summaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib')
-rw-r--r--contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt707
-rw-r--r--contrib/ipfilter/FWTK/tproxy.diff82
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-424
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.02
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.12
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.22
-rw-r--r--contrib/ipfilter/INST.FreeBSD-2.22
-rw-r--r--contrib/ipfilter/Makefile334
-rw-r--r--contrib/ipfilter/UPGRADE_NOTICE10
-rw-r--r--contrib/ipfilter/bpf-ipf.h2
-rw-r--r--contrib/ipfilter/bpf.h450
-rw-r--r--contrib/ipfilter/bpf_filter.c2
-rw-r--r--contrib/ipfilter/common.c610
-rw-r--r--contrib/ipfilter/facpri.c151
-rw-r--r--contrib/ipfilter/facpri.h40
-rw-r--r--contrib/ipfilter/fils.c1536
-rw-r--r--contrib/ipfilter/inet_addr.c199
-rw-r--r--contrib/ipfilter/ip_fil_freebsd.c2
-rw-r--r--contrib/ipfilter/ip_htable.c2
-rw-r--r--contrib/ipfilter/ip_htable.h2
-rw-r--r--contrib/ipfilter/ip_irc_pxy.c2
-rw-r--r--contrib/ipfilter/ip_lfil.c975
-rw-r--r--contrib/ipfilter/ip_lookup.c2
-rw-r--r--contrib/ipfilter/ip_lookup.h2
-rw-r--r--contrib/ipfilter/ip_msnrpc_pxy.c2
-rw-r--r--contrib/ipfilter/ip_pool.c2
-rw-r--r--contrib/ipfilter/ip_pool.h2
-rw-r--r--contrib/ipfilter/ip_pptp_pxy.c2
-rw-r--r--contrib/ipfilter/ip_rpcb_pxy.c2
-rw-r--r--contrib/ipfilter/ip_scan.c2
-rw-r--r--contrib/ipfilter/ip_scan.h2
-rw-r--r--contrib/ipfilter/ip_sfil.c991
-rw-r--r--contrib/ipfilter/ip_sync.c2
-rw-r--r--contrib/ipfilter/ip_sync.h2
-rw-r--r--contrib/ipfilter/ipf.c764
-rw-r--r--contrib/ipfilter/ipf.h2
-rw-r--r--contrib/ipfilter/ipfs.c859
-rw-r--r--contrib/ipfilter/ipft_ef.c155
-rw-r--r--contrib/ipfilter/ipft_hx.c173
-rw-r--r--contrib/ipfilter/ipft_pc.c275
-rw-r--r--contrib/ipfilter/ipft_sn.c219
-rw-r--r--contrib/ipfilter/ipft_td.c193
-rw-r--r--contrib/ipfilter/ipft_tx.c353
-rw-r--r--contrib/ipfilter/iplang/iplang.h2
-rw-r--r--contrib/ipfilter/iplang/iplang_l.l2
-rw-r--r--contrib/ipfilter/iplang/iplang_y.y40
-rw-r--r--contrib/ipfilter/ipmon.c1495
-rw-r--r--contrib/ipfilter/ipmon.h2
-rw-r--r--contrib/ipfilter/ipnat.c433
-rw-r--r--contrib/ipfilter/ipsd/Celler/ip_compat.h2
-rw-r--r--contrib/ipfilter/ipsd/ipsd.c2
-rw-r--r--contrib/ipfilter/ipsd/ipsd.h2
-rw-r--r--contrib/ipfilter/ipsd/ipsdr.c2
-rw-r--r--contrib/ipfilter/ipsd/linux.h2
-rw-r--r--contrib/ipfilter/ipsd/sbpf.c2
-rw-r--r--contrib/ipfilter/ipsd/sdlpi.c2
-rw-r--r--contrib/ipfilter/ipsd/slinux.c2
-rw-r--r--contrib/ipfilter/ipsd/snit.c2
-rw-r--r--contrib/ipfilter/ipsend/.OLD/ip_compat.h2
-rw-r--r--contrib/ipfilter/ipsend/44arp.c2
-rw-r--r--contrib/ipfilter/ipsend/arp.c2
-rw-r--r--contrib/ipfilter/ipsend/dlcommon.c2
-rw-r--r--contrib/ipfilter/ipsend/dltest.h2
-rw-r--r--contrib/ipfilter/ipsend/hpux.c2
-rw-r--r--contrib/ipfilter/ipsend/in_var.h2
-rw-r--r--contrib/ipfilter/ipsend/ip.c2
-rw-r--r--contrib/ipfilter/ipsend/ip_var.h2
-rw-r--r--contrib/ipfilter/ipsend/ipresend.12
-rw-r--r--contrib/ipfilter/ipsend/ipresend.c2
-rw-r--r--contrib/ipfilter/ipsend/ipsend.12
-rw-r--r--contrib/ipfilter/ipsend/ipsend.52
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c116
-rw-r--r--contrib/ipfilter/ipsend/ipsend.h2
-rw-r--r--contrib/ipfilter/ipsend/ipsopt.c2
-rw-r--r--contrib/ipfilter/ipsend/iptest.12
-rw-r--r--contrib/ipfilter/ipsend/iptest.c2
-rw-r--r--contrib/ipfilter/ipsend/iptests.c201
-rw-r--r--contrib/ipfilter/ipsend/larp.c2
-rw-r--r--contrib/ipfilter/ipsend/linux.h2
-rw-r--r--contrib/ipfilter/ipsend/lsock.c2
-rw-r--r--contrib/ipfilter/ipsend/resend.c2
-rw-r--r--contrib/ipfilter/ipsend/sbpf.c31
-rw-r--r--contrib/ipfilter/ipsend/sdlpi.c2
-rw-r--r--contrib/ipfilter/ipsend/sirix.c2
-rw-r--r--contrib/ipfilter/ipsend/slinux.c2
-rw-r--r--contrib/ipfilter/ipsend/snit.c2
-rw-r--r--contrib/ipfilter/ipsend/sock.c50
-rw-r--r--contrib/ipfilter/ipsend/sockraw.c2
-rw-r--r--contrib/ipfilter/ipsend/tcpip.h2
-rw-r--r--contrib/ipfilter/ipsend/ultrix.c84
-rw-r--r--contrib/ipfilter/ipt.c551
-rw-r--r--contrib/ipfilter/ipt.h2
-rw-r--r--contrib/ipfilter/kmem.c244
-rw-r--r--contrib/ipfilter/kmem.h2
-rw-r--r--contrib/ipfilter/l4check/l4check.c2
-rw-r--r--contrib/ipfilter/lib/addicmp.c2
-rw-r--r--contrib/ipfilter/lib/addipopt.c2
-rw-r--r--contrib/ipfilter/lib/addkeep.c2
-rw-r--r--contrib/ipfilter/lib/bcopywrap.c2
-rw-r--r--contrib/ipfilter/lib/binprint.c2
-rw-r--r--contrib/ipfilter/lib/buildopts.c2
-rw-r--r--contrib/ipfilter/lib/checkrev.c2
-rw-r--r--contrib/ipfilter/lib/count4bits.c2
-rw-r--r--contrib/ipfilter/lib/count6bits.c2
-rw-r--r--contrib/ipfilter/lib/debug.c2
-rw-r--r--contrib/ipfilter/lib/extras.c2
-rw-r--r--contrib/ipfilter/lib/facpri.c2
-rw-r--r--contrib/ipfilter/lib/facpri.h2
-rw-r--r--contrib/ipfilter/lib/fill6bits.c2
-rw-r--r--contrib/ipfilter/lib/flags.c2
-rw-r--r--contrib/ipfilter/lib/genmask.c2
-rw-r--r--contrib/ipfilter/lib/gethost.c2
-rw-r--r--contrib/ipfilter/lib/getifname.c2
-rw-r--r--contrib/ipfilter/lib/getline.c2
-rw-r--r--contrib/ipfilter/lib/getnattype.c2
-rw-r--r--contrib/ipfilter/lib/getport.c2
-rw-r--r--contrib/ipfilter/lib/getportproto.c2
-rw-r--r--contrib/ipfilter/lib/getproto.c2
-rw-r--r--contrib/ipfilter/lib/getsumd.c2
-rw-r--r--contrib/ipfilter/lib/hexdump.c2
-rw-r--r--contrib/ipfilter/lib/hostmask.c2
-rw-r--r--contrib/ipfilter/lib/hostname.c2
-rw-r--r--contrib/ipfilter/lib/hostnum.c2
-rw-r--r--contrib/ipfilter/lib/icmpcode.c2
-rw-r--r--contrib/ipfilter/lib/inet_addr.c2
-rw-r--r--contrib/ipfilter/lib/initparse.c2
-rw-r--r--contrib/ipfilter/lib/ionames.c2
-rw-r--r--contrib/ipfilter/lib/ipf_dotuning.c2
-rw-r--r--contrib/ipfilter/lib/ipft_ef.c2
-rw-r--r--contrib/ipfilter/lib/ipft_hx.c2
-rw-r--r--contrib/ipfilter/lib/ipft_pc.c2
-rw-r--r--contrib/ipfilter/lib/ipft_sn.c2
-rw-r--r--contrib/ipfilter/lib/ipft_td.c2
-rw-r--r--contrib/ipfilter/lib/ipft_tx.c2
-rw-r--r--contrib/ipfilter/lib/ipoptsec.c2
-rw-r--r--contrib/ipfilter/lib/kmem.c2
-rw-r--r--contrib/ipfilter/lib/kmem.h2
-rw-r--r--contrib/ipfilter/lib/kmemcpywrap.c2
-rw-r--r--contrib/ipfilter/lib/kvatoname.c2
-rw-r--r--contrib/ipfilter/lib/load_hash.c2
-rw-r--r--contrib/ipfilter/lib/load_hashnode.c2
-rw-r--r--contrib/ipfilter/lib/load_pool.c2
-rw-r--r--contrib/ipfilter/lib/load_poolnode.c2
-rw-r--r--contrib/ipfilter/lib/loglevel.c2
-rw-r--r--contrib/ipfilter/lib/make_range.c2
-rw-r--r--contrib/ipfilter/lib/mutex_emul.c2
-rw-r--r--contrib/ipfilter/lib/nametokva.c2
-rw-r--r--contrib/ipfilter/lib/nat_setgroupmap.c2
-rw-r--r--contrib/ipfilter/lib/natparse.c2
-rw-r--r--contrib/ipfilter/lib/ntomask.c2
-rw-r--r--contrib/ipfilter/lib/optname.c2
-rw-r--r--contrib/ipfilter/lib/optprint.c2
-rw-r--r--contrib/ipfilter/lib/optprintv6.c2
-rw-r--r--contrib/ipfilter/lib/optvalue.c2
-rw-r--r--contrib/ipfilter/lib/parse.c2
-rw-r--r--contrib/ipfilter/lib/portname.c2
-rw-r--r--contrib/ipfilter/lib/portnum.c2
-rw-r--r--contrib/ipfilter/lib/ports.c2
-rw-r--r--contrib/ipfilter/lib/print_toif.c2
-rw-r--r--contrib/ipfilter/lib/printactivenat.c2
-rw-r--r--contrib/ipfilter/lib/printaps.c2
-rw-r--r--contrib/ipfilter/lib/printbuf.c2
-rw-r--r--contrib/ipfilter/lib/printfr.c2
-rw-r--r--contrib/ipfilter/lib/printfraginfo.c2
-rw-r--r--contrib/ipfilter/lib/printhash.c2
-rw-r--r--contrib/ipfilter/lib/printhashnode.c2
-rw-r--r--contrib/ipfilter/lib/printhostmap.c2
-rw-r--r--contrib/ipfilter/lib/printhostmask.c2
-rw-r--r--contrib/ipfilter/lib/printifname.c2
-rw-r--r--contrib/ipfilter/lib/printip.c2
-rw-r--r--contrib/ipfilter/lib/printlog.c2
-rw-r--r--contrib/ipfilter/lib/printmask.c2
-rw-r--r--contrib/ipfilter/lib/printnat.c2
-rw-r--r--contrib/ipfilter/lib/printpacket.c2
-rw-r--r--contrib/ipfilter/lib/printpacket6.c2
-rw-r--r--contrib/ipfilter/lib/printpool.c2
-rw-r--r--contrib/ipfilter/lib/printpoolnode.c2
-rw-r--r--contrib/ipfilter/lib/printportcmp.c2
-rw-r--r--contrib/ipfilter/lib/printsbuf.c2
-rw-r--r--contrib/ipfilter/lib/printstate.c2
-rw-r--r--contrib/ipfilter/lib/printtunable.c2
-rw-r--r--contrib/ipfilter/lib/ratoi.c2
-rw-r--r--contrib/ipfilter/lib/ratoui.c2
-rw-r--r--contrib/ipfilter/lib/remove_hash.c2
-rw-r--r--contrib/ipfilter/lib/remove_hashnode.c2
-rw-r--r--contrib/ipfilter/lib/remove_pool.c2
-rw-r--r--contrib/ipfilter/lib/remove_poolnode.c2
-rw-r--r--contrib/ipfilter/lib/resetlexer.c2
-rw-r--r--contrib/ipfilter/lib/rwlock_emul.c2
-rw-r--r--contrib/ipfilter/lib/tcp_flags.c2
-rw-r--r--contrib/ipfilter/lib/tcpflags.c2
-rw-r--r--contrib/ipfilter/lib/tcpoptnames.c2
-rw-r--r--contrib/ipfilter/lib/to_interface.c2
-rw-r--r--contrib/ipfilter/lib/v6ionames.c2
-rw-r--r--contrib/ipfilter/lib/v6optvalue.c2
-rw-r--r--contrib/ipfilter/lib/var.c2
-rw-r--r--contrib/ipfilter/lib/verbose.c2
-rw-r--r--contrib/ipfilter/man/ipf.46
-rw-r--r--contrib/ipfilter/man/ipf.527
-rw-r--r--contrib/ipfilter/man/ipf.836
-rw-r--r--contrib/ipfilter/man/ipfilter.42
-rw-r--r--contrib/ipfilter/man/ipfs.82
-rw-r--r--contrib/ipfilter/man/ipfstat.852
-rw-r--r--contrib/ipfilter/man/ipftest.1192
-rw-r--r--contrib/ipfilter/man/ipl.42
-rw-r--r--contrib/ipfilter/man/ipmon.52
-rw-r--r--contrib/ipfilter/man/ipmon.87
-rw-r--r--contrib/ipfilter/man/ipnat.52
-rw-r--r--contrib/ipfilter/man/ipnat.82
-rw-r--r--contrib/ipfilter/man/ippool.52
-rw-r--r--contrib/ipfilter/man/ippool.82
-rw-r--r--contrib/ipfilter/man/ipscan.52
-rw-r--r--contrib/ipfilter/man/ipscan.82
-rw-r--r--contrib/ipfilter/man/mkfilters.12
-rw-r--r--contrib/ipfilter/md5.c2
-rw-r--r--contrib/ipfilter/md5.h2
-rw-r--r--contrib/ipfilter/misc.c207
-rw-r--r--contrib/ipfilter/ml_ipl.c165
-rw-r--r--contrib/ipfilter/mlf_ipl.c2
-rw-r--r--contrib/ipfilter/mlf_rule.c2
-rw-r--r--contrib/ipfilter/mlfk_rule.c2
-rw-r--r--contrib/ipfilter/mlh_rule.c2
-rw-r--r--contrib/ipfilter/mli_ipl.c596
-rw-r--r--contrib/ipfilter/mln_ipl.c295
-rw-r--r--contrib/ipfilter/mls_ipl.c213
-rw-r--r--contrib/ipfilter/natparse.c902
-rw-r--r--contrib/ipfilter/opt.c179
-rw-r--r--contrib/ipfilter/opts.h2
-rw-r--r--contrib/ipfilter/parse.c1510
-rw-r--r--contrib/ipfilter/pcap-ipf.h2
-rw-r--r--contrib/ipfilter/pcap.h34
-rw-r--r--contrib/ipfilter/printnat.c487
-rw-r--r--contrib/ipfilter/printstate.c151
-rw-r--r--contrib/ipfilter/radix.c2
-rw-r--r--contrib/ipfilter/radix_ipf.h2
-rw-r--r--contrib/ipfilter/relay.c227
-rw-r--r--contrib/ipfilter/samples/proxy.c2
-rw-r--r--contrib/ipfilter/samples/relay.c2
-rw-r--r--contrib/ipfilter/samples/userauth.c2
-rw-r--r--contrib/ipfilter/snoop.h2
-rwxr-xr-xcontrib/ipfilter/test/logtest23
-rw-r--r--contrib/ipfilter/tools/ipf.c2
-rw-r--r--contrib/ipfilter/tools/ipf_y.y2
-rw-r--r--contrib/ipfilter/tools/ipfcomp.c2
-rw-r--r--contrib/ipfilter/tools/ipfs.c2
-rw-r--r--contrib/ipfilter/tools/ipfstat.c2
-rw-r--r--contrib/ipfilter/tools/ipftest.c2
-rw-r--r--contrib/ipfilter/tools/ipmon.c2
-rw-r--r--contrib/ipfilter/tools/ipmon_y.y2
-rw-r--r--contrib/ipfilter/tools/ipnat.c2
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y2
-rw-r--r--contrib/ipfilter/tools/ippool.c2
-rw-r--r--contrib/ipfilter/tools/ippool_y.y2
-rw-r--r--contrib/ipfilter/tools/ipscan_y.y2
-rw-r--r--contrib/ipfilter/tools/ipsyncm.c2
-rw-r--r--contrib/ipfilter/tools/ipsyncs.c2
-rw-r--r--contrib/ipfilter/tools/lex_var.h2
-rw-r--r--contrib/ipfilter/tools/lexer.c2
-rw-r--r--contrib/ipfilter/tools/lexer.h2
259 files changed, 832 insertions, 17240 deletions
diff --git a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
deleted file mode 100644
index 2e71938..0000000
--- a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
+++ /dev/null
@@ -1,707 +0,0 @@
-diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c
-*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998
---- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998
-***************
-*** 44,49 ****
---- 44,51 ----
-
- extern char *optarg;
-
-+ char *getdsthost();
-+
- #include "firewall.h"
-
-
-***************
-*** 88,93 ****
---- 90,97 ----
- static int cmdcnt = 0;
- static int timeout = PROXY_TIMEOUT;
-
-+ static int do_transparent = 0;
-+
-
- static int cmd_user();
- static int cmd_authorize();
-***************
-*** 101,106 ****
---- 105,111 ----
- static int cmd_passthru();
- static void saveline();
- static void flushsaved();
-+ static int connectdest();
-
- #define OP_CONN 001 /* only valid if connected */
- #define OP_WCON 002 /* writethrough if connected */
-***************
-*** 173,178 ****
---- 178,184 ----
- char xuf[1024];
- char huf[512];
- char *passuser = (char *)0; /* passed user as av */
-+ char *psychic, *hotline;
-
- #ifndef LOG_DAEMON
- openlog("ftp-gw",LOG_PID);
-***************
-*** 317,322 ****
---- 323,332 ----
- } else
- timeout = PROXY_TIMEOUT;
-
-+ psychic = getdsthost(0, NULL);
-+ if (psychic)
-+ do_transparent++;
-+
- /* display a welcome file or message */
- if(passuser == (char *)0) {
- if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-***************
-*** 324,329 ****
---- 334,345 ----
- syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
- exit(1);
- }
-+ if (do_transparent) {
-+ if (sayfile2(0, cf->argv[0], 220)) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ } else
- if(sayfile(0,cf->argv[0],220)) {
- syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
- exit(1);
-***************
-*** 336,341 ****
---- 352,360 ----
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-
-+ if (do_transparent)
-+ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
-+ else
- sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
- if(say(0,xuf))
- exit(1);
-***************
-*** 357,362 ****
---- 376,384 ----
- exit(1);
- }
-
-+ if (do_transparent)
-+ connectdest(psychic, 21);
-+
- /* main loop */
- while(1) {
- FD_ZERO(&rdy);
-***************
-*** 653,658 ****
---- 675,696 ----
- return(sayn(0,noad,sizeof(noad)-1));
- }
-
-+ if (do_transparent) {
-+ if((rfd == (-1)) && (x = connectdest(dest,port)))
-+ return x;
-+
-+ sprintf(buf,"USER %s",user);
-+
-+ if (say(rfd, buf))
-+ return(1);
-+
-+ x = getresp(rfd, buf, sizeof(buf), 1);
-+ if (sendsaved(0, x))
-+ return(1);
-+
-+ return(say(0, buf));
-+ }
-+
- if(*dest == '\0')
- dest = "localhost";
-
-***************
-*** 694,705 ****
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
-! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-! saveline(buf);
-
- /* we are now connected and need to try the autologin thing */
- x = getresp(rfd,buf,sizeof(buf),1);
---- 732,748 ----
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! if (do_transparent)
-! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf);
-! else
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
-! if (!do_transparent) {
-! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-! saveline(buf);
-! }
-
- /* we are now connected and need to try the autologin thing */
- x = getresp(rfd,buf,sizeof(buf),1);
-***************
-*** 1889,1891 ****
---- 1932,2050 ----
- dup(nread);
- }
- #endif
-+
-+ static int connectdest(dest, port)
-+ char *dest;
-+ short port;
-+ {
-+ char buf[1024], mbuf[512];
-+ int msg_int, x;
-+
-+ if(*dest == '\0')
-+ dest = "localhost";
-+
-+ if(validests != (char **)0) {
-+ char **xp;
-+ int x;
-+
-+ for(xp = validests; *xp != (char *)0; xp++) {
-+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
-+ return(baddest(0,dest));
-+ } else {
-+ if(hostmatch(*xp,dest))
-+ break;
-+ }
-+ }
-+ if(*xp == (char *)0)
-+ return(baddest(0,dest));
-+ }
-+
-+ /* Extended permissions processing goes in here for destination */
-+ if(extendperm) {
-+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
-+ if(msg_int == 1) {
-+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
-+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
-+ say(0,mbuf);
-+ return(1);
-+ } else {
-+ if(msg_int == -1) {
-+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
-+ say(0,mbuf);
-+ return(1);
-+ }
-+ }
-+ }
-+
-+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
-+
-+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
-+ char ebuf[512];
-+
-+ strcpy(ebuf,buf);
-+ if (do_transparent)
-+ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
-+ else
-+ sprintf(buf,"521 %s: %s",dest,ebuf);
-+ rfd = -1;
-+ return(say(0,buf));
-+ }
-+ if (!do_transparent) {
-+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-+ saveline(buf);
-+ }
-+
-+ /* we are now connected and need to try the autologin thing */
-+ x = getresp(rfd,buf,sizeof(buf),1);
-+ if(x / 100 != COMPLETE) {
-+ sendsaved(0,-1);
-+ return(say(0,buf));
-+ }
-+ saveline(buf);
-+
-+ sendsaved(0,-1);
-+ return 0;
-+ }
-+
-+ /* quick hack */
-+ sayfile2(fd,fn,code)
-+ int fd;
-+ char *fn;
-+ int code;
-+ {
-+ FILE *f;
-+ char buf[BUFSIZ];
-+ char yuf[BUFSIZ];
-+ char *c;
-+ int x;
-+ int saidsomething = 0;
-+
-+ if((f = fopen(fn,"r")) == (FILE *)0)
-+ return(1);
-+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
-+ if((c = index(buf,'\n')) != (char *)0)
-+ *c = '\0';
-+ x = fgetc(f);
-+ if(feof(f))
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ else {
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ ungetc(x,f);
-+ }
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ saidsomething++;
-+ }
-+ fclose(f);
-+ if (!saidsomething) {
-+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
-+ sprintf(yuf, "%3.3d The file to display is empty",code);
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ }
-+ return(0);
-+ }
-diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c
-*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998
---- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998
-***************
-*** 27,32 ****
---- 27,35 ----
- static char http_buffer[8192];
- static char reason[8192];
- static int checkBrowserType = 1;
-+ static int do_transparent = 0;
-+
-+ char * getdsthost();
-
- static void do_logging()
- { char *proto = "GOPHER";
-***************
-*** 473,478 ****
---- 476,490 ----
- /*(NOT A SPECIAL FORM)*/
-
- if((rem_type & TYPE_LOCAL)== 0){
-+ char * psychic = getdsthost(sockfd, &def_port);
-+ if (psychic) {
-+ if (strlen(psychic) <= MAXHOSTNAMELEN) {
-+ do_transparent ++;
-+ strncpy(def_httpd, psychic, strlen(psychic));
-+ strncpy(def_server, psychic, strlen(psychic));
-+ }
-+ }
-+
- /* See if it can be forwarded */
-
- if( can_forward(buf)){
-***************
-*** 1564,1570 ****
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-! }else{
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
- parse_vec[3], chk_type_ch,
---- 1576,1589 ----
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-! }
-! else
-! if (do_transparent) {
-! sprintf(new_reply, "%s\t%s\t%s\t%s",
-! parse_vec[0], parse_vec[1],
-! parse_vec[2],parse_vec[3]);
-! }
-! else {
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
- parse_vec[3], chk_type_ch,
-diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c
-*** ./lib/hnam.c Tue Dec 10 13:08:48 1996
---- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998
-***************
-*** 23,28 ****
---- 23,33 ----
-
- #include "firewall.h"
-
-+ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. Fix this for your system. */
-+ #include <net/if.h>
-+ #include "ip_nat.h"
-+ #endif /* __FreeBSD__ */
-+
-
- char *
- maphostname(name)
-***************
-*** 49,52 ****
---- 54,132 ----
- }
- bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
- return(inet_ntoa(sin.sin_addr));
-+ }
-+
-+ char *getdsthost(fd, ptr)
-+ int fd;
-+ int *ptr;
-+ {
-+ struct sockaddr_in sin;
-+ struct hostent * hp;
-+ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
-+ char buf[255], hostbuf[255];
-+ #ifdef __FreeBSD__
-+ struct sockaddr_in rsin;
-+ struct natlookup natlookup;
-+ #endif
-+
-+ #ifdef linux
-+ if (!(err = getsockname(0, &sin, &sl))) {
-+ if(ptr)
-+ * ptr = ntohs(sin.sin_port);
-+
-+ sprintf(buf, "%s", inet_ntoa(sin.sin_addr));
-+ gethostname(hostbuf, 254);
-+ hp = gethostbyname(hostbuf);
-+ while (hp->h_addr_list[i]) {
-+ bzero(&sin, &sl);
-+ memcpy(&sin.sin_addr, hp->h_addr_list[i++],
-+ sizeof(hp->h_addr_list[i++]));
-+
-+ if (!strcmp(buf, inet_ntoa(sin.sin_addr)))
-+ local_h++;
-+ }
-+
-+ if(local_h)
-+ return(NULL);
-+ else
-+ return(buf);
-+ }
-+ #endif
-+
-+ #ifdef __FreeBSD__
-+ /* The basis for this block of code is Darren Reed's
-+ * patches to the TIS ftwk's ftp-gw.
-+ */
-+ bzero((char*)&sin, sizeof(sin));
-+ bzero((char*)&rsin, sizeof(rsin));
-+
-+ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0)
-+ return NULL;
-+
-+ sl = sizeof(rsin);
-+
-+ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0)
-+ return NULL;
-+
-+ natlookup.nl_inport=sin.sin_port;
-+ natlookup.nl_outport=rsin.sin_port;
-+ natlookup.nl_inip=sin.sin_addr;
-+ natlookup.nl_outip=rsin.sin_addr;
-+
-+ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0)
-+ return NULL;
-+
-+ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1))
-+ return NULL;
-+
-+ close(natfd);
-+
-+ if (ptr)
-+ *ptr = ntohs(natlookup.nl_inport);
-+
-+ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip));
-+ #endif
-+
-+ /* No transparent proxy support */
-+ return(NULL);
- }
-diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c
-*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998
---- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998
-***************
-*** 43,48 ****
---- 43,50 ----
- static char **validdests = (char **)0;
- static int net_write();
-
-+ static int do_transparent = 0;
-+
- main(ac,av)
- int ac;
- char *av[];
-***************
-*** 198,206 ****
---- 200,220 ----
- char *ptr;
- int state = 0;
- int ssl_plug = 0;
-+ char * getdsthost();
-+ int pport = 0;
-
- struct timeval timo;
-
-+ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad
-+ * idea ..
-+ */
-+ dhost = getdsthost(0, &pport);
-+ if (dhost) {
-+ do_transparent++;
-+ portid = pport;
-+ }
-+
-+
- if(c->flags & PERM_DENY) {
- if (p == -1)
- syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr);
-***************
-*** 220,226 ****
- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
- exit (1);
- }
-! dhost = av[x];
- continue;
- }
-
---- 234,241 ----
- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
- exit (1);
- }
-! if (!dhost)
-! dhost = av[x];
- continue;
- }
-
-diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c
-*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998
---- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998
-***************
-*** 103,108 ****
---- 103,111 ----
- static int trusted = 0;
- static int doX = 0;
- static char *prompt;
-+ static int do_transparent = 0;
-+
-+ char * getdsthost();
-
- main(ac,av)
- int ac;
-***************
-*** 123,128 ****
---- 126,132 ----
- static char *tokav[56];
- int tokac;
- struct timeval timo;
-+ char * psychic;
-
- #ifndef LOG_NDELAY
- openlog("rlogin-gw",LOG_PID);
-***************
-*** 188,194 ****
- xforwarder = cf->argv[0];
- }
-
-!
-
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
---- 192,203 ----
- xforwarder = cf->argv[0];
- }
-
-! psychic = getdsthost(0, NULL);
-! if (psychic) {
-! do_transparent++;
-! strncpy(dest, psychic, 511);
-! dest[511] = '\0';
-! }
-
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
-***************
-*** 266,271 ****
---- 275,281 ----
- if((p = index(rusername,'@')) != (char *)0) {
- char *namp;
-
-+ dest[0] = '\0';
- *p++ = '\0';
- if(*p == '\0')
- p = "localhost";
-***************
-*** 297,302 ****
---- 307,326 ----
-
- if(dest[0] != '\0') {
- /* Setup connection directly to remote machine */
-+ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-+ if (cf->argc != 1) {
-+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-+ exit(1);
-+ }
-+
-+ if (sayfile(0, cf->argv[0])) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ }
-+
-+ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */
-+
- sprintf(buf,"connect %.1000s",dest);
- tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
- if (cmd_connect(tokac, tokav, buf) != 2)
-***************
-*** 535,548 ****
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
-! if(strlen(namp) > 20)
-! namp[20] = '\0';
-! if(rusername[0] != '\0')
-! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
-! else
-! sprintf(ebuf,"Trying %s...",namp);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
---- 559,574 ----
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
-! if (!do_transparent) {
-! if(strlen(namp) > 20)
-! namp[20] = '\0';
-! if(rusername[0] != '\0')
-! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
-! else
-! sprintf(ebuf,"Trying %s...",namp);
-! if(say(0,ebuf))
-! return(1);
-! }
- } else
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
-diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c
-*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998
---- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998
-***************
-*** 91,96 ****
---- 91,100 ----
- static int cmd_xforward();
- static int cmd_timeout();
-
-+ char * getdsthost();
-+
-+ static int do_transparent = 0;
-+
- static int tn3270 = 1; /* don't do tn3270 stuff */
- static int doX;
-
-***************
-*** 144,149 ****
---- 148,155 ----
- char tokbuf[BSIZ];
- char *tokav[56];
- int tokac;
-+ int port;
-+ char * psychic;
-
- #ifndef LOG_DAEMON
- openlog("tn-gw",LOG_PID);
-***************
-*** 325,330 ****
---- 331,362 ----
- }
- }
-
-+ psychic = getdsthost(0, &port);
-+ if (psychic) {
-+ if ((strlen(psychic) + 10) < 510) {
-+ do_transparent++;
-+ if (port)
-+ sprintf(dest, "%s:%d", psychic, port);
-+ else
-+ sprintf(dest, "%s", psychic);
-+
-+ if (!welcomedone)
-+ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) {
-+ if (cf->argc != 1) {
-+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-+ exit(1);
-+ }
-+
-+ if (sayfile(0, cf->argv[0])) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
-+ exit(1);
-+ }
-+
-+ welcomedone = 1;
-+ }
-+ }
-+ }
-+
- while (argc > 1) {
- argc--;
- argv++;
-***************
-*** 947,955 ****
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
-! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
-
---- 979,989 ----
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
-! if (!do_transparent) {
-! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
-! }
- } else
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
-
-***************
-*** 991,998 ****
-
- syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! sprintf(buf, "Connected to %.512s.", dest);
-! say(0, buf);
- return(2);
- }
-
---- 1025,1034 ----
-
- syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! if (!do_transparent) {
-! sprintf(buf, "Connected to %.512s.", dest);
-! say(0, buf);
-! }
- return(2);
- }
-
diff --git a/contrib/ipfilter/FWTK/tproxy.diff b/contrib/ipfilter/FWTK/tproxy.diff
deleted file mode 100644
index 234404b..0000000
--- a/contrib/ipfilter/FWTK/tproxy.diff
+++ /dev/null
@@ -1,82 +0,0 @@
-*** tproxy.c.orig Fri Dec 20 10:53:24 1996
---- tproxy.c Sun Jan 3 11:33:55 1999
-***************
-*** 135,140 ****
---- 135,144 ----
- #include <netinet/in.h>
- #include <sys/signal.h>
- #include <syslog.h>
-+ #include <unistd.h>
-+ #include <fcntl.h>
-+ #include <sys/ioctl.h>
-+ #include <net/if.h>
- #include "tproxy.h"
-
- #ifdef AIX
-***************
-*** 147,152 ****
---- 151,159 ----
- #define bzero(buf,size) memset(buf, '\0', size);
- #endif /* SYSV */
-
-+ #include "ip_compat.h"
-+ #include "ip_fil.h"
-+ #include "ip_nat.h"
-
-
- /* socket to audio server */
-***************
-*** 324,329 ****
---- 331,369 ----
- char localbuf[2048];
- void timeout();
- extern int errno;
-+ /*
-+ * IP-Filter block
-+ */
-+ struct sockaddr_in laddr, faddr;
-+ struct natlookup natlookup;
-+ int slen, natfd;
-+
-+ bzero((char *)&laddr, sizeof(laddr));
-+ bzero((char *)&faddr, sizeof(faddr));
-+ slen = sizeof(laddr);
-+ if (getsockname(0, (struct sockaddr *)&laddr, &slen) < 0)
-+ return -1;
-+ slen = sizeof(faddr);
-+ if (getpeername(0, (struct sockaddr *)&faddr, &slen) < 0)
-+ return -1;
-+ natlookup.nl_inport = laddr.sin_port;
-+ natlookup.nl_outport = faddr.sin_port;
-+ natlookup.nl_inip = laddr.sin_addr;
-+ natlookup.nl_outip = faddr.sin_addr;
-+ natlookup.nl_flags = IPN_TCP;
-+ if ((natfd = open(IPL_NAT, O_RDONLY)) < 0)
-+ return -1;
-+ if (ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
-+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
-+ close(natfd);
-+ return -1;
-+ }
-+ close(natfd);
-+ strcpy(hostname, inet_ntoa(natlookup.nl_realip));
-+ serverport = ntohs(natlookup.nl_realport);
-+ /*
-+ * End of IP-Filter block
-+ */
-
- /* setup a timeout in case dialog doesn't finish */
- signal(SIGALRM, timeout);
-***************
-*** 337,344 ****
---- 377,386 ----
- * and modify the call to (and subroutine) serverconnect() as
- * appropriate.
- */
-+ #if 0
- strcpy(hostname, "randomhostname");
- serverport = 7070;
-+ #endif
- /* Can we connect to the server */
- if ( (serverfd = serverconnect(hostname, serverport)) < 0 ) {
- /* errno may still be set from previous call */
diff --git a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
deleted file mode 100644
index 7d1b7a2..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
+++ /dev/null
@@ -1,24 +0,0 @@
-To build a kernel with the IP filter, follow these seven steps:
-
- 1. do "make freebsd4"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD-4.0/kinstall" as root
-
- 4. build a new kernel
-
- 5. install the new kernel
-
- 6. If not using DEVFS, create devices for IP Filter as follows:
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
-
- 7. reboot
-
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0
index 8a827cf..1495801 100755
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0
+++ b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
--- ip6_input.c Wed Apr 26 22:31:34 2000
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1
index a6a4612..2e1d7e8 100644
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1
+++ b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2
index a6a4612..2e1d7e8 100644
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2
+++ b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2
index 0e0ea06..d668c39 100644
--- a/contrib/ipfilter/INST.FreeBSD-2.2
+++ b/contrib/ipfilter/INST.FreeBSD-2.2
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
To build a kernel for use with the loadable kernel module, follow these
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index c415800..7b1d7d3 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -1,24 +1,28 @@
#
# Copyright (C) 1993-2001 by Darren Reed.
#
-# See the IPFILTER.LICENCE file for details on licencing.
+# Redistribution and use in source and binary forms are permitted
+# provided that this notice is preserved and due credit is given
+# to the original author and the contributors.
#
# $FreeBSD$
-# $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $
+# Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp
#
+SHELL=/bin/sh
BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/local/man
#To test prototyping
-CC=gcc -Wstrict-prototypes -Wmissing-prototypes
+#CC=gcc -Wstrict-prototypes -Wmissing-prototypes
+# -Wunused -Wuninitialized
#CC=gcc
#CC=cc -Dconst=
DEBUG=-g
-TOP=../..
-CFLAGS=-I$$(TOP)
+# -O
+CFLAGS=-I$$(TOP) -D_BSD_SOURCE
CPU=`uname -m`
CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`
-IPFILKERN=`/bin/ls -1tr /usr/src/sys/compile | grep -v .bak | tail -1`
+OBJ=.
#
# To enable this to work as a Loadable Kernel Module...
#
@@ -28,14 +32,53 @@ IPFLKM=-DIPFILTER_LKM
#
IPFLOG=-DIPFILTER_LOG
#
+# To enable loading filter rules compiled to C code...
+#
+#COMPIPF=-DIPFILTER_COMPILED
+#
+# To enable synchronisation between IPFilter hosts
+#
+#SYNC=-DIPFILTER_SYNC
+#
+# To enable extended IPFilter functionality
+#
+LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN
+#
# The facility you wish to log messages from ipmon to syslogd with.
#
LOGFAC=-DLOGFAC=LOG_SECURITY
+#
+# To enable rules to be written with BPF syntax, uncomment these two lines.
+#
+# WARNING: If you're building a commercial product based on IPFilter, using
+# this options *may* infringe at least one patent held by CheckPoint
+# (5,606,668.)
+#
+#IPFBPF=-DIPFILTER_BPF -I/usr/local/include
+#LIBBPF=-L/usr/local/lib -lpcap
+#
+# HP-UX and Solaris require this uncommented for BPF.
+#
+#BPFILTER=bpf_filter.o
+#
+# LINUXKERNEL is the path to the top of your Linux kernel source tree.
+# By default IPFilter looks for /usr/src/linux, but you may have to change
+# it to /usr/src/linux-2.4 or similar.
+#
+LINUXKERNEL=/usr/src/linux
+LINUX=`uname -r | awk -F. ' { printf"%d",$$1;for(i=1;i<NF&&i<3;i++){printf("%02d",$$(i+1));}}'`
+
+#
+# All of the compile-time options are here, used for compiling the userland
+# tools for regression testing. Well, all except for IPFILTER_LKM, of course.
+#
+ALLOPTS=-DIPFILTER_LOG -DIPFILTER_LOOKUP \
+ -DIPFILTER_SCAN -DIPFILTER_SYNC -DIPFILTER_CKSUM
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
# (requires that you have installed ncurses).
-STATETOP_CFLAGS=-DSTATETOP
+#STATETOP_CFLAGS=-DSTATETOP
#
# Where to find the ncurses include files (if not in default path),
#
@@ -44,7 +87,7 @@ STATETOP_CFLAGS=-DSTATETOP
#
# How to link the ncurses library
#
-STATETOP_LIB=-lcurses
+#STATETOP_LIB=-lncurses
#STATETOP_LIB=-L/usr/local/lib -lncurses
#
@@ -60,14 +103,16 @@ STATETOP_LIB=-lcurses
#
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
#
-MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6) $(IPFLOG)' \
+MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(SGIREV) $(INET6)' \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
- "CPUDIR=$(CPUDIR)" 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' \
+ "LIBBPF=$(LIBBPF)" "CPUDIR=$(CPUDIR)" "IPFBPF=$(IPFBPF)" \
+ 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' "BPFILTER=$(BPFILTER)" \
'STATETOP_INC=$(STATETOP_INC)' 'STATETOP_LIB=$(STATETOP_LIB)' \
- "BITS=$(BITS)" "OBJ=$(OBJ)"
-DEST="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)"
+ "BITS=$(BITS)" "OBJ=$(OBJ)" "LOOKUP=$(LOOKUP)" "COMPIPF=$(COMPIPF)" \
+ 'SYNC=$(SYNC)' 'ALLOPTS=$(ALLOPTS)' 'LIBBPF=$(LIBBPF)'
MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)"
+MACHASSERT=`/bin/ls -1 /usr/sys/*/mach_assert.h | head -1`
#
SHELL=/bin/sh
#
@@ -89,227 +134,248 @@ all:
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
@echo "freebsd3 - compile for FreeBSD-3.x"
@echo "freebsd4 - compile for FreeBSD-4.x"
+ @echo "freebsd5 - compile for FreeBSD-5.x"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
+ @echo "hpux - compile for HP-UX 11.00"
+ @echo "osf - compile for OSF/Tru64 5.1"
@echo ""
tests:
@if [ -d test ]; then (cd test; make) \
else echo test directory not present, sorry; fi
+retest:
+ @if [ -d test ]; then (cd test; make clean && make) \
+ else echo test directory not present, sorry; fi
+
include:
if [ ! -f netinet/done ] ; then \
- (cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .; ); \
+ (cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
touch netinet/done; \
fi
+ -(cd netinet; ln -s ../ip_rules.h ip_rules.h)
+ if [ ! -f net/done ] ; then \
+ (cd net; ln -s ../radix_ipf.h .; ); \
+ touch net/done; \
+ fi
sunos solaris: include
- CC="$(CC)" ./buildsunos
+ MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
+ CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
- @if [ -n $(IPFILKERN) ] ; then \
+ -if [ x$(IPFILKERN) != x ] ; then \
if [ -f /sys/compile/$(IPFILKERN)/ioconf.h ] ; then \
- ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
+ ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$$y; \
else \
- ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
+ ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$$y; \
fi \
- elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
- echo -n "Can't find ioconf.h in "; \
- echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
- exit 1;\
else \
- ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
+ x=`uname -v|sed -e 's@^.*:\(/[^: ]*\).*$$@\1/ioconf.h@'`; \
+ y=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`; \
+ if [ ! -f $$x ] ; then \
+ echo -n "Can't find ioconf.h at $$x "; \
+ exit 1;\
+ else \
+ ln -s $$x BSD/$$y ; \
+ fi \
fi
make freebsd20
-freebsd4: include
- if [ x$INET6 = x ] ; then \
+freebsd5: include
+ if [ x$(INET6) = x ] ; then \
+ echo "#undef INET6" > opt_inet6.h; \
+ else \
+ echo "#define INET6" > opt_inet6.h; \
+ fi
+ if [ x$(ENABLE_PFIL) = x ] ; then \
+ echo "#undef PFIL_HOOKS" > opt_pfil.h; \
+ else \
+ echo "#define PFIL_HOOKS" > opt_pfil.h; \
+ fi
+
+ make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
+
+freebsd4 : include
+ if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
echo "#define INET6" > opt_inet6.h; \
fi
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "DLKM=-DKLD_MODULE -I/sys"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "LKMR=ipfrule.ko" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
freebsd3 freebsd30: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" LKM= ; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" "MLR=mlf_rule.o" LKM= LKMR=; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
netbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
-openbsd openbsd21: include
+openbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mlo_ipl.c" LKMR= "MLR=mlo_rule.o"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
freebsd20 freebsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c" "MLR=mlf_rule.o"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
+
+osf tru64: null include
+ make setup "TARGOS=OSF" "CPUDIR=`OSF/cpurev`"
+ (cd OSF/`OSF/cpurev`; make build TRU64=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "MACHASSERT=$(MACHASSERT)" "OSREV=`../cpurev`"; cd ..)
+ (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend build TRU64=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..)
bsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS); cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
bsdi bsdos: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= ; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= LKMR= ; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend build "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
irix IRIX: include
- make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
- -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) SGI=`../getrev` $(MFLAGS); else smake build SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi;)
- -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend SGI=`../getrev` TOP=../.. $(DEST) $(MFLAGS); fi)
-
-linux: include
- make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
- ./buildlinux
-
-linuxrev:
- (cd Linux/$(CPUDIR); make build TOP=../.. $(DEST) $(MFLAGS) LKM= ; cd ..)
- (cd Linux/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); cd ..)
+ make setup TARGOS=IRIX CPUDIR=`IRIX/cpurev`
+ if [ "x${SGIREV}" = "x" ] ; then \
+ make irix "SGIREV=-D_KMEMUSER -DIRIX=`IRIX/getrev`"; \
+ else \
+ (cd IRIX/`IRIX/cpurev`; smake -l -J 1 build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \
+ (cd IRIX/`IRIX/cpurev`; make -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \
+ fi
setup:
-if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi
-rm -f $(TARGOS)/$(CPUDIR)/Makefile $(TARGOS)/$(CPUDIR)/Makefile.ipsend
-ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile
- -if [ ! -f $(TARGOS)/$(CPUDIR)/Makefile.std -a \
- -f $(TARGOS)/Makefile.std ] ; then \
- ln -s ../Makefile.std $(TARGOS)/$(CPUDIR)/Makefile.std; \
- fi
- -if [ ! -f $(TARGOS)/$(CPUDIR)/Makefile.ipsend.std -a \
- -f $(TARGOS)/Makefile.ipsend.std ] ; then \
- ln -s ../Makefile.ipsend.std $(TARGOS)/$(CPUDIR)/Makefile.ipsend.std; \
- fi
-ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend
+ -if [ -f $(TARGOS)/Makefile.common ] ; then \
+ rm -f $(TARGOS)/$(CPUDIR)/Makefile.common; \
+ ln -s ../Makefile.common $(TARGOS)/$(CPUDIR)/Makefile.common;\
+ fi
clean: clean-include
+ /bin/rm -rf h y.output
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
vnode_if.h $(LKM) *~
- ${RM} -rf sparcv7 sparcv9
- (cd SunOS4; make clean)
- (cd SunOS5; make clean)
- (cd BSD; make clean)
- (cd Linux; make clean)
- if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; make clean); fi
- [ -d test ] && (cd test; make clean)
- (cd ipsend; make clean)
+ /bin/rm -rf sparcv7 sparcv9 mdbgen_build
+ (cd SunOS4; $(MAKE) TOP=.. clean)
+ -(cd SunOS5; $(MAKE) TOP=.. clean)
+ (cd BSD; $(MAKE) TOP=.. clean)
+ (cd HPUX; $(MAKE) BITS=32 TOP=.. clean)
+ (cd Linux; $(MAKE) TOP=.. clean)
+ (cd OSF; $(MAKE) TOP=.. clean)
+ if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; $(MAKE) clean); fi
+ [ -d test ] && (cd test; $(MAKE) clean)
+ (cd ipsend; $(MAKE) clean)
clean-include:
- sh -c 'cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done'
- ${RM} -f netinet/done
+ sh -c 'if [ -d netinet ] ; then cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi'
+ sh -c 'if [ -d net ] ; then cd net; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi'
+ ${RM} -f netinet/done net/done
clean-bsd: clean-include
- (cd BSD; make clean)
+ (cd BSD; make TOP=.. clean)
+
+clean-hpux: clean-include
+ (cd HPUX; $(MAKE) BITS=32 clean)
+
+clean-osf: clean-include
+ (cd OSF; make clean)
+
+clean-linux: clean-include
+ (cd Linux; make clean)
clean-sunos4: clean-include
(cd SunOS4; make clean)
clean-sunos5: clean-include
- (cd SunOS5; make clean)
+ (cd SunOS5; $(MAKE) clean)
+ /bin/rm -rf sparcv?
clean-irix: clean-include
- (cd IRIX; make clean)
+ (cd IRIX; $(MAKE) clean)
-clean-linux: clean-include
- (cd Linux; make clean)
+h/xti.h:
+ mkdir -p h
+ ln -s /usr/include/sys/xti.h h
-get:
- -@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
- ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
- mls_ipl.c ip_compat.h ipl.h opt.c ip_fil.c ipl_ldev.c \
- parse.c ip_fil.h ipmon.c pcap.h ip_sfil.c ipt.c snoop.h \
- ip_state.c ip_state.h ip_nat.c ip_nat.h ip_frag.c \
- ip_frag.h ip_sfil.c misc.c; do \
- if [ ! -f $$i ] ; then \
- echo "getting $$i"; \
- sccs get $$i; \
- fi \
- done
+hpux: include h/xti.h
+ make setup CPUDIR=`HPUX/cpurev` TARGOS=HPUX
+ (cd HPUX/`HPUX/cpurev`; $(MAKE) build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..)
+ (cd HPUX/`HPUX/cpurev`; $(MAKE) -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..)
-sunos4 solaris1: null
+sunos4 solaris1:
(cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
- (cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
+ (cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
- (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
- (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
+ (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
+ (cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
sunos5x86 solaris2x86: null
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
- (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
+ (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
+
+linux: include
+ (cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
+ (cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..)
+# (cd Linux; make -f Makefile.ipsend build LINUX=$(LINUX) TOP=.. "CC=$(CC)" $(MFLAGS); cd ..)
-install-linux:
- (cd Linux/$(CPUDIR); make install "TOP=../.." $(DEST) $(MFLAGS); cd ..)
- (cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(DEST) $(MFLAGS); cd ..)
+install-linux: linux
+ (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) install ; cd ..)
install-bsd:
(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-sunos4: solaris
- (cd SunOS4; $(MAKE) "CPU=$(CPU)" "TOP=.." install)
+ (cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
-install-sunos5: solaris
- (cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
+install-sunos5: solaris null
+ (cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install)
+
+install-hpux: hpux
+ (cd HPUX/`HPUX/cpurev`; $(MAKE) CPU=$(CPU) TOP=../.. "BITS=`getconf KERNEL_BITS`" install)
install-irix: irix
- (cd IRIX; smake install "CPU=$(CPU) TOP=.." $(DEST) $(MFLAGS))
-
-rcsget:
- -@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
- ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
- mls_ipl.c ip_compat.h ipl.h opt.c ip_fil.c ipl_ldev.c \
- parse.c ip_fil.h ipmon.c pcap.h ip_sfil.c ipt.c snoop.h \
- ip_state.c ip_state.h ip_nat.c ip_nat.h ip_frag.c \
- ip_frag.h ip_sfil.c misc.c; do \
- if [ ! -f $$i ] ; then \
- echo "getting $$i"; \
- co $$i; \
- fi \
- done
+ (cd IRIX; smake install CPU=$(CPU) TOP=.. $(DEST) $(MFLAGS) CPUDIR=`./cpurev`)
+
+install-osf install-tru64:
+ (cd OSF/`OSF/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
+ (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
do-cvs:
find . -type d -name CVS -print | xargs /bin/rm -rf
find . -type f -name .cvsignore -print | xargs /bin/rm -f
+ /bin/rm -f ip_msnrpc_pxy.c ip_sunrpc_pxy.c
+
+ip_rules.c ip_rules.h: rules/ip_rules tools/ipfcomp.c
+ -./ipf -n -cc -f rules/ip_rules 2>/dev/null 1>&2
null:
- -@if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \
+ @if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \
echo 'Do not use GNU make (gmake) to compile IPFilter'; \
exit 1; \
fi
-@echo make ok
-test-solaris test-sunos4 test-sunos5: solaris
- (cd test && make clean && make)
-
-test-freebsd: freebsd
- (cd test && make clean && make)
-
-test-freebsd22: freebsd22
- (cd test && make clean && make)
-
-test-freebsd3: freebsd3
- (cd test && make clean && make)
-
-test-freebsd4: freebsd4
- (cd test && make clean && make)
-
-test-netbsd: netbsd
- (cd test && make clean && make)
-
-test-openbsd: openbsd
- (cd test && make clean && make)
-
-test-irix: irix
- (cd test && make clean && make)
+mdb:
+ /bin/rm -rf mdbgen_build
+ mdbgen -D_KERNEL -DIPFILTER_LOG -DIPFILTER_LOOKUP -DSUNDDI \
+ -DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \
+ -I/home/dr146992/pfil -I/home/dr146992/ipf -f \
+ /usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h
diff --git a/contrib/ipfilter/UPGRADE_NOTICE b/contrib/ipfilter/UPGRADE_NOTICE
deleted file mode 100644
index 8b44760..0000000
--- a/contrib/ipfilter/UPGRADE_NOTICE
+++ /dev/null
@@ -1,10 +0,0 @@
-
-NOTE: To all those upgrading from versions prior to 3.2.11 who used NAT
- AND setup ACL's to allow untranslated address through from outside,
-
- THIS HAS BEEN FIXED
-
- so your ACL's will now be `broken'. Please correct your ACL's to
- match the the untranslated addresses (the way it was meant to work).
-
-Darren
diff --git a/contrib/ipfilter/bpf-ipf.h b/contrib/ipfilter/bpf-ipf.h
index c303152..dc2b660 100644
--- a/contrib/ipfilter/bpf-ipf.h
+++ b/contrib/ipfilter/bpf-ipf.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
diff --git a/contrib/ipfilter/bpf.h b/contrib/ipfilter/bpf.h
deleted file mode 100644
index 715c79a..0000000
--- a/contrib/ipfilter/bpf.h
+++ /dev/null
@@ -1,450 +0,0 @@
-/*-
- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from the Stanford/CMU enet packet filter,
- * (net/enet.c) distributed as part of 4.3BSD, and code contributed
- * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
- * Berkeley Laboratory.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)bpf.h 7.1 (Berkeley) 5/7/91
- *
- * @(#) $Header: /devel/CVS/IP-Filter/Attic/bpf.h,v 1.1.2.1 2002/11/07 13:18:35 darrenr Exp $ (LBL)
- */
-
-#ifndef BPF_MAJOR_VERSION
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* BSD style release date */
-#define BPF_RELEASE 199606
-
-typedef int bpf_int32;
-typedef u_int bpf_u_int32;
-
-/*
- * Alignment macros. BPF_WORDALIGN rounds up to the next
- * even multiple of BPF_ALIGNMENT.
- */
-#ifndef __NetBSD__
-#define BPF_ALIGNMENT sizeof(bpf_int32)
-#else
-#define BPF_ALIGNMENT sizeof(long)
-#endif
-#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
-
-#define BPF_MAXINSNS 512
-#define BPF_MAXBUFSIZE 0x8000
-#define BPF_MINBUFSIZE 32
-
-/*
- * Structure for BIOCSETF.
- */
-struct bpf_program {
- u_int bf_len;
- struct bpf_insn *bf_insns;
-};
-
-/*
- * Struct returned by BIOCGSTATS.
- */
-struct bpf_stat {
- u_int bs_recv; /* number of packets received */
- u_int bs_drop; /* number of packets dropped */
-};
-
-/*
- * Struct return by BIOCVERSION. This represents the version number of
- * the filter language described by the instruction encodings below.
- * bpf understands a program iff kernel_major == filter_major &&
- * kernel_minor >= filter_minor, that is, if the value returned by the
- * running kernel has the same major number and a minor number equal
- * equal to or less than the filter being downloaded. Otherwise, the
- * results are undefined, meaning an error may be returned or packets
- * may be accepted haphazardly.
- * It has nothing to do with the source code version.
- */
-struct bpf_version {
- u_short bv_major;
- u_short bv_minor;
-};
-/* Current version number of filter architecture. */
-#define BPF_MAJOR_VERSION 1
-#define BPF_MINOR_VERSION 1
-
-/*
- * BPF ioctls
- *
- * The first set is for compatibility with Sun's pcc style
- * header files. If your using gcc, we assume that you
- * have run fixincludes so the latter set should work.
