Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/.cvsignore28
-rw-r--r--contrib/ipfilter/BNF2
-rw-r--r--contrib/ipfilter/BSD/.cvsignore22
-rw-r--r--contrib/ipfilter/BSD/Makefile155
-rw-r--r--contrib/ipfilter/BSD/Makefile.ipsend7
-rwxr-xr-xcontrib/ipfilter/BSD/ipfadm-rcd2
-rw-r--r--contrib/ipfilter/BSD/kupgrade86
-rwxr-xr-xcontrib/ipfilter/BSD/upgrade46
-rw-r--r--contrib/ipfilter/FAQ.FreeBSD6
-rw-r--r--contrib/ipfilter/FWTK/ftp-gw.diff2
-rw-r--r--contrib/ipfilter/FWTK/fwtk_transparent.diff4
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/kinstall4
-rw-r--r--contrib/ipfilter/FreeBSD-3/INST.FreeBSD-34
-rwxr-xr-xcontrib/ipfilter/FreeBSD-3/kinstall4
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/kinstall4
-rwxr-xr-xcontrib/ipfilter/FreeBSD/kinstall4
-rw-r--r--contrib/ipfilter/HISTORY1003
-rw-r--r--contrib/ipfilter/INSTALL.FreeBSD11
-rw-r--r--contrib/ipfilter/Makefile44
-rw-r--r--contrib/ipfilter/NAT.FreeBSD6
-rw-r--r--contrib/ipfilter/WhatsNew50.txt83
-rw-r--r--contrib/ipfilter/arc4random.c277
-rw-r--r--contrib/ipfilter/etc/protocols2
-rw-r--r--contrib/ipfilter/etc/services6
-rw-r--r--contrib/ipfilter/genmask.c68
-rw-r--r--contrib/ipfilter/ip_dstlist.c1351
-rw-r--r--contrib/ipfilter/ip_dstlist.h68
-rw-r--r--contrib/ipfilter/ip_fil.c621
-rw-r--r--contrib/ipfilter/ip_fil_compat.c4854
-rw-r--r--contrib/ipfilter/ipf.h168
-rw-r--r--contrib/ipfilter/ipf_rb.h364
-rw-r--r--contrib/ipfilter/iplang/.cvsignore9
-rw-r--r--contrib/ipfilter/iplang/Makefile9
-rw-r--r--contrib/ipfilter/iplang/iplang.h2
-rw-r--r--contrib/ipfilter/iplang/iplang.tst2
-rw-r--r--contrib/ipfilter/iplang/iplang_l.l4
-rw-r--r--contrib/ipfilter/iplang/iplang_y.y20
-rw-r--r--contrib/ipfilter/ipmon.h93
-rw-r--r--contrib/ipfilter/ipsd/Makefile2
-rw-r--r--contrib/ipfilter/ipsd/ipsd.c24
-rw-r--r--contrib/ipfilter/ipsd/ipsdr.c32
-rw-r--r--contrib/ipfilter/ipsd/linux.h2
-rw-r--r--contrib/ipfilter/ipsd/sbpf.c10
-rw-r--r--contrib/ipfilter/ipsd/sdlpi.c10
-rw-r--r--contrib/ipfilter/ipsd/slinux.c10
-rw-r--r--contrib/ipfilter/ipsd/snit.c10
-rw-r--r--contrib/ipfilter/ipsend/.cvsignore3
-rw-r--r--contrib/ipfilter/ipsend/44arp.c7
-rw-r--r--contrib/ipfilter/ipsend/Makefile2
-rw-r--r--contrib/ipfilter/ipsend/README8
-rw-r--r--contrib/ipfilter/ipsend/arp.c11
-rw-r--r--contrib/ipfilter/ipsend/dlcommon.c218
-rw-r--r--contrib/ipfilter/ipsend/hpux.c114
-rw-r--r--contrib/ipfilter/ipsend/in_var.h179
-rw-r--r--contrib/ipfilter/ipsend/ip.c48
-rw-r--r--contrib/ipfilter/ipsend/ip_var.h125
-rw-r--r--contrib/ipfilter/ipsend/ipresend.c19
-rw-r--r--contrib/ipfilter/ipsend/ipsend.52
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c20
-rw-r--r--contrib/ipfilter/ipsend/ipsend.h4
-rw-r--r--contrib/ipfilter/ipsend/ipsopt.c18
-rw-r--r--contrib/ipfilter/ipsend/iptest.c8
-rw-r--r--contrib/ipfilter/ipsend/iptests.c98
-rw-r--r--contrib/ipfilter/ipsend/larp.c8
-rw-r--r--contrib/ipfilter/ipsend/linux.h2
-rw-r--r--contrib/ipfilter/ipsend/lsock.c20
-rw-r--r--contrib/ipfilter/ipsend/resend.c31
-rw-r--r--contrib/ipfilter/ipsend/sbpf.c15
-rw-r--r--contrib/ipfilter/ipsend/sdlpi.c13
-rw-r--r--contrib/ipfilter/ipsend/sirix.c2
-rw-r--r--contrib/ipfilter/ipsend/slinux.c10
-rw-r--r--contrib/ipfilter/ipsend/snit.c12
-rw-r--r--contrib/ipfilter/ipsend/sock.c30
-rw-r--r--contrib/ipfilter/ipsend/tcpip.h86
-rw-r--r--contrib/ipfilter/ipt.h9
-rw-r--r--contrib/ipfilter/kmem.h4
-rw-r--r--contrib/ipfilter/l4check/Makefile2
-rw-r--r--contrib/ipfilter/l4check/l4check.c83
-rw-r--r--contrib/ipfilter/lib/Makefile209
-rw-r--r--contrib/ipfilter/lib/addicmp.c4
-rw-r--r--contrib/ipfilter/lib/addipopt.c22
-rw-r--r--contrib/ipfilter/lib/alist_free.c6
-rw-r--r--contrib/ipfilter/lib/alist_new.c89
-rw-r--r--contrib/ipfilter/lib/allocmbt.c22
-rw-r--r--contrib/ipfilter/lib/assigndefined.c27
-rw-r--r--contrib/ipfilter/lib/bcopywrap.c12
-rw-r--r--contrib/ipfilter/lib/binprint.c8
-rw-r--r--contrib/ipfilter/lib/buildopts.c14
-rw-r--r--contrib/ipfilter/lib/checkrev.c24
-rw-r--r--contrib/ipfilter/lib/connecttcp.c48
-rw-r--r--contrib/ipfilter/lib/count4bits.c6
-rw-r--r--contrib/ipfilter/lib/count6bits.c6
-rw-r--r--contrib/ipfilter/lib/debug.c37
-rw-r--r--contrib/ipfilter/lib/dupmbt.c24
-rw-r--r--contrib/ipfilter/lib/facpri.c24
-rw-r--r--contrib/ipfilter/lib/facpri.h4
-rw-r--r--contrib/ipfilter/lib/familyname.c12
-rw-r--r--contrib/ipfilter/lib/fill6bits.c8
-rw-r--r--contrib/ipfilter/lib/findword.c25
-rw-r--r--contrib/ipfilter/lib/flags.c4
-rw-r--r--contrib/ipfilter/lib/freembt.c16
-rw-r--r--contrib/ipfilter/lib/ftov.c16
-rw-r--r--contrib/ipfilter/lib/gethost.c69
-rw-r--r--contrib/ipfilter/lib/geticmptype.c29
-rw-r--r--contrib/ipfilter/lib/getifname.c21
-rw-r--r--contrib/ipfilter/lib/getnattype.c43
-rw-r--r--contrib/ipfilter/lib/getport.c31
-rw-r--r--contrib/ipfilter/lib/getportproto.c16
-rw-r--r--contrib/ipfilter/lib/getproto.c20
-rw-r--r--contrib/ipfilter/lib/getsumd.c14
-rw-r--r--contrib/ipfilter/lib/hostname.c24
-rw-r--r--contrib/ipfilter/lib/icmpcode.c4
-rw-r--r--contrib/ipfilter/lib/icmptypename.c28
-rw-r--r--contrib/ipfilter/lib/icmptypes.c107
-rw-r--r--contrib/ipfilter/lib/initparse.c4
-rw-r--r--contrib/ipfilter/lib/interror.c582
-rw-r--r--contrib/ipfilter/lib/ionames.c49
-rw-r--r--contrib/ipfilter/lib/ipf_dotuning.c26
-rw-r--r--contrib/ipfilter/lib/ipf_perror.c47
-rw-r--r--contrib/ipfilter/lib/ipft_ef.c135
-rw-r--r--contrib/ipfilter/lib/ipft_hx.c47
-rw-r--r--contrib/ipfilter/lib/ipft_pc.c165
-rw-r--r--contrib/ipfilter/lib/ipft_sn.c197
-rw-r--r--contrib/ipfilter/lib/ipft_td.c178
-rw-r--r--contrib/ipfilter/lib/ipft_tx.c273
-rw-r--r--contrib/ipfilter/lib/ipoptsec.c15
-rw-r--r--contrib/ipfilter/lib/kmem.c32
-rw-r--r--contrib/ipfilter/lib/kmem.h4
-rw-r--r--contrib/ipfilter/lib/kmemcpywrap.c16
-rw-r--r--contrib/ipfilter/lib/kvatoname.c18
-rw-r--r--contrib/ipfilter/lib/load_dstlist.c69
-rw-r--r--contrib/ipfilter/lib/load_dstlistnode.c70
-rw-r--r--contrib/ipfilter/lib/load_file.c44
-rw-r--r--contrib/ipfilter/lib/load_hash.c47
-rw-r--r--contrib/ipfilter/lib/load_hashnode.c42
-rw-r--r--contrib/ipfilter/lib/load_http.c97
-rw-r--r--contrib/ipfilter/lib/load_pool.c36
-rw-r--r--contrib/ipfilter/lib/load_poolnode.c43
-rw-r--r--contrib/ipfilter/lib/load_url.c12
-rw-r--r--contrib/ipfilter/lib/mb_hexdump.c32
-rw-r--r--contrib/ipfilter/lib/msgdsize.c20
-rw-r--r--contrib/ipfilter/lib/mutex_emul.c81
-rw-r--r--contrib/ipfilter/lib/nametokva.c18
-rw-r--r--contrib/ipfilter/lib/nat_setgroupmap.c20
-rw-r--r--contrib/ipfilter/lib/ntomask.c29
-rw-r--r--contrib/ipfilter/lib/optname.c10
-rw-r--r--contrib/ipfilter/lib/optprint.c8
-rw-r--r--contrib/ipfilter/lib/optprintv6.c10
-rw-r--r--contrib/ipfilter/lib/optvalue.c8
-rw-r--r--contrib/ipfilter/lib/parsefields.c48
-rw-r--r--contrib/ipfilter/lib/parseipfexpr.c283
-rw-r--r--contrib/ipfilter/lib/parsewhoisline.c132
-rw-r--r--contrib/ipfilter/lib/poolio.c53
-rw-r--r--contrib/ipfilter/lib/portname.c15
-rw-r--r--contrib/ipfilter/lib/prependmbt.c18
-rw-r--r--contrib/ipfilter/lib/print_toif.c50
-rw-r--r--contrib/ipfilter/lib/printactiveaddr.c37
-rw-r--r--contrib/ipfilter/lib/printactivenat.c130
-rw-r--r--contrib/ipfilter/lib/printaddr.c75
-rw-r--r--contrib/ipfilter/lib/printaps.c63
-rw-r--r--contrib/ipfilter/lib/printbuf.c18
-rw-r--r--contrib/ipfilter/lib/printdstl_live.c84
-rw-r--r--contrib/ipfilter/lib/printdstlist.c60
-rw-r--r--contrib/ipfilter/lib/printdstlistdata.c47
-rw-r--r--contrib/ipfilter/lib/printdstlistnode.c78
-rw-r--r--contrib/ipfilter/lib/printdstlistpolicy.c31
-rw-r--r--contrib/ipfilter/lib/printfieldhdr.c55
-rw-r--r--contrib/ipfilter/lib/printfr.c448
-rw-r--r--contrib/ipfilter/lib/printfraginfo.c32
-rw-r--r--contrib/ipfilter/lib/printhash.c22
-rw-r--r--contrib/ipfilter/lib/printhash_live.c41
-rw-r--r--contrib/ipfilter/lib/printhashdata.c52
-rw-r--r--contrib/ipfilter/lib/printhashnode.c48
-rw-r--r--contrib/ipfilter/lib/printhost.c35
-rw-r--r--contrib/ipfilter/lib/printhostmap.c35
-rw-r--r--contrib/ipfilter/lib/printhostmask.c33
-rw-r--r--contrib/ipfilter/lib/printifname.c16
-rw-r--r--contrib/ipfilter/lib/printip.c35
-rw-r--r--contrib/ipfilter/lib/printipfexpr.c197
-rw-r--r--contrib/ipfilter/lib/printiphdr.c20
-rw-r--r--contrib/ipfilter/lib/printlog.c21
-rw-r--r--contrib/ipfilter/lib/printlookup.c42
-rw-r--r--contrib/ipfilter/lib/printmask.c26
-rw-r--r--contrib/ipfilter/lib/printnat.c367
-rw-r--r--contrib/ipfilter/lib/printnataddr.c48
-rw-r--r--contrib/ipfilter/lib/printnatfield.c220
-rw-r--r--contrib/ipfilter/lib/printnatside.c55
-rw-r--r--contrib/ipfilter/lib/printpacket.c67
-rw-r--r--contrib/ipfilter/lib/printpacket6.c39
-rw-r--r--contrib/ipfilter/lib/printpool.c29
-rw-r--r--contrib/ipfilter/lib/printpool_live.c54
-rw-r--r--contrib/ipfilter/lib/printpooldata.c52
-rw-r--r--contrib/ipfilter/lib/printpoolfield.c168
-rw-r--r--contrib/ipfilter/lib/printpoolnode.c42
-rw-r--r--contrib/ipfilter/lib/printportcmp.c17
-rw-r--r--contrib/ipfilter/lib/printproto.c38
-rw-r--r--contrib/ipfilter/lib/printsbuf.c28
-rw-r--r--contrib/ipfilter/lib/printstate.c151
-rw-r--r--contrib/ipfilter/lib/printstatefields.c358
-rw-r--r--contrib/ipfilter/lib/printtcpflags.c30
-rw-r--r--contrib/ipfilter/lib/printtqtable.c17
-rw-r--r--contrib/ipfilter/lib/printtunable.c29
-rw-r--r--contrib/ipfilter/lib/printunit.c47
-rw-r--r--contrib/ipfilter/lib/remove_hash.c25
-rw-r--r--contrib/ipfilter/lib/remove_hashnode.c28
-rw-r--r--contrib/ipfilter/lib/remove_pool.c25
-rw-r--r--contrib/ipfilter/lib/remove_poolnode.c27
-rw-r--r--contrib/ipfilter/lib/resetlexer.c12
-rw-r--r--contrib/ipfilter/lib/rwlock_emul.c50
-rw-r--r--contrib/ipfilter/lib/save_execute.c80
-rw-r--r--contrib/ipfilter/lib/save_file.c130
-rw-r--r--contrib/ipfilter/lib/save_nothing.c62
-rw-r--r--contrib/ipfilter/lib/save_syslog.c137
-rw-r--r--contrib/ipfilter/lib/save_v1trap.c463
-rw-r--r--contrib/ipfilter/lib/save_v2trap.c459
-rw-r--r--contrib/ipfilter/lib/tcpflags.c6
-rw-r--r--contrib/ipfilter/lib/tcpoptnames.c4
-rw-r--r--contrib/ipfilter/lib/v6ionames.c8
-rw-r--r--contrib/ipfilter/lib/v6optvalue.c8
-rw-r--r--contrib/ipfilter/lib/var.c26
-rw-r--r--contrib/ipfilter/lib/verbose.c32
-rw-r--r--contrib/ipfilter/lib/vtof.c16
-rw-r--r--contrib/ipfilter/man/Makefile2
-rw-r--r--contrib/ipfilter/man/ipf.410
-rw-r--r--contrib/ipfilter/man/ipf.52191
-rw-r--r--contrib/ipfilter/man/ipfilter.418
-rw-r--r--contrib/ipfilter/man/ipfilter.4.mandoc22
-rw-r--r--contrib/ipfilter/man/ipfstat.88
-rw-r--r--contrib/ipfilter/man/ipftest.11
-rw-r--r--contrib/ipfilter/man/ipmon.5237
-rw-r--r--contrib/ipfilter/man/ipnat.42
-rw-r--r--contrib/ipfilter/man/ipnat.5911
-rw-r--r--contrib/ipfilter/man/ipnat.85
-rw-r--r--contrib/ipfilter/man/ippool.5415
-rw-r--r--contrib/ipfilter/man/ippool.811
-rw-r--r--contrib/ipfilter/md5.c11
-rw-r--r--contrib/ipfilter/mkfilters4
-rw-r--r--contrib/ipfilter/ml_ipl.c164
-rw-r--r--contrib/ipfilter/mlf_ipl.c303
-rw-r--r--contrib/ipfilter/mlf_rule.c26
-rw-r--r--contrib/ipfilter/mlfk_ipl.c529
-rw-r--r--contrib/ipfilter/mlfk_rule.c9
-rw-r--r--contrib/ipfilter/mlh_rule.c6
-rw-r--r--contrib/ipfilter/mli_ipl.c683
-rw-r--r--contrib/ipfilter/mln_ipl.c355
-rw-r--r--contrib/ipfilter/mln_rule.c83
-rw-r--r--contrib/ipfilter/mlo_ipl.c364
-rw-r--r--contrib/ipfilter/mlo_rule.c80
-rw-r--r--contrib/ipfilter/mls_ipl.c351
-rw-r--r--contrib/ipfilter/mls_rule.c116
-rw-r--r--contrib/ipfilter/mlso_rule.c130
-rw-r--r--contrib/ipfilter/net/.cvsignore1
-rw-r--r--contrib/ipfilter/opts.h6
-rw-r--r--contrib/ipfilter/pcap-ipf.h2
-rw-r--r--contrib/ipfilter/perl/Ipfanaly.pl62
-rw-r--r--contrib/ipfilter/perl/Isbgraph14
-rw-r--r--contrib/ipfilter/perl/Services164
-rw-r--r--contrib/ipfilter/perl/ipfmeta.pl4
-rw-r--r--contrib/ipfilter/perl/logfilter.pl38
-rw-r--r--contrib/ipfilter/radix.c1214
-rw-r--r--contrib/ipfilter/radix_ipf.c1528
-rw-r--r--contrib/ipfilter/radix_ipf.h287
-rw-r--r--contrib/ipfilter/rules/.cvsignore1
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW4
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW2
-rw-r--r--contrib/ipfilter/rules/firewall2
-rw-r--r--contrib/ipfilter/rules/ipmon.conf29
-rw-r--r--contrib/ipfilter/rules/server2
-rw-r--r--contrib/ipfilter/samples/.cvsignore4
-rw-r--r--contrib/ipfilter/samples/proxy.c12
-rw-r--r--contrib/ipfilter/samples/relay.c6
-rw-r--r--contrib/ipfilter/snoop.h4
-rw-r--r--contrib/ipfilter/sys/tree.h750
-rw-r--r--contrib/ipfilter/test/.cvsignore87
-rw-r--r--contrib/ipfilter/test/Makefile479
-rw-r--r--contrib/ipfilter/test/bpftest35
-rw-r--r--contrib/ipfilter/test/dotest43
-rw-r--r--contrib/ipfilter/test/e4to661
-rw-r--r--contrib/ipfilter/test/expected/f11128
-rw-r--r--contrib/ipfilter/test/expected/f1320
-rw-r--r--contrib/ipfilter/test/expected/f1822
-rw-r--r--contrib/ipfilter/test/expected/f215
-rw-r--r--contrib/ipfilter/test/expected/f225
-rw-r--r--contrib/ipfilter/test/expected/f2535
-rw-r--r--contrib/ipfilter/test/expected/f2684
-rw-r--r--contrib/ipfilter/test/expected/f2790
-rw-r--r--contrib/ipfilter/test/expected/f2832
-rw-r--r--contrib/ipfilter/test/expected/f2964
-rw-r--r--contrib/ipfilter/test/expected/f3068
-rw-r--r--contrib/ipfilter/test/expected/i16
-rw-r--r--contrib/ipfilter/test/expected/i1010
-rw-r--r--contrib/ipfilter/test/expected/i1111
-rw-r--r--contrib/ipfilter/test/expected/i1276
-rw-r--r--contrib/ipfilter/test/expected/i1410
-rw-r--r--contrib/ipfilter/test/expected/i1719
-rw-r--r--contrib/ipfilter/test/expected/i184
-rw-r--r--contrib/ipfilter/test/expected/i23
-rw-r--r--contrib/ipfilter/test/expected/i208
-rw-r--r--contrib/ipfilter/test/expected/i225
-rw-r--r--contrib/ipfilter/test/expected/i230
-rw-r--r--contrib/ipfilter/test/expected/i316
-rw-r--r--contrib/ipfilter/test/expected/i42
-rw-r--r--contrib/ipfilter/test/expected/i54
-rw-r--r--contrib/ipfilter/test/expected/i612
-rw-r--r--contrib/ipfilter/test/expected/i77
-rw-r--r--contrib/ipfilter/test/expected/i8101
-rw-r--r--contrib/ipfilter/test/expected/i912
-rw-r--r--contrib/ipfilter/test/expected/in144
-rw-r--r--contrib/ipfilter/test/expected/in1003
-rw-r--r--contrib/ipfilter/test/expected/in1014
-rw-r--r--contrib/ipfilter/test/expected/in1025
-rw-r--r--contrib/ipfilter/test/expected/in2106
-rw-r--r--contrib/ipfilter/test/expected/in34
-rw-r--r--contrib/ipfilter/test/expected/in546
-rw-r--r--contrib/ipfilter/test/expected/in616
-rw-r--r--contrib/ipfilter/test/expected/in70
-rw-r--r--contrib/ipfilter/test/expected/ip1100
-rw-r--r--contrib/ipfilter/test/expected/ip24
-rw-r--r--contrib/ipfilter/test/expected/ip314
-rw-r--r--contrib/ipfilter/test/expected/ipv6.451
-rw-r--r--contrib/ipfilter/test/expected/ipv6.67
-rw-r--r--contrib/ipfilter/test/expected/l111
-rw-r--r--contrib/ipfilter/test/expected/l1.b13
-rw-r--r--contrib/ipfilter/test/expected/n1296
-rw-r--r--contrib/ipfilter/test/expected/n1063
-rw-r--r--contrib/ipfilter/test/expected/n10033
-rw-r--r--contrib/ipfilter/test/expected/n10129
-rw-r--r--contrib/ipfilter/test/expected/n10229
-rw-r--r--contrib/ipfilter/test/expected/n10333
-rw-r--r--contrib/ipfilter/test/expected/n10450
-rw-r--r--contrib/ipfilter/test/expected/n10525
-rw-r--r--contrib/ipfilter/test/expected/n10625
-rw-r--r--contrib/ipfilter/test/expected/n11169
-rw-r--r--contrib/ipfilter/test/expected/n11_6124
-rw-r--r--contrib/ipfilter/test/expected/n1221
-rw-r--r--contrib/ipfilter/test/expected/n12_628
-rw-r--r--contrib/ipfilter/test/expected/n1335
-rw-r--r--contrib/ipfilter/test/expected/n13_632
-rw-r--r--contrib/ipfilter/test/expected/n1433
-rw-r--r--contrib/ipfilter/test/expected/n14_630
-rw-r--r--contrib/ipfilter/test/expected/n1547
-rw-r--r--contrib/ipfilter/test/expected/n15_647
-rw-r--r--contrib/ipfilter/test/expected/n1610
-rw-r--r--contrib/ipfilter/test/expected/n1724
-rw-r--r--contrib/ipfilter/test/expected/n18111
-rw-r--r--contrib/ipfilter/test/expected/n1_6197
-rw-r--r--contrib/ipfilter/test/expected/n2263
-rw-r--r--contrib/ipfilter/test/expected/n20025
-rw-r--r--contrib/ipfilter/test/expected/n2_6191
-rw-r--r--contrib/ipfilter/test/expected/n374
-rw-r--r--contrib/ipfilter/test/expected/n4244
-rw-r--r--contrib/ipfilter/test/expected/n4_6190
-rw-r--r--contrib/ipfilter/test/expected/n5851
-rw-r--r--contrib/ipfilter/test/expected/n5_6533
-rw-r--r--contrib/ipfilter/test/expected/n6233
-rw-r--r--contrib/ipfilter/test/expected/n6_6173
-rw-r--r--contrib/ipfilter/test/expected/n7122
-rw-r--r--contrib/ipfilter/test/expected/n7_698
-rw-r--r--contrib/ipfilter/test/expected/n821
-rw-r--r--contrib/ipfilter/test/expected/n8_630
-rw-r--r--contrib/ipfilter/test/expected/n920
-rw-r--r--contrib/ipfilter/test/expected/n9_629
-rw-r--r--contrib/ipfilter/test/expected/ni103
-rw-r--r--contrib/ipfilter/test/expected/ni115
-rw-r--r--contrib/ipfilter/test/expected/ni127
-rw-r--r--contrib/ipfilter/test/expected/ni177
-rw-r--r--contrib/ipfilter/test/expected/ni185
-rw-r--r--contrib/ipfilter/test/expected/ni1918
-rw-r--r--contrib/ipfilter/test/expected/ni22
-rw-r--r--contrib/ipfilter/test/expected/ni2044
-rw-r--r--contrib/ipfilter/test/expected/ni218
-rw-r--r--contrib/ipfilter/test/expected/ni2334
-rw-r--r--contrib/ipfilter/test/expected/ni42
-rw-r--r--contrib/ipfilter/test/expected/ni535
-rw-r--r--contrib/ipfilter/test/expected/ni678
-rw-r--r--contrib/ipfilter/test/expected/ni82
-rw-r--r--contrib/ipfilter/test/expected/p113
-rw-r--r--contrib/ipfilter/test/expected/p1040
-rw-r--r--contrib/ipfilter/test/expected/p1140
-rw-r--r--contrib/ipfilter/test/expected/p1240
-rw-r--r--contrib/ipfilter/test/expected/p1330
-rw-r--r--contrib/ipfilter/test/expected/p218
-rw-r--r--contrib/ipfilter/test/expected/p326
-rw-r--r--contrib/ipfilter/test/expected/p438
-rw-r--r--contrib/ipfilter/test/expected/p52
-rw-r--r--contrib/ipfilter/test/expected/p624
-rw-r--r--contrib/ipfilter/test/expected/p740
-rw-r--r--contrib/ipfilter/test/expected/p940
-rw-r--r--contrib/ipfilter/test/h4to6135
-rw-r--r--contrib/ipfilter/test/hextest27
-rw-r--r--contrib/ipfilter/test/i4to612
-rw-r--r--contrib/ipfilter/test/input/f132
-rw-r--r--contrib/ipfilter/test/input/f2131
-rw-r--r--contrib/ipfilter/test/input/f2231
-rw-r--r--contrib/ipfilter/test/input/f242
-rw-r--r--contrib/ipfilter/test/input/f2541
-rw-r--r--contrib/ipfilter/test/input/f2613
-rw-r--r--contrib/ipfilter/test/input/f2784
-rw-r--r--contrib/ipfilter/test/input/f287
-rw-r--r--contrib/ipfilter/test/input/f2911
-rw-r--r--contrib/ipfilter/test/input/f3016
-rw-r--r--contrib/ipfilter/test/input/ipf6-126
-rw-r--r--contrib/ipfilter/test/input/ipv6.119
-rw-r--r--contrib/ipfilter/test/input/ipv6.36
-rw-r--r--contrib/ipfilter/test/input/ipv6.4522
-rw-r--r--contrib/ipfilter/test/input/ipv6.614
-rw-r--r--contrib/ipfilter/test/input/n104
-rw-r--r--contrib/ipfilter/test/input/n1008
-rw-r--r--contrib/ipfilter/test/input/n1018
-rw-r--r--contrib/ipfilter/test/input/n1028
-rw-r--r--contrib/ipfilter/test/input/n1038
-rw-r--r--contrib/ipfilter/test/input/n10448
-rw-r--r--contrib/ipfilter/test/input/n1058
-rw-r--r--contrib/ipfilter/test/input/n1068
-rw-r--r--contrib/ipfilter/test/input/n10_66
-rw-r--r--contrib/ipfilter/test/input/n11_616
-rw-r--r--contrib/ipfilter/test/input/n1212
-rw-r--r--contrib/ipfilter/test/input/n12_618
-rw-r--r--contrib/ipfilter/test/input/n13_64
-rw-r--r--contrib/ipfilter/test/input/n14_64
-rw-r--r--contrib/ipfilter/test/input/n152
-rw-r--r--contrib/ipfilter/test/input/n15_62
-rw-r--r--contrib/ipfilter/test/input/n1626
-rw-r--r--contrib/ipfilter/test/input/n1724
-rw-r--r--contrib/ipfilter/test/input/n17_624
-rw-r--r--contrib/ipfilter/test/input/n188
-rw-r--r--contrib/ipfilter/test/input/n1_634
-rw-r--r--contrib/ipfilter/test/input/n2006
-rw-r--r--contrib/ipfilter/test/input/n2_619
-rw-r--r--contrib/ipfilter/test/input/n4_610
-rw-r--r--contrib/ipfilter/test/input/n5_654
-rw-r--r--contrib/ipfilter/test/input/n6_613
-rw-r--r--contrib/ipfilter/test/input/n7_69
-rw-r--r--contrib/ipfilter/test/input/n812
-rw-r--r--contrib/ipfilter/test/input/n8_637
-rw-r--r--contrib/ipfilter/test/input/n912
-rw-r--r--contrib/ipfilter/test/input/n9_634
-rw-r--r--contrib/ipfilter/test/input/ni145
-rw-r--r--contrib/ipfilter/test/input/ni1010
-rw-r--r--contrib/ipfilter/test/input/ni114
-rw-r--r--contrib/ipfilter/test/input/ni1214
-rw-r--r--contrib/ipfilter/test/input/ni13130
-rw-r--r--contrib/ipfilter/test/input/ni14126
-rw-r--r--contrib/ipfilter/test/input/ni152
-rw-r--r--contrib/ipfilter/test/input/ni162
-rw-r--r--contrib/ipfilter/test/input/ni184
-rw-r--r--contrib/ipfilter/test/input/ni1914
-rw-r--r--contrib/ipfilter/test/input/ni242
-rw-r--r--contrib/ipfilter/test/input/ni2048
-rw-r--r--contrib/ipfilter/test/input/ni316
-rw-r--r--contrib/ipfilter/test/input/ni414
-rw-r--r--contrib/ipfilter/test/input/ni52
-rw-r--r--contrib/ipfilter/test/input/ni710
-rw-r--r--contrib/ipfilter/test/input/ni811
-rw-r--r--contrib/ipfilter/test/input/ni97
-rw-r--r--contrib/ipfilter/test/input/p1010
-rw-r--r--contrib/ipfilter/test/input/p1110
-rw-r--r--contrib/ipfilter/test/input/p1210
-rw-r--r--contrib/ipfilter/test/input/p138
-rw-r--r--contrib/ipfilter/test/input/p412
-rw-r--r--contrib/ipfilter/test/input/p62
-rw-r--r--contrib/ipfilter/test/input/p710
-rw-r--r--contrib/ipfilter/test/input/p910
-rwxr-xr-xcontrib/ipfilter/test/intest30
-rw-r--r--contrib/ipfilter/test/ipflib.sh59
-rw-r--r--contrib/ipfilter/test/iptest30
-rw-r--r--contrib/ipfilter/test/itest41
-rwxr-xr-xcontrib/ipfilter/test/logtest40
-rwxr-xr-xcontrib/ipfilter/test/mhtest36
-rwxr-xr-xcontrib/ipfilter/test/mtest44
-rwxr-xr-xcontrib/ipfilter/test/natipftest48
-rwxr-xr-xcontrib/ipfilter/test/nattest43
-rw-r--r--contrib/ipfilter/test/ptest47
-rw-r--r--contrib/ipfilter/test/regress/f131
-rw-r--r--contrib/ipfilter/test/regress/f212
-rw-r--r--contrib/ipfilter/test/regress/f222
-rw-r--r--contrib/ipfilter/test/regress/f251
-rw-r--r--contrib/ipfilter/test/regress/f266
-rw-r--r--contrib/ipfilter/test/regress/f276
-rw-r--r--contrib/ipfilter/test/regress/f28.ipf2
-rw-r--r--contrib/ipfilter/test/regress/f28.pool2
-rw-r--r--contrib/ipfilter/test/regress/f29.ipf2
-rw-r--r--contrib/ipfilter/test/regress/f29.pool2
-rw-r--r--contrib/ipfilter/test/regress/f304
-rw-r--r--contrib/ipfilter/test/regress/i111
-rw-r--r--contrib/ipfilter/test/regress/i1210
-rw-r--r--contrib/ipfilter/test/regress/i142
-rw-r--r--contrib/ipfilter/test/regress/i174
-rw-r--r--contrib/ipfilter/test/regress/i186
-rw-r--r--contrib/ipfilter/test/regress/i21
-rw-r--r--contrib/ipfilter/test/regress/i216
-rw-r--r--contrib/ipfilter/test/regress/i225
-rw-r--r--contrib/ipfilter/test/regress/i231
-rw-r--r--contrib/ipfilter/test/regress/i75
-rw-r--r--contrib/ipfilter/test/regress/i833
-rw-r--r--contrib/ipfilter/test/regress/in1003
-rw-r--r--contrib/ipfilter/test/regress/in1014
-rw-r--r--contrib/ipfilter/test/regress/in1025
-rw-r--r--contrib/ipfilter/test/regress/in24
-rw-r--r--contrib/ipfilter/test/regress/in71
-rw-r--r--contrib/ipfilter/test/regress/ip314
-rw-r--r--contrib/ipfilter/test/regress/ipv6.43
-rw-r--r--contrib/ipfilter/test/regress/ipv6.54
-rw-r--r--contrib/ipfilter/test/regress/ipv6.61
-rw-r--r--contrib/ipfilter/test/regress/n1001
-rw-r--r--contrib/ipfilter/test/regress/n1011
-rw-r--r--contrib/ipfilter/test/regress/n1021
-rw-r--r--contrib/ipfilter/test/regress/n1031
-rw-r--r--contrib/ipfilter/test/regress/n1041
-rw-r--r--contrib/ipfilter/test/regress/n1051
-rw-r--r--contrib/ipfilter/test/regress/n1061
-rw-r--r--contrib/ipfilter/test/regress/n10_63
-rw-r--r--contrib/ipfilter/test/regress/n11_63
-rw-r--r--contrib/ipfilter/test/regress/n12_61
-rw-r--r--contrib/ipfilter/test/regress/n13_61
-rw-r--r--contrib/ipfilter/test/regress/n14_61
-rw-r--r--contrib/ipfilter/test/regress/n152
-rw-r--r--contrib/ipfilter/test/regress/n15_62
-rw-r--r--contrib/ipfilter/test/regress/n16_61
-rw-r--r--contrib/ipfilter/test/regress/n171
-rw-r--r--contrib/ipfilter/test/regress/n17_61
-rw-r--r--contrib/ipfilter/test/regress/n183
-rw-r--r--contrib/ipfilter/test/regress/n1_63
-rw-r--r--contrib/ipfilter/test/regress/n2001
-rw-r--r--contrib/ipfilter/test/regress/n2_64
-rw-r--r--contrib/ipfilter/test/regress/n4_66
-rw-r--r--contrib/ipfilter/test/regress/n5_66
-rw-r--r--contrib/ipfilter/test/regress/n6_65
-rw-r--r--contrib/ipfilter/test/regress/n7_63
-rw-r--r--contrib/ipfilter/test/regress/n8_61
-rw-r--r--contrib/ipfilter/test/regress/n9_61
-rw-r--r--contrib/ipfilter/test/regress/ni13.nat2
-rw-r--r--contrib/ipfilter/test/regress/ni14.nat2
-rw-r--r--contrib/ipfilter/test/regress/ni17.ipf0
-rw-r--r--contrib/ipfilter/test/regress/ni18.ipf0
-rw-r--r--contrib/ipfilter/test/regress/ni18.nat4
-rw-r--r--contrib/ipfilter/test/regress/p1.pool2
-rw-r--r--contrib/ipfilter/test/regress/p10.nat1
-rw-r--r--contrib/ipfilter/test/regress/p10.pool2
-rw-r--r--contrib/ipfilter/test/regress/p11.nat1
-rw-r--r--contrib/ipfilter/test/regress/p11.pool2
-rw-r--r--contrib/ipfilter/test/regress/p12.nat1
-rw-r--r--contrib/ipfilter/test/regress/p12.pool2
-rw-r--r--contrib/ipfilter/test/regress/p13.ipf1
-rw-r--r--contrib/ipfilter/test/regress/p13.pool2
-rw-r--r--contrib/ipfilter/test/regress/p3.ipf4
-rw-r--r--contrib/ipfilter/test/regress/p4.nat1
-rw-r--r--contrib/ipfilter/test/regress/p4.pool2
-rw-r--r--contrib/ipfilter/test/regress/p6.ipf1
-rw-r--r--contrib/ipfilter/test/regress/p6.pool1
-rw-r--r--contrib/ipfilter/test/regress/p6.whois241
-rw-r--r--contrib/ipfilter/test/regress/p7.nat1
-rw-r--r--contrib/ipfilter/test/regress/p7.pool2
-rw-r--r--contrib/ipfilter/test/regress/p9.nat1
-rw-r--r--contrib/ipfilter/test/regress/p9.pool2
-rw-r--r--contrib/ipfilter/test/test.format105
-rwxr-xr-xcontrib/ipfilter/test/vfycksum.pl282
-rw-r--r--contrib/ipfilter/todo18
-rw-r--r--contrib/ipfilter/tools/BNF.ipf2
-rw-r--r--contrib/ipfilter/tools/Makefile17
-rw-r--r--contrib/ipfilter/tools/ipf.c151
-rw-r--r--contrib/ipfilter/tools/ipf_y.y1296
-rw-r--r--contrib/ipfilter/tools/ipfcomp.c140
-rw-r--r--contrib/ipfilter/tools/ipfs.c46
-rw-r--r--contrib/ipfilter/tools/ipfstat.c1085
-rw-r--r--contrib/ipfilter/tools/ipfsyncd.c671
-rw-r--r--contrib/ipfilter/tools/ipftest.c414
-rw-r--r--contrib/ipfilter/tools/ipmon.c1256
-rw-r--r--contrib/ipfilter/tools/ipmon_y.y722
-rw-r--r--contrib/ipfilter/tools/ipnat.c544
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y1560
-rw-r--r--contrib/ipfilter/tools/ippool.c436
-rw-r--r--contrib/ipfilter/tools/ippool_y.y551
-rw-r--r--contrib/ipfilter/tools/ipscan_y.y5
-rw-r--r--contrib/ipfilter/tools/ipsyncm.c46
-rw-r--r--contrib/ipfilter/tools/ipsyncs.c52
-rw-r--r--contrib/ipfilter/tools/lex_var.h2
-rw-r--r--contrib/ipfilter/tools/lexer.c128
-rw-r--r--contrib/ipfilter/tools/lexer.h8
579 files changed, 39290 insertions, 11711 deletions
diff --git a/contrib/ipfilter/.cvsignore b/contrib/ipfilter/.cvsignore
deleted file mode 100644
index 616828f..0000000
--- a/contrib/ipfilter/.cvsignore
+++ /dev/null
@@ -1,28 +0,0 @@
-ipf
-sparcv7
-sparcv9
-h
-ipf-darren
-bugs
-ipftest
-patches
-state
-cbits
-CVS
-old
-new
-netinet
-import
-bak
-streams
-cvs.diff
-threads
-glibc
-hp
-windows
-ipnat
-opt_inet6.h
-ippool
-ipmon
-ip_rules.c
-ip_rules.h
diff --git a/contrib/ipfilter/BNF b/contrib/ipfilter/BNF
index 404cc28..ef35d25 100644
--- a/contrib/ipfilter/BNF
+++ b/contrib/ipfilter/BNF
@@ -67,7 +67,7 @@ facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
"audit" | "logalert" | "local0" | "local1" | "local2" |
"local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
+ "info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
diff --git a/contrib/ipfilter/BSD/.cvsignore b/contrib/ipfilter/BSD/.cvsignore
deleted file mode 100644
index c149a00..0000000
--- a/contrib/ipfilter/BSD/.cvsignore
+++ /dev/null
@@ -1,22 +0,0 @@
-ipf
-ipfs
-ipfstat
-ipftest
-ipmon
-ipnat
-ipresend
-ipsend
-iptest
-vnode_if.h
-if_ipl
-i386
-amiga
-FreeBSD*
-BSDOS*
-NetBSD*
-OpenBSD*
-*_lex_var.h
-*_y.c
-*_l.c
-*_y.h
-ip_rules.*
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index fe8a4d4..4f2c2b9 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -1,9 +1,8 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
-TOP=../..
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
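Review bot: Removing the `TOP=../..` default at the top of this hunk makes every `$(TOP)` reference in the Makefile depend on the caller passing TOP, and nothing here fails when it is missing. With TOP empty, `include $(TOP)/lib/Makefile` would resolve to `/lib/Makefile`, and the link step in the build target, `/bin/rm -f $(TOP)/$$i`, would act on paths in the root directory. Presumably the parent Makefile always supplies TOP. If so, an overridable default, `TOP?=../..`, costs nothing and keeps a direct `make` in this directory safe.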
@@ -17,13 +16,14 @@ CFLAGS=-g -I$(TOP)
#
DEVFS!=/usr/bin/lsvfs 2>&1 | sed -n 's/.*devfs.*/-DDEVFS/p'
CPU!=uname -m
-INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch
+COMPDIR!=/bin/ls -1tr /usr/src/sys/arch/${CPU}/compile | tail -1
+INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch -I/usr/src/sys/arch/${CPU}/compile/${COMPDIR}
DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) -fno-builtin
IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST
VNODESHDIR=/sys/kern
MLD=$(ML)
ML=mln_ipl.c
-LKM=if_ipl.o
+LKM=ipflkm.o
LKMR=ipfrule.o
DLKM=
OBJ=.
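Review bot: The new `COMPDIR!=/bin/ls -1tr /usr/src/sys/arch/${CPU}/compile | tail -1` picks whichever kernel compile directory was modified most recently, which is not necessarily the configuration of the kernel the module will be loaded into. A loadable packet-filter module built against another configuration's generated headers can end up disagreeing with the running kernel about compiled-in options. When the directory is absent or empty, COMPDIR is empty and the added `-I/usr/src/sys/arch/${CPU}/compile/${COMPDIR}` silently points at the `compile` directory itself. I would wrap the assignment in `.if !defined(COMPDIR)` … `.endif` so the caller can name the configuration explicitly, and stop the build when the resulting directory does not exist.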
@@ -44,15 +44,15 @@ INSTALL=install
#
MODOBJS=ip_fil.o fil.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o ip_rules.o \
- ip_scan.o ip_sync.o
+ ip_scan.o ip_sync.o ip_nat6.o ip_dstlist.o radix_ipf.o
# ip_trafcon.o
DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF)
-IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o bpf_filter_u.o
-IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \
+IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o
+IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_nat6_u.o \
ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \
ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \
ippool_y.o ippool_l.o ipf_y.o ipf_l.o ipnat_y.o ipnat_l.o \
- md5_u.o radix_u.o bpf_filter_u.o
+ md5_u.o radix_ipf_u.o ip_dstlist_u.o
# ip_syn_u.o
#ip_trafcon_u.o
TOOL=$(TOP)/tools
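Review bot: `bpf_filter_u.o` is dropped from both `IPF` and `IPT` in this hunk, but `$(IPFBPF)` is still part of `DFLAGS` and the `bpf_filter_u.o` rule is still present further down the file. If IPFBPF can still enable the BPF matching code in a build, `ipf` and `ipftest` would link without the object that provides it. If BPF support is gone for good, the leftover rule and the `$(IPFBPF)` references are dead and belong in the same cleanup. A one-line comment next to `IPF=` saying which of the two is intended would settle it.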
@@ -60,9 +60,9 @@ IPNAT=ipnat.o ipnat_y.o ipnat_l.o
IPMON=ipmon.o ipmon_y.o ipmon_l.o
IPPOOL=ippool_y.o ippool_l.o kmem.o ippool.o
IPTRAFCON=iptrafcon.o
-PROXYLIST=$(TOP)/ip_ftp_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_irc_pxy.c \
- $(TOP)/ip_netbios_pxy.c $(TOP)/ip_raudio_pxy.c $(TOP)/ip_rcmd_pxy.c \
- $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_pptp_pxy.c
+PROXYLIST=$(TOP)/ip_dns_pxy.c $(TOP)/ip_ftp_pxy.c $(TOP)/ip_ipsec_pxy.c \
+ $(TOP)/ip_irc_pxy.c $(TOP)/ip_netbios_pxy.c $(TOP)/ip_raudio_pxy.c \
+ $(TOP)/ip_rcmd_pxy.c $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_pptp_pxy.c
FILS=ipfstat.o
LIBSRC=$(TOP)/lib
RANLIB=ranlib
@@ -70,6 +70,11 @@ AROPTS=cq
HERE!=pwd
CCARGS=-I. $(DEBUG) $(CFLAGS) $(UFLAGS)
KCARGS=-I. $(DEBUG) $(CFLAGS)
+.if ${MACHINE_ARCH} == amd64
+KCARGS+=-mcmodel=kernel -mno-red-zone -fno-omit-frame-pointer \
+ -mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow \
+ -msoft-float -fno-asynchronous-unwind-tables
+.endif
#
# Extra is option kernel things we always want in user space.
#
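Review bot: The amd64 `KCARGS+=` block has no comment, although these flags (`-mcmodel=kernel`, `-mno-red-zone`, the SSE/MMX switches) decide whether the module's code is safe to run in kernel context. They need to stay in step with the flags the target kernel itself is built with. I would add `# amd64 kernel code generation flags; keep in sync with the kernel's own build flags` above the `.if`. The condition tests `${MACHINE_ARCH}` while the rest of this file keys on `CPU!=uname -m`, so it is worth confirming that both name the architecture the same way on the supported systems.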
@@ -77,9 +82,11 @@ EXTRA=$(ALLOPTS)
include $(TOP)/lib/Makefile
-build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \
- ippool ipscan ipsyncm ipsyncs $(LKM) $(LKMR)
- -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done'
+build all: machine $(OBJ)/libipf.a tools $(LKM) $(LKMR)
+
+tools: ipf ipfs ipfstat ipftest ipmon ipnat ippool ipscan ipsyncm \
+ ipsyncs ipfsyncd
+ -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs ipfsyncd; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done'
-/bin/rm -f ../tools ./tools
-ln -s ../tools .
-ln -s ../tools ..
@@ -122,12 +129,18 @@ ipsyncm: ipsyncm.o $(OBJ)/libipf.a
ipsyncs: ipsyncs.o $(OBJ)/libipf.a
$(CC) $(CCARGS) ipsyncs.o -o $@ $(LIBS)
+ipfsyncd: ipfsyncd.o $(OBJ)/libipf.a
+ $(CC) $(CCARGS) ipfsyncd.o -o $@ $(LIBS)
+
ipsyncm.o: $(TOOL)/ipsyncm.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipsyncm.c -o $@
ipsyncs.o: $(TOOL)/ipsyncs.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipsyncs.c -o $@
+ipfsyncd.o: $(TOOL)/ipfsyncd.c $(TOP)/ip_sync.h
+ $(CC) $(CCARGS) -c $(TOOL)/ipfsyncd.c -o $@
+
tests:
(cd test; make )
@@ -146,7 +159,7 @@ fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \
$(TOP)/ip_rules.h
- $(CC) $(KCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) \
+ $(CC) $(KCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) $(COMPATIPF) \
-c $(TOP)/fil.c -o $@
ipf.o: $(TOOL)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
@@ -163,7 +176,7 @@ ipnat.o: $(TOOL)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipnat.c -o $@
-ipnat_y.o: ipnat_y.c ipnat_y.h ipnat_l.h
+ipnat_y.o: ipnat_y.c ipnat_y.h ipnat_l.h $(TOP)/ip_fil.h $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c ipnat_y.c -o $@
ipnat_l.o: ipnat_l.c ipnat_y.h
@@ -183,6 +196,9 @@ ipnat_l.h: $(TOOL)/lexer.h
ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat.c -o $@
+ip_nat6_u.o: $(TOP)/ip_nat6.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat6.c -o $@
+
ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_proxy.c -o $@
@@ -222,8 +238,13 @@ ip_htable_u.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_htable.c -o $@
+ip_dstlist_u.o: $(TOP)/ip_dstlist.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_dstlist.c -o $@
+
ip_lookup_u.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_lookup.h $(TOP)/ip_pool.h $(TOP)/ip_htable.h
+ $(TOP)/ip_lookup.h $(TOP)/ip_pool.h $(TOP)/ip_htable.h \
+ $(TOP)/ip_dstlist.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_lookup.c -o $@
ip_trafcon_u.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
@@ -236,19 +257,28 @@ ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
md5_u.o: $(TOP)/md5.c $(TOP)/md5.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/md5.c -o $@
-radix_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/radix.c -o $@
+radix_ipf_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
+ $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/radix_ipf.c -o $@
bpf_filter_u.o: $(TOP)/bpf_filter.c $(TOP)/pcap-ipf.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/bpf_filter.c -o $@
-if_ipl.o: $(MODOBJS)
+ipflkm.o: $(MODOBJS)
ld -r $(MODOBJS) -o $(LKM)
- ${RM} -f if_ipl
+ ${RM} -f ipflkm
ipfrule.ko.5: ip_rulesx.o $(MLR)
+.if ${MACHINE_ARCH} != amd64
ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) ip_rulesx.o $(MLR)
- ld -Bshareable -d -warn-common -o $(LKMR:S/.5$//) $(.TARGET:S/.ko/.kld/)
+ ld -Bshareable -d -warn-common -o $(LKMR:S/.5$//) $(.TARGET:S/.ko/.kld/)
+.else
+ ld -warn-common -r -d -o $(.TARGET:S/.5$//) ip_rulesx.o $(MLR)
+ nm -g $(.TARGET:S/.5$//) | \
+ awk '/^[^[:space:]]+ [^AU] (.*)$$/ { print ($$2=="C" ? "-N" : "-L") $$3 }' | \
+ xargs -J% objcopy % $(.TARGET:S/.5$//)
+
+.endif
+
ipfrule.ko: ip_rulesx.o $(MLR)
gensetdefs ip_rulesx.o $(MLR)
$(CC) $(KCARGS) -c setdef0.c
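Review bot: The renamed rule `radix_ipf_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h` still names `md5.c` as its prerequisite although the recipe compiles `$(TOP)/radix_ipf.c`, so a change to radix_ipf.c does not trigger a rebuild of the object. The prerequisite line should read `radix_ipf_u.o: $(TOP)/radix_ipf.c $(TOP)/radix_ipf.h`. The kernel-side rule `radix_ipf.o` added in the later hunk at `@@ -307,16 +352,26 @@` repeats the same prerequisite and needs the same correction.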
@@ -256,10 +286,17 @@ ipfrule.ko: ip_rulesx.o $(MLR)
ld -Bshareable -o $@ setdef0.o ip_rulesx.o $(MLR) setdef1.o
ipf.ko.5 ipl.ko.5: $(MODOBJS)
+.if ${MACHINE_ARCH} != amd64
ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) $(MODOBJS)
ld -Bshareable -d -warn-common -o $(LKM:S/.5$//) $(.TARGET:S/.ko/.kld/)
-
-ipf.ko ipl.ko: $(MODOBJS)
+.else
+ ld -warn-common -r -d -o $(.TARGET:S/.5$//) $(MODOBJS)
+ nm -g $(.TARGET:S/.5$//) | \
+ awk '/^[^[:space:]]+ [^AU] (.*)$$/ { print ($$2=="C" ? "-N" : "-L") $$3 }' | \
+ xargs -J% objcopy % $(.TARGET:S/.5$//)
+.endif
+
+ipf.ko ipl.ko: $(MODOBJS)
gensetdefs $(MODOBJS)
$(CC) $(KCARGS) -c setdef0.c
$(CC) $(KCARGS) -c setdef1.c
@@ -268,6 +305,9 @@ ipf.ko ipl.ko: $(MODOBJS)
ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@
+ip_nat6.o: $(TOP)/ip_nat6.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
+ $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_nat6.c -o $@
+
ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@
@@ -290,6 +330,11 @@ ip_fil.c:
ip_fil.o: ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h
$(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@
+ip_fil_compat.o: $(TOP)/ip_fil_compat.c $(TOP)/ipl.h $(TOP)/ip_fil.h \
+ $(TOP)/ip_compat.h $(TOP)/ip_nat.h $(TOP)/ip_state.h
+ $(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) $(COMPATIPF) \
+ -c $(TOP)/ip_fil_compat.c -o $@
+
ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@
@@ -307,16 +352,26 @@ ip_htable.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_htable.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@
+ip_dstlist.o: $(TOP)/ip_dstlist.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
+ $(TOP)/ip_lookup.h $(TOP)/ip_dstlist.h
+ $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_dstlist.c -o $@
+
ip_lookup.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_pool.h $(TOP)/ip_htable.h $(TOP)/ip_lookup.h
+ $(TOP)/ip_pool.h $(TOP)/ip_htable.h $(TOP)/ip_lookup.h \
+ $(TOP)/ip_dstlist.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_lookup.c -o $@
+radix_ipf.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
+ $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/radix_ipf.c -o $@
+
ip_trafcon.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_trafcon.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_trafcon.c -o $@
vnode_if.h: $(VNODESHDIR)/vnode_if.src
mkdir -p ../sys
+ mkdir -p ../rump/include/rump
+ mkdir -p ../rump/librump/rumpvfs
if [ -f $(VNODESHDIR)/vnode_if.sh ] ; then \
sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src; \
fi
@@ -325,10 +380,11 @@ vnode_if.h: $(VNODESHDIR)/vnode_if.src
fi
if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi
rmdir ../sys
+ rm -rf ../rump
ml_ipl.o: vnode_if.h $(TOP)/$(MLD) $(TOP)/ipl.h
-/bin/rm -f vnode_if.c
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@
+ $(CC) -I. $(KCARGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@
ip_rules.o: ip_rules.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) $(COMPIPF) -c ip_rules.c -o $@
@@ -344,7 +400,7 @@ $(TOP)/ip_rules.h: ip_rules.c
fi
ip_rulesx.o: ip_rules.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -DIPFILTER_COMPILED -c ip_rules.c -o $@
+ $(CC) -I. $(KCARGS) $(DFLAGS) -DIPFILTER_COMPILED -c ip_rules.c -o $@
mlf_rule.o: $(TOP)/mlf_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlf_rule.c -o $@
@@ -356,7 +412,7 @@ mlo_rule.o: $(TOP)/mlo_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlo_rule.c -o $@
mlfk_rule.o: $(TOP)/mlfk_rule.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlfk_rule.c -o $@
+ $(CC) -I. $(KCARGS) $(DFLAGS) -c $(TOP)/mlfk_rule.c -o $@
ipf_y.o: ipf_y.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
$(CC) $(CCARGS) $(IPFBPF) -c ipf_y.c -o $@
@@ -427,10 +483,11 @@ ippool_y.o: ippool_y.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h
ippool_l.o: ippool_l.c ippool_y.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -I. -c ippool_l.c -o $@
-ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h ippool_l.h
+ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h ippool_l.h ippool_y.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-ippool_y.h: ippool_y.c
+ippool_y.h: $(TOOL)/ippool_y.y
+ (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool_l.c: $(TOOL)/lexer.c $(TOP)/ip_pool.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
@@ -449,10 +506,10 @@ iptrafcon: $(IPTRAFCON) $(OBJ)/libipf.a
.l.c:
clean:
- ${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
+ ${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
${RM} -f ../ipscan ../ipsyncm ../ipsyncs
${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon
- ${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld* ipfrule.kld*
+ ${RM} -f ipflkm ipnat ipfrule.ko* ipf.kld* ipfrule.kld*
${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h
${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h
${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h
@@ -481,8 +538,8 @@ install:
/bin/cp $(TOP)/$$i /usr/include/netinet/; \
$(CHMOD) 444 /usr/include/netinet/$$i; \
done
- -if [ -d /lkm -a -f if_ipl.o ] ; then \
- cp if_ipl.o /lkm; \
+ -if [ -d /lkm -a -f ipflkm.o ] ; then \
+ cp ipflkm.o /lkm; \
fi
-if [ -d /modules -a -f ipf.ko ] ; then \
if [ -f /modules/ipl.ko ] ; then \
@@ -494,6 +551,7 @@ install:
-if [ -d /modules -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /modules; \
fi
+.if ${MACHINE_ARCH} != amd64
-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
if [ -f /boot/kernel/ipl.ko ] ; then \
cp ipf.ko /boot/kernel/ipl.ko; \
@@ -504,8 +562,29 @@ install:
-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /boot/kernel; \
fi
- -if [ -d /usr/lkm -a -f if_ipl.o ] ; then \
- cp if_ipl.o /usr/lkm; \
+.else
+ -if [ -d /boot/kernel -a -f ipf.ko ] ; then \
+ if [ -f /boot/kernel/ipl.ko ] ; then \
+ objcopy --only-keep-debug ipf.ko
+ /boot/kernel/ipl.ko.symbols; \
+ objcopy --strip-debug \
+ --add-gnu-debuglink=ipl.ko.symbols \
+ ipf.ko /boot/kernel/ipl.ko; \
+ else \
+ objcopy --only-keep-debug ipf.ko \
+ /boot/kernel/ipf.ko.symbols; \
+ objcopy --strip-debug \
+ --add-gnu-debuglink=ipl.ko.symbols \
+ ipf.ko /boot/kernel/ipf.ko; \
+ fi \
+ fi
+ -if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
+ objcopy --only-keep-debug ipfrule.ko /boot/kernel/ipfrule.ko.symbols; \
+ objcopy --strip-debug --add-gnu-debuglink=ipfrule.ko.symbols ipfrule.ko /boot/kernel/ipfrule.ko; \
+ fi
+.endif
+ -if [ -d /usr/lkm -a -f ipflkm.o ] ; then \
+ cp ipflkm.o /usr/lkm; \
fi
-$(INSTALL) -cs -g wheel -m 755 -o root ipscan $(SBINDEST)
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
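Review bot: In the added amd64 branch the line `objcopy --only-keep-debug ipf.ko` has no trailing backslash, so the shell command ends in the middle of the `if` and the following line runs on its own. Because the recipe is prefixed with `-`, make ignores the failure and the install finishes without copying the new module into /boot/kernel, leaving the previously installed module in place. The line should be `objcopy --only-keep-debug ipf.ko \`. In the `else` arm the debug link is given as `--add-gnu-debuglink=ipl.ko.symbols` while the symbols are written to `/boot/kernel/ipf.ko.symbols`; it should be `--add-gnu-debuglink=ipf.ko.symbols`. The `install` target begins outside this hunk.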
@@ -533,8 +612,8 @@ install:
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
coverage:
- ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -k 1n -k 3n > report
- sort -k 1n -k 3n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += ($$F[0]/100)*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,($$t/$$lc)*100;' >> report
+ ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -n > report
+ sort -n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += $$F[0]/100*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,$$t/$$lc*100;' >> report
clean-coverage:
/bin/rm -f *.gcov *.da
diff --git a/contrib/ipfilter/BSD/Makefile.ipsend b/contrib/ipfilter/BSD/Makefile.ipsend
index a83de1c..68edf1a 100644
--- a/contrib/ipfilter/BSD/Makefile.ipsend
+++ b/contrib/ipfilter/BSD/Makefile.ipsend
@@ -1,5 +1,5 @@
#
-# $Id: Makefile.ipsend,v 2.8 2002/05/22 16:15:36 darrenr Exp $
+# $Id$
#
BINDEST=/usr/sbin
@@ -23,7 +23,8 @@ MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)"
#
-all build bsd-bpf : ipsend ipresend iptest
+build:
+all bsd-bpf : ipsend ipresend iptest
iplang_y.o: $(TOP)/iplang/iplang_y.y
(cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
@@ -103,6 +104,6 @@ dlcommon.o: $(TOP)/ipsend/dlcommon.c
sdlpi.o: $(TOP)/ipsend/sdlpi.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@
-install:
+install:
-$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
diff --git a/contrib/ipfilter/BSD/ipfadm-rcd b/contrib/ipfilter/BSD/ipfadm-rcd
index 41f62b0..dbbd151 100755
--- a/contrib/ipfilter/BSD/ipfadm-rcd
+++ b/contrib/ipfilter/BSD/ipfadm-rcd
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2006 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
index 04b257d..30df454 100644
--- a/contrib/ipfilter/BSD/kupgrade
+++ b/contrib/ipfilter/BSD/kupgrade
@@ -2,7 +2,7 @@
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
argv0=`basename $0`
-
+
os=`uname -s`
rev=`uname -r`
maj=`expr $rev : '\([0-9]*\)\.'`
@@ -23,6 +23,7 @@ fi
if [ -d /sys/dist/ipf ] ; then
ipfdir=/sys/dist/ipf/netinet
fi
+mkdir -m 755 -p $ipfdir/../net
confdir="$archdir/conf"
if [ -f /dev/ipnat ] ; then
major=`ls -l /dev/ipnat | sed -e 's/.* \([0-9]*\),.*/\1/'`
@@ -30,7 +31,7 @@ if [ -f /dev/ipnat ] ; then
else
major=x
fi
-
+
if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
echo "Trying to build ip_rules.c and ip_rules.h"
make ip_rules.c
@@ -43,8 +44,9 @@ if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
fi
fi
-echo -n "Installing "
-for j in auth frag nat proxy scan state sync pool htable lookup rules; do
+echo -n "Installing into $ipfdir"
+for j in auth frag nat proxy scan state sync pool dstlist htable lookup rules \
+ dstlist; do
for i in ip_$j.[ch]; do
if [ -f "$i" ] ; then
echo -n " $i"
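Review bot: The extended list names `dstlist` twice, once after `pool` and again on the continuation line, so `ip_dstlist.[ch]` is copied and reported twice. Dropping the continuation keeps the list unambiguous: `for j in auth frag nat proxy scan state sync pool dstlist htable lookup rules; do`. The loop body continues outside this hunk.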
@@ -53,6 +55,12 @@ for j in auth frag nat proxy scan state sync pool htable lookup rules; do
fi
done
done
+echo -n " net/radix_ipf.h"
+cp radix_ipf.h $ipfdir
+chmod 644 $ipfdir/radix_ipf.h
+echo -n " radix_ipf.c -> $ipfdir/radix_ipf.c"
+cp radix_ipf.c $ipfdir/radix_ipf.c
+chmod 644 $ipfdir/radix_ipf.c
case $os in
SunOS)
@@ -88,14 +96,16 @@ if [ -f $ipfdir/ip_fil.c ] ; then
chmod 644 $ipfdir/ip_fil.c
fi
-for i in ip_fil.h fil.c ip_log.c ip_compat.h ipl.h ip_*_pxy.c; do
+for i in ip_nat6.c ip_fil.h fil.c ip_log.c ip_compat.h ipl.h ip_*_pxy.c \
+ ip_fil_compat.c ipf_rb.h; do
echo -n " $i"
cp $i $ipfdir
chmod 644 $ipfdir/$i
done
echo ""
echo -n "Installing into /usr/include/netinet"
-for j in auth compat fil frag nat proxy scan state sync pool htable lookup; do
+for j in auth compat fil frag nat proxy scan state sync pool htable dstlist \
+ lookup; do
i=ip_$j.h
if [ -f "$i" ] ; then
echo -n " $i"
@@ -103,7 +113,7 @@ for j in auth compat fil frag nat proxy scan state sync pool htable lookup; do
chmod 644 /usr/include/netinet/$i
fi
done
-for j in ipl.h; do
+for j in ipl.h ipf_rb.h; do
if [ -f "$j" ] ; then
echo -n " $j"
cp $j /usr/include/netinet/$j
@@ -157,15 +167,19 @@ if [ $os = FreeBSD -a -f /sys/conf/files ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
- for i in htable pool lookup; do
+ for i in dstlist htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "contrib/ipfilter/netinet/ip_$i.c optional ipfilter inet ipfilter_lookup" >> files
fi
done
+ grep ip_fil_compat.c files >/dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ echo 'contrib/ipfilter/netinet/ip_fil_compat.c optional ipfilter inet ipfilter_compat' >> files
+ fi
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
- echo 'contrib/ipfilter/netinet/ip_sync.c optional ipfilter inet ipfilter_sync' >> files
+ echo 'contrib/ipfilter/netinet/ip_sync.c optional ipfilter inet' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
@@ -177,13 +191,19 @@ if [ $os = FreeBSD -a -f /sys/conf/files ] ; then
fi
fi
if [ $os = NetBSD -a -f /sys/conf/files ] ; then
+ if [ -f /sys/netinet/files.ipfilter ] ; then
+ if ! grep -q ip_fil_compat.c /sys/netinet/files.ipfilter; then
+ echo 'file dist/ipf/netinet/ip_fil_compat.c ipfilter & ipfilter_compat' >> /sys/netinet/files.ipfilter
+ echo 'defflag opt_ipfilter.h IPFILTER_COMPAT' >> /sys/netinet/files.ipfilter
+ fi
+ fi
cd /sys/conf
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
if [ $fullrev -ge 010600 -a $fullrev -lt 020000 ] ; then
- for i in htable pool lookup; do
+ for i in dstlist htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
@@ -191,7 +211,7 @@ if [ $os = NetBSD -a -f /sys/conf/files ] ; then
done
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files
+ echo 'file netinet/ip_sync.c ipfilter' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
@@ -210,15 +230,18 @@ if [ $os = OpenBSD -a -f /sys/conf/files ] ; then
cp -p files.preipf4 files
fi
if [ $fullrev -ge 030400 ] ; then
- for i in htable pool lookup; do
+ for i in dstlist htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
fi
done
- grep ip_sync.c files >/dev/null 2>&1
+ grep ip_fil_compat.c files >/dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ echo 'file netinet/ip_fil_compat.c ipfilter & ipfilter_compat' >> files
+ fi
if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files
+ echo 'file netinet/ip_sync.c ipfilter' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
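Review bot: The OpenBSD branch drops `grep ip_sync.c files >/dev/null 2>&1` but keeps the `if [ $? -ne 0 ]` that followed it, so that test now sees the exit status of the preceding `if ... fi` for ip_fil_compat.c, which is 0 whether or not the echo ran. As a result the `file netinet/ip_sync.c ipfilter` line is never appended on OpenBSD. Re-add `grep ip_sync.c files >/dev/null 2>&1` immediately before the second `if`, as the FreeBSD and NetBSD branches still do. The enclosing `if [ $os = OpenBSD ...` block starts and ends outside this hunk.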
@@ -241,7 +264,7 @@ cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__
KMOD= ipl
SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
! ip_log.c ip_fil.c fil.c
-
+
.if !defined(NOINET6)
CFLAGS+= -DUSE_INET6
.endif
@@ -249,10 +272,10 @@ cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__
! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS
--- 5,15 ----
KMOD= ipl
- SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
-! ip_log.c ip_fil.c fil.c ip_lookup.c ip_pool.c ip_htable.c \\
-! ip_sync.c ip_scan.c ip_rules.c
-
+ SRCS= mlfk_ipl.c ip_nat.c ip_nat6.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
+! ip_log.c ip_fil.c fil.c ip_lookup.c ip_pool.c ip_dstlist.c ip_htable.c \\
+! ip_sync.c ip_scan.c ip_rules.c ip_fil_compat.c
+
.if !defined(NOINET6)
CFLAGS+= -DUSE_INET6
.endif
@@ -261,4 +284,29 @@ cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__
! -DIPFILTER_LOOKUP -DIPFILTER_COMPILED
__EOF__
fi
+
+CONF=/sys/netinet/files.ipfilter
+if [ -f $CONF -a $os = NetBSD ] ; then
+ for i in ip_nat6.c ip_dstlist.c radix_ipf.c; do
+ echo "Checking for $i in $CONF"
+ grep $i $CONF >/dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ echo "Adding $i to $CONF"
+ sed -n -e /ip_nat.c/s/ip_nat.c/$i/p $CONF >> $CONF
+ fi
+ done
+fi
+
+CONF=/sys/conf/files
+if [ -f $CONF -a $os = FreeBSD ] ; then
+ for i in ip_nat6.c ip_dstlist.c radix_ipf.c; do
+ echo "Checking for $i in $CONF"
+ grep $i $CONF >/dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ echo "Adding $i to $CONF"
+ sed -n -e /ip_nat.c/,/NORMAL/p $CONF | \
+ sed -e s/ip_nat.c/$i/p >> $CONF
+ fi
+ done
+fi
exit 0
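Review bot: In the FreeBSD block the second `sed -e s/ip_nat.c/$i/p` runs without `-n`, so every line where the substitution applies is printed twice and `/sys/conf/files` receives duplicate entries for each added source file. Drop the `p` flag and quote the expression: `sed -e "s/ip_nat\.c/$i/" >> "$CONF"`. The unescaped `.` in `ip_nat.c` and in `grep $i $CONF` matches any character, and both blocks append to the file they are still reading. Writing the new lines to a temporary file and appending that afterwards would be safer for a script that edits kernel build configuration, presumably as root.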
diff --git a/contrib/ipfilter/BSD/upgrade b/contrib/ipfilter/BSD/upgrade
new file mode 100755
index 0000000..d5f8154
--- /dev/null
+++ b/contrib/ipfilter/BSD/upgrade
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
+argv0=`basename $0`
+
+case `pwd` in
+*BSD)
+ ;;
+*)
+ cd BSD
+ ;;
+esac
+os=`uname -s`
+rev=`uname -r`
+maj=`expr $rev : '\([0-9]*\)\.'`
+min=`expr $rev : '[0-9]*\.\([0-9]*\)'`
+sub=`expr $rev : '[0-9]*\.[0-9]*\.\([0-9]*\)'`
+plat=`uname -p`
+objdir=${os}-${rev}-${plat}
+
+# try to bomb out fast if anything fails....
+set -e
+
+for i in ipf ipfstat ipmon ipnat ippool; do
+ if [ ! -f /sbin/${i}.dist -a -f /sbin/${i} ] ; then
+ mv /sbin/${i} /sbin/${i}.dist
+ cp -p /sbin/${i}.dist /sbin/${i}
+ cp ${objdir}/${i} /sbin/
+ fi
+ if [ ! -f /usr/sbin/${i}.dist -a -f /usr/sbin/${i} ] ; then
+ mv /usr/sbin/${i} /usr/sbin/${i}.dist
+ cp -p /usr/sbin/${i}.dist /usr/sbin/${i}
+ cp ${objdir}/${i} /usr/sbin/
+ fi
+done
+if [ -f /boot/kernel/ipl.ko ] ; then
+ if [ ! -f /boot/kernel/ipl.ko.dist ] ; then
+ mv /boot/kernel/ipl.ko /boot/kernel/ipl.ko.dist
+ cp -p /boot/kernel/ipl.ko.dist /boot/kernel/ipl.ko
+ fi
+ if [ ! -f /boot/kernel/ipl.ko.symbols.dist ] ; then
+ mv /boot/kernel/ipl.ko.symbols /boot/kernel/ipl.ko.symbols.dist
+ fi
+ cp ${objdir}/ipf.ko /boot/kernel/ipl.ko
+fi
+exit 0
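Review bot: The `cp ${objdir}/${i}` lines sit inside the `! -f ...${i}.dist` guard, so on a second run the user-space tools are not refreshed while `/boot/kernel/ipl.ko` is overwritten unconditionally, which leaves tools and kernel module from different builds. Keep the one-time backup under the guard and do the copy whenever the installed binary exists, as in the loop below. Separately, `cd BSD` runs before `set -e`, and the `mv` of `ipl.ko.symbols` aborts the script under `set -e` when that file is absent, before the new module is copied. Moving `set -e` above the `case` and testing `-f /boot/kernel/ipl.ko.symbols` first would cover both.
```shell
for i in ipf ipfstat ipmon ipnat ippool; do
	for d in /sbin /usr/sbin; do
		if [ -f "$d/$i" ] ; then
			# back up the distribution binary once, install on every run
			if [ ! -f "$d/$i.dist" ] ; then
				cp -p "$d/$i" "$d/$i.dist"
			fi
			cp "${objdir}/$i" "$d/"
		fi
	done
done
# … unchanged: /boot/kernel/ipl.ko handling …
```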
diff --git a/contrib/ipfilter/FAQ.FreeBSD b/contrib/ipfilter/FAQ.FreeBSD
index 3b069c9..6539b4f 100644
--- a/contrib/ipfilter/FAQ.FreeBSD
+++ b/contrib/ipfilter/FAQ.FreeBSD
@@ -1,4 +1,4 @@
-These are Instructions for Configuring A FreeBSD Box For NAT
+These are Instructions for Configuring A FreeBSD Box For NAT
After you have installed IP-Filter.
You will need to change three files:
@@ -54,7 +54,7 @@ fpx0 is the interface with the real internet address.
/32 is the subnet mask 255.255.255.255, ie only use this ip address.
-portmap tcp/udp 10000:65000
+portmap tcp/udp 10000:65000
tells it to use the ports to redirect the tcp/udp calls through
@@ -67,7 +67,7 @@ reboots.
In your /etc/rc.local put the line:
-ipnat -f /etc/natrules
+ipnat -f /etc/natrules
To check and see if it is loaded, as root type
ipnat -ls
diff --git a/contrib/ipfilter/FWTK/ftp-gw.diff b/contrib/ipfilter/FWTK/ftp-gw.diff
index be61342..a47eba0 100644
--- a/contrib/ipfilter/FWTK/ftp-gw.diff
+++ b/contrib/ipfilter/FWTK/ftp-gw.diff
@@ -4,7 +4,7 @@
*** 11,31 ****
--- 11,41 ----
*/
- static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.1 1999/08/04 17:30:30 darrenr Exp $";
+ static char RcsId[] = "$Header$";
+ /*
+ * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96
diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff
index a6c21fa..8f0aeb4 100644
--- a/contrib/ipfilter/FWTK/fwtk_transparent.diff
+++ b/contrib/ipfilter/FWTK/fwtk_transparent.diff
@@ -124,7 +124,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
***************
*** 11,30 ****
#
- # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.2 2001/02/28 09:36:06 darrenr Exp $"
+ # RcsId: "$Header$"
# Your C compiler (eg, "cc" or "gcc")
@@ -145,7 +145,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
-Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
--- 11,34 ----
#
- # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.2 2001/02/28 09:36:06 darrenr Exp $"
+ # RcsId: "$Header$"
+ #
+ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c)
diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall
index 5a4368e..421681f 100755
--- a/contrib/ipfilter/FreeBSD-2.2/kinstall
+++ b/contrib/ipfilter/FreeBSD-2.2/kinstall
@@ -17,8 +17,8 @@ foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
+ breaksw
+ endsw
end
echo ""
echo "Copying /usr/include/osreldate.h to /sys/sys"
diff --git a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
index 5c30b57..5b9de7c 100644
--- a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
+++ b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
@@ -10,7 +10,7 @@ To build a kernel with the IP filter, follow these seven steps:
4. build a new kernel
5. install the new kernel
-
+
6. If not using DEVFS, create devices for IP Filter as follows:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
@@ -18,7 +18,7 @@ To build a kernel with the IP filter, follow these seven steps:
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
-
+
7. reboot
diff --git a/contrib/ipfilter/FreeBSD-3/kinstall b/contrib/ipfilter/FreeBSD-3/kinstall
index 20f0369..294e795 100755
--- a/contrib/ipfilter/FreeBSD-3/kinstall
+++ b/contrib/ipfilter/FreeBSD-3/kinstall
@@ -18,8 +18,8 @@ foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
+ breaksw
+ endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall
index ebd6e2e..9233199 100755
--- a/contrib/ipfilter/FreeBSD-4.0/kinstall
+++ b/contrib/ipfilter/FreeBSD-4.0/kinstall
@@ -20,8 +20,8 @@ foreach i (ip_{auth,fil,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
+ breaksw
+ endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall
index 2b67b9a..7d08503 100755
--- a/contrib/ipfilter/FreeBSD/kinstall
+++ b/contrib/ipfilter/FreeBSD/kinstall
@@ -17,8 +17,8 @@ foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
+ breaksw
+ endsw
end
echo ""
grep iplopen $archdir/$karch/conf.c >& /dev/null
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index b500c20..8b67de7 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -10,745 +10,268 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
-4.1.28 - Release 16 October 2007
-
-backout changes (B1) & (B2) as they've caused NAT entries to persist for
-too long and possibly other side effects.
-
-Still need to compile in our own radix.c for Solaris as the one in S10U4
-has a different alignment of structure members (causes panic)
-
-keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
-
-ippool -l may only lists every 2nd pool's contents
-
-4.1.27 - Released 29 September 2007
-
-SunOS5/replace script does not deal with i386 systems that have the
-i86/amd64 directory pair.
-
-make BSD/kupgrade try to build ip_rules.[ch] before complaining
-
-Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
-
-Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
-to drive 32bit cc builds differently for sparc/i386 now.
-
-Update instructions for rebuilding FreeBSD kernels
-
-Make the target "freebsd" work for building ipfilter
-
-destroying NAT entries for blocked packets can lead to NAT table entry leak,
-provide a counter of orphan'd NAT entries to track this problem.
-
-4.1.26 - Released 24 September 2007
-
-Fix build problem for Solaris prior to S10U4
-
-4.1.25 - Released 20 September 2007
-
-stepping through structures with ioctls can lead to the wrong things
-being free'd and panics
-
-if a NAT entry (such as an rdr) is created but the packet ends up being
-blocked, tear down the NAT entry.
-
-fix fragment cache preventing keep state from functioning
-
-fix handling of \ to indicate a continued line in .conf files
-
-include port ranges in the allowed input for ipf when using "port = ()"
-
-only advance TCP state for packets on the leading edge of the window. (B1)
-
-using ipnat -l can lead to memory corruption in high stress situations
-
-track TCP sequence numbers with NAT so that it can do timeout advances
-correctly inline with state
-
-ICMP checksums for some redirect'd packets are not adjusted correctly.
-
-IPv6 address components need to be explicitly cast to a 32bit pointer
-boundary so that compilers don't try to access them as two 64bit
-pieces (no guarantee is made that an Ipv6 address is on a 64bit
-aligned address)
-
-filling up the ipauth packet queue can lead to no more packets being
-processed.
-
-locking used to deref a nat entry causes a significant performance hit
-
-m_pulldown isn't properly handled, leading to possible panics with ICMPv6
-packets
-
-IPv6 fragment handling doesn't allow for "keep frag" to work
-
-build on Solaris10 Update4 with pfhooks in the kernel
-
-logging of Ipv6 packets with extension headers fix - Miroslaw Luc
-
-4.1.24 - Released 8 July 2007
-
-patch from Stuart Remphrey to address recursive mutex lock with TCP state
-
-add hash table bucket stats display to ipnat -s
-
-give ASSERT some teeth for user compiles
-
-initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
-early on
-
-do some caddr_t cleanup, where possible
-
-fr_ref no longer tracks the number of children rules in a group for head rules
-
-make sure all BCOPY* have a value assigned to something
-
-fix possible use of icmp pointer after pullup makes it invalid
-
-resolve compile problems related to FreeBSD tree
-
-4.1.23 - Released 31 May 2007
-
-NAT was not always correctly fixing ICMP headers for errors
-
-some TCP state steps when closing do not update timeouts, leading to
-them being removed prematurely. (B2)
-
-fix compilation problems for netbsd 4.99
-
-protect enumeration of lists in the kernel from callout interrupts on
-BSD without locking
-
-fix various problems with IPv6 header checks: TCP/UDP checksum validation
-was not being done, fragmentation header parsed dangerously and routing
-header prevented others from being seen
-
-fix gcc 4.2 compiler warnings
-
-fix TCP/UDP checksum calculation for IPv6
-
-fix reference after free'ing ipftoken memory
-
-4.1.22 - Released 13 May 2007
-
-fix endless loop when flushing state/NAT by idle time
-
-4.1.21 - Released 12 May 2007
-
-show the number of states created against a rule with "-v" for ipfstat
-
-fix build problems with FreeBSD
-
-make it possible to flush the state table by idle time and TCP state
-
-fix flushing out idle connections when state/NAT tables fill
-
-print out the TCP state population with ipfstat/ipnat
-
-stop creation of state table orphans via return-*/fastroute
-
-fix printing out of rule groups - they now only appear once
-
-4.1.20 - Released 30 April 2007
-
-adjust TCP state numbers, making 11 closed (was 0) to better facilitate
-detecting closing connections that we can wipe out when a SYN arrives
-that matches the old
-
-make it compile on Solaris10 Update3
-
-structures used for ipf command ioctls weren't being freed in timeout
-fashion on solairs
-
-use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
-
-adjust TCP timeout values and introduce a time-wait specifc timeout
-to get a better TCP FSM emulation and one that can hopefully do a better
-job of cleaning up in a speedy fashion than previous
-
-refactor the automatic flushing of TCP state entries when we fill up,
-but use the same algorithm as before but now it hopefully works
-
-only 2 out of 4 interface names were being changed by ipfs when
-interface renaming was being used for state entries
-
-add ipf_proxy_debug to ipf-T
-
-matching of last fragments that had a number of bytes that wasn't a
-multiple of 8 failed
-
-some combinations of TCP flags are considered bad aren't picked up as such,
-but these may be possible with T/TCP
-
-4.1.19 - Released 22 February 2007
-
-Fix up compilation problems with NetBSD and Solaris.
-
-4.1.18 - Released 18 February 2007
-
-fix compiling on Tru64
-
-fix listing out filter rules with ipfstat (delete token at end of
-the list and detect zero rule being returned.)
-
-fix extended flushing of NAT tables (was clearing out state tables)
-
-fix null-pointer deref in hash table lookup
-
-fix NAT and stateful filtering with to/reply-to on destination interface
-
-4.1.17 - Released 20 January 2007
-
-make flushing pools that are still in use mark them for deletion and
-have attempting to recreate them clear the delete flag
-
-walking through the NAT tables with ioctls caused lock recursion
-
-fix tracking TCP window scaling in the state code
-
-4.1.16 - Released 20 December 2006
-
-allow rdr rules to only differ on the new port number
-
-when creating state entry orphans, leave them on the linked list but not
-attached to the hash table and mark them visible as orphans in "ipfstat -sl"
-
-log state removed when unloading differently to allow visible cues
-
-return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
-
-abort logging a packet if the mbuf pointer is null when ipflog is called
-
-Some NetBSD's have a selinfo.h instead of select.h
-
-SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
-
-listing accounting rules using ioctl interface wasn't possible
-
-fix leakage of state entries due to packets not matching up with NAT
-
-improve ICMP error packet matching with state/NAT
-
-fix problems with parsing and printing "-" as an interface name in ipnat.conf
-
-4.1.15 - Released 03 November 2006
-
-Add in automatic flushing of NAT, like state, table if it fills up too much
-
-Update comments in the code for NAT checksum adjustments
-
-Fix compiling on FreeBSD 5.4 and 6.0
-
-prevent panics from read/write IOs trying to use uninitialised structures
-
-Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
-the size is not staticly defined
-
-Some gcc warning message cleanup from NetBSD
-
-Missing include for <sys/filio.h> on Solaris for poll work
-
-NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h
-
-4.1.14 - Released 04 October 2006
-
-rewrite checksum alteration for ICMP packets being NAT'd to use a sane
-algorithm that can be understood...now it needs better comments
-
-fix 1 byte error in checksum validation perl script
-
-remove unused files in lib directory
-
-ipftest will say "bad-packet" if it has been freed rather than just "blocked"
-
-make it possible to load IP address pools from external files in ippool.conf
-
-update copyright messages in tools directory
-
-consolidate ioctl hanlding source code into fil.c
-
-make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem
-
-4.1.13 - Released 4 April 2006
-
-fix bug where null pointers introduced by proxies could cause a crash
-
-pass out the rule flags with SIOCAUTHW
-
-force loading NAT rules with bad proxy labels to cause an error
-
-nat_state is used unsafely in calls to fr_addstate
-
-make return-rst and return-icmp* work with auth rules
-
-4.1.12 - Released 28 March 2006
-
-poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup
-
-make the fastroute code used by ipftest invoke state/NAT
-
-move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)
-
-remove unused code in fr_fastroute
-
-fix NAT with rules that specify forward and reverise interfaces
-
-add missing ipfsync_canread() and ipfsync_canwrite()
-
-behaviour of \ on the end of a line in ipf.conf does not match older behaviour
-
-remove duplicate statistics line output with "ipfstat -s"
-
-4.1.11 - Released 19 March 2006
-
-Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org
-
-NetBSD coverity report fixes (from run 5)
-
-Possible to reacquire ipf_auth without releasing it in some circumstances
-
-Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be
-
-Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux
-
-Using auth rules to return "keep state" got broken with pushing fr_addstate
-call into fr_firewall
-
-all use of '!' in map/rdr rules to match use in ipf configs
-
-add -L command line option to ipmon to set the default syslog facility
-
-looking up a port number is more complex than needed in ipft_tx.c
-
-allow lib/getport to work when neither tcp or udp are specified in a rule
-
-remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c
-
-program in some more cases where TCP packets fail an initial in-window
-check but should be allowed to match
-
-filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
-initialise all fields, making it possible to panic
-
-simplify NAT ICMP error handling where it updates checksums
-
-rename "min" variables to "xmin" on NetBSD to avoid problems with the
-macro "min"
-
-#ifdef's for NetBSD compile incorrect for pfil interface
-
-support select/poll on NetBSD
-
-copying out a packet with an auth rule fails (EFAULT) because the wrong
-pointer is passed to copyoutptr
-
-ip_len/ip_off where byte swapped twice instead of once for packets
-going to be stored on the auth queue
-
-change timeout queue manipulation functions to make fewer mutex calls
-
-fix use of skip rules with groups
-fix coding problems discovered by the coverity project for FreeBSD
-
-update BPF program validation with FreeBSD changes
-
-4.1.10 - Released 6 December 2005
-
-Expand regression testing to cover more features
-
-Add "coverage" build target for BSD
-
-Fix building 64bit sparc target for Solaris
-
-Add IPv6 mobility header to list of accepted keywords for V6 headers
-
-Resolve locking problems on Solaris when sending RST/icmp packets
-
-#ifdef's for IPFILTER_BPF need to check if words are defined before
-using them in comparisons
-
-Add checking for SACK permitted option in TCP SYN packets
-
-Fix loading anonymous pools from inline rule configuration groups
-
-Add -C command line option to ipftest
-
-Include extra "const" from NetBSD
-
-Don't require SIOCKSTLCK for SIOCSTPUT
-
-Fix some use of "sticky" on NAT rules
-
-Fix statistical counting of deleting state for TCP connections
-
-Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
-
-Fix TCP out-of-window (OOW) problems:
-- window scaling turned off if one chose for its scale factor
-- Microsoft Windows TCP sends the "next packet" to the right of the window
- when using SACK and filling in a hole
-
-4.1.9 - Released 13 August 2005
-
-make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
-is defined when compiled.
-
-move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
-
-make the BSD/upgrade script more instructive about the requiements for
-ip_rules.[ch] when it is run
-
-register for interface events on FreeBSD (>5.2.1) and NetBSD so that
-"ipf -y" is not not requried to tell ipfilter about interface changes.
-
-for "quick" rules that do "keep state", move the state adding into the rule
-evaluation so that we can detect it failing as rules are evaluated and
-continue on to the next rather than wait until we're done and it's too late
-to recover for more rule processing.
-
-mark ICMP packets advertising an MTU that's too small as being bad
-
-rework ipv6 header parsing to get better code reuse and fix logic errors
-in dealing with ipv6 packets containing fragment headers. Also, where a
-protocol handler was doing both v4 & v6, make a seperate function for each.
-
-build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible
-
-include start of work to get IPFilter working on AIX 5.3
-
-Use FI_ICMPERR flag rather than try to compute its equivalent all the time
-
-Rewrork IPv6 extension header parsing to get better code reuse
-
-Add missing timeout on Linux
-
-Fix for locking when reading from ipsync (Frank Volf)
-
-Fix insertion/appending of rules that use a collection number
-
-Somehow turning up the spl knob to splnet disappeared on platforms that still
-use the spl interface.
-
-fix problems with "ipf -T" not listing multiple variables properly
-
-4.1.8 - Released 29 March 2005
-
-include path from Phil Dibowitz for sorting ipfstat -t output by source or
-destination port.
-
-fix a bug in printing rules where interface names could not be printed,
-even if they're in the rule structure.
-
-fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD
-
-add 2 new features to SIOCGNATL:
-- if IPN_FINDFORWARD is set, check if the respective MAP is already
- present in the outbound table
-- if IPN_IN is set, search for a matching MAP entry instead of RDR
- (Peter Potsma)
-
-turn off function inlining for freebsd 5.3+
-
-UDP doesn't pullup enough data which can sometimes cause a panic.
-Fix other protocols, as required, where a similar problem may exist.
-
-overhaul the timeout queue management, especially that for user defined queues
-which are now only freed in an orderly manner.
-
-4.1.7 - Released 13 March 2005
-
-Using the GRE call field is almost impossible because it is unbalanced and
-both call fields are not present in each v1 header.
-
-Fix a problem where it was possible to load duplicate rules into ipf
-
-patch from John Wehle to address problems with fastroute on solaris
-
-Copying data out for ipf -z failed because it tried to copy out to an address
-that is a kernel pointer in user space.
-
-add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
-
-synch up with NetBSD's changes
-
-fix problems parsing long lines of text in the ftp proxy where they would not
-be parsed properly and stop the session from working
-
-enhance the PPTP proxy so that it tries to decode messages in the TCP stream
-so it knows when to create and destroy the state/nat sessions for GRE. There
-are also 4 new regression tests for it, testing map/rdr rules.
-
-impose some limits on the size of data that can be moved with SIOCSTPUT in
-the NAT code and also prevent a duplicate session entry from being created
-using this method.
-
-add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
-to check if it is possible to create an outgoing transparent NAT mapping to
-compliment the redirect being investigated.
-
-Linux requires that the checksums in the IP header get adjusted
-
-only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
-in SIOCSTPUT to prevent bad data being loaded from userspace.
-
-make the byte counting for state correct (was counting data from ICMP packet
-twice)
-
-print out the keyword "frag-body" if the flag is set.
-
-fix ipfs loading/restoring NAT sessions
-
-patch from Frank to correctly format IP addresses in ipfstat -t output
-
-parsing port numbers in ipf/ipnat was confusing as the port number was returned
-in an int that was also overloaded to be the suceess/failure. instead, change
-the port using pass by reference and only use the return value for indicating
-success or failure.
-
-4.1.6 - Released 19 February 2005
-
-add a new timeout number to NAT (fr_defnatipage) that is used for all
-non-TCP/UDP/ICMP protocols - default 60 seconds.
-
-buffer leak with bad nat - David Gueluy
-
-fix memory leak with state entries created by proxies
-
-eliminate copying too much data into a scan buffer
-
-allow a trailing protocol name for map rules as well as rdr ones
-
-fix bug in parsing of <= and > for NAT rules (two were crossed over)
-
-FreeBSD's iplwrite hasn't kept pace with iplread's prototype
-
-expand documention on the karma of using "auto" in ipnat map rules
-
-add matching on IP protocol to ipnat map rules
-
-allow ippool definitions to contain no addresses to start with
-
-Linux NAT needs to modify the IP header checksum as it gets called after it
-has been computed by IP.
-
-UDP was missing a pullup for packet header information before examining
-the header
-
-4.1.5 - Released 9 January 2005
-
-all rules were being converted into "dup-to" rules in the kernel
-
-fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
-complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
-over correctly.
-
-response to CWDs
-revert ip_off back to network byte order in the ICMP error packet that
-gets generated.
-
-4.1.4 - Released 9 January 2005
-
-force NAT rules to only match ipv4 NAT rules (which all are, currently,
-by default)
-
-include state synchronisation fixes from Frank Volf
-
-make the maximum log size for internally buffered log entries accessible
-via "ipf -T"
-
-redesign start of fr_check() to avoid putting duplicate information in
-ipfilter about how much data needs to be pulled up for a protocol to be
-properly filtered.
-
-tidy up sending ICMP error messages - some bad inputs could result in
-data not being freed and/or no error returned.
-
-make the maximum size of the log buffer run-time tunable
-
-fix bug in parsing TCP header when looking for MSS option that could make
-the system hang
-
-change pool lookups that fail to find a match to return "no match"
-rather than fail.
-
-add run-time tunable debugging for proxy support code and FTP proxy.
-
-fix state table updates for entries where the first packet as an ICMPv6
-multicast message
-
-fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
-too
-
-attaching filtering to ipv6 pfil hook wasn't present for solaris
-
-don't allow rules with "keep state" and "with oow"
-
-move a bunch of userland only code from fil.c to ip_fil.c
-
-make fr_coalesce() more resiliant to bad input, just returning an error
-instead of crashing, making calling it easier in many places
-
-When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
-to the same mbuf passed in as the first arg.
-
-remove fr_unreach and use ENETUNREACH by default.
-
-printing out of tag data in ipf rules doesn't match input syntax
-
-ipftest(1) man page update
-
-ipfs command line option parsing still rejects some valid syntaxes
-
-SIGHUP handling by ipmon was not as safe as it could be
-
-fix various parsing regressions, including "<thishost>", "tcpudp", ordering
-of "keep" options
-
-patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
-ICMP packet length not calculated correctly in send_icmp_err, reply-to
-not printed by ipfstat, keep state with icmp passing (mtrr)
-
-patches for return-rst and return-icmp from Attila Fueloep
-(lichtscheu@gesindel.org)
-
-4.1.3 - Released 18 July 2004
-
-do some more fine tuning on NAT checksum adjustments
-
-correct IP address byte order in proxy setup for ipsec/pptp
-
-man page updates
-
-fix numerous problems with ipfs operation
-
-complete new syntax for ipmon.conf in its parser and update the sample file
-
-assign error value consistantly in fastroute code
-
-rewrite allocation of mbufs in send_reset/send_icmp_err to better use
-mbuf clusters and size calculations
-
-resolve problem with linux panic'ing because the wrong flag was being
-passed to skb_clone/skb_alloc
-
-enable use of shared/exclusive locks on freebsd5 and above
-
-do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
-and so use mbufchainlen to get the mbuf length instead
-
-replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
-going to be on the stack and not in userland
-
-packet buffer pointers were not refreshed & used properly in fr_check()
-
-include extra bits for OpenBSD 3.4 & 3.5.
-
-fix ipf/ipnat parsing regression problems with v3.4
-
-4.1.2 - RELEASED - 27 May 2004
-
-add state top for ipv6
-
-fix numerous parsing regressions
-
-change sample proxies to use SIOCGNATL with the new API
-
-allow macro names to contain underscores (_)
-
-split the parser into a collection of dictionaries so that keywords do
-not interfere with resolving hostnames and portnames
-
-fix ipfrule LKM loading on freebsd
-
-support mapping a fixed range of ports to a single port
-
-fix timeout queue use by proxies with private queues
-
-handle space-led ftp server replies properly
-
-fix timeout queue management
-
-fix fastroute, generation of RST & ICMP packets and operation with to/fastroute
-
-resolve further linux compatibility problems
-
-replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
-args on the stack
-
-allow flushing of ipv6 rules independant of ipv4 rules
-
-correct internal ipv6 checksum calculations
-
-if a 'keep state' rule fails to create state, block the packet rather
-than let it through
-
-correct all checksums in regression tests and correct NAT code to adjust
-checksums correctly.
-
-fix ipfs -R/-W
-
-4.1.1 - RELEASED - 24 March 2004
-
-allow new connections with the same port numbers as an existing one
-in the state table if the creating packet is a SYN
-
-timeout values have drifted, incorrectly, from what they were in 3.4
-
-FreeBSD - compatibility changes for 5.2
-
-don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
-ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
-rather than per "flow"
-
-fr_cksum() returned the wrong answer for ICMP
-
-Linux:
-- get return-rst and return-icmp working
-- treat the interface name the same as if_xname on BSD
-
-adjust expectations for TCP urgent bits based on observed traffic in the
-wild
-
-openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called
-
-fix flushing of hash pool gorups (ippool -F) as well as displaying them
-(ippool -l)
-
-passing of pointers to interface structures wrong for HP-UX/Solaris with
-return-* rules.
-
-Make the solaris boot script able to run on 2.5.1
-
-ippool related files missing from Solaris packages
-
-The name /dev/ippool should be /dev/iplookup
-
-add regression testing for parsing long interface names in nat rules,
-along with mssclamp and tags. Also add test for mssclamp operation.
-
-ttl displayed for "ipfstat -t" is wrong because ttl is not computed.
-
-parse logical interface names (Sun)
-
-unloading LKMs was only working if they were enabled.
-
-sync'ing up NAT sessions when NICs change should cause NAT rules to
-re-lookup name->pointer mappings
-
-not all of the ippool ioctl's are IOWR and they should be because they
-use the ipfobj_t for passing information in/out of the kernel. leave the
-old values defined and handle them, for compatibility.
-
-pool stats wrong: ippoolstate used where ipoolstat should be, hash table
- statistics not reported at all
-
-fr_running not set correctly for OpenBSD when compiled into the kernel
-
-Allow SIOCGETFF while disabled
-
-Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
-altered. How do you say "untested" ?)
+5.1.2 - RELEASED - 22 Jul 2012
+
+3546266 macro letters could be more consistent
+3546265 not all of the state statistics are displayed
+3546261 scripts for updating BSD environment out of date
+3546260 compiler warnings about non-integer array subscript
+3546259 asserting numdereflists == 0 is not correct
+3546258 expression matching does not see IPF_EXP_END
+3544317 ipnat/ipfstat are not using ipfexp_t
+3545324 proxy checksum calculation is not hardware aware
+3545321 FTP sequence number adjustment incorrectly applied
+3545320 EPSV is not recognised
+3545319 move nat rule creation to ip_proxy.c
+3545317 better feedback of checksum requirements for proxies
+3545314 ftp proxy levels do not make sense
+3545312 EPRT is not supported by ftp proxy
+3544318 ipnat.conf parsing ignores LHS address family
+3545309 non-ipv6 safe proxies do not fail with ipv6
+3545323 NAT updates the source port twice
+3545322 ipv6 nat rules cannot start proxies
+3544314 bucket copyout tries to copy too much data
+3544313 remove nat encap feature
+3546248 compat rule pointer type mismatch
+3546247 UDP hardware checksum offload not recognised
+3545311 ifp_ifaddr does not find the first set address
+3545310 ipmon needs ipl_sec on 64bit boundary
+3545326 reference count changes made without lock
+3544315 stateful matching does not use ipfexp_t
+3543493 tokens are not flushed when disabled
+3543487 NAT rules do not always release lookup objects
+3543491 function comments in ip_state.c are old
+3543404 ipnat.conf parsing uses family/ip version badly
+3543403 incorrect line number printed in ipnat parsing errors
+3543402 Not all NAT statistics are printed
+3542979 NAT session list management is too simple
+3542978 ipv4 and ipv6 nat insert have common hash insertion
+3542977 ipnat_t refence tracking incomplete
+3542975 proxies must use ipnat_t separately
+3542980 printing ipv6 expressions is wrong
+3542983 ippool cannot handle more than one ipv6 address
+3543018 mask array shifted incorrectly.
+3542974 reason for dropping packet is lost
+3542982 line numbers not recorded/displayed correctly by ipf
+3542981 exclamation mark cuases trouble with pools
+3541655 test suite checksums incorrect
+3541653 display proxy fail status correctly
+3540993 IP header offset excluded in pullup calculations
+3540994 pullupmsg does not work as required
+3540992 pointer to ipv6 frag header not updated on pullup
+3541645 netmask management adds /32 for /0
+3541637 ipnat parser does not zero port fields for non-port protocol
+3541635 pool names cannot by numbers
+3540995 IPv6 fragment tracking does not always work
+3540996 printing of nextip for ipv6 nat rules is wrong
+3540999 ipnat.conf parsing has trouble with icmpidmap for ipv6
+3540825 whois output parsing error for ipv6
+3540814 ipfd_lock serves no purpose
+3540810 lookup objects need tail pointers
+3540809 refactor hash table lookups for nat
+3540819 radix tree does not work with ipv6
+3540820 mutex emulation should be logged
+3540828 ipfstat filtering with -m fails tests
+3536480 ippool could be more like the others
+3536477 pool printing not uniform
+3536483 flushing empty destination lists causes panic
+3536481 more use of bzero after KMALLOC required
+3536479 ipnat.conf line numbers not stored
+3536484 Makefile missing dependency for ippool
+3536199 TFTP proxy requires something extra
+3536198 ICMP checksum out by one
+3536203 ipnat does not return an error
+3536201 ipf.conf parsing too address friendly
+3536200 printing of bytes/packets not indented
+3497941 ipv4 multicast detection incorrect on little endian
+3535361 to interfaces printed out of order
+3535363 ipf parser is inconsistent
+3532306 deleting ipnat rules does not work
+3532054 new error required for ipf_rx_create
+3532053 icmp6 checksums wrong
+3532052 icmpv6 state check with incorrect length
+3531871 checksum verification wants too many icmp6 bytes
+3531870 ipnat.conf parsing needs to support inet6
+3532048 error in ipf group parsing
+3531868 ICMPV6 checksum not validated
+3531893 ipftest exits without error for bad input
+3531890 whois pool parsing builds bad structures
+3531891 icmpv6 text parsing ignorant of icmp types
+3531653 rewrite with icmp does not work
+3530563 NAT operations fail with EPERM
+3530544 first pass at gcc -Wextra cleanup
+3530540 lookup create functions do not set error properly
+3530539 ipf_main_soft_destroy doesn't need 2nd arg
+3530541 reorder structure for better packing
+3530543 ipnat purge needs documentation
+3530515 BSD upgrade script required
+3528029 ipmon bad-mutex panic
+3530247 loading address pools light on input validation
+3530255 radix tree delete uses wrong lookup
+3530254 radix tree allocation support wrong
+3530264 ipmon prints qd for some 64bit numbers
+3530260 decapsulate rules not printed correctly.
+3530266 ipfstat -v/-d flags confused
+2939220 why a packet is blocked is not discernable
+2939218 output interface not recorded
+2941850 use of destination lists with to/dup-to beneficial
+3457747 build errors introduced with radix change
+3535360 timeout groups leak
+3535359 memory leak with tokens
+3535358 listing rules in groups requires tracking groups
+3535357 rule head removal is problematic
+3530259 not all ioctl error checked wth SIOCIPFINTERROR
+3530258 error routine that uses fd required
+3530253 inadequate function comment blocks
+3530249 walking lookup tables leaks memory
+3530241 extra lock padding required for freebsd
+3529901 ipf returns 0 when rules fail to load
+3529491 checksum validation could be better
+3529486 tcp checksum wrong for ipv6
+3533779 ipv6 nat rules missing inet6 keyword
+3532693 ipnat.conf rejects some ipv6 addresses
+3532691 ipv4 should not be forced for icmp
+3532689 ipv6 nat rules do not print inet6
+3532688 ipv6 address always printed with "to <if>"
+3532687 with v6hdrs not supported like with ipopts
+3532686 ipf expressions do not work with ipv6
+3540825 whois output parsing error for ipv6
+3540818 NAT for certain IPv6 ICMP packets should not be allowed
+3540815 memory leak with destination lists
+3540814 ipfd_lock serves no purpose
+3540810 lookup objects need tail pointers
+3540809 refactor hash table lookups for nat
+3540808 completed tokens do not stop iteration
+3530492 address hash table name not used
+3528029 ipmon bad-mutex panic
+3530256 hook memory leaked
+3530271 pools parsing produces badly formed address structures
+3488061 cleanup for illumos build
+3484434 SIOCIPFINTERROR must work for all devices
+3484067 mandoc -Tlint warnings to be fixed
+3483343 compile warning in ipfcomp.c
+3482893 building without IPFILTER_LOG fails
+3482765 building netbsd kernel without inet6 fails
+3482116 ipf_check frees packet from ipftest
+3481663 does not compile on solaris 11
+
+5.1.1 - RELEASED - 9 May 2012
+
+3481322 ip_fil_compat.c needs a cleanup
+3481211 add user errors to dtrace
+3481152 compatibility for 4.1 needs more work
+3481153 PRIu64 problems on FreeBSD
+3481155 ipnat listing incorrect
+3480543 change leads to compat problems
+3480538 compiler errors from earlier patch
+3480537 ipf_instance_destroy is incomplete
+3480536 _fini order leads to panic
+3479991 compiler warnings about size mismatches
+3479974 copyright dates are wrong (fix)
+3479464 add support for leaks testing
+3479457 %qu is not the prefered way
+3479451 iterators leak memory
+3479453 nat rules with pools leak
+3479454 memory leak in hostmap table
+3479461 load_hash uses memory after free
+3479462 printpool leaks memory
+3479452 missing FREE_MB_T to freembt leaks
+3479450 ipfdetach is called when detached
+3479448 group mapping rules memory leak
+3479455 memory leak from tuning
+3479458 ipf must be running in global zone
+3479460 driver replace is wrong
+3479459 radix tree tries to free null pointer
+3479463 rwlock emulation does not free memory
+3479465 parser leaks memory
+3475959 hardware checksum not correctly used
+3475426 ip pseudo checksum wrong
+3473566 radix tree does not delete dups right
+3472987 compile is not clean
+3472337 not everything is zero'd
+3472344 interface setup needs to be after insert
+3472340 wildcard counter drops twice
+3472338 change fastroute interface
+3472335 kernel lock defines not placed correctly
+3472324 ICMP INFOREQ/REPLY not handled
+3472330 multicast packets tagged by address
+3472333 ipf_deliverlocal called incorrectly
+3472345 mutex debug could be more granular
+3472761 building i19 regression is flawed
+3456457 use of bsd tree.h needs to be removed
+3460522 code cleanup required for building on freebsd
+3459734 trade some cpu for memory
+3457747 build errors introduced with radix change
+3457804 build errors from removal of pcap-int,h
+3440163 rewrite radix tree
+3428004 snoop, tcpdump, etherfind readers are unused
+3439495 ipf_rand_push never called (fix brackets)
+3437732 getnattype does not need to use ipnat_t (fix variable name)
+3437696 fr_cksum is a nightmare
+3439061 ipf_send_ip doesn't need 3rd arg
+3439059 ipid needs to be file local
+3437740 complete buildout of fnew
+3438575 add dtrace probes to block events
+3438347 comment blocks missing softc
+3437687 description of ipf_makefrip wrong
+3438340 more stats as dtrace probes
+3438316 free on nat structure uses fixed size
+3437745 nat iterator using the wrong size
+3437710 fail checksum verification if packet is short
+3437696 fr_cksum is a nightmare
+3437732 getnattype does not need to use ipnat_t
+3437735 rename ipf_allocmbt to allocmbt
+3437697 fr_family to version assignment is wrong
+3437746 ap_session_t has unused fields
+3437747 move softc structure to .h file (ip_state.c)
+3437704 there is no DTRACE_PROBE5
+3437748 wrong interface in qpktinfo_t
+3437729 create function to hexdump mb_t
+3438273 msgdsize should be easier to read
+3437683 object direction not set for 32bit
+3433767 calling ip_cksum could be easier
+3433764 left over locking
+3428015 printing proxy data size is useless
+3428013 add M_ADJ to hide adjmsg/m_adj
+3428012 interface name is not always returned correctly
+3428002 ip_ttl is too low
+3427997 ipft readers do not set buffer length
+3426558 resistence is futile
+3424495 various copy-paste errors
+1826936 shall we allow ipf to be as dumb as its admin
+3424477 specfuncs needs to go
+3424484 missing fr_checkv6sum
+3424478 one entry at a time
+2998760 auth rules do not mix well with to/dup-to/fastroute
+3424195 add ctfmerge to sunos5 makefile
+3424132 some dtrace probes to start with
+3423812 makefile needs ip_frag.h for some files
+3423817 reference count useful in verbose output
+3423800 walking lists does not drop reference
+3423805 fragmentation stats not reported correclty
+3423808 ip addresses reportied incorrectly with ipfstat -f
+3423821 track packets and bytes for fragmentation
+3423803 attempt to double free rule
+3423805 fragmentation stats not reported correctly
+3422712 system panic with ipfstat -f
+3422619 pullup counter bumped for every packet
+3422608 dummy rtentry required to build
+3422018 frflush next to ipf_fini_all is redundant
+3422012 instance cleanup is not clean
+3421845 instance name not set
+3005622 ip_fil5.1.0 does not load on Solaris 10 U8
+2976332 stateful filtering is incompatible with ipv4 options
+3387509 ipftest needs help construction ip packets with options
+2998746 passp can never be null
+3064034 mbuf clobbering problem with ipv6
+3105725 ipnat divide by zero panic
+2998750 ipf_htent_insert can leak memory
+3064034 mbuf clobbering problem with ipv6
+3105725 ipnat divie by zero panic
+
+5.1 - RELEASED - 9 May 2010
+
+* See WhatsNew50.txt
4.1 - RELEASED - 12 February 2004
@@ -1744,7 +1267,7 @@ loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
should use SPLNET/SPLX around expire routines in NAT/frag/state code.
-redeclared malloc in 44arp.c -
+redeclared malloc in 44arp.c -
3.1.7 8/2/97 - Released
diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD
index a4a787a..2a16942 100644
--- a/contrib/ipfilter/INSTALL.FreeBSD
+++ b/contrib/ipfilter/INSTALL.FreeBSD
@@ -1,8 +1,11 @@
-This file is for use with FreeBSD 4.x and 5.x only.
+Thi file is for use with FreeBSD 4.x and 5.x only.
To build a kernel for use with the loadable kernel module, follow these
steps:
+ 0. Run "config GENERIC" or similar in /sys/i386/conf or the
+ appropriate directory for your kernel.
+
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
@@ -16,10 +19,12 @@ steps:
5. install and reboot with the new kernel
- 6. use modload(8) to load the packet filter with:
+ 6. use modload(8)/kldload(8) to load the packet filter with:
modload if_ipl.o
+ kldload ipf.ko
- 7. do "modstat" to confirm that it has been loaded successfully.
+ 7. do "modstat" or "kldstat" to confirm that it has been loaded
+ successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 334cd45..1ac9c94 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-2001 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
@@ -13,8 +13,7 @@ BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/local/man
#To test prototyping
-#CC=gcc -Wstrict-prototypes -Wmissing-prototypes
-# -Wunused -Wuninitialized
+CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Wunused -Wuninitialized
#CC=gcc
#CC=cc -Dconst=
DEBUG=-g
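Review bot: The newly enabled `CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Wunused -Wuninitialized` still sits under the comment "To test prototyping", so a test-only setting becomes the default compiler choice for this Makefile. The commented alternatives right below it (`#CC=gcc`, `#CC=cc -Dconst=`) suggest that non-gcc compilers are expected on some targets, and those builds would now need a manual edit. If the warnings are meant to stay on, keep them out of CC, for example `WARNFLAGS=-Wstrict-prototypes -Wmissing-prototypes -Wunused -Wuninitialized` added to the compile flags. How CFLAGS is assembled is not visible in this hunk. Either way, update the comment to say that the setting is now intentional.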
@@ -36,13 +35,13 @@ IPFLOG=-DIPFILTER_LOG
#
#COMPIPF=-DIPFILTER_COMPILED
#
-# To enable synchronisation between IPFilter hosts
+# To enable IPFilter compatibility with older CLI utilities
#
-#SYNC=-DIPFILTER_SYNC
+#COMPATIPF=-DIPFILTER_COMPAT
#
-# To enable extended IPFilter functionality
+# To enable synchronisation between IPFilter hosts
#
-LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN
+#SYNC=-DIPFILTER_SYNC
#
# The facility you wish to log messages from ipmon to syslogd with.
#
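Review bot: The assignment `LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN` is removed without a replacement, yet the `MFLAGS1` line in the `@@ -110,6 +114,7 @@` hunk still forwards `"LOOKUP=$(LOOKUP)"` to the sub-makes. `ALLOPTS` in the next hunk also keeps `-DIPFILTER_LOOKUP`, so the define appears to be still in use. Unless LOOKUP is set somewhere outside the visible hunks, the sub-makes receive an empty value, and pool/lookup support could be left out of the kernel build with no message. Either keep a documented default such as `LOOKUP=-DIPFILTER_LOOKUP`, or remove the forwarding and add a comment saying lookup support is now unconditional.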
@@ -65,22 +64,27 @@ LOGFAC=-DLOGFAC=LOG_SECURITY
# By default IPFilter looks for /usr/src/linux, but you may have to change
# it to /usr/src/linux-2.4 or similar.
#
-LINUXKERNEL=/usr/src/linux
+LINUXKERNEL=/usr/src/kernels/2.6.29.5-191.fc11.i586
LINUX=`uname -r | awk -F. ' { printf"%d",$$1;for(i=1;i<NF&&i<3;i++){printf("%02d",$$(i+1));}}'`
+#
+#
+#
+#BUILDROOT=/usr/src/redhat/BUILD/ipfilter
+BUILDROOT=${HOME}/rpmbuild/BUILDROOT/ipfilter-4.1.32-1.i386
#
# All of the compile-time options are here, used for compiling the userland
# tools for regression testing. Well, all except for IPFILTER_LKM, of course.
#
ALLOPTS=-DIPFILTER_LOG -DIPFILTER_LOOKUP \
- -DIPFILTER_SCAN -DIPFILTER_SYNC -DIPFILTER_CKSUM
+ -DIPFILTER_SYNC -DIPFILTER_CKSUM
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
# (requires that you have installed ncurses).
#STATETOP_CFLAGS=-DSTATETOP
#
-# Where to find the ncurses include files (if not in default path),
+# Where to find the ncurses include files (if not in default path),
#
#STATETOP_INC=
#STATETOP_INC=-I/usr/local/include
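Review bot: `LINUXKERNEL` and `BUILDROOT` are now set to what look like paths from one build machine: `/usr/src/kernels/2.6.29.5-191.fc11.i586` and `${HOME}/rpmbuild/BUILDROOT/ipfilter-4.1.32-1.i386`. The comment directly above still says IPFilter looks in /usr/src/linux by default, and the BUILDROOT path names 4.1.32 while this commit's HISTORY describes 5.1.x. A Linux build on any other host would pick up a kernel tree that is missing or does not match the running kernel. Keep `LINUXKERNEL=/usr/src/linux` as the default and leave local values commented out, for example `#LINUXKERNEL=/usr/src/kernels/<kernel-version>`. Replace the three empty `#` lines above BUILDROOT with a sentence saying what BUILDROOT is used for.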
@@ -93,7 +97,7 @@ ALLOPTS=-DIPFILTER_LOG -DIPFILTER_LOOKUP \
#
# Uncomment this when building IPv6 capability.
#
-#INET6=-DUSE_INET6
+INET6=-DUSE_INET6
#
# For packets which don't match any pass rules or any block rules, set either
# FR_PASS or FR_BLOCK (respectively). It defaults to FR_PASS if left
@@ -110,6 +114,7 @@ MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(SGIREV) $(INET6)' \
'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' "BPFILTER=$(BPFILTER)" \
'STATETOP_INC=$(STATETOP_INC)' 'STATETOP_LIB=$(STATETOP_LIB)' \
"BITS=$(BITS)" "OBJ=$(OBJ)" "LOOKUP=$(LOOKUP)" "COMPIPF=$(COMPIPF)" \
+ "COMPATIPF=$(COMPATIPF)" \
'SYNC=$(SYNC)' 'ALLOPTS=$(ALLOPTS)' 'LIBBPF=$(LIBBPF)'
MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)"
MACHASSERT=`/bin/ls -1 /usr/sys/*/mach_assert.h | head -1`
@@ -156,10 +161,6 @@ include:
touch netinet/done; \
fi
-(cd netinet; ln -s ../ip_rules.h ip_rules.h)
- if [ ! -f net/done ] ; then \
- (cd net; ln -s ../radix_ipf.h .; ); \
- touch net/done; \
- fi
sunos solaris: include
MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
@@ -189,7 +190,7 @@ freebsd22: include
fi
make freebsd20
-freebsd5 freebsd6 freebsd7: include
+freebsd5 freebsd6 freebsd7 freebsd8: include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
@@ -212,7 +213,7 @@ freebsd5 freebsd6 freebsd7: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
+# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
freebsd4 : include
if [ x$(INET6) = x ] ; then \
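Review bot: The ipsend build step for the freebsd5–freebsd8 target is disabled by commenting the recipe line out, with nothing to say why; the netbsd hunk below does the same. If ipsend no longer builds on these targets, either delete the line or put a comment above it such as `# ipsend is not built here: <reason>`, so the next reader does not re-enable it blindly. The target's recipe starts outside this hunk.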
@@ -241,7 +242,7 @@ netbsd: include
exit 1; \
fi
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
+# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
openbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
@@ -294,7 +295,7 @@ setup:
clean: clean-include
/bin/rm -rf h y.output
- ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
+ ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipflkm \
vnode_if.h $(LKM) *~
/bin/rm -rf sparcv7 sparcv9 mdbgen_build
(cd SunOS4; $(MAKE) TOP=.. clean)
@@ -352,7 +353,7 @@ sunos4 solaris1:
(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
- (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
+ (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" INSTANCE=$(INSTANCE); cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
linux: include
@@ -361,7 +362,7 @@ linux: include
# (cd Linux; make -f Makefile.ipsend build LINUX=$(LINUX) TOP=.. "CC=$(CC)" $(MFLAGS); cd ..)
install-linux: linux
- (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) install ; cd ..)
+ (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) ROOTDIR=$(BUILDROOT) install ; cd ..)
install-bsd:
(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
@@ -407,4 +408,3 @@ mdb:
-DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \
-I/home/dr146992/pfil -I/home/dr146992/ipf -f \
/usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h
-
diff --git a/contrib/ipfilter/NAT.FreeBSD b/contrib/ipfilter/NAT.FreeBSD
index 8a7e952..4a1a7ed 100644
--- a/contrib/ipfilter/NAT.FreeBSD
+++ b/contrib/ipfilter/NAT.FreeBSD
@@ -1,4 +1,4 @@
-These are Instructions for Configuring A FreeBSD Box For NAT
+These are Instructions for Configuring A FreeBSD Box For NAT
After you have installed IpFilter.
You will need to change three files:
@@ -54,7 +54,7 @@ fpx0 is the interface with the real internet address.
/32 is the subnet mask 255.255.255.255, ie only use this ip address.
-portmap tcp/udp 10000:65000
+portmap tcp/udp 10000:65000
tells it to use the ports to redirect the tcp/udp calls through
@@ -67,7 +67,7 @@ reboots.
In your /etc/rc.local put the line:
-ipnat -f /etc/natrules
+ipnat -f /etc/natrules
To check and see if it is loaded, as root type
ipnat -ls
diff --git a/contrib/ipfilter/WhatsNew50.txt b/contrib/ipfilter/WhatsNew50.txt
new file mode 100644
index 0000000..adbf0a9
--- /dev/null
+++ b/contrib/ipfilter/WhatsNew50.txt
@@ -0,0 +1,83 @@
+What's new in 5.1
+=================
+
+General
+-------
+* all of the tuneables can now be set at any time, not just whilst disabled
+ or prior to loading rules;
+
+* group identifiers may now be a number or name (universal);
+
+* man pages rewritten
+
+* tunables can now be set via ipf.conf;
+
+Logging
+-------
+* ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using
+ information from log entries from the kernel;
+
+NAT changes
+-----------
+* DNS proxy for the kernel that can block queries based on domain names;
+
+* FTP proxy can be configured to limit data connections to one or many
+ connections per client;
+
+* NAT on IPv6 is now supported;
+
+* rewrite command allows changing both the source and destination address
+ in a single NAT rule;
+
+* simple encapsulation can now be configured with ipnat.conf,
+
+* TFTP proxy now included;
+
+Packet Filtering
+----------------
+* acceptance of ICMP packets for "keep state" rules can be refined through
+ the use of filtering rules;
+
+* alternative form for writing rules using simple filtering expressions;
+
+* CIPSO headers now recognised and analysed for filtering on DOI;
+
+* comments can now be a part of a rule and loaded into the kernel and
+ thus displayed with ipfstat;
+
+* decapsulation rules allow filtering on inner headers, providing they
+ are not encrypted;
+
+* interface names, aside from that the packet is on, can be present in
+ filter rules;
+
+* internally now a single list of filter rules, there is no longer an
+ IPv4 and IPv6 list;
+
+* rules can now be added with an expiration time, allowing for their
+ automatic removal after some period of time;
+
+* single file, ipf.conf, can now be used for both IPv4 and IPv6 rules;
+
+* stateful filtering now allows for limits to be placed on the number
+ of distinct hosts allowed per rule;
+
+Pools
+-----
+* addresses added to a pool via the command line (only!) can be given
+ an expiration timeout;
+
+* destination lists are a new type of address pool, primarily for use with
+ NAT rdr rules, supporting newer algorithms for target selection;
+
+* raw whois information saved to a file can be used to populate a pool;
+
+Solaris
+-------
+* support for use in zones with exclusive IP instances fully supported.
+
+Tools
+-----
+* use of matching expressions allows for refining what is displayed or
+ flushed;
+
diff --git a/contrib/ipfilter/arc4random.c b/contrib/ipfilter/arc4random.c
new file mode 100644
index 0000000..04b0797
--- /dev/null
+++ b/contrib/ipfilter/arc4random.c
@@ -0,0 +1,277 @@
+/*-
+ * THE BEER-WARE LICENSE
+ *
+ * <dan@FreeBSD.ORG> wrote this file. As long as you retain this notice you
+ * can do whatever you want with this stuff. If we meet some day, and you
+ * think this stuff is worth it, you can buy me a beer in return.
+ *
+ * Dan Moschuk
+ */
+#if !defined(SOLARIS2) && !defined(__osf__)
+# include <sys/cdefs.h>
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef __FreeBSD__
+# include <sys/kernel.h>
+#endif
+#if !defined(__osf__)
+# include <sys/random.h>
+#endif
+#ifdef __FreeBSD__
+# include <sys/libkern.h>
+#endif
+#include <sys/lock.h>
+#ifndef __osf__
+# include <sys/mutex.h>
+#endif
+#include <sys/time.h>
+
+#if defined(SOLARIS2) && (SOLARIS2 < 9)
+# include <netinet/in_systm.h>
+#endif
+#include <sys/socket.h>
+#include <net/if.h>
+#ifdef __osf__
+# include <net/route.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include "netinet/ip_compat.h"
+#ifdef HAS_SYS_MD5_H
+# include <sys/md5.h>
+#else
+# include "md5.h"
+#endif
+
+#ifdef NEED_LOCAL_RAND
+#if !defined(__GNUC__)
+# define __inline
+#endif
+
+#define ARC4_RESEED_BYTES 65536
+#define ARC4_RESEED_SECONDS 300
+#define ARC4_KEYBYTES (256 / 8)
+
+static u_int8_t arc4_i, arc4_j;
+static int arc4_numruns = 0;
+static u_int8_t arc4_sbox[256];
+static time_t arc4_t_reseed;
+static ipfmutex_t arc4_mtx;
+static MD5_CTX md5ctx;
+
+static u_int8_t arc4_randbyte(void);
+static int ipf_read_random(void *dest, int length);
+
+static __inline void
+arc4_swap(u_int8_t *a, u_int8_t *b)
+{
+ u_int8_t c;
+
+ c = *a;
+ *a = *b;
+ *b = c;
+}
+
+/*
+ * Stir our S-box.
+ */
+static void
+arc4_randomstir (void)
+{
+ u_int8_t key[256];
+ int r, n;
+ struct timeval tv_now;
+
+ /*
+ * XXX read_random() returns unsafe numbers if the entropy
+ * device is not loaded -- MarkM.
+ */
+ r = ipf_read_random(key, ARC4_KEYBYTES);
+ GETKTIME(&tv_now);
+ MUTEX_ENTER(&arc4_mtx);
+ /* If r == 0 || -1, just use what was on the stack. */
+ if (r > 0) {
+ for (n = r; n < sizeof(key); n++)
+ key[n] = key[n % r];
+ }
+
+ for (n = 0; n < 256; n++) {
+ arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
+ arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
+ }
+
+ /* Reset for next reseed cycle. */
+ arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
+ arc4_numruns = 0;
+
+ /*
+ * Throw away the first N words of output, as suggested in the
+ * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
+ * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
+ */
+ for (n = 0; n < 256*4; n++)
+ arc4_randbyte();
+ MUTEX_EXIT(&arc4_mtx);
+}
+
+/*
+ * Initialize our S-box to its beginning defaults.
+ */
+static void
+arc4_init(void)
+{
+ int n;
+
+ MD5Init(&md5ctx);
+
+ MUTEX_INIT(&arc4_mtx, "arc4_mtx");
+ arc4_i = arc4_j = 0;
+ for (n = 0; n < 256; n++)
+ arc4_sbox[n] = (u_int8_t) n;
+
+ arc4_t_reseed = 0;
+}
+
+
+/*
+ * Generate a random byte.
+ */
+static u_int8_t
+arc4_randbyte(void)
+{
+ u_int8_t arc4_t;
+
+ arc4_i = (arc4_i + 1) % 256;
+ arc4_j = (arc4_j + arc4_sbox[arc4_i]) % 256;
+
+ arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]);
+
+ arc4_t = (arc4_sbox[arc4_i] + arc4_sbox[arc4_j]) % 256;
+ return arc4_sbox[arc4_t];
+}
+
+/*
+ * MPSAFE
+ */
+void
+arc4rand(void *ptr, u_int len, int reseed)
+{
+ u_int8_t *p;
+ struct timeval tv;
+
+ GETKTIME(&tv);
+ if (reseed ||
+ (arc4_numruns > ARC4_RESEED_BYTES) ||
+ (tv.tv_sec > arc4_t_reseed))
+ arc4_randomstir();
+
+ MUTEX_ENTER(&arc4_mtx);
+ arc4_numruns += len;
+ p = ptr;
+ while (len--)
+ *p++ = arc4_randbyte();
+ MUTEX_EXIT(&arc4_mtx);
+}
+
+uint32_t
+ipf_random(void)
+{
+ uint32_t ret;
+
+ arc4rand(&ret, sizeof ret, 0);
+ return ret;
+}
+
+
+static u_char pot[ARC4_RESEED_BYTES];
+static u_char *pothead = pot, *pottail = pot;
+static int inpot = 0;
+
+/*
+ * This is not very strong, and this is understood, but the aim isn't to
+ * be cryptographically strong - it is just to make up something that is
+ * pseudo random.
+ */
+void
+ipf_rand_push(void *src, int length)
+{
+ static int arc4_inited = 0;
+ u_char *nsrc;
+ int mylen;
+
+ if (arc4_inited == 0) {
+ arc4_init();
+ arc4_inited = 1;
+ }
+
+ if (length < 64) {
+ MD5Update(&md5ctx, src, length);
+ return;
+ }
+
+ nsrc = src;
+ mylen = length;
+
+#if defined(_SYS_MD5_H) && defined(SOLARIS2)
+# define buf buf_un.buf8
+#endif
+ MUTEX_ENTER(&arc4_mtx);
+ while ((mylen > 64) && (sizeof(pot) - inpot > sizeof(md5ctx.buf))) {
+ MD5Update(&md5ctx, nsrc, 64);
+ mylen -= 64;
+ nsrc += 64;
+ if (pottail + sizeof(md5ctx.buf) > pot + sizeof(pot)) {
+ int left, numbytes;
+
+ numbytes = pot + sizeof(pot) - pottail;
+ bcopy(md5ctx.buf, pottail, numbytes);
+ left = sizeof(md5ctx.buf) - numbytes;
+ pottail = pot;
+ bcopy(md5ctx.buf + sizeof(md5ctx.buf) - left,
+ pottail, left);
+ pottail += left;
+ } else {
+ bcopy(md5ctx.buf, pottail, sizeof(md5ctx.buf));
+ pottail += sizeof(md5ctx.buf);
+ }
+ inpot += 64;
+ }
+ MUTEX_EXIT(&arc4_mtx);
+#if defined(_SYS_MD5_H) && defined(SOLARIS2)
+# undef buf
+#endif
+}
+
+
+static int
+ipf_read_random(void *dest, int length)
+{
+ if (length > inpot)
+ return 0;
+
+ MUTEX_ENTER(&arc4_mtx);
+ if (pothead + length > pot + sizeof(pot)) {
+ int left, numbytes;
+
+ left = length;
+ numbytes = pot + sizeof(pot) - pothead;
+ bcopy(pothead, dest, numbytes);
+ left -= numbytes;
+ pothead = pot;
+ bcopy(pothead, dest + length - left, left);
+ pothead += left;
+ } else {
+ bcopy(pothead, dest, length);
+ pothead += length;
+ }
+ inpot -= length;
+ if (inpot == 0)
+ pothead = pottail = pot;
+ MUTEX_EXIT(&arc4_mtx);
+
+ return length;
+}
+
+#endif /* NEED_LOCAL_RAND */
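Review bot: In `arc4_randomstir`, when `ipf_read_random()` returns 0 (fewer than `ARC4_KEYBYTES` bytes in the pot) the S-box is keyed from whatever the uninitialised `key[256]` stack buffer held, so `arc4rand()`/`ipf_random()` output is not backed by any collected input and the reseed timer is still reset for `ARC4_RESEED_SECONDS`. I would declare the buffer as `u_int8_t key[256] = { 0 };` and, for `r <= 0`, leave `arc4_t_reseed` unchanged so the next call retries the stir once the pot has data. Separately, `ipf_rand_push` adds 64 to `inpot` per iteration while `pottail` advances by `sizeof(md5ctx.buf)`; if those differ (the MD5_CTX layout is not visible here) `ipf_read_random` can hand out pot bytes that were never written. The `length > inpot` test in `ipf_read_random`, the reseed test in `arc4rand` and the `length < 64` `MD5Update` path in `ipf_rand_push` all touch shared state outside `arc4_mtx`, which sits oddly with the "MPSAFE" comment.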
diff --git a/contrib/ipfilter/etc/protocols b/contrib/ipfilter/etc/protocols
index 30c5b76..dec8fb9 100644
--- a/contrib/ipfilter/etc/protocols
+++ b/contrib/ipfilter/etc/protocols
@@ -101,4 +101,4 @@ any 99 any # private encryption scheme
gmtp 100 GMTP # GMTP
pim 103 PIM # Protocol Independant Multicast
ipcomp 108 IPCOMP # IP Payload Compression Protocol
-reserved 255 Reserved #
+reserved 255 Reserved #
diff --git a/contrib/ipfilter/etc/services b/contrib/ipfilter/etc/services
index d8aa0d5..ad83348 100644
--- a/contrib/ipfilter/etc/services
+++ b/contrib/ipfilter/etc/services
@@ -228,7 +228,7 @@ qmtp 209/tcp # The Quick Mail Transfer Protocol
qmtp 209/udp # The Quick Mail Transfer Protocol
anet 212/tcp # ATEXSSTR
anet 212/udp # ATEXSSTR
-ipx 213/tcp # IPX
+ipx 213/tcp # IPX
ipx 213/udp # IPX
vmpwscs 214/tcp # VM PWSCS
vmpwscs 214/udp # VM PWSCS
@@ -1104,8 +1104,8 @@ shockwave 1626/tcp # Shockwave
shockwave 1626/udp # Shockwave
oraclenet8cman 1630/tcp # Oracle Net8 Cman
oraclenet8cman 1630/udp # Oracle Net8 Cman
-visitview 1631/tcp # Visit view
-visitview 1631/udp # Visit view
+visitview 1631/tcp # Visit view
+visitview 1631/udp # Visit view
pammratc 1632/tcp # PAMMRATC
pammratc 1632/udp # PAMMRATC
pammrpc 1633/tcp # PAMMRPC
diff --git a/contrib/ipfilter/genmask.c b/contrib/ipfilter/genmask.c
new file mode 100644
index 0000000..75193e3
--- /dev/null
+++ b/contrib/ipfilter/genmask.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
+
+#include "ipf.h"
+
+
+int genmask(family, msk, mskp)
+ int family;
+ char *msk;
+ i6addr_t *mskp;
+{
+ char *endptr = 0L;
+ u_32_t addr;
+ int bits;
+
+ if (strchr(msk, '.') || strchr(msk, 'x') || strchr(msk, ':')) {
+ /* possibly of the form xxx.xxx.xxx.xxx
+ * or 0xYYYYYYYY */
+ switch (family)
+ {
+#ifdef USE_INET6
+ case AF_INET6 :
+ if (inet_pton(AF_INET6, msk, &mskp->in4) != 1)
+ return -1;
+ break;
+#endif
+ case AF_INET :
+ if (inet_aton(msk, &mskp->in4) == 0)
+ return -1;
+ break;
+ default :
+ return -1;
+ /*NOTREACHED*/
+ }
+ } else {
+ /*
+ * set x most significant bits
+ */
+ bits = (int)strtol(msk, &endptr, 0);
+
+ switch (family)
+ {
+ case AF_INET6 :
+ if ((*endptr != '\0') || (bits < 0) || (bits > 128))
+ return -1;
+ fill6bits(bits, mskp->i6);
+ break;
+ case AF_INET :
+ if (*endptr != '\0' || bits > 32 || bits < 0)
+ return -1;
+ if (bits == 0)
+ addr = 0;
+ else
+ addr = htonl(0xffffffff << (32 - bits));
+ mskp->in4.s_addr = addr;
+ break;
+ default :
+ return -1;
+ /*NOTREACHED*/
+ }
+ }
+ return 0;
+}
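Review bot: In the prefix-length branch of `genmask`, an empty `msk` is accepted as a zero-bit mask: `strtol` consumes nothing, `*endptr` is `'\0'` and `bits` is 0, so the function returns 0 with an all-zero mask that matches every address. Both family checks should also reject the no-digits case, e.g. `if (endptr == msk || *endptr != '\0' || bits > 32 || bits < 0)`, and range-checking the `long` before the `(int)` cast would stop oversized values wrapping into the accepted range. Two consistency points in the same function: the `AF_INET6` case of the second switch is not inside `#ifdef USE_INET6` like the one in the first switch, and the `inet_pton(AF_INET6, ...)` call stores 16 bytes through `&mskp->in4`, which only works if the members of `i6addr_t` share storage (presumably a union; confirm) and would read better with the IPv6 member. A short header comment giving the accepted forms (dotted quad, 0x hex, IPv6 text, bit count) and the 0 / -1 return convention would help callers.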
diff --git a/contrib/ipfilter/ip_dstlist.c b/contrib/ipfilter/ip_dstlist.c
new file mode 100644
index 0000000..ce2e72e
--- /dev/null
+++ b/contrib/ipfilter/ip_dstlist.c
@@ -0,0 +1,1351 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
+#endif
+#if defined(__osf__)
+# define _PROTO_NET_H_
+#endif
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/file.h>
+#if !defined(_KERNEL) && !defined(__KERNEL__)
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# define _KERNEL
+# ifdef __OpenBSD__
+struct file;
+# endif
+# include <sys/uio.h>
+# undef _KERNEL
+#else
+# include <sys/systm.h>
+# if defined(NetBSD) && (__NetBSD_Version__ >= 104000000)
+# include <sys/proc.h>
+# endif
+#endif
+#include <sys/time.h>
+#if !defined(linux)
+# include <sys/protosw.h>
+#endif
+#include <sys/socket.h>
+#if defined(_KERNEL) && (!defined(__SVR4) && !defined(__svr4__))
+# include <sys/mbuf.h>
+#endif
+#if defined(__SVR4) || defined(__svr4__)
+# include <sys/filio.h>
+# include <sys/byteorder.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
+# include <sys/stream.h>
+# include <sys/kmem.h>
+#endif
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
+
+#include <net/if.h>
+#include <netinet/in.h>
+
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_lookup.h"
+#include "netinet/ip_dstlist.h"
+
+/* END OF INCLUDES */
+
+#ifdef HAS_SYS_MD5_H
+# include <sys/md5.h>
+#else
+# include "md5.h"
+#endif
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: ip_dstlist.c,v 1.13.2.12 2012/07/20 08:40:19 darren_r Exp $";
+#endif
+
+typedef struct ipf_dstl_softc_s {
+ ippool_dst_t *dstlist[LOOKUP_POOL_SZ];
+ ippool_dst_t **tails[LOOKUP_POOL_SZ];
+ ipf_dstl_stat_t stats;
+} ipf_dstl_softc_t;
+
+
+static void *ipf_dstlist_soft_create __P((ipf_main_softc_t *));
+static void ipf_dstlist_soft_destroy __P((ipf_main_softc_t *, void *));
+static int ipf_dstlist_soft_init __P((ipf_main_softc_t *, void *));
+static void ipf_dstlist_soft_fini __P((ipf_main_softc_t *, void *));
+static int ipf_dstlist_addr_find __P((ipf_main_softc_t *, void *, int,
+ void *, u_int));
+static size_t ipf_dstlist_flush __P((ipf_main_softc_t *, void *,
+ iplookupflush_t *));
+static int ipf_dstlist_iter_deref __P((ipf_main_softc_t *, void *, int, int,
+ void *));
+static int ipf_dstlist_iter_next __P((ipf_main_softc_t *, void *, ipftoken_t *,
+ ipflookupiter_t *));
+static int ipf_dstlist_node_add __P((ipf_main_softc_t *, void *,
+ iplookupop_t *, int));
+static int ipf_dstlist_node_del __P((ipf_main_softc_t *, void *,
+ iplookupop_t *, int));
+static int ipf_dstlist_stats_get __P((ipf_main_softc_t *, void *,
+ iplookupop_t *));
+static int ipf_dstlist_table_add __P((ipf_main_softc_t *, void *,
+ iplookupop_t *));
+static int ipf_dstlist_table_del __P((ipf_main_softc_t *, void *,
+ iplookupop_t *));
+static int ipf_dstlist_table_deref __P((ipf_main_softc_t *, void *, void *));
+static void *ipf_dstlist_table_find __P((void *, int, char *));
+static void ipf_dstlist_table_free __P((ipf_dstl_softc_t *, ippool_dst_t *));
+static void ipf_dstlist_table_remove __P((ipf_main_softc_t *,
+ ipf_dstl_softc_t *, ippool_dst_t *));
+static void ipf_dstlist_table_clearnodes __P((ipf_dstl_softc_t *,
+ ippool_dst_t *));
+static ipf_dstnode_t *ipf_dstlist_select __P((fr_info_t *, ippool_dst_t *));
+static void *ipf_dstlist_select_ref __P((void *, int, char *));
+static void ipf_dstlist_node_free __P((ipf_dstl_softc_t *, ippool_dst_t *, ipf_dstnode_t *));
+static int ipf_dstlist_node_deref __P((void *, ipf_dstnode_t *));
+static void ipf_dstlist_expire __P((ipf_main_softc_t *, void *));
+static void ipf_dstlist_sync __P((ipf_main_softc_t *, void *));
+
+ipf_lookup_t ipf_dstlist_backend = {
+ IPLT_DSTLIST,
+ ipf_dstlist_soft_create,
+ ipf_dstlist_soft_destroy,
+ ipf_dstlist_soft_init,
+ ipf_dstlist_soft_fini,
+ ipf_dstlist_addr_find,
+ ipf_dstlist_flush,
+ ipf_dstlist_iter_deref,
+ ipf_dstlist_iter_next,
+ ipf_dstlist_node_add,
+ ipf_dstlist_node_del,
+ ipf_dstlist_stats_get,
+ ipf_dstlist_table_add,
+ ipf_dstlist_table_del,
+ ipf_dstlist_table_deref,
+ ipf_dstlist_table_find,
+ ipf_dstlist_select_ref,
+ ipf_dstlist_select_node,
+ ipf_dstlist_expire,
+ ipf_dstlist_sync
+};
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_soft_create */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* */
+/* Allocating a chunk of memory filled with 0's is enough for the current */
+/* soft context used with destination lists. */
+/* ------------------------------------------------------------------------ */
+static void *
+ipf_dstlist_soft_create(softc)
+ ipf_main_softc_t *softc;
+{
+ ipf_dstl_softc_t *softd;
+ int i;
+
+ KMALLOC(softd, ipf_dstl_softc_t *);
+ if (softd == NULL) {
+ IPFERROR(120028);
+ return NULL;
+ }
+
+ bzero((char *)softd, sizeof(*softd));
+ for (i = 0; i <= IPL_LOGMAX; i++)
+ softd->tails[i] = &softd->dstlist[i];
+
+ return softd;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_soft_destroy */
+/* Returns: Nil */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* */
+/* For destination lists, the only thing we have to do when destroying the */
+/* soft context is free it! */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_soft_destroy(softc, arg)
+ ipf_main_softc_t *softc;
+ void *arg;
+{
+ ipf_dstl_softc_t *softd = arg;
+
+ KFREE(softd);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_soft_init */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* */
+/* There is currently no soft context for destination list management. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_soft_init(softc, arg)
+ ipf_main_softc_t *softc;
+ void *arg;
+{
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_soft_fini */
+/* Returns: Nil */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* */
+/* There is currently no soft context for destination list management. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_soft_fini(softc, arg)
+ ipf_main_softc_t *softc;
+ void *arg;
+{
+ ipf_dstl_softc_t *softd = arg;
+ int i;
+
+ for (i = -1; i <= IPL_LOGMAX; i++) {
+ while (softd->dstlist[i + 1] != NULL) {
+ ipf_dstlist_table_remove(softc, softd,
+ softd->dstlist[i + 1]);
+ }
+ }
+
+ ASSERT(softd->stats.ipls_numderefnodes == 0);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_addr_find */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg1(I) - pointer to local context to use */
+/* arg2(I) - pointer to local context to use */
+/* arg3(I) - pointer to local context to use */
+/* arg4(I) - pointer to local context to use */
+/* */
+/* There is currently no such thing as searching a destination list for an */
+/* address so this function becomes a no-op. Its presence is required as */
+/* ipf_lookup_res_name() stores the "addr_find" function pointer in the */
+/* pointer passed in to it as funcptr, although it could be a generic null- */
+/* op function rather than a specific one. */
+/* ------------------------------------------------------------------------ */
+/*ARGSUSED*/
+static int
+ipf_dstlist_addr_find(softc, arg1, arg2, arg3, arg4)
+ ipf_main_softc_t *softc;
+ void *arg1, *arg3;
+ int arg2;
+ u_int arg4;
+{
+ return -1;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_flush */
+/* Returns: int - number of objects deleted */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* fop(I) - pointer to lookup flush operation data */
+/* */
+/* Flush all of the destination tables that match the data passed in with */
+/* the iplookupflush_t. There are two ways to match objects: the device for */
+/* which they are to be used with and their name. */
+/* ------------------------------------------------------------------------ */
+static size_t
+ipf_dstlist_flush(softc, arg, fop)
+ ipf_main_softc_t *softc;
+ void *arg;
+ iplookupflush_t *fop;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ippool_dst_t *node, *next;
+ int n, i;
+
+ for (n = 0, i = -1; i <= IPL_LOGMAX; i++) {
+ if (fop->iplf_unit != IPLT_ALL && fop->iplf_unit != i)
+ continue;
+ for (node = softd->dstlist[i + 1]; node != NULL; node = next) {
+ next = node->ipld_next;
+
+ if ((*fop->iplf_name != '\0') &&
+ strncmp(fop->iplf_name, node->ipld_name,
+ FR_GROUPLEN))
+ continue;
+
+ ipf_dstlist_table_remove(softc, softd, node);
+ n++;
+ }
+ }
+ return n;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_iter_deref */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* otype(I) - type of data structure to iterate through */
+/* unit(I) - device we are working with */
+/* data(I) - address of object in kernel space */
+/* */
+/* This function is called when the iteration token is being free'd and is */
+/* responsible for dropping the reference count of the structure it points */
+/* to. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_iter_deref(softc, arg, otype, unit, data)
+ ipf_main_softc_t *softc;
+ void *arg;
+ int otype, unit;
+ void *data;
+{
+ if (data == NULL) {
+ IPFERROR(120001);
+ return EINVAL;
+ }
+
+ if (unit < -1 || unit > IPL_LOGMAX) {
+ IPFERROR(120002);
+ return EINVAL;
+ }
+
+ switch (otype)
+ {
+ case IPFLOOKUPITER_LIST :
+ ipf_dstlist_table_deref(softc, arg, (ippool_dst_t *)data);
+ break;
+
+ case IPFLOOKUPITER_NODE :
+ ipf_dstlist_node_deref(arg, (ipf_dstnode_t *)data);
+ break;
+ }
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_iter_next */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* uid(I) - uid of process doing the ioctl */
+/* */
+/* This function is responsible for either selecting the next destination */
+/* list or node on a destination list to be returned as a user process */
+/* iterates through the list of destination lists or nodes. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_iter_next(softc, arg, token, iter)
+ ipf_main_softc_t *softc;
+ void *arg;
+ ipftoken_t *token;
+ ipflookupiter_t *iter;
+{
+ ipf_dstnode_t zn, *nextnode = NULL, *node = NULL;
+ ippool_dst_t zero, *next = NULL, *dsttab = NULL;
+ ipf_dstl_softc_t *softd = arg;
+ int err = 0;
+ void *hint;
+
+ switch (iter->ili_otype)
+ {
+ case IPFLOOKUPITER_LIST :
+ dsttab = token->ipt_data;
+ if (dsttab == NULL) {
+ next = softd->dstlist[(int)iter->ili_unit + 1];
+ } else {
+ next = dsttab->ipld_next;
+ }
+
+ if (next != NULL) {
+ ATOMIC_INC32(next->ipld_ref);
+ token->ipt_data = next;
+ hint = next->ipld_next;
+ } else {
+ bzero((char *)&zero, sizeof(zero));
+ next = &zero;
+ token->ipt_data = NULL;
+ hint = NULL;
+ }
+ break;
+
+ case IPFLOOKUPITER_NODE :
+ node = token->ipt_data;
+ if (node == NULL) {
+ dsttab = ipf_dstlist_table_find(arg, iter->ili_unit,
+ iter->ili_name);
+ if (dsttab == NULL) {
+ IPFERROR(120004);
+ err = ESRCH;
+ nextnode = NULL;
+ } else {
+ if (dsttab->ipld_dests == NULL)
+ nextnode = NULL;
+ else
+ nextnode = *dsttab->ipld_dests;
+ dsttab = NULL;
+ }
+ } else {
+ nextnode = node->ipfd_next;
+ }
+
+ if (nextnode != NULL) {
+ MUTEX_ENTER(&nextnode->ipfd_lock);
+ nextnode->ipfd_ref++;
+ MUTEX_EXIT(&nextnode->ipfd_lock);
+ token->ipt_data = nextnode;
+ hint = nextnode->ipfd_next;
+ } else {
+ bzero((char *)&zn, sizeof(zn));
+ nextnode = &zn;
+ token->ipt_data = NULL;
+ hint = NULL;
+ }
+ break;
+ default :
+ IPFERROR(120003);
+ err = EINVAL;
+ break;
+ }
+
+ if (err != 0)
+ return err;
+
+ switch (iter->ili_otype)
+ {
+ case IPFLOOKUPITER_LIST :
+ if (dsttab != NULL)
+ ipf_dstlist_table_deref(softc, arg, dsttab);
+ err = COPYOUT(next, iter->ili_data, sizeof(*next));
+ if (err != 0) {
+ IPFERROR(120005);
+ err = EFAULT;
+ }
+ break;
+
+ case IPFLOOKUPITER_NODE :
+ if (node != NULL)
+ ipf_dstlist_node_deref(arg, node);
+ err = COPYOUT(nextnode, iter->ili_data, sizeof(*nextnode));
+ if (err != 0) {
+ IPFERROR(120006);
+ err = EFAULT;
+ }
+ break;
+ }
+
+ if (hint == NULL)
+ ipf_token_mark_complete(token);
+
+ return err;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_node_add */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* uid(I) - uid of process doing the ioctl */
+/* Locks: WRITE(ipf_poolrw) */
+/* */
+/* Add a new node to a destination list. To do this, we only copy in the */
+/* frdest_t structure because that contains the only data required from the */
+/* application to create a new node. The frdest_t doesn't contain the name */
+/* itself. When loading filter rules, fd_name is a 'pointer' to the name. */
+/* In this case, the 'pointer' does not work, instead it is the length of */
+/* the name and the name is immediately following the frdest_t structure. */
+/* fd_name must include the trailing \0, so it should be strlen(str) + 1. */
+/* For simple sanity checking, an upper bound on the size of fd_name is */
+/* imposed - 128. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_node_add(softc, arg, op, uid)
+ ipf_main_softc_t *softc;
+ void *arg;
+ iplookupop_t *op;
+ int uid;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ipf_dstnode_t *node, **nodes;
+ ippool_dst_t *d;
+ frdest_t dest;
+ int err;
+
+ if (op->iplo_size < sizeof(frdest_t)) {
+ IPFERROR(120007);
+ return EINVAL;
+ }
+
+ err = COPYIN(op->iplo_struct, &dest, sizeof(dest));
+ if (err != 0) {
+ IPFERROR(120009);
+ return EFAULT;
+ }
+
+ d = ipf_dstlist_table_find(arg, op->iplo_unit, op->iplo_name);
+ if (d == NULL) {
+ IPFERROR(120010);
+ return ESRCH;
+ }
+
+ switch (dest.fd_addr.adf_family)
+ {
+ case AF_INET :
+ case AF_INET6 :
+ break;
+ default :
+ IPFERROR(120019);
+ return EINVAL;
+ }
+
+ if (dest.fd_name < -1 || dest.fd_name > 128) {
+ IPFERROR(120018);
+ return EINVAL;
+ }
+
+ KMALLOCS(node, ipf_dstnode_t *, sizeof(*node) + dest.fd_name);
+ if (node == NULL) {
+ softd->stats.ipls_nomem++;
+ IPFERROR(120008);
+ return ENOMEM;
+ }
+ bzero((char *)node, sizeof(*node) + dest.fd_name);
+
+ bcopy(&dest, &node->ipfd_dest, sizeof(dest));
+ node->ipfd_size = sizeof(*node) + dest.fd_name;
+
+ if (dest.fd_name > 0) {
+ /*
+ * fd_name starts out as the length of the string to copy
+ * in (including \0) and ends up being the offset from
+ * fd_names (0).
+ */
+ err = COPYIN((char *)op->iplo_struct + sizeof(dest),
+ node->ipfd_names, dest.fd_name);
+ if (err != 0) {
+ IPFERROR(120017);
+ KFREES(node, node->ipfd_size);
+ return EFAULT;
+ }
+ node->ipfd_dest.fd_name = 0;
+ } else {
+ node->ipfd_dest.fd_name = -1;
+ }
+
+ if (d->ipld_nodes == d->ipld_maxnodes) {
+ KMALLOCS(nodes, ipf_dstnode_t **,
+ sizeof(*nodes) * (d->ipld_maxnodes + 1));
+ if (nodes == NULL) {
+ softd->stats.ipls_nomem++;
+ IPFERROR(120022);
+ KFREES(node, node->ipfd_size);
+ return ENOMEM;
+ }
+ if (d->ipld_dests != NULL) {
+ bcopy(d->ipld_dests, nodes,
+ sizeof(*nodes) * d->ipld_maxnodes);
+ KFREES(d->ipld_dests, sizeof(*nodes) * d->ipld_nodes);
+ nodes[0]->ipfd_pnext = nodes;
+ }
+ d->ipld_dests = nodes;
+ d->ipld_maxnodes++;
+ }
+ d->ipld_dests[d->ipld_nodes] = node;
+ d->ipld_nodes++;
+
+ if (d->ipld_nodes == 1) {
+ node->ipfd_pnext = d->ipld_dests;
+ } else if (d->ipld_nodes > 1) {
+ node->ipfd_pnext = &d->ipld_dests[d->ipld_nodes - 2]->ipfd_next;
+ }
+ *node->ipfd_pnext = node;
+
+ MUTEX_INIT(&node->ipfd_lock, "ipf dst node lock");
+ node->ipfd_uid = uid;
+ node->ipfd_ref = 1;
+ if (node->ipfd_dest.fd_name == 0)
+ (void) ipf_resolvedest(softc, node->ipfd_names,
+ &node->ipfd_dest, AF_INET);
+#ifdef USE_INET6
+ if (node->ipfd_dest.fd_name == 0 &&
+ node->ipfd_dest.fd_ptr == (void *)-1)
+ (void) ipf_resolvedest(softc, node->ipfd_names,
+ &node->ipfd_dest, AF_INET6);
+#endif
+
+ softd->stats.ipls_numnodes++;
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_node_deref */
+/* Returns: int - 0 = success, else error */
+/* Parameters: arg(I) - pointer to local context to use */
+/* node(I) - pointer to destionation node to free */
+/* */
+/* Dereference the use count by one. If it drops to zero then we can assume */
+/* that it has been removed from any lists/tables and is ripe for freeing. */
+/* The pointer to context is required for the purpose of maintaining */
+/* statistics. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_node_deref(arg, node)
+ void *arg;
+ ipf_dstnode_t *node;
+{
+ ipf_dstl_softc_t *softd = arg;
+ int ref;
+
+ MUTEX_ENTER(&node->ipfd_lock);
+ ref = --node->ipfd_ref;
+ MUTEX_EXIT(&node->ipfd_lock);
+
+ if (ref > 0)
+ return 0;
+
+ if ((node->ipfd_flags & IPDST_DELETE) != 0)
+ softd->stats.ipls_numderefnodes--;
+ MUTEX_DESTROY(&node->ipfd_lock);
+ KFREES(node, node->ipfd_size);
+ softd->stats.ipls_numnodes--;
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_node_del */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* uid(I) - uid of process doing the ioctl */
+/* */
+/* Look for a matching destination node on the named table and free it if */
+/* found. Because the name embedded in the frdest_t is variable in length, */
+/* it is necessary to allocate some memory locally, to complete this op. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_node_del(softc, arg, op, uid)
+ ipf_main_softc_t *softc;
+ void *arg;
+ iplookupop_t *op;
+ int uid;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ipf_dstnode_t *node;
+ frdest_t frd, *temp;
+ ippool_dst_t *d;
+ size_t size;
+ int err;
+
+ d = ipf_dstlist_table_find(arg, op->iplo_unit, op->iplo_name);
+ if (d == NULL) {
+ IPFERROR(120012);
+ return ESRCH;
+ }
+
+ err = COPYIN(op->iplo_struct, &frd, sizeof(frd));
+ if (err != 0) {
+ IPFERROR(120011);
+ return EFAULT;
+ }
+
+ size = sizeof(*temp) + frd.fd_name;
+ KMALLOCS(temp, frdest_t *, size);
+ if (temp == NULL) {
+ softd->stats.ipls_nomem++;
+ IPFERROR(120026);
+ return ENOMEM;
+ }
+
+ err = COPYIN(op->iplo_struct, temp, size);
+ if (err != 0) {
+ IPFERROR(120027);
+ return EFAULT;
+ }
+
+ MUTEX_ENTER(&d->ipld_lock);
+ for (node = *d->ipld_dests; node != NULL; node = node->ipfd_next) {
+ if ((uid != 0) && (node->ipfd_uid != uid))
+ continue;
+ if (node->ipfd_size != size)
+ continue;
+ if (!bcmp(&node->ipfd_dest.fd_ip6, &frd.fd_ip6,
+ size - offsetof(frdest_t, fd_ip6))) {
+ ipf_dstlist_node_free(softd, d, node);
+ MUTEX_EXIT(&d->ipld_lock);
+ KFREES(temp, size);
+ return 0;
+ }
+ }
+ MUTEX_EXIT(&d->ipld_lock);
+ KFREES(temp, size);
+
+ return ESRCH;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_node_free */
+/* Returns: Nil */
+/* Parameters: softd(I) - pointer to the destination list context */
+/* d(I) - pointer to destination list */
+/* node(I) - pointer to node to free */
+/* Locks: MUTEX(ipld_lock) or WRITE(ipf_poolrw) */
+/* */
+/* Free the destination node by first removing it from any lists and then */
+/* checking if this was the last reference held to the object. While the */
+/* array of pointers to nodes is compacted, its size isn't reduced (by way */
+/* of allocating a new smaller one and copying) because the belief is that */
+/* it is likely the array will again reach that size. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_node_free(softd, d, node)
+ ipf_dstl_softc_t *softd;
+ ippool_dst_t *d;
+ ipf_dstnode_t *node;
+{
+ int i;
+
+ /*
+ * Compact the array of pointers to nodes.
+ */
+ for (i = 0; i < d->ipld_nodes; i++)
+ if (d->ipld_dests[i] == node)
+ break;
+ if (d->ipld_nodes - i > 1) {
+ bcopy(&d->ipld_dests[i + 1], &d->ipld_dests[i],
+ sizeof(*d->ipld_dests) * (d->ipld_nodes - i - 1));
+ }
+ d->ipld_nodes--;
+
+ if (node->ipfd_pnext != NULL)
+ *node->ipfd_pnext = node->ipfd_next;
+ if (node->ipfd_next != NULL)
+ node->ipfd_next->ipfd_pnext = node->ipfd_pnext;
+ node->ipfd_pnext = NULL;
+ node->ipfd_next = NULL;
+
+ if ((node->ipfd_flags & IPDST_DELETE) == 0) {
+ softd->stats.ipls_numderefnodes++;
+ node->ipfd_flags |= IPDST_DELETE;
+ }
+
+ ipf_dstlist_node_deref(softd, node);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_stats_get */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* */
+/* Return the current statistics for destination lists. This may be for all */
+/* of them or just information pertaining to a particular table. */
+/* ------------------------------------------------------------------------ */
+/*ARGSUSED*/
+static int
+ipf_dstlist_stats_get(softc, arg, op)
+ ipf_main_softc_t *softc;
+ void *arg;
+ iplookupop_t *op;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ipf_dstl_stat_t stats;
+ int unit, i, err = 0;
+
+ if (op->iplo_size != sizeof(ipf_dstl_stat_t)) {
+ IPFERROR(120023);
+ return EINVAL;
+ }
+
+ stats = softd->stats;
+ unit = op->iplo_unit;
+ if (unit == IPL_LOGALL) {
+ for (i = 0; i <= IPL_LOGMAX; i++)
+ stats.ipls_list[i] = softd->dstlist[i];
+ } else if (unit >= 0 && unit <= IPL_LOGMAX) {
+ void *ptr;
+
+ if (op->iplo_name[0] != '\0')
+ ptr = ipf_dstlist_table_find(softd, unit,
+ op->iplo_name);
+ else
+ ptr = softd->dstlist[unit + 1];
+ stats.ipls_list[unit] = ptr;
+ } else {
+ IPFERROR(120024);
+ err = EINVAL;
+ }
+
+ if (err == 0) {
+ err = COPYOUT(&stats, op->iplo_struct, sizeof(stats));
+ if (err != 0) {
+ IPFERROR(120025);
+ return EFAULT;
+ }
+ }
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_add */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* */
+/* Add a new destination table to the list of those available for the given */
+/* device. Because we seldom operate on these objects (find/add/delete), */
+/* they are just kept in a simple linked list. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_table_add(softc, arg, op)
+ ipf_main_softc_t *softc;
+ void *arg;
+ iplookupop_t *op;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ippool_dst_t user, *d, *new;
+ int unit, err;
+
+ d = ipf_dstlist_table_find(arg, op->iplo_unit, op->iplo_name);
+ if (d != NULL) {
+ IPFERROR(120013);
+ return EEXIST;
+ }
+
+ err = COPYIN(op->iplo_struct, &user, sizeof(user));
+ if (err != 0) {
+ IPFERROR(120021);
+ return EFAULT;
+ }
+
+ KMALLOC(new, ippool_dst_t *);
+ if (new == NULL) {
+ softd->stats.ipls_nomem++;
+ IPFERROR(120014);
+ return ENOMEM;
+ }
+ bzero((char *)new, sizeof(*new));
+
+ MUTEX_INIT(&new->ipld_lock, "ipf dst table lock");
+
+ strncpy(new->ipld_name, op->iplo_name, FR_GROUPLEN);
+ unit = op->iplo_unit;
+ new->ipld_unit = unit;
+ new->ipld_policy = user.ipld_policy;
+ new->ipld_seed = ipf_random();
+ new->ipld_ref = 1;
+
+ new->ipld_pnext = softd->tails[unit + 1];
+ *softd->tails[unit + 1] = new;
+ softd->tails[unit + 1] = &new->ipld_next;
+ softd->stats.ipls_numlists++;
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_del */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* */
+/* Find a named destinstion list table and delete it. If there are other */
+/* references to it, the caller isn't told. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_table_del(softc, arg, op)
+ ipf_main_softc_t *softc;
+ void *arg;
+ iplookupop_t *op;
+{
+ ippool_dst_t *d;
+
+ d = ipf_dstlist_table_find(arg, op->iplo_unit, op->iplo_name);
+ if (d == NULL) {
+ IPFERROR(120015);
+ return ESRCH;
+ }
+
+ if (d->ipld_dests != NULL) {
+ IPFERROR(120016);
+ return EBUSY;
+ }
+
+ ipf_dstlist_table_remove(softc, arg, d);
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_remove */
+/* Returns: Nil */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* softd(I) - pointer to the destination list context */
+/* d(I) - pointer to destination list */
+/* */
+/* Remove a given destination list from existance. While the IPDST_DELETE */
+/* flag is set every time we call this function and the reference count is */
+/* non-zero, the "numdereflists" counter is always incremented because the */
+/* decision about whether it will be freed or not is not made here. This */
+/* means that the only action the code can take here is to treat it as if */
+/* it will become a detached. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_table_remove(softc, softd, d)
+ ipf_main_softc_t *softc;
+ ipf_dstl_softc_t *softd;
+ ippool_dst_t *d;
+{
+
+ if (softd->tails[d->ipld_unit + 1] == &d->ipld_next)
+ softd->tails[d->ipld_unit + 1] = d->ipld_pnext;
+
+ if (d->ipld_pnext != NULL)
+ *d->ipld_pnext = d->ipld_next;
+ if (d->ipld_next != NULL)
+ d->ipld_next->ipld_pnext = d->ipld_pnext;
+ d->ipld_pnext = NULL;
+ d->ipld_next = NULL;
+
+ ipf_dstlist_table_clearnodes(softd, d);
+
+ softd->stats.ipls_numdereflists++;
+ d->ipld_flags |= IPDST_DELETE;
+
+ ipf_dstlist_table_deref(softc, softd, d);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_free */
+/* Returns: Nil */
+/* Parameters: softd(I) - pointer to the destination list context */
+/* d(I) - pointer to destination list */
+/* */
+/* Free up a destination list data structure and any other memory that was */
+/* directly allocated as part of creating it. Individual destination list */
+/* nodes are not freed. It is assumed the caller will have already emptied */
+/* the destination list. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_table_free(softd, d)
+ ipf_dstl_softc_t *softd;
+ ippool_dst_t *d;
+{
+ MUTEX_DESTROY(&d->ipld_lock);
+
+ if ((d->ipld_flags & IPDST_DELETE) != 0)
+ softd->stats.ipls_numdereflists--;
+ softd->stats.ipls_numlists--;
+
+ if (d->ipld_dests != NULL) {
+ KFREES(d->ipld_dests,
+ d->ipld_maxnodes * sizeof(*d->ipld_dests));
+ }
+
+ KFREE(d);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_deref */
+/* Returns: int - 0 = success, else error */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* op(I) - pointer to lookup operation data */
+/* */
+/* Drops the reference count on a destination list table object and free's */
+/* it if 0 has been reached. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_dstlist_table_deref(softc, arg, table)
+ ipf_main_softc_t *softc;
+ void *arg;
+ void *table;
+{
+ ippool_dst_t *d = table;
+
+ d->ipld_ref--;
+ if (d->ipld_ref > 0)
+ return d->ipld_ref;
+
+ ipf_dstlist_table_free(arg, d);
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_clearnodes */
+/* Returns: Nil */
+/* Parameters: softd(I) - pointer to the destination list context */
+/* dst(I) - pointer to destination list */
+/* */
+/* Free all of the destination nodes attached to the given table. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_table_clearnodes(softd, dst)
+ ipf_dstl_softc_t *softd;
+ ippool_dst_t *dst;
+{
+ ipf_dstnode_t *node;
+
+ if (dst->ipld_dests == NULL)
+ return;
+
+ while ((node = *dst->ipld_dests) != NULL) {
+ ipf_dstlist_node_free(softd, dst, node);
+ }
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_table_find */
+/* Returns: int - 0 = success, else error */
+/* Parameters: arg(I) - pointer to local context to use */
+/* unit(I) - device we are working with */
+/* name(I) - destination table name to find */
+/* */
+/* Return a pointer to a destination table that matches the unit+name that */
+/* is passed in. */
+/* ------------------------------------------------------------------------ */
+static void *
+ipf_dstlist_table_find(arg, unit, name)
+ void *arg;
+ int unit;
+ char *name;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ippool_dst_t *d;
+
+ for (d = softd->dstlist[unit + 1]; d != NULL; d = d->ipld_next) {
+ if ((d->ipld_unit == unit) &&
+ !strncmp(d->ipld_name, name, FR_GROUPLEN)) {
+ return d;
+ }
+ }
+
+ return NULL;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_select_ref */
+/* Returns: void * - NULL = failure, else pointer to table */
+/* Parameters: arg(I) - pointer to local context to use */
+/* unit(I) - device we are working with */
+/* name(I) - destination table name to find */
+/* */
+/* Attempt to find a destination table that matches the name passed in and */
+/* if successful, bump up the reference count on it because we intend to */
+/* store the pointer to it somewhere else. */
+/* ------------------------------------------------------------------------ */
+static void *
+ipf_dstlist_select_ref(arg, unit, name)
+ void *arg;
+ int unit;
+ char *name;
+{
+ ippool_dst_t *d;
+
+ d = ipf_dstlist_table_find(arg, unit, name);
+ if (d != NULL) {
+ MUTEX_ENTER(&d->ipld_lock);
+ d->ipld_ref++;
+ MUTEX_EXIT(&d->ipld_lock);
+ }
+ return d;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_select */
+/* Returns: void * - NULL = failure, else pointer to table */
+/* Parameters: fin(I) - pointer to packet information */
+/* d(I) - pointer to destination list */
+/* */
+/* Find the next node in the destination list to be used according to the */
+/* defined policy. Of these, "connection" is the most expensive policy to */
+/* implement as it always looks for the node with the least number of */
+/* connections associated with it. */
+/* */
+/* The hashes exclude the port numbers so that all protocols map to the */
+/* same destination. Otherwise, someone doing a ping would target a */
+/* different server than their TCP connection, etc. MD-5 is used to */
+/* transform the addressese into something random that the other end could */
+/* not easily guess and use in an attack. ipld_seed introduces an unknown */
+/* into the hash calculation to increase the difficult of an attacker */
+/* guessing the bucket. */
+/* */
+/* One final comment: mixing different address families in a single pool */
+/* will currently result in failures as the address family of the node is */
+/* only matched up with that in the packet as the last step. While this can */
+/* be coded around for the weighted connection and round-robin models, it */
+/* cannot be supported for the hash/random models as they do not search and */
+/* nor is the algorithm conducive to searching. */
+/* ------------------------------------------------------------------------ */
+static ipf_dstnode_t *
+ipf_dstlist_select(fin, d)
+ fr_info_t *fin;
+ ippool_dst_t *d;
+{
+ ipf_dstnode_t *node, *sel;
+ int connects;
+ u_32_t hash[4];
+ MD5_CTX ctx;
+ int family;
+ int x;
+
+ if (d->ipld_dests == NULL || *d->ipld_dests == NULL)
+ return NULL;
+
+ family = fin->fin_family;
+
+ MUTEX_ENTER(&d->ipld_lock);
+
+ switch (d->ipld_policy)
+ {
+ case IPLDP_ROUNDROBIN:
+ sel = d->ipld_selected;
+ if (sel == NULL) {
+ sel = *d->ipld_dests;
+ } else {
+ sel = sel->ipfd_next;
+ if (sel == NULL)
+ sel = *d->ipld_dests;
+ }
+ break;
+
+ case IPLDP_CONNECTION:
+ if (d->ipld_selected == NULL) {
+ sel = *d->ipld_dests;
+ break;
+ }
+
+ sel = d->ipld_selected;
+ connects = 0x7fffffff;
+ node = sel->ipfd_next;
+ if (node == NULL)
+ node = *d->ipld_dests;
+ while (node != d->ipld_selected) {
+ if (node->ipfd_states == 0) {
+ sel = node;
+ break;
+ }
+ if (node->ipfd_states < connects) {
+ sel = node;
+ connects = node->ipfd_states;
+ }
+ node = node->ipfd_next;
+ if (node == NULL)
+ node = *d->ipld_dests;
+ }
+ break;
+
+ case IPLDP_RANDOM :
+ x = ipf_random() % d->ipld_nodes;
+ sel = d->ipld_dests[x];
+ break;
+
+ case IPLDP_HASHED :
+ MD5Init(&ctx);
+ MD5Update(&ctx, (u_char *)&d->ipld_seed, sizeof(d->ipld_seed));
+ MD5Update(&ctx, (u_char *)&fin->fin_src6,
+ sizeof(fin->fin_src6));
+ MD5Update(&ctx, (u_char *)&fin->fin_dst6,
+ sizeof(fin->fin_dst6));
+ MD5Final((u_char *)hash, &ctx);
+ x = hash[0] % d->ipld_nodes;
+ sel = d->ipld_dests[x];
+ break;
+
+ case IPLDP_SRCHASH :
+ MD5Init(&ctx);
+ MD5Update(&ctx, (u_char *)&d->ipld_seed, sizeof(d->ipld_seed));
+ MD5Update(&ctx, (u_char *)&fin->fin_src6,
+ sizeof(fin->fin_src6));
+ MD5Final((u_char *)hash, &ctx);
+ x = hash[0] % d->ipld_nodes;
+ sel = d->ipld_dests[x];
+ break;
+
+ case IPLDP_DSTHASH :
+ MD5Init(&ctx);
+ MD5Update(&ctx, (u_char *)&d->ipld_seed, sizeof(d->ipld_seed));
+ MD5Update(&ctx, (u_char *)&fin->fin_dst6,
+ sizeof(fin->fin_dst6));
+ MD5Final((u_char *)hash, &ctx);
+ x = hash[0] % d->ipld_nodes;
+ sel = d->ipld_dests[x];
+ break;
+
+ default :
+ sel = NULL;
+ break;
+ }
+
+ if (sel->ipfd_dest.fd_addr.adf_family != family)
+ sel = NULL;
+ d->ipld_selected = sel;
+
+ MUTEX_EXIT(&d->ipld_lock);
+
+ return sel;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_select_node */
+/* Returns: int - -1 == failure, 0 == success */
+/* Parameters: fin(I) - pointer to packet information */
+/* group(I) - destination pool to search */
+/* addr(I) - pointer to store selected address */
+/* pfdp(O) - pointer to storage for selected destination node */
+/* */
+/* This function is only responsible for obtaining the next IP address for */
+/* use and storing it in the caller's address space (addr). "addr" is only */
+/* used for storage if pfdp is NULL. No permanent reference is currently */
+/* kept on the node. */
+/* ------------------------------------------------------------------------ */
+int
+ipf_dstlist_select_node(fin, group, addr, pfdp)
+ fr_info_t *fin;
+ void *group;
+ u_32_t *addr;
+ frdest_t *pfdp;
+{
+#ifdef USE_MUTEXES
+ ipf_main_softc_t *softc = fin->fin_main_soft;
+#endif
+ ippool_dst_t *d = group;
+ ipf_dstnode_t *node;
+ frdest_t *fdp;
+
+ READ_ENTER(&softc->ipf_poolrw);
+
+ node = ipf_dstlist_select(fin, d);
+ if (node == NULL) {
+ RWLOCK_EXIT(&softc->ipf_poolrw);
+ return -1;
+ }
+
+ if (pfdp != NULL) {
+ bcopy(&node->ipfd_dest, pfdp, sizeof(*pfdp));
+ } else {
+ if (fin->fin_family == AF_INET) {
+ addr[0] = node->ipfd_dest.fd_addr.adf_addr.i6[0];
+ } else if (fin->fin_family == AF_INET6) {
+ addr[0] = node->ipfd_dest.fd_addr.adf_addr.i6[0];
+ addr[1] = node->ipfd_dest.fd_addr.adf_addr.i6[1];
+ addr[2] = node->ipfd_dest.fd_addr.adf_addr.i6[2];
+ addr[3] = node->ipfd_dest.fd_addr.adf_addr.i6[3];
+ }
+ }
+
+ fdp = &node->ipfd_dest;
+ if (fdp->fd_ptr == NULL)
+ fdp->fd_ptr = fin->fin_ifp;
+
+ MUTEX_ENTER(&node->ipfd_lock);
+ node->ipfd_states++;
+ MUTEX_EXIT(&node->ipfd_lock);
+
+ RWLOCK_EXIT(&softc->ipf_poolrw);
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_expire */
+/* Returns: Nil */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* */
+/* There are currently no objects to expire in destination lists. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_dstlist_expire(softc, arg)
+ ipf_main_softc_t *softc;
+ void *arg;
+{
+ return;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_dstlist_sync */
+/* Returns: Nil */
+/* Parameters: softc(I) - pointer to soft context main structure */
+/* arg(I) - pointer to local context to use */
+/* */
+/* When a network interface appears or disappears, we need to revalidate */
+/* all of the network interface names that have been configured as a target */
+/* in a destination list. */
+/* ------------------------------------------------------------------------ */
+void
+ipf_dstlist_sync(softc, arg)
+ ipf_main_softc_t *softc;
+ void *arg;
+{
+ ipf_dstl_softc_t *softd = arg;
+ ipf_dstnode_t *node;
+ ippool_dst_t *list;
+ int i;
+ int j;
+
+ for (i = 0; i < IPL_LOGMAX; i++) {
+ for (list = softd->dstlist[i]; list != NULL;
+ list = list->ipld_next) {
+ for (j = 0; j < list->ipld_maxnodes; j++) {
+ node = list->ipld_dests[j];
+ if (node == NULL)
+ continue;
+ if (node->ipfd_dest.fd_name == -1)
+ continue;
+ (void) ipf_resolvedest(softc,
+ node->ipfd_names,
+ &node->ipfd_dest,
+ AF_INET);
+ }
+ }
+ }
+}
diff --git a/contrib/ipfilter/ip_dstlist.h b/contrib/ipfilter/ip_dstlist.h
new file mode 100644
index 0000000..e2885e5
--- /dev/null
+++ b/contrib/ipfilter/ip_dstlist.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: ip_dstlist.h,v 1.5.2.6 2012/07/22 08:04:23 darren_r Exp $
+ */
+
+#ifndef __IP_DSTLIST_H__
+#define __IP_DSTLIST_H__
+
+typedef struct ipf_dstnode {
+ struct ipf_dstnode *ipfd_next;
+ struct ipf_dstnode **ipfd_pnext;
+ ipfmutex_t ipfd_lock;
+ frdest_t ipfd_dest;
+ u_long ipfd_syncat;
+ int ipfd_flags;
+ int ipfd_size;
+ int ipfd_states;
+ int ipfd_ref;
+ int ipfd_uid;
+ char ipfd_names[1];
+} ipf_dstnode_t;
+
+typedef enum ippool_policy_e {
+ IPLDP_NONE = 0,
+ IPLDP_ROUNDROBIN,
+ IPLDP_CONNECTION,
+ IPLDP_RANDOM,
+ IPLDP_HASHED,
+ IPLDP_SRCHASH,
+ IPLDP_DSTHASH
+} ippool_policy_t;
+
+typedef struct ippool_dst {
+ struct ippool_dst *ipld_next;
+ struct ippool_dst **ipld_pnext;
+ ipfmutex_t ipld_lock;
+ int ipld_seed;
+ int ipld_unit;
+ int ipld_ref;
+ int ipld_flags;
+ int ipld_nodes;
+ int ipld_maxnodes;
+ ippool_policy_t ipld_policy;
+ ipf_dstnode_t **ipld_dests;
+ ipf_dstnode_t *ipld_selected;
+ char ipld_name[FR_GROUPLEN];
+} ippool_dst_t;
+
+#define IPDST_DELETE 0x01
+
+typedef struct dstlist_stat_s {
+ void *ipls_list[LOOKUP_POOL_SZ];
+ int ipls_numlists;
+ u_long ipls_nomem;
+ int ipls_numnodes;
+ int ipls_numdereflists;
+ int ipls_numderefnodes;
+} ipf_dstl_stat_t;
+
+extern ipf_lookup_t ipf_dstlist_backend;
+
+extern int ipf_dstlist_select_node __P((fr_info_t *, void *, u_32_t *,
+ frdest_t *));
+
+#endif /* __IP_DSTLIST_H__ */
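Review bot: `ipls_list` in `ipf_dstl_stat_t` is an array of raw kernel pointers, and `ipf_dstlist_stats_get` in ip_dstlist.c copies the whole structure to the caller with `COPYOUT(&stats, op->iplo_struct, sizeof(stats))`, so each statistics request hands kernel addresses to the requesting process. Who may issue that request is not visible here; if it is not limited to privileged callers, the pointers should be cleared or replaced by an opaque value before the copy-out. At minimum, document the field, e.g. `/* kernel addresses of list heads; exported to userland by the stats ioctl */`. The structures in this header also carry no comments on ownership or locking (which fields `ipfd_lock` and `ipld_lock` protect), and a short comment on each would help.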
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 0518672..208602a 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -1,154 +1,29 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.18 2007/09/09 11:32:05 darrenr Exp $";
-#endif
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#include <sys/param.h>
-#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
-# if defined(IPFILTER_LKM)
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-# endif
-#endif
-#include <sys/errno.h>
-#if defined(__hpux) && (HPUXREV >= 1111) && !defined(_KERNEL)
-# include <sys/kern_svcs.h>
-#endif
-#include <sys/types.h>
-#define _KERNEL
-#define KERNEL
-#ifdef __OpenBSD__
-struct file;
-#endif
-#include <sys/uio.h>
-#undef _KERNEL
-#undef KERNEL
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <sys/time.h>
-#if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
+static const char rcsid[] = "@(#)$Id$";
#endif
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <fcntl.h>
-#ifdef __hpux
-# define _NET_ROUTE_INCLUDED
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#ifdef __sgi
-#include <sys/debug.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-# endif
-#endif
-#if defined(__FreeBSD__) || defined(SOLARIS2)
-# include "radix_ipf.h"
-#endif
-#ifndef __osf__
-# include <net/route.h>
-#endif
-#include <netinet/in.h>
-#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ && \
- !defined(__hpux) && !defined(linux)
-# include <netinet/in_var.h>
-#endif
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#if defined(__osf__)
-# include <netinet/tcp_timer.h>
-#endif
-#if defined(__osf__) || defined(__hpux) || defined(__sgi)
-# include "radix_ipf_local.h"
-# define _RADIX_H_
-#endif
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <arpa/inet.h>
-#ifdef __hpux
-# undef _NET_ROUTE_INCLUDED
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef IPFILTER_SYNC
-#include "netinet/ip_sync.h"
-#endif
-#ifdef IPFILTER_SCAN
-#include "netinet/ip_scan.h"
-#endif
-#include "netinet/ip_pool.h"
-#ifdef IPFILTER_COMPILED
-# include "netinet/ip_rules.h"
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#ifdef __hpux
-struct rtentry;
-#endif
+#include "ipf.h"
#include "md5.h"
+#include "ipt.h"
+ipf_main_softc_t ipfmain;
-#if !defined(__osf__) && !defined(__linux__)
-extern struct protosw inetsw[];
-#endif
-
-#include "ipt.h"
static struct ifnet **ifneta = NULL;
static int nifs = 0;
-static void fr_setifpaddr __P((struct ifnet *, char *));
+struct rtentry;
+
+static void ipf_setifpaddr __P((struct ifnet *, char *));
void init_ifp __P((void));
#if defined(__sgi) && (IRIX < 60500)
static int no_output __P((struct ifnet *, struct mbuf *,
@@ -170,16 +45,18 @@ static int write_output __P((struct ifnet *, struct mbuf *,
#endif
-int ipfattach()
+int
+ipfattach(softc)
+ ipf_main_softc_t *softc;
{
- fr_running = 1;
return 0;
}
-int ipfdetach()
+int
+ipfdetach(softc)
+ ipf_main_softc_t *softc;
{
- fr_running = -1;
return 0;
}
@@ -187,101 +64,96 @@ int ipfdetach()
/*
* Filter ioctl interface.
*/
-int iplioctl(dev, cmd, data, mode)
-int dev;
-ioctlcmd_t cmd;
-caddr_t data;
-int mode;
+int
+ipfioctl(softc, dev, cmd, data, mode)
+ ipf_main_softc_t *softc;
+ int dev;
+ ioctlcmd_t cmd;
+ caddr_t data;
+ int mode;
{
int error = 0, unit = 0, uid;
- SPL_INT(s);
uid = getuid();
unit = dev;
SPL_NET(s);
- error = fr_ioctlswitch(unit, data, cmd, mode, uid, NULL);
+ error = ipf_ioctlswitch(softc, unit, data, cmd, mode, uid, NULL);
if (error != -1) {
SPL_X(s);
return error;
}
-
SPL_X(s);
return error;
}
-void fr_forgetifp(ifp)
-void *ifp;
+void
+ipf_forgetifp(softc, ifp)
+ ipf_main_softc_t *softc;
+ void *ifp;
{
register frentry_t *f;
- WRITE_ENTER(&ipf_mutex);
- for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
+ WRITE_ENTER(&softc->ipf_mutex);
+ for (f = softc->ipf_acct[0][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
- for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
+ for (f = softc->ipf_acct[1][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
- for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
+ for (f = softc->ipf_rules[0][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
-#ifdef USE_INET6
- for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
+ for (f = softc->ipf_rules[1][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
-#endif
- RWLOCK_EXIT(&ipf_mutex);
- fr_natsync(ifp);
+ RWLOCK_EXIT(&softc->ipf_mutex);
+ ipf_nat_sync(softc, ifp);
+ ipf_lookup_sync(softc, ifp);
}
+static int
#if defined(__sgi) && (IRIX < 60500)
-static int no_output(ifp, m, s)
+no_output(ifp, m, s)
#else
# if TRU64 >= 1885
-static int no_output (ifp, m, s, rt, cp)
-char *cp;
+no_output (ifp, m, s, rt, cp)
+ char *cp;
# else
-static int no_output(ifp, m, s, rt)
+no_output(ifp, m, s, rt)
# endif
-struct rtentry *rt;
+ struct rtentry *rt;
#endif
-struct ifnet *ifp;
-struct mbuf *m;
-struct sockaddr *s;
+ struct ifnet *ifp;
+ struct mbuf *m;
+ struct sockaddr *s;
{
return 0;
}
+static int
#if defined(__sgi) && (IRIX < 60500)
-static int write_output(ifp, m, s)
+write_output(ifp, m, s)
#else
# if TRU64 >= 1885
-static int write_output (ifp, m, s, rt, cp)
-char *cp;
+write_output (ifp, m, s, rt, cp)
+ char *cp;
# else
-static int write_output(ifp, m, s, rt)
+write_output(ifp, m, s, rt)
# endif
-struct rtentry *rt;
+ struct rtentry *rt;
#endif
-struct ifnet *ifp;
-struct mbuf *m;
-struct sockaddr *s;
+ struct ifnet *ifp;
+ struct mbuf *m;
+ struct sockaddr *s;
{
char fname[32];
mb_t *mb;
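Review bot: In `ipfioctl` the declaration `SPL_INT(s);` is removed while `SPL_NET(s);` and both `SPL_X(s);` calls still name `s`, which only builds where those macros discard their argument (their definitions are not visible in this hunk). The `if (error != -1)` branch and the fall-through path are now identical, so the tail can be reduced to a single `SPL_X(s);` followed by `return error;`. `write_output` continues past the end of the hunk.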
@@ -309,9 +181,10 @@ struct sockaddr *s;
}
-static void fr_setifpaddr(ifp, addr)
-struct ifnet *ifp;
-char *addr;
+static void
+ipf_setifpaddr(ifp, addr)
+ struct ifnet *ifp;
+ char *addr;
{
#ifdef __sgi
struct in_ifaddr *ifa;
@@ -349,15 +222,28 @@ char *addr;
#else
sin = (struct sockaddr_in *)&ifa->ifa_addr;
#endif
- sin->sin_addr.s_addr = inet_addr(addr);
- if (sin->sin_addr.s_addr == 0)
- abort();
+#ifdef USE_INET6
+ if (index(addr, ':') != NULL) {
+ struct sockaddr_in6 *sin6;
+
+ sin6 = (struct sockaddr_in6 *)&ifa->ifa_addr;
+ sin6->sin6_family = AF_INET6;
+ inet_pton(AF_INET6, addr, &sin6->sin6_addr);
+ } else
+#endif
+ {
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = inet_addr(addr);
+ if (sin->sin_addr.s_addr == 0)
+ abort();
+ }
}
}
-struct ifnet *get_unit(name, v)
-char *name;
-int v;
+struct ifnet *
+get_unit(name, family)
+ char *name;
+ int family;
{
struct ifnet *ifp, **ifpp, **old_ifneta;
char *addr;
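Review bot: The new IPv6 branch in ipf_setifpaddr ignores the return value of `inet_pton`, so a malformed address leaves `sin6_addr` unset, whereas the IPv4 branch aborts on a bad address. Check it the same way: `if (inet_pton(AF_INET6, addr, &sin6->sin6_addr) != 1) abort();`. The branch also stores a `struct sockaddr_in6` through `&ifa->ifa_addr`; that field's declaration is not visible here, so confirm the storage is large enough for the IPv6 structure. The start of ipf_setifpaddr lies outside this hunk.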
@@ -365,6 +251,9 @@ int v;
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
+ if (!*name)
+ return NULL;
+
if (name == NULL)
name = "anon0";
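Review bot: The added `if (!*name)` dereferences `name` before the existing `if (name == NULL)` test that follows it, so a NULL name now faults instead of falling back to "anon0". Put the empty-string test after the NULL handling, or write it as `if (name != NULL && *name == '\0') return NULL;`. get_unit starts and continues outside this hunk.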
@@ -375,7 +264,7 @@ int v;
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
if (!strcmp(name, ifp->if_xname)) {
if (addr != NULL)
- fr_setifpaddr(ifp, addr);
+ ipf_setifpaddr(ifp, addr);
return ifp;
}
}
@@ -390,10 +279,10 @@ int v;
*addr++ = '\0';
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- COPYIFNAME(v, ifp, ifname);
+ COPYIFNAME(family, ifp, ifname);
if (!strcmp(name, ifname)) {
if (addr != NULL)
- fr_setifpaddr(ifp, addr);
+ ipf_setifpaddr(ifp, addr);
return ifp;
}
}
@@ -437,9 +326,15 @@ int v;
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
(void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname));
#else
- for (s = name; *s && !ISDIGIT(*s); s++)
- ;
- if (*s && ISDIGIT(*s)) {
+ s = name + strlen(name) - 1;
+ for (; s > name; s--) {
+ if (!ISDIGIT(*s)) {
+ s++;
+ break;
+ }
+ }
+
+ if ((s > name) && (*s != 0) && ISDIGIT(*s)) {
ifp->if_unit = atoi(s);
ifp->if_name = (char *)malloc(s - name + 1);
(void) strncpy(ifp->if_name, name, s - name);
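Review bot: The backwards scan mishandles two inputs. For an empty `name`, `name + strlen(name) - 1` forms a pointer before the start of the string, and for a one-character prefix such as "a1" the loop exits with `s == name`, so the `s > name` test rejects a valid unit number. The empty-name guard added earlier in get_unit appears to sit in a different preprocessor branch, so this `#else` path should not rely on it. Scanning from the terminator avoids both cases: `s = name + strlen(name);` followed by `while (s > name && ISDIGIT(s[-1])) s--;`. The rest of the branch is outside this hunk.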
@@ -452,15 +347,16 @@ int v;
ifp->if_output = (void *)no_output;
if (addr != NULL) {
- fr_setifpaddr(ifp, addr);
+ ipf_setifpaddr(ifp, addr);
}
return ifp;
}
-char *get_ifname(ifp)
-struct ifnet *ifp;
+char *
+get_ifname(ifp)
+ struct ifnet *ifp;
{
static char ifname[LIFNAMSIZ];
@@ -468,14 +364,18 @@ struct ifnet *ifp;
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
sprintf(ifname, "%s", ifp->if_xname);
#else
- sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
+ if (ifp->if_unit != -1)
+ sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
+ else
+ strcpy(ifname, ifp->if_name);
#endif
return ifname;
}
-void init_ifp()
+void
+init_ifp()
{
struct ifnet *ifp, **ifpp;
char fname[32];
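Review bot: The added `strcpy(ifname, ifp->if_name)` and the `sprintf` next to it write into `static char ifname[LIFNAMSIZ]` with no length bound, while get_unit allocates `if_name` to whatever length the supplied name has. A name longer than the buffer therefore overruns it. Bound both writes, e.g. `snprintf(ifname, sizeof(ifname), "%s%d", ifp->if_name, ifp->if_unit);` and `snprintf(ifname, sizeof(ifname), "%s", ifp->if_name);`. The `sprintf` of `if_xname` in the other preprocessor branch has the same shape.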
@@ -496,7 +396,7 @@ void init_ifp()
#else
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- ifp->if_output = write_output;
+ ifp->if_output = (void *)write_output;
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
if (fd == -1)
@@ -508,36 +408,48 @@ void init_ifp()
}
-int fr_fastroute(m, mpp, fin, fdp)
-mb_t *m, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
+int
+ipf_fastroute(m, mpp, fin, fdp)
+ mb_t *m, **mpp;
+ fr_info_t *fin;
+ frdest_t *fdp;
{
- struct ifnet *ifp = fdp->fd_ifp;
+ struct ifnet *ifp;
ip_t *ip = fin->fin_ip;
+ frdest_t node;
int error = 0;
frentry_t *fr;
void *sifp;
+ int sout;
- if (!ifp)
- return 0; /* no routing table out here */
-
+ sifp = fin->fin_ifp;
+ sout = fin->fin_out;
fr = fin->fin_fr;
ip->ip_sum = 0;
+ if (!(fr->fr_flags & FR_KEEPSTATE) && (fdp != NULL) &&
+ (fdp->fd_type == FRD_DSTLIST)) {
+ bzero(&node, sizeof(node));
+ ipf_dstlist_select_node(fin, fdp->fd_ptr, NULL, &node);
+ fdp = &node;
+ }
+ ifp = fdp->fd_ptr;
+
+ if (ifp == NULL)
+ return 0; /* no routing table out here */
+
if (fin->fin_out == 0) {
- sifp = fin->fin_ifp;
fin->fin_ifp = ifp;
fin->fin_out = 1;
- (void) fr_acctpkt(fin, NULL);
+ (void) ipf_acctpkt(fin, NULL);
fin->fin_fr = NULL;
if (!fr || !(fr->fr_flags & FR_RETMASK)) {
u_32_t pass;
- (void) fr_checkstate(fin, &pass);
+ (void) ipf_state_check(fin, &pass);
}
- switch (fr_checknatout(fin, NULL))
+ switch (ipf_nat_checkout(fin, NULL))
{
case 0 :
break;
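Review bot: The new destination-list test reads `fr->fr_flags` before anything has checked `fr`, although the same function still treats `fr` as possibly NULL a few lines later (`if (!fr || ...)`). The condition also allows for `fdp == NULL`, yet `ifp = fdp->fd_ptr;` then dereferences it unconditionally. Suggest starting the condition with `(fr != NULL) &&` and assigning `ifp = (fdp != NULL) ? fdp->fd_ptr : NULL;`. The result of `ipf_dstlist_select_node` is ignored as well; if it can fail, `node` stays zeroed and the function returns 0 without a trace, which is worth confirming as intended. ipf_fastroute continues past this hunk.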
@@ -550,10 +462,11 @@ frdest_t *fdp;
break;
}
- fin->fin_ifp = sifp;
- fin->fin_out = 0;
}
+ m->mb_ifp = ifp;
+ printpacket(fin->fin_out, m);
+
#if defined(__sgi) && (IRIX < 60500)
(*ifp->if_output)(ifp, (void *)ip, NULL);
# if TRU64 >= 1885
@@ -563,55 +476,55 @@ frdest_t *fdp;
# endif
#endif
done:
+ fin->fin_ifp = sifp;
+ fin->fin_out = sout;
return error;
}
-int fr_send_reset(fin)
-fr_info_t *fin;
+int
+ipf_send_reset(fin)
+ fr_info_t *fin;
{
- verbose("- TCP RST sent\n");
+ ipfkverbose("- TCP RST sent\n");
return 0;
}
-int fr_send_icmp_err(type, fin, dst)
-int type;
-fr_info_t *fin;
-int dst;
+int
+ipf_send_icmp_err(type, fin, dst)
+ int type;
+ fr_info_t *fin;
+ int dst;
{
- verbose("- ICMP unreachable sent\n");
+ ipfkverbose("- ICMP unreachable sent\n");
return 0;
}
-void frsync(ifp)
-void *ifp;
-{
- return;
-}
-
-
-void m_freem(m)
-mb_t *m;
+void
+m_freem(m)
+ mb_t *m;
{
return;
}
-void m_copydata(m, off, len, cp)
-mb_t *m;
-int off, len;
-caddr_t cp;
+void
+m_copydata(m, off, len, cp)
+ mb_t *m;
+ int off, len;
+ caddr_t cp;
{
bcopy((char *)m + off, cp, len);
}
-int ipfuiomove(buf, len, rwflag, uio)
-caddr_t buf;
-int len, rwflag;
-struct uio *uio;
+int
+ipfuiomove(buf, len, rwflag, uio)
+ caddr_t buf;
+ int len, rwflag;
+ struct uio *uio;
{
int left, ioc, num, offset;
struct iovec *io;
@@ -648,8 +561,9 @@ struct uio *uio;
}
-u_32_t fr_newisn(fin)
-fr_info_t *fin;
+u_32_t
+ipf_newisn(fin)
+ fr_info_t *fin;
{
static int iss_seq_off = 0;
u_char hash[16];
@@ -688,50 +602,76 @@ fr_info_t *fin;
/* ------------------------------------------------------------------------ */
-/* Function: fr_nextipid */
+/* Function: ipf_nextipid */
/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Returns the next IPv4 ID to use for this packet. */
/* ------------------------------------------------------------------------ */
-INLINE u_short fr_nextipid(fin)
-fr_info_t *fin;
+INLINE u_short
+ipf_nextipid(fin)
+ fr_info_t *fin;
{
static u_short ipid = 0;
+ ipf_main_softc_t *softc = fin->fin_main_soft;
u_short id;
- MUTEX_ENTER(&ipf_rw);
- id = ipid++;
- MUTEX_EXIT(&ipf_rw);
+ MUTEX_ENTER(&softc->ipf_rw);
+ if (fin->fin_pktnum != 0) {
+ /*
+ * The -1 is for aligned test results.
+ */
+ id = (fin->fin_pktnum - 1) & 0xffff;
+ } else {
+ }
+ id = ipid++;
+ MUTEX_EXIT(&softc->ipf_rw);
return id;
}
-INLINE void fr_checkv4sum(fin)
-fr_info_t *fin;
+INLINE int
+ipf_checkv4sum(fin)
+ fr_info_t *fin;
{
- if (fr_checkl4sum(fin) == -1)
+
+ if (fin->fin_flx & FI_SHORT)
+ return 1;
+
+ if (ipf_checkl4sum(fin) == -1) {
fin->fin_flx |= FI_BAD;
+ return -1;
+ }
+ return 0;
}
#ifdef USE_INET6
-INLINE void fr_checkv6sum(fin)
-fr_info_t *fin;
+INLINE int
+ipf_checkv6sum(fin)
+ fr_info_t *fin;
{
- if (fr_checkl4sum(fin) == -1)
+ if (fin->fin_flx & FI_SHORT)
+ return 1;
+
+ if (ipf_checkl4sum(fin) == -1) {
fin->fin_flx |= FI_BAD;
+ return -1;
+ }
+ return 0;
}
#endif
+#if 0
/*
* See above for description, except that all addressing is in user space.
*/
-int copyoutptr(src, dst, size)
-void *src, *dst;
-size_t size;
+int
+copyoutptr(softc, src, dst, size)
+ void *src, *dst;
+ size_t size;
{
caddr_t ca;
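Review bot: In ipf_nextipid the id derived from `fin->fin_pktnum` is always overwritten, because `id = ipid++;` sits after the empty `else { }` instead of inside it. Moving the assignment into the else branch, `} else { id = ipid++; }`, makes the packet-number path take effect. The header comment still documents the return as `int - 0 == success, -1 == error`, while the function returns the `u_short` id, so the comment should be corrected with it. Separately, `copyoutptr(softc, src, dst, size)` gains a `softc` parameter with no declaration; this is harmless only while the function stays under `#if 0`, and its body continues outside the hunk.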
@@ -744,9 +684,10 @@ size_t size;
/*
* See above for description, except that all addressing is in user space.
*/
-int copyinptr(src, dst, size)
-void *src, *dst;
-size_t size;
+int
+copyinptr(src, dst, size)
+ void *src, *dst;
+ size_t size;
{
caddr_t ca;
@@ -754,15 +695,18 @@ size_t size;
bcopy(ca, dst, size);
return 0;
}
+#endif
/*
* return the first IP Address associated with an interface
*/
-int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
-int v, atype;
-void *ifptr;
-struct in_addr *inp, *inpmask;
+int
+ipf_ifpaddr(softc, v, atype, ifptr, inp, inpmask)
+ ipf_main_softc_t *softc;
+ int v, atype;
+ void *ifptr;
+ i6addr_t *inp, *inpmask;
{
struct ifnet *ifp = ifptr;
#ifdef __sgi
@@ -781,40 +725,145 @@ struct in_addr *inp, *inpmask;
# endif
#endif
if (ifa != NULL) {
- struct sockaddr_in *sin, mask;
+ if (v == 4) {
+ struct sockaddr_in *sin, mask;
- mask.sin_addr.s_addr = 0xffffffff;
+ mask.sin_addr.s_addr = 0xffffffff;
#ifdef __sgi
- sin = (struct sockaddr_in *)&ifa->ia_addr;
+ sin = (struct sockaddr_in *)&ifa->ia_addr;
#else
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
+ sin = (struct sockaddr_in *)&ifa->ifa_addr;
#endif
- return fr_ifpfillv4addr(atype, sin, &mask, inp, inpmask);
+ return ipf_ifpfillv4addr(atype, sin, &mask,
+ &inp->in4, &inpmask->in4);
+ }
+#ifdef USE_INET6
+ if (v == 6) {
+ struct sockaddr_in6 *sin6, mask;
+
+ sin6 = (struct sockaddr_in6 *)&ifa->ifa_addr;
+ ((i6addr_t *)&mask.sin6_addr)->i6[0] = 0xffffffff;
+ ((i6addr_t *)&mask.sin6_addr)->i6[1] = 0xffffffff;
+ ((i6addr_t *)&mask.sin6_addr)->i6[2] = 0xffffffff;
+ ((i6addr_t *)&mask.sin6_addr)->i6[3] = 0xffffffff;
+ return ipf_ifpfillv6addr(atype, sin6, &mask,
+ inp, inpmask);
+ }
+#endif
}
return 0;
}
-int ipfsync()
+/*
+ * This function is not meant to be random, rather just produce a
+ * sequence of numbers that isn't linear to show "randomness".
+ */
+u_32_t
+ipf_random()
{
+ static unsigned int last = 0xa5a5a5a5;
+ static int calls = 0;
+ int number;
+
+ calls++;
+
+ /*
+ * These are deliberately chosen to ensure that there is some
+ * attempt to test whether the output covers the range in test n18.
+ */
+ switch (calls)
+ {
+ case 1 :
+ number = 0;
+ break;
+ case 2 :
+ number = 4;
+ break;
+ case 3 :
+ number = 3999;
+ break;
+ case 4 :
+ number = 4000;
+ break;
+ case 5 :
+ number = 48999;
+ break;
+ case 6 :
+ number = 49000;
+ break;
+ default :
+ number = last;
+ last *= calls;
+ last++;
+ number ^= last;
+ break;
+ }
+ return number;
+}
+
+
+int
+ipf_verifysrc(fin)
+ fr_info_t *fin;
+{
+ return 1;
+}
+
+
+int
+ipf_inject(fin, m)
+ fr_info_t *fin;
+ mb_t *m;
+{
+ FREE_MB_T(m);
+
return 0;
}
-#ifndef ipf_random
-u_32_t ipf_random()
+u_int
+ipf_pcksum(fin, hlen, sum)
+ fr_info_t *fin;
+ int hlen;
+ u_int sum;
{
- static int seeded = 0;
+ u_short *sp;
+ u_int sum2;
+ int slen;
+
+ slen = fin->fin_plen - hlen;
+ sp = (u_short *)((u_char *)fin->fin_ip + hlen);
+
+ for (; slen > 1; slen -= 2)
+ sum += *sp++;
+ if (slen)
+ sum += ntohs(*(u_char *)sp << 8);
+ while (sum > 0xffff)
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum2 = (u_short)(~sum & 0xffff);
+
+ return sum2;
+}
+
+
+void *
+ipf_pullup(m, fin, plen)
+ mb_t *m;
+ fr_info_t *fin;
+ int plen;
+{
+ if (M_LEN(m) >= plen)
+ return fin->fin_ip;
/*
- * Choose a non-random seed so that "randomness" can be "tested."
+ * Fake ipf_pullup failing
*/
- if (seeded == 0) {
- srand(0);
- seeded = 1;
- }
- return rand();
+ fin->fin_reason = FRB_PULLUP;
+ *fin->fin_mp = NULL;
+ fin->fin_m = NULL;
+ fin->fin_ip = NULL;
+ return NULL;
}
-#endif
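Review bot: ipf_pcksum does not handle `hlen > fin->fin_plen`: `slen` goes negative, the loop is skipped, and `if (slen)` is still true, so a byte beyond the intended range is read and summed. Use `if (slen > 0)` for the trailing byte, or return early when `slen <= 0`. The `u_short *` reads also assume that `fin->fin_ip + hlen` is 2-byte aligned, which the visible code does not establish. ipf_random is documented as a fixed sequence for test n18, so it is worth a comment stating that it must never be linked where unpredictable values are expected.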
diff --git a/contrib/ipfilter/ip_fil_compat.c b/contrib/ipfilter/ip_fil_compat.c
new file mode 100644
index 0000000..d0b356f
--- /dev/null
+++ b/contrib/ipfilter/ip_fil_compat.c
@@ -0,0 +1,4854 @@
+/*
+ * Copyright (C) 2002-2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
+#endif
+#if defined(__osf__)
+# define _PROTO_NET_H_
+#endif
+#include <sys/param.h>
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#if __FreeBSD_version >= 220000 && defined(_KERNEL)
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#if !defined(_KERNEL)
+# include <string.h>
+# define _KERNEL
+# ifdef __OpenBSD__
+struct file;
+# endif
+# include <sys/uio.h>
+# undef _KERNEL
+#endif
+#include <sys/socket.h>
+#if (defined(__osf__) || defined(AIX) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
+# include "radix_ipf_local.h"
+# define _RADIX_H_
+#endif
+#include <net/if.h>
+#if defined(__FreeBSD__)
+# include <sys/cdefs.h>
+# include <sys/proc.h>
+#endif
+#if defined(_KERNEL)
+# include <sys/systm.h>
+# if !defined(__SVR4) && !defined(__svr4__)
+# include <sys/mbuf.h>
+# endif
+#endif
+#include <netinet/in.h>
+
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_pool.h"
+#include "netinet/ip_htable.h"
+#include "netinet/ip_lookup.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_auth.h"
+/* END OF INCLUDES */
+
+/*
+ * NetBSD has moved to 64bit time_t for all architectures.
+ * For some, such as sparc64, there is no change because long is already
+ * 64bit, but for others (i386), there is...
+ */
+#ifdef IPFILTER_COMPAT
+
+# ifdef __NetBSD__
+typedef struct timeval_l {
+ long tv_sec;
+ long tv_usec;
+} timeval_l_t;
+# endif
+
+/* ------------------------------------------------------------------------ */
+
+typedef struct tcpinfo4 {
+ u_short ts_sport;
+ u_short ts_dport;
+ tcpdata_t ts_data[2];
+} tcpinfo4_t;
+
+static void ipf_v5tcpinfoto4 __P((tcpinfo_t *, tcpinfo4_t *));
+
+static void
+ipf_v5tcpinfoto4(v5, v4)
+ tcpinfo_t *v5;
+ tcpinfo4_t *v4;
+{
+ v4->ts_sport = v5->ts_sport;
+ v4->ts_dport = v5->ts_dport;
+ v4->ts_data[0] = v5->ts_data[0];
+ v4->ts_data[1] = v5->ts_data[1];
+}
+
+typedef struct fr_ip4 {
+ u_32_t fi_v:4;
+ u_32_t fi_xx:4;
+ u_32_t fi_tos:8;
+ u_32_t fi_ttl:8;
+ u_32_t fi_p:8;
+ u_32_t fi_optmsk;
+ i6addr_t fi_src;
+ i6addr_t fi_dst;
+ u_short ofi_secmsk;
+ u_short ofi_auth;
+ u_32_t fi_flx;
+ u_32_t fi_tcpmsk;
+ u_32_t fi_res1;
+} frip4_t;
+
+typedef struct frpcmp4 {
+ int frp_cmp;
+ u_short frp_port;
+ u_short frp_top;
+} frpcmp4_t;
+
+typedef struct frtuc4 {
+ u_char ftu_tcpfm;
+ u_char ftu_tcpf;
+ frpcmp4_t ftu_src;
+ frpcmp4_t ftu_dst;
+} frtuc4_t;
+
+typedef struct fripf4 {
+ frip4_t fri_ip;
+ frip4_t fri_mip;
+
+ u_short fri_icmpm;
+ u_short fri_icmp;
+
+ frtuc4_t fri_tuc;
+ int fri_satype;
+ int fri_datype;
+ int fri_sifpidx;
+ int fri_difpidx;
+} fripf4_t;
+
+typedef struct frdest_4 {
+ void *fd_ifp;
+ i6addr_t ofd_ip6;
+ char fd_ifname[LIFNAMSIZ];
+} frdest_4_t;
+
+/* ------------------------------------------------------------------------ */
+
+/* 5.1.0 new release (current)
+ * 4.1.34 changed the size of the time structure used for pps
+ * 4.1.16 moved the location of fr_flineno
+ * 4.1.0 base version
+ */
+typedef struct frentry_4_1_34 {
+ ipfmutex_t fr_lock;
+ struct frentry *fr_next;
+ struct frentry **fr_grp;
+ struct ipscan *fr_isc;
+ void *fr_ifas[4];
+ void *fr_ptr; /* for use with fr_arg */
+ char *fr_comment; /* text comment for rule */
+ int fr_ref; /* reference count - for grouping */
+ int fr_statecnt; /* state count - for limit rules */
+ int fr_flineno; /* line number from conf file */
+ U_QUAD_T fr_hits;
+ U_QUAD_T fr_bytes;
+ union {
+ struct timeval frp_lastpkt;
+ char frp_bytes[12];
+ } fr_lpu;
+ int fr_curpps;
+ union {
+ void *fru_data;
+ char *fru_caddr;
+ fripf4_t *fru_ipf;
+ frentfunc_t fru_func;
+ } fr_dun;
+ ipfunc_t fr_func; /* call this function */
+ int fr_dsize;
+ int fr_pps;
+ int fr_statemax; /* max reference count */
+ u_32_t fr_type;
+ u_32_t fr_flags; /* per-rule flags && options (see below) */
+ u_32_t fr_logtag; /* user defined log tag # */
+ u_32_t fr_collect; /* collection number */
+ u_int fr_arg; /* misc. numeric arg for rule */
+ u_int fr_loglevel; /* syslog log facility + priority */
+ u_int fr_age[2]; /* non-TCP timeouts */
+ u_char fr_v;
+ u_char fr_icode; /* return ICMP code */
+ char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
+ char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
+ ipftag_t fr_nattag;
+ char fr_ifnames[4][LIFNAMSIZ];
+ char fr_isctag[16];
+ frdest_4_t fr_tifs[2]; /* "to"/"reply-to" interface */
+ frdest_4_t fr_dif; /* duplicate packet interface */
+ u_int fr_cksum; /* checksum on filter rules for performance */
+} frentry_4_1_34_t;
+
+typedef struct frentry_4_1_16 {
+ ipfmutex_t fr_lock;
+ struct frentry *fr_next;
+ struct frentry **fr_grp;
+ struct ipscan *fr_isc;
+ void *fr_ifas[4];
+ void *fr_ptr;
+ char *fr_comment;
+ int fr_ref;
+ int fr_statecnt;
+ int fr_flineno;
+ U_QUAD_T fr_hits;
+ U_QUAD_T fr_bytes;
+ union {
+#ifdef __NetBSD__
+ timeval_l_t frp_lastpkt;
+#else
+ struct timeval frp_lastpkt;
+#endif
+ } fr_lpu;
+ int fr_curpps;
+ union {
+ void *fru_data;
+ caddr_t fru_caddr;
+ fripf4_t *fru_ipf;
+ frentfunc_t fru_func;
+ } fr_dun;
+ ipfunc_t fr_func;
+ int fr_dsize;
+ int fr_pps;
+ int fr_statemax;
+ u_32_t fr_type;
+ u_32_t fr_flags;
+ u_32_t fr_logtag;
+ u_32_t fr_collect;
+ u_int fr_arg;
+ u_int fr_loglevel;
+ u_int fr_age[2];
+ u_char fr_v;
+ u_char fr_icode;
+ char fr_group[FR_GROUPLEN];
+ char fr_grhead[FR_GROUPLEN];
+ ipftag_t fr_nattag;
+ char fr_ifnames[4][LIFNAMSIZ];
+ char fr_isctag[16];
+ frdest_4_t fr_tifs[2];
+ frdest_4_t fr_dif;
+ u_int fr_cksum;
+} frentry_4_1_16_t;
+
+typedef struct frentry_4_1_0 {
+ ipfmutex_t fr_lock;
+ struct frentry *fr_next;
+ struct frentry **fr_grp;
+ struct ipscan *fr_isc;
+ void *fr_ifas[4];
+ void *fr_ptr;
+ char *fr_comment;
+ int fr_ref;
+ int fr_statecnt;
+ U_QUAD_T fr_hits;
+ U_QUAD_T fr_bytes;
+ union {
+#ifdef __NetBSD__
+ timeval_l_t frp_lastpkt;
+#else
+ struct timeval frp_lastpkt;
+#endif
+ } fr_lpu;
+ int fr_curpps;
+
+ union {
+ void *fru_data;
+ caddr_t fru_caddr;
+ fripf4_t *fru_ipf;
+ frentfunc_t fru_func;
+ } fr_dun;
+ /*
+ * Fields after this may not change whilst in the kernel.
+ */
+ ipfunc_t fr_func;
+ int fr_dsize;
+ int fr_pps;
+ int fr_statemax;
+ int fr_flineno;
+ u_32_t fr_type;
+ u_32_t fr_flags;
+ u_32_t fr_logtag;
+ u_32_t fr_collect;
+ u_int fr_arg;
+ u_int fr_loglevel;
+ u_int fr_age[2];
+ u_char fr_v;
+ u_char fr_icode;
+ char fr_group[FR_GROUPLEN];
+ char fr_grhead[FR_GROUPLEN];
+ ipftag_t fr_nattag;
+ char fr_ifnames[4][LIFNAMSIZ];
+ char fr_isctag[16];
+ frdest_4_t fr_tifs[2];
+ frdest_4_t fr_dif;
+ u_int fr_cksum;
+} frentry_4_1_0_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.32 removed both fin_state and fin_nat, added fin_pktnum
+ * 4.1.24 added fin_cksum
+ * 4.1.23 added fin_exthdr
+ * 4.1.11 added fin_ifname
+ * 4.1.4 added fin_hbuf
+ */
+typedef struct fr_info_4_1_32 {
+ void *fin_ifp; /* interface packet is `on' */
+ frip4_t fin_fi; /* IP Packet summary */
+ union {
+ u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */
+ u_32_t fid_32;
+ } fin_dat;
+ int fin_out; /* in or out ? 1 == out, 0 == in */
+ int fin_rev; /* state only: 1 = reverse */
+ u_short fin_hlen; /* length of IP header in bytes */
+ u_char ofin_tcpf; /* TCP header flags (SYN, ACK, etc) */
+ u_char fin_icode; /* ICMP error to return */
+ u_32_t fin_rule; /* rule # last matched */
+ char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
+ struct frentry *fin_fr; /* last matching rule */
+ void *fin_dp; /* start of data past IP header */
+ int fin_dlen; /* length of data portion of packet */
+ int fin_plen;
+ int fin_ipoff; /* # bytes from buffer start to hdr */
+ u_short fin_id; /* IP packet id field */
+ u_short fin_off;
+ int fin_depth; /* Group nesting depth */
+ int fin_error; /* Error code to return */
+ int fin_cksum; /* -1 bad, 1 good, 0 not done */
+ u_int fin_pktnum;
+ void *fin_nattag;
+ void *fin_exthdr;
+ ip_t *ofin_ip;
+ mb_t **fin_mp; /* pointer to pointer to mbuf */
+ mb_t *fin_m; /* pointer to mbuf */
+#ifdef MENTAT
+ mb_t *fin_qfm; /* pointer to mblk where pkt starts */
+ void *fin_qpi;
+ char fin_ifname[LIFNAMSIZ];
+#endif
+#ifdef __sgi
+ void *fin_hbuf;
+#endif
+} fr_info_4_1_32_t;
+
+typedef struct fr_info_4_1_24 {
+ void *fin_ifp;
+ frip4_t fin_fi;
+ union {
+ u_short fid_16[2];
+ u_32_t fid_32;
+ } fin_dat;
+ int fin_out;
+ int fin_rev;
+ u_short fin_hlen;
+ u_char ofin_tcpf;
+ u_char fin_icode;
+ u_32_t fin_rule;
+ char fin_group[FR_GROUPLEN];
+ struct frentry *fin_fr;
+ void *fin_dp;
+ int fin_dlen;
+ int fin_plen;
+ int fin_ipoff;
+ u_short fin_id;
+ u_short fin_off;
+ int fin_depth;
+ int fin_error;
+ int fin_cksum;
+ void *fin_state;
+ void *fin_nat;
+ void *fin_nattag;
+ void *fin_exthdr;
+ ip_t *ofin_ip;
+ mb_t **fin_mp;
+ mb_t *fin_m;
+#ifdef MENTAT
+ mb_t *fin_qfm;
+ void *fin_qpi;
+ char fin_ifname[LIFNAMSIZ];
+#endif
+#ifdef __sgi
+ void *fin_hbuf;
+#endif
+} fr_info_4_1_24_t;
+
+typedef struct fr_info_4_1_23 {
+ void *fin_ifp;
+ frip4_t fin_fi;
+ union {
+ u_short fid_16[2];
+ u_32_t fid_32;
+ } fin_dat;
+ int fin_out;
+ int fin_rev;
+ u_short fin_hlen;
+ u_char ofin_tcpf;
+ u_char fin_icode;
+ u_32_t fin_rule;
+ char fin_group[FR_GROUPLEN];
+ struct frentry *fin_fr;
+ void *fin_dp;
+ int fin_dlen;
+ int fin_plen;
+ int fin_ipoff;
+ u_short fin_id;
+ u_short fin_off;
+ int fin_depth;
+ int fin_error;
+ void *fin_state;
+ void *fin_nat;
+ void *fin_nattag;
+ void *fin_exthdr;
+ ip_t *ofin_ip;
+ mb_t **fin_mp;
+ mb_t *fin_m;
+#ifdef MENTAT
+ mb_t *fin_qfm;
+ void *fin_qpi;
+ char fin_ifname[LIFNAMSIZ];
+#endif
+#ifdef __sgi
+ void *fin_hbuf;
+#endif
+} fr_info_4_1_23_t;
+
+typedef struct fr_info_4_1_11 {
+ void *fin_ifp;
+ frip4_t fin_fi;
+ union {
+ u_short fid_16[2];
+ u_32_t fid_32;
+ } fin_dat;
+ int fin_out;
+ int fin_rev;
+ u_short fin_hlen;
+ u_char ofin_tcpf;
+ u_char fin_icode;
+ u_32_t fin_rule;
+ char fin_group[FR_GROUPLEN];
+ struct frentry *fin_fr;
+ void *fin_dp;
+ int fin_dlen;
+ int fin_plen;
+ int fin_ipoff;
+ u_short fin_id;
+ u_short fin_off;
+ int fin_depth;
+ int fin_error;
+ void *fin_state;
+ void *fin_nat;
+ void *fin_nattag;
+ ip_t *ofin_ip;
+ mb_t **fin_mp;
+ mb_t *fin_m;
+#ifdef MENTAT
+ mb_t *fin_qfm;
+ void *fin_qpi;
+ char fin_ifname[LIFNAMSIZ];
+#endif
+#ifdef __sgi
+ void *fin_hbuf;
+#endif
+} fr_info_4_1_11_t;
+
+/* ------------------------------------------------------------------------ */
+
+typedef struct filterstats_4_1 {
+ u_long fr_pass; /* packets allowed */
+ u_long fr_block; /* packets denied */
+ u_long fr_nom; /* packets which don't match any rule */
+ u_long fr_short; /* packets which are short */
+ u_long fr_ppkl; /* packets allowed and logged */
+ u_long fr_bpkl; /* packets denied and logged */
+ u_long fr_npkl; /* packets unmatched and logged */
+ u_long fr_pkl; /* packets logged */
+ u_long fr_skip; /* packets to be logged but buffer full */
+ u_long fr_ret; /* packets for which a return is sent */
+ u_long fr_acct; /* packets for which counting was performed */
+ u_long fr_bnfr; /* bad attempts to allocate fragment state */
+ u_long fr_nfr; /* new fragment state kept */
+ u_long fr_cfr; /* add new fragment state but complete pkt */
+ u_long fr_bads; /* bad attempts to allocate packet state */
+ u_long fr_ads; /* new packet state kept */
+ u_long fr_chit; /* cached hit */
+ u_long fr_tcpbad; /* TCP checksum check failures */
+ u_long fr_pull[2]; /* good and bad pullup attempts */
+ u_long fr_badsrc; /* source received doesn't match route */
+ u_long fr_badttl; /* TTL in packet doesn't reach minimum */
+ u_long fr_bad; /* bad IP packets to the filter */
+ u_long fr_ipv6; /* IPv6 packets in/out */
+ u_long fr_ppshit; /* dropped because of pps ceiling */
+ u_long fr_ipud; /* IP id update failures */
+} filterstats_4_1_t;
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.33 changed the size of f_locks from IPL_LOGMAX to IPL_LOGSIZE
+ */
+typedef struct friostat_4_1_33 {
+ struct filterstats_4_1 of_st[2];
+ struct frentry *f_ipf[2][2];
+ struct frentry *f_acct[2][2];
+ struct frentry *f_ipf6[2][2];
+ struct frentry *f_acct6[2][2];
+ struct frentry *f_auth;
+ struct frgroup *f_groups[IPL_LOGSIZE][2];
+ u_long f_froute[2];
+ u_long f_ticks;
+ int f_locks[IPL_LOGSIZE];
+ size_t f_kmutex_sz;
+ size_t f_krwlock_sz;
+ int f_defpass; /* default pass - from fr_pass */
+ int f_active; /* 1 or 0 - active rule set */
+ int f_running; /* 1 if running, else 0 */
+ int f_logging; /* 1 if enabled, else 0 */
+ int f_features;
+ char f_version[32]; /* version string */
+} friostat_4_1_33_t;
+
+typedef struct friostat_4_1_0 {
+ struct filterstats_4_1 of_st[2];
+ struct frentry *f_ipf[2][2];
+ struct frentry *f_acct[2][2];
+ struct frentry *f_ipf6[2][2];
+ struct frentry *f_acct6[2][2];
+ struct frentry *f_auth;
+ struct frgroup *f_groups[IPL_LOGSIZE][2];
+ u_long f_froute[2];
+ u_long f_ticks;
+ int f_locks[IPL_LOGMAX];
+ size_t f_kmutex_sz;
+ size_t f_krwlock_sz;
+ int f_defpass;
+ int f_active;
+ int f_running;
+ int f_logging;
+ int f_features;
+ char f_version[32];
+} friostat_4_1_0_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.14 added in_lock
+ */
+typedef struct ipnat_4_1_14 {
+ ipfmutex_t in_lock;
+ struct ipnat *in_next; /* NAT rule list next */
+ struct ipnat *in_rnext; /* rdr rule hash next */
+ struct ipnat **in_prnext; /* prior rdr next ptr */
+ struct ipnat *in_mnext; /* map rule hash next */
+ struct ipnat **in_pmnext; /* prior map next ptr */
+ struct ipftq *in_tqehead[2];
+ void *in_ifps[2];
+ void *in_apr;
+ char *in_comment;
+ i6addr_t in_next6;
+ u_long in_space;
+ u_long in_hits;
+ u_int in_use;
+ u_int in_hv;
+ int in_flineno; /* conf. file line number */
+ u_short in_pnext;
+ u_char in_v;
+ u_char in_xxx;
+ /* From here to the end is covered by IPN_CMPSIZ */
+ u_32_t in_flags;
+ u_32_t in_mssclamp; /* if != 0 clamp MSS to this */
+ u_int in_age[2];
+ int in_redir; /* see below for values */
+ int in_p; /* protocol. */
+ i6addr_t in_in[2];
+ i6addr_t in_out[2];
+ i6addr_t in_src[2];
+ frtuc4_t in_tuc;
+ u_short in_port[2];
+ u_short in_ppip; /* ports per IP. */
+ u_short in_ippip; /* IP #'s per IP# */
+ char in_ifnames[2][LIFNAMSIZ];
+ char in_plabel[APR_LABELLEN]; /* proxy label. */
+ ipftag_t in_tag;
+} ipnat_4_1_14_t;
+
+typedef struct ipnat_4_1_0 {
+ struct ipnat *in_next;
+ struct ipnat *in_rnext;
+ struct ipnat **in_prnext;
+ struct ipnat *in_mnext;
+ struct ipnat **in_pmnext;
+ struct ipftq *in_tqehead[2];
+ void *in_ifps[2];
+ void *in_apr;
+ char *in_comment;
+ i6addr_t in_next6;
+ u_long in_space;
+ u_long in_hits;
+ u_int in_use;
+ u_int in_hv;
+ int in_flineno;
+ u_short in_pnext;
+ u_char in_v;
+ u_char in_xxx;
+ u_32_t in_flags;
+ u_32_t in_mssclamp;
+ u_int in_age[2];
+ int in_redir;
+ int in_p;
+ i6addr_t in_in[2];
+ i6addr_t in_out[2];
+ i6addr_t in_src[2];
+ frtuc4_t in_tuc;
+ u_short in_port[2];
+ u_short in_ppip;
+ u_short in_ippip;
+ char in_ifnames[2][LIFNAMSIZ];
+ char in_plabel[APR_LABELLEN];
+ ipftag_t in_tag;
+} ipnat_4_1_0_t;
+
+/* ------------------------------------------------------------------------ */
+
+typedef struct natlookup_4_1_1 {
+ struct in_addr onl_inip;
+ struct in_addr onl_outip;
+ struct in_addr onl_realip;
+ int nl_flags;
+ u_short nl_inport;
+ u_short nl_outport;
+ u_short nl_realport;
+} natlookup_4_1_1_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 4.1.25 added nat_seqnext (current)
+ * 4.1.14 added nat_redir
+ * 4.1.3 moved nat_rev
+ * 4.1.2 added nat_rev
+ */
+typedef struct nat_4_1_25 {
+ ipfmutex_t nat_lock;
+ struct nat_4_1_25 *nat_next;
+ struct nat_4_1_25 **nat_pnext;
+ struct nat_4_1_25 *nat_hnext[2];
+ struct nat_4_1_25 **nat_phnext[2];
+ struct hostmap *nat_hm;
+ void *nat_data;
+ struct nat_4_1_25 **nat_me;
+ struct ipstate *nat_state;
+ struct ap_session *nat_aps;
+ frentry_t *nat_fr;
+ struct ipnat_4_1_14 *nat_ptr;
+ void *nat_ifps[2];
+ void *nat_sync;
+ ipftqent_t nat_tqe;
+ u_32_t nat_flags;
+ u_32_t nat_sumd[2];
+ u_32_t nat_ipsumd;
+ u_32_t nat_mssclamp;
+ i6addr_t nat_inip6;
+ i6addr_t nat_outip6;
+ i6addr_t nat_oip6;
+ U_QUAD_T nat_pkts[2];
+ U_QUAD_T nat_bytes[2];
+ union {
+ udpinfo_t nat_unu;
+ tcpinfo4_t nat_unt;
+ icmpinfo_t nat_uni;
+ greinfo_t nat_ugre;
+ } nat_un;
+ u_short nat_oport;
+ u_short nat_use;
+ u_char nat_p;
+ int nat_dir;
+ int nat_ref;
+ int nat_hv[2];
+ char nat_ifnames[2][LIFNAMSIZ];
+ int nat_rev;
+ int nat_redir;
+ u_32_t nat_seqnext[2];
+} nat_4_1_25_t;
+
+typedef struct nat_4_1_14 {
+ ipfmutex_t nat_lock;
+ struct nat *nat_next;
+ struct nat **nat_pnext;
+ struct nat *nat_hnext[2];
+ struct nat **nat_phnext[2];
+ struct hostmap *nat_hm;
+ void *nat_data;
+ struct nat **nat_me;
+ struct ipstate *nat_state;
+ struct ap_session *nat_aps;
+ frentry_t *nat_fr;
+ struct ipnat *nat_ptr;
+ void *nat_ifps[2];
+ void *nat_sync;
+ ipftqent_t nat_tqe;
+ u_32_t nat_flags;
+ u_32_t nat_sumd[2];
+ u_32_t nat_ipsumd;
+ u_32_t nat_mssclamp;
+ i6addr_t nat_inip6;
+ i6addr_t nat_outip6;
+ i6addr_t nat_oip6;
+ U_QUAD_T nat_pkts[2];
+ U_QUAD_T nat_bytes[2];
+ union {
+ udpinfo_t nat_unu;
+ tcpinfo4_t nat_unt;
+ icmpinfo_t nat_uni;
+ greinfo_t nat_ugre;
+ } nat_un;
+ u_short nat_oport;
+ u_short nat_use;
+ u_char nat_p;
+ int nat_dir;
+ int nat_ref;
+ int nat_hv[2];
+ char nat_ifnames[2][LIFNAMSIZ];
+ int nat_rev;
+ int nat_redir;
+} nat_4_1_14_t;
+
+typedef struct nat_4_1_3 {
+ ipfmutex_t nat_lock;
+ struct nat *nat_next;
+ struct nat **nat_pnext;
+ struct nat *nat_hnext[2];
+ struct nat **nat_phnext[2];
+ struct hostmap *nat_hm;
+ void *nat_data;
+ struct nat **nat_me;
+ struct ipstate *nat_state;
+ struct ap_session *nat_aps;
+ frentry_t *nat_fr;
+ struct ipnat *nat_ptr;
+ void *nat_ifps[2];
+ void *nat_sync;
+ ipftqent_t nat_tqe;
+ u_32_t nat_flags;
+ u_32_t nat_sumd[2];
+ u_32_t nat_ipsumd;
+ u_32_t nat_mssclamp;
+ i6addr_t nat_inip6;
+ i6addr_t nat_outip6;
+ i6addr_t nat_oip6;
+ U_QUAD_T nat_pkts[2];
+ U_QUAD_T nat_bytes[2];
+ union {
+ udpinfo_t nat_unu;
+ tcpinfo4_t nat_unt;
+ icmpinfo_t nat_uni;
+ greinfo_t nat_ugre;
+ } nat_un;
+ u_short nat_oport;
+ u_short nat_use;
+ u_char nat_p;
+ int nat_dir;
+ int nat_ref;
+ int nat_hv[2];
+ char nat_ifnames[2][LIFNAMSIZ];
+ int nat_rev;
+} nat_4_1_3_t;
+
+
+
+typedef struct nat_save_4_1_34 {
+ void *ipn_next;
+ struct nat_4_1_25 ipn_nat;
+ struct ipnat_4_1_14 ipn_ipnat;
+ struct frentry_4_1_34 ipn_fr;
+ int ipn_dsize;
+ char ipn_data[4];
+} nat_save_4_1_34_t;
+
+typedef struct nat_save_4_1_16 {
+ void *ipn_next;
+ nat_4_1_14_t ipn_nat;
+ ipnat_t ipn_ipnat;
+ frentry_4_1_16_t ipn_fr;
+ int ipn_dsize;
+ char ipn_data[4];
+} nat_save_4_1_16_t;
+
+typedef struct nat_save_4_1_14 {
+ void *ipn_next;
+ nat_4_1_14_t ipn_nat;
+ ipnat_t ipn_ipnat;
+ frentry_4_1_0_t ipn_fr;
+ int ipn_dsize;
+ char ipn_data[4];
+} nat_save_4_1_14_t;
+
+typedef struct nat_save_4_1_3 {
+ void *ipn_next;
+ nat_4_1_3_t ipn_nat;
+ ipnat_4_1_0_t ipn_ipnat;
+ frentry_4_1_0_t ipn_fr;
+ int ipn_dsize;
+ char ipn_data[4];
+} nat_save_4_1_3_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.32 added ns_uncreate
+ * 4.1.27 added ns_orphans
+ * 4.1.16 added ns_ticks
+ */
+typedef struct natstat_4_1_32 {
+ u_long ns_mapped[2];
+ u_long ns_rules;
+ u_long ns_added;
+ u_long ns_expire;
+ u_long ns_inuse;
+ u_long ns_logged;
+ u_long ns_logfail;
+ u_long ns_memfail;
+ u_long ns_badnat;
+ u_long ns_addtrpnt;
+ nat_t **ns_table[2];
+ hostmap_t **ns_maptable;
+ ipnat_t *ns_list;
+ void *ns_apslist;
+ u_int ns_wilds;
+ u_int ns_nattab_sz;
+ u_int ns_nattab_max;
+ u_int ns_rultab_sz;
+ u_int ns_rdrtab_sz;
+ u_int ns_trpntab_sz;
+ u_int ns_hostmap_sz;
+ nat_t *ns_instances;
+ hostmap_t *ns_maplist;
+ u_long *ns_bucketlen[2];
+ u_long ns_ticks;
+ u_int ns_orphans;
+ u_long ns_uncreate[2][2];
+} natstat_4_1_32_t;
+
+typedef struct natstat_4_1_27 {
+ u_long ns_mapped[2];
+ u_long ns_rules;
+ u_long ns_added;
+ u_long ns_expire;
+ u_long ns_inuse;
+ u_long ns_logged;
+ u_long ns_logfail;
+ u_long ns_memfail;
+ u_long ns_badnat;
+ u_long ns_addtrpnt;
+ nat_t **ns_table[2];
+ hostmap_t **ns_maptable;
+ ipnat_t *ns_list;
+ void *ns_apslist;
+ u_int ns_wilds;
+ u_int ns_nattab_sz;
+ u_int ns_nattab_max;
+ u_int ns_rultab_sz;
+ u_int ns_rdrtab_sz;
+ u_int ns_trpntab_sz;
+ u_int ns_hostmap_sz;
+ nat_t *ns_instances;
+ hostmap_t *ns_maplist;
+ u_long *ns_bucketlen[2];
+ u_long ns_ticks;
+ u_int ns_orphans;
+} natstat_4_1_27_t;
+
+typedef struct natstat_4_1_16 {
+ u_long ns_mapped[2];
+ u_long ns_rules;
+ u_long ns_added;
+ u_long ns_expire;
+ u_long ns_inuse;
+ u_long ns_logged;
+ u_long ns_logfail;
+ u_long ns_memfail;
+ u_long ns_badnat;
+ u_long ns_addtrpnt;
+ nat_t **ns_table[2];
+ hostmap_t **ns_maptable;
+ ipnat_t *ns_list;
+ void *ns_apslist;
+ u_int ns_wilds;
+ u_int ns_nattab_sz;
+ u_int ns_nattab_max;
+ u_int ns_rultab_sz;
+ u_int ns_rdrtab_sz;
+ u_int ns_trpntab_sz;
+ u_int ns_hostmap_sz;
+ nat_t *ns_instances;
+ hostmap_t *ns_maplist;
+ u_long *ns_bucketlen[2];
+ u_long ns_ticks;
+} natstat_4_1_16_t;
+
+typedef struct natstat_4_1_0 {
+ u_long ns_mapped[2];
+ u_long ns_rules;
+ u_long ns_added;
+ u_long ns_expire;
+ u_long ns_inuse;
+ u_long ns_logged;
+ u_long ns_logfail;
+ u_long ns_memfail;
+ u_long ns_badnat;
+ u_long ns_addtrpnt;
+ nat_t **ns_table[2];
+ hostmap_t **ns_maptable;
+ ipnat_t *ns_list;
+ void *ns_apslist;
+ u_int ns_wilds;
+ u_int ns_nattab_sz;
+ u_int ns_nattab_max;
+ u_int ns_rultab_sz;
+ u_int ns_rdrtab_sz;
+ u_int ns_trpntab_sz;
+ u_int ns_hostmap_sz;
+ nat_t *ns_instances;
+ hostmap_t *ns_maplist;
+ u_long *ns_bucketlen[2];
+} natstat_4_1_0_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.32 fra_info:removed both fin_state & fin_nat, added fin_pktnum
+ * 4.1.29 added fra_flx
+ * 4.1.24 fra_info:added fin_cksum
+ * 4.1.23 fra_info:added fin_exthdr
+ * 4.1.11 fra_info:added fin_ifname
+ * 4.1.4 fra_info:added fin_hbuf
+ */
+
+typedef struct frauth_4_1_32 {
+ int fra_age;
+ int fra_len;
+ int fra_index;
+ u_32_t fra_pass;
+ fr_info_4_1_32_t fra_info;
+ char *fra_buf;
+ u_32_t fra_flx;
+#ifdef MENTAT
+ queue_t *fra_q;
+ mb_t *fra_m;
+#endif
+} frauth_4_1_32_t;
+
+typedef struct frauth_4_1_29 {
+ int fra_age;
+ int fra_len;
+ int fra_index;
+ u_32_t fra_pass;
+ fr_info_4_1_24_t fra_info;
+ char *fra_buf;
+ u_32_t fra_flx;
+#ifdef MENTAT
+ queue_t *fra_q;
+ mb_t *fra_m;
+#endif
+} frauth_4_1_29_t;
+
+typedef struct frauth_4_1_24 {
+ int fra_age;
+ int fra_len;
+ int fra_index;
+ u_32_t fra_pass;
+ fr_info_4_1_24_t fra_info;
+ char *fra_buf;
+#ifdef MENTAT
+ queue_t *fra_q;
+ mb_t *fra_m;
+#endif
+} frauth_4_1_24_t;
+
+typedef struct frauth_4_1_23 {
+ int fra_age;
+ int fra_len;
+ int fra_index;
+ u_32_t fra_pass;
+ fr_info_4_1_23_t fra_info;
+ char *fra_buf;
+#ifdef MENTAT
+ queue_t *fra_q;
+ mb_t *fra_m;
+#endif
+} frauth_4_1_23_t;
+
+typedef struct frauth_4_1_11 {
+ int fra_age;
+ int fra_len;
+ int fra_index;
+ u_32_t fra_pass;
+ fr_info_4_1_11_t fra_info;
+ char *fra_buf;
+#ifdef MENTAT
+ queue_t *fra_q;
+ mb_t *fra_m;
+#endif
+} frauth_4_1_11_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.16 removed is_nat
+ */
+typedef struct ipstate_4_1_16 {
+ ipfmutex_t is_lock;
+ struct ipstate *is_next;
+ struct ipstate **is_pnext;
+ struct ipstate *is_hnext;
+ struct ipstate **is_phnext;
+ struct ipstate **is_me;
+ void *is_ifp[4];
+ void *is_sync;
+ frentry_t *is_rule;
+ struct ipftq *is_tqehead[2];
+ struct ipscan *is_isc;
+ U_QUAD_T is_pkts[4];
+ U_QUAD_T is_bytes[4];
+ U_QUAD_T is_icmppkts[4];
+ struct ipftqent is_sti;
+ u_int is_frage[2];
+ int is_ref; /* reference count */
+ int is_isninc[2];
+ u_short is_sumd[2];
+ i6addr_t is_src;
+ i6addr_t is_dst;
+ u_int is_pass;
+ u_char is_p; /* Protocol */
+ u_char is_v;
+ u_32_t is_hv;
+ u_32_t is_tag;
+ u_32_t is_opt[2]; /* packet options set */
+ u_32_t is_optmsk[2]; /* " " mask */
+ u_short is_sec; /* security options set */
+ u_short is_secmsk; /* " " mask */
+ u_short is_auth; /* authentication options set */
+ u_short is_authmsk; /* " " mask */
+ union {
+ icmpinfo_t is_ics;
+ tcpinfo4_t is_ts;
+ udpinfo_t is_us;
+ greinfo_t is_ug;
+ } is_ps;
+ u_32_t is_flags;
+ int is_flx[2][2];
+ u_32_t is_rulen; /* rule number when created */
+ u_32_t is_s0[2];
+ u_short is_smsk[2];
+ char is_group[FR_GROUPLEN];
+ char is_sbuf[2][16];
+ char is_ifname[4][LIFNAMSIZ];
+} ipstate_4_1_16_t;
+
+typedef struct ipstate_4_1_0 {
+ ipfmutex_t is_lock;
+ struct ipstate *is_next;
+ struct ipstate **is_pnext;
+ struct ipstate *is_hnext;
+ struct ipstate **is_phnext;
+ struct ipstate **is_me;
+ void *is_ifp[4];
+ void *is_sync;
+ void *is_nat[2];
+ frentry_t *is_rule;
+ struct ipftq *is_tqehead[2];
+ struct ipscan *is_isc;
+ U_QUAD_T is_pkts[4];
+ U_QUAD_T is_bytes[4];
+ U_QUAD_T is_icmppkts[4];
+ struct ipftqent is_sti;
+ u_int is_frage[2];
+ int is_ref;
+ int is_isninc[2];
+ u_short is_sumd[2];
+ i6addr_t is_src;
+ i6addr_t is_dst;
+ u_int is_pass;
+ u_char is_p;
+ u_char is_v;
+ u_32_t is_hv;
+ u_32_t is_tag;
+ u_32_t is_opt[2];
+ u_32_t is_optmsk[2];
+ u_short is_sec;
+ u_short is_secmsk;
+ u_short is_auth;
+ u_short is_authmsk;
+ union {
+ icmpinfo_t is_ics;
+ tcpinfo4_t is_ts;
+ udpinfo_t is_us;
+ greinfo_t is_ug;
+ } is_ps;
+ u_32_t is_flags;
+ int is_flx[2][2];
+ u_32_t is_rulen;
+ u_32_t is_s0[2];
+ u_short is_smsk[2];
+ char is_group[FR_GROUPLEN];
+ char is_sbuf[2][16];
+ char is_ifname[4][LIFNAMSIZ];
+} ipstate_4_1_0_t;
+
+typedef struct ipstate_save_4_1_34 {
+ void *ips_next;
+ struct ipstate_4_1_16 ips_is;
+ struct frentry_4_1_34 ips_fr;
+} ipstate_save_4_1_34_t;
+
+typedef struct ipstate_save_4_1_16 {
+ void *ips_next;
+ ipstate_4_1_0_t ips_is;
+ frentry_4_1_16_t ips_fr;
+} ipstate_save_4_1_16_t;
+
+typedef struct ipstate_save_4_1_0 {
+ void *ips_next;
+ ipstate_4_1_0_t ips_is;
+ frentry_4_1_0_t ips_fr;
+} ipstate_save_4_1_0_t;
+
+/* ------------------------------------------------------------------------ */
+
+/*
+ * 5.1.0 new release (current)
+ * 4.1.21 added iss_tcptab
+ */
+typedef struct ips_stat_4_1_21 {
+ u_long iss_hits;
+ u_long iss_miss;
+ u_long iss_max;
+ u_long iss_maxref;
+ u_long iss_tcp;
+ u_long iss_udp;
+ u_long iss_icmp;
+ u_long iss_nomem;
+ u_long iss_expire;
+ u_long iss_fin;
+ u_long iss_active;
+ u_long iss_logged;
+ u_long iss_logfail;
+ u_long iss_inuse;
+ u_long iss_wild;
+ u_long iss_killed;
+ u_long iss_ticks;
+ u_long iss_bucketfull;
+ int iss_statesize;
+ int iss_statemax;
+ ipstate_t **iss_table;
+ ipstate_t *iss_list;
+ u_long *iss_bucketlen;
+ ipftq_t *iss_tcptab;
+} ips_stat_4_1_21_t;
+
+typedef struct ips_stat_4_1_0 {
+ u_long iss_hits;
+ u_long iss_miss;
+ u_long iss_max;
+ u_long iss_maxref;
+ u_long iss_tcp;
+ u_long iss_udp;
+ u_long iss_icmp;
+ u_long iss_nomem;
+ u_long iss_expire;
+ u_long iss_fin;
+ u_long iss_active;
+ u_long iss_logged;
+ u_long iss_logfail;
+ u_long iss_inuse;
+ u_long iss_wild;
+ u_long iss_killed;
+ u_long iss_ticks;
+ u_long iss_bucketfull;
+ int iss_statesize;
+ int iss_statemax;
+ ipstate_t **iss_table;
+ ipstate_t *iss_list;
+ u_long *iss_bucketlen;
+} ips_stat_4_1_0_t;
+
+/* ------------------------------------------------------------------------ */
+
+typedef struct ipfrstat_4_1_1 {
+ u_long ifs_exists; /* add & already exists */
+ u_long ifs_nomem;
+ u_long ifs_new;
+ u_long ifs_hits;
+ u_long ifs_expire;
+ u_long ifs_inuse;
+ u_long ifs_retrans0;
+ u_long ifs_short;
+ struct ipfr **ifs_table;
+ struct ipfr **ifs_nattab;
+} ipfrstat_4_1_1_t;
+
+/* ------------------------------------------------------------------------ */
+static int ipf_addfrstr __P((char *, int, char *, int));
+static void ipf_v4iptov5 __P((frip4_t *, fr_ip_t *));
+static void ipf_v5iptov4 __P((fr_ip_t *, frip4_t *));
+static void ipfv4tuctov5 __P((frtuc4_t *, frtuc_t *));
+static void ipfv5tuctov4 __P((frtuc_t *, frtuc4_t *));
+static int ipf_v4fripftov5 __P((fripf4_t *, char *));
+static void ipf_v5fripftov4 __P((fripf_t *, fripf4_t *));
+static int fr_frflags4to5 __P((u_32_t));
+static int fr_frflags5to4 __P((u_32_t));
+
+static void friostat_current_to_4_1_0 __P((void *, friostat_4_1_0_t *, int));
+static void friostat_current_to_4_1_33 __P((void *, friostat_4_1_33_t *, int));
+static void ipstate_current_to_4_1_0 __P((void *, ipstate_4_1_0_t *));
+static void ipstate_current_to_4_1_16 __P((void *, ipstate_4_1_16_t *));
+static void ipnat_current_to_4_1_0 __P((void *, ipnat_4_1_0_t *));
+static void ipnat_current_to_4_1_14 __P((void *, ipnat_4_1_14_t *));
+static void frauth_current_to_4_1_11 __P((void *, frauth_4_1_11_t *));
+static void frauth_current_to_4_1_23 __P((void *, frauth_4_1_23_t *));
+static void frauth_current_to_4_1_24 __P((void *, frauth_4_1_24_t *));
+static void frauth_current_to_4_1_29 __P((void *, frauth_4_1_29_t *));
+static void frentry_current_to_4_1_0 __P((void *, frentry_4_1_0_t *));
+static void frentry_current_to_4_1_16 __P((void *, frentry_4_1_16_t *));
+static void frentry_current_to_4_1_34 __P((void *, frentry_4_1_34_t *));
+static void fr_info_current_to_4_1_11 __P((void *, fr_info_4_1_11_t *));
+static void fr_info_current_to_4_1_23 __P((void *, fr_info_4_1_23_t *));
+static void fr_info_current_to_4_1_24 __P((void *, fr_info_4_1_24_t *));
+static void nat_save_current_to_4_1_3 __P((void *, nat_save_4_1_3_t *));
+static void nat_save_current_to_4_1_14 __P((void *, nat_save_4_1_14_t *));
+static void nat_save_current_to_4_1_16 __P((void *, nat_save_4_1_16_t *));
+static void ipstate_save_current_to_4_1_0 __P((void *, ipstate_save_4_1_0_t *));
+static void ipstate_save_current_to_4_1_16 __P((void *, ipstate_save_4_1_16_t *));
+static void ips_stat_current_to_4_1_0 __P((void *, ips_stat_4_1_0_t *));
+static void ips_stat_current_to_4_1_21 __P((void *, ips_stat_4_1_21_t *));
+static void natstat_current_to_4_1_0 __P((void *, natstat_4_1_0_t *));
+static void natstat_current_to_4_1_16 __P((void *, natstat_4_1_16_t *));
+static void natstat_current_to_4_1_27 __P((void *, natstat_4_1_27_t *));
+static void natstat_current_to_4_1_32 __P((void *, natstat_4_1_32_t *));
+static void nat_current_to_4_1_3 __P((void *, nat_4_1_3_t *));
+static void nat_current_to_4_1_14 __P((void *, nat_4_1_14_t *));
+static void nat_current_to_4_1_25 __P((void *, nat_4_1_25_t *));
+
+static void friostat_4_1_0_to_current __P((friostat_4_1_0_t *, void *));
+static void friostat_4_1_33_to_current __P((friostat_4_1_33_t *, void *));
+static void ipnat_4_1_0_to_current __P((ipnat_4_1_0_t *, void *, int));
+static void ipnat_4_1_14_to_current __P((ipnat_4_1_14_t *, void *, int));
+static void frauth_4_1_11_to_current __P((frauth_4_1_11_t *, void *));
+static void frauth_4_1_23_to_current __P((frauth_4_1_23_t *, void *));
+static void frauth_4_1_24_to_current __P((frauth_4_1_24_t *, void *));
+static void frauth_4_1_29_to_current __P((frauth_4_1_29_t *, void *));
+static void frauth_4_1_32_to_current __P((frauth_4_1_32_t *, void *));
+static void frentry_4_1_0_to_current __P((ipf_main_softc_t *, frentry_4_1_0_t *, void *, int));
+static void frentry_4_1_16_to_current __P((ipf_main_softc_t *, frentry_4_1_16_t *, void *, int));
+static void frentry_4_1_34_to_current __P((ipf_main_softc_t *, frentry_4_1_34_t *, void *, int));
+static void fr_info_4_1_11_to_current __P((fr_info_4_1_11_t *, void *));
+static void fr_info_4_1_23_to_current __P((fr_info_4_1_23_t *, void *));
+static void fr_info_4_1_24_to_current __P((fr_info_4_1_24_t *, void *));
+static void fr_info_4_1_32_to_current __P((fr_info_4_1_32_t *, void *));
+static void nat_save_4_1_3_to_current __P((ipf_main_softc_t *, nat_save_4_1_3_t *, void *));
+static void nat_save_4_1_14_to_current __P((ipf_main_softc_t *, nat_save_4_1_14_t *, void *));
+static void nat_save_4_1_16_to_current __P((ipf_main_softc_t *, nat_save_4_1_16_t *, void *));
+
+/* ------------------------------------------------------------------------ */
+/* In this section is a series of short routines that deal with translating */
+/* the smaller data structures used above as their internal changes make */
+/* them inappropriate for simple assignment. */
+/* ------------------------------------------------------------------------ */
+
+
+static int
+ipf_addfrstr(char *names, int namelen, char *str, int maxlen)
+{
+ char *t;
+ int i;
+
+ for (i = maxlen, t = str; (*t != '\0') && (i > 0); i--) {
+ names[namelen++] = *t++;
+ }
+ names[namelen++] = '\0';
+ return namelen;
+}
+
+
+static void
+ipf_v4iptov5(v4, v5)
+ frip4_t *v4;
+ fr_ip_t *v5;
+{
+ v5->fi_v = v4->fi_v;
+ v5->fi_p = v4->fi_p;
+ v5->fi_xx = v4->fi_xx;
+ v5->fi_tos = v4->fi_tos;
+ v5->fi_ttl = v4->fi_ttl;
+ v5->fi_p = v4->fi_p;
+ v5->fi_optmsk = v4->fi_optmsk;
+ v5->fi_src = v4->fi_src;
+ v5->fi_dst = v4->fi_dst;
+ v5->fi_secmsk = v4->ofi_secmsk;
+ v5->fi_auth = v4->ofi_auth;
+ v5->fi_flx = v4->fi_flx;
+ v5->fi_tcpmsk = v4->fi_tcpmsk;
+}
+
+static void
+ipf_v5iptov4(v5, v4)
+ fr_ip_t *v5;
+ frip4_t *v4;
+{
+ v4->fi_v = v5->fi_v;
+ v4->fi_p = v5->fi_p;
+ v4->fi_xx = v5->fi_xx;
+ v4->fi_tos = v5->fi_tos;
+ v4->fi_ttl = v5->fi_ttl;
+ v4->fi_p = v5->fi_p;
+ v4->fi_optmsk = v5->fi_optmsk;
+ v4->fi_src = v5->fi_src;
+ v4->fi_dst = v5->fi_dst;
+ v4->ofi_secmsk = v5->fi_secmsk;
+ v4->ofi_auth = v5->fi_auth;
+ v4->fi_flx = v5->fi_flx;
+ v4->fi_tcpmsk = v5->fi_tcpmsk;
+}
+
+
+static void
+ipfv4tuctov5(v4, v5)
+ frtuc4_t *v4;
+ frtuc_t *v5;
+{
+ v5->ftu_src.frp_cmp = v4->ftu_src.frp_cmp;
+ v5->ftu_src.frp_port = v4->ftu_src.frp_port;
+ v5->ftu_src.frp_top = v4->ftu_src.frp_top;
+ v5->ftu_dst.frp_cmp = v4->ftu_dst.frp_cmp;
+ v5->ftu_dst.frp_port = v4->ftu_dst.frp_port;
+ v5->ftu_dst.frp_top = v4->ftu_dst.frp_top;
+}
+
+
+static void
+ipfv5tuctov4(v5, v4)
+ frtuc_t *v5;
+ frtuc4_t *v4;
+{
+ v4->ftu_src.frp_cmp = v5->ftu_src.frp_cmp;
+ v4->ftu_src.frp_port = v5->ftu_src.frp_port;
+ v4->ftu_src.frp_top = v5->ftu_src.frp_top;
+ v4->ftu_dst.frp_cmp = v5->ftu_dst.frp_cmp;
+ v4->ftu_dst.frp_port = v5->ftu_dst.frp_port;
+ v4->ftu_dst.frp_top = v5->ftu_dst.frp_top;
+}
+
+
+static int
+ipf_v4fripftov5(frp4, dst)
+ fripf4_t *frp4;
+ char *dst;
+{
+ fripf_t *frp;
+
+ frp = (fripf_t *)dst;
+
+ ipf_v4iptov5(&frp4->fri_ip, &frp->fri_ip);
+ ipf_v4iptov5(&frp4->fri_mip, &frp->fri_mip);
+ frp->fri_icmpm = frp4->fri_icmpm;
+ frp->fri_icmp = frp4->fri_icmp;
+ frp->fri_tuc.ftu_tcpfm = frp4->fri_tuc.ftu_tcpfm;
+ frp->fri_tuc.ftu_tcpf = frp4->fri_tuc.ftu_tcpf;
+ ipfv4tuctov5(&frp4->fri_tuc, &frp->fri_tuc);
+ frp->fri_satype = frp4->fri_satype;
+ frp->fri_datype = frp4->fri_datype;
+ frp->fri_sifpidx = frp4->fri_sifpidx;
+ frp->fri_difpidx = frp4->fri_difpidx;
+ return 0;
+}
+
+
+static void
+ipf_v5fripftov4(frp, frp4)
+ fripf_t *frp;
+ fripf4_t *frp4;
+{
+
+ ipf_v5iptov4(&frp->fri_ip, &frp4->fri_ip);
+ ipf_v5iptov4(&frp->fri_mip, &frp4->fri_mip);
+ frp4->fri_icmpm = frp->fri_icmpm;
+ frp4->fri_icmp = frp->fri_icmp;
+ frp4->fri_tuc.ftu_tcpfm = frp->fri_tuc.ftu_tcpfm;
+ frp4->fri_tuc.ftu_tcpf = frp->fri_tuc.ftu_tcpf;
+ ipfv5tuctov4(&frp->fri_tuc, &frp4->fri_tuc);
+ frp4->fri_satype = frp->fri_satype;
+ frp4->fri_datype = frp->fri_datype;
+ frp4->fri_sifpidx = frp->fri_sifpidx;
+ frp4->fri_difpidx = frp->fri_difpidx;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* ipf_in_compat is the first of two service routines. It is responsible for*/
+/* converting data structures from user space into what's required by the */
+/* kernel module. */
+/* ------------------------------------------------------------------------ */
+int
+ipf_in_compat(softc, obj, ptr, size)
+ ipf_main_softc_t *softc;
+ ipfobj_t *obj;
+ void *ptr;
+ int size;
+{
+ int error;
+ int sz;
+
+ IPFERROR(140000);
+ error = EINVAL;
+
+ switch (obj->ipfo_type)
+ {
+ default :
+ break;
+
+ case IPFOBJ_FRENTRY :
+ if (obj->ipfo_rev >= 4013400) {
+ frentry_4_1_34_t *old;
+
+ KMALLOC(old, frentry_4_1_34_t *);
+ if (old == NULL) {
+ IPFERROR(140001);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ if (old->fr_type != FR_T_NONE &&
+ old->fr_type != FR_T_IPF) {
+ IPFERROR(140002);
+ error = EINVAL;
+ KFREE(old);
+ break;
+ }
+ frentry_4_1_34_to_current(softc, old,
+ ptr, size);
+ } else {
+ IPFERROR(140003);
+ }
+ KFREE(old);
+ } else if (obj->ipfo_rev >= 4011600) {
+ frentry_4_1_16_t *old;
+
+ KMALLOC(old, frentry_4_1_16_t *);
+ if (old == NULL) {
+ IPFERROR(140004);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ if (old->fr_type != FR_T_NONE &&
+ old->fr_type != FR_T_IPF) {
+ IPFERROR(140005);
+ error = EINVAL;
+ KFREE(old);
+ break;
+ }
+ frentry_4_1_16_to_current(softc, old,
+ ptr, size);
+ } else {
+ IPFERROR(140006);
+ }
+ KFREE(old);
+ } else {
+ frentry_4_1_0_t *old;
+
+ KMALLOC(old, frentry_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140007);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ if (old->fr_type != FR_T_NONE &&
+ old->fr_type != FR_T_IPF) {
+ IPFERROR(140008);
+ error = EINVAL;
+ KFREE(old);
+ break;
+ }
+ frentry_4_1_0_to_current(softc, old, ptr, size);
+ } else {
+ IPFERROR(140009);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_IPFSTAT :
+ if (obj->ipfo_rev >= 4013300) {
+ friostat_4_1_33_t *old;
+
+ KMALLOC(old, friostat_4_1_33_t *);
+ if (old == NULL) {
+ IPFERROR(140010);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ friostat_4_1_33_to_current(old, ptr);
+ } else {
+ IPFERROR(140011);
+ }
+ } else {
+ friostat_4_1_0_t *old;
+
+ KMALLOC(old, friostat_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140012);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ friostat_4_1_0_to_current(old, ptr);
+ } else {
+ IPFERROR(140013);
+ }
+ }
+ break;
+
+ case IPFOBJ_IPFINFO : /* unused */
+ break;
+
+ case IPFOBJ_IPNAT :
+ if (obj->ipfo_rev >= 4011400) {
+ ipnat_4_1_14_t *old;
+
+ KMALLOC(old, ipnat_4_1_14_t *);
+ if (old == NULL) {
+ IPFERROR(140014);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ ipnat_4_1_14_to_current(old, ptr, size);
+ } else {
+ IPFERROR(140015);
+ }
+ KFREE(old);
+ } else {
+ ipnat_4_1_0_t *old;
+
+ KMALLOC(old, ipnat_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140016);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ ipnat_4_1_0_to_current(old, ptr, size);
+ } else {
+ IPFERROR(140017);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_NATSTAT :
+ /*
+ * Statistics are not copied in.
+ */
+ break;
+
+ case IPFOBJ_NATSAVE :
+ if (obj->ipfo_rev >= 4011600) {
+ nat_save_4_1_16_t *old16;
+
+ KMALLOC(old16, nat_save_4_1_16_t *);
+ if (old16 == NULL) {
+ IPFERROR(140018);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old16, sizeof(*old16));
+ if (error == 0) {
+ nat_save_4_1_16_to_current(softc, old16, ptr);
+ } else {
+ IPFERROR(140019);
+ }
+ KFREE(old16);
+ } else if (obj->ipfo_rev >= 4011400) {
+ nat_save_4_1_14_t *old14;
+
+ KMALLOC(old14, nat_save_4_1_14_t *);
+ if (old14 == NULL) {
+ IPFERROR(140020);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old14, sizeof(*old14));
+ if (error == 0) {
+ nat_save_4_1_14_to_current(softc, old14, ptr);
+ } else {
+ IPFERROR(140021);
+ }
+ KFREE(old14);
+ } else if (obj->ipfo_rev >= 4010300) {
+ nat_save_4_1_3_t *old3;
+
+ KMALLOC(old3, nat_save_4_1_3_t *);
+ if (old3 == NULL) {
+ IPFERROR(140022);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old3, sizeof(*old3));
+ if (error == 0) {
+ nat_save_4_1_3_to_current(softc, old3, ptr);
+ } else {
+ IPFERROR(140023);
+ }
+ KFREE(old3);
+ }
+ break;
+
+ case IPFOBJ_STATESAVE :
+ if (obj->ipfo_rev >= 4013400) {
+ ipstate_save_4_1_34_t *old;
+
+ KMALLOC(old, ipstate_save_4_1_34_t *);
+ if (old == NULL) {
+ IPFERROR(140024);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140025);
+ }
+ KFREE(old);
+ } else if (obj->ipfo_rev >= 4011600) {
+ ipstate_save_4_1_16_t *old;
+
+ KMALLOC(old, ipstate_save_4_1_16_t *);
+ if (old == NULL) {
+ IPFERROR(140026);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140027);
+ }
+ KFREE(old);
+ } else {
+ ipstate_save_4_1_0_t *old;
+
+ KMALLOC(old, ipstate_save_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140028);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140029);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_IPSTATE :
+ /*
+ * This structure is not copied in by itself.
+ */
+ break;
+
+ case IPFOBJ_STATESTAT :
+ /*
+ * Statistics are not copied in.
+ */
+ break;
+
+ case IPFOBJ_FRAUTH :
+ if (obj->ipfo_rev >= 4013200) {
+ frauth_4_1_32_t *old32;
+
+ KMALLOC(old32, frauth_4_1_32_t *);
+ if (old32 == NULL) {
+ IPFERROR(140030);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old32, sizeof(*old32));
+ if (error == 0) {
+ frauth_4_1_32_to_current(old32, ptr);
+ } else {
+ IPFERROR(140031);
+ }
+ KFREE(old32);
+ } else if (obj->ipfo_rev >= 4012900) {
+ frauth_4_1_29_t *old29;
+
+ KMALLOC(old29, frauth_4_1_29_t *);
+ if (old29 == NULL) {
+ IPFERROR(140032);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old29, sizeof(*old29));
+ if (error == 0) {
+ frauth_4_1_29_to_current(old29, ptr);
+ } else {
+ IPFERROR(140033);
+ }
+ KFREE(old29);
+ } else if (obj->ipfo_rev >= 4012400) {
+ frauth_4_1_24_t *old24;
+
+ KMALLOC(old24, frauth_4_1_24_t *);
+ if (old24 == NULL) {
+ IPFERROR(140034);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old24, sizeof(*old24));
+ if (error == 0) {
+ frauth_4_1_24_to_current(old24, ptr);
+ } else {
+ IPFERROR(140035);
+ }
+ KFREE(old24);
+ } else if (obj->ipfo_rev >= 4012300) {
+ frauth_4_1_23_t *old23;
+
+ KMALLOC(old23, frauth_4_1_23_t *);
+ if (old23 == NULL) {
+ IPFERROR(140036);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old23, sizeof(*old23));
+ if (error == 0)
+ frauth_4_1_23_to_current(old23, ptr);
+ KFREE(old23);
+ } else if (obj->ipfo_rev >= 4011100) {
+ frauth_4_1_11_t *old11;
+
+ KMALLOC(old11, frauth_4_1_11_t *);
+ if (old11 == NULL) {
+ IPFERROR(140037);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old11, sizeof(*old11));
+ if (error == 0) {
+ frauth_4_1_11_to_current(old11, ptr);
+ } else {
+ IPFERROR(140038);
+ }
+ KFREE(old11);
+ }
+ break;
+
+ case IPFOBJ_NAT :
+ if (obj->ipfo_rev >= 4011400) {
+ sz = sizeof(nat_4_1_14_t);
+ } else if (obj->ipfo_rev >= 4010300) {
+ sz = sizeof(nat_4_1_3_t);
+ } else {
+ break;
+ }
+ bzero(ptr, sizeof(nat_t));
+ error = COPYIN(obj->ipfo_ptr, ptr, sz);
+ if (error != 0) {
+ IPFERROR(140039);
+ }
+ break;
+
+ case IPFOBJ_FRIPF :
+ if (obj->ipfo_rev < 5000000) {
+ fripf4_t *old;
+
+ KMALLOC(old, fripf4_t *);
+ if (old == NULL) {
+ IPFERROR(140040);
+ error = ENOMEM;
+ break;
+ }
+ error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
+ if (error == 0) {
+ ipf_v4fripftov5(old, ptr);
+ } else {
+ IPFERROR(140041);
+ }
+ KFREE(old);
+ }
+ break;
+ }
+
+ return error;
+}
+/* ------------------------------------------------------------------------ */
+
+
+/*
+ * flags is v4 flags, returns v5 flags.
+ */
+static int
+fr_frflags4to5(flags)
+ u_32_t flags;
+{
+ u_32_t nflags = 0;
+
+ switch (flags & 0xf) {
+ case 0x0 :
+ nflags |= FR_CALL;
+ break;
+ case 0x1 :
+ nflags |= FR_BLOCK;
+ break;
+ case 0x2 :
+ nflags |= FR_PASS;
+ break;
+ case 0x3 :
+ nflags |= FR_AUTH;
+ break;
+ case 0x4 :
+ nflags |= FR_PREAUTH;
+ break;
+ case 0x5 :
+ nflags |= FR_ACCOUNT;
+ break;
+ case 0x6 :
+ nflags |= FR_SKIP;
+ break;
+ default :
+ break;
+ }
+
+ if (flags & 0x00010)
+ nflags |= FR_LOG;
+ if (flags & 0x00020)
+ nflags |= FR_CALLNOW;
+ if (flags & 0x00080)
+ nflags |= FR_NOTSRCIP;
+ if (flags & 0x00040)
+ nflags |= FR_NOTDSTIP;
+ if (flags & 0x00100)
+ nflags |= FR_QUICK;
+ if (flags & 0x00200)
+ nflags |= FR_KEEPFRAG;
+ if (flags & 0x00400)
+ nflags |= FR_KEEPSTATE;
+ if (flags & 0x00800)
+ nflags |= FR_FASTROUTE;
+ if (flags & 0x01000)
+ nflags |= FR_RETRST;
+ if (flags & 0x02000)
+ nflags |= FR_RETICMP;
+ if (flags & 0x03000)
+ nflags |= FR_FAKEICMP;
+ if (flags & 0x04000)
+ nflags |= FR_OUTQUE;
+ if (flags & 0x08000)
+ nflags |= FR_INQUE;
+ if (flags & 0x10000)
+ nflags |= FR_LOGBODY;
+ if (flags & 0x20000)
+ nflags |= FR_LOGFIRST;
+ if (flags & 0x40000)
+ nflags |= FR_LOGORBLOCK;
+ if (flags & 0x100000)
+ nflags |= FR_FRSTRICT;
+ if (flags & 0x200000)
+ nflags |= FR_STSTRICT;
+ if (flags & 0x400000)
+ nflags |= FR_NEWISN;
+ if (flags & 0x800000)
+ nflags |= FR_NOICMPERR;
+ if (flags & 0x1000000)
+ nflags |= FR_STATESYNC;
+ if (flags & 0x8000000)
+ nflags |= FR_NOMATCH;
+ if (flags & 0x40000000)
+ nflags |= FR_COPIED;
+ if (flags & 0x80000000)
+ nflags |= FR_INACTIVE;
+
+ return nflags;
+}
+
+static void
+frentry_4_1_34_to_current(softc, old, current, size)
+ ipf_main_softc_t *softc;
+ frentry_4_1_34_t *old;
+ void *current;
+ int size;
+{
+ frentry_t *fr = (frentry_t *)current;
+
+ fr->fr_comment = -1;
+ fr->fr_ref = old->fr_ref;
+ fr->fr_statecnt = old->fr_statecnt;
+ fr->fr_hits = old->fr_hits;
+ fr->fr_bytes = old->fr_bytes;
+ fr->fr_lastpkt.tv_sec = old->fr_lastpkt.tv_sec;
+ fr->fr_lastpkt.tv_usec = old->fr_lastpkt.tv_usec;
+ bcopy(&old->fr_dun, &fr->fr_dun, sizeof(old->fr_dun));
+ fr->fr_func = old->fr_func;
+ fr->fr_dsize = old->fr_dsize;
+ fr->fr_pps = old->fr_pps;
+ fr->fr_statemax = old->fr_statemax;
+ fr->fr_flineno = old->fr_flineno;
+ fr->fr_type = old->fr_type;
+ fr->fr_flags = fr_frflags4to5(old->fr_flags);
+ fr->fr_logtag = old->fr_logtag;
+ fr->fr_collect = old->fr_collect;
+ fr->fr_arg = old->fr_arg;
+ fr->fr_loglevel = old->fr_loglevel;
+ fr->fr_age[0] = old->fr_age[0];
+ fr->fr_age[1] = old->fr_age[1];
+ fr->fr_tifs[0].fd_ip6 = old->fr_tifs[0].ofd_ip6;
+ fr->fr_tifs[0].fd_type = FRD_NORMAL;
+ fr->fr_tifs[1].fd_ip6 = old->fr_tifs[1].ofd_ip6;
+ fr->fr_tifs[1].fd_type = FRD_NORMAL;
+ fr->fr_dif.fd_ip6 = old->fr_dif.ofd_ip6;
+ fr->fr_dif.fd_type = FRD_NORMAL;
+ if (old->fr_v == 4)
+ fr->fr_family = AF_INET;
+ if (old->fr_v == 6)
+ fr->fr_family = AF_INET6;
+ fr->fr_icode = old->fr_icode;
+ fr->fr_cksum = old->fr_cksum;
+ fr->fr_namelen = 0;
+ fr->fr_ifnames[0] = -1;
+ fr->fr_ifnames[1] = -1;
+ fr->fr_ifnames[2] = -1;
+ fr->fr_ifnames[3] = -1;
+ fr->fr_dif.fd_name = -1;
+ fr->fr_tifs[0].fd_name = -1;
+ fr->fr_tifs[1].fd_name = -1;
+ fr->fr_group = -1;
+ fr->fr_grhead = -1;
+ fr->fr_icmphead = -1;
+ if (size == 0) {
+ fr->fr_size = sizeof(*fr) + LIFNAMSIZ * 7 + FR_GROUPLEN * 2;
+ fr->fr_size += sizeof(fripf_t) + 16;
+ fr->fr_size += 9; /* room for \0's */
+ } else {
+ char *names = fr->fr_names;
+ int nlen = fr->fr_namelen;
+
+ fr->fr_size = size;
+ if (old->fr_ifnames[0][0] != '\0') {
+ fr->fr_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[0],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[1][0] != '\0') {
+ fr->fr_ifnames[1] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[1],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[2][0] != '\0') {
+ fr->fr_ifnames[2] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[2],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[3][0] != '\0') {
+ fr->fr_ifnames[3] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[3],
+ LIFNAMSIZ);
+ }
+ if (old->fr_tifs[0].fd_ifname[0] != '\0') {
+ fr->fr_tifs[0].fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_tifs[0].fd_ifname,
+ LIFNAMSIZ);
+ }
+ if (old->fr_tifs[1].fd_ifname[0] != '\0') {
+ fr->fr_tifs[1].fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_tifs[1].fd_ifname,
+ LIFNAMSIZ);
+ }
+ if (old->fr_dif.fd_ifname[0] != '\0') {
+ fr->fr_dif.fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_dif.fd_ifname, LIFNAMSIZ);
+ }
+ if (old->fr_group[0] != '\0') {
+ fr->fr_group = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_group, LIFNAMSIZ);
+ }
+ if (old->fr_grhead[0] != '\0') {
+ fr->fr_grhead = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_grhead, LIFNAMSIZ);
+ }
+ fr->fr_namelen = nlen;
+
+ if (old->fr_type == FR_T_IPF) {
+ int offset = fr->fr_namelen;
+ ipfobj_t obj;
+ int error;
+
+ obj.ipfo_type = IPFOBJ_FRIPF;
+ obj.ipfo_rev = 4010100;
+ obj.ipfo_ptr = old->fr_data;
+
+ if ((offset & 7) != 0)
+ offset += 8 - (offset & 7);
+ error = ipf_in_compat(softc, &obj,
+ fr->fr_names + offset, 0);
+ if (error == 0) {
+ fr->fr_data = fr->fr_names + offset;
+ fr->fr_dsize = sizeof(fripf_t);
+ }
+ }
+ }
+}
+
+static void
+frentry_4_1_16_to_current(softc, old, current, size)
+ ipf_main_softc_t *softc;
+ frentry_4_1_16_t *old;
+ void *current;
+ int size;
+{
+ frentry_t *fr = (frentry_t *)current;
+
+ fr->fr_comment = -1;
+ fr->fr_ref = old->fr_ref;
+ fr->fr_statecnt = old->fr_statecnt;
+ fr->fr_hits = old->fr_hits;
+ fr->fr_bytes = old->fr_bytes;
+ fr->fr_lastpkt.tv_sec = old->fr_lastpkt.tv_sec;
+ fr->fr_lastpkt.tv_usec = old->fr_lastpkt.tv_usec;
+ bcopy(&old->fr_dun, &fr->fr_dun, sizeof(old->fr_dun));
+ fr->fr_func = old->fr_func;
+ fr->fr_dsize = old->fr_dsize;
+ fr->fr_pps = old->fr_pps;
+ fr->fr_statemax = old->fr_statemax;
+ fr->fr_flineno = old->fr_flineno;
+ fr->fr_type = old->fr_type;
+ fr->fr_flags = fr_frflags4to5(old->fr_flags);
+ fr->fr_logtag = old->fr_logtag;
+ fr->fr_collect = old->fr_collect;
+ fr->fr_arg = old->fr_arg;
+ fr->fr_loglevel = old->fr_loglevel;
+ fr->fr_age[0] = old->fr_age[0];
+ fr->fr_age[1] = old->fr_age[1];
+ fr->fr_tifs[0].fd_ip6 = old->fr_tifs[0].ofd_ip6;
+ fr->fr_tifs[0].fd_type = FRD_NORMAL;
+ fr->fr_tifs[1].fd_ip6 = old->fr_tifs[1].ofd_ip6;
+ fr->fr_tifs[1].fd_type = FRD_NORMAL;
+ fr->fr_dif.fd_ip6 = old->fr_dif.ofd_ip6;
+ fr->fr_dif.fd_type = FRD_NORMAL;
+ if (old->fr_v == 4)
+ fr->fr_family = AF_INET;
+ if (old->fr_v == 6)
+ fr->fr_family = AF_INET6;
+ fr->fr_icode = old->fr_icode;
+ fr->fr_cksum = old->fr_cksum;
+ fr->fr_namelen = 0;
+ fr->fr_ifnames[0] = -1;
+ fr->fr_ifnames[1] = -1;
+ fr->fr_ifnames[2] = -1;
+ fr->fr_ifnames[3] = -1;
+ fr->fr_dif.fd_name = -1;
+ fr->fr_tifs[0].fd_name = -1;
+ fr->fr_tifs[1].fd_name = -1;
+ fr->fr_group = -1;
+ fr->fr_grhead = -1;
+ fr->fr_icmphead = -1;
+ if (size == 0) {
+ fr->fr_size = sizeof(*fr) + LIFNAMSIZ * 7 + FR_GROUPLEN * 2;
+ fr->fr_size += 9; /* room for \0's */
+ } else {
+ char *names = fr->fr_names;
+ int nlen = fr->fr_namelen;
+
+ fr->fr_size = size;
+ if (old->fr_ifnames[0][0] != '\0') {
+ fr->fr_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[0],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[1][0] != '\0') {
+ fr->fr_ifnames[1] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[1],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[2][0] != '\0') {
+ fr->fr_ifnames[2] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[2],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[3][0] != '\0') {
+ fr->fr_ifnames[3] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[3],
+ LIFNAMSIZ);
+ }
+ if (old->fr_tifs[0].fd_ifname[0] != '\0') {
+ fr->fr_tifs[0].fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_tifs[0].fd_ifname,
+ LIFNAMSIZ);
+ }
+ if (old->fr_tifs[1].fd_ifname[0] != '\0') {
+ fr->fr_tifs[1].fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_tifs[1].fd_ifname,
+ LIFNAMSIZ);
+ }
+ if (old->fr_dif.fd_ifname[0] != '\0') {
+ fr->fr_dif.fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_dif.fd_ifname, LIFNAMSIZ);
+ }
+ if (old->fr_group[0] != '\0') {
+ fr->fr_group = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_group, LIFNAMSIZ);
+ }
+ if (old->fr_grhead[0] != '\0') {
+ fr->fr_grhead = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_grhead, LIFNAMSIZ);
+ }
+ fr->fr_namelen = nlen;
+
+ if (old->fr_type == FR_T_IPF) {
+ int offset = fr->fr_namelen;
+ ipfobj_t obj;
+ int error;
+
+ obj.ipfo_type = IPFOBJ_FRIPF;
+ obj.ipfo_rev = 4010100;
+ obj.ipfo_ptr = old->fr_data;
+
+ if ((offset & 7) != 0)
+ offset += 8 - (offset & 7);
+ error = ipf_in_compat(softc, &obj,
+ fr->fr_names + offset, 0);
+ if (error == 0) {
+ fr->fr_data = fr->fr_names + offset;
+ fr->fr_dsize = sizeof(fripf_t);
+ }
+ }
+ }
+}
+
+
+static void
+frentry_4_1_0_to_current(softc, old, current, size)
+ ipf_main_softc_t *softc;
+ frentry_4_1_0_t *old;
+ void *current;
+ int size;
+{
+ frentry_t *fr = (frentry_t *)current;
+
+ fr->fr_size = sizeof(*fr);
+ fr->fr_comment = -1;
+ fr->fr_ref = old->fr_ref;
+ fr->fr_statecnt = old->fr_statecnt;
+ fr->fr_hits = old->fr_hits;
+ fr->fr_bytes = old->fr_bytes;
+ fr->fr_lastpkt.tv_sec = old->fr_lastpkt.tv_sec;
+ fr->fr_lastpkt.tv_usec = old->fr_lastpkt.tv_usec;
+ bcopy(&old->fr_dun, &fr->fr_dun, sizeof(old->fr_dun));
+ fr->fr_func = old->fr_func;
+ fr->fr_dsize = old->fr_dsize;
+ fr->fr_pps = old->fr_pps;
+ fr->fr_statemax = old->fr_statemax;
+ fr->fr_flineno = old->fr_flineno;
+ fr->fr_type = old->fr_type;
+ fr->fr_flags = fr_frflags4to5(old->fr_flags);
+ fr->fr_logtag = old->fr_logtag;
+ fr->fr_collect = old->fr_collect;
+ fr->fr_arg = old->fr_arg;
+ fr->fr_loglevel = old->fr_loglevel;
+ fr->fr_age[0] = old->fr_age[0];
+ fr->fr_age[1] = old->fr_age[1];
+ fr->fr_tifs[0].fd_ip6 = old->fr_tifs[0].ofd_ip6;
+ fr->fr_tifs[0].fd_type = FRD_NORMAL;
+ fr->fr_tifs[1].fd_ip6 = old->fr_tifs[1].ofd_ip6;
+ fr->fr_tifs[1].fd_type = FRD_NORMAL;
+ fr->fr_dif.fd_ip6 = old->fr_dif.ofd_ip6;
+ fr->fr_dif.fd_type = FRD_NORMAL;
+ if (old->fr_v == 4)
+ fr->fr_family = AF_INET;
+ if (old->fr_v == 6)
+ fr->fr_family = AF_INET6;
+ fr->fr_icode = old->fr_icode;
+ fr->fr_cksum = old->fr_cksum;
+ fr->fr_namelen = 0;
+ fr->fr_ifnames[0] = -1;
+ fr->fr_ifnames[1] = -1;
+ fr->fr_ifnames[2] = -1;
+ fr->fr_ifnames[3] = -1;
+ fr->fr_dif.fd_name = -1;
+ fr->fr_tifs[0].fd_name = -1;
+ fr->fr_tifs[1].fd_name = -1;
+ fr->fr_group = -1;
+ fr->fr_grhead = -1;
+ fr->fr_icmphead = -1;
+ if (size == 0) {
+ fr->fr_size = sizeof(*fr) + LIFNAMSIZ * 7 + FR_GROUPLEN * 2;
+ fr->fr_size += 9; /* room for \0's */
+ } else {
+ char *names = fr->fr_names;
+ int nlen = fr->fr_namelen;
+
+ fr->fr_size = size;
+ if (old->fr_ifnames[0][0] != '\0') {
+ fr->fr_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[0],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[1][0] != '\0') {
+ fr->fr_ifnames[1] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[1],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[2][0] != '\0') {
+ fr->fr_ifnames[2] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[2],
+ LIFNAMSIZ);
+ }
+ if (old->fr_ifnames[3][0] != '\0') {
+ fr->fr_ifnames[3] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[3],
+ LIFNAMSIZ);
+ }
+ if (old->fr_tifs[0].fd_ifname[0] != '\0') {
+ fr->fr_tifs[0].fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_tifs[0].fd_ifname,
+ LIFNAMSIZ);
+ }
+ if (old->fr_tifs[1].fd_ifname[0] != '\0') {
+ fr->fr_tifs[1].fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_tifs[1].fd_ifname,
+ LIFNAMSIZ);
+ }
+ if (old->fr_dif.fd_ifname[0] != '\0') {
+ fr->fr_dif.fd_name = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_dif.fd_ifname, LIFNAMSIZ);
+ }
+ if (old->fr_group[0] != '\0') {
+ fr->fr_group = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_group, LIFNAMSIZ);
+ }
+ if (old->fr_grhead[0] != '\0') {
+ fr->fr_grhead = nlen;
+ nlen = ipf_addfrstr(names, nlen,
+ old->fr_grhead, LIFNAMSIZ);
+ }
+ fr->fr_namelen = nlen;
+
+ if (old->fr_type == FR_T_IPF) {
+ int offset = fr->fr_namelen;
+ ipfobj_t obj;
+ int error;
+
+ obj.ipfo_type = IPFOBJ_FRIPF;
+ obj.ipfo_rev = 4010100;
+ obj.ipfo_ptr = old->fr_data;
+
+ if ((offset & 7) != 0)
+ offset += 8 - (offset & 7);
+ offset += 8 - (offset & 7);
+ error = ipf_in_compat(softc, &obj,
+ fr->fr_names + offset, 0);
+ if (error == 0) {
+ fr->fr_data = fr->fr_names + offset;
+ fr->fr_dsize = sizeof(fripf_t);
+ }
+ }
+ }
+}
+
+
+static void
+friostat_4_1_33_to_current(old, current)
+ friostat_4_1_33_t *old;
+ void *current;
+{
+ friostat_t *fiop = (friostat_t *)current;
+
+ bcopy(&old->of_st[0], &fiop->f_st[0].fr_pass, sizeof(old->of_st[0]));
+ bcopy(&old->of_st[1], &fiop->f_st[1].fr_pass, sizeof(old->of_st[1]));
+
+ fiop->f_ipf[0][0] = old->f_ipf[0][0];
+ fiop->f_ipf[0][1] = old->f_ipf[0][1];
+ fiop->f_ipf[1][0] = old->f_ipf[1][0];
+ fiop->f_ipf[1][1] = old->f_ipf[1][1];
+ fiop->f_acct[0][0] = old->f_acct[0][0];
+ fiop->f_acct[0][1] = old->f_acct[0][1];
+ fiop->f_acct[1][0] = old->f_acct[1][0];
+ fiop->f_acct[1][1] = old->f_acct[1][1];
+ fiop->f_auth = fiop->f_auth;
+ bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
+ bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
+ fiop->f_ticks = old->f_ticks;
+ bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
+ fiop->f_defpass = old->f_defpass;
+ fiop->f_active = old->f_active;
+ fiop->f_running = old->f_running;
+ fiop->f_logging = old->f_logging;
+ fiop->f_features = old->f_features;
+ bcopy(old->f_version, fiop->f_version, sizeof(old->f_version));
+}
+
+
+static void
+friostat_4_1_0_to_current(old, current)
+ friostat_4_1_0_t *old;
+ void *current;
+{
+ friostat_t *fiop = (friostat_t *)current;
+
+ bcopy(&old->of_st[0], &fiop->f_st[0].fr_pass, sizeof(old->of_st[0]));
+ bcopy(&old->of_st[1], &fiop->f_st[1].fr_pass, sizeof(old->of_st[1]));
+
+ fiop->f_ipf[0][0] = old->f_ipf[0][0];
+ fiop->f_ipf[0][1] = old->f_ipf[0][1];
+ fiop->f_ipf[1][0] = old->f_ipf[1][0];
+ fiop->f_ipf[1][1] = old->f_ipf[1][1];
+ fiop->f_acct[0][0] = old->f_acct[0][0];
+ fiop->f_acct[0][1] = old->f_acct[0][1];
+ fiop->f_acct[1][0] = old->f_acct[1][0];
+ fiop->f_acct[1][1] = old->f_acct[1][1];
+ fiop->f_auth = fiop->f_auth;
+ bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
+ bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
+ fiop->f_ticks = old->f_ticks;
+ bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
+ fiop->f_defpass = old->f_defpass;
+ fiop->f_active = old->f_active;
+ fiop->f_running = old->f_running;
+ fiop->f_logging = old->f_logging;
+ fiop->f_features = old->f_features;
+ bcopy(old->f_version, fiop->f_version, sizeof(old->f_version));
+}
+
+
+static void
+ipnat_4_1_14_to_current(old, current, size)
+ ipnat_4_1_14_t *old;
+ void *current;
+ int size;
+{
+ ipnat_t *np = (ipnat_t *)current;
+
+ np->in_space = old->in_space;
+ np->in_hv[0] = old->in_hv;
+ np->in_hv[1] = old->in_hv;
+ np->in_flineno = old->in_flineno;
+ if (old->in_redir == NAT_REDIRECT)
+ np->in_dpnext = old->in_pnext;
+ else
+ np->in_spnext = old->in_pnext;
+ np->in_v[0] = old->in_v;
+ np->in_v[1] = old->in_v;
+ np->in_flags = old->in_flags;
+ np->in_mssclamp = old->in_mssclamp;
+ np->in_age[0] = old->in_age[0];
+ np->in_age[1] = old->in_age[1];
+ np->in_redir = old->in_redir;
+ np->in_pr[0] = old->in_p;
+ np->in_pr[1] = old->in_p;
+ if (np->in_redir == NAT_REDIRECT) {
+ np->in_ndst.na_nextaddr = old->in_next6;
+ np->in_ndst.na_addr[0] = old->in_in[0];
+ np->in_ndst.na_addr[1] = old->in_in[1];
+ np->in_ndst.na_atype = FRI_NORMAL;
+ np->in_odst.na_addr[0] = old->in_out[0];
+ np->in_odst.na_addr[1] = old->in_out[1];
+ np->in_odst.na_atype = FRI_NORMAL;
+ np->in_osrc.na_addr[0] = old->in_src[0];
+ np->in_osrc.na_addr[1] = old->in_src[1];
+ np->in_osrc.na_atype = FRI_NORMAL;
+ } else {
+ np->in_nsrc.na_nextaddr = old->in_next6;
+ np->in_nsrc.na_addr[0] = old->in_out[0];
+ np->in_nsrc.na_addr[1] = old->in_out[1];
+ np->in_nsrc.na_atype = FRI_NORMAL;
+ np->in_osrc.na_addr[0] = old->in_in[0];
+ np->in_osrc.na_addr[1] = old->in_in[1];
+ np->in_osrc.na_atype = FRI_NORMAL;
+ np->in_odst.na_addr[0] = old->in_src[0];
+ np->in_odst.na_addr[1] = old->in_src[1];
+ np->in_odst.na_atype = FRI_NORMAL;
+ }
+ ipfv4tuctov5(&old->in_tuc, &np->in_tuc);
+ if (np->in_redir == NAT_REDIRECT) {
+ np->in_dpmin = old->in_port[0];
+ np->in_dpmax = old->in_port[1];
+ } else {
+ np->in_spmin = old->in_port[0];
+ np->in_spmax = old->in_port[1];
+ }
+ np->in_ppip = old->in_ppip;
+ np->in_ippip = old->in_ippip;
+ np->in_tag = old->in_tag;
+
+ np->in_namelen = 0;
+ np->in_plabel = -1;
+ np->in_ifnames[0] = -1;
+ np->in_ifnames[1] = -1;
+
+ if (size == 0) {
+ np->in_size = sizeof(*np);
+ np->in_size += LIFNAMSIZ * 2 + APR_LABELLEN;
+ np->in_size += 3;
+ } else {
+ int nlen = np->in_namelen;
+ char *names = np->in_names;
+
+ if (old->in_ifnames[0][0] != '\0') {
+ np->in_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->in_ifnames[0],
+ LIFNAMSIZ);
+ }
+ if (old->in_ifnames[1][0] != '\0') {
+ np->in_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->in_ifnames[1],
+ LIFNAMSIZ);
+ }
+ if (old->in_plabel[0] != '\0') {
+ np->in_plabel = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->in_plabel,
+ LIFNAMSIZ);
+ }
+ np->in_namelen = nlen;
+ np->in_size = size;
+ }
+}
+
+
+static void
+ipnat_4_1_0_to_current(old, current, size)
+ ipnat_4_1_0_t *old;
+ void *current;
+ int size;
+{
+ ipnat_t *np = (ipnat_t *)current;
+
+ np->in_space = old->in_space;
+ np->in_hv[0] = old->in_hv;
+ np->in_hv[1] = old->in_hv;
+ np->in_flineno = old->in_flineno;
+ if (old->in_redir == NAT_REDIRECT)
+ np->in_dpnext = old->in_pnext;
+ else
+ np->in_spnext = old->in_pnext;
+ np->in_v[0] = old->in_v;
+ np->in_v[1] = old->in_v;
+ np->in_flags = old->in_flags;
+ np->in_mssclamp = old->in_mssclamp;
+ np->in_age[0] = old->in_age[0];
+ np->in_age[1] = old->in_age[1];
+ np->in_redir = old->in_redir;
+ np->in_pr[0] = old->in_p;
+ np->in_pr[1] = old->in_p;
+ if (np->in_redir == NAT_REDIRECT) {
+ np->in_ndst.na_nextaddr = old->in_next6;
+ bcopy(&old->in_in, &np->in_ndst.na_addr, sizeof(old->in_in));
+ bcopy(&old->in_out, &np->in_odst.na_addr, sizeof(old->in_out));
+ bcopy(&old->in_src, &np->in_osrc.na_addr, sizeof(old->in_src));
+ } else {
+ np->in_nsrc.na_nextaddr = old->in_next6;
+ bcopy(&old->in_in, &np->in_osrc.na_addr, sizeof(old->in_in));
+ bcopy(&old->in_out, &np->in_nsrc.na_addr, sizeof(old->in_out));
+ bcopy(&old->in_src, &np->in_odst.na_addr, sizeof(old->in_src));
+ }
+ ipfv4tuctov5(&old->in_tuc, &np->in_tuc);
+ if (np->in_redir == NAT_REDIRECT) {
+ np->in_dpmin = old->in_port[0];
+ np->in_dpmax = old->in_port[1];
+ } else {
+ np->in_spmin = old->in_port[0];
+ np->in_spmax = old->in_port[1];
+ }
+ np->in_ppip = old->in_ppip;
+ np->in_ippip = old->in_ippip;
+ bcopy(&old->in_tag, &np->in_tag, sizeof(np->in_tag));
+
+ np->in_namelen = 0;
+ np->in_plabel = -1;
+ np->in_ifnames[0] = -1;
+ np->in_ifnames[1] = -1;
+
+ if (size == 0) {
+ np->in_size = sizeof(*np);
+ np->in_size += LIFNAMSIZ * 2 + APR_LABELLEN;
+ np->in_size += 3;
+ } else {
+ int nlen = np->in_namelen;
+ char *names = np->in_names;
+
+ if (old->in_ifnames[0][0] != '\0') {
+ np->in_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->in_ifnames[0],
+ LIFNAMSIZ);
+ }
+ if (old->in_ifnames[1][0] != '\0') {
+ np->in_ifnames[0] = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->in_ifnames[1],
+ LIFNAMSIZ);
+ }
+ if (old->in_plabel[0] != '\0') {
+ np->in_plabel = nlen;
+ nlen = ipf_addfrstr(names, nlen, old->in_plabel,
+ LIFNAMSIZ);
+ }
+ np->in_namelen = nlen;
+ np->in_size = size;
+ }
+}
+
+
+static void
+frauth_4_1_32_to_current(old, current)
+ frauth_4_1_32_t *old;
+ void *current;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ fra->fra_age = old->fra_age;
+ fra->fra_len = old->fra_len;
+ fra->fra_index = old->fra_index;
+ fra->fra_pass = old->fra_pass;
+ fr_info_4_1_32_to_current(&old->fra_info, &fra->fra_info);
+ fra->fra_buf = old->fra_buf;
+ fra->fra_flx = old->fra_flx;
+#ifdef MENTAT
+ fra->fra_q = old->fra_q;
+ fra->fra_m = old->fra_m;
+#endif
+}
+
+
+static void
+frauth_4_1_29_to_current(old, current)
+ frauth_4_1_29_t *old;
+ void *current;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ fra->fra_age = old->fra_age;
+ fra->fra_len = old->fra_len;
+ fra->fra_index = old->fra_index;
+ fra->fra_pass = old->fra_pass;
+ fr_info_4_1_24_to_current(&old->fra_info, &fra->fra_info);
+ fra->fra_buf = old->fra_buf;
+ fra->fra_flx = old->fra_flx;
+#ifdef MENTAT
+ fra->fra_q = old->fra_q;
+ fra->fra_m = old->fra_m;
+#endif
+}
+
+
+static void
+frauth_4_1_24_to_current(old, current)
+ frauth_4_1_24_t *old;
+ void *current;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ fra->fra_age = old->fra_age;
+ fra->fra_len = old->fra_len;
+ fra->fra_index = old->fra_index;
+ fra->fra_pass = old->fra_pass;
+ fr_info_4_1_24_to_current(&old->fra_info, &fra->fra_info);
+ fra->fra_buf = old->fra_buf;
+#ifdef MENTAT
+ fra->fra_q = old->fra_q;
+ fra->fra_m = old->fra_m;
+#endif
+}
+
+
+static void
+frauth_4_1_23_to_current(old, current)
+ frauth_4_1_23_t *old;
+ void *current;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ fra->fra_age = old->fra_age;
+ fra->fra_len = old->fra_len;
+ fra->fra_index = old->fra_index;
+ fra->fra_pass = old->fra_pass;
+ fr_info_4_1_23_to_current(&old->fra_info, &fra->fra_info);
+ fra->fra_buf = old->fra_buf;
+#ifdef MENTAT
+ fra->fra_q = old->fra_q;
+ fra->fra_m = old->fra_m;
+#endif
+}
+
+
+static void
+frauth_4_1_11_to_current(old, current)
+ frauth_4_1_11_t *old;
+ void *current;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ fra->fra_age = old->fra_age;
+ fra->fra_len = old->fra_len;
+ fra->fra_index = old->fra_index;
+ fra->fra_pass = old->fra_pass;
+ fr_info_4_1_11_to_current(&old->fra_info, &fra->fra_info);
+ fra->fra_buf = old->fra_buf;
+#ifdef MENTAT
+ fra->fra_q = old->fra_q;
+ fra->fra_m = old->fra_m;
+#endif
+}
+
+
+static void
+fr_info_4_1_32_to_current(old, current)
+ fr_info_4_1_32_t *old;
+ void *current;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ fin->fin_ifp = old->fin_ifp;
+ ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
+ bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
+ fin->fin_out = old->fin_out;
+ fin->fin_rev = old->fin_rev;
+ fin->fin_hlen = old->fin_hlen;
+ fin->fin_tcpf = old->ofin_tcpf;
+ fin->fin_icode = old->fin_icode;
+ fin->fin_rule = old->fin_rule;
+ bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
+ fin->fin_fr = old->fin_fr;
+ fin->fin_dp = old->fin_dp;
+ fin->fin_dlen = old->fin_dlen;
+ fin->fin_plen = old->fin_plen;
+ fin->fin_ipoff = old->fin_ipoff;
+ fin->fin_id = old->fin_id;
+ fin->fin_off = old->fin_off;
+ fin->fin_depth = old->fin_depth;
+ fin->fin_error = old->fin_error;
+ fin->fin_cksum = old->fin_cksum;
+ fin->fin_nattag = old->fin_nattag;
+ fin->fin_ip = old->ofin_ip;
+ fin->fin_mp = old->fin_mp;
+ fin->fin_m = old->fin_m;
+#ifdef MENTAT
+ fin->fin_qfm = old->fin_qfm;
+ fin->fin_qpi = old->fin_qpi;
+#endif
+#ifdef __sgi
+ fin->fin_hbuf = old->fin_hbuf;
+#endif
+}
+
+
+static void
+fr_info_4_1_24_to_current(old, current)
+ fr_info_4_1_24_t *old;
+ void *current;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ fin->fin_ifp = old->fin_ifp;
+ ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
+ bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
+ fin->fin_out = old->fin_out;
+ fin->fin_rev = old->fin_rev;
+ fin->fin_hlen = old->fin_hlen;
+ fin->fin_tcpf = old->ofin_tcpf;
+ fin->fin_icode = old->fin_icode;
+ fin->fin_rule = old->fin_rule;
+ bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
+ fin->fin_fr = old->fin_fr;
+ fin->fin_dp = old->fin_dp;
+ fin->fin_dlen = old->fin_dlen;
+ fin->fin_plen = old->fin_plen;
+ fin->fin_ipoff = old->fin_ipoff;
+ fin->fin_id = old->fin_id;
+ fin->fin_off = old->fin_off;
+ fin->fin_depth = old->fin_depth;
+ fin->fin_error = old->fin_error;
+ fin->fin_cksum = old->fin_cksum;
+ fin->fin_nattag = old->fin_nattag;
+ fin->fin_ip = old->ofin_ip;
+ fin->fin_mp = old->fin_mp;
+ fin->fin_m = old->fin_m;
+#ifdef MENTAT
+ fin->fin_qfm = old->fin_qfm;
+ fin->fin_qpi = old->fin_qpi;
+#endif
+#ifdef __sgi
+ fin->fin_hbuf = old->fin_hbuf;
+#endif
+}
+
+
+static void
+fr_info_4_1_23_to_current(old, current)
+ fr_info_4_1_23_t *old;
+ void *current;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ fin->fin_ifp = old->fin_ifp;
+ ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
+ bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
+ fin->fin_out = old->fin_out;
+ fin->fin_rev = old->fin_rev;
+ fin->fin_hlen = old->fin_hlen;
+ fin->fin_tcpf = old->ofin_tcpf;
+ fin->fin_icode = old->fin_icode;
+ fin->fin_rule = old->fin_rule;
+ bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
+ fin->fin_fr = old->fin_fr;
+ fin->fin_dp = old->fin_dp;
+ fin->fin_dlen = old->fin_dlen;
+ fin->fin_plen = old->fin_plen;
+ fin->fin_ipoff = old->fin_ipoff;
+ fin->fin_id = old->fin_id;
+ fin->fin_off = old->fin_off;
+ fin->fin_depth = old->fin_depth;
+ fin->fin_error = old->fin_error;
+ fin->fin_nattag = old->fin_nattag;
+ fin->fin_ip = old->ofin_ip;
+ fin->fin_mp = old->fin_mp;
+ fin->fin_m = old->fin_m;
+#ifdef MENTAT
+ fin->fin_qfm = old->fin_qfm;
+ fin->fin_qpi = old->fin_qpi;
+#endif
+#ifdef __sgi
+ fin->fin_hbuf = fin->fin_hbuf;
+#endif
+}
+
+
+static void
+fr_info_4_1_11_to_current(old, current)
+ fr_info_4_1_11_t *old;
+ void *current;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ fin->fin_ifp = old->fin_ifp;
+ ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
+ bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
+ fin->fin_out = old->fin_out;
+ fin->fin_rev = old->fin_rev;
+ fin->fin_hlen = old->fin_hlen;
+ fin->fin_tcpf = old->ofin_tcpf;
+ fin->fin_icode = old->fin_icode;
+ fin->fin_rule = old->fin_rule;
+ bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
+ fin->fin_fr = old->fin_fr;
+ fin->fin_dp = old->fin_dp;
+ fin->fin_dlen = old->fin_dlen;
+ fin->fin_plen = old->fin_plen;
+ fin->fin_ipoff = old->fin_ipoff;
+ fin->fin_id = old->fin_id;
+ fin->fin_off = old->fin_off;
+ fin->fin_depth = old->fin_depth;
+ fin->fin_error = old->fin_error;
+ fin->fin_nattag = old->fin_nattag;
+ fin->fin_ip = old->ofin_ip;
+ fin->fin_mp = old->fin_mp;
+ fin->fin_m = old->fin_m;
+#ifdef MENTAT
+ fin->fin_qfm = old->fin_qfm;
+ fin->fin_qpi = old->fin_qpi;
+#endif
+#ifdef __sgi
+ fin->fin_hbuf = fin->fin_hbuf;
+#endif
+}
+
+
+static void
+nat_4_1_3_to_current(nat_4_1_3_t *old, nat_t *current)
+{
+ bzero((void *)current, sizeof(*current));
+ bcopy((void *)old, (void *)current, sizeof(*old));
+}
+
+
+static void
+nat_4_1_14_to_current(nat_4_1_14_t *old, nat_t *current)
+{
+ bzero((void *)current, sizeof(*current));
+ bcopy((void *)old, (void *)current, sizeof(*old));
+}
+
+
+static void
+nat_save_4_1_16_to_current(softc, old, current)
+ ipf_main_softc_t *softc;
+ nat_save_4_1_16_t *old;
+ void *current;
+{
+ nat_save_t *nats = (nat_save_t *)current;
+
+ nats->ipn_next = old->ipn_next;
+ nat_4_1_14_to_current(&old->ipn_nat, &nats->ipn_nat);
+ bcopy(&old->ipn_ipnat, &nats->ipn_ipnat, sizeof(old->ipn_ipnat));
+ frentry_4_1_16_to_current(softc, &old->ipn_fr, &nats->ipn_fr, 0);
+ nats->ipn_dsize = old->ipn_dsize;
+ bcopy(old->ipn_data, nats->ipn_data, sizeof(nats->ipn_data));
+}
+
+
+static void
+nat_save_4_1_14_to_current(softc, old, current)
+ ipf_main_softc_t *softc;
+ nat_save_4_1_14_t *old;
+ void *current;
+{
+ nat_save_t *nats = (nat_save_t *)current;
+
+ nats->ipn_next = old->ipn_next;
+ nat_4_1_14_to_current(&old->ipn_nat, &nats->ipn_nat);
+ bcopy(&old->ipn_ipnat, &nats->ipn_ipnat, sizeof(old->ipn_ipnat));
+ frentry_4_1_0_to_current(softc, &old->ipn_fr, &nats->ipn_fr, 0);
+ nats->ipn_dsize = old->ipn_dsize;
+ bcopy(old->ipn_data, nats->ipn_data, sizeof(nats->ipn_data));
+}
+
+
+static void
+nat_save_4_1_3_to_current(softc, old, current)
+ ipf_main_softc_t *softc;
+ nat_save_4_1_3_t *old;
+ void *current;
+{
+ nat_save_t *nats = (nat_save_t *)current;
+
+ nats->ipn_next = old->ipn_next;
+ nat_4_1_3_to_current(&old->ipn_nat, &nats->ipn_nat);
+ ipnat_4_1_0_to_current(&old->ipn_ipnat, &nats->ipn_ipnat, 0);
+ frentry_4_1_0_to_current(softc, &old->ipn_fr, &nats->ipn_fr, 0);
+ nats->ipn_dsize = old->ipn_dsize;
+ bcopy(old->ipn_data, nats->ipn_data, sizeof(nats->ipn_data));
+}
+
+
+static void
+natstat_current_to_4_1_32(current, old)
+ void *current;
+ natstat_4_1_32_t *old;
+{
+ natstat_t *ns = (natstat_t *)current;
+
+ old->ns_mapped[0] = ns->ns_side[0].ns_translated;
+ old->ns_mapped[1] = ns->ns_side[1].ns_translated;
+ old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
+ old->ns_expire = ns->ns_expire;
+ old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_logged = ns->ns_log_ok;
+ old->ns_logfail = ns->ns_log_fail;
+ old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
+ old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
+ old->ns_addtrpnt = ns->ns_addtrpnt;
+ old->ns_table[0] = ns->ns_side[0].ns_table;
+ old->ns_table[1] = ns->ns_side[1].ns_table;
+ old->ns_maptable = NULL;
+ old->ns_list = ns->ns_list;
+ old->ns_apslist = NULL;
+ old->ns_wilds = ns->ns_wilds;
+ old->ns_nattab_sz = ns->ns_nattab_sz;
+ old->ns_nattab_max = ns->ns_nattab_max;
+ old->ns_rultab_sz = ns->ns_rultab_sz;
+ old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
+ old->ns_trpntab_sz = ns->ns_trpntab_sz;
+ old->ns_hostmap_sz = 0;
+ old->ns_instances = ns->ns_instances;
+ old->ns_maplist = ns->ns_maplist;
+ old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
+ old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
+ old->ns_ticks = ns->ns_ticks;
+ old->ns_orphans = ns->ns_orphans;
+ old->ns_uncreate[0][0] = ns->ns_side[0].ns_uncreate[0];
+ old->ns_uncreate[0][1] = ns->ns_side[0].ns_uncreate[1];
+ old->ns_uncreate[1][0] = ns->ns_side[1].ns_uncreate[0];
+ old->ns_uncreate[1][1] = ns->ns_side[1].ns_uncreate[1];
+}
+
+
+static void
+natstat_current_to_4_1_27(current, old)
+ void *current;
+ natstat_4_1_27_t *old;
+{
+ natstat_t *ns = (natstat_t *)current;
+
+ old->ns_mapped[0] = ns->ns_side[0].ns_translated;
+ old->ns_mapped[1] = ns->ns_side[1].ns_translated;
+ old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
+ old->ns_expire = ns->ns_expire;
+ old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_logged = ns->ns_log_ok;
+ old->ns_logfail = ns->ns_log_fail;
+ old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
+ old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
+ old->ns_addtrpnt = ns->ns_addtrpnt;
+ old->ns_table[0] = ns->ns_side[0].ns_table;
+ old->ns_table[1] = ns->ns_side[1].ns_table;
+ old->ns_maptable = NULL;
+ old->ns_list = ns->ns_list;
+ old->ns_apslist = NULL;
+ old->ns_wilds = ns->ns_wilds;
+ old->ns_nattab_sz = ns->ns_nattab_sz;
+ old->ns_nattab_max = ns->ns_nattab_max;
+ old->ns_rultab_sz = ns->ns_rultab_sz;
+ old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
+ old->ns_trpntab_sz = ns->ns_trpntab_sz;
+ old->ns_hostmap_sz = 0;
+ old->ns_instances = ns->ns_instances;
+ old->ns_maplist = ns->ns_maplist;
+ old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
+ old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
+ old->ns_ticks = ns->ns_ticks;
+ old->ns_orphans = ns->ns_orphans;
+}
+
+
+static void
+natstat_current_to_4_1_16(current, old)
+ void *current;
+ natstat_4_1_16_t *old;
+{
+ natstat_t *ns = (natstat_t *)current;
+
+ old->ns_mapped[0] = ns->ns_side[0].ns_translated;
+ old->ns_mapped[1] = ns->ns_side[1].ns_translated;
+ old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
+ old->ns_expire = ns->ns_expire;
+ old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_logged = ns->ns_log_ok;
+ old->ns_logfail = ns->ns_log_fail;
+ old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
+ old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
+ old->ns_addtrpnt = ns->ns_addtrpnt;
+ old->ns_table[0] = ns->ns_side[0].ns_table;
+ old->ns_table[1] = ns->ns_side[1].ns_table;
+ old->ns_maptable = NULL;
+ old->ns_list = ns->ns_list;
+ old->ns_apslist = NULL;
+ old->ns_wilds = ns->ns_wilds;
+ old->ns_nattab_sz = ns->ns_nattab_sz;
+ old->ns_nattab_max = ns->ns_nattab_max;
+ old->ns_rultab_sz = ns->ns_rultab_sz;
+ old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
+ old->ns_trpntab_sz = ns->ns_trpntab_sz;
+ old->ns_hostmap_sz = 0;
+ old->ns_instances = ns->ns_instances;
+ old->ns_maplist = ns->ns_maplist;
+ old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
+ old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
+ old->ns_ticks = ns->ns_ticks;
+}
+
+
+static void
+natstat_current_to_4_1_0(current, old)
+ void *current;
+ natstat_4_1_0_t *old;
+{
+ natstat_t *ns = (natstat_t *)current;
+
+ old->ns_mapped[0] = ns->ns_side[0].ns_translated;
+ old->ns_mapped[1] = ns->ns_side[1].ns_translated;
+ old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
+ old->ns_expire = ns->ns_expire;
+ old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
+ old->ns_logged = ns->ns_log_ok;
+ old->ns_logfail = ns->ns_log_fail;
+ old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
+ old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
+ old->ns_addtrpnt = ns->ns_addtrpnt;
+ old->ns_table[0] = ns->ns_side[0].ns_table;
+ old->ns_table[1] = ns->ns_side[1].ns_table;
+ old->ns_maptable = NULL;
+ old->ns_list = ns->ns_list;
+ old->ns_apslist = NULL;
+ old->ns_wilds = ns->ns_wilds;
+ old->ns_nattab_sz = ns->ns_nattab_sz;
+ old->ns_nattab_max = ns->ns_nattab_max;
+ old->ns_rultab_sz = ns->ns_rultab_sz;
+ old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
+ old->ns_trpntab_sz = ns->ns_trpntab_sz;
+ old->ns_hostmap_sz = 0;
+ old->ns_instances = ns->ns_instances;
+ old->ns_maplist = ns->ns_maplist;
+ old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
+ old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
+}
+
+
+static void
+ipstate_save_current_to_4_1_16(current, old)
+ void *current;
+ ipstate_save_4_1_16_t *old;
+{
+ ipstate_save_t *ips = (ipstate_save_t *)current;
+
+ old->ips_next = ips->ips_next;
+ ipstate_current_to_4_1_0(&ips->ips_is, &old->ips_is);
+ frentry_current_to_4_1_16(&ips->ips_fr, &old->ips_fr);
+}
+
+
+static void
+ipstate_save_current_to_4_1_0(current, old)
+ void *current;
+ ipstate_save_4_1_0_t *old;
+{
+ ipstate_save_t *ips = (ipstate_save_t *)current;
+
+ old->ips_next = ips->ips_next;
+ ipstate_current_to_4_1_0(&ips->ips_is, &old->ips_is);
+ frentry_current_to_4_1_0(&ips->ips_fr, &old->ips_fr);
+}
+
+
+int
+ipf_out_compat(softc, obj, ptr)
+ ipf_main_softc_t *softc;
+ ipfobj_t *obj;
+ void *ptr;
+{
+ frentry_t *fr;
+ int error;
+
+ IPFERROR(140042);
+ error = EINVAL;
+
+ switch (obj->ipfo_type)
+ {
+ default :
+ break;
+
+ case IPFOBJ_FRENTRY :
+ if (obj->ipfo_rev >= 4013400) {
+ frentry_4_1_34_t *old;
+
+ KMALLOC(old, frentry_4_1_34_t *);
+ if (old == NULL) {
+ IPFERROR(140043);
+ error = ENOMEM;
+ break;
+ }
+ frentry_current_to_4_1_34(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error == 0 && old->fr_dsize > 0) {
+ char *dst = obj->ipfo_ptr;
+
+ fr = ptr;
+ dst += sizeof(*old);
+ error = COPYOUT(fr->fr_data, dst,
+ old->fr_dsize);
+ if (error != 0) {
+ IPFERROR(140044);
+ }
+ }
+ KFREE(old);
+ obj->ipfo_size = sizeof(*old);
+ } else if (obj->ipfo_rev >= 4011600) {
+ frentry_4_1_16_t *old;
+
+ KMALLOC(old, frentry_4_1_16_t *);
+ if (old == NULL) {
+ IPFERROR(140045);
+ error = ENOMEM;
+ break;
+ }
+ frentry_current_to_4_1_16(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140046);
+ }
+ KFREE(old);
+ obj->ipfo_size = sizeof(*old);
+ } else {
+ frentry_4_1_0_t *old;
+
+ KMALLOC(old, frentry_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140047);
+ error = ENOMEM;
+ break;
+ }
+ frentry_current_to_4_1_0(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140048);
+ }
+ KFREE(old);
+ obj->ipfo_size = sizeof(*old);
+ }
+ break;
+
+ case IPFOBJ_IPFSTAT :
+ if (obj->ipfo_rev >= 4013300) {
+ friostat_4_1_33_t *old;
+
+ KMALLOC(old, friostat_4_1_33_t *);
+ if (old == NULL) {
+ IPFERROR(140049);
+ error = ENOMEM;
+ break;
+ }
+ friostat_current_to_4_1_33(ptr, old, obj->ipfo_rev);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140050);
+ }
+ KFREE(old);
+ } else {
+ friostat_4_1_0_t *old;
+
+ KMALLOC(old, friostat_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140051);
+ error = ENOMEM;
+ break;
+ }
+ friostat_current_to_4_1_0(ptr, old, obj->ipfo_rev);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140052);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_IPFINFO : /* unused */
+ break;
+
+ case IPFOBJ_IPNAT :
+ if (obj->ipfo_rev >= 4011400) {
+ ipnat_4_1_14_t *old;
+
+ KMALLOC(old, ipnat_4_1_14_t *);
+ if (old == NULL) {
+ IPFERROR(140053);
+ error = ENOMEM;
+ break;
+ }
+ ipnat_current_to_4_1_14(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140054);
+ }
+ KFREE(old);
+ } else {
+ ipnat_4_1_0_t *old;
+
+ KMALLOC(old, ipnat_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140055);
+ error = ENOMEM;
+ break;
+ }
+ ipnat_current_to_4_1_0(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140056);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_NATSTAT :
+ if (obj->ipfo_rev >= 4013200) {
+ natstat_4_1_32_t *old;
+
+ KMALLOC(old, natstat_4_1_32_t *);
+ if (old == NULL) {
+ IPFERROR(140057);
+ error = ENOMEM;
+ break;
+ }
+ natstat_current_to_4_1_32(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140058);
+ }
+ KFREE(old);
+ } else if (obj->ipfo_rev >= 4012700) {
+ natstat_4_1_27_t *old;
+
+ KMALLOC(old, natstat_4_1_27_t *);
+ if (old == NULL) {
+ IPFERROR(140059);
+ error = ENOMEM;
+ break;
+ }
+ natstat_current_to_4_1_27(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140060);
+ }
+ KFREE(old);
+ } else if (obj->ipfo_rev >= 4011600) {
+ natstat_4_1_16_t *old;
+
+ KMALLOC(old, natstat_4_1_16_t *);
+ if (old == NULL) {
+ IPFERROR(140061);
+ error = ENOMEM;
+ break;
+ }
+ natstat_current_to_4_1_16(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140062);
+ }
+ KFREE(old);
+ } else {
+ natstat_4_1_0_t *old;
+
+ KMALLOC(old, natstat_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140063);
+ error = ENOMEM;
+ break;
+ }
+ natstat_current_to_4_1_0(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140064);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_STATESAVE :
+ if (obj->ipfo_rev >= 4011600) {
+ ipstate_save_4_1_16_t *old;
+
+ KMALLOC(old, ipstate_save_4_1_16_t *);
+ if (old == NULL) {
+ IPFERROR(140065);
+ error = ENOMEM;
+ break;
+ }
+ ipstate_save_current_to_4_1_16(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140066);
+ }
+ KFREE(old);
+ } else {
+ ipstate_save_4_1_0_t *old;
+
+ KMALLOC(old, ipstate_save_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140067);
+ error = ENOMEM;
+ break;
+ }
+ ipstate_save_current_to_4_1_0(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140068);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_NATSAVE :
+ if (obj->ipfo_rev >= 4011600) {
+ nat_save_4_1_16_t *old16;
+
+ KMALLOC(old16, nat_save_4_1_16_t *);
+ if (old16 == NULL) {
+ IPFERROR(140069);
+ error = ENOMEM;
+ break;
+ }
+ nat_save_current_to_4_1_16(ptr, old16);
+ error = COPYOUT(&old16, obj->ipfo_ptr, sizeof(*old16));
+ if (error != 0) {
+ IPFERROR(140070);
+ }
+ KFREE(old16);
+ } else if (obj->ipfo_rev >= 4011400) {
+ nat_save_4_1_14_t *old14;
+
+ KMALLOC(old14, nat_save_4_1_14_t *);
+ if (old14 == NULL) {
+ IPFERROR(140071);
+ error = ENOMEM;
+ break;
+ }
+ nat_save_current_to_4_1_14(ptr, old14);
+ error = COPYOUT(&old14, obj->ipfo_ptr, sizeof(*old14));
+ if (error != 0) {
+ IPFERROR(140072);
+ }
+ KFREE(old14);
+ } else if (obj->ipfo_rev >= 4010300) {
+ nat_save_4_1_3_t *old3;
+
+ KMALLOC(old3, nat_save_4_1_3_t *);
+ if (old3 == NULL) {
+ IPFERROR(140073);
+ error = ENOMEM;
+ break;
+ }
+ nat_save_current_to_4_1_3(ptr, old3);
+ error = COPYOUT(&old3, obj->ipfo_ptr, sizeof(*old3));
+ if (error != 0) {
+ IPFERROR(140074);
+ }
+ KFREE(old3);
+ }
+ break;
+
+ case IPFOBJ_IPSTATE :
+ if (obj->ipfo_rev >= 4011600) {
+ ipstate_4_1_16_t *old;
+
+ KMALLOC(old, ipstate_4_1_16_t *);
+ if (old == NULL) {
+ IPFERROR(140075);
+ error = ENOMEM;
+ break;
+ }
+ ipstate_current_to_4_1_16(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140076);
+ }
+ KFREE(old);
+ } else {
+ ipstate_4_1_0_t *old;
+
+ KMALLOC(old, ipstate_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140077);
+ error = ENOMEM;
+ break;
+ }
+ ipstate_current_to_4_1_0(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140078);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_STATESTAT :
+ if (obj->ipfo_rev >= 4012100) {
+ ips_stat_4_1_21_t *old;
+
+ KMALLOC(old, ips_stat_4_1_21_t *);
+ if (old == NULL) {
+ IPFERROR(140079);
+ error = ENOMEM;
+ break;
+ }
+ ips_stat_current_to_4_1_21(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140080);
+ }
+ KFREE(old);
+ } else {
+ ips_stat_4_1_0_t *old;
+
+ KMALLOC(old, ips_stat_4_1_0_t *);
+ if (old == NULL) {
+ IPFERROR(140081);
+ error = ENOMEM;
+ break;
+ }
+ ips_stat_current_to_4_1_0(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140082);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_FRAUTH :
+ if (obj->ipfo_rev >= 4012900) {
+ frauth_4_1_29_t *old29;
+
+ KMALLOC(old29, frauth_4_1_29_t *);
+ if (old29 == NULL) {
+ IPFERROR(140083);
+ error = ENOMEM;
+ break;
+ }
+ frauth_current_to_4_1_29(ptr, old29);
+ error = COPYOUT(old29, obj->ipfo_ptr, sizeof(*old29));
+ if (error != 0) {
+ IPFERROR(140084);
+ }
+ KFREE(old29);
+ } else if (obj->ipfo_rev >= 4012400) {
+ frauth_4_1_24_t *old24;
+
+ KMALLOC(old24, frauth_4_1_24_t *);
+ if (old24 == NULL) {
+ IPFERROR(140085);
+ error = ENOMEM;
+ break;
+ }
+ frauth_current_to_4_1_24(ptr, old24);
+ error = COPYOUT(old24, obj->ipfo_ptr, sizeof(*old24));
+ if (error != 0) {
+ IPFERROR(140086);
+ }
+ KFREE(old24);
+ } else if (obj->ipfo_rev >= 4012300) {
+ frauth_4_1_23_t *old23;
+
+ KMALLOC(old23, frauth_4_1_23_t *);
+ if (old23 == NULL) {
+ IPFERROR(140087);
+ error = ENOMEM;
+ break;
+ }
+ frauth_current_to_4_1_23(ptr, old23);
+ error = COPYOUT(old23, obj->ipfo_ptr, sizeof(*old23));
+ if (error != 0) {
+ IPFERROR(140088);
+ }
+ KFREE(old23);
+ } else if (obj->ipfo_rev >= 4011100) {
+ frauth_4_1_11_t *old11;
+
+ KMALLOC(old11, frauth_4_1_11_t *);
+ if (old11 == NULL) {
+ IPFERROR(140089);
+ error = ENOMEM;
+ break;
+ }
+ frauth_current_to_4_1_11(ptr, old11);
+ error = COPYOUT(old11, obj->ipfo_ptr, sizeof(*old11));
+ if (error != 0) {
+ IPFERROR(140090);
+ }
+ KFREE(old11);
+ }
+ break;
+
+ case IPFOBJ_NAT :
+ if (obj->ipfo_rev >= 4012500) {
+ nat_4_1_25_t *old;
+
+ KMALLOC(old, nat_4_1_25_t *);
+ if (old == NULL) {
+ IPFERROR(140091);
+ error = ENOMEM;
+ break;
+ }
+ nat_current_to_4_1_25(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140092);
+ }
+ KFREE(old);
+ } else if (obj->ipfo_rev >= 4011400) {
+ nat_4_1_14_t *old;
+
+ KMALLOC(old, nat_4_1_14_t *);
+ if (old == NULL) {
+ IPFERROR(140093);
+ error = ENOMEM;
+ break;
+ }
+ nat_current_to_4_1_14(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140094);
+ }
+ KFREE(old);
+ } else if (obj->ipfo_rev >= 4010300) {
+ nat_4_1_3_t *old;
+
+ KMALLOC(old, nat_4_1_3_t *);
+ if (old == NULL) {
+ IPFERROR(140095);
+ error = ENOMEM;
+ break;
+ }
+ nat_current_to_4_1_3(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140096);
+ }
+ KFREE(old);
+ }
+ break;
+
+ case IPFOBJ_FRIPF :
+ if (obj->ipfo_rev < 5000000) {
+ fripf4_t *old;
+
+ KMALLOC(old, fripf4_t *);
+ if (old == NULL) {
+ IPFERROR(140097);
+ error = ENOMEM;
+ break;
+ }
+ ipf_v5fripftov4(ptr, old);
+ error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
+ if (error != 0) {
+ IPFERROR(140098);
+ }
+ KFREE(old);
+ }
+ break;
+ }
+ return error;
+}
+
+
+static void
+friostat_current_to_4_1_33(current, old, rev)
+ void *current;
+ friostat_4_1_33_t *old;
+ int rev;
+{
+ friostat_t *fiop = (friostat_t *)current;
+
+ bcopy(&fiop->f_st[0].fr_pass, &old->of_st[0], sizeof(old->of_st[0]));
+ bcopy(&fiop->f_st[1].fr_pass, &old->of_st[1], sizeof(old->of_st[1]));
+
+ old->f_ipf[0][0] = fiop->f_ipf[0][0];
+ old->f_ipf[0][1] = fiop->f_ipf[0][1];
+ old->f_ipf[1][0] = fiop->f_ipf[1][0];
+ old->f_ipf[1][1] = fiop->f_ipf[1][1];
+ old->f_acct[0][0] = fiop->f_acct[0][0];
+ old->f_acct[0][1] = fiop->f_acct[0][1];
+ old->f_acct[1][0] = fiop->f_acct[1][0];
+ old->f_acct[1][1] = fiop->f_acct[1][1];
+ old->f_ipf6[0][0] = NULL;
+ old->f_ipf6[0][1] = NULL;
+ old->f_ipf6[1][0] = NULL;
+ old->f_ipf6[1][1] = NULL;
+ old->f_acct6[0][0] = NULL;
+ old->f_acct6[0][1] = NULL;
+ old->f_acct6[1][0] = NULL;
+ old->f_acct6[1][1] = NULL;
+ old->f_auth = fiop->f_auth;
+ bcopy(&fiop->f_groups, &old->f_groups, sizeof(old->f_groups));
+ bcopy(&fiop->f_froute, &old->f_froute, sizeof(old->f_froute));
+ old->f_ticks = fiop->f_ticks;
+ bcopy(&fiop->f_locks, &old->f_locks, sizeof(old->f_locks));
+ old->f_kmutex_sz = 0;
+ old->f_krwlock_sz = 0;
+ old->f_defpass = fiop->f_defpass;
+ old->f_active = fiop->f_active;
+ old->f_running = fiop->f_running;
+ old->f_logging = fiop->f_logging;
+ old->f_features = fiop->f_features;
+ sprintf(old->f_version, "IP Filter: v%d.%d.%d",
+ (rev / 1000000) % 100,
+ (rev / 10000) % 100,
+ (rev / 100) % 100);
+}
+
+
+static void
+friostat_current_to_4_1_0(current, old, rev)
+ void *current;
+ friostat_4_1_0_t *old;
+ int rev;
+{
+ friostat_t *fiop = (friostat_t *)current;
+
+ bcopy(&fiop->f_st[0].fr_pass, &old->of_st[0], sizeof(old->of_st[0]));
+ bcopy(&fiop->f_st[1].fr_pass, &old->of_st[1], sizeof(old->of_st[1]));
+
+ old->f_ipf[0][0] = fiop->f_ipf[0][0];
+ old->f_ipf[0][1] = fiop->f_ipf[0][1];
+ old->f_ipf[1][0] = fiop->f_ipf[1][0];
+ old->f_ipf[1][1] = fiop->f_ipf[1][1];
+ old->f_acct[0][0] = fiop->f_acct[0][0];
+ old->f_acct[0][1] = fiop->f_acct[0][1];
+ old->f_acct[1][0] = fiop->f_acct[1][0];
+ old->f_acct[1][1] = fiop->f_acct[1][1];
+ old->f_ipf6[0][0] = NULL;
+ old->f_ipf6[0][1] = NULL;
+ old->f_ipf6[1][0] = NULL;
+ old->f_ipf6[1][1] = NULL;
+ old->f_acct6[0][0] = NULL;
+ old->f_acct6[0][1] = NULL;
+ old->f_acct6[1][0] = NULL;
+ old->f_acct6[1][1] = NULL;
+ old->f_auth = fiop->f_auth;
+ bcopy(&fiop->f_groups, &old->f_groups, sizeof(old->f_groups));
+ bcopy(&fiop->f_froute, &old->f_froute, sizeof(old->f_froute));
+ old->f_ticks = fiop->f_ticks;
+ old->f_ipf[0][0] = fiop->f_ipf[0][0];
+ old->f_ipf[0][1] = fiop->f_ipf[0][1];
+ old->f_ipf[1][0] = fiop->f_ipf[1][0];
+ old->f_ipf[1][1] = fiop->f_ipf[1][1];
+ old->f_acct[0][0] = fiop->f_acct[0][0];
+ old->f_acct[0][1] = fiop->f_acct[0][1];
+ old->f_acct[1][0] = fiop->f_acct[1][0];
+ old->f_acct[1][1] = fiop->f_acct[1][1];
+ old->f_ipf6[0][0] = NULL;
+ old->f_ipf6[0][1] = NULL;
+ old->f_ipf6[1][0] = NULL;
+ old->f_ipf6[1][1] = NULL;
+ old->f_acct6[0][0] = NULL;
+ old->f_acct6[0][1] = NULL;
+ old->f_acct6[1][0] = NULL;
+ old->f_acct6[1][1] = NULL;
+ old->f_auth = fiop->f_auth;
+ bcopy(&fiop->f_groups, &old->f_groups, sizeof(old->f_groups));
+ bcopy(&fiop->f_froute, &old->f_froute, sizeof(old->f_froute));
+ old->f_ticks = fiop->f_ticks;
+ bcopy(&fiop->f_locks, &old->f_locks, sizeof(old->f_locks));
+ old->f_kmutex_sz = 0;
+ old->f_krwlock_sz = 0;
+ old->f_defpass = fiop->f_defpass;
+ old->f_active = fiop->f_active;
+ old->f_running = fiop->f_running;
+ old->f_logging = fiop->f_logging;
+ old->f_features = fiop->f_features;
+ sprintf(old->f_version, "IP Filter: v%d.%d.%d",
+ (rev / 1000000) % 100,
+ (rev / 10000) % 100,
+ (rev / 100) % 100);
+}
+
+
+/*
+ * nflags is v5 flags, returns v4 flags.
+ */
+static int
+fr_frflags5to4(nflags)
+ u_32_t nflags;
+{
+ u_32_t oflags = 0;
+
+ switch (nflags & FR_CMDMASK) {
+ case FR_CALL :
+ oflags = 0x0;
+ break;
+ case FR_BLOCK :
+ oflags = 0x1;
+ break;
+ case FR_PASS :
+ oflags = 0x2;
+ break;
+ case FR_AUTH :
+ oflags = 0x3;
+ break;
+ case FR_PREAUTH :
+ oflags = 0x4;
+ break;
+ case FR_ACCOUNT :
+ oflags = 0x5;
+ break;
+ case FR_SKIP :
+ oflags = 0x6;
+ break;
+ default :
+ break;
+ }
+
+ if (nflags & FR_LOG)
+ oflags |= 0x00010;
+ if (nflags & FR_CALLNOW)
+ oflags |= 0x00020;
+ if (nflags & FR_NOTSRCIP)
+ oflags |= 0x00080;
+ if (nflags & FR_NOTDSTIP)
+ oflags |= 0x00040;
+ if (nflags & FR_QUICK)
+ oflags |= 0x00100;
+ if (nflags & FR_KEEPFRAG)
+ oflags |= 0x00200;
+ if (nflags & FR_KEEPSTATE)
+ oflags |= 0x00400;
+ if (nflags & FR_FASTROUTE)
+ oflags |= 0x00800;
+ if (nflags & FR_RETRST)
+ oflags |= 0x01000;
+ if (nflags & FR_RETICMP)
+ oflags |= 0x02000;
+ if (nflags & FR_FAKEICMP)
+ oflags |= 0x03000;
+ if (nflags & FR_OUTQUE)
+ oflags |= 0x04000;
+ if (nflags & FR_INQUE)
+ oflags |= 0x08000;
+ if (nflags & FR_LOGBODY)
+ oflags |= 0x10000;
+ if (nflags & FR_LOGFIRST)
+ oflags |= 0x20000;
+ if (nflags & FR_LOGORBLOCK)
+ oflags |= 0x40000;
+ if (nflags & FR_FRSTRICT)
+ oflags |= 0x100000;
+ if (nflags & FR_STSTRICT)
+ oflags |= 0x200000;
+ if (nflags & FR_NEWISN)
+ oflags |= 0x400000;
+ if (nflags & FR_NOICMPERR)
+ oflags |= 0x800000;
+ if (nflags & FR_STATESYNC)
+ oflags |= 0x1000000;
+ if (nflags & FR_NOMATCH)
+ oflags |= 0x8000000;
+ if (nflags & FR_COPIED)
+ oflags |= 0x40000000;
+ if (nflags & FR_INACTIVE)
+ oflags |= 0x80000000;
+
+ return oflags;
+}
+
+
+static void
+frentry_current_to_4_1_34(current, old)
+ void *current;
+ frentry_4_1_34_t *old;
+{
+ frentry_t *fr = (frentry_t *)current;
+
+ old->fr_lock = fr->fr_lock;
+ old->fr_next = fr->fr_next;
+ old->fr_grp = (void *)fr->fr_grp;
+ old->fr_isc = fr->fr_isc;
+ old->fr_ifas[0] = fr->fr_ifas[0];
+ old->fr_ifas[1] = fr->fr_ifas[1];
+ old->fr_ifas[2] = fr->fr_ifas[2];
+ old->fr_ifas[3] = fr->fr_ifas[3];
+ old->fr_ptr = fr->fr_ptr;
+ old->fr_comment = NULL;
+ old->fr_ref = fr->fr_ref;
+ old->fr_statecnt = fr->fr_statecnt;
+ old->fr_hits = fr->fr_hits;
+ old->fr_bytes = fr->fr_bytes;
+ old->fr_lastpkt.tv_sec = fr->fr_lastpkt.tv_sec;
+ old->fr_lastpkt.tv_usec = fr->fr_lastpkt.tv_usec;
+ old->fr_curpps = fr->fr_curpps;
+ old->fr_dun.fru_data = fr->fr_dun.fru_data;
+ old->fr_func = fr->fr_func;
+ old->fr_dsize = fr->fr_dsize;
+ old->fr_pps = fr->fr_pps;
+ old->fr_statemax = fr->fr_statemax;
+ old->fr_flineno = fr->fr_flineno;
+ old->fr_type = fr->fr_type;
+ old->fr_flags = fr_frflags5to4(fr->fr_flags);
+ old->fr_logtag = fr->fr_logtag;
+ old->fr_collect = fr->fr_collect;
+ old->fr_arg = fr->fr_arg;
+ old->fr_loglevel = fr->fr_loglevel;
+ old->fr_age[0] = fr->fr_age[0];
+ old->fr_age[1] = fr->fr_age[1];
+ if (fr->fr_family == AF_INET)
+ old->fr_v = 4;
+ if (fr->fr_family == AF_INET6)
+ old->fr_v = 6;
+ old->fr_icode = fr->fr_icode;
+ old->fr_cksum = fr->fr_cksum;
+ old->fr_tifs[0].ofd_ip6 = fr->fr_tifs[0].fd_ip6;
+ old->fr_tifs[1].ofd_ip6 = fr->fr_tifs[0].fd_ip6;
+ old->fr_dif.ofd_ip6 = fr->fr_dif.fd_ip6;
+ if (fr->fr_ifnames[0] >= 0) {
+ strncpy(old->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0],
+ LIFNAMSIZ);
+ old->fr_ifnames[0][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[1] >= 0) {
+ strncpy(old->fr_ifnames[1], fr->fr_names + fr->fr_ifnames[1],
+ LIFNAMSIZ);
+ old->fr_ifnames[1][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[2] >= 0) {
+ strncpy(old->fr_ifnames[2], fr->fr_names + fr->fr_ifnames[2],
+ LIFNAMSIZ);
+ old->fr_ifnames[2][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[3] >= 0) {
+ strncpy(old->fr_ifnames[3], fr->fr_names + fr->fr_ifnames[3],
+ LIFNAMSIZ);
+ old->fr_ifnames[3][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_tifs[0].fd_name >= 0) {
+ strncpy(old->fr_tifs[0].fd_ifname,
+ fr->fr_names + fr->fr_tifs[0].fd_name, LIFNAMSIZ);
+ old->fr_tifs[0].fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_tifs[1].fd_name >= 0) {
+ strncpy(old->fr_tifs[1].fd_ifname,
+ fr->fr_names + fr->fr_tifs[1].fd_name, LIFNAMSIZ);
+ old->fr_tifs[1].fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_dif.fd_name >= 0) {
+ strncpy(old->fr_dif.fd_ifname,
+ fr->fr_names + fr->fr_dif.fd_name, LIFNAMSIZ);
+ old->fr_dif.fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_group >= 0) {
+ strncpy(old->fr_group, fr->fr_names + fr->fr_group,
+ FR_GROUPLEN);
+ old->fr_group[FR_GROUPLEN - 1] = '\0';
+ }
+ if (fr->fr_grhead >= 0) {
+ strncpy(old->fr_grhead, fr->fr_names + fr->fr_grhead,
+ FR_GROUPLEN);
+ old->fr_grhead[FR_GROUPLEN - 1] = '\0';
+ }
+}
+
+
+static void
+frentry_current_to_4_1_16(current, old)
+ void *current;
+ frentry_4_1_16_t *old;
+{
+ frentry_t *fr = (frentry_t *)current;
+
+ old->fr_lock = fr->fr_lock;
+ old->fr_next = fr->fr_next;
+ old->fr_grp = (void *)fr->fr_grp;
+ old->fr_isc = fr->fr_isc;
+ old->fr_ifas[0] = fr->fr_ifas[0];
+ old->fr_ifas[1] = fr->fr_ifas[1];
+ old->fr_ifas[2] = fr->fr_ifas[2];
+ old->fr_ifas[3] = fr->fr_ifas[3];
+ old->fr_ptr = fr->fr_ptr;
+ old->fr_comment = NULL;
+ old->fr_ref = fr->fr_ref;
+ old->fr_statecnt = fr->fr_statecnt;
+ old->fr_hits = fr->fr_hits;
+ old->fr_bytes = fr->fr_bytes;
+ old->fr_lastpkt.tv_sec = fr->fr_lastpkt.tv_sec;
+ old->fr_lastpkt.tv_usec = fr->fr_lastpkt.tv_usec;
+ old->fr_curpps = fr->fr_curpps;
+ old->fr_dun.fru_data = fr->fr_dun.fru_data;
+ old->fr_func = fr->fr_func;
+ old->fr_dsize = fr->fr_dsize;
+ old->fr_pps = fr->fr_pps;
+ old->fr_statemax = fr->fr_statemax;
+ old->fr_flineno = fr->fr_flineno;
+ old->fr_type = fr->fr_type;
+ old->fr_flags = fr_frflags5to4(fr->fr_flags);
+ old->fr_logtag = fr->fr_logtag;
+ old->fr_collect = fr->fr_collect;
+ old->fr_arg = fr->fr_arg;
+ old->fr_loglevel = fr->fr_loglevel;
+ old->fr_age[0] = fr->fr_age[0];
+ old->fr_age[1] = fr->fr_age[1];
+ if (old->fr_v == 4)
+ fr->fr_family = AF_INET;
+ if (old->fr_v == 6)
+ fr->fr_family = AF_INET6;
+ old->fr_icode = fr->fr_icode;
+ old->fr_cksum = fr->fr_cksum;
+ old->fr_tifs[0].ofd_ip6 = fr->fr_tifs[0].fd_ip6;
+ old->fr_tifs[1].ofd_ip6 = fr->fr_tifs[0].fd_ip6;
+ old->fr_dif.ofd_ip6 = fr->fr_dif.fd_ip6;
+ if (fr->fr_ifnames[0] >= 0) {
+ strncpy(old->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0],
+ LIFNAMSIZ);
+ old->fr_ifnames[0][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[1] >= 0) {
+ strncpy(old->fr_ifnames[1], fr->fr_names + fr->fr_ifnames[1],
+ LIFNAMSIZ);
+ old->fr_ifnames[1][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[2] >= 0) {
+ strncpy(old->fr_ifnames[2], fr->fr_names + fr->fr_ifnames[2],
+ LIFNAMSIZ);
+ old->fr_ifnames[2][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[3] >= 0) {
+ strncpy(old->fr_ifnames[3], fr->fr_names + fr->fr_ifnames[3],
+ LIFNAMSIZ);
+ old->fr_ifnames[3][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_tifs[0].fd_name >= 0) {
+ strncpy(old->fr_tifs[0].fd_ifname,
+ fr->fr_names + fr->fr_tifs[0].fd_name, LIFNAMSIZ);
+ old->fr_tifs[0].fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_tifs[1].fd_name >= 0) {
+ strncpy(old->fr_tifs[1].fd_ifname,
+ fr->fr_names + fr->fr_tifs[1].fd_name, LIFNAMSIZ);
+ old->fr_tifs[1].fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_dif.fd_name >= 0) {
+ strncpy(old->fr_dif.fd_ifname,
+ fr->fr_names + fr->fr_dif.fd_name, LIFNAMSIZ);
+ old->fr_dif.fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_group >= 0) {
+ strncpy(old->fr_group, fr->fr_names + fr->fr_group,
+ FR_GROUPLEN);
+ old->fr_group[FR_GROUPLEN - 1] = '\0';
+ }
+ if (fr->fr_grhead >= 0) {
+ strncpy(old->fr_grhead, fr->fr_names + fr->fr_grhead,
+ FR_GROUPLEN);
+ old->fr_grhead[FR_GROUPLEN - 1] = '\0';
+ }
+}
+
+
+static void
+frentry_current_to_4_1_0(current, old)
+ void *current;
+ frentry_4_1_0_t *old;
+{
+ frentry_t *fr = (frentry_t *)current;
+
+ old->fr_lock = fr->fr_lock;
+ old->fr_next = fr->fr_next;
+ old->fr_grp = (void *)fr->fr_grp;
+ old->fr_isc = fr->fr_isc;
+ old->fr_ifas[0] = fr->fr_ifas[0];
+ old->fr_ifas[1] = fr->fr_ifas[1];
+ old->fr_ifas[2] = fr->fr_ifas[2];
+ old->fr_ifas[3] = fr->fr_ifas[3];
+ old->fr_ptr = fr->fr_ptr;
+ old->fr_comment = NULL;
+ old->fr_ref = fr->fr_ref;
+ old->fr_statecnt = fr->fr_statecnt;
+ old->fr_hits = fr->fr_hits;
+ old->fr_bytes = fr->fr_bytes;
+ old->fr_lastpkt.tv_sec = fr->fr_lastpkt.tv_sec;
+ old->fr_lastpkt.tv_usec = fr->fr_lastpkt.tv_usec;
+ old->fr_curpps = fr->fr_curpps;
+ old->fr_dun.fru_data = fr->fr_dun.fru_data;
+ old->fr_func = fr->fr_func;
+ old->fr_dsize = fr->fr_dsize;
+ old->fr_pps = fr->fr_pps;
+ old->fr_statemax = fr->fr_statemax;
+ old->fr_flineno = fr->fr_flineno;
+ old->fr_type = fr->fr_type;
+ old->fr_flags = fr_frflags5to4(fr->fr_flags);
+ old->fr_logtag = fr->fr_logtag;
+ old->fr_collect = fr->fr_collect;
+ old->fr_arg = fr->fr_arg;
+ old->fr_loglevel = fr->fr_loglevel;
+ old->fr_age[0] = fr->fr_age[0];
+ old->fr_age[1] = fr->fr_age[1];
+ if (old->fr_v == 4)
+ fr->fr_family = AF_INET;
+ if (old->fr_v == 6)
+ fr->fr_family = AF_INET6;
+ old->fr_icode = fr->fr_icode;
+ old->fr_cksum = fr->fr_cksum;
+ old->fr_tifs[0].ofd_ip6 = fr->fr_tifs[0].fd_ip6;
+ old->fr_tifs[1].ofd_ip6 = fr->fr_tifs[0].fd_ip6;
+ old->fr_dif.ofd_ip6 = fr->fr_dif.fd_ip6;
+ if (fr->fr_ifnames[0] >= 0) {
+ strncpy(old->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0],
+ LIFNAMSIZ);
+ old->fr_ifnames[0][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[1] >= 0) {
+ strncpy(old->fr_ifnames[1], fr->fr_names + fr->fr_ifnames[1],
+ LIFNAMSIZ);
+ old->fr_ifnames[1][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[2] >= 0) {
+ strncpy(old->fr_ifnames[2], fr->fr_names + fr->fr_ifnames[2],
+ LIFNAMSIZ);
+ old->fr_ifnames[2][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_ifnames[3] >= 0) {
+ strncpy(old->fr_ifnames[3], fr->fr_names + fr->fr_ifnames[3],
+ LIFNAMSIZ);
+ old->fr_ifnames[3][LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_tifs[0].fd_name >= 0) {
+ strncpy(old->fr_tifs[0].fd_ifname,
+ fr->fr_names + fr->fr_tifs[0].fd_name, LIFNAMSIZ);
+ old->fr_tifs[0].fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_tifs[1].fd_name >= 0) {
+ strncpy(old->fr_tifs[1].fd_ifname,
+ fr->fr_names + fr->fr_tifs[1].fd_name, LIFNAMSIZ);
+ old->fr_tifs[1].fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_dif.fd_name >= 0) {
+ strncpy(old->fr_dif.fd_ifname,
+ fr->fr_names + fr->fr_dif.fd_name, LIFNAMSIZ);
+ old->fr_dif.fd_ifname[LIFNAMSIZ - 1] = '\0';
+ }
+ if (fr->fr_group >= 0) {
+ strncpy(old->fr_group, fr->fr_names + fr->fr_group,
+ FR_GROUPLEN);
+ old->fr_group[FR_GROUPLEN - 1] = '\0';
+ }
+ if (fr->fr_grhead >= 0) {
+ strncpy(old->fr_grhead, fr->fr_names + fr->fr_grhead,
+ FR_GROUPLEN);
+ old->fr_grhead[FR_GROUPLEN - 1] = '\0';
+ }
+}
+
+
+static void
+fr_info_current_to_4_1_24(current, old)
+ void *current;
+ fr_info_4_1_24_t *old;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ old->fin_ifp = fin->fin_ifp;
+ ipf_v5iptov4(&fin->fin_fi, &old->fin_fi);
+ bcopy(&fin->fin_dat, &old->fin_dat, sizeof(fin->fin_dat));
+ old->fin_out = fin->fin_out;
+ old->fin_rev = fin->fin_rev;
+ old->fin_hlen = fin->fin_hlen;
+ old->ofin_tcpf = fin->fin_tcpf;
+ old->fin_icode = fin->fin_icode;
+ old->fin_rule = fin->fin_rule;
+ bcopy(fin->fin_group, old->fin_group, sizeof(fin->fin_group));
+ old->fin_fr = fin->fin_fr;
+ old->fin_dp = fin->fin_dp;
+ old->fin_dlen = fin->fin_dlen;
+ old->fin_plen = fin->fin_plen;
+ old->fin_ipoff = fin->fin_ipoff;
+ old->fin_id = fin->fin_id;
+ old->fin_off = fin->fin_off;
+ old->fin_depth = fin->fin_depth;
+ old->fin_error = fin->fin_error;
+ old->fin_cksum = fin->fin_cksum;
+ old->fin_state = NULL;
+ old->fin_nat = NULL;
+ old->fin_nattag = fin->fin_nattag;
+ old->fin_exthdr = NULL;
+ old->ofin_ip = fin->fin_ip;
+ old->fin_mp = fin->fin_mp;
+ old->fin_m = fin->fin_m;
+#ifdef MENTAT
+ old->fin_qfm = fin->fin_qfm;
+ old->fin_qpi = fin->fin_qpi;
+ old->fin_ifname[0] = '\0';
+#endif
+#ifdef __sgi
+ old->fin_hbuf = fin->fin_hbuf;
+#endif
+}
+
+
+static void
+fr_info_current_to_4_1_23(current, old)
+ void *current;
+ fr_info_4_1_23_t *old;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ old->fin_ifp = fin->fin_ifp;
+ ipf_v5iptov4(&fin->fin_fi, &old->fin_fi);
+ bcopy(&fin->fin_dat, &old->fin_dat, sizeof(fin->fin_dat));
+ old->fin_out = fin->fin_out;
+ old->fin_rev = fin->fin_rev;
+ old->fin_hlen = fin->fin_hlen;
+ old->ofin_tcpf = fin->fin_tcpf;
+ old->fin_icode = fin->fin_icode;
+ old->fin_rule = fin->fin_rule;
+ bcopy(fin->fin_group, old->fin_group, sizeof(fin->fin_group));
+ old->fin_fr = fin->fin_fr;
+ old->fin_dp = fin->fin_dp;
+ old->fin_dlen = fin->fin_dlen;
+ old->fin_plen = fin->fin_plen;
+ old->fin_ipoff = fin->fin_ipoff;
+ old->fin_id = fin->fin_id;
+ old->fin_off = fin->fin_off;
+ old->fin_depth = fin->fin_depth;
+ old->fin_error = fin->fin_error;
+ old->fin_state = NULL;
+ old->fin_nat = NULL;
+ old->fin_nattag = fin->fin_nattag;
+ old->ofin_ip = fin->fin_ip;
+ old->fin_mp = fin->fin_mp;
+ old->fin_m = fin->fin_m;
+#ifdef MENTAT
+ old->fin_qfm = fin->fin_qfm;
+ old->fin_qpi = fin->fin_qpi;
+ old->fin_ifname[0] = '\0';
+#endif
+#ifdef __sgi
+ old->fin_hbuf = fin->fin_hbuf;
+#endif
+}
+
+
+static void
+fr_info_current_to_4_1_11(current, old)
+ void *current;
+ fr_info_4_1_11_t *old;
+{
+ fr_info_t *fin = (fr_info_t *)current;
+
+ old->fin_ifp = fin->fin_ifp;
+ ipf_v5iptov4(&fin->fin_fi, &old->fin_fi);
+ bcopy(&fin->fin_dat, &old->fin_dat, sizeof(fin->fin_dat));
+ old->fin_out = fin->fin_out;
+ old->fin_rev = fin->fin_rev;
+ old->fin_hlen = fin->fin_hlen;
+ old->ofin_tcpf = fin->fin_tcpf;
+ old->fin_icode = fin->fin_icode;
+ old->fin_rule = fin->fin_rule;
+ bcopy(fin->fin_group, old->fin_group, sizeof(fin->fin_group));
+ old->fin_fr = fin->fin_fr;
+ old->fin_dp = fin->fin_dp;
+ old->fin_dlen = fin->fin_dlen;
+ old->fin_plen = fin->fin_plen;
+ old->fin_ipoff = fin->fin_ipoff;
+ old->fin_id = fin->fin_id;
+ old->fin_off = fin->fin_off;
+ old->fin_depth = fin->fin_depth;
+ old->fin_error = fin->fin_error;
+ old->fin_state = NULL;
+ old->fin_nat = NULL;
+ old->fin_nattag = fin->fin_nattag;
+ old->ofin_ip = fin->fin_ip;
+ old->fin_mp = fin->fin_mp;
+ old->fin_m = fin->fin_m;
+#ifdef MENTAT
+ old->fin_qfm = fin->fin_qfm;
+ old->fin_qpi = fin->fin_qpi;
+ old->fin_ifname[0] = '\0';
+#endif
+#ifdef __sgi
+ old->fin_hbuf = fin->fin_hbuf;
+#endif
+}
+
+
+static void
+frauth_current_to_4_1_29(current, old)
+ void *current;
+ frauth_4_1_29_t *old;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ old->fra_age = fra->fra_age;
+ old->fra_len = fra->fra_len;
+ old->fra_index = fra->fra_index;
+ old->fra_pass = fra->fra_pass;
+ fr_info_current_to_4_1_24(&fra->fra_info, &old->fra_info);
+ old->fra_buf = fra->fra_buf;
+ old->fra_flx = fra->fra_flx;
+#ifdef MENTAT
+ old->fra_q = fra->fra_q;
+ old->fra_m = fra->fra_m;
+#endif
+}
+
+
+static void
+frauth_current_to_4_1_24(current, old)
+ void *current;
+ frauth_4_1_24_t *old;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ old->fra_age = fra->fra_age;
+ old->fra_len = fra->fra_len;
+ old->fra_index = fra->fra_index;
+ old->fra_pass = fra->fra_pass;
+ fr_info_current_to_4_1_24(&fra->fra_info, &old->fra_info);
+ old->fra_buf = fra->fra_buf;
+#ifdef MENTAT
+ old->fra_q = fra->fra_q;
+ old->fra_m = fra->fra_m;
+#endif
+}
+
+
+static void
+frauth_current_to_4_1_23(current, old)
+ void *current;
+ frauth_4_1_23_t *old;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ old->fra_age = fra->fra_age;
+ old->fra_len = fra->fra_len;
+ old->fra_index = fra->fra_index;
+ old->fra_pass = fra->fra_pass;
+ fr_info_current_to_4_1_23(&fra->fra_info, &old->fra_info);
+ old->fra_buf = fra->fra_buf;
+#ifdef MENTAT
+ old->fra_q = fra->fra_q;
+ old->fra_m = fra->fra_m;
+#endif
+}
+
+
+static void
+frauth_current_to_4_1_11(current, old)
+ void *current;
+ frauth_4_1_11_t *old;
+{
+ frauth_t *fra = (frauth_t *)current;
+
+ old->fra_age = fra->fra_age;
+ old->fra_len = fra->fra_len;
+ old->fra_index = fra->fra_index;
+ old->fra_pass = fra->fra_pass;
+ fr_info_current_to_4_1_11(&fra->fra_info, &old->fra_info);
+ old->fra_buf = fra->fra_buf;
+#ifdef MENTAT
+ old->fra_q = fra->fra_q;
+ old->fra_m = fra->fra_m;
+#endif
+}
+
+
+static void
+ipnat_current_to_4_1_14(current, old)
+ void *current;
+ ipnat_4_1_14_t *old;
+{
+ ipnat_t *np = (ipnat_t *)current;
+
+ old->in_next = np->in_next;
+ old->in_rnext = np->in_rnext;
+ old->in_prnext = np->in_prnext;
+ old->in_mnext = np->in_mnext;
+ old->in_pmnext = np->in_pmnext;
+ old->in_tqehead[0] = np->in_tqehead[0];
+ old->in_tqehead[1] = np->in_tqehead[1];
+ old->in_ifps[0] = np->in_ifps[0];
+ old->in_ifps[1] = np->in_ifps[1];
+ old->in_apr = np->in_apr;
+ old->in_comment = np->in_comment;
+ old->in_space = np->in_space;
+ old->in_hits = np->in_hits;
+ old->in_use = np->in_use;
+ old->in_hv = np->in_hv[0];
+ old->in_flineno = np->in_flineno;
+ if (old->in_redir == NAT_REDIRECT)
+ old->in_pnext = np->in_dpnext;
+ else
+ old->in_pnext = np->in_spnext;
+ old->in_v = np->in_v[0];
+ old->in_flags = np->in_flags;
+ old->in_mssclamp = np->in_mssclamp;
+ old->in_age[0] = np->in_age[0];
+ old->in_age[1] = np->in_age[1];
+ old->in_redir = np->in_redir;
+ old->in_p = np->in_pr[0];
+ if (np->in_redir == NAT_REDIRECT) {
+ old->in_next6 = np->in_ndst.na_nextaddr;
+ old->in_in[0] = np->in_ndst.na_addr[0];
+ old->in_in[1] = np->in_ndst.na_addr[1];
+ old->in_out[0] = np->in_odst.na_addr[0];
+ old->in_out[1] = np->in_odst.na_addr[1];
+ old->in_src[0] = np->in_osrc.na_addr[0];
+ old->in_src[1] = np->in_osrc.na_addr[1];
+ } else {
+ old->in_next6 = np->in_nsrc.na_nextaddr;
+ old->in_out[0] = np->in_nsrc.na_addr[0];
+ old->in_out[1] = np->in_nsrc.na_addr[1];
+ old->in_in[0] = np->in_osrc.na_addr[0];
+ old->in_in[1] = np->in_osrc.na_addr[1];
+ old->in_src[0] = np->in_odst.na_addr[0];
+ old->in_src[1] = np->in_odst.na_addr[1];
+ }
+ ipfv5tuctov4(&np->in_tuc, &old->in_tuc);
+ if (np->in_redir == NAT_REDIRECT) {
+ old->in_port[0] = np->in_dpmin;
+ old->in_port[1] = np->in_dpmax;
+ } else {
+ old->in_port[0] = np->in_spmin;
+ old->in_port[1] = np->in_spmax;
+ }
+ old->in_ppip = np->in_ppip;
+ old->in_ippip = np->in_ippip;
+ bcopy(&np->in_tag, &old->in_tag, sizeof(np->in_tag));
+
+ if (np->in_ifnames[0] >= 0) {
+ strncpy(old->in_ifnames[0], np->in_names + np->in_ifnames[0],
+ LIFNAMSIZ);
+ old->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
+ }
+ if (np->in_ifnames[1] >= 0) {
+ strncpy(old->in_ifnames[1], np->in_names + np->in_ifnames[1],
+ LIFNAMSIZ);
+ old->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
+ }
+ if (np->in_plabel >= 0) {
+ strncpy(old->in_plabel, np->in_names + np->in_plabel,
+ APR_LABELLEN);
+ old->in_plabel[APR_LABELLEN - 1] = '\0';
+ }
+}
+
+
+static void
+ipnat_current_to_4_1_0(current, old)
+ void *current;
+ ipnat_4_1_0_t *old;
+{
+ ipnat_t *np = (ipnat_t *)current;
+
+ old->in_next = np->in_next;
+ old->in_rnext = np->in_rnext;
+ old->in_prnext = np->in_prnext;
+ old->in_mnext = np->in_mnext;
+ old->in_pmnext = np->in_pmnext;
+ old->in_tqehead[0] = np->in_tqehead[0];
+ old->in_tqehead[1] = np->in_tqehead[1];
+ old->in_ifps[0] = np->in_ifps[0];
+ old->in_ifps[1] = np->in_ifps[1];
+ old->in_apr = np->in_apr;
+ old->in_comment = np->in_comment;
+ old->in_space = np->in_space;
+ old->in_hits = np->in_hits;
+ old->in_use = np->in_use;
+ old->in_hv = np->in_hv[0];
+ old->in_flineno = np->in_flineno;
+ if (old->in_redir == NAT_REDIRECT)
+ old->in_pnext = np->in_dpnext;
+ else
+ old->in_pnext = np->in_spnext;
+ old->in_v = np->in_v[0];
+ old->in_flags = np->in_flags;
+ old->in_mssclamp = np->in_mssclamp;
+ old->in_age[0] = np->in_age[0];
+ old->in_age[1] = np->in_age[1];
+ old->in_redir = np->in_redir;
+ old->in_p = np->in_pr[0];
+ if (np->in_redir == NAT_REDIRECT) {
+ old->in_next6 = np->in_ndst.na_nextaddr;
+ old->in_in[0] = np->in_ndst.na_addr[0];
+ old->in_in[1] = np->in_ndst.na_addr[1];
+ old->in_out[0] = np->in_odst.na_addr[0];
+ old->in_out[1] = np->in_odst.na_addr[1];
+ old->in_src[0] = np->in_osrc.na_addr[0];
+ old->in_src[1] = np->in_osrc.na_addr[1];
+ } else {
+ old->in_next6 = np->in_nsrc.na_nextaddr;
+ old->in_out[0] = np->in_nsrc.na_addr[0];
+ old->in_out[1] = np->in_nsrc.na_addr[1];
+ old->in_in[0] = np->in_osrc.na_addr[0];
+ old->in_in[1] = np->in_osrc.na_addr[1];
+ old->in_src[0] = np->in_odst.na_addr[0];
+ old->in_src[1] = np->in_odst.na_addr[1];
+ }
+ ipfv5tuctov4(&np->in_tuc, &old->in_tuc);
+ if (np->in_redir == NAT_REDIRECT) {
+ old->in_port[0] = np->in_dpmin;
+ old->in_port[1] = np->in_dpmax;
+ } else {
+ old->in_port[0] = np->in_spmin;
+ old->in_port[1] = np->in_spmax;
+ }
+ old->in_ppip = np->in_ppip;
+ old->in_ippip = np->in_ippip;
+ bcopy(&np->in_tag, &old->in_tag, sizeof(np->in_tag));
+
+ if (np->in_ifnames[0] >= 0) {
+ strncpy(old->in_ifnames[0], np->in_names + np->in_ifnames[0],
+ LIFNAMSIZ);
+ old->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
+ }
+ if (np->in_ifnames[1] >= 0) {
+ strncpy(old->in_ifnames[1], np->in_names + np->in_ifnames[1],
+ LIFNAMSIZ);
+ old->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
+ }
+ if (np->in_plabel >= 0) {
+ strncpy(old->in_plabel, np->in_names + np->in_plabel,
+ APR_LABELLEN);
+ old->in_plabel[APR_LABELLEN - 1] = '\0';
+ }
+}
+
+
+static void
+ipstate_current_to_4_1_16(current, old)
+ void *current;
+ ipstate_4_1_16_t *old;
+{
+ ipstate_t *is = (ipstate_t *)current;
+
+ old->is_lock = is->is_lock;
+ old->is_next = is->is_next;
+ old->is_pnext = is->is_pnext;
+ old->is_hnext = is->is_hnext;
+ old->is_phnext = is->is_phnext;
+ old->is_me = is->is_me;
+ old->is_ifp[0] = is->is_ifp[0];
+ old->is_ifp[1] = is->is_ifp[1];
+ old->is_sync = is->is_sync;
+ old->is_rule = is->is_rule;
+ old->is_tqehead[0] = is->is_tqehead[0];
+ old->is_tqehead[1] = is->is_tqehead[1];
+ old->is_isc = is->is_isc;
+ old->is_pkts[0] = is->is_pkts[0];
+ old->is_pkts[1] = is->is_pkts[1];
+ old->is_pkts[2] = is->is_pkts[2];
+ old->is_pkts[3] = is->is_pkts[3];
+ old->is_bytes[0] = is->is_bytes[0];
+ old->is_bytes[1] = is->is_bytes[1];
+ old->is_bytes[2] = is->is_bytes[2];
+ old->is_bytes[3] = is->is_bytes[3];
+ old->is_icmppkts[0] = is->is_icmppkts[0];
+ old->is_icmppkts[1] = is->is_icmppkts[1];
+ old->is_icmppkts[2] = is->is_icmppkts[2];
+ old->is_icmppkts[3] = is->is_icmppkts[3];
+ old->is_sti = is->is_sti;
+ old->is_frage[0] = is->is_frage[0];
+ old->is_frage[1] = is->is_frage[1];
+ old->is_ref = is->is_ref;
+ old->is_isninc[0] = is->is_isninc[0];
+ old->is_isninc[1] = is->is_isninc[1];
+ old->is_sumd[0] = is->is_sumd[0];
+ old->is_sumd[1] = is->is_sumd[1];
+ old->is_src = is->is_src;
+ old->is_dst = is->is_dst;
+ old->is_pass = is->is_pass;
+ old->is_p = is->is_p;
+ old->is_v = is->is_v;
+ old->is_hv = is->is_hv;
+ old->is_tag = is->is_tag;
+ old->is_opt[0] = is->is_opt[0];
+ old->is_opt[1] = is->is_opt[1];
+ old->is_optmsk[0] = is->is_optmsk[0];
+ old->is_optmsk[1] = is->is_optmsk[1];
+ old->is_sec = is->is_sec;
+ old->is_secmsk = is->is_secmsk;
+ old->is_auth = is->is_auth;
+ old->is_authmsk = is->is_authmsk;
+ ipf_v5tcpinfoto4(&is->is_tcp, &old->is_tcp);
+ old->is_flags = is->is_flags;
+ old->is_flx[0][0] = is->is_flx[0][0];
+ old->is_flx[0][1] = is->is_flx[0][1];
+ old->is_flx[1][0] = is->is_flx[1][0];
+ old->is_flx[1][1] = is->is_flx[1][1];
+ old->is_rulen = is->is_rulen;
+ old->is_s0[0] = is->is_s0[0];
+ old->is_s0[1] = is->is_s0[1];
+ old->is_smsk[0] = is->is_smsk[0];
+ old->is_smsk[1] = is->is_smsk[1];
+ bcopy(is->is_group, old->is_group, sizeof(is->is_group));
+ bcopy(is->is_sbuf, old->is_sbuf, sizeof(is->is_sbuf));
+ bcopy(is->is_ifname, old->is_ifname, sizeof(is->is_ifname));
+}
+
+
+static void
+ipstate_current_to_4_1_0(current, old)
+ void *current;
+ ipstate_4_1_0_t *old;
+{
+ ipstate_t *is = (ipstate_t *)current;
+
+ old->is_lock = is->is_lock;
+ old->is_next = is->is_next;
+ old->is_pnext = is->is_pnext;
+ old->is_hnext = is->is_hnext;
+ old->is_phnext = is->is_phnext;
+ old->is_me = is->is_me;
+ old->is_ifp[0] = is->is_ifp[0];
+ old->is_ifp[1] = is->is_ifp[1];
+ old->is_sync = is->is_sync;
+ bzero(&old->is_nat, sizeof(old->is_nat));
+ old->is_rule = is->is_rule;
+ old->is_tqehead[0] = is->is_tqehead[0];
+ old->is_tqehead[1] = is->is_tqehead[1];
+ old->is_isc = is->is_isc;
+ old->is_pkts[0] = is->is_pkts[0];
+ old->is_pkts[1] = is->is_pkts[1];
+ old->is_pkts[2] = is->is_pkts[2];
+ old->is_pkts[3] = is->is_pkts[3];
+ old->is_bytes[0] = is->is_bytes[0];
+ old->is_bytes[1] = is->is_bytes[1];
+ old->is_bytes[2] = is->is_bytes[2];
+ old->is_bytes[3] = is->is_bytes[3];
+ old->is_icmppkts[0] = is->is_icmppkts[0];
+ old->is_icmppkts[1] = is->is_icmppkts[1];
+ old->is_icmppkts[2] = is->is_icmppkts[2];
+ old->is_icmppkts[3] = is->is_icmppkts[3];
+ old->is_sti = is->is_sti;
+ old->is_frage[0] = is->is_frage[0];
+ old->is_frage[1] = is->is_frage[1];
+ old->is_ref = is->is_ref;
+ old->is_isninc[0] = is->is_isninc[0];
+ old->is_isninc[1] = is->is_isninc[1];
+ old->is_sumd[0] = is->is_sumd[0];
+ old->is_sumd[1] = is->is_sumd[1];
+ old->is_src = is->is_src;
+ old->is_dst = is->is_dst;
+ old->is_pass = is->is_pass;
+ old->is_p = is->is_p;
+ old->is_v = is->is_v;
+ old->is_hv = is->is_hv;
+ old->is_tag = is->is_tag;
+ old->is_opt[0] = is->is_opt[0];
+ old->is_opt[1] = is->is_opt[1];
+ old->is_optmsk[0] = is->is_optmsk[0];
+ old->is_optmsk[1] = is->is_optmsk[1];
+ old->is_sec = is->is_sec;
+ old->is_secmsk = is->is_secmsk;
+ old->is_auth = is->is_auth;
+ old->is_authmsk = is->is_authmsk;
+ ipf_v5tcpinfoto4(&is->is_tcp, &old->is_tcp);
+ old->is_flags = is->is_flags;
+ old->is_flx[0][0] = is->is_flx[0][0];
+ old->is_flx[0][1] = is->is_flx[0][1];
+ old->is_flx[1][0] = is->is_flx[1][0];
+ old->is_flx[1][1] = is->is_flx[1][1];
+ old->is_rulen = is->is_rulen;
+ old->is_s0[0] = is->is_s0[0];
+ old->is_s0[1] = is->is_s0[1];
+ old->is_smsk[0] = is->is_smsk[0];
+ old->is_smsk[1] = is->is_smsk[1];
+ bcopy(is->is_group, old->is_group, sizeof(is->is_group));
+ bcopy(is->is_sbuf, old->is_sbuf, sizeof(is->is_sbuf));
+ bcopy(is->is_ifname, old->is_ifname, sizeof(is->is_ifname));
+}
+
+
+static void
+ips_stat_current_to_4_1_21(current, old)
+ void *current;
+ ips_stat_4_1_21_t *old;
+{
+ ips_stat_t *st = (ips_stat_t *)current;
+
+ old->iss_hits = st->iss_hits;
+ old->iss_miss = st->iss_check_miss;
+ old->iss_max = st->iss_max;
+ old->iss_maxref = st->iss_max_ref;
+ old->iss_tcp = st->iss_proto[IPPROTO_TCP];
+ old->iss_udp = st->iss_proto[IPPROTO_UDP];
+ old->iss_icmp = st->iss_proto[IPPROTO_ICMP];
+ old->iss_nomem = st->iss_nomem;
+ old->iss_expire = st->iss_expire;
+ old->iss_fin = st->iss_fin;
+ old->iss_active = st->iss_active;
+ old->iss_logged = st->iss_log_ok;
+ old->iss_logfail = st->iss_log_fail;
+ old->iss_inuse = st->iss_inuse;
+ old->iss_wild = st->iss_wild;
+ old->iss_ticks = st->iss_ticks;
+ old->iss_bucketfull = st->iss_bucket_full;
+ old->iss_statesize = st->iss_state_size;
+ old->iss_statemax = st->iss_state_max;
+ old->iss_table = st->iss_table;
+ old->iss_list = st->iss_list;
+ old->iss_bucketlen = (void *)st->iss_bucketlen;
+ old->iss_tcptab = st->iss_tcptab;
+}
+
+
+static void
+ips_stat_current_to_4_1_0(current, old)
+ void *current;
+ ips_stat_4_1_0_t *old;
+{
+ ips_stat_t *st = (ips_stat_t *)current;
+
+ old->iss_hits = st->iss_hits;
+ old->iss_miss = st->iss_check_miss;
+ old->iss_max = st->iss_max;
+ old->iss_maxref = st->iss_max_ref;
+ old->iss_tcp = st->iss_proto[IPPROTO_TCP];
+ old->iss_udp = st->iss_proto[IPPROTO_UDP];
+ old->iss_icmp = st->iss_proto[IPPROTO_ICMP];
+ old->iss_nomem = st->iss_nomem;
+ old->iss_expire = st->iss_expire;
+ old->iss_fin = st->iss_fin;
+ old->iss_active = st->iss_active;
+ old->iss_logged = st->iss_log_ok;
+ old->iss_logfail = st->iss_log_fail;
+ old->iss_inuse = st->iss_inuse;
+ old->iss_wild = st->iss_wild;
+ old->iss_ticks = st->iss_ticks;
+ old->iss_bucketfull = st->iss_bucket_full;
+ old->iss_statesize = st->iss_state_size;
+ old->iss_statemax = st->iss_state_max;
+ old->iss_table = st->iss_table;
+ old->iss_list = st->iss_list;
+ old->iss_bucketlen = (void *)st->iss_bucketlen;
+}
+
+
+static void
+nat_save_current_to_4_1_16(current, old)
+ void *current;
+ nat_save_4_1_16_t *old;
+{
+ nat_save_t *nats = (nat_save_t *)current;
+
+ old->ipn_next = nats->ipn_next;
+ bcopy(&nats->ipn_nat, &old->ipn_nat, sizeof(old->ipn_nat));
+ bcopy(&nats->ipn_ipnat, &old->ipn_ipnat, sizeof(old->ipn_ipnat));
+ frentry_current_to_4_1_16(&nats->ipn_fr, &old->ipn_fr);
+ old->ipn_dsize = nats->ipn_dsize;
+ bcopy(nats->ipn_data, old->ipn_data, sizeof(nats->ipn_data));
+}
+
+
+static void
+nat_save_current_to_4_1_14(current, old)
+ void *current;
+ nat_save_4_1_14_t *old;
+{
+ nat_save_t *nats = (nat_save_t *)current;
+
+ old->ipn_next = nats->ipn_next;
+ bcopy(&nats->ipn_nat, &old->ipn_nat, sizeof(old->ipn_nat));
+ bcopy(&nats->ipn_ipnat, &old->ipn_ipnat, sizeof(old->ipn_ipnat));
+ frentry_current_to_4_1_0(&nats->ipn_fr, &old->ipn_fr);
+ old->ipn_dsize = nats->ipn_dsize;
+ bcopy(nats->ipn_data, old->ipn_data, sizeof(nats->ipn_data));
+}
+
+
+static void
+nat_save_current_to_4_1_3(current, old)
+ void *current;
+ nat_save_4_1_3_t *old;
+{
+ nat_save_t *nats = (nat_save_t *)current;
+
+ old->ipn_next = nats->ipn_next;
+ bcopy(&nats->ipn_nat, &old->ipn_nat, sizeof(old->ipn_nat));
+ bcopy(&nats->ipn_ipnat, &old->ipn_ipnat, sizeof(old->ipn_ipnat));
+ frentry_current_to_4_1_0(&nats->ipn_fr, &old->ipn_fr);
+ old->ipn_dsize = nats->ipn_dsize;
+ bcopy(nats->ipn_data, old->ipn_data, sizeof(nats->ipn_data));
+}
+
+
+static void
+nat_current_to_4_1_25(current, old)
+ void *current;
+ nat_4_1_25_t *old;
+{
+ nat_t *nat = (nat_t *)current;
+
+ old->nat_lock = nat->nat_lock;
+ old->nat_next = (void *)nat->nat_next;
+ old->nat_pnext = (void *)nat->nat_pnext;
+ old->nat_hnext[0] = (void *)nat->nat_hnext[0];
+ old->nat_hnext[1] = (void *)nat->nat_hnext[1];
+ old->nat_phnext[0] = (void *)nat->nat_phnext[0];
+ old->nat_phnext[1] = (void *)nat->nat_phnext[1];
+ old->nat_hm = nat->nat_hm;
+ old->nat_data = nat->nat_data;
+ old->nat_me = (void *)nat->nat_me;
+ old->nat_state = nat->nat_state;
+ old->nat_aps = nat->nat_aps;
+ old->nat_fr = nat->nat_fr;
+ old->nat_ptr = (void *)nat->nat_ptr;
+ old->nat_ifps[0] = nat->nat_ifps[0];
+ old->nat_ifps[1] = nat->nat_ifps[1];
+ old->nat_sync = nat->nat_sync;
+ old->nat_tqe = nat->nat_tqe;
+ old->nat_flags = nat->nat_flags;
+ old->nat_sumd[0] = nat->nat_sumd[0];
+ old->nat_sumd[1] = nat->nat_sumd[1];
+ old->nat_ipsumd = nat->nat_ipsumd;
+ old->nat_mssclamp = nat->nat_mssclamp;
+ old->nat_pkts[0] = nat->nat_pkts[0];
+ old->nat_pkts[1] = nat->nat_pkts[1];
+ old->nat_bytes[0] = nat->nat_bytes[0];
+ old->nat_bytes[1] = nat->nat_bytes[1];
+ old->nat_ref = nat->nat_ref;
+ old->nat_dir = nat->nat_dir;
+ old->nat_p = nat->nat_pr[0];
+ old->nat_use = nat->nat_use;
+ old->nat_hv[0] = nat->nat_hv[0];
+ old->nat_hv[1] = nat->nat_hv[1];
+ old->nat_rev = nat->nat_rev;
+ old->nat_redir = nat->nat_redir;
+ bcopy(nat->nat_ifnames[0], old->nat_ifnames[0], LIFNAMSIZ);
+ bcopy(nat->nat_ifnames[1], old->nat_ifnames[1], LIFNAMSIZ);
+
+ if (nat->nat_redir == NAT_REDIRECT) {
+ old->nat_inip6 = nat->nat_ndst6;
+ old->nat_outip6 = nat->nat_odst6;
+ old->nat_oip6 = nat->nat_osrc6;
+ old->nat_un.nat_unt.ts_sport = nat->nat_ndport;
+ old->nat_un.nat_unt.ts_dport = nat->nat_odport;
+ } else {
+ old->nat_inip6 = nat->nat_osrc6;
+ old->nat_outip6 = nat->nat_nsrc6;
+ old->nat_oip6 = nat->nat_odst6;
+ old->nat_un.nat_unt.ts_sport = nat->nat_osport;
+ old->nat_un.nat_unt.ts_dport = nat->nat_nsport;
+ }
+}
+
+
+static void
+nat_current_to_4_1_14(current, old)
+ void *current;
+ nat_4_1_14_t *old;
+{
+ nat_t *nat = (nat_t *)current;
+
+ old->nat_lock = nat->nat_lock;
+ old->nat_next = nat->nat_next;
+ old->nat_pnext = NULL;
+ old->nat_hnext[0] = NULL;
+ old->nat_hnext[1] = NULL;
+ old->nat_phnext[0] = NULL;
+ old->nat_phnext[1] = NULL;
+ old->nat_hm = nat->nat_hm;
+ old->nat_data = nat->nat_data;
+ old->nat_me = (void *)nat->nat_me;
+ old->nat_state = nat->nat_state;
+ old->nat_aps = nat->nat_aps;
+ old->nat_fr = nat->nat_fr;
+ old->nat_ptr = nat->nat_ptr;
+ old->nat_ifps[0] = nat->nat_ifps[0];
+ old->nat_ifps[1] = nat->nat_ifps[1];
+ old->nat_sync = nat->nat_sync;
+ old->nat_tqe = nat->nat_tqe;
+ old->nat_flags = nat->nat_flags;
+ old->nat_sumd[0] = nat->nat_sumd[0];
+ old->nat_sumd[1] = nat->nat_sumd[1];
+ old->nat_ipsumd = nat->nat_ipsumd;
+ old->nat_mssclamp = nat->nat_mssclamp;
+ old->nat_pkts[0] = nat->nat_pkts[0];
+ old->nat_pkts[1] = nat->nat_pkts[1];
+ old->nat_bytes[0] = nat->nat_bytes[0];
+ old->nat_bytes[1] = nat->nat_bytes[1];
+ old->nat_ref = nat->nat_ref;
+ old->nat_dir = nat->nat_dir;
+ old->nat_p = nat->nat_pr[0];
+ old->nat_use = nat->nat_use;
+ old->nat_hv[0] = nat->nat_hv[0];
+ old->nat_hv[1] = nat->nat_hv[1];
+ old->nat_rev = nat->nat_rev;
+ bcopy(nat->nat_ifnames[0], old->nat_ifnames[0], LIFNAMSIZ);
+ bcopy(nat->nat_ifnames[1], old->nat_ifnames[1], LIFNAMSIZ);
+
+ if (nat->nat_redir == NAT_REDIRECT) {
+ old->nat_inip6 = nat->nat_ndst6;
+ old->nat_outip6 = nat->nat_odst6;
+ old->nat_oip6 = nat->nat_osrc6;
+ old->nat_un.nat_unt.ts_sport = nat->nat_ndport;
+ old->nat_un.nat_unt.ts_dport = nat->nat_odport;
+ } else {
+ old->nat_inip6 = nat->nat_osrc6;
+ old->nat_outip6 = nat->nat_nsrc6;
+ old->nat_oip6 = nat->nat_odst6;
+ old->nat_un.nat_unt.ts_sport = nat->nat_osport;
+ old->nat_un.nat_unt.ts_dport = nat->nat_nsport;
+ }
+}
+
+
+static void
+nat_current_to_4_1_3(current, old)
+ void *current;
+ nat_4_1_3_t *old;
+{
+ nat_t *nat = (nat_t *)current;
+
+ old->nat_lock = nat->nat_lock;
+ old->nat_next = nat->nat_next;
+ old->nat_pnext = NULL;
+ old->nat_hnext[0] = NULL;
+ old->nat_hnext[1] = NULL;
+ old->nat_phnext[0] = NULL;
+ old->nat_phnext[1] = NULL;
+ old->nat_hm = nat->nat_hm;
+ old->nat_data = nat->nat_data;
+ old->nat_me = (void *)nat->nat_me;
+ old->nat_state = nat->nat_state;
+ old->nat_aps = nat->nat_aps;
+ old->nat_fr = nat->nat_fr;
+ old->nat_ptr = nat->nat_ptr;
+ old->nat_ifps[0] = nat->nat_ifps[0];
+ old->nat_ifps[1] = nat->nat_ifps[1];
+ old->nat_sync = nat->nat_sync;
+ old->nat_tqe = nat->nat_tqe;
+ old->nat_flags = nat->nat_flags;
+ old->nat_sumd[0] = nat->nat_sumd[0];
+ old->nat_sumd[1] = nat->nat_sumd[1];
+ old->nat_ipsumd = nat->nat_ipsumd;
+ old->nat_mssclamp = nat->nat_mssclamp;
+ old->nat_pkts[0] = nat->nat_pkts[0];
+ old->nat_pkts[1] = nat->nat_pkts[1];
+ old->nat_bytes[0] = nat->nat_bytes[0];
+ old->nat_bytes[1] = nat->nat_bytes[1];
+ old->nat_ref = nat->nat_ref;
+ old->nat_dir = nat->nat_dir;
+ old->nat_p = nat->nat_pr[0];
+ old->nat_use = nat->nat_use;
+ old->nat_hv[0] = nat->nat_hv[0];
+ old->nat_hv[1] = nat->nat_hv[1];
+ old->nat_rev = nat->nat_rev;
+ bcopy(nat->nat_ifnames[0], old->nat_ifnames[0], LIFNAMSIZ);
+ bcopy(nat->nat_ifnames[1], old->nat_ifnames[1], LIFNAMSIZ);
+
+ if (nat->nat_redir == NAT_REDIRECT) {
+ old->nat_inip6 = nat->nat_ndst6;
+ old->nat_outip6 = nat->nat_odst6;
+ old->nat_oip6 = nat->nat_osrc6;
+ old->nat_un.nat_unt.ts_sport = nat->nat_ndport;
+ old->nat_un.nat_unt.ts_dport = nat->nat_odport;
+ } else {
+ old->nat_inip6 = nat->nat_osrc6;
+ old->nat_outip6 = nat->nat_nsrc6;
+ old->nat_oip6 = nat->nat_odst6;
+ old->nat_un.nat_unt.ts_sport = nat->nat_osport;
+ old->nat_un.nat_unt.ts_dport = nat->nat_nsport;
+ }
+}
+
+#endif /* IPFILTER_COMPAT */
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
index ae05ca7..280f98d 100644
--- a/contrib/ipfilter/ipf.h
+++ b/contrib/ipfilter/ipf.h
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 2.71.2.15 2007/05/11 10:44:14 darrenr Exp $
+ * $Id$
*/
#ifndef __IPF_H__
@@ -80,6 +80,7 @@ struct file;
#include "netinet/ip_scan.h"
#include "netinet/ip_htable.h"
#include "netinet/ip_sync.h"
+#include "netinet/ip_dstlist.h"
#include "opts.h"
@@ -120,6 +121,9 @@ typedef unsigned int u_32_t;
#define MAX_ICMPCODE 16
#define MAX_ICMPTYPE 19
+#define PRINTF (void)printf
+#define FPRINTF (void)fprintf
+
struct ipopt_names {
int on_value;
@@ -132,6 +136,7 @@ struct ipopt_names {
typedef struct alist_s {
struct alist_s *al_next;
int al_not;
+ int al_family;
i6addr_t al_i6addr;
i6addr_t al_i6mask;
} alist_t;
@@ -142,6 +147,14 @@ typedef struct alist_s {
#define al_2 al_mask
+typedef struct plist_s {
+ struct plist_s *pl_next;
+ int pl_compare;
+ u_short pl_port1;
+ u_short pl_port2;
+} plist_t;
+
+
typedef struct {
u_short fb_c;
u_char fb_t;
@@ -150,6 +163,35 @@ typedef struct {
} fakebpf_t;
+typedef struct {
+ char *it_name;
+ int it_v4;
+ int it_v6;
+} icmptype_t;
+
+
+typedef struct wordtab {
+ char *w_word;
+ int w_value;
+} wordtab_t;
+
+
+typedef struct namelist {
+ struct namelist *na_next;
+ char *na_name;
+ int na_value;
+} namelist_t;
+
+
+typedef struct proxyrule {
+ struct proxyrule *pr_next;
+ char *pr_proxy;
+ char *pr_conf;
+ namelist_t *pr_names;
+ int pr_proto;
+} proxyrule_t;
+
+
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
SOLARIS || defined(__sgi) || defined(__osf__) || defined(linux)
@@ -158,7 +200,7 @@ typedef int (* ioctlfunc_t) __P((int, ioctlcmd_t, ...));
#else
typedef int (* ioctlfunc_t) __P((dev_t, ioctlcmd_t, void *));
#endif
-typedef void (* addfunc_t) __P((int, ioctlfunc_t, void *));
+typedef int (* addfunc_t) __P((int, ioctlfunc_t, void *));
typedef int (* copyfunc_t) __P((void *, void *, size_t));
@@ -178,90 +220,143 @@ extern char *icmpcodes[MAX_ICMPCODE + 1];
extern char *icmptypes[MAX_ICMPTYPE + 1];
extern int use_inet6;
extern int lineNum;
+extern int debuglevel;
extern struct ipopt_names v6ionames[];
+extern icmptype_t icmptypelist[];
+extern wordtab_t statefields[];
+extern wordtab_t natfields[];
+extern wordtab_t poolfields[];
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
-extern void alist_free __P((alist_t *));
+extern int addkeep __P((char ***, struct frentry *, int));
extern alist_t *alist_new __P((int, char *));
+extern void alist_free __P((alist_t *));
+extern void assigndefined __P((char *));
extern void binprint __P((void *, size_t));
-extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));
extern int checkrev __P((char *));
+extern int connecttcp __P((char *, int));
extern int count6bits __P((u_32_t *));
extern int count4bits __P((u_32_t));
extern char *fac_toname __P((int));
extern int fac_findname __P((char *));
+extern const char *familyname __P((const int));
extern void fill6bits __P((int, u_int *));
-extern int gethost __P((char *, u_32_t *));
-extern int getport __P((struct frentry *, char *, u_short *));
+extern wordtab_t *findword __P((wordtab_t *, char *));
+extern int ftov __P((int));
+extern char *ipf_geterror __P((int, ioctlfunc_t *));
+extern int genmask __P((int, char *, i6addr_t *));
+extern int gethost __P((int, char *, i6addr_t *));
+extern int geticmptype __P((int, char *));
+extern int getport __P((struct frentry *, char *, u_short *, char *));
extern int getportproto __P((char *, int));
extern int getproto __P((char *));
-extern char *getnattype __P((struct nat *, int));
+extern char *getnattype __P((struct nat *));
extern char *getsumd __P((u_32_t));
extern u_32_t getoptbyname __P((char *));
extern u_32_t getoptbyvalue __P((int));
extern u_32_t getv6optbyname __P((char *));
extern u_32_t getv6optbyvalue __P((int));
+extern char *icmptypename __P((int, int));
extern void initparse __P((void));
-extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
-extern void ipf_addrule __P((int, ioctlfunc_t, void *));
+extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
+extern int ipf_addrule __P((int, ioctlfunc_t, void *));
+extern void ipf_mutex_clean __P((void));
extern int ipf_parsefile __P((int, addfunc_t, ioctlfunc_t *, char *));
extern int ipf_parsesome __P((int, addfunc_t, ioctlfunc_t *, FILE *));
+extern void ipf_perror __P((int, char *));
+extern int ipf_perror_fd __P(( int, ioctlfunc_t, char *));
+extern void ipf_rwlock_clean __P((void));
+extern char *ipf_strerror __P((int));
+extern void ipferror __P((int, char *));
extern int ipmon_parsefile __P((char *));
extern int ipmon_parsesome __P((FILE *));
-extern void ipnat_addrule __P((int, ioctlfunc_t, void *));
+extern int ipnat_addrule __P((int, ioctlfunc_t, void *));
extern int ipnat_parsefile __P((int, addfunc_t, ioctlfunc_t, char *));
extern int ipnat_parsesome __P((int, addfunc_t, ioctlfunc_t, FILE *));
extern int ippool_parsefile __P((int, char *, ioctlfunc_t));
extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t));
extern int kmemcpywrap __P((void *, void *, size_t));
extern char *kvatoname __P((ipfunc_t, ioctlfunc_t));
+extern int load_dstlist __P((struct ippool_dst *, ioctlfunc_t,
+ ipf_dstnode_t *));
+extern int load_dstlistnode __P((int, char *, struct ipf_dstnode *,
+ ioctlfunc_t));
extern alist_t *load_file __P((char *));
extern int load_hash __P((struct iphtable_s *, struct iphtent_s *,
ioctlfunc_t));
-extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
+extern int load_hashnode __P((int, char *, struct iphtent_s *, int,
+ ioctlfunc_t));
extern alist_t *load_http __P((char *));
extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t));
-extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
+extern int load_poolnode __P((int, char *, ip_pool_node_t *, int, ioctlfunc_t));
extern alist_t *load_url __P((char *));
extern alist_t *make_range __P((int, struct in_addr, struct in_addr));
+extern void mb_hexdump __P((mb_t *, FILE *));
extern ipfunc_t nametokva __P((char *, ioctlfunc_t));
extern void nat_setgroupmap __P((struct ipnat *));
extern int ntomask __P((int, int, u_32_t *));
extern u_32_t optname __P((char ***, u_short *, int));
-extern struct frentry *parse __P((char *, int));
+extern wordtab_t *parsefields __P((wordtab_t *, char *));
+extern int *parseipfexpr __P((char *, char **));
+extern int parsewhoisline __P((char *, addrfamily_t *, addrfamily_t *));
+extern void pool_close __P((void));
+extern int pool_fd __P((void));
+extern int pool_ioctl __P((ioctlfunc_t, ioctlcmd_t, void *));
+extern int pool_open __P((void));
extern char *portname __P((int, int));
extern int pri_findname __P((char *));
extern char *pri_toname __P((int));
-extern void print_toif __P((char *, struct frdest *));
-extern void printaps __P((ap_session_t *, int));
+extern void print_toif __P((int, char *, char *, struct frdest *));
+extern void printaps __P((ap_session_t *, int, int));
+extern void printaddr __P((int, int, char *, int, u_32_t *, u_32_t *));
extern void printbuf __P((char *, int, int));
+extern void printfieldhdr __P((wordtab_t *, wordtab_t *));
extern void printfr __P((struct frentry *, ioctlfunc_t));
-extern void printtunable __P((ipftune_t *));
extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t,
- char *, int));
-extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *, int));
+ char *, int, wordtab_t *));
+extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *,
+ int, wordtab_t *));
+extern ippool_dst_t *printdstl_live __P((ippool_dst_t *, int, char *,
+ int, wordtab_t *));
extern void printhashdata __P((iphtable_t *, int));
extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
struct iphtent_s *,
- copyfunc_t, int));
+ copyfunc_t, int, wordtab_t *));
+extern void printhost __P((int, u_32_t *));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
-extern void printip __P((u_32_t *));
+extern void printip __P((int, u_32_t *));
extern void printlog __P((struct frentry *));
-extern void printlookup __P((i6addr_t *addr, i6addr_t *mask));
-extern void printmask __P((u_32_t *));
-extern void printpacket __P((struct ip *));
-extern void printpacket6 __P((struct ip *));
+extern void printlookup __P((char *, i6addr_t *addr, i6addr_t *mask));
+extern void printmask __P((int, u_32_t *));
+extern void printnataddr __P((int, char *, nat_addr_t *, int));
+extern void printnatfield __P((nat_t *, int));
+extern void printnatside __P((char *, nat_stat_side_t *));
+extern void printpacket __P((int, mb_t *));
+extern void printpacket6 __P((int, mb_t *));
+extern struct ippool_dst *printdstlist __P((struct ippool_dst *, copyfunc_t,
+ char *, int, ipf_dstnode_t *,
+ wordtab_t *));
+extern void printdstlistdata __P((ippool_dst_t *, int));
+extern ipf_dstnode_t *printdstlistnode __P((ipf_dstnode_t *, copyfunc_t,
+ int, wordtab_t *));
+extern void printdstlistpolicy __P((ippool_policy_t));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t,
- char *, int));
+ char *, int, wordtab_t *));
extern struct ip_pool_s *printpool_live __P((struct ip_pool_s *, int,
- char *, int));
+ char *, int, wordtab_t *));
extern void printpooldata __P((ip_pool_t *, int));
-extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
+extern void printpoolfield __P((void *, int, int));
+extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *,
+ int, wordtab_t *));
extern void printproto __P((struct protoent *, int, struct ipnat *));
extern void printportcmp __P((int, struct frpcmp *));
+extern void printstatefield __P((ipstate_t *, int));
+extern void printtqtable __P((ipftq_t *));
+extern void printtunable __P((ipftune_t *));
+extern void printunit __P((int));
extern void optprint __P((u_short *, u_long, u_long));
#ifdef USE_INET6
extern void optprintv6 __P((u_short *, u_long, u_long));
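Review bot: `printstatefield` is declared on the added line `extern void printstatefield __P((ipstate_t *, int));` in this hunk and again, identically, in the `@@ -283,14 +377,26 @@` hunk further down, so the commit removes the old duplicate `initparse` prototype but introduces a new duplicate. Keeping only one of the two avoids the copies drifting apart when the signature next changes. Separately, the added `ipf_perror_fd` takes `ioctlfunc_t` by value while the added `ipf_geterror` takes `ioctlfunc_t *`. If that difference is intended, a one-line comment above the pair would say so, for example `/* ipf_geterror takes a pointer to the ioctl function, ipf_perror_fd the function itself */`.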
@@ -270,7 +365,6 @@ extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t));
extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int remove_pool __P((ip_pool_t *, ioctlfunc_t));
extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
-extern u_char tcp_flags __P((char *, u_char *, int));
extern u_char tcpflags __P((char *));
extern void printc __P((struct frentry *));
extern void printC __P((int));
@@ -283,14 +377,26 @@ extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int, u_long));
extern void printsbuf __P((char *));
extern void printnat __P((struct ipnat *, int));
-extern void printactivenat __P((struct nat *, int, int, u_long));
+extern void printactiveaddress __P((int, char *, i6addr_t *, char *));
+extern void printactivenat __P((struct nat *, int, u_long));
extern void printhostmap __P((struct hostmap *, u_int));
-extern void printtqtable __P((ipftq_t *));
+extern void printtcpflags __P((u_32_t, u_32_t));
+extern void printipfexpr __P((int *));
+extern void printstatefield __P((ipstate_t *, int));
+extern void printstatefieldhdr __P((int));
+extern int sendtrap_v1_0 __P((int, char *, char *, int, time_t));
+extern int sendtrap_v2_0 __P((int, char *, char *, int));
+extern int vtof __P((int));
extern void set_variable __P((char *, char *));
extern char *get_variable __P((char *, char **, int));
extern void resetlexer __P((void));
+extern void debug __P((int, char *, ...));
+extern void verbose __P((int, char *, ...));
+extern void ipfkdebug __P((char *, ...));
+extern void ipfkverbose __P((char *, ...));
+
#if SOLARIS
extern int gethostname __P((char *, int ));
extern void sync __P((void));
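Review bot: The four added variadic prototypes `debug`, `verbose`, `ipfkdebug` and `ipfkverbose` take a non-const `char *` followed by `...`, and nothing tells the compiler that the string is a format, so a mismatched or externally supplied format string would not be diagnosed. Their definitions are not in this hunk, but if they are printf-style, the format parameter should be `const char *` with a format attribute where the compiler supports it, for example `extern void debug __P((int, const char *, ...)) __attribute__((format(printf, 2, 3)));`. The attribute would need to sit behind a macro that expands to nothing on compilers without it. Call sites should then pass literal formats and print any external text through `"%s"`.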
diff --git a/contrib/ipfilter/ipf_rb.h b/contrib/ipfilter/ipf_rb.h
new file mode 100644
index 0000000..3d7a59d
--- /dev/null
+++ b/contrib/ipfilter/ipf_rb.h
@@ -0,0 +1,364 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ */
+typedef enum rbcolour_e {
+ C_BLACK = 0,
+ C_RED = 1
+} rbcolour_t;
+
+#define RBI_LINK(_n, _t) \
+ struct _n##_rb_link { \
+ struct _t *left; \
+ struct _t *right; \
+ struct _t *parent; \
+ rbcolour_t colour; \
+ }
+
+#define RBI_HEAD(_n, _t) \
+struct _n##_rb_head { \
+ struct _t top; \
+ int count; \
+ int (* compare)(struct _t *, struct _t *); \
+}
+
+#define RBI_CODE(_n, _t, _f, _cmp) \
+ \
+typedef void (*_n##_rb_walker_t)(_t *, void *); \
+ \
+_t * _n##_rb_delete(struct _n##_rb_head *, _t *); \
+void _n##_rb_init(struct _n##_rb_head *); \
+void _n##_rb_insert(struct _n##_rb_head *, _t *); \
+_t * _n##_rb_search(struct _n##_rb_head *, void *); \
+void _n##_rb_walktree(struct _n##_rb_head *, _n##_rb_walker_t, void *);\
+ \
+static void \
+rotate_left(struct _n##_rb_head *head, _t *node) \
+{ \
+ _t *parent, *tmp1, *tmp2; \
+ \
+ parent = node->_f.parent; \
+ tmp1 = node->_f.right; \
+ tmp2 = tmp1->_f.left; \
+ node->_f.right = tmp2; \
+ if (tmp2 != & _n##_rb_zero) \
+ tmp2->_f.parent = node; \
+ if (parent == & _n##_rb_zero) \
+ head->top._f.right = tmp1; \
+ else if (parent->_f.right == node) \
+ parent->_f.right = tmp1; \
+ else \
+ parent->_f.left = tmp1; \
+ tmp1->_f.left = node; \
+ tmp1->_f.parent = parent; \
+ node->_f.parent = tmp1; \
+} \
+ \
+static void \
+rotate_right(struct _n##_rb_head *head, _t *node) \
+{ \
+ _t *parent, *tmp1, *tmp2; \
+ \
+ parent = node->_f.parent; \
+ tmp1 = node->_f.left; \
+ tmp2 = tmp1->_f.right; \
+ node->_f.left = tmp2; \
+ if (tmp2 != &_n##_rb_zero) \
+ tmp2->_f.parent = node; \
+ if (parent == &_n##_rb_zero) \
+ head->top._f.right = tmp1; \
+ else if (parent->_f.right == node) \
+ parent->_f.right = tmp1; \
+ else \
+ parent->_f.left = tmp1; \
+ tmp1->_f.right = node; \
+ tmp1->_f.parent = parent; \
+ node->_f.parent = tmp1; \
+} \
+ \
+void \
+_n##_rb_insert(struct _n##_rb_head *head, _t *node) \
+{ \
+ _t *n, *parent, **p, *tmp1, *gparent; \
+ \
+ parent = &head->top; \
+ node->_f.left = &_n##_rb_zero; \
+ node->_f.right = &_n##_rb_zero; \
+ p = &head->top._f.right; \
+ while ((n = *p) != &_n##_rb_zero) { \
+ if (_cmp(node, n) < 0) \
+ p = &n->_f.left; \
+ else \
+ p = &n->_f.right; \
+ parent = n; \
+ } \
+ *p = node; \
+ node->_f.colour = C_RED; \
+ node->_f.parent = parent; \
+ \
+ while ((node != &_n##_rb_zero) && (parent->_f.colour == C_RED)){\
+ gparent = parent->_f.parent; \
+ if (parent == gparent->_f.left) { \
+ tmp1 = gparent->_f.right; \
+ if (tmp1->_f.colour == C_RED) { \
+ parent->_f.colour = C_BLACK; \
+ tmp1->_f.colour = C_BLACK; \
+ gparent->_f.colour = C_RED; \
+ node = gparent; \
+ } else { \
+ if (node == parent->_f.right) { \
+ node = parent; \
+ rotate_left(head, node); \
+ parent = node->_f.parent; \
+ } \
+ parent->_f.colour = C_BLACK; \
+ gparent->_f.colour = C_RED; \
+ rotate_right(head, gparent); \
+ } \
+ } else { \
+ tmp1 = gparent->_f.left; \
+ if (tmp1->_f.colour == C_RED) { \
+ parent->_f.colour = C_BLACK; \
+ tmp1->_f.colour = C_BLACK; \
+ gparent->_f.colour = C_RED; \
+ node = gparent; \
+ } else { \
+ if (node == parent->_f.left) { \
+ node = parent; \
+ rotate_right(head, node); \
+ parent = node->_f.parent; \
+ } \
+ parent->_f.colour = C_BLACK; \
+ gparent->_f.colour = C_RED; \
+ rotate_left(head, parent->_f.parent); \
+ } \
+ } \
+ parent = node->_f.parent; \
+ } \
+ head->top._f.right->_f.colour = C_BLACK; \
+ head->count++; \
+} \
+ \
+static void \
+deleteblack(struct _n##_rb_head *head, _t *parent, _t *node) \
+{ \
+ _t *tmp; \
+ \
+ while ((node == &_n##_rb_zero || node->_f.colour == C_BLACK) && \
+ node != &head->top) { \
+ if (parent->_f.left == node) { \
+ tmp = parent->_f.right; \
+ if (tmp->_f.colour == C_RED) { \
+ tmp->_f.colour = C_BLACK; \
+ parent->_f.colour = C_RED; \
+ rotate_left(head, parent); \
+ tmp = parent->_f.right; \
+ } \
+ if ((tmp->_f.left == &_n##_rb_zero || \
+ tmp->_f.left->_f.colour == C_BLACK) && \
+ (tmp->_f.right == &_n##_rb_zero || \
+ tmp->_f.right->_f.colour == C_BLACK)) { \
+ tmp->_f.colour = C_RED; \
+ node = parent; \
+ parent = node->_f.parent; \
+ } else { \
+ if (tmp->_f.right == &_n##_rb_zero || \
+ tmp->_f.right->_f.colour == C_BLACK) {\
+ _t *tmp2 = tmp->_f.left; \
+ \
+ if (tmp2 != &_n##_rb_zero) \
+ tmp2->_f.colour = C_BLACK;\
+ tmp->_f.colour = C_RED; \
+ rotate_right(head, tmp); \
+ tmp = parent->_f.right; \
+ } \
+ tmp->_f.colour = parent->_f.colour; \
+ parent->_f.colour = C_BLACK; \
+ if (tmp->_f.right != &_n##_rb_zero) \
+ tmp->_f.right->_f.colour = C_BLACK;\
+ rotate_left(head, parent); \
+ node = head->top._f.right; \
+ } \
+ } else { \
+ tmp = parent->_f.left; \
+ if (tmp->_f.colour == C_RED) { \
+ tmp->_f.colour = C_BLACK; \
+ parent->_f.colour = C_RED; \
+ rotate_right(head, parent); \
+ tmp = parent->_f.left; \
+ } \
+ if ((tmp->_f.left == &_n##_rb_zero || \
+ tmp->_f.left->_f.colour == C_BLACK) && \
+ (tmp->_f.right == &_n##_rb_zero || \
+ tmp->_f.right->_f.colour == C_BLACK)) { \
+ tmp->_f.colour = C_RED; \
+ node = parent; \
+ parent = node->_f.parent; \
+ } else { \
+ if (tmp->_f.left == &_n##_rb_zero || \
+ tmp->_f.left->_f.colour == C_BLACK) {\
+ _t *tmp2 = tmp->_f.right; \
+ \
+ if (tmp2 != &_n##_rb_zero) \
+ tmp2->_f.colour = C_BLACK;\
+ tmp->_f.colour = C_RED; \
+ rotate_left(head, tmp); \
+ tmp = parent->_f.left; \
+ } \
+ tmp->_f.colour = parent->_f.colour; \
+ parent->_f.colour = C_BLACK; \
+ if (tmp->_f.left != &_n##_rb_zero) \
+ tmp->_f.left->_f.colour = C_BLACK;\
+ rotate_right(head, parent); \
+ node = head->top._f.right; \
+ break; \
+ } \
+ } \
+ } \
+ if (node != &_n##_rb_zero) \
+ node->_f.colour = C_BLACK; \
+} \
+ \
+_t * \
+_n##_rb_delete(struct _n##_rb_head *head, _t *node) \
+{ \
+ _t *child, *parent, *old = node, *left; \
+ rbcolour_t color; \
+ \
+ if (node->_f.left == &_n##_rb_zero) { \
+ child = node->_f.right; \
+ } else if (node->_f.right == &_n##_rb_zero) { \
+ child = node->_f.left; \
+ } else { \
+ node = node->_f.right; \
+ while ((left = node->_f.left) != &_n##_rb_zero) \
+ node = left; \
+ child = node->_f.right; \
+ parent = node->_f.parent; \
+ color = node->_f.colour; \
+ if (child != &_n##_rb_zero) \
+ child->_f.parent = parent; \
+ if (parent != &_n##_rb_zero) { \
+ if (parent->_f.left == node) \
+ parent->_f.left = child; \
+ else \
+ parent->_f.right = child; \
+ } else { \
+ head->top._f.right = child; \
+ } \
+ if (node->_f.parent == old) \
+ parent = node; \
+ *node = *old; \
+ if (old->_f.parent != &_n##_rb_zero) { \
+ if (old->_f.parent->_f.left == old) \
+ old->_f.parent->_f.left = node; \
+ else \
+ old->_f.parent->_f.right = node; \
+ } else { \
+ head->top._f.right = child; \
+ } \
+ old->_f.left->_f.parent = node; \
+ if (old->_f.right != &_n##_rb_zero) \
+ old->_f.right->_f.parent = node; \
+ if (parent != &_n##_rb_zero) { \
+ left = parent; \
+ } \
+ goto colour; \
+ } \
+ parent = node->_f.parent; \
+ color= node->_f.colour; \
+ if (child != &_n##_rb_zero) \
+ child->_f.parent = parent; \
+ if (parent != &_n##_rb_zero) { \
+ if (parent->_f.left == node) \
+ parent->_f.left = child; \
+ else \
+ parent->_f.right = child; \
+ } else { \
+ head->top._f.right = child; \
+ } \
+colour: \
+ if (color == C_BLACK) \
+ deleteblack(head, parent, node); \
+ head->count--; \
+ return old; \
+} \
+ \
+void \
+_n##_rb_init(struct _n##_rb_head *head) \
+{ \
+ memset(head, 0, sizeof(*head)); \
+ memset(&_n##_rb_zero, 0, sizeof(_n##_rb_zero)); \
+ head->top._f.left = &_n##_rb_zero; \
+ head->top._f.right = &_n##_rb_zero; \
+ head->top._f.parent = &head->top; \
+ _n##_rb_zero._f.left = &_n##_rb_zero; \
+ _n##_rb_zero._f.right = &_n##_rb_zero; \
+ _n##_rb_zero._f.parent = &_n##_rb_zero; \
+} \
+ \
+void \
+_n##_rb_walktree(struct _n##_rb_head *head, _n##_rb_walker_t func, void *arg)\
+{ \
+ _t *prev; \
+ _t *next; \
+ _t *node = head->top._f.right; \
+ _t *base; \
+ \
+ while (node != &_n##_rb_zero) \
+ node = node->_f.left; \
+ \
+ for (;;) { \
+ base = node; \
+ prev = node; \
+ while ((node->_f.parent->_f.right == node) && \
+ (node != &_n##_rb_zero)) { \
+ prev = node; \
+ node = node->_f.parent; \
+ } \
+ \
+ node = prev; \
+ for (node = node->_f.parent->_f.right; node != &_n##_rb_zero;\
+ node = node->_f.left) \
+ prev = node; \
+ next = prev; \
+ \
+ if (node != &_n##_rb_zero) \
+ func(node, arg); \
+ \
+ node = next; \
+ if (node == &_n##_rb_zero) \
+ break; \
+ } \
+} \
+ \
+_t * \
+_n##_rb_search(struct _n##_rb_head *head, void *key) \
+{ \
+ int match; \
+ _t *node; \
+ node = head->top._f.right; \
+ while (node != &_n##_rb_zero) { \
+ match = _cmp(key, node); \
+ if (match == 0) \
+ break; \
+ if (match< 0) \
+ node = node->_f.left; \
+ else \
+ node = node->_f.right; \
+ } \
+ if (node == &_n##_rb_zero || match != 0) \
+ return (NULL); \
+ return (node); \
+}
+
+#define RBI_DELETE(_n, _h, _v) _n##_rb_delete(_h, _v)
+#define RBI_FIELD(_n) struct _n##_rb_link
+#define RBI_INIT(_n, _h) _n##_rb_init(_h)
+#define RBI_INSERT(_n, _h, _v) _n##_rb_insert(_h, _v)
+#define RBI_ISEMPTY(_h) ((_h)->count == 0)
+#define RBI_SEARCH(_n, _h, _k) _n##_rb_search(_h, _k)
+#define RBI_WALK(_n, _h, _w, _a) _n##_rb_walktree(_h, _w, _a)
+#define RBI_ZERO(_n) _n##_rb_zero
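Review bot: In `_n##_rb_delete`, the two-child branch does `*node = *old;`, which copies the whole element (key and payload included) over the successor rather than only its link field, so the successor's own contents appear to be lost while the removed element's contents stay in the tree; `node->_f = old->_f;` would move just the links and colour. The same function then calls `deleteblack(head, parent, node)` with the node that was unlinked rather than with `child`, which is worth checking against a reference red-black implementation. `_n##_rb_walktree` opens with `while (node != &_n##_rb_zero) node = node->_f.left;`, a loop that can only exit with `node` equal to the sentinel, so as far as can be traced from this hunk `func` is never called. Finally, `rotate_left`, `rotate_right` and `deleteblack` are not prefixed with `_n##`, so a second `RBI_CODE` expansion in one translation unit would redefine them, and `_n##_rb_zero` is used but never declared here, a requirement on the includer that deserves a comment above `RBI_CODE`.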
diff --git a/contrib/ipfilter/iplang/.cvsignore b/contrib/ipfilter/iplang/.cvsignore
deleted file mode 100644
index 68b5b4e..0000000
--- a/contrib/ipfilter/iplang/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-y.tab.h
-y.output
-lex.yy.c
-y.tab.c
-y.tab.o
-lex.yy.o
-iplang_y.output
-iplang_y.tab.c
-iplang_y.tab.h
diff --git a/contrib/ipfilter/iplang/Makefile b/contrib/ipfilter/iplang/Makefile
index 1d66bb6..5b53e9a 100644
--- a/contrib/ipfilter/iplang/Makefile
+++ b/contrib/ipfilter/iplang/Makefile
@@ -3,21 +3,20 @@
#
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
-CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend
all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
- $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
+ $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
- $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
+ $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
iplang_y.o: iplang_y.c
- $(CC) $(CCARGS) $< -o $@
+ $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
iplang_l.o: iplang_l.c
- $(CC) $(CCARGS) $< -o $@
+ $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
lex iplang_l.l
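Review bot: The same include and flag list is now spelled out in four recipe lines, where the removed `CCARGS` kept it in one place, so the copies can drift. The two `$(DESTDIR)` rules already differ from the other two by `-I$(DESTDIR)`. A single variable would keep them aligned, for example `IPLANG_INC=-I. -I.. -I../ipsend` with `$(CC) $(DEBUG) $(IPLANG_INC) $(CFLAGS) $(LINUX) -c $< -o $@` in the plain rules. The old `-I$(DESTDIR)/..` search path is also dropped without comment; if that is intended, a one-line remark in the Makefile would say so. The `iplang_l.c` rule continues outside the hunk.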
diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h
index 2b2d1db..63cc078 100644
--- a/contrib/ipfilter/iplang/iplang.h
+++ b/contrib/ipfilter/iplang/iplang.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
diff --git a/contrib/ipfilter/iplang/iplang.tst b/contrib/ipfilter/iplang/iplang.tst
index a0a2ad3..841c3ae 100644
--- a/contrib/ipfilter/iplang/iplang.tst
+++ b/contrib/ipfilter/iplang/iplang.tst
@@ -4,7 +4,7 @@ interface { ifname le0; mtu 1500; } ;
ipv4 {
src 1.1.1.1; dst 2.2.2.2;
tcp {
- seq 12345; ack 0; sport 9999; dport 23; flags S;
+ seq 12345; ack 0; sport 9999; dport 23; flags S;
data { value "abcdef"; } ;
} ;
} ;
diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l
index f356d0f..029a417 100644
--- a/contrib/ipfilter/iplang/iplang_l.l
+++ b/contrib/ipfilter/iplang/iplang_l.l
@@ -2,11 +2,11 @@
%{
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: iplang_l.l,v 2.8 2003/07/28 01:15:31 darrenr Exp $
+ * $Id$
*/
#include <stdio.h>
#include <string.h>
diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y
index 773f27f..98c8f1a 100644
--- a/contrib/ipfilter/iplang/iplang_y.y
+++ b/contrib/ipfilter/iplang/iplang_y.y
@@ -2,7 +2,7 @@
%{
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -26,17 +26,13 @@
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
+#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef linux
# include <netinet/ip_var.h>
-#endif
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#ifndef linux
+# include <net/route.h>
# include <netinet/if_ether.h>
#endif
#include <netdb.h>
@@ -605,7 +601,7 @@ struct statetoopt tosecopts[] = {
#ifdef bsdi
struct ether_addr *
ether_aton(s)
- char *s;
+ char *s;
{
static struct ether_addr n;
u_int i[6];
@@ -1330,7 +1326,7 @@ void packet_done()
sprintf((char *)t, " ");
t += 8;
for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
s--;
}
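Review bot: `isprint(*s)` here and in the matching loop of the next hunk (`@@ -1348,7 +1344,7 @@`) is only defined for arguments in the `unsigned char` range or EOF, and these loops walk packet bytes, which can be above 0x7f. If `s` is declared as plain `char *` (its declaration is outside both hunks), a negative value reaches `isprint`, which is undefined behaviour and on some libcs an out-of-bounds table read; the removed `ISPRINT` macro presumably applied the cast itself. I would make the conversion explicit at both sites, `*t++ = (isprint((unsigned char)*s) ? *s : '.');`, and confirm that `<ctype.h>` is included, since the include list is not visible here. `packet_done()` starts and ends outside the hunk.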
@@ -1348,7 +1344,7 @@ void packet_done()
t += 7;
s -= j & 0xf;
for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
*t++ = '\n';
*t = '\0';
}
@@ -1840,7 +1836,7 @@ u_long init;
{
u_long sum = init;
int nwords = len >> 1;
-
+
for(; nwords > 0; nwords--)
sum += *buf++;
sum = (sum>>16) + (sum & 0xffff);
@@ -1855,7 +1851,7 @@ u_int len;
{
u_long sum = 0;
int nwords = len >> 1;
-
+
for(; nwords > 0; nwords--)
sum += *buf++;
return sum;
diff --git a/contrib/ipfilter/ipmon.h b/contrib/ipfilter/ipmon.h
index afee1f4..b469cc8 100644
--- a/contrib/ipfilter/ipmon.h
+++ b/contrib/ipfilter/ipmon.h
@@ -1,22 +1,63 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $
+ * $Id$
*/
+typedef struct ipmon_msg_s {
+ int imm_msglen;
+ char *imm_msg;
+ int imm_dsize;
+ void *imm_data;
+ time_t imm_when;
+ int imm_loglevel;
+} ipmon_msg_t;
-typedef struct ipmon_action {
+typedef void (*ims_destroy_func_t)(void *);
+typedef void *(*ims_dup_func_t)(void *);
+typedef int (*ims_match_func_t)(void *, void *);
+typedef void *(*ims_parse_func_t)(char **);
+typedef void (*ims_print_func_t)(void *);
+typedef int (*ims_store_func_t)(void *, ipmon_msg_t *);
+
+typedef struct ipmon_saver_s {
+ char *ims_name;
+ ims_destroy_func_t ims_destroy;
+ ims_dup_func_t ims_dup;
+ ims_match_func_t ims_match;
+ ims_parse_func_t ims_parse;
+ ims_print_func_t ims_print;
+ ims_store_func_t ims_store;
+} ipmon_saver_t;
+
+typedef struct ipmon_saver_int_s {
+ struct ipmon_saver_int_s *imsi_next;
+ ipmon_saver_t *imsi_stor;
+ void *imsi_handle;
+} ipmon_saver_int_t;
+
+typedef struct ipmon_doing_s {
+ struct ipmon_doing_s *ipmd_next;
+ void *ipmd_token;
+ ipmon_saver_t *ipmd_saver;
+ /*
+ * ipmd_store is "cached" in this structure to avoid a double
+ * deref when doing saves....
+ */
+ int (*ipmd_store)(void *, ipmon_msg_t *);
+} ipmon_doing_t;
+
+
+typedef struct ipmon_action {
struct ipmon_action *ac_next;
int ac_mflag; /* collection of things to compare */
int ac_dflag; /* flags to compliment the doing fields */
- int ac_syslog; /* = 1 to syslog rules. */
- char *ac_savefile; /* filename to save log records to */
- FILE *ac_savefp;
+ int ac_logpri;
int ac_direction;
char ac_group[FR_GROUPLEN];
char ac_nattag[16];
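Review bot: The new `ipmon_msg_t` and `ipmon_saver_t` declarations carry no comments, so the contract a saver must follow is not stated anywhere in this hunk. `imm_msglen` and `imm_dsize` are signed `int` lengths paired with `imm_msg` and `imm_data`, and a store callback that copies by those lengths needs to know they are never negative and who owns the buffers. I would add a block comment above `ipmon_msg_t` stating, for each pointer, which length bounds it and whether the callee may keep the pointer after `ims_store` returns, and a line above `ipmon_saver_t` saying which of the six callbacks may be NULL. The existing comment on `ipmd_store` could also state the invariant, e.g. `/* always equal to ipmd_saver->ims_store; set once when the entry is created */` (presumably by `add_doing`; confirm). `struct ipmon_action` continues past the end of this hunk.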
@@ -28,19 +69,21 @@ typedef struct ipmon_action {
int ac_second;
int ac_result;
u_32_t ac_sip;
- u_32_t ac_smsk;
+ u_32_t ac_smsk;
u_32_t ac_dip;
- u_32_t ac_dmsk;
+ u_32_t ac_dmsk;
u_short ac_sport;
u_short ac_dport;
- char *ac_exec; /* execute argument */
- char *ac_run; /* actual command that gets run */
char *ac_iface;
/*
* used with ac_packet/ac_second
*/
struct timeval ac_last;
int ac_pktcnt;
+ /*
+ * What to do with matches
+ */
+ ipmon_doing_t *ac_doing;
} ipmon_action_t;
#define ac_lastsec ac_last.tv_sec
@@ -70,19 +113,18 @@ typedef struct ipmon_action {
#define IPMR_NOMATCH 3
#define IPMR_LOG 4
-#define IPMDO_SAVERAW 0x0001
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
+#define IPMON_SYSLOG 0x001
+#define IPMON_RESOLVE 0x002
+#define IPMON_HEXBODY 0x004
+#define IPMON_HEXHDR 0x010
+#define IPMON_TAIL 0x020
+#define IPMON_VERBOSE 0x040
+#define IPMON_NAT 0x080
+#define IPMON_STATE 0x100
+#define IPMON_FILTER 0x200
+#define IPMON_PORTNUM 0x400
+#define IPMON_LOGALL (IPMON_NAT|IPMON_STATE|IPMON_FILTER)
+#define IPMON_LOGBODY 0x800
#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
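Review bot: The `OPT_*` to `IPMON_*` change is not a pure rename: the verbose flag moves from `0x008` (`OPT_VERBOSE`) to `0x040` (`IPMON_VERBOSE`), leaving `0x008` unassigned, and nothing in the hunk records that. Code that still tests the old bit value would silently change meaning, so the gap deserves a comment such as `/* 0x008 intentionally unused (was OPT_VERBOSE) */` after the `IPMON_HEXBODY` line. `IPMDO_SAVERAW` is removed in the same hunk; whether any user of it remains cannot be told from here.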
@@ -90,8 +132,11 @@ typedef struct ipmon_action {
#define LOGFAC LOG_LOCAL0
#endif
+extern void dump_config __P((void));
extern int load_config __P((char *));
+extern void unload_config __P((void));
extern void dumphex __P((FILE *, int, char *, int));
extern int check_action __P((char *, char *, int, int));
extern char *getword __P((int));
-extern int fac_findname __P((char *));
+extern void *add_doing __P((ipmon_saver_t *));
+
diff --git a/contrib/ipfilter/ipsd/Makefile b/contrib/ipfilter/ipsd/Makefile
index 0f3ce08..d5dde8e 100644
--- a/contrib/ipfilter/ipsd/Makefile
+++ b/contrib/ipfilter/ipsd/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c
index ad3dfe2..ce51c1b 100644
--- a/contrib/ipfilter/ipsd/ipsd.c
+++ b/contrib/ipfilter/ipsd/ipsd.c
@@ -34,7 +34,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.2 2001/06/09 17:09:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
extern char *optarg;
@@ -66,7 +66,7 @@ int writes = 0;
int ipcmp(sh1, sh2)
-sdhit_t *sh1, *sh2;
+ sdhit_t *sh1, *sh2;
{
return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
}
@@ -77,9 +77,9 @@ sdhit_t *sh1, *sh2;
* port.
*/
int findhit(ihp, src, dport)
-ipsd_t *ihp;
-struct in_addr src;
-u_short dport;
+ ipsd_t *ihp;
+ struct in_addr src;
+ u_short dport;
{
int i, j, k;
sdhit_t *sh;
@@ -110,8 +110,8 @@ u_short dport;
* interested in.
*/
int detect(ip, tcp)
-ip_t *ip;
-tcphdr_t *tcp;
+ ip_t *ip;
+ tcphdr_t *tcp;
{
ipsd_t *ihp;
sdhit_t *sh;
@@ -179,7 +179,7 @@ waiter()
* Write statistics out to a file
*/
writestats(nwrites)
-int nwrites;
+ int nwrites;
{
ipsd_t **ipsd, *ips;
char fname[32];
@@ -219,7 +219,7 @@ void writenow()
void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [-d device]\n", prog);
exit(1);
@@ -227,7 +227,7 @@ char *prog;
void detecthits(fd, writecount)
-int fd, writecount;
+ int fd, writecount;
{
struct in_addr ip;
int hits = 0;
@@ -243,8 +243,8 @@ int fd, writecount;
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
char *name = argv[0], *dev = NULL;
int fd, writeafter = 10000, angelic = 0, c;
diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c
index 5a90706..e1c0c0a 100644
--- a/contrib/ipfilter/ipsd/ipsdr.c
+++ b/contrib/ipfilter/ipsd/ipsdr.c
@@ -35,7 +35,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.2 2001/06/09 17:09:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
extern char *optarg;
@@ -57,21 +57,21 @@ int pkts;
int ipcmp(sh1, sh2)
-sdhit_t *sh1, *sh2;
+ sdhit_t *sh1, *sh2;
{
return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
}
int ssipcmp(sh1, sh2)
-ipss_t *sh1, *sh2;
+ ipss_t *sh1, *sh2;
{
return sh1->ss_ip.s_addr - sh2->ss_ip.s_addr;
}
int countpbits(num)
-u_long num;
+ u_long num;
{
int i, j;
@@ -87,9 +87,9 @@ u_long num;
* port.
*/
int findhit(ihp, src, dport)
-ipsd_t *ihp;
-struct in_addr src;
-u_short dport;
+ ipsd_t *ihp;
+ struct in_addr src;
+ u_short dport;
{
int i, j, k;
sdhit_t *sh;
@@ -120,9 +120,9 @@ u_short dport;
* interested in.
*/
int detect(srcip, dport, date)
-struct in_addr srcip;
-u_short dport;
-time_t date;
+ struct in_addr srcip;
+ u_short dport;
+ time_t date;
{
ipsd_t *ihp;
sdhit_t *sh;
@@ -181,7 +181,7 @@ setuphits()
* Write statistics out to a file
*/
addfile(file)
-char *file;
+ char *file;
{
ipsd_t ipsd, *ips = &ipsd;
sdhit_t hit, *hp;
@@ -209,7 +209,7 @@ char *file;
readfiles(dir)
-char *dir;
+ char *dir;
{
struct direct **d;
int i, j;
@@ -226,8 +226,8 @@ char *dir;
void printreport(ss, num)
-ipss_t *ss;
-int num;
+ ipss_t *ss;
+ int num;
{
struct in_addr ip;
ipss_t *sp;
@@ -301,8 +301,8 @@ collectips()
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
char c, *name = argv[0], *dir = NULL;
int fd;
diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h
index 88eb67a..f00ea53 100644
--- a/contrib/ipfilter/ipsd/linux.h
+++ b/contrib/ipfilter/ipsd/linux.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c
index a724ba5..74ba197 100644
--- a/contrib/ipfilter/ipsd/sbpf.c
+++ b/contrib/ipfilter/ipsd/sbpf.c
@@ -68,7 +68,7 @@ static u_int bufsize = 32768, timeout = 1;
int ack_recv(ep)
-char *ep;
+ char *ep;
{
struct tcpiphdr tip;
tcphdr_t *tcp;
@@ -89,8 +89,8 @@ char *ep;
int readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
+ int fd, port;
+ struct in_addr dst;
{
register u_char *bp, *cp, *bufend;
register struct bpf_hdr *bh;
@@ -119,8 +119,8 @@ struct in_addr dst;
}
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct bpf_program prog;
struct bpf_version bv;
diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c
index b7515f1..00c197b 100644
--- a/contrib/ipfilter/ipsd/sdlpi.c
+++ b/contrib/ipfilter/ipsd/sdlpi.c
@@ -60,7 +60,7 @@ void nullbell()
int ack_recv(ep)
-char *ep;
+ char *ep;
{
struct tcpiphdr tip;
tcphdr_t *tcp;
@@ -80,8 +80,8 @@ char *ep;
int readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
+ int fd, port;
+ struct in_addr dst;
{
static u_char buf[BUFSPACE];
register u_char *bp, *cp, *bufend;
@@ -145,8 +145,8 @@ struct in_addr dst;
}
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct strioctl si;
struct timeval to;
diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c
index c084795..95ad8e5 100644
--- a/contrib/ipfilter/ipsd/slinux.c
+++ b/contrib/ipfilter/ipsd/slinux.c
@@ -43,7 +43,7 @@ static char *eth_dev = NULL;
int ack_recv(bp)
-char *bp;
+ char *bp;
{
struct tcpip tip;
tcphdr_t *tcp;
@@ -61,8 +61,8 @@ char *bp;
void readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
+ int fd, port;
+ struct in_addr dst;
{
static u_char buf[BUFSPACE];
struct sockaddr dest;
@@ -102,8 +102,8 @@ struct in_addr dst;
}
int initdevice(dev, tout)
-char *dev;
-int tout;
+ char *dev;
+ int tout;
{
int fd;
diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c
index 0d5a52a..855afd5 100644
--- a/contrib/ipfilter/ipsd/snit.c
+++ b/contrib/ipfilter/ipsd/snit.c
@@ -55,7 +55,7 @@ static int timeout;
int ack_recv(ep)
-char *ep;
+ char *ep;
{
struct tcpiphdr tip;
struct tcphdr *tcp;
@@ -74,8 +74,8 @@ char *ep;
int readloop(fd, dst)
-int fd;
-struct in_addr dst;
+ int fd;
+ struct in_addr dst;
{
static u_char buf[BUFSPACE];
register u_char *bp, *cp, *bufend;
@@ -114,8 +114,8 @@ struct in_addr dst;
}
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct strioctl si;
struct timeval to;
diff --git a/contrib/ipfilter/ipsend/.cvsignore b/contrib/ipfilter/ipsend/.cvsignore
deleted file mode 100644
index b7aea24..0000000
--- a/contrib/ipfilter/ipsend/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-ipsend
-ipresend
-iptest
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c
index 3fbafcc..9033ab9 100644
--- a/contrib/ipfilter/ipsend/44arp.c
+++ b/contrib/ipfilter/ipsend/44arp.c
@@ -13,9 +13,6 @@
#endif
#include <net/if_dl.h>
#include <net/if_types.h>
-#if defined(__FreeBSD__)
-# include "radix_ipf.h"
-#endif
#ifndef __osf__
# include <net/route.h>
#endif
@@ -44,7 +41,7 @@
* (4 bytes)
*/
int resolve(host, address)
-char *host, *address;
+ char *host, *address;
{
struct hostent *hp;
u_long add;
@@ -66,7 +63,7 @@ char *host, *address;
int arp(addr, eaddr)
-char *addr, *eaddr;
+ char *addr, *eaddr;
{
int mib[6];
size_t needed;
diff --git a/contrib/ipfilter/ipsend/Makefile b/contrib/ipfilter/ipsend/Makefile
index ed3a51e..34485ef 100644
--- a/contrib/ipfilter/ipsend/Makefile
+++ b/contrib/ipfilter/ipsend/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
diff --git a/contrib/ipfilter/ipsend/README b/contrib/ipfilter/ipsend/README
deleted file mode 100644
index 198556d..0000000
--- a/contrib/ipfilter/ipsend/README
+++ /dev/null
@@ -1,8 +0,0 @@
-
-This distribution contains *ONLY* the code required to build the 'ipsend'
-directory of programs (including man pages) found in the IP Filter package:
-http://coombs.anu.edu.au/~avalon/ip-filter.html
-
-Patches, bugs, etc, please send to:
-
-darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
index 8670bda..58a1523 100644
--- a/contrib/ipfilter/ipsend/arp.c
+++ b/contrib/ipfilter/ipsend/arp.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.2 2007/02/17 12:41:50 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/socket.h>
@@ -17,9 +17,6 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.2 2007/02/17 12:41:50 darren
#include <sys/ioctl.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#include <netinet/if_ether.h>
#ifndef ultrix
@@ -42,7 +39,7 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.2 2007/02/17 12:41:50 darren
* (4 bytes)
*/
int resolve(host, address)
-char *host, *address;
+ char *host, *address;
{
struct hostent *hp;
u_long add;
@@ -68,8 +65,8 @@ char *host, *address;
* some BSD program, I cant remember which.
*/
int arp(ip, ether)
-char *ip;
-char *ether;
+ char *ip;
+ char *ether;
{
static int sfd = -1;
static char ethersave[6], ipsave[4];
diff --git a/contrib/ipfilter/ipsend/dlcommon.c b/contrib/ipfilter/ipsend/dlcommon.c
index c6b6e8a..55bc942 100644
--- a/contrib/ipfilter/ipsend/dlcommon.c
+++ b/contrib/ipfilter/ipsend/dlcommon.c
@@ -32,18 +32,18 @@ typedef unsigned long ulong;
#define CASERET(s) case s: return ("s")
-char *dlprim();
-char *dlstate();
-char *dlerrno();
-char *dlpromisclevel();
-char *dlservicemode();
-char *dlstyle();
-char *dlmactype();
+ char *dlprim();
+ char *dlstate();
+ char *dlerrno();
+ char *dlpromisclevel();
+ char *dlservicemode();
+ char *dlstyle();
+ char *dlmactype();
void
dlinforeq(fd)
-int fd;
+ int fd;
{
dl_info_req_t info_req;
struct strbuf ctl;
@@ -63,8 +63,8 @@ int fd;
void
dlinfoack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -92,8 +92,8 @@ char *bufp;
void
dlattachreq(fd, ppa)
-int fd;
-u_long ppa;
+ int fd;
+ u_long ppa;
{
dl_attach_req_t attach_req;
struct strbuf ctl;
@@ -114,9 +114,9 @@ u_long ppa;
void
dlenabmultireq(fd, addr, length)
-int fd;
-char *addr;
-int length;
+ int fd;
+ char *addr;
+ int length;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -143,9 +143,9 @@ int length;
void
dldisabmultireq(fd, addr, length)
-int fd;
-char *addr;
-int length;
+ int fd;
+ char *addr;
+ int length;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -172,8 +172,8 @@ int length;
void
dlpromisconreq(fd, level)
-int fd;
-u_long level;
+ int fd;
+ u_long level;
{
dl_promiscon_req_t promiscon_req;
struct strbuf ctl;
@@ -195,8 +195,8 @@ u_long level;
void
dlpromiscoff(fd, level)
-int fd;
-u_long level;
+ int fd;
+ u_long level;
{
dl_promiscoff_req_t promiscoff_req;
struct strbuf ctl;
@@ -217,8 +217,8 @@ u_long level;
void
dlphysaddrreq(fd, addrtype)
-int fd;
-u_long addrtype;
+ int fd;
+ u_long addrtype;
{
dl_phys_addr_req_t phys_addr_req;
struct strbuf ctl;
@@ -239,9 +239,9 @@ u_long addrtype;
void
dlsetphysaddrreq(fd, addr, length)
-int fd;
-char *addr;
-int length;
+ int fd;
+ char *addr;
+ int length;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -268,7 +268,7 @@ int length;
void
dldetachreq(fd)
-int fd;
+ int fd;
{
dl_detach_req_t detach_req;
struct strbuf ctl;
@@ -288,12 +288,12 @@ int fd;
void
dlbindreq(fd, sap, max_conind, service_mode, conn_mgmt, xidtest)
-int fd;
-u_long sap;
-u_long max_conind;
-u_long service_mode;
-u_long conn_mgmt;
-u_long xidtest;
+ int fd;
+ u_long sap;
+ u_long max_conind;
+ u_long service_mode;
+ u_long conn_mgmt;
+ u_long xidtest;
{
dl_bind_req_t bind_req;
struct strbuf ctl;
@@ -318,12 +318,12 @@ u_long xidtest;
void
dlunitdatareq(fd, addrp, addrlen, minpri, maxpri, datap, datalen)
-int fd;
-u_char *addrp;
-int addrlen;
-u_long minpri, maxpri;
-u_char *datap;
-int datalen;
+ int fd;
+ u_char *addrp;
+ int addrlen;
+ u_long minpri, maxpri;
+ u_char *datap;
+ int datalen;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -353,7 +353,7 @@ int datalen;
void
dlunbindreq(fd)
-int fd;
+ int fd;
{
dl_unbind_req_t unbind_req;
struct strbuf ctl;
@@ -373,8 +373,8 @@ int fd;
void
dlokack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -402,8 +402,8 @@ char *bufp;
void
dlerrorack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -431,8 +431,8 @@ char *bufp;
void
dlbindack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -457,8 +457,8 @@ char *bufp;
void
dlphysaddrack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -488,10 +488,10 @@ sigalrm()
}
strgetmsg(fd, ctlp, datap, flagsp, caller)
-int fd;
-struct strbuf *ctlp, *datap;
-int *flagsp;
-char *caller;
+ int fd;
+ struct strbuf *ctlp, *datap;
+ int *flagsp;
+ char *caller;
{
int rc;
static char errmsg[80];
@@ -540,8 +540,8 @@ char *caller;
}
expecting(prim, dlp)
-int prim;
-union DL_primitives *dlp;
+ int prim;
+ union DL_primitives *dlp;
{
if (dlp->dl_primitive != (u_long)prim) {
printdlprim(dlp);
@@ -555,7 +555,7 @@ union DL_primitives *dlp;
* Print any DLPI msg in human readable format.
*/
printdlprim(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
switch (dlp->dl_primitive) {
case DL_INFO_REQ:
@@ -659,13 +659,13 @@ union DL_primitives *dlp;
/* ARGSUSED */
printdlinforeq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_INFO_REQ\n");
}
printdlinfoack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
u_char brdcst[MAXDLADDR];
@@ -702,21 +702,21 @@ union DL_primitives *dlp;
}
printdlattachreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_ATTACH_REQ: ppa %d\n",
dlp->attach_req.dl_ppa);
}
printdlokack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_OK_ACK: correct_primitive %s\n",
dlprim(dlp->ok_ack.dl_correct_primitive));
}
printdlerrorack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_ERROR_ACK: error_primitive %s errno %s unix_errno %d: %s\n",
dlprim(dlp->error_ack.dl_error_primitive),
@@ -726,7 +726,7 @@ union DL_primitives *dlp;
}
printdlenabmultireq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -740,7 +740,7 @@ union DL_primitives *dlp;
}
printdldisabmultireq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -754,28 +754,28 @@ union DL_primitives *dlp;
}
printdlpromisconreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_PROMISCON_REQ: level %s\n",
dlpromisclevel(dlp->promiscon_req.dl_level));
}
printdlpromiscoffreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_PROMISCOFF_REQ: level %s\n",
dlpromisclevel(dlp->promiscoff_req.dl_level));
}
printdlphysaddrreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_PHYS_ADDR_REQ: addr_type 0x%x\n",
dlp->physaddr_req.dl_addr_type);
}
printdlphysaddrack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -789,7 +789,7 @@ union DL_primitives *dlp;
}
printdlsetphysaddrreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -804,13 +804,13 @@ union DL_primitives *dlp;
/* ARGSUSED */
printdldetachreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_DETACH_REQ\n");
}
printdlbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_BIND_REQ: sap %d max_conind %d\n",
dlp->bind_req.dl_sap,
@@ -822,7 +822,7 @@ union DL_primitives *dlp;
}
printdlbindack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -841,13 +841,13 @@ union DL_primitives *dlp;
/* ARGSUSED */
printdlunbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_UNBIND_REQ\n");
}
printdlsubsbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char sap[MAXDLADDR];
@@ -861,7 +861,7 @@ union DL_primitives *dlp;
}
printdlsubsbindack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char sap[MAXDLADDR];
@@ -875,7 +875,7 @@ union DL_primitives *dlp;
}
printdlsubsunbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char sap[MAXDLADDR];
@@ -889,7 +889,7 @@ union DL_primitives *dlp;
}
printdlunitdatareq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -906,7 +906,7 @@ union DL_primitives *dlp;
}
printdlunitdataind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -929,7 +929,7 @@ union DL_primitives *dlp;
}
printdluderrorind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -946,7 +946,7 @@ union DL_primitives *dlp;
}
printdltestreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -961,7 +961,7 @@ union DL_primitives *dlp;
}
printdltestind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -983,7 +983,7 @@ union DL_primitives *dlp;
}
printdltestres(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
@@ -998,7 +998,7 @@ union DL_primitives *dlp;
}
printdltestcon(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -1020,7 +1020,7 @@ union DL_primitives *dlp;
}
printdlxidreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
@@ -1035,7 +1035,7 @@ union DL_primitives *dlp;
}
printdlxidind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -1057,7 +1057,7 @@ union DL_primitives *dlp;
}
printdlxidres(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
@@ -1072,7 +1072,7 @@ union DL_primitives *dlp;
}
printdlxidcon(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -1094,7 +1094,7 @@ union DL_primitives *dlp;
}
printdludqosreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_UDQOS_REQ: qos_length %d qos_offset %d\n",
dlp->udqos_req.dl_qos_length,
@@ -1105,9 +1105,9 @@ union DL_primitives *dlp;
* Return string.
*/
addrtostring(addr, length, s)
-u_char *addr;
-u_long length;
-u_char *s;
+ u_char *addr;
+ u_long length;
+ u_char *s;
{
int i;
@@ -1123,8 +1123,8 @@ u_char *s;
* Return length
*/
stringtoaddr(sp, addr)
-char *sp;
-char *addr;
+ char *sp;
+ char *addr;
{
int n = 0;
char *p;
@@ -1140,14 +1140,14 @@ char *addr;
n++;
p = NULL;
}
-
+
return (n);
}
static char
hexnibble(c)
-char c;
+ char c;
{
static char hextab[] = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
@@ -1159,7 +1159,7 @@ char c;
char*
dlprim(prim)
-u_long prim;
+ u_long prim;
{
static char primbuf[80];
@@ -1200,7 +1200,7 @@ u_long prim;
char*
dlstate(state)
-u_long state;
+ u_long state;
{
static char statebuf[80];
@@ -1234,7 +1234,7 @@ u_long state;
char*
dlerrno(errno)
-u_long errno;
+ u_long errno;
{
static char errnobuf[80];
@@ -1276,7 +1276,7 @@ u_long errno;
char*
dlpromisclevel(level)
-u_long level;
+ u_long level;
{
static char levelbuf[80];
@@ -1292,7 +1292,7 @@ u_long level;
char*
dlservicemode(servicemode)
-u_long servicemode;
+ u_long servicemode;
{
static char servicemodebuf[80];
@@ -1309,7 +1309,7 @@ u_long servicemode;
char*
dlstyle(style)
-long style;
+ long style;
{
static char stylebuf[80];
@@ -1324,7 +1324,7 @@ long style;
char*
dlmactype(media)
-u_long media;
+ u_long media;
{
static char mediabuf[80];
@@ -1345,8 +1345,8 @@ u_long media;
/*VARARGS1*/
err(fmt, a1, a2, a3, a4)
-char *fmt;
-char *a1, *a2, *a3, *a4;
+ char *fmt;
+ char *a1, *a2, *a3, *a4;
{
(void) fprintf(stderr, fmt, a1, a2, a3, a4);
(void) fprintf(stderr, "\n");
@@ -1354,18 +1354,18 @@ char *a1, *a2, *a3, *a4;
}
syserr(s)
-char *s;
+ char *s;
{
(void) perror(s);
exit(1);
}
strioctl(fd, cmd, timout, len, dp)
-int fd;
-int cmd;
-int timout;
-int len;
-char *dp;
+ int fd;
+ int cmd;
+ int timout;
+ int len;
+ char *dp;
{
struct strioctl sioc;
int rc;
diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c
deleted file mode 100644
index 9cc7299..0000000
--- a/contrib/ipfilter/ipsend/hpux.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * (C)opyright 1997-1998 Darren Reed. (from tcplog)
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- int fd;
-
- if ((fd = socket(AF_DLI, SOCK_RAW, 0)) == -1)
- perror("socket");
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- if (send(fd, pkt, len, 0) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
-
-
-char *strdup(str)
-char *str;
-{
- char *s;
-
- if ((s = (char *)malloc(strlen(str) + 1)))
- return strcpy(s, str);
- return NULL;
-}
-/*
- * (C)opyright 1997 Darren Reed. (from tcplog)
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- int fd;
-
- if ((fd = socket(AF_DLI, SOCK_RAW, 0)) == -1)
- perror("socket");
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- if (send(fd, pkt, len, 0) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
-
-
-char *strdup(str)
-char *str;
-{
- char *s;
-
- if ((s = (char *)malloc(strlen(str) + 1)))
- return strcpy(s, str);
- return NULL;
-}
diff --git a/contrib/ipfilter/ipsend/in_var.h b/contrib/ipfilter/ipsend/in_var.h
deleted file mode 100644
index 3523f77..0000000
--- a/contrib/ipfilter/ipsend/in_var.h
+++ /dev/null
@@ -1,179 +0,0 @@
-/* $FreeBSD$ */
-
-/* @(#)in_var.h 1.3 88/08/19 SMI; from UCB 7.1 6/5/86 */
-
-/*
- * Copyright (c) 1985, 1986 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-/*
- * Interface address, Internet version. One of these structures
- * is allocated for each interface with an Internet address.
- * The ifaddr structure contains the protocol-independent part
- * of the structure and is assumed to be first.
- */
-
-#ifndef _netinet_in_var_h
-#define _netinet_in_var_h
-
-struct in_ifaddr {
- struct ifaddr ia_ifa; /* protocol-independent info */
-#define ia_addr ia_ifa.ifa_addr
-#define ia_broadaddr ia_ifa.ifa_broadaddr
-#define ia_dstaddr ia_ifa.ifa_dstaddr
-#define ia_ifp ia_ifa.ifa_ifp
- u_long ia_net; /* network number of interface */
- u_long ia_netmask; /* mask of net part */
- u_long ia_subnet; /* subnet number, including net */
- u_long ia_subnetmask; /* mask of net + subnet */
- struct in_addr ia_netbroadcast; /* broadcast addr for (logical) net */
- int ia_flags;
- struct in_ifaddr *ia_next; /* next in list of internet addresses */
- struct in_multi *ia_multiaddrs;/* list of multicast addresses */
-};
-/*
- * Given a pointer to an in_ifaddr (ifaddr),
- * return a pointer to the addr as a sockadd_in.
- */
-#define IA_SIN(ia) ((struct sockaddr_in *)(&((struct in_ifaddr *)ia)->ia_addr))
-/*
- * ia_flags
- */
-#define IFA_ROUTE 0x01 /* routing entry installed */
-
-#ifdef KERNEL
-struct in_ifaddr *in_ifaddr;
-struct in_ifaddr *in_iaonnetof();
-struct ifqueue ipintrq; /* ip packet input queue */
-#endif
-
-#ifdef KERNEL
-/*
- * Macro for finding the interface (ifnet structure) corresponding to one
- * of our IP addresses.
- */
-#define INADDR_TO_IFP(addr, ifp) \
- /* struct in_addr addr; */ \
- /* struct ifnet *ifp; */ \
-{ \
- register struct in_ifaddr *ia; \
- \
- for (ia = in_ifaddr; \
- ia != NULL && IA_SIN(ia)->sin_addr.s_addr != (addr).s_addr; \
- ia = ia->ia_next); \
- (ifp) = (ia == NULL) ? NULL : ia->ia_ifp; \
-}
-
-/*
- * Macro for finding the internet address structure (in_ifaddr) corresponding
- * to a given interface (ifnet structure).
- */
-#define IFP_TO_IA(ifp, ia) \
- /* struct ifnet *ifp; */ \
- /* struct in_ifaddr *ia; */ \
-{ \
- for ((ia) = in_ifaddr; \
- (ia) != NULL && (ia)->ia_ifp != (ifp); \
- (ia) = (ia)->ia_next); \
-}
-#endif /* KERNEL */
-
-/*
- * Per-interface router version information is kept in this list.
- * This information should be part of the ifnet structure but we don't wish
- * to change that - as it might break a number of things
- */
-
-struct router_info {
- struct ifnet *ifp;
- int type; /* type of router which is querier on this interface */
- int time; /* # of slow timeouts since last old query */
- struct router_info *next;
-};
-
-/*
- * Internet multicast address structure. There is one of these for each IP
- * multicast group to which this host belongs on a given network interface.
- * They are kept in a linked list, rooted in the interface's in_ifaddr
- * structure.
- */
-
-struct in_multi {
- struct in_addr inm_addr; /* IP multicast address */
- struct ifnet *inm_ifp; /* back pointer to ifnet */
- struct in_ifaddr *inm_ia; /* back pointer to in_ifaddr */
- u_int inm_refcount;/* no. membership claims by sockets */
- u_int inm_timer; /* IGMP membership report timer */
- struct in_multi *inm_next; /* ptr to next multicast address */
- u_int inm_state; /* state of the membership */
- struct router_info *inm_rti; /* router info*/
-};
-
-#ifdef KERNEL
-/*
- * Structure used by macros below to remember position when stepping through
- * all of the in_multi records.
- */
-struct in_multistep {
- struct in_ifaddr *i_ia;
- struct in_multi *i_inm;
-};
-
-/*
- * Macro for looking up the in_multi record for a given IP multicast address
- * on a given interface. If no matching record is found, "inm" returns NULL.
- */
-#define IN_LOOKUP_MULTI(addr, ifp, inm) \
- /* struct in_addr addr; */ \
- /* struct ifnet *ifp; */ \
- /* struct in_multi *inm; */ \
-{ \
- register struct in_ifaddr *ia; \
- \
- IFP_TO_IA((ifp), ia); \
- if (ia == NULL) \
- (inm) = NULL; \
- else \
- for ((inm) = ia->ia_multiaddrs; \
- (inm) != NULL && (inm)->inm_addr.s_addr != (addr).s_addr; \
- (inm) = inm->inm_next); \
-}
-
-/*
- * Macro to step through all of the in_multi records, one at a time.
- * The current position is remembered in "step", which the caller must
- * provide. IN_FIRST_MULTI(), below, must be called to initialize "step"
- * and get the first record. Both macros return a NULL "inm" when there
- * are no remaining records.
- */
-#define IN_NEXT_MULTI(step, inm) \
- /* struct in_multistep step; */ \
- /* struct in_multi *inm; */ \
-{ \
- if (((inm) = (step).i_inm) != NULL) { \
- (step).i_inm = (inm)->inm_next; \
- } \
- else while ((step).i_ia != NULL) { \
- (inm) = (step).i_ia->ia_multiaddrs; \
- (step).i_ia = (step).i_ia->ia_next; \
- if ((inm) != NULL) { \
- (step).i_inm = (inm)->inm_next; \
- break; \
- } \
- } \
-}
-
-#define IN_FIRST_MULTI(step, inm) \
- /* struct in_multistep step; */ \
- /* struct in_multi *inm; */ \
-{ \
- (step).i_ia = in_ifaddr; \
- (step).i_inm = NULL; \
- IN_NEXT_MULTI((step), (inm)); \
-}
-
-struct in_multi *in_addmulti();
-#endif /* KERNEL */
-#endif /*!_netinet_in_var_h*/
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index 26a7a89..74d164b 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -7,20 +7,18 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/param.h>
#ifndef linux
+# include <net/route.h>
# include <netinet/if_ether.h>
# include <netinet/ip_var.h>
# if __FreeBSD_version >= 300000
@@ -39,8 +37,8 @@ static char *ipbuf = NULL, *ethbuf = NULL;
u_short chksum(buf,len)
-u_short *buf;
-int len;
+ u_short *buf;
+ int len;
{
u_long sum = 0;
int nwords = len >> 1;
@@ -54,9 +52,9 @@ int len;
int send_ether(nfd, buf, len, gwip)
-int nfd, len;
-char *buf;
-struct in_addr gwip;
+ int nfd, len;
+ char *buf;
+ struct in_addr gwip;
{
static struct in_addr last_gw;
static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
@@ -89,10 +87,10 @@ struct in_addr gwip;
/*
*/
int send_ip(nfd, mtu, ip, gwip, frag)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-int frag;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int frag;
{
static struct in_addr last_gw, local_ip;
static char local_arp[6] = { 0, 0, 0, 0, 0, 0};
@@ -250,9 +248,9 @@ int frag;
* send a tcp packet.
*/
int send_tcp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
static tcp_seq iss = 2;
tcphdr_t *t, *t2;
@@ -303,9 +301,9 @@ struct in_addr gwip;
* send a udp packet.
*/
int send_udp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
struct tcpiphdr *ti;
int thlen;
@@ -335,9 +333,9 @@ struct in_addr gwip;
* send an icmp packet.
*/
int send_icmp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
struct icmp *ic;
@@ -351,9 +349,9 @@ struct in_addr gwip;
int send_packet(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
switch (ip->ip_p)
{
diff --git a/contrib/ipfilter/ipsend/ip_var.h b/contrib/ipfilter/ipsend/ip_var.h
deleted file mode 100644
index ab9813e..0000000
--- a/contrib/ipfilter/ipsend/ip_var.h
+++ /dev/null
@@ -1,125 +0,0 @@
-/* $FreeBSD$ */
-
-/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */
-
-/*
- * Copyright (c) 1982, 1986 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-/*
- * Overlay for ip header used by other protocols (tcp, udp).
- */
-
-#ifndef _netinet_ip_var_h
-#define _netinet_ip_var_h
-
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-
-/*
- * Ip reassembly queue structure. Each fragment
- * being reassembled is attached to one of these structures.
- * They are timed out after ipq_ttl drops to 0, and may also
- * be reclaimed if memory becomes tight.
- */
-struct ipq {
- struct ipq *next,*prev; /* to other reass headers */
- u_char ipq_ttl; /* time for reass q to live */
- u_char ipq_p; /* protocol of this fragment */
- u_short ipq_id; /* sequence id for reassembly */
- struct ipasfrag *ipq_next,*ipq_prev;
- /* to ip headers of fragments */
- struct in_addr ipq_src,ipq_dst;
-};
-
-/*
- * Ip header, when holding a fragment.
- *
- * Note: ipf_next must be at same offset as ipq_next above
- */
-struct ipasfrag {
-#if defined(vax) || defined(i386)
- u_char ip_hl:4,
- ip_v:4;
-#endif
-#if defined(mc68000) || defined(sparc)
- u_char ip_v:4,
- ip_hl:4;
-#endif
- u_char ipf_mff; /* copied from (ip_off&IP_MF) */
- short ip_len;
- u_short ip_id;
- short ip_off;
- u_char ip_ttl;
- u_char ip_p;
- u_short ip_sum;
- struct ipasfrag *ipf_next; /* next fragment */
- struct ipasfrag *ipf_prev; /* previous fragment */
-};
-
-/*
- * Structure stored in mbuf in inpcb.ip_options
- * and passed to ip_output when ip options are in use.
- * The actual length of the options (including ipopt_dst)
- * is in m_len.
- */
-#define MAX_IPOPTLEN 40
-
-struct ipoption {
- struct in_addr ipopt_dst; /* first-hop dst if source routed */
- char ipopt_list[MAX_IPOPTLEN]; /* options proper */
-};
-
-/*
- * Structure stored in an mbuf attached to inpcb.ip_moptions and
- * passed to ip_output when IP multicast options are in use.
- */
-struct ip_moptions {
- struct ifnet *imo_multicast_ifp; /* ifp for outgoing multicasts */
- u_char imo_multicast_ttl; /* TTL for outgoing multicasts */
- u_char imo_multicast_loop; /* 1 => hear sends if a member */
- u_short imo_num_memberships;/* no. memberships this socket */
- struct in_multi *imo_membership[IP_MAX_MEMBERSHIPS];
-#ifdef RSVP_ISI
- long imo_multicast_vif; /* vif for outgoing multicasts */
-#endif /* RSVP_ISI */
-};
-
-struct ipstat {
- long ips_total; /* total packets received */
- long ips_badsum; /* checksum bad */
- long ips_tooshort; /* packet too short */
- long ips_toosmall; /* not enough data */
- long ips_badhlen; /* ip header length < data size */
- long ips_badlen; /* ip length < ip header length */
- long ips_fragments; /* fragments received */
- long ips_fragdropped; /* frags dropped (dups, out of space) */
- long ips_fragtimeout; /* fragments timed out */
- long ips_forward; /* packets forwarded */
- long ips_cantforward; /* packets rcvd for unreachable dest */
- long ips_redirectsent; /* packets forwarded on same net */
-};
-
-#ifdef KERNEL
-/* flags passed to ip_output as last parameter */
-#define IP_FORWARDING 0x1 /* most of ip header exists */
-#define IP_MULTICASTOPTS 0x2 /* multicast opts present */
-#define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */
-#define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */
-
-struct ipstat ipstat;
-struct ipq ipq; /* ip reass. queue */
-u_short ip_id; /* ip packet ctr, for ids */
-
-struct mbuf *ip_srcroute();
-#endif
-
-#endif /*!_netinet_ip_var_h*/
diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c
index 050aecf..7520a0e 100644
--- a/contrib/ipfilter/ipsend/ipresend.c
+++ b/contrib/ipfilter/ipsend/ipresend.c
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -32,7 +32,7 @@ static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darre
extern char *optarg;
extern int optind;
#ifndef NO_IPF
-extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext;
+extern struct ipread pcap, iphex, iptext;
#endif
int opts = 0;
@@ -68,7 +68,7 @@ int main __P((int, char **));
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\
\t\t-r filename\tsnoop data file to resend\n\
@@ -83,8 +83,8 @@ char *prog;
int main(argc, argv)
-int argc;
-char **argv;
+ int argc;
+ char **argv;
{
struct in_addr gwip;
struct ipread *ipr = NULL;
@@ -115,21 +115,12 @@ char **argv;
opts |= OPT_RAW;
break;
#ifndef NO_IPF
- case 'E' :
- ipr = &etherf;
- break;
case 'H' :
ipr = &iphex;
break;
case 'P' :
ipr = &pcap;
break;
- case 'S' :
- ipr = &snoop;
- break;
- case 'T' :
- ipr = &tcpd;
- break;
case 'X' :
ipr = &iptext;
break;
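Review bot: The usage text shown in the earlier ipresend.c hunk still describes `-r filename` as a "snoop data file to resend", although this hunk removes the `-S`, `-E` and `-T` cases and the `snoop`, `etherf` and `tcpd` readers behind them. The help line should name a format the tool can still read, for example `\t\t-r filename\tdata file to resend\n\`. The `getopt` option string is outside the hunk; if it still lists `E`, `S` and `T`, drop them there too so the removed flags are rejected as unknown options rather than accepted and ignored.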
diff --git a/contrib/ipfilter/ipsend/ipsend.5 b/contrib/ipfilter/ipsend/ipsend.5
index cd5842c..fc86911 100644
--- a/contrib/ipfilter/ipsend/ipsend.5
+++ b/contrib/ipfilter/ipsend/ipsend.5
@@ -123,7 +123,7 @@ be adjusted to accommodate data or further protocol headers.
sets the fragment offset field of the IP packet. Default is 0.
.TP
.B ttl <number>
-sets the time to live (TTL) field of the IP header. Default is 60.
+sets the time to live (TTL) field of the IP header. Default is 60.
.TP
.B proto <protocol>
sets the protocol field of the IP header. The protocol can either be a
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 06191ec..3df5c07 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -67,7 +67,7 @@ int main __P((int, char **));
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [options] dest [flags]\n\
\toptions:\n\
@@ -96,8 +96,8 @@ char *prog;
static void do_icmp(ip, args)
-ip_t *ip;
-char *args;
+ ip_t *ip;
+ char *args;
{
struct icmp *ic;
char *s;
@@ -147,10 +147,10 @@ char *args;
int send_packets(dev, mtu, ip, gwip)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
int wfd;
@@ -193,8 +193,8 @@ udpcksum(ip_t *ip, struct udphdr *udp, int len)
}
int main(argc, argv)
-int argc;
-char **argv;
+ int argc;
+ char **argv;
{
FILE *langfile = NULL;
struct in_addr gwip;
diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h
index 91cfa6c..75a0496 100644
--- a/contrib/ipfilter/ipsend/ipsend.h
+++ b/contrib/ipfilter/ipsend/ipsend.h
@@ -29,7 +29,9 @@
#ifdef linux
#include <linux/sockios.h>
#endif
-#include "tcpip.h"
+/* XXX: The following is needed by tcpip.h */
+#include <netinet/ip_var.h>
+#include "netinet/tcpip.h"
#include "ipt.h"
extern int resolve __P((char *, char *));
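Review bot: The added `#include <netinet/ip_var.h>` is unconditional, while the same header is wrapped in `#if !defined(linux)` in the iptests.c hunk of this commit, and ipsend.h has its own `#ifdef linux` block directly above. If the Linux build is still meant to work, the include probably needs the same guard: `#if !defined(linux)`, `# include <netinet/ip_var.h>`, `#endif`. The `XXX` comment would be more useful if it named the declaration that tcpip.h needs from ip_var.h, so the workaround can be removed once that dependency is gone.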
diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c
index 10f132e..a2cc4d0 100644
--- a/contrib/ipfilter/ipsend/ipsopt.c
+++ b/contrib/ipfilter/ipsend/ipsopt.c
@@ -1,14 +1,14 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.4.4.1 2004/03/23 12:58:05 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -62,7 +62,7 @@ struct ipopt_names secnames[] = {
u_short ipseclevel(slevel)
-char *slevel;
+ char *slevel;
{
struct ipopt_names *so;
@@ -79,10 +79,10 @@ char *slevel;
int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
+ char *op;
+ struct ipopt_names *io;
+ int len;
+ char *class;
{
struct in_addr ipadr;
int olen = len, srr = 0;
@@ -150,8 +150,8 @@ char *class;
u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
+ char *cp, *op;
+ int len;
{
struct ipopt_names *io;
u_32_t msk = 0;
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
index cc2ceb8..c6cfb1c 100644
--- a/contrib/ipfilter/ipsend/iptest.c
+++ b/contrib/ipfilter/ipsend/iptest.c
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptest.c,v 2.6 2004/01/08 13:34:31 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -63,7 +63,7 @@ int main __P((int, char **));
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [options] dest\n\
\toptions:\n\
@@ -85,8 +85,8 @@ char *prog;
int main(argc, argv)
-int argc;
-char **argv;
+ int argc;
+ char **argv;
{
struct tcpiphdr *ti;
struct in_addr gwip;
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 22ef71f..0ca02db 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -1,14 +1,14 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.9 2007/09/13 07:19:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -22,7 +22,7 @@ typedef int boolean_t;
#endif
#include <sys/time.h>
#if !defined(__osf__)
-# ifdef __NetBSD__
+# ifdef __NetBSD__
# include <machine/lock.h>
# include <machine/mutex.h>
# endif
@@ -52,8 +52,9 @@ typedef int boolean_t;
#endif
#if defined(solaris)
# include <sys/stream.h>
+#else
+# include <sys/socketvar.h>
#endif
-#include <sys/socketvar.h>
#ifdef sun
#include <sys/systm.h>
#include <sys/session.h>
@@ -68,9 +69,6 @@ typedef int boolean_t;
#ifdef __hpux
# define _NET_ROUTE_INCLUDED
#endif
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#if defined(linux) && (LINUX >= 0200)
# include <asm/atomic.h>
@@ -79,7 +77,9 @@ typedef int boolean_t;
# if defined(__FreeBSD__)
# include "radix_ipf.h"
# endif
-# include <net/route.h>
+# if !defined(solaris)
+# include <net/route.h>
+# endif
#else
# define __KERNEL__ /* because there's a macro not wrapped by this */
# include <net/route.h> /* in this file :-/ */
@@ -87,12 +87,6 @@ typedef int boolean_t;
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-# if !defined(__hpux)
-# include <netinet/in_pcb.h>
-# endif
-#endif
#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
# include <sys/sysmacros.h>
#endif
@@ -103,6 +97,12 @@ typedef int boolean_t;
#ifdef __hpux
# undef _NET_ROUTE_INCLUDED
#endif
+#if !defined(linux)
+# include <netinet/ip_var.h>
+# if !defined(__hpux) && !defined(solaris)
+# include <netinet/in_pcb.h>
+# endif
+#endif
#include "ipsend.h"
#if !defined(linux) && !defined(__hpux)
# include <netinet/tcp_timer.h>
@@ -123,11 +123,11 @@ typedef int boolean_t;
void ip_test1(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -474,11 +474,11 @@ int ptest;
void ip_test2(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -570,11 +570,11 @@ int ptest;
* test 3 (ICMP)
*/
void ip_test3(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 };
static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 };
@@ -771,11 +771,11 @@ int ptest;
/* Perform test 4 (UDP) */
void ip_test4(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -936,11 +936,11 @@ int ptest;
/* Perform test 5 (TCP) */
void ip_test5(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -1286,11 +1286,11 @@ skip_five_and_six:
/* Perform test 6 (exhaust mbuf test) */
void ip_test6(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -1368,11 +1368,11 @@ int ptest;
static u_long tbuf[64];
void ip_test7(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
ip_t *pip;
#ifdef USE_NANOSLEEP
diff --git a/contrib/ipfilter/ipsend/larp.c b/contrib/ipfilter/ipsend/larp.c
index ccb70cc..5b79f73 100644
--- a/contrib/ipfilter/ipsend/larp.c
+++ b/contrib/ipfilter/ipsend/larp.c
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: larp.c,v 2.4 2003/12/01 02:01:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -30,7 +30,7 @@ static const char rcsid[] = "@(#)$Id: larp.c,v 2.4 2003/12/01 02:01:16 darrenr E
* (4 bytes)
*/
int resolve(host, address)
-char *host, *address;
+ char *host, *address;
{
struct hostent *hp;
u_long add;
@@ -56,8 +56,8 @@ char *host, *address;
* some BSD program, I cant remember which.
*/
int arp(ip, ether)
-char *ip;
-char *ether;
+ char *ip;
+ char *ether;
{
static int s = -1;
struct arpreq ar;
diff --git a/contrib/ipfilter/ipsend/linux.h b/contrib/ipfilter/ipsend/linux.h
index a36d1bf..e738f3b 100644
--- a/contrib/ipfilter/ipsend/linux.h
+++ b/contrib/ipfilter/ipsend/linux.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c
index a76bbbb..5cf2bf7 100644
--- a/contrib/ipfilter/ipsend/lsock.c
+++ b/contrib/ipfilter/ipsend/lsock.c
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <stdio.h>
#include <unistd.h>
@@ -66,9 +66,9 @@ struct task_struct *proc;
#endif
int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
+ char *buf;
+ void *pos;
+ int n;
{
static int kfd = -1;
@@ -150,8 +150,8 @@ struct task_struct *getproc()
struct sock *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
+ int fd;
+ struct tcpiphdr *ti;
{
struct sock *s;
struct inode *i;
@@ -189,10 +189,10 @@ struct tcpiphdr *ti;
}
int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
+ char *dev;
+ int mtu;
+ struct tcpiphdr *ti;
+ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct sock *s, sk;
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
index b988e9b..d113af3 100644
--- a/contrib/ipfilter/ipsend/resend.c
+++ b/contrib/ipfilter/ipsend/resend.c
@@ -8,15 +8,12 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.3 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
@@ -38,12 +35,11 @@ static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.3 2007/02/17 12:41:51 dar
extern int opts;
-static u_char pbuf[65536]; /* 1 big packet */
-void printpacket __P((ip_t *));
+void dumppacket __P((ip_t *));
-void printpacket(ip)
-ip_t *ip;
+void dumppacket(ip)
+ ip_t *ip;
{
tcphdr_t *t;
int i, j;
@@ -73,16 +69,17 @@ ip_t *ip;
int ip_resend(dev, mtu, r, gwip, datain)
-char *dev;
-int mtu;
-struct in_addr gwip;
-struct ipread *r;
-char *datain;
+ char *dev;
+ int mtu;
+ struct in_addr gwip;
+ struct ipread *r;
+ char *datain;
{
ether_header_t *eh;
char dhost[6];
ip_t *ip;
int fd, wfd = initdevice(dev, 5), len, i;
+ mb_t mb;
if (wfd == -1)
return -1;
@@ -95,7 +92,7 @@ char *datain;
if (fd < 0)
exit(-1);
- ip = (struct ip *)pbuf;
+ ip = (struct ip *)mb.mb_buf;
eh = (ether_header_t *)malloc(sizeof(*eh));
if(!eh)
{
@@ -111,7 +108,7 @@ char *datain;
return -2;
}
- while ((i = (*r->r_readip)((char *)pbuf, sizeof(pbuf), NULL, NULL)) > 0)
+ while ((i = (*r->r_readip)(&mb, NULL, NULL)) > 0)
{
if (!(opts & OPT_RAW)) {
len = ntohs(ip->ip_len);
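Review bot: `len = ntohs(ip->ip_len)` is taken from the record just read and becomes the copy length for `bcopy(ip, (char *)(eh + 1), len)` in the next hunk, but nothing visible compares it with `i`, the count returned by `r_readip`, or with the size of `mb.mb_buf`. The removed `pbuf` was 65536 bytes, so any 16-bit length stayed inside the source buffer. `mb_t` is defined outside this diff, and if `mb_buf` is smaller, an input file carrying a large `ip_len` makes the copy read past the stack object declared in the `@@ -73,16 +69,17 @@` hunk. A guard right after the assignment, such as `if (len > i || (size_t)len > sizeof(mb.mb_buf)) continue;`, would bound it (the `sizeof` form assumes `mb_buf` is an array member). The loop body continues outside the hunk, so a check between the two hunks cannot be ruled out.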
@@ -131,9 +128,9 @@ char *datain;
IP_HL(ip) << 2);
bcopy(ip, (char *)(eh + 1), len);
len += sizeof(*eh);
- printpacket(ip);
+ dumppacket(ip);
} else {
- eh = (ether_header_t *)pbuf;
+ eh = (ether_header_t *)mb.mb_buf;
len = i;
}
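Review bot: In the raw branch, `eh = (ether_header_t *)mb.mb_buf;` overwrites the pointer obtained from `malloc(sizeof(*eh))` earlier in ip_resend, so that allocation becomes unreachable. `eh` also now points into a stack object rather than the old static `pbuf`. The end of the function is outside the hunk; if it calls `free(eh)`, it would pass a stack address to the allocator. Keeping the heap pointer in `eh` and using a second variable for the frame to send, e.g. `ether_header_t *frame = eh;` with `frame = (ether_header_t *)mb.mb_buf;` in this branch, keeps ownership clear.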
diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c
index 2b356b6..fcb66bc 100644
--- a/contrib/ipfilter/ipsend/sbpf.c
+++ b/contrib/ipfilter/ipsend/sbpf.c
@@ -26,7 +26,8 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#include <netinet/ip_var.h>
+#include <netinet/udp.h>
+#include <netinet/tcp.h>
#include <stdio.h>
#include <netdb.h>
@@ -44,7 +45,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
/*
@@ -55,8 +56,8 @@ static int bufsize = 0, timeout = 1;
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct bpf_version bv;
struct timeval to;
@@ -139,9 +140,9 @@ int tout;
* output an IP packet onto a fd opened for /dev/bpf
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
+ int fd, len;
+ char *pkt;
+{
if (write(fd, pkt, len) == -1)
{
perror("send");
diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c
index f48fd06..1aee2e4 100644
--- a/contrib/ipfilter/ipsend/sdlpi.c
+++ b/contrib/ipfilter/ipsend/sdlpi.c
@@ -27,7 +27,6 @@
#endif
#ifdef __osf__
# include <sys/dlpihdr.h>
-# include "radix_ipf_local.h"
#else
# include <sys/dlpi.h>
#endif
@@ -49,7 +48,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#define CHUNKSIZE 8192
@@ -61,8 +60,8 @@ static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.2 2007/02/17 12:41:51 darr
* interface are included in the header size.
*/
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
char devname[16], *s, buf[256];
int i, fd;
@@ -136,9 +135,9 @@ int tout;
* output an IP packet onto a fd opened for /dev/nit
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
+ int fd, len;
+ char *pkt;
+{
struct strbuf dbuf, *dp = &dbuf, *cp = NULL;
int pri = 0;
#ifdef DL_HP_RAWDLS
diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c
index 5057c4f..3b565b1 100644
--- a/contrib/ipfilter/ipsend/sirix.c
+++ b/contrib/ipfilter/ipsend/sirix.c
@@ -60,7 +60,7 @@ int initdevice(char *device, int tout)
* output an IP packet
*/
int sendip(int fd, char *pkt, int len)
-{
+{
struct sockaddr_raw sr;
int srlen = sizeof(sr);
struct ifreq ifr;
diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c
index 7e37b30..7405d5e 100644
--- a/contrib/ipfilter/ipsend/slinux.c
+++ b/contrib/ipfilter/ipsend/slinux.c
@@ -30,7 +30,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
-static const char rcsid[] = "@(#)$Id: slinux.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#define CHUNKSIZE 8192
@@ -46,8 +46,8 @@ static char *eth_dev = NULL;
int initdevice(dev, spare)
-char *dev;
-int spare;
+ char *dev;
+ int spare;
{
int fd;
@@ -66,8 +66,8 @@ int spare;
* output an IP packet onto a fd opened for /dev/nit
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
+ int fd, len;
+ char *pkt;
{
struct sockaddr s;
struct ifreq ifr;
diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c
index 0ef7e54..0d75b4e 100644
--- a/contrib/ipfilter/ipsend/snit.c
+++ b/contrib/ipfilter/ipsend/snit.c
@@ -41,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: snit.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#define CHUNKSIZE 8192
@@ -58,8 +58,8 @@ static int timeout;
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct strioctl si;
struct timeval to;
@@ -115,9 +115,9 @@ int tout;
* output an IP packet onto a fd opened for /dev/nit
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
+ int fd, len;
+ char *pkt;
+{
struct sockaddr sk, *sa = &sk;
struct strbuf cbuf, *cp = &cbuf, dbuf, *dp = &dbuf;
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index dcff6eb..6d0f3db 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.7 2007/09/13 07:19:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -30,9 +30,8 @@ typedef int boolean_t;
# include <sys/dir.h>
#endif
#if !defined(__osf__)
-# ifdef __NetBSD__
+# ifdef __NetBSD__
# include <machine/lock.h>
-# include <machine/mutex.h>
# endif
# ifdef __FreeBSD__
# define _WANT_FILE
@@ -75,9 +74,6 @@ typedef int boolean_t;
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
-#if defined(__FreeBSD__)
-# include "radix_ipf.h"
-#endif
#ifndef __osf__
# include <net/route.h>
#endif
@@ -123,9 +119,9 @@ static struct kinfo_proc *getproc __P((void));
int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
+ char *buf;
+ void *pos;
+ int n;
{
static int kfd = -1;
off_t offset = (u_long)pos;
@@ -203,8 +199,8 @@ static struct proc *getproc()
struct tcpcb *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
+ int fd;
+ struct tcpiphdr *ti;
{
struct tcpcb *t;
struct inpcb *i;
@@ -294,8 +290,8 @@ static struct kinfo_proc *getproc()
struct tcpcb *find_tcp(tfd, ti)
-int tfd;
-struct tcpiphdr *ti;
+ int tfd;
+ struct tcpiphdr *ti;
{
struct tcpcb *t;
struct inpcb *i;
@@ -390,10 +386,10 @@ finderror:
#endif /* BSD < 199301 */
int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
+ char *dev;
+ int mtu;
+ struct tcpiphdr *ti;
+ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct tcpcb *t, tcb;
diff --git a/contrib/ipfilter/ipsend/tcpip.h b/contrib/ipfilter/ipsend/tcpip.h
deleted file mode 100644
index 3417893..0000000
--- a/contrib/ipfilter/ipsend/tcpip.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (c) 1982, 1986, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)tcpip.h 8.1 (Berkeley) 6/10/93
- * $Id: tcpip.h,v 2.2.2.3 2004/05/26 15:45:48 darrenr Exp $
- */
-
-#ifndef _NETINET_TCPIP_H_
-#define _NETINET_TCPIP_H_
-
-# if defined(linux) && !defined(LINUX_IPOVLY)
-# define LINUX_IPOVLY
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-# endif
-
-/*
- * Tcp+ip header, after ip options removed.
- */
-struct tcpiphdr {
- struct ipovly ti_i; /* overlaid ip structure */
- struct tcphdr ti_t; /* tcp header */
-};
-
-#ifdef notyet
-/*
- * Tcp+ip header, after ip options removed but including TCP options.
- */
-struct full_tcpiphdr {
- struct ipovly ti_i; /* overlaid ip structure */
- struct tcphdr ti_t; /* tcp header */
- char ti_o[TCP_MAXOLEN]; /* space for tcp options */
-};
-#endif /* notyet */
-#define ti_next ti_i.ih_next
-#define ti_prev ti_i.ih_prev
-#define ti_x1 ti_i.ih_x1
-#define ti_pr ti_i.ih_pr
-#define ti_len ti_i.ih_len
-#define ti_src ti_i.ih_src
-#define ti_dst ti_i.ih_dst
-#define ti_sport ti_t.th_sport
-#define ti_dport ti_t.th_dport
-#define ti_seq ti_t.th_seq
-#define ti_ack ti_t.th_ack
-#define ti_x2 ti_t.th_x2
-#define ti_off ti_t.th_off
-#define ti_flags ti_t.th_flags
-#define ti_win ti_t.th_win
-#define ti_sum ti_t.th_sum
-#define ti_urp ti_t.th_urp
-
-#endif
diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h
index f3074a8..16d88df 100644
--- a/contrib/ipfilter/ipt.h
+++ b/contrib/ipfilter/ipt.h
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $
+ * $Id$
*/
#ifndef __IPT_H__
@@ -26,15 +26,12 @@
struct ipread {
int (*r_open) __P((char *));
int (*r_close) __P((void));
- int (*r_readip) __P((char *, int, char **, int *));
+ int (*r_readip) __P((mb_t *, char **, int *));
int r_flags;
};
#define R_DO_CKSUM 0x01
-extern void debug __P((char *, ...));
-extern void verbose __P((char *, ...));
-
#ifdef P_DEF
# undef __P
# undef P_DEF
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
index c0864b4..ce6ad56 100644
--- a/contrib/ipfilter/kmem.h
+++ b/contrib/ipfilter/kmem.h
@@ -1,10 +1,10 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 2.5 2002/08/21 22:57:36 darrenr Exp $
+ * $Id$
*/
#ifndef __KMEM_H__
diff --git a/contrib/ipfilter/l4check/Makefile b/contrib/ipfilter/l4check/Makefile
index e2bb9f8..e7366b6 100644
--- a/contrib/ipfilter/l4check/Makefile
+++ b/contrib/ipfilter/l4check/Makefile
@@ -4,7 +4,7 @@
all: l4check
l4check: l4check.c
- $(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@
+ $(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@
clean:
/bin/rm -f l4check
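Review bot: Dropping `-Wall` from the `l4check` rule removes the compiler's help on a file that this same commit changes in ways warnings would normally catch. The later hunks add locals to `writefd()` and `gethostport()` whose use is not visible there, and `int main()` loses its final `exit(1)`. I would keep the flag, `$(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@`, and fix what it reports rather than silencing it.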
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
index fd2753e..014446d 100644
--- a/contrib/ipfilter/l4check/l4check.c
+++ b/contrib/ipfilter/l4check/l4check.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * (C)Copyright March, 2000 - Darren Reed.
+ * (C)Copyright (C) 2012 by Darren Reed.
*/
#include <sys/types.h>
#include <sys/stat.h>
@@ -27,7 +27,6 @@
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
-#include "ipl.h"
#include "ipf.h"
@@ -68,7 +67,7 @@ int opts = 0;
char *copystr(dst, src)
-char *dst, *src;
+ char *dst, *src;
{
register char *s, *t, c;
register int esc = 0;
@@ -97,44 +96,29 @@ char *dst, *src;
}
void addnat(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
-
ipnat_t *ipn = &l4->l4_nat;
- printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4),
+ printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]),
ipn->in_outmsk, ntohs(ipn->in_pmin));
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext));
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext));
if (!(opts & OPT_DONOTHING)) {
- ipfobj_t obj;
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipn);
- obj.ipfo_ptr = ipn;
-
- if (ioctl(natfd, SIOCADNAT, &obj) == -1)
+ if (ioctl(natfd, SIOCADNAT, &ipn) == -1)
perror("ioctl(SIOCADNAT)");
}
}
void delnat(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
ipnat_t *ipn = &l4->l4_nat;
printf("Remove NAT rule for %s/%#x,%u -> ",
- inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin);
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext);
+ inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin);
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext);
if (!(opts & OPT_DONOTHING)) {
- ipfobj_t obj;
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipn);
- obj.ipfo_ptr = ipn;
-
if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
perror("ioctl(SIOCRMNAT)");
}
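Review bot: Both `ioctl()` calls in `addnat()` and `delnat()` now pass `&ipn`, the address of the local `ipnat_t *` variable, so the kernel is handed a pointer to a pointer with no version or size information. The removed lines built an `ipfobj_t` carrying `ipfo_rev`, `ipfo_size` and `ipfo_ptr`; if the NAT device this tool is built against still expects that envelope (not visible here), the request will be rejected or misread. I would keep the envelope and call `ioctl(natfd, SIOCADNAT, &obj)` and `ioctl(natfd, SIOCRMNAT, &obj)`, which also means keeping the `#include "ipl.h"` dropped in the earlier hunk if that is where `IPFILTER_VERSION` comes from. Separately, `delnat()` prints `ipn->in_pmin` and `ipn->in_pnext` without the `ntohs()` that `addnat()` applies.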
@@ -142,7 +126,7 @@ l4cfg_t *l4;
void connectl4(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
l4->l4_rw = 1;
l4->l4_rlen = 0;
@@ -156,8 +140,8 @@ l4cfg_t *l4;
void closel4(l4, dead)
-l4cfg_t *l4;
-int dead;
+ l4cfg_t *l4;
+ int dead;
{
close(l4->l4_fd);
l4->l4_fd = -1;
@@ -170,7 +154,7 @@ int dead;
void connectfd(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
if (connect(l4->l4_fd, (struct sockaddr *)&l4->l4_sin,
sizeof(l4->l4_sin)) == -1) {
@@ -192,8 +176,9 @@ l4cfg_t *l4;
void writefd(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
+ char buf[80], *ptr;
int n, i, fd;
fd = l4->l4_fd;
@@ -223,7 +208,7 @@ l4cfg_t *l4;
void readfd(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
char buf[80], *ptr;
int n, i, fd;
@@ -417,14 +402,15 @@ int runconfig()
int gethostport(str, lnum, ipp, portp)
-char *str;
-int lnum;
-u_32_t *ipp;
-u_short *portp;
+ char *str;
+ int lnum;
+ u_32_t *ipp;
+ u_short *portp;
{
struct servent *sp;
struct hostent *hp;
char *host, *port;
+ struct in_addr ip;
host = str;
port = strchr(host, ',');
@@ -467,8 +453,8 @@ u_short *portp;
char *mapfile(file, sizep)
-char *file;
-size_t *sizep;
+ char *file;
+ size_t *sizep;
{
struct stat sb;
caddr_t addr;
@@ -499,7 +485,7 @@ size_t *sizep;
int readconfig(filename)
-char *filename;
+ char *filename;
{
char c, buf[512], *s, *t, *errtxt = NULL, *line;
int num, err = 0;
@@ -569,8 +555,7 @@ char *filename;
break;
}
- strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);
- strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ);
+ strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));
if (!gethostport(t, num, &ipn->in_outip,
&ipn->in_pmin)) {
errtxt = line;
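Review bot: `strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));` leaves `in_ifname` without a terminating NUL when the interface name read from the config file is as long as the field or longer, and the next hunk prints the field with `%s`. Bound the copy to one byte less and terminate explicitly: `strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname) - 1);` followed by `ipn->in_ifname[sizeof(ipn->in_ifname) - 1] = '\0';`. Whether `ipn` is zeroed beforehand is not visible here, since `readconfig()` starts and ends outside the hunk.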
@@ -582,11 +567,11 @@ char *filename;
if (opts & OPT_VERBOSE)
fprintf(stderr,
"Interface %s %s/%#x port %u\n",
- ipn->in_ifnames[0],
- inet_ntoa(ipn->in_out[0].in4),
+ ipn->in_ifname,
+ inet_ntoa(ipn->in_out[0]),
ipn->in_outmsk, ipn->in_pmin);
} else if (!strcasecmp(t, "remote")) {
- if (!*ipn->in_ifnames[0]) {
+ if (!*ipn->in_ifname) {
fprintf(stderr,
"%d: ifname not set prior to remote\n",
num);
@@ -621,7 +606,7 @@ char *filename;
break;
}
bcopy((char *)&template, (char *)l4, sizeof(*l4));
- l4->l4_sin.sin_addr = ipn->in_in[0].in4;
+ l4->l4_sin.sin_addr = ipn->in_in[0];
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_next = l4list;
l4list = l4;
@@ -768,7 +753,7 @@ char *filename;
void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s -f <configfile>\n", prog);
exit(1);
@@ -776,8 +761,8 @@ char *prog;
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
char *config = NULL;
int c;
@@ -808,7 +793,7 @@ char *argv[];
}
if (!(opts & OPT_DONOTHING)) {
- natfd = open(IPNAT_NAME, O_RDWR);
+ natfd = open(IPL_NAT, O_RDWR);
if (natfd == -1) {
perror("open(IPL_NAT)");
exit(1);
@@ -819,6 +804,4 @@ char *argv[];
fprintf(stderr, "Starting...\n");
while (runconfig() == 0)
;
-
- exit(1);
}
diff --git a/contrib/ipfilter/lib/Makefile b/contrib/ipfilter/lib/Makefile
index a838063..fdda78e 100644
--- a/contrib/ipfilter/lib/Makefile
+++ b/contrib/ipfilter/lib/Makefile
@@ -1,27 +1,37 @@
#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-# $Id: Makefile,v 1.41.2.14 2007/09/21 08:30:43 darrenr Exp $
-#
+# Copyright (C) 2012 by Darren Reed.
+#
+# See the IPFILTER.LICENCE file for details on licencing.
+#
+# $Id$
+#
INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/addipopt.o \
$(DEST)/alist_free.o \
$(DEST)/alist_new.o \
+ $(DEST)/allocmbt.o \
+ $(DEST)/assigndefined.o \
$(DEST)/bcopywrap.o \
$(DEST)/binprint.o \
$(DEST)/buildopts.o \
$(DEST)/checkrev.o \
+ $(DEST)/connecttcp.o \
$(DEST)/count6bits.o \
$(DEST)/count4bits.o \
$(DEST)/debug.o \
+ $(DEST)/dupmbt.o \
+ $(DEST)/familyname.o \
$(DEST)/facpri.o \
- $(DEST)/flags.o \
$(DEST)/fill6bits.o \
+ $(DEST)/findword.o \
+ $(DEST)/flags.o \
+ $(DEST)/freembt.o \
+ $(DEST)/ftov.o \
+ $(DEST)/genmask.o \
$(DEST)/gethost.o \
+ $(DEST)/geticmptype.o \
$(DEST)/getifname.o \
$(DEST)/getnattype.o \
$(DEST)/getport.o \
@@ -30,27 +40,30 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/getsumd.o \
$(DEST)/hostname.o \
$(DEST)/icmpcode.o \
- $(DEST)/inet_addr.o \
+ $(DEST)/icmptypename.o \
+ $(DEST)/icmptypes.o \
$(DEST)/initparse.o \
+ $(DEST)/interror.o \
$(DEST)/ionames.o \
- $(DEST)/ipoptsec.o \
$(DEST)/ipf_dotuning.o \
- $(DEST)/ipft_ef.o \
+ $(DEST)/ipf_perror.o \
$(DEST)/ipft_hx.o \
$(DEST)/ipft_pc.o \
- $(DEST)/ipft_sn.o \
- $(DEST)/ipft_td.o \
$(DEST)/ipft_tx.o \
+ $(DEST)/ipoptsec.o \
$(DEST)/kmem.o \
$(DEST)/kmemcpywrap.o \
$(DEST)/kvatoname.o \
$(DEST)/load_file.o \
+ $(DEST)/load_dstlist.o \
+ $(DEST)/load_dstlistnode.o \
$(DEST)/load_hash.o \
$(DEST)/load_hashnode.o \
$(DEST)/load_http.o \
$(DEST)/load_pool.o \
$(DEST)/load_poolnode.o \
$(DEST)/load_url.o \
+ $(DEST)/msgdsize.o \
$(DEST)/mutex_emul.o \
$(DEST)/nametokva.o \
$(DEST)/nat_setgroupmap.o \
@@ -59,46 +72,74 @@ LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/optprint.o \
$(DEST)/optprintv6.o \
$(DEST)/optvalue.o \
+ $(DEST)/parsefields.o \
+ $(DEST)/parseipfexpr.o \
+ $(DEST)/parsewhoisline.o \
+ $(DEST)/poolio.o \
$(DEST)/portname.o \
$(DEST)/print_toif.o \
+ $(DEST)/printactiveaddr.o \
$(DEST)/printactivenat.o \
+ $(DEST)/printaddr.o \
$(DEST)/printaps.o \
$(DEST)/printbuf.o \
+ $(DEST)/printdstlist.o \
+ $(DEST)/printdstlistdata.o \
+ $(DEST)/printdstlistnode.o \
+ $(DEST)/printdstlistpolicy.o \
+ $(DEST)/printdstl_live.o \
+ $(DEST)/printfieldhdr.o \
+ $(DEST)/printfr.o \
+ $(DEST)/printfraginfo.o \
$(DEST)/printhash.o \
$(DEST)/printhashdata.o \
$(DEST)/printhashnode.o \
$(DEST)/printhash_live.o \
+ $(DEST)/printhost.o \
+ $(DEST)/printhostmap.o \
+ $(DEST)/printhostmask.o \
+ $(DEST)/printifname.o \
$(DEST)/printip.o \
+ $(DEST)/printipfexpr.o \
+ $(DEST)/printlog.o \
+ $(DEST)/printlookup.o \
+ $(DEST)/printmask.o \
+ $(DEST)/printnat.o \
+ $(DEST)/printnataddr.o \
+ $(DEST)/printnatfield.o \
+ $(DEST)/printnatside.o \
$(DEST)/printpool.o \
$(DEST)/printpooldata.o \
+ $(DEST)/printpoolfield.o \
$(DEST)/printpoolnode.o \
$(DEST)/printpool_live.o \
$(DEST)/printproto.o \
- $(DEST)/printfr.o \
- $(DEST)/printfraginfo.o \
- $(DEST)/printhostmap.o \
- $(DEST)/printifname.o \
- $(DEST)/printhostmask.o \
- $(DEST)/printlog.o \
- $(DEST)/printmask.o \
- $(DEST)/printnat.o \
$(DEST)/printportcmp.o \
$(DEST)/printpacket.o \
$(DEST)/printpacket6.o \
$(DEST)/printsbuf.o \
$(DEST)/printstate.o \
+ $(DEST)/printstatefields.o \
+ $(DEST)/printtcpflags.o \
$(DEST)/printtqtable.o \
$(DEST)/printtunable.o \
+ $(DEST)/printunit.o \
$(DEST)/remove_hash.o \
$(DEST)/remove_hashnode.o \
$(DEST)/remove_pool.o \
$(DEST)/remove_poolnode.o \
$(DEST)/resetlexer.o \
$(DEST)/rwlock_emul.o \
+ $(DEST)/save_execute.o \
+ $(DEST)/save_file.o \
+ $(DEST)/save_nothing.o \
+ $(DEST)/save_syslog.o \
+ $(DEST)/save_v1trap.o \
+ $(DEST)/save_v2trap.o \
$(DEST)/tcpflags.o \
- $(DEST)/tcp_flags.o \
$(DEST)/var.o \
$(DEST)/verbose.o \
+ $(DEST)/vtof.o \
$(DEST)/v6ionames.o \
$(DEST)/v6optvalue.o
@@ -115,12 +156,18 @@ $(DEST)/alist_free.o: $(LIBSRC)/alist_free.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/alist_free.c -o $@
$(DEST)/alist_new.o: $(LIBSRC)/alist_new.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/alist_new.c -o $@
+$(DEST)/allocmbt.o: $(LIBSRC)/allocmbt.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/allocmbt.c -o $@
+$(DEST)/assigndefined.o: $(LIBSRC)/assigndefined.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/assigndefined.c -o $@
$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/binprint.c -o $@
$(DEST)/buildopts.o: $(LIBSRC)/buildopts.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/buildopts.c -o $@
+$(DEST)/connecttcp.o: $(LIBSRC)/connecttcp.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/connecttcp.c -o $@
$(DEST)/count6bits.o: $(LIBSRC)/count6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/count6bits.c -o $@
$(DEST)/checkrev.o: $(LIBSRC)/checkrev.c $(INCDEP) $(TOP)/ipl.h
@@ -129,17 +176,31 @@ $(DEST)/count4bits.o: $(LIBSRC)/count4bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@
$(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@
+$(DEST)/dupmbt.o: $(LIBSRC)/dupmbt.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/dupmbt.c -o $@
$(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@
+$(DEST)/familyname.o: $(LIBSRC)/familyname.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/familyname.c -o $@
$(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
+$(DEST)/findword.o: $(LIBSRC)/findword.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/findword.c -o $@
$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
+$(DEST)/freembt.o: $(LIBSRC)/freembt.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/freembt.c -o $@
+$(DEST)/ftov.o: $(LIBSRC)/ftov.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/ftov.c -o $@
+$(DEST)/genmask.o: $(LIBSRC)/genmask.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/genmask.c -o $@
$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
+$(DEST)/geticmptype.o: $(LIBSRC)/geticmptype.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/geticmptype.c -o $@
$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getifname.c -o $@
-$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP)
+$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP) $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/getnattype.c -o $@
$(DEST)/getport.o: $(LIBSRC)/getport.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getport.c -o $@
@@ -153,26 +214,26 @@ $(DEST)/hostname.o: $(LIBSRC)/hostname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@
$(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@
+$(DEST)/icmptypename.o: $(LIBSRC)/icmptypename.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/icmptypename.c -o $@
+$(DEST)/icmptypes.o: $(LIBSRC)/icmptypes.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/icmptypes.c -o $@
+$(DEST)/interror.o: $(LIBSRC)/interror.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/interror.c -o $@
$(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipoptsec.c -o $@
-$(DEST)/inet_addr.o: $(LIBSRC)/inet_addr.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/inet_addr.c -o $@
$(DEST)/initparse.o: $(LIBSRC)/initparse.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/initparse.c -o $@
$(DEST)/ionames.o: $(LIBSRC)/ionames.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ionames.c -o $@
$(DEST)/ipf_dotuning.o: $(LIBSRC)/ipf_dotuning.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipf_dotuning.c -o $@
-$(DEST)/ipft_ef.o: $(LIBSRC)/ipft_ef.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_ef.c -o $@
+$(DEST)/ipf_perror.o: $(LIBSRC)/ipf_perror.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/ipf_perror.c -o $@
$(DEST)/ipft_hx.o: $(LIBSRC)/ipft_hx.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_hx.c -o $@
$(DEST)/ipft_pc.o: $(LIBSRC)/ipft_pc.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_pc.c -o $@
-$(DEST)/ipft_sn.o: $(LIBSRC)/ipft_sn.c $(TOP)/snoop.h
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_sn.c -o $@
-$(DEST)/ipft_td.o: $(LIBSRC)/ipft_td.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_td.c -o $@
$(DEST)/ipft_tx.o: $(LIBSRC)/ipft_tx.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_tx.c -o $@
$(DEST)/kmem.o: $(LIBSRC)/kmem.c $(INCDEP)
@@ -183,6 +244,11 @@ $(DEST)/kvatoname.o: $(LIBSRC)/kvatoname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@
$(DEST)/load_file.o: $(LIBSRC)/load_file.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_file.c -o $@
+$(DEST)/load_dstlist.o: $(LIBSRC)/load_dstlist.c $(INCDEP) $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/load_dstlist.c -o $@
+$(DEST)/load_dstlistnode.o: $(LIBSRC)/load_dstlistnode.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/load_dstlistnode.c -o $@
$(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@
$(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h
@@ -195,8 +261,8 @@ $(DEST)/load_poolnode.o: $(LIBSRC)/load_poolnode.c $(INCDEP) $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@
$(DEST)/load_url.o: $(LIBSRC)/load_url.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_url.c -o $@
-$(DEST)/make_range.o: $(LIBSRC)/make_range.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/make_range.c -o $@
+$(DEST)/msgdsize.o: $(LIBSRC)/msgdsize.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/msgdsize.c -o $@
$(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/mutex_emul.c -o $@
$(DEST)/nametokva.o: $(LIBSRC)/nametokva.c $(INCDEP)
@@ -214,35 +280,78 @@ $(DEST)/optprintv6.o: $(LIBSRC)/optprintv6.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optprintv6.c -o $@
$(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
+$(DEST)/parsefields.o: $(LIBSRC)/parsefields.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/parsefields.c -o $@
+$(DEST)/parseipfexpr.o: $(LIBSRC)/parseipfexpr.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/parseipfexpr.c -o $@
+$(DEST)/parsewhoisline.o: $(LIBSRC)/parsewhoisline.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/parsewhoisline.c -o $@
+$(DEST)/poolio.o: $(LIBSRC)/poolio.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/poolio.c -o $@
$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
-$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
+$(DEST)/printactiveaddr.o: $(LIBSRC)/printactiveaddr.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printactiveaddr.c -o $@
+$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP) $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/printactivenat.c -o $@
+$(DEST)/printaddr.o: $(LIBSRC)/printaddr.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printaddr.c -o $@
$(DEST)/printaps.o: $(LIBSRC)/printaps.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printaps.c -o $@
$(DEST)/printbuf.o: $(LIBSRC)/printbuf.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printbuf.c -o $@
+$(DEST)/printdstlist.o: $(LIBSRC)/printdstlist.c $(INCDEP) $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlist.c -o $@
+$(DEST)/printdstlistdata.o: $(LIBSRC)/printdstlistdata.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistdata.c -o $@
+$(DEST)/printdstlistnode.o: $(LIBSRC)/printdstlistnode.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistnode.c -o $@
+$(DEST)/printdstlistpolicy.o: $(LIBSRC)/printdstlistpolicy.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistpolicy.c -o $@
+$(DEST)/printfieldhdr.o: $(LIBSRC)/printfieldhdr.c $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printfieldhdr.c -o $@
$(DEST)/printfr.o: $(LIBSRC)/printfr.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfr.c -o $@
-$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h
+$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_frag.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@
$(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@
-$(DEST)/printhashdata.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
+$(DEST)/printhashdata.o: $(LIBSRC)/printhashdata.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashdata.c -o $@
$(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@
-$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
+$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash_live.c -o $@
+$(DEST)/printdstl_live.o: $(LIBSRC)/printdstl_live.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstl_live.c -o $@
$(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@
+$(DEST)/printipfexpr.o: $(LIBSRC)/printipfexpr.c $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printipfexpr.c -o $@
+$(DEST)/printlookup.o: $(LIBSRC)/printlookup.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printlookup.c -o $@
+$(DEST)/printnataddr.o: $(LIBSRC)/printnataddr.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printnataddr.c -o $@
+$(DEST)/printnatside.o: $(LIBSRC)/printnatside.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printnatside.c -o $@
$(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@
-$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
+$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpooldata.c -o $@
+$(DEST)/printpoolfield.o: $(LIBSRC)/printpoolfield.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_pool.h $(TOP)/ip_lookup.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printpoolfield.c -o $@
$(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@
@@ -251,14 +360,18 @@ $(DEST)/printpool_live.o: $(LIBSRC)/printpool_live.c $(TOP)/ip_fil.h \
$(CC) $(CCARGS) -c $(LIBSRC)/printpool_live.c -o $@
$(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@
+$(DEST)/printhost.o: $(LIBSRC)/printhost.c $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printhost.c -o $@
$(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhostmap.c -o $@
$(DEST)/printifname.o: $(LIBSRC)/printifname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printifname.c -o $@
$(DEST)/printmask.o: $(LIBSRC)/printmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printmask.c -o $@
-$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP)
+$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP) $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/printnat.c -o $@
+$(DEST)/printnatfield.o: $(LIBSRC)/printnatfield.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printnatfield.c -o $@
$(DEST)/printhostmask.o: $(LIBSRC)/printhostmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printhostmask.c -o $@
$(DEST)/printlog.o: $(LIBSRC)/printlog.c $(INCDEP)
@@ -273,10 +386,16 @@ $(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@
$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h
$(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@
+$(DEST)/printstatefields.o: $(LIBSRC)/printstatefields.c $(INCDEP) $(TOP)/ip_state.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printstatefields.c -o $@
+$(DEST)/printtcpflags.o: $(LIBSRC)/printtcpflags.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printtcpflags.c -o $@
$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@
$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@
+$(DEST)/printunit.o: $(LIBSRC)/printunit.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printunit.c -o $@
$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@
@@ -301,6 +420,20 @@ $(DEST)/var.o: $(LIBSRC)/var.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/var.c -o $@
$(DEST)/verbose.o: $(LIBSRC)/verbose.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/verbose.c -o $@
+$(DEST)/save_execute.o: $(LIBSRC)/save_execute.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_execute.c -o $@
+$(DEST)/save_file.o: $(LIBSRC)/save_file.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_file.c -o $@
+$(DEST)/save_nothing.o: $(LIBSRC)/save_nothing.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_nothing.c -o $@
+$(DEST)/save_syslog.o: $(LIBSRC)/save_syslog.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_syslog.c -o $@
+$(DEST)/vtof.o: $(LIBSRC)/vtof.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/vtof.c -o $@
+$(DEST)/save_v1trap.o: $(LIBSRC)/save_v1trap.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_v1trap.c -o $@
+$(DEST)/save_v2trap.o: $(LIBSRC)/save_v2trap.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_v2trap.c -o $@
$(DEST)/v6ionames.o: $(LIBSRC)/v6ionames.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/v6ionames.c -o $@
$(DEST)/v6optvalue.o: $(LIBSRC)/v6optvalue.c $(INCDEP)
diff --git a/contrib/ipfilter/lib/addicmp.c b/contrib/ipfilter/lib/addicmp.c
index ef9abfe..da52f1c 100644
--- a/contrib/ipfilter/lib/addicmp.c
+++ b/contrib/ipfilter/lib/addicmp.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: addicmp.c,v 1.10.2.5 2006/06/16 17:20:55 darrenr Exp $
+ * $Id$
*/
#include <ctype.h>
diff --git a/contrib/ipfilter/lib/addipopt.c b/contrib/ipfilter/lib/addipopt.c
index 79155e7..26aff83 100644
--- a/contrib/ipfilter/lib/addipopt.c
+++ b/contrib/ipfilter/lib/addipopt.c
@@ -1,21 +1,21 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: addipopt.c,v 1.7.4.1 2006/06/16 17:20:56 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
+ char *op;
+ struct ipopt_names *io;
+ int len;
+ char *class;
{
int olen = len;
struct in_addr ipadr;
@@ -41,6 +41,10 @@ char *class;
lvl = seclevel(class);
*(op - 1) = lvl;
break;
+ case IPOPT_RR :
+ case IPOPT_TS :
+ s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
+ break;
case IPOPT_LSRR :
case IPOPT_SSRR :
ipadr.s_addr = inet_addr(class);
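Review bot: The new `IPOPT_RR`/`IPOPT_TS` case writes the bare expression `IPOPT_MINOFF - 1 + 4` into `s[IPOPT_OLEN]` with no comment saying what the length covers, and it gives both options the same value. Assuming the usual `IPOPT_MINOFF` of 4, that is 7 bytes: a three-byte header plus one address slot fits record-route, but a timestamp option carries a fourth header byte (overflow/flags), so it is worth confirming 7 is intended there. A comment such as `/* type + len + pointer, plus room for one 4-byte entry */` would make the intent checkable. `addipopt()` begins and ends outside this hunk, so how `s` and `len` are kept in step is not visible.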
@@ -53,12 +57,6 @@ char *class;
break;
}
}
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
}
if (opts & OPT_DEBUG)
fprintf(stderr, "bo: %s %d %#x: %d\n",
diff --git a/contrib/ipfilter/lib/alist_free.c b/contrib/ipfilter/lib/alist_free.c
index 3c1a518..44dea13 100644
--- a/contrib/ipfilter/lib/alist_free.c
+++ b/contrib/ipfilter/lib/alist_free.c
@@ -1,15 +1,15 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: alist_free.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
+ * $Id: alist_free.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
void
alist_free(hosts)
-alist_t *hosts;
+ alist_t *hosts;
{
alist_t *a, *next;
diff --git a/contrib/ipfilter/lib/alist_new.c b/contrib/ipfilter/lib/alist_new.c
index 50a4275..73bc030 100644
--- a/contrib/ipfilter/lib/alist_new.c
+++ b/contrib/ipfilter/lib/alist_new.c
@@ -1,20 +1,30 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: alist_new.c,v 1.1.2.3 2007/06/06 08:05:33 darrenr Exp $
+ * $Id: alist_new.c,v 1.5.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
+#include <ctype.h>
-alist_t *
-alist_new(int v, char *host)
+alist_t *
+alist_new(int family, char *host)
{
int a, b, c, d, bits;
- char *slash;
- alist_t *al;
- u_int mask;
+ char *slash;
+ alist_t *al;
+ u_int mask;
+
+ if (family == AF_UNSPEC) {
+ if (strchr(host, ':') != NULL)
+ family = AF_INET6;
+ else
+ family = AF_INET;
+ }
+ if (family != AF_INET && family != AF_INET6)
+ return NULL;
al = calloc(1, sizeof(*al));
if (al == NULL) {
@@ -22,45 +32,62 @@ alist_new(int v, char *host)
return NULL;
}
- bits = -1;
+ while (ISSPACE(*host))
+ host++;
+
+ if (*host == '!') {
+ al->al_not = 1;
+ host++;
+ while (ISSPACE(*host))
+ host++;
+ }
+
+ bits = -1;
slash = strchr(host, '/');
if (slash != NULL) {
*slash = '\0';
bits = atoi(slash + 1);
}
- a = b = c = d = -1;
- sscanf(host, "%d.%d.%d.%d", &a, &b, &c, &d);
+ if (family == AF_INET) {
+ if (bits > 32)
+ goto bad;
- if (bits > 0 && bits < 33) {
- mask = 0xffffffff << (32 - bits);
- } else if (b == -1) {
- mask = 0xff000000;
- b = c = d = 0;
- } else if (c == -1) {
- mask = 0xffff0000;
- c = d = 0;
- } else if (d == -1) {
- mask = 0xffffff00;
- d = 0;
- } else {
- mask = 0xffffffff;
- }
+ a = b = c = d = -1;
+ sscanf(host, "%d.%d.%d.%d", &a, &b, &c, &d);
- if (*host == '!') {
- al->al_not = 1;
- host++;
+ if (bits > 0 && bits < 33) {
+ mask = 0xffffffff << (32 - bits);
+ } else if (b == -1) {
+ mask = 0xff000000;
+ b = c = d = 0;
+ } else if (c == -1) {
+ mask = 0xffff0000;
+ c = d = 0;
+ } else if (d == -1) {
+ mask = 0xffffff00;
+ d = 0;
+ } else {
+ mask = 0xffffffff;
+ }
+ al->al_mask = htonl(mask);
+ } else {
+ if (bits > 128)
+ goto bad;
+ fill6bits(bits, al->al_i6mask.i6);
}
- if (gethost(host, &al->al_addr) == -1) {
+ if (gethost(family, host, &al->al_i6addr) == -1) {
if (slash != NULL)
*slash = '/';
fprintf(stderr, "Cannot parse hostname\n");
- free(al);
- return NULL;
+ goto bad;
}
- al->al_mask = htonl(mask);
+ al->al_family = family;
if (slash != NULL)
*slash = '/';
return al;
+bad:
+ free(al);
+ return NULL;
}
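Review bot: The two new `goto bad` exits for an over-long prefix (`bits > 32`, `bits > 128`) run after `*slash = '\0'`, and `bad:` only frees `al`, so the caller's `host` string stays truncated at the slash; the `gethost()` failure path restores it first. Adding `if (slash != NULL) *slash = '/';` under `bad:` makes every error path consistent. The IPv4 mask test is still `bits > 0 && bits < 33`, so a `/0` suffix, or any non-numeric suffix that `atoi()` turns into 0, falls through to the dotted-count branches and an address such as `0.0.0.0/0` ends up with mask `0xffffffff` instead of matching everything. Negative values are not rejected either, and the IPv6 branch passes `bits` (still -1 when no slash was given) straight to `fill6bits()`, whose handling of that is not visible here. Parsing the suffix with `strtol()` and rejecting anything outside 0..32 or 0..128 would close all three cases.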
diff --git a/contrib/ipfilter/lib/allocmbt.c b/contrib/ipfilter/lib/allocmbt.c
new file mode 100644
index 0000000..df77684
--- /dev/null
+++ b/contrib/ipfilter/lib/allocmbt.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: allocmbt.c,v 1.1.4.1 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+mb_t *allocmbt(size_t len)
+{
+ mb_t *m;
+
+ m = (mb_t *)malloc(sizeof(mb_t));
+ if (m == NULL)
+ return NULL;
+ m->mb_len = len;
+ m->mb_next = NULL;
+ m->mb_data = (char *)m->mb_buf;
+ return m;
+}
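Review bot: `m->mb_len = len` records whatever length the caller asks for, while the allocation is always `sizeof(mb_t)`, so nothing ties `mb_len` to the capacity of `mb_buf`. If `mb_buf` is the fixed array embedded in `mb_t` (its definition is not in this hunk), I would add `if (len > sizeof(m->mb_buf)) return NULL;` before the `malloc`. The same unchecked length bounds the `bcopy(orig->mb_data, m->mb_data, m->mb_len)` in lib/dupmbt.c later in this commit, where an oversized `mb_len` or a large data offset would write past the new buffer. dupmbt() also dereferences `orig` without a NULL check.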
diff --git a/contrib/ipfilter/lib/assigndefined.c b/contrib/ipfilter/lib/assigndefined.c
new file mode 100644
index 0000000..34f8d9a
--- /dev/null
+++ b/contrib/ipfilter/lib/assigndefined.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: assigndefined.c,v 1.4.2.2 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+void assigndefined(env)
+ char *env;
+{
+ char *s, *t;
+
+ if (env == NULL)
+ return;
+
+ for (s = strtok(env, ";"); s != NULL; s = strtok(NULL, ";")) {
+ t = strchr(s, '=');
+ if (t == NULL)
+ continue;
+ *t++ = '\0';
+ set_variable(s, t);
+ *--t = '=';
+ }
+}
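Review bot: `strtok(env, ";")` overwrites each `;` in the caller's string with a NUL and only the `=` is put back (`*--t = '=';`), so `env` comes back truncated at the first separator. If callers pass the result of `getenv()` (not visible here), that edits the process environment in place. `strtok` also keeps hidden static state, so a `set_variable()` that tokenizes anything itself would break this loop. I would tokenize a private copy, made with `strdup(env)`, walked with `strtok_r` and freed at the end, and add a comment saying the input is `name=value` pairs separated by `;`.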
diff --git a/contrib/ipfilter/lib/bcopywrap.c b/contrib/ipfilter/lib/bcopywrap.c
index b2e8427..453c046 100644
--- a/contrib/ipfilter/lib/bcopywrap.c
+++ b/contrib/ipfilter/lib/bcopywrap.c
@@ -1,18 +1,18 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: bcopywrap.c,v 1.1.4.1 2006/06/16 17:20:56 darrenr Exp $
- */
+ *
+ * $Id$
+ */
#include "ipf.h"
int bcopywrap(from, to, size)
-void *from, *to;
-size_t size;
+ void *from, *to;
+ size_t size;
{
bcopy((caddr_t)from, (caddr_t)to, size);
return 0;
diff --git a/contrib/ipfilter/lib/binprint.c b/contrib/ipfilter/lib/binprint.c
index fcb47ed..f826721 100644
--- a/contrib/ipfilter/lib/binprint.c
+++ b/contrib/ipfilter/lib/binprint.c
@@ -1,19 +1,19 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: binprint.c,v 1.8.4.1 2006/06/16 17:20:56 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
void binprint(ptr, size)
-void *ptr;
-size_t size;
+ void *ptr;
+ size_t size;
{
u_char *s;
int i, j;
diff --git a/contrib/ipfilter/lib/buildopts.c b/contrib/ipfilter/lib/buildopts.c
index bdd0538..1d1de8c 100644
--- a/contrib/ipfilter/lib/buildopts.c
+++ b/contrib/ipfilter/lib/buildopts.c
@@ -1,19 +1,19 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: buildopts.c,v 1.6.4.1 2006/06/16 17:20:56 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
+ char *cp, *op;
+ int len;
{
struct ipopt_names *io;
u_32_t msk = 0;
@@ -23,6 +23,8 @@ int len;
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
if ((t = strchr(s, '=')))
*t++ = '\0';
+ else
+ t = "";
for (io = ionames; io->on_name; io++) {
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
continue;
@@ -38,6 +40,10 @@ int len;
return 0;
}
}
+ while ((len & 3) != 3) {
+ *op++ = IPOPT_NOP;
+ len++;
+ }
*op++ = IPOPT_EOL;
len++;
return len;
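Review bot: The added padding loop writes up to three `IPOPT_NOP` bytes plus the `IPOPT_EOL` through `op` with no check against the size of the output buffer, which this function never receives (`len` is the running length, not a capacity). IP options are limited to 40 bytes, so either a comment stating the minimum buffer the caller must supply or a guard such as `if (len >= 40) return 0;` before the loop would make the bound explicit. The body of buildopts() starts above this hunk, so any check that already exists there is not visible.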
diff --git a/contrib/ipfilter/lib/checkrev.c b/contrib/ipfilter/lib/checkrev.c
index 9e584cc..b6f8eee 100644
--- a/contrib/ipfilter/lib/checkrev.c
+++ b/contrib/ipfilter/lib/checkrev.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: checkrev.c,v 1.12.2.2 2006/06/16 17:20:56 darrenr Exp $
+ * $Id$
*/
#include <sys/ioctl.h>
@@ -15,25 +15,25 @@
#include "netinet/ipl.h"
int checkrev(ipfname)
-char *ipfname;
+ char *ipfname;
{
static int vfd = -1;
- struct friostat fio, *fiop = &fio;
- ipfobj_t ipfo;
+ struct friostat fio;
+ ipfobj_t obj;
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_size = sizeof(*fiop);
- ipfo.ipfo_ptr = (void *)fiop;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
+ bzero((caddr_t)&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(fio);
+ obj.ipfo_ptr = (void *)&fio;
+ obj.ipfo_type = IPFOBJ_IPFSTAT;
if ((vfd == -1) && ((vfd = open(ipfname, O_RDONLY)) == -1)) {
perror("open device");
return -1;
}
- if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
+ if (ioctl(vfd, SIOCGETFS, &obj)) {
+ ipferror(vfd, "ioctl(SIOCGETFS)");
close(vfd);
vfd = -1;
return -1;
diff --git a/contrib/ipfilter/lib/connecttcp.c b/contrib/ipfilter/lib/connecttcp.c
new file mode 100644
index 0000000..2bab2af
--- /dev/null
+++ b/contrib/ipfilter/lib/connecttcp.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: connecttcp.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+#include <ctype.h>
+
+/*
+ * Format expected is one addres per line, at the start of each line.
+ */
+int
+connecttcp(char *server, int port)
+{
+ struct sockaddr_in sin;
+ struct hostent *host;
+ int fd;
+
+ memset(&sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sin.sin_port = htons(port & 65535);
+
+ if (ISDIGIT(*server)) {
+ if (inet_aton(server, &sin.sin_addr) == -1) {
+ return -1;
+ }
+ } else {
+ host = gethostbyname(server);
+ if (host == NULL)
+ return -1;
+ memcpy(&sin.sin_addr, host->h_addr_list[0],
+ sizeof(sin.sin_addr));
+ }
+
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (fd == -1)
+ return -1;
+
+ if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
+ close(fd);
+ return -1;
+ }
+
+ return fd;
+}
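Review bot: The `inet_aton(server, &sin.sin_addr) == -1` test can never fire, because inet_aton() returns 0 for an invalid address and non-zero on success; a malformed numeric string therefore leaves `sin_addr` at the zero from `memset` and the code goes on to connect to 0.0.0.0. The check should read `if (inet_aton(server, &sin.sin_addr) == 0) return -1;`. In the name branch, the `memcpy` from `host->h_addr_list[0]` assumes an IPv4 result; comparing `host->h_addrtype` with `AF_INET` and `host->h_length` with `sizeof(sin.sin_addr)` first would make that explicit. The header comment ("one addres per line") does not describe this function and looks copied from elsewhere; something like `/* Open a TCP connection to server:port; returns the socket fd or -1. */` fits the code.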
diff --git a/contrib/ipfilter/lib/count4bits.c b/contrib/ipfilter/lib/count4bits.c
index 38e5742..a847388 100644
--- a/contrib/ipfilter/lib/count4bits.c
+++ b/contrib/ipfilter/lib/count4bits.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: count4bits.c,v 1.1.4.1 2006/06/16 17:20:57 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -17,7 +17,7 @@
* of bits.
*/
int count4bits(ip)
-u_int ip;
+ u_int ip;
{
int cnt = 0, i, j;
u_int ipn;
diff --git a/contrib/ipfilter/lib/count6bits.c b/contrib/ipfilter/lib/count6bits.c
index 15538c3..b8f4320 100644
--- a/contrib/ipfilter/lib/count6bits.c
+++ b/contrib/ipfilter/lib/count6bits.c
@@ -1,18 +1,18 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: count6bits.c,v 1.4.4.1 2006/06/16 17:20:57 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
int count6bits(msk)
-u_32_t *msk;
+ u_32_t *msk;
{
int i = 0, k;
u_32_t j;
diff --git a/contrib/ipfilter/lib/debug.c b/contrib/ipfilter/lib/debug.c
index 3181e78..02e5f5b 100644
--- a/contrib/ipfilter/lib/debug.c
+++ b/contrib/ipfilter/lib/debug.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: debug.c,v 1.6.4.1 2006/06/16 17:20:57 darrenr Exp $
+ * $Id$
*/
#if defined(__STDC__)
@@ -15,16 +15,37 @@
#endif
#include <stdio.h>
-#include "ipt.h"
+#include "ipf.h"
#include "opts.h"
+int debuglevel = 0;
+
+
+#ifdef __STDC__
+void debug(int level, char *fmt, ...)
+#else
+void debug(level, fmt, va_alist)
+ int level;
+ char *fmt;
+ va_dcl
+#endif
+{
+ va_list pvar;
+
+ va_start(pvar, fmt);
+
+ if ((debuglevel > 0) && (level <= debuglevel))
+ vfprintf(stderr, fmt, pvar);
+ va_end(pvar);
+}
+
#ifdef __STDC__
-void debug(char *fmt, ...)
+void ipfkdebug(char *fmt, ...)
#else
-void debug(fmt, va_alist)
-char *fmt;
-va_dcl
+void ipfkdebug(fmt, va_alist)
+ char *fmt;
+ va_dcl
#endif
{
va_list pvar;
@@ -32,6 +53,6 @@ va_dcl
va_start(pvar, fmt);
if (opts & OPT_DEBUG)
- vprintf(fmt, pvar);
+ debug(0x1fffffff, fmt, pvar);
va_end(pvar);
}
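Review bot: `debug(0x1fffffff, fmt, pvar)` passes the `va_list` itself as a variadic argument, so debug() would format `fmt` against a single `va_list` object rather than the caller's arguments, which is undefined behaviour for any format with conversions. Separately, debug() only prints when `level <= debuglevel`, so with level 0x1fffffff ipfkdebug() stays silent at any ordinary `debuglevel` even when `OPT_DEBUG` is set. Calling `vfprintf(stderr, fmt, pvar);` here, or adding a `va_list`-taking helper that both functions share, keeps the arguments intact. The start of ipfkdebug() is in the previous hunk.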
diff --git a/contrib/ipfilter/lib/dupmbt.c b/contrib/ipfilter/lib/dupmbt.c
new file mode 100644
index 0000000..0929eeb
--- /dev/null
+++ b/contrib/ipfilter/lib/dupmbt.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: dupmbt.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+mb_t *dupmbt(orig)
+ mb_t *orig;
+{
+ mb_t *m;
+
+ m = (mb_t *)malloc(sizeof(mb_t));
+ if (m == NULL)
+ return NULL;
+ m->mb_len = orig->mb_len;
+ m->mb_next = NULL;
+ m->mb_data = (char *)m->mb_buf + (orig->mb_data - (char *)orig->mb_buf);
+ bcopy(orig->mb_data, m->mb_data, m->mb_len);
+ return m;
+}
diff --git a/contrib/ipfilter/lib/facpri.c b/contrib/ipfilter/lib/facpri.c
index b89e0f8..c9b4774 100644
--- a/contrib/ipfilter/lib/facpri.c
+++ b/contrib/ipfilter/lib/facpri.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $
+ * $Id$
*/
#include <stdio.h>
@@ -22,7 +22,7 @@
#include "facpri.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -96,7 +96,7 @@ fac_toname(facpri)
/*
* map a facility name to its number
*/
-int
+int
fac_findname(name)
char *name;
{
@@ -119,6 +119,22 @@ table_t pris[] = {
/*
+ * map a facility name to its number
+ */
+int
+pri_findname(name)
+ char *name;
+{
+ int i;
+
+ for (i = 0; pris[i].name; i++)
+ if (!strcmp(pris[i].name, name))
+ return pris[i].value;
+ return -1;
+}
+
+
+/*
* map a priority number to its name
*/
char *
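Review bot: The comment added above `pri_findname()` is a copy of the one on fac_findname() and says "facility" although the loop searches `pris[]`; it should read `* map a priority name to its number`. It is also worth stating in that comment that -1 means the name was not found and that matching is case-sensitive (`strcmp`).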
diff --git a/contrib/ipfilter/lib/facpri.h b/contrib/ipfilter/lib/facpri.h
index ca53e05..54ecabd 100644
--- a/contrib/ipfilter/lib/facpri.h
+++ b/contrib/ipfilter/lib/facpri.h
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: facpri.h,v 1.3.4.1 2006/06/16 17:20:58 darrenr Exp $
+ * $Id$
*/
#ifndef __FACPRI_H__
diff --git a/contrib/ipfilter/lib/familyname.c b/contrib/ipfilter/lib/familyname.c
new file mode 100644
index 0000000..35bb975
--- /dev/null
+++ b/contrib/ipfilter/lib/familyname.c
@@ -0,0 +1,12 @@
+#include "ipf.h"
+
+const char *familyname(int family)
+{
+ if (family == AF_INET)
+ return "inet";
+#ifdef AF_INET6
+ if (family == AF_INET6)
+ return "inet6";
+#endif
+ return "unknown";
+}
diff --git a/contrib/ipfilter/lib/fill6bits.c b/contrib/ipfilter/lib/fill6bits.c
index c0faf6a..39ec735 100644
--- a/contrib/ipfilter/lib/fill6bits.c
+++ b/contrib/ipfilter/lib/fill6bits.c
@@ -1,19 +1,19 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: fill6bits.c,v 1.5.4.1 2006/06/16 17:20:58 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
void fill6bits(bits, msk)
-int bits;
-u_int *msk;
+ int bits;
+ u_int *msk;
{
if (bits == 0) {
msk[0] = 0;
diff --git a/contrib/ipfilter/lib/findword.c b/contrib/ipfilter/lib/findword.c
new file mode 100644
index 0000000..e06f213
--- /dev/null
+++ b/contrib/ipfilter/lib/findword.c
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: findword.c,v 1.3.4.1 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+
+wordtab_t *findword(words, name)
+ wordtab_t *words;
+ char *name;
+{
+ wordtab_t *w;
+
+ for (w = words; w->w_word != NULL; w++)
+ if (!strcmp(name, w->w_word))
+ break;
+ if (w->w_word == NULL)
+ return NULL;
+
+ return w;
+}
diff --git a/contrib/ipfilter/lib/flags.c b/contrib/ipfilter/lib/flags.c
index 200484c..05fcc98 100644
--- a/contrib/ipfilter/lib/flags.c
+++ b/contrib/ipfilter/lib/flags.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: flags.c,v 1.4.4.1 2006/06/16 17:20:58 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/freembt.c b/contrib/ipfilter/lib/freembt.c
new file mode 100644
index 0000000..0fc748d
--- /dev/null
+++ b/contrib/ipfilter/lib/freembt.c
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: freembt.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+void freembt(m)
+ mb_t *m;
+{
+
+ free(m);
+}
diff --git a/contrib/ipfilter/lib/ftov.c b/contrib/ipfilter/lib/ftov.c
new file mode 100644
index 0000000..cb9715d
--- /dev/null
+++ b/contrib/ipfilter/lib/ftov.c
@@ -0,0 +1,16 @@
+#include "ipf.h"
+
+int
+ftov(version)
+ int version;
+{
+#ifdef USE_INET6
+ if (version == AF_INET6)
+ return 6;
+#endif
+ if (version == AF_INET)
+ return 4;
+ if (version == AF_UNSPEC)
+ return 0;
+ return -1;
+}
diff --git a/contrib/ipfilter/lib/gethost.c b/contrib/ipfilter/lib/gethost.c
index be536c1..a11b09b 100644
--- a/contrib/ipfilter/lib/gethost.c
+++ b/contrib/ipfilter/lib/gethost.c
@@ -1,44 +1,75 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: gethost.c,v 1.3.2.2 2006/06/16 17:20:59 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-int gethost(name, hostp)
-char *name;
-u_32_t *hostp;
+int gethost(family, name, hostp)
+ int family;
+ char *name;
+ i6addr_t *hostp;
{
struct hostent *h;
struct netent *n;
u_32_t addr;
if (!strcmp(name, "test.host.dots")) {
- *hostp = htonl(0xfedcba98);
+ if (family == AF_INET) {
+ hostp->in4.s_addr = htonl(0xfedcba98);
+ }
+#ifdef USE_INET6
+ if (family == AF_INET6) {
+ hostp->i6[0] = 0xfe80aa55;
+ hostp->i6[1] = 0x12345678;
+ hostp->i6[2] = 0x5a5aa5a5;
+ hostp->i6[3] = 0xfedcba98;
+ }
+#endif
return 0;
}
if (!strcmp(name, "<thishost>"))
name = thishost;
- h = gethostbyname(name);
- if (h != NULL) {
- if ((h->h_addr != NULL) && (h->h_length == sizeof(addr))) {
- bcopy(h->h_addr, (char *)&addr, sizeof(addr));
- *hostp = addr;
+ if (family == AF_INET) {
+ h = gethostbyname(name);
+ if (h != NULL) {
+ if ((h->h_addr != NULL) &&
+ (h->h_length == sizeof(addr))) {
+ bcopy(h->h_addr, (char *)&addr, sizeof(addr));
+ hostp->in4.s_addr = addr;
+ return 0;
+ }
+ }
+
+ n = getnetbyname(name);
+ if (n != NULL) {
+ hostp->in4.s_addr = htonl(n->n_net & 0xffffffff);
return 0;
}
}
+#ifdef USE_INET6
+ if (family == AF_INET6) {
+ struct addrinfo hints, *res;
+ struct sockaddr_in6 *sin6;
- n = getnetbyname(name);
- if (n != NULL) {
- *hostp = (u_32_t)htonl(n->n_net & 0xffffffff);
- return 0;
+ bzero((char *)&hints, sizeof(hints));
+ hints.ai_family = PF_INET6;
+
+ getaddrinfo(name, NULL, &hints, &res);
+ if (res != NULL) {
+ sin6 = (struct sockaddr_in6 *)res->ai_addr;
+ hostp->in6 = sin6->sin6_addr;
+ freeaddrinfo(res);
+ return 0;
+ }
}
+#endif
return -1;
}
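Review bot: In the AF_INET6 branch the return value of `getaddrinfo()` is ignored and `res` is never initialised, so on a failed lookup `if (res != NULL)` tests an indeterminate pointer and may go on to dereference and free it. Declare `struct addrinfo hints, *res = NULL;` and test `if (getaddrinfo(name, NULL, &hints, &res) == 0 && res != NULL)`. The `test.host.dots` IPv6 words are also stored without `htonl()`, unlike the IPv4 value beside them, so the test address differs with host byte order.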
diff --git a/contrib/ipfilter/lib/geticmptype.c b/contrib/ipfilter/lib/geticmptype.c
new file mode 100644
index 0000000..5c962e9
--- /dev/null
+++ b/contrib/ipfilter/lib/geticmptype.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
+#include "ipf.h"
+
+int geticmptype(family, name)
+ int family;
+ char *name;
+{
+ icmptype_t *i;
+
+ for (i = icmptypelist; i->it_name != NULL; i++) {
+ if (!strcmp(name, i->it_name)) {
+ if (family == AF_INET)
+ return i->it_v4;
+#ifdef USE_INET6
+ if (family == AF_INET6)
+ return i->it_v6;
+#endif
+ return -1;
+ }
+ }
+
+ return -1;
+}
diff --git a/contrib/ipfilter/lib/getifname.c b/contrib/ipfilter/lib/getifname.c
index 7246fbb..88cad32 100644
--- a/contrib/ipfilter/lib/getifname.c
+++ b/contrib/ipfilter/lib/getifname.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getifname.c,v 1.5.2.3 2006/07/14 06:12:24 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -18,7 +18,7 @@
*/
#if 0
char *getifname(ptr)
-struct ifnet *ptr;
+ struct ifnet *ptr;
{
#if SOLARIS || defined(__hpux)
# if SOLARIS
@@ -50,7 +50,7 @@ struct ifnet *ptr;
defined(__OpenBSD__) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
#else
- char buf[32];
+ char buf[LIFNAMSIZ];
int len;
# endif
struct ifnet netif;
@@ -85,8 +85,11 @@ struct ifnet *ptr;
}
#else
char *getifname(ptr)
-struct ifnet *ptr;
+ struct ifnet *ptr;
{
+#if 0
+ ptr = ptr;
+#endif
return "X";
}
#endif
diff --git a/contrib/ipfilter/lib/getnattype.c b/contrib/ipfilter/lib/getnattype.c
index 2fb5d17..ef7ffd4 100644
--- a/contrib/ipfilter/lib/getnattype.c
+++ b/contrib/ipfilter/lib/getnattype.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -11,34 +11,24 @@
#include "kmem.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3.2.2 2006/07/14 06:12:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
/*
* Get a nat filter type given its kernel address.
*/
-char *getnattype(nat, alive)
-nat_t *nat;
-int alive;
+char *
+getnattype(nat)
+ nat_t *nat;
{
static char unknownbuf[20];
- ipnat_t *ipn, ipnat;
char *which;
- int type;
if (!nat)
return "???";
- if (alive) {
- type = nat->nat_redir;
- } else {
- ipn = nat->nat_ptr;
- if (kmemcpy((char *)&ipnat, (long)ipn, sizeof(ipnat)))
- return "!!!";
- type = ipnat.in_redir;
- }
- switch (type)
+ switch (nat->nat_redir)
{
case NAT_MAP :
which = "MAP";
@@ -49,11 +39,30 @@ int alive;
case NAT_REDIRECT :
which = "RDR";
break;
+ case NAT_MAP|NAT_REWRITE :
+ which = "RWR-MAP";
+ break;
+ case NAT_REDIRECT|NAT_REWRITE :
+ which = "RWR-RDR";
+ break;
case NAT_BIMAP :
which = "BIMAP";
break;
+ case NAT_REDIRECT|NAT_DIVERTUDP :
+ which = "DIV-RDR";
+ break;
+ case NAT_MAP|NAT_DIVERTUDP :
+ which = "DIV-MAP";
+ break;
+ case NAT_REDIRECT|NAT_ENCAP :
+ which = "ENC-RDR";
+ break;
+ case NAT_MAP|NAT_ENCAP :
+ which = "ENC-MAP";
+ break;
default :
- sprintf(unknownbuf, "unknown(%04x)", type & 0xffffffff);
+ sprintf(unknownbuf, "unknown(%04x)",
+ nat->nat_redir & 0xffffffff);
which = unknownbuf;
break;
}
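Review bot: The `default` case still formats into the 20-byte static `unknownbuf` with an unbounded `sprintf`. The current format fits (at most 18 bytes with eight hex digits), but the bound is implicit; `snprintf(unknownbuf, sizeof(unknownbuf), "unknown(%04x)", nat->nat_redir & 0xffffffff);` states it. The returned pointer aliases that static buffer, so the result is overwritten by the next call, and a comment on the function should say so. The buffer declaration is in the previous hunk.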
diff --git a/contrib/ipfilter/lib/getport.c b/contrib/ipfilter/lib/getport.c
index 69e897c..0981ff1 100644
--- a/contrib/ipfilter/lib/getport.c
+++ b/contrib/ipfilter/lib/getport.c
@@ -1,30 +1,39 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getport.c,v 1.1.4.6 2006/06/16 17:21:00 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
+#include <ctype.h>
-int getport(fr, name, port)
-frentry_t *fr;
-char *name;
-u_short *port;
+int getport(fr, name, port, proto)
+ frentry_t *fr;
+ char *name, *proto;
+ u_short *port;
{
struct protoent *p;
struct servent *s;
u_short p1;
if (fr == NULL || fr->fr_type != FR_T_IPF) {
- s = getservbyname(name, NULL);
+ s = getservbyname(name, proto);
if (s != NULL) {
*port = s->s_port;
return 0;
}
+
+ if (ISDIGIT(*name)) {
+ int portval = atoi(name);
+ if (portval < 0 || portval > 65535)
+ return -1;
+ *port = htons((u_short)portval);
+ return 0;
+ }
return -1;
}
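Review bot: The new numeric fallback accepts any string that merely starts with a digit, because `atoi()` stops at the first non-digit and reports no error: "80x" becomes port 80, and an out-of-range value has undefined behaviour. Parsing with `strtol(name, &end, 10)` and rejecting the input when `*end != '\0'` or the value is outside 0–65535 would make a typo in a rule fail instead of matching a different port. getport() continues below this hunk.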
diff --git a/contrib/ipfilter/lib/getportproto.c b/contrib/ipfilter/lib/getportproto.c
index 23e5fb1..69fecff 100644
--- a/contrib/ipfilter/lib/getportproto.c
+++ b/contrib/ipfilter/lib/getportproto.c
@@ -1,19 +1,19 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getportproto.c,v 1.2.4.4 2006/06/16 17:21:00 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include <ctype.h>
#include "ipf.h"
int getportproto(name, proto)
-char *name;
-int proto;
+ char *name;
+ int proto;
{
struct servent *s;
struct protoent *p;
diff --git a/contrib/ipfilter/lib/getproto.c b/contrib/ipfilter/lib/getproto.c
index 33f6f47..6c52cd3 100644
--- a/contrib/ipfilter/lib/getproto.c
+++ b/contrib/ipfilter/lib/getproto.c
@@ -1,17 +1,18 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getproto.c,v 1.2.2.3 2006/06/16 17:21:00 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
+#include <ctype.h>
int getproto(name)
-char *name;
+ char *name;
{
struct protoent *p;
char *s;
@@ -25,10 +26,13 @@ char *name;
#ifdef _AIX51
/*
* For some bogus reason, "ip" is 252 in /etc/protocols on AIX 5
+ * The IANA has doubled up on the definition of 0 - it is now also
+ * used for IPv6 hop-opts, so we can no longer rely on /etc/protocols
+ * providing the correct name->number mapping
*/
+#endif
if (!strcasecmp(name, "ip"))
return 0;
-#endif
p = getprotobyname(name);
if (p != NULL)
diff --git a/contrib/ipfilter/lib/getsumd.c b/contrib/ipfilter/lib/getsumd.c
index fdad461..84acc7a 100644
--- a/contrib/ipfilter/lib/getsumd.c
+++ b/contrib/ipfilter/lib/getsumd.c
@@ -1,17 +1,17 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getsumd.c,v 1.2.4.1 2006/06/16 17:21:01 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
char *getsumd(sum)
-u_32_t sum;
+ u_32_t sum;
{
static char sumdbuf[17];
diff --git a/contrib/ipfilter/lib/hostname.c b/contrib/ipfilter/lib/hostname.c
index e8fde98..28ead89 100644
--- a/contrib/ipfilter/lib/hostname.c
+++ b/contrib/ipfilter/lib/hostname.c
@@ -1,18 +1,18 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: hostname.c,v 1.6.2.2 2007/01/16 02:25:22 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-char *hostname(v, ip)
-int v;
-void *ip;
+char *hostname(family, ip)
+ int family;
+ void *ip;
{
static char hostbuf[MAXHOSTNAMELEN+1];
struct hostent *hp;
@@ -21,14 +21,14 @@ void *ip;
memset(&ipa, 0, sizeof(ipa)); /* XXX gcc */
- if (v == 4) {
+ if (family == AF_INET) {
ipa.s_addr = *(u_32_t *)ip;
if (ipa.s_addr == htonl(0xfedcba98))
return "test.host.dots";
}
if ((opts & OPT_NORESOLVE) == 0) {
- if (v == 4) {
+ if (family == AF_INET) {
hp = gethostbyaddr(ip, 4, AF_INET);
if (hp != NULL && hp->h_name != NULL &&
*hp->h_name != '\0') {
@@ -47,7 +47,7 @@ void *ip;
}
}
- if (v == 4) {
+ if (family == AF_INET) {
return inet_ntoa(ipa);
}
#ifdef USE_INET6
diff --git a/contrib/ipfilter/lib/icmpcode.c b/contrib/ipfilter/lib/icmpcode.c
index d558beb..e898ebf 100644
--- a/contrib/ipfilter/lib/icmpcode.c
+++ b/contrib/ipfilter/lib/icmpcode.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: icmpcode.c,v 1.7.2.5 2006/06/16 17:21:02 darrenr Exp $
+ * $Id$
*/
#include <ctype.h>
diff --git a/contrib/ipfilter/lib/icmptypename.c b/contrib/ipfilter/lib/icmptypename.c
new file mode 100644
index 0000000..d7eb3bd
--- /dev/null
+++ b/contrib/ipfilter/lib/icmptypename.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
+#include "ipf.h"
+
+char *icmptypename(family, type)
+ int family, type;
+{
+ icmptype_t *i;
+
+ if ((type < 0) || (type > 255))
+ return NULL;
+
+ for (i = icmptypelist; i->it_name != NULL; i++) {
+ if ((family == AF_INET) && (i->it_v4 == type))
+ return i->it_name;
+#ifdef USE_INET6
+ if ((family == AF_INET6) && (i->it_v6 == type))
+ return i->it_name;
+#endif
+ }
+
+ return NULL;
+}
diff --git a/contrib/ipfilter/lib/icmptypes.c b/contrib/ipfilter/lib/icmptypes.c
new file mode 100644
index 0000000..c1123ff
--- /dev/null
+++ b/contrib/ipfilter/lib/icmptypes.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
+#include "ipf.h"
+
+#ifndef USE_INET6
+# undef ICMP6_ECHO_REQUEST
+# define ICMP6_ECHO_REQUEST 0
+# undef ICMP6_ECHO_REPLY
+# define ICMP6_ECHO_REPLY 0
+# undef ICMP6_NI_QUERY
+# define ICMP6_NI_QUERY 0
+# undef ICMP6_NI_REPLY
+# define ICMP6_NI_REPLY 0
+# undef ICMP6_PARAM_PROB
+# define ICMP6_PARAM_PROB 0
+# undef ND_ROUTER_ADVERT
+# define ND_ROUTER_ADVERT 0
+# undef ND_ROUTER_SOLICIT
+# define ND_ROUTER_SOLICIT 0
+# undef ICMP6_TIME_EXCEEDED
+# define ICMP6_TIME_EXCEEDED 0
+# undef ICMP6_DST_UNREACH
+# define ICMP6_DST_UNREACH 0
+# undef ICMP6_PACKET_TOO_BIG
+# define ICMP6_PACKET_TOO_BIG 0
+# undef MLD_LISTENER_QUERY
+# define MLD_LISTENER_QUERY 0
+# undef MLD_LISTENER_REPORT
+# define MLD_LISTENER_REPORT 0
+# undef MLD_LISTENER_DONE
+# define MLD_LISTENER_DONE 0
+# undef ICMP6_MEMBERSHIP_QUERY
+# define ICMP6_MEMBERSHIP_QUERY 0
+# undef ICMP6_MEMBERSHIP_REPORT
+# define ICMP6_MEMBERSHIP_REPORT 0
+# undef ICMP6_MEMBERSHIP_REDUCTION
+# define ICMP6_MEMBERSHIP_REDUCTION 0
+# undef ND_NEIGHBOR_ADVERT
+# define ND_NEIGHBOR_ADVERT 0
+# undef ND_NEIGHBOR_SOLICIT
+# define ND_NEIGHBOR_SOLICIT 0
+# undef ICMP6_ROUTER_RENUMBERING
+# define ICMP6_ROUTER_RENUMBERING 0
+# undef ICMP6_WRUREQUEST
+# define ICMP6_WRUREQUEST 0
+# undef ICMP6_WRUREPLY
+# define ICMP6_WRUREPLY 0
+# undef ICMP6_FQDN_QUERY
+# define ICMP6_FQDN_QUERY 0
+# undef ICMP6_FQDN_REPLY
+# define ICMP6_FQDN_REPLY 0
+#else
+# if !defined(MLD_LISTENER_QUERY)
+# define MLD_LISTENER_QUERY 130
+# endif
+# if !defined(MLD_LISTENER_REPORT)
+# define MLD_LISTENER_REPORT 131
+# endif
+# if !defined(MLD_LISTENER_DONE)
+# define MLD_LISTENER_DONE 132
+# endif
+# if defined(MLD_LISTENER_REDUCTION) && !defined(MLD_LISTENER_DONE)
+# define MLD_LISTENER_DONE MLD_LISTENER_REDUCTION
+# endif
+#endif
+
+icmptype_t icmptypelist[] = {
+ { "echo", ICMP_ECHO, ICMP6_ECHO_REQUEST },
+ { "echorep", ICMP_ECHOREPLY, ICMP6_ECHO_REPLY },
+ { "fqdnquery", -1, ICMP6_FQDN_QUERY },
+ { "fqdnreply", -1, ICMP6_FQDN_REPLY },
+ { "infoqry", -1, ICMP6_NI_QUERY },
+ { "inforeq", ICMP_IREQ, ICMP6_NI_QUERY },
+ { "inforep", ICMP_IREQREPLY, ICMP6_NI_REPLY },
+ { "listendone", -1, MLD_LISTENER_DONE },
+ { "listenqry", -1, MLD_LISTENER_QUERY },
+ { "listenrep", -1, MLD_LISTENER_REPORT },
+ { "maskrep", ICMP_MASKREPLY, -1 },
+ { "maskreq", ICMP_MASKREQ, -1 },
+ { "memberqry", -1, ICMP6_MEMBERSHIP_QUERY },
+ { "memberred", -1, ICMP6_MEMBERSHIP_REDUCTION },
+ { "memberreply",-1, ICMP6_MEMBERSHIP_REPORT },
+ { "neighadvert", -1, ND_NEIGHBOR_ADVERT },
+ { "neighborsol", -1, ND_NEIGHBOR_SOLICIT },
+ { "neighborsolicit", -1, ND_NEIGHBOR_SOLICIT },
+ { "paramprob", ICMP_PARAMPROB, ICMP6_PARAM_PROB },
+ { "redir", ICMP_REDIRECT, ND_REDIRECT },
+ { "renumber", -1, ICMP6_ROUTER_RENUMBERING },
+ { "routerad", ICMP_ROUTERADVERT, ND_ROUTER_ADVERT },
+ { "routeradvert",ICMP_ROUTERADVERT, ND_ROUTER_ADVERT },
+ { "routersol", ICMP_ROUTERSOLICIT, ND_ROUTER_SOLICIT },
+ { "routersolcit",ICMP_ROUTERSOLICIT, ND_ROUTER_SOLICIT },
+ { "squench", ICMP_SOURCEQUENCH, -1 },
+ { "timest", ICMP_TSTAMP, -1 },
+ { "timestrep", ICMP_TSTAMPREPLY, -1 },
+ { "timex", ICMP_TIMXCEED, ICMP6_TIME_EXCEEDED },
+ { "toobig", -1, ICMP6_PACKET_TOO_BIG },
+ { "unreach", ICMP_UNREACH, ICMP6_DST_UNREACH },
+ { "whorep", -1, ICMP6_WRUREPLY },
+ { "whoreq", -1, ICMP6_WRUREQUEST },
+ { NULL, -1, -1 }
+};
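Review bot: The `#ifndef USE_INET6` block zeroes every ICMPv6 constant the table uses except `ND_REDIRECT`, which the `"redir"` row still references, so a build without USE_INET6 depends on a system header happening to define it. Adding `# undef ND_REDIRECT` and `# define ND_REDIRECT 0` would match the others. In the `#else` block the `MLD_LISTENER_REDUCTION` fallback can never apply, because `MLD_LISTENER_DONE` is unconditionally defined just above it; the two tests need swapping if the alias is intended. The keyword `"routersolcit"` looks like a misspelling of "routersolicit", and because it is a rule-language token it deserves a comment saying whether the spelling is deliberate.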
diff --git a/contrib/ipfilter/lib/initparse.c b/contrib/ipfilter/lib/initparse.c
index 6fdfc8a..a16ac0f 100644
--- a/contrib/ipfilter/lib/initparse.c
+++ b/contrib/ipfilter/lib/initparse.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: initparse.c,v 1.6.4.1 2006/06/16 17:21:02 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/interror.c b/contrib/ipfilter/lib/interror.c
new file mode 100644
index 0000000..c13f5f8
--- /dev/null
+++ b/contrib/ipfilter/lib/interror.c
@@ -0,0 +1,582 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: interror.c,v 1.9.2.12 2012/07/22 08:03:39 darren_r Exp $
+ */
+
+#include "ipf.h"
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+typedef struct {
+ int iee_number;
+ char *iee_text;
+} ipf_error_entry_t;
+
+static ipf_error_entry_t *find_error __P((int));
+
+#define IPF_NUM_ERRORS 475
+
+/*
+ * NO REUSE OF NUMBERS!
+ *
+ * IF YOU WANT TO ADD AN ERROR TO THIS TABLE, _ADD_ A NEW NUMBER.
+ * DO _NOT_ USE AN EMPTY NUMBER OR FILL IN A GAP.
+ */
+static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
+ { 1, "auth table locked/full" },
+ { 2, "" },
+ { 3, "copyinptr received bad address" },
+ { 4, "copyoutptr received bad address" },
+ { 5, "" },
+ { 6, "cannot load a rule with FR_T_BUILTIN flag set" },
+ { 7, "internal rule without FR_T_BUILDINT flag set" },
+ { 8, "no data provided with filter rule" },
+ { 9, "invalid ioctl for rule" },
+ { 10, "rule protocol is not 4 or 6" },
+ { 11, "cannot find rule function" },
+ { 12, "cannot find rule group" },
+ { 13, "group in/out does not match rule in/out" },
+ { 14, "rule without in/out does not belong to a group" },
+ { 15, "cannot determine where to append rule" },
+ { 16, "malloc for rule data failed" },
+ { 17, "copyin for rule data failed" },
+ { 18, "" },
+ { 19, "zero data size for BPF rule" },
+ { 20, "BPF validation failed" },
+ { 21, "incorrect data size for IPF rule" },
+ { 22, "'keep state' rule included 'with oow'" },
+ { 23, "bad interface index with dynamic source address" },
+ { 24, "bad interface index with dynamic dest. address" },
+ { 25, "match array verif failed for filter rule" },
+ { 26, "bad filter rule type" },
+ { 27, "rule not found for zero'stats" },
+ { 28, "copyout failed for zero'ing stats" },
+ { 29, "rule not found for removing" },
+ { 30, "cannot remove internal rule" },
+ { 31, "rule in use" },
+ { 32, "rule already exists" },
+ { 33, "no memory for another rule" },
+ { 34, "could not find function" },
+ { 35, "copyout failed for resolving function name -> addr" },
+ { 36, "copyout failed for resolving function addr -> name" },
+ { 37, "function name/addr resolving search failed" },
+ { 38, "group map cannot find it's hash table" },
+ { 39, "group map hash-table in/out do not match rule" },
+ { 40, "bcopyout failed for SIOCIPFINTERROR" },
+ { 41, "" },
+ { 42, "ipfilter not enabled for NAT ioctl" },
+ { 43, "ipfilter not enabled for state ioctl" },
+ { 44, "ipfilter not enabled for auth ioctl" },
+ { 45, "ipfilter not enbaled for sync ioctl" },
+ { 46, "ipfilter not enabled for scan ioctl" },
+ { 47, "ipfilter not enabled for lookup ioctl" },
+ { 48, "unrecognised device minor number for ioctl" },
+ { 49, "unrecognised object type for copying in ipfobj" },
+ { 50, "mismatching object type for copying in ipfobj" },
+ { 51, "object size too small for copying in ipfobj" },
+ { 52, "object size mismatch for copying in ipfobj" },
+ { 53, "compat object size too small for copying in ipfobj" },
+ { 54, "compat object size mismatch for copying in ipfobj" },
+ { 55, "error doing copyin of data for in ipfobj" },
+ { 56, "unrecognised object type for size copy in ipfobj" },
+ { 57, "object size too small for size copy in ipfobj" },
+ { 58, "mismatching object type for size copy in ipfobj" },
+ { 59, "object size mismatch for size copy in ipfobj" },
+ { 60, "compat object size mismatch for size copy in ipfobj" },
+ { 61, "error doing size copyin of data for in ipfobj" },
+ { 62, "bad object type for size copy out ipfobj" },
+ { 63, "mismatching object type for size copy out ipfobj" },
+ { 64, "object size mismatch for size copy out ipfobj" },
+ { 65, "compat object size wrong for size copy out ipfobj" },
+ { 66, "error doing size copyout of data for out ipfobj" },
+ { 67, "unrecognised object type for copying out ipfobj" },
+ { 68, "mismatching object type for copying out ipfobj" },
+ { 69, "object size too small for copying out ipfobj" },
+ { 70, "object size mismatch for copying out ipfobj" },
+ { 71, "compat object size too small for copying out ipfobj" },
+ { 72, "compat object size mismatch for copying out ipfobj" },
+ { 73, "error doing copyout of data for out ipfobj" },
+ { 74, "attempt to add existing tunable name" },
+ { 75, "cannot find tunable name to delete" },
+ { 76, "internal data too big for next tunable" },
+ { 77, "could not find tunable" },
+ { 78, "tunable can only be changed when ipfilter disabled" },
+ { 79, "new tunable value outside accepted range" },
+ { 80, "ipftune called for unrecognised ioctl" },
+ { 81, "" },
+ { 82, "could not find token to delete" },
+ { 83, "" },
+ { 84, "attempt to get next rule when no more exist" },
+ { 85, "value for iri_inout outside accepted range" },
+ { 86, "value for iri_active outside accepted range" },
+ { 87, "value for iri_nrules is 0" },
+ { 88, "NULL pointer specified for where to copy rule to" },
+ { 89, "copyout of rule failed" },
+ { 90, "" },
+ { 91, "could not get token for rule iteration" },
+ { 92, "unrecognised generic iterator" },
+ { 93, "could not find token for generic iterator" },
+ { 94, "need write permissions to disable/enable ipfilter" },
+ { 95, "error copying in enable/disable value" },
+ { 96, "need write permissions to set ipf tunable" },
+ { 97, "need write permissions to set ipf flags" },
+ { 98, "error doing copyin of ipf flags" },
+ { 99, "error doing copyout of ipf flags" },
+ { 100, "need write permissions to add another rule" },
+ { 101, "need write permissions to insert another rule" },
+ { 102, "need write permissions to swap active rule set" },
+ { 103, "error copying out current active rule set" },
+ { 104, "need write permissions to zero ipf stats" },
+ { 105, "need write permissions to flush ipf v4 rules" },
+ { 106, "error copying out v4 flush results" },
+ { 107, "error copying in v4 flush command" },
+ { 108, "need write permissions to flush ipf v6 rules" },
+ { 109, "error copying out v6 flush results" },
+ { 110, "error copying in v6 flush command" },
+ { 111, "error copying in new lock state for ipfilter" },
+ { 112, "need write permissions to flush ipf logs" },
+ { 113, "error copying out results of log flush" },
+ { 114, "need write permissions to resync ipf" },
+ { 115, "unrecognised ipf ioctl" },
+ { 116, "error copying in match array" },
+ { 117, "match array type is not IPFOBJ_IPFEXPR" },
+ { 118, "bad size for match array" },
+ { 119, "cannot allocate memory for match aray" },
+ { 120, "error copying in match array" },
+ { 121, "error verifying contents of match array" },
+ { 122, "need write permissions to set ipf lock status" },
+ { 123, "error copying in data for function resolution" },
+ { 124, "error copying in ipfobj structure" },
+ { 125, "error copying in ipfobj structure" },
+ { 126, "error copying in ipfobj structure" },
+ { 127, "error copying in ipfobj structure" },
+ { 128, "no memory for filter rule comment" },
+ { 129, "error copying in filter rule comment" },
+ { 130, "error copying out filter rule comment" },
+ { 131, "no memory for new rule alloc buffer" },
+ { 132, "cannot find source lookup pool" },
+ { 133, "unknown source address type" },
+ { 134, "cannot find destination lookup pool" },
+ { 135, "unknown destination address type" },
+ { 136, "icmp head group name index incorrect" },
+ { 137, "group head name index incorrect" },
+ { 138, "group name index incorrect" },
+ { 139, "to interface name index incorrect" },
+ { 140, "dup-to interface name index incorrect" },
+ { 141, "reply-to interface name index incorrect" },
+ { 142, "could not initialise call now function" },
+ { 143, "could not initialise call function" },
+ { 144, "could not find destination list" },
+ { 145, "auth rules cannot have dup/to/fastroute" },
+ { 146, "incorrect size for object to copy out" },
+ { 147, "object type out of bounds for kernel copyout" },
+ { 148, "object size too small for kernel copyout" },
+ { 149, "object size validation failed for kernel copyout" },
+ { 150, "error copying data out for kernel copyout" },
+ { 151, "version mismatch for kernel copyout" },
+/* -------------------------------------------------------------------------- */
+ { 10001, "could not find token for auth iterator" },
+ { 10002, "write permissions require to add/remove auth rule" },
+ { 10003, "need write permissions to set auth lock" },
+ { 10004, "error copying out results of auth flush" },
+ { 10005, "unknown auth ioctl" },
+ { 10006, "can only append or remove preauth rules" },
+ { 10007, "NULL pointers passed in for preauth remove" },
+ { 10008, "preauth rule not found to remove" },
+ { 10009, "could not malloc memory for preauth entry" },
+ { 10010, "unrecognised preauth rule ioctl command" },
+ { 10011, "iterator data supplied with NULL pointer" },
+ { 10012, "unknown auth iterator type" },
+ { 10013, "iterator error copying out auth data" },
+ { 10014, "sleep waiting for auth packet interrupted" },
+ { 10015, "bad index supplied in auth reply" },
+ { 10016, "error injecting outbound packet back into kernel" },
+ { 10017, "error injecting inbound packet back into kernel" },
+ { 10018, "could not attempt to inject packet back into kernel" },
+ { 10019, "packet id does not match" },
+/* -------------------------------------------------------------------------- */
+ { 20001, "invalid frag token data pointer supplied" },
+ { 20002, "error copying out frag token data" },
+ { 20003, "can only copy one fragment state entry at a time" },
+/* -------------------------------------------------------------------------- */
+ { 30001, "incorrect object size to get hash table stats" },
+ { 30002, "could not malloc memory for new hash table" },
+ { 30003, "error coping in hash table structure" },
+ { 30004, "hash table already exists" },
+ { 30005, "mismach between new hash table and operation unit" },
+ { 30006, "could not malloc memory for hash table base" },
+ { 30007, "could not find hash table" },
+ { 30008, "mismatch between hash table and operation unit" },
+ { 30009, "could not find hash table for iterators next node" },
+ { 30010, "unknown iterator tpe" },
+ { 30011, "iterator error copying out hash table" },
+ { 30012, "iterator error copying out hash table entry" },
+ { 30013, "error copying out hash table statistics" },
+ { 30014, "table node delete structure wrong size" },
+ { 30015, "error copying in node to delete" },
+ { 30016, "table to delete node from does not exist" },
+ { 30017, "could not find table to remove node from" },
+ { 30018, "table node add structure wrong size" },
+ { 30019, "error copying in node to add" },
+ { 30020, "could not find table to add node to" },
+ { 30021, "node already exists in the table" },
+ { 30022, "could not find node to delete in table" },
+ { 30023, "uid mismatch on node to delete" },
+ { 30024, "object size incorrect for hash table" },
+ { 30025, "hash table size must be at least 1"},
+ { 30026, "cannot allocate memory for hash table context" },
+/* -------------------------------------------------------------------------- */
+ { 40001, "invalid minor device numebr for log read" },
+ { 40002, "read size too small" },
+ { 40003, "interrupted waiting for log data to read" },
+ { 40004, "interrupted waiting for log data to read" },
+ { 40005, "read size too large" },
+ { 40006, "uiomove for read operation failed" },
+/* -------------------------------------------------------------------------- */
+ { 50001, "unknown lookup ioctl" },
+ { 50002, "error copying in object data for add node" },
+ { 50003, "invalid unit for lookup add node" },
+ { 50004, "incorrect size for adding a pool node" },
+ { 50005, "error copying in pool node structure" },
+ { 50006, "mismatch in pool node address/mask families" },
+ { 50007, "could not find pool name" },
+ { 50008, "node already exists in pool" },
+ { 50009, "incorrect size for adding a hash node" },
+ { 50010, "error copying in hash node structure" },
+ { 50011, "could not find hash table name" },
+ { 50012, "unrecognised object type for lookup add node" },
+ { 50013, "invalid unit for lookup delete node" },
+ { 50014, "incorrect size for deleting a pool node" },
+ { 50015, "error copying in pool node structure" },
+ { 50016, "could not find pool name" },
+ { 50017, "could not find pool node" },
+ { 50018, "incorrect size for removing a hash node" },
+ { 50019, "error copying in hash node structure" },
+ { 50020, "could not find hash table name" },
+ { 50021, "unrecognised object type for lookup delete node" },
+ { 50022, "error copying in add table data" },
+ { 50023, "invalid unit for lookup add table" },
+ { 50024, "pool name already exists" },
+ { 50025, "hash table name already exists" },
+ { 50026, "unrecognised object type for lookup add table" },
+ { 50027, "error copying table data back out" },
+ { 50028, "error copying in remove table data" },
+ { 50029, "invalid unit for lookup remove table" },
+ { 50030, "unrecognised object type for lookup remove table" },
+ { 50031, "error copying in lookup stats structure" },
+ { 50032, "invalid unit for lookup stats" },
+ { 50033, "unrecognised object type for lookup stats" },
+ { 50034, "error copying in flush lookup data" },
+ { 50035, "invalid unit for lookup flush" },
+ { 50036, "incorrect table type for lookup flush" },
+ { 50037, "error copying out lookup flush results" },
+ { 50038, "invalid unit for lookup iterator" },
+ { 50039, "invalid unit for lookup iterator" },
+ { 50040, "could not find token for lookup iterator" },
+ { 50041, "unrecognised object type for lookup interator" },
+ { 50042, "error copying in lookup delete node operation" },
+/* -------------------------------------------------------------------------- */
+ { 60001, "insufficient privilege for NAT write operation" },
+ { 60002, "need write permissions to flush NAT logs" },
+ { 60003, "need write permissions to turn NAT logging on/off" },
+ { 60004, "error copying out current NAT log setting" },
+ { 60005, "error copying out bytes waiting to be read in NAT \
+log" },
+ { 60006, "need write permissions to add NAT rule" },
+ { 60007, "NAT rule already exists" },
+ { 60008, "could not allocate memory for NAT rule" },
+ { 60009, "need write permissions to remove NAT rule" },
+ { 60010, "NAT rule could not be found" },
+ { 60011, "could not find NAT entry for redirect lookup" },
+ { 60012, "need write permissions to flush NAT table" },
+ { 60013, "error copying in NAT flush command" },
+ { 60014, "need write permissions to do matching NAT flush" },
+ { 60015, "need write permissions to set NAT lock" },
+ { 60016, "need write permissions to add entry to NAT table" },
+ { 60017, "NAT not locked for size retrieval" },
+ { 60018, "NAT not locked for fetching NAT table entry" },
+ { 60019, "error copying in NAT token data for deletion" },
+ { 60020, "unknown NAT ioctl" },
+ { 60021, "" },
+ { 60022, "resolving proxy name in NAT rule failed" },
+ { 60023, "only reply age specified in NAT rule" },
+ { 60024, "error doing copyin to determine NAT entry size" },
+ { 60025, "error copying out NAT size of 0" },
+ { 60026, "NAT entry not found" },
+ { 60027, "error doing copyout of NAT entry size" },
+ { 60028, "invalid data size for getting NAT entry" },
+ { 60029, "could not malloc temporary space for NAT entry" },
+ { 60030, "no NAT table entries present" },
+ { 60031, "NAT entry to get next from not found" },
+ { 60032, "not enough space for proxy structure" },
+ { 60033, "not enough space for private proxy data" },
+ { 60034, "NAT entry size is too large" },
+ { 60035, "could not malloc memory for NAT entry sratch space" },
+ { 60036, "" },
+ { 60037, "could not malloc memory for NAT entry" },
+ { 60038, "could not malloc memory for NAT entry rule" },
+ { 60039, "could not resolve NAT entry rule's proxy" },
+ { 60040, "cannot add outbound duplicate NAT entry" },
+ { 60041, "cannot add inbound duplicate NAT entry" },
+ { 60042, "cannot add NAT entry that is neither IN nor OUT" },
+ { 60043, "could not malloc memory for NAT proxy data" },
+ { 60044, "proxy data size too big" },
+ { 60045, "could not malloc proxy private data for NAT entry" },
+ { 60046, "could not malloc memory for new NAT filter rule" },
+ { 60047, "could not find existing filter rule for NAT entry" },
+ { 60048, "insertion into NAT table failed" },
+ { 60049, "iterator error copying out hostmap data" },
+ { 60050, "iterator error copying out NAT rule data" },
+ { 60051, "iterator error copying out NAT entry data" },
+ { 60052, "iterator data supplied with NULL pointer" },
+ { 60053, "unknown NAT iterator type" },
+ { 60054, "unknwon next address type" },
+ { 60055, "iterator suppled with unknown type for get-next" },
+ { 60056, "unknown lookup group for next address" },
+ { 60057, "error copying out NAT log flush results" },
+ { 60058, "bucket table type is incorrect" },
+ { 60059, "error copying out NAT bucket table" },
+ { 60060, "function not found for lookup" },
+ { 60061, "address family not supported with SIOCSTPUT" },
+ { 60062, "unknown timeout name" },
+ { 60063, "cannot allocate new inbound NAT entry table" },
+ { 60064, "cannot allocate new outbound NAT entry table" },
+ { 60065, "cannot allocate new inbound NAT bucketlen table" },
+ { 60066, "cannot allocate new outbound NAT bucketlen table" },
+ { 60067, "cannot allocate new NAT rules table" },
+ { 60068, "cannot allocate new NAT hostmap table" },
+ { 60069, "new source lookup type is not dstlist" },
+ { 60070, "cannot allocate NAT rule scratch space" },
+ { 60071, "new destination lookup type is not dstlist" },
+ { 60072, "function not found for lookup (ipv6)" },
+ { 60073, "unknown lookup group for next address (ipv6)" },
+ { 60074, "unknown next address type (ipv6)" },
+ { 60075, "one object at a time must be copied" },
+/* -------------------------------------------------------------------------- */
+ { 70001, "incorrect object size to get pool stats" },
+ { 70002, "could not malloc memory for new pool node" },
+ { 70003, "invalid addresss length for new pool node" },
+ { 70004, "invalid mask length for new pool node" },
+ { 70005, "error adding node to pool" },
+ { 70006, "pool already exists" },
+ { 70007, "could not malloc memory for new pool" },
+ { 70008, "could not allocate radix tree for new pool" },
+ { 70009, "could not find pool" },
+ { 70010, "unknown pool name for iteration" },
+ { 70011, "unknown pool iterator" },
+ { 70012, "error copying out pool head" },
+ { 70013, "error copying out pool node" },
+ { 70014, "add node size incorrect" },
+ { 70015, "error copying in pool node" },
+ { 70016, "" },
+ { 70017, "cannot find pool for node" },
+ { 70018, "node entry already present in pool" },
+ { 70019, "delete node size incorrect" },
+ { 70020, "error copying in node to delete" },
+ { 70021, "cannot find pool to delete node from" },
+ { 70022, "cannot find node to delete in pool" },
+ { 70023, "pool name already exists" },
+ { 70024, "uid mismatch for node removal" },
+ { 70025, "stats device unit is invalid" },
+ { 70026, "error copying out statistics" },
+ { 70027, "could not remove node from radix tree" },
+ { 70028, "incorrect address length in pool node add" },
+ { 70029, "incorrect mask length in pool node add" },
+ { 70030, "incorrect address length in pool node remove" },
+ { 70031, "incorrect mask length in pool node remove" },
+ { 70032, "cannot allocate memory for pool context" },
+ { 70033, "cannot allocate memory for radix tree context" },
+ { 70034, "adding IPv6 node with incorrect address length" },
+ { 70035, "IPv4 address not masked" },
+ { 70036, "IPv6 address not masked" },
+ { 70037, "removing IPv6 node with incorrect address length" },
+/* -------------------------------------------------------------------------- */
+ { 80001, "could not find proxy" },
+ { 80002, "proxy does not support control operations" },
+ { 80003, "could not allocate data to hold proxy operation" },
+ { 80004, "unknown proxy ioctl" },
+ { 80005, "could not copyin proxy control structure" },
+ { 80006, "DNS proxy could not find rule to delete" },
+ { 80007, "DNS proxy found existing matching rule" },
+ { 80008, "DNS proxy could not allocate memory for new rule" },
+ { 80009, "DNS proxy unknown command request" },
+/* -------------------------------------------------------------------------- */
+ { 90001, "could not malloc space for new scan structure" },
+ { 90002, "scan tag already exists" },
+ { 90003, "scan structure in use" },
+ { 90004, "could not find matching scan tag for filter rule" },
+ { 90005, "could not copyout scan statistics" },
+/* -------------------------------------------------------------------------- */
+ { 100001, "cannot find matching state entry to remove" },
+ { 100002, "error copying in v4 state flush command" },
+ { 100003, "error copying out v4 state flush results" },
+ { 100004, "error copying in v6 state flush command" },
+ { 100005, "error copying out v6 state flush results" },
+ { 100006, "" },
+ { 100007, "" },
+ { 100008, "need write permissions to flush state log" },
+ { 100009, "erorr copyout results of flushing state log" },
+ { 100010, "need write permissions to turn state logging on/off" },
+ { 100011, "error copying in new state logging state" },
+ { 100012, "error copying out current state logging state" },
+ { 100013, "error copying out bytes waiting to be read in state \
+log" },
+ { 100014, "need write permissions to set state lock" },
+ { 100015, "need write permissions to add entry to state table" },
+ { 100016, "state not locked for size retrieval" },
+ { 100017, "error copying out hash table bucket lengths" },
+ { 100018, "could not find token for state iterator" },
+ { 100019, "error copying in state token data for deletion" },
+ { 100020, "unknown state ioctl" },
+ { 100021, "no state table entries present" },
+ { 100022, "state entry to get next from not found" },
+ { 100023, "could not malloc memory for state entry" },
+ { 100024, "could not malloc memory for state entry rule" },
+ { 100025, "could not copy back state entry to user space" },
+ { 100026, "iterator data supplied with NULL pointer" },
+ { 100027, "iterator supplied with 0 item count" },
+ { 100028, "iterator type is incorrect" },
+ { 100029, "invalid state token data pointer supplied" },
+ { 100030, "error copying out next state entry" },
+ { 100031, "unrecognised table request" },
+ { 100032, "error copying out bucket length data" },
+ { 100033, "could not find existing filter rule for state entry" },
+ { 100034, "could not find timeout name" },
+ { 100035, "could not allocate new state table" },
+ { 100036, "could not allocate new state bucket length table" },
+/* -------------------------------------------------------------------------- */
+ { 110001, "sync write header magic number is incorrect" },
+ { 110002, "sync write header protocol is incorrect" },
+ { 110003, "sync write header command is incorrect" },
+ { 110004, "sync write header table number is incorrect" },
+ { 110005, "data structure too small for sync write operation" },
+ { 110006, "zero length data with sync write header" },
+ { 110007, "insufficient data for sync write" },
+ { 110008, "bad sync read size" },
+ { 110009, "interrupted sync read (solaris)" },
+ { 110010, "interrupted sync read (hpux)" },
+ { 110011, "interrupted sync read (osf)" },
+ { 110012, "interrupted sync read" },
+ { 110013, "could not malloc memory for sync'd state" },
+ { 110014, "could not malloc memory for sync-state list item" },
+ { 110015, "sync update could not find state" },
+ { 110016, "unrecognised sync state command" },
+ { 110017, "could not malloc memory for new sync'd NAT entry" },
+ { 110018, "could not malloc memory for sync-NAT list item" },
+ { 110019, "sync update could not find NAT entry" },
+ { 110020, "unrecognised sync NAT command" },
+ { 110021, "ioctls are not handled with sync" },
+/* -------------------------------------------------------------------------- */
+ { 120001, "null data pointer for iterator" },
+ { 120002, "unit outside of acceptable range" },
+ { 120003, "unknown iterator subtype" },
+ { 120004, "cannot find dest. list for iteration" },
+ { 120005, "error copying out destination iteration list" },
+ { 120006, "error copying out destination iteration node" },
+ { 120007, "wrong size for frdest_t structure" },
+ { 120008, "cannot allocate memory for new destination node" },
+ { 120009, "error copying in destination node to add" },
+ { 120010, "could not find destination list to add node to" },
+ { 120011, "error copying in destination node to remove" },
+ { 120012, "could not find dest. list to remove node from" },
+ { 120013, "destination list already exists" },
+ { 120014, "could not allocate new destination table" },
+ { 120015, "could not find destination list to remove" },
+ { 120016, "destination list cannot be removed - it is busy" },
+ { 120017, "error copying in names for destination" },
+ { 120018, "destination name is too long/short" },
+ { 120019, "unrecognised address family in destination" },
+ { 120020, "" },
+ { 120021, "error copying in new destination table" },
+ { 120022, "cannot allocate memory for node table" },
+ { 120023, "stats object size is incorrect for dest. lists" },
+ { 120024, "stats device unit is invalid for dest. lists" },
+ { 120025, "error copying out dest. list statistics" },
+ { 120026, "cannot allocate memory for destination node" },
+ { 120027, "error copying in destination node" },
+ { 120028, "cannot allocate memory for destination context " },
+/* -------------------------------------------------------------------------- */
+ { 130001, "ioctl denied by system security level" },
+ { 130002, "ioctl operation on invalid minor device" },
+ { 130003, "ioctl on device denied, ipfitler is disabled" },
+ { 130004, "ioctl command not allowed when disabled" },
+ { 130005, "ioctl denied due to insufficient authorisation" },
+ { 130006, "cannot read while ipfilter is disabled" },
+ { 130007, "read on minor device not supported" },
+ { 130008, "cannot write while ipfilter is disabled" },
+ { 130009, "write on minor device not supported" },
+ { 130010, "poll on minor device is not supported" },
+ { 130011, "error removing IPv4 filter hooks" },
+ { 130012, "error removing IPv6 filter hooks" },
+ { 130013, "attaching IPv4 hook failed" },
+ { 130014, "attaching IPv6 hook failed" },
+ { 130015, "ipf_init_all failed" },
+ { 130016, "finding pfil head failed" },
+ { 130017, "ipfilter is already initialised and running" },
+};
+
+
+static ipf_error_entry_t *
+find_error(errnum)
+ int errnum;
+{
+ ipf_error_entry_t *ie;
+
+ int l = -1, r = IPF_NUM_ERRORS + 1, step;
+ step = (r - l) / 2;;
+
+ while (step != 0) {
+ ie = ipf_errors + l + step;
+ if (ie->iee_number == errnum)
+ return ie;
+ step = l + step;
+ if (ie->iee_number > errnum)
+ r = step;
+ else
+ l = step;
+ step = (r - l) / 2;;
+ }
+
+ return NULL;
+}
+
+char *
+ipf_geterror(fd, func)
+ int fd;
+ ioctlfunc_t *func;
+{
+ static char text[80];
+ ipf_error_entry_t *ie;
+ int errnum;
+
+ if ((*func)(fd, SIOCIPFINTERROR, &errnum) == 0) {
+
+ ie = find_error(errnum);
+ if (ie != NULL)
+ return ie->iee_text;
+ sprintf(text, "unknown error %d", errnum);
+ } else {
+ sprintf(text, "retrieving error number failed (%d)", errno);
+ }
+ return text;
+}
+
+
+char *
+ipf_strerror(errnum)
+ int errnum;
+{
+ static char text[80];
+ ipf_error_entry_t *ie;
+
+
+ ie = find_error(errnum);
+ if (ie != NULL)
+ return ie->iee_text;
+
+ sprintf(text, "unknown error %d", errnum);
+ return text;
+}
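Review bot: In find_error() the upper bound starts at `IPF_NUM_ERRORS + 1`, so for any errnum larger than the last table entry the search probes `ipf_errors[IPF_NUM_ERRORS]`, one element past the array (with l = 474 and r = 476 the step is 1 and the index is 475). The number comes from the SIOCIPFINTERROR ioctl or from callers of ipf_strerror(), so an unexpected value should fall through to the "unknown error" text rather than read outside the table. Starting from an exclusive bound, `int l = -1, r = IPF_NUM_ERRORS, step;`, keeps every probe within 0..IPF_NUM_ERRORS-1 and still finds every entry. The comment above the table should also say that entries must stay in ascending numeric order, since the lookup is a binary search.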
diff --git a/contrib/ipfilter/lib/ionames.c b/contrib/ipfilter/lib/ionames.c
index d2fc977..9b58642 100644
--- a/contrib/ipfilter/lib/ionames.c
+++ b/contrib/ipfilter/lib/ionames.c
@@ -1,40 +1,41 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ionames.c,v 1.7.4.1 2006/06/16 17:21:02 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
struct ipopt_names ionames[] ={
{ IPOPT_NOP, 0x000001, 1, "nop" }, /* RFC791 */
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" }, /* size ?? */
- { IPOPT_MTUP, 0x000008, 3, "mtup" }, /* RFC1191 */
- { IPOPT_MTUR, 0x000010, 3, "mtur" }, /* RFC1191 */
- { IPOPT_ENCODE, 0x000020, 3, "encode" }, /* size ?? */
+ { IPOPT_RR, 0x000002, 8, "rr" }, /* 1 route */
+ { IPOPT_ZSU, 0x000004, 4, "zsu" }, /* size ?? */
+ { IPOPT_MTUP, 0x000008, 4, "mtup" }, /* RFC1191 */
+ { IPOPT_MTUR, 0x000010, 4, "mtur" }, /* RFC1191 */
+ { IPOPT_ENCODE, 0x000020, 4, "encode" }, /* size ?? */
{ IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" }, /* RFC1393 */
- { IPOPT_SECURITY,0x000100, 11, "sec" }, /* RFC1108 */
- { IPOPT_SECURITY,0x000100, 11, "sec-class" }, /* RFC1108 */
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" }, /* RFC1108 */
- { IPOPT_CIPSO, 0x000800, 3, "cipso" }, /* size ?? */
+ { IPOPT_TR, 0x000080, 4, "tr" }, /* RFC1393 */
+ { IPOPT_SECURITY,0x000100, 12, "sec" }, /* RFC1108 */
+ { IPOPT_SECURITY,0x000100, 12, "sec-class" }, /* RFC1108 */
+ { IPOPT_LSRR, 0x000200, 8, "lsrr" }, /* 1 route */
+ { IPOPT_E_SEC, 0x000400, 8, "e-sec" }, /* RFC1108 */
+ { IPOPT_CIPSO, 0x000800, 8, "cipso" }, /* size ?? */
{ IPOPT_SATID, 0x001000, 4, "satid" }, /* RFC791 */
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" }, /* IPv7 ?? */
- { IPOPT_VISA, 0x008000, 3, "visa" }, /* size ?? */
- { IPOPT_IMITD, 0x010000, 3, "imitd" }, /* size ?? */
- { IPOPT_EIP, 0x020000, 3, "eip" }, /* RFC1385 */
- { IPOPT_FINN, 0x040000, 3, "finn" }, /* size ?? */
- { IPOPT_DPS, 0x080000, 3, "dps" }, /* size ?? */
- { IPOPT_SDB, 0x100000, 3, "sdb" }, /* size ?? */
- { IPOPT_NSAPA, 0x200000, 3, "nsapa" }, /* size ?? */
- { IPOPT_RTRALRT,0x400000, 3, "rtralrt" }, /* RFC2113 */
- { IPOPT_UMP, 0x800000, 3, "ump" }, /* size ?? */
+ { IPOPT_SSRR, 0x002000, 8, "ssrr" }, /* 1 route */
+ { IPOPT_ADDEXT, 0x004000, 4, "addext" }, /* IPv7 ?? */
+ { IPOPT_VISA, 0x008000, 4, "visa" }, /* size ?? */
+ { IPOPT_IMITD, 0x010000, 4, "imitd" }, /* size ?? */
+ { IPOPT_EIP, 0x020000, 4, "eip" }, /* RFC1385 */
+ { IPOPT_FINN, 0x040000, 4, "finn" }, /* size ?? */
+ { IPOPT_DPS, 0x080000, 4, "dps" }, /* size ?? */
+ { IPOPT_SDB, 0x100000, 4, "sdb" }, /* size ?? */
+ { IPOPT_NSAPA, 0x200000, 4, "nsapa" }, /* size ?? */
+ { IPOPT_RTRALRT,0x400000, 4, "rtralrt" }, /* RFC2113 */
+ { IPOPT_UMP, 0x800000, 4, "ump" }, /* size ?? */
+ { IPOPT_AH, 0x1000000, 0, "ah" }, /* IPPROTO_AH */
{ 0, 0, 0, (char *)NULL } /* must be last */
};
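Review bot: The third column of ionames[] changes on most rows (3 to 4, 7 to 8, 11 to 12, and 3 to 8 for "e-sec" and "cipso"), yet the `/* size ?? */` comments are kept and nothing in the hunk says what the column now represents. The new "ah" row uses 0 there and a bit value of 0x1000000, one bit above the previous highest mask. A short comment above the table stating the unit of the size column (it looks like a length padded to a multiple of four, but that is inferred) and what a size of 0 means for consumers would keep a later editor from reverting these values. It would also be worth confirming that every holder of the bit mask is at least 25 bits wide, as those declarations are not visible here.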
diff --git a/contrib/ipfilter/lib/ipf_dotuning.c b/contrib/ipfilter/lib/ipf_dotuning.c
index 6508a26..b0ac8b4 100644
--- a/contrib/ipfilter/lib/ipf_dotuning.c
+++ b/contrib/ipfilter/lib/ipf_dotuning.c
@@ -1,21 +1,21 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipf_dotuning.c,v 1.2.4.3 2006/06/16 17:21:02 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#include "netinet/ipl.h"
#include <sys/ioctl.h>
void ipf_dotuning(fd, tuneargs, iocfn)
-int fd;
-char *tuneargs;
-ioctlfunc_t iocfn;
+ int fd;
+ char *tuneargs;
+ ioctlfunc_t iocfn;
{
ipfobj_t obj;
ipftune_t tu;
@@ -31,7 +31,8 @@ ioctlfunc_t iocfn;
if (!strcmp(s, "list")) {
while (1) {
if ((*iocfn)(fd, SIOCIPFGETNEXT, &obj) == -1) {
- perror("ioctl(SIOCIPFGETNEXT)");
+ ipf_perror_fd(fd, iocfn,
+ "ioctl(SIOCIPFGETNEXT)");
break;
}
if (tu.ipft_cookie == NULL)
@@ -46,7 +47,8 @@ ioctlfunc_t iocfn;
strncpy(tu.ipft_name, s, sizeof(tu.ipft_name));
if (sscanf(t, "%lu", &tu.ipft_vlong) == 1) {
if ((*iocfn)(fd, SIOCIPFSET, &obj) == -1) {
- perror("ioctl(SIOCIPFSET)");
+ ipf_perror_fd(fd, iocfn,
+ "ioctl(SIOCIPFSET)");
return;
}
} else {
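Review bot: The `strncpy(tu.ipft_name, s, sizeof(tu.ipft_name))` kept as context at the top of this hunk leaves ipft_name without a terminating NUL when the name taken from tuneargs is as long as the field or longer; the same call appears in the following hunk before the SIOCIPFGET ioctl. Whether tu is zeroed beforehand is not visible, since ipf_dotuning() starts outside the hunk, and zeroing would not help for an over-long name anyway. Bounding the copy and terminating explicitly, `strncpy(tu.ipft_name, s, sizeof(tu.ipft_name) - 1);` followed by `tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';`, keeps the structure handed to the ioctl well-formed whatever the input length.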
@@ -57,7 +59,7 @@ ioctlfunc_t iocfn;
tu.ipft_cookie = NULL;
strncpy(tu.ipft_name, s, sizeof(tu.ipft_name));
if ((*iocfn)(fd, SIOCIPFGET, &obj) == -1) {
- perror("ioctl(SIOCIPFGET)");
+ ipf_perror_fd(fd, iocfn, "ioctl(SIOCIPFGET)");
return;
}
if (tu.ipft_cookie == NULL) {
diff --git a/contrib/ipfilter/lib/ipf_perror.c b/contrib/ipfilter/lib/ipf_perror.c
new file mode 100644
index 0000000..85a1b1d
--- /dev/null
+++ b/contrib/ipfilter/lib/ipf_perror.c
@@ -0,0 +1,47 @@
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include "ipf.h"
+
+void
+ipf_perror(err, string)
+ int err;
+ char *string;
+{
+ if (err == 0)
+ fprintf(stderr, "%s\n", string);
+ else
+ fprintf(stderr, "%s %s\n", string, ipf_strerror(err));
+}
+
+int
+ipf_perror_fd(fd, iocfunc, string)
+ int fd;
+ ioctlfunc_t iocfunc;
+ char *string;
+{
+ int save;
+ int realerr;
+
+ save = errno;
+ if ((*iocfunc)(fd, SIOCIPFINTERROR, &realerr) == -1)
+ realerr = 0;
+
+ errno = save;
+ fprintf(stderr, "%d:", realerr);
+ ipf_perror(realerr, string);
+ return realerr ? realerr : save;
+
+}
+
+void
+ipferror(fd, msg)
+ int fd;
+ char *msg;
+{
+ if (fd >= 0) {
+ ipf_perror_fd(fd, ioctl, msg);
+ } else {
+ fprintf(stderr, "0:");
+ perror(msg);
+ }
+}
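Review bot: In `ipferror`, the else branch calls `fprintf(stderr, "0:")` before `perror(msg)`, and a stdio call is allowed to change errno, so the text printed can describe the wrong error. Save and restore it around the prefix: `int save = errno;` before the `fprintf`, then `errno = save;` just before `perror(msg);`. `ipf_perror_fd` already saves and restores errno around its ioctl, so the same care fits here. None of the three functions has a header comment; a short one on `ipf_perror_fd` should say that it returns the error number fetched with SIOCIPFINTERROR when that is non-zero and the saved errno otherwise.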
diff --git a/contrib/ipfilter/lib/ipft_ef.c b/contrib/ipfilter/lib/ipft_ef.c
deleted file mode 100644
index 2d50f07..0000000
--- a/contrib/ipfilter/lib/ipft_ef.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $
- */
-
-/*
- icmp type
- lnth proto source destination src port dst port
-
-etherfind -n
-
- 60 tcp 128.250.20.20 128.250.133.13 2419 telnet
-
-etherfind -n -t
-
- 0.32 91 04 131.170.1.10 128.250.133.13
- 0.33 566 udp 128.250.37.155 128.250.133.3 901 901
-*/
-
-#include "ipf.h"
-#include "ipt.h"
-
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $";
-#endif
-
-static int etherf_open __P((char *));
-static int etherf_close __P((void));
-static int etherf_readip __P((char *, int, char **, int *));
-
-struct ipread etherf = { etherf_open, etherf_close, etherf_readip, 0 };
-
-static FILE *efp = NULL;
-static int efd = -1;
-
-
-static int etherf_open(fname)
-char *fname;
-{
- if (efd != -1)
- return efd;
-
- if (!strcmp(fname, "-")) {
- efd = 0;
- efp = stdin;
- } else {
- efd = open(fname, O_RDONLY);
- efp = fdopen(efd, "r");
- }
- return efd;
-}
-
-
-static int etherf_close()
-{
- return close(efd);
-}
-
-
-static int etherf_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- char src[16], dst[16], sprt[16], dprt[16];
- char lbuf[128], len[8], prot[8], time[8], *s;
- int slen, extra = 0, i;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst,
- sprt, dprt) != 6)
- if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time,
- len, prot, src, dst, sprt, dprt) != 7)
- return -1;
-
- ip->ip_p = getproto(prot);
-
- switch (ip->ip_p) {
- case IPPROTO_TCP :
- if (isdigit(*sprt))
- pkt.ti_sport = htons(atoi(sprt) & 65535);
- if (isdigit(*dprt))
- pkt.ti_dport = htons(atoi(dprt) & 65535);
- extra = sizeof(struct tcphdr);
- break;
- case IPPROTO_UDP :
- if (isdigit(*sprt))
- pkt.ti_sport = htons(atoi(sprt) & 65535);
- if (isdigit(*dprt))
- pkt.ti_dport = htons(atoi(dprt) & 65535);
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(dst, &ip->ip_dst);
- ip->ip_len = atoi(len);
- IP_HL_A(ip, sizeof(ip_t));
-
- slen = IP_HL(ip) + extra;
- i = MIN(cnt, slen);
- bcopy((char *)&pkt, buf, i);
- return i;
-}
diff --git a/contrib/ipfilter/lib/ipft_hx.c b/contrib/ipfilter/lib/ipft_hx.c
index d295c21..15002ea 100644
--- a/contrib/ipfilter/lib/ipft_hx.c
+++ b/contrib/ipfilter/lib/ipft_hx.c
@@ -1,13 +1,13 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.4 2006/06/16 17:21:03 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <ctype.h>
@@ -20,7 +20,7 @@ extern int opts;
static int hex_open __P((char *));
static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
+static int hex_readip __P((mb_t *, char **, int *));
static char *readhex __P((char *, char *));
struct ipread iphex = { hex_open, hex_close, hex_readip, 0 };
@@ -28,7 +28,7 @@ static FILE *tfp = NULL;
static int tfd = -1;
static int hex_open(fname)
-char *fname;
+ char *fname;
{
if (tfp && tfd != -1) {
rewind(tfp);
@@ -56,14 +56,19 @@ static int hex_close()
}
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
+static int hex_readip(mb, ifn, dir)
+ mb_t *mb;
+ char **ifn;
+ int *dir;
{
register char *s, *t, *u;
char line[513];
ip_t *ip;
+ char *buf;
+ int cnt;
+ buf = (char *)mb->mb_buf;
+ cnt = sizeof(mb->mb_buf);
/*
* interpret start of line as possibly "[ifname]" or
* "[in/out,ifname]".
@@ -75,8 +80,10 @@ int cnt, *dir;
ip = (ip_t *)buf;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = strchr(line, '\n'))) {
- if (s == line)
- return (char *)ip - buf;
+ if (s == line) {
+ mb->mb_len = (char *)ip - buf;
+ return mb->mb_len;
+ }
*s = '\0';
}
if ((s = strchr(line, '#')))
@@ -104,17 +111,35 @@ int cnt, *dir;
} else if (ifn)
*ifn = t;
}
+
+ while (*s++ == '+') {
+ if (!strncasecmp(s, "mcast", 5)) {
+ mb->mb_flags |= M_MCAST;
+ s += 5;
+ }
+ if (!strncasecmp(s, "bcast", 5)) {
+ mb->mb_flags |= M_BCAST;
+ s += 5;
+ }
+ if (!strncasecmp(s, "mbcast", 6)) {
+ mb->mb_flags |= M_MBCAST;
+ s += 6;
+ }
+ }
+ while (ISSPACE(*s))
+ s++;
} else
s = line;
t = (char *)ip;
ip = (ip_t *)readhex(s, (char *)ip);
if ((opts & OPT_DEBUG) != 0) {
if (opts & OPT_ASCII) {
+ int c = *t;
if (t < (char *)ip)
putchar('\t');
while (t < (char *)ip) {
- if (ISPRINT(*t) && ISASCII(*t))
- putchar(*t);
+ if (isprint(c) && isascii(c))
+ putchar(c);
else
putchar('.');
t++;
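Review bot: In the OPT_ASCII debug branch, `int c = *t;` reads `c` once before the loop and never refreshes it, so every byte of the line is printed as the first byte's character. The lines after `t++;` are outside this hunk, but no added line follows it. Read the byte on each iteration, and through `unsigned char`, because `isprint()` on a negative plain `char` value is undefined: `int c = (unsigned char)*t;` as the first statement inside `while (t < (char *)ip)`. Separately, `while (*s++ == '+')` advances `s` even when the test fails, so one character after the `[...]` prefix is consumed before `readhex(s, ...)`; where `s` points on entry is set above the hunk, so this needs checking against the full function.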
diff --git a/contrib/ipfilter/lib/ipft_pc.c b/contrib/ipfilter/lib/ipft_pc.c
index 0f31a10..3a264bd 100644
--- a/contrib/ipfilter/lib/ipft_pc.c
+++ b/contrib/ipfilter/lib/ipft_pc.c
@@ -1,19 +1,17 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-#include "pcap-ipf.h"
-#include "bpf-ipf.h"
#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
struct llc {
@@ -29,79 +27,61 @@ struct llc {
*/
static struct llc llcs[] = {
- { DLT_NULL, 0, 0, 0 },
- { DLT_EN10MB, 14, 12, 2 },
- { DLT_EN3MB, 0, 0, 0 },
- { DLT_AX25, 0, 0, 0 },
- { DLT_PRONET, 0, 0, 0 },
- { DLT_CHAOS, 0, 0, 0 },
- { DLT_IEEE802, 0, 0, 0 },
- { DLT_ARCNET, 0, 0, 0 },
- { DLT_SLIP, 0, 0, 0 },
- { DLT_PPP, 0, 0, 0 },
- { DLT_FDDI, 0, 0, 0 },
-#ifdef DLT_ATMRFC1483
- { DLT_ATMRFC1483, 0, 0, 0 },
-#endif
- { DLT_RAW, 0, 0, 0 },
-#ifdef DLT_ENC
- { DLT_ENC, 0, 0, 0 },
-#endif
-#ifdef DLT_SLIP_BSDOS
- { DLT_SLIP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_BSDOS
- { DLT_PPP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_HIPPI
- { DLT_HIPPI, 0, 0, 0 },
-#endif
-#ifdef DLT_HDLC
- { DLT_HDLC, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_SERIAL
- { DLT_PPP_SERIAL, 4, 4, 0 },
-#endif
-#ifdef DLT_PPP_ETHER
- { DLT_PPP_ETHER, 8, 8, 0 },
-#endif
-#ifdef DLT_ECONET
- { DLT_ECONET, 0, 0, 0 },
-#endif
+ { 0, 0, 0, 0 }, /* DLT_NULL */
+ { 1, 14, 12, 2 }, /* DLT_Ethernet */
+ { 10, 0, 0, 0 }, /* DLT_FDDI */
+ { 12, 0, 0, 0 }, /* DLT_RAW */
{ -1, -1, -1, -1 }
};
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
+typedef struct {
+ u_int id;
+ u_short major;
+ u_short minor;
+ u_int timezone;
+ u_int sigfigs;
+ u_int snaplen;
+ u_int type;
+} fileheader_t;
+
+typedef struct {
+ u_32_t seconds;
+ u_32_t microseconds;
+ u_32_t caplen;
+ u_32_t wirelen;
+} packetheader_t;
+
+static int ipcap_open __P((char *));
+static int ipcap_close __P((void));
+static int ipcap_readip __P((mb_t *, char **, int *));
+static int ipcap_read_rec __P((packetheader_t *));
+static void iswap_hdr __P((fileheader_t *));
static int pfd = -1, swapped = 0;
static struct llc *llcp = NULL;
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip, 0 };
+struct ipread pcap = { ipcap_open, ipcap_close, ipcap_readip, 0 };
#define SWAPLONG(y) \
((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
#define SWAPSHORT(y) \
( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-static void swap_hdr(p)
-pcaphdr_t *p;
+static void iswap_hdr(p)
+ fileheader_t *p;
{
- p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
- p->pc_v_min = SWAPSHORT(p->pc_v_min);
- p->pc_zone = SWAPLONG(p->pc_zone);
- p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
- p->pc_slen = SWAPLONG(p->pc_slen);
- p->pc_type = SWAPLONG(p->pc_type);
+ p->major = SWAPSHORT(p->major);
+ p->minor = SWAPSHORT(p->minor);
+ p->timezone = SWAPLONG(p->timezone);
+ p->sigfigs = SWAPLONG(p->sigfigs);
+ p->snaplen = SWAPLONG(p->snaplen);
+ p->type = SWAPLONG(p->type);
}
-static int pcap_open(fname)
-char *fname;
+static int ipcap_open(fname)
+ char *fname;
{
- pcaphdr_t ph;
+ fileheader_t ph;
int fd, i;
if (pfd != -1)
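Review bot: `fileheader_t` is filled straight from the file by `read(fd, (char *)&ph, sizeof(ph))` in `ipcap_open`, yet its 32-bit fields are declared `u_int` while `packetheader_t` next to it uses `u_32_t`. The on-disk header has fixed field widths, so declare both structs the same way, e.g. `u_32_t id;` through `u_32_t type;`. The link-type table now holds bare numbers with the DLT name only in a comment, and the non-zero entries the old table had for DLT_PPP_SERIAL and DLT_PPP_ETHER are gone. If dropping those types is intended, the comment above `llcs` should say so.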
@@ -115,22 +95,17 @@ char *fname;
if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
return -2;
- if (ph.pc_id != TCPDUMP_MAGIC) {
- if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
+ if (ph.id != 0xa1b2c3d4) {
+ if (SWAPLONG(ph.id) != 0xa1b2c3d4) {
(void) close(fd);
return -2;
}
swapped = 1;
- swap_hdr(&ph);
- }
-
- if (ph.pc_v_maj != PCAP_VERSION_MAJ) {
- (void) close(fd);
- return -2;
+ iswap_hdr(&ph);
}
for (i = 0; llcs[i].lc_type != -1; i++)
- if (llcs[i].lc_type == ph.pc_type) {
+ if (llcs[i].lc_type == ph.type) {
llcp = llcs + i;
break;
}
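Review bot: The check on the header's major version is removed here and nothing replaces it, so after the magic test `ipcap_open` accepts a file of any version and goes on to parse its records with the `packetheader_t` layout. Keeping the test with the value the format defines would preserve the old rejection: `if (ph.major != 2) { (void) close(fd); return -2; }`. The magic `0xa1b2c3d4` now appears twice as a bare literal; a named constant next to the struct would keep the two comparisons in step. `ipcap_open` starts above this hunk.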
@@ -143,13 +118,13 @@ char *fname;
pfd = fd;
printf("opened pcap file %s:\n", fname);
printf("\tid: %08x version: %d.%d type: %d snap %d\n",
- ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
+ ph.id, ph.major, ph.minor, ph.type, ph.snaplen);
return fd;
}
-static int pcap_close()
+static int ipcap_close()
{
return close(pfd);
}
@@ -159,8 +134,8 @@ static int pcap_close()
* read in the header (and validate) which should be the first record
* in a pcap file.
*/
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
+static int ipcap_read_rec(rec)
+ packetheader_t *rec;
{
int n, p, i;
char *s;
@@ -177,13 +152,13 @@ struct pcap_pkthdr *rec;
}
if (swapped) {
- rec->ph_clen = SWAPLONG(rec->ph_clen);
- rec->ph_len = SWAPLONG(rec->ph_len);
- rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
- rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
+ rec->caplen = SWAPLONG(rec->caplen);
+ rec->wirelen = SWAPLONG(rec->wirelen);
+ rec->seconds = SWAPLONG(rec->seconds);
+ rec->microseconds = SWAPLONG(rec->microseconds);
}
- p = rec->ph_clen;
- n = MIN(p, rec->ph_len);
+ p = rec->caplen;
+ n = MIN(p, rec->wirelen);
if (!n || n < 0)
return -3;
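Review bot: `rec->caplen` is a `u_32_t` taken from the capture file and is assigned to the `int p` with no range check, so a value above INT_MAX becomes negative in `p`, while `MIN(p, rec->wirelen)` compares it as unsigned. `n` can then pass the `!n || n < 0` test with `p` still out of range. The rest of `ipcap_read_rec` is outside this hunk, but the callers in the later hunks treat its return value as a record length, so the field should be validated before it is used: `if (rec->caplen == 0 || rec->caplen > INT_MAX) return -3;` ahead of `p = rec->caplen;`. A tighter bound, such as the `snaplen` from the file header, would need `ipcap_open` to keep that value.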
@@ -198,15 +173,15 @@ struct pcap_pkthdr *rec;
* read an entire pcap packet record. only the data part is copied into
* the available buffer, with the number of bytes copied returned.
*/
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
+static int ipcap_read(buf, cnt)
+ char *buf;
+ int cnt;
{
- struct pcap_pkthdr rec;
+ packetheader_t rec;
static char *bufp = NULL;
int i, n;
- if ((i = pcap_read_rec(&rec)) <= 0)
+ if ((i = ipcap_read_rec(&rec)) <= 0)
return i;
if (!bufp)
@@ -227,20 +202,29 @@ int cnt;
/*
* return only an IP packet read into buf
*/
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
+static int ipcap_readip(mb, ifn, dir)
+ mb_t *mb;
+ char **ifn;
+ int *dir;
{
static char *bufp = NULL;
- struct pcap_pkthdr rec;
+ packetheader_t rec;
struct llc *l;
char *s, ty[4];
int i, j, n;
+ char *buf;
+ int cnt;
+#if 0
+ ifn = ifn; /* gcc -Wextra */
+ dir = dir; /* gcc -Wextra */
+#endif
+ buf = (char *)mb->mb_buf;
+ cnt = sizeof(mb->mb_buf);
l = llcp;
/* do { */
- if ((i = pcap_read_rec(&rec)) <= 0)
+ if ((i = ipcap_read_rec(&rec)) <= 0)
return i;
if (!bufp)
@@ -265,5 +249,6 @@ int cnt, *dir;
/* } while (ty[0] != 0x8 && ty[1] != 0); */
n = MIN(i, cnt);
bcopy(s, buf, n);
+ mb->mb_len = n;
return n;
}
diff --git a/contrib/ipfilter/lib/ipft_sn.c b/contrib/ipfilter/lib/ipft_sn.c
deleted file mode 100644
index 2beb6ee..0000000
--- a/contrib/ipfilter/lib/ipft_sn.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2000-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $
- */
-
-/*
- * Written to comply with the recent RFC 1761 from Sun.
- */
-#include "ipf.h"
-#include "snoop.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-static struct llc llcs[SDL_MAX+1] = {
- { 0, 0, 0 }, /* SDL_8023 */
- { 0, 0, 0 }, /* SDL_8024 */
- { 0, 0, 0 }, /* SDL_8025 */
- { 0, 0, 0 }, /* SDL_8026 */
- { 14, 12, 2 }, /* SDL_ETHER */
- { 0, 0, 0 }, /* SDL_HDLC */
- { 0, 0, 0 }, /* SDL_CHSYNC */
- { 0, 0, 0 }, /* SDL_IBMCC */
- { 0, 0, 0 }, /* SDL_FDDI */
- { 0, 0, 0 }, /* SDL_OTHER */
-};
-
-static int snoop_open __P((char *));
-static int snoop_close __P((void));
-static int snoop_readip __P((char *, int, char **, int *));
-
-static int sfd = -1, s_type = -1;
-static int snoop_read_rec __P((struct snooppkt *));
-
-struct ipread snoop = { snoop_open, snoop_close, snoop_readip, 0 };
-
-
-static int snoop_open(fname)
-char *fname;
-{
- struct snoophdr sh;
- int fd;
- int s_v;
-
- if (sfd != -1)
- return sfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
- return -2;
-
- s_v = (int)ntohl(sh.s_v);
- s_type = (int)ntohl(sh.s_type);
-
- if (s_v != SNOOP_VERSION ||
- s_type < 0 || s_type > SDL_MAX) {
- (void) close(fd);
- return -2;
- }
-
- sfd = fd;
- printf("opened snoop file %s:\n", fname);
- printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
-
- return fd;
-}
-
-
-static int snoop_close()
-{
- return close(sfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a snoop file.
- */
-static int snoop_read_rec(rec)
-struct snooppkt *rec;
-{
- int n, plen, ilen;
-
- if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- ilen = (int)ntohl(rec->sp_ilen);
- plen = (int)ntohl(rec->sp_plen);
- if (ilen > plen || plen < sizeof(*rec))
- return -2;
-
- plen -= sizeof(*rec);
- n = MIN(plen, ilen);
- if (!n || n < 0)
- return -3;
-
- return plen;
-}
-
-
-#ifdef notyet
-/*
- * read an entire snoop packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int snoop_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct snooppkt rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(sfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int snoop_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct snooppkt rec;
- struct llc *l;
- char ty[4], *s;
- int i, n;
-
- do {
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(sfd, s, i) != i)
- return -2;
-
- l = &llcs[s_type];
- i -= l->lc_to;
- s += l->lc_to;
- /*
- * XXX - bogus assumption here on the part of the time field
- * that it won't be greater than 4 bytes and the 1st two will
- * have the values 8 and 0 for IP. Should be a table of
- * these too somewhere. Really only works for SDL_ETHER.
- */
- bcopy(s, ty, l->lc_tl);
- } while (ty[0] != 0x8 && ty[1] != 0);
-
- i -= l->lc_tl;
- s += l->lc_tl;
- n = MIN(i, cnt);
- bcopy(s, buf, n);
-
- return n;
-}
diff --git a/contrib/ipfilter/lib/ipft_td.c b/contrib/ipfilter/lib/ipft_td.c
deleted file mode 100644
index d571ada..0000000
--- a/contrib/ipfilter/lib/ipft_td.c
+++ /dev/null
@@ -1,178 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $
- */
-
-/*
-tcpdump -n
-
-00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
-
-tcpdump -nq
-
-00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
-
-tcpdump -nqt
-
-128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqtt
-
-123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqte
-
-8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-*/
-
-#include "ipf.h"
-#include "ipt.h"
-
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $";
-#endif
-
-static int tcpd_open __P((char *));
-static int tcpd_close __P((void));
-static int tcpd_readip __P((char *, int, char **, int *));
-static int count_dots __P((char *));
-
-struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip, 0 };
-
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-
-static int tcpd_open(fname)
-char *fname;
-{
- if (tfd != -1)
- return tfd;
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int tcpd_close()
-{
- (void) fclose(tfp);
- return close(tfd);
-}
-
-
-static int count_dots(str)
-char *str;
-{
- int i = 0;
-
- while (*str)
- if (*str++ == '.')
- i++;
- return i;
-}
-
-
-static int tcpd_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
- char lbuf[160], *s;
- int n, slen, extra = 0;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3)
- if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s",
- time, src, dst, misc)) != 4)
- if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s",
- link1, link2, src, dst, misc)) != 5) {
- n = sscanf(lbuf,
- "%31s %31s %31s: %31s > %31s: %255s",
- time, link1, link2, src, dst, misc);
- if (n != 6)
- return -1;
- }
-
- if (count_dots(dst) == 4) {
- s = strrchr(src, '.');
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_src);
- pkt.ti_sport = htons(atoi(s));
- *--s = '.';
- s = strrchr(dst, '.');
-
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_dst);
- pkt.ti_dport = htons(atoi(s));
- *--s = '.';
-
- } else {
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(src, &ip->ip_dst);
- }
- ip->ip_len = sizeof(ip_t);
- IP_HL_A(ip, sizeof(ip_t));
-
- s = strtok(misc, " :");
- if (s == NULL)
- return 0;
- ip->ip_p = getproto(s);
-
- switch (ip->ip_p)
- {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- if (s == NULL)
- return 0;
- ip->ip_len += atoi(s);
- if (ip->ip_p == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (ip->ip_p == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- slen = IP_HL(ip) + extra + ip->ip_len;
- return slen;
-}
diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c
index f4475e3..a996c5b 100644
--- a/contrib/ipfilter/lib/ipft_tx.c
+++ b/contrib/ipfilter/lib/ipft_tx.c
@@ -1,15 +1,15 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $
+ * $Id$
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <ctype.h>
@@ -17,18 +17,12 @@ static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44
#include "ipf.h"
#include "ipt.h"
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
extern int opts;
static char *tx_proto = "";
static int text_open __P((char *)), text_close __P((void));
-static int text_readip __P((char *, int, char **, int *));
+static int text_readip __P((mb_t *, char **, int *));
static int parseline __P((char *, ip_t *, char **, int *));
static char myflagset[] = "FSRPAUEC";
@@ -42,16 +36,19 @@ static int tfd = -1;
static u_32_t tx_hostnum __P((char *, int *));
static u_short tx_portnum __P((char *));
+#ifdef USE_INET6
+int parseipv6 __P((char **, ip6_t *, char **, int *));
+#endif
/*
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
static u_32_t tx_hostnum(host, resolved)
-char *host;
-int *resolved;
+ char *host;
+ int *resolved;
{
- u_32_t ipa;
+ i6addr_t ipa;
*resolved = 0;
if (!strcasecmp("any", host))
@@ -59,12 +56,12 @@ int *resolved;
if (ISDIGIT(*host))
return inet_addr(host);
- if (gethost(host, &ipa) == -1) {
+ if (gethost(AF_INET, host, &ipa) == -1) {
*resolved = -1;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
- return ipa;
+ return ipa.in4.s_addr;
}
@@ -73,7 +70,7 @@ int *resolved;
* straight atoi()
*/
static u_short tx_portnum(name)
-char *name;
+ char *name;
{
struct servent *sp;
@@ -87,15 +84,8 @@ char *name;
}
-char *tx_icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
static int text_open(fname)
-char *fname;
+ char *fname;
{
if (tfp && tfd != -1) {
rewind(tfp);
@@ -123,13 +113,19 @@ static int text_close()
}
-static int text_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
+static int text_readip(mb, ifn, dir)
+ mb_t *mb;
+ char **ifn;
+ int *dir;
{
register char *s;
char line[513];
ip_t *ip;
+ char *buf;
+ int cnt;
+
+ buf = (char *)mb->mb_buf;
+ cnt = sizeof(mb->mb_buf);
*ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) {
@@ -147,7 +143,17 @@ int cnt, *dir;
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir)) {
ip = (ip_t *)buf;
- return ntohs(ip->ip_len);
+ if (IP_V(ip) == 6) {
+#ifdef USE_INET6
+ mb->mb_len = ntohs(((ip6_t *)ip)->ip6_plen) +
+ sizeof(ip6_t);
+#else
+ mb->mb_len = 0;
+#endif
+ } else {
+ mb->mb_len = ntohs(ip->ip_len);
+ }
+ return mb->mb_len;
}
}
if (feof(tfp))
@@ -156,10 +162,10 @@ int cnt, *dir;
}
static int parseline(line, ip, ifn, out)
-char *line;
-ip_t *ip;
-char **ifn;
-int *out;
+ char *line;
+ ip_t *ip;
+ char **ifn;
+ int *out;
{
tcphdr_t th, *tcp = &th;
struct icmp icmp, *ic = &icmp;
@@ -174,6 +180,7 @@ int *out;
bzero(ipopts, sizeof(ipopts));
IP_HL_A(ip, sizeof(*ip) >> 2);
IP_V_A(ip, IPVERSION);
+ ip->ip_ttl = 63;
for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
cps[++i] = strtok(NULL, " \b\t\r\n");
@@ -186,6 +193,13 @@ int *out;
fprintf(stderr, "bad direction \"%s\"\n", *cpp);
return 1;
}
+
+#ifdef USE_INET6
+ if (!strcasecmp(*cpp, "out6") || !strcasecmp(*cpp, "in6")) {
+ return parseipv6(cpp, (ip6_t *)ip, ifn, out);
+ }
+#endif
+
*out = (TOLOWER(c) == 'o') ? 1 : 0;
cpp++;
if (!*cpp)
@@ -284,24 +298,20 @@ int *out;
cpp++;
}
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
- extern char *tx_icmptypes[];
- char **s, *t;
- int i;
+ char *t;
t = strchr(*cpp, ',');
if (t != NULL)
*t = '\0';
- for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
- s++, i++) {
- if (*s && !strcasecmp(*cpp, *s)) {
- ic->icmp_type = i;
- if (t != NULL)
- ic->icmp_code = atoi(t + 1);
- cpp++;
- break;
- }
- }
+ ic->icmp_type = geticmptype(AF_INET, *cpp);
+ if (t != NULL)
+ ic->icmp_code = atoi(t + 1);
+ cpp++;
+
+ if (ic->icmp_type == ICMP_ECHO ||
+ ic->icmp_type == ICMP_ECHOREPLY)
+ ic->icmp_id = htons(getpid());
if (t != NULL)
*t = ',';
}
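Review bot: The result of `geticmptype(AF_INET, *cpp)` is stored in `ic->icmp_type` and `cpp` is advanced without checking whether the name was recognised; the removed loop left both untouched for an unknown name. `geticmptype` is not defined in this file, so its failure value is an assumption here, but if it is negative the value is silently truncated into the one-byte type field. Failing the line would be safer: `int type = geticmptype(AF_INET, *cpp);` followed by `if (type < 0) { fprintf(stderr, "unknown icmp type \"%s\"\n", *cpp); return 1; }`. The `geticmptype(AF_INET6, *cpp)` call in `parseipv6` at the end of this file has the same gap. `parseline` begins above this hunk.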
@@ -314,6 +324,7 @@ int *out;
if (olen) {
bcopy(ipopts, (char *)(ip + 1), olen);
IP_HL_A(ip, IP_HL(ip) + (olen >> 2));
+ ip->ip_len += olen;
}
}
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
@@ -325,3 +336,175 @@ int *out;
ip->ip_len = htons(ip->ip_len);
return 0;
}
+
+
+#ifdef USE_INET6
+int parseipv6(cpp, ip6, ifn, out)
+ char **cpp;
+ ip6_t *ip6;
+ char **ifn;
+ int *out;
+{
+ tcphdr_t th, *tcp = &th;
+ struct icmp6_hdr icmp, *ic6 = &icmp;
+
+ bzero((char *)ip6, MAX(sizeof(*tcp), sizeof(*ic6)) + sizeof(*ip6));
+ bzero((char *)tcp, sizeof(*tcp));
+ bzero((char *)ic6, sizeof(*ic6));
+ ip6->ip6_vfc = 0x60;
+
+ *out = (**cpp == 'o') ? 1 : 0;
+ cpp++;
+ if (!*cpp)
+ return 1;
+
+ if (!strcasecmp(*cpp, "on")) {
+ cpp++;
+ if (!*cpp)
+ return 1;
+ *ifn = strdup(*cpp++);
+ if (!*cpp)
+ return 1;
+ }
+
+ if (!strcasecmp(*cpp, "tcp")) {
+ ip6->ip6_nxt = IPPROTO_TCP;
+ tx_proto = "tcp";
+ cpp++;
+ } else if (!strcasecmp(*cpp, "udp")) {
+ ip6->ip6_nxt = IPPROTO_UDP;
+ tx_proto = "udp";
+ cpp++;
+ } else if (!strcasecmp(*cpp, "icmpv6")) {
+ ip6->ip6_nxt = IPPROTO_ICMPV6;
+ tx_proto = "icmpv6";
+ cpp++;
+ } else if (ISDIGIT(**cpp) && !index(*cpp, ':')) {
+ ip6->ip6_nxt = atoi(*cpp);
+ cpp++;
+ } else
+ ip6->ip6_nxt = IPPROTO_IPV6;
+
+ if (!*cpp)
+ return 1;
+
+ switch (ip6->ip6_nxt)
+ {
+ case IPPROTO_TCP :
+ ip6->ip6_plen = sizeof(struct tcphdr);
+ break;
+ case IPPROTO_UDP :
+ ip6->ip6_plen = sizeof(struct udphdr);
+ break;
+ case IPPROTO_ICMPV6 :
+ ip6->ip6_plen = ICMP6ERR_IPICMPHLEN;
+ break;
+ default :
+ break;
+ }
+
+ if (ip6->ip6_nxt == IPPROTO_TCP || ip6->ip6_nxt == IPPROTO_UDP) {
+ char *last;
+
+ last = strchr(*cpp, ',');
+ if (!last) {
+ fprintf(stderr, "tcp/udp with no source port\n");
+ return 1;
+ }
+ *last++ = '\0';
+ tcp->th_sport = htons(tx_portnum(last));
+ if (ip6->ip6_nxt == IPPROTO_TCP) {
+ tcp->th_win = htons(4096);
+ TCP_OFF_A(tcp, sizeof(*tcp) >> 2);
+ }
+ }
+
+ if (inet_pton(AF_INET6, *cpp, &ip6->ip6_src) != 1) {
+ fprintf(stderr, "cannot parse source address '%s'\n", *cpp);
+ return 1;
+ }
+
+ cpp++;
+ if (!*cpp)
+ return 1;
+
+ if (ip6->ip6_nxt == IPPROTO_TCP || ip6->ip6_nxt == IPPROTO_UDP) {
+ char *last;
+
+ last = strchr(*cpp, ',');
+ if (!last) {
+ fprintf(stderr, "tcp/udp with no destination port\n");
+ return 1;
+ }
+ *last++ = '\0';
+ tcp->th_dport = htons(tx_portnum(last));
+ }
+
+ if (inet_pton(AF_INET6, *cpp, &ip6->ip6_dst) != 1) {
+ fprintf(stderr, "cannot parse destination address '%s'\n",
+ *cpp);
+ return 1;
+ }
+
+ cpp++;
+ if (ip6->ip6_nxt == IPPROTO_TCP) {
+ if (*cpp != NULL) {
+ char *s, *t;
+
+ tcp->th_flags = 0;
+ for (s = *cpp; *s; s++)
+ if ((t = strchr(myflagset, *s)))
+ tcp->th_flags |= myflags[t-myflagset];
+ if (tcp->th_flags)
+ cpp++;
+ }
+
+ if (tcp->th_flags & TH_URG)
+ tcp->th_urp = htons(1);
+
+ if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
+ tcp->th_seq = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
+
+ if (*cpp && !strncasecmp(*cpp, "ack=", 4)) {
+ tcp->th_ack = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
+ } else if (*cpp && ip6->ip6_nxt == IPPROTO_ICMPV6) {
+ char *t;
+
+ t = strchr(*cpp, ',');
+ if (t != NULL)
+ *t = '\0';
+
+ ic6->icmp6_type = geticmptype(AF_INET6, *cpp);
+ if (t != NULL)
+ ic6->icmp6_code = atoi(t + 1);
+
+ if (ic6->icmp6_type == ICMP6_ECHO_REQUEST ||
+ ic6->icmp6_type == ICMP6_ECHO_REPLY)
+ ic6->icmp6_id = htons(getpid());
+
+ if (t != NULL)
+ *t = ',';
+ }
+
+ if (ip6->ip6_nxt == IPPROTO_TCP || ip6->ip6_nxt == IPPROTO_UDP) {
+ bcopy((char *)tcp, (char *)ip6 + sizeof(*ip6),
+ sizeof(*tcp));
+ } else if (ip6->ip6_nxt == IPPROTO_ICMPV6) {
+ bcopy((char *)ic6, (char *)ip6 + sizeof(*ip6),
+ sizeof(*ic6));
+ }
+
+ /*
+ * Because a length of 0 == jumbo gram...
+ */
+ if (ip6->ip6_plen == 0) {
+ ip6->ip6_plen++;
+ }
+ ip6->ip6_plen = htons(ip6->ip6_plen);
+ return 0;
+}
+#endif
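Review bot: `*out = (**cpp == 'o') ? 1 : 0;` in `parseipv6` is case-sensitive, while the caller selects this function with `strcasecmp(*cpp, "out6")` and `parseline` itself tests `TOLOWER(c) == 'o'`, so a line starting `OUT6` is accepted but treated as inbound. Use the same form here: `*out = (TOLOWER(**cpp) == 'o') ? 1 : 0;`. `*ifn = strdup(*cpp++);` is also used without a NULL check. The function has no header comment; it should state that `ip6` must point at a buffer large enough for the IPv6 header plus the larger of the TCP and ICMPv6 headers, because the first `bzero` clears that much and the final `bcopy` writes past the IPv6 header.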
diff --git a/contrib/ipfilter/lib/ipoptsec.c b/contrib/ipfilter/lib/ipoptsec.c
index 66a55c8..5e585ba 100644
--- a/contrib/ipfilter/lib/ipoptsec.c
+++ b/contrib/ipfilter/lib/ipoptsec.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipoptsec.c,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -25,16 +25,19 @@ struct ipopt_names secclass[] = {
u_char seclevel(slevel)
-char *slevel;
+ char *slevel;
{
struct ipopt_names *so;
+ if (slevel == NULL || *slevel == '\0')
+ return 0;
+
for (so = secclass; so->on_name; so++)
if (!strcasecmp(slevel, so->on_name))
break;
if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
+ fprintf(stderr, "no such security level: '%s'\n", slevel);
return 0;
}
return (u_char)so->on_value;
@@ -42,7 +45,7 @@ char *slevel;
u_char secbit(class)
-int class;
+ int class;
{
struct ipopt_names *so;
@@ -51,7 +54,7 @@ int class;
break;
if (!so->on_name) {
- fprintf(stderr, "no such security class: %d\n", class);
+ fprintf(stderr, "no such security class: %d.\n", class);
return 0;
}
return (u_char)so->on_bit;
diff --git a/contrib/ipfilter/lib/kmem.c b/contrib/ipfilter/lib/kmem.c
index 26da2d0..382a51c 100644
--- a/contrib/ipfilter/lib/kmem.c
+++ b/contrib/ipfilter/lib/kmem.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -44,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.3 2006/06/16 17:21:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -70,9 +70,9 @@ kvm_t kvm_open __P((char *, char *, char *, int, char *));
int kvm_read __P((kvm_t, u_long, char *, size_t));
kvm_t kvm_open(kernel, core, swap, mode, errstr)
-char *kernel, *core, *swap;
-int mode;
-char *errstr;
+ char *kernel, *core, *swap;
+ int mode;
+ char *errstr;
{
kvm_t k;
int fd;
@@ -93,10 +93,10 @@ char *errstr;
}
int kvm_read(kvm, pos, buffer, size)
-kvm_t kvm;
-u_long pos;
-char *buffer;
-size_t size;
+ kvm_t kvm;
+ u_long pos;
+ char *buffer;
+ size_t size;
{
int r = 0, left;
char *bufp;
@@ -127,7 +127,7 @@ size_t size;
#endif /* !defined(__sgi) && !defined(__hpux) && !defined(__osf__) */
int openkmem(kern, core)
-char *kern, *core;
+ char *kern, *core;
{
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL);
if (kvm_f == NULL)
@@ -139,9 +139,9 @@ char *kern, *core;
}
int kmemcpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
+ register char *buf;
+ long pos;
+ register int n;
{
register int r;
@@ -169,9 +169,9 @@ register int n;
}
int kstrncpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
+ register char *buf;
+ long pos;
+ register int n;
{
register int r;
diff --git a/contrib/ipfilter/lib/kmem.h b/contrib/ipfilter/lib/kmem.h
index bcfde06..ce6ad56 100644
--- a/contrib/ipfilter/lib/kmem.h
+++ b/contrib/ipfilter/lib/kmem.h
@@ -1,10 +1,10 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $
+ * $Id$
*/
#ifndef __KMEM_H__
diff --git a/contrib/ipfilter/lib/kmemcpywrap.c b/contrib/ipfilter/lib/kmemcpywrap.c
index 8747491..6c398d6 100644
--- a/contrib/ipfilter/lib/kmemcpywrap.c
+++ b/contrib/ipfilter/lib/kmemcpywrap.c
@@ -1,19 +1,19 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: kmemcpywrap.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#include "kmem.h"
int kmemcpywrap(from, to, size)
-void *from, *to;
-size_t size;
+ void *from, *to;
+ size_t size;
{
int ret;
diff --git a/contrib/ipfilter/lib/kvatoname.c b/contrib/ipfilter/lib/kvatoname.c
index c8c0d8f..65b5240 100644
--- a/contrib/ipfilter/lib/kvatoname.c
+++ b/contrib/ipfilter/lib/kvatoname.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: kvatoname.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -14,8 +14,8 @@
#include <sys/ioctl.h>
char *kvatoname(func, iocfunc)
-ipfunc_t func;
-ioctlfunc_t iocfunc;
+ ipfunc_t func;
+ ioctlfunc_t iocfunc;
{
static char funcname[40];
ipfunc_resolve_t res;
@@ -25,7 +25,7 @@ ioctlfunc_t iocfunc;
res.ipfu_name[0] = '\0';
fd = -1;
- if ((opts & OPT_DONOTHING) == 0) {
+ if ((opts & OPT_DONTOPEN) == 0) {
fd = open(IPL_NAME, O_RDONLY);
if (fd == -1)
return NULL;
diff --git a/contrib/ipfilter/lib/load_dstlist.c b/contrib/ipfilter/lib/load_dstlist.c
new file mode 100644
index 0000000..760699d
--- /dev/null
+++ b/contrib/ipfilter/lib/load_dstlist.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: load_dstlist.c,v 1.1.2.5 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include "ipf.h"
+#include "netinet/ip_lookup.h"
+#include "netinet/ip_dstlist.h"
+
+
+int
+load_dstlist(dst, iocfunc, nodes)
+ ippool_dst_t *dst;
+ ioctlfunc_t iocfunc;
+ ipf_dstnode_t *nodes;
+{
+ iplookupop_t op;
+ ipf_dstnode_t *a;
+ ippool_dst_t dest;
+
+ if (dst->ipld_name[0] == '\0')
+ return -1;
+
+ if (pool_open() == -1)
+ return -1;
+
+ op.iplo_unit = dst->ipld_unit;
+ op.iplo_type = IPLT_DSTLIST;
+ op.iplo_arg = 0;
+ strncpy(op.iplo_name, dst->ipld_name, sizeof(op.iplo_name));
+ op.iplo_size = sizeof(dest);
+ op.iplo_struct = &dest;
+ bzero((char *)&dest, sizeof(dest));
+ dest.ipld_unit = dst->ipld_unit;
+ dest.ipld_policy = dst->ipld_policy;
+ dest.ipld_flags = dst->ipld_flags;
+ strncpy(dest.ipld_name, dst->ipld_name, sizeof(dest.ipld_name));
+
+ if ((opts & OPT_REMOVE) == 0) {
+ if (pool_ioctl(iocfunc, SIOCLOOKUPADDTABLE, &op))
+ if ((opts & OPT_DONOTHING) == 0) {
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "add destination list table");
+ }
+ }
+
+ if ((opts & OPT_VERBOSE) != 0) {
+ dest.ipld_dests = dst->ipld_dests;
+ printdstlist(&dest, bcopywrap, dest.ipld_name, opts, nodes, NULL);
+ dest.ipld_dests = NULL;
+ }
+
+ for (a = nodes; a != NULL; a = a->ipfd_next)
+ load_dstlistnode(dst->ipld_unit, dest.ipld_name, a, iocfunc);
+
+ if ((opts & OPT_REMOVE) != 0) {
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op))
+ if ((opts & OPT_DONOTHING) == 0) {
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete destination list table");
+ }
+ }
+ return 0;
+}
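Review bot: The result of `load_dstlistnode()` is discarded in the `for (a = nodes; a != NULL; a = a->ipfd_next)` loop, so load_dstlist returns 0 even when a destination could not be added, and the caller cannot tell a complete list from a partial one. Remember the failure and return it, e.g. `if (load_dstlistnode(dst->ipld_unit, dest.ipld_name, a, iocfunc) != 0) err = -1;` with `return err;` at the end. Separately, `op` is filled field by field without being zeroed, and both `strncpy()` calls can leave the name unterminated when `ipld_name` uses the whole array. A `bzero((char *)&op, sizeof(op));` up front and copying at most `sizeof(...) - 1` bytes would cover both.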
diff --git a/contrib/ipfilter/lib/load_dstlistnode.c b/contrib/ipfilter/lib/load_dstlistnode.c
new file mode 100644
index 0000000..e1ec001
--- /dev/null
+++ b/contrib/ipfilter/lib/load_dstlistnode.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: load_dstlistnode.c,v 1.1.2.5 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include "ipf.h"
+#include "netinet/ip_lookup.h"
+#include "netinet/ip_pool.h"
+
+
+int
+load_dstlistnode(role, name, node, iocfunc)
+ int role;
+ char *name;
+ ipf_dstnode_t *node;
+ ioctlfunc_t iocfunc;
+{
+ iplookupop_t op;
+ frdest_t *dst;
+ char *what;
+ int err;
+
+ if (pool_open() == -1)
+ return -1;
+
+ dst = calloc(1, sizeof(*dst) + node->ipfd_dest.fd_name);
+ if (dst == NULL)
+ return -1;
+
+ op.iplo_unit = role;
+ op.iplo_type = IPLT_DSTLIST;
+ op.iplo_arg = 0;
+ op.iplo_struct = dst;
+ op.iplo_size = sizeof(*dst);
+ if (node->ipfd_dest.fd_name >= 0)
+ op.iplo_size += node->ipfd_dest.fd_name;
+ (void) strncpy(op.iplo_name, name, sizeof(op.iplo_name));
+
+ dst->fd_addr = node->ipfd_dest.fd_addr;
+ dst->fd_type = node->ipfd_dest.fd_type;
+ dst->fd_name = node->ipfd_dest.fd_name;
+ if (node->ipfd_dest.fd_name >= 0)
+ bcopy(node->ipfd_names, (char *)dst + sizeof(*dst),
+ node->ipfd_dest.fd_name);
+
+ if ((opts & OPT_REMOVE) == 0) {
+ what = "add";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPADDNODE, &op);
+ } else {
+ what = "delete";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op);
+ }
+ free(dst);
+
+ if (err != 0) {
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ (void) sprintf(msg, "%s lookup node", what);
+ return ipf_perror_fd(pool_fd(), iocfunc, msg);
+ }
+ }
+
+ return 0;
+}
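Review bot: `calloc(1, sizeof(*dst) + node->ipfd_dest.fd_name)` adds `fd_name` to the allocation size before anything checks its sign, although the two later uses are guarded by `fd_name >= 0`. A negative value is converted to `size_t` in that sum and yields a block smaller than `*dst`, so the `dst->fd_addr = ...` stores that follow write past the allocation. Clamp once and reuse the result: `size_t extra = (node->ipfd_dest.fd_name > 0) ? (size_t)node->ipfd_dest.fd_name : 0;`, then `dst = calloc(1, sizeof(*dst) + extra);`, with `extra` also used for `op.iplo_size` and the `bcopy()` length. `op` is also never zeroed before it is handed to the ioctl, and `strncpy(op.iplo_name, name, sizeof(op.iplo_name))` does not terminate the field when `name` fills it.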
diff --git a/contrib/ipfilter/lib/load_file.c b/contrib/ipfilter/lib/load_file.c
index 9bb3899..a1d1f70 100644
--- a/contrib/ipfilter/lib/load_file.c
+++ b/contrib/ipfilter/lib/load_file.c
@@ -1,12 +1,13 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_file.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
+ * $Id: load_file.c,v 1.6.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
+#include <ctype.h>
alist_t *
load_file(char *filename)
@@ -20,13 +21,13 @@ load_file(char *filename)
if (fp == NULL) {
fprintf(stderr, "load_file cannot open '%s'\n", filename);
return NULL;
- }
+ }
a = NULL;
rtop = NULL;
rbot = NULL;
- linenum = 0;
-
+ linenum = 0;
+
while (fgets(line, sizeof(line) - 1, fp)) {
line[sizeof(line) - 1] = '\0';
linenum++;
@@ -35,17 +36,23 @@ load_file(char *filename)
*/
s = strchr(line, '\n');
if (s == NULL) {
- fprintf(stderr, "%d:%s: line too long\n", linenum, filename);
+ fprintf(stderr, "%d:%s: line too long\n",
+ linenum, filename);
fclose(fp);
alist_free(rtop);
return NULL;
}
- *s = '\0';
+ /*
+ * Remove trailing spaces
+ */
+ for (; ISSPACE(*s); s--)
+ *s = '\0';
+
s = strchr(line, '\r');
if (s != NULL)
*s = '\0';
- for (t = line; isspace(*t); t++)
+ for (t = line; ISSPACE(*t); t++)
;
if (*t == '!') {
not = 1;
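Review bot: The new trailing-space loop `for (; ISSPACE(*s); s--)` has no lower bound, so on a line that is empty or consists only of whitespace it walks `s` below `line[0]` and reads, and possibly zeroes, bytes in front of the buffer. Bound it the way load_http.c does in this same commit: `for (; s >= line && ISSPACE(*s); s--)`. The input is a user-supplied list file, so a blank line is an ordinary case rather than a corner case.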
@@ -56,21 +63,22 @@ load_file(char *filename)
/*
* Remove comment markers
*/
- for (s = t; *s; s++) {
- if (*s == '#')
- *s = '\0';
+ s = strchr(t, '#');
+ if (s != NULL) {
+ *s = '\0';
+ if (s == t)
+ continue;
}
- if (!*t)
- continue;
+
/*
* Trim off tailing white spaces
*/
s = strlen(t) + t - 1;
- while (isspace(*s))
+ while (ISSPACE(*s))
*s-- = '\0';
- if (isdigit(*t)) {
- a = alist_new(4, t);
+ a = alist_new(AF_UNSPEC, t);
+ if (a != NULL) {
a->al_not = not;
if (rbot != NULL)
rbot->al_next = a;
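Review bot: Dropping `if (!*t) continue;` lets a line that is empty after trimming, and contains no `#`, fall through to the code below. There `s = strlen(t) + t - 1` points one byte before `t`, `while (ISSPACE(*s))` reads from that position, and `alist_new(AF_UNSPEC, t)` is then called with an empty string, so every blank line ends up reported as unrecognised content. Keep the skip after the comment strip: `if (*t == '\0') continue;`. The new `if (s == t) continue;` only covers lines where `#` is the first remaining character.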
@@ -78,8 +86,8 @@ load_file(char *filename)
rtop = a;
rbot = a;
} else {
- fprintf(stderr, "%s: unrecognised content line %d\n",
- filename, linenum);
+ fprintf(stderr, "%s:%d unrecognised content :%s\n",
+ filename, linenum, t);
}
}
fclose(fp);
diff --git a/contrib/ipfilter/lib/load_hash.c b/contrib/ipfilter/lib/load_hash.c
index 7683470..7ec79a9 100644
--- a/contrib/ipfilter/lib/load_hash.c
+++ b/contrib/ipfilter/lib/load_hash.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_hash.c,v 1.11.2.5 2006/07/14 06:12:25 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,13 +14,12 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int load_hash(iphp, list, iocfunc)
-iphtable_t *iphp;
-iphtent_t *list;
-ioctlfunc_t iocfunc;
+int
+load_hash(iphp, list, iocfunc)
+ iphtable_t *iphp;
+ iphtent_t *list;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtable_t iph;
@@ -28,14 +27,13 @@ ioctlfunc_t iocfunc;
size_t size;
int n;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
for (n = 0, a = list; a != NULL; a = a->ipe_next)
n++;
+ bzero((char *)&iph, sizeof(iph));
op.iplo_arg = 0;
op.iplo_type = IPLT_HASH;
op.iplo_unit = iphp->iph_unit;
@@ -44,10 +42,7 @@ ioctlfunc_t iocfunc;
op.iplo_arg = IPHASH_ANON;
op.iplo_size = sizeof(iph);
op.iplo_struct = &iph;
- iph.iph_unit = iphp->iph_unit;
- iph.iph_type = iphp->iph_type;
- strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
- iph.iph_flags = iphp->iph_flags;
+ iph = *iphp;
if (n <= 0)
n = 1;
if (iphp->iph_size == 0)
@@ -60,16 +55,15 @@ ioctlfunc_t iocfunc;
iphp->iph_name, "size to match expected use");
}
iph.iph_size = size;
- iph.iph_seed = iphp->iph_seed;
iph.iph_table = NULL;
iph.iph_list = NULL;
iph.iph_ref = 0;
if ((opts & OPT_REMOVE) == 0) {
- if ((*iocfunc)(hashfd, SIOCLOOKUPADDTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPADDTABLE, &op))
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_hash:SIOCLOOKUPADDTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "add lookup hash table");
}
}
@@ -77,19 +71,14 @@ ioctlfunc_t iocfunc;
strncpy(iphp->iph_name, op.iplo_name, sizeof(op.iplo_name));
if (opts & OPT_VERBOSE) {
- for (a = list; a != NULL; a = a->ipe_next) {
- a->ipe_addr.in4_addr = ntohl(a->ipe_addr.in4_addr);
- a->ipe_mask.in4_addr = ntohl(a->ipe_mask.in4_addr);
- }
iph.iph_table = calloc(size, sizeof(*iph.iph_table));
if (iph.iph_table == NULL) {
perror("calloc(size, sizeof(*iph.iph_table))");
return -1;
}
iph.iph_list = list;
- printhash(&iph, bcopywrap, iph.iph_name, opts);
+ printhash(&iph, bcopywrap, iph.iph_name, opts, NULL);
free(iph.iph_table);
- iph.iph_list = NULL;
for (a = list; a != NULL; a = a->ipe_next) {
a->ipe_addr.in4_addr = htonl(a->ipe_addr.in4_addr);
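Review bot: With the `ntohl()` loop removed, the `htonl()` loop that remains as context after `free(iph.iph_table)` now runs on addresses that were never converted to host order. Under OPT_VERBOSE on a little-endian host every entry would then be byte-swapped before `load_hashnode()` passes it on, so a verbose run would load different addresses than a quiet one. That loop's body continues past the end of this hunk, so this is inferred from the two visible lines; if the loop is still there it should be removed together with its `ntohl()` counterpart. Removing `iph.iph_list = NULL;` also leaves `iph`, which `op.iplo_struct` still points at for the later SIOCLOOKUPDELTABLE request, holding the caller's list pointer and the freed `iph_table`; `iph.iph_table = NULL; iph.iph_list = NULL;` after the `free()` keeps stale pointers out of that request.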
@@ -101,13 +90,13 @@ ioctlfunc_t iocfunc;
printf("Hash %s:\n", iph.iph_name);
for (a = list; a != NULL; a = a->ipe_next)
- load_hashnode(iphp->iph_unit, iph.iph_name, a, iocfunc);
+ load_hashnode(iphp->iph_unit, iph.iph_name, a, 0, iocfunc);
if ((opts & OPT_REMOVE) != 0) {
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op))
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_hash:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete lookup hash table");
}
}
return 0;
diff --git a/contrib/ipfilter/lib/load_hashnode.c b/contrib/ipfilter/lib/load_hashnode.c
index 3c3416d..2aac433 100644
--- a/contrib/ipfilter/lib/load_hashnode.c
+++ b/contrib/ipfilter/lib/load_hashnode.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_hashnode.c,v 1.2.4.2 2006/06/16 17:21:05 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,22 +14,21 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int load_hashnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-iphtent_t *node;
-ioctlfunc_t iocfunc;
+int
+load_hashnode(unit, name, node, ttl, iocfunc)
+ int unit;
+ char *name;
+ iphtent_t *node;
+ int ttl;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtent_t ipe;
+ char *what;
int err;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_HASH;
@@ -40,6 +39,8 @@ ioctlfunc_t iocfunc;
strncpy(op.iplo_name, name, sizeof(op.iplo_name));
bzero((char *)&ipe, sizeof(ipe));
+ ipe.ipe_family = node->ipe_family;
+ ipe.ipe_die = ttl;
bcopy((char *)&node->ipe_addr, (char *)&ipe.ipe_addr,
sizeof(ipe.ipe_addr));
bcopy((char *)&node->ipe_mask, (char *)&ipe.ipe_mask,
@@ -47,15 +48,20 @@ ioctlfunc_t iocfunc;
bcopy((char *)&node->ipe_group, (char *)&ipe.ipe_group,
sizeof(ipe.ipe_group));
- if ((opts & OPT_REMOVE) == 0)
- err = (*iocfunc)(hashfd, SIOCLOOKUPADDNODE, &op);
- else
- err = (*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op);
+ if ((opts & OPT_REMOVE) == 0) {
+ what = "add";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPADDNODE, &op);
+ } else {
+ what = "delete";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op);
+ }
if (err != 0)
if (!(opts & OPT_DONOTHING)) {
- perror("load_hash:SIOCLOOKUP*NODE");
- return -1;
+ char msg[80];
+
+ sprintf(msg, "%s node from lookup hash table", what);
+ return ipf_perror_fd(pool_fd(), iocfunc, msg);
}
return 0;
}
diff --git a/contrib/ipfilter/lib/load_http.c b/contrib/ipfilter/lib/load_http.c
index 38d0b67..88fc1e3 100644
--- a/contrib/ipfilter/lib/load_http.c
+++ b/contrib/ipfilter/lib/load_http.c
@@ -1,12 +1,28 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_http.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
+ * $Id: load_http.c,v 1.5.2.5 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
+#include <ctype.h>
+
+/*
+ * Because the URL can be included twice into the buffer, once as the
+ * full path for the "GET" and once as the "Host:", the buffer it is
+ * put in needs to be larger than 512*2 to make room for the supporting
+ * text. Why not just use snprintf and truncate? The warning about the
+ * URL being too long tells you something is wrong and does not fetch
+ * any data - just truncating the URL (with snprintf, etc) and sending
+ * that to the server is allowing an unknown and unintentioned action
+ * to happen.
+ */
+#define MAX_URL_LEN 512
+#define LOAD_BUFSIZE (MAX_URL_LEN * 2 + 128)
/*
* Format expected is one addres per line, at the start of each line.
@@ -14,19 +30,18 @@
alist_t *
load_http(char *url)
{
- char *s, *t, *u, buffer[1044], *myurl;
+ int fd, len, left, port, endhdr, removed, linenum = 0;
+ char *s, *t, *u, buffer[LOAD_BUFSIZE], *myurl;
alist_t *a, *rtop, *rbot;
- struct sockaddr_in sin;
- struct hostent *host;
size_t avail;
- int fd, len, left, port, endhdr, removed;
int error;
/*
* More than this would just be absurd.
*/
- if (strlen(url) > 512) {
- fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
+ if (strlen(url) > MAX_URL_LEN) {
+ fprintf(stderr, "load_http has a URL > %d bytes?!\n",
+ MAX_URL_LEN);
return NULL;
}
@@ -56,6 +71,15 @@ load_http(char *url)
}
*t++ = '\0';
+ /*
+ * 10 is the length of 'Host: \r\n\r\n' below.
+ */
+ if (strlen(s) + strlen(buffer) + 10 > sizeof(buffer)) {
+ fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
+ free(myurl);
+ return NULL;
+ }
+
u = strchr(s, '@');
if (u != NULL)
s = u + 1; /* AUTH */
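Review bot: The new length check leaves no room for the terminating NUL: `strlen(s) + strlen(buffer) + 10 > sizeof(buffer)` accepts a total of exactly `sizeof(buffer)` characters, which needs one byte more than the array holds. Use `>=` instead: `if (strlen(s) + strlen(buffer) + 10 >= sizeof(buffer)) {`. The code that appends the Host header is outside this hunk, so whether the limit is reachable with MAX_URL_LEN at 512 cannot be confirmed from here, but the guard should be correct on its own terms.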
@@ -76,28 +100,11 @@ load_http(char *url)
port = 80;
}
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_port = htons(port);
-
- if (isdigit(*s)) {
- if (inet_aton(s, &sin.sin_addr) == -1) {
- goto done;
- }
- } else {
- host = gethostbyname(s);
- if (host == NULL)
- goto done;
- memcpy(&sin.sin_addr, host->h_addr_list[0],
- sizeof(sin.sin_addr));
- }
- fd = socket(AF_INET, SOCK_STREAM, 0);
+ fd = connecttcp(s, port);
if (fd == -1)
goto done;
- if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1)
- goto done;
len = strlen(buffer);
if (write(fd, buffer, len) != len)
@@ -150,30 +157,40 @@ load_http(char *url)
if (t == NULL)
break;
- *t++ = '\0';
- for (u = buffer; isdigit(*u) || (*u == '.'); u++)
- ;
- if (*u == '/') {
- char *slash;
-
- slash = u;
- u++;
- while (isdigit(*u))
- u++;
- if (!isspace(*u) && *u)
- u = slash;
+ linenum++;
+ *t = '\0';
+
+ /*
+ * Remove comment and continue to the next line if
+ * the comment is at the start of the line.
+ */
+ u = strchr(buffer, '#');
+ if (u != NULL) {
+ *u = '\0';
+ if (u == buffer)
+ continue;
}
- *u = '\0';
- a = alist_new(4, buffer);
+ /*
+ * Trim off tailing white spaces, will include \r
+ */
+ for (u = t - 1; (u >= buffer) && ISSPACE(*u); u--)
+ *u = '\0';
+
+ a = alist_new(AF_UNSPEC, buffer);
if (a != NULL) {
if (rbot != NULL)
rbot->al_next = a;
else
rtop = a;
rbot = a;
+ } else {
+ fprintf(stderr,
+ "%s:%d unrecognised content:%s\n",
+ url, linenum, buffer);
}
+ t++;
removed = t - buffer;
memmove(buffer, t, sizeof(buffer) - left - removed);
s -= removed;
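Review bot: The `continue` taken when `#` is the first character skips `t++`, `removed = t - buffer` and the `memmove()`, so the comment line is never consumed and `buffer[0]` is left as NUL. If the enclosing loop finds the next line with `strchr(buffer, '\n')` (its header is outside this hunk), everything after the first full-line comment would be silently dropped from a list that feeds the filter tables. Guard the insertion instead of leaving the iteration: wrap the `alist_new()` block in `if (buffer[0] != '\0') { ... }` so the bookkeeping at the bottom always runs, which also stops blank lines from being reported as unrecognised content. Whitespace between an address and a trailing `#` is not trimmed either, because the trim starts at `t - 1` rather than at the end of the shortened string; load_file.c trims from `strlen(t) + t - 1`.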
diff --git a/contrib/ipfilter/lib/load_pool.c b/contrib/ipfilter/lib/load_pool.c
index 08baae7..190a2df 100644
--- a/contrib/ipfilter/lib/load_pool.c
+++ b/contrib/ipfilter/lib/load_pool.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_pool.c,v 1.14.2.4 2006/06/16 17:21:06 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,20 +14,17 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
-static int poolfd = -1;
-
-int load_pool(plp, iocfunc)
-ip_pool_t *plp;
-ioctlfunc_t iocfunc;
+int
+load_pool(plp, iocfunc)
+ ip_pool_t *plp;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
ip_pool_node_t *a;
ip_pool_t pool;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_unit = plp->ipo_unit;
@@ -37,16 +34,18 @@ ioctlfunc_t iocfunc;
op.iplo_size = sizeof(pool);
op.iplo_struct = &pool;
bzero((char *)&pool, sizeof(pool));
+ pool.ipo_unit = plp->ipo_unit;
strncpy(pool.ipo_name, plp->ipo_name, sizeof(pool.ipo_name));
if (plp->ipo_name[0] == '\0')
op.iplo_arg |= IPOOL_ANON;
if ((opts & OPT_REMOVE) == 0) {
- if ((*iocfunc)(poolfd, SIOCLOOKUPADDTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPADDTABLE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_pool:SIOCLOOKUPADDTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "add lookup table");
}
+ }
}
if (op.iplo_arg & IPOOL_ANON)
@@ -54,18 +53,19 @@ ioctlfunc_t iocfunc;
if ((opts & OPT_VERBOSE) != 0) {
pool.ipo_list = plp->ipo_list;
- printpool(&pool, bcopywrap, pool.ipo_name, opts);
+ (void) printpool(&pool, bcopywrap, pool.ipo_name, opts, NULL);
pool.ipo_list = NULL;
}
for (a = plp->ipo_list; a != NULL; a = a->ipn_next)
- load_poolnode(plp->ipo_unit, pool.ipo_name, a, iocfunc);
+ load_poolnode(plp->ipo_unit, pool.ipo_name,
+ a, 0, iocfunc);
if ((opts & OPT_REMOVE) != 0) {
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op))
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_pool:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete lookup table");
}
}
return 0;
diff --git a/contrib/ipfilter/lib/load_poolnode.c b/contrib/ipfilter/lib/load_poolnode.c
index 110a8b9..5afca84 100644
--- a/contrib/ipfilter/lib/load_poolnode.c
+++ b/contrib/ipfilter/lib/load_poolnode.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_poolnode.c,v 1.3.2.3 2006/06/16 17:21:06 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,22 +14,21 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
-static int poolfd = -1;
-
-int load_poolnode(role, name, node, iocfunc)
-int role;
-char *name;
-ip_pool_node_t *node;
-ioctlfunc_t iocfunc;
+int
+load_poolnode(role, name, node, ttl, iocfunc)
+ int role;
+ char *name;
+ ip_pool_node_t *node;
+ int ttl;
+ ioctlfunc_t iocfunc;
{
ip_pool_node_t pn;
iplookupop_t op;
+ char *what;
int err;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_unit = role;
@@ -45,17 +44,25 @@ ioctlfunc_t iocfunc;
bcopy((char *)&node->ipn_mask, (char *)&pn.ipn_mask,
sizeof(pn.ipn_mask));
pn.ipn_info = node->ipn_info;
+ pn.ipn_die = ttl;
strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name));
- if ((opts & OPT_REMOVE) == 0)
- err = (*iocfunc)(poolfd, SIOCLOOKUPADDNODE, &op);
- else
- err = (*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op);
+ if ((opts & OPT_REMOVE) == 0) {
+ what = "add";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPADDNODE, &op);
+ } else {
+ what = "delete";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op);
+ }
if (err != 0) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_poolnode:SIOCLOOKUP*NODE");
- return -1;
+ char msg[80];
+
+ sprintf(msg, "%s pool node(%s/", what,
+ inet_ntoa(pn.ipn_addr.adf_addr.in4));
+ strcat(msg, inet_ntoa(pn.ipn_mask.adf_addr.in4));
+ return ipf_perror_fd(pool_fd(), iocfunc, msg);
}
}
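Review bot: The new error text is built unconditionally from `pn.ipn_addr.adf_addr.in4` and `pn.ipn_mask.adf_addr.in4`, so for a node that is not IPv4 (this commit moves the list loaders to `AF_UNSPEC`) it would print an unrelated dotted quad, and the `(` opened in the format string is never closed. Add `strcat(msg, ")");` after the mask and choose the formatter by the node's address family; the family field is not visible in this hunk, so its name needs checking against `ip_pool_node_t`. The `sprintf()`/`strcat()` pair fits in `msg[80]` for two IPv4 strings, but bounded calls with `sizeof(msg)` would keep that true once IPv6 text is added.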
diff --git a/contrib/ipfilter/lib/load_url.c b/contrib/ipfilter/lib/load_url.c
index 7709153..dcda4c0 100644
--- a/contrib/ipfilter/lib/load_url.c
+++ b/contrib/ipfilter/lib/load_url.c
@@ -1,9 +1,9 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_url.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
+ * $Id: load_url.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
@@ -13,11 +13,11 @@ load_url(char *url)
{
alist_t *hosts = NULL;
- if (strncmp(url, "file://", 7) == 0) {
- /*
+ if (strncmp(url, "file://", 7) == 0) {
+ /*
* file:///etc/passwd
* ^------------s
- */
+ */
hosts = load_file(url);
} else if (*url == '/' || *url == '.') {
@@ -27,5 +27,5 @@ load_url(char *url)
hosts = load_http(url);
}
- return hosts;
+ return hosts;
}
diff --git a/contrib/ipfilter/lib/mb_hexdump.c b/contrib/ipfilter/lib/mb_hexdump.c
new file mode 100644
index 0000000..6da6563
--- /dev/null
+++ b/contrib/ipfilter/lib/mb_hexdump.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: mb_hexdump.c,v 1.1.2.3 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+void
+mb_hexdump(m, fp)
+ mb_t *m;
+ FILE *fp;
+{
+ u_char *s;
+ int len;
+ int i;
+
+ for (; m != NULL; m = m->mb_next) {
+ len = m->mb_len;
+ for (s = (u_char *)m->mb_data, i = 0; i < len; i++) {
+ fprintf(fp, "%02x", *s++ & 0xff);
+ if (len - i > 1) {
+ i++;
+ fprintf(fp, "%02x", *s++ & 0xff);
+ }
+ fputc(' ', fp);
+ }
+ }
+ fputc('\n', fp);
+}
diff --git a/contrib/ipfilter/lib/msgdsize.c b/contrib/ipfilter/lib/msgdsize.c
new file mode 100644
index 0000000..9bdc584
--- /dev/null
+++ b/contrib/ipfilter/lib/msgdsize.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: msgdsize.c,v 1.2.4.3 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+size_t msgdsize(orig)
+ mb_t *orig;
+{
+ size_t sz = 0;
+ mb_t *m;
+
+ for (m = orig; m != NULL; m = m->mb_next)
+ sz += m->mb_len;
+ return sz;
+}
diff --git a/contrib/ipfilter/lib/mutex_emul.c b/contrib/ipfilter/lib/mutex_emul.c
index 3983f04..1846701 100644
--- a/contrib/ipfilter/lib/mutex_emul.c
+++ b/contrib/ipfilter/lib/mutex_emul.c
@@ -1,22 +1,30 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: mutex_emul.c,v 1.2.4.1 2006/06/16 17:21:06 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#define EMM_MAGIC 0x9d7adba3
-void eMmutex_enter(mtx, file, line)
-eMmutex_t *mtx;
-char *file;
-int line;
+static int mutex_debug = 0;
+static FILE *mutex_file = NULL;
+static int initcount = 0;
+
+void
+eMmutex_enter(mtx, file, line)
+ eMmutex_t *mtx;
+ char *file;
+ int line;
{
+ if (mutex_debug & 2)
+ fprintf(mutex_file, "%s:%d:eMmutex_enter(%s)\n", file, line,
+ mtx->eMm_owner);
if (mtx->eMm_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMmutex_enter(%p): bad magic: %#x\n",
mtx->eMm_owner, mtx, mtx->eMm_magic);
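Review bot: The debug `fprintf()` added at the top of eMmutex_enter formats `mtx->eMm_owner` with `%s` before the `eMm_magic` test has established that `mtx` was initialised, so with bit 2 of `mutex_debug` set an uninitialised or corrupted mutex is dereferenced as a string instead of reaching the bad-magic abort. eMmutex_exit and eMmutex_destroy in the following hunks have the same ordering. `mutex_file` can also be NULL at that point: the `fopen("ipf_mutex_log", "w")` in eMmutex_init is not checked, and enter/exit never open the file themselves. Move the trace below the magic test and guard it with `if ((mutex_debug & 2) && mutex_file != NULL)`, printing `mtx->eMm_owner ? mtx->eMm_owner : "(none)"`, since the init path visible later in this diff can store NULL as the owner.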
@@ -33,9 +41,15 @@ int line;
}
-void eMmutex_exit(mtx)
-eMmutex_t *mtx;
+void
+eMmutex_exit(mtx, file, line)
+ eMmutex_t *mtx;
+ char *file;
+ int line;
{
+ if (mutex_debug & 2)
+ fprintf(mutex_file, "%s:%d:eMmutex_exit(%s)\n", file, line,
+ mtx->eMm_owner);
if (mtx->eMm_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMmutex_exit(%p): bad magic: %#x\n",
mtx->eMm_owner, mtx, mtx->eMm_magic);
@@ -52,10 +66,18 @@ eMmutex_t *mtx;
}
-void eMmutex_init(mtx, who)
-eMmutex_t *mtx;
-char *who;
+void
+eMmutex_init(mtx, who, file, line)
+ eMmutex_t *mtx;
+ char *who;
+ char *file;
+ int line;
{
+ if (mutex_file == NULL && mutex_debug)
+ mutex_file = fopen("ipf_mutex_log", "w");
+ if (mutex_debug & 1)
+ fprintf(mutex_file, "%s:%d:eMmutex_init(%p,%s)\n",
+ file, line, mtx, who);
if (mtx->eMm_magic == EMM_MAGIC) { /* safe bet ? */
fprintf(stderr,
"%s:eMmutex_init(%p): already initialised?: %#x\n",
@@ -68,21 +90,44 @@ char *who;
mtx->eMm_owner = strdup(who);
else
mtx->eMm_owner = NULL;
+ initcount++;
}
-void eMmutex_destroy(mtx)
-eMmutex_t *mtx;
+void
+eMmutex_destroy(mtx, file, line)
+ eMmutex_t *mtx;
+ char *file;
+ int line;
{
+ if (mutex_debug & 1)
+ fprintf(mutex_file,
+ "%s:%d:eMmutex_destroy(%p,%s)\n", file, line,
+ mtx, mtx->eMm_owner);
if (mtx->eMm_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMmutex_destroy(%p): bad magic: %#x\n",
mtx->eMm_owner, mtx, mtx->eMm_magic);
abort();
}
if (mtx->eMm_held != 0) {
- fprintf(stderr, "%s:eMmutex_enter(%p): still locked: %d\n",
+ fprintf(stderr,
+ "%s:eMmutex_enter(%p): still locked: %d\n",
mtx->eMm_owner, mtx, mtx->eMm_held);
abort();
}
+ if (mtx->eMm_owner != NULL)
+ free(mtx->eMm_owner);
memset(mtx, 0xa5, sizeof(*mtx));
+ initcount--;
+}
+
+
+void
+ipf_mutex_clean()
+{
+ if (initcount != 0) {
+ if (mutex_file)
+ fprintf(mutex_file, "initcount %d\n", initcount);
+ abort();
+ }
}
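Review bot: The rewrapped "still locked" message in eMmutex_destroy still names `eMmutex_enter`, which points whoever reads the abort output at the wrong function; since the line is being touched anyway, make it `"%s:eMmutex_destroy(%p): still locked: %d\n"`. In ipf_mutex_clean the count is only written when `mutex_file` is set, so with debugging off the process aborts without saying why; `fprintf(stderr, "ipf_mutex_clean: initcount %d\n", initcount);` before `abort()` would make a leaked mutex diagnosable. The `if (mtx->eMm_owner != NULL)` guard before `free()` is not needed.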
diff --git a/contrib/ipfilter/lib/nametokva.c b/contrib/ipfilter/lib/nametokva.c
index deee439..8e7af94 100644
--- a/contrib/ipfilter/lib/nametokva.c
+++ b/contrib/ipfilter/lib/nametokva.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: nametokva.c,v 1.1.4.1 2006/06/16 17:21:07 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -14,8 +14,8 @@
#include <fcntl.h>
ipfunc_t nametokva(name, iocfunc)
-char *name;
-ioctlfunc_t iocfunc;
+ char *name;
+ ioctlfunc_t iocfunc;
{
ipfunc_resolve_t res;
int fd;
@@ -24,7 +24,7 @@ ioctlfunc_t iocfunc;
res.ipfu_addr = NULL;
fd = -1;
- if ((opts & OPT_DONOTHING) == 0) {
+ if ((opts & OPT_DONTOPEN) == 0) {
fd = open(IPL_NAME, O_RDONLY);
if (fd == -1)
return NULL;
diff --git a/contrib/ipfilter/lib/nat_setgroupmap.c b/contrib/ipfilter/lib/nat_setgroupmap.c
index 08b1a0a..15c21f6 100644
--- a/contrib/ipfilter/lib/nat_setgroupmap.c
+++ b/contrib/ipfilter/lib/nat_setgroupmap.c
@@ -1,33 +1,33 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: nat_setgroupmap.c,v 1.1.4.1 2006/06/16 17:21:07 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include "ipf.h"
void nat_setgroupmap(n)
-ipnat_t *n;
+ ipnat_t *n;
{
- if (n->in_outmsk == n->in_inmsk)
+ if (n->in_nsrcmsk == n->in_osrcmsk)
n->in_ippip = 1;
else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
+ n->in_ippip = ~ntohl(n->in_osrcmsk);
+ if (n->in_nsrcmsk != 0xffffffff)
+ n->in_ippip /= (~ntohl(n->in_nsrcmsk) + 1);
n->in_ippip++;
if (n->in_ippip == 0)
n->in_ippip = 1;
n->in_ppip = USABLE_PORTS / n->in_ippip;
} else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
+ n->in_space = USABLE_PORTS * ~ntohl(n->in_nsrcmsk);
+ n->in_snip = 0;
+ if (!(n->in_ppip = n->in_spmin))
n->in_ppip = 1;
n->in_ippip = USABLE_PORTS / n->in_ppip;
}
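Review bot: `n->in_ippip /= (~ntohl(n->in_nsrcmsk) + 1);` divides by zero when `in_nsrcmsk` is 0, because `~0 + 1` wraps to 0 in 32-bit unsigned arithmetic (assuming the mask is a 32-bit unsigned field, as the `0xffffffff` comparison suggests). The `!= 0xffffffff` guard only excludes the case where the divisor would be 1, which is harmless. The rename carries the old expression over unchanged, but the guard should test the dangerous value, e.g. `if (n->in_nsrcmsk != 0)` around the division, with the intended result for a zero mask chosen by the author. The function body continues past the end of this hunk.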
diff --git a/contrib/ipfilter/lib/ntomask.c b/contrib/ipfilter/lib/ntomask.c
index ba91a65..98e3b26 100644
--- a/contrib/ipfilter/lib/ntomask.c
+++ b/contrib/ipfilter/lib/ntomask.c
@@ -1,28 +1,28 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ntomask.c,v 1.6.2.1 2006/06/16 17:21:07 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-int ntomask(v, nbits, ap)
-int v, nbits;
-u_32_t *ap;
+int ntomask(family, nbits, ap)
+ int family, nbits;
+ u_32_t *ap;
{
u_32_t mask;
if (nbits < 0)
return -1;
- switch (v)
+ switch (family)
{
- case 4 :
- if (nbits > 32 || use_inet6 != 0)
+ case AF_INET :
+ if (nbits > 32 || use_inet6 == 1)
return -1;
if (nbits == 0) {
mask = 0;
@@ -33,8 +33,9 @@ u_32_t *ap;
*ap = htonl(mask);
break;
- case 6 :
- if ((nbits > 128) || (use_inet6 == 0))
+ case 0 :
+ case AF_INET6 :
+ if ((nbits > 128) || (use_inet6 == -1))
return -1;
fill6bits(nbits, ap);
break;
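Review bot: `case 0 :` should be spelled `case AF_UNSPEC :`, matching the `alist_new(AF_UNSPEC, ...)` calls elsewhere in this commit, and it needs a one-line comment saying why an unspecified family is handled as IPv6. With this fall-through, a caller that passes family 0 together with an IPv4-sized `ap` has `fill6bits(nbits, ap)` working through that pointer for up to 128 bits. fill6bits is not visible here, so how many words it writes should be confirmed against the callers. The switch continues outside this hunk.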
diff --git a/contrib/ipfilter/lib/optname.c b/contrib/ipfilter/lib/optname.c
index f41cab1..2bc811b 100644
--- a/contrib/ipfilter/lib/optname.c
+++ b/contrib/ipfilter/lib/optname.c
@@ -1,20 +1,20 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optname.c,v 1.3.4.1 2006/06/16 17:21:07 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
+ char ***cp;
+ u_short *sp;
+ int linenum;
{
struct ipopt_names *io, *so;
u_long msk = 0;
diff --git a/contrib/ipfilter/lib/optprint.c b/contrib/ipfilter/lib/optprint.c
index 81a3287..8b1f5cd 100644
--- a/contrib/ipfilter/lib/optprint.c
+++ b/contrib/ipfilter/lib/optprint.c
@@ -1,18 +1,18 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optprint.c,v 1.6.4.2 2006/06/16 17:21:08 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
void optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
+ u_short *sec;
+ u_long optmsk, optbits;
{
u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io, *so;
diff --git a/contrib/ipfilter/lib/optprintv6.c b/contrib/ipfilter/lib/optprintv6.c
index f6ea6ec..752d1b3 100644
--- a/contrib/ipfilter/lib/optprintv6.c
+++ b/contrib/ipfilter/lib/optprintv6.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optprintv6.c,v 1.2.4.1 2006/06/16 17:21:08 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -13,14 +13,14 @@
#ifdef USE_INET6
void optprintv6(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
+ u_short *sec;
+ u_long optmsk, optbits;
{
u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io;
char *s;
- s = " v6hdrs ";
+ s = " v6hdr ";
for (io = v6ionames; io->on_name; io++)
if ((io->on_bit & optmsk) &&
((io->on_bit & optmsk) == (io->on_bit & optbits))) {
diff --git a/contrib/ipfilter/lib/optvalue.c b/contrib/ipfilter/lib/optvalue.c
index aa1ef2e..5bc1f42 100644
--- a/contrib/ipfilter/lib/optvalue.c
+++ b/contrib/ipfilter/lib/optvalue.c
@@ -1,17 +1,17 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optvalue.c,v 1.2.4.1 2006/06/16 17:21:08 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
u_32_t getoptbyname(optname)
-char *optname;
+ char *optname;
{
struct ipopt_names *io;
@@ -23,7 +23,7 @@ char *optname;
u_32_t getoptbyvalue(optval)
-int optval;
+ int optval;
{
struct ipopt_names *io;
diff --git a/contrib/ipfilter/lib/parsefields.c b/contrib/ipfilter/lib/parsefields.c
new file mode 100644
index 0000000..241496c
--- /dev/null
+++ b/contrib/ipfilter/lib/parsefields.c
@@ -0,0 +1,48 @@
+#include "ipf.h"
+
+extern int nohdrfields;
+
+wordtab_t *parsefields(table, arg)
+ wordtab_t *table;
+ char *arg;
+{
+ wordtab_t *f, *fields;
+ char *s, *t;
+ int num;
+
+ fields = NULL;
+ num = 0;
+
+ for (s = strtok(arg, ","); s != NULL; s = strtok(NULL, ",")) {
+ t = strchr(s, '=');
+ if (t != NULL) {
+ *t++ = '\0';
+ if (*t == '\0')
+ nohdrfields = 1;
+ }
+
+ f = findword(table, s);
+ if (f == NULL) {
+ fprintf(stderr, "Unknown field '%s'\n", s);
+ exit(1);
+ }
+
+ num++;
+ if (fields == NULL) {
+ fields = malloc(2 * sizeof(*fields));
+ } else {
+ fields = realloc(fields, (num + 1) * sizeof(*fields));
+ }
+
+ if (t == NULL) {
+ fields[num - 1].w_word = f->w_word;
+ } else {
+ fields[num - 1].w_word = t;
+ }
+ fields[num - 1].w_value = f->w_value;
+ fields[num].w_word = NULL;
+ fields[num].w_value = 0;
+ }
+
+ return fields;
+}
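Review bot: The results of `malloc()` and `realloc()` inside the loop are used without a NULL check, so an allocation failure is followed directly by the write to `fields[num - 1]`, and assigning `realloc()` straight back to `fields` loses the old block. Because `realloc(NULL, n)` behaves like `malloc(n)`, one checked call can replace the if/else. A comment should also state that `arg` is modified by `strtok()` and that a `w_word` taken from a `name=value` token points into `arg`, so the caller has to keep that buffer alive for as long as the returned table is used.

```c
	wordtab_t *f, *fields, *nf;
	/* ... unchanged: tokenising and findword() lookup ... */
		num++;
		/* realloc(NULL, n) acts as malloc(n), so one call covers both cases */
		nf = realloc(fields, (num + 1) * sizeof(*fields));
		if (nf == NULL) {
			fprintf(stderr, "out of memory\n");
			free(fields);
			exit(1);
		}
		fields = nf;
	/* ... unchanged: filling fields[num - 1] and the terminator ... */
```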
diff --git a/contrib/ipfilter/lib/parseipfexpr.c b/contrib/ipfilter/lib/parseipfexpr.c
new file mode 100644
index 0000000..9a2a207
--- /dev/null
+++ b/contrib/ipfilter/lib/parseipfexpr.c
@@ -0,0 +1,283 @@
+#include "ipf.h"
+#include <ctype.h>
+
+
+typedef struct ipfopentry {
+ int ipoe_cmd;
+ int ipoe_nbasearg;
+ int ipoe_maxarg;
+ int ipoe_argsize;
+ char *ipoe_word;
+} ipfopentry_t;
+
+static ipfopentry_t opwords[17] = {
+ { IPF_EXP_IP_ADDR, 2, 0, 1, "ip.addr" },
+ { IPF_EXP_IP6_ADDR, 2, 0, 4, "ip6.addr" },
+ { IPF_EXP_IP_PR, 1, 0, 1, "ip.p" },
+ { IPF_EXP_IP_SRCADDR, 2, 0, 1, "ip.src" },
+ { IPF_EXP_IP_DSTADDR, 2, 0, 1, "ip.dst" },
+ { IPF_EXP_IP6_SRCADDR, 2, 0, 4, "ip6.src" },
+ { IPF_EXP_IP6_DSTADDR, 2, 0, 4, "ip6.dst" },
+ { IPF_EXP_TCP_PORT, 1, 0, 1, "tcp.port" },
+ { IPF_EXP_TCP_DPORT, 1, 0, 1, "tcp.dport" },
+ { IPF_EXP_TCP_SPORT, 1, 0, 1, "tcp.sport" },
+ { IPF_EXP_TCP_FLAGS, 2, 0, 1, "tcp.flags" },
+ { IPF_EXP_UDP_PORT, 1, 0, 1, "udp.port" },
+ { IPF_EXP_UDP_DPORT, 1, 0, 1, "udp.dport" },
+ { IPF_EXP_UDP_SPORT, 1, 0, 1, "udp.sport" },
+ { IPF_EXP_TCP_STATE, 1, 0, 1, "tcp.state" },
+ { IPF_EXP_IDLE_GT, 1, 1, 1, "idle-gt" },
+ { -1, 0, 0, 0, NULL }
+};
+
+
+int *
+parseipfexpr(line, errorptr)
+ char *line;
+ char **errorptr;
+{
+ int not, items, asize, *oplist, osize, i;
+ char *temp, *arg, *s, *t, *ops, *error;
+ ipfopentry_t *e;
+ ipfexp_t *ipfe;
+
+ asize = 0;
+ error = NULL;
+ oplist = NULL;
+
+ temp = strdup(line);
+ if (temp == NULL) {
+ error = "strdup failed";
+ goto parseerror;
+ }
+
+ /*
+ * Eliminate any white spaces to make parsing easier.
+ */
+ for (s = temp; *s != '\0'; ) {
+ if (ISSPACE(*s))
+ strcpy(s, s + 1);
+ else
+ s++;
+ }
+
+ /*
+ * Parse the string.
+ * It should be sets of "ip.dst=1.2.3.4/32;" things.
+ * There must be a "=" or "!=" and it must end in ";".
+ */
+ if (temp[strlen(temp) - 1] != ';') {
+ error = "last character not ';'";
+ goto parseerror;
+ }
+
+ /*
+ * Work through the list of complete operands present.
+ */
+ for (ops = strtok(temp, ";"); ops != NULL; ops = strtok(NULL, ";")) {
+ arg = strchr(ops, '=');
+ if ((arg < ops + 2) || (arg == NULL)) {
+ error = "bad 'arg' vlaue";
+ goto parseerror;
+ }
+
+ if (*(arg - 1) == '!') {
+ *(arg - 1) = '\0';
+ not = 1;
+ } else {
+ not = 0;
+ }
+ *arg++ = '\0';
+
+
+ for (e = opwords; e->ipoe_word; e++) {
+ if (strcmp(ops, e->ipoe_word) == 0)
+ break;
+ }
+ if (e->ipoe_word == NULL) {
+ error = malloc(32);
+ if (error != NULL) {
+ sprintf(error, "keyword (%.10s) not found",
+ ops);
+ }
+ goto parseerror;
+ }
+
+ /*
+ * Count the number of commas so we know how big to
+ * build the array
+ */
+ for (s = arg, items = 1; *s != '\0'; s++)
+ if (*s == ',')
+ items++;
+
+ if ((e->ipoe_maxarg != 0) && (items > e->ipoe_maxarg)) {
+ error = "too many items";
+ goto parseerror;
+ }
+
+ /*
+ * osize will mark the end of where we have filled up to
+ * and is thus where we start putting new data.
+ */
+ osize = asize;
+ asize += 4 + (items * e->ipoe_nbasearg * e->ipoe_argsize);
+ if (oplist == NULL)
+ oplist = calloc(1, sizeof(int) * (asize + 2));
+ else
+ oplist = realloc(oplist, sizeof(int) * (asize + 2));
+ if (oplist == NULL) {
+ error = "oplist alloc failed";
+ goto parseerror;
+ }
+ ipfe = (ipfexp_t *)(oplist + osize);
+ osize += 4;
+ ipfe->ipfe_cmd = e->ipoe_cmd;
+ ipfe->ipfe_not = not;
+ ipfe->ipfe_narg = items * e->ipoe_nbasearg;
+ ipfe->ipfe_size = items * e->ipoe_nbasearg * e->ipoe_argsize;
+ ipfe->ipfe_size += 4;
+
+ for (s = arg; (*s != '\0') && (osize < asize); s = t) {
+ /*
+ * Look for the end of this arg or the ',' to say
+ * there is another following.
+ */
+ for (t = s; (*t != '\0') && (*t != ','); t++)
+ ;
+ if (*t == ',')
+ *t++ = '\0';
+
+ if (!strcasecmp(ops, "ip.addr") ||
+ !strcasecmp(ops, "ip.src") ||
+ !strcasecmp(ops, "ip.dst")) {
+ i6addr_t mask, addr;
+ char *delim;
+
+ delim = strchr(s, '/');
+ if (delim != NULL) {
+ *delim++ = '\0';
+ if (genmask(AF_INET, delim,
+ &mask) == -1) {
+ error = "genmask failed";
+ goto parseerror;
+ }
+ } else {
+ mask.in4.s_addr = 0xffffffff;
+ }
+ if (gethost(AF_INET, s, &addr) == -1) {
+ error = "gethost failed";
+ goto parseerror;
+ }
+
+ oplist[osize++] = addr.in4.s_addr;
+ oplist[osize++] = mask.in4.s_addr;
+
+#ifdef USE_INET6
+ } else if (!strcasecmp(ops, "ip6.addr") ||
+ !strcasecmp(ops, "ip6.src") ||
+ !strcasecmp(ops, "ip6.dst")) {
+ i6addr_t mask, addr;
+ char *delim;
+
+ delim = strchr(s, '/');
+ if (delim != NULL) {
+ *delim++ = '\0';
+ if (genmask(AF_INET6, delim,
+ &mask) == -1) {
+ error = "genmask failed";
+ goto parseerror;
+ }
+ } else {
+ mask.i6[0] = 0xffffffff;
+ mask.i6[1] = 0xffffffff;
+ mask.i6[2] = 0xffffffff;
+ mask.i6[3] = 0xffffffff;
+ }
+ if (gethost(AF_INET6, s, &addr) == -1) {
+ error = "gethost failed";
+ goto parseerror;
+ }
+
+ oplist[osize++] = addr.i6[0];
+ oplist[osize++] = addr.i6[1];
+ oplist[osize++] = addr.i6[2];
+ oplist[osize++] = addr.i6[3];
+ oplist[osize++] = mask.i6[0];
+ oplist[osize++] = mask.i6[1];
+ oplist[osize++] = mask.i6[2];
+ oplist[osize++] = mask.i6[3];
+#endif
+
+ } else if (!strcasecmp(ops, "ip.p")) {
+ int p;
+
+ p = getproto(s);
+ if (p == -1)
+ goto parseerror;
+ oplist[osize++] = p;
+
+ } else if (!strcasecmp(ops, "tcp.flags")) {
+ u_32_t mask, flags;
+ char *delim;
+
+ delim = strchr(s, '/');
+ if (delim != NULL) {
+ *delim++ = '\0';
+ mask = tcpflags(delim);
+ } else {
+ mask = 0xff;
+ }
+ flags = tcpflags(s);
+
+ oplist[osize++] = flags;
+ oplist[osize++] = mask;
+
+
+ } else if (!strcasecmp(ops, "tcp.port") ||
+ !strcasecmp(ops, "tcp.sport") ||
+ !strcasecmp(ops, "tcp.dport") ||
+ !strcasecmp(ops, "udp.port") ||
+ !strcasecmp(ops, "udp.sport") ||
+ !strcasecmp(ops, "udp.dport")) {
+ char proto[4];
+ u_short port;
+
+ strncpy(proto, ops, 3);
+ proto[3] = '\0';
+ if (getport(NULL, s, &port, proto) == -1)
+ goto parseerror;
+ oplist[osize++] = port;
+
+ } else if (!strcasecmp(ops, "tcp.state")) {
+ oplist[osize++] = atoi(s);
+
+ } else {
+ error = "unknown word";
+ goto parseerror;
+ }
+ }
+ }
+
+ free(temp);
+
+ if (errorptr != NULL)
+ *errorptr = NULL;
+
+ for (i = asize; i > 0; i--)
+ oplist[i] = oplist[i - 1];
+
+ oplist[0] = asize + 2;
+ oplist[asize + 1] = IPF_EXP_END;
+
+ return oplist;
+
+parseerror:
+ if (errorptr != NULL)
+ *errorptr = error;
+ if (oplist != NULL)
+ free(oplist);
+ if (temp != NULL)
+ free(temp);
+ return NULL;
+}
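Review bot: Three inputs reach memory errors before any keyword is handled: an empty or all-whitespace `line` makes `temp[strlen(temp) - 1]` index before the buffer, a `line` holding only `;` leaves `oplist` NULL so `oplist[0] = asize + 2` dereferences NULL, and the whitespace stripper calls `strcpy(s, s + 1)` on overlapping regions, which is undefined. The `arg` test also compares the pointer before checking it for NULL; `(arg == NULL) || (arg < ops + 2)` is the safe order. Separately, `error` is sometimes a string literal and sometimes a `malloc(32)` buffer, so a caller cannot tell whether `*errorptr` must be freed, and `idle-gt` is listed in `opwords` but has no branch in the argument loop, so it appears to end in "unknown word".

```c
	/* the two regions overlap, so memmove() rather than strcpy() */
	for (s = temp; *s != '\0'; ) {
		if (ISSPACE(*s))
			memmove(s, s + 1, strlen(s + 1) + 1);
		else
			s++;
	}

	i = strlen(temp);
	if ((i == 0) || (temp[i - 1] != ';')) {
		error = "last character not ';'";
		goto parseerror;
	}

	/* ... unchanged: operand loop ... */

	/* nothing was parsed (e.g. the input was only ";") */
	if (oplist == NULL) {
		error = "no expressions found";
		goto parseerror;
	}

	free(temp);
```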
diff --git a/contrib/ipfilter/lib/parsewhoisline.c b/contrib/ipfilter/lib/parsewhoisline.c
new file mode 100644
index 0000000..526935c
--- /dev/null
+++ b/contrib/ipfilter/lib/parsewhoisline.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: parsewhoisline.c,v 1.2.2.5 2012/07/22 08:04:24 darren_r Exp $
+ */
+#include "ipf.h"
+
+/*
+Microsoft Corp MICROSOFT19 (NET-198-136-97-0-1) 198.137.97.0 - 198.137.97.255
+Microsoft Corp SAVV-S233053-6 (NET-206-79-74-32-1) 206.79.74.32 - 206.79.74.47
+ */
+int
+parsewhoisline(line, addrp, maskp)
+ char *line;
+ addrfamily_t *addrp;
+ addrfamily_t *maskp;
+{
+ struct in_addr a1, a2;
+ char *src = line;
+ char *s = NULL;
+
+ if (line == NULL)
+ return -1;
+
+ while (*src != '\0') {
+ s = strchr(src, '(');
+ if (s == NULL)
+ break;
+
+ if (strncmp(s, "(NET", 4)) {
+ src = s + 1;
+ }
+ break;
+ }
+
+ if (s == NULL)
+ return -1;
+
+ memset(addrp, 0x00, sizeof(*maskp));
+ memset(maskp, 0x00, sizeof(*maskp));
+
+ if (*(s + 4) == '6') {
+#ifdef USE_INET6
+ i6addr_t a61, a62;
+
+ s = strchr(s, ')');
+ if (s == NULL || *++s != ' ')
+ return -1;
+ /*
+ * Parse the IPv6
+ */
+ if (inet_pton(AF_INET6, s, &a61.in6) != 1)
+ return -1;
+
+ s = strchr(s, ' ');
+ if (s == NULL || strncmp(s, " - ", 3))
+ return -1;
+
+ s += 3;
+ if (inet_pton(AF_INET6, s, &a62) != 1)
+ return -1;
+
+ addrp->adf_addr = a61;
+ addrp->adf_family = AF_INET6;
+ addrp->adf_len = offsetof(addrfamily_t, adf_addr) +
+ sizeof(struct in6_addr);
+
+ maskp->adf_addr.i6[0] = ~(a62.i6[0] ^ a61.i6[0]);
+ maskp->adf_addr.i6[1] = ~(a62.i6[1] ^ a61.i6[1]);
+ maskp->adf_addr.i6[2] = ~(a62.i6[2] ^ a61.i6[2]);
+ maskp->adf_addr.i6[3] = ~(a62.i6[3] ^ a61.i6[3]);
+
+ /*
+ * If the mask that's been generated isn't a consecutive mask
+ * then we can't add it into a pool.
+ */
+ if (count6bits(maskp->adf_addr.i6) == -1)
+ return -1;
+
+ maskp->adf_family = AF_INET6;
+ maskp->adf_len = addrp->adf_len;
+
+ if (IP6_MASKNEQ(&addrp->adf_addr.in6, &maskp->adf_addr.in6,
+ &addrp->adf_addr.in6)) {
+ return -1;
+ }
+ return 0;
+#else
+ return -1;
+#endif
+ }
+
+ s = strchr(s, ')');
+ if (s == NULL || *++s != ' ')
+ return -1;
+
+ s++;
+
+ if (inet_aton(s, &a1) != 1)
+ return -1;
+
+ s = strchr(s, ' ');
+ if (s == NULL || strncmp(s, " - ", 3))
+ return -1;
+
+ s += 3;
+ if (inet_aton(s, &a2) != 1)
+ return -1;
+
+ addrp->adf_addr.in4 = a1;
+ addrp->adf_family = AF_INET;
+ addrp->adf_len = offsetof(addrfamily_t, adf_addr) +
+ sizeof(struct in_addr);
+ maskp->adf_addr.in4.s_addr = ~(a2.s_addr ^ a1.s_addr);
+
+ /*
+ * If the mask that's been generated isn't a consecutive mask then
+ * we can't add it into a pool.
+ */
+ if (count4bits(maskp->adf_addr.in4.s_addr) == -1)
+ return -1;
+
+ maskp->adf_family = AF_INET;
+ maskp->adf_len = addrp->adf_len;
+ bzero((char *)maskp + maskp->adf_len, sizeof(*maskp) - maskp->adf_len);
+ if ((addrp->adf_addr.in4.s_addr & maskp->adf_addr.in4.s_addr) !=
+ addrp->adf_addr.in4.s_addr)
+ return -1;
+ return 0;
+}
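Review bot: The search loop ends with an unconditional `break`, so it never moves on to a later `(` when the first one is not `(NET`; `s` then still points at that first parenthesis and `*(s + 4)` can read past the terminating NUL of a short line. Looping until `(NET` is actually found, and falling into the existing `s == NULL` return otherwise, keeps `s + 4` inside the string. In the IPv6 branch `inet_pton()` receives `s` still pointing at the space after `)` and a string that continues with the ` - ` separator and end address, which `inet_pton()` normally rejects, so that branch looks as if it always returns -1; the IPv4 branch does `s++` first. `memset(addrp, 0x00, sizeof(*maskp))` would also read better with `sizeof(*addrp)`.

```c
	/* advance past every '(' that does not start "(NET"; s is NULL if none does */
	for (src = line; (s = strchr(src, '(')) != NULL; src = s + 1) {
		if (strncmp(s, "(NET", 4) == 0)
			break;
	}
```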
diff --git a/contrib/ipfilter/lib/poolio.c b/contrib/ipfilter/lib/poolio.c
new file mode 100644
index 0000000..18cf698
--- /dev/null
+++ b/contrib/ipfilter/lib/poolio.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: poolio.c,v 1.1.2.3 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include "ipf.h"
+#include "netinet/ip_lookup.h"
+#include "netinet/ip_pool.h"
+
+static int poolfd = -1;
+
+
+int
+pool_open()
+{
+
+ if ((opts & OPT_DONTOPEN) != 0)
+ return 0;
+
+ if (poolfd == -1)
+ poolfd = open(IPLOOKUP_NAME, O_RDWR);
+ return poolfd;
+}
+
+int
+pool_ioctl(iocfunc, cmd, ptr)
+ ioctlfunc_t iocfunc;
+ ioctlcmd_t cmd;
+ void *ptr;
+{
+ return (*iocfunc)(poolfd, cmd, ptr);
+}
+
+
+void
+pool_close()
+{
+ if (poolfd != -1) {
+ close(poolfd);
+ poolfd = -1;
+ }
+}
+
+int
+pool_fd()
+{
+ return poolfd;
+}
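Review bot: `pool_open()` returns 0 when `OPT_DONTOPEN` is set, which a caller cannot tell apart from a valid descriptor 0, and `pool_ioctl()` then calls `iocfunc` with `poolfd` still -1. The contract is not documented anywhere in the file; a comment on `pool_open()` such as `/* returns the descriptor, -1 if open() failed, or 0 without opening when OPT_DONTOPEN is set */` would make it explicit, together with a note on `pool_ioctl()` that it relies on a prior successful `pool_open()`.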
diff --git a/contrib/ipfilter/lib/portname.c b/contrib/ipfilter/lib/portname.c
index f0c8625..59345f4 100644
--- a/contrib/ipfilter/lib/portname.c
+++ b/contrib/ipfilter/lib/portname.c
@@ -1,21 +1,22 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: portname.c,v 1.7.2.1 2006/06/16 17:21:09 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-char *portname(pr, port)
-int pr, port;
+char *portname(pr, port)
+ int pr, port;
{
- static char buf[32];
- struct protoent *p = NULL;
- struct servent *sv = NULL, *sv1 = NULL;
+ static char buf[32];
+ struct protoent *p = NULL;
+ struct servent *sv = NULL;
+ struct servent *sv1 = NULL;
if ((opts & OPT_NORESOLVE) == 0) {
if (pr == -1) {
diff --git a/contrib/ipfilter/lib/prependmbt.c b/contrib/ipfilter/lib/prependmbt.c
new file mode 100644
index 0000000..4f7220b
--- /dev/null
+++ b/contrib/ipfilter/lib/prependmbt.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: prependmbt.c,v 1.3.2.3 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+int prependmbt(fin, m)
+ fr_info_t *fin;
+ mb_t *m;
+{
+ m->mb_next = *fin->fin_mp;
+ *fin->fin_mp = m;
+ return 0;
+}
diff --git a/contrib/ipfilter/lib/print_toif.c b/contrib/ipfilter/lib/print_toif.c
index 94a4618..fb4a266 100644
--- a/contrib/ipfilter/lib/print_toif.c
+++ b/contrib/ipfilter/lib/print_toif.c
@@ -1,32 +1,50 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: print_toif.c,v 1.8.4.1 2006/06/16 17:21:09 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
+void
+print_toif(family, tag, base, fdp)
+ int family;
+ char *tag;
+ char *base;
+ frdest_t *fdp;
{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
+ switch (fdp->fd_type)
+ {
+ case FRD_NORMAL :
+ PRINTF("%s %s%s", tag, base + fdp->fd_name,
+ (fdp->fd_ptr || (long)fdp->fd_ptr == -1) ? "" : "(!)");
#ifdef USE_INET6
- if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
- char ipv6addr[80];
+ if (family == AF_INET6) {
+ if (IP6_NOTZERO(&fdp->fd_ip6)) {
+ char ipv6addr[80];
- inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
- sizeof(fdp->fd_ip6));
- printf(":%s", ipv6addr);
- } else
+ inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
+ sizeof(fdp->fd_ip6));
+ PRINTF(":%s", ipv6addr);
+ }
+ } else
#endif
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
+ if (fdp->fd_ip.s_addr)
+ PRINTF(":%s", inet_ntoa(fdp->fd_ip));
+ putchar(' ');
+ break;
+
+ case FRD_DSTLIST :
+ PRINTF("%s dstlist/%s ", tag, base + fdp->fd_name);
+ break;
+
+ default :
+ PRINTF("%s <%d>", tag, fdp->fd_type);
+ break;
+ }
}
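Review bot: The `inet_ntop()` call in the `AF_INET6` branch passes `sizeof(fdp->fd_ip6)` as the size of the output buffer instead of `sizeof(ipv6addr)`, and its return value is ignored. If that size is the 16 bytes of an IPv6 address, any address whose text form is longer fails to convert, and `PRINTF(":%s", ipv6addr)` then prints an uninitialised stack buffer. Suggested: guard the print with `if (inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, sizeof(ipv6addr)) != NULL)`. `base + fdp->fd_name` is also used as a string with no bounds check, so a comment stating that `fd_name` must be a valid offset into `base` would help.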
diff --git a/contrib/ipfilter/lib/printactiveaddr.c b/contrib/ipfilter/lib/printactiveaddr.c
new file mode 100644
index 0000000..531cdc1
--- /dev/null
+++ b/contrib/ipfilter/lib/printactiveaddr.c
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
+ */
+
+#include "ipf.h"
+
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: printactiveaddr.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $";
+#endif
+
+
+void
+printactiveaddress(v, fmt, addr, ifname)
+ int v;
+ char *fmt, *ifname;
+ i6addr_t *addr;
+{
+ switch (v)
+ {
+ case 4 :
+ PRINTF(fmt, inet_ntoa(addr->in4));
+ break;
+#ifdef USE_INET6
+ case 6 :
+ printaddr(AF_INET6, FRI_NORMAL, ifname, 0,
+ (u_32_t *)&addr->in6, NULL);
+ break;
+#endif
+ default :
+ break;
+ }
+}
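Review bot: `fmt` is handed to `PRINTF` as the format string in `case 4`, so every caller must supply a literal containing exactly one `%s`; the function has no comment saying so, and something like `/* fmt: printf format with a single %s for the address; not used for v6 */` should be added. In `case 6` the format is ignored, so the `%-15s` column width requested by the callers in printactivenat.c is not applied to IPv6 addresses. That branch also passes a NULL `mask` to `printaddr()` with `FRI_NORMAL`, which forwards it to `printhostmask()`; whether that function accepts NULL is not visible here and should be confirmed.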
diff --git a/contrib/ipfilter/lib/printactivenat.c b/contrib/ipfilter/lib/printactivenat.c
index a2e2924..c696c0b 100644
--- a/contrib/ipfilter/lib/printactivenat.c
+++ b/contrib/ipfilter/lib/printactivenat.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -12,73 +12,135 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.7 2006/12/12 16:13:00 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-void printactivenat(nat, opts, alive, now)
-nat_t *nat;
-int opts, alive;
-u_long now;
+void
+printactivenat(nat, opts, ticks)
+ nat_t *nat;
+ int opts;
+ u_long ticks;
{
- printf("%s", getnattype(nat, alive));
+ PRINTF("%s", getnattype(nat));
if (nat->nat_flags & SI_CLONE)
- printf(" CLONE");
+ PRINTF(" CLONE");
+ if (nat->nat_phnext[0] == NULL && nat->nat_phnext[1] == NULL)
+ PRINTF(" ORPHAN");
- printf(" %-15s", inet_ntoa(nat->nat_inip));
+ putchar(' ');
+ if (nat->nat_redir & NAT_REWRITE) {
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_osrc6,
+ nat->nat_ifnames[0]);
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_inport));
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_osport));
- printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
+ putchar(' ');
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_odst6,
+ nat->nat_ifnames[0]);
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_outport));
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_odport));
- printf(" [%s", inet_ntoa(nat->nat_oip));
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %hu", ntohs(nat->nat_oport));
- printf("]");
+ PRINTF("<- -> ");
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_nsrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_nsport));
+
+ putchar(' ');
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_ndst6,
+ nat->nat_ifnames[0]);
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_ndport));
+
+ } else if (nat->nat_dir == NAT_OUTBOUND) {
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_osrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_osport));
+
+ PRINTF(" <- -> ");
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_nsrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_nsport));
+
+ PRINTF(" [");
+ printactiveaddress(nat->nat_v[0], "%s", &nat->nat_odst6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %hu", ntohs(nat->nat_odport));
+ PRINTF("]");
+ } else {
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_ndst6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_ndport));
+
+ PRINTF(" <- -> ");
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_odst6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_odport));
+
+ PRINTF(" [");
+ printactiveaddress(nat->nat_v[0], "%s", &nat->nat_osrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %hu", ntohs(nat->nat_osport));
+ PRINTF("]");
+ }
if (opts & OPT_VERBOSE) {
- printf("\n\tttl %lu use %hu sumd %s/",
- nat->nat_age - now, nat->nat_use,
+ PRINTF("\n\tttl %lu use %hu sumd %s/",
+ nat->nat_age - ticks, nat->nat_use,
getsumd(nat->nat_sumd[0]));
- printf("%s pr %u bkt %d/%d flags %x\n",
- getsumd(nat->nat_sumd[1]), nat->nat_p,
+ PRINTF("%s pr %u/%u hash %u/%u flags %x\n",
+ getsumd(nat->nat_sumd[1]),
+ nat->nat_pr[0], nat->nat_pr[1],
nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags);
- printf("\tifp %s", getifname(nat->nat_ifps[0]));
- printf(",%s ", getifname(nat->nat_ifps[1]));
+ PRINTF("\tifp %s", getifname(nat->nat_ifps[0]));
+ PRINTF(",%s ", getifname(nat->nat_ifps[1]));
#ifdef USE_QUAD_T
- printf("bytes %qu/%qu pkts %qu/%qu",
+ PRINTF("bytes %"PRIu64"/%"PRIu64" pkts %"PRIu64"/%"PRIu64"",
(unsigned long long)nat->nat_bytes[0],
(unsigned long long)nat->nat_bytes[1],
(unsigned long long)nat->nat_pkts[0],
(unsigned long long)nat->nat_pkts[1]);
#else
- printf("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0],
+ PRINTF("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0],
nat->nat_bytes[1], nat->nat_pkts[0], nat->nat_pkts[1]);
#endif
- printf(" ipsumd %x", nat->nat_ipsumd);
+ PRINTF(" ipsumd %x", nat->nat_ipsumd);
}
if (opts & OPT_DEBUG) {
- printf("\n\tnat_next %p _pnext %p _hm %p\n",
+ PRINTF("\n\tnat_next %p _pnext %p _hm %p\n",
nat->nat_next, nat->nat_pnext, nat->nat_hm);
- printf("\t_hnext %p/%p _phnext %p/%p\n",
+ PRINTF("\t_hnext %p/%p _phnext %p/%p\n",
nat->nat_hnext[0], nat->nat_hnext[1],
nat->nat_phnext[0], nat->nat_phnext[1]);
- printf("\t_data %p _me %p _state %p _aps %p\n",
- nat->nat_data, nat->nat_me, nat->nat_state, nat->nat_aps);
- printf("\tfr %p ptr %p ifps %p/%p sync %p\n",
+ PRINTF("\t_data %p _me %p _state %p _aps %p\n",
+ nat->nat_data, nat->nat_me, nat->nat_state,
+ nat->nat_aps);
+ PRINTF("\tfr %p ptr %p ifps %p/%p sync %p\n",
nat->nat_fr, nat->nat_ptr, nat->nat_ifps[0],
nat->nat_ifps[1], nat->nat_sync);
- printf("\ttqe:pnext %p next %p ifq %p parent %p/%p\n",
+ PRINTF("\ttqe:pnext %p next %p ifq %p parent %p/%p\n",
nat->nat_tqe.tqe_pnext, nat->nat_tqe.tqe_next,
nat->nat_tqe.tqe_ifq, nat->nat_tqe.tqe_parent, nat);
- printf("\ttqe:die %ld touched %ld flags %x state %d/%d\n",
+ PRINTF("\ttqe:die %d touched %d flags %x state %d/%d\n",
nat->nat_tqe.tqe_die, nat->nat_tqe.tqe_touched,
nat->nat_tqe.tqe_flags, nat->nat_tqe.tqe_state[0],
nat->nat_tqe.tqe_state[1]);
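Review bot: The `USE_QUAD_T` branch now formats with `PRIu64` but still casts its arguments to `unsigned long long`; on platforms where `uint64_t` is `unsigned long` the conversion specifier and the argument type no longer match. Either cast to `(uint64_t)nat->nat_bytes[0]` (and likewise for the other three arguments) or keep a `%llu` format. The same pairing appears in the `USE_QUAD_T` branch of printaps.c in this commit. In the `NAT_REWRITE` branch the separator is `"<- -> "` without the leading space used in the other two branches, and every `printactiveaddress()` call passes `nat->nat_ifnames[0]`, including those for the `nat_v[1]` side, which may be intended but deserves a comment. The function continues past the end of this hunk.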
diff --git a/contrib/ipfilter/lib/printaddr.c b/contrib/ipfilter/lib/printaddr.c
new file mode 100644
index 0000000..03fbacb
--- /dev/null
+++ b/contrib/ipfilter/lib/printaddr.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
+
+#include "ipf.h"
+
+void
+printaddr(family, type, base, ifidx, addr, mask)
+ int family, type, ifidx;
+ char *base;
+ u_32_t *addr, *mask;
+{
+ char *suffix;
+
+ switch (type)
+ {
+ case FRI_BROADCAST :
+ suffix = "bcast";
+ break;
+
+ case FRI_DYNAMIC :
+ PRINTF("%s", base + ifidx);
+ printmask(family, mask);
+ suffix = NULL;
+ break;
+
+ case FRI_NETWORK :
+ suffix = "net";
+ break;
+
+ case FRI_NETMASKED :
+ suffix = "netmasked";
+ break;
+
+ case FRI_PEERADDR :
+ suffix = "peer";
+ break;
+
+ case FRI_LOOKUP :
+ suffix = NULL;
+ printlookup(base, (i6addr_t *)addr, (i6addr_t *)mask);
+ break;
+
+ case FRI_NONE :
+ case FRI_NORMAL :
+ printhostmask(family, addr, mask);
+ suffix = NULL;
+ break;
+ case FRI_RANGE :
+ printhost(family, addr);
+ putchar('-');
+ printhost(family, mask);
+ suffix = NULL;
+ break;
+ case FRI_SPLIT :
+ printhost(family, addr);
+ putchar(',');
+ printhost(family, mask);
+ suffix = NULL;
+ break;
+ default :
+ PRINTF("<%d>", type);
+ printmask(family, mask);
+ suffix = NULL;
+ break;
+ }
+
+ if (suffix != NULL) {
+ PRINTF("%s/%s", base + ifidx, suffix);
+ }
+}
diff --git a/contrib/ipfilter/lib/printaps.c b/contrib/ipfilter/lib/printaps.c
index 87a12cd4..0304f34 100644
--- a/contrib/ipfilter/lib/printaps.c
+++ b/contrib/ipfilter/lib/printaps.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -13,13 +13,14 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printaps.c,v 1.4.2.1 2006/06/16 17:21:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
+void
+printaps(aps, opts, proto)
+ ap_session_t *aps;
+ int opts, proto;
{
ipsec_pxy_t ipsec;
ap_session_t ap;
@@ -31,33 +32,33 @@ int opts;
return;
if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
+ PRINTF("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
+ PRINTF("\tbytes %"PRIu64" pkts %"PRIu64"",
+ (unsigned long long)ap.aps_bytes,
(unsigned long long)ap.aps_pkts);
#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
+ PRINTF("\tbytes %lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
#endif
- printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
+ PRINTF(" data %s\n", ap.aps_data ? "YES" : "NO");
+ if ((proto == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
+ PRINTF("\t\tstate[%u,%u], sel[%d,%d]\n",
ap.aps_state[0], ap.aps_state[1],
ap.aps_sel[0], ap.aps_sel[1]);
#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
(__FreeBSD_version >= 300000) || defined(OpenBSD)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
+ PRINTF("\t\tseq: off %hd/%hd min %x/%x\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
+ PRINTF("\t\tack: off %hd/%hd min %x/%x\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
+ PRINTF("\t\tseq: off %hd/%hd min %lx/%lx\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
+ PRINTF("\t\tack: off %hd/%hd min %lx/%lx\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#endif
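Review bot: `apr.apr_label` is printed with `%s` right after `kmemcpy()` fills `apr` from `ap.aps_apr`, and nothing in the visible code terminates it, whereas the FTP buffers further down are explicitly terminated before they are printed. If `apr_label` is a fixed-size character array, adding `apr.apr_label[sizeof(apr.apr_label) - 1] = '\0';` after the `kmemcpy()` would bound this `%s` and the later `strcmp()` calls on the same field. The function starts and ends outside this hunk.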
@@ -66,43 +67,43 @@ int opts;
if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
+ PRINTF("\tReal Audio Proxy:\n");
+ PRINTF("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
+ PRINTF("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
+ PRINTF("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
ra.rap_plport, ra.rap_prport, ra.rap_srport);
} else if (!strcmp(apr.apr_label, "ftp") &&
(ap.aps_psiz == sizeof(ftp))) {
if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
+ PRINTF("\tFTP Proxy:\n");
+ PRINTF("\t\tpassok: %d\n", ftp.ftp_passok);
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
+ PRINTF("\tClient:\n");
+ PRINTF("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
ftp.ftp_side[0].ftps_seq[0],
ftp.ftp_side[0].ftps_seq[1],
ftp.ftp_side[0].ftps_len, ftp.ftp_side[0].ftps_junk,
ftp.ftp_side[0].ftps_cmds);
- printf("\t\tbuf [");
+ PRINTF("\t\tbuf [");
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
+ PRINTF("]\n\tServer:\n");
+ PRINTF("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
ftp.ftp_side[1].ftps_seq[0],
ftp.ftp_side[1].ftps_seq[1],
ftp.ftp_side[1].ftps_len, ftp.ftp_side[1].ftps_junk,
ftp.ftp_side[1].ftps_cmds);
- printf("\t\tbuf [");
+ PRINTF("\t\tbuf [");
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
+ PRINTF("]\n");
} else if (!strcmp(apr.apr_label, "ipsec") &&
(ap.aps_psiz == sizeof(ipsec))) {
if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
return;
- printf("\tIPSec Proxy:\n");
- printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
+ PRINTF("\tIPSec Proxy:\n");
+ PRINTF("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
(u_int)ntohl(ipsec.ipsc_icookie[0]),
(u_int)ntohl(ipsec.ipsc_icookie[1]),
(u_int)ntohl(ipsec.ipsc_rcookie[0]),
diff --git a/contrib/ipfilter/lib/printbuf.c b/contrib/ipfilter/lib/printbuf.c
index b2e209a..4e9236f0 100644
--- a/contrib/ipfilter/lib/printbuf.c
+++ b/contrib/ipfilter/lib/printbuf.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printbuf.c,v 1.5.4.2 2006/06/16 17:21:10 darrenr Exp $
+ * $Id$
*/
#include <ctype.h>
@@ -13,19 +13,21 @@
#include "ipf.h"
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
+void
+printbuf(buf, len, zend)
+ char *buf;
+ int len, zend;
{
- char *s, c;
+ char *s;
+ int c;
int i;
for (s = buf, i = len; i; i--) {
c = *s++;
- if (ISPRINT(c))
+ if (isprint(c))
putchar(c);
else
- printf("\\%03o", c);
+ PRINTF("\\%03o", c);
if ((c == '\0') && zend)
break;
}
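Review bot: With `c` now an `int` and `isprint(c)` replacing the `ISPRINT` macro, `c = *s++` still reads through a plain `char *`, so where `char` is signed any byte of 0x80 or above becomes a negative value; passing that to `isprint()` is undefined and `\\%03o` prints it as a sign-extended octal number. Reading the byte as `c = (unsigned char)*s++;` fixes both. A negative `len` also keeps `for (s = buf, i = len; i; i--)` running far past the buffer, so the loop condition would be safer as `i > 0`. The end of the function is outside this hunk.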
diff --git a/contrib/ipfilter/lib/printdstl_live.c b/contrib/ipfilter/lib/printdstl_live.c
new file mode 100644
index 0000000..c8741ed
--- /dev/null
+++ b/contrib/ipfilter/lib/printdstl_live.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+#include <sys/ioctl.h>
+#include "ipf.h"
+#include "netinet/ipl.h"
+
+
+/*
+ * Because the ipf_dstnode_t can vary in size because of the interface name,
+ * the size may be larger than just sizeof().
+ */
+ippool_dst_t *
+printdstl_live(d, fd, name, opts, fields)
+ ippool_dst_t *d;
+ int fd;
+ char *name;
+ int opts;
+ wordtab_t *fields;
+{
+ ipf_dstnode_t *entry, *zero;
+ ipflookupiter_t iter;
+ int printed, last;
+ ipfobj_t obj;
+
+ if ((name != NULL) && strncmp(name, d->ipld_name, FR_GROUPLEN))
+ return d->ipld_next;
+
+ entry = calloc(1, sizeof(*entry) + 64);
+ if (entry == NULL)
+ return d->ipld_next;
+ zero = calloc(1, sizeof(*zero) + 64);
+ if (zero == NULL) {
+ free(entry);
+ return d->ipld_next;
+ }
+
+ if (fields == NULL)
+ printdstlistdata(d, opts);
+
+ if ((d->ipld_flags & IPHASH_DELETE) != 0)
+ PRINTF("# ");
+
+ if ((opts & OPT_DEBUG) == 0)
+ PRINTF("\t{");
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_LOOKUPITER;
+ obj.ipfo_ptr = &iter;
+ obj.ipfo_size = sizeof(iter);
+
+ iter.ili_data = entry;
+ iter.ili_type = IPLT_DSTLIST;
+ iter.ili_otype = IPFLOOKUPITER_NODE;
+ iter.ili_ival = IPFGENITER_LOOKUP;
+ iter.ili_unit = d->ipld_unit;
+ strncpy(iter.ili_name, d->ipld_name, FR_GROUPLEN);
+
+ last = 0;
+ printed = 0;
+
+ while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
+ if (entry->ipfd_next == NULL)
+ last = 1;
+ if (bcmp((char *)zero, (char *)entry, sizeof(*zero)) == 0)
+ break;
+ (void) printdstlistnode(entry, bcopywrap, opts, fields);
+ printed++;
+ }
+
+ (void) ioctl(fd, SIOCIPFDELTOK, &iter.ili_key);
+ free(entry);
+ free(zero);
+
+ if (printed == 0)
+ putchar(';');
+
+ if ((opts & OPT_DEBUG) == 0)
+ PRINTF(" };\n");
+ return d->ipld_next;
+}
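Review bot: `iter` and `obj` are stack variables that are only partly assigned before `ioctl(fd, SIOCLOOKUPITER, &obj)`, so `iter.ili_key` and any other members not set here go into the ioctl with indeterminate contents, and `iter.ili_key` is later handed to `SIOCIPFDELTOK`. Zeroing both before the assignments, `bzero((char *)&obj, sizeof(obj)); bzero((char *)&iter, sizeof(iter));`, avoids that. The `+ 64` added to the two `calloc()` sizes is a fixed allowance for the interface name; nothing visible here tells the ioctl how large the buffer is, so it is worth confirming a node can never exceed it. This function tests `IPHASH_DELETE` where printdstlist.c and printdstlistdata.c test `IPDST_DELETE` on the same `ipld_flags` field.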
diff --git a/contrib/ipfilter/lib/printdstlist.c b/contrib/ipfilter/lib/printdstlist.c
new file mode 100644
index 0000000..829a1d2
--- /dev/null
+++ b/contrib/ipfilter/lib/printdstlist.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+#include "ipf.h"
+
+
+ippool_dst_t *
+printdstlist(pp, copyfunc, name, opts, nodes, fields)
+ ippool_dst_t *pp;
+ copyfunc_t copyfunc;
+ char *name;
+ int opts;
+ ipf_dstnode_t *nodes;
+ wordtab_t *fields;
+{
+ ipf_dstnode_t *node;
+ ippool_dst_t dst;
+
+ if ((*copyfunc)(pp, &dst, sizeof(dst)))
+ return NULL;
+
+ if ((name != NULL) && strncmp(name, dst.ipld_name, FR_GROUPLEN))
+ return dst.ipld_next;
+
+ if (fields == NULL)
+ printdstlistdata(&dst, opts);
+
+ if ((dst.ipld_flags & IPDST_DELETE) != 0)
+ PRINTF("# ");
+ if ((opts & OPT_DEBUG) == 0)
+ PRINTF("\t{");
+
+ if (nodes == NULL) {
+ putchar(';');
+ } else {
+ for (node = nodes; node != NULL; ) {
+ ipf_dstnode_t *n;
+
+ n = calloc(1, node->ipfd_size);
+ if (n == NULL)
+ break;
+ if ((*copyfunc)(node, n, node->ipfd_size)) {
+ free(n);
+ return NULL;
+ }
+
+ node = printdstlistnode(n, bcopywrap, opts, fields);
+
+ free(n);
+ }
+ }
+
+ if ((opts & OPT_DEBUG) == 0)
+ PRINTF(" };\n");
+
+ return dst.ipld_next;
+}
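Review bot: `node->ipfd_size` is read straight from `node` before anything has been fetched through copyfunc, unlike `pp`, which is copied into `dst` first. If `nodes` can be an address that is only readable via copyfunc, both the calloc size and the copy length come from an invalid dereference. Copying the fixed header first, `if ((*copyfunc)(node, &hdr, sizeof(hdr))) return NULL;` with a local `ipf_dstnode_t hdr`, and using `hdr.ipfd_size` for the calloc and the second copy keeps every read behind copyfunc. The `return NULL` on a failed node copy also leaves the already printed `{` without its closing ` };`.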
diff --git a/contrib/ipfilter/lib/printdstlistdata.c b/contrib/ipfilter/lib/printdstlistdata.c
new file mode 100644
index 0000000..8b55afd
--- /dev/null
+++ b/contrib/ipfilter/lib/printdstlistdata.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+#include "ipf.h"
+#include <ctype.h>
+
+
+void
+printdstlistdata(pool, opts)
+ ippool_dst_t *pool;
+ int opts;
+{
+
+ if ((opts & OPT_DEBUG) == 0) {
+ if ((pool->ipld_flags & IPDST_DELETE) != 0)
+ PRINTF("# ");
+ PRINTF("pool ");
+ } else {
+ if ((pool->ipld_flags & IPDST_DELETE) != 0)
+ PRINTF("# ");
+ PRINTF("Name: %s\tRole: ", pool->ipld_name);
+ }
+
+ printunit(pool->ipld_unit);
+
+ if ((opts & OPT_DEBUG) == 0) {
+ PRINTF("/dstlist (name %s;", pool->ipld_name);
+ if (pool->ipld_policy != IPLDP_NONE) {
+ PRINTF(" policy ");
+ printdstlistpolicy(pool->ipld_policy);
+ putchar(';');
+ }
+ PRINTF(")\n");
+ } else {
+ putchar(' ');
+
+ PRINTF("\tReferences: %d\n", pool->ipld_ref);
+ if ((pool->ipld_flags & IPDST_DELETE) != 0)
+ PRINTF("# ");
+ PRINTF("Policy: \n");
+ printdstlistpolicy(pool->ipld_policy);
+ PRINTF("\n\tNodes Starting at %p\n", pool->ipld_dests);
+ }
+}
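Review bot: `pool->ipld_name` is printed with a bare `%s` in both branches, while the callers in this commit compare and copy it with `strncmp`/`strncpy` bounded by FR_GROUPLEN, which suggests a fixed-size field that may not be NUL-terminated. If that is the case, bounding the print the way printfr.c does for the NAT tag keeps a full-length name from running past the field: `PRINTF("/dstlist (name %.*s;", FR_GROUPLEN, pool->ipld_name);`. The debug branch also passes `pool->ipld_dests` to `%p` without a `(void *)` cast.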
diff --git a/contrib/ipfilter/lib/printdstlistnode.c b/contrib/ipfilter/lib/printdstlistnode.c
new file mode 100644
index 0000000..898986d
--- /dev/null
+++ b/contrib/ipfilter/lib/printdstlistnode.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+#include "ipf.h"
+
+
+ipf_dstnode_t *
+printdstlistnode(inp, copyfunc, opts, fields)
+ ipf_dstnode_t *inp;
+ copyfunc_t copyfunc;
+ int opts;
+ wordtab_t *fields;
+{
+ ipf_dstnode_t node, *np;
+ int i;
+#ifdef USE_INET6
+ char buf[INET6_ADDRSTRLEN+1];
+ const char *str;
+#endif
+
+ if ((*copyfunc)(inp, &node, sizeof(node)))
+ return NULL;
+
+ np = calloc(1, node.ipfd_size);
+ if (np == NULL)
+ return node.ipfd_next;
+ if ((*copyfunc)(inp, np, node.ipfd_size))
+ return NULL;
+
+ if (fields != NULL) {
+ for (i = 0; fields[i].w_value != 0; i++) {
+ printpoolfield(np, IPLT_DSTLIST, i);
+ if (fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else if ((opts & OPT_DEBUG) == 0) {
+ putchar(' ');
+ if (np->ipfd_dest.fd_name >= 0)
+ PRINTF("%s:", np->ipfd_names);
+ if (np->ipfd_dest.fd_addr.adf_family == AF_INET) {
+ printip(AF_INET, (u_32_t *)&np->ipfd_dest.fd_ip);
+ } else {
+#ifdef USE_INET6
+ str = inet_ntop(AF_INET6, &np->ipfd_dest.fd_ip6,
+ buf, sizeof(buf) - 1);
+ if (str != NULL)
+ PRINTF("%s", str);
+#endif
+ }
+ putchar(';');
+ } else {
+ PRINTF("Interface: [%s]/%d\n", np->ipfd_names,
+ np->ipfd_dest.fd_name);
+#ifdef USE_INET6
+ str = inet_ntop(np->ipfd_dest.fd_addr.adf_family,
+ &np->ipfd_dest.fd_ip6, buf, sizeof(buf) - 1);
+ if (str != NULL) {
+ PRINTF("\tAddress: %s\n", str);
+ }
+#else
+ PRINTF("\tAddress: %s\n", inet_ntoa(np->ipfd_dest.fd_ip));
+#endif
+ PRINTF(
+#ifdef USE_QUAD_T
+ "\t\tStates %d\tRef %d\tName [%s]\tUid %d\n",
+#else
+ "\t\tStates %d\tRef %d\tName [%s]\tUid %d\n",
+#endif
+ np->ipfd_states, np->ipfd_ref,
+ np->ipfd_names, np->ipfd_uid);
+ }
+ free(np);
+ return node.ipfd_next;
+}
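Review bot: `node.ipfd_size` is used as both the allocation size and the copy length without being compared to `sizeof(node)`, so a node reporting a smaller size leaves the later reads of `np->ipfd_dest`, `np->ipfd_states` and `np->ipfd_names` beyond the calloc'd block. A guard before the calloc, `if (node.ipfd_size < sizeof(node)) return NULL;`, closes that. The failure path of the second copy also returns without freeing np; it should be `if ((*copyfunc)(inp, np, node.ipfd_size)) { free(np); return NULL; }`. The two format strings under `#ifdef USE_QUAD_T` are identical, so that conditional can be dropped.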
diff --git a/contrib/ipfilter/lib/printdstlistpolicy.c b/contrib/ipfilter/lib/printdstlistpolicy.c
new file mode 100644
index 0000000..4873b95
--- /dev/null
+++ b/contrib/ipfilter/lib/printdstlistpolicy.c
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+#include "ipf.h"
+
+
+void
+printdstlistpolicy(policy)
+ ippool_policy_t policy;
+{
+ switch (policy)
+ {
+ case IPLDP_NONE :
+ PRINTF("none");
+ break;
+ case IPLDP_ROUNDROBIN :
+ PRINTF("round-robin");
+ break;
+ case IPLDP_CONNECTION :
+ PRINTF("weighting connection");
+ break;
+ case IPLDP_RANDOM :
+ PRINTF("random");
+ break;
+ default :
+ break;
+ }
+}
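Review bot: The `default` case prints nothing, so for an unrecognised policy value printdstlistdata emits `policy ;` in normal mode and an empty `Policy:` line in debug mode. Printing the raw value instead, for example `PRINTF("%d", (int)policy);`, makes an unexpected value visible to whoever is reading the pool dump.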
diff --git a/contrib/ipfilter/lib/printfieldhdr.c b/contrib/ipfilter/lib/printfieldhdr.c
new file mode 100644
index 0000000..3cc22a6
--- /dev/null
+++ b/contrib/ipfilter/lib/printfieldhdr.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printfieldhdr.c,v 1.5.2.3 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+#include <ctype.h>
+
+
+void
+printfieldhdr(words, field)
+ wordtab_t *words, *field;
+{
+ wordtab_t *w;
+ char *s, *t;
+ int i;
+
+ if (field->w_value == -2) {
+ for (i = 0, w = words; w->w_word != NULL; ) {
+ if (w->w_value > 0) {
+ printfieldhdr(words, w);
+ w++;
+ if (w->w_value > 0)
+ putchar('\t');
+ } else {
+ w++;
+ }
+ }
+ return;
+ }
+
+ for (w = words; w->w_word != NULL; w++) {
+ if (w->w_value == field->w_value) {
+ if (w->w_word == field->w_word) {
+ s = strdup(w->w_word);
+ } else {
+ s = NULL;
+ }
+
+ if ((w->w_word != field->w_word) || (s == NULL)) {
+ PRINTF("%s", field->w_word);
+ } else {
+ for (t = s; *t != '\0'; t++) {
+ if (ISALPHA(*t) && ISLOWER(*t))
+ *t = TOUPPER(*t);
+ }
+ PRINTF("%s", s);
+ free(s);
+ }
+ }
+ }
+}
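Review bot: printfieldhdr has no comment describing its two modes, and the behaviour is not obvious from the code. I would add above the function: `/* field->w_value == -2: print every entry of words with a positive value, tab separated; otherwise print the header for field, upper-cased when field is itself an entry of words. */`. The upper-casing depends on the pointer comparison `w->w_word == field->w_word`, which deserves a one-line why-comment where it is made. The local `i` is initialised in the first loop and never read, so it can be removed.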
diff --git a/contrib/ipfilter/lib/printfr.c b/contrib/ipfilter/lib/printfr.c
index 587d8cb..9883df4 100644
--- a/contrib/ipfilter/lib/printfr.c
+++ b/contrib/ipfilter/lib/printfr.c
@@ -1,161 +1,88 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printfr.c,v 1.43.2.18 2007/05/07 06:55:38 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-static void printaddr(int, int, char *, u_32_t *, u_32_t *);
-
-static void printaddr(v, type, ifname, addr, mask)
-int v, type;
-char *ifname;
-u_32_t *addr, *mask;
-{
- char *suffix;
-
- switch (type)
- {
- case FRI_BROADCAST :
- suffix = "bcast";
- break;
-
- case FRI_DYNAMIC :
- printf("%s", ifname);
- printmask(mask);
- suffix = NULL;
- break;
-
- case FRI_NETWORK :
- suffix = "net";
- break;
-
- case FRI_NETMASKED :
- suffix = "netmasked";
- break;
-
- case FRI_PEERADDR :
- suffix = "peer";
- break;
-
- case FRI_LOOKUP :
- suffix = NULL;
- printlookup((i6addr_t *)addr, (i6addr_t *)mask);
- break;
-
- case FRI_NORMAL :
- printhostmask(v, addr, mask);
- suffix = NULL;
- break;
- default :
- printf("<%d>", type);
- printmask(mask);
- suffix = NULL;
- break;
- }
-
- if (suffix != NULL) {
- printf("%s/%s", ifname, suffix);
- }
-}
-
-
-void printlookup(addr, mask)
-i6addr_t *addr, *mask;
-{
- switch (addr->iplookuptype)
- {
- case IPLT_POOL :
- printf("pool/");
- break;
- case IPLT_HASH :
- printf("hash/");
- break;
- default :
- printf("lookup(%x)=", addr->iplookuptype);
- break;
- }
-
- printf("%u", addr->iplookupnum);
- if (mask->iplookupptr == NULL)
- printf("(!)");
-}
-
/*
* print the filter structure in a useful way
*/
-void printfr(fp, iocfunc)
-struct frentry *fp;
-ioctlfunc_t iocfunc;
+void
+printfr(fp, iocfunc)
+ struct frentry *fp;
+ ioctlfunc_t iocfunc;
{
struct protoent *p;
u_short sec[2];
u_32_t type;
- u_char *t;
+ int pr, af;
char *s;
- int pr;
+ int hash;
pr = -2;
type = fp->fr_type & ~FR_T_BUILTIN;
if ((fp->fr_type & FR_T_BUILTIN) != 0)
- printf("# Builtin: ");
+ PRINTF("# Builtin: ");
if (fp->fr_collect != 0)
- printf("%u ", fp->fr_collect);
+ PRINTF("%u ", fp->fr_collect);
if (fp->fr_type == FR_T_CALLFUNC) {
;
} else if (fp->fr_func != NULL) {
- printf("call");
+ PRINTF("call");
if ((fp->fr_flags & FR_CALLNOW) != 0)
- printf(" now");
+ PRINTF(" now");
s = kvatoname(fp->fr_func, iocfunc);
- printf(" %s/%u", s ? s : "?", fp->fr_arg);
+ PRINTF(" %s/%u", s ? s : "?", fp->fr_arg);
} else if (FR_ISPASS(fp->fr_flags))
- printf("pass");
+ PRINTF("pass");
else if (FR_ISBLOCK(fp->fr_flags)) {
- printf("block");
+ PRINTF("block");
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
printlog(fp);
} else if (FR_ISACCOUNT(fp->fr_flags))
- printf("count");
+ PRINTF("count");
else if (FR_ISAUTH(fp->fr_flags))
- printf("auth");
+ PRINTF("auth");
else if (FR_ISPREAUTH(fp->fr_flags))
- printf("preauth");
+ PRINTF("preauth");
else if (FR_ISNOMATCH(fp->fr_flags))
- printf("nomatch");
+ PRINTF("nomatch");
+ else if (FR_ISDECAPS(fp->fr_flags))
+ PRINTF("decapsulate");
else if (FR_ISSKIP(fp->fr_flags))
- printf("skip %u", fp->fr_arg);
+ PRINTF("skip %u", fp->fr_arg);
else {
- printf("%x", fp->fr_flags);
+ PRINTF("%x", fp->fr_flags);
}
if (fp->fr_flags & FR_RETICMP) {
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
+ PRINTF(" return-icmp-as-dest");
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
+ PRINTF(" return-icmp");
if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
+ PRINTF("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
- printf("(%d)", fp->fr_icode);
+ PRINTF("(%d)", fp->fr_icode);
}
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
+ PRINTF(" return-rst");
if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
+ PRINTF(" out ");
+ else if (fp->fr_flags & FR_INQUE)
+ PRINTF(" in ");
if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
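Review bot: With `else if (fp->fr_flags & FR_INQUE)` a rule that has neither FR_OUTQUE nor FR_INQUE set now prints no direction and no separator, so the action keyword runs straight into whatever follows (`passquick`, for instance). Whether such a rule can reach printfr is not visible here; if it can, a trailing `else PRINTF(" ");` keeps the tokens apart. printfr continues past the end of this hunk.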
@@ -164,126 +91,153 @@ ioctlfunc_t iocfunc;
}
if (fp->fr_flags & FR_QUICK)
- printf("quick ");
-
- if (*fp->fr_ifname) {
- printifname("on ", fp->fr_ifname, fp->fr_ifa);
- if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
- printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
+ PRINTF("quick ");
+
+ if (fp->fr_ifnames[0] != -1) {
+ printifname("on ", fp->fr_names + fp->fr_ifnames[0],
+ fp->fr_ifa);
+ if (fp->fr_ifnames[1] != -1 &&
+ strcmp(fp->fr_names + fp->fr_ifnames[1], "*"))
+ printifname(",", fp->fr_names + fp->fr_ifnames[1],
+ fp->fr_ifas[1]);
putchar(' ');
}
- if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP))
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (*fp->fr_rif.fd_ifname)
- print_toif("reply-to", &fp->fr_rif);
+ if (fp->fr_tif.fd_name != -1)
+ print_toif(fp->fr_family, "to", fp->fr_names, &fp->fr_tif);
+ if (fp->fr_dif.fd_name != -1)
+ print_toif(fp->fr_family, "dup-to", fp->fr_names,
+ &fp->fr_dif);
+ if (fp->fr_rif.fd_name != -1)
+ print_toif(fp->fr_family, "reply-to", fp->fr_names,
+ &fp->fr_rif);
if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
+ PRINTF("fastroute ");
- if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
- (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
+ if ((fp->fr_ifnames[2] != -1 &&
+ strcmp(fp->fr_names + fp->fr_ifnames[2], "*")) ||
+ (fp->fr_ifnames[3] != -1 &&
+ strcmp(fp->fr_names + fp->fr_ifnames[3], "*"))) {
if (fp->fr_flags & FR_OUTQUE)
- printf("in-via ");
+ PRINTF("in-via ");
else
- printf("out-via ");
+ PRINTF("out-via ");
- if (*fp->fr_ifnames[2]) {
- printifname("", fp->fr_ifnames[2],
+ if (fp->fr_ifnames[2] != -1) {
+ printifname("", fp->fr_names + fp->fr_ifnames[2],
fp->fr_ifas[2]);
- if (*fp->fr_ifnames[3]) {
- printifname(",", fp->fr_ifnames[3],
+ if (fp->fr_ifnames[3] != -1) {
+ printifname(",",
+ fp->fr_names + fp->fr_ifnames[3],
fp->fr_ifas[3]);
}
putchar(' ');
}
}
+ if (fp->fr_family == AF_INET) {
+ PRINTF("inet ");
+ af = AF_INET;
+#ifdef USE_INET6
+ } else if (fp->fr_family == AF_INET6) {
+ PRINTF("inet6 ");
+ af = AF_INET6;
+#endif
+ } else {
+ af = -1;
+ }
+
if (type == FR_T_IPF) {
if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
+ PRINTF("tos %#x ", fp->fr_tos);
if (fp->fr_mip.fi_ttl)
- printf("ttl %d ", fp->fr_ttl);
+ PRINTF("ttl %d ", fp->fr_ttl);
if (fp->fr_flx & FI_TCPUDP) {
- printf("proto tcp/udp ");
+ PRINTF("proto tcp/udp ");
pr = -1;
} else if (fp->fr_mip.fi_p) {
pr = fp->fr_ip.fi_p;
p = getprotobynumber(pr);
- printf("proto ");
+ PRINTF("proto ");
printproto(p, pr, NULL);
putchar(' ');
}
}
- if (type == FR_T_NONE) {
- printf("all");
- } else if (type == FR_T_IPF) {
- printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname,
+ switch (type)
+ {
+ case FR_T_NONE :
+ PRINTF("all");
+ break;
+
+ case FR_T_IPF :
+ PRINTF("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
+ printaddr(af, fp->fr_satype, fp->fr_names, fp->fr_ifnames[0],
&fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
if (fp->fr_scmp)
printportcmp(pr, &fp->fr_tuc.ftu_src);
- printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname,
+ PRINTF(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
+ printaddr(af, fp->fr_datype, fp->fr_names, fp->fr_ifnames[0],
&fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
if (fp->fr_dcmp)
printportcmp(pr, &fp->fr_tuc.ftu_dst);
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
+ if (((fp->fr_proto == IPPROTO_ICMP) ||
+ (fp->fr_proto == IPPROTO_ICMPV6)) && fp->fr_icmpm) {
int type = fp->fr_icmp, code;
+ char *name;
type = ntohs(fp->fr_icmp);
code = type & 0xff;
type /= 256;
- if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
- icmptypes[type])
- printf(" icmp-type %s", icmptypes[type]);
+ name = icmptypename(fp->fr_family, type);
+ if (name == NULL)
+ PRINTF(" icmp-type %d", type);
else
- printf(" icmp-type %d", type);
+ PRINTF(" icmp-type %s", name);
if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
+ PRINTF(" code %d", code);
}
if ((fp->fr_proto == IPPROTO_TCP) &&
(fp->fr_tcpf || fp->fr_tcpfm)) {
- printf(" flags ");
- if (fp->fr_tcpf & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpf);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpf & *t)
- (void)putchar(*s);
- if (fp->fr_tcpfm) {
- (void)putchar('/');
- if (fp->fr_tcpfm & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpfm);
- else
- for (s = flagset, t = flags; *s;
- s++, t++)
- if (fp->fr_tcpfm & *t)
- (void)putchar(*s);
- }
+ PRINTF(" flags ");
+ printtcpflags(fp->fr_tcpf, fp->fr_tcpfm);
}
- } else if (type == FR_T_BPFOPC) {
+ break;
+
+ case FR_T_BPFOPC :
+ {
fakebpf_t *fb;
int i;
- printf("bpf-v%d { \"", fp->fr_v);
+ PRINTF("bpf-v%d { \"", fp->fr_family);
i = fp->fr_dsize / sizeof(*fb);
for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
- printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
+ PRINTF("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
fb->fb_f, fb->fb_k);
- printf("\" }");
- } else if (type == FR_T_COMPIPF) {
- ;
- } else if (type == FR_T_CALLFUNC) {
- printf("call function at %p", fp->fr_data);
- } else {
- printf("[unknown filter type %#x]", fp->fr_type);
+ PRINTF("\" }");
+ break;
+ }
+
+ case FR_T_COMPIPF :
+ break;
+
+ case FR_T_CALLFUNC :
+ PRINTF("call function at %p", fp->fr_data);
+ break;
+
+ case FR_T_IPFEXPR :
+ PRINTF("exp { \"");
+ printipfexpr(fp->fr_data);
+ PRINTF("\" } ");
+ break;
+
+ default :
+ PRINTF("[unknown filter type %#x]", fp->fr_type);
+ break;
}
if ((type == FR_T_IPF) &&
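Review bot: The name offsets are checked only against -1 before being added to `fp->fr_names` (for example `fp->fr_names + fp->fr_ifnames[0]` passed to printifname and strcmp), so any other negative value or an offset past the end of the names buffer is read as a string from outside the rule. The same pattern recurs in the last printfr.c hunk for `fr_isctag`, `fr_grhead`, `fr_group` and `fr_comment`. A small helper that returns NULL unless the offset lies inside the names buffer would cover all of them; the field holding that buffer's length is not visible in these hunks. Separately, `PRINTF("bpf-v%d { \"", fp->fr_family);` prints the address-family constant where the old code printed `fr_v`, so an IPv4 rule would no longer come out as `bpf-v4` if fr_family holds AF_INET, as the `inet` branch above suggests. printfr starts and ends outside this hunk.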
@@ -292,12 +246,12 @@ ioctlfunc_t iocfunc;
fp->fr_secbits || fp->fr_secmask)) {
char *comma = " ";
- printf(" with");
+ PRINTF(" with");
if (fp->fr_optbits || fp->fr_optmask ||
fp->fr_secbits || fp->fr_secmask) {
sec[0] = fp->fr_secmask;
sec[1] = fp->fr_secbits;
- if (fp->fr_v == 4)
+ if (fp->fr_family == AF_INET)
optprint(sec, fp->fr_optmask, fp->fr_optbits);
#ifdef USE_INET6
else
@@ -307,175 +261,213 @@ ioctlfunc_t iocfunc;
} else if (fp->fr_mflx & FI_OPTIONS) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_OPTIONS))
- printf("not ");
- printf("ipopts");
+ PRINTF("not ");
+ PRINTF("ipopts");
comma = ",";
}
if (fp->fr_mflx & FI_SHORT) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_SHORT))
- printf("not ");
- printf("short");
+ PRINTF("not ");
+ PRINTF("short");
comma = ",";
}
if (fp->fr_mflx & FI_FRAG) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_FRAG))
- printf("not ");
- printf("frag");
+ PRINTF("not ");
+ PRINTF("frag");
comma = ",";
}
if (fp->fr_mflx & FI_FRAGBODY) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_FRAGBODY))
- printf("not ");
- printf("frag-body");
+ PRINTF("not ");
+ PRINTF("frag-body");
comma = ",";
}
if (fp->fr_mflx & FI_NATED) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_NATED))
- printf("not ");
- printf("nat");
+ PRINTF("not ");
+ PRINTF("nat");
comma = ",";
}
if (fp->fr_mflx & FI_LOWTTL) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_LOWTTL))
- printf("not ");
- printf("lowttl");
+ PRINTF("not ");
+ PRINTF("lowttl");
comma = ",";
}
if (fp->fr_mflx & FI_BAD) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BAD))
- printf("not ");
- printf("bad");
+ PRINTF("not ");
+ PRINTF("bad");
comma = ",";
}
if (fp->fr_mflx & FI_BADSRC) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BADSRC))
- printf("not ");
- printf("bad-src");
+ PRINTF("not ");
+ PRINTF("bad-src");
comma = ",";
}
if (fp->fr_mflx & FI_BADNAT) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BADNAT))
- printf("not ");
- printf("bad-nat");
+ PRINTF("not ");
+ PRINTF("bad-nat");
comma = ",";
}
if (fp->fr_mflx & FI_OOW) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_OOW))
- printf("not ");
- printf("oow");
+ PRINTF("not ");
+ PRINTF("oow");
comma = ",";
}
if (fp->fr_mflx & FI_MBCAST) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_MBCAST))
- printf("not ");
- printf("mbcast");
+ PRINTF("not ");
+ PRINTF("mbcast");
comma = ",";
}
if (fp->fr_mflx & FI_BROADCAST) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BROADCAST))
- printf("not ");
- printf("bcast");
+ PRINTF("not ");
+ PRINTF("bcast");
comma = ",";
}
if (fp->fr_mflx & FI_MULTICAST) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_MULTICAST))
- printf("not ");
- printf("mcast");
+ PRINTF("not ");
+ PRINTF("mcast");
comma = ",";
}
if (fp->fr_mflx & FI_STATE) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_STATE))
- printf("not ");
- printf("state");
+ PRINTF("not ");
+ PRINTF("state");
+ comma = ",";
+ }
+ if (fp->fr_mflx & FI_V6EXTHDR) {
+ fputs(comma, stdout);
+ if (!(fp->fr_flx & FI_V6EXTHDR))
+ PRINTF("not ");
+ PRINTF("v6hdrs");
comma = ",";
}
}
if (fp->fr_flags & FR_KEEPSTATE) {
- printf(" keep state");
- if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) ||
- (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
+ host_track_t *src = &fp->fr_srctrack;
+ PRINTF(" keep state");
+ if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|
+ FR_NOICMPERR|FR_STATESYNC)) ||
+ (fp->fr_statemax != 0) || (fp->fr_age[0] != 0) ||
+ (src->ht_max_nodes != 0)) {
char *comma = "";
- printf(" (");
+ PRINTF(" (");
if (fp->fr_statemax != 0) {
- printf("limit %u", fp->fr_statemax);
+ PRINTF("limit %u", fp->fr_statemax);
+ comma = ",";
+ }
+ if (src->ht_max_nodes != 0) {
+ PRINTF("%smax-nodes %d", comma,
+ src->ht_max_nodes);
+ if (src->ht_max_per_node)
+ PRINTF(", max-per-src %d/%d",
+ src->ht_max_per_node,
+ src->ht_netmask);
comma = ",";
}
if (fp->fr_flags & FR_STSTRICT) {
- printf("%sstrict", comma);
+ PRINTF("%sstrict", comma);
+ comma = ",";
+ }
+ if (fp->fr_flags & FR_STLOOSE) {
+ PRINTF("%sloose", comma);
comma = ",";
}
if (fp->fr_flags & FR_NEWISN) {
- printf("%snewisn", comma);
+ PRINTF("%snewisn", comma);
comma = ",";
}
if (fp->fr_flags & FR_NOICMPERR) {
- printf("%sno-icmp-err", comma);
+ PRINTF("%sno-icmp-err", comma);
comma = ",";
}
if (fp->fr_flags & FR_STATESYNC) {
- printf("%ssync", comma);
+ PRINTF("%ssync", comma);
comma = ",";
}
if (fp->fr_age[0] || fp->fr_age[1])
- printf("%sage %d/%d", comma, fp->fr_age[0],
+ PRINTF("%sage %d/%d", comma, fp->fr_age[0],
fp->fr_age[1]);
- printf(")");
+ PRINTF(")");
}
}
if (fp->fr_flags & FR_KEEPFRAG) {
- printf(" keep frags");
+ PRINTF(" keep frags");
if (fp->fr_flags & (FR_FRSTRICT)) {
- printf(" (");
+ PRINTF(" (");
if (fp->fr_flags & FR_FRSTRICT)
- printf("strict");
- printf(")");
-
+ PRINTF("strict");
+ PRINTF(")");
+
}
}
if (fp->fr_isc != (struct ipscan *)-1) {
- if (fp->fr_isctag[0])
- printf(" scan %s", fp->fr_isctag);
+ if (fp->fr_isctag != -1)
+ PRINTF(" scan %s", fp->fr_isctag + fp->fr_names);
else
- printf(" scan *");
+ PRINTF(" scan *");
}
- if (*fp->fr_grhead != '\0')
- printf(" head %s", fp->fr_grhead);
- if (*fp->fr_group != '\0')
- printf(" group %s", fp->fr_group);
+ if (fp->fr_grhead != -1)
+ PRINTF(" head %s", fp->fr_names + fp->fr_grhead);
+ if (fp->fr_group != -1)
+ PRINTF(" group %s", fp->fr_names + fp->fr_group);
if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
char *s = "";
- printf(" set-tag(");
+ PRINTF(" set-tag(");
if (fp->fr_logtag != FR_NOLOGTAG) {
- printf("log=%u", fp->fr_logtag);
+ PRINTF("log=%u", fp->fr_logtag);
s = ", ";
}
if (*fp->fr_nattag.ipt_tag) {
- printf("%snat=%-.*s", s, IPFTAG_LEN,
+ PRINTF("%snat=%-.*s", s, IPFTAG_LEN,
fp->fr_nattag.ipt_tag);
}
- printf(")");
+ PRINTF(")");
}
if (fp->fr_pps)
- printf(" pps %d", fp->fr_pps);
+ PRINTF(" pps %d", fp->fr_pps);
+ if (fp->fr_comment != -1)
+ PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment);
+
+ hash = 0;
if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
- printf(" # count %d", fp->fr_statecnt);
+ PRINTF(" # count %d", fp->fr_statecnt);
+ if (fp->fr_die != 0)
+ PRINTF(" rule-ttl %u", fp->fr_die);
+ hash = 1;
+ } else if (fp->fr_die != 0) {
+ PRINTF(" # rule-ttl %u", fp->fr_die);
+ hash = 1;
+ }
+ if (opts & OPT_DEBUG) {
+ if (hash == 0)
+ putchar('#');
+ PRINTF(" ref %d", fp->fr_ref);
}
(void)putchar('\n');
}
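Review bot: The comment text is written between double quotes by `PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment);` with no escaping, so a comment that itself contains `"` or a newline produces a line that will not read back as the same rule. If stored comments can contain those characters (the parser is not visible here), escape them on output or reject them on input. In the OPT_DEBUG block `putchar('#')` has no leading space, unlike `" # count %d"` and `" # rule-ttl %u"`, so the `#` is glued to the previous token; `PRINTF(" #");` would match the others.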
diff --git a/contrib/ipfilter/lib/printfraginfo.c b/contrib/ipfilter/lib/printfraginfo.c
index d9317e8..dd2966f 100644
--- a/contrib/ipfilter/lib/printfraginfo.c
+++ b/contrib/ipfilter/lib/printfraginfo.c
@@ -1,30 +1,42 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2004-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printfraginfo.c,v 1.1.2.5 2006/12/25 15:10:37 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
#include "kmem.h"
-void printfraginfo(prefix, ifr)
-char *prefix;
-struct ipfr *ifr;
+
+void
+printfraginfo(prefix, ifr)
+ char *prefix;
+ struct ipfr *ifr;
{
frentry_t fr;
+ int family;
+ PRINTF("%s", prefix);
+ if (ifr->ipfr_v == 6) {
+ PRINTF("inet6");
+ family = AF_INET6;
+ } else {
+ PRINTF("inet");
+ family = AF_INET;
+ }
fr.fr_flags = 0xffffffff;
- printf("%s%s -> ", prefix, hostname(4, &ifr->ipfr_src));
+ PRINTF(" %s -> ", hostname(family, &ifr->ipfr_src));
/*
if (kmemcpy((char *)&fr, (u_long)ifr->ipfr_rule,
sizeof(fr)) == -1)
return;
-*/
- printf("%s id %d ttl %ld pr %d seen0 %d ref %d tos %#02x\n",
- hostname(4, &ifr->ipfr_dst), ifr->ipfr_id, ifr->ipfr_ttl,
- ifr->ipfr_p, ifr->ipfr_seen0, ifr->ipfr_ref, ifr->ipfr_tos);
+ */
+ PRINTF("%s id %x ttl %lu pr %d pkts %u bytes %u seen0 %d ref %d\n",
+ hostname(family, &ifr->ipfr_dst), ifr->ipfr_id,
+ ifr->ipfr_ttl, ifr->ipfr_p, ifr->ipfr_pkts, ifr->ipfr_bytes,
+ ifr->ipfr_seen0, ifr->ipfr_ref);
}
diff --git a/contrib/ipfilter/lib/printhash.c b/contrib/ipfilter/lib/printhash.c
index 975b60e..3779662 100644
--- a/contrib/ipfilter/lib/printhash.c
+++ b/contrib/ipfilter/lib/printhash.c
@@ -1,22 +1,21 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-iphtable_t *printhash(hp, copyfunc, name, opts)
-iphtable_t *hp;
-copyfunc_t copyfunc;
-char *name;
-int opts;
+iphtable_t *
+printhash(hp, copyfunc, name, opts, fields)
+ iphtable_t *hp;
+ copyfunc_t copyfunc;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
iphtent_t *ipep, **table;
iphtable_t iph;
@@ -29,7 +28,8 @@ int opts;
if ((name != NULL) && strncmp(name, iph.iph_name, FR_GROUPLEN))
return iph.iph_next;
- printhashdata(hp, opts);
+ if (fields == NULL)
+ printhashdata(hp, opts);
if ((hp->iph_flags & IPHASH_DELETE) != 0)
PRINTF("# ");
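Review bot: `printhashdata(hp, opts)` and the `hp->iph_flags` test dereference the caller's pointer directly, while the name comparison just above uses the local copy `iph`. If hp can be an address that is only readable through copyfunc (the copy into iph happens outside this hunk, so this is inferred), both should use the copy: `printhashdata(&iph, opts);` and `if ((iph.iph_flags & IPHASH_DELETE) != 0)`. printdstlist.c in this commit already passes its local copy to printdstlistdata.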
@@ -43,7 +43,7 @@ int opts;
return NULL;
for (printed = 0, ipep = iph.iph_list; ipep != NULL; ) {
- ipep = printhashnode(&iph, ipep, copyfunc, opts);
+ ipep = printhashnode(&iph, ipep, copyfunc, opts, fields);
printed++;
}
if (printed == 0)
diff --git a/contrib/ipfilter/lib/printhash_live.c b/contrib/ipfilter/lib/printhash_live.c
index 1afe632..53159b1 100644
--- a/contrib/ipfilter/lib/printhash_live.c
+++ b/contrib/ipfilter/lib/printhash_live.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,25 +8,25 @@
#include "ipf.h"
#include "netinet/ipl.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-iphtable_t *printhash_live(hp, fd, name, opts)
-iphtable_t *hp;
-int fd;
-char *name;
-int opts;
+iphtable_t *
+printhash_live(hp, fd, name, opts, fields)
+ iphtable_t *hp;
+ int fd;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
- iphtent_t entry, *top, *node;
+ iphtent_t entry, zero;
ipflookupiter_t iter;
- int printed, last;
+ int last, printed;
ipfobj_t obj;
if ((name != NULL) && strncmp(name, hp->iph_name, FR_GROUPLEN))
return hp->iph_next;
- printhashdata(hp, opts);
+ if (fields == NULL)
+ printhashdata(hp, opts);
if ((hp->iph_flags & IPHASH_DELETE) != 0)
PRINTF("# ");
@@ -47,26 +47,19 @@ int opts;
strncpy(iter.ili_name, hp->iph_name, FR_GROUPLEN);
last = 0;
- top = NULL;
printed = 0;
+ bzero((char *)&zero, sizeof(zero));
while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
if (entry.ipe_next == NULL)
last = 1;
- entry.ipe_next = top;
- top = malloc(sizeof(*top));
- if (top == NULL)
+ if (bcmp(&zero, &entry, sizeof(zero)) == 0)
break;
- bcopy(&entry, top, sizeof(entry));
- }
-
- while (top != NULL) {
- node = top;
- (void) printhashnode(hp, node, bcopywrap, opts);
- top = node->ipe_next;
- free(node);
+ (void) printhashnode(hp, &entry, bcopywrap, opts, fields);
printed++;
}
+ if (last == 0)
+ ipferror(fd, "walking hash nodes:");
if (printed == 0)
putchar(';');
diff --git a/contrib/ipfilter/lib/printhashdata.c b/contrib/ipfilter/lib/printhashdata.c
index d278c36..ea2d416 100644
--- a/contrib/ipfilter/lib/printhashdata.c
+++ b/contrib/ipfilter/lib/printhashdata.c
@@ -1,23 +1,22 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
+#include <ctype.h>
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-void printhashdata(hp, opts)
-iphtable_t *hp;
-int opts;
+void
+printhashdata(hp, opts)
+ iphtable_t *hp;
+ int opts;
{
if ((opts & OPT_DEBUG) == 0) {
if ((hp->iph_type & IPHASH_ANON) == IPHASH_ANON)
- PRINTF("# 'anonymous' table\n");
+ PRINTF("# 'anonymous' table refs %d\n", hp->iph_ref);
if ((hp->iph_flags & IPHASH_DELETE) == IPHASH_DELETE)
PRINTF("# ");
switch (hp->iph_type & ~IPHASH_ANON)
@@ -38,10 +37,10 @@ int opts;
PRINTF("%#x", hp->iph_type);
break;
}
- PRINTF(" role = ");
+ PRINTF(" role=");
} else {
PRINTF("Hash Table %s: %s",
- isdigit(*hp->iph_name) ? "Number" : "Name",
+ ISDIGIT(*hp->iph_name) ? "Number" : "Name",
hp->iph_name);
if ((hp->iph_type & IPHASH_ANON) == IPHASH_ANON)
PRINTF("(anon)");
@@ -49,33 +48,16 @@ int opts;
PRINTF("Role: ");
}
- switch (hp->iph_unit)
- {
- case IPL_LOGNAT :
- PRINTF("nat");
- break;
- case IPL_LOGIPF :
- PRINTF("ipf");
- break;
- case IPL_LOGAUTH :
- PRINTF("auth");
- break;
- case IPL_LOGCOUNT :
- PRINTF("count");
- break;
- default :
- PRINTF("#%d", hp->iph_unit);
- break;
- }
+ printunit(hp->iph_unit);
if ((opts & OPT_DEBUG) == 0) {
if ((hp->iph_type & ~IPHASH_ANON) == IPHASH_LOOKUP)
- PRINTF(" type = hash");
- PRINTF(" %s = %s size = %lu",
- isdigit(*hp->iph_name) ? "number" : "name",
+ PRINTF(" type=hash");
+ PRINTF(" %s=%s size=%lu",
+ ISDIGIT(*hp->iph_name) ? "number" : "name",
hp->iph_name, (u_long)hp->iph_size);
if (hp->iph_seed != 0)
- PRINTF(" seed = %lu", hp->iph_seed);
+ PRINTF(" seed=%lu", hp->iph_seed);
putchar('\n');
} else {
PRINTF(" Type: ");
@@ -95,7 +77,7 @@ int opts;
PRINTF("\t\tSize: %lu\tSeed: %lu",
(u_long)hp->iph_size, hp->iph_seed);
PRINTF("\tRef. Count: %d\tMasks: %#x\n", hp->iph_ref,
- hp->iph_masks);
+ hp->iph_maskset[0]);
}
if ((opts & OPT_DEBUG) != 0) {
@@ -103,8 +85,8 @@ int opts;
int i;
for (i = 0; i < 32; i++) {
- if ((1 << i) & hp->iph_masks) {
- ntomask(4, i, &m.s_addr);
+ if ((1 << i) & hp->iph_maskset[0]) {
+ ntomask(AF_INET, i, &m.s_addr);
PRINTF("\t\tMask: %s\n", inet_ntoa(m));
}
}
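Review bot: `(1 << i)` with i running up to 31 shifts into the sign bit of an int, which is undefined behaviour; `if ((1U << i) & hp->iph_maskset[0])` avoids it. Only element 0 of `iph_maskset` is examined and ntomask is always called with AF_INET, so if the other elements carry IPv6 mask bits (not visible here) they are never listed. The enclosing function starts outside this hunk.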
diff --git a/contrib/ipfilter/lib/printhashnode.c b/contrib/ipfilter/lib/printhashnode.c
index ed83c39..e245535 100644
--- a/contrib/ipfilter/lib/printhashnode.c
+++ b/contrib/ipfilter/lib/printhashnode.c
@@ -1,47 +1,63 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-iphtent_t *printhashnode(iph, ipep, copyfunc, opts)
-iphtable_t *iph;
-iphtent_t *ipep;
-copyfunc_t copyfunc;
-int opts;
+iphtent_t *
+printhashnode(iph, ipep, copyfunc, opts, fields)
+ iphtable_t *iph;
+ iphtent_t *ipep;
+ copyfunc_t copyfunc;
+ int opts;
+ wordtab_t *fields;
{
iphtent_t ipe;
+ u_int hv;
+ int i;
if ((*copyfunc)(ipep, &ipe, sizeof(ipe)))
return NULL;
- ipe.ipe_addr.in4_addr = htonl(ipe.ipe_addr.in4_addr);
- ipe.ipe_mask.in4_addr = htonl(ipe.ipe_mask.in4_addr);
+ hv = IPE_V4_HASH_FN(ipe.ipe_addr.i6[0], ipe.ipe_mask.i6[0],
+ iph->iph_size);
- if ((opts & OPT_DEBUG) != 0) {
- PRINTF("\tAddress: %s",
+ if (fields != NULL) {
+ for (i = 0; fields[i].w_value != 0; i++) {
+ printpoolfield(&ipe, IPLT_HASH, i);
+ if (fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else if ((opts & OPT_DEBUG) != 0) {
+ PRINTF("\t%d\tAddress: %s", hv,
inet_ntoa(ipe.ipe_addr.in4));
- printmask((u_32_t *)&ipe.ipe_mask.in4_addr);
+ printmask(ipe.ipe_family, (u_32_t *)&ipe.ipe_mask.in4_addr);
PRINTF("\tRef. Count: %d\tGroup: %s\n", ipe.ipe_ref,
ipe.ipe_group);
+#ifdef USE_QUAD_T
+ PRINTF("\tHits: %"PRIu64"\tBytes: %"PRIu64"\n",
+ ipe.ipe_hits, ipe.ipe_bytes);
+#else
+ PRINTF("\tHits: %lu\tBytes: %lu\n",
+ ipe.ipe_hits, ipe.ipe_bytes);
+#endif
} else {
putchar(' ');
- printip((u_32_t *)&ipe.ipe_addr.in4_addr);
- printmask((u_32_t *)&ipe.ipe_mask.in4_addr);
+ printip(ipe.ipe_family, (u_32_t *)&ipe.ipe_addr.in4_addr);
+ printmask(ipe.ipe_family, (u_32_t *)&ipe.ipe_mask.in4_addr);
if (ipe.ipe_value != 0) {
switch (iph->iph_type & ~IPHASH_ANON)
{
case IPHASH_GROUPMAP :
if (strncmp(ipe.ipe_group, iph->iph_name,
FR_GROUPLEN))
- PRINTF(", group = %s", ipe.ipe_group);
+ PRINTF(", group=%s", ipe.ipe_group);
break;
}
}
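Review bot: The OPT_DEBUG branch still formats the address with `inet_ntoa(ipe.ipe_addr.in4)` while the mask beside it and the non-debug branch pass `ipe.ipe_family`, so an entry of another family would be displayed as an IPv4 address. `hv` is declared `u_int` but printed with `%d`; `%u` matches the type. In the non-USE_QUAD_T branch `%lu` is correct only if `ipe_hits` and `ipe_bytes` are unsigned long there, which the hunk does not show; a `(u_long)` cast, as printhashdata.c uses for `iph_size`, would make it safe either way. The hunk ends inside printhashnode.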
diff --git a/contrib/ipfilter/lib/printhost.c b/contrib/ipfilter/lib/printhost.c
new file mode 100644
index 0000000..eaf3fda
--- /dev/null
+++ b/contrib/ipfilter/lib/printhost.c
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printhost.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+
+void
+printhost(family, addr)
+ int family;
+ u_32_t *addr;
+{
+#ifdef USE_INET6
+ char ipbuf[64];
+#else
+ struct in_addr ipa;
+#endif
+
+ if ((family == -1) || !*addr)
+ PRINTF("any");
+ else {
+ void *ptr = addr;
+
+#ifdef USE_INET6
+ PRINTF("%s", inet_ntop(family, ptr, ipbuf, sizeof(ipbuf)));
+#else
+ ipa.s_addr = *addr;
+ PRINTF("%s", inet_ntoa(ipa));
+#endif
+ }
+}
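Review bot: `inet_ntop` returns NULL when it cannot format the address (an unsupported family, for instance), and that NULL goes straight to `%s` in `PRINTF("%s", inet_ntop(family, ptr, ipbuf, sizeof(ipbuf)));`. printdstlistnode.c in this commit tests the result before printing; the equivalent here is `str = inet_ntop(family, ptr, ipbuf, sizeof(ipbuf)); if (str != NULL) PRINTF("%s", str);`. The `!*addr` test looks only at the first 32 bits, so with USE_INET6 an address whose first word is zero (`::1`, say) prints as `any`.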
diff --git a/contrib/ipfilter/lib/printhostmap.c b/contrib/ipfilter/lib/printhostmap.c
index 0c9242f..714bc41 100644
--- a/contrib/ipfilter/lib/printhostmap.c
+++ b/contrib/ipfilter/lib/printhostmap.c
@@ -1,22 +1,31 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printhostmap.c,v 1.3.2.3 2006/09/30 21:42:07 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-void printhostmap(hmp, hv)
-hostmap_t *hmp;
-u_int hv;
+void
+printhostmap(hmp, hv)
+ hostmap_t *hmp;
+ u_int hv;
{
- printf("%s,", inet_ntoa(hmp->hm_srcip));
- printf("%s -> ", inet_ntoa(hmp->hm_dstip));
- printf("%s ", inet_ntoa(hmp->hm_mapip));
- printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_osrcip6, NULL);
+ putchar(',');
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_odstip6, NULL);
+ PRINTF(" -> ");
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_nsrcip6, NULL);
+ putchar(',');
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_ndstip6, NULL);
+ putchar(' ');
+ PRINTF("(use = %d", hmp->hm_ref);
+ if (opts & OPT_VERBOSE)
+ PRINTF(" hv = %u", hv);
+ printf(")\n");
}
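Review bot: The closing `printf(")\n");` is the one call in this function that was not converted to `PRINTF`, so it bypasses whatever the macro is for (its definition is not visible here); `PRINTF(")\n");` keeps the output path uniform. The same leftover is in the `default` branch of printnataddr.c further down, `printf("{v=%d}", v);`.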
diff --git a/contrib/ipfilter/lib/printhostmask.c b/contrib/ipfilter/lib/printhostmask.c
index 44703c4..10d90b2 100644
--- a/contrib/ipfilter/lib/printhostmask.c
+++ b/contrib/ipfilter/lib/printhostmask.c
@@ -1,19 +1,20 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printhostmask.c,v 1.8.4.1 2006/06/16 17:21:12 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
+void
+printhostmask(family, addr, mask)
+ int family;
+ u_32_t *addr, *mask;
{
#ifdef USE_INET6
char ipbuf[64];
@@ -21,26 +22,18 @@ u_32_t *addr, *mask;
struct in_addr ipa;
#endif
- if (!*addr && !*mask)
- printf("any");
+ if ((family == -1) || ((!addr || !*addr) && (!mask || !*mask)))
+ PRINTF("any");
else {
-#ifdef USE_INET6
void *ptr = addr;
- int af;
- if (v == 4) {
- ptr = addr;
- af = AF_INET;
- } else if (v == 6) {
- ptr = addr;
- af = AF_INET6;
- } else
- af = 0;
- printf("%s", inet_ntop(af, ptr, ipbuf, sizeof(ipbuf)));
+#ifdef USE_INET6
+ PRINTF("%s", inet_ntop(family, ptr, ipbuf, sizeof(ipbuf)));
#else
ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
+ PRINTF("%s", inet_ntoa(ipa));
#endif
- printmask(mask);
+ if (mask != NULL)
+ printmask(family, mask);
}
}
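Review bot: The new `!addr` test only protects the `any` branch: when `addr` is NULL but `mask` points at a non-zero value the condition is false, and the else branch still runs `inet_ntop(family, ptr, ...)` with a NULL `ptr` (or `ipa.s_addr = *addr` without USE_INET6). If a NULL `addr` is meant to be legal, decide it before the else branch, e.g. `if ((family == -1) || (addr == NULL) || (!*addr && (!mask || !*mask)))`; if it is not, drop the `!addr` test so the contract is unambiguous. The function's signature and local declarations are in the previous hunk.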
diff --git a/contrib/ipfilter/lib/printifname.c b/contrib/ipfilter/lib/printifname.c
index 2f7d912..2e554d9 100644
--- a/contrib/ipfilter/lib/printifname.c
+++ b/contrib/ipfilter/lib/printifname.c
@@ -1,20 +1,22 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printifname.c,v 1.2.4.1 2006/06/16 17:21:12 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-void printifname(format, name, ifp)
-char *format, *name;
-void *ifp;
+
+void
+printifname(format, name, ifp)
+ char *format, *name;
+ void *ifp;
{
- printf("%s%s", format, name);
+ PRINTF("%s%s", format, name);
if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
- printf("(!)");
+ PRINTF("(!)");
}
diff --git a/contrib/ipfilter/lib/printip.c b/contrib/ipfilter/lib/printip.c
index 8c008af..6d414fe 100644
--- a/contrib/ipfilter/lib/printip.c
+++ b/contrib/ipfilter/lib/printip.c
@@ -1,24 +1,43 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printip.c,v 1.3.4.1 2006/06/16 17:21:12 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-void printip(addr)
-u_32_t *addr;
+void
+printip(family, addr)
+ int family;
+ u_32_t *addr;
{
struct in_addr ipa;
- ipa.s_addr = *addr;
- if (ntohl(ipa.s_addr) < 256)
- printf("%lu", (u_long)ntohl(ipa.s_addr));
+ if (family == AF_INET) {
+ ipa.s_addr = *addr;
+ if (ntohl(ipa.s_addr) < 256)
+ PRINTF("%lu", (u_long)ntohl(ipa.s_addr));
+ else
+ PRINTF("%s", inet_ntoa(ipa));
+ }
+#ifdef AF_INET6
+ else if (family == AF_INET6) {
+ char buf[INET6_ADDRSTRLEN + 1];
+ const char *str;
+
+ buf[0] = '\0';
+ str = inet_ntop(AF_INET6, addr, buf, sizeof(buf) - 1);
+ if (str != NULL)
+ PRINTF("%s", str);
+ else
+ PRINTF("???");
+ }
+#endif
else
- printf("%s", inet_ntoa(ipa));
+ PRINTF("?(%d)?", family);
}
diff --git a/contrib/ipfilter/lib/printipfexpr.c b/contrib/ipfilter/lib/printipfexpr.c
new file mode 100644
index 0000000..64c2f1c
--- /dev/null
+++ b/contrib/ipfilter/lib/printipfexpr.c
@@ -0,0 +1,197 @@
+#include "ipf.h"
+
+static void printport __P((int *));
+static void printhosts __P((int *));
+static void printsingle __P((int *));
+static void printhostsv6 __P((int *));
+
+void
+printipfexpr(array)
+ int *array;
+{
+ int i, nelems, j, not;
+ ipfexp_t *ipfe;
+
+ nelems = array[0];
+
+ for (i = 1; i < nelems; ) {
+ ipfe = (ipfexp_t *)(array + i);
+ if (ipfe->ipfe_cmd == IPF_EXP_END)
+ break;
+
+ not = ipfe->ipfe_not;
+
+ switch (ipfe->ipfe_cmd)
+ {
+ case IPF_EXP_IP_ADDR :
+ PRINTF("ip.addr %s= ", not ? "!" : "");
+ printhosts(array + i);
+ break;
+
+ case IPF_EXP_IP_PR :
+ PRINTF("ip.p %s= ", not ? "!" : "");
+ printsingle(array + i);
+ break;
+
+ case IPF_EXP_IP_SRCADDR :
+ PRINTF("ip.src %s= ", not ? "!" : "");
+ printhosts(array + i);
+ break;
+
+ case IPF_EXP_IP_DSTADDR :
+ PRINTF("ip.dst %s= ", not ? "!" : "");
+ printhosts(array + i);
+ break;
+
+ case IPF_EXP_TCP_PORT :
+ PRINTF("tcp.port %s= ", not ? "!" : "");
+ printport(array + i);
+ break;
+
+ case IPF_EXP_TCP_DPORT :
+ PRINTF("tcp.dport %s= ", not ? "!" : "");
+ printport(array + i);
+ break;
+
+ case IPF_EXP_TCP_SPORT :
+ PRINTF("tcp.sport %s= ", not ? "!" : "");
+ printport(array + i);
+ break;
+
+ case IPF_EXP_TCP_FLAGS :
+ PRINTF("tcp.flags %s= ", not ? "!" : "");
+
+ for (j = 0; j < ipfe->ipfe_narg; ) {
+ printtcpflags(array[i + 4], array[i + 5]);
+ j += 2;
+ if (j < array[4])
+ putchar(',');
+ }
+ break;
+
+ case IPF_EXP_UDP_PORT :
+ PRINTF("udp.port %s= ", not ? "!" : "");
+ printport(array + i);
+ break;
+
+ case IPF_EXP_UDP_DPORT :
+ PRINTF("udp.dport %s= ", not ? "!" : "");
+ printport(array + i);
+ break;
+
+ case IPF_EXP_UDP_SPORT :
+ PRINTF("udp.sport %s= ", not ? "!" : "");
+ printport(array + i);
+ break;
+
+ case IPF_EXP_IDLE_GT :
+ PRINTF("idle-gt %s= ", not ? "!" : "");
+ printsingle(array + i);
+ break;
+
+ case IPF_EXP_TCP_STATE :
+ PRINTF("tcp-state %s= ", not ? "!" : "");
+ printsingle(array + i);
+ break;
+
+#ifdef USE_INET6
+ case IPF_EXP_IP6_ADDR :
+ PRINTF("ip6.addr %s= ", not ? "!" : "");
+ printhostsv6(array + i);
+ break;
+
+ case IPF_EXP_IP6_SRCADDR :
+ PRINTF("ip6.src %s= ", not ? "!" : "");
+ printhostsv6(array + i);
+ break;
+
+ case IPF_EXP_IP6_DSTADDR :
+ PRINTF("ip6.dst %s= ", not ? "!" : "");
+ printhostsv6(array + i);
+ break;
+#endif
+
+ case IPF_EXP_END :
+ break;
+
+ default :
+ PRINTF("#%#x,len=%d;",
+ ipfe->ipfe_cmd, ipfe->ipfe_narg);
+ }
+
+ if (array[i] != IPF_EXP_END)
+ putchar(';');
+
+ i += ipfe->ipfe_size;
+ if (array[i] != IPF_EXP_END)
+ putchar(' ');
+ }
+}
+
+
+static void
+printsingle(array)
+ int *array;
+{
+ ipfexp_t *ipfe = (ipfexp_t *)array;
+ int i;
+
+ for (i = 0; i < ipfe->ipfe_narg; ) {
+ PRINTF("%d", array[i + 4]);
+ i++;
+ if (i < ipfe->ipfe_narg)
+ putchar(',');
+ }
+}
+
+
+static void
+printport(array)
+ int *array;
+{
+ ipfexp_t *ipfe = (ipfexp_t *)array;
+ int i;
+
+ for (i = 0; i < ipfe->ipfe_narg; ) {
+ PRINTF("%d", ntohs(array[i + 4]));
+ i++;
+ if (i < ipfe->ipfe_narg)
+ putchar(',');
+ }
+}
+
+
+static void
+printhosts(array)
+ int *array;
+{
+ ipfexp_t *ipfe = (ipfexp_t *)array;
+ int i, j;
+
+ for (i = 0, j = 0; i < ipfe->ipfe_narg; j++) {
+ printhostmask(AF_INET, (u_32_t *)ipfe->ipfe_arg0 + j * 2,
+ (u_32_t *)ipfe->ipfe_arg0 + j * 2 + 1);
+ i += 2;
+ if (i < ipfe->ipfe_narg)
+ putchar(',');
+ }
+}
+
+
+#ifdef USE_INET6
+static void
+printhostsv6(array)
+ int *array;
+{
+ ipfexp_t *ipfe = (ipfexp_t *)array;
+ int i, j;
+
+ for (i = 4, j= 0; i < ipfe->ipfe_size; j++) {
+ printhostmask(AF_INET6, (u_32_t *)ipfe->ipfe_arg0 + j * 8,
+ (u_32_t *)ipfe->ipfe_arg0 + j * 8 + 4);
+ i += 8;
+ if (i < ipfe->ipfe_size)
+ putchar(',');
+ }
+}
+#endif
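Review bot: In the `IPF_EXP_TCP_FLAGS` case the loop advances `j` but never uses it as an index, so every pass prints the same pair `array[i + 4], array[i + 5]`, and the comma test compares `j` with `array[4]` instead of the current expression's argument count. It looks like the intent was `printtcpflags(array[i + 4 + j], array[i + 5 + j]);` and `if (j < ipfe->ipfe_narg)`. Separately, the outer loop in `printipfexpr` trusts `ipfe->ipfe_size`: a size of zero never advances `i`, and after `i += ipfe->ipfe_size` the two `array[i] != IPF_EXP_END` tests read `array[i]` without re-checking `i < nelems`. A malformed expression array can therefore spin or be read past its end, so the size should be validated before the increment and the trailing tests guarded with `i < nelems`.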
diff --git a/contrib/ipfilter/lib/printiphdr.c b/contrib/ipfilter/lib/printiphdr.c
new file mode 100644
index 0000000..fdf0f75
--- /dev/null
+++ b/contrib/ipfilter/lib/printiphdr.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printiphdr.c,v 1.1 2009/03/01 12:48:32 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+
+void
+printiphdr(ip)
+ ip_t *ip;
+{
+ PRINTF("ip(v=%d,hl=%d,len=%d,tos=%#x,off=%#x,sum=%#x,src=%#x,dst=%#x",
+ ip->ip_v, ip->ip_hl, ntohs(ip->ip_len), ip->ip_tos,
+ ntohs(ip->ip_off), ntohs(ip->ip_sum), ntohl(ip->ip_src.s_addr),
+ ntohl(ip->ip_dst.s_addr));
+}
diff --git a/contrib/ipfilter/lib/printlog.c b/contrib/ipfilter/lib/printlog.c
index 82c0400..c5278cd 100644
--- a/contrib/ipfilter/lib/printlog.c
+++ b/contrib/ipfilter/lib/printlog.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printlog.c,v 1.6.4.3 2006/06/16 17:21:12 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -13,26 +13,27 @@
#include <syslog.h>
-void printlog(fp)
-frentry_t *fp;
+void
+printlog(fp)
+ frentry_t *fp;
{
char *s, *u;
- printf("log");
+ PRINTF("log");
if (fp->fr_flags & FR_LOGBODY)
- printf(" body");
+ PRINTF(" body");
if (fp->fr_flags & FR_LOGFIRST)
- printf(" first");
+ PRINTF(" first");
if (fp->fr_flags & FR_LOGORBLOCK)
- printf(" or-block");
+ PRINTF(" or-block");
if (fp->fr_loglevel != 0xffff) {
- printf(" level ");
+ PRINTF(" level ");
s = fac_toname(fp->fr_loglevel);
if (s == NULL || *s == '\0')
s = "!!!";
u = pri_toname(fp->fr_loglevel);
if (u == NULL || *u == '\0')
u = "!!!";
- printf("%s.%s", s, u);
+ PRINTF("%s.%s", s, u);
}
}
diff --git a/contrib/ipfilter/lib/printlookup.c b/contrib/ipfilter/lib/printlookup.c
new file mode 100644
index 0000000..51f8d6e
--- /dev/null
+++ b/contrib/ipfilter/lib/printlookup.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
+
+#include "ipf.h"
+
+
+void
+printlookup(base, addr, mask)
+ char *base;
+ i6addr_t *addr, *mask;
+{
+ char name[32];
+
+ switch (addr->iplookuptype)
+ {
+ case IPLT_POOL :
+ PRINTF("pool/");
+ break;
+ case IPLT_HASH :
+ PRINTF("hash/");
+ break;
+ case IPLT_DSTLIST :
+ PRINTF("dstlist/");
+ break;
+ default :
+ PRINTF("lookup(%x)=", addr->iplookuptype);
+ break;
+ }
+
+ if (addr->iplookupsubtype == 0)
+ PRINTF("%u", addr->iplookupnum);
+ else if (addr->iplookupsubtype == 1) {
+ strncpy(name, base + addr->iplookupname, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+ PRINTF("%s", name);
+ }
+}
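Review bot: `base + addr->iplookupname` is dereferenced without any check on the offset, while printnat.c in this commit treats -1 as "no name" for its name-table offsets (`np->in_plabel != -1`). If `iplookupname` follows that convention, which this hunk does not show, the `strncpy` would read from before `base`; a guard such as `else if (addr->iplookupsubtype == 1 && addr->iplookupname >= 0)` would cover it. The `mask` parameter is never used and names longer than 31 bytes are silently truncated by the 32-byte `name` buffer; both deserve a one-line comment above the function.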
diff --git a/contrib/ipfilter/lib/printmask.c b/contrib/ipfilter/lib/printmask.c
index 9230dc0..365d7ff 100644
--- a/contrib/ipfilter/lib/printmask.c
+++ b/contrib/ipfilter/lib/printmask.c
@@ -1,30 +1,30 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printmask.c,v 1.5.4.1 2006/06/16 17:21:13 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-void printmask(mask)
-u_32_t *mask;
+void
+printmask(family, mask)
+ int family;
+ u_32_t *mask;
{
struct in_addr ipa;
int ones;
-#ifdef USE_INET6
- if (use_inet6)
- printf("/%d", count6bits(mask));
- else
-#endif
- if ((ones = count4bits(*mask)) == -1) {
+ if (family == AF_INET6) {
+ PRINTF("/%d", count6bits(mask));
+ } else if ((ones = count4bits(*mask)) == -1) {
ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
+ PRINTF("/%s", inet_ntoa(ipa));
+ } else {
+ PRINTF("/%d", ones);
+ }
}
diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c
index 39c43ca..37a7e12 100644
--- a/contrib/ipfilter/lib/printnat.c
+++ b/contrib/ipfilter/lib/printnat.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -13,230 +13,339 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.14 2007/09/06 16:40:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
+
/*
* Print out a NAT rule
*/
-void printnat(np, opts)
-ipnat_t *np;
-int opts;
+void
+printnat(np, opts)
+ ipnat_t *np;
+ int opts;
{
- struct protoent *pr;
- int bits;
+ struct protoent *pr;
+ char *base;
+ int family;
+ int proto;
+
+ if (np->in_v[0] == 4)
+ family = AF_INET;
+#ifdef USE_INET6
+ else if (np->in_v[0] == 6)
+ family = AF_INET6;
+#endif
+ else
+ family = AF_UNSPEC;
- pr = getprotobynumber(np->in_p);
+ if (np->in_flags & IPN_NO)
+ PRINTF("no ");
switch (np->in_redir)
{
+ case NAT_REDIRECT|NAT_ENCAP :
+ PRINTF("encap in on");
+ proto = np->in_pr[0];
+ break;
+ case NAT_MAP|NAT_ENCAP :
+ PRINTF("encap out on");
+ proto = np->in_pr[1];
+ break;
+ case NAT_REDIRECT|NAT_DIVERTUDP :
+ PRINTF("divert in on");
+ proto = np->in_pr[0];
+ break;
+ case NAT_MAP|NAT_DIVERTUDP :
+ PRINTF("divert out on");
+ proto = np->in_pr[1];
+ break;
+ case NAT_REDIRECT|NAT_REWRITE :
+ PRINTF("rewrite in on");
+ proto = np->in_pr[0];
+ break;
+ case NAT_MAP|NAT_REWRITE :
+ PRINTF("rewrite out on");
+ proto = np->in_pr[1];
+ break;
case NAT_REDIRECT :
- printf("rdr");
+ PRINTF("rdr");
+ proto = np->in_pr[0];
break;
case NAT_MAP :
- printf("map");
+ PRINTF("map");
+ proto = np->in_pr[1];
break;
case NAT_MAPBLK :
- printf("map-block");
+ PRINTF("map-block");
+ proto = np->in_pr[1];
break;
case NAT_BIMAP :
- printf("bimap");
+ PRINTF("bimap");
+ proto = np->in_pr[0];
break;
default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
+ FPRINTF(stderr, "unknown value for in_redir: %#x\n",
np->in_redir);
+ proto = np->in_pr[0];
break;
}
- if (!strcmp(np->in_ifnames[0], "-"))
- printf(" \"%s\"", np->in_ifnames[0]);
+ pr = getprotobynumber(proto);
+
+ base = np->in_names;
+ if (!strcmp(base + np->in_ifnames[0], "-"))
+ PRINTF(" \"%s\"", base + np->in_ifnames[0]);
else
- printf(" %s", np->in_ifnames[0]);
- if ((np->in_ifnames[1][0] != '\0') &&
- (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0)) {
- if (!strcmp(np->in_ifnames[1], "-"))
- printf(",\"%s\"", np->in_ifnames[1]);
+ PRINTF(" %s", base + np->in_ifnames[0]);
+ if ((np->in_ifnames[1] != -1) &&
+ (strcmp(base + np->in_ifnames[0], base + np->in_ifnames[1]) != 0)) {
+ if (!strcmp(base + np->in_ifnames[1], "-"))
+ PRINTF(",\"%s\"", base + np->in_ifnames[1]);
else
- printf(",%s", np->in_ifnames[1]);
+ PRINTF(",%s", base + np->in_ifnames[1]);
}
putchar(' ');
+ if (family == AF_INET6)
+ PRINTF("inet6 ");
+
+ if (np->in_redir & (NAT_REWRITE|NAT_ENCAP|NAT_DIVERTUDP)) {
+ if ((proto != 0) || (np->in_flags & IPN_TCPUDP)) {
+ PRINTF("proto ");
+ printproto(pr, proto, np);
+ putchar(' ');
+ }
+ }
+
if (np->in_flags & IPN_FILTER) {
if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- }
+ PRINTF("! ");
+ PRINTF("from ");
+ printnataddr(np->in_v[0], np->in_names, &np->in_osrc,
+ np->in_ifnames[0]);
if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
+ printportcmp(proto, &np->in_tuc.ftu_src);
if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- }
+ PRINTF(" !");
+ PRINTF(" to ");
+ printnataddr(np->in_v[0], np->in_names, &np->in_odst,
+ np->in_ifnames[0]);
if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
+ printportcmp(proto, &np->in_tuc.ftu_dst);
}
- if (np->in_redir == NAT_REDIRECT) {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0].in4));
- bits = count4bits(np->in_outmsk);
- if (bits != -1)
- printf("/%d", bits);
+ if (np->in_redir & (NAT_ENCAP|NAT_DIVERTUDP)) {
+ PRINTF(" -> src ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
+ if ((np->in_redir & NAT_DIVERTUDP) != 0)
+ PRINTF(",%u", np->in_spmin);
+ PRINTF(" dst ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_ndst,
+ np->in_ifnames[0]);
+ if ((np->in_redir & NAT_DIVERTUDP) != 0)
+ PRINTF(",%u udp", np->in_dpmin);
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF(";\n");
+
+ } else if (np->in_redir & NAT_REWRITE) {
+ PRINTF(" -> src ");
+ if (np->in_nsrc.na_type == IPLT_DSTLIST) {
+ PRINTF("dstlist/");
+ if (np->in_nsrc.na_subtype == 0)
+ PRINTF("%d", np->in_nsrc.na_num);
else
- printf("/%s", inet_ntoa(np->in_out[1].in4));
+ PRINTF("%s", base + np->in_nsrc.na_num);
+ } else {
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
+ }
+ if ((((np->in_flags & IPN_TCPUDP) != 0)) &&
+ (np->in_spmin != 0)) {
+ if ((np->in_flags & IPN_FIXEDSPORT) != 0) {
+ PRINTF(",port = %u", np->in_spmin);
+ } else {
+ PRINTF(",%u", np->in_spmin);
+ if (np->in_spmax != np->in_spmin)
+ PRINTF("-%u", np->in_spmax);
+ }
+ }
+ PRINTF(" dst ");
+ if (np->in_ndst.na_type == IPLT_DSTLIST) {
+ PRINTF("dstlist/");
+ if (np->in_ndst.na_subtype == 0)
+ PRINTF("%d", np->in_nsrc.na_num);
+ else
+ PRINTF("%s", base + np->in_ndst.na_num);
+ } else {
+ printnataddr(np->in_v[1], np->in_names, &np->in_ndst,
+ np->in_ifnames[0]);
+ }
+ if ((((np->in_flags & IPN_TCPUDP) != 0)) &&
+ (np->in_dpmin != 0)) {
+ if ((np->in_flags & IPN_FIXEDDPORT) != 0) {
+ PRINTF(",port = %u", np->in_dpmin);
+ } else {
+ PRINTF(",%u", np->in_dpmin);
+ if (np->in_dpmax != np->in_dpmin)
+ PRINTF("-%u", np->in_dpmax);
+ }
+ }
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF(";\n");
+
+ } else if (np->in_redir == NAT_REDIRECT) {
+ if (!(np->in_flags & IPN_FILTER)) {
+ printnataddr(np->in_v[0], np->in_names, &np->in_odst,
+ np->in_ifnames[0]);
if (np->in_flags & IPN_TCPUDP) {
- printf(" port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("-%d", ntohs(np->in_pmax));
+ PRINTF(" port %d", np->in_odport);
+ if (np->in_odport != np->in_dtop)
+ PRINTF("-%d", np->in_dtop);
}
}
- printf(" -> %s", inet_ntoa(np->in_in[0].in4));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1].in4));
- else if (np->in_inmsk == 0 && np->in_inip == 0)
- printf("/0");
+ if (np->in_flags & IPN_NO) {
+ putchar(' ');
+ printproto(pr, proto, np);
+ PRINTF(";\n");
+ return;
+ }
+ PRINTF(" -> ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_ndst,
+ np->in_ifnames[0]);
if (np->in_flags & IPN_TCPUDP) {
if ((np->in_flags & IPN_FIXEDDPORT) != 0)
- printf(" port = %d", ntohs(np->in_pnext));
- else
- printf(" port %d", ntohs(np->in_pnext));
+ PRINTF(" port = %d", np->in_dpmin);
+ else {
+ PRINTF(" port %d", np->in_dpmin);
+ if (np->in_dpmin != np->in_dpmax)
+ PRINTF("-%d", np->in_dpmax);
+ }
}
putchar(' ');
- printproto(pr, np->in_p, np);
+ printproto(pr, proto, np);
if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
+ PRINTF(" round-robin");
if (np->in_flags & IPN_FRAG)
- printf(" frag");
+ PRINTF(" frag");
if (np->in_age[0] != 0 || np->in_age[1] != 0) {
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
+ PRINTF(" age %d/%d", np->in_age[0], np->in_age[1]);
}
if (np->in_flags & IPN_STICKY)
- printf(" sticky");
+ PRINTF(" sticky");
if (np->in_mssclamp != 0)
- printf(" mssclamp %d", np->in_mssclamp);
- if (*np->in_plabel != '\0')
- printf(" proxy %.*s", (int)sizeof(np->in_plabel),
- np->in_plabel);
+ PRINTF(" mssclamp %d", np->in_mssclamp);
+ if (np->in_plabel != -1)
+ PRINTF(" proxy %s", np->in_names + np->in_plabel);
if (np->in_tag.ipt_tag[0] != '\0')
- printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);
- printf("\n");
+ PRINTF(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF("\n");
if (opts & OPT_DEBUG)
- printf("\tpmax %u\n", np->in_pmax);
+ PRINTF("\tpmax %u\n", np->in_dpmax);
+
} else {
int protoprinted = 0;
if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0].in4));
- bits = count4bits(np->in_inmsk);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1].in4));
+ printnataddr(np->in_v[0], np->in_names, &np->in_osrc,
+ np->in_ifnames[0]);
}
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0].in4));
- printf("%s", inet_ntoa(np->in_out[1].in4));
+ if (np->in_flags & IPN_NO) {
+ putchar(' ');
+ printproto(pr, proto, np);
+ PRINTF(";\n");
+ return;
+ }
+ PRINTF(" -> ");
+ if (np->in_flags & IPN_SIPRANGE) {
+ PRINTF("range ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
} else {
- printf("%s/", inet_ntoa(np->in_out[0].in4));
- bits = count4bits(np->in_outmsk);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1].in4));
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
}
- if (*np->in_plabel != '\0') {
- printf(" proxy port ");
- if (np->in_dcmp != 0)
- np->in_dport = htons(np->in_dport);
- if (np->in_dport != 0) {
+ if (np->in_plabel != -1) {
+ PRINTF(" proxy port ");
+ if (np->in_odport != 0) {
char *s;
- s = portname(np->in_p, ntohs(np->in_dport));
+ s = portname(proto, np->in_odport);
if (s != NULL)
fputs(s, stdout);
else
fputs("???", stdout);
}
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- printproto(pr, np->in_p, NULL);
+ PRINTF(" %s/", np->in_names + np->in_plabel);
+ printproto(pr, proto, NULL);
protoprinted = 1;
} else if (np->in_redir == NAT_MAPBLK) {
- if ((np->in_pmin == 0) &&
+ if ((np->in_spmin == 0) &&
(np->in_flags & IPN_AUTOPORTMAP))
- printf(" ports auto");
+ PRINTF(" ports auto");
else
- printf(" ports %d", np->in_pmin);
+ PRINTF(" ports %d", np->in_spmin);
if (opts & OPT_DEBUG)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
+ PRINTF("\n\tip modulous %d", np->in_spmax);
+
+ } else if (np->in_spmin || np->in_spmax) {
if (np->in_flags & IPN_ICMPQUERY) {
- printf(" icmpidmap ");
+ PRINTF(" icmpidmap ");
} else {
- printf(" portmap ");
+ PRINTF(" portmap ");
}
- printproto(pr, np->in_p, np);
+ printproto(pr, proto, np);
protoprinted = 1;
if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
+ PRINTF(" auto");
if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
+ PRINTF(" [%d:%d %d %d]",
+ np->in_spmin, np->in_spmax,
np->in_ippip, np->in_ppip);
} else {
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
+ PRINTF(" %d:%d", np->in_spmin, np->in_spmax);
}
+ if (np->in_flags & IPN_SEQUENTIAL)
+ PRINTF(" sequential");
}
if (np->in_flags & IPN_FRAG)
- printf(" frag");
+ PRINTF(" frag");
if (np->in_age[0] != 0 || np->in_age[1] != 0) {
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
+ PRINTF(" age %d/%d", np->in_age[0], np->in_age[1]);
}
if (np->in_mssclamp != 0)
- printf(" mssclamp %d", np->in_mssclamp);
+ PRINTF(" mssclamp %d", np->in_mssclamp);
if (np->in_tag.ipt_tag[0] != '\0')
- printf(" tag %s", np->in_tag.ipt_tag);
- if (!protoprinted && (np->in_flags & IPN_TCPUDP || np->in_p)) {
+ PRINTF(" tag %s", np->in_tag.ipt_tag);
+ if (!protoprinted && (np->in_flags & IPN_TCPUDP || proto)) {
putchar(' ');
- printproto(pr, np->in_p, np);
+ printproto(pr, proto, np);
}
- if (np->in_flags & IPN_SEQUENTIAL)
- printf(" sequential");
- printf("\n");
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF("\n");
if (opts & OPT_DEBUG) {
- struct in_addr nip;
-
- nip.s_addr = htonl(np->in_nextip.s_addr);
-
- printf("\tnextip %s pnext %d\n",
- inet_ntoa(nip), np->in_pnext);
+ PRINTF("\tnextip ");
+ printip(family, &np->in_snip);
+ PRINTF(" pnext %d\n", np->in_spnext);
}
}
if (opts & OPT_DEBUG) {
- printf("\tspace %lu use %u hits %lu flags %#x proto %d hv %d\n",
+ PRINTF("\tspace %lu use %u hits %lu flags %#x proto %d/%d",
np->in_space, np->in_use, np->in_hits,
- np->in_flags, np->in_p, np->in_hv);
- printf("\tifp[0] %p ifp[1] %p apr %p\n",
+ np->in_flags, np->in_pr[0], np->in_pr[1]);
+ PRINTF(" hv %u/%u\n", np->in_hv[0], np->in_hv[1]);
+ PRINTF("\tifp[0] %p ifp[1] %p apr %p\n",
np->in_ifps[0], np->in_ifps[1], np->in_apr);
- printf("\ttqehead %p/%p comment %p\n",
+ PRINTF("\ttqehead %p/%p comment %p\n",
np->in_tqehead[0], np->in_tqehead[1], np->in_comment);
}
}
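Review bot: In the `NAT_REWRITE` branch the destination side prints the source's table number: under `np->in_ndst.na_type == IPLT_DSTLIST` with `na_subtype == 0` the call is `PRINTF("%d", np->in_nsrc.na_num);`, which looks like a copy of the `src` block above and should read `PRINTF("%d", np->in_ndst.na_num);`. A listing that shows the wrong dstlist number for a rewrite rule misleads whoever audits the ruleset. Also, `base + np->in_ifnames[0]` is used unconditionally although `np->in_ifnames[1]` is compared with -1 first, and the proxy label is now printed with an unbounded `%s` where the old code used `%.*s`. Both rely on `in_names` being well formed and NUL-terminated, which this hunk does not establish.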
diff --git a/contrib/ipfilter/lib/printnataddr.c b/contrib/ipfilter/lib/printnataddr.c
new file mode 100644
index 0000000..89faa62
--- /dev/null
+++ b/contrib/ipfilter/lib/printnataddr.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
+ */
+
+#include "ipf.h"
+#include "kmem.h"
+
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: printnataddr.c,v 1.4.2.2 2012/07/22 08:04:24 darren_r Exp $";
+#endif
+
+
+void
+printnataddr(v, base, addr, ifidx)
+ int v;
+ char *base;
+ nat_addr_t *addr;
+ int ifidx;
+{
+ switch (v)
+ {
+ case 4 :
+ if (addr->na_atype == FRI_NORMAL &&
+ addr->na_addr[0].in4.s_addr == 0) {
+ PRINTF("0/%d", count4bits(addr->na_addr[1].in4.s_addr));
+ } else {
+ printaddr(AF_INET, addr->na_atype, base, ifidx,
+ (u_32_t *)&addr->na_addr[0].in4.s_addr,
+ (u_32_t *)&addr->na_addr[1].in4.s_addr);
+ }
+ break;
+#ifdef USE_INET6
+ case 6 :
+ printaddr(AF_INET6, addr->na_atype, base, ifidx,
+ (u_32_t *)&addr->na_addr[0].in6,
+ (u_32_t *)&addr->na_addr[1].in6);
+ break;
+#endif
+ default :
+ printf("{v=%d}", v);
+ break;
+ }
+}
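Review bot: `PRINTF("0/%d", count4bits(addr->na_addr[1].in4.s_addr));` prints `0/-1` when the mask is not a contiguous prefix, because `count4bits()` returns -1 in that case; printmask.c in this commit tests for exactly that value and falls back to the dotted form. Printing `PRINTF("0");` and then calling `printmask(AF_INET, (u_32_t *)&addr->na_addr[1].in4.s_addr);` would keep the two code paths consistent.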
diff --git a/contrib/ipfilter/lib/printnatfield.c b/contrib/ipfilter/lib/printnatfield.c
new file mode 100644
index 0000000..49596f6
--- /dev/null
+++ b/contrib/ipfilter/lib/printnatfield.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printnatfield.c,v 1.6.2.2 2012/01/26 05:44:26 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+wordtab_t natfields[] = {
+ { "all", -2 },
+ { "ifp0", 1 },
+ { "ifp1", 2 },
+ { "mtu0", 3 },
+ { "mtu1", 4 },
+ { "ifname0", 5 },
+ { "ifname1", 6 },
+ { "sumd0", 7 },
+ { "sumd1", 8 },
+ { "pkts0", 9 },
+ { "pkts1", 10 },
+ { "bytes0", 11 },
+ { "bytes1", 12 },
+ { "proto0", 13 },
+ { "proto1", 14 },
+ { "hash0", 15 },
+ { "hash1", 16 },
+ { "ref", 17 },
+ { "rev", 18 },
+ { "v0", 19 },
+ { "redir", 20 },
+ { "use", 21 },
+ { "ipsumd", 22 },
+ { "dir", 23 },
+ { "olddstip", 24 },
+ { "oldsrcip", 25 },
+ { "newdstip", 26 },
+ { "newsrcip", 27 },
+ { "olddport", 28 },
+ { "oldsport", 29 },
+ { "newdport", 30 },
+ { "newsport", 31 },
+ { "age", 32 },
+ { "v1", 33 },
+ { NULL, 0 }
+};
+
+
+void
+printnatfield(n, fieldnum)
+ nat_t *n;
+ int fieldnum;
+{
+ int i;
+
+ switch (fieldnum)
+ {
+ case -2 :
+ for (i = 1; natfields[i].w_word != NULL; i++) {
+ if (natfields[i].w_value > 0) {
+ printnatfield(n, i);
+ if (natfields[i + 1].w_value > 0)
+ putchar('\t');
+ }
+ }
+ break;
+
+ case 1:
+ PRINTF("%#lx", (u_long)n->nat_ifps[0]);
+ break;
+
+ case 2:
+ PRINTF("%#lx", (u_long)n->nat_ifps[1]);
+ break;
+
+ case 3:
+ PRINTF("%d", n->nat_mtu[0]);
+ break;
+
+ case 4:
+ PRINTF("%d", n->nat_mtu[1]);
+ break;
+
+ case 5:
+ PRINTF("%s", n->nat_ifnames[0]);
+ break;
+
+ case 6:
+ PRINTF("%s", n->nat_ifnames[1]);
+ break;
+
+ case 7:
+ PRINTF("%d", n->nat_sumd[0]);
+ break;
+
+ case 8:
+ PRINTF("%d", n->nat_sumd[1]);
+ break;
+
+ case 9:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", n->nat_pkts[0]);
+#else
+ PRINTF("%lu", n->nat_pkts[0]);
+#endif
+ break;
+
+ case 10:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", n->nat_pkts[1]);
+#else
+ PRINTF("%lu", n->nat_pkts[1]);
+#endif
+ break;
+
+ case 11:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", n->nat_bytes[0]);
+#else
+ PRINTF("%lu", n->nat_bytes[0]);
+#endif
+ break;
+
+ case 12:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", n->nat_bytes[1]);
+#else
+ PRINTF("%lu", n->nat_bytes[1]);
+#endif
+ break;
+
+ case 13:
+ PRINTF("%d", n->nat_pr[0]);
+ break;
+
+ case 14:
+ PRINTF("%d", n->nat_pr[1]);
+ break;
+
+ case 15:
+ PRINTF("%u", n->nat_hv[0]);
+ break;
+
+ case 16:
+ PRINTF("%u", n->nat_hv[1]);
+ break;
+
+ case 17:
+ PRINTF("%d", n->nat_ref);
+ break;
+
+ case 18:
+ PRINTF("%d", n->nat_rev);
+ break;
+
+ case 19:
+ PRINTF("%d", n->nat_v[0]);
+ break;
+
+ case 33:
+ PRINTF("%d", n->nat_v[0]);
+ break;
+
+ case 20:
+ PRINTF("%d", n->nat_redir);
+ break;
+
+ case 21:
+ PRINTF("%d", n->nat_use);
+ break;
+
+ case 22:
+ PRINTF("%u", n->nat_ipsumd);
+ break;
+
+ case 23:
+ PRINTF("%d", n->nat_dir);
+ break;
+
+ case 24:
+ PRINTF("%s", hostname(n->nat_v[0], &n->nat_odstip));
+ break;
+
+ case 25:
+ PRINTF("%s", hostname(n->nat_v[0], &n->nat_osrcip));
+ break;
+
+ case 26:
+ PRINTF("%s", hostname(n->nat_v[1], &n->nat_ndstip));
+ break;
+
+ case 27:
+ PRINTF("%s", hostname(n->nat_v[1], &n->nat_nsrcip));
+ break;
+
+ case 28:
+ PRINTF("%hu", ntohs(n->nat_odport));
+ break;
+
+ case 29:
+ PRINTF("%hu", ntohs(n->nat_osport));
+ break;
+
+ case 30:
+ PRINTF("%hu", ntohs(n->nat_ndport));
+ break;
+
+ case 31:
+ PRINTF("%hu", ntohs(n->nat_nsport));
+ break;
+
+ case 32:
+ PRINTF("%u", n->nat_age);
+ break;
+
+ default:
+ break;
+ }
+}
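Review bot: Field 33 (`v1` in `natfields`) prints `n->nat_v[0]`, the same value as field 19 (`v0`); it should presumably be `PRINTF("%d", n->nat_v[1]);`. The `-2` ("all") case also calls `printnatfield(n, i)` with the table index rather than the field number, which only works while every entry's `w_value` equals its position in `natfields`. Passing `natfields[i].w_value` instead would remove that hidden coupling.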
diff --git a/contrib/ipfilter/lib/printnatside.c b/contrib/ipfilter/lib/printnatside.c
new file mode 100644
index 0000000..37e1cb8
--- /dev/null
+++ b/contrib/ipfilter/lib/printnatside.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printnatside.c,v 1.2.2.6 2012/07/22 08:04:24 darren_r Exp $
+ */
+#include "ipf.h"
+
+void
+printnatside(side, ns)
+ char *side;
+ nat_stat_side_t *ns;
+{
+ PRINTF("%lu\tproxy create fail %s\n", ns->ns_appr_fail, side);
+ PRINTF("%lu\tproxy fail %s\n", ns->ns_ipf_proxy_fail, side);
+ PRINTF("%lu\tbad nat %s\n", ns->ns_badnat, side);
+ PRINTF("%lu\tbad nat new %s\n", ns->ns_badnatnew, side);
+ PRINTF("%lu\tbad next addr %s\n", ns->ns_badnextaddr, side);
+ PRINTF("%lu\tbucket max %s\n", ns->ns_bucket_max, side);
+ PRINTF("%lu\tclone nomem %s\n", ns->ns_clone_nomem, side);
+ PRINTF("%lu\tdecap bad %s\n", ns->ns_decap_bad, side);
+ PRINTF("%lu\tdecap fail %s\n", ns->ns_decap_fail, side);
+ PRINTF("%lu\tdecap pullup %s\n", ns->ns_decap_pullup, side);
+ PRINTF("%lu\tdivert dup %s\n", ns->ns_divert_dup, side);
+ PRINTF("%lu\tdivert exist %s\n", ns->ns_divert_exist, side);
+ PRINTF("%lu\tdrop %s\n", ns->ns_drop, side);
+ PRINTF("%lu\texhausted %s\n", ns->ns_exhausted, side);
+ PRINTF("%lu\ticmp address %s\n", ns->ns_icmp_address, side);
+ PRINTF("%lu\ticmp basic %s\n", ns->ns_icmp_basic, side);
+ PRINTF("%lu\tinuse %s\n", ns->ns_inuse, side);
+ PRINTF("%lu\ticmp mbuf wrong size %s\n", ns->ns_icmp_mbuf, side);
+ PRINTF("%lu\ticmp header unmatched %s\n", ns->ns_icmp_notfound, side);
+ PRINTF("%lu\ticmp rebuild failures %s\n", ns->ns_icmp_rebuild, side);
+ PRINTF("%lu\ticmp short %s\n", ns->ns_icmp_short, side);
+ PRINTF("%lu\ticmp packet size wrong %s\n", ns->ns_icmp_size, side);
+ PRINTF("%lu\tIFP address fetch failures %s\n",
+ ns->ns_ifpaddrfail, side);
+ PRINTF("%lu\tpackets untranslated %s\n", ns->ns_ignored, side);
+ PRINTF("%lu\tNAT insert failures %s\n", ns->ns_insert_fail, side);
+ PRINTF("%lu\tNAT lookup misses %s\n", ns->ns_lookup_miss, side);
+ PRINTF("%lu\tNAT lookup nowild %s\n", ns->ns_lookup_nowild, side);
+ PRINTF("%lu\tnew ifpaddr failed %s\n", ns->ns_new_ifpaddr, side);
+ PRINTF("%lu\tmemory requests failed %s\n", ns->ns_memfail, side);
+ PRINTF("%lu\ttable max reached %s\n", ns->ns_table_max, side);
+ PRINTF("%lu\tpackets translated %s\n", ns->ns_translated, side);
+ PRINTF("%lu\tfinalised failed %s\n", ns->ns_unfinalised, side);
+ PRINTF("%lu\tsearch wraps %s\n", ns->ns_wrap, side);
+ PRINTF("%lu\tnull translations %s\n", ns->ns_xlate_null, side);
+ PRINTF("%lu\ttranslation exists %s\n", ns->ns_xlate_exists, side);
+ PRINTF("%lu\tno memory %s\n", ns->ns_memfail, side);
+
+ if (opts & OPT_VERBOSE)
+ PRINTF("%p table %s\n", ns->ns_table, side);
+}
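Review bot: `ns->ns_memfail` is printed twice, once as "memory requests failed" and again as "no memory" on the last counter line, so one of the two labels reports a counter it does not describe. If `nat_stat_side_t` has a separate out-of-memory counter it should be used on one of those lines; otherwise the duplicate line should go. Every counter is printed with `%lu`, which is only correct if each field is a `u_long`; the struct is not visible here, so that is worth confirming.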
diff --git a/contrib/ipfilter/lib/printpacket.c b/contrib/ipfilter/lib/printpacket.c
index 25a4d5a..5c4a749 100644
--- a/contrib/ipfilter/lib/printpacket.c
+++ b/contrib/ipfilter/lib/printpacket.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printpacket.c,v 1.12.4.5 2007/09/09 22:15:30 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -15,32 +15,43 @@
#endif
-void printpacket(ip)
-struct ip *ip;
+void
+printpacket(dir, m)
+ int dir;
+ mb_t *m;
{
- struct tcphdr *tcp;
- u_short len;
- u_short off;
+ u_short len, off;
+ tcphdr_t *tcp;
+ ip_t *ip;
+
+ ip = MTOD(m, ip_t *);
if (IP_V(ip) == 6) {
- off = 0;
- len = ntohs(((u_short *)ip)[2]) + 40;
+#ifdef USE_INET6
+ len = ntohs(((ip6_t *)ip)->ip6_plen);
+#else
+ len = ntohs(((u_short *)ip)[2]);
+#endif
+ len += 40;
} else {
- off = ntohs(ip->ip_off);
len = ntohs(ip->ip_len);
}
+ ASSERT(len == msgdsize(m));
if ((opts & OPT_HEX) == OPT_HEX) {
u_char *s;
int i;
- for (s = (u_char *)ip, i = 0; i < len; i++) {
- printf("%02x", *s++ & 0xff);
- if (len - i > 1) {
- i++;
- printf("%02x", *s++ & 0xff);
+ for (; m != NULL; m = m->mb_next) {
+ len = m->mb_len;
+ for (s = (u_char *)m->mb_data, i = 0; i < len; i++) {
+ PRINTF("%02x", *s++ & 0xff);
+ if (len - i > 1) {
+ i++;
+ PRINTF("%02x", *s++ & 0xff);
+ }
+ putchar(' ');
}
- putchar(' ');
}
putchar('\n');
putchar('\n');
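Review bot: `ip = MTOD(m, ip_t *)` is dereferenced for `IP_V(ip)`, `ip_len` and `ip6_plen` before anything confirms that the first mbuf holds a complete header. The only length cross-check is `ASSERT(len == msgdsize(m))`, which presumably disappears in non-debug builds. Since the function now receives the mbuf, a guard such as `if (m == NULL || m->mb_len < sizeof(ip_t)) return;` ahead of the `MTOD` line would keep a truncated capture from being read past its end. The same applies to `printpacket6()`, which reads `buf[6]` and `buf + 40` from `m->mb_data` unchecked. The body of `printpacket()` continues past this hunk.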
@@ -48,24 +59,32 @@ struct ip *ip;
}
if (IP_V(ip) == 6) {
- printpacket6(ip);
+ printpacket6(dir, m);
return;
}
+ if (dir)
+ PRINTF("> ");
+ else
+ PRINTF("< ");
+
+ PRINTF("%s ", IFNAME(m->mb_ifp));
+
+ off = ntohs(ip->ip_off);
tcp = (struct tcphdr *)((char *)ip + (IP_HL(ip) << 2));
- printf("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
+ PRINTF("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
IP_HL(ip) << 2, ip->ip_p);
if (off & IP_OFFMASK)
- printf(" @%d", (off & IP_OFFMASK) << 3);
- printf(" %s", inet_ntoa(ip->ip_src));
+ PRINTF(" @%d", off << 3);
+ PRINTF(" %s", inet_ntoa(ip->ip_src));
if (!(off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", ntohs(tcp->th_sport));
- printf(" > ");
- printf("%s", inet_ntoa(ip->ip_dst));
+ PRINTF(",%d", ntohs(tcp->th_sport));
+ PRINTF(" > ");
+ PRINTF("%s", inet_ntoa(ip->ip_dst));
if (!(off & IP_OFFMASK)) {
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", ntohs(tcp->th_dport));
+ PRINTF(",%d", ntohs(tcp->th_dport));
if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags != 0)) {
putchar(' ');
if (tcp->th_flags & TH_FIN)
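Review bot: `PRINTF(" @%d", off << 3)` drops the `& IP_OFFMASK` that the removed line applied, so any non-offset bits held in `ip_off` are shifted into the printed fragment offset. The `if (off & IP_OFFMASK)` guard on the previous line masks them for exactly that reason. Keep the mask: `PRINTF(" @%d", (off & IP_OFFMASK) << 3);`. Separately, `tcp` is derived from `IP_HL(ip) << 2`, and `th_sport`/`th_dport` are read without comparing that offset to the mbuf length; this predates the change, but `m->mb_len` is now available to check against. The function continues beyond the hunk.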
diff --git a/contrib/ipfilter/lib/printpacket6.c b/contrib/ipfilter/lib/printpacket6.c
index ca3b421..6363e55 100644
--- a/contrib/ipfilter/lib/printpacket6.c
+++ b/contrib/ipfilter/lib/printpacket6.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printpacket6.c,v 1.3.4.1 2006/06/16 17:21:13 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -14,15 +14,17 @@
* This is meant to work without the IPv6 header files being present or
* the inet_ntop() library.
*/
-void printpacket6(ip)
-struct ip *ip;
+void
+printpacket6(dir, m)
+ int dir;
+ mb_t *m;
{
u_char *buf, p;
u_short plen, *addrs;
tcphdr_t *tcp;
u_32_t flow;
- buf = (u_char *)ip;
+ buf = (u_char *)m->mb_data;
tcp = (tcphdr_t *)(buf + 40);
p = buf[6];
flow = ntohl(*(u_32_t *)buf);
@@ -30,22 +32,29 @@ struct ip *ip;
plen = ntohs(*((u_short *)buf +2));
addrs = (u_short *)buf + 4;
- printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+ if (dir)
+ PRINTF("> ");
+ else
+ PRINTF("< ");
+
+ PRINTF("%s ", IFNAME(m->mb_ifp));
+
+ PRINTF("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
+ PRINTF(" %x:%x:%x:%x:%x:%x:%x:%x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- printf(" >");
+ (void)PRINTF(",%d", ntohs(tcp->th_sport));
+ PRINTF(" >");
addrs += 8;
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+ PRINTF(" %x:%x:%x:%x:%x:%x:%x:%x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
+ PRINTF(",%d", ntohs(tcp->th_dport));
putchar('\n');
}
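Review bot: Both port reads are guarded by `plen >= 4`, but `plen` is the payload length claimed in the packet header, not the number of bytes actually present in `m`. A packet that advertises a payload it does not carry would still have `tcp->th_sport` and `tcp->th_dport` read from `buf + 40`. Tie the guard to the buffer as well, e.g. `if (plen >= 4 && m->mb_len >= 40 + 4)`. As a style point, the source-port line keeps `(void)PRINTF(...)` while the destination-port line drops the cast; use one form in both.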
diff --git a/contrib/ipfilter/lib/printpool.c b/contrib/ipfilter/lib/printpool.c
index 4ab85fa..8d8cdcc 100644
--- a/contrib/ipfilter/lib/printpool.c
+++ b/contrib/ipfilter/lib/printpool.c
@@ -1,23 +1,23 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ip_pool_t *printpool(pp, copyfunc, name, opts)
-ip_pool_t *pp;
-copyfunc_t copyfunc;
-char *name;
-int opts;
+ip_pool_t *
+printpool(pp, copyfunc, name, opts, fields)
+ ip_pool_t *pp;
+ copyfunc_t copyfunc;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
- ip_pool_node_t *ipnp, *ipnpn, ipn;
+ ip_pool_node_t *ipnp, *ipnpn, ipn, **pnext;
ip_pool_t ipp;
if ((*copyfunc)(pp, &ipp, sizeof(ipp)))
@@ -35,19 +35,22 @@ int opts;
ipnpn = ipp.ipo_list;
ipp.ipo_list = NULL;
+ pnext = &ipp.ipo_list;
while (ipnpn != NULL) {
ipnp = (ip_pool_node_t *)malloc(sizeof(*ipnp));
(*copyfunc)(ipnpn, ipnp, sizeof(ipn));
ipnpn = ipnp->ipn_next;
- ipnp->ipn_next = ipp.ipo_list;
- ipp.ipo_list = ipnp;
+ *pnext = ipnp;
+ pnext = &ipnp->ipn_next;
+ ipnp->ipn_next = NULL;
}
if (ipp.ipo_list == NULL) {
putchar(';');
} else {
- for (ipnp = ipp.ipo_list; ipnp != NULL; ) {
- ipnp = printpoolnode(ipnp, opts);
+ for (ipnp = ipp.ipo_list; ipnp != NULL; ipnp = ipnpn) {
+ ipnpn = printpoolnode(ipnp, opts, fields);
+ free(ipnp);
if ((opts & OPT_DEBUG) == 0) {
putchar(';');
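Review bot: In the copy loop the result of `malloc(sizeof(*ipnp))` is used unchecked and the return value of `(*copyfunc)(ipnpn, ipnp, sizeof(ipn))` is ignored, although the call at the top of the function treats a non-zero return as failure. If either fails, `ipnpn = ipnp->ipn_next` follows a NULL or uninitialised pointer. The new tail-append code makes a clean bail-out simple: `if (ipnp == NULL || (*copyfunc)(ipnpn, ipnp, sizeof(ipn))) { free(ipnp); break; }`, leaving the already-linked nodes to be printed and freed by the loop below. The function starts and ends outside this hunk.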
diff --git a/contrib/ipfilter/lib/printpool_live.c b/contrib/ipfilter/lib/printpool_live.c
index e228a39..2aabf32 100644
--- a/contrib/ipfilter/lib/printpool_live.c
+++ b/contrib/ipfilter/lib/printpool_live.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,17 +8,16 @@
#include "ipf.h"
#include "netinet/ipl.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ip_pool_t *printpool_live(pool, fd, name, opts)
-ip_pool_t *pool;
-int fd;
-char *name;
-int opts;
+ip_pool_t *
+printpool_live(pool, fd, name, opts, fields)
+ ip_pool_t *pool;
+ int fd;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
- ip_pool_node_t entry, *top, *node;
+ ip_pool_node_t entry;
ipflookupiter_t iter;
int printed, last;
ipfobj_t obj;
@@ -26,7 +25,8 @@ int opts;
if ((name != NULL) && strncmp(name, pool->ipo_name, FR_GROUPLEN))
return pool->ipo_next;
- printpooldata(pool, opts);
+ if (fields == NULL)
+ printpooldata(pool, opts);
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
@@ -46,28 +46,17 @@ int opts;
strncpy(iter.ili_name, pool->ipo_name, FR_GROUPLEN);
last = 0;
- top = NULL;
printed = 0;
- while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
- if (entry.ipn_next == NULL)
- last = 1;
- node = malloc(sizeof(*top));
- if (node == NULL)
- break;
- bcopy(&entry, node, sizeof(entry));
- node->ipn_next = top;
- top = node;
- }
-
- while (top != NULL) {
- node = top;
- (void) printpoolnode(node, opts);
- if ((opts & OPT_DEBUG) == 0)
- putchar(';');
- top = node->ipn_next;
- free(node);
- printed++;
+ if (pool->ipo_list != NULL) {
+ while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
+ if (entry.ipn_next == NULL)
+ last = 1;
+ (void) printpoolnode(&entry, opts, fields);
+ if ((opts & OPT_DEBUG) == 0)
+ putchar(';');
+ printed++;
+ }
}
if (printed == 0)
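Review bot: When `ioctl(fd, SIOCLOOKUPITER, &obj)` fails part-way through, the `while` loop simply ends and the listing looks like a complete but shorter table; nothing tells the operator that entries are missing. Unless a failing ioctl is the expected end-of-list signal, split the condition so that a non-zero return is reported with `perror("SIOCLOOKUPITER")` before breaking out. The last hunk of this file goes the same way, replacing the `perror("SIOCIPFDELTOK")` report with a `(void)` cast, so a token that could not be released is now silent too. A short comment there saying why the failure is safe to ignore would help.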
@@ -76,8 +65,7 @@ int opts;
if ((opts & OPT_DEBUG) == 0)
PRINTF(" };\n");
- if (ioctl(fd, SIOCIPFDELTOK, &iter.ili_key) != 0)
- perror("SIOCIPFDELTOK");
+ (void) ioctl(fd,SIOCIPFDELTOK, &iter.ili_key);
return pool->ipo_next;
}
diff --git a/contrib/ipfilter/lib/printpooldata.c b/contrib/ipfilter/lib/printpooldata.c
index 8d8e962..a159177 100644
--- a/contrib/ipfilter/lib/printpooldata.c
+++ b/contrib/ipfilter/lib/printpooldata.c
@@ -1,17 +1,17 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
+#include <ctype.h>
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-void printpooldata(pool, opts)
-ip_pool_t *pool;
-int opts;
+void
+printpooldata(pool, opts)
+ ip_pool_t *pool;
+ int opts;
{
if ((opts & OPT_DEBUG) == 0) {
@@ -19,12 +19,12 @@ int opts;
PRINTF("# 'anonymous' tree %s\n", pool->ipo_name);
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
- PRINTF("table role = ");
+ PRINTF("table role=");
} else {
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
PRINTF("%s: %s",
- isdigit(*pool->ipo_name) ? "Number" : "Name",
+ ISDIGIT(*pool->ipo_name) ? "Number" : "Name",
pool->ipo_name);
if ((pool->ipo_flags & IPOOL_ANON) == IPOOL_ANON)
PRINTF("(anon)");
@@ -32,40 +32,12 @@ int opts;
PRINTF("Role: ");
}
- switch (pool->ipo_unit)
- {
- case IPL_LOGIPF :
- printf("ipf");
- break;
- case IPL_LOGNAT :
- printf("nat");
- break;
- case IPL_LOGSTATE :
- printf("state");
- break;
- case IPL_LOGAUTH :
- printf("auth");
- break;
- case IPL_LOGSYNC :
- printf("sync");
- break;
- case IPL_LOGSCAN :
- printf("scan");
- break;
- case IPL_LOGLOOKUP :
- printf("lookup");
- break;
- case IPL_LOGCOUNT :
- printf("count");
- break;
- default :
- printf("unknown(%d)", pool->ipo_unit);
- }
+ printunit(pool->ipo_unit);
if ((opts & OPT_DEBUG) == 0) {
- PRINTF(" type = tree %s = %s\n",
- isdigit(*pool->ipo_name) ? "number" : "name",
- pool->ipo_name);
+ PRINTF(" type=tree %s=%s\n",
+ (!*pool->ipo_name || ISDIGIT(*pool->ipo_name)) ? \
+ "number" : "name", pool->ipo_name);
} else {
putchar(' ');
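Review bot: The `\` after `?` in the new `PRINTF(" type=tree %s=%s\n", ...)` call is a line continuation outside any macro definition. It is harmless to the compiler but reads as if the statement belonged to a `#define`, and should be dropped. The empty-name test `!*pool->ipo_name ||` was added only here, while the debug branch in the previous hunk still uses `ISDIGIT(*pool->ipo_name)` alone, so an unnamed pool is labelled `number` in one mode and `Name` in the other. If that difference is intended, a one-line comment saying why would help. The function continues beyond the hunk.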
diff --git a/contrib/ipfilter/lib/printpoolfield.c b/contrib/ipfilter/lib/printpoolfield.c
new file mode 100644
index 0000000..9254ab8
--- /dev/null
+++ b/contrib/ipfilter/lib/printpoolfield.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printpoolfield.c,v 1.1.2.4 2012/01/26 05:44:26 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+wordtab_t poolfields[] = {
+ { "all", -2 },
+ { "address", 1 },
+ { "mask", 2 },
+ { "ifname", 3 },
+ { "pkts", 4 },
+ { "bytes", 5 },
+ { "family", 6 },
+ { NULL, 0 }
+};
+
+
+void
+printpoolfield(p, ptype, fieldnum)
+ void *p;
+ int ptype;
+ int fieldnum;
+{
+ addrfamily_t *a;
+ char abuf[80];
+ int i;
+
+ switch (fieldnum)
+ {
+ case -2 :
+ for (i = 1; poolfields[i].w_word != NULL; i++) {
+ if (poolfields[i].w_value > 0) {
+ printpoolfield(p, ptype, i);
+ if (poolfields[i + 1].w_value > 0)
+ putchar('\t');
+ }
+ }
+ break;
+
+ case 1:
+ if (ptype == IPLT_POOL) {
+ ip_pool_node_t *node = (ip_pool_node_t *)p;
+
+ if (node->ipn_info)
+ PRINTF("!");
+ a = &node->ipn_addr;
+ PRINTF("%s", inet_ntop(a->adf_family, &a->adf_addr,
+ abuf, sizeof(abuf)));
+ } else if (ptype == IPLT_HASH) {
+ iphtent_t *node = (iphtent_t *)p;
+
+ PRINTF("%s", inet_ntop(node->ipe_family,
+ &node->ipe_addr,
+ abuf, sizeof(abuf)));
+ } else if (ptype == IPLT_DSTLIST) {
+ ipf_dstnode_t *node = (ipf_dstnode_t *)p;
+
+ a = &node->ipfd_dest.fd_addr;
+ PRINTF("%s", inet_ntop(a->adf_family, &a->adf_addr,
+ abuf, sizeof(abuf)));
+ }
+ break;
+
+ case 2:
+ if (ptype == IPLT_POOL) {
+ ip_pool_node_t *node = (ip_pool_node_t *)p;
+
+ a = &node->ipn_mask;
+ PRINTF("%s", inet_ntop(a->adf_family, &a->adf_addr,
+ abuf, sizeof(abuf)));
+ } else if (ptype == IPLT_HASH) {
+ iphtent_t *node = (iphtent_t *)p;
+
+ PRINTF("%s", inet_ntop(node->ipe_family,
+ &node->ipe_mask,
+ abuf, sizeof(abuf)));
+ } else if (ptype == IPLT_DSTLIST) {
+ PRINTF("%s", "");
+ }
+ break;
+
+ case 3:
+ if (ptype == IPLT_POOL) {
+ PRINTF("%s", "");
+ } else if (ptype == IPLT_HASH) {
+ PRINTF("%s", "");
+ } else if (ptype == IPLT_DSTLIST) {
+ ipf_dstnode_t *node = (ipf_dstnode_t *)p;
+
+ if (node->ipfd_dest.fd_name == -1) {
+ PRINTF("%s", "");
+ } else {
+ PRINTF("%s", node->ipfd_names +
+ node->ipfd_dest.fd_name);
+ }
+ }
+ break;
+
+ case 4:
+ if (ptype == IPLT_POOL) {
+ ip_pool_node_t *node = (ip_pool_node_t *)p;
+
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", node->ipn_hits);
+#else
+ PRINTF("%lu", node->ipn_hits);
+#endif
+ } else if (ptype == IPLT_HASH) {
+ iphtent_t *node = (iphtent_t *)p;
+
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", node->ipe_hits);
+#else
+ PRINTF("%lu", node->ipe_hits);
+#endif
+ } else if (ptype == IPLT_DSTLIST) {
+ printf("0");
+ }
+ break;
+
+ case 5:
+ if (ptype == IPLT_POOL) {
+ ip_pool_node_t *node = (ip_pool_node_t *)p;
+
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", node->ipn_bytes);
+#else
+ PRINTF("%lu", node->ipn_bytes);
+#endif
+ } else if (ptype == IPLT_HASH) {
+ iphtent_t *node = (iphtent_t *)p;
+
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", node->ipe_bytes);
+#else
+ PRINTF("%lu", node->ipe_bytes);
+#endif
+ } else if (ptype == IPLT_DSTLIST) {
+ printf("0");
+ }
+ break;
+
+ case 6:
+ if (ptype == IPLT_POOL) {
+ ip_pool_node_t *node = (ip_pool_node_t *)p;
+
+ PRINTF("%s", familyname(node->ipn_addr.adf_family));
+ } else if (ptype == IPLT_HASH) {
+ iphtent_t *node = (iphtent_t *)p;
+
+ PRINTF("%s", familyname(node->ipe_family));
+ } else if (ptype == IPLT_DSTLIST) {
+ ipf_dstnode_t *node = (ipf_dstnode_t *)p;
+
+ a = &node->ipfd_dest.fd_addr;
+ PRINTF("%s", familyname(a->adf_family));
+ }
+ break;
+
+ default :
+ break;
+ }
+}
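Review bot: Every `PRINTF("%s", inet_ntop(...))` in cases 1 and 2 passes the return value straight to `%s`, but `inet_ntop()` returns NULL when the address family is unsupported, and a NULL `%s` argument is undefined behaviour. The family comes from the table entry (`adf_family`, `ipe_family`), so an entry with an unset or unexpected family would reach this. Store the result and substitute a placeholder: `const char *s = inet_ntop(a->adf_family, &a->adf_addr, abuf, sizeof(abuf));` followed by `PRINTF("%s", s != NULL ? s : "?");`. Cases 4 and 5 also call bare `printf("0")` where the rest of the file uses `PRINTF`.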
diff --git a/contrib/ipfilter/lib/printpoolnode.c b/contrib/ipfilter/lib/printpoolnode.c
index 3327b8a..aa2aed9 100644
--- a/contrib/ipfilter/lib/printpoolnode.c
+++ b/contrib/ipfilter/lib/printpoolnode.c
@@ -1,33 +1,51 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ip_pool_node_t *printpoolnode(np, opts)
-ip_pool_node_t *np;
-int opts;
+ip_pool_node_t *
+printpoolnode(np, opts, fields)
+ ip_pool_node_t *np;
+ int opts;
+ wordtab_t *fields;
{
+ int i;
- if ((opts & OPT_DEBUG) == 0) {
+ if (fields != NULL) {
+ for (i = 0; fields[i].w_value != 0; i++) {
+ printpoolfield(np, IPLT_POOL, i);
+ if (fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else if ((opts & OPT_DEBUG) == 0) {
putchar(' ');
if (np->ipn_info == 1)
PRINTF("! ");
- printip((u_32_t *)&np->ipn_addr.adf_addr.in4);
- printmask((u_32_t *)&np->ipn_mask.adf_addr);
+ printip(np->ipn_addr.adf_family,
+ (u_32_t *)&np->ipn_addr.adf_addr.in4);
+ printmask(np->ipn_addr.adf_family,
+ (u_32_t *)&np->ipn_mask.adf_addr);
} else {
PRINTF("\tAddress: %s%s", np->ipn_info ? "! " : "",
inet_ntoa(np->ipn_addr.adf_addr.in4));
- printmask((u_32_t *)&np->ipn_mask.adf_addr);
- PRINTF("\t\tHits %lu\tName %s\tRef %d\n",
- np->ipn_hits, np->ipn_name, np->ipn_ref);
+ printmask(np->ipn_addr.adf_family,
+ (u_32_t *)&np->ipn_mask.adf_addr);
+#ifdef USE_QUAD_T
+ PRINTF("\n\t\tHits %"PRIu64"\tBytes %"PRIu64"\tName %s\tRef %d\n",
+ np->ipn_hits, np->ipn_bytes,
+ np->ipn_name, np->ipn_ref);
+#else
+ PRINTF("\n\t\tHits %lu\tBytes %lu\tName %s\tRef %d\n",
+ np->ipn_hits, np->ipn_bytes,
+ np->ipn_name, np->ipn_ref);
+#endif
}
return np->ipn_next;
}
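Review bot: The field loop tests `fields[i].w_value` but passes the loop index to `printpoolfield(np, IPLT_POOL, i)`, whereas `printpoolfield()` switches on the field numbers from `poolfields[]` (1 = address, 2 = mask, and so on). If `fields` holds the caller's selection, as the terminator test suggests, the first entry always maps to field 0, which prints nothing, and the remaining columns follow index order rather than the selection. `printpoolfield(np, IPLT_POOL, fields[i].w_value);` looks like what was meant. The debug branch also still formats the address with `inet_ntoa(np->ipn_addr.adf_addr.in4)` although `printip()` and `printmask()` now receive `adf_family`, so a non-IPv4 node would be printed from the wrong union member there.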
diff --git a/contrib/ipfilter/lib/printportcmp.c b/contrib/ipfilter/lib/printportcmp.c
index 6a1a461..2a5bd02 100644
--- a/contrib/ipfilter/lib/printportcmp.c
+++ b/contrib/ipfilter/lib/printportcmp.c
@@ -1,29 +1,30 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printportcmp.c,v 1.7.4.1 2006/06/16 17:21:14 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
+void
+printportcmp(pr, frp)
+ int pr;
+ frpcmp_t *frp;
{
static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
"<>", "><", ":" };
if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
+ PRINTF(" port %d %s %d", frp->frp_port,
pcmp1[frp->frp_cmp], frp->frp_top);
else if (frp->frp_cmp == FR_INCRANGE)
- printf(" port %d:%d", frp->frp_port, frp->frp_top);
+ PRINTF(" port %d:%d", frp->frp_port, frp->frp_top);
else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
+ PRINTF(" port %s %s", pcmp1[frp->frp_cmp],
portname(pr, frp->frp_port));
}
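Review bot: `pcmp1[frp->frp_cmp]` indexes a ten-entry table with a value taken from the rule and never range-checked, both in the range branch and in the final `else`. A rule carrying an unexpected comparator value would read past the array and hand an arbitrary pointer to `%s`. A guard ahead of the `if` chain bounds it, for example `if ((size_t)frp->frp_cmp >= sizeof(pcmp1) / sizeof(pcmp1[0])) { PRINTF(" port ?"); return; }`. The unsigned comparison also rejects negative values if `frp_cmp` turns out to be signed; its type is not visible here.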
diff --git a/contrib/ipfilter/lib/printproto.c b/contrib/ipfilter/lib/printproto.c
index e65ec11..d411bfa 100644
--- a/contrib/ipfilter/lib/printproto.c
+++ b/contrib/ipfilter/lib/printproto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,44 +8,48 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.2.2 2006/06/16 17:21:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-void printproto(pr, p, np)
-struct protoent *pr;
-int p;
-ipnat_t *np;
+void
+printproto(pr, p, np)
+ struct protoent *pr;
+ int p;
+ ipnat_t *np;
{
if (np != NULL) {
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf("tcp/udp");
+ PRINTF("tcp/udp");
else if (np->in_flags & IPN_TCP)
- printf("tcp");
+ PRINTF("tcp");
else if (np->in_flags & IPN_UDP)
- printf("udp");
+ PRINTF("udp");
else if (np->in_flags & IPN_ICMPQUERY)
- printf("icmp");
+ PRINTF("icmp");
#ifdef _AIX51
/*
* To make up for "ip = 252" and "hopopt = 0" in /etc/protocols
+ * The IANA has doubled up on the definition of 0 - it is now
+ * also used for IPv6 hop-opts, so we can no longer rely on
+ * /etc/protocols providing the correct name->number mapping.
*/
- else if (np->in_p == 0)
- printf("ip");
#endif
+ else if (np->in_pr[0] == 0)
+ PRINTF("ip");
else if (pr != NULL)
- printf("%s", pr->p_name);
+ PRINTF("%s", pr->p_name);
else
- printf("%d", np->in_p);
+ PRINTF("%d", np->in_pr[0]);
} else {
#ifdef _AIX51
if (p == 0)
- printf("ip");
+ PRINTF("ip");
else
#endif
if (pr != NULL)
- printf("%s", pr->p_name);
+ PRINTF("%s", pr->p_name);
else
- printf("%d", p);
+ PRINTF("%d", p);
}
}
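Review bot: After this change the `#ifdef _AIX51` / `#endif` pair in the `np != NULL` branch encloses only a comment, while the `np->in_pr[0] == 0` test it used to guard is now unconditional. The `np == NULL` branch below still keeps `if (p == 0)` under `_AIX51`, so protocol 0 prints `ip` on every platform through one path and `pr->p_name` or `0` through the other. Remove the now-empty conditional around the comment, and make the second branch unconditional as well if the IANA rationale in the comment applies to it.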
diff --git a/contrib/ipfilter/lib/printsbuf.c b/contrib/ipfilter/lib/printsbuf.c
index f6c633c..efda99e 100644
--- a/contrib/ipfilter/lib/printsbuf.c
+++ b/contrib/ipfilter/lib/printsbuf.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printsbuf.c,v 1.2.4.2 2006/06/16 17:21:14 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#ifdef IPFILTER_SCAN
@@ -15,8 +15,9 @@
#include "ipf.h"
#include "netinet/ip_scan.h"
-void printsbuf(buf)
-char *buf;
+void
+printsbuf(buf)
+ char *buf;
{
u_char *s;
int i;
@@ -25,8 +26,17 @@ char *buf;
if (ISPRINT(*s))
putchar(*s);
else
- printf("\\%o", *s);
+ PRINTF("\\%o", *s);
}
}
+#else
+void printsbuf(char *buf);
+void printsbuf(buf)
+ char *buf;
+{
+#if 0
+ buf = buf; /* gcc -Wextra */
+#endif
+}
#endif
diff --git a/contrib/ipfilter/lib/printstate.c b/contrib/ipfilter/lib/printstate.c
index a8777b2..fc85a70 100644
--- a/contrib/ipfilter/lib/printstate.c
+++ b/contrib/ipfilter/lib/printstate.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -9,75 +9,102 @@
#include "ipf.h"
#include "kmem.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ipstate_t *printstate(sp, opts, now)
-ipstate_t *sp;
-int opts;
-u_long now;
+ipstate_t *
+printstate(sp, opts, now)
+ ipstate_t *sp;
+ int opts;
+ u_long now;
{
+ struct protoent *pr;
synclist_t ipsync;
+ if ((opts & OPT_NORESOLVE) == 0)
+ pr = getprotobynumber(sp->is_p);
+ else
+ pr = NULL;
+
+ PRINTF("%d:", sp->is_v);
+ if (pr != NULL)
+ PRINTF("%s", pr->p_name);
+ else
+ PRINTF("%d", sp->is_p);
+
+ PRINTF(" src:%s", hostname(sp->is_family, &sp->is_src.in4));
+ if (sp->is_p == IPPROTO_UDP || sp->is_p == IPPROTO_TCP) {
+ if (sp->is_flags & IS_WSPORT)
+ PRINTF(",*");
+ else
+ PRINTF(",%d", ntohs(sp->is_sport));
+ }
+
+ PRINTF(" dst:%s", hostname(sp->is_family, &sp->is_dst.in4));
+ if (sp->is_p == IPPROTO_UDP || sp->is_p == IPPROTO_TCP) {
+ if (sp->is_flags & IS_WDPORT)
+ PRINTF(",*");
+ else
+ PRINTF(",%d", ntohs(sp->is_dport));
+ }
+
+ if (sp->is_p == IPPROTO_TCP) {
+ PRINTF(" state:%d/%d", sp->is_state[0], sp->is_state[1]);
+ }
+
+ PRINTF(" %ld", sp->is_die - now);
if (sp->is_phnext == NULL)
- PRINTF("ORPHAN ");
- PRINTF("%s -> ", hostname(sp->is_v, &sp->is_src.in4));
- PRINTF("%s pass %#x pr %d state %d/%d",
- hostname(sp->is_v, &sp->is_dst.in4), sp->is_pass, sp->is_p,
- sp->is_state[0], sp->is_state[1]);
- if (opts & OPT_DEBUG)
- PRINTF(" bkt %d ref %d", sp->is_hv, sp->is_ref);
- PRINTF("\n\ttag %u ttl %lu", sp->is_tag, sp->is_die - now);
+ PRINTF(" ORPHAN");
+ if (sp->is_flags & IS_CLONE)
+ PRINTF(" CLONE");
+ putchar('\n');
if (sp->is_p == IPPROTO_TCP) {
- PRINTF("\n\t%hu -> %hu %x:%x %hu<<%d:%hu<<%d\n",
- ntohs(sp->is_sport), ntohs(sp->is_dport),
+ PRINTF("\t%x:%x %hu<<%d:%hu<<%d\n",
sp->is_send, sp->is_dend,
sp->is_maxswin, sp->is_swinscale,
sp->is_maxdwin, sp->is_dwinscale);
- PRINTF("\tcmsk %04x smsk %04x s0 %08x/%08x\n",
- sp->is_smsk[0], sp->is_smsk[1],
- sp->is_s0[0], sp->is_s0[1]);
- PRINTF("\tFWD:ISN inc %x sumd %x\n",
- sp->is_isninc[0], sp->is_sumd[0]);
- PRINTF("\tREV:ISN inc %x sumd %x\n",
- sp->is_isninc[1], sp->is_sumd[1]);
+ if ((opts & OPT_VERBOSE) != 0) {
+ PRINTF("\tcmsk %04x smsk %04x isc %p s0 %08x/%08x\n",
+ sp->is_smsk[0], sp->is_smsk[1], sp->is_isc,
+ sp->is_s0[0], sp->is_s0[1]);
+ PRINTF("\tFWD: ISN inc %x sumd %x\n",
+ sp->is_isninc[0], sp->is_sumd[0]);
+ PRINTF("\tREV: ISN inc %x sumd %x\n",
+ sp->is_isninc[1], sp->is_sumd[1]);
#ifdef IPFILTER_SCAN
- PRINTF("\tsbuf[0] [");
- printsbuf(sp->is_sbuf[0]);
- PRINTF("] sbuf[1] [");
- printsbuf(sp->is_sbuf[1]);
- PRINTF("]\n");
+ PRINTF("\tsbuf[0] [");
+ printsbuf(sp->is_sbuf[0]);
+ PRINTF("] sbuf[1] [");
+ printsbuf(sp->is_sbuf[1]);
+ PRINTF("]\n");
#endif
- } else if (sp->is_p == IPPROTO_UDP) {
- PRINTF(" %hu -> %hu\n", ntohs(sp->is_sport),
- ntohs(sp->is_dport));
+ }
} else if (sp->is_p == IPPROTO_GRE) {
- PRINTF(" call %hx/%hx\n", ntohs(sp->is_gre.gs_call[0]),
+ PRINTF("\tcall %hx/%hx\n", ntohs(sp->is_gre.gs_call[0]),
ntohs(sp->is_gre.gs_call[1]));
} else if (sp->is_p == IPPROTO_ICMP
#ifdef USE_INET6
|| sp->is_p == IPPROTO_ICMPV6
#endif
- )
- PRINTF(" id %hu seq %hu type %d\n", sp->is_icmp.ici_id,
+ ) {
+ PRINTF("\tid %hu seq %hu type %d\n", sp->is_icmp.ici_id,
sp->is_icmp.ici_seq, sp->is_icmp.ici_type);
+ }
#ifdef USE_QUAD_T
- PRINTF("\tforward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n\tbackward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n",
+ PRINTF("\tFWD: IN pkts %"PRIu64" bytes %"PRIu64" OUT pkts %"PRIu64" bytes %"PRIu64"\n\tREV: IN pkts %"PRIu64" bytes %"PRIu64" OUT pkts %"PRIu64" bytes %"PRIu64"\n",
sp->is_pkts[0], sp->is_bytes[0],
sp->is_pkts[1], sp->is_bytes[1],
sp->is_pkts[2], sp->is_bytes[2],
sp->is_pkts[3], sp->is_bytes[3]);
#else
- PRINTF("\tforward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n\tbackward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n",
+ PRINTF("\tFWD: IN pkts %lu bytes %lu OUT pkts %lu bytes %lu\n\tREV: IN pkts %lu bytes %lu OUT pkts %lu bytes %lu\n",
sp->is_pkts[0], sp->is_bytes[0],
sp->is_pkts[1], sp->is_bytes[1],
sp->is_pkts[2], sp->is_bytes[2],
sp->is_pkts[3], sp->is_bytes[3]);
#endif
- PRINTF("\t");
+ PRINTF("\ttag %u pass %#x = ", sp->is_tag, sp->is_pass);
/*
* Print out bits set in the result code for the state being
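Review bot: `PRINTF(" %ld", sp->is_die - now)` prints an unsigned expression (`now` is declared `u_long`) with a signed conversion, whereas the removed line used `%lu` for the same value. If showing a negative remaining time for already-expired entries is the intent, make the conversion explicit with `PRINTF(" %ld", (long)(sp->is_die - now));`, otherwise keep `%lu`. The new first output line also has no comment describing its layout. Something like `/* v:proto src:addr[,port] dst:addr[,port] [state:a/b] ttl [ORPHAN] [CLONE] */` above the first `PRINTF` would help anyone who parses this output. The function continues beyond the hunk.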
@@ -135,22 +162,31 @@ u_long now;
/* a given; no? */
if (sp->is_pass & FR_KEEPSTATE) {
PRINTF(" keep state");
- if (sp->is_pass & FR_STATESYNC)
- PRINTF(" ( sync )");
+ if (sp->is_pass & (FR_STATESYNC|FR_STSTRICT|FR_STLOOSE)) {
+ PRINTF(" (");
+ if (sp->is_pass & FR_STATESYNC)
+ PRINTF(" sync");
+ if (sp->is_pass & FR_STSTRICT)
+ PRINTF(" strict");
+ if (sp->is_pass & FR_STLOOSE)
+ PRINTF(" loose");
+ PRINTF(" )");
+ }
}
- PRINTF("\tIPv%d", sp->is_v);
PRINTF("\n");
- PRINTF("\tpkt_flags & %x(%x) = %x,\t",
- sp->is_flags & 0xf, sp->is_flags,
- sp->is_flags >> 4);
- PRINTF("\tpkt_options & %x = %x, %x = %x \n", sp->is_optmsk[0],
- sp->is_opt[0], sp->is_optmsk[1], sp->is_opt[1]);
- PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- sp->is_secmsk, sp->is_sec, sp->is_authmsk,
- sp->is_auth);
- PRINTF("\tis_flx %#x %#x %#x %#x\n", sp->is_flx[0][0], sp->is_flx[0][1],
- sp->is_flx[1][0], sp->is_flx[1][1]);
+ if ((opts & OPT_VERBOSE) != 0) {
+ PRINTF("\tref %d", sp->is_ref);
+ PRINTF(" pkt_flags & %x(%x) = %x\n",
+ sp->is_flags & 0xf, sp->is_flags, sp->is_flags >> 4);
+ PRINTF("\tpkt_options & %x = %x, %x = %x \n", sp->is_optmsk[0],
+ sp->is_opt[0], sp->is_optmsk[1], sp->is_opt[1]);
+ PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
+ sp->is_secmsk, sp->is_sec, sp->is_authmsk,
+ sp->is_auth);
+ PRINTF("\tis_flx %#x %#x %#x %#x\n", sp->is_flx[0][0],
+ sp->is_flx[0][1], sp->is_flx[1][0], sp->is_flx[1][1]);
+ }
PRINTF("\tinterfaces: in %s[%s", getifname(sp->is_ifp[0]),
sp->is_ifname[0]);
if (opts & OPT_DEBUG)
@@ -169,20 +205,19 @@ u_long now;
PRINTF("/%p", sp->is_ifp[3]);
PRINTF("]\n");
+ PRINTF("\tSync status: ");
if (sp->is_sync != NULL) {
-
- if (kmemcpy((char *)&ipsync, (u_long)sp->is_sync, sizeof(ipsync))) {
-
- PRINTF("\tSync status: status could not be retrieved\n");
+ if (kmemcpy((char *)&ipsync, (u_long)sp->is_sync,
+ sizeof(ipsync))) {
+ PRINTF("status could not be retrieved\n");
return NULL;
}
- PRINTF("\tSync status: idx %d num %d v %d pr %d rev %d\n",
+ PRINTF("idx %d num %d v %d pr %d rev %d\n",
ipsync.sl_idx, ipsync.sl_num, ipsync.sl_v,
ipsync.sl_p, ipsync.sl_rev);
-
} else {
- PRINTF("\tSync status: not synchronized\n");
+ PRINTF("not synchronized\n");
}
return sp->is_next;
diff --git a/contrib/ipfilter/lib/printstatefields.c b/contrib/ipfilter/lib/printstatefields.c
new file mode 100644
index 0000000..5632d84
--- /dev/null
+++ b/contrib/ipfilter/lib/printstatefields.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: printstatefields.c,v 1.4.2.2 2012/01/26 05:44:26 darren_r Exp $
+ */
+
+#include "ipf.h"
+
+wordtab_t statefields[] = {
+ { "all", -2 },
+ { "ifp0", 1 },
+ { "ifp1", 2 },
+ { "ifp2", 3 },
+ { "ifp3", 4 },
+ { "ifname0", 5 },
+ { "ifname1", 6 },
+ { "ifname2", 7 },
+ { "ifname3", 8 },
+ { "pkts0", 9 },
+ { "pkts1", 10 },
+ { "pkts2", 11 },
+ { "pkts3", 12 },
+ { "bytes0", 13 },
+ { "bytes1", 14 },
+ { "bytes2", 15 },
+ { "bytes3", 16 },
+ { "state0", 17 },
+ { "state1", 18 },
+ { "age0", 19 },
+ { "age1", 20 },
+ { "ref", 21 },
+ { "isn0", 22 },
+ { "isn1", 23 },
+ { "sumd0", 24 },
+ { "sumd1", 25 },
+ { "src", 26 },
+ { "dst", 27 },
+ { "sport", 28 },
+ { "dport", 29 },
+ { "icmptype", 30 },
+ { "-", 31 },
+ { "pass", 32 },
+ { "proto", 33 },
+ { "version", 34 },
+ { "hash", 35 },
+ { "tag", 36 },
+ { "flags", 37 },
+ { "rulen", 38 },
+ { "group", 39 },
+ { "flx0", 40 },
+ { "flx1", 41 },
+ { "flx2", 42 },
+ { "flx3", 43 },
+ { "opt0", 44 },
+ { "opt1", 45 },
+ { "optmsk0", 46 },
+ { "optmsk1", 47 },
+ { "sec", 48 },
+ { "secmsk", 49 },
+ { "auth", 50 },
+ { "authmsk", 51 },
+ { "icmppkts0", 52 },
+ { "icmppkts1", 53 },
+ { "icmppkts2", 54 },
+ { "icmppkts3", 55 },
+ { NULL, 0 }
+};
+
+
+void
+printstatefield(sp, fieldnum)
+ ipstate_t *sp;
+ int fieldnum;
+{
+ int i;
+
+ switch (fieldnum)
+ {
+ case -2 :
+ for (i = 1; statefields[i].w_word != NULL; i++) {
+ if (statefields[i].w_value > 0) {
+ printstatefield(sp, i);
+ if (statefields[i + 1].w_value > 0)
+ putchar('\t');
+ }
+ }
+ break;
+
+ case 1:
+ PRINTF("%#lx", (u_long)sp->is_ifp[0]);
+ break;
+
+ case 2:
+ PRINTF("%#lx", (u_long)sp->is_ifp[1]);
+ break;
+
+ case 3:
+ PRINTF("%#lx", (u_long)sp->is_ifp[2]);
+ break;
+
+ case 4:
+ PRINTF("%#lx", (u_long)sp->is_ifp[3]);
+ break;
+
+ case 5:
+ PRINTF("%s", sp->is_ifname[0]);
+ break;
+
+ case 6:
+ PRINTF("%s", sp->is_ifname[1]);
+ break;
+
+ case 7:
+ PRINTF("%s", sp->is_ifname[2]);
+ break;
+
+ case 8:
+ PRINTF("%s", sp->is_ifname[3]);
+ break;
+
+ case 9:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_pkts[0]);
+#else
+ PRINTF("%lu", sp->is_pkts[0]);
+#endif
+ break;
+
+ case 10:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_pkts[1]);
+#else
+ PRINTF("%lu", sp->is_pkts[1]);
+#endif
+ break;
+
+ case 11:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_pkts[2]);
+#else
+ PRINTF("%lu", sp->is_pkts[2]);
+#endif
+ break;
+
+ case 12:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_pkts[3]);
+#else
+ PRINTF("%lu", sp->is_pkts[3]);
+#endif
+ break;
+
+ case 13:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_bytes[0]);
+#else
+ PRINTF("%lu", sp->is_bytes[0]);
+#endif
+ break;
+
+ case 14:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_bytes[1]);
+#else
+ PRINTF("%lu", sp->is_bytes[1]);
+#endif
+ break;
+
+ case 15:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_bytes[2]);
+#else
+ PRINTF("%lu", sp->is_bytes[2]);
+#endif
+ break;
+
+ case 16:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_bytes[3]);
+#else
+ PRINTF("%lu", sp->is_bytes[3]);
+#endif
+ break;
+
+ case 17:
+ PRINTF("%d", sp->is_state[0]);
+ break;
+
+ case 18:
+ PRINTF("%d", sp->is_state[1]);
+ break;
+
+ case 19:
+ PRINTF("%d", sp->is_frage[0]);
+ break;
+
+ case 20:
+ PRINTF("%d", sp->is_frage[1]);
+ break;
+
+ case 21:
+ PRINTF("%d", sp->is_ref);
+ break;
+
+ case 22:
+ PRINTF("%d", sp->is_isninc[0]);
+ break;
+
+ case 23:
+ PRINTF("%d", sp->is_isninc[1]);
+ break;
+
+ case 24:
+ PRINTF("%hd", sp->is_sumd[0]);
+ break;
+
+ case 25:
+ PRINTF("%hd", sp->is_sumd[1]);
+ break;
+
+ case 26:
+ PRINTF("%s", hostname(sp->is_v, &sp->is_src.in4));
+ break;
+
+ case 27:
+ PRINTF("%s", hostname(sp->is_v, &sp->is_dst.in4));
+ break;
+
+ case 28:
+ PRINTF("%hu", ntohs(sp->is_sport));
+ break;
+
+ case 29:
+ PRINTF("%hu", ntohs(sp->is_dport));
+ break;
+
+ case 30:
+ PRINTF("%d", sp->is_type);
+ break;
+
+ case 32:
+ PRINTF("%#x", sp->is_pass);
+ break;
+
+ case 33:
+ PRINTF("%d", sp->is_p);
+ break;
+
+ case 34:
+ PRINTF("%d", sp->is_v);
+ break;
+
+ case 35:
+ PRINTF("%d", sp->is_hv);
+ break;
+
+ case 36:
+ PRINTF("%d", sp->is_tag);
+ break;
+
+ case 37:
+ PRINTF("%#x", sp->is_flags);
+ break;
+
+ case 38:
+ PRINTF("%d", sp->is_rulen);
+ break;
+
+ case 39:
+ PRINTF("%s", sp->is_group);
+ break;
+
+ case 40:
+ PRINTF("%#x", sp->is_flx[0][0]);
+ break;
+
+ case 41:
+ PRINTF("%#x", sp->is_flx[0][1]);
+ break;
+
+ case 42:
+ PRINTF("%#x", sp->is_flx[1][0]);
+ break;
+
+ case 43:
+ PRINTF("%#x", sp->is_flx[1][1]);
+ break;
+
+ case 44:
+ PRINTF("%#x", sp->is_opt[0]);
+ break;
+
+ case 45:
+ PRINTF("%#x", sp->is_opt[1]);
+ break;
+
+ case 46:
+ PRINTF("%#x", sp->is_optmsk[0]);
+ break;
+
+ case 47:
+ PRINTF("%#x", sp->is_optmsk[1]);
+ break;
+
+ case 48:
+ PRINTF("%#x", sp->is_sec);
+ break;
+
+ case 49:
+ PRINTF("%#x", sp->is_secmsk);
+ break;
+
+ case 50:
+ PRINTF("%#x", sp->is_auth);
+ break;
+
+ case 51:
+ PRINTF("%#x", sp->is_authmsk);
+ break;
+
+ case 52:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_icmppkts[0]);
+#else
+ PRINTF("%lu", sp->is_icmppkts[0]);
+#endif
+ break;
+
+ case 53:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_icmppkts[1]);
+#else
+ PRINTF("%lu", sp->is_icmppkts[1]);
+#endif
+ break;
+
+ case 54:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_icmppkts[2]);
+#else
+ PRINTF("%lu", sp->is_icmppkts[2]);
+#endif
+ break;
+
+ case 55:
+#ifdef USE_QUAD_T
+ PRINTF("%"PRIu64"", sp->is_icmppkts[3]);
+#else
+ PRINTF("%lu", sp->is_icmppkts[3]);
+#endif
+ break;
+
+ default:
+ break;
+ }
+}
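Review bot: Cases 26 and 27 call `hostname(sp->is_v, ...)`, but the same commit changes `printstate()` to pass `sp->is_family` to `hostname()`. Whichever the helper expects, one of the two files is passing the wrong kind of value. Given the direction of the `printstate.c` edit, `PRINTF("%s", hostname(sp->is_family, &sp->is_src.in4));` and its `is_dst` twin look right here. Case 36 also prints `is_tag` with `%d` where `printstate()` uses `%u`. Table entry 31 (`"-"`) has no `case`, which is fine only if it is meant as a skipped column; a comment on that table line would say so.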
diff --git a/contrib/ipfilter/lib/printtcpflags.c b/contrib/ipfilter/lib/printtcpflags.c
new file mode 100644
index 0000000..9860780
--- /dev/null
+++ b/contrib/ipfilter/lib/printtcpflags.c
@@ -0,0 +1,30 @@
+#include "ipf.h"
+
+
+void
+printtcpflags(tcpf, tcpfm)
+ u_32_t tcpf, tcpfm;
+{
+ u_char *t;
+ char *s;
+
+ if (tcpf & ~TCPF_ALL) {
+ PRINTF("0x%x", tcpf);
+ } else {
+ for (s = flagset, t = flags; *s; s++, t++) {
+ if (tcpf & *t)
+ (void)putchar(*s);
+ }
+ }
+
+ if (tcpfm) {
+ (void)putchar('/');
+ if (tcpfm & ~TCPF_ALL) {
+ PRINTF("0x%x", tcpfm);
+ } else {
+ for (s = flagset, t = flags; *s; s++, t++)
+ if (tcpfm & *t)
+ (void)putchar(*s);
+ }
+ }
+}
diff --git a/contrib/ipfilter/lib/printtqtable.c b/contrib/ipfilter/lib/printtqtable.c
index 67adb53..ffb512d 100644
--- a/contrib/ipfilter/lib/printtqtable.c
+++ b/contrib/ipfilter/lib/printtqtable.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -9,17 +9,18 @@
#include "ipf.h"
-void printtqtable(table)
-ipftq_t *table;
+void
+printtqtable(table)
+ ipftq_t *table;
{
int i;
- printf("TCP Entries per state\n");
+ PRINTF("TCP Entries per state\n");
for (i = 0; i < IPF_TCP_NSTATES; i++)
- printf(" %5d", i);
- printf("\n");
+ PRINTF(" %5d", i);
+ PRINTF("\n");
for (i = 0; i < IPF_TCP_NSTATES; i++)
- printf(" %5d", table[i].ifq_ref - 1);
- printf("\n");
+ PRINTF(" %5d", table[i].ifq_ref - 1);
+ PRINTF("\n");
}
diff --git a/contrib/ipfilter/lib/printtunable.c b/contrib/ipfilter/lib/printtunable.c
index aa7ae5d..aa82841 100644
--- a/contrib/ipfilter/lib/printtunable.c
+++ b/contrib/ipfilter/lib/printtunable.c
@@ -1,29 +1,30 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printtunable.c,v 1.1.4.1 2006/06/16 17:21:15 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-void printtunable(tup)
-ipftune_t *tup;
+void
+printtunable(tup)
+ ipftune_t *tup;
{
- printf("%s\tmin %#lx\tmax %#lx\tcurrent ",
+ PRINTF("%s\tmin %lu\tmax %lu\tcurrent ",
tup->ipft_name, tup->ipft_min, tup->ipft_max);
if (tup->ipft_sz == sizeof(u_long))
- printf("%lu\n", tup->ipft_vlong);
+ PRINTF("%lu\n", tup->ipft_vlong);
else if (tup->ipft_sz == sizeof(u_int))
- printf("%u\n", tup->ipft_vint);
+ PRINTF("%u\n", tup->ipft_vint);
else if (tup->ipft_sz == sizeof(u_short))
- printf("%hu\n", tup->ipft_vshort);
+ PRINTF("%hu\n", tup->ipft_vshort);
else if (tup->ipft_sz == sizeof(u_char))
- printf("%u\n", (u_int)tup->ipft_vchar);
+ PRINTF("%u\n", (u_int)tup->ipft_vchar);
else {
- printf("sz = %d\n", tup->ipft_sz);
+ PRINTF("sz = %d\n", tup->ipft_sz);
}
}
diff --git a/contrib/ipfilter/lib/printunit.c b/contrib/ipfilter/lib/printunit.c
new file mode 100644
index 0000000..bac3d45
--- /dev/null
+++ b/contrib/ipfilter/lib/printunit.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+#include "ipf.h"
+
+
+void
+printunit(unit)
+ int unit;
+{
+
+ switch (unit)
+ {
+ case IPL_LOGIPF :
+ PRINTF("ipf");
+ break;
+ case IPL_LOGNAT :
+ PRINTF("nat");
+ break;
+ case IPL_LOGSTATE :
+ PRINTF("state");
+ break;
+ case IPL_LOGAUTH :
+ PRINTF("auth");
+ break;
+ case IPL_LOGSYNC :
+ PRINTF("sync");
+ break;
+ case IPL_LOGSCAN :
+ PRINTF("scan");
+ break;
+ case IPL_LOGLOOKUP :
+ PRINTF("lookup");
+ break;
+ case IPL_LOGCOUNT :
+ PRINTF("count");
+ break;
+ case IPL_LOGALL :
+ PRINTF("all");
+ break;
+ default :
+ PRINTF("unknown(%d)", unit);
+ }
+}
diff --git a/contrib/ipfilter/lib/remove_hash.c b/contrib/ipfilter/lib/remove_hash.c
index 297db48..a60c1fd 100644
--- a/contrib/ipfilter/lib/remove_hash.c
+++ b/contrib/ipfilter/lib/remove_hash.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_hash.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,19 +14,16 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int remove_hash(iphp, iocfunc)
-iphtable_t *iphp;
-ioctlfunc_t iocfunc;
+int
+remove_hash(iphp, iocfunc)
+ iphtable_t *iphp;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtable_t iph;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_HASH;
@@ -43,11 +40,11 @@ ioctlfunc_t iocfunc;
strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
iph.iph_flags = iphp->iph_flags;
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_hash:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "remove lookup hash table");
}
-
+ }
return 0;
}
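Review bot: The `strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name))` kept just above the changed ioctl call leaves `iph_name` without a terminating NUL when the source name fills the whole field. Whether the consumer of SIOCLOOKUPDELTABLE treats the name as a fixed-width field or as a C string is not visible here; if it is a C string, bound the copy to `sizeof(iph.iph_name) - 1` and set the last byte to `'\0'`. The same pattern appears in the remove_pool.c hunk (`pool.ipo_name`) and the remove_poolnode.c hunk (`pn.ipn_name`). The function body starts outside this hunk.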
diff --git a/contrib/ipfilter/lib/remove_hashnode.c b/contrib/ipfilter/lib/remove_hashnode.c
index 47a19dc..58e9125 100644
--- a/contrib/ipfilter/lib/remove_hashnode.c
+++ b/contrib/ipfilter/lib/remove_hashnode.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_hashnode.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,21 +14,18 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int remove_hashnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-iphtent_t *node;
-ioctlfunc_t iocfunc;
+int
+remove_hashnode(unit, name, node, iocfunc)
+ int unit;
+ char *name;
+ iphtent_t *node;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtent_t ipe;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_HASH;
@@ -49,10 +46,11 @@ ioctlfunc_t iocfunc;
printf("%s\n", inet_ntoa(ipe.ipe_mask.in4));
}
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op)) {
if (!(opts & OPT_DONOTHING)) {
- perror("remove_hash:SIOCLOOKUPDELNODE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "remove lookup hash node");
}
+ }
return 0;
}
diff --git a/contrib/ipfilter/lib/remove_pool.c b/contrib/ipfilter/lib/remove_pool.c
index 1e7fe5f..8e75549 100644
--- a/contrib/ipfilter/lib/remove_pool.c
+++ b/contrib/ipfilter/lib/remove_pool.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_pool.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,19 +14,16 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int poolfd = -1;
-
-int remove_pool(poolp, iocfunc)
-ip_pool_t *poolp;
-ioctlfunc_t iocfunc;
+int
+remove_pool(poolp, iocfunc)
+ ip_pool_t *poolp;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
ip_pool_t pool;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_POOL;
@@ -40,11 +37,11 @@ ioctlfunc_t iocfunc;
strncpy(pool.ipo_name, poolp->ipo_name, sizeof(pool.ipo_name));
pool.ipo_flags = poolp->ipo_flags;
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_pool:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete lookup pool");
}
-
+ }
return 0;
}
diff --git a/contrib/ipfilter/lib/remove_poolnode.c b/contrib/ipfilter/lib/remove_poolnode.c
index c80ff70..0b78118 100644
--- a/contrib/ipfilter/lib/remove_poolnode.c
+++ b/contrib/ipfilter/lib/remove_poolnode.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_poolnode.c,v 1.3.2.1 2006/06/16 17:21:16 darrenr Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,21 +14,18 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
-static int poolfd = -1;
-
-int remove_poolnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-ip_pool_node_t *node;
-ioctlfunc_t iocfunc;
+int
+remove_poolnode(unit, name, node, iocfunc)
+ int unit;
+ char *name;
+ ip_pool_node_t *node;
+ ioctlfunc_t iocfunc;
{
ip_pool_node_t pn;
iplookupop_t op;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_unit = unit;
@@ -46,10 +43,10 @@ ioctlfunc_t iocfunc;
pn.ipn_info = node->ipn_info;
strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name));
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op)) {
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_pool:SIOCLOOKUPDELNODE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "remove lookup pool node");
}
}
diff --git a/contrib/ipfilter/lib/resetlexer.c b/contrib/ipfilter/lib/resetlexer.c
index 8ea83f1..558db98 100644
--- a/contrib/ipfilter/lib/resetlexer.c
+++ b/contrib/ipfilter/lib/resetlexer.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: resetlexer.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/rwlock_emul.c b/contrib/ipfilter/lib/rwlock_emul.c
index 1ee2475..24d00a5 100644
--- a/contrib/ipfilter/lib/rwlock_emul.c
+++ b/contrib/ipfilter/lib/rwlock_emul.c
@@ -1,21 +1,21 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: rwlock_emul.c,v 1.1.4.1 2006/06/16 17:21:17 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#define EMM_MAGIC 0x97dd8b3a
void eMrwlock_read_enter(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
+ eMrwlock_t *rw;
+ char *file;
+ int line;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_read_enter(%p): bad magic: %#x\n",
@@ -35,9 +35,9 @@ int line;
void eMrwlock_write_enter(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
+ eMrwlock_t *rw;
+ char *file;
+ int line;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
@@ -57,9 +57,9 @@ int line;
void eMrwlock_downgrade(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
+ eMrwlock_t *rw;
+ char *file;
+ int line;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
@@ -80,7 +80,7 @@ int line;
void eMrwlock_exit(rw)
-eMrwlock_t *rw;
+ eMrwlock_t *rw;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_exit(%p): bad magic: %#x\n",
@@ -101,9 +101,11 @@ eMrwlock_t *rw;
}
+static int initcount = 0;
+
void eMrwlock_init(rw, who)
-eMrwlock_t *rw;
-char *who;
+ eMrwlock_t *rw;
+ char *who;
{
if (rw->eMrw_magic == EMM_MAGIC) { /* safe bet ? */
fprintf(stderr,
@@ -118,16 +120,26 @@ char *who;
rw->eMrw_owner = strdup(who);
else
rw->eMrw_owner = NULL;
+ initcount++;
}
void eMrwlock_destroy(rw)
-eMrwlock_t *rw;
+ eMrwlock_t *rw;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_destroy(%p): bad magic: %#x\n",
rw->eMrw_owner, rw, rw->eMrw_magic);
abort();
}
+ if (rw->eMrw_owner != NULL)
+ free(rw->eMrw_owner);
memset(rw, 0xa5, sizeof(*rw));
+ initcount--;
+}
+
+void ipf_rwlock_clean()
+{
+ if (initcount != 0)
+ abort();
}
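Review bot: ipf_rwlock_clean() aborts without saying why, unlike the other checks in this file, which print a diagnostic before calling abort(). Printing the counter first, e.g. `fprintf(stderr, "ipf_rwlock_clean: %d rwlock(s) not destroyed\n", initcount);`, would make a leaked lock diagnosable from the output alone. In eMrwlock_destroy() the `if (rw->eMrw_owner != NULL)` guard is unnecessary because free(NULL) is a no-op. eMrwlock_init() starts outside this hunk.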
diff --git a/contrib/ipfilter/lib/save_execute.c b/contrib/ipfilter/lib/save_execute.c
new file mode 100644
index 0000000..65caca4
--- /dev/null
+++ b/contrib/ipfilter/lib/save_execute.c
@@ -0,0 +1,80 @@
+#include "ipf.h"
+#include "ipmon.h"
+
+static void *execute_parse __P((char **));
+static void execute_destroy __P((void *));
+static int execute_send __P((void *, ipmon_msg_t *));
+static void execute_print __P((void *));
+
+typedef struct execute_opts_s {
+ char *path;
+} execute_opts_t;
+
+ipmon_saver_t executesaver = {
+ "execute",
+ execute_destroy,
+ NULL, /* dup */
+ NULL, /* match */
+ execute_parse,
+ execute_print,
+ execute_send
+};
+
+
+static void *
+execute_parse(char **strings)
+{
+ execute_opts_t *ctx;
+
+ ctx = calloc(1, sizeof(*ctx));
+
+ if (ctx != NULL && strings[0] != NULL && strings[0][0] != '\0') {
+ ctx->path = strdup(strings[0]);
+
+ } else {
+ free(ctx);
+ return NULL;
+ }
+
+ return ctx;
+}
+
+
+static void
+execute_print(ctx)
+ void *ctx;
+{
+ execute_opts_t *exe = ctx;
+
+ printf("%s", exe->path);
+}
+
+
+static void
+execute_destroy(ctx)
+ void *ctx;
+{
+ execute_opts_t *exe = ctx;
+
+ if (exe != NULL)
+ free(exe->path);
+ free(exe);
+}
+
+
+static int
+execute_send(ctx, msg)
+ void *ctx;
+ ipmon_msg_t *msg;
+{
+ execute_opts_t *exe = ctx;
+ FILE *fp;
+
+ fp = popen(exe->path, "w");
+ if (fp != NULL) {
+ fwrite(msg->imm_msg, msg->imm_msglen, 1, fp);
+ pclose(fp);
+ }
+ return 0;
+}
+
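Review bot: execute_parse() stores the strdup() result without checking it, so an allocation failure yields a context whose `path` is NULL, which execute_send() then passes to popen(); add `if (ctx->path == NULL) { free(ctx); return NULL; }` after the strdup(). execute_send() hands the configured string to popen(), which runs it through the shell once per message, so the trust assumption deserves a comment such as `/* path is run via the shell by popen(); it must only ever come from administrator-controlled configuration */`. The function also ignores the fwrite() and pclose() results and returns 0 even when popen() fails, so a broken command is never reported. Returning -1 when `fp == NULL` would surface that, though whether callers check the return value is not visible here.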
diff --git a/contrib/ipfilter/lib/save_file.c b/contrib/ipfilter/lib/save_file.c
new file mode 100644
index 0000000..b852bd6
--- /dev/null
+++ b/contrib/ipfilter/lib/save_file.c
@@ -0,0 +1,130 @@
+#include "ipf.h"
+#include "ipmon.h"
+
+static void *file_parse __P((char **));
+static void file_destroy __P((void *));
+static int file_send __P((void *, ipmon_msg_t *));
+static void file_print __P((void *));
+static int file_match __P((void *, void *));
+static void *file_dup __P((void *));
+
+typedef struct file_opts_s {
+ FILE *fp;
+ int raw;
+ char *path;
+ int ref;
+} file_opts_t;
+
+ipmon_saver_t filesaver = {
+ "file",
+ file_destroy,
+ file_dup,
+ file_match,
+ file_parse,
+ file_print,
+ file_send
+};
+
+
+static void *
+file_parse(strings)
+ char **strings;
+{
+ file_opts_t *ctx;
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ if (strings[0] != NULL && strings[0][0] != '\0') {
+ ctx->ref = 1;
+ if (!strncmp(strings[0], "raw://", 6)) {
+ ctx->raw = 1;
+ ctx->path = strdup(strings[0] + 6);
+ ctx->fp = fopen(ctx->path, "ab");
+ } else if (!strncmp(strings[0], "file://", 7)) {
+ ctx->path = strdup(strings[0] + 7);
+ ctx->fp = fopen(ctx->path, "a");
+ } else {
+ free(ctx);
+ ctx = NULL;
+ }
+ } else {
+ free(ctx);
+ ctx = NULL;
+ }
+
+ return ctx;
+}
+
+
+static int
+file_match(ctx1, ctx2)
+ void *ctx1, *ctx2;
+{
+ file_opts_t *f1 = ctx1, *f2 = ctx2;
+
+ if (f1->raw != f2->raw)
+ return 1;
+ if (strcmp(f1->path, f2->path))
+ return 1;
+ return 0;
+}
+
+
+static void *
+file_dup(ctx)
+ void *ctx;
+{
+ file_opts_t *f = ctx;
+
+ f->ref++;
+ return f;
+}
+
+
+static void
+file_print(ctx)
+ void *ctx;
+{
+ file_opts_t *file = ctx;
+
+ if (file->raw)
+ printf("raw://");
+ else
+ printf("file://");
+ printf("%s", file->path);
+}
+
+
+static void
+file_destroy(ctx)
+ void *ctx;
+{
+ file_opts_t *file = ctx;
+
+ file->ref--;
+ if (file->ref > 0)
+ return;
+
+ if (file->path != NULL)
+ free(file->path);
+ free(file);
+}
+
+
+static int
+file_send(ctx, msg)
+ void *ctx;
+ ipmon_msg_t *msg;
+{
+ file_opts_t *file = ctx;
+
+ if (file->raw) {
+ fwrite(msg->imm_data, msg->imm_dsize, 1, file->fp);
+ } else {
+ fprintf(file->fp, "%s", msg->imm_msg);
+ }
+ return 0;
+}
+
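Review bot: file_parse() never checks the results of strdup() and fopen(), so a path that cannot be opened leaves `ctx->fp` NULL and the first file_send() call writes through a NULL stream; the parse should fail instead. file_destroy() frees the path and the context but never closes the stream, so the FILE and its descriptor leak each time a saver is destroyed; add `if (file->fp != NULL) fclose(file->fp);` before the frees. file_send() also ignores fwrite()/fprintf() errors and always returns 0, so a full disk goes unreported. A possible shape for the rest of file_parse() after the calloc check is below.

```c
	/* ... unchanged: calloc of ctx and its NULL check ... */

	if (strings[0] == NULL || strings[0][0] == '\0') {
		free(ctx);
		return NULL;
	}

	if (!strncmp(strings[0], "raw://", 6)) {
		ctx->raw = 1;
		ctx->path = strdup(strings[0] + 6);
	} else if (!strncmp(strings[0], "file://", 7)) {
		ctx->path = strdup(strings[0] + 7);
	}

	/* unknown scheme or strdup() failure */
	if (ctx->path == NULL) {
		free(ctx);
		return NULL;
	}

	ctx->fp = fopen(ctx->path, ctx->raw ? "ab" : "a");
	if (ctx->fp == NULL) {
		free(ctx->path);
		free(ctx);
		return NULL;
	}
	ctx->ref = 1;

	return ctx;
```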
diff --git a/contrib/ipfilter/lib/save_nothing.c b/contrib/ipfilter/lib/save_nothing.c
new file mode 100644
index 0000000..d25ab51
--- /dev/null
+++ b/contrib/ipfilter/lib/save_nothing.c
@@ -0,0 +1,62 @@
+#include "ipf.h"
+#include "ipmon.h"
+
+static void *nothing_parse __P((char **));
+static void nothing_destroy __P((void *));
+static int nothing_send __P((void *, ipmon_msg_t *));
+
+typedef struct nothing_opts_s {
+ FILE *fp;
+ int raw;
+ char *path;
+} nothing_opts_t;
+
+ipmon_saver_t nothingsaver = {
+ "nothing",
+ nothing_destroy,
+ NULL, /* dup */
+ NULL, /* match */
+ nothing_parse,
+ NULL, /* print */
+ nothing_send
+};
+
+
+static void *
+nothing_parse(char **strings)
+{
+ void *ctx;
+
+#if 0
+ strings = strings; /* gcc -Wextra */
+#endif
+
+ ctx = calloc(1, sizeof(void *));
+
+ return ctx;
+}
+
+
+static void
+nothing_destroy(ctx)
+ void *ctx;
+{
+ free(ctx);
+}
+
+
+static int
+nothing_send(ctx, msg)
+ void *ctx;
+ ipmon_msg_t *msg;
+{
+#if 0
+ ctx = ctx; /* gcc -Wextra */
+ msg = msg; /* gcc -Wextra */
+#endif
+ /*
+ * Do nothing
+ */
+ return 0;
+}
+
diff --git a/contrib/ipfilter/lib/save_syslog.c b/contrib/ipfilter/lib/save_syslog.c
new file mode 100644
index 0000000..c1efdf4
--- /dev/null
+++ b/contrib/ipfilter/lib/save_syslog.c
@@ -0,0 +1,137 @@
+#include "ipf.h"
+#include "ipmon.h"
+#include <syslog.h>
+
+static void *syslog_parse __P((char **));
+static void syslog_destroy __P((void *));
+static int syslog_send __P((void *, ipmon_msg_t *));
+static void syslog_print __P((void *));
+
+typedef struct syslog_opts_s {
+ int facpri;
+ int fac;
+ int pri;
+} syslog_opts_t;
+
+ipmon_saver_t syslogsaver = {
+ "syslog",
+ syslog_destroy,
+ NULL, /* dup */
+ NULL, /* match */
+ syslog_parse,
+ syslog_print,
+ syslog_send
+};
+
+
+static void *
+syslog_parse(char **strings)
+{
+ syslog_opts_t *ctx;
+ char *str;
+ char *s;
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->facpri = -1;
+
+ if (strings[0] != NULL && strings[0][0] != '\0') {
+ str = strdup(*strings);
+ if (str != NULL && *str != '\0') {
+ int fac = -1, pri = -1;
+
+ s = strchr(str, '.');
+ if (s != NULL)
+ *s++ = '\0';
+
+ if (*str != '\0') {
+ fac = fac_findname(str);
+ if (fac == -1) {
+ free(str);
+ free(ctx);
+ return NULL;
+ }
+ }
+
+ if (s != NULL && *s != '\0') {
+ pri = pri_findname(s);
+ if (pri == -1) {
+ free(str);
+ free(ctx);
+ return NULL;
+ }
+ }
+ free(str);
+
+ ctx->fac = fac;
+ ctx->pri = pri;
+ if (pri == -1)
+ ctx->facpri = fac;
+ else if (fac == -1)
+ ctx->facpri = pri;
+ else
+ ctx->facpri = fac | pri;
+ } else {
+ if (str != NULL)
+ free(str);
+ free(ctx);
+ ctx = NULL;
+ }
+ }
+
+ return ctx;
+}
+
+
+static void
+syslog_print(ctx)
+ void *ctx;
+{
+ syslog_opts_t *sys = ctx;
+
+ if (sys->facpri == -1)
+ return;
+
+ if (sys->fac == -1) {
+ printf(".%s", pri_toname(sys->pri));
+ } else if (sys->pri == -1) {
+ printf("%s.", fac_toname(sys->fac));
+ } else {
+ printf("%s.%s", fac_toname(sys->facpri & LOG_FACMASK),
+ pri_toname(sys->facpri & LOG_PRIMASK));
+ }
+}
+
+
+static void
+syslog_destroy(ctx)
+ void *ctx;
+{
+ free(ctx);
+}
+
+
+static int
+syslog_send(ctx, msg)
+ void *ctx;
+ ipmon_msg_t *msg;
+{
+ syslog_opts_t *sys = ctx;
+ int facpri;
+
+ if (sys->facpri == -1) {
+ facpri = msg->imm_loglevel;
+ } else {
+ if (sys->pri == -1) {
+ facpri = sys->fac | (msg->imm_loglevel & LOG_PRIMASK);
+ } else if (sys->fac == -1) {
+ facpri = sys->pri | (msg->imm_loglevel & LOG_FACMASK);
+ } else {
+ facpri = sys->facpri;
+ }
+ }
+ syslog(facpri, "%s", msg->imm_msg);
+ return 0;
+}
diff --git a/contrib/ipfilter/lib/save_v1trap.c b/contrib/ipfilter/lib/save_v1trap.c
new file mode 100644
index 0000000..b17f62c
--- /dev/null
+++ b/contrib/ipfilter/lib/save_v1trap.c
@@ -0,0 +1,463 @@
+#include "ipf.h"
+#include "netinet/ipl.h"
+#include "ipmon.h"
+#include <ctype.h>
+
+#define IPF_ENTERPRISE 9932
+/*
+ * Enterprise number OID:
+ * 1.3.6.1.4.1.9932
+ */
+static u_char ipf_enterprise[] = { 6, 7, 0x2b, 6, 1, 4, 1, 0xcd, 0x4c };
+static u_char ipf_trap0_1[] = { 6, 10, 0x2b, 6, 1, 4, 1, 0xcd, 0x4c, 1, 1, 1 };
+static u_char ipf_trap0_2[] = { 6, 10, 0x2b, 6, 1, 4, 1, 0xcd, 0x4c, 1, 1, 2 };
+
+static int writeint __P((u_char *, int));
+static int writelength __P((u_char *, u_int));
+static int maketrap_v1 __P((char *, u_char *, int, u_char *, int, u_32_t,
+ time_t));
+static void snmpv1_destroy __P((void *));
+static void *snmpv1_dup __P((void *));
+static int snmpv1_match __P((void *, void *));
+static void *snmpv1_parse __P((char **));
+static void snmpv1_print __P((void *));
+static int snmpv1_send __P((void *, ipmon_msg_t *));
+
+typedef struct snmpv1_opts_s {
+ char *community;
+ int fd;
+ int v6;
+ int ref;
+#ifdef USE_INET6
+ struct sockaddr_in6 sin6;
+#endif
+ struct sockaddr_in sin;
+} snmpv1_opts_t;
+
+ipmon_saver_t snmpv1saver = {
+ "snmpv1",
+ snmpv1_destroy,
+ snmpv1_dup, /* dup */
+ snmpv1_match, /* match */
+ snmpv1_parse,
+ snmpv1_print,
+ snmpv1_send
+};
+
+
+static int
+snmpv1_match(ctx1, ctx2)
+ void *ctx1, *ctx2;
+{
+ snmpv1_opts_t *s1 = ctx1, *s2 = ctx2;
+
+ if (s1->v6 != s2->v6)
+ return 1;
+
+ if (strcmp(s1->community, s2->community))
+ return 1;
+
+#ifdef USE_INET6
+ if (s1->v6 == 1) {
+ if (memcmp(&s1->sin6, &s2->sin6, sizeof(s1->sin6)))
+ return 1;
+ } else
+#endif
+ {
+ if (memcmp(&s1->sin, &s2->sin, sizeof(s1->sin)))
+ return 1;
+ }
+
+ return 0;
+}
+
+
+static void *
+snmpv1_dup(ctx)
+ void *ctx;
+{
+ snmpv1_opts_t *s = ctx;
+
+ s->ref++;
+ return s;
+}
+
+
+static void
+snmpv1_print(ctx)
+ void *ctx;
+{
+ snmpv1_opts_t *snmpv1 = ctx;
+
+ printf("%s ", snmpv1->community);
+#ifdef USE_INET6
+ if (snmpv1->v6 == 1) {
+ char buf[80];
+
+ printf("%s", inet_ntop(AF_INET6, &snmpv1->sin6.sin6_addr, buf,
+ sizeof(snmpv1->sin6.sin6_addr)));
+ } else
+#endif
+ {
+ printf("%s", inet_ntoa(snmpv1->sin.sin_addr));
+ }
+}
+
+
+static void *
+snmpv1_parse(char **strings)
+{
+ snmpv1_opts_t *ctx;
+ int result;
+ char *str;
+ char *s;
+
+ if (strings[0] == NULL || strings[0][0] == '\0')
+ return NULL;
+
+ if (strchr(*strings, ' ') == NULL)
+ return NULL;
+
+ str = strdup(*strings);
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->fd = -1;
+
+ s = strchr(str, ' ');
+ *s++ = '\0';
+ ctx->community = str;
+
+ while (ISSPACE(*s))
+ s++;
+ if (!*s) {
+ free(str);
+ free(ctx);
+ return NULL;
+ }
+
+#ifdef USE_INET6
+ if (strchr(s, ':') == NULL) {
+ result = inet_pton(AF_INET, s, &ctx->sin.sin_addr);
+ if (result == 1) {
+ ctx->fd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (ctx->fd >= 0) {
+ ctx->sin.sin_family = AF_INET;
+ ctx->sin.sin_port = htons(162);
+ if (connect(ctx->fd,
+ (struct sockaddr *)&ctx->sin,
+ sizeof(ctx->sin)) != 0) {
+ snmpv1_destroy(ctx);
+ return NULL;
+ }
+ }
+ }
+ } else {
+ result = inet_pton(AF_INET6, s, &ctx->sin6.sin6_addr);
+ if (result == 1) {
+ ctx->v6 = 1;
+ ctx->fd = socket(AF_INET6, SOCK_DGRAM, 0);
+ if (ctx->fd >= 0) {
+ ctx->sin6.sin6_family = AF_INET6;
+ ctx->sin6.sin6_port = htons(162);
+ if (connect(ctx->fd,
+ (struct sockaddr *)&ctx->sin6,
+ sizeof(ctx->sin6)) != 0) {
+ snmpv1_destroy(ctx);
+ return NULL;
+ }
+ }
+ }
+ }
+#else
+ result = inet_aton(s, &ctx->sin.sin_addr);
+ if (result == 1) {
+ ctx->fd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (ctx->fd >= 0) {
+ ctx->sin.sin_family = AF_INET;
+ ctx->sin.sin_port = htons(162);
+ if (connect(ctx->fd, &ctx->sin,
+ sizeof(ctx->sin)) != 0) {
+ snmpv1_destroy(ctx);
+ return NULL;
+ }
+ }
+ }
+#endif
+
+ if (result != 1) {
+ free(str);
+ free(ctx);
+ return NULL;
+ }
+
+ ctx->ref = 1;
+
+ return ctx;
+}
+
+
+static void
+snmpv1_destroy(ctx)
+ void *ctx;
+{
+ snmpv1_opts_t *v1 = ctx;
+
+ v1->ref--;
+ if (v1->ref > 0)
+ return;
+
+ if (v1->community)
+ free(v1->community);
+ if (v1->fd >= 0)
+ close(v1->fd);
+ free(v1);
+}
+
+
+static int
+snmpv1_send(ctx, msg)
+ void *ctx;
+ ipmon_msg_t *msg;
+{
+ snmpv1_opts_t *v1 = ctx;
+
+ return sendtrap_v1_0(v1->fd, v1->community,
+ msg->imm_msg, msg->imm_msglen, msg->imm_when);
+}
+
+static char def_community[] = "public"; /* ublic */
+
+static int
+writelength(buffer, value)
+ u_char *buffer;
+ u_int value;
+{
+ u_int n = htonl(value);
+ int len;
+
+ if (value < 128) {
+ *buffer = value;
+ return 1;
+ }
+ if (value > 0xffffff)
+ len = 4;
+ else if (value > 0xffff)
+ len = 3;
+ else if (value > 0xff)
+ len = 2;
+ else
+ len = 1;
+
+ *buffer = 0x80 | len;
+
+ bcopy((u_char *)&n + 4 - len, buffer + 1, len);
+
+ return len + 1;
+}
+
+
+static int
+writeint(buffer, value)
+ u_char *buffer;
+ int value;
+{
+ u_char *s = buffer;
+ u_int n = value;
+
+ if (value == 0) {
+ *buffer = 0;
+ return 1;
+ }
+
+ if (n > 4194304) {
+ *s++ = 0x80 | (n / 4194304);
+ n -= 4194304 * (n / 4194304);
+ }
+ if (n > 32768) {
+ *s++ = 0x80 | (n / 32768);
+ n -= 32768 * (n / 327678);
+ }
+ if (n > 128) {
+ *s++ = 0x80 | (n / 128);
+ n -= (n / 128) * 128;
+ }
+ *s++ = (u_char)n;
+
+ return s - buffer;
+}
+
+
+
+/*
+ * First style of traps is:
+ * 1.3.6.1.4.1.9932.1.1
+ */
+static int
+maketrap_v1(community, buffer, bufsize, msg, msglen, ipaddr, when)
+ char *community;
+ u_char *buffer;
+ int bufsize;
+ u_char *msg;
+ int msglen;
+ u_32_t ipaddr;
+ time_t when;
+{
+ u_char *s = buffer, *t, *pdulen, *varlen;
+ int basesize = 73;
+ u_short len;
+ int trapmsglen;
+ int pdulensz;
+ int varlensz;
+ int baselensz;
+ int n;
+
+ if (community == NULL || *community == '\0')
+ community = def_community;
+ basesize += strlen(community) + msglen;
+
+ if (basesize + 8 > bufsize)
+ return 0;
+
+ memset(buffer, 0xff, bufsize);
+ *s++ = 0x30; /* Sequence */
+ if (basesize - 1 >= 128) {
+ baselensz = 2;
+ basesize++;
+ } else {
+ baselensz = 1;
+ }
+ s += baselensz;
+ *s++ = 0x02; /* Integer32 */
+ *s++ = 0x01; /* length 1 */
+ *s++ = 0x00; /* version 1 */
+ *s++ = 0x04; /* octet string */
+ *s++ = strlen(community); /* length of "public" */
+ bcopy(community, s, s[-1]);
+ s += s[-1];
+ *s++ = 0xA4; /* PDU(4) */
+ pdulen = s++;
+ if (basesize - (s - buffer) >= 128) {
+ pdulensz = 2;
+ basesize++;
+ s++;
+ } else {
+ pdulensz = 1;
+ }
+
+ /* enterprise */
+ bcopy(ipf_enterprise, s, sizeof(ipf_enterprise));
+ s += sizeof(ipf_enterprise);
+
+ /* Agent address */
+ *s++ = 0x40;
+ *s++ = 0x4;
+ bcopy(&ipaddr, s, 4);
+ s += 4;
+
+ /* Generic Trap code */
+ *s++ = 0x2;
+ n = writeint(s + 1, 6);
+ if (n == 0)
+ return 0;
+ *s = n;
+ s += n + 1;
+
+ /* Specific Trap code */
+ *s++ = 0x2;
+ n = writeint(s + 1, 0);
+ if (n == 0)
+ return 0;
+ *s = n;
+ s += n + 1;
+
+ /* Time stamp */
+ *s++ = 0x43; /* TimeTicks */
+ *s++ = 0x04; /* TimeTicks */
+ s[0] = when >> 24;
+ s[1] = when >> 16;
+ s[2] = when >> 8;
+ s[3] = when & 0xff;
+ s += 4;
+
+ /*
+ * The trap0 message is "ipfilter_version" followed by the message
+ */
+ *s++ = 0x30;
+ varlen = s;
+ if (basesize - (s - buffer) >= 128) {
+ varlensz = 2;
+ basesize++;
+ } else {
+ varlensz = 1;
+ }
+ s += varlensz;
+
+ *s++ = 0x30;
+ t = s + 1;
+ bcopy(ipf_trap0_1, t, sizeof(ipf_trap0_1));
+ t += sizeof(ipf_trap0_1);
+
+ *t++ = 0x2; /* Integer */
+ n = writeint(t + 1, IPFILTER_VERSION);
+ *t = n;
+ t += n + 1;
+
+ len = t - s - 1;
+ writelength(s, len);
+
+ s = t;
+ *s++ = 0x30;
+ if (basesize - (s - buffer) >= 128) {
+ trapmsglen = 2;
+ basesize++;
+ } else {
+ trapmsglen = 1;
+ }
+ t = s + trapmsglen;
+ bcopy(ipf_trap0_2, t, sizeof(ipf_trap0_2));
+ t += sizeof(ipf_trap0_2);
+
+ *t++ = 0x4; /* Octet string */
+ n = writelength(t, msglen);
+ t += n;
+ bcopy(msg, t, msglen);
+ t += msglen;
+
+ len = t - s - trapmsglen;
+ writelength(s, len);
+
+ len = t - varlen - varlensz;
+ writelength(varlen, len); /* pdu length */
+
+ len = t - pdulen - pdulensz;
+ writelength(pdulen, len); /* pdu length */
+
+ len = t - buffer - baselensz - 1;
+ writelength(buffer + 1, len); /* length of trap */
+
+ return t - buffer;
+}
+
+
+int
+sendtrap_v1_0(fd, community, msg, msglen, when)
+ int fd;
+ char *community, *msg;
+ int msglen;
+ time_t when;
+{
+
+ u_char buffer[1500];
+ int n;
+
+ n = maketrap_v1(community, buffer, sizeof(buffer),
+ (u_char *)msg, msglen, 0, when);
+ if (n > 0) {
+ return send(fd, buffer, n, 0);
+ }
+
+ return 0;
+}
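Review bot: In writeint() the second reduction divides by `327678` instead of `32768`, so values above 32768 are not reduced correctly and the following bytes are encoded from the wrong remainder; the line should read `n -= 32768 * (n / 32768);`. In snmpv1_print() the size passed to inet_ntop() is `sizeof(snmpv1->sin6.sin6_addr)`, the binary address size, rather than `sizeof(buf)`, so the call fails for most addresses and hands a NULL pointer to `printf("%s", ...)`. snmpv1_parse() uses the strdup() result without a NULL check, leaks `str` when calloc() fails, and returns a context whose `fd` is still -1 when socket() fails. In maketrap_v1() each length field reserves at most two bytes, but writelength() emits three once a length exceeds 255, which a message sized for the 1500-byte buffer in sendtrap_v1_0() can reach, so the byte after the length is overwritten. A negative `msglen` also passes the `basesize + 8 > bufsize` test and reaches `bcopy(msg, t, msglen)`, so `if (msglen < 0) return 0;` ahead of that test would be a cheap guard.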
diff --git a/contrib/ipfilter/lib/save_v2trap.c b/contrib/ipfilter/lib/save_v2trap.c
new file mode 100644
index 0000000..24349bb
--- /dev/null
+++ b/contrib/ipfilter/lib/save_v2trap.c
@@ -0,0 +1,459 @@
+#include "ipf.h"
+#include "netinet/ipl.h"
+#include "ipmon.h"
+#include <ctype.h>
+
+static u_char sysuptime[] = { 6, 8, 0x2b, 6, 1, 2, 1, 1, 3, 0 };
+/*
+ * Enterprise number OID:
+ * 1.3.6.1.4.1.9932
+ */
+static u_char ipf_trap0_1[] = { 6, 10, 0x2b, 6, 1, 4, 1, 0xcd, 0x4c, 1, 1, 1 };
+static u_char ipf_trap0_2[] = { 6, 10, 0x2b, 6, 1, 4, 1, 0xcd, 0x4c, 1, 1, 2 };
+
+static int writeint __P((u_char *, int));
+static int writelength __P((u_char *, u_int));
+static int maketrap_v2 __P((char *, u_char *, int, u_char *, int));
+static void snmpv2_destroy __P((void *));
+static void *snmpv2_dup __P((void *));
+static int snmpv2_match __P((void *, void *));
+static void *snmpv2_parse __P((char **));
+static void snmpv2_print __P((void *));
+static int snmpv2_send __P((void *, ipmon_msg_t *));
+
+
+int sendtrap_v2_0 __P((int, char *, char *, int));
+
+static char def_community[] = "public"; /* ublic */
+
+typedef struct snmpv2_opts_s {
+ char *community;
+ char *server;
+ int fd;
+ int v6;
+ int ref;
+#ifdef USE_INET6
+ struct sockaddr_in6 sin6;
+#endif
+ struct sockaddr_in sin;
+} snmpv2_opts_t;
+
+ipmon_saver_t snmpv2saver = {
+ "snmpv2",
+ snmpv2_destroy,
+ snmpv2_dup, /* dup */
+ snmpv2_match, /* match */
+ snmpv2_parse,
+ snmpv2_print,
+ snmpv2_send
+};
+
+
+static int
+snmpv2_match(ctx1, ctx2)
+ void *ctx1, *ctx2;
+{
+ snmpv2_opts_t *s1 = ctx1, *s2 = ctx2;
+
+ if (s1->v6 != s2->v6)
+ return 1;
+
+ if (strcmp(s1->community, s2->community))
+ return 1;
+
+#ifdef USE_INET6
+ if (s1->v6 == 1) {
+ if (memcmp(&s1->sin6, &s2->sin6, sizeof(s1->sin6)))
+ return 1;
+ } else
+#endif
+ {
+ if (memcmp(&s1->sin, &s2->sin, sizeof(s1->sin)))
+ return 1;
+ }
+
+ return 0;
+}
+
+
+static void *
+snmpv2_dup(ctx)
+ void *ctx;
+{
+ snmpv2_opts_t *s = ctx;
+
+ s->ref++;
+ return s;
+}
+
+
+static void
+snmpv2_print(ctx)
+ void *ctx;
+{
+ snmpv2_opts_t *snmpv2 = ctx;
+
+ printf("%s ", snmpv2->community);
+#ifdef USE_INET6
+ if (snmpv2->v6 == 1) {
+ char buf[80];
+
+ printf("%s", inet_ntop(AF_INET6, &snmpv2->sin6.sin6_addr, buf,
+ sizeof(snmpv2->sin6.sin6_addr)));
+ } else
+#endif
+ {
+ printf("%s", inet_ntoa(snmpv2->sin.sin_addr));
+ }
+}
+
+
+static void *
+snmpv2_parse(char **strings)
+{
+ snmpv2_opts_t *ctx;
+ int result;
+ char *str;
+ char *s;
+
+ if (strings[0] == NULL || strings[0][0] == '\0')
+ return NULL;
+ if (strchr(*strings, ' ') == NULL)
+ return NULL;
+
+ str = strdup(*strings);
+
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->fd = -1;
+
+ s = strchr(str, ' ');
+ *s++ = '\0';
+ ctx->community = str;
+
+ while (ISSPACE(*s))
+ s++;
+ if (!*s) {
+ free(str);
+ free(ctx);
+ return NULL;
+ }
+
+#ifdef USE_INET6
+ if (strchr(s, ':') == NULL) {
+ result = inet_pton(AF_INET, s, &ctx->sin.sin_addr);
+ if (result == 1) {
+ ctx->fd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (ctx->fd >= 0) {
+ ctx->sin.sin_family = AF_INET;
+ ctx->sin.sin_port = htons(162);
+ if (connect(ctx->fd,
+ (struct sockaddr *)&ctx->sin,
+ sizeof(ctx->sin)) != 0) {
+ snmpv2_destroy(ctx);
+ return NULL;
+ }
+ }
+ }
+ } else {
+ result = inet_pton(AF_INET6, s, &ctx->sin6.sin6_addr);
+ if (result == 1) {
+ ctx->v6 = 1;
+ ctx->fd = socket(AF_INET6, SOCK_DGRAM, 0);
+ if (ctx->fd >= 0) {
+ ctx->sin6.sin6_family = AF_INET6;
+ ctx->sin6.sin6_port = htons(162);
+ if (connect(ctx->fd,
+ (struct sockaddr *)&ctx->sin6,
+ sizeof(ctx->sin6)) != 0) {
+ snmpv2_destroy(ctx);
+ return NULL;
+ }
+ }
+ }
+ }
+#else
+ result = inet_aton(s, &ctx->sin.sin_addr);
+ if (result == 1) {
+ ctx->fd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (ctx->fd >= 0) {
+ ctx->sin.sin_family = AF_INET;
+ ctx->sin.sin_port = htons(162);
+ if (connect(ctx->fd, &ctx->sin,
+ sizeof(ctx->sin)) != 0) {
+ snmpv2_destroy(ctx);
+ return NULL;
+ }
+ }
+ }
+#endif
+
+ if (result != 1) {
+ free(str);
+ free(ctx);
+ return NULL;
+ }
+
+ ctx->ref = 1;
+
+ return ctx;
+}
+
+
+static void
+snmpv2_destroy(ctx)
+ void *ctx;
+{
+ snmpv2_opts_t *v2 = ctx;
+
+ v2->ref--;
+ if (v2->ref > 0)
+ return;
+
+ if (v2->community)
+ free(v2->community);
+ if (v2->fd >= 0)
+ close(v2->fd);
+ free(v2);
+}
+
+
+static int
+snmpv2_send(ctx, msg)
+ void *ctx;
+ ipmon_msg_t *msg;
+{
+ snmpv2_opts_t *v2 = ctx;
+
+ return sendtrap_v2_0(v2->fd, v2->community,
+ msg->imm_msg, msg->imm_msglen);
+}
+static int
+writelength(buffer, value)
+ u_char *buffer;
+ u_int value;
+{
+ u_int n = htonl(value);
+ int len;
+
+ if (value < 128) {
+ *buffer = value;
+ return 1;
+ }
+ if (value > 0xffffff)
+ len = 4;
+ else if (value > 0xffff)
+ len = 3;
+ else if (value > 0xff)
+ len = 2;
+ else
+ len = 1;
+
+ *buffer = 0x80 | len;
+
+ bcopy((u_char *)&n + 4 - len, buffer + 1, len);
+
+ return len + 1;
+}
+
+
+static int
+writeint(buffer, value)
+ u_char *buffer;
+ int value;
+{
+ u_char *s = buffer;
+ u_int n = value;
+
+ if (value == 0) {
+ *buffer = 0;
+ return 1;
+ }
+
+ if (n > 4194304) {
+ *s++ = 0x80 | (n / 4194304);
+ n -= 4194304 * (n / 4194304);
+ }
+ if (n > 32768) {
+ *s++ = 0x80 | (n / 32768);
+ n -= 32768 * (n / 327678);
+ }
+ if (n > 128) {
+ *s++ = 0x80 | (n / 128);
+ n -= (n / 128) * 128;
+ }
+ *s++ = (u_char)n;
+
+ return s - buffer;
+}
+
+
+
+/*
+ * First style of traps is:
+ * 1.3.6.1.4.1.9932.1.1
+ */
+static int
+maketrap_v2(community, buffer, bufsize, msg, msglen)
+ char *community;
+ u_char *buffer;
+ int bufsize;
+ u_char *msg;
+ int msglen;
+{
+ u_char *s = buffer, *t, *pdulen;
+ u_char *varlen;
+ int basesize = 77;
+ u_short len;
+ int trapmsglen;
+ int pdulensz;
+ int varlensz;
+ int baselensz;
+ int n;
+
+ if (community == NULL || *community == '\0')
+ community = def_community;
+ basesize += strlen(community) + msglen;
+
+ if (basesize + 8 > bufsize)
+ return 0;
+
+ memset(buffer, 0xff, bufsize);
+ *s++ = 0x30; /* Sequence */
+
+ if (basesize - 1 >= 128) {
+ baselensz = 2;
+ basesize++;
+ } else {
+ baselensz = 1;
+ }
+ s += baselensz;
+ *s++ = 0x02; /* Integer32 */
+ *s++ = 0x01; /* length 1 */
+ *s++ = 0x01; /* version 2 */
+ *s++ = 0x04; /* octet string */
+ *s++ = strlen(community); /* length of "public" */
+ bcopy(community, s, s[-1]);
+ s += s[-1];
+ *s++ = 0xA7; /* PDU(7) */
+ pdulen = s++;
+ if (basesize - (s - buffer) >= 128) {
+ pdulensz = 2;
+ basesize++;
+ s++;
+ } else {
+ pdulensz = 1;
+ }
+ /* request id */
+ *s++ = 0x2; /* integer */
+ *s++ = 0x4; /* len 4 */
+ *s++ = 0x0; /* noError */
+ *s++ = 0x0; /* noError */
+ *s++ = 0x0; /* noError */
+ *s++ = 0x0; /* noError */
+
+ /* error status */
+ *s++ = 0x2; /* integer */
+ *s++ = 0x1; /* len 1 */
+ *s++ = 0x0; /* noError */
+
+ /* error-index */
+ *s++ = 0x2; /* integer */
+ *s++ = 0x1; /* len 1 */
+ *s++ = 0x0; /* noError */
+
+ *s++ = 0x30; /* sequence */
+ varlen = s++;
+ if (basesize - (s - buffer) >= 128) {
+ varlensz = 2;
+ basesize++;
+ s++;
+ } else {
+ varlensz = 1;
+ }
+
+ *s++ = 0x30; /* sequence */
+ *s++ = sizeof(sysuptime) + 6;
+
+ bcopy(sysuptime, s, sizeof(sysuptime));
+ s += sizeof(sysuptime);
+
+ *s++ = 0x43; /* Timestamp */
+ *s++ = 0x04; /* TimeTicks */
+ *s++ = 0x0;
+ *s++ = 0x0;
+ *s++ = 0x0;
+ *s++ = 0x0;
+
+ *s++ = 0x30;
+ t = s + 1;
+ bcopy(ipf_trap0_1, t, sizeof(ipf_trap0_1));
+ t += sizeof(ipf_trap0_1);
+
+ *t++ = 0x2; /* Integer */
+ n = writeint(t + 1, IPFILTER_VERSION);
+ *t = n;
+ t += n + 1;
+
+ len = t - s - 1;
+ writelength(s, len);
+
+ s = t;
+ *s++ = 0x30;
+ if (msglen < 128) {
+ if (msglen + 1 + 1 + sizeof(ipf_trap0_2) >= 128)
+ trapmsglen = 2;
+ else
+ trapmsglen = 1;
+ } else {
+ if (msglen + 2 + 1 + sizeof(ipf_trap0_2) >= 128)
+ trapmsglen = 2;
+ else
+ trapmsglen = 1;
+ }
+ t = s + trapmsglen;
+ bcopy(ipf_trap0_2, t, sizeof(ipf_trap0_2));
+ t += sizeof(ipf_trap0_2);
+
+ *t++ = 0x4; /* Octet string */
+ n = writelength(t, msglen);
+ t += n;
+ bcopy(msg, t, msglen);
+ t += msglen;
+
+ len = t - s - trapmsglen;
+ writelength(s, len);
+
+ len = t - varlen - varlensz;
+ writelength(varlen, len); /* pdu length */
+
+ len = t - pdulen - pdulensz;
+ writelength(pdulen, len); /* pdu length */
+
+ len = t - buffer - baselensz - 1;
+ writelength(buffer + 1, len); /* length of trap */
+
+ return t - buffer;
+}
+
+
+int
+sendtrap_v2_0(fd, community, msg, msglen)
+ int fd;
+ char *community, *msg;
+ int msglen;
+{
+
+ u_char buffer[1500];
+ int n;
+
+ n = maketrap_v2(community, buffer, sizeof(buffer),
+ (u_char *)msg, msglen);
+ if (n > 0) {
+ return send(fd, buffer, n, 0);
+ }
+
+ return 0;
+}
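Review bot: maketrap_v2 guards the 1500-byte stack buffer from sendtrap_v2_0 only with `basesize + 8 > bufsize`, and `basesize` is built from a signed `msglen`, so a negative `msglen` would pass the check and reach `bcopy(msg, t, msglen)`. Whether a caller can supply one is not visible in this file, but the function should reject it itself. The same early check, placed right after the `def_community` fallback, should bound the community string, since `*s++ = strlen(community)` writes a single length byte that is valid BER short form only up to 127: `if (msglen < 0 || strlen(community) > 127) return 0;`. The length slots are also too small for larger messages: at most two bytes are reserved for the outer sequence, `pdulen`, `varlen` and the trap-message sequence, while `writelength` emits three bytes once the value exceeds 0xff and so overwrites the byte after the slot. Elsewhere in the file, `writeint` has `n / 327678` where the line above uses `32768`, `snmpv2_print` passes `sizeof(snmpv2->sin6.sin6_addr)` to inet_ntop as the size of `buf` (it should be `sizeof(buf)`, and a NULL return then reaches `%s`), and `snmpv2_parse` uses the result of `strdup` without a NULL check and leaks `str` when `calloc` fails.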
diff --git a/contrib/ipfilter/lib/tcpflags.c b/contrib/ipfilter/lib/tcpflags.c
index f01d7dc..feb3e8a 100644
--- a/contrib/ipfilter/lib/tcpflags.c
+++ b/contrib/ipfilter/lib/tcpflags.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: tcpflags.c,v 1.3.4.1 2006/06/16 17:21:17 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -26,7 +26,7 @@ extern u_char flags[];
u_char tcpflags(flgs)
-char *flgs;
+ char *flgs;
{
u_char tcpf = 0;
char *s, *t;
diff --git a/contrib/ipfilter/lib/tcpoptnames.c b/contrib/ipfilter/lib/tcpoptnames.c
index 25e3b27..24e41bb 100644
--- a/contrib/ipfilter/lib/tcpoptnames.c
+++ b/contrib/ipfilter/lib/tcpoptnames.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: tcpoptnames.c,v 1.5.4.1 2006/06/16 17:21:17 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/v6ionames.c b/contrib/ipfilter/lib/v6ionames.c
index b57b301..9f1207f 100644
--- a/contrib/ipfilter/lib/v6ionames.c
+++ b/contrib/ipfilter/lib/v6ionames.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: v6ionames.c,v 1.1.4.3 2006/06/16 17:21:18 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -16,10 +16,10 @@ struct ipopt_names v6ionames[] ={
{ IPPROTO_HOPOPTS, 0x000001, 0, "hopopts" },
{ IPPROTO_IPV6, 0x000002, 0, "ipv6" },
{ IPPROTO_ROUTING, 0x000004, 0, "routing" },
- { IPPROTO_FRAGMENT, 0x000008, 0, "frag" },
+ { IPPROTO_FRAGMENT, 0x000008, 0, "frag" },
{ IPPROTO_ESP, 0x000010, 0, "esp" },
{ IPPROTO_AH, 0x000020, 0, "ah" },
- { IPPROTO_NONE, 0x000040, 0, "none" },
+ { IPPROTO_NONE, 0x000040, 0, "none" },
{ IPPROTO_DSTOPTS, 0x000080, 0, "dstopts" },
{ IPPROTO_MOBILITY, 0x000100, 0, "mobility" },
{ 0, 0, 0, (char *)NULL }
diff --git a/contrib/ipfilter/lib/v6optvalue.c b/contrib/ipfilter/lib/v6optvalue.c
index a60d076..a6eff92 100644
--- a/contrib/ipfilter/lib/v6optvalue.c
+++ b/contrib/ipfilter/lib/v6optvalue.c
@@ -1,18 +1,18 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: v6optvalue.c,v 1.1.4.1 2006/06/16 17:21:18 darrenr Exp $
+ * $Id$
*/
#include "ipf.h"
u_32_t getv6optbyname(optname)
-char *optname;
+ char *optname;
{
#ifdef USE_INET6
struct ipopt_names *io;
@@ -26,7 +26,7 @@ char *optname;
u_32_t getv6optbyvalue(optval)
-int optval;
+ int optval;
{
#ifdef USE_INET6
struct ipopt_names *io;
diff --git a/contrib/ipfilter/lib/var.c b/contrib/ipfilter/lib/var.c
index 4a62d7a..e61c8d1 100644
--- a/contrib/ipfilter/lib/var.c
+++ b/contrib/ipfilter/lib/var.c
@@ -1,12 +1,12 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: var.c,v 1.4.2.3 2006/06/16 17:21:18 darrenr Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include <ctype.h>
@@ -25,7 +25,7 @@ static char *expand_string __P((char *, int));
static variable_t *find_var(name)
-char *name;
+ char *name;
{
variable_t *v;
@@ -37,8 +37,8 @@ char *name;
char *get_variable(string, after, line)
-char *string, **after;
-int line;
+ char *string, **after;
+ int line;
{
char c, *s, *t, *value;
variable_t *v;
@@ -84,8 +84,8 @@ int line;
static char *expand_string(oldstring, line)
-char *oldstring;
-int line;
+ char *oldstring;
+ int line;
{
char c, *s, *p1, *p2, *p3, *newstring, *value;
int len;
@@ -144,8 +144,8 @@ int line;
void set_variable(name, value)
-char *name;
-char *value;
+ char *name;
+ char *value;
{
variable_t *v;
int len;
diff --git a/contrib/ipfilter/lib/verbose.c b/contrib/ipfilter/lib/verbose.c
index f1b4516..710daab 100644
--- a/contrib/ipfilter/lib/verbose.c
+++ b/contrib/ipfilter/lib/verbose.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: verbose.c,v 1.6.4.1 2006/06/16 17:21:18 darrenr Exp $
+ * $Id$
*/
#if defined(__STDC__)
@@ -15,16 +15,16 @@
#endif
#include <stdio.h>
-#include "ipt.h"
+#include "ipf.h"
#include "opts.h"
#if defined(__STDC__)
-void verbose(char *fmt, ...)
+void verbose(int level, char *fmt, ...)
#else
-void verbose(fmt, va_alist)
-char *fmt;
-va_dcl
+void verbose(level, fmt, va_alist)
+ char *fmt;
+ va_dcl
#endif
{
va_list pvar;
@@ -35,3 +35,21 @@ va_dcl
vprintf(fmt, pvar);
va_end(pvar);
}
+
+
+#if defined(__STDC__)
+void ipfkverbose(char *fmt, ...)
+#else
+void ipfkverbose(fmt, va_alist)
+ char *fmt;
+ va_dcl
+#endif
+{
+ va_list pvar;
+
+ va_start(pvar, fmt);
+
+ if (opts & OPT_VERBOSE)
+ verbose(0x1fffffff, fmt, pvar);
+ va_end(pvar);
+}
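Review bot: ipfkverbose hands its `va_list` to a variadic function, `verbose(0x1fffffff, fmt, pvar)`, so verbose's own `va_start` treats `pvar` as the first format argument and the `vprintf(fmt, pvar)` shown in the context lines reads the conversions from the wrong place, which is undefined behaviour for any format that takes arguments. Printing directly avoids that: `if (opts & OPT_VERBOSE) vprintf(fmt, pvar);`, or split out a helper taking a `va_list` that both functions call. How verbose uses `level` lies outside the hunk, so the intent of the `0x1fffffff` value is not visible here and deserves a one-line comment.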
diff --git a/contrib/ipfilter/lib/vtof.c b/contrib/ipfilter/lib/vtof.c
new file mode 100644
index 0000000..fd1a984
--- /dev/null
+++ b/contrib/ipfilter/lib/vtof.c
@@ -0,0 +1,16 @@
+#include "ipf.h"
+
+int
+vtof(version)
+ int version;
+{
+#ifdef USE_INET6
+ if (version == 6)
+ return AF_INET6;
+#endif
+ if (version == 4)
+ return AF_INET;
+ if (version == 0)
+ return AF_UNSPEC;
+ return -1;
+}
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index 0b8f2a1..04e97fb 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index dfef858..aaa050d 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -46,7 +46,6 @@ active and inactive, respectively. All of these ioctl's are implemented
as being routing ioctls and thus the same rules for the various routing
ioctls and the file descriptor are employed, mainly being that the fd must
be that of the device associated with the module (i.e., /dev/ipl).
-.LP
.PP
The three groups of ioctls above perform adding rules to the end of the
list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
@@ -83,10 +82,10 @@ typedef struct frentry {
u_short fr_icmp;
u_char fr_scmp; /* data for port comparisons */
- u_char fr_dcmp;
+ u_char fr_dcmp;
u_short fr_dport;
u_short fr_sport;
- u_short fr_stop; /* top port for <> and >< */
+ u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_32_t fr_flags; /* per-rule flags && options (see below) */
u_short fr_skip; /* # of rules to skip */
@@ -96,7 +95,7 @@ typedef struct frentry {
char fr_ifname[IFNAMSIZ];
#if BSD > 199306
char fr_oifname[IFNAMSIZ];
-#endif
+#endif
struct frdest fr_tif; /* "to" interface */
struct frdest fr_dif; /* duplicate packet interfaces */
} frentry_t;
@@ -106,7 +105,6 @@ When adding a new rule, all unused fields (in the filter rule) should be
initialised to be zero. To insert a rule, at a particular position in the
filter list, the number of the rule which it is to be inserted before must
be put in the "fr_hits" field (the first rule is number 0).
-.LP
.PP
Flags which are recognised in fr_flags:
.nf
@@ -137,7 +135,7 @@ Flags which are recognised in fr_flags:
FR_NOTDSTIP 0x100000 /* not the dst IP# */
FR_AUTH 0x200000 /* use authentication */
FR_PREAUTH 0x400000 /* require preauthentication */
-
+
.fi
.PP
Values for fr_scomp and fr_dcomp (source and destination port value
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index 8bdaedc..3e5e9b2 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -1,557 +1,1698 @@
.\" $FreeBSD$
.TH IPF 5
.SH NAME
-ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
+ipf, ipf.conf \- IPFilter firewall rules file format
.SH DESCRIPTION
.PP
-A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parsable rules as output when displaying the internal
-kernel filter lists, it is quite plausible to use its output to feed back
-into \fBipf\fP. Thus, to remove all filters on input packets, the following
-could be done:
+The ipf.conf file is used to specify rules for the firewall, packet
+authentication and packet accounting components of IPFilter. To load rules
+specified in the ipf.conf file, the ipf(8) program is used.
+.PP
+For use as a firewall, there are two important rule types: those that block
+and drop packets (block rules) and those that allow packets through (pass
+rules.) Accompanying the decision to apply is a collection of statements
+that specify under what conditions the result is to be applied and how.
+.PP
+The simplest rules that can be used in ipf.conf are expressed like this:
+.PP
.nf
-
-\fC# ipfstat \-i | ipf \-rf \-\fP
+block in all
+pass out all
.fi
-.SH GRAMMAR
.PP
-The format used by \fBipf\fP for construction of filtering rules can be
-described using the following grammar in BNF:
-\fC
+Each rule must contain at least the following three components
+.RS
+.IP *
+a decision keyword (pass, block, etc.)
+.IP *
+the direction of the packet (in or out)
+.IP *
+address patterns or "all" to match any address information
+.RE
+.SS Long lines
+.PP
+For rules lines that are particularly long, it is possible to split
+them over multiple lines implicity like this:
+.PP
.nf
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] ip [ group ].
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | skip | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
- [ froute ] [ replyto ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-skip = "skip" decnumber .
-auth = "auth" | "preauth" .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name [ ":" ipaddr ] .
-froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
-replyto = "reply-to" interface-name [ ":" ipaddr ] .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" [ "!" ] object "to" [ "!" ] object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-return-code = "(" icmp-code ")" .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-addr = "any" | "<thishost>" | nummask |
- host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "(" icmp-code ")" .
-keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
-loglevel = facility"."priority | priority .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-state-options = state-opts [ "," state-options ] .
-
-state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
- "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "frag" | "opt" optname .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
- "addext" | "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
- "gt" | "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" .
-.fi
-.PP
-This syntax is somewhat simplified for readability, some combinations
-that match this grammar are disallowed by the software because they do
-not make sense (such as tcp \fBflags\fP for non-TCP packets).
-.SH FILTER RULES
-.PP
-The "briefest" valid rules are (currently) no-ops and are of the form:
-.nf
- block in all
- pass in all
- log out all
- count in all
-.fi
-.PP
-Filter rules are checked in order, with the last matching rule
-determining the fate of the packet (but see the \fBquick\fP option,
-below).
-.PP
-Filters are installed by default at the end of the kernel's filter
-lists, prepending the rule with \fB@n\fP will cause it to be inserted
-as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(8) for more
-information.
-.SH ACTIONS
-.PP
-The action indicates what to do with the packet if it matches the rest
-of the filter rule. Each rule MUST have an action. The following
-actions are recognised:
-.TP
-.B block
-indicates that the packet should be flagged to be dropped. In response
-to blocking a packet, the filter may be instructed to send a reply
-packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
-masquerading as being from the original packet's destination
-(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
-ICMP packet may be generated in response to any IP packet, and its
-type may optionally be specified, but a TCP reset may only be used
-with a rule which is being applied to TCP packets. When using
-\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
-the actual unreachable `type'. That is, whether it is a network
-unreachable, port unreachable or even administratively
-prohibited. This is done by enclosing the ICMP code associated with
-it in parenthesis directly following \fBreturn-icmp\fP or
-\fBreturn-icmp-as-dest\fP as follows:
-.nf
- block return-icmp(11) ...
-.fi
-.PP
-Would return a Type-Of-Service (TOS) ICMP unreachable error.
-.TP
-.B pass
-will flag the packet to be let through the filter.
-.TP
-.B log
-causes the packet to be logged (as described in the LOGGING section
-below) and has no effect on whether the packet will be allowed through
-the filter.
-.TP
-.B count
-causes the packet to be included in the accounting statistics kept by
-the filter, and has no effect on whether the packet will be allowed through
-the filter. These statistics are viewable with ipfstat(8).
-.TP
-.B call
-this action is used to invoke the named function in the kernel, which
-must conform to a specific calling interface. Customised actions and
-semantics can thus be implemented to supplement those available. This
-feature is for use by knowledgeable hackers, and is not currently
-documented.
-.TP
-.B "skip <n>"
-causes the filter to skip over the next \fIn\fP filter rules. If a rule is
-inserted or deleted inside the region being skipped over, then the value of
-\fIn\fP is adjusted appropriately.
-.TP
-.B auth
-this allows authentication to be performed by a user-space program running
-and waiting for packet information to validate. The packet is held for a
-period of time in an internal buffer whilst it waits for the program to return
-to the kernel the \fIreal\fP flags for whether it should be allowed through
-or not. Such a program might look at the source address and request some sort
-of authentication from the user (such as a password) before allowing the
-packet through or telling the kernel to drop it if from an unrecognised source.
-.TP
-.B preauth
-tells the filter that for packets of this class, it should look in the
-pre-authenticated list for further clarification. If no further matching
-rule is found, the packet will be dropped (the FR_PREAUTH is not the same
-as FR_PASS). If a further matching rule is found, the result from that is
-used in its instead. This might be used in a situation where a person
-\fIlogs in\fP to the firewall and it sets up some temporary rules defining
-the access for that person.
-.PP
-The next word must be either \fBin\fP or \fBout\fP. Each packet
-moving through the kernel is either inbound (just been received on an
-interface, and moving towards the kernel's protocol processing) or
-outbound (transmitted or forwarded by the stack, and on its way to an
-interface). There is a requirement that each filter rule explicitly
-state which side of the I/O it is to be used on.
-.SH OPTIONS
-.PP
-The list of options is brief, and all are indeed optional. Where
-options are used, they must be present in the order shown here. These
-are the currently supported options:
-.TP
-.B log
-indicates that, should this be the last matching rule, the packet
-header will be written to the \fBipl\fP log (as described in the
-LOGGING section below).
-.TP
-.B tag tagid
-indicates that, if this rule causes the packet to be logged or entered
-in the state table, the tagid will be logged as part of the log entry.
-This can be used to quickly match "similar" rules in scripts that post
-process the log files for e.g. generation of security reports or accounting
-purposes. The tagid is a 32 bit unsigned integer.
-.TP
-.B quick
-allows "short-cut" rules in order to speed up the filter or override
-later rules. If a packet matches a filter rule which is marked as
-\fBquick\fP, this rule will be the last rule checked, allowing a
-"short-circuit" path to avoid processing later rules for this
-packet. The current status of the packet (after any effects of the
-current rule) will determine whether it is passed or blocked.
+pass in on bgeo proto tcp from 1.1.1.1 port > 1000
+ to 2.2.2.2 port < 5000 flags S keep state
+.fi
+.PP
+or explicitly using the backslash ('\\') character:
+.PP
+.nf
+pass in on bgeo proto tcp from 1.1.1.1 port > 1000 \\
+ to 2.2.2.2 port < 5000 flags S keep state
+.fi
+.SS Comments
+.PP
+Comments in the ipf.conf file are indicated by the use of the '#' character.
+This can either be at the start of the line, like this:
+.PP
+.nf
+# Allow all ICMP packets in
+pass in proto icmp from any to any
+.fi
+.PP
+Or at the end of a like, like this:
+.PP
+.nf
+pass in proto icmp from any to any # Allow all ICMP packets in
+.fi
+.SH Firewall rules
+.PP
+This section goes into detail on how to construct firewall rules that
+are placed in the ipf.conf file.
+.PP
+It is beyond the scope of this document to describe what makes a good
+firewall rule set or which packets should be blocked or allowed in.
+Some suggestions will be provided but further reading is expected to
+fully understand what is safe and unsafe to allow in/out.
+.SS Filter rule keywords
+.PP
+The first word found in any filter rule describes what the eventual outcome
+of a packet that matches it will be. Descriptions of the many and various
+sections that can be used to match on the contents of packet headers will
+follow on below.
+.PP
+The complete list of keywords, along with what they do is as follows:
+.RS
+.HP
+pass
+rules that match a packet indicate to ipfilter that it should be
+allowed to continue on in the direction it is flowing.
+.HP
+block
+rules are used when it is desirable to prevent a packet from going
+any further. Packets that are blocked on the "in" side are never seen by
+TCP/IP and those that are blocked going "out" are never seen on the wire.
+.HP
+log
+when IPFilter successfully matches a packet against a log rule a log
+record is generated and made available for ipmon(8) to read. These rules
+have no impact on whether or not a packet is allowed through or not.
+So if a packet first matched a block rule and then matched a log rule,
+the status of the packet after the log rule is that it will still be
+blocked.
+.HP
+count
+rules provide the administrator with the ability to count packets and
+bytes that match the criteria laid out in the configuration file.
+The count rules are applied after NAT and filter rules on the inbound
+path. For outbound packets, count rules are applied before NAT and
+before the packet is dropped. Thus the count rule cannot be used as
+a true indicator of link layer
+.HP
+auth
+rules cause the matching packet to be queued up for processing by a
+user space program. The user space program is responsible for making
+an ioctl system call to collect the information about the queued
+packet and another ioctl system call to return the verdict (block,
+pass, etc) on what to do with the packet. In the event that the queue
+becomes full, the packets will end up being dropped.
+.HP
+call
+provides access to functions built into IPFilter that allow for more
+complex actions to be taken as part of the decision making that goes
+with the rule.
+.HP
+decapsulate
+rules instruct ipfilter to remove any
+other headers (IP, UDP, AH) and then process what is inside as a new packet.
+For non-UDP packets, there are builtin checks that are applied in addition
+to whatever is specified in the rule, to only allow decapsulation of
+recognised protocols. After decapsulating the inner packet, any filtering
+result that is applied to the inner packet is also applied to the other
+packet.
+.PP
+The default way in which filter rules are applied is for the last
+matching rule to be used as the decision maker. So even if the first
+rule to match a packet is a pass, if there is a later matching rule
+that is a block and no further rules match the packet, then it will
+be blocked.
+.SS Matching Network Interfaces
+.PP
+On systems with more than one network interface, it is necessary
+to be able to specify different filter rules for each of them.
+In the first instance, this is because different networks will send us
+packets via each network interface but it is also because of the hosts,
+the role and the resulting security policy that we need to be able to
+distinguish which network interface a packet is on.
+.PP
+To accomodate systems where the presence of a network interface is
+dynamic, it is not necessary for the network interface named in a
+filter rule to be present in the system when the rule is loaded.
+This can lead to silent errors being introduced and unexpected
+behaviour with the simplest of keyboard mistakes - for example,
+typing in hem0 instead of hme0 or hme2 instead of hme3.
+.PP
+On Solaris systems prior to Solaris 10 Update 4, it is not possible
+to filter packets on the loopback interface (lo0) so filter rules
+that specify it will have no impact on the corresponding flow of
+packets. See below for Solaris specific tips on how to enable this.
+.PP
+Some examples of including the network interface in filter rules are:
+.PP
+.nf
+block in on bge0 all
+pass out on bge0 all
+.fi
+.SS Address matching (basic)
+.PP
+The first and most basic part of matching for filtering rules is to
+specify IP addresses and TCP/UDP port numbers. The source address
+information is matched by the "from" information in a filter rule
+and the destination address information is matched with the "to"
+information in a filter rule.
+.PP
+The typical format used for IP addresses is CIDR notation, where an
+IP address (or network) is followed by a '/' and a number representing
+the size of the netmask in bits. This notation is used for specifying
+address matching in both IPv4 and IPv6. If the '/' and bitmask size
+are excluded from the matching string, it is assumed that the address
+specified is a host address and that the netmask applied should be
+all 1's.
+.PP
+Some examples of this are:
+.PP
+.nf
+pass in from 10.1.0.0/24 to any
+block out from any to 10.1.1.1
+.fi
+.PP
+It is not possible to specify a range of addresses that does not
+have a boundary that can be defined by a standard subnet mask.
+.IP
+.B Names instead of addresses
+.RS
+.PP
+Hostnames, resolved either via DNS or /etc/hosts, or network names,
+resolved via /etc/networks, may be used in place of actual addresses
+in the filter rules. WARNING: if a hostname expands to more than one
+address, only the *first* is used in building the filter rule.
+.PP
+Caution should be exercised when relying on DNS for filter rules in
+case the sending and receiving of DNS packets is blocked when ipf(8)
+is processing that part of the configuration file, leading to long
+delays, if not errors, in loading the filter rules.
+.RE
+.SS Protocol Matching
+.PP
+To match packets based on TCP/UDP port information, it is first necessary
+to indicate which protocol the packet must be. This is done using the
+"proto" keyword, followed by either the protocol number or a name which
+is mapped to the protocol number, usually through the /etc/protocols file.
+.PP
+.nf
+pass in proto tcp from 10.1.0.0/24 to any
+block out proto udp from any to 10.1.1.1
+pass in proto icmp from any to 192.168.0.0/16
+.fi
+.SS Sending back error packets
+.PP
+When a packet is just discarded using a block rule, there is no feedback given
+to the host that sent the packet. This is both good and bad. If this is the
+desired behaviour and it is not desirable to send any feedback about packets
+that are to be denied. The catch is that often a host trying to connect to a
+TCP port or with a UDP based application will send more than one packet
+because it assumes that just one packet may be discarded so a retry is
+required. The end result being logs can become cluttered with duplicate
+entries due to the retries.
+.PP
+To address this problem, a block rule can be qualified in two ways.
+The first of these is specific to TCP and instructs IPFilter to send back
+a reset (RST) packet. This packet indicates to the remote system that the
+packet it sent has been rejected and that it shouldn't make any further
+attempts to send packets to that port. Telling IPFilter to return a TCP
+RST packet in response to something that has been received is achieved
+with the return-rst keyword like this:
+.PP
+.nf
+block return-rst in proto tcp from 10.0.0.0/8 to any
+.fi
+.PP
+When sending back a TCP RST packet, IPFilter must construct a new packet
+that has the source address of the intended target, not the source address
+of the system it is running on (if they are different.)
+.PP
+For all of the other protocols handled by the IP protocol suite, to send
+back an error indicating that the received packet was dropped requires
+sending back an ICMP error packet. Whilst these can also be used for TCP,
+the sending host may not treat the received ICMP error as a hard error
+in the same way as it does the TCP RST packet. To return an ICMP error
+it is necessary to place return-icmp after the block keyword like this:
+.PP
+.nf
+block return-icmp in proto udp from any to 192.168.0.1/24
+.fi
+.PP
+When electing to return an ICMP error packet, it is also possible to
+select what type of ICMP error is returned. Whilst the full compliment
+of ICMP unreachable codes can be used by specifying a number instead of
+the string below, only the following should be used in conjunction with
+return-icmp. Which return code to use is a choice to be made when
+weighing up the pro's and con's. Using some of the codes may make it
+more obvious that a firewall is being used rather than just the host
+not responding.
+.RS
+.HP
+filter-prohib
+(prohibited by filter)
+sending packets to the destination given in the received packet is
+prohibited due to the application of a packet filter
+.HP
+net-prohib
+(prohibited network)
+sending packets to the destination given in the received packet is
+administratively prohibited.
+.HP
+host-unk
+(host unknown)
+the destination host address is not known by the system receiving
+the packet and therefore cannot be reached.
+.HP
+host-unr
+(host unreachable)
+it is not possible to reach the host as given by the destination address
+in the packet header.
+.HP
+net-unk
+(network unknown)
+the destination network address is not known by the system receiving
+the packet and therefore cannot be reached.
+.HP
+net-unr
+(network unreachable)
+it is not possible to forward the packet on to its final destination
+as given by the destination address
+.HP
+port-unr
+(port unreachable)
+there is no application using the given destination port and therefore
+it is not possible to reach that port.
+.HP
+proto-unr
+(protocol unreachable)
+the IP protocol specified in the packet is not available to receive
+packets.
+.DE
+.PP
+An example that shows how to send back a port unreachable packet for
+UDP packets to 192.168.1.0/24 is as follows:
+.PP
+.nf
+block return-icmp(port-unr) in proto udp from any to 192.168.1.0/24
+.fi
+.PP
+In the above examples, when sending the ICMP packet, IPFilter will construct
+a new ICMP packet with a source address of the network interface used to
+send the packet back to the original source. This can give away that there
+is an intermediate system blocking packets. To have IPFilter send back
+ICMP packets where the source address is the original destination, regardless
+of whether or not it is on the local host, return-icmp-as-dest is used like
+this:
+.PP
+.nf
+block return-icmp-as-dest(port-unr) in proto udp \\
+ from any to 192.168.1.0/24
+.fi
+.SS TCP/UDP Port Matching
+.PP
+Having specified which protocol is being matched, it is then possible to
+indicate which port numbers a packet must have in order to match the rule.
+Due to port numbers being used differently to addresses, it is therefore
+possible to match on them in different ways. IPFilter allows you to use
+the following logical operations:
+.IP "< x"
+is true if the port number is greater than or equal to x and less than or
+equal to y
+is true if the port number in the packet is less than x
+.IP "<= x"
+is true if the port number in the packet is less than or equal to x
+.IP "> x"
+is true if the port number in the packet is greater than x
+.IP ">= x"
+is true if the port number in the packet is greater or equal to x
+.IP "= x"
+is true if the port number in the packet is equal to x
+.IP "!= x"
+is true if the port number in the packet is not equal to x
+.PP
+Additionally, there are a number of ways to specify a range of ports:
+.IP "x <> y"
+is true if the port number is less than a and greater than y
+.IP "x >< y"
+is true if the port number is greater than x and less than y
+.IP "x:y"
+is true if the port number is greater than or equal to x and less than or
+equal to y
+.PP
+Some examples of this are:
+.PP
+.nf
+block in proto tcp from any port >= 1024 to any port < 1024
+pass in proto tcp from 10.1.0.0/24 to any port = 22
+block out proto udp from any to 10.1.1.1 port = 135
+pass in proto udp from 1.1.1.1 port = 123 to 10.1.1.1 port = 123
+pass in proto tcp from 127.0.0.0/8 to any port = 6000:6009
+.fi
+.PP
+If there is no desire to mention any specific source or destintion
+information in a filter rule then the word "all" can be used to
+indicate that all addresses are considered to match the rule.
+.SS IPv4 or IPv6
+.PP
+If a filter rule is constructed without any addresses then IPFilter
+will attempt to match both IPv4 and IPv6 packets with it. In the
+next list of rules, each one can be applied to either network protocol
+because there is no address specified from which IPFilter can derive
+with network protocol to expect.
+.PP
+.nf
+pass in proto udp from any to any port = 53
+block in proto tcp from any port < 1024 to any
+.fi
+.PP
+To explicitly match a particular network address family with a specific
+rule, the family must be added to the rule. For IPv4 it is necessary to
+add family inet and for IPv6, family inet6. Thus the next rule will
+block all packets (both IPv4 and IPv6:
+.PP
+.nf
+block in all
+.fi
+.PP
+but in the following example, we block all IPv4 packets and only allow
+in IPv6 packets:
+.PP
+.nf
+block in family inet all
+pass in family inet6 all
+.fi
+.PP
+To continue on from the example where we allowed either IPv4 or IPv6
+packets to port 53 in, to change that such that only IPv6 packets to
+port 53 need to allowed blocked then it is possible to add in a
+protocol family qualifier:
+.PP
+.nf
+pass in family inet6 proto udp from any to any port = 53
+.fi
+.SS First match vs last match
+.PP
+To change the default behaviour from being the last matched rule decides
+the outcome to being the first matched rule, the word "quick" is inserted
+to the rule.
+.SH Extended Packet Matching
+.SS Beyond using plain addresses
+.PP
+On firewalls that are working with large numbers of hosts and networks
+or simply trying to filter discretely against various hosts, it can
+be an easier administration task to define a pool of addresses and have
+a filter rule reference that address pool rather than have a rule for
+each address.
+.PP
+In addition to being able to use address pools, it is possible to use
+the interface name(s) in the from/to address fields of a rule. If the
+name being used in the address section can be matched to any of the
+interface names mentioned in the rule's "on" or "via" fields then it
+can be used with one of the following keywords for extended effect:
+.HP
+broadcast
+use the primary broadcast address of the network interface for matching
+packets with this filter rule;
.IP
-If this option is missing, the rule is taken to be a "fall-through"
-rule, meaning that the result of the match (block/pass) is saved and
-that processing will continue to see if there are any more matches.
-.TP
-.B on
-allows an interface name to be incorporated into the matching
-procedure. Interface names are as printed by "netstat \-i". If this
-option is used, the rule will only match if the packet is going
-through that interface in the specified direction (in/out). If this
-option is absent, the rule is taken to be applied to a packet
-regardless of the interface it is present on (i.e. on all interfaces).
-Filter rulesets are common to all interfaces, rather than having a
-filter list for each interface.
+.nf
+pass in on fxp0 proto udp from any to fxp0/broadcast port = 123
+.fi
+.HP
+peer
+use the peer address on point to point network interfaces for matching
+packets with this filter rule. This option typically only has meaningful
+use with link protocols such as SLIP and PPP.
+For example, this rule allows ICMP packets from the remote peer of ppp0
+to be received if they're destined for the address assigned to the link
+at the firewall end.
.IP
-This option is especially useful for simple IP-spoofing protection:
-packets should only be allowed to pass inbound on the interface from
-which the specified source address would be expected, others may be
-logged and/or dropped.
-.TP
-.B dup-to
-causes the packet to be copied, and the duplicate packet to be sent
-outbound on the specified interface, optionally with the destination
-IP address changed to that specified. This is useful for off-host
-logging, using a network sniffer.
-.TP
-.B to
-causes the packet to be moved to the outbound queue on the
-specified interface. This can be used to circumvent kernel routing
-decisions, and even to bypass the rest of the kernel processing of the
-packet (if applied to an inbound rule). It is thus possible to
-construct a firewall that behaves transparently, like a filtering hub
-or switch, rather than a router. The \fBfastroute\fP keyword is a
-synonym for this option.
-.SH MATCHING PARAMETERS
-.PP
-The keywords described in this section are used to describe attributes
-of the packet to be used when determining whether rules match or don't
-match. The following general-purpose attributes are provided for
-matching, and must be used in this order:
-.TP
-.B tos
-packets with different Type-Of-Service values can be filtered.
-Individual service levels or combinations can be filtered upon. The
-value for the TOS mask can either be represented as a hex number or a
-decimal integer value.
-.TP
-.B ttl
-packets may also be selected by their Time-To-Live value. The value given in
-the filter rule must exactly match that in the packet for a match to occur.
-This value can only be given as a decimal integer value.
-.TP
-.B proto
-allows a specific protocol to be matched against. All protocol names
-found in \fB/etc/protocols\fP are recognised and may be used.
-However, the protocol may also be given as a DECIMAL number, allowing
-for rules to match your own protocols, or new ones which would
-out-date any attempted listing.
+.nf
+pass in on ppp0 proto icmp from ppp0/peer to ppp0/32
+.fi
+.HP
+netmasked
+use the primary network address, with its netmask, of the network interface
+for matching packets with this filter rule. If a network interface had an
+IP address of 192.168.1.1 and its netmask was 255.255.255.0 (/24), then
+using the word "netmasked" after the interface name would match any
+addresses that would match 192.168.1.0/24. If we assume that bge0 has
+this IP address and netmask then the following two rules both serve
+to produce the same effect:
.IP
-The special protocol keyword \fBtcp/udp\fP may be used to match either
-a TCP or a UDP packet, and has been added as a convenience to save
-duplication of otherwise-identical rules.
-.\" XXX grammar should reflect this (/etc/protocols)
-.PP
-The \fBfrom\fP and \fBto\fP keywords are used to match against IP
-addresses (and optionally port numbers). Rules must specify BOTH
-source and destination parameters.
-.PP
-IP addresses may be specified in one of two ways: as a numerical
-address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
-may either be a valid hostname, from either the hosts file or DNS
-(depending on your configuration and library) or of the dotted numeric
-form. There is no special designation for networks but network names
-are recognised. Note that having your filter rules depend on DNS
-results can introduce an avenue of attack, and is discouraged.
-.PP
-There is a special case for the hostname \fBany\fP which is taken to
-be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
-Only the presence of "any" has an implied mask, in all other
-situations, a hostname MUST be accompanied by a mask. It is possible
-to give "any" a hostmask, but in the context of this language, it is
-non-sensical.
-.PP
-The numerical format "x\fB/\fPy" indicates that a mask of y
-consecutive 1 bits set is generated, starting with the MSB, so a y value
-of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
-that the mask y is in dotted IP notation or a hexadecimal number of
-the form 0x12345678. Note that all the bits of the IP address
-indicated by the bitmask must match the address on the packet exactly;
-there isn't currently a way to invert the sense of the match, or to
-match ranges of IP addresses which do not express themselves easily as
-bitmasks (anthropomorphization; it's not just for breakfast anymore).
-.PP
-If a \fBport\fP match is included, for either or both of source and
-destination, then it is only applied to
-.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
-TCP and UDP packets. If there is no \fBproto\fP match parameter,
-packets from both protocols are compared. This is equivalent to "proto
-tcp/udp". When composing \fBport\fP comparisons, either the service
-name or an integer port number may be used. Port comparisons may be
-done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. When the port appears as part of the
-\fBfrom\fP object, it matches the source port number, when it appears
-as part of the \fBto\fP object, it matches the destination port number.
-See the examples for more information.
-.PP
-The \fBall\fP keyword is essentially a synonym for "from any to any"
-with no other match parameters.
-.PP
-Following the source and destination matching parameters, the
-following additional parameters may be used:
-.TP
-.B with
-is used to match irregular attributes that some packets may have
-associated with them. To match the presence of IP options in general,
-use \fBwith ipopts\fP. To match packets that are too short to contain
-a complete header, use \fBwith short\fP. To match fragmented packets,
-use \fBwith frag\fP. For more specific filtering on IP options,
-individual options can be listed.
+.nf
+pass in on bge0 proto icmp from any to 192.168.1.0/24
+pass in on bge0 proto icmp from any to bge0/netmasked
+.fi
+.HP
+network
+using the primary network address, and its netmask, of the network interface,
+construct an address for exact matching. If a network interface has an
+address of 192.168.1.1 and its netmask is 255.255.255.0, using this
+option would only match packets to 192.168.1.0.
.IP
-Before any parameter used after the \fBwith\fP keyword, the word
-\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
-match if the option(s) is not present.
+.nf
+pass in on bge0 proto icmp from any to bge0/network
+.fi
+.PP
+Another way to use the name of a network interface to get the address
+is to wrap the name in ()'s. In the above method, IPFilter
+looks at the interface names in use and to decide whether or not
+the name given is a hostname or network interface name. With the
+use of ()'s, it is possible to tell IPFilter that the name should
+be treated as a network interface name even though it doesn't
+appear in the list of network interface that the rule ias associated
+with.
.IP
-Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
-the keyword \fBand\fP may be used in place of \fBwith\fP, this is
-provided purely to make the rules more readable ("with ... and ...").
-When multiple clauses are listed, all those must match to cause a
-match of the rule.
-.\" XXX describe the options more specifically in a separate section
-.TP
-.B flags
-is only effective for TCP filtering. Each of the letters possible
-represents one of the possible flags that can be set in the TCP
-header. The association is as follows:
-.LP
-.nf
- F - FIN
- S - SYN
- R - RST
- P - PUSH
- A - ACK
- U - URG
+.nf
+pass in proto icmp from any to (bge0)/32
+.fi
+.SS Using address pools
+.PP
+Rather than list out multiple rules that either allow or deny specific
+addresses, it is possible to create a single object, call an address
+pool, that contains all of those addresses and reference that in the
+filter rule. For documentation on how to write the configuration file
+for those pools and load them, see ippool.conf(5) and ippool(8).
+There are two types of address pools that can be defined in ippool.conf(5):
+trees and hash tables. To refer to a tree defined in ippool.conf(5),
+use this syntax:
+.PP
+.nf
+pass in from pool/trusted to any
.fi
+.PP
+Either a name or number can be used after the '/', just so long as it
+matches up with something that has already been defined in ipool.conf(5)
+and loaded in with ippool(8). Loading a filter rule that references a
+pool that does not exist will result in an error.
+.PP
+If hash tables have been used in ippool.conf(5) to store the addresses
+in instead of a tree, then replace the word pool with hash:
.IP
-The various flag symbols may be used in combination, so that "SA"
-would represent a SYN-ACK combination present in a packet. There is
-nothing preventing the specification of combinations, such as "SFR",
-that would not normally be generated by law-abiding TCP
-implementations. However, to guard against weird aberrations, it is
-necessary to state which flags you are filtering against. To allow
-this, it is possible to set a mask indicating which TCP flags you wish
-to compare (i.e., those you deem significant). This is done by
-appending "/<flags>" to the set of TCP flags you wish to match
-against, e.g.:
-.LP
-.nf
- ... flags S
- # becomes "flags S/AUPRFS" and will match
- # packets with ONLY the SYN flag set.
-
- ... flags SA
- # becomes "flags SA/AUPRFS" and will match any
- # packet with only the SYN and ACK flags set.
+.nf
+pass in from any to hash/webservers
+.fi
+.PP
+There are different operational characteristics with each, so there
+may be some situations where a pool works better than hash and vice
+versa.
+.SS Matching TCP flags
+.PP
+The TCP header contains a field of flags that is used to decide if the
+packet is a connection request, connection termination, data, etc.
+By matching on the flags in conjunction with port numbers, it is
+possible to restrict the way in which IPFilter allows connections to
+be created. A quick overview of the TCP
+flags is below. Each is listed with the letter used in IPFilter
+rules, followed by its three or four letter pneumonic.
+.HP
+S
+SYN - this bit is set when a host is setting up a connection.
+The initiator typically sends a packet with the SYN bit and the
+responder sends back SYN plus ACK.
+.HP
+A
+ACK - this bit is set when the sender wishes to acknowledge the receipt
+of a packet from another host
+.HP
+P
+PUSH - this bit is set when a sending host has send some data that
+is yet to be acknowledged and a reply is sought
+.HP
+F
+FIN - this bit is set when one end of a connection starts to close
+the connection down
+.HP
+U
+URG - this bit is set to indicate that the packet contains urgent data
+.HP
+R
+RST - this bit is set only in packets that are a reply to another
+that has been received but is not targetted at any open port
+.HP
+C
+CWN
+.HP
+E
+ECN
+.PP
+When matching TCP flags, it is normal to just list the flag that you
+wish to be set. By default the set of flags it is compared against
+is "FSRPAU". Rules that say "flags S" will be displayed by ipfstat(8)
+as having "flags S/FSRPAU". This is normal.
+The last two flags, "C" and "E", are optional - they
+may or may not be used by an end host and have no bearing on either
+the acceptance of data nor control of the connection. Masking them
+out with "flags S/FSRPAUCE" may cause problems for remote hosts
+making a successful connection.
+.PP
+.nf
+pass in quick proto tcp from any to any port = 22 flags S/SAFR
+pass out quick proto tcp from any port = 22 to any flags SA
+.fi
+.PP
+By itself, filtering based on the TCP flags becomes more work but when
+combined with stateful filtering (see below), the situation changes.
+.SS Matching on ICMP header information
+.PP
+The TCP and UDP are not the only protocols for which filtering beyond
+just the IP header is possible, extended matching on ICMP packets is
+also available. The list of valid ICMP types is different for IPv4
+vs IPv6.
+.PP
+As a practical example, to allow the ping command to work
+against a specific target requires allowing two different types of
+ICMP packets, like this:
+.PP
+.nf
+pass in proto icmp from any to webserver icmp-type echo
+pass out proto icmp from webserver to any icmp-type echorep
+.fi
+.PP
+The ICMP header has two fields that are of interest for filtering:
+the ICMP type and code. Filter rules can accept either a name or
+number for both the type and code. The list of names supported for
+ICMP types is listed below, however only ICMP unreachable errors
+have named codes (see above.)
+.PP
+The list of ICMP types that are available for matching an IPv4 packet
+are as follows:
+.PP
+echo (echo request),
+echorep (echo reply),
+inforeq (information request),
+inforep (information reply),
+maskreq (mask request),
+maskrep (mask reply),
+paramprob (parameter problem),
+redir (redirect),
+routerad (router advertisement),
+routersol (router solicit),
+squence (source quence),
+timest (timestamp),
+timestreq (timestamp reply),
+timex (time exceeded),
+unreach (unreachable).
+.PP
+The list of ICMP types that are available for matching an IPv6 packet
+are as follows:
+.PP
+echo (echo request),
+echorep (echo reply),
+fqdnquery (FQDN query),
+fqdnreply (FQDN reply),
+inforeq (information request),
+inforep (information reply),
+listendone (MLD listener done),
+listendqry (MLD listener query),
+listendrep (MLD listener reply),
+neighadvert (neighbour advert),
+neighborsol (neighbour solicit),
+paramprob (parameter problem),
+redir (redirect),
+renumber (router renumbering),
+routerad (router advertisement),
+routersol (router solicit),
+timex (time exceeded),
+toobig (packet too big),
+unreach (unreachable,
+whoreq (WRU request),
+whorep (WRU reply).
+.SH Stateful Packet Filtering
+.PP
+Stateful packet filtering is where IPFilter remembers some information from
+one or more packets that it has seen and is able to apply it to future
+packets that it receives from the network.
+.PP
+What this means for each transport layer protocol is different.
+For TCP it means that if IPFilter
+sees the very first packet of an attempt to make a connection, it has enough
+information to allow all other subsequent packets without there needing to
+be any explicit rules to match them. IPFilter uses the TCP port numbers,
+TCP flags, window size and sequence numbers to determine which packets
+should be matched. For UDP, only the UDP port numbers are available.
+For ICMP, the ICMP types can be combined with the ICMP id field to
+determine which reply packets match a request/query that has already
+been seen. For all other protocols, only matching on IP address and
+protocol number is available for determining if a packet received is a mate
+to one that has already been let through.
+.PP
+The difference this makes is a reduction in the number of rules from
+2 or 4 to 1. For example, these 4 rules:
+.PP
+.nf
+pass in on bge0 proto tcp from any to any port = 22
+pass out on bge1 proto tcp from any to any port = 22
+pass in on bge1 proto tcp from any port = 22 to any
+pass out on bge0 proto tcp from any port = 22 to any
+.fi
+.PP
+can be replaced with this single rule:
+.PP
+.nf
+pass in on bge0 proto tcp from any to any port = 22 flags S keep state
+.fi
+.PP
+Similar rules for UDP and ICMP might be:
+.PP
+.nf
+pass in on bge0 proto udp from any to any port = 53 keep state
+pass in on bge0 proto icmp all icmp-type echo keep state
+.fi
+.PP
+When using stateful filtering with TCP it is best to add "flags S" to the
+rule to ensure that state is only created when a packet is seen that is
+an indication of a new connection. Although IPFilter can gather some
+information from packets in the middle of a TCP connection to do stateful
+filtering, there are some options that are only sent at the start of the
+connection which alter the valid window of what TCP accepts. The end result
+of trying to pickup TCP state in mid connection is that some later packets
+that are part of the connection may not match the known state information
+and be dropped or blocked, causing problems. If a TCP packet matches IP
+addresses and port numbers but does not fit into the recognised window,
+it will not be automatically allowed and will be flagged inside of
+IPFitler as "out of window" (oow). See below, "Extra packet attributes",
+for how to match on this attribute.
+.PP
+Once a TCP connection has reached the established state, the default
+timeout allows for it to be idle for 5 days before it is removed from
+the state table. The timeouts for the other TCP connection states
+vary from 240 seconds to 30 seconds.
+Both UDP and ICMP state entries have asymetric timeouts where the timeout
+set upon seeing packets in the forward direction is much larger than
+for the reverse direction. For UDP the default timeouts are 120 and
+12 seconds, for ICMP 60 and 6 seconds. This is a reflection of the
+use of these protocols being more for query-response than for ongoing
+connections. For all other protocols the
+timeout is 60 seconds in both directions.
+.SS Stateful filtering options
+.PP
+The following options can be used with stateful filtering:
+.HP
+limit
+limit the number of state table entries that this rule can create to
+the number given after limit. A rule that has a limit specified is
+always permitted that many state table entries, even if creating an
+additional entry would cause the table to have more entries than the
+otherwise global limit.
+.IP
+.nf
+pass ... keep state(limit 100)
+.fi
+.HP
+age
+sets the timeout for the state entry when it sees packets going through
+it. Additionally it is possible to set the tieout for the reply packets
+that come back through the firewall to a different value than for the
+forward path. allowing a short timeout to be set after the reply has
+been seen and the state no longer required.
+.RS
+.PP
+.nf
+pass in quick proto icmp all icmp-type echo \\
+ keep state (age 3)
+pass in quick proto udp from any \\
+ to any port = 53 keep state (age 30/1)
+.fi
+.RE
+.HP
+strict
+only has an impact when used with TCP. It forces all packets that are
+allowed through the firewall to be sequential: no out of order delivery
+of packets is allowed. This can cause significant slowdown for some
+connections and may stall others. Use with caution.
+.IP
+.nf
+pass in proto tcp ... keep state(strict)
+.fi
+.HP
+noicmperr
+prevents ICMP error packets from being able to match state table entries
+created with this flag using the contents of the original packet included.
+.IP
+.nf
+pass ... keep state(noicmperr)
+.fi
+.HP
+sync
+indicates to IPFilter that it needs to provide information to the user
+land daemons responsible for syncing other machines state tables up
+with this one.
+.IP
+.nf
+pass ... keep state(sync)
+.fi
+.HP
+nolog
+do not generate any log records for the creation or deletion of state
+table entries.
+.IP
+.nf
+pass ... keep state(nolog)
+.fi
+.HP
+icmp-head
+rather than just precent ICMP error packets from being able to match
+state table entries, allow an ACL to be processed that can filter in or
+out ICMP error packets based as you would with normal firewall rules.
+The icmp-head option requires a filter rule group number or name to
+be present, just as you would use with head.
+.RS
+.PP
+.nf
+pass in quick proto tcp ... keep state(icmp-head 101)
+block in proto icmp from 10.0.0.0/8 to any group 101
+.fi
+.RE
+.HP
+max-srcs
+allows the number of distinct hosts that can create a state entry to
+be defined.
+.IP
+.nf
+pass ... keep state(max-srcs 100)
+pass ... keep state(limit 1000, max-srcs 100)
+.fi
+.HP
+max-per-src
+whilst max-srcs limits the number of individual hosts that may cause
+the creation of a state table entry, each one of those hosts is still
+table to fill up the state table with new entries until the global
+maximum is reached. This option allows the number of state table entries
+per address to be limited.
+.IP
+.nf
+pass ... keep state(max-srcs 100, max-per-src 1)
+pass ... keep state(limit 100, max-srcs 100, max-per-src 1)
+.fi
+.IP
+Whilst these two rules might seem identical, in that they both
+ultimately limit the number of hosts and state table entries created
+from the rule to 100, there is a subtle difference: the second will
+always allow up to 100 state table entries to be created whereas the
+first may not if the state table fills up from other rules.
+.IP
+Further, it is possible to specify a netmask size after the per-host
+limit that enables the per-host limit to become a per-subnet or
+per-network limit.
+.IP
+.nf
+pass ... keep state(max-srcs 100, max-per-src 1/24)
+.fi
+.IP
+If there is no IP protocol implied by addresses or other features of
+the rule, IPFilter will assume that no netmask is an all ones netmask
+for both IPv4 and IPv6.
+.SS Tieing down a connection
+.PP
+For any connection that transits a firewall, each packet will be seen
+twice: once going in and once going out. Thus a connection has 4 flows
+of packets:
+.HP
+forward
+inbound packets
+.HP
+forward
+outbound packets
+.HP
+reverse
+inbound packets
+.HP
+reverse
+outbound packets
+.PP
+IPFilter allows you to define the network interface to be used at all
+four points in the flow of packets. For rules that match inbound packets,
+out-via is used to specify which interfaces the packets go out, For rules
+that match outbound packets, in-via is used to match the inbound packets.
+In each case, the syntax generalises to this:
+.PP
+.nf
+pass ... in on forward-in,reverse-in \\
+ out-via forward-out,reverse-out ...
- ... flags S/SA
- # will match any packet with just the SYN flag set
- # out of the SYN-ACK pair; the common "establish"
- # keyword action. "S/SA" will NOT match a packet
- # with BOTH SYN and ACK set, but WILL match "SFP".
-.fi
-.TP
-.B icmp-type
-is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjunction with \fBflags\fP. There are a number of types, which can be
-referred to by an abbreviation recognised by this language, or the numbers
-with which they are associated can be used. The most important from
-a security point of view is the ICMP redirect.
-.SH KEEP HISTORY
-.PP
-The second last parameter which can be set for a filter rule is whether or not
-to record historical information for that packet, and what sort to keep. The
-following information can be kept:
-.TP
-.B state
-keeps information about the flow of a communication session. State can
-be kept for TCP, UDP, and ICMP packets.
-.TP
-.B frags
-keeps information on fragmented packets, to be applied to later
-fragments.
-.PP
-allowing packets which match these to flow straight through, rather
-than going through the access control list.
-.SH GROUPS
-The last pair of parameters control filter rule "grouping". By default, all
-filter rules are placed in group 0 if no other group is specified. To add a
-rule to a non-default group, the group must first be started by creating a
-group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
-group, the filter processing then switches to the group, using that rule as
-the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
-processing isn't stopped until it has returned from processing the group.
-.PP
-A rule may be both the head for a new group and a member of a non-default
-group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
-.TP
-.B "head <n>"
-indicates that a new group (number n) should be created.
-.TP
-.B "group <n>"
-indicates that the rule should be put in group (number n) rather than group 0.
-.SH LOGGING
-.PP
-When a packet is logged, with either the \fBlog\fP action or option,
-the headers of the packet are written to the \fBipl\fP packet logging
-pseudo-device. Immediately following the \fBlog\fP keyword, the
-following qualifiers may be used (in order):
-.TP
-.B body
-indicates that the first 128 bytes of the packet contents will be
-logged after the headers.
-.TP
-.B first
-If log is being used in conjunction with a "keep" option, it is recommended
-that this option is also applied so that only the triggering packet is logged
-and not every packet which thereafter matches state information.
-.TP
-.B or-block
-indicates that, if for some reason the filter is unable to log the
-packet (such as the log reader being too slow) then the rule should be
-interpreted as if the action was \fBblock\fP for this packet.
-.TP
-.B "level <loglevel>"
-indicates what logging facility and priority, or just priority with
-the default facility being used, will be used to log information about
-this packet using ipmon's -s option.
-.PP
-See ipl(4) for the format of records written
-to this device. The ipmon(8) program can be used to read and format
-this log.
-.SH EXAMPLES
-.PP
-The \fBquick\fP option is good for rules such as:
-\fC
-.nf
-block in quick from any to any with ipopts
-.fi
-.PP
-which will match any packet with a non-standard header length (IP
-options present) and abort further processing of later rules,
-recording a match and also that the packet should be blocked.
-.PP
-The "fall-through" rule parsing allows for effects such as this:
-.LP
-.nf
- block in from any to any port < 6000
- pass in from any to any port >= 6000
- block in from any to any port > 6003
-.fi
-.PP
-which sets up the range 6000-6003 as being permitted and all others being
-denied. Note that the effect of the first rule is overridden by subsequent
-rules. Another (easier) way to do the same is:
-.LP
-.nf
- block in from any to any port 6000 <> 6003
- pass in from any to any port 5999 >< 6004
-.fi
-.PP
-Note that both the "block" and "pass" are needed here to effect a
-result as a failed match on the "block" action does not imply a pass,
-only that the rule hasn't taken effect. To then allow ports < 1024, a
-rule such as:
-.LP
-.nf
- pass in quick from any to any port < 1024
-.fi
-.PP
-would be needed before the first block. To create a new group for
-processing all inbound packets on le0/le1/lo0, with the default being to block
-all inbound packets, we would do something like:
-.LP
-.nf
- block in all
- block in quick on le0 all head 100
- block in quick on le1 all head 200
- block in quick on lo0 all head 300
+pass ... out on forward-out,reverse-out \\
+ in-via forward-in,reverse-in ...
+.fi
+.PP
+An example that pins down all 4 network interfaces used by an ssh
+connection might look something like this:
+.PP
+.nf
+pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\
+ from any to any port = 22 flags S keep state
+.fi
+.SS Working with packet fragments
+.PP
+Fragmented packets result in 1 packet containing all of the layer 3 and 4
+header information whilst the data is split across a number of other packets.
+.PP
+To enforce access control on fragmented packets, one of two approaches
+can be taken. The first is to allow through all of the data fragments
+(those that made up the body of the original packet) and rely on matching
+the header information in the "first" fragment, when it is seen. The
+reception of body fragments without the first will result in the receiving
+host being unable to completely reassemble the packet and discarding all
+of the fragments. The following three rules deny all fragmented packets
+from being received except those that are UDP and even then only allows
+those destined for port 2049 to be completed.
+.PP
+.nf
+block in all with frags
+pass in proto udp from any to any with frag-body
+pass in proto udp from any to any port = 2049 with frags
+.fi
+.PP
+Another mechanism that is available is to track "fragment state".
+This relies on the first fragment of a packet that arrives to be
+the fragment that contains all of the layer 3 and layer 4 header
+information. With the receipt of that fragment before any other,
+it is possible to determine which other fragments are to be allowed
+through without needing to explicitly allow all fragment body packets.
+An example of how this is done is as follows:
+.PP
+.nf
+pass in proto udp from any prot = 2049 to any with frags keep fags
+.fi
+.SH Building a tree of rules
+.PP
+Writing your filter rules as one long list of rules can be both inefficient
+in terms of processing the rules and difficult to understand. To make the
+construction of filter rules easier, it is possible to place them in groups.
+A rule can be both a member of a group and the head of a new group.
+.PP
+Using filter groups requires at least two rules: one to be in the group
+one one to send matchign packets to the group. If a packet matches a
+filtre rule that is a group head but does not match any of the rules
+in that group, then the packet is considered to have matched the head
+rule.
+.PP
+Rules that are a member of a group contain the word group followed by
+either a name or number that defines which group they're in. Rules that
+form the branch point or starting point for the group must use the
+word head, followed by either a group name or number. If rules are
+loaded in that define a group but there is no matching head then they
+will effectively be orphaned rules. It is possible to have more than
+one head rule point to the same group, allowing groups to be used
+like subroutines to implement specific common policies.
+.PP
+A common use of filter groups is to define head rules that exist in the
+filter "main line" for each direction with the interfaces in use. For
+example:
+.PP
+.nf
+block in quick on bge0 all head 100
+block out quick on bge0 all head 101
+block in quick on fxp0 all head internal-in
+block out quick on fxp0 all head internal-out
+pass in quick proto icmp all icmp-type echo group 100
+.fi
+.PP
+In the above set of rules, there are four groups defined but only one
+of them has a member rule. The only packets that would be allowed
+through the above ruleset would be ICMP echo packets that are
+received on bge0.
+.PP
+Rules can be both a member of a group and the head of a new group,
+allowing groups to specialise.
+.PP
+.nf
+block in quick on bge0 all head 100
+block in quick proto tcp all head 1006 group 100
+.fi
+.PP
+Another use of filter rule groups is to provide a place for rules to
+be dynamically added without needing to worry about their specific
+ordering amongst the entire ruleset. For example, if I was using this
+simple ruleset:
+.PP
+.nf
+block in quick all with bad
+block in proto tcp from any to any port = smtp head spammers
+pass in quick proto tcp from any to any port = smtp flags S keep state
+.fi
+.PP
+and I was getting lots of connections to my email server from 10.1.1.1
+to deliver spam, I could load the following rule to complement the above:
+.IP
+.nf
+block in quick from 10.1.1.1 to any group spammers
.fi
+.SS Decapsulation
.PP
+Rule groups also form a different but vital role for decapsulation rules.
+With the following simple rule, if IPFilter receives an IP packet that has
+an AH header as its layer 4 payload, IPFilter would adjust its view of the
+packet internally and then jump to group 1001 using the data beyond the
+AH header as the new transport header.
+.PP
+.nf
+decapsulate in proto ah all head 1001
+.fi
+.PP
+For protocols that
+are recognised as being used with tunnelling or otherwise encapsulating
+IP protocols, IPFilter is able to decide what it has on the inside
+without any assistance. Some tunnelling protocols use UDP as the
+transport mechanism. In this case, it is necessary to instruct IPFilter
+as to what protocol is inside UDP.
+.PP
+.nf
+decapsulate l5-as(ip) in proto udp from any \\
+ to any port = 1520 head 1001
+.fi
+.PP
+Currently IPFilter only supports finding IPv4 and IPv6 headers
+directly after the UDP header.
+.PP
+If a packet matches a decapsulate rule but fails to match any of the rules
+that are within the specified group, processing of the packet continues
+to the next rule after the decapsulate and IPFilter's internal view of the
+packet is returned to what it was prior to the decapsulate rule.
+.PP
+It is possible to construct a decapsulate rule without the group
+head at the end that ipf(8) will accept but such rules will not
+result in anything happening.
+.SS Policy Based Routing
+.PP
+With firewalls being in the position they often are, at the boundary
+of different networks connecting together and multiple connections that
+have different properties, it is often desirable to have packets flow
+in a direction different to what the routing table instructs the kernel.
+These decisions can often be extended to changing the route based on
+both source and destination address or even port numbers.
+.PP
+To support this kind of configuration, IPFilter allows the next hop
+destination to be specified with a filter rule. The next hop is given
+with the interface name to use for output. The syntax for this is
+interface:ip.address. It is expected that the address given as the next
+hop is directly connected to the network to which the interface is.
+.PP
+.nf
+pass in on bge0 to bge1:1.1.1.1 proto tcp \\
+ from 1.1.2.3 to any port = 80 flags S keep state
+.fi
+.PP
+When this feature is combined with stateful filtering, it becomes
+possible to influence the network interface used to transmit packets
+in both directions because we now have a sense for what its reverse
+flow of packets is.
+.PP
+.nf
+pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
+ proto tcp from 1.1.2.3 to any port = 80 flags S keep state
+.fi
+.PP
+If the actions of the routing table are perfectly acceptable, but
+you would like to mask the presence of the firewall by not changing
+the TTL in IP packets as they transit it, IPFilter can be instructed
+to do a "fastroute" action like this:
+.PP
+.nf
+pass in on bge0 fastroute proto icmp all
+.fi
+.PP
+This should be used with caution as it can lead to endless packet
+loops. Additionally, policy based routing does not change the IP
+header's TTL value.
+.PP
+A variation on this type of rule supports a duplicate of the original
+packet being created and sent out a different network. This can be
+useful for monitoring traffic and other purposes.
+.PP
+.nf
+pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
+ dup-to fxp0:10.0.0.1 proto tcp from 1.1.2.3 \\
+ to any port = 80 flags S keep state
+.fi
+.SS Matching IPv4 options
+.PP
+The design for IPv4 allows for the header to be upto 64 bytes long,
+however most traffic only uses the basic header which is 20 bytes long.
+The other 44 bytes can be uesd to store IP options. These options are
+generally not necessary for proper interaction and function on the
+Internet today. For most people it is sufficient to block and drop
+all packets that have any options set. This can be achieved with this
+rule:
+.PP
+.nf
+block in quick all with ipopts
+.fi
+.PP
+This rule is usually placed towards the top of the configuration
+so that all incoming packets are blocked.
+.PP
+If you wanted to allow in a specific IP option type, the syntax
+changes slightly:
+.PP
+.nf
+pass in quick proto igmp all with opt rtralrt
+.fi
+.PP
+The following is a list of IP options that most people encounter and
+what their use/threat is.
+.HP
+lsrr
+(loose source route) the sender of the packet includes a list of addresses
+that they wish the packet to be routed through to on the way to the
+destination. Because replies to such packets are expected to use the
+list of addresses in reverse, hackers are able to very effectively use
+this header option in address spoofing attacks.
+.HP
+rr
+(record route) the sender allocates some buffer space for recording the
+IP address of each router that the packet goes through. This is most often
+used with ping, where the ping response contains a copy of all addresses
+from the original packet, telling the sender what route the packet took
+to get there. Due to performance and security issues with IP header
+options, this is almost no longer used.
+.HP
+rtralrt
+(router alert) this option is often used in IGMP messages as a flag to
+routers that the packet needs to be handled differently. It is unlikely
+to ever be received from an unknown sender. It may be found on LANs or
+otherwise controlled networks where the RSVP protocol and multicast
+traffic is in heavy use.
+.HP
+ssrr
+(strict source route) the sender of the packet includes a list of addresses
+that they wish the packet to be routed through to on the way to the
+destination. Where the lsrr option allows the sender to specify only
+some of the nodes the packet must go through, with the ssrr option,
+every next hop router must be specified.
+.PP
+The complete list of IPv4 options that can be matched on is:
+addext (Address Extention),
+cipso (Classical IP Security Option),
+dps (Dynamic Packet State),
+e-sec (Extended Security),
+eip (Extended Internet Protocol),
+encode (ENCODE),
+finn (Experimental Flow Control),
+imitd (IMI Traffic Descriptor),
+lsrr (Loose Source Route),
+mtup (MTU Probe - obsolete),
+mtur (MTU response - obsolete),
+nop (No Operation),
+nsapa (NSAP Address),
+rr (Record Route),
+rtralrt (Router Alert),
+satid (Stream Identifier),
+sdb (Selective Directed Broadcast),
+sec (Security),
+ssrr (Strict Source Route),
+tr (Tracerote),
+ts (Timestamp),
+ump (Upstream Multicast Packet),
+visa (Experimental Access Control)
+and zsu (Experimental Measurement).
+.SS Security with CIPSO and IPSO
+.PP
+IPFilter supports filtering on IPv4 packets using security attributes embedded
+in the IP options part of the packet. These options are usually only used on
+networks and systems that are using lablled security. Unless you know that
+you are using labelled security and your networking is also labelled, it
+is highly unlikely that this section will be relevant to you.
+.PP
+With the traditional IP Security Options (IPSO), packets can be tagged with
+a security level. The following keywords are recognised and match with the
+relevant RFC with respect to the bit patterns matched:
+confid (confidential),
+rserve-1 (1st reserved value),
+rserve-2 (2nd reserved value),
+rserve-3 (3rd reserved value),
+rserve-4 (4th reserved value),
+secret (secret),
+topsecret (top secret),
+unclass (unclassified).
+.PP
+.nf
+block in quick all with opt sec-class unclass
+pass in all with opt sec-class secret
+.fi
+.SS Matching IPv6 extension headers
+.PP
+Just as it is possible to filter on the various IPv4 header options,
+so too it is possible to filter on the IPv6 extension headers that are
+placed between the IPv6 header and the transport protocol header.
+.PP
+dstopts (destination options),
+esp (encrypted, secure, payload),
+frag (fragment),
+hopopts (hop-by-hop options),
+ipv6 (IPv6 header),
+mobility (IP mobility),
+none,
+routing.
+.SS Logging
+.PP
+There are two ways in which packets can be logged with IPFilter. The
+first is with a rule that specifically says log these types of packets
+and the second is a qualifier to one of the other keywords. Thus it is
+possible to both log and allow or deny a packet with a single rule.
+.PP
+.nf
+pass in log quick proto tcp from any to any port = 22
+.fi
+.PP
+When using stateful filtering, the log action becomes part of the result
+that is remembered about a packet. Thus if the above rule was qualified
+with keep state, every packet in the connection would be logged. To only
+log the first packet from every packet flow tracked with keep state, it
+is necessary to indicate to IPFilter that you only wish to log the first
+packet.
+.PP
+.nf
+pass in log first quick proto tcp from any to any port = 22 \\
+ flags S keep state
+.fi
+.PP
+If it is a requirement that the logging provide an accurate representation
+of which connections are allowed, the log action can be qualified with the
+option or-block. This allows the administrator to instruct IPFilter to
+block the packet if the attempt to record the packet in IPFilter's kernel
+log records (which have an upper bound on size) failed. Unless the system
+shuts down or reboots, once a log record is written into the kernel buffer,
+it is there until ipmon(8) reads it.
+.PP
+.nf
+block in log proto tcp from any to any port = smtp
+pass in log or-block first quick proto tcp from any \\
+ to any port = 22 flags S keep state
+.fi
+.PP
+By default, IPFilter will only log the header portion of a packet received
+on the network. A portion of the body of a packet, upto 128 bytes, can also
+be logged with the body keyword. ipmon(8) will display the contents of the
+portion of the body logged in hex.
+.PP
+.nf
+block in log body proto icmp all
+.fi
+.PP
+When logging packets from ipmon(8) to syslog, by default ipmon(8) will
+control what syslog facility and priority a packet will be logged with.
+This can be tuned on a per rule basis like this:
+.PP
+.nf
+block in quick log level err all with bad
+pass in log level local1.info proto tcp \\
+ from any to any port = 22 flags S keep state
+.fi
+.PP
+ipfstat(8) reports how many packets have been successfully logged and how
+many failed attempts to log a packet there were.
+.SS Filter rule comments
+.PP
+If there is a desire to associate a text string, be it an administrative
+comment or otherwise, with an IPFilter rule, this can be achieved by giving
+the filter rule a comment. The comment is loaded with the rule into the
+kernel and can be seen when the rules are listed with ipfstat.
+.PP
+.nf
+pass in quick proto tcp from any \\
+ to port = 80 comment "all web server traffic is ok"
+pass out quick proto tcp from any port = 80 \\
+ to any comment "all web server traffic is ok"
+.fi
+.SS Tags
+.PP
+To enable filtering and NAT to correctly match up packets with rules,
+tags can be added at with NAT (for inbound packets) and filtering (for
+outbound packets.) This allows a filter to be correctly mated with its
+NAT rule in the event that the NAT rule changed the packet in a way
+that would mean it is not obvious what it was.
+.PP
+For inbound packets, IPFilter can match the tag used in the filter
+rules with that set by NAT. For outbound rules, it is the reverse,
+the filter sets the tag and the NAT rule matches up with it.
+.PP
+.nf
+pass in ... match-tag(nat=proxy)
+pass out ... set-tag(nat=proxy)
+.fi
+.PP
+Another use of tags is to supply a number that is only used with logging.
+When packets match these rules, the log tag is carried over into the
+log file records generated by ipmon(8). With the correct use of tools
+such as grep, extracting log records of interest is simplified.
+.PP
+.nf
+block in quick log ... set-tag(log=33)
+.fi
+.SH Filter Rule Expiration
+.PP
+IPFilter allows rules to be added into the kernel that it will remove after
+a specific period of time by specifying rule-ttl at the end of a rule.
+When listing rules in the kernel using ipfstat(8), rules that are going
+to expire will NOT display "rule-ttl" with the timeout, rather what will
+be seen is a comment with how many ipfilter ticks left the rule has to
+live.
+.PP
+The time to live is specified in seconds.
+.PP
+.nf
+pass in on fxp0 proto tcp from any \\
+ to port = 22 flags S keep state rule-ttl 30
+.fi
+.SH Internal packet attributes
+.PP
+In addition to being able to filter on very specific network and transport
+header fields, it is possible to filter on other attributes that IPFilter
+attaches to a packet. These attributes are placed in a rule after the
+keyword "with", as can be seen with frags and frag-body above. The
+following is a list of the other attributes available:
+.HP
+oow
+the packet's IP addresses and TCP ports match an existing entry in the
+state table but the sequence numbers indicate that it is outside of the
+accepted window.
+.IP
+.nf
+block return-rst in quick proto tcp from any to any with not oow
+.fi
+.HP
+bcast
+this is set by IPFilter when it receives notification that the link
+layer packet was a broadcast packet. No checking of the IP addresses
+is performned to determine if it is a broadcast destination or not.
+.IP
+.nf
+block in quick proto udp all with bcast
+.fi
+.HP
+mcast
+this is set by IPFilter when it receives notification that the link
+layer packet was a multicast packet. No checking of the IP addresses
+is performned to determine if it is a multicast destination or not.
+.IP
+.nf
+pass in quick proto udp from any to any port = dns with mcast
+.fi
+.HP
+mbcast
+can be used to match a packet that is either a multicast or broadcast
+packet at the link layer, as indicated by the operating system.
+.IP
+.nf
+pass in quick proto udp from any to any port = ntp with mbcast
+.fi
+.HP
+nat
+the packet positively matched a NAT table entry.
+.HP
+bad
+sanity checking of the packet failed. This could indicate that the
+layer 3/4 headers are not properly formed.
+.HP
+bad-src
+when reverse path verification is enabled, this flag will be set when
+the interface the packet is received on does not match that which would
+be used to send a packet out of to the source address in the received
+packet.
+.HP
+bad-nat
+an attempt to perform NAT on the packet failed.
+.HP
+not
+each one of the attributes matched using the "with" keyword can also be
+looked for to not be present. For example, to only allow in good packets,
+I can do this:
+.PP
+.nf
+block in all
+pass in all with not bad
+.fi
+.SH Tuning IPFilter
+.PP
+The ipf.conf file can also be used to tune the behaviour of IPFilter,
+allowing, for example, timeouts for the NAT/state table(s) to be set
+along with their sizes. The presence and names of tunables may change
+from one release of IPFilter to the next. The tunables that can be
+changed via ipf.conf is the same as those that can be seen and modified
+using the -T command line option to ipf(8).
+.PP
+NOTE: When parsing ipf.conf, ipf(8) will apply the settings before
+loading any rules. Thus if your settings are at the top, these may
+be applied whilst the rules not applied if there is an error further
+down in the configuration file.
+.PP
+To set one of the values below, the syntax is simple: "set", followed
+by the name of the tuneable to set and then the value to set it to.
+.PP
+.nf
+set state_max 9999;
+set state_size 10101;
+.fi
+.PP
+A list of the currently available variables inside IPFilter that may
+be tuned from ipf.conf are as follows:
+.HP
+active
+set through -s command line switch of ipf(8). See ipf(8) for detals.
+.HP
+chksrc
+when set, enables reverse path verification on source addresses and
+for filters to match packets with bad-src attribute.
+.HP
+control_forwarding
+when set turns off kernel forwarding when IPFilter is disabled or unloaded.
+.HP
+default_pass
+the default policy - whether packets are blocked or passed, etc - is
+represented by the value of this variable. It is a bit field and the
+bits that can be set are found in <netinet/ip_fil.h>. It is not
+recommended to tune this value directly.
+.HP
+ftp_debug
+set the debugging level of the in-kernel FTP proxy.
+Debug messages will be printed to the system console.
+.HP
+ftp_forcepasv
+when set the FTP proxy must see a PASV/EPSV command before creating
+the state/NAT entries for the 227 response.
+.HP
+ftp_insecure
+when set the FTP proxy will not wait for a user to login before allowing
+data connections to be created.
+.HP
+ftp_pasvonly
+when set the proxy will not create state/NAT entries for when it
+sees either the PORT or EPRT command.
+.HP
+ftp_pasvrdr
+when enabled causes the FTP proxy to create very insecure NAT/state
+entries that will allow any connection between the client and server
+hosts when a 227 reply is seen. Use with extreme caution.
+.HP
+ftp_single_xfer
+when set the FTP proxy will only allow one data connection at a time.
+.HP
+hostmap_size
+sets the size of the hostmap table used by NAT to store address mappings
+for use with sticky rules.
+.HP
+icmp_ack_timeout
+default timeout used for ICMP NAT/state when a reply packet is seen for
+an ICMP state that already exists
+.HP
+icmp_minfragmtu
+sets the minimum MTU that is considered acceptable in an ICMP error
+before deciding it is a bad packet.
+.HP
+icmp_timeout
+default timeout used for ICMP NAT/state when the packet matches the rule
+.HP
+ip_timeout
+default timeout used for NAT/state entries that are not TCP/UDP/ICMP.
+.HP
+ipf_flags
+.HP
+ips_proxy_debug
+this sets the debugging level for the proxy support code.
+When enabled, debugging messages will be printed to the system console.
+.HP
+log_all
+when set it changes the behaviour of "log body" to log the entire packet
+rather than just the first 128 bytes.
+.HP
+log_size
+sets the size of the in-kernel log buffer in bytes.
+.HP
+log_suppress
+when set, IPFilter will check to see if the packet it is logging is
+similar to the one it previously logged and if so, increases
+the occurance count for that packet. The previously logged packet
+must not have yet been read by ipmon(8).
+.HP
+min_ttl
+is used to set the TTL value that packets below will be marked with
+the low-ttl attribute.
+.HP
+nat_doflush
+if set it will cause the NAT code to do a more aggressive flush of the
+NAT table at the next opportunity. Once the flush has been done, the
+value is reset to 0.
+.HP
+nat_lock
+this should only be changed using ipfs(8)
+.HP
+nat_logging
+when set, NAT will create log records that can be read from /dev/ipnat.
+.HP
+nat_maxbucket
+maximum number of entries allowed to exist in each NAT hash bucket.
+This prevents an attacker trying to load up the hash table with
+entries in a single bucket, reducing performance.
+.HP
+nat_rules_size
+size of the hash table to store map rules.
+.HP
+nat_table_max
+maximum number of entries allowed into the NAT table
+.HP
+nat_table_size
+size of the hash table used for NAT
+.HP
+nat_table_wm_high
+when the fill percentage of the NAT table exceeds this mark, more
+aggressive flushing is enabled.
+.HP
+nat_table_wm_low
+this sets the percentage at which the NAT table's agressive flushing
+will turn itself off at.
+.HP
+rdr_rules_size
+size of the hash table to store rdr rules.
+.HP
+state_lock
+this should only be changed using ipfs(8)
+.HP
+state_logging
+when set, the stateful filtering will create log records
+that can be read from /dev/ipstate.
+.HP
+state_max
+maximum number of entries allowed into the state table
+.HP
+state_maxbucket
+maximum number of entries allowed to exist in each state hash bucket.
+This prevents an attacker trying to load up the hash table with
+entries in a single bucket, reducing performance.
+.HP
+state_size
+size of the hash table used for stateful filtering
+.HP
+state_wm_freq
+this controls how often the agressive flushing should be run once the
+state table exceeds state_wm_high in percentage full.
+.HP
+state_wm_high
+when the fill percentage of the state table exceeds this mark, more
+aggressive flushing is enabled.
+.HP
+state_wm_low
+this sets the percentage at which the state table's agressive flushing
+will turn itself off at.
+.HP
+tcp_close_wait
+timeout used when a TCP state entry reaches the FIN_WAIT_2 state.
+.HP
+tcp_closed
+timeout used when a TCP state entry is ready to be removed after either
+a RST packet is seen.
+.HP
+tcp_half_closed
+timeout used when a TCP state entry reaches the CLOSE_WAIT state.
+.HP
+tcp_idle_timeout
+timeout used when a TCP state entry reaches the ESTABLISHED state.
+.HP
+tcp_last_ack
+timeout used when a TCP NAT/state entry reaches the LAST_ACK state.
+.HP
+tcp_syn_received
+timeout applied to a TCP NAT/state entry after SYN-ACK packet has been seen.
+.HP
+tcp_syn_sent
+timeout applied to a TCP NAT/state entry after SYN packet has been seen.
+.HP
+tcp_time_wait
+timeout used when a TCP NAT/state entry reaches the TIME_WAIT state.
+.HP
+tcp_timeout
+timeout used when a TCP NAT/state entry reaches either the half established
+state (one ack is seen after a SYN-ACK) or one side is in FIN_WAIT_1.
+.HP
+udp_ack_timeout
+default timeout used for UDP NAT/state when a reply packet is seen for
+a UDP state that already exists
+.HP
+udp_timeout
+default timeout used for UDP NAT/state when the packet matches the rule
+.HP
+update_ipid
+when set, turns on changing the IP id field in NAT'd packets to a random
+number.
+.SS Table of visible variables
+.PP
+A list of all of the tunables, their minimum, maximum and current
+values is as follows.
+.PP
+.nf
+Name Min Max Current
+active 0 0 0
+chksrc 0 1 0
+control_forwarding 0 1 0
+default_pass 0 MAXUINT 134217730
+ftp_debug 0 10 0
+ftp_forcepasv 0 1 1
+ftp_insecure 0 1 0
+ftp_pasvonly 0 1 0
+ftp_pasvrdr 0 1 0
+ftp_single_xfer 0 1 0
+hostmap_size 1 MAXINT 2047
+icmp_ack_timeout 1 MAXINT 12
+icmp_minfragmtu 0 1 68
+icmp_timeout 1 MAXINT 120
+ip_timeout 1 MAXINT 120
+ipf_flags 0 MAXUINT 0
+ips_proxy_debug 0 10 0
+log_all 0 1 0
+log_size 0 524288 32768
+log_suppress 0 1 1
+min_ttl 0 1 4
+nat_doflush 0 1 0
+nat_lock 0 1 0
+nat_logging 0 1 1
+nat_maxbucket 1 MAXINT 22
+nat_rules_size 1 MAXINT 127
+nat_table_max 1 MAXINT 30000
+nat_table_size 1 MAXINT 2047
+nat_table_wm_high 2 100 99
+nat_table_wm_low 1 99 90
+rdr_rules_size 1 MAXINT 127
+state_lock 0 1 0
+state_logging 0 1 1
+state_max 1 MAXINT 4013
+state_maxbucket 1 MAXINT 26
+state_size 1 MAXINT 5737
+state_wm_freq 2 999999 20
+state_wm_high 2 100 99
+state_wm_low 1 99 90
+tcp_close_wait 1 MAXINT 480
+tcp_closed 1 MAXINT 60
+tcp_half_closed 1 MAXINT 14400
+tcp_idle_timeout 1 MAXINT 864000
+tcp_last_ack 1 MAXINT 60
+tcp_syn_received 1 MAXINT 480
+tcp_syn_sent 1 MAXINT 480
+tcp_time_wait 1 MAXINT 480
+tcp_timeout 1 MAXINT 480
+udp_ack_timeout 1 MAXINT 24
+udp_timeout 1 MAXINT 240
+update_ipid 0 1 0
+.fi
+.SH Calling out to internal functions
+.PP
+IPFilter provides a pair of functions that can be called from a rule
+that allow for a single rule to jump out to a group rather than walk
+through a list of rules to find the group. If you've got multiple
+networks, each with its own group of rules, this feature may help
+provide better filtering performance.
+.PP
+The lookup to find which rule group to jump to is done on either the
+source address or the destination address but not both.
+.PP
+In this example below, we are blocking all packets by default but then
+doing a lookup on the source address from group 1010. The two rules in
+the ipf.conf section are lone members of their group. For an incoming
+packet that is from 1.1.1.1, it will go through three rules: (1) the
+block rule, (2) the call rule and (3) the pass rule for group 1020.
+For a packet that is from 3.3.2.2, it will also go through three rules:
+(1) the block rule, (2) the call rule and (3) the pass rule for group
+1030. Should a packet from 3.1.1.1 arrive, it will be blocked as it
+does not match any of the entries in group 1010, leaving it to only
+match the first rule.
+.PP
+.nf
+from ipf.conf
+-------------
+block in all
+call now srcgrpmap/1010 in all
+pass in proto tcp from any to any port = 80 group 1020
+pass in proto icmp all icmp-type echo group 1030
-and to then allow ICMP packets in on le0, only, we would do:
-.LP
+from ippool.conf
+----------------
+group-map in role=ipf number=1010
+ { 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; };
+.fi
+.SS IPFilter matching expressions
+.PP
+An experimental feature that has been added to filter rules is to use
+the same expression matching that is available with various commands
+to flush and list state/NAT table entries. The use of such an expression
+precludes the filter rule from using the normal IP header matching.
+.PP
.nf
- pass in proto icmp all group 100
+pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state
.fi
+.SS Filter rules with BPF
+.PP
+On platforms that have the BPF built into the kernel, IPFilter can be
+built to allow BPF expressions in filter rules. This allows for packet
+matching to be on arbitrary data in the packt. The use of a BPF expression
+replaces all of the other protocol header matching done by IPFilter.
.PP
-Note that because only inbound packets on le0 are used processed by group 100,
-there is no need to respecify the interface name. Likewise, we could further
-breakup processing of TCP, etc, as follows:
-.LP
.nf
- block in proto tcp all head 110 group 100
- pass in from any to any port = 23 group 110
+pass in bpf-v4 { "tcp and (src port 23 or src port 50)" } \\
+ keep state
.fi
.PP
-and so on. The last line, if written without the groups would be:
-.LP
+These rules tend to be
+write-only because the act of compiling the filter expression into the
+BPF instructions loaded into the kernel can make it difficut to
+accurately reconstruct the original text filter. The end result is that
+while ipf.conf() can be easy to read, understanding the output from
+ipfstat might not be.
+.SH VARIABLES
+.PP
+This configuration file, like all others used with IPFilter, supports the
+use of variable substitution throughout the text.
+.PP
+.nf
+nif="ppp0";
+pass in on $nif from any to any
+.fi
+.PP
+would become
+.PP
.nf
- pass in on le0 proto tcp from any to any port = telnet
+pass in on ppp0 from any to any
.fi
.PP
-Note, that if we wanted to say "port = telnet", "proto tcp" would
-need to be specified as the parser interprets each rule on its own and
-qualifies all service/port names with the protocol specified.
+Variables can be used recursively, such as 'foo="$bar baz";', so long as
+$bar exists when the parser reaches the assignment for foo.
+.PP
+See
+.B ipf(8)
+for instructions on how to define variables to be used from a shell
+environment.
+.DT
.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/etc/hosts
+/dev/ipf
+/etc/ipf.conf
.br
-/etc/services
+/usr/share/examples/ipf Directory with examples.
.SH SEE ALSO
-ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
+ipf(8), ipfstat(8), ippool.conf(5), ippool(8)
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
index 09eb4db..10fd18e 100644
--- a/contrib/ipfilter/man/ipfilter.4
+++ b/contrib/ipfilter/man/ipfilter.4
@@ -28,7 +28,7 @@ send back an ICMP error/TCP reset for blocked packets
.IP
keep packet state information for TCP, UDP and ICMP packet flows
.IP
-keep fragment state information for any IP packet, applying the same rule
+keep fragment state information for any IP packet, applying the same rule
to all fragments.
.IP
act as a Network Address Translator (NAT)
@@ -53,7 +53,7 @@ On any arbitrary combination of TCP flags
.IP
"short" (fragmented) IP packets with incomplete headers can be filtered
.IP
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
+any of the 19 IP options or 8 registered IP security classes TOS (Type of
Service) field in packets
.PP
To keep track of the performance of the IP packet filter, a logging device
@@ -73,12 +73,12 @@ it matches a rule setup to look for suspicious packets
.PP
IP Filter keeps its own set of statistics on:
.IP
-packets blocked
+packets blocked
.IP
packets (and bytes!) used for accounting
.IP
packets passed
-.lP
+.IP
packets logged
.IP
attempts to log which failed (buffer full)
@@ -87,7 +87,7 @@ and much more, for packets going both in and out.
.SH Tools
The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
+be used and integrated with regular unix shells and tools. A brief description
of the tools provided:
.PP
ipf(8)
@@ -100,7 +100,7 @@ ipfs(8)
is a utility to temporarily lock the IP Filter kernel tables (state tables
and NAT mappings) and write them to disk. After that the system can be
rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
+them into the kernel. This way the system can be rebooted without the
connections being terminated.
.PP
ipfstat(8)
@@ -117,7 +117,7 @@ ipmon(8)
reads buffered data from the logging device (default is /dev/ipl)
for output to either:
.IP
-screen (standard output)
+screen (standard output)
.IP
file
.IP
@@ -147,13 +147,13 @@ documented in ipf(4).
Documentation on ioctl's and the format of data saved
to the logging character device is provided in ipl(4)
-so that you may develop your own applications to work with or in place of any
+so that you may develop your own applications to work with or in place of any
of the above.
Similar, the interface to the NAT code is documented in ipnat(4).
.SH PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
+The following diagram illustrates the flow of TCP/IP packets through the
various stages introduced by IP Filter.
.PP
.nf
diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc
index 72534a7..22e1f36 100644
--- a/contrib/ipfilter/man/ipfilter.4.mandoc
+++ b/contrib/ipfilter/man/ipfilter.4.mandoc
@@ -30,7 +30,7 @@ send back an ICMP error/TCP reset for blocked packets
.It
keep packet state information for TCP, UDP and ICMP packet flows
.It
-keep fragment state information for any IP packet, applying the same rule
+keep fragment state information for any IP packet, applying the same rule
to all fragments.
.It
act as a Network Address Translator (NAT)
@@ -57,7 +57,7 @@ On any arbitrary combination of TCP flags
.It
"short" (fragmented) IP packets with incomplete headers can be filtered
.It
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
+any of the 19 IP options or 8 registered IP security classes TOS (Type of
Service) field in packets
.El
.Pp
@@ -83,7 +83,7 @@ it matches a rule setup to look for suspicious packets
IP Filter keeps its own set of statistics on:
.Bl -bullet -offset indent -compact
.It
-packets blocked
+packets blocked
.It
packets (and bytes!) used for accounting
.It
@@ -97,7 +97,7 @@ and much more, for packets going both in and out.
.Sh Tools
The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
+be used and integrated with regular unix shells and tools. A brief description
of the tools provided:
.Pp
.Xr ipf 8
@@ -111,7 +111,7 @@ described in
is a utility to temporarily lock the IP Filter kernel tables (state tables
and NAT mappings) and write them to disk. After that the system can be
rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
+them into the kernel. This way the system can be rebooted without the
connections being terminated.
.Pp
.Xr ipfstat 8
@@ -129,7 +129,7 @@ reads buffered data from the logging device (default is /dev/ipl)
for output to either:
.Bl -bullet -offset indent -compact
.It
-screen (standard output)
+screen (standard output)
.It
file
.It
@@ -152,7 +152,7 @@ aimed at. WARNING: this may crash machine(s) targeted!
reads in a set of rules, from either stdin or a file and adds them
to the kernels current list of active NAT rules. NAT rules can also be
deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in
+with ipnat is described in
.Xr ipnat 5 .
.Pp
For use in your own programs (e.g. for writing of transparent application
@@ -162,15 +162,15 @@ documented in
Documentation on ioctl's and the format of data saved
to the logging character device is provided in
-.Xr ipl 4
-so that you may develop your own applications to work with or in place of any
+.Xr ipl 4
+so that you may develop your own applications to work with or in place of any
of the above.
-Similar, the interface to the NAT code is documented in
+Similar, the interface to the NAT code is documented in
.Xr ipnat 4 .
.Sh PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
+The following diagram illustrates the flow of TCP/IP packets through the
various stages introduced by IP Filter.
.Pp
.nf
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index 44ba8ba..cea8d5f 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -43,7 +43,7 @@ Display the accounting filter list and show bytes counted against each rule.
.TP
.B \-A
Display packet authentication statistics.
-.TP
+.TP
.B \-C
This option is only valid in combination with \fB\-t\fP.
Display "closed" states as well in the top. Normally, a TCP connection is
@@ -145,8 +145,8 @@ The number is incremented every half\-second.
.SH STATE TOP
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
this mode the state table is displayed similar to the way \fBtop\fP displays
-the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
-command line options can be used to restrict the state entries that will be
+the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
+command line options can be used to restrict the state entries that will be
shown and to specify the frequency of display updates.
.PP
In state top mode, the following keys can be used to influence the displayed
@@ -158,7 +158,7 @@ information:
.TP
\fBl\fP redraw the screen.
.TP
-\fBq\fP quit the program.
+\fBq\fP quit the program.
.TP
\fBs\fP switch between different sorting criterion.
.TP
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index 402195f..10232d3 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -143,7 +143,6 @@ are:
# a TCP packet going out of le0 with the SYN flag set.
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
.fi
-.LP
.RE
.DT
.TP
diff --git a/contrib/ipfilter/man/ipmon.5 b/contrib/ipfilter/man/ipmon.5
index 081fc08..95126f0 100644
--- a/contrib/ipfilter/man/ipmon.5
+++ b/contrib/ipfilter/man/ipmon.5
@@ -4,56 +4,213 @@
.SH NAME
ipmon, ipmon.conf \- ipmon configuration file format
.SH DESCRIPTION
-The format for files accepted by ipmon is described by the following grammar:
-.LP
+The
+.B ipmon.conf
+file is optionally loaded by
+.B ipmon
+when it starts. Its primary purpose is to direct
+.B ipmon
+to do extra actions when it sees a specific log entry from the kernel.
+.PP
+A line in the
+.B ipmon.conf
+file is either a comment or a
+.B match
+line. Each line must have a matching segment and an action segment.
+These are to the left and right of the word "do", respectively.
+A comment line is any line that starts with a #.
+.PP
+.B NOTE:
+This file differs from all other IPFilter configuration files because it
+attempts to match every line with every log record received. It does
+.B not
+stop at the
+.B first
+match or only use the
+.B last
+match.
+.PP
+For the action segment, a
+.B match
+line can delivery output to one of three destinations:
+\fBfile\fR, \fBemail\fR or \fBcommand\fR. For example:
.nf
-"match" "{" matchlist "}" "do" "{" doing "}" ";"
-
-matchlist ::= matching [ "," matching ] .
-matching ::= direction | dstip | dstport | every | group | interface |
- logtag | nattag | protocol | result | rule | srcip | srcport .
-
-dolist ::= doing [ "," doing ] .
-doing ::= execute | save | syslog .
-
-direction ::= "in" | "out" .
-dstip ::= "dstip" "=" ipv4 "/" number .
-dstport ::= "dstport" "=" number .
-every ::= "every" every-options .
-execute ::= "execute" "=" string .
-group ::= "group" "=" string | "group" "=" number .
-interface ::= "interface" "=" string .
-logtag ::= "logtag" "=" string | "logtag" "=" number .
-nattag ::= "nattag" "=" string .
-protocol ::= "protocol" "=" string | "protocol" "=" number .
-result ::= "result" "=" result-option .
-rule ::= "rule" "=" number .
-srcip ::= "srcip" "=" ipv4 "/" number .
-srcport ::= "srcport" "=" number .
-type ::= "type" "=" ipftype .
-ipv4 ::= number "." number "." number "." number .
-
-every-options ::= "second" | number "seconds" | "packet" | number "packets" .
-result-option ::= "pass" | "block" | "short" | "nomatch" | "log" .
-ipftype ::= "ipf" | "nat" | "state" .
+match { type = ipf; } do { save("file:///var/log/ipf-log"); };
+match { type = nat; } do { syslog; };
+match { type = state; } do { execute("/bin/mail root"); };
.fi
.PP
-In addition, lines that start with a # are considered to be comments.
-.TP
-.SH OVERVIEW
+and is roughly described like this:
+.PP
+match { \fImatch-it ,match-it, ...\fP } do { \fIaction, action, ...\fP};
.PP
-The ipmon configuration file is used for defining rules to be executed when
-logging records are read from
-.B /dev/ipl.
+where there can be a list of matching expressions and a list of actions
+to perform if all of the matching expressions are matched up with by
+the current log entry.
.PP
+The lines above would save all ipf log entries to /var/log/ipf-log, send
+all of the entries for NAT (ipnat related) to syslog and generate an email
+to root for each log entry from the state tables.
+.SH SYNTAX - MATCHING
+.PP
+In the above example, the matching segment was confined to matching on
+the type of log entry generated. The full list of fields that can be
+used here is:
+.TP
+direction <in|out>
+This option is used to match on log records generated for packets going
+in or out.
+.TP
+dstip <address/mask>
+This option is used to match against the destination address associated
+with the packet being logged. A "/mask" must be given and given in CIDR
+notation (/0-/32) so to specify host 192.2.2.1, 192.2.2.1/32 must be given.
+.TP
+dstport <portnumber>
+This option is used to match against the destination port in log entries.
+A number must be given, symbolic names (such as those from /etc/services)
+are not recognised by the parser.
+.TP
+every <second|# seconds|packet|# packets>
+This option is used to regulate how often an \fBipmon.conf\fR entry is
+actioned in response to an otherwise matching log record from the kernel.
+.TP
+group <name|number>
+.TP
+interface <interface-name>
+This option is used to match against the network interface name associated
+with the action causing the logging to happen. In general this will be the
+network interface where the packet is seen by IPFilter.
+.TP
+logtag <number>
+This option is used to match against tags set by ipf rules in \fBipf.conf\fR.
+These tags are set with "set-tag(log=100)" appended to filter rules.
+.TP
+nattag <string>
+This option is used to match against tags set by NAT rules in \fBipnat.conf\fR.
+.TP
+protocol <name|number>
+This option is used to match against the IP protocol field in the packet
+being logged.
+.TP
+result <pass|block|nomatch|log>
+This option is used to match against the result of packet matching in the
+kernel. If a packet is logged, using a \fBlog\fR rule in \fBipf.conf\fR
+then it will match "log" here. The "nomatch" option is for use with
+matching log records generated for all packets as the default.
+.TP
+rule <number>
+This option is used to match against the \fInumber\fR of the rule
+causing the record to be generated. The \fInumber\fR of a rule can be
+observed using "ipfstat -ion".
+.TP
+srcip <address/mask>
+This option is used to match against the source address associated
+with the packet being logged. A "/mask" must be given and given in CIDR
+notation (/0-/32) so to specify host 192.2.2.1, 192.2.2.1/32 must be given.
+.TP
+srcport <portnumber>
+This option is used to match against the source port in log entries.
+A number must be given, symbolic names (such as those from /etc/services)
+are not recognised by the parser.
+.TP
+type <ipf|nat|state>
+The format for files accepted by ipmon is described by the following grammar:
+.B NOTE:
At present, only IPv4 matching is available for source/destination address
matching.
+.SH SYNTAX - ACTIONS
+The list of actions supported is as follows:
+.TP
+save("file://<filename>")
+save("raw://<filename>")
+Write out the log record to the filename given. This file will be closed
+and reopened on receipt of a SIGHUP. If the \fIraw\fP target is used,
+binary log data, as read from the kernel, is written out rather than a
+text log record. The filename should be an absolute target, including
+the root directory. Thus, saving to /var/log/ipmon.log would be, as an
+example, save("file:///var/log/ipmon.log").
+.TP
+syslog("<facility>.<priority>")
+syslog("<facility>.")
+syslog(".<priority>")
+To log a text record via syslog, the \fBsyslog\fP action word is used.
+The facility used by default is determined at first by the default
+compiled into \fBipmon\fP (usually LOG_LOCAL0), which can be changed
+via the command line (-L <facility>) or in an \fBipf.conf\fP rule
+using the \fIlevel\fP option with logging. If the facility is
+specified here, it takes precedence over all other settings.
+The same applies to the syslog priority. By default, ipmon will
+determine a priority for the packet, depending on whether or not it
+has been blocked, passed, etc. It is possible to force the complete
+facility/priority value for each log entry or to choose to replace
+only one of them.
+.TP
+execute("<command string>")
+The
+.B execute
+action runs the specified command each time the log entry matches
+and feeds the log entry, as text, to the command being executed.
+The command string given is executed using /bin/sh.
+.TP
+nothing
+Literally, do nothing. Use this if you want to be verbose in your config
+file about doing nothing for a particular log record.
+.SH PLUGIN ACTIONS
+It is possible to configure
+.B ipmon
+to use externally supplied modules to save log entries with.
+These are added to
+.B ipmon
+using the
+.I load_action
+configuration line. The syntax of this line is:
+.nf
+
+load_action <name> <path>;
+.fi
+.TP
+name
+is a short name for the action. It does not need to correspond to the
+name of the library file, but inside the library file, the functions
+.B <name>destroy
+,
+.B <name>parse
+and
+.B <name>store
+must be present.
+.TP
+path
+specifies the path in the filesystem to the shared object
+that contains the implementation of the new action. After the new
+action has been declared using
+.I load_action
+it can then be used in any
+.I do
+statement.
+.SH EXAMPLES
+.PP
+Some further examples are:
+.nf
+
+#
+# log everything to syslog local4, regardless
+#
+match { ; } do { syslog("local4."); };
+#
+# keep a local copy of things packets to/from port 80
+#
+match { srcport = 80; } do { save("file:///var/log/web"); };
+match { dstport = 80; } do { save("file:///var/log/web"); };
+#
+load_action local "/usr/lib/libmyaction.so";
+match { dstip 127.0.0.1; } do { local("local options"); };
+#
+.fi
.SH MATCHING
.PP
-Each rule for ipmon consists of two primary segments: the first describes how
-the log record is to be matched, the second defines what action to take if
-there is a positive match. All entries of the rules present in the file are
+All entries of the rules present in the file are
compared for matches - there is no first or last rule match.
.SH FILES
/dev/ipl
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 095e4e5..80c5ba4 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -30,7 +30,6 @@ These ioctl's are implemented as being routing ioctls and thus the same rules
for the various routing ioctls and the file descriptor are employed, mainly
being that the fd must be that of the device associated with the module
(i.e., /dev/ipl).
-.LP
.PP
The structure used with the NAT interface is described below:
.LP
@@ -65,7 +64,6 @@ Recognised values for in_redir:
#define NAT_MAP 0
#define NAT_REDIRECT 1
.fi
-.PP
.LP
\fBNAT statistics\fP
Statistics on the number of packets mapped, going in and out are kept,
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 6d3f9bc..69163fc 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -2,159 +2,671 @@
.\"
.TH IPNAT 5
.SH NAME
-ipnat, ipnat.conf \- IP NAT file format
+ipnat, ipnat.conf \- IPFilter NAT file format
.SH DESCRIPTION
-The format for files accepted by ipnat is described by the following grammar:
-.LP
-.nf
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
- mapoptions .
-mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
-redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
-
-lhs ::= ipmask | fromto .
-rlhs ::= ipmask dport | fromto .
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-rdrport ::= "port" portnum .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-dstipmask ::= ipmask | "range" ip "-" ip .
-mapicmp ::= "icmpidmap" "icmp" number ":" number .
-mapport ::= "portmap" tcpudp portspec .
-mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
-rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] .
-
-object :: = addr [ port-comp | port-range ] .
-addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp :: = "port" compare port-num .
-port-range :: = "port" port-num range port-num .
-rdrproto ::= tcpudp | protocol .
-
-rr ::= "round-robin" .
-age ::= "age" decnumber [ "/" decnumber ] .
-clamp ::= "mssclamp" decnumber .
-tcpudp ::= "tcp/udp" | protocol .
-mapproxy ::= "proxy" "port" port proxy-name '/' protocol
-rdrproxy ::= "proxy" proxy-name .
-
-protocol ::= protocol-name | decnumber .
-nummask ::= host-name [ "/" decnumber ] .
-portspec ::= "auto" | portnumber ":" portnumber .
-port ::= portnumber | port-name .
-portnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
-.fi
+.PP
+The
+.B ipnat.conf
+file is used to specify rules for the Network Address Translation (NAT)
+component of IPFilter. To load rules specified in the
+.B ipnat.conf
+file, the
+.B ipnat(8)
+program is used.
.PP
For standard NAT functionality, a rule should start with \fBmap\fP and then
proceeds to specify the interface for which outgoing packets will have their
-source address rewritten.
-.PP
-Packets which will be rewritten can only be selected by matching the original
-source address. A netmask must be specified with the IP address.
-.PP
-The address selected for replacing the original is chosen from an IP#/netmask
-pair. A netmask of all 1's indicating a hostname is valid. A netmask of
-31 1's (255.255.255.254) is considered invalid as there is no space for
-allocating host IP#'s after consideration for broadcast and network
-addresses.
-.PP
-When remapping TCP and UDP packets, it is also possible to change the source
-port number. Either TCP or UDP or both can be selected by each rule, with a
-range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH COMMANDS
-There are four commands recognised by IP Filter's NAT code:
-.TP
+source address rewritten. Following this it is expected that the old source
+address, and optionally port number, will be specified.
+.PP
+In general, all NAT rules conform to the following layout:
+the first word indicates what type of NAT rule is present, this is followed
+by some stanzas to match a packet, followed by a "->" and this is then
+followed by several more stanzas describing the new data to be put in the
+packet.
+.PP
+In this text and in others,
+use of the term "left hand side" (LHS) when talking about a NAT rule refers
+to text that appears before the "->" and the "right hand side" (RHS) for text
+that appears after it. In essence, the LHS is the packet matching and the
+RHS is the new data to be used.
+.SH VARIABLES
+.PP
+This configuration file, like all others used with IPFilter, supports the
+use of variable substitution throughout the text.
+.nf
+
+nif="ppp0";
+map $nif 0/0 -> 0/32
+.fi
+.PP
+would become
+.nf
+
+map ppp0 0/0 -> 0/32
+.fi
+.PP
+Variables can be used recursively, such as 'foo="$bar baz";', so long as
+$bar exists when the parser reaches the assignment for foo.
+.PP
+See
+.B ipnat(8)
+for instructions on how to define variables to be used from a shell
+environment.
+.SH OUTBOUND SOURCE TRANSLATION (map'ing)
+Changing the source address of a packet is traditionally performed using
.B map
-that is used for mapping one address or network to another in an unregulated
-round robin fashion;
-.TP
-.B rdr
-that is used for redirecting packets to one IP address and port pair to
-another;
-.TP
-.B bimap
-for setting up bidirectional NAT between an external IP address and an internal
-IP address and
+rules. Both the source address and optionally port number can be changed
+according to various controls.
+.PP
+To start out with, a common rule used is of the form:
+.nf
+
+map le0 0/0 -> 0/32
+.fi
+.PP
+Here we're saying change the source address of all packets going out of
+le0 (the address/mask pair of 0/0 matching all packets) to that of the
+interface le0 (0/32 is a synonym for the interface's own address at
+the current point in time.) If we wanted to pass the packet through
+with no change in address, we would write it as:
+.nf
+
+map le0 0/0 -> 0/0
+.fi
+.PP
+If we only want to change a portion of our internal network and to a
+different address that is routed back through this host, we might do:
+.nf
+
+map le0 10.1.1.0/24 -> 192.168.55.3/32
+.fi
+.PP
+In some instances, we may have an entire subnet to map internal addresses
+out onto, in which case we can express the translation as this:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24
+.fi
+.PP
+IPFilter will cycle through each of the 256 addresses in the 192.168.55.0/24
+address space to ensure that they all get used.
+.PP
+Of course this poses a problem for TCP and UDP, with many connections made,
+each with its own port number pair. If we're unlucky, translations can be
+dropped because the new address/port pair mapping already exists. To
+mitigate this problem, we add in port translation or port mapping:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24 portmap tcp/udp auto
+.fi
+.PP
+In this instance, the word "auto" tells IPFilter to calculate a private
+range of port numbers for each address on the LHS to use without fear
+of them being trampled by others. This can lead to problems if there are
+connections being generated mire quickly than IPFilter can expire them.
+In this instance, and if we want to get away from a private range of
+port numbers, we can say:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24 portmap tcp/udp 5000:65000
+.fi
+.PP
+And now each connection through le0 will add to the enumeration of
+the port number space 5000-65000 as well as the IP address subnet
+of 192.168.55.0/24.
+.PP
+If the new addresses to be used are in a consecutive range, rather
+than a complete subnet, we can express this as:
+.nf
+
+map le0 10.0.0.0/8 -> range 192.168.55.10-192.168.55.249
+ portmap tcp/udp 5000:65000
+.fi
+.PP
+This tells IPFilter that it has a range of 240 IP address to use, from
+192.168.55.10 to 192.168.55.249, inclusive.
+.PP
+If there were several ranges of addresses for use, we can use each one
+in a round-robin fashion as followed:
+.nf
+
+map le0 10.0.0.0/8 -> range 192.168.55.10-192.168.55.29
+ portmap tcp/udp 5000:65000 round-robin
+map le0 10.0.0.0/8 -> range 192.168.55.40-192.168.55.49
+ portmap tcp/udp 5000:65000 round-robin
+.fi
+.PP
+To specify translation rules that impact a specific IP protocol,
+the protocol name or number is appended to the rule like this:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24 tcp/udp
+map le0 10.0.0.0/8 -> 192.168.55.1/32 icmp
+map le0 10.0.0.0/8 -> 192.168.55.2/32 gre
+.fi
+.PP
+For TCP connections exiting a connection such as PPPoE where the MTU is
+slightly smaller than normal ethernet, it can be useful to reduce the
+Maximum Segment Size (MSS) offered by the internal machines to match,
+reducing the liklihood that the either end will attempt to send packets
+that are too big and result in fragmentation. This is acheived using the
+.B mssclamp
+option with TCP
+.B map
+rules like this:
+.nf
+
+map pppoe0 0/0 -> 0/32 mssclamp 1400 tcp
+.fi
+.PP
+For ICMP packets, we can map the ICMP id space in query packets:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.1/32 icmpidmap icmp 1000:20000
+.fi
+.PP
+If we wish to be more specific about our initial matching criteria on the
+LHS, we can expand to using a syntax more similar to that in
+.B ipf.conf(5)
+:
+.nf
+
+map le0 from 10.0.0.0/8 to 26.0.0.0/8 ->
+ 192.168.55.1
+map le0 from 10.0.0.0/8 port > 1024 to 26.0.0.0/8 ->
+ 192.168.55.2 portmap 5000:9999 tcp/udp
+map le0 from 10.0.0.0/8 ! to 26.0.0.0/8 ->
+ 192.168.55.3 portmap 5000:9999 tcp/udp
+.fi
.TP
+.B NOTE:
+negation matching with source addresses is
+.B NOT
+possible with
+.B map
+/
.B map-block
-which sets up static IP address based translation, based on a algorithm to
-squeeze the addresses to be translated into the destination range.
-.SH MATCHING
-.PP
-For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered. The packet
-\fImatching\fP part of the rule is to the left of the "->" in each rule.
-.PP
-Matching of packets has now been extended to allow more complex compares.
-In place of the address which is to be translated, an IP address and port
-number comparison can be made using the same expressions available with
-\fBipf\fP. A simple NAT rule could be written as:
+rules.
+.PP
+The NAT code has builtin default timeouts for TCP, UDP, ICMP and another
+for all other protocols. In general, the timeout for an entry to be
+deleted shrinks once a reply packet has been seen (excluding TCP.)
+If you wish to specify your own timeouts, this can be achieved either
+by setting one timeout for both directions:
+.nf
+
+map le0 0/0 -> 0/32 gre age 30
+.fi
+.PP
+or setting a different timeout for the reply:
+.nf
+
+map le0 from any to any port = 53 -> 0/32 age 60/10 udp
+.fi
+.PP
+A pressing problem that many people encounter when using NAT is that the
+address protocol can be embedded inside an application's communication.
+To address this problem, IPFilter provides a number of built-in proxies
+for the more common trouble makers, such as FTP. These proxies can be
+used as follows:
+.nf
+
+map le0 0/0 -> 0/32 proxy port 21 ftp/tcp
+.fi
+.PP
+In this rule, the word "proxy" tells us that we want to connect up this
+translation with an internal proxy. The "port 21" is an extra restriction
+that requires the destination port number to be 21 if this rule is to be
+activated. The word "ftp" is the proxy identifier that the kernel will
+try and resolve internally, "tcp" the protocol that packets must match.
+.PP
+See below for a list of proxies and their relative staus.
+.PP
+To associate NAT rules with filtering rules, it is possible to set and
+match tags during either inbound or outbound processing. At present the
+tags for forwarded packets are not preserved by forwarding, so once the
+packet leaves IPFilter, the tag is forgotten. For
+.B map
+rules, we can match tags set by filter rules like this:
+.nf
+
+map le0 0/0 -> 0/32 proxy portmap 5000:5999 tag lan1 tcp
+.fi
+.PP
+This would be used with "pass out" rules that includes a stanza such
+as "set-tag (nat = lan1)".
+.PP
+If the interface in which packets are received is different from the
+interface on which packets are sent out, then the translation rule needs
+to be written to take this into account:
+.nf
+
+map hme0,le0 0/0 -> 0/32
+.fi
+.PP
+Although this might seem counterintuitive, the interfaces when listed
+in rules for
+.B ipnat.conf
+are always in the
+.I inbound
+,
+.I outbound
+order. In this case, hme0 would be the return interface and le0 would be
+the outgoing interface. If you wish to allow return packets on any
+interface, the correct syntax to use would be:
+.nf
+
+map *,le0 0/0 -> 0/32
+.fi
.LP
+A special variant of
+.B map
+rules exists, called
+.B map-block.
+This command is intended for use when there is a large network to be mapped
+onto a smaller network, where the difference in netmasks is upto 14 bits
+difference in size. This is achieved by dividing the address space and
+port space up to ensure that each source address has its own private range
+of ports to use. For example, this rule:
+.nf
+
+map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
+.fi
+.PP
+would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
+with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
+own. As opposed to the above use of \fBmap\fP, if for some reason the user
+of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
+be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
+IP address with the \fBmap\fP command.
+.SS Extended matching
+.PP
+If it is desirable to match on both the source and destination of a packet
+before applying an address translation to it, this can be achieved by using
+the same from-to syntax as is used in \fBipf.conf\fP(5). What follows
+applies equally to the
+.B map
+rules discussed above and
+.B rdr
+rules discussed below. A simple example is as follows:
+.nf
+
+map bge0 from 10.1.0.0/16 to 192.168.1.0/24 -> 172.12.1.4
+.fi
+.PP
+This would only match packets that are coming from hosts that have a source
+address matching 10.1.0.0/16 and a destination matching 192.168.1.0/24.
+This can be expanded upon with ports for TCP like this:
+.nf
+
+rdr bge0 from 10.1.0.0/16 to any port = 25 -> 127.0.0.1 port 2501 tcp
+.fi
+.PP
+Where only TCP packets from 10.1.0.0/16 to port 25 will be redirected to
+port 2501.
+.PP
+As with \fBipf.conf\fR(5), if we have a large set of networks or addresses
+that we would like to match up with then we can define a pool using
+\fBippool\fR(8) in \fBippool.conf\fR(5) and then refer to it in an
+\fBipnat\fR rule like this:
+.nf
+
+map bge0 from pool/100 to any port = 25 -> 127.0.0.1 port 2501 tcp
+.fi
+.TP
+.B NOTE:
+In this situation, the rule is considered to have a netmask of "0" and
+thus is looked at last, after any rules with /16's or /24's in them,
+.I even if
+the defined pool only has /24's or /32's. Pools may also be used
+.I wherever
+the from-to syntax in \fBipnat.conf\fR(5) is allowed.
+.SH INBOUND DESTINATION TRANSLATION (redirection)
+.PP
+Redirection of packets is used to change the destination fields in a packet
+and is supported for packets that are moving \fIin\fP on a network interface.
+While the same general syntax for
+.B map
+rules is supported, there are differences and limitations.
+.PP
+Firstly, by default all redirection rules target a single IP address, not
+a network or range of network addresses, so a rule written like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.0
+.fi
+.PP
+Will not spread packets across all 256 IP addresses in that class C network.
+If you were to try a rule like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.0/24
+.fi
+.PP
+then you will receive a parsing error.
+.PP
+The from-to source-destination matching used with
+.B map
+rules can be used with rdr rules, along with negation, however the
+restriction moves - only a source address match can be negated:
+.nf
+
+rdr le0 from 1.1.0.0/16 to any -> 192.168.1.3
+rdr le0 ! from 1.1.0.0/16 to any -> 192.168.1.4
+.fi
+.PP
+If there is a consective set of addresses you wish to spread the packets
+over, then this can be done in one of two ways, the word "range" optional
+to preserve:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1 - 192.168.1.5
+rdr le0 0/0 -> range 192.168.1.1 - 192.168.1.5
+.fi
+.PP
+If there are only two addresses to split the packets across, the
+recommended method is to use a comma (",") like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1,192.168.1.2
+.fi
+.PP
+If there is a large group of destination addresses that are somewhat
+disjoint in nature, we can cycle through them using a
+.B round-robin
+technique like this:
.nf
-map de0 10.1.0.0/16 -> 201.2.3.4/32
+
+rdr le0 0/0 -> 192.168.1.1,192.168.1.2 round-robin
+rdr le0 0/0 -> 192.168.1.5,192.168.1.7 round-robin
+rdr le0 0/0 -> 192.168.1.9 round-robin
+.fi
+.PP
+If there are a large number of redirect rules and hosts being targetted
+then it may be desirable to have all those from a single source address
+be targetted at the same destination address. To achieve this, the
+word
+.B sticky
+is appended to the rule like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1,192.168.1.2 sticky
+rdr le0 0/0 -> 192.168.1.5,192.168.1.7 round-robin sticky
+rdr le0 0/0 -> 192.168.1.9 round-robin sticky
+.fi
+.PP
+The
+.B sticky
+feature can only be combined with
+.B round-robin
+and the use of comma.
+.PP
+For TCP and UDP packets, it is possible to both match on the destiantion
+port number and to modify it. For example, to change the destination port
+from 80 to 3128, we would use a rule like this:
+.nf
+
+rdr de0 0/0 port 80 -> 127.0.0.1 port 3128 tcp
+.fi
+.PP
+If a range of ports is given on the LHS and a single port is given on the
+RHS, the entire range of ports is moved. For example, if we had this:
+.nf
+
+rdr le0 0/0 port 80-88 -> 127.0.0.1 port 3128 tcp
+.fi
+.PP
+then port 80 would become 3128, port 81 would become 3129, etc. If we
+want to redirect a number of different pots to just a single port, an
+equals sign ("=") is placed before the port number on the RHS like this:
+.nf
+
+rdr le0 0/0 port 80-88 -> 127.0.0.1 port = 3128 tcp
+.fi
+.PP
+In this case, port 80 goes to 3128, port 81 to 3128, etc.
+.PP
+As with
+.B map
+rules, it is possible to manually set a timeout using the
+.B age
+option, like this:
+.nf
+
+rdr le0 0/0 port 53 -> 127.0.0.1 port 10053 udp age 5/5
+.fi
+.PP
+The use of proxies is not restricted to
+.B map
+rules and outbound sessions. Proxies can also be used with redirect
+rules, although the syntax is slightly different:
+.nf
+
+rdr ge0 0/0 port 21 -> 127.0.0.1 port 21 tcp proxy ftp
+.fi
+.PP
+For
+.B rdr
+rules, the interfaces supplied are in the same order as
+.B map
+rules - input first, then output. In situations where the outgoing interface
+is not certain, it is also possible to use a wildcard ("*") to effect a match
+on any interface.
+.nf
+
+rdr le0,* 0/0 -> 192.168.1.0
+.fi
+.PP
+A single rule, with as many options set as possible would look something like
+this:
+.nf
+
+rdr le0,ppp0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
+ round-robin frag age 40/40 sticky mssclamp 1000 tag tagged
.fi
+.SH REWRITING SOURCE AND DESTINATION
+.PP
+Whilst the above two commands provide a lot of flexibility in changing
+addressing fields in packets, often it can be of benefit to translate
+\fIboth\fP source \fBand\fR destination at the same time or to change
+the source address on input or the destination address on output.
+Doing all of these things can be accomplished using
+.B rewrite
+NAT rules.
+.PP
+A
+.B rewrite
+rule requires the same level of packet matching as before, protocol and
+source/destination information but in addition allows either
+.B in
+or
+.B out
+to be specified like this:
+.nf
+
+rewrite in on ppp0 proto tcp from any to any port = 80 ->
+ src 0/0 dst 127.0.0.1,3128;
+rewrite out on ppp0 from any to any ->
+ src 0/32 dst 10.1.1.0/24;
+.fi
+.PP
+On the RHS we can specify both new source and destination information to place
+into the packet being sent out. As with other rules used in
+\fBipnat.conf\fR, there are shortcuts syntaxes available to use the original
+address information (\fB0/0\fR) and the address associated with the network
+interface (\fB0/32\fR.) For TCP and UDP, both address and port information
+can be changed. At present it is only possible to specify either a range of
+port numbers to be used (\fBX-Y\fR) or a single port number (\fB= X\fR) as
+follows:
+.nf
+
+rewrite in on le0 proto tcp from any to any port = 80 ->
+ src 0/0,2000-20000 dst 127.0.0.1,port = 3128;
+.fi
+.PP
+There are four fields that are stepped through in enumerating the number
+space available for creating a new destination:
+.LP
+source address
+.LP
+source port
.LP
-or as
+destination address
.LP
+destination port
+.PP
+If one of these happens to be a static then it will be skipped and the next
+one incremented. As an example:
.nf
-map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
+
+rewrite out on le0 proto tcp from any to any port = 80 ->
+ src 1.0.0.0/8,5000-5999 dst 2.0.0.0/24,6000-6999;
.fi
+.PP
+The translated packets would be:
+.LP
+1st src=1.0.0.1,5000 dst=2.0.0.1,6000
+.LP
+2nd src=1.0.0.2,5000 dst=2.0.0.1,6000
+.LP
+3rd src=1.0.0.2,5001 dst=2.0.0.1,6000
.LP
-Only IP address and port numbers can be compared against. This is available
-with all NAT rules.
-.SH TRANSLATION
-.PP
-To the right of the "->" is the address and port specification which will be
-written into the packet providing it has already successfully matched the
-prior constraints. The case of redirections (\fBrdr\fP) is the simplest:
-the new destination address is that specified in the rule. For \fBmap\fP
-rules, the destination address will be one for which the tuple combining
-the new source and destination is known to be unique. If the packet is
-either a TCP or UDP packet, the destination and source ports come into the
-equation too. If the tuple already exists, IP Filter will increment the
-port number first, within the available range specified with \fBportmap\fP
-and if there exists no unique tuple, the source address will be incremented
-within the specified netmask. If a unique tuple cannot be determined, then
-the packet will not be translated. The \fBmap-block\fP is more limited in
-how it searches for a new, free and unique tuple, in that it will used an
-algorithm to determine what the new source address should be, along with the
-range of available ports - the IP address is never changed and nor does the
-port number ever exceed its allotted range.
-.SH ICMPIDMAP
-.PP
-ICMP messages can be divided into two groups: "errors" and "queries". ICMP
-errors are generated as a response of another IP packet. IP Filter will take
-care that ICMP errors that are the response of a NAT-ed IP packet are
-handled properly.
-.PP
-For 4 types of ICMP queries (echo request, timestamp request, information
-request and address mask request) IP Filter supports an additional mapping
-called "ICMP id mapping". All these 4 types of ICMP queries use a unique
-identifier called the ICMP id. This id is set by the process sending the
-ICMP query and it is usually equal to the process id. The receiver of the
-ICMP query will use the same id in its response, thus enabling the
-sender to recognize that the incoming ICMP reply is intended for him and is
-an answer to a query that he made. The "ICMP id mapping" feature modifies
-these ICMP id in a way identical to \fBportmap\fP for TCP or UDP.
-.PP
-The reason that you might want this, is that using this feature you don't
-need an IP address per host behind the NAT box, that wants to do ICMP queries.
-The two numbers behind the \fBicmpidmap\fP keyword are the first and the
-last icmp id number that can be used. There is one important caveat: if you
-map to an IP address that belongs to the NAT box itself (notably if you have
-only a single public IP address), then you must ensure that the NAT box does
-not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule.
-Since the ICMP id is usually the process id, it is wise to restrict the
-largest permittable process id (PID) on your operating system to e.g. 63999 and
-use the range 64000:65535 for ICMP id mapping. Changing the maximal PID is
-system dependent. For most BSD derived systems can be done by changing
-PID_MAX in /usr/include/sys/proc.h and then rebuild the system.
+4th src=1.0.0.2,5001 dst=2.0.0.2,6000
+.LP
+5th src=1.0.0.2,5001 dst=2.0.0.2,6001
+.LP
+6th src=1.0.0.3,5001 dst=2.0.0.2,6001
+.PP
+and so on.
+.PP
+As with
+.B map
+rules, it is possible to specify a range of addresses by including the word
+\fIrange\fR before the addresses:
+.nf
+
+rewrite from any to any port = 80 ->
+ src 1.1.2.3 - 1.1.2.6 dst 2.2.3.4 - 2.2.3.6;
+.fi
+.SH DIVERTING PACKETS
+.PP
+If you'd like to send packets to a UDP socket rather than just another
+computer to be decapsulated, this can be achieved using a
+.B divert
+rule.
+.PP
+Divert rules can be be used with both inbound and outbound packet
+matching however the rule
+.B must
+specify host addresses for the outer packet, not ranges of addresses
+or netmasks, just single addresses.
+Additionally the syntax must supply required information for UDP.
+An example of what a divert rule looks ike is as follows:
+.nf
+
+divert in on le0 proto udp from any to any port = 53 ->
+ src 192.1.1.1,54 dst 192.168.1.22.1,5300;
+.fi
+.PP
+On the LHS is a normal set of matching capabilities but on the RHS it is
+a requirement to specify both the source and destination addresses and
+ports.
+.PP
+As this feature is intended to be used with targetting packets at sockets
+and not IPFilter running on other systems, there is no rule provided to
+\fIundivert\fR packets.
+.TP
+.B NOTE:
+Diverted packets \fImay\fP be fragmented if the addition of the
+encapsulating IP header plus UDP header causes the packet to exceed
+the size allowed by the outbound network interface. At present it is
+not possible to cause Path MTU discovery to happen as this feature
+is intended to be transparent to both endpoints.
+.B Path MTU Discovery
+If Path MTU discovery is being used and the "do not fragment" flag
+is set in packets to be encapsulated, an ICMP error message will
+be sent back to the sender if the new packet would need to be
+fragmented.
+.SH COMMON OPTIONS
+This section deals with options that are available with all rules.
+.TP
+.B purge
+When the purge keyword is added to the end of a NAT rule, it will
+cause all of the active NAT sessions to be removed when the rule
+is removed as an individual operation. If all of the NAT rules
+are flushed out, it is expected that the operator will similarly
+flush the NAT table and thus NAT sessions are not removed when the
+NAT rules are flushed out.
+.SH RULE ORDERING
+.PP
+.B NOTE:
+Rules in
+.B ipnat.conf
+are read in sequentially as listed and loaded into the kernel in this
+fashion
+.B BUT
+packet matching is done on \fBnetmask\fR, going from 32 down to 0.
+If a rule uses
+.B pool
+or
+.B hash
+to reference a set of addresses or networks, the netmask value for
+these fields is considered to be "0".
+So if your
+.B ipnat.conf
+has the following rules:
+.nf
+
+rdr le0 192.0.0.0/8 port 80 -> 127.0.0.1 3132 tcp
+rdr le0 192.2.0.0/16 port 80 -> 127.0.0.1 3131 tcp
+rdr le0 from any to pool/100 port 80 -> 127.0.0.1 port 3130 tcp
+rdr le0 192.2.2.0/24 port 80 -> 127.0.0.1 3129 tcp
+rdr le0 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
+.fi
+.PP
+then the rule with 192.2.2.1 will match \fBfirst\fR, regardless of where
+it appears in the ordering of the above rules. In fact, the order in
+which they would be used to match a packet is:
+.nf
+
+rdr le0 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
+rdr le0 192.2.2.0/24 port 80 -> 127.0.0.1 3129 tcp
+rdr le0 192.2.0.0/16 port 80 -> 127.0.0.1 3131 tcp
+rdr le0 192.0.0.0/8 port 80 -> 127.0.0.1 3132 tcp
+rdr le0 from any to pool/100 port 80 -> 127.0.0.1 port 3130 tcp
+.fi
+.PP
+where the first line is actually a /32.
+.PP
+If your
+.B ipnat.conf
+file has entries with matching target fields (source address for
+.B map
+rules and destination address for
+.B rdr
+rules), then the ordering in the
+.B ipnat.conf
+file does matter. So if you had the following:
+.nf
+
+rdr le0 from 1.1.0.0/16 to 192.2.2.1 port 80 -> 127.0.0.1 3129 tcp
+rdr le0 from 1.1.1.0/24 to 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
+.fi
+.PP
+Then no packets will match the 2nd rule, they'll all match the first.
+.SH IPv6
+.PP
+In all of the examples above, where an IPv4 address is present, an IPv6
+address can also be used. All rules must use either IPv4 addresses with
+both halves of the NAT rule or IPv6 addresses for both halves. Mixing
+IPv6 addresses with IPv4 addresses, in a single rule, will result in an
+error.
+.PP
+For shorthand notations such as "0/32", the equivalent for IPv6 is
+"0/128". IPFilter will treat any netmask greater than 32 as an
+implicit direction that the address should be IPv6, not IPv4.
+To be unambiguous with 0/0, for IPv6 use ::0/0.
.SH KERNEL PROXIES
.PP
IP Filter comes with a few, simple, proxies built into the code that is loaded
@@ -177,117 +689,38 @@ Mature - well tested, protocol is properly
understood by the proxy;
.PP
The currently compiled in proxy list is as follows:
-.HP
+.TP
FTP - Mature
-.HP
+(map ... proxy port ftp ftp/tcp)
+.TP
IRC - Experimental
-.HP
+(proxy port 6667 irc/tcp)
+.TP
rpcbind - Experimental
-.HP
+.TP
+PPTP - Experimental
+.TP
H.323 - Experimental
-.HP
+(map ... proxy port 1720 h323/tcp)
+.TP
Real Audio (PNA) - Aging
-.HP
+.TP
+DNS - Developmental
+(map ... proxy port 53 dns/udp { block .cnn.com; })
+.TP
IPsec - Developmental
-.HP
+(map ... proxy port 500 ipsec/tcp)
+.TP
netbios - Experimental
-.HP
+.TP
R-command - Mature
-
-.SH TRANSPARENT PROXIES
-.PP
-True transparent proxying should be performed using the redirect (\fBrdr\fP)
-rules directing ports to localhost (127.0.0.1) with the proxy program doing
-a lookup through \fB/dev/ipnat\fP to determine the real source and address
-of the connection.
-.SH LOAD-BALANCING
-.PP
-Two options for use with \fBrdr\fP are available to support primitive,
-\fIround-robin\fP based load balancing. The first option allows for a
-\fBrdr\fP to specify a second destination, as follows:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
-.fi
-.LP
-This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
-In scenarios where the load is being spread amongst a larger set of
-servers, you can use:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
-.fi
-.LP
-In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
-and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this,
-the rule is removed from the top of the list and added to the end,
-automatically, as required. This will not effect the display of rules
-using "ipnat -l", only the internal application order.
-.SH EXAMPLES
-.PP
-This section deals with the \fBmap\fP command and its variations.
-.PP
-To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-The obvious problem here is we're trying to squeeze over 16,000,000 IP
-addresses into a 254 address space. To increase the scope, remapping for TCP
-and/or UDP, port remapping can be used;
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-.fi
-.PP
-which falls only 527,566 `addresses' short of the space available in network
-10. If we were to combine these rules, they would need to be specified as
-follows:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed. In some instances, it is more appropriate
-to use the keyword \fBauto\fP in place of an actual range of port numbers if
-you want to guarantee simultaneous access to all within the given range.
-However, in the above case, it would default to 1 port per IP address, since
-we need to squeeze 24 bits of address space into 8. A good example of how
-this is used might be:
-.LP
-.nf
-map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
-.fi
-.PP
-which would result in each IP address being given a small range of ports to
-use (252). In all cases, the new port number that is used is deterministic.
-That is, port X will always map to port Y.
-WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing
-to a /32 (i.e. 0/32) because the NAT code will try to map multiple hosts to
-the same port number, outgoing and ultimately this will only succeed for one
-of them.
-The problem here is that the \fBmap\fP directive tells the NAT
-code to use the next address/port pair available for an outgoing connection,
-resulting in no easily discernible relation between external addresses/ports
-and internal ones. This is overcome by using \fBmap-block\fP as follows:
-.LP
-.nf
-map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
-.fi
-.PP
-For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
-with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
-own. As opposed to the above use of \fBmap\fP, if for some reason the user
-of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
-be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
-IP address with the \fBmap\fP command.
+(map ... proxy port shell rcmd/tcp)
+.SH KERNEL PROXIES
+.SH FILES
/dev/ipnat
.br
+/etc/protocols
+.br
/etc/services
.br
/etc/hosts
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
index 4329786..a49f337 100644
--- a/contrib/ipfilter/man/ipnat.8
+++ b/contrib/ipfilter/man/ipnat.8
@@ -53,6 +53,11 @@ Show the list of current NAT table entry mappings.
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
+.B \-p
+This flag is used with the \fB-r\fP flag to cause any active NAT
+sessions that were created by the rules being removed and that are
+currently active to also be removed.
+.TP
.B \-r
Remove matching NAT rules rather than add them to the internal lists.
.TP
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
index 367eb8d..4de19a4 100644
--- a/contrib/ipfilter/man/ippool.5
+++ b/contrib/ipfilter/man/ippool.5
@@ -4,146 +4,311 @@
.SH NAME
ippool, ippool.conf \- IP Pool file format
.SH DESCRIPTION
-The format for files accepted by ippool is described by the following grammar:
-.LP
+The file ippool.conf is used with ippool(8) to configure address pools for
+use with ipnat(8) and ipf(8).
+.PP
+There are four different types of address pools that can be configured
+through ippool.conf. The various types are presented below with a brief
+description of how they are used:
+.HP
+dstlist
+.IP
+destination list - is a collection of IP addresses with an optional
+network interface name that can be used with either redirect (rdr) rules
+in ipnat.conf(5) or as the destination in ipf.conf(5) for policy based
+routing.
+.HP
+group-map
+.IP
+group maps - support the srcgrpmap and dstgrpmap call functions in
+ipf.conf(5) by providing a list of addresses or networks rule group
+numbers to start processing them with.
+.HP
+hash
+.IP
+hash tables - provide the means for performing a very efficient
+lookup address or network when there is expected to be only one
+exact match. These are best used with more static sets of addresses
+so they can be sized optimally.
+.HP
+pool
+.IP
+address pools - are an alternative to hash tables that can perform just
+as well in most circumstances. In addition, the address pools allow for
+heirarchical matching, so it is possible to define a subnet as matching
+but then exclude specific addresses from it.
+.SS
+Evolving Configuration
+.PP
+Over time the configuration syntax used by ippool.conf(5) has evolved.
+Originally the syntax used was more verbose about what a particular
+value was being used for, for example:
+.PP
.nf
-line ::= table | groupmap .
-table ::= "table" role tabletype .
-groupmap ::= "group-map" inout role number ipfgroup
-tabletype ::= ipftree | ipfhash .
-
-role ::= "role" "=" "ipf" .
-inout ::= "in" | "out" .
-
-ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
-ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .
-
-ipfgroup ::= setgroup hashopts "{" grouplist "}" |
- hashopts "{" setgrouplist "}" .
-setgroup ::= "group" "=" groupname .
-
-hashopts ::= size [ seed ] | seed .
-
-size ::= "size" number .
-seed ::= "seed" number .
-
-addrlist ::= [ "!" ] addrmask ";" [ addrlist ] .
-grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] .
-
-setgrouplist ::= groupentry ";" [ setgrouplist ] .
-
-groupentry ::= addrmask "," setgroup .
-
-hashlist ::= hashentry ";" [ hashlist ] .
-hashentry ::= addrmask .
-
-addrmask ::= ipaddr | ipaddr "/" mask .
-
-mask ::= number | ipaddr .
-
-groupname ::= number | name .
-
-number ::= digit { digit } .
-
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-
-digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-name ::= letter { letter | digit } .
+table role = ipf type = tree number = 100
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
.fi
.PP
-The IP pool configuration file is used for defining a single object that
-contains a reference to multiple IP address/netmask pairs. A pool may consist
-of a mixture of netmask sizes, from 0 to 32.
-.PP
-At this point in time, only IPv4 addressing is supported.
-.TP
-.SH OVERVIEW
-.PP
-The IP pool configuration file provides for defining two different mechanisms
-for improving speed in matching IP addresses with rules.
-The first,
-.B table
-, defines a lookup
-.I table
-to provide a single reference in a
-filter rule to multiple targets and the second,
-.B group-map
-, provides a mechanism to target multiple groups from a single filter line.
-.PP
-The
-.B group-map
-command can only be used with filter rules that use the
-.B call
-command to invoke either
-.B fr_srcgrpmap
-or
-.B fr_dstgrpmap
-, to use the source or destination address,
-respectively, for determining which filter group to jump to next for
-continuation of filter packet processing.
-.SH POOL TYPES
-.PP
-Two storage formats are provided: hash tables and tree structure. The hash
-table is intended for use with objects all containing the same netmask or a
-few different sized netmasks of non-overlapping address space and the tree
-is designed for being able to support exceptions to a covering mask, in
-addition to normal searching as you would do with a table. It is not possible
-to use the tree data storage type with
-.B group-map
-configuration entries.
-.SH POOL ROLES
-.PP
-When a pool is defined in the configuration file, it must have an associated
-role. At present the only supported role is
-.B ipf.
-Future development will see futher expansion of their use by other sections
-of IPFilter code.
-.SH EXAMPLES
-The following examples show how the pool configuration file is used with
-the ipf configuration file to enhance the ability for the ipf configuration
-file to be succinct in meaning.
-.TP
-1
-The first example shows how a filter rule makes reference to a specific
-pool for matching of the source address.
+This is rather long winded. The evolution of the configuration syntax
+has also replaced the use of numbers with names, although numbers can
+still be used as can be seen here:
+.PP
.nf
-pass in from pool/100 to any
+pool ipf/tree (name "100";)
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
.fi
.PP
-The pool configuration, which matches IP addresses 1.1.1.1 and any
-in 2.2.0.0/16, except for those in 2.2.2.0/24.
+Both of the above examples produce the same configuration in the kernel
+for use with ipf.conf(5).
+.PP
+Newer options for use in ippool.conf(5) will only be offered in the new
+configuration syntax and all output using "ippool -l" will also be in the
+new configuration syntax.
+.SS
+IPFilter devices and pools
+.PP
+To cater to different administration styles, ipool.conf(5) allows you to
+tie a pool to a specific role in IPFilter. The recognised role names are:
+.HP
+ipf
+.IP
+pools defined for role "ipf" are available for use with all rules that are
+found in ipf.conf(5) except for auth rules.
+.HP
+nat
+.IP
+pools defined for role "nat" are available for use with all rules that are
+found in ipnat.conf(5).
+.HP
+auth
+.IP
+pools defined for role "auth" are available only for use with "auth" rules
+that are found in ipf.conf(5)
+.HP
+all
+.IP
+pools that are defined for the "all" role are available to all types of
+rules, be they NAT rules in ipnat.conf(5) or firewall rules in ipf.conf(5).
+.SH Address Pools
+.PP
+An address pool can be used in ipf.conf(5) and ipnat.conf(5) for matching
+the source or destination address of packets. They can be referred to either
+by name or number and can hold an arbitrary number of address patterns to
+match.
+.PP
+An address pool is considered to be a "tree type". In the older configuration
+style, it was necessary to have "type=tree" in ippool.conf(5). In the new
+style configuration, it follows the IPFilter device with which the pool
+is being configured.
+Now it is the default if left out.
+.PP
+For convenience, both IPv4 and IPv6 addresses can be stored in the same
+address pool. It should go without saying that either type of packet can
+only ever match an entry in a pool that is of the same address family.
+.PP
+The address pool searches the list of addresses configured for the best
+match. The "best match" is considered to be the match that has the highest
+number of bits set in the mask. Thus if both 2.2.0.0/16 and 2.2.2.0/24 are
+present in an address pool, the addres 2.2.2.1 will match 2.2.2.0/24 and
+2.2.1.1 will match 2.2.0.0/16. The reason for this is to allow exceptions
+to be added through the use of negative matching. In the following example,
+the pool contains "2.2.0.0/16" and "!2.2.2.0/24", meaning that all packets
+that match 2.2.0.0/16, except those that match 2.2.2.0/24, will be considered
+as a match for this pool.
.PP
-.nf
table role = ipf type = tree number = 100
- { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
+ { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24; ef00::5/128; };
+.PP
+For the sake of clarity and to aid in managing large numbers of addresses
+inside address pools, it is possible to specify a location to load the
+addresses from. To do this simply use a "file://" URL where you would
+specify an actual IP address.
+.PP
+.nf
+pool ipf/tree (name rfc1918;) { file:///etc/ipf/rfc1918; };
.fi
-.TP
-2
-The following ipf.conf extract uses the
-fr_srcgrpmap/fr_dstgrpmap lookups to use the
-.B group-map
-facility to lookup the next group to use for filter processing, providing
-the
-.B call
-filter rule is matched.
+.PP
+The contents of the file might look something like this:
+.PP
.nf
-call now fr_srcgrpmap/1010 in all
-call now fr_dstgrpmap/2010 out all
-pass in all group 1020
-block in all group 1030
-pass out all group 2020
-block out all group 2040
+# RFC 1918 networks
+10.0.0.0/8
+!127.0.0.0/8
+172.16.0.0/12
+192.168.0.0/24
.fi
.PP
-A ippool configuration to work with the above ipf.conf file might
-look like this:
+In this example, the inclusion of the line "!127.0.0.0/8" is, strictly
+speaking not correct and serves only as an example to show that negative
+matching is also supported in this file.
+.PP
+Another format that ippool(8) recognises for input from a file is that
+from whois servers. In the following example, output from a query to a
+WHOIS server for information about which networks are associated with
+the name "microsoft" has been saved in a file named "ms-networks".
+There is no need to modify the output from the whois server, so using
+either the whois command or dumping data directly from it over a TCP
+connection works perfectly file as input.
+.PP
+.nf
+pool ipf/tree (name microsoft;) { whois file "/etc/ipf/ms-networks"; };
+.fi
+.PP
+And to then block all packets to/from networks defined in that file,
+a rule like this might be used:
+.PP
+.nf
+block in from pool/microsoft to any
+.fi
+.PP
+Note that there are limitations on the output returned by whois servers
+so be aware that their output may not be 100% perfect for your goal.
+.SH Destination Lists
+.PP
+Destination lists are provided for use primarily with NAT redirect rules
+(rdr). Their purpose is to allow more sophisticated methods of selecting
+which host to send traffic to next than the simple round-robin technique
+that is present with with "round-robin" rules in ipnat.conf(5).
+.PP
+When building a list of hosts to use as a redirection list, it is
+necessary to list each host to be used explicitly. Expressing a
+collection of hosts as a range or a subnet is not supported. With each
+address it is also possible to specify a network interface name. The
+network interface name is ignored by NAT when using destination lists.
+The network itnerface name is currently only used with policy based
+routing (use of "to"/"dup-to" in ipf.conf(5)).
+.PP
+Unlike the other directives that can be expressed in this file, destination
+lists must be written using the new configuration syntax. Each destination
+list must have a name associated with it and a next hop selection policy.
+Some policies have further options. The currently available selection
+policies are:
+.HP
+round-robin
+.IP
+steps through the list of hosts configured with the destination list
+one by one
+.HP
+random
+.IP
+the next hop is chosen by random selection from the list available
+.HP
+src-hash
+.IP
+a hash is made of the source address components of the packet
+(address and port number) and this is used to select which
+next hop address is used
+.HP
+dst-hash
+.IP
+a hash is made of the destination address components of the packet
+(address and port number) and this is used to select which
+next hop address is used
+.HP
+hash
+.IP
+a hash is made of all the address components in the packet
+(addresses and port numbers) and this is used to select which
+next hop address is used
+.HP
+weighted
+.IP
+selecting a weighted policy for destination selection needs further
+clarification as to what type of weighted selection will be used.
+The sub-options to a weighted policy are:
+.RS
+.HP
+connection
+.IP
+the host that has received the least number of connections is selected
+to be the next hop. When all hosts have the same connection count,
+the last one used will be the next address selected.
+.RE
+.PP
+The first example here shows 4 destinations that are used with a
+round-robin selection policy.
+.PP
+.nf
+pool nat/dstlist (name servers; policy round-robin;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
+.fi
+.PP
+In the following example, the destination is chosen by whichever has
+had the least number of connections. By placing the interface name
+with each address and saying "all/dstlist", the destination list can
+be used with both ipnat.conf(5) and ipf.conf(5).
+.PP
+.nf
+pool all/dstlist (name servers; policy weighted connection;)
+ { bge0:1.1.1.2; bge0:1.1.1.4; bge1:1.1.1.5; bge1:1.1.1.9; };
+.fi
+.SH Group maps
+.PP
+Group maps are provided to allow more efficient processing of packets
+where there are a larger number of subnets and groups of rules for those
+subnets. Group maps are used with "call" rules in ipf.conf(5) that
+use the "srcgrpmap" and "dstgrpmap" functions.
+.PP
+A group map declaration must mention which group is the default group
+for all matching addresses to be applied to. Then inside the list of
+addresses and networks for the group, each one may optionally have
+a group number associated with it. A simple example like this, where
+the first two entries would map to group 2020 but 5.0.0.0/8 sends
+rule processing to group 2040.
.PP
.nf
-group-map in role = ipf number = 1010
- { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
group-map out role = ipf number = 2010 group = 2020
- { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
+ { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
+.fi
+.PP
+An example that outlines the real purpose of group maps is below,
+where each one of the 12 subnets is mapped to a different group
+number. This might be because each subnet has its own policy and
+rather than write a list of twelve rules in ipf.conf(5) that match
+the subnet and branch off with a head statement, a single rule can
+be used with this group map to achieve the same result.
+.PP
+.nf
+group-map ( name "2010"; in; )
+ { 192.168.1.0/24, group = 10010; 192.168.2.0/24, group = 10020;
+ 192.168.3.0/24, group = 10030; 192.168.4.0/24, group = 10040;
+ 192.168.5.0/24, group = 10050; 192.168.6.0/24, group = 10060;
+ 192.168.7.0/24, group = 10070; 192.168.8.0/24, group = 10080;
+ 192.168.9.0/24, group = 10090; 192.168.10.0/24, group = 10100;
+ 192.168.11.0/24, group = 10110; 192.168.12.0/24, group = 10120;
+ };
+.fi
+.PP
+The limitation with group maps is that only the source address or the
+destination address can be used to map the packet to the starting group,
+not both, in your ipf.conf(5) file.
+.SH Hash Tables
+.PP
+The hash table is operationally similar to the address pool. It is
+used as a store for a collection of address to match on, saving the
+need to write a lengthy list of rules. As with address pools, searching
+will attempt to find the best match - an address specification with the
+largest contiguous netmask.
+.PP
+Hash tables are best used where the list of addresses, subnets and
+networks is relatively static, which is something of a contrast to
+the address pool that can work with either static or changing
+address list sizes.
+.PP
+Further work is still needed to have IPFilter correctly size and tune
+the hash table to optimise searching. The goal is to allow for small to
+medium sized tables to achieve close to O(1) for either a positive or
+negative match, in contrast to the address pool, which is O(logn).
+.PP
+The following two examples build the same table in the kernel, using
+the old configuration format (first) and the new one (second).
+.PP
+.nf
+table role=all type=hash name=servers size=5
+ { 1.1.1.2/32; 1.1.1.3/32; 11.23.44.66/32; };
+
+pool all/hash (name servers; size 5;)
+ { 1.1.1.2; 1.1.1.3; 11.23.44.66; };
.fi
.SH FILES
/dev/iplookup
diff --git a/contrib/ipfilter/man/ippool.8 b/contrib/ipfilter/man/ippool.8
index 986812a..26cec20 100644
--- a/contrib/ipfilter/man/ippool.8
+++ b/contrib/ipfilter/man/ippool.8
@@ -6,7 +6,7 @@ ippool \- user interface to the IPFilter pools
.SH SYNOPSIS
.br
.B ippool
--a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
+-a [-dnv] [-m <name>] [-o <role>] [-t <type>] [-T ttl] -i <ipaddr>[/<netmask>]
.br
.B ippool
-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]
@@ -21,7 +21,7 @@ ippool \- user interface to the IPFilter pools
-l [-dv] [-m <name>] [-t <type>]
.br
.B ippool
--r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
+-r [-dnv] [-m <name>] [-o <role>] [-t <type>] -i <ipaddr>[/<netmask>]
.br
.B ippool
-R [-dnv] [-m <name>] [-o <role>] [-t <type>]
@@ -113,6 +113,13 @@ Sets the type of pool being defined. Myst be one of
.B hash,
.B group-map.
.TP
+.B -T <ttl>
+Sets the expiration of the node being added. The timeout is expressed
+as a number of seconds.
+.B tree,
+.B hash,
+.B group-map.
+.TP
.B -u
When parsing a configuration file, rather than load new pool data into the
kernel, unload it.
diff --git a/contrib/ipfilter/md5.c b/contrib/ipfilter/md5.c
index 63dd4b4..35756cd 100644
--- a/contrib/ipfilter/md5.c
+++ b/contrib/ipfilter/md5.c
@@ -35,10 +35,15 @@
***********************************************************************
*/
-#if defined(_KERNEL) && !defined(__sgi)
-# include <sys/systm.h>
+#if defined(linux) && defined(_KERNEL)
+extern void *memcpy(void *, const void *, unsigned long);
+# define bcopy(a,b,c) memcpy(b,a,c)
#else
-# include <string.h>
+# if defined(_KERNEL) && !defined(__sgi)
+# include <sys/systm.h>
+# else
+# include <string.h>
+# endif
#endif
#include "md5.h"
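Review bot: The Linux-kernel branch maps `bcopy` onto `memcpy`, which gives up bcopy's overlap-safe behaviour, and it hand-declares `memcpy` with an `unsigned long` length instead of `size_t`. On a target where `size_t` is not `unsigned long` that local prototype disagrees with the kernel's own declaration, so I would include `<linux/string.h>` rather than writing the extern line. The macro arguments should also be parenthesised, e.g. `# define bcopy(a,b,c) memmove((b),(a),(c))`, or `memcpy` if the copies are known never to overlap. The bcopy call sites are outside this hunk, so whether any of them passes overlapping buffers cannot be confirmed from here.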
diff --git a/contrib/ipfilter/mkfilters b/contrib/ipfilter/mkfilters
index f0e6ff4..fe15c55 100644
--- a/contrib/ipfilter/mkfilters
+++ b/contrib/ipfilter/mkfilters
@@ -60,7 +60,7 @@ foreach $i (keys %ifaces) {
sub irix_mkfilters
{
open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
-
+
while (defined($line = <NETSTAT>))
{
if ($line =~ m/^Name/)
@@ -113,4 +113,4 @@ sub scan_ifconfig
}
}
}
-
+
diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c
new file mode 100644
index 0000000..aaf61a4
--- /dev/null
+++ b/contrib/ipfilter/ml_ipl.c
@@ -0,0 +1,164 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+/*
+ * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
+ * its own major char number! Way cool patch!
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#include <sys/conf.h>
+#include <sys/syslog.h>
+#include <sys/buf.h>
+#include <sys/param.h>
+#include <sys/errno.h>
+#include <sys/uio.h>
+#include <sys/vnode.h>
+#include <sundev/mbvar.h>
+#include <sun/autoconf.h>
+#include <sun/vddrv.h>
+#if defined(sun4c) || defined(sun4m)
+#include <sun/openprom.h>
+#endif
+
+#ifndef IPL_NAME
+#define IPL_NAME "/dev/ipf"
+#endif
+
+extern int ipfattach(), ipfopen(), ipfclose(), ipfioctl(), ipfread();
+extern int nulldev(), ipfidentify(), errno;
+
+struct cdevsw ipfdevsw =
+{
+ ipfopen, ipfclose, ipfread, nulldev,
+ ipfioctl, nulldev, nulldev, nulldev,
+ 0, nulldev,
+};
+
+
+struct dev_ops ipf_ops =
+{
+ 1,
+ ipfidentify,
+ ipfattach,
+ ipfopen,
+ ipfclose,
+ ipfread,
+ NULL, /* write */
+ NULL, /* strategy */
+ NULL, /* dump */
+ 0, /* psize */
+ ipfioctl,
+ NULL, /* reset */
+ NULL /* mmap */
+};
+
+int ipf_major = 0;
+
+#ifdef sun4m
+struct vdldrv vd =
+{
+ VDMAGIC_PSEUDO,
+ "ipf",
+ &ipf_ops,
+ NULL,
+ &ipfdevsw,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ 1,
+};
+#else /* sun4m */
+struct vdldrv vd =
+{
+ VDMAGIC_PSEUDO, /* magic */
+ "ipf", /* name */
+#ifdef sun4c
+ &ipf_ops, /* dev_ops */
+#else
+ NULL, /* struct mb_ctlr *mb_ctlr */
+ NULL, /* struct mb_driver *mb_driver */
+ NULL, /* struct mb_device *mb_device */
+ 0, /* num ctlrs */
+ 1, /* numdevs */
+#endif /* sun4c */
+ NULL, /* bdevsw */
+ &ipfdevsw, /* cdevsw */
+ 0, /* block major */
+ 0, /* char major */
+};
+#endif /* sun4m */
+
+extern int vd_unuseddev();
+extern struct cdevsw cdevsw[];
+extern int nchrdev;
+
+xxxinit(fc, vdp, vdi, vds)
+ u_int fc;
+ struct vddrv *vdp;
+ caddr_t vdi;
+ struct vdstat *vds;
+{
+ struct vdlinkage *v;
+ int i;
+
+ switch (fc)
+ {
+ case VDLOAD:
+ while (ipf_major < nchrdev &&
+ cdevsw[ipf_major].d_open != vd_unuseddev)
+ ipf_major++;
+ if (ipf_major == nchrdev)
+ return ENODEV;
+ vd.Drv_charmajor = ipf_major;
+ vdp->vdd_vdtab = (struct vdlinkage *)&vd;
+ return ipf_attach(vdi);
+ case VDUNLOAD:
+ return unload(vdp, vdi);
+
+ case VDSTAT:
+ return 0;
+
+ default:
+ return EIO;
+ }
+}
+
+static unload(vdp, vdi)
+ struct vddrv *vdp;
+ struct vdioctl_unload *vdi;
+{
+ int i;
+
+ (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
+ return ipfdetach();
+}
+
+
+static int ipf_attach(vdi)
+struct vdioctl_load *vdi;
+{
+ struct vnode *vp;
+ struct vattr vattr;
+ int error = 0, fmode = S_IFCHR|0600;
+
+ (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
+ vattr_null(&vattr);
+ vattr.va_type = MFTOVT(fmode);
+ vattr.va_mode = (fmode & 07777);
+ vattr.va_rdev = ipf_major<<8;
+
+ error = vn_create(IPL_NAME, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
+ if (error == 0)
+ VN_RELE(vp);
+ return ipfattach(0);
+}
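Review bot: In `ipf_attach` the result of `vn_create` is stored in `error` and then dropped, so the function returns `ipfattach(0)` even when the `IPL_NAME` device node could not be created and the load reports success without a usable control device. I would return early with `if (error != 0) return error;` followed by `VN_RELE(vp);`, or add a comment stating that node creation is deliberately best-effort. Separately, `xxxinit` calls `ipf_attach` and `unload` before their `static` definitions, and `xxxinit` and `unload` rely on implicit `int`; a forward declaration such as `static int ipf_attach(), unload();` above `xxxinit` plus explicit `int` return types would avoid the implicit-extern versus static mismatch. The locals `v` in `xxxinit` and `i` in both `xxxinit` and `unload` are unused.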
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index ca79596..93995af 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -95,43 +95,43 @@ int sysctl_ipf_int SYSCTL_HANDLER_ARGS;
# define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
# define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipf_flags, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipf_pass, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipf_active, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipf_chksrc, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipf_minttl, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
- &fr_tcpidletimeout, 0, "");
+ &ipf_tcpidletimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
- &fr_tcphalfclosed, 0, "");
+ &ipf_tcphalfclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
- &fr_tcpclosewait, 0, "");
+ &ipf_tcpclosewait, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
- &fr_tcplastack, 0, "");
+ &ipf_tcplastack, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
- &fr_tcptimeout, 0, "");
+ &ipf_tcptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
- &fr_tcpclosed, 0, "");
+ &ipf_tcpclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
- &fr_udptimeout, 0, "");
+ &ipf_udptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
- &fr_icmptimeout, 0, "");
+ &ipf_icmptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
- &fr_defnatage, 0, "");
+ &ipf_defnatage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
- &fr_ipfrttl, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
- &fr_running, 0, "");
+ &ipf_ipfrttl, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD,
+ &ipf_running, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
- &fr_statesize, 0, "");
+ &ipf_statesize, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
- &fr_statemax, 0, "");
+ &ipf_statemax, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
- &fr_authsize, 0, "");
+ &ipf_authsize, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
- &fr_authused, 0, "");
+ &ipf_authused, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
- &fr_defaultauthage, 0, "");
+ &ipf_defaultauthage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW,
&ippr_ftp_pasvonly, 0, "");
#endif
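Review bot: Two entries change their OID name along with the variable, `fr_pass` to `ipf_pass` and `fr_running` to `ipf_running`, while every other entry keeps its `fr_` name and only the pointer is renamed. Assuming SYSCTL_IPF uses its third argument as the node name (the macro is defined outside this hunk), this renames two user-visible sysctls under `net.inet.ipf`, and scripts that read or set them by the old name would fail. If the rename is not intended, keep the old names, e.g. `SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &ipf_pass, 0, "");` and likewise for `fr_running`. If it is intended, the commit message or release notes should mention it, and the remaining `fr_` names deserve a comment explaining why they were kept.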
@@ -141,15 +141,15 @@ static void *ipf_devfs[IPL_LOGSIZE];
#endif
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
-int ipl_major = 0;
+int ipf_major = 0;
-static struct cdevsw ipldevsw =
+static struct cdevsw ipfdevsw =
{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
+ ipfopen, /* open */
+ ipfclose, /* close */
+ ipfread, /* read */
(void *)nullop, /* write */
- iplioctl, /* ioctl */
+ ipfioctl, /* ioctl */
(void *)nullop, /* stop */
(void *)nullop, /* reset */
(void *)NULL, /* tty */
@@ -158,45 +158,45 @@ static struct cdevsw ipldevsw =
NULL /* strategy */
};
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
+MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipfdevsw);
extern struct cdevsw cdevsw[];
extern int vd_unuseddev __P((void));
extern int nchrdev;
#else
-static struct cdevsw ipl_cdevsw = {
- iplopen, iplclose, iplread, nowrite, /* 79 */
- iplioctl, nostop, noreset, nodevtotty,
+static struct cdevsw ipf_cdevsw = {
+ ipfopen, ipfclose, ipfread, nowrite, /* 79 */
+ ipfioctl, nostop, noreset, nodevtotty,
#if (__FreeBSD_version >= 300000)
- seltrue, nommap, nostrategy, "ipl",
+ seltrue, nommap, nostrategy, "ipf",
#else
- noselect, nommap, nostrategy, "ipl",
+ noselect, nommap, nostrategy, "ipf",
#endif
NULL, -1
};
#endif
-static void ipl_drvinit __P((void *));
+static void ipf_drvinit __P((void *));
#ifdef ACTUALLY_LKM_NOT_KERNEL
-static int if_ipl_unload __P((struct lkm_table *, int));
-static int if_ipl_load __P((struct lkm_table *, int));
-static int if_ipl_remove __P((void));
-static int ipl_major = CDEV_MAJOR;
+static int if_ipf_unload __P((struct lkm_table *, int));
+static int if_ipf_load __P((struct lkm_table *, int));
+static int if_ipf_remove __P((void));
+static int ipf_major = CDEV_MAJOR;
-static int iplaction __P((struct lkm_table *, int));
+static int ipfaction __P((struct lkm_table *, int));
static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
IPL_SCAN, IPL_SYNC, IPL_POOL, NULL };
extern int lkmenodev __P((void));
-static int iplaction(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+static int ipfaction(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
{
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
- int i = ipl_major;
+ int i = ipf_major;
struct lkm_dev *args = lkmtp->private.lkm_dev;
#endif
int err = 0;
@@ -210,27 +210,27 @@ int cmd;
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
for (i = 0; i < nchrdev; i++)
if (cdevsw[i].d_open == lkmenodev ||
- cdevsw[i].d_open == iplopen)
+ cdevsw[i].d_open == ipfopen)
break;
if (i == nchrdev) {
printf("IP Filter: No free cdevsw slots\n");
return ENODEV;
}
- ipl_major = i;
+ ipf_major = i;
args->lkm_offset = i; /* slot in cdevsw[] */
#endif
- printf("IP Filter: loaded into slot %d\n", ipl_major);
- err = if_ipl_load(lkmtp, cmd);
+ printf("IP Filter: loaded into slot %d\n", ipf_major);
+ err = if_ipf_load(lkmtp, cmd);
if (!err)
- ipl_drvinit((void *)NULL);
+ ipf_drvinit((void *)NULL);
return err;
break;
case LKM_E_UNLOAD :
- err = if_ipl_unload(lkmtp, cmd);
+ err = if_ipf_unload(lkmtp, cmd);
if (!err) {
printf("IP Filter: unloaded from slot %d\n",
- ipl_major);
+ ipf_major);
#ifdef DEVFS
if (ipf_devfs[IPL_LOGIPF])
devfs_remove_dev(ipf_devfs[IPL_LOGIPF]);
@@ -259,7 +259,7 @@ int cmd;
}
-static int if_ipl_remove __P((void))
+static int if_ipf_remove __P((void))
{
char *name;
struct nameidata nd;
@@ -292,32 +292,32 @@ static int if_ipl_remove __P((void))
}
-static int if_ipl_unload(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+static int if_ipf_unload(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
{
int error = 0;
- error = ipldetach();
+ error = ipfdetach();
if (!error)
- error = if_ipl_remove();
+ error = if_ipf_remove();
return error;
}
-static int if_ipl_load(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+static int if_ipf_load(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
{
struct nameidata nd;
struct vattr vattr;
int error = 0, fmode = S_IFCHR|0600, i;
char *name;
- error = iplattach();
+ error = ipfattach();
if (error)
return error;
- (void) if_ipl_remove();
+ (void) if_ipf_remove();
for (i = 0; (name = ipf_devfiles[i]); i++) {
NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
@@ -335,7 +335,7 @@ int cmd;
VATTR_NULL(&vattr);
vattr.va_type = VCHR;
vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
+ vattr.va_rdev = (ipf_major << 8) | i;
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
#if (__FreeBSD_version >= 300000)
@@ -354,7 +354,7 @@ int cmd;
* strlen isn't present in 2.1.* kernels.
*/
size_t strlen(string)
-char *string;
+ char *string;
{
register char *s;
@@ -365,19 +365,19 @@ char *string;
int xxxinit(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+ DISPATCH(lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
}
#else /* __FREEBSD_version >= 220000 */
# ifdef IPFILTER_LKM
# include <sys/exec.h>
# if (__FreeBSD_version >= 300000)
-MOD_DEV(if_ipl, LM_DT_CHAR, CDEV_MAJOR, &ipl_cdevsw);
+MOD_DEV(if_ipf, LM_DT_CHAR, CDEV_MAJOR, &ipf_cdevsw);
# else
-MOD_DECL(if_ipl);
+MOD_DECL(if_ipf);
static struct lkm_dev _module = {
@@ -386,48 +386,48 @@ static struct lkm_dev _module = {
IPL_VERSION,
CDEV_MAJOR,
LM_DT_CHAR,
- { (void *)&ipl_cdevsw }
+ { (void *)&ipf_cdevsw }
};
# endif
-int if_ipl __P((struct lkm_table *, int, int));
+int if_ipf __P((struct lkm_table *, int, int));
-int if_ipl(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+int if_ipf(lkmtp, cmd, ver)
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
# if (__FreeBSD_version >= 300000)
- MOD_DISPATCH(if_ipl, lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+ MOD_DISPATCH(if_ipf, lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
# else
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+ DISPATCH(lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
# endif
}
# endif /* IPFILTER_LKM */
-static ipl_devsw_installed = 0;
+static ipf_devsw_installed = 0;
-static void ipl_drvinit __P((void *unused))
+static void ipf_drvinit __P((void *unused))
{
dev_t dev;
# ifdef DEVFS
void **tp = ipf_devfs;
# endif
- if (!ipl_devsw_installed ) {
+ if (!ipf_devsw_installed ) {
dev = makedev(CDEV_MAJOR, 0);
- cdevsw_add(&dev, &ipl_cdevsw, NULL);
- ipl_devsw_installed = 1;
+ cdevsw_add(&dev, &ipf_cdevsw, NULL);
+ ipf_devsw_installed = 1;
# ifdef DEVFS
- tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
+ tp[IPL_LOGIPF] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGIPF,
DV_CHR, 0, 0, 0600, "ipf");
- tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
+ tp[IPL_LOGNAT] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGNAT,
DV_CHR, 0, 0, 0600, "ipnat");
- tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
+ tp[IPL_LOGSTATE] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGSTATE,
DV_CHR, 0, 0, 0600,
"ipstate");
- tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH,
+ tp[IPL_LOGAUTH] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGAUTH,
DV_CHR, 0, 0, 0600,
"ipauth");
# endif
@@ -452,7 +452,7 @@ sysctl_ipf_int SYSCTL_HANDLER_ARGS
if (!arg1)
error = EPERM;
else {
- if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0))
+ if ((oidp->oid_kind & CTLFLAG_OFF) && (ipf_running > 0))
error = EBUSY;
else
error = SYSCTL_IN(req, arg1, sizeof(int));
@@ -464,6 +464,133 @@ sysctl_ipf_int SYSCTL_HANDLER_ARGS
# if defined(IPFILTER_LKM) || \
defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
-SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
+SYSINIT(ipfdev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipf_drvinit,NULL)
# endif /* IPFILTER_LKM */
#endif /* _FreeBSD_version */
+
+
+/*
+ * routines below for saving IP headers to buffer
+ */
+int ipfopen(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, devtype, p)
+ int devtype;
+# if (__FreeBSD_version >= 500024)
+ struct thread *p;
+# else
+ struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < unit)
+ unit = ENXIO;
+ else
+ unit = 0;
+ return unit;
+}
+
+
+int ipfclose(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, devtype, p)
+ int devtype;
+# if (__FreeBSD_version >= 500024)
+ struct thread *p;
+# else
+ struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < unit)
+ unit = ENXIO;
+ else
+ unit = 0;
+ return unit;
+}
+
+/*
+ * ipfread/ipflog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+int ipfread(dev, uio, ioflag)
+ int ioflag;
+#else
+int ipfread(dev, uio)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ register struct uio *uio;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (unit < 0)
+ return ENXIO;
+
+ if (ipf_running < 1)
+ return EIO;
+
+ if (unit == IPL_LOGSYNC)
+ return ipfsync_read(uio);
+
+#ifdef IPFILTER_LOG
+ return ipflog_read(unit, uio);
+#else
+ return ENXIO;
+#endif
+}
+
+
+/*
+ * ipfwrite
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+int ipfwrite(dev, uio, ioflag)
+ int ioflag;
+#else
+int ipfwrite(dev, uio)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ register struct uio *uio;
+{
+
+ if (ipf_running < 1)
+ return EIO;
+
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipfsync_write(uio);
+ return ENXIO;
+}
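Review bot: In the added ipfread(), `unit` is declared `u_int`, so `if (unit < 0)` can never be true and the minor number reaches `ipflog_read(unit, uio)` with no upper bound applied at this entry point. ipfopen() and ipfclose() in the same hunk compare against `IPL_LOGMAX`; ipfread() should do the same, for example `if (IPL_LOGMAX < unit) return ENXIO;`. Whether ipflog_read() range-checks its unit argument is not visible here, so the check should not be left to the callee. The same dead comparison appears in ipfread() in the new mlfk_ipl.c.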
diff --git a/contrib/ipfilter/mlf_rule.c b/contrib/ipfilter/mlf_rule.c
index 8b7b9d3..babd2c6 100644
--- a/contrib/ipfilter/mlf_rule.c
+++ b/contrib/ipfilter/mlf_rule.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -79,8 +79,8 @@ static int ipfrule_ioctl __P((struct lkm_table *, int));
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
int xxxinit(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl, ipfrule_ioctl);
}
@@ -107,8 +107,8 @@ int ipfrule __P((struct lkm_table *, int, int));
int ipfrule(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
# if (__FreeBSD_version >= 300000)
MOD_DISPATCH(ipfrule, lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl,
@@ -121,24 +121,24 @@ int cmd, ver;
int ipfrule_load(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+ struct lkm_table *lkmtp;
+ int cmd;
{
return ipfrule_add();
}
int ipfrule_unload(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+ struct lkm_table *lkmtp;
+ int cmd;
{
return ipfrule_remove();
}
static int ipfrule_ioctl(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+ struct lkm_table *lkmtp;
+ int cmd;
{
int err = 0;
@@ -150,12 +150,12 @@ int cmd;
err = ipfrule_load(lkmtp, cmd);
if (!err)
- fr_refcnt++;
+ ipf_refcnt++;
break;
case LKM_E_UNLOAD :
err = ipfrule_unload(lkmtp, cmd);
if (!err)
- fr_refcnt--;
+ ipf_refcnt--;
break;
case LKM_E_STAT :
break;
diff --git a/contrib/ipfilter/mlfk_ipl.c b/contrib/ipfilter/mlfk_ipl.c
new file mode 100644
index 0000000..ba1f44f
--- /dev/null
+++ b/contrib/ipfilter/mlfk_ipl.c
@@ -0,0 +1,529 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/conf.h>
+#include <sys/socket.h>
+#include <sys/sysctl.h>
+#include <sys/select.h>
+#if __FreeBSD_version >= 500000
+# include <sys/selinfo.h>
+#endif
+#include <net/if.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+
+
+#include "netinet/ipl.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_auth.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_sync.h"
+
+extern ipf_main_softc_t ipfmain;
+
+#if __FreeBSD_version >= 502116
+static struct cdev *ipf_devs[IPL_LOGSIZE];
+#else
+static dev_t ipf_devs[IPL_LOGSIZE];
+#endif
+
+#if 0
+static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
+#endif
+static int ipf_modload(void);
+static int ipf_modunload(void);
+
+#if (__FreeBSD_version >= 500024)
+# if (__FreeBSD_version >= 502116)
+static int ipfopen __P((struct cdev*, int, int, struct thread *));
+static int ipfclose __P((struct cdev*, int, int, struct thread *));
+# else
+static int ipfopen __P((dev_t, int, int, struct thread *));
+static int ipfclose __P((dev_t, int, int, struct thread *));
+# endif /* __FreeBSD_version >= 502116 */
+#else
+static int ipfopen __P((dev_t, int, int, struct proc *));
+static int ipfclose __P((dev_t, int, int, struct proc *));
+#endif
+#if (__FreeBSD_version >= 502116)
+static int ipfread __P((struct cdev*, struct uio *, int));
+static int ipfwrite __P((struct cdev*, struct uio *, int));
+#else
+static int ipfread __P((dev_t, struct uio *, int));
+static int ipfwrite __P((dev_t, struct uio *, int));
+#endif /* __FreeBSD_version >= 502116 */
+
+
+
+SYSCTL_DECL(_net_inet);
+#define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
+ SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
+ ptr, val, sysctl_ipf_int, "I", descr);
+#define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
+#define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
+SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
+#if 0
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipf_flags, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipf_pass, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipf_active, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
+ &ipf_tcpidletimeout, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
+ &ipf_tcphalfclosed, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
+ &ipf_tcpclosewait, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
+ &ipf_tcplastack, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
+ &ipf_tcptimeout, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
+ &ipf_tcpclosed, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
+ &ipf_udptimeout, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
+ &ipf_udpacktimeout, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
+ &ipf_icmptimeout, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
+ &ipf_nat_defage, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
+ &ipf_ipfrttl, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD,
+ &ipf_running, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
+ &ipf_state_size, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
+ &ipf_state_max, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
+ &ipf_nat_table_sz, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
+ &ipf_nat_maprules_sz, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
+ &ipf_nat_rdrrules_sz, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
+ &ipf_nat_hostmap_sz, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
+ &ipf_auth_size, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
+ &ipf_auth_used, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
+ &ipf_auth_defaultage, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipf_chksrc, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipf_minttl, 0, "");
+#endif
+
+#define CDEV_MAJOR 79
+#include <sys/poll.h>
+#if __FreeBSD_version >= 500043
+# include <sys/select.h>
+static int ipfpoll(struct cdev *dev, int events, struct thread *td);
+
+static struct cdevsw ipf_cdevsw = {
+#if __FreeBSD_version >= 502103
+ .d_version = D_VERSION,
+ .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */
+#endif
+ .d_open = ipfopen,
+ .d_close = ipfclose,
+ .d_read = ipfread,
+ .d_write = ipfwrite,
+ .d_ioctl = ipfioctl,
+ .d_poll = ipfpoll,
+ .d_name = "ipf",
+#if __FreeBSD_version < 600000
+ .d_maj = CDEV_MAJOR,
+#endif
+};
+#else
+static int ipfpoll(dev_t dev, int events, struct proc *td);
+
+static struct cdevsw ipf_cdevsw = {
+ /* open */ ipfopen,
+ /* close */ ipfclose,
+ /* read */ ipfread,
+ /* write */ ipfwrite,
+ /* ioctl */ ipfioctl,
+ /* poll */ ipfpoll,
+ /* mmap */ nommap,
+ /* strategy */ nostrategy,
+ /* name */ "ipf",
+ /* maj */ CDEV_MAJOR,
+ /* dump */ nodump,
+ /* psize */ nopsize,
+ /* flags */ 0,
+# if (__FreeBSD_version < 500043)
+ /* bmaj */ -1,
+# endif
+# if (__FreeBSD_version >= 430000)
+ /* kqfilter */ NULL
+# endif
+};
+#endif
+
+static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
+ IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
+
+
+static int
+ipfilter_modevent(module_t mod, int type, void *unused)
+{
+ int error = 0;
+
+ switch (type)
+ {
+ case MOD_LOAD :
+ error = ipf_modload();
+ break;
+
+ case MOD_UNLOAD :
+ error = ipf_modunload();
+ break;
+ default:
+ error = EINVAL;
+ break;
+ }
+ return error;
+}
+
+
+static int
+ipf_modload()
+{
+ char *defpass, *c, *str;
+ int i, j, error;
+
+ if (ipf_load_all() != 0)
+ return EIO;
+
+ if (ipf_create_all(&ipfmain) == NULL)
+ return EIO;
+
+ error = ipfattach(&ipfmain);
+ if (error)
+ return error;
+
+ for (i = 0; i < IPL_LOGSIZE; i++)
+ ipf_devs[i] = NULL;
+
+ for (i = 0; (str = ipf_devfiles[i]); i++) {
+ c = NULL;
+ for(j = strlen(str); j > 0; j--)
+ if (str[j] == '/') {
+ c = str + j + 1;
+ break;
+ }
+ if (!c)
+ c = str;
+ ipf_devs[i] = make_dev(&ipf_cdevsw, i, 0, 0, 0600, c);
+ }
+
+ error = ipf_pfil_hook();
+ if (error != 0)
+ return error;
+ ipf_event_reg();
+
+ if (FR_ISPASS(ipfmain.ipf_pass))
+ defpass = "pass";
+ else if (FR_ISBLOCK(ipfmain.ipf_pass))
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
+
+ printf("%s initialized. Default = %s all, Logging = %s%s\n",
+ ipfilter_version, defpass,
+#ifdef IPFILTER_LOG
+ "enabled",
+#else
+ "disabled",
+#endif
+#ifdef IPFILTER_COMPILED
+ " (COMPILED)"
+#else
+ ""
+#endif
+ );
+ return 0;
+}
+
+
+static int
+ipf_modunload()
+{
+ int error, i;
+
+ if (ipfmain.ipf_refcnt)
+ return EBUSY;
+
+ error = ipf_pfil_unhook();
+ if (error != 0)
+ return error;
+
+ if (ipfmain.ipf_running >= 0) {
+ error = ipfdetach(&ipfmain);
+ if (error != 0)
+ return error;
+
+ ipf_destroy_all(&ipfmain);
+ ipf_unload_all();
+ } else
+ error = 0;
+
+ ipfmain.ipf_running = -2;
+
+ for (i = 0; ipf_devfiles[i]; i++) {
+ if (ipf_devs[i] != NULL)
+ destroy_dev(ipf_devs[i]);
+ }
+
+ printf("%s unloaded\n", ipfilter_version);
+
+ return error;
+}
+
+
+static moduledata_t ipfiltermod = {
+ "ipfilter",
+ ipfilter_modevent,
+ 0
+};
+
+
+DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
+#ifdef MODULE_VERSION
+MODULE_VERSION(ipfilter, 1);
+#endif
+
+
+#if 0
+#ifdef SYSCTL_IPF
+int
+sysctl_ipf_int ( SYSCTL_HANDLER_ARGS )
+{
+ int error = 0;
+
+ if (arg1)
+ error = SYSCTL_OUT(req, arg1, sizeof(int));
+ else
+ error = SYSCTL_OUT(req, &arg2, sizeof(int));
+
+ if (error || !req->newptr)
+ return (error);
+
+ if (!arg1)
+ error = EPERM;
+ else {
+ if ((oidp->oid_kind & CTLFLAG_OFF) && (ipfmain.ipf_running > 0))
+ error = EBUSY;
+ else
+ error = SYSCTL_IN(req, arg1, sizeof(int));
+ }
+ return (error);
+}
+#endif
+#endif
+
+
+static int
+#if __FreeBSD_version >= 500043
+ipfpoll(struct cdev *dev, int events, struct thread *td)
+#else
+ipfpoll(dev_t dev, int events, struct proc *td)
+#endif
+{
+ u_int unit = GET_MINOR(dev);
+ int revents;
+
+ if (unit < 0 || unit > IPL_LOGMAX)
+ return 0;
+
+ revents = 0;
+
+ switch (unit)
+ {
+ case IPL_LOGIPF :
+ case IPL_LOGNAT :
+ case IPL_LOGSTATE :
+#ifdef IPFILTER_LOG
+ if ((events & (POLLIN | POLLRDNORM)) && ipf_log_canread(&ipfmain, unit))
+ revents |= events & (POLLIN | POLLRDNORM);
+#endif
+ break;
+ case IPL_LOGAUTH :
+ if ((events & (POLLIN | POLLRDNORM)) && ipf_auth_waiting(&ipfmain))
+ revents |= events & (POLLIN | POLLRDNORM);
+ break;
+ case IPL_LOGSYNC :
+ if ((events & (POLLIN | POLLRDNORM)) && ipf_sync_canread(&ipfmain))
+ revents |= events & (POLLIN | POLLRDNORM);
+ if ((events & (POLLOUT | POLLWRNORM)) && ipf_sync_canwrite(&ipfmain))
+ revents |= events & (POLLOUT | POLLWRNORM);
+ break;
+ case IPL_LOGSCAN :
+ case IPL_LOGLOOKUP :
+ default :
+ break;
+ }
+
+ if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0))
+ selrecord(td, &ipfmain.ipf_selwait[unit]);
+
+ return revents;
+}
+
+
+/*
+ * routines below for saving IP headers to buffer
+ */
+static int ipfopen(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, devtype, p)
+ int devtype;
+# if (__FreeBSD_version >= 500024)
+ struct thread *p;
+# else
+ struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+ int error;
+
+ if (IPL_LOGMAX < unit)
+ error = ENXIO;
+ else {
+ switch (unit)
+ {
+ case IPL_LOGIPF :
+ case IPL_LOGNAT :
+ case IPL_LOGSTATE :
+ case IPL_LOGAUTH :
+ case IPL_LOGLOOKUP :
+ case IPL_LOGSYNC :
+#ifdef IPFILTER_SCAN
+ case IPL_LOGSCAN :
+#endif
+ error = 0;
+ break;
+ default :
+ error = ENXIO;
+ break;
+ }
+ }
+ return error;
+}
+
+
+static int ipfclose(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, devtype, p)
+ int devtype;
+# if (__FreeBSD_version >= 500024)
+ struct thread *p;
+# else
+ struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < unit)
+ unit = ENXIO;
+ else
+ unit = 0;
+ return unit;
+}
+
+/*
+ * ipfread/ipflog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+static int ipfread(dev, uio, ioflag)
+ int ioflag;
+#else
+static int ipfread(dev, uio)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ struct uio *uio;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (unit < 0)
+ return ENXIO;
+
+ if (ipfmain.ipf_running < 1)
+ return EIO;
+
+ if (unit == IPL_LOGSYNC)
+ return ipf_sync_read(&ipfmain, uio);
+
+#ifdef IPFILTER_LOG
+ return ipf_log_read(&ipfmain, unit, uio);
+#else
+ return ENXIO;
+#endif
+}
+
+
+/*
+ * ipfwrite
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+static int ipfwrite(dev, uio, ioflag)
+ int ioflag;
+#else
+static int ipfwrite(dev, uio)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ struct uio *uio;
+{
+
+ if (ipfmain.ipf_running < 1)
+ return EIO;
+
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipf_sync_write(&ipfmain, uio);
+ return ENXIO;
+}
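Review bot: ipf_modload() returns the error from `ipf_pfil_hook()` after the `make_dev()` loop and `ipfattach()` have already succeeded, and nothing on that path undoes them. If the load is then abandoned, the device nodes would stay registered against `ipf_cdevsw` and the state built by `ipf_load_all()` and `ipf_create_all()` stays allocated. The earlier `ipf_create_all()` and `ipfattach()` failure returns skip cleanup in the same way. The failure branch should tear down in reverse order with the calls ipf_modunload() already uses, as sketched below.

```c
	error = ipf_pfil_hook();
	if (error != 0) {
		/* undo make_dev() and ipfattach() so nothing outlives a failed load */
		for (i = 0; ipf_devfiles[i]; i++) {
			if (ipf_devs[i] != NULL) {
				destroy_dev(ipf_devs[i]);
				ipf_devs[i] = NULL;
			}
		}
		(void) ipfdetach(&ipfmain);
		ipf_destroy_all(&ipfmain);
		ipf_unload_all();
		return error;
	}
	/* … unchanged: ipf_event_reg() and the startup banner … */
```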
diff --git a/contrib/ipfilter/mlfk_rule.c b/contrib/ipfilter/mlfk_rule.c
index 5f7aed8..9f951cf 100644
--- a/contrib/ipfilter/mlfk_rule.c
+++ b/contrib/ipfilter/mlfk_rule.c
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: mlfk_rule.c,v 2.4.4.2 2004/04/16 23:32:08 darrenr Exp $
+ * $Id$
*/
@@ -30,6 +30,7 @@
#include "ip_rules.h"
+extern ipf_main_softc_t ipfmain;
static int
ipfrule_modevent(module_t mod, int type, void *unused)
@@ -41,12 +42,12 @@ ipfrule_modevent(module_t mod, int type, void *unused)
case MOD_LOAD :
error = ipfrule_add();
if (!error)
- fr_refcnt++;
+ ipfmain.ipf_refcnt++;
break;
case MOD_UNLOAD :
error = ipfrule_remove();
if (!error)
- fr_refcnt--;
+ ipfmain.ipf_refcnt--;
break;
default:
error = EINVAL;
diff --git a/contrib/ipfilter/mlh_rule.c b/contrib/ipfilter/mlh_rule.c
index dd350df..cc2a74c 100644
--- a/contrib/ipfilter/mlh_rule.c
+++ b/contrib/ipfilter/mlh_rule.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -88,7 +88,7 @@ static int ipf_load(void *arg)
i = ipfrule_add();
if (!i)
- fr_refcnt--;
+ ipf_refcnt--;
#ifdef IPFDEBUG
printf("IP Filter Rules: ipfrule_add() = %d\n", i);
#endif
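Review bot: ipf_load() decrements the reference count after a successful `ipfrule_add()` (`if (!i) ipf_refcnt--;`), whereas the load paths in mlf_rule.c and mlfk_rule.c in this same commit increment it. The rename carries that over unchanged. If it is not intentional the line should read `ipf_refcnt++;`, otherwise a comment should say why load and unload both decrement here. In the other module glue on this page the counter gates unload (`if (ipf_refcnt) return EBUSY;`), so a wrong sign changes when the filter can be removed. ipf_load()'s body starts and ends outside the hunk.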
@@ -104,7 +104,7 @@ static int ipf_unload(void *arg)
i = ipfrule_remove();
if (!i)
- fr_refcnt--;
+ ipf_refcnt--;
#ifdef IPFDEBUG
printf("IP Filter Rules: ipfrule_remove() = %d\n", i);
#endif
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
new file mode 100644
index 0000000..2a0024c
--- /dev/null
+++ b/contrib/ipfilter/mli_ipl.c
@@ -0,0 +1,683 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ * (C)opyright 1997 by Marc Boucher.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ */
+
+/* TODO: (MARCXXX)
+ - ipl_init failure -> open ENODEV or whatever
+ - prevent multiple LKM loads
+ - surround access to ifnet structures by IFNET_LOCK()/IFNET_UNLOCK() ?
+ - m != m1 problem
+*/
+
+#include <sys/types.h>
+#include <sys/conf.h>
+#ifdef IPFILTER_LKM
+#include <sys/mload.h>
+#endif
+#include <sys/systm.h>
+#include <sys/errno.h>
+#include <net/if.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#ifdef IFF_DRVRLOCK /* IRIX6 */
+#include <sys/hashing.h>
+#include <netinet/in_var.h>
+#endif
+#include <sys/mbuf.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/tcpip.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/ipfilter.h>
+#include "ipl.h"
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_nat.h"
+
+#ifndef MBUF_IS_CLUSTER
+# define MBUF_IS_CLUSTER(m) ((m)->m_flags & MCL_CLUSTER)
+#endif
+#undef IPFDEBUG /* #define IPFDEBUG 9 */
+
+#ifdef IPFILTER_LKM
+u_int ipldevflag = D_MP;
+char *iplmversion = M_VERSION;
+#else
+u_int ipfilterdevflag = D_MP;
+char *ipfiltermversion = M_VERSION;
+#endif
+
+ipfmutex_t ipl_mutex, ipfi_mutex, ipf_rw, ipf_stinsert, ipf_auth_mx;
+ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
+ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
+ipfrwlock_t ipf_global, ipf_mutex, ipf_ipidfrag, ipf_frcache, ipf_tokens;
+
+int (*ipf_checkp) __P((struct ip *, int, void *, int, mb_t **));
+
+#ifdef IPFILTER_LKM
+static int *ipff_addr = 0;
+static int ipff_value;
+static __psunsigned_t *ipfk_addr = 0;
+static __psunsigned_t ipfk_code[4];
+#endif
+static void nifattach();
+static void nifdetach();
+
+typedef struct nif {
+ struct nif *nf_next;
+ struct ifnet *nf_ifp;
+#if (IRIX < 60500)
+ int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *);
+#else
+ int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
+ struct rtentry *);
+#endif
+ char nf_name[LIFNAMSIZ];
+ int nf_unit;
+} nif_t;
+
+static nif_t *nif_head = 0;
+static int nif_interfaces = 0;
+extern int in_interfaces;
+#if IRIX >= 60500
+toid_t ipf_timer_id;
+#endif
+
+extern ipnat_t *nat_list;
+
+#ifdef IPFDEBUG
+static void ipf_dumppacket(m)
+ struct mbuf *m;
+{
+ u_char *s;
+ char *t, line[80];
+ int len, off, i;
+
+ off = 0;
+
+ while (m != NULL) {
+ len = M_LEN(m);
+ s = mtod(m, u_char *);
+ printf("mbuf 0x%lx len %d flags %x type %d\n",
+ m, len, m->m_flags, m->m_type);
+ printf("dat 0x%lx off 0x%lx/%d s 0x%lx next 0x%lx\n",
+ m->m_dat, m->m_off, m->m_off, s, m->m_next);
+ while (len > 0) {
+ t = line;
+ for (i = 0; (i < 16) && (len > 0); len--, i++)
+ sprintf(t, " %02x", *s++), t += strlen(t);
+ *s = '\0';
+ printf("mbuf:%x:%s\n", off, line);
+ off += 16;
+ }
+ m = m->m_next;
+ }
+}
+#endif
+
+
+static int
+#if IRIX < 60500
+ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
+#else
+ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+ struct rtentry *rt)
+#endif
+{
+#if (IPFDEBUG >= 0)
+ static unsigned int cnt = 0;
+#endif
+ nif_t *nif;
+
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
+ for (nif = nif_head; nif; nif = nif->nf_next)
+ if (nif->nf_ifp == ifp)
+ break;
+ MUTEX_EXIT(&ipfi_mutex);
+
+ if (nif == NULL) {
+ printf("IP Filter: ipl_if_output intf %x NOT FOUND\n", ifp);
+ return ENETDOWN;
+ }
+
+#if (IPFDEBUG >= 7)
+ if ((++cnt % 200) == 0)
+ printf("IP Filter: ipl_if_output(ifp=0x%lx, m=0x%lx, dst=0x%lx), m_type=%d m_flags=0x%lx m_off=0x%lx\n", ifp, m, dst, m->m_type, (u_long)m->m_flags, m->m_off);
+#endif
+
+ if (ipf_checkp) {
+ struct mbuf *m1 = m;
+ struct ip *ip;
+ int hlen;
+
+ switch(m->m_type)
+ {
+ case MT_HEADER:
+ if (m->m_len == 0) {
+ if (m->m_next == NULL)
+ break;
+ m = m->m_next;
+ }
+ /* FALLTHROUGH */
+ case MT_DATA:
+ if (!MBUF_IS_CLUSTER(m) &&
+ ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
+#if (IPFDEBUG >= 4)
+ printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (u_long)m->m_flags, m->m_off);
+#endif
+ break;
+ }
+ if (m->m_len < sizeof(char)) {
+#if (IPFDEBUG >= 3)
+ printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (u_long)m->m_flags);
+#endif
+ break;
+ }
+ ip = mtod(m, struct ip *);
+ if (ip->ip_v != IPVERSION) {
+#if (IPFDEBUG >= 2)
+ ipf_dumppacket(m);
+ printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (u_long)m->m_flags, m->m_off);
+#endif
+ break;
+ }
+
+ hlen = ip->ip_hl << 2;
+ if ((*ipf_checkp)(ip, hlen, ifp, 1, &m1) || (m1 == NULL))
+ return EHOSTUNREACH;
+
+ m = m1;
+ break;
+
+ default:
+#if (IPFDEBUG >= 2)
+ printf("IP Filter: ipl_if_output: bad m_type=%d m_flags=0x%lxm_off=0x%lx\n", m->m_type, (u_long)m->m_flags, m->m_off);
+#endif
+ break;
+ }
+ }
+#if (IRIX < 60500)
+ return (*nif->nf_output)(ifp, m, dst);
+#else
+ return (*nif->nf_output)(ifp, m, dst, rt);
+#endif
+}
+
+int
+
+
+#if !defined(IPFILTER_LKM) && (IRIX >= 60500)
+ipfilter_kernel(struct ifnet *rcvif, struct mbuf *m)
+#else
+ipl_kernel(struct ifnet *rcvif, struct mbuf *m)
+#endif
+{
+#if (IPFDEBUG >= 7)
+ static unsigned int cnt = 0;
+
+ if ((++cnt % 200) == 0)
+ printf("IP Filter: ipl_kernel(rcvif=0x%lx, m=0x%lx\n",
+ rcvif, m);
+#endif
+
+ if (ipf_running <= 0)
+ return IPF_ACCEPTIT;
+
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (ipf_checkp) {
+ struct mbuf *m1 = m;
+ struct ip *ip;
+ int hlen;
+
+ if ((m->m_type != MT_DATA) && (m->m_type != MT_HEADER)) {
+#if (IPFDEBUG >= 4)
+ printf("IP Filter: ipl_kernel: bad m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (u_long)m->m_flags, m->m_off);
+#endif
+ return IPF_ACCEPTIT;
+ }
+
+ if (!MBUF_IS_CLUSTER(m) &&
+ ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
+#if (IPFDEBUG >= 4)
+ printf("IP Filter: ipl_kernel: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (u_long)m->m_flags, m->m_off);
+#endif
+ return IPF_ACCEPTIT;
+ }
+
+ if (m->m_len < sizeof(char)) {
+#if (IPFDEBUG >= 1)
+ printf("IP Filter: ipl_kernel: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (u_long)m->m_flags);
+#endif
+ return IPF_ACCEPTIT;
+ }
+
+ ip = mtod(m, struct ip *);
+ if (ip->ip_v != IPVERSION) {
+#if (IPFDEBUG >= 4)
+ printf("IP Filter: ipl_kernel: bad ip_v\n");
+#endif
+ m_freem(m);
+ return IPF_DROPIT;
+ }
+
+ ip->ip_len = htons(ip->ip_len);
+ ip->ip_off = htons(ip->ip_off);
+ hlen = ip->ip_hl << 2;
+ if ((*ipf_checkp)(ip, hlen, rcvif, 0, &m1) || !m1)
+ return IPF_DROPIT;
+ ip = mtod(m1, struct ip *);
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
+
+#if (IPFDEBUG >= 2)
+ if (m != m1)
+ printf("IP Filter: ipl_kernel: m != m1\n");
+#endif
+ }
+
+ return IPF_ACCEPTIT;
+}
+
+int
+ipl_ipfilter_attach(void)
+{
+#if defined(IPFILTER_LKM)
+ __psunsigned_t *addr_ff, *addr_fk;
+
+ st_findaddr("ipfilterflag", &addr_ff);
+# if (IPFDEBUG >= 1)
+ printf("IP Filter: st_findaddr ipfilterflag=0x%lx\n", addr_ff);
+# endif
+ if (!addr_ff)
+ return ESRCH;
+
+ st_findaddr("ipfilter_kernel", &addr_fk);
+# if (IPFDEBUG >= 1)
+ printf("IP Filter: st_findaddr ipfilter_kernel=0x%lx\n", addr_fk);
+# endif
+ if (!addr_fk)
+ return ESRCH;
+
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
+
+ ipff_addr = (int *)addr_ff;
+
+ ipff_value = *ipff_addr;
+ *ipff_addr = 0;
+
+
+ ipfk_addr = addr_fk;
+
+ bcopy(ipfk_addr, ipfk_code, sizeof(ipfk_code));
+
+ /* write a "li t4, ipl_kernel" instruction */
+ ipfk_addr[0] = 0x3c0c0000 |
+ (((__psunsigned_t)ipl_kernel >> 16) & 0xffff);
+ ipfk_addr[1] = 0x358c0000 |
+ ((__psunsigned_t)ipl_kernel & 0xffff);
+ /* write a "jr t4" instruction" */
+ ipfk_addr[2] = 0x01800008;
+
+ /* write a "nop" instruction */
+ ipfk_addr[3] = 0;
+
+ icache_inval(ipfk_addr, sizeof(ipfk_code));
+
+ *ipff_addr = 1; /* enable ipfilter_kernel */
+
+ MUTEX_EXIT(&ipfi_mutex);
+#else
+ extern int ipfilterflag;
+
+ ipfilterflag = 1;
+#endif
+ nif_interfaces = 0;
+ nifattach();
+
+ return 0;
+}
+
+
+/*
+ * attach the packet filter to each non-loopback interface that is running
+ */
+static void
+nifattach()
+{
+ nif_t *nif, *qf2;
+ struct ifnet *ifp;
+ struct frentry *f;
+ ipnat_t *np;
+
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
+
+ for (ifp = ifnet; ifp; ifp = ifp->if_next) {
+ if ((!(ifp->if_flags & IFF_RUNNING)) ||
+ (ifp->if_flags & IFF_LOOPBACK))
+ continue;
+
+ /*
+ * Look for entry already setup for this device
+ */
+ for (nif = nif_head; nif; nif = nif->nf_next)
+ if (nif->nf_ifp == ifp)
+ break;
+ if (nif)
+ continue;
+
+ if (ifp->if_output == ipl_if_output) {
+ printf("IP Filter: ERROR INTF 0x%lx STILL ATTACHED\n",
+ ifp);
+ continue;
+ }
+#if (IPFDEBUG >= 2)
+ printf("IP Filter: nifattach nif %x opt %x\n",
+ ifp, ifp->if_output);
+#endif
+ KMALLOC(nif, nif_t *);
+ if (!nif) {
+ printf("IP Filter: malloc(%d) for nif_t failed\n",
+ sizeof(nif_t));
+ continue;
+ }
+
+ nif->nf_ifp = ifp;
+ (void) strncpy(nif->nf_name, ifp->if_name,
+ sizeof(nif->nf_name));
+ nif->nf_name[sizeof(nif->nf_name) - 1] = '\0';
+ nif->nf_unit = ifp->if_unit;
+
+ nif->nf_next = nif_head;
+ nif_head = nif;
+
+ /*
+ * Activate any rules directly associated with this interface
+ */
+ WRITE_ENTER(&ipf_mutex);
+ for (f = ipf_rules[0][0]; f; f = f->fr_next) {
+ if ((f->fr_ifa == (struct ifnet *)-1)) {
+ if (f->fr_ifname[0] &&
+ (GETIFP(f->fr_ifname, 4) == ifp))
+ f->fr_ifa = ifp;
+ }
+ }
+ for (f = ipf_rules[1][0]; f; f = f->fr_next) {
+ if ((f->fr_ifa == (struct ifnet *)-1)) {
+ if (f->fr_ifname[0] &&
+ (GETIFP(f->fr_ifname, 4) == ifp))
+ f->fr_ifa = ifp;
+ }
+ }
+ RWLOCK_EXIT(&ipf_mutex);
+ WRITE_ENTER(&ipf_nat);
+ for (np = nat_list; np; np = np->in_next) {
+ if ((np->in_ifps[0] == (void *)-1)) {
+ if (np->in_ifnames[0][0] &&
+ (GETIFP(np->in_ifnames[0], 4) == ifp))
+ np->in_ifps[0] = (void *)ifp;
+ }
+ if ((np->in_ifps[1] == (void *)-1)) {
+ if (np->in_ifnames[1][0] &&
+ (GETIFP(np->in_ifnames[1], 4) == ifp))
+ np->in_ifps[1] = (void *)ifp;
+ }
+ }
+ RWLOCK_EXIT(&ipf_nat);
+
+ nif->nf_output = ifp->if_output;
+ ifp->if_output = ipl_if_output;
+
+#if (IPFDEBUG >= 2)
+ printf("IP Filter: nifattach: ifp(%lx)->if_output FROM %lx TO %lx\n",
+ ifp, nif->nf_output, ifp->if_output);
+#endif
+
+ printf("IP Filter: attach to [%s,%d]\n",
+ nif->nf_name, ifp->if_unit);
+ }
+ if (!nif_head)
+ printf("IP Filter: not attached to any interfaces\n");
+
+ nif_interfaces = in_interfaces;
+
+ MUTEX_EXIT(&ipfi_mutex);
+
+ return;
+}
+
+
+/*
+ * unhook the IP filter from all defined interfaces with IP addresses
+ */
+static void
+nifdetach()
+{
+ nif_t *nif, *qf2, **qp;
+ struct ifnet *ifp;
+
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
+ /*
+ * Make two passes, first get rid of all the unknown devices, next
+ * unlink known devices.
+ */
+ for (qp = &nif_head; (nif = *qp); ) {
+ for (ifp = ifnet; ifp; ifp = ifp->if_next)
+ if (nif->nf_ifp == ifp)
+ break;
+ if (ifp) {
+ qp = &nif->nf_next;
+ continue;
+ }
+ printf("IP Filter: removing [%s]\n", nif->nf_name);
+ *qp = nif->nf_next;
+ KFREE(nif);
+ }
+
+ while ((nif = nif_head)) {
+ nif_head = nif->nf_next;
+ for (ifp = ifnet; ifp; ifp = ifp->if_next)
+ if (nif->nf_ifp == ifp)
+ break;
+ if (ifp) {
+ printf("IP Filter: detaching [%s,%d]\n",
+ nif->nf_name, ifp->if_unit);
+
+#if (IPFDEBUG >= 4)
+ printf("IP Filter: nifdetach: ifp(%lx)->if_output FROM %lx TO %lx\n",
+ ifp, ifp->if_output, nif->nf_output);
+#endif
+ ifp->if_output = nif->nf_output;
+ }
+ KFREE(nif);
+ }
+ MUTEX_EXIT(&ipfi_mutex);
+
+ return;
+}
+
+
+void
+ipl_ipfilter_detach(void)
+{
+#ifdef IPFILTER_LKM
+ nifdetach();
+ MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
+
+ if (ipff_addr) {
+ *ipff_addr = 0;
+
+ if (ipfk_addr) {
+ bcopy(ipfk_code, ipfk_addr, sizeof(ipfk_code));
+ icache_inval(ipfk_addr - 16, sizeof(ipfk_code)+32);
+ }
+
+ *ipff_addr = ipff_value;
+ }
+
+ MUTEX_EXIT(&ipfi_mutex);
+#else
+ extern int ipfilterflag;
+
+ nifdetach();
+
+ ipfilterflag = 0;
+#endif
+}
+
+
+/* this function is called from ipf_slowtimer at 500ms intervals to
+ keep our interface list in sync */
+void
+ipl_ipfilter_intfsync(void)
+{
+ MUTEX_ENTER(&ipfi_mutex);
+ if (nif_interfaces != in_interfaces) {
+ /* if the number of interfaces has changed, resync */
+ MUTEX_EXIT(&ipfi_mutex);
+ ipf_sync(&ipfmain, NULL);
+ } else
+ MUTEX_EXIT(&ipfi_mutex);
+}
+
+#ifdef IPFILTER_LKM
+/* this routine should be treated as an interrupt routine and should
+ not call any routines that would cause it to sleep, such as: biowait(),
+ sleep(), psema() or delay().
+*/
+int
+iplunload(void)
+{
+ int error = 0;
+
+ if (ipf_refcnt)
+ return EBUSY;
+
+ WRITE_ENTER(&ipf_global);
+ error = ipl_detach();
+ if (error != 0) {
+ RWLOCK_EXIT(&ipf_global);
+ return error;
+ }
+ ipf_running = -2;
+
+#if (IRIX < 60500)
+ LOCK_DEALLOC(ipl_mutex.l);
+ LOCK_DEALLOC(ipf_rw.l);
+ LOCK_DEALLOC(ipf_auth.l);
+ LOCK_DEALLOC(ipf_natfrag.l);
+ LOCK_DEALLOC(ipf_ipidfrag.l);
+ LOCK_DEALLOC(ipf_tokens.l);
+ LOCK_DEALLOC(ipf_stinsert.l);
+ LOCK_DEALLOC(ipf_nat_new.l);
+ LOCK_DEALLOC(ipf_natio.l);
+ LOCK_DEALLOC(ipf_nat.l);
+ LOCK_DEALLOC(ipf_state.l);
+ LOCK_DEALLOC(ipf_frag.l);
+ LOCK_DEALLOC(ipf_auth_mx.l);
+ LOCK_DEALLOC(ipf_mutex.l);
+ LOCK_DEALLOC(ipf_frcache.l);
+ LOCK_DEALLOC(ipfi_mutex.l);
+ RWLOCK_EXIT(&ipf_global);
+ LOCK_DEALLOC(ipf_global.l);
+#else
+ MUTEX_DESTROY(&ipf_rw);
+ MUTEX_DESTROY(&ipfi_mutex);
+ MUTEX_DESTROY(&ipf_timeoutlock);
+ RW_DESTROY(&ipf_mutex);
+ RW_DESTROY(&ipf_frcache);
+ RW_DESTROY(&ipf_tokens);
+ RWLOCK_EXIT(&ipf_global);
+ delay(hz);
+ RW_DESTROY(&ipf_global);
+#endif
+
+ printf("%s unloaded\n", ipfilter_version);
+
+ delay(hz);
+
+ return 0;
+}
+#endif
+
+void
+ipfilterinit(void)
+{
+#ifdef IPFILTER_LKM
+ int error;
+#endif
+
+#if (IRIX < 60500)
+ ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ipf_frcache.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ipf_timeoutlock.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_global.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_stinsert.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_ipidfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_tokens.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+ ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
+
+ if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_timeoutlock.l ||
+ !ipf_frag.l || !ipf_state.l || !ipf_nat.l || !ipf_natfrag.l ||
+ !ipf_auth.l || !ipf_rw.l || !ipf_ipidfrag.l || !ipl_mutex.l ||
+ !ipf_stinsert.l || !ipf_auth_mx.l || !ipf_frcache.l ||
+ !ipf_tokens.l)
+ panic("IP Filter: LOCK_ALLOC failed");
+#else
+ MUTEX_INIT(&ipf_rw, "ipf rw mutex");
+ MUTEX_INIT(&ipf_timeoutlock, "ipf timeout mutex");
+ RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
+ RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
+ RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock");
+#endif
+
+#ifdef IPFILTER_LKM
+ error = ipl_attach();
+ if (error) {
+ iplunload();
+ } else {
+ char *defpass;
+
+ if (FR_ISPASS(ipf_pass))
+ defpass = "pass";
+ else if (FR_ISBLOCK(ipf_pass))
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
+
+ printf("%s initialized. Default = %s all, Logging = %s%s\n",
+ ipfilter_version, defpass,
+# ifdef IPFILTER_LOG
+ "enabled",
+# else
+ "disabled",
+# endif
+# ifdef IPFILTER_COMPILED
+ " (COMPILED)"
+# else
+ ""
+# endif
+ );
+ }
+#endif
+
+ return;
+}
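Review bot: ipl_kernel() only guarantees one byte of header (`if (m->m_len < sizeof(char))`) before it rewrites `ip->ip_len` and `ip->ip_off` and passes `hlen = ip->ip_hl << 2` to `(*ipf_checkp)()`. A first mbuf shorter than an IP header is therefore read and written past its data, unless the caller has already pulled the header up, which this file does not show. The guard should cover the fixed header and reject an undersized header length, for example `if (m->m_len < sizeof(struct ip))` and then `if (hlen < sizeof(struct ip))`; ipl_if_output() has the same one-byte check. The existing malformed-mbuf branches in ipl_kernel() return `IPF_ACCEPTIT`, so packets the hook cannot parse pass without being filtered, and that choice should at least be stated in a comment.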
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
new file mode 100644
index 0000000..28b5407
--- /dev/null
+++ b/contrib/ipfilter/mln_ipl.c
@@ -0,0 +1,355 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ */
+/*
+ * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
+ * its own major char number! Way cool patch!
+ */
+
+
+#include <sys/param.h>
+
+/*
+ * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
+ * on those hooks. We don't need any special mods with this!
+ */
+#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
+ (defined(NetBSD1_2) && NetBSD1_2 > 1)
+# define NETBSD_PF
+#endif
+
+#include <sys/systm.h>
+#include <sys/conf.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/proc.h>
+#include <sys/uio.h>
+#include <sys/kernel.h>
+#include <sys/vnode.h>
+#include <sys/namei.h>
+#include <sys/malloc.h>
+#include <sys/mount.h>
+#include <sys/exec.h>
+#include <sys/mbuf.h>
+#include <net/if.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <net/route.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <sys/lkm.h>
+#include <sys/poll.h>
+#include <sys/select.h>
+#include "ipl.h"
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_auth.h"
+#include "ip_state.h"
+#include "ip_nat.h"
+#include "ip_sync.h"
+
+#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
+#define vn_lock(v,f) VOP_LOCK(v)
+#endif
+
+#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
+#define VOP_LEASE LEASE_CHECK
+#endif
+
+
+extern int lkmenodev __P((void));
+
+#if NetBSD >= 199706
+int ipflkm_lkmentry __P((struct lkm_table *, int, int));
+#else
+int xxxinit __P((struct lkm_table *, int, int));
+#endif
+static int ipf_unload __P((void));
+static int ipf_load __P((void));
+static int ipf_remove __P((void));
+static int ipfaction __P((struct lkm_table *, int));
+static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
+ IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
+ IPLOOKUP_NAME, NULL };
+
+int ipf_major = 0;
+extern ipf_main_softc_t ipfmain;
+extern const struct cdevsw ipl_cdevsw;
+
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
+MOD_DEV(IPL_VERSION, "ipf", NULL, -1, &ipl_cdevsw, -1);
+#else
+MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
+#endif
+
+extern int vd_unuseddev __P((void));
+extern struct cdevsw cdevsw[];
+extern int nchrdev;
+
+
+int
+#if NetBSD >= 199706
+ipflkm_lkmentry(lkmtp, cmd, ver)
+#else
+xxxinit(lkmtp, cmd, ver)
+#endif
+ struct lkm_table *lkmtp;
+ int cmd, ver;
+{
+ DISPATCH(lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
+}
+
+
+static int
+ipfaction(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
+{
+#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
+ int i;
+#endif
+ struct lkm_dev *args = lkmtp->private.lkm_dev;
+ int err = 0;
+
+ switch (cmd)
+ {
+ case LKM_E_LOAD :
+ if (lkmexists(lkmtp))
+ return EEXIST;
+
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
+# if (__NetBSD_Version__ < 200000000)
+ err = devsw_attach(args->lkm_devname,
+ args->lkm_bdev, &args->lkm_bdevmaj,
+ args->lkm_cdev, &args->lkm_cdevmaj);
+ if (err != 0)
+ return (err);
+# endif
+ ipf_major = args->lkm_cdevmaj;
+#else
+ for (i = 0; i < nchrdev; i++)
+ if (cdevsw[i].d_open == (dev_type_open((*)))lkmenodev ||
+ cdevsw[i].d_open == ipfopen)
+ break;
+ if (i == nchrdev) {
+ printf("IP Filter: No free cdevsw slots\n");
+ return ENODEV;
+ }
+
+ ipf_major = i;
+ args->lkm_offset = i; /* slot in cdevsw[] */
+#endif
+ printf("IP Filter: loaded into slot %d\n", ipf_major);
+ return ipf_load();
+ case LKM_E_UNLOAD :
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
+ devsw_detach(args->lkm_bdev, args->lkm_cdev);
+ args->lkm_bdevmaj = -1;
+ args->lkm_cdevmaj = -1;
+#endif
+ err = ipf_unload();
+ if (!err)
+ printf("IP Filter: unloaded from slot %d\n",
+ ipf_major);
+ break;
+ case LKM_E_STAT :
+ break;
+ default:
+ err = EIO;
+ break;
+ }
+ return err;
+}
+
+
+static int
+ipf_remove()
+{
+ char *name;
+ struct nameidata nd;
+ int error, i;
+
+ for (i = 0; (name = ipf_devfiles[i]); i++) {
+#if (__NetBSD_Version__ > 106009999)
+# if (__NetBSD_Version__ > 399001400)
+# if (__NetBSD_Version__ > 499001400)
+ NDINIT(&nd, DELETE, LOCKPARENT|LOCKLEAF, UIO_SYSSPACE,
+ name);
+# else
+ NDINIT(&nd, DELETE, LOCKPARENT|LOCKLEAF, UIO_SYSSPACE,
+ name, curlwp);
+# endif
+# else
+ NDINIT(&nd, DELETE, LOCKPARENT|LOCKLEAF, UIO_SYSSPACE,
+ name, curproc);
+# endif
+#else
+ NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
+#endif
+ if ((error = namei(&nd)))
+ return (error);
+#if (__NetBSD_Version__ > 399001400)
+# if (__NetBSD_Version__ > 399002000)
+# if (__NetBSD_Version__ < 499001400)
+ VOP_LEASE(nd.ni_dvp, curlwp, curlwp->l_cred, LEASE_WRITE);
+# endif
+# else
+ VOP_LEASE(nd.ni_dvp, curlwp, curlwp->l_proc->p_ucred, LEASE_WRITE);
+# endif
+#else
+ VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
+#endif
+#if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000)
+ vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
+#endif
+#if (__NetBSD_Version__ >= 399002000)
+# if (__NetBSD_Version__ < 499001400)
+ VOP_LEASE(nd.ni_vp, curlwp, curlwp->l_cred, LEASE_WRITE);
+# endif
+#else
+# if (__NetBSD_Version__ > 399001400)
+ VOP_LEASE(nd.ni_vp, curlwp, curlwp->l_proc->p_ucred, LEASE_WRITE);
+# else
+ VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
+# endif
+#endif
+ (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
+ }
+ return 0;
+}
+
+
+static int
+ipf_unload()
+{
+ int error = 0;
+
+ /*
+ * Unloading - remove the filter rule check from the IP
+ * input/output stream.
+ */
+ if (ipfmain.ipf_refcnt)
+ error = EBUSY;
+ else if (ipfmain.ipf_running >= 0) {
+ error = ipfdetach(&ipfmain);
+ if (error == 0) {
+ ipf_destroy_all(&ipfmain);
+ ipf_unload_all();
+ }
+ }
+
+ if (error == 0) {
+ ipfmain.ipf_running = -2;
+ error = ipf_remove();
+ printf("%s unloaded\n", ipfilter_version);
+ }
+ return error;
+}
+
+
+static int
+ipf_load()
+{
+ struct nameidata nd;
+ struct vattr vattr;
+ int error = 0, fmode = S_IFCHR|0600, i;
+ char *name;
+
+ /*
+ * XXX Remove existing device nodes prior to creating new ones
+ * XXX using the assigned LKM device slot's major number. In a
+ * XXX perfect world we could use the ones specified by cdevsw[].
+ */
+ (void)ipf_remove();
+
+ bzero((char *)&ipfmain, sizeof(ipfmain));
+ error = ipf_load_all();
+ if (error != 0)
+ return error;
+ if (ipf_create_all(&ipfmain) == NULL) {
+ ipf_unload_all();
+ return EIO;
+ }
+
+ error = ipfattach(&ipfmain);
+ if (error != 0) {
+ (void) ipf_unload();
+ return error;
+ }
+
+ for (i = 0; (error == 0) && (name = ipf_devfiles[i]); i++) {
+#if (__NetBSD_Version__ > 399001400)
+# if (__NetBSD_Version__ > 499001400)
+ NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name);
+# else
+ NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curlwp);
+# endif
+#else
+ NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
+#endif
+ if ((error = namei(&nd)))
+ break;
+ if (nd.ni_vp != NULL) {
+ VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
+ if (nd.ni_dvp == nd.ni_vp)
+ vrele(nd.ni_dvp);
+ else
+ vput(nd.ni_dvp);
+ vrele(nd.ni_vp);
+ error = EEXIST;
+ break;
+ }
+ VATTR_NULL(&vattr);
+ vattr.va_type = VCHR;
+ vattr.va_mode = (fmode & 07777);
+ vattr.va_rdev = (ipf_major << 8) | i;
+#if (__NetBSD_Version__ > 399001400)
+# if (__NetBSD_Version__ >= 399002000)
+# if (__NetBSD_Version__ < 499001400)
+ VOP_LEASE(nd.ni_dvp, curlwp, curlwp->l_cred, LEASE_WRITE);
+# endif
+# else
+ VOP_LEASE(nd.ni_dvp, curlwp, curlwp->l_proc->p_ucred, LEASE_WRITE);
+# endif
+#else
+ VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
+#endif
+ error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
+ if (error == 0)
+ vput(nd.ni_vp);
+ }
+
+ if (error == 0) {
+ char *defpass;
+
+ if (FR_ISPASS(ipfmain.ipf_pass))
+ defpass = "pass";
+ else if (FR_ISBLOCK(ipfmain.ipf_pass))
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
+
+ printf("%s initialized. Default = %s all, Logging = %s%s\n",
+ ipfilter_version, defpass,
+#ifdef IPFILTER_LOG
+ "enabled",
+#else
+ "disabled",
+#endif
+#ifdef IPFILTER_COMPILED
+ " (COMPILED)"
+#else
+ ""
+#endif
+ );
+ ipfmain.ipf_running = 1;
+ }
+ return error;
+}
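Review bot: In `ipfaction`, the `LKM_E_UNLOAD` case calls `devsw_detach()` and resets `lkm_bdevmaj`/`lkm_cdevmaj` to -1 before `ipf_unload()` has been tried, so when `ipf_unload()` returns `EBUSY` (non-zero `ipfmain.ipf_refcnt`) the module stays loaded with its device switch entry already gone. Call `err = ipf_unload();` first and `if (err != 0) break;` ahead of the `devsw_detach` block, so the detach only happens once the filter has actually been torn down. Separately, `ipf_remove()` returns on the first `namei()` failure, so one missing node in `ipf_devfiles[]` leaves the later nodes in place. `ipf_load()` discards that result and then stops with `EEXIST` on the stale node, and `ipf_unload()` reports the error after the filter is already detached. Using `continue` instead of `return (error)` there would make the cleanup best-effort for every name.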
diff --git a/contrib/ipfilter/mln_rule.c b/contrib/ipfilter/mln_rule.c
new file mode 100644
index 0000000..2df3376
--- /dev/null
+++ b/contrib/ipfilter/mln_rule.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/conf.h>
+#include <sys/proc.h>
+#include <sys/ioctl.h>
+#include <sys/kernel.h>
+#include <sys/mbuf.h>
+#include <sys/exec.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <net/route.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <sys/lkm.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_rules.h"
+
+
+static int ipfruleaction __P((struct lkm_table *, int));
+
+#ifdef IPFILTER_LKM
+# if NetBSD >= 199706
+int ipfrule_lkmentry __P((struct lkm_table *, int, int));
+# else
+int xxxinit __P((struct lkm_table *, int, int));
+# endif
+
+
+MOD_MISC("IPFilter Rules");
+
+# if NetBSD >= 199706
+int ipfrule_lkmentry(lkmtp, cmd, ver)
+# else
+int xxxinit(lkmtp, cmd, ver)
+# endif
+ struct lkm_table *lkmtp;
+ int cmd, ver;
+{
+ DISPATCH(lkmtp, cmd, ver, ipfruleaction, ipfruleaction, ipfruleaction);
+}
+
+static int ipfruleaction(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
+{
+ int err = 0;
+
+ switch (cmd)
+ {
+ case LKM_E_LOAD :
+ if (lkmexists(lkmtp))
+ return EEXIST;
+
+ err = ipfrule_add();
+ if (!err)
+ ipf_refcnt++;
+ break;
+ case LKM_E_UNLOAD :
+ err = ipfrule_remove();
+ if (!err)
+ ipf_refcnt--;
+ break;
+ case LKM_E_STAT :
+ break;
+ default:
+ err = EIO;
+ break;
+ }
+ return err;
+}
+#endif /* IPFILTER_LKM */
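Review bot: `ipfruleaction` counts its reference on a bare `ipf_refcnt`, while the busy check in mln_ipl.c's `ipf_unload()` in this same commit tests `ipfmain.ipf_refcnt`, and mlso_rule.c updates `ipfmain.ipf_refcnt`. Unless `ipf_refcnt` is a macro for that field in a header not shown here, the base module will not see the rules module's reference and can be unloaded while compiled rules are still installed. I would use `ipfmain.ipf_refcnt++;` and `ipfmain.ipf_refcnt--;` with `extern ipf_main_softc_t ipfmain;` declared as mln_ipl.c does. The same bare name is used in mlo_rule.c and mls_rule.c later in this diff. The load path also adds rules without the `ipfmain.ipf_running >= 0` check that mlso_rule.c's `_init` performs.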
diff --git a/contrib/ipfilter/mlo_ipl.c b/contrib/ipfilter/mlo_ipl.c
new file mode 100644
index 0000000..35556fa
--- /dev/null
+++ b/contrib/ipfilter/mlo_ipl.c
@@ -0,0 +1,364 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/conf.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/proc.h>
+#include <sys/uio.h>
+#include <sys/kernel.h>
+#include <sys/vnode.h>
+#include <sys/namei.h>
+#include <sys/malloc.h>
+#include <sys/mount.h>
+#include <sys/exec.h>
+#include <sys/mbuf.h>
+#include <net/if.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <net/route.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <sys/lkm.h>
+#include "ipl.h"
+#include "ip_compat.h"
+#include "ip_fil.h"
+
+#define vn_lock(v,f) VOP_LOCK(v)
+
+#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
+#define VOP_LEASE LEASE_CHECK
+#endif
+
+
+extern int lkmenodev __P((void));
+
+#if OpenBSD >= 200311
+int if_ipf_lkmentry __P((struct lkm_table *, int, int));
+#else
+int if_ipf __P((struct lkm_table *, int, int));
+#endif
+static int ipf_unload __P((void));
+static int ipf_load __P((void));
+static int ipf_remove __P((void));
+static int ipfaction __P((struct lkm_table *, int));
+static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
+ IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
+ IPLOOKUP_NAME, NULL };
+
+
+struct cdevsw ipfdevsw =
+{
+ ipfopen, /* open */
+ ipfclose, /* close */
+ ipfread, /* read */
+ (void *)nullop, /* write */
+ ipfioctl, /* ioctl */
+ (void *)nullop, /* stop */
+ (void *)NULL, /* tty */
+ (void *)nullop, /* select */
+ (void *)nullop, /* mmap */
+ NULL /* strategy */
+};
+
+int ipf_major = 0;
+
+MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipfdevsw);
+
+extern int vd_unuseddev __P((void));
+extern struct cdevsw cdevsw[];
+extern int nchrdev;
+
+
+#if OpenBSD >= 200311
+int if_ipf_lkmentry (lkmtp, cmd, ver)
+#else
+int if_ipf(lkmtp, cmd, ver)
+#endif
+ struct lkm_table *lkmtp;
+ int cmd, ver;
+{
+ DISPATCH(lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
+}
+
+int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
+
+static int ipfaction(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
+{
+ int i;
+ struct lkm_dev *args = lkmtp->private.lkm_dev;
+ int err = 0;
+
+ switch (cmd)
+ {
+ case LKM_E_LOAD :
+ if (lkmexists(lkmtp))
+ return EEXIST;
+
+ for (i = 0; i < nchrdev; i++)
+ if (cdevsw[i].d_open == (dev_type_open((*)))lkmenodev ||
+ cdevsw[i].d_open == ipfopen)
+ break;
+ if (i == nchrdev) {
+ printf("IP Filter: No free cdevsw slots\n");
+ return ENODEV;
+ }
+
+ ipf_major = i;
+ args->lkm_offset = i; /* slot in cdevsw[] */
+ printf("IP Filter: loaded into slot %d\n", ipf_major);
+ return ipf_load();
+ case LKM_E_UNLOAD :
+ err = ipf_unload();
+ if (!err)
+ printf("IP Filter: unloaded from slot %d\n",
+ ipf_major);
+ break;
+ case LKM_E_STAT :
+ break;
+ default:
+ err = EIO;
+ break;
+ }
+ return err;
+}
+
+
+static int ipf_remove()
+{
+ struct nameidata nd;
+ int error, i;
+ char *name;
+
+ for (i = 0; (name = ipf_devfiles[i]); i++) {
+#if OpenBSD >= 200311
+ NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_SYSSPACE,
+ name, curproc);
+#else
+ NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
+#endif
+ if ((error = namei(&nd)))
+ return (error);
+ VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
+#if OpenBSD < 200311
+ VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc);
+ VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
+#else
+ (void)uvm_vnp_uncache(nd.ni_vp);
+
+ VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
+ VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
+#endif
+ (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
+ }
+ return 0;
+}
+
+
+static int ipf_unload()
+{
+ int error = 0;
+
+ /*
+ * Unloading - remove the filter rule check from the IP
+ * input/output stream.
+ */
+ if (ipf_refcnt)
+ error = EBUSY;
+ else if (ipf_running >= 0)
+ error = ipfdetach();
+
+ if (error == 0) {
+ ipf_running = -2;
+ error = ipf_remove();
+ printf("%s unloaded\n", ipfilter_version);
+ }
+ return error;
+}
+
+
+static int ipf_load()
+{
+ struct nameidata nd;
+ struct vattr vattr;
+ int error = 0, fmode = S_IFCHR|0600, i;
+ char *name;
+
+ /*
+ * XXX Remove existing device nodes prior to creating new ones
+ * XXX using the assigned LKM device slot's major number. In a
+ * XXX perfect world we could use the ones specified by cdevsw[].
+ */
+ (void)ipf_remove();
+
+ error = ipfattach();
+
+ for (i = 0; (error == 0) && (name = ipf_devfiles[i]); i++) {
+ NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
+ if ((error = namei(&nd)))
+ break;
+ if (nd.ni_vp != NULL) {
+ VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
+ if (nd.ni_dvp == nd.ni_vp)
+ vrele(nd.ni_dvp);
+ else
+ vput(nd.ni_dvp);
+ vrele(nd.ni_vp);
+ error = EEXIST;
+ break;
+ }
+ VATTR_NULL(&vattr);
+ vattr.va_type = VCHR;
+ vattr.va_mode = (fmode & 07777);
+ vattr.va_rdev = (ipf_major << 8) | i;
+ VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
+ error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
+ }
+
+ if (error == 0) {
+ char *defpass;
+
+ if (FR_ISPASS(ipf_pass))
+ defpass = "pass";
+ else if (FR_ISBLOCK(ipf_pass))
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
+
+ printf("%s initialized. Default = %s all, Logging = %s%s\n",
+ ipfilter_version, defpass,
+#ifdef IPFILTER_LOG
+ "enabled",
+#else
+ "disabled",
+#endif
+#ifdef IPFILTER_COMPILED
+ " (COMPILED)"
+#else
+ ""
+#endif
+ );
+ ipf_running = 1;
+ }
+ return error;
+}
+
+
+/*
+ * routines below for saving IP headers to buffer
+ */
+int
+ipfopen(dev, flags, devtype, p)
+ dev_t dev;
+ int flags;
+ int devtype;
+ struct proc *p;
+{
+ u_int min = GET_MINOR(dev);
+ int error;
+
+ if (IPL_LOGMAX < min) {
+ error = ENXIO;
+ } else {
+ switch (unit)
+ {
+ case IPL_LOGIPF :
+ case IPL_LOGNAT :
+ case IPL_LOGSTATE :
+ case IPL_LOGAUTH :
+ case IPL_LOGLOOKUP :
+ case IPL_LOGSYNC :
+#ifdef IPFILTER_SCAN
+ case IPL_LOGSCAN :
+#endif
+ error = 0;
+ break;
+ default :
+ error = ENXIO;
+ break;
+ }
+ }
+ return error;
+}
+
+
+int
+ipfclose(dev, flags, devtype, p)
+ dev_t dev;
+ int flags;
+ int devtype;
+ struct proc *p;
+{
+ u_int min = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < min)
+ min = ENXIO;
+ else
+ min = 0;
+ return min;
+}
+
+
+/*
+ * ipfread/ipflog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+int
+ipfread(dev, uio, ioflag)
+ dev_t dev;
+ register struct uio *uio;
+ int ioflag;
+{
+
+ if (ipf_running < 1)
+ return EIO;
+
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipfsync_read(uio);
+
+#ifdef IPFILTER_LOG
+ return ipflog_read(GET_MINOR(dev), uio);
+#else
+ return ENXIO;
+#endif
+}
+
+
+/*
+ * ipfwrite
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+int
+#if (BSD >= 199306)
+ipfwrite(dev, uio, ioflag)
+ int ioflag;
+#else
+ipfwrite(dev, uio)
+#endif
+ dev_t dev;
+ register struct uio *uio;
+{
+
+ if (ipf_running < 1)
+ return EIO;
+
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipfsync_write(uio);
+ return ENXIO;
+}
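Review bot: `ipfopen` stores the minor number in `min` but then does `switch (unit)`, and no `unit` is declared in the function, so unless a header defines it this will not compile; the line should read `switch (min)`. In addition, `ipfdevsw` puts `(void *)nullop` in the write slot although `ipfwrite` is defined at the end of the file, so writes to the sync device would go to `nullop` instead of reaching `ipfsync_write()`. If that is not intended, the slot should be `ipfwrite`.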
diff --git a/contrib/ipfilter/mlo_rule.c b/contrib/ipfilter/mlo_rule.c
new file mode 100644
index 0000000..dbd4305
--- /dev/null
+++ b/contrib/ipfilter/mlo_rule.c
@@ -0,0 +1,80 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/conf.h>
+#include <sys/proc.h>
+#include <sys/ioctl.h>
+#include <sys/kernel.h>
+#include <sys/mbuf.h>
+#include <sys/exec.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <net/route.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <sys/lkm.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_rules.h"
+
+
+#ifdef IPFILTER_LKM
+
+static int ipfruleaction __P((struct lkm_table *, int));
+
+int ipfrule __P((struct lkm_table *, int, int));
+
+
+MOD_MISC("IPFilter Rules");
+
+int ipfrule(lkmtp, cmd, ver)
+ struct lkm_table *lkmtp;
+ int cmd, ver;
+{
+ DISPATCH(lkmtp, cmd, ver, ipfruleaction, ipfruleaction, ipfruleaction);
+}
+
+int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
+
+static int ipfruleaction(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
+{
+ int err = 0;
+
+ switch (cmd)
+ {
+ case LKM_E_LOAD :
+ if (lkmexists(lkmtp))
+ return EEXIST;
+
+ err = ipfrule_add();
+ if (!err)
+ ipf_refcnt++;
+ break;
+ case LKM_E_UNLOAD :
+ err = ipfrule_remove();
+ if (!err)
+ ipf_refcnt--;
+ break;
+ case LKM_E_STAT :
+ break;
+ default:
+ err = EIO;
+ break;
+ }
+ return err;
+}
+#endif /* IPFILTER_LKM */
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
new file mode 100644
index 0000000..4388b61
--- /dev/null
+++ b/contrib/ipfilter/mls_ipl.c
@@ -0,0 +1,351 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+/*
+ * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
+ * its own major char number! Way cool patch!
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/conf.h>
+#include <sys/syslog.h>
+#include <sys/buf.h>
+#include <sys/mbuf.h>
+#include <sys/param.h>
+#include <sys/errno.h>
+#include <sys/uio.h>
+#include <sys/vnode.h>
+#include <sundev/mbvar.h>
+#include <sun/autoconf.h>
+#include <sun/vddrv.h>
+#if defined(sun4c) || defined(sun4m)
+# include <sun/openprom.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <net/if.h>
+#include "ipl.h"
+#include "ip_compat.h"
+#include "ip_fil.h"
+
+
+#if !defined(lint)
+static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id$";
+#endif
+
+extern int ipfdetach __P((void));
+#ifndef IPFILTER_LOG
+#define ipfread nulldev
+#endif
+extern int nulldev __P((void));
+extern int errno;
+
+extern int nodev __P((void));
+
+static int unload __P((void));
+static int ipf_attach __P((void));
+int xxxinit __P((u_int, struct vddrv *, caddr_t, struct vdstat *));
+static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME,
+ IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME,
+ IPLOOKUP_NAME, NULL };
+static int ipfopen __P((dev_t, int));
+static int ipfclose __P((dev_t, int));
+static int ipfread __P((dev_t, struct uio *));
+static int ipfwrite __P((dev_t, struct uio *));
+
+
+struct cdevsw ipfdevsw =
+{
+ ipfopen, ipfclose, ipfread, nulldev,
+ ipfioctl, nulldev, nulldev, nulldev,
+ 0, nulldev,
+};
+
+
+struct dev_ops ipf_ops =
+{
+ 1,
+ ipfidentify,
+ ipfattach,
+ ipfopen,
+ ipfclose,
+ ipfread,
+ ipfwrite,
+ NULL, /* strategy */
+ NULL, /* dump */
+ 0, /* psize */
+ ipfioctl,
+ NULL, /* reset */
+ NULL /* mmap */
+};
+
+int ipf_major = 0;
+
+#ifdef sun4m
+struct vdldrv vd =
+{
+ VDMAGIC_PSEUDO,
+ IPL_VERSION,
+ &ipf_ops,
+ NULL,
+ &ipfdevsw,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ 1,
+};
+#else /* sun4m */
+struct vdldrv vd =
+{
+ VDMAGIC_PSEUDO, /* magic */
+ IPL_VERSION,
+#ifdef sun4c
+ &ipf_ops, /* dev_ops */
+#else
+ NULL, /* struct mb_ctlr *mb_ctlr */
+ NULL, /* struct mb_driver *mb_driver */
+ NULL, /* struct mb_device *mb_device */
+ 0, /* num ctlrs */
+ 1, /* numdevs */
+#endif /* sun4c */
+ NULL, /* bdevsw */
+ &ipfdevsw, /* cdevsw */
+ 0, /* block major */
+ 0, /* char major */
+};
+#endif /* sun4m */
+
+extern int vd_unuseddev __P((void));
+extern struct cdevsw cdevsw[];
+extern int nchrdev;
+
+xxxinit(fc, vdp, data, vds)
+ u_int fc;
+ struct vddrv *vdp;
+ caddr_t data;
+ struct vdstat *vds;
+{
+ struct vdioctl_load *vdi = (struct vdioctl_load *)data;
+
+ switch (fc)
+ {
+ case VDLOAD:
+ {
+ struct vdconf *vdc;
+ if (vdi && vdi->vdi_userconf)
+ for (vdc = vdi->vdi_userconf; vdc->vdc_type; vdc++)
+ if (vdc->vdc_type == VDCCHARMAJOR) {
+ ipf_major = vdc->vdc_data;
+ break;
+ }
+
+ if (!ipf_major) {
+ while (ipf_major < nchrdev &&
+ cdevsw[ipf_major].d_open != vd_unuseddev)
+ ipf_major++;
+ if (ipf_major == nchrdev)
+ return ENODEV;
+ }
+ vdp->vdd_vdtab = (struct vdlinkage *)&vd;
+ vd.Drv_charmajor = ipf_major;
+ return ipf_attach();
+ }
+ case VDUNLOAD:
+ return unload();
+ case VDSTAT:
+ return 0;
+ default:
+ return EIO;
+ }
+}
+
+
+static int
+unload()
+{
+ int err = 0, i;
+ char *name;
+
+ if (ipf_refcnt != 0)
+ err = EBUSY;
+ else if (ipf_running >= 0)
+ err = ipfdetach();
+ if (err)
+ return err;
+
+ ipf_running = -2;
+ for (i = 0; (name = ipf_devfiles[i]); i++)
+ (void) vn_remove(name, UIO_SYSSPACE, FILE);
+ printf("%s unloaded\n", ipfilter_version);
+ return 0;
+}
+
+
+static int
+ipf_attach()
+{
+ struct vnode *vp;
+ struct vattr vattr;
+ int error = 0, fmode = S_IFCHR|0600, i;
+ char *name;
+
+ error = ipfattach();
+ if (error)
+ return error;
+
+ for (i = 0; (name = ipf_devfiles[i]); i++) {
+ (void) vn_remove(name, UIO_SYSSPACE, FILE);
+ vattr_null(&vattr);
+ vattr.va_type = MFTOVT(fmode);
+ vattr.va_mode = (fmode & 07777);
+ vattr.va_rdev = (ipf_major << 8) | i;
+
+ error = vn_create(name, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
+ if (error) {
+ printf("IP Filter: vn_create(%s) = %d\n", name, error);
+ break;
+ } else {
+ VN_RELE(vp);
+ }
+ }
+
+ if (error == 0) {
+ char *defpass;
+
+ if (FR_ISPASS(ipf_pass))
+ defpass = "pass";
+ else if (FR_ISBLOCK(ipf_pass))
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
+
+ printf("%s initialized. Default = %s all, Logging = %s%s\n",
+ ipfilter_version, defpass,
+#ifdef IPFILTER_LOG
+ "enabled",
+#else
+ "disabled",
+#endif
+#ifdef IPFILTER_COMPILED
+ " (COMPILED)"
+#else
+ ""
+#endif
+ );
+ ipf_running = 1;
+ }
+ return error;
+}
+
+
+/*
+ * routines below for saving IP headers to buffer
+ */
+static int
+ipfopen(dev, flags)
+ dev_t dev;
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+ int error;
+
+ if (IPL_LOGMAX < unit) {
+ error = ENXIO;
+ } else {
+ switch (unit)
+ {
+ case IPL_LOGIPF :
+ case IPL_LOGNAT :
+ case IPL_LOGSTATE :
+ case IPL_LOGAUTH :
+ case IPL_LOGLOOKUP :
+ case IPL_LOGSYNC :
+#ifdef IPFILTER_SCAN
+ case IPL_LOGSCAN :
+#endif
+ error = 0;
+ break;
+ default :
+ error = ENXIO;
+ break;
+ }
+ }
+ return error;
+}
+
+
+static int
+ipfclose(dev, flags)
+ dev_t dev;
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < unit)
+ unit = ENXIO;
+ else
+ unit = 0;
+ return unit;
+}
+
+
+/*
+ * ipfread/ipflog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+static int
+ipfread(dev, uio)
+ dev_t dev;
+ register struct uio *uio;
+{
+
+ if (ipf_running < 1) {
+ ipfmain.ipf_interror = 130006;
+ return EIO;
+ }
+
+#ifdef IPFILTER_LOG
+ return ipflog_read(GET_MINOR(dev), uio);
+#else
+ ipfmain.ipf_interror = 130007;
+ return ENXIO;
+#endif
+}
+
+
+/*
+ * ipfwrite
+ */
+static int
+ipfwrite(dev, uio)
+ dev_t dev;
+ register struct uio *uio;
+{
+
+ if (ipf_running < 1) {
+ ipfmain.ipf_interror = 130008;
+ return EIO;
+ }
+
+ if (getminor(dev) == IPL_LOGSYNC)
+ return ipfsync_write(uio);
+ ipfmain.ipf_interror = 130009;
+ return ENXIO;
+}
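Review bot: With `IPFILTER_LOG` undefined, `#define ipfread nulldev` rewrites both the later prototype `static int ipfread __P((dev_t, struct uio *));` and the `ipfread` definition into a second, static `nulldev`, which conflicts with `extern int nulldev __P((void));`. The function body already handles the no-logging build by returning `ENXIO`, so the `#ifndef IPFILTER_LOG` / `#define ipfread nulldev` block can simply be dropped. `ipfwrite` also calls `getminor(dev)` where every other routine in this file uses `GET_MINOR(dev)`; it should use `GET_MINOR(dev)` as well. In `ipf_attach`, a `vn_create()` failure returns with the filter still attached by `ipfattach()` and no `ipfdetach()` call, which looks worth unwinding.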
diff --git a/contrib/ipfilter/mls_rule.c b/contrib/ipfilter/mls_rule.c
new file mode 100644
index 0000000..e37df0c
--- /dev/null
+++ b/contrib/ipfilter/mls_rule.c
@@ -0,0 +1,116 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+/*
+ * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
+ * its own major char number! Way cool patch!
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/conf.h>
+#include <sys/syslog.h>
+#include <sys/buf.h>
+#include <sys/mbuf.h>
+#include <sys/param.h>
+#include <sys/errno.h>
+#include <sys/uio.h>
+#include <sys/vnode.h>
+#include <sundev/mbvar.h>
+#include <sun/autoconf.h>
+#include <sun/vddrv.h>
+#if defined(sun4c) || defined(sun4m)
+# include <sun/openprom.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <net/if.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_rules.h"
+
+
+extern int errno;
+
+
+int xxxinit __P((u_int, struct vddrv *, caddr_t, struct vdstat *));
+
+int ipl_major = 0;
+
+#ifdef sun4m
+struct vdldrv vd =
+{
+ VDMAGIC_USER,
+ "IP Filter rules",
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ 1,
+};
+#else /* sun4m */
+struct vdldrv vd =
+{
+ VDMAGIC_USER, /* magic */
+ "IP Filter rules",
+#ifdef sun4c
+ NULL, /* dev_ops */
+#else
+ NULL, /* struct mb_ctlr *mb_ctlr */
+ NULL, /* struct mb_driver *mb_driver */
+ NULL, /* struct mb_device *mb_device */
+ 0, /* num ctlrs */
+ 1, /* numdevs */
+#endif /* sun4c */
+ NULL, /* bdevsw */
+ NULL, /* cdevsw */
+ 0, /* block major */
+ 0, /* char major */
+};
+#endif /* sun4m */
+
+
+xxxinit(fc, vdp, data, vds)
+ u_int fc;
+ struct vddrv *vdp;
+ caddr_t data;
+ struct vdstat *vds;
+{
+ struct vdioctl_load *vdi = (struct vdioctl_load *)data;
+ int err;
+
+ switch (fc)
+ {
+ case VDLOAD:
+ err = ipfrule_add();
+ if (!err)
+ ipf_refcnt++;
+ break;
+ case VDUNLOAD:
+ err = ipfrule_remove();
+ if (!err)
+ ipf_refcnt--;
+ break;
+ case VDSTAT:
+ err = 0;
+ break;
+ default:
+ err = EIO;
+ break;
+ }
+}
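Review bot: `xxxinit` sets `err` in every case of the switch but ends without returning it, so the module loader receives an indeterminate value for load, unload and stat; add `return err;` before the closing brace. The definition also omits the return type although the prototype above declares `int`, and `vdi` is assigned but never used.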
diff --git a/contrib/ipfilter/mlso_rule.c b/contrib/ipfilter/mlso_rule.c
new file mode 100644
index 0000000..a9395f2
--- /dev/null
+++ b/contrib/ipfilter/mlso_rule.c
@@ -0,0 +1,130 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#pragma ident "@(#)$Id$"
+
+#include <sys/systm.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/errno.h>
+#include <sys/uio.h>
+#include <sys/buf.h>
+#include <sys/modctl.h>
+#include <sys/open.h>
+#include <sys/kmem.h>
+#include <sys/conf.h>
+#include <sys/cmn_err.h>
+#include <sys/stat.h>
+#include <sys/cred.h>
+#include <sys/dditypes.h>
+#include <sys/stream.h>
+#include <sys/poll.h>
+#include <sys/autoconf.h>
+#include <sys/byteorder.h>
+#include <sys/socket.h>
+#include <sys/dlpi.h>
+#include <sys/stropts.h>
+#include <sys/sockio.h>
+#include <net/if.h>
+#if SOLARIS2 >= 6
+# include <net/if_types.h>
+#endif
+#include <net/af.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/if_ether.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/tcpip.h>
+#include <netinet/ip_icmp.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include "ip_compat.h"
+#include "ip_fil.h"
+#include "ip_rules.h"
+
+char _depends_on[] = "drv/ipf";
+
+
+extern ipf_main_softc_t ipfmain;
+extern struct mod_ops mod_miscops;
+static struct modlmisc ipfrulemod = {
+ &mod_miscops,
+ "IP Filter rules"
+};
+
+static struct modlinkage modlink1 = {
+ MODREV_1,
+ &ipfrulemod,
+ NULL
+};
+
+
+int _init()
+{
+ int ipfruleinst;
+
+ ipfruleinst = mod_install(&modlink1);
+#ifdef IPFRULEDEBUG
+ cmn_err(CE_NOTE, "IP Filter Rules: _init() = %d", ipfruleinst);
+#endif
+
+ if (ipfruleinst == 0) {
+ if (ipfmain.ipf_running >= 0) {
+ ipfruleinst = ipfrule_add();
+ if (!ipfruleinst)
+ ipfmain.ipf_refcnt++;
+ else {
+ cmn_err(CE_NOTE,
+ "IP Filter Rules: ipfrule_add failed");
+ ipfruleinst = -1;
+ }
+ } else
+ ipfruleinst = -1;
+ }
+ if (ipfruleinst == 0)
+ cmn_err(CE_CONT, "IP Filter Rules: loaded\n");
+ return ipfruleinst;
+}
+
+
+int _fini(void)
+{
+ int ipfruleinst;
+
+ ipfruleinst = mod_remove(&modlink1);
+#ifdef IPFRULEDEBUG
+ cmn_err(CE_NOTE, "IP Filter Rules: _fini() = %d", ipfruleinst);
+#endif
+ if (ipfruleinst == 0) {
+ ipfruleinst = ipfrule_remove();
+ if (!ipfruleinst)
+ ipfmain.ipf_refcnt--;
+ else
+ ipfruleinst = -1;
+ }
+ if (ipfruleinst == 0)
+ cmn_err(CE_CONT, "IP Filter Rules: unloaded\n");
+ return ipfruleinst;
+}
+
+
+int _info(modinfop)
+ struct modinfo *modinfop;
+{
+ int ipfruleinst;
+
+ ipfruleinst = mod_info(&modlink1, modinfop);
+#ifdef IPFRULEDEBUG
+ cmn_err(CE_NOTE, "IP Filter Rules: _info(%x) = %x",
+ modinfop, ipfruleinst);
+#endif
+ return ipfruleinst;
+}
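Review bot: In `_init`, once `mod_install()` has succeeded, both failure paths (filter not running, or `ipfrule_add()` failing) return -1 without undoing the install, so the linkage stays registered for a module whose init reported failure. Add `(void) mod_remove(&modlink1);` on those paths before returning. `_fini` has the mirror problem: it calls `mod_remove()` first and only then `ipfrule_remove()`, so a failing rule removal returns -1 after the module has already been unlinked and leaves `ipfmain.ipf_refcnt` held. Removing the rules first and calling `mod_remove()` only on success avoids that. Under `IPFRULEDEBUG`, `_info` prints the `modinfop` pointer with `%x`, which should be `%p` with a `(void *)` cast.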
diff --git a/contrib/ipfilter/net/.cvsignore b/contrib/ipfilter/net/.cvsignore
deleted file mode 100644
index 19f86f4..0000000
--- a/contrib/ipfilter/net/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-done
diff --git a/contrib/ipfilter/opts.h b/contrib/ipfilter/opts.h
index fa53c8f..3c8b88b 100644
--- a/contrib/ipfilter/opts.h
+++ b/contrib/ipfilter/opts.h
@@ -1,11 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2000 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: opts.h,v 2.12 2003/08/14 14:24:27 darrenr Exp $
+ * $Id$
*/
#ifndef __OPTS_H__
@@ -42,6 +42,8 @@
#define OPT_HEX 0x2000000
#define OPT_ASCII 0x4000000
#define OPT_NORESOLVE 0x8000000
+#define OPT_DONTOPEN 0x10000000
+#define OPT_PURGE 0x20000000
#define OPT_STAT OPT_FRSTATES
#define OPT_LIST OPT_SHOWLIST
diff --git a/contrib/ipfilter/pcap-ipf.h b/contrib/ipfilter/pcap-ipf.h
index 71250ad..b856760 100644
--- a/contrib/ipfilter/pcap-ipf.h
+++ b/contrib/ipfilter/pcap-ipf.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
diff --git a/contrib/ipfilter/perl/Ipfanaly.pl b/contrib/ipfilter/perl/Ipfanaly.pl
index 0fa7c17..eda232e 100644
--- a/contrib/ipfilter/perl/Ipfanaly.pl
+++ b/contrib/ipfilter/perl/Ipfanaly.pl
@@ -41,7 +41,7 @@ if ($maxout > $maxin)
($dayis,$monthis,$yearis)=split "/",$dateis;
$month=$months{$monthis};
$dateis="$dayis " . "$month " . "$yearis ";
-# split graphs in to 6 four hour spans for 24 hours
+# split graphs in to 6 four hour spans for 24 hours
$numgraphs=int($XMAX/240);
$junk=0;
@@ -62,7 +62,7 @@ while ($cnt1++ < $numgraphs)
$filename3="graph$cnt1.conf";
open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n";
open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n";
-
+
$loop=$end;
$end=($end + 240);
@@ -144,7 +144,7 @@ sub packbytime {
local ($xmax)=@_;
$XMAX=$xmax;
# pass in the dest port number or get graph for all packets
-# at 1 minute intervals
+# at 1 minute intervals
# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
#
@@ -175,9 +175,9 @@ while ($cnt++ <= $#recs )
if("$destip" eq "$gatekeep")
{
# TO GATEKEEP port lookat
-# print "to gatekeep at $xpos\n";
+# print "to gatekeep at $xpos\n";
$value5=$inwards[$xpos] [1];
- $value5++ ;
+ $value5++ ;
# $maxin = $value5 if $maxin < $value5 ;
if($value5 > $maxin)
@@ -190,9 +190,9 @@ while ($cnt++ <= $#recs )
else
{
# FROM GATEKEEP to port lookat
-# print "from gatekeep at $xpos\n";
+# print "from gatekeep at $xpos\n";
$value4=$outwards[$xpos] [1];
- $value4++ ;
+ $value4++ ;
# $maxout = $value4 if $maxout < $value4 ;
if($value4 > $maxout)
{
@@ -212,18 +212,18 @@ while ($cnt++ <= $#recs )
if("$destip" eq "$gatekeep")
{
# TO GATEKEEP port lookat
-# print "to gatekeep at $xpos\n";
+# print "to gatekeep at $xpos\n";
$value5=$inwards[$xpos] [1];
- $value5++ ;
+ $value5++ ;
$maxin = $value5 if $maxin < $value5 ;
$inwards[$xpos][1]=$value5;
}
else
{
# FROM GATEKEEP to port lookat
-# print "from gatekeep at $xpos\n";
+# print "from gatekeep at $xpos\n";
$value4=$outwards[$xpos] [1];
- $value4++ ;
+ $value4++ ;
$maxout = $value4 if $maxout < $value4 ;
$outwards[$xpos][1]=$value4;
}
@@ -276,7 +276,7 @@ $loop=-1;
while ($loop++ <= $#recs )
{
($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
- if ("$destip" eq "$gatekeep")
+ if ("$destip" eq "$gatekeep")
{
if ($destport < $ITRUSTABOVE )
{
@@ -309,10 +309,10 @@ print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking
print "Trusted hosts are $safehosts\n";
print "\nTOTAL packets were $#recs \n";
print "########################################################################\n";
-while(($ipadd,$numpacketsent)=each %numpacks)
+while(($ipadd,$numpacketsent)=each %numpacks)
{
$perc=$numpacketsent/$#recs*100;
-if ($perc > $percsafe)
+if ($perc > $percsafe)
# dont believe safehosts are attacking!
{
$where=index($safehosts,$ipadd);
@@ -326,7 +326,7 @@ if ($perc > $percsafe)
}
print "\n\n";
-} # end of subroutine toobusy_site
+} # end of subroutine toobusy_site
############### END SUBROUTINE DECLARATIONS ###########
@@ -339,7 +339,7 @@ if("$opt_t" eq "0")
{usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n";
exit;
}
-
+
if("$opt_h" eq "1")
{usage;exit 0};
if("$opt_H" eq "1")
@@ -379,7 +379,7 @@ if("$opt_p" eq "")
# -p arg must be all or AN INTEGER in range 1<=N<=64K
if ("$opt_p" ne "all")
{
- $_=$opt_p;
+ $_=$opt_p;
unless (/^[+-]?\d+$/)
{
usage;
@@ -394,7 +394,7 @@ if ("$opt_p" ne "all")
$lookat=$opt_p;
# -o arg must be all or AN INTEGER in range 1<=N<=64K
- $_=$opt_o;
+ $_=$opt_o;
unless (/^[+-]?\d+$/)
{
usage;
@@ -438,7 +438,7 @@ open (REC, $FILENAME) || die "Cant open $FILENAME: \n";
($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC;
print "Log file $FILENAME is $size bytes in size\n";
#each record is an element of array rec[] now
-while(<REC>)
+while(<REC>)
{
@recs[$numrec++]=$_;
}
@@ -456,7 +456,7 @@ while ($loop++ < $#recs )
$bit=substr(@recs[$loop],39);
$bit =~ s/,/ /g;
($sourceip,$junkit)= split " " , $bit ;
-
+
# NOTE the . is the string concat command NOT + .......!!!!
$sourceip =~ split " ", $sourceip;
@@ -467,7 +467,7 @@ while ($loop++ < $#recs )
$allips = $allips . "$sourceip " ;
}
}
-
+
print "Put all unique ip addresses into a 1D array\n";
@allips=split " ", $allips;
@@ -490,7 +490,7 @@ while ($loop++ < $#recs )
{
$a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ;
}
-
+
# dump the "->" and commas from logging
$a =~ s/->//g;
$a =~ s/PR//g;
@@ -503,7 +503,7 @@ while ($loop++ < $#recs )
($srcip,$junk) = split " ","$a";
$numpackets=$numpacks{"$srcip"};
$numpackets++ ;
- $numpacks{"$srcip"}=$numpackets;
+ $numpacks{"$srcip"}=$numpackets;
}
@@ -546,7 +546,7 @@ while ($cnt++ < $#allips)
while ($loop++ < $#recs )
{
-# get src IP num, src port number,
+# get src IP num, src port number,
# destination IP num, destnation port number,protocol
($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
# loop over all records for the machine $uniqip
@@ -564,7 +564,7 @@ while ($cnt++ < $#allips)
{
$srcportnam=$services{$srcport};
}
-# try and get dest portname, if not there, leave it as the
+# try and get dest portname, if not there, leave it as the
# dest portnumber
if ("$destport" eq "icmp")
{ $destportnam="icmp";}
@@ -581,15 +581,15 @@ while ($cnt++ < $#allips)
if ($srcportnam eq "")
{
# increment number of times a (high)/unknown port has gone to destport
- $value1=$unknownsrcports{$destportnam};
- $value1++ ;
+ $value1=$unknownsrcports{$destportnam};
+ $value1++ ;
$unknownsrcports{$destportnam}=$value1;
}
else
{
# want tally(srcport) counter to be increased by 1
$value3=$tally{$srcportnam};
- $value3++ ;
+ $value3++ ;
$tally{$srcportnam}=$value3;
}
}
@@ -603,7 +603,7 @@ if ($set eq "N")
$set="Y";
print "\n#### with $uniqip as the the source for packets ####\n";
-while(($key,$value)=each %tally)
+while(($key,$value)=each %tally)
{
if (not "$uniqip" eq "$gatekeep")
{
@@ -617,7 +617,7 @@ while(($key,$value)=each %tally)
-while(($key2,$value2)=each %unknownsrcports)
+while(($key2,$value2)=each %unknownsrcports)
{
if (not "$uniqip" eq "$gatekeep")
{
@@ -632,7 +632,7 @@ while(($key2,$value2)=each %unknownsrcports)
}
# print if rests for UNIQIP IF flag is set to N then toggle flag
-} # end of all IPs loop
+} # end of all IPs loop
} # end of if verbose option set block
diff --git a/contrib/ipfilter/perl/Isbgraph b/contrib/ipfilter/perl/Isbgraph
index c68b672..8641099 100644
--- a/contrib/ipfilter/perl/Isbgraph
+++ b/contrib/ipfilter/perl/Isbgraph
@@ -67,7 +67,7 @@ close(CNF);
# number datapoints/24 hours is 1440 (minutes)
#
# Split into N graphs where each graph has max of 240 datapoints (4 hours)
-#
+#
$barset=0;
$m=0;
@@ -117,7 +117,7 @@ $teal=$im->colorAllocate(51,153,153);
$xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i;
# $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled);
$num = $i+1;
-
+
use integer;
{
$posis=$num - ($num/60)*60;
@@ -157,7 +157,7 @@ $nextdata="N";
$count=0;
$i=0;
$fname=$_;
-
+
print "fname $fname\n";
# change entry for red in colour table to green for packets LEAVING target host
@@ -180,14 +180,14 @@ $nextdata="N";
if($nextdata eq "Y")
{
-
+
#$im->line($XINIT,$YGRAPH,$X,$Y,$orange);
$im->line($xspaceold,$yspaceold,$xspace,$yspace,$green);
}
else
{
$im->line($xspaceold,$yspaceold,$xspace,$yspace,$red);
- }
+ }
}
else
{
@@ -214,7 +214,7 @@ $nextdata="N";
$im->line(500,60,530,60,$green);
$im->string(gdSmallFont,535,35,"Packets IN",$fg);
$im->string(gdSmallFont,535,55,"Packets OUT",$fg);
-
+
if ($option{'Bar'} ne 0)
{
if ($X eq $option{'XMAX'})
@@ -237,7 +237,7 @@ $nextdata="N";
$nextdata="Y";
# TOP LEFT is 0,0 on GIF (image)
-# origin of plot is xinit,yinit
+# origin of plot is xinit,yinit
# print "little line\n";
$im->line($xspace,$yspace,$xspace,$YGRAPH,$blue);
$im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue);
diff --git a/contrib/ipfilter/perl/Services b/contrib/ipfilter/perl/Services
index 401fff0..e9ae317 100644
--- a/contrib/ipfilter/perl/Services
+++ b/contrib/ipfilter/perl/Services
@@ -89,7 +89,7 @@
110 pop3 PostOfficeProtocol-Version3
111 sunrpc SUNRemoteProcedureCall
112 mcidas McIDASDataTransmissionProtocol
-113 ident
+113 ident
114 audionews AudioNewsMulticast
115 sftp SimpleFileTransferProtocol
116 ansanotify ANSAREXNotify
@@ -426,7 +426,7 @@
515 printer spooler
516 videotex videotex
517 talk liketenexlink,butacross
-518 ntalk
+518 ntalk
519 utime unixtime
520 route
521 ripng ripng
@@ -451,7 +451,7 @@
540 uucp uucpd
541 uucp-rlogin uucp-rlogin
542 commerce commerce
-543 klogin
+543 klogin
544 kshell krcmd
545 appleqtcsrvr appleqtcsrvr
546 dhcpv6-client DHCPv6Client
@@ -463,7 +463,7 @@
552 deviceshare deviceshare
553 pirp pirp
554 rtsp RealTimeStreamControlProtocol
-555 dsf
+555 dsf
556 remotefs rfsserver
557 openvms-sysipc openvms-sysipc
558 sdnskmp SDNSKMP
@@ -542,7 +542,7 @@
637 lanserver lanserver
638 mcns-sec mcns-sec
639 msdp MSDP
-666 mdqs
+666 mdqs
667 disclose campaigncontributiondisclosures-SDRTechnologies
668 mecomm MeComm
669 meregister MeRegister
@@ -569,32 +569,32 @@
748 ris-cm RussellInfoSciCalendarManager
749 kerberos-adm kerberosadministration
750 kerberos-iv kerberosversioniv
-751 pump
-752 qrh
-753 rrh
+751 pump
+752 qrh
+753 rrh
754 tell send
-758 nlogin
-759 con
-760 ns
-761 rxe
-762 quotad
-763 cycleserv
-764 omserv
-765 webster
+758 nlogin
+759 con
+760 ns
+761 rxe
+762 quotad
+763 cycleserv
+764 omserv
+765 webster
767 phonebook phone
-769 vid
-770 cadlock
-771 rtip
-772 cycleserv2
-773 notify
-774 rpasswd
-775 acmaint_transd
-776 wpages
-780 wpgs
+769 vid
+770 cadlock
+771 rtip
+772 cycleserv2
+773 notify
+774 rpasswd
+775 acmaint_transd
+776 wpages
+780 wpgs
786 concert Concert
787 qsc QSC
-800 mdbs_daemon
-801 device
+800 mdbs_daemon
+801 device
829 pkix-3-ca-ra PKIX-3CA/RA
873 rsync rsync
886 iclcnet-locate ICLcoNETionlocateserver
@@ -610,10 +610,10 @@
994 ircs ircprotocoloverTLS/SSL
995 pop3s pop3protocoloverTLS/SSL(wasspop3)
996 vsinet vsinet
-997 maitrd
-998 busboy
-999 garcon
-1000 cadlock
+997 maitrd
+998 busboy
+999 garcon
+1000 cadlock
1008 ufsd
1010 surf surf
1011 Reserved
@@ -654,7 +654,7 @@
1222 nerv SNIR&Dnetwork
1234 search-agent InfoseekSearchAgent
1239 nmsd NMSD
-1248 hermes
+1248 hermes
1300 h323hostcallsc H323HostCallSecure
1313 bmc_patroldb BMC_PATROLDB
1314 pdps PhotoscriptDistributedPrintingSystem
@@ -695,7 +695,7 @@
1379 dbreporter IntegritySolutions
1380 telesis-licman TelesisNetworkLicenseManager
1381 apple-licman AppleNetworkLicenseManager
-1382 udt_os
+1382 udt_os
1383 gwha GWHannawayNetworkLicenseManager
1384 os-licman ObjectiveSolutionsLicenseManager
1385 atex_elmd AtexPublishingLicenseManager
@@ -913,7 +913,7 @@
1597 orbplus-iiop orbplus-iiop
1598 picknfs picknfs
1599 simbaservices simbaservices
-1600 issd
+1600 issd
1601 aas aas
1602 inspect inspect
1603 picodbc pickodbc
@@ -1079,7 +1079,7 @@
1772 essweb-gw EssWebGateway
1773 kmscontrol KMSControl
1774 global-dtserv global-dtserv
-1775 Unknown
+1775 Unknown
1776 femis FederalEmergencyManagementInformationSystem
1777 powerguardian powerguardian
1778 prodigy-intrnet prodigy-internet
@@ -1180,49 +1180,49 @@
1997 gdp-port ciscoGatewayDiscoveryProtocol
1998 x25-svc-port ciscoX.25service(XOT)
1999 tcp-id-port ciscoidentificationport
-2000 callbook
-2001 dc
-2002 globe
-2004 mailbox
-2005 berknet
-2006 invokator
-2007 dectalk
-2008 conf
-2009 news
-2010 search
+2000 callbook
+2001 dc
+2002 globe
+2004 mailbox
+2005 berknet
+2006 invokator
+2007 dectalk
+2008 conf
+2009 news
+2010 search
2011 raid-cc raid
-2012 ttyinfo
-2013 raid-am
-2014 troff
-2015 cypress
-2016 bootserver
-2017 cypress-stat
-2018 terminaldb
-2019 whosockami
-2020 xinupageserver
-2021 servexec
-2022 down
-2023 xinuexpansion3
-2024 xinuexpansion4
-2025 ellpack
-2026 scrabble
-2027 shadowserver
-2028 submitserver
-2030 device2
-2032 blackboard
-2033 glogger
-2034 scoremgr
-2035 imsldoc
-2038 objectmanager
-2040 lam
-2041 interbase
+2012 ttyinfo
+2013 raid-am
+2014 troff
+2015 cypress
+2016 bootserver
+2017 cypress-stat
+2018 terminaldb
+2019 whosockami
+2020 xinupageserver
+2021 servexec
+2022 down
+2023 xinuexpansion3
+2024 xinuexpansion4
+2025 ellpack
+2026 scrabble
+2027 shadowserver
+2028 submitserver
+2030 device2
+2032 blackboard
+2033 glogger
+2034 scoremgr
+2035 imsldoc
+2038 objectmanager
+2040 lam
+2041 interbase
2042 isis isis
2043 isis-bcast isis-bcast
-2044 rimsl
-2045 cdfunc
-2046 sdfunc
-2047 dls
-2048 dls-monitor
+2044 rimsl
+2045 cdfunc
+2046 sdfunc
+2047 dls
+2048 dls-monitor
2049 nfsd-or-shilp
2065 dlsrpn DataLinkSwitchReadPortNumber
2067 dlswpn DataLinkSwitchWritePortNumber
@@ -1798,8 +1798,8 @@
4868 phrelay PhotonRelay
4869 phrelaydbg PhotonRelayDebug
4885 abbs ABBS
-5000 commplex-main
-5001 commplex-link
+5000 commplex-main
+5001 commplex-link
5002 rfe radiofreeethernet
5003 fmpro-internal FileMaker,Inc.-Proprietarynamebinding
5004 avt-profile-1 avt-profile-1
@@ -1812,13 +1812,13 @@
5051 ita-agent ITAAgent
5052 ita-manager ITAManager
5060 sip SIP
-5145 rmonitor_secure
+5145 rmonitor_secure
5150 atmp AscendTunnelManagementProtocol
5190 aol America-Online
5191 aol-1 AmericaOnline1
5192 aol-2 AmericaOnline2
5193 aol-3 AmericaOnline3
-5236 padl2sim
+5236 padl2sim
5272 pk PK
5300 hacl-hb #HAclusterheartbeat
5301 hacl-gs #HAclustergeneralservices
@@ -1975,7 +1975,7 @@
6506 badm_pub BoKSAdminPublicPort
6507 bdir_priv BoKSDirServer,PrivatePort
6508 bdir_pub BoKSDirServer,PublicPort
-6558 xdsxdm
+6558 xdsxdm
6665 ircu
6666 ircu
6667 ircu
@@ -2059,7 +2059,7 @@
9000 cslistener CSlistener
9006 sctp SCTP
9090 websm WebSM
-9535 man
+9535 man
9594 msgsys MessageSystem
9595 pds PingDiscoveryService
9876 sd SessionDirector
@@ -2093,7 +2093,7 @@
13821 dsmcc-download DSMCCDownloadProtocol
13822 dsmcc-ccp DSMCCChannelChangeProtocol
14001 itu-sccp-ss7 ITUSCCP(SS7)
-17007 isode-dua
+17007 isode-dua
17219 chipper Chipper
18000 biimenu BeckmanInstruments,Inc.
19541 jcp JCPClient
diff --git a/contrib/ipfilter/perl/ipfmeta.pl b/contrib/ipfilter/perl/ipfmeta.pl
index 1a7bb3f..decc35b 100644
--- a/contrib/ipfilter/perl/ipfmeta.pl
+++ b/contrib/ipfilter/perl/ipfmeta.pl
@@ -83,7 +83,7 @@ sub expand {
return @retlines;
}
-
+
__END__
=head1 NAME
@@ -164,7 +164,7 @@ block in from UNWANTED to any
pass in from NOC to WEBSERVERS port = MGMT-PORTS
pass out all
-
+
I<Run>
ipfmeta ipf.objs <ipf.metarules >ipf.rules
diff --git a/contrib/ipfilter/perl/logfilter.pl b/contrib/ipfilter/perl/logfilter.pl
index 6ebe401..fd0da6d 100644
--- a/contrib/ipfilter/perl/logfilter.pl
+++ b/contrib/ipfilter/perl/logfilter.pl
@@ -3,7 +3,7 @@
# Author: Chris Grant
# Copyright 1999, Codetalker Communications, Inc.
#
-# This script takes a firewall log and breaks it into several
+# This script takes a firewall log and breaks it into several
# different files. Each file is named based on the service that
# runs on the port that was recognized in log line. After
# this script has run, you should end up with several files.
@@ -18,11 +18,11 @@
#
# You may be wondering why I haven't simply parsed RFC1700 to come up
# with a list of port numbers and files. The reason is that I don't
-# believe reading firewall logs should be all that automated. You
+# believe reading firewall logs should be all that automated. You
# should be familiar with what probes are hitting your system. By
-# manually adding entries to the data section this ensures that I
-# have at least educated myself about what this protocol is, what
-# the potential exposure is, and why you might be seeing this traffic.
+# manually adding entries to the data section this ensures that I
+# have at least educated myself about what this protocol is, what
+# the potential exposure is, and why you might be seeing this traffic.
%icmp = ();
%udp = ();
@@ -61,30 +61,30 @@ while($line = <LOGFILE>) {
# determine the protocol - send to unknown.log if not found
SWITCH: {
- ($line =~ m /\sicmp\s/) && do {
+ ($line =~ m /\sicmp\s/) && do {
#
- # ICMP Protocol
+ # ICMP Protocol
#
# Extract the icmp packet information specifying the type.
- #
+ #
# Note: Must check for ICMP first because this may be an ICMP reply
# to a TCP or UDP connection (eg Port Unreachable).
-
+
($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
$filename = $TIDBITSFILE;
$filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
- last SWITCH;
+ last SWITCH;
};
- ($line =~ m /\stcp\s/) && do {
+ ($line =~ m /\stcp\s/) && do {
- #
+ #
# TCP Protocol
#
- # extract the source and destination ports and compare them to
+ # extract the source and destination ports and compare them to
# known ports in the tcp hash. For the first match, place this
# line in the file specified by the tcp hash. Ignore one of the
# port matches if both ports happen to be known services.
@@ -96,14 +96,14 @@ while($line = <LOGFILE>) {
$filename = $tcp{$sport} if (defined($tcp{$sport}));
$filename = $tcp{$dport} if (defined($tcp{$dport}));
- last SWITCH;
+ last SWITCH;
};
- ($line =~ m /\sudp\s/) && do {
+ ($line =~ m /\sudp\s/) && do {
#
# UDP Protocol - same procedure as with TCP, different hash
- #
+ #
($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
@@ -111,7 +111,7 @@ while($line = <LOGFILE>) {
$filename = $udp{$sport} if (defined($udp{$sport}));
$filename = $udp{$dport} if (defined($udp{$dport}));
- last SWITCH;
+ last SWITCH;
};
#
@@ -126,7 +126,7 @@ while($line = <LOGFILE>) {
# check for filename in the openfiles hash. if it exists then write
# to the given handle. otherwise open a handle to the file and add
# it to the hash of open files.
-
+
if (defined($openfiles{$filename})) {
$handle = $openfiles{$filename};
} else {
@@ -178,4 +178,4 @@ tcp 6667 irc.log
tcp 7070 realaudio.log
tcp 8080 http.log
tcp 12345 netbus.log
-udp 31337 backorifice.log
\ No newline at end of file
+udp 31337 backorifice.log
diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c
deleted file mode 100644
index 8c67562..0000000
--- a/contrib/ipfilter/radix.c
+++ /dev/null
@@ -1,1214 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (c) 1988, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)radix.c 8.6 (Berkeley) 10/17/95
- */
-
-/*
- * Routines to build and maintain radix trees for routing lookups.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#define __SYS_ATOMIC_OPS_H__
-#if !defined(__svr4__) && !defined(__SVR4) && !defined(__osf__) && \
- !defined(__hpux) && !defined(__sgi)
-#include <sys/cdefs.h>
-#endif
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifdef __osf__
-# define CONST
-# define _IPV6_SWTAB_H
-# define _PROTO_NET_H_
-# define _PROTO_IPV6_H
-# include <sys/malloc.h>
-#endif
-
-#include <sys/param.h>
-#ifdef _KERNEL
-#include <sys/systm.h>
-#else
-void panic __P((char *str));
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#endif
-#ifdef __hpux
-#include <syslog.h>
-#else
-#include <sys/syslog.h>
-#endif
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#ifdef SOLARIS2
-# define _RADIX_H_
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#ifdef SOLARIS2
-# undef _RADIX_H_
-#endif
-/* END OF INCLUDES */
-#include "radix_ipf.h"
-#ifndef min
-# define min MIN
-#endif
-#ifndef max
-# define max MAX
-#endif
-
-int max_keylen = 16;
-static struct radix_mask *rn_mkfreelist;
-static struct radix_node_head *mask_rnhead;
-static char *addmask_key;
-static u_char normal_chars[] = {0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff};
-static char *rn_zeros = NULL, *rn_ones = NULL;
-
-#define rn_masktop (mask_rnhead->rnh_treetop)
-#undef Bcmp
-#define Bcmp(a, b, l) (l == 0 ? 0 : bcmp((caddr_t)(a), (caddr_t)(b), (u_long)l))
-
-static int rn_satisfies_leaf __P((char *, struct radix_node *, int));
-static int rn_lexobetter __P((void *, void *));
-static struct radix_mask *rn_new_radix_mask __P((struct radix_node *,
- struct radix_mask *));
-static int rn_freenode __P((struct radix_node *, void *));
-#if defined(AIX) && !defined(_KERNEL)
-struct radix_node *rn_match __P((void *, struct radix_node_head *));
-struct radix_node *rn_addmask __P((int, int, void *));
-#define FreeS(x, y) KFREES(x, y)
-#define Bcopy(x, y, z) bcopy(x, y, z)
-#endif
-
-/*
- * The data structure for the keys is a radix tree with one way
- * branching removed. The index rn_b at an internal node n represents a bit
- * position to be tested. The tree is arranged so that all descendants
- * of a node n have keys whose bits all agree up to position rn_b - 1.
- * (We say the index of n is rn_b.)
- *
- * There is at least one descendant which has a one bit at position rn_b,
- * and at least one with a zero there.
- *
- * A route is determined by a pair of key and mask. We require that the
- * bit-wise logical and of the key and mask to be the key.
- * We define the index of a route to associated with the mask to be
- * the first bit number in the mask where 0 occurs (with bit number 0
- * representing the highest order bit).
- *
- * We say a mask is normal if every bit is 0, past the index of the mask.
- * If a node n has a descendant (k, m) with index(m) == index(n) == rn_b,
- * and m is a normal mask, then the route applies to every descendant of n.
- * If the index(m) < rn_b, this implies the trailing last few bits of k
- * before bit b are all 0, (and hence consequently true of every descendant
- * of n), so the route applies to all descendants of the node as well.
- *
- * Similar logic shows that a non-normal mask m such that
- * index(m) <= index(n) could potentially apply to many children of n.
- * Thus, for each non-host route, we attach its mask to a list at an internal
- * node as high in the tree as we can go.
- *
- * The present version of the code makes use of normal routes in short-
- * circuiting an explicit mask and compare operation when testing whether
- * a key satisfies a normal route, and also in remembering the unique leaf
- * that governs a subtree.
- */
-
-struct radix_node *
-rn_search(v_arg, head)
- void *v_arg;
- struct radix_node *head;
-{
- struct radix_node *x;
- caddr_t v;
-
- for (x = head, v = v_arg; x->rn_b >= 0;) {
- if (x->rn_bmask & v[x->rn_off])
- x = x->rn_r;
- else
- x = x->rn_l;
- }
- return (x);
-}
-
-struct radix_node *
-rn_search_m(v_arg, head, m_arg)
- struct radix_node *head;
- void *v_arg, *m_arg;
-{
- struct radix_node *x;
- caddr_t v = v_arg, m = m_arg;
-
- for (x = head; x->rn_b >= 0;) {
- if ((x->rn_bmask & m[x->rn_off]) &&
- (x->rn_bmask & v[x->rn_off]))
- x = x->rn_r;
- else
- x = x->rn_l;
- }
- return x;
-}
-
-int
-rn_refines(m_arg, n_arg)
- void *m_arg, *n_arg;
-{
- caddr_t m = m_arg, n = n_arg;
- caddr_t lim, lim2 = lim = n + *(u_char *)n;
- int longer = (*(u_char *)n++) - (int)(*(u_char *)m++);
- int masks_are_equal = 1;
-
- if (longer > 0)
- lim -= longer;
- while (n < lim) {
- if (*n & ~(*m))
- return 0;
- if (*n++ != *m++)
- masks_are_equal = 0;
- }
- while (n < lim2)
- if (*n++)
- return 0;
- if (masks_are_equal && (longer < 0))
- for (lim2 = m - longer; m < lim2; )
- if (*m++)
- return 1;
- return (!masks_are_equal);
-}
-
-struct radix_node *
-rn_lookup(v_arg, m_arg, head)
- void *v_arg, *m_arg;
- struct radix_node_head *head;
-{
- struct radix_node *x;
- caddr_t netmask = 0;
-
- if (m_arg) {
- if ((x = rn_addmask(m_arg, 1, head->rnh_treetop->rn_off)) == 0)
- return (0);
- netmask = x->rn_key;
- }
- x = rn_match(v_arg, head);
- if (x && netmask) {
- while (x && x->rn_mask != netmask)
- x = x->rn_dupedkey;
- }
- return x;
-}
-
-static int
-rn_satisfies_leaf(trial, leaf, skip)
- char *trial;
- struct radix_node *leaf;
- int skip;
-{
- char *cp = trial, *cp2 = leaf->rn_key, *cp3 = leaf->rn_mask;
- char *cplim;
- int length = min(*(u_char *)cp, *(u_char *)cp2);
-
- if (cp3 == 0)
- cp3 = rn_ones;
- else
- length = min(length, *(u_char *)cp3);
- cplim = cp + length;
- cp3 += skip;
- cp2 += skip;
- for (cp += skip; cp < cplim; cp++, cp2++, cp3++)
- if ((*cp ^ *cp2) & *cp3)
- return 0;
- return 1;
-}
-
-struct radix_node *
-rn_match(v_arg, head)
- void *v_arg;
- struct radix_node_head *head;
-{
- caddr_t v = v_arg;
- struct radix_node *t = head->rnh_treetop, *x;
- caddr_t cp = v, cp2;
- caddr_t cplim;
- struct radix_node *saved_t, *top = t;
- int off = t->rn_off, vlen = *(u_char *)cp, matched_off;
- int test, b, rn_b;
-
- /*
- * Open code rn_search(v, top) to avoid overhead of extra
- * subroutine call.
- */
- for (; t->rn_b >= 0; ) {
- if (t->rn_bmask & cp[t->rn_off])
- t = t->rn_r;
- else
- t = t->rn_l;
- }
- /*
- * See if we match exactly as a host destination
- * or at least learn how many bits match, for normal mask finesse.
- *
- * It doesn't hurt us to limit how many bytes to check
- * to the length of the mask, since if it matches we had a genuine
- * match and the leaf we have is the most specific one anyway;
- * if it didn't match with a shorter length it would fail
- * with a long one. This wins big for class B&C netmasks which
- * are probably the most common case...
- */
- if (t->rn_mask)
- vlen = *(u_char *)t->rn_mask;
- cp += off;
- cp2 = t->rn_key + off;
- cplim = v + vlen;
- for (; cp < cplim; cp++, cp2++)
- if (*cp != *cp2)
- goto on1;
- /*
- * This extra grot is in case we are explicitly asked
- * to look up the default. Ugh!
- */
- if ((t->rn_flags & RNF_ROOT) && t->rn_dupedkey)
- t = t->rn_dupedkey;
- return t;
-on1:
- test = (*cp ^ *cp2) & 0xff; /* find first bit that differs */
- for (b = 7; (test >>= 1) > 0;)
- b--;
- matched_off = cp - v;
- b += matched_off << 3;
- rn_b = -1 - b;
- /*
- * If there is a host route in a duped-key chain, it will be first.
- */
- if ((saved_t = t)->rn_mask == 0)
- t = t->rn_dupedkey;
- for (; t; t = t->rn_dupedkey)
- /*
- * Even if we don't match exactly as a host,
- * we may match if the leaf we wound up at is
- * a route to a net.
- */
- if (t->rn_flags & RNF_NORMAL) {
- if (rn_b <= t->rn_b)
- return t;
- } else if (rn_satisfies_leaf(v, t, matched_off))
- return t;
- t = saved_t;
- /* start searching up the tree */
- do {
- struct radix_mask *m;
- t = t->rn_p;
- m = t->rn_mklist;
- if (m) {
- /*
- * If non-contiguous masks ever become important
- * we can restore the masking and open coding of
- * the search and satisfaction test and put the
- * calculation of "off" back before the "do".
- */
- do {
- if (m->rm_flags & RNF_NORMAL) {
- if (rn_b <= m->rm_b)
- return (m->rm_leaf);
- } else {
- off = min(t->rn_off, matched_off);
- x = rn_search_m(v, t, m->rm_mask);
- while (x && x->rn_mask != m->rm_mask)
- x = x->rn_dupedkey;
- if (x && rn_satisfies_leaf(v, x, off))
- return x;
- }
- m = m->rm_mklist;
- } while (m);
- }
- } while (t != top);
- return 0;
-}
-
-#ifdef RN_DEBUG
-int rn_nodenum;
-struct radix_node *rn_clist;
-int rn_saveinfo;
-int rn_debug = 1;
-#endif
-
-struct radix_node *
-rn_newpair(v, b, nodes)
- void *v;
- int b;
- struct radix_node nodes[2];
-{
- struct radix_node *tt = nodes, *t = tt + 1;
- t->rn_b = b;
- t->rn_bmask = 0x80 >> (b & 7);
- t->rn_l = tt;
- t->rn_off = b >> 3;
- tt->rn_b = -1;
- tt->rn_key = (caddr_t)v;
- tt->rn_p = t;
- tt->rn_flags = t->rn_flags = RNF_ACTIVE;
-#ifdef RN_DEBUG
- tt->rn_info = rn_nodenum++;
- t->rn_info = rn_nodenum++;
- tt->rn_twin = t;
- tt->rn_ybro = rn_clist;
- rn_clist = tt;
-#endif
- return t;
-}
-
-struct radix_node *
-rn_insert(v_arg, head, dupentry, nodes)
- void *v_arg;
- struct radix_node_head *head;
- int *dupentry;
- struct radix_node nodes[2];
-{
- caddr_t v = v_arg;
- struct radix_node *top = head->rnh_treetop;
- int head_off = top->rn_off, vlen = (int)*((u_char *)v);
- struct radix_node *t = rn_search(v_arg, top);
- caddr_t cp = v + head_off;
- int b;
- struct radix_node *tt;
-
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_insert(%p,%p,%p,%p)\n", v_arg, head, dupentry, nodes);
-#endif
- /*
- * Find first bit at which v and t->rn_key differ
- */
- {
- caddr_t cp2 = t->rn_key + head_off;
- int cmp_res;
- caddr_t cplim = v + vlen;
-
- while (cp < cplim)
- if (*cp2++ != *cp++)
- goto on1;
- *dupentry = 1;
- return t;
-on1:
- *dupentry = 0;
- cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
- for (b = (cp - v) << 3; cmp_res; b--)
- cmp_res >>= 1;
- }
- {
- struct radix_node *p, *x = top;
- cp = v;
- do {
- p = x;
- if (cp[x->rn_off] & x->rn_bmask)
- x = x->rn_r;
- else
- x = x->rn_l;
- } while (b > (unsigned) x->rn_b); /* x->rn_b < b && x->rn_b >= 0 */
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_insert: Going In:\n"); // traverse(p);
-#endif
- t = rn_newpair(v_arg, b, nodes);
- tt = t->rn_l;
- if ((cp[p->rn_off] & p->rn_bmask) == 0)
- p->rn_l = t;
- else
- p->rn_r = t;
- x->rn_p = t;
- t->rn_p = p; /* frees x, p as temp vars below */
- if ((cp[t->rn_off] & t->rn_bmask) == 0) {
- t->rn_r = x;
- } else {
- t->rn_r = tt;
- t->rn_l = x;
- }
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_insert: Coming Out:\n"); // traverse(p);
-#endif
- }
- return (tt);
-}
-
-struct radix_node *
-rn_addmask(n_arg, search, skip)
- int search, skip;
- void *n_arg;
-{
- caddr_t netmask = (caddr_t)n_arg;
- struct radix_node *x;
- caddr_t cp, cplim;
- int b = 0, mlen, j;
- int maskduplicated, m0, isnormal;
- struct radix_node *saved_x;
- static int last_zeroed = 0;
-
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_addmask(%p,%d,%d)\n", n_arg, search, skip);
-#endif
- mlen = *(u_char *)netmask;
- if ((mlen = *(u_char *)netmask) > max_keylen)
- mlen = max_keylen;
- if (skip == 0)
- skip = 1;
- if (mlen <= skip)
- return (mask_rnhead->rnh_nodes);
- if (skip > 1)
- Bcopy(rn_ones + 1, addmask_key + 1, skip - 1);
- if ((m0 = mlen) > skip)
- Bcopy(netmask + skip, addmask_key + skip, mlen - skip);
- /*
- * Trim trailing zeroes.
- */
- for (cp = addmask_key + mlen; (cp > addmask_key) && cp[-1] == 0;)
- cp--;
- mlen = cp - addmask_key;
- if (mlen <= skip) {
- if (m0 >= last_zeroed)
- last_zeroed = mlen;
- return (mask_rnhead->rnh_nodes);
- }
- if (m0 < last_zeroed)
- Bzero(addmask_key + m0, last_zeroed - m0);
- *addmask_key = last_zeroed = mlen;
- x = rn_search(addmask_key, rn_masktop);
- if (Bcmp(addmask_key, x->rn_key, mlen) != 0)
- x = 0;
- if (x || search)
- return (x);
- R_Malloc(x, struct radix_node *, max_keylen + 2 * sizeof (*x));
- if ((saved_x = x) == 0)
- return (0);
- Bzero(x, max_keylen + 2 * sizeof (*x));
- netmask = cp = (caddr_t)(x + 2);
- Bcopy(addmask_key, cp, mlen);
- x = rn_insert(cp, mask_rnhead, &maskduplicated, x);
- if (maskduplicated) {
-#if 0
- log(LOG_ERR, "rn_addmask: mask impossibly already in tree\n");
-#endif
- Free(saved_x);
- return (x);
- }
- /*
- * Calculate index of mask, and check for normalcy.
- */
- cplim = netmask + mlen;
- isnormal = 1;
- for (cp = netmask + skip; (cp < cplim) && *(u_char *)cp == 0xff;)
- cp++;
- if (cp != cplim) {
- for (j = 0x80; (j & *cp) != 0; j >>= 1)
- b++;
- if (*cp != normal_chars[b] || cp != (cplim - 1))
- isnormal = 0;
- }
- b += (cp - netmask) << 3;
- x->rn_b = -1 - b;
- if (isnormal)
- x->rn_flags |= RNF_NORMAL;
- return (x);
-}
-
-static int /* XXX: arbitrary ordering for non-contiguous masks */
-rn_lexobetter(m_arg, n_arg)
- void *m_arg, *n_arg;
-{
- u_char *mp = m_arg, *np = n_arg, *lim;
-
- if (*mp > *np)
- return 1; /* not really, but need to check longer one first */
- if (*mp == *np)
- for (lim = mp + *mp; mp < lim;)
- if (*mp++ > *np++)
- return 1;
- return 0;
-}
-
-static struct radix_mask *
-rn_new_radix_mask(tt, next)
- struct radix_node *tt;
- struct radix_mask *next;
-{
- struct radix_mask *m;
-
- MKGet(m);
- if (m == 0) {
-#if 0
- log(LOG_ERR, "Mask for route not entered\n");
-#endif
- return (0);
- }
- Bzero(m, sizeof *m);
- m->rm_b = tt->rn_b;
- m->rm_flags = tt->rn_flags;
- if (tt->rn_flags & RNF_NORMAL)
- m->rm_leaf = tt;
- else
- m->rm_mask = tt->rn_mask;
- m->rm_mklist = next;
- tt->rn_mklist = m;
- return m;
-}
-
-struct radix_node *
-rn_addroute(v_arg, n_arg, head, treenodes)
- void *v_arg, *n_arg;
- struct radix_node_head *head;
- struct radix_node treenodes[2];
-{
- caddr_t v = (caddr_t)v_arg, netmask = (caddr_t)n_arg;
- struct radix_node *t, *x = NULL, *tt;
- struct radix_node *saved_tt, *top = head->rnh_treetop;
- short b = 0, b_leaf = 0;
- int keyduplicated;
- caddr_t mmask;
- struct radix_mask *m, **mp;
-
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_addroute(%p,%p,%p,%p)\n", v_arg, n_arg, head, treenodes);
-#endif
- /*
- * In dealing with non-contiguous masks, there may be
- * many different routes which have the same mask.
- * We will find it useful to have a unique pointer to
- * the mask to speed avoiding duplicate references at
- * nodes and possibly save time in calculating indices.
- */
- if (netmask) {
- if ((x = rn_addmask(netmask, 0, top->rn_off)) == 0)
- return (0);
- b_leaf = x->rn_b;
- b = -1 - x->rn_b;
- netmask = x->rn_key;
- }
- /*
- * Deal with duplicated keys: attach node to previous instance
- */
- saved_tt = tt = rn_insert(v, head, &keyduplicated, treenodes);
- if (keyduplicated) {
- for (t = tt; tt; t = tt, tt = tt->rn_dupedkey) {
- if (tt->rn_mask == netmask)
- return (0);
- if (netmask == 0 ||
- (tt->rn_mask &&
- ((b_leaf < tt->rn_b) || /* index(netmask) > node */
- rn_refines(netmask, tt->rn_mask) ||
- rn_lexobetter(netmask, tt->rn_mask))))
- break;
- }
- /*
- * If the mask is not duplicated, we wouldn't
- * find it among possible duplicate key entries
- * anyway, so the above test doesn't hurt.
- *
- * We sort the masks for a duplicated key the same way as
- * in a masklist -- most specific to least specific.
- * This may require the unfortunate nuisance of relocating
- * the head of the list.
- *
- * We also reverse, or doubly link the list through the
- * parent pointer.
- */
- if (tt == saved_tt) {
- struct radix_node *xx = x;
- /* link in at head of list */
- (tt = treenodes)->rn_dupedkey = t;
- tt->rn_flags = t->rn_flags;
- tt->rn_p = x = t->rn_p;
- t->rn_p = tt;
- if (x->rn_l == t)
- x->rn_l = tt;
- else
- x->rn_r = tt;
- saved_tt = tt;
- x = xx;
- } else {
- (tt = treenodes)->rn_dupedkey = t->rn_dupedkey;
- t->rn_dupedkey = tt;
- tt->rn_p = t;
- if (tt->rn_dupedkey)
- tt->rn_dupedkey->rn_p = tt;
- }
-#ifdef RN_DEBUG
- t=tt+1;
- tt->rn_info = rn_nodenum++;
- t->rn_info = rn_nodenum++;
- tt->rn_twin = t;
- tt->rn_ybro = rn_clist;
- rn_clist = tt;
-#endif
- tt->rn_key = (caddr_t) v;
- tt->rn_b = -1;
- tt->rn_flags = RNF_ACTIVE;
- }
- /*
- * Put mask in tree.
- */
- if (netmask) {
- tt->rn_mask = netmask;
- tt->rn_b = x->rn_b;
- tt->rn_flags |= x->rn_flags & RNF_NORMAL;
- }
- t = saved_tt->rn_p;
- if (keyduplicated)
- goto on2;
- b_leaf = -1 - t->rn_b;
- if (t->rn_r == saved_tt)
- x = t->rn_l;
- else
- x = t->rn_r;
- /* Promote general routes from below */
- if (x->rn_b < 0) {
- for (mp = &t->rn_mklist; x; x = x->rn_dupedkey)
- if (x->rn_mask && (x->rn_b >= b_leaf) && x->rn_mklist == 0) {
- *mp = m = rn_new_radix_mask(x, 0);
- if (m)
- mp = &m->rm_mklist;
- }
- } else if (x->rn_mklist) {
- /*
- * Skip over masks whose index is > that of new node
- */
- for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist)
- if (m->rm_b >= b_leaf)
- break;
- t->rn_mklist = m;
- *mp = 0;
- }
-on2:
- /* Add new route to highest possible ancestor's list */
- if ((netmask == 0) || (b > t->rn_b ))
- return tt; /* can't lift at all */
- b_leaf = tt->rn_b;
- do {
- x = t;
- t = t->rn_p;
- } while (b <= t->rn_b && x != top);
- /*
- * Search through routes associated with node to
- * insert new route according to index.
- * Need same criteria as when sorting dupedkeys to avoid
- * double loop on deletion.
- */
- for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist) {
- if (m->rm_b < b_leaf)
- continue;
- if (m->rm_b > b_leaf)
- break;
- if (m->rm_flags & RNF_NORMAL) {
- mmask = m->rm_leaf->rn_mask;
- if (tt->rn_flags & RNF_NORMAL) {
-#if 0
- log(LOG_ERR, "Non-unique normal route,"
- " mask not entered\n");
-#endif
- return tt;
- }
- } else
- mmask = m->rm_mask;
- if (mmask == netmask) {
- m->rm_refs++;
- tt->rn_mklist = m;
- return tt;
- }
- if (rn_refines(netmask, mmask)
- || rn_lexobetter(netmask, mmask))
- break;
- }
- *mp = rn_new_radix_mask(tt, *mp);
- return tt;
-}
-
-struct radix_node *
-rn_delete(v_arg, netmask_arg, head)
- void *v_arg, *netmask_arg;
- struct radix_node_head *head;
-{
- struct radix_node *t, *p, *x, *tt;
- struct radix_mask *m, *saved_m, **mp;
- struct radix_node *dupedkey, *saved_tt, *top;
- caddr_t v, netmask;
- int b, head_off, vlen;
-
- v = v_arg;
- netmask = netmask_arg;
- x = head->rnh_treetop;
- tt = rn_search(v, x);
- head_off = x->rn_off;
- vlen = *(u_char *)v;
- saved_tt = tt;
- top = x;
- if (tt == 0 ||
- Bcmp(v + head_off, tt->rn_key + head_off, vlen - head_off))
- return (0);
- /*
- * Delete our route from mask lists.
- */
- if (netmask) {
- if ((x = rn_addmask(netmask, 1, head_off)) == 0)
- return (0);
- netmask = x->rn_key;
- while (tt->rn_mask != netmask)
- if ((tt = tt->rn_dupedkey) == 0)
- return (0);
- }
- if (tt->rn_mask == 0 || (saved_m = m = tt->rn_mklist) == 0)
- goto on1;
- if (tt->rn_flags & RNF_NORMAL) {
- if (m->rm_leaf != tt || m->rm_refs > 0) {
-#if 0
- log(LOG_ERR, "rn_delete: inconsistent annotation\n");
-#endif
- return 0; /* dangling ref could cause disaster */
- }
- } else {
- if (m->rm_mask != tt->rn_mask) {
-#if 0
- log(LOG_ERR, "rn_delete: inconsistent annotation\n");
-#endif
- goto on1;
- }
- if (--m->rm_refs >= 0)
- goto on1;
- }
- b = -1 - tt->rn_b;
- t = saved_tt->rn_p;
- if (b > t->rn_b)
- goto on1; /* Wasn't lifted at all */
- do {
- x = t;
- t = t->rn_p;
- } while (b <= t->rn_b && x != top);
- for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist)
- if (m == saved_m) {
- *mp = m->rm_mklist;
- MKFree(m);
- break;
- }
- if (m == 0) {
-#if 0
- log(LOG_ERR, "rn_delete: couldn't find our annotation\n");
-#endif
- if (tt->rn_flags & RNF_NORMAL)
- return (0); /* Dangling ref to us */
- }
-on1:
- /*
- * Eliminate us from tree
- */
- if (tt->rn_flags & RNF_ROOT)
- return (0);
-#ifdef RN_DEBUG
- /* Get us out of the creation list */
- for (t = rn_clist; t && t->rn_ybro != tt; t = t->rn_ybro)
- ;
- if (t) t->rn_ybro = tt->rn_ybro;
-#endif
- t = tt->rn_p;
- dupedkey = saved_tt->rn_dupedkey;
- if (dupedkey) {
- /*
- * Here, tt is the deletion target and
- * saved_tt is the head of the dupedkey chain.
- */
- if (tt == saved_tt) {
- x = dupedkey;
- x->rn_p = t;
- if (t->rn_l == tt)
- t->rn_l = x;
- else
- t->rn_r = x;
- } else {
- /* find node in front of tt on the chain */
- for (x = p = saved_tt; p && p->rn_dupedkey != tt;)
- p = p->rn_dupedkey;
- if (p) {
- p->rn_dupedkey = tt->rn_dupedkey;
- if (tt->rn_dupedkey)
- tt->rn_dupedkey->rn_p = p;
- }
-#if 0
- else
- log(LOG_ERR, "rn_delete: couldn't find us\n");
-#endif
- }
- t = tt + 1;
- if (t->rn_flags & RNF_ACTIVE) {
-#ifndef RN_DEBUG
- *++x = *t;
- p = t->rn_p;
-#else
- b = t->rn_info;
- *++x = *t;
- t->rn_info = b;
- p = t->rn_p;
-#endif
- if (p->rn_l == t)
- p->rn_l = x;
- else
- p->rn_r = x;
- x->rn_l->rn_p = x;
- x->rn_r->rn_p = x;
- }
- goto out;
- }
- if (t->rn_l == tt)
- x = t->rn_r;
- else
- x = t->rn_l;
- p = t->rn_p;
- if (p->rn_r == t)
- p->rn_r = x;
- else
- p->rn_l = x;
- x->rn_p = p;
- /*
- * Demote routes attached to us.
- */
- if (t->rn_mklist) {
- if (x->rn_b >= 0) {
- for (mp = &x->rn_mklist; (m = *mp) != NULL;)
- mp = &m->rm_mklist;
- *mp = t->rn_mklist;
- } else {
- /* If there are any key,mask pairs in a sibling
- duped-key chain, some subset will appear sorted
- in the same order attached to our mklist */
- for (m = t->rn_mklist; m && x; x = x->rn_dupedkey)
- if (m == x->rn_mklist) {
- struct radix_mask *mm = m->rm_mklist;
- x->rn_mklist = 0;
- if (--(m->rm_refs) < 0)
- MKFree(m);
- m = mm;
- }
-#if 0
- if (m)
- log(LOG_ERR, "%s %p at %p\n",
- "rn_delete: Orphaned Mask", m, x);
-#endif
- }
- }
- /*
- * We may be holding an active internal node in the tree.
- */
- x = tt + 1;
- if (t != x) {
-#ifndef RN_DEBUG
- *t = *x;
-#else
- b = t->rn_info;
- *t = *x;
- t->rn_info = b;
-#endif
- t->rn_l->rn_p = t;
- t->rn_r->rn_p = t;
- p = x->rn_p;
- if (p->rn_l == x)
- p->rn_l = t;
- else
- p->rn_r = t;
- }
-out:
- tt->rn_flags &= ~RNF_ACTIVE;
- tt[1].rn_flags &= ~RNF_ACTIVE;
- return (tt);
-}
-
-int
-rn_walktree(h, f, w)
- struct radix_node_head *h;
- int (*f) __P((struct radix_node *, void *));
- void *w;
-{
- int error;
- struct radix_node *base, *next;
- struct radix_node *rn = h->rnh_treetop;
- /*
- * This gets complicated because we may delete the node
- * while applying the function f to it, so we need to calculate
- * the successor node in advance.
- */
- /* First time through node, go left */
- while (rn->rn_b >= 0)
- rn = rn->rn_l;
- for (;;) {
- base = rn;
- /* If at right child go back up, otherwise, go right */
- while (rn->rn_p->rn_r == rn && (rn->rn_flags & RNF_ROOT) == 0)
- rn = rn->rn_p;
- /* Find the next *leaf* since next node might vanish, too */
- for (rn = rn->rn_p->rn_r; rn->rn_b >= 0;)
- rn = rn->rn_l;
- next = rn;
- /* Process leaves */
- while ((rn = base) != NULL) {
- base = rn->rn_dupedkey;
- if (!(rn->rn_flags & RNF_ROOT)
- && (error = (*f)(rn, w)))
- return (error);
- }
- rn = next;
- if (rn->rn_flags & RNF_ROOT)
- return (0);
- }
- /* NOTREACHED */
-}
-
-int
-rn_inithead(head, off)
- void **head;
- int off;
-{
- struct radix_node_head *rnh;
-
- if (*head)
- return (1);
- R_Malloc(rnh, struct radix_node_head *, sizeof (*rnh));
- if (rnh == 0)
- return (0);
- *head = rnh;
- return rn_inithead0(rnh, off);
-}
-
-int
-rn_inithead0(rnh, off)
- struct radix_node_head *rnh;
- int off;
-{
- struct radix_node *t, *tt, *ttt;
-
- Bzero(rnh, sizeof (*rnh));
- t = rn_newpair(rn_zeros, off, rnh->rnh_nodes);
- ttt = rnh->rnh_nodes + 2;
- t->rn_r = ttt;
- t->rn_p = t;
- tt = t->rn_l;
- tt->rn_flags = t->rn_flags = RNF_ROOT | RNF_ACTIVE;
- tt->rn_b = -1 - off;
- *ttt = *tt;
- ttt->rn_key = rn_ones;
- rnh->rnh_addaddr = rn_addroute;
- rnh->rnh_deladdr = rn_delete;
- rnh->rnh_matchaddr = rn_match;
- rnh->rnh_lookup = rn_lookup;
- rnh->rnh_walktree = rn_walktree;
- rnh->rnh_treetop = t;
- return (1);
-}
-
-void
-rn_init()
-{
- char *cp, *cplim;
-
- if (max_keylen == 0) {
-#if 0
- log(LOG_ERR,
- "rn_init: radix functions require max_keylen be set\n");
-#endif
- return;
- }
- if (rn_zeros == NULL) {
- R_Malloc(rn_zeros, char *, 3 * max_keylen);
- }
- if (rn_zeros == NULL)
- panic("rn_init");
- Bzero(rn_zeros, 3 * max_keylen);
- rn_ones = cp = rn_zeros + max_keylen;
- addmask_key = cplim = rn_ones + max_keylen;
- while (cp < cplim)
- *cp++ = -1;
- if (rn_inithead((void *)&mask_rnhead, 0) == 0)
- panic("rn_init 2");
-}
-
-
-static int
-rn_freenode(struct radix_node *n, void *p)
-{
- struct radix_node_head *rnh = p;
- struct radix_node *d;
-
- d = rnh->rnh_deladdr(n->rn_key, NULL, rnh);
- if (d != NULL) {
- FreeS(d, max_keylen + 2 * sizeof (*d));
- }
- return 0;
-}
-
-
-void
-rn_freehead(rnh)
- struct radix_node_head *rnh;
-{
-
- (void)rn_walktree(rnh, rn_freenode, rnh);
-
- rnh->rnh_addaddr = NULL;
- rnh->rnh_deladdr = NULL;
- rnh->rnh_matchaddr = NULL;
- rnh->rnh_lookup = NULL;
- rnh->rnh_walktree = NULL;
-
- Free(rnh);
-}
-
-
-void
-rn_fini()
-{
- struct radix_mask *m;
-
- if (rn_zeros != NULL) {
- FreeS(rn_zeros, 3 * max_keylen);
- rn_zeros = NULL;
- }
-
- if (mask_rnhead != NULL) {
- rn_freehead(mask_rnhead);
- mask_rnhead = NULL;
- }
-
- while ((m = rn_mkfreelist) != NULL) {
- rn_mkfreelist = m->rm_mklist;
- KFREE(m);
- }
-}
-
-
-#ifdef USE_MAIN
-
-typedef struct myst {
- addrfamily_t dst;
- addrfamily_t mask;
- struct radix_node nodes[2];
-} myst_t;
-
-int
-main(int argc, char *argv[])
-{
- struct radix_node_head *rnh;
- struct radix_node *rn;
- addrfamily_t af, mf;
- myst_t st1, st2, *stp;
-
- memset(&st1, 0, sizeof(st1));
- memset(&st2, 0, sizeof(st2));
- memset(&af, 0, sizeof(af));
-
- rn_init();
-
- rnh = NULL;
- rn_inithead(&rnh, offsetof(addrfamily_t, adf_addr) << 3);
-
- st1.dst.adf_len = sizeof(st1);
- st1.mask.adf_len = sizeof(st1);
- st1.dst.adf_addr.in4.s_addr = inet_addr("127.0.0.0");
- st1.mask.adf_addr.in4.s_addr = inet_addr("255.0.0.0");
- rn = rnh->rnh_addaddr(&st1.dst, &st1.mask, rnh, st1.nodes);
- printf("add.1 %p\n", rn);
-
- st2.dst.adf_len = sizeof(st2);
- st2.mask.adf_len = sizeof(st2);
- st2.dst.adf_addr.in4.s_addr = inet_addr("127.0.1.0");
- st2.mask.adf_addr.in4.s_addr = inet_addr("255.255.255.0");
- rn = rnh->rnh_addaddr(&st2.dst, &st2.mask, rnh, st2.nodes);
- printf("add.2 %p\n", rn);
-
- af.adf_len = sizeof(af);
- af.adf_addr.in4.s_addr = inet_addr("127.0.1.0");
- rn = rnh->rnh_matchaddr(&af, rnh);
- if (rn != NULL) {
- printf("1.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
- stp = rn->rn_key;
- printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
- stp = rn->rn_mask;
- printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
- }
-
- mf.adf_len = sizeof(mf);
- mf.adf_addr.in4.s_addr = inet_addr("255.255.255.0");
- rn = rnh->rnh_lookup(&af, &mf, rnh);
- if (rn != NULL) {
- printf("2.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
- stp = rn->rn_key;
- printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
- stp = rn->rn_mask;
- printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
- }
-
- af.adf_len = sizeof(af);
- af.adf_addr.in4.s_addr = inet_addr("126.0.0.1");
- rn = rnh->rnh_matchaddr(&af, rnh);
- if (rn != NULL) {
- printf("3.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
- stp = rn->rn_key;
- printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
- stp = rn->rn_mask;
- printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
- }
-
- return 0;
-}
-
-
-void
-log(int level, char *format, ...)
-{
- va_list ap;
-
- va_start(ap, format);
- vfprintf(stderr, format, ap);
- va_end(ap);
-}
-#endif
-
-
-#ifndef _KERNEL
-void
-panic(char *str)
-{
- fputs(str, stderr);
- abort();
-}
-#endif
diff --git a/contrib/ipfilter/radix_ipf.c b/contrib/ipfilter/radix_ipf.c
new file mode 100644
index 0000000..f145c38
--- /dev/null
+++ b/contrib/ipfilter/radix_ipf.c
@@ -0,0 +1,1528 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#if !defined(_KERNEL)
+# include <stddef.h>
+# include <stdlib.h>
+# include <strings.h>
+# include <string.h>
+#endif
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#ifdef RDX_DEBUG
+# include <arpa/inet.h>
+# include <stdlib.h>
+# include <stdio.h>
+#endif
+#include "netinet/radix_ipf.h"
+
+#define ADF_OFF offsetof(addrfamily_t, adf_addr)
+#define ADF_OFF_BITS (ADF_OFF << 3)
+
+static ipf_rdx_node_t *ipf_rx_insert __P((ipf_rdx_head_t *,
+ ipf_rdx_node_t nodes[2], int *));
+static void ipf_rx_attach_mask __P((ipf_rdx_node_t *, ipf_rdx_mask_t *));
+static int count_mask_bits __P((addrfamily_t *, u_32_t **));
+static void buildnodes __P((addrfamily_t *, addrfamily_t *,
+ ipf_rdx_node_t n[2]));
+static ipf_rdx_node_t *ipf_rx_find_addr __P((ipf_rdx_node_t *, u_32_t *));
+static ipf_rdx_node_t *ipf_rx_lookup __P((ipf_rdx_head_t *, addrfamily_t *,
+ addrfamily_t *));
+static ipf_rdx_node_t *ipf_rx_match __P((ipf_rdx_head_t *, addrfamily_t *));
+
+/*
+ * Foreword.
+ * ---------
+ * The code in this file has been written to target using the addrfamily_t
+ * data structure to house the address information and no other. Thus there
+ * are certain aspects of thise code (such as offsets to the address itself)
+ * that are hard coded here whilst they might be more variable elsewhere.
+ * Similarly, this code enforces no maximum key length as that's implied by
+ * all keys needing to be stored in addrfamily_t.
+ */
+
+/* ------------------------------------------------------------------------ */
+/* Function: count_mask_bits */
+/* Returns: number of consecutive bits starting at "mask". */
+/* */
+/* Count the number of bits set in the address section of addrfamily_t and */
+/* return both that number and a pointer to the last word with a bit set if */
+/* lastp is not NULL. The bit count is performed using network byte order */
+/* as the guide for which bit is the most significant bit. */
+/* ------------------------------------------------------------------------ */
+static int
+count_mask_bits(mask, lastp)
+ addrfamily_t *mask;
+ u_32_t **lastp;
+{
+ u_32_t *mp = (u_32_t *)&mask->adf_addr;
+ u_32_t m;
+ int count = 0;
+ int mlen;
+
+ mlen = mask->adf_len - offsetof(addrfamily_t, adf_addr);
+ for (; mlen > 0; mlen -= 4, mp++) {
+ if ((m = ntohl(*mp)) == 0)
+ break;
+ if (lastp != NULL)
+ *lastp = mp;
+ for (; m & 0x80000000; m <<= 1)
+ count++;
+ }
+
+ return count;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: buildnodes */
+/* Returns: Nil */
+/* Parameters: addr(I) - network address for this radix node */
+/* mask(I) - netmask associated with the above address */
+/* nodes(O) - pair of ipf_rdx_node_t's to initialise with data */
+/* associated with addr and mask. */
+/* */
+/* Initialise the fields in a pair of radix tree nodes according to the */
+/* data supplied in the paramters "addr" and "mask". It is expected that */
+/* "mask" will contain a consecutive string of bits set. Masks with gaps in */
+/* the middle are not handled by this implementation. */
+/* ------------------------------------------------------------------------ */
+static void
+buildnodes(addr, mask, nodes)
+ addrfamily_t *addr, *mask;
+ ipf_rdx_node_t nodes[2];
+{
+ u_32_t maskbits;
+ u_32_t lastbits;
+ u_32_t lastmask;
+ u_32_t *last;
+ int masklen;
+
+ last = NULL;
+ maskbits = count_mask_bits(mask, &last);
+ if (last == NULL) {
+ masklen = 0;
+ lastmask = 0;
+ } else {
+ masklen = last - (u_32_t *)mask;
+ lastmask = *last;
+ }
+ lastbits = maskbits & 0x1f;
+
+ bzero(&nodes[0], sizeof(ipf_rdx_node_t) * 2);
+ nodes[0].maskbitcount = maskbits;
+ nodes[0].index = -1 - (ADF_OFF_BITS + maskbits);
+ nodes[0].addrkey = (u_32_t *)addr;
+ nodes[0].maskkey = (u_32_t *)mask;
+ nodes[0].addroff = nodes[0].addrkey + masklen;
+ nodes[0].maskoff = nodes[0].maskkey + masklen;
+ nodes[0].parent = &nodes[1];
+ nodes[0].offset = masklen;
+ nodes[0].lastmask = lastmask;
+ nodes[1].offset = masklen;
+ nodes[1].left = &nodes[0];
+ nodes[1].maskbitcount = maskbits;
+#ifdef RDX_DEBUG
+ (void) strcpy(nodes[0].name, "_BUILD.0");
+ (void) strcpy(nodes[1].name, "_BUILD.1");
+#endif
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_find_addr */
+/* Returns: ipf_rdx_node_t * - pointer to a node in the radix tree. */
+/* Parameters: tree(I) - pointer to first right node in tree to search */
+/* addr(I) - pointer to address to match */
+/* */
+/* Walk the radix tree given by "tree", looking for a leaf node that is a */
+/* match for the address given by "addr". */
+/* ------------------------------------------------------------------------ */
+static ipf_rdx_node_t *
+ipf_rx_find_addr(tree, addr)
+ ipf_rdx_node_t *tree;
+ u_32_t *addr;
+{
+ ipf_rdx_node_t *cur;
+
+ for (cur = tree; cur->index >= 0;) {
+ if (cur->bitmask & addr[cur->offset]) {
+ cur = cur->right;
+ } else {
+ cur = cur->left;
+ }
+ }
+
+ return (cur);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_match */
+/* Returns: ipf_rdx_node_t * - NULL on error, else pointer to the node */
+/* added to the tree. */
+/* Paramters: head(I) - pointer to tree head to search */
+/* addr(I) - pointer to address to find */
+/* */
+/* Search the radix tree for the best match to the address pointed to by */
+/* "addr" and return a pointer to that node. This search will not match the */
+/* address information stored in either of the root leaves as neither of */
+/* them are considered to be part of the tree of data being stored. */
+/* ------------------------------------------------------------------------ */
+static ipf_rdx_node_t *
+ipf_rx_match(head, addr)
+ ipf_rdx_head_t *head;
+ addrfamily_t *addr;
+{
+ ipf_rdx_mask_t *masknode;
+ ipf_rdx_node_t *prev;
+ ipf_rdx_node_t *node;
+ ipf_rdx_node_t *cur;
+ u_32_t *data;
+ u_32_t *mask;
+ u_32_t *key;
+ u_32_t *end;
+ int len;
+ int i;
+
+ len = addr->adf_len;
+ end = (u_32_t *)((u_char *)addr + len);
+ node = ipf_rx_find_addr(head->root, (u_32_t *)addr);
+
+ /*
+ * Search the dupkey list for a potential match.
+ */
+ for (cur = node; (cur != NULL) && (cur->root == 0); cur = cur->dupkey) {
+ i = cur[0].addroff - cur[0].addrkey;
+ data = cur[0].addrkey + i;
+ mask = cur[0].maskkey + i;
+ key = (u_32_t *)addr + i;
+ for (; key < end; data++, key++, mask++)
+ if ((*key & *mask) != *data)
+ break;
+ if ((end == key) && (cur->root == 0))
+ return (cur); /* Equal keys */
+ }
+ prev = node->parent;
+ key = (u_32_t *)addr;
+
+ for (node = prev; node->root == 0; node = node->parent) {
+ /*
+ * We know that the node hasn't matched so therefore only
+ * the entries in the mask list are searched, not the top
+ * node nor the dupkey list.
+ */
+ masknode = node->masks;
+ for (; masknode != NULL; masknode = masknode->next) {
+ if (masknode->maskbitcount > node->maskbitcount)
+ continue;
+ cur = masknode->node;
+ for (i = ADF_OFF >> 2; i <= node->offset; i++) {
+ if ((key[i] & masknode->mask[i]) ==
+ cur->addrkey[i])
+ return (cur);
+ }
+ }
+ }
+
+ return NULL;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_lookup */
+/* Returns: ipf_rdx_node_t * - NULL on error, else pointer to the node */
+/* added to the tree. */
+/* Paramters: head(I) - pointer to tree head to search */
+/* addr(I) - address part of the key to match */
+/* mask(I) - netmask part of the key to match */
+/* */
+/* ipf_rx_lookup searches for an exact match on (addr,mask). The intention */
+/* is to see if a given key is in the tree, not to see if a route exists. */
+/* ------------------------------------------------------------------------ */
+ipf_rdx_node_t *
+ipf_rx_lookup(head, addr, mask)
+ ipf_rdx_head_t *head;
+ addrfamily_t *addr, *mask;
+{
+ ipf_rdx_node_t *found;
+ ipf_rdx_node_t *node;
+ u_32_t *akey;
+ int count;
+
+ found = ipf_rx_find_addr(head->root, (u_32_t *)addr);
+ if (found->root == 1)
+ return NULL;
+
+ /*
+ * It is possible to find a matching address in the tree but for the
+ * netmask to not match. If the netmask does not match and there is
+ * no list of alternatives present at dupkey, return a failure.
+ */
+ count = count_mask_bits(mask, NULL);
+ if (count != found->maskbitcount && found->dupkey == NULL)
+ return (NULL);
+
+ akey = (u_32_t *)addr;
+ if ((found->addrkey[found->offset] & found->maskkey[found->offset]) !=
+ akey[found->offset])
+ return NULL;
+
+ if (found->dupkey != NULL) {
+ node = found;
+ while (node != NULL && node->maskbitcount != count)
+ node = node->dupkey;
+ if (node == NULL)
+ return (NULL);
+ found = node;
+ }
+ return found;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_attach_mask */
+/* Returns: Nil */
+/* Parameters: node(I) - pointer to a radix tree node */
+/* mask(I) - pointer to mask structure to add */
+/* */
+/* Add the netmask to the given node in an ordering where the most specific */
+/* netmask is at the top of the list. */
+/* ------------------------------------------------------------------------ */
+static void
+ipf_rx_attach_mask(node, mask)
+ ipf_rdx_node_t *node;
+ ipf_rdx_mask_t *mask;
+{
+ ipf_rdx_mask_t **pm;
+ ipf_rdx_mask_t *m;
+
+ for (pm = &node->masks; (m = *pm) != NULL; pm = &m->next)
+ if (m->maskbitcount < mask->maskbitcount)
+ break;
+ mask->next = *pm;
+ *pm = mask;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_insert */
+/* Returns: ipf_rdx_node_t * - NULL on error, else pointer to the node */
+/* added to the tree. */
+/* Paramters: head(I) - pointer to tree head to add nodes to */
+/* nodes(I) - pointer to radix nodes to be added */
+/* dup(O) - set to 1 if node is a duplicate, else 0. */
+/* */
+/* Add the new radix tree entry that owns nodes[] to the tree given by head.*/
+/* If there is already a matching key in the table, "dup" will be set to 1 */
+/* and the existing node pointer returned if there is a complete key match. */
+/* A complete key match is a matching of all key data that is presented by */
+/* by the netmask. */
+/* ------------------------------------------------------------------------ */
+static ipf_rdx_node_t *
+ipf_rx_insert(head, nodes, dup)
+ ipf_rdx_head_t *head;
+ ipf_rdx_node_t nodes[2];
+ int *dup;
+{
+ ipf_rdx_mask_t **pmask;
+ ipf_rdx_node_t *node;
+ ipf_rdx_node_t *prev;
+ ipf_rdx_mask_t *mask;
+ ipf_rdx_node_t *cur;
+ u_32_t nodemask;
+ u_32_t *addr;
+ u_32_t *data;
+ int nodebits;
+ u_32_t *key;
+ u_32_t *end;
+ u_32_t bits;
+ int nodekey;
+ int nodeoff;
+ int nlen;
+ int len;
+
+ addr = nodes[0].addrkey;
+
+ node = ipf_rx_find_addr(head->root, addr);
+ len = ((addrfamily_t *)addr)->adf_len;
+ key = (u_32_t *)&((addrfamily_t *)addr)->adf_addr;
+ data= (u_32_t *)&((addrfamily_t *)node->addrkey)->adf_addr;
+ end = (u_32_t *)((u_char *)addr + len);
+ for (nlen = 0; key < end; data++, key++, nlen += 32)
+ if (*key != *data)
+ break;
+ if (end == data) {
+ *dup = 1;
+ return (node); /* Equal keys */
+ }
+ *dup = 0;
+
+ bits = (ntohl(*data) ^ ntohl(*key));
+ for (; bits != 0; nlen++) {
+ if ((bits & 0x80000000) != 0)
+ break;
+ bits <<= 1;
+ }
+ nlen += ADF_OFF_BITS;
+ nodes[1].index = nlen;
+ nodes[1].bitmask = htonl(0x80000000 >> (nlen & 0x1f));
+ nodes[0].offset = nlen / 32;
+ nodes[1].offset = nlen / 32;
+
+ /*
+ * Walk through the tree and look for the correct place to attach
+ * this node. ipf_rx_fin_addr is not used here because the place
+ * to attach this node may be an internal node (same key, different
+ * netmask.) Additionally, the depth of the search is forcibly limited
+ * here to not exceed the netmask, so that a short netmask will be
+ * added higher up the tree even if there are lower branches.
+ */
+ cur = head->root;
+ key = nodes[0].addrkey;
+ do {
+ prev = cur;
+ if (key[cur->offset] & cur->bitmask) {
+ cur = cur->right;
+ } else {
+ cur = cur->left;
+ }
+ } while (nlen > (unsigned)cur->index);
+
+ if ((key[prev->offset] & prev->bitmask) == 0) {
+ prev->left = &nodes[1];
+ } else {
+ prev->right = &nodes[1];
+ }
+ cur->parent = &nodes[1];
+ nodes[1].parent = prev;
+ if ((key[nodes[1].offset] & nodes[1].bitmask) == 0) {
+ nodes[1].right = cur;
+ } else {
+ nodes[1].right = &nodes[0];
+ nodes[1].left = cur;
+ }
+
+ nodeoff = nodes[0].offset;
+ nodekey = nodes[0].addrkey[nodeoff];
+ nodemask = nodes[0].lastmask;
+ nodebits = nodes[0].maskbitcount;
+ prev = NULL;
+ /*
+ * Find the node up the tree with the largest pattern that still
+ * matches the node being inserted to see if this mask can be
+ * moved there.
+ */
+ for (cur = nodes[1].parent; cur->root == 0; cur = cur->parent) {
+ if (cur->maskbitcount <= nodebits)
+ break;
+ if (((cur - 1)->addrkey[nodeoff] & nodemask) != nodekey)
+ break;
+ prev = cur;
+ }
+
+ KMALLOC(mask, ipf_rdx_mask_t *);
+ if (mask == NULL)
+ return NULL;
+ bzero(mask, sizeof(*mask));
+ mask->next = NULL;
+ mask->node = &nodes[0];
+ mask->maskbitcount = nodebits;
+ mask->mask = nodes[0].maskkey;
+ nodes[0].mymask = mask;
+
+ if (prev != NULL) {
+ ipf_rdx_mask_t *m;
+
+ for (pmask = &prev->masks; (m = *pmask) != NULL;
+ pmask = &m->next) {
+ if (m->maskbitcount < nodebits)
+ break;
+ }
+ } else {
+ /*
+ * No higher up nodes qualify, so attach mask locally.
+ */
+ pmask = &nodes[0].masks;
+ }
+ mask->next = *pmask;
+ *pmask = mask;
+
+ /*
+ * Search the mask list on each child to see if there are any masks
+ * there that can be moved up to this newly inserted node.
+ */
+ cur = nodes[1].right;
+ if (cur->root == 0) {
+ for (pmask = &cur->masks; (mask = *pmask) != NULL; ) {
+ if (mask->maskbitcount < nodebits) {
+ *pmask = mask->next;
+ ipf_rx_attach_mask(&nodes[0], mask);
+ } else {
+ pmask = &mask->next;
+ }
+ }
+ }
+ cur = nodes[1].left;
+ if (cur->root == 0 && cur != &nodes[0]) {
+ for (pmask = &cur->masks; (mask = *pmask) != NULL; ) {
+ if (mask->maskbitcount < nodebits) {
+ *pmask = mask->next;
+ ipf_rx_attach_mask(&nodes[0], mask);
+ } else {
+ pmask = &mask->next;
+ }
+ }
+ }
+ return (&nodes[0]);
+}
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_addroute */
+/* Returns: ipf_rdx_node_t * - NULL on error, else pointer to the node */
+/* added to the tree. */
+/* Paramters: head(I) - pointer to tree head to search */
+/* addr(I) - address portion of "route" to add */
+/* mask(I) - netmask portion of "route" to add */
+/* nodes(I) - radix tree data nodes inside allocate structure */
+/* */
+/* Attempt to add a node to the radix tree. The key for the node is the */
+/* (addr,mask). No memory allocation for the radix nodes themselves is */
+/* performed here, the data structure that this radix node is being used to */
+/* find is expected to house the node data itself however the call to */
+/* ipf_rx_insert() will attempt to allocate memory in order for netmask to */
+/* be promoted further up the tree. */
+/* In this case, the ip_pool_node_t structure from ip_pool.h contains both */
+/* the key material (addr,mask) and the radix tree nodes[]. */
+/* */
+/* The mechanics of inserting the node into the tree is handled by the */
+/* function ipf_rx_insert() above. Here, the code deals with the case */
+/* where the data to be inserted is a duplicate. */
+/* ------------------------------------------------------------------------ */
+ipf_rdx_node_t *
+ipf_rx_addroute(head, addr, mask, nodes)
+ ipf_rdx_head_t *head;
+ addrfamily_t *addr, *mask;
+ ipf_rdx_node_t *nodes;
+{
+ ipf_rdx_node_t *node;
+ ipf_rdx_node_t *prev;
+ ipf_rdx_node_t *x;
+ int dup;
+
+ buildnodes(addr, mask, nodes);
+ x = ipf_rx_insert(head, nodes, &dup);
+ if (x == NULL)
+ return NULL;
+
+ if (dup == 1) {
+ node = &nodes[0];
+ prev = NULL;
+ /*
+ * The duplicate list is kept sorted with the longest
+ * mask at the top, meaning that the most specific entry
+ * in the listis found first. This list thus allows for
+ * duplicates such as 128.128.0.0/32 and 128.128.0.0/16.
+ */
+ while ((x != NULL) && (x->maskbitcount > node->maskbitcount)) {
+ prev = x;
+ x = x->dupkey;
+ }
+
+ /*
+ * Is it a complete duplicate? If so, return NULL and
+ * fail the insert. Otherwise, insert it into the list
+ * of netmasks active for this key.
+ */
+ if ((x != NULL) && (x->maskbitcount == node->maskbitcount))
+ return (NULL);
+
+ if (prev != NULL) {
+ nodes[0].dupkey = x;
+ prev->dupkey = &nodes[0];
+ nodes[0].parent = prev;
+ if (x != NULL)
+ x->parent = &nodes[0];
+ } else {
+ nodes[0].dupkey = x->dupkey;
+ prev = x->parent;
+ nodes[0].parent = prev;
+ x->parent = &nodes[0];
+ if (prev->left == x)
+ prev->left = &nodes[0];
+ else
+ prev->right = &nodes[0];
+ }
+ }
+
+ return &nodes[0];
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_delete */
+/* Returns: ipf_rdx_node_t * - NULL on error, else node removed from */
+/* the tree. */
+/* Paramters: head(I) - pointer to tree head to search */
+/* addr(I) - pointer to the address part of the key */
+/* mask(I) - pointer to the netmask part of the key */
+/* */
+/* Search for an entry in the radix tree that is an exact match for (addr, */
+/* mask) and remove it if it exists. In the case where (addr,mask) is a not */
+/* a unique key, the tree structure itself is not changed - only the list */
+/* of duplicate keys. */
+/* ------------------------------------------------------------------------ */
+ipf_rdx_node_t *
+ipf_rx_delete(head, addr, mask)
+ ipf_rdx_head_t *head;
+ addrfamily_t *addr, *mask;
+{
+ ipf_rdx_mask_t **pmask;
+ ipf_rdx_node_t *parent;
+ ipf_rdx_node_t *found;
+ ipf_rdx_node_t *prev;
+ ipf_rdx_node_t *node;
+ ipf_rdx_node_t *cur;
+ ipf_rdx_mask_t *m;
+ int count;
+
+ found = ipf_rx_find_addr(head->root, (u_32_t *)addr);
+ if (found == NULL)
+ return NULL;
+ if (found->root == 1)
+ return NULL;
+ count = count_mask_bits(mask, NULL);
+ parent = found->parent;
+ if (found->dupkey != NULL) {
+ node = found;
+ while (node != NULL && node->maskbitcount != count)
+ node = node->dupkey;
+ if (node == NULL)
+ return (NULL);
+ if (node != found) {
+ /*
+ * Remove from the dupkey list. Here, "parent" is
+ * the previous node on the list (rather than tree)
+ * and "dupkey" is the next node on the list.
+ */
+ parent = node->parent;
+ parent->dupkey = node->dupkey;
+ node->dupkey->parent = parent;
+ } else {
+ /*
+ *
+ * When removing the top node of the dupkey list,
+ * the pointers at the top of the list that point
+ * to other tree nodes need to be preserved and
+ * any children must have their parent updated.
+ */
+ node = node->dupkey;
+ node->parent = found->parent;
+ node->right = found->right;
+ node->left = found->left;
+ found->right->parent = node;
+ found->left->parent = node;
+ if (parent->left == found)
+ parent->left = node;
+ else
+ parent->right= node;
+ }
+ } else {
+ if (count != found->maskbitcount)
+ return (NULL);
+ /*
+ * Remove the node from the tree and reconnect the subtree
+ * below.
+ */
+ /*
+ * If there is a tree to the left, look for something to
+ * attach in place of "found".
+ */
+ prev = found + 1;
+ cur = parent->parent;
+ if (parent != found + 1) {
+ if ((found + 1)->parent->right == found + 1)
+ (found + 1)->parent->right = parent;
+ else
+ (found + 1)->parent->left = parent;
+ if (cur->right == parent) {
+ if (parent->left == found) {
+ cur->right = parent->right;
+ } else if (parent->left != parent - 1) {
+ cur->right = parent->left;
+ } else {
+ cur->right = parent - 1;
+ }
+ cur->right->parent = cur;
+ } else {
+ if (parent->right == found) {
+ cur->left = parent->left;
+ } else if (parent->right != parent - 1) {
+ cur->left = parent->right;
+ } else {
+ cur->left = parent - 1;
+ }
+ cur->left->parent = cur;
+ }
+ parent->left = (found + 1)->left;
+ if ((found + 1)->right != parent)
+ parent->right = (found + 1)->right;
+ parent->left->parent = parent;
+ parent->right->parent = parent;
+ parent->parent = (found + 1)->parent;
+
+ parent->bitmask = prev->bitmask;
+ parent->offset = prev->offset;
+ parent->index = prev->index;
+ } else {
+ /*
+ * We found an edge node.
+ */
+ cur = parent->parent;
+ if (cur->left == parent) {
+ if (parent->left == found) {
+ cur->left = parent->right;
+ parent->right->parent = cur;
+ } else {
+ cur->left = parent->left;
+ parent->left->parent = cur;
+ }
+ } else {
+ if (parent->right != found) {
+ cur->right = parent->right;
+ parent->right->parent = cur;
+ } else {
+ cur->right = parent->left;
+ prev->left->parent = cur;
+ }
+ }
+ }
+ }
+
+ /*
+ * Remove mask associated with this node.
+ */
+ for (cur = parent; cur->root == 0; cur = cur->parent) {
+ ipf_rdx_mask_t **pm;
+
+ if (cur->maskbitcount <= found->maskbitcount)
+ break;
+ if (((cur - 1)->addrkey[found->offset] & found->bitmask) !=
+ found->addrkey[found->offset])
+ break;
+ for (pm = &cur->masks; (m = *pm) != NULL; )
+ if (m->node == cur) {
+ *pm = m->next;
+ break;
+ } else {
+ pm = &m->next;
+ }
+ }
+ KFREE(found->mymask);
+
+ /*
+ * Masks that have been brought up to this node from below need to
+ * be sent back down.
+ */
+ for (pmask = &parent->masks; (m = *pmask) != NULL; ) {
+ *pmask = m->next;
+ cur = m->node;
+ if (cur == found)
+ continue;
+ if (found->addrkey[cur->offset] & cur->lastmask) {
+ ipf_rx_attach_mask(parent->right, m);
+ } else if (parent->left != found) {
+ ipf_rx_attach_mask(parent->left, m);
+ }
+ }
+
+ return (found);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_walktree */
+/* Returns: Nil */
+/* Paramters: head(I) - pointer to tree head to search */
+/* walker(I) - function to call for each node in the tree */
+/* arg(I) - parameter to pass to walker, in addition to the */
+/* node pointer */
+/* */
+/* A standard tree walking function except that it is iterative, rather */
+/* than recursive and tracks the next node in case the "walker" function */
+/* should happen to delete and free the current node. It thus goes without */
+/* saying that the "walker" function is not permitted to cause any change */
+/* in the validity of the data found at either the left or right child. */
+/* ------------------------------------------------------------------------ */
+void
+ipf_rx_walktree(head, walker, arg)
+ ipf_rdx_head_t *head;
+ radix_walk_func_t walker;
+ void *arg;
+{
+ ipf_rdx_node_t *next;
+ ipf_rdx_node_t *node = head->root;
+ ipf_rdx_node_t *base;
+
+ while (node->index >= 0)
+ node = node->left;
+
+ for (;;) {
+ base = node;
+ while ((node->parent->right == node) && (node->root == 0))
+ node = node->parent;
+
+ for (node = node->parent->right; node->index >= 0; )
+ node = node->left;
+ next = node;
+
+ for (node = base; node != NULL; node = base) {
+ base = node->dupkey;
+ if (node->root == 0)
+ walker(node, arg);
+ }
+ node = next;
+ if (node->root)
+ return;
+ }
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_inithead */
+/* Returns: int - 0 = success, else failure */
+/* Paramters: softr(I) - pointer to radix context */
+/* headp(O) - location for where to store allocated tree head */
+/* */
+/* This function allocates and initialises a radix tree head structure. */
+/* As a traditional radix tree, node 0 is used as the "0" sentinel and node */
+/* "2" is used as the all ones sentinel, leaving node "1" as the root from */
+/* which the tree is hung with node "0" on its left and node "2" to the */
+/* right. The context, "softr", is used here to provide a common source of */
+/* the zeroes and ones data rather than have one per head. */
+/* ------------------------------------------------------------------------ */
+int
+ipf_rx_inithead(softr, headp)
+ radix_softc_t *softr;
+ ipf_rdx_head_t **headp;
+{
+ ipf_rdx_head_t *ptr;
+ ipf_rdx_node_t *node;
+
+ KMALLOC(ptr, ipf_rdx_head_t *);
+ *headp = ptr;
+ if (ptr == NULL)
+ return -1;
+ bzero(ptr, sizeof(*ptr));
+ node = ptr->nodes;
+ ptr->root = node + 1;
+ node[0].index = ADF_OFF_BITS;
+ node[0].index = -1 - node[0].index;
+ node[1].index = ADF_OFF_BITS;
+ node[2].index = node[0].index;
+ node[0].parent = node + 1;
+ node[1].parent = node + 1;
+ node[2].parent = node + 1;
+ node[1].bitmask = htonl(0x80000000);
+ node[0].root = 1;
+ node[1].root = 1;
+ node[2].root = 1;
+ node[0].offset = ADF_OFF_BITS >> 5;
+ node[1].offset = ADF_OFF_BITS >> 5;
+ node[2].offset = ADF_OFF_BITS >> 5;
+ node[1].left = &node[0];
+ node[1].right = &node[2];
+ node[0].addrkey = (u_32_t *)softr->zeros;
+ node[2].addrkey = (u_32_t *)softr->ones;
+#ifdef RDX_DEBUG
+ (void) strcpy(node[0].name, "0_ROOT");
+ (void) strcpy(node[1].name, "1_ROOT");
+ (void) strcpy(node[2].name, "2_ROOT");
+#endif
+
+ ptr->addaddr = ipf_rx_addroute;
+ ptr->deladdr = ipf_rx_delete;
+ ptr->lookup = ipf_rx_lookup;
+ ptr->matchaddr = ipf_rx_match;
+ ptr->walktree = ipf_rx_walktree;
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_freehead */
+/* Returns: Nil */
+/* Paramters: head(I) - pointer to tree head to free */
+/* */
+/* This function simply free's up the radix tree head. Prior to calling */
+/* this function, it is expected that the tree will have been emptied. */
+/* ------------------------------------------------------------------------ */
+void
+ipf_rx_freehead(head)
+ ipf_rdx_head_t *head;
+{
+ KFREE(head);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_create */
+/* Parameters: Nil */
+/* */
+/* ------------------------------------------------------------------------ */
+void *
+ipf_rx_create()
+{
+ radix_softc_t *softr;
+
+ KMALLOC(softr, radix_softc_t *);
+ if (softr == NULL)
+ return NULL;
+ bzero((char *)softr, sizeof(*softr));
+
+ KMALLOCS(softr->zeros, u_char *, 3 * sizeof(addrfamily_t));
+ if (softr->zeros == NULL) {
+ KFREE(softr);
+ return (NULL);
+ }
+ softr->ones = softr->zeros + sizeof(addrfamily_t);
+
+ return softr;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_init */
+/* Returns: int - 0 = success (always) */
+/* */
+/* ------------------------------------------------------------------------ */
+int
+ipf_rx_init(ctx)
+ void *ctx;
+{
+ radix_softc_t *softr = ctx;
+
+ memset(softr->zeros, 0, 3 * sizeof(addrfamily_t));
+ memset(softr->ones, 0xff, sizeof(addrfamily_t));
+
+ return (0);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_rx_destroy */
+/* Returns: Nil */
+/* */
+/* ------------------------------------------------------------------------ */
+void
+ipf_rx_destroy(ctx)
+ void *ctx;
+{
+ radix_softc_t *softr = ctx;
+
+ if (softr->zeros != NULL)
+ KFREES(softr->zeros, 3 * sizeof(addrfamily_t));
+ KFREE(softr);
+}
+
+/* ====================================================================== */
+
+#ifdef RDX_DEBUG
+/*
+ * To compile this file as a standalone test unit, use -DRDX_DEBUG=1
+ */
+#define NAME(x) ((x)->index < 0 ? (x)->name : (x)->name)
+#define GNAME(y) ((y) == NULL ? "NULL" : NAME(y))
+
+typedef struct myst {
+ struct ipf_rdx_node nodes[2];
+ addrfamily_t dst;
+ addrfamily_t mask;
+ struct myst *next;
+ int printed;
+} myst_t;
+
+typedef struct tabe_s {
+ char *host;
+ char *mask;
+ char *what;
+} tabe_t;
+
+tabe_t builtin[] = {
+#if 1
+ { "192:168:100::0", "48", "d" },
+ { "192:168:100::2", "128", "d" },
+#else
+ { "127.192.0.0", "255.255.255.0", "d" },
+ { "127.128.0.0", "255.255.255.0", "d" },
+ { "127.96.0.0", "255.255.255.0", "d" },
+ { "127.80.0.0", "255.255.255.0", "d" },
+ { "127.72.0.0", "255.255.255.0", "d" },
+ { "127.64.0.0", "255.255.255.0", "d" },
+ { "127.56.0.0", "255.255.255.0", "d" },
+ { "127.48.0.0", "255.255.255.0", "d" },
+ { "127.40.0.0", "255.255.255.0", "d" },
+ { "127.32.0.0", "255.255.255.0", "d" },
+ { "127.24.0.0", "255.255.255.0", "d" },
+ { "127.16.0.0", "255.255.255.0", "d" },
+ { "127.8.0.0", "255.255.255.0", "d" },
+ { "124.0.0.0", "255.0.0.0", "d" },
+ { "125.0.0.0", "255.0.0.0", "d" },
+ { "126.0.0.0", "255.0.0.0", "d" },
+ { "127.0.0.0", "255.0.0.0", "d" },
+ { "10.0.0.0", "255.0.0.0", "d" },
+ { "128.250.0.0", "255.255.0.0", "d" },
+ { "192.168.0.0", "255.255.0.0", "d" },
+ { "192.168.1.0", "255.255.255.0", "d" },
+#endif
+ { NULL, NULL, NULL }
+};
+
+char *mtable[][1] = {
+#if 1
+ { "192:168:100::2" },
+ { "192:168:101::2" },
+#else
+ { "9.0.0.0" },
+ { "9.0.0.1" },
+ { "11.0.0.0" },
+ { "11.0.0.1" },
+ { "127.0.0.1" },
+ { "127.0.1.0" },
+ { "255.255.255.0" },
+ { "126.0.0.1" },
+ { "128.251.0.0" },
+ { "128.251.0.1" },
+ { "128.251.255.255" },
+ { "129.250.0.0" },
+ { "129.250.0.1" },
+ { "192.168.255.255" },
+#endif
+ { NULL }
+};
+
+
+int forder[22] = {
+ 14, 13, 12, 5, 10, 3, 19, 7, 4, 20, 8,
+ 2, 17, 9, 16, 11, 15, 1, 6, 18, 0, 21
+};
+
+static int nodecount = 0;
+myst_t *myst_top = NULL;
+tabe_t *ttable = NULL;
+
+void add_addr(ipf_rdx_head_t *, int , int);
+void checktree(ipf_rdx_head_t *);
+void delete_addr(ipf_rdx_head_t *rnh, int item);
+void dumptree(ipf_rdx_head_t *rnh);
+void nodeprinter(ipf_rdx_node_t *, void *);
+void printroots(ipf_rdx_head_t *);
+void random_add(ipf_rdx_head_t *);
+void random_delete(ipf_rdx_head_t *);
+void test_addr(ipf_rdx_head_t *rnh, int pref, addrfamily_t *, int);
+
+
+static void
+ipf_rx_freenode(node, arg)
+ ipf_rdx_node_t *node;
+ void *arg;
+{
+ ipf_rdx_head_t *head = arg;
+ ipf_rdx_node_t *rv;
+ myst_t *stp;
+
+ stp = (myst_t *)node;
+ rv = ipf_rx_delete(head, &stp->dst, &stp->mask);
+ if (rv != NULL) {
+ free(rv);
+ }
+}
+
+
+const char *
+addrname(ap)
+ addrfamily_t *ap;
+{
+ static char name[80];
+ const char *txt;
+
+ bzero((char *)name, sizeof(name));
+ txt = inet_ntop(ap->adf_family, &ap->adf_addr, name,
+ sizeof(name));
+ return txt;
+}
+
+
+void
+fill6bits(bits, msk)
+ int bits;
+ u_int *msk;
+{
+ if (bits == 0) {
+ msk[0] = 0;
+ msk[1] = 0;
+ msk[2] = 0;
+ msk[3] = 0;
+ return;
+ }
+
+ msk[0] = 0xffffffff;
+ msk[1] = 0xffffffff;
+ msk[2] = 0xffffffff;
+ msk[3] = 0xffffffff;
+
+ if (bits == 128)
+ return;
+ if (bits > 96) {
+ msk[3] = htonl(msk[3] << (128 - bits));
+ } else if (bits > 64) {
+ msk[3] = 0;
+ msk[2] = htonl(msk[2] << (96 - bits));
+ } else if (bits > 32) {
+ msk[3] = 0;
+ msk[2] = 0;
+ msk[1] = htonl(msk[1] << (64 - bits));
+ } else {
+ msk[3] = 0;
+ msk[2] = 0;
+ msk[1] = 0;
+ msk[0] = htonl(msk[0] << (32 - bits));
+ }
+}
+
+
+void
+setaddr(afp, str)
+ addrfamily_t *afp;
+ char *str;
+{
+
+ bzero((char *)afp, sizeof(*afp));
+
+ if (strchr(str, ':') == NULL) {
+ afp->adf_family = AF_INET;
+ afp->adf_len = offsetof(addrfamily_t, adf_addr) + 4;
+ } else {
+ afp->adf_family = AF_INET6;
+ afp->adf_len = offsetof(addrfamily_t, adf_addr) + 16;
+ }
+ inet_pton(afp->adf_family, str, &afp->adf_addr);
+}
+
+
+void
+setmask(afp, str)
+ addrfamily_t *afp;
+ char *str;
+{
+ if (strchr(str, '.') != NULL) {
+ afp->adf_addr.in4.s_addr = inet_addr(str);
+ afp->adf_len = offsetof(addrfamily_t, adf_addr) + 4;
+ } else if (afp->adf_family == AF_INET) {
+ afp->adf_addr.i6[0] = htonl(0xffffffff << (32 - atoi(str)));
+ afp->adf_len = offsetof(addrfamily_t, adf_addr) + 4;
+ } else if (afp->adf_family == AF_INET6) {
+ fill6bits(atoi(str), afp->adf_addr.i6);
+ afp->adf_len = offsetof(addrfamily_t, adf_addr) + 16;
+ }
+}
+
+
+void
+nodeprinter(node, arg)
+ ipf_rdx_node_t *node;
+ void *arg;
+{
+ myst_t *stp = (myst_t *)node;
+
+ printf("Node %-9.9s L %-9.9s R %-9.9s P %9.9s/%-9.9s %s/%d\n",
+ node[0].name,
+ GNAME(node[1].left), GNAME(node[1].right),
+ GNAME(node[0].parent), GNAME(node[1].parent),
+ addrname(&stp->dst), node[0].maskbitcount);
+ if (stp->printed == -1)
+ printf("!!! %d\n", stp->printed);
+ else
+ stp->printed = 1;
+}
+
+
+void
+printnode(stp)
+ myst_t *stp;
+{
+ ipf_rdx_node_t *node = &stp->nodes[0];
+
+ if (stp->nodes[0].index > 0)
+ stp = (myst_t *)&stp->nodes[-1];
+
+ printf("Node %-9.9s ", node[0].name);
+ printf("L %-9.9s ", GNAME(node[1].left));
+ printf("R %-9.9s ", GNAME(node[1].right));
+ printf("P %9.9s", GNAME(node[0].parent));
+ printf("/%-9.9s ", GNAME(node[1].parent));
+ printf("%s P%d\n", addrname(&stp->dst), stp->printed);
+}
+
+
+void
+buildtab(void)
+{
+ char line[80], *s;
+ tabe_t *tab;
+ int lines;
+ FILE *fp;
+
+ lines = 0;
+ fp = fopen("hosts", "r");
+
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ s = strchr(line, '\n');
+ if (s != NULL)
+ *s = '\0';
+ lines++;
+ if (lines == 1)
+ tab = malloc(sizeof(*tab) * 2);
+ else
+ tab = realloc(tab, (lines + 1) * sizeof(*tab));
+ tab[lines - 1].host = strdup(line);
+ s = strchr(tab[lines - 1].host, '/');
+ *s++ = '\0';
+ tab[lines - 1].mask = s;
+ tab[lines - 1].what = "d";
+ }
+ fclose(fp);
+
+ tab[lines].host = NULL;
+ tab[lines].mask = NULL;
+ tab[lines].what = NULL;
+ ttable = tab;
+}
+
+
+void
+printroots(rnh)
+ ipf_rdx_head_t *rnh;
+{
+ printf("Root.0.%s b %3d p %-9.9s l %-9.9s r %-9.9s\n",
+ GNAME(&rnh->nodes[0]),
+ rnh->nodes[0].index, GNAME(rnh->nodes[0].parent),
+ GNAME(rnh->nodes[0].left), GNAME(rnh->nodes[0].right));
+ printf("Root.1.%s b %3d p %-9.9s l %-9.9s r %-9.9s\n",
+ GNAME(&rnh->nodes[1]),
+ rnh->nodes[1].index, GNAME(rnh->nodes[1].parent),
+ GNAME(rnh->nodes[1].left), GNAME(rnh->nodes[1].right));
+ printf("Root.2.%s b %3d p %-9.9s l %-9.9s r %-9.9s\n",
+ GNAME(&rnh->nodes[2]),
+ rnh->nodes[2].index, GNAME(rnh->nodes[2].parent),
+ GNAME(rnh->nodes[2].left), GNAME(rnh->nodes[2].right));
+}
+
+
+int
+main(int argc, char *argv[])
+{
+ addrfamily_t af;
+ ipf_rdx_head_t *rnh;
+ radix_softc_t *ctx;
+ int j;
+ int i;
+
+ rnh = NULL;
+
+ buildtab();
+ ctx = ipf_rx_create();
+ ipf_rx_init(ctx);
+ ipf_rx_inithead(ctx, &rnh);
+
+ printf("=== ADD-0 ===\n");
+ for (i = 0; ttable[i].host != NULL; i++) {
+ add_addr(rnh, i, i);
+ checktree(rnh);
+ }
+ printroots(rnh);
+ ipf_rx_walktree(rnh, nodeprinter, NULL);
+ printf("=== DELETE-0 ===\n");
+ for (i = 0; ttable[i].host != NULL; i++) {
+ delete_addr(rnh, i);
+ printroots(rnh);
+ ipf_rx_walktree(rnh, nodeprinter, NULL);
+ }
+ printf("=== ADD-1 ===\n");
+ for (i = 0; ttable[i].host != NULL; i++) {
+ setaddr(&af, ttable[i].host);
+ add_addr(rnh, i, i); /*forder[i]); */
+ checktree(rnh);
+ }
+ dumptree(rnh);
+ ipf_rx_walktree(rnh, nodeprinter, NULL);
+ printf("=== TEST-1 ===\n");
+ for (i = 0; ttable[i].host != NULL; i++) {
+ setaddr(&af, ttable[i].host);
+ test_addr(rnh, i, &af, -1);
+ }
+
+ printf("=== TEST-2 ===\n");
+ for (i = 0; mtable[i][0] != NULL; i++) {
+ setaddr(&af, mtable[i][0]);
+ test_addr(rnh, i, &af, -1);
+ }
+ printf("=== DELETE-1 ===\n");
+ for (i = 0; ttable[i].host != NULL; i++) {
+ if (ttable[i].what[0] != 'd')
+ continue;
+ delete_addr(rnh, i);
+ for (j = 0; ttable[j].host != NULL; j++) {
+ setaddr(&af, ttable[j].host);
+ test_addr(rnh, i, &af, 3);
+ }
+ printroots(rnh);
+ ipf_rx_walktree(rnh, nodeprinter, NULL);
+ }
+
+ dumptree(rnh);
+
+ printf("=== ADD-2 ===\n");
+ random_add(rnh);
+ checktree(rnh);
+ dumptree(rnh);
+ ipf_rx_walktree(rnh, nodeprinter, NULL);
+ printf("=== DELETE-2 ===\n");
+ random_delete(rnh);
+ checktree(rnh);
+ dumptree(rnh);
+
+ ipf_rx_walktree(rnh, ipf_rx_freenode, rnh);
+
+ return 0;
+}
+
+
+void
+dumptree(rnh)
+ ipf_rdx_head_t *rnh;
+{
+ myst_t *stp;
+
+ printf("VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\n");
+ printroots(rnh);
+ for (stp = myst_top; stp; stp = stp->next)
+ printnode(stp);
+ printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n");
+}
+
+
+void
+test_addr(rnh, pref, addr, limit)
+ ipf_rdx_head_t *rnh;
+ int pref;
+ addrfamily_t *addr;
+{
+ static int extras[14] = { 0, -1, 1, 3, 5, 8, 9,
+ 15, 16, 19, 255, 256, 65535, 65536
+ };
+ ipf_rdx_node_t *rn;
+ addrfamily_t af;
+ char name[80];
+ myst_t *stp;
+ int i;
+
+ memset(&af, 0, sizeof(af));
+#if 0
+ if (limit < 0 || limit > 14)
+ limit = 14;
+
+ for (i = 0; i < limit; i++) {
+ if (ttable[i].host == NULL)
+ break;
+ setaddr(&af, ttable[i].host);
+ printf("%d.%d.LOOKUP(%s)", pref, i, addrname(&af));
+ rn = ipf_rx_match(rnh, &af);
+ stp = (myst_t *)rn;
+ printf(" = %s (%s/%d)\n", GNAME(rn),
+ rn ? addrname(&stp->dst) : "NULL",
+ rn ? rn->maskbitcount : 0);
+ }
+#else
+ printf("%d.%d.LOOKUP(%s)", pref, -1, addrname(addr));
+ rn = ipf_rx_match(rnh, addr);
+ stp = (myst_t *)rn;
+ printf(" = %s (%s/%d)\n", GNAME(rn),
+ rn ? addrname(&stp->dst) : "NULL", rn ? rn->maskbitcount : 0);
+#endif
+}
+
+
+void
+delete_addr(rnh, item)
+ ipf_rdx_head_t *rnh;
+ int item;
+{
+ ipf_rdx_node_t *rn;
+ addrfamily_t mask;
+ addrfamily_t af;
+ myst_t **pstp;
+ myst_t *stp;
+
+ memset(&af, 0, sizeof(af));
+ memset(&mask, 0, sizeof(mask));
+ setaddr(&af, ttable[item].host);
+ mask.adf_family = af.adf_family;
+ setmask(&mask, ttable[item].mask);
+
+ printf("DELETE(%s)\n", addrname(&af));
+ rn = ipf_rx_delete(rnh, &af, &mask);
+ if (rn == NULL) {
+ printf("FAIL LOOKUP DELETE\n");
+ checktree(rnh);
+ for (stp = myst_top; stp != NULL; stp = stp->next)
+ if (stp->printed != -1)
+ stp->printed = -2;
+ ipf_rx_walktree(rnh, nodeprinter, NULL);
+ dumptree(rnh);
+ abort();
+ }
+ printf("%d.delete(%s) = %s\n", item, addrname(&af), GNAME(rn));
+
+ for (pstp = &myst_top; (stp = *pstp) != NULL; pstp = &stp->next)
+ if (stp == (myst_t *)rn)
+ break;
+ stp->printed = -1;
+ stp->nodes[0].parent = &stp->nodes[0];
+ stp->nodes[1].parent = &stp->nodes[1];
+ *pstp = stp->next;
+ free(stp);
+ nodecount--;
+ checktree(rnh);
+}
+
+
+void
+add_addr(rnh, n, item)
+ ipf_rdx_head_t *rnh;
+ int n, item;
+{
+ ipf_rdx_node_t *rn;
+ myst_t *stp;
+
+ stp = calloc(1, sizeof(*stp));
+ rn = (ipf_rdx_node_t *)stp;
+ setaddr(&stp->dst, ttable[item].host);
+ stp->mask.adf_family = stp->dst.adf_family;
+ setmask(&stp->mask, ttable[item].mask);
+ stp->next = myst_top;
+ myst_top = stp;
+ (void) sprintf(rn[0].name, "_BORN.0");
+ (void) sprintf(rn[1].name, "_BORN.1");
+ rn = ipf_rx_addroute(rnh, &stp->dst, &stp->mask, stp->nodes);
+ (void) sprintf(rn[0].name, "%d_NODE.0", item);
+ (void) sprintf(rn[1].name, "%d_NODE.1", item);
+ printf("ADD %d/%d %s/%s\n", n, item, rn[0].name, rn[1].name);
+ nodecount++;
+ checktree(rnh);
+}
+
+
+void
+checktree(ipf_rdx_head_t *head)
+{
+ myst_t *s1;
+ ipf_rdx_node_t *rn;
+
+ if (nodecount <= 1)
+ return;
+
+ for (s1 = myst_top; s1 != NULL; s1 = s1->next) {
+ int fault = 0;
+ if (s1->printed == -1)
+ continue;
+ rn = &s1->nodes[1];
+ if (rn->right->parent != rn)
+ fault |= 1;
+ if (rn->left->parent != rn)
+ fault |= 2;
+ if (rn->parent->left != rn && rn->parent->right != rn)
+ fault |= 4;
+ if (fault != 0) {
+ printf("FAULT %#x %s\n", fault, rn->name);
+ dumptree(head);
+ ipf_rx_walktree(head, nodeprinter, NULL);
+ fflush(stdout);
+ fflush(stderr);
+ printf("--\n");
+ abort();
+ }
+ }
+}
+
+
+int *
+randomize(int *pnitems)
+{
+ int *order;
+ int nitems;
+ int choice;
+ int j;
+ int i;
+
+ nitems = sizeof(ttable) / sizeof(ttable[0]);
+ *pnitems = nitems;
+ order = calloc(nitems, sizeof(*order));
+ srandom(getpid() * time(NULL));
+ memset(order, 0xff, nitems * sizeof(*order));
+ order[21] = 21;
+ for (i = 0; i < nitems - 1; i++) {
+ do {
+ choice = rand() % (nitems - 1);
+ for (j = 0; j < nitems; j++)
+ if (order[j] == choice)
+ break;
+ } while (j != nitems);
+ order[i] = choice;
+ }
+
+ return order;
+}
+
+
+void
+random_add(rnh)
+ ipf_rdx_head_t *rnh;
+{
+ int *order;
+ int nitems;
+ int i;
+
+ order = randomize(&nitems);
+
+ for (i = 0; i < nitems - 1; i++) {
+ add_addr(rnh, i, order[i]);
+ checktree(rnh);
+ }
+}
+
+
+void
+random_delete(rnh)
+ ipf_rdx_head_t *rnh;
+{
+ int *order;
+ int nitems;
+ int i;
+
+ order = randomize(&nitems);
+
+ for (i = 0; i < nitems - 1; i++) {
+ delete_addr(rnh, i);
+ checktree(rnh);
+ }
+}
+#endif /* RDX_DEBUG */
diff --git a/contrib/ipfilter/radix_ipf.h b/contrib/ipfilter/radix_ipf.h
index 11e4ba7..bbbf559 100644
--- a/contrib/ipfilter/radix_ipf.h
+++ b/contrib/ipfilter/radix_ipf.h
@@ -1,214 +1,97 @@
/* $FreeBSD$ */
/*
- * Copyright (c) 1988, 1989, 1993
- * The Regents of the University of California. All rights reserved.
+ * Copyright (C) 2012 by Darren Reed.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)radix.h 8.2 (Berkeley) 10/31/94
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifndef __RADIX_IPF_H__
+#define __RADIX_IPF_H__
-#if !defined(_NET_RADIX_H_) && !defined(_RADIX_H_)
-#define _NET_RADIX_H_
-#ifndef _RADIX_H_
-#define _RADIX_H_
-#endif /* _RADIX_H_ */
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
+#ifndef U_32_T
+typedef unsigned int u_32_t;
+# define U_32_T 1
#endif
-#if defined(__sgi) || defined(__osf__) || defined(sun)
-# define radix_mask ipf_radix_mask
-# define radix_node ipf_radix_node
-# define radix_node_head ipf_radix_node_head
-#endif
-
-/*
- * Radix search tree node layout.
- */
-
-struct radix_node {
- struct radix_mask *rn_mklist; /* list of masks contained in subtree */
- struct radix_node *rn_p; /* parent */
- short rn_b; /* bit offset; -1-index(netmask) */
- char rn_bmask; /* node: mask for bit test*/
- u_char rn_flags; /* enumerated next */
-#define RNF_NORMAL 1 /* leaf contains normal route */
-#define RNF_ROOT 2 /* leaf is root leaf for tree */
-#define RNF_ACTIVE 4 /* This node is alive (for rtfree) */
- union {
- struct { /* leaf only data: */
- caddr_t rn_Key; /* object of search */
- caddr_t rn_Mask; /* netmask, if present */
- struct radix_node *rn_Dupedkey;
- } rn_leaf;
- struct { /* node only data: */
- int rn_Off; /* where to start compare */
- struct radix_node *rn_L;/* progeny */
- struct radix_node *rn_R;/* progeny */
- } rn_node;
- } rn_u;
-#ifdef RN_DEBUG
- int rn_info;
- struct radix_node *rn_twin;
- struct radix_node *rn_ybro;
+typedef struct ipf_rdx_mask {
+ struct ipf_rdx_mask *next;
+ struct ipf_rdx_node *node;
+ u_32_t *mask;
+ int maskbitcount;
+} ipf_rdx_mask_t;
+
+typedef struct ipf_rdx_node {
+ struct ipf_rdx_node *left;
+ struct ipf_rdx_node *right;
+ struct ipf_rdx_node *parent;
+ struct ipf_rdx_node *dupkey;
+ struct ipf_rdx_mask *masks;
+ struct ipf_rdx_mask *mymask;
+ u_32_t *addrkey;
+ u_32_t *maskkey;
+ u_32_t *addroff;
+ u_32_t *maskoff;
+ u_32_t lastmask;
+ u_32_t bitmask;
+ int offset;
+ int index;
+ int maskbitcount;
+ int root;
+#ifdef RDX_DEBUG
+ char name[40];
#endif
-};
-
-#define rn_dupedkey rn_u.rn_leaf.rn_Dupedkey
-#define rn_key rn_u.rn_leaf.rn_Key
-#define rn_mask rn_u.rn_leaf.rn_Mask
-#define rn_off rn_u.rn_node.rn_Off
-#define rn_l rn_u.rn_node.rn_L
-#define rn_r rn_u.rn_node.rn_R
-
-/*
- * Annotations to tree concerning potential routes applying to subtrees.
- */
-
-struct radix_mask {
- short rm_b; /* bit offset; -1-index(netmask) */
- char rm_unused; /* cf. rn_bmask */
- u_char rm_flags; /* cf. rn_flags */
- struct radix_mask *rm_mklist; /* more masks to try */
- union {
- caddr_t rmu_mask; /* the mask */
- struct radix_node *rmu_leaf; /* for normal routes */
- } rm_rmu;
- int rm_refs; /* # of references to this struct */
-};
-
-#define rm_mask rm_rmu.rmu_mask
-#define rm_leaf rm_rmu.rmu_leaf /* extra field would make 32 bytes */
-
-#define MKGet(m) {\
- if (rn_mkfreelist) {\
- m = rn_mkfreelist; \
- rn_mkfreelist = (m)->rm_mklist; \
- } else \
- R_Malloc(m, struct radix_mask *, sizeof (*(m))); }\
-
-#define MKFree(m) { (m)->rm_mklist = rn_mkfreelist; rn_mkfreelist = (m);}
-
-struct radix_node_head {
- struct radix_node *rnh_treetop;
- struct radix_node *rnh_leaflist;
- u_long rnh_hits;
- u_int rnh_number;
- u_int rnh_ref;
- int rnh_addrsize; /* permit, but not require fixed keys */
- int rnh_pktsize; /* permit, but not require fixed keys */
- struct radix_node *(*rnh_addaddr) /* add based on sockaddr */
- __P((void *v, void *mask,
- struct radix_node_head *head, struct radix_node nodes[]));
- struct radix_node *(*rnh_addpkt) /* add based on packet hdr */
- __P((void *v, void *mask,
- struct radix_node_head *head, struct radix_node nodes[]));
- struct radix_node *(*rnh_deladdr) /* remove based on sockaddr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_delpkt) /* remove based on packet hdr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_matchaddr) /* locate based on sockaddr */
- __P((void *v, struct radix_node_head *head));
- struct radix_node *(*rnh_lookup) /* locate based on sockaddr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_matchpkt) /* locate based on packet hdr */
- __P((void *v, struct radix_node_head *head));
- int (*rnh_walktree) /* traverse tree */
- __P((struct radix_node_head *,
- int (*)(struct radix_node *, void *), void *));
- struct radix_node rnh_nodes[3]; /* empty tree for common case */
-};
-
-
-#if defined(AIX)
-# undef Bcmp
-# undef Bzero
-# undef R_Malloc
-# undef Free
-#endif
-#define Bcmp(a, b, n) bcmp(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n))
-#if defined(linux) && defined(_KERNEL)
-# define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
+} ipf_rdx_node_t;
+
+struct ipf_rdx_head;
+
+typedef void (* radix_walk_func_t)(ipf_rdx_node_t *, void *);
+typedef ipf_rdx_node_t *(* idx_hamn_func_t)(struct ipf_rdx_head *,
+ addrfamily_t *, addrfamily_t *,
+ ipf_rdx_node_t *);
+typedef ipf_rdx_node_t *(* idx_ham_func_t)(struct ipf_rdx_head *,
+ addrfamily_t *, addrfamily_t *);
+typedef ipf_rdx_node_t *(* idx_ha_func_t)(struct ipf_rdx_head *,
+ addrfamily_t *);
+typedef void (* idx_walk_func_t)(struct ipf_rdx_head *,
+ radix_walk_func_t, void *);
+
+typedef struct ipf_rdx_head {
+ ipf_rdx_node_t *root;
+ ipf_rdx_node_t nodes[3];
+ ipfmutex_t lock;
+ idx_hamn_func_t addaddr; /* add addr/mask to tree */
+ idx_ham_func_t deladdr; /* delete addr/mask from tree */
+ idx_ham_func_t lookup; /* look for specific addr/mask */
+ idx_ha_func_t matchaddr; /* search tree for address match */
+ idx_walk_func_t walktree; /* walk entire tree */
+} ipf_rdx_head_t;
+
+typedef struct radix_softc {
+ u_char *zeros;
+ u_char *ones;
+} radix_softc_t;
+
+#undef RADIX_NODE_HEAD_LOCK
+#undef RADIX_NODE_HEAD_UNLOCK
+#ifdef _KERNEL
+# define RADIX_NODE_HEAD_LOCK(x) MUTEX_ENTER(&(x)->lock)
+# define RADIX_NODE_HEAD_UNLOCK(x) MUTEX_UNLOCK(&(x)->lock)
#else
-# define Bcopy(a, b, n) bcopy(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n))
+# define RADIX_NODE_HEAD_LOCK(x)
+# define RADIX_NODE_HEAD_UNLOCK(x)
#endif
-#define Bzero(p, n) bzero((caddr_t)(p), (unsigned)(n));
-#define R_Malloc(p, t, n) KMALLOCS(p, t, n)
-#define FreeS(p, z) KFREES(p, z)
-#define Free(p) KFREE(p)
-
-#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516) || defined(sun)) && defined(_KERNEL)
-# define rn_init ipf_rn_init
-# define rn_fini ipf_rn_fini
-# define rn_inithead ipf_rn_inithead
-# define rn_freehead ipf_rn_freehead
-# define rn_inithead0 ipf_rn_inithead0
-# define rn_refines ipf_rn_refines
-# define rn_walktree ipf_rn_walktree
-# define rn_addmask ipf_rn_addmask
-# define rn_addroute ipf_rn_addroute
-# define rn_delete ipf_rn_delete
-# define rn_insert ipf_rn_insert
-# define rn_lookup ipf_rn_lookup
-# define rn_match ipf_rn_match
-# define rn_newpair ipf_rn_newpair
-# define rn_search ipf_rn_search
-# define rn_search_m ipf_rn_search_m
-# define max_keylen ipf_maxkeylen
-# define rn_mkfreelist ipf_rn_mkfreelist
-# define rn_zeros ipf_rn_zeros
-# define rn_ones ipf_rn_ones
-# define rn_satisfies_leaf ipf_rn_satisfies_leaf
-# define rn_lexobetter ipf_rn_lexobetter
-# define rn_new_radix_mask ipf_rn_new_radix_mask
-# define rn_freenode ipf_rn_freenode
-#endif
-
-void rn_init __P((void));
-void rn_fini __P((void));
-int rn_inithead __P((void **, int));
-void rn_freehead __P((struct radix_node_head *));
-int rn_inithead0 __P((struct radix_node_head *, int));
-int rn_refines __P((void *, void *));
-int rn_walktree __P((struct radix_node_head *,
- int (*)(struct radix_node *, void *), void *));
-struct radix_node
- *rn_addmask __P((void *, int, int)),
- *rn_addroute __P((void *, void *, struct radix_node_head *,
- struct radix_node [2])),
- *rn_delete __P((void *, void *, struct radix_node_head *)),
- *rn_insert __P((void *, struct radix_node_head *, int *,
- struct radix_node [2])),
- *rn_lookup __P((void *, void *, struct radix_node_head *)),
- *rn_match __P((void *, struct radix_node_head *)),
- *rn_newpair __P((void *, int, struct radix_node[2])),
- *rn_search __P((void *, struct radix_node *)),
- *rn_search_m __P((void *, struct radix_node *, void *));
-#endif /* _NET_RADIX_H_ */
+extern void *ipf_rx_create __P((void));
+extern int ipf_rx_init __P((void *));
+extern void ipf_rx_destroy __P((void *));
+extern int ipf_rx_inithead __P((radix_softc_t *, ipf_rdx_head_t **));
+extern void ipf_rx_freehead __P((ipf_rdx_head_t *));
+extern ipf_rdx_node_t *ipf_rx_addroute __P((ipf_rdx_head_t *,
+ addrfamily_t *, addrfamily_t *,
+ ipf_rdx_node_t *));
+extern ipf_rdx_node_t *ipf_rx_delete __P((ipf_rdx_head_t *, addrfamily_t *,
+ addrfamily_t *));
+extern void ipf_rx_walktree __P((ipf_rdx_head_t *, radix_walk_func_t,
+ void *));
+
+#endif /* __RADIX_IPF_H__ */
diff --git a/contrib/ipfilter/rules/.cvsignore b/contrib/ipfilter/rules/.cvsignore
deleted file mode 100644
index 3e75765..0000000
--- a/contrib/ipfilter/rules/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-new
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
index d2bd60a..642dde0 100644
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -22,10 +22,10 @@ block in log quick all with short
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
+block in log proto tcp all flags S/SA head 101 group 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
+block in log proto tcp all flags S/SA head 201 group 200
block in log proto udp all head 202 group 200
block out log on ed0 all head 250
#-------------------------------------------------------
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
index 46564f0..1d4fd73 100644
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -56,7 +56,7 @@ pass out quick on lo0 all
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
-pass in log quick proto tcp all flags S/SA keep state group 200
+pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
index 681a81d..f26b715 100644
--- a/contrib/ipfilter/rules/firewall
+++ b/contrib/ipfilter/rules/firewall
@@ -31,7 +31,7 @@ where
closest to your internal network in terms of network hops.
* "int-net" is the internal network IP# subnet address range. This might
- be something like 10.1.0.0/16, or 128.33.1.0/24
+ be something like 10.1.0.0/16, or 128.33.1.0/24
* "ext-service" is the service to which you wish to connect or if it doesn't
have a proper name, a number can be used. The translation of "ext-service"
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
index 47b0146..652afce 100644
--- a/contrib/ipfilter/rules/ipmon.conf
+++ b/contrib/ipfilter/rules/ipmon.conf
@@ -2,23 +2,24 @@
#
#
#
-match { logtag = 10000 }
- do { execute "/usr/bin/mail -s 'logtag 10000' root" };
-match { logtag = 2000, every 10 seconds }
- do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
+match { logtag = 10000; }
+do { execute("/usr/bin/mail -s 'logtag 10000' root"); };
#
-match { protocol = udp, result = block }
- do { execute "/usr/bin/mail -s 'blocked udp' root"
-};
+match { logtag = 2000, every 10 seconds; }
+do { execute("echo 'XXXXXXXX tag 2000 packet XXXXXXXX'"); };
#
-match {
- srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
-};
+match { protocol = udp, result = block; }
+do { file("file:///var/log/udp-block"); };
+#
+match { protocol = tcp, result = block, dstport = 25; }
+do { syslog("local0.info"), syslog("local1."), syslog(".warn"); };
+#
+match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
+do { execute("/usr/bin/mail -s 'from 10.1 to 192.168.1' root"); };
+
#
match {
rule = 12, logtag = 101, direction = in, result = block,
- protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "run shell command"
-};
+ protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
+do { nothing; };
#
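Review bot: The two rules that run `/usr/bin/mail` (the `logtag = 10000` rule and the `srcip = 10.1.0.0/16` rule) have no `every N seconds` clause, unlike the `logtag = 2000` rule next to them. This is a sample that gets copied into production, and without a throttle each matching log record presumably triggers its own `execute`, so whoever can send matching packets decides how many processes are spawned and how much mail root receives. I would write `match { logtag = 10000, every 10 seconds; }` and `match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24, every 10 seconds; }`. The new `syslog("local1.")` and `syslog(".warn")` forms also deserve a one-line `#` comment saying which half of facility.priority is left at its default.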
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
index f2fb204..de0e9bb 100644
--- a/contrib/ipfilter/rules/server
+++ b/contrib/ipfilter/rules/server
@@ -3,7 +3,7 @@
# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
# connected to the majority of the network, whilst le0 is connected to a
# leaf subnet. We're not concerned about filtering individual services
-# or
+# or
#
pass in quick on le0 from 128.1.40.0/24 to any
block in log quick on le0 from any to any
diff --git a/contrib/ipfilter/samples/.cvsignore b/contrib/ipfilter/samples/.cvsignore
deleted file mode 100644
index 4d38251..0000000
--- a/contrib/ipfilter/samples/.cvsignore
+++ /dev/null
@@ -1,4 +0,0 @@
-userauth
-proxy
-relay
-trans_relay
diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c
index 471cc73..483c4b5 100644
--- a/contrib/ipfilter/samples/proxy.c
+++ b/contrib/ipfilter/samples/proxy.c
@@ -51,8 +51,8 @@
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
struct sockaddr_in sin, sloc, sout;
ipfobj_t obj;
@@ -132,9 +132,9 @@ char *argv[];
#ifdef DO_NAT_OUT
do_nat_out(in, out, fd, nlp, extif)
-int fd;
-natlookup_t *nlp;
-char *extif;
+ int fd;
+ natlookup_t *nlp;
+ char *extif;
{
nat_save_t ns, *nsp = &ns;
struct sockaddr_in usin;
@@ -228,7 +228,7 @@ fflush(stdout);
relay(in, out, net)
-int in, out, net;
+ int in, out, net;
{
char netbuf[1024], outbuf[1024];
char *nwptr, *nrptr, *owptr, *orptr;
diff --git a/contrib/ipfilter/samples/relay.c b/contrib/ipfilter/samples/relay.c
index ac5c602..11b76b0 100644
--- a/contrib/ipfilter/samples/relay.c
+++ b/contrib/ipfilter/samples/relay.c
@@ -29,7 +29,7 @@ char ibuff[RELAY_BUFSZ];
char obuff[RELAY_BUFSZ];
int relay(ifd, ofd, rfd)
-int ifd, ofd, rfd;
+ int ifd, ofd, rfd;
{
fd_set rfds, wfds;
char *irh, *irt, *rrh, *rrt;
@@ -103,8 +103,8 @@ int ifd, ofd, rfd;
}
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
struct sockaddr_in sin;
ipfobj_t obj;
diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h
index 3cb54b9..74bc247 100644
--- a/contrib/ipfilter/snoop.h
+++ b/contrib/ipfilter/snoop.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -11,7 +11,7 @@
/*
* written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 2.3 2001/06/09 17:09:23 darrenr Exp $
+ * $Id$
*/
struct snoophdr {
char s_id[8];
diff --git a/contrib/ipfilter/sys/tree.h b/contrib/ipfilter/sys/tree.h
new file mode 100644
index 0000000..5855885
--- /dev/null
+++ b/contrib/ipfilter/sys/tree.h
@@ -0,0 +1,750 @@
+/* $NetBSD: tree.h,v 1.8 2004/03/28 19:38:30 provos Exp $ */
+/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */
+/* $FreeBSD: src/sys/sys/tree.h,v 1.7 2007/12/28 07:03:26 jasone Exp $ */
+
+/*-
+ * Copyright 2002 Niels Provos <provos@citi.umich.edu>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYS_TREE_H_
+#define _SYS_TREE_H_
+
+/*
+ * This file defines data structures for different types of trees:
+ * splay trees and red-black trees.
+ *
+ * A splay tree is a self-organizing data structure. Every operation
+ * on the tree causes a splay to happen. The splay moves the requested
+ * node to the root of the tree and partly rebalances it.
+ *
+ * This has the benefit that request locality causes faster lookups as
+ * the requested nodes move to the top of the tree. On the other hand,
+ * every lookup causes memory writes.
+ *
+ * The Balance Theorem bounds the total access time for m operations
+ * and n inserts on an initially empty tree as O((m + n)lg n). The
+ * amortized cost for a sequence of m accesses to a splay tree is O(lg n);
+ *
+ * A red-black tree is a binary search tree with the node color as an
+ * extra attribute. It fulfills a set of conditions:
+ * - every search path from the root to a leaf consists of the
+ * same number of black nodes,
+ * - each red node (except for the root) has a black parent,
+ * - each leaf node is black.
+ *
+ * Every operation on a red-black tree is bounded as O(lg n).
+ * The maximum height of a red-black tree is 2lg (n+1).
+ */
+
+#define SPLAY_HEAD(name, type) \
+struct name { \
+ struct type *sph_root; /* root of the tree */ \
+}
+
+#define SPLAY_INITIALIZER(root) \
+ { NULL }
+
+#define SPLAY_INIT(root) do { \
+ (root)->sph_root = NULL; \
+} while (/*CONSTCOND*/ 0)
+
+#define SPLAY_ENTRY(type) \
+struct { \
+ struct type *spe_left; /* left element */ \
+ struct type *spe_right; /* right element */ \
+}
+
+#define SPLAY_LEFT(elm, field) (elm)->field.spe_left
+#define SPLAY_RIGHT(elm, field) (elm)->field.spe_right
+#define SPLAY_ROOT(head) (head)->sph_root
+#define SPLAY_EMPTY(head) (SPLAY_ROOT(head) == NULL)
+
+/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */
+#define SPLAY_ROTATE_RIGHT(head, tmp, field) do { \
+ SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field); \
+ SPLAY_RIGHT(tmp, field) = (head)->sph_root; \
+ (head)->sph_root = tmp; \
+} while (/*CONSTCOND*/ 0)
+
+#define SPLAY_ROTATE_LEFT(head, tmp, field) do { \
+ SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field); \
+ SPLAY_LEFT(tmp, field) = (head)->sph_root; \
+ (head)->sph_root = tmp; \
+} while (/*CONSTCOND*/ 0)
+
+#define SPLAY_LINKLEFT(head, tmp, field) do { \
+ SPLAY_LEFT(tmp, field) = (head)->sph_root; \
+ tmp = (head)->sph_root; \
+ (head)->sph_root = SPLAY_LEFT((head)->sph_root, field); \
+} while (/*CONSTCOND*/ 0)
+
+#define SPLAY_LINKRIGHT(head, tmp, field) do { \
+ SPLAY_RIGHT(tmp, field) = (head)->sph_root; \
+ tmp = (head)->sph_root; \
+ (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field); \
+} while (/*CONSTCOND*/ 0)
+
+#define SPLAY_ASSEMBLE(head, node, left, right, field) do { \
+ SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field); \
+ SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\
+ SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field); \
+ SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field); \
+} while (/*CONSTCOND*/ 0)
+
+/* Generates prototypes and inline functions */
+
+#define SPLAY_PROTOTYPE(name, type, field, cmp) \
+void name##_SPLAY(struct name *, struct type *); \
+void name##_SPLAY_MINMAX(struct name *, int); \
+struct type *name##_SPLAY_INSERT(struct name *, struct type *); \
+struct type *name##_SPLAY_REMOVE(struct name *, struct type *); \
+ \
+/* Finds the node with the same key as elm */ \
+static __inline struct type * \
+name##_SPLAY_FIND(struct name *head, struct type *elm) \
+{ \
+ if (SPLAY_EMPTY(head)) \
+ return(NULL); \
+ name##_SPLAY(head, elm); \
+ if ((cmp)(elm, (head)->sph_root) == 0) \
+ return (head->sph_root); \
+ return (NULL); \
+} \
+ \
+static __inline struct type * \
+name##_SPLAY_NEXT(struct name *head, struct type *elm) \
+{ \
+ name##_SPLAY(head, elm); \
+ if (SPLAY_RIGHT(elm, field) != NULL) { \
+ elm = SPLAY_RIGHT(elm, field); \
+ while (SPLAY_LEFT(elm, field) != NULL) { \
+ elm = SPLAY_LEFT(elm, field); \
+ } \
+ } else \
+ elm = NULL; \
+ return (elm); \
+} \
+ \
+static __inline struct type * \
+name##_SPLAY_MIN_MAX(struct name *head, int val) \
+{ \
+ name##_SPLAY_MINMAX(head, val); \
+ return (SPLAY_ROOT(head)); \
+}
+
+/* Main splay operation.
+ * Moves node close to the key of elm to top
+ */
+#define SPLAY_GENERATE(name, type, field, cmp) \
+struct type * \
+name##_SPLAY_INSERT(struct name *head, struct type *elm) \
+{ \
+ if (SPLAY_EMPTY(head)) { \
+ SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL; \
+ } else { \
+ int __comp; \
+ name##_SPLAY(head, elm); \
+ __comp = (cmp)(elm, (head)->sph_root); \
+ if(__comp < 0) { \
+ SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\
+ SPLAY_RIGHT(elm, field) = (head)->sph_root; \
+ SPLAY_LEFT((head)->sph_root, field) = NULL; \
+ } else if (__comp > 0) { \
+ SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\
+ SPLAY_LEFT(elm, field) = (head)->sph_root; \
+ SPLAY_RIGHT((head)->sph_root, field) = NULL; \
+ } else \
+ return ((head)->sph_root); \
+ } \
+ (head)->sph_root = (elm); \
+ return (NULL); \
+} \
+ \
+struct type * \
+name##_SPLAY_REMOVE(struct name *head, struct type *elm) \
+{ \
+ struct type *__tmp; \
+ if (SPLAY_EMPTY(head)) \
+ return (NULL); \
+ name##_SPLAY(head, elm); \
+ if ((cmp)(elm, (head)->sph_root) == 0) { \
+ if (SPLAY_LEFT((head)->sph_root, field) == NULL) { \
+ (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\
+ } else { \
+ __tmp = SPLAY_RIGHT((head)->sph_root, field); \
+ (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\
+ name##_SPLAY(head, elm); \
+ SPLAY_RIGHT((head)->sph_root, field) = __tmp; \
+ } \
+ return (elm); \
+ } \
+ return (NULL); \
+} \
+ \
+void \
+name##_SPLAY(struct name *head, struct type *elm) \
+{ \
+ struct type __node, *__left, *__right, *__tmp; \
+ int __comp; \
+\
+ SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
+ __left = __right = &__node; \
+\
+ while ((__comp = (cmp)(elm, (head)->sph_root)) != 0) { \
+ if (__comp < 0) { \
+ __tmp = SPLAY_LEFT((head)->sph_root, field); \
+ if (__tmp == NULL) \
+ break; \
+ if ((cmp)(elm, __tmp) < 0){ \
+ SPLAY_ROTATE_RIGHT(head, __tmp, field); \
+ if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
+ break; \
+ } \
+ SPLAY_LINKLEFT(head, __right, field); \
+ } else if (__comp > 0) { \
+ __tmp = SPLAY_RIGHT((head)->sph_root, field); \
+ if (__tmp == NULL) \
+ break; \
+ if ((cmp)(elm, __tmp) > 0){ \
+ SPLAY_ROTATE_LEFT(head, __tmp, field); \
+ if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
+ break; \
+ } \
+ SPLAY_LINKRIGHT(head, __left, field); \
+ } \
+ } \
+ SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \
+} \
+ \
+/* Splay with either the minimum or the maximum element \
+ * Used to find minimum or maximum element in tree. \
+ */ \
+void name##_SPLAY_MINMAX(struct name *head, int __comp) \
+{ \
+ struct type __node, *__left, *__right, *__tmp; \
+\
+ SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
+ __left = __right = &__node; \
+\
+ while (1) { \
+ if (__comp < 0) { \
+ __tmp = SPLAY_LEFT((head)->sph_root, field); \
+ if (__tmp == NULL) \
+ break; \
+ if (__comp < 0){ \
+ SPLAY_ROTATE_RIGHT(head, __tmp, field); \
+ if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
+ break; \
+ } \
+ SPLAY_LINKLEFT(head, __right, field); \
+ } else if (__comp > 0) { \
+ __tmp = SPLAY_RIGHT((head)->sph_root, field); \
+ if (__tmp == NULL) \
+ break; \
+ if (__comp > 0) { \
+ SPLAY_ROTATE_LEFT(head, __tmp, field); \
+ if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
+ break; \
+ } \
+ SPLAY_LINKRIGHT(head, __left, field); \
+ } \
+ } \
+ SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \
+}
+
+#define SPLAY_NEGINF -1
+#define SPLAY_INF 1
+
+#define SPLAY_INSERT(name, x, y) name##_SPLAY_INSERT(x, y)
+#define SPLAY_REMOVE(name, x, y) name##_SPLAY_REMOVE(x, y)
+#define SPLAY_FIND(name, x, y) name##_SPLAY_FIND(x, y)
+#define SPLAY_NEXT(name, x, y) name##_SPLAY_NEXT(x, y)
+#define SPLAY_MIN(name, x) (SPLAY_EMPTY(x) ? NULL \
+ : name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF))
+#define SPLAY_MAX(name, x) (SPLAY_EMPTY(x) ? NULL \
+ : name##_SPLAY_MIN_MAX(x, SPLAY_INF))
+
+#define SPLAY_FOREACH(x, name, head) \
+ for ((x) = SPLAY_MIN(name, head); \
+ (x) != NULL; \
+ (x) = SPLAY_NEXT(name, head, x))
+
+/* Macros that define a red-black tree */
+#define RB_HEAD(name, type) \
+struct name { \
+ struct type *rbh_root; /* root of the tree */ \
+}
+
+#define RB_INITIALIZER(root) \
+ { NULL }
+
+#define RB_INIT(root) do { \
+ (root)->rbh_root = NULL; \
+} while (/*CONSTCOND*/ 0)
+
+/*
+ * Undef for Linux
+ */
+#undef RB_BLACK
+#undef RB_RED
+#undef RB_ROOT
+
+#define RB_BLACK 0
+#define RB_RED 1
+#define RB_ENTRY(type) \
+struct { \
+ struct type *rbe_left; /* left element */ \
+ struct type *rbe_right; /* right element */ \
+ struct type *rbe_parent; /* parent element */ \
+ int rbe_color; /* node color */ \
+}
+
+#define RB_LEFT(elm, field) (elm)->field.rbe_left
+#define RB_RIGHT(elm, field) (elm)->field.rbe_right
+#define RB_PARENT(elm, field) (elm)->field.rbe_parent
+#define RB_COLOR(elm, field) (elm)->field.rbe_color
+#define RB_ROOT(head) (head)->rbh_root
+#define RB_EMPTY(head) (RB_ROOT(head) == NULL)
+
+#define RB_SET(elm, parent, field) do { \
+ RB_PARENT(elm, field) = parent; \
+ RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL; \
+ RB_COLOR(elm, field) = RB_RED; \
+} while (/*CONSTCOND*/ 0)
+
+#define RB_SET_BLACKRED(black, red, field) do { \
+ RB_COLOR(black, field) = RB_BLACK; \
+ RB_COLOR(red, field) = RB_RED; \
+} while (/*CONSTCOND*/ 0)
+
+#ifndef RB_AUGMENT
+#define RB_AUGMENT(x) do {} while (0)
+#endif
+
+#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \
+ (tmp) = RB_RIGHT(elm, field); \
+ if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field)) != NULL) { \
+ RB_PARENT(RB_LEFT(tmp, field), field) = (elm); \
+ } \
+ RB_AUGMENT(elm); \
+ if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field)) != NULL) { \
+ if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \
+ RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \
+ else \
+ RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \
+ } else \
+ (head)->rbh_root = (tmp); \
+ RB_LEFT(tmp, field) = (elm); \
+ RB_PARENT(elm, field) = (tmp); \
+ RB_AUGMENT(tmp); \
+ if ((RB_PARENT(tmp, field))) \
+ RB_AUGMENT(RB_PARENT(tmp, field)); \
+} while (/*CONSTCOND*/ 0)
+
+#define RB_ROTATE_RIGHT(head, elm, tmp, field) do { \
+ (tmp) = RB_LEFT(elm, field); \
+ if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field)) != NULL) { \
+ RB_PARENT(RB_RIGHT(tmp, field), field) = (elm); \
+ } \
+ RB_AUGMENT(elm); \
+ if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field)) != NULL) { \
+ if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \
+ RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \
+ else \
+ RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \
+ } else \
+ (head)->rbh_root = (tmp); \
+ RB_RIGHT(tmp, field) = (elm); \
+ RB_PARENT(elm, field) = (tmp); \
+ RB_AUGMENT(tmp); \
+ if ((RB_PARENT(tmp, field))) \
+ RB_AUGMENT(RB_PARENT(tmp, field)); \
+} while (/*CONSTCOND*/ 0)
+
+/* Generates prototypes and inline functions */
+#define RB_PROTOTYPE(name, type, field, cmp) \
+ RB_PROTOTYPE_INTERNAL(name, type, field, cmp,)
+#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \
+ RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __unused static)
+#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \
+attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \
+attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
+attr struct type *name##_RB_REMOVE(struct name *, struct type *); \
+attr struct type *name##_RB_INSERT(struct name *, struct type *); \
+attr struct type *name##_RB_FIND(struct name *, struct type *); \
+attr struct type *name##_RB_NFIND(struct name *, struct type *); \
+attr struct type *name##_RB_NEXT(struct type *); \
+attr struct type *name##_RB_PREV(struct type *); \
+attr struct type *name##_RB_MINMAX(struct name *, int); \
+ \
+
+/* Main rb operation.
+ * Moves node close to the key of elm to top
+ */
+#define RB_GENERATE(name, type, field, cmp) \
+ RB_GENERATE_INTERNAL(name, type, field, cmp,)
+#define RB_GENERATE_STATIC(name, type, field, cmp) \
+ RB_GENERATE_INTERNAL(name, type, field, cmp, __unused static)
+#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \
+attr void \
+name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \
+{ \
+ struct type *parent, *gparent, *tmp; \
+ while ((parent = RB_PARENT(elm, field)) != NULL && \
+ RB_COLOR(parent, field) == RB_RED) { \
+ gparent = RB_PARENT(parent, field); \
+ if (parent == RB_LEFT(gparent, field)) { \
+ tmp = RB_RIGHT(gparent, field); \
+ if (tmp && RB_COLOR(tmp, field) == RB_RED) { \
+ RB_COLOR(tmp, field) = RB_BLACK; \
+ RB_SET_BLACKRED(parent, gparent, field);\
+ elm = gparent; \
+ continue; \
+ } \
+ if (RB_RIGHT(parent, field) == elm) { \
+ RB_ROTATE_LEFT(head, parent, tmp, field);\
+ tmp = parent; \
+ parent = elm; \
+ elm = tmp; \
+ } \
+ RB_SET_BLACKRED(parent, gparent, field); \
+ RB_ROTATE_RIGHT(head, gparent, tmp, field); \
+ } else { \
+ tmp = RB_LEFT(gparent, field); \
+ if (tmp && RB_COLOR(tmp, field) == RB_RED) { \
+ RB_COLOR(tmp, field) = RB_BLACK; \
+ RB_SET_BLACKRED(parent, gparent, field);\
+ elm = gparent; \
+ continue; \
+ } \
+ if (RB_LEFT(parent, field) == elm) { \
+ RB_ROTATE_RIGHT(head, parent, tmp, field);\
+ tmp = parent; \
+ parent = elm; \
+ elm = tmp; \
+ } \
+ RB_SET_BLACKRED(parent, gparent, field); \
+ RB_ROTATE_LEFT(head, gparent, tmp, field); \
+ } \
+ } \
+ RB_COLOR(head->rbh_root, field) = RB_BLACK; \
+} \
+ \
+attr void \
+name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \
+{ \
+ struct type *tmp; \
+ while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) && \
+ elm != RB_ROOT(head)) { \
+ if (RB_LEFT(parent, field) == elm) { \
+ tmp = RB_RIGHT(parent, field); \
+ if (RB_COLOR(tmp, field) == RB_RED) { \
+ RB_SET_BLACKRED(tmp, parent, field); \
+ RB_ROTATE_LEFT(head, parent, tmp, field);\
+ tmp = RB_RIGHT(parent, field); \
+ } \
+ if ((RB_LEFT(tmp, field) == NULL || \
+ RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
+ (RB_RIGHT(tmp, field) == NULL || \
+ RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
+ RB_COLOR(tmp, field) = RB_RED; \
+ elm = parent; \
+ parent = RB_PARENT(elm, field); \
+ } else { \
+ if (RB_RIGHT(tmp, field) == NULL || \
+ RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\
+ struct type *oleft; \
+ if ((oleft = RB_LEFT(tmp, field)) \
+ != NULL) \
+ RB_COLOR(oleft, field) = RB_BLACK;\
+ RB_COLOR(tmp, field) = RB_RED; \
+ RB_ROTATE_RIGHT(head, tmp, oleft, field);\
+ tmp = RB_RIGHT(parent, field); \
+ } \
+ RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
+ RB_COLOR(parent, field) = RB_BLACK; \
+ if (RB_RIGHT(tmp, field)) \
+ RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\
+ RB_ROTATE_LEFT(head, parent, tmp, field);\
+ elm = RB_ROOT(head); \
+ break; \
+ } \
+ } else { \
+ tmp = RB_LEFT(parent, field); \
+ if (RB_COLOR(tmp, field) == RB_RED) { \
+ RB_SET_BLACKRED(tmp, parent, field); \
+ RB_ROTATE_RIGHT(head, parent, tmp, field);\
+ tmp = RB_LEFT(parent, field); \
+ } \
+ if ((RB_LEFT(tmp, field) == NULL || \
+ RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
+ (RB_RIGHT(tmp, field) == NULL || \
+ RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
+ RB_COLOR(tmp, field) = RB_RED; \
+ elm = parent; \
+ parent = RB_PARENT(elm, field); \
+ } else { \
+ if (RB_LEFT(tmp, field) == NULL || \
+ RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\
+ struct type *oright; \
+ if ((oright = RB_RIGHT(tmp, field)) \
+ != NULL) \
+ RB_COLOR(oright, field) = RB_BLACK;\
+ RB_COLOR(tmp, field) = RB_RED; \
+ RB_ROTATE_LEFT(head, tmp, oright, field);\
+ tmp = RB_LEFT(parent, field); \
+ } \
+ RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
+ RB_COLOR(parent, field) = RB_BLACK; \
+ if (RB_LEFT(tmp, field)) \
+ RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\
+ RB_ROTATE_RIGHT(head, parent, tmp, field);\
+ elm = RB_ROOT(head); \
+ break; \
+ } \
+ } \
+ } \
+ if (elm) \
+ RB_COLOR(elm, field) = RB_BLACK; \
+} \
+ \
+attr struct type * \
+name##_RB_REMOVE(struct name *head, struct type *elm) \
+{ \
+ struct type *child, *parent, *old = elm; \
+ int color; \
+ if (RB_LEFT(elm, field) == NULL) \
+ child = RB_RIGHT(elm, field); \
+ else if (RB_RIGHT(elm, field) == NULL) \
+ child = RB_LEFT(elm, field); \
+ else { \
+ struct type *left; \
+ elm = RB_RIGHT(elm, field); \
+ while ((left = RB_LEFT(elm, field)) != NULL) \
+ elm = left; \
+ child = RB_RIGHT(elm, field); \
+ parent = RB_PARENT(elm, field); \
+ color = RB_COLOR(elm, field); \
+ if (child) \
+ RB_PARENT(child, field) = parent; \
+ if (parent) { \
+ if (RB_LEFT(parent, field) == elm) \
+ RB_LEFT(parent, field) = child; \
+ else \
+ RB_RIGHT(parent, field) = child; \
+ RB_AUGMENT(parent); \
+ } else \
+ RB_ROOT(head) = child; \
+ if (RB_PARENT(elm, field) == old) \
+ parent = elm; \
+ (elm)->field = (old)->field; \
+ if (RB_PARENT(old, field)) { \
+ if (RB_LEFT(RB_PARENT(old, field), field) == old)\
+ RB_LEFT(RB_PARENT(old, field), field) = elm;\
+ else \
+ RB_RIGHT(RB_PARENT(old, field), field) = elm;\
+ RB_AUGMENT(RB_PARENT(old, field)); \
+ } else \
+ RB_ROOT(head) = elm; \
+ RB_PARENT(RB_LEFT(old, field), field) = elm; \
+ if (RB_RIGHT(old, field)) \
+ RB_PARENT(RB_RIGHT(old, field), field) = elm; \
+ if (parent) { \
+ left = parent; \
+ do { \
+ RB_AUGMENT(left); \
+ } while ((left = RB_PARENT(left, field)) != NULL); \
+ } \
+ goto color; \
+ } \
+ parent = RB_PARENT(elm, field); \
+ color = RB_COLOR(elm, field); \
+ if (child) \
+ RB_PARENT(child, field) = parent; \
+ if (parent) { \
+ if (RB_LEFT(parent, field) == elm) \
+ RB_LEFT(parent, field) = child; \
+ else \
+ RB_RIGHT(parent, field) = child; \
+ RB_AUGMENT(parent); \
+ } else \
+ RB_ROOT(head) = child; \
+color: \
+ if (color == RB_BLACK) \
+ name##_RB_REMOVE_COLOR(head, parent, child); \
+ return (old); \
+} \
+ \
+/* Inserts a node into the RB tree */ \
+attr struct type * \
+name##_RB_INSERT(struct name *head, struct type *elm) \
+{ \
+ struct type *tmp; \
+ struct type *parent = NULL; \
+ int comp = 0; \
+ tmp = RB_ROOT(head); \
+ while (tmp) { \
+ parent = tmp; \
+ comp = (cmp)(elm, parent); \
+ if (comp < 0) \
+ tmp = RB_LEFT(tmp, field); \
+ else if (comp > 0) \
+ tmp = RB_RIGHT(tmp, field); \
+ else \
+ return (tmp); \
+ } \
+ RB_SET(elm, parent, field); \
+ if (parent != NULL) { \
+ if (comp < 0) \
+ RB_LEFT(parent, field) = elm; \
+ else \
+ RB_RIGHT(parent, field) = elm; \
+ RB_AUGMENT(parent); \
+ } else \
+ RB_ROOT(head) = elm; \
+ name##_RB_INSERT_COLOR(head, elm); \
+ return (NULL); \
+} \
+ \
+/* Finds the node with the same key as elm */ \
+attr struct type * \
+name##_RB_FIND(struct name *head, struct type *elm) \
+{ \
+ struct type *tmp = RB_ROOT(head); \
+ int comp; \
+ while (tmp) { \
+ comp = cmp(elm, tmp); \
+ if (comp < 0) \
+ tmp = RB_LEFT(tmp, field); \
+ else if (comp > 0) \
+ tmp = RB_RIGHT(tmp, field); \
+ else \
+ return (tmp); \
+ } \
+ return (NULL); \
+} \
+ \
+/* Finds the first node greater than or equal to the search key */ \
+attr struct type * \
+name##_RB_NFIND(struct name *head, struct type *elm) \
+{ \
+ struct type *tmp = RB_ROOT(head); \
+ struct type *res = NULL; \
+ int comp; \
+ while (tmp) { \
+ comp = cmp(elm, tmp); \
+ if (comp < 0) { \
+ res = tmp; \
+ tmp = RB_LEFT(tmp, field); \
+ } \
+ else if (comp > 0) \
+ tmp = RB_RIGHT(tmp, field); \
+ else \
+ return (tmp); \
+ } \
+ return (res); \
+} \
+ \
+/* ARGSUSED */ \
+attr struct type * \
+name##_RB_NEXT(struct type *elm) \
+{ \
+ if (RB_RIGHT(elm, field)) { \
+ elm = RB_RIGHT(elm, field); \
+ while (RB_LEFT(elm, field)) \
+ elm = RB_LEFT(elm, field); \
+ } else { \
+ if (RB_PARENT(elm, field) && \
+ (elm == RB_LEFT(RB_PARENT(elm, field), field))) \
+ elm = RB_PARENT(elm, field); \
+ else { \
+ while (RB_PARENT(elm, field) && \
+ (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\
+ elm = RB_PARENT(elm, field); \
+ elm = RB_PARENT(elm, field); \
+ } \
+ } \
+ return (elm); \
+} \
+ \
+/* ARGSUSED */ \
+attr struct type * \
+name##_RB_PREV(struct type *elm) \
+{ \
+ if (RB_LEFT(elm, field)) { \
+ elm = RB_LEFT(elm, field); \
+ while (RB_RIGHT(elm, field)) \
+ elm = RB_RIGHT(elm, field); \
+ } else { \
+ if (RB_PARENT(elm, field) && \
+ (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \
+ elm = RB_PARENT(elm, field); \
+ else { \
+ while (RB_PARENT(elm, field) && \
+ (elm == RB_LEFT(RB_PARENT(elm, field), field)))\
+ elm = RB_PARENT(elm, field); \
+ elm = RB_PARENT(elm, field); \
+ } \
+ } \
+ return (elm); \
+} \
+ \
+attr struct type * \
+name##_RB_MINMAX(struct name *head, int val) \
+{ \
+ struct type *tmp = RB_ROOT(head); \
+ struct type *parent = NULL; \
+ while (tmp) { \
+ parent = tmp; \
+ if (val < 0) \
+ tmp = RB_LEFT(tmp, field); \
+ else \
+ tmp = RB_RIGHT(tmp, field); \
+ } \
+ return (parent); \
+}
+
+#define RB_NEGINF -1
+#define RB_INF 1
+
+#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y)
+#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y)
+#define RB_FIND(name, x, y) name##_RB_FIND(x, y)
+#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y)
+#define RB_NEXT(name, x, y) name##_RB_NEXT(y)
+#define RB_PREV(name, x, y) name##_RB_PREV(y)
+#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF)
+#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF)
+
+#define RB_FOREACH(x, name, head) \
+ for ((x) = RB_MIN(name, head); \
+ (x) != NULL; \
+ (x) = name##_RB_NEXT(x))
+
+#define RB_FOREACH_REVERSE(x, name, head) \
+ for ((x) = RB_MAX(name, head); \
+ (x) != NULL; \
+ (x) = name##_RB_PREV(x))
+
+#endif /* _SYS_TREE_H_ */
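Review bot: The generated `name##_RB_INSERT` and `name##_RB_REMOVE` do not state their contract, and the one comment present (`/* Inserts a node into the RB tree */`) hides the collision case. On an equal key `name##_RB_INSERT` returns the existing node and leaves `elm` unlinked, while `name##_RB_REMOVE` and `name##_RB_REMOVE_COLOR` follow parent, child and sibling links without checking that `elm` is actually in `head`. A caller that ignores the insert result and later removes or frees that element would therefore be working on a node the tree never held. I would extend the insert comment to `/* Inserts elm; returns NULL on success, or the existing node with an equal key, in which case elm is NOT linked */` and add `/* elm must currently be linked in head; removing an unlinked node corrupts the tree */` above `name##_RB_REMOVE`, each with the trailing `\` the macro body needs. The same return convention applies to `name##_SPLAY_INSERT`.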
diff --git a/contrib/ipfilter/test/.cvsignore b/contrib/ipfilter/test/.cvsignore
deleted file mode 100644
index 5825abc..0000000
--- a/contrib/ipfilter/test/.cvsignore
+++ /dev/null
@@ -1,87 +0,0 @@
-results
-1
-2
-3
-4
-5
-6
-7
-8
-9
-10
-11
-12
-i1
-i2
-i3
-i4
-i5
-i6
-i7
-i8
-i9
-i10
-i11
-f1
-f2
-f3
-f4
-f5
-f6
-f7
-f8
-f9
-f10
-f11
-f12
-f13
-f14
-n1
-n2
-n3
-n4
-n5
-n6
-n7
-f15
-f16
-ipv6.1
-ipv6.2
-l1
-ni1
-ni2
-ni3
-ni4
-f17
-in1
-in2
-in3
-in4
-p1
-p2
-i12
-ip1
-p3
-i13
-ni5
-ni6
-i14
-in5
-ipv6.3
-n8
-n9
-n10
-n11
-ni7
-ni8
-ni9
-ni10
-ni11
-ni12
-n12
-in6
-i15
-ni13
-ni14
-ni15
-ni16
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index b0462f3..8918311 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -3,6 +3,9 @@
#
# See the IPFILTER.LICENCE file for details on licencing.
#
+POOLDEP=../ip_lookup.c ../ip_lookup.h ../ip_pool.c ../ip_pool.h \
+ ../ip_htable.c ../ip_htable.h ../ip_dstlist.c ../ip_dstlist.h \
+ ../tools/ippool_y.y
BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
@@ -14,86 +17,504 @@ expected.d:
results:
mkdir -p results
-tests: ipf nat logtests ipv6 pools bpf
+tests: ipf nat logtests ipv6 pools
-ipf: ftests ptests
+ipf: patests ftests
-nat: ntests nitests intests
+nat: intests ntests nitests
first:
-mkdir -p results
# Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f24 f25 f26 f27 f28 f29 f30
# Rule parsing tests
-ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
- i20 i21
+patests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
+ i20 i21 i22 i23
-ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
+ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n15 n16 n17 n18 n100 n101 n102 n103 n104 n105 n106 n200
+
+ntests6: n1_6 n2_6 n4_6 n5_6 n6_6 n7_6 n8_6 n9_6 n11_6 n12_6 n15_6
nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \
- ni16 ni19 ni20 ni21 ni23
+ ni16 ni17 ni18 ni19 ni20 ni21 ni23
-intests: in1 in2 in3 in4 in5 in6
+intests: in1 in2 in3 in4 in5 in6 in7 in8 in100 in101 in102
logtests: l1
-pools: p1 p2 p3 p5 ip1 ip2
+pools: p1 p2 p3 p4 p5 p6 p7 p9 p10 p11 p12 p13 ip1 ip2 ip3
-ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
+ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.4 ipv6.5 ipv6.6 ntests6
bpf: bpf1 bpf-f1
-f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19:
+f1: expected/f1 input/f1 regress/f1
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f2: expected/f2 input/f2 regress/f2
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f3: expected/f3 input/f3 regress/f3
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f4: expected/f4 input/f4 regress/f4
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f5: expected/f5 input/f5 regress/f5
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f6: expected/f6 input/f6 regress/f6
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f7: expected/f7 input/f7 regress/f7
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f8: expected/f8 input/f8 regress/f8
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f9: expected/f9 input/f9 regress/f9
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
-f15 f16 f17 f18 f20 f24:
+f10: expected/f10 input/f10 regress/f10
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f11: expected/f11 input/f11 regress/f11
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f12: expected/f12 input/f12 regress/f12
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f13: expected/f13 input/f13 regress/f13
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f14: expected/f14 input/f14 regress/f14
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f19: expected/f15 input/f15 regress/f15
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f15: expected/f15 input/f15 regress/f15
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f16: expected/f16 input/f16 regress/f16
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f17: expected/f17 input/f17 regress/f17
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f18: expected/f18 input/f18 regress/f18
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f20: expected/f20 input/f20 regress/f20
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f21: expected/f21 input/f21 regress/f21
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f22: expected/f22 input/f22 regress/f22
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f24: expected/f24 input/f24 regress/f24
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
-i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1:
+f25: expected/f25 input/f25 regress/f25
+ @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
+
+f26: expected/f26 input/f26 regress/f26
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f27: expected/f27 input/f27 regress/f27
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+f28: expected/f28 input/f28 regress/f28.ipf regress/f28.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+f29: expected/f29 input/f29 regress/f29.ipf regress/f29.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+f30: expected/f30 input/f30 regress/f30
+ @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
+
+i1: expected/i1 regress/i1
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
-n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16:
+i2: expected/i2 regress/i2
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i3: expected/i3 regress/i3
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i4: expected/i4 regress/i4
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i5: expected/i5 regress/i5
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i6: expected/i6 regress/i6
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i7: expected/i7 regress/i7
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i8: expected/i8 regress/i8
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i9: expected/i9 regress/i9
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i10: expected/i10 regress/i10
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i11: expected/i11 regress/i11
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i12: expected/i12 regress/i12
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i13: expected/i13 regress/i13
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i14: expected/i14 regress/i14
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i15: expected/i15 regress/i15
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i16: expected/i16 regress/i16
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i17: expected/i17 regress/i17
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i18: expected/i18 regress/i18
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i19: expected/i19 regress/i19
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i20: expected/i20 regress/i20
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i21: expected/i21 regress/i21
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i22: expected/i22 regress/i22
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+i23: expected/i23 regress/i23
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+bpf1: expected/bpf1 regress/bpf1
+ @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
+
+n1: expected/n1 regress/n1 input/n1
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n2: expected/n2 regress/n2 input/n2
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n3: expected/n3 regress/n3 input/n3
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n4: expected/n4 regress/n4 input/n4
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n5: expected/n5 regress/n5 input/n5
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n6: expected/n6 regress/n6 input/n6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n7: expected/n7 regress/n7 input/n7
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n8: expected/n8 regress/n8 input/n8
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n9: expected/n9 regress/n9 input/n9
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n10: expected/n10 regress/n10 input/n10
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n11: expected/n11 regress/n11 input/n11
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n12: expected/n12 regress/n12 input/n12
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n13: expected/n13 regress/n13 input/n13
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n14: expected/n14 regress/n14 input/n14
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n15: expected/n15 regress/n15 input/n15
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n16: expected/n16 regress/n16 input/n16
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n17: expected/n17 regress/n17 input/n17
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n18: expected/n18 regress/n18 input/n18
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
-ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20:
+n100: expected/n100 regress/n100 input/n100
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n101: expected/n101 regress/n101 input/n101
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n102: expected/n102 regress/n102 input/n102
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n103: expected/n103 regress/n103 input/n103
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n104: expected/n104 regress/n104 input/n104
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n105: expected/n105 regress/n105 input/n105
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n106: expected/n106 regress/n106 input/n106
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n200: expected/n200 regress/n200 input/n200
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n1_6: expected/n1_6 regress/n1_6 input/n1_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n2_6: expected/n2_6 regress/n2_6 input/n2_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n4_6: expected/n4_6 regress/n4_6 input/n4_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n5_6: expected/n5_6 regress/n5_6 input/n5_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n6_6: expected/n6_6 regress/n6_6 input/n6_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n7_6: expected/n7_6 regress/n7_6 input/n7_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n8_6: expected/n8_6 regress/n8_6 input/n8_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n9_6: expected/n9_6 regress/n9_6 input/n9_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n11_6: expected/n11_6 regress/n11_6 input/n11_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n12_6: expected/n12_6 regress/n12_6 input/n12_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+n15_6: expected/n15_6 regress/n15_6 input/n15_6
+ @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
+
+ni2: expected/ni2 input/ni2 regress/ni2.nat regress/ni2.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni3: expected/ni3 input/ni3 regress/ni3.nat regress/ni3.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni4: expected/ni4 input/ni4 regress/ni4.nat regress/ni4.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni5: expected/ni5 input/ni5 regress/ni5.nat regress/ni5.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni7: expected/ni7 input/ni7 regress/ni7.nat regress/ni7.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni8: expected/ni8 input/ni8 regress/ni8.nat regress/ni8.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni9: expected/ni9 input/ni9 regress/ni9.nat regress/ni9.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni10: expected/ni10 input/ni10 regress/ni10.nat regress/ni10.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni11: expected/ni11 input/ni11 regress/ni11.nat regress/ni11.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni12: expected/ni12 input/ni12 regress/ni12.nat regress/ni12.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni13: expected/ni13 input/ni13 regress/ni13.nat regress/ni13.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni14: expected/ni14 input/ni14 regress/ni14.nat regress/ni14.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni15: expected/ni15 input/ni15 regress/ni15.nat regress/ni15.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni16: expected/ni16 input/ni16 regress/ni16.nat regress/ni16.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni19: expected/ni19 input/ni19 regress/ni19.nat regress/ni19.ipf
+ @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
+
+ni20: expected/ni20 input/ni20 regress/ni20.nat regress/ni20.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
-ni1 ni6 ni21 ni23:
+ni1: expected/ni1 input/ni1 regress/ni1.nat regress/ni1.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
-in1 in2 in3 in4 in5 in6:
+ni6: expected/ni6 input/ni6 regress/ni6.nat regress/ni6.ipf
+ @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
+
+ni17: expected/ni17 input/ni17 regress/ni17.nat regress/ni17.ipf
+ @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
+
+ni18: expected/ni18 input/ni18 regress/ni18.nat regress/ni18.ipf
+ @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
+
+ni21: expected/ni21 input/ni21 regress/ni21.nat regress/ni21.ipf
+ @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
+
+ni23: expected/ni23 input/ni23 regress/ni23.nat regress/ni23.ipf
+ @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
+
+in1: expected/in1 regress/in1
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in2: expected/in2 regress/in2
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in3: expected/in3 regress/in3
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in4: expected/in4 regress/in4
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in5: expected/in5 regress/in5
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in6: expected/in6 regress/in6
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in7: expected/in7 regress/in7
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in8: expected/in8 regress/in8
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in100: expected/in100 regress/in100
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in101: expected/in101 regress/in101
+ @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
+
+in102: expected/in102 regress/in102
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
l1:
@/bin/sh ./logtest `awk "/^$@ / { print; } " test.format`
-ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6:
+ipv6.1: expected/ipv6.1 input/ipv6.1 regress/ipv6.1
+ @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
+
+ipv6.2: expected/ipv6.2 input/ipv6.2 regress/ipv6.2
+ @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
+
+ipv6.3: expected/ipv6.3 input/ipv6.3 regress/ipv6.3
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
-p1 p2 p3 p5:
+ipv6.4: expected/ipv6.4 input/ipv6.4 regress/ipv6.4
+ @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
+
+ipv6.5: expected/ipv6.5 input/ipv6.5 regress/ipv6.5
+ @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
+
+ipv6.6: expected/ipv6.6 input/ipv6.6 regress/ipv6.6
+ @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
+
+p1: expected/p1 input/p1 regress/p1.ipf regress/p1.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p2: expected/p2 input/p2 regress/p2.ipf $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
-ip1 ip2:
+p3: expected/p3 input/p3 regress/p3.ipf regress/p3.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p4: expected/p4 input/p4 regress/p4.nat regress/p4.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p5: expected/p5 input/p5 regress/p5.ipf regress/p5.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p6: expected/p6 input/p6 regress/p6.ipf regress/p6.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p7: expected/p7 input/p7 regress/p7.nat regress/p7.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p9: expected/p9 input/p9 regress/p9.nat regress/p9.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p10: expected/p10 input/p10 regress/p10.nat regress/p10.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p11: expected/p11 input/p11 regress/p11.nat regress/p11.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p12: expected/p12 input/p12 regress/p12.nat regress/p12.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+p13: expected/p13 input/p13 regress/p13.ipf regress/p13.pool $(POOLDEP)
+ @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
+
+ip1: expected/ip1 regress/ip1 $(POOLDEP)
+ @/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
+
+ip2: expected/ip2 input/ip2.data regress/ip2 $(POOLDEP)
+ @/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
+
+ip3: expected/ip3 regress/ip3 $(POOLDEP)
@/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
-bpf-f1:
+bpf-f1: expected/bpf-f1 regress/bpf-f1
/bin/sh ./bpftest `awk "/^$@ / { print; } " test.format`
clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
- /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21
- /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
+ /bin/rm -f f18 f19 f20 f21 f22 f24 f25 f26 f27 f28 f29
+ /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17
+ /bin/rm -f i18 i19 i20 i21 i22 i23
+ /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n15 n16 n17 n18 n100 n101 n102 n103 n104 n105 n106 n200
+ /bin/rm -f n1_6 n2_6 n4_6 n5_6 n6_6 n7_6 n8_6 n9_6 n11_6 n12_6 n15_6
/bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9
- /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 ni23
- /bin/rm -f in1 in2 in3 in4 in5 in6
- /bin/rm -f p1 p2 p3 p5 ip1 ip2
+ /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni17 ni18 ni19 ni20 ni21 ni23
+ /bin/rm -f in1 in2 in3 in4 in5 in6 in7 in100 in101 in102
+ /bin/rm -f p1 p2 p3 p4 p5 p6 p7 p9 p10 p11 p12 p13 ip1 ip2 ip3
/bin/rm -f l1
- /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
+ /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.4 ipv6.5 ipv6.6
/bin/rm -f bpf1 bpf-f1
/bin/rm -f results/* logout
(cd expected; make clean)
diffs:
-cd expected; for i in *; do if [ -f $$i -a ! -f ../$$i -a -f ../results/$$i ] ; then diff -c $$i ../results/$$i >> ../diff.out; fi done
+
+n6s:
+ for i in 1 2 4 5 6 7 11 13 14 15; do \
+ sh i4to6 < input/n$${i} > input/n$${i}_6; \
+ sh e4to6 < regress/n$${i} > regress/n$${i}_6; \
+ sh e4to6 < expected/n$${i} > expected/n$${i}_6; \
+ done
+ for i in 8 9 10 12 17; do \
+ sh e4to6 < regress/n$${i} > regress/n$${i}_6; \
+ perl h4to6 < input/n$${i} > input/n$${i}_6; \
+ done
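Review bot: The new `f19` rule lists `expected/f15 input/f15 regress/f15` as its prerequisites, which looks like a copy-paste slip from the `f15` rule just below it; the test would then be re-run when the f15 files change and not when its own do, so the line should presumably read `f19: expected/f19 input/f19 regress/f19`. The `clean` target also lags behind the lists extended in the same hunk: `f30` was added to `ftests` and `in8` to `intests`, but neither name appears in the `/bin/rm -f` lines. If the test scripts still leave a marker file named after the test on success (the old scripts touched one; the new `check_results` is not shown here), a stale `f30` or `in8` would survive `make clean`. Appending `f30` to the `f18 ... f29` line and `in8` to the `in1 ... in102` line closes that gap.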
diff --git a/contrib/ipfilter/test/bpftest b/contrib/ipfilter/test/bpftest
index b24c0f1..5449658f 100644
--- a/contrib/ipfilter/test/bpftest
+++ b/contrib/ipfilter/test/bpftest
@@ -1,28 +1,19 @@
#!/bin/sh
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-input=`expr $1 : 'bpf-\(.*\)'`
-/bin/cp /dev/null results/$1
+name=$1
+
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
+input=`expr $name : 'bpf-\(.*\)'`
+/bin/cp /dev/null results/$name
( while read rule; do
- echo "$rule" | ../ipftest -Rbr - -i input/$input >> results/$1;
+ echo "$rule" | ../ipftest -Rbr - -i input/$input >> results/$name
if [ $? -ne 0 ] ; then
exit 1;
fi
- echo "--------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
+ echo "--------" >> results/$name
+done ) < regress/$name
+check_results $name
exit $status
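Review bot: `exit $status` on the last line now reads a variable this script never assigns, because the `status=$?` that followed `cmp` was removed; the exit code is whatever `check_results` in ipflib.sh leaves in `status`, and that file is not part of this hunk. If `check_results` returns the comparison result, `check_results "$name"; exit $?` keeps the exit code local and visible; otherwise a comment such as `# check_results (ipflib.sh) sets $status` above the `exit` would document the dependency. The same pattern closes the second dotest hunk. Quoting `"$name"` in the `results/` and `regress/` paths would also keep a malformed test.format entry from being word-split.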
diff --git a/contrib/ipfilter/test/dotest b/contrib/ipfilter/test/dotest
index 2989109..71c09b7 100644
--- a/contrib/ipfilter/test/dotest
+++ b/contrib/ipfilter/test/dotest
@@ -1,19 +1,13 @@
#!/bin/sh
-thistest=$1
+name=$1
format=$2
output=$3
tuning=$4
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
+
+. ./ipflib.sh
+
+test_init
+
if [ "$tuning" != "" ] ; then
case $tuning in
-*)
@@ -23,18 +17,17 @@ if [ "$tuning" != "" ] ; then
;;
esac
fi
-echo "${thistest}...";
-/bin/cp /dev/null results/${thistest}
+echo "${name}...";
+n=1
+/bin/cp /dev/null results/${name}
( while read rule; do
- echo "$rule" | ../ipftest -F $format -Rbr - -i input/${thistest} $tuning>> results/${thistest};
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "--------" >> results/${thistest}
-done ) < regress/${thistest}
-cmp expected/${thistest} results/${thistest}
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH ${thistest}
-fi
+ set_core $name $n
+ echo "$rule" | ../ipftest -F $format -Rbr - -i input/${name} $tuning>> results/${name} &
+ back=$!
+ wait $back
+ test_end_leak $?
+ n=`expr $n + 1`
+ echo "--------" >> results/${name}
+done ) < regress/${name}
+check_results $name
exit $status
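Review bot: The per-rule failure check is gone from the loop: the removed `if [ $? -ne 0 ] ; then exit 1; fi` is replaced by `test_end_leak $?`, so whether a non-zero ipftest status still stops the run depends on a helper in ipflib.sh that this hunk does not show. The `&` / `back=$!` / `wait $back` sequence also waits on the job immediately, so as written it behaves like a foreground call. A one-line comment above it stating why the job is backgrounded and what `test_end_leak` does with the status would make the intent checkable, for example `# background + wait so the exit status (including a crash) reaches test_end_leak`, if that is indeed the reason. If there is no such reason, the plain foreground pipeline followed by `test_end_leak $?` is simpler.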
diff --git a/contrib/ipfilter/test/e4to6 b/contrib/ipfilter/test/e4to6
new file mode 100644
index 0000000..8755899
--- /dev/null
+++ b/contrib/ipfilter/test/e4to6
@@ -0,0 +1,61 @@
+sed \
+-e 's/192.168.126.0/c0a8:7e00::/' \
+-e 's/\/32/\/128/g' \
+-e 's/\/24/\/112/g' \
+-e 's/\/16/\/32/g' \
+-e 's/10\.2\.0\.0/10::2:0:0/g' \
+-e 's/1\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/1:0:0:0:0:\1:\2:\3/g' \
+-e 's/2\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/2:0:0:0:0:\1:\2:\3/g' \
+-e 's/4\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/4:\1:\2:0:0:0:0:\3/g' \
+-e 's/3\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/3:0:\1:0:0:0:\2:\3/g' \
+-e 's/5\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/5:\1:0:0:0:0:\2:\3/g' \
+-e 's/9\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/9:\1:\2:0:0:0:0:\3/g' \
+-e 's/10\.1\.\([0-9]\)\.\([0-9]\)/10:1:\1:0:0:0:0:\2/g' \
+-e 's/10\.10\.\([0-9]*\)\.\([0-9]\)/10:10:\1:0:0:0:0:\2/g' \
+-e 's/10\.2\.\([0-9]\)\.\([0-9]\)/10:0:0:0:0:2:\1:\2/g' \
+-e 's/10\.4\.3\.\([0-9]\)/10:4:3:0:0:0:0:\1/g' \
+-e 's/10\.3\.4\.\([0-9]\)/10:0:0:0:0:3:4:\1/g' \
+-e 's/10\.3\.\([0-9]\)\.\([0-9]\)/10:3:\1:0:0:0:0:\2/g' \
+-e 's/0\.0\.0\.0/any/g' \
+-e 's/ 0\/0 / any /g' \
+-e 's/ip #0/ip6\/0/' \
+-e 's/40(20) 6 /20 0 6 /' \
+-e 's/28(20) 17 /8 0 17 /' \
+-e 's/20(20) 0 /1 0 41 /' \
+-e 's/48(20) 1 /88 0 58 /g' \
+-e 's/20(20) 34 /1 0 34 /g' \
+-e 's/20(20) 35 /1 0 35 /g' \
+-e 's/20(20) 255 /1 0 255 /g' \
+-e 's/ */ /g' | sed \
+-e '/use/s/:0:0:0:0:/::/g' \
+-e '/map/s/:0:0:0:0:/::/g' \
+-e '/rdr/s/:0:0:0:0:/::/g' \
+-e '/map/s/:0:0:0:/::/g' \
+-e '/rdr/s/:0:0:0:/::/g' \
+-e '/MAP/s/:0:0:0:0:0:/::/g' \
+-e '/RDR/s/:0:0:0:0:0:/::/g' \
+-e '/MAP/s/:0:0:0:0:/::/g' \
+-e '/RDR/s/:0:0:0:0:/::/g' \
+-e '/MAP/s/:0:0:0:/::/g' \
+-e '/RDR/s/:0:0:0:/::/g' \
+| sed \
+-e '/MAP/s/ \([0-9][0-9][0-9][0-9]\) / \1 /g' \
+-e '/MAP/s/ \([0-9][0-9][0-9]\) / \1 /g' \
+-e '/MAP/s/ \([0-9][0-9]\) / \1 /g' \
+-e '/RDR/s/ \([0-9][0-9][0-9][0-9]\) / \1 /g' \
+-e '/RDR/s/ \([0-9][0-9][0-9]\) / \1 /g' \
+-e '/RDR/s/ \([0-9][0-9]\) / \1 /g' \
+-e 's/::0:0\//::\//g' \
+-e 's/:0:0\//::\//g' \
+-e 's/::0\([^:0-9]\)/::\1/g' \
+-e 's/::0,/::,/g' \
+-e 's/::0:0 \([^>]\)/:: \1/g' \
+-e 's/:0:0 \([^>]\)/:: \1/g' \
+-e 's/::0 \([^>]\)/:: \1/g' \
+| sed \
+-e 's@::\([0-9]*\)::/16@::/16@g' \
+-e 's@::\([0-9]*\)::/32@::/32@g' \
+-e 's@::\([0-9]*\)::@::\1:0:0@g' \
+-e 's@::\([0-9]*\)::@::\1:0:0@g' \
+-e 's@::[:0-9]*\([^0-9:]\)/16@::/16@g' \
+-e 's@::[:0-9]*\([^0-9:]\)/32@::/32@g'
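Review bot: The first expression, `'s/192.168.126.0/c0a8:7e00::/'`, leaves its dots unescaped and has no `g` flag, unlike the address rules after it, so each `.` matches any character and only the first occurrence on a line is rewritten; `-e 's/192\.168\.126\.0/c0a8:7e00::/g'` would be consistent with the rest, assuming every occurrence is meant to be converted. The file also has no header comment, and the rules depend heavily on their order (`/32` is rewritten to `/128` before `/16` becomes `/32`, and one `::` repair expression near the end is applied twice). A short comment at the top saying that this converts IPv4 regress/expected files to their `_6` counterparts for the `n6s` target, and that the expression order is significant, would help whoever has to extend it.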
diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11
index c1eb060..d7ab889 100644
--- a/contrib/ipfilter/test/expected/f11
+++ b/contrib/ipfilter/test/expected/f11
@@ -24,6 +24,15 @@ List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+1 pass in proto tcp from any to any port = 23 flags S/SA keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
block
nomatch
@@ -51,6 +60,15 @@ List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+1 block in proto tcp from any to any port = 23 flags S/SA keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
nomatch
nomatch
@@ -78,6 +96,15 @@ List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+2 pass in proto udp from any to any port = 53 keep frags
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
nomatch
nomatch
@@ -105,6 +132,15 @@ List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+2 block in proto udp from any to any port = 53 keep frags
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
nomatch
nomatch
@@ -128,30 +164,31 @@ List of active sessions:
Hostmap table:
List of active state sessions:
-2.2.2.2 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
- tag 0 ttl 240 2 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0 0 0
+4:udp src:2.2.2.2,2 dst:4.4.4.4,53 240
+ FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[e1],X[] out X[],X[]
Sync status: not synchronized
-1.1.1.1 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
- tag 0 ttl 24 1 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0 0
+4:udp src:1.1.1.1,1 dst:4.4.4.4,53 24
+ FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ REV: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[e1],X[e0] out X[],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+2 pass in proto udp from any to any port = 53 keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
nomatch
nomatch
@@ -175,30 +212,31 @@ List of active sessions:
Hostmap table:
List of active state sessions:
-2.2.2.2 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
- tag 0 ttl 240 2 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
- block in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0 0 0
+4:udp src:2.2.2.2,2 dst:4.4.4.4,53 240
+ FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008401 = block in keep state
interfaces: in X[e1],X[] out X[],X[]
Sync status: not synchronized
-1.1.1.1 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
- tag 0 ttl 24 1 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- block in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0 0
+4:udp src:1.1.1.1,1 dst:4.4.4.4,53 24
+ FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ REV: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008401 = block in keep state
interfaces: in X[e1],X[e0] out X[],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+2 block in proto udp from any to any port = 53 keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
nomatch
nomatch
@@ -222,22 +260,24 @@ List of active sessions:
Hostmap table:
List of active state sessions:
-1.1.1.1 -> 2.1.2.2 pass 0x40008402 pr 6 state 3/4
- tag 0 ttl 864000
- 1 -> 25 2:66 4096<<0:16384<<0
- cmsk 0000 smsk 0000 s0 00000000/00000000
- FWD:ISN inc 0 sumd 0
- REV:ISN inc 0 sumd 0
- forward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
- backward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0 0
+4:tcp src:1.1.1.1,1 dst:2.1.2.2,25 state:3/4 864000
+ 2:66 4096<<0:16384<<0
+ FWD: IN pkts 1 bytes 40 OUT pkts 0 bytes 0
+ REV: IN pkts 1 bytes 40 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[e0],X[e1] out X[],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+1 pass in on e0 proto tcp from any to any port = 25 keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
--------
diff --git a/contrib/ipfilter/test/expected/f13 b/contrib/ipfilter/test/expected/f13
index 99c0565..ac7947b 100644
--- a/contrib/ipfilter/test/expected/f13
+++ b/contrib/ipfilter/test/expected/f13
@@ -154,7 +154,27 @@ nomatch
nomatch
nomatch
pass
+block
+block
+pass
+--------
+block
+bad-packet
+nomatch
+pass
+bad-packet
+nomatch
+nomatch
+bad-packet
+nomatch
+bad-packet
+nomatch
nomatch
nomatch
+nomatch
+nomatch
+pass
+pass
+pass
pass
--------
diff --git a/contrib/ipfilter/test/expected/f18 b/contrib/ipfilter/test/expected/f18
index 801abd3..1af5de5 100644
--- a/contrib/ipfilter/test/expected/f18
+++ b/contrib/ipfilter/test/expected/f18
@@ -2,4 +2,26 @@ pass
pass
pass
pass
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+2 pass in inet from 1.1.1.1/32 to any
+Rules configured (set 0, out)
+2 pass out inet from 2.2.2.2/32 to any
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+1 count in inet from 1.1.1.1/32 to 3.3.3.3/32
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+1 count out inet from 2.2.2.2/32 to 4.4.4.4/32
+Accounting rules configured (set 1, out)
--------
diff --git a/contrib/ipfilter/test/expected/f21 b/contrib/ipfilter/test/expected/f21
new file mode 100644
index 0000000..525daca
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f21
@@ -0,0 +1,5 @@
+pass
+pass
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f22 b/contrib/ipfilter/test/expected/f22
new file mode 100644
index 0000000..525daca
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f22
@@ -0,0 +1,5 @@
+pass
+pass
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f25 b/contrib/ipfilter/test/expected/f25
new file mode 100644
index 0000000..a87b084
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f25
@@ -0,0 +1,35 @@
+pass
+pass
+pass
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+4:udp src:192.168.1.235,8008 dst:239.255.255.250,1900 240
+ FWD: IN pkts 1 bytes 129 OUT pkts 0 bytes 0
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
+ interfaces: in X[hme0],X[] out X[],X[]
+ Sync status: not synchronized
+4:udp src:192.168.1.235,8008 dst:192.168.1.254,1900 24
+ FWD: IN pkts 1 bytes 129 OUT pkts 0 bytes 0
+ REV: IN pkts 0 bytes 0 OUT pkts 1 bytes 264
+ tag 0 pass 0x2008402 = pass in keep state
+ interfaces: in X[hme0],X[] out X[],X[hme0]
+ Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+2 pass in on hme0 proto udp from any to any with mcast keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+--------
diff --git a/contrib/ipfilter/test/expected/f26 b/contrib/ipfilter/test/expected/f26
new file mode 100644
index 0000000..9e4d62b
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f26
@@ -0,0 +1,84 @@
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/f27 b/contrib/ipfilter/test/expected/f27
new file mode 100644
index 0000000..c62f588
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f27
@@ -0,0 +1,90 @@
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+pass
+pass
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f28 b/contrib/ipfilter/test/expected/f28
new file mode 100644
index 0000000..e5867e6
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f28
@@ -0,0 +1,32 @@
+block
+block
+block
+> nic0 ip #0 20(20) 0 4.4.3.1 > 4.2.3.2
+pass
+> nic1 ip #0 20(20) 0 4.4.1.1 > 4.2.1.2
+pass
+> nic2 ip #0 20(20) 0 4.4.2.1 > 4.2.2.2
+pass
+> nic3 ip #0 20(20) 0 4.4.3.1 > 4.2.3.2
+pass
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+7 block in all
+4 pass in on nic0 to dstlist/spread inet from 4.4.0.0/16 to any
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/f29 b/contrib/ipfilter/test/expected/f29
new file mode 100644
index 0000000..a650c1b
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f29
@@ -0,0 +1,64 @@
+block
+block
+block
+> nic0 ip #0 28(20) 17 4.4.3.1,1000 > 4.2.3.2,2000
+pass
+> nic0 ip #0 28(20) 17 4.4.3.1,1000 > 4.2.3.2,2000
+pass
+> nic1 ip #0 28(20) 17 4.4.1.1,1001 > 4.2.1.2,2001
+pass
+> nic1 ip #0 28(20) 17 4.4.1.1,1001 > 4.2.1.2,2001
+pass
+> nic2 ip #0 28(20) 17 4.4.2.1,1002 > 4.2.2.2,2002
+pass
+> nic2 ip #0 28(20) 17 4.4.2.1,1002 > 4.2.2.2,2002
+pass
+> nic3 ip #0 28(20) 17 4.4.3.1,1003 > 4.2.3.2,2003
+pass
+> nic3 ip #0 28(20) 17 4.4.3.1,1003 > 4.2.3.2,2003
+pass
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+4:udp src:4.4.3.1,1003 dst:4.2.3.2,2003 240
+ FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
+ interfaces: in X[nic0],X[] out X[nic3],X[]
+ Sync status: not synchronized
+4:udp src:4.4.2.1,1002 dst:4.2.2.2,2002 240
+ FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
+ interfaces: in X[nic0],X[] out X[nic2],X[]
+ Sync status: not synchronized
+4:udp src:4.4.1.1,1001 dst:4.2.1.2,2001 240
+ FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
+ interfaces: in X[nic0],X[] out X[nic1],X[]
+ Sync status: not synchronized
+4:udp src:4.4.3.1,1000 dst:4.2.3.2,2000 240
+ FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x2008402 = pass in keep state
+ interfaces: in X[nic0],X[] out X[nic0],X[]
+ Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+7 block in all
+4 pass in on nic0 to dstlist/spread inet from 4.4.0.0/16 to any keep state
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/f30 b/contrib/ipfilter/test/expected/f30
new file mode 100644
index 0000000..30b9d40
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f30
@@ -0,0 +1,68 @@
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/i1 b/contrib/ipfilter/test/expected/i1
index 74d0f30..19ae393 100644
--- a/contrib/ipfilter/test/expected/i1
+++ b/contrib/ipfilter/test/expected/i1
@@ -5,8 +5,8 @@ log body in all
count in from any to any
pass in from !any to any pps 10
block in from any to !any
-pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
-pass in on ed0(!),vx0(!) from 127.0.0.1/32 to 127.0.0.1/32
+pass in on ed0(!) inet from 127.0.0.1/32 to 127.0.0.1/32
+pass in on ed0(!),vx0(!) inet from 127.0.0.1/32 to 127.0.0.1/32
block in log first on lo0(!) from any to any
pass in log body or-block quick from any to any
block return-rst in quick on le0(!) proto tcp from any to any
@@ -14,4 +14,4 @@ block return-icmp in on qe0(!) from any to any
block return-icmp(host-unr) in on qe0(!) from any to any
block return-icmp-as-dest in on le0(!) from any to any
block return-icmp-as-dest(port-unr) in on qe0(!) from any to any
-pass out on longNICname0(!) from 254.220.186.152/32 to 254.220.186.152/32
+pass out on longNICname0(!) inet from 254.220.186.152/32 to 254.220.186.152/32
diff --git a/contrib/ipfilter/test/expected/i10 b/contrib/ipfilter/test/expected/i10
index 9e0a5d5..24137c1 100644
--- a/contrib/ipfilter/test/expected/i10
+++ b/contrib/ipfilter/test/expected/i10
@@ -1,5 +1,5 @@
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt sec
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt lsrr not opt sec
-block in from any to any with not opt sec-class topsecret
-block in from any to any with not opt sec-class topsecret,secret
-pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass
+pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with opt sec
+pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with opt lsrr not opt sec
+block in inet from any to any with not opt sec-class topsecret
+block in inet from any to any with not opt sec-class topsecret,secret
+pass in inet from any to any with opt sec-class topsecret,confid not opt sec-class unclass
diff --git a/contrib/ipfilter/test/expected/i11 b/contrib/ipfilter/test/expected/i11
index 154f31e..d1d2cf6 100644
--- a/contrib/ipfilter/test/expected/i11
+++ b/contrib/ipfilter/test/expected/i11
@@ -1,11 +1,12 @@
-pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state # count 0
+pass in on ed0(!) inet proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state # count 0
block in log first on lo0(!) proto tcp/udp from any to any port = 7 keep state # count 0
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 20499 keep frags
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags (strict)
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags # count 0
+pass in inet proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 20499 keep frags
+pass in inet proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags (strict)
+pass in inet proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags # count 0
pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state # count 0
pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state # count 0
pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state # count 0
-pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state # count 0
+pass in inet proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state # count 0
pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600) # count 0
+pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,loose,newisn,no-icmp-err,age 600/600) # count 0
pass in proto udp from any to any keep state (sync,age 10/20) # count 0
diff --git a/contrib/ipfilter/test/expected/i12 b/contrib/ipfilter/test/expected/i12
index dadf597..6747d93 100644
--- a/contrib/ipfilter/test/expected/i12
+++ b/contrib/ipfilter/test/expected/i12
@@ -1,39 +1,39 @@
-pass in from 1.1.1.1/32 to 2.2.2.2/32
-pass in from 2.2.2.0/24 to 4.4.4.4/32
-pass in from 3.3.3.3/32 to 4.4.4.4/32
-pass in from 2.2.2.0/24 to 5.5.5.5/32
-pass in from 3.3.3.3/32 to 5.5.5.5/32
-pass in from 2.2.2.0/24 to 6.6.6.6/32
-pass in from 3.3.3.3/32 to 6.6.6.6/32
-pass in from 2.2.2.0/24 to 5.5.5.5/32 port = 22
-pass in from 3.3.3.3/32 to 5.5.5.5/32 port = 22
-pass in from 2.2.2.0/24 to 6.6.6.6/32 port = 22
-pass in from 3.3.3.3/32 to 6.6.6.6/32 port = 22
-pass in from 2.2.2.0/24 to 5.5.5.5/32 port = 25
-pass in from 3.3.3.3/32 to 5.5.5.5/32 port = 25
-pass in from 2.2.2.0/24 to 6.6.6.6/32 port = 25
-pass in from 3.3.3.3/32 to 6.6.6.6/32 port = 25
-pass in proto tcp from 2.2.2.0/24 port = 53 to 5.5.5.5/32
-pass in proto tcp from 3.3.3.3/32 port = 53 to 5.5.5.5/32
-pass in proto tcp from 2.2.2.0/24 port = 9 to 5.5.5.5/32
-pass in proto tcp from 3.3.3.3/32 port = 9 to 5.5.5.5/32
-pass in proto tcp from 2.2.2.0/24 port = 53 to 6.6.6.6/32
-pass in proto tcp from 3.3.3.3/32 port = 53 to 6.6.6.6/32
-pass in proto tcp from 2.2.2.0/24 port = 9 to 6.6.6.6/32
-pass in proto tcp from 3.3.3.3/32 port = 9 to 6.6.6.6/32
-pass in proto udp from 2.2.2.0/24 to 5.5.5.5/32 port = 53
-pass in proto udp from 3.3.3.3/32 to 5.5.5.5/32 port = 53
-pass in proto udp from 2.2.2.0/24 to 6.6.6.6/32 port = 53
-pass in proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 53
-pass in proto udp from 2.2.2.0/24 to 5.5.5.5/32 port = 9
-pass in proto udp from 3.3.3.3/32 to 5.5.5.5/32 port = 9
-pass in proto udp from 2.2.2.0/24 to 6.6.6.6/32 port = 9
-pass in proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 9
-pass in from 10.10.10.10/32 to 11.11.11.11/32
-pass in from pool/101(!) to hash/202(!)
-pass in from hash/303(!) to pool/404(!)
-table role = ipf type = tree name =
- { ! 1.1.1.1/32; 2.2.2.2/32; ! 2.2.0.0/16; };
-table role = ipf type = tree name =
+pass in inet from 1.1.1.1/32 to 2.2.2.2/32
+pass in inet from 2.2.2.0/24 to 4.4.4.4/32
+pass in inet from 3.3.3.3/32 to 4.4.4.4/32
+pass in inet from 2.2.2.0/24 to 5.5.5.5/32
+pass in inet from 3.3.3.3/32 to 5.5.5.5/32
+pass in inet from 2.2.2.0/24 to 6.6.6.6/32
+pass in inet from 3.3.3.3/32 to 6.6.6.6/32
+pass in inet from 2.2.2.0/24 to 5.5.5.5/32 port = 22
+pass in inet from 3.3.3.3/32 to 5.5.5.5/32 port = 22
+pass in inet from 2.2.2.0/24 to 6.6.6.6/32 port = 22
+pass in inet from 3.3.3.3/32 to 6.6.6.6/32 port = 22
+pass in inet from 2.2.2.0/24 to 5.5.5.5/32 port = 25
+pass in inet from 3.3.3.3/32 to 5.5.5.5/32 port = 25
+pass in inet from 2.2.2.0/24 to 6.6.6.6/32 port = 25
+pass in inet from 3.3.3.3/32 to 6.6.6.6/32 port = 25
+pass in inet proto tcp from 2.2.2.0/24 port = 53 to 5.5.5.5/32
+pass in inet proto tcp from 3.3.3.3/32 port = 53 to 5.5.5.5/32
+pass in inet proto tcp from 2.2.2.0/24 port = 9 to 5.5.5.5/32
+pass in inet proto tcp from 3.3.3.3/32 port = 9 to 5.5.5.5/32
+pass in inet proto tcp from 2.2.2.0/24 port = 53 to 6.6.6.6/32
+pass in inet proto tcp from 3.3.3.3/32 port = 53 to 6.6.6.6/32
+pass in inet proto tcp from 2.2.2.0/24 port = 9 to 6.6.6.6/32
+pass in inet proto tcp from 3.3.3.3/32 port = 9 to 6.6.6.6/32
+pass in inet proto udp from 2.2.2.0/24 to 5.5.5.5/32 port = 53
+pass in inet proto udp from 3.3.3.3/32 to 5.5.5.5/32 port = 53
+pass in inet proto udp from 2.2.2.0/24 to 6.6.6.6/32 port = 53
+pass in inet proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 53
+pass in inet proto udp from 2.2.2.0/24 to 5.5.5.5/32 port = 9
+pass in inet proto udp from 3.3.3.3/32 to 5.5.5.5/32 port = 9
+pass in inet proto udp from 2.2.2.0/24 to 6.6.6.6/32 port = 9
+pass in inet proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 9
+pass in inet from 10.10.10.10/32 to 11.11.11.11/32
+pass in from pool/101 to hash/202
+pass in from hash/303 to pool/404
+table role=ipf type=tree number=
+ { ! 2.2.0.0/16; 2.2.2.2/32; ! 1.1.1.1/32; };
+table role=ipf type=tree number=
{ 1.1.0.0/16; };
-pass in from pool/0(!) to pool/0(!)
+pass in from pool/0 to pool/0
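Review bot: The new expected line `table role=ipf type=tree number=` still records an empty identifier for both tables, while the rules above it refer to `pool/101`, `pool/404` and `pool/0`. With the number blank in the golden output, this test cannot catch a table being printed under the wrong pool number. Whether the blank comes from the printing path or from the test input is not visible in this hunk. If it is a known limitation, a one-line comment in the test's input file saying so would stop a later import from treating it as verified output; otherwise the expected line should carry the number.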
diff --git a/contrib/ipfilter/test/expected/i14 b/contrib/ipfilter/test/expected/i14
index 08ba19a..bccdcac 100644
--- a/contrib/ipfilter/test/expected/i14
+++ b/contrib/ipfilter/test/expected/i14
@@ -3,8 +3,10 @@ pass in on eri0(!) proto icmp from any to any group 1
pass out on ed0(!) all head 1000000
block out on ed0(!) proto udp from any to any group 1000000
block in on vm0(!) proto tcp/udp from any to any head 101
-pass in proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group 101
-pass in proto tcp from 1.0.0.1/32 to 2.0.0.2/32 group 101
-pass in proto udp from 2.0.0.2/32 to 3.0.0.3/32 group 101
+pass in inet proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group 101
+pass in inet proto tcp from 1.0.0.1/32 to 2.0.0.2/32 group 101
+pass in inet proto udp from 2.0.0.2/32 to 3.0.0.3/32 group 101
block in on vm0(!) proto tcp/udp from any to any head vm0-group
-pass in proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group vm0-group
+pass in inet proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group vm0-group
+block in on vm0(!) proto tcp/udp from any to any head vm0-group
+pass in inet proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group vm0-group
diff --git a/contrib/ipfilter/test/expected/i17 b/contrib/ipfilter/test/expected/i17
index bcc4d2d..9e71cb1 100644
--- a/contrib/ipfilter/test/expected/i17
+++ b/contrib/ipfilter/test/expected/i17
@@ -8,3 +8,22 @@ List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+0 pass in inet from 1.1.1.1/32 to any
+0 pass in all
+0 pass in inet from 3.3.3.3/32 to any
+0 pass in inet from any to 127.0.0.1/32
+0 pass in inet from 127.0.0.1/32 to any
+0 100 pass in inet from 127.0.0.1/32 to any
+0 100 pass in all
+0 110 pass in proto udp from any to any
+0 110 pass in inet from 2.2.2.2/32 to any
+0 110 pass in inet from 127.0.0.1/32 to any
+0 200 pass in proto tcp from any to any
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
diff --git a/contrib/ipfilter/test/expected/i18 b/contrib/ipfilter/test/expected/i18
index 88fca47..2c7e493 100644
--- a/contrib/ipfilter/test/expected/i18
+++ b/contrib/ipfilter/test/expected/i18
@@ -1,7 +1,7 @@
pass in tos 0x50 from any to any
pass in tos 0x80 from any to any
-pass in tos 0x80 from any to any
-pass in tos 0x50 from any to any
+pass out tos 0x80 from any to any
+pass out tos 0x50 from any to any
block in ttl 0 from any to any
block in ttl 1 from any to any
block in ttl 2 from any to any
diff --git a/contrib/ipfilter/test/expected/i2 b/contrib/ipfilter/test/expected/i2
index 5ff18f4..17b9d07 100644
--- a/contrib/ipfilter/test/expected/i2
+++ b/contrib/ipfilter/test/expected/i2
@@ -1,8 +1,9 @@
log in proto tcp from any to any
pass in proto tcp from any to any
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32
+pass in inet proto udp from 127.0.0.1/32 to 127.0.0.1/32
block in proto ipv6 from any to any
block in proto udp from any to any
block in proto 250 from any to any
pass in proto tcp/udp from any to any
block in proto tcp/udp from any to any
+block in proto tcp/udp from any to any
diff --git a/contrib/ipfilter/test/expected/i20 b/contrib/ipfilter/test/expected/i20
index 77eabdb..25e35cd 100644
--- a/contrib/ipfilter/test/expected/i20
+++ b/contrib/ipfilter/test/expected/i20
@@ -1,4 +1,4 @@
-pass in on ppp0(!) from ppp0/peer to ppp0/32
-block in on hme0(!) from any to hme0/bcast
-pass in on bge0(!) from bge0/net to bge0/32
-block in on eri0(!) from any to eri0/netmasked
+pass in on ppp0(!) inet from ppp0/peer to ppp0/32
+block in on hme0(!) inet from any to hme0/bcast
+pass in on bge0(!) inet from bge0/net to bge0/32
+block in on eri0(!) inet from any to eri0/netmasked
diff --git a/contrib/ipfilter/test/expected/i22 b/contrib/ipfilter/test/expected/i22
new file mode 100644
index 0000000..6e5a07d
--- /dev/null
+++ b/contrib/ipfilter/test/expected/i22
@@ -0,0 +1,5 @@
+pass in exp { "ip.src != 1.1.1.0/24; tcp.dport = 80;" }
+pass in exp { "ip.addr = 1.2.3.4/32,5.6.7.8/32;" }
+block out exp { "ip.dst = 127.0.0.0/8;" }
+block in exp { "udp.sport = 53; udp.dport = 53;" }
+pass out exp { "tcp.sport = 22; tcp.port = 25;" }
diff --git a/contrib/ipfilter/test/expected/i23 b/contrib/ipfilter/test/expected/i23
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/contrib/ipfilter/test/expected/i23
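Review bot: expected/i23 is added as an empty file (blob `e69de29`, no hunk), so a comparison against it passes whenever the tool prints nothing at all. If i23 is meant to confirm that a ruleset is rejected, an empty golden file cannot tell a clean rejection from a crash or an early exit. The harness is not visible here, so this is inferred. Consider also capturing the diagnostic text or the exit status for this case, or noting in the test input that empty output is the intended result.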
diff --git a/contrib/ipfilter/test/expected/i3 b/contrib/ipfilter/test/expected/i3
index 6150c7e..691ad25 100644
--- a/contrib/ipfilter/test/expected/i3
+++ b/contrib/ipfilter/test/expected/i3
@@ -1,11 +1,11 @@
log in all
-pass in from 128.16.0.0/16 to 129.10.10.0/24
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-block in log from any to any
+pass in inet from 128.16.0.0/16 to 129.10.10.0/24
+pass in inet from 128.0.0.0/24 to 128.0.0.0/16
+pass in inet from 128.0.0.0/24 to 128.0.0.0/16
+pass in inet from 128.0.0.0/24 to 128.0.0.0/16
+pass in inet from 128.0.0.0/24 to 128.0.0.0/16
+pass in inet from 128.0.0.0/24 to 128.0.0.0/16
+pass in inet from 127.0.0.1/32 to 127.0.0.1/32
+block in log inet from any to any
block in log level auth.info on hme0(!) all
log level local5.warn out all
diff --git a/contrib/ipfilter/test/expected/i4 b/contrib/ipfilter/test/expected/i4
index 4992455..1198714 100644
--- a/contrib/ipfilter/test/expected/i4
+++ b/contrib/ipfilter/test/expected/i4
@@ -1,7 +1,7 @@
log in proto tcp from any port > 0 to any
log in proto tcp from any to any port > 0
pass in proto tcp from any port != 0 to any port 0 >< 65535
-pass in proto udp from 127.0.0.1/32 port > 32000 to 127.0.0.1/32 port < 29000
+pass in inet proto udp from 127.0.0.1/32 port > 32000 to 127.0.0.1/32 port < 29000
block in proto udp from any port != 123 to any port < 7
block in proto tcp from any port = 25 to any port > 25
pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
diff --git a/contrib/ipfilter/test/expected/i5 b/contrib/ipfilter/test/expected/i5
index edf9865..0dbc859 100644
--- a/contrib/ipfilter/test/expected/i5
+++ b/contrib/ipfilter/test/expected/i5
@@ -1,9 +1,9 @@
log in all
count in tos 0x80 from any to any
-pass in on ed0(!) tos 0x40 from 127.0.0.1/32 to 127.0.0.1/32
+pass in on ed0(!) inet tos 0x40 from 127.0.0.1/32 to 127.0.0.1/32
block in log on lo0(!) ttl 0 from any to any
pass in quick ttl 1 from any to any
-skip 3 out from 127.0.0.1/32 to any
+skip 3 out inet from 127.0.0.1/32 to any
auth out on foo0(!) proto tcp from any to any port = 80
preauth out on foo0(!) proto tcp from any to any port = 22
nomatch out on foo0(!) proto tcp from any port < 1024 to any
diff --git a/contrib/ipfilter/test/expected/i6 b/contrib/ipfilter/test/expected/i6
index e4b14c3..29c33a2 100644
--- a/contrib/ipfilter/test/expected/i6
+++ b/contrib/ipfilter/test/expected/i6
@@ -1,12 +1,12 @@
pass in on lo0(!) fastroute from any to any
-pass in on lo0(!) to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32
-pass in on le0(!) to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
-pass in on lo0(!) dup-to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32
-pass in on le0(!) dup-to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
-pass in on le0(!) dup-to qe0(!):127.0.0.1 to hme0(!):10.1.1.1 from 127.0.0.1/32 to 127.0.0.1/32
+pass in on lo0(!) to qe0(!) inet from 127.0.0.1/32 to 127.0.0.1/32
+pass in on le0(!) to qe0:127.0.0.1 inet from 127.0.0.1/32 to 127.0.0.1/32
+pass in on lo0(!) dup-to qe0(!) inet from 127.0.0.1/32 to 127.0.0.1/32
+pass in on le0(!) dup-to qe0:127.0.0.1 inet from 127.0.0.1/32 to 127.0.0.1/32
+pass in on le0(!) to hme0:10.1.1.1 dup-to qe0:127.0.0.1 inet from 127.0.0.1/32 to 127.0.0.1/32
block in quick on qe0(!) to qe1(!) from any to any
block in quick to qe1(!) from any to any
pass out quick dup-to hme0(!) from any to any
pass out quick on hme0(!) reply-to hme1(!) from any to any
-pass in on le0(!) dup-to qe0(!):127.0.0.1 reply-to hme1(!):10.10.10.10 all
+pass in on le0(!) dup-to qe0:127.0.0.1 reply-to hme1:10.10.10.10 inet all
pass in quick fastroute all
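Review bot: The rewritten expected lines print `qe0:127.0.0.1`, `hme0:10.1.1.1` and `hme1:10.10.10.10` without the `(!)` marker, while the bare targets `to qe0(!)` and `dup-to qe0(!)` in the same hunk keep it. If `(!)` flags an interface name that did not resolve (presumably; the printing code is not part of this hunk), the golden file now accepts a `to`/`dup-to`/`reply-to` target with an address being shown unmarked, even though these are the rules that steer or copy traffic. It is worth confirming that the omission is intended for the `ifname:addr` form and recording that next to the test input, so the difference is not read as the interface having resolved.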
diff --git a/contrib/ipfilter/test/expected/i7 b/contrib/ipfilter/test/expected/i7
index 309cd28..552f7f8 100644
--- a/contrib/ipfilter/test/expected/i7
+++ b/contrib/ipfilter/test/expected/i7
@@ -1,4 +1,4 @@
-pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
+pass in on ed0(!) inet proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
block in on lo0(!) proto tcp from any to any flags A/FSRPAU
pass in on lo0(!) proto tcp from any to any flags /SPA
block in on lo0(!) proto tcp from any to any flags C/A
@@ -7,3 +7,8 @@ block in on lo0(!) proto tcp from any to any flags S/SA
pass in on lo0(!) proto tcp from any to any flags S/FSRPAU
block in on lo0(!) proto tcp from any to any flags /A
pass in on lo0(!) proto tcp from any to any flags S/SA
+pass in on lo0(!) proto tcp from any to any flags S/SA
+block in on lo0(!) proto tcp from any to any flags S/SA
+pass in on lo0(!) proto tcp from any to any flags S/FSRPAU
+block in on lo0(!) proto tcp from any to any flags /A
+pass in on lo0(!) proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/test/expected/i8 b/contrib/ipfilter/test/expected/i8
index f033e6b..a85f1de 100644
--- a/contrib/ipfilter/test/expected/i8
+++ b/contrib/ipfilter/test/expected/i8
@@ -1,35 +1,66 @@
-pass in proto icmp from 127.0.0.1/32 to 127.0.0.1/32 icmp-type timest
-block in proto icmp from any to any icmp-type unreach code 1
-pass in proto icmp from any to any icmp-type unreach code 15
-pass in proto icmp from any to any icmp-type unreach code 13
-pass in proto icmp from any to any icmp-type unreach code 8
-pass in proto icmp from any to any icmp-type unreach code 4
-pass in proto icmp from any to any icmp-type unreach code 9
-pass in proto icmp from any to any icmp-type unreach code 11
-pass in proto icmp from any to any icmp-type unreach code 14
-pass in proto icmp from any to any icmp-type unreach code 10
-pass in proto icmp from any to any icmp-type unreach code 12
-pass in proto icmp from any to any icmp-type unreach code 7
-pass in proto icmp from any to any icmp-type unreach code 1
-pass in proto icmp from any to any icmp-type unreach code 6
-pass in proto icmp from any to any icmp-type unreach code 0
-pass in proto icmp from any to any icmp-type unreach code 3
-pass in proto icmp from any to any icmp-type unreach code 2
-pass in proto icmp from any to any icmp-type unreach code 5
-pass in proto icmp from any to any icmp-type echo
-pass in proto icmp from any to any icmp-type echorep
-pass in proto icmp from any to any icmp-type inforeq
-pass in proto icmp from any to any icmp-type inforep
-pass in proto icmp from any to any icmp-type maskrep
-pass in proto icmp from any to any icmp-type maskreq
-pass in proto icmp from any to any icmp-type paramprob
-pass in proto icmp from any to any icmp-type redir
-pass in proto icmp from any to any icmp-type unreach
-pass in proto icmp from any to any icmp-type routerad
-pass in proto icmp from any to any icmp-type routersol
-pass in proto icmp from any to any icmp-type squench
-pass in proto icmp from any to any icmp-type timest
-pass in proto icmp from any to any icmp-type timestrep
-pass in proto icmp from any to any icmp-type timex
-pass in proto icmp from any to any icmp-type 254
-pass in proto icmp from any to any icmp-type 253 code 254
+pass in inet proto icmp from 127.0.0.1/32 to 127.0.0.1/32 icmp-type timest
+block in inet proto icmp from any to any icmp-type unreach code 1
+pass in inet proto icmp from any to any icmp-type unreach code 15
+pass in inet proto icmp from any to any icmp-type unreach code 13
+pass in inet proto icmp from any to any icmp-type unreach code 8
+pass in inet proto icmp from any to any icmp-type unreach code 4
+pass in inet proto icmp from any to any icmp-type unreach code 9
+pass in inet proto icmp from any to any icmp-type unreach code 11
+pass in inet proto icmp from any to any icmp-type unreach code 14
+pass in inet proto icmp from any to any icmp-type unreach code 10
+pass in inet proto icmp from any to any icmp-type unreach code 12
+pass in inet proto icmp from any to any icmp-type unreach code 7
+pass in inet proto icmp from any to any icmp-type unreach code 1
+pass in inet proto icmp from any to any icmp-type unreach code 6
+pass in inet proto icmp from any to any icmp-type unreach code 0
+pass in inet proto icmp from any to any icmp-type unreach code 3
+pass in inet proto icmp from any to any icmp-type unreach code 2
+pass in inet proto icmp from any to any icmp-type unreach code 5
+pass in inet proto icmp from any to any icmp-type echo
+pass in inet proto icmp from any to any icmp-type echorep
+pass in inet proto icmp from any to any icmp-type inforeq
+pass in inet proto icmp from any to any icmp-type inforep
+pass in inet proto icmp from any to any icmp-type maskrep
+pass in inet proto icmp from any to any icmp-type maskreq
+pass in inet proto icmp from any to any icmp-type paramprob
+pass in inet proto icmp from any to any icmp-type redir
+pass in inet proto icmp from any to any icmp-type unreach
+pass in inet proto icmp from any to any icmp-type routerad
+pass in inet proto icmp from any to any icmp-type routersol
+pass in inet proto icmp from any to any icmp-type squench
+pass in inet proto icmp from any to any icmp-type timest
+pass in inet proto icmp from any to any icmp-type timestrep
+pass in inet proto icmp from any to any icmp-type timex
+pass in inet proto icmp from any to any icmp-type 254
+pass in inet proto icmp from any to any icmp-type 253 code 254
+pass in inet proto icmp from any to any icmp-type unreach code 15
+pass in inet proto icmp from any to any icmp-type unreach code 13
+pass in inet proto icmp from any to any icmp-type unreach code 8
+pass in inet proto icmp from any to any icmp-type unreach code 4
+pass in inet proto icmp from any to any icmp-type unreach code 9
+pass in inet proto icmp from any to any icmp-type unreach code 11
+pass in inet proto icmp from any to any icmp-type unreach code 14
+pass in inet proto icmp from any to any icmp-type unreach code 10
+pass in inet proto icmp from any to any icmp-type unreach code 12
+pass in inet proto icmp from any to any icmp-type unreach code 7
+pass in inet proto icmp from any to any icmp-type unreach code 1
+pass in inet proto icmp from any to any icmp-type unreach code 6
+pass in inet proto icmp from any to any icmp-type unreach code 0
+pass in inet proto icmp from any to any icmp-type unreach code 3
+pass in inet proto icmp from any to any icmp-type unreach code 2
+pass in inet proto icmp from any to any icmp-type unreach code 5
+pass in inet proto icmp from any to any icmp-type echo
+pass in inet proto icmp from any to any icmp-type echorep
+pass in inet proto icmp from any to any icmp-type inforeq
+pass in inet proto icmp from any to any icmp-type inforep
+pass in inet proto icmp from any to any icmp-type maskrep
+pass in inet proto icmp from any to any icmp-type maskreq
+pass in inet proto icmp from any to any icmp-type paramprob
+pass in inet proto icmp from any to any icmp-type redir
+pass in inet proto icmp from any to any icmp-type unreach
+pass in inet proto icmp from any to any icmp-type routerad
+pass in inet proto icmp from any to any icmp-type routersol
+pass in inet proto icmp from any to any icmp-type squench
+pass in inet proto icmp from any to any icmp-type timest
+pass in inet proto icmp from any to any icmp-type timestrep
+pass in inet proto icmp from any to any icmp-type timex
diff --git a/contrib/ipfilter/test/expected/i9 b/contrib/ipfilter/test/expected/i9
index b128f99..deecd17 100644
--- a/contrib/ipfilter/test/expected/i9
+++ b/contrib/ipfilter/test/expected/i9
@@ -1,9 +1,9 @@
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with short,frag
+pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with short,frag
block in from any to any with ipopts
-pass in from any to any with opt nop,rr,zsu
-pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body
+pass in inet from any to any with opt nop,rr,zsu
+pass in inet from any to any with opt nop,rr,zsu not opt lsrr,ssrr
+pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with not frag
+pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body
pass in proto tcp from any to any flags S/FSRPAU with not oow keep state # count 0
block in proto tcp from any to any with oow
pass in proto tcp from any to any flags S/FSRPAU with not bad,bad-src,bad-nat
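Review bot: The updated expectations pin `inet` on the `with opt nop,rr,zsu` rules but leave `block in from any to any with ipopts` without a family, so two IPv4-option matches are now printed with different scope. If the parser is meant to infer `inet` from IPv4-only keywords, it is worth confirming that `with ipopts` is deliberately left family-neutral. Whether a family-less block rule is also evaluated for IPv6 traffic is not visible in this hunk. The same split appears in the `-14,4` hunk below (`with opt mtup,…` gains `inet`, `with not ipopts,…` does not). A one-line comment in the i9 regress input stating which keywords force `inet` would document the intent.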
@@ -14,4 +14,4 @@ pass in quick from any to any with not frag-body
block in quick from any to any with not lowttl
pass in from any to any with not ipopts,mbcast,not bcast,mcast,not state
block in from any to any with not mbcast,bcast,not mcast,state
-pass in from any to any with opt mtup,mtur,encode,ts,tr,sec,e-sec,cipso,satid,ssrr,addext,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump
+pass in inet from any to any with opt mtup,mtur,encode,ts,tr,sec,e-sec,cipso,satid,ssrr,addext,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump
diff --git a/contrib/ipfilter/test/expected/in1 b/contrib/ipfilter/test/expected/in1
index 03436b6..2f1cf31 100644
--- a/contrib/ipfilter/test/expected/in1
+++ b/contrib/ipfilter/test/expected/in1
@@ -1,31 +1,31 @@
-map le0 0.0.0.0/0 -> 0.0.0.0/32
+map le0 0/0 -> 0/32
map le0 0.0.0.1/32 -> 0.0.0.1/32
-map le0 128.0.0.0/1 -> 0.0.0.0/0
+map le0 128.0.0.0/1 -> 0/0
map le0 10.0.0.0/8 -> 1.2.3.0/24
map le0 10.0.0.0/8 -> 1.2.3.0/24
map le0 10.0.0.0/8 -> 1.2.3.0/24
map le0 0.0.0.5/0.0.0.255 -> 1.2.3.0/24
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp 20000:29999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 30000:39999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 21 ftp/tcp
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 1010 ftp/tcp
-map le0 0.0.0.0/0 -> 0.0.0.0/32 frag
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999
+map ppp0 192.168.0.0/16 -> 0/32 portmap udp 20000:29999
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp 30000:39999
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp auto
+map ppp0 192.168.0.0/16 -> 0/32 portmap udp auto
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto
+map ppp0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp
+map ppp0 192.168.0.0/16 -> 0/32 proxy port 1010 ftp/tcp
+map le0 0/0 -> 0/32 frag
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 21 ftp/tcp frag
-map le0 0.0.0.0/0 -> 0.0.0.0/32 age 10/10
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag
+map ppp0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp frag
+map le0 0/0 -> 0/32 age 10/10
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 age 10/20
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 age 30/30
-map le0 0.0.0.0/0 -> 0.0.0.0/32 frag age 10/10
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 age 30/30
+map le0 0/0 -> 0/32 frag age 10/10
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag age 30/30
-map fxp0 from 192.168.0.0/18 to any port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp
-map thisisalonginte 0.0.0.0/0 -> 0.0.0.0/32 mssclamp 1452 tag freddyliveshere
-map bar0 0.0.0.0/0 -> 0.0.0.0/32 icmpidmap icmp 1000:2000
-map ppp0,adsl0 0.0.0.0/0 -> 0.0.0.0/32
-map ppp0 from 192.168.0.0/16 to any port = 123 -> 0.0.0.0/32 age 30/1 udp
+map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag age 30/30
+map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp
+map thisisalonginte 0/0 -> 0/32 mssclamp 1452 tag freddyliveshere
+map bar0 0/0 -> 0/32 icmpidmap icmp 1000:2000
+map ppp0,adsl0 0/0 -> 0/32
+map ppp0 from 192.168.0.0/16 to 0/0 port = 123 -> 0/32 age 30/1 udp
diff --git a/contrib/ipfilter/test/expected/in100 b/contrib/ipfilter/test/expected/in100
new file mode 100644
index 0000000..dcf3097
--- /dev/null
+++ b/contrib/ipfilter/test/expected/in100
@@ -0,0 +1,3 @@
+rewrite in on bge0 from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.3/32 dst 4.4.4.4/32;
+rewrite out on bge0 from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.0/24 dst 4.4.4.4/32;
+rewrite in on bge0 from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.0/24 dst 4.4.4.0/24;
diff --git a/contrib/ipfilter/test/expected/in101 b/contrib/ipfilter/test/expected/in101
new file mode 100644
index 0000000..04e234c
--- /dev/null
+++ b/contrib/ipfilter/test/expected/in101
@@ -0,0 +1,4 @@
+rewrite in on bge0 proto icmp from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.3/32 dst 4.4.4.4/32;
+rewrite in on bge0 proto udp from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.3/32 dst 4.4.4.4/32;
+rewrite out on bge0 proto tcp from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.0/24 dst 4.4.4.4/32;
+rewrite in on bge0 proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.0/24,20202 dst 4.4.4.0/24,10101;
diff --git a/contrib/ipfilter/test/expected/in102 b/contrib/ipfilter/test/expected/in102
new file mode 100644
index 0000000..0a1b612
--- /dev/null
+++ b/contrib/ipfilter/test/expected/in102
@@ -0,0 +1,5 @@
+rewrite in on bge0 proto tcp from 0/0 to 0/0 -> src 0/0 dst dstlist/a;
+rewrite in on bge0 proto tcp from 1.1.1.1/32 to 0/0 -> src 0/0 dst dstlist/bee;
+rewrite in on bge0 proto tcp from 1.1.1.1/32 to 2.2.2.2/32 -> src 0/0 dst dstlist/cat;
+rewrite in on bge0 proto tcp from pool/a to 2.2.2.2/32 -> src 0/0 dst dstlist/bat;
+rewrite in on bge0 proto tcp from pool/a to pool/1 -> src 0/0 dst dstlist/ant;
diff --git a/contrib/ipfilter/test/expected/in2 b/contrib/ipfilter/test/expected/in2
index f1239b1..dc8f4ac 100644
--- a/contrib/ipfilter/test/expected/in2
+++ b/contrib/ipfilter/test/expected/in2
@@ -1,71 +1,71 @@
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 255
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 9.0.0.0/8 -> 1.1.1.1 ip
-rdr le0 9.8.0.0/16 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 0.0.0.0/0 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp
+rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1/32 port 0 tcp
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 255
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip
+rdr le0 9.0.0.0/8 -> 1.1.1.1/32 ip
+rdr le0 9.8.0.0/16 -> 1.1.1.1/32 ip
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp
+rdr le0 9.8.7.6/32 port 80 -> 0/0 port 80 tcp
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 udp
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp/udp
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp/udp frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/10
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/20
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag age 10/10
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag age 30/30
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/10
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/20
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag age 10/10
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag age 30/30 sticky
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/10 mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/20 mssclamp 1000
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag age 10/10 mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/10 mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/20 mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 -> 1.1.1.1/32 icmp frag age 10/10 mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000 tag nattagcacheline
+rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1/32 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000 tag nattagcacheline
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000 tag nattagcacheline
-rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
-rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
-rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
-rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp
-rdr le0 0.0.0.0/0 -> 254.220.186.152 ip
-rdr le0 0.0.0.0/0 -> 254.220.186.152,254.220.186.152 ip
-rdr adsl0,ppp0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25 tcp
+rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1/32 port 21 tcp proxy ftp
+rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1/32 port 21 tcp proxy ftp
+rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1/32 port 5555 tcp
+rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1/32 port = 5555 tcp
+rdr le0 0/0 -> 254.220.186.152/32 ip
+rdr le0 0/0 -> 254.220.186.152,254.220.186.152 ip
+rdr adsl0,ppp0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1/32 port 5555-7777 tcp
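Review bot: The last expectation is not a notation change like the rest of this hunk. The old case `rdr adsl0,ppp0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25 tcp` is replaced by a different rule, `9.8.7.6/32 port 1000-2000 -> 1.1.1.1/32 port 5555-7777`. Unless the regress input moved it elsewhere (not visible here), the multi-interface, any-source redirect to loopback loses its coverage, and that is the kind of rule where a printing or parsing regression matters most. I would keep it as an extra case next to the new port-range one; in the new notation that is presumably `rdr adsl0,ppp0 0/0 port 25 -> 127.0.0.1/32 port 25 tcp`, to be confirmed against actual output.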
diff --git a/contrib/ipfilter/test/expected/in3 b/contrib/ipfilter/test/expected/in3
index b8a85bf..dac97c7 100644
--- a/contrib/ipfilter/test/expected/in3
+++ b/contrib/ipfilter/test/expected/in3
@@ -1,5 +1,5 @@
-bimap le0 0.0.0.0/0 -> 0.0.0.0/32
+bimap le0 0/0 -> 0/32
bimap le0 0.0.0.1/32 -> 0.0.0.1/32
-bimap le0 128.0.0.0/1 -> 0.0.0.0/0
+bimap le0 128.0.0.0/1 -> 0/0
bimap le0 10.0.0.0/8 -> 1.2.3.0/24
bimap le0 10.0.5.0/24 -> 1.2.3.0/24
diff --git a/contrib/ipfilter/test/expected/in5 b/contrib/ipfilter/test/expected/in5
index e77de71..b7c6ef5 100644
--- a/contrib/ipfilter/test/expected/in5
+++ b/contrib/ipfilter/test/expected/in5
@@ -1,24 +1,24 @@
-map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1/32 portmap tcp 10000:20000
+map le0 from 9.8.7.6/32 port > 1024 to 0/0 -> 1.1.1.1/32 portmap tcp 10000:20000
map le0 from 9.8.7.6/32 port > 1024 ! to 1.2.3.4/32 -> 1.1.1.1/32 portmap tcp 10000:20000
-rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 ! from 1.2.3.4/32 to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30/30
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40
+rdr le0 from 0/0 to 9.8.7.6/32 port = 0 -> 1.1.1.1/32 port 0 tcp
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 ip
+rdr le0 ! from 1.2.3.4/32 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 tcp
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 ip
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 tcp
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 udp
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 tcp/udp
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 icmp
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 tcp round-robin
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 ip frag
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 icmp frag
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 tcp round-robin frag
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/10
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 ip frag age 10/20
+rdr le0 from 0/0 to 9.8.7.6/32 -> 1.1.1.1/32 icmp frag age 10/10
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1/32 port 888 tcp round-robin frag age 30/30
+rdr le0 from 0/0 to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40
diff --git a/contrib/ipfilter/test/expected/in6 b/contrib/ipfilter/test/expected/in6
index 05426e7..fefc052 100644
--- a/contrib/ipfilter/test/expected/in6
+++ b/contrib/ipfilter/test/expected/in6
@@ -1,8 +1,8 @@
-map foo0 from any port = 1 to any port != 0 -> 0.0.0.0/32 udp
-map foo0 from any port = 1 to any port != 0 -> 0.0.0.0/32 udp
-map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
-map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
-map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
-map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
-map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0.0.0.0/32 tcp/udp
-map foo0 from any port 10:20 to any port 30:40 -> 0.0.0.0/32 tcp/udp
+map foo0 from 0/0 port = 1 to 0/0 port != 0 -> 0/32 udp
+map foo0 from 0/0 port = 1 to 0/0 port != 0 -> 0/32 udp
+map foo0 from 0/0 port < 1 to 0/0 port > 0 -> 0/32 tcp
+map foo0 from 0/0 port < 1 to 0/0 port > 0 -> 0/32 tcp
+map foo0 from 0/0 port <= 1 to 0/0 port >= 0 -> 0/32 tcp/udp
+map foo0 from 0/0 port <= 1 to 0/0 port >= 0 -> 0/32 tcp/udp
+map foo0 from 0/0 port 1 >< 20 to 0/0 port 20 <> 40 -> 0/32 tcp/udp
+map foo0 from 0/0 port 10:20 to 0/0 port 30:40 -> 0/32 tcp/udp
diff --git a/contrib/ipfilter/test/expected/in7 b/contrib/ipfilter/test/expected/in7
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/contrib/ipfilter/test/expected/in7
diff --git a/contrib/ipfilter/test/expected/ip1 b/contrib/ipfilter/test/expected/ip1
index b04fa9d..cee7831 100644
--- a/contrib/ipfilter/test/expected/ip1
+++ b/contrib/ipfilter/test/expected/ip1
@@ -1,68 +1,68 @@
-table role = ipf type = tree number = 1
+table role=ipf type=tree number=1
{; };
-table role = ipf type = tree number = 100
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = tree number = 110
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = tree number = 120
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = tree number = 130
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = hash number = 2 size = 1
+table role=ipf type=tree number=100
+ { 1.2.3.4/32; ! 2.2.0.0/16; 2.2.2.0/24; };
+table role=nat type=tree number=110
+ { 1.2.3.4/32; ! 2.2.0.0/16; 2.2.2.0/24; };
+table role=auth type=tree number=120
+ { 1.2.3.4/32; ! 2.2.0.0/16; 2.2.2.0/24; };
+table role=count type=tree number=130
+ { 1.2.3.4/32; ! 2.2.0.0/16; 2.2.2.0/24; };
+table role=ipf type=hash number=2 size=1
{; };
-table role = ipf type = hash number = 200 size = 5
+table role=ipf type=hash number=200 size=5
{ 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 210 size = 5
+table role=nat type=hash number=210 size=5
{ 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 220 size = 5
+table role=auth type=hash number=220 size=5
{ 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 230 size = 5
+table role=count type=hash number=230 size=5
{ 0/0; 4/32; 1.2.3.4/32; };
-table role = ipf type = hash number = 240 size = 5 seed = 101
+table role=ipf type=hash number=240 size=5 seed=101
{ 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 250 size = 5 seed = 101
+table role=nat type=hash number=250 size=5 seed=101
{ 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 260 size = 5 seed = 101
+table role=auth type=hash number=260 size=5 seed=101
{ 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 270 size = 5 seed = 101
+table role=count type=hash number=270 size=5 seed=101
{ 0/0; 4/32; 1.2.3.4/32; };
-table role = ipf type = hash number = 2000 size = 1001
+table role=ipf type=hash number=2000 size=1001
{ 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 2000 size = 1001
+table role=nat type=hash number=2000 size=1001
{ 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 2000 size = 1001
+table role=auth type=hash number=2000 size=1001
{ 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 2000 size = 1001
+table role=count type=hash number=2000 size=1001
{ 0/0; 4/32; 1.2.3.4/32; };
-table role = ipf type = hash number = 100 size = 1001 seed = 101
+table role=ipf type=hash number=100 size=1001 seed=101
{ 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 100 size = 1001 seed = 101
+table role=nat type=hash number=100 size=1001 seed=101
{ 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 100 size = 1001 seed = 101
+table role=auth type=hash number=100 size=1001 seed=101
{ 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 100 size = 1001 seed = 101
+table role=count type=hash number=100 size=1001 seed=101
{ 0/0; 4/32; 1.2.3.4/32; };
-group-map in role = ipf number = 300 size = 5
- { 0/0, group = 303; 5/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map in role = nat number = 300 size = 5
- { 0/0, group = 303; 6/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map in role = auth number = 300 size = 5
- { 0/0, group = 303; 7/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map in role = count number = 300 size = 5
- { 0/0, group = 303; 8/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map out role = ipf number = 400 size = 5
- { 0/0, group = 303; 5/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map out role = nat number = 400 size = 5
- { 0/0, group = 303; 6/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map out role = auth number = 400 size = 5
- { 0/0, group = 303; 7/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map out role = count number = 400 size = 5
- { 0/0, group = 303; 8/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map in role = ipf number = 500 size = 5
- { 0/0, group = 10; 5/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = nat number = 500 size = 5
- { 0/0, group = 10; 6/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = auth number = 500 size = 5
- { 0/0, group = 10; 7/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = count number = 500 size = 5
- { 0/0, group = 10; 8/32, group = 800; 1.2.3.4/32, group = 606; };
+group-map in role=ipf number=300 size=5
+ { 0/0, group=303; 5/32, group=303; 1.2.3.4/32, group=303; };
+group-map in role=nat number=300 size=5
+ { 0/0, group=303; 6/32, group=303; 1.2.3.4/32, group=303; };
+group-map in role=auth number=300 size=5
+ { 0/0, group=303; 7/32, group=303; 1.2.3.4/32, group=303; };
+group-map in role=count number=300 size=5
+ { 0/0, group=303; 8/32, group=303; 1.2.3.4/32, group=303; };
+group-map out role=ipf number=400 size=5
+ { 0/0, group=303; 5/32, group=303; 1.2.3.4/32, group=606; };
+group-map out role=nat number=400 size=5
+ { 0/0, group=303; 6/32, group=303; 1.2.3.4/32, group=606; };
+group-map out role=auth number=400 size=5
+ { 0/0, group=303; 7/32, group=303; 1.2.3.4/32, group=606; };
+group-map out role=count number=400 size=5
+ { 0/0, group=303; 8/32, group=303; 1.2.3.4/32, group=606; };
+group-map in role=ipf number=500 size=5
+ { 0/0, group=10; 5/32, group=800; 1.2.3.4/32, group=606; };
+group-map in role=nat number=500 size=5
+ { 0/0, group=10; 6/32, group=800; 1.2.3.4/32, group=606; };
+group-map in role=auth number=500 size=5
+ { 0/0, group=10; 7/32, group=800; 1.2.3.4/32, group=606; };
+group-map in role=count number=500 size=5
+ { 0/0, group=10; 8/32, group=800; 1.2.3.4/32, group=606; };
diff --git a/contrib/ipfilter/test/expected/ip2 b/contrib/ipfilter/test/expected/ip2
index 9b0ed2b..3de3c47 100644
--- a/contrib/ipfilter/test/expected/ip2
+++ b/contrib/ipfilter/test/expected/ip2
@@ -1,2 +1,2 @@
-table role = ipf type = tree name = letters
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.1.1.1/32; };
+table role=ipf type=tree name=letters
+ { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; };
diff --git a/contrib/ipfilter/test/expected/ip3 b/contrib/ipfilter/test/expected/ip3
new file mode 100644
index 0000000..48dd074
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ip3
@@ -0,0 +1,14 @@
+pool ipf/dstlist (name fred; policy round-robin;)
+ { 3.3.3.3; };
+pool ipf/dstlist (name jack; policy weighting connection;)
+ { 4.4.4.4; bge0:5.5.5.5; };
+pool ipf/dstlist (name jill; policy random;)
+ { 1.1.1.1; bge0:2.2.2.2; };
+table role=nat type=hash name=noproxy size=3
+ { 1.1.1.1/32; 2.2.2.2/32; };
+table role=nat type=tree name=raw
+ { 1.1.1.1/32; 2.2.2.2/32; };
+pool all/dstlist (name jill; policy random;)
+ { 1.1.1.1; bge0:2.2.2.2; };
+table role=all type=hash name=noproxy size=3
+ { 1.1.1.1/32; 2.2.2.2/32; };
diff --git a/contrib/ipfilter/test/expected/ipv6.4 b/contrib/ipfilter/test/expected/ipv6.4
new file mode 100644
index 0000000..e3ae842
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ipv6.4
@@ -0,0 +1,51 @@
+pass
+pass
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+pass
+block
+nomatch
+nomatch
+nomatch
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/ipv6.6 b/contrib/ipfilter/test/expected/ipv6.6
index abc0e87..efd0421 100644
--- a/contrib/ipfilter/test/expected/ipv6.6
+++ b/contrib/ipfilter/test/expected/ipv6.6
@@ -1,3 +1,10 @@
pass
pass
+pass
+pass
+--------
+nomatch
+nomatch
+block
+nomatch
--------
diff --git a/contrib/ipfilter/test/expected/l1 b/contrib/ipfilter/test/expected/l1
index ba0de69..e4a081d 100644
--- a/contrib/ipfilter/test/expected/l1
+++ b/contrib/ipfilter/test/expected/l1
@@ -1,11 +1,13 @@
log in all
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF IN
01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
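Review bot: The added line `missed 1 ipf log entries: 0 1` makes a dropped-record notice part of the passing baseline, so a run that really loses one log entry looks the same as a healthy one. The same line is added at the start of each section in the `-15,11` and `-27,8` hunks and in `l1.b`. From the diff alone it is not clear whether a record is actually lost in the harness or a counter simply starts off by one. If it is a harness artifact, I would document it next to the l1 regress input, e.g. `# ipmon reports one missed entry per run because <reason — to be filled in>`. If it is a real drop, the logging path should be fixed rather than the expectation.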
@@ -15,11 +17,14 @@ pass in on anon0 all head 100
pass in log quick from 3.3.3.3 to any group 100
--------
pass in log body quick from 2.2.2.2 to any
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
--------
pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
@@ -27,8 +32,10 @@ pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF K-S IN
--------
pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
--------
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
diff --git a/contrib/ipfilter/test/expected/l1.b b/contrib/ipfilter/test/expected/l1.b
index c060086..e06e486 100644
--- a/contrib/ipfilter/test/expected/l1.b
+++ b/contrib/ipfilter/test/expected/l1.b
@@ -1,29 +1,38 @@
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF IN
01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
--------
--------
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d ............
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
+42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
--------
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF K-S IN
--------
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
--------
+missed 1 ipf log entries: 0 1
01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
diff --git a/contrib/ipfilter/test/expected/n1 b/contrib/ipfilter/test/expected/n1
index 537f9bb..20eaedc 100644
--- a/contrib/ipfilter/test/expected/n1
+++ b/contrib/ipfilter/test/expected/n1
@@ -1,105 +1,197 @@
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.2.2.2 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.2.2.2 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+List of active MAP/Redirect filters:
+map zx0 10.1.1.1/32 -> 10.2.2.2/32
+
+List of active sessions:
+MAP 10.1.1.1 <- -> 10.2.2.2 [10.4.3.2]
+MAP 10.1.1.1 <- -> 10.2.2.2 [10.1.1.2]
+
+Hostmap table:
+10.1.1.1,10.4.3.2 -> 10.2.2.2,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.2 -> 10.2.2.2,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 48(20) 1 10.3.4.5 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 20(20) 34 10.3.4.5 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.3.4.5 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.1.1.2
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.3.4.5 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 20(20) 255 10.3.4.5 > 10.1.1.2
+15
+> zx0 ip #0 20(20) 255 10.3.4.5 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+> zx0 ip #0 48(20) 1 10.3.4.5 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
+> zx0 ip #0 20(20) 34 10.3.4.5 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.3.4.5 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.1.1.2
+15
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.3.4.5 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+List of active MAP/Redirect filters:
+map zx0 10.1.1.0/24 -> 10.3.4.5/32
+
+List of active sessions:
+MAP 10.1.1.3 <- -> 10.3.4.5 [10.4.3.4]
+MAP 10.1.1.2 <- -> 10.3.4.5 [10.4.3.4]
+MAP 10.1.1.2 <- -> 10.3.4.5 [10.4.3.2]
+MAP 10.1.1.1 <- -> 10.3.4.5 [10.4.3.2]
+MAP 10.1.1.2 1026 <- -> 10.3.4.5 1026 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 1025 [10.1.1.1 1025]
+MAP 10.1.1.2 <- -> 10.3.4.5 [10.1.1.1]
+MAP 10.1.1.0 <- -> 10.3.4.5 [10.1.1.2]
+
+Hostmap table:
+10.1.1.3,10.4.3.4 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.4.3.4 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.4.3.2 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.1,10.4.3.2 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 3)
+10.1.1.0,10.1.1.2 -> 10.3.4.5,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.3.4.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.2 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.3 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.3,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.3,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.3.4.3 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.3 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.3.4.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.4 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.3.4.4 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 20(20) 255 10.3.4.1 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.3.4.2 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.3.4.3 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.3,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.3,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.3.4.3 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.3.4.3 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.3.4.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.3.4.4 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.3.4.4 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+List of active MAP/Redirect filters:
+map zx0 10.1.1.0/24 -> 10.3.4.0/24
+
+List of active sessions:
+MAP 10.1.1.3 <- -> 10.3.4.4 [10.4.3.4]
+MAP 10.1.1.3 <- -> 10.3.4.4 [10.4.3.4]
+MAP 10.1.1.2 <- -> 10.3.4.3 [10.4.3.4]
+MAP 10.1.1.2 <- -> 10.3.4.3 [10.4.3.2]
+MAP 10.1.1.1 <- -> 10.3.4.3 [10.4.3.2]
+MAP 10.1.1.2 1026 <- -> 10.3.4.3 1026 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.3 1025 [10.1.1.1 1025]
+MAP 10.1.1.2 <- -> 10.3.4.3 [10.1.1.1]
+MAP 10.1.1.1 <- -> 10.3.4.2 [10.1.1.2]
+MAP 10.1.1.0 <- -> 10.3.4.1 [10.1.1.2]
+
+Hostmap table:
+10.1.1.3,10.4.3.4 -> 10.3.4.4,0.0.0.0 (use = 2)
+10.1.1.2,10.4.3.4 -> 10.3.4.3,0.0.0.0 (use = 1)
+10.1.1.2,10.4.3.2 -> 10.3.4.3,0.0.0.0 (use = 1)
+10.1.1.1,10.4.3.2 -> 10.3.4.3,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.3,0.0.0.0 (use = 3)
+10.1.1.1,10.1.1.2 -> 10.3.4.2,0.0.0.0 (use = 1)
+10.1.1.0,10.1.1.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
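Review bot: The bare `15` lines in the second block put an unexplained number into the expected output, replacing the old `ip #0 20(20) 255 10.1.1.1 > 10.1.1.2` and `ip #0 20(20) 34 10.1.1.3 > 10.4.3.4` lines; expected/n11 gains the same `15` and expected/n11_6 a `16`. It looks like a result code printed when no packet is emitted, presumably because `map zx0 10.1.1.0/24 -> 10.3.4.5/32` could not give the packet a unique translation, but the fixture does not say so. This changes what happens to a packet that previously left the interface untranslated, so the meaning of the code should be stated. I would have the test tool print a labelled line instead of the raw number (for example `nat failed: 15`, wording to be chosen by the author), or document the code in the test notes.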
diff --git a/contrib/ipfilter/test/expected/n10 b/contrib/ipfilter/test/expected/n10
index ae541d1..0c03ff0 100644
--- a/contrib/ipfilter/test/expected/n10
+++ b/contrib/ipfilter/test/expected/n10
@@ -1,9 +1,72 @@
4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 655d 0000 0204 0064
+List of active MAP/Redirect filters:
+map ppp0 0/0 -> 203.203.203.203/32 mssclamp 100
+
+List of active sessions:
+MAP 192.168.1.3 32818 <- -> 203.203.203.203 32818 [150.203.224.2 21]
+
+Hostmap table:
+192.168.1.3,150.203.224.2 -> 203.203.203.203,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 61d9 0000 0204 03e8
+List of active MAP/Redirect filters:
+map ppp0 0/0 -> 203.203.203.203/32 mssclamp 1000
+
+List of active sessions:
+MAP 192.168.1.3 32818 <- -> 203.203.203.203 32818 [150.203.224.2 21]
+
+Hostmap table:
+192.168.1.3,150.203.224.2 -> 203.203.203.203,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 600d 0000 0204 05b4
+List of active MAP/Redirect filters:
+map ppp0 0/0 -> 203.203.203.203/32 mssclamp 10000
+
+List of active sessions:
+MAP 192.168.1.3 32818 <- -> 203.203.203.203 32818 [150.203.224.2 21]
+
+Hostmap table:
+192.168.1.3,150.203.224.2 -> 203.203.203.203,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n100 b/contrib/ipfilter/test/expected/n100
new file mode 100644
index 0000000..80f00a1
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n100
@@ -0,0 +1,33 @@
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.3.2.3
+> zx0 ip #0 20(20) 255 4.4.4.4 > 6.6.0.1
+> zx0 ip #0 20(20) 255 4.4.4.4 > 6.6.0.2
+> zx0 ip #0 20(20) 255 4.4.4.4 > 6.6.0.3
+> zx0 ip #0 20(20) 255 4.4.4.4 > 6.6.0.4
+> zx0 ip #0 20(20) 255 4.4.4.4 > 6.6.0.1
+> zx0 ip #0 40(20) 6 1.1.1.1,101 > 2.3.2.3,203
+> zx0 ip #0 40(20) 6 4.4.4.4,101 > 6.6.0.5,203
+List of active MAP/Redirect filters:
+rewrite out on zx0 from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32 dst 6.6.0.0/16;
+
+List of active sessions:
+RWR-MAP 1.1.1.1 101 2.2.2.3 203 <- -> 4.4.4.4 101 6.6.0.5 203
+RWR-MAP 1.1.1.1 2.2.2.4 <- -> 4.4.4.4 6.6.0.4
+RWR-MAP 1.2.1.2 2.2.2.3 <- -> 4.4.4.4 6.6.0.3
+RWR-MAP 1.1.1.2 2.2.2.3 <- -> 4.4.4.4 6.6.0.2
+RWR-MAP 1.1.1.1 2.2.2.3 <- -> 4.4.4.4 6.6.0.1
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n101 b/contrib/ipfilter/test/expected/n101
new file mode 100644
index 0000000..ad0ad97
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n101
@@ -0,0 +1,29 @@
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.3.2.3
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.2.2.3
+> zx0 ip #0 20(20) 255 1.1.1.2 > 2.2.2.3
+> zx0 ip #0 20(20) 255 1.2.1.2 > 2.2.2.3
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.2.2.4
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.2.2.3
+> zx0 ip #0 40(20) 6 1.1.1.1,101 > 2.3.2.3,203
+> zx0 ip #0 40(20) 6 4.4.4.4,101 > 6.6.0.1,203
+List of active MAP/Redirect filters:
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32 dst 6.6.0.0/16;
+
+List of active sessions:
+RWR-MAP 1.1.1.1 101 2.2.2.3 203 <- -> 4.4.4.4 101 6.6.0.1 203
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n102 b/contrib/ipfilter/test/expected/n102
new file mode 100644
index 0000000..a2f130e
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n102
@@ -0,0 +1,29 @@
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.3.2.3
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.2.2.3
+> zx0 ip #0 20(20) 255 1.1.1.2 > 2.2.2.3
+> zx0 ip #0 20(20) 255 1.2.1.2 > 2.2.2.3
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.2.2.4
+> zx0 ip #0 20(20) 255 1.1.1.1 > 2.2.2.3
+> zx0 ip #0 40(20) 6 1.1.1.1,101 > 2.3.2.3,203
+> zx0 ip #0 40(20) 6 4.4.4.4,1000 > 6.6.0.1,203
+List of active MAP/Redirect filters:
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32,1000-2000 dst 6.6.0.0/16;
+
+List of active sessions:
+RWR-MAP 1.1.1.1 101 2.2.2.3 203 <- -> 4.4.4.4 1000 6.6.0.1 203
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n103 b/contrib/ipfilter/test/expected/n103
new file mode 100644
index 0000000..31ed740
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n103
@@ -0,0 +1,33 @@
+> zx0 ip #0 40(20) 6 1.1.1.1,101 > 2.3.2.3,203
+> zx0 ip #0 40(20) 6 4.4.4.4,1000 > 6.6.0.1,4000
+> zx0 ip #0 40(20) 6 4.4.4.4,1000 > 6.6.0.1,4000
+> zx0 ip #0 40(20) 6 4.4.4.4,1001 > 6.6.0.1,4000
+> zx0 ip #0 40(20) 6 4.4.4.4,1001 > 6.6.0.2,4000
+> zx0 ip #0 40(20) 6 4.4.4.4,1001 > 6.6.0.2,4001
+< zx0 ip #0 40(20) 6 2.2.2.3,4000 > 4.4.4.4,1000
+> zx0 ip #0 40(20) 6 4.4.4.4,1000 > 6.6.0.2,4001
+List of active MAP/Redirect filters:
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32,1000-1001 dst 6.6.0.0/16,4000-4001;
+
+List of active sessions:
+RWR-MAP 7.7.7.7 101 2.2.2.3 203 <- -> 4.4.4.4 1000 6.6.0.2 4001
+RWR-MAP 5.5.5.5 101 2.2.2.3 203 <- -> 4.4.4.4 1001 6.6.0.2 4001
+RWR-MAP 10.10.10.10 101 2.2.2.3 203 <- -> 4.4.4.4 1001 6.6.0.2 4000
+RWR-MAP 1.1.1.2 101 2.2.2.3 203 <- -> 4.4.4.4 1001 6.6.0.1 4000
+RWR-MAP 1.1.1.1 101 2.2.2.3 203 <- -> 4.4.4.4 1000 6.6.0.1 4000
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n104 b/contrib/ipfilter/test/expected/n104
new file mode 100644
index 0000000..3b8a9de
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n104
@@ -0,0 +1,50 @@
+4500 0028 0001 0000 ff06 b1c3 0404 0001 0606 0001 03e8 0fa0 0000 0001 1000 0001 5010 2000 623f 0000
+
+4500 0028 0002 0000 ff06 b5c8 0202 0202 0101 0101 00cb 0065 0000 0001 1000 0001 5010 2000 789d 0000
+
+4500 0028 0003 0000 ff06 b1c0 0404 0002 0606 0001 03e8 0fa0 0000 0001 1000 0001 5010 2000 623e 0000
+
+4500 0028 0004 0000 ff06 b5c6 0202 0202 0101 0101 00cb 0066 0000 0001 1000 0001 5010 2000 789c 0000
+
+4500 0028 0005 0000 ff06 b1be 0404 0002 0606 0001 03e9 0fa0 0000 0001 1000 0001 5010 2000 623d 0000
+
+4500 0028 0006 0000 ff06 b5c4 0202 0202 0101 0101 00cb 0067 0000 0001 1000 0001 5010 2000 789b 0000
+
+4500 0028 0007 0000 ff06 b1bb 0404 0002 0606 0002 03e9 0fa0 0000 0001 1000 0001 5010 2000 623c 0000
+
+4500 0028 0008 0000 ff06 b5c2 0202 0202 0101 0101 00cb 0068 0000 0001 1000 0001 5010 2000 789a 0000
+
+4500 0028 0009 0000 ff06 b1b9 0404 0002 0606 0002 03e9 0fa1 0000 0001 1000 0001 5010 2000 623b 0000
+
+4500 0028 000a 0000 ff06 b5c0 0202 0202 0101 0101 00cb 0069 0000 0001 1000 0001 5010 2000 7899 0000
+
+4500 0028 000b 0000 ff06 b1b6 0404 0003 0606 0002 03e9 0fa1 0000 0001 1000 0001 5010 2000 623a 0000
+
+4500 0028 000c 0000 ff06 b5be 0202 0202 0101 0101 00cb 006a 0000 0001 1000 0001 5010 2000 7898 0000
+
+List of active MAP/Redirect filters:
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.0.0/24,1000-1001 dst 6.6.0.0/16,4000-4001;
+
+List of active sessions:
+RWR-MAP 1.1.1.1 106 2.2.2.2 203 <- -> 4.4.0.3 1001 6.6.0.2 4001
+RWR-MAP 1.1.1.1 105 2.2.2.2 203 <- -> 4.4.0.2 1001 6.6.0.2 4001
+RWR-MAP 1.1.1.1 104 2.2.2.2 203 <- -> 4.4.0.2 1001 6.6.0.2 4000
+RWR-MAP 1.1.1.1 103 2.2.2.2 203 <- -> 4.4.0.2 1001 6.6.0.1 4000
+RWR-MAP 1.1.1.1 102 2.2.2.2 203 <- -> 4.4.0.2 1000 6.6.0.1 4000
+RWR-MAP 1.1.1.1 101 2.2.2.2 203 <- -> 4.4.0.1 1000 6.6.0.1 4000
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n105 b/contrib/ipfilter/test/expected/n105
new file mode 100644
index 0000000..d45a4af
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n105
@@ -0,0 +1,25 @@
+4500 0028 0001 0000 ff06 adc0 0404 0404 0606 0001 03e8 0c38 0000 0001 1000 0001 5010 2000 61a4 0000
+
+4500 0028 0001 0000 ff06 b5c9 0202 0202 0101 0101 0050 0065 0000 0001 1000 0001 5010 2000 7918 0000
+
+List of active MAP/Redirect filters:
+rewrite in on zx0 proto tcp from 0/0 to 2.2.0.0/16 port = 80 -> src 4.4.4.4/32,1000-1001 dst 6.6.0.0/16,port = 3128;
+
+List of active sessions:
+RWR-RDR 1.1.1.1 101 2.2.2.2 80 <- -> 4.4.4.4 1000 6.6.0.1 3128
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n106 b/contrib/ipfilter/test/expected/n106
new file mode 100644
index 0000000..d466e65
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n106
@@ -0,0 +1,25 @@
+4500 0028 0001 0000 ff06 adc0 0404 0404 0606 0001 03e8 0c38 0000 0001 1000 0001 5010 2000 61a4 0000
+
+4500 0028 0001 0000 ff06 b5c9 0202 0202 0101 0101 0050 0065 0000 0001 1000 0001 5010 2000 7918 0000
+
+List of active MAP/Redirect filters:
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 port = 80 -> src 4.4.4.4/32,1000-1001 dst 6.6.0.0/16,port = 3128;
+
+List of active sessions:
+RWR-MAP 1.1.1.1 101 2.2.2.2 80 <- -> 4.4.4.4 1000 6.6.0.1 3128
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n11 b/contrib/ipfilter/test/expected/n11
index 5257a64..ea11b93 100644
--- a/contrib/ipfilter/test/expected/n11
+++ b/contrib/ipfilter/test/expected/n11
@@ -1,51 +1,124 @@
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 1.6.7.8 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 1.6.7.8 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+List of active MAP/Redirect filters:
+bimap zx0 10.1.1.1/32 -> 1.6.7.8/32
+
+List of active sessions:
+BIMAP 10.1.1.1 <- -> 1.6.7.8 [10.1.1.2]
+
+Hostmap table:
+10.1.1.1,10.1.1.2 -> 1.6.7.8,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.1.1.0
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
+15
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.1.1
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.1.1.0
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+List of active MAP/Redirect filters:
+bimap zx0 10.1.1.0/24 -> 10.2.2.2/32
+
+List of active sessions:
+BIMAP 10.1.1.0 <- -> 10.2.2.2 [10.2.3.4]
+BIMAP 10.1.1.2 <- -> 10.2.2.2 [10.1.1.1]
+BIMAP 10.1.1.0 <- -> 10.2.2.2 [10.1.1.2]
+
+Hostmap table:
+10.1.1.2,10.1.1.1 -> 10.2.2.2,0.0.0.0 (use = 1)
+10.1.1.0,10.1.1.2 -> 10.2.2.2,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.3.4.0 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.5
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.5
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.5
+> zx0 ip #0 20(20) 255 10.3.4.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.3.4.1 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.3.4.2 > 10.1.1.1
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.5
+List of active MAP/Redirect filters:
+bimap zx0 10.1.1.0/24 -> 10.3.4.0/24
+
+List of active sessions:
+BIMAP 10.1.1.5 <- -> 10.3.4.5 [10.1.1.2]
+BIMAP 10.1.1.5 <- -> 10.3.4.5 [10.1.1.1]
+BIMAP 10.1.1.5 <- -> 10.3.4.5 [10.1.1.0]
+BIMAP 10.1.1.2 <- -> 10.3.4.2 [10.1.1.1]
+BIMAP 10.1.1.1 <- -> 10.3.4.1 [10.1.1.2]
+BIMAP 10.1.1.0 <- -> 10.3.4.0 [10.1.1.2]
+
+Hostmap table:
+10.1.1.2,10.1.1.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.0,10.1.1.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
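Review bot: In the third block the `Hostmap table` rows disagree with the `List of active sessions` printed just above them. The sessions show `BIMAP 10.1.1.2 <- -> 10.3.4.2` and `BIMAP 10.1.1.0 <- -> 10.3.4.0`, while the hostmap rows `10.1.1.2,10.1.1.1 -> 10.3.4.1` and `10.1.1.0,10.1.1.2 -> 10.3.4.1` send every source to 10.3.4.1, and the three `10.1.1.5` sessions have no hostmap row at all. In expected/n1 the comparable `/24 -> /24` block has hostmap rows that match its sessions, so this looks like a hostmap defect for bimap being frozen into the baseline rather than intended output. I would confirm which side is right before committing the file; if the sessions are, the rows would read `10.1.1.2,10.1.1.1 -> 10.3.4.2,0.0.0.0 (use = 1)` and `10.1.1.0,10.1.1.2 -> 10.3.4.0,0.0.0.0 (use = 1)`.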
diff --git a/contrib/ipfilter/test/expected/n11_6 b/contrib/ipfilter/test/expected/n11_6
new file mode 100644
index 0000000..f1c80de
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n11_6
@@ -0,0 +1,124 @@
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 1:0:0:0:0:6:7:8 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+List of active MAP/Redirect filters:
+bimap zx0 inet6 10:1:1::1/128 -> 1::6:7:8/128
+
+List of active sessions:
+BIMAP 10:1:1::1 <- -> 1::6:7:8 [10:1:1::2]
+
+Hostmap table:
+10:1:1::1,10:1:1::2 -> 1::6:7:8,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:1:0:0:0:0:2
+16
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:1:1:0:0:0:0:0
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:0
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+List of active MAP/Redirect filters:
+bimap zx0 inet6 10:1:1::/112 -> 10::2:2:2/128
+
+List of active sessions:
+BIMAP 10:1:1:: <- -> 10::2:2:2 [10::2:3:4]
+BIMAP 10:1:1::2 <- -> 10::2:2:2 [10:1:1::1]
+BIMAP 10:1:1:: <- -> 10::2:2:2 [10:1:1::2]
+
+Hostmap table:
+10:1:1::2,10:1:1::1 -> 10::2:2:2,any (use = 1)
+10:1:1::,10:1:1::2 -> 10::2:2:2,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:1 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:5
+List of active MAP/Redirect filters:
+bimap zx0 inet6 10:1:1::/112 -> 10::3:4:0/112
+
+List of active sessions:
+BIMAP 10:1:1::5 <- -> 10::3:4:5 [10:1:1::2]
+BIMAP 10:1:1::5 <- -> 10::3:4:5 [10:1:1::1]
+BIMAP 10:1:1::5 <- -> 10::3:4:5 [10:1:1::]
+BIMAP 10:1:1::2 <- -> 10::3:4:2 [10:1:1::1]
+BIMAP 10:1:1::1 <- -> 10::3:4:1 [10:1:1::2]
+BIMAP 10:1:1:: <- -> 10::3:4:0 [10:1:1::2]
+
+Hostmap table:
+10:1:1::2,10:1:1::1 -> 10::3:4:1,any (use = 1)
+10:1:1::1,10:1:1::2 -> 10::3:4:1,any (use = 1)
+10:1:1::,10:1:1::2 -> 10::3:4:1,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n12 b/contrib/ipfilter/test/expected/n12
index 0d5cefb..56b3a78 100644
--- a/contrib/ipfilter/test/expected/n12
+++ b/contrib/ipfilter/test/expected/n12
@@ -4,4 +4,25 @@
4510 0034 493b 4000 4006 6b69 c0a8 01bc c0a8 0303 2710 0017 4e33 298f f674 e02d 8010 4000 f673 0000 0101 080a 0c72 549e 2c05 b797
+List of active MAP/Redirect filters:
+map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000 sequential
+
+List of active sessions:
+MAP 192.168.126.83 4802 <- -> 192.168.1.188 10000 [192.168.3.3 23]
+
+Hostmap table:
+192.168.126.83,192.168.3.3 -> 0.0.0.0,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n12_6 b/contrib/ipfilter/test/expected/n12_6
new file mode 100644
index 0000000..9ef040a
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n12_6
@@ -0,0 +1,28 @@
+6000 0000 002c 0640 c0a8 0100 0000 0000 0000 0000 0000 00bc c0a8 0300 0000 0000 0000 0000 0000 0003 2710 0017 4e33 298e 0000 0000 b002 4000 6ff8 0000 0204 05b4 0101 0402 0103 0300 0101 080a 0c72 549e 0000 0000
+
+6000 0000 0028 06fe c0a8 0300 0000 0000 0000 0000 0000 0003 c0a8 7e00 0000 0000 0000 0000 0000 0053 0017 12c2 f674 e02c 4e33 298f a012 2798 7ace 0000 0101 080a 2c05 b797 0c72 549e 0103 0300 0204 05b4
+
+6000 0000 0020 0640 c0a8 0100 0000 0000 0000 0000 0000 00bc c0a8 0300 0000 0000 0000 0000 0000 0003 2710 0017 4e33 298f f674 e02d 8010 4000 f673 0000 0101 080a 0c72 549e 2c05 b797
+
+List of active MAP/Redirect filters:
+map le0 inet6 c0a8:7e00::/112 -> ::/128 portmap tcp/udp 10000:20000
+
+List of active sessions:
+MAP c0a8:7e00::53 4802 <- -> c0a8:100::bc 10000 [c0a8:300::3 23]
+
+Hostmap table:
+c0a8:7e00::53,c0a8:300::3 -> any,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n13 b/contrib/ipfilter/test/expected/n13
index bfe2018..e6d26b2 100644
--- a/contrib/ipfilter/test/expected/n13
+++ b/contrib/ipfilter/test/expected/n13
@@ -1,5 +1,32 @@
-ip #0 20(20) 0 203.1.1.23 > 150.1.1.1
-ip #0 20(20) 0 203.1.1.23 > 150.1.1.2
-ip #0 20(20) 0 203.1.1.24 > 150.1.1.2
-ip #0 20(20) 0 203.1.1.25 > 150.1.1.1
+> le0 ip #0 20(20) 0 203.1.1.23 > 150.1.1.1
+> le0 ip #0 20(20) 0 203.1.1.23 > 150.1.1.2
+> le0 ip #0 20(20) 0 203.1.1.24 > 150.1.1.2
+> le0 ip #0 20(20) 0 203.1.1.25 > 150.1.1.1
+List of active MAP/Redirect filters:
+map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
+
+List of active sessions:
+MAP 192.168.1.3 <- -> 203.1.1.25 [150.1.1.1]
+MAP 192.168.1.2 <- -> 203.1.1.24 [150.1.1.2]
+MAP 192.168.1.1 <- -> 203.1.1.23 [150.1.1.2]
+MAP 192.168.1.1 <- -> 203.1.1.23 [150.1.1.1]
+
+Hostmap table:
+192.168.1.3,150.1.1.1 -> 203.1.1.25,0.0.0.0 (use = 1)
+192.168.1.2,150.1.1.2 -> 203.1.1.24,0.0.0.0 (use = 1)
+192.168.1.1,150.1.1.2 -> 203.1.1.23,0.0.0.0 (use = 1)
+192.168.1.1,150.1.1.1 -> 203.1.1.23,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n13_6 b/contrib/ipfilter/test/expected/n13_6
new file mode 100644
index 0000000..d3b5fe7
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n13_6
@@ -0,0 +1,32 @@
+> le0 ip6/0 1 0 41 203:0:1:0:0:0:1:23 > 150.1.1.1
+> le0 ip6/0 1 0 41 203:0:1:0:0:0:1:23 > 150.1.1.2
+> le0 ip6/0 1 0 41 203:0:1:0:0:0:1:24 > 150.1.1.2
+> le0 ip6/0 1 0 41 203:0:1:0:0:0:1:25 > 150.1.1.1
+List of active MAP/Redirect filters:
+map le0 inet6 192:168:0::0/48 -> range 203:0:1::1:23-203:0:1::3:45
+
+List of active sessions:
+MAP 192.168.1.3 <- -> 203:0:1::1:25 [150.1.1.1]
+MAP 192.168.1.2 <- -> 203:0:1::1:24 [150.1.1.2]
+MAP 192.168.1.1 <- -> 203:0:1::1:23 [150.1.1.2]
+MAP 192.168.1.1 <- -> 203:0:1::1:23 [150.1.1.1]
+
+Hostmap table:
+192.168.1.3,150.1.1.1 -> 203:0:1:0:0:0:1:25,any (use = 1)
+192.168.1.2,150.1.1.2 -> 203:0:1:0:0:0:1:24,any (use = 1)
+192.168.1.1,150.1.1.2 -> 203:0:1:0:0:0:1:23,any (use = 1)
+192.168.1.1,150.1.1.1 -> 203:0:1:0:0:0:1:23,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n14 b/contrib/ipfilter/test/expected/n14
index 4669300..7b1a19e 100644
--- a/contrib/ipfilter/test/expected/n14
+++ b/contrib/ipfilter/test/expected/n14
@@ -1,5 +1,30 @@
-ip #0 40(20) 6 10.2.2.5,2000 > 10.1.1.254,80
-ip #0 40(20) 6 10.2.2.6,2000 > 10.1.1.253,80
-ip #0 40(20) 6 10.2.2.7,2000 > 10.1.1.254,80
-ip #0 40(20) 6 10.2.2.5,2001 > 10.1.1.254,80
+< gre0 ip #0 40(20) 6 10.2.2.5,2000 > 10.1.1.254,80
+< gre0 ip #0 40(20) 6 10.2.2.6,2000 > 10.1.1.253,80
+< gre0 ip #0 40(20) 6 10.2.2.7,2000 > 10.1.1.254,80
+15
+List of active MAP/Redirect filters:
+rdr gre0 0/0 port 80 -> 10.1.1.254,10.1.1.253 port 80 tcp sticky
+
+List of active sessions:
+RDR 10.1.1.254 80 <- -> 203.1.1.1 80 [10.2.2.7 2000]
+RDR 10.1.1.253 80 <- -> 203.1.1.1 80 [10.2.2.6 2000]
+RDR 10.1.1.254 80 <- -> 203.1.1.1 80 [10.2.2.5 2000]
+
+Hostmap table:
+10.2.2.7,203.1.1.1 -> 254.1.1.10,0.0.0.0 (use = 1)
+10.2.2.6,203.1.1.1 -> 253.1.1.10,0.0.0.0 (use = 1)
+10.2.2.5,203.1.1.1 -> 254.1.1.10,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
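Review bot: The three Hostmap table lines added in this hunk print the mapped address as 254.1.1.10 and 253.1.1.10, while the rdr rule and the session list just above them give the redirect targets as 10.1.1.254 and 10.1.1.253, so the expected output appears to record a byte-swapped address. If this file is compared verbatim against the tool's dump, that ordering becomes the passing result, and a byte-order mistake in the hostmap path of the NAT code would go unnoticed. It is worth confirming whether the hostmap printer or the stored value is at fault, then regenerating so the line reads `10.2.2.7,203.1.1.1 -> 10.1.1.254,0.0.0.0 (use = 1)`, and likewise for the .6 and .5 entries. The n14_6 hunk shows the same pattern with `254:1:1::10` and `253:0:1:0:0:0:1:10` against rule targets 10:1:1::254 and 10:1:1::253, and it formats the two addresses inconsistently.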
diff --git a/contrib/ipfilter/test/expected/n14_6 b/contrib/ipfilter/test/expected/n14_6
new file mode 100644
index 0000000..b999ee97
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n14_6
@@ -0,0 +1,30 @@
+< gre0 ip6/0 20 0 6 10:0:0:0:0:2:2:5,2000 > 10:1:1:0:0:0:0:254,80
+< gre0 ip6/0 20 0 6 10:0:0:0:0:2:2:6,2000 > 10:1:1:0:0:0:0:253,80
+< gre0 ip6/0 20 0 6 10:0:0:0:0:2:2:7,2000 > 10:1:1:0:0:0:0:254,80
+< gre0 ip6/0 20 0 6 10:0:0:0:0:2:2:5,2001 > 203:0:1:0:0:0:1:1,80
+List of active MAP/Redirect filters:
+rdr gre0 inet6 any port 80 -> 10:1:1::254,10:1:1::253 port 80 tcp sticky
+
+List of active sessions:
+RDR 10:1:1::254 80 <- -> 203:0:1::1:1 80 [10::2:2:7 2000]
+RDR 10:1:1::253 80 <- -> 203:0:1::1:1 80 [10::2:2:6 2000]
+RDR 10:1:1::254 80 <- -> 203:0:1::1:1 80 [10::2:2:5 2000]
+
+Hostmap table:
+10::2:2:7,203:0:1:0:0:0:1:1 -> 254:1:1::10,any (use = 1)
+10::2:2:6,203:0:1:0:0:0:1:1 -> 253:0:1:0:0:0:1:10,any (use = 1)
+10::2:2:5,203:0:1:0:0:0:1:1 -> 254:1:1::10,any (use = 3)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n15 b/contrib/ipfilter/test/expected/n15
new file mode 100644
index 0000000..3889f82
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n15
@@ -0,0 +1,47 @@
+< le0 ip #0 40(20) 6 9.9.9.9,10011 > 3.3.3.3,80
+15
+List of active MAP/Redirect filters:
+rdr le0 0/0 port 80 -> 3.3.3.3/32 port 80 tcp
+
+List of active sessions:
+RDR 3.3.3.3 80 <- -> 5.5.5.5 80 [9.9.9.9 10011]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< le0 ip #0 40(20) 6 9.9.9.9,10011 > 3.3.3.3,80
+< le0 ip #0 40(20) 6 9.9.9.9,10011 > 3.3.3.3,81
+List of active MAP/Redirect filters:
+rdr le0 0/0 port 80 -> 3.3.3.3/32 port 80-88 tcp
+
+List of active sessions:
+RDR 3.3.3.3 81 <- -> 2.2.2.2 80 [9.9.9.9 10011]
+RDR 3.3.3.3 80 <- -> 5.5.5.5 80 [9.9.9.9 10011]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n15_6 b/contrib/ipfilter/test/expected/n15_6
new file mode 100644
index 0000000..f01b72b
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n15_6
@@ -0,0 +1,47 @@
+< le0 ip6/0 20 0 6 9:9:9:0:0:0:0:9,10011 > 3:0:3:0:0:0:3:3,80
+16
+List of active MAP/Redirect filters:
+rdr le0 inet6 any port 80 -> 3:0:3::3:3/128 port 80 tcp
+
+List of active sessions:
+RDR 3:0:3::3:3 80 <- -> 5:5::5:5 80 [9:9:9::9 10011]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< le0 ip6/0 20 0 6 9:9:9:0:0:0:0:9,10011 > 3:0:3:0:0:0:3:3,80
+< le0 ip6/0 20 0 6 9:9:9:0:0:0:0:9,10011 > 3:0:3:0:0:0:3:3,81
+List of active MAP/Redirect filters:
+rdr le0 inet6 any port 80 -> 3:0:3::3:3/128 port 80-88 tcp
+
+List of active sessions:
+RDR 3:0:3::3:3 81 <- -> 2::2:2:2 80 [9:9:9::9 10011]
+RDR 3:0:3::3:3 80 <- -> 5:5::5:5 80 [9:9:9::9 10011]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n16 b/contrib/ipfilter/test/expected/n16
index da617d9..0eb3954 100644
--- a/contrib/ipfilter/test/expected/n16
+++ b/contrib/ipfilter/test/expected/n16
@@ -7,7 +7,7 @@
4500 0084 ee0f 0000 8001 4a21 45f8 4fc1 c05b ac33 0303 bf85 0000 0000 4520 0068 17e4 0000 6a11 3639 c05b ac33 45f8 4fc1 1194 94f8 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
List of active MAP/Redirect filters:
-rdr vlan0 from any to 69.248.79.193/32 port = 38136 -> 172.31.83.24 port 2013 udp
+rdr vlan0 from 0/0 to 69.248.79.193/32 port = 38136 -> 172.31.83.24/32 port 2013 udp
List of active sessions:
RDR 172.31.83.24 2013 <- -> 69.248.79.193 38136 [192.91.172.51 4500]
@@ -18,4 +18,12 @@ List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n17 b/contrib/ipfilter/test/expected/n17
new file mode 100644
index 0000000..f336bb0
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n17
@@ -0,0 +1,24 @@
+4500 00a0 0000 0100 3f06 7555 0101 0101 0201 0101 0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
+
+4500 00a0 0000 0100 3f06 7553 0201 0101 0101 0103 0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
+
+List of active MAP/Redirect filters:
+bimap zx0 0/0 -> 1.1.1.3/32
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n18 b/contrib/ipfilter/test/expected/n18
new file mode 100644
index 0000000..c51c11c
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n18
@@ -0,0 +1,111 @@
+> z0 ip #0 40(20) 6 1.1.1.1,1 > 3.3.3.3,30
+> z0 ip #0 40(20) 6 1.1.1.1,2 > 3.3.3.3,31
+> z0 ip #0 40(20) 6 1.1.1.1,3 > 3.3.3.3,32
+> z0 ip #0 40(20) 6 1.1.1.1,4 > 3.3.3.3,33
+> z0 ip #0 40(20) 6 1.1.1.1,1 > 3.3.3.3,34
+> z0 ip #0 40(20) 6 1.1.1.1,2 > 3.3.3.3,35
+> z0 ip #0 40(20) 6 1.1.1.1,3 > 3.3.3.3,36
+> z0 ip #0 40(20) 6 1.1.1.1,4 > 3.3.3.3,37
+List of active MAP/Redirect filters:
+map z0 0/0 -> 1.1.1.1/32 portmap tcp/udp 1:4 sequential
+
+List of active sessions:
+MAP 2.2.2.2 29 <- -> 1.1.1.1 4 [3.3.3.3 37]
+MAP 2.2.2.2 28 <- -> 1.1.1.1 3 [3.3.3.3 36]
+MAP 2.2.2.2 27 <- -> 1.1.1.1 2 [3.3.3.3 35]
+MAP 2.2.2.2 26 <- -> 1.1.1.1 1 [3.3.3.3 34]
+MAP 2.2.2.2 25 <- -> 1.1.1.1 4 [3.3.3.3 33]
+MAP 2.2.2.2 24 <- -> 1.1.1.1 3 [3.3.3.3 32]
+MAP 2.2.2.2 23 <- -> 1.1.1.1 2 [3.3.3.3 31]
+MAP 2.2.2.2 22 <- -> 1.1.1.1 1 [3.3.3.3 30]
+
+Hostmap table:
+2.2.2.2,3.3.3.3 -> 1.1.1.1,0.0.0.0 (use = 8)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> z0 ip #0 40(20) 6 1.1.1.1,1000 > 3.3.3.3,30
+> z0 ip #0 40(20) 6 1.1.1.1,1001 > 3.3.3.3,31
+> z0 ip #0 40(20) 6 1.1.1.1,1002 > 3.3.3.3,32
+> z0 ip #0 40(20) 6 1.1.1.1,1003 > 3.3.3.3,33
+> z0 ip #0 40(20) 6 1.1.1.1,1004 > 3.3.3.3,34
+> z0 ip #0 40(20) 6 1.1.1.1,1005 > 3.3.3.3,35
+> z0 ip #0 40(20) 6 1.1.1.1,1006 > 3.3.3.3,36
+> z0 ip #0 40(20) 6 1.1.1.1,1007 > 3.3.3.3,37
+List of active MAP/Redirect filters:
+map z0 0/0 -> 1.1.1.1/32 portmap tcp/udp 1000:5000 sequential
+
+List of active sessions:
+MAP 2.2.2.2 29 <- -> 1.1.1.1 1007 [3.3.3.3 37]
+MAP 2.2.2.2 28 <- -> 1.1.1.1 1006 [3.3.3.3 36]
+MAP 2.2.2.2 27 <- -> 1.1.1.1 1005 [3.3.3.3 35]
+MAP 2.2.2.2 26 <- -> 1.1.1.1 1004 [3.3.3.3 34]
+MAP 2.2.2.2 25 <- -> 1.1.1.1 1003 [3.3.3.3 33]
+MAP 2.2.2.2 24 <- -> 1.1.1.1 1002 [3.3.3.3 32]
+MAP 2.2.2.2 23 <- -> 1.1.1.1 1001 [3.3.3.3 31]
+MAP 2.2.2.2 22 <- -> 1.1.1.1 1000 [3.3.3.3 30]
+
+Hostmap table:
+2.2.2.2,3.3.3.3 -> 1.1.1.1,0.0.0.0 (use = 8)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> z0 ip #0 40(20) 6 1.1.1.1,1000 > 3.3.3.3,30
+> z0 ip #0 40(20) 6 1.1.1.1,1001 > 3.3.3.3,31
+> z0 ip #0 40(20) 6 1.1.1.1,1002 > 3.3.3.3,32
+> z0 ip #0 40(20) 6 1.1.1.1,1003 > 3.3.3.3,33
+> z0 ip #0 40(20) 6 1.1.1.1,1004 > 3.3.3.3,34
+> z0 ip #0 40(20) 6 1.1.1.1,1005 > 3.3.3.3,35
+> z0 ip #0 40(20) 6 1.1.1.1,1006 > 3.3.3.3,36
+> z0 ip #0 40(20) 6 1.1.1.1,1007 > 3.3.3.3,37
+List of active MAP/Redirect filters:
+map z0 0/0 -> 1.1.1.1/32 portmap tcp/udp 1000:50000 sequential
+
+List of active sessions:
+MAP 2.2.2.2 29 <- -> 1.1.1.1 1007 [3.3.3.3 37]
+MAP 2.2.2.2 28 <- -> 1.1.1.1 1006 [3.3.3.3 36]
+MAP 2.2.2.2 27 <- -> 1.1.1.1 1005 [3.3.3.3 35]
+MAP 2.2.2.2 26 <- -> 1.1.1.1 1004 [3.3.3.3 34]
+MAP 2.2.2.2 25 <- -> 1.1.1.1 1003 [3.3.3.3 33]
+MAP 2.2.2.2 24 <- -> 1.1.1.1 1002 [3.3.3.3 32]
+MAP 2.2.2.2 23 <- -> 1.1.1.1 1001 [3.3.3.3 31]
+MAP 2.2.2.2 22 <- -> 1.1.1.1 1000 [3.3.3.3 30]
+
+Hostmap table:
+2.2.2.2,3.3.3.3 -> 1.1.1.1,0.0.0.0 (use = 8)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n1_6 b/contrib/ipfilter/test/expected/n1_6
new file mode 100644
index 0000000..347bf4a
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n1_6
@@ -0,0 +1,197 @@
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:0:0:0:0:2:2:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:1
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::1/128 -> 10::2:2:2/128
+
+List of active sessions:
+MAP 10:1:1::1 <- -> 10::2:2:2 [10:4:3::2]
+MAP 10:1:1::1 <- -> 10::2:2:2 [10:1:1::2]
+
+Hostmap table:
+10:1:1::1,10:4:3::2 -> 10::2:2:2,any (use = 1)
+10:1:1::1,10:1:1::2 -> 10::2:2:2,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:5 > 10:1:1:0:0:0:0:2
+16
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:5 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:0
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 88 0 58 10:0:0:0:0:3:4:5 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:1
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:5 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:5 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:1:1:0:0:0:0:2
+16
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:0:0:0:0:3:4:5 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::/112 -> 10::3:4:5/128
+
+List of active sessions:
+MAP 10:1:1::3 <- -> 10::3:4:5 [10:4:3::4]
+MAP 10:1:1::2 <- -> 10::3:4:5 [10:4:3::4]
+MAP 10:1:1::2 <- -> 10::3:4:5 [10:4:3::2]
+MAP 10:1:1::1 <- -> 10::3:4:5 [10:4:3::2]
+MAP 10:1:1::2 1026 <- -> 10::3:4:5 1026 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 1025 [10:1:1::1 1025]
+MAP 10:1:1::2 <- -> 10::3:4:5 [10:1:1::1]
+MAP 10:1:1:: <- -> 10::3:4:5 [10:1:1::2]
+
+Hostmap table:
+10:1:1::3,10:4:3::4 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:4:3::4 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:4:3::2 -> 10::3:4:5,any (use = 1)
+10:1:1::1,10:4:3::2 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:5,any (use = 3)
+10:1:1::,10:1:1::2 -> 10::3:4:5,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:1 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:2 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:3 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:3,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:3,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:0:0:0:0:3:4:3 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:1
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:3 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:4 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:0:0:0:0:3:4:4 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::/112 -> 10::3:4:0/112
+
+List of active sessions:
+MAP 10:1:1::3 <- -> 10::3:4:4 [10:4:3::4]
+MAP 10:1:1::3 <- -> 10::3:4:4 [10:4:3::4]
+MAP 10:1:1::2 <- -> 10::3:4:3 [10:4:3::4]
+MAP 10:1:1::2 <- -> 10::3:4:3 [10:4:3::2]
+MAP 10:1:1::1 <- -> 10::3:4:3 [10:4:3::2]
+MAP 10:1:1::2 1026 <- -> 10::3:4:3 1026 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:3 1025 [10:1:1::1 1025]
+MAP 10:1:1::2 <- -> 10::3:4:3 [10:1:1::1]
+MAP 10:1:1::1 <- -> 10::3:4:2 [10:1:1::2]
+MAP 10:1:1:: <- -> 10::3:4:1 [10:1:1::2]
+
+Hostmap table:
+10:1:1::3,10:4:3::4 -> 10::3:4:4,any (use = 2)
+10:1:1::2,10:4:3::4 -> 10::3:4:3,any (use = 1)
+10:1:1::2,10:4:3::2 -> 10::3:4:3,any (use = 1)
+10:1:1::1,10:4:3::2 -> 10::3:4:3,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:3,any (use = 3)
+10:1:1::1,10:1:1::2 -> 10::3:4:2,any (use = 1)
+10:1:1::,10:1:1::2 -> 10::3:4:1,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n2 b/contrib/ipfilter/test/expected/n2
index 827272e..836608a 100644
--- a/contrib/ipfilter/test/expected/n2
+++ b/contrib/ipfilter/test/expected/n2
@@ -1,80 +1,191 @@
-ip #0 40(20) 6 10.2.2.2,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.2.2.2,10001 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.2.2.2,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.2.2.2,10001 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000 sequential
+
+List of active sessions:
+MAP 10.1.1.1 1025 <- -> 10.2.2.2 10001 [10.1.1.2 1025]
+MAP 10.1.1.1 1025 <- -> 10.2.2.2 10000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.1.1,10.1.1.2 -> 10.2.2.2,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.1 -> 10.2.2.2,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 10000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.1.2,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10003 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10003 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10.1.1.3 2003 <- -> 10.3.4.1 10008 [10.1.4.1 80]
+MAP 10.1.1.3 2002 <- -> 10.3.4.1 10007 [10.1.4.1 80]
+MAP 10.1.1.3 2001 <- -> 10.3.4.1 10006 [10.1.3.1 80]
+MAP 10.1.1.3 2000 <- -> 10.3.4.1 10005 [10.1.2.1 80]
+MAP 10.1.1.2 1025 <- -> 10.3.4.1 10004 [10.1.1.1 1025]
+MAP 10.1.1.2 1026 <- -> 10.3.4.1 10003 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.1 10002 [10.1.1.1 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.1 10001 [10.1.1.2 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.1 10000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.1.3,10.1.4.1 -> 10.3.4.1,0.0.0.0 (use = 2)
+10.1.1.3,10.1.3.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.3,10.1.2.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.1,0.0.0.0 (use = 3)
+10.1.1.1,10.1.1.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.1.1.3,2000
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+15
+> zx0 ip #0 28(20) 17 10.3.4.5,40000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.1.1.3,2000
+List of active MAP/Redirect filters:
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001 sequential
+
+List of active sessions:
+MAP 10.1.1.3 2003 <- -> 10.3.4.5 40000 [10.1.4.1 80]
+MAP 10.1.1.3 2002 <- -> 10.3.4.5 40001 [10.1.4.1 80]
+MAP 10.1.1.3 2001 <- -> 10.3.4.5 40000 [10.1.3.1 80]
+MAP 10.1.1.3 2000 <- -> 10.3.4.5 40001 [10.1.2.1 80]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 40000 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 40001 [10.1.1.1 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.5 40001 [10.1.1.2 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.5 40000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.1.3,10.1.4.1 -> 10.3.4.5,0.0.0.0 (use = 2)
+10.1.1.3,10.1.3.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.3,10.1.2.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 2)
+10.1.1.1,10.1.1.2 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
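Review bot: The bare `15` on the new side of the last section (the `portmap tcp/udp 40000:40001` case) replaces the old expected line `ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025`, and nothing in the fixture says what the number means. It looks as if the packet that used to leave untranslated, still carrying its internal source address, is now reported as a numeric result instead of being emitted; that would be a deliberate fail-closed change worth stating, but it is inferred from the fixture alone. The matching position in the new `n2_6` file holds `16`, and the `n4` hunk (which continues past the visible lines) has another `15`, so the value seems to differ by address family. I would add one line to the commit description or the test documentation along the lines of `a bare number in expected/n* is the result code printed when a packet is not emitted (15 in n2/n4, 16 in n2_6)`, after confirming the meaning against the test driver.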
diff --git a/contrib/ipfilter/test/expected/n200 b/contrib/ipfilter/test/expected/n200
new file mode 100644
index 0000000..0f3c6a5
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n200
@@ -0,0 +1,25 @@
+4500 0044 0000 0000 ff11 bda6 7f00 0001 7f00 0001 2775 2775 0030 0000 4500 0028 0000 0000 0006 435a 6363 6363 5858 5858 038d 0050 0000 0000 0000 0000 5000 1000 2491 0000
+
+4500 0028 0000 0000 0006 435a 6363 6363 5858 5858 038d 0050 0000 0000 0000 0000 5000 1000 2491 0000
+
+List of active MAP/Redirect filters:
+divert in on bar0 proto tcp from 0/0 to 0/0 -> src 127.0.0.1/32,10101 dst 127.0.0.1/32,10101 udp;
+
+List of active sessions:
+DIV-RDR 127.0.0.1 10101 <- -> 88.88.88.88 80 [99.99.99.99 909]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n2_6 b/contrib/ipfilter/test/expected/n2_6
new file mode 100644
index 0000000..08abc8f
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n2_6
@@ -0,0 +1,191 @@
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,10001 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2002 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2003 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::1/128 -> 10::2:2:2/128 portmap tcp 10000:20000 sequential
+
+List of active sessions:
+MAP 10:1:1::1 1025 <- -> 10::2:2:2 10001 [10:1:1::2 1025]
+MAP 10:1:1::1 1025 <- -> 10::2:2:2 10000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:1::1,10:1:1::2 -> 10::2:2:2,any (use = 1)
+10:1:1::1,10:1:1::1 -> 10::2:2:2,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2002 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2003 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::/112 -> 10::3:4:5/128 portmap udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 10000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:1::2,10:1:1::1 -> 10::3:4:5,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10001 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10002 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10002 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10003 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:1,10004 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10005 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10006 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10007 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10008 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1::/32 -> 10::3:4:0/112 portmap tcp/udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10:1:1::3 2003 <- -> 10::3:4:1 10008 [10:1:4::1 80]
+MAP 10:1:1::3 2002 <- -> 10::3:4:1 10007 [10:1:4::1 80]
+MAP 10:1:1::3 2001 <- -> 10::3:4:1 10006 [10:1:3::1 80]
+MAP 10:1:1::3 2000 <- -> 10::3:4:1 10005 [10:1:2::1 80]
+MAP 10:1:1::2 1025 <- -> 10::3:4:1 10004 [10:1:1::1 1025]
+MAP 10:1:1::2 1026 <- -> 10::3:4:1 10003 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:1 10002 [10:1:1::1 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:1 10001 [10:1:1::2 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:1 10000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:1::3,10:1:4::1 -> 10::3:4:1,any (use = 2)
+10:1:1::3,10:1:3::1 -> 10::3:4:1,any (use = 1)
+10:1:1::3,10:1:2::1 -> 10::3:4:1,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:1,any (use = 3)
+10:1:1::1,10:1:1::2 -> 10::3:4:1,any (use = 1)
+10:1:1::1,10:1:1::1 -> 10::3:4:1,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:1:0:0:0:0:1,1025
+16
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,40000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:1,1025
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:1:1:0:0:0:0:3,2000
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::/112 -> 10::3:4:5/128 portmap tcp/udp 40000:40001 sequential
+
+List of active sessions:
+MAP 10:1:1::3 2003 <- -> 10::3:4:5 40000 [10:1:4::1 80]
+MAP 10:1:1::3 2002 <- -> 10::3:4:5 40001 [10:1:4::1 80]
+MAP 10:1:1::3 2001 <- -> 10::3:4:5 40000 [10:1:3::1 80]
+MAP 10:1:1::3 2000 <- -> 10::3:4:5 40001 [10:1:2::1 80]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 40000 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 40001 [10:1:1::1 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:5 40001 [10:1:1::2 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:5 40000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:1::3,10:1:4::1 -> 10::3:4:5,any (use = 2)
+10:1:1::3,10:1:3::1 -> 10::3:4:5,any (use = 1)
+10:1:1::3,10:1:2::1 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:5,any (use = 2)
+10:1:1::1,10:1:1::2 -> 10::3:4:5,any (use = 1)
+10:1:1::1,10:1:1::1 -> 10::3:4:5,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n3 b/contrib/ipfilter/test/expected/n3
index 0e019ae..66ada76 100644
--- a/contrib/ipfilter/test/expected/n3
+++ b/contrib/ipfilter/test/expected/n3
@@ -1,12 +1,66 @@
-ip #0 40(20) 6 192.168.2.1,1488 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.2.1,1276 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.2.1,1032 > 203.1.1.1,80
-ip #0 28(20) 17 192.168.2.1,1032 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.2.1,65299 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.2.1,1488 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.2.1,1276 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.2.1,1032 > 203.1.1.1,80
+> zz0 ip #0 28(20) 17 192.168.2.1,1032 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.2.1,65299 > 203.1.1.1,80
+List of active MAP/Redirect filters:
+map zz0 10.1.0.0/16 -> 192.168.2.0/24 portmap tcp/udp auto
+
+List of active sessions:
+MAP 10.1.255.255 65535 <- -> 192.168.2.1 65299 [203.1.1.1 80]
+MAP 10.1.0.0 32768 <- -> 192.168.2.1 1032 [203.1.1.1 80]
+MAP 10.1.0.0 32768 <- -> 192.168.2.1 1032 [203.1.1.1 80]
+MAP 10.1.1.1 252 <- -> 192.168.2.1 1276 [203.1.1.1 80]
+MAP 10.1.1.1 5000 <- -> 192.168.2.1 1488 [203.1.1.1 80]
+
+Hostmap table:
+10.1.255.255,203.1.1.1 -> 192.168.2.1,0.0.0.0 (use = 1)
+10.1.0.0,203.1.1.1 -> 192.168.2.1,0.0.0.0 (use = 2)
+10.1.1.1,203.1.1.1 -> 192.168.2.1,0.0.0.0 (use = 2)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 192.168.1.1,1488 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.1.1,1276 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.1.0,1032 > 203.1.1.1,80
-ip #0 28(20) 17 192.168.1.0,1032 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.1.255,65299 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.1.1,1488 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.1.1,1276 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.1.0,1032 > 203.1.1.1,80
+> zz0 ip #0 28(20) 17 192.168.1.0,1032 > 203.1.1.1,80
+> zz0 ip #0 40(20) 6 192.168.1.255,65299 > 203.1.1.1,80
+List of active MAP/Redirect filters:
+map-block zz0 10.1.0.0/16 -> 192.168.1.0/24 ports 252
+
+List of active sessions:
+MAP-BLOCK 10.1.255.255 65535 <- -> 192.168.1.255 65299 [203.1.1.1 80]
+MAP-BLOCK 10.1.0.0 32768 <- -> 192.168.1.0 1032 [203.1.1.1 80]
+MAP-BLOCK 10.1.0.0 32768 <- -> 192.168.1.0 1032 [203.1.1.1 80]
+MAP-BLOCK 10.1.1.1 252 <- -> 192.168.1.1 1276 [203.1.1.1 80]
+MAP-BLOCK 10.1.1.1 5000 <- -> 192.168.1.1 1488 [203.1.1.1 80]
+
+Hostmap table:
+10.1.255.255,203.1.1.1 -> 192.168.1.1,0.0.0.0 (use = 1)
+10.1.0.0,203.1.1.1 -> 192.168.1.1,0.0.0.0 (use = 2)
+10.1.1.1,203.1.1.1 -> 192.168.1.1,0.0.0.0 (use = 2)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
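Review bot: The hostmap table expected for the `map-block` case does not agree with the session list just above it: the sessions show 10.1.255.255 mapped to 192.168.1.255 and 10.1.0.0 mapped to 192.168.1.0, yet all three hostmap lines name 192.168.1.1. In the first section (`portmap tcp/udp auto`) the two listings agree, so this may be a defect in how map-block fills the hostmap that is being recorded as expected output, though that is inferred from the fixture only. If the hostmap is meant to mirror the mapped address, the expected lines would be `10.1.255.255,203.1.1.1 -> 192.168.1.255,0.0.0.0 (use = 1)` and `10.1.0.0,203.1.1.1 -> 192.168.1.0,0.0.0.0 (use = 2)`. If it is not, a short remark in the commit description would keep the next reader from relying on this table when correlating translated addresses.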
diff --git a/contrib/ipfilter/test/expected/n4 b/contrib/ipfilter/test/expected/n4
index 863217c..746ef7e 100644
--- a/contrib/ipfilter/test/expected/n4
+++ b/contrib/ipfilter/test/expected/n4
@@ -1,66 +1,190 @@
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+> zx0 ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+> zx0 ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+> zx0 ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+> zx0 ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.0/24 port 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.0.0,23 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+> zx0 ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+> zx0 ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12346 > 10.2.2.1,10023
+> zx0 ip #0 40(20) 6 10.1.0.0,23 > 10.3.3.3,12346
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+List of active MAP/Redirect filters:
+rdr zx0 0/0 port 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.0.0 23 [10.3.3.3 12346]
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
-ip #0 28(20) 17 10.1.1.0,53 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+> zx0 ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
+> zx0 ip #0 28(20) 17 10.1.1.0,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.0/24 port 53 -> 10.2.2.1/32 port 10053 udp
+
+List of active sessions:
+RDR 10.2.2.1 10053 <- -> 10.1.1.0 53 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
+> zx0 ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+> zx0 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
+15
+> zx0 ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.0/24 port 0 -> 10.2.2.1/32 port 0 tcp
+
+List of active sessions:
+RDR 10.2.2.1 53 <- -> 10.1.1.1 53 [10.3.3.3 12345]
+RDR 10.2.2.1 23 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
+> zx0 ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
+< zx0 ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
+> zx0 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,53
+> zx0 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
+15
+> zx0 ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.0/24 -> 10.2.2.1/32 ip
+
+List of active sessions:
+RDR 10.2.2.1 53 <- -> 10.1.1.0 53 [10.3.3.3 12345]
+RDR 10.2.2.1 53 <- -> 10.1.1.1 53 [10.3.3.3 12345]
+RDR 10.2.2.1 23 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n4_6 b/contrib/ipfilter/test/expected/n4_6
new file mode 100644
index 0000000..e9a5ce3
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n4_6
@@ -0,0 +1,190 @@
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10023
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,23 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12346 > 10:1:0:0:0:0:0:0,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12346
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,53 > 10:3:3:0:0:0:0:3,12345
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::1/128 port 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10023
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,23 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12346 > 10:1:0:0:0:0:0:0,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12346
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,53 > 10:3:3:0:0:0:0:3,12345
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::/112 port 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10023
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,23 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12346 > 10:0:0:0:0:2:2:1,10023
+> zx0 ip6/0 20 0 6 10:1:0:0:0:0:0:0,23 > 10:3:3:0:0:0:0:3,12346
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,53 > 10:3:3:0:0:0:0:3,12345
+List of active MAP/Redirect filters:
+rdr zx0 inet6 any port 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:: 23 [10:3:3::3 12346]
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12346 > 10:1:0:0:0:0:0:0,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12346
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10053
+> zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:0,53 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,53 > 10:3:3:0:0:0:0:3,12345
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::/112 port 53 -> 10::2:2:1/128 port 10053 udp
+
+List of active sessions:
+RDR 10::2:2:1 10053 <- -> 10:1:1:: 53 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12346 > 10:1:0:0:0:0:0:0,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12346
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+> zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+16
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,53 > 10:3:3:0:0:0:0:3,12345
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::/112 port 0 -> 10::2:2:1/128 port 0 tcp
+
+List of active sessions:
+RDR 10::2:2:1 53 <- -> 10:1:1::1 53 [10:3:3::3 12345]
+RDR 10::2:2:1 23 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,53
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12346 > 10:1:0:0:0:0:0:0,23
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:1,10023 > 10:3:3:0:0:0:0:3,12346
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,53
+> zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:1,10053 > 10:3:3:0:0:0:0:3,12345
+16
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,53 > 10:3:3:0:0:0:0:3,12345
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::/112 -> 10::2:2:1/128 ip
+
+List of active sessions:
+RDR 10::2:2:1 53 <- -> 10:1:1:: 53 [10:3:3::3 12345]
+RDR 10::2:2:1 53 <- -> 10:1:1::1 53 [10:3:3::3 12345]
+RDR 10::2:2:1 23 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
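Review bot: The bare `16` lines in the fifth and sixth result sets (the `port 0 -> 10::2:2:1/128 port 0 tcp` and `-> 10::2:2:1/128 ip` rules) replace a packet line without saying which input was refused or why, and the IPv4 result sets just above this file show `15` in the same position. Judging from the session lists, the ninth input (TCP to `10:1:1::,53`) would redirect to the same `10::2:2:1 53` / `10:3:3::3 12345` tuple as the existing `10:1:1::1 53` session, so the number is presumably the harness's result for a refused translation; that reading should be confirmed against the test driver. A golden file cannot carry comments, so I would record this next to the test's input or rule file, e.g. `# input 9 collides with the 10:1:1::1,53 redirect for the same client; expected to be refused (harness prints a result code)`. With that note in place, a later change in the number is more likely to be reviewed as a change in NAT collision handling than silently re-baselined.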
diff --git a/contrib/ipfilter/test/expected/n5 b/contrib/ipfilter/test/expected/n5
index 0e578b6..423bf48 100644
--- a/contrib/ipfilter/test/expected/n5
+++ b/contrib/ipfilter/test/expected/n5
@@ -1,330 +1,533 @@
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.2.2.2 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.2.2.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.2.2.2,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.2.2.2 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.2.2.2,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.2.2.2,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.2.2.2 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 40(20) 6 10.2.2.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.2.2.2,1025 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.2.2.2 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.2.2.2,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+> zx0 ip #0 40(20) 6 10.2.2.2,1025 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+> zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.1.1/32 -> 10.2.2.2/32
+
+List of active sessions:
+MAP 10.1.1.1 1025 <- -> 10.2.2.2 1025 [10.3.4.5 40000]
+MAP 10.1.1.1 1026 <- -> 10.2.2.2 1026 [10.3.4.5 40000]
+MAP 10.1.1.1 <- -> 10.2.2.2 [10.1.2.1]
+MAP 10.1.1.1 1025 <- -> 10.2.2.2 1025 [10.1.1.2 1025]
+MAP 10.1.1.1 1025 <- -> 10.2.2.2 1025 [10.1.1.1 1025]
+MAP 10.1.1.1 <- -> 10.2.2.2 [10.4.3.2]
+MAP 10.1.1.1 <- -> 10.2.2.2 [10.1.1.2]
+
+Hostmap table:
+10.1.1.1,10.3.4.5 -> 10.2.2.2,0.0.0.0 (use = 2)
+10.1.1.1,10.1.2.1 -> 10.2.2.2,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.1 -> 10.2.2.2,0.0.0.0 (use = 1)
+10.1.1.1,10.4.3.2 -> 10.2.2.2,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.2 -> 10.2.2.2,0.0.0.0 (use = 2)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.3.4.5 > 10.1.1.2
-ip #0 20(20) 0 10.3.4.5 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.5,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.5,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.5,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 20(20) 255 10.3.4.5 > 10.1.1.2
+15
+> zx0 ip #0 20(20) 255 10.3.4.5 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+> zx0 ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+15
+> zx0 ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.3.4.5 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.3.4.5 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.3.4.5,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,2000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,2001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,2002 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,2003 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+> zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
+
+List of active sessions:
+MAP 10.1.1.3 2003 <- -> 10.3.4.5 2003 [10.1.4.1 80]
+MAP 10.1.1.3 2002 <- -> 10.3.4.5 2002 [10.1.4.1 80]
+MAP 10.1.1.3 2001 <- -> 10.3.4.5 2001 [10.1.3.1 80]
+MAP 10.1.1.3 2000 <- -> 10.3.4.5 2000 [10.1.2.1 80]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 1025 [10.1.1.1 1025]
+MAP 10.1.1.1 <- -> 10.3.4.5 [10.1.2.1]
+MAP 10.1.1.0 <- -> 10.3.4.5 [10.1.1.2]
+MAP 10.1.1.1 1025 <- -> 10.3.4.5 1025 [10.1.1.2 1025]
+MAP 10.1.1.2 1026 <- -> 10.3.4.5 1026 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 1025 [10.1.1.1 1025]
+MAP 10.1.1.2 <- -> 10.3.4.5 [10.1.1.1]
+MAP 10.1.1.0 <- -> 10.3.4.5 [10.1.1.2]
+
+Hostmap table:
+10.1.1.3,10.1.4.1 -> 10.3.4.5,0.0.0.0 (use = 2)
+10.1.1.3,10.1.3.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.3,10.1.2.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.1,10.1.2.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.2 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 4)
+10.1.1.0,10.1.1.2 -> 10.3.4.5,0.0.0.0 (use = 2)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.3.4.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.1 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.3.4.1 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.3.4.2 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.3,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.3.4.3,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.3.4.3,1025 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.3.4.1 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.3.4.1 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.3.4.1 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.3.4.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.3.4.2 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.3,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+> zx0 ip #0 40(20) 6 10.3.4.3,1025 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+> zx0 ip #0 28(20) 17 10.3.4.3,1025 > 10.3.4.5,40001
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
+
+List of active sessions:
+MAP 10.1.1.2 1025 <- -> 10.3.4.3 1025 [10.3.4.5 40001]
+MAP 10.1.1.1 1025 <- -> 10.3.4.3 1025 [10.3.4.5 40000]
+MAP 10.1.1.1 1026 <- -> 10.3.4.3 1026 [10.3.4.5 40000]
+MAP 10.1.1.3 <- -> 10.3.4.2 [10.4.3.4]
+MAP 10.1.1.3 <- -> 10.3.4.2 [10.4.3.4]
+MAP 10.1.1.2 <- -> 10.3.4.1 [10.4.3.4]
+MAP 10.1.1.2 <- -> 10.3.4.1 [10.4.3.2]
+MAP 10.1.1.1 <- -> 10.3.4.1 [10.4.3.2]
+
+Hostmap table:
+10.1.1.2,10.3.4.5 -> 10.3.4.3,0.0.0.0 (use = 1)
+10.1.1.1,10.3.4.5 -> 10.3.4.3,0.0.0.0 (use = 2)
+10.1.1.3,10.4.3.4 -> 10.3.4.2,0.0.0.0 (use = 2)
+10.1.1.2,10.4.3.4 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.2,10.4.3.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.1,10.4.3.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.3.4.5,10001 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+> zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+> zx0 ip #0 28(20) 17 10.3.4.5,10001 > 10.3.4.5,40001
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 10001 [10.3.4.5 40001]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 10000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.1.2,10.3.4.5 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10003 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.1,10009 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.3.4.1,10010 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.3.4.1,10011 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.3.4.1,10012 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+> zx0 ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10003 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.1,10009 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+> zx0 ip #0 40(20) 6 10.3.4.1,10010 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+> zx0 ip #0 28(20) 17 10.3.4.1,10011 > 10.3.4.5,40001
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.3.4.1,10012 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10.1.2.1 80 <- -> 10.3.4.1 10012 [10.3.4.5 40001]
+MAP 10.1.1.2 1025 <- -> 10.3.4.1 10011 [10.3.4.5 40001]
+MAP 10.1.1.1 1025 <- -> 10.3.4.1 10010 [10.3.4.5 40000]
+MAP 10.1.1.1 1026 <- -> 10.3.4.1 10009 [10.3.4.5 40000]
+MAP 10.1.1.3 2003 <- -> 10.3.4.1 10008 [10.1.4.1 80]
+MAP 10.1.1.3 2002 <- -> 10.3.4.1 10007 [10.1.4.1 80]
+MAP 10.1.1.3 2001 <- -> 10.3.4.1 10006 [10.1.3.1 80]
+MAP 10.1.1.3 2000 <- -> 10.3.4.1 10005 [10.1.2.1 80]
+MAP 10.1.1.2 1025 <- -> 10.3.4.1 10004 [10.1.1.1 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.1 10003 [10.1.1.2 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.1 10002 [10.1.1.1 1025]
+MAP 10.1.1.2 1026 <- -> 10.3.4.1 10001 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.1 10000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.2.1,10.3.4.5 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.2,10.3.4.5 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.1,10.3.4.5 -> 10.3.4.1,0.0.0.0 (use = 2)
+10.1.1.3,10.1.4.1 -> 10.3.4.1,0.0.0.0 (use = 2)
+10.1.1.3,10.1.3.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.3,10.1.2.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.2 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.1 -> 10.3.4.1,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.1,0.0.0.0 (use = 3)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,40000 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.3.4.5,40001 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 28(20) 17 10.3.4.5,40000 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+> zx0 ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+> zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+> zx0 ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
+> zx0 ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
+< zx0 ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
+< zx0 ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
+< zx0 ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
+< zx0 ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+> zx0 ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
+< zx0 ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
+< zx0 ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
+> zx0 ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
+> zx0 ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
+> zx0 ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
+< zx0 ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
+15
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.2,1025
+> zx0 ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
+> zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+> zx0 ip #0 28(20) 17 10.3.4.5,40001 > 10.1.1.1,1025
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.2.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.3.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
+< zx0 ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+< zx0 ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
+> zx0 ip #0 40(20) 6 10.3.4.5,40000 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+> zx0 ip #0 40(20) 6 10.3.4.5,40001 > 10.3.4.5,40000
+< zx0 ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+> zx0 ip #0 28(20) 17 10.3.4.5,40000 > 10.3.4.5,40001
+< zx0 ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+> zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+< zx0 ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+List of active MAP/Redirect filters:
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001 sequential
+
+List of active sessions:
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 40000 [10.3.4.5 40001]
+MAP 10.1.1.1 1025 <- -> 10.3.4.5 40001 [10.3.4.5 40000]
+MAP 10.1.1.1 1026 <- -> 10.3.4.5 40000 [10.3.4.5 40000]
+MAP 10.1.1.3 2003 <- -> 10.3.4.5 40001 [10.1.4.1 80]
+MAP 10.1.1.3 2002 <- -> 10.3.4.5 40000 [10.1.4.1 80]
+MAP 10.1.1.3 2001 <- -> 10.3.4.5 40001 [10.1.3.1 80]
+MAP 10.1.1.3 2000 <- -> 10.3.4.5 40000 [10.1.2.1 80]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 40001 [10.1.1.1 1025]
+MAP 10.1.1.1 1025 <- -> 10.3.4.5 40000 [10.1.1.2 1025]
+MAP 10.1.1.2 1026 <- -> 10.3.4.5 40001 [10.1.1.1 1025]
+MAP 10.1.1.2 1025 <- -> 10.3.4.5 40000 [10.1.1.1 1025]
+
+Hostmap table:
+10.1.1.2,10.3.4.5 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.1,10.3.4.5 -> 10.3.4.5,0.0.0.0 (use = 2)
+10.1.1.3,10.1.4.1 -> 10.3.4.5,0.0.0.0 (use = 2)
+10.1.1.3,10.1.3.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.3,10.1.2.1 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.1,10.1.1.2 -> 10.3.4.5,0.0.0.0 (use = 1)
+10.1.1.2,10.1.1.1 -> 10.3.4.5,0.0.0.0 (use = 3)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n5_6 b/contrib/ipfilter/test/expected/n5_6
new file mode 100644
index 0000000..1e7bc8e
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n5_6
@@ -0,0 +1,533 @@
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:0:0:0:0:2:2:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2002 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2003 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+> zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::1/128 -> 10::2:2:2/128
+
+List of active sessions:
+MAP 10:1:1::1 1025 <- -> 10::2:2:2 1025 [10::3:4:5 40000]
+MAP 10:1:1::1 1026 <- -> 10::2:2:2 1026 [10::3:4:5 40000]
+MAP 10:1:1::1 <- -> 10::2:2:2 [10:1:2::1]
+MAP 10:1:1::1 1025 <- -> 10::2:2:2 1025 [10:1:1::2 1025]
+MAP 10:1:1::1 1025 <- -> 10::2:2:2 1025 [10:1:1::1 1025]
+MAP 10:1:1::1 <- -> 10::2:2:2 [10:4:3::2]
+MAP 10:1:1::1 <- -> 10::2:2:2 [10:1:1::2]
+
+Hostmap table:
+10:1:1::1,10::3:4:5 -> 10::2:2:2,any (use = 2)
+10:1:1::1,10:1:2::1 -> 10::2:2:2,any (use = 1)
+10:1:1::1,10:1:1::1 -> 10::2:2:2,any (use = 1)
+10:1:1::1,10:4:3::2 -> 10::2:2:2,any (use = 1)
+10:1:1::1,10:1:1::2 -> 10::2:2:2,any (use = 2)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:5 > 10:1:1:0:0:0:0:2
+16
+> zx0 ip6/0 1 0 255 10:0:0:0:0:3:4:5 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:0
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 88 0 58 10:1:1:0:0:0:0:1 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+16
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:0:0:0:0:3:4:5 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:0:0:0:0:3:4:5 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,2000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,2001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,2002 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,2003 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+> zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 from 10:1:1::/112 to 10:1::/32 -> 10::3:4:5/128
+
+List of active sessions:
+MAP 10:1:1::3 2003 <- -> 10::3:4:5 2003 [10:1:4::1 80]
+MAP 10:1:1::3 2002 <- -> 10::3:4:5 2002 [10:1:4::1 80]
+MAP 10:1:1::3 2001 <- -> 10::3:4:5 2001 [10:1:3::1 80]
+MAP 10:1:1::3 2000 <- -> 10::3:4:5 2000 [10:1:2::1 80]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 1025 [10:1:1::1 1025]
+MAP 10:1:1::1 <- -> 10::3:4:5 [10:1:2::1]
+MAP 10:1:1:: <- -> 10::3:4:5 [10:1:1::2]
+MAP 10:1:1::1 1025 <- -> 10::3:4:5 1025 [10:1:1::2 1025]
+MAP 10:1:1::2 1026 <- -> 10::3:4:5 1026 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 1025 [10:1:1::1 1025]
+MAP 10:1:1::2 <- -> 10::3:4:5 [10:1:1::1]
+MAP 10:1:1:: <- -> 10::3:4:5 [10:1:1::2]
+
+Hostmap table:
+10:1:1::3,10:1:4::1 -> 10::3:4:5,any (use = 2)
+10:1:1::3,10:1:3::1 -> 10::3:4:5,any (use = 1)
+10:1:1::3,10:1:2::1 -> 10::3:4:5,any (use = 1)
+10:1:1::1,10:1:2::1 -> 10::3:4:5,any (use = 1)
+10:1:1::1,10:1:1::2 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:5,any (use = 4)
+10:1:1::,10:1:1::2 -> 10::3:4:5,any (use = 2)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:0:0:0:0:3:4:1 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:1 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:1 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:0:0:0:0:3:4:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:0:0:0:0:3:4:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2002 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2003 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:3,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:3,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:3,1025 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+> zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 from 10:1:1::/112 ! to 10:1::/32 -> 10::3:4:0/112
+
+List of active sessions:
+MAP 10:1:1::2 1025 <- -> 10::3:4:3 1025 [10::3:4:5 40001]
+MAP 10:1:1::1 1025 <- -> 10::3:4:3 1025 [10::3:4:5 40000]
+MAP 10:1:1::1 1026 <- -> 10::3:4:3 1026 [10::3:4:5 40000]
+MAP 10:1:1::3 <- -> 10::3:4:2 [10:4:3::4]
+MAP 10:1:1::3 <- -> 10::3:4:2 [10:4:3::4]
+MAP 10:1:1::2 <- -> 10::3:4:1 [10:4:3::4]
+MAP 10:1:1::2 <- -> 10::3:4:1 [10:4:3::2]
+MAP 10:1:1::1 <- -> 10::3:4:1 [10:4:3::2]
+
+Hostmap table:
+10:1:1::2,10::3:4:5 -> 10::3:4:3,any (use = 1)
+10:1:1::1,10::3:4:5 -> 10::3:4:3,any (use = 2)
+10:1:1::3,10:4:3::4 -> 10::3:4:2,any (use = 2)
+10:1:1::2,10:4:3::4 -> 10::3:4:1,any (use = 1)
+10:1:1::2,10:4:3::2 -> 10::3:4:1,any (use = 1)
+10:1:1::1,10:4:3::2 -> 10::3:4:1,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:1:1:0:0:0:0:1 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1025 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:2,1026 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2002 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:3,2003 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,10001 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+> zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::/112 -> 10::3:4:5/128 portmap udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 10001 [10::3:4:5 40001]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 10000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:1::2,10::3:4:5 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:5,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10001 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:1:1:0:0:0:0:1 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10002 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10003 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10001 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:1,10004 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10005 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10006 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10007 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10008 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10009 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10010 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:1,10011 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:1,10012 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1::/32 -> 10::3:4:0/112 portmap tcp/udp 10000:20000 sequential
+
+List of active sessions:
+MAP 10:1:2::1 80 <- -> 10::3:4:1 10012 [10::3:4:5 40001]
+MAP 10:1:1::2 1025 <- -> 10::3:4:1 10011 [10::3:4:5 40001]
+MAP 10:1:1::1 1025 <- -> 10::3:4:1 10010 [10::3:4:5 40000]
+MAP 10:1:1::1 1026 <- -> 10::3:4:1 10009 [10::3:4:5 40000]
+MAP 10:1:1::3 2003 <- -> 10::3:4:1 10008 [10:1:4::1 80]
+MAP 10:1:1::3 2002 <- -> 10::3:4:1 10007 [10:1:4::1 80]
+MAP 10:1:1::3 2001 <- -> 10::3:4:1 10006 [10:1:3::1 80]
+MAP 10:1:1::3 2000 <- -> 10::3:4:1 10005 [10:1:2::1 80]
+MAP 10:1:1::2 1025 <- -> 10::3:4:1 10004 [10:1:1::1 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:1 10003 [10:1:1::2 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:1 10002 [10:1:1::1 1025]
+MAP 10:1:1::2 1026 <- -> 10::3:4:1 10001 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:1 10000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:2::1,10::3:4:5 -> 10::3:4:1,any (use = 1)
+10:1:1::2,10::3:4:5 -> 10::3:4:1,any (use = 1)
+10:1:1::1,10::3:4:5 -> 10::3:4:1,any (use = 2)
+10:1:1::3,10:1:4::1 -> 10::3:4:1,any (use = 2)
+10:1:1::3,10:1:3::1 -> 10::3:4:1,any (use = 1)
+10:1:1::3,10:1:2::1 -> 10::3:4:1,any (use = 1)
+10:1:1::1,10:1:1::2 -> 10::3:4:1,any (use = 1)
+10:1:1::1,10:1:1::1 -> 10::3:4:1,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:1,any (use = 3)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:1:2:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:1 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:2 > 10:0:0:0:0:2:1:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:2:3 > 10:1:1:0:0:0:0:1
+< zx0 ip6/0 1 0 255 10:0:0:0:0:2:3:4 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:0 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:1 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 1 0 255 10:1:1:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:0:0:0:0:3:4:5,1025
+> zx0 ip6/0 88 0 58 10:1:1:0:0:0:0:1 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:2:2:2
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:3
+< zx0 ip6/0 88 0 58 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:2
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:2 > 10:0:0:0:0:3:4:4
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:2 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:5
+> zx0 ip6/0 1 0 34 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 34 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:6
+> zx0 ip6/0 1 0 35 10:1:1:0:0:0:0:3 > 10:4:3:0:0:0:0:4
+< zx0 ip6/0 1 0 35 10:4:3:0:0:0:0:4 > 10:0:0:0:0:3:4:7
+16
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:0 > 10:1:1:0:0:0:0:2
+> zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:2:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,40001 > 10:1:1:0:0:0:0:1,1025
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:2:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:3:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:1:4:0:0:0:0:1,80
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:1:4:0:0:0:0:1,80
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:1 > 10:1:1:0:0:0:0:2
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+< zx0 ip6/0 1 0 41 10:1:1:0:0:0:0:2 > 10:1:1:0:0:0:0:1
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40000 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1026 > 10:0:0:0:0:3:4:5,40000
+> zx0 ip6/0 20 0 6 10:0:0:0:0:3:4:5,40001 > 10:0:0:0:0:3:4:5,40000
+< zx0 ip6/0 20 0 6 10:1:1:0:0:0:0:1,1025 > 10:1:1:0:0:0:0:2,1025
+> zx0 ip6/0 8 0 17 10:0:0:0:0:3:4:5,40000 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 8 0 17 10:1:1:0:0:0:0:2,1025 > 10:0:0:0:0:3:4:5,40001
+> zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+< zx0 ip6/0 20 0 6 10:1:2:0:0:0:0:1,80 > 10:0:0:0:0:3:4:5,40001
+List of active MAP/Redirect filters:
+map zx0 inet6 10:1:1::/112 -> 10::3:4:5/128 portmap tcp/udp 40000:40001 sequential
+
+List of active sessions:
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 40000 [10::3:4:5 40001]
+MAP 10:1:1::1 1025 <- -> 10::3:4:5 40001 [10::3:4:5 40000]
+MAP 10:1:1::1 1026 <- -> 10::3:4:5 40000 [10::3:4:5 40000]
+MAP 10:1:1::3 2003 <- -> 10::3:4:5 40001 [10:1:4::1 80]
+MAP 10:1:1::3 2002 <- -> 10::3:4:5 40000 [10:1:4::1 80]
+MAP 10:1:1::3 2001 <- -> 10::3:4:5 40001 [10:1:3::1 80]
+MAP 10:1:1::3 2000 <- -> 10::3:4:5 40000 [10:1:2::1 80]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 40001 [10:1:1::1 1025]
+MAP 10:1:1::1 1025 <- -> 10::3:4:5 40000 [10:1:1::2 1025]
+MAP 10:1:1::2 1026 <- -> 10::3:4:5 40001 [10:1:1::1 1025]
+MAP 10:1:1::2 1025 <- -> 10::3:4:5 40000 [10:1:1::1 1025]
+
+Hostmap table:
+10:1:1::2,10::3:4:5 -> 10::3:4:5,any (use = 1)
+10:1:1::1,10::3:4:5 -> 10::3:4:5,any (use = 2)
+10:1:1::3,10:1:4::1 -> 10::3:4:5,any (use = 2)
+10:1:1::3,10:1:3::1 -> 10::3:4:5,any (use = 1)
+10:1:1::3,10:1:2::1 -> 10::3:4:5,any (use = 1)
+10:1:1::1,10:1:1::2 -> 10::3:4:5,any (use = 1)
+10:1:1::2,10:1:1::1 -> 10::3:4:5,any (use = 3)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n6 b/contrib/ipfilter/test/expected/n6
index cbdad9f..1afd94e 100644
--- a/contrib/ipfilter/test/expected/n6
+++ b/contrib/ipfilter/test/expected/n6
@@ -1,70 +1,173 @@
-ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+< zx0 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.2.2.2 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+15
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+< zx0 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+List of active MAP/Redirect filters:
+rdr zx0 from 0/0 to 10.1.1.0/24 port = 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.2.2.2 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+15
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+< zx0 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+List of active MAP/Redirect filters:
+rdr zx0 from 10.2.0.0/16 to 10.1.1.0/24 port = 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.2.2.2 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+15
+< zx0 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+List of active MAP/Redirect filters:
+rdr zx0 from 10.3.0.0/16 to 10.1.0.0/16 port = 23 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.3.3.3 12345]
+RDR 10.2.2.1 10023 <- -> 10.1.2.2 23 [10.3.0.1 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+< zx0 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+< zx0 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
+< zx0 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+< zx0 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+List of active MAP/Redirect filters:
+rdr zx0 ! from 10.2.0.0/16 to 10.1.1.0/24 port = 53 -> 10.2.2.1/32 port 10053 udp
+
+List of active sessions:
+RDR 10.2.2.1 10053 <- -> 10.1.1.0 53 [10.3.3.3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
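Review bot: The new expectations put a bare `15` where a packet line used to be in the second, third and fourth rule blocks (for example where the old file expected `10.2.2.2,12345 > 10.1.1.2,23` to come out untranslated), and nothing in the file says what that number means. Judging by the session lists, these look like packets whose redirect would collide with an existing `rdr` session from the same source address and port. If so, the expected result has changed from passing the packet unmodified to emitting no packet at all, which is a filtering-behaviour change that should be confirmed as intended rather than inherited from regenerated golden output. The same pattern appears as `16` in `expected/n6_6`. The expected file presumably cannot carry comments, so I would record the meaning in the test notes or commit description, e.g. `n6/n6_6: a bare number in place of a packet means <meaning to be confirmed by the author>`.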
diff --git a/contrib/ipfilter/test/expected/n6_6 b/contrib/ipfilter/test/expected/n6_6
new file mode 100644
index 0000000..e10f9bd
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n6_6
@@ -0,0 +1,173 @@
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:1:2:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:0:0:0:0:2:2:2,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::1/128 port 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10::2:2:2 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:0:0:0:0:2:2:1,10023
+16
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:1:2:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:0:0:0:0:2:2:2,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+List of active MAP/Redirect filters:
+rdr zx0 inet6 from any to 10:1:1::/112 port = 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10::2:2:2 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:0:0:0:0:2:2:1,10023
+16
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:1:2:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:0:0:0:0:2:2:2,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,23
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+List of active MAP/Redirect filters:
+rdr zx0 inet6 from 10::/32 to 10:1:1::/112 port = 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10::2:2:2 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,23
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:0:0:0:0:2:2:2,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:0:0:0:0:0:0,23
+16
+< zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+List of active MAP/Redirect filters:
+rdr zx0 inet6 from 10:3::/32 to 10:1::/32 port = 23 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10:3:3::3 12345]
+RDR 10::2:2:1 10023 <- -> 10:1:2::2 23 [10:3::1 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,23
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:1:2:0:0:0:0:2,23
+< zx0 ip6/0 20 0 6 10:3:0:0:0:0:0:1,12345 > 10:0:0:0:0:2:2:2,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,23
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:1,53
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:0:0:0:0:0:0,23
+< zx0 ip6/0 8 0 17 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 8 0 17 10:3:3:0:0:0:0:3,12345 > 10:0:0:0:0:2:2:1,10053
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:2:2,12345 > 10:1:1:0:0:0:0:0,53
+< zx0 ip6/0 20 0 6 10:3:3:0:0:0:0:3,12345 > 10:1:1:0:0:0:0:0,53
+List of active MAP/Redirect filters:
+rdr zx0 inet6 ! from 10::/32 to 10:1:1::/112 port = 53 -> 10::2:2:1/128 port 10053 udp
+
+List of active sessions:
+RDR 10::2:2:1 10053 <- -> 10:1:1:: 53 [10:3:3::3 12345]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n7 b/contrib/ipfilter/test/expected/n7
index eb23534..11b8115 100644
--- a/contrib/ipfilter/test/expected/n7
+++ b/contrib/ipfilter/test/expected/n7
@@ -1,30 +1,98 @@
-ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
-ip #0 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10050
-ip #0 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10079
-ip #0 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
-ip #0 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
-ip #0 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
-ip #0 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
-ip #0 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+< zx0 ip #0 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10050
+< zx0 ip #0 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10079
+< zx0 ip #0 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1/32 port 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10079 <- -> 10.1.1.1 79 [10.2.3.1 1233]
+RDR 10.2.2.1 10050 <- -> 10.1.1.1 50 [10.2.3.1 1232]
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.2.3.1 1231]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
-ip #0 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
-ip #0 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
-ip #0 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
-ip #0 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
-ip #0 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+< zx0 ip #0 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10023
+< zx0 ip #0 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
+< zx0 ip #0 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1/32 port = 10023 tcp
+
+List of active sessions:
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 79 [10.2.3.1 1233]
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 50 [10.2.3.1 1232]
+RDR 10.2.2.1 10023 <- -> 10.1.1.1 23 [10.2.3.1 1231]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
-ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
-ip #0 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
-ip #0 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79
-ip #0 40(20) 6 10.2.3.1,1234 > 10.2.2.1,3128
-ip #0 40(20) 6 10.2.3.1,1235 > 1.2.2.129,3128
-ip #0 40(20) 6 10.2.3.1,1236 > 10.2.2.1,3128
-ip #0 40(20) 6 10.2.3.1,1237 > 1.2.2.129,3128
-ip #0 40(20) 6 10.2.3.1,1238 > 10.2.2.1,3128
+< zx0 ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+< zx0 ip #0 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
+< zx0 ip #0 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
+< zx0 ip #0 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79
+< zx0 ip #0 40(20) 6 10.2.3.1,1234 > 10.2.2.1,3128
+< zx0 ip #0 40(20) 6 10.2.3.1,1235 > 1.2.2.129,3128
+< zx0 ip #0 40(20) 6 10.2.3.1,1236 > 10.2.2.1,3128
+< zx0 ip #0 40(20) 6 10.2.3.1,1237 > 1.2.2.129,3128
+< zx0 ip #0 40(20) 6 10.2.3.1,1238 > 10.2.2.1,3128
+List of active MAP/Redirect filters:
+rdr zx0 10.1.1.0/24 port 80 -> 10.2.2.1,1.2.2.129 port 3128 tcp
+
+List of active sessions:
+RDR 10.2.2.1 3128 <- -> 10.1.1.4 80 [10.2.3.1 1238]
+RDR 1.2.2.129 3128 <- -> 10.1.1.4 80 [10.2.3.1 1237]
+RDR 10.2.2.1 3128 <- -> 10.1.1.3 80 [10.2.3.1 1236]
+RDR 1.2.2.129 3128 <- -> 10.1.1.2 80 [10.2.3.1 1235]
+RDR 10.2.2.1 3128 <- -> 10.1.1.1 80 [10.2.3.1 1234]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n7_6 b/contrib/ipfilter/test/expected/n7_6
new file mode 100644
index 0000000..2563033
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n7_6
@@ -0,0 +1,98 @@
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1230 > 10:1:1:0:0:0:0:1,22
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1231 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1232 > 10:0:0:0:0:2:2:1,10050
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1233 > 10:0:0:0:0:2:2:1,10079
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1234 > 10:1:1:0:0:0:0:1,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1235 > 10:1:1:0:0:0:0:2,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1236 > 10:1:1:0:0:0:0:3,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1237 > 10:1:1:0:0:0:0:4,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1238 > 10:1:1:0:0:0:0:4,80
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::1/128 port 23-79 -> 10::2:2:1/128 port 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10079 <- -> 10:1:1::1 79 [10::2:3:1 1233]
+RDR 10::2:2:1 10050 <- -> 10:1:1::1 50 [10::2:3:1 1232]
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10::2:3:1 1231]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1230 > 10:1:1:0:0:0:0:1,22
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1231 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1232 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1233 > 10:0:0:0:0:2:2:1,10023
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1234 > 10:1:1:0:0:0:0:1,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1235 > 10:1:1:0:0:0:0:2,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1236 > 10:1:1:0:0:0:0:3,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1237 > 10:1:1:0:0:0:0:4,80
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1238 > 10:1:1:0:0:0:0:4,80
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::1/128 port 23-79 -> 10::2:2:1/128 port = 10023 tcp
+
+List of active sessions:
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 79 [10::2:3:1 1233]
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 50 [10::2:3:1 1232]
+RDR 10::2:2:1 10023 <- -> 10:1:1::1 23 [10::2:3:1 1231]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1230 > 10:1:1:0:0:0:0:1,22
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1231 > 10:1:1:0:0:0:0:1,23
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1232 > 10:1:1:0:0:0:0:1,50
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1233 > 10:1:1:0:0:0:0:1,79
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1234 > 10:0:0:0:0:2:2:1,3128
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1235 > 1:0:0:0:0:2:2:129,3128
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1236 > 10:0:0:0:0:2:2:1,3128
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1237 > 1:0:0:0:0:2:2:129,3128
+< zx0 ip6/0 20 0 6 10:0:0:0:0:2:3:1,1238 > 10:0:0:0:0:2:2:1,3128
+List of active MAP/Redirect filters:
+rdr zx0 inet6 10:1:1::/112 port 80 -> 10::2:2:1,1::2:2:129 port 3128 tcp
+
+List of active sessions:
+RDR 10::2:2:1 3128 <- -> 10:1:1::4 80 [10::2:3:1 1238]
+RDR 1::2:2:129 3128 <- -> 10:1:1::4 80 [10::2:3:1 1237]
+RDR 10::2:2:1 3128 <- -> 10:1:1::3 80 [10::2:3:1 1236]
+RDR 1::2:2:129 3128 <- -> 10:1:1::2 80 [10::2:3:1 1235]
+RDR 10::2:2:1 3128 <- -> 10:1:1::1 80 [10::2:3:1 1234]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n8 b/contrib/ipfilter/test/expected/n8
index d3e061d..a5e938f 100644
--- a/contrib/ipfilter/test/expected/n8
+++ b/contrib/ipfilter/test/expected/n8
@@ -6,4 +6,25 @@
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+List of active MAP/Redirect filters:
+map icmp0 2.2.2.0/24 -> 10.10.10.0/24
+
+List of active sessions:
+MAP 2.2.2.2 <- -> 10.10.10.1 [4.4.4.4]
+
+Hostmap table:
+2.2.2.2,4.4.4.4 -> 10.10.10.1,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n8_6 b/contrib/ipfilter/test/expected/n8_6
new file mode 100644
index 0000000..4d08efe
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n8_6
@@ -0,0 +1,30 @@
+6000 0000 0040 3aff 0010 0010 0010 0000 0000 0000 0000 0001 0004 0004 0004 0000 0000 0000 0000 0004 8000 7724 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+6000 0000 0040 3aff 0004 0004 0004 0000 0000 0000 0000 0004 0002 0000 0000 0000 0000 0002 0002 0002 8100 764d 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+6000 0000 0040 3aff 0010 0010 0010 0000 0000 0000 0000 0001 0004 0004 0004 0000 0000 0000 0000 0004 8000 7723 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+6000 0000 0040 3aff 0004 0004 0004 0000 0000 0000 0000 0004 0002 0000 0000 0000 0000 0002 0002 0002 8100 764c 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+List of active MAP/Redirect filters:
+map icmp0 inet6 2::2:2:0/112 -> 10:10:10::/112
+
+List of active sessions:
+MAP 2::2:2:2 <- -> 10:10:10::1 [4:4:4::4]
+
+Hostmap table:
+2::2:2:2,4:4:4::4 -> 10:10:10::1,any (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n9 b/contrib/ipfilter/test/expected/n9
index 917105f..2c762be 100644
--- a/contrib/ipfilter/test/expected/n9
+++ b/contrib/ipfilter/test/expected/n9
@@ -6,4 +6,24 @@
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+List of active MAP/Redirect filters:
+rdr icmp0 4.4.4.0/24 -> 10.10.10.1/32 ip
+
+List of active sessions:
+RDR 10.10.10.1 <- -> 4.4.4.4 [2.2.2.2]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/n9_6 b/contrib/ipfilter/test/expected/n9_6
new file mode 100644
index 0000000..134d74c
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n9_6
@@ -0,0 +1,29 @@
+6000 0000 0040 3aff 0002 0000 0000 0000 0000 0002 0002 0002 0010 0010 0010 0000 0000 0000 0000 0001 8000 772c 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+6000 0000 0040 3aff 0004 0004 0004 0000 0000 0000 0000 0004 0002 0000 0000 0000 0000 0002 0002 0002 8100 764d 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+6000 0000 0040 3aff 0002 0000 0000 0000 0000 0002 0002 0002 0010 0010 0010 0000 0000 0000 0000 0001 8000 772b 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+6000 0000 0040 3aff 0004 0004 0004 0000 0000 0000 0000 0004 0002 0000 0000 0000 0000 0002 0002 0002 8100 764c 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+
+List of active MAP/Redirect filters:
+rdr icmp0 inet6 4:4:4::/112 -> 10:10:10::1/128 ip
+
+List of active sessions:
+RDR 10:10:10::1 <- -> 4:4:4::4 [2::2:2:2]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni10 b/contrib/ipfilter/test/expected/ni10
index 3ee63fb..050fb40 100644
--- a/contrib/ipfilter/test/expected/ni10
+++ b/contrib/ipfilter/test/expected/ni10
@@ -4,6 +4,5 @@
4500 0058 0001 0000 ff01 af98 0202 0202 0404 0404 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001
-
+0
-------------------------------
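Review bot: The last expected packet in this hunk (the ICMP error from 3.3.3.3 to 5.5.5.5) is replaced by a bare `0`, so the file no longer pins any bytes for that input. What `0` denotes is not visible in this diff. The non-zero hit counts on `block in all` and `block out all` in the rule dump added to ni20 suggest it marks a packet that was not passed, but that is inferred. If a drop is the intended result, one line in the test's description saying `0 = packet blocked, no output expected` would let a reader tell an intended drop from a NAT regression. The same substitution occurs in ni11, ni12, ni19 and ni20, where six translated rcmd packets per file are affected.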
diff --git a/contrib/ipfilter/test/expected/ni11 b/contrib/ipfilter/test/expected/ni11
index 88d6406..6ed8ecc 100644
--- a/contrib/ipfilter/test/expected/ni11
+++ b/contrib/ipfilter/test/expected/ni11
@@ -1,9 +1,8 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
+4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fc 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
+0
-------------------------------
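Review bot: The ICMP checksum on the changed line moves from `a7fb` to `a7fc`, but the old value looks like the correct one. Summing the ICMP message exactly as printed (from `0303` through `0000 0001`, RFC 1071 one's-complement) gives `a7fb` by my arithmetic. The outer and embedded IP header checksums (`a7b9`, `20aa`) do verify, so the new expected value appears to be off by one, and a receiver that validates ICMP checksums would discard this translated error. The same +1 shows up in ni12 (`a7fc`) and ni4 (`acab` to `acac`), whereas the ni2 change to `444f` does match the computed sum. Please confirm the checksum adjustment for translated ICMP errors before pinning these values; if the arithmetic holds, the expected line should keep `0303 a7fb`.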
diff --git a/contrib/ipfilter/test/expected/ni12 b/contrib/ipfilter/test/expected/ni12
index 7d24a49..590ec23 100644
--- a/contrib/ipfilter/test/expected/ni12
+++ b/contrib/ipfilter/test/expected/ni12
@@ -1,9 +1,8 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001
+4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fc 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
-4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
+4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
+0
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni17 b/contrib/ipfilter/test/expected/ni17
new file mode 100644
index 0000000..74eb4dd
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ni17
@@ -0,0 +1,7 @@
+< le0 ip #0 40(20) 6 10.2.2.5,2000 > 10.1.1.252,3128
+< le0 ip #0 40(20) 6 10.2.2.6,2000 > 10.1.2.252,3128
+< le0 ip #0 40(20) 6 10.2.2.7,2000 > 10.1.3.252,3128
+< le0 ip #0 40(20) 6 10.2.2.7,2001 > 10.1.3.252,3128
+< le0 ip #0 40(20) 6 10.2.2.8,2000 > 10.1.1.253,3128
+< le0 ip #0 40(20) 6 10.2.2.9,2000 > 10.1.2.253,3128
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni18 b/contrib/ipfilter/test/expected/ni18
new file mode 100644
index 0000000..defc59c
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ni18
@@ -0,0 +1,5 @@
+< hme0 ip #0 40(20) 6 2.2.2.2,3000 > 1.1.1.1,80
+< hme0 ip #0 40(20) 6 2.2.2.2,3000 > 192.168.1.1,80
+> hme1 ip #0 40(20) 6 203.1.1.1,10000 > 4.5.6.7,80
+> hme1 ip #0 40(20) 6 10.1.1.2,5050 > 4.5.6.7,80
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni19 b/contrib/ipfilter/test/expected/ni19
index fa40771..e55c75d 100644
--- a/contrib/ipfilter/test/expected/ni19
+++ b/contrib/ipfilter/test/expected/ni19
@@ -34,16 +34,10 @@
4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000
-4500 0028 e404 4000 4006 1a1b c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5010 8328 bcd3 0000
-
-4500 0034 e405 4000 4006 1a0e c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 57d7 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 e40a 4000 4006 1a15 c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5011 832c bcce 0000
-
-4500 0034 e40b 4000 4006 1a08 c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 57d2 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 0004 4000 4006 fe1b 0a01 0104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 3a47 0000
-
-4500 0034 118e 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 d548 0000 0101 080a 0039 dd6e 0000 0004
-
+0
+0
+0
+0
+0
+0
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni2 b/contrib/ipfilter/test/expected/ni2
index e2a7eb8..69a5272 100644
--- a/contrib/ipfilter/test/expected/ni2
+++ b/contrib/ipfilter/test/expected/ni2
@@ -14,6 +14,6 @@
4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f2d 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 
0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-4500 0038 0004 4000 4001 76e4 0101 0101 c0a8 0133 0304 9dea 0000 05a0 4500 05dc e483 4000 7e06 4ebb c0a8 0133 0101 0101 0077 9c40 fbdf 1a75
+4500 0038 0004 4000 4001 76e4 0101 0101 c0a8 0133 0304 444f 0000 05a0 4500 05dc e483 4000 7e06 4ebb c0a8 0133 0101 0101 0077 9c40 fbdf 1a75
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni20 b/contrib/ipfilter/test/expected/ni20
index 6001a5a..913ef0b 100644
--- a/contrib/ipfilter/test/expected/ni20
+++ b/contrib/ipfilter/test/expected/ni20
@@ -34,16 +34,36 @@
4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000
-4500 0028 e404 4000 4006 f372 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5010 8328 962b 0000
-
-4500 0034 e405 4000 4006 f365 c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 312f 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 e40a 4000 4006 f36c c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5011 832c 9626 0000
-
-4500 0034 e40b 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 312a 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 0004 4000 4006 d773 c0a8 7104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 139f 0000
-
-4500 0034 118e 4000 4006 c5dd c0a8 7104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 aea0 0000 0101 080a 0039 dd6e 0000 0004
-
+0
+0
+0
+0
+0
+0
+List of active MAP/Redirect filters:
+rdr bge0 10.1.1.4/32 port 514 -> 192.168.113.4/32 port 514 tcp proxy rcmd
+
+List of active sessions:
+MAP 192.168.113.4 1023 <- -> 10.1.1.4 1023 [192.168.113.3 1008]
+RDR 192.168.113.4 514 <- -> 10.1.1.4 514 [192.168.113.3 1009]
+ proxy active
+
+Hostmap table:
+192.168.113.4,192.168.113.3 -> 10.1.1.4,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+5 block in all
+1 pass in quick on bge0 proto tcp from any to any port = 514 flags S/FSRPAU keep state
+Rules configured (set 0, out)
+2 block out all
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni21 b/contrib/ipfilter/test/expected/ni21
index 349ae23..53e64a5 100644
--- a/contrib/ipfilter/test/expected/ni21
+++ b/contrib/ipfilter/test/expected/ni21
@@ -1,4 +1,6 @@
-ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
-ip #0 20(20) 0 3.3.3.3 > 2.2.2.2
-ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
+> eri0 ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
+0
+< lan0 ip #0 20(20) 0 3.3.3.3 > 2.2.2.2
+> eri0 ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
+0
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni23 b/contrib/ipfilter/test/expected/ni23
index 24909b0..586373c 100644
--- a/contrib/ipfilter/test/expected/ni23
+++ b/contrib/ipfilter/test/expected/ni23
@@ -1,8 +1,9 @@
-ip #0 28(20) 17 4.4.4.4,6700 > 2.2.2.2,4500
-ip #0 28(20) 17 2.2.2.2,4500 > 3.3.3.1,6700
-ip #0 28(20) 17 1.1.2.3,4500 > 3.3.3.1,6700
+> ppp0 ip #0 28(20) 17 4.4.4.4,6700 > 2.2.2.2,4500
+0
+< hme0 ip #0 28(20) 17 2.2.2.2,4500 > 3.3.3.1,6700
+> bge0 ip #0 28(20) 17 1.1.2.3,4500 > 3.3.3.1,6700
List of active MAP/Redirect filters:
-rdr le0,bge0 1.1.0.0/16 -> 2.2.2.2 ip
+rdr le0,bge0 1.1.0.0/16 -> 2.2.2.2/32 ip
map hme0,ppp0 3.3.3.0/24 -> 4.4.4.4/32
List of active sessions:
@@ -10,20 +11,27 @@ MAP 3.3.3.1 6700 <- -> 4.4.4.4 6700 [2.2.2.2 4500]
RDR 2.2.2.2 4500 <- -> 1.1.2.3 4500 [3.3.3.1 6700]
Hostmap table:
-3.3.3.1,2.2.2.2 -> 4.4.4.4 (use = 1 hv = 0)
+3.3.3.1,2.2.2.2 -> 4.4.4.4,0.0.0.0 (use = 1)
List of active state sessions:
-3.3.3.1 -> 2.2.2.2 pass 0x40008402 pr 17 state 0/0
- tag 0 ttl 24 6700 -> 4500
- forward: pkts in 1 bytes in 28 pkts out 1 bytes out 28
- backward: pkts in 1 bytes in 28 pkts out 1 bytes out 28
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0x8001 0x1
+4:udp src:3.3.3.1,6700 dst:2.2.2.2,4500 24
+ FWD: IN pkts 1 bytes 28 OUT pkts 1 bytes 28
+ REV: IN pkts 1 bytes 28 OUT pkts 1 bytes 28
+ tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[le0],X[hme0] out X[ppp0],X[bge0]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+1 block in all
+1 pass in on le0,hme0 to ppp0:3.3.3.254 out-via ppp0,bge0 inet proto udp from any to any keep state
+Rules configured (set 0, out)
+0 block out all
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni4 b/contrib/ipfilter/test/expected/ni4
index c9f7504..627aa19 100644
--- a/contrib/ipfilter/test/expected/ni4
+++ b/contrib/ipfilter/test/expected/ni4
@@ -1,6 +1,6 @@
4500 003c 0000 4000 ff06 67a8 0606 0606 0404 0404 9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001
+4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0303 acac 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001
4500 0058 809a 0000 ff01 3101 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
diff --git a/contrib/ipfilter/test/expected/ni5 b/contrib/ipfilter/test/expected/ni5
index e713cf2..14d9837 100644
--- a/contrib/ipfilter/test/expected/ni5
+++ b/contrib/ipfilter/test/expected/ni5
@@ -4,6 +4,7 @@
4500 0028 0001 4000 ff06 02ff 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 76c5 5010 269c 5aa0 0000
+ipf_p_ftp_servert_valid:i(0) < 5
4500 006f ffde 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 76c5 bd6b c9c9 5018 269c 967e 0000 3232 302d 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 7520 4e63 4654 5064 2053 6572 7665 7220 2866 7265 6520 6564 7563 6174 696f 6e61 6c20 6c69 6365 6e73 6529 2072 6561 6479 2e0d 0a
4500 0028 0002 4000 ff06 02fe 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 770c 5010 269c 5a59 0000
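Review bot: The added line `ipf_p_ftp_servert_valid:i(0) < 5` looks like a diagnostic print from the FTP proxy rather than packet output, and it appears again in the second hunk of this file. Pinning it in the expected file ties the test to the wording and verbosity of a debug message, so a change to the logging would fail a NAT/proxy regression test for reasons unrelated to translation. It would be cleaner to keep diagnostics off the stream that is compared (for example, sent to stderr or filtered by the harness) and leave only the packet dumps here. If the message is deliberately part of the checked behaviour, a note in the test description should say so.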
@@ -22,6 +23,7 @@
4500 0036 0006 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b c9d9 3786 77ef 5018 269c 373f 0000 5041 5353 2061 7661 6c6f 6e40 0d0a
+ipf_p_ftp_servert_valid:i(0) < 5
4500 005f ffe2 4000 ef06 533c 96cb e002 c0a8 0103 0015 8032 3786 77ef bd6b c9e7 5018 269c 895e 0000 3233 302d 596f 7520 6172 6520 7573 6572 2023 3420 6f66 2035 3020 7369 6d75 6c74 616e 656f 7573 2075 7365 7273 2061 6c6c 6f77 6564 2e0d 0a
4500 0028 0007 4000 ff06 02f9 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7826 5010 269c 5921 0000
@@ -72,32 +74,23 @@
4500 0028 ffec 4000 ef06 5369 96cb e002 c0a8 0103 0014 8034 d9f8 11d4 0000 0000 5010 2238 e90d 0000
-4500 0063 ffed 4000 ef06 532d 96cb e002 c0a8 0103 0014 8033 d9f8 11d5 bd78 5c13 5018 269c a315 0000 636f 6f6d 6273 7061 7065 7273 0d0a 6465 7074 730d 0a66 6f75 6e64 2d66 696c 6573 0d0a 696e 636f 6d69 6e67 0d0a 6e6c 632d 7465 7374 0d0a 7075 620d 0a
-
-4500 0028 0014 4000 ff06 02ec 0101 0101 96cb e002 8033 0014 bd78 5c13 d9f8 1210 5010 6348 4de0 0000
-
-4500 0028 ffee 4000 ef06 5367 96cb e002 c0a8 0103 0014 8033 d9f8 1210 bd78 5c13 5011 269c cae1 0000
-
-4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5010 6348 8e35 0000
-
-4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5011 6348 8e34 0000
-
-4500 0028 ffef 4000 ef06 5366 96cb e002 c0a8 0103 0014 8033 d9f8 1211 bd78 5c14 5010 269c cae0 0000
-
+0
+0
+0
+0
+0
+0
4500 0040 fff0 4000 ef06 534d 96cb e002 c0a8 0103 0015 8032 3786 7903 bd6b ca3f 5018 269c 7c80 0000 3232 3620 4c69 7374 696e 6720 636f 6d70 6c65 7465 642e 0d0a
-4500 0028 0015 4000 ff06 02eb 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5010 269c 57e4 0000
+4500 0028 0014 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5010 269c 57e4 0000
-4500 002e 0016 4000 ff06 02e4 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5018 269c b022 0000 5155 4954 0d0a
+4500 002e 0015 4000 ff06 02e5 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5018 269c b022 0000 5155 4954 0d0a
4500 0036 fff2 4000 ef06 5355 96cb e002 c0a8 0103 0015 8032 3786 791b bd6b ca45 5018 269c a936 0000 3232 3120 476f 6f64 6279 652e 0d0a
-4500 0028 0017 4000 ff06 02e9 0101 0101 96cb e002 8032 0015 bd6b ca35 3786 7929 5011 269c 57cf 0000
-
-4500 0028 fff3 4000 ef06 5362 96cb e002 c0a8 0103 0015 8032 3786 7929 bd6b ca45 5011 269c 9815 0000
-
-4500 0028 10e3 4000 ff06 3273 c0a8 0103 96cb e002 8032 0015 bd6b ca3d 3786 792a 5010 269c 981d 0000
-
-4500 0028 fff4 4000 ef06 5361 96cb e002 c0a8 0103 0015 8032 3786 792a bd6b ca46 5010 269c 9814 0000
+4500 0028 0016 4000 ff06 02ea 0101 0101 96cb e002 8032 0015 bd6b ca35 3786 7929 5011 269c 57cf 0000
+0
+0
+0
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni6 b/contrib/ipfilter/test/expected/ni6
index 0da034a..e70412b 100644
--- a/contrib/ipfilter/test/expected/ni6
+++ b/contrib/ipfilter/test/expected/ni6
@@ -1,17 +1,63 @@
-4500 0054 cd8a 4000 ff11 1fbb c0a8 0601 c0a8 0701 8075 006f 0040 d26e 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
-
-4500 0054 0000 4000 ff11 ec44 c0a8 0702 c0a8 0701 8075 006f 0040 d16d 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
-
-4500 0038 cd83 4000 ff11 1fde c0a8 0701 c0a8 0601 006f 8075 0024 d805 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
-
-4500 0038 0001 4000 ff11 ee5f c0a8 0602 c0a8 0601 006f 8075 0024 d904 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
-
-4500 0044 d5a6 4000 ff11 17af c0a8 0601 c0a8 0701 80df 0801 0030 03f1 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0044 0002 4000 ff11 ec52 c0a8 0702 c0a8 0701 80df 0801 0030 02f0 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0034 0000 4000 fe11 ee65 c0a8 0701 c0a8 0601 0801 80df 0020 8ab8 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0034 0003 4000 fe11 ef61 c0a8 0602 c0a8 0601 0801 80df 0020 0000 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
-
+< nf0 ip #52618 84(20) 17 192.168.6.1,32885 > 192.168.7.1,111
+> qfe0 ip #0 84(20) 17 192.168.7.2,32885 > 192.168.7.1,111
+< qfe0 ip #52611 56(20) 17 192.168.7.1,111 > 192.168.6.1,32885
+> nf0 ip #1 56(20) 17 192.168.6.2,111 > 192.168.6.1,32885
+< nf0 ip #54694 68(20) 17 192.168.6.1,32991 > 192.168.7.1,2049
+> qfe0 ip #2 68(20) 17 192.168.7.2,32991 > 192.168.7.1,2049
+< qfe0 ip #0 52(20) 17 192.168.7.1,2049 > 192.168.6.1,32991
+> nf0 ip #3 52(20) 17 192.168.6.2,2049 > 192.168.6.1,32991
+List of active MAP/Redirect filters:
+rdr nf0 192.168.6.2/32 port 111 -> 192.168.7.1/32 port 111 udp proxy rpcbu
+rdr nf0 192.168.6.2/32 port 111 -> 192.168.7.1/32 port 111 tcp proxy rpcbt
+map qfe0 192.168.6.0/24 -> 192.168.7.2/32
+
+List of active sessions:
+MAP 192.168.6.1 32991 <- -> 192.168.7.2 32991 [192.168.7.1 2049]
+RDR 192.168.7.1 2049 <- -> 192.168.6.2 2049 [192.168.6.1 32991]
+RDR CLONE 192.168.7.1 2049 <- -> 192.168.6.2 2049 [192.168.6.1 0]
+MAP 192.168.6.1 32885 <- -> 192.168.7.2 32885 [192.168.7.1 111]
+RDR 192.168.7.1 111 <- -> 192.168.6.2 111 [192.168.6.1 32885]
+ proxy active
+
+Hostmap table:
+192.168.6.1,192.168.7.1 -> 192.168.7.2,0.0.0.0 (use = 2)
+List of active state sessions:
+4:udp src:192.168.6.1,32991 dst:192.168.7.1,2049 24
+ FWD: IN pkts 2 bytes 96 OUT pkts 1 bytes 68
+ REV: IN pkts 1 bytes 52 OUT pkts 1 bytes 52
+ tag 0 pass 0x502 = pass in quick keep state
+ interfaces: in X[nf0],X[qfe0] out X[qfe0],X[nf0]
+ Sync status: not synchronized
+4:udp src:192.168.6.1,* dst:192.168.7.1,2049 240 CLONE
+ FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
+ REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
+ tag 0 pass 0x502 = pass in quick keep state
+ interfaces: in X[nf0],X[] out X[],X[]
+ Sync status: not synchronized
+4:udp src:192.168.6.1,32885 dst:192.168.7.1,111 24
+ FWD: IN pkts 1 bytes 84 OUT pkts 1 bytes 84
+ REV: IN pkts 1 bytes 56 OUT pkts 1 bytes 56
+ tag 0 pass 0x2008502 = pass in quick keep state
+ interfaces: in X[nf0],X[qfe0] out X[qfe0],X[nf0]
+ Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+0 pass in quick on nf0 proto tcp from any to any port = 111 flags S/FSRPAU keep state
+1 pass in quick on nf0 proto udp from any to any port = 111 keep state
+0 block return-rst in log quick on nf0 proto tcp from any to any
+0 block in log quick on nf0 inet from 192.168.7.0/24 to any
+0 block return-rst in log quick on qfe0 proto tcp from any to any
+0 block in log quick on qfe0 inet from 192.168.6.0/24 to any
+Rules configured (set 0, out)
+0 block out log quick on qfe0 inet from 192.168.7.0/24 to any
+0 block out log quick on nf0 inet from 192.168.6.0/24 to any
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni8 b/contrib/ipfilter/test/expected/ni8
index 689ccaa..e0d5182 100644
--- a/contrib/ipfilter/test/expected/ni8
+++ b/contrib/ipfilter/test/expected/ni8
@@ -1,6 +1,6 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
+4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fc 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
diff --git a/contrib/ipfilter/test/expected/p1 b/contrib/ipfilter/test/expected/p1
index 9f02804..58dc681 100644
--- a/contrib/ipfilter/test/expected/p1
+++ b/contrib/ipfilter/test/expected/p1
@@ -13,9 +13,18 @@ List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
-table role = ipf type = tree number = 100
- { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; };
+table role=ipf type=tree number=100
+ { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+2 pass in from pool/100 to any
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/p10 b/contrib/ipfilter/test/expected/p10
new file mode 100644
index 0000000..9f09502
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p10
@@ -0,0 +1,40 @@
+< bge0 ip #0 40(20) 6 5.5.5.5,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.5.6,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.5.7,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.5.8,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.5.9,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.6.5,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.6.6,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.6.7,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.8,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.9,10000 > 1.1.1.9,80
+List of active MAP/Redirect filters:
+rewrite in on bge0 proto tcp from 0/0 to 0/0 port = 80 -> src 0/0 dst dstlist/servers;
+
+List of active sessions:
+RWR-RDR 5.5.6.9 10000 9.9.9.9 80 <- -> 5.5.6.9 10000 1.1.1.9 80
+RWR-RDR 5.5.6.8 10000 9.9.9.9 80 <- -> 5.5.6.8 10000 1.1.1.5 80
+RWR-RDR 5.5.6.7 10000 9.9.9.9 80 <- -> 5.5.6.7 10000 1.1.1.5 80
+RWR-RDR 5.5.6.6 10000 9.9.9.9 80 <- -> 5.5.6.6 10000 1.1.1.9 80
+RWR-RDR 5.5.6.5 10000 9.9.9.9 80 <- -> 5.5.6.5 10000 1.1.1.4 80
+RWR-RDR 5.5.5.9 10000 9.9.9.9 80 <- -> 5.5.5.9 10000 1.1.1.4 80
+RWR-RDR 5.5.5.8 10000 9.9.9.9 80 <- -> 5.5.5.8 10000 1.1.1.9 80
+RWR-RDR 5.5.5.7 10000 9.9.9.9 80 <- -> 5.5.5.7 10000 1.1.1.2 80
+RWR-RDR 5.5.5.6 10000 9.9.9.9 80 <- -> 5.5.5.6 10000 1.1.1.9 80
+RWR-RDR 5.5.5.5 10000 9.9.9.9 80 <- -> 5.5.5.5 10000 1.1.1.2 80
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p11 b/contrib/ipfilter/test/expected/p11
new file mode 100644
index 0000000..e907fbb
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p11
@@ -0,0 +1,40 @@
+< bge0 ip #0 40(20) 6 5.5.5.5,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.6,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.7,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.8,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.9,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.5,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.6,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.7,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.8,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.9,10000 > 1.1.1.5,80
+List of active MAP/Redirect filters:
+rewrite in on bge0 proto tcp from 0/0 to 0/0 port = 80 -> src 0/0 dst dstlist/servers;
+
+List of active sessions:
+RWR-RDR 5.5.6.9 10000 9.9.9.9 80 <- -> 5.5.6.9 10000 1.1.1.5 80
+RWR-RDR 5.5.6.8 10000 9.9.9.9 80 <- -> 5.5.6.8 10000 1.1.1.5 80
+RWR-RDR 5.5.6.7 10000 9.9.9.9 80 <- -> 5.5.6.7 10000 1.1.1.5 80
+RWR-RDR 5.5.6.6 10000 9.9.9.9 80 <- -> 5.5.6.6 10000 1.1.1.5 80
+RWR-RDR 5.5.6.5 10000 9.9.9.9 80 <- -> 5.5.6.5 10000 1.1.1.5 80
+RWR-RDR 5.5.5.9 10000 9.9.9.9 80 <- -> 5.5.5.9 10000 1.1.1.5 80
+RWR-RDR 5.5.5.8 10000 9.9.9.9 80 <- -> 5.5.5.8 10000 1.1.1.5 80
+RWR-RDR 5.5.5.7 10000 9.9.9.9 80 <- -> 5.5.5.7 10000 1.1.1.5 80
+RWR-RDR 5.5.5.6 10000 9.9.9.9 80 <- -> 5.5.5.6 10000 1.1.1.5 80
+RWR-RDR 5.5.5.5 10000 9.9.9.9 80 <- -> 5.5.5.5 10000 1.1.1.5 80
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p12 b/contrib/ipfilter/test/expected/p12
new file mode 100644
index 0000000..d097d51
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p12
@@ -0,0 +1,40 @@
+< bge0 ip #0 40(20) 6 5.5.5.5,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.5.6,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.7,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.5.8,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.5.9,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.6.5,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.6.6,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.6.7,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.6.8,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.6.9,10000 > 1.1.1.5,80
+List of active MAP/Redirect filters:
+rewrite in on bge0 proto tcp from 0/0 to 0/0 port = 80 -> src 0/0 dst dstlist/servers;
+
+List of active sessions:
+RWR-RDR 5.5.6.9 10000 9.9.9.9 80 <- -> 5.5.6.9 10000 1.1.1.5 80
+RWR-RDR 5.5.6.8 10000 9.9.9.9 80 <- -> 5.5.6.8 10000 1.1.1.9 80
+RWR-RDR 5.5.6.7 10000 9.9.9.9 80 <- -> 5.5.6.7 10000 1.1.1.9 80
+RWR-RDR 5.5.6.6 10000 9.9.9.9 80 <- -> 5.5.6.6 10000 1.1.1.4 80
+RWR-RDR 5.5.6.5 10000 9.9.9.9 80 <- -> 5.5.6.5 10000 1.1.1.4 80
+RWR-RDR 5.5.5.9 10000 9.9.9.9 80 <- -> 5.5.5.9 10000 1.1.1.9 80
+RWR-RDR 5.5.5.8 10000 9.9.9.9 80 <- -> 5.5.5.8 10000 1.1.1.4 80
+RWR-RDR 5.5.5.7 10000 9.9.9.9 80 <- -> 5.5.5.7 10000 1.1.1.4 80
+RWR-RDR 5.5.5.6 10000 9.9.9.9 80 <- -> 5.5.5.6 10000 1.1.1.5 80
+RWR-RDR 5.5.5.5 10000 9.9.9.9 80 <- -> 5.5.5.5 10000 1.1.1.2 80
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p13 b/contrib/ipfilter/test/expected/p13
new file mode 100644
index 0000000..aa529ea
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p13
@@ -0,0 +1,30 @@
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+table role=all type=tree number=100
+ { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+2 pass in from pool/100 to any
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p2 b/contrib/ipfilter/test/expected/p2
index 67a7c3e..5388742 100644
--- a/contrib/ipfilter/test/expected/p2
+++ b/contrib/ipfilter/test/expected/p2
@@ -14,12 +14,22 @@ Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
-# 'anonymous' table
-table role = ipf type = hash number = 2147483650 size = 3
+# 'anonymous' table refs 2
+table role=ipf type=hash number=2147483650 size=3
{ 127.0.0.1/32; 4.4.0.0/16; };
-# 'anonymous' table
-table role = ipf type = hash number = 2147483649 size = 3
+# 'anonymous' table refs 2
+table role=ipf type=hash number=2147483649 size=3
{ 127.0.0.1/32; 4.4.0.0/16; };
List of groups configured (set 0)
List of groups configured (set 1)
+Rules configured (set 0, in)
+1 block in from hash/2147483650 to any
+Rules configured (set 0, out)
+2 pass out from hash/2147483649 to any
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/p3 b/contrib/ipfilter/test/expected/p3
index 94fde9e..c1e0343 100644
--- a/contrib/ipfilter/test/expected/p3
+++ b/contrib/ipfilter/test/expected/p3
@@ -18,18 +18,28 @@ Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
-group-map out role = ipf number = 2010 size = 5
- { 5.0.0.0/8, group = 2040; 4.4.0.0/16, group = 2020; 2.2.2.2/32, group = 2020; };
-group-map in role = ipf number = 1010 size = 3
- { 3.3.0.0/16, group = 1030; 1.1.1.1/32, group = 1020; };
+group-map out role=ipf number=2010 size=5
+ { 2.2.2.2/32, group=2020; 4.4.0.0/16, group=2020; 5.0.0.0/8, group=2040; };
+group-map in role=ipf number=1010 size=3
+ { 1.1.1.1/32, group=1020; 3.3.0.0/16, group=1030; };
List of groups configured (set 0)
-Dev.0. Group 1020 Ref 1 Flags 0x8000
+Dev.0. Group 1020 Ref 2 Flags 0x8000
2 pass in all group 1020
-Dev.0. Group 1030 Ref 1 Flags 0x8000
+Dev.0. Group 1030 Ref 2 Flags 0x8000
2 block in all group 1030
-Dev.0. Group 2020 Ref 2 Flags 0x4000
+Dev.0. Group 2020 Ref 3 Flags 0x4000
4 pass out all group 2020
-Dev.0. Group 2040 Ref 1 Flags 0x4000
+Dev.0. Group 2040 Ref 2 Flags 0x4000
2 block out all group 2040
List of groups configured (set 1)
+Rules configured (set 0, in)
+6 call now srcgrpmap/1010 in all
+Rules configured (set 0, out)
+6 call now dstgrpmap/2010 out all
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
-------------------------------
diff --git a/contrib/ipfilter/test/expected/p4 b/contrib/ipfilter/test/expected/p4
new file mode 100644
index 0000000..e7aa73f
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p4
@@ -0,0 +1,38 @@
+< anon0 ip #0 20(20) 0 127.0.0.1 > 127.0.0.1
+< anon0 ip #0 20(20) 0 1.1.1.1 > 1.2.1.1
+> anon0 ip #0 20(20) 0 127.0.0.1 > 127.0.0.1
+> anon0 ip #0 20(20) 0 1.2.3.4 > 1.2.1.1
+< anon0 ip #0 20(20) 0 2.3.0.1 > 1.2.1.1
+< anon0 ip #0 20(20) 0 2.2.2.1 > 1.2.1.1
+< anon0 ip #0 20(20) 0 2.2.0.1 > 1.2.1.1
+15
+> anon0 ip #0 20(20) 0 1.2.3.4 > 1.2.1.2
+> anon0 ip #0 20(20) 0 2.2.0.1 > 1.2.1.1
+> anon0 ip #0 20(20) 0 2.2.0.1 > 1.2.1.3
+> anon0 ip #0 20(20) 0 4.4.1.1 > 1.2.1.1
+List of active MAP/Redirect filters:
+map * from pool/100 to 0/0 -> 1.2.3.4/32
+
+List of active sessions:
+MAP 2.2.2.1 <- -> 1.2.3.4 [1.2.1.2]
+MAP 1.1.1.1 <- -> 1.2.3.4 [1.2.1.1]
+
+Hostmap table:
+2.2.2.1,1.2.1.2 -> 1.2.3.4,0.0.0.0 (use = 1)
+1.1.1.1,1.2.1.1 -> 1.2.3.4,0.0.0.0 (use = 1)
+List of active state sessions:
+List of configured pools
+table role=nat type=tree number=100
+ { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; };
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p5 b/contrib/ipfilter/test/expected/p5
index d8ea95c..b56c3bc 100644
--- a/contrib/ipfilter/test/expected/p5
+++ b/contrib/ipfilter/test/expected/p5
@@ -13,7 +13,7 @@ List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
-table role = ipf type = tree name = letters
+table role=ipf type=tree name=letters
{ 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; };
List of configured hash tables
List of groups configured (set 0)
diff --git a/contrib/ipfilter/test/expected/p6 b/contrib/ipfilter/test/expected/p6
new file mode 100644
index 0000000..413f94b
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p6
@@ -0,0 +1,24 @@
+block
+nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+table role=ipf type=tree name=microsoft
+ { 131.107.0.0/16; 192.92.90.0/24; 198.105.232.0/22; 204.231.58.0/24; 204.140.77.0/24; 204.140.80.0/22; 199.60.28.0/24; 199.103.90.0/23; 199.103.122.0/24; 204.79.101.0/24; 192.237.67.0/24; 198.137.97.0/24; 204.79.135.0/24; 204.79.179.0/24; 204.79.180.0/23; 204.79.188.0/24; 204.79.7.0/24; 204.79.27.0/24; 198.180.74.0/23; 204.231.236.0/24; 205.163.63.0/24; 205.163.62.0/24; 205.163.144.0/20; 205.248.50.0/23; 205.248.72.0/24; 205.248.212.0/22; 205.248.228.0/24; 205.248.235.0/24; 204.231.76.0/24; 204.231.192.0/24; 207.78.80.0/24; 207.78.81.0/24; 207.78.82.0/24; 207.117.3.0/24; 207.18.117.0/24; 208.139.27.0/24; 209.28.213.0/24; 207.209.68.0/24; 204.95.96.0/20; 207.158.93.192/27; 207.240.123.192/27; 208.26.205.0/24; 192.197.157.0/24; 204.133.231.0/24; 216.72.96.0/22; 207.229.166.152/29; 204.95.149.0/24; 209.192.213.72/29; 206.73.203.0/24; 206.73.118.0/24; 208.45.54.16/29; 208.45.54.8/29; 206.73.31.0/24; 63.161.50.128/25; 63.161.50.0/25; 207.240.8.224/28; 208.45.89.248/29; 206.182.69.0/24; 206.182.240.0/24; 206.182.241.0/24; 206.73.67.0/24; 206.182.251.0/24; 206.182.247.0/24; 206.182.236.0/24; 63.236.198.64/29; 63.236.198.152/29; 165.121.253.232/29; 63.236.170.64/29; 63.236.186.64/29; 63.236.187.104/29; 63.236.187.128/29; 63.236.187.160/29; 199.2.137.0/24; 216.222.104.224/28; 63.151.87.64/29; 64.77.82.96/29; 64.77.93.80/28; 65.52.0.0/14; 207.46.0.0/16; 204.182.144.0/20; 206.107.34.0/24; 205.240.158.0/23; 204.79.252.0/24; 64.200.211.16/28; 12.178.163.0/27; 69.44.126.80/28; 63.173.42.128/25; 12.28.108.0/25; 65.170.29.0/29; 67.132.133.96/29; 8.6.176.0/24; 63.148.123.240/29; 64.41.193.0/24; 64.85.70.32/28; 64.85.81.96/29; 64.85.81.104/29; 216.32.168.224/27; 206.79.74.32/28; 216.32.175.224/27; 216.32.180.0/22; 216.33.229.224/27; 216.33.236.0/22; 216.33.240.0/22; 216.32.240.0/22; 216.34.51.0/24; 209.1.112.0/24; 209.1.113.0/24; 209.1.15.0/24; 216.34.53.176/28; 216.35.8.224/28; 209.185.128.0/22; 65.114.175.128/27; 64.15.229.96/27; 64.15.177.0/24; 64.15.170.192/29; 
209.143.238.0/24; 64.15.178.0/24; 66.35.209.120/29; 66.35.211.128/26; 66.35.208.48/28; 216.33.148.0/22; 216.35.66.88/29; 12.230.32.160/29; 12.53.124.0/27; 12.232.18.96/27; 12.190.158.0/24; 12.71.196.32/28; 209.240.192.0/19; 70.37.128.0/23; 70.37.135.0/24; 12.49.87.192/26; 74.93.205.144/29; 74.93.205.152/29; 74.93.206.64/29; 70.89.139.120/29; 206.71.119.0/24; 206.71.117.0/24; 206.71.118.0/24; 209.154.155.112/29; 65.68.62.152/29; 67.39.208.168/29; 65.242.67.0/24; 204.71.191.0/24; 63.194.155.144/29; 66.136.85.192/29; 64.124.184.72/29; 216.200.206.0/24; 63.80.93.0/25; 67.192.225.208/28; 69.74.162.0/24; 65.221.5.0/24; 65.248.85.0/24; 199.243.157.192/27; 199.243.157.112/29; 65.194.210.224/27; 208.194.139.0/24; 208.204.49.128/25; 208.205.26.0/24; 208.217.184.0/22; 208.222.172.0/24; 208.224.200.64/27; 208.229.100.0/23; 208.241.19.0/28; 208.241.19.16/28; 208.241.9.224/28; 208.244.108.0/28; 208.245.16.0/27; 208.249.17.160/28; 63.104.216.0/25; 63.69.245.0/24; 68.90.141.72/29; 63.198.123.160/29; 68.248.48.64/29; 68.248.48.72/29; 99.49.8.248/29; 65.38.172.72/29; 65.38.172.96/28; 75.149.174.16/29; 75.151.100.240/28; 64.81.8.96/27; 67.112.255.144/29; 63.240.201.176/28; 206.16.209.208/28; 63.240.195.208/28; 206.16.204.64/28; 206.16.223.0/24; 63.240.216.0/22; 63.240.220.0/22; 206.16.246.24/29; 63.240.195.192/28; 206.16.224.160/27; 67.192.39.48/28; 72.32.240.160/28; 72.32.201.152/29; 67.39.81.152/29; 69.20.127.32/29; 216.52.28.0/24; 70.42.230.0/23; 63.251.97.0/24; 67.120.132.128/29; 67.120.132.152/29; 67.120.132.192/28; };
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+1 block in from pool/microsoft to any
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p7 b/contrib/ipfilter/test/expected/p7
new file mode 100644
index 0000000..89bfc11
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p7
@@ -0,0 +1,40 @@
+< bge0 ip #0 40(20) 6 5.5.5.5,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.5.6,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.5.7,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.8,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.5.9,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.6.5,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.6.6,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.7,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.6.8,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.6.9,10000 > 1.1.1.4,80
+List of active MAP/Redirect filters:
+rewrite in on bge0 proto tcp from 0/0 to 0/0 port = 80 -> src 0/0 dst dstlist/servers;
+
+List of active sessions:
+RWR-RDR 5.5.6.9 10000 9.9.9.9 80 <- -> 5.5.6.9 10000 1.1.1.4 80
+RWR-RDR 5.5.6.8 10000 9.9.9.9 80 <- -> 5.5.6.8 10000 1.1.1.2 80
+RWR-RDR 5.5.6.7 10000 9.9.9.9 80 <- -> 5.5.6.7 10000 1.1.1.9 80
+RWR-RDR 5.5.6.6 10000 9.9.9.9 80 <- -> 5.5.6.6 10000 1.1.1.5 80
+RWR-RDR 5.5.6.5 10000 9.9.9.9 80 <- -> 5.5.6.5 10000 1.1.1.4 80
+RWR-RDR 5.5.5.9 10000 9.9.9.9 80 <- -> 5.5.5.9 10000 1.1.1.2 80
+RWR-RDR 5.5.5.8 10000 9.9.9.9 80 <- -> 5.5.5.8 10000 1.1.1.9 80
+RWR-RDR 5.5.5.7 10000 9.9.9.9 80 <- -> 5.5.5.7 10000 1.1.1.5 80
+RWR-RDR 5.5.5.6 10000 9.9.9.9 80 <- -> 5.5.5.6 10000 1.1.1.4 80
+RWR-RDR 5.5.5.5 10000 9.9.9.9 80 <- -> 5.5.5.5 10000 1.1.1.2 80
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/p9 b/contrib/ipfilter/test/expected/p9
new file mode 100644
index 0000000..89bfc11
--- /dev/null
+++ b/contrib/ipfilter/test/expected/p9
@@ -0,0 +1,40 @@
+< bge0 ip #0 40(20) 6 5.5.5.5,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.5.6,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.5.7,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.5.8,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.5.9,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.6.5,10000 > 1.1.1.4,80
+< bge0 ip #0 40(20) 6 5.5.6.6,10000 > 1.1.1.5,80
+< bge0 ip #0 40(20) 6 5.5.6.7,10000 > 1.1.1.9,80
+< bge0 ip #0 40(20) 6 5.5.6.8,10000 > 1.1.1.2,80
+< bge0 ip #0 40(20) 6 5.5.6.9,10000 > 1.1.1.4,80
+List of active MAP/Redirect filters:
+rewrite in on bge0 proto tcp from 0/0 to 0/0 port = 80 -> src 0/0 dst dstlist/servers;
+
+List of active sessions:
+RWR-RDR 5.5.6.9 10000 9.9.9.9 80 <- -> 5.5.6.9 10000 1.1.1.4 80
+RWR-RDR 5.5.6.8 10000 9.9.9.9 80 <- -> 5.5.6.8 10000 1.1.1.2 80
+RWR-RDR 5.5.6.7 10000 9.9.9.9 80 <- -> 5.5.6.7 10000 1.1.1.9 80
+RWR-RDR 5.5.6.6 10000 9.9.9.9 80 <- -> 5.5.6.6 10000 1.1.1.5 80
+RWR-RDR 5.5.6.5 10000 9.9.9.9 80 <- -> 5.5.6.5 10000 1.1.1.4 80
+RWR-RDR 5.5.5.9 10000 9.9.9.9 80 <- -> 5.5.5.9 10000 1.1.1.2 80
+RWR-RDR 5.5.5.8 10000 9.9.9.9 80 <- -> 5.5.5.8 10000 1.1.1.9 80
+RWR-RDR 5.5.5.7 10000 9.9.9.9 80 <- -> 5.5.5.7 10000 1.1.1.5 80
+RWR-RDR 5.5.5.6 10000 9.9.9.9 80 <- -> 5.5.5.6 10000 1.1.1.4 80
+RWR-RDR 5.5.5.5 10000 9.9.9.9 80 <- -> 5.5.5.5 10000 1.1.1.2 80
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+Rules configured (set 0, in)
+Rules configured (set 0, out)
+Rules configured (set 1, in)
+Rules configured (set 1, out)
+Accounting rules configured (set 0, in)
+Accounting rules configured (set 0, out)
+Accounting rules configured (set 1, in)
+Accounting rules configured (set 1, out)
+-------------------------------
diff --git a/contrib/ipfilter/test/h4to6 b/contrib/ipfilter/test/h4to6
new file mode 100644
index 0000000..e31f7c4
--- /dev/null
+++ b/contrib/ipfilter/test/h4to6
@@ -0,0 +1,135 @@
+@P=();
+$line = 0;
+while (<>) {
+ s/\=192.168.1.188/\=c0a8:0100::bc/g;
+ s/\=192.168.1.188/\=c0a8:0100::bc/g;
+ @F = split;
+ if (/^#/) {
+ @P[$nline++] = join(" ",@F);
+ next;
+ }
+ $line = 0 if (/^\[/);
+ if ($line == 1) {
+ $len = hex($F[1]) - 20;
+ $pr = hex($F[4]) & 0xff;
+ $pr = 58 if ($pr == 1);
+ $ttl = hex($F[4]) >> 8;
+ &replaceip($_, $len, $pr, $ttl);
+ $ipline = $nline;
+ $err = 0;
+ } elsif ($line == 2) {
+ if ($pr == 58) {
+ #
+ # Map the ICMP type codes from IPv4 to IPv6
+ # and update the checksum to compensate.
+ #
+ if ($F[0] =~ /^0800/) {
+ $F[0] =~ s/^0800/8000/;
+ $d = 0x7800;
+ }
+ if ($F[0] =~ /^0000/) {
+ $F[0] =~ s/^0000/8100/;
+ $d = 0x8100;
+ }
+ if ($F[0] =~ /^0304/) {
+ $F[0] =~ s/^0304/0200/;
+ $d = 0xfefc;
+ $err = 1;
+ }
+ if ($F[0] =~ /^03/) {
+ $F[0] =~ s/^03/01/;
+ $d = 0xfe00;
+ $err = 1;
+ }
+ if ($F[0] =~ /^0b/) {
+ $F[0] =~ s/^0b/03/;
+ $d = 0xf800;
+ $err = 1;
+ }
+ if ($F[0] =~ /^0c/) {
+ $F[0] =~ s/^0c/04/;
+ $d = 0xf800;
+ $err = 1;
+ }
+ $F[1] = sprintf "%04x", hex($F[1]) - $d;
+ }
+ @P[$nline++] = join(" ",@F);
+ } elsif ($line == 3) {
+ if ($pr == 58 && $err == 1 && $F[0] =~ /^45/) {
+ local($l) = hex($F[1]) - 20;
+ local($p) = hex($F[4]) & 0xff;
+ $p = 58 if ($p == 1);
+ local($t) = hex($F[4]) >> 8;
+ &replaceip(join(" ", @F), $l, $p, $t);
+ @H = split(/ /, $P[$ipline]);
+ $H[2] += 20;
+ $P[$ipline] = join(" ",@H);
+ } else {
+ @P[$nline++] = join(" ",@F);
+ }
+ } else {
+ @P[$nline++] = join(" ",@F);
+ }
+ $line++;
+}
+
+for ($li = 0; $li < $nline; $li++) {
+ print "$P[$li]\n";
+}
+
+exit(0);
+
+sub replaceip {
+ local(@G) = split(/\s/,$_[0]);
+ local($p) = "";
+
+ $p = sprintf "6000 0000 %04x %02x%02x", $_[1], $_[2], $_[3];
+ if ($G[6] =~ /^c0a8/) {
+ $fmt = " %02x%02x %02x00 0000 0000 0000 0000 0000 00%02x";
+ } else {
+ if ($G[6] =~ /^0[4a]../) {
+ $fmt = " 00%02x 00%02x 00%02x 0000 0000 0000 0000 00%02x";
+ } else {
+ $fmt = " 00%02x 0000 0000 0000 0000 00%02x 00%02x 00%02x";
+ }
+ if ($G[6] =~ /^0a/) {
+ $G[6] =~ s/^0a/10/;
+ }
+ if ($G[6] =~ /0a$/) {
+ $G[6] =~ s/0a$/10/;
+ }
+ if ($G[7] =~ /^0a/) {
+ $G[7] =~ s/^0a/10/;
+ }
+ if ($G[7] =~ /0a$/) {
+ $G[7] =~ s/0a$/10/;
+ }
+ }
+ $p = $p.sprintf $fmt, hex($G[6]) >> 8, hex($G[6]) & 0xff,
+ hex($G[7]) >> 8, hex($G[7]) & 0xff;
+
+ if ($G[6] =~ /^c0a8/) {
+ $fmt = " %02x%02x %02x00 0000 0000 0000 0000 0000 00%02x";
+ } else {
+ if ($G[8] =~ /^0[4a]../) {
+ $fmt = " 00%02x 00%02x 00%02x 0000 0000 0000 0000 00%02x";
+ } else {
+ $fmt = " 00%02x 0000 0000 0000 0000 00%02x 00%02x 00%02x";
+ }
+ if ($G[8] =~ /^0a/) {
+ $G[8] =~ s/^0a/10/;
+ }
+ if ($G[8] =~ /0a$/) {
+ $G[8] =~ s/0a$/10/;
+ }
+ if ($G[9] =~ /^0a/) {
+ $G[9] =~ s/^0a/10/;
+ }
+ if ($G[9] =~ /0a$/) {
+ $G[9] =~ s/0a$/10/;
+ }
+ }
+ $p = $p.sprintf $fmt, hex($G[8]) >> 8, hex($G[8]) & 0xff,
+ hex($G[9]) >> 8, hex($G[9]) & 0xff;
+ $P[$nline++] = $p;
+}
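Review bot: In `replaceip`, the second address block formats the destination words `$G[8]`/`$G[9]` but picks its layout by testing `$G[6] =~ /^c0a8/`, the source word, which looks like a copy-paste slip from the first block. A packet with only one end in 192.168/16 would get the wrong IPv6 layout for its destination, so the test should probably read `if ($G[8] =~ /^c0a8/) {`. Separately, the two `s/\=192.168.1.188/\=c0a8:0100::bc/g` lines at the top of the loop are identical, so the second is a no-op, and the unescaped dots match any character; a single `s/\=192\.168\.1\.188/\=c0a8:0100::bc/g` would be enough. `$d` is also never reset between packets, so an ICMP type that matches none of the patterns reuses the previous packet's checksum delta in `hex($F[1]) - $d`; setting `$d = 0;` at the start of the `$pr == 58` branch avoids that.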
diff --git a/contrib/ipfilter/test/hextest b/contrib/ipfilter/test/hextest
deleted file mode 100644
index b7b0b2c..0000000
--- a/contrib/ipfilter/test/hextest
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-( while read rule; do
- echo "$rule" | ../ipftest -br - -F hex -i input/$1 >> results/$1;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "--------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/i4to6 b/contrib/ipfilter/test/i4to6
new file mode 100644
index 0000000..b1208fd
--- /dev/null
+++ b/contrib/ipfilter/test/i4to6
@@ -0,0 +1,12 @@
+sed \
+-e 's/in /in6 /g' \
+-e 's/icmp/58/g' \
+-e 's/out /out6 /g' \
+-e 's/10\.4\.\([0-9]\)\.\([0-9]\)/10:4:\1::\2/g' \
+-e 's/10\.3\.4\.\([0-9]\)/10::3:4:\1/g' \
+-e 's/10\.3\.\([0-9]\)\.\([0-9]\)/10:3:\1::\2/g' \
+-e 's/10\.1\.\([0-9]\)\.\([0-9]\)/10:1:\1::\2/g' \
+-e 's/10\.2\.\([0-9]\)\.\([0-9]\)/10::2:\1:\2/g' \
+-e 's/9\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/9:\1:\2::\3/g' \
+-e 's/5\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/5:\1::\2:\3/g' \
+-e 's/2\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/2::\1:\2:\3/g'
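Review bot: The address expressions in this script are unanchored and accept only single-digit octets, so an address outside the intended test ranges is rewritten wrongly or not at all. For example `s/2\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/2::\1:\2:\3/g` also matches the tail of `192.1.1.1`, and `s/in /in6 /g` and `s/icmp/58/g` match those strings anywhere in a line. The file also has no interpreter line or header comment. I would add a header such as `# Convert IPv4 test rules/input to IPv6; assumes single-digit octets in the 10.x, 9.x, 5.x and 2.x test ranges only`, so that an IPv6 regression case that silently kept an IPv4 address is recognised as a converter limit rather than a filter result.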
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
index 77e537e..ccd370a 100644
--- a/contrib/ipfilter/test/input/f13
+++ b/contrib/ipfilter/test/input/f13
@@ -83,7 +83,7 @@
4500 0028 0003 4000 3f06 36ca 0101 0101 0201 0101
0400 0019 0040 0000 0000 0000 5010 2000 8678 0000
-# 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF ACK
+# 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF ACK (out-of-order)
[in]
4500 0028 0003 4000 3f06 36ca 0101 0101 0201 0101
0400 0019 7000 0004 0000 0002 5010 2000 16b2 0000
diff --git a/contrib/ipfilter/test/input/f21 b/contrib/ipfilter/test/input/f21
new file mode 100644
index 0000000..1135cbd
--- /dev/null
+++ b/contrib/ipfilter/test/input/f21
@@ -0,0 +1,31 @@
+# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
+# going out)
+# IP 4.4.4.4 2.2.2.2 TCP(20480,80)
+[out,df0]
+4500 003c 4706 4000 ff06 28aa 0404 0404
+0202 0202 5000 0050 0000 0001 0000 0000
+a002 16d0 d8e2 0000 0204 05b4 0402 080a
+0047 fbb0 0000 0000 0103 0300
+
+# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) UNREACH
+[in,df0]
+4500 0038 809a 0000 ff01 2d1d 0303 0303
+0404 0404 0303 acab 0000 0000 4500 003c
+4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001
+
+# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) REDIRECT
+# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
+[in,df0]
+4500 0038 809a 0000 ff01 2d1d 0303 0303
+0404 0404 0501 9a9d 0808 0808 4500 003c
+4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001
+
+# IP 3.3.3.3 -> 5.5.5.5 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) UNREACH
+[in,df0]
+4500 0038 809a 0000 ff01 2b1b 0303 0303
+0505 0505 0303 acab 0000 0000 4500 003c
+4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001
+
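Review bot: The comments on the ICMP cases do not describe the bytes below them. Each embedded header ends `0404 0404 0202 0202`, i.e. 4.4.4.4 -> 2.2.2.2, while the comments say `IP(4.4.4.4,6.6.6.6)`. The third case is labelled both REDIRECT and "dest unreachable with whole packet in payload (40 bytes = 320 bits)", although its ICMP header is `0501` and only 8 bytes of TCP follow the embedded IP header. Since this input appears to exercise matching of ICMP errors against existing state, I would correct the comments to `IP(4.4.4.4,2.2.2.2)`, drop the second comment line of the third case, and say on the last case that the outer destination 5.5.5.5 is presumably the one expected not to match. input/f22 in this commit carries the same comments with the directions swapped.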
diff --git a/contrib/ipfilter/test/input/f22 b/contrib/ipfilter/test/input/f22
new file mode 100644
index 0000000..a5221c1a
--- /dev/null
+++ b/contrib/ipfilter/test/input/f22
@@ -0,0 +1,31 @@
+# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
+# going out)
+# IP 4.4.4.4 2.2.2.2 TCP(20480,80)
+[in,df0]
+4500 003c 4706 4000 ff06 28aa 0404 0404
+0202 0202 5000 0050 0000 0001 0000 0000
+a002 16d0 d8e2 0000 0204 05b4 0402 080a
+0047 fbb0 0000 0000 0103 0300
+
+# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) UNREACH
+[out,df0]
+4500 0038 809a 0000 ff01 2d1d 0303 0303
+0404 0404 0303 acab 0000 0000 4500 003c
+4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001
+
+# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) REDIRECT
+# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
+[out,df0]
+4500 0038 809a 0000 ff01 2d1d 0303 0303
+0404 0404 0501 9a9d 0808 0808 4500 003c
+4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001
+
+# IP 3.3.3.3 -> 5.5.5.5 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) UNREACH
+[out,df0]
+4500 0038 809a 0000 ff01 2b1b 0303 0303
+0505 0505 0303 acab 0000 0000 4500 003c
+4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001
+
diff --git a/contrib/ipfilter/test/input/f24 b/contrib/ipfilter/test/input/f24
index 1d06682..030772b 100644
--- a/contrib/ipfilter/test/input/f24
+++ b/contrib/ipfilter/test/input/f24
@@ -12,7 +12,7 @@ c0a8 0101 0035 eb22 00a9 d7b9 4a82 8180
0c00 0100 0100 0000 3c00 0496
[in,hme0]
-4500 004c fc96 2006 4011 d9b4 c0a8 01fe
+4500 004c fc96 2007 4011 d9b3 c0a8 01fe
c0a8 0101 cbe7 50c0 1300 0200 0100 0078
8c00 0603 6e73 31c0 13c0 1300 0200 0100
0078 8c00 0e02 6e73 0861 6465 6c61 6964
diff --git a/contrib/ipfilter/test/input/f25 b/contrib/ipfilter/test/input/f25
new file mode 100644
index 0000000..a4e3139
--- /dev/null
+++ b/contrib/ipfilter/test/input/f25
@@ -0,0 +1,41 @@
+[in,hme0]+mcast
+4500 0081 b02d 0000 0411 53b1 c0a8 01eb
+efff fffa 1f48 076c 006d 1bd2 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0a
+
+[out,hme0]
+4500 0108 7aca 0000 4011 79e1 c0a8 01fe
+c0a8 01eb 076c 1f48 00f4 5218 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000
+
+[in,hme0]+mcast
+4500 0081 b02d 0000 0411 53b1 c0a8 01eb
+efff fffa 1f48 076c 006d 1bd2 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0a
+
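Review bot: The three packets carry no description, so a reader has to decode the headers to see what is being tested. From the bytes, the first and third are 192.168.1.235,8008 -> 239.255.255.250,1900 UDP with TTL 4, flagged `+mcast`, and the second is a unicast packet 192.168.1.254,1900 -> 192.168.1.235,8008. I would add one comment line per packet, e.g. `# 192.168.1.235,8008 -> 239.255.255.250,1900 UDP TTL=4 (multicast)`, and state whether the unicast packet is expected to match state created by the multicast one, since that expectation is the security-relevant part of the case.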
diff --git a/contrib/ipfilter/test/input/f26 b/contrib/ipfilter/test/input/f26
new file mode 100644
index 0000000..2151f72
--- /dev/null
+++ b/contrib/ipfilter/test/input/f26
@@ -0,0 +1,13 @@
+in tcp 1.1.1.1,1001 2.2.2.2,22 S
+in tcp 1.1.1.1,1002 2.2.2.2,22 S
+in tcp 1.1.1.1,1003 2.2.2.2,22 S
+in tcp 1.1.1.1,1004 2.2.2.2,22 S
+in tcp 1.1.1.2,1002 2.2.2.2,22 S
+in tcp 1.1.1.3,1003 2.2.2.2,22 S
+in tcp 1.1.1.4,1004 2.2.2.2,22 S
+in tcp 1.1.1.2,1005 2.2.2.2,22 S
+in tcp 1.1.1.3,1006 2.2.2.2,22 S
+in tcp 1.1.1.4,1007 2.2.2.2,22 S
+in tcp 1.1.1.2,1008 2.2.2.2,22 S
+in tcp 1.1.1.3,1009 2.2.2.2,22 S
+in tcp 1.1.1.4,1010 2.2.2.2,22 S
diff --git a/contrib/ipfilter/test/input/f27 b/contrib/ipfilter/test/input/f27
new file mode 100644
index 0000000..f01bf7e
--- /dev/null
+++ b/contrib/ipfilter/test/input/f27
@@ -0,0 +1,84 @@
+[in,hme0]
+45000028 0000 0000 FF06 b5ca
+01010101 02020202
+03e9 0016 00000000 00000000 5002 0000
+a5de 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5ca
+01010101 02020202
+03ea 0016 00000000 00000000 5002 0000
+a5dd 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5ca
+01010101 02020202
+03eb 0016 00000000 00000000 5002 0000
+a5dc 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5ca
+01010101 02020202
+03ec 0016 00000000 00000000 5002 0000
+a5db 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c9
+01010102 02020202
+03ed 0016 00000000 00000000 5002 0000
+a5d9 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c8
+01010103 02020202
+03ee 0016 00000000 00000000 5002 0000
+a5d7 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c7
+01010104 02020202
+03ef 0016 00000000 00000000 5002 0000
+a5d5 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c9
+01010102 02020202
+03f0 0016 00000000 00000000 5002 0000
+a5d6 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c8
+01010103 02020202
+03f1 0016 00000000 00000000 5002 0000
+a5d4 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c7
+01010104 02020202
+03f2 0016 00000000 00000000 5002 0000
+a5d2 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c9
+01010102 02020202
+03f3 0016 00000000 00000000 5002 0000
+a5d3 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c8
+01010103 02020202
+03f4 0016 00000000 00000000 5002 0000
+a5d1 0000
+
+[in,hme0]
+45000028 0000 0000 FF06 b5c7
+01010104 02020202
+03f5 0016 00000000 00000000 5002 0000
+a5cf 0000
+
+[in,hme0]
+6000 0000 0014 06FF
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+03f6 0016 0000 0000 0000 0000 5002 0000 292a 0000
+
diff --git a/contrib/ipfilter/test/input/f28 b/contrib/ipfilter/test/input/f28
new file mode 100644
index 0000000..8849c14
--- /dev/null
+++ b/contrib/ipfilter/test/input/f28
@@ -0,0 +1,7 @@
+in on nic1 4.4.0.1 4.2.0.2
+in on nic2 4.4.1.1 4.2.1.2
+in on nic3 4.4.2.1 4.2.2.2
+in on nic0 4.4.3.1 4.2.3.2
+in on nic0 4.4.1.1 4.2.1.2
+in on nic0 4.4.2.1 4.2.2.2
+in on nic0 4.4.3.1 4.2.3.2
diff --git a/contrib/ipfilter/test/input/f29 b/contrib/ipfilter/test/input/f29
new file mode 100644
index 0000000..2e717af
--- /dev/null
+++ b/contrib/ipfilter/test/input/f29
@@ -0,0 +1,11 @@
+in on nic1 4.4.0.1 4.2.0.2
+in on nic2 4.4.1.1 4.2.1.2
+in on nic3 4.4.2.1 4.2.2.2
+in on nic0 udp 4.4.3.1,1000 4.2.3.2,2000
+in on nic0 udp 4.4.3.1,1000 4.2.3.2,2000
+in on nic0 udp 4.4.1.1,1001 4.2.1.2,2001
+in on nic0 udp 4.4.1.1,1001 4.2.1.2,2001
+in on nic0 udp 4.4.2.1,1002 4.2.2.2,2002
+in on nic0 udp 4.4.2.1,1002 4.2.2.2,2002
+in on nic0 udp 4.4.3.1,1003 4.2.3.2,2003
+in on nic0 udp 4.4.3.1,1003 4.2.3.2,2003
diff --git a/contrib/ipfilter/test/input/f30 b/contrib/ipfilter/test/input/f30
new file mode 100644
index 0000000..ebf7dc0
--- /dev/null
+++ b/contrib/ipfilter/test/input/f30
@@ -0,0 +1,16 @@
+in on hme0 udp 1.1.1.1,53 2.1.1.1,53 opt lsrr
+in on hme1 udp 2.1.1.1,53 1.1.1.1,53 opt ts,lsrr
+in on hme1 udp 2.1.1.1,53 1.1.1.1,53 opt lsrr
+in on hme0 udp 1.1.1.1,53 2.1.1.1,53
+in on hme1 udp 2.1.1.1,53 1.1.1.1,53
+in on hme0 tcp 1.1.1.1,12345 2.1.1.1,22 S opt rr
+in on hme0 tcp 1.1.1.1,12345 2.1.1.1,22 S
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12345 SA opt rr,ts
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12345 SA opt rr
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12345 SA
+in on hme0 tcp 1.1.1.1,12346 2.1.1.1,22 S opt sec-class=secret
+in on hme0 tcp 1.1.1.1,12346 2.1.1.1,22 S
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12346 SA opt sec-class=topsecret
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12346 SA opt ts,sec-class=secret
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12346 SA opt sec-class=secret
+in on hme1 tcp 2.1.1.1,22 1.1.1.1,12346 SA
diff --git a/contrib/ipfilter/test/input/ipf6-1 b/contrib/ipfilter/test/input/ipf6-1
deleted file mode 100644
index 8cc2d17..0000000
--- a/contrib/ipfilter/test/input/ipf6-1
+++ /dev/null
@@ -1,26 +0,0 @@
-[out,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 0013 ff02 0000 0000 0000
-0000 0001 ff01 000b 8700 ea32 0000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0101 0048 5487 5c6f
-
-[in,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8800 5322 6000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0201 0800 2071 cce1
-
-[out,de0]
-6000 0000 0010 3a40 ef00 0000 0000 0000
-0000 0000 0001 0013 ef00 0000 0000 0000
-0000 0000 0001 000b 8000 3210 06ff 0002
-9ec3 3c3c 8a82 0300
-
-[in,de0]
-6000 0000 0010 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8100 3110 06ff 0002
-9ec3 3c3c 8a82 0300
-
diff --git a/contrib/ipfilter/test/input/ipv6.1 b/contrib/ipfilter/test/input/ipv6.1
index 3f0fd30..6da8da0 100644
--- a/contrib/ipfilter/test/input/ipv6.1
+++ b/contrib/ipfilter/test/input/ipv6.1
@@ -1,3 +1,8 @@
+#
+# traceroute simulation
+#
+# UDP
+#
[out,gif0] 6000 0000 0018 1101
ef00 1001 2002 0001 0000 0000 0000 0070
2001 1002 3333 0001 0000 0000 0000 0001
@@ -6,10 +11,14 @@ ef00 1001 2002 0001 0000 0000 0000 0070
f4c1
0000 0344 0000 0004 f8f1 9d3c ddba 0e00
+#
+# ICMPV6
+# - Time exceeded
+#
[in,gif0] 6000 0000 0048 3a40
ef00 1001 0880 6cbf 0000 0000 0000 0001
ef00 1001 2002 0001 0000 0000 0000 0070
-0300 7d44 0000 0000
+0300 f86f 0000 0000
6000 0000 0018 1101
ef00 1001 2002 0001 0000 0000 0000 0070
2001 1002 3333 0001 0000 0000 0000 0001
@@ -18,14 +27,18 @@ ef00 1001 2002 0001 0000 0000 0000 0070
f427
0000 0344 0000 0004 f8f1 9d3c ddba 0e00
+#
+# ICMPV6
+# - Time exceeded
+#
[in,gif0] 6000 0000 0048 3a40
ef00 1001 0880 6cbf 0000 0000 0000 0001
ef00 1001 2002 0001 0000 0000 0000 0070
-0300 7d44 0000 0000
+0300 7266 0000 0000
6000 0000 0018 1101
ef00 1001 2002 1001 0000 0000 0000 0070
2001 1002 3333 0001 0000 0000 0000 0001
-8083 829a
+8083 f8a3
0018
f427
0000 0344 0000 0004 f8f1 9d3c ddba 0e00
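Review bot: The comment added in this hunk is identical to the one on the previous packet, but this packet's embedded header is different. Its embedded source has `2002 1001` where the previous packet has `2002 0001`, and the hunk changes the word after `8083` from `829a` to `f8a3`, which by position is the embedded UDP destination port. If this is the error that must not match the outgoing probe, the comment should say so, e.g. `# - Time exceeded, embedded header does not match the probe`; if it is not, the port change deserves a line of explanation.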
diff --git a/contrib/ipfilter/test/input/ipv6.3 b/contrib/ipfilter/test/input/ipv6.3
index e8ad9f2..3b2ef4d 100644
--- a/contrib/ipfilter/test/input/ipv6.3
+++ b/contrib/ipfilter/test/input/ipv6.3
@@ -7,19 +7,19 @@
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4393 3ffe 8280 0000 2001
-0000 0000 0000 4395 8100 3e77 085c 0038
+0000 0000 0000 4395 8100 3e78 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4394 3ffe 8280 0000 2001
-0000 0000 0000 4395 8300 3e77 085c 0038
+0000 0000 0000 4395 8300 3c77 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4394 3ffe 8280 0000 2001
-0000 0000 0000 4395 8000 3e77 085c 0038
+0000 0000 0000 4395 8000 3f77 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
diff --git a/contrib/ipfilter/test/input/ipv6.4 b/contrib/ipfilter/test/input/ipv6.4
new file mode 100644
index 0000000..eb986ae
--- /dev/null
+++ b/contrib/ipfilter/test/input/ipv6.4
@@ -0,0 +1,522 @@
+# fe80::20c:29ff:fe13:6899 > fe80::20c:29ff:fe21:5742: frag (0|1448) icmp6: echo request
+[in,eth0]
+6000 0000 05b0 2c40 fe80 0000 0000 0000
+020c 29ff fe13 6899 fe80 0000 0000 0000
+020c 29ff fe21 5742 3a00 0001 0000 0008
+8000 f400 2c0a 0001 fd38 4a42 9e59 0900
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f
+
+# fe80::20c:29ff:fe13:6899 > fe80::20c:29ff:fe21:5742: frag (1448|160)
+[in,eth0]
+6000 0000 00a8 2c40 fe80 0000 0000 0000
+020c 29ff fe13 6899 fe80 0000 0000 0000
+020c 29ff fe21 5742 3a00 05a8 0000 0008
+a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf
+b0b1 b2b3 b4b5 b6b7 b8b9 babb bcbd bebf
+c0c1 c2c3 c4c5 c6c7 c8c9 cacb cccd cecf
+d0d1 d2d3 d4d5 d6d7 d8d9 dadb dcdd dedf
+e0e1 e2e3 e4e5 e6e7 e8e9 eaeb eced eeef
+f0f1 f2f3 f4f5 f6f7 f8f9 fafb fcfd feff
+0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
+1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
+2021 2223 2425 2627 2829 2a2b 2c2d 2e2f
+3031 3233 3435 3637 3839 3a3b 3c3d 3e3f
+
+# fe80::20c:29ff:fe21:5742 > fe80::20c:29ff:fe13:6899: frag (0|1232) icmp6: echo reply
+[out,eth0]
+6000 0000 04d8 2c40 fe80 0000 0000 0000
+020c 29ff fe21 5742 fe80 0000 0000 0000
+020c 29ff fe13 6899 3a00 0001 9c56 86dd
+8100 f300 2c0a 0001 fd38 4a42 9e59 0900
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+
+# fe80::20c:29ff:fe21:5742 > fe80::20c:29ff:fe13:6899: frag (1232|376)
+[out,eth0]
+6000 0000 0180 2c40 fe80 0000 0000 0000
+020c 29ff fe21 5742 fe80 0000 0000 0000
+020c 29ff fe13 6899 3a00 04d0 9c56 86dd
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f
+
+# fe80::20c:29ff:fe13:6899 > fe80::20c:29ff:fe21:5742: frag (0|1448) icmp6: echo request
+[in,eth0]
+6000 0000 05b0 2c40 fe80 0000 0000 0000
+020c 29ff fe13 6899 fe80 0000 0000 0000
+020c 29ff fe21 5742 3a00 0001 0000 0009
+8000 80fb 2c0a 0002 fe38 4a42 105e 0900
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f
+
+# fe80::20c:29ff:fe13:6899 > fe80::20c:29ff:fe21:5742: frag (1448|160)
+[in,eth0]
+6000 0000 00a8 2c40 fe80 0000 0000 0000
+020c 29ff fe13 6899 fe80 0000 0000 0000
+020c 29ff fe21 5742 3a00 05a8 0000 0009
+a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf
+b0b1 b2b3 b4b5 b6b7 b8b9 babb bcbd bebf
+c0c1 c2c3 c4c5 c6c7 c8c9 cacb cccd cecf
+d0d1 d2d3 d4d5 d6d7 d8d9 dadb dcdd dedf
+e0e1 e2e3 e4e5 e6e7 e8e9 eaeb eced eeef
+f0f1 f2f3 f4f5 f6f7 f8f9 fafb fcfd feff
+0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
+1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
+2021 2223 2425 2627 2829 2a2b 2c2d 2e2f
+3031 3233 3435 3637 3839 3a3b 3c3d 3e3f
+
+# fe80::20c:29ff:fe21:5742 > fe80::20c:29ff:fe13:6899: frag (0|1232) icmp6: echo reply
+[out,eth0]
+6000 0000 04d8 2c40 fe80 0000 0000 0000
+020c 29ff fe21 5742 fe80 0000 0000 0000
+020c 29ff fe13 6899 3a00 0001 9889 f4c1
+8100 7ffb 2c0a 0002 fe38 4a42 105e 0900
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+
+# fe80::20c:29ff:fe21:5742 > fe80::20c:29ff:fe13:6899: frag (1232|376)
+[out,eth0]
+6000 0000 0180 2c40 fe80 0000 0000 0000
+020c 29ff fe21 5742 fe80 0000 0000 0000
+020c 29ff fe13 6899 3a00 04d0 9889 f4c1
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f 4041 4243 4445 4647
+4849 4a4b 4c4d 4e4f 5051 5253 5455 5657
+5859 5a5b 5c5d 5e5f 6061 6263 6465 6667
+6869 6a6b 6c6d 6e6f 7071 7273 7475 7677
+7879 7a7b 7c7d 7e7f 8081 8283 8485 8687
+8889 8a8b 8c8d 8e8f 9091 9293 9495 9697
+9899 9a9b 9c9d 9e9f a0a1 a2a3 a4a5 a6a7
+a8a9 aaab acad aeaf b0b1 b2b3 b4b5 b6b7
+b8b9 babb bcbd bebf c0c1 c2c3 c4c5 c6c7
+c8c9 cacb cccd cecf d0d1 d2d3 d4d5 d6d7
+d8d9 dadb dcdd dedf e0e1 e2e3 e4e5 e6e7
+e8e9 eaeb eced eeef f0f1 f2f3 f4f5 f6f7
+f8f9 fafb fcfd feff 0001 0203 0405 0607
+0809 0a0b 0c0d 0e0f 1011 1213 1415 1617
+1819 1a1b 1c1d 1e1f 2021 2223 2425 2627
+2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
+3839 3a3b 3c3d 3e3f
+
+# frag: [0-7:nh][8-15:res][16-31:off][32-64:id]
+# Case 4: ipv6,fragment[id=10,off=0,m=1],tcp
+[in,eth0]
+600a af74 0038 2c40
+fe80 0000 0000 0000 020c 29ff fe21 5742
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+0600 0001 0000 0010
+fff3 0017 52ac fbab 0000 0000 c002 8000 d36b 0000
+0204 05a0 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000 0000 0000
+
+# Case 5: ipv6,fragment[id=10,off=5,m=1],data
+[in,eth0]
+600a af74 0010 2c40
+fe80 0000 0000 0000 020c 29ff fe21 5742
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+0600 0030 0000 0010
+0000 0000 0000 0000
+
+# Case 3: ipv6,fragment[id=10,off=1,m=0],tcp
+[in,eth0]
+600a af74 0034 2c40
+fe80 0000 0000 0000 020c 29ff fe21 5742
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+0600 0008 0000 0010
+0000 0000 b002 8000 d36b 0000
+0204 05a0 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000
+
+# Case 1: ipv6,fragment[id=11,off=0,m=1],hopopts,ah[next=dstopts]
+[in,eth0]
+600a af74 0020 2c40
+fe80 0000 0000 0000 020c 29ff fe21 5742
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+0000 0001 0000 0011
+3300 0000 0000 0000
+3c01 0000 0000 0000 0000 0000 0000 0000
+
+# Case 2: ipv6,fragment[id=11,off=3,m=0],dstopts,hop,tcp
+[in,eth0]
+600a af74 002c 2c40
+fe80 0000 0000 0000 020c 29ff fe21 5742
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+3c00 0008 0000 0011
+0000 0000 0000 0000
+0600 0000 0000 0000
+fff3 0017 52ac fbab 0000 0000 5002 8000 d36b 0000
+
+# Case 4: ipv6,fragment[id=10,off=0,m=1],tcp
+[out,eth0]
+6000 0000 001c 2c40
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+fe80 0000 0000 0000 020c 29ff fe21 5742
+0600 0001 0000 0010
+0017 fff3 0000 0000 52ac fbac 5014 0000 cd26 0000
+
+# Normal TCP Reset
+[out,eth0]
+6000 0000 0014 0640
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+fe80 0000 0000 0000 020c 29ff fe21 5742
+0017 fff3 0000 0000 52ac fbac 5014 0000 cd26 0000
+
+# Case 4: ipv6,fragment[id=12,off=0,m=1],tcp
+[in,eth0]
+600a af74 0038 2c40
+fe80 0000 0000 0000 020c 29ff fe21 5742
+fe80 0000 0000 0000 020c 29ff fe6e eb5a
+0600 0001 0000 0012
+fff3 0017 52ac fbab 0000 0000 c002 8000 d36b 0000
+0204 05a0 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000 0000 0000
+
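Review bot: Several fragment comments in the second half of this file disagree with the fragment headers under them. The layout line should read `[32-63:id]`; Case 5 is labelled `off=5,m=1` but its header `0600 0030 0000 0010` encodes offset 6 (48 bytes) with M clear; Case 2 is labelled `off=3` but `3c00 0008 0000 0011` encodes offset 1. Case 3 (`0600 0008`) lands inside the 48-byte TCP header carried by the first Case 4, so these look like overlapping-fragment cases, where the exact offsets are what is under test. Please make either the comments or the bytes authoritative and note that the ids are written in hexadecimal. The label "Case 4" is also reused for three different packets.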
diff --git a/contrib/ipfilter/test/input/ipv6.6 b/contrib/ipfilter/test/input/ipv6.6
index 82efeac..fffbad2 100644
--- a/contrib/ipfilter/test/input/ipv6.6
+++ b/contrib/ipfilter/test/input/ipv6.6
@@ -15,3 +15,17 @@ ef00 1001 2002 0001 0000 0000 0000 0070
1100 0008 0000 0001
0000 0000 0000 0000 0000 0000 0000 0000
+[out,gif0]
+6000 0000 001e 2c01
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+1100 0001 0000 0001
+0000 0000 0000 0000 0000 0000 0000
+
+[out,gif0]
+6000 0000 0020 2c01
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+1100 001c 0000 0001
+0000 0000 0000 0000 0000 0000 0000 0000
+
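Review bot: Both packets added here declare an IPv6 payload length 8 bytes larger than the hex that follows the 40-byte header: `001e` (30) against 22 bytes in the first, and `0020` (32) against 24 bytes in the second. If the short packets are deliberate, the file should say so; otherwise the length words or the data lines need adjusting. Neither packet has a description, so comments in the style used by the fragment test earlier in this commit would make the intent checkable, for example `# ipv6,fragment[id=1,off=0,m=1],udp` and `# ipv6,fragment[id=1,off=3,m=0],udp`. The start of the file is outside the hunk, so the earlier packets could not be compared.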
diff --git a/contrib/ipfilter/test/input/n10 b/contrib/ipfilter/test/input/n10
index 321ed0b..1e919cc 100644
--- a/contrib/ipfilter/test/input/n10
+++ b/contrib/ipfilter/test/input/n10
@@ -1,6 +1,6 @@
# TCP SYN packet with an MSS option
[out,ppp0]
-4500 002c 10c9 4000 ff06 3289 c0a8 0103
-96cb e002 8032 0015 bd6b c9c8 0000 0000
+4500 002c 10c9 4000 ff06 3289 c0a8 0103 96cb e002
+8032 0015 bd6b c9c8 0000 0000
6002 2238 35f9 0000 0204 05b4
diff --git a/contrib/ipfilter/test/input/n100 b/contrib/ipfilter/test/input/n100
new file mode 100644
index 0000000..94ff8c4
--- /dev/null
+++ b/contrib/ipfilter/test/input/n100
@@ -0,0 +1,8 @@
+out on zx0 255 1.1.1.1 2.3.2.3
+out on zx0 255 1.1.1.1 2.2.2.3
+out on zx0 255 1.1.1.2 2.2.2.3
+out on zx0 255 1.2.1.2 2.2.2.3
+out on zx0 255 1.1.1.1 2.2.2.4
+out on zx0 255 1.1.1.1 2.2.2.3
+out on zx0 tcp 1.1.1.1,101 2.3.2.3,203
+out on zx0 tcp 1.1.1.1,101 2.2.2.3,203
diff --git a/contrib/ipfilter/test/input/n101 b/contrib/ipfilter/test/input/n101
new file mode 100644
index 0000000..94ff8c4
--- /dev/null
+++ b/contrib/ipfilter/test/input/n101
@@ -0,0 +1,8 @@
+out on zx0 255 1.1.1.1 2.3.2.3
+out on zx0 255 1.1.1.1 2.2.2.3
+out on zx0 255 1.1.1.2 2.2.2.3
+out on zx0 255 1.2.1.2 2.2.2.3
+out on zx0 255 1.1.1.1 2.2.2.4
+out on zx0 255 1.1.1.1 2.2.2.3
+out on zx0 tcp 1.1.1.1,101 2.3.2.3,203
+out on zx0 tcp 1.1.1.1,101 2.2.2.3,203
diff --git a/contrib/ipfilter/test/input/n102 b/contrib/ipfilter/test/input/n102
new file mode 100644
index 0000000..94ff8c4
--- /dev/null
+++ b/contrib/ipfilter/test/input/n102
@@ -0,0 +1,8 @@
+out on zx0 255 1.1.1.1 2.3.2.3
+out on zx0 255 1.1.1.1 2.2.2.3
+out on zx0 255 1.1.1.2 2.2.2.3
+out on zx0 255 1.2.1.2 2.2.2.3
+out on zx0 255 1.1.1.1 2.2.2.4
+out on zx0 255 1.1.1.1 2.2.2.3
+out on zx0 tcp 1.1.1.1,101 2.3.2.3,203
+out on zx0 tcp 1.1.1.1,101 2.2.2.3,203
diff --git a/contrib/ipfilter/test/input/n103 b/contrib/ipfilter/test/input/n103
new file mode 100644
index 0000000..7957799
--- /dev/null
+++ b/contrib/ipfilter/test/input/n103
@@ -0,0 +1,8 @@
+out on zx0 tcp 1.1.1.1,101 2.3.2.3,203
+out on zx0 tcp 1.1.1.1,101 2.2.2.3,203
+out on zx0 tcp 1.1.1.1,101 2.2.2.3,203
+out on zx0 tcp 1.1.1.2,101 2.2.2.3,203
+out on zx0 tcp 10.10.10.10,101 2.2.2.3,203
+out on zx0 tcp 5.5.5.5,101 2.2.2.3,203
+in on zx0 tcp 2.2.2.3,4000 4.4.4.4,1000
+out on zx0 tcp 7.7.7.7,101 2.2.2.3,203
diff --git a/contrib/ipfilter/test/input/n104 b/contrib/ipfilter/test/input/n104
new file mode 100644
index 0000000..bb46b28
--- /dev/null
+++ b/contrib/ipfilter/test/input/n104
@@ -0,0 +1,48 @@
+[out,zx0]
+4500 0028 0001 0000 ff06 b5c9 0101 0101 0202 0202
+0065 00cb 0000 0001 1000 0001 5010 2000 789d 0000
+
+[in,zx0]
+4500 0028 0002 0000 ff06 b1c2 0606 0001 0404 0001
+0fa0 03e8 0000 0001 1000 0001 5010 2000 623f 0000
+
+[out,zx0]
+4500 0028 0003 0000 ff06 b5c7 0101 0101 0202 0202
+0066 00cb 0000 0001 1000 0001 5010 2000 789c 0000
+
+[in,zx0]
+4500 0028 0004 0000 ff06 b1bf 0606 0001 0404 0002
+0fa0 03e8 0000 0001 1000 0001 5010 2000 623e 0000
+
+[out,zx0]
+4500 0028 0005 0000 ff06 b5c5 0101 0101 0202 0202
+0067 00cb 0000 0001 1000 0001 5010 2000 789b 0000
+
+[in,zx0]
+4500 0028 0006 0000 ff06 b1bd 0606 0001 0404 0002
+0fa0 03e9 0000 0001 1000 0001 5010 2000 623d 0000
+
+[out,zx0]
+4500 0028 0007 0000 ff06 b5c3 0101 0101 0202 0202
+0068 00cb 0000 0001 1000 0001 5010 2000 789a 0000
+
+[in,zx0]
+4500 0028 0008 0000 ff06 b1ba 0606 0002 0404 0002
+0fa0 03e9 0000 0001 1000 0001 5010 2000 623c 0000
+
+[out,zx0]
+4500 0028 0009 0000 ff06 b5c1 0101 0101 0202 0202
+0069 00cb 0000 0001 1000 0001 5010 2000 7899 0000
+
+[in,zx0]
+4500 0028 000a 0000 ff06 b1b8 0606 0002 0404 0002
+0fa1 03e9 0000 0001 1000 0001 5010 2000 623b 0000
+
+[out,zx0]
+4500 0028 000b 0000 ff06 b5bf 0101 0101 0202 0202
+006a 00cb 0000 0001 1000 0001 5010 2000 7898 0000
+
+[in,zx0]
+4500 0028 000c 0000 ff06 b1b5 0606 0002 0404 0003
+0fa1 03e9 0000 0001 1000 0001 5010 2000 623a 0000
+
diff --git a/contrib/ipfilter/test/input/n105 b/contrib/ipfilter/test/input/n105
new file mode 100644
index 0000000..63b68f0
--- /dev/null
+++ b/contrib/ipfilter/test/input/n105
@@ -0,0 +1,8 @@
+[in,zx0]
+4500 0028 0001 0000 ff06 b5c9 0101 0101 0202 0202
+0065 0050 0000 0001 1000 0001 5010 2000 7918 0000
+
+[out,zx0]
+4500 0028 0001 0000 ff06 adc0 0606 0001 0404 0404
+0c38 03e8 0000 0001 1000 0001 5010 2000 61a4 0000
+
diff --git a/contrib/ipfilter/test/input/n106 b/contrib/ipfilter/test/input/n106
new file mode 100644
index 0000000..4e93378
--- /dev/null
+++ b/contrib/ipfilter/test/input/n106
@@ -0,0 +1,8 @@
+[out,zx0]
+4500 0028 0001 0000 ff06 b5c9 0101 0101 0202 0202
+0065 0050 0000 0001 1000 0001 5010 2000 7918 0000
+
+[in,zx0]
+4500 0028 0001 0000 ff06 adc0 0606 0001 0404 0404
+0c38 03e8 0000 0001 1000 0001 5010 2000 61a4 0000
+
diff --git a/contrib/ipfilter/test/input/n10_6 b/contrib/ipfilter/test/input/n10_6
new file mode 100644
index 0000000..5c1f5af
--- /dev/null
+++ b/contrib/ipfilter/test/input/n10_6
@@ -0,0 +1,6 @@
+# TCP SYN packet with an MSS option
+[out,ppp0]
+6000 0000 0018 06ff c0a8 0100 0000 0000 0000 0000 0000 0003 96cb e000 0000 0000 0000 0000 0000 0002
+8032 0015 bd6b c9c8 0000 0000
+6002 2238 35f9 0000 0204 05b4
+
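Review bot: The reason for the unusual addresses in this new file is not documented, and it is easy to break by accident. `c0a8:0100::3` and `96cb:e000::2` appear to be chosen so that their 16-bit words sum to the same value as `c0a8 0103` and `96cb e002` in n10, which lets the TCP checksum `35f9` carry over unchanged to the IPv6 pseudo-header. n12_6 follows the same pattern with `c0a8:7e00::53`, `c0a8:0300::3` and `c0a8:0100::bc`. A line such as `# addresses split the IPv4 words of n10 so the TCP checksum (35f9) stays valid` would warn anyone who edits an address that the checksum must be recomputed.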
diff --git a/contrib/ipfilter/test/input/n11_6 b/contrib/ipfilter/test/input/n11_6
new file mode 100644
index 0000000..128e45a
--- /dev/null
+++ b/contrib/ipfilter/test/input/n11_6
@@ -0,0 +1,16 @@
+out6 on zx0 255 10:1:1::0 10:1:1::2
+out6 on zx0 255 10:1:1::1 10:1:1::2
+out6 on zx0 255 10:1:1::2 10:1:1::1
+out6 on zx0 255 10::2:2:1 10:1:2::1
+out6 on zx0 255 10::2:2:2 10:1:2::1
+in6 on zx0 255 10:1:1::1 10:1:1::2
+in6 on zx0 255 10:1:1::2 10:1:1::1
+in6 on zx0 255 10::2:2:1 10::2:1:1
+in6 on zx0 255 10::2:2:2 10::2:1:1
+in6 on zx0 255 10::2:2:3 10:1:1::1
+in6 on zx0 255 10::2:3:4 10::2:2:2
+in6 on zx0 255 10:1:1::1 10::2:2:2
+in6 on zx0 255 10:1:1::2 10::2:2:2
+in6 on zx0 255 10:1:1::0 10::3:4:5
+in6 on zx0 255 10:1:1::1 10::3:4:5
+in6 on zx0 255 10:1:1::2 10::3:4:5
diff --git a/contrib/ipfilter/test/input/n12 b/contrib/ipfilter/test/input/n12
index fb4d76d..16e479e 100644
--- a/contrib/ipfilter/test/input/n12
+++ b/contrib/ipfilter/test/input/n12
@@ -1,18 +1,18 @@
[out,le0=192.168.1.188]
-4510 0040 2020 4000 4006 17e1 c0a8 7e53
-c0a8 0303 12c2 0017 4e33 298e 0000 0000
+4510 0040 2020 4000 4006 17e1 c0a8 7e53 c0a8 0303
+12c2 0017 4e33 298e 0000 0000
b002 4000 07af 0000 0204 05b4 0101 0402
0103 0300 0101 080a 0c72 549e 0000 0000
[in,le0]
-4500 003c 00b0 4000 fe06 f5fb c0a8 0303
-c0a8 01bc 0017 2710 f674 e02c 4e33 298f
+4500 003c 00b0 4000 fe06 f5fb c0a8 0303 c0a8 01bc
+0017 2710 f674 e02c 4e33 298f
a012 2798 e317 0000 0101 080a 2c05 b797
0c72 549e 0103 0300 0204 05b4
[out,le0]
-4510 0034 493b 4000 4006 eed1 c0a8 7e53
-c0a8 0303 12c2 0017 4e33 298f f674 e02d
+4510 0034 493b 4000 4006 eed1 c0a8 7e53 c0a8 0303
+12c2 0017 4e33 298f f674 e02d
8010 4000 8e2a 0000 0101 080a 0c72 549e
2c05 b797
diff --git a/contrib/ipfilter/test/input/n12_6 b/contrib/ipfilter/test/input/n12_6
new file mode 100644
index 0000000..8583acb
--- /dev/null
+++ b/contrib/ipfilter/test/input/n12_6
@@ -0,0 +1,18 @@
+[out,le0=c0a8:0100::bc]
+6000 0000 002c 0640 c0a8 7e00 0000 0000 0000 0000 0000 0053 c0a8 0300 0000 0000 0000 0000 0000 0003
+12c2 0017 4e33 298e 0000 0000
+b002 4000 07af 0000 0204 05b4 0101 0402
+0103 0300 0101 080a 0c72 549e 0000 0000
+
+[in,le0]
+6000 0000 0028 06fe c0a8 0300 0000 0000 0000 0000 0000 0003 c0a8 0100 0000 0000 0000 0000 0000 00bc
+0017 2710 f674 e02c 4e33 298f
+a012 2798 e317 0000 0101 080a 2c05 b797
+0c72 549e 0103 0300 0204 05b4
+
+[out,le0]
+6000 0000 0020 0640 c0a8 7e00 0000 0000 0000 0000 0000 0053 c0a8 0300 0000 0000 0000 0000 0000 0003
+12c2 0017 4e33 298f f674 e02d
+8010 4000 8e2a 0000 0101 080a 0c72 549e
+2c05 b797
+
diff --git a/contrib/ipfilter/test/input/n13_6 b/contrib/ipfilter/test/input/n13_6
new file mode 100644
index 0000000..54b262d
--- /dev/null
+++ b/contrib/ipfilter/test/input/n13_6
@@ -0,0 +1,4 @@
+out6 on le0 192:168:1::1 150:1:1::1
+out6 on le0 192:168:1::1 150:1:1::2
+out6 on le0 192:168:1::2 150:1:1::2
+out6 on le0 192:168:1::3 150:1:1::1
diff --git a/contrib/ipfilter/test/input/n14_6 b/contrib/ipfilter/test/input/n14_6
new file mode 100644
index 0000000..f5dd5d3
--- /dev/null
+++ b/contrib/ipfilter/test/input/n14_6
@@ -0,0 +1,4 @@
+in6 on gre0 tcp 10::2:2:5,2000 203:1:1::1,80
+in6 on gre0 tcp 10::2:2:6,2000 203:1:1::1,80
+in6 on gre0 tcp 10::2:2:7,2000 203:1:1::1,80
+in6 on gre0 tcp 10::2:2:5,2001 203:1:1::1,80
diff --git a/contrib/ipfilter/test/input/n15 b/contrib/ipfilter/test/input/n15
new file mode 100644
index 0000000..715848e
--- /dev/null
+++ b/contrib/ipfilter/test/input/n15
@@ -0,0 +1,2 @@
+in on le0 tcp 9.9.9.9,10011 5.5.5.5,80
+in on le0 tcp 9.9.9.9,10011 2.2.2.2,80
diff --git a/contrib/ipfilter/test/input/n15_6 b/contrib/ipfilter/test/input/n15_6
new file mode 100644
index 0000000..4a56138
--- /dev/null
+++ b/contrib/ipfilter/test/input/n15_6
@@ -0,0 +1,2 @@
+in6 on le0 tcp 9:9:9::9,10011 5:5::5:5,80
+in6 on le0 tcp 9:9:9::9,10011 2::2:2:2,80
diff --git a/contrib/ipfilter/test/input/n16 b/contrib/ipfilter/test/input/n16
index 2e77e40..ad09a45 100644
--- a/contrib/ipfilter/test/input/n16
+++ b/contrib/ipfilter/test/input/n16
@@ -8,33 +8,33 @@ a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
[out,vlan2]
-4520 0068 17e4 0000 6a11 ccba c05b ac33
-ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5
+4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
[in,vlan2]
-4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
-c05b ac33 0303 4ca1 0000 0000 4520 0068
-17e4 0000 6a11 ccba c05b ac33 ac1f 5318
-1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318 c05b ac33
+0303 4ca1 0000 0000
+4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
[out,vlan0]
-4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
-c05b ac33 0303 4ca1 0000 0000 4520 0068
-17e4 0000 6a11 ccba c05b ac33 ac1f 5318
-1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318 c05b ac33
+0303 4ca1 0000 0000
+4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
diff --git a/contrib/ipfilter/test/input/n17 b/contrib/ipfilter/test/input/n17
new file mode 100644
index 0000000..29709de
--- /dev/null
+++ b/contrib/ipfilter/test/input/n17
@@ -0,0 +1,24 @@
+[out,zx0]
+4500 00a0 0000 0100 3f06 7555 0101 0101 0201 0101
+0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000
+
+[in,zx0]
+4500 00a0 0000 0100 3f06 7553 0201 0101 0101 0103
+0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000
+
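Review bot: Both packets in this new file carry `0100` in the flags/fragment-offset word, which marks a non-first fragment at offset 256 (2048 bytes), yet the bytes after the IP header are laid out as a TCP header (ports `0401` and `0019`). The IPv6 counterpart n17_6 added in the same commit uses next header 06 with no fragment header, so the two inputs may not exercise the same code path. A leading comment stating the intent would settle whether the offset is deliberate, for example `# TCP 1.1.1.1,1025 -> 2.1.1.1,25 sent as a non-first fragment (off=0x100)` if that is what is meant.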
diff --git a/contrib/ipfilter/test/input/n17_6 b/contrib/ipfilter/test/input/n17_6
new file mode 100644
index 0000000..a176c15
--- /dev/null
+++ b/contrib/ipfilter/test/input/n17_6
@@ -0,0 +1,24 @@
+[out,zx0]
+6000 0000 008c 063f 0001 0000 0000 0000 0000 0001 0001 0001 0002 0000 0000 0000 0000 0001 0001 0001
+0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000
+
+[in,zx0]
+6000 0000 008c 063f 0002 0000 0000 0000 0000 0001 0001 0001 0001 0000 0000 0000 0000 0001 0001 0003
+0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000
+
diff --git a/contrib/ipfilter/test/input/n18 b/contrib/ipfilter/test/input/n18
new file mode 100644
index 0000000..a7a610c
--- /dev/null
+++ b/contrib/ipfilter/test/input/n18
@@ -0,0 +1,8 @@
+out on z0 tcp 2.2.2.2,22 3.3.3.3,30
+out on z0 tcp 2.2.2.2,23 3.3.3.3,31
+out on z0 tcp 2.2.2.2,24 3.3.3.3,32
+out on z0 tcp 2.2.2.2,25 3.3.3.3,33
+out on z0 tcp 2.2.2.2,26 3.3.3.3,34
+out on z0 tcp 2.2.2.2,27 3.3.3.3,35
+out on z0 tcp 2.2.2.2,28 3.3.3.3,36
+out on z0 tcp 2.2.2.2,29 3.3.3.3,37
diff --git a/contrib/ipfilter/test/input/n1_6 b/contrib/ipfilter/test/input/n1_6
new file mode 100644
index 0000000..c1badab
--- /dev/null
+++ b/contrib/ipfilter/test/input/n1_6
@@ -0,0 +1,34 @@
+out6 on zx0 255 10:1:1::0 10:1:1::2
+out6 on zx0 255 10:1:1::1 10:1:1::2
+out6 on zx0 255 10:1:1::2 10:1:1::1
+out6 on zx0 tcp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::2,1026 10:1:1::1,1025
+out6 on zx0 255 10::2:2:1 10:1:2::1
+out6 on zx0 255 10::2:2:2 10:1:2::1
+in6 on zx0 255 10:1:1::1 10:1:1::2
+in6 on zx0 255 10:1:1::2 10:1:1::1
+in6 on zx0 255 10::2:2:1 10::2:1:1
+in6 on zx0 255 10::2:2:2 10::2:1:1
+in6 on zx0 255 10::2:2:3 10:1:1::1
+in6 on zx0 255 10::2:3:4 10::2:2:2
+in6 on zx0 255 10:1:1::1 10::2:2:2
+in6 on zx0 255 10:1:1::2 10::2:2:2
+in6 on zx0 255 10:1:1::0 10::3:4:5
+in6 on zx0 255 10:1:1::1 10::3:4:5
+in6 on zx0 255 10:1:1::2 10::3:4:5
+in6 on zx0 tcp 10:1:1::1,1025 10::3:4:5,1025
+out6 on zx0 58 10:1:1::1 10:4:3::2
+in6 on zx0 58 10:4:3::2 10::2:2:2
+in6 on zx0 58 10:4:3::2 10::3:4:1
+in6 on zx0 58 10:4:3::2 10::3:4:2
+in6 on zx0 58 10:4:3::2 10::3:4:3
+in6 on zx0 58 10:4:3::2 10::3:4:4
+in6 on zx0 58 10:4:3::2 10::3:4:5
+out6 on zx0 34 10:1:1::2 10:4:3::2
+in6 on zx0 34 10:4:3::2 10::3:4:4
+out6 on zx0 34 10:1:1::2 10:4:3::4
+in6 on zx0 34 10:4:3::4 10::3:4:5
+out6 on zx0 34 10:1:1::3 10:4:3::4
+in6 on zx0 34 10:4:3::4 10::3:4:6
+out6 on zx0 35 10:1:1::3 10:4:3::4
+in6 on zx0 35 10:4:3::4 10::3:4:7
diff --git a/contrib/ipfilter/test/input/n200 b/contrib/ipfilter/test/input/n200
new file mode 100644
index 0000000..9b02158
--- /dev/null
+++ b/contrib/ipfilter/test/input/n200
@@ -0,0 +1,6 @@
+[in,bar0]
+4500 0028 0000 0000 0006 435a 6363 6363 5858 5858 038d 0050 0000 0000 0000 0000 5000 1000 2491 0000
+
+[out,bar0]
+4500 0044 0000 0000 ff11 bda6 7f00 0001 7f00 0001 2775 2775 0030 0000 4500 0028 0000 0000 0006 435a 6363 6363 5858 5858 038d 0050 0000 0000 0000 0000 5000 1000 2491 0000
+
diff --git a/contrib/ipfilter/test/input/n2_6 b/contrib/ipfilter/test/input/n2_6
new file mode 100644
index 0000000..3ea74ff
--- /dev/null
+++ b/contrib/ipfilter/test/input/n2_6
@@ -0,0 +1,19 @@
+out6 on zx0 tcp 10:1:1::1,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::1,1025 10:1:1::2,1025
+out6 on zx0 10:1:1::0 10:1:1::2
+out6 on zx0 10:1:1::1 10:1:2::1
+out6 on zx0 tcp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::2,1026 10:1:1::1,1025
+out6 on zx0 udp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::3,2000 10:1:2::1,80
+out6 on zx0 tcp 10:1:1::3,2001 10:1:3::1,80
+out6 on zx0 tcp 10:1:1::3,2002 10:1:4::1,80
+out6 on zx0 tcp 10:1:1::3,2003 10:1:4::1,80
+in6 on zx0 10:1:1::1 10:1:1::2
+in6 on zx0 tcp 10:1:1::1,1025 10:1:1::2,1025
+in6 on zx0 10:1:1::2 10:1:1::1
+in6 on zx0 tcp 10:1:1::1,1026 10::3:4:5,40000
+in6 on zx0 tcp 10:1:1::1,1025 10::3:4:5,40000
+in6 on zx0 udp 10:1:1::2,1025 10::3:4:5,40001
+in6 on zx0 tcp 10:1:2::1,80 10::3:4:5,40001
diff --git a/contrib/ipfilter/test/input/n4_6 b/contrib/ipfilter/test/input/n4_6
new file mode 100644
index 0000000..8f0f423
--- /dev/null
+++ b/contrib/ipfilter/test/input/n4_6
@@ -0,0 +1,10 @@
+in6 on zx0 tcp 10:3:3::3,12345 10:1:1::1,23
+out6 on zx0 tcp 10::2:2:1,10023 10:3:3::3,12345
+in6 on zx0 tcp 10:3:3::3,12345 10:1:1::1,53
+out6 on zx0 tcp 10::2:2:1,10053 10:3:3::3,12345
+in6 on zx0 tcp 10:3:3::3,12346 10:1:0::0,23
+out6 on zx0 tcp 10::2:2:1,10023 10:3:3::3,12346
+in6 on zx0 udp 10:3:3::3,12345 10:1:1::0,53
+out6 on zx0 udp 10::2:2:1,10053 10:3:3::3,12345
+in6 on zx0 tcp 10:3:3::3,12345 10:1:1::0,53
+out6 on zx0 tcp 10::2:2:1,53 10:3:3::3,12345
diff --git a/contrib/ipfilter/test/input/n5_6 b/contrib/ipfilter/test/input/n5_6
new file mode 100644
index 0000000..9ac0c29
--- /dev/null
+++ b/contrib/ipfilter/test/input/n5_6
@@ -0,0 +1,54 @@
+out6 on zx0 255 10:1:1::0 10:1:1::2
+out6 on zx0 255 10:1:1::1 10:1:1::2
+out6 on zx0 255 10:1:1::2 10:1:1::1
+out6 on zx0 tcp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::2,1026 10:1:1::1,1025
+out6 on zx0 255 10::2:2:1 10:1:2::1
+out6 on zx0 255 10::2:2:2 10:1:2::1
+in6 on zx0 255 10:1:1::1 10:1:1::2
+in6 on zx0 255 10:1:1::2 10:1:1::1
+in6 on zx0 255 10::2:2:1 10::2:1:1
+in6 on zx0 255 10::2:2:2 10::2:1:1
+in6 on zx0 255 10::2:2:3 10:1:1::1
+in6 on zx0 255 10::2:3:4 10::2:2:2
+in6 on zx0 255 10:1:1::1 10::2:2:2
+in6 on zx0 255 10:1:1::2 10::2:2:2
+in6 on zx0 255 10:1:1::0 10::3:4:5
+in6 on zx0 255 10:1:1::1 10::3:4:5
+in6 on zx0 255 10:1:1::2 10::3:4:5
+in6 on zx0 tcp 10:1:1::1,1025 10::3:4:5,1025
+out6 on zx0 58 10:1:1::1 10:4:3::2
+in6 on zx0 58 10:4:3::2 10::2:2:2
+in6 on zx0 58 10:4:3::2 10::3:4:3
+in6 on zx0 58 10:4:3::2 10::3:4:5
+out6 on zx0 34 10:1:1::2 10:4:3::2
+in6 on zx0 34 10:4:3::2 10::3:4:4
+out6 on zx0 34 10:1:1::2 10:4:3::4
+in6 on zx0 34 10:4:3::4 10::3:4:5
+out6 on zx0 34 10:1:1::3 10:4:3::4
+in6 on zx0 34 10:4:3::4 10::3:4:6
+out6 on zx0 35 10:1:1::3 10:4:3::4
+in6 on zx0 35 10:4:3::4 10::3:4:7
+out6 on zx0 tcp 10:1:1::1,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::1,1025 10:1:1::2,1025
+out6 on zx0 10:1:1::0 10:1:1::2
+out6 on zx0 10:1:1::1 10:1:2::1
+out6 on zx0 tcp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::2,1026 10:1:1::1,1025
+out6 on zx0 udp 10:1:1::2,1025 10:1:1::1,1025
+out6 on zx0 tcp 10:1:1::3,2000 10:1:2::1,80
+out6 on zx0 tcp 10:1:1::3,2001 10:1:3::1,80
+out6 on zx0 tcp 10:1:1::3,2002 10:1:4::1,80
+out6 on zx0 tcp 10:1:1::3,2003 10:1:4::1,80
+in6 on zx0 10:1:1::1 10:1:1::2
+in6 on zx0 tcp 10:1:1::1,1025 10:1:1::2,1025
+in6 on zx0 10:1:1::2 10:1:1::1
+out6 on zx0 tcp 10:1:1::1,1026 10::3:4:5,40000
+in6 on zx0 tcp 10:1:1::1,1026 10::3:4:5,40000
+out6 on zx0 tcp 10:1:1::1,1025 10::3:4:5,40000
+in6 on zx0 tcp 10:1:1::1,1025 10::3:4:5,40000
+out6 on zx0 udp 10:1:1::2,1025 10::3:4:5,40001
+in6 on zx0 udp 10:1:1::2,1025 10::3:4:5,40001
+out6 on zx0 tcp 10:1:2::1,80 10::3:4:5,40001
+in6 on zx0 tcp 10:1:2::1,80 10::3:4:5,40001
diff --git a/contrib/ipfilter/test/input/n6_6 b/contrib/ipfilter/test/input/n6_6
new file mode 100644
index 0000000..18300cd
--- /dev/null
+++ b/contrib/ipfilter/test/input/n6_6
@@ -0,0 +1,13 @@
+in6 on zx0 tcp 10::2:2:2,12345 10:1:1::1,23
+in6 on zx0 tcp 10::2:2:2,12345 10:1:1::2,23
+in6 on zx0 tcp 10:3:0::1,12345 10:1:2::2,23
+in6 on zx0 tcp 10:3:0::1,12345 10::2:2:2,23
+in6 on zx0 tcp 10:3:3::3,12345 10:1:1::1,23
+in6 on zx0 tcp 10::2:2:2,12345 10:1:1::1,53
+in6 on zx0 tcp 10:3:3::3,12345 10:1:1::1,53
+in6 on zx0 tcp 10::2:2:2,12345 10:1:0::0,23
+in6 on zx0 tcp 10:3:3::3,12345 10:1:0::0,23
+in6 on zx0 udp 10::2:2:2,12345 10:1:1::0,53
+in6 on zx0 udp 10:3:3::3,12345 10:1:1::0,53
+in6 on zx0 tcp 10::2:2:2,12345 10:1:1::0,53
+in6 on zx0 tcp 10:3:3::3,12345 10:1:1::0,53
diff --git a/contrib/ipfilter/test/input/n7_6 b/contrib/ipfilter/test/input/n7_6
new file mode 100644
index 0000000..b31a1de
--- /dev/null
+++ b/contrib/ipfilter/test/input/n7_6
@@ -0,0 +1,9 @@
+in6 on zx0 tcp 10::2:3:1,1230 10:1:1::1,22
+in6 on zx0 tcp 10::2:3:1,1231 10:1:1::1,23
+in6 on zx0 tcp 10::2:3:1,1232 10:1:1::1,50
+in6 on zx0 tcp 10::2:3:1,1233 10:1:1::1,79
+in6 on zx0 tcp 10::2:3:1,1234 10:1:1::1,80
+in6 on zx0 tcp 10::2:3:1,1235 10:1:1::2,80
+in6 on zx0 tcp 10::2:3:1,1236 10:1:1::3,80
+in6 on zx0 tcp 10::2:3:1,1237 10:1:1::4,80
+in6 on zx0 tcp 10::2:3:1,1238 10:1:1::4,80
diff --git a/contrib/ipfilter/test/input/n8 b/contrib/ipfilter/test/input/n8
index 1f5b213..c0a5b3f 100644
--- a/contrib/ipfilter/test/input/n8
+++ b/contrib/ipfilter/test/input/n8
@@ -1,27 +1,31 @@
#v tos len id off ttl p sum src dst
# ICMP ECHO (ping) exchange
-[out,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
+[out,icmp0]
+4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efdf 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
-[in,icmp0] 4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
+[in,icmp0]
+4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
0000 f7df 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
-[out,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
+[out,icmp0]
+4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efde 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
-[in,icmp0] 4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
+[in,icmp0]
+4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
0000 f7de 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
diff --git a/contrib/ipfilter/test/input/n8_6 b/contrib/ipfilter/test/input/n8_6
new file mode 100644
index 0000000..8039f78
--- /dev/null
+++ b/contrib/ipfilter/test/input/n8_6
@@ -0,0 +1,37 @@
+#v tos len id off ttl p sum src dst
+# ICMP ECHO (ping) exchange
+[out,icmp0]
+6000 0000 0040 3aff 0002 0000 0000 0000 0000 0002 0002 0002 0004 0004 0004 0000 0000 0000 0000 0004
+8000 774d 6220 0000 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
+# ECHO reply
+[in,icmp0]
+6000 0000 0040 3aff 0004 0004 0004 0000 0000 0000 0000 0004 0010 0010 0010 0000 0000 0000 0000 0001
+8100 7624 6220 0000 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
+# ECHO request
+[out,icmp0]
+6000 0000 0040 3aff 0002 0000 0000 0000 0000 0002 0002 0002 0004 0004 0004 0000 0000 0000 0000 0004
+8000 774c 6220 0001 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
+# ECHO reply
+[in,icmp0]
+6000 0000 0040 3aff 0004 0004 0004 0000 0000 0000 0000 0004 0010 0010 0010 0000 0000 0000 0000 0001
+8100 7623 6220 0001 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
diff --git a/contrib/ipfilter/test/input/n9 b/contrib/ipfilter/test/input/n9
index c4aada8..5c2d3c7 100644
--- a/contrib/ipfilter/test/input/n9
+++ b/contrib/ipfilter/test/input/n9
@@ -1,27 +1,31 @@
#v tos len id off ttl p sum src dst
# ICMP ECHO (ping) exchange
-[in,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
+[in,icmp0]
+4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efdf 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
-[out,icmp0] 4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
+[out,icmp0]
+4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
0000 f7df 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
-[in,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
+[in,icmp0]
+4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efde 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
-[out,icmp0] 4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
+[out,icmp0]
+4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
0000 f7de 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
diff --git a/contrib/ipfilter/test/input/n9_6 b/contrib/ipfilter/test/input/n9_6
new file mode 100644
index 0000000..42db09d
--- /dev/null
+++ b/contrib/ipfilter/test/input/n9_6
@@ -0,0 +1,34 @@
+#v tos len id off ttl p sum src dst
+# ICMP ECHO (ping) exchange
+[in,icmp0]
+6000 0000 0040 3aff 0002 0000 0000 0000 0000 0002 0002 0002 0004 0004 0004 0000 0000 0000 0000 0004
+8000 774d 6220 0000 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
+[out,icmp0]
+6000 0000 0040 3aff 0010 0010 0010 0000 0000 0000 0000 0001 0002 0000 0000 0000 0000 0002 0002 0002
+8100 762c 6220 0000 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
+[in,icmp0]
+6000 0000 0040 3aff 0002 0000 0000 0000 0000 0002 0002 0002 0004 0004 0004 0000 0000 0000 0000 0004
+8000 774c 6220 0001 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
+[out,icmp0]
+6000 0000 0040 3aff 0010 0010 0010 0000 0000 0000 0000 0001 0002 0000 0000 0000 0000 0002 0002 0002
+8100 762b 6220 0001 3f6f 6e80 000b
+0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
+1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
+2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
+3637
+
diff --git a/contrib/ipfilter/test/input/ni1 b/contrib/ipfilter/test/input/ni1
index fb6b0b6..519325f 100644
--- a/contrib/ipfilter/test/input/ni1
+++ b/contrib/ipfilter/test/input/ni1
@@ -1,55 +1,58 @@
#v tos len id off ttl p sum src dst
# ICMP timeout exceeded in reply to a ICMP packet going out.
+# 2.2.2.2,44489 -> 4.4.4.4,33438
[out,df0]
-4500 0028 4706 4000 0111 26b4 0202 0202
-0404 0404 afc9 829e 0014 6b10 0402 0000
-3be5 468d 000a cfc3
+4500 0028 4706 4000 0111 26b4 0202 0202 0404 0404
+afc9 829e 0014 6b10
+0402 0000 3be5 468d 000a cfc3
[in,df0]
-4500 0038 809a 0000 ff01 2919 0303 0303
-0606 0606 0b00 5f7b 0000 0000
+4500 0038 809a 0000 ff01 2919 0303 0303 0606 0606
+0b00 5f7b 0000 0000
4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404
afc9 829e 0014 6308
[in,df0]
-4500 0044 809a 0000 ff01 290d 0303 0303
-0606 0606 0b00 0939 0000 0000
+4500 0044 809a 0000 ff01 290d 0303 0303 0606 0606
+0b00 0939 0000 0000
4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404
afc9 829e 0014 6308
0402 0000 3be5 468d 000a cfc3
+# 2.2.2.2,2048 -> 4.4.4.4,33438
[out,df0]
-4500 0028 4706 4000 0111 26b4 0202 0202
-0404 0404 0800 829e 0014 12da 0402 0000
-3be5 468d 000a cfc3
+4500 0028 4706 4000 0111 26b4 0202 0202 0404 0404
+0800 829e 0014 12da
+0402 0000 3be5 468d 000a cfc3
[in,df0]
-4500 0038 809a 0000 ff01 2918 0303 0303
-0606 0607 0b00 5f7c 0000 0000
+4500 0038 809a 0000 ff01 2918 0303 0303 0606 0607
+0b00 5f7c 0000 0000
4500 0028 0000 4000 0111 65b1 0606 0607 0404 0404
4e20 829e 0014 c4b0
[in,df0]
-4500 0044 809a 0000 ff01 290c 0303 0303
-0606 0607 0b00 093a 0000 0000
+4500 0044 809a 0000 ff01 290c 0303 0303 0606 0607
+0b00 093a 0000 0000
4500 0028 0000 4000 0111 65b1 0606 0607 0404 0404
4e20 829e 0014 c4b0
0402 0000 3be5 468d 000a cfc3
+# 2.2.2.2,20480 -> 4.4.4.4,33438
[out,df0]
-4500 0028 4706 4000 0111 26b4 0202 0202
-0404 0404 5000 829e 0014 cad9 0402 0000
-3be5 468d 000a cfc3
+4500 0028 4706 4000 0111 26b4 0202 0202 0404 0404
+5000 829e 0014 cad9
+0402 0000 3be5 468d 000a cfc3
[in,df0]
-4500 0038 809a 0000 ff01 2917 0303 0303
-0606 0608 0b00 0775 0000 0000
+4500 0038 809a 0000 ff01 2917 0303 0303 0606 0608
+0b00 0775 0000 0000
4500 0028 0000 4000 0111 65b0 0606 0608 0404 0404
07d0 829e 0014 6308
[in,df0]
-4500 0044 809a 0000 ff01 290b 0303 0303
-0606 0608 0b00 093b 0000 0000
+4500 0044 809a 0000 ff01 290b 0303 0303 0606 0608
+0b00 093b 0000 0000
4500 0028 0000 4000 0111 65b0 0606 0608 0404 0404
07d0 829e 0014 0b00
0402 0000 3be5 468d 000a cfc3
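Review bot: The first added comment, `# 2.2.2.2,44489 -> 4.4.4.4,33438`, does not match the packet beneath it: the UDP source port bytes are `afc9`, which is 45001, whereas 44489 would be `adc9`. The other two added comments agree with their packets (`0800` is 2048, `5000` is 20480), and the destination port `829e` is 33438 in all three. The line should read `# 2.2.2.2,45001 -> 4.4.4.4,33438`. Separately, the unchanged header comment says the reply is to "a ICMP packet", but the outgoing packets have protocol `11` (UDP), so that wording could be corrected in the same pass.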
diff --git a/contrib/ipfilter/test/input/ni10 b/contrib/ipfilter/test/input/ni10
index 48ac225..636c4f1 100644
--- a/contrib/ipfilter/test/input/ni10
+++ b/contrib/ipfilter/test/input/ni10
@@ -2,7 +2,9 @@
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
# IP 4.4.4.4 2.2.2.2 TCP(20480,80)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 04 04 04 04 02 02 02 02 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202
+5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
[out,df0]
@@ -13,7 +15,11 @@
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[out,df0] 45 00 00 58 80 9a 00 00 ff 01 2c fd 03 03 03 03 04 04 04 04 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 04 04 04 04 06 06 06 06 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[out,df0]
+4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
+0303 113f 0000 0000
+4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606
+5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
[out,df0]
diff --git a/contrib/ipfilter/test/input/ni11 b/contrib/ipfilter/test/input/ni11
index 788e603..0650abb 100644
--- a/contrib/ipfilter/test/input/ni11
+++ b/contrib/ipfilter/test/input/ni11
@@ -1,7 +1,9 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202
+5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
diff --git a/contrib/ipfilter/test/input/ni12 b/contrib/ipfilter/test/input/ni12
index 788e603..c44aacc 100644
--- a/contrib/ipfilter/test/input/ni12
+++ b/contrib/ipfilter/test/input/ni12
@@ -1,24 +1,26 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202
+5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
-0303 0fa3 0000 0000
+0303 10bb 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001
+5000 9c40 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0]
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
0303 0735 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
+5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000
0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
+0303 10bb 0000 0000
+4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9c40 0000 0001
diff --git a/contrib/ipfilter/test/input/ni13 b/contrib/ipfilter/test/input/ni13
index 77569ee..70c1952 100644
--- a/contrib/ipfilter/test/input/ni13
+++ b/contrib/ipfilter/test/input/ni13
@@ -1,19 +1,17 @@
# 23:18:36.130424 192.168.113.1.1511 > 192.168.113.3.1723: S 2884651685:2884651685(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
[in,pcn1=192.168.113.3]
-4500 0030 5e11 4000 8006 3961 c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa5 0000 0000
-7002 faf0 21a1 0000 0204 05b4 0101 0402
+4500 0030 5e11 4000 8006 3961 c0a8 7101 c0a8 7103
+05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402
# 23:18:36.130778 192.168.113.3.1723 > 192.168.113.1.1511: S 2774821082:2774821082(0) ack 2884651686 win 32768 <mss 1460> (DF)
[out,pcn1]
-4500 002c 69a6 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68da abf0 4aa6
-6012 8000 a348 0000 0204 05b4
+4500 002c 69a6 4000 4006 6dd0 c0a8 7103 c0a8 7101
+06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4
# 23:18:36.130784 192.168.113.1.1511 > 192.168.113.3.1723: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF)
[in,pcn1]
-4500 00c4 5e12 4000 8006 38cc c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
+4500 00c4 5e12 4000 8006 38cc c0a8 7101 c0a8 7103
+05e7 06bb abf0 4aa6 a564 68db
5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d
0001 0000 0100 0000 0000 0001 0000 0001
0000 0a28 0000 0000 0000 0000 0000 0000
@@ -28,8 +26,8 @@ c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
# 23:18:36.260235 192.168.113.3.1723 > 192.168.113.1.1511: P 1:157(156) ack 157 win 33580: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) (DF)
[out,pcn1]
-4500 00c4 69a7 4000 4006 6d37 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68db abf0 4b42
+4500 00c4 69a7 4000 4006 6d37 c0a8 7103 c0a8 7101
+06bb 05e7 a564 68db abf0 4b42
5018 832c cecf 0000 009c 0001 1a2b 3c4d
0002 0000 0100 0100 0000 0000 0000 0000
0001 0001 6c6f 6361 6c00 0000 0000 0000
@@ -44,8 +42,8 @@ c0a8 7101 06bb 05e7 a564 68db abf0 4b42
# 23:18:36.260252 192.168.113.1.1511 > 192.168.113.3.1723: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(4913) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() (DF)
[in,pcn1]
-4500 00d0 5e13 4000 8006 38bf c0a8 7101
-c0a8 7103 05e7 06bb abf0 4b42 a564 6977
+4500 00d0 5e13 4000 8006 38bf c0a8 7101 c0a8 7103
+05e7 06bb abf0 4b42 a564 6977
5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d
0007 0000 4000 1331 0000 012c 05f5 e100
0000 0003 0000 0003 0040 0000 0000 0000
@@ -60,176 +58,174 @@ c0a8 7103 05e7 06bb abf0 4b42 a564 6977
# 23:18:36.272856 192.168.113.3.1723 > 192.168.113.1.1511: P 157:189(32) ack 325 win 33580: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
[out,pcn1]
-4500 0048 69a8 4000 4006 6db2 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6977 abf0 4bea
+4500 0048 69a8 4000 4006 6db2 c0a8 7103 c0a8 7101
+06bb 05e7 a564 6977 abf0 4bea
5018 832c 36fa 0000 0020 0001 1a2b 3c4d
0008 0000 0000 4000 0100 0000 05f5 e100
0040 0000 0000 0000
# 23:18:36.321819 192.168.113.1.1511 > 192.168.113.3.1723: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
[in,pcn1]
-4500 0040 5e14 4000 8006 394e c0a8 7101
-c0a8 7103 05e7 06bb abf0 4bea a564 6997
+4500 0040 5e14 4000 8006 394e c0a8 7101 c0a8 7103
+05e7 06bb abf0 4bea a564 6997
5018 fa34 e810 0000 0018 0001 1a2b 3c4d
000f 0000 0000 0000 ffff ffff ffff ffff
# 23:18:36.349759 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:0 ppp: LCP 25: Conf-Req(0), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC, Call-Back CBCP
[in,pcn1]
-4500 0039 5e15 0000 802f 792b c0a8 7101
-c0a8 7103 3001 880b 0019 0000 0000 0000
+4500 0039 5e15 0000 802f 792b c0a8 7101 c0a8 7103
+3001 880b 0019 0000 0000 0000
ff03 c021 0100 0015 0104 0578 0506 577f
7c5b 0702 0802 0d03 06
# 23:18:36.389970 192.168.113.3 > 192.168.113.1: gre [KAv1] ID:4000 A:4294967295 [|gre]
[out,pcn1]
-4500 0020 69a9 0000 ff2f eeaf c0a8 7103
-c0a8 7101 2081 880b 0000 4000 ffff ffff
+4500 0020 69a9 0000 ff2f eeaf c0a8 7103 c0a8 7101
+2081 880b 0000 4000 ffff ffff
# 23:18:36.518426 192.168.113.3.1723 > 192.168.113.1.1511: . ack 349 win 33580 (DF)
[out,pcn1]
-4500 0028 69aa 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6997 abf0 4c02
-5010 832c b5c1 0000
+4500 0028 69aa 4000 4006 6dd0 c0a8 7103 c0a8 7101
+06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000
# 23:18:36.555363 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:0 ppp: LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
[out,pcn1]
-4500 0038 69ab 0000 ff2f ee95 c0a8 7103
-c0a8 7101 3001 880b 0018 4000 0000 0000
+4500 0038 69ab 0000 ff2f ee95 c0a8 7103 c0a8 7101
+3001 880b 0018 4000 0000 0000
ff03 c021 0101 0014 0206 0000 0000 0506
22d9 0cfa 0702 0802
# 23:18:36.556030 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:1 A:0 ppp: LCP 11: Conf-Rej(0), Call-Back CBCP
[out,pcn1]
-4500 002f 69ac 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 000b 4000 0000 0001
-0000 0000 ff03 c021 0400 0007 0d03 06
+4500 002f 69ac 0000 ff2f ee9d c0a8 7103 c0a8 7101
+3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06
# 23:18:36.557166 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:1 A:1 ppp: LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
[in,pcn1]
-4500 003c 5e16 0000 802f 7927 c0a8 7101
-c0a8 7103 3081 880b 0018 0000 0000 0001
+4500 003c 5e16 0000 802f 7927 c0a8 7101 c0a8 7103
+3081 880b 0018 0000 0000 0001
0000 0001 ff03 c021 0201 0014 0206 0000
0000 0506 22d9 0cfa 0702 0802
# 23:18:36.557764 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:2 ppp: LCP 22: Conf-Req(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
[in,pcn1]
-4500 0036 5e17 0000 802f 792c c0a8 7101
-c0a8 7103 3001 880b 0016 0000 0000 0002
+4500 0036 5e17 0000 802f 792c c0a8 7101 c0a8 7103
+3001 880b 0016 0000 0000 0002
ff03 c021 0101 0012 0104 0578 0506 577f
7c5b 0702 0802
# 23:18:36.564658 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:2 A:2 ppp: LCP 22: Conf-Ack(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
[out,pcn1]
-4500 003a 69ad 0000 ff2f ee91 c0a8 7103
-c0a8 7101 3081 880b 0016 4000 0000 0002
+4500 003a 69ad 0000 ff2f ee91 c0a8 7103 c0a8 7101
+3081 880b 0016 4000 0000 0002
0000 0002 ff03 c021 0201 0012 0104 0578
0506 577f 7c5b 0702 0802
# 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp
[out,pcn1]
-4500 0032 69ae 0000 ff2f ee98 c0a8 7103
-c0a8 7101 3001 880b 0012 4000 0000 0003
+4500 0032 69ae 0000 ff2f ee98 c0a8 7103 c0a8 7101
+3001 880b 0012 4000 0000 0003
8021 0101 0010 0306 c0a8 0001 0206 002d
0f01
# 23:18:36.570395 192.168.113.1.1511 > 192.168.113.3.1723: P 349:373(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff) (DF)
[in,pcn1]
-4500 0040 5e18 4000 8006 394a c0a8 7101
-c0a8 7103 05e7 06bb abf0 4c02 a564 6997
+4500 0040 5e18 4000 8006 394a c0a8 7101 c0a8 7103
+05e7 06bb abf0 4c02 a564 6997
5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d
000f 0000 0000 0000 0000 0000 ffff ffff
# 23:18:36.573307 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:3 A:3 ppp: LCP 20: Ident(2), Magic-Num=577f7c5b
[in,pcn1]
-4500 0038 5e19 0000 802f 7928 c0a8 7101
-c0a8 7103 3081 880b 0014 0000 0000 0003
+4500 0038 5e19 0000 802f 7928 c0a8 7101 c0a8 7103
+3081 880b 0014 0000 0000 0003
0000 0003 c021 0c02 0012 577f 7c5b 4d53
5241 5356 352e 3130
# 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2)
[out,pcn1]
-4500 003e 69af 0000 ff2f ee8b c0a8 7103
-c0a8 7101 3081 880b 001a 4000 0000 0004
+4500 003e 69af 0000 ff2f ee8b c0a8 7103 c0a8 7101
+3081 880b 001a 4000 0000 0004
0000 0003 ff03 c021 0702 0016 0c02 0012
577f 7c5b 4d53 5241 5356 352e 3130
# 23:18:36.584936 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:4 A:4 ppp: LCP 26: Ident(3), Magic-Num=577f7c5b
[in,pcn1]
-4500 003e 5e1a 0000 802f 7921 c0a8 7101
-c0a8 7103 3081 880b 001a 0000 0000 0004
+4500 003e 5e1a 0000 802f 7921 c0a8 7101 c0a8 7103
+3081 880b 001a 0000 0000 0004
0000 0004 c021 0c03 0018 577f 7c5b 4d53
5241 532d 302d 434c 4159 4d4f 4f52
# 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3)
[out,pcn1]
-4500 0044 69b0 0000 ff2f ee84 c0a8 7103
-c0a8 7101 3081 880b 0020 4000 0000 0005
+4500 0044 69b0 0000 ff2f ee84 c0a8 7103 c0a8 7101
+3081 880b 0020 4000 0000 0005
0000 0004 ff03 c021 0703 001c 0c03 0018
577f 7c5b 4d53 5241 532d 302d 434c 4159
4d4f 4f52
# 23:18:36.588721 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:5 A:5 ppp: CCP 12: Conf-Req(4), MPPC
[in,pcn1]
-4500 0030 5e1b 0000 802f 792e c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0005
+4500 0030 5e1b 0000 802f 792e c0a8 7101 c0a8 7103
+3081 880b 000c 0000 0000 0005
0000 0005 80fd 0104 000a 1206 0100 0001
# 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1)
[out,pcn1]
-4500 002a 69b1 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 0006
+4500 002a 69b1 0000 ff2f ee9d c0a8 7103 c0a8 7101
+3081 880b 0006 4000 0000 0006
0000 0005 80fd 0101 0004
# 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC
[out,pcn1]
-4500 002c 69b2 0000 ff2f ee9a c0a8 7103
-c0a8 7101 3001 880b 000c 4000 0000 0007
+4500 002c 69b2 0000 ff2f ee9a c0a8 7103 c0a8 7101
+3001 880b 000c 4000 0000 0007
80fd 0404 000a 1206 0100 0001
# 23:18:36.590023 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:6 A:7 ppp: IPCP 36: Conf-Req(5), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
[in,pcn1]
-4500 0048 5e1c 0000 802f 7915 c0a8 7101
-c0a8 7103 3081 880b 0024 0000 0000 0006
+4500 0048 5e1c 0000 802f 7915 c0a8 7101 c0a8 7103
+3081 880b 0024 0000 0000 0006
0000 0007 8021 0105 0022 0306 0000 0000
8106 0000 0000 8206 0000 0000 8306 0000
0000 8406 0000 0000
# 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
[out,pcn1]
-4500 0042 69b3 0000 ff2f ee83 c0a8 7103
-c0a8 7101 3081 880b 001e 4000 0000 0008
+4500 0042 69b3 0000 ff2f ee83 c0a8 7103 c0a8 7101
+3081 880b 001e 4000 0000 0008
0000 0006 8021 0405 001c 8106 0000 0000
8206 0000 0000 8306 0000 0000 8406 0000
0000
# 23:18:36.591003 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:7 A:8 ppp: IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp
[in,pcn1]
-4500 0030 5e1d 0000 802f 792c c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0007
+4500 0030 5e1d 0000 802f 792c c0a8 7101 c0a8 7103
+3081 880b 000c 0000 0000 0007
0000 0008 8021 0401 000a 0206 002d 0f01
# 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1
[out,pcn1]
-4500 0030 69b4 0000 ff2f ee94 c0a8 7103
-c0a8 7101 3081 880b 000c 4000 0000 0009
+4500 0030 69b4 0000 ff2f ee94 c0a8 7103 c0a8 7101
+3081 880b 000c 4000 0000 0009
0000 0007 8021 0102 000a 0306 c0a8 0001
# 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1)
[in,pcn1]
-4500 002a 5e1e 0000 802f 7931 c0a8 7101
-c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
+4500 002a 5e1e 0000 802f 7931 c0a8 7101 c0a8 7103
+3081 880b 0006 0000 0000 0008
+0000 0009 80fd 0201 0004
# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
[in,pcn1]
-4500 0032 5e1f 0000 802f 7928 c0a8 7101
-c0a8 7103 3001 880b 0012 0000 0000 0009
+4500 0032 5e1f 0000 802f 7928 c0a8 7101 c0a8 7103
+3001 880b 0012 0000 0000 0009
80fd 0506 0010 577f 7c5b 003c cd74 0000
02dc
# 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6)
[out,pcn1]
-4500 002a 69b5 0000 ff2f ee99 c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 000a
+4500 002a 69b5 0000 ff2f ee99 c0a8 7103 c0a8 7101
+3081 880b 0006 4000 0000 000a
0000 0009 80fd 0606 0004
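Review bot: Trimming the trailing zero bytes from the CCP Conf-Ack packet near the end of this hunk (`0000 0009 80fd 0201 0004 0000 0000` becomes `0000 0009 80fd 0201 0004`) makes the dump exactly ip_len (0x002a) long, so this fixture no longer gives the filter a frame with link-layer padding past the IP total length. The same trim is applied in ni14, ni15, ni16, ni19, ni20 and ni2, and nothing visible in this diff keeps a padded packet elsewhere. How a packet filter treats bytes beyond ip_len is a boundary worth keeping under regression. I would keep one deliberately padded packet, marked with a comment such as `# 4 bytes of Ethernet padding after ip_len; NAT/state must ignore them`.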
diff --git a/contrib/ipfilter/test/input/ni14 b/contrib/ipfilter/test/input/ni14
index 6811321..6bc1276 100644
--- a/contrib/ipfilter/test/input/ni14
+++ b/contrib/ipfilter/test/input/ni14
@@ -1,19 +1,19 @@
# 23:18:36.130424 192.168.113.1.1511 > 192.168.113.3.1723: S 2884651685:2884651685(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
[in,pcn1=192.168.113.3]
-4500 0030 5e11 4000 8006 3961 c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa5 0000 0000
+4500 0030 5e11 4000 8006 3961 c0a8 7101 c0a8 7103
+05e7 06bb abf0 4aa5 0000 0000
7002 faf0 21a1 0000 0204 05b4 0101 0402
# 23:18:36.130778 192.168.113.3.1723 > 192.168.113.1.1511: S 2774821082:2774821082(0) ack 2884651686 win 32768 <mss 1460> (DF)
[out,pcn1]
-4500 002c 69a6 4000 4006 207b 7f00 0001
-c0a8 7101 06bb 05e7 a564 68da abf0 4aa6
+4500 002c 69a6 4000 4006 207b 7f00 0001 c0a8 7101
+06bb 05e7 a564 68da abf0 4aa6
6012 8000 55f3 0000 0204 05b4
# 23:18:36.130784 192.168.113.1.1511 > 192.168.113.3.1723: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF)
[in,pcn1]
-4500 00c4 5e12 4000 8006 38cc c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
+4500 00c4 5e12 4000 8006 38cc c0a8 7101 c0a8 7103
+05e7 06bb abf0 4aa6 a564 68db
5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d
0001 0000 0100 0000 0000 0001 0000 0001
0000 0a28 0000 0000 0000 0000 0000 0000
@@ -28,8 +28,8 @@ c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
# 23:18:36.260235 192.168.113.3.1723 > 192.168.113.1.1511: P 1:157(156) ack 157 win 33580: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) (DF)
[out,pcn1]
-4500 00c4 69a7 4000 4006 1fe2 7f00 0001
-c0a8 7101 06bb 05e7 a564 68db abf0 4b42
+4500 00c4 69a7 4000 4006 1fe2 7f00 0001 c0a8 7101
+06bb 05e7 a564 68db abf0 4b42
5018 832c 817a 0000 009c 0001 1a2b 3c4d
0002 0000 0100 0100 0000 0000 0000 0000
0001 0001 6c6f 6361 6c00 0000 0000 0000
@@ -44,8 +44,8 @@ c0a8 7101 06bb 05e7 a564 68db abf0 4b42
# 23:18:36.260252 192.168.113.1.1511 > 192.168.113.3.1723: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(4913) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() (DF)
[in,pcn1]
-4500 00d0 5e13 4000 8006 38bf c0a8 7101
-c0a8 7103 05e7 06bb abf0 4b42 a564 6977
+4500 00d0 5e13 4000 8006 38bf c0a8 7101 c0a8 7103
+05e7 06bb abf0 4b42 a564 6977
5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d
0007 0000 4000 1331 0000 012c 05f5 e100
0000 0003 0000 0003 0040 0000 0000 0000
@@ -60,176 +60,176 @@ c0a8 7103 05e7 06bb abf0 4b42 a564 6977
# 23:18:36.272856 192.168.113.3.1723 > 192.168.113.1.1511: P 157:189(32) ack 325 win 33580: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
[out,pcn1]
-4500 0048 69a8 4000 4006 205d 7f00 0001
-c0a8 7101 06bb 05e7 a564 6977 abf0 4bea
+4500 0048 69a8 4000 4006 205d 7f00 0001 c0a8 7101
+06bb 05e7 a564 6977 abf0 4bea
5018 832c e9a4 0000 0020 0001 1a2b 3c4d
0008 0000 0000 4000 0100 0000 05f5 e100
0040 0000 0000 0000
# 23:18:36.321819 192.168.113.1.1511 > 192.168.113.3.1723: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
[in,pcn1]
-4500 0040 5e14 4000 8006 394e c0a8 7101
-c0a8 7103 05e7 06bb abf0 4bea a564 6997
+4500 0040 5e14 4000 8006 394e c0a8 7101 c0a8 7103
+05e7 06bb abf0 4bea a564 6997
5018 fa34 e810 0000 0018 0001 1a2b 3c4d
000f 0000 0000 0000 ffff ffff ffff ffff
# 23:18:36.349759 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:0 ppp: LCP 25: Conf-Req(0), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC, Call-Back CBCP
[in,pcn1]
-4500 0039 5e15 0000 802f 792b c0a8 7101
-c0a8 7103 3001 880b 0019 0000 0000 0000
+4500 0039 5e15 0000 802f 792b c0a8 7101 c0a8 7103
+3001 880b 0019 0000 0000 0000
ff03 c021 0100 0015 0104 0578 0506 577f
7c5b 0702 0802 0d03 06
# 23:18:36.389970 192.168.113.3 > 192.168.113.1: gre [KAv1] ID:4000 A:4294967295 [|gre]
[out,pcn1]
-4500 0020 69a9 0000 ff2f a15a 7f00 0001
-c0a8 7101 2081 880b 0000 4000 ffff ffff
+4500 0020 69a9 0000 ff2f a15a 7f00 0001 c0a8 7101
+2081 880b 0000 4000 ffff ffff
# 23:18:36.518426 192.168.113.3.1723 > 192.168.113.1.1511: . ack 349 win 33580 (DF)
[out,pcn1]
-4500 0028 69aa 4000 4006 207b 7f00 0001
-c0a8 7101 06bb 05e7 a564 6997 abf0 4c02
+4500 0028 69aa 4000 4006 207b 7f00 0001 c0a8 7101
+06bb 05e7 a564 6997 abf0 4c02
5010 832c 686c 0000
# 23:18:36.555363 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:0 ppp: LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
[out,pcn1]
-4500 0038 69ab 0000 ff2f a140 7f00 0001
-c0a8 7101 3001 880b 0018 4000 0000 0000
+4500 0038 69ab 0000 ff2f a140 7f00 0001 c0a8 7101
+3001 880b 0018 4000 0000 0000
ff03 c021 0101 0014 0206 0000 0000 0506
22d9 0cfa 0702 0802
# 23:18:36.556030 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:1 A:0 ppp: LCP 11: Conf-Rej(0), Call-Back CBCP
[out,pcn1]
-4500 002f 69ac 0000 ff2f a148 7f00 0001
-c0a8 7101 3081 880b 000b 4000 0000 0001
+4500 002f 69ac 0000 ff2f a148 7f00 0001 c0a8 7101
+3081 880b 000b 4000 0000 0001
0000 0000 ff03 c021 0400 0007 0d03 06
# 23:18:36.557166 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:1 A:1 ppp: LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
[in,pcn1]
-4500 003c 5e16 0000 802f 7927 c0a8 7101
-c0a8 7103 3081 880b 0018 0000 0000 0001
+4500 003c 5e16 0000 802f 7927 c0a8 7101 c0a8 7103
+3081 880b 0018 0000 0000 0001
0000 0001 ff03 c021 0201 0014 0206 0000
0000 0506 22d9 0cfa 0702 0802
# 23:18:36.557764 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:2 ppp: LCP 22: Conf-Req(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
[in,pcn1]
-4500 0036 5e17 0000 802f 792c c0a8 7101
-c0a8 7103 3001 880b 0016 0000 0000 0002
+4500 0036 5e17 0000 802f 792c c0a8 7101 c0a8 7103
+3001 880b 0016 0000 0000 0002
ff03 c021 0101 0012 0104 0578 0506 577f
7c5b 0702 0802
# 23:18:36.564658 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:2 A:2 ppp: LCP 22: Conf-Ack(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
[out,pcn1]
-4500 003a 69ad 0000 ff2f a13c 7f00 0001
-c0a8 7101 3081 880b 0016 4000 0000 0002
+4500 003a 69ad 0000 ff2f a13c 7f00 0001 c0a8 7101
+3081 880b 0016 4000 0000 0002
0000 0002 ff03 c021 0201 0012 0104 0578
0506 577f 7c5b 0702 0802
# 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp
[out,pcn1]
-4500 0032 69ae 0000 ff2f a143 7f00 0001
-c0a8 7101 3001 880b 0012 4000 0000 0003
+4500 0032 69ae 0000 ff2f a143 7f00 0001 c0a8 7101
+3001 880b 0012 4000 0000 0003
8021 0101 0010 0306 c0a8 0001 0206 002d
0f01
# 23:18:36.570395 192.168.113.1.1511 > 192.168.113.3.1723: P 349:373(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff) (DF)
[in,pcn1]
-4500 0040 5e18 4000 8006 394a c0a8 7101
-c0a8 7103 05e7 06bb abf0 4c02 a564 6997
+4500 0040 5e18 4000 8006 394a c0a8 7101 c0a8 7103
+05e7 06bb abf0 4c02 a564 6997
5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d
000f 0000 0000 0000 0000 0000 ffff ffff
# 23:18:36.573307 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:3 A:3 ppp: LCP 20: Ident(2), Magic-Num=577f7c5b
[in,pcn1]
-4500 0038 5e19 0000 802f 7928 c0a8 7101
-c0a8 7103 3081 880b 0014 0000 0000 0003
+4500 0038 5e19 0000 802f 7928 c0a8 7101 c0a8 7103
+3081 880b 0014 0000 0000 0003
0000 0003 c021 0c02 0012 577f 7c5b 4d53
5241 5356 352e 3130
# 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2)
[out,pcn1]
-4500 003e 69af 0000 ff2f a136 7f00 0001
-c0a8 7101 3081 880b 001a 4000 0000 0004
+4500 003e 69af 0000 ff2f a136 7f00 0001 c0a8 7101
+3081 880b 001a 4000 0000 0004
0000 0003 ff03 c021 0702 0016 0c02 0012
577f 7c5b 4d53 5241 5356 352e 3130
# 23:18:36.584936 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:4 A:4 ppp: LCP 26: Ident(3), Magic-Num=577f7c5b
[in,pcn1]
-4500 003e 5e1a 0000 802f 7921 c0a8 7101
-c0a8 7103 3081 880b 001a 0000 0000 0004
+4500 003e 5e1a 0000 802f 7921 c0a8 7101 c0a8 7103
+3081 880b 001a 0000 0000 0004
0000 0004 c021 0c03 0018 577f 7c5b 4d53
5241 532d 302d 434c 4159 4d4f 4f52
# 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3)
[out,pcn1]
-4500 0044 69b0 0000 ff2f a12f 7f00 0001
-c0a8 7101 3081 880b 0020 4000 0000 0005
+4500 0044 69b0 0000 ff2f a12f 7f00 0001 c0a8 7101
+3081 880b 0020 4000 0000 0005
0000 0004 ff03 c021 0703 001c 0c03 0018
577f 7c5b 4d53 5241 532d 302d 434c 4159
4d4f 4f52
# 23:18:36.588721 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:5 A:5 ppp: CCP 12: Conf-Req(4), MPPC
[in,pcn1]
-4500 0030 5e1b 0000 802f 792e c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0005
+4500 0030 5e1b 0000 802f 792e c0a8 7101 c0a8 7103
+3081 880b 000c 0000 0000 0005
0000 0005 80fd 0104 000a 1206 0100 0001
# 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1)
[out,pcn1]
-4500 002a 69b1 0000 ff2f a148 7f00 0001
-c0a8 7101 3081 880b 0006 4000 0000 0006
+4500 002a 69b1 0000 ff2f a148 7f00 0001 c0a8 7101
+3081 880b 0006 4000 0000 0006
0000 0005 80fd 0101 0004
# 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC
[out,pcn1]
-4500 002c 69b2 0000 ff2f a145 7f00 0001
-c0a8 7101 3001 880b 000c 4000 0000 0007
+4500 002c 69b2 0000 ff2f a145 7f00 0001 c0a8 7101
+3001 880b 000c 4000 0000 0007
80fd 0404 000a 1206 0100 0001
# 23:18:36.590023 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:6 A:7 ppp: IPCP 36: Conf-Req(5), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
[in,pcn1]
-4500 0048 5e1c 0000 802f 7915 c0a8 7101
-c0a8 7103 3081 880b 0024 0000 0000 0006
+4500 0048 5e1c 0000 802f 7915 c0a8 7101 c0a8 7103
+3081 880b 0024 0000 0000 0006
0000 0007 8021 0105 0022 0306 0000 0000
8106 0000 0000 8206 0000 0000 8306 0000
0000 8406 0000 0000
# 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
[out,pcn1]
-4500 0042 69b3 0000 ff2f a12e 7f00 0001
-c0a8 7101 3081 880b 001e 4000 0000 0008
+4500 0042 69b3 0000 ff2f a12e 7f00 0001 c0a8 7101
+3081 880b 001e 4000 0000 0008
0000 0006 8021 0405 001c 8106 0000 0000
8206 0000 0000 8306 0000 0000 8406 0000
0000
# 23:18:36.591003 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:7 A:8 ppp: IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp
[in,pcn1]
-4500 0030 5e1d 0000 802f 792c c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0007
+4500 0030 5e1d 0000 802f 792c c0a8 7101 c0a8 7103
+3081 880b 000c 0000 0000 0007
0000 0008 8021 0401 000a 0206 002d 0f01
# 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1
[out,pcn1]
-4500 0030 69b4 0000 ff2f a13f 7f00 0001
-c0a8 7101 3081 880b 000c 4000 0000 0009
+4500 0030 69b4 0000 ff2f a13f 7f00 0001 c0a8 7101
+3081 880b 000c 4000 0000 0009
0000 0007 8021 0102 000a 0306 c0a8 0001
# 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1)
[in,pcn1]
-4500 002a 5e1e 0000 802f 7931 c0a8 7101
-c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
+4500 002a 5e1e 0000 802f 7931 c0a8 7101 c0a8 7103
+3081 880b 0006 0000 0000 0008
+0000 0009 80fd 0201 0004
# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
[in,pcn1]
-4500 0032 5e1f 0000 802f 7928 c0a8 7101
-c0a8 7103 3001 880b 0012 0000 0000 0009
+4500 0032 5e1f 0000 802f 7928 c0a8 7101 c0a8 7103
+3001 880b 0012 0000 0000 0009
80fd 0506 0010 577f 7c5b 003c cd74 0000
02dc
# 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6)
[out,pcn1]
-4500 002a 69b5 0000 ff2f a144 7f00 0001
-c0a8 7101 3081 880b 0006 4000 0000 000a
+4500 002a 69b5 0000 ff2f a144 7f00 0001 c0a8 7101
+3081 880b 0006 4000 0000 000a
0000 0009 80fd 0606 0004
diff --git a/contrib/ipfilter/test/input/ni15 b/contrib/ipfilter/test/input/ni15
index fb445bb..7e7aabd 100644
--- a/contrib/ipfilter/test/input/ni15
+++ b/contrib/ipfilter/test/input/ni15
@@ -218,7 +218,7 @@ c0a8 7101 3081 880b 000c 4000 0000 0009
[out,pcn1]
4500 002a 5e1e 0000 802f 7931 c0a8 7101
c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
+0000 0009 80fd 0201 0004
# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
[out,pcn1]
diff --git a/contrib/ipfilter/test/input/ni16 b/contrib/ipfilter/test/input/ni16
index 24bfcfc..362b98d 100644
--- a/contrib/ipfilter/test/input/ni16
+++ b/contrib/ipfilter/test/input/ni16
@@ -218,7 +218,7 @@ c0a8 7101 3081 880b 000c 4000 0000 0009
[out,pcn1]
4500 002a 5e1e 0000 802f 9ed7 0a02 0202
c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
+0000 0009 80fd 0201 0004
# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
[out,pcn1]
diff --git a/contrib/ipfilter/test/input/ni18 b/contrib/ipfilter/test/input/ni18
new file mode 100644
index 0000000..4e06f79
--- /dev/null
+++ b/contrib/ipfilter/test/input/ni18
@@ -0,0 +1,4 @@
+in on hme0 tcp 2.2.2.2,3000 192.168.1.2,80
+in on hme0 tcp 2.2.2.2,3000 192.168.1.1,80
+out on hme1 tcp 10.1.2.2,5050 4.5.6.7,80;
+out on hme1 tcp 10.1.1.2,5050 4.5.6.7,80;
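Review bot: The two `out` lines end in `;` while the two `in` lines above them do not, and nothing in the new file says the difference is intended. The text-format reader is not shown here, so this is unverified, but if it does not treat `;` as a terminator the destination port token becomes `80;` and the result depends on how leniently that number is parsed. I would drop the trailing `;` from both lines. If it is deliberate, add a first line such as `# trailing ';' on the out lines is intentional: <reason>`.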
diff --git a/contrib/ipfilter/test/input/ni19 b/contrib/ipfilter/test/input/ni19
index d95e68a..3ea706f 100644
--- a/contrib/ipfilter/test/input/ni19
+++ b/contrib/ipfilter/test/input/ni19
@@ -28,7 +28,7 @@ b002 8000 7d87 0000 0204 05b4 0103 0300
[in,bge0]
4500 0028 7ce5 4000 4006 a7e4 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90b8
-5010 05b4 612b 0000 0000 0000 0000
+5010 05b4 612b 0000
# 10.1.1.4.1023 > 10.1.1.1.1008: SYN win 5840 <mss 1460,sackOK,timestamp 3791140 0,nop,wscale 2>
[in,bge0]
@@ -61,7 +61,7 @@ b012 8000 1e85 0000 0204 05b4 0103 0300
[in,bge0]
4500 0028 7ce7 4000 4006 a7e2 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90c0
-5010 05b4 6123 0000 0000 0000 0000
+5010 05b4 6123 0000
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
@@ -76,13 +76,13 @@ b012 8000 1e85 0000 0204 05b4 0103 0300
[in,bge0]
4500 0028 7ce9 4000 4006 a7e0 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90eb
-5010 05b4 60f8 0000 0000 0000 0000
+5010 05b4 60f8 0000
# 10.1.1.4.shell > 10.1.1.1.1009
[in,bge0]
4500 0029 7ceb 4000 4006 a7dd 0a01 0104
0a01 0101 0202 03f1 915a a5c5 6523 90eb
-5018 05b4 60ef 0000 0000 0000 0000
+5018 05b4 60ef 0000 00
# 192.168.113.3.1009 > 10.1.1.4.shell
[out,bge0]
@@ -94,7 +94,7 @@ b012 8000 1e85 0000 0204 05b4 0103 0300
[in,bge0]
4500 002c 7ced 4000 4006 a7d8 0a01 0104
0a01 0101 0202 03f1 915a a5c6 6523 90eb
-5018 05b4 8b71 0000 666f 6f0a 0000
+5018 05b4 8b71 0000 666f 6f0a
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
@@ -107,7 +107,7 @@ b012 8000 1e85 0000 0204 05b4 0103 0300
[in,bge0]
4500 0028 7cef 4000 4006 a7da 0a01 0104
0a01 0101 0202 03f1 915a a5ca 6523 90eb
-5011 05b4 60f2 0000 0000 0000 0000
+5011 05b4 60f2 0000
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
@@ -146,7 +146,7 @@ b012 8000 1e85 0000 0204 05b4 0103 0300
[in,bge0]
4500 0028 0004 4000 4006 24c6 0a01 0104
0a01 0101 0202 03f1 915a a5cb 6523 90ec
-5010 05b4 60f1 0000 0000 0000 0000
+5010 05b4 60f1 0000
# 10.1.1.4.1023 > 10.1.1.1.1008
[in,bge0]
diff --git a/contrib/ipfilter/test/input/ni2 b/contrib/ipfilter/test/input/ni2
index 3045821..6dcedb7 100644
--- a/contrib/ipfilter/test/input/ni2
+++ b/contrib/ipfilter/test/input/ni2
@@ -1,29 +1,21 @@
# Test of fragmentation required coming from the inside.
[out,xl0]
-4510 002c bd0d 4000 3e06 b1d1
-0a01 0201
-c0a8 0133
+4510 002c bd0d 4000 3e06 b1d1 0a01 0201 c0a8 0133
05f6 0077 a664 2485 0000 0000
6002 4000 b8f2 0000 0204 05b4
[in,xl0]
-4500 002c ce83 4000 7e06 606b
-c0a8 0133
-0a01 0201
+4500 002c ce83 4000 7e06 606b c0a8 0133 0a01 0201
0077 05f6 fbdf 1a21 a664 2486
-6012 2238 c0a8 0000 0204 05b4 0000
+6012 2238 c0a8 0000 0204 05b4
[out,xl0]
-4510 0028 bd0e 4000 3e06 b1d4
-0a01 0201
-c0a8 0133
+4510 0028 bd0e 4000 3e06 b1d4 0a01 0201 c0a8 0133
05f6 0077 a664 2486 fbdf 1a22
5010 4470 b62d 0000
[in,xl0]
-4500 005b cf83 4000 7e06 5f3c
-c0a8 0133
-0a01 0201
+4500 005b cf83 4000 7e06 5f3c c0a8 0133 0a01 0201
0077 05f6 fbdf 1a22 a664 2486
5018 2238 ce2a 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
@@ -31,32 +23,24 @@ c0a8 0133
0000 0000 0000 0000 0000 0a
[out,xl0]
-4510 0028 bd18 4000 3e06 b1ca
-0a01 0201
-c0a8 0133
+4510 0028 bd18 4000 3e06 b1ca 0a01 0201 c0a8 0133
05f6 0077 a664 2486 fbdf 1a55
5010 4470 b5fa 0000
[out,xl0]
-4510 002e bd1e 4000 3e06 b1be
-0a01 0201
-c0a8 0133
+4510 002e bd1e 4000 3e06 b1be 0a01 0201 c0a8 0133
05f6 0077 a664 2486 fbdf 1a55
5018 4470 a8e2 0000 0000 0000 0d0a
[in,xl0]
-4500 0048 e383 4000 7e06 4b4f
-c0a8 0133
-0a01 0201
+4500 0048 e383 4000 7e06 4b4f c0a8 0133 0a01 0201
0077 05f6 fbdf 1a55 a664 248c
5018 2232 d80a 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000
[in,xl0]
-4500 05dc e483 4000 7e06 44bb
-c0a8 0133
-0a01 0201
+4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201
0077 05f6 fbdf 1a75 a664 248c
5010 2232 9f2d 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
@@ -152,10 +136,8 @@ c0a8 0133
0000 0000 0000 0000 0000 0000
[out,xl0]
-4500 0038 d71d 4000 4001 7d22
-c0a8 6401
-c0a8 0133
-0304 3435 0000 05a0
+4500 0038 d71d 4000 4001 7d22 c0a8 6401 c0a8 0133
+0304 da99 0000 05a0
4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201
-0077 05f6 fbdf 1a75 a664
+0077 05f6 fbdf 1a75
diff --git a/contrib/ipfilter/test/input/ni20 b/contrib/ipfilter/test/input/ni20
index 4c2b87e..065ed27 100644
--- a/contrib/ipfilter/test/input/ni20
+++ b/contrib/ipfilter/test/input/ni20
@@ -28,7 +28,7 @@ c0a8 7103 0202 03f1 915a a5c4 6523 90b3
[out,bge0]
4500 0028 7ce5 4000 4006 5a92 c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90b8
-5010 05b4 13d9 0000 0000 0000 0000
+5010 05b4 13d9 0000
# 192.168.113.4.1023 > 192.168.113.3.1008: SYN win 5840 <mss 1460,sackOK,timestamp 3791140 0,nop,wscale 2>
[out,bge0]
@@ -44,26 +44,26 @@ a002 16d0 9218 0000 0204 05b4 0402 080a
b012 8000 1e85 0000 0204 05b4 0103 0300
0101 080a 0000 0000 0039 d924 0402 0101
-# 192.168.113.4.1023 > 192.168.113.3.1008
+# 192.168.113.4.1023 > 192.168.113.3.1008 ACK
[out,bge0]
4500 0034 1188 4000 4006 c5e3 c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811
8010 05b4 b2f3 0000 0101 080a 0039 d925
0000 0000
-# 192.168.113.3.1009 > 10.1.1.4.shell
+# 192.168.113.3.1009 > 10.1.1.4.shell PUSH+ACK
[in,bge0]
4500 0030 e400 4000 4006 1a17 c0a8 7103
0a01 0104 03f1 0202 6523 90b8 915a a5c5
5018 832c 0eb6 0000 6461 7272 656e 7200
-# 192.168.113.4.shell > 192.168.113.3.1009
+# 192.168.113.4.shell > 192.168.113.3.1009 ACK
[out,bge0]
4500 0028 7ce7 4000 4006 5a90 c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90c0
-5010 05b4 13d1 0000 0000 0000 0000
+5010 05b4 13d1 0000
-# 192.168.113.3.1009 > 10.1.1.4.shell
+# 192.168.113.3.1009 > 10.1.1.4.shell PUSH+ACK
[in,bge0]
4500 0053 e401 4000 4006 19f3 c0a8 7103
0a01 0104 03f1 0202 6523 90c0 915a a5c5
@@ -72,83 +72,83 @@ c0a8 7103 0202 03f1 915a a5c5 6523 90c0
3e26 313b 2065 6368 6f20 6261 7220 3e26
3222 00
-# 192.168.113.4.shell > 192.168.113.3.1009
+# 192.168.113.4.shell > 192.168.113.3.1009 ACK
[out,bge0]
4500 0028 7ce9 4000 4006 5a8e c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90eb
-5010 05b4 13a6 0000 0000 0000 0000
+5010 05b4 13a6 0000
-# 192.168.113.4.shell > 192.168.113.3.1009
+# 192.168.113.4.shell > 192.168.113.3.1009 PUSH+ACK
[out,bge0]
4500 0029 7ceb 4000 4006 5a8b c0a8 7104
c0a8 7103 0202 03f1 915a a5c5 6523 90eb
-5018 05b4 139d 0000 0000 0000 0000
+5018 05b4 139d 0000 00
-# 192.168.113.3.1009 > 10.1.1.4.shell
+# 192.168.113.3.1009 > 10.1.1.4.shell ACK
[in,bge0]
4500 0028 e403 4000 4006 1a1c c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5c6
5010 832c bcd4 0000
-# 192.168.113.4.shell > 192.168.113.3.1009
+# 192.168.113.4.shell > 192.168.113.3.1009 PUSH+ACK
[out,bge0]
4500 002c 7ced 4000 4006 5a86 c0a8 7104
c0a8 7103 0202 03f1 915a a5c6 6523 90eb
-5018 05b4 3e1f 0000 666f 6f0a 0000
+5018 05b4 3e1f 0000 666f 6f0a
-# 192.168.113.4.1023 > 192.168.113.3.1008
+# 192.168.113.4.1023 > 192.168.113.3.1008 PUSH+ACK
[out,bge0]
4500 0038 118a 4000 4006 c5dd c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811
8018 05b4 da34 0000 0101 080a 0039 dd6c
0000 0000 6261 720a
-# 192.168.113.4.shell > 192.168.113.3.1009
+# 192.168.113.4.shell > 192.168.113.3.1009 FIN+ACK
[out,bge0]
4500 0028 7cef 4000 4006 5a88 c0a8 7104
c0a8 7103 0202 03f1 915a a5ca 6523 90eb
-5011 05b4 13a0 0000 0000 0000 0000
+5011 05b4 13a0 0000
-# 192.168.113.4.1023 > 192.168.113.3.1008
+# 192.168.113.4.1023 > 192.168.113.3.1008 FIN+ACK
[out,bge0]
4500 0034 118c 4000 4006 c5df c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811
8011 05b4 aea6 0000 0101 080a 0039 dd6d
0000 0000
-# 192.168.113.3.1009 > 10.1.1.4.shell
+# 192.168.113.3.1009 > 10.1.1.4.shell ACK
[in,bge0]
4500 0028 e404 4000 4006 1a1b c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5cb
5010 8328 bcd3 0000
-# 192.168.113.3.1008 > 10.1.1.4.1023
+# 192.168.113.3.1008 > 10.1.1.4.1023 ACK
[in,bge0]
4500 0034 e405 4000 4006 1a0e c0a8 7103
0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
8010 8328 57d7 0000 0101 080a 0000 0004
0039 dd6c
-# 192.168.113.3.1009 > 10.1.1.4.shell
+# 192.168.113.3.1009 > 10.1.1.4.shell FIN+ACK
[in,bge0]
4500 0028 e40a 4000 4006 1a15 c0a8 7103
0a01 0104 03f1 0202 6523 90eb 915a a5cb
5011 832c bcce 0000
-# 192.168.113.3.1008 > 10.1.1.4.1023
+# 192.168.113.3.1008 > 10.1.1.4.1023 FIN+ACK
[in,bge0]
4500 0034 e40b 4000 4006 1a08 c0a8 7103
0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
8011 832c 57d2 0000 0101 080a 0000 0004
0039 dd6c
-# 192.168.113.4.shell > 192.168.113.3.1009
+# 192.168.113.4.shell > 192.168.113.3.1009 ACK
[out,bge0]
4500 0028 0004 4000 4006 d773 c0a8 7104
c0a8 7103 0202 03f1 915a a5cb 6523 90ec
-5010 05b4 139f 0000 0000 0000 0000
+5010 05b4 139f 0000
-# 192.168.113.4.1023 > 192.168.113.3.1008
+# 192.168.113.4.1023 > 192.168.113.3.1008 ACK
[out,bge0]
4500 0034 118e 4000 4006 c5dd c0a8 7104
c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812
diff --git a/contrib/ipfilter/test/input/ni3 b/contrib/ipfilter/test/input/ni3
index 66b22a6..e4d12fe 100644
--- a/contrib/ipfilter/test/input/ni3
+++ b/contrib/ipfilter/test/input/ni3
@@ -1,10 +1,20 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
-[out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[out,df0]
+4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404
+5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 ac ab 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01
+[in,df0]
+4500 0038 809a 0000 ff01 2919 0303 0303 0606 0606
+0303 acab 0000 0000
+4500 003c 4706 4000 ff06 20a2 0606 0606 0404 0404
+5000 0050 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[in,df0] 45 00 00 58 80 9a 00 00 ff 01 28 f9 03 03 03 03 06 06 06 06 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 0058 809a 0000 ff01 28f9 0303 0303 0606 0606
+0303 113f 0000 0000
+4500 003c 4706 4000 ff06 20a2 0606 0606 0404 0404
+5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
diff --git a/contrib/ipfilter/test/input/ni4 b/contrib/ipfilter/test/input/ni4
index ad5575f..dac9f53 100644
--- a/contrib/ipfilter/test/input/ni4
+++ b/contrib/ipfilter/test/input/ni4
@@ -1,10 +1,18 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
-[out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[out,df0]
+4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404
+5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 60 6b 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01
+[in,df0]
+4500 0038 809a 0000 ff01 2919 0303 0303 0606 0606
+0303 606b 0000 0000 4500 003c 4706 4000 ff06 20a2 0606 0606 0404 0404 9c40 0050 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[in,df0] 45 00 00 58 80 9a 00 00 ff 01 28 f9 03 03 03 03 06 06 06 06 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 84 9a 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 0058 809a 0000 ff01 28f9 0303 0303 0606 0606
+0303 113f 0000 0000
+4500 003c 4706 4000 ff06 20a2 0606 0606 0404 0404
+9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
diff --git a/contrib/ipfilter/test/input/ni5 b/contrib/ipfilter/test/input/ni5
index c45be54..4b32e49 100644
--- a/contrib/ipfilter/test/input/ni5
+++ b/contrib/ipfilter/test/input/ni5
@@ -203,7 +203,7 @@
0101 0101 0014 8033 d9f8 11d5 bd78 5c13
5010 269c 8ac7 0000
-# 21,32819 ACK "150 Opening ASCII mode data connection for /bin/ls.\r\n"
+# 21,32818 ACK "150 Opening ASCII mode data connection for /bin/ls.\r\n"
[in,ppp0]
4500 005d ffe9 4000 ef06 12e1 96cb e002
0101 0101 0015 8032 3786 78d5 bd6b ca16
diff --git a/contrib/ipfilter/test/input/ni7 b/contrib/ipfilter/test/input/ni7
index 30f247d..8d07937 100644
--- a/contrib/ipfilter/test/input/ni7
+++ b/contrib/ipfilter/test/input/ni7
@@ -1,13 +1,13 @@
#v tos len id off ttl p sum src dst
# ICMP timeout exceeded in reply to a ICMP packet coming in.
[in,df0]
-4500 0028 4706 4000 0111 26b4 0404 0404
-0202 0202 afc9 829e 0014 6b10 0402 0000
+4500 0028 4706 4000 0111 26b4 0404 0404 0202 0202
+afc9 829e 0014 6b10 0402 0000
3be5 468d 000a cfc3
[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303
-0404 0404 0b00 0125 0000 0000 4500 0028
-4706 4000 0111 1eac 0404 0404 0606 0606
+4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
+0b00 0125 0000 0000
+4500 0028 4706 4000 0111 1eac 0404 0404 0606 0606
afc9 829e 0014 c15e
diff --git a/contrib/ipfilter/test/input/ni8 b/contrib/ipfilter/test/input/ni8
index 788e603..72205ee 100644
--- a/contrib/ipfilter/test/input/ni8
+++ b/contrib/ipfilter/test/input/ni8
@@ -1,7 +1,7 @@
#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202
+5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
@@ -17,8 +17,11 @@
5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
+# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
+# going in)
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
+4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102
+5000 9d58 0000 0001
diff --git a/contrib/ipfilter/test/input/ni9 b/contrib/ipfilter/test/input/ni9
index 788e603..b8f4599 100644
--- a/contrib/ipfilter/test/input/ni9
+++ b/contrib/ipfilter/test/input/ni9
@@ -1,7 +1,9 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
+[in,df0]
+4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202
+5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
@@ -20,5 +22,6 @@
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
+4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102
+5000 9d58 0000 0001
diff --git a/contrib/ipfilter/test/input/p10 b/contrib/ipfilter/test/input/p10
new file mode 100644
index 0000000..f8162e8
--- /dev/null
+++ b/contrib/ipfilter/test/input/p10
@@ -0,0 +1,10 @@
+in on bge0 tcp 5.5.5.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.9,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.9,10000 9.9.9.9,80
diff --git a/contrib/ipfilter/test/input/p11 b/contrib/ipfilter/test/input/p11
new file mode 100644
index 0000000..f8162e8
--- /dev/null
+++ b/contrib/ipfilter/test/input/p11
@@ -0,0 +1,10 @@
+in on bge0 tcp 5.5.5.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.9,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.9,10000 9.9.9.9,80
diff --git a/contrib/ipfilter/test/input/p12 b/contrib/ipfilter/test/input/p12
new file mode 100644
index 0000000..f8162e8
--- /dev/null
+++ b/contrib/ipfilter/test/input/p12
@@ -0,0 +1,10 @@
+in on bge0 tcp 5.5.5.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.9,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.9,10000 9.9.9.9,80
diff --git a/contrib/ipfilter/test/input/p13 b/contrib/ipfilter/test/input/p13
new file mode 100644
index 0000000..f6753fa
--- /dev/null
+++ b/contrib/ipfilter/test/input/p13
@@ -0,0 +1,8 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+out 127.0.0.1 127.0.0.1
+out 1.1.1.1 1.2.1.1
+in 2.3.0.1 1.2.1.1
+in 2.2.2.1 1.2.1.1
+in 2.2.0.1 1.2.1.1
+out 4.4.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/p4 b/contrib/ipfilter/test/input/p4
new file mode 100644
index 0000000..46c0998
--- /dev/null
+++ b/contrib/ipfilter/test/input/p4
@@ -0,0 +1,12 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+out 127.0.0.1 127.0.0.1
+out 1.1.1.1 1.2.1.1
+in 2.3.0.1 1.2.1.1
+in 2.2.2.1 1.2.1.1
+in 2.2.0.1 1.2.1.1
+out 2.2.2.1 1.2.1.1
+out 2.2.2.1 1.2.1.2
+out 2.2.0.1 1.2.1.1
+out 2.2.0.1 1.2.1.3
+out 4.4.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/p6 b/contrib/ipfilter/test/input/p6
new file mode 100644
index 0000000..37c26ce
--- /dev/null
+++ b/contrib/ipfilter/test/input/p6
@@ -0,0 +1,2 @@
+in 131.107.1.1 10.1.1.1
+out 10.1.1.1 131.107.1.1
diff --git a/contrib/ipfilter/test/input/p7 b/contrib/ipfilter/test/input/p7
new file mode 100644
index 0000000..f8162e8
--- /dev/null
+++ b/contrib/ipfilter/test/input/p7
@@ -0,0 +1,10 @@
+in on bge0 tcp 5.5.5.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.9,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.9,10000 9.9.9.9,80
diff --git a/contrib/ipfilter/test/input/p9 b/contrib/ipfilter/test/input/p9
new file mode 100644
index 0000000..f8162e8
--- /dev/null
+++ b/contrib/ipfilter/test/input/p9
@@ -0,0 +1,10 @@
+in on bge0 tcp 5.5.5.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.5.9,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.5,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.6,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.7,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.8,10000 9.9.9.9,80
+in on bge0 tcp 5.5.6.9,10000 9.9.9.9,80
diff --git a/contrib/ipfilter/test/intest b/contrib/ipfilter/test/intest
index e94ca08..bcafe76 100755
--- a/contrib/ipfilter/test/intest
+++ b/contrib/ipfilter/test/intest
@@ -1,22 +1,12 @@
#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-../ipnat -Rnvf regress/$1 2>/dev/null > results/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
+name=$1
+
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
+/bin/cp /dev/null results/$name
+../ipnat -Rnvf regress/$name 2>/dev/null > results/$name
+check_results $name
exit $status
diff --git a/contrib/ipfilter/test/ipflib.sh b/contrib/ipfilter/test/ipflib.sh
new file mode 100644
index 0000000..82d473d
--- /dev/null
+++ b/contrib/ipfilter/test/ipflib.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+#
+# (C)opyright 2012 by Darren Reed.
+#
+# See the IPFILTER.LICENCE file for details on licencing.
+#
+test_init() {
+ mkdir -p results
+ find_touch
+ set_core $name 1
+}
+
+set_core() {
+ if [ -n "${FINDLEAKS}" -a -x /bin/mdb ] ; then
+ _findleaks=1
+ else
+ _findleaks=0
+ fi
+ if [ -x /bin/coreadm ] ; then
+ _cn="$1.$2.core"
+ coreadm -p "${PWD}/$_cn"
+ else
+ _cn=
+ fi
+}
+
+test_end_leak() {
+ if [ $1 -ne 0 ] ; then
+ if [ ${_findleaks} = 1 -a -f $_cn ] ; then
+ echo "==== ${name}:${n} ====" >> leaktest
+ echo '::findleaks' | mdb ../i86/ipftest $_cn >> leaktest
+ rm $_cn
+ else
+ exit 2;
+ fi
+ fi
+}
+
+check_results() {
+ cmp expected/$1 results/$1
+ status=$?
+ if [ $status = 0 ] ; then
+ $TOUCH $1
+ fi
+}
+
+find_touch() {
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+ fi
+ fi
+ fi
+}
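Review bot: In `test_end_leak`, `[ ${_findleaks} = 1 -a -f $_cn ]` is evaluated with `$_cn` unquoted, and `set_core` leaves `_cn` empty whenever `/bin/coreadm` is absent, so the test becomes a malformed `[ ... -a -f ]`. It only reaches `exit 2` because the broken test happens to return non-zero. Checking explicitly makes this deliberate: `if [ "${_findleaks}" = 1 ] && [ -n "$_cn" ] && [ -f "$_cn" ] ; then`, with `rm -f "$_cn"` afterwards. The same empty-variable pattern is in `check_results`: if `find_touch` finds no touch binary, `$TOUCH $1` runs the test name as a command, which `[ -n "$TOUCH" ] && "$TOUCH" "$1"` avoids.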
diff --git a/contrib/ipfilter/test/iptest b/contrib/ipfilter/test/iptest
index bb3ab5e..70fd9d8 100644
--- a/contrib/ipfilter/test/iptest
+++ b/contrib/ipfilter/test/iptest
@@ -1,22 +1,12 @@
#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-../ippool -f regress/$1 -nRv 2>/dev/null > results/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
+name=$1
+
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
+/bin/cp /dev/null results/$name
+../ippool -f regress/$name -nRv 2>/dev/null > results/$name
+check_results $name
exit $status
diff --git a/contrib/ipfilter/test/itest b/contrib/ipfilter/test/itest
index 8fefc63..84b0454 100644
--- a/contrib/ipfilter/test/itest
+++ b/contrib/ipfilter/test/itest
@@ -1,29 +1,30 @@
#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
+name=$1
+
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
+/bin/cp /dev/null results/$name
case $3 in
ipf)
- ../ipf -Rnvf regress/$1 2>/dev/null > results/$1
+ ../ipf -Rnvf regress/$name 2>/dev/null > results/$name
+ status=$?
+ if [ $status -ne 0 ] ; then
+ echo "ERROR: ../ipf -Rnvf regress/$name"
+ fi
;;
ipftest)
- ../ipftest -D -r regress/$1 -i /dev/null > results/$1
+ unset FINDLEAKS
+ ../ipftest -D -r regress/$name -i /dev/null > results/$name
+ status=$?
+ if [ $status -ne 0 ] ; then
+ echo "ERROR: ../ipftest -D -r regress/$name"
+ fi
;;
esac
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
+if [ $status -eq 0 ] ; then
+ check_results $name
fi
exit $status
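Review bot: `status` is assigned only inside the `ipf)` and `ipftest)` arms of the `case $3`, so for any other third argument the new `[ $status -eq 0 ]` expands to `[ -eq 0 ]` and `exit $status` becomes a bare `exit`. The script then fails with a shell syntax message instead of saying what was wrong. A default arm closes the gap: `*) echo "ERROR: unknown test type: $3"; status=1 ;;`. Separately, the `ipf` arm still sends stderr to `/dev/null`, so the new `ERROR:` line reports that the parse failed but not why.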
diff --git a/contrib/ipfilter/test/logtest b/contrib/ipfilter/test/logtest
index 1c8ac5bca..a3a9671 100755
--- a/contrib/ipfilter/test/logtest
+++ b/contrib/ipfilter/test/logtest
@@ -1,19 +1,13 @@
#!/bin/sh
# $FreeBSD$
+name=$1
format=$2
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
+
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
case `uname -s` in
OSF1)
@@ -24,16 +18,20 @@ OSF1)
;;
esac
-/bin/cp /dev/null results/$1
-/bin/cp /dev/null results/$1.b
+n=1
+/bin/cp /dev/null results/$name
+/bin/cp /dev/null results/$name.b
( while read rule; do
- echo $rule >> results/$1
- echo $rule | ../ipftest -br - -F $format -i input/$1 -l logout > /dev/null
- if [ $? -ne 0 ] ; then
- /bin/rm -f logout
- exit 1
- fi
+ /bin/rm -f logout
+ set_core $name $n
+ echo $rule >> results/$name
+ echo $rule | ../ipftest -br - -F $format -i input/$name -l logout > /dev/null &
+ back=$!
+ wait $back
+ test_end_leak $?
+ n=`expr $n + 1`
+
TZ=$GMT ../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
TZ=$GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
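Review bot: `$rule` is left unquoted on both new lines that use it (`echo $rule >> results/$name` and the `echo $rule | ../ipftest ...` pipe), so the shell word-splits and glob-expands the rule text before it is recorded or parsed. nattest and natipftest in this same commit use `echo "$rule"`; doing the same here keeps the rule byte-for-byte: `echo "$rule" >> results/$name` and `echo "$rule" | ../ipftest -br - ...`. The unchanged `ipmon` lines below still write to `results/$1` while the new lines use `$name`; that is harmless since both hold the same value, but using one spelling would read more clearly. The `while read rule` loop closes outside this hunk.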
diff --git a/contrib/ipfilter/test/mhtest b/contrib/ipfilter/test/mhtest
deleted file mode 100755
index a4d48d6..0000000
--- a/contrib/ipfilter/test/mhtest
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-# multiple rules at the same time
-
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-
-/bin/cp /dev/null results/$1
-
-../ipftest -br regress/$1 -F hex -i input/$1 > results/$1
-if [ $? -ne 0 ] ; then
- exit 1
-fi
-echo "--------" >> results/$1
-
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-$TOUCH $1
-exit 0
diff --git a/contrib/ipfilter/test/mtest b/contrib/ipfilter/test/mtest
index 2a3ed38..aed9fb9 100755
--- a/contrib/ipfilter/test/mtest
+++ b/contrib/ipfilter/test/mtest
@@ -1,38 +1,20 @@
#!/bin/sh
+name=$1
format=$2
-mkdir -p results
-# multiple rules at the same time
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
/bin/cp /dev/null results/$1
-../ipftest -F $format -Rbr regress/$1 -i input/$1 > results/$1
-if [ $? -ne 0 ] ; then
- exit 1
-fi
-echo "--------" >> results/$1
+../ipftest -F $format $4 -Rbr regress/$name -i input/$name > results/$name &
+back=$!
+wait $back
+test_end_leak $?
+echo "--------" >> results/$name
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-$TOUCH $1
-exit 0
+check_results $name
+exit $status
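Review bot: `test_end_leak` in ipflib.sh labels each leak report with `==== ${name}:${n} ====`, but this script never sets `n`, so the header appended to `leaktest` would carry an empty index. ptest has the same gap, while logtest, nattest and natipftest all set `n=1` first. Adding `n=1` next to `name=$1` keeps the reports uniform. Note also that `/bin/cp /dev/null results/$1` was left on `$1` while the surrounding new lines use `$name`.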
diff --git a/contrib/ipfilter/test/natipftest b/contrib/ipfilter/test/natipftest
index 5776b42..493f18b 100755
--- a/contrib/ipfilter/test/natipftest
+++ b/contrib/ipfilter/test/natipftest
@@ -3,6 +3,12 @@ mode=$1
name=$2
input=$3
output=$4
+n=1
+
+. ./ipflib.sh
+
+test_init
+
shift
if [ $output = hex ] ; then
format="-xF $input"
@@ -21,51 +27,33 @@ while [ $# -ge 1 ] ; do
fi
shift
done
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
case $mode in
single)
echo "$name...";
/bin/cp /dev/null results/$name
( while read rule; do
+ set_core $name $n
echo "$rule" | ../ipftest -R $format -b -r regress/$name.ipf -N - -i input/$name >> \
- results/$name;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
+ results/$name &
+ back=$!
+ wait $back
+ test_end_leak $?
+ n=`expr $n + 1`
echo "-------------------------------" >> results/$name
done ) < regress/$name.nat
- cmp expected/$name results/$name
- status=$?
- if [ $status = 0 ] ; then
- $TOUCH $name
- fi
+ check_results $name
;;
multi)
echo "$name...";
/bin/cp /dev/null results/$name
../ipftest -R $format -b -r regress/$name.ipf -N regress/$name.nat \
- -i input/$name >> results/$name;
- if [ $? -ne 0 ] ; then
- exit 2;
- fi
+ -i input/$name >> results/$name &
+ back=$!
+ wait $back
+ test_end_leak $?
echo "-------------------------------" >> results/$name
- cmp expected/$name results/$name
- status=$?
- if [ $status = 0 ] ; then
- $TOUCH $name
- fi
+ check_results $name
;;
esac
exit $status
diff --git a/contrib/ipfilter/test/nattest b/contrib/ipfilter/test/nattest
index fece276..c970877 100755
--- a/contrib/ipfilter/test/nattest
+++ b/contrib/ipfilter/test/nattest
@@ -1,4 +1,10 @@
#!/bin/sh
+name=$1
+
+. ./ipflib.sh
+
+test_init
+
if [ $3 = hex ] ; then
format="-xF $2"
else
@@ -14,29 +20,18 @@ if [ "$4" != "" ] ; then
;;
esac
fi
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
+
+echo "$name...";
+n=1
+/bin/cp /dev/null results/$name
( while read rule; do
- echo "$rule" | ../ipftest $format -RbN - -i input/$1 >> results/$1;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "-------------------------------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
+ set_core $name $n
+ echo "$rule" | ../ipftest $format -DRbN - -i input/$name >>results/$name &
+ back=$!
+ wait $back
+ test_end_leak $?
+ n=`expr $n + 1`
+ echo "-------------------------------" >> results/$name
+done ) < regress/$name
+check_results $name
exit $status
diff --git a/contrib/ipfilter/test/ptest b/contrib/ipfilter/test/ptest
index 7deccd3..87daacc 100644
--- a/contrib/ipfilter/test/ptest
+++ b/contrib/ipfilter/test/ptest
@@ -1,31 +1,24 @@
#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
+name=$1
+
+. ./ipflib.sh
+
+test_init
+
+echo "$name...";
+/bin/cp /dev/null results/$name
+if [ -f regress/$name.pool -a -f regress/$name.ipf ] ; then
+ ../ipftest -RD -b -P regress/$name.pool -r regress/$name.ipf -i input/$name >> \
+ results/$name &
+elif [ -f regress/$name.pool -a -f regress/$name.nat ] ; then
+ ../ipftest -RD -b -P regress/$name.pool -N regress/$name.nat -i input/$name >> \
+ results/$name &
else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-if [ -f regress/$1.pool ] ; then
- ../ipftest -RD -b -P regress/$1.pool -r regress/$1.ipf -i input/$1 >> \
- results/$1
-else
- ../ipftest -RD -b -r regress/$1.ipf -i input/$1 >> results/$1
-fi
-if [ $? -ne 0 ] ; then
- exit 1;
-fi
-echo "-------------------------------" >> results/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
+ ../ipftest -RD -b -r regress/$name.ipf -i input/$name >> results/$name &
fi
+back=$!
+wait $back
+test_end_leak $?
+echo "-------------------------------" >> results/$name
+check_results $name
exit $status
diff --git a/contrib/ipfilter/test/regress/f13 b/contrib/ipfilter/test/regress/f13
index 8106419..393a65e 100644
--- a/contrib/ipfilter/test/regress/f13
+++ b/contrib/ipfilter/test/regress/f13
@@ -6,3 +6,4 @@ pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags
block in proto tcp from any to any port = 25 flags S/SA keep state keep frags
pass in proto udp from any to any port = 53 keep frags(strict)
pass in proto tcp from any to any port = 25 keep state(strict)
+pass in proto tcp from any to any port = 25 keep state(loose)
diff --git a/contrib/ipfilter/test/regress/f21 b/contrib/ipfilter/test/regress/f21
new file mode 100644
index 0000000..26ffa87
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f21
@@ -0,0 +1,2 @@
+pass out proto tcp all flags S keep state(icmp-head icmpredir)
+block in proto icmp all icmp-type redir group icmpredir
diff --git a/contrib/ipfilter/test/regress/f22 b/contrib/ipfilter/test/regress/f22
new file mode 100644
index 0000000..10765db
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f22
@@ -0,0 +1,2 @@
+pass in proto tcp all flags S keep state(icmp-head icmpredir)
+block out proto icmp all icmp-type redir group icmpredir
diff --git a/contrib/ipfilter/test/regress/f25 b/contrib/ipfilter/test/regress/f25
new file mode 100644
index 0000000..c018b49
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f25
@@ -0,0 +1 @@
+pass in on hme0 proto udp all with mcast keep state
diff --git a/contrib/ipfilter/test/regress/f26 b/contrib/ipfilter/test/regress/f26
new file mode 100644
index 0000000..22357a4
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f26
@@ -0,0 +1,6 @@
+pass in quick proto tcp from 1.1.1.0/24 to any port = 22 flags S keep state(max-srcs 3)
+pass in quick proto tcp from 1.1.1.0/24 to any port = 22 flags S keep state(max-srcs 3, max-per-src 1/32)
+pass in quick proto tcp from 1.1.1.0/24 to any port = 22 flags S keep state(max-srcs 3, max-per-src 1/16)
+pass in quick proto tcp all flags S keep state(max-srcs 3)
+pass in quick proto tcp all flags S keep state(max-srcs 3, max-per-src 1/32)
+pass in quick proto tcp all flags S keep state(max-srcs 3, max-per-src 1/16)
diff --git a/contrib/ipfilter/test/regress/f27 b/contrib/ipfilter/test/regress/f27
new file mode 100644
index 0000000..22357a4
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f27
@@ -0,0 +1,6 @@
+pass in quick proto tcp from 1.1.1.0/24 to any port = 22 flags S keep state(max-srcs 3)
+pass in quick proto tcp from 1.1.1.0/24 to any port = 22 flags S keep state(max-srcs 3, max-per-src 1/32)
+pass in quick proto tcp from 1.1.1.0/24 to any port = 22 flags S keep state(max-srcs 3, max-per-src 1/16)
+pass in quick proto tcp all flags S keep state(max-srcs 3)
+pass in quick proto tcp all flags S keep state(max-srcs 3, max-per-src 1/32)
+pass in quick proto tcp all flags S keep state(max-srcs 3, max-per-src 1/16)
diff --git a/contrib/ipfilter/test/regress/f28.ipf b/contrib/ipfilter/test/regress/f28.ipf
new file mode 100644
index 0000000..ca42771
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f28.ipf
@@ -0,0 +1,2 @@
+block in all
+pass in on nic0 to dstlist/spread from 4.4.0.0/16 to any
diff --git a/contrib/ipfilter/test/regress/f28.pool b/contrib/ipfilter/test/regress/f28.pool
new file mode 100644
index 0000000..499b603
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f28.pool
@@ -0,0 +1,2 @@
+pool ipf/dstlist (name spread; policy round-robin;)
+ { nic0:1.1.0.2; nic1:1.1.1.2; nic2:1.1.2.2; nic3:1.1.3.2; };
diff --git a/contrib/ipfilter/test/regress/f29.ipf b/contrib/ipfilter/test/regress/f29.ipf
new file mode 100644
index 0000000..e4634cc
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f29.ipf
@@ -0,0 +1,2 @@
+block in all
+pass in on nic0 to dstlist/spread from 4.4.0.0/16 to any keep state
diff --git a/contrib/ipfilter/test/regress/f29.pool b/contrib/ipfilter/test/regress/f29.pool
new file mode 100644
index 0000000..499b603
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f29.pool
@@ -0,0 +1,2 @@
+pool ipf/dstlist (name spread; policy round-robin;)
+ { nic0:1.1.0.2; nic1:1.1.1.2; nic2:1.1.2.2; nic3:1.1.3.2; };
diff --git a/contrib/ipfilter/test/regress/f30 b/contrib/ipfilter/test/regress/f30
new file mode 100644
index 0000000..84a8970
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f30
@@ -0,0 +1,4 @@
+pass in on hme0 proto udp all with not ipopts keep state
+pass in on hme0 proto udp all with ipopts keep state
+pass in on hme0 proto tcp all flags S with opt rr keep state
+pass in on hme0 proto tcp all flags S with opt sec-class secret keep state
diff --git a/contrib/ipfilter/test/regress/i11 b/contrib/ipfilter/test/regress/i11
index cb7d683..ca65da3 100644
--- a/contrib/ipfilter/test/regress/i11
+++ b/contrib/ipfilter/test/regress/i11
@@ -8,4 +8,5 @@ pass out on ppp0 in-via le0 proto tcp from any to any keep state
pass in on ed0,vx0 out-via vx0,ed0 proto udp from any to any keep state
pass in proto tcp from any port gt 1024 to localhost port eq 1024 keep state
pass in proto tcp all flags S keep state(strict,newisn,no-icmp-err,limit 101,age 600)
+pass in proto tcp all flags S keep state(loose,newisn,no-icmp-err,limit 101,age 600)
pass in proto udp all keep state(age 10/20,sync)
diff --git a/contrib/ipfilter/test/regress/i12 b/contrib/ipfilter/test/regress/i12
index 5342702..f42c2d5 100644
--- a/contrib/ipfilter/test/regress/i12
+++ b/contrib/ipfilter/test/regress/i12
@@ -1,9 +1,9 @@
pass in from 1.1.1.1/32 to 2.2.2.2/32
-pass in from (2.2.2.2/24,3.3.3.3/32) to 4.4.4.4/32
-pass in from (2.2.2.2/24,3.3.3.3/32) to (5.5.5.5/32,6.6.6.6/32)
-pass in from (2.2.2.2/24,3.3.3.3/32) to (5.5.5.5/32,6.6.6.6/32) port = (22,25)
-pass in proto tcp from (2.2.2.2/24,3.3.3.3/32) port = (53,9) to (5.5.5.5/32,6.6.6.6/32)
-pass in proto udp from (2.2.2.2/24,3.3.3.3/32) to (5.5.5.5/32,6.6.6.6/32) port = (53,9)
+pass in from {2.2.2.2/24,3.3.3.3/32} to 4.4.4.4/32
+pass in from {2.2.2.2/24,3.3.3.3/32} to {5.5.5.5/32,6.6.6.6/32}
+pass in from {2.2.2.2/24,3.3.3.3/32} to {5.5.5.5/32,6.6.6.6/32} port = {22,25}
+pass in proto tcp from {2.2.2.2/24,3.3.3.3/32} port = {53,9} to {5.5.5.5/32,6.6.6.6/32}
+pass in proto udp from {2.2.2.2/24,3.3.3.3/32} to {5.5.5.5/32,6.6.6.6/32} port = {53,9}
pass in from 10.10.10.10 to 11.11.11.11
pass in from pool/101 to hash/202
pass in from hash/303 to pool/404
diff --git a/contrib/ipfilter/test/regress/i14 b/contrib/ipfilter/test/regress/i14
index 2cd2613..54613a5 100644
--- a/contrib/ipfilter/test/regress/i14
+++ b/contrib/ipfilter/test/regress/i14
@@ -8,3 +8,5 @@ pass in proto tcp from 1.0.0.1 to 2.0.0.2 group 101
pass in proto udp from 2.0.0.2 to 3.0.0.3 group 101
block in on vm0 proto tcp/udp all head vm0-group
pass in from 1.1.1.1 to 2.2.2.2 group vm0-group
+block in on vm0 proto tcp/udp all head vm0-group
+pass in from 1.1.1.1 to 2.2.2.2 group vm0-group
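Review bot: The two lines added at the end of this hunk are, as shown here, byte-identical to the two context lines directly above them, so they repeat the `head vm0-group` / `group vm0-group` pair without exercising a new rule form. The same pattern appears in the i2 hunk (a second `block in proto tcp-udp from any to any`), in four of the five lines added by the i7 hunk, and in the second i8 hunk, which re-adds ICMP rules already visible as context in the first i8 hunk. If the repetition is deliberate, for example to check how duplicate rules or a re-declared group head are listed, a leading comment such as `# second copy: must parse and list the same as the first` would make that intent reviewable (assuming `#` lines are accepted in these inputs, as the `#`-only i23 file suggests). Otherwise the token that was meant to differ between the two copies should be restored.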
diff --git a/contrib/ipfilter/test/regress/i17 b/contrib/ipfilter/test/regress/i17
index e399248..139b86a 100644
--- a/contrib/ipfilter/test/regress/i17
+++ b/contrib/ipfilter/test/regress/i17
@@ -9,5 +9,5 @@ pass in from localhost to any
@0 pass in from 1.1.1.1 to any
@1 110 pass in from 2.2.2.2 to any
@2 pass in from 3.3.3.3 to any
-call fr_srcgrpmap/100 out from 10.1.0.0/16 to any
-call now fr_dstgrpmap/200 in from 10.2.0.0/16 to any
+call srcgrpmap/100 out from 10.1.0.0/16 to any
+call now dstgrpmap/200 in from 10.2.0.0/16 to any
diff --git a/contrib/ipfilter/test/regress/i18 b/contrib/ipfilter/test/regress/i18
index 03ce713..b55b11a 100644
--- a/contrib/ipfilter/test/regress/i18
+++ b/contrib/ipfilter/test/regress/i18
@@ -1,3 +1,3 @@
-pass in tos (80,0x80) all
-pass in tos (0x80,80) all
-block in ttl (0,1,2,3,4,5,6) all
+pass in tos {80,0x80} all
+pass out tos {0x80,80} all
+block in ttl {0,1,2,3,4,5,6} all
diff --git a/contrib/ipfilter/test/regress/i2 b/contrib/ipfilter/test/regress/i2
index 50f6107..f69e28e 100644
--- a/contrib/ipfilter/test/regress/i2
+++ b/contrib/ipfilter/test/regress/i2
@@ -6,3 +6,4 @@ block in proto 17 from any to any
block in proto 250 from any to any
pass in proto tcp/udp from any to any
block in proto tcp-udp from any to any
+block in proto tcp-udp from any to any
diff --git a/contrib/ipfilter/test/regress/i21 b/contrib/ipfilter/test/regress/i21
index 9d583ab..237f8fa 100644
--- a/contrib/ipfilter/test/regress/i21
+++ b/contrib/ipfilter/test/regress/i21
@@ -2,6 +2,6 @@ pass in from port = 10101
pass out from any to port != 22
block in from port 20:21
block out from any to port 10 <> 100
-pass out from any to port = (3,5,7,9)
-block in from port = (20,25)
-pass in from any port = (11:12, 21:22) to any port = (1:2, 4:5, 8:9)
+pass out from any to port = {3,5,7,9}
+block in from port = {20,25}
+pass in from any port = {11:12, 21:22} to any port = {1:2, 4:5, 8:9}
diff --git a/contrib/ipfilter/test/regress/i22 b/contrib/ipfilter/test/regress/i22
new file mode 100644
index 0000000..1ac8d12
--- /dev/null
+++ b/contrib/ipfilter/test/regress/i22
@@ -0,0 +1,5 @@
+pass in exp { "ip.src != 1.1.1.0/24; tcp.dport = 80;" }
+pass in exp { "ip.addr = 1.2.3.4,5.6.7.8;" }
+block out exp { "ip.dst= 127.0.0.0/8;" }
+block in exp { "udp.sport=53;udp.dport=53;" }
+pass out exp { "tcp.sport=22; tcp.port=25;" }
diff --git a/contrib/ipfilter/test/regress/i23 b/contrib/ipfilter/test/regress/i23
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/contrib/ipfilter/test/regress/i23
@@ -0,0 +1 @@
+#
diff --git a/contrib/ipfilter/test/regress/i7 b/contrib/ipfilter/test/regress/i7
index 1a82940..15b88a5 100644
--- a/contrib/ipfilter/test/regress/i7
+++ b/contrib/ipfilter/test/regress/i7
@@ -7,3 +7,8 @@ block in on lo0 proto tcp from any to any flags 2/18
pass in on lo0 proto tcp from any to any flags 2
block in on lo0 proto tcp from any to any flags /16
pass in on lo0 proto tcp from any to any flags 2/SA
+pass in on lo0 proto tcp from any to any flags S/18
+block in on lo0 proto tcp from any to any flags 2/18
+pass in on lo0 proto tcp from any to any flags 2
+block in on lo0 proto tcp from any to any flags /16
+pass in on lo0 proto tcp from any to any flags 2/SA
diff --git a/contrib/ipfilter/test/regress/i8 b/contrib/ipfilter/test/regress/i8
index c30f8bd..abf69d9 100644
--- a/contrib/ipfilter/test/regress/i8
+++ b/contrib/ipfilter/test/regress/i8
@@ -11,11 +11,11 @@ pass in proto icmp all icmp-type unreach code host-prohib
pass in proto icmp all icmp-type unreach code host-tos
pass in proto icmp all icmp-type unreach code host-unk
pass in proto icmp all icmp-type unreach code host-unr
-pass in proto icmp all icmp-type unreach code (net-unk,net-unr)
+pass in proto icmp all icmp-type unreach code {net-unk,net-unr}
pass in proto icmp all icmp-type unreach code port-unr
pass in proto icmp all icmp-type unreach code proto-unr
pass in proto icmp all icmp-type unreach code srcfail
-pass in proto icmp all icmp-type (echo,echorep)
+pass in proto icmp all icmp-type {echo,echorep}
pass in proto icmp all icmp-type inforeq
pass in proto icmp all icmp-type inforep
pass in proto icmp all icmp-type maskrep
@@ -31,3 +31,32 @@ pass in proto icmp all icmp-type timestrep
pass in proto icmp all icmp-type timex
pass in proto icmp all icmp-type 254
pass in proto icmp all icmp-type 253 code 254
+pass in proto icmp all icmp-type unreach code cutoff-preced
+pass in proto icmp all icmp-type unreach code filter-prohib
+pass in proto icmp all icmp-type unreach code isolate
+pass in proto icmp all icmp-type unreach code needfrag
+pass in proto icmp all icmp-type unreach code net-prohib
+pass in proto icmp all icmp-type unreach code net-tos
+pass in proto icmp all icmp-type unreach code host-preced
+pass in proto icmp all icmp-type unreach code host-prohib
+pass in proto icmp all icmp-type unreach code host-tos
+pass in proto icmp all icmp-type unreach code host-unk
+pass in proto icmp all icmp-type unreach code host-unr
+pass in proto icmp all icmp-type unreach code {net-unk,net-unr}
+pass in proto icmp all icmp-type unreach code port-unr
+pass in proto icmp all icmp-type unreach code proto-unr
+pass in proto icmp all icmp-type unreach code srcfail
+pass in proto icmp all icmp-type {echo,echorep}
+pass in proto icmp all icmp-type inforeq
+pass in proto icmp all icmp-type inforep
+pass in proto icmp all icmp-type maskrep
+pass in proto icmp all icmp-type maskreq
+pass in proto icmp all icmp-type paramprob
+pass in proto icmp all icmp-type redir
+pass in proto icmp all icmp-type unreach
+pass in proto icmp all icmp-type routerad
+pass in proto icmp all icmp-type routersol
+pass in proto icmp all icmp-type squench
+pass in proto icmp all icmp-type timest
+pass in proto icmp all icmp-type timestrep
+pass in proto icmp all icmp-type timex
diff --git a/contrib/ipfilter/test/regress/in100 b/contrib/ipfilter/test/regress/in100
new file mode 100644
index 0000000..5e2ab6c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/in100
@@ -0,0 +1,3 @@
+rewrite in on bge0 from 1.1.1.1 to 2.2.2.2 -> src 3.3.3.3 dst 4.4.4.4;
+rewrite out on bge0 from 1.1.1.1/32 to 2.2.2.2 -> src 3.3.3.0/24 dst 4.4.4.4;
+rewrite in on bge0 from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.0/24 dst 4.4.4.0/24;
diff --git a/contrib/ipfilter/test/regress/in101 b/contrib/ipfilter/test/regress/in101
new file mode 100644
index 0000000..afef53b
--- /dev/null
+++ b/contrib/ipfilter/test/regress/in101
@@ -0,0 +1,4 @@
+rewrite in on bge0 proto icmp from 1.1.1.1 to 2.2.2.2 -> src 3.3.3.3 dst 4.4.4.4;
+rewrite in on bge0 proto udp from 1.1.1.1 to 2.2.2.2 -> src 3.3.3.3 dst 4.4.4.4;
+rewrite out on bge0 proto tcp from 1.1.1.1/32 to 2.2.2.2 -> src 3.3.3.0/24 dst 4.4.4.4;
+rewrite in on bge0 proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 -> src 3.3.3.0/24,20202 dst 4.4.4.0/24,10101;
diff --git a/contrib/ipfilter/test/regress/in102 b/contrib/ipfilter/test/regress/in102
new file mode 100644
index 0000000..57f3645
--- /dev/null
+++ b/contrib/ipfilter/test/regress/in102
@@ -0,0 +1,5 @@
+rewrite in on bge0 proto tcp from any to any -> src 0/0 dst dstlist/a;
+rewrite in on bge0 proto tcp from 1.1.1.1 to any -> src 0/0 dst dstlist/bee;
+rewrite in on bge0 proto tcp from 1.1.1.1 to 2.2.2.2 -> src 0/0 dst dstlist/cat;
+rewrite in on bge0 proto tcp from pool/a to 2.2.2.2 -> src 0/0 dst dstlist/bat;
+rewrite in on bge0 proto tcp from pool/a to pool/1 -> src 0/0 dst dstlist/ant;
diff --git a/contrib/ipfilter/test/regress/in2 b/contrib/ipfilter/test/regress/in2
index 83a2ca5..58556c0 100644
--- a/contrib/ipfilter/test/regress/in2
+++ b/contrib/ipfilter/test/regress/in2
@@ -67,5 +67,5 @@ rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp
rdr le0 0/0 -> test.host.dots
-rdr le0 0/0 -> test.host.dots,test.host.dots
-rdr adsl0,ppp0 0/0 port 25 -> 127.0.0.1 port 25
+rdr le0 any -> test.host.dots,test.host.dots
+rdr adsl0,ppp0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555-7777 tcp
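Review bot: The last rule of this hunk drops the one `rdr` line here that matches on a port without naming a protocol (`rdr adsl0,ppp0 0/0 port 25 -> 127.0.0.1 port 25`) and replaces it with a rule ending in `tcp`; the ni13.nat and ni14.nat hunks likewise insert `tcp` before `proxy pptp`. That suggests, though the parser is not visible here, that a port redirect without a protocol is no longer accepted or no longer defaults the same way. None of the visible fixtures pins what now happens to the old form. A negative case that feeds the removed line and expects a parse error (or the documented default) would keep an existing NAT ruleset from loading with a different meaning after an upgrade.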
diff --git a/contrib/ipfilter/test/regress/in7 b/contrib/ipfilter/test/regress/in7
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/contrib/ipfilter/test/regress/in7
@@ -0,0 +1 @@
+#
diff --git a/contrib/ipfilter/test/regress/ip3 b/contrib/ipfilter/test/regress/ip3
new file mode 100644
index 0000000..98d2b0b
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ip3
@@ -0,0 +1,14 @@
+pool ipf/dstlist (name fred; policy round-robin;)
+ { 3.3.3.3; };
+pool ipf/dstlist (name jack; policy weighted connection;)
+ { 4.4.4.4; bge0:5.5.5.5;};
+pool ipf/dstlist (name jill; policy random;)
+ { 1.1.1.1; bge0:2.2.2.2;};
+pool nat/hash (name noproxy; size 17;)
+ { 1.1.1.1; 2.2.2.2;};
+pool nat/tree (name raw;)
+ { 1.1.1.1; 2.2.2.2;};
+pool all/dstlist (name jill; policy random;)
+ { 1.1.1.1; bge0:2.2.2.2;};
+pool all/hash (name noproxy; size 17;)
+ { 1.1.1.1; 2.2.2.2;};
diff --git a/contrib/ipfilter/test/regress/ipv6.4 b/contrib/ipfilter/test/regress/ipv6.4
new file mode 100644
index 0000000..b221744
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ipv6.4
@@ -0,0 +1,3 @@
+pass in proto ipv6-icmp all icmp-type echo keep frags
+pass in proto ipv6-icmp all icmp-type echo keep frags keep state
+pass in proto tcp all keep frags keep state
diff --git a/contrib/ipfilter/test/regress/ipv6.5 b/contrib/ipfilter/test/regress/ipv6.5
index ba8cabb..d9ae23b 100644
--- a/contrib/ipfilter/test/regress/ipv6.5
+++ b/contrib/ipfilter/test/regress/ipv6.5
@@ -1,2 +1,2 @@
-pass out all with v6hdrs routing
-block out proto tcp all with v6hdrs routing
+pass out family inet6 all with v6hdr routing
+block out family inet6 proto tcp all with v6hdr routing
diff --git a/contrib/ipfilter/test/regress/ipv6.6 b/contrib/ipfilter/test/regress/ipv6.6
index f1f904b..19a4df9 100644
--- a/contrib/ipfilter/test/regress/ipv6.6
+++ b/contrib/ipfilter/test/regress/ipv6.6
@@ -1 +1,2 @@
pass out on gif0 proto udp all keep frag
+block out all with bad
diff --git a/contrib/ipfilter/test/regress/n100 b/contrib/ipfilter/test/regress/n100
new file mode 100644
index 0000000..a8b6dee
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n100
@@ -0,0 +1 @@
+rewrite out on zx0 from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32 dst 6.6.0.0/16;
diff --git a/contrib/ipfilter/test/regress/n101 b/contrib/ipfilter/test/regress/n101
new file mode 100644
index 0000000..2f5fcd9
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n101
@@ -0,0 +1 @@
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32 dst 6.6.0.0/16;
diff --git a/contrib/ipfilter/test/regress/n102 b/contrib/ipfilter/test/regress/n102
new file mode 100644
index 0000000..f056633
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n102
@@ -0,0 +1 @@
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32,1000:2000 dst 6.6.0.0/16;
diff --git a/contrib/ipfilter/test/regress/n103 b/contrib/ipfilter/test/regress/n103
new file mode 100644
index 0000000..c3c27d6
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n103
@@ -0,0 +1 @@
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.4.4/32,1000-1001 dst 6.6.0.0/16,4000:4001;
diff --git a/contrib/ipfilter/test/regress/n104 b/contrib/ipfilter/test/regress/n104
new file mode 100644
index 0000000..785f0ad
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n104
@@ -0,0 +1 @@
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 -> src 4.4.0.0/24,1000-1001 dst 6.6.0.0/16,4000:4001;
diff --git a/contrib/ipfilter/test/regress/n105 b/contrib/ipfilter/test/regress/n105
new file mode 100644
index 0000000..afe8966
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n105
@@ -0,0 +1 @@
+rewrite in on zx0 proto tcp from 0/0 to 2.2.0.0/16 port = 80 -> src 4.4.4.4/32,1000-1001 dst 6.6.0.0/16 port = 3128;
diff --git a/contrib/ipfilter/test/regress/n106 b/contrib/ipfilter/test/regress/n106
new file mode 100644
index 0000000..6074ab0
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n106
@@ -0,0 +1 @@
+rewrite out on zx0 proto tcp from 0/0 to 2.2.0.0/16 port = 80 -> src 4.4.4.4/32,1000-1001 dst 6.6.0.0/16 port = 3128;
diff --git a/contrib/ipfilter/test/regress/n10_6 b/contrib/ipfilter/test/regress/n10_6
new file mode 100644
index 0000000..738152d
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n10_6
@@ -0,0 +1,3 @@
+map ppp0 any -> 203.203.203.203/128 mssclamp 100
+map ppp0 any -> 203.203.203.203/128 mssclamp 1000
+map ppp0 any -> 203.203.203.203/128 mssclamp 10000
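Review bot: All three rules in this new IPv6 variant map to `203.203.203.203/128`, an IPv4 dotted-quad with a prefix length that only makes sense for IPv6, so the fixture does not say which address family the parser is expected to choose. n16_6 further down is ambiguous in a different way: its single `rdr vlan0` rule uses only IPv4 addresses (`69.248.79.193`, `172.31.83.24`) despite the `_6` name. If these are meant to pin how mixed-family input is handled, a comment line such as `# IPv4 literal with /128: expect <accepted-as-v6|rejected>` would stop a later parser change from silently altering how the NAT rule is interpreted. Otherwise the targets should be IPv6 literals like those in n11_6.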
diff --git a/contrib/ipfilter/test/regress/n11_6 b/contrib/ipfilter/test/regress/n11_6
new file mode 100644
index 0000000..7b428cc
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n11_6
@@ -0,0 +1,3 @@
+bimap zx0 10:1:1::1/128 -> 1::6:7:8/128
+bimap zx0 10:1:1::/112 -> 10::2:2:2/128
+bimap zx0 10:1:1::/112 -> 10::3:4:5/112
diff --git a/contrib/ipfilter/test/regress/n12_6 b/contrib/ipfilter/test/regress/n12_6
new file mode 100644
index 0000000..bf21848
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n12_6
@@ -0,0 +1 @@
+map le0 c0a8:7e00::/112 -> 0/128 portmap tcp/udp 10000:20000
diff --git a/contrib/ipfilter/test/regress/n13_6 b/contrib/ipfilter/test/regress/n13_6
new file mode 100644
index 0000000..c1d1646
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n13_6
@@ -0,0 +1 @@
+map le0 192:168:1::0/48 -> range 203:0:1::1:23-203:0:1::3:45
diff --git a/contrib/ipfilter/test/regress/n14_6 b/contrib/ipfilter/test/regress/n14_6
new file mode 100644
index 0000000..64e88ee
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n14_6
@@ -0,0 +1 @@
+rdr gre0 any port 80 -> 10:1:1::254,10:1:1::253 port 80 tcp sticky
diff --git a/contrib/ipfilter/test/regress/n15 b/contrib/ipfilter/test/regress/n15
new file mode 100644
index 0000000..062b766
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n15
@@ -0,0 +1,2 @@
+rdr le0 0/0 port 80 -> 3.3.3.3 port 80 tcp
+rdr le0 0/0 port 80 -> 3.3.3.3 port 80-88 tcp
diff --git a/contrib/ipfilter/test/regress/n15_6 b/contrib/ipfilter/test/regress/n15_6
new file mode 100644
index 0000000..e82dd82
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n15_6
@@ -0,0 +1,2 @@
+rdr le0 any port 80 -> 3:0:3::3:3 port 80 tcp
+rdr le0 any port 80 -> 3:0:3::3:3 port 80-88 tcp
diff --git a/contrib/ipfilter/test/regress/n16_6 b/contrib/ipfilter/test/regress/n16_6
new file mode 100644
index 0000000..ff8958c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n16_6
@@ -0,0 +1 @@
+rdr vlan0 from any to 69.248.79.193 port = 38136 -> 172.31.83.24 port 2013 udp
diff --git a/contrib/ipfilter/test/regress/n17 b/contrib/ipfilter/test/regress/n17
new file mode 100644
index 0000000..213f51f
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n17
@@ -0,0 +1 @@
+bimap zx0 0/0 -> 1.1.1.3
diff --git a/contrib/ipfilter/test/regress/n17_6 b/contrib/ipfilter/test/regress/n17_6
new file mode 100644
index 0000000..08ef77a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n17_6
@@ -0,0 +1 @@
+bimap zx0 any -> 1::1:1:3
diff --git a/contrib/ipfilter/test/regress/n18 b/contrib/ipfilter/test/regress/n18
new file mode 100644
index 0000000..792f136
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n18
@@ -0,0 +1,3 @@
+map z0 0/0 -> 1.1.1.1/32 portmap tcp/udp 1:4 sequential
+map z0 0/0 -> 1.1.1.1/32 portmap tcp/udp 1000:5000 sequential
+map z0 0/0 -> 1.1.1.1/32 portmap tcp/udp 1000:50000 sequential
diff --git a/contrib/ipfilter/test/regress/n1_6 b/contrib/ipfilter/test/regress/n1_6
new file mode 100644
index 0000000..341f136
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n1_6
@@ -0,0 +1,3 @@
+map zx0 10:1:1::1/128 -> 10::2:2:2/128
+map zx0 10:1:1::/112 -> 10::3:4:5/128
+map zx0 10:1:1::/112 -> 10::3:4:0/112
diff --git a/contrib/ipfilter/test/regress/n200 b/contrib/ipfilter/test/regress/n200
new file mode 100644
index 0000000..c792e54
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n200
@@ -0,0 +1 @@
+divert in on bar0 from any to any -> src 127.0.0.1,10101 dst 127.0.0.1,10101 udp;
diff --git a/contrib/ipfilter/test/regress/n2_6 b/contrib/ipfilter/test/regress/n2_6
new file mode 100644
index 0000000..3a04f33
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n2_6
@@ -0,0 +1,4 @@
+map zx0 10:1:1::1/128 -> 10::2:2:2/128 portmap tcp 10000:20000 sequential
+map zx0 10:1:1::/112 -> 10::3:4:5/128 portmap udp 10000:20000 sequential
+map zx0 10:1::/32 -> 10::3:4:0/112 portmap tcp/udp 10000:20000 sequential
+map zx0 10:1:1::/112 -> 10::3:4:5/128 portmap tcp/udp 40000:40001 sequential
diff --git a/contrib/ipfilter/test/regress/n4_6 b/contrib/ipfilter/test/regress/n4_6
new file mode 100644
index 0000000..72dad4c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n4_6
@@ -0,0 +1,6 @@
+rdr zx0 10:1:1::1/128 port 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 10:1:1::/112 port 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 any port 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 10:1:1::/112 port 53 -> 10::2:2:1 port 10053 udp
+rdr zx0 10:1:1::/112 port 0 -> 10::2:2:1 port 0 tcp
+rdr zx0 10:1:1::/112 port 0 -> 10::2:2:1 port 0 ip
diff --git a/contrib/ipfilter/test/regress/n5_6 b/contrib/ipfilter/test/regress/n5_6
new file mode 100644
index 0000000..acefd7b
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n5_6
@@ -0,0 +1,6 @@
+map zx0 10:1:1::1/128 -> 10::2:2:2/128
+map zx0 from 10:1:1::/112 to 10:1::/32 -> 10::3:4:5/128
+map zx0 from 10:1:1::/112 ! to 10:1::/32 -> 10::3:4:0/112
+map zx0 10:1:1::/112 -> 10::3:4:5/128 portmap udp 10000:20000 sequential
+map zx0 10:1::/32 -> 10::3:4:0/112 portmap tcp/udp 10000:20000 sequential
+map zx0 10:1:1::/112 -> 10::3:4:5/128 portmap tcp/udp 40000:40001 sequential
diff --git a/contrib/ipfilter/test/regress/n6_6 b/contrib/ipfilter/test/regress/n6_6
new file mode 100644
index 0000000..3491c6b
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n6_6
@@ -0,0 +1,5 @@
+rdr zx0 10:1:1::1/128 port 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 from any to 10:1:1::/112 port = 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 from 10::/32 to 10:1:1::/112 port = 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 from 10:3::/32 to 10:1::/32 port = 23 -> 10::2:2:1 port 10023 tcp
+rdr zx0 ! from 10::/32 to 10:1:1::/112 port = 53 -> 10::2:2:1 port 10053 udp
diff --git a/contrib/ipfilter/test/regress/n7_6 b/contrib/ipfilter/test/regress/n7_6
new file mode 100644
index 0000000..88055f6
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n7_6
@@ -0,0 +1,3 @@
+rdr zx0 10:1:1::1/128 port 23-79 -> 10::2:2:1 port 10023 tcp
+rdr zx0 10:1:1::1/128 port 23-79 -> 10::2:2:1 port = 10023 tcp
+rdr zx0 10:1:1::/112 port 80 -> 10::2:2:1,1::2:2:129 port 3128 tcp
diff --git a/contrib/ipfilter/test/regress/n8_6 b/contrib/ipfilter/test/regress/n8_6
new file mode 100644
index 0000000..2f96be0
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n8_6
@@ -0,0 +1 @@
+map icmp0 2::2:2:0/112 -> 10:10:10::/112
diff --git a/contrib/ipfilter/test/regress/n9_6 b/contrib/ipfilter/test/regress/n9_6
new file mode 100644
index 0000000..31e4615
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n9_6
@@ -0,0 +1 @@
+rdr icmp0 4:4:4::/112 port 0 -> 10:10:10::1 port 0 ip
diff --git a/contrib/ipfilter/test/regress/ni13.nat b/contrib/ipfilter/test/regress/ni13.nat
index 7a879d8..ac2be49 100644
--- a/contrib/ipfilter/test/regress/ni13.nat
+++ b/contrib/ipfilter/test/regress/ni13.nat
@@ -1 +1 @@
-rdr pcn1 192.168.113.3/32 port 1723 -> 0.0.0.0 port 1723 proxy pptp
+rdr pcn1 192.168.113.3/32 port 1723 -> 0.0.0.0 port 1723 tcp proxy pptp
diff --git a/contrib/ipfilter/test/regress/ni14.nat b/contrib/ipfilter/test/regress/ni14.nat
index c546e99..72a8a4a 100644
--- a/contrib/ipfilter/test/regress/ni14.nat
+++ b/contrib/ipfilter/test/regress/ni14.nat
@@ -1 +1 @@
-rdr pcn1 192.168.113.3/32 port 1723 -> 127.0.0.1 port 1723 proxy pptp
+rdr pcn1 192.168.113.3/32 port 1723 -> 127.0.0.1 port 1723 tcp proxy pptp
diff --git a/contrib/ipfilter/test/regress/ni17.ipf b/contrib/ipfilter/test/regress/ni17.ipf
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni17.ipf
diff --git a/contrib/ipfilter/test/regress/ni18.ipf b/contrib/ipfilter/test/regress/ni18.ipf
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni18.ipf
diff --git a/contrib/ipfilter/test/regress/ni18.nat b/contrib/ipfilter/test/regress/ni18.nat
new file mode 100644
index 0000000..40113c1
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni18.nat
@@ -0,0 +1,4 @@
+rdr hme0 192.168.1.0/24 port 80 -> 1.1.1.1 port 80 tcp;
+no rdr hme0 192.168.1.1 port 80 tcp;
+map hme1 10.1.0.0/16 -> 203.1.1.1/32 portmap tcp/udp 10000:20000
+no map hme1 10.1.1.0/24 tcp;
diff --git a/contrib/ipfilter/test/regress/p1.pool b/contrib/ipfilter/test/regress/p1.pool
index 14ae3a3..aa262a7 100644
--- a/contrib/ipfilter/test/regress/p1.pool
+++ b/contrib/ipfilter/test/regress/p1.pool
@@ -1,2 +1,2 @@
table role = ipf type = tree number = 100
- { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; };
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
diff --git a/contrib/ipfilter/test/regress/p10.nat b/contrib/ipfilter/test/regress/p10.nat
new file mode 100644
index 0000000..3c3fa7c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p10.nat
@@ -0,0 +1 @@
+rewrite in on bge0 proto tcp from any to any port = 80 -> src 0/0 dst dstlist/servers;
diff --git a/contrib/ipfilter/test/regress/p10.pool b/contrib/ipfilter/test/regress/p10.pool
new file mode 100644
index 0000000..2be554a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p10.pool
@@ -0,0 +1,2 @@
+pool nat/dstlist (name servers; policy hash;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
diff --git a/contrib/ipfilter/test/regress/p11.nat b/contrib/ipfilter/test/regress/p11.nat
new file mode 100644
index 0000000..3c3fa7c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p11.nat
@@ -0,0 +1 @@
+rewrite in on bge0 proto tcp from any to any port = 80 -> src 0/0 dst dstlist/servers;
diff --git a/contrib/ipfilter/test/regress/p11.pool b/contrib/ipfilter/test/regress/p11.pool
new file mode 100644
index 0000000..a79d9ea
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p11.pool
@@ -0,0 +1,2 @@
+pool nat/dstlist (name servers; policy dst-hash;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
diff --git a/contrib/ipfilter/test/regress/p12.nat b/contrib/ipfilter/test/regress/p12.nat
new file mode 100644
index 0000000..3c3fa7c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p12.nat
@@ -0,0 +1 @@
+rewrite in on bge0 proto tcp from any to any port = 80 -> src 0/0 dst dstlist/servers;
diff --git a/contrib/ipfilter/test/regress/p12.pool b/contrib/ipfilter/test/regress/p12.pool
new file mode 100644
index 0000000..c9afcda
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p12.pool
@@ -0,0 +1,2 @@
+pool nat/dstlist (name servers; policy src-hash;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
diff --git a/contrib/ipfilter/test/regress/p13.ipf b/contrib/ipfilter/test/regress/p13.ipf
new file mode 100644
index 0000000..acaf639
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p13.ipf
@@ -0,0 +1 @@
+pass in from pool/100 to any
diff --git a/contrib/ipfilter/test/regress/p13.pool b/contrib/ipfilter/test/regress/p13.pool
new file mode 100644
index 0000000..de80f72
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p13.pool
@@ -0,0 +1,2 @@
+table role = all type = tree number = 100
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
diff --git a/contrib/ipfilter/test/regress/p3.ipf b/contrib/ipfilter/test/regress/p3.ipf
index aad7cb3..a598d88 100644
--- a/contrib/ipfilter/test/regress/p3.ipf
+++ b/contrib/ipfilter/test/regress/p3.ipf
@@ -1,5 +1,5 @@
-call now fr_srcgrpmap/1010 in all
-call now fr_dstgrpmap/2010 out all
+call now srcgrpmap/1010 in all
+call now dstgrpmap/2010 out all
pass in all group 1020
block in all group 1030
pass out all group 2020
diff --git a/contrib/ipfilter/test/regress/p4.nat b/contrib/ipfilter/test/regress/p4.nat
new file mode 100644
index 0000000..d504ac9
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p4.nat
@@ -0,0 +1 @@
+map * from pool/100 to any -> 1.2.3.4/32
diff --git a/contrib/ipfilter/test/regress/p4.pool b/contrib/ipfilter/test/regress/p4.pool
new file mode 100644
index 0000000..6ed0e49
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p4.pool
@@ -0,0 +1,2 @@
+table role = nat type = tree number = 100
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; };
diff --git a/contrib/ipfilter/test/regress/p6.ipf b/contrib/ipfilter/test/regress/p6.ipf
new file mode 100644
index 0000000..b9b8937
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p6.ipf
@@ -0,0 +1 @@
+block in from pool/microsoft to any
diff --git a/contrib/ipfilter/test/regress/p6.pool b/contrib/ipfilter/test/regress/p6.pool
new file mode 100644
index 0000000..83e818c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p6.pool
@@ -0,0 +1 @@
+pool ipf/tree (name microsoft;) { whois file "regress/p6.whois"; };
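Review bot: The pool is filled from `whois file "regress/p6.whois"`, a path relative to the working directory, so the fixture only loads when the test is started from the directory that contains `regress/`. What happens when the file cannot be opened or parsed is not visible here. If the pool is simply left empty, `block in from pool/microsoft to any` in p6.ipf matches nothing, which fails open for a block rule. The expected output for this test should therefore list the parsed entries. A companion case such as `pool ipf/tree (name missing;) { whois file "regress/<nonexistent-file>"; };` should expect a load error rather than an empty pool.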
diff --git a/contrib/ipfilter/test/regress/p6.whois b/contrib/ipfilter/test/regress/p6.whois
new file mode 100644
index 0000000..284244e
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p6.whois
@@ -0,0 +1,241 @@
+# This query resulted in more than 256 records. Remaining results
+# have been truncated. For more specific results, go to
+# http://ws.arin.net/whois for help in refining your query.
+Microsoft Corp (MSFT)
+Microsoft Corp., MSN Operations (MCMO)
+MICROSOFT CORPORATION (MICRO-101)
+MICROSOFT CORPORATION (MICRO-97)
+MICROSOFT CORPORATION (MICRO-100)
+Microsoft Corporation (MICRO-111)
+MICROSOFT CORPORATION (MICRO-117)
+Microsoft Corporation (ZM23-ARIN) noc@microsoft.com +1-425-882-8080
+Microsoft (ZM39-ARIN) noc@microsoft.com +1-425-882-8080
+Microsoft Corp (AS8068) MICROSOFT-CORP---MSN-AS-BLOCK 8068 - 8075
+Microsoft Corp (AS13811) MSLI 13811
+Microsoft Corp (AS14719) MICROSOFT-CORP-BCENTRAL 14719
+Microsoft Corp (AS3598) MICROSOFT-CORP-AS 3598
+Microsoft Corp (AS5761) MICROSOFT-CORP---MSN-AS---SATURN 5761
+Microsoft Corp (AS6182) MICROSOFT-CORP--MSN-AS-4 6182
+Microsoft Corp (AS6194) MICROSOFT-CORP--MSN-AS-3 6194
+Microsoft Corp (AS6291) MICROSOFT-CORP---MSN-AS 6291
+Microsoft Corp (AS13399) MICROSOFT-CORP---MSN-AS-2 13399
+Microsoft Corp (AS23468) MICROSOFT-CORP-XBOX-ONLINE 23468
+Microsoft Corp MICROSOFT (NET-131-107-0-0-1) 131.107.0.0 - 131.107.255.255
+Microsoft Corp MICROSOFT-VEXCEL (NET-192-92-90-0-1) 192.92.90.0 - 192.92.90.255
+Microsoft Corp NETBLK-MSOFT-NET (NET-198-105-232-0-1) 198.105.232.0 - 198.105.235.255
+Microsoft Corp MICROSOFT19-NET58 (NET-204-231-58-0-1) 204.231.58.0 - 204.231.58.255
+Microsoft Corp MICROSOFT15 (NET-204-140-77-0-1) 204.140.77.0 - 204.140.77.255
+Microsoft Corp MICROSOFT16 (NET-204-140-80-0-1) 204.140.80.0 - 204.140.83.255
+Microsoft Corp MICROSOFT-CORP-MSN-1 (NET-199-60-28-0-1) 199.60.28.0 - 199.60.28.255
+Microsoft Corp MICROSOFT-1 (NET-199-103-90-0-1) 199.103.90.0 - 199.103.91.255
+Microsoft Corp MICROSOFT-CORP-MSN-3 (NET-199-103-122-0-1) 199.103.122.0 - 199.103.122.255
+Microsoft Corp MICROSOFT8 (NET-204-79-101-0-1) 204.79.101.0 - 204.79.101.255
+Microsoft Corp MICROSOFT18 (NET-192-237-67-0-1) 192.237.67.0 - 192.237.67.255
+Microsoft Corp MICROSOFT19 (NET-198-137-97-0-1) 198.137.97.0 - 198.137.97.255
+Microsoft Corp MICROSOFT-HK (NET-204-79-135-0-1) 204.79.135.0 - 204.79.135.255
+Microsoft Corp MICROSOFT-PLACEWARE-1 (NET-204-79-179-0-1) 204.79.179.0 - 204.79.179.255
+Microsoft Corp MICROSOFT11 (NET-204-79-180-0-1) 204.79.180.0 - 204.79.181.255
+Microsoft Corp MICROSOFT-PLACEWARE-2 (NET-204-79-188-0-1) 204.79.188.0 - 204.79.188.255
+Microsoft Corp MICROSOFT13 (NET-204-79-195-0-1) 204.79.195.0 - 204.79.197.255
+Microsoft Corp MICROSOFT17 (NET-199-6-92-0-1) 199.6.92.0 - 199.6.94.255
+Microsoft Corp MICROSOFT-2 (NET-204-79-7-0-1) 204.79.7.0 - 204.79.7.255
+Microsoft Corp MICROSOFT-NET1 (NET-204-79-27-0-1) 204.79.27.0 - 204.79.27.255
+Microsoft Corp MICROSOFT2 (NET-198-180-74-0-1) 198.180.74.0 - 198.180.75.255
+Microsoft Corp MICROSOFT3 (NET-198-180-95-0-1) 198.180.95.0 - 198.180.97.255
+Microsoft Corp MICROSOFT28 (NET-204-231-236-0-1) 204.231.236.0 - 204.231.236.255
+Microsoft Corp MICROSOFT29 (NET-205-248-10-0-1) 205.248.10.0 - 205.248.15.255
+Microsoft Corp SPRINT-CDA33F (NET-205-163-63-0-1) 205.163.63.0 - 205.163.63.255
+Microsoft Corp SPRINT-CDA33E (NET-205-163-62-0-1) 205.163.62.0 - 205.163.62.255
+Microsoft Corp SPRINT-CDA39F (NET-205-163-144-0-1) 205.163.144.0 - 205.163.159.255
+Microsoft Corp MICROSOFT30 (NET-205-248-41-0-1) 205.248.41.0 - 205.248.43.255
+Microsoft Corp MICROSOFT31 (NET-205-248-50-0-1) 205.248.50.0 - 205.248.51.255
+Microsoft Corp MICROSOFT32 (NET-205-248-61-0-1) 205.248.61.0 - 205.248.63.255
+Microsoft Corp MICROSOFT34 (NET-205-248-72-0-1) 205.248.72.0 - 205.248.72.255
+Microsoft Corp MICROSOFT35 (NET-205-248-212-0-1) 205.248.212.0 - 205.248.215.255
+Microsoft Corp MICROSOFT36 (NET-205-248-228-0-1) 205.248.228.0 - 205.248.228.255
+Microsoft Corp MICROSOFT37 (NET-205-248-235-0-1) 205.248.235.0 - 205.248.235.255
+Microsoft Corp MICROSOFT20 (NET-204-231-76-0-1) 204.231.76.0 - 204.231.76.255
+Microsoft Corp MICROSOFT26 (NET-204-231-192-0-1) 204.231.192.0 - 204.231.192.255
+Microsoft Corp MICROSOFT27 (NET-204-231-194-0-1) 204.231.194.0 - 204.231.223.255
+Microsoft Corp SOCRATIC (NET-207-78-80-0-1) 207.78.80.0 - 207.78.80.255
+Microsoft Corp DAVELADD (NET-207-78-81-0-1) 207.78.81.0 - 207.78.81.255
+Microsoft Corp RSEGAL (NET-207-78-82-0-1) 207.78.82.0 - 207.78.82.255
+Microsoft Corp MICROSOFT44 (NET-205-248-243-0-1) 205.248.243.0 - 205.248.244.255
+Microsoft Corp MICROSOFT48 (NET-207-117-3-0-1) 207.117.3.0 - 207.117.3.255
+Microsoft Corp UU-207-18-117 (NET-207-18-117-0-1) 207.18.117.0 - 207.18.117.255
+Microsoft Corp CW-208-139-27-B (NET-208-139-27-0-1) 208.139.27.0 - 208.139.27.255
+Microsoft Corp MICROSOFT55 (NET-209-28-213-0-1) 209.28.213.0 - 209.28.213.255
+Microsoft Corp MICROSOFT50 (NET-207-209-68-0-1) 207.209.68.0 - 207.209.68.255
+Microsoft Corp SPRINT-CC5F6F (NET-204-95-96-0-1) 204.95.96.0 - 204.95.111.255
+Microsoft Corp CYBR-LCCLAB (NET-207-158-93-192-1) 207.158.93.192 - 207.158.93.223
+Microsoft Corp MSBPN-2 (NET-207-240-123-192-1) 207.240.123.192 - 207.240.123.223
+Microsoft Corp SPRINT-D01ACD (NET-208-26-205-0-1) 208.26.205.0 - 208.26.205.255
+Microsoft Corp MICROSOFT-CORP-MSN-2 (NET-192-197-157-0-1) 192.197.157.0 - 192.197.157.255
+Microsoft Corp MICROSOFTDENVER (NET-204-133-231-0-1) 204.133.231.0 - 204.133.231.255
+Microsoft Corp MICROSOFTG1-COM (NET-216-72-96-0-1) 216.72.96.0 - 216.72.99.255
+Microsoft Corp EACT-CUST-JLEZNEK (NET-207-229-166-152-1) 207.229.166.152 - 207.229.166.159
+Microsoft Corp SPRINT-CC5F95-8 (NET-204-95-149-0-1) 204.95.149.0 - 204.95.149.255
+Microsoft Corp NET-CSAMSI (NET-209-192-213-72-1) 209.192.213.72 - 209.192.213.79
+Microsoft Corp MICROSOFT57 (NET-206-73-203-0-1) 206.73.203.0 - 206.73.203.255
+Microsoft Corp MICROSOFT56 (NET-206-73-118-0-1) 206.73.118.0 - 206.73.118.255
+Microsoft Corp QWEST-208-45-54-16 (NET-208-45-54-16-1) 208.45.54.16 - 208.45.54.23
+Microsoft Corp QWEST-208-45-54-8 (NET-208-45-54-8-1) 208.45.54.8 - 208.45.54.15
+Microsoft Corp MICROSOFT58 (NET-206-73-31-0-1) 206.73.31.0 - 206.73.31.255
+Microsoft Corp SPRINT-3FA132 (NET-63-161-50-128-1) 63.161.50.128 - 63.161.50.255
+Microsoft Corp SPRINT-3FA132-6 (NET-63-161-50-0-1) 63.161.50.0 - 63.161.50.127
+Microsoft Corp MICROSOFT-8-18 (NET-207-240-8-224-1) 207.240.8.224 - 207.240.8.239
+Microsoft Corp MICROSOFT-BBLK (NET-157-54-0-0-1) 157.54.0.0 - 157.60.255.255
+Microsoft Corp QWEST-208-45-89-248A (NET-208-45-89-248-1) 208.45.89.248 - 208.45.89.255
+Microsoft Corp MICROSOFT61 (NET-206-182-69-0-1) 206.182.69.0 - 206.182.69.255
+Microsoft Corp MICROSOFT63 (NET-206-182-240-0-1) 206.182.240.0 - 206.182.240.255
+Microsoft Corp MICROSOFT64 (NET-206-182-241-0-1) 206.182.241.0 - 206.182.241.255
+Microsoft Corp MICROSOFT59 (NET-206-73-67-0-1) 206.73.67.0 - 206.73.67.255
+Microsoft Corp MICROSOFT66 (NET-206-182-251-0-1) 206.182.251.0 - 206.182.251.255
+Microsoft Corp MICROSOFT65 (NET-206-182-247-0-1) 206.182.247.0 - 206.182.247.255
+Microsoft Corp MICROSOFT62 (NET-206-182-236-0-1) 206.182.236.0 - 206.182.236.255
+Microsoft Corp QWEST-63-236-198-64 (NET-63-236-198-64-1) 63.236.198.64 - 63.236.198.71
+Microsoft Corp QWEST-63-236-198-152 (NET-63-236-198-152-1) 63.236.198.152 - 63.236.198.159
+Microsoft Corp ERMS-6799349 (NET-165-121-253-232-1) 165.121.253.232 - 165.121.253.239
+Microsoft Corp QWEST-63-236-170-64 (NET-63-236-170-64-1) 63.236.170.64 - 63.236.170.71
+Microsoft Corp QWEST-63-236-186-64 (NET-63-236-186-64-1) 63.236.186.64 - 63.236.186.71
+Microsoft Corp QWEST-63-236-187-104 (NET-63-236-187-104-1) 63.236.187.104 - 63.236.187.111
+Microsoft Corp QWEST-63-236-187-128 (NET-63-236-187-128-1) 63.236.187.128 - 63.236.187.135
+Microsoft Corp QWEST-63-236-187-160 (NET-63-236-187-160-1) 63.236.187.160 - 63.236.187.167
+Microsoft Corp FON-3338832128690 (NET-199-2-137-0-1) 199.2.137.0 - 199.2.137.255
+Microsoft Corp CUST-86-24614 (NET-216-222-104-224-1) 216.222.104.224 - 216.222.104.239
+Microsoft Corp QWEST-63-151-87-64 (NET-63-151-87-64-1) 63.151.87.64 - 63.151.87.71
+Microsoft Corp HP-64-77-82-96 (NET-64-77-82-96-1) 64.77.82.96 - 64.77.82.103
+Microsoft Corp HP-64-77-93-80 (NET-64-77-93-80-1) 64.77.93.80 - 64.77.93.95
+Microsoft Corp MICROSOFT-1BLK (NET-65-52-0-0-1) 65.52.0.0 - 65.55.255.255
+Microsoft Corp MICROSOFT-GLOBAL-NET (NET-207-46-0-0-1) 207.46.0.0 - 207.46.255.255
+Microsoft Corp MICROSOFT-CORP-MSN-BLK (NET-207-68-128-0-1) 207.68.128.0 - 207.68.207.255
+Microsoft Corp FON-343451648081865 (NET-204-182-144-0-1) 204.182.144.0 - 204.182.159.255
+Microsoft Corp FON-346312755281299 (NET-206-107-34-0-1) 206.107.34.0 - 206.107.34.255
+Microsoft Corp FON-34550983681918 (NET-205-240-158-0-1) 205.240.158.0 - 205.240.159.255
+Microsoft Corp MICROSOFT-PLACEWARE-2 (NET-204-79-252-0-1) 204.79.252.0 - 204.79.252.255
+Microsoft Corp WLCO-TWC1057147-MICROSOFT (NET-64-200-211-16-1) 64.200.211.16 - 64.200.211.31
+Microsoft Corp MICROSOF81-163-0 (NET-12-178-163-0-1) 12.178.163.0 - 12.178.163.31
+Microsoft Corp WLCO-TWC1057147-MICROSOFT-1 (NET-69-44-126-80-1) 69.44.126.80 - 69.44.126.95
+Microsoft Corp SPRINTLINK (NET-63-173-42-128-1) 63.173.42.128 - 63.173.42.255
+Microsoft Corp MICROSOF33-108-0 (NET-12-28-108-0-1) 12.28.108.0 - 12.28.108.127
+Microsoft Corp SPRINTLINK (NET-65-170-29-0-1) 65.170.29.0 - 65.170.29.7
+Microsoft Corp Q0903-67-132-133-96 (NET-67-132-133-96-1) 67.132.133.96 - 67.132.133.103
+Microsoft Corp MICROSOFT-IPV6-BLK (NET6-2001-4898-1) 2001:4898:0000:0000:0000:0000:0000:0000 - 2001:4898:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
+Microsoft Corp LVLT-MSFT-8-6-176 (NET-8-6-176-0-1) 8.6.176.0 - 8.6.176.255
+Microsoft Corp MICROSOFT33 (NET-205-248-80-0-1) 205.248.80.0 - 205.248.129.255
+Microsoft Corp Q0523-63-148-123-240 (NET-63-148-123-240-1) 63.148.123.240 - 63.148.123.247
+Microsoft Corp SAVV-S233608-1 (NET-64-41-193-0-1) 64.41.193.0 - 64.41.193.255
+Microsoft Corp SAVV-S233053-1 (NET-64-85-70-32-1) 64.85.70.32 - 64.85.70.47
+Microsoft Corp SAVV-S233053-2 (NET-64-85-81-96-1) 64.85.81.96 - 64.85.81.103
+Microsoft Corp SAVV-S233053-3 (NET-64-85-81-104-1) 64.85.81.104 - 64.85.81.111
+Microsoft Corp SAVV-S233053-7 (NET-216-32-168-224-1) 216.32.168.224 - 216.32.168.255
+Microsoft Corp SAVV-S233053-6 (NET-206-79-74-32-1) 206.79.74.32 - 206.79.74.47
+Microsoft Corp SAVV-S233053-8 (NET-216-32-175-224-1) 216.32.175.224 - 216.32.175.255
+Microsoft Corp SAVV-S233053-9 (NET-216-32-180-0-1) 216.32.180.0 - 216.32.183.255
+Microsoft Corp SAVV-S233053-11 (NET-216-33-229-224-1) 216.33.229.224 - 216.33.229.255
+Microsoft Corp SAVV-S233053-12 (NET-216-33-236-0-1) 216.33.236.0 - 216.33.239.255
+Microsoft Corp SAVV-S233053-13 (NET-216-33-240-0-1) 216.33.240.0 - 216.33.243.255
+Microsoft Corp SAVV-S233053-10 (NET-216-32-240-0-1) 216.32.240.0 - 216.32.243.255
+Microsoft Corp SAVV-S233608-3 (NET-216-34-51-0-1) 216.34.51.0 - 216.34.51.255
+Microsoft Corp SAVV-S233053-4 (NET-209-1-112-0-1) 209.1.112.0 - 209.1.112.255
+Microsoft Corp SAVV-S233053-5 (NET-209-1-113-0-1) 209.1.113.0 - 209.1.113.255
+Microsoft Corp SAVV-S233608-2 (NET-209-1-15-0-1) 209.1.15.0 - 209.1.15.255
+Microsoft Corp SAVV-S233608-4 (NET-216-34-53-176-1) 216.34.53.176 - 216.34.53.191
+Microsoft Corp SAVV-S233608-5 (NET-216-35-8-224-1) 216.35.8.224 - 216.35.8.239
+Microsoft Corp SAVV-S233053-14 (NET-209-185-128-0-1) 209.185.128.0 - 209.185.131.255
+Microsoft Corp Q0112-65-114-175-128 (NET-65-114-175-128-1) 65.114.175.128 - 65.114.175.159
+Microsoft Corp SAVV-S233053-15 (NET-64-15-229-96-1) 64.15.229.96 - 64.15.229.127
+Microsoft Corp SAVV-S233050-5 (NET-64-15-177-0-1) 64.15.177.0 - 64.15.177.255
+Microsoft Corp SAVV-S233050-4 (NET-64-15-170-192-1) 64.15.170.192 - 64.15.170.199
+Microsoft Corp SAVV-S233050-2 (NET-209-143-238-0-1) 209.143.238.0 - 209.143.238.255
+Microsoft Corp SAVV-S233050-6 (NET-64-15-178-0-1) 64.15.178.0 - 64.15.178.255
+Microsoft Corp SAVV-S232995-2 (NET-66-35-209-120-1) 66.35.209.120 - 66.35.209.127
+Microsoft Corp SAVV-S232995-3 (NET-66-35-211-128-1) 66.35.211.128 - 66.35.211.191
+Microsoft Corp SAVV-S232995-1 (NET-66-35-208-48-1) 66.35.208.48 - 66.35.208.63
+Microsoft Corp SAVV-S233053-16 (NET-216-33-148-0-1) 216.33.148.0 - 216.33.151.255
+Microsoft Corp., MSN Operations SAVV-S233052-4 (NET-216-35-66-88-1) 216.35.66.88 - 216.35.66.95
+MICROSOFT CORPORATION MICROSOF32-32-160 (NET-12-230-32-160-1) 12.230.32.160 - 12.230.32.167
+MICROSOFT CORPORATION MICROSOF43-124-0 (NET-12-53-124-0-1) 12.53.124.0 - 12.53.124.31
+MICROSOFT CORPORATION MICROSOF82-18-96 (NET-12-232-18-96-1) 12.232.18.96 - 12.232.18.127
+MICROSOFT CORPORATION MICROSOF25-158 (NET-12-190-158-0-1) 12.190.158.0 - 12.190.158.255
+MICROSOFT CORPORATION MICROSOF61-196-32 (NET-12-71-196-32-1) 12.71.196.32 - 12.71.196.47
+Microsoft Corporation MICROSOFT-ONLINE-SERVICES (NET-209-240-192-0-1) 209.240.192.0 - 209.240.223.255
+Microsoft Corporation MICROSOFT-DYNAMIC-HOSTING (NET-70-37-0-0-1) 70.37.0.0 - 70.37.191.255
+Microsoft Corporation MS-ONLINE-SERVICES-NJ (NET-70-37-128-0-1) 70.37.128.0 - 70.37.129.255
+Microsoft Corporation MS-GLOBAL-ONLINE-SERVICES (NET-70-37-135-0-1) 70.37.135.0 - 70.37.135.255
+MICROSOFT CORPORATION MICROSOF82-87-192 (NET-12-49-87-192-1) 12.49.87.192 - 12.49.87.255
+Microsoft MICROSOFT (NET-74-93-205-144-1) 74.93.205.144 - 74.93.205.151
+Microsoft MICROSOFT (NET-74-93-205-152-1) 74.93.205.152 - 74.93.205.159
+Microsoft MICROSOFT (NET-74-93-206-64-1) 74.93.206.64 - 74.93.206.71
+Microsoft MICROSOFT (NET-70-89-139-120-1) 70.89.139.120 - 70.89.139.127
+Microsoft DIRECP-NET1-206-71-11 (NET-206-71-119-0-1) 206.71.119.0 - 206.71.119.255
+Microsoft DIRECP-NET1-117 (NET-206-71-117-0-1) 206.71.117.0 - 206.71.117.255
+Microsoft DIRECP-NET1-118 (NET-206-71-118-0-1) 206.71.118.0 - 206.71.118.255
+Microsoft UUHIL-BLK1-C155-112 (NET-209-154-155-112-1) 209.154.155.112 - 209.154.155.119
+Microsoft SBCIS-101411-164355 (NET-65-68-62-152-1) 65.68.62.152 - 65.68.62.159
+MICROSOFT SBC067039208168020503 (NET-67-39-208-168-1) 67.39.208.168 - 67.39.208.175
+Microsoft UU-65-242-67 (NET-65-242-67-0-1) 65.242.67.0 - 65.242.67.255
+Microsoft CW-204-71-191-0 (NET-204-71-191-0-1) 204.71.191.0 - 204.71.191.255
+Microsoft SBC063194155144021023 (NET-63-194-155-144-1) 63.194.155.144 - 63.194.155.151
+Microsoft SBC066136085192030113 (NET-66-136-85-192-1) 66.136.85.192 - 66.136.85.199
+MICROSOFT MFN-T280-64-124-184-72-29 (NET-64-124-184-72-1) 64.124.184.72 - 64.124.184.79
+MICROSOFT MFN-T133-216-200-206-0-24 (NET-216-200-206-0-1) 216.200.206.0 - 216.200.206.255
+Microsoft UU-63-80-93-D4 (NET-63-80-93-0-1) 63.80.93.0 - 63.80.93.127
+Microsoft RSPC-1218167167199384 (NET-67-192-225-208-1) 67.192.225.208 - 67.192.225.223
+Microsoft CVNET-454AA20 (NET-69-74-162-0-1) 69.74.162.0 - 69.74.162.255
+Microsoft UU-65-221-5 (NET-65-221-5-0-1) 65.221.5.0 - 65.221.5.255
+Microsoft - Partner Campaign Builder (PCB) MICROSOFT-PARTNER-CAMPAIGN-BUILDER-PCB (NET-216-182-89-192-1) 216.182.89.192 - 216.182.89.207
+Microsoft - Partner Campaign Builder (PCB) MICROSOFT-PARTNER-CAMPAIGN-BUILDER-PCB (NET-216-182-89-48-1) 216.182.89.48 - 216.182.89.63
+MICROSOFT AUSTIN-STO UU-65-248-85-D4 (NET-65-248-85-0-1) 65.248.85.0 - 65.248.85.255
+Microsoft Canada MIC0923-CA (NET-199-243-157-192-1) 199.243.157.192 - 199.243.157.223
+Microsoft Canada MIC0702-CA (NET-199-243-157-112-1) 199.243.157.112 - 199.243.157.119
+Microsoft Corp UU-65-194-210-224 (NET-65-194-210-224-1) 65.194.210.224 - 65.194.210.255
+Microsoft Corp UU-208-194-139 (NET-208-194-139-0-1) 208.194.139.0 - 208.194.139.255
+Microsoft Corp UU-208-204-49-128-B (NET-208-204-49-128-1) 208.204.49.128 - 208.204.49.255
+Microsoft Corp UU-208-205-26 (NET-208-205-26-0-1) 208.205.26.0 - 208.205.26.255
+Microsoft Corp UU-208-217-184-D1 (NET-208-217-184-0-1) 208.217.184.0 - 208.217.187.255
+Microsoft Corp UU-208-222-172 (NET-208-222-172-0-1) 208.222.172.0 - 208.222.172.255
+Microsoft Corp UU-208-224-200-64 (NET-208-224-200-64-1) 208.224.200.64 - 208.224.200.95
+Microsoft Corp UU-208-229-100-D1 (NET-208-229-100-0-1) 208.229.100.0 - 208.229.101.255
+Microsoft Corp UU-208-241-19 (NET-208-241-19-0-1) 208.241.19.0 - 208.241.19.15
+Microsoft Corp UU-208-241-19-16 (NET-208-241-19-16-1) 208.241.19.16 - 208.241.19.31
+Microsoft Corp UU-208-241-9-224 (NET-208-241-9-224-1) 208.241.9.224 - 208.241.9.239
+Microsoft Corp UU-208-244-108-D2 (NET-208-244-108-0-1) 208.244.108.0 - 208.244.108.15
+Microsoft Corp UU-208-245-16 (NET-208-245-16-0-1) 208.245.16.0 - 208.245.16.31
+Microsoft Corp UU-208-249-17-160 (NET-208-249-17-160-1) 208.249.17.160 - 208.249.17.175
+Microsoft Corp UU-63-104-216-D2 (NET-63-104-216-0-1) 63.104.216.0 - 63.104.216.127
+Microsoft Corp UU-63-69-245 (NET-63-69-245-0-1) 63.69.245.0 - 63.69.245.255
+Microsoft Corp SBC068090141072031030 (NET-68-90-141-72-1) 68.90.141.72 - 68.90.141.79
+Microsoft Corp 10825385 SBC06319812316029040317151513 (NET-63-198-123-160-1) 63.198.123.160 - 63.198.123.167
+MICROSOFT CORP-040821020257 SBC06824804806429040821020303 (NET-68-248-48-64-1) 68.248.48.64 - 68.248.48.71
+MICROSOFT CORP-040821020338 SBC06824804807229040821020347 (NET-68-248-48-72-1) 68.248.48.72 - 68.248.48.79
+MICROSOFT CORP-081024181821 SBC-99-49-8-248-29-0810241850 (NET-99-49-8-248-1) 99.49.8.248 - 99.49.8.255
+Microsoft Corp. HUGE-65-38-172-72-29 (NET-65-38-172-72-1) 65.38.172.72 - 65.38.172.79
+Microsoft Corp. HUGE-65-38-172-96-28 (NET-65-38-172-96-1) 65.38.172.96 - 65.38.172.111
+Microsoft Corporation MICROSOFT-CORPORATION (NET-75-149-174-16-1) 75.149.174.16 - 75.149.174.23
+Microsoft Corporation MICROSOFT-CORPORATION (NET-75-151-100-240-1) 75.151.100.240 - 75.151.100.255
+Microsoft Corporation SPEK-647057-0 (NET-64-81-8-96-1) 64.81.8.96 - 64.81.8.127
+Microsoft Corporation SBC067112255144030130 (NET-67-112-255-144-1) 67.112.255.144 - 67.112.255.151
+Microsoft Corporation ATTENS-010075-004522 (NET-63-240-201-176-1) 63.240.201.176 - 63.240.201.191
+Microsoft Corporation ATTENS-010075-004523 (NET-206-16-209-208-1) 206.16.209.208 - 206.16.209.223
+Microsoft Corporation ATTENS-010075-004525 (NET-63-240-195-208-1) 63.240.195.208 - 63.240.195.223
+Microsoft Corporation ATTENS-010075-004526 (NET-206-16-204-64-1) 206.16.204.64 - 206.16.204.79
+Microsoft Corporation ATTENS-010075-004450 (NET-206-16-223-0-1) 206.16.223.0 - 206.16.223.255
+Microsoft Corporation ATTENS-010075-005028 (NET-63-240-216-0-1) 63.240.216.0 - 63.240.219.255
+Microsoft Corporation ATTENS-010075-005057 (NET-63-240-220-0-1) 63.240.220.0 - 63.240.223.255
+Microsoft Corporation ATTENS-010075-005135 (NET-206-16-246-24-1) 206.16.246.24 - 206.16.246.31
+Microsoft Corporation ATTENS-010075-004524 (NET-63-240-195-192-1) 63.240.195.192 - 63.240.195.207
+Microsoft Corporation ATTENS-010075-005880 (NET-206-16-224-160-1) 206.16.224.160 - 206.16.224.191
+Microsoft Corporation (managed segment) RSPC-1229444888833780 (NET-98-129-187-144-1) 98.129.187.144 - 98.129.187.151
+Microsoft Corporation - Secure Dimensions ( RSPC-33955-12072007 (NET-67-192-39-48-1) 67.192.39.48 - 67.192.39.63
+Microsoft Corporation - Whale RSPC-108457-1170047010 (NET-72-32-240-160-1) 72.32.240.160 - 72.32.240.175
+Microsoft Corporation - Whale RSPC-108456-1173386392 (NET-72-32-201-152-1) 72.32.201.152 - 72.32.201.159
+MICROSOFT CROP SBC067039081152020503 (NET-67-39-81-152-1) 67.39.81.152 - 67.39.81.159
+Microsoft Education Programs RSPC-48725-1096578571 (NET-69-20-127-32-1) 69.20.127.32 - 69.20.127.39
+Microsoft License PNAP-SFJ-MSLI-RM-01 (NET-216-52-28-0-1) 216.52.28.0 - 216.52.28.255
+Microsoft License INAP-PHX003-MSLICENSE-25271 (NET-70-42-230-0-1) 70.42.230.0 - 70.42.231.255
+Microsoft License INAP-SFJ-MSLICENSE-13982 (NET-63-251-97-0-1) 63.251.97.0 - 63.251.97.255
+Microsoft Licensing SBC067120132128020815 (NET-67-120-132-128-1) 67.120.132.128 - 67.120.132.135
+Microsoft Licensing SBC067120132152020815 (NET-67-120-132-152-1) 67.120.132.152 - 67.120.132.159
+Microsoft Licensing SBC067120132192020816 (NET-67-120-132-192-1) 67.120.132.192 - 67.120.132.207
+Microsoft Licensing SBC0671201322080208
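Review bot: The last added line of `p6.whois`, `Microsoft Licensing SBC0671201322080208`, stops mid-record with no `(NET-…)` handle or address range, and the hunk's line count (241) suggests this is the file's real last line rather than a display cut. If the truncated record is there on purpose to exercise the whois-file loader on malformed input, a leading comment such as `# last record is deliberately truncated` would stop someone from "fixing" it later. If it is not deliberate, dropping the line keeps the fixture to complete records. The expected output for `p6` should make clear whether that line is skipped or rejected, since the loader's behaviour is not visible here.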
diff --git a/contrib/ipfilter/test/regress/p7.nat b/contrib/ipfilter/test/regress/p7.nat
new file mode 100644
index 0000000..3c3fa7c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p7.nat
@@ -0,0 +1 @@
+rewrite in on bge0 proto tcp from any to any port = 80 -> src 0/0 dst dstlist/servers;
diff --git a/contrib/ipfilter/test/regress/p7.pool b/contrib/ipfilter/test/regress/p7.pool
new file mode 100644
index 0000000..451b374d
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p7.pool
@@ -0,0 +1,2 @@
+pool nat/dstlist (name servers; policy weighted connection;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
diff --git a/contrib/ipfilter/test/regress/p9.nat b/contrib/ipfilter/test/regress/p9.nat
new file mode 100644
index 0000000..3c3fa7c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p9.nat
@@ -0,0 +1 @@
+rewrite in on bge0 proto tcp from any to any port = 80 -> src 0/0 dst dstlist/servers;
diff --git a/contrib/ipfilter/test/regress/p9.pool b/contrib/ipfilter/test/regress/p9.pool
new file mode 100644
index 0000000..c452ffc
--- /dev/null
+++ b/contrib/ipfilter/test/regress/p9.pool
@@ -0,0 +1,2 @@
+pool nat/dstlist (name servers; policy round-robin;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
diff --git a/contrib/ipfilter/test/test.format b/contrib/ipfilter/test/test.format
index dfc3f35..64f7d9b 100644
--- a/contrib/ipfilter/test/test.format
+++ b/contrib/ipfilter/test/test.format
@@ -1,6 +1,6 @@
-#test input-format output-format
+#test input-format output-format options
bpf-f1 text text
-bpf1 text ipf
+bpf1 text text
f1 text text
f2 text text
f3 text text
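Review bot: The header comment gains an `options` column but nothing says what may go in it, and later hunks fill it with two different kinds of value: tunable assignments (`update_ipid=0`, `state_max=3`) and flags (`-D`, `-6`, `-v`), sometimes combined as in `n12 hex hex update_ipid=0 -v`. A second comment line, for example `# options: name=value tunables and/or -flags, space separated`, would document that; the exact wording should follow how the test driver consumes the column, which is not visible here. The flag order also varies (`-6D` for `n8_6`, `-D6` for `n12_6`); one spelling would make the list easier to search.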
@@ -18,9 +18,11 @@ f14 text text
f15 text text
f16 text text
f17 hex hex
-f18 text text
-f19 text text fr_statemax=3
+f18 text text -D
+f19 text text state_max=3
f20 text text
+f21 hex text
+f22 hex text
i1 text ipf
i2 text ipf
i3 text ipf
@@ -42,17 +44,26 @@ i18 text ipf
i19 text ipf
i20 text ipf
i21 text ipf
+i22 text ipf
+i23 text ipf
in1 text text
in2 text text
in3 text text
in4 text text
in5 text text
in6 text text
+in7 text text
+in8 text text
+in100 text text
+in101 text text
+in102 text text
ip1 text text
ip2 text text
+ip3 text text
ipv6.1 hex hex
ipv6.2 hex hex
ipv6.3 hex hex
+ipv6.4 hex hex
ipv6.5 hex hex
l1 hex hex
n1 text text
@@ -62,31 +73,40 @@ n4 text text
n5 text text
n6 text text
n7 text text
-n8 hex hex fr_update_ipid=0
-n9 hex hex fr_update_ipid=0
-n10 hex hex fr_update_ipid=0
+n8 hex hex update_ipid=0
+n9 hex hex update_ipid=0
+n10 hex hex update_ipid=0
n11 text text
-n12 hex hex fr_update_ipid=0
-n13 text text
-n14 text text
-ni1 hex hex fr_update_ipid=1
-ni2 hex hex fr_update_ipid=1
-ni3 hex hex fr_update_ipid=1
-ni4 hex hex fr_update_ipid=1
-ni5 hex hex fr_update_ipid=1
-ni6 hex hex fr_update_ipid=1
-ni7 hex hex fr_update_ipid=1
-ni8 hex hex fr_update_ipid=1
-ni9 hex hex fr_update_ipid=1
-ni10 hex hex fr_update_ipid=1
-ni11 hex hex fr_update_ipid=1
-ni12 hex hex fr_update_ipid=1
-ni13 hex hex fr_update_ipid=1
-ni14 hex hex fr_update_ipid=1
-ni15 hex hex fr_update_ipid=1
-ni16 hex hex fr_update_ipid=1
-ni19 hex hex fr_update_ipid=0
-ni20 hex hex fr_update_ipid=0
+n12 hex hex update_ipid=0 -v
+n15 text text update_ipid=0
+n100 text text
+n101 text text
+n102 text text
+n103 text text
+n104 hex hex update_ipid=0
+n105 hex hex update_ipid=0
+n106 hex hex update_ipid=0
+n200 hex hex update_ipid=0
+ni1 hex hex update_ipid=1
+ni2 hex hex update_ipid=1
+ni3 hex hex update_ipid=1
+ni4 hex hex update_ipid=1
+ni5 hex hex update_ipid=1
+ni6 hex text update_ipid=1 -D
+ni7 hex hex update_ipid=1
+ni8 hex hex update_ipid=1
+ni9 hex hex update_ipid=1
+ni10 hex hex update_ipid=1
+ni11 hex hex update_ipid=1
+ni12 hex hex update_ipid=1
+ni13 hex hex update_ipid=1
+ni14 hex hex update_ipid=1
+ni15 hex hex update_ipid=1
+ni16 hex hex update_ipid=1
+ni17 text text
+ni18 text text
+ni19 hex hex update_ipid=0
+ni20 hex hex update_ipid=0 -D
ni21 text text
ni23 text text -D
p1 text text
@@ -94,6 +114,35 @@ p2 text text
p3 text text
p4 text text
p5 text text
+p6 text text
+p7 text text
+p9 text text
+p10 text text
+p11 text text
+p12 text text
+p13 text text
n16 hex hex -D
+n17 hex hex -D
f24 hex text
ipv6.6 hex text
+f25 hex text -D
+f26 text text
+f27 hex text
+n1_6 text text -6
+n2_6 text text -6
+n4_6 text text -6
+n5_6 text text -6
+n6_6 text text -6
+n7_6 text text -6
+n8_6 hex hex -6D
+n9_6 hex hex -6D
+n11_6 text text -6
+n12_6 hex hex -D6
+n15_6 text text -6
+n17_6 hex hex -6
+n13 text text
+n14 text text
+n18 text text -D
+f28 text text
+f29 text text
+f30 text text
diff --git a/contrib/ipfilter/test/vfycksum.pl b/contrib/ipfilter/test/vfycksum.pl
index b3a20be..0272e4b 100755
--- a/contrib/ipfilter/test/vfycksum.pl
+++ b/contrib/ipfilter/test/vfycksum.pl
@@ -19,82 +19,71 @@ sub dosum {
local($lsum) = $seed;
for ($idx = $start, $lsum = $seed; $idx < $max; $idx++) {
+#printf "%#x += %#x\n", $lsum, $bytes[$idx];
$lsum += $bytes[$idx];
}
- $lsum = ($lsum & 0xffff) + ($lsum >> 16);
+ while ($lsum > 0xffff) {
+ $lsum = ($lsum & 0xffff) + ($lsum >> 16);
+ }
$lsum = ~$lsum & 0xffff;
return $lsum;
}
-sub ipv4check {
- local($base) = $_[0];
- $hl = $bytes[$base] / 256;
- return if (($hl >> 4) != 4); # IPv4 ?
- $hl &= 0xf;
- $hl <<= 1; # get the header length in 16bit words
- $hs = &dosum(0, $base, $base + $hl);
- $osum = $bytes[$base + 5];
+sub ipv4addrsum {
+ local($b) = $_[0];
+ local($as) = 0;
- if ($hs != 0) {
- $bytes[$base + 5] = 0;
- $hs2 = &dosum(0, $base, $base + $hl);
- $bytes[$base + 5] = $osum;
- printf " IP: ($hl,%x) %x != %x", $hs, $osum, $hs2;
- } else {
- print " IP($base): ok ";
- }
-
- #
- # Recognise TCP & UDP and calculate checksums for each of these.
- #
- if (($bytes[$base + 4] & 0xff) == 6) {
- &tcpcheck($base);
- }
-
- if (($bytes[$base + 4] & 0xff) == 17) {
- &udpcheck($base);
- }
+ $as += $bytes[$b + 6]; # source address
+ $as += $bytes[$b + 7];
+ $as += $bytes[$b + 8]; # destination address
+ $as += $bytes[$b + 9];
+ return ($as);
+}
- if (($bytes[$base + 4] & 0xff) == 1) {
- &icmpcheck($base);
- }
- if ($base == 0) {
- print "\n";
- }
+sub ipv6addrsum {
+ local($b) = $_[0];
+ local($as) = 0;
+
+ $as += $bytes[$b + 4]; # source address
+ $as += $bytes[$b + 5];
+ $as += $bytes[$b + 6];
+ $as += $bytes[$b + 7];
+ $as += $bytes[$b + 8];
+ $as += $bytes[$b + 9];
+ $as += $bytes[$b + 10];
+ $as += $bytes[$b + 11];
+ $as += $bytes[$b + 12]; # destination address
+ $as += $bytes[$b + 13];
+ $as += $bytes[$b + 14];
+ $as += $bytes[$b + 15];
+ $as += $bytes[$b + 16];
+ $as += $bytes[$b + 17];
+ $as += $bytes[$b + 18];
+ $as += $bytes[$b + 19];
+ return ($as);
}
-sub tcpcheck {
+sub tcpcommon {
local($base) = $_[0];
- local($hl) = $bytes[$base] / 256;
- return if (($hl >> 4) != 4);
- return if ($bytes[$base + 3] & 0x1fff);
- $hl &= 0xf;
- $hl <<= 1;
+ local($hl) = $_[1];
+ local($hs) = $_[2];
+ local($lenoffset) = $_[3];
- local($hs2);
- local($hs) = 6; # TCP
- local($len) = $bytes[$base + 1] - ($hl << 1);
- $hs += $len;
- $hs += $bytes[$base + 6]; # source address
- $hs += $bytes[$base + 7];
- $hs += $bytes[$base + 8]; # destination address
- $hs += $bytes[$base + 9];
- local($tcpsum) = $hs;
-
- local($thl) = $bytes[$base + $hl + 6] >> 8;
+ local($thl) = $bytes[$base + $hl + 6];
$thl &= 0xf0;
$thl >>= 2;
- $x = $bytes[$base + 1];
- $y = ($cnt - $base) * 2;
- $z = 0;
- if ($bytes[$base + 1] > ($cnt - $base) * 2) {
+ local($x) = $bytes[$base + $lenoffset];
+ local($y) = ($cnt - $base) * 2;
+ local($z) = 0;
+
+ if ($bytes[$base + $lenoffset] > ($cnt - $base) * 2) {
print "[cnt=$cnt base=$base]";
- $x = $bytes[$base + 1];
+ $x = $bytes[$base + $lenoffset];
$y = ($cnt - $base) * 2;
$z = 1;
- } elsif (($cnt - $base) * 2 < $hl + 20) {
+ } elsif (($cnt - $base) * 2 < $hl + $hl) {
$x = ($cnt - $base) * 2;
$y = $hl + 20;
$z = 2;
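Review bot: In `tcpcommon`, `$thl` is now read without the `>> 8` that the removed line had, so `$thl &= 0xf0` masks the low (flags) byte of the 16-bit word instead of the data-offset nibble in the high byte; `local($thl) = $bytes[$base + $hl + 6] >> 8;` restores the TCP header length. In the same chain the bound became `$hl + $hl` while the reported `$y` stays `$hl + 20`, which adds a word count to a byte count; if the intent is IP header plus minimum TCP header in bytes, `($hl << 1) + 20` on both lines would say so. `tcpcommon` continues past the end of this hunk, so how `$thl` is used later is not visible here.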
@@ -106,6 +95,10 @@ sub tcpcheck {
$x = ($cnt - $base) * 2;
$y = $len;
$z = 4;
+ } elsif (($cnt - $base) * 2 < 20) {
+ $x = ($cnt - $base) * 2;
+ $y = $len;
+ $z = 5;
}
if ($z) {
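Review bot: The added `< 20` branch (`$z = 5`) comes after the `< $hl + $hl` test from the previous hunk, and `$hl + $hl` is at least 20 for a minimal IPv4 header and 40 for the IPv6 caller, so for well-formed headers this branch looks unreachable. If it is meant to catch a truncated TCP header, compare against the transport offset instead, e.g. `} elsif (($cnt - $base) * 2 < ($hl << 1) + 20) {`, and place it before the branches that read TCP fields. The branches between the two hunks are not shown, so the ordering should be checked against the full chain.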
@@ -115,11 +108,11 @@ sub tcpcheck {
}
local($tcpat) = $base + $hl;
- $hs = &dosum($tcpsum, $tcpat, $cnt);
+ $hs = &dosum($_[2], $tcpat, $cnt);
if ($hs != 0) {
local($osum) = $bytes[$tcpat + 8];
$bytes[$base + $hl + 8] = 0;
- $hs2 = &dosum($tcpsum, $tcpat, $cnt);
+ local($hs2) = &dosum($_[2], $tcpat, $cnt);
$bytes[$tcpat + 8] = $osum;
printf " TCP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
@@ -127,23 +120,10 @@ sub tcpcheck {
}
}
-sub udpcheck {
+sub udpcommon {
local($base) = $_[0];
- local($hl) = $bytes[0] / 256;
- return if (($hl >> 4) != 4);
- return if ($bytes[3] & 0x1fff);
- $hl &= 0xf;
- $hl <<= 1;
-
- local($hs2);
- local($hs) = 17; # UDP
- local($len) = $bytes[$base + 1] - ($hl << 1);
- $hs += $len;
- $hs += $bytes[$base + 6]; # source address
- $hs += $bytes[$base + 7];
- $hs += $bytes[$base + 8]; # destination address
- $hs += $bytes[$base + 9];
- local($udpsum) = $hs;
+ local($hl) = $_[1];
+ local($hs) = $_[2];
if ($bytes[$base + 1] > ($cnt - $base) * 2) {
print " UDP: missing data(1)";
@@ -168,7 +148,7 @@ sub udpcheck {
printf " UDP: => %x", $hs;
} elsif ($hs != 0) {
$bytes[$udpat + 3] = 0;
- $hs2 = &dosum($udpsum, $udpat, $cnt);
+ local($hs2) = &dosum($udpsum, $udpat, $cnt);
$bytes[$udpat + 3] = $osum;
printf " UDP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
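Review bot: `udpcommon` still passes `$udpsum` to `dosum` on the changed line, but the previous hunk removes the declaration of `$udpsum` from this function; it resolves only because the new `udpcheck` keeps `local($udpsum) = $hs;` and Perl's `local` is dynamically scoped. `tcpcommon` uses its own argument for the same purpose, so `local($hs2) = &dosum($_[2], $udpat, $cnt);` would make the two helpers consistent and let `udpcommon` work without that hidden variable. Any earlier `dosum($udpsum, …)` call in the part of the function not shown here would need the same change.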
@@ -176,6 +156,156 @@ sub udpcheck {
}
}
+sub ipv6check {
+ local($base) = $_[0];
+ $hl = $bytes[$base] / 256;
+ return if (($hl >> 4) != 6); # IPv4 ?
+ $hl = 40;
+
+ print " IPv6($base): ok ";
+
+ if (($bytes[$base + 3] >> 8) == 6) {
+ &tcpcheck6($base);
+ } elsif (($bytes[$base + 3] >> 8) == 58) {
+ &icmpcheck6($base);
+ }
+ print "\n";
+}
+
+sub tcpcheck6 {
+ local($base) = $_[0];
+ local($hl) = $bytes[$base] / 256;
+ return if (($hl >> 4) != 6);
+ $hl = 20;
+
+ local($hs) = 6; # TCP
+ local($len) = $bytes[$base + 2];
+ $hs += $len;
+ $hs += &ipv6addrsum($base);
+
+ &tcpcommon($base, $hl, $hs, 2);
+}
+
+sub icmpcheck6 {
+ local($base) = $_[0];
+ local($hl) = 20;
+
+ local($hs) = 58; # ICMP6
+ local($len) = $bytes[$base + 2];
+ $hs += $len;
+ $hs += &ipv6addrsum($base);
+
+ local($len) = $bytes[$base + 1] - ($hl << 1);
+
+ if ($bytes[$base + 2] > ($cnt - $base) * 2) {
+ print " ICMPv6: missing data(1)";
+ return;
+ } elsif ($bytes[$base + 2] < 8) {
+ print " ICMPv6: missing data(2)";
+ return;
+ }
+
+ local($osum) = $bytes[$base + $hl + 1];
+ $bytes[$base + $hl + 1] = 0;
+ local($hs2) = &dosum($hs, $base + $hl, $cnt);
+ $bytes[$base + $hl + 1] = $osum;
+
+ if ($osum != $hs2) {
+ printf " ICMPv6: (%x) %x != %x", $hs, $osum, $hs2;
+ } else {
+ print " ICMPv6: ok";
+ }
+# if ($base == 0) {
+# $type = $bytes[$hl] >> 8;
+# if ($type == 3 || $type == 4 || $type == 5 ||
+# $type == 11 || $type == 12) {
+# &ipv4check($hl + 4);
+# }
+# }
+}
+
+sub ipv4check {
+ local($base) = $_[0];
+ $hl = $bytes[$base] / 256;
+ if (($hl >> 4) == 6) {
+ &ipv6check($_[0]);
+ }
+ return if (($hl >> 4) != 4); # IPv4 ?
+ $hl &= 0xf;
+ $hl <<= 1; # get the header length in 16bit words
+
+ $hs = &dosum(0, $base, $base + $hl);
+ $osum = $bytes[$base + 5];
+
+ if ($hs != 0) {
+ $bytes[$base + 5] = 0;
+ $hs2 = &dosum(0, $base, $base + $hl);
+ $bytes[$base + 5] = $osum;
+ printf " IPv4: ($hl,%x) %x != %x", $hs, $osum, $hs2;
+ } else {
+ print " IPv4($base): ok ";
+ }
+
+ #
+ # Recognise TCP & UDP and calculate checksums for each of these.
+ #
+ if (($bytes[$base + 4] & 0xff) == 4) {
+ &ipv4check($hl);
+ }
+ if (($bytes[$base + 4] & 0xff) == 6) {
+ &tcpcheck($base);
+ }
+
+ if (($bytes[$base + 4] & 0xff) == 17) {
+ &udpcheck($base);
+ }
+
+ if (($bytes[$base + 4] & 0xff) == 1) {
+ &icmpcheck($base);
+ }
+ if ($base == 0) {
+ print "\n";
+ }
+}
+
+sub tcpcheck {
+ local($base) = $_[0];
+ local($hl) = $bytes[$base] / 256;
+ return if (($hl >> 4) != 4);
+ if ($bytes[$base + 3] & 0x3fff) {
+ print " TCP: fragment";
+ return;
+ }
+ $hl &= 0xf;
+ $hl <<= 1;
+
+ local($hs) = 6; # TCP
+ local($len) = $bytes[$base + 1] - ($hl << 1);
+ $hs += $len;
+ $hs += &ipv4addrsum($base);
+
+ &tcpcommon($base, $hl, $hs, 1);
+}
+
+sub udpcheck {
+ local($base) = $_[0];
+ local($hl) = $bytes[0] / 256;
+ return if (($hl >> 4) != 4);
+ if ($bytes[$base + 3] & 0x3fff) {
+ print " UDP: fragment";
+ return;
+ }
+ $hl &= 0xf;
+ $hl <<= 1;
+
+ local($hs) = 17; # UDP
+ local($len) = $bytes[$base + 1] - ($hl << 1);
+ $hs += $len;
+ $hs += &ipv4addrsum($base);
+ local($udpsum) = $hs;
+ &udpcommon($base, $hl, $hs);
+}
+
sub icmpcheck {
local($base) = $_[0];
local($hl) = $bytes[$base + 0] / 256;
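Review bot: The re-added `udpcheck` reads the version and header length from `$bytes[0]` while its fragment test uses `$bytes[$base + 3]`, so for a packet checked at a non-zero `$base` the header length comes from the outer header; `local($hl) = $bytes[$base] / 256;` matches `tcpcheck`. In `ipv4check` the protocol-4 case recurses with `&ipv4check($hl);`, which is the inner header's position only when `$base` is 0, so `&ipv4check($base + $hl);` is the general form. `icmpcheck6` declares `local($len)` twice, the second time with the IPv4 formula `$bytes[$base + 1] - ($hl << 1)`, which has no meaning for an IPv6 header and appears unused; the `# IPv4 ?` comment in `ipv6check` should read `# IPv6 ?`. The hunk ends inside `icmpcheck`, whose body is outside this view.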
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index 5b2c059..3f558d1 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -21,14 +21,6 @@ time permitting:
* record buffering for TCP/UDP
-* modular application proxying
--done
-
-* allow multiple ip addresses in a source route list for ipsend
-
-* port IP Filter to Linux
-Not in this century.
-
* document bimap
* document NAT rule order processing
@@ -56,14 +48,14 @@ I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
--sort of done
+-done
- * intrusion detection
- detection of port scans
+ * intrusion detection
+ detection of port scans
detection of multiple connection attempts
-
+
* support for multiple log files
- i.e. all connections to ftp and telnet logged to
+ i.e. all connections to ftp and telnet logged to
a seperate log file
* multiple levels of log severity with E-mail notification
diff --git a/contrib/ipfilter/tools/BNF.ipf b/contrib/ipfilter/tools/BNF.ipf
index 0e84332..0740c58 100644
--- a/contrib/ipfilter/tools/BNF.ipf
+++ b/contrib/ipfilter/tools/BNF.ipf
@@ -66,7 +66,7 @@ facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
"audit" | "logalert" | "local0" | "local1" | "local2" |
"local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
+ "info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
diff --git a/contrib/ipfilter/tools/Makefile b/contrib/ipfilter/tools/Makefile
index 43ec1a8..ce1ab0e 100644
--- a/contrib/ipfilter/tools/Makefile
+++ b/contrib/ipfilter/tools/Makefile
@@ -1,8 +1,5 @@
-#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
+YACC=yacc -v
+
DEST=.
all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \
@@ -16,7 +13,7 @@ all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \
$(DEST)/ipf_y.h: $(DEST)/ipf_y.c
$(DEST)/ipf_y.c: ipf_y.y
- yacc -d ipf_y.y
+ $(YACC) -d ipf_y.y
sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.c/' \
-e 's/"ipf_y.y"/"..\/tools\/ipf_y.y"/' \
y.tab.c > $(DEST)/ipf_y.c
@@ -30,7 +27,7 @@ $(DEST)/ipf_l.c: lexer.c
$(DEST)/ipmon_y.n: $(DEST)/ipmon_y.c
$(DEST)/ipmon_y.c $(DEST)/ipmon_y.h: ipmon_y.y
- yacc -d ipmon_y.y
+ $(YACC) -d ipmon_y.y
sed -e 's/yy/ipmon_yy/g' -e 's/"ipmon_y.y"/"..\/tools\/ipmon_y.y"/' \
y.tab.c > $(DEST)/ipmon_y.c
sed -e 's/yy/ipmon_yy/g' y.tab.h > $(DEST)/ipmon_y.h
@@ -43,7 +40,7 @@ $(DEST)/ipmon_l.c: lexer.c
$(DEST)/ipscan_y.h: $(DEST)/ipscan_y.c
$(DEST)/ipscan_y.c $(DEST)/ipscan_y.h: ipscan_y.y
- yacc -d ipscan_y.y
+ $(YACC) -d ipscan_y.y
sed -e 's/yy/ipscan_yy/g' \
-e 's/"ipscan_y.y"/"..\/tools\/ipscan_y.y"/' \
y.tab.c > $(DEST)/ipscan_y.c
@@ -57,7 +54,7 @@ $(DEST)/ipscan_l.c: lexer.c
$(DEST)/ippool_y.h: $(DEST)/ippool_y.c
$(DEST)/ippool_y.c $(DEST)/ippool_y.h: ippool_y.y
- yacc -d ippool_y.y
+ $(YACC) -d ippool_y.y
sed -e 's/yy/ippool_yy/g' -e 's/"ippool_y.y"/"..\/tools\/ippool_y.y"/' \
y.tab.c > $(DEST)/ippool_y.c
sed -e 's/yy/ippool_yy/g' y.tab.h > $(DEST)/ippool_y.h
@@ -70,7 +67,7 @@ $(DEST)/ippool_l.c: lexer.c
$(DEST)/ipnat_y.h: $(DEST)/ipnat_y.c
$(DEST)/ipnat_y.c $(DEST)/ipnat_y.h: ipnat_y.y
- yacc -d ipnat_y.y
+ $(YACC) -d ipnat_y.y
sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.c/ipnat_y.c/' \
-e s/\"ipnat_y.y\"/\"..\\/tools\\/ipnat_y.y\"/ \
y.tab.c > $(DEST)/ipnat_y.c
diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c
index fe9fec2..dd60142 100644
--- a/contrib/ipfilter/tools/ipf.c
+++ b/contrib/ipfilter/tools/ipf.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -16,12 +16,13 @@
#endif
#include "ipf.h"
#include <fcntl.h>
+#include <ctype.h>
#include <sys/ioctl.h>
#include "netinet/ipl.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.8 2007/05/10 06:12:01 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@@ -40,23 +41,30 @@ int main __P((int, char *[]));
int opts = 0;
int outputc = 0;
int use_inet6 = 0;
-
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static void set_state __P((u_int)), showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
+int exitstatus = 0;
+
+static void procfile __P((char *));
+static void flushfilter __P((char *, int *));
+static void set_state __P((u_int));
+static void showstats __P((friostat_t *));
+static void packetlogon __P((char *));
+static void swapactive __P((void));
static int opendevice __P((char *, int));
static void closedevice __P((void));
static char *ipfname = IPL_NAME;
static void usage __P((void));
static int showversion __P((void));
static int get_flags __P((void));
-static void ipf_interceptadd __P((int, ioctlfunc_t, void *));
+static int ipf_interceptadd __P((int, ioctlfunc_t, void *));
static int fd = -1;
static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
ioctl, ioctl, ioctl,
ioctl, ioctl };
+/* XXX The following was added to satisfy a rescue/rescue/ build
+ XXX requirement. */
+int nohdrfields;
static void usage()
{
@@ -68,25 +76,28 @@ static void usage()
int main(argc,argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- int c;
+ int c, *filter = NULL;
if (argc < 2)
usage();
- while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) {
+ assigndefined(getenv("IPF_PREDEFINED"));
+
+ while ((c = getopt(argc, argv, "46Ac:dDEf:F:Il:m:noPrRsT:vVyzZ")) != -1) {
switch (c)
{
case '?' :
usage();
break;
-#ifdef USE_INET6
+ case '4' :
+ use_inet6 = -1;
+ break;
case '6' :
use_inet6 = 1;
break;
-#endif
case 'A' :
opts &= ~OPT_INACTIVE;
break;
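Review bot: The new `assigndefined(getenv("IPF_PREDEFINED"));` call in main passes the getenv() result through unchecked, and the variable will be unset in the common case. assigndefined() is defined outside this diff chunk, so either confirm it accepts NULL or guard the call, e.g. `if (getenv("IPF_PREDEFINED") != NULL) assigndefined(getenv("IPF_PREDEFINED"));`. Since this makes the caller's environment an input to rule parsing before any option is read, a short comment saying so would help anyone running ipf from scripts or through a privilege-raising wrapper with an inherited environment. main's body continues outside the hunk.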
@@ -104,10 +115,10 @@ char *argv[];
opts ^= OPT_DEBUG;
break;
case 'f' :
- procfile(argv[0], optarg);
+ procfile(optarg);
break;
case 'F' :
- flushfilter(optarg);
+ flushfilter(optarg, filter);
break;
case 'I' :
opts ^= OPT_INACTIVE;
@@ -115,8 +126,11 @@ char *argv[];
case 'l' :
packetlogon(optarg);
break;
+ case 'm' :
+ filter = parseipfexpr(optarg, NULL);
+ break;
case 'n' :
- opts ^= OPT_DONOTHING;
+ opts ^= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'o' :
break;
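Review bot: The result of `parseipfexpr(optarg, NULL)` in the new `case 'm'` is stored without a check, and flushfilter() only takes the SIOCMATCHFLUSH path when `filter != NULL`. If parseipfexpr returns NULL for an expression it cannot parse (its body is not visible here), a mistyped `-m` followed by `-F` falls through to the unconditional SIOCIPFFL flush and removes everything instead of the matching entries. I would fail closed right after the assignment: `if (filter == NULL) { fprintf(stderr, "-m: cannot parse match expression\n"); exit(1); }`. Options are handled in order, so a `-m` that appears after `-F` is ignored for the same reason, and a second `-m` drops the first array without freeing it; both deserve a line in the usage text.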
@@ -161,14 +175,14 @@ char *argv[];
if (fd != -1)
(void) close(fd);
- return(0);
+ return(exitstatus);
/* NOTREACHED */
}
static int opendevice(ipfdev, check)
-char *ipfdev;
-int check;
+ char *ipfdev;
+ int check;
{
if (opts & OPT_DONOTHING)
return -2;
@@ -184,7 +198,7 @@ int check;
if (fd == -1)
if ((fd = open(ipfdev, O_RDWR)) == -1)
if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
+ ipferror(fd, "open device");
return fd;
}
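Review bot: On this path `fd` is -1, because both open() calls have just failed, so `ipferror(fd, "open device")` is handed an invalid descriptor. ipferror() is defined outside this diff chunk; if it uses the descriptor to ask the kernel for an extended error code, that lookup cannot work here and may overwrite the errno left by open(). Keeping `perror("open device");` for this one call, or documenting that ipferror tolerates fd == -1 and preserves errno, would keep the "why could I not open the device" message reliable.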
@@ -202,7 +216,7 @@ static int get_flags()
if ((opendevice(ipfname, 1) != -2) &&
(ioctl(fd, SIOCGETFF, &i) == -1)) {
- perror("SIOCGETFF");
+ ipferror(fd, "SIOCGETFF");
return 0;
}
return i;
@@ -210,22 +224,24 @@ static int get_flags()
static void set_state(enable)
-u_int enable;
+ u_int enable;
{
- if (opendevice(ipfname, 0) != -2)
+ if (opendevice(ipfname, 0) != -2) {
if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
+ if (errno == EBUSY) {
fprintf(stderr,
"IP FIlter: already initialized\n");
- else
- perror("SIOCFRENB");
+ } else {
+ ipferror(fd, "SIOCFRENB");
+ }
}
+ }
return;
}
-static void procfile(name, file)
-char *name, *file;
+static void procfile(file)
+ char *file;
{
(void) opendevice(ipfname, 1);
@@ -241,20 +257,22 @@ char *name, *file;
}
-static void ipf_interceptadd(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
+static int ipf_interceptadd(fd, ioctlfunc, ptr)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ void *ptr;
{
if (outputc)
printc(ptr);
- ipf_addrule(fd, ioctlfunc, ptr);
+ if (ipf_addrule(fd, ioctlfunc, ptr) != 0)
+ exitstatus = 1;
+ return 0;
}
static void packetlogon(opt)
-char *opt;
+ char *opt;
{
int flag, xfd, logopt, change = 0;
@@ -293,7 +311,7 @@ char *opt;
if (change == 1) {
if (opendevice(ipfname, 1) != -2 &&
(ioctl(fd, SIOCSETFF, &flag) != 0))
- perror("ioctl(SIOCSETFF)");
+ ipferror(fd, "ioctl(SIOCSETFF)");
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
@@ -308,11 +326,11 @@ char *opt;
if (xfd >= 0) {
logopt = 0;
if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
+ ipferror(fd, "ioctl(SIOCGETLG)");
else {
logopt = 1 - logopt;
if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
+ ipferror(xfd, "ioctl(SIOCSETLG)");
}
close(xfd);
}
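Review bot: The replacement for the failed SIOCGETLG call passes the wrong descriptor: the ioctl was issued on `xfd`, but the new line reads `ipferror(fd, "ioctl(SIOCGETLG)")`. The SIOCSETLG line just below and both calls in the following hunk use `xfd`, so this looks like a slip; `fd` is the main ipf device and may be -1 or refer to a different device here. It should read `ipferror(xfd, "ioctl(SIOCGETLG)");`. packetlogon's body starts and ends outside the hunk.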
@@ -325,11 +343,11 @@ char *opt;
if (xfd >= 0) {
logopt = 0;
if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
+ ipferror(xfd, "ioctl(SIOCGETLG)");
else {
logopt = 1 - logopt;
if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
+ ipferror(xfd, "ioctl(SIOCSETLG)");
}
close(xfd);
}
@@ -337,8 +355,9 @@ char *opt;
}
-static void flushfilter(arg)
-char *arg;
+static void flushfilter(arg, filter)
+ char *arg;
+ int *filter;
{
int fl = 0, rem;
@@ -359,20 +378,33 @@ char *arg;
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
+ fprintf(stderr,
+ "IPv6 rules are no longer seperate\n");
+ } else if (filter != NULL) {
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = filter[0] * sizeof(int);
+ obj.ipfo_type = IPFOBJ_IPFEXPR;
+ obj.ipfo_ptr = filter;
+ if (ioctl(fd, SIOCMATCHFLUSH, &obj) == -1) {
+ ipferror(fd, "ioctl(SIOCMATCHFLUSH)");
+ fl = -1;
+ } else {
+ fl = obj.ipfo_retval;
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
+ ipferror(fd, "ioctl(SIOCIPFFL)");
exit(1);
}
}
}
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ if ((opts & (OPT_DONOTHING|OPT_DEBUG)) == OPT_DEBUG) {
printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d entries\n", fl);
+ }
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ printf("%d state entries removed\n", fl);
}
closedevice();
return;
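Review bot: `if (use_inet6)` is now true for `-4` as well as `-6`, because this commit makes `-4` set `use_inet6 = -1` in main. With `-4` the state flush here only prints the "IPv6 rules are no longer seperate" message and skips the ioctl, and the rule flush in the later hunk (the `@@ -411,21 +443,23 @@` one) issues SIOCIPFL6 for an IPv4-only request; both tests should be `if (use_inet6 == 1)`. On the match path `ipfobj_t obj` is only partly assigned before it is handed to the kernel, so `ipfobj_t obj = { 0 };` (or a bzero) would avoid passing stack garbage in any remaining fields. A failed SIOCMATCHFLUSH also leaves `exitstatus` at 0 while the SIOCIPFFL branch exits with 1, so scripts cannot tell that the flush did not happen. flushfilter's body starts in the previous hunk and continues past this one.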
@@ -388,7 +420,7 @@ char *arg;
perror("open(IPL_AUTH)");
else {
if (ioctl(fd, SIOCIPFFA, &fl) == -1)
- perror("ioctl(SIOCIPFFA)");
+ ipferror(fd, "ioctl(SIOCIPFFA)");
}
closedevice();
return;
@@ -411,21 +443,23 @@ char *arg;
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
+ ipferror(fd, "ioctl(SIOCIPFL6)");
exit(1);
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
+ ipferror(fd, "ioctl(SIOCIPFFL)");
exit(1);
}
}
}
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ if ((opts & (OPT_DONOTHING|OPT_DEBUG)) == OPT_DEBUG) {
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
(rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
+ }
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ printf("%d filter rules removed\n", fl);
}
return;
}
@@ -436,7 +470,7 @@ static void swapactive()
int in = 2;
if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
- perror("ioctl(SIOCSWAPA)");
+ ipferror(fd, "ioctl(SIOCSWAPA)");
else
printf("Set %d now inactive\n", in);
}
@@ -447,7 +481,7 @@ void ipf_frsync()
int frsyn = 0;
if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
- perror("SIOCFRSYN");
+ ipferror(fd, "SIOCFRSYN");
else
printf("filter sync'd\n");
}
@@ -466,7 +500,7 @@ void zerostats()
if (opendevice(ipfname, 1) != -2) {
if (ioctl(fd, SIOCFRZST, &obj) == -1) {
- perror("ioctl(SIOCFRZST)");
+ ipferror(fd, "ioctl(SIOCFRZST)");
exit(-1);
}
showstats(&fio);
@@ -479,7 +513,7 @@ void zerostats()
* read the kernel stats for packets blocked and passed
*/
static void showstats(fp)
-friostat_t *fp;
+ friostat_t *fp;
{
printf("bad packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
@@ -495,9 +529,6 @@ friostat_t *fp;
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
printf("output packets logged:\tblocked %lu passed %lu\n",
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
}
@@ -523,7 +554,7 @@ static int showversion()
}
if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
+ ipferror(vfd, "ioctl(SIOCGETFS)");
close(vfd);
return 1;
}
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index 82307de..822e9a5 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -28,18 +28,29 @@ extern int yydebug;
extern FILE *yyin;
extern int yylineNum;
-static void newrule __P((void));
-static void setipftype __P((void));
-static u_32_t lookuphost __P((char *));
+static int addname __P((frentry_t **, char *));
+static frentry_t *addrule __P((void));
+static frentry_t *allocfr __P((void));
+static void build_dstaddr_af __P((frentry_t *, void *));
+static void build_srcaddr_af __P((frentry_t *, void *));
static void dobpf __P((int, char *));
-static void resetaddr __P((void));
-static struct alist_s *newalist __P((struct alist_s *));
+static void doipfexpr __P((char *));
+static void do_tuneint __P((char *, int));
+static void do_tunestr __P((char *, char *));
+static void fillgroup __P((frentry_t *));
+static int lookuphost __P((char *, i6addr_t *));
static u_int makehash __P((struct alist_s *));
static int makepool __P((struct alist_s *));
-static frentry_t *addrule __P((void));
+static struct alist_s *newalist __P((struct alist_s *));
+static void newrule __P((void));
+static void resetaddr __P((void));
+static void setgroup __P((frentry_t **, char *));
+static void setgrhead __P((frentry_t **, char *));
+static void seticmphead __P((frentry_t **, char *));
+static void setifname __P((frentry_t **, int, char *));
+static void setipftype __P((void));
static void setsyslog __P((void));
static void unsetsyslog __P((void));
-static void fillgroup __P((frentry_t *));
frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
@@ -52,52 +63,54 @@ static int nrules = 0;
static int newlist = 0;
static int added = 0;
static int ipffd = -1;
-static int *yycont = 0;
-static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
+static int *yycont = NULL;
+static ioctlfunc_t ipfioctls[IPL_LOGSIZE];
static addfunc_t ipfaddfunc = NULL;
-static struct wordtab ipfwords[95];
-static struct wordtab addrwords[4];
-static struct wordtab maskwords[5];
-static struct wordtab icmpcodewords[17];
-static struct wordtab icmptypewords[16];
-static struct wordtab ipv4optwords[25];
-static struct wordtab ipv4secwords[9];
-static struct wordtab ipv6optwords[9];
-static struct wordtab logwords[33];
%}
%union {
char *str;
u_32_t num;
- struct in_addr ipa;
frentry_t fr;
frtuc_t *frt;
struct alist_s *alist;
u_short port;
+ struct in_addr ip4;
struct {
u_short p1;
u_short p2;
int pc;
} pc;
- struct {
+ struct ipp_s {
+ int type;
+ int ifpos;
+ int f;
+ int v;
+ int lif;
union i6addr a;
union i6addr m;
+ char *name;
} ipp;
- union i6addr ip6;
+ struct {
+ i6addr_t adr;
+ int f;
+ } adr;
+ i6addr_t ip6;
struct {
char *if1;
char *if2;
} ifs;
+ char gname[FR_GROUPLEN];
};
%type <port> portnum
%type <num> facility priority icmpcode seclevel secname icmptype
%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
-%type <num> portc porteq
-%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
-%type <ip6> ipv6mask
+%type <num> portc porteq ipmask maskopts
+%type <ip4> ipv4 ipv4_16 ipv4_24
+%type <adr> hostname
%type <ipp> addr ipaddr
-%type <str> servicename name interfacename
+%type <str> servicename name interfacename groupname
%type <pc> portrange portcomp
%type <alist> addrlist poollist
%type <ifs> onname
@@ -109,30 +122,32 @@ static struct wordtab logwords[33];
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
+%token IPFY_SET
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
-%token IPFY_TOS IPFY_TTL IPFY_PROTO
+%token IPFY_TOS IPFY_TTL IPFY_PROTO IPFY_INET IPFY_INET6
%token IPFY_HEAD IPFY_GROUP
%token IPFY_AUTH IPFY_PREAUTH
-%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
-%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
+%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK IPFY_L5AS
+%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP IPFY_DECAPS
%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
-%token IPFY_PPS
+%token IPFY_IPFEXPR IPFY_PPS IPFY_FAMILY IPFY_DSTLIST
%token IPFY_ESP IPFY_AH
%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token IPFY_FLAGS IPFY_MULTICAST
%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
-%token IPFY_PORT
-%token IPFY_NOW
+%token IPFY_RPC IPFY_PORT
+%token IPFY_NOW IPFY_COMMENT IPFY_RULETTL
%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
-%token IPFY_SYNC IPFY_FRAGBODY
+%token IPFY_SYNC IPFY_FRAGBODY IPFY_ICMPHEAD IPFY_NOLOG IPFY_LOOSE
+%token IPFY_MAX_SRCS IPFY_MAX_PER_SRC
%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
@@ -140,10 +155,10 @@ static struct wordtab logwords[33];
%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
-%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
+%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 IPFY_DOI
-%token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
-%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
+%token IPFY_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
+%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING IPFY_V6HDR
%token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
@@ -168,16 +183,36 @@ static struct wordtab logwords[33];
%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%%
-file: line
+file: settings rules
+ | rules
+ ;
+
+settings:
+ YY_COMMENT
+ | setting
+ | settings setting
+ ;
+
+rules: line
| assign
- | file line
- | file assign
+ | rules line
+ | rules assign
+ ;
+
+setting:
+ IPFY_SET YY_STR YY_NUMBER ';' { do_tuneint($2, $3); }
+ | IPFY_SET YY_STR YY_HEX ';' { do_tuneint($2, $3); }
+ | IPFY_SET YY_STR YY_STR ';' { do_tunestr($2, $3); }
;
line: rule { while ((fr = frtop) != NULL) {
frtop = fr->fr_next;
fr->fr_next = NULL;
- (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
+ if ((fr->fr_type == FR_T_IPF) &&
+ (fr->fr_ip.fi_v == 0))
+ fr->fr_mip.fi_v = 0;
+ /* XXX validate ? */
+ (*ipfaddfunc)(ipffd, ipfioctls[IPL_LOGIPF], fr);
fr->fr_next = frold;
frold = fr;
}
@@ -231,10 +266,37 @@ markout:
rulemain:
ipfrule
| bpfrule
+ | exprrule
;
ipfrule:
- tos ttl proto ip
+ family tos ttl proto ip
+ ;
+
+family: | IPFY_FAMILY IPFY_INET { if (use_inet6 == 1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET;
+ }
+ }
+ | IPFY_INET { if (use_inet6 == 1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET;
+ }
+ }
+ | IPFY_FAMILY IPFY_INET6 { if (use_inet6 == -1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET6;
+ }
+ }
+ | IPFY_INET6 { if (use_inet6 == -1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET6;
+ }
+ }
;
bpfrule:
@@ -242,12 +304,16 @@ bpfrule:
| IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
;
+exprrule:
+ IPFY_IPFEXPR '{' YY_STR '}' { doipfexpr($3); }
+ ;
+
ruletail:
with keep head group
;
ruletail2:
- pps age new
+ pps age new rulettl comment
;
intag: settagin matchtagin
@@ -269,6 +335,7 @@ action: block
| IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
| log
| IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
+ | decaps { fr->fr_flags |= FR_DECAPSULATE; }
| auth
| IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
fr->fr_arg = $2; }
@@ -291,6 +358,11 @@ blockreturn:
| IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
;
+decaps: IPFY_DECAPS
+ | IPFY_DECAPS IPFY_L5AS '(' YY_STR ')'
+ { fr->fr_icode = atoi($4); }
+ ;
+
log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
| IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
;
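Review bot: `fr->fr_icode = atoi($4);` in the new `decaps` rule accepts any string: atoi() returns 0 for non-numeric text and has no defined result on overflow, so a typo in `l5-as(...)` silently becomes code 0 in the rule sent to the kernel. `$4` is also never freed, unlike the other YY_STR consumers in this file. I would parse with strtol(), reject the rule when the end pointer is not at the terminating NUL or errno is ERANGE, and add `free($4);` at the end of the action. The range fr_icode can hold is not visible in this hunk, so a bounds check against its type is worth adding as well.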
@@ -300,10 +372,11 @@ auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
| IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
;
-func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
- ipfioctl[IPL_LOGIPF]);
- fr->fr_arg = $3;
- free($1); }
+func: YY_STR '/' YY_NUMBER
+ { fr->fr_func = nametokva($1, ipfioctls[IPL_LOGIPF]);
+ fr->fr_arg = $3;
+ free($1);
+ }
;
inopts:
@@ -330,6 +403,7 @@ outopt:
| on
| dup
| proute
+ | froute
| replyto
;
@@ -346,7 +420,7 @@ toslist:
| YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
| toslist lmore YY_NUMBER
{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_HEX
+ | toslist lmore YY_HEX
{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
;
@@ -355,10 +429,10 @@ ttl: | setttl YY_NUMBER
| setttl lstart ttllist lend
;
-lstart: '(' { newlist = 1; fr = frc; added = 0; }
+lstart: '{' { newlist = 1; fr = frc; added = 0; }
;
-lend: ')' { nrules += added; }
+lend: '}' { nrules += added; }
;
lmore: lanother { if (newlist == 1) {
@@ -394,20 +468,25 @@ protox: IPFY_PROTO { setipftype();
ip: srcdst flags icmp
;
-group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
- FR_GROUPLEN); \
- fillgroup(fr););
- free($2); }
- | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
- $2); \
- fillgroup(fr);) }
+group: | IPFY_GROUP groupname { DOALL(setgroup(&fr, $2); \
+ fillgroup(fr););
+ free($2);
+ }
+ ;
+
+head: | IPFY_HEAD groupname { DOALL(setgrhead(&fr, $2););
+ free($2);
+ }
;
-head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
- FR_GROUPLEN););
- free($2); }
- | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
- $2);) }
+groupname:
+ YY_STR { $$ = $1;
+ if (strlen($$) >= FR_GROUPLEN)
+ $$[FR_GROUPLEN - 1] = '\0';
+ }
+ | YY_NUMBER { $$ = malloc(16);
+ sprintf($$, "%d", $1);
+ }
;
settagin:
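Review bot: The YY_STR branch of the new `groupname` rule silently truncates an over-long name with `$$[FR_GROUPLEN - 1] = '\0'`, so two distinct names that share their first FR_GROUPLEN - 1 characters end up as the same group and rules attach to a group the author did not name. For a filter configuration I would reject the input instead: `if (strlen($1) >= FR_GROUPLEN) { yyerror("group name too long"); YYERROR; }`. In the YY_NUMBER branch the `malloc(16)` result is written by sprintf() without a NULL check; `if ($$ == NULL) YYERROR;` before a `snprintf($$, 16, "%u", $1);` covers that and matches the unsigned type of `$1`.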
@@ -461,6 +540,15 @@ pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
new: | savegroup file restoregroup
;
+rulettl:
+ | IPFY_RULETTL YY_NUMBER { DOALL(fr->fr_die = $2;) }
+ ;
+
+comment:
+ | IPFY_COMMENT YY_STR { DOALL(fr->fr_comment = addname(&fr, \
+ $2);) }
+ ;
+
savegroup:
'{'
;
@@ -472,76 +560,92 @@ restoregroup:
logopt: log
;
-quick:
- IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
+quick: IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
;
-on: IPFY_ON onname
+on: IPFY_ON onname { setifname(&fr, 0, $2.if1);
+ free($2.if1);
+ if ($2.if2 != NULL) {
+ setifname(&fr, 1,
+ $2.if2);
+ free($2.if2);
+ }
+ }
| IPFY_ON lstart onlist lend
- | IPFY_ON onname IPFY_INVIA vianame
- | IPFY_ON onname IPFY_OUTVIA vianame
- ;
-
-onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($1.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $1.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($3.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $3.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- ;
-
-onname: interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- $$.if2 = NULL;
- free($1);
- }
+ | IPFY_ON onname IPFY_INVIA vianame { setifname(&fr, 0, $2.if1);
+ free($2.if1);
+ if ($2.if2 != NULL) {
+ setifname(&fr, 1,
+ $2.if2);
+ free($2.if2);
+ }
+ }
+ | IPFY_ON onname IPFY_OUTVIA vianame { setifname(&fr, 0, $2.if1);
+ free($2.if1);
+ if ($2.if2 != NULL) {
+ setifname(&fr, 1,
+ $2.if2);
+ free($2.if2);
+ }
+ }
+ ;
+
+onlist: onname { DOREM(setifname(&fr, 0, $1.if1); \
+ if ($1.if2 != NULL) \
+ setifname(&fr, 1, $1.if2); \
+ )
+ free($1.if1);
+ if ($1.if2 != NULL)
+ free($1.if2);
+ }
+ | onlist lmore onname { DOREM(setifname(&fr, 0, $3.if1); \
+ if ($3.if2 != NULL) \
+ setifname(&fr, 1, $3.if2); \
+ )
+ free($3.if1);
+ if ($3.if2 != NULL)
+ free($3.if2);
+ }
+ ;
+
+onname: interfacename { $$.if1 = $1;
+ $$.if2 = NULL;
+ }
| interfacename ',' interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- free($1);
- strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
- $$.if1 = fr->fr_ifnames[1];
- free($3);
- }
+ { $$.if1 = $1;
+ $$.if2 = $3;
+ }
;
vianame:
- name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- }
- | name ',' name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
- free($3);
- }
+ name { setifname(&fr, 2, $1);
+ free($1);
+ }
+ | name ',' name { setifname(&fr, 2, $1);
+ free($1);
+ setifname(&fr, 3, $3);
+ free($3);
+ }
;
dup: IPFY_DUPTO name
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
+ { int idx = addname(&fr, $2);
+ fr->fr_dif.fd_name = idx;
free($2);
}
- | IPFY_DUPTO name duptoseparator hostname
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- fr->fr_dif.fd_ip = $4;
- yyexpectaddr = 0;
- free($2);
+ | IPFY_DUPTO IPFY_DSTLIST '/' name
+ { int idx = addname(&fr, $4);
+ fr->fr_dif.fd_name = idx;
+ fr->fr_dif.fd_type = FRD_DSTLIST;
+ free($4);
}
- | IPFY_DUPTO name duptoseparator YY_IPV6
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
+ | IPFY_DUPTO name duptoseparator hostname
+ { int idx = addname(&fr, $2);
+ fr->fr_dif.fd_name = idx;
+ fr->fr_dif.fd_ptr = (void *)-1;
+ fr->fr_dif.fd_ip6 = $4.adr;
+ if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
+ fr->fr_family = $4.f;
yyexpectaddr = 0;
free($2);
}
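Review bot: In the `IPFY_DUPTO name duptoseparator hostname` action the address family is only adopted when the rule has none (`if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)`); nothing happens when the rule already has a family and `$4.f` differs. The dstaddr rules later in this diff raise an error for that mismatch, so a dup-to target of the other family is accepted here without complaint, and the same pattern repeats in the `proute` and `replyto` hunks that follow. Unless mixed families are intended, add `else if ($4.f != AF_UNSPEC && $4.f != fr->fr_family) yyerror("dup-to address family mismatch");`. The `(void *)-1` stored in `fd_ptr` at all three sites also deserves a one-line comment or a named constant stating what the kernel reads from it.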
@@ -555,18 +659,23 @@ froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
;
proute: routeto name
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
+ { int idx = addname(&fr, $2);
+ fr->fr_tif.fd_name = idx;
free($2);
}
- | routeto name duptoseparator hostname
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- fr->fr_tif.fd_ip = $4;
- yyexpectaddr = 0;
- free($2);
+ | routeto IPFY_DSTLIST '/' name
+ { int idx = addname(&fr, $4);
+ fr->fr_tif.fd_name = idx;
+ fr->fr_tif.fd_type = FRD_DSTLIST;
+ free($4);
}
- | routeto name duptoseparator YY_IPV6
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
+ | routeto name duptoseparator hostname
+ { int idx = addname(&fr, $2);
+ fr->fr_tif.fd_name = idx;
+ fr->fr_tif.fd_ptr = (void *)-1;
+ fr->fr_tif.fd_ip6 = $4.adr;
+ if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
+ fr->fr_family = $4.f;
yyexpectaddr = 0;
free($2);
}
@@ -579,12 +688,22 @@ routeto:
replyto:
IPFY_REPLY_TO name
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
+ { int idx = addname(&fr, $2);
+ fr->fr_rif.fd_name = idx;
free($2);
}
+ | IPFY_REPLY_TO IPFY_DSTLIST '/' name
+ { fr->fr_rif.fd_name = addname(&fr, $4);
+ fr->fr_rif.fd_type = FRD_DSTLIST;
+ free($4);
+ }
| IPFY_REPLY_TO name duptoseparator hostname
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
- fr->fr_rif.fd_ip = $4;
+ { int idx = addname(&fr, $2);
+ fr->fr_rif.fd_name = idx;
+ fr->fr_rif.fd_ptr = (void *)-1;
+ fr->fr_rif.fd_ip6 = $4.adr;
+ if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
+ fr->fr_family = $4.f;
free($2);
}
;
@@ -614,27 +733,29 @@ srcdst: | IPFY_ALL
;
protocol:
- YY_NUMBER { DOREM(fr->fr_proto = $1; \
- fr->fr_mproto = 0xff;) }
+ YY_NUMBER { DOALL(fr->fr_proto = $1; \
+ fr->fr_mproto = 0xff;)
+ }
| YY_STR { if (!strcmp($1, "tcp-udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
+ DOALL(fr->fr_flx |= FI_TCPUDP; \
fr->fr_mflx |= FI_TCPUDP;)
} else {
int p = getproto($1);
if (p == -1)
yyerror("protocol unknown");
- DOREM(fr->fr_proto = p; \
+ DOALL(fr->fr_proto = p; \
fr->fr_mproto = 0xff;)
}
free($1);
- }
+ }
| YY_STR nextstring YY_STR
{ if (!strcmp($1, "tcp") &&
!strcmp($3, "udp")) {
DOREM(fr->fr_flx |= FI_TCPUDP; \
fr->fr_mflx |= FI_TCPUDP;)
- } else
+ } else {
YYERROR;
+ }
free($1);
free($3);
}
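Review bot: The first two `protocol` alternatives switch from DOREM to DOALL, but the `YY_STR nextstring YY_STR` alternative (the `tcp`/`udp` pair) still uses `DOREM(fr->fr_flx |= FI_TCPUDP; ...)`. Both macros are defined outside this hunk, so I cannot tell which set of rules each one walks, but `proto tcp-udp` and `proto tcp/udp` should expand identically; if DOALL is the intended form, the third alternative needs the same change. In the YY_STR branch the `DOALL(fr->fr_proto = p; ...)` assignment still runs after `yyerror("protocol unknown")`; unless yyerror() never returns, add `YYERROR;` there so -1 is not stored as the protocol.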
@@ -667,7 +788,8 @@ to: IPFY_TO { if (fr == NULL)
printf("set yyexpectaddr\n");
yycont = &yyexpectaddr;
yysetdict(addrwords);
- resetaddr(); }
+ resetaddr();
+ }
;
with: | andwith withlist
@@ -678,7 +800,7 @@ andwith:
| IPFY_AND { nowith = 0; setipftype(); }
;
-flags: | startflags flagset
+flags: | startflags flagset
{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
| startflags flagset '/' flagset
{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
@@ -717,35 +839,14 @@ srcobject:
;
srcaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
+ addr { build_srcaddr_af(fr, &$1); }
| lstart srcaddrlist lend
;
srcaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
+ addr { build_srcaddr_af(fr, &$1); }
| srcaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
+ { build_srcaddr_af(fr, &$3); }
;
srcport:
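Review bot: The source-address actions now call `build_srcaddr_af(fr, &$1)` with no address-family check, while the dstaddr actions in the next hunk compare `$1.f` with `frc->fr_family` before building. build_srcaddr_af() is defined outside this chunk, so it may do the comparison itself; if it does not, `family inet` followed by an IPv6 source is accepted on the source side and rejected only on the destination side. The old code also wrapped the copy in DOREM so that every remaining rule in a `{ ... }` list received the address, so it is worth confirming that the helper walks the list rather than touching only `fr`. A comment on each call stating which of the two behaviours the helper provides would settle both questions.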
@@ -770,10 +871,10 @@ fromport:
srcportlist:
portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
- | portnum ':' portnum
+ | portnum ':' portnum
{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
fr->fr_stop = $3;) }
- | portnum YY_RANGE_IN portnum
+ | portnum YY_RANGE_IN portnum
{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
fr->fr_stop = $3;) }
| srcportlist lmore portnum
@@ -794,34 +895,25 @@ dstobject:
;
dstaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
+ addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
+ ($1.f != frc->fr_family))
+ yyerror("1.src/dst address family mismatch");
+ build_dstaddr_af(fr, &$1);
}
| lstart dstaddrlist lend
;
dstaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
+ addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
+ ($1.f != frc->fr_family))
+ yyerror("2.src/dst address family mismatch");
+ build_dstaddr_af(fr, &$1);
}
| dstaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
+ { if (($3.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
+ ($3.f != frc->fr_family))
+ yyerror("3.src/dst address family mismatch");
+ build_dstaddr_af(fr, &$3);
}
;
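Review bot: The same three-line family comparison is pasted into all three dstaddr actions, with messages prefixed "1.", "2." and "3." that read like debugging markers rather than user-facing text. It also tests `frc->fr_family` while the build call operates on `fr`, which is easy to misread. I would move the check into build_dstaddr_af() (or a small static helper) and use one message, `yyerror("src/dst address family mismatch");`, so the source and destination sides cannot drift apart. If yyerror() can return, the action should also stop with `YYERROR;` rather than go on to build the address.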
@@ -848,10 +940,10 @@ toport:
dstportlist:
portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
- | portnum ':' portnum
+ | portnum ':' portnum
{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
fr->fr_dtop = $3;) }
- | portnum YY_RANGE_IN portnum
+ | portnum YY_RANGE_IN portnum
{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
fr->fr_dtop = $3;) }
| dstportlist lmore portnum
@@ -865,141 +957,234 @@ dstportlist:
;
addr: pool '/' YY_NUMBER { pooled = 1;
+ yyexpectaddr = 0;
+ $$.type = FRI_LOOKUP;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
$$.a.iplookuptype = IPLT_POOL;
$$.a.iplookupsubtype = 0;
$$.a.iplookupnum = $3; }
| pool '/' YY_STR { pooled = 1;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_POOL;
$$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
+ $$.a.iplookupname = addname(&fr, $3);
+ }
+ | pool '=' '(' { yyexpectaddr = 1;
+ pooled = 1;
}
- | pool '=' '(' poollist ')' { pooled = 1;
+ poollist ')' { yyexpectaddr = 0;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_POOL;
$$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makepool($4); }
+ $$.a.iplookupnum = makepool($5);
+ }
| hash '/' YY_NUMBER { hashed = 1;
+ yyexpectaddr = 0;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_HASH;
$$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | hash '/' YY_STR { pooled = 1;
+ $$.a.iplookupnum = $3;
+ }
+ | hash '/' YY_STR { hashed = 1;
+ $$.type = FRI_LOOKUP;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
$$.a.iplookuptype = IPLT_HASH;
$$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
+ $$.a.iplookupname = addname(&fr, $3);
+ }
+ | hash '=' '(' { hashed = 1;
+ yyexpectaddr = 1;
}
- | hash '=' '(' addrlist ')' { hashed = 1;
+ addrlist ')' { yyexpectaddr = 0;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_HASH;
$$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makehash($4); }
- | ipaddr { bcopy(&$1, &$$, sizeof($$));
+ $$.a.iplookupnum = makehash($5);
+ }
+ | ipaddr { $$ = $1;
yyexpectaddr = 0; }
;
ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
+ $$.type = FRI_NORMAL;
+ $$.ifpos = -1;
+ yyexpectaddr = 0;
+ }
+ | hostname { $$.a = $1.adr;
+ $$.f = $1.f;
+ if ($1.f == AF_INET6)
+ fill6bits(128, $$.m.i6);
+ else if ($1.f == AF_INET)
+ fill6bits(32, $$.m.i6);
+ $$.v = ftov($1.f);
+ $$.ifpos = dynamic;
+ $$.type = FRI_NORMAL;
+ }
+ | hostname { yyresetdict(); }
+ maskspace { yysetdict(maskwords);
+ yyexpectaddr = 2; }
+ ipmask { ntomask($1.f, $5, $$.m.i6);
+ $$.a = $1.adr;
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ $$.type = ifpflag;
+ $$.ifpos = dynamic;
+ if (ifpflag != 0 && $$.v == 0) {
+ if (frc->fr_family == AF_INET6){
+ $$.v = 6;
+ $$.f = AF_INET6;
+ } else {
+ $$.v = 4;
+ $$.f = AF_INET;
+ }
+ }
yyresetdict();
- yyexpectaddr = 0; }
- | hostname { $$.a.in4 = $1;
- $$.m.in4_addr = 0xffffffff;
- yyexpectaddr = 0; }
- | hostname { yyresetdict();
- $$.a.in4_addr = $1.s_addr; }
- maskspace { yysetdict(maskwords); }
- ipv4mask { $$.m.in4_addr = $5.s_addr;
- $$.a.in4_addr &= $5.s_addr;
- yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
- fill6bits(128, (u_32_t *)&$$.m);
+ yyexpectaddr = 0;
+ }
+ | '(' YY_STR ')' { $$.type = FRI_DYNAMIC;
+ ifpflag = FRI_DYNAMIC;
+ $$.ifpos = addname(&fr, $2);
+ $$.lif = 0;
+ }
+ | '(' YY_STR ')' '/'
+ { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
+ maskopts
+ { $$.type = ifpflag;
+ $$.ifpos = addname(&fr, $2);
+ $$.lif = 0;
+ if (frc->fr_family == AF_UNSPEC)
+ frc->fr_family = AF_INET;
+ if (ifpflag == FRI_DYNAMIC) {
+ ntomask(frc->fr_family,
+ $6, $$.m.i6);
+ }
yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { yyresetdict();
- bcopy(&$1, &$$.a, sizeof($$.a)); }
- maskspace { yysetdict(maskwords); }
- ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
+ yyexpectaddr = 0;
+ }
+ | '(' YY_STR ':' YY_NUMBER ')' '/'
+ { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
+ maskopts
+ { $$.type = ifpflag;
+ $$.ifpos = addname(&fr, $2);
+ $$.lif = $4;
+ if (frc->fr_family == AF_UNSPEC)
+ frc->fr_family = AF_INET;
+ if (ifpflag == FRI_DYNAMIC) {
+ ntomask(frc->fr_family,
+ $8, $$.m.i6);
+ }
yyresetdict();
- yyexpectaddr = 0; }
+ yyexpectaddr = 0;
+ }
;
+
maskspace:
'/'
| IPFY_MASK
;
-ipv4mask:
- ipv4 { $$ = $1; }
- | YY_HEX { $$.s_addr = htonl($1); }
- | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
+ipmask: ipv4 { $$ = count4bits($1.s_addr); }
+ | YY_HEX { $$ = count4bits(htonl($1)); }
+ | YY_NUMBER { $$ = $1; }
+ | YY_IPV6 { $$ = count6bits($1.i6); }
+ | maskopts { $$ = $1; }
+ ;
+
+maskopts:
+ IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
ifpflag = FRI_BROADCAST;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
| IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
ifpflag = FRI_NETWORK;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
| IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
ifpflag = FRI_NETMASKED;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
| IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
ifpflag = FRI_PEERADDR;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
+ | YY_NUMBER { $$ = $1; }
;
-ipv6mask:
- YY_NUMBER { ntomask(6, $1, $$.i6); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+hostname:
+ ipv4 { $$.adr.in4 = $1;
+ if (frc->fr_family == AF_INET6)
YYERROR;
+ $$.f = AF_INET;
+ yyexpectaddr = 2;
}
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+ | YY_NUMBER { if (frc->fr_family == AF_INET6)
YYERROR;
+ $$.adr.in4_addr = $1;
+ $$.f = AF_INET;
+ yyexpectaddr = 2;
}
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+ | YY_HEX { if (frc->fr_family == AF_INET6)
YYERROR;
+ $$.adr.in4_addr = $1;
+ $$.f = AF_INET;
+ yyexpectaddr = 2;
}
- ;
-
-hostname:
- ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = $1; }
- | YY_HEX { $$.s_addr = $1; }
- | YY_STR { $$.s_addr = lookuphost($1);
+ | YY_STR { if (lookuphost($1, &$$.adr) == 0)
+ $$.f = AF_INET;
free($1);
+ yyexpectaddr = 2;
+ }
+ | YY_IPV6 { if (frc->fr_family == AF_INET)
+ YYERROR;
+ $$.adr = $1;
+ $$.f = AF_INET6;
+ yyexpectaddr = 2;
}
;
addrlist:
ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
- | addrlist ',' ipaddr
- { $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
+ $$->al_family = $1.f;
+ $$->al_i6addr = $1.a;
+ $$->al_i6mask = $1.m;
+ }
+ | ipaddr ',' { yyexpectaddr = 1; } addrlist
+ { $$ = newalist($4);
+ $$->al_family = $1.f;
+ $$->al_i6addr = $1.a;
+ $$->al_i6mask = $1.m;
+ }
;
pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
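Review bot: In `hostname`, the `YY_STR` alternative sets `$$.f` only when `lookuphost()` returns 0, so on its other return values (1 for an interface-name match, -1 for an unknown name, per the lookuphost hunk later in this diff) `$$.f` is never assigned, and on -1 `$$.adr` may not be either, yet the `ipaddr` actions copy `$1.f` and `$1.adr` into the rule address. An explicit `else` that sets `$$.f = AF_UNSPEC` and zeroes `$$.adr`, plus `YYERROR` for the -1 case, would keep an unresolved name from producing a rule with an arbitrary address. This alternative also skips the `frc->fr_family` check that the `ipv4`, `YY_NUMBER`, `YY_HEX` and `YY_IPV6` alternatives perform. Separately, `pool '/' YY_STR` is the only lookup alternative of `addr` that does not set `$$.v = 0`.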
@@ -1010,53 +1195,70 @@ hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
poollist:
ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
+ $$->al_family = $1.f;
+ $$->al_i6addr = $1.a;
+ $$->al_i6mask = $1.m;
+ }
| '!' ipaddr { $$ = newalist(NULL);
$$->al_not = 1;
- bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
- bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
+ $$->al_family = $2.f;
+ $$->al_i6addr = $2.a;
+ $$->al_i6mask = $2.m;
+ }
| poollist ',' ipaddr
{ $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
+ $$->al_family = $3.f;
+ $$->al_i6addr = $3.a;
+ $$->al_i6mask = $3.m;
+ }
| poollist ',' '!' ipaddr
{ $$ = newalist($1);
$$->al_not = 1;
- bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
- bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
+ $$->al_family = $4.f;
+ $$->al_i6addr = $4.a;
+ $$->al_i6mask = $4.m;
+ }
;
port: IPFY_PORT { yyexpectaddr = 0;
yycont = NULL;
+ if (frc->fr_proto != 0 &&
+ frc->fr_proto != IPPROTO_UDP &&
+ frc->fr_proto != IPPROTO_TCP)
+ yyerror("port use incorrect");
}
;
portc: port compare { $$ = $2;
- yysetdict(NULL); }
+ yysetdict(NULL);
+ }
| porteq { $$ = $1; }
;
porteq: port '=' { $$ = FR_EQUAL;
- yysetdict(NULL); }
+ yysetdict(NULL);
+ }
;
portr: IPFY_PORT { yyexpectaddr = 0;
yycont = NULL;
- yysetdict(NULL); }
+ yysetdict(NULL);
+ }
;
portcomp:
portc portnum { $$.pc = $1;
$$.p1 = $2;
- yyresetdict(); }
+ yyresetdict();
+ }
;
portrange:
portr portnum range portnum { $$.p1 = $2;
$$.pc = $3;
$$.p2 = $4;
- yyresetdict(); }
+ yyresetdict();
+ }
;
icmp: | itype icode
@@ -1070,8 +1272,30 @@ itype: seticmptype icmptype
;
seticmptype:
- IPFY_ICMPTYPE { setipftype();
- yysetdict(icmptypewords); }
+ IPFY_ICMPTYPE { if (frc->fr_family == AF_UNSPEC)
+ frc->fr_family = AF_INET;
+ if (frc->fr_family == AF_INET &&
+ frc->fr_type == FR_T_IPF &&
+ frc->fr_proto != IPPROTO_ICMP) {
+ yyerror("proto not icmp");
+ }
+ if (frc->fr_family == AF_INET6 &&
+ frc->fr_type == FR_T_IPF &&
+ frc->fr_proto != IPPROTO_ICMPV6) {
+ yyerror("proto not ipv6-icmp");
+ }
+ setipftype();
+ DOALL(if (fr->fr_family == AF_INET) { \
+ fr->fr_ip.fi_v = 4; \
+ fr->fr_mip.fi_v = 0xf; \
+ }
+ if (fr->fr_family == AF_INET6) { \
+ fr->fr_ip.fi_v = 6; \
+ fr->fr_mip.fi_v = 0xf; \
+ }
+ )
+ yysetdict(NULL);
+ }
;
icode: | seticmpcode icmpcode
@@ -1146,9 +1370,18 @@ stateopt:
IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
| IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
YYERROR; \
- } else \
+ } else if (fr->fr_flags & FR_STLOOSE) {\
+ YYERROR; \
+ } else \
fr->fr_flags |= FR_STSTRICT;)
}
+ | IPFY_LOOSE { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
+ YYERROR; \
+ } else if (fr->fr_flags & FR_STSTRICT){\
+ YYERROR; \
+ } else \
+ fr->fr_flags |= FR_STLOOSE;)
+ }
| IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
YYERROR; \
} else \
@@ -1162,10 +1395,32 @@ stateopt:
| IPFY_AGE YY_NUMBER '/' YY_NUMBER
{ DOALL(fr->fr_age[0] = $2; \
fr->fr_age[1] = $4;) }
+ | IPFY_ICMPHEAD groupname
+ { DOALL(seticmphead(&fr, $2);)
+ free($2);
+ }
+ | IPFY_NOLOG
+ { DOALL(fr->fr_nostatelog = 1;) }
+ | IPFY_RPC
+ { DOALL(fr->fr_rpc = 1;) }
+ | IPFY_RPC IPFY_IN YY_STR
+ { DOALL(fr->fr_rpc = 1;) }
+ | IPFY_MAX_SRCS YY_NUMBER
+ { DOALL(fr->fr_srctrack.ht_max_nodes = $2;) }
+ | IPFY_MAX_PER_SRC YY_NUMBER
+ { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
+ fr->fr_srctrack.ht_netmask = \
+ fr->fr_family == AF_INET ? 32: 128;)
+ }
+ | IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER
+ { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
+ fr->fr_srctrack.ht_netmask = $4;)
+ }
;
portnum:
- servicename { if (getport(frc, $1, &($$)) == -1)
+ servicename { if (getport(frc, $1,
+ &($$), NULL) == -1)
yyerror("service unknown");
$$ = ntohs($$);
free($1);
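Review bot: The two-argument `IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER` form stores `$4` straight into `fr->fr_srctrack.ht_netmask` with no range check, while the one-argument form picks 32 or 128 from `fr->fr_family`. A prefix length above 32 for `AF_INET` or above 128 for `AF_INET6` should be rejected at parse time, for example `if ($4 > (frc->fr_family == AF_INET6 ? 128 : 32)) yyerror("invalid max-per-src mask");` before the `DOALL`. The one-argument form also yields 128 while `fr_family` is still `AF_UNSPEC`, which may not be intended for a rule that later turns out to be IPv4. In `IPFY_RPC IPFY_IN YY_STR` the string `$3` is neither used nor freed.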
@@ -1188,14 +1443,14 @@ withopt:
| notwith opttype { DOALL(fr->fr_mflx |= $2;) }
| ipopt ipopts { yyresetdict(); }
| notwith ipopt ipopts { yyresetdict(); }
- | startv6hdrs ipv6hdrs { yyresetdict(); }
+ | startv6hdr ipv6hdrs { yyresetdict(); }
;
ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
;
-startv6hdrs:
- IPF6_V6HDRS { if (use_inet6 == 0)
+startv6hdr:
+ IPFY_V6HDR { if (frc->fr_family != AF_INET6)
yyerror("only available with IPv6");
yysetdict(ipv6optwords);
}
@@ -1222,9 +1477,18 @@ opttype:
| IPFY_BROADCAST { $$ = FI_BROADCAST; }
| IPFY_STATE { $$ = FI_STATE; }
| IPFY_OOW { $$ = FI_OOW; }
+ | IPFY_AH { $$ = FI_AH; }
+ | IPFY_V6HDRS { $$ = FI_V6EXTHDR; }
;
ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
+ if (fr->fr_family == AF_UNSPEC) {
+ fr->fr_family = AF_INET;
+ fr->fr_ip.fi_v = 4;
+ fr->fr_mip.fi_v = 0xf;
+ } else if (fr->fr_family != AF_INET) {
+ YYERROR;
+ }
if (!nowith)
fr->fr_ip.fi_optmsk |= $1;)
}
@@ -1264,22 +1528,11 @@ seclevel:
;
icmptype:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
- | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
- | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
- | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
- | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
- | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
- | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
- | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
- | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
- | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
- | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
- | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
- | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
- | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
- | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
+ YY_NUMBER { $$ = $1; }
+ | YY_STR { $$ = geticmptype(frc->fr_family, $1);
+ if ($$ == -1)
+ yyerror("unrecognised icmp type");
+ }
;
icmpcode:
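Review bot: The new `YY_STR` alternative of `icmptype` never frees `$1`, whereas the other string-consuming actions in this diff (`hostname`'s `YY_STR`, `portnum`'s `servicename`) call `free($1)` after use. Adding `free($1);` after the `geticmptype()` call avoids a leak per named ICMP type. If `yyerror()` returns, `$$` stays at -1 and is passed on as the ICMP type, so it is worth confirming that the consumer rejects it.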
@@ -1314,7 +1567,8 @@ opt:
| IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
| IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
| IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
- | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
+ | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
+ | IPFY_IPOPT_CIPSO doi { $$ = getoptbyvalue(IPOPT_CIPSO); }
| IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
| IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
| IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
@@ -1329,6 +1583,13 @@ opt:
| IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
| setsecclass secname
{ DOALL(fr->fr_mip.fi_secmsk |= $2;
+ if (fr->fr_family == AF_UNSPEC) {
+ fr->fr_family = AF_INET;
+ fr->fr_ip.fi_v = 4;
+ fr->fr_mip.fi_v = 0xf;
+ } else if (fr->fr_family != AF_INET) {
+ YYERROR;
+ }
if (!nowith)
fr->fr_ip.fi_secmsk |= $2;)
$$ = 0;
@@ -1337,7 +1598,15 @@ opt:
;
setsecclass:
- IPFY_SECCLASS { yysetdict(ipv4secwords); }
+ IPFY_SECCLASS { yysetdict(ipv4secwords); }
+ ;
+
+doi: IPFY_DOI YY_NUMBER { DOALL(fr->fr_doimask = 0xffffffff; \
+ if (!nowith) \
+ fr->fr_doi = $2;) }
+ | IPFY_DOI YY_HEX { DOALL(fr->fr_doimask = 0xffffffff; \
+ if (!nowith) \
+ fr->fr_doi = $2;) }
;
ipv6hdr:
@@ -1463,7 +1732,7 @@ ipv4: ipv4_24 '.' YY_NUMBER
%%
-static struct wordtab ipfwords[95] = {
+static struct wordtab ipfwords[] = {
{ "age", IPFY_AGE },
{ "ah", IPFY_AH },
{ "all", IPFY_ALL },
@@ -1481,10 +1750,16 @@ static struct wordtab ipfwords[95] = {
#endif
{ "call", IPFY_CALL },
{ "code", IPFY_ICMPCODE },
+ { "comment", IPFY_COMMENT },
{ "count", IPFY_COUNT },
+ { "decapsulate", IPFY_DECAPS },
+ { "dstlist", IPFY_DSTLIST },
+ { "doi", IPFY_DOI },
{ "dup-to", IPFY_DUPTO },
{ "eq", YY_CMP_EQ },
{ "esp", IPFY_ESP },
+ { "exp", IPFY_IPFEXPR },
+ { "family", IPFY_FAMILY },
{ "fastroute", IPFY_FROUTE },
{ "first", IPFY_FIRST },
{ "flags", IPFY_FLAGS },
@@ -1497,20 +1772,27 @@ static struct wordtab ipfwords[95] = {
{ "gt", YY_CMP_GT },
{ "head", IPFY_HEAD },
{ "icmp", IPFY_ICMP },
+ { "icmp-head", IPFY_ICMPHEAD },
{ "icmp-type", IPFY_ICMPTYPE },
{ "in", IPFY_IN },
{ "in-via", IPFY_INVIA },
+ { "inet", IPFY_INET },
+ { "inet6", IPFY_INET6 },
{ "ipopt", IPFY_IPOPTS },
{ "ipopts", IPFY_IPOPTS },
{ "keep", IPFY_KEEP },
+ { "l5-as", IPFY_L5AS },
{ "le", YY_CMP_LE },
{ "level", IPFY_LEVEL },
{ "limit", IPFY_LIMIT },
{ "log", IPFY_LOG },
+ { "loose", IPFY_LOOSE },
{ "lowttl", IPFY_LOWTTL },
{ "lt", YY_CMP_LT },
{ "mask", IPFY_MASK },
{ "match-tag", IPFY_MATCHTAG },
+ { "max-per-src", IPFY_MAX_PER_SRC },
+ { "max-srcs", IPFY_MAX_SRCS },
{ "mbcast", IPFY_MBCAST },
{ "mcast", IPFY_MULTICAST },
{ "multicast", IPFY_MULTICAST },
@@ -1520,6 +1802,7 @@ static struct wordtab ipfwords[95] = {
{ "newisn", IPFY_NEWISN },
{ "no", IPFY_NO },
{ "no-icmp-err", IPFY_NOICMPERR },
+ { "nolog", IPFY_NOLOG },
{ "nomatch", IPFY_NOMATCH },
{ "now", IPFY_NOW },
{ "not", IPFY_NOT },
@@ -1540,7 +1823,10 @@ static struct wordtab ipfwords[95] = {
{ "return-icmp-as-dest", IPFY_RETICMPASDST },
{ "return-rst", IPFY_RETRST },
{ "route-to", IPFY_ROUTETO },
+ { "rule-ttl", IPFY_RULETTL },
+ { "rpc", IPFY_RPC },
{ "sec-class", IPFY_SECCLASS },
+ { "set", IPFY_SET },
{ "set-tag", IPFY_SETTAG },
{ "skip", IPFY_SKIP },
{ "short", IPFY_SHORT },
@@ -1554,19 +1840,20 @@ static struct wordtab ipfwords[95] = {
{ "to", IPFY_TO },
{ "ttl", IPFY_TTL },
{ "udp", IPFY_UDP },
- { "v6hdrs", IPF6_V6HDRS },
+ { "v6hdr", IPFY_V6HDR },
+ { "v6hdrs", IPFY_V6HDRS },
{ "with", IPFY_WITH },
{ NULL, 0 }
};
-static struct wordtab addrwords[4] = {
+static struct wordtab addrwords[] = {
{ "any", IPFY_ANY },
{ "hash", IPFY_HASH },
{ "pool", IPFY_POOL },
{ NULL, 0 }
};
-static struct wordtab maskwords[5] = {
+static struct wordtab maskwords[] = {
{ "broadcast", IPFY_BROADCAST },
{ "netmasked", IPFY_NETMASKED },
{ "network", IPFY_NETWORK },
@@ -1574,26 +1861,7 @@ static struct wordtab maskwords[5] = {
{ NULL, 0 }
};
-static struct wordtab icmptypewords[16] = {
- { "echo", IPFY_ICMPT_ECHO },
- { "echorep", IPFY_ICMPT_ECHOR },
- { "inforeq", IPFY_ICMPT_INFOREQ },
- { "inforep", IPFY_ICMPT_INFOREP },
- { "maskrep", IPFY_ICMPT_MASKREP },
- { "maskreq", IPFY_ICMPT_MASKREQ },
- { "paramprob", IPFY_ICMPT_PARAMP },
- { "redir", IPFY_ICMPT_REDIR },
- { "unreach", IPFY_ICMPT_UNR },
- { "routerad", IPFY_ICMPT_ROUTERAD },
- { "routersol", IPFY_ICMPT_ROUTERSOL },
- { "squench", IPFY_ICMPT_SQUENCH },
- { "timest", IPFY_ICMPT_TIMEST },
- { "timestrep", IPFY_ICMPT_TIMESTREP },
- { "timex", IPFY_ICMPT_TIMEX },
- { NULL, 0 },
-};
-
-static struct wordtab icmpcodewords[17] = {
+static struct wordtab icmpcodewords[] = {
{ "cutoff-preced", IPFY_ICMPC_CUTPRE },
{ "filter-prohib", IPFY_ICMPC_FLTPRO },
{ "isolate", IPFY_ICMPC_ISOLATE },
@@ -1613,7 +1881,7 @@ static struct wordtab icmpcodewords[17] = {
{ NULL, 0 },
};
-static struct wordtab ipv4optwords[25] = {
+static struct wordtab ipv4optwords[] = {
{ "addext", IPFY_IPOPT_ADDEXT },
{ "cipso", IPFY_IPOPT_CIPSO },
{ "dps", IPFY_IPOPT_DPS },
@@ -1641,7 +1909,7 @@ static struct wordtab ipv4optwords[25] = {
{ NULL, 0 },
};
-static struct wordtab ipv4secwords[9] = {
+static struct wordtab ipv4secwords[] = {
{ "confid", IPFY_SEC_CONF },
{ "reserv-1", IPFY_SEC_RSV1 },
{ "reserv-2", IPFY_SEC_RSV2 },
@@ -1653,7 +1921,7 @@ static struct wordtab ipv4secwords[9] = {
{ NULL, 0 },
};
-static struct wordtab ipv6optwords[9] = {
+static struct wordtab ipv6optwords[] = {
{ "dstopts", IPFY_IPV6OPT_DSTOPTS },
{ "esp", IPFY_IPV6OPT_ESP },
{ "frag", IPFY_IPV6OPT_FRAG },
@@ -1665,7 +1933,7 @@ static struct wordtab ipv6optwords[9] = {
{ NULL, 0 },
};
-static struct wordtab logwords[33] = {
+static struct wordtab logwords[] = {
{ "kern", IPFY_FAC_KERN },
{ "user", IPFY_FAC_USER },
{ "mail", IPFY_FAC_MAIL },
@@ -1751,7 +2019,7 @@ FILE *fp;
ipffd = fd;
for (i = 0; i <= IPL_LOGMAX; i++)
- ipfioctl[i] = iocfuncs[i];
+ ipfioctls[i] = iocfuncs[i];
ipfaddfunc = addfunc;
if (feof(fp))
@@ -1779,23 +2047,29 @@ static void newrule()
{
frentry_t *frn;
- frn = (frentry_t *)calloc(1, sizeof(frentry_t));
+ frn = allocfr();
for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
;
- if (fr != NULL)
+ if (fr != NULL) {
fr->fr_next = frn;
- if (frtop == NULL)
+ frn->fr_pnext = &fr->fr_next;
+ }
+ if (frtop == NULL) {
frtop = frn;
+ frn->fr_pnext = &frtop;
+ }
fr = frn;
frc = frn;
fr->fr_loglevel = 0xffff;
fr->fr_isc = (void *)-1;
fr->fr_logtag = FR_NOLOGTAG;
fr->fr_type = FR_T_NONE;
- if (use_inet6 != 0)
- fr->fr_v = 6;
- else
- fr->fr_v = 4;
+ fr->fr_flineno = yylineNum;
+
+ if (use_inet6 == 1)
+ fr->fr_family = AF_INET6;
+ else if (use_inet6 == -1)
+ fr->fr_family = AF_INET;
nrules = 1;
}
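Review bot: `newrule()` uses the result of `allocfr()` without a NULL check: `frn->fr_pnext = ...` and the later `fr->fr_loglevel = 0xffff` dereference it unconditionally, although `allocfr()` returns NULL when `calloc()` fails and `addrule()` in this same commit does test for it. A guard right after the call, e.g. `if (frn == NULL) { yyerror("out of memory"); return; }`, would keep the two call sites consistent. When `use_inet6` is 0 the rule keeps the zeroed family; a one-line comment saying that this is deliberate (presumably the family is settled later from the addresses) would help the next reader.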
@@ -1808,7 +2082,13 @@ static void setipftype()
fr->fr_type = FR_T_IPF;
fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
fr->fr_dsize = sizeof(fripf_t);
- fr->fr_ip.fi_v = frc->fr_v;
+ fr->fr_family = frc->fr_family;
+ if (fr->fr_family == AF_INET) {
+ fr->fr_ip.fi_v = 4;
+ }
+ else if (fr->fr_family == AF_INET6) {
+ fr->fr_ip.fi_v = 6;
+ }
fr->fr_mip.fi_v = 0xf;
fr->fr_ipf->fri_sifpidx = -1;
fr->fr_ipf->fri_difpidx = -1;
@@ -1831,10 +2111,13 @@ static frentry_t *addrule()
count = nrules;
f = f2;
for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
- f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
+ f->fr_next = allocfr();
+ if (f->fr_next == NULL)
+ return NULL;
+ f->fr_next->fr_pnext = &f->fr_next;
added++;
f = f->fr_next;
- bcopy(f1, f, sizeof(*f));
+ *f = *f1;
f->fr_next = NULL;
if (f->fr_caddr != NULL) {
f->fr_caddr = malloc(f->fr_dsize);
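Review bot: `*f = *f1` copies `fr_size`, `fr_namelen` and `fr_pnext` from the source rule into a block that `allocfr()` sized at `sizeof(*fr)`, so the copy claims name storage it does not own and the `fr_pnext` set two lines earlier is overwritten with the source's link. Since `addname()` grows a rule with `realloc()` and keeps the names behind the structure, and `ipf_addrule()` now passes `fr->fr_size` as `ipfo_size`, a rule that carries any name would be handed to the ioctl with a size larger than its allocation, and later reads at `fr_names + offset` would run past the block. The copy should be sized from `f1->fr_size` and the link restored afterwards, as sketched below. The early `return NULL` also drops the partly built list, and the loop body continues past the end of this hunk.

```yacc
	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
		frentry_t **link = &f->fr_next;

		/* size the copy from the source so the trailing names come along */
		*link = calloc(1, f1->fr_size);
		if (*link == NULL)
			return NULL;
		added++;
		f = *link;
		bcopy(f1, f, f1->fr_size);
		f->fr_pnext = link;	/* the bulk copy brought f1's link with it */
		f->fr_next = NULL;
		/* … unchanged: fr_caddr duplication … */
```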
@@ -1846,10 +2129,11 @@ static frentry_t *addrule()
}
-static u_32_t lookuphost(name)
-char *name;
+static int
+lookuphost(name, addrp)
+ char *name;
+ i6addr_t *addrp;
{
- u_32_t addr;
int i;
hashed = 0;
@@ -1857,19 +2141,20 @@ char *name;
dynamic = -1;
for (i = 0; i < 4; i++) {
- if (strncmp(name, frc->fr_ifnames[i],
- sizeof(frc->fr_ifnames[i])) == 0) {
+ if (fr->fr_ifnames[i] == -1)
+ continue;
+ if (strcmp(name, fr->fr_names + fr->fr_ifnames[i]) == 0) {
ifpflag = FRI_DYNAMIC;
- dynamic = i;
- return 0;
+ dynamic = addname(&fr, name);
+ return 1;
}
}
- if (gethost(name, &addr) == -1) {
+ if (gethost(AF_INET, name, addrp) == -1) {
fprintf(stderr, "unknown name \"%s\"\n", name);
- return 0;
+ return -1;
}
- return addr;
+ return 0;
}
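Review bot: `lookuphost()` now has three outcomes (1 for an interface-name match, -1 when `gethost()` fails, 0 on success) and nothing states which of them fill `*addrp`; a header comment such as `/* returns 0 with *addrp set, 1 if name is an interface (dynamic set, *addrp untouched), -1 if unresolved */` would make the caller's obligations visible. `gethost()` is called with a fixed `AF_INET`, so a hostname in a rule whose `frc->fr_family` is `AF_INET6` appears to be resolved as IPv4; passing the rule's family when it is set would match what the numeric alternatives of `hostname` enforce. The result of `addname()` is stored in `dynamic` unchecked, and on allocation failure `addname()` leaves `fr` and `frc` NULL. The function starts in the previous hunk.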
@@ -1891,7 +2176,7 @@ char *phrase;
fprintf(stderr, "cannot mix IPF and BPF matching\n");
return;
}
- fr->fr_v = v;
+ fr->fr_family = vtof(v);
fr->fr_type = FR_T_BPFOPC;
if (!strncmp(phrase, "0x", 2)) {
@@ -1986,8 +2271,9 @@ alist_t *ptr;
}
-static int makepool(list)
-alist_t *list;
+static int
+makepool(list)
+ alist_t *list;
{
ip_pool_node_t *n, *top;
ip_pool_t pool;
@@ -1999,10 +2285,30 @@ alist_t *list;
top = calloc(1, sizeof(*top));
if (top == NULL)
return 0;
-
+
for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
- n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
+ if (use_inet6 == 1) {
+#ifdef AF_INET6
+ n->ipn_addr.adf_family = AF_INET6;
+ n->ipn_addr.adf_addr = a->al_i6addr;
+ n->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 16;
+ n->ipn_mask.adf_family = AF_INET6;
+ n->ipn_mask.adf_addr = a->al_i6mask;
+ n->ipn_mask.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 16;
+
+#endif
+ } else {
+ n->ipn_addr.adf_family = AF_INET;
+ n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
+ n->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 4;
+ n->ipn_mask.adf_family = AF_INET;
+ n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
+ n->ipn_mask.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 4;
+ }
n->ipn_info = a->al_not;
if (a->al_next != NULL) {
n->ipn_next = calloc(1, sizeof(*n));
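Review bot: `makepool()` picks the address family from the global `use_inet6` instead of the per-entry `a->al_family` that `poollist` now records and that `makehash()` in this same commit switches on. With `use_inet6` not equal to 1, an IPv6 entry in a pool is stored through `a->al_1`/`a->al_2` as an `AF_INET` node, so the pool would match addresses the rule author did not write. Using `if (a->al_family == AF_INET6) {` here keeps the two builders consistent. When `AF_INET6` is not defined the first branch compiles to nothing and the node is left zeroed, which probably deserves an error instead. The loop continues past the end of the hunk.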
@@ -2013,7 +2319,7 @@ alist_t *list;
bzero((char *)&pool, sizeof(pool));
pool.ipo_unit = IPL_LOGIPF;
pool.ipo_list = top;
- num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
+ num = load_pool(&pool, ipfioctls[IPL_LOGLOOKUP]);
while ((n = top) != NULL) {
top = n->ipn_next;
@@ -2036,10 +2342,17 @@ alist_t *list;
top = calloc(1, sizeof(*top));
if (top == NULL)
return 0;
-
+
for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipe_addr.in4_addr = a->al_1;
- n->ipe_mask.in4_addr = a->al_2;
+ if (a->al_family == AF_INET6) {
+ n->ipe_family = AF_INET6;
+ n->ipe_addr = a->al_i6addr;
+ n->ipe_mask = a->al_i6mask;
+ } else {
+ n->ipe_family = AF_INET;
+ n->ipe_addr.in4_addr = a->al_1;
+ n->ipe_mask.in4_addr = a->al_2;
+ }
n->ipe_value = 0;
if (a->al_next != NULL) {
n->ipe_next = calloc(1, sizeof(*n));
@@ -2052,7 +2365,7 @@ alist_t *list;
iph.iph_type = IPHASH_LOOKUP;
*iph.iph_name = '\0';
- if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
+ if (load_hash(&iph, top, ipfioctls[IPL_LOGLOOKUP]) == 0)
sscanf(iph.iph_name, "%u", &num);
else
num = 0;
@@ -2065,7 +2378,7 @@ alist_t *list;
}
-void ipf_addrule(fd, ioctlfunc, ptr)
+int ipf_addrule(fd, ioctlfunc, ptr)
int fd;
ioctlfunc_t ioctlfunc;
void *ptr;
@@ -2075,7 +2388,7 @@ void *ptr;
ipfobj_t obj;
if (ptr == NULL)
- return;
+ return 0;
fr = ptr;
add = 0;
@@ -2083,7 +2396,7 @@ void *ptr;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*fr);
+ obj.ipfo_size = fr->fr_size;
obj.ipfo_type = IPFOBJ_FRENTRY;
obj.ipfo_ptr = ptr;
@@ -2118,8 +2431,11 @@ void *ptr;
if ((opts & OPT_ZERORULEST) != 0) {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(zero rule)",
+ fr->fr_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
} else {
#ifdef USE_QUAD_T
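Review bot: The three new error paths (this one and the delete and add/insert branches in the next hunk) format into `char msg[80]` with `sprintf()`; the fixed text plus one `%d` fits today, but `snprintf(msg, sizeof(msg), "%d:ioctl(zero rule)", fr->fr_flineno);` keeps the bound next to the buffer if the text is ever lengthened. The same four lines are repeated three times, so a small static helper taking the operation name would remove the duplication. With `OPT_DONOTHING` set, a failed ioctl still ends in `return 0`; a comment stating that this is intended would help callers that now look at the return value.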
@@ -2134,19 +2450,26 @@ void *ptr;
}
} else if ((opts & OPT_REMOVE) != 0) {
if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) != 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete rule)");
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(delete rule)",
+ fr->fr_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
} else {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if (!(opts & OPT_DONOTHING)) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert rule)");
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(add/insert rule)",
+ fr->fr_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
}
+ return 0;
}
static void setsyslog()
@@ -2168,9 +2491,16 @@ frentry_t *fr;
{
frentry_t *f;
- for (f = frold; f != NULL; f = f->fr_next)
- if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
+ for (f = frold; f != NULL; f = f->fr_next) {
+ if (f->fr_grhead == -1 && fr->fr_group == -1)
+ break;
+ if (f->fr_grhead == -1 || fr->fr_group == -1)
+ continue;
+ if (strcmp(f->fr_names + f->fr_grhead,
+ fr->fr_names + fr->fr_group) == 0)
break;
+ }
+
if (f == NULL)
return;
@@ -2183,8 +2513,8 @@ frentry_t *fr;
if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
return;
- if (fr->fr_v == 0 && f->fr_v != 0)
- fr->fr_v = f->fr_v;
+ if (fr->fr_family == 0 && f->fr_family != 0)
+ fr->fr_family = f->fr_family;
if (fr->fr_mproto == 0 && f->fr_mproto != 0)
fr->fr_mproto = f->fr_mproto;
@@ -2192,6 +2522,218 @@ frentry_t *fr;
fr->fr_proto = f->fr_proto;
if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
- ((f->fr_flx & FI_TCPUDP) != 0))
+ ((f->fr_flx & FI_TCPUDP) != 0)) {
fr->fr_flx |= FI_TCPUDP;
+ fr->fr_mflx |= FI_TCPUDP;
+ }
+}
+
+
+static void doipfexpr(line)
+char *line;
+{
+ int *array;
+ char *error;
+
+ array = parseipfexpr(line, &error);
+ if (array == NULL) {
+ fprintf(stderr, "%s:", error);
+ yyerror("error parsing ipf matching expression");
+ return;
+ }
+
+ fr->fr_type = FR_T_IPFEXPR;
+ fr->fr_data = array;
+ fr->fr_dsize = array[0] * sizeof(*array);
+}
+
+
+static void do_tuneint(varname, value)
+char *varname;
+int value;
+{
+ char buffer[80];
+
+ strncpy(buffer, varname, 60);
+ buffer[59] = '\0';
+ strcat(buffer, "=");
+ sprintf(buffer, "%u", value);
+ ipf_dotuning(ipffd, buffer, ioctl);
+}
+
+
+static void do_tunestr(varname, value)
+char *varname, *value;
+{
+
+ if (!strcasecmp(value, "true")) {
+ do_tuneint(varname, 1);
+ } else if (!strcasecmp(value, "false")) {
+ do_tuneint(varname, 0);
+ } else {
+ yyerror("did not find true/false where expected");
+ }
+}
+
+
+static void setifname(frp, idx, name)
+frentry_t **frp;
+int idx;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_ifnames[idx] = pos;
+}
+
+
+static int addname(frp, name)
+frentry_t **frp;
+char *name;
+{
+ frentry_t *f;
+ int nlen;
+ int pos;
+
+ nlen = strlen(name) + 1;
+ f = realloc(*frp, (*frp)->fr_size + nlen);
+ if (*frp == frc)
+ frc = f;
+ *frp = f;
+ if (f == NULL)
+ return -1;
+ if (f->fr_pnext != NULL)
+ *f->fr_pnext = f;
+ f->fr_size += nlen;
+ pos = f->fr_namelen;
+ f->fr_namelen += nlen;
+ strcpy(f->fr_names + pos, name);
+ f->fr_names[f->fr_namelen] = '\0';
+ return pos;
+}
+
+
+static frentry_t *allocfr()
+{
+ frentry_t *fr;
+
+ fr = calloc(1, sizeof(*fr));
+ if (fr != NULL) {
+ fr->fr_size = sizeof(*fr);
+ fr->fr_comment = -1;
+ fr->fr_group = -1;
+ fr->fr_grhead = -1;
+ fr->fr_icmphead = -1;
+ fr->fr_ifnames[0] = -1;
+ fr->fr_ifnames[1] = -1;
+ fr->fr_ifnames[2] = -1;
+ fr->fr_ifnames[3] = -1;
+ fr->fr_tif.fd_name = -1;
+ fr->fr_rif.fd_name = -1;
+ fr->fr_dif.fd_name = -1;
+ }
+ return fr;
+}
+
+
+static void setgroup(frp, name)
+frentry_t **frp;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_group = pos;
+}
+
+
+static void setgrhead(frp, name)
+frentry_t **frp;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_grhead = pos;
+}
+
+
+static void seticmphead(frp, name)
+frentry_t **frp;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_icmphead = pos;
+}
+
+
+static void
+build_dstaddr_af(fp, ptr)
+ frentry_t *fp;
+ void *ptr;
+{
+ struct ipp_s *ipp = ptr;
+ frentry_t *f = fp;
+
+ if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
+ ipp->f = f->fr_family;
+ ipp->v = f->fr_ip.fi_v;
+ }
+ if (ipp->f == AF_INET)
+ ipp->v = 4;
+ else if (ipp->f == AF_INET6)
+ ipp->v = 6;
+
+ for (; f != NULL; f = f->fr_next) {
+ f->fr_ip.fi_dst = ipp->a;
+ f->fr_mip.fi_dst = ipp->m;
+ f->fr_family = ipp->f;
+ f->fr_ip.fi_v = ipp->v;
+ f->fr_mip.fi_v = 0xf;
+ f->fr_datype = ipp->type;
+ if (ipp->ifpos != -1)
+ f->fr_ipf->fri_difpidx = ipp->ifpos;
+ }
+ fr = NULL;
+}
+
+
+static void
+build_srcaddr_af(fp, ptr)
+ frentry_t *fp;
+ void *ptr;
+{
+ struct ipp_s *ipp = ptr;
+ frentry_t *f = fp;
+
+ if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
+ ipp->f = f->fr_family;
+ ipp->v = f->fr_ip.fi_v;
+ }
+ if (ipp->f == AF_INET)
+ ipp->v = 4;
+ else if (ipp->f == AF_INET6)
+ ipp->v = 6;
+
+ for (; f != NULL; f = f->fr_next) {
+ f->fr_ip.fi_src = ipp->a;
+ f->fr_mip.fi_src = ipp->m;
+ f->fr_family = ipp->f;
+ f->fr_ip.fi_v = ipp->v;
+ f->fr_mip.fi_v = 0xf;
+ f->fr_satype = ipp->type;
+ f->fr_ipf->fri_sifpidx = ipp->ifpos;
+ }
+ fr = NULL;
}
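Review bot: `do_tuneint()` builds `name=` in `buffer` and then calls `sprintf(buffer, "%u", value)`, which writes from the start of the buffer and discards the name, so `ipf_dotuning()` receives only the number. One call does the job and keeps the bound: `snprintf(buffer, sizeof(buffer), "%.59s=%u", varname, value);`. In `addname()`, the `realloc()` result is assigned to `*frp` (and `frc`) before the NULL test, so a failed allocation loses the still-valid original rule and leaves both pointers NULL for the rest of the parse; holding the result in a temporary and returning -1 before touching `*frp` avoids that. `build_srcaddr_af()` stores `ipp->ifpos` into `fri_sifpidx` unconditionally while `build_dstaddr_af()` guards the same store with `ipp->ifpos != -1`, so one of the two probably needs to change.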
diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c
index e00fe84..eba28ce 100644
--- a/contrib/ipfilter/tools/ipfcomp.c
+++ b/contrib/ipfilter/tools/ipfcomp.c
@@ -1,13 +1,13 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.7 2007/05/01 22:15:00 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include "ipf.h"
@@ -63,7 +63,7 @@ static FILE *cfile = NULL;
* required.
*/
void printc(fr)
-frentry_t *fr;
+ frentry_t *fr;
{
fripf_t *ipf;
u_long *ulp;
@@ -71,7 +71,7 @@ frentry_t *fr;
FILE *fp;
int i;
- if (fr->fr_v != 4)
+ if (fr->fr_family == 6)
return;
if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
return;
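Review bot: `fr->fr_family == 6` compares an address-family field with the IP version number; elsewhere in this commit `fr_family` holds `AF_INET`/`AF_INET6`, and `AF_INET6` is not 6 on the BSDs, so IPv6 rules would no longer be skipped by `printc()`. The old test rejected everything that was not version 4, whereas the new one also lets an unset family through. `if (fr->fr_family != AF_INET)` is closest to the previous behaviour, or `if (fr->fr_family == AF_INET6)` if rules with an unset family are meant to be compiled. `printc()` continues outside this hunk.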
@@ -87,7 +87,7 @@ frentry_t *fr;
fp = cfile;
if (count == 0) {
fprintf(fp, "/*\n");
- fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
+ fprintf(fp, "* Copyright (C) 2012 by Darren Reed.\n");
fprintf(fp, "*\n");
fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
@@ -136,6 +136,9 @@ frentry_t *fr;
fprintf(fp, "#endif /* _KERNEL */\n");
fprintf(fp, "\n");
fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
+ fprintf(fp, "\n");
+ fprintf(fp, "extern ipf_main_softc_t ipfmain;\n");
+ fprintf(fp, "\n");
}
addrule(fp, fr);
@@ -162,12 +165,14 @@ static frgroup_t *groups = NULL;
static void addrule(fp, fr)
-FILE *fp;
-frentry_t *fr;
+ FILE *fp;
+ frentry_t *fr;
{
frentry_t *f, **fpp;
frgroup_t *g;
u_long *ulp;
+ char *ghead;
+ char *gname;
char *and;
int i;
@@ -180,8 +185,10 @@ frentry_t *fr;
}
f->fr_next = NULL;
+ gname = FR_NAME(fr, fr_group);
+
for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
+ if ((strncmp(g->fg_name, gname, FR_GROUPLEN) == 0) &&
(g->fg_flags == (f->fr_flags & FR_INOUT)))
break;
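Review bot: `gname = FR_NAME(fr, fr_group)` is evaluated without checking `fr_group` against -1, although `allocfr()` in this commit initialises that offset to -1 and the `fr_grhead` use further down in this function is guarded with `f->fr_grhead != -1`. `FR_NAME` is not defined on this page; if it is plain offset arithmetic on `fr_names`, an ungrouped rule would yield a pointer just before the name area and `strncmp()` would read from it. A guard such as `gname = (fr->fr_group != -1) ? FR_NAME(fr, fr_group) : "";` would cover that case. The two lookups also use different rule pointers (`fr` here, `f` for `ghead`), so it is worth confirming that both point at storage that actually carries the names. The function starts before this hunk.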
@@ -190,7 +197,7 @@ frentry_t *fr;
g->fg_next = groups;
groups = g;
g->fg_head = f;
- bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
+ strncpy(g->fg_name, gname, FR_GROUPLEN);
g->fg_ref = 0;
g->fg_flags = f->fr_flags & FR_INOUT;
}
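Review bot: `strncpy(g->fg_name, gname, FR_GROUPLEN)` does not NUL-terminate fg_name when gname is FR_GROUPLEN bytes or longer, and gname now comes through FR_NAME rather than from a fixed FR_GROUPLEN-sized field, so its length is not obviously bounded here. printhooks later prints `grp->fg_name` with `%s`, which would then read past the array. How g is allocated and how large fg_name is are outside the hunk; unless that already guarantees a trailing NUL, add `g->fg_name[FR_GROUPLEN - 1] = '\0';` after the copy. The ghead copy in the `@@ -230,7 +237,7 @@` hunk and the fr_grhead copies in ipfstat.c's printlivelist and printdeadlist follow the same pattern.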
@@ -219,10 +226,10 @@ static u_long ipf%s_rule_data_%s_%u[] = {\n",
g->fg_ref++;
- if (f->fr_grhead != 0) {
+ if (f->fr_grhead != -1) {
+ ghead = FR_NAME(f, fr_grhead);
for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_grhead,
- FR_GROUPLEN) == 0) &&
+ if ((strncmp(g->fg_name, ghead, FR_GROUPLEN) == 0) &&
g->fg_flags == (f->fr_flags & FR_INOUT))
break;
if (g == NULL) {
@@ -230,7 +237,7 @@ static u_long ipf%s_rule_data_%s_%u[] = {\n",
g->fg_next = groups;
groups = g;
g->fg_head = f;
- bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
+ strncpy(g->fg_name, ghead, FR_GROUPLEN);
g->fg_ref = 0;
g->fg_flags = f->fr_flags & FR_INOUT;
}
@@ -239,7 +246,7 @@ static u_long ipf%s_rule_data_%s_%u[] = {\n",
int intcmp(c1, c2)
-const void *c1, *c2;
+ const void *c1, *c2;
{
const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;
@@ -251,17 +258,17 @@ const void *c1, *c2;
static void indent(fp, in)
-FILE *fp;
-int in;
+ FILE *fp;
+ int in;
{
for (; in; in--)
fputc('\t', fp);
}
static void printeq(fp, var, m, max, v)
-FILE *fp;
-char *var;
-int m, max, v;
+ FILE *fp;
+ char *var;
+ int m, max, v;
{
if (m == max)
fprintf(fp, "%s == %#x) {\n", var, v);
@@ -276,9 +283,9 @@ int m, max, v;
* v - required address
*/
static void printipeq(fp, var, fl, m, v)
-FILE *fp;
-char *var;
-int fl, m, v;
+ FILE *fp;
+ char *var;
+ int fl, m, v;
{
if (m == 0xffffffff)
fprintf(fp, "%s ", var);
@@ -290,9 +297,9 @@ int fl, m, v;
void emit(num, dir, v, fr)
-int num, dir;
-void *v;
-frentry_t *fr;
+ int num, dir;
+ void *v;
+ frentry_t *fr;
{
u_int incnt, outcnt;
frgroup_t *g;
@@ -342,8 +349,8 @@ frentry_t *fr;
static void emitheader(grp, incount, outcount)
-frgroup_t *grp;
-u_int incount, outcount;
+ frgroup_t *grp;
+ u_int incount, outcount;
{
static FILE *fph = NULL;
frgroup_t *g;
@@ -434,11 +441,11 @@ int ipfrule_remove()\n\
static void emitGroup(num, dir, v, fr, group, incount, outcount)
-int num, dir;
-void *v;
-frentry_t *fr;
-char *group;
-u_int incount, outcount;
+ int num, dir;
+ void *v;
+ frentry_t *fr;
+ char *group;
+ u_int incount, outcount;
{
static FILE *fp = NULL;
static int header[2] = { 0, 0 };
@@ -514,9 +521,8 @@ u_int incount, outcount;
if ((i & 1) == 0) {
fprintf(fp, "\n\t");
}
- fprintf(fp,
- "(frentry_t *)&in_rule_%s_%d",
- f->fr_group, i);
+ fprintf(fp, "(frentry_t *)&in_rule_%s_%d",
+ FR_NAME(f, fr_group), i);
if (i + 1 < incount)
fprintf(fp, ", ");
i++;
@@ -534,9 +540,8 @@ u_int incount, outcount;
if ((i & 1) == 0) {
fprintf(fp, "\n\t");
}
- fprintf(fp,
- "(frentry_t *)&out_rule_%s_%d",
- f->fr_group, i);
+ fprintf(fp, "(frentry_t *)&out_rule_%s_%d",
+ FR_NAME(f, fr_group), i);
if (i + 1 < outcount)
fprintf(fp, ", ");
i++;
@@ -586,7 +591,7 @@ u_int incount, outcount;
switch(m[i].c)
{
case FRC_IFN :
- if (*fr->fr_ifname)
+ if (fr->fr_ifnames[0] != -1)
m[i].s = 1;
break;
case FRC_V :
@@ -940,11 +945,11 @@ u_int incount, outcount;
if (fr->fr_flags & FR_QUICK) {
fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n",
fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
+ FR_NAME(fr, fr_group), num);
} else {
fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n",
fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
+ FR_NAME(fr, fr_group), num);
}
if (n == NULL)
n = (mc_t *)malloc(sizeof(*n) * FRC_MAX);
@@ -954,7 +959,7 @@ u_int incount, outcount;
void printC(dir)
-int dir;
+ int dir;
{
static mc_t *m = NULL;
frgroup_t *g;
@@ -977,10 +982,10 @@ int dir;
* Now print out code to implement all of the rules.
*/
static void printCgroup(dir, top, m, group)
-int dir;
-frentry_t *top;
-mc_t *m;
-char *group;
+ int dir;
+ frentry_t *top;
+ mc_t *m;
+ char *group;
{
frentry_t *fr, *fr1;
int i, n, rn;
@@ -1027,13 +1032,14 @@ char *group;
continue;
if ((n & 0x0001) &&
- !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
+ !strcmp(fr1->fr_names + fr1->fr_ifnames[0],
+ fr->fr_names + fr->fr_ifnames[0])) {
m[FRC_IFN].e++;
m[FRC_IFN].n++;
} else
n &= ~0x0001;
- if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
+ if ((n & 0x0002) && (fr1->fr_family == fr->fr_family)) {
m[FRC_V].e++;
m[FRC_V].n++;
} else
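Review bot: `fr->fr_names + fr->fr_ifnames[0]` is formed without checking for -1, the value the FRC_IFN hunk earlier in this file (`fr->fr_ifnames[0] != -1`) treats as "no interface name". For a rule without an interface, strcmp would then start reading one byte before fr_names. Unless code outside the hunk already excludes that case, compare the offsets first and call strcmp only when both are set, e.g. `(fr1->fr_ifnames[0] == -1 || fr->fr_ifnames[0] == -1) ? fr1->fr_ifnames[0] == fr->fr_ifnames[0] : !strcmp(...)`. printCgroup's body starts and ends outside the hunk.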
@@ -1226,10 +1232,10 @@ char *group;
}
static void printhooks(fp, in, out, grp)
-FILE *fp;
-int in;
-int out;
-frgroup_t *grp;
+ FILE *fp;
+ int in;
+ int out;
+ frgroup_t *grp;
{
frentry_t *fr;
char *group;
@@ -1237,7 +1243,7 @@ frgroup_t *grp;
char *instr;
group = grp->fg_name;
- dogrp = *group ? 1 : 0;
+ dogrp = 0;
if (in && out) {
fprintf(stderr,
@@ -1283,18 +1289,24 @@ int ipfrule_add_%s_%s()\n", instr, group);
fprintf(fp, "\
for (j = i + 1; j < max; j++)\n\
- if (strncmp(fp->fr_group,\n\
+ if (strncmp(fp->fr_names + fp->fr_group,\n\
+ ipf_rules_%s_%s[j]->fr_names +\n\
ipf_rules_%s_%s[j]->fr_group,\n\
FR_GROUPLEN) == 0) {\n\
+ if (ipf_rules_%s_%s[j] != NULL)\n\
+ ipf_rules_%s_%s[j]->fr_pnext =\n\
+ &fp->fr_next;\n\
+ fp->fr_pnext = &ipf_rules_%s_%s[j];\n\
fp->fr_next = ipf_rules_%s_%s[j];\n\
break;\n\
- }\n", instr, group, instr, group);
+ }\n", instr, group, instr, group, instr, group,
+ instr, group, instr, group, instr, group);
if (dogrp)
fprintf(fp, "\
\n\
- if (fp->fr_grhead != 0) {\n\
- fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
- IPL_LOGIPF, 0);\n\
+ if (fp->fr_grhead != -1) {\n\
+ fg = fr_addgroup(fp->fr_names + fp->fr_grhead,\n\
+ fp, FR_INQUE, IPL_LOGIPF, 0);\n\
if (fg != NULL)\n\
fp->fr_grp = &fg->fg_start;\n\
}\n");
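Review bot: In the emitted loop, `ipf_rules_%s_%s[j]` is dereferenced in the strncmp arguments (`->fr_names`, `->fr_group`) before the added `if (ipf_rules_%s_%s[j] != NULL)` test, so that NULL check cannot protect anything. Either emit `if (ipf_rules_%s_%s[j] == NULL)\n\ continue;\n\` ahead of the strncmp or drop the test. The generated strncmp also adds fr_group to fr_names without testing for -1, which other hunks in this file treat as "unset". Separately, the earlier hunk sets `dogrp = 0`, which makes the `if (dogrp)` fprintf updated here unreachable, so a comment explaining why group-head registration is disabled would help. printhooks' body starts and ends outside the hunk.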
@@ -1304,7 +1316,7 @@ int ipfrule_add_%s_%s()\n", instr, group);
fp = &ipfrule_%s_%s;\n", instr, group);
fprintf(fp, "\
bzero((char *)fp, sizeof(*fp));\n\
- fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
+ fp->fr_type = FR_T_CALLFUNC_BUILTIN;\n\
fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
(in != 0) ? "IN" : "OUT", instr, group);
@@ -1313,9 +1325,10 @@ int ipfrule_add_%s_%s()\n", instr, group);
instr, group);
fprintf(fp, "\
- fp->fr_v = 4;\n\
+ fp->fr_family = AF_INET;\n\
fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
- err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
+ err = frrequest(&ipfmain, IPL_LOGIPF, SIOCADDFR, (caddr_t)fp,\n\
+ ipfmain.ipf_active, 0);\n",
instr, group);
fprintf(fp, "\treturn err;\n}\n");
@@ -1348,8 +1361,9 @@ int ipfrule_remove_%s_%s()\n", instr, group);
}\n\
}\n\
if (err == 0)\n\
- err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
- (caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
+ err = frrequest(&ipfmain, IPL_LOGIPF, SIOCDELFR,\n\
+ (caddr_t)&ipfrule_%s_%s,\n\
+ ipfmain.ipf_active, 0);\n",
instr, group, instr, group, instr, group);
fprintf(fp, "\
if (err)\n\
diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c
index eab650a..b5484be 100644
--- a/contrib/ipfilter/tools/ipfs.c
+++ b/contrib/ipfilter/tools/ipfs.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -44,7 +44,7 @@
#include "netinet/ipl.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp";
+static const char rcsid[] = "@(#)$Id$";
#endif
#ifndef IPF_SAVEDIR
@@ -100,7 +100,7 @@ void usage()
* Change interface names in state information saved out to disk.
*/
int changestateif(ifs, fname)
-char *ifs, *fname;
+ char *ifs, *fname;
{
int fd, olen, nlen, rw;
ipstate_save_t ips;
@@ -163,7 +163,7 @@ char *ifs, *fname;
* Change interface names in NAT information saved out to disk.
*/
int changenatif(ifs, fname)
-char *ifs, *fname;
+ char *ifs, *fname;
{
int fd, olen, nlen, rw;
nat_save_t ipn;
@@ -198,14 +198,6 @@ char *ifs, *fname;
strcpy(nat->nat_ifnames[1], s);
rw = 1;
}
- if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[2], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[3], s);
- rw = 1;
- }
if (rw == 1) {
if (lseek(fd, pos, SEEK_SET) != pos) {
perror("lseek");
@@ -225,8 +217,8 @@ char *ifs, *fname;
int main(argc,argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
char *dirname = NULL, *filename = NULL, *ifs = NULL;
@@ -356,7 +348,7 @@ char *argv[];
int opendevice(ipfdev)
-char *ipfdev;
+ char *ipfdev;
{
int fd = -1;
@@ -374,14 +366,14 @@ char *ipfdev;
void closedevice(fd)
-int fd;
+ int fd;
{
close(fd);
}
int setlock(fd, lock)
-int fd, lock;
+ int fd, lock;
{
if (opts & OPT_VERBOSE)
printf("Turn lock %s\n", lock ? "on" : "off");
@@ -398,8 +390,8 @@ int fd, lock;
int writestate(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
ipstate_save_t ips, *ipsp;
ipfobj_t obj;
@@ -450,8 +442,8 @@ char *file;
int readstate(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
int sfd = -1, i;
@@ -567,8 +559,8 @@ freeipshead:
int readnat(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL;
ipfobj_t obj;
@@ -714,8 +706,8 @@ freenathead:
int writenat(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
nat_save_t *ipnp = NULL, *next = NULL;
ipfobj_t obj;
@@ -798,7 +790,7 @@ char *file;
int writeall(dirname)
-char *dirname;
+ char *dirname;
{
int fd, devfd;
@@ -849,7 +841,7 @@ bad:
int readall(dirname)
-char *dirname;
+ char *dirname;
{
int fd, devfd;
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index 3c5bfdd..3261cef 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -15,6 +15,7 @@
# endif
#endif
#include <sys/ioctl.h>
+#include <ctype.h>
#include <fcntl.h>
#ifdef linux
# include <linux/a.out.h>
@@ -71,7 +72,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#ifdef __hpux
@@ -87,7 +88,9 @@ extern int opterr;
static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
"ipacct(in)", "ipacct(out)" };
static int state_logging = -1;
+static wordtab_t *state_fields = NULL;
+int nohdrfields = 0;
int opts = 0;
int use_inet6 = 0;
int live_kernel = 1;
@@ -98,6 +101,26 @@ int nat_fd = -1;
frgroup_t *grtop = NULL;
frgroup_t *grtail = NULL;
+char *blockreasons[FRB_MAX_VALUE + 1] = {
+ "packet blocked",
+ "log rule failure",
+ "pps rate exceeded",
+ "jumbogram",
+ "makefrip failed",
+ "cannot add state",
+ "IP ID update failed",
+ "log-or-block failed",
+ "decapsulate failure",
+ "cannot create new auth entry",
+ "packet queued for auth",
+ "buffer coalesce failure",
+ "buffer pullup failure",
+ "auth feedback",
+ "bad fragment",
+ "IPv4 NAT failure",
+ "IPv6 NAT failure"
+};
+
#ifdef STATETOP
#define STSTRSIZE 80
#define STGROWSIZE 16
@@ -135,22 +158,27 @@ static int fetchfrag __P((int, int, ipfr_t *));
static void showstats __P((friostat_t *, u_32_t));
static void showfrstates __P((ipfrstat_t *, u_long));
static void showlist __P((friostat_t *));
-static void showipstates __P((ips_stat_t *));
-static void showauthstates __P((fr_authstat_t *));
+static void showstatestats __P((ips_stat_t *));
+static void showipstates __P((ips_stat_t *, int *));
+static void showauthstates __P((ipf_authstat_t *));
+static void showtqtable_live __P((int));
static void showgroups __P((friostat_t *));
static void usage __P((char *));
-static void showtqtable_live __P((int));
-static void printlivelist __P((int, int, frentry_t *, char *, char *));
-static void printdeadlist __P((int, int, frentry_t *, char *, char *));
+static int state_matcharray __P((ipstate_t *, int *));
+static int printlivelist __P((friostat_t *, int, int, frentry_t *,
+ char *, char *));
+static void printdeadlist __P((friostat_t *, int, int, frentry_t *,
+ char *, char *));
+static void printside __P((char *, ipf_statistics_t *));
static void parse_ipportstr __P((const char *, i6addr_t *, int *));
static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
+ ipfrstat_t **, ipf_authstat_t **, u_32_t *));
static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
+ ipfrstat_t **, ipf_authstat_t **, u_32_t *));
static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
#ifdef STATETOP
static void topipstates __P((i6addr_t, i6addr_t, int, int, int,
- int, int, int));
+ int, int, int, int *));
static void sig_break __P((int));
static void sig_resize __P((int));
static char *getip __P((int, i6addr_t *));
@@ -167,7 +195,7 @@ static int sort_dstpt __P((const void *, const void *));
static void usage(name)
-char *name;
+ char *name;
{
#ifdef USE_INET6
fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name);
@@ -186,20 +214,23 @@ char *name;
int main(argc,argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
+ ipf_authstat_t frauthst;
+ ipf_authstat_t *frauthstp = &frauthst;
friostat_t fio;
friostat_t *fiop = &fio;
ips_stat_t ipsst;
ips_stat_t *ipsstp = &ipsst;
ipfrstat_t ifrst;
ipfrstat_t *ifrstp = &ifrst;
- char *memf = NULL;
- char *options, *kern = NULL;
- int c, myoptind;
+ char *options;
+ char *kern = NULL;
+ char *memf = NULL;
+ int c;
+ int myoptind;
+ int *filter = NULL;
int protocol = -1; /* -1 = wild card for any protocol */
int refreshtime = 1; /* default update time */
@@ -210,9 +241,9 @@ char *argv[];
u_32_t frf;
#ifdef USE_INET6
- options = "6aACdfghIilnostvD:M:N:P:RS:T:";
+ options = "6aACdfghIilnostvD:m:M:N:O:P:RS:T:";
#else
- options = "aACdfghIilnostvD:M:N:P:RS:T:";
+ options = "aACdfghIilnostvD:m:M:N:O:P:RS:T:";
#endif
saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
@@ -324,6 +355,14 @@ char *argv[];
case 'l' :
opts |= OPT_SHOWLIST;
break;
+ case 'm' :
+ filter = parseipfexpr(optarg, NULL);
+ if (filter == NULL) {
+ fprintf(stderr, "Error parseing '%s'\n",
+ optarg);
+ exit(1);
+ }
+ break;
case 'M' :
break;
case 'N' :
@@ -334,6 +373,9 @@ char *argv[];
case 'o' :
opts |= OPT_OUTQUE|OPT_SHOWLIST;
break;
+ case 'O' :
+ state_fields = parsefields(statefields, optarg);
+ break;
case 'P' :
protocol = getproto(optarg);
if (protocol == -1) {
@@ -386,11 +428,12 @@ char *argv[];
ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
&frauthstp, &frf);
- } else
+ } else {
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
+ }
if (opts & OPT_IPSTATES) {
- showipstates(ipsstp);
+ showipstates(ipsstp, filter);
} else if (opts & OPT_SHOWLIST) {
showlist(fiop);
if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
@@ -402,7 +445,7 @@ char *argv[];
#ifdef STATETOP
else if (opts & OPT_STATETOP)
topipstates(saddr, daddr, sport, dport, protocol,
- use_inet6 ? 6 : 4, refreshtime, topclosed);
+ use_inet6 ? 6 : 4, refreshtime, topclosed, filter);
#endif
else if (opts & OPT_AUTHSTATS)
showauthstates(frauthstp);
@@ -420,12 +463,12 @@ char *argv[];
* of ioctl's and copying directly from kernel memory.
*/
static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *device;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
+ char *device;
+ friostat_t **fiopp;
+ ips_stat_t **ipsstpp;
+ ipfrstat_t **ifrstpp;
+ ipf_authstat_t **frauthstpp;
+ u_32_t *frfp;
{
ipfobj_t ipfo;
@@ -442,12 +485,12 @@ u_32_t *frfp;
ipfo.ipfo_ptr = (void *)*fiopp;
if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
+ ipferror(ipf_fd, "ioctl(ipf:SIOCGETFS)");
exit(-1);
}
if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
- perror("ioctl(SIOCGETFF)");
+ ipferror(ipf_fd, "ioctl(SIOCGETFF)");
}
if ((opts & OPT_IPSTATES) != 0) {
@@ -459,11 +502,11 @@ u_32_t *frfp;
ipfo.ipfo_ptr = (void *)*ipsstpp;
if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
+ ipferror(state_fd, "ioctl(state:SIOCGETFS)");
exit(-1);
}
if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
- perror("ioctl(state:SIOCGETLG)");
+ ipferror(state_fd, "ioctl(state:SIOCGETLG)");
exit(-1);
}
}
@@ -474,9 +517,9 @@ u_32_t *frfp;
ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
ipfo.ipfo_size = sizeof(ipfrstat_t);
ipfo.ipfo_ptr = (void *)*ifrstpp;
-
+
if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
- perror("ioctl(SIOCGFRST)");
+ ipferror(ipf_fd, "ioctl(SIOCGFRST)");
exit(-1);
}
}
@@ -488,11 +531,11 @@ u_32_t *frfp;
bzero((caddr_t)&ipfo, sizeof(ipfo));
ipfo.ipfo_rev = IPFILTER_VERSION;
ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
- ipfo.ipfo_size = sizeof(fr_authstat_t);
+ ipfo.ipfo_size = sizeof(ipf_authstat_t);
ipfo.ipfo_ptr = (void *)*frauthstpp;
if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
- perror("ioctl(SIOCATHST)");
+ ipferror(auth_fd, "ioctl(SIOCATHST)");
exit(-1);
}
}
@@ -505,66 +548,64 @@ u_32_t *frfp;
* just won't work any more.
*/
static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *kernel;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
+ char *kernel;
+ friostat_t **fiopp;
+ ips_stat_t **ipsstpp;
+ ipfrstat_t **ifrstpp;
+ ipf_authstat_t **frauthstpp;
+ u_32_t *frfp;
{
- static fr_authstat_t frauthst, *frauthstp;
+ static ipf_authstat_t frauthst, *frauthstp;
+ static ipftq_t ipstcptab[IPF_TCP_NSTATES];
static ips_stat_t ipsst, *ipsstp;
static ipfrstat_t ifrst, *ifrstp;
static friostat_t fio, *fiop;
- static ipftq_t ipssttab[IPF_TCP_NSTATES];
int temp;
void *rules[2][2];
struct nlist deadlist[44] = {
- { "fr_authstats" }, /* 0 */
- { "fae_list" },
- { "ipauth" },
- { "fr_authlist" },
- { "fr_authstart" },
- { "fr_authend" }, /* 5 */
- { "fr_authnext" },
- { "fr_auth" },
- { "fr_authused" },
- { "fr_authsize" },
- { "fr_defaultauthage" }, /* 10 */
- { "fr_authpkts" },
- { "fr_auth_lock" },
- { "frstats" },
- { "ips_stats" },
- { "ips_num" }, /* 15 */
- { "ips_wild" },
- { "ips_list" },
- { "ips_table" },
- { "fr_statemax" },
- { "fr_statesize" }, /* 20 */
- { "fr_state_doflush" },
- { "fr_state_lock" },
- { "ipfr_heads" },
- { "ipfr_nattab" },
- { "ipfr_stats" }, /* 25 */
- { "ipfr_inuse" },
- { "fr_ipfrttl" },
- { "fr_frag_lock" },
- { "ipfr_timer_id" },
- { "fr_nat_lock" }, /* 30 */
- { "ipfilter" },
- { "ipfilter6" },
- { "ipacct" },
- { "ipacct6" },
- { "ipl_frouteok" }, /* 35 */
- { "fr_running" },
- { "ipfgroups" },
- { "fr_active" },
- { "fr_pass" },
- { "fr_flags" }, /* 40 */
- { "ipstate_logging" },
- { "ips_tqtqb" },
- { NULL }
+ { "ipf_auth_stats", 0, 0, 0, 0 }, /* 0 */
+ { "fae_list", 0, 0, 0, 0 },
+ { "ipauth", 0, 0, 0, 0 },
+ { "ipf_auth_list", 0, 0, 0, 0 },
+ { "ipf_auth_start", 0, 0, 0, 0 },
+ { "ipf_auth_end", 0, 0, 0, 0 }, /* 5 */
+ { "ipf_auth_next", 0, 0, 0, 0 },
+ { "ipf_auth", 0, 0, 0, 0 },
+ { "ipf_auth_used", 0, 0, 0, 0 },
+ { "ipf_auth_size", 0, 0, 0, 0 },
+ { "ipf_auth_defaultage", 0, 0, 0, 0 }, /* 10 */
+ { "ipf_auth_pkts", 0, 0, 0, 0 },
+ { "ipf_auth_lock", 0, 0, 0, 0 },
+ { "frstats", 0, 0, 0, 0 },
+ { "ips_stats", 0, 0, 0, 0 },
+ { "ips_num", 0, 0, 0, 0 }, /* 15 */
+ { "ips_wild", 0, 0, 0, 0 },
+ { "ips_list", 0, 0, 0, 0 },
+ { "ips_table", 0, 0, 0, 0 },
+ { "ipf_state_max", 0, 0, 0, 0 },
+ { "ipf_state_size", 0, 0, 0, 0 }, /* 20 */
+ { "ipf_state_doflush", 0, 0, 0, 0 },
+ { "ipf_state_lock", 0, 0, 0, 0 },
+ { "ipfr_heads", 0, 0, 0, 0 },
+ { "ipfr_nattab", 0, 0, 0, 0 },
+ { "ipfr_stats", 0, 0, 0, 0 }, /* 25 */
+ { "ipfr_inuse", 0, 0, 0, 0 },
+ { "ipf_ipfrttl", 0, 0, 0, 0 },
+ { "ipf_frag_lock", 0, 0, 0, 0 },
+ { "ipfr_timer_id", 0, 0, 0, 0 },
+ { "ipf_nat_lock", 0, 0, 0, 0 }, /* 30 */
+ { "ipf_rules", 0, 0, 0, 0 },
+ { "ipf_acct", 0, 0, 0, 0 },
+ { "ipl_frouteok", 0, 0, 0, 0 },
+ { "ipf_running", 0, 0, 0, 0 },
+ { "ipf_groups", 0, 0, 0, 0 }, /* 35 */
+ { "ipf_active", 0, 0, 0, 0 },
+ { "ipf_pass", 0, 0, 0, 0 },
+ { "ipf_flags", 0, 0, 0, 0 },
+ { "ipf_state_logging", 0, 0, 0, 0 },
+ { "ips_tqtqb", 0, 0, 0, 0 }, /* 40 */
+ { NULL, 0, 0, 0, 0 }
};
@@ -618,23 +659,6 @@ u_32_t *frfp;
fiop->f_fout[1] = rules[1][1];
/*
- * Same for IPv6, except make them null if support for it is not
- * being compiled in.
- */
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
- fiop->f_fin6[0] = rules[0][0];
- fiop->f_fin6[1] = rules[0][1];
- fiop->f_fout6[0] = rules[1][0];
- fiop->f_fout6[1] = rules[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
-#endif
-
- /*
* Now get accounting rules pointers.
*/
kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
@@ -643,32 +667,19 @@ u_32_t *frfp;
fiop->f_acctout[0] = rules[1][0];
fiop->f_acctout[1] = rules[1][1];
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
- fiop->f_acctin6[0] = rules[0][0];
- fiop->f_acctin6[1] = rules[0][1];
- fiop->f_acctout6[0] = rules[1][0];
- fiop->f_acctout6[1] = rules[1][1];
-#else
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
-
/*
* A collection of "global" variables used inside the kernel which
* are all collected in friostat_t via ioctl.
*/
- kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
+ kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[33].n_value,
sizeof(fiop->f_froute));
- kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
+ kmemcpy((char *)&fiop->f_running, (u_long)deadlist[34].n_value,
sizeof(fiop->f_running));
- kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
+ kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[35].n_value,
sizeof(fiop->f_groups));
- kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
+ kmemcpy((char *)&fiop->f_active, (u_long)deadlist[36].n_value,
sizeof(fiop->f_active));
- kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
+ kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[37].n_value,
sizeof(fiop->f_defpass));
/*
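Review bot: The index renumbering is incomplete. The accounting-rules read shown as unchanged context in the `@@ -618,23 +659,6 @@` hunk still uses `deadlist[33].n_value`, which in the new table is `ipl_frouteok` (the same slot this hunk now reads f_froute from), while `ipf_acct` sits at index 32. As written, `sizeof(rules)` bytes would be copied from the address of the wrong kernel symbol into the accounting rule pointers. That line should read `kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));`. Replacing the bare numbers with named enum constants declared next to the table would keep the table and its readers from drifting apart again.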
@@ -676,12 +687,12 @@ u_32_t *frfp;
*/
kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
- kmemcpy((char *)ipssttab, (u_long)deadlist[42].n_value,
- sizeof(ipssttab));
+ kmemcpy((char *)ipstcptab, (u_long)deadlist[40].n_value,
+ sizeof(ipstcptab));
ipsstp->iss_active = temp;
ipsstp->iss_table = (void *)deadlist[18].n_value;
ipsstp->iss_list = (void *)deadlist[17].n_value;
- ipsstp->iss_tcptab = ipssttab;
+ ipsstp->iss_tcptab = ipstcptab;
/*
* Build up the authentiation information stats structure.
@@ -708,65 +719,62 @@ u_32_t *frfp;
}
+static void printside(side, frs)
+ char *side;
+ ipf_statistics_t *frs;
+{
+ int i;
+
+ PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side);
+#ifdef USE_INET6
+ PRINTF("%lu\t%s IPv6 packets\n", frs->fr_ipv6, side);
+#endif
+ PRINTF("%lu\t%s packets blocked\n", frs->fr_block, side);
+ PRINTF("%lu\t%s packets passed\n", frs->fr_pass, side);
+ PRINTF("%lu\t%s packets not matched\n", frs->fr_nom, side);
+ PRINTF("%lu\t%s packets counted\n", frs->fr_acct, side);
+ PRINTF("%lu\t%s packets short\n", frs->fr_short, side);
+ PRINTF("%lu\t%s packets logged and blocked\n", frs->fr_bpkl, side);
+ PRINTF("%lu\t%s packets logged and passed\n", frs->fr_ppkl, side);
+ PRINTF("%lu\t%s fragment state kept\n", frs->fr_nfr, side);
+ PRINTF("%lu\t%s fragment state lost\n", frs->fr_bnfr, side);
+ PRINTF("%lu\t%s packet state kept\n", frs->fr_ads, side);
+ PRINTF("%lu\t%s packet state lost\n", frs->fr_bads, side);
+ PRINTF("%lu\t%s invalid source\n", frs->fr_v4_badsrc, side);
+ PRINTF("%lu\t%s cache hits\n", frs->fr_chit, side);
+ PRINTF("%lu\t%s cache misses\n", frs->fr_cmiss, side);
+ PRINTF("%lu\t%s bad coalesces\n", frs->fr_badcoalesces, side);
+ PRINTF("%lu\t%s pullups succeeded\n", frs->fr_pull[0], side);
+ PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side);
+ PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side);
+ for (i = 0; i <= FRB_MAX_VALUE; i++)
+ PRINTF("%lu\t%s block reason %s\n",
+ frs->fr_blocked[i], side, blockreasons[i]);
+}
+
+
/*
* Display the kernel stats for packets blocked and passed and other
* associated running totals which are kept.
*/
static void showstats(fp, frf)
-struct friostat *fp;
-u_32_t frf;
+ struct friostat *fp;
+ u_32_t frf;
{
-
- PRINTF("bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#ifdef USE_INET6
- PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6, fp->f_st[1].fr_ipv6);
-#endif
- PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- PRINTF("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- PRINTF(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
- PRINTF("IPF Ticks:\t%lu\n", fp->f_ticks);
-
- PRINTF("Packet log flags set: (%#x)\n", frf);
+ printside("input", &fp->f_st[0]);
+ printside("output", &fp->f_st[1]);
+
+ PRINTF("%lu\tpackets logged\n", fp->f_log_ok);
+ PRINTF("%lu\tlog failures\n", fp->f_log_fail);
+ PRINTF("%lu\tred-black no memory\n", fp->f_rb_no_mem);
+ PRINTF("%lu\tred-black node maximum\n", fp->f_rb_node_max);
+ PRINTF("%lu\tICMP replies sent\n", fp->f_st[0].fr_ret);
+ PRINTF("%lu\tTCP RSTs sent\n", fp->f_st[1].fr_ret);
+ PRINTF("%lu\tfastroute successes\n", fp->f_froute[0]);
+ PRINTF("%lu\tfastroute failures\n", fp->f_froute[1]);
+ PRINTF("%u\tIPF Ticks\n", fp->f_ticks);
+
+ PRINTF("%x\tPacket log flags set:\n", frf);
if (frf & FF_LOGPASS)
PRINTF("\tpackets passed through filter\n");
if (frf & FF_LOGBLOCK)
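Review bot: The loop in printside passes `blockreasons[i]` to `%s` for every i up to FRB_MAX_VALUE, but the table added earlier in this commit is 17 string literals with nothing tying that count to `FRB_MAX_VALUE + 1`. If the enum grows without the table, the trailing entries are NULL and PRINTF receives a null pointer for `%s`. A guard such as `blockreasons[i] != NULL ? blockreasons[i] : "unknown"` in the call, or a compile-time check on the initialiser count, closes that gap. printside also has no header comment; I would add `/* Print the per-direction counters in *frs, one "count<TAB>side description" line each. */`.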
@@ -781,30 +789,27 @@ u_32_t frf;
/*
* Print out a list of rules from the kernel, starting at the one passed.
*/
-static void printlivelist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
+static int
+printlivelist(fiop, out, set, fp, group, comment)
+ struct friostat *fiop;
+ int out, set;
+ frentry_t *fp;
+ char *group, *comment;
{
struct frentry fb;
ipfruleiter_t rule;
frentry_t zero;
frgroup_t *g;
ipfobj_t obj;
- int n;
+ int rules;
+ int num;
- if (use_inet6 == 1)
- fb.fr_v = 6;
- else
- fb.fr_v = 4;
- fb.fr_next = fp;
- n = 0;
+ rules = 0;
rule.iri_inout = out;
rule.iri_active = set;
rule.iri_rule = &fb;
rule.iri_nrules = 1;
- rule.iri_v = use_inet6 ? 6 : 4;
if (group != NULL)
strncpy(rule.iri_group, group, FR_GROUPLEN);
else
@@ -818,49 +823,65 @@ char *group, *comment;
obj.ipfo_size = sizeof(rule);
obj.ipfo_ptr = &rule;
- do {
+ while (rule.iri_rule != NULL) {
u_long array[1000];
memset(array, 0xff, sizeof(array));
fp = (frentry_t *)array;
rule.iri_rule = fp;
if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
- perror("ioctl(SIOCIPFITER)");
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
- return;
+ ipferror(ipf_fd, "ioctl(SIOCIPFITER)");
+ num = IPFGENITER_IPF;
+ (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
+ return rules;
}
if (bcmp(fp, &zero, sizeof(zero)) == 0)
break;
+ if (rule.iri_rule == NULL)
+ break;
+#ifdef USE_INET6
+ if (use_inet6 != 0) {
+ if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
+ continue;
+ } else
+#endif
+ {
+ if (fp->fr_family != 0 && fp->fr_family != AF_INET)
+ continue;
+ }
if (fp->fr_data != NULL)
- fp->fr_data = (char *)fp + sizeof(*fp);
+ fp->fr_data = (char *)fp + fp->fr_size;
- n++;
+ rules++;
- if (opts & (OPT_HITS|OPT_VERBOSE))
+ if (opts & (OPT_HITS|OPT_DEBUG))
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_hits);
+ PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits);
#else
PRINTF("%lu ", fp->fr_hits);
#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
+ if (opts & (OPT_ACCNT|OPT_DEBUG))
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
+ PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes);
#else
PRINTF("%lu ", fp->fr_bytes);
#endif
if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
+ PRINTF("@%d ", rules);
+
+ if (fp->fr_die != 0)
+ fp->fr_die -= fiop->f_ticks;
printfr(fp, ioctl);
if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
+ binprint(fp, fp->fr_size);
if (fp->fr_data != NULL && fp->fr_dsize > 0)
binprint(fp->fr_data, fp->fr_dsize);
}
- if (fp->fr_grhead[0] != '\0') {
+ if (fp->fr_grhead != -1) {
for (g = grtop; g != NULL; g = g->fg_next) {
- if (!strncmp(fp->fr_grhead, g->fg_name,
+ if (!strncmp(fp->fr_names + fp->fr_grhead,
+ g->fg_name,
FR_GROUPLEN))
break;
}
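Review bot: `fp->fr_size` and `fp->fr_grhead` are taken from the buffer that SIOCIPFITER filled and then used as lengths and offsets with no check against the `u_long array[1000]` the rule was read into. The uses are `(char *)fp + fp->fr_size`, `binprint(fp, fp->fr_size)` and `fp->fr_names + fp->fr_grhead`. The previous `sizeof(*fp)` could not run past the buffer, whereas a kernel/userland version mismatch is enough to make the new values wrong. I would validate before use, e.g. `if (fp->fr_size > sizeof(array) || fp->fr_dsize > sizeof(array) - fp->fr_size) break;`, and bound fr_grhead the same way before forming the name pointer. The function body continues outside the hunk.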
@@ -868,7 +889,8 @@ char *group, *comment;
g = calloc(1, sizeof(*g));
if (g != NULL) {
- strncpy(g->fg_name, fp->fr_grhead,
+ strncpy(g->fg_name,
+ fp->fr_names + fp->fr_grhead,
FR_GROUPLEN);
if (grtop == NULL) {
grtop = g;
@@ -881,29 +903,23 @@ char *group, *comment;
}
}
if (fp->fr_type == FR_T_CALLFUNC) {
- printlivelist(out, set, fp->fr_data, group,
- "# callfunc: ");
+ rules += printlivelist(fiop, out, set, fp->fr_data,
+ group, "# callfunc: ");
}
- } while (fp->fr_next != NULL);
+ }
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
+ num = IPFGENITER_IPF;
+ (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
- if (group == NULL) {
- while ((g = grtop) != NULL) {
- printf("# Group %s\n", g->fg_name);
- printlivelist(out, set, NULL, g->fg_name, comment);
- grtop = g->fg_next;
- free(g);
- }
- }
+ return rules;
}
-static void printdeadlist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
+static void printdeadlist(fiop, out, set, fp, group, comment)
+ friostat_t *fiop;
+ int out, set;
+ frentry_t *fp;
+ char *group, *comment;
{
frgroup_t *grtop, *grtail, *g;
struct frentry fb;
@@ -916,13 +932,20 @@ char *group, *comment;
grtop = NULL;
grtail = NULL;
- do {
- fp = fb.fr_next;
+ for (n = 1; fp; fp = fb.fr_next, n++) {
if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
- sizeof(fb)) == -1) {
+ fb.fr_size) == -1) {
perror("kmemcpy");
return;
}
+ fp = &fb;
+ if (use_inet6 != 0) {
+ if (fp->fr_family != 0 && fp->fr_family != 6)
+ continue;
+ } else {
+ if (fp->fr_family != 0 && fp->fr_family != 4)
+ continue;
+ }
data = NULL;
type = fb.fr_type & ~FR_T_BUILTIN;
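Review bot: The length passed to kmemcpy is now `fb.fr_size`, a field of the structure being filled. On the first pass it is whatever fb held before the loop (its initialisation is outside the hunk), and afterwards it is a value read from the kernel image or core file, so anything larger than `sizeof(fb)` overruns the stack variable. The source address is `fb.fr_next` rather than the loop variable, which is only right if fb.fr_next is seeded from fp before the loop. I would read the fixed part with `if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {` and use fr_size only as a checked length for trailing data. The family test here also uses literal `6`/`4` where printlivelist uses AF_INET6/AF_INET.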
@@ -939,17 +962,15 @@ char *group, *comment;
}
}
- n++;
-
- if (opts & (OPT_HITS|OPT_VERBOSE))
+ if (opts & OPT_HITS)
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_hits);
+ PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits);
#else
PRINTF("%lu ", fb.fr_hits);
#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
+ if (opts & OPT_ACCNT)
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_bytes);
+ PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes);
#else
PRINTF("%lu ", fb.fr_bytes);
#endif
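Review bot: `PRIu64` is paired with an argument cast to `unsigned long long` on the fr_hits and fr_bytes lines, and the two only agree where uint64_t is itself unsigned long long; where it is unsigned long, the format and the argument type differ. Either cast to match the macro, `PRINTF("%"PRIu64" ", (uint64_t) fb.fr_hits);`, or keep the cast and print with `%llu`. PRIu64 also needs <inttypes.h>, whose inclusion is not visible in this part of the diff. The same pairing is used for fas_hits and fas_miss in the hunk at -1727/+1841.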
@@ -958,17 +979,17 @@ char *group, *comment;
printfr(fp, ioctl);
if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
+ binprint(fp, fp->fr_size);
if (fb.fr_data != NULL && fb.fr_dsize > 0)
binprint(fb.fr_data, fb.fr_dsize);
}
if (data != NULL)
free(data);
- if (fb.fr_grhead[0] != '\0') {
+ if (fb.fr_grhead != -1) {
g = calloc(1, sizeof(*g));
if (g != NULL) {
- strncpy(g->fg_name, fb.fr_grhead,
+ strncpy(g->fg_name, fb.fr_names + fb.fr_grhead,
FR_GROUPLEN);
if (grtop == NULL) {
grtop = g;
@@ -980,13 +1001,13 @@ char *group, *comment;
}
}
if (type == FR_T_CALLFUNC) {
- printdeadlist(out, set, fb.fr_data, group,
+ printdeadlist(fiop, out, set, fb.fr_data, group,
"# callfunc: ");
}
- } while (fb.fr_next != NULL);
+ }
while ((g = grtop) != NULL) {
- printdeadlist(out, set, NULL, g->fg_name, comment);
+ printdeadlist(fiop, out, set, NULL, g->fg_name, comment);
grtop = g->fg_next;
free(g);
}
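Review bot: The per-group recursion still passes `NULL` as `fp`, but the walk in printdeadlist() is now `for (n = 1; fp; ...)` (hunk at -916/+932). Unless the lines between the hunks resolve the group to a rule list, these calls return without printing anything and the `while ((g = grtop) != NULL)` loop only frees the nodes. If rules inside groups are meant to be listed for a kernel image, the head of the group's rule list has to be looked up and passed here. If not, say so with a comment such as `/* group rules are not walked for core files; the list is only released here */`. The function's opening lines are outside this hunk.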
@@ -997,7 +1018,7 @@ char *group, *comment;
* the base from which to get the pointers.
*/
static void showlist(fiop)
-struct friostat *fiop;
+ struct friostat *fiop;
{
struct frentry *fp = NULL;
int i, set;
@@ -1006,15 +1027,6 @@ struct friostat *fiop;
if (opts & OPT_INACTIVE)
set = 1 - set;
if (opts & OPT_ACCNT) {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin6[set];
- } else
-#endif
if (opts & OPT_OUTQUE) {
i = F_ACOUT;
fp = (struct frentry *)fiop->f_acctout[set];
@@ -1026,15 +1038,6 @@ struct friostat *fiop;
return;
}
} else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
if (opts & OPT_OUTQUE) {
i = F_OUT;
fp = (struct frentry *)fiop->f_fout[set];
@@ -1049,139 +1052,243 @@ struct friostat *fiop;
if (opts & OPT_DEBUG)
PRINTF("fp %p set %d\n", fp, set);
- if (!fp) {
- FPRINTF(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
+
+ if (live_kernel == 1) {
+ int printed;
+
+ printed = printlivelist(fiop, i, set, fp, NULL, NULL);
+ if (printed == 0) {
+ FPRINTF(stderr, "# empty list for %s%s\n",
+ (opts & OPT_INACTIVE) ? "inactive " : "",
+ filters[i]);
+ }
+ } else {
+ if (!fp) {
+ FPRINTF(stderr, "# empty list for %s%s\n",
+ (opts & OPT_INACTIVE) ? "inactive " : "",
+ filters[i]);
+ } else {
+ printdeadlist(fiop, i, set, fp, NULL, NULL);
+ }
}
- if (live_kernel == 1)
- printlivelist(i, set, fp, NULL, NULL);
- else
- printdeadlist(i, set, fp, NULL, NULL);
}
/*
* Display ipfilter stateful filtering information
*/
-static void showipstates(ipsp)
-ips_stat_t *ipsp;
+static void showipstates(ipsp, filter)
+ ips_stat_t *ipsp;
+ int *filter;
{
- u_long minlen, maxlen, totallen, *buckets;
- ipftable_t table;
- ipfobj_t obj;
- int i, sz;
+ ipstate_t *is;
+ int i;
/*
* If a list of states hasn't been asked for, only print out stats
*/
if (!(opts & OPT_SHOWLIST)) {
+ showstatestats(ipsp);
+ return;
+ }
- sz = sizeof(*buckets) * ipsp->iss_statesize;
- buckets = (u_long *)malloc(sz);
+ if ((state_fields != NULL) && (nohdrfields == 0)) {
+ for (i = 0; state_fields[i].w_value != 0; i++) {
+ printfieldhdr(statefields, state_fields + i);
+ if (state_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ }
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GTABLE;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = &table;
+ /*
+ * Print out all the state information currently held in the kernel.
+ */
+ for (is = ipsp->iss_list; is != NULL; ) {
+ ipstate_t ips;
- table.ita_type = IPFTABLE_BUCKETS;
- table.ita_table = buckets;
+ is = fetchstate(is, &ips);
- if (live_kernel == 1) {
- if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
- free(buckets);
- return;
+ if (is == NULL)
+ break;
+
+ is = ips.is_next;
+ if ((filter != NULL) &&
+ (state_matcharray(&ips, filter) == 0)) {
+ continue;
+ }
+ if (state_fields != NULL) {
+ for (i = 0; state_fields[i].w_value != 0; i++) {
+ printstatefield(&ips, state_fields[i].w_value);
+ if (state_fields[i + 1].w_value != 0)
+ printf("\t");
}
+ printf("\n");
} else {
- if (kmemcpy((char *)buckets,
- (u_long)ipsp->iss_bucketlen, sz)) {
- free(buckets);
- return;
- }
+ printstate(&ips, opts, ipsp->iss_ticks);
}
+ }
+}
- PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- PRINTF("\t%lu bucket full\n", ipsp->iss_bucketfull);
- PRINTF("\t%lu maximum rule references\n", ipsp->iss_maxref);
- PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
-
- PRINTF("State logging %sabled\n",
- state_logging ? "en" : "dis");
-
- PRINTF("\nState table bucket statistics:\n");
- PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
- PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
- (u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
-
- minlen = ipsp->iss_inuse;
- totallen = 0;
- maxlen = 0;
-
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if (buckets[i] > maxlen)
- maxlen = buckets[i];
- if (buckets[i] < minlen)
- minlen = buckets[i];
- totallen += buckets[i];
- }
- PRINTF("\t%2.2f%% bucket usage\n\t%lu minimal length\n",
- ((float)ipsp->iss_inuse / ipsp->iss_statesize) * 100.0,
- minlen);
- PRINTF("\t%lu maximal length\n\t%.3f average length\n",
- maxlen,
- ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
- 0.0);
+static void showstatestats(ipsp)
+ ips_stat_t *ipsp;
+{
+ int minlen, maxlen, totallen;
+ ipftable_t table;
+ u_int *buckets;
+ ipfobj_t obj;
+ int i, sz;
-#define ENTRIES_PER_LINE 5
+ /*
+ * If a list of states hasn't been asked for, only print out stats
+ */
- if (opts & OPT_VERBOSE) {
- PRINTF("\nCurrent bucket sizes :\n");
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if ((i % ENTRIES_PER_LINE) == 0)
- PRINTF("\t");
- PRINTF("%4d -> %4lu", i, buckets[i]);
- if ((i % ENTRIES_PER_LINE) ==
- (ENTRIES_PER_LINE - 1))
- PRINTF("\n");
- else
- PRINTF(" ");
- }
- PRINTF("\n");
- }
- PRINTF("\n");
+ sz = sizeof(*buckets) * ipsp->iss_state_size;
+ buckets = (u_int *)malloc(sz);
- free(buckets);
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_GTABLE;
+ obj.ipfo_size = sizeof(table);
+ obj.ipfo_ptr = &table;
- if (live_kernel == 1) {
- showtqtable_live(state_fd);
- } else {
- printtqtable(ipsp->iss_tcptab);
+ table.ita_type = IPFTABLE_BUCKETS;
+ table.ita_table = buckets;
+
+ if (live_kernel == 1) {
+ if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
+ free(buckets);
+ return;
}
+ } else {
+ if (kmemcpy((char *)buckets,
+ (u_long)ipsp->iss_bucketlen, sz)) {
+ free(buckets);
+ return;
+ }
+ }
- return;
+ PRINTF("%u\tactive state table entries\n",ipsp->iss_active);
+ PRINTF("%lu\tadd bad\n", ipsp->iss_add_bad);
+ PRINTF("%lu\tadd duplicate\n", ipsp->iss_add_dup);
+ PRINTF("%lu\tadd locked\n", ipsp->iss_add_locked);
+ PRINTF("%lu\tadd oow\n", ipsp->iss_add_oow);
+ PRINTF("%lu\tbucket full\n", ipsp->iss_bucket_full);
+ PRINTF("%lu\tcheck bad\n", ipsp->iss_check_bad);
+ PRINTF("%lu\tcheck miss\n", ipsp->iss_check_miss);
+ PRINTF("%lu\tcheck nattag\n", ipsp->iss_check_nattag);
+ PRINTF("%lu\tclone nomem\n", ipsp->iss_clone_nomem);
+ PRINTF("%lu\tcheck notag\n", ipsp->iss_check_notag);
+ PRINTF("%lu\tcheck success\n", ipsp->iss_hits);
+ PRINTF("%lu\tcloned\n", ipsp->iss_cloned);
+ PRINTF("%lu\texpired\n", ipsp->iss_expire);
+ PRINTF("%lu\tflush all\n", ipsp->iss_flush_all);
+ PRINTF("%lu\tflush closing\n", ipsp->iss_flush_closing);
+ PRINTF("%lu\tflush queue\n", ipsp->iss_flush_queue);
+ PRINTF("%lu\tflush state\n", ipsp->iss_flush_state);
+ PRINTF("%lu\tflush timeout\n", ipsp->iss_flush_timeout);
+ PRINTF("%u\thash buckets in use\n", ipsp->iss_inuse);
+ PRINTF("%lu\tICMP bad\n", ipsp->iss_icmp_bad);
+ PRINTF("%lu\tICMP banned\n", ipsp->iss_icmp_banned);
+ PRINTF("%lu\tICMP errors\n", ipsp->iss_icmp_icmperr);
+ PRINTF("%lu\tICMP head block\n", ipsp->iss_icmp_headblock);
+ PRINTF("%lu\tICMP hits\n", ipsp->iss_icmp_hits);
+ PRINTF("%lu\tICMP not query\n", ipsp->iss_icmp_notquery);
+ PRINTF("%lu\tICMP short\n", ipsp->iss_icmp_short);
+ PRINTF("%lu\tICMP too many\n", ipsp->iss_icmp_toomany);
+ PRINTF("%lu\tICMPv6 errors\n", ipsp->iss_icmp6_icmperr);
+ PRINTF("%lu\tICMPv6 miss\n", ipsp->iss_icmp6_miss);
+ PRINTF("%lu\tICMPv6 not info\n", ipsp->iss_icmp6_notinfo);
+ PRINTF("%lu\tICMPv6 not query\n", ipsp->iss_icmp6_notquery);
+ PRINTF("%lu\tlog fail\n", ipsp->iss_log_fail);
+ PRINTF("%lu\tlog ok\n", ipsp->iss_log_ok);
+ PRINTF("%lu\tlookup interface mismatch\n", ipsp->iss_lookup_badifp);
+ PRINTF("%lu\tlookup mask mismatch\n", ipsp->iss_miss_mask);
+ PRINTF("%lu\tlookup port mismatch\n", ipsp->iss_lookup_badport);
+ PRINTF("%lu\tlookup miss\n", ipsp->iss_lookup_miss);
+ PRINTF("%lu\tmaximum rule references\n", ipsp->iss_max_ref);
+ PRINTF("%lu\tmaximum hosts per rule\n", ipsp->iss_max_track);
+ PRINTF("%lu\tno memory\n", ipsp->iss_nomem);
+ PRINTF("%lu\tout of window\n", ipsp->iss_oow);
+ PRINTF("%lu\torphans\n", ipsp->iss_orphan);
+ PRINTF("%lu\tscan block\n", ipsp->iss_scan_block);
+ PRINTF("%lu\tstate table maximum reached\n", ipsp->iss_max);
+ PRINTF("%lu\tTCP closing\n", ipsp->iss_tcp_closing);
+ PRINTF("%lu\tTCP OOW\n", ipsp->iss_tcp_oow);
+ PRINTF("%lu\tTCP RST add\n", ipsp->iss_tcp_rstadd);
+ PRINTF("%lu\tTCP too small\n", ipsp->iss_tcp_toosmall);
+ PRINTF("%lu\tTCP bad options\n", ipsp->iss_tcp_badopt);
+ PRINTF("%lu\tTCP removed\n", ipsp->iss_fin);
+ PRINTF("%lu\tTCP FSM\n", ipsp->iss_tcp_fsm);
+ PRINTF("%lu\tTCP strict\n", ipsp->iss_tcp_strict);
+ PRINTF("%lu\tTCP wild\n", ipsp->iss_wild);
+ PRINTF("%lu\tMicrosoft Windows SACK\n", ipsp->iss_winsack);
+
+ PRINTF("State logging %sabled\n", state_logging ? "en" : "dis");
+
+ PRINTF("IP states added:\n");
+ for (i = 0; i < 256; i++) {
+ if (ipsp->iss_proto[i] != 0) {
+ struct protoent *proto;
+
+ proto = getprotobynumber(i);
+ PRINTF("%lu", ipsp->iss_proto[i]);
+ if (proto != NULL)
+ PRINTF("\t%s\n", proto->p_name);
+ else
+ PRINTF("\t%d\n", i);
+ }
+ }
+
+ PRINTF("\nState table bucket statistics:\n");
+ PRINTF("%u\tin use\n", ipsp->iss_inuse);
+
+ minlen = ipsp->iss_max;
+ totallen = 0;
+ maxlen = 0;
+ for (i = 0; i < ipsp->iss_state_size; i++) {
+ if (buckets[i] > maxlen)
+ maxlen = buckets[i];
+ if (buckets[i] < minlen)
+ minlen = buckets[i];
+ totallen += buckets[i];
}
- /*
- * Print out all the state information currently held in the kernel.
- */
- while (ipsp->iss_list != NULL) {
- ipstate_t ips;
+ PRINTF("%d\thash efficiency\n",
+ totallen ? ipsp->iss_inuse * 100 / totallen : 0);
+ PRINTF("%2.2f%%\tbucket usage\n%u\tminimal length\n",
+ ((float)ipsp->iss_inuse / ipsp->iss_state_size) * 100.0,
+ minlen);
+ PRINTF("%u\tmaximal length\n%.3f\taverage length\n",
+ maxlen,
+ ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
+ 0.0);
- ipsp->iss_list = fetchstate(ipsp->iss_list, &ips);
+#define ENTRIES_PER_LINE 5
- if (ipsp->iss_list != NULL) {
- ipsp->iss_list = ips.is_next;
- printstate(&ips, opts, ipsp->iss_ticks);
+ if (opts & OPT_VERBOSE) {
+ PRINTF("\nCurrent bucket sizes :\n");
+ for (i = 0; i < ipsp->iss_state_size; i++) {
+ if ((i % ENTRIES_PER_LINE) == 0)
+ PRINTF("\t");
+ PRINTF("%4d -> %4u", i, buckets[i]);
+ if ((i % ENTRIES_PER_LINE) ==
+ (ENTRIES_PER_LINE - 1))
+ PRINTF("\n");
+ else
+ PRINTF(" ");
}
+ PRINTF("\n");
+ }
+ PRINTF("\n");
+
+ free(buckets);
+
+ if (live_kernel == 1) {
+ showtqtable_live(state_fd);
+ } else {
+ printtqtable(ipsp->iss_tcptab);
}
}
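Review bot: In the new showstatestats() the result of `malloc(sz)` is handed to the SIOCGTABL ioctl or to kmemcpy() and then indexed without a NULL check, and `sz` is an int product of `sizeof(*buckets)` and `ipsp->iss_state_size`, which for a core file is whatever the image contains. Add `if (buckets == NULL) { perror("malloc"); return; }` after the allocation, and reject a non-positive or overflowing `iss_state_size` before computing `sz`. `minlen`, `maxlen` and `totallen` are now int while `buckets` is `u_int *`, so the comparisons mix signedness and the `%u` conversions receive int arguments; declaring them u_int would match. The comment "If a list of states hasn't been asked for, only print out stats" was carried into showstatestats(), where no such test remains, and should be dropped or reworded.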
@@ -1190,21 +1297,23 @@ ips_stat_t *ipsp;
static int handle_resize = 0, handle_break = 0;
static void topipstates(saddr, daddr, sport, dport, protocol, ver,
- refreshtime, topclosed)
-i6addr_t saddr;
-i6addr_t daddr;
-int sport;
-int dport;
-int protocol;
-int ver;
-int refreshtime;
-int topclosed;
+ refreshtime, topclosed, filter)
+ i6addr_t saddr;
+ i6addr_t daddr;
+ int sport;
+ int dport;
+ int protocol;
+ int ver;
+ int refreshtime;
+ int topclosed;
+ int *filter;
{
char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
int len, srclen, dstlen, forward = 1, c = 0;
ips_stat_t ipsst, *ipsstp = &ipsst;
+ int token_type = IPFGENITER_STATE;
statetop_t *tstable = NULL, *tp;
const char *errstr = "";
ipstate_t ips;
@@ -1267,6 +1376,10 @@ int topclosed;
if (ips.is_v != ver)
continue;
+ if ((filter != NULL) &&
+ (state_matcharray(&ips, filter) == 0))
+ continue;
+
/* check v4 src/dest addresses */
if (ips.is_v == 4) {
if ((saddr.in4.s_addr != INADDR_ANY &&
@@ -1348,6 +1461,7 @@ int topclosed;
}
}
+ (void) ioctl(state_fd, SIOCIPFDELTOK, &token_type);
/* sort the array */
if (tsentry != -1) {
@@ -1485,14 +1599,14 @@ int topclosed;
printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
str1, str2, str3, str4);
- /*
+ /*
* For an IPv4 IP address we need at most 15 characters,
* 4 tuples of 3 digits, separated by 3 dots. Enforce this
* length, so the colums do not change positions based
* on the size of the IP address. This length makes the
- * output fit in a 80 column terminal.
+ * output fit in a 80 column terminal.
* We are lacking a good solution for IPv6 addresses (that
- * can be longer that 15 characters), so we do not enforce
+ * can be longer that 15 characters), so we do not enforce
* a maximum on the IP field size.
*/
if (srclen < 15)
@@ -1629,8 +1743,8 @@ out:
* Show fragment cache information that's held in the kernel.
*/
static void showfrstates(ifsp, ticks)
-ipfrstat_t *ifsp;
-u_long ticks;
+ ipfrstat_t *ifsp;
+ u_long ticks;
{
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
int i;
@@ -1638,13 +1752,13 @@ u_long ticks;
/*
* print out the numeric statistics
*/
- PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
+ PRINTF("IP fragment states:\n%lu\tnew\n%lu\texpired\n%lu\thits\n",
ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- PRINTF("\t%lu retrans\n\t%lu too short\n",
+ PRINTF("%lu\tretrans\n%lu\ttoo short\n",
ifsp->ifs_retrans0, ifsp->ifs_short);
- PRINTF("\t%lu no memory\n\t%lu already exist\n",
+ PRINTF("%lu\tno memory\n%lu\talready exist\n",
ifsp->ifs_nomem, ifsp->ifs_exists);
- PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
+ PRINTF("%lu\tinuse\n", ifsp->ifs_inuse);
PRINTF("\n");
if (live_kernel == 0) {
@@ -1664,7 +1778,7 @@ u_long ticks;
break;
ifr.ipfr_ttl -= ticks;
printfraginfo("", &ifr);
- } while (1);
+ } while (ifr.ipfr_next != NULL);
} else {
for (i = 0; i < IPFT_SIZE; i++)
while (ipfrtab[i] != NULL) {
@@ -1693,7 +1807,7 @@ u_long ticks;
break;
ifr.ipfr_ttl -= ticks;
printfraginfo("NAT: ", &ifr);
- } while (1);
+ } while (ifr.ipfr_next != NULL);
} else {
for (i = 0; i < IPFT_SIZE; i++)
while (ipfrtab[i] != NULL) {
@@ -1711,7 +1825,7 @@ u_long ticks;
* Show stats on how auth within IPFilter has been used
*/
static void showauthstates(asp)
-fr_authstat_t *asp;
+ ipf_authstat_t *asp;
{
frauthent_t *frap, fra;
ipfgeniter_t auth;
@@ -1727,7 +1841,7 @@ fr_authstat_t *asp;
auth.igi_data = &fra;
#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
+ printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n",
(unsigned long long) asp->fas_hits,
(unsigned long long) asp->fas_miss);
#else
@@ -1762,7 +1876,7 @@ fr_authstat_t *asp;
* authentication, separately.
*/
static void showgroups(fiop)
-struct friostat *fiop;
+ struct friostat *fiop;
{
static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
@@ -1790,10 +1904,11 @@ struct friostat *fiop;
}
}
+
static void parse_ipportstr(argument, ip, port)
-const char *argument;
-i6addr_t *ip;
-int *port;
+ const char *argument;
+ i6addr_t *ip;
+ int *port;
{
char *s, *comma;
int ok = 0;
@@ -1845,20 +1960,20 @@ int *port;
#ifdef STATETOP
static void sig_resize(s)
-int s;
+ int s;
{
handle_resize = 1;
}
static void sig_break(s)
-int s;
+ int s;
{
handle_break = 1;
}
static char *getip(v, addr)
-int v;
-i6addr_t *addr;
+ int v;
+ i6addr_t *addr;
{
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
@@ -1878,7 +1993,7 @@ i6addr_t *addr;
static char *ttl_to_string(ttl)
-long int ttl;
+ long int ttl;
{
static char ttlbuf[STSTRSIZE];
int hours, minutes, seconds;
@@ -1900,8 +2015,8 @@ long int ttl;
static int sort_pkts(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
@@ -1916,8 +2031,8 @@ const void *b;
static int sort_bytes(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1931,8 +2046,8 @@ const void *b;
static int sort_p(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1946,8 +2061,8 @@ const void *b;
static int sort_ttl(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1960,8 +2075,8 @@ const void *b;
}
static int sort_srcip(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1986,8 +2101,8 @@ const void *b;
}
static int sort_srcpt(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -2000,8 +2115,8 @@ const void *b;
}
static int sort_dstip(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -2026,8 +2141,8 @@ const void *b;
}
static int sort_dstpt(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -2043,9 +2158,8 @@ const void *b;
ipstate_t *fetchstate(src, dst)
-ipstate_t *src, *dst;
+ ipstate_t *src, *dst;
{
- int i;
if (live_kernel == 1) {
ipfgeniter_t state;
@@ -2063,8 +2177,8 @@ ipstate_t *src, *dst;
if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
return NULL;
if (dst->is_next == NULL) {
- i = IPFGENITER_STATE;
- ioctl(state_fd, SIOCIPFDELTOK, &i);
+ int n = IPFGENITER_STATE;
+ (void) ioctl(ipf_fd,SIOCIPFDELTOK, &n);
}
} else {
if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
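Review bot: The token is now deleted through `ipf_fd`, while the iterator in this function is driven by `ioctl(state_fd, SIOCGENITER, &obj)` just above and the removed line also used `state_fd`. topipstates() in the hunk at -1348/+1461 deletes the same IPFGENITER_STATE token via `state_fd`. If tokens are tracked per open device, this call will not release the state iterator; I would expect `(void) ioctl(state_fd, SIOCIPFDELTOK, &n);` here. fetchstate() starts and ends outside this hunk.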
@@ -2075,8 +2189,8 @@ ipstate_t *src, *dst;
static int fetchfrag(fd, type, frp)
-int fd, type;
-ipfr_t *frp;
+ int fd, type;
+ ipfr_t *frp;
{
ipfgeniter_t frag;
ipfobj_t obj;
@@ -2096,8 +2210,155 @@ ipfr_t *frp;
}
+static int state_matcharray(stp, array)
+ ipstate_t *stp;
+ int *array;
+{
+ int i, n, *x, rv, p;
+ ipfexp_t *e;
+
+ rv = 0;
+
+ for (n = array[0], x = array + 1; n > 0; x += e->ipfe_size) {
+ e = (ipfexp_t *)x;
+ if (e->ipfe_cmd == IPF_EXP_END)
+ break;
+ n -= e->ipfe_size;
+
+ rv = 0;
+ /*
+ * The upper 16 bits currently store the protocol value.
+ * This is currently used with TCP and UDP port compares and
+ * allows "tcp.port = 80" without requiring an explicit
+ " "ip.pr = tcp" first.
+ */
+ p = e->ipfe_cmd >> 16;
+ if ((p != 0) && (p != stp->is_p))
+ break;
+
+ switch (e->ipfe_cmd)
+ {
+ case IPF_EXP_IP_PR :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_p == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_IP_SRCADDR :
+ if (stp->is_v != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((stp->is_saddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_DSTADDR :
+ if (stp->is_v != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((stp->is_daddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_ADDR :
+ if (stp->is_v != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((stp->is_saddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((stp->is_daddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+#ifdef USE_INET6
+ case IPF_EXP_IP6_SRCADDR :
+ if (stp->is_v != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&stp->is_src,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_DSTADDR :
+ if (stp->is_v != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&stp->is_dst,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_ADDR :
+ if (stp->is_v != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&stp->is_src,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&stp->is_dst,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+#endif
+
+ case IPF_EXP_UDP_PORT :
+ case IPF_EXP_TCP_PORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_sport == e->ipfe_arg0[i]) ||
+ (stp->is_dport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_SPORT :
+ case IPF_EXP_TCP_SPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_sport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_DPORT :
+ case IPF_EXP_TCP_DPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_dport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_IDLE_GT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_die < e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_TCP_STATE :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_state[0] == e->ipfe_arg0[i]) ||
+ (stp->is_state[1] == e->ipfe_arg0[i]);
+ }
+ break;
+ }
+ rv ^= e->ipfe_not;
+
+ if (rv == 0)
+ break;
+ }
+
+ return rv;
+}
+
+
static void showtqtable_live(fd)
-int fd;
+ int fd;
{
ipftq_t table[IPF_TCP_NSTATES];
ipfobj_t obj;
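Review bot: The walk in state_matcharray() advances with `x += e->ipfe_size` and `n -= e->ipfe_size` and trusts `ipfe_narg` for every index into `ipfe_arg0`, so an entry whose size is zero or negative never ends the loop and an oversized `ipfe_narg` reads past the array. If the array is only ever built by this tool's own expression parser, state that invariant in a header comment; otherwise add `if (e->ipfe_size <= 0) return 0;` before `n -= e->ipfe_size;`. The protocol pre-check `break`s before `rv ^= e->ipfe_not` is applied, so a negated port expression never matches a state of another protocol; the comment should say whether that is intended. That block comment also has a stray `"` where the leading `*` belongs on the line ending `"ip.pr = tcp" first.`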
diff --git a/contrib/ipfilter/tools/ipfsyncd.c b/contrib/ipfilter/tools/ipfsyncd.c
new file mode 100644
index 0000000..d4671e4
--- /dev/null
+++ b/contrib/ipfilter/tools/ipfsyncd.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ipfsyncd.c,v 1.1.2.2 2012/07/22 08:04:24 darren_r Exp $";
+#endif
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/sockio.h>
+#include <sys/errno.h>
+
+#include <netinet/in.h>
+#include <net/if.h>
+
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <syslog.h>
+#include <signal.h>
+
+#include "ipf.h"
+#include "opts.h"
+
+
+#define R_IO_ERROR -1
+#define R_OKAY 0
+#define R_MORE 1
+#define R_SKIP 2
+#if defined(sun) && !defined(SOLARIS2)
+# define STRERROR(x) sys_errlist[x]
+extern char *sys_errlist[];
+#else
+# define STRERROR(x) strerror(x)
+#endif
+
+
+int main __P((int, char *[]));
+void usage __P((char *));
+void printsynchdr __P((synchdr_t *));
+void printtable __P((int));
+void printsmcproto __P((char *));
+void printcommand __P((int));
+int do_kbuff __P((int, char *, int *));
+int do_packet __P((int, char *));
+int buildsocket __P((char *, struct sockaddr_in *));
+void do_io __P((void));
+void handleterm __P((int));
+
+int terminate = 0;
+int igmpfd = -1;
+int nfd = -1;
+int lfd = -1;
+int opts = 0;
+
+void
+usage(progname)
+ char *progname;
+{
+ fprintf(stderr,
+ "Usage: %s [-d] [-p port] [-i address] -I <interface>\n",
+ progname);
+}
+
+void
+handleterm(sig)
+ int sig;
+{
+ terminate = sig;
+}
+
+
+/* should be large enough to hold header + any datatype */
+#define BUFFERLEN 1400
+
+int
+main(argc, argv)
+ int argc;
+ char *argv[];
+{
+ struct sockaddr_in sin;
+ char *interface;
+ char *progname;
+ int opt, tries;
+
+ progname = strrchr(argv[0], '/');
+ if (progname) {
+ progname++;
+ } else {
+ progname = argv[0];
+ }
+
+ opts = 0;
+ tries = 0;
+ interface = NULL;
+
+ bzero((char *)&sin, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sin.sin_port = htons(0xaf6c);
+ sin.sin_addr.s_addr = htonl(INADDR_UNSPEC_GROUP | 0x697066);
+
+ while ((opt = getopt(argc, argv, "di:I:p:")) != -1)
+ switch (opt)
+ {
+ case 'd' :
+ debuglevel++;
+ break;
+ case 'I' :
+ interface = optarg;
+ break;
+ case 'i' :
+ sin.sin_addr.s_addr = inet_addr(optarg);
+ break;
+ case 'p' :
+ sin.sin_port = htons(atoi(optarg));
+ break;
+ }
+
+ if (interface == NULL) {
+ usage(progname);
+ exit(1);
+ }
+
+ if (!debuglevel) {
+
+#if BSD >= 199306
+ daemon(0, 0);
+#else
+ int fd = open("/dev/null", O_RDWR);
+
+ switch (fork())
+ {
+ case 0 :
+ break;
+
+ case -1 :
+ fprintf(stderr, "%s: fork() failed: %s\n",
+ argv[0], STRERROR(errno));
+ exit(1);
+ /* NOTREACHED */
+
+ default :
+ exit(0);
+ /* NOTREACHED */
+ }
+
+ dup2(fd, 0);
+ dup2(fd, 1);
+ dup2(fd, 2);
+ close(fd);
+
+ setsid();
+#endif
+ }
+
+ signal(SIGHUP, handleterm);
+ signal(SIGINT, handleterm);
+ signal(SIGTERM, handleterm);
+
+ openlog(progname, LOG_PID, LOG_SECURITY);
+
+ while (!terminate) {
+ if (lfd != -1) {
+ close(lfd);
+ lfd = -1;
+ }
+ if (nfd != -1) {
+ close(nfd);
+ nfd = -1;
+ }
+ if (igmpfd != -1) {
+ close(igmpfd);
+ igmpfd = -1;
+ }
+
+ if (buildsocket(interface, &sin) == -1)
+ goto tryagain;
+
+ lfd = open(IPSYNC_NAME, O_RDWR);
+ if (lfd == -1) {
+ syslog(LOG_ERR, "open(%s):%m", IPSYNC_NAME);
+ debug(1, "open(%s): %s\n", IPSYNC_NAME,
+ STRERROR(errno));
+ goto tryagain;
+ }
+
+ tries = -1;
+ do_io();
+tryagain:
+ tries++;
+ syslog(LOG_INFO, "retry in %d seconds", 1 << tries);
+ debug(1, "wait %d seconds\n", 1 << tries);
+ sleep(1 << tries);
+ }
+
+
+ /* terminate */
+ if (lfd != -1)
+ close(lfd);
+ if (nfd != -1)
+ close(nfd);
+
+ syslog(LOG_ERR, "signal %d received, exiting...", terminate);
+ debug(1, "signal %d received, exiting...", terminate);
+
+ exit(1);
+}
+
+
+void
+do_io()
+{
+ char nbuff[BUFFERLEN];
+ char buff[BUFFERLEN];
+ fd_set mrd, rd;
+ int maxfd;
+ int inbuf;
+ int n1;
+ int left;
+
+ FD_ZERO(&mrd);
+ FD_SET(lfd, &mrd);
+ FD_SET(nfd, &mrd);
+ maxfd = nfd;
+ if (lfd > maxfd)
+ maxfd = lfd;
+ debug(2, "nfd %d lfd %d maxfd %d\n", nfd, lfd, maxfd);
+
+ inbuf = 0;
+ /*
+ * A threaded approach to this loop would have one thread
+ * work on reading lfd (only) all the time and another thread
+ * working on reading nfd all the time.
+ */
+ while (!terminate) {
+ int n;
+
+ rd = mrd;
+
+ n = select(maxfd + 1, &rd, NULL, NULL, NULL);
+ if (n < 0) {
+ switch (errno)
+ {
+ case EINTR :
+ continue;
+ default :
+ syslog(LOG_ERR, "select error: %m");
+ debug(1, "select error: %s\n", STRERROR(errno));
+ return;
+ }
+ }
+
+ if (FD_ISSET(lfd, &rd)) {
+ n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
+
+ debug(3, "read(K):%d\n", n1);
+
+ if (n1 <= 0) {
+ syslog(LOG_ERR, "read error (k-header): %m");
+ debug(1, "read error (k-header): %s\n",
+ STRERROR(errno));
+ return;
+ }
+
+ left = 0;
+
+ switch (do_kbuff(n1, buff, &left))
+ {
+ case R_IO_ERROR :
+ return;
+ case R_MORE :
+ inbuf += left;
+ break;
+ default :
+ inbuf = 0;
+ break;
+ }
+ }
+
+ if (FD_ISSET(nfd, &rd)) {
+ n1 = recv(nfd, nbuff, sizeof(nbuff), 0);
+
+ debug(3, "read(N):%d\n", n1);
+
+ if (n1 <= 0) {
+ syslog(LOG_ERR, "read error (n-header): %m");
+ debug(1, "read error (n-header): %s\n",
+ STRERROR(errno));
+ return;
+ }
+
+ switch (do_packet(n1, nbuff))
+ {
+ case R_IO_ERROR :
+ return;
+ default :
+ break;
+ }
+ }
+ }
+}
+
+
+int
+buildsocket(nicname, sinp)
+ char *nicname;
+ struct sockaddr_in *sinp;
+{
+ struct sockaddr_in *reqip;
+ struct ifreq req;
+ char opt;
+
+ debug(2, "binding to %s:%s\n", nicname, inet_ntoa(sinp->sin_addr));
+
+ if (IN_MULTICAST(ntohl(sinp->sin_addr.s_addr))) {
+ struct in_addr addr;
+ struct ip_mreq mreq;
+
+ igmpfd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
+ if (igmpfd == -1) {
+ syslog(LOG_ERR, "socket:%m");
+ debug(1, "socket:%s\n", STRERROR(errno));
+ return -1;
+ }
+
+ bzero((char *)&req, sizeof(req));
+ strncpy(req.ifr_name, nicname, sizeof(req.ifr_name));
+ req.ifr_name[sizeof(req.ifr_name) - 1] = '\0';
+ if (ioctl(igmpfd, SIOCGIFADDR, &req) == -1) {
+ syslog(LOG_ERR, "ioctl(SIOCGIFADDR):%m");
+ debug(1, "ioctl(SIOCGIFADDR):%s\n", STRERROR(errno));
+ close(igmpfd);
+ igmpfd = -1;
+ return -1;
+ }
+ reqip = (struct sockaddr_in *)&req.ifr_addr;
+
+ addr = reqip->sin_addr;
+ if (setsockopt(igmpfd, IPPROTO_IP, IP_MULTICAST_IF,
+ (char *)&addr, sizeof(addr)) == -1) {
+ syslog(LOG_ERR, "setsockopt(IP_MULTICAST_IF(%s)):%m",
+ inet_ntoa(addr));
+ debug(1, "setsockopt(IP_MULTICAST_IF(%s)):%s\n",
+ inet_ntoa(addr), STRERROR(errno));
+ close(igmpfd);
+ igmpfd = -1;
+ return -1;
+ }
+
+ opt = 0;
+ if (setsockopt(igmpfd, IPPROTO_IP, IP_MULTICAST_LOOP,
+ (char *)&opt, sizeof(opt)) == -1) {
+ syslog(LOG_ERR, "setsockopt(IP_MULTICAST_LOOP=0):%m");
+ debug(1, "setsockopt(IP_MULTICAST_LOOP=0):%s\n",
+ STRERROR(errno));
+ close(igmpfd);
+ igmpfd = -1;
+ return -1;
+ }
+
+ opt = 63;
+ if (setsockopt(igmpfd, IPPROTO_IP, IP_MULTICAST_TTL,
+ (char *)&opt, sizeof(opt)) == -1) {
+ syslog(LOG_ERR, "setsockopt(IP_MULTICAST_TTL=%d):%m",
+ opt);
+ debug(1, "setsockopt(IP_MULTICAST_TTL=%d):%s\n", opt,
+ STRERROR(errno));
+ close(igmpfd);
+ igmpfd = -1;
+ return -1;
+ }
+
+ mreq.imr_multiaddr.s_addr = sinp->sin_addr.s_addr;
+ mreq.imr_interface.s_addr = reqip->sin_addr.s_addr;
+
+ if (setsockopt(igmpfd, IPPROTO_IP, IP_ADD_MEMBERSHIP,
+ (char *)&mreq, sizeof(mreq)) == -1) {
+ char buffer[80];
+
+ sprintf(buffer, "%s,", inet_ntoa(sinp->sin_addr));
+ strcat(buffer, inet_ntoa(reqip->sin_addr));
+
+ syslog(LOG_ERR,
+ "setsockpt(IP_ADD_MEMBERSHIP,%s):%m", buffer);
+ debug(1, "setsockpt(IP_ADD_MEMBERSHIP,%s):%s\n",
+ buffer, STRERROR(errno));
+ close(igmpfd);
+ igmpfd = -1;
+ return -1;
+ }
+ }
+ nfd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (nfd == -1) {
+ syslog(LOG_ERR, "socket:%m");
+ if (igmpfd != -1) {
+ close(igmpfd);
+ igmpfd = -1;
+ }
+ return -1;
+ }
+ bzero((char *)&req, sizeof(req));
+ strncpy(req.ifr_name, nicname, sizeof(req.ifr_name));
+ req.ifr_name[sizeof(req.ifr_name) - 1] = '\0';
+ if (ioctl(nfd, SIOCGIFADDR, &req) == -1) {
+ syslog(LOG_ERR, "ioctl(SIOCGIFADDR):%m");
+ debug(1, "ioctl(SIOCGIFADDR):%s\n", STRERROR(errno));
+ close(igmpfd);
+ igmpfd = -1;
+ return -1;
+ }
+
+ if (bind(nfd, (struct sockaddr *)&req.ifr_addr,
+ sizeof(req.ifr_addr)) == -1) {
+ syslog(LOG_ERR, "bind:%m");
+ debug(1, "bind:%s\n", STRERROR(errno));
+ close(nfd);
+ if (igmpfd != -1) {
+ close(igmpfd);
+ igmpfd = -1;
+ }
+ nfd = -1;
+ return -1;
+ }
+
+ if (connect(nfd, (struct sockaddr *)sinp, sizeof(*sinp)) == -1) {
+ syslog(LOG_ERR, "connect:%m");
+ debug(1, "connect:%s\n", STRERROR(errno));
+ close(nfd);
+ if (igmpfd != -1) {
+ close(igmpfd);
+ igmpfd = -1;
+ }
+ nfd = -1;
+ return -1;
+ }
+ syslog(LOG_INFO, "Sending data to %s", inet_ntoa(sinp->sin_addr));
+ debug(3, "Sending data to %s\n", inet_ntoa(sinp->sin_addr));
+
+ return nfd;
+}
+
+
+int
+do_packet(pklen, buff)
+ int pklen;
+ char *buff;
+{
+ synchdr_t *sh;
+ u_32_t magic;
+ int len;
+ int n2;
+ int n3;
+
+ while (pklen > 0) {
+ if (pklen < sizeof(*sh)) {
+ syslog(LOG_ERR, "packet length too short:%d", pklen);
+ debug(2, "packet length too short:%d\n", pklen);
+ return R_SKIP;
+ }
+
+ sh = (synchdr_t *)buff;
+ len = ntohl(sh->sm_len);
+ magic = ntohl(sh->sm_magic);
+
+ if (magic != SYNHDRMAGIC) {
+ syslog(LOG_ERR, "invalid header magic %x", magic);
+ debug(2, "invalid header magic %x\n", magic);
+ return R_SKIP;
+ }
+
+ if (pklen < len + sizeof(*sh)) {
+ syslog(LOG_ERR, "packet length too short:%d", pklen);
+ debug(2, "packet length too short:%d\n", pklen);
+ return R_SKIP;
+ }
+
+ if (debuglevel > 3) {
+ printsynchdr(sh);
+ printcommand(sh->sm_cmd);
+ printtable(sh->sm_table);
+ printsmcproto(buff);
+ }
+
+ n2 = sizeof(*sh) + len;
+
+ do {
+ n3 = write(lfd, buff, n2);
+ if (n3 <= 0) {
+ syslog(LOG_ERR, "write error: %m");
+ debug(1, "write error: %s\n", STRERROR(errno));
+ return R_IO_ERROR;
+ }
+
+ n2 -= n3;
+ buff += n3;
+ pklen -= n3;
+ } while (n3 != 0);
+ }
+
+ return R_OKAY;
+}
+
+
+
+int
+do_kbuff(inbuf, buf, left)
+ int inbuf, *left;
+ char *buf;
+{
+ synchdr_t *sh;
+ u_32_t magic;
+ int complete;
+ int sendlen;
+ int error;
+ int bytes;
+ int len;
+ int n2;
+ int n3;
+
+ sendlen = 0;
+ bytes = inbuf;
+ error = R_OKAY;
+ sh = (synchdr_t *)buf;
+
+ for (complete = 0; bytes > 0; complete++) {
+ len = ntohl(sh->sm_len);
+ magic = ntohl(sh->sm_magic);
+
+ if (magic != SYNHDRMAGIC) {
+ syslog(LOG_ERR,
+ "read invalid header magic 0x%x, flushing",
+ magic);
+ debug(2, "read invalid header magic 0x%x, flushing\n",
+ magic);
+ n2 = SMC_RLOG;
+ (void) ioctl(lfd, SIOCIPFFL, &n2);
+ break;
+ }
+
+ if (debuglevel > 3) {
+ printsynchdr(sh);
+ printcommand(sh->sm_cmd);
+ printtable(sh->sm_table);
+ putchar('\n');
+ }
+
+ if (bytes < sizeof(*sh) + len) {
+ debug(3, "Not enough bytes %d < %d\n", bytes,
+ sizeof(*sh) + len);
+ error = R_MORE;
+ break;
+ }
+
+ if (debuglevel > 3) {
+ printsmcproto(buf);
+ }
+
+ sendlen += len + sizeof(*sh);
+ sh = (synchdr_t *)(buf + sendlen);
+ bytes -= sendlen;
+ }
+
+ if (complete) {
+ n3 = send(nfd, buf, sendlen, 0);
+ if (n3 <= 0) {
+ syslog(LOG_ERR, "write error: %m");
+ debug(1, "write error: %s\n", STRERROR(errno));
+ return R_IO_ERROR;
+ }
+ debug(3, "send on %d len %d = %d\n", nfd, sendlen, n3);
+ error = R_OKAY;
+ }
+
+ /* move buffer to the front,we might need to make
+ * this more efficient, by using a rolling pointer
+ * over the buffer and only copying it, when
+ * we are reaching the end
+ */
+ if (bytes > 0) {
+ bcopy(buf + bytes, buf, bytes);
+ error = R_MORE;
+ }
+ debug(4, "complete %d bytes %d error %d\n", complete, bytes, error);
+
+ *left = bytes;
+
+ return error;
+}
+
+
+void
+printcommand(cmd)
+ int cmd;
+{
+
+ switch (cmd)
+ {
+ case SMC_CREATE :
+ printf(" cmd:CREATE");
+ break;
+ case SMC_UPDATE :
+ printf(" cmd:UPDATE");
+ break;
+ default :
+ printf(" cmd:Unknown(%d)", cmd);
+ break;
+ }
+}
+
+
+void
+printtable(table)
+ int table;
+{
+ switch (table)
+ {
+ case SMC_NAT :
+ printf(" table:NAT");
+ break;
+ case SMC_STATE :
+ printf(" table:STATE");
+ break;
+ default :
+ printf(" table:Unknown(%d)", table);
+ break;
+ }
+}
+
+
+void
+printsmcproto(buff)
+ char *buff;
+{
+ syncupdent_t *su;
+ synchdr_t *sh;
+
+ sh = (synchdr_t *)buff;
+
+ if (sh->sm_cmd == SMC_CREATE) {
+ ;
+
+ } else if (sh->sm_cmd == SMC_UPDATE) {
+ su = (syncupdent_t *)buff;
+ if (sh->sm_p == IPPROTO_TCP) {
+ printf(" TCP Update: age %lu state %d/%d\n",
+ su->sup_tcp.stu_age,
+ su->sup_tcp.stu_state[0],
+ su->sup_tcp.stu_state[1]);
+ }
+ } else {
+ printf("Unknown command\n");
+ }
+}
+
+
+void
+printsynchdr(sh)
+ synchdr_t *sh;
+{
+
+ printf("v:%d p:%d num:%d len:%d magic:%x", sh->sm_v, sh->sm_p,
+ ntohl(sh->sm_num), ntohl(sh->sm_len), ntohl(sh->sm_magic));
+}
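Review bot: In do_packet() the length taken from the received datagram, `len = ntohl(sh->sm_len)`, is a signed int checked only through `pklen < len + sizeof(*sh)`, which is evaluated in unsigned arithmetic, so a negative length is not rejected before `n2 = sizeof(*sh) + len` bytes are written to the kernel sync device. The inner `do { ... } while (n3 != 0)` loop also never stops on success: once n2 reaches zero it issues a zero-length write, which typically returns 0 and is then reported as a write error. I would bound `len` explicitly and loop on the remaining byte count, as sketched below. do_kbuff() needs a separate pass for its accounting: `bytes -= sendlen` subtracts the running total rather than the record just consumed, `bcopy(buf + bytes, buf, bytes)` copies from an offset that does not look like the start of the unconsumed data, and do_io() passes `n1` rather than `inbuf + n1` as the byte count.

```c
	while (pklen > 0) {
		/* … unchanged: header-size check, sh/len/magic extraction, magic check … */

		/* pklen >= sizeof(*sh) was established above, so the subtraction cannot wrap */
		if (len < 0 || (size_t)len > (size_t)pklen - sizeof(*sh)) {
			syslog(LOG_ERR, "bad record length:%d", len);
			debug(2, "bad record length:%d\n", len);
			return R_SKIP;
		}

		/* … unchanged: debuglevel > 3 printing … */

		n2 = sizeof(*sh) + len;

		while (n2 > 0) {
			/* … unchanged: write(), error return, n2/buff/pklen accounting … */
		}
	}
```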
diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c
index 963ed19..a475828 100644
--- a/contrib/ipfilter/tools/ipftest.c
+++ b/contrib/ipfilter/tools/ipftest.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -12,24 +12,23 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
+extern struct ipread pcap, iptext, iphex;
extern struct ifnet *get_unit __P((char *, int));
extern void init_ifp __P((void));
extern ipnat_t *natparse __P((char *, int));
-extern int fr_running;
extern hostmap_t **ipf_hm_maptable;
extern hostmap_t *ipf_hm_maplist;
-ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
+ipfmutex_t ipl_mutex, ipf_auth_mx, ipf_rw, ipf_stinsert;
ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
-ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens;
-int opts = OPT_DONOTHING;
+ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_authlk;
+ipfrwlock_t ipf_tokens;
+int opts = OPT_DONTOPEN;
int use_inet6 = 0;
int docksum = 0;
int pfil_delayed_copy = 0;
@@ -37,10 +36,10 @@ int main __P((int, char *[]));
int loadrules __P((char *, int));
int kmemcpy __P((char *, long, int));
int kstrncpy __P((char *, long, int n));
-void dumpnat __P((void));
-void dumpstate __P((void));
-void dumplookups __P((void));
-void dumpgroups __P((void));
+int blockreason;
+void dumpnat __P((void *));
+void dumpgroups __P((ipf_main_softc_t *));
+void dumprules __P((frentry_t *));
void drain_log __P((char *));
void fixv4sums __P((mb_t *, ip_t *));
@@ -72,18 +71,20 @@ static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ipftestioctl,
ipscantestioctl,
ipooltestioctl,
NULL };
+static ipf_main_softc_t *softc = NULL;
-int main(argc,argv)
-int argc;
-char *argv[];
+int
+main(argc,argv)
+ int argc;
+ char *argv[];
{
char *datain, *iface, *ifname, *logout;
int fd, i, dir, c, loaded, dump, hlen;
struct in_addr sip;
struct ifnet *ifp;
struct ipread *r;
- mb_t mb, *m;
+ mb_t mb, *m, *n;
ip_t *ip;
m = &mb;
@@ -98,18 +99,20 @@ char *argv[];
sip.s_addr = 0;
ifname = "anon0";
- MUTEX_INIT(&ipf_rw, "ipf rw mutex");
- MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock");
- RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
- RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
- RWLOCK_INIT(&ipf_frcache, "ipf filter cache");
- RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
-
initparse();
- if (fr_initialise() == -1)
- abort();
- fr_running = 1;
+
+ ipf_load_all();
+
+ softc = ipf_create_all(NULL);
+ if (softc == NULL)
+ exit(1);
+
+ if (ipf_init_all(softc) == -1)
+ exit(1);
+
+ i = 1;
+ if (ipftestioctl(IPL_LOGIPF, SIOCFRENB, &i) != 0)
+ exit(1);
while ((c = getopt(argc, argv, "6bCdDF:i:I:l:N:P:or:RS:T:vxX")) != -1)
switch (c)
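Review bot: The three new startup failure paths (`ipf_create_all`, `ipf_init_all` and the `SIOCFRENB` ioctl) all end in a bare `exit(1)`, so a failed run does not say which step broke. A one-line message before each exit would be enough, e.g. `fprintf(stderr, "ipf_init_all failed\n");`, in line with the `perror()` this commit adds for the input-open failure further down. The result of `ipf_load_all()` is not checked either; whether it can fail is not visible in this hunk. `main` starts and continues outside the hunk.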
@@ -137,12 +140,6 @@ char *argv[];
case 'F' :
if (strcasecmp(optarg, "pcap") == 0)
r = &pcap;
- else if (strcasecmp(optarg, "etherfind") == 0)
- r = &etherf;
- else if (strcasecmp(optarg, "snoop") == 0)
- r = &snoop;
- else if (strcasecmp(optarg, "tcpdump") == 0)
- r = &tcpd;
else if (strcasecmp(optarg, "hex") == 0)
r = &iphex;
else if (strcasecmp(optarg, "text") == 0)
@@ -208,18 +205,21 @@ char *argv[];
else
fd = (*r->r_open)("-");
- if (fd < 0)
+ if (fd < 0) {
+ perror("error opening input");
exit(-1);
+ }
+
+ m->m_data = (char *)m->mb_buf;
+ while ((i = (*r->r_readip)(m, &iface, &dir)) > 0) {
- ip = MTOD(m, ip_t *);
- while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
- &iface, &dir)) > 0) {
if ((iface == NULL) || (*iface == '\0'))
iface = ifname;
+
+ ip = MTOD(m, ip_t *);
ifp = get_unit(iface, IP_V(ip));
- if (!use_inet6) {
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
+
+ if (IP_V(ip) == 4) {
if ((r->r_flags & R_DO_CKSUM) || docksum)
fixv4sums(m, ip);
hlen = IP_HL(ip) << 2;
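Review bot: Inside the new read loop, `IP_V(ip)` and `IP_HL(ip)` are read for any positive return from `r_readip`, without checking that `i` covers at least an IP header. If a reader can return a short record from a truncated or malformed input file, those fields come from whatever an earlier packet left in `mb_buf`. A guard right after the read, `if (i < (int)sizeof(ip_t)) continue;`, would make the minimum explicit; whether the individual `r_readip` implementations already enforce one is not visible here. The loop body continues past the end of the hunk.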
@@ -231,9 +231,11 @@ char *argv[];
hlen = sizeof(ip6_t);
#endif
/* ipfr_slowtimer(); */
+ blockreason = 0;
m = &mb;
+ m->mb_ifp = ifp;
m->mb_len = i;
- i = fr_check(ip, hlen, ifp, dir, &m);
+ i = ipf_check(softc, ip, hlen, ifp, dir, &m);
if ((opts & OPT_NAT) == 0)
switch (i)
{
@@ -271,17 +273,24 @@ char *argv[];
(void)printf("recognised return %#x\n", i);
break;
}
- if (!use_inet6) {
- ip->ip_off = htons(ip->ip_off);
- ip->ip_len = htons(ip->ip_len);
- }
if (!(opts & OPT_BRIEF)) {
putchar(' ');
- printpacket(ip);
+ if (m != NULL)
+ printpacket(dir, m);
+ else
+ printpacket(dir, &mb);
printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket(ip);
+ } else if ((opts & (OPT_BRIEF|OPT_NAT)) ==
+ (OPT_NAT|OPT_BRIEF)) {
+ if (m != NULL)
+ printpacket(dir, m);
+ else
+ PRINTF("%d\n", blockreason);
+ }
+
+ ipf_state_flush(softc, 1, 0);
+
if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL))
#if defined(__sgi) && (IRIX < 60500)
(*ifp->if_output)(ifp, (void *)m, NULL);
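Review bot: The added `ipf_state_flush(softc, 1, 0);` runs once per input packet with two bare integer arguments, and nothing here says which entries it selects or why the harness needs it between packets. A comment above the call naming what the `1` and `0` mean would save the next reader a trip to the state code. In the brief/NAT branch the dropped-packet case uses `PRINTF("%d\n", blockreason);` while the rest of the hunk calls `printf` directly; one spelling would be cleaner, and a short comment such as `/* packet was dropped: print the numeric block reason */` would explain the bare number in the output.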
@@ -292,6 +301,13 @@ char *argv[];
(*ifp->if_output)(ifp, (void *)m, NULL, 0);
# endif
#endif
+
+ while ((m != NULL) && (m != &mb)) {
+ n = m->mb_next;
+ freembt(m);
+ m = n;
+ }
+
if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
putchar('\n');
dir = 0;
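Review bot: The new free loop walks the same `m` that was just passed to `(*ifp->if_output)` in the lines above, so it is only correct if the harness's output routine does not take ownership of the chain. That is presumably the case for ipftest's stub interfaces, but it is not visible in this hunk; a comment would record the assumption, e.g. `/* if_output here does not free m; release anything ipf_check allocated */`. The loop also stops as soon as it reaches `&mb`, so any mbuf linked after the stack buffer would stay allocated.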
@@ -300,6 +316,7 @@ char *argv[];
iface = ifname;
}
m = &mb;
+ m->mb_data = (char *)m->mb_buf;
}
if (i != 0)
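Review bot: The reset added here writes `m->mb_data`, while the matching initialisation this commit adds before the read loop writes `m->m_data`. Presumably one is a macro alias of the other (not visible on this page); using the same spelling in both places, `m->mb_data = (char *)m->mb_buf;`, would make it obvious the two lines do the same thing. The enclosing loop starts outside the hunk.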
@@ -311,14 +328,25 @@ char *argv[];
}
if (dump == 1) {
- dumpnat();
- dumpstate();
- dumplookups();
- dumpgroups();
+ dumpnat(softc->ipf_nat_soft);
+ ipf_state_dump(softc, softc->ipf_state_soft);
+ ipf_lookup_dump(softc, softc->ipf_state_soft);
+ dumpgroups(softc);
}
- fr_deinitialise();
+ ipf_fini_all(softc);
+
+ ipf_destroy_all(softc);
+
+ ipf_unload_all();
+ ipf_mutex_clean();
+ ipf_rwlock_clean();
+
+ if (getenv("FINDLEAKS")) {
+ fflush(stdout);
+ abort();
+ }
return 0;
}
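Review bot: `ipf_lookup_dump(softc, softc->ipf_state_soft);` hands the state module's context to the lookup dump, which looks like a copy of the `ipf_state_dump` line above it. If `ipf_lookup_dump` uses its second argument it would be reading state data as lookup data; if it ignores the argument the call is merely misleading. Passing the lookup module's own context pointer would remove the doubt. Separately, the `FINDLEAKS` branch deliberately calls `abort()` after teardown and deserves a comment, e.g. `/* FINDLEAKS set: abort after cleanup so leftover allocations can be inspected */`; that purpose is inferred from the variable name only.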
@@ -332,14 +360,15 @@ int ipftestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGIPF, cmd, data, FWRITE|FREAD);
if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
+ fprintf(stderr, "ipfioctl(IPF,%#x,%p) = %d (%d)\n",
+ (u_int)cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
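Review bot: `dev = dev; /* gcc -Wextra */` silences the unused-parameter warning with a self-assignment, which other compilers flag in turn (clang's -Wself-assign); `(void)dev;` is the conventional form and needs no comment. The same line is added to every `ip*testioctl` wrapper in the hunks that follow, in both the variadic and the K&R branch. The debug output is also uneven after this change: `softc->ipf_interror` is appended only in the IPF and POOL wrappers. The function body starts and ends outside this hunk.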
@@ -354,13 +383,14 @@ int ipnattestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGNAT, cmd, data, FWRITE|FREAD);
if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(NAT,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -376,13 +406,14 @@ int ipstatetestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(STATE,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -398,13 +429,14 @@ int ipauthtestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(AUTH,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -420,13 +452,14 @@ int ipscantestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(SCAN,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -442,13 +475,14 @@ int ipsynctestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(SYNC,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -464,14 +498,15 @@ int ipooltestioctl(int dev, ioctlcmd_t cmd, ...)
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
+ fprintf(stderr, "ipfioctl(POOL,%#x,%p) = %d (%d)\n",
+ (u_int)cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
@@ -480,15 +515,17 @@ int ipooltestioctl(int dev, ioctlcmd_t cmd, ...)
}
#else
int ipftestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGIPF, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(IPF,%#x,%p) = %d (%d)\n",
+ cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
@@ -498,15 +535,16 @@ void *data;
int ipnattestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGNAT, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -516,15 +554,16 @@ void *data;
int ipstatetestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -534,15 +573,16 @@ void *data;
int ipauthtestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -552,15 +592,16 @@ void *data;
int ipsynctestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -570,15 +611,16 @@ void *data;
int ipscantestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -588,15 +630,17 @@ void *data;
int ipooltestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(POOL,%#x,%p) = %d (%d)\n",
+ cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
@@ -607,9 +651,9 @@ void *data;
int kmemcpy(addr, offset, size)
-char *addr;
-long offset;
-int size;
+ char *addr;
+ long offset;
+ int size;
{
bcopy((char *)offset, addr, size);
return 0;
@@ -617,9 +661,9 @@ int size;
int kstrncpy(buf, pos, n)
-char *buf;
-long pos;
-int n;
+ char *buf;
+ long pos;
+ int n;
{
char *ptr;
@@ -634,100 +678,91 @@ int n;
/*
* Display the built up NAT table rules and mapping entries.
*/
-void dumpnat()
+void dumpnat(arg)
+ void *arg;
{
+ ipf_nat_softc_t *softn = arg;
hostmap_t *hm;
ipnat_t *ipn;
nat_t *nat;
printf("List of active MAP/Redirect filters:\n");
- for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
+ for (ipn = softn->ipf_nat_list; ipn != NULL; ipn = ipn->in_next)
printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
printf("\nList of active sessions:\n");
- for (nat = nat_instances; nat; nat = nat->nat_next) {
- printactivenat(nat, opts, 0, 0);
+ for (nat = softn->ipf_nat_instances; nat; nat = nat->nat_next) {
+ printactivenat(nat, opts, 0);
if (nat->nat_aps)
- printaps(nat->nat_aps, opts);
+ printf("\tproxy active\n");
}
printf("\nHostmap table:\n");
- for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
- printhostmap(hm, 0);
+ for (hm = softn->ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
+ printhostmap(hm, hm->hm_hv);
}
-/*
- * Display the built up state table rules and mapping entries.
- */
-void dumpstate()
-{
- ipstate_t *ips;
-
- printf("List of active state sessions:\n");
- for (ips = ips_list; ips != NULL; )
- ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE),
- fr_ticks);
-}
-
-
-void dumplookups()
-{
- iphtable_t *iph;
- ip_pool_t *ipl;
- int i;
-
- printf("List of configured pools\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next)
- printpool(ipl, bcopywrap, NULL, opts);
-
- printf("List of configured hash tables\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next)
- printhash(iph, bcopywrap, NULL, opts);
-}
-
-
-void dumpgroups()
+void dumpgroups(softc)
+ ipf_main_softc_t *softc;
{
frgroup_t *fg;
- frentry_t *fr;
int i;
printf("List of groups configured (set 0)\n");
for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][0]; fg != NULL; fg = fg->fg_next) {
+ for (fg = softc->ipf_groups[i][0]; fg != NULL;
+ fg = fg->fg_next) {
printf("Dev.%d. Group %s Ref %d Flags %#x\n",
i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
-#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
-#else
- printf("%ld ", fr->fr_hits);
-#endif
- printfr(fr, ipftestioctl);
- }
+ dumprules(fg->fg_start);
}
printf("List of groups configured (set 1)\n");
for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][1]; fg != NULL; fg = fg->fg_next) {
+ for (fg = softc->ipf_groups[i][1]; fg != NULL;
+ fg = fg->fg_next) {
printf("Dev.%d. Group %s Ref %d Flags %#x\n",
i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
+ dumprules(fg->fg_start);
+ }
+
+ printf("Rules configured (set 0, in)\n");
+ dumprules(softc->ipf_rules[0][0]);
+ printf("Rules configured (set 0, out)\n");
+ dumprules(softc->ipf_rules[1][0]);
+ printf("Rules configured (set 1, in)\n");
+ dumprules(softc->ipf_rules[0][1]);
+ printf("Rules configured (set 1, out)\n");
+ dumprules(softc->ipf_rules[1][1]);
+
+ printf("Accounting rules configured (set 0, in)\n");
+ dumprules(softc->ipf_acct[0][0]);
+ printf("Accounting rules configured (set 0, out)\n");
+ dumprules(softc->ipf_acct[0][1]);
+ printf("Accounting rules configured (set 1, in)\n");
+ dumprules(softc->ipf_acct[1][0]);
+ printf("Accounting rules configured (set 1, out)\n");
+ dumprules(softc->ipf_acct[1][1]);
+}
+
+void dumprules(rulehead)
+ frentry_t *rulehead;
+{
+ frentry_t *fr;
+
+ for (fr = rulehead; fr != NULL; fr = fr->fr_next) {
#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
+ printf("%"PRIu64" ",(unsigned long long)fr->fr_hits);
#else
- printf("%ld ", fr->fr_hits);
+ printf("%ld ", fr->fr_hits);
#endif
- printfr(fr, ipftestioctl);
- }
- }
+ printfr(fr, ipftestioctl);
+ }
}
void drain_log(filename)
-char *filename;
+ char *filename;
{
char buffer[DEFAULT_IPFLOGSIZE];
struct iovec iov;
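Review bot: In `dumpgroups` the accounting dumps do not follow the index pattern used for the filter rules just above them: "set 0, out" is `ipf_rules[1][0]` but `ipf_acct[0][1]`, and "set 1, in" is `ipf_rules[0][1]` but `ipf_acct[1][0]`. If both arrays are indexed the same way (their declarations are not visible here), the two middle accounting lists are printed under each other's heading; using `dumprules(softc->ipf_acct[1][0]);` for "set 0, out" and `dumprules(softc->ipf_acct[0][1]);` for "set 1, in" would match the rules block. In `dumprules`, `"%"PRIu64` is paired with an `(unsigned long long)` cast; `(uint64_t)fr->fr_hits` keeps argument and format in agreement on platforms where the two types differ. `drain_log` continues outside the hunk.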
@@ -753,7 +788,7 @@ char *filename;
uio.uio_resid = iov.iov_len;
resid = uio.uio_resid;
- if (ipflog_read(i, &uio) == 0) {
+ if (ipf_log_read(softc, i, &uio) == 0) {
/*
* If nothing was read then break out.
*/
@@ -769,18 +804,38 @@ char *filename;
void fixv4sums(m, ip)
-mb_t *m;
-ip_t *ip;
+ mb_t *m;
+ ip_t *ip;
{
- u_char *csump, *hdr;
+ u_char *csump, *hdr, p;
+ fr_info_t tmp;
+ int len;
- ip->ip_sum = 0;
- ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
+ p = 0;
+ len = 0;
+ bzero((char *)&tmp, sizeof(tmp));
csump = (u_char *)ip;
- csump += IP_HL(ip) << 2;
+ if (IP_V(ip) == 4) {
+ ip->ip_sum = 0;
+ ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
+ tmp.fin_hlen = IP_HL(ip) << 2;
+ csump += IP_HL(ip) << 2;
+ p = ip->ip_p;
+ len = ntohs(ip->ip_len);
+#ifdef USE_INET6
+ } else if (IP_V(ip) == 6) {
+ tmp.fin_hlen = sizeof(ip6_t);
+ csump += sizeof(ip6_t);
+ p = ((ip6_t *)ip)->ip6_nxt;
+ len = ntohs(((ip6_t *)ip)->ip6_plen);
+ len += sizeof(ip6_t);
+#endif
+ }
+ tmp.fin_plen = len;
+ tmp.fin_dlen = len - tmp.fin_hlen;
- switch (ip->ip_p)
+ switch (p)
{
case IPPROTO_TCP :
hdr = csump;
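Review bot: `len` is taken straight from the packet (`ntohs(ip->ip_len)` or `ip6_plen`), and `tmp.fin_dlen = len - tmp.fin_hlen;` is computed without checking that the claimed length is at least the header length. With a malformed input packet `fin_dlen` goes negative before the structure is passed to the checksum routine; a guard after the assignment, `if (len < tmp.fin_hlen) return;`, would stop that. Whether `fr_cksum` itself validates these fields is not visible here. When `IP_V(ip)` is neither 4 nor 6, `p` stays 0 and `csump` still points at the start of the packet, which relies on the `switch` (continuing outside the hunk) leaving `hdr` NULL for protocol 0.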
@@ -800,7 +855,12 @@ ip_t *ip;
break;
}
if (hdr != NULL) {
+ tmp.fin_m = m;
+ tmp.fin_mp = &m;
+ tmp.fin_dp = hdr;
+ tmp.fin_ip = ip;
+ tmp.fin_plen = len;
*csump = 0;
- *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
+ *(u_short *)csump = fr_cksum(&tmp, ip, p, hdr);
}
}
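Review bot: `tmp.fin_plen = len;` is assigned a second time here although the previous hunk already sets it before the `switch` and `len` is not modified in between on any visible line; the repeat can be dropped. The function starts outside this hunk.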
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index ceaed82..1c52e7f 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -1,84 +1,22 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifndef SOLARIS
-#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/time.h>
-#define _KERNEL
-#include <sys/uio.h>
-#undef _KERNEL
-#include <sys/socket.h>
+#include "ipf.h"
+#include "ipmon.h"
#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
+#include <sys/stat.h>
+#include <syslog.h>
+#include <ctype.h>
#include <fcntl.h>
-#include <errno.h>
-#include <time.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-#endif
-#if !defined(__hpux) && (!defined(__SVR4) && !defined(__GNUC__))
-# include <strings.h>
-#endif
#include <signal.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <netinet/ip.h>
-#if !defined(__hpux) && !defined(linux)
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef __hpux
-# undef NOERROR
-#endif
-#include <resolv.h>
-
-#if !defined(linux)
-# include <sys/protosw.h>
-# include <netinet/ip_var.h>
-#endif
-
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-
-#include <ctype.h>
-#include <syslog.h>
-
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipmon.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -89,12 +27,41 @@ extern char *sys_errlist[];
#define STRERROR(x) strerror(x)
#endif
+extern int optind;
+extern char *optarg;
+
+extern ipmon_saver_t executesaver;
+extern ipmon_saver_t filesaver;
+extern ipmon_saver_t nothingsaver;
+extern ipmon_saver_t snmpv1saver;
+extern ipmon_saver_t snmpv2saver;
+extern ipmon_saver_t syslogsaver;
+
struct flags {
int value;
char flag;
};
+typedef struct logsource {
+ int fd;
+ int logtype;
+ char *file;
+ int regular;
+ size_t size;
+} logsource_t;
+
+typedef struct config {
+ int opts;
+ int maxfd;
+ logsource_t logsrc[3];
+ fd_set fdmr;
+ FILE *blog;
+ char *bfile;
+ FILE *log;
+ char *file;
+ char *cfile;
+} config_t;
typedef struct icmp_subtype {
int ist_val;
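Review bot: `logsource_t` and `config_t` are introduced without field comments, and `logsrc[3]` hard-codes the number of log sources. One-line comments on the less obvious members would help (what `regular` and `size` track, and how `blog`/`bfile` differ from `log`/`file`), and a named constant in place of the literal, for example a new `#define IPMON_NLOGSRC 3` (suggested name), would tie the array size to the loops that walk it. That the three entries correspond to the filter, NAT and state logs is an inference from the prototypes elsewhere in this diff, not something this hunk shows.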
@@ -124,6 +91,28 @@ struct flags tcpfl[] = {
{ 0, '\0' }
};
+char *reasons[] = {
+ "filter-rule",
+ "log-or-block_1",
+ "pps-rate",
+ "jumbogram",
+ "makefrip-fail",
+ "state_add-fail",
+ "updateipid-fail",
+ "log-or-block_2",
+ "decap-fail",
+ "auth_new-fail",
+ "auth_captured",
+ "coalesce-fail",
+ "pullup-fail",
+ "auth-feedback",
+ "bad-frag",
+ "natv4_out-fail",
+ "natv4_in-fail",
+ "natv6_out-fail",
+ "natv6_in-fail",
+};
+
#ifdef MENTAT
static char *pidfile = "/etc/opt/ipf/ipmon.pid";
#else
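Review bot: `reasons[]` is added as a writable global with 19 entries and neither a terminator nor an exported count, so every lookup by block-reason code has to be range-checked at the point of use, and that code arrives in a log record. The lookup itself is outside this hunk; if it indexes the table directly, a value of 19 or more reads past the array. Declaring the table `const char * const reasons[]` (and `static` if no other file references it) and testing the index against `sizeof(reasons) / sizeof(reasons[0])` before use would close that.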
@@ -135,18 +124,14 @@ static char *pidfile = "/etc/ipmon.pid";
#endif
static char line[2048];
-static int opts = 0;
-static char *logfile = NULL;
-static FILE *binarylog = NULL;
-static char *binarylogfile = NULL;
static int donehup = 0;
static void usage __P((char *));
static void handlehup __P((int));
static void flushlogs __P((char *, FILE *));
-static void print_log __P((int, FILE *, char *, int));
-static void print_ipflog __P((FILE *, char *, int));
-static void print_natlog __P((FILE *, char *, int));
-static void print_statelog __P((FILE *, char *, int));
+static void print_log __P((config_t *, logsource_t *, char *, int));
+static void print_ipflog __P((config_t *, char *, int));
+static void print_natlog __P((config_t *, char *, int));
+static void print_statelog __P((config_t *, char *, int));
static int read_log __P((int, int *, char *, int));
static void write_pid __P((char *));
static char *icmpname __P((u_int, u_int));
@@ -159,39 +144,30 @@ static struct tm *get_tm __P((u_32_t));
static struct tm *get_tm __P((time_t));
#endif
-char *hostname __P((int, int, u_32_t *));
-char *portname __P((int, char *, u_int));
+char *portlocalname __P((int, char *, u_int));
int main __P((int, char *[]));
static void logopts __P((int, char *));
static void init_tabs __P((void));
-static char *getproto __P((u_int));
+static char *getlocalproto __P((u_int));
+static void openlogs __P((config_t *conf));
+static int read_loginfo __P((config_t *conf));
+static void initconfig __P((config_t *conf));
static char **protocols = NULL;
static char **udp_ports = NULL;
static char **tcp_ports = NULL;
-static char *conf_file = NULL;
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-#define OPT_LOGBODY 0x800
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
+#define HOSTNAMEV4(b) hostname(AF_INET, (u_32_t *)&(b))
#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
#endif
int logfac = LOGFAC;
+int ipmonopts = 0;
+int opts = OPT_NORESOLVE;
+int use_inet6 = 0;
static icmp_subtype_t icmpunreachnames[] = {
@@ -233,7 +209,7 @@ static icmp_subtype_t paramnames[] = {
{ -2, NULL }
};
-static icmp_type_t icmptypes[] = {
+static icmp_type_t icmptypes4[] = {
{ ICMP_ECHOREPLY, NULL, 0, "echoreply" },
{ -1, NULL, 0, NULL },
{ -1, NULL, 0, NULL },
@@ -338,9 +314,9 @@ static icmp_type_t icmptypes6[] = {
};
static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
-int type;
-icmp_subtype_t *table;
-size_t tablesz;
+ int type;
+ icmp_subtype_t *table;
+ size_t tablesz;
{
icmp_subtype_t *ist;
int i;
@@ -363,9 +339,9 @@ size_t tablesz;
static icmp_type_t *find_icmptype(type, table, tablesz)
-int type;
-icmp_type_t *table;
-size_t tablesz;
+ int type;
+ icmp_type_t *table;
+ size_t tablesz;
{
icmp_type_t *it;
int i;
@@ -388,7 +364,7 @@ size_t tablesz;
static void handlehup(sig)
-int sig;
+ int sig;
{
signal(SIGHUP, handlehup);
donehup = 1;
@@ -421,12 +397,12 @@ static void init_tabs()
p->p_name != NULL && protocols[p->p_proto] == NULL)
protocols[p->p_proto] = strdup(p->p_name);
endprotoent();
-#if defined(_AIX51)
if (protocols[0])
free(protocols[0]);
+ protocols[0] = strdup("ip");
+#if defined(_AIX51)
if (protocols[252])
free(protocols[252]);
- protocols[0] = "ip";
protocols[252] = NULL;
#endif
}
@@ -480,8 +456,8 @@ static void init_tabs()
}
-static char *getproto(p)
-u_int p;
+static char *getlocalproto(p)
+ u_int p;
{
static char pnum[4];
char *s;
@@ -497,11 +473,14 @@ u_int p;
static int read_log(fd, lenp, buf, bufsize)
-int fd, bufsize, *lenp;
-char *buf;
+ int fd, bufsize, *lenp;
+ char *buf;
{
int nr;
+ if (bufsize > IPFILTER_LOGSIZE)
+ bufsize = IPFILTER_LOGSIZE;
+
nr = read(fd, buf, bufsize);
if (!nr)
return 2;
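Review bot: The added clamp bounds `bufsize` from above only; a negative value still reaches `read()`, where the `int` converts to a very large `size_t`. Callers presumably pass a buffer size that is always positive, but that is not visible here, so rejecting `bufsize <= 0` with the function's existing error return before the `read` would make the helper safe on its own. A short comment on the clamp, e.g. `/* never request more than one kernel log buffer */`, would also explain why `IPFILTER_LOGSIZE` is the limit; that reading of the constant is inferred from its name. The function body continues outside the hunk.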
@@ -512,51 +491,18 @@ char *buf;
}
-char *hostname(res, v, ip)
-int res, v;
-u_32_t *ip;
+char *portlocalname(res, proto, port)
+ int res;
+ char *proto;
+ u_int port;
{
-# define MAX_INETA 16
- static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct hostent *hp;
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *ip;
- if (!res)
- return inet_ntoa(ipa);
- hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET);
- if (!hp)
- return inet_ntoa(ipa);
- sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name,
- inet_ntoa(ipa));
- return hname;
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-char *portname(res, proto, port)
-int res;
-char *proto;
-u_int port;
-{
- static char pname[8];
- char *s;
+ static char pname[8];
+ char *s;
port = ntohs(port);
port &= 0xffff;
- (void) sprintf(pname, "%u", port);
- if (!res || (opts & OPT_PORTNUM))
+ sprintf(pname, "%u", port);
+ if (!res || (ipmonopts & IPMON_PORTNUM))
return pname;
s = NULL;
if (!strcmp(proto, "tcp"))
@@ -569,9 +515,9 @@ u_int port;
}
-static char *icmpname(type, code)
-u_int type;
-u_int code;
+static char *icmpname(type, code)
+ u_int type;
+ u_int code;
{
static char name[80];
icmp_subtype_t *ist;
@@ -579,7 +525,7 @@ u_int code;
char *s;
s = NULL;
- it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it));
+ it = find_icmptype(type, icmptypes4, sizeof(icmptypes4) / sizeof(*it));
if (it != NULL)
s = it->it_name;
@@ -600,9 +546,9 @@ u_int code;
return name;
}
-static char *icmpname6(type, code)
-u_int type;
-u_int code;
+static char *icmpname6(type, code)
+ u_int type;
+ u_int code;
{
static char name[80];
icmp_subtype_t *ist;
@@ -632,11 +578,11 @@ u_int code;
}
-void dumphex(log, dopts, buf, len)
-FILE *log;
-int dopts;
-char *buf;
-int len;
+void dumphex(log, dopts, buf, len)
+ FILE *log;
+ int dopts;
+ char *buf;
+ int len;
{
char hline[80];
int i, j, k;
@@ -651,7 +597,7 @@ int len;
if (j && !(j & 0xf)) {
*t++ = '\n';
*t = '\0';
- if ((dopts & OPT_SYSLOG))
+ if ((dopts & IPMON_SYSLOG))
syslog(LOG_INFO, "%s", hline);
else if (log != NULL)
fputs(hline, log);
@@ -665,10 +611,10 @@ int len;
sprintf((char *)t, " ");
t += 8;
for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
s--;
}
-
+
if ((j + 1) & 0xf)
*t++ = ' ';;
}
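Review bot: Replacing `ISPRINT(*s)` with a direct `isprint(*s)` is only safe if `*s` has type `unsigned char`; passing a negative plain `char` to `isprint` is undefined behaviour, and the bytes dumped here are raw packet data. The declaration of `s` is outside the hunk, so if it is a `char *` the call should read `isprint((unsigned char)*s)`. The same substitution is made in the next hunk of `dumphex`.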
@@ -683,11 +629,11 @@ int len;
t += 7;
s -= j & 0xf;
for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
*t++ = '\n';
*t = '\0';
}
- if ((dopts & OPT_SYSLOG) != 0)
+ if ((dopts & IPMON_SYSLOG) != 0)
syslog(LOG_INFO, "%s", hline);
else if (log != NULL) {
fputs(hline, log);
@@ -696,11 +642,11 @@ int len;
}
-static struct tm *get_tm(sec)
+static struct tm *get_tm(sec)
#ifdef __hpux
-u_32_t sec;
+ u_32_t sec;
#else
-time_t sec;
+ time_t sec;
#endif
{
struct tm *tm;
@@ -711,23 +657,44 @@ time_t sec;
return tm;
}
-static void print_natlog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
+static void print_natlog(conf, buf, blen)
+ config_t *conf;
+ char *buf;
+ int blen;
{
- struct natlog *nl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line;
- struct tm *tm;
- int res, i, len;
- char *proto;
+ static u_32_t seqnum = 0;
+ int res, i, len, family;
+ struct natlog *nl;
+ struct tm *tm;
+ iplog_t *ipl;
+ char *proto;
+ int simple;
+ char *t;
+
+ t = line;
+ simple = 0;
+ ipl = (iplog_t *)buf;
+ if (ipl->ipl_seqnum != seqnum) {
+ if ((ipmonopts & IPMON_SYSLOG) != 0) {
+ syslog(LOG_WARNING,
+ "missed %u NAT log entries: %u %u",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ } else {
+ (void) fprintf(conf->log,
+ "missed %u NAT log entries: %u %u\n",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ }
+ }
+ seqnum = ipl->ipl_seqnum + ipl->ipl_count;
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
+ res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
tm = get_tm(ipl->ipl_sec);
len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
+
+ if (!(ipmonopts & IPMON_SYSLOG)) {
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
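Review bot: The new "missed ... NAT log entries" branch calls `fprintf(conf->log, ...)` unconditionally when syslog output is off, whereas the end of this function (next hunk) writes only when `conf->log != NULL`. If `conf->log` can be NULL at this point the warning path dereferences a null stream; `else if (conf->log != NULL)` would match the existing guard. `print_statelog` gets the same code in the next hunk. `blen` is still unused, so nothing checks that the buffer holds a full `iplog_t` plus `struct natlog` before the casts. The function continues outside this hunk.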
@@ -735,81 +702,184 @@ int blen;
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
+ sprintf(t, ".%-.6ld @%hd ", (long)ipl->ipl_usec, nl->nl_rule + 1);
t += strlen(t);
- if (nl->nl_type == NL_NEWMAP)
- strcpy(t, "NAT:MAP ");
- else if (nl->nl_type == NL_NEWRDR)
- strcpy(t, "NAT:RDR ");
- else if (nl->nl_type == NL_FLUSH)
- strcpy(t, "NAT:FLUSH ");
- else if (nl->nl_type == NL_EXPIRE)
- strcpy(t, "NAT:EXPIRE ");
- else if (nl->nl_type == NL_NEWBIMAP)
- strcpy(t, "NAT:BIMAP ");
- else if (nl->nl_type == NL_NEWBLOCK)
- strcpy(t, "NAT:MAPBLOCK ");
- else if (nl->nl_type == NL_CLONE)
- strcpy(t, "NAT:CLONE ");
- else if (nl->nl_type == NL_DESTROY)
- strcpy(t, "NAT:DESTROY ");
- else
- sprintf(t, "Type: %d ", nl->nl_type);
+ switch (nl->nl_action)
+ {
+ case NL_NEW :
+ strcpy(t, "NAT:NEW");
+ break;
+
+ case NL_FLUSH :
+ strcpy(t, "NAT:FLUSH");
+ break;
+
+ case NL_CLONE :
+ strcpy(t, "NAT:CLONE");
+ break;
+
+ case NL_EXPIRE :
+ strcpy(t, "NAT:EXPIRE");
+ break;
+
+ case NL_DESTROY :
+ strcpy(t, "NAT:DESTROY");
+ break;
+
+ case NL_PURGE :
+ strcpy(t, "NAT:PURGE");
+ break;
+
+ default :
+ sprintf(t, "NAT:Action(%d)", nl->nl_action);
+ break;
+ }
t += strlen(t);
- proto = getproto(nl->nl_p);
- (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
- portname(res, proto, (u_int)nl->nl_inport));
+ switch (nl->nl_type)
+ {
+ case NAT_MAP :
+ strcpy(t, "-MAP ");
+ simple = 1;
+ break;
+
+ case NAT_REDIRECT :
+ strcpy(t, "-RDR ");
+ simple = 1;
+ break;
+
+ case NAT_BIMAP :
+ strcpy(t, "-BIMAP ");
+ simple = 1;
+ break;
+
+ case NAT_MAPBLK :
+ strcpy(t, "-MAPBLOCK ");
+ simple = 1;
+ break;
+
+ case NAT_REWRITE|NAT_MAP :
+ strcpy(t, "-RWR_MAP ");
+ break;
+
+ case NAT_REWRITE|NAT_REDIRECT :
+ strcpy(t, "-RWR_RDR ");
+ break;
+
+ case NAT_ENCAP|NAT_MAP :
+ strcpy(t, "-ENC_MAP ");
+ break;
+
+ case NAT_ENCAP|NAT_REDIRECT :
+ strcpy(t, "-ENC_RDR ");
+ break;
+
+ case NAT_DIVERTUDP|NAT_MAP :
+ strcpy(t, "-DIV_MAP ");
+ break;
+
+ case NAT_DIVERTUDP|NAT_REDIRECT :
+ strcpy(t, "-DIV_RDR ");
+ break;
+
+ default :
+ sprintf(t, "-Type(%d) ", nl->nl_type);
+ break;
+ }
t += strlen(t);
- (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
- portname(res, proto, (u_int)nl->nl_outport));
+
+ proto = getlocalproto(nl->nl_p[0]);
+
+ family = vtof(nl->nl_v[0]);
+
+ if (simple == 1) {
+ sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_osrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_osrcport));
+ t += strlen(t);
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_nsrcport));
+ t += strlen(t);
+ sprintf(t, "[%s,%s] ", hostname(family, nl->nl_odstip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_odstport));
+ } else {
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_osrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_osrcport));
+ t += strlen(t);
+ sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_odstip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_odstport));
+ t += strlen(t);
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_nsrcport));
+ t += strlen(t);
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_ndstip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_ndstport));
+ }
t += strlen(t);
- (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport),
- getproto(nl->nl_p));
+
+ strcpy(t, getlocalproto(nl->nl_p[0]));
t += strlen(t);
- if (nl->nl_type == NL_EXPIRE) {
+
+ if (nl->nl_action == NL_EXPIRE || nl->nl_action == NL_FLUSH) {
#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
- (long long)nl->nl_pkts[0],
- (long long)nl->nl_pkts[1],
- (long long)nl->nl_bytes[0],
- (long long)nl->nl_bytes[1]);
+# ifdef PRId64
+ sprintf(t, " Pkts %" PRId64 "/%" PRId64 " Bytes %" PRId64 "/%"
+ PRId64,
+# else
+ sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
+# endif
#else
- (void) sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
+ sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
+#endif
nl->nl_pkts[0], nl->nl_pkts[1],
nl->nl_bytes[0], nl->nl_bytes[1]);
-#endif
t += strlen(t);
}
*t++ = '\n';
*t++ = '\0';
- if (opts & OPT_SYSLOG)
+ if (ipmonopts & IPMON_SYSLOG)
syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
+ else if (conf->log != NULL)
+ (void) fprintf(conf->log, "%s", line);
}
-static void print_statelog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
+static void print_statelog(conf, buf, blen)
+ config_t *conf;
+ char *buf;
+ int blen;
{
- struct ipslog *sl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line, *proto;
- struct tm *tm;
- int res, i, len;
+ static u_32_t seqnum = 0;
+ int res, i, len, family;
+ struct ipslog *sl;
+ char *t, *proto;
+ struct tm *tm;
+ iplog_t *ipl;
+
+ t = line;
+ ipl = (iplog_t *)buf;
+ if (ipl->ipl_seqnum != seqnum) {
+ if ((ipmonopts & IPMON_SYSLOG) != 0) {
+ syslog(LOG_WARNING,
+ "missed %u state log entries: %u %u",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ } else {
+ (void) fprintf(conf->log,
+ "missed %u state log entries: %u %u\n",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ }
+ }
+ seqnum = ipl->ipl_seqnum + ipl->ipl_count;
sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
+ res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
tm = get_tm(ipl->ipl_sec);
len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
+ if (!(ipmonopts & IPMON_SYSLOG)) {
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
@@ -817,9 +887,11 @@ int blen;
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
+ sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
t += strlen(t);
+ family = vtof(sl->isl_v);
+
switch (sl->isl_type)
{
case ISL_NEW :
@@ -865,41 +937,37 @@ int blen;
}
t += strlen(t);
- proto = getproto(sl->isl_p);
+ proto = getlocalproto(sl->isl_p);
if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
- (void) sprintf(t, "%s,%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
- portname(res, proto, (u_int)sl->isl_sport));
+ sprintf(t, "%s,%s -> ",
+ hostname(family, (u_32_t *)&sl->isl_src),
+ portlocalname(res, proto, (u_int)sl->isl_sport));
t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- portname(res, proto, (u_int)sl->isl_dport), proto);
+ sprintf(t, "%s,%s PR %s",
+ hostname(family, (u_32_t *)&sl->isl_dst),
+ portlocalname(res, proto, (u_int)sl->isl_dport), proto);
} else if (sl->isl_p == IPPROTO_ICMP) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
+ sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
+ sprintf(t, "%s PR icmp %d",
+ hostname(family, (u_32_t *)&sl->isl_dst),
sl->isl_itype);
} else if (sl->isl_p == IPPROTO_ICMPV6) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
+ sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
+ sprintf(t, "%s PR icmpv6 %d",
+ hostname(family, (u_32_t *)&sl->isl_dst),
sl->isl_itype);
} else {
- (void) sprintf(t, "%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src));
+ sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- proto);
+ sprintf(t, "%s PR %s",
+ hostname(family, (u_32_t *)&sl->isl_dst), proto);
}
t += strlen(t);
if (sl->isl_tag != FR_NOLOGTAG) {
- (void) sprintf(t, " tag %u", sl->isl_tag);
+ sprintf(t, " tag %u", sl->isl_tag);
t += strlen(t);
}
if (sl->isl_type != ISL_NEW) {
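Review bot: Every `sprintf(t, ...)` on the new side of this hunk appends to `line` with no bound, although print_statelog already uses `sizeof(line)` to limit its strftime calls. The appended strings come from `hostname()` and `portlocalname()`, whose maximum lengths are not visible here, so an overlong result would write past the buffer. Consider bounding each append, e.g. `snprintf(t, sizeof(line) - (size_t)(t - line), "%s,%s -> ", ...)`, or a small append helper. The same pattern appears in the print_natlog and print_ipflog hunks, and the function body starts and ends outside this hunk.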
@@ -926,22 +994,26 @@ int blen;
*t++ = '\n';
*t++ = '\0';
- if (opts & OPT_SYSLOG)
+ if (ipmonopts & IPMON_SYSLOG)
syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
+ else if (conf->log != NULL)
+ (void) fprintf(conf->log, "%s", line);
}
-static void print_log(logtype, log, buf, blen)
-FILE *log;
-char *buf;
-int logtype, blen;
+static void print_log(conf, log, buf, blen)
+ config_t *conf;
+ logsource_t *log;
+ char *buf;
+ int blen;
{
+ char *bp, *bpo;
iplog_t *ipl;
- char *bp = NULL, *bpo = NULL;
int psize;
+ bp = NULL;
+ bpo = NULL;
+
while (blen > 0) {
ipl = (iplog_t *)buf;
if ((u_long)ipl & (sizeof(long)-1)) {
@@ -961,22 +1033,22 @@ int logtype, blen;
if (psize > blen)
break;
- if (binarylog) {
- fwrite(buf, psize, 1, binarylog);
- fflush(binarylog);
+ if (conf->blog != NULL) {
+ fwrite(buf, psize, 1, conf->blog);
+ fflush(conf->blog);
}
- if (logtype == IPL_LOGIPF) {
+ if (log->logtype == IPL_LOGIPF) {
if (ipl->ipl_magic == IPL_MAGIC)
- print_ipflog(log, buf, psize);
+ print_ipflog(conf, buf, psize);
- } else if (logtype == IPL_LOGNAT) {
+ } else if (log->logtype == IPL_LOGNAT) {
if (ipl->ipl_magic == IPL_MAGIC_NAT)
- print_natlog(log, buf, psize);
+ print_natlog(conf, buf, psize);
- } else if (logtype == IPL_LOGSTATE) {
+ } else if (log->logtype == IPL_LOGSTATE) {
if (ipl->ipl_magic == IPL_MAGIC_STATE)
- print_statelog(log, buf, psize);
+ print_statelog(conf, buf, psize);
}
blen -= psize;
@@ -988,22 +1060,23 @@ int logtype, blen;
}
-static void print_ipflog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
+static void print_ipflog(conf, buf, blen)
+ config_t *conf;
+ char *buf;
+ int blen;
{
- tcphdr_t *tp;
- struct icmp *ic;
- struct icmp *icmp;
- struct tm *tm;
- char *t, *proto;
- int i, v, lvl, res, len, off, plen, ipoff, defaction;
- ip_t *ipc, *ip;
- u_32_t *s, *d;
- u_short hl, p;
+ static u_32_t seqnum = 0;
+ int i, f, lvl, res, len, off, plen, ipoff, defaction;
+ struct icmp *icmp;
+ struct icmp *ic;
+ char *t, *proto;
+ ip_t *ipc, *ip;
+ struct tm *tm;
+ u_32_t *s, *d;
+ u_short hl, p;
ipflog_t *ipf;
- iplog_t *ipl;
+ iplog_t *ipl;
+ tcphdr_t *tp;
#ifdef USE_INET6
struct ip6_ext *ehp;
u_short ehl;
@@ -1012,16 +1085,31 @@ int blen;
#endif
ipl = (iplog_t *)buf;
+ if (ipl->ipl_seqnum != seqnum) {
+ if ((ipmonopts & IPMON_SYSLOG) != 0) {
+ syslog(LOG_WARNING,
+ "missed %u ipf log entries: %u %u",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ } else {
+ (void) fprintf(conf->log,
+ "missed %u ipf log entries: %u %u\n",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ }
+ }
+ seqnum = ipl->ipl_seqnum + ipl->ipl_count;
+
ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
ip = (ip_t *)((char *)ipf + sizeof(*ipf));
- v = IP_V(ip);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
+ f = ipf->fl_family;
+ res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
t = line;
*t = '\0';
tm = get_tm(ipl->ipl_sec);
len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
+ if (!(ipmonopts & IPMON_SYSLOG)) {
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
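Review bot: The new "missed %u ipf log entries" branch calls `fprintf(conf->log, ...)` without the `conf->log != NULL` test used by the other writers in this file. read_loginfo reassigns `conf->log` from `fopen(conf->file, "a")` after a SIGHUP, so a failed reopen leaves it NULL and the next sequence gap dereferences it. Change the branch to `} else if (conf->log != NULL) {`. The identical block added to print_statelog needs the same guard. print_ipflog's body continues outside the hunk.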
@@ -1029,10 +1117,10 @@ int blen;
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
+ sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
t += strlen(t);
if (ipl->ipl_count > 1) {
- (void) sprintf(t, "%dx ", ipl->ipl_count);
+ sprintf(t, "%dx ", ipl->ipl_count);
t += strlen(t);
}
#if (defined(MENTAT) || \
@@ -1044,13 +1132,19 @@ int blen;
strncpy(ifname, ipf->fl_ifname, sizeof(ipf->fl_ifname));
ifname[sizeof(ipf->fl_ifname)] = '\0';
- (void) sprintf(t, "%s", ifname);
+ sprintf(t, "%s", ifname);
t += strlen(t);
# if defined(MENTAT) || defined(linux)
- if (ISALPHA(*(t - 1))) {
- sprintf(t, "%d", ipf->fl_unit);
- t += strlen(t);
- }
+# if defined(linux)
+ /*
+ * On Linux, the loopback interface is just "lo", not "lo0".
+ */
+ if (strcmp(ifname, "lo") != 0)
+# endif
+ if (ISALPHA(*(t - 1))) {
+ sprintf(t, "%d", ipf->fl_unit);
+ t += strlen(t);
+ }
# endif
}
#else
@@ -1059,7 +1153,7 @@ int blen;
break;
if (ipf->fl_ifname[len])
len++;
- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
+ sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
t += strlen(t);
#endif
if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
@@ -1067,12 +1161,12 @@ int blen;
else if (ipf->fl_group[0] == '\0')
(void) strcpy(t, " @0:");
else
- (void) sprintf(t, " @%s:", ipf->fl_group);
+ sprintf(t, " @%s:", ipf->fl_group);
t += strlen(t);
if (ipf->fl_rule == 0xffffffff)
strcat(t, "-1 ");
else
- (void) sprintf(t, "%u ", ipf->fl_rule + 1);
+ sprintf(t, "%u ", ipf->fl_rule + 1);
t += strlen(t);
lvl = LOG_NOTICE;
@@ -1107,8 +1201,17 @@ int blen;
*t++ = ' ';
*t = '\0';
- if (v == 6) {
+ if (f == AF_INET) {
+ hl = IP_HL(ip) << 2;
+ ipoff = ntohs(ip->ip_off);
+ off = ipoff & IP_OFFMASK;
+ p = (u_short)ip->ip_p;
+ s = (u_32_t *)&ip->ip_src;
+ d = (u_32_t *)&ip->ip_dst;
+ plen = ntohs(ip->ip_len);
+ } else
#ifdef USE_INET6
+ if (f == AF_INET6) {
off = 0;
ipoff = 0;
hl = sizeof(ip6_t);
@@ -1140,32 +1243,22 @@ int blen;
break;
}
}
-#else
- sprintf(t, "ipv6");
- goto printipflog;
+ } else
#endif
- } else if (v == 4) {
- hl = IP_HL(ip) << 2;
- ipoff = ip->ip_off;
- off = ipoff & IP_OFFMASK;
- p = (u_short)ip->ip_p;
- s = (u_32_t *)&ip->ip_src;
- d = (u_32_t *)&ip->ip_dst;
- plen = ip->ip_len;
- } else {
+ {
goto printipflog;
}
- proto = getproto(p);
+ proto = getlocalproto(p);
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
tp = (tcphdr_t *)((char *)ip + hl);
if (!(ipf->fl_lflags & FI_SHORT)) {
- (void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
- portname(res, proto, (u_int)tp->th_sport));
+ sprintf(t, "%s,%s -> ", hostname(f, s),
+ portlocalname(res, proto, (u_int)tp->th_sport));
t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu %hu",
- hostname(res, v, d),
- portname(res, proto, (u_int)tp->th_dport),
+ sprintf(t, "%s,%s PR %s len %hu %hu",
+ hostname(f, d),
+ portlocalname(res, proto, (u_int)tp->th_dport),
proto, hl, plen);
t += strlen(t);
@@ -1175,8 +1268,8 @@ int blen;
for (i = 0; tcpfl[i].value; i++)
if (tp->th_flags & tcpfl[i].value)
*t++ = tcpfl[i].flag;
- if (opts & OPT_VERBOSE) {
- (void) sprintf(t, " %lu %lu %hu",
+ if (ipmonopts & IPMON_VERBOSE) {
+ sprintf(t, " %lu %lu %hu",
(u_long)(ntohl(tp->th_seq)),
(u_long)(ntohl(tp->th_ack)),
ntohs(tp->th_win));
@@ -1185,24 +1278,26 @@ int blen;
}
*t = '\0';
} else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu %hu",
- hostname(res, v, d), proto, hl, plen);
+ sprintf(t, "%s PR %s len %hu %hu",
+ hostname(f, d), proto, hl, plen);
}
- } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) {
+#if defined(AF_INET6) && defined(IPPROTO_ICMPV6)
+ } else if ((p == IPPROTO_ICMPV6) && !off && (f == AF_INET6)) {
ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
- hostname(res, v, d), hl, plen,
+ sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
+ hostname(f, d), hl, plen,
icmpname6(ic->icmp_type, ic->icmp_code));
- } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
+#endif
+ } else if ((p == IPPROTO_ICMP) && !off && (f == AF_INET)) {
ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
- hostname(res, v, d), hl, plen,
+ sprintf(t, "%s PR icmp len %hu %hu icmp %s",
+ hostname(f, d), hl, plen,
icmpname(ic->icmp_type, ic->icmp_code));
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
@@ -1218,21 +1313,21 @@ int blen;
if (i > 1500)
i = ipc->ip_len;
ipoff = ntohs(ipc->ip_off);
- proto = getproto(ipc->ip_p);
+ proto = getlocalproto(ipc->ip_p);
if (!(ipoff & IP_OFFMASK) &&
((ipc->ip_p == IPPROTO_TCP) ||
(ipc->ip_p == IPPROTO_UDP))) {
tp = (tcphdr_t *)((char *)ipc + hl);
t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- HOSTNAME_V4(res, ipc->ip_src),
- portname(res, proto,
+ sprintf(t, " for %s,%s -",
+ HOSTNAMEV4(ipc->ip_src),
+ portlocalname(res, proto,
(u_int)tp->th_sport));
t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- HOSTNAME_V4(res, ipc->ip_dst),
- portname(res, proto,
+ sprintf(t, " %s,%s PR %s len %hu %hu",
+ HOSTNAMEV4(ipc->ip_dst),
+ portlocalname(res, proto,
(u_int)tp->th_dport),
proto, IP_HL(ipc) << 2, i);
} else if (!(ipoff & IP_OFFMASK) &&
@@ -1240,26 +1335,25 @@ int blen;
icmp = (icmphdr_t *)((char *)ipc + hl);
t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
+ sprintf(t, " for %s -",
+ HOSTNAMEV4(ipc->ip_src));
t += strlen(t);
- (void) sprintf(t,
+ sprintf(t,
" %s PR icmp len %hu %hu icmp %d/%d",
- HOSTNAME_V4(res, ipc->ip_dst),
+ HOSTNAMEV4(ipc->ip_dst),
IP_HL(ipc) << 2, i,
icmp->icmp_type, icmp->icmp_code);
} else {
t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
+ sprintf(t, " for %s -",
+ HOSTNAMEV4(ipc->ip_src));
t += strlen(t);
- (void) sprintf(t, " %s PR %s len %hu (%hu)",
- HOSTNAME_V4(res, ipc->ip_dst), proto,
+ sprintf(t, " %s PR %s len %hu (%hu)",
+ HOSTNAMEV4(ipc->ip_dst), proto,
IP_HL(ipc) << 2, i);
t += strlen(t);
if (ipoff & IP_OFFMASK) {
- (void) sprintf(t,
- "(frag %d:%hu@%hu%s%s)",
+ sprintf(t, "(frag %d:%hu@%hu%s%s)",
ntohs(ipc->ip_id),
i - (IP_HL(ipc) << 2),
(ipoff & IP_OFFMASK) << 3,
@@ -1270,13 +1364,13 @@ int blen;
}
} else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
- hostname(res, v, d), proto, hl, plen);
+ sprintf(t, "%s PR %s len %hu (%hu)",
+ hostname(f, d), proto, hl, plen);
t += strlen(t);
if (off & IP_OFFMASK)
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
+ sprintf(t, " (frag %d:%hu@%hu%s%s)",
ntohs(ip->ip_id),
plen - hl, (off & IP_OFFMASK) << 3,
ipoff & IP_MF ? "+" : "",
@@ -1347,32 +1441,43 @@ printipflog:
strcpy(t, " mbcast");
t += 7;
}
+ if (ipf->fl_breason != 0) {
+ strcpy(t, " reason:");
+ t += 8;
+ strcpy(t, reasons[ipf->fl_breason]);
+ t += strlen(reasons[ipf->fl_breason]);
+ }
*t++ = '\n';
*t++ = '\0';
defaction = 0;
- if (conf_file != NULL)
- defaction = check_action(buf, line, opts, lvl);
+ if (conf->cfile != NULL)
+ defaction = check_action(buf, line, ipmonopts, lvl);
+
if (defaction == 0) {
- if (opts & OPT_SYSLOG)
+ if (ipmonopts & IPMON_SYSLOG) {
syslog(lvl, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
+ } else if (conf->log != NULL) {
+ (void) fprintf(conf->log, "%s", line);
+ }
- if (opts & OPT_HEXHDR)
- dumphex(log, opts, buf,
+ if (ipmonopts & IPMON_HEXHDR) {
+ dumphex(conf->log, ipmonopts, buf,
sizeof(iplog_t) + sizeof(*ipf));
- if (opts & OPT_HEXBODY)
- dumphex(log, opts, (char *)ip,
+ }
+ if (ipmonopts & IPMON_HEXBODY) {
+ dumphex(conf->log, ipmonopts, (char *)ip,
ipf->fl_plen + ipf->fl_hlen);
- else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
- dumphex(log, opts, (char *)ip + ipf->fl_hlen,
+ } else if ((ipmonopts & IPMON_LOGBODY) &&
+ (ipf->fl_flags & FR_LOGBODY)) {
+ dumphex(conf->log, ipmonopts, (char *)ip + ipf->fl_hlen,
ipf->fl_plen);
+ }
}
}
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
exit(1);
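Review bot: `reasons[ipf->fl_breason]` is indexed with a value taken straight from the log record, and nothing in the hunk checks it against the size of the table. The `reasons` table is declared outside the hunk, so its length is not visible here. If the record comes from a file given with `-f` or from a kernel with more reason codes, the index reads past the table and hands strcpy a wild pointer. Assuming `reasons` is an array in this file, guard it with `if (ipf->fl_breason != 0 && ipf->fl_breason < sizeof(reasons) / sizeof(reasons[0]))` and print the numeric value otherwise.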
@@ -1380,7 +1485,7 @@ char *prog;
static void write_pid(file)
-char *file;
+ char *file;
{
FILE *fp = NULL;
int fd;
@@ -1400,8 +1505,8 @@ char *file;
static void flushlogs(file, log)
-char *file;
-FILE *log;
+ char *file;
+ FILE *log;
{
int fd, flushed = 0;
@@ -1416,11 +1521,11 @@ FILE *log;
flushed);
fflush(stdout);
} else
- perror("SIOCIPFFB");
+ ipferror(fd, "SIOCIPFFB");
(void) close(fd);
if (flushed) {
- if (opts & OPT_SYSLOG) {
+ if (ipmonopts & IPMON_SYSLOG) {
syslog(LOG_INFO, "%d bytes flushed from log\n",
flushed);
} else if ((log != stdout) && (log != NULL)) {
@@ -1431,8 +1536,8 @@ FILE *log;
static void logopts(turnon, options)
-int turnon;
-char *options;
+ int turnon;
+ char *options;
{
int flags = 0;
char *s;
@@ -1442,13 +1547,13 @@ char *options;
switch (*s)
{
case 'N' :
- flags |= OPT_NAT;
+ flags |= IPMON_NAT;
break;
case 'S' :
- flags |= OPT_STATE;
+ flags |= IPMON_STATE;
break;
case 'I' :
- flags |= OPT_FILTER;
+ flags |= IPMON_FILTER;
break;
default :
fprintf(stderr, "Unknown log option %c\n", *s);
@@ -1457,64 +1562,87 @@ char *options;
}
if (turnon)
- opts |= flags;
+ ipmonopts |= flags;
else
- opts &= ~(flags);
+ ipmonopts &= ~(flags);
+}
+
+static void initconfig(config_t *conf)
+{
+ int i;
+
+ memset(conf, 0, sizeof(*conf));
+
+ conf->log = stdout;
+ conf->maxfd = -1;
+
+ for (i = 0; i < 3; i++) {
+ conf->logsrc[i].fd = -1;
+ conf->logsrc[i].logtype = -1;
+ conf->logsrc[i].regular = -1;
+ }
+
+ conf->logsrc[0].file = IPL_NAME;
+ conf->logsrc[1].file = IPNAT_NAME;
+ conf->logsrc[2].file = IPSTATE_NAME;
+
+ add_doing(&executesaver);
+ add_doing(&snmpv1saver);
+ add_doing(&snmpv2saver);
+ add_doing(&syslogsaver);
+ add_doing(&filesaver);
+ add_doing(&nothingsaver);
}
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- struct stat sb;
- FILE *log = stdout;
- FILE *fp;
- int fd[3], doread, n, i;
- int tr, nr, regular[3], c;
- int fdt[3], devices = 0, make_daemon = 0;
- char buf[DEFAULT_IPFLOGSIZE], *iplfile[3], *s;
- extern int optind;
- extern char *optarg;
-
- fd[0] = fd[1] = fd[2] = -1;
- fdt[0] = fdt[1] = fdt[2] = -1;
- iplfile[0] = IPL_NAME;
- iplfile[1] = IPNAT_NAME;
- iplfile[2] = IPSTATE_NAME;
+ int doread, c, make_daemon = 0;
+ char *prog;
+ config_t config;
+
+ prog = strrchr(argv[0], '/');
+ if (prog == NULL)
+ prog = argv[0];
+ else
+ prog++;
+
+ initconfig(&config);
while ((c = getopt(argc, argv,
"?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
- opts |= OPT_LOGALL;
- fdt[0] = IPL_LOGIPF;
- fdt[1] = IPL_LOGNAT;
- fdt[2] = IPL_LOGSTATE;
+ ipmonopts |= IPMON_LOGALL;
+ config.logsrc[0].logtype = IPL_LOGIPF;
+ config.logsrc[1].logtype = IPL_LOGNAT;
+ config.logsrc[2].logtype = IPL_LOGSTATE;
break;
case 'b' :
- opts |= OPT_LOGBODY;
+ ipmonopts |= IPMON_LOGBODY;
break;
case 'B' :
- binarylogfile = optarg;
- binarylog = fopen(optarg, "a");
+ config.bfile = optarg;
+ config.blog = fopen(optarg, "a");
break;
case 'C' :
- conf_file = optarg;
+ config.cfile = optarg;
break;
case 'D' :
make_daemon = 1;
break;
case 'f' : case 'I' :
- opts |= OPT_FILTER;
- fdt[0] = IPL_LOGIPF;
- iplfile[0] = optarg;
+ ipmonopts |= IPMON_FILTER;
+ config.logsrc[0].logtype = IPL_LOGIPF;
+ config.logsrc[0].file = optarg;
break;
case 'F' :
- flushlogs(iplfile[0], log);
- flushlogs(iplfile[1], log);
- flushlogs(iplfile[2], log);
+ flushlogs(config.logsrc[0].file, config.log);
+ flushlogs(config.logsrc[1].file, config.log);
+ flushlogs(config.logsrc[2].file, config.log);
break;
case 'L' :
logfac = fac_findname(optarg);
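Review bot: The `-B` case stores `fopen(optarg, "a")` in `config.blog` without checking the result, so a path that cannot be opened silently disables the binary log. print_log only writes when `conf->blog != NULL`, so the failure is never reported. For a monitoring daemon a loud failure is safer: `if (config.blog == NULL) { fprintf(stderr, "%s: fopen: %s\n", optarg, STRERROR(errno)); exit(1); }`. main's body continues outside the hunk.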
@@ -1526,56 +1654,49 @@ char *argv[];
}
break;
case 'n' :
- opts |= OPT_RESOLVE;
+ ipmonopts |= IPMON_RESOLVE;
+ opts &= ~OPT_NORESOLVE;
break;
case 'N' :
- opts |= OPT_NAT;
- fdt[1] = IPL_LOGNAT;
- iplfile[1] = optarg;
+ ipmonopts |= IPMON_NAT;
+ config.logsrc[1].logtype = IPL_LOGNAT;
+ config.logsrc[1].file = optarg;
break;
case 'o' : case 'O' :
logopts(c == 'o', optarg);
- fdt[0] = fdt[1] = fdt[2] = -1;
- if (opts & OPT_FILTER)
- fdt[0] = IPL_LOGIPF;
- if (opts & OPT_NAT)
- fdt[1] = IPL_LOGNAT;
- if (opts & OPT_STATE)
- fdt[2] = IPL_LOGSTATE;
+ if (ipmonopts & IPMON_FILTER)
+ config.logsrc[0].logtype = IPL_LOGIPF;
+ if (ipmonopts & IPMON_NAT)
+ config.logsrc[1].logtype = IPL_LOGNAT;
+ if (ipmonopts & IPMON_STATE)
+ config.logsrc[2].logtype = IPL_LOGSTATE;
break;
case 'p' :
- opts |= OPT_PORTNUM;
+ ipmonopts |= IPMON_PORTNUM;
break;
case 'P' :
pidfile = optarg;
break;
case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, logfac);
- s = NULL;
- opts |= OPT_SYSLOG;
- log = NULL;
+ ipmonopts |= IPMON_SYSLOG;
+ config.log = NULL;
break;
case 'S' :
- opts |= OPT_STATE;
- fdt[2] = IPL_LOGSTATE;
- iplfile[2] = optarg;
+ ipmonopts |= IPMON_STATE;
+ config.logsrc[2].logtype = IPL_LOGSTATE;
+ config.logsrc[2].file = optarg;
break;
case 't' :
- opts |= OPT_TAIL;
+ ipmonopts |= IPMON_TAIL;
break;
case 'v' :
- opts |= OPT_VERBOSE;
+ ipmonopts |= IPMON_VERBOSE;
break;
case 'x' :
- opts |= OPT_HEXBODY;
+ ipmonopts |= IPMON_HEXBODY;
break;
case 'X' :
- opts |= OPT_HEXHDR;
+ ipmonopts |= IPMON_HEXHDR;
break;
default :
case 'h' :
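Review bot: The `-o`/`-O` case no longer resets the three log types before re-deriving them from the option bits, so `-O` can clear a bit in `ipmonopts` but never sets the matching `config.logsrc[i].logtype` back to -1. openlogs and read_loginfo select sources by `logtype != -1`, so a source enabled earlier on the command line stays open. Assign both ways, e.g. `config.logsrc[0].logtype = (ipmonopts & IPMON_FILTER) ? IPL_LOGIPF : -1;`, and do the same for indexes 1 and 2 with IPMON_NAT and IPMON_STATE.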
@@ -1583,69 +1704,62 @@ char *argv[];
usage(argv[0]);
}
+ if (ipmonopts & IPMON_SYSLOG)
+ openlog(prog, LOG_NDELAY|LOG_PID, logfac);
+
init_tabs();
- if (conf_file)
- if (load_config(conf_file) == -1)
+ if (config.cfile)
+ if (load_config(config.cfile) == -1) {
+ unload_config();
exit(1);
+ }
/*
* Default action is to only open the filter log file.
*/
- if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
- fdt[0] = IPL_LOGIPF;
+ if ((config.logsrc[0].logtype == -1) &&
+ (config.logsrc[0].logtype == -1) &&
+ (config.logsrc[0].logtype == -1))
+ config.logsrc[0].logtype = IPL_LOGIPF;
- for (i = 0; i < 3; i++) {
- if (fdt[i] == -1)
- continue;
- if (!strcmp(iplfile[i], "-"))
- fd[i] = 0;
- else {
- if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
- (void) fprintf(stderr,
- "%s: open: %s\n", iplfile[i],
- STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (fstat(fd[i], &sb) == -1) {
- (void) fprintf(stderr, "%d: fstat: %s\n",
- fd[i], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (!(regular[i] = !S_ISCHR(sb.st_mode)))
- devices++;
- }
- }
+ openlogs(&config);
- if (!(opts & OPT_SYSLOG)) {
- logfile = argv[optind];
- log = logfile ? fopen(logfile, "a") : stdout;
- if (log == NULL) {
+ if (!(ipmonopts & IPMON_SYSLOG)) {
+ config.file = argv[optind];
+ config.log = config.file ? fopen(config.file, "a") : stdout;
+ if (config.log == NULL) {
(void) fprintf(stderr, "%s: fopen: %s\n",
argv[optind], STRERROR(errno));
exit(1);
/* NOTREACHED */
}
- setvbuf(log, NULL, _IONBF, 0);
- } else
- log = NULL;
+ setvbuf(config.log, NULL, _IONBF, 0);
+ } else {
+ config.log = NULL;
+ }
- if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
+ if (make_daemon &&
+ ((config.log != stdout) || (ipmonopts & IPMON_SYSLOG))) {
#if BSD >= 199306
- daemon(0, !(opts & OPT_SYSLOG));
+ daemon(0, !(ipmonopts & IPMON_SYSLOG));
#else
int pid;
- if ((pid = fork()) > 0)
- exit(0);
- if (pid < 0) {
+
+ switch (fork())
+ {
+ case -1 :
(void) fprintf(stderr, "%s: fork() failed: %s\n",
argv[0], STRERROR(errno));
exit(1);
/* NOTREACHED */
+ case 0 :
+ break;
+ default :
+ exit(0);
}
+
setsid();
- if ((opts & OPT_SYSLOG))
+ if ((ipmonopts & IPMON_SYSLOG))
close(2);
#endif /* !BSD */
close(0);
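Review bot: The "default action" test compares `config.logsrc[0].logtype` with -1 three times, where the removed code checked `fdt[0]`, `fdt[1]` and `fdt[2]`. With only `-N` or `-S` given, index 0 is still -1, so the filter log is enabled and opened as well. The second and third lines should read `(config.logsrc[1].logtype == -1) &&` and `(config.logsrc[2].logtype == -1))`. main's body starts and ends outside this hunk.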
@@ -1655,80 +1769,142 @@ char *argv[];
signal(SIGHUP, handlehup);
- for (doread = 1; doread; ) {
- nr = 0;
-
- for (i = 0; i < 3; i++) {
- tr = 0;
- if (fdt[i] == -1)
- continue;
- if (!regular[i]) {
- if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT,
- "ioctl(FIONREAD): %m");
- else
- perror("ioctl(FIONREAD)");
- exit(1);
- /* NOTREACHED */
- }
- } else {
- tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
- if (!tr && !(opts & OPT_TAIL))
- doread = 0;
+ for (doread = 1; doread; )
+ doread = read_loginfo(&config);
+
+ unload_config();
+
+ return(0);
+ /* NOTREACHED */
+}
+
+
+static void openlogs(config_t *conf)
+{
+ logsource_t *l;
+ struct stat sb;
+ int i;
+
+ for (i = 0; i < 3; i++) {
+ l = &conf->logsrc[i];
+ if (l->logtype == -1)
+ continue;
+ if (!strcmp(l->file, "-"))
+ l->fd = 0;
+ else {
+ if ((l->fd= open(l->file, O_RDONLY)) == -1) {
+ (void) fprintf(stderr,
+ "%s: open: %s\n", l->file,
+ STRERROR(errno));
+ exit(1);
+ /* NOTREACHED */
}
- if (!tr)
- continue;
- nr += tr;
- n = 0;
- tr = read_log(fd[i], &n, buf, sizeof(buf));
- if (donehup) {
- if (logfile && (fp = fopen(logfile, "a"))) {
- fclose(log);
- log = fp;
- }
- if (binarylogfile &&
- (fp = fopen(binarylogfile, "a"))) {
- fclose(binarylog);
- binarylog = fp;
+ if (fstat(l->fd, &sb) == -1) {
+ (void) fprintf(stderr, "%d: fstat: %s\n",
+ l->fd, STRERROR(errno));
+ exit(1);
+ /* NOTREACHED */
+ }
+
+ l->regular = !S_ISCHR(sb.st_mode);
+ if (l->regular)
+ l->size = sb.st_size;
+
+ FD_SET(l->fd, &conf->fdmr);
+ if (l->fd > conf->maxfd)
+ conf->maxfd = l->fd;
+ }
+ }
+}
+
+
+static int read_loginfo(config_t *conf)
+{
+ iplog_t buf[DEFAULT_IPFLOGSIZE/sizeof(iplog_t)+1];
+ int n, tr, nr, i;
+ logsource_t *l;
+ fd_set fdr;
+
+ fdr = conf->fdmr;
+
+ n = select(conf->maxfd + 1, &fdr, NULL, NULL, NULL);
+ if (n == 0)
+ return 1;
+ if (n == -1) {
+ if (errno == EINTR)
+ return 1;
+ return -1;
+ }
+
+ for (i = 0, nr = 0; i < 3; i++) {
+ l = &conf->logsrc[i];
+
+ if ((l->logtype == -1) || !FD_ISSET(l->fd, &fdr))
+ continue;
+
+ tr = 0;
+ if (l->regular) {
+ tr = (lseek(l->fd, 0, SEEK_CUR) < l->size);
+ if (!tr && !(ipmonopts & IPMON_TAIL))
+ return 0;
+ }
+
+ n = 0;
+ tr = read_log(l->fd, &n, (char *)buf, sizeof(buf));
+ if (donehup) {
+ if (conf->file != NULL) {
+ if (conf->log != NULL) {
+ fclose(conf->log);
+ conf->log = NULL;
}
- init_tabs();
- if (conf_file != NULL)
- load_config(conf_file);
- donehup = 0;
+ conf->log = fopen(conf->file, "a");
}
- switch (tr)
- {
- case -1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "read: %m\n");
- else
- perror("read");
- doread = 0;
- break;
- case 1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "aborting logging\n");
- else if (log != NULL)
- fprintf(log, "aborting logging\n");
- doread = 0;
- break;
- case 2 :
- break;
- case 0 :
- if (n > 0) {
- print_log(fdt[i], log, buf, n);
- if (!(opts & OPT_SYSLOG))
- fflush(log);
+ if (conf->bfile != NULL) {
+ if (conf->blog != NULL) {
+ fclose(conf->blog);
+ conf->blog = NULL;
}
- break;
+ conf->blog = fopen(conf->bfile, "a");
}
+
+ init_tabs();
+ if (conf->cfile != NULL)
+ load_config(conf->cfile);
+ donehup = 0;
+ }
+
+ switch (tr)
+ {
+ case -1 :
+ if (ipmonopts & IPMON_SYSLOG)
+ syslog(LOG_CRIT, "read: %m\n");
+ else {
+ ipferror(l->fd, "read");
+ }
+ return 0;
+ case 1 :
+ if (ipmonopts & IPMON_SYSLOG)
+ syslog(LOG_CRIT, "aborting logging\n");
+ else if (conf->log != NULL)
+ fprintf(conf->log, "aborting logging\n");
+ return 0;
+ case 2 :
+ break;
+ case 0 :
+ nr += tr;
+ if (n > 0) {
+ print_log(conf, l, (char *)buf, n);
+ if (!(ipmonopts & IPMON_SYSLOG))
+ fflush(conf->log);
+ }
+ break;
}
- if (!nr && ((opts & OPT_TAIL) || devices))
- sleep(1);
}
- return(0);
- /* NOTREACHED */
+
+ if (!nr && (ipmonopts & IPMON_TAIL))
+ sleep(1);
+
+ return 1;
}
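Review bot: read_loginfo returns -1 when select() fails with anything other than EINTR, but main's loop is `for (doread = 1; doread; ) doread = read_loginfo(&config);`. That treats -1 as "keep going", so a persistent error such as EBADF spins forever; return 0 there or test `read_loginfo(&config) > 0` in the loop. Separately, openlogs calls `FD_SET` and updates `maxfd` only in the `else` branch, so a source given as `-` (fd 0) is never added to `conf->fdmr` and select() would block on an empty set. In `case 0`, `nr += tr` always adds zero, so the final `sleep(1)` runs on every call in tail mode.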
diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y
index 98042d8..f14180d 100644
--- a/contrib/ipfilter/tools/ipmon_y.y
+++ b/contrib/ipfilter/tools/ipmon_y.y
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -13,6 +13,8 @@
#include "ipmon_l.h"
#include "ipmon.h"
+#include <dlfcn.h>
+
#define YYDEBUG 1
extern void yyerror __P((char *));
@@ -21,69 +23,88 @@ extern int yylex __P((void));
extern int yydebug;
extern FILE *yyin;
extern int yylineNum;
+extern int ipmonopts;
-typedef struct opt {
- struct opt *o_next;
+typedef struct opt_s {
+ struct opt_s *o_next;
int o_line;
int o_type;
int o_num;
char *o_str;
struct in_addr o_ip;
+ int o_logfac;
+ int o_logpri;
} opt_t;
-static void build_action __P((struct opt *));
+static void build_action __P((opt_t *, ipmon_doing_t *));
static opt_t *new_opt __P((int));
static void free_action __P((ipmon_action_t *));
+static void print_action __P((ipmon_action_t *));
+static int find_doing __P((char *));
+static ipmon_doing_t *build_doing __P((char *, char *));
+static void print_match __P((ipmon_action_t *));
+static int install_saver __P((char *, char *));
static ipmon_action_t *alist = NULL;
+
+ipmon_saver_int_t *saverlist = NULL;
%}
%union {
char *str;
u_32_t num;
struct in_addr addr;
- struct opt *opt;
+ struct opt_s *opt;
union i6addr ip6;
+ struct ipmon_doing_s *ipmd;
}
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
%token <ip6> YY_IPV6
-%token YY_COMMENT
+%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token IPM_MATCH IPM_BODY IPM_COMMENT IPM_DIRECTION IPM_DSTIP IPM_DSTPORT
-%token IPM_EVERY IPM_EXECUTE IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT
+%token IPM_EVERY IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT IPM_LOADACTION
%token IPM_PACKET IPM_PACKETS IPM_POOL IPM_PROTOCOL IPM_RESULT IPM_RULE
%token IPM_SECOND IPM_SECONDS IPM_SRCIP IPM_SRCPORT IPM_LOGTAG IPM_WITH
-%token IPM_DO IPM_SAVE IPM_SYSLOG IPM_NOTHING IPM_RAW IPM_TYPE IPM_NAT
+%token IPM_DO IPM_DOING IPM_TYPE IPM_NAT
%token IPM_STATE IPM_NATTAG IPM_IPF
%type <addr> ipv4
-%type <opt> direction dstip dstport every execute group interface
+%type <opt> direction dstip dstport every group interface
%type <opt> protocol result rule srcip srcport logtag matching
-%type <opt> matchopt nattag type doopt doing save syslog nothing
-%type <num> saveopts saveopt typeopt
+%type <opt> matchopt nattag type
+%type <num> typeopt
+%type <ipmd> doopt doing
%%
-file: line
- | assign
- | file line
- | file assign
+file: action
+ | file action
;
-line: IPM_MATCH '{' matching '}' IPM_DO '{' doing '}' ';'
- { build_action($3); resetlexer(); }
+action: line ';'
+ | assign ';'
| IPM_COMMENT
| YY_COMMENT
;
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
+line: IPM_MATCH '{' matching ';' '}' IPM_DO '{' doing ';' '}'
+ { build_action($3, $8);
+ resetlexer();
+ }
+ | IPM_LOADACTION YY_STR YY_STR { if (install_saver($2, $3))
+ yyerror("install saver");
+ }
+ ;
+
+assign: YY_STR assigning YY_STR { set_variable($1, $3);
resetlexer();
free($1);
free($3);
yyvarnext = 0;
- }
+ }
;
assigning:
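Review bot: The new `load_action` rule passes two strings from the configuration file to `install_saver()`. With `<dlfcn.h>` now included, this presumably loads a shared object into the ipmon process, though the function body is not in this hunk. ipmon normally runs with enough privilege to read the log devices, so the loader should refuse relative paths and the config file's ownership and mode should be checked before parsing. A comment on the rule would record that expectation, e.g. `/* load_action loads code into ipmon: trusted, absolute paths only */`. Unlike the `assign` rule, `$2` and `$3` are not freed here; confirm whether install_saver takes ownership.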
@@ -114,14 +135,20 @@ matchopt:
doing:
doopt { $$ = $1; }
- | doopt ',' doing { $1->o_next = $3; $$ = $1; }
+ | doopt ',' doing { $1->ipmd_next = $3; $$ = $1; }
;
doopt:
- execute { $$ = $1; }
- | save { $$ = $1; }
- | syslog { $$ = $1; }
- | nothing { $$ = $1; }
+ YY_STR { if (find_doing($1) != IPM_DOING)
+ yyerror("unknown action");
+ }
+ '(' YY_STR ')' { $$ = build_doing($1, $4);
+ if ($$ == NULL)
+ yyerror("action building");
+ }
+ | YY_STR { if (find_doing($1) == IPM_DOING)
+ $$ = build_doing($1, NULL);
+ }
;
direction:
@@ -211,31 +238,7 @@ typeopt:
| IPM_STATE { $$ = IPL_MAGIC_STATE; }
;
-execute:
- IPM_EXECUTE YY_STR { $$ = new_opt(IPM_EXECUTE);
- $$->o_str = $2; }
- ;
-save: IPM_SAVE saveopts YY_STR { $$ = new_opt(IPM_SAVE);
- $$->o_num = $2;
- $$->o_str = $3; }
- ;
-
-saveopts: { $$ = 0; }
- | saveopt { $$ = $1; }
- | saveopt ',' saveopts { $$ = $1 | $3; }
- ;
-
-saveopt:
- IPM_RAW { $$ = IPMDO_SAVERAW; }
- ;
-
-syslog: IPM_SYSLOG { $$ = new_opt(IPM_SYSLOG); }
- ;
-
-nothing:
- IPM_NOTHING { $$ = 0; }
- ;
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
{ if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
@@ -253,30 +256,27 @@ static struct wordtab yywords[] = {
{ "dstip", IPM_DSTIP },
{ "dstport", IPM_DSTPORT },
{ "every", IPM_EVERY },
- { "execute", IPM_EXECUTE },
{ "group", IPM_GROUP },
{ "in", IPM_IN },
{ "interface", IPM_INTERFACE },
{ "ipf", IPM_IPF },
+ { "load_action",IPM_LOADACTION },
{ "logtag", IPM_LOGTAG },
{ "match", IPM_MATCH },
{ "nat", IPM_NAT },
{ "nattag", IPM_NATTAG },
{ "no", IPM_NO },
- { "nothing", IPM_NOTHING },
{ "out", IPM_OUT },
{ "packet", IPM_PACKET },
{ "packets", IPM_PACKETS },
{ "protocol", IPM_PROTOCOL },
{ "result", IPM_RESULT },
{ "rule", IPM_RULE },
- { "save", IPM_SAVE },
{ "second", IPM_SECOND },
{ "seconds", IPM_SECONDS },
{ "srcip", IPM_SRCIP },
{ "srcport", IPM_SRCPORT },
{ "state", IPM_STATE },
- { "syslog", IPM_SYSLOG },
{ "with", IPM_WITH },
{ NULL, 0 }
};
@@ -301,31 +301,33 @@ static int macflags[17][2] = {
{ 0, 0 }
};
-static opt_t *new_opt(type)
-int type;
+static opt_t *
+new_opt(type)
+ int type;
{
opt_t *o;
- o = (opt_t *)malloc(sizeof(*o));
+ o = (opt_t *)calloc(1, sizeof(*o));
o->o_type = type;
o->o_line = yylineNum;
- o->o_num = 0;
- o->o_str = (char *)0;
- o->o_next = NULL;
+ o->o_logfac = -1;
+ o->o_logpri = -1;
return o;
}
-static void build_action(olist)
-opt_t *olist;
+static void
+build_action(olist, todo)
+ opt_t *olist;
+ ipmon_doing_t *todo;
{
ipmon_action_t *a;
opt_t *o;
- char c;
int i;
a = (ipmon_action_t *)calloc(1, sizeof(*a));
if (a == NULL)
return;
+
while ((o = olist) != NULL) {
/*
* Check to see if the same comparator is being used more than
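Review bot: `new_opt()` writes `o->o_type` immediately after `calloc()` without testing the result, so an allocation failure while parsing the configuration becomes a NULL dereference. Add `if (o == NULL) return NULL;` and have the grammar actions that call it treat NULL as a parse error. In the same hunk `build_action()` now receives the `todo` chain, but its early `return` on a failed `calloc()` drops both `olist` and `todo` without releasing them, so `ims_destroy` is never called on those saver tokens. build_action's body continues outside the hunk.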
@@ -358,24 +360,11 @@ opt_t *olist;
case IPM_DSTPORT :
a->ac_dport = htons(o->o_num);
break;
- case IPM_EXECUTE :
- a->ac_exec = o->o_str;
- c = *o->o_str;
- if (c== '"'|| c == '\'') {
- if (o->o_str[strlen(o->o_str) - 1] == c) {
- a->ac_run = strdup(o->o_str + 1);
- a->ac_run[strlen(a->ac_run) - 1] ='\0';
- } else
- a->ac_run = o->o_str;
- } else
- a->ac_run = o->o_str;
- o->o_str = NULL;
- break;
case IPM_INTERFACE :
a->ac_iface = o->o_str;
o->o_str = NULL;
break;
- case IPM_GROUP :
+ case IPM_GROUP :
if (o->o_str != NULL)
strncpy(a->ac_group, o->o_str, FR_GROUPLEN);
else
@@ -416,24 +405,6 @@ opt_t *olist;
case IPM_SRCPORT :
a->ac_sport = htons(o->o_num);
break;
- case IPM_SAVE :
- if (a->ac_savefile != NULL) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_savefile = strdup(o->o_str);
- a->ac_savefp = fopen(o->o_str, "a");
- a->ac_dflag |= o->o_num & IPMDO_SAVERAW;
- break;
- case IPM_SYSLOG :
- if (a->ac_syslog != 0) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_syslog = 1;
- break;
case IPM_TYPE :
a->ac_type = o->o_num;
break;
@@ -448,17 +419,25 @@ opt_t *olist;
free(o->o_str);
free(o);
}
+
+ a->ac_doing = todo;
a->ac_next = alist;
alist = a;
+
+ if (ipmonopts & IPMON_VERBOSE)
+ print_action(a);
}
-int check_action(buf, log, opts, lvl)
-char *buf, *log;
-int opts, lvl;
+int
+check_action(buf, log, opts, lvl)
+ char *buf, *log;
+ int opts, lvl;
{
ipmon_action_t *a;
struct timeval tv;
+ ipmon_doing_t *d;
+ ipmon_msg_t msg;
ipflog_t *ipf;
tcphdr_t *tcp;
iplog_t *ipl;
@@ -472,19 +451,33 @@ int opts, lvl;
ip = (ip_t *)(ipf + 1);
tcp = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
+ msg.imm_data = ipl;
+ msg.imm_dsize = ipl->ipl_dsize;
+ msg.imm_when = ipl->ipl_time.tv_sec;
+ msg.imm_msg = log;
+ msg.imm_msglen = strlen(log);
+ msg.imm_loglevel = lvl;
+
for (a = alist; a != NULL; a = a->ac_next) {
+ verbose(0, "== checking config rule\n");
if ((a->ac_mflag & IPMAC_DIRECTION) != 0) {
if (a->ac_direction == IPM_IN) {
- if ((ipf->fl_flags & FR_INQUE) == 0)
+ if ((ipf->fl_flags & FR_INQUE) == 0) {
+ verbose(8, "-- direction not in\n");
continue;
+ }
} else if (a->ac_direction == IPM_OUT) {
- if ((ipf->fl_flags & FR_OUTQUE) == 0)
+ if ((ipf->fl_flags & FR_OUTQUE) == 0) {
+ verbose(8, "-- direction not out\n");
continue;
+ }
}
}
- if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic))
+ if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic)) {
+ verbose(8, "-- type mismatch\n");
continue;
+ }
if ((a->ac_mflag & IPMAC_EVERY) != 0) {
gettimeofday(&tv, NULL);
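Review bot: `msg.imm_dsize` is copied from `ipl->ipl_dsize`, a length field carried inside the record itself, and `check_action()` has no buffer-length parameter to compare it with. Every saver that writes `imm_dsize` bytes from `imm_data` therefore depends on the caller having validated the record first. State that precondition above the assignments, e.g. `/* caller has verified ipl_dsize against the bytes actually read */`, or pass the record length in and clamp it here. `msg` is also a stack object with only six members set, so a `memset(&msg, 0, sizeof(msg));` before the assignments keeps any other member of ipmon_msg_t from reaching savers uninitialised. The function starts and ends outside this hunk.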
@@ -492,8 +485,10 @@ int opts, lvl;
if (tv.tv_usec <= a->ac_lastusec)
t1--;
if (a->ac_second != 0) {
- if (t1 < a->ac_second)
+ if (t1 < a->ac_second) {
+ verbose(8, "-- too soon\n");
continue;
+ }
a->ac_lastsec = tv.tv_sec;
a->ac_lastusec = tv.tv_usec;
}
@@ -503,159 +498,149 @@ int opts, lvl;
a->ac_pktcnt++;
else if (a->ac_pktcnt == a->ac_packet) {
a->ac_pktcnt = 0;
+ verbose(8, "-- packet count\n");
continue;
} else {
a->ac_pktcnt++;
+ verbose(8, "-- packet count\n");
continue;
}
}
}
if ((a->ac_mflag & IPMAC_DSTIP) != 0) {
- if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip)
+ if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip) {
+ verbose(8, "-- dstip wrong\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_DSTPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
+ if (ip->ip_p != IPPROTO_UDP &&
+ ip->ip_p != IPPROTO_TCP) {
+ verbose(8, "-- not port protocol\n");
continue;
- if (tcp->th_dport != a->ac_dport)
+ }
+ if (tcp->th_dport != a->ac_dport) {
+ verbose(8, "-- dport mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_GROUP) != 0) {
if (strncmp(a->ac_group, ipf->fl_group,
- FR_GROUPLEN) != 0)
+ FR_GROUPLEN) != 0) {
+ verbose(8, "-- group mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_INTERFACE) != 0) {
- if (strcmp(a->ac_iface, ipf->fl_ifname))
+ if (strcmp(a->ac_iface, ipf->fl_ifname)) {
+ verbose(8, "-- ifname mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) {
- if (a->ac_proto != ip->ip_p)
+ if (a->ac_proto != ip->ip_p) {
+ verbose(8, "-- protocol mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_RESULT) != 0) {
if ((ipf->fl_flags & FF_LOGNOMATCH) != 0) {
- if (a->ac_result != IPMR_NOMATCH)
+ if (a->ac_result != IPMR_NOMATCH) {
+ verbose(8, "-- ff-flags mismatch\n");
continue;
+ }
} else if (FR_ISPASS(ipf->fl_flags)) {
- if (a->ac_result != IPMR_PASS)
+ if (a->ac_result != IPMR_PASS) {
+ verbose(8, "-- pass mismatch\n");
continue;
+ }
} else if (FR_ISBLOCK(ipf->fl_flags)) {
- if (a->ac_result != IPMR_BLOCK)
+ if (a->ac_result != IPMR_BLOCK) {
+ verbose(8, "-- block mismatch\n");
continue;
+ }
} else { /* Log only */
- if (a->ac_result != IPMR_LOG)
+ if (a->ac_result != IPMR_LOG) {
+ verbose(8, "-- log mismatch\n");
continue;
+ }
}
}
if ((a->ac_mflag & IPMAC_RULE) != 0) {
- if (a->ac_rule != ipf->fl_rule)
+ if (a->ac_rule != ipf->fl_rule) {
+ verbose(8, "-- rule mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_SRCIP) != 0) {
- if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip)
+ if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip) {
+ verbose(8, "-- srcip mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_SRCPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
+ if (ip->ip_p != IPPROTO_UDP &&
+ ip->ip_p != IPPROTO_TCP) {
+ verbose(8, "-- port protocol mismatch\n");
continue;
- if (tcp->th_sport != a->ac_sport)
+ }
+ if (tcp->th_sport != a->ac_sport) {
+ verbose(8, "-- sport mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_LOGTAG) != 0) {
- if (a->ac_logtag != ipf->fl_logtag)
+ if (a->ac_logtag != ipf->fl_logtag) {
+ verbose(8, "-- logtag %d != %d\n",
+ a->ac_logtag, ipf->fl_logtag);
continue;
+ }
}
if ((a->ac_mflag & IPMAC_NATTAG) != 0) {
if (strncmp(a->ac_nattag, ipf->fl_nattag.ipt_tag,
- IPFTAG_LEN) != 0)
+ IPFTAG_LEN) != 0) {
+ verbose(8, "-- nattag mismatch\n");
continue;
+ }
}
matched = 1;
+ verbose(8, "++ matched\n");
/*
- * It matched so now execute the command
+ * It matched so now perform the saves
*/
- if (a->ac_syslog != 0) {
- syslog(lvl, "%s", log);
- }
-
- if (a->ac_savefp != NULL) {
- if (a->ac_dflag & IPMDO_SAVERAW)
- fwrite(ipl, 1, ipl->ipl_dsize, a->ac_savefp);
- else
- fputs(log, a->ac_savefp);
- }
-
- if (a->ac_exec != NULL) {
- switch (fork())
- {
- case 0 :
- {
- FILE *pi;
-
- pi = popen(a->ac_run, "w");
- if (pi != NULL) {
- fprintf(pi, "%s\n", log);
- if ((opts & OPT_HEXHDR) != 0) {
- dumphex(pi, 0, buf,
- sizeof(*ipl) +
- sizeof(*ipf));
- }
- if ((opts & OPT_HEXBODY) != 0) {
- dumphex(pi, 0, (char *)ip,
- ipf->fl_hlen +
- ipf->fl_plen);
- }
- pclose(pi);
- }
- exit(1);
- }
- case -1 :
- break;
- default :
- break;
- }
- }
+ for (d = a->ac_doing; d != NULL; d = d->ipmd_next)
+ (*d->ipmd_store)(d->ipmd_token, &msg);
}
return matched;
}
-static void free_action(a)
-ipmon_action_t *a;
+static void
+free_action(a)
+ ipmon_action_t *a;
{
- if (a->ac_savefile != NULL) {
- free(a->ac_savefile);
- a->ac_savefile = NULL;
- }
- if (a->ac_savefp != NULL) {
- fclose(a->ac_savefp);
- a->ac_savefp = NULL;
- }
- if (a->ac_exec != NULL) {
- free(a->ac_exec);
- if (a->ac_run == a->ac_exec)
- a->ac_run = NULL;
- a->ac_exec = NULL;
- }
- if (a->ac_run != NULL) {
- free(a->ac_run);
- a->ac_run = NULL;
+ ipmon_doing_t *d;
+
+ while ((d = a->ac_doing) != NULL) {
+ a->ac_doing = d->ipmd_next;
+ (*d->ipmd_saver->ims_destroy)(d->ipmd_token);
+ free(d);
}
+
if (a->ac_iface != NULL) {
free(a->ac_iface);
a->ac_iface = NULL;
@@ -665,24 +650,21 @@ ipmon_action_t *a;
}
-int load_config(file)
-char *file;
+int
+load_config(file)
+ char *file;
{
- ipmon_action_t *a;
FILE *fp;
char *s;
+ unload_config();
+
s = getenv("YYDEBUG");
if (s != NULL)
yydebug = atoi(s);
else
yydebug = 0;
- while ((a = alist) != NULL) {
- alist = a->ac_next;
- free_action(a);
- }
-
yylineNum = 1;
(void) yysettab(yywords);
@@ -698,3 +680,373 @@ char *file;
fclose(fp);
return 0;
}
+
+
+void
+unload_config()
+{
+ ipmon_saver_int_t *sav, **imsip;
+ ipmon_saver_t *is;
+ ipmon_action_t *a;
+
+ while ((a = alist) != NULL) {
+ alist = a->ac_next;
+ free_action(a);
+ }
+
+ /*
+ * Look for savers that have been added in dynamically from the
+ * configuration file.
+ */
+ for (imsip = &saverlist; (sav = *imsip) != NULL; ) {
+ if (sav->imsi_handle == NULL)
+ imsip = &sav->imsi_next;
+ else {
+ dlclose(sav->imsi_handle);
+
+ *imsip = sav->imsi_next;
+ is = sav->imsi_stor;
+ free(sav);
+
+ free(is->ims_name);
+ free(is);
+ }
+ }
+}
+
+
+void
+dump_config()
+{
+ ipmon_action_t *a;
+
+ for (a = alist; a != NULL; a = a->ac_next) {
+ print_action(a);
+
+ printf("#\n");
+ }
+}
+
+
+static void
+print_action(a)
+ ipmon_action_t *a;
+{
+ ipmon_doing_t *d;
+
+ printf("match { ");
+ print_match(a);
+ printf("; }\n");
+ printf("do {");
+ for (d = a->ac_doing; d != NULL; d = d->ipmd_next) {
+ printf("%s", d->ipmd_saver->ims_name);
+ if (d->ipmd_saver->ims_print != NULL) {
+ printf("(\"");
+ (*d->ipmd_saver->ims_print)(d->ipmd_token);
+ printf("\")");
+ }
+ printf(";");
+ }
+ printf("};\n");
+}
+
+
+void *
+add_doing(saver)
+ ipmon_saver_t *saver;
+{
+ ipmon_saver_int_t *it;
+
+ if (find_doing(saver->ims_name) == IPM_DOING)
+ return NULL;
+
+ it = calloc(1, sizeof(*it));
+ if (it == NULL)
+ return NULL;
+ it->imsi_stor = saver;
+ it->imsi_next = saverlist;
+ saverlist = it;
+ return it;
+}
+
+
+static int
+find_doing(string)
+ char *string;
+{
+ ipmon_saver_int_t *it;
+
+ for (it = saverlist; it != NULL; it = it->imsi_next) {
+ if (!strcmp(it->imsi_stor->ims_name, string))
+ return IPM_DOING;
+ }
+ return 0;
+}
+
+
+static ipmon_doing_t *
+build_doing(target, options)
+ char *target;
+ char *options;
+{
+ ipmon_saver_int_t *it;
+ char *strarray[2];
+ ipmon_doing_t *d, *d1;
+ ipmon_action_t *a;
+ ipmon_saver_t *save;
+
+ d = calloc(1, sizeof(*d));
+ if (d == NULL)
+ return NULL;
+
+ for (it = saverlist; it != NULL; it = it->imsi_next) {
+ if (!strcmp(it->imsi_stor->ims_name, target))
+ break;
+ }
+ if (it == NULL) {
+ free(d);
+ return NULL;
+ }
+
+ strarray[0] = options;
+ strarray[1] = NULL;
+
+ d->ipmd_token = (*it->imsi_stor->ims_parse)(strarray);
+ if (d->ipmd_token == NULL) {
+ free(d);
+ return NULL;
+ }
+
+ save = it->imsi_stor;
+ d->ipmd_saver = save;
+ d->ipmd_store = it->imsi_stor->ims_store;
+
+ /*
+ * Look for duplicate do-things that need to be dup'd
+ */
+ for (a = alist; a != NULL; a = a->ac_next) {
+ for (d1 = a->ac_doing; d1 != NULL; d1 = d1->ipmd_next) {
+ if (save != d1->ipmd_saver)
+ continue;
+ if (save->ims_match == NULL || save->ims_dup == NULL)
+ continue;
+ if ((*save->ims_match)(d->ipmd_token, d1->ipmd_token))
+ continue;
+
+ (*d->ipmd_saver->ims_destroy)(d->ipmd_token);
+ d->ipmd_token = (*save->ims_dup)(d1->ipmd_token);
+ break;
+ }
+ }
+
+ return d;
+}
+
+
+static void
+print_match(a)
+ ipmon_action_t *a;
+{
+ char *coma = "";
+
+ if ((a->ac_mflag & IPMAC_DIRECTION) != 0) {
+ printf("direction = ");
+ if (a->ac_direction == IPM_IN)
+ printf("in");
+ else if (a->ac_direction == IPM_OUT)
+ printf("out");
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_DSTIP) != 0) {
+ printf("%sdstip = ", coma);
+ printhostmask(AF_INET, &a->ac_dip, &a->ac_dmsk);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_DSTPORT) != 0) {
+ printf("%sdstport = %hu", coma, ntohs(a->ac_dport));
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_GROUP) != 0) {
+ char group[FR_GROUPLEN+1];
+
+ strncpy(group, a->ac_group, FR_GROUPLEN);
+ group[FR_GROUPLEN] = '\0';
+ printf("%sgroup = %s", coma, group);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_INTERFACE) != 0) {
+ printf("%siface = %s", coma, a->ac_iface);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_LOGTAG) != 0) {
+ printf("%slogtag = %u", coma, a->ac_logtag);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_NATTAG) != 0) {
+ char tag[17];
+
+ strncpy(tag, a->ac_nattag, 16);
+ tag[16] = '\0';
+ printf("%snattag = %s", coma, tag);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) {
+ printf("%sprotocol = %u", coma, a->ac_proto);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_RESULT) != 0) {
+ printf("%sresult = ", coma);
+ switch (a->ac_result)
+ {
+ case IPMR_LOG :
+ printf("log");
+ break;
+ case IPMR_PASS :
+ printf("pass");
+ break;
+ case IPMR_BLOCK :
+ printf("block");
+ break;
+ case IPMR_NOMATCH :
+ printf("nomatch");
+ break;
+ }
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_RULE) != 0) {
+ printf("%srule = %u", coma, a->ac_rule);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_EVERY) != 0) {
+ if (a->ac_packet > 1) {
+ printf("%severy %d packets", coma, a->ac_packet);
+ coma = ", ";
+ } else if (a->ac_packet == 1) {
+ printf("%severy packet", coma);
+ coma = ", ";
+ }
+ if (a->ac_second > 1) {
+ printf("%severy %d seconds", coma, a->ac_second);
+ coma = ", ";
+ } else if (a->ac_second == 1) {
+ printf("%severy second", coma);
+ coma = ", ";
+ }
+ }
+
+ if ((a->ac_mflag & IPMAC_SRCIP) != 0) {
+ printf("%ssrcip = ", coma);
+ printhostmask(AF_INET, &a->ac_sip, &a->ac_smsk);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_SRCPORT) != 0) {
+ printf("%ssrcport = %hu", coma, ntohs(a->ac_sport));
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_TYPE) != 0) {
+ printf("%stype = ", coma);
+ switch (a->ac_type)
+ {
+ case IPL_LOGIPF :
+ printf("ipf");
+ break;
+ case IPL_LOGSTATE :
+ printf("state");
+ break;
+ case IPL_LOGNAT :
+ printf("nat");
+ break;
+ }
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_WITH) != 0) {
+ printf("%swith ", coma);
+ coma = ", ";
+ }
+}
+
+
+static int
+install_saver(name, path)
+ char *name, *path;
+{
+ ipmon_saver_int_t *isi;
+ ipmon_saver_t *is;
+ char nbuf[80];
+
+ if (find_doing(name) == IPM_DOING)
+ return -1;
+
+ isi = calloc(1, sizeof(*isi));
+ if (isi == NULL)
+ return -1;
+
+ is = calloc(1, sizeof(*is));
+ if (is == NULL)
+ goto loaderror;
+
+ is->ims_name = name;
+
+#ifdef RTLD_LAZY
+ isi->imsi_handle = dlopen(path, RTLD_LAZY);
+#endif
+#ifdef DL_LAZY
+ isi->imsi_handle = dlopen(path, DL_LAZY);
+#endif
+
+ if (isi->imsi_handle == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%sdup", name);
+ is->ims_dup = (ims_dup_func_t)dlsym(isi->imsi_handle, nbuf);
+
+ snprintf(nbuf, sizeof(nbuf), "%sdestroy", name);
+ is->ims_destroy = (ims_destroy_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_destroy == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%smatch", name);
+ is->ims_match = (ims_match_func_t)dlsym(isi->imsi_handle, nbuf);
+
+ snprintf(nbuf, sizeof(nbuf), "%sparse", name);
+ is->ims_parse = (ims_parse_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_parse == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%sprint", name);
+ is->ims_print = (ims_print_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_print == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%sstore", name);
+ is->ims_store = (ims_store_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_store == NULL)
+ goto loaderror;
+
+ isi->imsi_stor = is;
+ isi->imsi_next = saverlist;
+ saverlist = isi;
+
+ return 0;
+
+loaderror:
+ if (isi->imsi_handle != NULL)
+ dlclose(isi->imsi_handle);
+ free(isi);
+ if (is != NULL)
+ free(is);
+ return -1;
+}
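Review bot: `install_saver()` passes the configuration-supplied `path` straight to `dlopen()`, which runs the library's initialisers with ipmon's privileges, and a name without a slash is resolved through the dynamic loader's search path. Assuming ipmon runs with elevated privileges (the hunk does not show it), reject relative names before loading with `if (path[0] != '/') goto loaderror;`, and document that the config file and every library it names must be writable only by the administrator. The two `#ifdef` blocks are not exclusive: on a platform that defines both RTLD_LAZY and DL_LAZY the library is opened twice and the first handle is lost, so the second block should be `#elif defined(DL_LAZY)`. In `build_doing()` the result of `ims_dup` is stored in `d->ipmd_token` unchecked, unlike the `ims_parse` result a few lines earlier.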
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
index 28e29ec..448c1c0 100644
--- a/contrib/ipfilter/tools/ipnat.c
+++ b/contrib/ipfilter/tools/ipnat.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -67,7 +67,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -79,23 +79,25 @@ char thishost[MAXHOSTNAMELEN];
extern char *optarg;
-void dostats __P((int, natstat_t *, int, int));
-void dotable __P((natstat_t *, int, int));
-void flushtable __P((int, int));
+void dostats __P((int, natstat_t *, int, int, int *));
+void dotable __P((natstat_t *, int, int, int, char *));
+void flushtable __P((int, int, int *));
void usage __P((char *));
int main __P((int, char*[]));
void showhostmap __P((natstat_t *nsp));
void natstat_dead __P((natstat_t *, char *));
-void dostats_live __P((int, natstat_t *, int));
+void dostats_live __P((int, natstat_t *, int, int *));
void showhostmap_dead __P((natstat_t *));
void showhostmap_live __P((int, natstat_t *));
-void dostats_dead __P((natstat_t *, int));
-void showtqtable_live __P((int));
+void dostats_dead __P((natstat_t *, int, int *));
+int nat_matcharray __P((nat_t *, int *));
-int opts;
+int opts;
+int nohdrfields = 0;
+wordtab_t *nat_fields = NULL;
void usage(name)
-char *name;
+ char *name;
{
fprintf(stderr, "Usage: %s [-CFhlnrRsv] [-f filename]\n", name);
exit(1);
@@ -103,12 +105,12 @@ char *name;
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
+ int fd, c, mode, *natfilter;
char *file, *core, *kernel;
natstat_t ns, *nsp;
- int fd, c, mode;
ipfobj_t obj;
fd = -1;
@@ -118,8 +120,11 @@ char *argv[];
core = NULL;
kernel = NULL;
mode = O_RDWR;
+ natfilter = NULL;
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsv")) != -1)
+ assigndefined(getenv("IPNAT_PREDEFINED"));
+
+ while ((c = getopt(argc, argv, "CdFf:hlm:M:N:nO:prRsv")) != -1)
switch (c)
{
case 'C' :
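Review bot: The option string gains `m:`, `O:` and `p`, but `usage()` (context in the previous hunk) still prints `[-CFhlnrRsv] [-f filename]`, so the new flags cannot be discovered from the tool itself. Update the message along the lines of `"Usage: %s [-CFhlnprRsv] [-f filename] [-m expr] [-O fields]\n"`. Separately, `getenv("IPNAT_PREDEFINED")` returns NULL when the variable is unset; if `assigndefined()` does not already accept NULL (its body is not visible here), guard the call.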
@@ -141,6 +146,9 @@ char *argv[];
opts |= OPT_LIST;
mode = O_RDONLY;
break;
+ case 'm' :
+ natfilter = parseipfexpr(optarg, NULL);
+ break;
case 'M' :
core = optarg;
break;
@@ -148,9 +156,15 @@ char *argv[];
kernel = optarg;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
mode = O_RDONLY;
break;
+ case 'O' :
+ nat_fields = parsefields(natfields, optarg);
+ break;
+ case 'p' :
+ opts |= OPT_PURGE;
+ break;
case 'R' :
opts |= OPT_NORESOLVE;
break;
@@ -168,6 +182,12 @@ char *argv[];
usage(argv[0]);
}
+ if (((opts & OPT_PURGE) != 0) && ((opts & OPT_REMOVE) == 0)) {
+ (void) fprintf(stderr, "%s: -p must be used with -r\n",
+ argv[0]);
+ exit(1);
+ }
+
initparse();
if ((kernel != NULL) || (core != NULL)) {
@@ -200,7 +220,7 @@ char *argv[];
obj.ipfo_size = sizeof(*nsp);
obj.ipfo_ptr = (void *)nsp;
if (ioctl(fd, SIOCGNATS, &obj) == -1) {
- perror("ioctl(SIOCGNATS)");
+ ipferror(fd, "ioctl(SIOCGNATS)");
exit(1);
}
(void) setgid(getgid());
@@ -211,17 +231,17 @@ char *argv[];
natstat_dead(nsp, kernel);
if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 0);
+ dostats(fd, nsp, opts, 0, natfilter);
exit(0);
}
if (opts & (OPT_FLUSH|OPT_CLEAR))
- flushtable(fd, opts);
+ flushtable(fd, opts, natfilter);
if (file) {
- ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
+ return ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
}
if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 1);
+ dostats(fd, nsp, opts, 1, natfilter);
return 0;
}
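Review bot: With `return ipnat_parsefile(...)` main now exits as soon as the rules file has been processed, so the `OPT_LIST|OPT_STAT` call to `dostats()` below is no longer reached when `-f` is combined with `-l` or `-s`. If propagating the parse status is the goal, keep the listing on success: `rc = ipnat_parsefile(fd, ipnat_addrule, ioctl, file); if (rc != 0) return rc;`. This assumes ipnat_parsefile returns 0 on success, which the hunk does not show.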
@@ -231,8 +251,8 @@ char *argv[];
* rather than doing ioctl's.
*/
void natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
+ natstat_t *nsp;
+ char *kernel;
{
struct nlist nat_nlist[10] = {
{ "nat_table" }, /* 0 */
@@ -243,7 +263,6 @@ char *kernel;
{ "ipf_rdrrules_sz" }, /* 5 */
{ "ipf_hostmap_sz" },
{ "nat_instances" },
- { "ap_sess_list" },
{ NULL }
};
void *tables[2];
@@ -259,8 +278,8 @@ char *kernel;
* one in individually.
*/
kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
- nsp->ns_table[0] = tables[0];
- nsp->ns_table[1] = tables[1];
+ nsp->ns_side[0].ns_table = tables[0];
+ nsp->ns_side[1].ns_table = tables[1];
kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
sizeof(nsp->ns_list));
@@ -276,8 +295,6 @@ char *kernel;
sizeof(nsp->ns_hostmap_sz));
kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
sizeof(nsp->ns_instances));
- kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
- sizeof(nsp->ns_apslist));
}
@@ -285,23 +302,40 @@ char *kernel;
* Issue an ioctl to flush either the NAT rules table or the active mapping
* table or both.
*/
-void flushtable(fd, opts)
-int fd, opts;
+void flushtable(fd, opts, match)
+ int fd, opts, *match;
{
int n = 0;
if (opts & OPT_FLUSH) {
n = 0;
- if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCFLNAT)");
- else
+ if (!(opts & OPT_DONOTHING)) {
+ if (match != NULL) {
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = match[0] * sizeof(int);
+ obj.ipfo_type = IPFOBJ_IPFEXPR;
+ obj.ipfo_ptr = match;
+ if (ioctl(fd, SIOCMATCHFLUSH, &obj) == -1) {
+ ipferror(fd, "ioctl(SIOCMATCHFLUSH)");
+ n = -1;
+ } else {
+ n = obj.ipfo_retval;
+ }
+ } else if (ioctl(fd, SIOCIPFFL, &n) == -1) {
+ ipferror(fd, "ioctl(SIOCIPFFL)");
+ n = -1;
+ }
+ }
+ if (n >= 0)
printf("%d entries flushed from NAT table\n", n);
}
if (opts & OPT_CLEAR) {
n = 1;
if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCCNATL)");
+ ipferror(fd, "ioctl(SIOCCNATL)");
else
printf("%d entries flushed from NAT list\n", n);
}
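Review bot: The new `ipfobj_t obj` in the `match != NULL` branch is handed to `ioctl(SIOCMATCHFLUSH)` with only four members set, so the remaining members carry stack garbage into the kernel, and `ipfo_retval` is read back afterwards. `dostats_live()` and `showhostmap_live()` clear their objects first; do the same here with `bzero((char *)&obj, sizeof(obj));` before the assignments. `match[0] * sizeof(int)` also takes the first array element as the length. A one-line comment saying that `parseipfexpr()` stores the element count there would help, since that is implied by the usage rather than shown in this hunk.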
@@ -311,34 +345,65 @@ int fd, opts;
/*
* Display NAT statistics.
*/
-void dostats_dead(nsp, opts)
-natstat_t *nsp;
-int opts;
+void dostats_dead(nsp, opts, filter)
+ natstat_t *nsp;
+ int opts, *filter;
{
nat_t *np, nat;
ipnat_t ipn;
-
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- break;
+ int i;
+
+ if (nat_fields == NULL) {
+ printf("List of active MAP/Redirect filters:\n");
+ while (nsp->ns_list) {
+ if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
+ sizeof(ipn))) {
+ perror("kmemcpy");
+ break;
+ }
+ if (opts & OPT_HITS)
+ printf("%lu ", ipn.in_hits);
+ printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+ nsp->ns_list = ipn.in_next;
}
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
}
- printf("\nList of active sessions:\n");
+ if (nat_fields == NULL) {
+ printf("\nList of active sessions:\n");
+
+ } else if (nohdrfields == 0) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printfieldhdr(natfields, nat_fields + i);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ }
for (np = nsp->ns_instances; np; np = nat.nat_next) {
if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
break;
- printactivenat(&nat, opts, 0, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
+ if ((filter != NULL) && (nat_matcharray(&nat, filter) == 0))
+ continue;
+ if (nat_fields != NULL) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printnatfield(&nat, nat_fields[i].w_value);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else {
+ printactivenat(&nat, opts, nsp->ns_ticks);
+ if (nat.nat_aps) {
+ int proto;
+
+ if (nat.nat_dir & NAT_OUTBOUND)
+ proto = nat.nat_pr[1];
+ else
+ proto = nat.nat_pr[0];
+ printaps(nat.nat_aps, opts, proto);
+ }
+ }
}
if (opts & OPT_VERBOSE)
@@ -346,62 +411,39 @@ int opts;
}
-void dostats(fd, nsp, opts, alive)
-natstat_t *nsp;
-int fd, opts, alive;
-{
- /*
- * Show statistics ?
- */
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- nsp->ns_mapped[0], nsp->ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- nsp->ns_added, nsp->ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
- printf("wilds\t%u\n", nsp->ns_wilds);
- dotable(nsp, fd, alive);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n",
- nsp->ns_table, nsp->ns_list);
- if (alive)
- showtqtable_live(fd);
- }
-
- if (opts & OPT_LIST) {
- if (alive)
- dostats_live(fd, nsp, opts);
- else
- dostats_dead(nsp, opts);
- }
-}
-
-
-void dotable(nsp, fd, alive)
-natstat_t *nsp;
-int fd, alive;
+void dotable(nsp, fd, alive, which, side)
+ natstat_t *nsp;
+ int fd, alive, which;
+ char *side;
{
- int sz, i, used, totallen, maxlen, minlen;
+ int sz, i, used, maxlen, minlen, totallen;
ipftable_t table;
- u_long *buckets;
+ u_int *buckets;
ipfobj_t obj;
sz = sizeof(*buckets) * nsp->ns_nattab_sz;
- buckets = (u_long *)malloc(sz);
+ buckets = (u_int *)malloc(sz);
+ if (buckets == NULL) {
+ fprintf(stderr,
+ "cannot allocate memory (%d) for buckets\n", sz);
+ return;
+ }
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_type = IPFOBJ_GTABLE;
obj.ipfo_size = sizeof(table);
obj.ipfo_ptr = &table;
- table.ita_type = IPFTABLE_BUCKETS_NATIN;
+ if (which == 0) {
+ table.ita_type = IPFTABLE_BUCKETS_NATIN;
+ } else if (which == 1) {
+ table.ita_type = IPFTABLE_BUCKETS_NATOUT;
+ }
table.ita_table = buckets;
if (alive) {
if (ioctl(fd, SIOCGTABL, &obj) != 0) {
+ ipferror(fd, "SIOCFTABL");
free(buckets);
return;
}
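Review bot: The new error label `ipferror(fd, "SIOCFTABL")` does not match the request being issued, `SIOCGTABL`, and drops the `ioctl(...)` form used by the other messages in this commit; `ipferror(fd, "ioctl(SIOCGTABL)");` keeps the output searchable. `which` selects `table.ita_type` through an if/else-if with no final else, so any value other than 0 or 1 sends an uninitialised type to the kernel and indexes `ns_side[which]` in the next hunk. An `else { free(buckets); return; }` closes that path. dotable's body continues outside the hunk.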
@@ -412,9 +454,9 @@ int fd, alive;
}
}
+ minlen = nsp->ns_side[which].ns_inuse;
totallen = 0;
maxlen = 0;
- minlen = nsp->ns_inuse;
used = 0;
for (i = 0; i < nsp->ns_nattab_sz; i++) {
@@ -427,27 +469,84 @@ int fd, alive;
totallen += buckets[i];
}
- printf("hash efficiency\t%2.2f%%\n",
- totallen ? ((float)used / totallen) * 100.0 : 0.0);
- printf("bucket usage\t%2.2f%%\n",
- ((float)used / nsp->ns_nattab_sz) * 100.0);
- printf("minimal length\t%d\n", minlen);
- printf("maximal length\t%d\n", maxlen);
- printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
+ printf("%d%%\thash efficiency %s\n",
+ totallen ? used * 100 / totallen : 0, side);
+ printf("%2.2f%%\tbucket usage %s\n",
+ ((float)used / nsp->ns_nattab_sz) * 100.0, side);
+ printf("%d\tminimal length %s\n", minlen, side);
+ printf("%d\tmaximal length %s\n", maxlen, side);
+ printf("%.3f\taverage length %s\n",
+ used ? ((float)totallen / used) : 0.0, side);
+
+ free(buckets);
+}
+
+
+void dostats(fd, nsp, opts, alive, filter)
+ natstat_t *nsp;
+ int fd, opts, alive, *filter;
+{
+ /*
+ * Show statistics ?
+ */
+ if (opts & OPT_STAT) {
+ printnatside("in", &nsp->ns_side[0]);
+ dotable(nsp, fd, alive, 0, "in");
+
+ printnatside("out", &nsp->ns_side[1]);
+ dotable(nsp, fd, alive, 1, "out");
+
+ printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log);
+ printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log);
+ printf("%lu\tadded in\n%lu\tadded out\n",
+ nsp->ns_side[0].ns_added,
+ nsp->ns_side[1].ns_added);
+ printf("%u\tactive\n", nsp->ns_active);
+ printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt);
+ printf("%lu\tdivert build\n", nsp->ns_divert_build);
+ printf("%lu\texpired\n", nsp->ns_expire);
+ printf("%lu\tflush all\n", nsp->ns_flush_all);
+ printf("%lu\tflush closing\n", nsp->ns_flush_closing);
+ printf("%lu\tflush queue\n", nsp->ns_flush_queue);
+ printf("%lu\tflush state\n", nsp->ns_flush_state);
+ printf("%lu\tflush timeout\n", nsp->ns_flush_timeout);
+ printf("%lu\thostmap new\n", nsp->ns_hm_new);
+ printf("%lu\thostmap fails\n", nsp->ns_hm_newfail);
+ printf("%lu\thostmap add\n", nsp->ns_hm_addref);
+ printf("%lu\thostmap NULL rule\n", nsp->ns_hm_nullnp);
+ printf("%lu\tlog ok\n", nsp->ns_log_ok);
+ printf("%lu\tlog fail\n", nsp->ns_log_fail);
+ printf("%u\torphan count\n", nsp->ns_orphans);
+ printf("%u\trule count\n", nsp->ns_rules);
+ printf("%u\tmap rules\n", nsp->ns_rules_map);
+ printf("%u\trdr rules\n", nsp->ns_rules_rdr);
+ printf("%u\twilds\n", nsp->ns_wilds);
+ if (opts & OPT_VERBOSE)
+ printf("list %p\n", nsp->ns_list);
+ }
+
+ if (opts & OPT_LIST) {
+ if (alive)
+ dostats_live(fd, nsp, opts, filter);
+ else
+ dostats_dead(nsp, opts, filter);
+ }
}
/*
* Display NAT statistics.
*/
-void dostats_live(fd, nsp, opts)
-natstat_t *nsp;
-int fd, opts;
+void dostats_live(fd, nsp, opts, filter)
+ natstat_t *nsp;
+ int fd, opts, *filter;
{
ipfgeniter_t iter;
+ char buffer[2000];
ipfobj_t obj;
- ipnat_t ipn;
+ ipnat_t *ipn;
nat_t nat;
+ int i;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
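Review bot: `char buffer[2000]` is cast to `ipnat_t *` and filled by `SIOCGENITER`, but a plain char array carries no alignment guarantee for ipnat_t and 2000 is an unexplained bound. Declaring it as `union { ipnat_t ipn; char pad[2000]; } buffer;` fixes the alignment, with the two uses in the next hunk becoming `&buffer` and `&buffer.ipn`. The size the kernel is told it may write is set outside this hunk and should be derived from `sizeof(buffer)` rather than repeated as a literal. In `dostats()` the lines labelled "log successes" and "log failures" print `ns_side[0].ns_log` and `ns_side[1].ns_log`, which read like per-direction counters, while `ns_log_ok` and `ns_log_fail` are printed further down; those two labels are worth confirming. dostats_live's body continues outside the hunk.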
@@ -457,22 +556,39 @@ int fd, opts;
iter.igi_type = IPFGENITER_IPNAT;
iter.igi_nitems = 1;
- iter.igi_data = &ipn;
+ iter.igi_data = buffer;
+ ipn = (ipnat_t *)buffer;
/*
* Show list of NAT rules and NAT sessions ?
*/
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
+ if (nat_fields == NULL) {
+ printf("List of active MAP/Redirect filters:\n");
+ while (nsp->ns_list) {
+ if (ioctl(fd, SIOCGENITER, &obj) == -1)
+ break;
+ if (opts & OPT_HITS)
+ printf("%lu ", ipn->in_hits);
+ printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+ nsp->ns_list = ipn->in_next;
+ }
}
- printf("\nList of active sessions:\n");
+ if (nat_fields == NULL) {
+ printf("\nList of active sessions:\n");
+
+ } else if (nohdrfields == 0) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printfieldhdr(natfields, nat_fields + i);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ }
+
+ i = IPFGENITER_IPNAT;
+ (void) ioctl(fd,SIOCIPFDELTOK, &i);
+
iter.igi_type = IPFGENITER_NAT;
iter.igi_nitems = 1;
@@ -481,14 +597,35 @@ int fd, opts;
while (nsp->ns_instances != NULL) {
if (ioctl(fd, SIOCGENITER, &obj) == -1)
break;
- printactivenat(&nat, opts, 1, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
+ if ((filter != NULL) && (nat_matcharray(&nat, filter) == 0))
+ continue;
+ if (nat_fields != NULL) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printnatfield(&nat, nat_fields[i].w_value);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else {
+ printactivenat(&nat, opts, nsp->ns_ticks);
+ if (nat.nat_aps) {
+ int proto;
+
+ if (nat.nat_dir & NAT_OUTBOUND)
+ proto = nat.nat_pr[1];
+ else
+ proto = nat.nat_pr[0];
+ printaps(nat.nat_aps, opts, proto);
+ }
+ }
nsp->ns_instances = nat.nat_next;
}
if (opts & OPT_VERBOSE)
showhostmap_live(fd, nsp);
+
+ i = IPFGENITER_NAT;
+ (void) ioctl(fd,SIOCIPFDELTOK, &i);
}
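Review bot: The new `continue` for non-matching entries jumps over `nsp->ns_instances = nat.nat_next;` at the bottom of the loop, so the `while (nsp->ns_instances != NULL)` condition is not advanced for filtered entries. When the final session is filtered out, the loop no longer ends on the NULL `nat_next` and instead depends on the next `SIOCGENITER` call failing. Move the assignment above the filter test, directly after the ioctl check. dostats_live starts outside this hunk.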
@@ -496,7 +633,7 @@ int fd, opts;
* Display the active host mapping table.
*/
void showhostmap_dead(nsp)
-natstat_t *nsp;
+ natstat_t *nsp;
{
hostmap_t hm, *hmp, **maptable;
u_int hv;
@@ -532,12 +669,13 @@ natstat_t *nsp;
* Display the active host mapping table.
*/
void showhostmap_live(fd, nsp)
-int fd;
-natstat_t *nsp;
+ int fd;
+ natstat_t *nsp;
{
ipfgeniter_t iter;
hostmap_t hm;
ipfobj_t obj;
+ int i;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
@@ -554,25 +692,167 @@ natstat_t *nsp;
while (nsp->ns_maplist != NULL) {
if (ioctl(fd, SIOCGENITER, &obj) == -1)
break;
- printhostmap(&hm, 0);
+ printhostmap(&hm, hm.hm_hv);
nsp->ns_maplist = hm.hm_next;
}
+
+ i = IPFGENITER_HOSTMAP;
+ (void) ioctl(fd,SIOCIPFDELTOK, &i);
}
-void showtqtable_live(fd)
-int fd;
+int nat_matcharray(nat, array)
+ nat_t *nat;
+ int *array;
{
- ipftq_t table[IPF_TCP_NSTATES];
- ipfobj_t obj;
+ int i, n, *x, rv, p;
+ ipfexp_t *e;
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = (void *)table;
- obj.ipfo_type = IPFOBJ_STATETQTAB;
+ rv = 0;
+ n = array[0];
+ x = array + 1;
+
+ for (; n > 0; x += 3 + x[3], rv = 0) {
+ e = (ipfexp_t *)x;
+ if (e->ipfe_cmd == IPF_EXP_END)
+ break;
+ n -= e->ipfe_size;
+
+ p = e->ipfe_cmd >> 16;
+ if ((p != 0) && (p != nat->nat_pr[1]))
+ break;
+
+ switch (e->ipfe_cmd)
+ {
+ case IPF_EXP_IP_PR :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_pr[1] == e->ipfe_arg0[i]);
+ }
+ break;
- if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
- printtqtable(table);
+ case IPF_EXP_IP_SRCADDR :
+ if (nat->nat_v[0] != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((nat->nat_osrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_nsrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_DSTADDR :
+ if (nat->nat_v[0] != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((nat->nat_odstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_ndstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_ADDR :
+ if (nat->nat_v[0] != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((nat->nat_osrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_nsrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_odstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_ndstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+#ifdef USE_INET6
+ case IPF_EXP_IP6_SRCADDR :
+ if (nat->nat_v[0] != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&nat->nat_osrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_nsrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_DSTADDR :
+ if (nat->nat_v[0] != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&nat->nat_odst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_ndst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_ADDR :
+ if (nat->nat_v[0] != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&nat->nat_osrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_nsrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_odst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_ndst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+#endif
+
+ case IPF_EXP_UDP_PORT :
+ case IPF_EXP_TCP_PORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_osport == e->ipfe_arg0[i]) ||
+ (nat->nat_nsport == e->ipfe_arg0[i]) ||
+ (nat->nat_odport == e->ipfe_arg0[i]) ||
+ (nat->nat_ndport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_SPORT :
+ case IPF_EXP_TCP_SPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_osport == e->ipfe_arg0[i]) ||
+ (nat->nat_nsport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_DPORT :
+ case IPF_EXP_TCP_DPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_odport == e->ipfe_arg0[i]) ||
+ (nat->nat_ndport == e->ipfe_arg0[i]);
+ }
+ break;
+ }
+ rv ^= e->ipfe_not;
+
+ if (rv == 0)
+ break;
}
+
+ return rv;
}
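Review bot: `nat_matcharray()` appears to return 0 on every path. The `rv = 0` in the for-increment clause runs after each matching expression, so the result is already cleared when the loop exits through `n > 0` failing or the `IPF_EXP_END` break, and the other two breaks only fire while `rv` is 0. Since the caller skips an entry when the result is 0, any filter would hide every NAT session. Dropping `rv = 0` from the loop header (`for (; n > 0; x += 3 + x[3]) {`) and placing `rv = 0;` right after `n -= e->ipfe_size;` keeps the last result. The walk also trusts `x[3]`, `ipfe_size` and `ipfe_narg` from the array with no bound against `n`, so a comment stating where the array is expected to come from would help.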
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index 7109f60..71fb8ee 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -60,33 +60,58 @@ static int natfd = -1;
static ioctlfunc_t natioctlfunc = NULL;
static addfunc_t nataddfunc = NULL;
static int suggest_port = 0;
+static proxyrule_t *prules = NULL;
+static int parser_error = 0;
static void newnatrule __P((void));
static void setnatproto __P((int));
-
+static void setmapifnames __P((void));
+static void setrdrifnames __P((void));
+static void proxy_setconfig __P((int));
+static void proxy_unsetconfig __P((void));
+static namelist_t *proxy_dns_add_pass __P((char *, char *));
+static namelist_t *proxy_dns_add_block __P((char *, char *));
+static void proxy_addconfig __P((char *, int, char *, namelist_t *));
+static void proxy_loadconfig __P((int, ioctlfunc_t, char *, int,
+ char *, namelist_t *));
+static void proxy_loadrules __P((int, ioctlfunc_t, proxyrule_t *));
+static void setmapifnames __P((void));
+static void setrdrifnames __P((void));
+static void setifname __P((ipnat_t **, int, char *));
+static int addname __P((ipnat_t **, char *));
%}
%union {
char *str;
u_32_t num;
- struct in_addr ipa;
+ struct {
+ i6addr_t a;
+ int f;
+ } ipa;
frentry_t fr;
frtuc_t *frt;
u_short port;
struct {
- u_short p1;
- u_short p2;
+ int p1;
+ int p2;
int pc;
} pc;
struct {
- struct in_addr a;
- struct in_addr m;
+ i6addr_t a;
+ i6addr_t m;
+ int t; /* Address type */
+ int u;
+ int f; /* Family */
+ int v; /* IP version */
+ int s; /* 0 = number, 1 = text */
+ int n; /* number */
} ipp;
union i6addr ip6;
+ namelist_t *names;
};
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
-%token YY_COMMENT
+%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
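Review bot: The prototypes for `setmapifnames` and `setrdrifnames` are declared twice in the added block, once after `setnatproto` and again after `proxy_loadrules`; the second pair can be dropped. In the `%union`, the new `ipp` members `t`, `f`, `v`, `s` and `n` carry comments, but `u` and the `f` member of `ipa` do not. A short comment on each would help, for example `int f; /* Family */` in `ipa` if it mirrors the `ipp` field.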
@@ -95,23 +120,42 @@ static void setnatproto __P((int));
%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token IPNY_TLATE IPNY_SEQUENTIAL
+%token IPNY_TLATE IPNY_POOL IPNY_HASH IPNY_NO IPNY_REWRITE IPNY_PROTO
+%token IPNY_ON IPNY_SRC IPNY_DST IPNY_IN IPNY_OUT IPNY_DIVERT
+%token IPNY_CONFIG IPNY_ALLOW IPNY_DENY IPNY_DNS IPNY_INET IPNY_INET6
+%token IPNY_SEQUENTIAL IPNY_DSTLIST IPNY_PURGE
%type <port> portspec
%type <num> hexnumber compare range proto
-%type <ipa> hostname ipv4
-%type <ipp> addr nummask rhaddr
-%type <pc> portstuff
+%type <num> saddr daddr sobject dobject mapfrom rdrfrom dip
+%type <ipa> hostname ipv4 ipaddr
+%type <ipp> addr rhsaddr rhdaddr erhdaddr
+%type <pc> portstuff portpair comaports srcports dstports
+%type <names> dnslines dnsline
%%
file: line
| assign
| file line
| file assign
+ | file pconf ';'
;
-line: xx rule { while ((nat = nattop) != NULL) {
+line: xx rule { int err;
+ while ((nat = nattop) != NULL) {
+ if (nat->in_v[0] == 0)
+ nat->in_v[0] = 4;
+ if (nat->in_v[1] == 0)
+ nat->in_v[1] = nat->in_v[0];
nattop = nat->in_next;
- (*nataddfunc)(natfd, natioctlfunc, nat);
+ err = (*nataddfunc)(natfd, natioctlfunc, nat);
free(nat);
+ if (err != 0) {
+ parser_error = err;
+ break;
+ }
+ }
+ if (parser_error == 0 && prules != NULL) {
+ proxy_loadrules(natfd, natioctlfunc, prules);
+ prules = NULL;
}
resetlexer();
}
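Review bot: When `(*nataddfunc)()` returns non-zero, the loop breaks after freeing only the current entry, so whatever is still linked from `nattop` is neither submitted nor freed in this action. `parser_error` is also never cleared here, so `proxy_loadrules()` is skipped for every later line as well. If aborting on the first failure is intended, a comment saying so would help; otherwise the error branch could drain the list before the `break`, e.g. `while ((nat = nattop) != NULL) { nattop = nat->in_next; free(nat); }`. Whether `newnatrule()` or `resetlexer()` deals with leftover entries is outside this hunk.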
@@ -136,206 +180,541 @@ xx: { newnatrule(); }
rule: map eol
| mapblock eol
| redir eol
+ | rewrite ';'
+ | divert ';'
+ ;
+
+no: IPNY_NO { nat->in_flags |= IPN_NO; }
;
eol: | ';'
;
-map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+map: mapit ifnames addr tlate rhsaddr proxy mapoptions
+ { if ($3.f != 0 && $3.f != $5.f && $5.f != 0)
+ yyerror("3.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3.v != 0)
+ nat->in_v[0] = $3.v;
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3.v != 0)
+ nat->in_v[1] = $3.v;
+ nat->in_osrcatype = $3.t;
+ bcopy(&$3.a, &nat->in_osrc.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_osrc.na_addr[1],
+ sizeof($3.a));
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
+ }
+ | mapit ifnames addr tlate rhsaddr mapport mapoptions
+ { if ($3.f != $5.f && $3.f != 0 && $5.f != 0)
+ yyerror("4.address family mismatch");
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[0] == 0 && $3.v != 0)
+ nat->in_v[0] = $3.v;
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[1] == 0 && $3.v != 0)
+ nat->in_v[1] = $3.v;
+ nat->in_osrcatype = $3.t;
+ bcopy(&$3.a, &nat->in_osrc.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_osrc.na_addr[1],
+ sizeof($3.a));
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
- | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ | no mapit ifnames addr setproto ';'
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = $4.v;
+ nat->in_osrcatype = $4.t;
+ bcopy(&$4.a, &nat->in_osrc.na_addr[0],
+ sizeof($4.a));
+ bcopy(&$4.m, &nat->in_osrc.na_addr[1],
+ sizeof($4.a));
+
+ setmapifnames();
}
- | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions
+ { if ($3 != 0 && $5.f != 0 && $3 != $5.f)
+ yyerror("5.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3 != 0)
+ nat->in_v[0] = ftov($3);
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3 != 0)
+ nat->in_v[1] = ftov($3);
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
- | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ | no mapit ifnames mapfrom setproto ';'
+ { nat->in_v[0] = ftov($4);
+ setmapifnames();
+ }
+ | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions
+ { if ($3 != 0 && $5.f != 0 && $3 != $5.f)
+ yyerror("6.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3 != 0)
+ nat->in_v[0] = ftov($3);
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3 != 0)
+ nat->in_v[1] = ftov($3);
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
;
mapblock:
- mapblockit ifnames addr IPNY_TLATE addr ports mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ mapblockit ifnames addr tlate addr ports mapoptions
+ { if ($3.f != 0 && $5.f != 0 && $3.f != $5.f)
+ yyerror("7.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3.v != 0)
+ nat->in_v[0] = $3.v;
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3.v != 0)
+ nat->in_v[1] = $3.v;
+ nat->in_osrcatype = $3.t;
+ bcopy(&$3.a, &nat->in_osrc.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_osrc.na_addr[1],
+ sizeof($3.a));
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
+ }
+ | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';'
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = $5.v;
+ if (nat->in_v[1] == 0)
+ nat->in_v[1] = $5.v;
+ nat->in_osrcatype = $5.t;
+ bcopy(&$5.a, &nat->in_osrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_osrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
+ }
+ ;
+
+redir: rdrit ifnames addr dport tlate dip nport setproto rdroptions
+ { if ($6 != 0 && $3.f != 0 && $6 != $3.f)
+ yyerror("21.address family mismatch");
+ if (nat->in_v[0] == 0) {
+ if ($3.v != AF_UNSPEC)
+ nat->in_v[0] = ftov($3.f);
+ else
+ nat->in_v[0] = ftov($6);
+ }
+ nat->in_odstatype = $3.t;
+ bcopy(&$3.a, &nat->in_odst.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_odst.na_addr[1],
+ sizeof($3.a));
+
+ setrdrifnames();
+ }
+ | no rdrit ifnames addr dport setproto ';'
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = ftov($4.f);
+ nat->in_odstatype = $4.t;
+ bcopy(&$4.a, &nat->in_odst.na_addr[0],
+ sizeof($4.a));
+ bcopy(&$4.m, &nat->in_odst.na_addr[1],
+ sizeof($4.a));
+
+ setrdrifnames();
+ }
+ | rdrit ifnames rdrfrom tlate dip nport setproto rdroptions
+ { if ($5 != 0 && $3 != 0 && $5 != $3)
+ yyerror("20.address family mismatch");
+ if (nat->in_v[0] == 0) {
+ if ($3 != AF_UNSPEC)
+ nat->in_v[0] = ftov($3);
+ else
+ nat->in_v[0] = ftov($5);
+ }
+ setrdrifnames();
+ }
+ | no rdrit ifnames rdrfrom setproto ';'
+ { nat->in_v[0] = ftov($4);
+
+ setrdrifnames();
+ }
+ ;
+
+rewrite:
+ IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = ftov($4);
+ if (nat->in_redir & NAT_MAP)
+ setmapifnames();
+ else
+ setrdrifnames();
+ nat->in_redir |= NAT_REWRITE;
+ }
+ ;
+
+divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = ftov($4);
+ if (nat->in_redir & NAT_MAP) {
+ setmapifnames();
+ nat->in_pr[0] = IPPROTO_UDP;
+ } else {
+ setrdrifnames();
+ nat->in_pr[1] = IPPROTO_UDP;
+ }
+ nat->in_flags &= ~IPN_TCP;
+ }
+ ;
+
+tlate: IPNY_TLATE { yyexpectaddr = 1; }
+ ;
+
+pconf: IPNY_PROXY { yysetdict(proxies); }
+ IPNY_DNS '/' proto IPNY_CONFIG YY_STR '{'
+ { proxy_setconfig(IPNY_DNS); }
+ dnslines ';' '}'
+ { proxy_addconfig("dns", $5, $7, $10);
+ proxy_unsetconfig();
+ }
+ ;
+
+dnslines:
+ dnsline { $$ = $1; }
+ | dnslines ';' dnsline { $$ = $1; $1->na_next = $3; }
+ ;
+
+dnsline:
+ IPNY_ALLOW YY_STR { $$ = proxy_dns_add_pass(NULL, $2); }
+ | IPNY_DENY YY_STR { $$ = proxy_dns_add_block(NULL, $2); }
+ | IPNY_ALLOW '.' YY_STR { $$ = proxy_dns_add_pass(".", $3); }
+ | IPNY_DENY '.' YY_STR { $$ = proxy_dns_add_block(".", $3); }
+ ;
+
+oninout:
+ inout IPNY_ON ifnames { ; }
+ ;
+
+inout: IPNY_IN { nat->in_redir = NAT_REDIRECT; }
+ | IPNY_OUT { nat->in_redir = NAT_MAP; }
+ ;
+
+rwrproto:
+ | IPNY_PROTO setproto
+ ;
+
+newdst: src rhsaddr srcports dst erhdaddr dstports
+ { nat->in_nsrc.na_addr[0] = $2.a;
+ nat->in_nsrc.na_addr[1] = $2.m;
+ nat->in_nsrc.na_atype = $2.t;
+ if ($2.t == FRI_LOOKUP) {
+ nat->in_nsrc.na_type = $2.u;
+ nat->in_nsrc.na_subtype = $2.s;
+ nat->in_nsrc.na_num = $2.n;
+ }
+ nat->in_nsports[0] = $3.p1;
+ nat->in_nsports[1] = $3.p2;
+ nat->in_ndst.na_addr[0] = $5.a;
+ nat->in_ndst.na_addr[1] = $5.m;
+ nat->in_ndst.na_atype = $5.t;
+ if ($5.t == FRI_LOOKUP) {
+ nat->in_ndst.na_type = $5.u;
+ nat->in_ndst.na_subtype = $5.s;
+ nat->in_ndst.na_num = $5.n;
+ }
+ nat->in_ndports[0] = $6.p1;
+ nat->in_ndports[1] = $6.p2;
+ }
+ ;
+
+divdst: src addr ',' portspec dst addr ',' portspec IPNY_UDP
+ { nat->in_nsrc.na_addr[0] = $2.a;
+ if ($2.m.in4.s_addr != 0xffffffff)
+ yyerror("divert must have /32 dest");
+ nat->in_nsrc.na_addr[1] = $2.m;
+ nat->in_nsports[0] = $4;
+ nat->in_nsports[1] = $4;
+
+ nat->in_ndst.na_addr[0] = $6.a;
+ nat->in_ndst.na_addr[1] = $6.m;
+ if ($6.m.in4.s_addr != 0xffffffff)
+ yyerror("divert must have /32 dest");
+ nat->in_ndports[0] = $8;
+ nat->in_ndports[1] = $8;
+
+ nat->in_redir |= NAT_DIVERTUDP;
+ }
+ ;
+
+src: IPNY_SRC { yyexpectaddr = 1; }
+ ;
+
+dst: IPNY_DST { yyexpectaddr = 1; }
+ ;
+
+srcports:
+ comaports { $$.p1 = $1.p1;
+ $$.p2 = $1.p2;
+ }
+ | IPNY_PORT '=' portspec
+ { $$.p1 = $3;
+ $$.p2 = $3;
+ nat->in_flags |= IPN_FIXEDSPORT;
}
;
-redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
+dstports:
+ comaports { $$.p1 = $1.p1;
+ $$.p2 = $1.p2;
}
- | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
+ | IPNY_PORT '=' portspec
+ { $$.p1 = $3;
+ $$.p2 = $3;
+ nat->in_flags |= IPN_FIXEDDPORT;
}
- | rdrit ifnames addr IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
+ ;
+
+comaports:
+ { $$.p1 = 0;
+ $$.p2 = 0;
}
- | rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
+ | ',' { if (!(nat->in_flags & IPN_TCPUDP))
+ yyerror("must be TCP/UDP for ports");
+ }
+ portpair { $$.p1 = $3.p1;
+ $$.p2 = $3.p2;
}
;
proxy: | IPNY_PROXY port portspec YY_STR '/' proto
- { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
+ { int pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
if (nat->in_dcmp == 0) {
- nat->in_dport = htons($3);
- } else if ($3 != nat->in_dport) {
+ nat->in_odport = $3;
+ } else if ($3 != nat->in_odport) {
yyerror("proxy port numbers not consistant");
}
+ nat->in_ndport = $3;
setnatproto($6);
free($4);
}
| IPNY_PROXY port YY_STR YY_STR '/' proto
- { int pnum;
- strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
+ { int pnum, pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
pnum = getportproto($3, $6);
if (pnum == -1)
yyerror("invalid port number");
- nat->in_dport = pnum;
+ nat->in_odport = ntohs(pnum);
+ nat->in_ndport = ntohs(pnum);
setnatproto($6);
free($3);
free($4);
}
+ | IPNY_PROXY port portspec YY_STR '/' proto IPNY_CONFIG YY_STR
+ { int pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
+ if (nat->in_dcmp == 0) {
+ nat->in_odport = $3;
+ } else if ($3 != nat->in_odport) {
+ yyerror("proxy port numbers not consistant");
+ }
+ nat->in_ndport = $3;
+ setnatproto($6);
+ nat->in_pconfig = addname(&nat, $8);
+ free($4);
+ free($8);
+ }
+ | IPNY_PROXY port YY_STR YY_STR '/' proto IPNY_CONFIG YY_STR
+ { int pnum, pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
+ pnum = getportproto($3, $6);
+ if (pnum == -1)
+ yyerror("invalid port number");
+ nat->in_odport = ntohs(pnum);
+ nat->in_ndport = ntohs(pnum);
+ setnatproto($6);
+ pos = addname(&nat, $8);
+ nat->in_pconfig = pos;
+ free($3);
+ free($4);
+ free($8);
+ }
;
-
setproto:
- | proto { if (nat->in_p != 0 ||
+ | proto { if (nat->in_pr[0] != 0 ||
+ nat->in_pr[1] != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
setnatproto($1);
}
- | IPNY_TCPUDP { if (nat->in_p != 0 ||
+ | IPNY_TCPUDP { if (nat->in_pr[0] != 0 ||
+ nat->in_pr[1] != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
- | IPNY_TCP '/' IPNY_UDP { if (nat->in_p != 0 ||
+ | IPNY_TCP '/' IPNY_UDP { if (nat->in_pr[0] != 0 ||
+ nat->in_pr[1] != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
;
-rhaddr: addr { $$.a = $1.a; $$.m = $1.m; }
- | IPNY_RANGE ipv4 '-' ipv4
- { $$.a = $2; $$.m = $4;
- nat->in_flags |= IPN_IPRANGE; }
+rhsaddr:
+ addr { $$ = $1;
+ yyexpectaddr = 0;
+ }
+ | hostname '-' { yyexpectaddr = 1; } hostname
+ { $$.t = FRI_RANGE;
+ if ($1.f != $4.f)
+ yyerror("8.address family "
+ "mismatch");
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ $$.a = $1.a;
+ $$.m = $4.a;
+ nat->in_flags |= IPN_SIPRANGE;
+ yyexpectaddr = 0;
+ }
+ | IPNY_RANGE hostname '-' { yyexpectaddr = 1; } hostname
+ { $$.t = FRI_RANGE;
+ if ($2.f != $5.f)
+ yyerror("9.address family "
+ "mismatch");
+ $$.f = $2.f;
+ $$.v = ftov($2.f);
+ $$.a = $2.a;
+ $$.m = $5.a;
+ nat->in_flags |= IPN_SIPRANGE;
+ yyexpectaddr = 0;
+ }
;
dip:
- hostname { nat->in_inip = $1.s_addr;
- nat->in_inmsk = 0xffffffff; }
- | hostname '/' YY_NUMBER { if ($3 != 0 || $1.s_addr != 0)
- yyerror("Only 0/0 supported");
- nat->in_inip = 0;
- nat->in_inmsk = 0;
+ hostname ',' { yyexpectaddr = 1; } hostname
+ { nat->in_flags |= IPN_SPLIT;
+ if ($1.f != $4.f)
+ yyerror("10.address family "
+ "mismatch");
+ $$ = $1.f;
+ nat->in_ndstip6 = $1.a;
+ nat->in_ndstmsk6 = $4.a;
+ nat->in_ndstatype = FRI_SPLIT;
+ yyexpectaddr = 0;
+ }
+ | rhdaddr { int bits;
+ nat->in_ndstip6 = $1.a;
+ nat->in_ndstmsk6 = $1.m;
+ nat->in_ndst.na_atype = $1.t;
+ yyexpectaddr = 0;
+ if ($1.f == AF_INET)
+ bits = count4bits($1.m.in4.s_addr);
+ else
+ bits = count6bits($1.m.i6);
+ if (($1.f == AF_INET) && (bits != 0) &&
+ (bits != 32)) {
+ yyerror("dest ip bitmask not /32");
+ } else if (($1.f == AF_INET6) &&
+ (bits != 0) && (bits != 128)) {
+ yyerror("dest ip bitmask not /128");
+ }
+ $$ = $1.f;
+ }
+ ;
+
+rhdaddr:
+ addr { $$ = $1;
+ yyexpectaddr = 0;
+ }
+ | hostname '-' hostname { bzero(&$$, sizeof($$));
+ $$.t = FRI_RANGE;
+ if ($1.f != 0 && $3.f != 0 &&
+ $1.f != $3.f)
+ yyerror("11.address family "
+ "mismatch");
+ $$.a = $1.a;
+ $$.m = $3.a;
+ nat->in_flags |= IPN_DIPRANGE;
+ yyexpectaddr = 0;
+ }
+ | IPNY_RANGE hostname '-' hostname
+ { bzero(&$$, sizeof($$));
+ $$.t = FRI_RANGE;
+ if ($2.f != 0 && $4.f != 0 &&
+ $2.f != $4.f)
+ yyerror("12.address family "
+ "mismatch");
+ $$.a = $2.a;
+ $$.m = $4.a;
+ nat->in_flags |= IPN_DIPRANGE;
+ yyexpectaddr = 0;
+ }
+ ;
+
+erhdaddr:
+ rhdaddr { $$ = $1; }
+ | IPNY_DSTLIST '/' YY_NUMBER { $$.t = FRI_LOOKUP;
+ $$.u = IPLT_DSTLIST;
+ $$.s = 0;
+ $$.n = $3;
+ }
+ | IPNY_DSTLIST '/' YY_STR { $$.t = FRI_LOOKUP;
+ $$.u = IPLT_DSTLIST;
+ $$.s = 1;
+ $$.n = addname(&nat, $3);
}
- | hostname ',' hostname { nat->in_flags |= IPN_SPLIT;
- nat->in_inip = $1.s_addr;
- nat->in_inmsk = $3.s_addr; }
;
port: IPNY_PORT { suggest_port = 1; }
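Review bot: The `dnslines` list rule links each new entry with `$1->na_next = $3`, where `$1` is always the head of the list, so a `config` block with three or more `allow`/`deny` lines keeps only the first and the last. The entries in between are dropped and leaked, which for a deny list means rules silently not applied. Appending at the tail fixes this, assuming `proxy_dns_add_pass()` and `proxy_dns_add_block()` return a single non-NULL node with `na_next` cleared (their bodies are not in this hunk). Separately, the two `IPNY_DSTLIST` alternatives of `erhdaddr` set only `t`, `u`, `s` and `n`, while `newdst` copies `$5.a` and `$5.m` into the rule. A `bzero(&$$, sizeof($$));` at the start of those actions, as `rhdaddr` does, would avoid copying stale values.

```yacc
dnslines:
	dnsline			{ $$ = $1; }
	| dnslines ';' dnsline	{ namelist_t *tail;

				  /* append at the tail so earlier entries stay linked */
				  for (tail = $1; tail->na_next != NULL;
				       tail = tail->na_next)
					;
				  tail->na_next = $3;
				  $$ = $1;
				}
	;
```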
@@ -347,27 +726,44 @@ portspec:
else
$$ = $1;
}
- | YY_STR { if (getport(NULL, $1, &($$)) == -1)
+ | YY_STR { if (getport(NULL, $1,
+ &($$), NULL) == -1)
yyerror("invalid port number");
$$ = ntohs($$);
}
;
-dport: | port portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($2); }
- | port portspec '-' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
- | port portspec ':' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
+portpair:
+ portspec { $$.p1 = $1; $$.p2 = $1; }
+ | portspec '-' portspec { $$.p1 = $1; $$.p2 = $3; }
+ | portspec ':' portspec { $$.p1 = $1; $$.p2 = $3; }
+ ;
+
+dport: | port portpair { nat->in_odport = $2.p1;
+ if ($2.p2 == 0)
+ nat->in_dtop = $2.p1;
+ else
+ nat->in_dtop = $2.p2;
+ }
;
-nport: port portspec { nat->in_pnext = htons($2); }
- | port '=' portspec { nat->in_pnext = htons($3);
+nport: | port portpair { nat->in_dpmin = $2.p1;
+ nat->in_dpnext = $2.p1;
+ nat->in_dpmax = $2.p2;
+ nat->in_ndport = $2.p1;
+ if (nat->in_dtop == 0)
+ nat->in_dtop = $2.p2;
+ }
+ | port '=' portspec { nat->in_dpmin = $3;
+ nat->in_dpnext = $3;
+ nat->in_ndport = $3;
+ if (nat->in_dtop == 0)
+ nat->in_dtop = nat->in_odport;
nat->in_flags |= IPN_FIXEDDPORT;
}
;
-ports: | IPNY_PORTS YY_NUMBER { nat->in_pmin = $2; }
+ports: | IPNY_PORTS YY_NUMBER { nat->in_spmin = $2; }
| IPNY_PORTS IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; }
;
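Review bot: `portpair` accepts `portspec '-' portspec` and `portspec ':' portspec` without checking that the first port is not above the second, and `dport` and `nport` store the pair straight into `in_odport`/`in_dtop` and `in_dpmin`/`in_dpmax`. Unless the range is validated where the rule is consumed, which this hunk does not show, a reversed range reaches the rule unchanged. A check in both range alternatives, such as `if ($1 > $3) yyerror("invalid port range");`, would reject it at parse time. The comparison `$2.p2 == 0` in `dport` also deserves a comment, since `portpair` sets `p2` equal to `p1` for a single port and the branch is therefore only taken for port 0.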
@@ -383,128 +779,282 @@ mapblockit:
;
mapfrom:
- from sobject IPNY_TO dobject
- | from sobject '!' IPNY_TO dobject
- { nat->in_flags |= IPN_NOTDST; }
- | from sobject IPNY_TO '!' dobject
- { nat->in_flags |= IPN_NOTDST; }
+ from sobject to dobject { if ($2 != 0 && $4 != 0 && $2 != $4)
+ yyerror("13.address family "
+ "mismatch");
+ $$ = $2;
+ }
+ | from sobject '!' to dobject
+ { if ($2 != 0 && $5 != 0 && $2 != $5)
+ yyerror("14.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTDST;
+ $$ = $2;
+ }
+ | from sobject to '!' dobject
+ { if ($2 != 0 && $5 != 0 && $2 != $5)
+ yyerror("15.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTDST;
+ $$ = $2;
+ }
;
rdrfrom:
- from sobject IPNY_TO dobject
- | '!' from sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
- | from '!' sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
+ from sobject to dobject { if ($2 != 0 && $4 != 0 && $2 != $4)
+ yyerror("16.address family "
+ "mismatch");
+ $$ = $2;
+ }
+ | '!' from sobject to dobject
+ { if ($3 != 0 && $5 != 0 && $3 != $5)
+ yyerror("17.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTSRC;
+ $$ = $3;
+ }
+ | from '!' sobject to dobject
+ { if ($3 != 0 && $5 != 0 && $3 != $5)
+ yyerror("18.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTSRC;
+ $$ = $3;
+ }
+ ;
+
+from: IPNY_FROM { nat->in_flags |= IPN_FILTER;
+ yyexpectaddr = 1;
+ }
;
-from: IPNY_FROM { nat->in_flags |= IPN_FILTER; }
+to: IPNY_TO { yyexpectaddr = 1; }
;
ifnames:
- ifname
- | ifname ',' otherifname
+ ifname family { yyexpectaddr = 1; }
+ | ifname ',' otherifname family { yyexpectaddr = 1; }
;
-ifname: YY_STR { strncpy(nat->in_ifnames[0], $1,
- sizeof(nat->in_ifnames[0]));
- nat->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
+ifname: YY_STR { setifname(&nat, 0, $1);
+ free($1);
+ }
+ ;
+
+family: | IPNY_INET { nat->in_v[0] = 4; nat->in_v[1] = 4; }
+ | IPNY_INET6 { nat->in_v[0] = 6; nat->in_v[1] = 6; }
;
otherifname:
- YY_STR { strncpy(nat->in_ifnames[1], $1,
- sizeof(nat->in_ifnames[1]));
- nat->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
+ YY_STR { setifname(&nat, 1, $1);
+ free($1);
+ }
;
mapport:
- IPNY_PORTMAP tcpudp portspec ':' portspec randport
- { nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
- }
- | IPNY_PORTMAP tcpudp IPNY_AUTO randport
- { nat->in_flags |= IPN_AUTOPORTMAP;
- nat->in_pmin = htons(1024);
- nat->in_pmax = htons(65535);
- }
- | IPNY_ICMPIDMAP YY_STR YY_NUMBER ':' YY_NUMBER
- { if (strcmp($2, "icmp") != 0) {
+ IPNY_PORTMAP tcpudp portpair sequential
+ { nat->in_spmin = $3.p1;
+ nat->in_spmax = $3.p2;
+ }
+ | IPNY_PORTMAP portpair tcpudp sequential
+ { nat->in_spmin = $2.p1;
+ nat->in_spmax = $2.p2;
+ }
+ | IPNY_PORTMAP tcpudp IPNY_AUTO sequential
+ { nat->in_flags |= IPN_AUTOPORTMAP;
+ nat->in_spmin = 1024;
+ nat->in_spmax = 65535;
+ }
+ | IPNY_ICMPIDMAP YY_STR portpair sequential
+ { if (strcmp($2, "icmp") != 0 &&
+ strcmp($2, "ipv6-icmp") != 0) {
yyerror("icmpidmap not followed by icmp");
}
free($2);
- if ($3 < 0 || $3 > 65535)
+ if ($3.p1 < 0 || $3.p1 > 65535)
yyerror("invalid ICMP Id number");
- if ($5 < 0 || $5 > 65535)
+ if ($3.p2 < 0 || $3.p2 > 65535)
yyerror("invalid ICMP Id number");
+ if (strcmp($2, "ipv6-icmp") == 0) {
+ nat->in_pr[0] = IPPROTO_ICMPV6;
+ nat->in_pr[1] = IPPROTO_ICMPV6;
+ } else {
+ nat->in_pr[0] = IPPROTO_ICMP;
+ nat->in_pr[1] = IPPROTO_ICMP;
+ }
nat->in_flags = IPN_ICMPQUERY;
- nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
+ nat->in_spmin = $3.p1;
+ nat->in_spmax = $3.p2;
}
;
-randport:
- | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
- ;
-
sobject:
- saddr
- | saddr port portstuff { nat->in_sport = $3.p1;
+ saddr { $$ = $1; }
+ | saddr port portstuff { nat->in_osport = $3.p1;
nat->in_stop = $3.p2;
- nat->in_scmp = $3.pc; }
+ nat->in_scmp = $3.pc;
+ $$ = $1;
+ }
;
-saddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
- } else {
- nat->in_inip = $1.a.s_addr;
- nat->in_inmsk = $1.m.s_addr;
- }
+saddr: addr { nat->in_osrcatype = $1.t;
+ bcopy(&$1.a,
+ &nat->in_osrc.na_addr[0],
+ sizeof($1.a));
+ bcopy(&$1.m,
+ &nat->in_osrc.na_addr[1],
+ sizeof($1.m));
+ $$ = $1.f;
}
;
dobject:
- daddr
- | daddr port portstuff { nat->in_dport = $3.p1;
+ daddr { $$ = $1; }
+ | daddr port portstuff { nat->in_odport = $3.p1;
nat->in_dtop = $3.p2;
nat->in_dcmp = $3.pc;
- if (nat->in_redir == NAT_REDIRECT)
- nat->in_pmin = htons($3.p1);
+ $$ = $1;
}
;
-daddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_outip = $1.a.s_addr;
- nat->in_outmsk = $1.m.s_addr;
- } else {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
+daddr: addr { nat->in_odstatype = $1.t;
+ bcopy(&$1.a,
+ &nat->in_odst.na_addr[0],
+ sizeof($1.a));
+ bcopy(&$1.m,
+ &nat->in_odst.na_addr[1],
+ sizeof($1.m));
+ $$ = $1.f;
+ }
+ ;
+
+addr: IPNY_ANY { yyexpectaddr = 0;
+ bzero(&$$, sizeof($$));
+ $$.t = FRI_NORMAL;
+ }
+ | hostname { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.t = FRI_NORMAL;
+ $$.v = ftov($1.f);
+ $$.f = $1.f;
+ if ($$.f == AF_INET) {
+ $$.m.in4.s_addr = 0xffffffff;
+ } else if ($$.f == AF_INET6) {
+ $$.m.i6[0] = 0xffffffff;
+ $$.m.i6[1] = 0xffffffff;
+ $$.m.i6[2] = 0xffffffff;
+ $$.m.i6[3] = 0xffffffff;
}
+ yyexpectaddr = 0;
+ }
+ | hostname slash YY_NUMBER
+ { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ $$.t = FRI_NORMAL;
+ ntomask($$.f, $3, (u_32_t *)&$$.m);
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ yyexpectaddr = 0;
+ }
+ | hostname slash ipaddr { bzero(&$$, sizeof($$));
+ if ($1.f != $3.f) {
+ yyerror("1.address family "
+ "mismatch");
+ }
+ $$.a = $1.a;
+ $$.m = $3.a;
+ $$.t = FRI_NORMAL;
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ yyexpectaddr = 0;
+ }
+ | hostname slash hexnumber { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.m.in4.s_addr = htonl($3);
+ $$.t = FRI_NORMAL;
+ $$.a.in4.s_addr &= $$.m.in4.s_addr;
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ if ($$.f == AF_INET6)
+ yyerror("incorrect inet6 mask");
+ }
+ | hostname mask ipaddr { bzero(&$$, sizeof($$));
+ if ($1.f != $3.f) {
+ yyerror("2.address family "
+ "mismatch");
+ }
+ $$.a = $1.a;
+ $$.m = $3.a;
+ $$.t = FRI_NORMAL;
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ yyexpectaddr = 0;
+ }
+ | hostname mask hexnumber { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.m.in4.s_addr = htonl($3);
+ $$.t = FRI_NORMAL;
+ $$.a.in4.s_addr &= $$.m.in4.s_addr;
+ $$.f = AF_INET;
+ $$.v = 4;
}
+ | pool slash YY_NUMBER { bzero(&$$, sizeof($$));
+ $$.a.iplookupnum = $3;
+ $$.a.iplookuptype = IPLT_POOL;
+ $$.a.iplookupsubtype = 0;
+ $$.t = FRI_LOOKUP;
+ }
+ | pool slash YY_STR { bzero(&$$, sizeof($$));
+ $$.a.iplookupname = addname(&nat,$3);
+ $$.a.iplookuptype = IPLT_POOL;
+ $$.a.iplookupsubtype = 1;
+ $$.t = FRI_LOOKUP;
+ }
+ | hash slash YY_NUMBER { bzero(&$$, sizeof($$));
+ $$.a.iplookupnum = $3;
+ $$.a.iplookuptype = IPLT_HASH;
+ $$.a.iplookupsubtype = 0;
+ $$.t = FRI_LOOKUP;
+ }
+ | hash slash YY_STR { bzero(&$$, sizeof($$));
+ $$.a.iplookupname = addname(&nat,$3);
+ $$.a.iplookuptype = IPLT_HASH;
+ $$.a.iplookupsubtype = 1;
+ $$.t = FRI_LOOKUP;
+ }
+ ;
+
+slash: '/' { yyexpectaddr = 0; }
+ ;
+
+mask: IPNY_MASK { yyexpectaddr = 0; }
;
-addr: IPNY_ANY { $$.a.s_addr = 0; $$.m.s_addr = 0; }
- | nummask { $$.a = $1.a; $$.m = $1.m;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
+pool: IPNY_POOL { if (!(nat->in_flags & IPN_FILTER)) {
+ yyerror("Can only use pool with from/to rules\n");
+ }
+ yyexpectaddr = 0;
+ yyresetdict();
+ }
;
-nummask:
- hostname { $$.a = $1;
- $$.m.s_addr = 0xffffffff; }
- | hostname '/' YY_NUMBER { $$.a = $1;
- ntomask(4, $3, &$$.m.s_addr); }
+hash: IPNY_HASH { if (!(nat->in_flags & IPN_FILTER)) {
+ yyerror("Can only use hash with from/to rules\n");
+ }
+ yyexpectaddr = 0;
+ yyresetdict();
+ }
;
portstuff:
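Review bot: In the `IPNY_ICMPIDMAP` alternative of `mapport`, the string is released by the existing `free($2);` and then read again by the added `strcmp($2, "ipv6-icmp") == 0`, which is a use after free. Move `free($2);` to the end of the action, after the `in_pr[]` assignments, or record the comparison result in a local before freeing. In the same hunk, the `pool slash YY_STR` and `hash slash YY_STR` alternatives of `addr` call `addname(&nat,$3)` without a following `free($3);`. The `proxy` actions earlier in the diff do free the string after `addname`, so it appears to leak here.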
@@ -513,17 +1063,16 @@ portstuff:
;
mapoptions:
- rr frag age mssclamp nattag setproto
+ rr frag age mssclamp nattag setproto purge
;
rdroptions:
- rr frag age sticky mssclamp rdrproxy nattag
+ rr frag age sticky mssclamp rdrproxy nattag purge
;
nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
sizeof(nat->in_tag.ipt_tag));
}
-
rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
;
@@ -536,9 +1085,9 @@ age: | IPNY_AGE YY_NUMBER { nat->in_age[0] = $2;
nat->in_age[1] = $4; }
;
-sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
+sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
!(nat->in_flags & IPN_SPLIT)) {
- fprintf(stderr,
+ FPRINTF(stderr,
"'sticky' for use with round-robin/IP splitting only\n");
} else
nat->in_flags |= IPN_STICKY;
@@ -549,30 +1098,47 @@ mssclamp:
| IPNY_MSSCLAMP YY_NUMBER { nat->in_mssclamp = $2; }
;
-tcpudp: | IPNY_TCP { setnatproto(IPPROTO_TCP); }
+tcpudp: IPNY_TCP { setnatproto(IPPROTO_TCP); }
| IPNY_UDP { setnatproto(IPPROTO_UDP); }
| IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
| IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
;
+sequential:
+ | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
+ ;
+
+purge:
+ | IPNY_PURGE { nat->in_flags |= IPN_PURGE; }
+ ;
+
rdrproxy:
IPNY_PROXY YY_STR
- { strncpy(nat->in_plabel, $2,
- sizeof(nat->in_plabel));
- nat->in_dport = nat->in_pnext;
- nat->in_dport = htons(nat->in_dport);
+ { int pos;
+ pos = addname(&nat, $2);
+ nat->in_plabel = pos;
+ nat->in_odport = nat->in_dpnext;
+ nat->in_dtop = nat->in_odport;
free($2);
}
- | proxy { if (nat->in_plabel[0] != '\0') {
- nat->in_pmin = nat->in_dport;
- nat->in_pmax = nat->in_pmin;
- nat->in_pnext = nat->in_pmin;
- }
- }
+ | proxy { if (nat->in_plabel != -1) {
+ nat->in_ndport = nat->in_odport;
+ nat->in_dpmin = nat->in_odport;
+ nat->in_dpmax = nat->in_dpmin;
+ nat->in_dtop = nat->in_dpmin;
+ nat->in_dpnext = nat->in_dpmin;
+ }
+ }
+ ;
+
+newopts:
+ | IPNY_PURGE { nat->in_flags |= IPN_PURGE; }
;
proto: YY_NUMBER { $$ = $1;
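Review bot: The new `newopts` rule at the end of this hunk has exactly the same body as the `purge` rule added a few lines above it (`IPNY_PURGE { nat->in_flags |= IPN_PURGE; }`). The option lists changed by this commit, `mapoptions` and `rdroptions`, reference `purge`, not `newopts`. If no rule outside the visible hunks uses `newopts`, drop it so the purge flag is set in one place; otherwise add a comment naming the rule types that take it.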
@@ -582,7 +1148,10 @@ proto: YY_NUMBER { $$ = $1;
}
| IPNY_TCP { $$ = IPPROTO_TCP; }
| IPNY_UDP { $$ = IPPROTO_UDP; }
- | YY_STR { $$ = getproto($1); free($1);
+ | YY_STR { $$ = getproto($1);
+ free($1);
+ if ($$ == -1)
+ yyerror("unknwon protocol");
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
suggest_port = 0;
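Review bot: The message passed to `yyerror` in the `YY_STR` alternative of `proto` is misspelled and should read `yyerror("unknown protocol");`. Execution also continues after the error with `$$` still -1, so the `suggest_port` test below runs on an invalid protocol value. The rest of the action lies outside this hunk, so confirm that the rule is discarded once `yyerror` has been called rather than loaded with protocol -1.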
@@ -594,14 +1163,39 @@ hexnumber:
;
hostname:
- YY_STR { if (gethost($1, &$$.s_addr) == -1)
- fprintf(stderr,
+ YY_STR { i6addr_t addr;
+
+ bzero(&$$, sizeof($$));
+ if (gethost(AF_INET, $1,
+ &addr) == 0) {
+ $$.a = addr;
+ $$.f = AF_INET;
+ } else
+ if (gethost(AF_INET6, $1,
+ &addr) == 0) {
+ $$.a = addr;
+ $$.f = AF_INET6;
+ } else {
+ FPRINTF(stderr,
"Unknown host '%s'\n",
$1);
+ }
free($1);
}
- | YY_NUMBER { $$.s_addr = htonl($1); }
- | ipv4 { $$.s_addr = $1.s_addr; }
+ | YY_NUMBER { bzero(&$$, sizeof($$));
+ $$.a.in4.s_addr = htonl($1);
+ if ($$.a.in4.s_addr != 0)
+ $$.f = AF_INET;
+ }
+ | ipv4 { $$ = $1; }
+ | YY_IPV6 { bzero(&$$, sizeof($$));
+ $$.a = $1;
+ $$.f = AF_INET6;
+ }
+ | YY_NUMBER YY_IPV6 { bzero(&$$, sizeof($$));
+ $$.a = $2;
+ $$.f = AF_INET6;
+ }
;
compare:
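Review bot: In the `YY_STR` alternative of `hostname`, a name that resolves under neither `AF_INET` nor `AF_INET6` only prints `Unknown host` through `FPRINTF` and leaves `$$` zeroed with family 0, so parsing carries on with an all-zero address. Unless a later check (not visible in this hunk) rejects family 0, a mistyped host name could load as a rule covering different addresses than the operator wrote. Reporting it through the parser, for example `yyerror("Unknown host");` in the final `else`, would make the load fail instead. The `YY_NUMBER` alternative leaves the family at 0 in the same way when the number is 0.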
@@ -619,40 +1213,77 @@ range:
| ':' { $$ = FR_INCRANGE; }
;
+ipaddr: ipv4 { $$ = $1; }
+ | YY_IPV6 { $$.a = $1;
+ $$.f = AF_INET6;
+ }
+ ;
+
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
{ if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
yyerror("Invalid octet string for IP address");
return 0;
}
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
+ bzero((char *)&$$, sizeof($$));
+ $$.a.in4.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
+ $$.a.in4.s_addr = htonl($$.a.in4.s_addr);
+ $$.f = AF_INET;
}
;
%%
+static wordtab_t proxies[] = {
+ { "dns", IPNY_DNS }
+};
+
+static wordtab_t dnswords[] = {
+ { "allow", IPNY_ALLOW },
+ { "block", IPNY_DENY },
+ { "deny", IPNY_DENY },
+ { "drop", IPNY_DENY },
+ { "pass", IPNY_ALLOW },
+
+};
+
static wordtab_t yywords[] = {
{ "age", IPNY_AGE },
{ "any", IPNY_ANY },
{ "auto", IPNY_AUTO },
{ "bimap", IPNY_BIMAP },
+ { "config", IPNY_CONFIG },
+ { "divert", IPNY_DIVERT },
+ { "dst", IPNY_DST },
+ { "dstlist", IPNY_DSTLIST },
{ "frag", IPNY_FRAG },
{ "from", IPNY_FROM },
+ { "hash", IPNY_HASH },
{ "icmpidmap", IPNY_ICMPIDMAP },
+ { "in", IPNY_IN },
+ { "inet", IPNY_INET },
+ { "inet6", IPNY_INET6 },
{ "mask", IPNY_MASK },
{ "map", IPNY_MAP },
{ "map-block", IPNY_MAPBLOCK },
{ "mssclamp", IPNY_MSSCLAMP },
{ "netmask", IPNY_MASK },
+ { "no", IPNY_NO },
+ { "on", IPNY_ON },
+ { "out", IPNY_OUT },
+ { "pool", IPNY_POOL },
{ "port", IPNY_PORT },
{ "portmap", IPNY_PORTMAP },
{ "ports", IPNY_PORTS },
+ { "proto", IPNY_PROTO },
{ "proxy", IPNY_PROXY },
+ { "purge", IPNY_PURGE },
{ "range", IPNY_RANGE },
+ { "rewrite", IPNY_REWRITE },
{ "rdr", IPNY_RDR },
{ "round-robin",IPNY_ROUNDROBIN },
{ "sequential", IPNY_SEQUENTIAL },
+ { "src", IPNY_SRC },
{ "sticky", IPNY_STICKY },
{ "tag", IPNY_TAG },
{ "tcp", IPNY_TCP },
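Review bot: The `YY_IPV6` alternative of the new `ipaddr` rule assigns only `$$.a` and `$$.f` without clearing `$$` first, whereas the `ipv4` and `hostname` actions in this change start with `bzero` on `$$`. Any other members of the semantic value keep whatever was previously on the parser stack. Add `bzero(&$$, sizeof($$));` as the first statement of that action so the IPv6 path is initialised like the IPv4 one.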
@@ -671,15 +1302,19 @@ static wordtab_t yywords[] = {
};
-int ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-char *filename;
+int
+ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
+ int fd;
+ addfunc_t addfunc;
+ ioctlfunc_t ioctlfunc;
+ char *filename;
{
FILE *fp = NULL;
+ int rval;
char *s;
+ yylineNum = 1;
+
(void) yysettab(yywords);
s = getenv("YYDEBUG");
@@ -691,45 +1326,49 @@ char *filename;
if (strcmp(filename, "-")) {
fp = fopen(filename, "r");
if (!fp) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
+ FPRINTF(stderr, "fopen(%s) failed: %s\n", filename,
STRERROR(errno));
return -1;
}
} else
fp = stdin;
- while (ipnat_parsesome(fd, addfunc, ioctlfunc, fp) == 1)
+ while ((rval = ipnat_parsesome(fd, addfunc, ioctlfunc, fp)) == 0)
;
if (fp != NULL)
fclose(fp);
- return 0;
+ if (rval == -1)
+ rval = 0;
+ else if (rval != 0)
+ rval = 1;
+ return rval;
}
-int ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-FILE *fp;
+int
+ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
+ int fd;
+ addfunc_t addfunc;
+ ioctlfunc_t ioctlfunc;
+ FILE *fp;
{
char *s;
int i;
- yylineNum = 1;
-
natfd = fd;
+ parser_error = 0;
nataddfunc = addfunc;
natioctlfunc = ioctlfunc;
if (feof(fp))
- return 0;
+ return -1;
i = fgetc(fp);
if (i == EOF)
- return 0;
+ return -1;
if (ungetc(i, fp) == EOF)
- return 0;
+ return -1;
if (feof(fp))
- return 0;
+ return -1;
s = getenv("YYDEBUG");
if (s)
yydebug = atoi(s);
@@ -738,11 +1377,12 @@ FILE *fp;
yyin = fp;
yyparse();
- return 1;
+ return parser_error;
}
-static void newnatrule()
+static void
+newnatrule()
{
ipnat_t *n;
@@ -750,21 +1390,32 @@ static void newnatrule()
if (n == NULL)
return;
- if (nat == NULL)
+ if (nat == NULL) {
nattop = nat = n;
- else {
+ n->in_pnext = &nattop;
+ } else {
nat->in_next = n;
+ n->in_pnext = &nat->in_next;
nat = n;
}
+ n->in_flineno = yylineNum;
+ n->in_ifnames[0] = -1;
+ n->in_ifnames[1] = -1;
+ n->in_plabel = -1;
+ n->in_pconfig = -1;
+ n->in_size = sizeof(*n);
+
suggest_port = 0;
}
-static void setnatproto(p)
-int p;
+static void
+setnatproto(p)
+ int p;
{
- nat->in_p = p;
+ nat->in_pr[0] = p;
+ nat->in_pr[1] = p;
switch (p)
{
@@ -778,12 +1429,16 @@ int p;
break;
case IPPROTO_ICMP :
nat->in_flags &= ~IPN_TCPUDP;
- if (!(nat->in_flags & IPN_ICMPQUERY)) {
+ if (!(nat->in_flags & IPN_ICMPQUERY) &&
+ !(nat->in_redir & NAT_DIVERTUDP)) {
nat->in_dcmp = 0;
nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
+ nat->in_dpmin = 0;
+ nat->in_dpmax = 0;
+ nat->in_dpnext = 0;
+ nat->in_spmin = 0;
+ nat->in_spmax = 0;
+ nat->in_spnext = 0;
}
break;
default :
@@ -791,22 +1446,36 @@ int p;
nat->in_flags &= ~IPN_TCPUDP;
nat->in_dcmp = 0;
nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
+ nat->in_dpmin = 0;
+ nat->in_dpmax = 0;
+ nat->in_dpnext = 0;
+ nat->in_spmin = 0;
+ nat->in_spmax = 0;
+ nat->in_spnext = 0;
}
break;
}
+ if ((nat->in_flags & (IPN_TCP|IPN_UDP)) == 0) {
+ nat->in_stop = 0;
+ nat->in_dtop = 0;
+ nat->in_osport = 0;
+ nat->in_odport = 0;
+ nat->in_stop = 0;
+ nat->in_osport = 0;
+ nat->in_dtop = 0;
+ nat->in_odport = 0;
+ }
if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT)
nat->in_flags &= ~IPN_FIXEDDPORT;
}
-void ipnat_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
+int
+ipnat_addrule(fd, ioctlfunc, ptr)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ void *ptr;
{
ioctlcmd_t add, del;
ipfobj_t obj;
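Review bot: In the new `(nat->in_flags & (IPN_TCP|IPN_UDP)) == 0` block near the end of `setnatproto`, `in_stop`, `in_dtop`, `in_osport` and `in_odport` are each assigned 0 twice. The second group of four lines is redundant and reads as though other fields were intended. Either delete it or replace it with the fields that were meant. `setnatproto` begins before this hunk.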
@@ -815,20 +1484,19 @@ void *ptr;
ipn = ptr;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(ipnat_t);
+ obj.ipfo_size = ipn->in_size;
obj.ipfo_type = IPFOBJ_IPNAT;
obj.ipfo_ptr = ptr;
- add = 0;
- del = 0;
if ((opts & OPT_DONOTHING) != 0)
fd = -1;
if (opts & OPT_ZERORULEST) {
add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = SIOCADNAT;
- del = SIOCRMNAT;
+ del = 0;
+ } else if (opts & OPT_PURGE) {
+ add = 0;
+ del = SIOCPURGENAT;
} else {
add = SIOCADNAT;
del = SIOCRMNAT;
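Review bot: The new `OPT_PURGE` branch sets `add = 0`, but the dispatch further down in `ipnat_addrule` (next hunk) calls `(*ioctlfunc)(fd, add, ...)` whenever neither `OPT_ZERORULEST` nor `OPT_REMOVE` is set. Purge without remove would therefore issue an ioctl with command 0. If purge is only valid together with remove, test for that here and return an error, e.g. `if ((opts & (OPT_PURGE|OPT_REMOVE)) == OPT_PURGE) return -1;`. The lines between this hunk and the dispatch are not visible, so confirm no such check already exists.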
@@ -843,37 +1511,269 @@ void *ptr;
if ((opts & OPT_ZERORULEST) != 0) {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(zero nat rule)",
+ ipn->in_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
} else {
-#ifdef USE_QUAD_T
-/*
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-*/
+ PRINTF("hits %lu ", ipn->in_hits);
+#ifdef USE_QUAD_T
+ PRINTF("bytes %"PRIu64" ",
+ ipn->in_bytes[0] + ipn->in_bytes[1]);
#else
-/*
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-*/
+ PRINTF("bytes %lu ",
+ ipn->in_bytes[0] + ipn->in_bytes[1]);
#endif
printnat(ipn, opts);
}
} else if ((opts & OPT_REMOVE) != 0) {
if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete nat rule)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(delete nat rule)",
+ ipn->in_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
} else {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert nat rule)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(add/insert nat rule)",
+ ipn->in_flineno);
+ if (errno == EEXIST) {
+ sprintf(msg + strlen(msg), "(line %d)",
+ ipn->in_flineno);
+ }
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
}
+ return 0;
+}
+
+
+static void
+setmapifnames()
+{
+ if (nat->in_ifnames[1] == -1)
+ nat->in_ifnames[1] = nat->in_ifnames[0];
+
+ if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0)
+ nat->in_flags |= IPN_TCPUDP;
+
+ if ((nat->in_flags & IPN_TCPUDP) == 0)
+ setnatproto(nat->in_pr[1]);
+
+ if (((nat->in_redir & NAT_MAPBLK) != 0) ||
+ ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
+ nat_setgroupmap(nat);
+}
+
+
+static void
+setrdrifnames()
+{
+ if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0)
+ nat->in_flags |= IPN_TCPUDP;
+
+ if ((nat->in_pr[0] == 0) && ((nat->in_flags & IPN_TCPUDP) == 0) &&
+ (nat->in_dpmin != 0 || nat->in_dpmax != 0 || nat->in_dpnext != 0))
+ setnatproto(IPPROTO_TCP);
+
+ if (nat->in_ifnames[1] == -1)
+ nat->in_ifnames[1] = nat->in_ifnames[0];
+}
+
+
+static void
+proxy_setconfig(proxy)
+ int proxy;
+{
+ if (proxy == IPNY_DNS) {
+ yysetfixeddict(dnswords);
+ }
+}
+
+
+static void
+proxy_unsetconfig()
+{
+ yyresetdict();
+}
+
+
+static namelist_t *
+proxy_dns_add_pass(prefix, name)
+ char *prefix, *name;
+{
+ namelist_t *n;
+
+ n = calloc(1, sizeof(*n));
+ if (n != NULL) {
+ if (prefix == NULL || *prefix == '\0') {
+ n->na_name = strdup(name);
+ } else {
+ n->na_name = malloc(strlen(name) + strlen(prefix) + 1);
+ strcpy(n->na_name, prefix);
+ strcat(n->na_name, name);
+ }
+ }
+ return n;
+}
+
+
+static namelist_t *
+proxy_dns_add_block(prefix, name)
+ char *prefix, *name;
+{
+ namelist_t *n;
+
+ n = calloc(1, sizeof(*n));
+ if (n != NULL) {
+ if (prefix == NULL || *prefix == '\0') {
+ n->na_name = strdup(name);
+ } else {
+ n->na_name = malloc(strlen(name) + strlen(prefix) + 1);
+ strcpy(n->na_name, prefix);
+ strcat(n->na_name, name);
+ }
+ n->na_value = 1;
+ }
+ return n;
+}
+
+
+static void
+proxy_addconfig(proxy, proto, conf, list)
+ char *proxy, *conf;
+ int proto;
+ namelist_t *list;
+{
+ proxyrule_t *pr;
+
+ pr = calloc(1, sizeof(*pr));
+ if (pr != NULL) {
+ pr->pr_proto = proto;
+ pr->pr_proxy = proxy;
+ pr->pr_conf = conf;
+ pr->pr_names = list;
+ pr->pr_next = prules;
+ prules = pr;
+ }
+}
+
+
+static void
+proxy_loadrules(fd, ioctlfunc, rules)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ proxyrule_t *rules;
+{
+ proxyrule_t *pr;
+
+ while ((pr = rules) != NULL) {
+ proxy_loadconfig(fd, ioctlfunc, pr->pr_proxy, pr->pr_proto,
+ pr->pr_conf, pr->pr_names);
+ rules = pr->pr_next;
+ free(pr->pr_conf);
+ free(pr);
+ }
+}
+
+
+static void
+proxy_loadconfig(fd, ioctlfunc, proxy, proto, conf, list)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ char *proxy, *conf;
+ int proto;
+ namelist_t *list;
+{
+ namelist_t *na;
+ ipfobj_t obj;
+ ap_ctl_t pcmd;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_PROXYCTL;
+ obj.ipfo_size = sizeof(pcmd);
+ obj.ipfo_ptr = &pcmd;
+
+ while ((na = list) != NULL) {
+ if ((opts & OPT_REMOVE) != 0)
+ pcmd.apc_cmd = APC_CMD_DEL;
+ else
+ pcmd.apc_cmd = APC_CMD_ADD;
+ pcmd.apc_dsize = strlen(na->na_name) + 1;
+ pcmd.apc_data = na->na_name;
+ pcmd.apc_arg = na->na_value;
+ pcmd.apc_p = proto;
+
+ strncpy(pcmd.apc_label, proxy, APR_LABELLEN);
+ pcmd.apc_label[APR_LABELLEN - 1] = '\0';
+
+ strncpy(pcmd.apc_config, conf, APR_LABELLEN);
+ pcmd.apc_config[APR_LABELLEN - 1] = '\0';
+
+ if ((*ioctlfunc)(fd, SIOCPROXY, (void *)&obj) == -1) {
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(add/remove proxy rule)",
+ yylineNum);
+ ipf_perror_fd(fd, ioctlfunc, msg);
+ return;
+ }
+ }
+
+ list = na->na_next;
+ free(na->na_name);
+ free(na);
+ }
+}
+
+
+static void
+setifname(np, idx, name)
+ ipnat_t **np;
+ int idx;
+ char *name;
+{
+ int pos;
+
+ pos = addname(np, name);
+ if (pos == -1)
+ return;
+ (*np)->in_ifnames[idx] = pos;
+}
+
+
+static int
+addname(np, name)
+ ipnat_t **np;
+ char *name;
+{
+ ipnat_t *n;
+ int nlen;
+ int pos;
+
+ nlen = strlen(name) + 1;
+ n = realloc(*np, (*np)->in_size + nlen);
+ if (*np == nattop)
+ nattop = n;
+ *np = n;
+ if (n == NULL)
+ return -1;
+ if (n->in_pnext != NULL)
+ *n->in_pnext = n;
+ n->in_size += nlen;
+ pos = n->in_namelen;
+ n->in_namelen += nlen;
+ strcpy(n->in_names + pos, name);
+ n->in_names[n->in_namelen] = '\0';
+ return pos;
}
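Review bot: `addname` stores the result of `realloc` into `*np` and `nattop` before testing it, so on allocation failure the rule being built is leaked and `nat` becomes NULL. The `rdrproxy` action then executes `nat->in_plabel = pos` on that null pointer. The function also compares `*np` with `nattop` after the old block may already have been freed. Test the result first and leave the existing pointers untouched on failure, as sketched below. `proxy_dns_add_pass` and `proxy_dns_add_block` in the same hunk have a related gap: the `malloc` result is passed to `strcpy`, and the `strdup` result stored, without a NULL check.

```yacc
static int
addname(np, name)
	ipnat_t **np;
	char *name;
{
	/* … unchanged: declarations of n, nlen, pos … */
	int istop;

	nlen = strlen(name) + 1;
	istop = (*np == nattop);	/* compare before the old block can be freed */
	n = realloc(*np, (*np)->in_size + nlen);
	if (n == NULL)
		return -1;		/* *np and nattop still refer to the old rule */
	if (istop)
		nattop = n;
	*np = n;
	/* … unchanged: in_pnext fix-up, size accounting, strcpy of the name … */
```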
diff --git a/contrib/ipfilter/tools/ippool.c b/contrib/ipfilter/tools/ippool.c
index 8b70960..49cf7da 100644
--- a/contrib/ipfilter/tools/ippool.c
+++ b/contrib/ipfilter/tools/ippool.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -61,41 +61,48 @@ int poolflush __P((int, char *[]));
int poolstats __P((int, char *[]));
int gettype __P((char *, u_int *));
int getrole __P((char *));
-int setnodeaddr __P((ip_pool_node_t *node, char *arg));
-void showpools_live __P((int, int, ip_pool_stat_t *, char *));
+int setnodeaddr __P((int, int, void *ptr, char *arg));
+void showpools_live __P((int, int, ipf_pool_stat_t *, char *));
void showhashs_live __P((int, int, iphtstat_t *, char *));
+void showdstls_live __P((int, int, ipf_dstl_stat_t *, char *));
int opts = 0;
int fd = -1;
int use_inet6 = 0;
+wordtab_t *pool_fields = NULL;
+int nohdrfields = 0;
-void usage(prog)
-char *prog;
+void
+usage(prog)
+ char *prog;
{
fprintf(stderr, "Usage:\t%s\n", prog);
- fprintf(stderr, "\t\t\t-a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-f <file> [-dnuv]\n");
- fprintf(stderr, "\t\t\t-F [-dv] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-l [-dv] [-m <name>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-s [-dtv] [-M <core>] [-N <namelist>]\n");
+ fprintf(stderr, "\t-a [-dnv] [-m <name>] [-o <role>] [-t type] [-T ttl] -i <ipaddr>[/netmask]\n");
+ fprintf(stderr, "\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n");
+ fprintf(stderr, "\t-f <file> [-dnuv]\n");
+ fprintf(stderr, "\t-F [-dv] [-o <role>] [-t <type>]\n");
+ fprintf(stderr, "\t-l [-dv] [-m <name>] [-t <type>] [-O <fields>]\n");
+ fprintf(stderr, "\t-r [-dnv] [-m <name>] [-o <role>] [-t type] -i <ipaddr>[/netmask]\n");
+ fprintf(stderr, "\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n");
+ fprintf(stderr, "\t-s [-dtv] [-M <core>] [-N <namelist>]\n");
exit(1);
}
-int main(argc, argv)
-int argc;
-char *argv[];
+int
+main(argc, argv)
+ int argc;
+ char *argv[];
{
- int err;
+ int err = 1;
if (argc < 2)
usage(argv[0]);
- switch (getopt(argc, argv, "aAf:FlrRs"))
+ assigndefined(getenv("IPPOOL_PREDEFINED"));
+
+ switch (getopt(argc, argv, "aAf:FlnrRsv"))
{
case 'a' :
err = poolnodecommand(0, argc, argv);
@@ -112,6 +119,9 @@ char *argv[];
case 'l' :
err = poollist(argc, argv);
break;
+ case 'n' :
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
+ break;
case 'r' :
err = poolnodecommand(1, argc, argv);
break;
@@ -121,6 +131,9 @@ char *argv[];
case 's' :
err = poolstats(argc, argv);
break;
+ case 'v' :
+ opts |= OPT_VERBOSE;
+ break;
default :
exit(1);
}
@@ -131,19 +144,23 @@ char *argv[];
}
-int poolnodecommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
+int
+poolnodecommand(remove, argc, argv)
+ int remove, argc;
+ char *argv[];
{
- int err, c, ipset, role;
+ int err = 0, c, ipset, role, type = IPLT_POOL, ttl = 0;
char *poolname = NULL;
- ip_pool_node_t node;
+ ip_pool_node_t pnode;
+ iphtent_t hnode;
+ void *ptr = &pnode;
ipset = 0;
role = IPL_LOGIPF;
- bzero((char *)&node, sizeof(node));
+ bzero((char *)&pnode, sizeof(pnode));
+ bzero((char *)&hnode, sizeof(hnode));
- while ((c = getopt(argc, argv, "di:m:no:Rv")) != -1)
+ while ((c = getopt(argc, argv, "di:m:no:Rt:T:v")) != -1)
switch (c)
{
case 'd' :
@@ -151,16 +168,21 @@ char *argv[];
ippool_yydebug++;
break;
case 'i' :
- if (setnodeaddr(&node, optarg) == 0)
+ if (setnodeaddr(type, role, ptr, optarg) == 0)
ipset = 1;
break;
case 'm' :
poolname = optarg;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'o' :
+ if (ipset == 1) {
+ fprintf(stderr,
+ "cannot set role after ip address\n");
+ return -1;
+ }
role = getrole(optarg);
if (role == IPL_LOGNONE)
return -1;
@@ -168,13 +190,39 @@ char *argv[];
case 'R' :
opts |= OPT_NORESOLVE;
break;
+ case 't' :
+ if (ipset == 1) {
+ fprintf(stderr,
+ "cannot set type after ip address\n");
+ return -1;
+ }
+ type = gettype(optarg, NULL);
+ switch (type) {
+ case IPLT_NONE :
+ fprintf(stderr, "unknown type '%s'\n", optarg);
+ return -1;
+ case IPLT_HASH :
+ ptr = &hnode;
+ break;
+ case IPLT_POOL :
+ default :
+ break;
+ }
+ break;
+ case 'T' :
+ ttl = atoi(optarg);
+ if (ttl < 0) {
+ fprintf(stderr, "cannot set negative ttl\n");
+ return -1;
+ }
+ break;
case 'v' :
opts |= OPT_VERBOSE;
break;
}
if (argv[optind] != NULL && ipset == 0) {
- if (setnodeaddr(&node, argv[optind]) == 0)
+ if (setnodeaddr(type, role, ptr, argv[optind]) == 0)
ipset = 1;
}
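Review bot: The new `-T` handler parses the TTL with `atoi`, which returns 0 for non-numeric input and has undefined behaviour on overflow. `-T abc` is therefore silently accepted as a TTL of 0, and only negative values are rejected. Parse with `strtol` and check the end pointer and range, e.g. `l = strtol(optarg, &end, 10);` followed by `if (end == optarg || *end != '\0' || l < 0 || l > INT_MAX) return -1;`. `poolnodecommand` begins in an earlier hunk.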
@@ -191,17 +239,30 @@ char *argv[];
return -1;
}
- if (remove == 0)
- err = load_poolnode(0, poolname, &node, ioctl);
- else
- err = remove_poolnode(0, poolname, &node, ioctl);
+ switch (type) {
+ case IPLT_POOL :
+ if (remove == 0)
+ err = load_poolnode(role, poolname, &pnode, ttl, ioctl);
+ else
+ err = remove_poolnode(role, poolname, &pnode, ioctl);
+ break;
+ case IPLT_HASH :
+ if (remove == 0)
+ err = load_hashnode(role, poolname, &hnode, ttl, ioctl);
+ else
+ err = remove_hashnode(role, poolname, &hnode, ioctl);
+ break;
+ default :
+ break;
+ }
return err;
}
-int poolcommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
+int
+poolcommand(remove, argc, argv)
+ int remove, argc;
+ char *argv[];
{
int type, role, c, err;
char *poolname;
@@ -216,7 +277,7 @@ char *argv[];
bzero((char *)&iph, sizeof(iph));
bzero((char *)&pool, sizeof(pool));
- while ((c = getopt(argc, argv, "dm:no:RSt:v")) != -1)
+ while ((c = getopt(argc, argv, "dm:no:RSv")) != -1)
switch (c)
{
case 'd' :
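Review bot: The option string on the changed `getopt` line, `"dm:no:RSv"`, declares `S` without an argument, yet the `case 'S'` handler two hunks below reads `atoi(optarg)` and `usage` advertises `[-S <seed>]`. Without the colon `getopt` does not set `optarg` for `-S`, so the seed is read from a stale or NULL pointer. Since this line is being edited anyway, make it `"dm:no:RS:v"`. `poolcommand` continues outside this hunk.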
@@ -227,7 +288,7 @@ char *argv[];
poolname = optarg;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'o' :
role = getrole(optarg);
@@ -242,13 +303,6 @@ char *argv[];
case 'S' :
iph.iph_seed = atoi(optarg);
break;
- case 't' :
- type = gettype(optarg, &iph.iph_type);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
case 'v' :
opts |= OPT_VERBOSE;
break;
@@ -262,6 +316,12 @@ char *argv[];
return -1;
}
+ type = gettype(argv[optind], &iph.iph_type);
+ if (type == IPLT_NONE) {
+ fprintf(stderr, "unknown type '%s'\n", argv[optind]);
+ return -1;
+ }
+
if (type == IPLT_HASH) {
strncpy(iph.iph_name, poolname, sizeof(iph.iph_name));
iph.iph_name[sizeof(iph.iph_name) - 1] = '\0';
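Review bot: `gettype(argv[optind], &iph.iph_type)` is called without a visible check that a positional argument exists, and `gettype` passes its first argument straight to `strcasecmp`. A NULL `argv[optind]` would be dereferenced unless the test just above this hunk (only its `return -1;` is visible) already covers it. The type also moves from `-t` to a positional argument here, while `usage` still lists `[-t <type>]` for `-A` and `-R`. Guard the call with `if (argv[optind] == NULL) usage(argv[0]);`, or keep `t:` in the option string so the documented form still works.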
@@ -297,9 +357,10 @@ char *argv[];
}
-int loadpoolfile(argc, argv, infile)
-int argc;
-char *argv[], *infile;
+int
+loadpoolfile(argc, argv, infile)
+ int argc;
+ char *argv[], *infile;
{
int c;
@@ -313,7 +374,7 @@ char *argv[], *infile;
ippool_yydebug++;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'R' :
opts |= OPT_NORESOLVE;
@@ -329,7 +390,7 @@ char *argv[], *infile;
if (opts & OPT_DEBUG)
fprintf(stderr, "loadpoolfile: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -343,12 +404,14 @@ char *argv[], *infile;
}
-int poolstats(argc, argv)
-int argc;
-char *argv[];
+int
+poolstats(argc, argv)
+ int argc;
+ char *argv[];
{
int c, type, role, live_kernel;
- ip_pool_stat_t plstat;
+ ipf_pool_stat_t plstat;
+ ipf_dstl_stat_t dlstat;
char *kernel, *core;
iphtstat_t htstat;
iplookupop_t op;
@@ -398,7 +461,7 @@ char *argv[];
if (opts & OPT_DEBUG)
fprintf(stderr, "poolstats: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -410,14 +473,14 @@ char *argv[];
op.iplo_type = IPLT_POOL;
op.iplo_struct = &plstat;
op.iplo_size = sizeof(plstat);
- if (!(opts & OPT_DONOTHING)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(S0IOCLOOKUPSTAT)");
return -1;
}
- printf("Pools:\t%lu\n", plstat.ipls_pools);
- printf("Nodes:\t%lu\n", plstat.ipls_nodes);
+ printf("%lu\taddress pools\n", plstat.ipls_pools);
+ printf("%lu\taddress pool nodes\n", plstat.ipls_nodes);
}
}
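Review bot: The label passed to `ipferror` in the pool branch is misspelled as `"ioctl(S0IOCLOOKUPSTAT)"`. It should be `"ioctl(SIOCLOOKUPSTAT)"`, as at the other call sites, so the error text names the ioctl that actually failed. The next hunk has a similar slip in its output text, `"%u\tdesetination list node zombies\n"`, which should read `destination`. `poolstats` begins outside this hunk.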
@@ -425,24 +488,49 @@ char *argv[];
op.iplo_type = IPLT_HASH;
op.iplo_struct = &htstat;
op.iplo_size = sizeof(htstat);
- if (!(opts & OPT_DONOTHING)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
+ c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+ if (c == -1) {
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
+ return -1;
+ }
+ printf("%lu\thash tables\n", htstat.iphs_numtables);
+ printf("%lu\thash table nodes\n", htstat.iphs_numnodes);
+ printf("%lu\thash table no memory \n",
+ htstat.iphs_nomem);
+ }
+ }
+
+ if (type == IPLT_ALL || type == IPLT_DSTLIST) {
+ op.iplo_type = IPLT_DSTLIST;
+ op.iplo_struct = &dlstat;
+ op.iplo_size = sizeof(dlstat);
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return -1;
}
- printf("Hash Tables:\t%lu\n", htstat.iphs_numtables);
- printf("Nodes:\t%lu\n", htstat.iphs_numnodes);
- printf("Out of Memory:\t%lu\n", htstat.iphs_nomem);
+ printf("%u\tdestination lists\n",
+ dlstat.ipls_numlists);
+ printf("%u\tdestination list nodes\n",
+ dlstat.ipls_numnodes);
+ printf("%lu\tdestination list no memory\n",
+ dlstat.ipls_nomem);
+ printf("%u\tdestination list zombies\n",
+ dlstat.ipls_numdereflists);
+ printf("%u\tdesetination list node zombies\n",
+ dlstat.ipls_numderefnodes);
}
}
return 0;
}
-int poolflush(argc, argv)
-int argc;
-char *argv[];
+int
+poolflush(argc, argv)
+ int argc;
+ char *argv[];
{
int c, role, type, arg;
iplookupflush_t flush;
@@ -479,7 +567,7 @@ char *argv[];
if (opts & OPT_DEBUG)
fprintf(stderr, "poolflush: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -492,22 +580,23 @@ char *argv[];
flush.iplf_unit = role;
flush.iplf_arg = arg;
- if (!(opts & OPT_DONOTHING)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
if (ioctl(fd, SIOCLOOKUPFLUSH, &flush) == -1) {
- perror("ioctl(SIOCLOOKUPFLUSH)");
+ ipferror(fd, "ioctl(SIOCLOOKUPFLUSH)");
exit(1);
}
}
- printf("%zd object%s flushed\n", flush.iplf_count,
+ printf("%u object%s flushed\n", flush.iplf_count,
(flush.iplf_count == 1) ? "" : "s");
return 0;
}
-int getrole(rolename)
-char *rolename;
+int
+getrole(rolename)
+ char *rolename;
{
int role;
@@ -537,19 +626,20 @@ char *rolename;
}
-int gettype(typename, minor)
-char *typename;
-u_int *minor;
+int
+gettype(typename, minor)
+ char *typename;
+ u_int *minor;
{
int type;
- if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) {
+ if (!strcasecmp(typename, "tree") || !strcasecmp(typename, "pool")) {
type = IPLT_POOL;
- } else if (!strcasecmp(optarg, "hash")) {
+ } else if (!strcasecmp(typename, "hash")) {
type = IPLT_HASH;
if (minor != NULL)
*minor = IPHASH_LOOKUP;
- } else if (!strcasecmp(optarg, "group-map")) {
+ } else if (!strcasecmp(typename, "group-map")) {
type = IPLT_HASH;
if (minor != NULL)
*minor = IPHASH_GROUPMAP;
@@ -560,9 +650,10 @@ u_int *minor;
}
-int poollist(argc, argv)
-int argc;
-char *argv[];
+int
+poollist(argc, argv)
+ int argc;
+ char *argv[];
{
char *kernel, *core, *poolname;
int c, role, type, live_kernel;
@@ -599,6 +690,9 @@ char *argv[];
return -1;
}
break;
+ case 'O' :
+ pool_fields = parsefields(poolfields, optarg);
+ break;
case 'R' :
opts |= OPT_NORESOLVE;
break;
@@ -617,7 +711,7 @@ char *argv[];
if (opts & OPT_DEBUG)
fprintf(stderr, "poollist: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -640,9 +734,10 @@ char *argv[];
}
-void poollist_dead(role, poolname, type, kernel, core)
-int role, type;
-char *poolname, *kernel, *core;
+void
+poollist_dead(role, poolname, type, kernel, core)
+ int role, type;
+ char *poolname, *kernel, *core;
{
iphtable_t *hptr;
ip_pool_t *ptr;
@@ -665,14 +760,15 @@ char *poolname, *kernel, *core;
ptr = pools[role];
while (ptr != NULL) {
ptr = printpool(ptr, kmemcpywrap, poolname,
- opts);
+ opts, pool_fields);
}
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
ptr = pools[role];
while (ptr != NULL) {
ptr = printpool(ptr, kmemcpywrap,
- poolname, opts);
+ poolname, opts,
+ pool_fields);
}
}
role = IPL_LOGALL;
@@ -693,14 +789,15 @@ char *poolname, *kernel, *core;
hptr = tables[role];
while (hptr != NULL) {
hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
+ poolname, opts, pool_fields);
}
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
hptr = tables[role];
while (hptr != NULL) {
hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
+ poolname, opts,
+ pool_fields);
}
}
}
@@ -708,12 +805,12 @@ char *poolname, *kernel, *core;
}
-void poollist_live(role, poolname, type, fd)
-int role, type, fd;
-char *poolname;
+void
+poollist_live(role, poolname, type, fd)
+ int role, type, fd;
+ char *poolname;
{
- ip_pool_stat_t plstat;
- iphtstat_t htstat;
+ ipf_pool_stat_t plstat;
iplookupop_t op;
int c;
@@ -729,18 +826,18 @@ char *poolname;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
showpools_live(fd, role, &plstat, poolname);
} else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
+ for (role = -1; role <= IPL_LOGMAX; role++) {
op.iplo_unit = role;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
@@ -752,6 +849,8 @@ char *poolname;
}
if (type == IPLT_ALL || type == IPLT_HASH) {
+ iphtstat_t htstat;
+
op.iplo_type = IPLT_HASH;
op.iplo_size = sizeof(htstat);
op.iplo_struct = &htstat;
@@ -763,7 +862,7 @@ char *poolname;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
showhashs_live(fd, role, &htstat, poolname);
@@ -773,21 +872,57 @@ char *poolname;
op.iplo_unit = role;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
showhashs_live(fd, role, &htstat, poolname);
}
+ role = IPL_LOGALL;
+ }
+ }
+
+ if (type == IPLT_ALL || type == IPLT_DSTLIST) {
+ ipf_dstl_stat_t dlstat;
+
+ op.iplo_type = IPLT_DSTLIST;
+ op.iplo_size = sizeof(dlstat);
+ op.iplo_struct = &dlstat;
+ op.iplo_name[0] = '\0';
+ op.iplo_arg = 0;
+
+ if (role != IPL_LOGALL) {
+ op.iplo_unit = role;
+
+ c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+ if (c == -1) {
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
+ return;
+ }
+ showdstls_live(fd, role, &dlstat, poolname);
+ } else {
+ for (role = 0; role <= IPL_LOGMAX; role++) {
+
+ op.iplo_unit = role;
+ c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+ if (c == -1) {
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
+ return;
+ }
+
+ showdstls_live(fd, role, &dlstat, poolname);
+ }
+ role = IPL_LOGALL;
}
}
}
-void showpools_live(fd, role, plstp, poolname)
-int fd, role;
-ip_pool_stat_t *plstp;
-char *poolname;
+void
+showpools_live(fd, role, plstp, poolname)
+ int fd, role;
+ ipf_pool_stat_t *plstp;
+ char *poolname;
{
ipflookupiter_t iter;
ip_pool_t pool;
@@ -806,22 +941,27 @@ char *poolname;
iter.ili_unit = role;
*iter.ili_name = '\0';
- while (plstp->ipls_list[role] != NULL) {
+ bzero((char *)&pool, sizeof(pool));
+
+ while (plstp->ipls_list[role + 1] != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
+ ipferror(fd, "ioctl(SIOCLOOKUPITER)");
break;
}
- printpool_live(&pool, fd, poolname, opts);
+ if (((pool.ipo_flags & IPOOL_DELETE) == 0) ||
+ ((opts & OPT_DEBUG) != 0))
+ printpool_live(&pool, fd, poolname, opts, pool_fields);
- plstp->ipls_list[role] = pool.ipo_next;
+ plstp->ipls_list[role + 1] = pool.ipo_next;
}
}
-void showhashs_live(fd, role, htstp, poolname)
-int fd, role;
-iphtstat_t *htstp;
-char *poolname;
+void
+showhashs_live(fd, role, htstp, poolname)
+ int fd, role;
+ iphtstat_t *htstp;
+ char *poolname;
{
ipflookupiter_t iter;
iphtable_t table;
@@ -842,18 +982,55 @@ char *poolname;
while (htstp->iphs_tables != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
+ ipferror(fd, "ioctl(SIOCLOOKUPITER)");
break;
}
- printhash_live(&table, fd, poolname, opts);
+ printhash_live(&table, fd, poolname, opts, pool_fields);
htstp->iphs_tables = table.iph_next;
}
}
-int setnodeaddr(ip_pool_node_t *node, char *arg)
+void
+showdstls_live(fd, role, dlstp, poolname)
+ int fd, role;
+ ipf_dstl_stat_t *dlstp;
+ char *poolname;
+{
+ ipflookupiter_t iter;
+ ippool_dst_t table;
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_LOOKUPITER;
+ obj.ipfo_size = sizeof(iter);
+ obj.ipfo_ptr = &iter;
+
+ iter.ili_type = IPLT_DSTLIST;
+ iter.ili_otype = IPFLOOKUPITER_LIST;
+ iter.ili_ival = IPFGENITER_LOOKUP;
+ iter.ili_nitems = 1;
+ iter.ili_data = &table;
+ iter.ili_unit = role;
+ *iter.ili_name = '\0';
+
+ while (dlstp->ipls_list[role] != NULL) {
+ if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
+ ipferror(fd, "ioctl(SIOCLOOKUPITER)");
+ break;
+ }
+
+ printdstl_live(&table, fd, poolname, opts, pool_fields);
+
+ dlstp->ipls_list[role] = table.ipld_next;
+ }
+}
+
+
+int
+setnodeaddr(int type, int role, void *ptr, char *arg)
{
struct in_addr mask;
char *s;
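Review bot: The new `showdstls_live()` loop indexes `dlstp->ipls_list[role]`, while the pool loop just above this hunk was changed to `plstp->ipls_list[role + 1]`; if `role` can be the all-units value (negative in the ipfilter headers, which are not shown here), this reads before the start of the array. Please confirm which indexing the kernel's dstlist statistics use, and make both the `while` test and the `dlstp->ipls_list[role] = table.ipld_next;` assignment match it. The function also hands `iter`, `table` and `obj` to `ioctl()` with only some fields set, whereas the pool version now clears its buffer with `bzero((char *)&pool, sizeof(pool));`. Clearing all three before the assignments, e.g. `bzero((char *)&obj, sizeof(obj));`, keeps uninitialised stack bytes out of the request.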
@@ -862,17 +1039,38 @@ int setnodeaddr(ip_pool_node_t *node, char *arg)
if (s == NULL)
mask.s_addr = 0xffffffff;
else if (strchr(s, '.') == NULL) {
- if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0)
+ if (ntomask(AF_INET, atoi(s + 1), &mask.s_addr) != 0)
return -1;
} else {
mask.s_addr = inet_addr(s + 1);
}
if (s != NULL)
*s = '\0';
- node->ipn_addr.adf_len = sizeof(node->ipn_addr);
- node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
- node->ipn_mask.adf_len = sizeof(node->ipn_mask);
- node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
+
+ if (type == IPLT_POOL) {
+ ip_pool_node_t *node = ptr;
+
+ if (node->ipn_addr.adf_family == AF_INET)
+ node->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) +
+ sizeof(struct in_addr);
+#ifdef USE_INET6
+ else
+ node->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) +
+ sizeof(struct in6_addr);
+#endif
+ node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
+ node->ipn_mask.adf_len = node->ipn_addr.adf_len;
+ node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
+ } else if (type == IPLT_HASH) {
+ iphtent_t *node = ptr;
+
+ node->ipe_addr.in4.s_addr = inet_addr(arg);
+ node->ipe_mask.in4.s_addr = mask.s_addr;
+ node->ipe_family = AF_INET;
+ node->ipe_unit = role;
+ }
return 0;
}
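Review bot: Both branches store `inet_addr(arg)` without checking for failure, so a mistyped address is written into the pool or hash node as 255.255.255.255 (`INADDR_NONE`) instead of being rejected. Parsing once with `struct in_addr addr; if (inet_aton(arg, &addr) == 0) return -1;` and assigning `addr` in each branch would turn that into an error. Two related gaps: the `IPLT_POOL` branch sets `adf_len` for the non-IPv4 family only under `USE_INET6` yet always fills `in4`, and an unrecognised `type` falls through to `return 0`, reporting success without touching `ptr`. The start of `setnodeaddr()` is in the previous hunk.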
diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y
index 24f683b..3498745 100644
--- a/contrib/ipfilter/tools/ippool_y.y
+++ b/contrib/ipfilter/tools/ippool_y.y
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -35,6 +35,7 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
+#include "netinet/ip_dstlist.h"
#include "ippool_l.h"
#include "kmem.h"
@@ -48,43 +49,52 @@ extern FILE *yyin;
static iphtable_t ipht;
static iphtent_t iphte;
static ip_pool_t iplo;
+static ippool_dst_t ipld;
static ioctlfunc_t poolioctl = NULL;
static char poolname[FR_GROUPLEN];
static iphtent_t *add_htablehosts __P((char *));
static ip_pool_node_t *add_poolhosts __P((char *));
+static ip_pool_node_t *read_whoisfile __P((char *));
+static void setadflen __P((addrfamily_t *));
%}
%union {
char *str;
u_32_t num;
- struct in_addr addr;
+ struct in_addr ip4;
struct alist_s *alist;
- struct in_addr adrmsk[2];
+ addrfamily_t adrmsk[2];
iphtent_t *ipe;
ip_pool_node_t *ipp;
- union i6addr ip6;
+ ipf_dstnode_t *ipd;
+ addrfamily_t ipa;
+ i6addr_t ip6;
}
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT
-%token IPT_TABLE IPT_GROUPMAP IPT_HASH
+%token <num> YY_NUMBER YY_HEX
+%token <str> YY_STR
+%token <ip6> YY_IPV6
+%token YY_COMMENT
+%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
+%token YY_RANGE_OUT YY_RANGE_IN
+%token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT IPT_ALL
+%token IPT_TABLE IPT_GROUPMAP IPT_HASH IPT_SRCHASH IPT_DSTHASH
%token IPT_ROLE IPT_TYPE IPT_TREE
-%token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME
-%type <num> role table inout
+%token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME IPT_POLICY
+%token IPT_POOL IPT_DSTLIST IPT_ROUNDROBIN
+%token IPT_WEIGHTED IPT_RANDOM IPT_CONNECTION
+%token IPT_WHOIS IPT_FILE
+%type <num> role table inout unit dstopts weighting
%type <ipp> ipftree range addrlist
%type <adrmsk> addrmask
%type <ipe> ipfgroup ipfhash hashlist hashentry
%type <ipe> groupentry setgrouplist grouplist
-%type <addr> ipaddr mask ipv4
-%type <str> number setgroup
+%type <ipa> ipaddr mask
+%type <ip4> ipv4
+%type <str> number setgroup name
+%type <ipd> dstentry dstentries dstlist
%%
file: line
@@ -93,25 +103,44 @@ file: line
| file assign
;
-line: table role ipftree eol { iplo.ipo_unit = $2;
+line: table role ipftree eol { ip_pool_node_t *n;
+ iplo.ipo_unit = $2;
iplo.ipo_list = $3;
load_pool(&iplo, poolioctl);
+ while ((n = $3) != NULL) {
+ $3 = n->ipn_next;
+ free(n);
+ }
resetlexer();
+ use_inet6 = 0;
}
- | table role ipfhash eol { ipht.iph_unit = $2;
+ | table role ipfhash eol { iphtent_t *h;
+ ipht.iph_unit = $2;
ipht.iph_type = IPHASH_LOOKUP;
load_hash(&ipht, $3, poolioctl);
+ while ((h = $3) != NULL) {
+ $3 = h->ipe_next;
+ free(h);
+ }
resetlexer();
+ use_inet6 = 0;
}
| groupmap role number ipfgroup eol
- { ipht.iph_unit = $2;
+ { iphtent_t *h;
+ ipht.iph_unit = $2;
strncpy(ipht.iph_name, $3,
sizeof(ipht.iph_name));
ipht.iph_type = IPHASH_GROUPMAP;
load_hash(&ipht, $4, poolioctl);
+ while ((h = $4) != NULL) {
+ $4 = h->ipe_next;
+ free(h);
+ }
resetlexer();
+ use_inet6 = 0;
}
| YY_COMMENT
+ | poolline eol
;
eol: ';'
@@ -132,6 +161,7 @@ assigning:
table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
bzero((char *)&iphte, sizeof(iphte));
bzero((char *)&iplo, sizeof(iplo));
+ bzero((char *)&ipld, sizeof(ipld));
*ipht.iph_name = '\0';
iplo.ipo_flags = IPHASH_ANON;
iplo.ipo_name[0] = '\0';
@@ -150,11 +180,15 @@ groupmap:
inout: IPT_IN { $$ = FR_INQUE; }
| IPT_OUT { $$ = FR_OUTQUE; }
;
-role:
- IPT_ROLE '=' IPT_IPF { $$ = IPL_LOGIPF; }
- | IPT_ROLE '=' IPT_NAT { $$ = IPL_LOGNAT; }
- | IPT_ROLE '=' IPT_AUTH { $$ = IPL_LOGAUTH; }
- | IPT_ROLE '=' IPT_COUNT { $$ = IPL_LOGCOUNT; }
+
+role: IPT_ROLE '=' unit { $$ = $3; }
+ ;
+
+unit: IPT_IPF { $$ = IPL_LOGIPF; }
+ | IPT_NAT { $$ = IPL_LOGNAT; }
+ | IPT_AUTH { $$ = IPL_LOGAUTH; }
+ | IPT_COUNT { $$ = IPL_LOGCOUNT; }
+ | IPT_ALL { $$ = IPL_LOGALL; }
;
ipftree:
@@ -183,14 +217,21 @@ ipfgroup:
$1,
FR_GROUPLEN);
$$ = $4;
+ free($1);
}
- | hashopts start setgrouplist end { $$ = $3; }
+ | hashopts start setgrouplist end
+ { $$ = $3; }
;
number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
$$ = poolname;
}
- | IPT_NAME '=' YY_STR { $$ = $3; }
+ | IPT_NAME '=' YY_STR { strncpy(poolname, $3,
+ FR_GROUPLEN);
+ poolname[FR_GROUPLEN-1]='\0';
+ free($3);
+ $$ = poolname;
+ }
| { $$ = ""; }
;
@@ -198,6 +239,7 @@ setgroup:
IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
strncpy(tmp, $3, FR_GROUPLEN);
$$ = strdup(tmp);
+ free($3);
}
| IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
sprintf(tmp, "%u", $3);
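Review bot: In the `IPT_GROUP '=' YY_STR` action, `strncpy(tmp, $3, FR_GROUPLEN)` leaves `tmp` unterminated when the string is FR_GROUPLEN characters or longer, and `strdup(tmp)` then reads past the initialised bytes of the stack buffer. The commit adds `free($3)` here but not the terminator; `tmp[FR_GROUPLEN] = '\0';` between the copy and the `strdup()` closes it, the same way the `number` rule now terminates `poolname`. The `YY_NUMBER` alternative continues past the end of this hunk.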
@@ -212,119 +254,162 @@ hashopts:
;
addrlist:
- next { $$ = NULL; }
- | range next addrlist { $1->ipn_next = $3; $$ = $1; }
+ ';' { $$ = NULL; }
+ | range next addrlist { $$ = $1;
+ while ($1->ipn_next != NULL)
+ $1 = $1->ipn_next;
+ $1->ipn_next = $3;
+ }
| range next { $$ = $1; }
;
grouplist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
| groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
| addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
+ $$->ipe_family = $1[0].adf_family;
$$->ipe_next = $3;
}
| groupentry next { $$ = $1; }
| addrmask next { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
+#ifdef AF_INET6
+ if (use_inet6)
+ $$->ipe_family = AF_INET6;
+ else
+#endif
+ $$->ipe_family = AF_INET;
+ }
+ | YY_STR { $$ = add_htablehosts($1);
+ free($1);
}
;
setgrouplist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
| groupentry next { $$ = $1; }
| groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
;
groupentry:
addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
strncpy($$->ipe_group, $3,
FR_GROUPLEN);
+#ifdef AF_INET6
+ if (use_inet6)
+ $$->ipe_family = AF_INET6;
+ else
+#endif
+ $$->ipe_family = AF_INET;
free($3);
}
- | YY_STR { $$ = add_htablehosts($1); }
;
-range: addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 0;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $1[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $1[1].s_addr;
- }
- | '!' addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 1;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $2[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $2[1].s_addr;
- }
- | YY_STR { $$ = add_poolhosts($1); }
+range: addrmask { $$ = calloc(1, sizeof(*$$));
+ $$->ipn_info = 0;
+ $$->ipn_addr = $1[0];
+ $$->ipn_mask = $1[1];
+ }
+ | '!' addrmask { $$ = calloc(1, sizeof(*$$));
+ $$->ipn_info = 1;
+ $$->ipn_addr = $2[0];
+ $$->ipn_mask = $2[1];
+ }
+ | YY_STR { $$ = add_poolhosts($1);
+ free($1);
+ }
+ | IPT_WHOIS IPT_FILE YY_STR { $$ = read_whoisfile($3);
+ free($3);
+ }
+ ;
hashlist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
| hashentry next { $$ = $1; }
| hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
;
hashentry:
- addrmask { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- }
- | YY_STR { $$ = add_htablehosts($1); }
+ addrmask { $$ = calloc(1, sizeof(iphtent_t));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
+#ifdef USE_INET6
+ if (use_inet6)
+ $$->ipe_family = AF_INET6;
+ else
+#endif
+ $$->ipe_family = AF_INET;
+ }
+ | YY_STR { $$ = add_htablehosts($1);
+ free($1);
+ }
;
addrmask:
- ipaddr '/' mask { $$[0] = $1; $$[1].s_addr = $3.s_addr;
- yyexpectaddr = 0;
+ ipaddr '/' mask { $$[0] = $1;
+ setadflen(&$$[0]);
+ $$[1] = $3;
+ $$[1].adf_len = $$[0].adf_len;
}
- | ipaddr { $$[0] = $1; $$[1].s_addr = 0xffffffff;
- yyexpectaddr = 0;
+ | ipaddr { $$[0] = $1;
+ setadflen(&$$[1]);
+ $$[1].adf_len = $$[0].adf_len;
+#ifdef USE_INET6
+ if (use_inet6)
+ memset(&$$[1].adf_addr, 0xff,
+ sizeof($$[1].adf_addr.in6));
+ else
+#endif
+ memset(&$$[1].adf_addr, 0xff,
+ sizeof($$[1].adf_addr.in4));
}
;
-ipaddr: ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = htonl($1); }
- ;
-
-mask: YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$.s_addr); }
- | ipv4 { $$ = $1; }
- ;
-
-start: '{' { yyexpectaddr = 1; }
- ;
-
-end: '}' { yyexpectaddr = 0; }
+ipaddr: ipv4 { $$.adf_addr.in4 = $1;
+ $$.adf_family = AF_INET;
+ setadflen(&$$);
+ use_inet6 = 0;
+ }
+ | YY_NUMBER { $$.adf_addr.in4.s_addr = htonl($1);
+ $$.adf_family = AF_INET;
+ setadflen(&$$);
+ use_inet6 = 0;
+ }
+ | YY_IPV6 { $$.adf_addr = $1;
+ $$.adf_family = AF_INET6;
+ setadflen(&$$);
+ use_inet6 = 1;
+ }
;
-next: ';' { yyexpectaddr = 1; }
+mask: YY_NUMBER { bzero(&$$, sizeof($$));
+ if (use_inet6) {
+ if (ntomask(AF_INET6, $1,
+ (u_32_t *)&$$.adf_addr) == -1)
+ yyerror("bad bitmask");
+ } else {
+ if (ntomask(AF_INET, $1,
+ (u_32_t *)&$$.adf_addr.in4) == -1)
+ yyerror("bad bitmask");
+ }
+ }
+ | ipv4 { bzero(&$$, sizeof($$));
+ $$.adf_addr.in4 = $1;
+ }
+ | YY_IPV6 { bzero(&$$, sizeof($$));
+ $$.adf_addr = $1;
+ }
;
-size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
+size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
;
-seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
+seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
;
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
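Review bot: The rewritten `range next addrlist` action walks `$1->ipn_next` with no NULL check, but `range` can be NULL: the new `IPT_WHOIS IPT_FILE YY_STR` alternative returns whatever `read_whoisfile()` returns, and that function returns NULL when `fopen()` fails. Guarding the action with `if ($1 == NULL) $$ = $3; else { ... }` keeps a missing whois file from crashing the parser. In the same hunk the `calloc()` results in `grouplist`, `groupentry`, `range` and `hashentry` are dereferenced unchecked, whereas the new `dstentry` rules test `$$ != NULL` first; the same test belongs here. The family selection is also guarded by `#ifdef AF_INET6` in `grouplist`/`groupentry` but by `#ifdef USE_INET6` in `hashentry` and `addrmask`; using `$1[0].adf_family`, as the first `grouplist` alternative does, would avoid both the macro mismatch and the dependency on the global `use_inet6`.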
@@ -336,26 +421,180 @@ ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
$$.s_addr = htonl($$.s_addr);
}
;
+
+next: ';' { yyexpectaddr = 1; }
+ ;
+
+start: '{' { yyexpectaddr = 1; }
+ ;
+
+end: '}' { yyexpectaddr = 0; }
+ ;
+
+poolline:
+ IPT_POOL unit '/' IPT_DSTLIST '(' name ';' dstopts ')'
+ start dstlist end
+ { bzero((char *)&ipld, sizeof(ipld));
+ strncpy(ipld.ipld_name, $6,
+ sizeof(ipld.ipld_name));
+ ipld.ipld_unit = $2;
+ ipld.ipld_policy = $8;
+ load_dstlist(&ipld, poolioctl, $11);
+ resetlexer();
+ use_inet6 = 0;
+ free($6);
+ }
+ | IPT_POOL unit '/' IPT_TREE '(' name ';' ')'
+ start addrlist end
+ { bzero((char *)&iplo, sizeof(iplo));
+ strncpy(iplo.ipo_name, $6,
+ sizeof(iplo.ipo_name));
+ iplo.ipo_list = $10;
+ iplo.ipo_unit = $2;
+ load_pool(&iplo, poolioctl);
+ resetlexer();
+ use_inet6 = 0;
+ free($6);
+ }
+ | IPT_POOL '(' name ';' ')' start addrlist end
+ { bzero((char *)&iplo, sizeof(iplo));
+ strncpy(iplo.ipo_name, $3,
+ sizeof(iplo.ipo_name));
+ iplo.ipo_list = $7;
+ iplo.ipo_unit = IPL_LOGALL;
+ load_pool(&iplo, poolioctl);
+ resetlexer();
+ use_inet6 = 0;
+ free($3);
+ }
+ | IPT_POOL unit '/' IPT_HASH '(' name ';' hashoptlist ')'
+ start hashlist end
+ { iphtent_t *h;
+ bzero((char *)&ipht, sizeof(ipht));
+ strncpy(ipht.iph_name, $6,
+ sizeof(ipht.iph_name));
+ ipht.iph_unit = $2;
+ load_hash(&ipht, $11, poolioctl);
+ while ((h = ipht.iph_list) != NULL) {
+ ipht.iph_list = h->ipe_next;
+ free(h);
+ }
+ resetlexer();
+ use_inet6 = 0;
+ free($6);
+ }
+ | IPT_GROUPMAP '(' name ';' inout ';' ')'
+ start setgrouplist end
+ { iphtent_t *h;
+ bzero((char *)&ipht, sizeof(ipht));
+ strncpy(ipht.iph_name, $3,
+ sizeof(ipht.iph_name));
+ ipht.iph_type = IPHASH_GROUPMAP;
+ ipht.iph_unit = IPL_LOGIPF;
+ ipht.iph_flags = $5;
+ load_hash(&ipht, $9, poolioctl);
+ while ((h = ipht.iph_list) != NULL) {
+ ipht.iph_list = h->ipe_next;
+ free(h);
+ }
+ resetlexer();
+ use_inet6 = 0;
+ free($3);
+ }
+ ;
+
+name: IPT_NAME YY_STR { $$ = $2; }
+ | IPT_NUM YY_NUMBER { char name[80];
+ sprintf(name, "%d", $2);
+ $$ = strdup(name);
+ }
+ ;
+
+hashoptlist:
+ | hashopt ';'
+ | hashoptlist ';' hashopt ';'
+ ;
+hashopt:
+ IPT_SIZE YY_NUMBER
+ | IPT_SEED YY_NUMBER
+ ;
+
+dstlist:
+ dstentries { $$ = $1; }
+ | ';' { $$ = NULL; }
+ ;
+
+dstentries:
+ dstentry next { $$ = $1; }
+ | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; }
+ ;
+
+dstentry:
+ YY_STR ':' ipaddr { int size = sizeof(*$$) + strlen($1) + 1;
+ $$ = calloc(1, size);
+ if ($$ != NULL) {
+ $$->ipfd_dest.fd_name = strlen($1) + 1;
+ bcopy($1, $$->ipfd_names,
+ $$->ipfd_dest.fd_name);
+ $$->ipfd_dest.fd_addr = $3;
+ $$->ipfd_size = size;
+ }
+ free($1);
+ }
+ | ipaddr { $$ = calloc(1, sizeof(*$$));
+ if ($$ != NULL) {
+ $$->ipfd_dest.fd_name = -1;
+ $$->ipfd_dest.fd_addr = $1;
+ $$->ipfd_size = sizeof(*$$);
+ }
+ }
+ ;
+
+dstopts:
+ { $$ = IPLDP_NONE; }
+ | IPT_POLICY IPT_ROUNDROBIN ';' { $$ = IPLDP_ROUNDROBIN; }
+ | IPT_POLICY IPT_WEIGHTED weighting ';' { $$ = $3; }
+ | IPT_POLICY IPT_RANDOM ';' { $$ = IPLDP_RANDOM; }
+ | IPT_POLICY IPT_HASH ';' { $$ = IPLDP_HASHED; }
+ | IPT_POLICY IPT_SRCHASH ';' { $$ = IPLDP_SRCHASH; }
+ | IPT_POLICY IPT_DSTHASH ';' { $$ = IPLDP_DSTHASH; }
+ ;
+
+weighting:
+ IPT_CONNECTION { $$ = IPLDP_CONNECTION; }
+ ;
%%
static wordtab_t yywords[] = {
- { "auth", IPT_AUTH },
- { "count", IPT_COUNT },
- { "group", IPT_GROUP },
- { "group-map", IPT_GROUPMAP },
- { "hash", IPT_HASH },
- { "in", IPT_IN },
- { "ipf", IPT_IPF },
- { "name", IPT_NAME },
- { "nat", IPT_NAT },
- { "number", IPT_NUM },
- { "out", IPT_OUT },
- { "role", IPT_ROLE },
- { "seed", IPT_SEED },
- { "size", IPT_SIZE },
- { "table", IPT_TABLE },
- { "tree", IPT_TREE },
- { "type", IPT_TYPE },
- { NULL, 0 }
+ { "all", IPT_ALL },
+ { "auth", IPT_AUTH },
+ { "connection", IPT_CONNECTION },
+ { "count", IPT_COUNT },
+ { "dst-hash", IPT_DSTHASH },
+ { "dstlist", IPT_DSTLIST },
+ { "file", IPT_FILE },
+ { "group", IPT_GROUP },
+ { "group-map", IPT_GROUPMAP },
+ { "hash", IPT_HASH },
+ { "in", IPT_IN },
+ { "ipf", IPT_IPF },
+ { "name", IPT_NAME },
+ { "nat", IPT_NAT },
+ { "number", IPT_NUM },
+ { "out", IPT_OUT },
+ { "policy", IPT_POLICY },
+ { "pool", IPT_POOL },
+ { "random", IPT_RANDOM },
+ { "round-robin", IPT_ROUNDROBIN },
+ { "role", IPT_ROLE },
+ { "seed", IPT_SEED },
+ { "size", IPT_SIZE },
+ { "src-hash", IPT_SRCHASH },
+ { "table", IPT_TABLE },
+ { "tree", IPT_TREE },
+ { "type", IPT_TYPE },
+ { "weighted", IPT_WEIGHTED },
+ { "whois", IPT_WHOIS },
+ { NULL, 0 }
};
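Review bot: Each `poolline` action copies the name with `strncpy(dst, $n, sizeof(dst))`, which leaves `ipld.ipld_name`, `iplo.ipo_name` or `ipht.iph_name` without a terminating NUL when the configured name is at least as long as the field, and those structures are then handed to `load_dstlist()`, `load_pool()` and `load_hash()`. Because each structure is cleared with `bzero()` immediately before the copy, copying one byte less is enough, e.g. `strncpy(ipld.ipld_name, $6, sizeof(ipld.ipld_name) - 1);`, and likewise in the other four actions. Separately, `hashopt` has no action, so `size` and `seed` given in the new `pool .../hash (...)` form are parsed and discarded. The tree and dstlist actions also do not free their node lists after loading, unlike the `line` rules changed in this commit.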
@@ -441,8 +680,9 @@ char *url;
if (hlist == NULL)
return NULL;
- if (gethost(url, &hlist->al_addr) == -1)
+ if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
yyerror("Unknown hostname");
+ }
}
hbot = NULL;
@@ -453,10 +693,9 @@ char *url;
if (h == NULL)
break;
- bcopy((char *)&a->al_addr, (char *)&h->ipe_addr,
- sizeof(h->ipe_addr));
- bcopy((char *)&a->al_mask, (char *)&h->ipe_mask,
- sizeof(h->ipe_mask));
+ h->ipe_family = a->al_family;
+ h->ipe_addr = a->al_i6addr;
+ h->ipe_mask = a->al_i6mask;
if (hbot != NULL)
hbot->ipe_next = h;
@@ -487,8 +726,9 @@ char *url;
if (hlist == NULL)
return NULL;
- if (gethost(url, &hlist->al_addr) == -1)
+ if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
yyerror("Unknown hostname");
+ }
}
pbot = NULL;
@@ -498,16 +738,19 @@ char *url;
p = calloc(1, sizeof(*p));
if (p == NULL)
break;
+ p->ipn_mask.adf_addr = a->al_i6mask;
- p->ipn_addr.adf_len = 8;
- p->ipn_mask.adf_len = 8;
-
+ if (a->al_family == AF_INET) {
+ p->ipn_addr.adf_family = AF_INET;
+#ifdef USE_INET6
+ } else if (a->al_family == AF_INET6) {
+ p->ipn_addr.adf_family = AF_INET6;
+#endif
+ }
+ setadflen(&p->ipn_addr);
+ p->ipn_addr.adf_addr = a->al_i6addr;
p->ipn_info = a->al_not;
-
- bcopy((char *)&a->al_addr, (char *)&p->ipn_addr.adf_addr,
- sizeof(p->ipn_addr.adf_addr));
- bcopy((char *)&a->al_mask, (char *)&p->ipn_mask.adf_addr,
- sizeof(p->ipn_mask.adf_addr));
+ p->ipn_mask.adf_len = p->ipn_addr.adf_len;
if (pbot != NULL)
pbot->ipn_next = p;
@@ -520,3 +763,59 @@ char *url;
return ptop;
}
+
+
+ip_pool_node_t *
+read_whoisfile(file)
+ char *file;
+{
+ ip_pool_node_t *ntop, *ipn, node, *last;
+ char line[1024];
+ FILE *fp;
+
+ fp = fopen(file, "r");
+ if (fp == NULL)
+ return NULL;
+
+ last = NULL;
+ ntop = NULL;
+ while (fgets(line, sizeof(line) - 1, fp) != NULL) {
+ line[sizeof(line) - 1] = '\0';
+
+ if (parsewhoisline(line, &node.ipn_addr, &node.ipn_mask))
+ continue;
+ ipn = calloc(1, sizeof(*ipn));
+ if (ipn == NULL)
+ continue;
+ ipn->ipn_addr = node.ipn_addr;
+ ipn->ipn_mask = node.ipn_mask;
+ if (last == NULL)
+ ntop = ipn;
+ else
+ last->ipn_next = ipn;
+ last = ipn;
+ }
+ fclose(fp);
+ return ntop;
+}
+
+
+static void
+setadflen(afp)
+ addrfamily_t *afp;
+{
+ afp->adf_len = offsetof(addrfamily_t, adf_addr);
+ switch (afp->adf_family)
+ {
+ case AF_INET :
+ afp->adf_len += sizeof(struct in_addr);
+ break;
+#ifdef USE_INET6
+ case AF_INET6 :
+ afp->adf_len += sizeof(struct in6_addr);
+ break;
+#endif
+ default :
+ break;
+ }
+}
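Review bot: `read_whoisfile()` fails silently in ways that change what gets loaded: an unopenable file returns NULL with no message, and lines that `parsewhoisline()` rejects or that hit a failed `calloc()` are skipped with `continue`, so a pool can be installed with fewer networks than the file lists and nothing tells the operator. At minimum report the open failure, `if (fp == NULL) { perror(file); return NULL; }`, and consider counting skipped lines and printing the total. `fgets(line, sizeof(line) - 1, fp)` also splits any line longer than the buffer, and the remainder is then parsed as if it were a separate entry. The definition should carry `static` to match the prototype added at the top of the file.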
diff --git a/contrib/ipfilter/tools/ipscan_y.y b/contrib/ipfilter/tools/ipscan_y.y
index 5dbefd6..d323f05 100644
--- a/contrib/ipfilter/tools/ipscan_y.y
+++ b/contrib/ipfilter/tools/ipscan_y.y
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -13,6 +13,7 @@
#include "kmem.h"
#include "ipscan_l.h"
#include "netinet/ip_scan.h"
+#include <ctype.h>
#define YYDEBUG 1
@@ -60,7 +61,7 @@ int fd = -1;
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
-%token YY_COMMENT
+%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c
index 600d39a..41513fa 100644
--- a/contrib/ipfilter/tools/ipsyncm.c
+++ b/contrib/ipfilter/tools/ipsyncm.c
@@ -1,13 +1,13 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.5 2006/08/26 11:21:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/time.h>
@@ -49,13 +49,13 @@ static void handleterm(int sig)
}
#endif
-
+
/* should be large enough to hold header + any datatype */
#define BUFFERLEN 1400
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
struct sockaddr_in sin;
char buff[BUFFERLEN];
@@ -66,14 +66,14 @@ char *argv[];
u_32_t magic;
synchdr_t *sh;
char *progname;
-
+
progname = strrchr(argv[0], '/');
if (progname) {
progname++;
} else {
progname = argv[0];
}
-
+
if (argc < 2) {
usage(progname);
@@ -108,13 +108,13 @@ char *argv[];
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
goto tryagain;
}
-
+
nfd = socket(AF_INET, SOCK_DGRAM, 0);
if (nfd == -1) {
syslog(LOG_ERR, "Socket :%m");
goto tryagain;
}
-
+
if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
syslog(LOG_ERR, "Connect: %m");
goto tryagain;
@@ -122,15 +122,15 @@ char *argv[];
syslog(LOG_INFO, "Sending data to %s",
inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
+
+ inbuf = 0;
while (1) {
n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
-
+
printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
+ n1, (int) sizeof(*sh));
+
if (n1 < 0) {
syslog(LOG_ERR, "Read error (header): %m");
goto tryagain;
@@ -143,8 +143,8 @@ char *argv[];
sleep(1);
continue;
}
-
- inbuf += n1;
+
+ inbuf += n1;
moreinbuf:
if (inbuf < sizeof(*sh)) {
@@ -153,7 +153,7 @@ moreinbuf:
sh = (synchdr_t *)buff;
len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
+ magic = ntohl(sh->sm_magic);
if (magic != SYNHDRMAGIC) {
syslog(LOG_ERR,
@@ -181,8 +181,8 @@ moreinbuf:
printf(" table:Unknown(%d)", sh->sm_table);
printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
+#endif
+
if (inbuf < sizeof(*sh) + len) {
continue; /* need more data */
goto tryagain;
@@ -195,9 +195,9 @@ moreinbuf:
} else if (sh->sm_cmd == SMC_UPDATE) {
su = (syncupdent_t *)buff;
if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
+ printf(" TCP Update: age %lu state %d/%d\n",
su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
+ su->sup_tcp.stu_state[0],
su->sup_tcp.stu_state[1]);
}
} else {
@@ -212,7 +212,7 @@ moreinbuf:
goto tryagain;
}
-
+
if (n3 != n2) {
syslog(LOG_ERR, "Incomplete write (%d/%d)",
n3, n2);
@@ -226,7 +226,7 @@ moreinbuf:
/* move buffer to the front,we might need to make
* this more efficient, by using a rolling pointer
* over the buffer and only copying it, when
- * we are reaching the end
+ * we are reaching the end
*/
inbuf -= n2;
if (inbuf) {
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c
index 887eeab..43692cd 100644
--- a/contrib/ipfilter/tools/ipsyncs.c
+++ b/contrib/ipfilter/tools/ipsyncs.c
@@ -1,13 +1,13 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.4 2006/08/26 11:21:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/time.h>
@@ -54,10 +54,10 @@ static void handleterm(int sig)
#define BUFFERLEN 1400
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- int nfd = -1 , lfd = -1;
+ int nfd = -1 , lfd = -1;
int n1, n2, n3, magic, len, inbuf;
struct sockaddr_in sin;
struct sockaddr_in in;
@@ -66,14 +66,14 @@ char *argv[];
syncupdent_t *su;
synchdr_t *sh;
char *progname;
-
+
progname = strrchr(argv[0], '/');
if (progname) {
progname++;
} else {
progname = argv[0];
}
-
+
if (argc < 2) {
usage(progname);
exit(1);
@@ -86,7 +86,7 @@ char *argv[];
#endif
openlog(progname, LOG_PID, LOG_SECURITY);
-
+
lfd = open(IPSYNC_NAME, O_WRONLY);
if (lfd == -1) {
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
@@ -101,14 +101,14 @@ char *argv[];
sin.sin_port = htons(atoi(argv[2]));
else
sin.sin_port = htons(43434);
- if (argc > 3)
+ if (argc > 3)
in.sin_addr.s_addr = inet_addr(argv[3]);
else
in.sin_addr.s_addr = 0;
in.sin_port = 0;
while(1) {
-
+
if (lfd != -1)
close(lfd);
if (nfd != -1)
@@ -119,7 +119,7 @@ char *argv[];
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
goto tryagain;
}
-
+
nfd = socket(AF_INET, SOCK_DGRAM, 0);
if (nfd == -1) {
syslog(LOG_ERR, "Socket :%m");
@@ -135,20 +135,20 @@ char *argv[];
}
syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
+
+ inbuf = 0;
while (1) {
- /*
+ /*
* XXX currently we do not check the source address
* of a datagram, this can be a security risk
*/
n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf);
-
+
printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
+ n1, (int) sizeof(*sh));
+
if (n1 < 0) {
syslog(LOG_ERR, "Read error (header): %m");
goto tryagain;
@@ -161,8 +161,8 @@ char *argv[];
sleep(1);
continue;
}
-
- inbuf += n1;
+
+ inbuf += n1;
moreinbuf:
if (inbuf < sizeof(*sh)) {
@@ -171,7 +171,7 @@ moreinbuf:
sh = (synchdr_t *)buff;
len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
+ magic = ntohl(sh->sm_magic);
if (magic != SYNHDRMAGIC) {
syslog(LOG_ERR, "Invalid header magic %x",
@@ -199,8 +199,8 @@ moreinbuf:
printf(" table:Unknown(%d)", sh->sm_table);
printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
+#endif
+
if (inbuf < sizeof(*sh) + len) {
continue; /* need more data */
goto tryagain;
@@ -213,9 +213,9 @@ moreinbuf:
} else if (sh->sm_cmd == SMC_UPDATE) {
su = (syncupdent_t *)buff;
if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
+ printf(" TCP Update: age %lu state %d/%d\n",
su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
+ su->sup_tcp.stu_state[0],
su->sup_tcp.stu_state[1]);
}
} else {
@@ -231,7 +231,7 @@ moreinbuf:
goto tryagain;
}
-
+
if (n3 != n2) {
syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
IPSYNC_NAME, n3, n2);
@@ -245,7 +245,7 @@ moreinbuf:
/* move buffer to the front,we might need to make
* this more efficient, by using a rolling pointer
* over the buffer and only copying it, when
- * we are reaching the end
+ * we are reaching the end
*/
inbuf -= n2;
if (inbuf) {
diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h
index 78c5efc..eb59f58 100644
--- a/contrib/ipfilter/tools/lex_var.h
+++ b/contrib/ipfilter/tools/lex_var.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index 989643c..41b7896 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -42,6 +42,7 @@ char yychars[YYBUFSIZ+1];
int yylineNum = 1;
int yypos = 0;
int yylast = -1;
+int yydictfixed = 0;
int yyexpectaddr = 0;
int yybreakondot = 0;
int yyvarnext = 0;
@@ -60,7 +61,7 @@ static void yystrtotext __P((char *));
static char *yytexttochar __P((void));
static int yygetc(docont)
-int docont;
+ int docont;
{
int c;
@@ -98,7 +99,7 @@ int docont;
static void yyunputc(c)
-int c;
+ int c;
{
if (c == '\n')
yylineNum--;
@@ -107,7 +108,7 @@ int c;
static int yyswallow(last)
-int last;
+ int last;
{
int c;
@@ -134,7 +135,7 @@ static char *yytexttochar()
static void yystrtotext(str)
-char *str;
+ char *str;
{
int len;
char *s;
@@ -150,7 +151,7 @@ char *str;
static char *yytexttostr(offset, max)
-int offset, max;
+ int offset, max;
{
char *str;
int i;
@@ -175,8 +176,11 @@ int offset, max;
int yylex()
{
+ static int prior = 0;
+ static int priornum = 0;
int c, n, isbuilding, rval, lnext, nokey = 0;
char *name;
+ int triedv6 = 0;
isbuilding = 0;
lnext = 0;
@@ -190,7 +194,8 @@ int yylex()
nextchar:
c = yygetc(0);
if (yydebug > 1)
- printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
+ printf("yygetc = (%x) %c [%*.*s]\n",
+ c, c, yypos, yypos, yytexttochar());
switch (c)
{
@@ -209,6 +214,8 @@ nextchar:
sizeof(yytext[0]) * (yylast - yypos + 1));
}
yylast -= yypos;
+ if (yyexpectaddr == 2)
+ yyexpectaddr = 0;
yypos = 0;
lnext = 0;
nokey = 0;
@@ -232,6 +239,7 @@ nextchar:
if (lnext == 1) {
lnext = 0;
if ((isbuilding == 0) && !ISALNUM(c)) {
+ prior = c;
return c;
}
goto nextchar;
@@ -246,7 +254,7 @@ nextchar:
}
yyswallow('\n');
rval = YY_COMMENT;
- goto nextchar;
+ goto done;
case '$' :
if (isbuilding == 1) {
@@ -320,6 +328,9 @@ nextchar:
yybreakondot = 0;
yyvarnext = 0;
yytokentype = 0;
+ if (yydebug)
+ fprintf(stderr, "reset at EOF\n");
+ prior = 0;
return 0;
}
@@ -344,16 +355,21 @@ nextchar:
switch (c)
{
case '-' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1)
- break;
n = yygetc(0);
if (n == '>') {
isbuilding = 1;
goto done;
}
yyunputc(n);
+ if (yyexpectaddr) {
+ if (isbuilding == 1)
+ yyunputc(c);
+ else
+ rval = '-';
+ goto done;
+ }
+ if (isbuilding == 1)
+ break;
rval = '-';
goto done;
@@ -420,14 +436,21 @@ nextchar:
* 0000:0000:0000:0000:0000:0000:0000:0000
*/
#ifdef USE_INET6
- if (yyexpectaddr == 1 && isbuilding == 0 && (ishex(c) || c == ':')) {
+ if (yyexpectaddr != 0 && isbuilding == 0 &&
+ (ishex(c) || isdigit(c) || c == ':')) {
char ipv6buf[45 + 1], *s, oc;
int start;
+buildipv6:
start = yypos;
s = ipv6buf;
oc = c;
+ if (prior == YY_NUMBER && c == ':') {
+ sprintf(s, "%d", priornum);
+ s += strlen(s);
+ }
+
/*
* Perhaps we should implement stricter controls on what we
* swallow up here, but surely it would just be duplicating
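Review bot: The added `sprintf(s, "%d", priornum); s += strlen(s);` advances `s` into `ipv6buf` before the copy loop that follows. That loop lies outside this hunk, so please confirm its bound is taken from the current `s` against `ipv6buf + sizeof(ipv6buf)` rather than from a fixed character count. `priornum` is an `int` filled from `yylval.num`, which the ippool grammar on this page declares as `u_32_t`, so a large prior number would be printed with a leading `-`; an unsigned `priornum` with `%u` avoids that. The enclosing `if` block continues past the end of the hunk.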
@@ -451,7 +474,25 @@ nextchar:
}
#endif
- if (c == ':') {
+ if ((c == ':') && (rval != YY_IPV6) && (triedv6 == 0)) {
+#ifdef USE_INET6
+ yystr = yytexttostr(0, yypos - 1);
+ if (yystr != NULL) {
+ char *s;
+
+ for (s = yystr; *s && ishex(*s); s++)
+ ;
+ if (!*s && *yystr) {
+ isbuilding = 0;
+ c = *yystr;
+ free(yystr);
+ triedv6 = 1;
+ yypos = 1;
+ goto buildipv6;
+ }
+ free(yystr);
+ }
+#endif
if (isbuilding == 1) {
yyunputc(c);
goto done;
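Review bot: Both paths through the new block call `free(yystr)` and leave the pointer set, including the path that jumps back to `buildipv6`. `yystr` does not appear among the locals of `yylex()` shown in this diff, so it is presumably file-scope; anything that reads it before `done:` reassigns it (an error report, for instance) would touch freed memory. Adding `yystr = NULL;` after each `free(yystr);` removes that window. The rest of this `if` is outside the hunk.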
@@ -492,8 +533,8 @@ done:
yystr = yytexttostr(0, yypos);
if (yydebug)
- printf("isbuilding %d yyvarnext %d nokey %d\n",
- isbuilding, yyvarnext, nokey);
+ printf("isbuilding %d yyvarnext %d nokey %d fixed %d addr %d\n",
+ isbuilding, yyvarnext, nokey, yydictfixed, yyexpectaddr);
if (isbuilding == 1) {
wordtab_t *w;
@@ -502,7 +543,7 @@ done:
if ((yyvarnext == 0) && (nokey == 0)) {
w = yyfindkey(yystr);
- if (w == NULL && yywordtab != NULL) {
+ if (w == NULL && yywordtab != NULL && !yydictfixed) {
yyresetdict();
w = yyfindkey(yystr);
}
@@ -514,14 +555,19 @@ done:
rval = YY_STR;
}
- if (rval == YY_STR && yysavedepth > 0)
- yyresetdict();
+ if (rval == YY_STR) {
+ if (yysavedepth > 0 && !yydictfixed)
+ yyresetdict();
+ if (yyexpectaddr != 0)
+ yyexpectaddr = 0;
+ }
yytokentype = rval;
if (yydebug)
- printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start,
- string_end, pos, rval, yysavedepth);
+ printf("lexed(%s) %d,%d,%d [%d,%d,%d] => %d @%d\n",
+ yystr, isbuilding, yyexpectaddr, yysavedepth,
+ string_start, string_end, pos, rval, yysavedepth);
switch (rval)
{
@@ -548,12 +594,15 @@ done:
yypos = 0;
}
+ if (rval == YY_NUMBER)
+ priornum = yylval.num;
+ prior = rval;
return rval;
}
static wordtab_t *yyfindkey(key)
-char *key;
+ char *key;
{
wordtab_t *w;
@@ -568,7 +617,7 @@ char *key;
char *yykeytostr(num)
-int num;
+ int num;
{
wordtab_t *w;
@@ -583,7 +632,7 @@ int num;
wordtab_t *yysettab(words)
-wordtab_t *words;
+ wordtab_t *words;
{
wordtab_t *save;
@@ -594,7 +643,7 @@ wordtab_t *words;
void yyerror(msg)
-char *msg;
+ char *msg;
{
char *txt, letter[2];
int freetxt = 0;
@@ -620,9 +669,31 @@ char *msg;
}
+void yysetfixeddict(newdict)
+ wordtab_t *newdict;
+{
+ if (yydebug)
+ printf("yysetfixeddict(%lx)\n", (u_long)newdict);
+
+ if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
+ fprintf(stderr, "%d: at maximum dictionary depth\n",
+ yylineNum);
+ return;
+ }
+
+ yysavewords[yysavedepth++] = yysettab(newdict);
+ if (yydebug)
+ printf("yysavedepth++ => %d\n", yysavedepth);
+ yydictfixed = 1;
+}
+
+
void yysetdict(newdict)
-wordtab_t *newdict;
+ wordtab_t *newdict;
{
+ if (yydebug)
+ printf("yysetdict(%lx)\n", (u_long)newdict);
+
if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
fprintf(stderr, "%d: at maximum dictionary depth\n",
yylineNum);
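Review bot: `yysetfixeddict()` repeats the body of `yysetdict()` and, when the save stack is full, returns without setting `yydictfixed`, so the caller cannot tell that the fixed dictionary was not installed. Consider documenting that above the function, e.g. `/* Installs newdict and blocks automatic yyresetdict(); no-op when the save stack is full. */`, or giving the caller a way to detect it. The debug lines print the pointer with `%lx` and a `(u_long)` cast; `printf("yysetfixeddict(%p)\n", (void *)newdict);` is the portable form. `yysetdict()` continues past the end of the hunk.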
@@ -643,14 +714,15 @@ void yyresetdict()
if (yydebug)
printf("yysavedepth-- => %d\n", yysavedepth);
}
+ yydictfixed = 0;
}
#ifdef TEST_LEXER
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
int n;
diff --git a/contrib/ipfilter/tools/lexer.h b/contrib/ipfilter/tools/lexer.h
index d973ea4..cff24b4 100644
--- a/contrib/ipfilter/tools/lexer.h
+++ b/contrib/ipfilter/tools/lexer.h
@@ -1,16 +1,11 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-typedef struct wordtab {
- char *w_word;
- int w_value;
-} wordtab_t;
-
#ifdef NO_YACC
#define YY_COMMENT 1000
#define YY_CMP_NE 1001
@@ -29,6 +24,7 @@ typedef struct wordtab {
extern wordtab_t *yysettab __P((wordtab_t *));
extern void yysetdict __P((wordtab_t *));
+extern void yysetfixeddict __P((wordtab_t *));
extern int yylex __P((void));
extern void yyerror __P((char *));
extern char *yykeytostr __P((int));