set loop back to -1 as first array element in recs is element 0 NOT 1 !! +print "Making compact array of logged entries\n"; +$loop=-1; +$icmp=" icmp "; +$ptr=" -> "; +$lenst=" len "; +$numpackets=0; + +while ($loop++ < $#recs ) + { +# this prints from 39 char to EOR + $a=substr(@recs[$loop],39); + ($srcip,$dummy,$destip,$dummy2,$dummy3,$dummy4,$lenicmp)= split " " , $a ; +# need to rewrite icmp ping records.... they dont have service numbers + $whereicmp=index($a,"PR icmp"); + if($whereicmp > 0 ) + { + $a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ; + } + +# dump the "->" and commas from logging + $a =~ s/->//g; + $a =~ s/PR//g; + $a =~ s/,/ /g; +# shortrec has records that look like +# 209.24.1.217 123 192.216.16.2 123 udp len 20 76 + @shortrecs[$loop]= "$a"; + +# count number packets from each IP address into hash + ($srcip,$junk) = split " ","$a"; + $numpackets=$numpacks{"$srcip"}; + $numpackets++ ; + $numpacks{"$srcip"}=$numpackets; + +} + + + +# call sub to analyse packets by time +# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76 +# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62 +packbytime($XMAX); + +if("$opt_s" eq "1") +{ +# call subroutine to scan for connections to ports on gatekeep +# other than those listed in saferports, connections to high +# ports are assumed OK..... +posbadones; + +# call subroutine to print out which sites had sent more than +# a defined % of packets to gatekeep +toobusy_site; +} + + +# verbose reporting? 
+if ("$opt_v" eq "1") +{ +$cnt=-1; +# loop over ALL unique IP source destinations +while ($cnt++ < $#allips) +{ + %tally=(); + %unknownsrcports=(); + $uniqip=@allips[$cnt]; + $loop=-1; + $value=0; + $value1=0; + $value2=0; + $value3=0; + $set="N"; + + while ($loop++ < $#recs ) + { +# get src IP num, src port number, +# destination IP num, destnation port number,protocol + ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop]; +# loop over all records for the machine $uniqip +# NOTE THE STRINGS ARE COMPARED WITH eq NOT cmp and NOT = !!!! + if( "$uniqip" eq "$srcip") + { +# look up hash of service names to get key... IF ITS NOT THERE THEN WHAT??? +# its more than likely a request coming back in on a high port +# ....So... +# find out the destination port from the unknown (high) src port +# and tally these as they may be a port attack + if ("$srcport" eq "icmp") + { $srcportnam="icmp";} + else + { + $srcportnam=$services{$srcport}; + } +# try and get dest portname, if not there, leave it as the +# dest portnumber + if ("$destport" eq "icmp") + { $destportnam="icmp";} + else + { + $destportnam=$services{$destport}; + } + + if ($destportnam eq "") + { + $destportnam=$destport; + } + + if ($srcportnam eq "") + { +# increment number of times a (high)/unknown port has gone to destport + $value1=$unknownsrcports{$destportnam}; + $value1++ ; + $unknownsrcports{$destportnam}=$value1; + } + else + { +# want tally(srcport) counter to be increased by 1 + $value3=$tally{$srcportnam}; + $value3++ ; + $tally{$srcportnam}=$value3; + } + } + + + } +# end of loop over ALL IP's + +if ($set eq "N") +{ +$set="Y"; + +print "\n#### with $uniqip as the the source for packets ####\n"; +while(($key,$value)=each %tally) + { + if (not "$uniqip" eq "$gatekeep") + { + print "$value connections from $key to gatekeep\n"; + } + else + { + print "$value connections from gatekeep to $key\n"; + } + } + + + +while(($key2,$value2)=each %unknownsrcports) + { + if (not "$uniqip" eq 
"$gatekeep") + { + print "$value2 high port connections to $key2 on gatekeep\n"; + } + else + { + print "$value2 high port connections to $key2 from gatekeep\n"; + } + } + +} +# print if rests for UNIQIP IF flag is set to N then toggle flag + +} # end of all IPs loop +} # end of if verbose option set block + + + diff --git a/contrib/ipfilter/perl/Isbgraph b/contrib/ipfilter/perl/Isbgraph new file mode 100644 index 0000000..c68b672 --- /dev/null +++ b/contrib/ipfilter/perl/Isbgraph 
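Review bot: The membership tests in `posbadones`, `toobusy_site` and the unique-IP pass are substring searches and so misclassify: `index($saferports,$destport)` with `$saferports="25 53 113 123 icmp"` reports a hit for destination ports 1, 2, 3, 5, 11, 12, 13 and 23 as well as the intended ones (e.g. "23" is found inside "123"), which suppresses the low-port warning for exactly the ports the report exists to flag, and `index($safehosts,$ipadd)` / `index($allips,$sourceip)` likewise treat an address as trusted or already seen whenever it is a prefix or suffix of one that is. Exact matching is a one-line change per site: build `my %safeport = map { $_ => 1 } split " ", $saferports;` once and test `unless ($safeport{$destport})`, and use a hash the same way for `$safehosts` and for the unique-IP list, which should also remove the slow scan the "1minute for every 2M" comment warns about. Separately, `-t` is documented as the interface address but `$opt_t` is never used after the `eq "0"` check (which cannot fire when the flag is absent, since `getopt` leaves it undefined), so `$gatekeep` stays hard-coded to `192.216.16.2`; either add `$gatekeep=$opt_t if defined $opt_t;` before the analysis or drop the option from `usage`. The `open` calls on user-supplied paths (`$SERV`, `$FILENAME`) use the two-argument form; `open(REC, '<', $FILENAME)` ensures the argument is always treated as a plain filename.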
@@ -0,0 +1,297 @@ +#!/usr/local/bin/perl + +# isbgraph +# an example in not so hot perl programming.... +# based around GraphMaker from Fabrizio Pivari +# A graph maker perl script + +use GD; +use Getopt::Long; +$hr=0; + +sub main{ + +$opt_conf="./graphmaker.cnf"; + +@elem=("NUMBERYCELLGRIDSIZE","MAXYVALUE","MINYVALUE","XCELLGRIDSIZE","XMAX", + "Data","Graph","Bar","Average","Graphnum","Title","Transparent","Rbgcolour", + "Gbgcolour","Bbgcolour","Rfgcolour","Gfgcolour","Bfgcolour","Rcolour", + "Gcolour","Bcolour","Racolour","Gacolour","Bacolour"); + +%option=( + NUMBERYCELLGRIDSIZE => '8', + MAXYVALUE => '7748', + MINYVALUE => '6500', + XCELLGRIDSIZE => '18', + XMAX => '1000', + Data => './graphmaker.dat', + Graph => './graphmaker.gif', + Bar => '1', + Average => '1', + Graphnum => '1', + Title => 'GraphMaker 2.1', + Transparent => 'yes', + Rbgcolour => '255', + Gbgcolour => '255', + Bbgcolour => '255', + Rfgcolour => '0', + Gfgcolour => '0', + Bfgcolour => '0', + Rcolour => '0', + Gcolour => '0', + Bcolour => '255', + Racolour => '255', + Gacolour => '255', + Bacolour => '0'); + +&GetOptions("conf=s","help") || &printusage ; + + +if ($opt_help) {&printusage}; + +open (CNF, $opt_conf) || die; +while (<CNF>) { +s/\t/ /g; #replace tabs by space +next if /^\s*\#/; #ignore comment lines +next if /^\s*$/; #ignore empty lines +foreach $elem (@elem) + { + if (/\s*$elem\s*:\s*(.*)/) { $option{$elem}=$1; } + } +} +close(CNF); +######################################### +# +# +# +# number datapoints/24 hours is 1440 (minutes) +# +# Split into N graphs where each graph has max of 240 datapoints (4 hours) +# + +$barset=0; +$m=0; +$YGRIDSIZE = 400; +$YCELLGRIDSIZE = $YGRIDSIZE/$option{'NUMBERYCELLGRIDSIZE'}; +$XINIT = 30; +$XEND = 8; +$YINIT =20; +$YEND = 20; +#$XGRIDSIZE = ($option{'XMAX'}*$option{'XCELLGRIDSIZE'}); +#$XGRIDSIZE = (240*$option{'XCELLGRIDSIZE'}); +$XGRIDSIZE = 620; +$XGIF = $XGRIDSIZE + $XINIT + $XEND; +$XGRAPH = $XGRIDSIZE + $XINIT; +$YGIF = $YGRIDSIZE + $YEND 
+ $YINIT; +$YGRAPH = $YGRIDSIZE + $YINIT; +$RANGE=$option{'MAXYVALUE'}-$option{'MINYVALUE'}; +$SCALE=$YGRIDSIZE/$RANGE; + +# NEW IMAGE + $im=new GD::Image($XGIF,$YGIF); + +$white=$im->colorAllocate(255,255,255); +$black=$im->colorAllocate(0,0,0); +$pink=$im->colorAllocate(255,153,153); +$red=$im->colorAllocate(255,0,0); +$blue=$im->colorAllocate(0,0,255); +$green=$im->colorAllocate(0,192,51); +$orange=$im->colorAllocate(255,102,0); +$pink=$im->colorAllocate(255,153,153); +$teal=$im->colorAllocate(51,153,153); +# gif background is $bg + $bg=$white; + $fg=$blue; +# LINE COLOUR HELP BY VAR $colour + $colour=$red; + $acolour=$yellow; + # GRID + if ($option{'Transparent'} eq "yes") {$im->transparent($bg)}; + $im->filledRectangle(0,0,$XGIF,$YGIF,$bg); + +# Dot style +# vertical markers on Y axis grid + $im->setStyle($fg,$bg,$bg,$bg); + for $i (0..$option{'XMAX'}) + { + $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i; + # $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled); + $num = $i+1; + + use integer; + { + $posis=$num - ($num/60)*60; + } + if ($posis eq 0) + { + $outhr=0; + $hr=($hr + 1) ; + $outhr=$hr+$option{'Graphnum'}*4; +# shift minutes coords to correct stat hour! + $im->string(gdMediumBoldFont,$xspace-3,$YGRAPH,"$outhr",$fg); + } + + } # end of scan over X values (minutes) + + $YCELLVALUE=($option{'MAXYVALUE'}-$option{'MINYVALUE'})/$option{'NUMBERYCELLGRIDSIZE'}; + for $i (0..$option{'NUMBERYCELLGRIDSIZE'}) + { + $num=$option{'MINYVALUE'}+$YCELLVALUE*($option{'NUMBERYCELLGRIDSIZE'}-$i); + $im->string(gdMediumBoldFont,0,$YINIT+$YCELLGRIDSIZE*$i -6,"$num",$fg); + } + $im->string(gdSmallFont,$XGRIDSIZE/2-80,0,$option{'Title'},$fg); + + $odd_even = $option{'XCELLGRIDSIZE'}%2; + #odd + if ($odd_even eq 1) {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;} + else {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;} + +# start reading data +# open (DATA,$option{'Data'}) || die "cant open $option{'Data'}"; +# nextdata becomes Y on reading of second data set.... 
+$nextdata="N"; +@datafiles=("./in.dat" , "./out.dat" ); + foreach ( @datafiles ) +{ + $m=0; + $count=0; + $i=0; + $fname=$_; + + print "fname $fname\n"; +# change entry for red in colour table to green for packets LEAVING target host + + open (DATA,$_) || die "cant open $_"; + print "$nextdata nextdata\n"; + while (<DATA>) + { + /(.*):(.*)/; + if ($option{'Average'} eq 1) {$m+=$2;$i++;} + if ($count eq 0){$XOLD=$1;$YOLD=$2;$count=1;next} + $X=$1; $Y=$2; +# +($X-1) are the pixel of the line + $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*($X-1) +($X-1); + $xspaceold= $XINIT+$option{'XCELLGRIDSIZE'}*($XOLD-1) +($XOLD-1); + $yspace= $YGRAPH-($Y-$option{'MINYVALUE'})*$SCALE; + $yspaceold= $YGRAPH-($YOLD-$option{'MINYVALUE'})*$SCALE; + $barset=$option{'Bar'}; + if ($barset eq 0) + { + + if($nextdata eq "Y") + { + + #$im->line($XINIT,$YGRAPH,$X,$Y,$orange); + $im->line($xspaceold,$yspaceold,$xspace,$yspace,$green); + } + else + { + $im->line($xspaceold,$yspaceold,$xspace,$yspace,$red); + } + } + else + { + if ($1 eq 2) + { + $im->filledRectangle($xspaceold,$yspaceold, + $xspaceold+$middle,$YGRAPH,$colour); + $im->rectangle($xspaceold,$yspaceold, + $xspaceold+$middle,$YGRAPH,$fg); + } + else + { + $im->filledRectangle($xspaceold-$middle,$yspaceold, + $xspaceold+$middle,$YGRAPH,$colour); + $im->rectangle($xspaceold-$middle,$yspaceold, + $xspaceold+$middle,$YGRAPH,$fg); + } + } + $XOLD=$X; $YOLD=$Y; + + } # end of while DATA loop + + $im->line(500,40,530,40,$red); + $im->line(500,60,530,60,$green); + $im->string(gdSmallFont,535,35,"Packets IN",$fg); + $im->string(gdSmallFont,535,55,"Packets OUT",$fg); + + if ($option{'Bar'} ne 0) + { + if ($X eq $option{'XMAX'}) + { + $im->filledRectangle($xspace-$middle,$yspace, + $xspace,$YGRAPH,$colour); + $im->rectangle($xspace-$middle,$yspace, + $xspace,$YGRAPH,$fg); + } + else + { + $im->filledRectangle($xspace-$middle,$yspace, + $xspace+$middle,$YGRAPH,$colour); + $im->rectangle($xspace-$middle,$yspace, + $xspace+$middle,$YGRAPH,$fg); + 
} + } + close (DATA); + + + $nextdata="Y"; +# TOP LEFT is 0,0 on GIF (image) +# origin of plot is xinit,yinit + # print "little line\n"; + $im->line($xspace,$yspace,$xspace,$YGRAPH,$blue); + $im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue); +# (0,0) in cartesian space time=0 minutes, rate 0 packets/s + $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$blue); + $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$green); + +} # close foreach loop on data file names + + + + + if ($option{'Average'} eq 1) + { + # Line style + $im->setStyle($acolour,$acolour,$acolour,$acolour,$bg,$bg,$bg,$bg); + $m=$m/$i; + $ym=$YGRAPH-($m-$option{'MINYVALUE'})*$SCALE; + $im->line($XINIT,$ym,$XGRAPH,$ym,gdStyled) + } + $im->line($XINIT,$YINIT,$XINIT,$YGRAPH,$fg); + $im->line($XINIT,$YINIT,$XGRAPH,$YINIT,$fg); + $im->line($XGRAPH,$YINIT,$XGRAPH,$YGRAPH,$fg); + $im->line($XINIT,$YGRAPH,$XGRAPH,$YGRAPH,$fg); + + $im->string(gdSmallFont,$XGIF-335,$YGIF - 12,"Time of Day (hours)",$fg); + open (GRAPH,">$option{'Graph'}") || die "Error: Grafico.gif - $!\n"; + print GRAPH $im -> gif; + close (GRAPH); + + + + +} # end of subroutine main + +main; +exit(0); + +sub printusage { + print <<USAGEDESC; + +usage: + graphmaker [-options ...] + +where options include: + -help print out this message + -conf file the configuration file (default graphmaker.cnf) + +If you want to know more about this tool, you might want +to read the docs. They came together with graphmaker! + +Home: http://www.geocities.com/CapeCanaveral/Lab/3469/graphmaker.html + +USAGEDESC + exit(1); +} + diff --git a/contrib/ipfilter/perl/LICENSE b/contrib/ipfilter/perl/LICENSE new file mode 100644 index 0000000..4ae42df --- /dev/null +++ b/contrib/ipfilter/perl/LICENSE 
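Review bot: `open (CNF, $opt_conf) || die;` aborts with only the bare "Died at ..." message, so a missing or unreadable config file gives no hint which path was tried; use the three-argument form with a message, `open(CNF, '<', $opt_conf) || die "cant open $opt_conf: $!\n";`, matching the `die "cant open $_"` used for the data files. `$acolour=$yellow;` refers to a colour that is never allocated (the `colorAllocate` calls define white, black, pink, red, blue, green, orange and teal), so the `Average` line is drawn with an undefined colour index; either add `$yellow=$im->colorAllocate(255,255,0);` or use the `Racolour`/`Gacolour`/`Bacolour` values, which are read into `%option` but never used — the same holds for the `Rcolour`/`Gcolour`/`Bcolour` and `*bgcolour`/`*fgcolour` keys, since `$bg`, `$fg` and `$colour` are hard-coded. With `Average` set to 1 and an empty data file, `$m=$m/$i` divides by zero; `if ($option{'Average'} eq 1 && $i)` avoids the crash.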
@@ -0,0 +1,6 @@
+These shell scripts are provided "as is" by Ivan S. Bishop and any
+express or implied warranties, including, but not limited to, the
+implied warranties of merchantability and fitness for a particular
+purpose are disclaimed.
+
+Permission has been granted for their redistribution within this package.
diff --git a/contrib/ipfilter/perl/Services b/contrib/ipfilter/perl/Services
new file mode 100644
index 0000000..4649727
--- /dev/null
+++ b/contrib/ipfilter/perl/Services
@@ -0,0 +1,2146 @@ +1 tcpmux TCPPortServiceMultiplexer +3 compressnet CompressionProcess +5 rje RemoteJobEntry +7 echo +9 discard +11 systat +13 daytime +15 netstat +17 qotd QuoteoftheDay +18 msp MessageSendProtocol +19 chargen +20 ftp-data +21 ftp +22 ssh SSHRemoteLoginProtocol +23 telnet +25 smtp +27 nsw-fe NSWUserSystemFE +29 msg-icp MSGICP +31 msg-auth MSGAuthentication +33 dsp DisplaySupportProtocol +37 time Time +38 rap RouteAccessProtocol +39 rlp ResourceLocationProtocol +41 graphics Graphics +42 nameserver HostNameServer +43 whois +44 mpm-flags MPMFLAGSProtocol +45 mpm MessageProcessingModule[recv] +46 mpm-snd MPM[defaultsend] +47 ni-ftp NIFTP +48 auditd DigitalAuditDaemon +49 tacacs LoginHostProtocol(TACACS) +50 re-mail-ck RemoteMailCheckingProtocol +51 la-maint IMPLogicalAddressMaintenance +52 xns-time XNSTimeProtocol +53 domain DomainNameServer +54 xns-ch XNSClearinghouse +55 isi-gl ISIGraphicsLanguage +56 xns-auth XNSAuthentication +58 xns-mail XNSMail +61 ni-mail NIMAIL +62 acas ACAServices +63 whois++ whois++ +64 covia CommunicationsIntegrator(CI) +65 tacacs-ds TACACS-DatabaseService +66 sqlnet OracleSQL*NET +67 bootps BootstrapProtocolServer +68 bootpc BootstrapProtocolClient +69 tftp TrivialFileTransfer +70 gopher Gopher +71 netrjs-1 RemoteJobService +72 netrjs-2 RemoteJobService +73 netrjs-3 RemoteJobService +74 netrjs-4 RemoteJobService +76 deos DistributedExternalObjectStore +77 rje +78 vettcp vettcp +79 finger Finger +80 www-http WorldWideWebHTTP +81 hosts2-ns HOSTS2NameServer +82 xfer XFERUtility +83 mit-ml-dev MITMLDevice +84 ctf CommonTraceFacility +85 mit-ml-dev MITMLDevice +86 mfcobol MicroFocusCobol +87 link +88 kerberos Kerberos +89 su-mit-tg SU/MITTelnetGateway +90 dnsix DNSIXSecuritAttributeTokenMap +91 mit-dov MITDoverSpooler +92 npp NetworkPrintingProtocol +93 dcp DeviceControlProtocol +94 objcall TivoliObjectDispatcher +95 supdup SUPDUP +96 dixie DIXIEProtocolSpecification +97 swift-rvf SwiftRemoteVirturalFileProtocol +98 tacnews 
TACNews +99 metagram MetagramRelay +100 newacct [unauthorizeduse] +101 hostname NICHostNameServer +102 iso-tsap ISO-TSAPClass0 +103 x400 +104 x400-snd +105 cso CCSOnameserverprotocol +106 3com-tsmux 3COM-TSMUX +107 rtelnet RemoteTelnetService +108 snagas SNAGatewayAccessServer +109 pop2 PostOfficeProtocol-Version2 +110 pop3 PostOfficeProtocol-Version3 +111 sunrpc SUNRemoteProcedureCall +112 mcidas McIDASDataTransmissionProtocol +113 ident +114 audionews AudioNewsMulticast +115 sftp SimpleFileTransferProtocol +116 ansanotify ANSAREXNotify +117 uucp-path UUCPPathService +118 sqlserv SQLServices +119 nntp NetworkNewsTransferProtocol +120 cfdptkt CFDPTKT +121 erpc EncoreExpeditedRemotePro.Call +122 smakynet SMAKYNET +123 ntp NetworkTimeProtocol +124 ansatrader ANSAREXTrader +125 locus-map LocusPC-InterfaceNetMapSer +126 unitary UnisysUnitaryLogin +127 locus-con LocusPC-InterfaceConnServer +128 gss-xlicen GSSXLicenseVerification +129 pwdgen PasswordGeneratorProtocol +130 cisco-fna ciscoFNATIVE +131 cisco-tna ciscoTNATIVE +132 cisco-sys ciscoSYSMAINT +133 statsrv StatisticsService +134 ingres-net INGRES-NETService +135 epmap DCEendpointresolution +136 profile PROFILENamingSystem +137 netbios-ns NETBIOSNameService +138 netbios-dgm NETBIOSDatagramService +139 netbios-ssn NETBIOSSessionService +140 emfis-data EMFISDataService +141 emfis-cntl EMFISControlService +142 bl-idm Britton-LeeIDM +143 imap InternetMessageAccessProtocol +144 NeWS +145 uaac UAACProtocol +146 iso-tp0 ISO-IP0 +147 iso-ip ISO-IP +148 jargon Jargon +149 aed-512 AED512EmulationService +150 sql-net SQL-NET +151 hems HEMS +152 bftp BackgroundFileTransferProgram +153 sgmp SGMP +154 netsc-prod NETSC +155 netsc-dev NETSC +156 sqlsrv SQLService +157 knet-cmp KNET/VMCommand/MessageProtocol +158 pcmail-srv PCMailServer +159 nss-routing NSS-Routing +160 sgmp-traps SGMP-TRAPS +161 snmp SNMP +162 snmptrap SNMPTRAP +163 cmip-man CMIP/TCPManager +164 cmip-agent CMIP/TCPAgent +165 xns-courier Xerox +166 s-net 
SiriusSystems +167 namp NAMP +168 rsvd RSVD +169 send SEND +170 print-srv NetworkPostScript +171 multiplex NetworkInnovationsMultiplex +172 cl/1 NetworkInnovationsCL/1 +173 xyplex-mux Xyplex +174 mailq MAILQ +175 vmnet VMNET +176 genrad-mux GENRAD-MUX +177 xdmcp XDisplayManagerControlProtocol +178 nextstep NextStepWindowServer +179 bgp BorderGatewayProtocol +180 ris Intergraph +181 unify Unify +182 audit UnisysAuditSITP +183 ocbinder OCBinder +184 ocserver OCServer +185 remote-kis Remote-KIS +186 kis KISProtocol +187 aci ApplicationCommunicationInterface +188 mumps PlusFive'sMUMPS +189 qft QueuedFileTransport +190 gacp GatewayAccessControlProtocol +191 prospero ProsperoDirectoryService +192 osu-nms OSUNetworkMonitoringSystem +193 srmp SpiderRemoteMonitoringProtocol +194 irc InternetRelayChatProtocol +195 dn6-nlm-aud DNSIXNetworkLevelModuleAudit +196 dn6-smm-red DNSIXSessionMgtModuleAuditRedir +197 dls DirectoryLocationService +198 dls-mon DirectoryLocationServiceMonitor +199 smux SMUX +200 src IBMSystemResourceController +201 at-rtmp AppleTalkRoutingMaintenance +202 at-nbp AppleTalkNameBinding +203 at-3 AppleTalkUnused +204 at-echo AppleTalkEcho +205 at-5 AppleTalkUnused +206 at-zis AppleTalkZoneInformation +207 at-7 AppleTalkUnused +208 at-8 AppleTalkUnused +209 qmtp TheQuickMailTransferProtocol +210 z39.50 ANSIZ39.50 +211 914c/g TexasInstruments914C/GTerminal +212 anet ATEXSSTR +213 ipx IPX +214 vmpwscs VMPWSCS +215 softpc InsigniaSolutions +216 CAIlic ComputerAssociatesInt'lLicenseServer +217 dbase dBASEUnix +218 mpp NetixMessagePostingProtocol +219 uarps UnisysARPs +220 imap3 InteractiveMailAccessProtocolv3 +221 fln-spx BerkeleyrlogindwithSPXauth +222 rsh-spx BerkeleyrshdwithSPXauth +223 cdc CertificateDistributionCenter +224 Reserved +225 Reserved +226 Reserved +227 Reserved +228 Reserved +229 Reserved +230 Reserved +231 Reserved +232 Reserved +233 Reserved +234 Reserved +235 Reserved +236 Reserved +237 Reserved +238 Reserved +239 Reserved +240 Reserved +241 
Reserved +242 direct Direct +243 sur-meas SurveyMeasurement +244 dayna Dayna +245 link LINK +246 dsp3270 DisplaySystemsProtocol +247 subntbcst_tftp SUBNTBCST_TFTP +248 bhfhs bhfhs +249 +250 Reserved +251 Reserved +252 Reserved +253 Reserved +254 Reserved +255 Reserved +256 rap RAP +257 set SecureElectronicTransaction +258 yak-chat YakWinsockPersonalChat +259 esro-gen EfficientShortRemoteOperations +260 openport Openport +261 nsiiops IIOPNameServiceoverTLS/SSL +262 arcisdms Arcisdms +263 hdap HDAP +280 http-mgmt http-mgmt +281 personal-link PersonalLink +282 cableport-ax CablePortA/X +309 entrusttime EntrustTime +310 bhmds bhmds +311 asip-webadmin AppleShareIPWebAdmin +312 vslmp VSLMP +313 magenta-logic MagentaLogic +314 opalis-robot OpalisRobot +315 dpsi DPSI +316 decauth decAuth +317 zannet Zannet +344 pdap ProsperoDataAccessProtocol +345 pawserv PerfAnalysisWorkbench +346 zserv Zebraserver +347 fatserv FatmenServer +348 csi-sgwp CabletronManagementProtocol +349 mftp mftp +350 matip-type-a MATIPTypeA +351 bhoetty bhoetty(added5/21/97) +352 dtag-ste-sb DTAG +353 ndsauth NDSAUTH +354 bh611 bh611 +355 datex-asn DATEX-ASN +356 cloanto-net-1 CloantoNet1 +357 bhevent bhevent +358 shrinkwrap Shrinkwrap +359 tenebris_nts TenebrisNetworkTraceService +360 scoi2odialog scoi2odialog +361 semantix Semantix +362 srssend SRSSend +363 rsvp_tunnel RSVPTunnel +364 aurora-cmgr AuroraCMGR +365 dtk DTK +366 odmr ODMR +367 mortgageware MortgageWare +368 qbikgdp QbikGDP +369 rpc2portmap rpc2portmap +370 codaauth2 codaauth2 +371 clearcase Clearcase +372 ulistproc ListProcessor +373 legent-1 LegentCorporation +374 legent-2 LegentCorporation +375 hassle Hassle +376 nip AmigaEnvoyNetworkInquiryProto +377 tnETOS NECCorporation +378 dsETOS NECCorporation +379 is99c TIA/EIA/IS-99modemclient +380 is99s TIA/EIA/IS-99modemserver +381 hp-collector hpperformancedatacollector +382 hp-managed-node hpperformancedatamanagednode +383 hp-alarm-mgr hpperformancedataalarmmanager +384 arns 
ARemoteNetworkServerSystem +385 ibm-app IBMApplication +386 asa ASAMessageRouterObjectDef. +387 aurp AppletalkUpdate-BasedRoutingPro. +388 unidata-ldm UnidataLDMVersion4 +389 ldap LightweightDirectoryAccessProtocol +390 uis UIS +391 synotics-relay SynOpticsSNMPRelayPort +392 synotics-broker SynOpticsPortBrokerPort +393 dis DataInterpretationSystem +394 embl-ndt EMBLNucleicDataTransfer +395 netcp NETscoutControlProtocol +396 netware-ip NovellNetwareoverIP +397 mptn MultiProtocolTrans.Net. +398 kryptolan Kryptolan +399 iso-tsap-c2 ISOTransportClass2Non-Controlover +400 work-sol WorkstationSolutions +401 ups UninterruptiblePowerSupply +402 genie GenieProtocol +403 decap decap +404 nced nced +405 ncld ncld +406 imsp InteractiveMailSupportProtocol +407 timbuktu Timbuktu +408 prm-sm ProsperoResourceManagerSys.Man. +409 prm-nm ProsperoResourceManagerNodeMan. +410 decladebug DECLadebugRemoteDebugProtocol +411 rmt RemoteMTProtocol +412 synoptics-trap TrapConventionPort +413 smsp SMSP +414 infoseek InfoSeek +415 bnet BNet +416 silverplatter Silverplatter +417 onmux Onmux +418 hyper-g Hyper-G +419 ariel1 Ariel +420 smpte SMPTE +421 ariel2 Ariel +422 ariel3 Ariel +423 opc-job-start IBMOperationsPlanningandControlStart +424 opc-job-track IBMOperationsPlanningandControlTrack +425 icad-el ICAD +426 smartsdp smartsdp +427 svrloc ServerLocation +428 ocs_cmu OCS_CMU +429 ocs_amu OCS_AMU +430 utmpsd UTMPSD +431 utmpcd UTMPCD +432 iasd IASD +433 nnsp NNSP +434 mobileip-agent MobileIP-Agent +435 mobilip-mn MobilIP-MN +436 dna-cml DNA-CML +437 comscm comscm +438 dsfgw dsfgw +439 dasp daspThomasObermair +440 sgcp sgcp +441 decvms-sysmgt decvms-sysmgt +442 cvc_hostd cvc_hostd +443 https httpprotocoloverTLS/SSL +444 snpp SimpleNetworkPagingProtocol +445 microsoft-ds Microsoft-DS +446 ddm-rdb DDM-RDB +447 ddm-dfm DDM-RFM +448 ddm-ssl DDM-SSL +449 as-servermap ASServerMapper +450 tserver TServer +451 sfs-smp-net CrayNetworkSemaphoreserver +452 sfs-config CraySFSconfigserver +453 
creativeserver CreativeServer +454 contentserver ContentServer +455 creativepartnr CreativePartnr +456 macon-udp macon-udp +457 scohelp scohelp +458 appleqtc applequicktime +459 ampr-rcmd ampr-rcmd +460 skronk skronk +461 datasurfsrv DataRampSrv +462 datasurfsrvsec DataRampSrvSec +463 alpes alpes +464 kpasswd kpasswd +465 smtps smtpprotocoloverTLS/SSL(wasssmtp) +466 digital-vrc digital-vrc +467 mylex-mapd mylex-mapd +468 photuris proturis +469 rcp RadioControlProtocol +470 scx-proxy scx-proxy +471 mondex Mondex +472 ljk-login ljk-login +473 hybrid-pop hybrid-pop +474 tn-tl-w1 tn-tl-w1 +475 tcpnethaspsrv tcpnethaspsrv +476 tn-tl-fd1 tn-tl-fd1 +477 ss7ns ss7ns +478 spsc spsc +479 iafserver iafserver +480 iafdbase iafdbase +481 ph Phservice +482 bgs-nsi bgs-nsi +483 ulpnet ulpnet +484 integra-sme IntegraSoftwareManagementEnvironment +485 powerburst AirSoftPowerBurst +486 avian avian +487 saft saftSimpleAsynchronousFileTransfer +488 gss-http gss-http +489 nest-protocol nest-protocol +490 micom-pfs micom-pfs +491 go-login go-login +492 ticf-1 TransportIndependentConvergenceforFNA +493 ticf-2 TransportIndependentConvergenceforFNA +494 pov-ray POV-Ray +495 intecourier intecourier +496 pim-rp-disc PIM-RP-DISC +497 dantz dantz +498 siam siam +499 iso-ill ISOILLProtocol +500 isakmp isakmp +501 stmf STMF +502 asa-appl-proto asa-appl-proto +503 intrinsa Intrinsa +504 citadel citadel +505 mailbox-lm mailbox-lm +506 ohimsrv ohimsrv +507 crs crs +508 xvttp xvttp +509 snare snare +510 fcp FirstClassProtocol +511 mynet mynet-as +512 exec-or-biff +513 login-or-who +514 shell-or-syslog +515 printer spooler +516 videotex videotex +517 talk liketenexlink,butacross +518 ntalk +519 utime unixtime +520 route +521 ripng ripng +522 ulp ULP +523 ibm-db2 IBM-DB2 +524 ncp NCP +525 timed timeserver +526 tempo newdate +527 stx StockIXChange +528 custix CustomerIXChange +529 irc-serv IRC-SERV +530 courier rpc +531 conference chat +532 netnews readnews +533 netwall foremergencybroadcasts +534 
mm-admin MegaMediaAdmin +535 iiop iiop +536 opalis-rdv opalis-rdv +537 nmsp NetworkedMediaStreamingProtocol +538 gdomap gdomap +539 apertus-ldp ApertusTechnologiesLoadDetermination +540 uucp uucpd +541 uucp-rlogin uucp-rlogin +542 commerce commerce +543 klogin +544 kshell krcmd +545 appleqtcsrvr appleqtcsrvr +546 dhcpv6-client DHCPv6Client +547 dhcpv6-server DHCPv6Server +548 afpovertcp AFPoverTCP +549 idfp IDFP +550 new-rwho new-who +551 cybercash cybercash +552 deviceshare deviceshare +553 pirp pirp +554 rtsp RealTimeStreamControlProtocol +555 dsf +556 remotefs rfsserver +557 openvms-sysipc openvms-sysipc +558 sdnskmp SDNSKMP +559 teedtap TEEDTAP +560 rmonitor rmonitord +561 monitor +562 chshell chcmd +563 nntps nntpprotocoloverTLS/SSL(wassnntp) +564 9pfs plan9fileservice +565 whoami whoami +566 streettalk streettalk +567 banyan-rpc banyan-rpc +568 ms-shuttle microsoftshuttle +569 ms-rome microsoftrome +570 meter demon +571 meter udemon +573 banyan-vip banyan-vip +574 ftp-agent FTPSoftwareAgentSystem +575 vemmi VEMMI +576 ipcd ipcd +577 vnas vnas +578 ipdd ipdd +579 decbsrv decbsrv +580 sntp-heartbeat SNTPHEARTBEAT +581 bdp BundleDiscoveryProtocol +582 scc-security SCCSecurity +583 philips-vc PhilipsVideo-Conferencing +584 keyserver KeyServer +585 imap4-ssl IMAP4+SSL(use993instead) +586 password-chg PasswordChange +587 submission Submission +588 cal CAL +589 eyelink EyeLink +590 tns-cml TNSCML +591 http-alt FileMaker,Inc.-HTTPAlternate(see +592 eudora-set EudoraSet +593 http-rpc-epmap HTTPRPCEpMap +594 tpip TPIP +595 cab-protocol CABProtocol +596 smsd SMSD +597 ptcnameservice PTCNameService +598 sco-websrvrmg3 SCOWebServerManager3 +599 acp AeolonCoreProtocol +600 ipcserver SunIPCserver +606 urm CrayUnifiedResourceManager +607 nqs nqs +608 sift-uft Sender-Initiated/UnsolicitedFileTransfer +609 npmp-trap npmp-trap +610 npmp-local npmp-local +611 npmp-gui npmp-gui +612 hmmp-ind HMMPIndication +613 hmmp-op HMMPOperation +614 sshell SSLshell +615 sco-inetmgr 
InternetConfigurationManager +616 sco-sysmgr SCOSystemAdministrationServer +617 sco-dtmgr SCODesktopAdministrationServer +618 dei-icda DEI-ICDA +619 digital-evm DigitalEVM +620 sco-websrvrmgr SCOWebServerManager +621 escp-ip ESCP +622 collaborator Collaborator +623 aux_bus_shunt AuxBusShunt +624 cryptoadmin CryptoAdmin +625 dec_dlm DECDLM +626 asia ASIA +627 cks-tivioli CKS&TIVIOLI +628 qmqp QMQP +629 3com-amp3 3ComAMP3 +630 rda RDA +631 ipp IPP(InternetPrintingProtocol) +632 bmpp bmpp +633 servstat ServiceStatusupdate(SterlingSoftware) +634 ginad ginad +635 rlzdbase RLZDBase +636 ldaps ldapprotocoloverTLS/SSL(wassldap) +637 lanserver lanserver +638 mcns-sec mcns-sec +639 msdp MSDP +666 mdqs +667 disclose campaigncontributiondisclosures-SDRTechnologies +668 mecomm MeComm +669 meregister MeRegister +670 vacdsm-sws VACDSM-SWS +671 vacdsm-app VACDSM-APP +672 vpps-qua VPPS-QUA +673 cimplex CIMPLEX +674 acap ACAP +675 dctp DCTP +676 vpps-via VPPSVia +704 elcsd errlogcopy/serverdaemon +705 agentx AgentX +707 borland-dsj BorlandDSJ +709 entrust-kmsh EntrustKeyManagementServiceHandler +710 entrust-ash EntrustAdministrationServiceHandler +711 cisco-tdp CiscoTDP +729 netviewdm1 IBMNetViewDM/6000Server/Client +730 netviewdm2 IBMNetViewDM/6000send +731 netviewdm3 IBMNetViewDM/6000receive +741 netgw netGW +742 netrcs NetworkbasedRev.Cont.Sys. 
+744 flexlm FlexibleLicenseManager +747 fujitsu-dev FujitsuDeviceControl +748 ris-cm RussellInfoSciCalendarManager +749 kerberos-adm kerberosadministration +750 kerberos-iv kerberosversioniv +751 pump +752 qrh +753 rrh +754 tell send +758 nlogin +759 con +760 ns +761 rxe +762 quotad +763 cycleserv +764 omserv +765 webster +767 phonebook phone +769 vid +770 cadlock +771 rtip +772 cycleserv2 +773 notify +774 rpasswd +775 acmaint_transd +776 wpages +780 wpgs +786 concert Concert +787 qsc QSC +800 mdbs_daemon +801 device +829 pkix-3-ca-ra PKIX-3CA/RA +873 rsync rsync +886 iclcnet-locate ICLcoNETionlocateserver +887 iclcnet_svinfo ICLcoNETionserverinfo +888 accessbuilder AccessBuilder +900 omginitialrefs OMGInitialRefs +911 xact-backup xact-backup +989 ftps-data ftpprotocol,data,overTLS/SSL +990 ftps ftpprotocol,control,overTLS/SSL +991 nas NetnewsAdministrationSystem +992 telnets telnetprotocoloverTLS/SSL +993 imaps imap4protocoloverTLS/SSL +994 ircs ircprotocoloverTLS/SSL +995 pop3s pop3protocoloverTLS/SSL(wasspop3) +996 vsinet vsinet +997 maitrd +998 busboy +999 garcon +1000 cadlock +1008 ufsd +1010 surf surf +1011 Reserved +1012 Reserved +1013 Reserved +1014 Reserved +1015 Reserved +1016 Reserved +1017 Reserved +1018 Reserved +1019 Reserved +1020 Reserved +1021 Reserved +1022 Reserved +1025 blackjack networkblackjack +1030 iad1 BBNIAD +1031 iad2 BBNIAD +1032 iad3 BBNIAD +1047 neod1 Sun'sNEOObjectRequestBroker +1048 neod2 Sun'sNEOObjectRequestBroker +1058 nim nim +1059 nimreg nimreg +1067 instl_boots InstallationBootstrapProto.Serv. +1068 instl_bootc InstallationBootstrapProto.Cli. 
+1080 socks Socks +1083 ansoft-lm-1 AnasoftLicenseManager +1084 ansoft-lm-2 AnasoftLicenseManager +1099 rmiSun +1103 xaudio +1110 nfsd-status Clusterstatusinfo +1111 lmsocialserver LMSocialServer +1123 murray Murray +1155 nfa NetworkFileAccess +1161 health-polling HealthPolling +1162 health-trap HealthTrap +1180 mc-client MillicentClientProxy +1212 lupa lupa +1222 nerv SNIR&Dnetwork +1234 search-agent InfoseekSearchAgent +1239 nmsd NMSD +1248 hermes +1300 h323hostcallsc H323HostCallSecure +1313 bmc_patroldb BMC_PATROLDB +1314 pdps PhotoscriptDistributedPrintingSystem +1345 vpjp VPJP +1346 alta-ana-lm AltaAnalyticsLicenseManager +1347 bbn-mmc multimediaconferencing +1348 bbn-mmx multimediaconferencing +1349 sbook RegistrationNetworkProtocol +1350 editbench RegistrationNetworkProtocol +1351 equationbuilder DigitalToolWorks(MIT) +1352 lotusnote LotusNote +1353 relief ReliefConsulting +1354 rightbrain RightBrainSoftware +1355 intuitive-edge IntuitiveEdge +1356 cuillamartin CuillaMartinCompany +1357 pegboard ElectronicPegBoard +1358 connlcli CONNLCLI +1359 ftsrv FTSRV +1360 mimer MIMER +1361 linx LinX +1362 timeflies TimeFlies +1363 ndm-requester NetworkDataMoverRequester +1364 ndm-server NetworkDataMoverServer +1365 adapt-sna NetworkSoftwareAssociates +1366 netware-csp NovellNetWareCommServicePlatform +1367 dcs DCS +1368 screencast ScreenCast +1369 gv-us GlobalViewtoUnixShell +1370 us-gv UnixShelltoGlobalView +1371 fc-cli FujitsuConfigProtocol +1372 fc-ser FujitsuConfigProtocol +1373 chromagrafx Chromagrafx +1374 molly EPISoftwareSystems +1375 bytex Bytex +1376 ibm-pps IBMPersontoPersonSoftware +1377 cichlid CichlidLicenseManager +1378 elan ElanLicenseManager +1379 dbreporter IntegritySolutions +1380 telesis-licman TelesisNetworkLicenseManager +1381 apple-licman AppleNetworkLicenseManager +1382 udt_os +1383 gwha GWHannawayNetworkLicenseManager +1384 os-licman ObjectiveSolutionsLicenseManager +1385 atex_elmd AtexPublishingLicenseManager +1386 checksum 
CheckSumLicenseManager +1387 cadsi-lm ComputerAidedDesignSoftwareIncLM +1388 objective-dbc ObjectiveSolutionsDataBaseCache +1389 iclpv-dm DocumentManager +1390 iclpv-sc StorageController +1391 iclpv-sas StorageAccessServer +1392 iclpv-pm PrintManager +1393 iclpv-nls NetworkLogServer +1394 iclpv-nlc NetworkLogClient +1395 iclpv-wsm PCWorkstationManagersoftware +1396 dvl-activemail DVLActiveMail +1397 audio-activmail AudioActiveMail +1398 video-activmail VideoActiveMail +1399 cadkey-licman CadkeyLicenseManager +1400 cadkey-tablet CadkeyTabletDaemon +1401 goldleaf-licman GoldleafLicenseManager +1402 prm-sm-np ProsperoResourceManager +1403 prm-nm-np ProsperoResourceManager +1404 igi-lm InfiniteGraphicsLicenseManager +1405 ibm-res IBMRemoteExecutionStarter +1406 netlabs-lm NetLabsLicenseManager +1407 dbsa-lm DBSALicenseManager +1408 sophia-lm SophiaLicenseManager +1409 here-lm HereLicenseManager +1410 hiq HiQLicenseManager +1411 af AudioFile +1412 innosys InnoSys +1413 innosys-acl Innosys-ACL +1414 ibm-mqseries IBMMQSeries +1415 dbstar DBStar +1416 novell-lu6.2 NovellLU6.2 +1417 timbuktu-srv1 TimbuktuService1Port +1418 timbuktu-srv2 TimbuktuService2Port +1419 timbuktu-srv3 TimbuktuService3Port +1420 timbuktu-srv4 TimbuktuService4Port +1421 gandalf-lm GandalfLicenseManager +1422 autodesk-lm AutodeskLicenseManager +1423 essbase EssbaseArborSoftware +1424 hybrid HybridEncryptionProtocol +1425 zion-lm ZionSoftwareLicenseManager +1426 sais Satellite-dataAcquisitionSystem1 +1427 mloadd mloaddmonitoringtool +1428 informatik-lm InformatikLicenseManager +1429 nms HypercomNMS +1430 tpdu HypercomTPDU +1431 rgtp ReverseGossipTransport +1432 blueberry-lm BlueberrySoftwareLicenseManager +1433 ms-sql-s Microsoft-SQL-Server +1434 ms-sql-m Microsoft-SQL-Monitor +1435 ibm-cics IBMCICS +1436 saism Satellite-dataAcquisitionSystem2 +1437 tabula Tabula +1438 eicon-server EiconSecurityAgent/Server +1439 eicon-x25 EiconX25/SNAGateway +1440 eicon-slp EiconServiceLocationProtocol +1441 cadis-1 
CadisLicenseManagement +1442 cadis-2 CadisLicenseManagement +1443 ies-lm IntegratedEngineeringSoftware +1444 marcam-lm MarcamLicenseManagement +1445 proxima-lm ProximaLicenseManager +1446 ora-lm OpticalResearchAssociatesLicenseManager +1447 apri-lm AppliedParallelResearchLM +1448 oc-lm OpenConnectLicenseManager +1449 peport PEport +1450 dwf TandemDistributedWorkbenchFacility +1451 infoman IBMInformationManagement +1452 gtegsc-lm GTEGovernmentSystemsLicenseMan +1453 genie-lm GenieLicenseManager +1454 interhdl_elmd interHDLLicenseManager +1455 esl-lm ESLLicenseManager +1456 dca DCA +1457 valisys-lm ValisysLicenseManager +1458 nrcabq-lm NicholsResearchCorp. +1459 proshare1 ProshareNotebookApplication +1460 proshare2 ProshareNotebookApplication +1461 ibm_wrless_lan IBMWirelessLAN +1462 world-lm WorldLicenseManager +1463 nucleus Nucleus +1464 msl_lmd MSLLicenseManager +1465 pipes PipesPlatformmfarlin@peerlogic.com +1466 oceansoft-lm OceanSoftwareLicenseManager +1467 csdmbase CSDMBASE +1468 csdm CSDM +1469 aal-lm ActiveAnalysisLimitedLicenseManager +1470 uaiact UniversalAnalytics +1471 csdmbase csdmbase +1472 csdm csdm +1473 openmath OpenMath +1474 telefinder Telefinder +1475 taligent-lm TaligentLicenseManager +1476 clvm-cfg clvm-cfg +1477 ms-sna-server ms-sna-server +1478 ms-sna-base ms-sna-base +1479 dberegister dberegister +1480 pacerforum PacerForum +1481 airs AIRS +1482 miteksys-lm MiteksysLicenseManager +1483 afs AFSLicenseManager +1484 confluent ConfluentLicenseManager +1485 lansource LANSource +1486 nms_topo_serv nms_topo_serv +1487 localinfosrvr LocalInfoSrvr +1488 docstor DocStor +1489 dmdocbroker dmdocbroker +1490 insitu-conf insitu-conf +1491 anynetgateway anynetgateway +1492 stone-design-1 stone-design-1 +1493 netmap_lm netmap_lm +1494 ica ica +1495 cvc cvc +1496 liberty-lm liberty-lm +1497 rfx-lm rfx-lm +1498 sybase-sqlany SybaseSQLAny +1499 fhc FedericoHeinzConsultora +1500 vlsi-lm VLSILicenseManager +1501 saiscm Satellite-dataAcquisitionSystem3 +1502 
shivadiscovery Shiva +1503 imtc-mcs Databeam +1504 evb-elm EVBSoftwareEngineeringLicenseManager +1505 funkproxy FunkSoftware,Inc. +1506 utcd UniversalTimedaemon(utcd) +1507 symplex symplex +1508 diagmond diagmond +1509 robcad-lm Robcad,Ltd.LicenseManager +1510 mvx-lm MidlandValleyExplorationLtd.Lic.Man. +1511 3l-l1 3l-l1 +1512 wins Microsoft'sWindowsInternetNameService +1513 fujitsu-dtc FujitsuSystemsBusinessofAmerica,Inc +1514 fujitsu-dtcns FujitsuSystemsBusinessofAmerica,Inc +1515 ifor-protocol ifor-protocol +1516 vpad VirtualPlacesAudiodata +1517 vpac VirtualPlacesAudiocontrol +1518 vpvd VirtualPlacesVideodata +1519 vpvc VirtualPlacesVideocontrol +1520 atm-zip-office atmzipoffice +1521 ncube-lm nCubeLicenseManager +1522 ricardo-lm RicardoNorthAmericaLicenseManager +1523 cichild-lm cichild +1524 ingreslock ingres +1525 orasrv oracle +1526 pdap-np ProsperoDataAccessProtnon-priv +1527 tlisrv oracle +1528 mciautoreg micautoreg +1529 coauthor oracle +1530 rap-service rap-service +1531 rap-listen rap-listen +1532 miroconnect miroconnect +1533 virtual-places VirtualPlacesSoftware +1534 micromuse-lm micromuse-lm +1535 ampr-info ampr-info +1536 ampr-inter ampr-inter +1537 sdsc-lm isi-lm +1538 3ds-lm 3ds-lm +1539 intellistor-lm IntellistorLicenseManager +1540 rds rds +1541 rds2 rds2 +1542 gridgen-elmd gridgen-elmd +1543 simba-cs simba-cs +1544 aspeclmd aspeclmd +1545 vistium-share vistium-share +1546 abbaccuray abbaccuray +1547 laplink laplink +1548 axon-lm AxonLicenseManager +1549 shivahose ShivaHose +1550 3m-image-lm ImageStoragelicensemanager3MCompany +1551 hecmtl-db HECMTL-DB +1552 pciarray pciarray +1553 sna-cs sna-cs +1554 caci-lm CACIProductsCompanyLicenseManager +1555 livelan livelan +1556 ashwin AshWinCITecnologies +1557 arbortext-lm ArborTextLicenseManager +1558 xingmpeg xingmpeg +1559 web2host web2host +1560 asci-val asci-val +1561 facilityview facilityview +1562 pconnectmgr pconnectmgr +1563 cadabra-lm CadabraLicenseManager +1564 pay-per-view Pay-Per-View 
+1565 winddlb WinDD +1566 corelvideo CORELVIDEO +1567 jlicelmd jlicelmd +1568 tsspmap tsspmap +1569 ets ets +1570 orbixd orbixd +1571 rdb-dbs-disp OracleRemoteDataBase +1572 chip-lm ChipcomLicenseManager +1573 itscomm-ns itscomm-ns +1574 mvel-lm mvel-lm +1575 oraclenames oraclenames +1576 moldflow-lm moldflow-lm +1577 hypercube-lm hypercube-lm +1578 jacobus-lm JacobusLicenseManager +1579 ioc-sea-lm ioc-sea-lm +1580 tn-tl-r2 tn-tl-r2 +1581 mil-2045-47001 MIL-2045-47001 +1582 msims MSIMS +1583 simbaexpress simbaexpress +1584 tn-tl-fd2 tn-tl-fd2 +1585 intv intv +1586 ibm-abtact ibm-abtact +1587 pra_elmd pra_elmd +1588 triquest-lm triquest-lm +1589 vqp VQP +1590 gemini-lm gemini-lm +1591 ncpm-pm ncpm-pm +1592 commonspace commonspace +1593 mainsoft-lm mainsoft-lm +1594 sixtrak sixtrak +1595 radio radio +1596 radio-bc radio-bc +1597 orbplus-iiop orbplus-iiop +1598 picknfs picknfs +1599 simbaservices simbaservices +1600 issd +1601 aas aas +1602 inspect inspect +1603 picodbc pickodbc +1604 icabrowser icabrowser +1605 slp SalutationManager(SalutationProtocol) +1606 slm-api SalutationManager(SLM-API) +1607 stt stt +1608 smart-lm SmartCorp.LicenseManager +1609 isysg-lm isysg-lm +1610 taurus-wh taurus-wh +1611 ill InterLibraryLoan +1612 netbill-trans NetBillTransactionServer +1613 netbill-keyrep NetBillKeyRepository +1614 netbill-cred NetBillCredentialServer +1615 netbill-auth NetBillAuthorizationServer +1616 netbill-prod NetBillProductServer +1617 nimrod-agent NimrodInter-AgentCommunication +1618 skytelnet skytelnet +1619 xs-openstorage xs-openstorage +1620 faxportwinport faxportwinport +1621 softdataphone softdataphone +1622 ontime ontime +1623 jaleosnd jaleosnd +1624 udp-sr-port udp-sr-port +1625 svs-omagent svs-omagent +1630 oraclenet8cman OracleNet8Cman +1636 cncp CableNetControlProtocol +1637 cnap CableNetAdminProtocol +1638 cnip CableNetInfoProtocol +1639 cert-initiator cert-initiator +1640 cert-responder cert-responder +1641 invision InVision +1642 isis-am isis-am 
+1643 isis-ambc isis-ambc +1644 saiseh Satellite-dataAcquisitionSystem4 +1645 datametrics datametrics +1646 sa-msg-port sa-msg-port +1647 rsap rsap +1648 concurrent-lm concurrent-lm +1649 inspect inspect +1650 nkd nkd +1651 shiva_confsrvr shiva_confsrvr +1652 xnmp xnmp +1653 alphatech-lm alphatech-lm +1654 stargatealerts stargatealerts +1655 dec-mbadmin dec-mbadmin +1656 dec-mbadmin-h dec-mbadmin-h +1657 fujitsu-mmpdc fujitsu-mmpdc +1658 sixnetudr sixnetudr +1659 sg-lm SiliconGrailLicenseManager +1660 skip-mc-gikreq skip-mc-gikreq +1661 netview-aix-1 netview-aix-1 +1662 netview-aix-2 netview-aix-2 +1663 netview-aix-3 netview-aix-3 +1664 netview-aix-4 netview-aix-4 +1665 netview-aix-5 netview-aix-5 +1666 netview-aix-6 netview-aix-6 +1667 netview-aix-7 netview-aix-7 +1668 netview-aix-8 netview-aix-8 +1669 netview-aix-9 netview-aix-9 +1670 netview-aix-10 netview-aix-10 +1671 netview-aix-11 netview-aix-11 +1672 netview-aix-12 netview-aix-12 +1673 proshare-mc-1 IntelProshareMulticast +1674 proshare-mc-2 IntelProshareMulticast +1675 pdp PacificDataProducts +1676 netcomm1 netcomm1 +1677 groupwise groupwise +1678 prolink prolink +1679 darcorp-lm darcorp-lm +1680 microcom-sbp microcom-sbp +1681 sd-elmd sd-elmd +1682 lanyon-lantern lanyon-lantern +1683 ncpm-hip ncpm-hip +1684 snaresecure SnareSecure +1685 n2nremote n2nremote +1686 cvmon cvmon +1687 nsjtp-ctrl nsjtp-ctrl +1688 nsjtp-data nsjtp-data +1689 firefox firefox +1690 ng-umds ng-umds +1691 empire-empuma empire-empuma +1692 sstsys-lm sstsys-lm +1693 rrirtr rrirtr +1694 rrimwm rrimwm +1695 rrilwm rrilwm +1696 rrifmm rrifmm +1697 rrisat rrisat +1698 rsvp-encap-1 RSVP-ENCAPSULATION-1 +1699 rsvp-encap-2 RSVP-ENCAPSULATION-2 +1700 mps-raft mps-raft +1701 l2f l2f +1702 deskshare deskshare +1703 hb-engine hb-engine +1704 bcs-broker bcs-broker +1705 slingshot slingshot +1706 jetform jetform +1707 vdmplay vdmplay +1708 gat-lmd gat-lmd +1709 centra centra +1710 impera impera +1711 pptconference pptconference +1712 registrar 
resourcemonitoringservice +1713 conferencetalk ConferenceTalk +1714 sesi-lm sesi-lm +1715 houdini-lm houdini-lm +1716 xmsg xmsg +1717 fj-hdnet fj-hdnet +1718 h323gatedisc h323gatedisc +1719 h323gatestat h323gatestat +1720 h323hostcall h323hostcall +1721 caicci caicci +1722 hks-lm HKSLicenseManager +1723 pptp pptp +1724 csbphonemaster csbphonemaster +1725 iden-ralp iden-ralp +1726 iberiagames IBERIAGAMES +1727 winddx winddx +1728 telindus TELINDUS +1729 citynl CityNLLicenseManagement +1730 roketz roketz +1731 msiccp MSICCP +1732 proxim proxim +1733 siipat SIMS-SIIPATProtocolforAlarm +1734 cambertx-lm CamberCorporationLicenseManagement +1735 privatechat PrivateChat +1736 street-stream street-stream +1737 ultimad ultimad +1738 gamegen1 GameGen1 +1739 webaccess webaccess +1740 encore encore +1741 cisco-net-mgmt cisco-net-mgmt +1742 3Com-nsd 3Com-nsd +1743 cinegrfx-lm CinemaGraphicsLicenseManager +1744 ncpm-ft ncpm-ft +1745 remote-winsock remote-winsock +1746 ftrapid-1 ftrapid-1 +1747 ftrapid-2 ftrapid-2 +1748 oracle-em1 oracle-em1 +1749 aspen-services aspen-services +1750 sslp SimpleSocketLibrary'sPortMaster +1751 swiftnet SwiftNet +1752 lofr-lm LeapofFaithResearchLicenseManager +1753 translogic-lm TranslogicLicenseManager +1754 oracle-em2 oracle-em2 +1755 ms-streaming ms-streaming +1756 capfast-lmd capfast-lmd +1757 cnhrp cnhrp +1758 tftp-mcast tftp-mcast +1759 spss-lm SPSSLicenseManager +1760 www-ldap-gw www-ldap-gw +1761 cft-0 cft-0 +1762 cft-1 cft-1 +1763 cft-2 cft-2 +1764 cft-3 cft-3 +1765 cft-4 cft-4 +1766 cft-5 cft-5 +1767 cft-6 cft-6 +1768 cft-7 cft-7 +1769 bmc-net-adm bmc-net-adm +1770 bmc-net-svc bmc-net-svc +1771 vaultbase vaultbase +1772 essweb-gw EssWebGateway +1773 kmscontrol KMSControl +1774 global-dtserv global-dtserv +1775 Unknown +1776 femis FederalEmergencyManagementInformationSystem +1777 powerguardian powerguardian +1778 prodigy-intrnet prodigy-internet +1779 pharmasoft pharmasoft +1780 dpkeyserv dpkeyserv +1781 answersoft-lm answersoft-lm +1782 
hp-hcip hp-hcip +1783 fjris FujitsuRemoteInstallService +1784 finle-lm FinleLicenseManager +1785 windlm WindRiverSystemsLicenseManager +1786 funk-logger funk-logger +1787 funk-license funk-license +1788 psmond psmond +1789 hello hello +1790 nmsp NarrativeMediaStreamingProtocol +1791 ea1 EA1 +1792 ibm-dt-2 ibm-dt-2 +1793 rsc-robot rsc-robot +1794 cera-bcm cera-bcm +1795 dpi-proxy dpi-proxy +1796 vocaltec-admin VocaltecServerAdministration +1797 uma UMA +1798 etp EventTransferProtocol +1799 netrisk NETRISK +1800 ansys-lm ANSYS-Licensemanager +1801 msmq MicrosoftMessageQue +1802 concomp1 ConComp1 +1803 hp-hcip-gwy HP-HCIP-GWY +1804 enl ENL +1805 enl-name ENL-Name +1806 musiconline Musiconline +1807 fhsp FujitsuHotStandbyProtocol +1808 oracle-vp2 Oracle-VP2 +1809 oracle-vp1 Oracle-VP1 +1810 jerand-lm JerandLicenseManager +1811 scientia-sdb Scientia-SDB +1812 radius RADIUS +1813 radius-acct RADIUSAccounting +1814 tdp-suite TDPSuite +1815 mmpft MMPFT +1816 harp HARP +1818 etftp EnhancedTrivialFileTransferProtocol +1819 plato-lm PlatoLicenseManager +1820 mcagent mcagent +1821 donnyworld donnyworld +1822 es-elmd es-elmd +1823 unisys-lm UnisysNaturalLanguageLicenseManager +1824 metrics-pas metrics-pas +1850 gsi GSI +1860 sunscalar-svc SunSCALARServices +1861 lecroy-vicp LeCroyVICP +1862 techra-server techra-server +1863 msnp MSNP +1864 paradym-31port Paradym31Port +1865 entp ENTP +1870 sunscalar-dns SunSCALARDNSService +1881 ibm-mqseries2 IBMMQSeries +1901 fjicl-tep-a FujitsuICLTerminalEmulatorProgramA +1902 fjicl-tep-b FujitsuICLTerminalEmulatorProgramB +1903 linkname LocalLinkNameResolution +1904 fjicl-tep-c FujitsuICLTerminalEmulatorProgramC +1905 sugp SecureUP.LinkGatewayProtocol +1906 tpmd TPortMapperReq +1907 intrastar IntraSTAR +1908 dawn Dawn +1909 global-wlink GlobalWorldLink +1911 mtp StarlightNetworksMultimediaTransportProtocol +1913 armadp armadp +1914 elm-momentum Elm-Momentum +1915 facelink FACELINK +1916 persona PersoftPersona +1917 noagent nOAgent +1918 
can-nds CandleDirectoryService-NDS +1919 can-dch CandleDirectoryService-DCH +1920 can-ferret CandleDirectoryService-FERRET +1921 noadmin NoAdmin +1944 close-combat close-combat +1945 dialogic-elmd dialogic-elmd +1946 tekpls tekpls +1947 hlserver hlserver +1948 eye2eye eye2eye +1949 ismaeasdaqlive ISMAEasdaqLive +1950 ismaeasdaqtest ISMAEasdaqTest +1951 bcs-lmserver bcs-lmserver +1973 dlsrap DataLinkSwitchingRemoteAccessProtocol +1985 hsrp HotStandbyRouterProtocol +1986 licensedaemon ciscolicensemanagement +1987 tr-rsrb-p1 ciscoRSRBPriority1port +1988 tr-rsrb-p2 ciscoRSRBPriority2port +1989 tr-rsrb-p3 ciscoRSRBPriority3port +1990 stun-p1 ciscoSTUNPriority1port +1991 stun-p2 ciscoSTUNPriority2port +1992 stun-p3 ciscoSTUNPriority3port +1993 snmp-tcp-port ciscoSNMPTCPport +1994 stun-port ciscoserialtunnelport +1995 perf-port ciscoperfport +1996 tr-rsrb-port ciscoRemoteSRBport +1997 gdp-port ciscoGatewayDiscoveryProtocol +1998 x25-svc-port ciscoX.25service(XOT) +1999 tcp-id-port ciscoidentificationport +2000 callbook +2001 dc +2002 globe +2004 mailbox +2005 berknet +2006 invokator +2007 dectalk +2008 conf +2009 news +2010 search +2011 raid-cc raid +2012 ttyinfo +2013 raid-am +2014 troff +2015 cypress +2016 bootserver +2017 cypress-stat +2018 terminaldb +2019 whosockami +2020 xinupageserver +2021 servexec +2022 down +2023 xinuexpansion3 +2024 xinuexpansion4 +2025 ellpack +2026 scrabble +2027 shadowserver +2028 submitserver +2030 device2 +2032 blackboard +2033 glogger +2034 scoremgr +2035 imsldoc +2038 objectmanager +2040 lam +2041 interbase +2042 isis isis +2043 isis-bcast isis-bcast +2044 rimsl +2045 cdfunc +2046 sdfunc +2047 dls +2048 dls-monitor +2049 nfsd-or-shilp +2065 dlsrpn DataLinkSwitchReadPortNumber +2067 dlswpn DataLinkSwitchWritePortNumber +2090 lrp LoadReportProtocol +2091 prp PRP +2102 zephyr-srv Zephyrserver +2103 zephyr-clt Zephyrserv-hmconnection +2104 zephyr-hm Zephyrhostmanager +2105 minipay MiniPay +2180 mc-gt-srv MillicentVendorGatewayServer +2200 
ici ICI +2201 ats AdvancedTrainingSystemProgram +2202 imtc-map Int.MultimediaTeleconferencingCosortium +2213 kali Kali +2220 ganymede Ganymede +2221 unreg-ab1 Allen-Bradleyunregisteredport +2222 unreg-ab2 Allen-Bradleyunregisteredport +2223 inreg-ab3 Allen-Bradleyunregisteredport +2232 ivs-video IVSVideodefault +2233 infocrypt INFOCRYPT +2234 directplay DirectPlay +2235 sercomm-wlink Sercomm-WLink +2236 nani Nani +2237 optech-port1-lm OptechPort1LicenseManager +2238 aviva-sna AVIVASNASERVER +2239 imagequery ImageQuery +2240 recipe RECIPe +2241 ivsd IVSDaemon +2242 foliocorp FolioRemoteServer +2279 xmquery xmquery +2280 lnvpoller LNVPOLLER +2281 lnvconsole LNVCONSOLE +2282 lnvalarm LNVALARM +2283 lnvstatus LNVSTATUS +2284 lnvmaps LNVMAPS +2285 lnvmailmon LNVMAILMON +2286 nas-metering NAS-Metering +2287 dna DNA +2288 netml NETML +2295 advant-lm AdvantLicenseManager +2296 theta-lm ThetaLicenseManager(Rainbow) +2297 d2k-datamover1 D2KDataMover1 +2298 d2k-datamover2 D2KDataMover2 +2299 pc-telecommute PCTelecommute +2300 cvmmon CVMMON +2301 cpq-wbem CompaqHTTP +2302 binderysupport BinderySupport +2303 proxy-gateway ProxyGateway +2304 attachmate-uts AttachmateUTS +2305 mt-scaleserver MTScaleServer +2306 tappi-boxnet TAPPIBoxNet +2307 pehelp pehelp +2308 sdhelp sdhelp +2309 sdserver SDServer +2310 sdclient SDClient +2311 messageservice MessageService +2313 iapp IAPP(InterAccessPointProtocol) +2314 cr-websystems CRWebSystems +2315 precise-sft PreciseSft. 
+2316 sent-lm SENTLicenseManager +2317 attachmate-g32 AttachmateG32 +2318 cadencecontrol CadenceControl +2319 infolibria InfoLibria +2320 siebel-ns SiebelNS +2321 rdlap RDLAPoverUDP +2322 ofsd ofsd +2323 3d-nfsd 3d-nfsd +2324 cosmocall Cosmocall +2325 designspace-lm DesignSpaceLicenseManagement +2326 idcp IDCP +2327 xingcsm xingcsm +2328 netrix-sftm NetrixSFTM +2329 nvd NVD +2330 tscchat TSCCHAT +2331 agentview AGENTVIEW +2332 rcc-host RCCHost +2333 snapp SNAPP +2334 ace-client ACEClientAuth +2335 ace-proxy ACEProxy +2336 appleugcontrol AppleUGControl +2337 ideesrv ideesrv +2338 norton-lambert NortonLambert +2339 3com-webview 3ComWebView +2340 wrs_registry WRSRegistry +2341 xiostatus XIOStatus +2342 manage-exec SeagateManageExec +2343 nati-logos natilogos +2344 fcmsys fcmsys +2345 dbm dbm +2346 redstorm_join GameConnectionPort +2347 redstorm_find GameAnnouncementandLocation +2348 redstorm_info Informationtoqueryforgamestatus +2349 redstorm_diag DisgnosticsPort +2350 psbserver psbserver +2351 psrserver psrserver +2352 pslserver pslserver +2353 pspserver pspserver +2354 psprserver psprserver +2355 psdbserver psdbserver +2356 gxtelmd GXTLicenseManagemant +2357 unihub-server UniHubServer +2358 futrix Futrix +2359 flukeserver FlukeServer +2389 ovsessionmgr OpenViewSessionMgr +2390 rsmtp RSMTP +2391 3com-net-mgmt 3COMNetManagement +2392 tacticalauth TacticalAuth +2393 ms-olap1 MSOLAP1 +2394 ms-olap2 MSOLAP2 +2395 lan900_remote LAN900Remote +2396 wusage Wusage +2397 ncl NCL +2398 orbiter Orbiter +2399 fmpro-fdal FileMaker,Inc.-DataAccessLayer +2400 opequus-server OpEquusServer +2401 cvspserver cvspserver +2402 taskmaster2000 TaskMaster2000Server +2403 taskmaster2000 TaskMaster2000Web +2404 iec870-5-104 IEC870-5-104 +2405 trc-netpoll TRCNetpoll +2406 jediserver JediServer +2407 orion Orion +2408 optimanet OptimaNet +2409 sns-protocol SNSProtocol +2410 vrts-registry VRTSRegistry +2411 netwave-ap-mgmt NetwaveAPManagement +2412 cdn CDN +2413 orion-rmi-reg orion-rmi-reg +2414 
interlingua Interlingua +2415 comtest COMTEST +2416 rmtserver RMTServer +2417 composit-server CompositServer +2418 cas cas +2419 attachmate-s2s AttachmateS2S +2420 dslremote-mgmt DSLRemoteManagement +2421 g-talk G-Talk +2422 crmsbits CRMSBITS +2423 rnrp RNRP +2424 kofax-svr KOFAX-SVR +2425 fjitsuappmgr FujitsuAppManager +2426 appliantudp AppliantUDP +2427 stgcp SimpletelephonyGatewayControlProtocol +2428 ott OneWayTripTime +2429 ft-role FT-ROLE +2430 venus venus +2431 venus-se venus-se +2432 codasrv codasrv +2433 codasrv-se codasrv-se +2434 pxc-epmap pxc-epmap +2435 optilogic OptiLogic +2436 topx TOP/X +2437 unicontrol UniControl +2438 msp MSP +2439 sybasedbsynch SybaseDBSynch +2440 spearway SpearwayLockser +2441 pvsw-inet pvsw-inet +2442 netangel Netangel +2500 rtsserv ResourceTrackingsystemserver +2501 rtsclient ResourceTrackingsystemclient +2524 optiwave-lm OptiwaveLicenseManagement +2525 ms-v-worlds MSV-Worlds +2526 ema-sent-lm EMALicenseManager +2527 iqserver IQServer +2528 ncr_ccl NCRCCL +2529 utsftp UTSFTP +2530 vrcommerce VRCommerce +2531 ito-e-gui ITO-EGUI +2532 ovtopmd OVTOPMD +2534 combox-web-acc ComboxWebAccess +2564 hp-3000-telnet HP3000NS/VTblockmodetelnet +2592 netrek netrek +2593 mns-mail MNSMailNoticeService +2628 dict DICT +2629 sitaraserver SitaraServer +2630 sitaramgmt SitaraManagement +2631 sitaradir SitaraDir +2632 irdg-post IRdgPost +2633 interintelli InterIntelli +2634 pk-electronics PKElectronics +2635 backburner BackBurner +2636 solve Solve +2637 imdocsvc ImportDocumentService +2638 sybaseanywhere SybaseAnywhere +2639 aminet AMInet +2640 sai_sentlm SabbaghAssociatesLicenceManager +2641 hdl-srv HDLServer +2642 tragic Tragic +2643 gte-samp GTE-SAMP +2644 travsoft-ipx-t TravsoftIPXTunnel +2645 novell-ipx-cmd NovellIPXCMD +2646 and-lm ANDLicenceManager +2647 syncserver SyncServer +2648 upsnotifyprot Upsnotifyprot +2649 vpsipport VPSIPPORT +2650 eristwoguns eristwoguns +2651 ebinsite EBInSite +2652 interpathpanel InterPathPanel +2653 sonus 
Sonus +2654 corel_vncadmin CorelVNCAdmin +2655 unglue UNIXNtGlue +2656 kana Kana +2657 sns-dispatcher SNSDispatcher +2658 sns-admin SNSAdmin +2659 sns-query SNSQuery +2700 tqdata tqdata +2766 listen +2784 www-dev worldwideweb-development +2785 aic-np aic-np +2786 aic-oncrpc aic-oncrpc-DestinyMCDdatabase +2787 piccolo piccolo-CornerstoneSoftware +2788 fryeserv NetWareLoadableModule-SeagateSoftware +2908 mao mao +2909 funk-dialout FunkDialout +2910 tdaccess TDAccess +2911 blockade Blockade +2912 epicon Epicon +2913 boosterware BoosterWare +2914 gamelobby GameLobby +2915 tksocket TKSocket +2916 elvin_server ElvinServer +2917 elvin_client ElvinClient +2918 kastenchasepad KastenChasePad +2971 netclip NetClip +2972 pmsm-webrctl PMSMWebrctl +2973 svnetworks SVNetworks +2974 signal Signal +2975 fjmpcm FujitsuConfigurationManagementService +2998 realsecure RealSecure +3000 hbci HBCI +3001 redwood-broker RedwoodBroker +3002 exlm-agent EXLMAgent +3003 cgms CGMS +3004 csoftragent CsoftAgent +3005 geniuslm GeniusLicenseManager +3006 ii-admin InstantInternetAdmin +3007 lotusmtap LotusMailTrackingAgentProtocol +3008 midnight-tech MidnightTechnologies +3009 pxc-ntfy PXC-NTFY +3010 gw TelerateWorkstation +3011 trusted-web TrustedWeb +3012 twsdss TrustedWebClient +3013 gilatskysurfer GilatSkySurfer +3014 broker_service BrokerService +3015 nati-dstp NATIDSTP +3016 notify_srvr NotifyServer +3017 event_listener EventListener +3018 srvc_registry ServiceRegistry +3019 resource_mgr ResourceManager +3020 cifs CIFS +3021 agriserver AGRIServer +3047 hlserver FastSecurityHLServer +3048 pctrader SierraNetPCTrader +3049 nsws NSWS +3080 stm_pproc stm_pproc +3105 cardbox Cardbox +3106 cardbox-http CardboxHTTP +3130 icpv2 ICPv2 +3131 netbookmark NetBookMark +3141 vmodem VMODEM +3142 rdc-wh-eos RDCWHEOS +3143 seaview SeaView +3144 tarantella Tarantella +3145 csi-lfap CSI-LFAP +3147 rfio RFIO +3180 mc-brk-srv MillicentBrokerServer +3264 ccmail cc:mail/lotus +3265 altav-tunnel AltavTunnel +3266 
ns-cfg-server NSCFGServer +3267 ibm-dial-out IBMDialOut +3268 msft-gc MicrosoftGlobalCatalog +3269 msft-gc-ssl MicrosoftGlobalCatalogwithLDAP/SSL +3270 verismart Verismart +3271 csoft-prev CSoftPrevPort +3272 user-manager FujitsuUserManager +3273 sxmp SimpleExtensibleMultiplexedProtocol +3274 ordinox-server OrdinoxServer +3275 samd SAMD +3276 maxim-asics MaximASICs +3277 awg-proxy AWGProxy +3278 lkcmserver LKCMServer +3279 admind admind +3280 vs-server VSServer +3281 sysopt SYSOPT +3282 datusorb Datusorb +3283 net-assistant NetAssistant +3284 4talk 4Talk +3285 plato Plato +3286 e-net E-Net +3287 directvdata DIRECTVDATA +3288 cops COPS +3289 enpc ENPC +3290 caps-lm CAPSLOGISTICSTOOLKIT-LM +3291 sah-lm SAHolditch&Associates- +3292 cart-o-rama CartORama +3293 fg-fps fg-fps +3294 fg-gip fg-gip +3295 dyniplookup DynamicIPLookup +3296 rib-slm RibLicenseManager +3297 cytel-lm CytelLicenseManager +3298 transview Transview +3299 pdrncs pdrncs +3300 bmcpatrolagent BMCPatrolAgent +3301 bmcpatrolrnvu BMCPatrolRendezvous +3302 mcs-fastmail MCSFastmail +3303 opsession-clnt OPSessionClient +3304 opsession-srvr OPSessionServer +3305 odette-ftp ODETTE-FTP +3306 mysql MySQL +3307 opsession-prxy OPSessionProxy +3308 tns-server TNSServer +3309 tns-adv TNDADV +3310 dyna-access DynaAccess +3311 mcns-tel-ret MCNSTelRet +3312 appman-server ApplicationManagementServer +3313 uorb UnifyObjectBroker +3314 uohost UnifyObjectHost +3315 cdid CDID +3316 aicc-cmi AICC/CMI +3317 vsaiport VSAIPORT +3318 ssrip SwithtoSwithRoutingInformationProtocol +3319 sdt-lmd SDTLicenseManager +3320 officelink2000 OfficeLink2000 +3321 vnsstr VNSSTR +3322 active-net +3323 active-net +3324 active-net +3325 active-net +3326 sftu SFTU +3327 bbars BBARS +3328 egptlm EaglepointLicenseManager +3329 hp-device-disc HPDeviceDisc +3330 mcs-calypsoicf MCSCalypsoICF +3331 mcs-messaging MCSMessaging +3332 mcs-mailsvr MCSMailServer +3333 dec-notes DECNotes +3334 directv-web DirectTVWebcasting +3335 directv-soft 
DirectTVSoftwareUpdates +3336 directv-tick DirectTVTickers +3337 directv-catlg DirectTVDataCatalog +3338 anet-b OMFdatab +3339 anet-l OMFdatal +3340 anet-m OMFdatam +3341 anet-h OMFdatah +3342 webtie WebTIE +3343 ms-cluster-net MSClusterNet +3344 bnt-manager BNTManager +3345 influence Influence +3346 trnsprntproxy TrnsprntProxy +3347 phoenix-rpc PhoenixRPC +3348 pangolin-laser PangolinLaser +3349 chevinservices ChevinServices +3350 findviatv FINDVIATV +3351 btrieve BTRIEVE +3352 ssql SSQL +3353 fatpipe FATPIPE +3354 suitjd SUITJD +3355 ordinox-dbase OrdinoxDbase +3356 upnotifyps UPNOTIFYPS +3357 adtech-test AdtechTestIP +3358 mpsysrmsvr MpSysRmsvr +3359 wg-netforce WGNetForce +3360 kv-server KVServer +3361 kv-agent KVAgent +3362 dj-ilm DJILM +3363 nati-vi-server NATIViServer +3364 creativeserver CreativeServer +3365 contentserver ContentServer +3366 creativepartnr CreativePartner +3367 satvid-dtalnk +3368 satvid-dtalnk +3369 satvid-dtalnk +3370 satvid-dtalnk +3371 satvid-dtalnk +3372 tip2 TIP2 +3373 lavenir-lm LavenirLicenseManager +3374 cluster-disc ClusterDisc +3375 vsnm-agent VSNMAgent +3376 cdbroker CDBroker +3377 cogsys-lm CogsysNetworkLicenseManager +3378 wsicopy WSICOPY +3379 socorfs SOCORFS +3380 sns-channels SNSChannels +3381 geneous Geneous +3382 fujitsu-neat FujitsuNetworkEnhancedAntitheftfunction +3383 esp-lm EnterpriseSoftwareProductsLicenseManager +3384 hp-clic HardwareManagement +3385 qnxnetman qnxnetman +3386 gprs-sig GPRSSIG +3387 backroomnet BackRoomNet +3388 cbserver CBServer +3389 ms-wbt-server MSWBTServer +3390 dsc DistributedServiceCoordinator +3391 savant SAVANT +3392 efi-lm EFILicenseManagement +3393 d2k-tapestry1 D2KTapestryClienttoServer +3394 d2k-tapestry2 D2KTapestryServertoServer +3395 dyna-lm DynaLicenseManager(Elam) +3396 printer_agent PrinterAgent +3397 cloanto-lm CloantoLicenseManager +3398 mercantile Mercantile +3421 bmap BullAppriseportmapper +3454 mira AppleRemoteAccessProtocol +3455 prsvp RSVPPort +3456 vat VATdefaultdata +3457 
vat-control VATdefaultcontrol +3458 d3winosfi DsWinOSFI +3459 integral Integral +3460 edm-manager EDMManger +3461 edm-stager EDMStager +3462 edm-std-notify EDMSTDNotify +3463 edm-adm-notify EDMADMNotify +3464 edm-mgr-sync EDMMGRSync +3465 edm-mgr-cntrl EDMMGRCntrl +3466 workflow WORKFLOW +3563 watcomdebug WatcomDebug +3900 udt_os UnidataUDTOS +3984 mapper-nodemgr MAPPERnetworknodemanager +3985 mapper-mapethd MAPPERTCP/IPserver +3986 mapper-ws_ethd MAPPERworkstationserver +3987 centerline Centerline +4000 terabase Terabase +4001 newoak NewOak +4008 netcheque NetChequeaccounting +4009 chimera-hwm ChimeraHWM +4010 samsung-unidex SamsungUnidex +4011 altserviceboot AlternateServiceBoot +4012 pda-gate PDAGate +4013 acl-manager ACLManager +4014 taiclock TAICLOCK +4045 lockd +4096 bre BRE(BridgeRelayElement) +4132 nuts_dem NUTSDaemon +4133 nuts_bootp NUTSBootpServer +4134 nifty-hmi NIFTY-ServeHMIprotocol +4141 oirtgsvc WorkflowServer +4142 oidocsvc DocumentServer +4143 oidsr DocumentReplication +4200 VRML +4201 VRML +4202 VRML +4203 VRML +4204 VRML +4205 VRML +4206 VRML +4207 VRML +4208 VRML +4209 VRML +4210 VRML +4211 VRML +4212 VRML +4213 VRML +4214 VRML +4215 VRML +4216 VRML +4217 VRML +4218 VRML +4219 VRML +4220 VRML +4221 VRML +4222 VRML +4223 VRML +4224 VRML +4225 VRML +4226 VRML +4227 VRML +4228 VRML +4229 VRML +4230 VRML +4231 VRML +4232 VRML +4233 VRML +4234 VRML +4235 VRML +4236 VRML +4237 VRML +4238 VRML +4239 VRML +4240 VRML +4241 VRML +4242 VRML +4243 VRML +4244 VRML +4245 VRML +4246 VRML +4247 VRML +4248 VRML +4249 VRML +4250 VRML +4251 VRML +4252 VRML +4253 VRML +4254 VRML +4255 VRML +4256 VRML +4257 VRML +4258 VRML +4259 VRML +4260 VRML +4261 VRML +4262 VRML +4263 VRML +4264 VRML +4265 VRML +4266 VRML +4267 VRML +4268 VRML +4269 VRML +4270 VRML +4271 VRML +4272 VRML +4273 VRML +4274 VRML +4275 VRML +4276 VRML +4277 VRML +4278 VRML +4279 VRML +4280 VRML +4281 VRML +4282 VRML +4283 VRML +4284 VRML +4285 VRML +4286 VRML +4287 VRML +4288 VRML +4289 VRML +4290 
VRML +4291 VRML +4292 VRML +4293 VRML +4294 VRML +4295 VRML +4296 VRML +4297 VRML +4298 VRML +4299 VRML +4300 corelccam CorelCCam +4321 rwhois RemoteWhoIs +4343 unicall UNICALL +4344 vinainstall VinaInstall +4345 m4-network-as Macro4NetworkAS +4346 elanlm ELANLM +4347 lansurveyor LANSurveyor +4348 itose ITOSE +4349 fsportmap FileSystemPortMap +4350 net-device NetDevice +4351 plcy-net-svcs PLCYNetServices +4444 krb524 KRB524 +4445 upnotifyp UPNOTIFYP +4446 n1-fwp N1-FWP +4447 n1-rmgmt N1-RMGMT +4448 asc-slmd ASCLicenceManager +4449 privatewire PrivateWire +4450 camp Camp +4451 ctisystemmsg CTISystemMsg +4452 ctiprogramload CTIProgramLoad +4453 nssalertmgr NSSAlertManager +4454 nssagentmgr NSSAgentManager +4455 prchat-user PRChatUser +4456 prchat-server PRChatServer +4457 prRegister PRRegister +4500 sae-urn sae-urn +4501 urn-x-cdchoice urn-x-cdchoice +4545 highscore Highscore +4546 sf-lm SFLicenseManager(Sentinel) +4547 lanner-lm LannerLicenseManager +4672 rfa remotefileaccessserver +4800 iims IconaInstantMessengingSystem +4801 iwec IconaWebEmbeddedChat +4802 ilss IconaLicenseSystemServer +4827 htcp HTCP +4868 phrelay PhotonRelay +4869 phrelaydbg PhotonRelayDebug +4885 abbs ABBS +5000 commplex-main +5001 commplex-link +5002 rfe radiofreeethernet +5003 fmpro-internal FileMaker,Inc.-Proprietarynamebinding +5004 avt-profile-1 avt-profile-1 +5005 avt-profile-2 avt-profile-2 +5010 telelpathstart TelepathStart +5011 telelpathattack TelepathAttack +5020 zenginkyo-1 zenginkyo-1 +5021 zenginkyo-2 zenginkyo-2 +5050 mmcc multimediaconferencecontroltool +5051 ita-agent ITAAgent +5052 ita-manager ITAManager +5060 sip SIP +5145 rmonitor_secure +5150 atmp AscendTunnelManagementProtocol +5190 aol America-Online +5191 aol-1 AmericaOnline1 +5192 aol-2 AmericaOnline2 +5193 aol-3 AmericaOnline3 +5236 padl2sim +5272 pk PK +5300 hacl-hb #HAclusterheartbeat +5301 hacl-gs #HAclustergeneralservices +5302 hacl-cfg #HAclusterconfiguration +5303 hacl-probe #HAclusterprobing +5304 hacl-local 
#HAClusterCommands +5305 hacl-test #HAClusterTest +5306 sun-mc-grp SunMCGroup +5307 sco-aip SCOAIP +5308 cfengine CFengine +5309 jprinter JPrinter +5310 outlaws Outlaws +5311 tmlogin TMLogin +5400 excerpt ExcerptSearch +5401 excerpts ExcerptSearchSecure +5402 mftp MFTP +5403 hpoms-ci-lstn HPOMS-CI-LSTN +5404 hpoms-dps-lstn HPOMS-DPS-LSTN +5405 netsupport NetSupport +5406 systemics-sox SystemicsSox +5407 foresyte-clear Foresyte-Clear +5408 foresyte-sec Foresyte-Sec +5409 salient-dtasrv SalientDataServer +5410 salient-usrmgr SalientUserManager +5411 actnet ActNet +5412 continuus Continuus +5413 wwiotalk WWIOTALK +5414 statusd StatusD +5415 ns-server NSServer +5416 sns-gateway SNSGateway +5417 sns-agent SNSAgent +5418 mcntp MCNTP +5419 dj-ice DJ-ICE +5420 cylink-c Cylink-C +5500 fcp-addr-srvr1 fcp-addr-srvr1 +5501 fcp-addr-srvr2 fcp-addr-srvr2 +5502 fcp-srvr-inst1 fcp-srvr-inst1 +5503 fcp-srvr-inst2 fcp-srvr-inst2 +5504 fcp-cics-gw1 fcp-cics-gw1 +5555 personal-agent PersonalAgent +5599 esinstall EnterpriseSecurityRemoteInstall +5600 esmmanager EnterpriseSecurityManager +5601 esmagent EnterpriseSecurityAgent +5602 a1-msc A1-MSC +5603 a1-bs A1-BS +5604 a3-sdunode A3-SDUNode +5605 a4-sdunode A4-SDUNode +5631 pcanywheredata pcANYWHEREdata +5632 pcanywherestat pcANYWHEREstat +5678 rrac RemoteReplicationAgentConnection +5679 dccm DirectCableConnectManager +5713 proshareaudio proshareconfaudio +5714 prosharevideo proshareconfvideo +5715 prosharedata proshareconfdata +5716 prosharerequest proshareconfrequest +5717 prosharenotify proshareconfnotify +5729 openmail OpenmailUserAgentLayer +5741 ida-discover1 IDADiscoverPort1 +5742 ida-discover2 IDADiscoverPort2 +5745 fcopy-server fcopy-server +5746 fcopys-server fcopys-server +5755 openmailg OpenMailDeskGatewayserver +5757 x500ms OpenMailX.500DirectoryServer +5766 openmailns OpenMailNewMailServer +5767 s-openmail OpenMailSuerAgentLayer(Secure) +5768 openmailpxy OpenMailCMTSServer +6000 X11 +6001 X11 +6002 X11 +6003 X11 +6004 X11 
+6005 X11 +6006 X11 +6007 X11 +6008 X11 +6009 X11 +6010 X11 +6011 X11 +6012 X11 +6013 X11 +6014 X11 +6015 X11 +6016 X11 +6017 X11 +6018 X11 +6019 X11 +6020 X11 +6021 X11 +6022 X11 +6023 X11 +6024 X11 +6025 X11 +6026 X11 +6027 X11 +6028 X11 +6029 X11 +6030 X11 +6031 X11 +6032 X11 +6033 X11 +6034 X11 +6035 X11 +6036 X11 +6037 X11 +6038 X11 +6039 X11 +6040 X11 +6041 X11 +6042 X11 +6043 X11 +6044 X11 +6045 X11 +6046 X11 +6047 X11 +6048 X11 +6049 X11 +6050 X11 +6051 X11 +6052 X11 +6053 X11 +6054 X11 +6055 X11 +6056 X11 +6057 X11 +6058 X11 +6059 X11 +6060 X11 +6061 X11 +6062 X11 +6063 X11 +6110 softcm HPSoftBenchCM +6111 spc HPSoftBenchSub-ProcessControl +6112 dtspcd dtspcd +6123 backup-express BackupExpress +6141 meta-corp MetaCorporationLicenseManager +6142 aspentec-lm AspenTechnologyLicenseManager +6143 watershed-lm WatershedLicenseManager +6144 statsci1-lm StatSciLicenseManager-1 +6145 statsci2-lm StatSciLicenseManager-2 +6146 lonewolf-lm LoneWolfSystemsLicenseManager +6147 montage-lm MontageLicenseManager +6148 ricardo-lm RicardoNorthAmericaLicenseManager +6149 tal-pod tal-pod +6253 crip CRIP +6389 clariion-evr01 clariion-evr01 +6455 skip-cert-recv SKIPCertificateReceive +6456 skip-cert-send SKIPCertificateSend +6471 lvision-lm LVisionLicenseManager +6500 boks BoKSMaster +6501 boks_servc BoKSServc +6502 boks_servm BoKSServm +6503 boks_clntd BoKSClntd +6505 badm_priv BoKSAdminPrivatePort +6506 badm_pub BoKSAdminPublicPort +6507 bdir_priv BoKSDirServer,PrivatePort +6508 bdir_pub BoKSDirServer,PublicPort +6558 xdsxdm +6665 ircu +6666 ircu +6667 ircu +6668 ircu +6669 ircu IRCU +6670 vocaltec-gold VocaltecGlobalOnlineDirectory +6672 vision_server vision_server +6673 vision_elmd vision_elmd +6701 kti-icad-srvr KTI/ICADNameserver +6790 hnmp HNMP +6831 ambit-lm ambit-lm +6969 acmsoda acmsoda +7000 afs3-fileserver fileserveritself +7001 afs3-callback callbackstocachemanagers +7002 afs3-prserver users&groupsdatabase +7003 afs3-vlserver volumelocationdatabase +7004 
afs3-kaserver AFS/Kerberosauthenticationservice +7005 afs3-volser volumemanagmentserver +7006 afs3-errors errorinterpretationservice +7007 afs3-bos basicoverseerprocess +7008 afs3-update server-to-serverupdater +7009 afs3-rmtsys remotecachemanagerservice +7010 ups-onlinet onlinetuninterruptablepowersupplies +7020 dpserve DPServe +7021 dpserveadmin DPServeAdmin +7070 arcp ARCP +7099 lazy-ptop lazy-ptop +7100 font-service XFontService +7121 virprot-lm VirtualPrototypesLicenseManager +7174 clutild Clutild +7200 fodms FODMSFLIP +7201 dlip DLIP +7395 winqedit winqedit +7426 pmdmgr OpenViewDMPostmasterManager +7427 oveadmgr OpenViewDMEventAgentManager +7428 ovladmgr OpenViewDMLogAgentManager +7429 opi-sock OpenViewDMrqtcommunication +7430 xmpv7 OpenViewDMxmpv7apipipe +7431 pmd OpenViewDMovc/xmpv3apipipe +7491 telops-lmd telops-lmd +7511 pafec-lm pafec-lm +7544 nta-ds FlowAnalyzerDisplayServer +7545 nta-us FlowAnalyzerUtilityServer +7570 aries-kfinder AriesKfinder +7588 sun-lm SunLicenseManager +7777 cbt cbt +7781 accu-lmgr accu-lmgr +7932 t2-drm Tier2DataResourceManager +7933 t2-brm Tier2BusinessRulesManager +7980 quest-vista QuestVista +7999 irdmi2 iRDMI2 +8000 irdmi iRDMI +8001 vcom-tunnel VCOMTunnel +8008 http-alt HTTPAlternate +8032 pro-ed ProEd +8033 mindprint MindPrint +8080 http-alt HTTPAlternate(seeport80) +8200 trivnet1 TRIVNET +8201 trivnet2 TRIVNET +8376 cruise-enum CruiseENUM +8377 cruise-swroute CruiseSWROUTE +8378 cruise-config CruiseCONFIG +8379 cruise-diags CruiseDIAGS +8380 cruise-update CruiseUPDATE +8400 cvd cvd +8401 sabarsd sabarsd +8402 abarsd abarsd +8403 admind admind +8450 npmp npmp +8473 vp2p VitualPointtoPoint +8554 rtsp-alt RTSPAlternate(seeport554) +8765 ultraseek-http UltraseekHTTP +8880 cddbp-alt CDDBP +8888 ddi-tcp-1 NewsEDGEserverTCP(TCP1) +8889 ddi-tcp-2 DesktopDataTCP1 +8890 ddi-tcp-3 DesktopDataTCP2 +8891 ddi-tcp-4 DesktopDataTCP3:NESSapplication +8892 ddi-tcp-5 DesktopDataTCP4:FARMproduct +8893 ddi-tcp-6 
DesktopDataTCP5:NewsEDGE/Webapplication +8894 ddi-tcp-7 DesktopDataTCP6:COALapplication +9000 cslistener CSlistener +9006 sctp SCTP +9090 websm WebSM +9535 man +9594 msgsys MessageSystem +9595 pds PingDiscoveryService +9876 sd SessionDirector +9888 cyborg-systems CYBORGSystems +9898 monkeycom MonkeyCom +9992 palace Palace +9993 palace Palace +9994 palace Palace +9995 palace Palace +9996 palace Palace +9997 palace Palace +9998 distinct32 Distinct32 +9999 distinct distinct +10000 ndmp NetworkDataManagementProtocol +10007 mvs-capacity MVSCapacity +11001 metasys Metasys +11367 atm-uhas ATMUHAS +12000 entextxid IBMEnterpriseExtenderSNAXIDExchange +12001 entextnetwk IBMEnterpriseExtenderSNACOSNetwork +12002 entexthigh IBMEnterpriseExtenderSNACOSHigh +12003 entextmed IBMEnterpriseExtenderSNACOSMedium +12004 entextlow IBMEnterpriseExtenderSNACOSLow +12753 tsaf tsafport +13160 i-zipqd I-ZIPQD +13720 bprd BPRDProtocol(VERITASNetBackup) +13721 bpbrm BPBRMProtocol(VERITASNetBackup) +13782 bpcd VERITASNetBackup +13818 dsmcc-config DSMCCConfig +13819 dsmcc-session DSMCCSessionMessages +13820 dsmcc-passthru DSMCCPass-ThruMessages +13821 dsmcc-download DSMCCDownloadProtocol +13822 dsmcc-ccp DSMCCChannelChangeProtocol +14001 itu-sccp-ss7 ITUSCCP(SS7) +17007 isode-dua +17219 chipper Chipper +18000 biimenu BeckmanInstruments,Inc. 
+19541 jcp JCPClient +21845 webphone webphone +21846 netspeak-is NetSpeakCorp.DirectoryServices +21847 netspeak-cs NetSpeakCorp.ConnectionServices +21848 netspeak-acd NetSpeakCorp.AutomaticCallDistribution +21849 netspeak-cps NetSpeakCorp.CreditProcessingSystem +22273 wnn6 wnn6 +22555 vocaltec-wconf VocaltecWebConference +22800 aws-brf TelerateInformationPlatformLAN +22951 brf-gw TelerateInformationPlatformWAN +24000 med-ltp med-ltp +24001 med-fsp-rx med-fsp-rx +24002 med-fsp-tx med-fsp-tx +24003 med-supp med-supp +24004 med-ovw med-ovw +24005 med-ci med-ci +24006 med-net-svc med-net-svc +25000 icl-twobase1 icl-twobase1 +25001 icl-twobase2 icl-twobase2 +25002 icl-twobase3 icl-twobase3 +25003 icl-twobase4 icl-twobase4 +25004 icl-twobase5 icl-twobase5 +25005 icl-twobase6 icl-twobase6 +25006 icl-twobase7 icl-twobase7 +25007 icl-twobase8 icl-twobase8 +25008 icl-twobase9 icl-twobase9 +25009 icl-twobase10 icl-twobase10 +25793 vocaltec-hos VocaltecAddressServer +26000 quake quake +26208 wnn6-ds wnn6-ds +27000 flex-lm +27001 flex-lm FLEXLM(1-10) +27002 flex-lm FLEXLM(1-10) +27003 flex-lm FLEXLM(1-10) +27004 flex-lm FLEXLM(1-10) +27005 flex-lm FLEXLM(1-10) +27006 flex-lm FLEXLM(1-10) +27007 flex-lm FLEXLM(1-10) +27008 flex-lm FLEXLM(1-10) +27009 flex-lm FLEXLM(1-10) +27999 tw-auth-key TWAuthentication/KeyDistributionand +33434 traceroute tracerouteuse +44818 rockwell-encap RockwellEncapsulation +45678 eba EBAPRISE +47557 dbbrowse DatabeamCorporation +47624 directplaysrvr DirectPlayServer +47806 ap ALCProtocol +47808 bacnet BuildingAutomationandControlNetworks diff --git a/contrib/ipfilter/perl/logfilter.pl b/contrib/ipfilter/perl/logfilter.pl new file mode 100644 index 0000000..6ebe401 --- /dev/null +++ b/contrib/ipfilter/perl/logfilter.pl 
@@ -0,0 +1,181 @@
+#!perl.exe
+
+# Author: Chris Grant
+# Copyright 1999, Codetalker Communications, Inc.
+#
+# This script takes a firewall log and breaks it into several
+# different files. Each file is named based on the service that
+# runs on the port that was recognized in log line. After
+# this script has run, you should end up with several files.
+# Of course you will have the original log file and then files
+# such as web.log, telnet.log, pop3.log, imap.log, backorifice.log,
+# netbus.log, and unknown.log.
+#
+# The number of entries in unknown.log should be minimal. The
+# mappings of the port numbers and file names are stored in the bottom
+# of this file in the data section. Simply look at the ports being hit,
+# find out what these ports do, and add them to the data section.
+#
+# You may be wondering why I haven't simply parsed RFC1700 to come up
+# with a list of port numbers and files. The reason is that I don't
+# believe reading firewall logs should be all that automated. You
+# should be familiar with what probes are hitting your system. By
+# manually adding entries to the data section this ensures that I
+# have at least educated myself about what this protocol is, what
+# the potential exposure is, and why you might be seeing this traffic.
+
+%icmp = ();
+%udp = ();
+%tcp = ();
+%openfiles = ();
+$TIDBITSFILE = "unknown.log";
+
+# Read the ports data from the end of this file and build the three hashes
+while (<DATA>) {
+ chomp; # trim the newline
+ s/#.*//; # no comments
+ s/^\s+//; # no leading white
+ s/\s+$//; # no trailing white
+ next unless length; # anything left?
+ $_ = lc; # switch to lowercase
+ ($proto, $identifier, $filename) = m/(\S+)\s+(\S+)\s+(\S+)/;
+ SWITCH: {
+ if ($proto =~ m/^icmp$/) { $icmp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^udp$/) { $udp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^tcp$/) { $tcp{$identifier} = $filename; last SWITCH; };
+ die "An unknown protocol listed in the proto defs\n$_\n";
+ }
+}
+
+$filename = shift;
+unless (defined($filename)) { die "Usage: logfilter.pl <log file>\n"; }
+open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";
+$openfiles{$filename} = "LOGFILE";
+
+$linenum = 0;
+while($line = <LOGFILE>) {
+
+ chomp($line);
+ $linenum++;
+
+ # determine the protocol - send to unknown.log if not found
+ SWITCH: {
+
+ ($line =~ m /\sicmp\s/) && do {
+
+ #
+ # ICMP Protocol
+ #
+ # Extract the icmp packet information specifying the type.
+ #
+ # Note: Must check for ICMP first because this may be an ICMP reply
+ # to a TCP or UDP connection (eg Port Unreachable).
+
+ ($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\stcp\s/) && do {
+
+ #
+ # TCP Protocol
+ #
+ # extract the source and destination ports and compare them to
+ # known ports in the tcp hash. For the first match, place this
+ # line in the file specified by the tcp hash. Ignore one of the
+ # port matches if both ports happen to be known services.
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+ #print "$line\n" unless (defined($sport) && defined($dport));
+
+ $filename = $TIDBITSFILE;
+ $filename = $tcp{$sport} if (defined($tcp{$sport}));
+ $filename = $tcp{$dport} if (defined($tcp{$dport}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\sudp\s/) && do {
+
+ #
+ # UDP Protocol - same procedure as with TCP, different hash
+ #
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $udp{$sport} if (defined($udp{$sport}));
+ $filename = $udp{$dport} if (defined($udp{$dport}));
+
+ last SWITCH;
+ };
+
+ #
+ # The default case is that the protocol was unknown
+ #
+ $filename = $TIDBITSFILE;
+ }
+
+ #
+ # write the line to the appropriate file as determined above
+ #
+ # check for filename in the openfiles hash. if it exists then write
+ # to the given handle. otherwise open a handle to the file and add
+ # it to the hash of open files.
+
+ if (defined($openfiles{$filename})) {
+ $handle = $openfiles{$filename};
+ } else {
+ $handle = "HANDLE" . keys %openfiles;
+ open ($handle, ">>".$filename) || die "Couldn't open|create the file $filename";
+ $openfiles{$filename} = $handle;
+ }
+ print $handle "#$linenum\t $line\n";
+
+}
+
+# close all open file handles
+
+foreach $key (keys %openfiles) {
+ close($openfiles{$key});
+}
+
+close(LOGFILE);
+
+__DATA__
+icmp 3 destunreach.log
+icmp 8 ping.log
+icmp 9 router.log
+icmp 10 router.log
+icmp 11 ttl.log
+tcp 23 telnet.log
+tcp 25 smtp.log
+udp 25 smtp.log
+udp 53 dns.log
+tcp 80 http.log
+tcp 110 pop3.log
+tcp 111 rpc.log
+udp 111 rpc.log
+tcp 137 netbios.log
+udp 137 netbios.log
+tcp 143 imap.log
+udp 161 snmp.log
+udp 370 backweb.log
+udp 371 backweb.log
+tcp 443 https.log
+udp 443 https.log
+udp 512 syslog.log
+tcp 635 nfs.log # NFS mount services
+udp 635 nfs.log # NFS mount services
+tcp 1080 socks.log
+udp 1080 socks.log
+tcp 6112 games.log # Battle net
+tcp 6667 irc.log
+tcp 7070 realaudio.log
+tcp 8080 http.log
+tcp 12345 netbus.log
+udp 31337 backorifice.log
\ No newline at end of file
diff --git a/contrib/ipfilter/perl/plog b/contrib/ipfilter/perl/plog
new file mode 100644
index 0000000..8f3f73c
--- /dev/null
+++ b/contrib/ipfilter/perl/plog
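Review bot: The TCP and UDP branches fall back to the remote end's source port when the destination port is not in the table (`$filename = $tcp{$sport} if (defined($tcp{$sport}));` runs before the `$dport` lookup and is only overridden when `$dport` is also known), so a probe sent from source port 53, 80 or 25 to an unlisted port is filed under dns.log/smtp.log/http.log instead of unknown.log, which is exactly the traffic the header comment says the reader should be studying. The source port in an ipmon line is whatever the peer chose, so it should not be trusted for classification; either drop the `$sport` lookup and classify inbound probes by destination only, or at least add `# NOTE: a spoofed well-known source port steers a probe into a service log, not unknown.log` above those lines so the reader knows to check both. Separately, `open(LOGFILE, $filename)` is a two-argument open on the command-line argument, so a name beginning with `>` or `|` is interpreted as a mode or pipe; `open(LOGFILE, '<', $filename) || die "Could not open the firewall log file.\n";` avoids that. The port regexes also only match numeric `a.b.c.d,port` fields, so logs written with hostnames or service names land silently in unknown.log (the diagnostic print on that path is commented out) — worth stating in the header comment.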
@@ -0,0 +1,653 @@ +#!/usr/bin/perl -wT +# +# Author: Jefferson Ogata <jogata@nodc.noaa.gov> +# Date: 1998/11/01 +# Version: 0.4 +# +# Please feel free to use or redistribute this program if you find it useful. +# If you have suggestions, or even better, bits of new code, send them to me +# and I will add them when I have time. The current version of this script +# can always be found at the URL: +# +# http://pobox.com/~ogata/webtools/plog.txt +# +# Parse ipmon output into a coherent form. This program only handles the +# lines regarding filter actions. It does not parse nat and state lines. +# +# Present lines from ipmon to this program on standard input. One way I +# often use is: +# grep ' b ' logfile | plog +# since a ' b ' sequence indicates a blocked packet. +# +# TODO: +# - Handle output from ipmon -v. +# - Handle timestamps from other locales. Anyone with a timestamp problem +# please email me the format of your timestamps. +# +# CHANGES: +# 1999/05/03: +# - Now accepts hostnames in the source and destination address fields, as +# well as port names in the port fields. This allows the people who are +# using ipmon -n to still use plog. Note that if you are logging +# hostnames, you are vulnerable to forgery of DNS information, modified +# DNS information, and your log files will be larger also. If you are +# using this program you can have it look up the names for you (still +# vulnerable to forgery) and keep your addresses all in numeric format, +# so that packets from the same source will always show the same source +# address regardless of what's up with DNS. Nevertheless, some people +# wanted this, so here it is. +# - Added S and n flags to %acts hash. Thanks to Stephen J. Roznowski +# <sjr@home.net>. +# - Stopped reporting host IPs twice when numeric output was requested. +# Thanks, yet again, to Stephen J. Roznowski <sjr@home.net>. +# - Number of minor tweaks that might speed it up a bit, and some comments. +# - Put the script back up on the web site. 
I moved the site and forgot to +# move the tool. +# 1999/02/04: +# - Changed log line parser to accept fully-qualified name in the logging +# host field. Thanks to Stephen J. Roznowski <sjr@home.net>. +# 1999/01/22: +# - Changed high port strategy to use 65536 for unknown high ports so that +# they are sorted last. +# 1999/01/21: +# - Moved icmp parsing to output loop. +# - Added parsing of icmp codes, and more types. +# - Changed packet sort routine to sort by port number rather than service +# name. +# 1999/01/20: +# - Fixed problem matching ipmon log lines. Sometimes they have "/ipmon" in +# them, sometimes just "ipmon". +# - Added numeric parse option to turn off hostname lookups. +# - Moved summary to usage() sub. + +use strict; +use Socket; + +select STDOUT ; $| = 1 ; + +my %hosts; + +my $me = $0; +$me =~ s/^([^\/]*\/)*//; + +my $numeric = 0; + +# Under IPv4 port numbers are unsigned shorts. The value below is higher +# than the maximum value of an unsigned port, and is used in place of +# high port numbers that don't correspond to known services. This makes +# high ports get sorted behind all others. +my $highPort = 0x10000; + +# Map of log codes for various actions. Not all of these can occur, but +# I've included everything in print_ipflog() from ipmon.c. +my %acts = ( + 'p' => 'pass', + 'P' => 'pass', + 'b' => 'block', + 'B' => 'block', + 'L' => 'log', + 'S' => 'short', + 'n' => 'nomatch', +); + +while (defined ($_ = shift)) +{ + if (s/^-//) + { + $numeric += s/n//g; + &usage (0) if (s/[h\?]//g); + &usage (1) if (length ($_)); + next; + } + &usage (1); +} + +while (<STDIN>) +{ + chomp; + + # For ipmon output that came through syslog, we'll have an asctime + # timestamp, hostname, "ipmon"[process id]: prefixed to the line. For + # output that was written directly to a file by ipmon, we'll have a date + # prefix as dd/mm/yyyy (no y2k problem here!). Both formats then have a + # packet timestamp and the log info. 
+ my ($time, $log); + if (/^(\w+\s+\d+\s+\d+:\d+:\d+)\s+([\w\.]+)\s+\S*ipmon\[\d+\]:\s+(\d+:\d+:\d+\.\d+)\s+(.+)/) + { + my ($logtime, $loghost); + ($logtime, $loghost, $time, $log) = ($1, $2, $3, $4); + } + elsif (/^(\d+\/\d+\/\d+)\s+(\d+:\d+:\d+\.\d+)\s+(.+)$/) + { + my $logdate; + ($logdate, $time, $log) = ($1, $2, $3); + } + else + { + # It don't look like no ipmon output to me, baby. + next; + } + next unless (defined ($log)); + + # Parse the log line. We're expecting interface name, rule group and + # number, an action code, a source host name or IP with possible port + # name or number, a destination host name or IP with possible port + # number, "PR", a protocol name or number, "len", a header length, a + # packet length, and maybe some additional info. + $log =~ /^(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([a-zA-Z0-9\-\.,]+)\s+->\s+([a-zA-Z0-9\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+(\d+)\s*(.*)$/; + my ($if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more) + = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10); + unless (defined ($len)) + { + warn ("Bad input line at $.: \"$_\""); + next; + } + + my ($sport, $dport); + + if ($proto eq 'icmp') + { + if ($more =~ s/^icmp (\d+)\/(\d+)\s*//) + { + # We save icmp type and code in both sport and dport. + $dport = $sport = "$1.$2"; + } + else + { + $sport = ''; + $dport = ''; + } + } + else + { + $sport = (($src =~ s/,(\w+)$//) ? &portSimplify ($1, $proto) : ''); + $dport = (($dest =~ s/,(\w+)$//) ? &portSimplify ($1, $proto) : ''); + } + + # Make sure addresses are numeric at this point. We want to sort by + # IP address later. This has got to do some weird things, but if you + # want to use ipmon -n, be ready for weirdness. + $src = &hostNumber ($src); + $dest = &hostNumber ($dest); + + # Convert proto to proto number. + $proto = &protoNumber ($proto); + + sub countPacket + { + my ($host, $dir, $peer, $proto, $packet) = @_; + + # Make sure host is in the hosts hash. 
+ $hosts{$host} = + +{ + 'out' => +{ }, + 'in' => +{ }, + } unless (exists ($hosts{$host})); + + # Get the incoming/outgoing traffic hash for the host in question. + my $trafficHash = $hosts{$host}->{$dir}; + + # Make sure there's a hash for the peer. + $trafficHash->{$peer} = +{ } unless (exists ($trafficHash->{$peer})); + + # Make sure the peer hash has a hash for the protocol number. + my $peerHash = $trafficHash->{$peer}; + $peerHash->{$proto} = +{ } unless (exists ($peerHash->{$proto})); + + # Make sure there's a counter for this packet type in the proto hash. + my $protoHash = $peerHash->{$proto}; + $protoHash->{$packet} = 0 unless (exists ($protoHash->{$packet})); + + # Increment the counter. + ++$protoHash->{$packet}; + } + + # Count the packet as outgoing traffic from the source address. + &countPacket ($src, 'out', $dest, $proto, "$sport:$dport:$if:$act"); + + # Count the packet as incoming traffic to the destination address. + &countPacket ($dest, 'in', $src, $proto, "$dport:$sport:$if:$act"); +} + +my $dir; +foreach $dir (qw(out in)) +{ + my $order = ($dir eq 'out' ? 'source' : 'destination'); + my $arrow = ($dir eq 'out' ? '->' : '<-'); + + print "### Traffic by $order address:\n"; + + sub ipSort + { + my @a = split (/\./, $a); + my @b = split (/\./, $b); + $a[0] != $b[0] ? $a[0] <=> $b[0] + : $a[1] != $b[1] ? $a[1] <=> $b[1] + : $a[2] != $b[2] ? $a[2] <=> $b[2] + : $a[3] != $b[3] ? $a[3] <=> $b[3] + : 0; + } + + my $host; + foreach $host (sort ipSort (keys %hosts)) + { + my $traffic = $hosts{$host}->{$dir}; + + # Skip hosts with no traffic. 
+ next unless (scalar (keys (%{$traffic}))); + + if ($numeric) + { + print " $host\n"; + } + else + { + print " ", &hostName ($host), " \[$host\]\n"; + } + + my $peer; + foreach $peer (sort ipSort (keys %{$traffic})) + { + my $peerHash = $traffic->{$peer}; + my $peerName = &hostName ($peer); + my $proto; + foreach $proto (sort (keys (%{$peerHash}))) + { + my $protoHash = $peerHash->{$proto}; + my $protoName = &protoName ($proto); + + sub packetSort + { + my ($asport, $adport, $aif, $aact) = split (/:/, $a); + my ($bsport, $bdport, $bif, $bact) = split (/:/, $b); + return $bact cmp $aact if ($aact ne $bact); + return $aif cmp $bif if ($aif ne $bif); + return $asport <=> $bsport if ($asport != $bsport); + return $adport <=> $bdport if ($adport != $bdport); + } + + my $packet; + foreach $packet (sort packetSort (keys %{$protoHash})) + { + my ($sport, $dport, $if, $act) = split (/:/, $packet); + my $count = $protoHash->{$packet}; + $act = '?' unless (defined ($act = $acts{$act})); + if (($protoName eq 'tcp') || ($protoName eq 'udp')) + { + printf (" %-6s %7s %5d %6s %14s %2s %s.%s\n", $if, $act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &portName ($dport, $protoName)); + } + elsif ($protoName eq 'icmp') + { + printf (" %-6s %7s %5d %6s %14s %2s %s\n", $if, $act, $count, $protoName, &icmpType ($sport), $arrow, $peerName); + } + else + { + printf (" %-6s %7s %5d %6s %14s %2s %s\n", $if, $act, $count, $protoName, '', $arrow, $peerName); + } + } + } + } + } + + print "\n\n"; +} + +exit (0); + +# We use this hash to cache port name -> number and number -> name mappings. +# Isn't is cool that we can use the same hash for both? +my %pn; + +# Translates a numeric port/named protocol to a port name. Reserved ports +# that do # not have an entry in the services database are left numeric. +# High ports that do not have an entry in the services database are mapped +# to '<high>'. 
+sub portName +{ + my $port = shift; + my $proto = shift; + my $pname = "$port/$proto"; + unless (exists ($pn{$pname})) + { + my $name = getservbyport ($port, $proto); + $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? $port : '<high>')); + } + return $pn{$pname}; +} + +# Translates a named port/protocol to a port number. +sub portNumber +{ + my $port = shift; + my $proto = shift; + my $pname = "$port/$proto"; + unless (exists ($pn{$pname})) + { + my $number = getservbyname ($port, $proto); + unless (defined ($number)) + { + # I don't think we need to recover from this. How did the port + # name get into the log file if we can't find it? Log file from + # a different machine? Fix /etc/services on this one if that's + # your problem. + die ("Unrecognized port name \"$port\" at $."); + } + $pn{$pname} = $number; + } + return $pn{$pname}; +} + +# Convert all unrecognized high ports to the same value so they are treated +# identically. The protocol should be by name. +sub portSimplify +{ + my $port = shift; + my $proto = shift; + + # Make sure port is numeric. + $port = &portNumber ($port, $proto) + unless ($port =~ /^\d+$/); + + # Look up port name. + my $portName = &portName ($port, $proto); + + # Port is an unknown high port. Return a value that is too high for a + # port number, so that high ports get sorted last. + return $highPort if ($portName eq '<high>'); + + # Return original port number. + return $port; +} + +# Again, we can use the same hash for both host name -> IP mappings and +# IP -> name mappings. +my %ip; + +# Translates a dotted quad into a hostname. Don't pass names to this +# function. +sub hostName +{ + my $ip = shift; + return $ip if ($numeric); + unless (exists ($ip{$ip})) + { + my $addr = inet_aton ($ip); + my $name = gethostbyaddr ($addr, AF_INET); + if (defined ($name)) + { + $ip{$ip} = $name; + + # While we're at it, cache the forward lookup. + $ip{$name} = $ip; + } + else + { + # Just map the IP address to itself. 
There's no reverse. + $ip{$ip} = $ip; + } + } + return $ip{$ip}; +} + +# Translates a hostname or dotted quad into a dotted quad. +sub hostNumber +{ + my $name = shift; + if ($name =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) + { + # Return original value for dotted quads. + my $or = int ($1) | int ($2) | int ($3) | int ($4); + return $name if ($or == ($or & 0xff)); + } + unless (exists ($ip{$name})) + { + my $addr = inet_aton ($name); + unless (defined ($addr)) + { + # Again, I don't think we need to recover from this. If we can't + # resolve a hostname that ended up in the log file, punt. We + # want to be able to sort hosts by IP address later, and letting + # hostnames through will snarl up that code. Users of ipmon -n + # will have to grin and bear it for now. + die ("Unable to resolve host \"$name\" at $."); + } + my $ip = inet_ntoa ($addr); + $ip{$name} = $ip; + + # While we're at it, cache the reverse lookup. + $ip{$ip} = $name; + } + return $ip{$name}; +} + +# Hash for protocol number <--> name mappings. +my %pr; + +# Translates a protocol number into a protocol name, or a number if no name +# is found in the protocol database. +sub protoName +{ + my $code = shift; + return $code if ($code !~ /^\d+$/); + unless (exists ($pr{$code})) + { + my $name = scalar (getprotobynumber ($code)); + if (defined ($name)) + { + $pr{$code} = $name; + } + else + { + $pr{$code} = $code; + } + } + return $pr{$code}; +} + +# Translates a protocol name or number into a protocol number. 
+sub protoNumber +{ + my $name = shift; + return $name if ($name =~ /^\d+$/); + unless (exists ($pr{$name})) + { + my $code = scalar (getprotobyname ($name)); + if (defined ($code)) + { + $pr{$name} = $code; + } + else + { + $pr{$name} = $name; + } + } + return $pr{$name}; +} + +sub icmpType +{ + my %icmp = ( + 0 => +{ + name => 'echo-reply', + codes => +{0 => undef}, + }, + 3 => +{ + name => 'dest-unr', + codes => +{ + 0 => 'net', + 1 => 'host', + 2 => 'proto', + 3 => 'port', + 4 => 'need-frag', + 5 => 'no-sroute', + 6 => 'net-unk', + 7 => 'host-unk', + 8 => 'shost-isol', + 9 => 'net-proh', + 10 => 'host-proh', + 11 => 'net-tos', + 12 => 'host-tos', + }, + }, + 4 => +{ + name => 'src-quench', + codes => +{0 => undef}, + }, + 5 => +{ + name => 'redirect', + codes => +{ + 0 => 'net', + 1 => 'host', + 2 => 'tos', + 3 => 'tos-host', + }, + }, + 6 => +{ + name => 'alt-host-addr', + codes => +{0 => undef}, + }, + 8 => +{ + name => 'echo', + codes => +{0 => undef}, + }, + 9 => +{ + name => 'rtr-advert', + codes => +{0 => undef}, + }, + 10 => +{ + name => 'rtr-select', + codes => +{0 => undef}, + }, + 11 => +{ + name => 'time-excd', + codes => +{ + 0 => 'in-transit', + 1 => 'frag-assy', + }, + }, + 12 => +{ + name => 'param-prob', + codes => +{ + 0 => 'ptr-err', + 1 => 'miss-opt', + 2 => 'bad-len', + }, + }, + 13 => +{ + name => 'time', + codes => +{0 => undef}, + }, + 14 => +{ + name => 'time-reply', + codes => +{0 => undef}, + }, + 15 => +{ + name => 'info', + codes => +{0 => undef}, + }, + 16 => +{ + name => 'info-req', + codes => +{0 => undef}, + }, + 17 => +{ + name => 'mask-req', + codes => +{0 => undef}, + }, + 18 => +{ + name => 'mask-reply', + codes => +{0 => undef}, + }, + 31 => +{ + name => 'dgram-conv-err', + codes => +{ }, + }, + 32 => +{ + name => 'mbl-host-redir', + codes => +{ }, + }, + 33 => +{ + name => 'ipv6-whereru?', + codes => +{ }, + }, + 34 => +{ + name => 'ipv6-iamhere', + codes => +{ }, + }, + 35 => +{ + name => 'mbl-reg-req', + codes => +{ }, + 
}, + 36 => +{ + name => 'mbl-reg-rep', + codes => +{ }, + }, + ); + + my $typeCode = shift; + my ($type, $code) = split ('\.', $typeCode); + + return "?" unless (defined ($code)); + + my $info = $icmp{$type}; + + return "\(type=$type/$code?\)" unless (defined ($info)); + + my $typeName = $info->{name}; + my $codeName; + if (exists ($info->{codes}->{$code})) + { + $codeName = $info->{codes}->{$code}; + $codeName = (defined ($codeName) ? "/$codeName" : ''); + } + else + { + $codeName = "/$code"; + } + return "$typeName$codeName"; +} + +sub usage +{ + my $ec = shift; + + print STDERR <<EOT; +usage: $me [-n] + +Parses logging from ipmon and presents it in a comprehensible format. +This program generates two tables: one organized by source address and +another organized by destination address. For the first table, source +addresses are sorted by IP address. For each address, all packets +originating at the address are presented in a tabular form, where all +packets with the same source and destination address and port are counted +as a single entry. The packet count for each entry is shown as the third +field. In addition, any port number greater than 1024 that doesn't match +an entry in the services table is treated as a "high" port, and high ports +are coalesced into the same entry. The entry fields for the source address +table are: + + iface action packet-count proto src-port dest-ip dest-port + +The entry fields for the destination table are: + + iface action packet-count proto dest-port src-ip src-port + +If the -n option is given, reverse hostname lookups are disabled and all +hosts are displayed as numeric addresses. + +Note: if you are logging traffic with ipmon -n, ipmon will already have +looked up and logged addresses as hostnames where possible. This has an +important side effect: this program will translate the hostnames back into +IP addresses which may not match the original addresses of the logged +packets because of numerous DNS issues. 
If you care about where packets +are really coming from, you simply cannot rely on ipmon -n. An attacker +with control of his reverse DNS can map the reverse lookup to anything he +likes. If you haven't logged the numeric IP address, there's no way to +discover the source of an attack reliably. For this reason, I strongly +recommend that you run ipmon without the -n option, and use this or a +similar script to do reverse lookups during analysis, rather than during +logging. +EOT + + exit ($ec); +} + diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT index 31bf1b3..df041d1 100644 --- a/contrib/ipfilter/rules/BASIC.NAT +++ b/contrib/ipfilter/rules/BASIC.NAT @@ -1,6 +1,6 @@ #!/sbin/ipnat -f - # -# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2 +# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3 # # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32 # diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW index 42d2792..d2bd60a 100644 --- a/contrib/ipfilter/rules/BASIC_1.FW +++ b/contrib/ipfilter/rules/BASIC_1.FW @@ -2,7 +2,7 @@ # # SAMPLE: RESTRICTIVE FILTER RULES # -# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2 +# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3 # # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32 # diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW index b966dfb..46564f0 100644 --- a/contrib/ipfilter/rules/BASIC_2.FW +++ b/contrib/ipfilter/rules/BASIC_2.FW @@ -2,7 +2,7 @@ # # SAMPLE: PERMISSIVE FILTER RULES # -# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2 +# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3 # # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32 # 
@@ -56,7 +56,7 @@ pass out quick on lo0 all # # Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc) # -pass in log quick proto tcp all SA flags S/SA keep state group 200 +pass in log quick proto tcp all flags S/SA keep state group 200 # # Support all UDP `connections' initiated from inside. # diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1 index 604346e..ff93f49 100644 --- a/contrib/ipfilter/rules/example.1 +++ b/contrib/ipfilter/rules/example.1 @@ -1,4 +1,4 @@ # -# block all incoming TCP packets on le0 from host "foo" to any destination. +# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination. # -block in on le0 proto tcp from foo/32 to any +block in on le0 proto tcp from 10.1.1.1/32 to any diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11 index 7fc26eb..c6b4e7f 100644 --- a/contrib/ipfilter/rules/example.11 +++ b/contrib/ipfilter/rules/example.11 @@ -2,12 +2,12 @@ # allow any TCP packets from the same subnet as foo is on through to host # 10.1.1.2 if they are destined for port 6667. # -pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667 +pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667 # # allow in UDP packets which are NOT from port 53 and are destined for # localhost # -pass in proto udp from fubar port != 53 to localhost +pass in proto udp from 10.2.2.2 port != 53 to localhost # # block anything trying to get to X terminal ports, X:0 to X:9 # diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13 index df13d0a..854f07f 100644 --- a/contrib/ipfilter/rules/example.13 +++ b/contrib/ipfilter/rules/example.13 
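Review bot: In example.11 the comment above the first changed rule still says the source is "the same subnet as foo is on", but the rule now reads `pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667`, so the example no longer explains itself; the comment should name the address, e.g. `# allow any TCP packets from the 10.2.2.0/24 subnet through to host`. example.5 has the same drift: `# allow packets coming from foo to bar through.` now sits above `pass in from 10.1.1.2 to 10.2.1.1`, and its "same subnet as foo" comment above the `10.2.2.2/24` rule too. Since these files are the documentation, the prose and the rule should agree.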
@@ -1,17 +1,17 @@ # -# Log all short TCP packets to qe3, with "packetlog" as the intended +# Log all short TCP packets to qe3, with 10.3.3.3 as the intended # destination for the packet. # -block in to qe3:packetlog proto tcp all with short +block in on qe0 to qe3:10.3.3.3 proto tcp all with short # # Log all connection attempts for TCP # -pass in dup-to le0:packetlog proto tcp all flags S/SA +pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA # # Route all UDP packets through transparently. # -pass in fastroute proto udp all +pass in on ppp0 fastroute proto udp all # -# Route all ICMP packets to network 10 out through le1, to "router" +# Route all ICMP packets to network 10 out through le1, to 10.3.3.1 # -pass in to le1:router proto icmp all +pass in on le0 to le1:10.3.3.1 proto icmp all diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2 index 8d8fe57..4f81725 100644 --- a/contrib/ipfilter/rules/example.2 +++ b/contrib/ipfilter/rules/example.2 @@ -1,4 +1,5 @@ # -# block all outgoing TCP packets on le0 from any host to port 23 of host bar. +# block all outgoing TCP packets on le0 from any host to port 23 of +# host 10.1.1.2 # -block out on le0 proto tcp from any to bar/32 port = 23 +block out on le0 proto tcp from any to 10.1.1.3/32 port = 23 diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5 index 6e122e0..6d688b5 100644 --- a/contrib/ipfilter/rules/example.5 +++ b/contrib/ipfilter/rules/example.5 
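Review bot: In example.2 the rewritten comment says the destination is `host 10.1.1.2` while the rule on the next line blocks traffic to `10.1.1.3/32`; one of the two is wrong, and a reader copying the example will block the wrong host. Make them agree, e.g. `# host 10.1.1.3`, or change the rule to `10.1.1.2/32` if that was the intent.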
@@ -3,23 +3,23 @@ # # allow packets coming from foo to bar through. # -pass from foo to bar +pass in from 10.1.1.2 to 10.2.1.1 # # allow any TCP packets from the same subnet as foo is on through to host # 10.1.1.2 if they are destined for port 6667. # -pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667 +pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667 # # allow in UDP packets which are NOT from port 53 and are destined for # localhost # -pass proto udp from fubar port != 53 to localhost +pass in proto udp from 10.2.2.2 port != 53 to localhost # # block all ICMP unreachables. # -block from any to any icmp unreach +block in proto icmp from any to any icmp-type unreach # # allow packets through which have a non-standard IP header length (ie there # are IP options such as source-routing present). # -pass from any to any with ipopts +pass in from any to any with ipopts diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall index af9cf98..681a81d 100644 --- a/contrib/ipfilter/rules/firewall +++ b/contrib/ipfilter/rules/firewall @@ -33,7 +33,7 @@ where * "int-net" is the internal network IP# subnet address range. This might be something like 10.1.0.0/16, or 128.33.1.0/24 -* "ext-service" is the service to which you which to connect or if it doesn't +* "ext-service" is the service to which you wish to connect or if it doesn't have a proper name, a number can be used. The translation of "ext-service" as a name to a number is controlled with the /etc/services file. diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy index a13ef1c..cafeeb6 100644 --- a/contrib/ipfilter/rules/ftp-proxy +++ b/contrib/ipfilter/rules/ftp-proxy 
@@ -20,7 +20,7 @@ Lets assume your network diagram looks something like this: and IP Filter is running on host B. If you want to proxy FTP from A to C then you would do: -map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp +map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp int-c = name of "interface c" ipaddr-a = ip# of interface a @@ -31,7 +31,7 @@ e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0 which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was 203.45.67.90, you would do: -map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp +map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp where: ipaddr-a = 10.1.1.1 diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server index 5eafc7c..f2fb204 100644 --- a/contrib/ipfilter/rules/server +++ b/contrib/ipfilter/rules/server @@ -6,6 +6,6 @@ # or # pass in quick on le0 from 128.1.40.0/24 to any -block in quick log on le0 from any to any -block in quick log on le1 from 128.1.1.0/24 to any +block in log quick on le0 from any to any +block in log quick on le1 from 128.1.1.0/24 to any pass in quick on le1 from any to any diff --git a/contrib/ipfilter/samples/ipfilter-pb.gif b/contrib/ipfilter/samples/ipfilter-pb.gif Binary files differnew file mode 100644 index 0000000..afaefa8 --- /dev/null +++ b/contrib/ipfilter/samples/ipfilter-pb.gif diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h index 4e42bec..c5b2c88 100644 --- a/contrib/ipfilter/snoop.h +++ b/contrib/ipfilter/snoop.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given 
@@ -11,7 +11,7 @@ /* * written to comply with the RFC (1761) from Sun. - * $Id: snoop.h,v 2.0.2.5 1997/09/28 07:12:11 darrenr Exp $ + * $Id: snoop.h,v 2.1 1999/08/04 17:30:19 darrenr Exp $ */ struct snoophdr { char s_id[8]; diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index fe2a243..b1cb19b 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -1,12 +1,12 @@ /* - * Copyright (C) 1993-1997 by Darren Reed. + * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.4 1998/02/28 02:35:21 darrenr Exp $"; +#pragma ident "@(#)$Id: solaris.c,v 2.1.2.5 1999/10/15 13:49:44 darrenr Exp $"; #include <sys/systm.h> #include <sys/types.h> @@ -27,6 +27,9 @@ #include <sys/autoconf.h> #include <sys/byteorder.h> #include <sys/socket.h> +#include <sys/dlpi.h> +#include <sys/stropts.h> +#include <sys/sockio.h> #include <net/if.h> #include <net/af.h> #include <net/route.h> @@ -46,6 +49,7 @@ #include "ip_fil.h" #include "ip_nat.h" + char _depends_on[] = "drv/ip"; @@ -56,13 +60,14 @@ void solattach __P((void)); int soldetach __P((void)); extern struct filterstats frstats[]; -extern kmutex_t ipf_mutex, ipfs_mutex, ipf_nat; +extern KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_nat, ipf_solaris; +extern kmutex_t ipf_rw; +extern int fr_running; extern int fr_flags; extern ipnat_t *nat_list; static qif_t *qif_head = NULL; - static int ipf_getinfo __P((dev_info_t *, ddi_info_cmd_t, void *, void **)); static int ipf_probe __P((dev_info_t *)); 
@@ -71,9 +76,22 @@ static int ipf_attach __P((dev_info_t *, ddi_attach_cmd_t)); static int ipf_detach __P((dev_info_t *, ddi_detach_cmd_t)); static qif_t *qif_from_queue __P((queue_t *)); static void fr_donotip __P((int, qif_t *, queue_t *, mblk_t *, - mblk_t *, ip_t *, int)); + mblk_t *, ip_t *, size_t)); static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, NULL }; +static int (*ipf_ip_inp) __P((queue_t *, mblk_t *)) = NULL; + + +#if SOLARIS2 >= 7 +extern void ipfr_slowtimer __P((void *)); +timeout_id_t ipfr_timer_id; +static timeout_id_t synctimeoutid = 0; +#else +extern void ipfr_slowtimer __P((void)); +int ipfr_timer_id; +static int synctimeoutid = 0; +#endif + #ifdef IPFDEBUG void printire __P((ire_t *)); #endif 
@@ -127,46 +145,54 @@ static dev_info_t *ipf_dev_info = NULL; int _init() { -#ifdef IPFDEBUG - int ipfinst = mod_install(&modlink1); + int ipfinst; + if (fr_running < 0) + return -1; + ipfinst = mod_install(&modlink1); +#ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: _init() = %d\n", ipfinst); - return ipfinst; -#else - return mod_install(&modlink1); #endif + return ipfinst; } int _fini(void) { -#ifdef IPFDEBUG - int ipfinst = mod_remove(&modlink1); + int ipfinst; + if (fr_running < 0) + return -1; + ipfinst = mod_remove(&modlink1); +#ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: _fini() = %d\n", ipfinst); - return ipfinst; -#else - return mod_remove(&modlink1); #endif + return ipfinst; } int _info(modinfop) struct modinfo *modinfop; { + int ipfinst; + + if (fr_running < 0) + return -1; + ipfinst = mod_info(&modlink1, modinfop); #ifdef IPFDEBUG - int ipfinst = mod_info(&modlink1, modinfop); cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x\n", modinfop, ipfinst); - return ipfinst; -#else - return mod_info(&modlink1, modinfop); #endif + if (fr_running > 0) + ipfsync(); + return ipfinst; } static int ipf_probe(dip) dev_info_t *dip; { + if (fr_running < 0) + return DDI_PROBE_FAILURE; #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip); #endif @@ -197,6 +223,8 @@ ddi_attach_cmd_t cmd; #endif switch (cmd) { case DDI_ATTACH: + if (fr_running < 0) + break; #ifdef IPFDEBUG instance = ddi_get_instance(dip); 
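Review bot: `_info()` reads `fr_running` twice and calls `ipfsync()` when it is positive, but nothing serialises those reads against the `fr_running = -1` store that ipf_detach makes later in this diff under `ipf_rw` and the `ipf_solaris` write lock, so `_info()` can enter `ipfsync()` while a detach is tearing the lists down. Wrapping the `fr_running > 0` test and the `ipfsync()` call in `READ_ENTER(&ipf_solaris)` / `RWLOCK_EXIT(&ipf_solaris)`, as fr_qin does, would close that window. The unguarded reads in `_init()`, `_fini()` and `ipf_probe()` only gate a return value and matter less. Whether modload callbacks can overlap with a detach on this kernel I cannot tell from the hunk.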
@@ -227,13 +255,26 @@ ddi_attach_cmd_t cmd; /* * Initialize mutex's */ - iplattach(); + if (iplattach() == -1) + goto attach_failed; + /* + * Lock people out while we set things up. + */ + WRITE_ENTER(&ipf_solaris); solattach(); solipdrvattach(); - cmn_err(CE_CONT, "IP Filter: attaching complete.\n"); - return (DDI_SUCCESS); + RWLOCK_EXIT(&ipf_solaris); + cmn_err(CE_CONT, "%s, attaching complete.\n", ipfilter_version); + sync(); + if (fr_running == 0) + fr_running = 1; + if (ipfr_timer_id == 0) + ipfr_timer_id = timeout(ipfr_slowtimer, NULL, + drv_usectohz(500000)); + if (fr_running == 1) + return DDI_SUCCESS; default: - return (DDI_FAILURE); + return DDI_FAILURE; } attach_failed: @@ -243,7 +284,7 @@ attach_failed: * away any stuff we allocated above. */ (void) ipf_detach(dip, DDI_DETACH); - return (DDI_FAILURE); + return DDI_FAILURE; } @@ -251,13 +292,35 @@ static int ipf_detach(dip, cmd) dev_info_t *dip; ddi_detach_cmd_t cmd; { - int instance; + int i; #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd); #endif switch (cmd) { case DDI_DETACH: + if (fr_running <= 0) + break; + /* + * Make sure we're the only one's modifying things. With + * this lock others should just fall out of the loop. + */ + mutex_enter(&ipf_rw); + if (ipfr_timer_id != 0) { + untimeout(ipfr_timer_id); + ipfr_timer_id = 0; + } + mutex_exit(&ipf_rw); + WRITE_ENTER(&ipf_solaris); + mutex_enter(&ipf_rw); + if (fr_running <= 0) { + mutex_exit(&ipf_rw); + return DDI_FAILURE; + } + fr_running = -1; + mutex_exit(&ipf_rw); + /* NOTE: ipf_solaris rwlock is released in ipldetach */ + /* * Undo what we did in ipf_attach, freeing resources * and removing things we installed. The system 
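Review bot: At the end of the `DDI_ATTACH` case only `fr_running == 1` returns success; any other value runs into the `default:` label and returns `DDI_FAILURE` after `solattach()`, `solipdrvattach()` and the slow timer have all been set up, and the `attach_failed` cleanup is skipped because it lies after the switch. The `fr_running = 1` store is also made without `ipf_rw`, which the detach path holds for its own writes to the flag. Suggest an explicit `goto attach_failed;` for the non-1 outcome and `mutex_enter(&ipf_rw); if (fr_running == 0) fr_running = 1; mutex_exit(&ipf_rw);` for the update. ipf_attach's body begins before this hunk.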
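Review bot: In the `DDI_DETACH` case the early `return DDI_FAILURE` taken when `fr_running <= 0` after `WRITE_ENTER(&ipf_solaris)` releases `ipf_rw` but not `ipf_solaris`, so a detach that loses that race leaves the write lock held and every later fr_qin/fr_qout call blocks in `READ_ENTER(&ipf_solaris)`. The NOTE says the lock is released in ipldetach, which is never reached on this path. Add `RWLOCK_EXIT(&ipf_solaris);` before that return. ipf_detach continues past the hunk.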
@@ -265,10 +328,14 @@ ddi_detach_cmd_t cmd; * node in any other entry points at this time. */ ddi_prop_remove_all(dip); - instance = ddi_get_instance(dip); + i = ddi_get_instance(dip); ddi_remove_minor_node(dip, NULL); sync(); - solipdrvdetach(); + i = solipdrvdetach(); + if (i > 0) { + cmn_err(CE_CONT, "IP Filter: still attached (%d)\n", i); + return DDI_FAILURE; + } if (!soldetach()) { cmn_err(CE_CONT, "IP Filter: detached\n"); return (DDI_SUCCESS); @@ -276,6 +343,7 @@ ddi_detach_cmd_t cmd; default: return (DDI_FAILURE); } + return DDI_FAILURE; } @@ -284,10 +352,13 @@ dev_info_t *dip; ddi_info_cmd_t infocmd; void *arg, **result; { - int error = DDI_FAILURE; + int error; + if (fr_running <= 0) + return DDI_FAILURE; + error = DDI_FAILURE; #ifdef IPFDEBUG - cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x)", dip, infocmd); + cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)", dip, infocmd, arg); #endif switch (infocmd) { case DDI_INFO_DEVT2DEVINFO: @@ -331,7 +402,7 @@ qif_t *qif; queue_t *q; mblk_t *m, *mt; ip_t *ip; -int off; +size_t off; { u_char *s, outb[256], *t; int i; 
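Review bot: When `solipdrvdetach()` reports remaining references (`i > 0`), the new code returns `DDI_FAILURE` after `ddi_remove_minor_node()` has already run, with `fr_running` already set to -1 and, per the NOTE in the preceding hunk, `ipf_solaris` still write-locked, because `soldetach()` and presumably ipldetach are never reached; the driver is then neither usable nor detachable. If refusing the detach is intended, the minor nodes and the running state should be restored and the lock released before returning — I cannot see ipldetach to confirm where that belongs. The assignment `i = ddi_get_instance(dip);` is also dead, as `i` is overwritten two lines later.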
@@ -344,32 +415,35 @@ int off; if (!ip && (m == mt) && m->b_cont && (MTYPE(m) != M_DATA)) m = m->b_cont; - printf("!IP %s:%d %p %p %p %d %p %p %p %d %d %p\n%02x%02x%02x%02x\n", - qif ? qif->qf_name : "?", out, q, q ? q->q_ptr : NULL, - q ? q->q_qinfo : NULL, mt->b_wptr - mt->b_rptr, m, mt, - m->b_rptr, m->b_wptr - m->b_rptr, off, ip, - *s, *(s+1), *(s+2), *(s+3)); - if (m != mt) { + printf("!IP %s:%d %d %p %p %p %d %p/%d %p/%d %p %d %d %p\n", + qif ? qif->qf_name : "?", out, qif->qf_hl, q, + q ? q->q_ptr : NULL, q ? q->q_qinfo : NULL, + mt->b_wptr - mt->b_rptr, m, MTYPE(m), mt, MTYPE(mt), m->b_rptr, + m->b_wptr - m->b_rptr, off, ip); + printf("%02x%02x%02x%02x\n", *s, *(s+1), *(s+2), *(s+3)); + while (m != mt) { i = 0; t = outb; s = mt->b_rptr; - sprintf(t, "%d:", MTYPE(mt)); - t += strlen(t); + sprintf((char *)t, "%d:", MTYPE(mt)); + t += strlen((char *)t); for (; (i < 100) && (s < mt->b_wptr); i++) { - sprintf(t, "%02x%s", *s++, ((i & 3) == 3) ? " " : ""); + sprintf((char *)t, "%02x%s", *s++, + ((i & 3) == 3) ? " " : ""); t += ((i & 3) == 3) ? 3 : 2; } *t++ = '\n'; *t = '\0'; printf("%s", outb); + mt = mt->b_cont; } i = 0; t = outb; s = m->b_rptr; - sprintf(t, "%d:", MTYPE(m)); - t += strlen(t); + sprintf((char *)t, "%d:", MTYPE(m)); + t += strlen((char *)t); for (; (i < 100) && (s < m->b_wptr); i++) { - sprintf(t, "%02x%s", *s++, ((i & 3) == 3) ? " " : ""); + sprintf((char *)t, "%02x%s", *s++, ((i & 3) == 3) ? " " : ""); t += ((i & 3) == 3) ? 3 : 2; } *t++ = '\n'; @@ -382,7 +456,7 @@ int off; * find the first data mblk, if present, in the chain we're processing. Also * make a few sanity checks to try prevent the filter from causing a panic - * none of the nice IP sanity checks (including checksumming) should have been - * done yet - dangerous! + * done yet (for incoming packets) - dangerous! */ static int fr_precheck(mp, q, qif, out) mblk_t **mp; 
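Review bot: The new `printf` dereferences `qif->qf_hl` unconditionally on the line right after it guards `qif ? qif->qf_name : "?"`, and the commented-out call sites in fr_qin/fr_qout show this function being invoked with a NULL qif, so a diagnostic for a bad packet can itself panic; `qif ? qif->qf_hl : 0` keeps the guard consistent. The `while (m != mt)` loop also advances `mt = mt->b_cont` with no NULL check, so if `m` is not on `mt`'s chain it walks off the end; `while (mt != NULL && m != mt)` is the cheap fix. fr_donotip starts before this hunk.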
@@ -390,10 +464,11 @@ queue_t *q; qif_t *qif; int out; { - u_long lbuf[48]; - mblk_t *m, *mt = *mp; + register mblk_t *m, *mt = *mp; register ip_t *ip; - int iphlen, hlen, len, err, mlen, off, synced = 0; + size_t hlen, len, off, mlen, iphlen; + int err, synced = 0; + u_char *bp; #ifndef sparc u_short __iplen, __ipoff; #endif @@ -407,14 +482,43 @@ tryagain: off = (out) ? qif->qf_hl : 0; /* + * If the message protocol block indicates that there isn't a data + * block following it, just return back. + */ + bp = (u_char *)ALIGN32(mt->b_rptr); + if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) { + dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp; + if (dl->dl_primitive != DL_UNITDATA_IND && + dl->dl_primitive != DL_UNITDATA_REQ) { + frstats[out].fr_notdata++; + return 0; + } + } + + /* * Find the first data block, count the data blocks in this chain and * the total amount of data. */ for (m = mt; m && (MTYPE(m) != M_DATA); m = m->b_cont) off = 0; /* Any non-M_DATA cancels the offset */ - if (!m) + if (!m) { + frstats[out].fr_nodata++; return 0; /* No data blocks */ + } + + /* + * This is a complete kludge to try and work around some bizarre + * packets which drop through into fr_donotip. + */ + if ((mt != m) && (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO)) { + dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp; + if ((dl->dl_primitive == DL_UNITDATA_IND) && + (dl->dl_group_address == 1)) + if (((*((u_char *)m->b_rptr) == 0x0) && + ((*((u_char *)m->b_rptr + 2) == 0x45)))) + off += 2; + } ip = (ip_t *)(m->b_rptr + off); /* MMM */ 
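Review bot: Both new `dl_unitdata_ind_t` casts read `dl_primitive` (and `dl_group_address`) from `mt->b_rptr` without first checking that the M_PROTO block actually holds `sizeof(dl_unitdata_ind_t)` bytes, and the 0x45 probe reads `m->b_rptr[0]` and `m->b_rptr[2]` without checking that `m` holds three bytes, so an undersized message from the driver reads past its block. A guard such as `if ((size_t)(mt->b_wptr - mt->b_rptr) < sizeof(*dl)) { frstats[out].fr_bad++; return -1; }` before the first cast, and a matching length test before the 0x45 probe, would close this. `ALIGN32(mt->b_rptr)` also silently moves the read away from `b_rptr` when it is unaligned; whether the DLPI layer guarantees alignment here I cannot tell from the hunk. fr_precheck continues past the hunk.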
@@ -424,31 +528,58 @@ tryagain: */ while ((u_char *)ip >= m->b_wptr) { len = (u_char *)ip - m->b_wptr; - if (!(m = m->b_cont)) + m = m->b_cont; + if (m == NULL) return 0; /* not enough data for IP */ ip = (ip_t *)(m->b_rptr + len); } - if ((off = (u_char *)ip - m->b_rptr)) + off = (u_char *)ip - m->b_rptr; + if (off != 0) m->b_rptr = (u_char *)ip; mlen = msgdsize(m); + len = m->b_wptr - m->b_rptr; + if (m->b_wptr < m->b_rptr) { + cmn_err(CE_NOTE, "IP Filter: Bad packet: wptr %p < rptr %p", + m->b_wptr, m->b_rptr); + frstats[out].fr_bad++; + return -1; + } /* - * Ok, the IP header isn't on a 32bit aligned address. To get around - * this, we copy the data to an aligned buffer and work with that. + * Ok, the IP header isn't on a 32bit aligned address so junk it. */ - if (!OK_32PTR(ip)) { - len = MIN(mlen, sizeof(ip_t)); - copyout_mblk(m, 0, len, (char *)lbuf); + if (((u_int)ip & 0x3) || (len < sizeof(*ip))) { + /* + * We have link layer header and IP header in the same mbuf, + * problem being that a pullup without adjusting b_rptr will + * bring us back here again as it's likely that the start of + * the databuffer (b_datab->db_base) is already aligned. Hmm, + * should we pull it all up (length of -1 to pullupmsg) if we + * can, now ? + */ +fixalign: + if (off == (u_char *)ip - m->b_rptr) { + m->b_rptr += off; + off = 0; + } + if (!pullupmsg(m, sizeof(ip_t) + off)) { + cmn_err(CE_NOTE, "pullupmsg failed\n"); + frstats[out].fr_pull[1]++; + return -1; + } frstats[out].fr_pull[0]++; - ip = (ip_t *)lbuf; - } else - len = m->b_wptr - (u_char *)ip; + synced = 1; + off = 0; + goto tryagain; + } if (ip->ip_v != IPVERSION) { m->b_rptr -= off; if (!synced) { synced = 1; + RWLOCK_EXIT(&ipfs_mutex); ipfsync(); + READ_ENTER(&ipfs_mutex); goto tryagain; } fr_donotip(out, qif, q, m, mt, ip, off); 
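Review bot: The alignment fix-up does `goto tryagain` after every successful `pullupmsg()` and reuses `synced` as its only flag, so if `pullupmsg()` hands back a block whose `b_rptr` is still unaligned — the comment itself says this is likely when `db_base` is aligned and `b_rptr` is not — the function loops without bound; a separate counter, e.g. `if (pulled++) { frstats[out].fr_bad++; return -1; }` before the pullup, bounds it. The test `((u_int)ip & 0x3)` truncates the pointer on the 64-bit kernels this file now supports (`SOLARIS2 >= 7`); the low bits survive, but `(uintptr_t)ip & 0x3` says what is meant. The `fixalign:` label sits inside this `if` body and is the target of a `goto` from further down the function, which makes the `off` bookkeeping here hard to follow. fr_precheck continues past the hunk.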
@@ -456,13 +587,41 @@ tryagain: return (fr_flags & FF_BLOCKNONIP) ? -1 : 0; } +#ifndef sparc + __iplen = (u_short)ip->ip_len, + __ipoff = (u_short)ip->ip_off; + + ip->ip_len = ntohs(__iplen); + ip->ip_off = ntohs(__ipoff); +#endif + hlen = iphlen = ip->ip_hl << 2; + if ((iphlen < sizeof(ip_t)) || (iphlen > (u_short)ip->ip_len) || + (mlen < (u_short)ip->ip_len)) { + /* + * Bad IP packet or not enough data/data length mismatches + */ + cmn_err(CE_NOTE, + "IP Filter: Bad packet: iphlen %u ip_len %u mlen %u", + iphlen, ip->ip_len, mlen); +#ifndef sparc + __iplen = (u_short)ip->ip_len, + __ipoff = (u_short)ip->ip_off; + + ip->ip_len = htons(__iplen); + ip->ip_off = htons(__ipoff); +#endif + m->b_rptr -= off; + frstats[out].fr_bad++; + return -1; + } + /* * Make hlen the total size of the IP header plus TCP/UDP/ICMP header * (if it is one of these three). */ - if (!(ntohs((u_short)ip->ip_off) & 0x1fff)) + if ((ip->ip_off & IP_OFFMASK) == 0) switch (ip->ip_p) { case IPPROTO_TCP : 
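Review bot: The new bad-packet path logs `cmn_err(CE_NOTE, "IP Filter: Bad packet: iphlen %u ip_len %u mlen %u", ...)` once per offending packet with no rate limit, so a stream of malformed IP headers arriving from the wire floods the console and system log; the `wptr < rptr` and `pullupmsg failed` messages in the neighbouring hunks have the same property. `frstats[out].fr_bad++` already records the event for ipfstat, so the message could go under `#ifdef IPFDEBUG` or be throttled. `%u` with the `size_t` values `iphlen` and `mlen` is also a format mismatch on LP64; `%lu` with a cast, or printing the `u_short` header fields, avoids it. The header check itself (`iphlen` against `sizeof(ip_t)`, `ip_len` and `mlen`) looks right and is now done before anything uses the values.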
@@ -478,62 +637,51 @@ tryagain: default : break; } + + if (hlen > mlen) + hlen = mlen; + /* * If we don't have enough data in the mblk or we haven't yet copied * enough (above), then copy some more. */ if ((hlen > len)) { - len = MIN(hlen, sizeof(lbuf)); - len = MIN(mlen, len); - copyout_mblk(m, 0, len, (char *)lbuf); + if (!pullupmsg(m, (int)hlen)) { + cmn_err(CE_NOTE, "pullupmsg failed\n"); + frstats[out].fr_pull[1]++; + return -1; + } frstats[out].fr_pull[0]++; - ip = (ip_t *)lbuf; + ip = (ip_t *)ALIGN32(m->b_rptr); } - -#ifndef sparc - __iplen = (u_short)ip->ip_len, - __ipoff = (u_short)ip->ip_off; - - ip->ip_len = htons(__iplen); - ip->ip_off = htons(__ipoff); -#endif - - if ((iphlen < sizeof(ip_t)) || (iphlen > (u_short)ip->ip_len) || - (mlen < (u_short)ip->ip_len)) { - /* - * Bad IP packet or not enough data/data length mismatches - */ - m->b_rptr -= off; - frstats[out].fr_bad++; - return -1; - } - qif->qf_m = m; qif->qf_q = q; qif->qf_off = off; qif->qf_len = len; err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp); + if (err == 2) + goto fixalign; /* * Copy back the ip header data if it was changed, we haven't yet * freed the message and we aren't going to drop the packet. + * BUT only do this if there were no changes to the buffer, else + * we can't be sure that the ip pointer is still correct! */ + if (*mp != NULL) { + if (*mp == mt) { + m->b_rptr -= off; #ifndef sparc - if (*mp) { - __iplen = (u_short)ip->ip_len, - __ipoff = (u_short)ip->ip_off; + __iplen = (u_short)ip->ip_len, + __ipoff = (u_short)ip->ip_off; - ip->ip_len = htons(__iplen); - ip->ip_off = htons(__ipoff); - } + ip->ip_len = htons(__iplen); + ip->ip_off = htons(__ipoff); #endif - if (err == -2) { - if (*mp && (ip == (ip_t *)lbuf)) { - copyin_mblk(m, 0, len, (char *)lbuf); - frstats[out].fr_pull[1]++; - } - err = 0; + } else + cmn_err(CE_NOTE, + "IP Filter: *mp %p mt %p %s\n", *mp, mt, + "mblk changed, cannot revert ip_len, ip_off"); } - m->b_rptr -= off; return err; } 
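Review bot: After the second `pullupmsg()`, `ip` is recomputed as `(ip_t *)ALIGN32(m->b_rptr)` rather than from `m->b_rptr` itself, so if the pulled-up block comes back unaligned the header pointer silently moves off the start of the header instead of taking the `fixalign` path the earlier code uses for exactly that case; `ip = (ip_t *)m->b_rptr;` followed by the existing alignment test would be consistent. `if (hlen > mlen) hlen = mlen;` means a packet whose transport header is truncated is still handed to `fr_check()` with only `iphlen`, so fr_check (not visible here) must bound its own TCP/UDP/ICMP header reads by the data actually present. `if (err == 2) goto fixalign;` jumps backward into the body of an earlier `if`, which is legal but hides the `off` reset that happens there, and the `*mp != mt` branch emits a `cmn_err` per packet rather than a counter. fr_precheck starts before this hunk.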
@@ -542,27 +690,41 @@ int fr_qin(q, mb) queue_t *q; mblk_t *mb; { - int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0; - qif_t qfb, *qif; + int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0; + qif_t qf, *qif; + if (fr_running <= 0) { + mb->b_prev = NULL; + freemsg(mb); + return 0; + } + + READ_ENTER(&ipf_solaris); again: - mutex_enter(&ipfs_mutex); - while (!(qif = qif_from_queue(q))) { + if (fr_running <= 0) { + RWLOCK_EXIT(&ipf_solaris); + mb->b_prev = NULL; + freemsg(mb); + return 0; + } + READ_ENTER(&ipfs_mutex); + if (!(qif = qif_from_queue(q))) { for (qif = qif_head; qif; qif = qif->qf_next) if (&qif->qf_rqinit == q->q_qinfo && qif->qf_rqinfo && qif->qf_rqinfo->qi_putp) { pnext = qif->qf_rqinfo->qi_putp; - mutex_exit(&ipfs_mutex); frstats[0].fr_notip++; + RWLOCK_EXIT(&ipfs_mutex); if (!synced) { ipfsync(); synced = 1; goto again; } + RWLOCK_EXIT(&ipf_solaris); /* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */ return (*pnext)(q, mb); } - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); if (!synced) { ipfsync(); synced = 1; 
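Review bot: When `fr_running <= 0`, fr_qin now frees every message, including non-data STREAMS messages such as M_IOCTL or M_FLUSH, instead of handing it to `pnext` as the existing not-ours path does, and the drop is not counted in `frstats[0].fr_drop`; during the detach window (`fr_running == -1`) that silently stalls the stream below rather than failing visibly. Failing closed for data is a reasonable choice, but passing non-data messages through and counting the drops would keep the stream usable and the behaviour observable in ipfstat. The same pattern is repeated in fr_qout (@@ -619) and in ipf_ip_qin later in this diff. fr_qin continues past this hunk.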
@@ -584,31 +746,32 @@ again: #endif ); frstats[0].fr_drop++; + RWLOCK_EXIT(&ipf_solaris); + mb->b_prev = NULL; freemsg(mb); return 0; } - /* - * So we can be more re-entrant. - */ - bcopy((char *)qif, (char *)&qfb, sizeof(*qif)); - mutex_exit(&ipfs_mutex); - qif = &qfb; - pnext = qif->qf_rqinfo->qi_putp; + bcopy((char *)qif, (char *)&qf, sizeof(qf)); + qif = &qf; type = MTYPE(mb); - if (type == M_DATA || type == M_PROTO || type == M_PCPROTO) - if (fr_precheck(&mb, q, qif, 0)) { - if (mb) - freemsg(mb); - return 0; - } + pnext = qif->qf_rqinfo->qi_putp; - if (mb) { + if (datamsg(type) || (type == M_BREAK)) + err = fr_precheck(&mb, q, qif, 0); + + RWLOCK_EXIT(&ipfs_mutex); + RWLOCK_EXIT(&ipf_solaris); + + if ((err == 0) && (mb != NULL)) { if (pnext) return (*pnext)(q, mb); - cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x %s q %x info %x", - qif, qif->qf_name, q, q->q_qinfo); + cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x q %x info %x", + qif, q, q->q_qinfo); + } + if (mb) { + mb->b_prev = NULL; freemsg(mb); } return 0; @@ -619,17 +782,30 @@ int fr_qout(q, mb) queue_t *q; mblk_t *mb; { - int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0; - qif_t qfb, *qif; + int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0; + qif_t qf, *qif; + if (fr_running <= 0) { + mb->b_prev = NULL; + freemsg(mb); + return 0; + } + + READ_ENTER(&ipf_solaris); again: - mutex_enter(&ipfs_mutex); + if (fr_running <= 0) { + RWLOCK_EXIT(&ipf_solaris); + mb->b_prev = NULL; + freemsg(mb); + return 0; + } + READ_ENTER(&ipfs_mutex); if (!(qif = qif_from_queue(q))) { for (qif = qif_head; qif; qif = qif->qf_next) if (&qif->qf_wqinit == q->q_qinfo && qif->qf_wqinfo && qif->qf_wqinfo->qi_putp) { pnext = qif->qf_wqinfo->qi_putp; - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); frstats[1].fr_notip++; if (!synced) { ipfsync(); 
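Review bot: The new `cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x q %x info %x", qif, q, q->q_qinfo)` formats three pointers with `%x`, which misreads the arguments on the 64-bit kernels this file now supports; `%p` is the right conversion. fr_qout's copy of the message, further on in this diff, still prints `qif->qf_name` with `%s` while this one dropped it, so the two are also inconsistent. `datamsg(type) || (type == M_BREAK)` now routes M_BREAK messages through fr_precheck; whether that is intended, given that M_BREAK carries no data, I cannot tell from here. fr_qin starts before this hunk.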
@@ -637,9 +813,10 @@ again: goto again; } /* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */ + RWLOCK_EXIT(&ipf_solaris); return (*pnext)(q, mb); } - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); if (!synced) { ipfsync(); synced = 1; 
@@ -671,63 +848,73 @@ again: q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next, q->q_nbsrv->q_ptr); frstats[1].fr_drop++; + RWLOCK_EXIT(&ipf_solaris); + mb->b_prev = NULL; freemsg(mb); return 0; } - /* - * So we can be more re-entrant. - */ - bcopy((char *)qif, (char *)&qfb, sizeof(*qif)); - mutex_exit(&ipfs_mutex); - qif = &qfb; - pnext = qif->qf_wqinfo->qi_putp; + bcopy((char *)qif, (char *)&qf, sizeof(qf)); + qif = &qf; type = MTYPE(mb); - if (type == M_DATA || type == M_PROTO || type == M_PCPROTO) - if (fr_precheck(&mb, q, qif, 1)) { - if (mb) - freemsg(mb); - return 0; - } + pnext = qif->qf_wqinfo->qi_putp; - if (mb) { + if (datamsg(type) || (type == M_BREAK)) + err = fr_precheck(&mb, q, qif, 1); + + RWLOCK_EXIT(&ipfs_mutex); + RWLOCK_EXIT(&ipf_solaris); + + if ((err == 0) && (mb != NULL)) { if (pnext) return (*pnext)(q, mb); cmn_err(CE_WARN, "IP Filter: outp NULL: qif %x %s q %x info %x", qif, qif->qf_name, q, q->q_qinfo); + } + if (mb) { + mb->b_prev = NULL; freemsg(mb); } return 0; } -static int (*ipf_ip_inp) __P((queue_t *, mblk_t *)) = NULL; - -#include <sys/stropts.h> -#include <sys/sockio.h> - -static int synctimeoutid = 0; void ipf_synctimeout(arg) -caddr_t arg; +void *arg; { + READ_ENTER(&ipf_solaris); ipfsync(); - mutex_enter(&ipfs_mutex); + WRITE_ENTER(&ipfs_mutex); synctimeoutid = 0; - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); + RWLOCK_EXIT(&ipf_solaris); } -static int ipf_ip_qin(q, mp) +static int ipf_ip_qin(q, mb) queue_t *q; -mblk_t *mp; +mblk_t *mb; { struct iocblk *ioc; int ret; + + if (fr_running <= 0) { + mb->b_prev = NULL; + freemsg(mb); + return 0; + } - if (mp->b_datap->db_type != M_IOCTL) - return (*ipf_ip_inp)(q, mp); + if (MTYPE(mb) != M_IOCTL) + return (*ipf_ip_inp)(q, mb); - ioc = (struct iocblk *)mp->b_rptr; + READ_ENTER(&ipf_solaris); + if (fr_running <= 0) { + RWLOCK_EXIT(&ipf_solaris); + mb->b_prev = NULL; + freemsg(mb); + return 0; + } + ioc = (struct iocblk *)mb->b_rptr; switch (ioc->ioc_cmd) { case I_LINK: 
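Review bot: In ipf_ip_qin the non-M_IOCTL fast path calls `(*ipf_ip_inp)(q, mb)` after the `fr_running` check but before READ_ENTER(&ipf_solaris), while solipdrvdetach in a later hunk sets `ipf_ip_inp = NULL` under ipfs_mutex; if a detach can overlap an in-flight put, this dereferences NULL. If that overlap is possible, snapshot the pointer into a local `int (*pnext) __P((queue_t *, mblk_t *))` and fail closed, e.g. `if ((pnext = ipf_ip_inp) == NULL) { mb->b_prev = NULL; freemsg(mb); return 0; }` — that only narrows the window without a lock or reference, so the comment should say which guarantee is relied on. ipf_ip_qin's switch continues in the next hunk.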
@@ -737,23 +924,23 @@ mblk_t *mp; #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x\n", ioc->ioc_cmd); #endif - ret = (*ipf_ip_inp)(q, mp); + ret = (*ipf_ip_inp)(q, mb); - mutex_enter(&ipfs_mutex); + WRITE_ENTER(&ipfs_mutex); if (synctimeoutid == 0) { - synctimeoutid = timeout( - ipf_synctimeout, + synctimeoutid = timeout(ipf_synctimeout, NULL, drv_usectohz(1000000) /*1 sec*/ ); - mutex_exit(&ipfs_mutex); - } else - mutex_exit(&ipfs_mutex); + } - return ret; + RWLOCK_EXIT(&ipfs_mutex); + break; default: - return (*ipf_ip_inp)(q, mp); + ret = (*ipf_ip_inp)(q, mb); } + RWLOCK_EXIT(&ipf_solaris); + return ret; } static int ipdrvattcnt = 0; @@ -762,7 +949,8 @@ extern struct streamtab ipinfo; void solipdrvattach() { #ifdef IPFDEBUG - cmn_err(CE_NOTE, "IP Filter: solipdrvattach() ipinfo=0x%lx\n", &ipinfo); + cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx\n", + ipdrvattcnt, &ipinfo); #endif if (++ipdrvattcnt == 1) { 
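Review bot: `++ipdrvattcnt` in solipdrvattach (second hunk on this line) is still modified without a lock, whereas solipdrvdetach in the next hunk now wraps `--ipdrvattcnt` and the `ipinfo.st_wrinit->qi_putp` restore in WRITE_ENTER(&ipfs_mutex)/RWLOCK_EXIT. If attach and detach can run concurrently, the counter and the put-routine hook need symmetric protection, otherwise the detach-side lock does not establish anything; suggest taking `WRITE_ENTER(&ipfs_mutex);` before `if (++ipdrvattcnt == 1) {` and releasing it after the hook is installed. solipdrvattach's body continues past this hunk.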
@@ -776,38 +964,39 @@ void solipdrvattach() int solipdrvdetach() { #ifdef IPFDEBUG - cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() ipinfo=0x%lx\n", &ipinfo); + cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx\n", + ipdrvattcnt, &ipinfo); #endif + WRITE_ENTER(&ipfs_mutex); if (--ipdrvattcnt <= 0) { if (ipf_ip_inp && (ipinfo.st_wrinit->qi_putp == ipf_ip_qin)) { ipinfo.st_wrinit->qi_putp = ipf_ip_inp; ipf_ip_inp = NULL; } - mutex_enter(&ipfs_mutex); if (synctimeoutid) { - synctimeoutid = 0; - mutex_exit(&ipfs_mutex); untimeout(synctimeoutid); - } else - mutex_exit(&ipfs_mutex); + synctimeoutid = 0; + } } + RWLOCK_EXIT(&ipfs_mutex); + return ipdrvattcnt; } /* * attach the packet filter to each interface that is defined as having an * IP address associated with it and save some of the info. for that struct - * so we're not out of date as soon as te ill disappears - but we must sync + * so we're not out of date as soon as the ill disappears - but we must sync * to be correct! */ void solattach() { queue_t *in, *out; - qif_t *qif, *qf2; - ill_t *il; struct frentry *f; + qif_t *qif, *qf2; ipnat_t *np; - int len; + size_t len; + ill_t *il; for (il = ill_g_head; il; il = il->ill_next) { in = il->ill_rq; @@ -816,7 +1005,7 @@ void solattach() out = il->ill_wq->q_next; - mutex_enter(&ipfs_mutex); + WRITE_ENTER(&ipfs_mutex); /* * Look for entry already setup for this device */ @@ -825,7 +1014,7 @@ void solattach() qif->qf_optr == out->q_ptr) break; if (qif) { - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); continue; } #ifdef IPFDEBUG @@ -834,11 +1023,12 @@ void solattach() il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp, out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo); #endif - KMALLOC(qif, qif_t *, sizeof(*qif)); + KMALLOC(qif, qif_t *); if (!qif) { cmn_err(CE_NOTE, "IP Filter: malloc(%d) for qif_t failed\n", sizeof(qif_t)); + RWLOCK_EXIT(&ipfs_mutex); continue; } 
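Review bot: solipdrvdetach now calls `untimeout(synctimeoutid)` while holding WRITE_ENTER(&ipfs_mutex), but ipf_synctimeout (previous hunk) takes READ_ENTER(&ipf_solaris), calls ipfsync(), which does WRITE_ENTER(&ipfs_mutex), and then takes WRITE_ENTER(&ipfs_mutex) itself; untimeout(9F) waits for an already-running callout to return, so a detach that races the one-second sync callout blocks on its own lock. The removed code avoided this by releasing the mutex before untimeout() (at the cost of zeroing the id too early, which this commit otherwise fixes). Read the id under the lock, clear it, drop the lock, and only then cancel; the rewritten tail is below. solipdrvdetach is complete within this hunk.
```c
int solipdrvdetach()
{
	int id = 0;	/* same type as synctimeoutid */
	/* … unchanged: IPFDEBUG cmn_err … */
	WRITE_ENTER(&ipfs_mutex);
	if (--ipdrvattcnt <= 0) {
		/* … unchanged: restore ipinfo.st_wrinit->qi_putp … */
		id = synctimeoutid;
		synctimeoutid = 0;
	}
	RWLOCK_EXIT(&ipfs_mutex);
	/*
	 * untimeout() may block until ipf_synctimeout() returns, and that
	 * callout takes ipfs_mutex, so cancel only after dropping the lock.
	 */
	if (id)
		untimeout(id);
	return ipdrvattcnt;
}
```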
@@ -855,7 +1045,7 @@ void solattach() il->ill_name, in->q_qinfo->qi_putp, in->q_qinfo); #endif - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); KFREE(qif); continue; } @@ -875,7 +1065,7 @@ void solattach() il->ill_name, out->q_qinfo->qi_putp, out->q_qinfo); #endif - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); KFREE(qif); continue; } @@ -883,6 +1073,8 @@ void solattach() qif->qf_wqinfo = out->q_qinfo; qif->qf_ill = il; + qif->qf_in = in; + qif->qf_out = out; qif->qf_iptr = in->q_ptr; qif->qf_optr = out->q_ptr; qif->qf_hl = il->ill_hdr_length; @@ -895,34 +1087,37 @@ void solattach() /* * Activate any rules directly associated with this interface */ - mutex_enter(&ipf_mutex); + WRITE_ENTER(&ipf_mutex); for (f = ipfilter[0][fr_active]; f; f = f->fr_next) { if ((f->fr_ifa == (struct ifnet *)-1)) { - len = strlen(f->fr_ifname)+1; /* includes \0 */ - if (len && (len == il->ill_name_length) && + len = strlen(f->fr_ifname) + 1; + if ((len != 0) && + (len == (size_t)il->ill_name_length) && !strncmp(il->ill_name, f->fr_ifname, len)) f->fr_ifa = il; } } for (f = ipfilter[1][fr_active]; f; f = f->fr_next) { if ((f->fr_ifa == (struct ifnet *)-1)) { - len = strlen(f->fr_ifname)+1; /* includes \0 */ - if (len && (len == il->ill_name_length) && + len = strlen(f->fr_ifname) + 1; + if ((len != 0) && + (len == (size_t)il->ill_name_length) && !strncmp(il->ill_name, f->fr_ifname, len)) f->fr_ifa = il; } } - mutex_exit(&ipf_mutex); - mutex_enter(&ipf_nat); + RWLOCK_EXIT(&ipf_mutex); + WRITE_ENTER(&ipf_nat); for (np = nat_list; np; np = np->in_next) { if ((np->in_ifp == (struct ifnet *)-1)) { - len = strlen(np->in_ifname)+1; /* includes \0 */ - if (len && (len == il->ill_name_length) && + len = strlen(np->in_ifname) + 1; + if ((len != 0) && + (len == (size_t)il->ill_name_length) && !strncmp(il->ill_name, np->in_ifname, len)) np->in_ifp = il; } } - mutex_exit(&ipf_nat); + RWLOCK_EXIT(&ipf_nat); bcopy((caddr_t)qif->qf_rqinfo, (caddr_t)&qif->qf_rqinit, sizeof(struct qinit)); 
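Review bot: `(len != 0)` in the three interface-matching loops is always true, because `len` is `strlen(...) + 1` and cannot be zero, so the test is dead; the removed `/* includes \0 */` comment was the useful part, since it explains why both the comparison against `ill_name_length` and the `strncmp` length include the terminator. Suggest dropping the dead test and restoring the comment on each assignment, e.g. `len = strlen(f->fr_ifname) + 1;	/* includes \0 */`. The same match is now written out three times for ipfilter[0], ipfilter[1] and nat_list; a small static helper taking the rule name and the ill would remove the triplication. solattach starts in an earlier hunk and continues past this one.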
@@ -946,7 +1141,7 @@ void solattach() #endif out->q_qinfo = &qif->qf_wqinit; - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); cmn_err(CE_CONT, "IP Filter: attach to [%s,%d]\n", qif->qf_name, il->ill_ppa); } @@ -968,7 +1163,7 @@ int ipfsync() register ill_t *il; queue_t *in, *out; - mutex_enter(&ipfs_mutex); + WRITE_ENTER(&ipfs_mutex); for (qp = &qif_head; (qif = *qp); ) { for (il = ill_g_head; il; il = il->ill_next) if ((qif->qf_ill == il) && @@ -991,12 +1186,12 @@ int ipfsync() /* * Disable any rules directly associated with this interface */ - mutex_enter(&ipf_nat); + WRITE_ENTER(&ipf_nat); for (np = nat_list; np; np = np->in_next) if (np->in_ifp == (void *)qif->qf_ill) np->in_ifp = (struct ifnet *)-1; - mutex_exit(&ipf_nat); - mutex_enter(&ipf_mutex); + RWLOCK_EXIT(&ipf_nat); + WRITE_ENTER(&ipf_mutex); for (f = ipfilter[0][fr_active]; f; f = f->fr_next) if (f->fr_ifa == (void *)qif->qf_ill) f->fr_ifa = (struct ifnet *)-1; 
@@ -1004,39 +1199,42 @@ int ipfsync() if (f->fr_ifa == (void *)qif->qf_ill) f->fr_ifa = (struct ifnet *)-1; +#if 0 /* XXX */ + /* + * As well as the ill disappearing when a device is unplumb'd, + * it also appears that the associated queue structures also + * disappear - at least in the case of ppp, which is the most + * volatile here. Thanks to Greg for finding this problem. + */ /* * Restore q_qinfo pointers in interface queues */ - il = qif->qf_ill; - in = il->ill_rq; - out = NULL; - if (in && il->ill_wq) { - out = il->ill_wq->q_next; - } + out = qif->qf_out; + in = qif->qf_in; if (in) { -#ifdef IPFDEBUG +# ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx", in, in->q_qinfo, qif->qf_rqinfo ); -#endif +# endif in->q_qinfo = qif->qf_rqinfo; } if (out) { -#ifdef IPFDEBUG +# ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx", out, out->q_qinfo, qif->qf_wqinfo ); -#endif +# endif out->q_qinfo = qif->qf_wqinfo; } - mutex_exit(&ipf_mutex); - +#endif /* XXX */ + RWLOCK_EXIT(&ipf_mutex); KFREE(qif); qif = *qp; } - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); solattach(); /* @@ -1054,10 +1252,10 @@ int ipfsync() int soldetach() { queue_t *in, *out; - qif_t *qif, *qf2, **qp; + qif_t *qif, **qp; ill_t *il; - mutex_enter(&ipfs_mutex); + WRITE_ENTER(&ipfs_mutex); /* * Make two passes, first get rid of all the unknown devices, next * unlink known devices. @@ -1081,8 +1279,8 @@ int soldetach() if (qif->qf_ill == il) break; if (il) { - in = il->ill_rq; - out = il->ill_wq->q_next; + in = qif->qf_in; + out = qif->qf_out; cmn_err(CE_CONT, "IP Filter: detaching [%s,%d]\n", qif->qf_name, il->ill_ppa); @@ -1105,7 +1303,7 @@ int soldetach() } KFREE(qif); } - mutex_exit(&ipfs_mutex); + RWLOCK_EXIT(&ipfs_mutex); return ipldetach(); } 
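Review bot: With the q_qinfo restore wrapped in `#if 0`, ipfsync now KFREEs a `qif` whose embedded `qf_rqinit`/`qf_wqinit` may still be installed as the queues' `q_qinfo` (solattach stores `&qif->qf_wqinit` into `out->q_qinfo` in an earlier hunk); the new comment says the queues vanish with the ill for ppp, but if any other driver keeps its queues alive past the ill, their put routine would then run through freed memory. If that is accepted as a known limitation, the `XXX` should say so, e.g. `/* XXX assumes the queue_t's die with the ill; otherwise q_qinfo dangles after KFREE */`. The `in`/`out` locals declared at the top of ipfsync are now referenced only inside the `#if 0` block and so are unused. ipfsync starts in an earlier hunk and continues past this one.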
@@ -1133,16 +1331,18 @@ mblk_t *mb, **mpp; fr_info_t *fin; frdest_t *fdp; { - mblk_t *mp = NULL; + ire_t *ir, *dir, *gw; struct in_addr dst; - ire_t *ir, *dir; - int hlen = 0; - u_char *s; queue_t *q = NULL; + mblk_t *mp = NULL; + size_t hlen = 0; + frentry_t *fr; + void *ifp; + u_char *s; #ifndef sparc u_short __iplen, __ipoff; - +#endif /* * If this is a duplicate mblk then we want ip to point at that * data, not the original, if and only if it is already pointing at @@ -1150,29 +1350,13 @@ frdest_t *fdp; */ if (ip == (ip_t *)qf->qf_m->b_rptr && qf->qf_m != mb) ip = (ip_t *)mb->b_rptr; - /* - * In fr_precheck(), we modify ip_len and ip_off in an aligned data - * area. However, we only need to change it back if we didn't copy - * the IP header data out. - */ - - __iplen = (u_short)ip->ip_len, - __ipoff = (u_short)ip->ip_off; - - ip->ip_len = htons(__iplen); - ip->ip_off = htons(__ipoff); -#endif - - if (ip != (ip_t *)mb->b_rptr) { - copyin_mblk(mb, 0, qf->qf_len, (char *)ip); - frstats[fin->fin_out].fr_pull[1]++; - } /* * If there is another M_PROTO, we don't want it */ if (*mpp != mb) { (*mpp)->b_cont = NULL; + (*mpp)->b_prev = NULL; freemsg(*mpp); } @@ -1184,8 +1368,10 @@ frdest_t *fdp; dst = fin->fin_fi.fi_dst; #if SOLARIS2 > 5 - dir = ire_route_lookup(dst.s_addr, 0, 0, 0, NULL, NULL, NULL, - MATCH_IRE_DSTONLY); + gw = NULL; + dir = ire_route_lookup(dst.s_addr, 0xffffffff, 0, 0, NULL, &gw, NULL, + MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT| + MATCH_IRE_RECURSIVE); #else dir = ire_lookup(dst.s_addr); #endif 
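Review bot: The `copyin_mblk(mb, 0, qf->qf_len, (char *)ip)` write-back for the `ip != (ip_t *)mb->b_rptr` case is removed here, yet the next hunk still rewrites `ip->ip_len`/`ip->ip_off` with htons() and calls ip_natout() on `ip` before `mb` is handed to putnext(); the first lines of this hunk still allow `ip` to be a buffer distinct from `mb->b_rptr`. Unless the caller now guarantees that `ip` aliases the mblk data, or copies the header back itself, those edits never reach the packet that is transmitted — worth confirming and recording above the routing lookup, e.g. `/* ip must point into mb here: the header edits below are not copied back */`. fr_fastroute's body continues past this hunk.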
@@ -1197,11 +1383,40 @@ frdest_t *fdp; ir = dir; if (ir && dir) { + ifp = ire_to_ill(ir); + fr = fin->fin_fr; + /* + * In case we're here due to "to <if>" being used with + * "keep state", check that we're going in the correct + * direction. + */ + if ((fr != NULL) && (fdp->fd_ifp != NULL) && + (fin->fin_rev != 0) && (fdp == &fr->fr_tif)) + return -1; + + fin->fin_ifp == ifp; + if (fin->fin_out == 0) { + fin->fin_fr = ipacct[1][fr_active]; + if ((fin->fin_fr != NULL) && + (fr_scanlist(FR_NOMATCH, ip, fin, mb)&FR_ACCOUNT)){ + ATOMIC_INC(frstats[1].fr_acct); + } + fin->fin_fr = NULL; + (void) fr_checkstate(ip, fin); + (void) ip_natout(ip, fin); + } +#ifndef sparc + __iplen = (u_short)ip->ip_len, + __ipoff = (u_short)ip->ip_off; + + ip->ip_len = htons(__iplen); + ip->ip_off = htons(__ipoff); +#endif + if ((mp = dir->ire_ll_hdr_mp)) { hlen = dir->ire_ll_hdr_length; s = mb->b_rptr; - if (hlen && (s - mb->b_datap->db_base) >= hlen) { s -= hlen; mb->b_rptr = (u_char *)s; @@ -1222,30 +1437,37 @@ frdest_t *fdp; else if (ir->ire_rfq) q = WR(ir->ire_rfq); if (q) { + mb->b_prev = NULL; + RWLOCK_EXIT(&ipfs_mutex); + RWLOCK_EXIT(&ipf_solaris); putnext(q, mb); + READ_ENTER(&ipf_solaris); + READ_ENTER(&ipfs_mutex); ipl_frouteok[0]++; return 0; } } bad_fastroute: - ipl_frouteok[0]++; + mb->b_prev = NULL; + freemsg(mb); + ipl_frouteok[1]++; return -1; } void copyout_mblk(m, off, len, buf) mblk_t *m; -int off, len; +size_t off, len; char *buf; { - char *s, *bp = buf; - int mlen, olen, clen; + u_char *s, *bp = (u_char *)buf; + size_t mlen, olen, clen; for (; m && len; m = m->b_cont) { if (MTYPE(m) != M_DATA) continue; s = m->b_rptr; - mlen = (char *)m->b_wptr - s; + mlen = m->b_wptr - s; olen = MIN(off, mlen); if ((olen == mlen) || (olen < off)) { off -= olen; 
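Review bot: `fin->fin_ifp == ifp;` is a comparison with no effect, not an assignment, so `fin_ifp` is never updated to the route's interface before `fr_checkstate()` and `ip_natout()` run; the intent is clearly `fin->fin_ifp = ifp;`. Separately, the new early `return -1` for the wrong-direction keep-state case leaves `mb` alive while `bad_fastroute` now frees it, so a caller cannot tell from `-1` whether it still owns the mblk; either free before that return or document the difference at the label. `ipl_frouteok[0]++` runs after the two locks are re-taken in read mode, so it has the same atomicity concern as the frstats counters. fr_fastroute starts in the previous hunk; copyout_mblk continues past this one.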
@@ -1265,17 +1487,17 @@ char *buf; void copyin_mblk(m, off, len, buf) mblk_t *m; -int off, len; +size_t off, len; char *buf; { - char *s, *bp = buf; - int mlen, olen, clen; + u_char *s, *bp = (u_char *)buf; + size_t mlen, olen, clen; for (; m && len; m = m->b_cont) { if (MTYPE(m) != M_DATA) continue; s = m->b_rptr; - mlen = (char *)m->b_wptr - s; + mlen = m->b_wptr - s; olen = MIN(off, mlen); if ((olen == mlen) || (olen < off)) { off -= olen; diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile index a0e07e7..a6d73ef 100644 --- a/contrib/ipfilter/test/Makefile +++ b/contrib/ipfilter/test/Makefile @@ -9,29 +9,35 @@ BINDEST=/usr/local/bin SBINDEST=/sbin MANDIR=/usr/share/man -tests: first 0 ftests ptests +tests: first 0 ftests ptests ntests first: -mkdir -p results # Filtering tests -ftests: 1 2 3 4 5 6 7 8 9 10 11 12 14 +ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 +ntests: n1 n2 n3 n4 + 0: @(cd ..; make ipftest; ) -1 2 3 4 5 6 7 8 9 10 11 14: +f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14: @/bin/sh ./dotest $@ -12: +f12: @/bin/sh ./hextest $@ i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: @/bin/sh ./itest $@ +n1 n2 n3 n4: + @/bin/sh ./nattest $@ + clean: - /bin/rm -f 1 2 3 4 5 6 7 8 9 10 11 12 results/* + /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/* /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 + /bin/rm -f n1 n2 n3 n4 diff --git a/contrib/ipfilter/test/dotest b/contrib/ipfilter/test/dotest index 06d04c5..5a11605 100644 --- a/contrib/ipfilter/test/dotest +++ b/contrib/ipfilter/test/dotest @@ -17,6 +17,7 @@ echo "$1..."; if [ $? -ne 0 ] ; then exit 1; fi + echo "--------" >> results/$1 done ) < regress/$1 cmp expected/$1 results/$1 status=$? diff --git a/contrib/ipfilter/test/expected/f1 b/contrib/ipfilter/test/expected/f1 new file mode 100644 index 0000000..86d9592 --- /dev/null +++ b/contrib/ipfilter/test/expected/f1 
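Review bot: The new `n1 n2 n3 n4:` rule in test/Makefile runs `./nattest` with no prerequisite on `first` (which creates `results/`) or `0` (which builds `ipftest`); the only ordering comes from their position in `tests: first 0 ftests ptests ntests`, which make does not treat as a dependency, so `make n1` or a parallel `make tests` can run the NAT tests before the tool and directory exist. The existing `f*`/`i*` rules share this, but the new rule could declare it: `n1 n2 n3 n4: first 0`. `0:` also invokes `make` rather than `$(MAKE)` (context, not changed here), which drops jobserver and `-n` propagation on recursion.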
@@ -0,0 +1,20 @@ +block +block +nomatch +nomatch +-------- +pass +pass +nomatch +nomatch +-------- +nomatch +nomatch +block +block +-------- +nomatch +nomatch +pass +pass +-------- diff --git a/contrib/ipfilter/test/expected/f10 b/contrib/ipfilter/test/expected/f10 new file mode 100644 index 0000000..da6c312 --- /dev/null +++ b/contrib/ipfilter/test/expected/f10 @@ -0,0 +1,126 @@ +nomatch +block +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +nomatch +nomatch +pass +-------- +block +block +block +nomatch +nomatch +block +-------- +pass +pass +pass +nomatch +nomatch +pass +-------- +block +block +nomatch +nomatch +nomatch +block +-------- +pass +pass +nomatch +nomatch +nomatch +pass +-------- +block +block +block +block +block +block +-------- +pass +pass +pass +pass +pass +pass +-------- +nomatch +block +block +block +nomatch +block +-------- +nomatch +pass +pass +pass +nomatch +pass +-------- +nomatch +pass +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +block +block +block +block +block +-------- +nomatch +pass +pass +pass +pass +pass +-------- +block +block +nomatch +block +nomatch +block +-------- +pass +pass +nomatch +pass +nomatch +pass +-------- +block +block +block +block +block +block +-------- +pass +pass +pass +pass +pass +pass +-------- +block +block +block +nomatch +nomatch +block +-------- diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11 new file mode 100644 index 0000000..ac37783 --- /dev/null +++ b/contrib/ipfilter/test/expected/f11 
@@ -0,0 +1,72 @@ +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +-------- diff --git a/contrib/ipfilter/test/expected/f12 b/contrib/ipfilter/test/expected/f12 new file mode 100644 index 0000000..88354d9 --- /dev/null +++ b/contrib/ipfilter/test/expected/f12 @@ -0,0 +1,60 @@ +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +block +block +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +pass +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +-------- diff --git a/contrib/ipfilter/test/expected/f14 b/contrib/ipfilter/test/expected/f14 new file mode 100644 index 0000000..1c6ed5c --- /dev/null +++ b/contrib/ipfilter/test/expected/f14 @@ -0,0 +1,48 @@ +block +nomatch +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +nomatch +nomatch +pass +pass +-------- +block +nomatch +nomatch +nomatch +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +-------- 
diff --git a/contrib/ipfilter/test/expected/f2 b/contrib/ipfilter/test/expected/f2 new file mode 100644 index 0000000..7093a41 --- /dev/null +++ b/contrib/ipfilter/test/expected/f2 @@ -0,0 +1,42 @@ +block +block +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +block +block +nomatch +nomatch +-------- +nomatch +nomatch +pass +pass +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +block +block +-------- +nomatch +nomatch +nomatch +nomatch +pass +pass +-------- diff --git a/contrib/ipfilter/test/expected/f3 b/contrib/ipfilter/test/expected/f3 new file mode 100644 index 0000000..5df3ac4 --- /dev/null +++ b/contrib/ipfilter/test/expected/f3 @@ -0,0 +1,48 @@ +nomatch +block +nomatch +nomatch +nomatch +-------- +nomatch +pass +nomatch +nomatch +nomatch +-------- +nomatch +block +block +nomatch +nomatch +-------- +nomatch +pass +pass +nomatch +nomatch +-------- +nomatch +block +block +block +nomatch +-------- +nomatch +pass +pass +pass +nomatch +-------- +block +block +block +block +block +-------- +pass +pass +pass +pass +pass +-------- diff --git a/contrib/ipfilter/test/expected/f4 b/contrib/ipfilter/test/expected/f4 new file mode 100644 index 0000000..5df3ac4 --- /dev/null +++ b/contrib/ipfilter/test/expected/f4 @@ -0,0 +1,48 @@ +nomatch +block +nomatch +nomatch +nomatch +-------- +nomatch +pass +nomatch +nomatch +nomatch +-------- +nomatch +block +block +nomatch +nomatch +-------- +nomatch +pass +pass +nomatch +nomatch +-------- +nomatch +block +block +block +nomatch +-------- +nomatch +pass +pass +pass +nomatch +-------- +block +block +block +block +block +-------- +pass +pass +pass +pass +pass +-------- diff --git a/contrib/ipfilter/test/expected/f5 b/contrib/ipfilter/test/expected/f5 new file mode 100644 index 0000000..36c7d40 --- /dev/null +++ b/contrib/ipfilter/test/expected/f5 
@@ -0,0 +1,1392 @@ +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block 
+block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +-------- +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +-------- +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +-------- +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +-------- +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +-------- +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +-------- +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block 
+block +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- diff --git a/contrib/ipfilter/test/expected/f6 b/contrib/ipfilter/test/expected/f6 new file mode 100644 index 0000000..36c7d40 --- /dev/null +++ b/contrib/ipfilter/test/expected/f6 
@@ -0,0 +1,1392 @@ +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block 
+block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +-------- +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +block +-------- +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +-------- +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +pass +-------- +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +-------- +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +block +block +block +nomatch +block +block +block +block +block +block +block +block +block +block +-------- +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch 
+nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block 
+block +block +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +pass +pass +pass +pass +pass +pass +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- diff --git a/contrib/ipfilter/test/expected/f7 b/contrib/ipfilter/test/expected/f7 new file mode 100644 index 0000000..6aa7951 --- /dev/null +++ b/contrib/ipfilter/test/expected/f7 
@@ -0,0 +1,60 @@ +block +block +block +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +block +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +pass +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +block +block +block +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +pass +pass +pass +-------- diff --git a/contrib/ipfilter/test/expected/f8 b/contrib/ipfilter/test/expected/f8 new file mode 100644 index 0000000..ad42ff2 --- /dev/null +++ b/contrib/ipfilter/test/expected/f8 @@ -0,0 +1,42 @@ +block +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +pass +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +block +nomatch +block +nomatch +nomatch +nomatch +-------- +pass +nomatch +pass +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- diff --git a/contrib/ipfilter/test/expected/f9 b/contrib/ipfilter/test/expected/f9 new file mode 100644 index 0000000..709744d --- /dev/null +++ b/contrib/ipfilter/test/expected/f9 
@@ -0,0 +1,126 @@ +block +block +block +block +block +block +-------- +nomatch +nomatch +nomatch +pass +pass +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +block +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +pass +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +block +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +pass +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +pass +pass +pass +pass +-------- +block +block +nomatch +nomatch +nomatch +nomatch +-------- +pass +pass +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +nomatch +nomatch +nomatch +-------- +nomatch +nomatch +nomatch +block +block +nomatch +-------- diff --git a/contrib/ipfilter/test/expected/n1 b/contrib/ipfilter/test/expected/n1 new file mode 100644 index 0000000..77365f8 --- /dev/null +++ b/contrib/ipfilter/test/expected/n1 
@@ -0,0 +1,96 @@ +ip 20(20) 255 10.1.1.0 > 10.1.1.2 +ip 20(20) 255 10.2.2.2 > 10.1.1.2 +ip 20(20) 255 10.1.1.2 > 10.1.1.1 +ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025 +ip 20(20) 255 10.2.2.1 > 10.1.2.1 +ip 20(20) 255 10.2.2.2 > 10.1.2.1 +ip 20(20) 255 10.1.1.1 > 10.1.1.2 +ip 20(20) 255 10.1.1.2 > 10.1.1.1 +ip 20(20) 255 10.2.2.1 > 10.2.1.1 +ip 20(20) 255 10.2.2.2 > 10.2.1.1 +ip 20(20) 255 10.2.2.3 > 10.1.1.1 +ip 20(20) 255 10.2.3.4 > 10.2.2.2 +ip 20(20) 255 10.1.1.1 > 10.2.2.2 +ip 20(20) 255 10.1.1.2 > 10.1.1.1 +ip 20(20) 255 10.1.1.0 > 10.3.4.5 +ip 20(20) 255 10.1.1.1 > 10.3.4.5 +ip 20(20) 255 10.1.1.2 > 10.3.4.5 +ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025 +ip 48(20) 1 10.2.2.2 > 10.4.3.2 +ip 48(20) 1 10.4.3.2 > 10.1.1.1 +ip 48(20) 1 10.4.3.2 > 10.3.4.3 +ip 48(20) 1 10.4.3.2 > 10.3.4.5 +ip 20(20) 34 10.1.1.2 > 10.4.3.2 +ip 20(20) 34 10.4.3.2 > 10.3.4.4 +ip 20(20) 34 10.1.1.2 > 10.4.3.4 +ip 20(20) 34 10.4.3.4 > 10.3.4.5 +ip 20(20) 34 10.1.1.3 > 10.4.3.4 +ip 20(20) 34 10.4.3.4 > 10.3.4.6 +ip 20(20) 35 10.1.1.3 > 10.4.3.4 +ip 20(20) 35 10.4.3.4 > 10.3.4.7 +------------------------------- +ip 20(20) 255 10.3.4.5 > 10.1.1.2 +ip 20(20) 255 10.1.1.1 > 10.1.1.2 +ip 20(20) 255 10.3.4.5 > 10.1.1.1 +ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025 +ip 20(20) 255 10.2.2.1 > 10.1.2.1 +ip 20(20) 255 10.2.2.2 > 10.1.2.1 +ip 20(20) 255 10.1.1.1 > 10.1.1.2 +ip 20(20) 255 10.1.1.2 > 10.1.1.1 +ip 20(20) 255 10.2.2.1 > 10.2.1.1 +ip 20(20) 255 10.2.2.2 > 10.2.1.1 +ip 20(20) 255 10.2.2.3 > 10.1.1.1 +ip 20(20) 255 10.2.3.4 > 10.2.2.2 +ip 20(20) 255 10.1.1.1 > 10.2.2.2 +ip 20(20) 255 10.1.1.2 > 10.2.2.2 +ip 20(20) 255 10.1.1.0 > 10.3.4.5 +ip 20(20) 255 10.1.1.1 > 10.1.1.2 +ip 20(20) 255 10.1.1.2 > 10.1.1.0 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025 +ip 48(20) 1 10.3.4.5 > 10.4.3.2 +ip 48(20) 1 10.4.3.2 > 10.2.2.2 +ip 48(20) 1 10.4.3.2 > 10.3.4.3 +ip 48(20) 1 10.4.3.2 > 10.1.1.1 +ip 20(20) 34 10.3.4.5 > 10.4.3.2 
+ip 20(20) 34 10.4.3.2 > 10.3.4.4 +ip 20(20) 34 10.3.4.5 > 10.4.3.4 +ip 20(20) 34 10.4.3.4 > 10.1.1.2 +ip 20(20) 34 10.1.1.3 > 10.4.3.4 +ip 20(20) 34 10.4.3.4 > 10.3.4.6 +ip 20(20) 35 10.3.4.5 > 10.4.3.4 +ip 20(20) 35 10.4.3.4 > 10.3.4.7 +------------------------------- +ip 20(20) 255 10.3.4.1 > 10.1.1.2 +ip 20(20) 255 10.3.4.2 > 10.1.1.2 +ip 20(20) 255 10.3.4.3 > 10.1.1.1 +ip 40(20) 6 10.3.4.3,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.3,1026 > 10.1.1.1,1025 +ip 20(20) 255 10.2.2.1 > 10.1.2.1 +ip 20(20) 255 10.2.2.2 > 10.1.2.1 +ip 20(20) 255 10.1.1.1 > 10.1.1.2 +ip 20(20) 255 10.1.1.2 > 10.1.1.1 +ip 20(20) 255 10.2.2.1 > 10.2.1.1 +ip 20(20) 255 10.2.2.2 > 10.2.1.1 +ip 20(20) 255 10.2.2.3 > 10.1.1.1 +ip 20(20) 255 10.2.3.4 > 10.2.2.2 +ip 20(20) 255 10.1.1.1 > 10.2.2.2 +ip 20(20) 255 10.1.1.2 > 10.2.2.2 +ip 20(20) 255 10.1.1.0 > 10.3.4.5 +ip 20(20) 255 10.1.1.1 > 10.3.4.5 +ip 20(20) 255 10.1.1.2 > 10.3.4.5 +ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025 +ip 48(20) 1 10.3.4.4 > 10.4.3.2 +ip 48(20) 1 10.4.3.2 > 10.2.2.2 +ip 48(20) 1 10.4.3.2 > 10.3.4.3 +ip 48(20) 1 10.4.3.2 > 10.3.4.5 +ip 20(20) 34 10.3.4.5 > 10.4.3.2 +ip 20(20) 34 10.4.3.2 > 10.3.4.4 +ip 20(20) 34 10.3.4.6 > 10.4.3.4 +ip 20(20) 34 10.4.3.4 > 10.3.4.5 +ip 20(20) 34 10.3.4.7 > 10.4.3.4 +ip 20(20) 34 10.4.3.4 > 10.1.1.2 +ip 20(20) 35 10.3.4.7 > 10.4.3.4 +ip 20(20) 35 10.4.3.4 > 10.1.1.3 +------------------------------- diff --git a/contrib/ipfilter/test/expected/n2 b/contrib/ipfilter/test/expected/n2 new file mode 100644 index 0000000..dc70138 --- /dev/null +++ b/contrib/ipfilter/test/expected/n2 
@@ -0,0 +1,80 @@ +ip 40(20) 6 10.2.2.2,10000 > 10.1.1.1,1025 +ip 40(20) 6 10.2.2.2,10001 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.0 > 10.1.1.2 +ip 20(20) 0 10.1.1.1 > 10.1.2.1 +ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025 +ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80 +ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80 +ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80 +ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80 +ip 20(20) 0 10.1.1.1 > 10.1.1.2 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.2 > 10.1.1.1 +ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000 +ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000 +ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001 +ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001 +------------------------------- +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.0 > 10.1.1.2 +ip 20(20) 0 10.1.1.1 > 10.1.2.1 +ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025 +ip 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80 +ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80 +ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80 +ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80 +ip 20(20) 0 10.1.1.1 > 10.1.1.2 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.2 > 10.1.1.1 +ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000 +ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000 +ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001 +ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001 +------------------------------- +ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.1,10001 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.0 > 10.1.1.2 +ip 20(20) 0 10.1.1.1 > 10.1.2.1 +ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.1,10003 > 10.1.1.1,1025 +ip 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.1,10005 > 
10.1.2.1,80 +ip 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80 +ip 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80 +ip 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80 +ip 20(20) 0 10.1.1.1 > 10.1.1.2 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.2 > 10.1.1.1 +ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000 +ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000 +ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001 +ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001 +------------------------------- +ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.5,40001 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.0 > 10.1.1.2 +ip 20(20) 0 10.1.1.1 > 10.1.2.1 +ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025 +ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025 +ip 28(20) 17 10.3.4.5,40000 > 10.1.1.1,1025 +ip 40(20) 6 10.3.4.5,40001 > 10.1.2.1,80 +ip 40(20) 6 10.3.4.5,40000 > 10.1.3.1,80 +ip 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80 +ip 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80 +ip 20(20) 0 10.1.1.1 > 10.1.1.2 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025 +ip 20(20) 0 10.1.1.2 > 10.1.1.1 +ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000 +ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025 +ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001 +ip 40(20) 6 10.1.2.1,80 > 10.1.1.3,2000 +------------------------------- diff --git a/contrib/ipfilter/test/expected/n3 b/contrib/ipfilter/test/expected/n3 new file mode 100644 index 0000000..03c0717 --- /dev/null +++ b/contrib/ipfilter/test/expected/n3 @@ -0,0 +1,12 @@ +ip 40(20) 6 192.168.2.1,1488 > 203.1.1.1,80 +ip 40(20) 6 192.168.2.1,1276 > 203.1.1.1,80 +ip 40(20) 6 192.168.2.1,1032 > 203.1.1.1,80 +ip 28(20) 17 192.168.2.1,1032 > 203.1.1.1,80 +ip 40(20) 6 192.168.2.1,65299 > 203.1.1.1,80 +------------------------------- +ip 40(20) 6 192.168.1.1,1488 > 203.1.1.1,80 +ip 40(20) 6 192.168.1.1,1276 > 203.1.1.1,80 +ip 40(20) 6 192.168.1.0,1032 > 203.1.1.1,80 +ip 28(20) 17 192.168.1.0,1032 > 203.1.1.1,80 +ip 40(20) 6 192.168.1.255,65299 > 203.1.1.1,80 +------------------------------- 
diff --git a/contrib/ipfilter/test/expected/n4 b/contrib/ipfilter/test/expected/n4
new file mode 100644
index 0000000..c6fb4d4
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n4
@@ -0,0 +1,30 @@
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
+-------------------------------
diff --git a/contrib/ipfilter/test/hextest b/contrib/ipfilter/test/hextest
index 76e1af5..c500c6b 100644
--- a/contrib/ipfilter/test/hextest
+++ b/contrib/ipfilter/test/hextest
@@ -14,6 +14,10 @@ echo "$1...";
 /bin/cp /dev/null results/$1
 ( while read rule; do
 echo "$rule" | ../ipftest -br - -Hi input/$1 >> results/$1;
+ if [ $? -ne 0 ] ; then
+ exit 1;
+ fi
+ echo "--------" >> results/$1
 done ) < regress/$1
 cmp expected/$1 results/$1
 status=$?
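Review bot: The added `exit 1` terminates only the `( while ... )` subshell it runs in, not the script, so a failing ipftest invocation is not propagated: execution carries on to `cmp expected/$1 results/$1` and the failure surfaces, if at all, as an output mismatch rather than as a tool error. Check the subshell's status where the loop closes, e.g. `done ) < regress/$1 || exit 1`, or record it in a variable that the later `status=$?` reporting can use. The `$?` on the added line is the exit status of the last command in the pipeline, ipftest, so the check itself is placed correctly. The rest of the script that consumes `status` lies outside the hunk.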
diff --git a/contrib/ipfilter/test/input/f1 b/contrib/ipfilter/test/input/f1
new file mode 100644
index 0000000..7c3ae8a
--- /dev/null
+++ b/contrib/ipfilter/test/input/f1
@@ -0,0 +1,4 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+out 127.0.0.1 127.0.0.1
+out 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f10 b/contrib/ipfilter/test/input/f10
new file mode 100644
index 0000000..254cee7
--- /dev/null
+++ b/contrib/ipfilter/test/input/f10
@@ -0,0 +1,6 @@
+in 1.1.1.1 2.1.1.1 opt lsrr
+in 1.1.1.1 2.1.1.1
+in 1.1.1.1 2.1.1.1 opt ts
+in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
new file mode 100644
index 0000000..4eda58e
--- /dev/null
+++ b/contrib/ipfilter/test/input/f11
@@ -0,0 +1,11 @@
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
+in on e1 udp 1.1.1.1,1 4.4.4.4,53
+in on e1 udp 2.2.2.2,2 4.4.4.4,53
+in on e0 udp 4.4.4.4,53 1.1.1.1,1
+in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
+in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/contrib/ipfilter/test/input/f12 b/contrib/ipfilter/test/input/f12
new file mode 100644
index 0000000..5d9c1de
--- /dev/null
+++ b/contrib/ipfilter/test/input/f12
@@ -0,0 +1,35 @@
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF SYN
+45 00 0028 0000 4000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 02 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF ACK
+45 00 0028 0000 4000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 ACK
+45 00 0028 0000 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
+45 00 001c 0000 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 ACK
+45 00 001c 0000 6001 3f 06 0000 01010101 02010101
+00000000 50 10 2000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
+45 00 0014 0000 6000 3f 11 0000 01010101 02010101
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
+45 00 0018 0000 2000 3f 11 0000 01010101 02010101
+0035 0035
+
+# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
+45 00 001c 0000 2000 3f 11 0000 01010101 02010101
+0001 0001 0004 0000
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
+45 00 001c 0000 2000 3f 11 0000 01010101 02010101
+0035 0035 0004 0000
+
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
new file mode 100644
index 0000000..56ec16d
--- /dev/null
+++ b/contrib/ipfilter/test/input/f13
@@ -0,0 +1,39 @@
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,MF,FO=0 SYN
+45 00 0028 0001 4000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 02 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP MF ACK
+45 00 0024 0002 2000 3f 06 0000 01010101 02010101
+0401001900000000 0000000050102000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP FO=2 ACK
+45 00 002c 0002 0002 3f 06 0000 01010101 02010101
+0000000000010203 0405060708090a0b 0c0d0e0f10111213
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN
+45 00 0028 0003 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
+45 00 001c 0004 6000 3f 06 0000 01010101 02010101
+0401 0019 00000000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 SYN
+45 00 001c 0005 6001 3f 06 0000 01010101 02010101
+00000000 50 10 2000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
+45 00 0014 0006 6000 3f 11 0000 01010101 02010101
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
+45 00 0018 0007 2000 3f 11 0000 01010101 02010101
+0035 0035
+
+# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
+45 00 001c 0008 2000 3f 11 0000 01010101 02010101
+0035003500040000
+
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
+45 00 001c 0008 0001 3f 11 0000 01010101 02010101
+0000000000000000
+
diff --git a/contrib/ipfilter/test/input/f14 b/contrib/ipfilter/test/input/f14
new file mode 100644
index 0000000..16a806f
--- /dev/null
+++ b/contrib/ipfilter/test/input/f14
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f2 b/contrib/ipfilter/test/input/f2
new file mode 100644
index 0000000..d168af0
--- /dev/null
+++ b/contrib/ipfilter/test/input/f2
@@ -0,0 +1,6 @@
+in tcp 127.0.0.1,1 127.0.0.1,21
+in tcp 1.1.1.1,1 1.2.1.1,21
+in udp 127.0.0.1,1 127.0.0.1,21
+in udp 1.1.1.1,1 1.2.1.1,21
+in icmp 127.0.0.1 127.0.0.1
+in icmp 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f3 b/contrib/ipfilter/test/input/f3
new file mode 100644
index 0000000..16a806f
--- /dev/null
+++ b/contrib/ipfilter/test/input/f3
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f4 b/contrib/ipfilter/test/input/f4
new file mode 100644
index 0000000..2956d1b
--- /dev/null
+++ b/contrib/ipfilter/test/input/f4
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.1.1.1
+in 1.1.1.1 1.1.1.2
+in 1.1.1.1 1.1.2.2
+in 1.1.1.1 1.2.2.2
diff --git a/contrib/ipfilter/test/input/f5 b/contrib/ipfilter/test/input/f5
new file mode 100644
index 0000000..41600c1
--- /dev/null
+++ b/contrib/ipfilter/test/input/f5
@@ -0,0 +1,28 @@
+in tcp 1.1.1.1,0 2.2.2.2,2222
+in tcp 1.1.1.1,1 2.2.2.2,2222
+in tcp 1.1.1.1,23 2.2.2.2,2222
+in tcp 1.1.1.1,21 2.2.2.2,2222
+in tcp 1.1.1.1,1023 2.2.2.2,2222
+in tcp 1.1.1.1,1024 2.2.2.2,2222
+in tcp 1.1.1.1,1025 2.2.2.2,2222
+in tcp 1.1.1.1,32767 2.2.2.2,2222
+in tcp 1.1.1.1,32768 2.2.2.2,2222
+in tcp 1.1.1.1,65535 2.2.2.2,2222
+in tcp 1.1.1.1,5999 2.2.2.2,2222
+in tcp 1.1.1.1,6000 2.2.2.2,2222
+in tcp 1.1.1.1,6009 2.2.2.2,2222
+in tcp 1.1.1.1,6010 2.2.2.2,2222
+in udp 1.1.1.1,0 2.2.2.2,2222
+in udp 1.1.1.1,1 2.2.2.2,2222
+in udp 1.1.1.1,23 2.2.2.2,2222
+in udp 1.1.1.1,21 2.2.2.2,2222
+in udp 1.1.1.1,1023 2.2.2.2,2222
+in udp 1.1.1.1,1024 2.2.2.2,2222
+in udp 1.1.1.1,1025 2.2.2.2,2222
+in udp 1.1.1.1,32767 2.2.2.2,2222
+in udp 1.1.1.1,32768 2.2.2.2,2222
+in udp 1.1.1.1,65535 2.2.2.2,2222
+in udp 1.1.1.1,5999 2.2.2.2,2222
+in udp 1.1.1.1,6000 2.2.2.2,2222
+in udp 1.1.1.1,6009 2.2.2.2,2222
+in udp 1.1.1.1,6010 2.2.2.2,2222
diff --git a/contrib/ipfilter/test/input/f6 b/contrib/ipfilter/test/input/f6
new file mode 100644
index 0000000..21f0be3
--- /dev/null
+++ b/contrib/ipfilter/test/input/f6
@@ -0,0 +1,28 @@
+in tcp 2.2.2.2,2222 1.1.1.1,0
+in tcp 2.2.2.2,2222 1.1.1.1,1
+in tcp 2.2.2.2,2222 1.1.1.1,23
+in tcp 2.2.2.2,2222 1.1.1.1,21
+in tcp 2.2.2.2,2222 1.1.1.1,1023
+in tcp 2.2.2.2,2222 1.1.1.1,1024
+in tcp 2.2.2.2,2222 1.1.1.1,1025
+in tcp 2.2.2.2,2222 1.1.1.1,32767
+in tcp 2.2.2.2,2222 1.1.1.1,32768
+in tcp 2.2.2.2,2222 1.1.1.1,65535
+in tcp 2.2.2.2,2222 1.1.1.1,5999
+in tcp 2.2.2.2,2222 1.1.1.1,6000
+in tcp 2.2.2.2,2222 1.1.1.1,6009
+in tcp 2.2.2.2,2222 1.1.1.1,6010
+in udp 2.2.2.2,2222 1.1.1.1,0
+in udp 2.2.2.2,2222 1.1.1.1,1
+in udp 2.2.2.2,2222 1.1.1.1,23
+in udp 2.2.2.2,2222 1.1.1.1,21
+in udp 2.2.2.2,2222 1.1.1.1,1023
+in udp 2.2.2.2,2222 1.1.1.1,1024
+in udp 2.2.2.2,2222 1.1.1.1,1025
+in udp 2.2.2.2,2222 1.1.1.1,32767
+in udp 2.2.2.2,2222 1.1.1.1,32768
+in udp 2.2.2.2,2222 1.1.1.1,65535
+in udp 2.2.2.2,2222 1.1.1.1,5999
+in udp 2.2.2.2,2222 1.1.1.1,6000
+in udp 2.2.2.2,2222 1.1.1.1,6009
+in udp 2.2.2.2,2222 1.1.1.1,6010
diff --git a/contrib/ipfilter/test/input/f7 b/contrib/ipfilter/test/input/f7
new file mode 100644
index 0000000..2721af2
--- /dev/null
+++ b/contrib/ipfilter/test/input/f7
@@ -0,0 +1,9 @@
+in icmp 1.1.1.1 2.1.1.1 echo
+in icmp 1.1.1.1 2.1.1.1 echo,1
+in icmp 1.1.1.1 2.1.1.1 echo,3
+in icmp 1.1.1.1 2.1.1.1 unreach
+in icmp 1.1.1.1 2.1.1.1 unreach,1
+in icmp 1.1.1.1 2.1.1.1 unreach,3
+in icmp 1.1.1.1 2.1.1.1 echorep
+in icmp 1.1.1.1 2.1.1.1 echorep,1
+in icmp 1.1.1.1 2.1.1.1 echorep,3
diff --git a/contrib/ipfilter/test/input/f8 b/contrib/ipfilter/test/input/f8
new file mode 100644
index 0000000..cace511
--- /dev/null
+++ b/contrib/ipfilter/test/input/f8
@@ -0,0 +1,6 @@
+in tcp 1.1.1.1,1 2.1.2.2,1 S
+in tcp 1.1.1.1,1 2.1.2.2,1 SA
+in tcp 1.1.1.1,1 2.1.2.2,1 SF
+in tcp 1.1.1.1,1 2.1.2.2,1 SFPAUR
+in tcp 1.1.1.1,1 2.1.2.2,1 PAU
+in tcp 1.1.1.1,1 2.1.2.2,1 A
diff --git a/contrib/ipfilter/test/input/f9 b/contrib/ipfilter/test/input/f9
new file mode 100644
index 0000000..33f3be3
--- /dev/null
+++ b/contrib/ipfilter/test/input/f9
@@ -0,0 +1,6 @@
+in 1.1.1.1 2.1.1.1 opt lsrr
+in 1.1.1.1 2.1.1.1 opt lsrr,ssrr
+in 1.1.1.1 2.1.1.1 opt ts
+in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
+in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/n1 b/contrib/ipfilter/test/input/n1
new file mode 100644
index 0000000..a607390
--- /dev/null
+++ b/contrib/ipfilter/test/input/n1
@@ -0,0 +1,31 @@
+out on zx0 255 10.1.1.0 10.1.1.2
+out on zx0 255 10.1.1.1 10.1.1.2
+out on zx0 255 10.1.1.2 10.1.1.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 255 10.2.2.1 10.1.2.1
+out on zx0 255 10.2.2.2 10.1.2.1
+in on zx0 255 10.1.1.1 10.1.1.2
+in on zx0 255 10.1.1.2 10.1.1.1
+in on zx0 255 10.2.2.1 10.2.1.1
+in on zx0 255 10.2.2.2 10.2.1.1
+in on zx0 255 10.2.2.3 10.1.1.1
+in on zx0 255 10.2.3.4 10.2.2.2
+in on zx0 255 10.1.1.1 10.2.2.2
+in on zx0 255 10.1.1.2 10.2.2.2
+in on zx0 255 10.1.1.0 10.3.4.5
+in on zx0 255 10.1.1.1 10.3.4.5
+in on zx0 255 10.1.1.2 10.3.4.5
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
+out on zx0 icmp 10.1.1.1 10.4.3.2
+in on zx0 icmp 10.4.3.2 10.2.2.2
+in on zx0 icmp 10.4.3.2 10.3.4.3
+in on zx0 icmp 10.4.3.2 10.3.4.5
+out on zx0 34 10.1.1.2 10.4.3.2
+in on zx0 34 10.4.3.2 10.3.4.4
+out on zx0 34 10.1.1.2 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.5
+out on zx0 34 10.1.1.3 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.6
+out on zx0 35 10.1.1.3 10.4.3.4
+in on zx0 35 10.4.3.4 10.3.4.7
diff --git a/contrib/ipfilter/test/input/n2 b/contrib/ipfilter/test/input/n2
new file mode 100644
index 0000000..476f16e
--- /dev/null
+++ b/contrib/ipfilter/test/input/n2
@@ -0,0 +1,19 @@
+out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+out on zx0 10.1.1.0 10.1.1.2
+out on zx0 10.1.1.1 10.1.2.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
+out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
+out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
+out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
+in on zx0 10.1.1.1 10.1.1.2
+in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+in on zx0 10.1.1.2 10.1.1.1
+in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
+in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
+in on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
diff --git a/contrib/ipfilter/test/input/n3 b/contrib/ipfilter/test/input/n3
new file mode 100644
index 0000000..deca317
--- /dev/null
+++ b/contrib/ipfilter/test/input/n3
@@ -0,0 +1,5 @@
+out on zz0 tcp 10.1.1.1,5000 203.1.1.1,80
+out on zz0 tcp 10.1.1.1,252 203.1.1.1,80
+out on zz0 tcp 10.1.0.0,32768 203.1.1.1,80
+out on zz0 udp 10.1.0.0,32768 203.1.1.1,80
+out on zz0 tcp 10.1.255.255,65535 203.1.1.1,80
diff --git a/contrib/ipfilter/test/input/n4 b/contrib/ipfilter/test/input/n4
new file mode 100644
index 0000000..52c2d88
--- /dev/null
+++ b/contrib/ipfilter/test/input/n4
@@ -0,0 +1,5 @@
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
+in on zx0 tcp 10.3.3.3,12345 10.1.0.0,23
+in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
+in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53
diff --git a/contrib/ipfilter/test/nattest b/contrib/ipfilter/test/nattest
new file mode 100755
index 0000000..2b3e931
--- /dev/null
+++ b/contrib/ipfilter/test/nattest
@@ -0,0 +1,27 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+/bin/cp /dev/null results/$1
+( while read rule; do
+ echo "$rule" | ../ipftest -Nbr - -i input/$1 >> results/$1;
+ if [ $? -ne 0 ] ; then
+ exit 1;
+ fi
+ echo "-------------------------------" >> results/$1
+done ) < regress/$1
+cmp expected/$1 results/$1
+status=$?
+if [ $status = 0 ] ; then
+ $TOUCH $1
+fi
+exit $status
diff --git a/contrib/ipfilter/test/regress/f1 b/contrib/ipfilter/test/regress/f1
new file mode 100644
index 0000000..6a2ede9
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f1
@@ -0,0 +1,4 @@
+block in all
+pass in all
+block out all
+pass out all
diff --git a/contrib/ipfilter/test/regress/f10 b/contrib/ipfilter/test/regress/f10
new file mode 100644
index 0000000..3552983
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f10
@@ -0,0 +1,18 @@
+block in from any to any with not ipopts
+pass in from any to any with not opt sec-class topsecret
+block in from any to any with not opt ssrr,sec-class topsecret
+pass in from any to any with not opt ssrr,sec-class topsecret
+block in from any to any with not opt ts,sec-class topsecret
+pass in from any to any with not opt ts,sec-class topsecret
+block in from any to any with not opt sec-class secret
+pass in from any to any with not opt sec-class secret
+block in from any to any with not opt lsrr,ssrr
+pass in from any to any with not opt lsrr,ssrr
+pass in from any to any with not ipopts
+block in from any to any with not opt lsrr
+pass in from any to any with not opt lsrr
+block in from any to any with not opt ssrr,ts
+pass in from any to any with not opt ssrr,ts
+block in from any to any with not opt rr
+pass in from any to any with not opt rr
+block in from any to any with not opt sec-class topsecret
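Review bot: The `exit 1` inside the `( while read rule; do … done ) < regress/$1` subshell only terminates the subshell, and its exit status is never examined, so a rule on which ipftest fails still falls through to `cmp` and is reported only if the truncated `results/$1` happens to differ from `expected/$1`; `done ) < regress/$1 || exit 1` would make the failure explicit. The touch probe also has no fallback: when none of the three paths exist, `$TOUCH` stays empty and the final `$TOUCH $1` runs the test name itself as a command, so the innermost `if` should end with `else exit 1` (or default `TOUCH=touch`). The unquoted `$1` throughout (`results/$1`, `input/$1`, `regress/$1`) is harmless for the fixed test names used here but would split or glob on anything else; quoting it costs nothing.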
diff --git a/contrib/ipfilter/test/regress/f11 b/contrib/ipfilter/test/regress/f11
new file mode 100644
index 0000000..0bf0a2a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f11
@@ -0,0 +1,6 @@
+pass in proto tcp from any to any port = 23 flags S/SA keep state
+block in proto tcp from any to any port = 23 flags S/SA keep state
+pass in proto udp from any to any port = 53 keep frags
+block in proto udp from any to any port = 53 keep frags
+pass in proto udp from any to any port = 53 keep state
+block in proto udp from any to any port = 53 keep state
diff --git a/contrib/ipfilter/test/regress/f12 b/contrib/ipfilter/test/regress/f12
new file mode 100644
index 0000000..c29f839
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f12
@@ -0,0 +1,6 @@
+pass in proto tcp from any port > 1024 to any port = 25 with not short
+pass in proto tcp from any port > 1024 to any port = 25
+block in proto tcp from any to any with short
+block in proto tcp from any to any with frag
+pass in proto udp from any port = 53 to any port = 53
+block in proto udp from any port = 53 to any port = 53 with not short
diff --git a/contrib/ipfilter/test/regress/f13 b/contrib/ipfilter/test/regress/f13
new file mode 100644
index 0000000..f123e47
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f13
@@ -0,0 +1,6 @@
+pass in proto tcp from any to any port = 25 flags S/SA keep frags
+block in proto tcp from any to any port = 25 flags S/SA keep frags
+pass in proto udp from any to any port = 53 keep frags
+block in proto udp from any to any port = 53 keep frags
+pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags
+block in proto tcp from any to any port = 25 flags S/SA keep state keep frags
diff --git a/contrib/ipfilter/test/regress/f14 b/contrib/ipfilter/test/regress/f14
new file mode 100644
index 0000000..06ab519
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f14
@@ -0,0 +1,8 @@
+block in from !1.1.1.1 to any
+pass in from 1.1.1.1 to !any
+block in from 1.1.1.0/24 to !any
+pass in from !1.1.1.0/24 to any
+block in from !1.1.0.0/16 to any
+pass in from 1.1.0.0/16 to !1.2.0.0/16
+block in from any to !127.0.0.0/8
+pass in from !any to any
diff --git a/contrib/ipfilter/test/regress/f2 b/contrib/ipfilter/test/regress/f2
new file mode 100644
index 0000000..e2f02a4
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f2
@@ -0,0 +1,6 @@
+block in proto tcp from any to any
+pass in proto tcp from any to any
+block in proto udp from any to any
+pass in proto udp from any to any
+block in proto icmp from any to any
+pass in proto icmp from any to any
diff --git a/contrib/ipfilter/test/regress/f3 b/contrib/ipfilter/test/regress/f3
new file mode 100644
index 0000000..ee80729
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f3
@@ -0,0 +1,8 @@
+block in from 1.1.1.1 to any
+pass in from 1.1.1.1 to any
+block in from 1.1.1.1/24 to any
+pass in from 1.1.1.1/24 to any
+block in from 1.1.1.1/16 to any
+pass in from 1.1.1.1/16 to any
+block in from 1.1.1.1/0 to any
+pass in from 1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/f4 b/contrib/ipfilter/test/regress/f4
new file mode 100644
index 0000000..bc8af2f
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f4
@@ -0,0 +1,8 @@
+block in from any to 1.1.1.1
+pass in from any to 1.1.1.1
+block in from any to 1.1.1.1/24
+pass in from any to 1.1.1.1/24
+block in from any to 1.1.1.1/16
+pass in from any to 1.1.1.1/16
+block in from any to 1.1.1.1/0
+pass in from any to 1.1.1.1/0
diff --git a/contrib/ipfilter/test/regress/f5 b/contrib/ipfilter/test/regress/f5
new file mode 100644
index 0000000..998eabd
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f5
@@ -0,0 +1,48 @@
+block in proto tcp from any port = 23 to any
+block in proto udp from any port = 23 to any
+block in proto tcp/udp from any port = 23 to any
+pass in proto tcp from any port <= 1023 to any
+pass in proto udp from any port <= 1023 to any
+pass in proto tcp/udp from any port <= 1023 to any
+block in proto tcp from any port >= 1024 to any
+block in proto udp from any port >= 1024 to any
+block in proto tcp/udp from any port >= 1024 to any
+pass in proto tcp from any port >= 1024 to any
+pass in proto udp from any port >= 1024 to any
+pass in proto tcp/udp from any port >= 1024 to any
+block in proto tcp from any port 0 >< 512 to any
+block in proto udp from any port 0 >< 512 to any
+block in proto tcp/udp from any port 0 >< 512 to any
+pass in proto tcp from any port 0 >< 512 to any
+pass in proto udp from any port 0 >< 512 to any
+pass in proto tcp/udp from any port 0 >< 512 to any
+block in proto tcp from any port 6000 <> 6009 to any
+block in proto udp from any port 6000 <> 6009 to any
+block in proto tcp/udp from any port 6000 <> 6009 to any
+pass in proto tcp from any port 6000 <> 6009 to any
+pass in proto udp from any port 6000 <> 6009 to any
+pass in proto tcp/udp from any port 6000 <> 6009 to any
+pass in proto tcp from any port = 23 to any
+pass in proto udp from any port = 23 to any
+pass in proto tcp/udp from any port = 23 to any
+block in proto tcp from any port != 21 to any
+block in proto udp from any port != 21 to any
+block in proto tcp/udp from any port != 21 to any
+pass in proto tcp from any port != 21 to any
+pass in proto udp from any port != 21 to any
+pass in proto tcp/udp from any port != 21 to any
+block in proto tcp from any port < 1024 to any
+block in proto udp from any port < 1024 to any
+block in proto tcp/udp from any port < 1024 to any
+pass in proto tcp from any port < 1024 to any
+pass in proto udp from any port < 1024 to any
+pass in proto tcp/udp from any port < 1024 to any
+block in proto tcp from any port > 1023 to any
+block in proto udp from any port > 1023 to any
+block in proto tcp/udp from any port > 1023 to any
+pass in proto tcp from any port > 1023 to any
+pass in proto udp from any port > 1023 to any
+pass in proto tcp/udp from any port > 1023 to any
+block in proto tcp from any port <= 1023 to any
+block in proto udp from any port <= 1023 to any
+block in proto tcp/udp from any port <= 1023 to any
diff --git a/contrib/ipfilter/test/regress/f6 b/contrib/ipfilter/test/regress/f6
new file mode 100644
index 0000000..291f09ad
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f6
@@ -0,0 +1,48 @@
+block in proto tcp from any to any port = 23
+block in proto udp from any to any port = 23
+block in proto tcp/udp from any to any port = 23
+pass in proto tcp from any to any port <= 1023
+pass in proto udp from any to any port <= 1023
+pass in proto tcp/udp from any to any port <= 1023
+block in proto tcp from any to any port >= 1024
+block in proto udp from any to any port >= 1024
+block in proto tcp/udp from any to any port >= 1024
+pass in proto tcp from any to any port >= 1024
+pass in proto udp from any to any port >= 1024
+pass in proto tcp/udp from any to any port >= 1024
+block in proto tcp from any to any port 0 >< 512
+block in proto udp from any to any port 0 >< 512
+block in proto tcp/udp from any to any port 0 >< 512
+pass in proto tcp from any to any port 0 >< 512
+pass in proto udp from any to any port 0 >< 512
+pass in proto tcp/udp from any to any port 0 >< 512
+block in proto tcp from any to any port 6000 <> 6009
+block in proto udp from any to any port 6000 <> 6009
+block in proto tcp/udp from any to any port 6000 <> 6009
+pass in proto tcp from any to any port 6000 <> 6009
+pass in proto udp from any to any port 6000 <> 6009
+pass in proto tcp/udp from any to any port 6000 <> 6009
+pass in proto tcp from any to any port = 23
+pass in proto udp from any to any port = 23
+pass in proto tcp/udp from any to any port = 23
+block in proto tcp from any to any port != 21
+block in proto udp from any to any port != 21
+block in proto tcp/udp from any to any port != 21
+pass in proto tcp from any to any port != 21
+pass in proto udp from any to any port != 21
+pass in proto tcp/udp from any to any port != 21
+block in proto tcp from any to any port < 1024
+block in proto udp from any to any port < 1024
+block in proto tcp/udp from any to any port < 1024
+pass in proto tcp from any to any port < 1024
+pass in proto udp from any to any port < 1024
+pass in proto tcp/udp from any to any port < 1024
+block in proto tcp from any to any port > 1023
+block in proto udp from any to any port > 1023
+block in proto tcp/udp from any to any port > 1023
+pass in proto tcp from any to any port > 1023
+pass in proto udp from any to any port > 1023
+pass in proto tcp/udp from any to any port > 1023
+block in proto tcp from any to any port <= 1023
+block in proto udp from any to any port <= 1023
+block in proto tcp/udp from any to any port <= 1023
diff --git a/contrib/ipfilter/test/regress/f7 b/contrib/ipfilter/test/regress/f7
new file mode 100644
index 0000000..6848a68
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f7
@@ -0,0 +1,6 @@
+block in proto icmp from any to any icmp-type echo
+pass in proto icmp from any to any icmp-type echo
+block in proto icmp from any to any icmp-type unreach code 3
+pass in proto icmp from any to any icmp-type unreach code 3
+block in proto icmp from any to any icmp-type echorep
+pass in proto icmp from any to any icmp-type echorep
diff --git a/contrib/ipfilter/test/regress/f8 b/contrib/ipfilter/test/regress/f8
new file mode 100644
index 0000000..0f28fd2
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f8
@@ -0,0 +1,6 @@
+block in proto tcp from any to any flags S
+pass in proto tcp from any to any flags S
+block in proto tcp from any to any flags S/SA
+pass in proto tcp from any to any flags S/SA
+block in proto tcp from any to any flags S/APU
+pass in proto tcp from any to any flags S/APU
diff --git a/contrib/ipfilter/test/regress/f9 b/contrib/ipfilter/test/regress/f9
new file mode 100644
index 0000000..17bc967
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f9
@@ -0,0 +1,18 @@
+block in from any to any with ipopts
+pass in from any to any with opt sec-class topsecret
+block in from any to any with opt ssrr,sec-class topsecret
+pass in from any to any with opt ssrr,sec-class topsecret
+block in from any to any with opt ts,sec-class topsecret
+pass in from any to any with opt ts,sec-class topsecret
+block in from any to any with opt sec-class secret
+pass in from any to any with opt sec-class secret
+block in from any to any with opt lsrr,ssrr
+pass in from any to any with opt lsrr,ssrr
+pass in from any to any with ipopts
+block in from any to any with opt lsrr
+pass in from any to any with opt lsrr
+block in from any to any with opt ssrr,ts
+pass in from any to any with opt ssrr,ts
+block in from any to any with opt rr
+pass in from any to any with opt rr
+block in from any to any with opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/n1 b/contrib/ipfilter/test/regress/n1
new file mode 100644
index 0000000..9bcf29b
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n1
@@ -0,0 +1,3 @@
+map zx0 10.1.1.1/32 -> 10.2.2.2/32
+map zx0 10.1.1.0/24 -> 10.3.4.5/32
+map zx0 10.1.1.0/24 -> 10.3.4.0/24
diff --git a/contrib/ipfilter/test/regress/n2 b/contrib/ipfilter/test/regress/n2
new file mode 100644
index 0000000..dbce5aa
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n2
@@ -0,0 +1,4 @@
+map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
diff --git a/contrib/ipfilter/test/regress/n3 b/contrib/ipfilter/test/regress/n3
new file mode 100644
index 0000000..82c83dd
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n3
@@ -0,0 +1,2 @@
+map zz0 10.1.0.0/16 -> 192.168.2.0/24 portmap tcp/udp auto
+map-block zz0 10.1.0.0/16 -> 192.168.1.0/24 ports 252
diff --git a/contrib/ipfilter/test/regress/n4 b/contrib/ipfilter/test/regress/n4
new file mode 100644
index 0000000..b066c7a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n4
@@ -0,0 +1,5 @@
+rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 10.1.1.0/24 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 0/0 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 10.1.1.0/24 port 53 -> 10.2.2.1 port 10053 udp
+rdr zx0 10.1.1.0/24 port 0 -> 10.2.2.1 port 0 tcp
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index 6900056..ac41ba2 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -1,9 +1,15 @@ +BUGS: +----- +* fix "to <ifname>" bug on FreeBSD 2.2.8 +fastroute works + +=============================================================================== +GENERAL: +-------- + * use fr_tcpstate() with NAT code for increased NAT usage security or even fr_checkstate() - suspect this is not possible. -* see if the Solaris2 and dynamic plumb/unplumb problem is solvable -done ? - time permitting: * load balancing across interfaces
@@ -16,26 +22,20 @@ on the way * keep fragment information for state entries automatically. done for NAT -* support traceroute through the firewall - (i.e. fix up ICMP errors coming back for NAT) -done - * allow multiple ip addresses in a source route list for ipsend * complete Linux port to implement all the IP Filter features return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-( -* add switches to ipmon for better selective control over which logs are - read/not read -done - * add a flag to automate src spoofing * ipfsync() should change IP#'s in current mappings as well as what's in rules. -document bimap +* document bimap + +* document NAT rule order processing -document NAT rule order processing +* add more docs +in progress -add more docs |