- */
-#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
-#define BIOCGBLEN _IOR(B,102, u_int)
-#define BIOCSBLEN _IOWR(B,102, u_int)
-#define BIOCSETF _IOW(B,103, struct bpf_program)
-#define BIOCFLUSH _IO(B,104)
-#define BIOCPROMISC _IO(B,105)
-#define BIOCGDLT _IOR(B,106, u_int)
-#define BIOCGETIF _IOR(B,107, struct ifreq)
-#define BIOCSETIF _IOW(B,108, struct ifreq)
-#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
-#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
-#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
-#define BIOCIMMEDIATE _IOW(B,112, u_int)
-#define BIOCVERSION _IOR(B,113, struct bpf_version)
-#define BIOCSTCPF _IOW(B,114, struct bpf_program)
-#define BIOCSUDPF _IOW(B,115, struct bpf_program)
-#else
-#define BIOCGBLEN _IOR('B',102, u_int)
-#define BIOCSBLEN _IOWR('B',102, u_int)
-#define BIOCSETF _IOW('B',103, struct bpf_program)
-#define BIOCFLUSH _IO('B',104)
-#define BIOCPROMISC _IO('B',105)
-#define BIOCGDLT _IOR('B',106, u_int)
-#define BIOCGETIF _IOR('B',107, struct ifreq)
-#define BIOCSETIF _IOW('B',108, struct ifreq)
-#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
-#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
-#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
-#define BIOCIMMEDIATE _IOW('B',112, u_int)
-#define BIOCVERSION _IOR('B',113, struct bpf_version)
-#define BIOCSTCPF _IOW('B',114, struct bpf_program)
-#define BIOCSUDPF _IOW('B',115, struct bpf_program)
-#endif
-
-/*
- * Structure prepended to each packet.
- */
-struct bpf_hdr {
- struct timeval bh_tstamp; /* time stamp */
- bpf_u_int32 bh_caplen; /* length of captured portion */
- bpf_u_int32 bh_datalen; /* original length of packet */
- u_short bh_hdrlen; /* length of bpf header (this struct
- plus alignment padding) */
-};
-/*
- * Because the structure above is not a multiple of 4 bytes, some compilers
- * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
- * Only the kernel needs to know about it; applications use bh_hdrlen.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-#define SIZEOF_BPF_HDR 18
-#endif
-
-/*
- * Data-link level type codes.
- */
-
-/*
- * These are the types that are the same on all platforms; on other
- * platforms, a <net/bpf.h> should be supplied that defines the additional
- * DLT_* codes appropriately for that platform (the BSDs, for example,
- * should not just pick up this version of "bpf.h"; they should also define
- * the additional DLT_* codes used by their kernels, as well as the values
- * defined here - and, if the values they use for particular DLT_ types
- * differ from those here, they should use their values, not the ones
- * here).
- */
-#define DLT_NULL 0 /* no link-layer encapsulation */
-#define DLT_EN10MB 1 /* Ethernet (10Mb) */
-#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
-#define DLT_AX25 3 /* Amateur Radio AX.25 */
-#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
-#define DLT_CHAOS 5 /* Chaos */
-#define DLT_IEEE802 6 /* IEEE 802 Networks */
-#define DLT_ARCNET 7 /* ARCNET */
-#define DLT_SLIP 8 /* Serial Line IP */
-#define DLT_PPP 9 /* Point-to-point Protocol */
-#define DLT_FDDI 10 /* FDDI */
-
-/*
- * These are values from the traditional libpcap "bpf.h".
- * Ports of this to particular platforms should replace these definitions
- * with the ones appropriate to that platform, if the values are
- * different on that platform.
- */
-#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
-#define DLT_RAW 12 /* raw IP */
-
-/*
- * These are values from BSD/OS's "bpf.h".
- * These are not the same as the values from the traditional libpcap
- * "bpf.h"; however, these values shouldn't be generated by any
- * OS other than BSD/OS, so the correct values to use here are the
- * BSD/OS values.
- *
- * Platforms that have already assigned these values to other
- * DLT_ codes, however, should give these codes the values
- * from that platform, so that programs that use these codes will
- * continue to compile - even though they won't correctly read
- * files of these types.
- */
-#ifdef __NetBSD__
-#ifndef DLT_SLIP_BSDOS
-#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
-#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
-#endif
-#else
-#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
-#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
-#endif
-
-#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
-
-/*
- * These values are defined by NetBSD; other platforms should refrain from
- * using them for other purposes, so that NetBSD savefiles with link
- * types of 50 or 51 can be read as this type on all platforms.
- */
-#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
-#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
-
-/*
- * Values between 100 and 103 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that differ
- * between platforms; don't use those values for new DLT_ new types.
- */
-
-/*
- * This value was defined by libpcap 0.5; platforms that have defined
- * it with a different value should define it here with that value -
- * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
- * whatever value that happens to be, so programs will correctly
- * handle files with that link type regardless of the value of
- * DLT_C_HDLC.
- *
- * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
- * compatibility with programs written for BSD/OS.
- *
- * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
- * for source compatibility with programs written for libpcap 0.5.
- */
-#define DLT_C_HDLC 104 /* Cisco HDLC */
-#define DLT_CHDLC DLT_C_HDLC
-
-#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
-
-/*
- * Values between 106 and 107 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that might differ
- * between platforms; don't use those values for new DLT_ new types.
- */
-
-/*
- * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
- * that the AF_ type in the link-layer header is in network byte order.
- *
- * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
- * define it as 108 here. If OpenBSD picks up this file, it should
- * define DLT_LOOP as 12 in its version, as per the comment above -
- * and should not use 108 as a DLT_ value.
- */
-#define DLT_LOOP 108
-
-/*
- * Values between 109 and 112 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that might differ
- * between platforms; don't use those values for new DLT_ types
- * other than the corresponding DLT_ types.
- */
-
-/*
- * This is for Linux cooked sockets.
- */
-#define DLT_LINUX_SLL 113
-
-/*
- * Apple LocalTalk hardware.
- */
-#define DLT_LTALK 114
-
-/*
- * Acorn Econet.
- */
-#define DLT_ECONET 115
-
-/*
- * Reserved for use with OpenBSD ipfilter.
- */
-#define DLT_IPFILTER 116
-
-/*
- * Reserved for use in capture-file headers as a link-layer type
- * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
- * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
- * in capture-file headers.
- */
-#define DLT_PFLOG 117
-
-/*
- * Registered for Cisco-internal use.
- */
-#define DLT_CISCO_IOS 118
-
-/*
- * Reserved for 802.11 cards using the Prism II chips, with a link-layer
- * header including Prism monitor mode information plus an 802.11
- * header.
- */
-#define DLT_PRISM_HEADER 119
-
-/*
- * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
- * (see Doug Ambrisko's FreeBSD patches).
- */
-#define DLT_AIRONET_HEADER 120
-
-/*
- * Reserved for Siemens HiPath HDLC.
- */
-#define DLT_HHDLC 121
-
-/*
- * Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from
- * Don Lee <donlee@cray.com>.
- *
- * This is not for use with raw Fibre Channel, where the link-layer
- * header starts with a Fibre Channel frame header; it's for IP-over-FC,
- * where the link-layer header starts with an RFC 2625 Network_Header
- * field.
- */
-#define DLT_IP_OVER_FC 122
-
-/*
- * The instruction encodings.
- */
-/* instruction classes */
-#define BPF_CLASS(code) ((code) & 0x07)
-#define BPF_LD 0x00
-#define BPF_LDX 0x01
-#define BPF_ST 0x02
-#define BPF_STX 0x03
-#define BPF_ALU 0x04
-#define BPF_JMP 0x05
-#define BPF_RET 0x06
-#define BPF_MISC 0x07
-
-/* ld/ldx fields */
-#define BPF_SIZE(code) ((code) & 0x18)
-#define BPF_W 0x00
-#define BPF_H 0x08
-#define BPF_B 0x10
-#define BPF_MODE(code) ((code) & 0xe0)
-#define BPF_IMM 0x00
-#define BPF_ABS 0x20
-#define BPF_IND 0x40
-#define BPF_MEM 0x60
-#define BPF_LEN 0x80
-#define BPF_MSH 0xa0
-
-/* alu/jmp fields */
-#define BPF_OP(code) ((code) & 0xf0)
-#define BPF_ADD 0x00
-#define BPF_SUB 0x10
-#define BPF_MUL 0x20
-#define BPF_DIV 0x30
-#define BPF_OR 0x40
-#define BPF_AND 0x50
-#define BPF_LSH 0x60
-#define BPF_RSH 0x70
-#define BPF_NEG 0x80
-#define BPF_JA 0x00
-#define BPF_JEQ 0x10
-#define BPF_JGT 0x20
-#define BPF_JGE 0x30
-#define BPF_JSET 0x40
-#define BPF_SRC(code) ((code) & 0x08)
-#define BPF_K 0x00
-#define BPF_X 0x08
-
-/* ret - BPF_K and BPF_X also apply */
-#define BPF_RVAL(code) ((code) & 0x18)
-#define BPF_A 0x10
-
-/* misc */
-#define BPF_MISCOP(code) ((code) & 0xf8)
-#define BPF_TAX 0x00
-#define BPF_TXA 0x80
-
-/*
- * The instruction data structure.
- */
-struct bpf_insn {
- u_short code;
- u_char jt;
- u_char jf;
- bpf_int32 k;
-};
-
-/*
- * Macros for insn array initializers.
- */
-#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
-#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
-
-#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL))
-/*
- * Systems based on non-BSD kernels don't have ifnet's (or they don't mean
- * anything if it is in <net/if.h>) and won't work like this.
- */
-# if __STDC__
-extern void bpf_tap(struct ifnet *, u_char *, u_int);
-extern void bpf_mtap(struct ifnet *, struct mbuf *);
-extern void bpfattach(struct ifnet *, u_int, u_int);
-extern void bpfilterattach(int);
-# else
-extern void bpf_tap();
-extern void bpf_mtap();
-extern void bpfattach();
-extern void bpfilterattach();
-# endif /* __STDC__ */
-#endif /* BSD && (_KERNEL || KERNEL) */
-#if __STDC__ || defined(__cplusplus)
-extern int bpf_validate(struct bpf_insn *, int);
-extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
-#else
-extern int bpf_validate();
-extern u_int bpf_filter();
-#endif
-
-/*
- * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
- */
-#define BPF_MEMWORDS 16
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/contrib/ipfilter/bpf_filter.c b/contrib/ipfilter/bpf_filter.c
index 9876ff3..4c4c341 100644
--- a/contrib/ipfilter/bpf_filter.c
+++ b/contrib/ipfilter/bpf_filter.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c
deleted file mode 100644
index fa21fc9..0000000
--- a/contrib/ipfilter/common.c
+++ /dev/null
@@ -1,610 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-extern int use_inet6;
-
-
-char *proto = NULL;
-char flagset[] = "FSRPAUEC";
-u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
- TH_ECN, TH_CWR };
-
-void fill6bits __P((int, u_32_t *));
-int count6bits __P((u_32_t *));
-
-static char thishost[MAXHOSTNAMELEN];
-
-
-void initparse()
-{
- gethostname(thishost, sizeof(thishost));
- thishost[sizeof(thishost) - 1] = '\0';
-}
-
-
-int genmask(msk, mskp)
-char *msk;
-u_32_t *mskp;
-{
- char *endptr = NULL;
-#ifdef USE_INET6
- u_32_t addr;
-#endif
- int bits;
-
- if (index(msk, '.') || index(msk, 'x') || index(msk, ':')) {
- /* possibly of the form xxx.xxx.xxx.xxx
- * or 0xYYYYYYYY */
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, msk, &addr) != 1)
- return -1;
- } else
-#endif
- if (inet_aton(msk, (struct in_addr *)mskp) == 0)
- return -1;
- } else {
- /*
- * set x most significant bits
- */
- bits = (int)strtol(msk, &endptr, 0);
- if ((*endptr != '\0') ||
- ((bits > 32) && !use_inet6) || (bits < 0) ||
- ((bits > 128) && use_inet6))
- return -1;
- if (use_inet6)
- fill6bits(bits, mskp);
- else {
- if (bits == 0)
- *mskp = 0;
- else
- *mskp = htonl(0xffffffff << (32 - bits));
- }
- }
- return 0;
-}
-
-
-
-void fill6bits(bits, msk)
-int bits;
-u_32_t *msk;
-{
- int i;
-
- for (i = 0; bits >= 32 && i < 4 ; ++i, bits -= 32)
- msk[i] = 0xffffffff;
-
- if (bits > 0 && i < 4)
- msk[i++] = htonl(0xffffffff << (32 - bits));
-
- while (i < 4)
- msk[i++] = 0;
-}
-
-
-/*
- * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
- * found in the line segments, there is an error processing this information,
- * or there is an error processing ports information.
- */
-int hostmask(seg, sa, msk, pp, cp, tp, linenum)
-char ***seg;
-u_32_t *sa, *msk;
-u_short *pp, *tp;
-int *cp;
-int linenum;
-{
- struct in_addr maskaddr;
- char *s;
-
- /*
- * is it possibly hostname/num ?
- */
- if ((s = index(**seg, '/')) ||
- ((s = index(**seg, ':')) && !index(s + 1, ':'))) {
- *s++ = '\0';
- if (genmask(s, msk) == -1) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, s);
- return -1;
- }
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- *sa &= *msk;
- (*seg)++;
- return ports(seg, pp, cp, tp, linenum);
- }
-
- /*
- * look for extra segments if "mask" found in right spot
- */
- if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- (*seg)++;
- if (inet_aton(**seg, &maskaddr) == 0) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
- return -1;
- }
- *msk = maskaddr.s_addr;
- (*seg)++;
- *sa &= *msk;
- return ports(seg, pp, cp, tp, linenum);
- }
-
- if (**seg) {
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- if (use_inet6) {
- u_32_t k = 0;
- if (sa[0] || sa[1] || sa[2] || sa[3])
- k = 0xffffffff;
- msk[0] = msk[1] = msk[2] = msk[3] = k;
- }
- else
- *msk = *sa ? 0xffffffff : 0;
- return ports(seg, pp, cp, tp, linenum);
- }
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
-}
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-int hostnum(ipa, host, linenum)
-u_32_t *ipa;
-char *host;
-int linenum;
-{
- struct hostent *hp;
- struct netent *np;
- struct in_addr ip;
-
- if (!strcasecmp("any", host))
- return 0;
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, host, ipa) == 1)
- return 0;
- else
- return -1;
- }
-#endif
- if (isdigit(*host) && inet_aton(host, &ip)) {
- *ipa = ip.s_addr;
- return 0;
- }
-
- if (!strcasecmp("<thishost>", host))
- host = thishost;
-
- if (!(hp = gethostbyname(host))) {
- if (!(np = getnetbyname(host))) {
- fprintf(stderr, "%d: can't resolve hostname: %s\n",
- linenum, host);
- return -1;
- }
- *ipa = htonl(np->n_net);
- return 0;
- }
- *ipa = *(u_32_t *)hp->h_addr;
- return 0;
-}
-
-
-/*
- * check for possible presence of the port fields in the line
- */
-int ports(seg, pp, cp, tp, linenum)
-char ***seg;
-u_short *pp, *tp;
-int *cp;
-int linenum;
-{
- int comp = -1;
-
- if (!*seg || !**seg || !***seg)
- return 0;
- if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
- (*seg)++;
- if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
- comp = FR_EQUAL;
- else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
- comp = FR_NEQUAL;
- else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
- comp = FR_LESST;
- else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
- comp = FR_GREATERT;
- else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
- comp = FR_LESSTE;
- else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
- comp = FR_GREATERTE;
- else if (isalnum(***seg) && *(*seg + 2)) {
- if (portnum(**seg, pp, linenum) == 0)
- return -1;
- (*seg)++;
- if (!strcmp(**seg, "<>"))
- comp = FR_OUTRANGE;
- else if (!strcmp(**seg, "><"))
- comp = FR_INRANGE;
- else {
- fprintf(stderr,
- "%d: unknown range operator (%s)\n",
- linenum, **seg);
- return -1;
- }
- (*seg)++;
- if (**seg == NULL) {
- fprintf(stderr, "%d: missing 2nd port value\n",
- linenum);
- return -1;
- }
- if (portnum(**seg, tp, linenum) == 0)
- return -1;
- } else {
- fprintf(stderr, "%d: unknown comparator (%s)\n",
- linenum, **seg);
- return -1;
- }
- if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
- (*seg)++;
- if (portnum(**seg, pp, linenum) == 0)
- return -1;
- }
- *cp = comp;
- (*seg)++;
- }
- return 0;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi(). Return 1 on success, 0 on failure
- */
-int portnum(name, port, linenum)
-char *name;
-u_short *port;
-int linenum;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
- int i;
-
- if (isdigit(*name)) {
- if (ratoi(name, &i, 0, USHRT_MAX)) {
- *port = (u_short)i;
- return 1;
- }
- fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
- return 0;
- }
- if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
- sp = getservbyname(name, proto);
- if (sp) {
- *port = ntohs(sp->s_port);
- return 1;
- }
- fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
- linenum, name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- fprintf(stderr, "%d: %s %d/tcp is a different port to ",
- linenum, name, p1);
- fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
- return 0;
- }
- *port = ntohs(p1);
- return 1;
-}
-
-
-u_char tcp_flags(flgs, mask, linenum)
-char *flgs;
-u_char *mask;
-int linenum;
-{
- u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
- char *s, *t;
-
- if (*flgs == '0') {
- s = strchr(flgs, '/');
- if (s)
- *s++ = '\0';
- tcpf = strtol(flgs, NULL, 0);
- fp = &tcpfm;
- } else
- s = flgs;
-
- for (; *s; s++) {
- if (*s == '/' && fp == &tcpf) {
- fp = &tcpfm;
- if (*(s + 1) == '0')
- break;
- continue;
- }
- if (!(t = index(flagset, *s))) {
- fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
- return 0;
- }
- *fp |= flags[t - flagset];
- }
-
- if (s && *s == '0')
- tcpfm = strtol(s, NULL, 0);
-
- if (!tcpfm) {
- if (tcpf == TH_SYN)
- tcpfm = 0xff & ~(TH_ECN|TH_CWR);
- else
- tcpfm = 0xff & ~(TH_ECN);
- }
- *mask = tcpfm;
- return tcpf;
-}
-
-
-/*
- * count consecutive 1's in bit mask. If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int countbits(ip)
-u_32_t ip;
-{
- u_32_t ipn;
- int cnt = 0, i, j;
-
- ip = ipn = ntohl(ip);
- for (i = 32; i; i--, ipn *= 2)
- if (ipn & 0x80000000)
- cnt++;
- else
- break;
- ipn = 0;
- for (i = 32, j = cnt; i; i--, j--) {
- ipn *= 2;
- if (j > 0)
- ipn++;
- }
- if (ipn == ip)
- return cnt;
- return -1;
-}
-
-
-int count6bits(msk)
-u_32_t *msk;
-{
- int i = 0, k;
- u_32_t j;
-
- for (k = 3; k >= 0; k--)
- if (msk[k] == 0xffffffff)
- i += 32;
- else {
- for (j = msk[k]; j; j <<= 1)
- if (j & 0x80000000)
- i++;
- }
- return i;
-}
-
-
-char *portname(pr, port)
-int pr, port;
-{
- static char buf[32];
- struct protoent *p = NULL;
- struct servent *sv = NULL, *sv1 = NULL;
-
- if (pr == -1) {
- if ((sv = getservbyport(htons(port), "tcp"))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- sv1 = getservbyport(htons(port), "udp");
- sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
- NULL : sv1;
- }
- if (sv)
- return buf;
- } else if (pr && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(htons(port), p->p_name))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- return buf;
- }
- }
-
- (void) sprintf(buf, "%d", port);
- return buf;
-}
-
-
-int ratoi(ps, pi, min, max)
-char *ps;
-int *pi, min, max;
-{
- int i;
- char *pe;
-
- i = (int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-int ratoui(ps, pi, min, max)
-char *ps;
-u_int *pi, min, max;
-{
- u_int i;
- char *pe;
-
- i = (u_int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
-{
- struct in_addr ipa;
- int ones;
-
-#ifdef USE_INET6
- if (v == 6) {
- ones = count6bits(mask);
- if (ones == 0 && !addr[0] && !addr[1] && !addr[2] && !addr[3])
- printf("any");
- else {
- char ipbuf[64];
- printf("%s/%d",
- inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf)),
- ones);
- }
- }
- else
-#endif
- if (!*addr && !*mask)
- printf("any");
- else {
- ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
- if ((ones = countbits(*mask)) == -1) {
- ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
- }
-}
-
-
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
-{
- static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
- "<>", "><"};
-
- if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
- pcmp1[frp->frp_cmp], frp->frp_top);
- else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
- portname(pr, frp->frp_port));
-}
-
-
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
-{
- char *s, c;
- int i;
-
- for (s = buf, i = len; i; i--) {
- c = *s++;
- if (isprint(c))
- putchar(c);
- else
- printf("\\%03o", c);
- if ((c == '\0') && zend)
- break;
- }
-}
-
-
-
-char *hostname(v, ip)
-int v;
-void *ip;
-{
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *(u_32_t *)ip;
- return inet_ntoa(ipa);
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
diff --git a/contrib/ipfilter/facpri.c b/contrib/ipfilter/facpri.c
deleted file mode 100644
index 79afdd2..0000000
--- a/contrib/ipfilter/facpri.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <syslog.h>
-#include "facpri.h"
-
-#ifndef __STDC__
-# define const
-#endif
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3.2.4 2001/07/15 22:06:12 darrenr Exp $";
-#endif
-
-typedef struct table {
- char *name;
- int value;
-} table_t;
-
-table_t facs[] = {
- { "kern", LOG_KERN }, { "user", LOG_USER },
- { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
- { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
- { "lpr", LOG_LPR }, { "news", LOG_NEWS },
- { "uucp", LOG_UUCP },
-#if LOG_CRON == LOG_CRON2
- { "cron2", LOG_CRON1 },
-#else
- { "cron", LOG_CRON1 },
-#endif
-#ifdef LOG_FTP
- { "ftp", LOG_FTP },
-#endif
-#ifdef LOG_AUTHPRIV
- { "authpriv", LOG_AUTHPRIV },
-#endif
-#ifdef LOG_AUDIT
- { "audit", LOG_AUDIT },
-#endif
-#ifdef LOG_LFMT
- { "logalert", LOG_LFMT },
-#endif
-#if LOG_CRON == LOG_CRON1
- { "cron", LOG_CRON2 },
-#else
- { "cron2", LOG_CRON2 },
-#endif
-#ifdef LOG_SECURITY
- { "security", LOG_SECURITY },
-#endif
- { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
- { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
- { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
- { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
- { NULL, 0 }
-};
-
-
-/*
- * map a facility number to its name
- */
-char *
-fac_toname(facpri)
- int facpri;
-{
- int i, j, fac;
-
- fac = facpri & LOG_FACMASK;
- j = fac >> 3;
- if (j < 24) {
- if (facs[j].value == fac)
- return facs[j].name;
- for (i = 0; facs[i].name; i++)
- if (fac == facs[i].value)
- return facs[i].name;
- }
-
- return NULL;
-}
-
-
-/*
- * map a facility name to its number
- */
-int
-fac_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; facs[i].name; i++)
- if (!strcmp(facs[i].name, name))
- return facs[i].value;
- return -1;
-}
-
-
-table_t pris[] = {
- { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
- { "crit", LOG_CRIT }, { "err", LOG_ERR },
- { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
- { "info", LOG_INFO }, { "debug", LOG_DEBUG },
- { NULL, 0 }
-};
-
-
-/*
- * map a priority name to its number
- */
-int
-pri_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; pris[i].name; i++)
- if (!strcmp(pris[i].name, name))
- return pris[i].value;
- return -1;
-}
-
-
-/*
- * map a priority number to its name
- */
-char *
-pri_toname(facpri)
- int facpri;
-{
- int i, pri;
-
- pri = facpri & LOG_PRIMASK;
- if (pris[pri].value == pri)
- return pris[pri].name;
- for (i = 0; pris[i].name; i++)
- if (pri == pris[i].value)
- return pris[i].name;
- return NULL;
-}
diff --git a/contrib/ipfilter/facpri.h b/contrib/ipfilter/facpri.h
deleted file mode 100644
index 7b80377..0000000
--- a/contrib/ipfilter/facpri.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 1999-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * $Id: facpri.h,v 1.3.2.1 2001/06/26 10:43:11 darrenr Exp $
- */
-
-#ifndef __FACPRI_H__
-#define __FACPRI_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern char *fac_toname __P((int));
-extern int fac_findname __P((char *));
-
-extern char *pri_toname __P((int));
-extern int pri_findname __P((char *));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#if LOG_CRON == (9<<3)
-# define LOG_CRON1 LOG_CRON
-# define LOG_CRON2 (15<<3)
-#endif
-#if LOG_CRON == (15<<3)
-# define LOG_CRON1 (9<<3)
-# define LOG_CRON2 LOG_CRON
-#endif
-
-#endif /* __FACPRI_H__ */
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
deleted file mode 100644
index e21af89..0000000
--- a/contrib/ipfilter/fils.c
+++ /dev/null
@@ -1,1536 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if defined(STATETOP)
-# if defined(_BSDI_VERSION)
-# undef STATETOP)
-# endif
-# if defined(__FreeBSD__) && \
- (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
-# undef STATETOP
-# endif
-# if defined(__NetBSD_Version__)
-# if (__NetBSD_Version__ < 105000000)
-# undef STATETOP
-# else
-# include <poll.h>
-# define USE_POLL
-# endif
-# endif
-# if defined(sun)
-# if defined(__svr4__) || defined(__SVR4)
-# include <sys/select.h>
-# else
-# undef STATETOP /* NOT supported on SunOS4 */
-# endif
-# endif
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <nlist.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/tcp.h>
-#if defined(STATETOP) && !defined(linux)
-# include <netinet/ip_var.h>
-# include <netinet/tcp_fsm.h>
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "ipf.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef STATETOP
-# include "netinet/ipl.h"
-# include <ctype.h>
-# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
- defined(__sgi)
-# ifdef ERR
-# undef ERR
-# endif
-# include <curses.h>
-# else /* SOLARIS */
-# include <ncurses.h>
-# endif /* SOLARIS */
-#endif /* STATETOP */
-#include "kmem.h"
-#if defined(__NetBSD__) || (__OpenBSD__)
-# include <paths.h>
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.45 2004/04/10 11:45:48 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern int optind;
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-#define F_IN 0
-#define F_OUT 1
-#define F_ACIN 2
-#define F_ACOUT 3
-static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
- "ipacct(in)", "ipacct(out)" };
-
-int opts = 0;
-int use_inet6 = 0;
-int live_kernel = 1;
-int state_fd = -1;
-int auth_fd = -1;
-int ipf_fd = -1;
-
-#ifdef STATETOP
-#define STSTRSIZE 80
-#define STGROWSIZE 16
-#define HOSTNMLEN 40
-
-#define STSORT_PR 0
-#define STSORT_PKTS 1
-#define STSORT_BYTES 2
-#define STSORT_TTL 3
-#define STSORT_SRCIP 4
-#define STSORT_DSTIP 5
-#define STSORT_MAX STSORT_DSTIP
-#define STSORT_DEFAULT STSORT_BYTES
-
-
-typedef struct statetop {
- union i6addr st_src;
- union i6addr st_dst;
- u_short st_sport;
- u_short st_dport;
- u_char st_p;
- u_char st_state[2];
- U_QUAD_T st_pkts;
- U_QUAD_T st_bytes;
- u_long st_age;
-} statetop_t;
-#endif
-
-extern int main __P((int, char *[]));
-static void showstats __P((friostat_t *, u_32_t));
-static void showfrstates __P((ipfrstat_t *));
-static void showlist __P((friostat_t *));
-static void showipstates __P((ips_stat_t *));
-static void showauthstates __P((fr_authstat_t *));
-static void showgroups __P((friostat_t *));
-static void Usage __P((char *));
-static void printlist __P((frentry_t *));
-static void parse_ipportstr __P((const char *, struct in_addr *, int *));
-static int ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-#ifdef STATETOP
-static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int));
-static char *ttl_to_string __P((long));
-static int sort_p __P((const void *, const void *));
-static int sort_pkts __P((const void *, const void *));
-static int sort_bytes __P((const void *, const void *));
-static int sort_ttl __P((const void *, const void *));
-static int sort_srcip __P((const void *, const void *));
-static int sort_dstip __P((const void *, const void *));
-#endif
-#if SOLARIS
-void showqiflist __P((char *));
-#endif
-
-
-static void Usage(name)
-char *name;
-{
-#ifdef USE_INET6
- fprintf(stderr, "Usage: %s [-6aAfhIinosv] [-d <device>]\n", name);
-#else
- fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
-#endif
- fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n");
- fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
- friostat_t fio;
- friostat_t *fiop = &fio;
- ips_stat_t ipsst;
- ips_stat_t *ipsstp = &ipsst;
- ipfrstat_t ifrst;
- ipfrstat_t *ifrstp = &ifrst;
- char *device = IPL_NAME, *memf = NULL;
- char *kern = NULL;
- int c, myoptind;
- struct protoent *proto;
-
- int protocol = -1; /* -1 = wild card for any protocol */
- int refreshtime = 1; /* default update time */
- int sport = -1; /* -1 = wild card for any source port */
- int dport = -1; /* -1 = wild card for any dest port */
- int topclosed = 0; /* do not show closed tcp sessions */
- struct in_addr saddr, daddr;
- u_32_t frf;
-
- saddr.s_addr = INADDR_ANY; /* default any source addr */
- daddr.s_addr = INADDR_ANY; /* default any dest addr */
-
- /*
- * Parse these two arguments now lest there be any buffer overflows
- * in the parsing of the rest.
- */
- myoptind = optind;
- while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
- switch (c)
- {
- case 'M' :
- memf = optarg;
- live_kernel = 0;
- break;
- case 'N' :
- kern = optarg;
- live_kernel = 0;
- break;
- }
- optind = myoptind;
-
- if (live_kernel == 1) {
- if ((state_fd = open(IPL_STATE, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
- if ((auth_fd = open(IPL_AUTH, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
- if ((ipf_fd = open(device, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
- }
-
- if (kern != NULL || memf != NULL)
- {
- (void)setuid(getuid());
- (void)setgid(getgid());
- }
-
- if (openkmem(kern, memf) == -1)
- exit(-1);
-
- (void)setuid(getuid());
- (void)setgid(getgid());
-
- while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
- {
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'a' :
- opts |= OPT_ACCNT|OPT_SHOWLIST;
- break;
- case 'A' :
- device = IPAUTH_NAME;
- opts |= OPT_AUTHSTATS;
- break;
- case 'C' :
- topclosed = 1;
- break;
- case 'd' :
- device = optarg;
- break;
- case 'D' :
- parse_ipportstr(optarg, &daddr, &dport);
- break;
- case 'f' :
- opts |= OPT_FRSTATES;
- break;
- case 'g' :
- opts |= OPT_GROUPS;
- break;
- case 'h' :
- opts |= OPT_HITS;
- break;
- case 'i' :
- opts |= OPT_INQUE|OPT_SHOWLIST;
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'M' :
- break;
- case 'N' :
- break;
- case 'n' :
- opts |= OPT_SHOWLINENO;
- break;
- case 'o' :
- opts |= OPT_OUTQUE|OPT_SHOWLIST;
- break;
- case 'P' :
- if ((proto = getprotobyname(optarg)) != NULL) {
- protocol = proto->p_proto;
- } else if (!sscanf(optarg, "%ud", &protocol) ||
- (protocol < 0)) {
- fprintf(stderr, "%s : Invalid protocol: %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'q' :
-#if SOLARIS
- showqiflist(kern);
- exit(0);
- break;
-#else
- fprintf(stderr, "-q only availble on Solaris\n");
- exit(1);
- break;
-#endif
- case 's' :
- opts |= OPT_IPSTATES;
- break;
- case 'S' :
- parse_ipportstr(optarg, &saddr, &sport);
- break;
- case 't' :
-#ifdef STATETOP
- opts |= OPT_STATETOP;
- break;
-#else
- fprintf(stderr,
- "%s : state top facility not compiled in\n",
- argv[0]);
- exit(-2);
-#endif
- case 'T' :
- if (!sscanf(optarg, "%d", &refreshtime) ||
- (refreshtime <= 0)) {
- fprintf(stderr,
- "%s : Invalid refreshtime < 1 : %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- Usage(argv[0]);
- break;
- }
- }
-
- if (live_kernel == 1) {
- bzero((char *)&fio, sizeof(fio));
- bzero((char *)&ipsst, sizeof(ipsst));
- bzero((char *)&ifrst, sizeof(ifrst));
-
- ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
- &frauthstp, &frf);
- } else
- ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
-
- if (opts & OPT_IPSTATES) {
- showipstates(ipsstp);
- } else if (opts & OPT_SHOWLIST) {
- showlist(fiop);
- if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
- opts &= ~OPT_OUTQUE;
- showlist(fiop);
- }
- } else {
- if (opts & OPT_FRSTATES)
- showfrstates(ifrstp);
-#ifdef STATETOP
- else if (opts & OPT_STATETOP)
- topipstates(saddr, daddr, sport, dport,
- protocol, refreshtime, topclosed);
-#endif
- else if (opts & OPT_AUTHSTATS)
- showauthstates(frauthstp);
- else if (opts & OPT_GROUPS)
- showgroups(fiop);
- else
- showstats(fiop, frf);
- }
- return 0;
-}
-
-
-/*
- * Fill in the stats structures from the live kernel, using a combination
- * of ioctl's and copying directly from kernel memory.
- */
-int ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *device;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
-
- if (!(opts & OPT_AUTHSTATS) && ioctl(ipf_fd, SIOCGETFS, fiopp) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
- exit(-1);
- }
-
- if ((opts & OPT_IPSTATES)) {
- if ((ioctl(state_fd, SIOCGETFS, ipsstpp) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
- exit(-1);
- }
- }
- if ((opts & OPT_FRSTATES) &&
- (ioctl(ipf_fd, SIOCGFRST, ifrstpp) == -1)) {
- perror("ioctl(SIOCGFRST)");
- exit(-1);
- }
-
- if (opts & OPT_VERBOSE)
- PRINTF("opts %#x name %s\n", opts, device);
-
- if ((opts & OPT_AUTHSTATS) &&
- (ioctl(auth_fd, SIOCATHST, frauthstpp) == -1)) {
- perror("ioctl(SIOCATHST)");
- exit(-1);
- }
-
- if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
- perror("ioctl(SIOCGETFF)");
-
- return ipf_fd;
-}
-
-
-/*
- * Build up the stats structures from data held in the "core" memory.
- * This is mainly useful when looking at data in crash dumps and ioctl's
- * just won't work any more.
- */
-void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *kernel;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
- static fr_authstat_t frauthst, *frauthstp;
- static ips_stat_t ipsst, *ipsstp;
- static ipfrstat_t ifrst, *ifrstp;
- static friostat_t fio, *fiop;
-
- void *rules[2][2];
- struct nlist deadlist[42] = {
- { "fr_authstats" }, /* 0 */
- { "fae_list" },
- { "ipauth" },
- { "fr_authlist" },
- { "fr_authstart" },
- { "fr_authend" }, /* 5 */
- { "fr_authnext" },
- { "fr_auth" },
- { "fr_authused" },
- { "fr_authsize" },
- { "fr_defaultauthage" }, /* 10 */
- { "fr_authpkts" },
- { "fr_auth_lock" },
- { "frstats" },
- { "ips_stats" },
- { "ips_num" }, /* 15 */
- { "ips_wild" },
- { "ips_list" },
- { "ips_table" },
- { "fr_statemax" },
- { "fr_statesize" }, /* 20 */
- { "fr_state_doflush" },
- { "fr_state_lock" },
- { "ipfr_heads" },
- { "ipfr_nattab" },
- { "ipfr_stats" }, /* 25 */
- { "ipfr_inuse" },
- { "fr_ipfrttl" },
- { "fr_frag_lock" },
- { "ipfr_timer_id" },
- { "fr_nat_lock" }, /* 30 */
- { "ipfilter" },
- { "ipfilter6" },
- { "ipacct" },
- { "ipacct6" },
- { "ipl_frouteok" }, /* 35 */
- { "fr_running" },
- { "ipfgroups" },
- { "fr_active" },
- { "fr_pass" },
- { "fr_flags" }, /* 40 */
- { NULL }
- };
-
-
- frauthstp = &frauthst;
- ipsstp = &ipsst;
- ifrstp = &ifrst;
- fiop = &fio;
-
- *frfp = 0;
- *fiopp = fiop;
- *ipsstpp = ipsstp;
- *ifrstpp = ifrstp;
- *frauthstpp = frauthstp;
-
- bzero((char *)fiop, sizeof(*fiop));
- bzero((char *)ipsstp, sizeof(*ipsstp));
- bzero((char *)ifrstp, sizeof(*ifrstp));
- bzero((char *)frauthstp, sizeof(*frauthstp));
-
- if (nlist(kernel, deadlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- /*
- * This is for SIOCGETFF.
- */
- kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
-
- /*
- * f_locks is a combination of the lock variable from each part of
- * ipfilter (state, auth, nat, fragments).
- */
- kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
- sizeof(fiop->f_locks[0]));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
- sizeof(fiop->f_locks[1]));
- kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
- sizeof(fiop->f_locks[2]));
- kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
- sizeof(fiop->f_locks[3]));
-
- /*
- * Get pointers to each list of rules (active, inactive, in, out)
- */
- kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
- fiop->f_fin[0] = rules[0][0];
- fiop->f_fin[1] = rules[0][1];
- fiop->f_fout[0] = rules[1][0];
- fiop->f_fout[1] = rules[1][1];
-
- /*
- * Same for IPv6, except make them null if support for it is not
- * being compiled in.
- */
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
- fiop->f_fin6[0] = rules[0][0];
- fiop->f_fin6[1] = rules[0][1];
- fiop->f_fout6[0] = rules[1][0];
- fiop->f_fout6[1] = rules[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
-#endif
-
- /*
- * Now get accounting rules pointers.
- */
- kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
- fiop->f_acctin[0] = rules[0][0];
- fiop->f_acctin[1] = rules[0][1];
- fiop->f_acctout[0] = rules[1][0];
- fiop->f_acctout[1] = rules[1][1];
-
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
- fiop->f_acctin6[0] = rules[0][0];
- fiop->f_acctin6[1] = rules[0][1];
- fiop->f_acctout6[0] = rules[1][0];
- fiop->f_acctout6[1] = rules[1][1];
-#else
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
-
- /*
- * A collection of "global" variables used inside the kernel which
- * are all collected in friostat_t via ioctl.
- */
- kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
- sizeof(fiop->f_froute));
- kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
- sizeof(fiop->f_running));
- kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
- sizeof(fiop->f_groups));
- kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
- sizeof(fiop->f_active));
- kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
- sizeof(fiop->f_defpass));
-
- /*
- * Build up the state information stats structure.
- */
- kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
- kmemcpy((char *)&ipsstp->iss_active, (u_long)deadlist[15].n_value,
- sizeof(ipsstp->iss_active));
- ipsstp->iss_table = (void *)deadlist[18].n_value;
- ipsstp->iss_list = (void *)deadlist[17].n_value;
-
- /*
- * Build up the authentiation information stats structure.
- */
- kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
- sizeof(*frauthstp));
- frauthstp->fas_faelist = (void *)deadlist[1].n_value;
-
- /*
- * Build up the fragment information stats structure.
- */
- kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
- sizeof(*ifrstp));
- ifrstp->ifs_table = (void *)deadlist[23].n_value;
- ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
- kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
- sizeof(ifrstp->ifs_inuse));
-}
-
-
-/*
- * Display the kernel stats for packets blocked and passed and other
- * associated running totals which are kept.
- */
-static void showstats(fp, frf)
-struct friostat *fp;
-u_32_t frf;
-{
-
-#if SOLARIS
- PRINTF("dropped packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
- PRINTF("non-data packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata);
- PRINTF("no-data packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata);
- PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
- PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
- PRINTF("copied messages:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_copy, fp->f_st[1].fr_copy);
-#endif
-#ifdef USE_INET6
- PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6[0], fp->f_st[0].fr_ipv6[1]);
-#endif
- PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- PRINTF("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- PRINTF(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr, fp->f_st[0].fr_cfr);
- PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr, fp->f_st[1].fr_cfr);
- PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
-
- PRINTF("Packet log flags set: (%#x)\n", frf);
- if (frf & FF_LOGPASS)
- PRINTF("\tpackets passed through filter\n");
- if (frf & FF_LOGBLOCK)
- PRINTF("\tpackets blocked by filter\n");
- if (frf & FF_LOGNOMATCH)
- PRINTF("\tpackets not matched by filter\n");
- if (!frf)
- PRINTF("\tnone\n");
-}
-
-
-/*
- * Print out a list of rules from the kernel, starting at the one passed.
- */
-static void printlist(fp)
-frentry_t *fp;
-{
- struct frentry fb;
- int n;
-
- for (n = 1; fp; n++) {
- if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
- perror("kmemcpy");
- return;
- }
- fp = &fb;
- if (opts & OPT_OUTQUE)
- fp->fr_flags |= FR_OUTQUE;
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_hits);
-#else
- PRINTF("%lu ", fp->fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
-#else
- PRINTF("%lu ", fp->fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
- printfr(fp);
- if (opts & OPT_VERBOSE)
- binprint(fp);
- if (fp->fr_grp)
- printlist(fp->fr_grp);
- fp = fp->fr_next;
- }
-}
-
-/*
- * print out all of the asked for rule sets, using the stats struct as
- * the base from which to get the pointers.
- */
-static void showlist(fiop)
-struct friostat *fiop;
-{
- struct frentry *fp = NULL;
- int i, set;
-
- set = fiop->f_active;
- if (opts & OPT_INACTIVE)
- set = 1 - set;
- if (opts & OPT_ACCNT) {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout[set];
- } else if (opts & OPT_INQUE) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin[set];
- } else {
- FPRINTF(stderr, "No -i or -o given with -a\n");
- return;
- }
- } else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout[set];
- } else if (opts & OPT_INQUE) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin[set];
- } else
- return;
- }
- if (opts & OPT_VERBOSE)
- FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
-
- if (opts & OPT_VERBOSE)
- PRINTF("fp %p set %d\n", fp, set);
- if (fp == NULL) {
- FPRINTF(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
- }
- printlist(fp);
-}
-
-
-/*
- * Display ipfilter stateful filtering information
- */
-static void showipstates(ipsp)
-ips_stat_t *ipsp;
-{
- ipstate_t *istab[IPSTATE_SIZE];
-
- /*
- * If a list of states hasn't been asked for, only print out stats
- */
- if (!(opts & OPT_SHOWLIST)) {
- PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- PRINTF("\t%lu logged\n\t%lu log failures\n",
- ipsp->iss_logged, ipsp->iss_logfail);
- PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
- return;
- }
-
- if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
- return;
-
- /*
- * Print out all the state information currently held in the kernel.
- */
- while (ipsp->iss_list != NULL) {
- ipsp->iss_list = printstate(ipsp->iss_list, opts);
- }
-}
-
-
-#if SOLARIS
-/*
- * Displays the list of interfaces of which IPFilter has taken control in
- * Solaris.
- */
-void showqiflist(kern)
-char *kern;
-{
- struct nlist qifnlist[2] = {
- { "_qif_head" },
- { NULL }
- };
- qif_t qif, *qf;
- ill_t ill;
-
- if (kern == NULL)
- kern = "/dev/ksyms";
-
- if (nlist(kern, qifnlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- printf("List of interfaces bound by IPFilter:\n");
- if (kmemcpy((char *)&qf, (u_long)qifnlist[0].n_value, sizeof(qf)))
- return;
- while (qf) {
- if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
- break;
- if (kmemcpy((char *)&ill, (u_long)qif.qf_ill, sizeof(ill)))
- ill.ill_ppa = -1;
- printf("Name: %-8s Header Length: %2d SAP: %s (%04x) PPA %d",
- qif.qf_name, qif.qf_hl,
-#ifdef IP6_DL_SAP
- (qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
-#else
- "IPv4"
-#endif
- , qif.qf_sap, ill.ill_ppa);
- printf(" %ld %ld", qif.qf_incnt, qif.qf_outcnt);
- qf = qif.qf_next;
- putchar('\n');
- }
-}
-#endif
-
-
-#ifdef STATETOP
-static void topipstates(saddr, daddr, sport, dport, protocol,
- refreshtime, topclosed)
-struct in_addr saddr;
-struct in_addr daddr;
-int sport;
-int dport;
-int protocol;
-int refreshtime;
-int topclosed;
-{
- char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
- int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
- int i, j, winx, tsentry, maxx, maxy, redraw = 0;
- ipstate_t *istab[IPSTATE_SIZE], ips;
- ips_stat_t ipsst, *ipsstp = &ipsst;
- statetop_t *tstable = NULL, *tp;
- char hostnm[HOSTNMLEN];
- struct protoent *proto;
- int c = 0;
- time_t t;
-#ifdef USE_POLL
- struct pollfd set[1];
-#else
- struct timeval selecttimeout;
- fd_set readfd;
-#endif
-
- /* init ncurses stuff */
- initscr();
- cbreak();
- noecho();
-
- /* init hostname */
- gethostname(hostnm, sizeof(hostnm) - 1);
- hostnm[sizeof(hostnm) - 1] = '\0';
-
- /* repeat until user aborts */
- while ( 1 ) {
-
- /* get state table */
- bzero((char *)&ipsst, sizeof(&ipsst));
- if ((ioctl(state_fd, SIOCGETFS, &ipsstp) == -1)) {
- perror("ioctl(SIOCGETFS)");
- exit(-1);
- }
- if (kmemcpy((char *)istab, (u_long)ipsstp->iss_table,
- sizeof(ips)))
- return;
-
- /* clear the history */
- tsentry = -1;
-
- /* read the state table and store in tstable */
- while (ipsstp->iss_list) {
- if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list,
- sizeof(ips)))
- break;
- ipsstp->iss_list = ips.is_next;
-
- if (((saddr.s_addr == INADDR_ANY) ||
- (saddr.s_addr == ips.is_saddr)) &&
- ((daddr.s_addr == INADDR_ANY) ||
- (daddr.s_addr == ips.is_daddr)) &&
- ((protocol < 0) || (protocol == ips.is_p)) &&
- (((ips.is_p != IPPROTO_TCP) &&
- (ips.is_p != IPPROTO_UDP)) ||
- (((sport < 0) ||
- (htons(sport) == ips.is_sport)) &&
- ((dport < 0) ||
- (htons(dport) == ips.is_dport)))) &&
- (topclosed || (ips.is_p != IPPROTO_TCP) ||
- (ips.is_state[0] < TCPS_LAST_ACK) ||
- (ips.is_state[1] < TCPS_LAST_ACK))) {
- /*
- * if necessary make room for this state
- * entry
- */
- tsentry++;
- if (!maxtsentries ||
- (tsentry == maxtsentries)) {
-
- maxtsentries += STGROWSIZE;
- tstable = realloc(tstable, maxtsentries * sizeof(statetop_t));
- if (!tstable) {
- perror("malloc");
- exit(-1);
- }
- }
-
- /* fill structure */
- tp = tstable + tsentry;
- tp->st_src = ips.is_src;
- tp->st_dst = ips.is_dst;
- tp->st_p = ips.is_p;
- tp->st_state[0] = ips.is_state[0];
- tp->st_state[1] = ips.is_state[1];
- tp->st_pkts = ips.is_pkts;
- tp->st_bytes = ips.is_bytes;
- tp->st_age = ips.is_age;
- if ((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) {
- tp->st_sport = ips.is_sport;
- tp->st_dport = ips.is_dport;
- }
-
- }
- }
-
-
- /* sort the array */
- if (tsentry != -1)
- switch (sorting)
- {
- case STSORT_PR:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_p);
- break;
- case STSORT_PKTS:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_pkts);
- break;
- case STSORT_BYTES:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_bytes);
- break;
- case STSORT_TTL:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_ttl);
- break;
- case STSORT_SRCIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_srcip);
- break;
- case STSORT_DSTIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_dstip);
- break;
- default:
- break;
- }
-
- /* print title */
- erase();
- getmaxyx(stdscr, maxy, maxx);
- attron(A_BOLD);
- winx = 0;
- move(winx,0);
- sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
- for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
- printw(" ");
- printw("%s", str1);
- attroff(A_BOLD);
-
- /* just for fun add a clock */
- move(winx, maxx - 8);
- t = time(NULL);
- strftime(str1, 80, "%T", localtime(&t));
- printw("%s\n", str1);
-
- /*
- * print the display filters, this is placed in the loop,
- * because someday I might add code for changing these
- * while the programming is running :-)
- */
- if (sport >= 0)
- sprintf(str1, "%s,%d", inet_ntoa(saddr), sport);
- else
- sprintf(str1, "%s", inet_ntoa(saddr));
-
- if (dport >= 0)
- sprintf(str2, "%s,%d", inet_ntoa(daddr), dport);
- else
- sprintf(str2, "%s", inet_ntoa(daddr));
-
- if (protocol < 0)
- strcpy(str3, "any");
- else if ((proto = getprotobynumber(protocol)) != NULL)
- sprintf(str3, "%s", proto->p_name);
- else
- sprintf(str3, "%d", protocol);
-
- switch (sorting)
- {
- case STSORT_PR:
- sprintf(str4, "proto");
- break;
- case STSORT_PKTS:
- sprintf(str4, "# pkts");
- break;
- case STSORT_BYTES:
- sprintf(str4, "# bytes");
- break;
- case STSORT_TTL:
- sprintf(str4, "ttl");
- break;
- case STSORT_SRCIP:
- sprintf(str4, "srcip");
- break;
- case STSORT_DSTIP:
- sprintf(str4, "dstip");
- break;
- default:
- sprintf(str4, "unknown");
- break;
- }
-
- if (reverse)
- strcat(str4, " (reverse)");
-
- winx += 2;
- move(winx,0);
- printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n",
- str1, str2, str3, str4);
-
- /* print column description */
- winx += 2;
- move(winx,0);
- attron(A_BOLD);
- printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP",
- "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl");
- attroff(A_BOLD);
-
- /* print all the entries */
- tp = tstable;
- if (reverse)
- tp += tsentry;
-
- if (tsentry > maxy - 6)
- tsentry = maxy - 6;
- for (i = 0; i <= tsentry; i++) {
- /* print src/dest and port */
- if ((tp->st_p == IPPROTO_TCP) ||
- (tp->st_p == IPPROTO_UDP)) {
- sprintf(str1, "%s,%hu",
- inet_ntoa(tp->st_src.in4),
- ntohs(tp->st_sport));
- sprintf(str2, "%s,%hu",
- inet_ntoa(tp->st_dst.in4),
- ntohs(tp->st_dport));
- } else {
- sprintf(str1, "%s", inet_ntoa(tp->st_src.in4));
- sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4));
- }
- winx++;
- move(winx, 0);
- printw("%-21s %-21s", str1, str2);
-
- /* print state */
- sprintf(str1, "%X/%X", tp->st_state[0],
- tp->st_state[1]);
- printw(" %3s", str1);
-
- /* print proto */
- proto = getprotobynumber(tp->st_p);
- if (proto) {
- strncpy(str1, proto->p_name, 4);
- str1[4] = '\0';
- } else {
- sprintf(str1, "%d", tp->st_p);
- }
- printw(" %4s", str1);
- /* print #pkt/#bytes */
-#ifdef USE_QUAD_T
- printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
- (unsigned long long) tp->st_bytes);
-#else
- printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
-#endif
- printw(" %9s", ttl_to_string(tp->st_age));
-
- if (reverse)
- tp--;
- else
- tp++;
- }
-
- /* screen data structure is filled, now update the screen */
- if (redraw)
- clearok(stdscr,1);
-
- refresh();
- if (redraw) {
- clearok(stdscr,0);
- redraw = 0;
- }
-
- /* wait for key press or a 1 second time out period */
-#ifdef USE_POLL
- set[0].fd = 0;
- set[0].events = POLLIN;
- poll(set, 1, refreshtime * 1000);
-
- /* if key pressed, read all waiting keys */
- if (set[0].revents & POLLIN)
-#else
- selecttimeout.tv_sec = refreshtime;
- selecttimeout.tv_usec = 0;
- FD_ZERO(&readfd);
- FD_SET(0, &readfd);
- select(1, &readfd, NULL, NULL, &selecttimeout);
-
- /* if key pressed, read all waiting keys */
- if (FD_ISSET(0, &readfd))
-#endif
-
- {
- c = wgetch(stdscr);
- if (c == ERR)
- continue;
-
- if (isalpha(c) && isupper(c))
- c = tolower(c);
- if (c == 'l') {
- redraw = 1;
- } else if (c == 'q') {
- break; /* exits while() loop */
- } else if (c == 'r') {
- reverse = !reverse;
- } else if (c == 's') {
- sorting++;
- if (sorting > STSORT_MAX)
- sorting = 0;
- }
- }
- } /* while */
-
- printw("\n");
- nocbreak();
- endwin();
-}
-#endif
-
-
-/*
- * Show fragment cache information that's held in the kernel.
- */
-static void showfrstates(ifsp)
-ipfrstat_t *ifsp;
-{
- struct ipfr *ipfrtab[IPFT_SIZE], ifr;
- frentry_t fr;
- int i;
-
- /*
- * print out the numeric statistics
- */
- PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
- ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- PRINTF("\t%lu no memory\n\t%lu already exist\n",
- ifsp->ifs_nomem, ifsp->ifs_exists);
- PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
- return;
-
- /*
- * Print out the contents (if any) of the fragment cache table.
- */
- PRINTF("\n");
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i]) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- PRINTF("%s -> ", hostname(4, &ifr.ipfr_src));
- if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
- sizeof(fr)) == -1)
- break;
- PRINTF("%s id %d ttl %d pr %d seen0 %d ifp %p tos %#02x = fl %#x\n",
- hostname(4, &ifr.ipfr_dst), ntohs(ifr.ipfr_id),
- ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_seen0,
- ifr.ipfr_ifp, ifr.ipfr_tos, fr.fr_flags);
- ipfrtab[i] = ifr.ipfr_next;
- }
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
- return;
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i]) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src));
- if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
- sizeof(fr)) == -1)
- break;
- PRINTF("%s %d %d %d %#02x = %#x\n",
- hostname(4, &ifr.ipfr_dst), ifr.ipfr_id,
- ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
- fr.fr_flags);
- ipfrtab[i] = ifr.ipfr_next;
- }
-}
-
-
-/*
- * Show stats on how auth within IPFilter has been used
- */
-static void showauthstates(asp)
-fr_authstat_t *asp;
-{
- frauthent_t *frap, fra;
-
-#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
- (unsigned long long) asp->fas_hits,
- (unsigned long long) asp->fas_miss);
-#else
- printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
- asp->fas_miss);
-#endif
- printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
- asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
- asp->fas_sendok);
- printf("queok %ld\nquefail %ld\nexpire %ld\n",
- asp->fas_queok, asp->fas_quefail, asp->fas_expire);
-
- frap = asp->fas_faelist;
- while (frap) {
- if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
- break;
-
- printf("age %ld\t", fra.fae_age);
- printfr(&fra.fae_fr);
- frap = fra.fae_next;
- }
-}
-
-
-/*
- * Display groups used for each of filter rules, accounting rules and
- * authentication, separately.
- */
-static void showgroups(fiop)
-struct friostat *fiop;
-{
- static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
- frgroup_t *fp, grp;
- int on, off, i;
-
- on = fiop->f_active;
- off = 1 - on;
-
- for (i = 0; i < 3; i++) {
- printf("%s groups (active):\n", gnames[i]);
- for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%hu\n", grp.fg_num);
- printf("%s groups (inactive):\n", gnames[i]);
- for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%hu\n", grp.fg_num);
- }
-}
-
-static void parse_ipportstr(argument, ip, port)
-const char *argument;
-struct in_addr *ip;
-int *port;
-{
-
- char *s, *comma;
-
- /* make working copy of argument, Theoretically you must be able
- * to write to optarg, but that seems very ugly to me....
- */
- if ((s = malloc(strlen(argument) + 1)) == NULL)
- perror("malloc");
- strcpy(s, argument);
-
- /* get port */
- if ((comma = strchr(s, ',')) != NULL) {
- if (!strcasecmp(s, "any")) {
- *port = -1;
- } else if (!sscanf(comma + 1, "%d", port) ||
- (*port < 0) || (*port > 65535)) {
- fprintf(stderr, "Invalid port specfication in %s\n",
- argument);
- exit(-2);
- }
- *comma = '\0';
- }
-
-
- /* get ip address */
- if (!strcasecmp(s, "any")) {
- ip->s_addr = INADDR_ANY;
- } else if (!inet_aton(s, ip)) {
- fprintf(stderr, "Invalid IP address: %s\n", s);
- exit(-2);
- }
-
- /* free allocated memory */
- free(s);
-}
-
-
-#ifdef STATETOP
-static char ttlbuf[STSTRSIZE];
-
-static char *ttl_to_string(ttl)
-long int ttl;
-{
-
- int hours, minutes, seconds;
-
- /* ttl is in half seconds */
- ttl /= 2;
-
- hours = ttl / 3600;
- ttl = ttl % 3600;
- minutes = ttl / 60;
- seconds = ttl % 60;
-
- if (hours > 0 )
- sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
- else
- sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
- return ttlbuf;
-}
-
-
-static int sort_pkts(a, b)
-const void *a;
-const void *b;
-{
-
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_pkts == bp->st_pkts)
- return 0;
- else if (ap->st_pkts < bp->st_pkts)
- return 1;
- return -1;
-}
-
-
-static int sort_bytes(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_bytes == bp->st_bytes)
- return 0;
- else if (ap->st_bytes < bp->st_bytes)
- return 1;
- return -1;
-}
-
-
-static int sort_p(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_p == bp->st_p)
- return 0;
- else if (ap->st_p < bp->st_p)
- return 1;
- return -1;
-}
-
-
-static int sort_ttl(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_age == bp->st_age)
- return 0;
- else if (ap->st_age < bp->st_age)
- return 1;
- return -1;
-}
-
-static int sort_srcip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr))
- return 1;
- return -1;
-}
-
-static int sort_dstip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr))
- return 1;
- return -1;
-}
-#endif
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c
deleted file mode 100644
index e940280..0000000
--- a/contrib/ipfilter/inet_addr.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * ++Copyright++ 1983, 1990, 1993
- * -
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-#ifdef __STDC__
-# ifndef __P
-# define __P(x) x
-# endif
-#else
-# undef __P
-# define __P(x) ()
-# undef const
-# define const
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.2 2002/02/22 15:32:46 darrenr Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ctype.h>
-
-int inet_aton __P((const char *, struct in_addr *));
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-inet_aton(cp, addr)
- register const char *cp;
- struct in_addr *addr;
-{
- register u_long val;
- register int base, n;
- register char c;
- u_int parts[4];
- register u_int *pp = parts;
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit(c))
- return (0);
- val = 0; base = 10;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X')
- base = 16, c = *++cp;
- else
- base = 8;
- }
- for (;;) {
- if (isascii(c) && isdigit(c)) {
- val = (val * base) + (c - '0');
- c = *++cp;
- } else if (base == 16 && isascii(c) && isxdigit(c)) {
- val = (val << 4) |
- (c + 10 - (islower(c) ? 'a' : 'A'));
- c = *++cp;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3)
- return (0);
- *pp++ = val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace(c)))
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
-
- case 0:
- return (0); /* initial nondigit */
-
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffff)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr)
- addr->s_addr = htonl(val);
- return (1);
-}
-
-/* these are compatibility routines, not needed on recent BSD releases */
-
-/*
- * Ascii internet address interpretation routine.
- * The value returned is in network order.
- */
-#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \
- (defined(IRIX) && (IRIX >= 605))
-in_addr_t
-#else
-u_long
-#endif
-inet_addr(cp)
- register const char *cp;
-{
- struct in_addr val;
-
- if (inet_aton(cp, &val))
- return (val.s_addr);
- return (0xffffffff);
-}
diff --git a/contrib/ipfilter/ip_fil_freebsd.c b/contrib/ipfilter/ip_fil_freebsd.c
index 3b36b93..4ee0d3b 100644
--- a/contrib/ipfilter/ip_fil_freebsd.c
+++ b/contrib/ipfilter/ip_fil_freebsd.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
diff --git a/contrib/ipfilter/ip_htable.c b/contrib/ipfilter/ip_htable.c
index 50aa926..22acbec 100644
--- a/contrib/ipfilter/ip_htable.c
+++ b/contrib/ipfilter/ip_htable.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/ip_htable.h b/contrib/ipfilter/ip_htable.h
index e138459..1bc4087 100644
--- a/contrib/ipfilter/ip_htable.h
+++ b/contrib/ipfilter/ip_htable.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#ifndef __IP_HTABLE_H__
#define __IP_HTABLE_H__
diff --git a/contrib/ipfilter/ip_irc_pxy.c b/contrib/ipfilter/ip_irc_pxy.c
index 45a120f..0f61d76 100644
--- a/contrib/ipfilter/ip_irc_pxy.c
+++ b/contrib/ipfilter/ip_irc_pxy.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2000-2003 Darren Reed
diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c
deleted file mode 100644
index 196d64e..0000000
--- a/contrib/ipfilter/ip_lfil.c
+++ /dev/null
@@ -1,975 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.5 2002/10/03 13:47:19 darrenr Exp $";
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <sys/time.h>
-#include <sys/dir.h>
-#include <sys/socket.h>
-#ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-#else
-# include <linux/module.h>
-#endif
-
-#include <net/if.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef _KERNEL
-# include <syslog.h>
-#endif
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
-#ifdef _KERNEL
-#include <net/ip_forward.h>
-#endif
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-#ifndef _KERNEL
-# include "ipt.h"
-static struct ifnet **ifneta = NULL;
-static int nifs = 0;
-#endif
-
-int fr_running = 0;
-int ipl_unreach = ICMP_UNREACH_FILTER;
-u_long ipl_frouteok[2] = {0, 0};
-
-static int frzerostats __P((caddr_t));
-static void frsync __P((void));
-#if defined(__NetBSD__) || defined(__OpenBSD__)
-static int frrequest __P((int, u_long, caddr_t, int));
-#else
-static int frrequest __P((int, u_long, caddr_t, int));
-#endif
-#ifdef _KERNEL
-static int (*fr_savep) __P((ip_t *, int, void *, int, mb_t **));
-#else
-int ipllog __P((void));
-void init_ifp __P((void));
-static int no_output __P((mb_t *, struct ifnet *));
-static int write_output __P((mb_t *, struct ifnet *));
-#endif
-
-#ifdef _KERNEL
-
-int fr_precheck(struct iphdr *ip, struct device *dev, int out, struct device **ifp)
-{
- int hlen = ip->ihl << 2;
-
- return fr_check((ip_t *)ip, hlen, dev, out, (mb_t **)ifp);
-}
-
-
-int iplattach()
-{
- char *defpass;
- int s;
-
- if (fr_running || (fr_checkp == fr_precheck)) {
- printk("IP Filter: already initialized\n");
- return EBUSY;
- }
-
- fr_running = 1;
- bzero((char *)frcache, sizeof(frcache));
- bzero((char *)nat_table, sizeof(nat_table));
- fr_savep = fr_checkp;
- fr_checkp = fr_precheck;
-
-# ifdef IPFILTER_LOG
- ipflog_init();
-# endif
- if (fr_pass & FR_PASS)
- defpass = "pass";
- else if (fr_pass & FR_BLOCK)
- defpass = "block";
- else
- defpass = "no-match -> block";
-
- printk("IP Filter: initialized. Default = %s all, Logging = %s\n",
- defpass,
-# ifdef IPFILTER_LOG
- "enabled");
-# else
- "disabled");
-# endif
- return 0;
-}
-
-
-/*
- * Disable the filter by removing the hooks from the IP input/output
- * stream.
- */
-int ipldetach()
-{
- int s, i = FR_INQUE|FR_OUTQUE;
-
- if (!fr_running)
- {
- printk("IP Filter: not initialized\n");
- return 0;
- }
-
- fr_checkp = fr_savep;
- i = frflush(IPL_LOGIPF, i);
- fr_running = 0;
-
- ipfr_unload();
- ip_natunload();
- fr_stateunload();
- fr_authunload();
-
- printk("IP Filter: unloaded\n");
-
- return 0;
-}
-#endif /* _KERNEL */
-
-
-static int frzerostats(data)
-caddr_t data;
-{
- struct friostat fio;
- int error;
-
- bcopy((char *)frstats, (char *)fio.f_st,
- sizeof(struct filterstats) * 2);
- fio.f_fin[0] = ipfilter[0][0];
- fio.f_fin[1] = ipfilter[0][1];
- fio.f_fout[0] = ipfilter[1][0];
- fio.f_fout[1] = ipfilter[1][1];
- fio.f_acctin[0] = ipacct[0][0];
- fio.f_acctin[1] = ipacct[0][1];
- fio.f_acctout[0] = ipacct[1][0];
- fio.f_acctout[1] = ipacct[1][1];
- fio.f_active = fr_active;
- fio.f_froute[0] = ipl_frouteok[0];
- fio.f_froute[1] = ipl_frouteok[1];
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- if (!error)
- bzero((char *)frstats, sizeof(*frstats) * 2);
- return error;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-#if defined(_KERNEL)
-int iplioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg)
-{
- int s;
- caddr_t data = (caddr_t)arg;
-
- int mode = file->f_mode;
-#else
-int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
-{
-#endif
- int error = 0, unit = 0, tmp;
-
-#ifdef _KERNEL
- unit = GET_MINOR(inode->i_rdev);
- if ((IPL_LOGMAX < unit) || (unit < 0))
- return ENXIO;
-#endif
-
- if (unit == IPL_LOGNAT) {
- error = nat_ioctl(data, cmd, mode);
- return error;
- }
- if (unit == IPL_LOGSTATE) {
- error = fr_state_ioctl(data, cmd, mode);
- return error;
- }
-
- switch (cmd) {
- case FIONREAD :
-#ifdef IPFILTER_LOG
- error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], data,
- sizeof(iplused[IPL_LOGIPF]));
-#endif
- break;
-#if !defined(IPFILTER_LKM) && defined(_KERNEL)
- case SIOCFRENB :
- {
- u_int enable;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
- if (error)
- break;
- if (enable)
- error = iplattach();
- else
- error = ipldetach();
- }
- break;
- }
-#endif
- case SIOCSETFF :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = IRCOPY(data, (caddr_t)&fr_flags,
- sizeof(fr_flags));
- break;
- case SIOCGETFF :
- error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
- break;
- case SIOCINAFR :
- case SIOCRMAFR :
- case SIOCADAFR :
- case SIOCZRLST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, fr_active);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, 1 - fr_active);
- break;
- case SIOCSWAPA :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- *(u_int *)data = fr_active;
- fr_active = 1 - fr_active;
- }
- break;
- case SIOCGETFS :
- {
- struct friostat fio;
-
- bcopy((char *)frstats, (char *)fio.f_st,
- sizeof(struct filterstats) * 2);
- fio.f_fin[0] = ipfilter[0][0];
- fio.f_fin[1] = ipfilter[0][1];
- fio.f_fout[0] = ipfilter[1][0];
- fio.f_fout[1] = ipfilter[1][1];
- fio.f_acctin[0] = ipacct[0][0];
- fio.f_acctin[1] = ipacct[0][1];
- fio.f_acctout[0] = ipacct[1][0];
- fio.f_acctout[1] = ipacct[1][1];
- fio.f_auth = ipauth;
- fio.f_active = fr_active;
- fio.f_froute[0] = ipl_frouteok[0];
- fio.f_froute[1] = ipl_frouteok[1];
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- break;
- }
- case SIOCFRZST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frzerostats(data);
- break;
- case SIOCIPFFL :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, tmp);
- error = IWCOPY((caddr_t)&tmp, data,
- sizeof(tmp));
- }
- }
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- *(int *)data = ipflog_clear(unit);
- break;
-#endif /* IPFILTER_LOG */
- case SIOCGFRST :
- error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
- sizeof(ipfrstat_t));
- break;
- case SIOCFRSYN :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
-#if defined(_KERNEL) && defined(__sgi)
- ipfsync();
-#endif
- frsync();
- }
- break;
- default :
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-static void frsync()
-{
-#ifdef _KERNEL
- struct device *dev;
-
- for (dev = dev_base; dev; dev = dev->next)
- ip_natsync(dev);
-#endif
-}
-
-
-static int frrequest(unit, req, data, set)
-int unit;
-u_long req;
-int set;
-caddr_t data;
-{
- register frentry_t *fp, *f, **fprev;
- register frentry_t **ftail;
- frentry_t frd;
- frdest_t *fdp;
- frgroup_t *fg = NULL;
- int error = 0, in;
- u_int group;
-
- fp = &frd;
- error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
- if (error)
- return error;
-
- /*
- * Check that the group number does exist and that if a head group
- * has been specified, doesn't exist.
- */
- if (fp->fr_grhead &&
- fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
- return EEXIST;
- if (fp->fr_group &&
- !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
- return ESRCH;
-
- in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
- if (unit == IPL_LOGAUTH)
- ftail = fprev = &ipauth;
- else if (fp->fr_flags & FR_ACCOUNT)
- ftail = fprev = &ipacct[in][set];
- else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE))
- ftail = fprev = &ipfilter[in][set];
- else
- return ESRCH;
-
- if ((group = fp->fr_group)) {
- if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
- return ESRCH;
- ftail = fprev = fg->fg_start;
- }
-
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
- if (*fp->fr_ifname) {
- fp->fr_ifa = GETUNIT(fp->fr_ifname, fp->fr_ip.fi_v);
- if (!fp->fr_ifa)
- fp->fr_ifa = (void *)-1;
- }
-
- fdp = &fp->fr_dif;
- fp->fr_flags &= ~FR_DUP;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_ip.fi_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-
- fdp = &fp->fr_tif;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_ip.fi_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- }
-
- /*
- * Look for a matching filter rule, but don't include the next or
- * interface pointer in the comparison (fr_next, fr_ifa).
- */
- for (; (f = *ftail); ftail = &f->fr_next)
- if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip,
- FR_CMPSIZ) == 0)
- break;
-
- /*
- * If zero'ing statistics, copy current to caller and zero.
- */
- if (req == SIOCZRLST) {
- if (!f)
- return ESRCH;
- error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
- if (error)
- return error;
- f->fr_hits = 0;
- f->fr_bytes = 0;
- return 0;
- }
-
- if (!f) {
- if (req == SIOCINAFR || req == SIOCINIFR) {
- ftail = fprev;
- if (fp->fr_hits) {
- while (--fp->fr_hits && (f = *ftail)) {
- ftail = &f->fr_next;
- }
- }
- }
- f = NULL;
- }
-
- if (req == SIOCRMAFR || req == SIOCRMIFR) {
- if (!f)
- error = ESRCH;
- else {
- if (f->fr_ref > 1)
- return EBUSY;
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, mode, req, f, ftail);
- if (f->fr_grhead)
- fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
- unit, set);
- fixskip(fprev, f, -1);
- *ftail = f->fr_next;
- KFREE(f);
- }
- } else {
- if (f)
- error = EEXIST;
- else {
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, mode, req, f, ftail);
- KMALLOC(f, frentry_t *);
- if (f != NULL) {
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref++;
- bcopy((char *)fp, (char *)f, sizeof(*f));
- f->fr_ref = 1;
- f->fr_hits = 0;
- f->fr_next = *ftail;
- *ftail = f;
- if (req == SIOCINIFR || req == SIOCINAFR)
- fixskip(fprev, f, 1);
- f->fr_grp = NULL;
- if ((group = f->fr_grhead))
- fg = fr_addgroup(group, f, unit, set);
- } else
- error = ENOMEM;
- }
- }
- return (error);
-}
-
-
-#ifdef _KERNEL
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(struct inode *inode, struct file *file)
-{
- u_int min = GET_MINOR(inode->i_rdev);
-
- if (IPL_LOGMAX < min)
- min = ENXIO;
- else {
- MOD_INC_USE_COUNT;
- min = 0;
- }
- return min;
-}
-
-
-void iplclose(struct inode *inode, struct file *file)
-{
- u_int min = GET_MINOR(inode->i_rdev);
-
- if (IPL_LOGMAX >= min) {
- MOD_DEC_USE_COUNT;
- }
-}
-
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-int iplread(struct inode *inode, struct file *file, char *buf, int nbytes)
-{
- struct uio uiob, *uio = &uiob;
-
- uio->uio_buf = buf;
- uio->uio_resid = nbytes;
-# ifdef IPFILTER_LOG
- return ipflog_read(GET_MINOR(inode->i_rdev), uio);
-# else
- return ENXIO;
-# endif
-}
-
-
-/*
- * send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int send_reset(ti, ifp)
-struct tcpiphdr *ti;
-struct ifnet *ifp;
-{
- tcphdr_t *tcp;
- int tlen = 0;
- ip_t *ip;
- mb_t *m;
-
- if (ti->ti_flags & TH_RST)
- return -1; /* feedback loop */
-
- m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC);
- if (m == NULL)
- return -1;
-
- if (ti->ti_flags & TH_SYN)
- tlen = 1;
-
- m->dev = ifp;
- m->csum = 0;
- ip = mtod(m, ip_t *);
- m->h.iph = ip;
- m->ip_hdr = NULL;
- m->m_len = sizeof(tcpiphdr_t);
- tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t));
- bzero((char *)ip, sizeof(tcpiphdr_t));
-
- ip->ip_v = IPVERSION;
- ip->ip_hl = sizeof(ip_t) >> 2;
- ip->ip_tos = ((ip_t *)ti)->ip_tos;
- ip->ip_p = ((ip_t *)ti)->ip_p;
- ip->ip_id = ((ip_t *)ti)->ip_id;
- ip->ip_len = htons(sizeof(tcpiphdr_t));
- ip->ip_ttl = 127;
- ip->ip_src.s_addr = ti->ti_dst.s_addr;
- ip->ip_dst.s_addr = ti->ti_src.s_addr;
- tcp->th_dport = ti->ti_sport;
- tcp->th_sport = ti->ti_dport;
- tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
- tcp->th_off = sizeof(tcphdr_t) >> 2;
- tcp->th_flags = TH_RST|TH_ACK;
-
- ip->ip_sum = 0;
- ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t));
- tcp->th_sum = fr_tcpsum(m, ip, tcp);
- return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr);
-}
-
-
-size_t mbufchainlen(m0)
-register mb_t *m0;
-{
- register size_t len = 0;
-
- for (; m0; m0 = m0->m_next)
- len += m0->m_len;
- return len;
-}
-
-
-void ipfr_fastroute(m0, fin, fdp)
-mb_t *m0;
-fr_info_t *fin;
-frdest_t *fdp;
-{
-#if notyet
- register ip_t *ip, *mhip;
- register mb_t *m = m0;
- register struct route *ro;
- struct ifnet *ifp = fdp->fd_ifp;
- int len, off, error = 0;
- int hlen = fin->fin_hlen;
- struct route iproute;
- struct sockaddr_in *dst;
-
- ip = mtod(m0, ip_t *);
- /*
- * Route packet.
- */
- ro = &iproute;
- bzero((caddr_t)ro, sizeof (*ro));
- dst = (struct sockaddr_in *)&ro->ro_dst;
- dst->sin_family = AF_INET;
- dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
- /*
- * XXX -allocate route here
- */
- if (!ifp) {
- if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) {
- error = -2;
- goto bad;
- }
- if (ro->ro_rt == 0 || (ifp = ro->ro_rt->rt_ifp) == 0) {
- if (in_localaddr(ip->ip_dst))
- error = EHOSTUNREACH;
- else
- error = ENETUNREACH;
- goto bad;
- }
- if (ro->ro_rt->rt_flags & RTF_GATEWAY)
- dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
- }
- ro->ro_rt->rt_use++;
-
- /*
- * For input packets which are being "fastrouted", they won't
- * go back through output filtering and miss their chance to get
- * NAT'd.
- */
- (void) ip_natout(ip, hlen, fin);
- if (fin->fin_out)
- ip->ip_sum = 0;
- /*
- * If small enough for interface, can just send directly.
- */
- if (ip->ip_len <= ifp->if_mtu) {
-# ifndef sparc
- ip->ip_id = htons(ip->ip_id);
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
-# endif
- if (!ip->ip_sum)
- ip->ip_sum = in_cksum(m, hlen);
- error = (*ifp->hard_start_xmit)(m, ifp, m);
- goto done;
- }
- /*
- * Too large for interface; fragment if possible.
- * Must be able to put at least 8 bytes per fragment.
- */
- if (ip->ip_off & IP_DF) {
- error = EMSGSIZE;
- goto bad;
- }
- len = (ifp->if_mtu - hlen) &~ 7;
- if (len < 8) {
- error = EMSGSIZE;
- goto bad;
- }
-
- {
- int mhlen, firstlen = len;
- mb_t **mnext = &m->m_act;
-
- /*
- * Loop through length of segment after first fragment,
- * make new header and copy data of each part and link onto chain.
- */
- m0 = m;
- mhlen = sizeof (struct ip);
- for (off = hlen + len; off < ip->ip_len; off += len) {
- MGET(m, M_DONTWAIT, MT_HEADER);
- if (m == 0) {
- error = ENOBUFS;
- goto bad;
- }
- m->m_data += max_linkhdr;
- mhip = mtod(m, struct ip *);
- bcopy((char *)ip, (char *)mhip, sizeof(*ip));
- if (hlen > sizeof (struct ip)) {
- mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
- mhip->ip_hl = mhlen >> 2;
- }
- m->m_len = mhlen;
- mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
- if (ip->ip_off & IP_MF)
- mhip->ip_off |= IP_MF;
- if (off + len >= ip->ip_len)
- len = ip->ip_len - off;
- else
- mhip->ip_off |= IP_MF;
- mhip->ip_len = htons((u_short)(len + mhlen));
- m->m_next = m_copy(m0, off, len);
- if (m->m_next == 0) {
- error = ENOBUFS; /* ??? */
- goto sendorfree;
- }
-# ifndef sparc
- mhip->ip_off = htons((u_short)mhip->ip_off);
-# endif
- mhip->ip_sum = 0;
- mhip->ip_sum = in_cksum(m, mhlen);
- *mnext = m;
- mnext = &m->m_act;
- }
- /*
- * Update first fragment by trimming what's been copied out
- * and updating header, then send each fragment (in order).
- */
- m_adj(m0, hlen + firstlen - ip->ip_len);
- ip->ip_len = htons((u_short)(hlen + firstlen));
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
- ip->ip_sum = in_cksum(m0, hlen);
-sendorfree:
- for (m = m0; m; m = m0) {
- m0 = m->m_act;
- m->m_act = 0;
- if (error == 0)
- error = (*ifp->if_output)(ifp, m,
- (struct sockaddr *)dst);
- else
- m_freem(m);
- }
- }
-done:
- if (!error)
- ipl_frouteok[0]++;
- else
- ipl_frouteok[1]++;
-
- if (ro->ro_rt) {
- RTFREE(ro->ro_rt);
- }
- return;
-bad:
- m_freem(m);
- goto done;
-# endif
-}
-
-
-/*
- * Fake BSD uiomove() call.
- */
-int uiomove(caddr_t src, size_t ssize, int rw, struct uio *uio)
-{
- int error;
- size_t mv = MIN(ssize, uio->uio_resid);
-
- if (rw == UIO_READ) {
- error = IWCOPY(src, (caddr_t)uio->uio_buf, mv);
- } else if (rw == UIO_WRITE) {
- error = IRCOPY((caddr_t)uio->uio_buf, src, mv);
- } else
- error = EINVAL;
- if (!error) {
- uio->uio_resid -= mv;
- uio->uio_buf += mv;
- }
- return error;
-}
-
-# ifdef IPFILTER_LKM
-# ifndef IPL_MAJOR
-# define IPL_MAJOR 95
-# endif
-
-# ifndef IPL_NAME
-# define IPL_NAME "/dev/ipl"
-# endif
-
-static struct file_operations ipl_fops = {
- NULL, /* lseek */
- iplread, /* read */
- NULL, /* write */
- NULL, /* readdir */
- NULL, /* select */
- iplioctl, /* ioctl */
- NULL, /* mmap */
- iplopen, /* open */
- iplclose, /* release */
- NULL, /* fsync */
- NULL, /* fasync */
- NULL, /* check_media_change */
- NULL, /* revalidate */
-};
-
-
-int init_module(void)
-{
- int error = 0, major;
-
- if (register_chrdev(IPL_MAJOR, "ipf", &ipl_fops)) {
- printk("ipf: unable to get major number: %d\n", IPL_MAJOR);
- return -EIO;
- }
-
- error = iplattach();
- if (!error)
- register_symtab(0);
- return -error;
-}
-
-void cleanup_module(void)
-{
- unregister_chrdev(IPL_MAJOR, "ipf");
- (void) ipldetach();
-}
-# endif /* IPFILTER_LKM */
-#else /* #ifdef _KERNEL */
-
-
-static int no_output __P((mb_t *m, struct ifnet *ifp))
-{
- return 0;
-}
-
-
-static int write_output __P((mb_t *m, struct ifnet *ifp))
-{
- FILE *fp;
- char fname[32];
- ip_t *ip;
-
- ip = mtod(m, ip_t *);
- sprintf(fname, "/tmp/%s", ifp->name);
- if ((fp = fopen(fname, "a"))) {
- fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
- fclose(fp);
- }
- return 0;
-}
-
-
-struct ifnet *get_unit(name, v)
-char *name;
-int v;
-{
- struct ifnet *ifp, **ifa;
- char ifname[32], *s;
-
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- (void) sprintf(ifname, "%s", ifp->name);
- if (!strcmp(name, ifname))
- return ifp;
- }
-
- if (!ifneta) {
- ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
- ifneta[1] = NULL;
- ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
- nifs = 1;
- } else {
- nifs++;
- ifneta = (struct ifnet **)realloc(ifneta,
- (nifs + 1) * sizeof(*ifa));
- ifneta[nifs] = NULL;
- ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
- }
- ifp = ifneta[nifs - 1];
-
- for (s = name; *s && !isdigit(*s); s++)
- ;
- if (*s && isdigit(*s)) {
- ifp->name = (char *)malloc(s - name + 1);
- strncpy(ifp->name, name, s - name);
- ifp->name[s - name] = '\0';
- } else {
- ifp->name = strdup(name);
- }
- ifp->hard_start_xmit = no_output;
- return ifp;
-}
-
-
-
-void init_ifp()
-{
- FILE *fp;
- struct ifnet *ifp, **ifa;
- char fname[32];
-
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- ifp->hard_start_xmit = write_output;
- sprintf(fname, "/tmp/%s", ifp->name);
- if ((fp = fopen(fname, "w")))
- fclose(fp);
- }
-}
-
-
-void ipfr_fastroute(ip, fin, fdp)
-ip_t *ip;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- struct ifnet *ifp = fdp->fd_ifp;
-
- if (!ifp)
- return; /* no routing table out here */
-
- ip->ip_len = htons((u_short)ip->ip_len);
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
- (*ifp->hard_start_xmit)((mb_t *)ip, ifp);
-}
-
-
-int ipllog __P((void))
-{
- verbose("l");
- return 0;
-}
-
-
-int send_reset(ip, ifp)
-ip_t *ip;
-struct ifnet *ifp;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-
-
-int icmp_error(ip, ifp)
-ip_t *ip;
-struct ifnet *ifp;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-#endif /* _KERNEL */
diff --git a/contrib/ipfilter/ip_lookup.c b/contrib/ipfilter/ip_lookup.c
index b832373..2f404ee 100644
--- a/contrib/ipfilter/ip_lookup.c
+++ b/contrib/ipfilter/ip_lookup.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002-2003 by Darren Reed.
diff --git a/contrib/ipfilter/ip_lookup.h b/contrib/ipfilter/ip_lookup.h
index e9f8cb8..7d9acad 100644
--- a/contrib/ipfilter/ip_lookup.h
+++ b/contrib/ipfilter/ip_lookup.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#ifndef __IP_LOOKUP_H__
diff --git a/contrib/ipfilter/ip_msnrpc_pxy.c b/contrib/ipfilter/ip_msnrpc_pxy.c
index 187a964..40bc084 100644
--- a/contrib/ipfilter/ip_msnrpc_pxy.c
+++ b/contrib/ipfilter/ip_msnrpc_pxy.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2000-2003 by Darren Reed
diff --git a/contrib/ipfilter/ip_pool.c b/contrib/ipfilter/ip_pool.c
index b6e111b..9880c9d 100644
--- a/contrib/ipfilter/ip_pool.c
+++ b/contrib/ipfilter/ip_pool.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/ip_pool.h b/contrib/ipfilter/ip_pool.h
index 3e3c073..5ddc74e 100644
--- a/contrib/ipfilter/ip_pool.h
+++ b/contrib/ipfilter/ip_pool.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/ip_pptp_pxy.c b/contrib/ipfilter/ip_pptp_pxy.c
index 2511a17..b7ec697 100644
--- a/contrib/ipfilter/ip_pptp_pxy.c
+++ b/contrib/ipfilter/ip_pptp_pxy.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002-2003 by Darren Reed
diff --git a/contrib/ipfilter/ip_rpcb_pxy.c b/contrib/ipfilter/ip_rpcb_pxy.c
index 5d0a1ee..4c01223 100644
--- a/contrib/ipfilter/ip_rpcb_pxy.c
+++ b/contrib/ipfilter/ip_rpcb_pxy.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
diff --git a/contrib/ipfilter/ip_scan.c b/contrib/ipfilter/ip_scan.c
index 37f6d58..b36fccf 100644
--- a/contrib/ipfilter/ip_scan.c
+++ b/contrib/ipfilter/ip_scan.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
diff --git a/contrib/ipfilter/ip_scan.h b/contrib/ipfilter/ip_scan.h
index de98f9c..8891367 100644
--- a/contrib/ipfilter/ip_scan.h
+++ b/contrib/ipfilter/ip_scan.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
deleted file mode 100644
index 9e995d9..0000000
--- a/contrib/ipfilter/ip_sfil.c
+++ /dev/null
@@ -1,991 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * I hate legaleese, don't you ?
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.27 2003/06/12 16:03:14 darrenr Exp $";
-#endif
-
-#include <sys/types.h>
-#include <sys/errno.h>
-#include <sys/param.h>
-#include <sys/cpuvar.h>
-#include <sys/open.h>
-#include <sys/ioctl.h>
-#include <sys/filio.h>
-#include <sys/systm.h>
-#include <sys/cred.h>
-#include <sys/ddi.h>
-#include <sys/sunddi.h>
-#include <sys/ksynch.h>
-#include <sys/kmem.h>
-#include <sys/mkdev.h>
-#include <sys/protosw.h>
-#include <sys/socket.h>
-#include <sys/dditypes.h>
-#include <sys/cmn_err.h>
-#include <net/if.h>
-#include <net/af.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-#endif
-#include "ip_fil.h"
-#include "ip_state.h"
-#include "ip_nat.h"
-#include "ip_frag.h"
-#include "ip_auth.h"
-#include "ip_proxy.h"
-#include <inet/ip_ire.h>
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-extern fr_flags, fr_active;
-
-int fr_running = 0;
-int ipl_unreach = ICMP_UNREACH_HOST;
-u_long ipl_frouteok[2] = {0, 0};
-static int frzerostats __P((caddr_t));
-#if SOLARIS2 >= 7
-static u_int *ip_ttl_ptr;
-static u_int *ip_mtudisc;
-#else
-static u_long *ip_ttl_ptr;
-static u_long *ip_mtudisc;
-#endif
-
-static int frrequest __P((minor_t, int, caddr_t, int));
-static int send_ip __P((fr_info_t *fin, mblk_t *m));
-kmutex_t ipl_mutex, ipf_authmx, ipf_rw;
-KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris;
-KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-kcondvar_t iplwait, ipfauthwait;
-
-
-int ipldetach()
-{
- int i;
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "ipldetach()\n");
-#endif
-#ifdef IPFILTER_LOG
- for (i = IPL_LOGMAX; i >= 0; i--)
- ipflog_clear(i);
-#endif
- i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
- ipfr_unload();
- fr_stateunload();
- ip_natunload();
- cv_destroy(&iplwait);
- cv_destroy(&ipfauthwait);
- mutex_destroy(&ipf_authmx);
- mutex_destroy(&ipl_mutex);
- mutex_destroy(&ipf_rw);
- RW_DESTROY(&ipf_mutex);
- RW_DESTROY(&ipf_frag);
- RW_DESTROY(&ipf_state);
- RW_DESTROY(&ipf_natfrag);
- RW_DESTROY(&ipf_nat);
- RW_DESTROY(&ipf_auth);
- RW_DESTROY(&ipfs_mutex);
- /* NOTE: This lock is acquired in ipf_detach */
- RWLOCK_EXIT(&ipf_solaris);
- RW_DESTROY(&ipf_solaris);
- return 0;
-}
-
-
-int iplattach __P((void))
-{
- int i;
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplattach()\n");
-#endif
- bzero((char *)frcache, sizeof(frcache));
- mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL);
- RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL);
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL);
- RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL);
- RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock", NULL);
- RWLOCK_INIT(&ipf_state, "ipf IP state rwlock", NULL);
- RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock", NULL);
- RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock", NULL);
- RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock", NULL);
- cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
- cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
-#ifdef IPFILTER_LOG
- ipflog_init();
-#endif
- if (nat_init() == -1)
- return -1;
- if (fr_stateinit() == -1)
- return -1;
- if (appr_init() == -1)
- return -1;
-
- ip_ttl_ptr = NULL;
- ip_mtudisc = NULL;
- /*
- * XXX - There is no terminator for this array, so it is not possible
- * to tell if what we are looking for is missing and go off the end
- * of the array.
- */
- for (i = 0; ; i++) {
- if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) {
- ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
- } else if (strcmp(ip_param_arr[i].ip_param_name,
- "ip_path_mtu_discovery") == 0) {
- ip_mtudisc = &ip_param_arr[i].ip_param_value;
- }
-
- if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
- break;
- }
- return 0;
-}
-
-
-static int frzerostats(data)
-caddr_t data;
-{
- friostat_t fio;
- int error;
-
- fr_getstat(&fio);
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- if (error)
- return error;
-
- bzero((char *)frstats, sizeof(*frstats) * 2);
-
- return 0;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-int iplioctl(dev, cmd, data, mode, cp, rp)
-dev_t dev;
-int cmd;
-#if SOLARIS2 >= 7
-intptr_t data;
-#else
-int *data;
-#endif
-int mode;
-cred_t *cp;
-int *rp;
-{
- int error = 0, tmp;
- minor_t unit;
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n",
- dev, cmd, data, mode, cp, rp);
-#endif
- unit = getminor(dev);
- if (IPL_LOGMAX < unit)
- return ENXIO;
-
- if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
- return ENODEV;
-
- if (fr_running <= 0)
- return 0;
-
- READ_ENTER(&ipf_solaris);
- if (unit == IPL_LOGNAT) {
- error = nat_ioctl((caddr_t)data, cmd, mode);
- RWLOCK_EXIT(&ipf_solaris);
- return error;
- }
- if (unit == IPL_LOGSTATE) {
- error = fr_state_ioctl((caddr_t)data, cmd, mode);
- RWLOCK_EXIT(&ipf_solaris);
- return error;
- }
- if (unit == IPL_LOGAUTH) {
- if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
- if (!(mode & FWRITE)) {
- error = EPERM;
- } else {
- error = frrequest(unit, cmd, (caddr_t)data,
- fr_active);
- }
- } else {
- error = fr_auth_ioctl((caddr_t)data, mode, cmd);
- }
- RWLOCK_EXIT(&ipf_solaris);
- return error;
- }
-
- switch (cmd) {
- case SIOCFRENB :
- {
- u_int enable;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = IRCOPY((caddr_t)data, (caddr_t)&enable,
- sizeof(enable));
- break;
- }
- case SIOCSETFF :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- WRITE_ENTER(&ipf_mutex);
- error = IRCOPY((caddr_t)data, (caddr_t)&fr_flags,
- sizeof(fr_flags));
- RWLOCK_EXIT(&ipf_mutex);
- }
- break;
- case SIOCGETFF :
- error = IWCOPY((caddr_t)&fr_flags, (caddr_t)data,
- sizeof(fr_flags));
- if (error)
- error = EFAULT;
- break;
- case SIOCINAFR :
- case SIOCRMAFR :
- case SIOCADAFR :
- case SIOCZRLST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, (caddr_t)data, fr_active);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, (caddr_t)data,
- 1 - fr_active);
- break;
- case SIOCSWAPA :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- WRITE_ENTER(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- error = IWCOPY((caddr_t)&fr_active, (caddr_t)data,
- sizeof(fr_active));
- if (error)
- error = EFAULT;
- fr_active = 1 - fr_active;
- RWLOCK_EXIT(&ipf_mutex);
- }
- break;
- case SIOCGETFS :
- {
- friostat_t fio;
-
- READ_ENTER(&ipf_mutex);
- fr_getstat(&fio);
- RWLOCK_EXIT(&ipf_mutex);
- error = IWCOPYPTR((caddr_t)&fio, (caddr_t)data, sizeof(fio));
- if (error)
- error = EFAULT;
- break;
- }
- case SIOCFRZST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frzerostats((caddr_t)data);
- break;
- case SIOCIPFFL :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
- sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, 4, tmp);
- error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
- sizeof(tmp));
- if (error)
- error = EFAULT;
- }
- }
- break;
-#ifdef USE_INET6
- case SIOCIPFL6 :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
- sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, 6, tmp);
- error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
- sizeof(tmp));
- if (error)
- error = EFAULT;
- }
- }
- break;
-#endif
- case SIOCSTLCK :
- error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
- if (!error) {
- fr_state_lock = tmp;
- fr_nat_lock = tmp;
- fr_frag_lock = tmp;
- fr_auth_lock = tmp;
- } else
- error = EFAULT;
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- tmp = ipflog_clear(unit);
- error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
- sizeof(tmp));
- if (error)
- error = EFAULT;
- }
- break;
-#endif /* IPFILTER_LOG */
- case SIOCFRSYN :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = ipfsync();
- break;
- case SIOCGFRST :
- error = IWCOPYPTR((caddr_t)ipfr_fragstats(), (caddr_t)data,
- sizeof(ipfrstat_t));
- break;
- case FIONREAD :
- {
-#ifdef IPFILTER_LOG
- int copy = (int)iplused[IPL_LOGIPF];
-
- error = IWCOPY((caddr_t)&copy, (caddr_t)data, sizeof(copy));
- if (error)
- error = EFAULT;
-#endif
- break;
- }
- default :
- error = EINVAL;
- break;
- }
- RWLOCK_EXIT(&ipf_solaris);
- return error;
-}
-
-
-ill_t *get_unit(name, v)
-char *name;
-int v;
-{
- size_t len = strlen(name) + 1; /* includes \0 */
- ill_t *il;
-#if SOLARIS2 >= 10
- ill_walk_context_t ctx;
-#endif
- int sap;
-
- if (v == 4)
- sap = 0x0800;
- else if (v == 6)
- sap = 0x86dd;
- else
- return NULL;
-#if SOLARIS2 >= 10
- for (il = ILL_START_WALK_ALL(&ctx); il; il = ill_next(&ctx, il))
-#else
- for (il = ill_g_head; il; il = il->ill_next)
-#endif
- if ((len == il->ill_name_length) && (il->ill_sap == sap) &&
- !strncmp(il->ill_name, name, len))
- return il;
- return NULL;
-}
-
-
-static int frrequest(unit, req, data, set)
-minor_t unit;
-int req, set;
-caddr_t data;
-{
- register frentry_t *fp, *f, **fprev;
- register frentry_t **ftail;
- frgroup_t *fg = NULL;
- int error = 0, in, i;
- u_int *p, *pp;
- frdest_t *fdp;
- frentry_t fr;
- u_32_t group;
- ipif_t *ipif;
- ill_t *ill;
- ire_t *ire;
-
- fp = &fr;
- error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
- if (error)
- return EFAULT;
- fp->fr_ref = 0;
-#if SOLARIS2 >= 8
- if (fp->fr_v == 4)
- fp->fr_sap = IP_DL_SAP;
- else if (fp->fr_v == 6)
- fp->fr_sap = IP6_DL_SAP;
- else
- return EINVAL;
-#else
- fp->fr_sap = 0;
-#endif
-
- WRITE_ENTER(&ipf_mutex);
- /*
- * Check that the group number does exist and that if a head group
- * has been specified, doesn't exist.
- */
- if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
- (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
- fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) {
- error = EEXIST;
- goto out;
- }
- if ((req != SIOCZRLST) && fp->fr_group &&
- !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) {
- error = ESRCH;
- goto out;
- }
-
- in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
- if (unit == IPL_LOGAUTH)
- ftail = fprev = &ipauth;
- else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
- ftail = fprev = &ipacct[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
- ftail = fprev = &ipfilter[in][set];
-#ifdef USE_INET6
- else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
- ftail = fprev = &ipacct6[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
- ftail = fprev = &ipfilter6[in][set];
-#endif
- else {
- error = ESRCH;
- goto out;
- }
-
- group = fp->fr_group;
- if (group != 0) {
- fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL);
- if (fg == NULL) {
- error = ESRCH;
- goto out;
- }
- ftail = fprev = fg->fg_start;
- }
-
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
- for (i = 0; i < 4; i++) {
- if ((fp->fr_ifnames[i][1] == '\0') &&
- ((fp->fr_ifnames[i][0] == '-') ||
- (fp->fr_ifnames[i][0] == '*'))) {
- fp->fr_ifas[i] = NULL;
- } else if (*fp->fr_ifnames[i]) {
- fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
- if (!fp->fr_ifas[i])
- fp->fr_ifas[i] = (void *)-1;
- }
- }
-
- fdp = &fp->fr_dif;
- fdp->fd_mp = NULL;
- fp->fr_flags &= ~FR_DUP;
- if (*fdp->fd_ifname) {
- ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
- if (!ill)
- ire = (ire_t *)-1;
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) {
-#if SOLARIS2 > 5
- ire = ire_ctable_lookup(ipif->ipif_local_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
-#else
- ire = ire_lookup_myaddr(ipif->ipif_local_addr);
-#endif
- if (!ire)
- ire = (ire_t *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-#ifdef USE_INET6
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) {
- ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
- if (!ire)
- ire = (ire_t *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-#endif
- fdp->fd_ifp = (struct ifnet *)ire;
- }
-
- fdp = &fp->fr_tif;
- fdp->fd_mp = NULL;
- if (*fdp->fd_ifname) {
- ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
- if (!ill)
- ire = (ire_t *)-1;
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) {
-#if SOLARIS2 > 5
- ire = ire_ctable_lookup(ipif->ipif_local_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
-#else
- ire = ire_lookup_myaddr(ipif->ipif_local_addr);
-#endif
- if (!ire)
- ire = (ire_t *)-1;
- }
-#ifdef USE_INET6
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) {
- ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
- if (!ire)
- ire = (ire_t *)-1;
- }
-#endif
- fdp->fd_ifp = (struct ifnet *)ire;
- }
-
- /*
- * Look for a matching filter rule, but don't include the next or
- * interface pointer in the comparison (fr_next, fr_ifa).
- */
- for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
- p < pp; p++)
- fp->fr_cksum += *p;
-
- for (; (f = *ftail); ftail = &f->fr_next)
- if ((fp->fr_cksum == f->fr_cksum) &&
- !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
- break;
-
- /*
- * If zero'ing statistics, copy current to caller and zero.
- */
- if (req == SIOCZRLST) {
- if (!f) {
- error = ESRCH;
- goto out;
- }
- MUTEX_DOWNGRADE(&ipf_mutex);
- error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
- if (error)
- goto out;
- f->fr_hits = 0;
- f->fr_bytes = 0;
- goto out;
- }
-
- if (!f) {
- if (req != SIOCINAFR && req != SIOCINIFR)
- while ((f = *ftail))
- ftail = &f->fr_next;
- else {
- ftail = fprev;
- if (fp->fr_hits) {
- while (--fp->fr_hits && (f = *ftail))
- ftail = &f->fr_next;
- }
- f = NULL;
- }
- }
-
- if (req == SIOCRMAFR || req == SIOCRMIFR) {
- if (!f)
- error = ESRCH;
- else {
- /*
- * Only return EBUSY if there is a group list, else
- * it's probably just state information referencing
- * the rule.
- */
- if ((f->fr_ref > 1) && f->fr_grp) {
- error = EBUSY;
- goto out;
- }
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH) {
- return fr_preauthcmd(req, f, ftail);
- }
- if (f->fr_grhead)
- fr_delgroup(f->fr_grhead, fp->fr_flags,
- unit, set);
- fixskip(fprev, f, -1);
- *ftail = f->fr_next;
- f->fr_next = NULL;
- f->fr_ref--;
- if (f->fr_ref == 0)
- KFREE(f);
- }
- } else {
- if (f) {
- error = EEXIST;
- } else {
- if (unit == IPL_LOGAUTH) {
- return fr_preauthcmd(req, fp, ftail);
- }
- KMALLOC(f, frentry_t *);
- if (f != NULL) {
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref++;
- bcopy((char *)fp, (char *)f, sizeof(*f));
- f->fr_ref = 1;
- f->fr_hits = 0;
- f->fr_next = *ftail;
- *ftail = f;
- if (req == SIOCINIFR || req == SIOCINAFR)
- fixskip(fprev, f, 1);
- f->fr_grp = NULL;
- group = f->fr_grhead;
- if (group != 0)
- fg = fr_addgroup(group, f, unit, set);
- } else
- error = ENOMEM;
- }
- }
-out:
- RWLOCK_EXIT(&ipf_mutex);
- return (error);
-}
-
-
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(devp, flags, otype, cred)
-dev_t *devp;
-int flags, otype;
-cred_t *cred;
-{
- minor_t min = getminor(*devp);
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred);
-#endif
- if ((fr_running <= 0) || !(otype & OTYP_CHR))
- return ENXIO;
- min = (IPL_LOGMAX < min) ? ENXIO : 0;
- return min;
-}
-
-
-int iplclose(dev, flags, otype, cred)
-dev_t dev;
-int flags, otype;
-cred_t *cred;
-{
- minor_t min = getminor(dev);
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred);
-#endif
- min = (IPL_LOGMAX < min) ? ENXIO : 0;
- return min;
-}
-
-#ifdef IPFILTER_LOG
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-int iplread(dev, uio, cp)
-dev_t dev;
-register struct uio *uio;
-cred_t *cp;
-{
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplread(%x,%x,%x)\n", dev, uio, cp);
-#endif
- return ipflog_read(getminor(dev), uio);
-}
-#endif /* IPFILTER_LOG */
-
-
-/*
- * send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int send_reset(oip, fin)
-ip_t *oip;
-fr_info_t *fin;
-{
- tcphdr_t *tcp, *tcp2;
- int tlen, hlen;
- mblk_t *m;
-#ifdef USE_INET6
- ip6_t *ip6, *oip6 = (ip6_t *)oip;
-#endif
- ip_t *ip;
-
- tcp = (struct tcphdr *)fin->fin_dp;
- if (tcp->th_flags & TH_RST)
- return -1;
- tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 1 : 0;
-#ifdef USE_INET6
- if (fin->fin_v == 6)
- hlen = sizeof(ip6_t);
- else
-#endif
- hlen = sizeof(ip_t);
- hlen += sizeof(*tcp2);
- if ((m = (mblk_t *)allocb(hlen + 16, BPRI_HI)) == NULL)
- return -1;
-
- m->b_rptr += 16;
- MTYPE(m) = M_DATA;
- m->b_wptr = m->b_rptr + hlen;
- bzero((char *)m->b_rptr, hlen);
- tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2));
- tcp2->th_dport = tcp->th_sport;
- tcp2->th_sport = tcp->th_dport;
- if (tcp->th_flags & TH_ACK) {
- tcp2->th_seq = tcp->th_ack;
- tcp2->th_flags = TH_RST;
- } else {
- tcp2->th_ack = ntohl(tcp->th_seq);
- tcp2->th_ack += tlen;
- tcp2->th_ack = htonl(tcp2->th_ack);
- tcp2->th_flags = TH_RST|TH_ACK;
- }
- tcp2->th_off = sizeof(struct tcphdr) >> 2;
-
- /*
- * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum
- * computation that is done by their put routine.
- */
- tcp2->th_sum = htons(0x14);
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- ip6 = (ip6_t *)m->b_rptr;
- ip6->ip6_src = oip6->ip6_dst;
- ip6->ip6_dst = oip6->ip6_src;
- ip6->ip6_plen = htons(sizeof(*tcp));
- ip6->ip6_nxt = IPPROTO_TCP;
- } else
-#endif
- {
- ip = (ip_t *)m->b_rptr;
- ip->ip_src.s_addr = oip->ip_dst.s_addr;
- ip->ip_dst.s_addr = oip->ip_src.s_addr;
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp));
- ip->ip_tos = oip->ip_tos;
- }
- return send_ip(fin, m);
-}
-
-
-int static send_ip(fin, m)
-fr_info_t *fin;
-mblk_t *m;
-{
- RWLOCK_EXIT(&ipfs_mutex);
- RWLOCK_EXIT(&ipf_solaris);
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- extern void ip_wput_v6 __P((queue_t *, mblk_t *));
- ip6_t *ip6;
-
- ip6 = (ip6_t *)m->b_rptr;
- ip6->ip6_flow = 0;
- ip6->ip6_vfc = 0x60;
- ip6->ip6_hlim = 127;
- ip_wput_v6(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
- } else
-#endif
- {
- ip_t *ip;
-
- ip = (ip_t *)m->b_rptr;
- ip->ip_v = IPVERSION;
- ip->ip_ttl = (u_char)(*ip_ttl_ptr);
- ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
- ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
- }
- READ_ENTER(&ipf_solaris);
- READ_ENTER(&ipfs_mutex);
- return 0;
-}
-
-
-int send_icmp_err(oip, type, fin, dst)
-ip_t *oip;
-int type;
-fr_info_t *fin;
-int dst;
-{
- struct in_addr dst4;
- struct icmp *icmp;
- mblk_t *m, *mb;
- int hlen, code;
- qif_t *qif;
- u_short sz;
- ill_t *il;
-#ifdef USE_INET6
- ip6_t *ip6, *oip6;
-#endif
- ip_t *ip;
-
- if ((type < 0) || (type > ICMP_MAXTYPE))
- return -1;
-
- code = fin->fin_icode;
-#ifdef USE_INET6
- if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
- return -1;
-#endif
-
- qif = fin->fin_qif;
- m = fin->fin_qfm;
-
-#ifdef USE_INET6
- if (oip->ip_v == 6) {
- oip6 = (ip6_t *)oip;
- sz = sizeof(ip6_t);
- sz += MIN(m->b_wptr - m->b_rptr, 512);
- hlen = sizeof(ip6_t);
- type = icmptoicmp6types[type];
- if (type == ICMP6_DST_UNREACH)
- code = icmptoicmp6unreach[code];
- } else
-#endif
- {
- if ((oip->ip_p == IPPROTO_ICMP) &&
- !(fin->fin_fi.fi_fl & FI_SHORT))
- switch (ntohs(fin->fin_data[0]) >> 8)
- {
- case ICMP_ECHO :
- case ICMP_TSTAMP :
- case ICMP_IREQ :
- case ICMP_MASKREQ :
- break;
- default :
- return 0;
- }
-
- sz = sizeof(ip_t) * 2;
- sz += 8; /* 64 bits of data */
- hlen = sz;
- }
-
- sz += offsetof(struct icmp, icmp_ip);
- if ((mb = (mblk_t *)allocb((size_t)sz + 16, BPRI_HI)) == NULL)
- return -1;
- MTYPE(mb) = M_DATA;
- mb->b_rptr += 16;
- mb->b_wptr = mb->b_rptr + sz;
- bzero((char *)mb->b_rptr, (size_t)sz);
- icmp = (struct icmp *)(mb->b_rptr + sizeof(*ip));
- icmp->icmp_type = type;
- icmp->icmp_code = code;
- icmp->icmp_cksum = 0;
-#ifdef icmp_nextmtu
- if (type == ICMP_UNREACH && (il = qif->qf_ill) &&
- fin->fin_icode == ICMP_UNREACH_NEEDFRAG)
- icmp->icmp_nextmtu = htons(il->ill_max_frag);
-#endif
-
-#ifdef USE_INET6
- if (oip->ip_v == 6) {
- struct in6_addr dst6;
- int csz;
-
- if (dst == 0) {
- if (fr_ifpaddr(6, ((qif_t *)fin->fin_qif)->qf_ill,
- (struct in_addr *)&dst6) == -1)
- return -1;
- } else
- dst6 = oip6->ip6_dst;
-
- csz = sz;
- sz -= sizeof(ip6_t);
- ip6 = (ip6_t *)mb->b_rptr;
- ip6->ip6_flow = 0;
- ip6->ip6_vfc = 0x60;
- ip6->ip6_hlim = 127;
- ip6->ip6_plen = htons(sz);
- ip6->ip6_nxt = IPPROTO_ICMPV6;
- ip6->ip6_src = dst6;
- ip6->ip6_dst = oip6->ip6_src;
- sz -= offsetof(struct icmp, icmp_ip);
- bcopy((char *)m->b_rptr, (char *)&icmp->icmp_ip, sz);
- icmp->icmp_cksum = csz - sizeof(ip6_t);
- } else
-#endif
- {
- ip = (ip_t *)mb->b_rptr;
- ip->ip_v = IPVERSION;
- ip->ip_hl = (sizeof(*ip) >> 2);
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_id = oip->ip_id;
- ip->ip_sum = 0;
- ip->ip_ttl = (u_char)(*ip_ttl_ptr);
- ip->ip_tos = oip->ip_tos;
- ip->ip_len = (u_short)htons(sz);
- if (dst == 0) {
- if (fr_ifpaddr(4, ((qif_t *)fin->fin_qif)->qf_ill,
- &dst4) == -1)
- return -1;
- } else
- dst4 = oip->ip_dst;
- ip->ip_src = dst4;
- ip->ip_dst = oip->ip_src;
- bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip));
- bcopy((char *)oip + (oip->ip_hl << 2),
- (char *)&icmp->icmp_ip + sizeof(*oip), 8);
- icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
- sizeof(*icmp) + 8);
- }
-
- /*
- * Need to exit out of these so we don't recursively call rw_enter
- * from fr_qout.
- */
- return send_ip(fin, mb);
-}
diff --git a/contrib/ipfilter/ip_sync.c b/contrib/ipfilter/ip_sync.c
index 396bae7..40a027e 100644
--- a/contrib/ipfilter/ip_sync.c
+++ b/contrib/ipfilter/ip_sync.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
diff --git a/contrib/ipfilter/ip_sync.h b/contrib/ipfilter/ip_sync.h
index e319a95..25ad708 100644
--- a/contrib/ipfilter/ip_sync.h
+++ b/contrib/ipfilter/ip_sync.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
deleted file mode 100644
index cf85280..0000000
--- a/contrib/ipfilter/ipf.c
+++ /dev/null
@@ -1,764 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-#include "ipf.h"
-#include "ipl.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.23 2003/06/27 14:39:13 darrenr Exp $";
-#endif
-
-#if SOLARIS
-static void blockunknown __P((void));
-#endif
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-
-void frsync __P((void));
-void zerostats __P((void));
-int main __P((int, char *[]));
-
-int opts = 0;
-int use_inet6 = 0;
-
-static int fd = -1;
-
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static int set_state __P((u_int));
-static void showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
-static int opendevice __P((char *));
-static void closedevice __P((void));
-static char *getline __P((char *, size_t, FILE *, int *));
-static char *ipfname = IPL_NAME;
-static void usage __P((char *));
-static int showversion __P((void));
-static int get_flags __P((int *));
-
-
-#if SOLARIS
-# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
-#else
-# define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
-#endif
-
-static void usage(name)
-char *name;
-{
- fprintf(stderr, "usage: %s [-%s] %s %s %s\n", name, OPTS,
- "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c;
-
- if (argc < 2)
- usage(argv[0]);
-
- while ((c = getopt(argc, argv, OPTS)) != -1) {
- switch (c)
- {
- case '6' :
- use_inet6 = 1;
- break;
- case 'A' :
- opts &= ~OPT_INACTIVE;
- break;
- case 'E' :
- if (set_state((u_int)1))
- exit(1);
- break;
- case 'D' :
- if (set_state((u_int)0))
- exit(1);
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- procfile(argv[0], optarg);
- break;
- case 'F' :
- flushfilter(optarg);
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- packetlogon(optarg);
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- break;
- case 'P' :
- ipfname = IPL_AUTH;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- swapactive();
- break;
-#if SOLARIS
- case 'U' :
- blockunknown();
- break;
-#endif
- case 'v' :
- opts += OPT_VERBOSE;
- break;
- case 'V' :
- if (showversion())
- exit(1);
- break;
- case 'y' :
- frsync();
- break;
- case 'z' :
- opts |= OPT_ZERORULEST;
- break;
- case 'Z' :
- zerostats();
- break;
- case '?' :
- default :
- usage(argv[0]);
- break;
- }
- }
-
- if (optind < 2)
- usage(argv[0]);
-
- if (fd != -1)
- (void) close(fd);
-
- exit(0);
- /* NOTREACHED */
-}
-
-
-static int opendevice(ipfdev)
-char *ipfdev;
-{
- if (opts & OPT_DONOTHING)
- return 0;
-
- if (!ipfdev)
- ipfdev = ipfname;
-
- /*
- * shouldn't we really be testing for fd < 0 here and below?
- */
-
- if (fd != -1)
- return 0;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1) {
- if ((fd = open(ipfdev, O_RDONLY)) == -1) {
- perror("open device");
- if (errno == ENODEV)
- fprintf(stderr, "IPFilter enabled?\n");
- return -1;
- }
- }
-
- return 0;
-}
-
-
-static void closedevice()
-{
- if (fd != -1)
- close(fd);
- fd = -1;
-}
-
-
-/*
- * Return codes:
- * 0 Success
- * !0 Failure (and an error message has already been printed)
- */
-static int get_flags(i)
-int *i;
-{
-
- if (opts & OPT_DONOTHING)
- return 0;
-
- if (opendevice(ipfname) < 0)
- return -1;
-
- if (ioctl(fd, SIOCGETFF, i) == -1) {
- perror("SIOCGETFF");
- return -1;
- }
- return 0;
-}
-
-
-static int set_state(enable)
-u_int enable;
-{
- if (opts & OPT_DONOTHING)
- return 0;
-
- if (opendevice(ipfname))
- return -1;
-
- if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
- /* Not really an error */
- fprintf(stderr,
- "IP Filter: already initialized\n");
- else {
- perror("SIOCFRENB");
- return -1;
- }
- }
- return 0;
-}
-
-static void procfile(name, file)
-char *name, *file;
-{
- FILE *fp;
- char line[513], *s;
- struct frentry *fr;
- u_int add, del;
- int linenum = 0;
- int parsestatus;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (opts & OPT_INACTIVE) {
- add = SIOCADIFR;
- del = SIOCRMIFR;
- } else {
- add = SIOCADAFR;
- del = SIOCRMAFR;
- }
- if (opts & OPT_DEBUG)
- printf("add %x del %x\n", add, del);
-
- initparse();
-
- if (!strcmp(file, "-"))
- fp = stdin;
- else if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
- STRERROR(errno));
- exit(1);
- }
-
- while (getline(line, sizeof(line), fp, &linenum)) {
- /*
- * treat CR as EOL. LF is converted to NUL by getline().
- */
- if ((s = index(line, '\r')))
- *s = '\0';
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- if (opts & OPT_VERBOSE)
- (void)fprintf(stderr, "[%s]\n", line);
-
- parsestatus = 1;
- fr = parse(line, linenum, &parsestatus);
- (void)fflush(stdout);
-
- if (parsestatus != 0) {
- fprintf(stderr, "%s: %s: %s error (%d), quitting\n",
- name, file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
-
- if (fr) {
- if (opts & OPT_ZERORULEST)
- add = SIOCZRLST;
- else if (opts & OPT_INACTIVE)
- add = (u_int)fr->fr_hits ? SIOCINIFR :
- SIOCADIFR;
- else
- add = (u_int)fr->fr_hits ? SIOCINAFR :
- SIOCADAFR;
- if (fr->fr_hits)
- fr->fr_hits--;
- if (fr && (opts & OPT_VERBOSE))
- printfr(fr);
- if (fr && (opts & OPT_OUTQUE))
- fr->fr_flags |= FR_OUTQUE;
-
- if (opts & OPT_DEBUG)
- binprint(fr);
-
- if ((opts & OPT_ZERORULEST) &&
- !(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(SIOCZRLST)");
- exit(1);
- } else {
-#ifdef USE_QUAD_T
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-#else
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-#endif
- printfr(fr);
- }
- } else if ((opts & OPT_REMOVE) &&
- !(opts & OPT_DONOTHING)) {
- if (ioctl(fd, del, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(delete rule)");
- exit(1);
- }
- } else if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(add/insert rule)");
- exit(1);
- }
- }
- }
- }
- if (ferror(fp) || !feof(fp)) {
- fprintf(stderr, "%s: %s: file error or line too long\n",
- name, file);
- exit(1);
- }
- (void)fclose(fp);
-}
-
-/*
- * Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
- * Returns NULL if error occurred, EOF encounterd or input line is too long.
- */
-static char *getline(str, size, file, linenum)
-register char *str;
-size_t size;
-FILE *file;
-int *linenum;
-{
- char *p;
- int s, len;
-
- do {
- for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
- /*
- * if an error occurred, EOF was encounterd, or there
- * was no room to put NUL, return NULL.
- */
- if (fgets(p, s, file) == NULL)
- return (NULL);
- len = strlen(p);
- if (p[len - 1] != '\n') {
- p[len] = '\0';
- break;
- }
- (*linenum)++;
- p[len - 1] = '\0';
- if (len < 2 || p[len - 2] != '\\')
- break;
- else
- /*
- * Convert '\\' to a space so words don't
- * run together
- */
- p[len - 2] = ' ';
- }
- } while (*str == '\0');
- return (str);
-}
-
-
-static void packetlogon(opt)
-char *opt;
-{
- int flag;
-
- if (get_flags(&flag))
- exit(1);
-
- if (flag != 0) {
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
- }
-
- flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
-
- if (index(opt, 'p')) {
- flag |= FF_LOGPASS;
- if (opts & OPT_VERBOSE)
- printf("set log flag: pass\n");
- }
- if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) {
- flag |= FF_LOGNOMATCH;
- if (opts & OPT_VERBOSE)
- printf("set log flag: nomatch\n");
- }
- if (index(opt, 'b') || index(opt, 'd')) {
- flag |= FF_LOGBLOCK;
- if (opts & OPT_VERBOSE)
- printf("set log flag: block\n");
- }
-
- if (opendevice(ipfname) == -1) {
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSETFF, &flag) != 0) {
- perror("ioctl(SIOCSETFF)");
- exit(1);
- }
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- /*
- * Even though the ioctls above succeeded, it
- * is possible that a calling script/program
- * relies on the following verbose mode string.
- * Thus, we still take an error exit if get_flags
- * fails here.
- */
- if (get_flags(&flag))
- exit(1);
- printf("log flag is now %#x\n", flag);
- }
-}
-
-
-static void flushfilter(arg)
-char *arg;
-{
- int fl = 0, rem;
-
- if (!arg || !*arg) {
- fprintf(stderr, "-F: no filter specified\n");
- exit(1);
- }
-
- if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
- if (*arg == 'S')
- fl = 0;
- else
- fl = 1;
- rem = fl;
-
- closedevice();
-
- if (opendevice(IPL_STATE) == -1) {
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d filter rules\n", fl);
- }
- closedevice();
- return;
- }
- if (strchr(arg, 'i') || strchr(arg, 'I'))
- fl = FR_INQUE;
- if (strchr(arg, 'o') || strchr(arg, 'O'))
- fl = FR_OUTQUE;
- if (strchr(arg, 'a') || strchr(arg, 'A'))
- fl = FR_OUTQUE|FR_INQUE;
- fl |= (opts & FR_INACTIVE);
- rem = fl;
-
- if (opendevice(ipfname) == -1) {
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
- (rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
- }
- return;
-}
-
-
-static void swapactive()
-{
- int in = 2;
-
- if (opendevice(ipfname) == -1) {
- exit(1);
- }
-
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSWAPA, &in) == -1) {
- perror("ioctl(SIOCSWAPA)");
- exit(1);
- }
- }
- printf("Set %d now inactive\n", in);
-}
-
-
-void frsync()
-{
- int frsyn = 0;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCFRSYN, &frsyn) == -1) {
- perror("SIOCFRSYN");
- exit(1);
- }
- }
- printf("filter sync'd\n");
-}
-
-
-void zerostats()
-{
- friostat_t fio;
- friostat_t *fiop = &fio;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCFRZST, &fiop) == -1) {
- perror("ioctl(SIOCFRZST)");
- exit(-1);
- }
- showstats(fiop);
- }
-
-}
-
-
-/*
- * Read the kernel stats for packets blocked and passed
- */
-static void showstats(fp)
-friostat_t *fp;
-{
-#if SOLARIS
- printf("dropped packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
- printf("non-ip packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
- printf(" bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#endif
- printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- printf("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
-}
-
-
-#if SOLARIS
-static void blockunknown()
-{
- int flag;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (get_flags(&flag))
- exit(1);
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
-
- flag ^= FF_BLOCKNONIP;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSETFF, &flag))
- perror("ioctl(SIOCSETFF)");
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- if (ioctl(fd, SIOCGETFF, &flag))
- perror("ioctl(SIOCGETFF)");
-
- printf("log flag is now %#x\n", flag);
- }
-}
-#endif
-
-
-/*
- * nonzero return value means caller should exit with error
- */
-static int showversion()
-{
- struct friostat fio;
- struct friostat *fiop=&fio;
- int flags, vfd;
- char *s;
-
- printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
-
- if ((vfd = open(ipfname, O_RDONLY)) == -1) {
- perror("open device");
- return 1;
- }
-
- if (ioctl(vfd, SIOCGETFS, &fiop)) {
- perror("ioctl(SIOCGETFS)");
- close(vfd);
- return 1;
- }
- close(vfd);
-
- printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
- (int)sizeof(fio.f_version), fio.f_version);
- printf("Running: %s\n", fio.f_running ? "yes" : "no");
-
- if (get_flags(&flags)) {
- return 1;
- }
- printf("Log Flags: %#x = ", flags);
- s = "";
- if (flags & FF_LOGPASS) {
- printf("pass");
- s = ", ";
- }
- if (flags & FF_LOGBLOCK) {
- printf("%sblock", s);
- s = ", ";
- }
- if (flags & FF_LOGNOMATCH) {
- printf("%snomatch", s);
- s = ", ";
- }
- if (flags & FF_BLOCKNONIP) {
- printf("%snonip", s);
- s = ", ";
- }
- if (!*s)
- printf("none set");
- putchar('\n');
-
- printf("Default: ");
- if (fio.f_defpass & FR_PASS)
- s = "pass";
- else if (fio.f_defpass & FR_BLOCK)
- s = "block";
- else
- s = "nomatch -> block";
- printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
- printf("Active list: %d\n", fio.f_active);
-
- return 0;
-}
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
index 1398c05..60a2013 100644
--- a/contrib/ipfilter/ipf.h
+++ b/contrib/ipfilter/ipf.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
deleted file mode 100644
index ffbd71b..0000000
--- a/contrib/ipfilter/ipfs.c
+++ /dev/null
@@ -1,859 +0,0 @@
-/*
- * Copyright (C) 1999-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-#include "ipf.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.15 2003/05/31 02:12:21 darrenr Exp $";
-#endif
-
-#ifndef IPF_SAVEDIR
-# define IPF_SAVEDIR "/var/db/ipf"
-#endif
-#ifndef IPF_NATFILE
-# define IPF_NATFILE "ipnat.ipf"
-#endif
-#ifndef IPF_STATEFILE
-# define IPF_STATEFILE "ipstate.ipf"
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-
-int main __P((int, char *[]));
-void usage __P((void));
-int changestateif __P((char *, char *));
-int changenatif __P((char *, char *));
-int readstate __P((int, char *));
-int readnat __P((int, char *));
-int writestate __P((int, char *));
-int opendevice __P((char *));
-void closedevice __P((int));
-int setlock __P((int, int));
-int writeall __P((char *));
-int readall __P((char *));
-int writenat __P((int, char *));
-char *concat __P((char *, char *));
-
-int opts = 0;
-char *progname;
-
-
-void usage()
-{
- fprintf(stderr, "\
-usage: %s [-nv] -l\n\
-usage: %s [-nv] -u\n\
-usage: %s [-nv] [-d <dir>] -R\n\
-usage: %s [-nv] [-d <dir>] -W\n\
-usage: %s [-nv] -N [-f <file> | -d <dir>] -r\n\
-usage: %s [-nv] -S [-f <file> | -d <dir>] -r\n\
-usage: %s [-nv] -N [-f <file> | -d <dir>] -w\n\
-usage: %s [-nv] -S [-f <file> | -d <dir>] -w\n\
-usage: %s [-nv] -N [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\
-usage: %s [-nv] -S [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\
-", progname, progname, progname, progname, progname, progname,
- progname, progname, progname, progname);
- exit(1);
-}
-
-
-/*
- * Change interface names in state information saved out to disk.
- */
-int changestateif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- ipstate_save_t ips;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- if (nlen >= sizeof(ips.ips_is.is_ifname) ||
- olen >= sizeof(ips.ips_is.is_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) {
- rw = 0;
- if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[0], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[1], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-/*
- * Change interface names in NAT information saved out to disk.
- */
-int changenatif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- nat_save_t ipn;
- nat_t *nat;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- nat = &ipn.ipn_nat;
- if (nlen >= sizeof(nat->nat_ifname) || olen >= sizeof(nat->nat_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) {
- rw = 0;
- if (!strncmp(nat->nat_ifname, ifs, olen + 1)) {
- strcpy(nat->nat_ifname, s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
- char *dirname = NULL, *filename = NULL, *ifs = NULL;
-
- progname = argv[0];
-
- while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
- switch (c)
- {
- case 'd' :
- if ((set == 0) && !dirname && !filename)
- dirname = optarg;
- else
- usage();
- break;
- case 'f' :
- if ((set == 1) && !dirname && !filename && !(rw & 2))
- filename = optarg;
- else
- usage();
- break;
- case 'i' :
- ifs = optarg;
- set = 1;
- break;
- case 'l' :
- if (filename || dirname || set)
- usage();
- lock = 1;
- set = 1;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'N' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 0;
- set = 1;
- break;
- case 'r' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 0;
- set = 1;
- break;
- case 'R' :
- if (filename || (ns != -1))
- usage();
- rw = 2;
- set = 1;
- break;
- case 'S' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 1;
- set = 1;
- break;
- case 'u' :
- if (filename || dirname || set)
- usage();
- lock = 0;
- set = 1;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 1;
- set = 1;
- break;
- case 'W' :
- if (filename || (ns != -1))
- usage();
- rw = 3;
- set = 1;
- break;
- case '?' :
- default :
- usage();
- }
-
- if (optind < 2)
- usage();
-
- if (filename == NULL) {
- if (ns == 0) {
- if (dirname == NULL)
- dirname = IPF_SAVEDIR;
- if (dirname[strlen(dirname) - 1] != '/')
- dirname = concat(dirname, "/");
- filename = concat(dirname, IPF_NATFILE);
- } else if (ns == 1) {
- if (dirname == NULL)
- dirname = IPF_SAVEDIR;
- if (dirname[strlen(dirname) - 1] != '/')
- dirname = concat(dirname, "/");
- filename = concat(dirname, IPF_STATEFILE);
- }
- }
-
- if (ifs) {
- if (!filename || ns < 0)
- usage();
- if (ns == 0)
- return changenatif(ifs, filename);
- else
- return changestateif(ifs, filename);
- }
-
- if ((ns >= 0) || (lock >= 0)) {
- if (lock >= 0)
- devfd = opendevice(NULL);
- else if (ns >= 0) {
- if (ns == 1)
- devfd = opendevice(IPL_STATE);
- else if (ns == 0)
- devfd = opendevice(IPL_NAT);
- }
- if (devfd == -1)
- exit(1);
- }
-
- if (lock >= 0)
- err = setlock(devfd, lock);
- else if (rw >= 0) {
- if (rw & 1) { /* WRITE */
- if (rw & 2)
- err = writeall(dirname);
- else {
- if (ns == 0)
- err = writenat(devfd, filename);
- else if (ns == 1)
- err = writestate(devfd, filename);
- }
- } else {
- if (rw & 2)
- err = readall(dirname);
- else {
- if (ns == 0)
- err = readnat(devfd, filename);
- else if (ns == 1)
- err = readstate(devfd, filename);
- }
- }
- }
- return err;
-}
-
-
-char *concat(base, append)
-char *base, *append;
-{
- char *str;
-
- str = malloc(strlen(base) + strlen(append) + 1);
- if (str != NULL) {
- strcpy(str, base);
- strcat(str, append);
- }
- return str;
-}
-
-
-int opendevice(ipfdev)
-char *ipfdev;
-{
- int fd = -1;
-
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (!ipfdev)
- ipfdev = IPL_NAME;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-void closedevice(fd)
-int fd;
-{
- close(fd);
-}
-
-
-int setlock(fd, lock)
-int fd, lock;
-{
- if (opts & OPT_VERBOSE)
- printf("Turn lock %s\n", lock ? "on" : "off");
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSTLCK, &lock) == -1) {
- perror("SIOCSTLCK");
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Lock now %s\n", lock ? "on" : "off");
- }
- return 0;
-}
-
-
-int writestate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *ipsp;
- int wfd = -1;
-
- if (!file)
- file = IPF_STATEFILE;
-
- wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (wfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("state:open");
- return 1;
- }
-
- ipsp = &ips;
- bzero((char *)ipsp, sizeof(ips));
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting state from addr %p\n", ips.ips_next);
- if (ioctl(fd, SIOCSTGET, &ipsp)) {
- if (errno == ENOENT)
- break;
- perror("state:SIOCSTGET");
- close(wfd);
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Got state next %p\n", ips.ips_next);
- if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) {
- perror("state:write");
- close(wfd);
- return 1;
- }
- } while (ips.ips_next != NULL);
- close(wfd);
-
- return 0;
-}
-
-
-int readstate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
- int sfd = -1, i;
-
- if (!file)
- file = IPF_STATEFILE;
-
- sfd = open(file, O_RDONLY, 0600);
- if (sfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("open");
- return 1;
- }
-
- bzero((char *)&ips, sizeof(ips));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(sfd, &ips, sizeof(ips));
- if (i == -1) {
- perror("read");
- close(sfd);
- return 1;
- }
- if (i == 0)
- break;
- if (i != sizeof(ips)) {
- fprintf(stderr, "incomplete read: %d != %d\n", i,
- (int)sizeof(ips));
- close(sfd);
- return 1;
- }
- is = (ipstate_save_t *)malloc(sizeof(*is));
- if(!is) {
- fprintf(stderr, "malloc failed\n");
- return 1;
- }
-
- bcopy((char *)&ips, (char *)is, sizeof(ips));
-
- /*
- * Check to see if this is the first state entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next)
- if (is1->ips_rule == is->ips_rule)
- break;
- if (is1 == NULL)
- is->ips_is.is_flags |= FI_NEWFR;
- else
- is->ips_rule = (void *)&is1->ips_rule;
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- is->ips_next = NULL;
- if (!ipshead)
- ipshead = is;
- if (ipstail)
- ipstail->ips_next = is;
- ipstail = is;
- } while (1);
-
- close(sfd);
-
- for (is = ipshead; is; is = is->ips_next) {
- if (opts & OPT_VERBOSE)
- printf("Loading new state table entry\n");
- if (is->ips_is.is_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &is)) {
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (is->ips_is.is_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", is->ips_rule);
- for (is1 = is->ips_next; is1; is1 = is1->ips_next)
- if (is1->ips_rule == (frentry_t *)&is->ips_rule)
- is1->ips_rule = is->ips_rule;
- }
- }
-
- return 0;
-}
-
-
-int readnat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL;
- int nfd = -1, i;
- nat_t *nat;
- char *s;
- int n;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_RDONLY);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(nfd, &ipn, sizeof(ipn));
- if (i == -1) {
- perror("read");
- close(nfd);
- return 1;
- }
- if (i == 0)
- break;
- if (i != sizeof(ipn)) {
- fprintf(stderr, "incomplete read: %d != %d\n", i,
- (int)sizeof(ipn));
- close(nfd);
- return 1;
- }
-
- if (ipn.ipn_dsize > 0) {
- n = ipn.ipn_dsize;
-
- if (n > sizeof(ipn.ipn_data))
- n -= sizeof(ipn.ipn_data);
- else
- n = 0;
- in = malloc(sizeof(*in) + n);
- if (!in)
- break;
-
- if (n > 0) {
- s = in->ipn_data + sizeof(in->ipn_data);
- i = read(nfd, s, n);
- if (i == 0)
- break;
- if (i != n) {
- fprintf(stderr,
- "incomplete read: %d != %d\n",
- i, n);
- close(nfd);
- return 1;
- }
- }
- } else
- in = (nat_save_t *)malloc(sizeof(*in));
- bcopy((char *)&ipn, (char *)in, sizeof(ipn));
-
- /*
- * Check to see if this is the first NAT entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- nat = &in->ipn_nat;
- if (nat->nat_fr != NULL) {
- for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next)
- if (in1->ipn_rule == nat->nat_fr)
- break;
- if (in1 == NULL)
- nat->nat_flags |= FI_NEWFR;
- else
- nat->nat_fr = &in1->ipn_fr;
- }
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- in->ipn_next = NULL;
- if (!ipnhead)
- ipnhead = in;
- if (ipntail)
- ipntail->ipn_next = in;
- ipntail = in;
- } while (1);
-
- close(nfd);
- nfd = -1;
-
- for (in = ipnhead; in; in = in->ipn_next) {
- if (opts & OPT_VERBOSE)
- printf("Loading new NAT table entry\n");
- nat = &in->ipn_nat;
- if (nat->nat_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &in)) {
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (nat->nat_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", nat->nat_fr);
- for (in1 = in->ipn_next; in1; in1 = in1->ipn_next)
- if (in1->ipn_rule == &in->ipn_fr)
- in1->ipn_rule = nat->nat_fr;
- }
- }
-
- return 0;
-}
-
-
-int writenat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t *ipnp = NULL, *next = NULL;
- int nfd = -1;
- natget_t ng;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting nat from addr %p\n", ipnp);
- ng.ng_ptr = next;
- ng.ng_sz = 0;
- if (ioctl(fd, SIOCSTGSZ, &ng)) {
- perror("nat:SIOCSTGSZ");
- close(nfd);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr);
-
- if (ng.ng_sz == 0)
- break;
-
- if (!ipnp)
- ipnp = malloc(ng.ng_sz);
- else
- ipnp = realloc((char *)ipnp, ng.ng_sz);
- if (!ipnp) {
- fprintf(stderr,
- "malloc for %d bytes failed\n", ng.ng_sz);
- break;
- }
-
- bzero((char *)ipnp, ng.ng_sz);
- ipnp->ipn_next = next;
- if (ioctl(fd, SIOCSTGET, &ipnp)) {
- if (errno == ENOENT)
- break;
- perror("nat:SIOCSTGET");
- close(nfd);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("Got nat next %p\n", ipnp->ipn_next);
- if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) {
- perror("nat:write");
- close(nfd);
- return 1;
- }
- next = ipnp->ipn_next;
- } while (ipnp && next);
- close(nfd);
-
- return 0;
-}
-
-
-int writeall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname);
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPL_STATE);
- if (devfd == -1)
- goto bad;
- if (writestate(devfd, NULL))
- goto bad;
- close(devfd);
-
- devfd = opendevice(IPL_NAT);
- if (devfd == -1)
- goto bad;
- if (writenat(devfd, NULL))
- goto bad;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-
-bad:
- setlock(fd, 0);
- close(fd);
- return 1;
-}
-
-
-int readall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPL_STATE);
- if (devfd == -1)
- return 1;
- if (readstate(devfd, NULL))
- return 1;
- close(devfd);
-
- devfd = opendevice(IPL_NAT);
- if (devfd == -1)
- return 1;
- if (readnat(devfd, NULL))
- return 1;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
deleted file mode 100644
index c8ae3f2..0000000
--- a/contrib/ipfilter/ipft_ef.c
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/*
- icmp type
- lnth proto source destination src port dst port
-
-etherfind -n
-
- 60 tcp 128.250.20.20 128.250.133.13 2419 telnet
-
-etherfind -n -t
-
- 0.32 91 04 131.170.1.10 128.250.133.13
- 0.33 566 udp 128.250.37.155 128.250.133.3 901 901
-*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.5 2003/05/19 12:02:35 darrenr Exp $";
-#endif
-
-static int etherf_open __P((char *));
-static int etherf_close __P((void));
-static int etherf_readip __P((char *, int, char **, int *));
-
-struct ipread etherf = { etherf_open, etherf_close, etherf_readip };
-
-static FILE *efp = NULL;
-static int efd = -1;
-
-
-static int etherf_open(fname)
-char *fname;
-{
- if (efd != -1)
- return efd;
-
- if (!strcmp(fname, "-")) {
- efd = 0;
- efp = stdin;
- } else {
- efd = open(fname, O_RDONLY);
- efp = fdopen(efd, "r");
- }
- return efd;
-}
-
-
-static int etherf_close()
-{
- return close(efd);
-}
-
-
-static int etherf_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- struct protoent *p = NULL;
- char src[16], dst[16], sprt[16], dprt[16];
- char lbuf[128], len[8], prot[8], time[8], *s;
- int slen, extra = 0, i;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst,
- sprt, dprt) != 6)
- if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time,
- len, prot, src, dst, sprt, dprt) != 7)
- return -1;
-
- ip->ip_p = atoi(prot);
- if (ip->ip_p == 0) {
- if (!(p = getprotobyname(prot)))
- return -1;
- ip->ip_p = p->p_proto;
- }
-
- switch (ip->ip_p) {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- ip->ip_len += atoi(s);
- if (p->p_proto == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (p->p_proto == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(dst, &ip->ip_dst);
- ip->ip_len = atoi(len);
- ip->ip_hl = sizeof(ip_t);
-
- slen = ip->ip_hl + extra;
- i = MIN(cnt, slen);
- bcopy((char *)&pkt, buf, i);
- return i;
-}
diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c
deleted file mode 100644
index b26bd93..0000000
--- a/contrib/ipfilter/ipft_hx.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.6 2002/12/06 11:40:25 darrenr Exp $";
-#endif
-
-extern int opts;
-
-static int hex_open __P((char *));
-static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
-static char *readhex __P((char *, char *));
-
-struct ipread iphex = { hex_open, hex_close, hex_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static int hex_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int hex_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s, *t, *u;
- char line[513];
- ip_t *ip;
-
- /*
- * interpret start of line as possibly "[ifname]" or
- * "[in/out,ifname]".
- */
- if (ifn)
- *ifn = NULL;
- if (dir)
- *dir = 0;
- ip = (ip_t *)buf;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = index(line, '\n'))) {
- if (s == line)
- return (char *)ip - buf;
- *s = '\0';
- }
- if ((s = index(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if (!(opts & OPT_BRIEF)) {
- printf("input: %s\n", line);
- fflush(stdout);
- }
-
- if ((*line == '[') && (s = index(line, ']'))) {
- t = line + 1;
- if (s - t > 0) {
- *s++ = '\0';
- if ((u = index(t, ',')) && (u < s)) {
- u++;
- if (ifn)
- *ifn = strdup(u);
- if (dir) {
- if (*t == 'i')
- *dir = 0;
- else if (*t == 'o')
- *dir = 1;
- }
- } else if (ifn)
- *ifn = t;
- }
- } else
- s = line;
- ip = (ip_t *)readhex(s, (char *)ip);
- }
- return -1;
-}
-
-
-static char *readhex(src, dst)
-register char *src, *dst;
-{
- int state = 0;
- char c;
-
- while ((c = *src++)) {
- if (isspace(c)) {
- if (state) {
- dst++;
- state = 0;
- }
- continue;
- } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
- (c >= 'A' && c <= 'F')) {
- c = isdigit(c) ? (c - '0') : (toupper(c) - 55);
- if (state == 0) {
- *dst = (c << 4);
- state++;
- } else {
- *dst++ |= c;
- state = 0;
- }
- } else
- break;
- }
- return dst;
-}
diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c
deleted file mode 100644
index b6060de..0000000
--- a/contrib/ipfilter/ipft_pc.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "pcap.h"
-#include "bpf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.5 2002/12/06 11:40:25 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_type;
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-
-static struct llc llcs[] = {
- { DLT_NULL, 0, 0, 0 },
- { DLT_EN10MB, 14, 12, 2 },
- { DLT_EN3MB, 0, 0, 0 },
- { DLT_AX25, 0, 0, 0 },
- { DLT_PRONET, 0, 0, 0 },
- { DLT_CHAOS, 0, 0, 0 },
- { DLT_IEEE802, 0, 0, 0 },
- { DLT_ARCNET, 0, 0, 0 },
- { DLT_SLIP, 0, 0, 0 },
- { DLT_PPP, 0, 0, 0 },
- { DLT_FDDI, 0, 0, 0 },
-#ifdef DLT_ATMRFC1483
- { DLT_ATMRFC1483, 0, 0, 0 },
-#endif
- { DLT_RAW, 0, 0, 0 },
-#ifdef DLT_ENC
- { DLT_ENC, 0, 0, 0 },
-#endif
-#ifdef DLT_SLIP_BSDOS
- { DLT_SLIP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_BSDOS
- { DLT_PPP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_HIPPI
- { DLT_HIPPI, 0, 0, 0 },
-#endif
-#ifdef DLT_HDLC
- { DLT_HDLC, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_SERIAL
- { DLT_PPP_SERIAL, 4, 4, 0 },
-#endif
-#ifdef DLT_PPP_ETHER
- { DLT_PPP_ETHER, 8, 8, 0 },
-#endif
-#ifdef DLT_ECONET
- { DLT_ECONET, 0, 0, 0 },
-#endif
- { -1, -1, -1, -1 }
-};
-
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
-
-static int pfd = -1, s_type = -1, swapped = 0;
-static struct llc *llcp = NULL;
-
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip };
-
-#define SWAPLONG(y) \
- ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
-#define SWAPSHORT(y) \
- ( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-
-static void swap_hdr(p)
-pcaphdr_t *p;
-{
- p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
- p->pc_v_min = SWAPSHORT(p->pc_v_min);
- p->pc_zone = SWAPLONG(p->pc_zone);
- p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
- p->pc_slen = SWAPLONG(p->pc_slen);
- p->pc_type = SWAPLONG(p->pc_type);
-}
-
-static int pcap_open(fname)
-char *fname;
-{
- pcaphdr_t ph;
- int fd, i;
-
- if (pfd != -1)
- return pfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
- return -2;
-
- if (ph.pc_id != TCPDUMP_MAGIC) {
- if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
- (void) close(fd);
- return -2;
- }
- swapped = 1;
- swap_hdr(&ph);
- }
-
- if (ph.pc_v_maj != PCAP_VERSION_MAJ) {
- (void) close(fd);
- return -2;
- }
-
- for (i = 0; llcs[i].lc_type != -1; i++)
- if (llcs[i].lc_type == ph.pc_type) {
- llcp = llcs + i;
- break;
- }
-
- if (llcp == NULL) {
- (void) close(fd);
- return -2;
- }
-
- pfd = fd;
- s_type = ph.pc_type;
- printf("opened pcap file %s:\n", fname);
- printf("\tid: %08x version: %d.%d type: %d snap %d\n",
- ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
-
- return fd;
-}
-
-
-static int pcap_close()
-{
- return close(pfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a pcap file.
- */
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
-{
- int n, p;
-
- if (read(pfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- if (swapped) {
- rec->ph_clen = SWAPLONG(rec->ph_clen);
- rec->ph_len = SWAPLONG(rec->ph_len);
- rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
- rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
- }
- p = rec->ph_clen;
- n = MIN(p, rec->ph_len);
- if (!n || n < 0)
- return -3;
-
- return p;
-}
-
-
-#ifdef notyet
-/*
- * read an entire pcap packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct pcap_pkthdr rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(pfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct pcap_pkthdr rec;
- struct llc *l;
- char *s, ty[4];
- int i, n;
-
- l = llcp;
-
- /* do { */
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(pfd, s, i) != i)
- return -2;
-
- i -= l->lc_sz;
- s += l->lc_to;
- bcopy(s, ty, l->lc_tl);
- s += l->lc_tl;
- /* } while (ty[0] != 0x8 && ty[1] != 0); */
- n = MIN(i, cnt);
- bcopy(s, buf, n);
- return n;
-}
diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c
deleted file mode 100644
index 859bf5e..0000000
--- a/contrib/ipfilter/ipft_sn.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/*
- * Written to comply with the recent RFC 1761 from Sun.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "snoop.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-static struct llc llcs[SDL_MAX+1] = {
- { 0, 0, 0 }, /* SDL_8023 */
- { 0, 0, 0 }, /* SDL_8024 */
- { 0, 0, 0 }, /* SDL_8025 */
- { 0, 0, 0 }, /* SDL_8026 */
- { 14, 12, 2 }, /* SDL_ETHER */
- { 0, 0, 0 }, /* SDL_HDLC */
- { 0, 0, 0 }, /* SDL_CHSYNC */
- { 0, 0, 0 }, /* SDL_IBMCC */
- { 0, 0, 0 }, /* SDL_FDDI */
- { 0, 0, 0 }, /* SDL_OTHER */
-};
-
-static int snoop_open __P((char *));
-static int snoop_close __P((void));
-static int snoop_readip __P((char *, int, char **, int *));
-
-static int sfd = -1, s_type = -1;
-static int snoop_read_rec __P((struct snooppkt *));
-
-struct ipread snoop = { snoop_open, snoop_close, snoop_readip };
-
-
-static int snoop_open(fname)
-char *fname;
-{
- struct snoophdr sh;
- int fd;
- int s_v;
-
- if (sfd != -1)
- return sfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
- return -2;
-
- s_v = (int)ntohl(sh.s_v);
- s_type = (int)ntohl(sh.s_type);
-
- if (s_v != SNOOP_VERSION ||
- s_type < 0 || s_type > SDL_MAX) {
- (void) close(fd);
- return -2;
- }
-
- sfd = fd;
- printf("opened snoop file %s:\n", fname);
- printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
-
- return fd;
-}
-
-
-static int snoop_close()
-{
- return close(sfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a snoop file.
- */
-static int snoop_read_rec(rec)
-struct snooppkt *rec;
-{
- int n, plen, ilen;
-
- if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- ilen = (int)ntohl(rec->sp_ilen);
- plen = (int)ntohl(rec->sp_plen);
- if (ilen > plen || plen < sizeof(*rec))
- return -2;
-
- plen -= sizeof(*rec);
- n = MIN(plen, ilen);
- if (!n || n < 0)
- return -3;
-
- return plen;
-}
-
-
-#ifdef notyet
-/*
- * read an entire snoop packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int snoop_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct snooppkt rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(sfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int snoop_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct snooppkt rec;
- struct llc *l;
- char ty[4], *s;
- int i, n;
-
- do {
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(sfd, s, i) != i)
- return -2;
-
- l = &llcs[s_type];
- i -= l->lc_to;
- s += l->lc_to;
- /*
- * XXX - bogus assumption here on the part of the time field
- * that it won't be greater than 4 bytes and the 1st two will
- * have the values 8 and 0 for IP. Should be a table of
- * these too somewhere. Really only works for SDL_ETHER.
- */
- bcopy(s, ty, l->lc_tl);
- } while (ty[0] != 0x8 && ty[1] != 0);
-
- i -= l->lc_tl;
- s += l->lc_tl;
- n = MIN(i, cnt);
- bcopy(s, buf, n);
-
- return n;
-}
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
deleted file mode 100644
index 99beab5..0000000
--- a/contrib/ipfilter/ipft_td.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/*
-tcpdump -n
-
-00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
-
-tcpdump -nq
-
-00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
-
-tcpdump -nqt
-
-128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqtt
-
-123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqte
-
-8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.6 2003/05/31 02:13:04 darrenr Exp $";
-#endif
-
-static int tcpd_open __P((char *));
-static int tcpd_close __P((void));
-static int tcpd_readip __P((char *, int, char **, int *));
-static int count_dots __P((char *));
-
-struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip };
-
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-
-static int tcpd_open(fname)
-char *fname;
-{
- if (tfd != -1)
- return tfd;
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int tcpd_close()
-{
- (void) fclose(tfp);
- return close(tfd);
-}
-
-
-static int count_dots(str)
-char *str;
-{
- int i = 0;
-
- while (*str)
- if (*str++ == '.')
- i++;
- return i;
-}
-
-
-static int tcpd_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- struct protoent *p;
- char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
- char lbuf[160], *s;
- int n, slen, extra = 0;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3)
- if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s",
- time, src, dst, misc)) != 4)
- if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s",
- link1, link2, src, dst, misc)) != 5) {
- n = sscanf(lbuf,
- "%31s %31s %31s: %31s > %31s: %255s",
- time, link1, link2, src, dst, misc);
- if (n != 6)
- return -1;
- }
-
- if (count_dots(dst) == 4) {
- s = strrchr(src, '.');
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_src);
- pkt.ti_sport = htons(atoi(s));
- *--s = '.';
- s = strrchr(dst, '.');
-
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_dst);
- pkt.ti_dport = htons(atoi(s));
- *--s = '.';
-
- } else {
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(src, &ip->ip_dst);
- }
- ip->ip_len = ip->ip_hl = sizeof(ip_t);
-
- s = strtok(misc, " :");
- if ((p = getprotobyname(s))) {
- ip->ip_p = p->p_proto;
-
- switch (p->p_proto) {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- ip->ip_len += atoi(s);
- if (p->p_proto == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (p->p_proto == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
- }
- slen = ip->ip_hl + extra + ip->ip_len;
- return slen;
-}
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
deleted file mode 100644
index 7ea87e3..0000000
--- a/contrib/ipfilter/ipft_tx.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <arpa/inet.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.8 2002/12/06 11:40:26 darrenr Exp $";
-#endif
-
-extern int opts;
-
-static char *tx_proto = "";
-
-static int text_open __P((char *)), text_close __P((void));
-static int text_readip __P((char *, int, char **, int *));
-static int parseline __P((char *, ip_t *, char **, int *));
-
-static char _tcp_flagset[] = "FSRPAUEC";
-static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
- TH_ACK, TH_URG, TH_ECN, TH_CWR };
-
-struct ipread iptext = { text_open, text_close, text_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static u_32_t tx_hostnum __P((char *, int *));
-static u_short tx_portnum __P((char *));
-
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-static u_32_t tx_hostnum(host, resolved)
-char *host;
-int *resolved;
-{
- struct hostent *hp;
- struct netent *np;
-
- *resolved = 0;
- if (!strcasecmp("any",host))
- return 0L;
- if (isdigit(*host))
- return inet_addr(host);
-
- if (!(hp = gethostbyname(host))) {
- if (!(np = getnetbyname(host))) {
- *resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
- return 0;
- }
- return htonl(np->n_net);
- }
- return *(u_32_t *)hp->h_addr;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi()
- */
-static u_short tx_portnum(name)
-char *name;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
-
- if (isdigit(*name))
- return (u_short)atoi(name);
- if (!tx_proto)
- tx_proto = "tcp/udp";
- if (strcasecmp(tx_proto, "tcp/udp")) {
- sp = getservbyname(name, tx_proto);
- if (sp)
- return ntohs(sp->s_port);
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
- name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
- return 0;
- }
- return ntohs(p1);
-}
-
-
-char *tx_icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-static int text_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int text_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int text_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s;
- char line[513];
-
- *ifn = NULL;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
- if ((s = index(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if (!(opts & OPT_BRIEF))
- printf("input: %s\n", line);
- *ifn = NULL;
- *dir = 0;
- if (!parseline(line, (ip_t *)buf, ifn, dir))
-#if 0
- return sizeof(ip_t) + sizeof(tcphdr_t);
-#else
- return sizeof(ip_t);
-#endif
- }
- return -1;
-}
-
-static int parseline(line, ip, ifn, out)
-char *line;
-ip_t *ip;
-char **ifn;
-int *out;
-{
- tcphdr_t th, *tcp = &th;
- struct icmp icmp, *ic = &icmp;
- char *cps[20], **cpp, c, ipopts[68];
- int i, r;
-
- if (*ifn)
- free(*ifn);
- bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
- bzero((char *)tcp, sizeof(*tcp));
- bzero((char *)ic, sizeof(*ic));
- bzero(ipopts, sizeof(ipopts));
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
- for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); )
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cpp = cps;
- if (!*cpp)
- return 1;
-
- c = **cpp;
- if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
- fprintf(stderr, "bad direction \"%s\"\n", *cpp);
- return 1;
- }
- *out = (tolower(c) == 'o') ? 1 : 0;
- cpp++;
- if (!*cpp)
- return 1;
-
- if (!strcasecmp(*cpp, "on")) {
- cpp++;
- if (!*cpp)
- return 1;
- *ifn = strdup(*cpp++);
- if (!*cpp)
- return 1;
- }
-
- c = **cpp;
- ip->ip_len = sizeof(ip_t);
- if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
- !strcasecmp(*cpp, "icmp")) {
- if (c == 't') {
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len += sizeof(struct tcphdr);
- tx_proto = "tcp";
- } else if (c == 'u') {
- ip->ip_p = IPPROTO_UDP;
- ip->ip_len += sizeof(struct udphdr);
- tx_proto = "udp";
- } else {
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += ICMPERR_IPICMPHLEN;
- tx_proto = "icmp";
- }
- cpp++;
- } else if (isdigit(**cpp) && !index(*cpp, '.')) {
- ip->ip_p = atoi(*cpp);
- cpp++;
- } else
- ip->ip_p = IPPROTO_IP;
-
- if (!*cpp)
- return 1;
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = index(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no source port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_sport = htons(tx_portnum(last));
- }
- ip->ip_src.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (!*cpp)
- return 1;
-
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = index(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no destination port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_dport = htons(tx_portnum(last));
- }
- ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (*cpp && ip->ip_p == IPPROTO_TCP) {
- extern char _tcp_flagset[];
- extern u_char _tcp_flags[];
- char *s, *t;
-
- for (s = *cpp; *s; s++)
- if ((t = index(_tcp_flagset, *s)))
- tcp->th_flags |= _tcp_flags[t - _tcp_flagset];
- if (tcp->th_flags)
- cpp++;
- assert(tcp->th_flags != 0);
- tcp->th_win = htons(4096);
- tcp->th_off = sizeof(*tcp) >> 2;
- } else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
- extern char *tx_icmptypes[];
- char **s, *t;
- int i;
-
- for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
- s++, i++)
- if (*s && !strncasecmp(*cpp, *s, strlen(*s))) {
- ic->icmp_type = i;
- if ((t = index(*cpp, ',')))
- ic->icmp_code = atoi(t+1);
- cpp++;
- break;
- }
- }
-
- if (*cpp && !strcasecmp(*cpp, "opt")) {
- u_long olen;
-
- cpp++;
- olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
- if (olen) {
- bcopy(ipopts, (char *)(ip + 1), olen);
- ip->ip_hl += olen >> 2;
- }
- }
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- bcopy((char *)tcp, ((char *)ip) + (ip->ip_hl << 2),
- sizeof(*tcp));
- else if (ip->ip_p == IPPROTO_ICMP)
- bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2),
- sizeof(*ic));
- ip->ip_len = htons(ip->ip_len);
- return 0;
-}
diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h
index 675897b..2b2d1db 100644
--- a/contrib/ipfilter/iplang/iplang.h
+++ b/contrib/ipfilter/iplang/iplang.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1997-1998 by Darren Reed.
diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l
index 0a97ec9..71e478b 100644
--- a/contrib/ipfilter/iplang/iplang_l.l
+++ b/contrib/ipfilter/iplang/iplang_l.l
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
%{
/*
diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y
index 5b7608b..22ea40b 100644
--- a/contrib/ipfilter/iplang/iplang_y.y
+++ b/contrib/ipfilter/iplang/iplang_y.y
@@ -1,18 +1,15 @@
+/* $FreeBSD$ */
+
%{
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: iplang_y.y,v 2.2 1999/12/04 03:37:04 darrenr Exp $
+ * Id: iplang_y.y,v 2.9.2.2 2004/12/09 19:41:10 darrenr Exp
* $FreeBSD$
*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
@@ -32,12 +29,9 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
#include <net/if.h>
#ifndef linux
#include <netinet/if_ether.h>
@@ -53,7 +47,7 @@
#include "iplang.h"
#if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \
- __FreeBSD_version < 400020 ) && SOLARIS2 < 10
+ __FreeBSD_version < 400020) && (!SOLARIS || SOLARIS2 < 10)
extern struct ether_addr *ether_aton __P((char *));
#endif
@@ -774,7 +768,7 @@ char **arg;
while ((c = *s++)) {
if (todo) {
- if (isdigit(c)) {
+ if (ISDIGIT(c)) {
todo--;
if (c > '7') {
fprintf(stderr, "octal with %c!\n", c);
@@ -783,7 +777,7 @@ char **arg;
val <<= 3;
val |= (c - '0');
}
- if (!isdigit(c) || !todo) {
+ if (!ISDIGIT(c) || !todo) {
*t++ = (u_char)(val & 0xff);
todo = 0;
}
@@ -791,7 +785,7 @@ char **arg;
continue;
}
if (quote) {
- if (isdigit(c)) {
+ if (ISDIGIT(c)) {
todo = 2;
if (c > '7') {
fprintf(stderr, "octal with %c!\n", c);
@@ -1295,7 +1289,7 @@ void prep_packet()
return;
}
if (ifp->if_fd == -1)
- ifp->if_fd = initdevice(ifp->if_name, 0, 5);
+ ifp->if_fd = initdevice(ifp->if_name, 5);
gwip = sending.snd_gw;
if (!gwip.s_addr)
gwip = aniphead->ah_ip->ip_dst;
@@ -1327,7 +1321,7 @@ void packet_done()
sprintf((char *)t, " ");
t += 8;
for (k = 16; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
+ *t++ = (ISPRINT(*s) ? *s : '.');
s--;
}
@@ -1345,7 +1339,7 @@ void packet_done()
t += 7;
s -= j & 0xf;
for (k = j & 0xf; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
+ *t++ = (ISPRINT(*s) ? *s : '.');
*t++ = '\n';
*t = '\0';
}
@@ -1519,11 +1513,6 @@ int type;
}
-static char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
- "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
- "net-tos", "host-tos", NULL };
-
void set_icmpcodetok(code)
char **code;
{
@@ -1542,13 +1531,6 @@ char **code;
}
-static char *icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", (char *)NULL,
- (char *)NULL, "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
void set_icmptypetok(type)
char **type;
{
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
deleted file mode 100644
index 7919430..0000000
--- a/contrib/ipfilter/ipmon.c
+++ /dev/null
@@ -1,1495 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#ifndef SOLARIS
-#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
-#endif
-
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-#endif
-#if !defined(__SVR4) && !defined(__GNUC__)
-# include <strings.h>
-#endif
-#include <signal.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <netinet/ip.h>
-#include <netinet/tcp_fsm.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#ifndef linux
-# include <sys/protosw.h>
-# include <netinet/ip_var.h>
-#endif
-
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-
-#include <ctype.h>
-#include <syslog.h>
-
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-/* static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.13 2001/07/19 12:24:59 darrenr Exp $"; */
-static const char rcsid[] = "@(#)$FreeBSD$";
-#endif
-
-
-#if defined(sun) && !defined(SOLARIS2)
-#define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-#define STRERROR(x) strerror(x)
-#endif
-
-
-struct flags {
- int value;
- char flag;
-};
-
-
-typedef struct icmp_subtype {
- int ist_val;
- char *ist_name;
-} icmp_subtype_t;
-
-typedef struct icmp_type {
- int it_val;
- struct icmp_subtype *it_subtable;
- size_t it_stsize;
- char *it_name;
-} icmp_type_t;
-
-
-#define IST_SZ(x) (sizeof(x)/sizeof(icmp_subtype_t))
-
-
-struct flags tcpfl[] = {
- { TH_ACK, 'A' },
- { TH_RST, 'R' },
- { TH_SYN, 'S' },
- { TH_FIN, 'F' },
- { TH_URG, 'U' },
- { TH_PUSH,'P' },
- { TH_ECN, 'E' },
- { TH_CWR, 'C' },
- { 0, '\0' }
-};
-
-#if SOLARIS
-static char *pidfile = "/etc/opt/ipf/ipmon.pid";
-#else
-# if BSD >= 199306
-static char *pidfile = "/var/run/ipmon.pid";
-# else
-static char *pidfile = "/etc/ipmon.pid";
-# endif
-#endif
-
-static char line[2048];
-static int opts = 0;
-static FILE *newlog = NULL;
-static char *logfile = NULL;
-static int donehup = 0;
-static void usage __P((char *));
-static void handlehup __P((int));
-static void flushlogs __P((char *, FILE *));
-static void print_log __P((int, FILE *, char *, int));
-static void print_ipflog __P((FILE *, char *, int));
-static void print_natlog __P((FILE *, char *, int));
-static void print_statelog __P((FILE *, char *, int));
-static void dumphex __P((FILE *, u_char *, int));
-static int read_log __P((int, int *, char *, int));
-static void write_pid __P((char *));
-static char *icmpname __P((u_int, u_int));
-static char *icmpname6 __P((u_int, u_int));
-static icmp_type_t *find_icmptype __P((int, icmp_type_t *, size_t));
-static icmp_subtype_t *find_icmpsubtype __P((int, icmp_subtype_t *, size_t));
-
-char *hostname __P((int, int, u_32_t *));
-char *portname __P((int, char *, u_int));
-int main __P((int, char *[]));
-
-static void logopts __P((int, char *));
-static void init_tabs __P((void));
-static char *getproto __P((u_int));
-
-static char **protocols = NULL;
-static char **udp_ports = NULL;
-static char **tcp_ports = NULL;
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-#define OPT_LOGBODY 0x800
-
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
-
-#ifndef LOGFAC
-#define LOGFAC LOG_LOCAL0
-#endif
-
-
-static icmp_subtype_t icmpunreachnames[] = {
- { ICMP_UNREACH_NET, "net" },
- { ICMP_UNREACH_HOST, "host" },
- { ICMP_UNREACH_PROTOCOL, "protocol" },
- { ICMP_UNREACH_PORT, "port" },
- { ICMP_UNREACH_NEEDFRAG, "needfrag" },
- { ICMP_UNREACH_SRCFAIL, "srcfail" },
- { ICMP_UNREACH_NET_UNKNOWN, "net_unknown" },
- { ICMP_UNREACH_HOST_UNKNOWN, "host_unknown" },
- { ICMP_UNREACH_NET, "isolated" },
- { ICMP_UNREACH_NET_PROHIB, "net_prohib" },
- { ICMP_UNREACH_NET_PROHIB, "host_prohib" },
- { ICMP_UNREACH_TOSNET, "tosnet" },
- { ICMP_UNREACH_TOSHOST, "toshost" },
- { ICMP_UNREACH_ADMIN_PROHIBIT, "admin_prohibit" },
- { -2, NULL }
-};
-
-static icmp_subtype_t redirectnames[] = {
- { ICMP_REDIRECT_NET, "net" },
- { ICMP_REDIRECT_HOST, "host" },
- { ICMP_REDIRECT_TOSNET, "tosnet" },
- { ICMP_REDIRECT_TOSHOST, "toshost" },
- { -2, NULL }
-};
-
-static icmp_subtype_t timxceednames[] = {
- { ICMP_TIMXCEED_INTRANS, "transit" },
- { ICMP_TIMXCEED_REASS, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t paramnames[] = {
- { ICMP_PARAMPROB_ERRATPTR, "errata_pointer" },
- { ICMP_PARAMPROB_OPTABSENT, "optmissing" },
- { ICMP_PARAMPROB_LENGTH, "length" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes[] = {
- { ICMP_ECHOREPLY, NULL, 0, "echoreply" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_UNREACH, icmpunreachnames,
- IST_SZ(icmpunreachnames),"unreach" },
- { ICMP_SOURCEQUENCH, NULL, 0, "sourcequench" },
- { ICMP_REDIRECT, redirectnames,
- IST_SZ(redirectnames), "redirect" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_ECHO, NULL, 0, "echo" },
- { ICMP_ROUTERADVERT, NULL, 0, "routeradvert" },
- { ICMP_ROUTERSOLICIT, NULL, 0, "routersolicit" },
- { ICMP_TIMXCEED, timxceednames,
- IST_SZ(timxceednames), "timxceed" },
- { ICMP_PARAMPROB, paramnames,
- IST_SZ(paramnames), "paramprob" },
- { ICMP_TSTAMP, NULL, 0, "timestamp" },
- { ICMP_TSTAMPREPLY, NULL, 0, "timestampreply" },
- { ICMP_IREQ, NULL, 0, "inforeq" },
- { ICMP_IREQREPLY, NULL, 0, "inforeply" },
- { ICMP_MASKREQ, NULL, 0, "maskreq" },
- { ICMP_MASKREPLY, NULL, 0, "maskreply" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t icmpredirect6[] = {
- { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
- { ICMP6_DST_UNREACH_ADMIN, "admin" },
- { ICMP6_DST_UNREACH_NOTNEIGHBOR, "neighbour" },
- { ICMP6_DST_UNREACH_ADDR, "address" },
- { ICMP6_DST_UNREACH_NOPORT, "noport" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmptimexceed6[] = {
- { ICMP6_TIME_EXCEED_TRANSIT, "intransit" },
- { ICMP6_TIME_EXCEED_REASSEMBLY, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpparamprob6[] = {
- { ICMP6_PARAMPROB_HEADER, "header" },
- { ICMP6_PARAMPROB_NEXTHEADER, "nextheader" },
- { ICMP6_PARAMPROB_OPTION, "option" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpquerysubject6[] = {
- { ICMP6_NI_SUBJ_IPV6, "ipv6" },
- { ICMP6_NI_SUBJ_FQDN, "fqdn" },
- { ICMP6_NI_SUBJ_IPV4, "ipv4" },
- { -2, NULL },
-};
-
-static icmp_subtype_t icmpnodeinfo6[] = {
- { ICMP6_NI_SUCCESS, "success" },
- { ICMP6_NI_REFUSED, "refused" },
- { ICMP6_NI_UNKNOWN, "unknown" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmprenumber6[] = {
- { ICMP6_ROUTER_RENUMBERING_COMMAND, "command" },
- { ICMP6_ROUTER_RENUMBERING_RESULT, "result" },
- { ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET, "seqnum_reset" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes6[] = {
- { 0, NULL, 0, NULL },
- { ICMP6_DST_UNREACH, icmpredirect6,
- IST_SZ(icmpredirect6), "unreach" },
- { ICMP6_PACKET_TOO_BIG, NULL, 0, "toobig" },
- { ICMP6_TIME_EXCEEDED, icmptimexceed6,
- IST_SZ(icmptimexceed6), "timxceed" },
- { ICMP6_PARAM_PROB, icmpparamprob6,
- IST_SZ(icmpparamprob6), "paramprob" },
- { ICMP6_ECHO_REQUEST, NULL, 0, "echo" },
- { ICMP6_ECHO_REPLY, NULL, 0, "echoreply" },
- { ICMP6_MEMBERSHIP_QUERY, icmpquerysubject6,
- IST_SZ(icmpquerysubject6), "groupmemberquery" },
- { ICMP6_MEMBERSHIP_REPORT,NULL, 0, "groupmemberreport" },
- { ICMP6_MEMBERSHIP_REDUCTION,NULL, 0, "groupmemberterm" },
- { ND_ROUTER_SOLICIT, NULL, 0, "routersolicit" },
- { ND_ROUTER_ADVERT, NULL, 0, "routeradvert" },
- { ND_NEIGHBOR_SOLICIT, NULL, 0, "neighborsolicit" },
- { ND_NEIGHBOR_ADVERT, NULL, 0, "neighboradvert" },
- { ND_REDIRECT, NULL, 0, "redirect" },
- { ICMP6_ROUTER_RENUMBERING, icmprenumber6,
- IST_SZ(icmprenumber6), "routerrenumber" },
- { ICMP6_WRUREQUEST, NULL, 0, "whoareyourequest" },
- { ICMP6_WRUREPLY, NULL, 0, "whoareyoureply" },
- { ICMP6_FQDN_QUERY, NULL, 0, "fqdnquery" },
- { ICMP6_FQDN_REPLY, NULL, 0, "fqdnreply" },
- { ICMP6_NI_QUERY, icmpnodeinfo6,
- IST_SZ(icmpnodeinfo6), "nodeinforequest" },
- { ICMP6_NI_REPLY, NULL, 0, "nodeinforeply" },
- { MLD6_MTRACE_RESP, NULL, 0, "mtraceresponse" },
- { MLD6_MTRACE, NULL, 0, "mtracerequest" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
-int type;
-icmp_subtype_t *table;
-size_t tablesz;
-{
- icmp_subtype_t *ist;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].ist_val))
- return NULL;
-
- i = type;
- if (table[type].ist_val == type)
- return table + type;
-
- for (i = 0, ist = table; ist->ist_val != -2; i++, ist++)
- if (ist->ist_val == type)
- return ist;
- return NULL;
-}
-
-
-static icmp_type_t *find_icmptype(type, table, tablesz)
-int type;
-icmp_type_t *table;
-size_t tablesz;
-{
- icmp_type_t *it;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].it_val))
- return NULL;
-
- i = type;
- if (table[type].it_val == type)
- return table + type;
-
- for (i = 0, it = table; it->it_val != -2; i++, it++)
- if (it->it_val == type)
- return it;
- return NULL;
-}
-
-
-static void handlehup(sig)
-int sig;
-{
- FILE *fp;
-
- signal(SIGHUP, handlehup);
- if (logfile && (fp = fopen(logfile, "a")))
- newlog = fp;
- init_tabs();
- donehup = 1;
-}
-
-
-static void init_tabs()
-{
- struct protoent *p;
- struct servent *s;
- char *name, **tab;
- int port;
-
- if (protocols != NULL) {
- free(protocols);
- protocols = NULL;
- }
- protocols = (char **)malloc(256 * sizeof(*protocols));
- if (protocols != NULL) {
- bzero((char *)protocols, 256 * sizeof(*protocols));
-
- setprotoent(1);
- while ((p = getprotoent()) != NULL)
- if (p->p_proto >= 0 && p->p_proto <= 255 &&
- p->p_name != NULL && protocols[p->p_proto] == NULL)
- protocols[p->p_proto] = strdup(p->p_name);
- endprotoent();
- }
-
- if (udp_ports != NULL) {
- free(udp_ports);
- udp_ports = NULL;
- }
- udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
- if (udp_ports != NULL)
- bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
-
- if (tcp_ports != NULL) {
- free(tcp_ports);
- tcp_ports = NULL;
- }
- tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
- if (tcp_ports != NULL)
- bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
-
- setservent(1);
- while ((s = getservent()) != NULL) {
- if (s->s_proto == NULL)
- continue;
- else if (!strcmp(s->s_proto, "tcp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = tcp_ports;
- } else if (!strcmp(s->s_proto, "udp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = udp_ports;
- } else
- continue;
- if ((port < 0 || port > 65535) || (name == NULL))
- continue;
- tab[port] = strdup(name);
- }
- endservent();
-}
-
-
-static char *getproto(p)
-u_int p;
-{
- static char pnum[4];
- char *s;
-
- p &= 0xff;
- s = protocols ? protocols[p] : NULL;
- if (s == NULL) {
- sprintf(pnum, "%u", p);
- s = pnum;
- }
- return s;
-}
-
-
-static int read_log(fd, lenp, buf, bufsize)
-int fd, bufsize, *lenp;
-char *buf;
-{
- int nr;
-
- nr = read(fd, buf, bufsize);
- if (!nr)
- return 2;
- if ((nr < 0) && (errno != EINTR))
- return -1;
- *lenp = nr;
- return 0;
-}
-
-
-char *hostname(res, v, ip)
-int res, v;
-u_32_t *ip;
-{
-# define MAX_INETA 16
- static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct hostent *hp;
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *ip;
- if (!res)
- return inet_ntoa(ipa);
- hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET);
- if (!hp)
- return inet_ntoa(ipa);
- sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name,
- inet_ntoa(ipa));
- return hname;
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-char *portname(res, proto, port)
-int res;
-char *proto;
-u_int port;
-{
- static char pname[8];
- char *s;
-
- port = ntohs(port);
- port &= 0xffff;
- (void) sprintf(pname, "%u", port);
- if (!res || (opts & OPT_PORTNUM))
- return pname;
- s = NULL;
- if (!strcmp(proto, "tcp"))
- s = tcp_ports[port];
- else if (!strcmp(proto, "udp"))
- s = udp_ports[port];
- if (s == NULL)
- s = pname;
- return s;
-}
-
-
-static char *icmpname(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmptype(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-static char *icmpname6(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes6, sizeof(icmptypes6) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmpv6type(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-
-static void dumphex(log, buf, len)
-FILE *log;
-u_char *buf;
-int len;
-{
- char line[80];
- int i, j, k;
- u_char *s = buf, *t = (u_char *)line;
-
- if (len == 0 || buf == 0)
- return;
- *line = '\0';
-
- for (i = len, j = 0; i; i--, j++, s++) {
- if (j && !(j & 0xf)) {
- *t++ = '\n';
- *t = '\0';
- if (!(opts & OPT_SYSLOG))
- fputs(line, log);
- else
- syslog(LOG_INFO, "%s", line);
- t = (u_char *)line;
- *t = '\0';
- }
- sprintf((char *)t, "%02x", *s & 0xff);
- t += 2;
- if (!((j + 1) & 0xf)) {
- s -= 15;
- sprintf((char *)t, " ");
- t += 8;
- for (k = 16; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
- s--;
- }
-
- if ((j + 1) & 0xf)
- *t++ = ' ';;
- }
-
- if (j & 0xf) {
- for (k = 16 - (j & 0xf); k; k--) {
- *t++ = ' ';
- *t++ = ' ';
- *t++ = ' ';
- }
- sprintf((char *)t, " ");
- t += 7;
- s -= j & 0xf;
- for (k = j & 0xf; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
- *t++ = '\n';
- *t = '\0';
- }
- if (!(opts & OPT_SYSLOG)) {
- fputs(line, log);
- fflush(log);
- } else
- syslog(LOG_INFO, "%s", line);
-}
-
-static void print_natlog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct natlog *nl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line;
- struct tm *tm;
- int res, i, len;
- char *proto;
-
- nl = (struct natlog *)((char *)ipl + IPLOG_SIZE);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = localtime((time_t *)&ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
- t += strlen(t);
-
- if (nl->nl_type == NL_NEWMAP)
- strcpy(t, "NAT:MAP ");
- else if (nl->nl_type == NL_NEWRDR)
- strcpy(t, "NAT:RDR ");
- else if (nl->nl_type == NL_EXPIRE)
- strcpy(t, "NAT:EXPIRE ");
- else if (nl->nl_type == NL_FLUSH)
- strcpy(t, "NAT:FLUSH ");
- else if (nl->nl_type == NL_NEWBIMAP)
- strcpy(t, "NAT:BIMAP ");
- else if (nl->nl_type == NL_NEWBLOCK)
- strcpy(t, "NAT:MAPBLOCK ");
- else
- sprintf(t, "Type: %d ", nl->nl_type);
- t += strlen(t);
-
- proto = getproto(nl->nl_p);
-
- (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
- portname(res, proto, (u_int)nl->nl_inport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
- portname(res, proto, (u_int)nl->nl_outport));
- t += strlen(t);
- (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport));
- t += strlen(t);
- if (nl->nl_type == NL_EXPIRE) {
-#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd Bytes %qd",
- (long long)nl->nl_pkts,
- (long long)nl->nl_bytes);
-#else
- (void) sprintf(t, " Pkts %ld Bytes %ld",
- nl->nl_pkts, nl->nl_bytes);
-#endif
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_statelog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct ipslog *sl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line, *proto;
- struct tm *tm;
- int res, i, len;
-
- sl = (struct ipslog *)((char *)ipl + IPLOG_SIZE);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = localtime((time_t *)&ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
-
- if (sl->isl_type == ISL_NEW)
- strcpy(t, "STATE:NEW ");
- else if (sl->isl_type == ISL_EXPIRE) {
- if ((sl->isl_p == IPPROTO_TCP) &&
- (sl->isl_state[0] > TCPS_ESTABLISHED ||
- sl->isl_state[1] > TCPS_ESTABLISHED))
- strcpy(t, "STATE:CLOSE ");
- else
- strcpy(t, "STATE:EXPIRE ");
- } else if (sl->isl_type == ISL_FLUSH)
- strcpy(t, "STATE:FLUSH ");
- else if (sl->isl_type == ISL_REMOVE)
- strcpy(t, "STATE:REMOVE ");
- else
- sprintf(t, "Type: %d ", sl->isl_type);
- t += strlen(t);
-
- proto = getproto(sl->isl_p);
-
- if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
- (void) sprintf(t, "%s,%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
- portname(res, proto, (u_int)sl->isl_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- portname(res, proto, (u_int)sl->isl_dport), proto);
- } else if (sl->isl_p == IPPROTO_ICMP) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- } else if (sl->isl_p == IPPROTO_ICMPV6) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- }
- t += strlen(t);
- if (sl->isl_type != ISL_NEW) {
-#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd Bytes %qd",
- (long long)sl->isl_pkts,
- (long long)sl->isl_bytes);
-#else
- (void) sprintf(t, " Pkts %ld Bytes %ld",
- sl->isl_pkts, sl->isl_bytes);
-#endif
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_log(logtype, log, buf, blen)
-FILE *log;
-char *buf;
-int logtype, blen;
-{
- iplog_t *ipl;
- char *bp = NULL, *bpo = NULL;
- int psize;
-
- while (blen > 0) {
- ipl = (iplog_t *)buf;
- if ((u_long)ipl & (sizeof(long)-1)) {
- if (bp)
- bpo = bp;
- bp = (char *)malloc(blen);
- bcopy((char *)ipl, bp, blen);
- if (bpo) {
- free(bpo);
- bpo = NULL;
- }
- buf = bp;
- continue;
- }
- if (ipl->ipl_magic != IPL_MAGIC) {
- /* invalid data or out of sync */
- break;
- }
- psize = ipl->ipl_dsize;
- switch (logtype)
- {
- case IPL_LOGIPF :
- print_ipflog(log, buf, psize);
- break;
- case IPL_LOGNAT :
- print_natlog(log, buf, psize);
- break;
- case IPL_LOGSTATE :
- print_statelog(log, buf, psize);
- break;
- }
-
- blen -= psize;
- buf += psize;
- }
- if (bp)
- free(bp);
- return;
-}
-
-
-static void print_ipflog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- tcphdr_t *tp;
- struct icmp *ic;
- struct icmp *icmp;
- struct tm *tm;
- char *t, *proto;
- int i, v, lvl, res, len, off, plen, ipoff;
- ip_t *ipc, *ip;
- u_short hl, p;
- ipflog_t *ipf;
- iplog_t *ipl;
- u_32_t *s, *d;
-#ifdef USE_INET6
- ip6_t *ip6;
-#endif
-
- ipl = (iplog_t *)buf;
- ipf = (ipflog_t *)((char *)buf + IPLOG_SIZE);
- ip = (ip_t *)((char *)ipf + sizeof(*ipf));
- v = ip->ip_v;
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- t = line;
- *t = '\0';
- tm = localtime((time_t *)&ipl->ipl_sec);
-#ifdef linux
- if (v == 4)
- ip->ip_len = ntohs(ip->ip_len);
-#endif
-
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
- if (ipl->ipl_count > 1) {
- (void) sprintf(t, "%dx ", ipl->ipl_count);
- t += strlen(t);
- }
-#if (SOLARIS || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
- {
- char ifname[sizeof(ipf->fl_ifname) + 1];
-
- strncpy(ifname, (char *)ipf->fl_ifname, sizeof(ipf->fl_ifname));
- ifname[sizeof(ipf->fl_ifname)] = '\0';
- (void) sprintf(t, "%s", ifname);
- t += strlen(t);
-# if SOLARIS
- if (isalpha(*(t - 1))) {
- sprintf(t, "%d", ipf->fl_unit);
- t += strlen(t);
- }
-# endif
- }
-#else
- for (len = 0; len < 3; len++)
- if (ipf->fl_ifname[len] == '\0')
- break;
- if (ipf->fl_ifname[len])
- len++;
- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
- t += strlen(t);
-#endif
- if (ipf->fl_group == 0xffffffff)
- strcat(t, " @-1:");
- else
- (void) sprintf(t, " @%u:", ipf->fl_group);
- t += strlen(t);
- if (ipf->fl_rule == 0xffffffff)
- strcat(t, "-1 ");
- else
- (void) sprintf(t, "%u ", ipf->fl_rule + 1);
- t += strlen(t);
-
- if (ipf->fl_flags & FF_SHORT) {
- *t++ = 'S';
- lvl = LOG_ERR;
- } else if (ipf->fl_flags & FR_PASS) {
- if (ipf->fl_flags & FR_LOG)
- *t++ = 'p';
- else
- *t++ = 'P';
- lvl = LOG_NOTICE;
- } else if (ipf->fl_flags & FR_BLOCK) {
- if (ipf->fl_flags & FR_LOG)
- *t++ = 'b';
- else
- *t++ = 'B';
- lvl = LOG_WARNING;
- } else if (ipf->fl_flags & FF_LOGNOMATCH) {
- *t++ = 'n';
- lvl = LOG_NOTICE;
- } else {
- *t++ = 'L';
- lvl = LOG_INFO;
- }
- if (ipf->fl_loglevel != 0xffff)
- lvl = ipf->fl_loglevel;
- *t++ = ' ';
- *t = '\0';
-
- if (v == 6) {
-#ifdef USE_INET6
- off = 0;
- ipoff = 0;
- hl = sizeof(ip6_t);
- ip6 = (ip6_t *)ip;
- p = (u_short)ip6->ip6_nxt;
- s = (u_32_t *)&ip6->ip6_src;
- d = (u_32_t *)&ip6->ip6_dst;
- plen = hl + ntohs(ip6->ip6_plen);
-#else
- sprintf(t, "ipv6");
- goto printipflog;
-#endif
- } else if (v == 4) {
- hl = (ip->ip_hl << 2);
- ipoff = ip->ip_off;
- off = ipoff & IP_OFFMASK;
- p = (u_short)ip->ip_p;
- s = (u_32_t *)&ip->ip_src;
- d = (u_32_t *)&ip->ip_dst;
- plen = ip->ip_len;
- } else {
- goto printipflog;
- }
- proto = getproto(p);
-
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
- tp = (tcphdr_t *)((char *)ip + hl);
- if (!(ipf->fl_flags & FF_SHORT)) {
- (void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
- portname(res, proto, (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu %hu",
- hostname(res, v, d),
- portname(res, proto, (u_int)tp->th_dport),
- proto, hl, plen);
- t += strlen(t);
-
- if (p == IPPROTO_TCP) {
- *t++ = ' ';
- *t++ = '-';
- for (i = 0; tcpfl[i].value; i++)
- if (tp->th_flags & tcpfl[i].value)
- *t++ = tcpfl[i].flag;
- if (opts & OPT_VERBOSE) {
- (void) sprintf(t, " %lu %lu %hu",
- (u_long)(ntohl(tp->th_seq)),
- (u_long)(ntohl(tp->th_ack)),
- ntohs(tp->th_win));
- t += strlen(t);
- }
- }
- *t = '\0';
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu %hu",
- hostname(res, v, d), proto, hl, plen);
- }
- } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
- hostname(res, v, d), hl, plen,
- icmpname6(ic->icmp_type, ic->icmp_code));
- } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
- hostname(res, v, d), hl, plen,
- icmpname(ic->icmp_type, ic->icmp_code));
- if (ic->icmp_type == ICMP_UNREACH ||
- ic->icmp_type == ICMP_SOURCEQUENCH ||
- ic->icmp_type == ICMP_PARAMPROB ||
- ic->icmp_type == ICMP_REDIRECT ||
- ic->icmp_type == ICMP_TIMXCEED) {
- ipc = &ic->icmp_ip;
- i = ntohs(ipc->ip_len);
- ipoff = ntohs(ipc->ip_off);
- proto = getproto(ipc->ip_p);
-
- if (!(ipoff & IP_OFFMASK) &&
- ((ipc->ip_p == IPPROTO_TCP) ||
- (ipc->ip_p == IPPROTO_UDP))) {
- tp = (tcphdr_t *)((char *)ipc + hl);
- t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- HOSTNAME_V4(res, ipc->ip_src),
- portname(res, proto,
- (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- HOSTNAME_V4(res, ipc->ip_dst),
- portname(res, proto,
- (u_int)tp->th_dport),
- proto, ipc->ip_hl << 2, i);
- } else if (!(ipoff & IP_OFFMASK) &&
- (ipc->ip_p == IPPROTO_ICMP)) {
- icmp = (icmphdr_t *)((char *)ipc + hl);
-
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t,
- " %s PR icmp len %hu %hu icmp %d/%d",
- HOSTNAME_V4(res, ipc->ip_dst),
- ipc->ip_hl << 2, i,
- icmp->icmp_type, icmp->icmp_code);
-
- } else {
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t, " %s PR %s len %hu (%hu)",
- HOSTNAME_V4(res, ipc->ip_dst), proto,
- ipc->ip_hl << 2, i);
- t += strlen(t);
- if (ipoff & IP_OFFMASK) {
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
- ntohs(ipc->ip_id),
- i - (ipc->ip_hl<<2),
- (ipoff & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- }
- }
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
- hostname(res, v, d), proto, hl, plen);
- t += strlen(t);
- if (off & IP_OFFMASK)
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
- ntohs(ip->ip_id),
- plen - hl, (off & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- t += strlen(t);
-
- if (ipf->fl_flags & FR_KEEPSTATE) {
- (void) strcpy(t, " K-S");
- t += strlen(t);
- }
-
- if (ipf->fl_flags & FR_KEEPFRAG) {
- (void) strcpy(t, " K-F");
- t += strlen(t);
- }
-
- if (ipf->fl_dir == 0)
- strcpy(t, " IN");
- else if (ipf->fl_dir == 1)
- strcpy(t, " OUT");
- t += strlen(t);
-printipflog:
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(lvl, "%s", line);
- else
- (void) fprintf(log, "%s", line);
- if (opts & OPT_HEXHDR)
- dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
- if (opts & OPT_HEXBODY)
- dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
- else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
- dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen);
-}
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
- exit(1);
-}
-
-
-static void write_pid(file)
-char *file;
-{
- FILE *fp = NULL;
- int fd;
-
- if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0)
- fp = fdopen(fd, "w");
- if (!fp) {
- close(fd);
- fprintf(stderr, "unable to open/create pid file: %s\n", file);
- return;
- }
- fprintf(fp, "%d", getpid());
- fclose(fp);
- close(fd);
-}
-
-
-static void flushlogs(file, log)
-char *file;
-FILE *log;
-{
- int fd, flushed = 0;
-
- if ((fd = open(file, O_RDWR)) == -1) {
- (void) fprintf(stderr, "%s: open: %s\n",
- file, STRERROR(errno));
- exit(1);
- }
-
- if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
- printf("%d bytes flushed from log buffer\n",
- flushed);
- fflush(stdout);
- } else
- perror("SIOCIPFFB");
- (void) close(fd);
-
- if (flushed) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%d bytes flushed from log\n",
- flushed);
- else if (log != stdout)
- fprintf(log, "%d bytes flushed from log\n", flushed);
- }
-}
-
-
-static void logopts(turnon, options)
-int turnon;
-char *options;
-{
- int flags = 0;
- char *s;
-
- for (s = options; *s; s++)
- {
- switch (*s)
- {
- case 'N' :
- flags |= OPT_NAT;
- break;
- case 'S' :
- flags |= OPT_STATE;
- break;
- case 'I' :
- flags |= OPT_FILTER;
- break;
- default :
- fprintf(stderr, "Unknown log option %c\n", *s);
- exit(1);
- }
- }
-
- if (turnon)
- opts |= flags;
- else
- opts &= ~(flags);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int fdt[3], devices = 0, make_daemon = 0;
- char buf[IPLLOGSIZE], *iplfile[3], *s;
- int fd[3], doread, n, i;
- extern char *optarg;
- extern int optind;
- int regular[3], c;
- FILE *log = stdout;
- struct stat sb;
- size_t nr, tr;
-
- fd[0] = fd[1] = fd[2] = -1;
- fdt[0] = fdt[1] = fdt[2] = -1;
- iplfile[0] = IPL_NAME;
- iplfile[1] = IPNAT_NAME;
- iplfile[2] = IPSTATE_NAME;
-
- while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1)
- switch (c)
- {
- case 'a' :
- opts |= OPT_LOGALL;
- fdt[0] = IPL_LOGIPF;
- fdt[1] = IPL_LOGNAT;
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'b' :
- opts |= OPT_LOGBODY;
- break;
- case 'D' :
- make_daemon = 1;
- break;
- case 'f' : case 'I' :
- opts |= OPT_FILTER;
- fdt[0] = IPL_LOGIPF;
- iplfile[0] = optarg;
- break;
- case 'F' :
- flushlogs(iplfile[0], log);
- flushlogs(iplfile[1], log);
- flushlogs(iplfile[2], log);
- break;
- case 'n' :
- opts |= OPT_RESOLVE;
- break;
- case 'N' :
- opts |= OPT_NAT;
- fdt[1] = IPL_LOGNAT;
- iplfile[1] = optarg;
- break;
- case 'o' : case 'O' :
- logopts(c == 'o', optarg);
- fdt[0] = fdt[1] = fdt[2] = -1;
- if (opts & OPT_FILTER)
- fdt[0] = IPL_LOGIPF;
- if (opts & OPT_NAT)
- fdt[1] = IPL_LOGNAT;
- if (opts & OPT_STATE)
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'p' :
- opts |= OPT_PORTNUM;
- break;
- case 'P' :
- pidfile = optarg;
- break;
- case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
- opts |= OPT_SYSLOG;
- log = NULL;
- break;
- case 'S' :
- opts |= OPT_STATE;
- fdt[2] = IPL_LOGSTATE;
- iplfile[2] = optarg;
- break;
- case 't' :
- opts |= OPT_TAIL;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'x' :
- opts |= OPT_HEXBODY;
- break;
- case 'X' :
- opts |= OPT_HEXHDR;
- break;
- default :
- case 'h' :
- case '?' :
- usage(argv[0]);
- }
-
- init_tabs();
-
- /*
- * Default action is to only open the filter log file.
- */
- if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
- fdt[0] = IPL_LOGIPF;
-
- for (i = 0; i < 3; i++) {
- if (fdt[i] == -1)
- continue;
- if (!strcmp(iplfile[i], "-"))
- fd[i] = 0;
- else {
- if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
- (void) fprintf(stderr,
- "%s: open: %s\n", iplfile[i],
- STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (fstat(fd[i], &sb) == -1) {
- (void) fprintf(stderr, "%d: fstat: %s\n",
- fd[i], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (!(regular[i] = !S_ISCHR(sb.st_mode)))
- devices++;
- }
- }
-
- if (!(opts & OPT_SYSLOG)) {
- logfile = argv[optind];
- log = logfile ? fopen(logfile, "a") : stdout;
- if (log == NULL) {
- (void) fprintf(stderr, "%s: fopen: %s\n",
- argv[optind], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setvbuf(log, NULL, _IONBF, 0);
- } else
- log = NULL;
-
- if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
-#if BSD
- daemon(0, !(opts & OPT_SYSLOG));
-#else
- int pid;
- if ((pid = fork()) > 0)
- exit(0);
- if (pid < 0) {
- (void) fprintf(stderr, "%s: fork() failed: %s\n",
- argv[0], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setsid();
- if ((opts & OPT_SYSLOG))
- close(2);
-#endif /* !BSD */
- close(0);
- close(1);
- }
- write_pid(pidfile);
-
- signal(SIGHUP, handlehup);
-
- for (doread = 1; doread; ) {
- nr = 0;
-
- for (i = 0; i < 3; i++) {
- tr = 0;
- if (fdt[i] == -1)
- continue;
- if (!regular[i]) {
- if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT,
- "ioctl(FIONREAD): %m");
- else
- perror("ioctl(FIONREAD)");
- exit(1);
- /* NOTREACHED */
- }
- } else {
- tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
- if (!tr && !(opts & OPT_TAIL))
- doread = 0;
- }
- if (!tr)
- continue;
- nr += tr;
-
- tr = read_log(fd[i], &n, buf, sizeof(buf));
- if (donehup) {
- donehup = 0;
- if (newlog) {
- fclose(log);
- log = newlog;
- newlog = NULL;
- }
- }
-
- switch (tr)
- {
- case -1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "read: %m\n");
- else
- perror("read");
- doread = 0;
- break;
- case 1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "aborting logging\n");
- else
- fprintf(log, "aborting logging\n");
- doread = 0;
- break;
- case 2 :
- break;
- case 0 :
- if (n > 0) {
- print_log(fdt[i], log, buf, n);
- if (!(opts & OPT_SYSLOG))
- fflush(log);
- }
- break;
- }
- }
- if (!nr && ((opts & OPT_TAIL) || devices))
- sleep(1);
- }
- exit(0);
- /* NOTREACHED */
-}
diff --git a/contrib/ipfilter/ipmon.h b/contrib/ipfilter/ipmon.h
index a240836..6d14e52 100644
--- a/contrib/ipfilter/ipmon.h
+++ b/contrib/ipfilter/ipmon.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
deleted file mode 100644
index 69e7959..0000000
--- a/contrib/ipfilter/ipnat.c
+++ /dev/null
@@ -1,433 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <nlist.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-#include "kmem.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.25 2003/06/05 14:00:28 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-int use_inet6 = 0;
-char thishost[MAXHOSTNAMELEN];
-
-extern char *optarg;
-extern int optind;
-#if 0
-extern ipnat_t *natparse __P((char *, int));
-#endif
-extern void natparsefile __P((int, char *, int));
-extern void printnat __P((ipnat_t *, int));
-extern void printactivenat __P((nat_t *, int));
-extern void printhostmap __P((hostmap_t *, u_int));
-extern char *getsumd __P((u_32_t));
-
-static int dostats __P((natstat_t *, int));
-static int flushtable __P((int, int));
-void usage __P((char *));
-int countbits __P((u_32_t));
-char *getnattype __P((ipnat_t *));
-int main __P((int, char*[]));
-void printaps __P((ap_session_t *, int));
-static int showhostmap __P((natstat_t *nsp));
-static int natstat_dead __P((natstat_t *, char *));
-
-
-void usage(name)
-char *name;
-{
- fprintf(stderr, "Usage: %s [-CFhlnrsv] [-f filename]\n", name);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- natstat_t ns, *nsp = &ns;
- char *file, *core, *kernel;
- int fd, opts, c, mode;
-
- fd = -1;
- opts = 0;
- file = NULL;
- core = NULL;
- kernel = NULL;
- mode = O_RDWR;
-
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1)
- switch (c)
- {
- case 'C' :
- opts |= OPT_CLEAR;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- file = optarg;
- break;
- case 'F' :
- opts |= OPT_FLUSH;
- break;
- case 'h' :
- opts |=OPT_HITS;
- break;
- case 'l' :
- opts |= OPT_LIST;
- mode = O_RDONLY;
- break;
- case 'M' :
- core = optarg;
- break;
- case 'N' :
- kernel = optarg;
- break;
- case 'n' :
- opts |= OPT_NODO;
- mode = O_RDONLY;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- mode = O_RDONLY;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case '?' :
- default :
- usage(argv[0]);
- }
-
- if (optind < 2)
- usage(argv[0]);
-
- if ((kernel != NULL) || (core != NULL)) {
- (void) setgid(getgid());
- (void) setuid(getuid());
- }
-
- bzero((char *)&ns, sizeof(ns));
-
- gethostname(thishost, sizeof(thishost));
- thishost[sizeof(thishost) - 1] = '\0';
-
- if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) {
- if (openkmem(kernel, core) == -1)
- exit(1);
-
- if (((fd = open(IPL_NAT, mode)) == -1) &&
- ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
- (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
- STRERROR(errno));
- if (errno == ENODEV)
- fprintf(stderr, "IPFilter enabled?\n");
- exit(1);
- }
- if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
- perror("ioctl(SIOCGNATS)");
- exit(1);
- }
- (void) setgid(getgid());
- (void) setuid(getuid());
- } else if ((kernel != NULL) || (core != NULL)) {
- if (openkmem(kernel, core) == -1)
- exit(1);
-
- if (natstat_dead(nsp, kernel))
- exit(1);
- if (opts & (OPT_LIST|OPT_STAT)) {
- if (dostats(nsp, opts))
- exit(1);
- }
- exit(0);
- }
-
- if (opts & (OPT_FLUSH|OPT_CLEAR))
- if (flushtable(fd, opts))
- exit(1);
- if (file) {
- /* NB natparsefile exits with nonzero in case of error */
- natparsefile(fd, file, opts);
- }
- if (opts & (OPT_LIST|OPT_STAT))
- if (dostats(nsp, opts))
- exit(1);
-
- /* TBD why not exit(0)? */
- return 0;
-}
-
-
-/*
- * Read NAT statistic information in using a symbol table and memory file
- * rather than doing ioctl's.
- */
-static int natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
-{
- struct nlist nat_nlist[10] = {
- { "nat_table" }, /* 0 */
- { "nat_list" },
- { "maptable" },
- { "ipf_nattable_sz" },
- { "ipf_natrules_sz" },
- { "ipf_rdrrules_sz" }, /* 5 */
- { "ipf_hostmap_sz" },
- { "nat_instances" },
- { "ap_sess_list" },
- { NULL }
- };
- void *tables[2];
-
- if (nlist(kernel, nat_nlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return -1;
- }
-
- /*
- * Normally the ioctl copies all of these values into the structure
- * for us, before returning it to userland, so here we must copy each
- * one in individually.
- */
- kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
- nsp->ns_table[0] = tables[0];
- nsp->ns_table[1] = tables[1];
-
- kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
- sizeof(nsp->ns_list));
- kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
- sizeof(nsp->ns_maptable));
- kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
- sizeof(nsp->ns_nattab_sz));
- kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
- sizeof(nsp->ns_rultab_sz));
- kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
- sizeof(nsp->ns_rdrtab_sz));
- kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
- sizeof(nsp->ns_hostmap_sz));
- kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
- sizeof(nsp->ns_instances));
- kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
- sizeof(nsp->ns_apslist));
-
- return 0;
-}
-
-
-/*
- * Display NAT statistics.
- */
-static int dostats(nsp, opts)
-natstat_t *nsp;
-int opts;
-{
- nat_t **nt[2], *np, nat;
- ipnat_t ipn;
- int rc = 0;
-
- /*
- * Show statistics ?
- */
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- nsp->ns_mapped[0], nsp->ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- nsp->ns_added, nsp->ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_rules);
- printf("wilds\t%u\n", nsp->ns_wilds);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n",
- nsp->ns_table, nsp->ns_list);
- }
-
- /*
- * Show list of NAT rules and NAT sessions ?
- */
- if (opts & OPT_LIST) {
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- rc = -1;
- break;
- }
- if (opts & OPT_HITS)
- printf("%d ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
- }
-
- nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
- if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0],
- sizeof(**nt) * NAT_SIZE)) {
- perror("kmemcpy");
- rc = -1;
- }
- if (rc) {
- free(nt[0]);
- return rc;
- }
-
- printf("\nList of active sessions:\n");
-
- for (np = nsp->ns_instances; np; np = nat.nat_next) {
- if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) {
- /* TBD Is this an error? If so, return -1 */
- break;
- }
- printactivenat(&nat, opts);
- }
-
- if (opts & OPT_VERBOSE) {
- if (showhostmap(nsp)) {
- free(nt[0]);
- return -1;
- }
- }
-
- free(nt[0]);
- }
- return 0;
-}
-
-
-/*
- * Display the active host mapping table.
- */
-static int showhostmap(nsp)
-natstat_t *nsp;
-{
- hostmap_t hm, *hmp, **maptable;
- u_int hv;
-
- printf("\nList of active host mappings:\n");
-
- maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
- nsp->ns_hostmap_sz);
- if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
- sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
- perror("kmemcpy (maptable)");
- free(maptable);
- return -1;
- }
-
- for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
- hmp = maptable[hv];
-
- while (hmp) {
- if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
- perror("kmemcpy (hostmap)");
- free(maptable);
- return -1;
- }
-
- printhostmap(&hm, hv);
- hmp = hm.hm_next;
- }
- }
- free(maptable);
- return 0;
-}
-
-
-/*
- * Issue an ioctl to flush either the NAT rules table or the active mapping
- * table or both.
- */
-static int flushtable(fd, opts)
-int fd, opts;
-{
- int n = 0;
- int rc = 0;
-
- if (opts & OPT_FLUSH) {
- n = 0;
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) {
- perror("ioctl(SIOCFLNAT)");
- rc = -1;
- } else {
- printf("%d entries flushed from NAT table\n", n);
- }
- }
-
- if (opts & OPT_CLEAR) {
- n = 1;
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) {
- perror("ioctl(SIOCCNATL)");
- rc = -1;
- } else {
- printf("%d entries flushed from NAT list\n", n);
- }
- }
-
- return rc;
-}
diff --git a/contrib/ipfilter/ipsd/Celler/ip_compat.h b/contrib/ipfilter/ipsd/Celler/ip_compat.h
index 8b43cb9..5793776 100644
--- a/contrib/ipfilter/ipsd/Celler/ip_compat.h
+++ b/contrib/ipfilter/ipsd/Celler/ip_compat.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1995 by Darren Reed.
diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c
index 3d9ea4c..970b47e 100644
--- a/contrib/ipfilter/ipsd/ipsd.c
+++ b/contrib/ipfilter/ipsd/ipsd.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed.
diff --git a/contrib/ipfilter/ipsd/ipsd.h b/contrib/ipfilter/ipsd/ipsd.h
index 48f5911..f898c99 100644
--- a/contrib/ipfilter/ipsd/ipsd.h
+++ b/contrib/ipfilter/ipsd/ipsd.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed.
diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c
index 4689cba..df8b9a8 100644
--- a/contrib/ipfilter/ipsd/ipsdr.c
+++ b/contrib/ipfilter/ipsd/ipsdr.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed.
diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h
index 2fadfcf..88eb67a 100644
--- a/contrib/ipfilter/ipsd/linux.h
+++ b/contrib/ipfilter/ipsd/linux.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1997-1998 by Darren Reed.
diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c
index 29a7200..6d4f83d 100644
--- a/contrib/ipfilter/ipsd/sbpf.c
+++ b/contrib/ipfilter/ipsd/sbpf.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c
index 289ad2f..b7515f1 100644
--- a/contrib/ipfilter/ipsd/sdlpi.c
+++ b/contrib/ipfilter/ipsd/sdlpi.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c
index 3b786b0..c084795 100644
--- a/contrib/ipfilter/ipsd/slinux.c
+++ b/contrib/ipfilter/ipsd/slinux.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c
index 8f25026..0d5a52a 100644
--- a/contrib/ipfilter/ipsd/snit.c
+++ b/contrib/ipfilter/ipsd/snit.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsend/.OLD/ip_compat.h b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
index 3b62be1..b5b8f07 100644
--- a/contrib/ipfilter/ipsend/.OLD/ip_compat.h
+++ b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1995 by Darren Reed.
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c
index 4206355..1063d3a 100644
--- a/contrib/ipfilter/ipsend/44arp.c
+++ b/contrib/ipfilter/ipsend/44arp.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Based upon 4.4BSD's /usr/sbin/arp
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
index 0e8f556..f90fc3c 100644
--- a/contrib/ipfilter/ipsend/arp.c
+++ b/contrib/ipfilter/ipsend/arp.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* arp.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/dlcommon.c b/contrib/ipfilter/ipsend/dlcommon.c
index 6e351f0..c6b6e8a 100644
--- a/contrib/ipfilter/ipsend/dlcommon.c
+++ b/contrib/ipfilter/ipsend/dlcommon.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Common (shared) DLPI test routines.
diff --git a/contrib/ipfilter/ipsend/dltest.h b/contrib/ipfilter/ipsend/dltest.h
index 9fafd91..086782c 100644
--- a/contrib/ipfilter/ipsend/dltest.h
+++ b/contrib/ipfilter/ipsend/dltest.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Common DLPI Test Suite header file
diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c
index 69f962c..9cc7299 100644
--- a/contrib/ipfilter/ipsend/hpux.c
+++ b/contrib/ipfilter/ipsend/hpux.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1997-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsend/in_var.h b/contrib/ipfilter/ipsend/in_var.h
index f228bbb..3523f77 100644
--- a/contrib/ipfilter/ipsend/in_var.h
+++ b/contrib/ipfilter/ipsend/in_var.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/* @(#)in_var.h 1.3 88/08/19 SMI; from UCB 7.1 6/5/86 */
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index 8302806..cc9f6b9 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* ip.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/ip_var.h b/contrib/ipfilter/ipsend/ip_var.h
index b08f4e7..ab9813e 100644
--- a/contrib/ipfilter/ipsend/ip_var.h
+++ b/contrib/ipfilter/ipsend/ip_var.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */
diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1
index cffc6f3..6761a18 100644
--- a/contrib/ipfilter/ipsend/ipresend.1
+++ b/contrib/ipfilter/ipsend/ipresend.1
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPRESEND 1
.SH NAME
diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c
index 1db54e1..3a11d83 100644
--- a/contrib/ipfilter/ipsend/ipresend.c
+++ b/contrib/ipfilter/ipsend/ipresend.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* ipresend.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/ipsend.1 b/contrib/ipfilter/ipsend/ipsend.1
index 33320f3..7f0a8e3 100644
--- a/contrib/ipfilter/ipsend/ipsend.1
+++ b/contrib/ipfilter/ipsend/ipsend.1
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPSEND 1
.SH NAME
diff --git a/contrib/ipfilter/ipsend/ipsend.5 b/contrib/ipfilter/ipsend/ipsend.5
index 40b186a..cd5842c 100644
--- a/contrib/ipfilter/ipsend/ipsend.5
+++ b/contrib/ipfilter/ipsend/ipsend.5
@@ -359,7 +359,7 @@ should be routing packets via another route. The redirect code names are:
Echo.
.TP
.B routerad
-Router Advertisment.
+Router Advertisement.
.TP
.B routersol
Router solicitation.
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 80faef2..06be711 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -2,21 +2,12 @@
/*
* ipsend.c (C) 1995-1998 Darren Reed
*
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp";
#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@@ -24,21 +15,19 @@
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/ip_icmp.h>
#ifndef linux
-#include <netinet/ip_var.h>
+# include <netinet/ip_var.h>
#endif
#include "ipsend.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-/* static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.3 2001/07/15 22:00:14 darrenr Exp $"; */
-static const char rcsid[] = "@(#)$FreeBSD$";
+#include "ipf.h"
+#ifndef linux
+# include <netinet/udp_var.h>
#endif
@@ -48,27 +37,27 @@ extern void iplang __P((FILE *));
char options[68];
int opts;
-#ifdef linux
+#ifdef linux
char default_device[] = "eth0";
#else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
+# ifdef ultrix
char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
+# else
+# ifdef __bsdi__
char default_device[] = "ef0";
-# else
-# ifdef __sgi
+# else
+# ifdef __sgi
char default_device[] = "ec0";
-# else
+# else
+# ifdef __hpux
char default_device[] = "lan0";
-# endif
-# endif
-# endif
-# endif
-#endif
+# else
+char default_device[] = "le0";
+# endif /* __hpux */
+# endif /* __sgi */
+# endif /* __bsdi__ */
+# endif /* ultrix */
+#endif /* linux */
static void usage __P((char *));
@@ -163,13 +152,9 @@ int mtu;
ip_t *ip;
struct in_addr gwip;
{
- u_short sport = 0;
- int wfd;
-
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- sport = ((struct tcpiphdr *)ip)->ti_sport;
- wfd = initdevice(dev, sport, 5);
+ int wfd;
+ wfd = initdevice(dev, 5);
return send_packet(wfd, mtu, ip, gwip);
}
@@ -187,7 +172,7 @@ udpcksum(ip_t *ip, struct udphdr *udp, int len)
u_short w[6];
} ph;
u_32_t temp32;
- u_short cksum, *opts;
+ u_short *opts;
ph.h.len = htons(len);
ph.h.ttl = 0;
@@ -210,8 +195,6 @@ int argc;
char **argv;
{
FILE *langfile = NULL;
- struct tcpiphdr *ti;
- struct udpiphdr *ui;
struct in_addr gwip;
tcphdr_t *tcp;
udphdr_t *udp;
@@ -225,15 +208,12 @@ char **argv;
* 65535 is maximum packet size...you never know...
*/
ip = (ip_t *)calloc(1, 65536);
- ti = (struct tcpiphdr *)ip;
- ui = (struct udpiphdr *)ip;
- tcp = (tcphdr_t *)&ti->ti_sport;
- udp = (udphdr_t *)&ui->ui_sport;
- ui->ui_ulen = htons(sizeof(*udp));
+ tcp = (tcphdr_t *)(ip + 1);
+ udp = (udphdr_t *)tcp;
ip->ip_len = sizeof(*ip);
- ip->ip_hl = sizeof(*ip) >> 2;
+ IP_HL_A(ip, sizeof(*ip) >> 2);
- while ((c = getopt(argc, argv, "I:L:P:TUdf:i:g:m:o:s:t:vw:")) != -1)
+ while ((c = getopt(argc, argv, "I:L:P:TUdf:i:g:m:o:s:t:vw:")) != -1) {
switch (c)
{
case 'I' :
@@ -327,7 +307,7 @@ char **argv;
break;
case 'o' :
nonl++;
- olen = buildopts(optarg, options, (ip->ip_hl - 5) << 2);
+ olen = buildopts(optarg, options, (IP_HL(ip) - 5) << 2);
break;
case 's' :
nonl++;
@@ -352,6 +332,7 @@ char **argv;
fprintf(stderr, "Unknown option \"%c\"\n", c);
usage(name);
}
+ }
if (argc - optind < 1)
usage(name);
@@ -383,11 +364,6 @@ char **argv;
exit(2);
}
- if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP) {
- fprintf(stderr,"Unsupported protocol %d\n", ip->ip_p);
- exit(2);
- }
-
if (olen)
{
int hlen;
@@ -395,22 +371,24 @@ char **argv;
printf("Options: %d\n", olen);
hlen = sizeof(*ip) + olen;
- ip->ip_hl = hlen >> 2;
+ IP_HL_A(ip, hlen >> 2);
ip->ip_len += olen;
p = (char *)malloc(65536);
- if(!p)
+ if (p == NULL)
{
- fprintf(stderr,"malloc failed\n");
+ fprintf(stderr, "malloc failed\n");
exit(2);
- }
+ }
+
bcopy(ip, p, sizeof(*ip));
bcopy(options, p + sizeof(*ip), olen);
bcopy(ip + 1, p + hlen, ip->ip_len - hlen);
ip = (ip_t *)p;
+
if (ip->ip_p == IPPROTO_TCP) {
- tcp = (tcphdr_t *)((char *)ip + hlen);
- } else {
- udp = (udphdr_t *)((char *)ip + hlen);
+ tcp = (tcphdr_t *)(p + hlen);
+ } else if (ip->ip_p == IPPROTO_UDP) {
+ udp = (udphdr_t *)(p + hlen);
}
}
@@ -450,11 +428,11 @@ char **argv;
if (ip->ip_p == IPPROTO_UDP) {
udp->uh_sum = 0;
- udpcksum(ip, udp, (ip->ip_len) - (ip->ip_hl << 2));
+ udpcksum(ip, udp, ip->ip_len - (IP_HL(ip) << 2));
}
#ifdef DOSOCKET
if (ip->ip_p == IPPROTO_TCP && tcp->th_dport)
- return do_socket(dev, mtu, (struct tcpiphdr *)ip, gwip);
+ return do_socket(dev, mtu, ip, gwip);
#endif
return send_packets(dev, mtu, ip, gwip);
}
diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h
index be98c1b..91cfa6c 100644
--- a/contrib/ipfilter/ipsend/ipsend.h
+++ b/contrib/ipfilter/ipsend/ipsend.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* ipsend.h (C) 1997-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c
index 7f16705..a85f162 100644
--- a/contrib/ipfilter/ipsend/ipsopt.c
+++ b/contrib/ipfilter/ipsend/ipsopt.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
diff --git a/contrib/ipfilter/ipsend/iptest.1 b/contrib/ipfilter/ipsend/iptest.1
index ca74094..8f25f4a 100644
--- a/contrib/ipfilter/ipsend/iptest.1
+++ b/contrib/ipfilter/ipsend/iptest.1
@@ -1,3 +1,5 @@
+.\" $FreeBSD$
+.\"
.TH IPTEST 1
.SH NAME
iptest \- automatically generate a packets to test IP functionality
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
index 45f8f3a..0e81ec5 100644
--- a/contrib/ipfilter/ipsend/iptest.c
+++ b/contrib/ipfilter/ipsend/iptest.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 4805caf..51715d8 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -1,35 +1,38 @@
+/* $FreeBSD$ */
+
/*
* Copyright (C) 1993-1998 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
+ *
*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
+#if !defined(lint)
+static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: iptests.c,v 2.8.2.3 2004/04/16 23:33:04 darrenr Exp";
#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
+#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
-#include <sys/param.h>
-#define _KERNEL
-#define KERNEL
-#if !defined(solaris) && !defined(linux) && !defined(__sgi)
-# include <sys/file.h>
-#else
-# ifdef solaris
-# include <sys/dditypes.h>
+#if !defined(__osf__)
+# define _KERNEL
+# define KERNEL
+# if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux)
+# include <sys/file.h>
+# else
+# ifdef solaris
+# include <sys/dditypes.h>
+# endif
# endif
+# undef _KERNEL
+# undef KERNEL
#endif
-#undef _KERNEL
-#undef KERNEL
#if !defined(solaris) && !defined(linux) && !defined(__sgi)
# include <nlist.h>
# include <sys/user.h>
# include <sys/proc.h>
#endif
-#if !defined(ultrix) && !defined(hpux) && !defined(linux) && !defined(__sgi)
+#if !defined(ultrix) && !defined(hpux) && !defined(linux) && \
+ !defined(__sgi) && !defined(__osf__)
# include <kvm.h>
#endif
#ifndef ultrix
@@ -50,11 +53,17 @@
#endif
#include <netinet/in_systm.h>
#include <sys/socket.h>
+#ifdef __hpux
+# define _NET_ROUTE_INCLUDED
+#endif
#include <net/if.h>
#if defined(linux) && (LINUX >= 0200)
# include <asm/atomic.h>
#endif
#if !defined(linux)
+# if defined(__FreeBSD__)
+# include "radix_ipf.h"
+# endif
# include <net/route.h>
#else
# define __KERNEL__ /* because there's a macro not wrapped by this */
@@ -63,39 +72,38 @@
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
+#if !defined(linux)
# include <netinet/ip_var.h>
-# include <netinet/in_pcb.h>
-# include <netinet/tcp_timer.h>
-# include <netinet/tcp_var.h>
+# if !defined(__hpux)
+# include <netinet/in_pcb.h>
+# endif
#endif
#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
# include <sys/sysmacros.h>
#endif
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
-# define USE_NANOSLEEP
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef __hpux
+# undef _NET_ROUTE_INCLUDED
#endif
#include "ipsend.h"
-
-#if 0
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.8 2002/12/06 11:40:35 darrenr Exp $";
+#if !defined(linux) && !defined(__hpux)
+# include <netinet/tcp_timer.h>
+# include <netinet/tcp_var.h>
#endif
+#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
+# define USE_NANOSLEEP
#endif
-__FBSDID("$FreeBSD$");
-
-#ifdef USE_NANOSLEEP
-# define PAUSE() ts.tv_sec = 0; ts.tv_nsec = 10000000; \
+#ifdef USE_NANOSLEEP
+# define PAUSE() ts.tv_sec = 0; ts.tv_nsec = 10000000; \
(void) nanosleep(&ts, NULL)
#else
# define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
- (void) select(0, NULL, NULL, NULL, &tv)
+ (void) select(0, NULL, NULL, NULL, &tv)
#endif
@@ -106,7 +114,7 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
-#ifdef USE_NANOSLEEP
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
@@ -114,8 +122,8 @@ int ptest;
udphdr_t *u;
int nfd, i = 0, len, id = getpid();
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
+ IP_HL_A(ip, sizeof(*ip) >> 2);
+ IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
@@ -128,7 +136,7 @@ int ptest;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
len = ip->ip_len;
- nfd = initdevice(dev, u->uh_sport, 1);
+ nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
@@ -137,7 +145,7 @@ int ptest;
ip->ip_id = 0;
printf("1.1. sending packets with ip_hl < ip_len\n");
for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) {
- ip->ip_hl = i >> 2;
+ IP_HL_A(ip, i >> 2);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@@ -153,7 +161,7 @@ int ptest;
ip->ip_id = 0;
printf("1.2. sending packets with ip_hl > ip_len\n");
for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) {
- ip->ip_hl = i >> 2;
+ IP_HL_A(ip, i >> 2);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@@ -168,9 +176,9 @@ int ptest;
*/
ip->ip_id = 0;
printf("1.3. ip_v < 4\n");
- ip->ip_hl = sizeof(*ip) >> 2;
+ IP_HL_A(ip, sizeof(*ip) >> 2);
for (i = 0; i < 4; i++) {
- ip->ip_v = i;
+ IP_V_A(ip, i);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@@ -186,7 +194,7 @@ int ptest;
ip->ip_id = 0;
printf("1.4. ip_v > 4\n");
for (i = 5; i < 16; i++) {
- ip->ip_v = i;
+ IP_V_A(ip, i);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
@@ -200,13 +208,13 @@ int ptest;
* Part5: len < packet
*/
ip->ip_id = 0;
- ip->ip_v = IPVERSION;
+ IP_V_A(ip, IPVERSION);
i = ip->ip_len + 1;
printf("1.5.0 ip_len < packet size (size++, long packets)\n");
for (; i < (ip->ip_len * 2); i++) {
ip->ip_id = htons(id++);
ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
+ ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, i, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -218,7 +226,7 @@ int ptest;
ip->ip_id = htons(id++);
ip->ip_len = i;
ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
+ ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -237,7 +245,7 @@ int ptest;
ip->ip_id = htons(id++);
ip->ip_len = i;
ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
+ ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -249,7 +257,7 @@ int ptest;
for (i = len; i > 0; i--) {
ip->ip_id = htons(id++);
ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
+ ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
(void) send_ether(nfd, (char *)ip, i, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -318,14 +326,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | ((i >> 3) & 0x1fff));
+ ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
- ip->ip_off = htons((i >> 3) & 0x1fff);
+ ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@@ -352,7 +360,7 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | ((i >> 3) & 0x1fff));
+ ip->ip_off = htons(IP_MF | (i >> 3));
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@@ -362,7 +370,7 @@ int ptest;
PAUSE();
}
ip->ip_len = 896 + 20;
- ip->ip_off = htons((i >> 3) & 0x1fff);
+ ip->ip_off = htons(i >> 3);
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@@ -389,14 +397,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (32 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | ((i >> 3) & 0x1fff));
+ ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
- ip->ip_off = htons((i >> 3) & 0x1fff);
+ ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@@ -454,7 +462,7 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
-#ifdef USE_NANOSLEEP
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
@@ -463,10 +471,10 @@ int ptest;
u_char *s;
s = (u_char *)(ip + 1);
- nfd = initdevice(dev, htons(1), 1);
+ nfd = initdevice(dev, 1);
- ip->ip_hl = 6;
- ip->ip_len = ip->ip_hl << 2;
+ IP_HL_A(ip, 6);
+ ip->ip_len = IP_HL(ip) << 2;
s[IPOPT_OPTVAL] = IPOPT_NOP;
s++;
if (!ptest || (ptest == 1)) {
@@ -484,8 +492,8 @@ int ptest;
PAUSE();
}
- ip->ip_hl = 7;
- ip->ip_len = ip->ip_hl << 2;
+ IP_HL_A(ip, 7);
+ ip->ip_len = IP_HL(ip) << 2;
if (!ptest || (ptest == 1)) {
/*
* Test 2: options have length = 0
@@ -549,7 +557,7 @@ int ptest;
{
static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 };
static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 };
-#ifdef USE_NANOSLEEP
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
@@ -557,16 +565,16 @@ int ptest;
struct icmp *icp;
int nfd, i;
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
+ IP_HL_A(ip, sizeof(*ip) >> 2);
+ IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
ip->ip_p = IPPROTO_ICMP;
ip->ip_sum = 0;
ip->ip_len = sizeof(*ip) + sizeof(*icp);
- icp = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
- nfd = initdevice(dev, htons(1), 1);
+ icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
+ nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
@@ -745,7 +753,7 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
-#ifdef USE_NANOSLEEP
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
@@ -754,25 +762,25 @@ int ptest;
int nfd, i;
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
+ IP_HL_A(ip, sizeof(*ip) >> 2);
+ IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
- u = (udphdr_t *)((char *)ip + (ip->ip_hl << 2));
+ u = (udphdr_t *)((char *)ip + (IP_HL(ip) << 2));
u->uh_sport = htons(1);
u->uh_dport = htons(1);
u->uh_ulen = htons(sizeof(*u) + 4);
- nfd = initdevice(dev, u->uh_sport, 1);
+ nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
* Test 1. ulen > packet
*/
u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
+ ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.1 UDP uh_ulen > packet size - short packets\n");
for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
u->uh_ulen = htons(i);
@@ -789,7 +797,7 @@ int ptest;
* Test 2. ulen < packet
*/
u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
+ ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.2 UDP uh_ulen < packet size - short packets\n");
for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
ip->ip_len = i;
@@ -807,7 +815,7 @@ int ptest;
* sport = 32768, sport = 65535
*/
u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
+ ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.3.1 UDP sport = 0\n");
u->uh_sport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@@ -848,7 +856,7 @@ int ptest;
*/
u->uh_ulen = ntohs(sizeof(*u) + 4);
u->uh_sport = htons(1);
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
+ ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
printf("4.4.1 UDP dport = 0\n");
u->uh_dport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@@ -907,7 +915,7 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
-#ifdef USE_NANOSLEEP
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
@@ -915,11 +923,11 @@ int ptest;
tcphdr_t *t;
int nfd, i;
- t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
-#ifndef linux
+ t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
+#if !defined(linux) && !defined(__osf__)
t->th_x2 = 0;
#endif
- t->th_off = 0;
+ TCP_OFF_A(t, 0);
t->th_sport = htons(1);
t->th_dport = htons(1);
t->th_win = htons(4096);
@@ -928,13 +936,13 @@ int ptest;
t->th_seq = htonl(1);
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
- nfd = initdevice(dev, t->th_sport, 1);
+ nfd = initdevice(dev, 1);
if (!ptest || (ptest == 1)) {
/*
* Test 1: flags variations, 0 - 3f
*/
- t->th_off = sizeof(*t) >> 2;
+ TCP_OFF_A(t, sizeof(*t) >> 2);
printf("5.1 Test TCP flag combinations\n");
for (i = 0; i <= (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN);
i++) {
@@ -1058,14 +1066,13 @@ int ptest;
}
#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \
- !defined(__sgi)
+ !defined(__sgi) && !defined(__hpux) && !defined(__osf__)
{
struct tcpcb *tcbp, tcb;
struct tcpiphdr ti;
struct sockaddr_in sin;
int fd, slen;
- fd = -1;
bzero((char *)&sin, sizeof(sin));
for (i = 1; i < 63; i++) {
@@ -1134,7 +1141,7 @@ int ptest;
t->th_flags = TH_ACK;
printf("5.6.1 TCP off = 1-15, len = 40\n");
for (i = 1; i < 16; i++) {
- ti.ti_off = ntohs(i);
+ TCP_OFF_A(t, ntohs(i));
(void) send_tcp(nfd, mtu, ip, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -1150,7 +1157,7 @@ skip_five_and_six:
#endif
t->th_seq = htonl(1);
t->th_ack = htonl(1);
- t->th_off = 0;
+ TCP_OFF_A(t, 0);
if (!ptest || (ptest == 7)) {
t->th_flags = TH_SYN;
@@ -1254,7 +1261,7 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
-#ifdef USE_NANOSLEEP
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
@@ -1262,7 +1269,7 @@ int ptest;
udphdr_t *u;
int nfd, i, j, k;
- ip->ip_v = IPVERSION;
+ IP_V_A(ip, IPVERSION);
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_ttl = 60;
@@ -1273,7 +1280,7 @@ int ptest;
u->uh_dport = htons(9);
u->uh_sum = 0;
- nfd = initdevice(dev, u->uh_sport, 1);
+ nfd = initdevice(dev, 1);
u->uh_ulen = htons(7168);
printf("6. Exhaustive mbuf test.\n");
@@ -1284,7 +1291,7 @@ int ptest;
* First send the entire packet in 768 byte chunks.
*/
ip->ip_len = sizeof(*ip) + 768 + sizeof(*u);
- ip->ip_hl = sizeof(*ip) >> 2;
+ IP_HL_A(ip, sizeof(*ip) >> 2);
ip->ip_off = htons(IP_MF);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, 0);
@@ -1302,7 +1309,7 @@ int ptest;
for (j = 768; j < 3584; j += 768) {
ip->ip_len = sizeof(*ip) + 768;
- ip->ip_off = htons(IP_MF|((j>>3) & 0x1fff));
+ ip->ip_off = htons(IP_MF|(j>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, j);
fflush(stdout);
@@ -1310,7 +1317,7 @@ int ptest;
ip->ip_len = sizeof(*ip) + 128;
for (k = j - 768; k < j; k += 128) {
- ip->ip_off = htons(IP_MF|((k>>3) & 0x1fff));
+ ip->ip_off = htons(IP_MF|(k>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, k);
fflush(stdout);
@@ -1333,16 +1340,16 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
-#ifdef USE_NANOSLEEP
+ ip_t *pip;
+#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
- ip_t *pip;
int nfd, i, j;
u_char *s;
- nfd = initdevice(dev, 0, 1);
+ nfd = initdevice(dev, 1);
pip = (ip_t *)tbuf;
srand(time(NULL) ^ (getpid() * getppid()));
@@ -1352,7 +1359,7 @@ int ptest;
for (i = 0; i < 512; i++) {
for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
*s = (rand() >> 13) & 0xff;
- pip->ip_v = IPVERSION;
+ IP_V_A(pip, IPVERSION);
bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
sizeof(struct in_addr));
pip->ip_sum = 0;
@@ -1367,7 +1374,7 @@ int ptest;
for (i = 0; i < 512; i++) {
for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
*s = (rand() >> 13) & 0xff;
- pip->ip_v = IPVERSION;
+ IP_V_A(pip, IPVERSION);
pip->ip_off &= htons(0xc000);
bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
sizeof(struct in_addr));
diff --git a/contrib/ipfilter/ipsend/larp.c b/contrib/ipfilter/ipsend/larp.c
index a8e782e..1e0b169 100644
--- a/contrib/ipfilter/ipsend/larp.c
+++ b/contrib/ipfilter/ipsend/larp.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* larp.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/linux.h b/contrib/ipfilter/ipsend/linux.h
index d8296ba..a36d1bf 100644
--- a/contrib/ipfilter/ipsend/linux.h
+++ b/contrib/ipfilter/ipsend/linux.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c
index abe664e..8c6616d 100644
--- a/contrib/ipfilter/ipsend/lsock.c
+++ b/contrib/ipfilter/ipsend/lsock.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* lsock.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
index 07220df..fb2d8bd 100644
--- a/contrib/ipfilter/ipsend/resend.c
+++ b/contrib/ipfilter/ipsend/resend.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* resend.c (C) 1995-1998 Darren Reed
diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c
index 82db7ca..c25a423 100644
--- a/contrib/ipfilter/ipsend/sbpf.c
+++ b/contrib/ipfilter/ipsend/sbpf.c
@@ -3,17 +3,10 @@
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
+ *
*/
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
#include <sys/param.h>
+#include <sys/types.h>
#include <sys/mbuf.h>
#include <sys/time.h>
#include <sys/timeb.h>
@@ -38,11 +31,21 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <signal.h>
+#include <errno.h>
+
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1.4.2 2001/09/30 04:04:28 darrenr Exp $";
+static const char rcsid[] = "@(#)Id: sbpf.c,v 2.5 2002/02/24 07:30:03 darrenr Exp";
#endif
/*
@@ -52,17 +55,15 @@ static u_char *buf = NULL;
static int bufsize = 0, timeout = 1;
-int initdevice(device, sport, tout)
+int initdevice(device, tout)
char *device;
-int sport, tout;
+int tout;
{
struct bpf_version bv;
struct timeval to;
struct ifreq ifr;
char bpfname[16];
- int fd, i;
-
- fd = -1;
+ int fd = 0, i;
for (i = 0; i < 16; i++)
{
diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c
index 215223a..3ff9d4b 100644
--- a/contrib/ipfilter/ipsend/sdlpi.c
+++ b/contrib/ipfilter/ipsend/sdlpi.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c
index 39a0992..5057c4f 100644
--- a/contrib/ipfilter/ipsend/sirix.c
+++ b/contrib/ipfilter/ipsend/sirix.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed.
diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c
index 3bc7f09..1021acf 100644
--- a/contrib/ipfilter/ipsend/slinux.c
+++ b/contrib/ipfilter/ipsend/slinux.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c
index a4b19b9..b57609b 100644
--- a/contrib/ipfilter/ipsend/snit.c
+++ b/contrib/ipfilter/ipsend/snit.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index 988da4c..5020a4a 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -3,19 +3,15 @@
* sock.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
+ *
*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
+#if !defined(lint)
+static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: sock.c,v 2.8.4.1 2004/03/23 12:58:06 darrenr Exp";
#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <pwd.h>
+#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
-#include <sys/param.h>
#include <sys/stat.h>
#ifndef ultrix
#include <fcntl.h>
@@ -25,21 +21,23 @@
#else
# include <sys/dir.h>
#endif
-#define _KERNEL
-#define KERNEL
-#ifdef ultrix
-# undef LOCORE
-# include <sys/smp_lock.h>
+#if !defined(__osf__)
+# define _KERNEL
+# define KERNEL
+# ifdef ultrix
+# undef LOCORE
+# include <sys/smp_lock.h>
+# endif
+# include <sys/file.h>
+# undef _KERNEL
+# undef KERNEL
#endif
-#include <sys/file.h>
-#undef _KERNEL
-#undef KERNEL
#include <nlist.h>
#include <sys/user.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/proc.h>
-#if !defined(ultrix) && !defined(hpux)
+#if !defined(ultrix) && !defined(hpux) && !defined(__osf__)
# include <kvm.h>
#endif
#ifdef sun
@@ -57,18 +55,22 @@
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
+#if defined(__FreeBSD__)
+# include "radix_ipf.h"
+#endif
#include <net/route.h>
#include <netinet/ip_var.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <pwd.h>
#include "ipsend.h"
-#if !defined(lint)
-static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.6 2002/12/06 11:40:36 darrenr Exp $";
-#endif
-
int nproc;
struct proc *proc;
@@ -381,7 +383,7 @@ struct in_addr gwip;
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
- nfd = initdevice(dev, ntohs(lsin.sin_port), 1);
+ nfd = initdevice(dev, 1);
if (!(t = find_tcp(fd, ti)))
return -1;
diff --git a/contrib/ipfilter/ipsend/sockraw.c b/contrib/ipfilter/ipsend/sockraw.c
index 822c146..c923227 100644
--- a/contrib/ipfilter/ipsend/sockraw.c
+++ b/contrib/ipfilter/ipsend/sockraw.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)opyright 2000 Darren Reed.
diff --git a/contrib/ipfilter/ipsend/tcpip.h b/contrib/ipfilter/ipsend/tcpip.h
index 0d3e040..c609434 100644
--- a/contrib/ipfilter/ipsend/tcpip.h
+++ b/contrib/ipfilter/ipsend/tcpip.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (c) 1982, 1986, 1993
diff --git a/contrib/ipfilter/ipsend/ultrix.c b/contrib/ipfilter/ipsend/ultrix.c
deleted file mode 100644
index f41a8a9..0000000
--- a/contrib/ipfilter/ipsend/ultrix.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * (C)opyright 1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/if_ether.h>
-#include <netdnet/dli_var.h>
-
-
-static struct dli_devid dli_devid;
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- u_char *s;
- int fd;
-
- fd = socket(AF_DLI, SOCK_DGRAM, 0);
- if (fd == -1)
- perror("socket(AF_DLI,SOCK_DGRAM)");
- else {
- strncpy(dli_devid.dli_devname, device, DLI_DEVSIZE);
- dli_devid.dli_devname[DLI_DEVSIZE] ='\0';
- for (s = dli_devid.dli_devname; *s && isalpha((char)*s); s++)
- ;
- if (*s && isdigit((char)*s)) {
- dli_devid.dli_devnumber = atoi(s);
- }
- }
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- struct sockaddr_dl dl;
- struct sockaddr_edl *edl = &dl.choose_addr.dli_eaddr;
-
- dl.dli_family = AF_DLI;
- dl.dli_substructype = DLI_ETHERNET;
- bcopy((char *)&dli_devid, (char *)&dl.dli_device, sizeof(dli_devid));
- bcopy(pkt, edl->dli_target, DLI_EADDRSIZE);
- bcopy(pkt, edl->dli_dest, DLI_EADDRSIZE);
- bcopy(pkt + DLI_EADDRSIZE * 2, (char *)&edl->dli_protype, 2);
- edl->dli_ioctlflg = 0;
-
- if (sendto(fd, pkt, len, 0, (struct sockaddr *)&dl, sizeof(dl)) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
-
-
-char *strdup(str)
-char *str;
-{
- char *s;
-
- if ((s = (char *)malloc(strlen(str) + 1)))
- return strcpy(s, str);
- return NULL;
-}
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
deleted file mode 100644
index 5a20f24..0000000
--- a/contrib/ipfilter/ipt.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# define _KMEMUSER
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi)
-#include <strings.h>
-#else
-#if !defined(__sgi)
-#include <sys/byteorder.h>
-#endif
-#include <sys/file.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-#include "ip_frag.h"
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.26 2003/11/09 17:22:21 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
-extern struct ifnet *get_unit __P((char *, int));
-extern void init_ifp __P((void));
-extern ipnat_t *natparse __P((char *, int, int *));
-extern int fr_running;
-
-int opts = 0;
-int rremove = 0;
-int use_inet6 = 0;
-int main __P((int, char *[]));
-int loadrules __P((char *));
-int kmemcpy __P((char *, long, int));
-void dumpnat __P((void));
-void dumpstate __P((void));
-char *getifname __P((void *));
-void drain_log __P((char *));
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- char *datain, *iface, *ifname, *packet, *logout;
- int fd, i, dir, c, loaded, dump, hlen;
- struct in_addr src;
- struct ifnet *ifp;
- struct ipread *r;
- u_long buf[2048];
- ip_t *ip;
-
- dir = 0;
- dump = 0;
- loaded = 0;
- r = &iptext;
- iface = NULL;
- logout = NULL;
- src.s_addr = 0;
- ifname = "anon0";
- datain = NULL;
-
- nat_init();
- fr_stateinit();
- initparse();
- ipflog_init();
- fr_running = 1;
-
- while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:Rs:STvxX")) != -1)
- switch (c)
- {
- case '6' :
-#ifdef USE_INET6
- use_inet6 = 1;
- break;
-#else
- fprintf(stderr, "IPv6 not supported\n");
- exit(1);
-#endif
- case 'b' :
- opts |= OPT_BRIEF;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'D' :
- dump = 1;
- break;
- case 'i' :
- datain = optarg;
- break;
- case 'I' :
- ifname = optarg;
- break;
- case 'l' :
- logout = optarg;
- break;
- case 'o' :
- opts |= OPT_SAVEOUT;
- break;
- case 'r' :
- if (loadrules(optarg) == -1)
- return -1;
- loaded = 1;
- break;
- case 's' :
- src.s_addr = inet_addr(optarg);
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'E' :
- r = &etherf;
- break;
- case 'H' :
- r = &iphex;
- break;
- case 'N' :
- opts |= OPT_NAT;
- break;
- case 'P' :
- r = &pcap;
- break;
- case 'R' :
- rremove = 1;
- break;
- case 'S' :
- r = &snoop;
- break;
- case 'T' :
- r = &tcpd;
- break;
- case 'x' :
- opts |= OPT_HEX;
- break;
- case 'X' :
- r = &iptext;
- break;
- }
-
- if (loaded == 0) {
- (void)fprintf(stderr,"no rules loaded\n");
- exit(-1);
- }
-
- if (opts & OPT_SAVEOUT)
- init_ifp();
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = (ip_t *)buf;
- while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
- &iface, &dir)) > 0) {
- if (iface == NULL || *iface == '\0')
- iface = ifname;
- ifp = get_unit(iface, ip->ip_v);
- hlen = 0;
- if (!use_inet6) {
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
- hlen = ip->ip_hl << 2;
- if (src.s_addr != 0) {
- if (src.s_addr == ip->ip_src.s_addr)
- dir = 1;
- else if (src.s_addr == ip->ip_dst.s_addr)
- dir = 0;
- }
- }
-#ifdef USE_INET6
- else
- hlen = sizeof(ip6_t);
-#endif
- if (opts & OPT_VERBOSE) {
- printf("%s on [%s]: ", dir ? "out" : "in",
- (iface && *iface) ? iface : "??");
- }
- packet = (char *)buf;
- /* ipfr_slowtimer(); */
- i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet);
- if ((opts & OPT_NAT) == 0)
- switch (i)
- {
- case -5 :
- (void)printf("block return-icmp-as-dest");
- break;
- case -4 :
- (void)printf("block return-icmp");
- break;
- case -3 :
- (void)printf("block return-rst");
- break;
- case -2 :
- (void)printf("auth");
- break;
- case -1 :
- (void)printf("block");
- break;
- case 0 :
- (void)printf("pass");
- break;
- case 1 :
- (void)printf("nomatch");
- break;
- }
- if (!use_inet6) {
- ip->ip_off = htons(ip->ip_off);
- ip->ip_len = htons(ip->ip_len);
- }
-
- if (!(opts & OPT_BRIEF)) {
- putchar(' ');
- printpacket((ip_t *)buf);
- printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket((ip_t *)buf);
-#ifndef linux
- if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL))
-# if defined(__sgi) && (IRIX < 605)
- (*ifp->if_output)(ifp, (void *)packet, NULL);
-# else
- (*ifp->if_output)(ifp, (void *)packet, NULL, 0);
-# endif
-#endif
- if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
- putchar('\n');
- dir = 0;
- if (iface != ifname) {
- free(iface);
- iface = ifname;
- }
- }
- (*r->r_close)();
-
- if (logout != NULL) {
- drain_log(logout);
- }
-
- if (dump == 1) {
- dumpnat();
- dumpstate();
- }
-
- return 0;
-}
-
-
-/*
- * Load in either NAT or ipf rules from a file, which is treated as stdin
- * if the name is "-". NOTE, stdin can only be used once as the file is
- * closed after use.
- */
-int loadrules(file)
-char *file;
-{
- char line[513], *s;
- int linenum, i;
- void *fr;
- FILE *fp;
- int parsestatus;
-
- if (!strcmp(file, "-"))
- fp = stdin;
- else if (!(fp = fopen(file, "r"))) {
- (void)fprintf(stderr, "couldn't open %s\n", file);
- return (-1);
- }
-
- if (!(opts & OPT_BRIEF))
- (void)printf("opening rule file \"%s\"\n", file);
-
- linenum = 0;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- linenum++;
-
- /*
- * treat both CR and LF as EOL
- */
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
-
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- /* fake an `ioctl' call :) */
-
- if ((opts & OPT_NAT) != 0) {
- parsestatus = 1;
- fr = natparse(line, linenum, &parsestatus);
- if (parsestatus != 0) {
- if (*line) {
- fprintf(stderr,
- "%d: syntax error in \"%s\"\n",
- linenum, line);
- }
- fprintf(stderr, "%s: %s error (%d), quitting\n",
- file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
- if (!fr)
- continue;
-
- if (rremove == 0) {
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADNAT,%p,1) = %d\n",
- fr, i);
- } else {
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(RMNAT,%p,1) = %d\n",
- fr, i);
- }
- } else {
- fr = parse(line, linenum, &parsestatus);
-
- if (parsestatus != 0) {
- fprintf(stderr, "%s: %s error (%d), quitting\n",
- file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
-
- if (!fr) {
- continue;
- }
-
- if (rremove == 0) {
- i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADAFR,%p,1) = %d\n",
- fr, i);
- } else {
- i = IPL_EXTERN(ioctl)(0, SIOCRMAFR,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(RMAFR,%p,1) = %d\n",
- fr, i);
- }
- }
- }
- (void)fclose(fp);
-
- return 0;
-}
-
-
-int kmemcpy(addr, offset, size)
-char *addr;
-long offset;
-int size;
-{
- bcopy((char *)offset, addr, size);
- return 0;
-}
-
-
-/*
- * Display the built up NAT table rules and mapping entries.
- */
-void dumpnat()
-{
- ipnat_t *ipn;
- nat_t *nat;
-
- printf("List of active MAP/Redirect filters:\n");
- for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
- printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- printf("\nList of active sessions:\n");
- for (nat = nat_instances; nat; nat = nat->nat_next)
- printactivenat(nat, opts);
-}
-
-
-/*
- * Display the built up state table rules and mapping entries.
- */
-void dumpstate()
-{
- ipstate_t *ips;
-
- printf("List of active state sessions:\n");
- for (ips = ips_list; ips != NULL; )
- ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE));
-}
-
-
-/*
- * Given a pointer to an interface in the kernel, return a pointer to a
- * string which is the interface name.
- */
-char *getifname(ptr)
-void *ptr;
-{
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
-#else
- char buf[32], *s;
- int len;
-#endif
- struct ifnet netif;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- return strdup(netif.if_xname);
-#else
- if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- for (s = buf; *s && !isdigit(*s); s++)
- ;
- if (isdigit(*s))
- *s = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-#endif
-}
-
-
-void drain_log(filename)
-char *filename;
-{
- char buffer[IPLLOGSIZE];
- struct iovec iov;
- struct uio uio;
- size_t resid;
- int fd;
-
- fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
- if (fd == -1) {
- perror("drain_log:open");
- return;
- }
-
- while (1) {
- bzero((char *)&iov, sizeof(iov));
- iov.iov_base = buffer;
- iov.iov_len = sizeof(buffer);
-
- bzero((char *)&uio, sizeof(uio));
- uio.uio_iov = &iov;
- uio.uio_iovcnt = 1;
- uio.uio_resid = iov.iov_len;
- resid = uio.uio_resid;
-
- if (ipflog_read(0, &uio) == 0) {
- /*
- * If nothing was read then break out.
- */
- if (uio.uio_resid == resid)
- break;
- write(fd, buffer, resid - uio.uio_resid);
- } else
- break;
- }
-
- close(fd);
-}
diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h
index 6a14fe5..57d8b46 100644
--- a/contrib/ipfilter/ipt.h
+++ b/contrib/ipfilter/ipt.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
deleted file mode 100644
index 5723ba3..0000000
--- a/contrib/ipfilter/kmem.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * kmemcpy() - copies n bytes from kernel memory into user buffer.
- * returns 0 on success, -1 on error.
- */
-
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <sys/file.h>
-#ifndef __sgi
-#include <kvm.h>
-#endif
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-
-#include "kmem.h"
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "ipf.h"
-
-
-#ifndef __STDC__
-# define const
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.18 2003/11/09 17:22:22 darrenr Exp $";
-#endif
-
-#ifdef __sgi
-typedef int kvm_t;
-
-static int kvm_fd = -1;
-static char *kvm_errstr = NULL;
-
-kvm_t *kvm_open(kernel, core, swap, mode, errstr)
-char *kernel, *core, *swap;
-int mode;
-char *errstr;
-{
- kvm_errstr = errstr;
-
- if (core == NULL)
- core = "/dev/kmem";
- kvm_fd = open(core, mode);
- return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
-}
-
-int kvm_read(kvm, pos, buffer, size)
-kvm_t *kvm;
-u_long pos;
-char *buffer;
-size_t size;
-{
- size_t left;
- char *bufp;
- int r;
-
- if (lseek(*kvm, pos, 0) == -1) {
- if (kvm_errstr != NULL) {
- fprintf(stderr, "%s:", kvm_errstr);
- perror("lseek");
- }
- return -1;
- }
-
- for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
- r = read(*kvm, bufp, 1);
- if (r <= 0)
- return -1;
- }
- return size;
-}
-#endif
-
-static kvm_t *kvm_f = NULL;
-
-int openkmem(kern, core)
-char *kern, *core;
-{
- union {
- int ui;
- kvm_t *uk;
- } k;
-
- kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL);
- if (kvm_f == NULL)
- {
- perror("openkmem:open");
- return -1;
- }
- k.uk = kvm_f;
- return k.ui;
-}
-
-int kmemcpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
-
- if (kvm_f == NULL)
- if (openkmem(NULL, NULL) == -1)
- return -1;
-
- while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
- if (r <= 0)
- {
- fprintf(stderr, "pos=0x%x ", (u_int)pos);
- perror("kmemcpy:read");
- return -1;
- }
- else
- {
- buf += r;
- pos += r;
- n -= r;
- }
- return 0;
-}
-
-int kstrncpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
-
- if (kvm_f == NULL)
- if (openkmem(NULL, NULL) == -1)
- return -1;
-
- while (n > 0)
- {
- r = kvm_read(kvm_f, pos, buf, (size_t)1);
- if (r <= 0)
- {
- fprintf(stderr, "pos=0x%x ", (u_int)pos);
- perror("kstrncpy:read");
- return -1;
- }
- else
- {
- if (*buf == '\0')
- break;
- buf++;
- pos++;
- n--;
- }
- }
- return 0;
-}
-
-
-/*
- * Given a pointer to an interface in the kernel, return a pointer to a
- * string which is the interface name.
- */
-char *getifname(ptr)
-void *ptr;
-{
-#if SOLARIS
- char *ifname;
- ill_t ill;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
- return "X";
- ifname = malloc(ill.ill_name_length + 1);
- if (kmemcpy(ifname, (u_long)ill.ill_name,
- ill.ill_name_length) == -1)
- return "X";
- return ifname;
-#else
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
-#else
- char buf[32];
- int len;
-# endif
- struct ifnet netif;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- return strdup(netif.if_xname);
-# else
- if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-# endif
-#endif
-}
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
index 7cb6635..38b97b4 100644
--- a/contrib/ipfilter/kmem.h
+++ b/contrib/ipfilter/kmem.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
index 68c41de..5c44a37 100644
--- a/contrib/ipfilter/l4check/l4check.c
+++ b/contrib/ipfilter/l4check/l4check.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* (C)Copyright March, 2000 - Darren Reed.
diff --git a/contrib/ipfilter/lib/addicmp.c b/contrib/ipfilter/lib/addicmp.c
index a8c1722..eb6e8a7 100644
--- a/contrib/ipfilter/lib/addicmp.c
+++ b/contrib/ipfilter/lib/addicmp.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/addipopt.c b/contrib/ipfilter/lib/addipopt.c
index 23f4427..e775184 100644
--- a/contrib/ipfilter/lib/addipopt.c
+++ b/contrib/ipfilter/lib/addipopt.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/addkeep.c b/contrib/ipfilter/lib/addkeep.c
index 3f20fb4..5765c52 100644
--- a/contrib/ipfilter/lib/addkeep.c
+++ b/contrib/ipfilter/lib/addkeep.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/bcopywrap.c b/contrib/ipfilter/lib/bcopywrap.c
index 939137b..4c68930 100644
--- a/contrib/ipfilter/lib/bcopywrap.c
+++ b/contrib/ipfilter/lib/bcopywrap.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/binprint.c b/contrib/ipfilter/lib/binprint.c
index afa4910..6d99218 100644
--- a/contrib/ipfilter/lib/binprint.c
+++ b/contrib/ipfilter/lib/binprint.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/buildopts.c b/contrib/ipfilter/lib/buildopts.c
index a35649b..92686f6 100644
--- a/contrib/ipfilter/lib/buildopts.c
+++ b/contrib/ipfilter/lib/buildopts.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/checkrev.c b/contrib/ipfilter/lib/checkrev.c
index 28032ce..882aeb7 100644
--- a/contrib/ipfilter/lib/checkrev.c
+++ b/contrib/ipfilter/lib/checkrev.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/count4bits.c b/contrib/ipfilter/lib/count4bits.c
index 0f2187f..56b4c86 100644
--- a/contrib/ipfilter/lib/count4bits.c
+++ b/contrib/ipfilter/lib/count4bits.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/count6bits.c b/contrib/ipfilter/lib/count6bits.c
index bd4e9f8..fe1bf4b 100644
--- a/contrib/ipfilter/lib/count6bits.c
+++ b/contrib/ipfilter/lib/count6bits.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/debug.c b/contrib/ipfilter/lib/debug.c
index 1510222..58974c1 100644
--- a/contrib/ipfilter/lib/debug.c
+++ b/contrib/ipfilter/lib/debug.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/extras.c b/contrib/ipfilter/lib/extras.c
index 0f7f39f..5d3c8dc 100644
--- a/contrib/ipfilter/lib/extras.c
+++ b/contrib/ipfilter/lib/extras.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/facpri.c b/contrib/ipfilter/lib/facpri.c
index 1e35ea9..4637916 100644
--- a/contrib/ipfilter/lib/facpri.c
+++ b/contrib/ipfilter/lib/facpri.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/facpri.h b/contrib/ipfilter/lib/facpri.h
index e8eef2b..c902086 100644
--- a/contrib/ipfilter/lib/facpri.h
+++ b/contrib/ipfilter/lib/facpri.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1999-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/fill6bits.c b/contrib/ipfilter/lib/fill6bits.c
index 8f23a6f..12e6579 100644
--- a/contrib/ipfilter/lib/fill6bits.c
+++ b/contrib/ipfilter/lib/fill6bits.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/flags.c b/contrib/ipfilter/lib/flags.c
index df6645d..543d61b 100644
--- a/contrib/ipfilter/lib/flags.c
+++ b/contrib/ipfilter/lib/flags.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/genmask.c b/contrib/ipfilter/lib/genmask.c
index 06f6404..178c466 100644
--- a/contrib/ipfilter/lib/genmask.c
+++ b/contrib/ipfilter/lib/genmask.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/gethost.c b/contrib/ipfilter/lib/gethost.c
index a03168a..f9034cc 100644
--- a/contrib/ipfilter/lib/gethost.c
+++ b/contrib/ipfilter/lib/gethost.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/getifname.c b/contrib/ipfilter/lib/getifname.c
index 94c9c9c..35acb32 100644
--- a/contrib/ipfilter/lib/getifname.c
+++ b/contrib/ipfilter/lib/getifname.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/getline.c b/contrib/ipfilter/lib/getline.c
index 61c00ba..137068f 100644
--- a/contrib/ipfilter/lib/getline.c
+++ b/contrib/ipfilter/lib/getline.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/getnattype.c b/contrib/ipfilter/lib/getnattype.c
index c783d6f..90d7ba4 100644
--- a/contrib/ipfilter/lib/getnattype.c
+++ b/contrib/ipfilter/lib/getnattype.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/getport.c b/contrib/ipfilter/lib/getport.c
index 7cf903d..99e1d4f 100644
--- a/contrib/ipfilter/lib/getport.c
+++ b/contrib/ipfilter/lib/getport.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/getportproto.c b/contrib/ipfilter/lib/getportproto.c
index 17efa43..02e3c20 100644
--- a/contrib/ipfilter/lib/getportproto.c
+++ b/contrib/ipfilter/lib/getportproto.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include <ctype.h>
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/getproto.c b/contrib/ipfilter/lib/getproto.c
index c75f137..2581e28 100644
--- a/contrib/ipfilter/lib/getproto.c
+++ b/contrib/ipfilter/lib/getproto.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/getsumd.c b/contrib/ipfilter/lib/getsumd.c
index 11ecc57..44ff3aa 100644
--- a/contrib/ipfilter/lib/getsumd.c
+++ b/contrib/ipfilter/lib/getsumd.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/hexdump.c b/contrib/ipfilter/lib/hexdump.c
index 4eb3b9ad..f6cc156 100644
--- a/contrib/ipfilter/lib/hexdump.c
+++ b/contrib/ipfilter/lib/hexdump.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include <ctype.h>
diff --git a/contrib/ipfilter/lib/hostmask.c b/contrib/ipfilter/lib/hostmask.c
index 67755f8..b6ea5ad 100644
--- a/contrib/ipfilter/lib/hostmask.c
+++ b/contrib/ipfilter/lib/hostmask.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/hostname.c b/contrib/ipfilter/lib/hostname.c
index a0109da..c4950e9 100644
--- a/contrib/ipfilter/lib/hostname.c
+++ b/contrib/ipfilter/lib/hostname.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/hostnum.c b/contrib/ipfilter/lib/hostnum.c
index c62e4a1..f517860 100644
--- a/contrib/ipfilter/lib/hostnum.c
+++ b/contrib/ipfilter/lib/hostnum.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/icmpcode.c b/contrib/ipfilter/lib/icmpcode.c
index 17e1ba4..c458d28 100644
--- a/contrib/ipfilter/lib/icmpcode.c
+++ b/contrib/ipfilter/lib/icmpcode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/inet_addr.c b/contrib/ipfilter/lib/inet_addr.c
index 5ccf6a9..287e5ff 100644
--- a/contrib/ipfilter/lib/inet_addr.c
+++ b/contrib/ipfilter/lib/inet_addr.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* ++Copyright++ 1983, 1990, 1993
diff --git a/contrib/ipfilter/lib/initparse.c b/contrib/ipfilter/lib/initparse.c
index 676774c..1f565d2 100644
--- a/contrib/ipfilter/lib/initparse.c
+++ b/contrib/ipfilter/lib/initparse.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ionames.c b/contrib/ipfilter/lib/ionames.c
index 9e4602b..0f7060b 100644
--- a/contrib/ipfilter/lib/ionames.c
+++ b/contrib/ipfilter/lib/ionames.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipf_dotuning.c b/contrib/ipfilter/lib/ipf_dotuning.c
index c9416ff..fb5af2d 100644
--- a/contrib/ipfilter/lib/ipf_dotuning.c
+++ b/contrib/ipfilter/lib/ipf_dotuning.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
#include "ipl.h"
diff --git a/contrib/ipfilter/lib/ipft_ef.c b/contrib/ipfilter/lib/ipft_ef.c
index eebc417..b9a7054 100644
--- a/contrib/ipfilter/lib/ipft_ef.c
+++ b/contrib/ipfilter/lib/ipft_ef.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipft_hx.c b/contrib/ipfilter/lib/ipft_hx.c
index 3cc8ec5..4e0f98e 100644
--- a/contrib/ipfilter/lib/ipft_hx.c
+++ b/contrib/ipfilter/lib/ipft_hx.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipft_pc.c b/contrib/ipfilter/lib/ipft_pc.c
index 3678d78..9b7da65 100644
--- a/contrib/ipfilter/lib/ipft_pc.c
+++ b/contrib/ipfilter/lib/ipft_pc.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipft_sn.c b/contrib/ipfilter/lib/ipft_sn.c
index 1458821..61ce875 100644
--- a/contrib/ipfilter/lib/ipft_sn.c
+++ b/contrib/ipfilter/lib/ipft_sn.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipft_td.c b/contrib/ipfilter/lib/ipft_td.c
index b278c72..e6367ff 100644
--- a/contrib/ipfilter/lib/ipft_td.c
+++ b/contrib/ipfilter/lib/ipft_td.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c
index c77fbc4..f69aab0 100644
--- a/contrib/ipfilter/lib/ipft_tx.c
+++ b/contrib/ipfilter/lib/ipft_tx.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ipoptsec.c b/contrib/ipfilter/lib/ipoptsec.c
index 95bde9c..24a58ac 100644
--- a/contrib/ipfilter/lib/ipoptsec.c
+++ b/contrib/ipfilter/lib/ipoptsec.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/kmem.c b/contrib/ipfilter/lib/kmem.c
index 3f044bb..789219e 100644
--- a/contrib/ipfilter/lib/kmem.c
+++ b/contrib/ipfilter/lib/kmem.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/kmem.h b/contrib/ipfilter/lib/kmem.h
index 07a14f5..dc29a52 100644
--- a/contrib/ipfilter/lib/kmem.h
+++ b/contrib/ipfilter/lib/kmem.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/kmemcpywrap.c b/contrib/ipfilter/lib/kmemcpywrap.c
index 274bcb1..4eeb62d 100644
--- a/contrib/ipfilter/lib/kmemcpywrap.c
+++ b/contrib/ipfilter/lib/kmemcpywrap.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
#include "kmem.h"
diff --git a/contrib/ipfilter/lib/kvatoname.c b/contrib/ipfilter/lib/kvatoname.c
index 030c633..a3764e4 100644
--- a/contrib/ipfilter/lib/kvatoname.c
+++ b/contrib/ipfilter/lib/kvatoname.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/load_hash.c b/contrib/ipfilter/lib/load_hash.c
index 4fc042b..4a13624 100644
--- a/contrib/ipfilter/lib/load_hash.c
+++ b/contrib/ipfilter/lib/load_hash.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/load_hashnode.c b/contrib/ipfilter/lib/load_hashnode.c
index 186ba05..cf42280 100644
--- a/contrib/ipfilter/lib/load_hashnode.c
+++ b/contrib/ipfilter/lib/load_hashnode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/load_pool.c b/contrib/ipfilter/lib/load_pool.c
index 5fab311..65ea05d 100644
--- a/contrib/ipfilter/lib/load_pool.c
+++ b/contrib/ipfilter/lib/load_pool.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/load_poolnode.c b/contrib/ipfilter/lib/load_poolnode.c
index e9d233f..eb17481 100644
--- a/contrib/ipfilter/lib/load_poolnode.c
+++ b/contrib/ipfilter/lib/load_poolnode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/loglevel.c b/contrib/ipfilter/lib/loglevel.c
index 31b4f17..4dc875f 100644
--- a/contrib/ipfilter/lib/loglevel.c
+++ b/contrib/ipfilter/lib/loglevel.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/make_range.c b/contrib/ipfilter/lib/make_range.c
index 9ec3ca3..ae576df 100644
--- a/contrib/ipfilter/lib/make_range.c
+++ b/contrib/ipfilter/lib/make_range.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/mutex_emul.c b/contrib/ipfilter/lib/mutex_emul.c
index 43b7f76..10472e5 100644
--- a/contrib/ipfilter/lib/mutex_emul.c
+++ b/contrib/ipfilter/lib/mutex_emul.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/nametokva.c b/contrib/ipfilter/lib/nametokva.c
index 50f3077..b2854d6 100644
--- a/contrib/ipfilter/lib/nametokva.c
+++ b/contrib/ipfilter/lib/nametokva.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/nat_setgroupmap.c b/contrib/ipfilter/lib/nat_setgroupmap.c
index ce64abb..5c732b1 100644
--- a/contrib/ipfilter/lib/nat_setgroupmap.c
+++ b/contrib/ipfilter/lib/nat_setgroupmap.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/natparse.c b/contrib/ipfilter/lib/natparse.c
index adbbeb9..de5b388 100644
--- a/contrib/ipfilter/lib/natparse.c
+++ b/contrib/ipfilter/lib/natparse.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ntomask.c b/contrib/ipfilter/lib/ntomask.c
index 415a5e8..c95f78f 100644
--- a/contrib/ipfilter/lib/ntomask.c
+++ b/contrib/ipfilter/lib/ntomask.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/optname.c b/contrib/ipfilter/lib/optname.c
index 7fdcc57..d56c4d5 100644
--- a/contrib/ipfilter/lib/optname.c
+++ b/contrib/ipfilter/lib/optname.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/optprint.c b/contrib/ipfilter/lib/optprint.c
index 261a75c..890eb53 100644
--- a/contrib/ipfilter/lib/optprint.c
+++ b/contrib/ipfilter/lib/optprint.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/optprintv6.c b/contrib/ipfilter/lib/optprintv6.c
index 75e0fd0..8f33305 100644
--- a/contrib/ipfilter/lib/optprintv6.c
+++ b/contrib/ipfilter/lib/optprintv6.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/optvalue.c b/contrib/ipfilter/lib/optvalue.c
index dc9448d..b30e030 100644
--- a/contrib/ipfilter/lib/optvalue.c
+++ b/contrib/ipfilter/lib/optvalue.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/parse.c b/contrib/ipfilter/lib/parse.c
index 4cf69ab..30fc117 100644
--- a/contrib/ipfilter/lib/parse.c
+++ b/contrib/ipfilter/lib/parse.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/portname.c b/contrib/ipfilter/lib/portname.c
index 7c0fc87..0709fc5 100644
--- a/contrib/ipfilter/lib/portname.c
+++ b/contrib/ipfilter/lib/portname.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/portnum.c b/contrib/ipfilter/lib/portnum.c
index 284bbc9..c290c93 100644
--- a/contrib/ipfilter/lib/portnum.c
+++ b/contrib/ipfilter/lib/portnum.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ports.c b/contrib/ipfilter/lib/ports.c
index 634dfeb..deee05e 100644
--- a/contrib/ipfilter/lib/ports.c
+++ b/contrib/ipfilter/lib/ports.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/print_toif.c b/contrib/ipfilter/lib/print_toif.c
index 0e230cd..be6eaec 100644
--- a/contrib/ipfilter/lib/print_toif.c
+++ b/contrib/ipfilter/lib/print_toif.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printactivenat.c b/contrib/ipfilter/lib/printactivenat.c
index 3c56b14..78b0ed9 100644
--- a/contrib/ipfilter/lib/printactivenat.c
+++ b/contrib/ipfilter/lib/printactivenat.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printaps.c b/contrib/ipfilter/lib/printaps.c
index 5c5c3dd..df69a7b 100644
--- a/contrib/ipfilter/lib/printaps.c
+++ b/contrib/ipfilter/lib/printaps.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printbuf.c b/contrib/ipfilter/lib/printbuf.c
index f2b7faa..fa24fbe 100644
--- a/contrib/ipfilter/lib/printbuf.c
+++ b/contrib/ipfilter/lib/printbuf.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printfr.c b/contrib/ipfilter/lib/printfr.c
index f0f5a0e..a7ab1d2 100644
--- a/contrib/ipfilter/lib/printfr.c
+++ b/contrib/ipfilter/lib/printfr.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printfraginfo.c b/contrib/ipfilter/lib/printfraginfo.c
index b521c83..461d497 100644
--- a/contrib/ipfilter/lib/printfraginfo.c
+++ b/contrib/ipfilter/lib/printfraginfo.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2004 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printhash.c b/contrib/ipfilter/lib/printhash.c
index 80157bb..fab0659 100644
--- a/contrib/ipfilter/lib/printhash.c
+++ b/contrib/ipfilter/lib/printhash.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printhashnode.c b/contrib/ipfilter/lib/printhashnode.c
index 39255e7..b5eda15 100644
--- a/contrib/ipfilter/lib/printhashnode.c
+++ b/contrib/ipfilter/lib/printhashnode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printhostmap.c b/contrib/ipfilter/lib/printhostmap.c
index bdb6702..d4ffd44 100644
--- a/contrib/ipfilter/lib/printhostmap.c
+++ b/contrib/ipfilter/lib/printhostmap.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/printhostmask.c b/contrib/ipfilter/lib/printhostmask.c
index c34bc43..05121c3 100644
--- a/contrib/ipfilter/lib/printhostmask.c
+++ b/contrib/ipfilter/lib/printhostmask.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printifname.c b/contrib/ipfilter/lib/printifname.c
index 53a7fd7..8726e625 100644
--- a/contrib/ipfilter/lib/printifname.c
+++ b/contrib/ipfilter/lib/printifname.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printip.c b/contrib/ipfilter/lib/printip.c
index 1a04f1d..01b06bd 100644
--- a/contrib/ipfilter/lib/printip.c
+++ b/contrib/ipfilter/lib/printip.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printlog.c b/contrib/ipfilter/lib/printlog.c
index d14add4..c255cf1 100644
--- a/contrib/ipfilter/lib/printlog.c
+++ b/contrib/ipfilter/lib/printlog.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printmask.c b/contrib/ipfilter/lib/printmask.c
index d3d9a6f..a477c66 100644
--- a/contrib/ipfilter/lib/printmask.c
+++ b/contrib/ipfilter/lib/printmask.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c
index 15a6886..09056b1 100644
--- a/contrib/ipfilter/lib/printnat.c
+++ b/contrib/ipfilter/lib/printnat.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printpacket.c b/contrib/ipfilter/lib/printpacket.c
index 58460be..4791b08 100644
--- a/contrib/ipfilter/lib/printpacket.c
+++ b/contrib/ipfilter/lib/printpacket.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printpacket6.c b/contrib/ipfilter/lib/printpacket6.c
index 2f9ea1d..2ddffed 100644
--- a/contrib/ipfilter/lib/printpacket6.c
+++ b/contrib/ipfilter/lib/printpacket6.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/printpool.c b/contrib/ipfilter/lib/printpool.c
index 6291306..4bd48aa 100644
--- a/contrib/ipfilter/lib/printpool.c
+++ b/contrib/ipfilter/lib/printpool.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printpoolnode.c b/contrib/ipfilter/lib/printpoolnode.c
index dd0ef97..ec8ac3e 100644
--- a/contrib/ipfilter/lib/printpoolnode.c
+++ b/contrib/ipfilter/lib/printpoolnode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printportcmp.c b/contrib/ipfilter/lib/printportcmp.c
index 7ec0116..14854be 100644
--- a/contrib/ipfilter/lib/printportcmp.c
+++ b/contrib/ipfilter/lib/printportcmp.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printsbuf.c b/contrib/ipfilter/lib/printsbuf.c
index 805c03b..cfa9171 100644
--- a/contrib/ipfilter/lib/printsbuf.c
+++ b/contrib/ipfilter/lib/printsbuf.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#ifdef IPFILTER_SCAN
diff --git a/contrib/ipfilter/lib/printstate.c b/contrib/ipfilter/lib/printstate.c
index 9cfdc8a..b3350c2 100644
--- a/contrib/ipfilter/lib/printstate.c
+++ b/contrib/ipfilter/lib/printstate.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/printtunable.c b/contrib/ipfilter/lib/printtunable.c
index 46e9f80..12e019d 100644
--- a/contrib/ipfilter/lib/printtunable.c
+++ b/contrib/ipfilter/lib/printtunable.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/ratoi.c b/contrib/ipfilter/lib/ratoi.c
index 31ee122..f6f7081 100644
--- a/contrib/ipfilter/lib/ratoi.c
+++ b/contrib/ipfilter/lib/ratoi.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/ratoui.c b/contrib/ipfilter/lib/ratoui.c
index e4d0cbf..0a54ceb 100644
--- a/contrib/ipfilter/lib/ratoui.c
+++ b/contrib/ipfilter/lib/ratoui.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/remove_hash.c b/contrib/ipfilter/lib/remove_hash.c
index 256751f..fc52a0a 100644
--- a/contrib/ipfilter/lib/remove_hash.c
+++ b/contrib/ipfilter/lib/remove_hash.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/remove_hashnode.c b/contrib/ipfilter/lib/remove_hashnode.c
index 5e5b634..271c853 100644
--- a/contrib/ipfilter/lib/remove_hashnode.c
+++ b/contrib/ipfilter/lib/remove_hashnode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/remove_pool.c b/contrib/ipfilter/lib/remove_pool.c
index 3f5e004..2663cb8 100644
--- a/contrib/ipfilter/lib/remove_pool.c
+++ b/contrib/ipfilter/lib/remove_pool.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/remove_poolnode.c b/contrib/ipfilter/lib/remove_poolnode.c
index aff4694..5a1d639 100644
--- a/contrib/ipfilter/lib/remove_poolnode.c
+++ b/contrib/ipfilter/lib/remove_poolnode.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2002 by Darren Reed.
diff --git a/contrib/ipfilter/lib/resetlexer.c b/contrib/ipfilter/lib/resetlexer.c
index 0801242..19eb161 100644
--- a/contrib/ipfilter/lib/resetlexer.c
+++ b/contrib/ipfilter/lib/resetlexer.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/rwlock_emul.c b/contrib/ipfilter/lib/rwlock_emul.c
index 64b807e..d3beb60 100644
--- a/contrib/ipfilter/lib/rwlock_emul.c
+++ b/contrib/ipfilter/lib/rwlock_emul.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include "ipf.h"
diff --git a/contrib/ipfilter/lib/tcp_flags.c b/contrib/ipfilter/lib/tcp_flags.c
index 314b9d2..7a57124 100644
--- a/contrib/ipfilter/lib/tcp_flags.c
+++ b/contrib/ipfilter/lib/tcp_flags.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/tcpflags.c b/contrib/ipfilter/lib/tcpflags.c
index b7ea4b8..2e65bdb 100644
--- a/contrib/ipfilter/lib/tcpflags.c
+++ b/contrib/ipfilter/lib/tcpflags.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/tcpoptnames.c b/contrib/ipfilter/lib/tcpoptnames.c
index b5e0cc7..7f2dfb6 100644
--- a/contrib/ipfilter/lib/tcpoptnames.c
+++ b/contrib/ipfilter/lib/tcpoptnames.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/to_interface.c b/contrib/ipfilter/lib/to_interface.c
index 50f9a70..fb97cee 100644
--- a/contrib/ipfilter/lib/to_interface.c
+++ b/contrib/ipfilter/lib/to_interface.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/v6ionames.c b/contrib/ipfilter/lib/v6ionames.c
index 087da5d..a2ce683 100644
--- a/contrib/ipfilter/lib/v6ionames.c
+++ b/contrib/ipfilter/lib/v6ionames.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/v6optvalue.c b/contrib/ipfilter/lib/v6optvalue.c
index 57dc2fb..b81ed7a 100644
--- a/contrib/ipfilter/lib/v6optvalue.c
+++ b/contrib/ipfilter/lib/v6optvalue.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/lib/var.c b/contrib/ipfilter/lib/var.c
index 79b2517..5f3e015 100644
--- a/contrib/ipfilter/lib/var.c
+++ b/contrib/ipfilter/lib/var.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include <ctype.h>
diff --git a/contrib/ipfilter/lib/verbose.c b/contrib/ipfilter/lib/verbose.c
index d4f3012..cc81516 100644
--- a/contrib/ipfilter/lib/verbose.c
+++ b/contrib/ipfilter/lib/verbose.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index b1188c8..dfef858 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -36,8 +36,8 @@ However, the full complement is as follows:
ioctl(fd, SIOCFRSYN, u_int *)
ioctl(fd, SIOCFRZST, struct friostat **)
ioctl(fd, SIOCZRLST, struct frentry **)
- ioctl(fd, SIOCAUTHW, struct frauth_t **)
- ioctl(fd, SIOCAUTHR, struct frauth_t **)
+ ioctl(fd, SIOCAUTHW, struct fr_info **)
+ ioctl(fd, SIOCAUTHR, struct fr_info **)
ioctl(fd, SIOCATHST, struct fr_authstat **)
.fi
.PP
@@ -123,7 +123,7 @@ Flags which are recognised in fr_flags:
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
- FR_NOMATCH 0x000200 /* No match occurred */
+ FR_NOMATCH 0x000200 /* no match occured */
FR_ACCOUNT 0x000400 /* count packet bytes */
FR_KEEPFRAG 0x000800 /* keep fragment information */
FR_KEEPSTATE 0x001000 /* keep `connection' state information */
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index 2f998b5..d6b6ac1 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -20,12 +20,13 @@ described using the following grammar in BNF:
\fC
.nf
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] [ group ].
+ [ proto ] ip [ group ].
insert = "@" decnumber .
action = block | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
+options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
+ [ froute ] [ replyto ] ] .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
@@ -33,19 +34,24 @@ ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ return-icmp[return-code] | "return-rst" ] .
-auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-call = "call" [ "now" ] function-name .
+tag = "tag" tagid .
skip = "skip" decnumber .
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name[":"ipaddr] .
+auth = "auth" | "preauth" .
+call = "call" [ "now" ] function-name .
+dup = "dup-to" interface-name [ ":" ipaddr ] .
+froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
+replyto = "reply-to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" [ "!" ] object "to" [ "!" ] object .
return-icmp = "return-icmp" | "return-icmp-as-dest" .
+return-code = "(" icmp-code ")" .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
+addr = "any" | "<thishost>" | nummask |
+ host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags = "flags" flag { flag } [ "/" flag { flag } ] .
@@ -206,6 +212,13 @@ indicates that, should this be the last matching rule, the packet
header will be written to the \fBipl\fP log (as described in the
LOGGING section below).
.TP
+.B tag tagid
+indicates that, if this rule causes the packet to be logged or entered
+in the state table, the tagid will be logged as part of the log entry.
+This can be used to quickly match "similar" rules in scripts that post
+process the log files for e.g. generation of security reports or accounting
+purposes. The tagid is a 32 bit unsigned integer.
+.TP
.B quick
allows "short-cut" rules in order to speed up the filter or override
later rules. If a packet matches a filter rule which is marked as
@@ -375,7 +388,7 @@ against, e.g.:
# packets with ONLY the SYN flag set.
... flags SA
- # becomes "flags SA/AUPRFSC" and will match any
+ # becomes "flags SA/AUPRFS" and will match any
# packet with only the SYN and ACK flags set.
... flags S/SA
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index 661375a..bcf9307 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -5,11 +5,14 @@ ipf \- alters packet filtering lists for IP packet input and output
.SH SYNOPSIS
.B ipf
[
-.B \-6AdDEInoPrsUvVyzZ
+.B \-6AcdDEInoPrsvVyzZ
] [
.B \-l
<block|pass|nomatch>
] [
+.B \-T
+<optionlist>
+] [
.B \-F
<i|o|a|s|S>
]
@@ -37,6 +40,15 @@ This option is required to parse IPv6 rules and to have them loaded.
.B \-A
Set the list to make changes to the active list (default).
.TP
+.B \-c <language>
+This option causes \fBipf\fP to generate output files for a compiler that
+supports \fBlanguage\fI. At present, the only target language supported is
+\fBC\fB (-cc) for which two files - \fBip_rules.c\fP
+and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when
+\fBipf\fP is being run. These files can be used with the
+\fBIPFILTER_COMPILED\fP kernel option to build filter rules staticly into
+the kernel.
+.TP
.B \-d
Turn debug mode on. Causes a hexdump of filter rules to be generated as
it processes each one.
@@ -59,7 +71,7 @@ To flush entries from the state table, the \fB-F\fP option is used in
conjunction with either "s" (removes state information about any non-fully
established connections) or "S" (deletes the entire state table). Only
one of the two options may be given. A fully established connection
-will show up in \fBipfstat -s\fP output as 4/4, with deviations either
+will show up in \fBipfstat -s\fP output as 5/5, with deviations either
way indicating it is not fully established any more.
.TP
.BR \-f \0<filename>
@@ -93,10 +105,22 @@ Remove matching filter rules rather than add them to the internal lists
.TP
.B \-s
Swap the active filter list in use to be the "other" one.
-.TP
-.B \-U
-(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
-recognised as IP packets. They will be printed out on the console.
+.B \-T <optionlist>
+This option allows run-time changing of IPFilter kernel variables. Some
+variables require IPFilter to be in a disabled state (\fB-D\fP) for changing,
+others do not. The optionlist parameter is a comma separated list of tuning
+commands. A tuning command is either "list" (retrieve a list of all variables
+in the kernel, their maximum, minimum and current value), a single variable
+name (retrieve its current value) and a variable name with a following
+assignment to set a new value. Some examples follow.
+.nf
+# Print out all IPFilter kernel tunable parameters
+ipf -T list
+# Display the current TCP idle timeout and then set it to 3600
+ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
+# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
+ipf -T fr_pass,fr_chksrc,fr_chksrc=1
+.fi
.TP
.B \-v
Turn verbose mode on. Displays information relating to rule processing.
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
index cf8ca9f..09eb4db 100644
--- a/contrib/ipfilter/man/ipfilter.4
+++ b/contrib/ipfilter/man/ipfilter.4
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IP\ FILTER 4
.SH NAME
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
index 52f6fcb..01d0c70 100644
--- a/contrib/ipfilter/man/ipfs.8
+++ b/contrib/ipfilter/man/ipfs.8
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPFS 8
.SH NAME
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index e2f38a0..8e413e2 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -5,15 +5,12 @@ ipfstat \- reports on packet filter statistics and filter list
.SH SYNOPSIS
.B ipfstat
[
-.B \-6aAfghIinosv
-] [
-.B \-d
-<device>
+.B \-6aAdfghIilnoRsv
]
-
+.br
.B ipfstat -t
[
-.B \-C
+.B \-6C
] [
.B \-D
<addrport>
@@ -26,12 +23,8 @@ ipfstat \- reports on packet filter statistics and filter list
] [
.B \-T
<refresh time>
-] [
-.B \-d
-<device>
]
.SH DESCRIPTION
-.PP
\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
To run and work, it needs to be able to read both /dev/kmem and the
@@ -43,7 +36,7 @@ accumulated over time as the kernel has put packets through the filter.
.SH OPTIONS
.TP
.B \-6
-Display filter lists for IPv6, if available.
+Display filter lists and states for IPv6, if available.
.TP
.B \-a
Display the accounting filter list and show bytes counted against each rule.
@@ -57,13 +50,13 @@ Display "closed" states as well in the top. Normally, a TCP connection is
not displayed when it reaches the CLOSE_WAIT protocol state. With this
option enabled, all state entries are displayed.
.TP
-.BR \-d \0<device>
-Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
+.BR \-d
+Produce debugging output when displaying data.
.TP
.BR \-D \0<addrport>
This option is only valid in combination with \fB\-t\fP. Limit the state top
display to show only state entries whose destination IP address and port
-match the addport argument. The addrport specification is of the form
+match the addrport argument. The addrport specification is of the form
ipaddress[,port]. The ipaddress and port should be either numerical or the
string "any" (specifying any IP address resp. any port). If the \fB\-D\fP
option is not specified, it defaults to "\fB\-D\fP any,any".
@@ -99,6 +92,10 @@ argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a
protocol number. If this option is not specified, state entries for any
protocol are specified.
.TP
+.BR \-R
+Don't try to resolve addresses to hostnames and ports to services while
+printing statistics.
+.TP
.B \-s
Show packet/flow state information (statistics only).
.TP
@@ -108,15 +105,15 @@ Show held state information (in the kernel) if any is present (no statistics).
.BR \-S \0<addrport>
This option is only valid in combination with \fB\-t\fP. Limit the state top
display to show only state entries whose source IP address and port match
-the addport argument. The addrport specification is of the form
+the addrport argument. The addrport specification is of the form
ipaddress[,port]. The ipaddress and port should be either numerical or the
-string "any" (specifying any ip address resp. any port). If the \fB\-S\fP
+string "any" (specifying any IP address resp. any port). If the \fB\-S\fP
option is not specified, it defaults to "\fB\-S\fP any,any".
.TP
.B \-t
-Show the state table in a way similar to they way \fBtop(1)\fP shows the process
-table. States can be sorted using a number of different ways. This options
-requires \fBncurses(3)\fP and needs to be compiled in. It may not be available on
+Show the state table in a way similar to the way \fBtop(1)\fP shows the process
+table. States can be sorted using a number of different ways. This option
+requires \fBcurses(3)\fP and needs to be compiled in. It may not be available on
all operating systems. See below, for more information on the keys that can
be used while ipfstat is in top mode.
.TP
@@ -137,6 +134,10 @@ parameters are present.
When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
the appropriate list of filter rules currently installed and in use by the
kernel.
+.PP
+One of the statistics that \fBipfstat\fP shows is \fBticks\fP.
+This number indicates how long the filter has been enabled.
+The number is incremented every half\-second.
.SH STATE TOP
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
this mode the state table is displayed similar to the way \fBtop\fP displays
@@ -147,7 +148,9 @@ shown and to specify the frequency of display updates.
In state top mode, the following keys can be used to influence the displayed
information:
.TP
-\fBd\fP select information to display.
+\fBb\fP show packets/bytes from backward direction.
+.TP
+\fBf\fP show packets/bytes from forward direction. (default)
.TP
\fBl\fP redraw the screen.
.TP
@@ -167,13 +170,12 @@ and protocol filters or the refresh frequency. This must be done from the
command line.
.PP
The screen must have at least 80 columns. This is however not checked.
+When running state top in IPv6 mode, the screen must be much wider to display
+the very long IPv6 addresses.
.PP
Only the first X-5 entries that match the sort and filter criteria are
-displayed (where X is the number of rows on the display. There is no way to
-see more entries.
-.PP
-No support for IPv6
-.PP
+displayed (where X is the number of rows on the display. The only way to see
+more entries is to resize the screen.
.SH FILES
/dev/kmem
.br
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index 936445c..df8320a 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -5,19 +5,31 @@ ipftest \- test packet filter rules with arbitrary input.
.SH SYNOPSIS
.B ipftest
[
-.B \-vbdPRSTEHX
+.B \-6bdDoRvx
+] [
+.B \-F
+input-format
+] [
+.B \-i
+<filename>
] [
.B \-I
interface
-]
-.B \-r
+] [
+.B \-l
<filename>
-[
-.B \-i
+] [
+.B \-N
<filename>
] [
-.B \-s
-<ipaddress>
+.B \-P
+<filename>
+] [
+.B \-r
+<filename>
+] [
+.B \-T
+<optionlist>
]
.SH DESCRIPTION
.PP
@@ -26,70 +38,69 @@ filter rules without having to put them in place, in operation and proceed
to test their effectiveness. The hope is that this minimises disruptions
in providing a secure IP environment.
.PP
-\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP
+\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP,
+\fBipnat\fP and/or \fBippool\fP
and apply input, returning output as to the result. However, \fBipftest\fP
will return one of three values for packets passed through the filter:
pass, block or nomatch. This is intended to give the operator a better
idea of what is happening with packets passing through their filter
ruleset.
.PP
-When used without either of \fB\-S\fP, \fB\-T\fP or \fB\-E\fP,
-\fBipftest\fP uses its own text input format to generate "fake" IP packets.
-The format used is as follows:
-.nf
- "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
- srchost[,srcport] dsthost[,destport] [FSRPAU]
-.fi
-.PP
-This allows for a packet going "in" or "out" of an interface (if) to be
-generated, being one of the three main protocols (optionally), and if
-either TCP or UDP, a port parameter is also expected. If TCP is selected,
-it is possible to (optionally) supply TCP flags at the end. Some examples
-are:
-.nf
- # a UDP packet coming in on le0
- in on le0 udp 10.1.1.1,2210 10.2.1.5,23
- # an IP packet coming in on le0 from localhost - hmm :)
- in on le0 localhost 10.4.12.1
- # a TCP packet going out of le0 with the SYN flag set.
- out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
-.fi
+At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified.
.SH OPTIONS
.TP
-.B \-v
-Verbose mode. This provides more information about which parts of rule
-matching the input packet passes and fails.
-.TP
-.B \-d
-Turn on filter rule debugging. Currently, this only shows you what caused
-the rule to not match in the IP header checking (addresses/netmasks, etc).
+.B \-6
+Use IPv6.
.TP
.B \-b
Cause the output to be a brief summary (one-word) of the result of passing
the packet through the filter; either "pass", "block" or "nomatch".
This is used in the regression testing.
.TP
-.BR \-I \0<interface>
-Set the interface name (used in rule matching) to be the name supplied.
-This is useful with the \fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is
-not otherwise possible to associate a packet with an interface. Normal
-"text packets" can override this setting.
+.B \-d
+Turn on filter rule debugging. Currently, this only shows you what caused
+the rule to not match in the IP header checking (addresses/netmasks, etc).
.TP
-.B \-P
+.B \-D
+Dump internal tables before exiting.
+This excludes log messages.
+.TP
+.B \-F
+This option is used to select which input format the input file is in.
+The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text.
+.RS
+.TP
+.B etherfind
+The input file is to be text output from etherfind. The text formats which
+are currently supported are those which result from the following etherfind
+option combinations:
+.PP
+.nf
+ etherfind -n
+ etherfind -n -t
+.fi
+.TP
+.B hex
+The input file is to be hex digits, representing the binary makeup of the
+packet. No length correction is made, if an incorrect length is put in
+the IP header. A packet may be broken up over several lines of hex digits,
+a blank line indicating the end of the packet. It is possible to specify
+both the interface name and direction of the packet (for filtering purposes)
+at the start of the line using this format: [direction,interface] To define
+a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
+and part of the input syntax.
+.HP
+.B pcap
The input file specified by \fB\-i\fP is a binary file produced using libpcap
(i.e., tcpdump version 3). Packets are read from this file as being input
(for rule purposes). An interface maybe specified using \fB\-I\fP.
.TP
-.B \-R
-Remove rules rather than load them. This is not a toggle option, so once
-set, it cannot be reset by further use of -R.
-.TP
-.B \-S
+.B snoop
The input file is to be in "snoop" format (see RFC 1761). Packets are read
from this file and used as input from any interface. This is perhaps the
most useful input type, currently.
.TP
-.B \-T
+.B tcpdump
The input file is to be text output from tcpdump. The text formats which
are currently supported are those which result from the following tcpdump
option combinations:
@@ -101,42 +112,77 @@ option combinations:
tcpdump -nqtt
tcpdump -nqte
.fi
-.LP
.TP
-.B \-H
-The input file is to be hex digits, representing the binary makeup of the
-packet. No length correction is made, if an incorrect length is put in
-the IP header. A packet may be broken up over several lines of hex digits,
-a blank line indicating the end of the packet. It is possible to specify
-both the interface name and direction of the packet (for filtering purposes)
-at the start of the line using this format: [direction,interface] To define
-a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
-and part of the input syntax.
-.TP
-.B \-X
-The input file is composed of text descriptions of IP packets.
-.TP
-.B \-E
-The input file is to be text output from etherfind. The text formats which
-are currently supported are those which result from the following etherfind
-option combinations:
+.B text
+The input file is in \fBipftest\fP text input format.
+This is the default if no \fB\-F\fP argument is specified.
+The format used is as follows:
+.nf
+ "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
+ srchost[,srcport] dsthost[,destport] [FSRPAU]
+.fi
.PP
+This allows for a packet going "in" or "out" of an interface (if) to be
+generated, being one of the three main protocols (optionally), and if
+either TCP or UDP, a port parameter is also expected. If TCP is selected,
+it is possible to (optionally) supply TCP flags at the end. Some examples
+are:
.nf
- etherfind -n
- etherfind -n -t
+ # a UDP packet coming in on le0
+ in on le0 udp 10.1.1.1,2210 10.2.1.5,23
+ # an IP packet coming in on le0 from localhost - hmm :)
+ in on le0 localhost 10.4.12.1
+ # a TCP packet going out of le0 with the SYN flag set.
+ out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
.fi
.LP
+.RE
+.DT
.TP
.BR \-i \0<filename>
Specify the filename from which to take input. Default is stdin.
.TP
+.BR \-I \0<interface>
+Set the interface name (used in rule matching) to be the name supplied.
+This is useful where it is
+not otherwise possible to associate a packet with an interface. Normal
+"text packets" can override this setting.
+.TP
+.BR \-l \0<filename>
+Dump log messages generated during testing to the specified file.
+.TP
+.BR \-N \0<filename>
+Specify the filename from which to read NAT rules in \fBipnat\fP(5) format.
+.TP
+.B \-o
+Save output packets that would have been written to each interface in
+a file /tmp/\fIinterface_name\fP in raw format.
+.TP
+.BR \-P \0<filename>
+Read IP pool configuration information in \fBippool\fP(5) format from the
+specified file.
+.TP
.BR \-r \0<filename>
-Specify the filename from which to read filter rules.
+Specify the filename from which to read filter rules in \fBipf\fP(5) format.
+.TP
+.B \-R
+Don't attempt to convert IP addresses to hostnames.
+.TP
+.BR \-T \0<optionlist>
+This option simulates the run-time changing of IPFilter kernel variables
+available with the \fB\-T\fP option of \fBipf\fP.
+The optionlist parameter is a comma separated list of tuning
+commands. A tuning command is either "list" (retrieve a list of all variables
+in the kernel, their maximum, minimum and current value), a single variable
+name (retrieve its current value) and a variable name with a following
+assignment to set a new value. See \fBipf\fP(8) for examples.
+.TP
+.B \-v
+Verbose mode. This provides more information about which parts of rule
+matching the input packet passes and fails.
.TP
-.BR \-s \0<ipaddress>
-Where the input format is incapable of telling \fBipftest\fP whther a packet is
-going in or out, setting this option to an IP address results in the direction
-being set to out if the source matches or in if the destination matches.
+.B \-x
+Print a hex dump of each packet before printing the decoded contents.
.SH SEE ALSO
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
index d45749b..da1d9e6 100644
--- a/contrib/ipfilter/man/ipl.4
+++ b/contrib/ipfilter/man/ipl.4
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPL 4
.SH NAME
diff --git a/contrib/ipfilter/man/ipmon.5 b/contrib/ipfilter/man/ipmon.5
index bc48466..081fc08 100644
--- a/contrib/ipfilter/man/ipmon.5
+++ b/contrib/ipfilter/man/ipmon.5
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPMON 5
.SH NAME
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index d7f94df..48b2a41 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -47,11 +47,8 @@ long).
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
-5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short
-packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order
-of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or
-\fBB\fP means that the packet has been logged due to a global logging
-setting, not a particular rule.
+5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
+packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 7db3308..210f09a 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPNAT 5
.SH NAME
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
index 49a09be..87f2da5 100644
--- a/contrib/ipfilter/man/ipnat.8
+++ b/contrib/ipfilter/man/ipnat.8
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPNAT 8
.SH NAME
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
index c9eaaca..974a0e8 100644
--- a/contrib/ipfilter/man/ippool.5
+++ b/contrib/ipfilter/man/ippool.5
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPPOOL 5
.SH NAME
diff --git a/contrib/ipfilter/man/ippool.8 b/contrib/ipfilter/man/ippool.8
index 6ed1e88..986812a 100644
--- a/contrib/ipfilter/man/ippool.8
+++ b/contrib/ipfilter/man/ippool.8
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPPOOL 8
.SH NAME
diff --git a/contrib/ipfilter/man/ipscan.5 b/contrib/ipfilter/man/ipscan.5
index 4a00174..91bf9b0 100644
--- a/contrib/ipfilter/man/ipscan.5
+++ b/contrib/ipfilter/man/ipscan.5
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPSCAN 5
.SH NAME
diff --git a/contrib/ipfilter/man/ipscan.8 b/contrib/ipfilter/man/ipscan.8
index d3ce952..513dc94 100644
--- a/contrib/ipfilter/man/ipscan.8
+++ b/contrib/ipfilter/man/ipscan.8
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH IPSCAN 8
.SH NAME
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
index 3bac7d1..89a8d47 100644
--- a/contrib/ipfilter/man/mkfilters.1
+++ b/contrib/ipfilter/man/mkfilters.1
@@ -1,4 +1,4 @@
-.\" $NetBSD$
+.\" $FreeBSD$
.\"
.TH MKFILTERS 1
.SH NAME
diff --git a/contrib/ipfilter/md5.c b/contrib/ipfilter/md5.c
index 78a0eb7..63dd4b4 100644
--- a/contrib/ipfilter/md5.c
+++ b/contrib/ipfilter/md5.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
diff --git a/contrib/ipfilter/md5.h b/contrib/ipfilter/md5.h
index 40e8dc6..8270531 100644
--- a/contrib/ipfilter/md5.h
+++ b/contrib/ipfilter/md5.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
***********************************************************************
diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c
deleted file mode 100644
index e39b98f..0000000
--- a/contrib/ipfilter/misc.c
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#if (SOLARIS2 >= 7)
-# define _SYS_VARARGS_H
-# define _VARARGS_H
-#endif
-#if defined(__STDC__)
-# include <stdarg.h>
-#else
-# include <varargs.h>
-#endif
-#include <stdio.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.9 2002/12/06 11:40:27 darrenr Exp $";
-#endif
-
-extern int opts;
-
-
-void printpacket(ip)
-ip_t *ip;
-{
- tcphdr_t *tcp;
- u_short len;
-
- if (ip->ip_v == 4)
- len = ntohs(ip->ip_len);
- else if (ip->ip_v == 6)
- len = ntohs(((u_short *)ip)[2]) + 40;
- else
- len = 0;
-
- if ((opts & OPT_HEX) == OPT_HEX) {
- u_char *s;
- int i;
-
- for (s = (u_char *)ip, i = 0; i < len; i++) {
- printf("%02x", *s++ & 0xff);
- if (len - i > 1) {
- i++;
- printf("%02x", *s++ & 0xff);
- }
- if (i + 1 != len)
- putchar(' ');
- }
- putchar('\n');
- return;
- }
-
- if (ip->ip_v == 6) {
- printpacket6(ip);
- return;
- }
-
- tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
- printf("ip %d(%d) %d", ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p);
- if (ip->ip_off & IP_OFFMASK)
- printf(" @%d", ip->ip_off << 3);
- (void)printf(" %s", inet_ntoa(ip->ip_src));
- if (!(ip->ip_off & IP_OFFMASK))
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- (void)printf(" > ");
- (void)printf("%s", inet_ntoa(ip->ip_dst));
- if (!(ip->ip_off & IP_OFFMASK)) {
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
- if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags)) {
- putchar(' ');
- if (tcp->th_flags & TH_FIN)
- putchar('F');
- if (tcp->th_flags & TH_SYN)
- putchar('S');
- if (tcp->th_flags & TH_RST)
- putchar('R');
- if (tcp->th_flags & TH_PUSH)
- putchar('P');
- if (tcp->th_flags & TH_ACK)
- putchar('A');
- if (tcp->th_flags & TH_URG)
- putchar('U');
- if (tcp->th_flags & TH_ECN)
- putchar('E');
- if (tcp->th_flags & TH_CWR)
- putchar('C');
- }
- }
- putchar('\n');
-}
-
-
-/*
- * This is meant to work without the IPv6 header files being present or
- * the inet_ntop() library.
- */
-void printpacket6(ip)
-ip_t *ip;
-{
- u_char *buf, p, hops;
- u_short plen, *addrs;
- tcphdr_t *tcp;
- u_32_t flow;
-
- buf = (u_char *)ip;
- tcp = (tcphdr_t *)(buf + 40);
- p = buf[6];
- hops = buf[7];
- flow = ntohl(*(u_32_t *)buf);
- flow &= 0xfffff;
- plen = ntohs(*((u_short *)buf +2));
- addrs = (u_short *)buf + 4;
-
- printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
- ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
- ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
- ntohs(addrs[6]), ntohs(addrs[7]));
- if (plen >= 4)
- if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- printf(" >");
- addrs += 8;
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
- ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
- ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
- ntohs(addrs[6]), ntohs(addrs[7]));
- if (plen >= 4)
- if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
- putchar('\n');
-}
-
-
-#if defined(__STDC__)
-void verbose(char *fmt, ...)
-#else
-void verbose(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
- if (opts & OPT_VERBOSE)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
-
-
-#ifdef __STDC__
-void debug(char *fmt, ...)
-#else
-void debug(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
- if (opts & OPT_DEBUG)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c
deleted file mode 100644
index 4db9a9b..0000000
--- a/contrib/ipfilter/ml_ipl.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * responsibility and is not changed in any way.
- *
- * I hate legaleese, don't you ?
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/conf.h>
-#include <sys/syslog.h>
-#include <sys/buf.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/uio.h>
-#include <sys/vnode.h>
-#include <sundev/mbvar.h>
-#include <sun/autoconf.h>
-#include <sun/vddrv.h>
-#if defined(sun4c) || defined(sun4m)
-#include <sun/openprom.h>
-#endif
-
-#ifndef IPL_NAME
-#define IPL_NAME "/dev/ipl"
-#endif
-
-extern int iplattach(), iplopen(), iplclose(), iplioctl(), iplread();
-extern int nulldev(), iplidentify(), errno;
-
-struct cdevsw ipldevsw =
-{
- iplopen, iplclose, iplread, nulldev,
- iplioctl, nulldev, nulldev, nulldev,
- 0, nulldev,
-};
-
-
-struct dev_ops ipl_ops =
-{
- 1,
- iplidentify,
- iplattach,
- iplopen,
- iplclose,
- iplread,
- NULL, /* write */
- NULL, /* strategy */
- NULL, /* dump */
- 0, /* psize */
- iplioctl,
- NULL, /* reset */
- NULL /* mmap */
-};
-
-int ipl_major = 0;
-
-#ifdef sun4m
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO,
- "ipl",
- &ipl_ops,
- NULL,
- &ipldevsw,
- 0,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- 1,
-};
-#else /* sun4m */
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO, /* magic */
- "ipl", /* name */
-#ifdef sun4c
- &ipl_ops, /* dev_ops */
-#else
- NULL, /* struct mb_ctlr *mb_ctlr */
- NULL, /* struct mb_driver *mb_driver */
- NULL, /* struct mb_device *mb_device */
- 0, /* num ctlrs */
- 1, /* numdevs */
-#endif /* sun4c */
- NULL, /* bdevsw */
- &ipldevsw, /* cdevsw */
- 0, /* block major */
- 0, /* char major */
-};
-#endif /* sun4m */
-
-extern int vd_unuseddev();
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-xxxinit(fc, vdp, vdi, vds)
-u_int fc;
-struct vddrv *vdp;
-caddr_t vdi;
-struct vdstat *vds;
-{
- struct vdlinkage *v;
- int i;
-
- switch (fc)
- {
- case VDLOAD:
- while (ipl_major < nchrdev &&
- cdevsw[ipl_major].d_open != vd_unuseddev)
- ipl_major++;
- if (ipl_major == nchrdev)
- return ENODEV;
- vd.Drv_charmajor = ipl_major;
- vdp->vdd_vdtab = (struct vdlinkage *)&vd;
- return ipl_attach(vdi);
- case VDUNLOAD:
- return unload(vdp, vdi);
-
- case VDSTAT:
- return 0;
-
- default:
- return EIO;
- }
-}
-
-static unload(vdp, vdi)
- struct vddrv *vdp;
- struct vdioctl_unload *vdi;
-{
- int i;
-
- (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
- return ipldetach();
-}
-
-
-static int ipl_attach(vdi)
-struct vdioctl_load *vdi;
-{
- struct vnode *vp;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600;
-
- (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
- vattr_null(&vattr);
- vattr.va_type = MFTOVT(fmode);
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = ipl_major<<8;
-
- error = vn_create(IPL_NAME, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
- if (error == 0)
- VN_RELE(vp);
- return iplattach(0);
-}
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index c0cdce8..ca79596 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/mlf_rule.c b/contrib/ipfilter/mlf_rule.c
index 731ef5e..8b7b9d3 100644
--- a/contrib/ipfilter/mlf_rule.c
+++ b/contrib/ipfilter/mlf_rule.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/mlfk_rule.c b/contrib/ipfilter/mlfk_rule.c
index a4f3ba7..b5aa0ba 100644
--- a/contrib/ipfilter/mlfk_rule.c
+++ b/contrib/ipfilter/mlfk_rule.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2000 by Darren Reed.
diff --git a/contrib/ipfilter/mlh_rule.c b/contrib/ipfilter/mlh_rule.c
index e71c7be..dd350df 100644
--- a/contrib/ipfilter/mlh_rule.c
+++ b/contrib/ipfilter/mlh_rule.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
deleted file mode 100644
index 235a5af..0000000
--- a/contrib/ipfilter/mli_ipl.c
+++ /dev/null
@@ -1,596 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- * (C)opyright 1997 by Marc Boucher.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/* TODO: (MARCXXX)
- - ipl_init failure -> open ENODEV or whatever
- - prevent multiple LKM loads
- - surround access to ifnet structures by IFNET_LOCK()/IFNET_UNLOCK() ?
- - m != m1 problem
-*/
-
-#include <sys/types.h>
-#include <sys/conf.h>
-#ifdef IPFILTER_LKM
-#include <sys/mload.h>
-#endif
-#include <sys/systm.h>
-#include <sys/errno.h>
-#include <net/if.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-#include <netinet/in_var.h>
-#endif
-#include <sys/mbuf.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ipfilter.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-
-/*#define IPFDEBUG 1*/
-
-unsigned IPL_EXTERN(devflag) = D_MP;
-#ifdef IPFILTER_LKM
-char *IPL_EXTERN(mversion) = M_VERSION;
-#endif
-
-kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw;
-kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-
-int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **));
-
-#ifdef IPFILTER_LKM
-static int *ipff_addr = 0;
-static int ipff_value;
-static __psunsigned_t *ipfk_addr = 0;
-static __psunsigned_t ipfk_code[4];
-#endif
-
-typedef struct nif {
- struct nif *nf_next;
- struct ifnet *nf_ifp;
-#if IRIX < 605
- int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *);
-#else
- int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
- struct rtentry *);
-#endif
- char nf_name[IFNAMSIZ];
- int nf_unit;
-} nif_t;
-
-static nif_t *nif_head = 0;
-static int nif_interfaces = 0;
-extern int in_interfaces;
-
-extern ipnat_t *nat_list;
-
-static int
-#if IRIX < 605
-ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
-#else
-ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
- struct rtentry *rt)
-#endif
-{
- nif_t *nif;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
- for (nif = nif_head; nif; nif = nif->nf_next)
- if (nif->nf_ifp == ifp)
- break;
-
- MUTEX_EXIT(&ipfi_mutex);
- if (!nif) {
- printf("IP Filter: ipl_if_output intf %x NOT FOUND\n", ifp);
- return ENETDOWN;
- }
-
-#if IPFDEBUG >= 4
- static unsigned int cnt = 0;
- if ((++cnt % 200) == 0)
- printf("IP Filter: ipl_if_output(ifp=0x%lx, m=0x%lx, dst=0x%lx), m_type=%d m_flags=0x%lx m_off=0x%lx\n", ifp, m, dst, m->m_type, (unsigned long)(m->m_flags), m->m_off);
-#endif
- if (fr_checkp) {
- struct mbuf *m1 = m;
- struct ip *ip;
- int hlen;
-
- switch(m->m_type) {
- case MT_DATA:
- if (m->m_flags & M_BCAST) {
-#if IPFDEBUG >= 2
- printf("IP Filter: ipl_if_output: passing M_BCAST\n");
-#endif
- break;
- }
- /* FALLTHROUGH */
- case MT_HEADER:
-#if IPFDEBUG >= 4
- if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
- printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- goto done;
- }
-#endif
- if (m->m_len < sizeof(char)) {
- printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
- goto done;
- }
- ip = mtod(m, struct ip *);
- if (ip->ip_v != IPVERSION) {
-#if IPFDEBUG >= 4
- printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
-#endif
- goto done;
- }
-
- hlen = ip->ip_hl << 2;
- if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
- return EHOSTUNREACH;
-
- if (!m1)
- return 0;
-
- m = m1;
- break;
-
- default:
- printf("IP Filter: ipl_if_output: bad m_type=%d m_flags=0x%lxm_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- break;
- }
- }
-done:
-#if IRIX < 605
- return (*nif->nf_output)(ifp, m, dst);
-#else
- return (*nif->nf_output)(ifp, m, dst, rt);
-#endif
-}
-
-int
-IPL_EXTERN(_kernel)(struct ifnet *rcvif, struct mbuf *m)
-{
-#if IPFDEBUG >= 4
- static unsigned int cnt = 0;
- if ((++cnt % 200) == 0)
- printf("IP Filter: ipl_ipfilter_kernel(rcvif=0x%lx, m=0x%lx\n", rcvif, m);
-#endif
-
- /*
- * Check if we want to allow this packet to be processed.
- * Consider it to be bad if not.
- */
- if (fr_checkp) {
- struct mbuf *m1 = m;
- struct ip *ip;
- int hlen;
-
- if ((m->m_type != MT_DATA) && (m->m_type != MT_HEADER)) {
- printf("IP Filter: ipl_ipfilter_kernel: bad m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- return IPF_ACCEPTIT;
- }
-
-#if IPFDEBUG >= 4
- if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
- printf("IP Filter: ipl_ipfilter_kernel: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- return IPF_ACCEPTIT;
- }
-#endif
- if (m->m_len < sizeof(char)) {
- printf("IP Filter: ipl_ipfilter_kernel: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
- return IPF_ACCEPTIT;
- }
- ip = mtod(m, struct ip *);
- if (ip->ip_v != IPVERSION) {
- printf("IP Filter: ipl_ipfilter_kernel: bad ip_v\n");
- m_freem(m);
- return IPF_DROPIT;
- }
-
- hlen = ip->ip_hl << 2;
- if ((*fr_checkp)(ip, hlen, rcvif, 0, &m1) || !m1)
- return IPF_DROPIT;
- if (m != m1)
- printf("IP Filter: ipl_ipfilter_kernel: m != m1\n");
- }
-
- return IPF_ACCEPTIT;
-}
-
-static int
-ipfilterattach(void)
-{
-#ifdef IPFILTER_LKM
- __psunsigned_t *addr_ff, *addr_fk;
-
- st_findaddr("ipfilterflag", &addr_ff);
-#if IPFDEBUG >= 4
- printf("IP Filter: st_findaddr ipfilterflag=0x%lx\n", addr_ff);
-#endif
- if (!addr_ff)
- return ESRCH;
-
- st_findaddr("ipfilter_kernel", &addr_fk);
-#if IPFDEBUG >= 4
- printf("IP Filter: st_findaddr ipfilter_kernel=0x%lx\n", addr_fk);
-#endif
- if (!addr_fk)
- return ESRCH;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
-
- ipff_addr = (int *)addr_ff;
-
- ipff_value = *ipff_addr;
- *ipff_addr = 0;
-
-
- ipfk_addr = addr_fk;
-
- bcopy(ipfk_addr, ipfk_code,
- sizeof(ipfk_code));
-
- /* write a "li t4, ipl_ipfilter_kernel" instruction */
- ipfk_addr[0] = 0x3c0c0000 |
- (((__psunsigned_t)IPL_EXTERN(_kernel) >> 16) & 0xffff);
- ipfk_addr[1] = 0x358c0000 |
- ((__psunsigned_t)IPL_EXTERN(_kernel) & 0xffff);
- /* write a "jr t4" instruction" */
- ipfk_addr[2] = 0x01800008;
-
- /* write a "nop" instruction */
- ipfk_addr[3] = 0;
-
- icache_inval(ipfk_addr, sizeof(ipfk_code));
-
- *ipff_addr = 1; /* enable ipfilter_kernel */
-
- MUTEX_EXIT(&ipfi_mutex);
-#else
- extern int ipfilterflag;
-
- ipfilterflag = 1;
-#endif
-
- return 0;
-}
-
-/*
- * attach the packet filter to each non-loopback interface that is running
- */
-static void
-nifattach()
-{
- struct ifnet *ifp;
- struct frentry *f;
- ipnat_t *np;
- nif_t *nif;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
-
- for (ifp = ifnet; ifp; ifp = ifp->if_next) {
- if ((!(ifp->if_flags & IFF_RUNNING)) ||
- (ifp->if_flags & IFF_LOOPBACK))
- continue;
-
- /*
- * Look for entry already setup for this device
- */
- for (nif = nif_head; nif; nif = nif->nf_next)
- if (nif->nf_ifp == ifp)
- break;
- if (nif)
- continue;
-
- if (ifp->if_output == ipl_if_output) {
- printf("IP Filter: ERROR INTF 0x%lx STILL ATTACHED\n",
- ifp);
- continue;
- }
-#if IPFDEBUG >= 4
- printf("IP Filter: nifattach nif %x opt %x\n",
- ifp, ifp->if_output);
-#endif
- KMALLOC(nif, nif_t *);
- if (!nif) {
- printf("IP Filter: malloc(%d) for nif_t failed\n",
- sizeof(nif_t));
- continue;
- }
-
- nif->nf_ifp = ifp;
- strncpy(nif->nf_name, ifp->if_name, sizeof(nif->nf_name));
- nif->nf_name[sizeof(nif->nf_name) - 1] = '\0';
- nif->nf_unit = ifp->if_unit;
-
- nif->nf_next = nif_head;
- nif_head = nif;
-
- /*
- * Activate any rules directly associated with this interface
- */
- MUTEX_ENTER(&ipf_mutex);
- for (f = ipfilter[0][0]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- if (f->fr_ifname[0] &&
- (GETUNIT(f->fr_ifname, 4) == ifp))
- f->fr_ifa = ifp;
- }
- }
- for (f = ipfilter[1][0]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- if (f->fr_ifname[0] &&
- (GETUNIT(f->fr_ifname, 4) == ifp))
- f->fr_ifa = ifp;
- }
- }
- MUTEX_EXIT(&ipf_mutex);
- MUTEX_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next) {
- if ((np->in_ifp == (void *)-1)) {
- if (np->in_ifname[0] &&
- (GETUNIT(np->in_ifname, 4) == ifp))
- np->in_ifp = (void *)ifp;
- }
- }
- MUTEX_EXIT(&ipf_nat);
-
- nif->nf_output = ifp->if_output;
- ifp->if_output = ipl_if_output;
-
-#if IPFDEBUG >= 4
- printf("IP Filter: nifattach: ifp(%lx)->if_output FROM %lx TO %lx\n",
- ifp, nif->nf_output, ifp->if_output);
-#endif
-
- printf("IP Filter: attach to [%s,%d]\n",
- nif->nf_name, ifp->if_unit);
- }
- if (!nif_head)
- printf("IP Filter: not attached to any interfaces\n");
-
- nif_interfaces = in_interfaces;
-
- MUTEX_EXIT(&ipfi_mutex);
-
- return;
-}
-
-/*
- * look for bad consistancies between the list of interfaces the filter knows
- * about and those which are currently configured.
- */
-int
-ipfsync(void)
-{
- register struct frentry *f;
- register ipnat_t *np;
- register nif_t *nif, **qp;
- register struct ifnet *ifp;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
- for (qp = &nif_head; (nif = *qp); ) {
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
- if ((nif->nf_ifp == ifp) &&
- (nif->nf_unit == ifp->if_unit) &&
- !strcmp(nif->nf_name, ifp->if_name)) {
- break;
- }
- if (ifp) {
- qp = &nif->nf_next;
- continue;
- }
- printf("IP Filter: detaching [%s]\n", nif->nf_name);
- *qp = nif->nf_next;
-
- /*
- * Disable any rules directly associated with this interface
- */
- MUTEX_ENTER(&ipf_mutex);
- for (f = ipfilter[0][0]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)nif->nf_ifp)
- f->fr_ifa = (struct ifnet *)-1;
- for (f = ipfilter[1][0]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)nif->nf_ifp)
- f->fr_ifa = (struct ifnet *)-1;
- MUTEX_EXIT(&ipf_mutex);
- MUTEX_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next)
- if (np->in_ifp == (void *)nif->nf_ifp)
- np->in_ifp =(struct ifnet *)-1;
- MUTEX_EXIT(&ipf_nat);
-
- KFREE(nif);
- nif = *qp;
- }
- MUTEX_EXIT(&ipfi_mutex);
-
- nifattach();
-
- return 0;
-}
-
-
-/*
- * unhook the IP filter from all defined interfaces with IP addresses
- */
-static void
-nifdetach()
-{
- struct ifnet *ifp;
- nif_t *nif, **qp;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
- /*
- * Make two passes, first get rid of all the unknown devices, next
- * unlink known devices.
- */
- for (qp = &nif_head; (nif = *qp); ) {
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
- if (nif->nf_ifp == ifp)
- break;
- if (ifp) {
- qp = &nif->nf_next;
- continue;
- }
- printf("IP Filter: removing [%s]\n", nif->nf_name);
- *qp = nif->nf_next;
- KFREE(nif);
- }
-
- while ((nif = nif_head)) {
- nif_head = nif->nf_next;
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
- if (nif->nf_ifp == ifp)
- break;
- if (ifp) {
- printf("IP Filter: detaching [%s,%d]\n",
- nif->nf_name, ifp->if_unit);
-
-#if IPFDEBUG >= 4
- printf("IP Filter: nifdetach: ifp(%lx)->if_output FROM %lx TO %lx\n",
- ifp, ifp->if_output, nif->nf_output);
-#endif
- ifp->if_output = nif->nf_output;
- }
- KFREE(nif);
- }
- MUTEX_EXIT(&ipfi_mutex);
-
- return;
-}
-
-
-static void
-ipfilterdetach(void)
-{
-#ifdef IPFILTER_LKM
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
-
- if (ipff_addr) {
- *ipff_addr = 0;
-
- if (ipfk_addr)
- bcopy(ipfk_code, ipfk_addr, sizeof(ipfk_code));
-
- *ipff_addr = ipff_value;
- }
-
- MUTEX_EXIT(&ipfi_mutex);
-#else
- extern int ipfilterflag;
-
- ipfilterflag = 0;
-#endif
-}
-
-/* called by ipldetach() */
-void
-ipfilter_sgi_detach(void)
-{
- nifdetach();
-
- ipfilterdetach();
-}
-
-/* called by iplattach() */
-int
-ipfilter_sgi_attach(void)
-{
- int error;
-
- nif_interfaces = 0;
-
- error = ipfilterattach();
-
- if (!error)
- nifattach();
-
- return error;
-}
-
-/* this function is called from ipfr_slowtimer at 500ms intervals to
- keep our interface list in sync */
-void
-ipfilter_sgi_intfsync(void)
-{
- MUTEX_ENTER(&ipfi_mutex);
- if (nif_interfaces != in_interfaces) {
- /* if the number of interfaces has changed, resync */
- MUTEX_EXIT(&ipfi_mutex);
- ipfsync();
- } else
- MUTEX_EXIT(&ipfi_mutex);
-}
-
-#ifdef IPFILTER_LKM
-/* this routine should be treated as an interrupt routine and should
- not call any routines that would cause it to sleep, such as: biowait(),
- sleep(), psema() or delay().
-*/
-int
-IPL_EXTERN(unload)(void)
-{
- int error = 0;
-
- error = ipldetach();
-
- LOCK_DEALLOC(ipl_mutex.l);
- LOCK_DEALLOC(ipf_rw.l);
- LOCK_DEALLOC(ipf_auth.l);
- LOCK_DEALLOC(ipf_natfrag.l);
- LOCK_DEALLOC(ipf_nat.l);
- LOCK_DEALLOC(ipf_state.l);
- LOCK_DEALLOC(ipf_frag.l);
- LOCK_DEALLOC(ipf_mutex.l);
- LOCK_DEALLOC(ipfi_mutex.l);
-
- return error;
-}
-#endif
-
-void
-IPL_EXTERN(init)(void)
-{
-#ifdef IPFILTER_LKM
- int error;
-#endif
-
- ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
-
- if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l ||
- !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l ||
- !ipl_mutex.l)
- panic("IP Filter: LOCK_ALLOC failed");
-
-#ifdef IPFILTER_LKM
- error = iplattach();
- if (error) {
- IPL_EXTERN(unload)();
- }
-#endif
-
- return;
-}
-
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
deleted file mode 100644
index b170940..0000000
--- a/contrib/ipfilter/mln_ipl.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-
-
-#include <sys/param.h>
-
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# define NETBSD_PF
-#endif
-
-#include <sys/systm.h>
-#include <sys/conf.h>
-#include <sys/file.h>
-#include <sys/stat.h>
-#include <sys/proc.h>
-#include <sys/uio.h>
-#include <sys/kernel.h>
-#include <sys/vnode.h>
-#include <sys/namei.h>
-#include <sys/malloc.h>
-#include <sys/mount.h>
-#include <sys/exec.h>
-#include <sys/mbuf.h>
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <net/route.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <sys/lkm.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-
-#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
-#define vn_lock(v,f) VOP_LOCK(v)
-#endif
-
-#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
-#define VOP_LEASE LEASE_CHECK
-#endif
-
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-extern int lkmenodev __P((void));
-
-#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
-int if_ipl_lkmentry __P((struct lkm_table *, int, int));
-#else
-#if defined(OpenBSD)
-int if_ipl __P((struct lkm_table *, int, int));
-#else
-int xxxinit __P((struct lkm_table *, int, int));
-#endif
-#endif
-static int ipl_unload __P((void));
-static int ipl_load __P((void));
-static int ipl_remove __P((void));
-static int iplaction __P((struct lkm_table *, int));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-
-
-#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
-extern const struct cdevsw ipl_cdevsw;
-# else
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- 0, /* write */
- iplioctl, /* ioctl */
- 0, /* stop */
- 0, /* tty */
- 0, /* select */
- 0, /* mmap */
- NULL /* strategy */
-};
-# endif
-#else
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- (void *)nullop, /* write */
- iplioctl, /* ioctl */
- (void *)nullop, /* stop */
-#ifndef OpenBSD
- (void *)nullop, /* reset */
-#endif
- (void *)NULL, /* tty */
- (void *)nullop, /* select */
- (void *)nullop, /* mmap */
- NULL /* strategy */
-};
-#endif
-int ipl_major = 0;
-
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
-MOD_DEV(IPL_VERSION, "ipl", NULL, -1, &ipl_cdevsw, -1);
-#else
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
-#endif
-
-extern int vd_unuseddev __P((void));
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-
-#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
-int if_ipl_lkmentry(lkmtp, cmd, ver)
-#else
-#if defined(OpenBSD)
-int if_ipl(lkmtp, cmd, ver)
-#else
-int xxxinit(lkmtp, cmd, ver)
-#endif
-#endif
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
-}
-
-#ifdef OpenBSD
-int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
-#endif
-
-static int iplaction(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- struct lkm_dev *args = lkmtp->private.lkm_dev;
- int err = 0;
-#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
- int i;
-#endif
-
- switch (cmd)
- {
- case LKM_E_LOAD :
- if (lkmexists(lkmtp))
- return EEXIST;
-
-#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
- for (i = 0; i < nchrdev; i++)
- if (cdevsw[i].d_open == (dev_type_open((*)))lkmenodev ||
- cdevsw[i].d_open == iplopen)
- break;
- if (i == nchrdev) {
- printf("IP Filter: No free cdevsw slots\n");
- return ENODEV;
- }
-
- ipl_major = i;
- args->lkm_offset = i; /* slot in cdevsw[] */
-#else
- err = devsw_attach(args->lkm_devname,
- args->lkm_bdev, &args->lkm_bdevmaj,
- args->lkm_cdev, &args->lkm_cdevmaj);
- if (err != 0)
- return (err);
- ipl_major = args->lkm_cdevmaj;
-#endif
- printf("IP Filter: loaded into slot %d\n", ipl_major);
- return ipl_load();
- case LKM_E_UNLOAD :
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
- devsw_detach(args->lkm_bdev, args->lkm_cdev);
- args->lkm_bdevmaj = -1;
- args->lkm_cdevmaj = -1;
-#endif
- err = ipl_unload();
- if (!err)
- printf("IP Filter: unloaded from slot %d\n",
- ipl_major);
- break;
- case LKM_E_STAT :
- break;
- default:
- err = EIO;
- break;
- }
- return err;
-}
-
-
-static int ipl_remove()
-{
- char *name;
- struct nameidata nd;
- int error, i;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return (error);
- VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
-#ifdef OpenBSD
- VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc);
-#else
-# if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000)
- vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
-# endif
-#endif
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
- }
- return 0;
-}
-
-
-static int ipl_unload()
-{
- int error = 0;
-
- /*
- * Unloading - remove the filter rule check from the IP
- * input/output stream.
- */
-#if defined(__NetBSD__)
- error = ipl_disable();
-#else
- error = ipldetach();
-#endif
-
- if (!error)
- error = ipl_remove();
- return error;
-}
-
-
-static int ipl_load()
-{
- struct nameidata nd;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- /*
- * XXX Remove existing device nodes prior to creating new ones
- * XXX using the assigned LKM device slot's major number. In a
- * XXX perfect world we could use the ones specified by cdevsw[].
- */
- (void)ipl_remove();
-
- error = ipl_enable();
- if (error)
- return error;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return error;
- if (nd.ni_vp != NULL) {
- VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
- if (nd.ni_dvp == nd.ni_vp)
- vrele(nd.ni_dvp);
- else
- vput(nd.ni_dvp);
- vrele(nd.ni_vp);
- return (EEXIST);
- }
- VATTR_NULL(&vattr);
- vattr.va_type = VCHR;
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
- if (error)
- return error;
- }
- return error;
-}
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
deleted file mode 100644
index 5a70ab9..0000000
--- a/contrib/ipfilter/mls_ipl.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/conf.h>
-#include <sys/syslog.h>
-#include <sys/buf.h>
-#include <sys/mbuf.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/uio.h>
-#include <sys/vnode.h>
-#include <sundev/mbvar.h>
-#include <sun/autoconf.h>
-#include <sun/vddrv.h>
-#if defined(sun4c) || defined(sun4m)
-# include <sun/openprom.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <net/if.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $";
-#endif
-
-extern int ipldetach __P((void));
-#ifndef IPFILTER_LOG
-#define iplread nulldev
-#endif
-extern int nulldev __P((void));
-extern int errno;
-extern int iplidentify __P((char *));
-
-extern int nodev __P((void));
-
-static int unload __P((void));
-static int ipl_attach __P((void));
-int xxxinit __P((u_int, struct vddrv *, caddr_t, struct vdstat *));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-
-
-struct cdevsw ipldevsw =
-{
- iplopen, iplclose, iplread, nulldev,
- iplioctl, nulldev, nulldev, nulldev,
- 0, nulldev,
-};
-
-
-struct dev_ops ipl_ops =
-{
- 1,
- iplidentify,
- iplattach,
- iplopen,
- iplclose,
- iplread,
- NULL, /* write */
- NULL, /* strategy */
- NULL, /* dump */
- 0, /* psize */
- iplioctl,
- NULL, /* reset */
- NULL /* mmap */
-};
-
-int ipl_major = 0;
-
-#ifdef sun4m
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO,
- IPL_VERSION,
- &ipl_ops,
- NULL,
- &ipldevsw,
- 0,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- 1,
-};
-#else /* sun4m */
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO, /* magic */
- IPL_VERSION,
-#ifdef sun4c
- &ipl_ops, /* dev_ops */
-#else
- NULL, /* struct mb_ctlr *mb_ctlr */
- NULL, /* struct mb_driver *mb_driver */
- NULL, /* struct mb_device *mb_device */
- 0, /* num ctlrs */
- 1, /* numdevs */
-#endif /* sun4c */
- NULL, /* bdevsw */
- &ipldevsw, /* cdevsw */
- 0, /* block major */
- 0, /* char major */
-};
-#endif /* sun4m */
-
-extern int vd_unuseddev __P((void));
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-xxxinit(fc, vdp, data, vds)
-u_int fc;
-struct vddrv *vdp;
-caddr_t data;
-struct vdstat *vds;
-{
- struct vdioctl_load *vdi = (struct vdioctl_load *)data;
-
- switch (fc)
- {
- case VDLOAD:
- {
- struct vdconf *vdc;
- if (vdi && vdi->vdi_userconf)
- for (vdc = vdi->vdi_userconf; vdc->vdc_type; vdc++)
- if (vdc->vdc_type == VDCCHARMAJOR) {
- ipl_major = vdc->vdc_data;
- break;
- }
-
- if (!ipl_major) {
- while (ipl_major < nchrdev &&
- cdevsw[ipl_major].d_open != vd_unuseddev)
- ipl_major++;
- if (ipl_major == nchrdev)
- return ENODEV;
- }
- vdp->vdd_vdtab = (struct vdlinkage *)&vd;
- vd.Drv_charmajor = ipl_major;
- return ipl_attach();
- }
- case VDUNLOAD:
- return unload();
- case VDSTAT:
- return 0;
- default:
- return EIO;
- }
-}
-
-
-static int unload()
-{
- char *name;
- int err, i;
-
- err = ipldetach();
- if (err)
- return err;
- for (i = 0; (name = ipf_devfiles[i]); i++)
- (void) vn_remove(name, UIO_SYSSPACE, FILE);
- return 0;
-}
-
-
-static int ipl_attach()
-{
- struct vnode *vp;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- error = iplattach();
- if (error)
- return error;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- (void) vn_remove(name, UIO_SYSSPACE, FILE);
- vattr_null(&vattr);
- vattr.va_type = MFTOVT(fmode);
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
-
- error = vn_create(name, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
- if (error) {
- printf("IP Filter: vn_create(%s) = %d\n", name, error);
- break;
- } else {
- VN_RELE(vp);
- }
- }
- return error;
-}
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
deleted file mode 100644
index 7246234..0000000
--- a/contrib/ipfilter/natparse.c
+++ /dev/null
@@ -1,902 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# include <strings.h>
-#else
-# include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.29 2003/05/15 17:45:34 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-
-extern void printnat __P((ipnat_t *, int));
-extern int countbits __P((u_32_t));
-extern char *proto;
-
-ipnat_t *natparse __P((char *, int, int *));
-void natparsefile __P((int, char *, int));
-void nat_setgroupmap __P((struct ipnat *));
-
-
-void nat_setgroupmap(n)
-ipnat_t *n;
-{
- if (n->in_outmsk == n->in_inmsk)
- n->in_ippip = 1;
- else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
- n->in_ippip++;
- if (n->in_ippip == 0)
- n->in_ippip = 1;
- n->in_ppip = USABLE_PORTS / n->in_ippip;
- } else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
- n->in_ppip = 1;
- n->in_ippip = USABLE_PORTS / n->in_ppip;
- }
-}
-
-
-/*
- * Parse a line of input from the ipnat configuration file
- *
- * status:
- * < 0 error
- * = 0 OK
- * > 0 programmer error
- */
-ipnat_t *natparse(line, linenum, status)
-char *line;
-int linenum;
-int *status;
-{
- static ipnat_t ipn;
- struct protoent *pr;
- char *dnetm = NULL, *dport = NULL;
- char *s, *t, *cps[31], **cpp;
- int i, cnt;
- char *port1a = NULL, *port1b = NULL, *port2a = NULL;
-
- *status = 100; /* default to error */
- proto = NULL;
-
- /*
- * Search for end of line and comment marker, advance of leading spaces
- */
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if ((s = strchr(line, '#')))
- *s = '\0';
- while (*line && isspace(*line))
- line++;
- if (!*line) {
- *status = 0;
- return NULL;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
- cnt = 0;
-
- /*
- * split line upto into segments.
- */
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- *status = -1;
- return NULL;
- }
-
- cpp = cps;
-
- /*
- * Check first word is a recognised keyword and then is the interface
- */
- if (!strcasecmp(*cpp, "map"))
- ipn.in_redir = NAT_MAP;
- else if (!strcasecmp(*cpp, "map-block"))
- ipn.in_redir = NAT_MAPBLK;
- else if (!strcasecmp(*cpp, "rdr"))
- ipn.in_redir = NAT_REDIRECT;
- else if (!strcasecmp(*cpp, "bimap"))
- ipn.in_redir = NAT_BIMAP;
- else {
- fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
-
- cpp++;
-
- strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
- ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
- cpp++;
-
- /*
- * If the first word after the interface is "from" or is a ! then
- * the expanded syntax is being used so parse it differently.
- */
- if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
- if (!strcmp(*cpp, "!")) {
- cpp++;
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "Missing from after !\n");
- *status = -1;
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- } else if (**cpp == '!') {
- if (strcasecmp(*cpp + 1, "from")) {
- fprintf(stderr, "Missing from after !\n");
- *status = -1;
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- }
- if ((ipn.in_flags & IPN_NOTSRC) &&
- (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
- fprintf(stderr, "Cannot use '! from' with map\n");
- *status = -1;
- return NULL;
- }
-
- ipn.in_flags |= IPN_FILTER;
- cpp++;
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
- &ipn.in_scmp, &ipn.in_stop, linenum)) {
- *status = -1;
- return NULL;
- }
- } else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
- (u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
- &ipn.in_scmp, &ipn.in_stop, linenum)) {
- *status = -1;
- return NULL;
- }
- }
-
- if (!strcmp(*cpp, "!")) {
- cpp++;
- ipn.in_flags |= IPN_NOTDST;
- } else if (**cpp == '!') {
- (*cpp)++;
- ipn.in_flags |= IPN_NOTDST;
- }
-
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if ((ipn.in_flags & IPN_NOTDST) &&
- (ipn.in_redir & (NAT_REDIRECT))) {
- fprintf(stderr, "Cannot use '! to' with rdr\n");
- *status = -1;
- return NULL;
- }
-
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- *status = -1;
- return NULL;
- }
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
- (u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
- &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_dport);
- } else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
- &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- }
- } else {
- s = *cpp;
- if (!s) {
- fprintf(stderr, "%d: short line\n", linenum);
- *status = -1;
- return NULL;
- }
- t = strchr(s, '/');
- if (!t) {
- fprintf(stderr, "%d: no netmask on LHS\n", linenum);
- *status = -1;
- return NULL;
- }
- *t++ = '\0';
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1){
- *status = -1;
- return NULL;
- }
- if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
- *status = -1;
- return NULL;
- }
- } else {
- if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
- *status = -1;
- return NULL;
- }
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: short line\n", linenum);
- *status = -1;
- return NULL;
- }
- }
-
- /*
- * If it is a standard redirect then we expect it to have a port
- * match after the hostmask.
- */
- if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 1st port\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
- *s++ = '\0';
- else
- s = NULL;
-
- port1a = *cpp++;
-
- if (!strcmp(*cpp, "-")) {
- cpp++;
- s = *cpp++;
- }
-
- if (s)
- port1b = s;
- else
- ipn.in_pmax = ipn.in_pmin;
- }
-
- /*
- * In the middle of the NAT rule syntax is -> to indicate the
- * direction of translation.
- */
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (->)\n", linenum);
- *status = -1;
- return NULL;
- }
- if (strcmp(*cpp, "->")) {
- fprintf(stderr, "%d: missing ->\n", linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum, ipn.in_redir ? "destination" : "target");
- *status = -1;
- return NULL;
- }
-
- if (ipn.in_redir == NAT_MAP) {
- if (!strcasecmp(*cpp, "range")) {
- cpp++;
- ipn.in_flags |= IPN_IPRANGE;
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum,
- ipn.in_redir ? "destination":"target");
- *status = -1;
- return NULL;
- }
- }
- }
-
- if (ipn.in_flags & IPN_IPRANGE) {
- dnetm = strrchr(*cpp, '-');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
- dnetm = *(cpp + 1);
- } else
- *dnetm++ = '\0';
- if (dnetm == NULL || *dnetm == '\0') {
- fprintf(stderr,
- "%d: desination range not specified\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (ipn.in_redir != NAT_REDIRECT) {
- dnetm = strrchr(*cpp, '/');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcasecmp(*cpp, "netmask"))
- dnetm = *++cpp;
- }
- if (dnetm == NULL) {
- fprintf(stderr,
- "%d: missing fields (dest netmask)\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (*dnetm == '/')
- *dnetm++ = '\0';
- }
-
- if (ipn.in_redir == NAT_REDIRECT) {
- dnetm = strchr(*cpp, ',');
- if (dnetm != NULL) {
- ipn.in_flags |= IPN_SPLIT;
- *dnetm++ = '\0';
- }
- if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) {
- *status = -1;
- return NULL;
- }
-#if SOLARIS
- if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) {
- fprintf(stderr,
- "localhost as destination not supported\n");
- *status = -1;
- return NULL;
- }
-#endif
- } else {
- if (!strcmp(*cpp, ipn.in_ifname))
- *cpp = "0";
- if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- }
- cpp++;
-
- if (ipn.in_redir & NAT_MAPBLK) {
- if (*cpp) {
- if (strcasecmp(*cpp, "ports")) {
- fprintf(stderr,
- "%d: expected \"ports\" - got \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (*cpp == NULL) {
- fprintf(stderr,
- "%d: missing argument to \"ports\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!strcasecmp(*cpp, "auto"))
- ipn.in_flags |= IPN_AUTOPORTMAP;
- else
- ipn.in_pmin = atoi(*cpp);
- cpp++;
- } else
- ipn.in_pmin = 0;
- } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (*cpp && (strrchr(*cpp, '/') != NULL)) {
- fprintf(stderr, "%d: No netmask supported in %s\n",
- linenum, "destination host for redirect");
- *status = -1;
- return NULL;
- }
-
- if (!*cpp) {
- fprintf(stderr, "%d: Missing destination port %s\n",
- linenum, "in redirect");
- *status = -1;
- return NULL;
- }
-
- /* If it's a in_redir, expect target port */
-
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- port2a = *cpp++;
- }
- if (dnetm && *dnetm == '/')
- *dnetm++ = '\0';
-
- if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
- if (ipn.in_flags & IPN_IPRANGE) {
- if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
- linenum) == -1) {
- *status = -1;
- return NULL;
- }
- } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) {
- *status = -1;
- return NULL;
- }
- } else {
- if (ipn.in_flags & IPN_SPLIT) {
- if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
- linenum) == -1) {
- *status = -1;
- return NULL;
- }
- } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)){
- *status = -1;
- return NULL;
- }
- if (!*cpp) {
- ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
- proto = "tcp";
- } else {
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(proto, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(proto, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(proto, "tcpudp")) {
- ipn.in_flags |= IPN_TCPUDP;
- proto = "tcp/udp";
- } else if (!strcasecmp(proto, "ip"))
- ipn.in_flags |= IPN_ANY;
- else {
- ipn.in_flags |= IPN_ANY;
- if ((pr = getprotobyname(proto)))
- ipn.in_p = pr->p_proto;
- else {
- if (!isdigit(*proto)) {
- fprintf(stderr,
- "%d: Unknown protocol %s\n",
- linenum, proto);
- *status = -1;
- return NULL;
- } else
- ipn.in_p = atoi(proto);
- }
- }
- if ((ipn.in_flags & IPN_TCPUDP) == 0) {
- port1a = "0";
- port2a = "0";
- }
-
- if (*cpp && !strcasecmp(*cpp, "round-robin")) {
- cpp++;
- ipn.in_flags |= IPN_ROUNDR;
- }
-
- if (*cpp && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (*cpp && !strcasecmp(*cpp, "age")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: age with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- ipn.in_age[0] = atoi(*cpp);
- s = index(*cpp, '/');
- if (s != NULL)
- ipn.in_age[1] = atoi(s + 1);
- else
- ipn.in_age[1] = ipn.in_age[0];
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
- cpp++;
- if (*cpp) {
- ipn.in_mssclamp = atoi(*cpp);
- cpp++;
- } else {
- fprintf(stderr,
- "%d: mssclamp with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-
- if (*cpp) {
- fprintf(stderr,
- "%d: extra junk at the end of the line: %s\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- }
- }
-
- if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
- if (!portnum(port1a, &ipn.in_pmin, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_pmin);
- if (port1b != NULL) {
- if (!portnum(port1b, &ipn.in_pmax, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmax = htons(ipn.in_pmax);
- } else
- ipn.in_pmax = ipn.in_pmin;
- }
-
- if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (!portnum(port2a, &ipn.in_pnext, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pnext = htons(ipn.in_pnext);
- }
-
- if (!(ipn.in_flags & IPN_SPLIT))
- ipn.in_inip &= ipn.in_inmsk;
- if ((ipn.in_flags & IPN_IPRANGE) == 0)
- ipn.in_outip &= ipn.in_outmsk;
- ipn.in_srcip &= ipn.in_srcmsk;
-
- if ((ipn.in_redir & NAT_MAPBLK) != 0)
- nat_setgroupmap(&ipn);
-
- if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (!*cpp) {
- *status = 0;
- return &ipn;
- }
-
- if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) {
- u_short pport;
-
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "%d: cannot use proxy with bimap\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
- dport = NULL;
-
- if (!strcasecmp(*cpp, "port")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"port\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- dport = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else {
- fprintf(stderr,
- "%d: missing keyword \"port\"\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if ((proto = index(*cpp, '/'))) {
- *proto++ = '\0';
- if ((pr = getprotobyname(proto)))
- ipn.in_p = pr->p_proto;
- else
- ipn.in_p = atoi(proto);
- } else
- ipn.in_p = 0;
-
- if (dport && !portnum(dport, &pport, linenum))
- return NULL;
- if (ipn.in_dcmp != 0) {
- if (pport != ipn.in_dport) {
- fprintf(stderr,
- "%d: mismatch in port numbers\n",
- linenum);
- return NULL;
- }
- } else
- ipn.in_dport = htons(pport);
-
- (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
- cpp++;
-
- } else if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "portmap")) {
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "%d: cannot use portmap with bimap\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing expression following portmap\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else {
- fprintf(stderr,
- "%d: expected protocol name - got \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- proto = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: no port range found\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "auto")) {
- ipn.in_flags |= IPN_AUTOPORTMAP;
- ipn.in_pmin = htons(1024);
- ipn.in_pmax = htons(65535);
- nat_setgroupmap(&ipn);
- cpp++;
- } else {
- if (!(t = strchr(*cpp, ':'))) {
- fprintf(stderr,
- "%d: no port range in \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- *t++ = '\0';
- if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
- !portnum(t, &ipn.in_pmax, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_pmin);
- ipn.in_pmax = htons(ipn.in_pmax);
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (*cpp && !strcasecmp(*cpp, "age")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: age with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
- ipn.in_age[0] = atoi(*cpp);
- s = index(*cpp, '/');
- if (s != NULL)
- ipn.in_age[1] = atoi(s + 1);
- else
- ipn.in_age[1] = ipn.in_age[0];
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
- cpp++;
- if (*cpp) {
- ipn.in_mssclamp = atoi(*cpp);
- cpp++;
- } else {
- fprintf(stderr, "%d: mssclamp with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-
- if (*cpp) {
- fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
-
- *status = 0;
- return &ipn;
-}
-
-
-void natparsefile(fd, file, opts)
-int fd;
-char *file;
-int opts;
-{
- char line[512], *s;
- ipnat_t *np;
- FILE *fp;
- int linenum = 0;
- int parsestatus;
-
- if (strcmp(file, "-")) {
- if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: open: %s\n", file,
- STRERROR(errno));
- exit(1);
- }
- } else
- fp = stdin;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- linenum++;
- line[sizeof(line) - 1] = '\0';
- if ((s = strchr(line, '\n')))
- *s = '\0';
-
- parsestatus = 1;
- np = natparse(line, linenum, &parsestatus);
- if (parsestatus != 0) {
- if (*line) {
- fprintf(stderr, "%d: syntax error in \"%s\"\n",
- linenum, line);
- }
- fprintf(stderr, "%s: %s error (%d), quitting\n",
- file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
- if (np) {
- if ((opts & OPT_VERBOSE) && np)
- printnat(np, opts);
- if (!(opts & OPT_NODO)) {
- if (!(opts & OPT_REMOVE)) {
- if (ioctl(fd, SIOCADNAT, &np) == -1) {
- fprintf(stderr, "%d:",
- linenum);
- perror("ioctl(SIOCADNAT)");
- }
- } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(SIOCRMNAT)");
- }
- }
- }
- }
- if (fp != stdin)
- fclose(fp);
-}
diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c
deleted file mode 100644
index 825a5e3..0000000
--- a/contrib/ipfilter/opt.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ipf.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.3 2002/12/06 11:40:27 darrenr Exp $";
-#endif
-
-extern int opts;
-
-struct ipopt_names ionames[] ={
- { IPOPT_NOP, 0x000001, 1, "nop" },
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" },
- { IPOPT_MTUP, 0x000008, 3, "mtup" },
- { IPOPT_MTUR, 0x000010, 3, "mtur" },
- { IPOPT_ENCODE, 0x000020, 3, "encode" },
- { IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" },
- { IPOPT_SECURITY,0x000100, 11, "sec" },
- { IPOPT_SECURITY,0x000100, 11, "sec-class" },
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" },
- { IPOPT_CIPSO, 0x000800, 3, "cipso" },
- { IPOPT_SATID, 0x001000, 4, "satid" },
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" },
- { IPOPT_VISA, 0x008000, 3, "visa" },
- { IPOPT_IMITD, 0x010000, 3, "imitd" },
- { IPOPT_EIP, 0x020000, 3, "eip" },
- { IPOPT_FINN, 0x040000, 3, "finn" },
- { 0, 0, 0, (char *)NULL } /* must be last */
-};
-
-struct ipopt_names secclass[] = {
- { IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
- { IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
- { IPSO_CLASS_SECR, 0x04, 0, "secret" },
- { IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
- { IPSO_CLASS_CONF, 0x10, 0, "confid" },
- { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
- { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
- { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-static u_char seclevel __P((char *));
-int addipopt __P((char *, struct ipopt_names *, int, char *));
-
-static u_char seclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return (u_char)so->on_value;
-}
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- int olen = len;
- struct in_addr ipadr;
- u_short val;
- u_char lvl;
- char *s;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- s = op;
- *op++ = io->on_siz;
- *op++ = IPOPT_MINOFF;
-
- if (class) {
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = seclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- ipadr.s_addr = inet_addr(class);
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
- }
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
- }
- if (opts & OPT_DEBUG)
- fprintf(stderr, "bo: %s %d %#x: %d\n",
- io->on_name, io->on_value, io->on_bit, len);
- return len - olen;
-}
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- if ((inc = addipopt(op, io, len, t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
- *op++ = IPOPT_EOL;
- len++;
- return len;
-}
diff --git a/contrib/ipfilter/opts.h b/contrib/ipfilter/opts.h
index 602c4e3..6a9494a 100644
--- a/contrib/ipfilter/opts.h
+++ b/contrib/ipfilter/opts.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2000 by Darren Reed.
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
deleted file mode 100644
index 0d8a617..0000000
--- a/contrib/ipfilter/parse.c
+++ /dev/null
@@ -1,1510 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-extern int use_inet6;
-
-int addicmp __P((char ***, struct frentry *, int));
-int extras __P((char ***, struct frentry *, int));
-
-int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
-int to_interface __P((frdest_t *, char *, int));
-void print_toif __P((char *, frdest_t *));
-void optprint __P((u_short *, u_long, u_long));
-int loglevel __P((char **, u_int *, int));
-void printlog __P((frentry_t *));
-void printifname __P((char *, char *, void *));
-
-extern char *proto;
-extern char flagset[];
-extern u_char flags[];
-
-
-/* parse()
- *
- * parse a line read from the input filter rule file
- *
- * status:
- * < 0 error
- * = 0 OK
- * > 0 programmer error
- */
-struct frentry *parse(line, linenum, status)
-char *line;
-int linenum;
-int *status; /* good, bad, or indifferent */
-{
- static struct frentry fil;
- char *cps[31], **cpp, *endptr, *s;
- struct protoent *p = NULL;
- int i, cnt = 1, j, ch;
- u_int k;
-
- *status = 100; /* default to error */
-
- while (*line && isspace(*line))
- line++;
- if (!*line) {
- *status = 0;
- return NULL;
- }
-
- bzero((char *)&fil, sizeof(fil));
- fil.fr_mip.fi_v = 0xf;
- fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
- fil.fr_loglevel = 0xffff;
-
- /*
- * break line up into max of 20 segments
- */
- if (opts & OPT_DEBUG)
- fprintf(stderr, "parse [%s]\n", line);
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- *status = -1;
- return NULL;
- }
-
- cpp = cps;
- /*
- * The presence of an '@' followed by a number gives the position in
- * the current rule list to insert this one.
- */
- if (**cpp == '@')
- fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
-
-
- /*
- * Check the first keyword in the rule and any options that are
- * expected to follow it.
- */
- if (!strcasecmp("block", *cpp)) {
- fil.fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
- (i = 19))
- fil.fr_flags |= FR_FAKEICMP;
- else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
- fil.fr_flags |= FR_RETICMP;
- if (fil.fr_flags & FR_RETICMP) {
- cpp++;
- if (strlen(*cpp) == i) {
- if (*(cpp + 1) && **(cpp +1) == '(') {
- cpp++;
- i = 0;
- } else
- i = -1;
- }
-
- /*
- * The ICMP code is not required to follow in ()'s
- */
- if ((i >= 0) && (*(*cpp + i) == '(')) {
- i++;
- j = icmpcode(*cpp + i);
- if (j == -1) {
- fprintf(stderr,
- "%d: unrecognised icmp code %s\n",
- linenum, *cpp + 20);
- *status = -1;
- return NULL;
- }
- fil.fr_icode = j;
- }
- } else if (!strcasecmp(*(cpp+1), "return-rst")) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("count", *cpp)) {
- fil.fr_flags |= FR_ACCOUNT;
- } else if (!strcasecmp("pass", *cpp)) {
- fil.fr_flags |= FR_PASS;
- } else if (!strcasecmp("nomatch", *cpp)) {
- fil.fr_flags |= FR_NOMATCH;
- } else if (!strcasecmp("auth", *cpp)) {
- fil.fr_flags |= FR_AUTH;
- if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("preauth", *cpp)) {
- fil.fr_flags |= FR_PREAUTH;
- } else if (!strcasecmp("skip", *cpp)) {
- cpp++;
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_skip = k;
- else {
- fprintf(stderr, "%d: integer must follow skip\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (!strcasecmp("log", *cpp)) {
- fil.fr_flags |= FR_LOG;
- if (!strcasecmp(*(cpp+1), "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*(cpp+1), "or-block")) {
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "level")) {
- cpp++;
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) {
- /* NB loglevel prints its own error message */
- *status = -1;
- return NULL;
- }
- cpp++;
- }
- } else {
- /*
- * Doesn't start with one of the action words
- */
- fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
- *status = -1;
- return NULL;
- }
-
- /*
- * Get the direction for filtering. Impose restrictions on direction
- * if blocking with returning ICMP or an RST has been requested.
- */
- if (!strcasecmp("in", *cpp))
- fil.fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp)) {
- fil.fr_flags |= FR_OUTQUE;
- if (fil.fr_flags & FR_RETICMP) {
- fprintf(stderr,
- "%d: Can only use return-icmp with 'in'\n",
- linenum);
- *status = -1;
- return NULL;
- } else if (fil.fr_flags & FR_RETRST) {
- fprintf(stderr,
- "%d: Can only use return-rst with 'in'\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp("log", *cpp)) {
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (fil.fr_flags & FR_PASS)
- fil.fr_flags |= FR_LOGP;
- else if (fil.fr_flags & FR_BLOCK)
- fil.fr_flags |= FR_LOGB;
- if (*cpp && !strcasecmp(*cpp, "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "or-block")) {
- if (!(fil.fr_flags & FR_PASS)) {
- fprintf(stderr,
- "%d: or-block must be used with pass\n",
- linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "level")) {
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- cpp++;
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp("quick", *cpp)) {
- if (fil.fr_skip != 0) {
- fprintf(stderr, "%d: cannot use skip with quick\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- fil.fr_flags |= FR_QUICK;
- }
-
- /*
- * Parse rule options that are available if a rule is tied to an
- * interface.
- */
- *fil.fr_ifname = '\0';
- *fil.fr_oifname = '\0';
- if (*cpp && !strcasecmp(*cpp, "on")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: interface name missing\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- s = index(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
- fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
- } else
- strcpy(fil.fr_ifnames[1], "*");
-
- (void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
- fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
-
- cpp++;
- if (!*cpp) {
- if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
- fprintf(stderr,
- "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- *status = -1;
- return NULL;
- }
- *status = 0;
- return &fil;
- }
-
- if (*cpp) {
- if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_dif, *cpp, linenum)) {
- *status = -1;
- return NULL;
- }
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_tif, *cpp, linenum)) {
- *status = -1;
- return NULL;
- }
- cpp++;
- } else if (*cpp && !strcasecmp(*cpp, "fastroute")) {
- if (!(fil.fr_flags & FR_INQUE)) {
- fprintf(stderr,
- "can only use %s with 'in'\n",
- "fastroute");
- *status = -1;
- return NULL;
- }
- fil.fr_flags |= FR_FASTROUTE;
- cpp++;
- }
- }
-
- /*
- * Set the "other" interface name. Lets you specify both
- * inbound and outbound interfaces for state rules. Do not
- * prevent both interfaces from being the same.
- */
- strcpy(fil.fr_ifnames[3], "*");
- if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
- ((((fil.fr_flags & FR_INQUE) != 0) &&
- (strcasecmp(*cpp, "out-via") == 0)) ||
- (((fil.fr_flags & FR_OUTQUE) != 0) &&
- (strcasecmp(*cpp, "in-via") == 0)))) {
- cpp++;
-
- s = index(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fil.fr_ifnames[3], s,
- IFNAMSIZ - 1);
- fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
- }
-
- (void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
- fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
- cpp++;
- } else
- strcpy(fil.fr_ifnames[2], "*");
- }
- if (*cpp && !strcasecmp(*cpp, "tos")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: tos missing value\n", linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_tos = strtol(*cpp, NULL, 0);
- fil.fr_mip.fi_tos = 0xff;
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "ttl")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: ttl missing hopcount value\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (ratoi(*cpp, &i, 0, 255))
- fil.fr_ttl = i;
- else {
- fprintf(stderr, "%d: invalid ttl (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- fil.fr_mip.fi_ttl = 0xff;
- cpp++;
- }
-
- /*
- * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
- */
- proto = NULL;
- if (*cpp && !strcasecmp(*cpp, "proto")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: protocol name missing\n", linenum);
- *status = -1;
- return NULL;
- }
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp/udp")) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else if (use_inet6 && !strcasecmp(proto, "icmp")) {
- fprintf(stderr,
-"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
- linenum);
- } else {
- if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- *status = -1;
- return NULL;
- }
- if (p)
- fil.fr_proto = p->p_proto;
- else if (isdigit(*proto)) {
- i = (int)strtol(proto, &endptr, 0);
- if (*endptr != '\0' || i < 0 || i > 255) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- *status = -1;
- return NULL;
- }
- fil.fr_proto = i;
- }
- fil.fr_mip.fi_p = 0xff;
- }
- }
- if ((fil.fr_proto != IPPROTO_TCP) &&
- ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
- fprintf(stderr, "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- *status = -1;
- return NULL;
- }
-
- /*
- * get the from host and bit mask to use against packets
- */
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- *status = -1;
- return NULL;
- }
- if (!strcasecmp(*cpp, "all")) {
- cpp++;
- if (!*cpp) {
- *status = 0;
- return &fil;
- }
- } else {
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!strcmp(*cpp, "!")) {
- fil.fr_flags |= FR_NOTSRCIP;
- if (!*++cpp) {
- fprintf(stderr,
- "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (**cpp == '!') {
- fil.fr_flags |= FR_NOTSRCIP;
- (*cpp)++;
- }
- ch = 0;
- if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
- (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
- &fil.fr_stop, linenum)) {
- *status = -1;
- return NULL;
- }
-
- if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) &&
- !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr,
- "%d: cannot use port and neither tcp or udp\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- fil.fr_scmp = ch;
- if (!*cpp) {
- fprintf(stderr, "%d: missing to fields\n", linenum);
- *status = -1;
- return NULL;
- }
-
- /*
- * do the same for the to field (destination host)
- */
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- *status = -1;
- return NULL;
- }
- ch = 0;
- if (!strcmp(*cpp, "!")) {
- fil.fr_flags |= FR_NOTDSTIP;
- if (!*++cpp) {
- fprintf(stderr,
- "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (**cpp == '!') {
- fil.fr_flags |= FR_NOTDSTIP;
- (*cpp)++;
- }
- if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
- (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
- &fil.fr_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) &&
- !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr,
- "%d: cannot use port and neither tcp or udp\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- fil.fr_dcmp = ch;
- }
-
- /*
- * check some sanity, make sure we don't have icmp checks with tcp
- * or udp or visa versa.
- */
- if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
- fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
- fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
- *status = -1;
- return NULL;
- }
- if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
- fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (!*cpp) {
- *status = 0;
- return &fil;
- }
-
- if (*cpp && !strcasecmp(*cpp, "flags")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: no flags present\n", linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
- cpp++;
- }
-
- /*
- * extras...
- */
- if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") ||
- !strcasecmp(*cpp, "and")))
- if (extras(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
-
- /*
- * icmp types for use with the icmp protocol
- */
- if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fil.fr_proto != IPPROTO_ICMP &&
- fil.fr_proto != IPPROTO_ICMPV6) {
- fprintf(stderr,
- "%d: icmp with wrong protocol (%d)\n",
- linenum, fil.fr_proto);
- *status = -1;
- return NULL;
- }
- if (addicmp(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
- fil.fr_icmp = htons(fil.fr_icmp);
- fil.fr_icmpm = htons(fil.fr_icmpm);
- }
-
- /*
- * Keep something...
- */
- while (*cpp && !strcasecmp(*cpp, "keep"))
- if (addkeep(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
-
- /*
- * This is here to enforce the old interface binding behaviour.
- * That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
- */
- if (fil.fr_flags & FR_KEEPSTATE) {
- if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
- bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
- sizeof(fil.fr_ifnames[3]));
- strncpy(fil.fr_ifnames[2], "*",
- sizeof(fil.fr_ifnames[3]));
- }
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "head")) {
- if (fil.fr_skip != 0) {
- fprintf(stderr, "%d: cannot use skip with head\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: head without group #\n", linenum);
- *status = -1;
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_grhead = (u_32_t)k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "group")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: group without group #\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_group = k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- }
-
- /*
- * leftovers...yuck
- */
- if (*cpp && **cpp) {
- fprintf(stderr, "%d: unknown words at end: [", linenum);
- for (; *cpp; cpp++)
- fprintf(stderr, "%s ", *cpp);
- fprintf(stderr, "]\n");
- *status = -1;
- return NULL;
- }
-
- /*
- * lazy users...
- */
- if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
- fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
- *status = -1;
- return NULL;
- }
- if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
- if (!fil.fr_proto) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else {
- fprintf(stderr,
- "%d: port comparisons for non-TCP/UDP\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-/*
- if ((fil.fr_flags & FR_KEEPFRAG) &&
- (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
- fprintf(stderr,
- "%d: must use 'with frags' with 'keep frags'\n",
- linenum);
- *status = -1;
- return NULL;
- }
-*/
- *status = 0;
- return &fil;
-}
-
-
-int loglevel(cpp, facpri, linenum)
-char **cpp;
-u_int *facpri;
-int linenum;
-{
- int fac, pri;
- char *s;
-
- fac = 0;
- pri = 0;
- if (!*++cpp) {
- fprintf(stderr, "%d: %s\n", linenum,
- "missing identifier after level");
- return -1;
- }
-
- s = index(*cpp, '.');
- if (s) {
- *s++ = '\0';
- fac = fac_findname(*cpp);
- if (fac == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown facility", *cpp);
- return -1;
- }
- pri = pri_findname(s);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", s);
- return -1;
- }
- } else {
- pri = pri_findname(*cpp);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", *cpp);
- return -1;
- }
- }
- *facpri = fac|pri;
- return 0;
-}
-
-
-int to_interface(fdp, to, linenum)
-frdest_t *fdp;
-char *to;
-int linenum;
-{
- char *s;
-
- s = index(to, ':');
- fdp->fd_ifp = NULL;
- if (s) {
- *s++ = '\0';
- if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum) == -1)
- return -1;
- }
- (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
- fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
- return 0;
-}
-
-
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
-{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
-#ifdef USE_INET6
- if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
- char ipv6addr[80];
-
- inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
- sizeof(fdp->fd_ip6));
- printf(":%s", ipv6addr);
- } else
-#endif
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
-}
-
-
-/*
- * deal with extra bits on end of the line
- */
-int extras(cp, fr, linenum)
-char ***cp;
-struct frentry *fr;
-int linenum;
-{
- u_short secmsk;
- u_long opts;
- int notopt;
- char oflags;
-
- opts = 0;
- secmsk = 0;
- notopt = 0;
- (*cp)++;
- if (!**cp)
- return -1;
-
- while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strcasecmp(**cp, "not") || !strncasecmp(**cp, "opt", 3) ||
- !strncasecmp(**cp, "frag", 4) || !strcasecmp(**cp, "no") ||
- !strcasecmp(**cp, "short"))) {
- if (***cp == 'n' || ***cp == 'N') {
- notopt = 1;
- (*cp)++;
- continue;
- } else if (***cp == 'i' || ***cp == 'I') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_OPTIONS;
- fr->fr_mip.fi_fl |= FI_OPTIONS;
- goto nextopt;
- } else if (***cp == 'f' || ***cp == 'F') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_FRAG;
- fr->fr_mip.fi_fl |= FI_FRAG;
- goto nextopt;
- } else if (***cp == 'o' || ***cp == 'O') {
- if (!*(*cp + 1)) {
- fprintf(stderr,
- "%d: opt missing arguements\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!(opts = optname(cp, &secmsk, linenum)))
- return -1;
- oflags = FI_OPTIONS;
- } else if (***cp == 's' || ***cp == 'S') {
- if (fr->fr_tcpf) {
- fprintf(stderr,
- "%d: short cannot be used with TCP flags\n",
- linenum);
- return -1;
- }
-
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_SHORT;
- fr->fr_mip.fi_fl |= FI_SHORT;
- goto nextopt;
- } else
- return -1;
-
- if (!notopt || !opts)
- fr->fr_mip.fi_fl |= oflags;
- if (notopt) {
- if (!secmsk) {
- fr->fr_mip.fi_optmsk |= opts;
- } else {
- fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
- }
- } else {
- fr->fr_mip.fi_optmsk |= opts;
- }
- fr->fr_mip.fi_secmsk |= secmsk;
-
- if (notopt) {
- fr->fr_ip.fi_fl &= (~oflags & 0xf);
- fr->fr_ip.fi_optmsk &= ~opts;
- fr->fr_ip.fi_secmsk &= ~secmsk;
- } else {
- fr->fr_ip.fi_fl |= oflags;
- fr->fr_ip.fi_optmsk |= opts;
- fr->fr_ip.fi_secmsk |= secmsk;
- }
-nextopt:
- notopt = 0;
- opts = 0;
- oflags = 0;
- secmsk = 0;
- (*cp)++;
- }
- return 0;
-}
-
-
-u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
-{
- struct ipopt_names *io, *so;
- u_long msk = 0;
- u_short smsk = 0;
- char *s;
- int sec = 0;
-
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (io = ionames; io->on_name; io++)
- if (!strcasecmp(s, io->on_name)) {
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "%d: unknown IP option name %s\n",
- linenum, s);
- return 0;
- }
- if (!strcasecmp(s, "sec-class"))
- sec = 1;
- }
-
- if (sec && !*(*cp + 1)) {
- fprintf(stderr, "%d: missing security level after sec-class\n",
- linenum);
- return 0;
- }
-
- if (sec) {
- (*cp)++;
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(s, so->on_name)) {
- smsk |= so->on_bit;
- break;
- }
- if (!so->on_name) {
- fprintf(stderr,
- "%d: no such security level: %s\n",
- linenum, s);
- return 0;
- }
- }
- if (smsk)
- *sp = smsk;
- }
- return msk;
-}
-
-
-#ifdef __STDC__
-void optprint(u_short *sec, u_long optmsk, u_long optbits)
-#else
-void optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
-#endif
-{
- u_short secmsk = sec[0], secbits = sec[1];
- struct ipopt_names *io, *so;
- char *s;
-
- s = " opt ";
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- if (io->on_value == IPOPT_SECURITY)
- io++;
- s = ",";
- }
- }
-
-
- if (secmsk & secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((secmsk & so->on_bit) &&
- ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
-
- if ((optmsk && (optmsk != optbits)) ||
- (secmsk && (secmsk != secbits))) {
- s = " ";
- printf(" not opt");
- if (optmsk != optbits) {
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) !=
- (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- s = ",";
- if (io->on_value ==
- IPOPT_SECURITY)
- io++;
- } else
- io++;
- }
- }
-
- if (secmsk != secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((so->on_bit & secmsk) &&
- ((so->on_bit & secmsk) !=
- (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
- }
-}
-
-char *icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addicmp(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char **t;
- int i;
-
- (*cp)++;
- if (!**cp)
- return -1;
-
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else if (fp->fr_proto == IPPROTO_ICMPV6) {
- fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
- linenum, **cp, "(use numeric value instead)\n");
- return -1;
- } else {
- for (t = icmptypes, i = 0; ; t++, i++) {
- if (!*t)
- continue;
- if (!strcasecmp("END", *t)) {
- i = -1;
- break;
- }
- if (!strcasecmp(*t, **cp))
- break;
- }
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- fp->fr_icmp = (u_short)(i << 8);
- fp->fr_icmpm = (u_short)0xff00;
- (*cp)++;
- if (!**cp)
- return 0;
-
- if (**cp && strcasecmp("code", **cp))
- return 0;
- (*cp)++;
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else {
- i = icmpcode(**cp);
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- i &= 0xff;
- fp->fr_icmp |= (u_short)i;
- fp->fr_icmpm = (u_short)0xffff;
- (*cp)++;
- return 0;
-}
-
-
-#define MAX_ICMPCODE 15
-
-char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag",
- "srcfail", "net-unk", "host-unk", "isolate", "net-prohib",
- "host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced",
- "preced-cutoff", NULL };
-/*
- * Return the number for the associated ICMP unreachable code.
- */
-int icmpcode(str)
-char *str;
-{
- char *s;
- int i, len;
-
- if ((s = strrchr(str, ')')))
- *s = '\0';
- if (isdigit(*str)) {
- if (!ratoi(str, &i, 0, 255))
- return -1;
- else
- return i;
- }
- len = strlen(str);
- for (i = 0; icmpcodes[i]; i++)
- if (!strncasecmp(str, icmpcodes[i], MIN(len,
- strlen(icmpcodes[i])) ))
- return i;
- return -1;
-}
-
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addkeep(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char *s;
-
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: Missing keyword after keep\n",
- linenum);
- return -1;
- }
-
- if (strcasecmp(**cp, "state") == 0)
- fp->fr_flags |= FR_KEEPSTATE;
- else if (strncasecmp(**cp, "frag", 4) == 0)
- fp->fr_flags |= FR_KEEPFRAG;
- else if (strcasecmp(**cp, "state-age") == 0) {
- if (fp->fr_ip.fi_p == IPPROTO_TCP) {
- fprintf(stderr, "%d: cannot use state-age with tcp\n",
- linenum);
- return -1;
- }
- if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
- fprintf(stderr, "%d: state-age with no 'keep state'\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: state-age with no arg\n",
- linenum);
- return -1;
- }
- fp->fr_age[0] = atoi(**cp);
- s = index(**cp, '/');
- if (s != NULL) {
- s++;
- fp->fr_age[1] = atoi(s);
- } else
- fp->fr_age[1] = fp->fr_age[0];
- } else {
- fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
- linenum, **cp);
- return -1;
- }
- (*cp)++;
- return 0;
-}
-
-
-void printifname(format, name, ifp)
-char *format, *name;
-void *ifp;
-{
- printf("%s%s", format, name);
- if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
- printf("(!)");
-}
-
-
-/*
- * print the filter structure in a useful way
- */
-void printfr(fp)
-struct frentry *fp;
-{
- struct protoent *p;
- u_short sec[2];
- char *s;
- u_char *t;
- int pr;
-
- if (fp->fr_flags & FR_PASS)
- printf("pass");
- if (fp->fr_flags & FR_NOMATCH)
- printf("nomatch");
- else if (fp->fr_flags & FR_BLOCK) {
- printf("block");
- if (fp->fr_flags & FR_RETICMP) {
- if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
- else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
- if (fp->fr_icode) {
- if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
- icmpcodes[(int)fp->fr_icode]);
- else
- printf("(%d)", fp->fr_icode);
- }
- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
- printlog(fp);
- } else if (fp->fr_flags & FR_ACCOUNT)
- printf("count");
- else if (fp->fr_flags & FR_AUTH) {
- printf("auth");
- if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if (fp->fr_flags & FR_PREAUTH)
- printf("preauth");
- else if (fp->fr_skip)
- printf("skip %hu", fp->fr_skip);
-
- if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
-
- if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
- ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
- printlog(fp);
- putchar(' ');
- }
-
- if (fp->fr_flags & FR_QUICK)
- printf("quick ");
-
- if (*fp->fr_ifname) {
- printifname("on ", fp->fr_ifname, fp->fr_ifa);
- if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
- printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
- putchar(' ');
-
- if (*fp->fr_dif.fd_ifname)
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
-
- if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
- (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
- if (fp->fr_flags & FR_OUTQUE)
- printf("in-via ");
- else
- printf("out-via ");
-
- if (*fp->fr_ifnames[2]) {
- printifname("", fp->fr_ifnames[2],
- fp->fr_ifas[2]);
- putchar(',');
- }
-
- if (*fp->fr_ifnames[3])
- printifname("", fp->fr_ifnames[3],
- fp->fr_ifas[3]);
- putchar(' ');
- }
- }
-
- if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
- if (fp->fr_mip.fi_ttl)
- printf("ttl %d ", fp->fr_ttl);
- if (fp->fr_ip.fi_fl & FI_TCPUDP) {
- printf("proto tcp/udp ");
- pr = -1;
- } else if ((pr = fp->fr_mip.fi_p)) {
- if ((p = getprotobynumber(fp->fr_proto)))
- printf("proto %s ", p->p_name);
- else
- printf("proto %d ", fp->fr_proto);
- }
-
- printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr,
- (u_32_t *)&fp->fr_smsk.s_addr);
- if (fp->fr_scmp)
- printportcmp(pr, &fp->fr_tuc.ftu_src);
-
- printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr,
- (u_32_t *)&fp->fr_dmsk.s_addr);
- if (fp->fr_dcmp)
- printportcmp(pr, &fp->fr_tuc.ftu_dst);
-
- if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
- (fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
- fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- printf(" with");
- if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- sec[0] = fp->fr_mip.fi_secmsk;
- sec[1] = fp->fr_ip.fi_secmsk;
- optprint(sec,
- fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk);
- } else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
- if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
- printf(" not");
- printf(" ipopt");
- }
- if (fp->fr_mip.fi_fl & FI_SHORT) {
- if (!(fp->fr_ip.fi_fl & FI_SHORT))
- printf(" not");
- printf(" short");
- }
- if (fp->fr_mip.fi_fl & FI_FRAG) {
- if (!(fp->fr_ip.fi_fl & FI_FRAG))
- printf(" not");
- printf(" frag");
- }
- }
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0) {
- int type = fp->fr_icmp, code;
-
- type = ntohs(fp->fr_icmp);
- code = type & 0xff;
- type /= 256;
- if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
- icmptypes[type])
- printf(" icmp-type %s", icmptypes[type]);
- else
- printf(" icmp-type %d", type);
- if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
- }
- if (fp->fr_proto == IPPROTO_ICMPV6 && fp->fr_icmpm != 0) {
- int type = fp->fr_icmp, code;
-
- type = ntohs(fp->fr_icmp);
- code = type & 0xff;
- type /= 256;
- printf(" icmp-type %d", type);
- if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
- }
- if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
- printf(" flags ");
- if (fp->fr_tcpf & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpf);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpf & *t)
- (void)putchar(*s);
- if (fp->fr_tcpfm) {
- (void)putchar('/');
- if (fp->fr_tcpfm & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpfm);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpfm & *t)
- (void)putchar(*s);
- }
- }
-
- if (fp->fr_flags & FR_KEEPSTATE)
- printf(" keep state");
- if (fp->fr_flags & FR_KEEPFRAG)
- printf(" keep frags");
- if (fp->fr_age[0] != 0 || fp->fr_age[1]!= 0)
- printf(" state-age %u/%u", fp->fr_age[0], fp->fr_age[1]);
- if (fp->fr_grhead)
- printf(" head %d", fp->fr_grhead);
- if (fp->fr_group)
- printf(" group %d", fp->fr_group);
- (void)putchar('\n');
-}
-
-void binprint(fp)
-struct frentry *fp;
-{
- int i = sizeof(*fp), j = 0;
- u_char *s;
-
- for (s = (u_char *)fp; i; i--, s++) {
- j++;
- printf("%02x ", *s);
- if (j == 16) {
- printf("\n");
- j = 0;
- }
- }
- putchar('\n');
- (void)fflush(stdout);
-}
-
-
-void printlog(fp)
-frentry_t *fp;
-{
- char *s, *u;
-
- printf("log");
- if (fp->fr_flags & FR_LOGBODY)
- printf(" body");
- if (fp->fr_flags & FR_LOGFIRST)
- printf(" first");
- if (fp->fr_flags & FR_LOGORBLOCK)
- printf(" or-block");
- if (fp->fr_loglevel != 0xffff) {
- printf(" level ");
- if (fp->fr_loglevel & LOG_FACMASK) {
- s = fac_toname(fp->fr_loglevel);
- if (s == NULL)
- s = "!!!";
- } else
- s = "";
- u = pri_toname(fp->fr_loglevel);
- if (u == NULL)
- u = "!!!";
- if (*s)
- printf("%s.%s", s, u);
- else
- printf("%s", u);
- }
-}
diff --git a/contrib/ipfilter/pcap-ipf.h b/contrib/ipfilter/pcap-ipf.h
index a6b974c..71250ad 100644
--- a/contrib/ipfilter/pcap-ipf.h
+++ b/contrib/ipfilter/pcap-ipf.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h
deleted file mode 100644
index aa24798..0000000
--- a/contrib/ipfilter/pcap.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: pcap.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $
- */
-/*
- * This header file is constructed to match the version described by
- * PCAP_VERSION_MAJ.
- *
- * The structure largely derives from libpcap which wouldn't include
- * nicely without bpf.
- */
-typedef struct pcap_filehdr {
- u_int pc_id;
- u_short pc_v_maj;
- u_short pc_v_min;
- u_int pc_zone;
- u_int pc_sigfigs;
- u_int pc_slen;
- u_int pc_type;
-} pcaphdr_t;
-
-#define TCPDUMP_MAGIC 0xa1b2c3d4
-
-#define PCAP_VERSION_MAJ 2
-
-typedef struct pcap_pkthdr {
- struct timeval ph_ts;
- u_int ph_clen;
- u_int ph_len;
-} pcappkt_t;
-
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
deleted file mode 100644
index 5a12b32..0000000
--- a/contrib/ipfilter/printnat.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-#include "kmem.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.15 2003/03/22 15:31:49 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-#ifdef USE_INET6
-extern int use_inet6;
-#endif
-
-extern char thishost[MAXHOSTNAMELEN];
-
-extern int countbits __P((u_32_t));
-
-void printnat __P((ipnat_t *, int));
-char *getnattype __P((ipnat_t *));
-void printactivenat __P((nat_t *, int));
-void printhostmap __P((hostmap_t *, u_int));
-char *getsumd __P((u_32_t));
-
-static void printaps __P((ap_session_t *, int));
-
-static void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
-{
- ipsec_pxy_t ipsec;
- ap_session_t ap;
- ftpinfo_t ftp;
- aproxy_t apr;
- raudio_t ra;
-
- if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
- return;
- if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
- return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
- apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
-#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
- (unsigned long long)ap.aps_pkts);
-#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
-#endif
- printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
- ap.aps_state[0], ap.aps_state[1],
- ap.aps_sel[0], ap.aps_sel[1]);
-#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
- (__FreeBSD_version >= 300000) || defined(OpenBSD)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#endif
- }
-
- if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
- if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
- return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
- ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
- ra.rap_plport, ra.rap_prport, ra.rap_srport);
- } else if (!strcmp(apr.apr_label, "ftp") &&
- (ap.aps_psiz == sizeof(ftp))) {
- if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
- return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
- ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
- ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
- ftp.ftp_side[0].ftps_seq[1],
- ftp.ftp_side[0].ftps_seq[0],
- ftp.ftp_side[0].ftps_len,
- ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
- ftp.ftp_side[1].ftps_seq[1],
- ftp.ftp_side[1].ftps_seq[0],
- ftp.ftp_side[1].ftps_len,
- ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
- } else if (!strcmp(apr.apr_label, "ipsec") &&
- (ap.aps_psiz == sizeof(ipsec))) {
- if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
- return;
- printf("\tIPSec Proxy:\n");
- printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
- (u_int)ntohl(ipsec.ipsc_icookie[0]),
- (u_int)ntohl(ipsec.ipsc_icookie[1]),
- (u_int)ntohl(ipsec.ipsc_rcookie[0]),
- (u_int)ntohl(ipsec.ipsc_rcookie[1]),
- ipsec.ipsc_rckset ? "(Set)" : "(Not set)");
- }
-}
-
-
-/*
- * Get a nat filter type given its kernel address.
- */
-char *getnattype(ipnat)
-ipnat_t *ipnat;
-{
- static char unknownbuf[20];
- ipnat_t ipnatbuff;
- char *which;
-
- if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
- sizeof(ipnatbuff))))
- return "???";
-
- switch (ipnatbuff.in_redir)
- {
- case NAT_MAP :
- which = "MAP";
- break;
- case NAT_MAPBLK :
- which = "MAP-BLOCK";
- break;
- case NAT_REDIRECT :
- which = "RDR";
- break;
- case NAT_BIMAP :
- which = "BIMAP";
- break;
- default :
- sprintf(unknownbuf, "unknown(%04x)",
- ipnatbuff.in_redir & 0xffffffff);
- which = unknownbuf;
- break;
- }
- return which;
-}
-
-
-void printactivenat(nat, opts)
-nat_t *nat;
-int opts;
-{
- u_int hv1, hv2;
-
- printf("%s %-15s", getnattype(nat->nat_ptr), inet_ntoa(nat->nat_inip));
-
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_inport));
-
- printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
-
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_outport));
-
- printf(" [%s", inet_ntoa(nat->nat_oip));
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %hu", ntohs(nat->nat_oport));
- printf("]");
-
- if (opts & OPT_VERBOSE) {
- printf("\n\tage %lu use %hu sumd %s/",
- nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0]));
- hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
- 0xffffffff),
- hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
- NAT_TABLE_SZ),
- hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
- 0xffffffff),
- hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
- NAT_TABLE_SZ),
- printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
- getsumd(nat->nat_sumd[1]), nat->nat_p,
- hv1, hv2, nat->nat_flags,
- nat->nat_drop[0], nat->nat_drop[1]);
- printf("\tifp %s ", getifname(nat->nat_ifp));
-#ifdef USE_QUAD_T
- printf("bytes %qu pkts %qu",
- (unsigned long long)nat->nat_bytes,
- (unsigned long long)nat->nat_pkts);
-#else
- printf("bytes %lu pkts %lu", nat->nat_bytes, nat->nat_pkts);
-#endif
-#if SOLARIS
- printf(" %lx", nat->nat_ipsumd);
-#endif
- }
-
- putchar('\n');
- if (nat->nat_aps)
- printaps(nat->nat_aps, opts);
-}
-
-
-void printhostmap(hmp, hv)
-hostmap_t *hmp;
-u_int hv;
-{
- printf("%s -> ", inet_ntoa(hmp->hm_realip));
- printf("%s ", inet_ntoa(hmp->hm_mapip));
- printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
-}
-
-
-char *getsumd(sum)
-u_32_t sum;
-{
- static char sumdbuf[17];
-
- if (sum & NAT_HW_CKSUM)
- sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
- else
- sprintf(sumdbuf, "%#0x", sum);
- return sumdbuf;
-}
-
-
-/*
- * Print out a NAT rule
- */
-void printnat(np, opts)
-ipnat_t *np;
-int opts;
-{
- struct protoent *pr;
- struct servent *sv;
- int bits;
-
- pr = getprotobynumber(np->in_p);
-
- switch (np->in_redir)
- {
- case NAT_REDIRECT :
- printf("rdr");
- break;
- case NAT_MAP :
- printf("map");
- break;
- case NAT_MAPBLK :
- printf("map-block");
- break;
- case NAT_BIMAP :
- printf("bimap");
- break;
- default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
- np->in_redir);
- break;
- }
-
- printf(" %s ", np->in_ifname);
-
- if (np->in_flags & IPN_FILTER) {
- if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- }
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
-
- if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- }
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- }
-
- if (np->in_redir == NAT_REDIRECT) {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("/%d ", bits);
- else
- printf("/%s ", inet_ntoa(np->in_out[1]));
- printf("port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("- %d", ntohs(np->in_pmax));
- }
- printf(" -> %s", inet_ntoa(np->in_in[0]));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1]));
- printf(" port %d", ntohs(np->in_pnext));
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if ((np->in_flags & IPN_TCP) == IPN_TCP)
- printf(" tcp");
- else if ((np->in_flags & IPN_UDP) == IPN_UDP)
- printf(" udp");
- else if (np->in_p == 0)
- printf(" ip");
- else if (np->in_p != 0) {
- if (pr != NULL)
- printf(" %s", pr->p_name);
- else
- printf(" %d", np->in_p);
- }
- if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- if (np->in_age[0])
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
- if (np->in_mssclamp)
- printf(" mssclamp %u", np->in_mssclamp);
- printf("\n");
- if (opts & OPT_DEBUG)
- printf("\tspc %lu flg %#x max %u use %d\n",
- np->in_space, np->in_flags,
- np->in_pmax, np->in_use);
- } else {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0]));
- bits = countbits(np->in_in[1].s_addr);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1]));
- }
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0]));
- printf("%s", inet_ntoa(np->in_out[1]));
- } else {
- printf("%s/", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1]));
- }
- if (*np->in_plabel) {
- printf(" proxy port");
- if (np->in_dcmp != 0)
- np->in_dport = htons(np->in_dport);
- if (np->in_dport != 0) {
- if (pr != NULL)
- sv = getservbyport(np->in_dport,
- pr->p_name);
- else
- sv = getservbyport(np->in_dport, NULL);
- if (sv != NULL)
- printf(" %s", sv->s_name);
- else
- printf(" %hu", ntohs(np->in_dport));
- }
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- if (pr != NULL)
- fputs(pr->p_name, stdout);
- else
- printf("%d", np->in_p);
- } else if (np->in_redir == NAT_MAPBLK) {
- if ((np->in_pmin == 0) &&
- (np->in_flags & IPN_AUTOPORTMAP))
- printf(" ports auto");
- else
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_DEBUG)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
- printf(" portmap");
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf(" tcp");
- else if (np->in_flags & IPN_UDP)
- printf(" udp");
- if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
- if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
- np->in_ippip, np->in_ppip);
- } else {
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
- }
- }
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- if (np->in_age[0])
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
- printf("\n");
- if (opts & OPT_DEBUG) {
- struct in_addr nip;
-
- nip.s_addr = htonl(np->in_nextip.s_addr);
-
- printf("\tspace %lu nextip %s pnext %d", np->in_space,
- inet_ntoa(nip), np->in_pnext);
- printf(" flags %x use %u\n",
- np->in_flags, np->in_use);
- }
- }
-}
diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c
deleted file mode 100644
index 624493b..0000000
--- a/contrib/ipfilter/printstate.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <stdio.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include "kmem.h"
-#include "netinet/ip_compat.h"
-#include "ipf.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ipstate_t *printstate(sp, opts)
-ipstate_t *sp;
-int opts;
-{
- ipstate_t ips;
-
- if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips)))
- return NULL;
-
- PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
- PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
- hostname(ips.is_v, &ips.is_dst.in4),
- ips.is_age, ips.is_pass, ips.is_p,
- ips.is_state[0], ips.is_state[1]);
-#ifdef USE_QUAD_T
- PRINTF("\tpkts %qu bytes %qu", (unsigned long long) ips.is_pkts,
- (unsigned long long) ips.is_bytes);
-#else
- PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
-#endif
- if (ips.is_p == IPPROTO_TCP) {
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
-(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
- PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxsend, ips.is_maxdend);
- PRINTF("\t%u<<%d:%u<<%d",
- ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
- ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
-#else
- PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxsend, ips.is_maxdend);
- PRINTF("\t%u<<%d:%u<<%d",
- ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
- ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
-#endif
- } else if (ips.is_p == IPPROTO_UDP)
- PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
- ntohs(ips.is_dport));
- else if (ips.is_p == IPPROTO_ICMP
-#ifdef USE_INET6
- || ips.is_p == IPPROTO_ICMPV6
-#endif
- )
- PRINTF(" id %hu seq %hu type %d", ntohs(ips.is_icmp.ics_id),
- ntohs(ips.is_icmp.ics_seq), ips.is_icmp.ics_type);
-
- PRINTF("\n\t");
-
- /*
- * Print out bits set in the result code for the state being
- * kept as they would for a rule.
- */
- if (ips.is_pass & FR_PASS) {
- PRINTF("pass");
- } else if (ips.is_pass & FR_BLOCK) {
- PRINTF("block");
- switch (ips.is_pass & FR_RETMASK)
- {
- case FR_RETICMP :
- PRINTF(" return-icmp");
- break;
- case FR_FAKEICMP :
- PRINTF(" return-icmp-as-dest");
- break;
- case FR_RETRST :
- PRINTF(" return-rst");
- break;
- default :
- break;
- }
- } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
- PRINTF("log");
- if (ips.is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (ips.is_pass & FR_LOGFIRST)
- PRINTF(" first");
- } else if (ips.is_pass & FR_ACCOUNT)
- PRINTF("count");
-
- if (ips.is_pass & FR_OUTQUE)
- PRINTF(" out");
- else
- PRINTF(" in");
-
- if ((ips.is_pass & FR_LOG) != 0) {
- PRINTF(" log");
- if (ips.is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (ips.is_pass & FR_LOGFIRST)
- PRINTF(" first");
- if (ips.is_pass & FR_LOGORBLOCK)
- PRINTF(" or-block");
- }
- if (ips.is_pass & FR_QUICK)
- PRINTF(" quick");
- if (ips.is_pass & FR_KEEPFRAG)
- PRINTF(" keep frags");
- /* a given; no? */
- if (ips.is_pass & FR_KEEPSTATE)
- PRINTF(" keep state");
- PRINTF("\tIPv%d", ips.is_v);
- PRINTF("\n");
-
- PRINTF("\tpkt_flags & %x(%x) = %x,\t",
- ips.is_flags & 0xf, ips.is_flags,
- ips.is_flags >> 4);
- PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
- ips.is_opt);
- PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- ips.is_secmsk, ips.is_sec, ips.is_authmsk,
- ips.is_auth);
- PRINTF("\tinterfaces: in %s", getifname(ips.is_ifp[0]));
- PRINTF(",%s", getifname(ips.is_ifp[1]));
- PRINTF(" out %s", getifname(ips.is_ifp[2]));
- PRINTF(",%s\n", getifname(ips.is_ifp[3]));
-
- return ips.is_next;
-}
diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c
index 964c1095..8bef078 100644
--- a/contrib/ipfilter/radix.c
+++ b/contrib/ipfilter/radix.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (c) 1988, 1989, 1993
diff --git a/contrib/ipfilter/radix_ipf.h b/contrib/ipfilter/radix_ipf.h
index 1dada60..cc046fe 100644
--- a/contrib/ipfilter/radix_ipf.h
+++ b/contrib/ipfilter/radix_ipf.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (c) 1988, 1989, 1993
diff --git a/contrib/ipfilter/relay.c b/contrib/ipfilter/relay.c
deleted file mode 100644
index 6a67433..0000000
--- a/contrib/ipfilter/relay.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Sample program to be used as a transparent proxy.
- *
- * Must be executed with permission enough to do an ioctl on /dev/ipl
- * or equivalent. This is just a sample and is only alpha quality.
- * - Darren Reed (8 April 1996)
- */
-#include <unistd.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/errno.h>
-#include <sys/syslog.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include <sys/socket.h>
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)
-# include <poll.h>
-# define USE_POLL
-#endif
-#include "ip_nat.h"
-
-#define RELAY_BUFSZ 8192
-
-char ibuff[RELAY_BUFSZ];
-char obuff[RELAY_BUFSZ];
-
-int relay(ifd, ofd, rfd)
-int ifd, ofd, rfd;
-{
-#ifdef USE_POLL
- struct pollfd set[3];
-#else
- fd_set rfds, wfds;
-#endif
- char *irh, *irt, *rrh, *rrt;
- char *iwh, *iwt, *rwh, *rwt;
- int nfd, n, rw;
-
- irh = irt = ibuff;
- iwh = iwt = obuff;
- nfd = ifd;
- if (nfd < ofd)
- nfd = ofd;
- if (nfd < rfd)
- nfd = rfd;
-
-#ifdef USE_POLL
- set[0].fd = rfd;
- set[1].fd = ifd;
- set[2].fd = ofd;
-#endif
-
- while (1) {
-#ifdef USE_POLL
- set[0].events = (iwh < (obuff + RELAY_BUFSZ) ? POLLIN : 0) |
- (irh > irt ? POLLOUT : 0);
- set[1].events = (irh < (ibuff + RELAY_BUFSZ) ? POLLIN : 0);
- set[2].events = (iwh > iwt ? POLLOUT : 0);
-
- switch ((n = poll(set, 3, INFTIM)))
-#else
- FD_ZERO(&rfds);
- FD_ZERO(&wfds);
- if (irh > irt)
- FD_SET(rfd, &wfds);
- if (irh < (ibuff + RELAY_BUFSZ))
- FD_SET(ifd, &rfds);
- if (iwh > iwt)
- FD_SET(ofd, &wfds);
- if (iwh < (obuff + RELAY_BUFSZ))
- FD_SET(rfd, &rfds);
-
- switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL)))
-#endif
- {
- case -1 :
- case 0 :
- return -1;
- default :
-#ifdef USE_POLL
- if (set[1].revents & POLLIN)
-#else
- if (FD_ISSET(ifd, &rfds))
-#endif
- {
- rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh);
- if (rw == -1)
- return -1;
- if (rw == 0)
- return 0;
- irh += rw;
- n--;
- }
-#ifdef USE_POLL
- if (set[2].revents & POLLOUT)
-#else
- if (n && FD_ISSET(ofd, &wfds))
-#endif
- {
- rw = write(ofd, iwt, iwh - iwt);
- if (rw == -1)
- return -1;
- iwt += rw;
- n--;
- }
-#ifdef USE_POLL
- if (set[0].revents & POLLIN)
-#else
- if (n && FD_ISSET(rfd, &rfds))
-#endif
- {
- rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh);
- if (rw == -1)
- return -1;
- if (rw == 0)
- return 0;
- iwh += rw;
- n--;
- }
-#ifdef USE_POLL
- if (set[0].revents & POLLOUT)
-#else
- if (n && FD_ISSET(rfd, &wfds))
-#endif
- {
- rw = write(rfd, irt, irh - irt);
- if (rw == -1)
- return -1;
- irt += rw;
- n--;
- }
- if (irh == irt)
- irh = irt = ibuff;
- if (iwh == iwt)
- iwh = iwt = obuff;
- }
- }
-}
-
-main(argc, argv)
-int argc;
-char *argv[];
-{
- struct sockaddr_in sin;
- natlookup_t nl;
- natlookup_t *nlp = &nl;
- int fd, sl = sizeof(sl), se;
-
- openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
- if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) {
- se = errno;
- perror("open");
- errno = se;
- syslog(LOG_ERR, "open: %m\n");
- exit(-1);
- }
-
- bzero(&nl, sizeof(nl));
- nl.nl_flags = IPN_TCP;
-
- bzero(&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sl = sizeof(sin);
- if (getsockname(0, (struct sockaddr *)&sin, &sl) == -1) {
- se = errno;
- perror("getsockname");
- errno = se;
- syslog(LOG_ERR, "getsockname: %m\n");
- exit(-1);
- } else {
- nl.nl_inip.s_addr = sin.sin_addr.s_addr;
- nl.nl_inport = sin.sin_port;
- }
-
- bzero(&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sl = sizeof(sin);
- if (getpeername(0, (struct sockaddr *)&sin, &sl) == -1) {
- se = errno;
- perror("getpeername");
- errno = se;
- syslog(LOG_ERR, "getpeername: %m\n");
- exit(-1);
- } else {
- nl.nl_outip.s_addr = sin.sin_addr.s_addr;
- nl.nl_outport = sin.sin_port;
- }
-
- if (ioctl(fd, SIOCGNATL, &nlp) == -1) {
- se = errno;
- perror("ioctl");
- errno = se;
- syslog(LOG_ERR, "ioctl: %m\n");
- exit(-1);
- }
-
- sin.sin_port = nl.nl_realport;
- sin.sin_addr = nl.nl_realip;
- sl = sizeof(sin);
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (connect(fd, (struct sockaddr *)&sin, sl) == -1) {
- se = errno;
- perror("connect");
- errno = se;
- syslog(LOG_ERR, "connect: %m\n");
- exit(-1);
- }
-
- (void) ioctl(fd, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
- (void) ioctl(0, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
- (void) ioctl(1, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
-
- syslog(LOG_NOTICE, "connected to %s,%d\n", inet_ntoa(sin.sin_addr),
- ntohs(sin.sin_port));
- if (relay(0, 1, fd) == -1) {
- se = errno;
- perror("relay");
- errno = se;
- syslog(LOG_ERR, "relay: %m\n");
- exit(-1);
- }
- exit(0);
-}
diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c
index ccf2ac6..c1854b5 100644
--- a/contrib/ipfilter/samples/proxy.c
+++ b/contrib/ipfilter/samples/proxy.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Sample transparent proxy program.
diff --git a/contrib/ipfilter/samples/relay.c b/contrib/ipfilter/samples/relay.c
index b91779a..220b942 100644
--- a/contrib/ipfilter/samples/relay.c
+++ b/contrib/ipfilter/samples/relay.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Sample program to be used as a transparent proxy.
diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c
index ef059ac..620bd72 100644
--- a/contrib/ipfilter/samples/userauth.c
+++ b/contrib/ipfilter/samples/userauth.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
#include <sys/types.h>
#include <sys/socket.h>
diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h
index 12dea37..97fa767 100644
--- a/contrib/ipfilter/snoop.h
+++ b/contrib/ipfilter/snoop.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/test/logtest b/contrib/ipfilter/test/logtest
index 16abed9..1c8ac5bca 100755
--- a/contrib/ipfilter/test/logtest
+++ b/contrib/ipfilter/test/logtest
@@ -1,5 +1,7 @@
#!/bin/sh
# $FreeBSD$
+format=$2
+mkdir -p results
if [ -f /usr/ucb/touch ] ; then
TOUCH=/usr/ucb/touch
else
@@ -13,25 +15,34 @@ else
fi
echo "$1...";
+case `uname -s` in
+OSF1)
+ GMT=:
+ ;;
+*)
+ GMT=GMT
+ ;;
+esac
+
/bin/cp /dev/null results/$1
/bin/cp /dev/null results/$1.b
( while read rule; do
echo $rule >> results/$1
- echo $rule | ../ipftest -br - -Hi input/$1 -l logout > /dev/null
+ echo $rule | ../ipftest -br - -F $format -i input/$1 -l logout > /dev/null
if [ $? -ne 0 ] ; then
/bin/rm -f logout
exit 1
fi
- TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1
+ TZ=$GMT ../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
- TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
+ TZ=$GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
echo "--------" >> results/$1.b
done ) < regress/$1
-../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null
-TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1
+../ipftest -br regress/$1 -F $format -i input/$1 -l logout > /dev/null
+TZ=$GMT ../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
-TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
+TZ=$GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
echo "--------" >> results/$1.b
cmp expected/$1 results/$1
diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c
index ea39780..e9af944 100644
--- a/contrib/ipfilter/tools/ipf.c
+++ b/contrib/ipfilter/tools/ipf.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index 0660d50..9fd02dd 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
%{
#include "ipf.h"
diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c
index 262e909..de60f69 100644
--- a/contrib/ipfilter/tools/ipfcomp.c
+++ b/contrib/ipfilter/tools/ipfcomp.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c
index 49e7e52..041e911 100644
--- a/contrib/ipfilter/tools/ipfs.c
+++ b/contrib/ipfilter/tools/ipfs.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1999-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index fbd6c35..0ce970c 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c
index fbc91e5..6dbf21f 100644
--- a/contrib/ipfilter/tools/ipftest.c
+++ b/contrib/ipfilter/tools/ipftest.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index a91eee4..78f8d68 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y
index 8b30028..e1aa812 100644
--- a/contrib/ipfilter/tools/ipmon_y.y
+++ b/contrib/ipfilter/tools/ipmon_y.y
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
%{
#include "ipf.h"
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
index fc17cea..12fca51 100644
--- a/contrib/ipfilter/tools/ipnat.c
+++ b/contrib/ipfilter/tools/ipnat.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index d3f18c6..5f7ec8c 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
%{
#ifdef __FreeBSD__
diff --git a/contrib/ipfilter/tools/ippool.c b/contrib/ipfilter/tools/ippool.c
index 7122c94..d974cb2 100644
--- a/contrib/ipfilter/tools/ippool.c
+++ b/contrib/ipfilter/tools/ippool.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2003 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y
index 357745d..f0ba451 100644
--- a/contrib/ipfilter/tools/ippool_y.y
+++ b/contrib/ipfilter/tools/ippool_y.y
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
%{
#include <sys/types.h>
diff --git a/contrib/ipfilter/tools/ipscan_y.y b/contrib/ipfilter/tools/ipscan_y.y
index 64cbb6d..af360d4 100644
--- a/contrib/ipfilter/tools/ipscan_y.y
+++ b/contrib/ipfilter/tools/ipscan_y.y
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
%{
#include <sys/types.h>
diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c
index 20cc25e..da9065e 100644
--- a/contrib/ipfilter/tools/ipsyncm.c
+++ b/contrib/ipfilter/tools/ipsyncm.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c
index a189a9b..cd79e1a 100644
--- a/contrib/ipfilter/tools/ipsyncs.c
+++ b/contrib/ipfilter/tools/ipsyncs.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h
index 33fba25..547ebf3 100644
--- a/contrib/ipfilter/tools/lex_var.h
+++ b/contrib/ipfilter/tools/lex_var.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
extern long string_start;
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index f6fccfb..14882e4 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
/*
* Copyright (C) 2003 by Darren Reed.
diff --git a/contrib/ipfilter/tools/lexer.h b/contrib/ipfilter/tools/lexer.h
index 4950aa8..b172c93 100644
--- a/contrib/ipfilter/tools/lexer.h
+++ b/contrib/ipfilter/tools/lexer.h
@@ -1,4 +1,4 @@
-/* $NetBSD$ */
+/* $FreeBSD$ */
typedef struct wordtab {
OpenPOWER on IntegriCloud