[Midnightbsd-cvs] src [11253] trunk/contrib/ipfilter: upate
laffer1 at midnightbsd.org
Sun Jul 1 19:54:58 EDT 2018
Revision: 11253
http://svnweb.midnightbsd.org/src/?rev=11253
Author: laffer1
Date: 2018-07-01 19:54:57 -0400 (Sun, 01 Jul 2018)
Log Message:
-----------
update
Modified Paths:
--------------
trunk/contrib/ipfilter/BNF
trunk/contrib/ipfilter/HISTORY
trunk/contrib/ipfilter/Makefile
trunk/contrib/ipfilter/NAT.FreeBSD
trunk/contrib/ipfilter/bpf-ipf.h
trunk/contrib/ipfilter/bpf_filter.c
trunk/contrib/ipfilter/ip_fil.c
trunk/contrib/ipfilter/ip_msnrpc_pxy.c
trunk/contrib/ipfilter/ipf.h
trunk/contrib/ipfilter/iplang/Makefile
trunk/contrib/ipfilter/iplang/iplang.h
trunk/contrib/ipfilter/iplang/iplang.tst
trunk/contrib/ipfilter/iplang/iplang_l.l
trunk/contrib/ipfilter/iplang/iplang_y.y
trunk/contrib/ipfilter/ipmon.h
trunk/contrib/ipfilter/ipsd/Celler/ip_compat.h
trunk/contrib/ipfilter/ipsd/Makefile
trunk/contrib/ipfilter/ipsd/ipsd.c
trunk/contrib/ipfilter/ipsd/ipsd.h
trunk/contrib/ipfilter/ipsd/ipsdr.c
trunk/contrib/ipfilter/ipsd/linux.h
trunk/contrib/ipfilter/ipsd/sbpf.c
trunk/contrib/ipfilter/ipsd/sdlpi.c
trunk/contrib/ipfilter/ipsd/slinux.c
trunk/contrib/ipfilter/ipsd/snit.c
trunk/contrib/ipfilter/ipsend/.OLD/ip_compat.h
trunk/contrib/ipfilter/ipsend/44arp.c
trunk/contrib/ipfilter/ipsend/Makefile
trunk/contrib/ipfilter/ipsend/arp.c
trunk/contrib/ipfilter/ipsend/dlcommon.c
trunk/contrib/ipfilter/ipsend/dltest.h
trunk/contrib/ipfilter/ipsend/ip.c
trunk/contrib/ipfilter/ipsend/ipresend.1
trunk/contrib/ipfilter/ipsend/ipresend.c
trunk/contrib/ipfilter/ipsend/ipsend.1
trunk/contrib/ipfilter/ipsend/ipsend.5
trunk/contrib/ipfilter/ipsend/ipsend.c
trunk/contrib/ipfilter/ipsend/ipsend.h
trunk/contrib/ipfilter/ipsend/ipsopt.c
trunk/contrib/ipfilter/ipsend/iptest.1
trunk/contrib/ipfilter/ipsend/iptest.c
trunk/contrib/ipfilter/ipsend/iptests.c
trunk/contrib/ipfilter/ipsend/larp.c
trunk/contrib/ipfilter/ipsend/linux.h
trunk/contrib/ipfilter/ipsend/lsock.c
trunk/contrib/ipfilter/ipsend/resend.c
trunk/contrib/ipfilter/ipsend/sbpf.c
trunk/contrib/ipfilter/ipsend/sdlpi.c
trunk/contrib/ipfilter/ipsend/sirix.c
trunk/contrib/ipfilter/ipsend/slinux.c
trunk/contrib/ipfilter/ipsend/snit.c
trunk/contrib/ipfilter/ipsend/sock.c
trunk/contrib/ipfilter/ipsend/sockraw.c
trunk/contrib/ipfilter/ipt.h
trunk/contrib/ipfilter/kmem.h
trunk/contrib/ipfilter/l4check/Makefile
trunk/contrib/ipfilter/l4check/l4check.c
trunk/contrib/ipfilter/lib/Makefile
trunk/contrib/ipfilter/lib/addicmp.c
trunk/contrib/ipfilter/lib/addipopt.c
trunk/contrib/ipfilter/lib/alist_free.c
trunk/contrib/ipfilter/lib/alist_new.c
trunk/contrib/ipfilter/lib/bcopywrap.c
trunk/contrib/ipfilter/lib/binprint.c
trunk/contrib/ipfilter/lib/buildopts.c
trunk/contrib/ipfilter/lib/checkrev.c
trunk/contrib/ipfilter/lib/count4bits.c
trunk/contrib/ipfilter/lib/count6bits.c
trunk/contrib/ipfilter/lib/debug.c
trunk/contrib/ipfilter/lib/facpri.c
trunk/contrib/ipfilter/lib/facpri.h
trunk/contrib/ipfilter/lib/fill6bits.c
trunk/contrib/ipfilter/lib/flags.c
trunk/contrib/ipfilter/lib/gethost.c
trunk/contrib/ipfilter/lib/getifname.c
trunk/contrib/ipfilter/lib/getnattype.c
trunk/contrib/ipfilter/lib/getport.c
trunk/contrib/ipfilter/lib/getportproto.c
trunk/contrib/ipfilter/lib/getproto.c
trunk/contrib/ipfilter/lib/getsumd.c
trunk/contrib/ipfilter/lib/hostname.c
trunk/contrib/ipfilter/lib/icmpcode.c
trunk/contrib/ipfilter/lib/inet_addr.c
trunk/contrib/ipfilter/lib/initparse.c
trunk/contrib/ipfilter/lib/ionames.c
trunk/contrib/ipfilter/lib/ipf_dotuning.c
trunk/contrib/ipfilter/lib/ipft_hx.c
trunk/contrib/ipfilter/lib/ipft_pc.c
trunk/contrib/ipfilter/lib/ipft_tx.c
trunk/contrib/ipfilter/lib/ipoptsec.c
trunk/contrib/ipfilter/lib/kmem.c
trunk/contrib/ipfilter/lib/kmem.h
trunk/contrib/ipfilter/lib/kmemcpywrap.c
trunk/contrib/ipfilter/lib/kvatoname.c
trunk/contrib/ipfilter/lib/load_file.c
trunk/contrib/ipfilter/lib/load_hash.c
trunk/contrib/ipfilter/lib/load_hashnode.c
trunk/contrib/ipfilter/lib/load_http.c
trunk/contrib/ipfilter/lib/load_pool.c
trunk/contrib/ipfilter/lib/load_poolnode.c
trunk/contrib/ipfilter/lib/load_url.c
trunk/contrib/ipfilter/lib/mutex_emul.c
trunk/contrib/ipfilter/lib/nametokva.c
trunk/contrib/ipfilter/lib/nat_setgroupmap.c
trunk/contrib/ipfilter/lib/ntomask.c
trunk/contrib/ipfilter/lib/optname.c
trunk/contrib/ipfilter/lib/optprint.c
trunk/contrib/ipfilter/lib/optprintv6.c
trunk/contrib/ipfilter/lib/optvalue.c
trunk/contrib/ipfilter/lib/portname.c
trunk/contrib/ipfilter/lib/print_toif.c
trunk/contrib/ipfilter/lib/printactivenat.c
trunk/contrib/ipfilter/lib/printaps.c
trunk/contrib/ipfilter/lib/printbuf.c
trunk/contrib/ipfilter/lib/printfr.c
trunk/contrib/ipfilter/lib/printfraginfo.c
trunk/contrib/ipfilter/lib/printhash.c
trunk/contrib/ipfilter/lib/printhash_live.c
trunk/contrib/ipfilter/lib/printhashdata.c
trunk/contrib/ipfilter/lib/printhashnode.c
trunk/contrib/ipfilter/lib/printhostmap.c
trunk/contrib/ipfilter/lib/printhostmask.c
trunk/contrib/ipfilter/lib/printifname.c
trunk/contrib/ipfilter/lib/printip.c
trunk/contrib/ipfilter/lib/printlog.c
trunk/contrib/ipfilter/lib/printmask.c
trunk/contrib/ipfilter/lib/printnat.c
trunk/contrib/ipfilter/lib/printpacket.c
trunk/contrib/ipfilter/lib/printpacket6.c
trunk/contrib/ipfilter/lib/printpool.c
trunk/contrib/ipfilter/lib/printpool_live.c
trunk/contrib/ipfilter/lib/printpooldata.c
trunk/contrib/ipfilter/lib/printpoolnode.c
trunk/contrib/ipfilter/lib/printportcmp.c
trunk/contrib/ipfilter/lib/printproto.c
trunk/contrib/ipfilter/lib/printsbuf.c
trunk/contrib/ipfilter/lib/printstate.c
trunk/contrib/ipfilter/lib/printtqtable.c
trunk/contrib/ipfilter/lib/printtunable.c
trunk/contrib/ipfilter/lib/remove_hash.c
trunk/contrib/ipfilter/lib/remove_hashnode.c
trunk/contrib/ipfilter/lib/remove_pool.c
trunk/contrib/ipfilter/lib/remove_poolnode.c
trunk/contrib/ipfilter/lib/resetlexer.c
trunk/contrib/ipfilter/lib/rwlock_emul.c
trunk/contrib/ipfilter/lib/tcp_flags.c
trunk/contrib/ipfilter/lib/tcpflags.c
trunk/contrib/ipfilter/lib/tcpoptnames.c
trunk/contrib/ipfilter/lib/v6ionames.c
trunk/contrib/ipfilter/lib/v6optvalue.c
trunk/contrib/ipfilter/lib/var.c
trunk/contrib/ipfilter/lib/verbose.c
trunk/contrib/ipfilter/man/Makefile
trunk/contrib/ipfilter/man/ipf.4
trunk/contrib/ipfilter/man/ipf.5
trunk/contrib/ipfilter/man/ipf.8
trunk/contrib/ipfilter/man/ipfilter.4
trunk/contrib/ipfilter/man/ipfilter.4.mandoc
trunk/contrib/ipfilter/man/ipfilter.5
trunk/contrib/ipfilter/man/ipfs.8
trunk/contrib/ipfilter/man/ipfstat.8
trunk/contrib/ipfilter/man/ipftest.1
trunk/contrib/ipfilter/man/ipl.4
trunk/contrib/ipfilter/man/ipmon.5
trunk/contrib/ipfilter/man/ipmon.8
trunk/contrib/ipfilter/man/ipnat.4
trunk/contrib/ipfilter/man/ipnat.5
trunk/contrib/ipfilter/man/ipnat.8
trunk/contrib/ipfilter/man/ippool.5
trunk/contrib/ipfilter/man/ippool.8
trunk/contrib/ipfilter/man/ipscan.5
trunk/contrib/ipfilter/man/ipscan.8
trunk/contrib/ipfilter/man/mkfilters.1
trunk/contrib/ipfilter/md5.c
trunk/contrib/ipfilter/md5.h
trunk/contrib/ipfilter/mkfilters
trunk/contrib/ipfilter/mlf_ipl.c
trunk/contrib/ipfilter/mlf_rule.c
trunk/contrib/ipfilter/mlfk_rule.c
trunk/contrib/ipfilter/mlh_rule.c
trunk/contrib/ipfilter/opts.h
trunk/contrib/ipfilter/pcap-bpf.h
trunk/contrib/ipfilter/pcap-ipf.h
trunk/contrib/ipfilter/radix_ipf.h
trunk/contrib/ipfilter/rules/BASIC_1.FW
trunk/contrib/ipfilter/rules/BASIC_2.FW
trunk/contrib/ipfilter/rules/firewall
trunk/contrib/ipfilter/rules/ipmon.conf
trunk/contrib/ipfilter/rules/server
trunk/contrib/ipfilter/samples/proxy.c
trunk/contrib/ipfilter/samples/relay.c
trunk/contrib/ipfilter/samples/userauth.c
trunk/contrib/ipfilter/snoop.h
trunk/contrib/ipfilter/tools/BNF.ipf
trunk/contrib/ipfilter/tools/Makefile
trunk/contrib/ipfilter/tools/ipf.c
trunk/contrib/ipfilter/tools/ipf_y.y
trunk/contrib/ipfilter/tools/ipfcomp.c
trunk/contrib/ipfilter/tools/ipfs.c
trunk/contrib/ipfilter/tools/ipfstat.c
trunk/contrib/ipfilter/tools/ipftest.c
trunk/contrib/ipfilter/tools/ipmon.c
trunk/contrib/ipfilter/tools/ipmon_y.y
trunk/contrib/ipfilter/tools/ipnat.c
trunk/contrib/ipfilter/tools/ipnat_y.y
trunk/contrib/ipfilter/tools/ippool.c
trunk/contrib/ipfilter/tools/ippool_y.y
trunk/contrib/ipfilter/tools/ipscan_y.y
trunk/contrib/ipfilter/tools/ipsyncm.c
trunk/contrib/ipfilter/tools/ipsyncs.c
trunk/contrib/ipfilter/tools/lex_var.h
trunk/contrib/ipfilter/tools/lexer.c
trunk/contrib/ipfilter/tools/lexer.h
Modified: trunk/contrib/ipfilter/BNF
===================================================================
--- trunk/contrib/ipfilter/BNF 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/BNF 2018-07-01 23:54:57 UTC (rev 11253)
@@ -67,7 +67,7 @@
"audit" | "logalert" | "local0" | "local1" | "local2" |
"local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
+ "info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
Modified: trunk/contrib/ipfilter/HISTORY
===================================================================
--- trunk/contrib/ipfilter/HISTORY 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/HISTORY 2018-07-01 23:54:57 UTC (rev 11253)
@@ -10,746 +10,269 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
-4.1.28 - Release 16 October 2007
+5.1.2 - RELEASED - 22 Jul 2012
-backout changes (B1) & (B2) as they've caused NAT entries to persist for
-too long and possibly other side effects.
+3546266 macro letters could be more consistent
+3546265 not all of the state statistics are displayed
+3546261 scripts for updating BSD environment out of date
+3546260 compiler warnings about non-integer array subscript
+3546259 asserting numdereflists == 0 is not correct
+3546258 expression matching does not see IPF_EXP_END
+3544317 ipnat/ipfstat are not using ipfexp_t
+3545324 proxy checksum calculation is not hardware aware
+3545321 FTP sequence number adjustment incorrectly applied
+3545320 EPSV is not recognised
+3545319 move nat rule creation to ip_proxy.c
+3545317 better feedback of checksum requirements for proxies
+3545314 ftp proxy levels do not make sense
+3545312 EPRT is not supported by ftp proxy
+3544318 ipnat.conf parsing ignores LHS address family
+3545309 non-ipv6 safe proxies do not fail with ipv6
+3545323 NAT updates the source port twice
+3545322 ipv6 nat rules cannot start proxies
+3544314 bucket copyout tries to copy too much data
+3544313 remove nat encap feature
+3546248 compat rule pointer type mismatch
+3546247 UDP hardware checksum offload not recognised
+3545311 ifp_ifaddr does not find the first set address
+3545310 ipmon needs ipl_sec on 64bit boundary
+3545326 reference count changes made without lock
+3544315 stateful matching does not use ipfexp_t
+3543493 tokens are not flushed when disabled
+3543487 NAT rules do not always release lookup objects
+3543491 function comments in ip_state.c are old
+3543404 ipnat.conf parsing uses family/ip version badly
+3543403 incorrect line number printed in ipnat parsing errors
+3543402 Not all NAT statistics are printed
+3542979 NAT session list management is too simple
+3542978 ipv4 and ipv6 nat insert have common hash insertion
+3542977 ipnat_t refence tracking incomplete
+3542975 proxies must use ipnat_t separately
+3542980 printing ipv6 expressions is wrong
+3542983 ippool cannot handle more than one ipv6 address
+3543018 mask array shifted incorrectly.
+3542974 reason for dropping packet is lost
+3542982 line numbers not recorded/displayed correctly by ipf
+3542981 exclamation mark cuases trouble with pools
+3541655 test suite checksums incorrect
+3541653 display proxy fail status correctly
+3540993 IP header offset excluded in pullup calculations
+3540994 pullupmsg does not work as required
+3540992 pointer to ipv6 frag header not updated on pullup
+3541645 netmask management adds /32 for /0
+3541637 ipnat parser does not zero port fields for non-port protocol
+3541635 pool names cannot by numbers
+3540995 IPv6 fragment tracking does not always work
+3540996 printing of nextip for ipv6 nat rules is wrong
+3540999 ipnat.conf parsing has trouble with icmpidmap for ipv6
+3540825 whois output parsing error for ipv6
+3540814 ipfd_lock serves no purpose
+3540810 lookup objects need tail pointers
+3540809 refactor hash table lookups for nat
+3540819 radix tree does not work with ipv6
+3540820 mutex emulation should be logged
+3540828 ipfstat filtering with -m fails tests
+3536480 ippool could be more like the others
+3536477 pool printing not uniform
+3536483 flushing empty destination lists causes panic
+3536481 more use of bzero after KMALLOC required
+3536479 ipnat.conf line numbers not stored
+3536484 Makefile missing dependency for ippool
+3536199 TFTP proxy requires something extra
+3536198 ICMP checksum out by one
+3536203 ipnat does not return an error
+3536201 ipf.conf parsing too address friendly
+3536200 printing of bytes/packets not indented
+3497941 ipv4 multicast detection incorrect on little endian
+3535361 to interfaces printed out of order
+3535363 ipf parser is inconsistent
+3532306 deleting ipnat rules does not work
+3532054 new error required for ipf_rx_create
+3532053 icmp6 checksums wrong
+3532052 icmpv6 state check with incorrect length
+3531871 checksum verification wants too many icmp6 bytes
+3531870 ipnat.conf parsing needs to support inet6
+3532048 error in ipf group parsing
+3531868 ICMPV6 checksum not validated
+3531893 ipftest exits without error for bad input
+3531890 whois pool parsing builds bad structures
+3531891 icmpv6 text parsing ignorant of icmp types
+3531653 rewrite with icmp does not work
+3530563 NAT operations fail with EPERM
+3530544 first pass at gcc -Wextra cleanup
+3530540 lookup create functions do not set error properly
+3530539 ipf_main_soft_destroy doesn't need 2nd arg
+3530541 reorder structure for better packing
+3530543 ipnat purge needs documentation
+3530515 BSD upgrade script required
+3528029 ipmon bad-mutex panic
+3530247 loading address pools light on input validation
+3530255 radix tree delete uses wrong lookup
+3530254 radix tree allocation support wrong
+3530264 ipmon prints qd for some 64bit numbers
+3530260 decapsulate rules not printed correctly.
+3530266 ipfstat -v/-d flags confused
+2939220 why a packet is blocked is not discernable
+2939218 output interface not recorded
+2941850 use of destination lists with to/dup-to beneficial
+3457747 build errors introduced with radix change
+3535360 timeout groups leak
+3535359 memory leak with tokens
+3535358 listing rules in groups requires tracking groups
+3535357 rule head removal is problematic
+3530259 not all ioctl error checked wth SIOCIPFINTERROR
+3530258 error routine that uses fd required
+3530253 inadequate function comment blocks
+3530249 walking lookup tables leaks memory
+3530241 extra lock padding required for freebsd
+3529901 ipf returns 0 when rules fail to load
+3529491 checksum validation could be better
+3529486 tcp checksum wrong for ipv6
+3533779 ipv6 nat rules missing inet6 keyword
+3532693 ipnat.conf rejects some ipv6 addresses
+3532691 ipv4 should not be forced for icmp
+3532689 ipv6 nat rules do not print inet6
+3532688 ipv6 address always printed with "to <if>"
+3532687 with v6hdrs not supported like with ipopts
+3532686 ipf expressions do not work with ipv6
+3540825 whois output parsing error for ipv6
+3540818 NAT for certain IPv6 ICMP packets should not be allowed
+3540815 memory leak with destination lists
+3540814 ipfd_lock serves no purpose
+3540810 lookup objects need tail pointers
+3540809 refactor hash table lookups for nat
+3540808 completed tokens do not stop iteration
+3530492 address hash table name not used
+3528029 ipmon bad-mutex panic
+3530256 hook memory leaked
+3530271 pools parsing produces badly formed address structures
+3488061 cleanup for illumos build
+3484434 SIOCIPFINTERROR must work for all devices
+3484067 mandoc -Tlint warnings to be fixed
+3483343 compile warning in ipfcomp.c
+3482893 building without IPFILTER_LOG fails
+3482765 building netbsd kernel without inet6 fails
+3482116 ipf_check frees packet from ipftest
+3481663 does not compile on solaris 11
-Still need to compile in our own radix.c for Solaris as the one in S10U4
-has a different alignment of structure members (causes panic)
+5.1.1 - RELEASED - 9 May 2012
-keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
+3481322 ip_fil_compat.c needs a cleanup
+3481211 add user errors to dtrace
+3481152 compatibility for 4.1 needs more work
+3481153 PRIu64 problems on FreeBSD
+3481155 ipnat listing incorrect
+3480543 change leads to compat problems
+3480538 compiler errors from earlier patch
+3480537 ipf_instance_destroy is incomplete
+3480536 _fini order leads to panic
+3479991 compiler warnings about size mismatches
+3479974 copyright dates are wrong (fix)
+3479464 add support for leaks testing
+3479457 %qu is not the prefered way
+3479451 iterators leak memory
+3479453 nat rules with pools leak
+3479454 memory leak in hostmap table
+3479461 load_hash uses memory after free
+3479462 printpool leaks memory
+3479452 missing FREE_MB_T to freembt leaks
+3479450 ipfdetach is called when detached
+3479448 group mapping rules memory leak
+3479455 memory leak from tuning
+3479458 ipf must be running in global zone
+3479460 driver replace is wrong
+3479459 radix tree tries to free null pointer
+3479463 rwlock emulation does not free memory
+3479465 parser leaks memory
+3475959 hardware checksum not correctly used
+3475426 ip pseudo checksum wrong
+3473566 radix tree does not delete dups right
+3472987 compile is not clean
+3472337 not everything is zero'd
+3472344 interface setup needs to be after insert
+3472340 wildcard counter drops twice
+3472338 change fastroute interface
+3472335 kernel lock defines not placed correctly
+3472324 ICMP INFOREQ/REPLY not handled
+3472330 multicast packets tagged by address
+3472333 ipf_deliverlocal called incorrectly
+3472345 mutex debug could be more granular
+3472761 building i19 regression is flawed
+3456457 use of bsd tree.h needs to be removed
+3460522 code cleanup required for building on freebsd
+3459734 trade some cpu for memory
+3457747 build errors introduced with radix change
+3457804 build errors from removal of pcap-int,h
+3440163 rewrite radix tree
+3428004 snoop, tcpdump, etherfind readers are unused
+3439495 ipf_rand_push never called (fix brackets)
+3437732 getnattype does not need to use ipnat_t (fix variable name)
+3437696 fr_cksum is a nightmare
+3439061 ipf_send_ip doesn't need 3rd arg
+3439059 ipid needs to be file local
+3437740 complete buildout of fnew
+3438575 add dtrace probes to block events
+3438347 comment blocks missing softc
+3437687 description of ipf_makefrip wrong
+3438340 more stats as dtrace probes
+3438316 free on nat structure uses fixed size
+3437745 nat iterator using the wrong size
+3437710 fail checksum verification if packet is short
+3437696 fr_cksum is a nightmare
+3437732 getnattype does not need to use ipnat_t
+3437735 rename ipf_allocmbt to allocmbt
+3437697 fr_family to version assignment is wrong
+3437746 ap_session_t has unused fields
+3437747 move softc structure to .h file (ip_state.c)
+3437704 there is no DTRACE_PROBE5
+3437748 wrong interface in qpktinfo_t
+3437729 create function to hexdump mb_t
+3438273 msgdsize should be easier to read
+3437683 object direction not set for 32bit
+3433767 calling ip_cksum could be easier
+3433764 left over locking
+3428015 printing proxy data size is useless
+3428013 add M_ADJ to hide adjmsg/m_adj
+3428012 interface name is not always returned correctly
+3428002 ip_ttl is too low
+3427997 ipft readers do not set buffer length
+3426558 resistence is futile
+3424495 various copy-paste errors
+1826936 shall we allow ipf to be as dumb as its admin
+3424477 specfuncs needs to go
+3424484 missing fr_checkv6sum
+3424478 one entry at a time
+2998760 auth rules do not mix well with to/dup-to/fastroute
+3424195 add ctfmerge to sunos5 makefile
+3424132 some dtrace probes to start with
+3423812 makefile needs ip_frag.h for some files
+3423817 reference count useful in verbose output
+3423800 walking lists does not drop reference
+3423805 fragmentation stats not reported correclty
+3423808 ip addresses reportied incorrectly with ipfstat -f
+3423821 track packets and bytes for fragmentation
+3423803 attempt to double free rule
+3423805 fragmentation stats not reported correctly
+3422712 system panic with ipfstat -f
+3422619 pullup counter bumped for every packet
+3422608 dummy rtentry required to build
+3422018 frflush next to ipf_fini_all is redundant
+3422012 instance cleanup is not clean
+3421845 instance name not set
+3005622 ip_fil5.1.0 does not load on Solaris 10 U8
+2976332 stateful filtering is incompatible with ipv4 options
+3387509 ipftest needs help construction ip packets with options
+2998746 passp can never be null
+3064034 mbuf clobbering problem with ipv6
+3105725 ipnat divide by zero panic
+2998750 ipf_htent_insert can leak memory
+3064034 mbuf clobbering problem with ipv6
+3105725 ipnat divie by zero panic
-ippool -l may only lists every 2nd pool's contents
+5.1 - RELEASED - 9 May 2010
-4.1.27 - Released 29 September 2007
+* See WhatsNew50.txt
-SunOS5/replace script does not deal with i386 systems that have the
-i86/amd64 directory pair.
-
-make BSD/kupgrade try to build ip_rules.[ch] before complaining
-
-Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
-
-Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
-to drive 32bit cc builds differently for sparc/i386 now.
-
-Update instructions for rebuilding FreeBSD kernels
-
-Make the target "freebsd" work for building ipfilter
-
-destroying NAT entries for blocked packets can lead to NAT table entry leak,
-provide a counter of orphan'd NAT entries to track this problem.
-
-4.1.26 - Released 24 September 2007
-
-Fix build problem for Solaris prior to S10U4
-
-4.1.25 - Released 20 September 2007
-
-stepping through structures with ioctls can lead to the wrong things
-being free'd and panics
-
-if a NAT entry (such as an rdr) is created but the packet ends up being
-blocked, tear down the NAT entry.
-
-fix fragment cache preventing keep state from functioning
-
-fix handling of \ to indicate a continued line in .conf files
-
-include port ranges in the allowed input for ipf when using "port = ()"
-
-only advance TCP state for packets on the leading edge of the window. (B1)
-
-using ipnat -l can lead to memory corruption in high stress situations
-
-track TCP sequence numbers with NAT so that it can do timeout advances
-correctly inline with state
-
-ICMP checksums for some redirect'd packets are not adjusted correctly.
-
-IPv6 address components need to be explicitly cast to a 32bit pointer
-boundary so that compilers don't try to access them as two 64bit
-pieces (no guarantee is made that an Ipv6 address is on a 64bit
-aligned address)
-
-filling up the ipauth packet queue can lead to no more packets being
-processed.
-
-locking used to deref a nat entry causes a significant performance hit
-
-m_pulldown isn't properly handled, leading to possible panics with ICMPv6
-packets
-
-IPv6 fragment handling doesn't allow for "keep frag" to work
-
-build on Solaris10 Update4 with pfhooks in the kernel
-
-logging of Ipv6 packets with extension headers fix - Miroslaw Luc
-
-4.1.24 - Released 8 July 2007
-
-patch from Stuart Remphrey to address recursive mutex lock with TCP state
-
-add hash table bucket stats display to ipnat -s
-
-give ASSERT some teeth for user compiles
-
-initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
-early on
-
-do some caddr_t cleanup, where possible
-
-fr_ref no longer tracks the number of children rules in a group for head rules
-
-make sure all BCOPY* have a value assigned to something
-
-fix possible use of icmp pointer after pullup makes it invalid
-
-resolve compile problems related to FreeBSD tree
-
-4.1.23 - Released 31 May 2007
-
-NAT was not always correctly fixing ICMP headers for errors
-
-some TCP state steps when closing do not update timeouts, leading to
-them being removed prematurely. (B2)
-
-fix compilation problems for netbsd 4.99
-
-protect enumeration of lists in the kernel from callout interrupts on
-BSD without locking
-
-fix various problems with IPv6 header checks: TCP/UDP checksum validation
-was not being done, fragmentation header parsed dangerously and routing
-header prevented others from being seen
-
-fix gcc 4.2 compiler warnings
-
-fix TCP/UDP checksum calculation for IPv6
-
-fix reference after free'ing ipftoken memory
-
-4.1.22 - Released 13 May 2007
-
-fix endless loop when flushing state/NAT by idle time
-
-4.1.21 - Released 12 May 2007
-
-show the number of states created against a rule with "-v" for ipfstat
-
-fix build problems with FreeBSD
-
-make it possible to flush the state table by idle time and TCP state
-
-fix flushing out idle connections when state/NAT tables fill
-
-print out the TCP state population with ipfstat/ipnat
-
-stop creation of state table orphans via return-*/fastroute
-
-fix printing out of rule groups - they now only appear once
-
-4.1.20 - Released 30 April 2007
-
-adjust TCP state numbers, making 11 closed (was 0) to better facilitate
-detecting closing connections that we can wipe out when a SYN arrives
-that matches the old
-
-make it compile on Solaris10 Update3
-
-structures used for ipf command ioctls weren't being freed in timeout
-fashion on solairs
-
-use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
-
-adjust TCP timeout values and introduce a time-wait specifc timeout
-to get a better TCP FSM emulation and one that can hopefully do a better
-job of cleaning up in a speedy fashion than previous
-
-refactor the automatic flushing of TCP state entries when we fill up,
-but use the same algorithm as before but now it hopefully works
-
-only 2 out of 4 interface names were being changed by ipfs when
-interface renaming was being used for state entries
-
-add ipf_proxy_debug to ipf-T
-
-matching of last fragments that had a number of bytes that wasn't a
-multiple of 8 failed
-
-some combinations of TCP flags are considered bad aren't picked up as such,
-but these may be possible with T/TCP
-
-4.1.19 - Released 22 February 2007
-
-Fix up compilation problems with NetBSD and Solaris.
-
-4.1.18 - Released 18 February 2007
-
-fix compiling on Tru64
-
-fix listing out filter rules with ipfstat (delete token at end of
-the list and detect zero rule being returned.)
-
-fix extended flushing of NAT tables (was clearing out state tables)
-
-fix null-pointer deref in hash table lookup
-
-fix NAT and stateful filtering with to/reply-to on destination interface
-
-4.1.17 - Released 20 January 2007
-
-make flushing pools that are still in use mark them for deletion and
-have attempting to recreate them clear the delete flag
-
-walking through the NAT tables with ioctls caused lock recursion
-
-fix tracking TCP window scaling in the state code
-
-4.1.16 - Released 20 December 2006
-
-allow rdr rules to only differ on the new port number
-
-when creating state entry orphans, leave them on the linked list but not
-attached to the hash table and mark them visible as orphans in "ipfstat -sl"
-
-log state removed when unloading differently to allow visible cues
-
-return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
-
-abort logging a packet if the mbuf pointer is null when ipflog is called
-
-Some NetBSD's have a selinfo.h instead of select.h
-
-SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
-
-listing accounting rules using ioctl interface wasn't possible
-
-fix leakage of state entries due to packets not matching up with NAT
-
-improve ICMP error packet matching with state/NAT
-
-fix problems with parsing and printing "-" as an interface name in ipnat.conf
-
-4.1.15 - Released 03 November 2006
-
-Add in automatic flushing of NAT, like state, table if it fills up too much
-
-Update comments in the code for NAT checksum adjustments
-
-Fix compiling on FreeBSD 5.4 and 6.0
-
-prevent panics from read/write IOs trying to use uninitialised structures
-
-Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
-the size is not staticly defined
-
-Some gcc warning message cleanup from NetBSD
-
-Missing include for <sys/filio.h> on Solaris for poll work
-
-NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h
-
-4.1.14 - Released 04 October 2006
-
-rewrite checksum alteration for ICMP packets being NAT'd to use a sane
-algorithm that can be understood...now it needs better comments
-
-fix 1 byte error in checksum validation perl script
-
-remove unused files in lib directory
-
-ipftest will say "bad-packet" if it has been freed rather than just "blocked"
-
-make it possible to load IP address pools from external files in ippool.conf
-
-update copyright messages in tools directory
-
-consolidate ioctl hanlding source code into fil.c
-
-make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem
-
-4.1.13 - Released 4 April 2006
-
-fix bug where null pointers introduced by proxies could cause a crash
-
-pass out the rule flags with SIOCAUTHW
-
-force loading NAT rules with bad proxy labels to cause an error
-
-nat_state is used unsafely in calls to fr_addstate
-
-make return-rst and return-icmp* work with auth rules
-
-4.1.12 - Released 28 March 2006
-
-poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup
-
-make the fastroute code used by ipftest invoke state/NAT
-
-move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)
-
-remove unused code in fr_fastroute
-
-fix NAT with rules that specify forward and reverise interfaces
-
-add missing ipfsync_canread() and ipfsync_canwrite()
-
-behaviour of \ on the end of a line in ipf.conf does not match older behaviour
-
-remove duplicate statistics line output with "ipfstat -s"
-
-4.1.11 - Released 19 March 2006
-
-Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org
-
-NetBSD coverity report fixes (from run 5)
-
-Possible to reacquire ipf_auth without releasing it in some circumstances
-
-Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be
-
-Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux
-
-Using auth rules to return "keep state" got broken with pushing fr_addstate
-call into fr_firewall
-
-all use of '!' in map/rdr rules to match use in ipf configs
-
-add -L command line option to ipmon to set the default syslog facility
-
-looking up a port number is more complex than needed in ipft_tx.c
-
-allow lib/getport to work when neither tcp or udp are specified in a rule
-
-remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c
-
-program in some more cases where TCP packets fail an initial in-window
-check but should be allowed to match
-
-filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
-initialise all fields, making it possible to panic
-
-simplify NAT ICMP error handling where it updates checksums
-
-rename "min" variables to "xmin" on NetBSD to avoid problems with the
-macro "min"
-
-#ifdef's for NetBSD compile incorrect for pfil interface
-
-support select/poll on NetBSD
-
-copying out a packet with an auth rule fails (EFAULT) because the wrong
-pointer is passed to copyoutptr
-
-ip_len/ip_off where byte swapped twice instead of once for packets
-going to be stored on the auth queue
-
-change timeout queue manipulation functions to make fewer mutex calls
-
-fix use of skip rules with groups
-fix coding problems discovered by the coverity project for FreeBSD
-
-update BPF program validation with FreeBSD changes
-
-4.1.10 - Released 6 December 2005
-
-Expand regression testing to cover more features
-
-Add "coverage" build target for BSD
-
-Fix building 64bit sparc target for Solaris
-
-Add IPv6 mobility header to list of accepted keywords for V6 headers
-
-Resolve locking problems on Solaris when sending RST/icmp packets
-
-#ifdef's for IPFILTER_BPF need to check if words are defined before
-using them in comparisons
-
-Add checking for SACK permitted option in TCP SYN packets
-
-Fix loading anonymous pools from inline rule configuration groups
-
-Add -C command line option to ipftest
-
-Include extra "const" from NetBSD
-
-Don't require SIOCKSTLCK for SIOCSTPUT
-
-Fix some use of "sticky" on NAT rules
-
-Fix statistical counting of deleting state for TCP connections
-
-Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
-
-Fix TCP out-of-window (OOW) problems:
-- window scaling turned off if one chose for its scale factor
-- Microsoft Windows TCP sends the "next packet" to the right of the window
- when using SACK and filling in a hole
-
-4.1.9 - Released 13 August 2005
-
-make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
-is defined when compiled.
-
-move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
-
-make the BSD/upgrade script more instructive about the requiements for
-ip_rules.[ch] when it is run
-
-register for interface events on FreeBSD (>5.2.1) and NetBSD so that
-"ipf -y" is not not requried to tell ipfilter about interface changes.
-
-for "quick" rules that do "keep state", move the state adding into the rule
-evaluation so that we can detect it failing as rules are evaluated and
-continue on to the next rather than wait until we're done and it's too late
-to recover for more rule processing.
-
-mark ICMP packets advertising an MTU that's too small as being bad
-
-rework ipv6 header parsing to get better code reuse and fix logic errors
-in dealing with ipv6 packets containing fragment headers. Also, where a
-protocol handler was doing both v4 & v6, make a seperate function for each.
-
-build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible
-
-include start of work to get IPFilter working on AIX 5.3
-
-Use FI_ICMPERR flag rather than try to compute its equivalent all the time
-
-Rewrork IPv6 extension header parsing to get better code reuse
-
-Add missing timeout on Linux
-
-Fix for locking when reading from ipsync (Frank Volf)
-
-Fix insertion/appending of rules that use a collection number
-
-Somehow turning up the spl knob to splnet disappeared on platforms that still
-use the spl interface.
-
-fix problems with "ipf -T" not listing multiple variables properly
-
-4.1.8 - Released 29 March 2005
-
-include path from Phil Dibowitz for sorting ipfstat -t output by source or
-destination port.
-
-fix a bug in printing rules where interface names could not be printed,
-even if they're in the rule structure.
-
-fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD
-
-add 2 new features to SIOCGNATL:
-- if IPN_FINDFORWARD is set, check if the respective MAP is already
- present in the outbound table
-- if IPN_IN is set, search for a matching MAP entry instead of RDR
- (Peter Potsma)
-
-turn off function inlining for freebsd 5.3+
-
-UDP doesn't pullup enough data which can sometimes cause a panic.
-Fix other protocols, as required, where a similar problem may exist.
-
-overhaul the timeout queue management, especially that for user defined queues
-which are now only freed in an orderly manner.
-
-4.1.7 - Released 13 March 2005
-
-Using the GRE call field is almost impossible because it is unbalanced and
-both call fields are not present in each v1 header.
-
-Fix a problem where it was possible to load duplicate rules into ipf
-
-patch from John Wehle to address problems with fastroute on solaris
-
-Copying data out for ipf -z failed because it tried to copy out to an address
-that is a kernel pointer in user space.
-
-add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
-
-synch up with NetBSD's changes
-
-fix problems parsing long lines of text in the ftp proxy where they would not
-be parsed properly and stop the session from working
-
-enhance the PPTP proxy so that it tries to decode messages in the TCP stream
-so it knows when to create and destroy the state/nat sessions for GRE. There
-are also 4 new regression tests for it, testing map/rdr rules.
-
-impose some limits on the size of data that can be moved with SIOCSTPUT in
-the NAT code and also prevent a duplicate session entry from being created
-using this method.
-
-add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
-to check if it is possible to create an outgoing transparent NAT mapping to
-compliment the redirect being investigated.
-
-Linux requires that the checksums in the IP header get adjusted
-
-only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
-in SIOCSTPUT to prevent bad data being loaded from userspace.
-
-make the byte counting for state correct (was counting data from ICMP packet
-twice)
-
-print out the keyword "frag-body" if the flag is set.
-
-fix ipfs loading/restoring NAT sessions
-
-patch from Frank to correctly format IP addresses in ipfstat -t output
-
-parsing port numbers in ipf/ipnat was confusing as the port number was returned
-in an int that was also overloaded to be the suceess/failure. instead, change
-the port using pass by reference and only use the return value for indicating
-success or failure.
-
-4.1.6 - Released 19 February 2005
-
-add a new timeout number to NAT (fr_defnatipage) that is used for all
-non-TCP/UDP/ICMP protocols - default 60 seconds.
-
-buffer leak with bad nat - David Gueluy
-
-fix memory leak with state entries created by proxies
-
-eliminate copying too much data into a scan buffer
-
-allow a trailing protocol name for map rules as well as rdr ones
-
-fix bug in parsing of <= and > for NAT rules (two were crossed over)
-
-FreeBSD's iplwrite hasn't kept pace with iplread's prototype
-
-expand documention on the karma of using "auto" in ipnat map rules
-
-add matching on IP protocol to ipnat map rules
-
-allow ippool definitions to contain no addresses to start with
-
-Linux NAT needs to modify the IP header checksum as it gets called after it
-has been computed by IP.
-
-UDP was missing a pullup for packet header information before examining
-the header
-
-4.1.5 - Released 9 January 2005
-
-all rules were being converted into "dup-to" rules in the kernel
-
-fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
-complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
-over correctly.
-
-response to CWDs
-revert ip_off back to network byte order in the ICMP error packet that
-gets generated.
-
-4.1.4 - Released 9 January 2005
-
-force NAT rules to only match ipv4 NAT rules (which all are, currently,
-by default)
-
-include state synchronisation fixes from Frank Volf
-
-make the maximum log size for internally buffered log entries accessible
-via "ipf -T"
-
-redesign start of fr_check() to avoid putting duplicate information in
-ipfilter about how much data needs to be pulled up for a protocol to be
-properly filtered.
-
-tidy up sending ICMP error messages - some bad inputs could result in
-data not being freed and/or no error returned.
-
-make the maximum size of the log buffer run-time tunable
-
-fix bug in parsing TCP header when looking for MSS option that could make
-the system hang
-
-change pool lookups that fail to find a match to return "no match"
-rather than fail.
-
-add run-time tunable debugging for proxy support code and FTP proxy.
-
-fix state table updates for entries where the first packet as an ICMPv6
-multicast message
-
-fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
-too
-
-attaching filtering to ipv6 pfil hook wasn't present for solaris
-
-don't allow rules with "keep state" and "with oow"
-
-move a bunch of userland only code from fil.c to ip_fil.c
-
-make fr_coalesce() more resiliant to bad input, just returning an error
-instead of crashing, making calling it easier in many places
-
-When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
-to the same mbuf passed in as the first arg.
-
-remove fr_unreach and use ENETUNREACH by default.
-
-printing out of tag data in ipf rules doesn't match input syntax
-
-ipftest(1) man page update
-
-ipfs command line option parsing still rejects some valid syntaxes
-
-SIGHUP handling by ipmon was not as safe as it could be
-
-fix various parsing regressions, including "<thishost>", "tcpudp", ordering
-of "keep" options
-
-patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
-ICMP packet length not calculated correctly in send_icmp_err, reply-to
-not printed by ipfstat, keep state with icmp passing (mtrr)
-
-patches for return-rst and return-icmp from Attila Fueloep
-(lichtscheu at gesindel.org)
-
-4.1.3 - Released 18 July 2004
-
-do some more fine tuning on NAT checksum adjustments
-
-correct IP address byte order in proxy setup for ipsec/pptp
-
-man page updates
-
-fix numerous problems with ipfs operation
-
-complete new syntax for ipmon.conf in its parser and update the sample file
-
-assign error value consistantly in fastroute code
-
-rewrite allocation of mbufs in send_reset/send_icmp_err to better use
-mbuf clusters and size calculations
-
-resolve problem with linux panic'ing because the wrong flag was being
-passed to skb_clone/skb_alloc
-
-enable use of shared/exclusive locks on freebsd5 and above
-
-do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
-and so use mbufchainlen to get the mbuf length instead
-
-replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
-going to be on the stack and not in userland
-
-packet buffer pointers were not refreshed & used properly in fr_check()
-
-include extra bits for OpenBSD 3.4 & 3.5.
-
-fix ipf/ipnat parsing regression problems with v3.4
-
-4.1.2 - RELEASED - 27 May 2004
-
-add state top for ipv6
-
-fix numerous parsing regressions
-
-change sample proxies to use SIOCGNATL with the new API
-
-allow macro names to contain underscores (_)
-
-split the parser into a collection of dictionaries so that keywords do
-not interfere with resolving hostnames and portnames
-
-fix ipfrule LKM loading on freebsd
-
-support mapping a fixed range of ports to a single port
-
-fix timeout queue use by proxies with private queues
-
-handle space-led ftp server replies properly
-
-fix timeout queue management
-
-fix fastroute, generation of RST & ICMP packets and operation with to/fastroute
-
-resolve further linux compatibility problems
-
-replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
-args on the stack
-
-allow flushing of ipv6 rules independant of ipv4 rules
-
-correct internal ipv6 checksum calculations
-
-if a 'keep state' rule fails to create state, block the packet rather
-than let it through
-
-correct all checksums in regression tests and correct NAT code to adjust
-checksums correctly.
-
-fix ipfs -R/-W
-
-4.1.1 - RELEASED - 24 March 2004
-
-allow new connections with the same port numbers as an existing one
-in the state table if the creating packet is a SYN
-
-timeout values have drifted, incorrectly, from what they were in 3.4
-
-FreeBSD - compatibility changes for 5.2
-
-don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
-ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
-rather than per "flow"
-
-fr_cksum() returned the wrong answer for ICMP
-
-Linux:
-- get return-rst and return-icmp working
-- treat the interface name the same as if_xname on BSD
-
-adjust expectations for TCP urgent bits based on observed traffic in the
-wild
-
-openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called
-
-fix flushing of hash pool gorups (ippool -F) as well as displaying them
-(ippool -l)
-
-passing of pointers to interface structures wrong for HP-UX/Solaris with
-return-* rules.
-
-Make the solaris boot script able to run on 2.5.1
-
-ippool related files missing from Solaris packages
-
-The name /dev/ippool should be /dev/iplookup
-
-add regression testing for parsing long interface names in nat rules,
-along with mssclamp and tags. Also add test for mssclamp operation.
-
-ttl displayed for "ipfstat -t" is wrong because ttl is not computed.
-
-parse logical interface names (Sun)
-
-unloading LKMs was only working if they were enabled.
-
-sync'ing up NAT sessions when NICs change should cause NAT rules to
-re-lookup name->pointer mappings
-
-not all of the ippool ioctl's are IOWR and they should be because they
-use the ipfobj_t for passing information in/out of the kernel. leave the
-old values defined and handle them, for compatibility.
-
-pool stats wrong: ippoolstate used where ipoolstat should be, hash table
- statistics not reported at all
-
-fr_running not set correctly for OpenBSD when compiled into the kernel
-
-Allow SIOCGETFF while disabled
-
-Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
-altered. How do you say "untested" ?)
-
4.1 - RELEASED - 12 February 2004
4.0-BETA1 20 August 2003
@@ -1744,7 +1267,7 @@
should use SPLNET/SPLX around expire routines in NAT/frag/state code.
-redeclared malloc in 44arp.c -
+redeclared malloc in 44arp.c -
3.1.7 8/2/97 - Released
Modified: trunk/contrib/ipfilter/Makefile
===================================================================
--- trunk/contrib/ipfilter/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
#
-# Copyright (C) 1993-2001 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
-# $MidnightBSD$
+# $FreeBSD: stable/10/contrib/ipfilter/Makefile 255332 2013-09-06 23:11:19Z cy $
# Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $
#
SHELL=/bin/sh
@@ -13,8 +13,7 @@
SBINDEST=/sbin
MANDIR=/usr/local/man
#To test prototyping
-#CC=gcc -Wstrict-prototypes -Wmissing-prototypes
-# -Wunused -Wuninitialized
+CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Wunused -Wuninitialized
#CC=gcc
#CC=cc -Dconst=
DEBUG=-g
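Review bot: The `#To test prototyping` comment above now labels a live assignment: `CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Wunused -Wuninitialized` is uncommented, so gcc with those warning flags becomes the compiler for every target rather than an opt-in check. If that is intended, the comment should say so, e.g. `# Default compiler; prototype/unused/uninitialised warnings always on (override CC= on the command line)`; otherwise the line should stay commented like the `#CC=gcc` and `#CC=cc -Dconst=` alternatives below it.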
@@ -36,14 +35,14 @@
#
#COMPIPF=-DIPFILTER_COMPILED
#
+# To enable IPFilter compatibility with older CLI utilities
+#
+#COMPATIPF=-DIPFILTER_COMPAT
+#
# To enable synchronisation between IPFilter hosts
#
#SYNC=-DIPFILTER_SYNC
#
-# To enable extended IPFilter functionality
-#
-LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN
-#
# The facility you wish to log messages from ipmon to syslogd with.
#
LOGFAC=-DLOGFAC=LOG_SECURITY
@@ -65,8 +64,13 @@
# By default IPFilter looks for /usr/src/linux, but you may have to change
# it to /usr/src/linux-2.4 or similar.
#
-LINUXKERNEL=/usr/src/linux
+LINUXKERNEL=/usr/src/kernels/2.6.29.5-191.fc11.i586
LINUX=`uname -r | awk -F. ' { printf"%d",$$1;for(i=1;i<NF&&i<3;i++){printf("%02d",$$(i+1));}}'`
+#
+#
+#
+#BUILDROOT=/usr/src/redhat/BUILD/ipfilter
+BUILDROOT=${HOME}/rpmbuild/BUILDROOT/ipfilter-4.1.32-1.i386
#
# All of the compile-time options are here, used for compiling the userland
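Review bot: `LINUXKERNEL=/usr/src/kernels/2.6.29.5-191.fc11.i586` and `BUILDROOT=${HOME}/rpmbuild/BUILDROOT/ipfilter-4.1.32-1.i386` are developer-local values committed as defaults: the first names one specific Fedora kernel build tree and the second one rpmbuild directory and package version, and neither will exist on most hosts. The comment two lines above still says the default is `/usr/src/linux`, so it no longer matches the value below it. Either restore the generic default and leave the machine-specific path as a commented example, or update the comment to say the value must be overridden per host; the three bare `#` lines above BUILDROOT could carry that explanation instead of standing empty.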
@@ -73,7 +77,7 @@
# tools for regression testing. Well, all except for IPFILTER_LKM, of course.
#
ALLOPTS=-DIPFILTER_LOG -DIPFILTER_LOOKUP \
- -DIPFILTER_SCAN -DIPFILTER_SYNC -DIPFILTER_CKSUM
+ -DIPFILTER_SYNC -DIPFILTER_CKSUM
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
@@ -80,7 +84,7 @@
# (requires that you have installed ncurses).
#STATETOP_CFLAGS=-DSTATETOP
#
-# Where to find the ncurses include files (if not in default path),
+# Where to find the ncurses include files (if not in default path),
#
#STATETOP_INC=
#STATETOP_INC=-I/usr/local/include
@@ -93,7 +97,7 @@
#
# Uncomment this when building IPv6 capability.
#
-#INET6=-DUSE_INET6
+INET6=-DUSE_INET6
#
# For packets which don't match any pass rules or any block rules, set either
# FR_PASS or FR_BLOCK (respectively). It defaults to FR_PASS if left
@@ -110,6 +114,7 @@
'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' "BPFILTER=$(BPFILTER)" \
'STATETOP_INC=$(STATETOP_INC)' 'STATETOP_LIB=$(STATETOP_LIB)' \
"BITS=$(BITS)" "OBJ=$(OBJ)" "LOOKUP=$(LOOKUP)" "COMPIPF=$(COMPIPF)" \
+ "COMPATIPF=$(COMPATIPF)" \
'SYNC=$(SYNC)' 'ALLOPTS=$(ALLOPTS)' 'LIBBPF=$(LIBBPF)'
MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)"
MACHASSERT=`/bin/ls -1 /usr/sys/*/mach_assert.h | head -1`
@@ -156,10 +161,6 @@
touch netinet/done; \
fi
-(cd netinet; ln -s ../ip_rules.h ip_rules.h)
- if [ ! -f net/done ] ; then \
- (cd net; ln -s ../radix_ipf.h .; ); \
- touch net/done; \
- fi
sunos solaris: include
MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
@@ -189,7 +190,7 @@
fi
make freebsd20
-freebsd5 freebsd6 freebsd7: include
+freebsd5 freebsd6 freebsd7 freebsd8: include
if [ x$(INET6) = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
@@ -212,7 +213,7 @@
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
+# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
freebsd4 : include
if [ x$(INET6) = x ] ; then \
@@ -241,7 +242,7 @@
exit 1; \
fi
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
+# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
openbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
@@ -294,7 +295,7 @@
clean: clean-include
/bin/rm -rf h y.output
- ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
+ ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipflkm \
vnode_if.h $(LKM) *~
/bin/rm -rf sparcv7 sparcv9 mdbgen_build
(cd SunOS4; $(MAKE) TOP=.. clean)
@@ -352,7 +353,7 @@
(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
- (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
+ (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" INSTANCE=$(INSTANCE); cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
linux: include
@@ -361,7 +362,7 @@
# (cd Linux; make -f Makefile.ipsend build LINUX=$(LINUX) TOP=.. "CC=$(CC)" $(MFLAGS); cd ..)
install-linux: linux
- (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) install ; cd ..)
+ (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) ROOTDIR=$(BUILDROOT) install ; cd ..)
install-bsd:
(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
@@ -407,4 +408,3 @@
-DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \
-I/home/dr146992/pfil -I/home/dr146992/ipf -f \
/usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h
-
Modified: trunk/contrib/ipfilter/NAT.FreeBSD
===================================================================
--- trunk/contrib/ipfilter/NAT.FreeBSD 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/NAT.FreeBSD 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-These are Instructions for Configuring A FreeBSD Box For NAT
+These are Instructions for Configuring A FreeBSD Box For NAT
After you have installed IpFilter.
You will need to change three files:
@@ -54,7 +54,7 @@
/32 is the subnet mask 255.255.255.255, ie only use this ip address.
-portmap tcp/udp 10000:65000
+portmap tcp/udp 10000:65000
tells it to use the ports to redirect the tcp/udp calls through
@@ -67,7 +67,7 @@
In your /etc/rc.local put the line:
-ipnat -f /etc/natrules
+ipnat -f /etc/natrules
To check and see if it is loaded, as root type
ipnat -ls
Modified: trunk/contrib/ipfilter/bpf-ipf.h
===================================================================
--- trunk/contrib/ipfilter/bpf-ipf.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/bpf-ipf.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/bpf-ipf.h 145519 2005-04-25 18:20:15Z darrenr $ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -39,7 +39,7 @@
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
- * @(#) $Header: /home/cvs/src/contrib/ipfilter/bpf-ipf.h,v 1.2 2012-12-21 04:00:01 laffer1 Exp $ (LBL)
+ * @(#) $Header: /devel/CVS/IP-Filter/bpf-ipf.h,v 2.1 2002/10/26 12:14:26 darrenr Exp $ (LBL)
*/
#ifndef BPF_MAJOR_VERSION
Modified: trunk/contrib/ipfilter/bpf_filter.c
===================================================================
--- trunk/contrib/ipfilter/bpf_filter.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/bpf_filter.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/bpf_filter.c 299749 2016-05-14 19:09:32Z cy $ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -42,7 +42,7 @@
#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
static const char rcsid[] =
- "@(#) $Header: /home/cvs/src/contrib/ipfilter/bpf_filter.c,v 1.2 2012-12-21 04:00:01 laffer1 Exp $ (LBL)";
+ "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.3 2006/10/03 11:25:56 darrenr Exp $ (LBL)";
#endif
#include <sys/param.h>
@@ -132,7 +132,7 @@
return EXTRACT_LONG(cp);
}
m0 = m->m_next;
- if (m0 == 0 || M_LEN(m0) + len - k < 4)
+ if (m0 == NULL || M_LEN(m0) + len - k < 4)
goto bad;
*err = 0;
np = MTOD(m0, u_char *);
@@ -168,7 +168,7 @@
return EXTRACT_SHORT(cp);
}
m0 = m->m_next;
- if (m0 == 0)
+ if (m0 == NULL)
goto bad;
*err = 0;
return (cp[0] << 8) | MTOD(m0, u_char *)[0];
@@ -205,7 +205,7 @@
} else
m = NULL;
- if (pc == 0)
+ if (pc == NULL)
/*
* No filter means accept all.
*/
Modified: trunk/contrib/ipfilter/ip_fil.c
===================================================================
--- trunk/contrib/ipfilter/ip_fil.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ip_fil.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,155 +1,29 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ip_fil.c 255761 2013-09-21 14:22:07Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 1.5 2012-12-21 04:00:01 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#include <sys/param.h>
-#if defined(__FreeBSD__) && !defined(__FreeBSD_version) || (defined(__MidnightBSD__) && !defined(__MidnightBSD_version))
-# if defined(IPFILTER_LKM)
-# ifndef __FreeBSD_cc_version || __MidnightBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-# endif
-#endif
-#include <sys/errno.h>
-#if defined(__hpux) && (HPUXREV >= 1111) && !defined(_KERNEL)
-# include <sys/kern_svcs.h>
-#endif
-#include <sys/types.h>
-#define _KERNEL
-#define KERNEL
-#ifdef __OpenBSD__
-struct file;
-#endif
-#include <sys/uio.h>
-#undef _KERNEL
-#undef KERNEL
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <sys/time.h>
-#if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || \
- (__FreeBSD_version >= 300000) || defined(__MidnightBSD__)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <fcntl.h>
-
-#ifdef __hpux
-# define _NET_ROUTE_INCLUDED
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if __FreeBSD_version >= 300000 || defined(__MidnightBSD__)
-# include <net/if_var.h>
-#endif
-#ifdef __sgi
-#include <sys/debug.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-# endif
-#endif
-#if defined(__FreeBSD__) || defined(SOLARIS2) || defined(__MidnightBSD__)
-# include "radix_ipf.h"
-#endif
-#ifndef __osf__
-# include <net/route.h>
-#endif
-#include <netinet/in.h>
-#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ && \
- !defined(__hpux) && !defined(linux)
-# include <netinet/in_var.h>
-#endif
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#if defined(__osf__)
-# include <netinet/tcp_timer.h>
-#endif
-#if defined(__osf__) || defined(__hpux) || defined(__sgi)
-# include "radix_ipf_local.h"
-# define _RADIX_H_
-#endif
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <arpa/inet.h>
-#ifdef __hpux
-# undef _NET_ROUTE_INCLUDED
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef IPFILTER_SYNC
-#include "netinet/ip_sync.h"
-#endif
-#ifdef IPFILTER_SCAN
-#include "netinet/ip_scan.h"
-#endif
-#include "netinet/ip_pool.h"
-#ifdef IPFILTER_COMPILED
-# include "netinet/ip_rules.h"
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) || defined(__MidnightBSD_version)
-# include <sys/malloc.h>
-#endif
-#ifdef __hpux
-struct rtentry;
-#endif
+#include "ipf.h"
#include "md5.h"
+#include "ipt.h"
+ipf_main_softc_t ipfmain;
-#if !defined(__osf__) && !defined(__linux__)
-extern struct protosw inetsw[];
-#endif
-
-#include "ipt.h"
static struct ifnet **ifneta = NULL;
static int nifs = 0;
-static void fr_setifpaddr __P((struct ifnet *, char *));
+struct rtentry;
+
+static void ipf_setifpaddr __P((struct ifnet *, char *));
void init_ifp __P((void));
#if defined(__sgi) && (IRIX < 60500)
static int no_output __P((struct ifnet *, struct mbuf *,
@@ -171,16 +45,18 @@
#endif
-int ipfattach()
+int
+ipfattach(softc)
+ ipf_main_softc_t *softc;
{
- fr_running = 1;
return 0;
}
-int ipfdetach()
+int
+ipfdetach(softc)
+ ipf_main_softc_t *softc;
{
- fr_running = -1;
return 0;
}
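Review bot: `ipfattach` and `ipfdetach` take `softc` but never read it, and the `fr_running` assignments that previously recorded attach/detach state are removed with nothing replacing them in these bodies. If this is the userland stand-in for the kernel entry points, a one-line comment on each, e.g. `/* userland stub: nothing to attach, always succeeds */`, would tell a reader the empty body is deliberate rather than an unfinished port. If callers expect a running flag to be set here, that presumably happens elsewhere now; worth confirming.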
@@ -188,14 +64,15 @@
/*
* Filter ioctl interface.
*/
-int iplioctl(dev, cmd, data, mode)
-int dev;
-ioctlcmd_t cmd;
-caddr_t data;
-int mode;
+int
+ipfioctl(softc, dev, cmd, data, mode)
+ ipf_main_softc_t *softc;
+ int dev;
+ ioctlcmd_t cmd;
+ caddr_t data;
+ int mode;
{
int error = 0, unit = 0, uid;
- SPL_INT(s);
uid = getuid();
unit = dev;
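Review bot: `SPL_INT(s);` is removed from ipfioctl's declarations, but `SPL_NET(s)` and `SPL_X(s)` are still invoked on `s` in the following hunk, which holds the rest of this function. That only compiles if both macros expand to nothing in this build, which is presumably the case for the userland ip_fil.c; should they ever expand to a real spl call, `s` is undeclared. Either keep `SPL_INT(s);` next to them or drop all three together so the locking intent reads consistently.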
@@ -202,87 +79,81 @@
SPL_NET(s);
- error = fr_ioctlswitch(unit, data, cmd, mode, uid, NULL);
+ error = ipf_ioctlswitch(softc, unit, data, cmd, mode, uid, NULL);
if (error != -1) {
SPL_X(s);
return error;
}
-
SPL_X(s);
return error;
}
-void fr_forgetifp(ifp)
-void *ifp;
+void
+ipf_forgetifp(softc, ifp)
+ ipf_main_softc_t *softc;
+ void *ifp;
{
register frentry_t *f;
- WRITE_ENTER(&ipf_mutex);
- for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
+ WRITE_ENTER(&softc->ipf_mutex);
+ for (f = softc->ipf_acct[0][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
- for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
+ for (f = softc->ipf_acct[1][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
- for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
+ for (f = softc->ipf_rules[0][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
- for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
+ for (f = softc->ipf_rules[1][softc->ipf_active]; (f != NULL);
+ f = f->fr_next)
if (f->fr_ifa == ifp)
f->fr_ifa = (void *)-1;
-#ifdef USE_INET6
- for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#endif
- RWLOCK_EXIT(&ipf_mutex);
- fr_natsync(ifp);
+ RWLOCK_EXIT(&softc->ipf_mutex);
+ ipf_nat_sync(softc, ifp);
+ ipf_lookup_sync(softc, ifp);
}
+static int
#if defined(__sgi) && (IRIX < 60500)
-static int no_output(ifp, m, s)
+no_output(ifp, m, s)
#else
# if TRU64 >= 1885
-static int no_output (ifp, m, s, rt, cp)
-char *cp;
+no_output (ifp, m, s, rt, cp)
+ char *cp;
# else
-static int no_output(ifp, m, s, rt)
+no_output(ifp, m, s, rt)
# endif
-struct rtentry *rt;
+ struct rtentry *rt;
#endif
-struct ifnet *ifp;
-struct mbuf *m;
-struct sockaddr *s;
+ struct ifnet *ifp;
+ struct mbuf *m;
+ struct sockaddr *s;
{
return 0;
}
+static int
#if defined(__sgi) && (IRIX < 60500)
-static int write_output(ifp, m, s)
+write_output(ifp, m, s)
#else
# if TRU64 >= 1885
-static int write_output (ifp, m, s, rt, cp)
-char *cp;
+write_output (ifp, m, s, rt, cp)
+ char *cp;
# else
-static int write_output(ifp, m, s, rt)
+write_output(ifp, m, s, rt)
# endif
-struct rtentry *rt;
+ struct rtentry *rt;
#endif
-struct ifnet *ifp;
-struct mbuf *m;
-struct sockaddr *s;
+ struct ifnet *ifp;
+ struct mbuf *m;
+ struct sockaddr *s;
{
char fname[32];
mb_t *mb;
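Review bot: Interface pointers held by IPv6 rules are only cleared by ipf_forgetifp if `softc->ipf_acct` and `softc->ipf_rules` now hold both address families: the old `ipacct6`/`ipfilter6` loops under USE_INET6 are dropped and no v6 list is walked in their place, and nothing in this file shows the merged layout. A comment above the first loop, `/* ipf_acct/ipf_rules hold v4 and v6 rules; no separate v6 lists */`, would make that assumption explicit, or the four near-identical loops could become one static helper taking the list head. The `(void *)-1` sentinel written to `fr_ifa` is also undocumented here; a comment naming what it means to the matching code would help.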
@@ -294,8 +165,7 @@
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- (defined(__MidnightBSD__))
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
sprintf(fname, "/tmp/%s", ifp->if_xname);
#else
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
@@ -311,9 +181,10 @@
}
-static void fr_setifpaddr(ifp, addr)
-struct ifnet *ifp;
-char *addr;
+static void
+ipf_setifpaddr(ifp, addr)
+ struct ifnet *ifp;
+ char *addr;
{
#ifdef __sgi
struct in_ifaddr *ifa;
@@ -321,7 +192,7 @@
struct ifaddr *ifa;
#endif
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__MidnightBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
if (ifp->if_addrlist.tqh_first != NULL)
#else
# ifdef __sgi
@@ -333,8 +204,7 @@
return;
ifa = (struct ifaddr *)malloc(sizeof(*ifa));
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__MidnightBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
ifp->if_addrlist.tqh_first = ifa;
#else
# ifdef __sgi
@@ -352,23 +222,50 @@
#else
sin = (struct sockaddr_in *)&ifa->ifa_addr;
#endif
- sin->sin_addr.s_addr = inet_addr(addr);
- if (sin->sin_addr.s_addr == 0)
- abort();
+#ifdef USE_INET6
+ if (index(addr, ':') != NULL) {
+ struct sockaddr_in6 *sin6;
+
+ sin6 = (struct sockaddr_in6 *)&ifa->ifa_addr;
+ sin6->sin6_family = AF_INET6;
+ /* Abort if bad address. */
+ switch (inet_pton(AF_INET6, addr, &sin6->sin6_addr))
+ {
+ case 1:
+ break;
+ case -1:
+ perror("inet_pton");
+ abort();
+ break;
+ default:
+ abort();
+ break;
+ }
+ } else
+#endif
+ {
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = inet_addr(addr);
+ if (sin->sin_addr.s_addr == 0)
+ abort();
+ }
}
}
-struct ifnet *get_unit(name, v)
-char *name;
-int v;
+struct ifnet *
+get_unit(name, family)
+ char *name;
+ int family;
{
struct ifnet *ifp, **ifpp, **old_ifneta;
char *addr;
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- (defined(__MidnightBSD__))
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
+ if (!*name)
+ return NULL;
+
if (name == NULL)
name = "anon0";
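Review bot: In get_unit the new guard `if (!*name) return NULL;` dereferences `name` two lines before the existing `if (name == NULL) name = "anon0";`, so a caller passing NULL now crashes where it previously got the anon0 interface; move the empty-string test below the NULL substitution, or write it as `if (name != NULL && *name == '\0') return NULL;`. The re-indented IPv4 branch of ipf_setifpaddr keeps `if (sin->sin_addr.s_addr == 0) abort();`, which rejects 0.0.0.0 but accepts a malformed address because inet_addr() reports failure as INADDR_NONE; `if (sin->sin_addr.s_addr == 0 || sin->sin_addr.s_addr == INADDR_NONE) abort();` would match the explicit inet_pton() result checking the new IPv6 branch does. Both functions extend beyond this hunk: ipf_setifpaddr begins before it and get_unit continues after it.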
@@ -379,7 +276,7 @@
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
if (!strcmp(name, ifp->if_xname)) {
if (addr != NULL)
- fr_setifpaddr(ifp, addr);
+ ipf_setifpaddr(ifp, addr);
return ifp;
}
}
@@ -394,10 +291,10 @@
*addr++ = '\0';
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- COPYIFNAME(v, ifp, ifname);
+ COPYIFNAME(family, ifp, ifname);
if (!strcmp(name, ifname)) {
if (addr != NULL)
- fr_setifpaddr(ifp, addr);
+ ipf_setifpaddr(ifp, addr);
return ifp;
}
}
@@ -433,19 +330,23 @@
}
ifp = ifneta[nifs - 1];
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__MidnightBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
TAILQ_INIT(&ifp->if_addrlist);
#endif
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- defined(__MidnightBSD__)
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
(void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname));
#else
- for (s = name; *s && !ISDIGIT(*s); s++)
- ;
- if (*s && ISDIGIT(*s)) {
+ s = name + strlen(name) - 1;
+ for (; s > name; s--) {
+ if (!ISDIGIT(*s)) {
+ s++;
+ break;
+ }
+ }
+
+ if ((s > name) && (*s != 0) && ISDIGIT(*s)) {
ifp->if_unit = atoi(s);
ifp->if_name = (char *)malloc(s - name + 1);
(void) strncpy(ifp->if_name, name, s - name);
@@ -458,7 +359,7 @@
ifp->if_output = (void *)no_output;
if (addr != NULL) {
- fr_setifpaddr(ifp, addr);
+ ipf_setifpaddr(ifp, addr);
}
return ifp;
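Review bot: In the `#else` branch of get_unit, `ifp->if_name = (char *)malloc(s - name + 1);` is unchecked and the following `strncpy(ifp->if_name, name, s - name)` copies exactly `s - name` bytes, so strncpy never writes the terminator; unless the line just after this hunk stores `ifp->if_name[s - name] = '\0'`, if_name is left unterminated and get_ifname later copies it with strcpy/sprintf. `if (ifp->if_name == NULL) abort();`, `memcpy(ifp->if_name, name, s - name);`, `ifp->if_name[s - name] = '\0';` makes the intent explicit either way. The reverse scan also starts at `name + strlen(name) - 1`, which for an empty name forms a pointer before the array; the `s > name` loop guard keeps it from being dereferenced, but the pointer computation itself is outside the object. get_unit starts before this hunk and its closing brace is outside it.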
@@ -465,17 +366,20 @@
}
-char *get_ifname(ifp)
-struct ifnet *ifp;
+char *
+get_ifname(ifp)
+ struct ifnet *ifp;
{
static char ifname[LIFNAMSIZ];
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- defined(__MidnightBSD__)
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
sprintf(ifname, "%s", ifp->if_xname);
#else
- sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
+ if (ifp->if_unit != -1)
+ sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
+ else
+ strcpy(ifname, ifp->if_name);
#endif
return ifname;
}
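Review bot: The new `else` branch of get_ifname copies `ifp->if_name` into the fixed `static char ifname[LIFNAMSIZ]` with an unbounded `strcpy`; if_name is malloc'd in get_unit from whatever interface token the rule or test input supplies, so a long name overruns the static buffer. Use `snprintf(ifname, sizeof(ifname), "%s", ifp->if_name);` and bound the `%s%d` sprintf the same way. The xname branch has a related hazard: if_xname is filled in get_unit by `strncpy(..., sizeof(ifp->if_xname))`, which does not guarantee a terminator, so `sprintf(ifname, "%s", ifp->if_xname)` can read past it; `snprintf(ifname, sizeof(ifname), "%.*s", (int)sizeof(ifp->if_xname), ifp->if_xname)` avoids both problems.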
@@ -482,7 +386,8 @@
-void init_ifp()
+void
+init_ifp()
{
struct ifnet *ifp, **ifpp;
char fname[32];
@@ -490,8 +395,7 @@
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- defined(__MidnightBSD__)
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
ifp->if_output = (void *)write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname);
@@ -504,7 +408,7 @@
#else
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- ifp->if_output = write_output;
+ ifp->if_output = (void *)write_output;
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
if (fd == -1)
@@ -516,36 +420,48 @@
}
-int fr_fastroute(m, mpp, fin, fdp)
-mb_t *m, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
+int
+ipf_fastroute(m, mpp, fin, fdp)
+ mb_t *m, **mpp;
+ fr_info_t *fin;
+ frdest_t *fdp;
{
- struct ifnet *ifp = fdp->fd_ifp;
+ struct ifnet *ifp;
ip_t *ip = fin->fin_ip;
+ frdest_t node;
int error = 0;
frentry_t *fr;
void *sifp;
+ int sout;
- if (!ifp)
- return 0; /* no routing table out here */
-
+ sifp = fin->fin_ifp;
+ sout = fin->fin_out;
fr = fin->fin_fr;
ip->ip_sum = 0;
+ if (!(fr->fr_flags & FR_KEEPSTATE) && (fdp != NULL) &&
+ (fdp->fd_type == FRD_DSTLIST)) {
+ bzero(&node, sizeof(node));
+ ipf_dstlist_select_node(fin, fdp->fd_ptr, NULL, &node);
+ fdp = &node;
+ }
+ ifp = fdp->fd_ptr;
+
+ if (ifp == NULL)
+ return 0; /* no routing table out here */
+
if (fin->fin_out == 0) {
- sifp = fin->fin_ifp;
fin->fin_ifp = ifp;
fin->fin_out = 1;
- (void) fr_acctpkt(fin, NULL);
+ (void) ipf_acctpkt(fin, NULL);
fin->fin_fr = NULL;
if (!fr || !(fr->fr_flags & FR_RETMASK)) {
u_32_t pass;
- (void) fr_checkstate(fin, &pass);
+ (void) ipf_state_check(fin, &pass);
}
- switch (fr_checknatout(fin, NULL))
+ switch (ipf_nat_checkout(fin, NULL))
{
case 0 :
break;
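Review bot: ipf_fastroute dereferences `fr->fr_flags` in the new FRD_DSTLIST test while `fr = fin->fin_fr` can be NULL, as the existing `if (!fr || !(fr->fr_flags & FR_RETMASK))` further down shows; the condition needs `fr != NULL &&` in front. The same block tests `(fdp != NULL)` and then unconditionally executes `ifp = fdp->fd_ptr;`, so the NULL case it anticipates still crashes; `ifp = (fdp != NULL) ? fdp->fd_ptr : NULL;` lets the existing `if (ifp == NULL) return 0;` handle it. The return value of ipf_dstlist_select_node() is ignored, which is only acceptable because `node` is zeroed first and a NULL fd_ptr falls into that same early return; a one-line comment saying so would help. The function continues past the end of this hunk.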
@@ -558,10 +474,11 @@
break;
}
- fin->fin_ifp = sifp;
- fin->fin_out = 0;
}
+ m->mb_ifp = ifp;
+ printpacket(fin->fin_out, m);
+
#if defined(__sgi) && (IRIX < 60500)
(*ifp->if_output)(ifp, (void *)ip, NULL);
# if TRU64 >= 1885
@@ -571,55 +488,55 @@
# endif
#endif
done:
+ fin->fin_ifp = sifp;
+ fin->fin_out = sout;
return error;
}
-int fr_send_reset(fin)
-fr_info_t *fin;
+int
+ipf_send_reset(fin)
+ fr_info_t *fin;
{
- verbose("- TCP RST sent\n");
+ ipfkverbose("- TCP RST sent\n");
return 0;
}
-int fr_send_icmp_err(type, fin, dst)
-int type;
-fr_info_t *fin;
-int dst;
+int
+ipf_send_icmp_err(type, fin, dst)
+ int type;
+ fr_info_t *fin;
+ int dst;
{
- verbose("- ICMP unreachable sent\n");
+ ipfkverbose("- ICMP unreachable sent\n");
return 0;
}
-void frsync(ifp)
-void *ifp;
+void
+m_freem(m)
+ mb_t *m;
{
return;
}
-void m_freem(m)
-mb_t *m;
+void
+m_copydata(m, off, len, cp)
+ mb_t *m;
+ int off, len;
+ caddr_t cp;
{
- return;
-}
-
-
-void m_copydata(m, off, len, cp)
-mb_t *m;
-int off, len;
-caddr_t cp;
-{
bcopy((char *)m + off, cp, len);
}
-int ipfuiomove(buf, len, rwflag, uio)
-caddr_t buf;
-int len, rwflag;
-struct uio *uio;
+int
+ipfuiomove(buf, len, rwflag, uio)
+ caddr_t buf;
+ int len, rwflag;
+ struct uio *uio;
{
int left, ioc, num, offset;
struct iovec *io;
@@ -656,8 +573,9 @@
}
-u_32_t fr_newisn(fin)
-fr_info_t *fin;
+u_32_t
+ipf_newisn(fin)
+ fr_info_t *fin;
{
static int iss_seq_off = 0;
u_char hash[16];
@@ -696,50 +614,76 @@
/* ------------------------------------------------------------------------ */
-/* Function: fr_nextipid */
+/* Function: ipf_nextipid */
/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Returns the next IPv4 ID to use for this packet. */
/* ------------------------------------------------------------------------ */
-INLINE u_short fr_nextipid(fin)
-fr_info_t *fin;
+INLINE u_short
+ipf_nextipid(fin)
+ fr_info_t *fin;
{
static u_short ipid = 0;
+ ipf_main_softc_t *softc = fin->fin_main_soft;
u_short id;
- MUTEX_ENTER(&ipf_rw);
- id = ipid++;
- MUTEX_EXIT(&ipf_rw);
+ MUTEX_ENTER(&softc->ipf_rw);
+ if (fin->fin_pktnum != 0) {
+ /*
+ * The -1 is for aligned test results.
+ */
+ id = (fin->fin_pktnum - 1) & 0xffff;
+ } else {
+ }
+ id = ipid++;
+ MUTEX_EXIT(&softc->ipf_rw);
return id;
}
-INLINE void fr_checkv4sum(fin)
-fr_info_t *fin;
+INLINE int
+ipf_checkv4sum(fin)
+ fr_info_t *fin;
{
- if (fr_checkl4sum(fin) == -1)
+
+ if (fin->fin_flx & FI_SHORT)
+ return 1;
+
+ if (ipf_checkl4sum(fin) == -1) {
fin->fin_flx |= FI_BAD;
+ return -1;
+ }
+ return 0;
}
#ifdef USE_INET6
-INLINE void fr_checkv6sum(fin)
-fr_info_t *fin;
+INLINE int
+ipf_checkv6sum(fin)
+ fr_info_t *fin;
{
- if (fr_checkl4sum(fin) == -1)
+ if (fin->fin_flx & FI_SHORT)
+ return 1;
+
+ if (ipf_checkl4sum(fin) == -1) {
fin->fin_flx |= FI_BAD;
+ return -1;
+ }
+ return 0;
}
#endif
+#if 0
/*
* See above for description, except that all addressing is in user space.
*/
-int copyoutptr(src, dst, size)
-void *src, *dst;
-size_t size;
+int
+copyoutptr(softc, src, dst, size)
+ void *src, *dst;
+ size_t size;
{
caddr_t ca;
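Review bot: In ipf_nextipid the assignment `id = ipid++;` sits after the `if/else`, not inside the empty `else { }`, so the packet-number-derived id computed for `fin->fin_pktnum != 0` is overwritten on every call and that branch is dead. Move it into the else: `} else {` / `id = ipid++;` / `}`. With that fixed, the mutex still guards the shared `ipid` counter on the else path and the pktnum path stays deterministic, which is what the comment about aligned test results intends. ipf_checkv4sum/ipf_checkv6sum now return 1 for FI_SHORT packets without setting FI_BAD; a comment stating what callers do with that 1 (skipped versus validated) would help, since the old void versions made no such distinction.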
@@ -752,9 +696,10 @@
/*
* See above for description, except that all addressing is in user space.
*/
-int copyinptr(src, dst, size)
-void *src, *dst;
-size_t size;
+int
+copyinptr(src, dst, size)
+ void *src, *dst;
+ size_t size;
{
caddr_t ca;
@@ -762,15 +707,18 @@
bcopy(ca, dst, size);
return 0;
}
+#endif
/*
* return the first IP Address associated with an interface
*/
-int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
-int v, atype;
-void *ifptr;
-struct in_addr *inp, *inpmask;
+int
+ipf_ifpaddr(softc, v, atype, ifptr, inp, inpmask)
+ ipf_main_softc_t *softc;
+ int v, atype;
+ void *ifptr;
+ i6addr_t *inp, *inpmask;
{
struct ifnet *ifp = ifptr;
#ifdef __sgi
@@ -779,8 +727,7 @@
struct ifaddr *ifa;
#endif
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__MidnightBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
ifa = ifp->if_addrlist.tqh_first;
#else
# ifdef __sgi
@@ -790,40 +737,145 @@
# endif
#endif
if (ifa != NULL) {
- struct sockaddr_in *sin, mask;
+ if (v == 4) {
+ struct sockaddr_in *sin, mask;
- mask.sin_addr.s_addr = 0xffffffff;
+ mask.sin_addr.s_addr = 0xffffffff;
#ifdef __sgi
- sin = (struct sockaddr_in *)&ifa->ia_addr;
+ sin = (struct sockaddr_in *)&ifa->ia_addr;
#else
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
+ sin = (struct sockaddr_in *)&ifa->ifa_addr;
#endif
- return fr_ifpfillv4addr(atype, sin, &mask, inp, inpmask);
+ return ipf_ifpfillv4addr(atype, sin, &mask,
+ &inp->in4, &inpmask->in4);
+ }
+#ifdef USE_INET6
+ if (v == 6) {
+ struct sockaddr_in6 *sin6, mask;
+
+ sin6 = (struct sockaddr_in6 *)&ifa->ifa_addr;
+ ((i6addr_t *)&mask.sin6_addr)->i6[0] = 0xffffffff;
+ ((i6addr_t *)&mask.sin6_addr)->i6[1] = 0xffffffff;
+ ((i6addr_t *)&mask.sin6_addr)->i6[2] = 0xffffffff;
+ ((i6addr_t *)&mask.sin6_addr)->i6[3] = 0xffffffff;
+ return ipf_ifpfillv6addr(atype, sin6, &mask,
+ inp, inpmask);
+ }
+#endif
}
return 0;
}
-int ipfsync()
+/*
+ * This function is not meant to be random, rather just produce a
+ * sequence of numbers that isn't linear to show "randomness".
+ */
+u_32_t
+ipf_random()
{
+ static unsigned int last = 0xa5a5a5a5;
+ static int calls = 0;
+ int number;
+
+ calls++;
+
+ /*
+ * These are deliberately chosen to ensure that there is some
+ * attempt to test whether the output covers the range in test n18.
+ */
+ switch (calls)
+ {
+ case 1 :
+ number = 0;
+ break;
+ case 2 :
+ number = 4;
+ break;
+ case 3 :
+ number = 3999;
+ break;
+ case 4 :
+ number = 4000;
+ break;
+ case 5 :
+ number = 48999;
+ break;
+ case 6 :
+ number = 49000;
+ break;
+ default :
+ number = last;
+ last *= calls;
+ last++;
+ number ^= last;
+ break;
+ }
+ return number;
+}
+
+
+int
+ipf_verifysrc(fin)
+ fr_info_t *fin;
+{
+ return 1;
+}
+
+
+int
+ipf_inject(fin, m)
+ fr_info_t *fin;
+ mb_t *m;
+{
+ FREE_MB_T(m);
+
return 0;
}
-#ifndef ipf_random
-u_32_t ipf_random()
+u_int
+ipf_pcksum(fin, hlen, sum)
+ fr_info_t *fin;
+ int hlen;
+ u_int sum;
{
- static int seeded = 0;
+ u_short *sp;
+ u_int sum2;
+ int slen;
+ slen = fin->fin_plen - hlen;
+ sp = (u_short *)((u_char *)fin->fin_ip + hlen);
+
+ for (; slen > 1; slen -= 2)
+ sum += *sp++;
+ if (slen)
+ sum += ntohs(*(u_char *)sp << 8);
+ while (sum > 0xffff)
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum2 = (u_short)(~sum & 0xffff);
+
+ return sum2;
+}
+
+
+void *
+ipf_pullup(m, fin, plen)
+ mb_t *m;
+ fr_info_t *fin;
+ int plen;
+{
+ if (M_LEN(m) >= plen)
+ return fin->fin_ip;
+
/*
- * Choose a non-random seed so that "randomness" can be "tested."
+ * Fake ipf_pullup failing
*/
- if (seeded == 0) {
- srand(0);
- seeded = 1;
- }
- return rand();
+ fin->fin_reason = FRB_PULLUP;
+ *fin->fin_mp = NULL;
+ fin->fin_m = NULL;
+ fin->fin_ip = NULL;
+ return NULL;
}
-#endif
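Review bot: The new IPv6 branch of ipf_ifpaddr uses `ifa->ifa_addr` unconditionally, but under `__sgi` the function declares `ifa` as `struct in_ifaddr *` and the v4 branch has to select `ia_addr` instead, so with `USE_INET6` and `__sgi` both defined this hunk does not compile. Either mirror the `#ifdef __sgi` selection in the v6 branch or exclude it with `#if defined(USE_INET6) && !defined(__sgi)`. Separately, ipf_pullup's faked failure clears `*fin->fin_mp`, `fin_m` and `fin_ip` but never releases `m`; if the harness allocates its mb_t buffers per packet that is a leak, and if it reuses a static buffer a comment such as `/* m is owned by the caller; not freed here */` would make that explicit.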
Modified: trunk/contrib/ipfilter/ip_msnrpc_pxy.c
===================================================================
--- trunk/contrib/ipfilter/ip_msnrpc_pxy.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ip_msnrpc_pxy.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ip_msnrpc_pxy.c 145519 2005-04-25 18:20:15Z darrenr $ */
/*
* Copyright (C) 2000-2003 by Darren Reed
Modified: trunk/contrib/ipfilter/ipf.h
===================================================================
--- trunk/contrib/ipfilter/ipf.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipf.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipf.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 1.4 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
#ifndef __IPF_H__
@@ -42,7 +42,7 @@
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
-#if __FreeBSD_version >= 300000 || defined(__MidnightBSD__)
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/in.h>
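Review bot: Dropping `defined(__MidnightBSD__)` from this guard leaves `<net/if_var.h>` included only when `__FreeBSD_version >= 300000`, which is safe only if the MidnightBSD toolchain predefines `__FreeBSD__` and `__FreeBSD_version` alongside `__MidnightBSD__`; the diff does not show that, and the same removal is repeated in the `__FreeBSD__` tests in ip_fil.c and iplang_y.y in this commit. Please confirm against the compiler's predefined macros and sys/param.h before merging, or keep `|| defined(__MidnightBSD__)` here and in the other guards. If the assumption holds, a short comment such as `/* MidnightBSD also defines __FreeBSD_version; no separate test needed */` would document why the explicit test went away.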
@@ -80,6 +80,7 @@
#include "netinet/ip_scan.h"
#include "netinet/ip_htable.h"
#include "netinet/ip_sync.h"
+#include "netinet/ip_dstlist.h"
#include "opts.h"
@@ -98,7 +99,7 @@
#ifndef U_32_T
# define U_32_T 1
# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__sgi) || defined(__MidnightBSD__)
+ defined(__sgi)
typedef u_int32_t u_32_t;
# else
# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
@@ -110,7 +111,7 @@
typedef unsigned int u_32_t;
# endif
# endif
-# endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi || __MidnightBSD__ */
+# endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
#endif /* U_32_T */
#ifndef MAXHOSTNAMELEN
@@ -120,7 +121,10 @@
#define MAX_ICMPCODE 16
#define MAX_ICMPTYPE 19
+#define PRINTF (void)printf
+#define FPRINTF (void)fprintf
+
struct ipopt_names {
int on_value;
int on_bit;
@@ -132,6 +136,7 @@
typedef struct alist_s {
struct alist_s *al_next;
int al_not;
+ int al_family;
i6addr_t al_i6addr;
i6addr_t al_i6mask;
} alist_t;
@@ -142,6 +147,14 @@
#define al_2 al_mask
+typedef struct plist_s {
+ struct plist_s *pl_next;
+ int pl_compare;
+ u_short pl_port1;
+ u_short pl_port2;
+} plist_t;
+
+
typedef struct {
u_short fb_c;
u_char fb_t;
@@ -150,8 +163,36 @@
} fakebpf_t;
+typedef struct {
+ char *it_name;
+ int it_v4;
+ int it_v6;
+} icmptype_t;
+
+
+typedef struct wordtab {
+ char *w_word;
+ int w_value;
+} wordtab_t;
+
+
+typedef struct namelist {
+ struct namelist *na_next;
+ char *na_name;
+ int na_value;
+} namelist_t;
+
+
+typedef struct proxyrule {
+ struct proxyrule *pr_next;
+ char *pr_proxy;
+ char *pr_conf;
+ namelist_t *pr_names;
+ int pr_proto;
+} proxyrule_t;
+
+
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
- defined(__MidnightBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
SOLARIS || defined(__sgi) || defined(__osf__) || defined(linux)
# include <stdarg.h>
@@ -159,7 +200,7 @@
#else
typedef int (* ioctlfunc_t) __P((dev_t, ioctlcmd_t, void *));
#endif
-typedef void (* addfunc_t) __P((int, ioctlfunc_t, void *));
+typedef int (* addfunc_t) __P((int, ioctlfunc_t, void *));
typedef int (* copyfunc_t) __P((void *, void *, size_t));
@@ -179,40 +220,60 @@
extern char *icmptypes[MAX_ICMPTYPE + 1];
extern int use_inet6;
extern int lineNum;
+extern int debuglevel;
extern struct ipopt_names v6ionames[];
+extern icmptype_t icmptypelist[];
+extern wordtab_t statefields[];
+extern wordtab_t natfields[];
+extern wordtab_t poolfields[];
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
+extern int addkeep __P((char ***, struct frentry *, int));
+extern alist_t *alist_new __P((int, char *));
extern void alist_free __P((alist_t *));
-extern alist_t *alist_new __P((int, char *));
+extern void assigndefined __P((char *));
extern void binprint __P((void *, size_t));
-extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));
extern int checkrev __P((char *));
+extern int connecttcp __P((char *, int));
extern int count6bits __P((u_32_t *));
extern int count4bits __P((u_32_t));
extern char *fac_toname __P((int));
extern int fac_findname __P((char *));
+extern const char *familyname __P((const int));
extern void fill6bits __P((int, u_int *));
-extern int gethost __P((char *, u_32_t *));
-extern int getport __P((struct frentry *, char *, u_short *));
+extern wordtab_t *findword __P((wordtab_t *, char *));
+extern int ftov __P((int));
+extern char *ipf_geterror __P((int, ioctlfunc_t *));
+extern int genmask __P((int, char *, i6addr_t *));
+extern int gethost __P((int, char *, i6addr_t *));
+extern int geticmptype __P((int, char *));
+extern int getport __P((struct frentry *, char *, u_short *, char *));
extern int getportproto __P((char *, int));
extern int getproto __P((char *));
-extern char *getnattype __P((struct nat *, int));
+extern char *getnattype __P((struct nat *));
extern char *getsumd __P((u_32_t));
extern u_32_t getoptbyname __P((char *));
extern u_32_t getoptbyvalue __P((int));
extern u_32_t getv6optbyname __P((char *));
extern u_32_t getv6optbyvalue __P((int));
+extern char *icmptypename __P((int, int));
extern void initparse __P((void));
-extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
-extern void ipf_addrule __P((int, ioctlfunc_t, void *));
+extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
+extern int ipf_addrule __P((int, ioctlfunc_t, void *));
+extern void ipf_mutex_clean __P((void));
extern int ipf_parsefile __P((int, addfunc_t, ioctlfunc_t *, char *));
extern int ipf_parsesome __P((int, addfunc_t, ioctlfunc_t *, FILE *));
+extern void ipf_perror __P((int, char *));
+extern int ipf_perror_fd __P(( int, ioctlfunc_t, char *));
+extern void ipf_rwlock_clean __P((void));
+extern char *ipf_strerror __P((int));
+extern void ipferror __P((int, char *));
extern int ipmon_parsefile __P((char *));
extern int ipmon_parsesome __P((FILE *));
-extern void ipnat_addrule __P((int, ioctlfunc_t, void *));
+extern int ipnat_addrule __P((int, ioctlfunc_t, void *));
extern int ipnat_parsefile __P((int, addfunc_t, ioctlfunc_t, char *));
extern int ipnat_parsesome __P((int, addfunc_t, ioctlfunc_t, FILE *));
extern int ippool_parsefile __P((int, char *, ioctlfunc_t));
@@ -219,50 +280,83 @@
extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t));
extern int kmemcpywrap __P((void *, void *, size_t));
extern char *kvatoname __P((ipfunc_t, ioctlfunc_t));
+extern int load_dstlist __P((struct ippool_dst *, ioctlfunc_t,
+ ipf_dstnode_t *));
+extern int load_dstlistnode __P((int, char *, struct ipf_dstnode *,
+ ioctlfunc_t));
extern alist_t *load_file __P((char *));
extern int load_hash __P((struct iphtable_s *, struct iphtent_s *,
ioctlfunc_t));
-extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
+extern int load_hashnode __P((int, char *, struct iphtent_s *, int,
+ ioctlfunc_t));
extern alist_t *load_http __P((char *));
extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t));
-extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
+extern int load_poolnode __P((int, char *, ip_pool_node_t *, int, ioctlfunc_t));
extern alist_t *load_url __P((char *));
extern alist_t *make_range __P((int, struct in_addr, struct in_addr));
+extern void mb_hexdump __P((mb_t *, FILE *));
extern ipfunc_t nametokva __P((char *, ioctlfunc_t));
extern void nat_setgroupmap __P((struct ipnat *));
extern int ntomask __P((int, int, u_32_t *));
extern u_32_t optname __P((char ***, u_short *, int));
-extern struct frentry *parse __P((char *, int));
+extern wordtab_t *parsefields __P((wordtab_t *, char *));
+extern int *parseipfexpr __P((char *, char **));
+extern int parsewhoisline __P((char *, addrfamily_t *, addrfamily_t *));
+extern void pool_close __P((void));
+extern int pool_fd __P((void));
+extern int pool_ioctl __P((ioctlfunc_t, ioctlcmd_t, void *));
+extern int pool_open __P((void));
extern char *portname __P((int, int));
extern int pri_findname __P((char *));
extern char *pri_toname __P((int));
-extern void print_toif __P((char *, struct frdest *));
-extern void printaps __P((ap_session_t *, int));
+extern void print_toif __P((int, char *, char *, struct frdest *));
+extern void printaps __P((ap_session_t *, int, int));
+extern void printaddr __P((int, int, char *, int, u_32_t *, u_32_t *));
extern void printbuf __P((char *, int, int));
+extern void printfieldhdr __P((wordtab_t *, wordtab_t *));
extern void printfr __P((struct frentry *, ioctlfunc_t));
-extern void printtunable __P((ipftune_t *));
extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t,
- char *, int));
-extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *, int));
+ char *, int, wordtab_t *));
+extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *,
+ int, wordtab_t *));
+extern ippool_dst_t *printdstl_live __P((ippool_dst_t *, int, char *,
+ int, wordtab_t *));
extern void printhashdata __P((iphtable_t *, int));
extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
struct iphtent_s *,
- copyfunc_t, int));
+ copyfunc_t, int, wordtab_t *));
+extern void printhost __P((int, u_32_t *));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
-extern void printip __P((u_32_t *));
+extern void printip __P((int, u_32_t *));
extern void printlog __P((struct frentry *));
-extern void printlookup __P((i6addr_t *addr, i6addr_t *mask));
-extern void printmask __P((u_32_t *));
-extern void printpacket __P((struct ip *));
-extern void printpacket6 __P((struct ip *));
+extern void printlookup __P((char *, i6addr_t *addr, i6addr_t *mask));
+extern void printmask __P((int, u_32_t *));
+extern void printnataddr __P((int, char *, nat_addr_t *, int));
+extern void printnatfield __P((nat_t *, int));
+extern void printnatside __P((char *, nat_stat_side_t *));
+extern void printpacket __P((int, mb_t *));
+extern void printpacket6 __P((int, mb_t *));
+extern struct ippool_dst *printdstlist __P((struct ippool_dst *, copyfunc_t,
+ char *, int, ipf_dstnode_t *,
+ wordtab_t *));
+extern void printdstlistdata __P((ippool_dst_t *, int));
+extern ipf_dstnode_t *printdstlistnode __P((ipf_dstnode_t *, copyfunc_t,
+ int, wordtab_t *));
+extern void printdstlistpolicy __P((ippool_policy_t));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t,
- char *, int));
+ char *, int, wordtab_t *));
extern struct ip_pool_s *printpool_live __P((struct ip_pool_s *, int,
- char *, int));
+ char *, int, wordtab_t *));
extern void printpooldata __P((ip_pool_t *, int));
-extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
+extern void printpoolfield __P((void *, int, int));
+extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *,
+ int, wordtab_t *));
extern void printproto __P((struct protoent *, int, struct ipnat *));
extern void printportcmp __P((int, struct frpcmp *));
+extern void printstatefield __P((ipstate_t *, int));
+extern void printtqtable __P((ipftq_t *));
+extern void printtunable __P((ipftune_t *));
+extern void printunit __P((int));
extern void optprint __P((u_short *, u_long, u_long));
#ifdef USE_INET6
extern void optprintv6 __P((u_short *, u_long, u_long));
@@ -271,7 +365,6 @@
extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int remove_pool __P((ip_pool_t *, ioctlfunc_t));
extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
-extern u_char tcp_flags __P((char *, u_char *, int));
extern u_char tcpflags __P((char *));
extern void printc __P((struct frentry *));
extern void printC __P((int));
@@ -284,14 +377,26 @@
extern struct ipstate *printstate __P((struct ipstate *, int, u_long));
extern void printsbuf __P((char *));
extern void printnat __P((struct ipnat *, int));
-extern void printactivenat __P((struct nat *, int, int, u_long));
+extern void printactiveaddress __P((int, char *, i6addr_t *, char *));
+extern void printactivenat __P((struct nat *, int, u_long));
extern void printhostmap __P((struct hostmap *, u_int));
-extern void printtqtable __P((ipftq_t *));
+extern void printtcpflags __P((u_32_t, u_32_t));
+extern void printipfexpr __P((int *));
+extern void printstatefield __P((ipstate_t *, int));
+extern void printstatefieldhdr __P((int));
+extern int sendtrap_v1_0 __P((int, char *, char *, int, time_t));
+extern int sendtrap_v2_0 __P((int, char *, char *, int));
+extern int vtof __P((int));
extern void set_variable __P((char *, char *));
extern char *get_variable __P((char *, char **, int));
extern void resetlexer __P((void));
+extern void debug __P((int, char *, ...));
+extern void verbose __P((int, char *, ...));
+extern void ipfkdebug __P((char *, ...));
+extern void ipfkverbose __P((char *, ...));
+
#if SOLARIS
extern int gethostname __P((char *, int ));
extern void sync __P((void));
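Review bot: The new prototypes `debug`, `verbose`, `ipfkdebug` and `ipfkverbose` take printf-style format strings and variadic arguments but carry no format attribute, so a mismatched or non-literal format argument at a call site goes unnoticed by the compiler. Where `__attribute__((format(printf, N, N+1)))` is available (guarded by the project's usual `#ifdef __GNUC__` style), add it, e.g. `extern void verbose __P((int, char *, ...)) __attribute__((format(printf, 2, 3)));` and `format(printf, 1, 2)` for the two ipfk variants. ipfkverbose is what the ip_fil.c stubs in this commit now call for their fixed messages, so the attribute costs nothing there and catches future misuse.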
Modified: trunk/contrib/ipfilter/iplang/Makefile
===================================================================
--- trunk/contrib/ipfilter/iplang/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/iplang/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -3,21 +3,20 @@
#
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
-CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend
all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
- $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
+ $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
- $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
+ $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
iplang_y.o: iplang_y.c
- $(CC) $(CCARGS) $< -o $@
+ $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
iplang_l.o: iplang_l.c
- $(CC) $(CCARGS) $< -o $@
+ $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
lex iplang_l.l
Modified: trunk/contrib/ipfilter/iplang/iplang.h
===================================================================
--- trunk/contrib/ipfilter/iplang/iplang.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/iplang/iplang.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/iplang/iplang.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
Modified: trunk/contrib/ipfilter/iplang/iplang.tst
===================================================================
--- trunk/contrib/ipfilter/iplang/iplang.tst 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/iplang/iplang.tst 2018-07-01 23:54:57 UTC (rev 11253)
@@ -4,7 +4,7 @@
ipv4 {
src 1.1.1.1; dst 2.2.2.2;
tcp {
- seq 12345; ack 0; sport 9999; dport 23; flags S;
+ seq 12345; ack 0; sport 9999; dport 23; flags S;
data { value "abcdef"; } ;
} ;
} ;
Modified: trunk/contrib/ipfilter/iplang/iplang_l.l
===================================================================
--- trunk/contrib/ipfilter/iplang/iplang_l.l 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/iplang/iplang_l.l 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/iplang/iplang_l.l 255332 2013-09-06 23:11:19Z cy $ */
%{
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: iplang_l.l,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <stdio.h>
#include <string.h>
Modified: trunk/contrib/ipfilter/iplang/iplang_y.y
===================================================================
--- trunk/contrib/ipfilter/iplang/iplang_y.y 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/iplang/iplang_y.y 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,13 +1,13 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/iplang/iplang_y.y 255332 2013-09-06 23:11:19Z cy $ */
%{
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $
- * $FreeBSD$
+ * $FreeBSD: stable/10/contrib/ipfilter/iplang/iplang_y.y 255332 2013-09-06 23:11:19Z cy $
*/
#include <stdio.h>
@@ -26,17 +26,13 @@
#include <unistd.h>
#include <stddef.h>
#include <sys/socket.h>
+#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef linux
# include <netinet/ip_var.h>
-#endif
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#ifndef linux
+# include <net/route.h>
# include <netinet/if_ether.h>
#endif
#include <netdb.h>
@@ -605,7 +601,7 @@
#ifdef bsdi
struct ether_addr *
ether_aton(s)
- char *s;
+ char *s;
{
static struct ether_addr n;
u_int i[6];
@@ -663,7 +659,7 @@
if (!e)
fprintf(stderr, "Invalid ethernet address: %s\n", arg);
else
-# if defined(__FreeBSD__) || defined(__MidnightBSD__)
+# ifdef __FreeBSD__
bcopy(e->octet, buf->octet, sizeof(e->octet));
# else
bcopy(e->ether_addr_octet, buf->ether_addr_octet,
@@ -1330,7 +1326,7 @@
sprintf((char *)t, " ");
t += 8;
for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
s--;
}
@@ -1348,7 +1344,7 @@
t += 7;
s -= j & 0xf;
for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
*t++ = '\n';
*t = '\0';
}
@@ -1840,7 +1836,7 @@
{
u_long sum = init;
int nwords = len >> 1;
-
+
for(; nwords > 0; nwords--)
sum += *buf++;
sum = (sum>>16) + (sum & 0xffff);
@@ -1855,7 +1851,7 @@
{
u_long sum = 0;
int nwords = len >> 1;
-
+
for(; nwords > 0; nwords--)
sum += *buf++;
return sum;
Modified: trunk/contrib/ipfilter/ipmon.h
===================================================================
--- trunk/contrib/ipfilter/ipmon.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipmon.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,22 +1,63 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipmon.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ipmon.h,v 1.2 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
+typedef struct ipmon_msg_s {
+ int imm_msglen;
+ char *imm_msg;
+ int imm_dsize;
+ void *imm_data;
+ time_t imm_when;
+ int imm_loglevel;
+} ipmon_msg_t;
-typedef struct ipmon_action {
+typedef void (*ims_destroy_func_t)(void *);
+typedef void *(*ims_dup_func_t)(void *);
+typedef int (*ims_match_func_t)(void *, void *);
+typedef void *(*ims_parse_func_t)(char **);
+typedef void (*ims_print_func_t)(void *);
+typedef int (*ims_store_func_t)(void *, ipmon_msg_t *);
+
+typedef struct ipmon_saver_s {
+ char *ims_name;
+ ims_destroy_func_t ims_destroy;
+ ims_dup_func_t ims_dup;
+ ims_match_func_t ims_match;
+ ims_parse_func_t ims_parse;
+ ims_print_func_t ims_print;
+ ims_store_func_t ims_store;
+} ipmon_saver_t;
+
+typedef struct ipmon_saver_int_s {
+ struct ipmon_saver_int_s *imsi_next;
+ ipmon_saver_t *imsi_stor;
+ void *imsi_handle;
+} ipmon_saver_int_t;
+
+typedef struct ipmon_doing_s {
+ struct ipmon_doing_s *ipmd_next;
+ void *ipmd_token;
+ ipmon_saver_t *ipmd_saver;
+ /*
+ * ipmd_store is "cached" in this structure to avoid a double
+ * deref when doing saves....
+ */
+ int (*ipmd_store)(void *, ipmon_msg_t *);
+} ipmon_doing_t;
+
+
+typedef struct ipmon_action {
struct ipmon_action *ac_next;
int ac_mflag; /* collection of things to compare */
int ac_dflag; /* flags to compliment the doing fields */
- int ac_syslog; /* = 1 to syslog rules. */
- char *ac_savefile; /* filename to save log records to */
- FILE *ac_savefp;
+ int ac_logpri;
int ac_direction;
char ac_group[FR_GROUPLEN];
char ac_nattag[16];
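Review bot: The new saver plug-in interface (`ipmon_msg_t`, the `ims_*` function-pointer typedefs, `ipmon_saver_t`, `ipmon_saver_int_t`, `ipmon_doing_t`) is added without a comment on its contract: who owns `imm_msg`/`imm_data` after `ims_store` returns, what the `char **` passed to `ims_parse` points at and whether it is advanced, what `ims_match` compares, and what `imsi_handle` holds (it looks like a dlopen() handle, which would mean savers are loaded as shared objects and the search path deserves stating). A short block comment above `ipmon_msg_t` describing each structure and the ownership rules, plus one line per function pointer, would let a maintainer implement a saver without reading the loader. The existing note on `ipmd_store` being cached is the right style to extend.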
@@ -28,13 +69,11 @@
int ac_second;
int ac_result;
u_32_t ac_sip;
- u_32_t ac_smsk;
+ u_32_t ac_smsk;
u_32_t ac_dip;
- u_32_t ac_dmsk;
+ u_32_t ac_dmsk;
u_short ac_sport;
u_short ac_dport;
- char *ac_exec; /* execute argument */
- char *ac_run; /* actual command that gets run */
char *ac_iface;
/*
* used with ac_packet/ac_second
@@ -41,6 +80,10 @@
*/
struct timeval ac_last;
int ac_pktcnt;
+ /*
+ * What to do with matches
+ */
+ ipmon_doing_t *ac_doing;
} ipmon_action_t;
#define ac_lastsec ac_last.tv_sec
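Review bot: The comment on the new `ac_doing` member says what the field is for but not who owns the `ipmon_doing_t` chain or when it is released, which is exactly what a maintainer of `unload_config()` needs to know. I would expand it to `/* chain of ipmon_doing_t handlers run when this action matches; presumably built via add_doing() and released together with the action */`, confirming the ownership half against the code that frees actions. The enclosing `ipmon_action_t` definition starts in the previous hunk.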
@@ -70,20 +113,19 @@
#define IPMR_NOMATCH 3
#define IPMR_LOG 4
-#define IPMDO_SAVERAW 0x0001
+#define IPMON_SYSLOG 0x001
+#define IPMON_RESOLVE 0x002
+#define IPMON_HEXBODY 0x004
+#define IPMON_HEXHDR 0x010
+#define IPMON_TAIL 0x020
+#define IPMON_VERBOSE 0x040
+#define IPMON_NAT 0x080
+#define IPMON_STATE 0x100
+#define IPMON_FILTER 0x200
+#define IPMON_PORTNUM 0x400
+#define IPMON_LOGALL (IPMON_NAT|IPMON_STATE|IPMON_FILTER)
+#define IPMON_LOGBODY 0x800
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-
#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
#ifndef LOGFAC
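Review bot: The new IPMON_* bit values are not listed in bit order: `IPMON_VERBOSE` moves from the old 0x008 to 0x040 (leaving 0x008 unused), and `IPMON_LOGBODY 0x800` sits after the composite `IPMON_LOGALL`. Keeping single bits ascending and the composite last (`#define IPMON_LOGBODY 0x800` before `#define IPMON_LOGALL (IPMON_NAT|IPMON_STATE|IPMON_FILTER)`) makes the mask layout readable and a gap obvious. If 0x008 was retired deliberately, a one-line comment saying so would save the next reader from wondering whether it is free.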
@@ -90,8 +132,11 @@
#define LOGFAC LOG_LOCAL0
#endif
+extern void dump_config __P((void));
extern int load_config __P((char *));
+extern void unload_config __P((void));
extern void dumphex __P((FILE *, int, char *, int));
extern int check_action __P((char *, char *, int, int));
extern char *getword __P((int));
-extern int fac_findname __P((char *));
+extern void *add_doing __P((ipmon_saver_t *));
+
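Review bot: `add_doing` is declared as returning `void *` even though `ipmon_doing_t` is defined earlier in this header, so callers get no type checking on the result; `extern ipmon_doing_t *add_doing __P((ipmon_saver_t *));` is strictly better unless the pointer is deliberately opaque, which should be checked against its definition. The new `dump_config`/`unload_config` prototypes also carry no comment; a one-liner on each stating its pairing with `load_config()` (what `unload_config` tears down, what `dump_config` writes and where) would make the header self-explanatory.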
Modified: trunk/contrib/ipfilter/ipsd/Celler/ip_compat.h
===================================================================
--- trunk/contrib/ipfilter/ipsd/Celler/ip_compat.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/Celler/ip_compat.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/Celler/ip_compat.h 145519 2005-04-25 18:20:15Z darrenr $ */
/*
* (C)opyright 1995 by Darren Reed.
Modified: trunk/contrib/ipfilter/ipsd/Makefile
===================================================================
--- trunk/contrib/ipfilter/ipsd/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
Modified: trunk/contrib/ipfilter/ipsd/ipsd.c
===================================================================
--- trunk/contrib/ipfilter/ipsd/ipsd.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/ipsd.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/ipsd.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1995-1998 Darren Reed.
@@ -34,7 +34,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsd.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
extern char *optarg;
@@ -66,7 +66,7 @@
int ipcmp(sh1, sh2)
-sdhit_t *sh1, *sh2;
+ sdhit_t *sh1, *sh2;
{
return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
}
@@ -77,9 +77,9 @@
* port.
*/
int findhit(ihp, src, dport)
-ipsd_t *ihp;
-struct in_addr src;
-u_short dport;
+ ipsd_t *ihp;
+ struct in_addr src;
+ u_short dport;
{
int i, j, k;
sdhit_t *sh;
@@ -110,8 +110,8 @@
* interested in.
*/
int detect(ip, tcp)
-ip_t *ip;
-tcphdr_t *tcp;
+ ip_t *ip;
+ tcphdr_t *tcp;
{
ipsd_t *ihp;
sdhit_t *sh;
@@ -179,7 +179,7 @@
* Write statistics out to a file
*/
writestats(nwrites)
-int nwrites;
+ int nwrites;
{
ipsd_t **ipsd, *ips;
char fname[32];
@@ -219,7 +219,7 @@
void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [-d device]\n", prog);
exit(1);
@@ -227,7 +227,7 @@
void detecthits(fd, writecount)
-int fd, writecount;
+ int fd, writecount;
{
struct in_addr ip;
int hits = 0;
@@ -243,8 +243,8 @@
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
char *name = argv[0], *dev = NULL;
int fd, writeafter = 10000, angelic = 0, c;
Modified: trunk/contrib/ipfilter/ipsd/ipsd.h
===================================================================
--- trunk/contrib/ipfilter/ipsd/ipsd.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/ipsd.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/ipsd.h 145519 2005-04-25 18:20:15Z darrenr $ */
/*
* (C)opyright 1995-1998 Darren Reed.
Modified: trunk/contrib/ipfilter/ipsd/ipsdr.c
===================================================================
--- trunk/contrib/ipfilter/ipsd/ipsdr.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/ipsdr.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/ipsdr.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1995-1998 Darren Reed.
@@ -35,7 +35,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsdr.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
extern char *optarg;
@@ -57,7 +57,7 @@
int ipcmp(sh1, sh2)
-sdhit_t *sh1, *sh2;
+ sdhit_t *sh1, *sh2;
{
return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
}
@@ -64,7 +64,7 @@
int ssipcmp(sh1, sh2)
-ipss_t *sh1, *sh2;
+ ipss_t *sh1, *sh2;
{
return sh1->ss_ip.s_addr - sh2->ss_ip.s_addr;
}
@@ -71,7 +71,7 @@
int countpbits(num)
-u_long num;
+ u_long num;
{
int i, j;
@@ -87,9 +87,9 @@
* port.
*/
int findhit(ihp, src, dport)
-ipsd_t *ihp;
-struct in_addr src;
-u_short dport;
+ ipsd_t *ihp;
+ struct in_addr src;
+ u_short dport;
{
int i, j, k;
sdhit_t *sh;
@@ -120,9 +120,9 @@
* interested in.
*/
int detect(srcip, dport, date)
-struct in_addr srcip;
-u_short dport;
-time_t date;
+ struct in_addr srcip;
+ u_short dport;
+ time_t date;
{
ipsd_t *ihp;
sdhit_t *sh;
@@ -181,7 +181,7 @@
* Write statistics out to a file
*/
addfile(file)
-char *file;
+ char *file;
{
ipsd_t ipsd, *ips = &ipsd;
sdhit_t hit, *hp;
@@ -209,7 +209,7 @@
readfiles(dir)
-char *dir;
+ char *dir;
{
struct direct **d;
int i, j;
@@ -226,8 +226,8 @@
void printreport(ss, num)
-ipss_t *ss;
-int num;
+ ipss_t *ss;
+ int num;
{
struct in_addr ip;
ipss_t *sp;
@@ -301,8 +301,8 @@
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
char c, *name = argv[0], *dir = NULL;
int fd;
Modified: trunk/contrib/ipfilter/ipsd/linux.h
===================================================================
--- trunk/contrib/ipfilter/ipsd/linux.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/linux.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/linux.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
Modified: trunk/contrib/ipfilter/ipsd/sbpf.c
===================================================================
--- trunk/contrib/ipfilter/ipsd/sbpf.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/sbpf.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/sbpf.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
@@ -68,7 +68,7 @@
int ack_recv(ep)
-char *ep;
+ char *ep;
{
struct tcpiphdr tip;
tcphdr_t *tcp;
@@ -89,8 +89,8 @@
int readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
+ int fd, port;
+ struct in_addr dst;
{
register u_char *bp, *cp, *bufend;
register struct bpf_hdr *bh;
@@ -119,8 +119,8 @@
}
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct bpf_program prog;
struct bpf_version bv;
Modified: trunk/contrib/ipfilter/ipsd/sdlpi.c
===================================================================
--- trunk/contrib/ipfilter/ipsd/sdlpi.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/sdlpi.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/sdlpi.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -60,7 +60,7 @@
int ack_recv(ep)
-char *ep;
+ char *ep;
{
struct tcpiphdr tip;
tcphdr_t *tcp;
@@ -80,8 +80,8 @@
int readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
+ int fd, port;
+ struct in_addr dst;
{
static u_char buf[BUFSPACE];
register u_char *bp, *cp, *bufend;
@@ -145,8 +145,8 @@
}
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct strioctl si;
struct timeval to;
Modified: trunk/contrib/ipfilter/ipsd/slinux.c
===================================================================
--- trunk/contrib/ipfilter/ipsd/slinux.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/slinux.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/slinux.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -43,7 +43,7 @@
int ack_recv(bp)
-char *bp;
+ char *bp;
{
struct tcpip tip;
tcphdr_t *tcp;
@@ -61,8 +61,8 @@
void readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
+ int fd, port;
+ struct in_addr dst;
{
static u_char buf[BUFSPACE];
struct sockaddr dest;
@@ -102,8 +102,8 @@
}
int initdevice(dev, tout)
-char *dev;
-int tout;
+ char *dev;
+ int tout;
{
int fd;
Modified: trunk/contrib/ipfilter/ipsd/snit.c
===================================================================
--- trunk/contrib/ipfilter/ipsd/snit.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsd/snit.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsd/snit.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -55,7 +55,7 @@
int ack_recv(ep)
-char *ep;
+ char *ep;
{
struct tcpiphdr tip;
struct tcphdr *tcp;
@@ -74,8 +74,8 @@
int readloop(fd, dst)
-int fd;
-struct in_addr dst;
+ int fd;
+ struct in_addr dst;
{
static u_char buf[BUFSPACE];
register u_char *bp, *cp, *bufend;
@@ -114,8 +114,8 @@
}
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct strioctl si;
struct timeval to;
Modified: trunk/contrib/ipfilter/ipsend/.OLD/ip_compat.h
===================================================================
--- trunk/contrib/ipfilter/ipsend/.OLD/ip_compat.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/.OLD/ip_compat.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/.OLD/ip_compat.h 145519 2005-04-25 18:20:15Z darrenr $ */
/*
* (C)opyright 1995 by Darren Reed.
Modified: trunk/contrib/ipfilter/ipsend/44arp.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/44arp.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/44arp.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/44arp.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* Based upon 4.4BSD's /usr/sbin/arp
@@ -8,14 +8,11 @@
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <net/if.h>
-#if __FreeBSD_version >= 300000 || defined(__MidnightBSD__)
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <net/if_dl.h>
#include <net/if_types.h>
-#if defined(__FreeBSD__) || defined(__MidnightBSD__)
-# include "radix_ipf.h"
-#endif
#ifndef __osf__
# include <net/route.h>
#endif
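Review bot: Dropping `|| defined(__MidnightBSD__)` from the `__FreeBSD_version >= 300000` guard means `<net/if_var.h>` is silently skipped on a MidnightBSD build if that compiler does not define `__FreeBSD_version`, and this is a MidnightBSD tree; the same edit is made in ipsend/ip.c in this commit. If `<sys/param.h>` is included earlier and does define `__FreeBSD_version` here, a short comment next to the guard recording that would stop the alternative from being re-added; otherwise I would keep `|| defined(__MidnightBSD__)` in both files.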
@@ -44,7 +41,7 @@
* (4 bytes)
*/
int resolve(host, address)
-char *host, *address;
+ char *host, *address;
{
struct hostent *hp;
u_long add;
@@ -66,13 +63,13 @@
int arp(addr, eaddr)
-char *addr, *eaddr;
+ char *addr, *eaddr;
{
int mib[6];
size_t needed;
char *lim, *buf, *next;
struct rt_msghdr *rtm;
- struct sockaddr_inarp *sin;
+ struct sockaddr_in *sin;
struct sockaddr_dl *sdl;
#ifdef IPSEND
@@ -113,7 +110,7 @@
for (next = buf; next < lim; next += rtm->rtm_msglen)
{
rtm = (struct rt_msghdr *)next;
- sin = (struct sockaddr_inarp *)(rtm + 1);
+ sin = (struct sockaddr_in *)(rtm + 1);
sdl = (struct sockaddr_dl *)(sin + 1);
if (!bcmp(addr, (char *)&sin->sin_addr,
sizeof(struct in_addr)))
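Review bot: The new `(struct sockaddr_in *)(rtm + 1)` cast keeps the following `sdl = (struct sockaddr_dl *)(sin + 1)`, which advances to the next sockaddr by `sizeof(struct sockaddr_in)` rather than by the address's own length field; the two presumably coincide for `sockaddr_inarp` as well, so behaviour looks unchanged, but where `<net/route.h>` is available `sdl = (struct sockaddr_dl *)((char *)sin + SA_SIZE(sin));` follows the routing socket's layout instead of assuming it. The `bcmp` on the next lines also reads `sin_addr` before anything checks that `rtm_msglen` covers a `sockaddr_in`, so a shorter-than-expected message would be read past its end; a guard such as `if (rtm->rtm_msglen < sizeof(*rtm) + sizeof(*sin)) continue;` at the top of the loop body closes that. arp()'s body continues outside the hunk.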
Modified: trunk/contrib/ipfilter/ipsend/Makefile
===================================================================
--- trunk/contrib/ipfilter/ipsend/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
Modified: trunk/contrib/ipfilter/ipsend/arp.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/arp.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/arp.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/arp.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* arp.c (C) 1995-1998 Darren Reed
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: arp.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/socket.h>
@@ -17,9 +17,6 @@
#include <sys/ioctl.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#include <netinet/if_ether.h>
#ifndef ultrix
@@ -42,7 +39,7 @@
* (4 bytes)
*/
int resolve(host, address)
-char *host, *address;
+ char *host, *address;
{
struct hostent *hp;
u_long add;
@@ -68,8 +65,8 @@
* some BSD program, I cant remember which.
*/
int arp(ip, ether)
-char *ip;
-char *ether;
+ char *ip;
+ char *ether;
{
static int sfd = -1;
static char ethersave[6], ipsave[4];
Modified: trunk/contrib/ipfilter/ipsend/dlcommon.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/dlcommon.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/dlcommon.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/dlcommon.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* Common (shared) DLPI test routines.
@@ -32,18 +32,18 @@
#define CASERET(s) case s: return ("s")
-char *dlprim();
-char *dlstate();
-char *dlerrno();
-char *dlpromisclevel();
-char *dlservicemode();
-char *dlstyle();
-char *dlmactype();
+ char *dlprim();
+ char *dlstate();
+ char *dlerrno();
+ char *dlpromisclevel();
+ char *dlservicemode();
+ char *dlstyle();
+ char *dlmactype();
void
dlinforeq(fd)
-int fd;
+ int fd;
{
dl_info_req_t info_req;
struct strbuf ctl;
@@ -63,8 +63,8 @@
void
dlinfoack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -92,8 +92,8 @@
void
dlattachreq(fd, ppa)
-int fd;
-u_long ppa;
+ int fd;
+ u_long ppa;
{
dl_attach_req_t attach_req;
struct strbuf ctl;
@@ -114,9 +114,9 @@
void
dlenabmultireq(fd, addr, length)
-int fd;
-char *addr;
-int length;
+ int fd;
+ char *addr;
+ int length;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -143,9 +143,9 @@
void
dldisabmultireq(fd, addr, length)
-int fd;
-char *addr;
-int length;
+ int fd;
+ char *addr;
+ int length;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -172,8 +172,8 @@
void
dlpromisconreq(fd, level)
-int fd;
-u_long level;
+ int fd;
+ u_long level;
{
dl_promiscon_req_t promiscon_req;
struct strbuf ctl;
@@ -195,8 +195,8 @@
void
dlpromiscoff(fd, level)
-int fd;
-u_long level;
+ int fd;
+ u_long level;
{
dl_promiscoff_req_t promiscoff_req;
struct strbuf ctl;
@@ -217,8 +217,8 @@
void
dlphysaddrreq(fd, addrtype)
-int fd;
-u_long addrtype;
+ int fd;
+ u_long addrtype;
{
dl_phys_addr_req_t phys_addr_req;
struct strbuf ctl;
@@ -239,9 +239,9 @@
void
dlsetphysaddrreq(fd, addr, length)
-int fd;
-char *addr;
-int length;
+ int fd;
+ char *addr;
+ int length;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -268,7 +268,7 @@
void
dldetachreq(fd)
-int fd;
+ int fd;
{
dl_detach_req_t detach_req;
struct strbuf ctl;
@@ -288,12 +288,12 @@
void
dlbindreq(fd, sap, max_conind, service_mode, conn_mgmt, xidtest)
-int fd;
-u_long sap;
-u_long max_conind;
-u_long service_mode;
-u_long conn_mgmt;
-u_long xidtest;
+ int fd;
+ u_long sap;
+ u_long max_conind;
+ u_long service_mode;
+ u_long conn_mgmt;
+ u_long xidtest;
{
dl_bind_req_t bind_req;
struct strbuf ctl;
@@ -318,12 +318,12 @@
void
dlunitdatareq(fd, addrp, addrlen, minpri, maxpri, datap, datalen)
-int fd;
-u_char *addrp;
-int addrlen;
-u_long minpri, maxpri;
-u_char *datap;
-int datalen;
+ int fd;
+ u_char *addrp;
+ int addrlen;
+ u_long minpri, maxpri;
+ u_char *datap;
+ int datalen;
{
long buf[MAXDLBUF];
union DL_primitives *dlp;
@@ -353,7 +353,7 @@
void
dlunbindreq(fd)
-int fd;
+ int fd;
{
dl_unbind_req_t unbind_req;
struct strbuf ctl;
@@ -373,8 +373,8 @@
void
dlokack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -402,8 +402,8 @@
void
dlerrorack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -431,8 +431,8 @@
void
dlbindack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -457,8 +457,8 @@
void
dlphysaddrack(fd, bufp)
-int fd;
-char *bufp;
+ int fd;
+ char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
@@ -488,10 +488,10 @@
}
strgetmsg(fd, ctlp, datap, flagsp, caller)
-int fd;
-struct strbuf *ctlp, *datap;
-int *flagsp;
-char *caller;
+ int fd;
+ struct strbuf *ctlp, *datap;
+ int *flagsp;
+ char *caller;
{
int rc;
static char errmsg[80];
@@ -540,8 +540,8 @@
}
expecting(prim, dlp)
-int prim;
-union DL_primitives *dlp;
+ int prim;
+ union DL_primitives *dlp;
{
if (dlp->dl_primitive != (u_long)prim) {
printdlprim(dlp);
@@ -555,7 +555,7 @@
* Print any DLPI msg in human readable format.
*/
printdlprim(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
switch (dlp->dl_primitive) {
case DL_INFO_REQ:
@@ -659,13 +659,13 @@
/* ARGSUSED */
printdlinforeq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_INFO_REQ\n");
}
printdlinfoack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
u_char brdcst[MAXDLADDR];
@@ -702,7 +702,7 @@
}
printdlattachreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_ATTACH_REQ: ppa %d\n",
dlp->attach_req.dl_ppa);
@@ -709,7 +709,7 @@
}
printdlokack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_OK_ACK: correct_primitive %s\n",
dlprim(dlp->ok_ack.dl_correct_primitive));
@@ -716,7 +716,7 @@
}
printdlerrorack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_ERROR_ACK: error_primitive %s errno %s unix_errno %d: %s\n",
dlprim(dlp->error_ack.dl_error_primitive),
@@ -726,7 +726,7 @@
}
printdlenabmultireq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -740,7 +740,7 @@
}
printdldisabmultireq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -754,7 +754,7 @@
}
printdlpromisconreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_PROMISCON_REQ: level %s\n",
dlpromisclevel(dlp->promiscon_req.dl_level));
@@ -761,7 +761,7 @@
}
printdlpromiscoffreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_PROMISCOFF_REQ: level %s\n",
dlpromisclevel(dlp->promiscoff_req.dl_level));
@@ -768,7 +768,7 @@
}
printdlphysaddrreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_PHYS_ADDR_REQ: addr_type 0x%x\n",
dlp->physaddr_req.dl_addr_type);
@@ -775,7 +775,7 @@
}
printdlphysaddrack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -789,7 +789,7 @@
}
printdlsetphysaddrreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -804,13 +804,13 @@
/* ARGSUSED */
printdldetachreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_DETACH_REQ\n");
}
printdlbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_BIND_REQ: sap %d max_conind %d\n",
dlp->bind_req.dl_sap,
@@ -822,7 +822,7 @@
}
printdlbindack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -841,13 +841,13 @@
/* ARGSUSED */
printdlunbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_UNBIND_REQ\n");
}
printdlsubsbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char sap[MAXDLADDR];
@@ -861,7 +861,7 @@
}
printdlsubsbindack(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char sap[MAXDLADDR];
@@ -875,7 +875,7 @@
}
printdlsubsunbindreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char sap[MAXDLADDR];
@@ -889,7 +889,7 @@
}
printdlunitdatareq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -906,7 +906,7 @@
}
printdlunitdataind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -929,7 +929,7 @@
}
printdluderrorind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -946,7 +946,7 @@
}
printdltestreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char addr[MAXDLADDR];
@@ -961,7 +961,7 @@
}
printdltestind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -983,7 +983,7 @@
}
printdltestres(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
@@ -998,7 +998,7 @@
}
printdltestcon(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -1020,7 +1020,7 @@
}
printdlxidreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
@@ -1035,7 +1035,7 @@
}
printdlxidind(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -1057,7 +1057,7 @@
}
printdlxidres(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
@@ -1072,7 +1072,7 @@
}
printdlxidcon(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
u_char dest[MAXDLADDR];
u_char src[MAXDLADDR];
@@ -1094,7 +1094,7 @@
}
printdludqosreq(dlp)
-union DL_primitives *dlp;
+ union DL_primitives *dlp;
{
(void) printf("DL_UDQOS_REQ: qos_length %d qos_offset %d\n",
dlp->udqos_req.dl_qos_length,
@@ -1105,9 +1105,9 @@
* Return string.
*/
addrtostring(addr, length, s)
-u_char *addr;
-u_long length;
-u_char *s;
+ u_char *addr;
+ u_long length;
+ u_char *s;
{
int i;
@@ -1123,8 +1123,8 @@
* Return length
*/
stringtoaddr(sp, addr)
-char *sp;
-char *addr;
+ char *sp;
+ char *addr;
{
int n = 0;
char *p;
@@ -1140,7 +1140,7 @@
n++;
p = NULL;
}
-
+
return (n);
}
@@ -1147,7 +1147,7 @@
static char
hexnibble(c)
-char c;
+ char c;
{
static char hextab[] = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
@@ -1159,7 +1159,7 @@
char*
dlprim(prim)
-u_long prim;
+ u_long prim;
{
static char primbuf[80];
@@ -1200,7 +1200,7 @@
char*
dlstate(state)
-u_long state;
+ u_long state;
{
static char statebuf[80];
@@ -1234,7 +1234,7 @@
char*
dlerrno(errno)
-u_long errno;
+ u_long errno;
{
static char errnobuf[80];
@@ -1276,7 +1276,7 @@
char*
dlpromisclevel(level)
-u_long level;
+ u_long level;
{
static char levelbuf[80];
@@ -1292,7 +1292,7 @@
char*
dlservicemode(servicemode)
-u_long servicemode;
+ u_long servicemode;
{
static char servicemodebuf[80];
@@ -1309,7 +1309,7 @@
char*
dlstyle(style)
-long style;
+ long style;
{
static char stylebuf[80];
@@ -1324,7 +1324,7 @@
char*
dlmactype(media)
-u_long media;
+ u_long media;
{
static char mediabuf[80];
@@ -1345,8 +1345,8 @@
/*VARARGS1*/
err(fmt, a1, a2, a3, a4)
-char *fmt;
-char *a1, *a2, *a3, *a4;
+ char *fmt;
+ char *a1, *a2, *a3, *a4;
{
(void) fprintf(stderr, fmt, a1, a2, a3, a4);
(void) fprintf(stderr, "\n");
@@ -1354,7 +1354,7 @@
}
syserr(s)
-char *s;
+ char *s;
{
(void) perror(s);
exit(1);
@@ -1361,11 +1361,11 @@
}
strioctl(fd, cmd, timout, len, dp)
-int fd;
-int cmd;
-int timout;
-int len;
-char *dp;
+ int fd;
+ int cmd;
+ int timout;
+ int len;
+ char *dp;
{
struct strioctl sioc;
int rc;
Modified: trunk/contrib/ipfilter/ipsend/dltest.h
===================================================================
--- trunk/contrib/ipfilter/ipsend/dltest.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/dltest.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/dltest.h 145519 2005-04-25 18:20:15Z darrenr $ */
/*
* Common DLPI Test Suite header file
Modified: trunk/contrib/ipfilter/ipsend/ip.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/ip.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ip.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/ip.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* ip.c (C) 1995-1998 Darren Reed
@@ -7,23 +7,21 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/param.h>
#ifndef linux
+# include <net/route.h>
# include <netinet/if_ether.h>
# include <netinet/ip_var.h>
-# if __FreeBSD_version >= 300000 || defined(__MidnightBSD__)
+# if __FreeBSD_version >= 300000
# include <net/if_var.h>
# endif
#endif
@@ -39,8 +37,8 @@
u_short chksum(buf,len)
-u_short *buf;
-int len;
+ u_short *buf;
+ int len;
{
u_long sum = 0;
int nwords = len >> 1;
@@ -54,9 +52,9 @@
int send_ether(nfd, buf, len, gwip)
-int nfd, len;
-char *buf;
-struct in_addr gwip;
+ int nfd, len;
+ char *buf;
+ struct in_addr gwip;
{
static struct in_addr last_gw;
static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
@@ -89,10 +87,10 @@
/*
*/
int send_ip(nfd, mtu, ip, gwip, frag)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-int frag;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int frag;
{
static struct in_addr last_gw, local_ip;
static char local_arp[6] = { 0, 0, 0, 0, 0, 0};
@@ -250,9 +248,9 @@
* send a tcp packet.
*/
int send_tcp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
static tcp_seq iss = 2;
tcphdr_t *t, *t2;
@@ -303,9 +301,9 @@
* send a udp packet.
*/
int send_udp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
struct tcpiphdr *ti;
int thlen;
@@ -335,9 +333,9 @@
* send an icmp packet.
*/
int send_icmp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
struct icmp *ic;
@@ -351,9 +349,9 @@
int send_packet(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
+ int nfd, mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
switch (ip->ip_p)
{
Modified: trunk/contrib/ipfilter/ipsend/ipresend.1
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipresend.1 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipresend.1 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipresend.1 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPRESEND 1
.SH NAME
Modified: trunk/contrib/ipfilter/ipsend/ipresend.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipresend.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipresend.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipresend.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* ipresend.c (C) 1995-1998 Darren Reed
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipresend.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -32,7 +32,7 @@
extern char *optarg;
extern int optind;
#ifndef NO_IPF
-extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext;
+extern struct ipread pcap, iphex, iptext;
#endif
int opts = 0;
@@ -68,7 +68,7 @@
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\
\t\t-r filename\tsnoop data file to resend\n\
@@ -83,8 +83,8 @@
int main(argc, argv)
-int argc;
-char **argv;
+ int argc;
+ char **argv;
{
struct in_addr gwip;
struct ipread *ipr = NULL;
@@ -115,9 +115,6 @@
opts |= OPT_RAW;
break;
#ifndef NO_IPF
- case 'E' :
- ipr = ðerf;
- break;
case 'H' :
ipr = &iphex;
break;
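Review bot: Removing the `'E'` case here, and the `'S'` and `'T'` cases in the next hunk, leaves whatever the `getopt()` option string and the `usage()` text say about those letters untouched in this diff; if they still list `E`, `S` or `T`, those options are accepted by getopt and fall through to the default branch, or are documented but dead. Both places are outside these hunks (the usage text is cut off after `@@ -68,7 +68,7 @@` and the getopt call precedes the switch), so please drop the letters from the option string and the usage lines in the same change. main()'s body continues outside the hunk.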
@@ -124,12 +121,6 @@
case 'P' :
ipr = &pcap;
break;
- case 'S' :
- ipr = &snoop;
- break;
- case 'T' :
- ipr = &tcpd;
- break;
case 'X' :
ipr = &iptext;
break;
Modified: trunk/contrib/ipfilter/ipsend/ipsend.1
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipsend.1 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipsend.1 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipsend.1 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPSEND 1
.SH NAME
Modified: trunk/contrib/ipfilter/ipsend/ipsend.5
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipsend.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipsend.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipsend.5 255332 2013-09-06 23:11:19Z cy $
.TH IPSEND 5
.SH NAME
ipsend \- IP packet description language
@@ -123,7 +123,7 @@
sets the fragment offset field of the IP packet. Default is 0.
.TP
.B ttl <number>
-sets the time to live (TTL) field of the IP header. Default is 60.
+sets the time to live (TTL) field of the IP header. Default is 60.
.TP
.B proto <protocol>
sets the protocol field of the IP header. The protocol can either be a
Modified: trunk/contrib/ipfilter/ipsend/ipsend.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipsend.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipsend.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipsend.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
*
@@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -67,7 +67,7 @@
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [options] dest [flags]\n\
\toptions:\n\
@@ -96,8 +96,8 @@
static void do_icmp(ip, args)
-ip_t *ip;
-char *args;
+ ip_t *ip;
+ char *args;
{
struct icmp *ic;
char *s;
@@ -147,10 +147,10 @@
int send_packets(dev, mtu, ip, gwip)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
{
int wfd;
@@ -193,8 +193,8 @@
}
int main(argc, argv)
-int argc;
-char **argv;
+ int argc;
+ char **argv;
{
FILE *langfile = NULL;
struct in_addr gwip;
Modified: trunk/contrib/ipfilter/ipsend/ipsend.h
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipsend.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipsend.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipsend.h 255332 2013-09-06 23:11:19Z cy $ */
/*
* ipsend.h (C) 1997-1998 Darren Reed
@@ -29,7 +29,9 @@
#ifdef linux
#include <linux/sockios.h>
#endif
-#include "tcpip.h"
+/* XXX: The following is needed by tcpip.h */
+#include <netinet/ip_var.h>
+#include "netinet/tcpip.h"
#include "ipt.h"
extern int resolve __P((char *, char *));
Modified: trunk/contrib/ipfilter/ipsend/ipsopt.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/ipsopt.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/ipsopt.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/ipsopt.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsopt.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -62,7 +62,7 @@
u_short ipseclevel(slevel)
-char *slevel;
+ char *slevel;
{
struct ipopt_names *so;
@@ -79,10 +79,10 @@
int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
+ char *op;
+ struct ipopt_names *io;
+ int len;
+ char *class;
{
struct in_addr ipadr;
int olen = len, srr = 0;
@@ -150,8 +150,8 @@
u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
+ char *cp, *op;
+ int len;
{
struct ipopt_names *io;
u_32_t msk = 0;
Modified: trunk/contrib/ipfilter/ipsend/iptest.1
===================================================================
--- trunk/contrib/ipfilter/ipsend/iptest.1 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/iptest.1 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/ipsend/iptest.1 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPTEST 1
.SH NAME
Modified: trunk/contrib/ipfilter/ipsend/iptest.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/iptest.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/iptest.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/iptest.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptest.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -63,7 +63,7 @@
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s [options] dest\n\
\toptions:\n\
@@ -85,8 +85,8 @@
int main(argc, argv)
-int argc;
-char **argv;
+ int argc;
+ char **argv;
{
struct tcpiphdr *ti;
struct in_addr gwip;
Modified: trunk/contrib/ipfilter/ipsend/iptests.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/iptests.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/iptests.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/iptests.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -22,7 +22,7 @@
#endif
#include <sys/time.h>
#if !defined(__osf__)
-# ifdef __NetBSD__
+# ifdef __NetBSD__
# include <machine/lock.h>
# include <machine/mutex.h>
# endif
@@ -52,8 +52,9 @@
#endif
#if defined(solaris)
# include <sys/stream.h>
+#else
+# include <sys/socketvar.h>
#endif
-#include <sys/socketvar.h>
#ifdef sun
#include <sys/systm.h>
#include <sys/session.h>
@@ -68,18 +69,17 @@
#ifdef __hpux
# define _NET_ROUTE_INCLUDED
#endif
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#if defined(linux) && (LINUX >= 0200)
# include <asm/atomic.h>
#endif
#if !defined(linux)
-# if defined(__FreeBSD__) || defined(__MidnightBSD__)
+# if defined(__FreeBSD__)
# include "radix_ipf.h"
# endif
-# include <net/route.h>
+# if !defined(solaris)
+# include <net/route.h>
+# endif
#else
# define __KERNEL__ /* because there's a macro not wrapped by this */
# include <net/route.h> /* in this file :-/ */
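Review bot: The new guard `# if defined(__FreeBSD__)` drops `defined(__MidnightBSD__)`, which this tree had carried as a local adaptation, and the same removal is made in resend.c (`__FreeBSD_version >= 300000`), sbpf.c (the `<sys/dirent.h>` guard) and sock.c (the `<sys/dirent.h>` guard, the `radix_ipf.h` include and the `__FreeBSD_version >= 500013` KMCPY guard). Unless the MidnightBSD toolchain also defines `__FreeBSD__` and `__FreeBSD_version`, these branches stop being compiled on the host platform and the build silently takes the non-FreeBSD path, which for sock.c means a different kernel-memory layout for find_tcp. If the import is meant to be a verbatim upstream sync, the local conditions should be re-applied on top of it; otherwise a one-line comment at this first site recording why the separate guard is no longer needed would spare the next reader the same question.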
@@ -87,12 +87,6 @@
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-# if !defined(__hpux)
-# include <netinet/in_pcb.h>
-# endif
-#endif
#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
# include <sys/sysmacros.h>
#endif
@@ -103,6 +97,12 @@
#ifdef __hpux
# undef _NET_ROUTE_INCLUDED
#endif
+#if !defined(linux)
+# include <netinet/ip_var.h>
+# if !defined(__hpux) && !defined(solaris)
+# include <netinet/in_pcb.h>
+# endif
+#endif
#include "ipsend.h"
#if !defined(linux) && !defined(__hpux)
# include <netinet/tcp_timer.h>
@@ -123,11 +123,11 @@
void ip_test1(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -474,11 +474,11 @@
void ip_test2(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -570,11 +570,11 @@
* test 3 (ICMP)
*/
void ip_test3(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 };
static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 };
@@ -771,11 +771,11 @@
/* Perform test 4 (UDP) */
void ip_test4(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -936,11 +936,11 @@
/* Perform test 5 (TCP) */
void ip_test5(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -1286,11 +1286,11 @@
/* Perform test 6 (exhaust mbuf test) */
void ip_test6(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
@@ -1368,11 +1368,11 @@
static u_long tbuf[64];
void ip_test7(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
+ char *dev;
+ int mtu;
+ ip_t *ip;
+ struct in_addr gwip;
+ int ptest;
{
ip_t *pip;
#ifdef USE_NANOSLEEP
Modified: trunk/contrib/ipfilter/ipsend/larp.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/larp.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/larp.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/larp.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* larp.c (C) 1995-1998 Darren Reed
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: larp.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -30,7 +30,7 @@
* (4 bytes)
*/
int resolve(host, address)
-char *host, *address;
+ char *host, *address;
{
struct hostent *hp;
u_long add;
@@ -56,8 +56,8 @@
* some BSD program, I cant remember which.
*/
int arp(ip, ether)
-char *ip;
-char *ether;
+ char *ip;
+ char *ether;
{
static int s = -1;
struct arpreq ar;
Modified: trunk/contrib/ipfilter/ipsend/linux.h
===================================================================
--- trunk/contrib/ipfilter/ipsend/linux.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/linux.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/linux.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
Modified: trunk/contrib/ipfilter/ipsend/lsock.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/lsock.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/lsock.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/lsock.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* lsock.c (C) 1995-1998 Darren Reed
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <stdio.h>
#include <unistd.h>
@@ -66,9 +66,9 @@
#endif
int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
+ char *buf;
+ void *pos;
+ int n;
{
static int kfd = -1;
@@ -150,8 +150,8 @@
struct sock *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
+ int fd;
+ struct tcpiphdr *ti;
{
struct sock *s;
struct inode *i;
@@ -189,10 +189,10 @@
}
int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
+ char *dev;
+ int mtu;
+ struct tcpiphdr *ti;
+ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct sock *s, sk;
Modified: trunk/contrib/ipfilter/ipsend/resend.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/resend.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/resend.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/resend.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* resend.c (C) 1995-1998 Darren Reed
@@ -8,15 +8,12 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
@@ -25,7 +22,7 @@
#ifndef linux
# include <netinet/ip_var.h>
# include <netinet/if_ether.h>
-# if __FreeBSD_version >= 300000 || defined(__MidnightBSD__)
+# if __FreeBSD_version >= 300000
# include <net/if_var.h>
# endif
#endif
@@ -38,12 +35,11 @@
extern int opts;
-static u_char pbuf[65536]; /* 1 big packet */
-void printpacket __P((ip_t *));
+void dumppacket __P((ip_t *));
-void printpacket(ip)
-ip_t *ip;
+void dumppacket(ip)
+ ip_t *ip;
{
tcphdr_t *t;
int i, j;
@@ -73,16 +69,17 @@
int ip_resend(dev, mtu, r, gwip, datain)
-char *dev;
-int mtu;
-struct in_addr gwip;
-struct ipread *r;
-char *datain;
+ char *dev;
+ int mtu;
+ struct in_addr gwip;
+ struct ipread *r;
+ char *datain;
{
ether_header_t *eh;
char dhost[6];
ip_t *ip;
int fd, wfd = initdevice(dev, 5), len, i;
+ mb_t mb;
if (wfd == -1)
return -1;
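Review bot: `mb_t mb;` is declared but never initialised before its address is handed to `(*r->r_readip)(&mb, NULL, NULL)` in the `@@ -111,7 +108,7 @@` hunk, so any length or offset field the reader consults in mb_t before filling it is read from indeterminate stack memory; the removed `pbuf` was a zero-initialised static and its capacity was passed explicitly as `sizeof(pbuf)`, a bound the new call no longer states. Add `bzero(&mb, sizeof(mb));` (or `memset`) right after the local declarations so the reader sees a defined structure. Note also that `mb` now lives in ip_resend's stack frame; if mb_buf is an inline buffer of the size pbuf had (64 KiB), that is a large frame — confirm against the mb_t definition. ip_resend's body continues past this hunk.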
@@ -95,7 +92,7 @@
if (fd < 0)
exit(-1);
- ip = (struct ip *)pbuf;
+ ip = (struct ip *)mb.mb_buf;
eh = (ether_header_t *)malloc(sizeof(*eh));
if(!eh)
{
@@ -111,7 +108,7 @@
return -2;
}
- while ((i = (*r->r_readip)((char *)pbuf, sizeof(pbuf), NULL, NULL)) > 0)
+ while ((i = (*r->r_readip)(&mb, NULL, NULL)) > 0)
{
if (!(opts & OPT_RAW)) {
len = ntohs(ip->ip_len);
@@ -131,9 +128,9 @@
IP_HL(ip) << 2);
bcopy(ip, (char *)(eh + 1), len);
len += sizeof(*eh);
- printpacket(ip);
+ dumppacket(ip);
} else {
- eh = (ether_header_t *)pbuf;
+ eh = (ether_header_t *)mb.mb_buf;
len = i;
}
Modified: trunk/contrib/ipfilter/ipsend/sbpf.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/sbpf.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/sbpf.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/sbpf.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
@@ -15,7 +15,7 @@
#if BSD < 199103
#include <sys/fcntlcom.h>
#endif
-#if (__FreeBSD_version >= 300000) || defined(__MidnightBSD__)
+#if (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
#else
# include <sys/dir.h>
@@ -26,7 +26,8 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#include <netinet/ip_var.h>
+#include <netinet/udp.h>
+#include <netinet/tcp.h>
#include <stdio.h>
#include <netdb.h>
@@ -44,7 +45,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sbpf.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
/*
@@ -55,8 +56,8 @@
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct bpf_version bv;
struct timeval to;
@@ -139,9 +140,9 @@
* output an IP packet onto a fd opened for /dev/bpf
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
+ int fd, len;
+ char *pkt;
+{
if (write(fd, pkt, len) == -1)
{
perror("send");
Modified: trunk/contrib/ipfilter/ipsend/sdlpi.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/sdlpi.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/sdlpi.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/sdlpi.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -27,7 +27,6 @@
#endif
#ifdef __osf__
# include <sys/dlpihdr.h>
-# include "radix_ipf_local.h"
#else
# include <sys/dlpi.h>
#endif
@@ -49,7 +48,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sdlpi.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#define CHUNKSIZE 8192
@@ -61,8 +60,8 @@
* interface are included in the header size.
*/
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
char devname[16], *s, buf[256];
int i, fd;
@@ -136,9 +135,9 @@
* output an IP packet onto a fd opened for /dev/nit
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
+ int fd, len;
+ char *pkt;
+{
struct strbuf dbuf, *dp = &dbuf, *cp = NULL;
int pri = 0;
#ifdef DL_HP_RAWDLS
Modified: trunk/contrib/ipfilter/ipsend/sirix.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/sirix.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/sirix.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/sirix.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed.
@@ -60,7 +60,7 @@
* output an IP packet
*/
int sendip(int fd, char *pkt, int len)
-{
+{
struct sockaddr_raw sr;
int srlen = sizeof(sr);
struct ifreq ifr;
Modified: trunk/contrib/ipfilter/ipsend/slinux.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/slinux.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/slinux.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/slinux.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -30,7 +30,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
-static const char rcsid[] = "@(#)$Id: slinux.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#define CHUNKSIZE 8192
@@ -46,8 +46,8 @@
int initdevice(dev, spare)
-char *dev;
-int spare;
+ char *dev;
+ int spare;
{
int fd;
@@ -66,8 +66,8 @@
* output an IP packet onto a fd opened for /dev/nit
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
+ int fd, len;
+ char *pkt;
{
struct sockaddr s;
struct ifreq ifr;
Modified: trunk/contrib/ipfilter/ipsend/snit.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/snit.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/snit.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/snit.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -41,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: snit.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#define CHUNKSIZE 8192
@@ -58,8 +58,8 @@
int initdevice(device, tout)
-char *device;
-int tout;
+ char *device;
+ int tout;
{
struct strioctl si;
struct timeval to;
@@ -115,9 +115,9 @@
* output an IP packet onto a fd opened for /dev/nit
*/
int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
+ int fd, len;
+ char *pkt;
+{
struct sockaddr sk, *sa = &sk;
struct strbuf cbuf, *cp = &cbuf, dbuf, *dp = &dbuf;
Modified: trunk/contrib/ipfilter/ipsend/sock.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/sock.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/sock.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/sock.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* sock.c (C) 1995-1998 Darren Reed
*
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -24,15 +24,14 @@
#ifndef ultrix
#include <fcntl.h>
#endif
-#if (__FreeBSD_version >= 300000) || defined(__MidnightBSD__)
+#if (__FreeBSD_version >= 300000)
# include <sys/dirent.h>
#else
# include <sys/dir.h>
#endif
#if !defined(__osf__)
-# ifdef __NetBSD__
+# ifdef __NetBSD__
# include <machine/lock.h>
-# include <machine/mutex.h>
# endif
# ifdef __FreeBSD__
# define _WANT_FILE
@@ -75,9 +74,6 @@
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
-#if defined(__FreeBSD__) || defined(__MidnightBSD__)
-# include "radix_ipf.h"
-#endif
#ifndef __osf__
# include <net/route.h>
#endif
@@ -123,9 +119,9 @@
int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
+ char *buf;
+ void *pos;
+ int n;
{
static int kfd = -1;
off_t offset = (u_long)pos;
@@ -203,8 +199,8 @@
struct tcpcb *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
+ int fd;
+ struct tcpiphdr *ti;
{
struct tcpcb *t;
struct inpcb *i;
@@ -294,8 +290,8 @@
struct tcpcb *find_tcp(tfd, ti)
-int tfd;
-struct tcpiphdr *ti;
+ int tfd;
+ struct tcpiphdr *ti;
{
struct tcpcb *t;
struct inpcb *i;
@@ -310,8 +306,7 @@
fd = (struct filedesc *)malloc(sizeof(*fd));
if (fd == NULL)
return NULL;
-#if defined(__MidnightBSD__) || \
- defined( __FreeBSD_version) && __FreeBSD_version >= 500013
+#if defined( __FreeBSD_version) && __FreeBSD_version >= 500013
if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx) failed\n",
@@ -391,10 +386,10 @@
#endif /* BSD < 199301 */
int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
+ char *dev;
+ int mtu;
+ struct tcpiphdr *ti;
+ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct tcpcb *t, tcb;
Modified: trunk/contrib/ipfilter/ipsend/sockraw.c
===================================================================
--- trunk/contrib/ipfilter/ipsend/sockraw.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipsend/sockraw.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipsend/sockraw.c 145519 2005-04-25 18:20:15Z darrenr $ */
/*
* (C)opyright 2000 Darren Reed.
Modified: trunk/contrib/ipfilter/ipt.h
===================================================================
--- trunk/contrib/ipfilter/ipt.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/ipt.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/ipt.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipt.h,v 1.2 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
#ifndef __IPT_H__
@@ -26,15 +26,12 @@
struct ipread {
int (*r_open) __P((char *));
int (*r_close) __P((void));
- int (*r_readip) __P((char *, int, char **, int *));
+ int (*r_readip) __P((mb_t *, char **, int *));
int r_flags;
};
#define R_DO_CKSUM 0x01
-extern void debug __P((char *, ...));
-extern void verbose __P((char *, ...));
-
#ifdef P_DEF
# undef __P
# undef P_DEF
Modified: trunk/contrib/ipfilter/kmem.h
===================================================================
--- trunk/contrib/ipfilter/kmem.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/kmem.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,10 +1,10 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/kmem.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 1.2 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
#ifndef __KMEM_H__
Modified: trunk/contrib/ipfilter/l4check/Makefile
===================================================================
--- trunk/contrib/ipfilter/l4check/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/l4check/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -4,7 +4,7 @@
all: l4check
l4check: l4check.c
- $(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@
+ $(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@
clean:
/bin/rm -f l4check
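Review bot: Dropping `-Wall` from the l4check compile line removes the only warning flags this rule had, at the same time as the l4check.c changes in this commit add new locals to writefd and gethostport that may be unused and that `-Wall` would report. Keep it on the line: `$(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@`.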
Modified: trunk/contrib/ipfilter/l4check/l4check.c
===================================================================
--- trunk/contrib/ipfilter/l4check/l4check.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/l4check/l4check.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/l4check/l4check.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * (C)Copyright March, 2000 - Darren Reed.
+ * (C)Copyright (C) 2012 by Darren Reed.
*/
#include <sys/types.h>
#include <sys/stat.h>
@@ -27,7 +27,6 @@
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
-#include "ipl.h"
#include "ipf.h"
@@ -68,7 +67,7 @@
char *copystr(dst, src)
-char *dst, *src;
+ char *dst, *src;
{
register char *s, *t, c;
register int esc = 0;
@@ -97,23 +96,15 @@
}
void addnat(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
-
ipnat_t *ipn = &l4->l4_nat;
- printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4),
+ printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]),
ipn->in_outmsk, ntohs(ipn->in_pmin));
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext));
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext));
if (!(opts & OPT_DONOTHING)) {
- ipfobj_t obj;
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipn);
- obj.ipfo_ptr = ipn;
-
- if (ioctl(natfd, SIOCADNAT, &obj) == -1)
+ if (ioctl(natfd, SIOCADNAT, &ipn) == -1)
perror("ioctl(SIOCADNAT)");
}
}
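Review bot: `ioctl(natfd, SIOCADNAT, &ipn)` now passes the address of the local `ipnat_t *` (an `ipnat_t **`) straight to the kernel with no size or revision information, whereas the removed code wrapped the rule in an `ipfobj_t` carrying `ipfo_rev`/`ipfo_size`, which is what the ipfobj-based ioctl interface validates against. If the kernel in this tree still implements SIOCADNAT through `ipfobj_t`, this call will be rejected for every rule; the same applies to `SIOCRMNAT` in delnat in the next hunk, whose `&ipn` line was already in place. Confirm which ioctl ABI this tree's `ip_nat.h` exposes before merging, or keep the `ipfobj_t` wrapper. The `.in4` member accesses removed from the `inet_ntoa` calls here, in delnat and in readconfig likewise depend on `in_out`/`in_in` being plain `struct in_addr` in this tree's `ipnat_t` — verify, since the removed side compiled against a union.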
@@ -120,21 +111,14 @@
void delnat(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
ipnat_t *ipn = &l4->l4_nat;
printf("Remove NAT rule for %s/%#x,%u -> ",
- inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin);
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext);
+ inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin);
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext);
if (!(opts & OPT_DONOTHING)) {
- ipfobj_t obj;
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipn);
- obj.ipfo_ptr = ipn;
-
if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
perror("ioctl(SIOCRMNAT)");
}
@@ -142,7 +126,7 @@
void connectl4(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
l4->l4_rw = 1;
l4->l4_rlen = 0;
@@ -156,8 +140,8 @@
void closel4(l4, dead)
-l4cfg_t *l4;
-int dead;
+ l4cfg_t *l4;
+ int dead;
{
close(l4->l4_fd);
l4->l4_fd = -1;
@@ -170,7 +154,7 @@
void connectfd(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
if (connect(l4->l4_fd, (struct sockaddr *)&l4->l4_sin,
sizeof(l4->l4_sin)) == -1) {
@@ -192,8 +176,9 @@
void writefd(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
+ char buf[80], *ptr;
int n, i, fd;
fd = l4->l4_fd;
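Review bot: The added `char buf[80], *ptr;` in writefd duplicates the declarations readfd has at its top (next hunk); if writefd's body, which continues outside this hunk, does not use them they are dead locals that `-Wall` would have flagged, and the l4check Makefile hunk in this same commit removes `-Wall`. Either drop the line or keep `-Wall` so the compiler reports it. The same question applies to `struct in_addr ip;` added to gethostport in the `@@ -417,14 +402,15 @@` hunk.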
@@ -223,7 +208,7 @@
void readfd(l4)
-l4cfg_t *l4;
+ l4cfg_t *l4;
{
char buf[80], *ptr;
int n, i, fd;
@@ -417,14 +402,15 @@
int gethostport(str, lnum, ipp, portp)
-char *str;
-int lnum;
-u_32_t *ipp;
-u_short *portp;
+ char *str;
+ int lnum;
+ u_32_t *ipp;
+ u_short *portp;
{
struct servent *sp;
struct hostent *hp;
char *host, *port;
+ struct in_addr ip;
host = str;
port = strchr(host, ',');
@@ -467,8 +453,8 @@
char *mapfile(file, sizep)
-char *file;
-size_t *sizep;
+ char *file;
+ size_t *sizep;
{
struct stat sb;
caddr_t addr;
@@ -499,7 +485,7 @@
int readconfig(filename)
-char *filename;
+ char *filename;
{
char c, buf[512], *s, *t, *errtxt = NULL, *line;
int num, err = 0;
@@ -569,8 +555,7 @@
break;
}
- strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);
- strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ);
+ strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));
if (!gethostport(t, num, &ipn->in_outip,
&ipn->in_pmin)) {
errtxt = line;
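Review bot: `strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));` leaves `in_ifname` without a terminating NUL when the interface name read from the config file is as long as or longer than the field, and the `fprintf("%s")` of `ipn->in_ifname` and the `!*ipn->in_ifname` check in the next hunk then operate on an unterminated string. Use `strlcpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));` (available on every BSD this builds on) or reject the line when `strlen(s) >= sizeof(ipn->in_ifname)` so the config error is reported instead of silently truncated. readconfig's body continues outside this hunk.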
@@ -582,11 +567,11 @@
if (opts & OPT_VERBOSE)
fprintf(stderr,
"Interface %s %s/%#x port %u\n",
- ipn->in_ifnames[0],
- inet_ntoa(ipn->in_out[0].in4),
+ ipn->in_ifname,
+ inet_ntoa(ipn->in_out[0]),
ipn->in_outmsk, ipn->in_pmin);
} else if (!strcasecmp(t, "remote")) {
- if (!*ipn->in_ifnames[0]) {
+ if (!*ipn->in_ifname) {
fprintf(stderr,
"%d: ifname not set prior to remote\n",
num);
@@ -621,7 +606,7 @@
break;
}
bcopy((char *)&template, (char *)l4, sizeof(*l4));
- l4->l4_sin.sin_addr = ipn->in_in[0].in4;
+ l4->l4_sin.sin_addr = ipn->in_in[0];
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_next = l4list;
l4list = l4;
@@ -768,7 +753,7 @@
void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "Usage: %s -f <configfile>\n", prog);
exit(1);
@@ -776,8 +761,8 @@
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
char *config = NULL;
int c;
@@ -808,7 +793,7 @@
}
if (!(opts & OPT_DONOTHING)) {
- natfd = open(IPNAT_NAME, O_RDWR);
+ natfd = open(IPL_NAT, O_RDWR);
if (natfd == -1) {
perror("open(IPL_NAT)");
exit(1);
@@ -819,6 +804,4 @@
fprintf(stderr, "Starting...\n");
while (runconfig() == 0)
;
-
- exit(1);
}
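Review bot: Removing the trailing `exit(1);` changes main's exit status: the loop only ends when `runconfig()` returns non-zero, i.e. on failure, and control now falls off the end of `main`, which under C99 yields status 0, so a failed run reports success to whatever launched it (rc scripts, a supervisor). Keep an explicit failure status after the loop, `return 1;` (or the original `exit(1);`). main's body begins outside this hunk.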
Modified: trunk/contrib/ipfilter/lib/Makefile
===================================================================
--- trunk/contrib/ipfilter/lib/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,10 +1,10 @@
#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-# $Id: Makefile,v 1.1.1.2 2008-11-22 14:33:09 laffer1 Exp $
-#
+# Copyright (C) 2012 by Darren Reed.
+#
+# See the IPFILTER.LICENCE file for details on licencing.
+#
+# $Id$
+#
INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
LIBOBJS=$(DEST)/addicmp.o \
@@ -11,17 +11,27 @@
$(DEST)/addipopt.o \
$(DEST)/alist_free.o \
$(DEST)/alist_new.o \
+ $(DEST)/allocmbt.o \
+ $(DEST)/assigndefined.o \
$(DEST)/bcopywrap.o \
$(DEST)/binprint.o \
$(DEST)/buildopts.o \
$(DEST)/checkrev.o \
+ $(DEST)/connecttcp.o \
$(DEST)/count6bits.o \
$(DEST)/count4bits.o \
$(DEST)/debug.o \
+ $(DEST)/dupmbt.o \
+ $(DEST)/familyname.o \
$(DEST)/facpri.o \
+ $(DEST)/fill6bits.o \
+ $(DEST)/findword.o \
$(DEST)/flags.o \
- $(DEST)/fill6bits.o \
+ $(DEST)/freembt.o \
+ $(DEST)/ftov.o \
+ $(DEST)/genmask.o \
$(DEST)/gethost.o \
+ $(DEST)/geticmptype.o \
$(DEST)/getifname.o \
$(DEST)/getnattype.o \
$(DEST)/getport.o \
@@ -30,21 +40,23 @@
$(DEST)/getsumd.o \
$(DEST)/hostname.o \
$(DEST)/icmpcode.o \
- $(DEST)/inet_addr.o \
+ $(DEST)/icmptypename.o \
+ $(DEST)/icmptypes.o \
$(DEST)/initparse.o \
+ $(DEST)/interror.o \
$(DEST)/ionames.o \
- $(DEST)/ipoptsec.o \
$(DEST)/ipf_dotuning.o \
- $(DEST)/ipft_ef.o \
+ $(DEST)/ipf_perror.o \
$(DEST)/ipft_hx.o \
$(DEST)/ipft_pc.o \
- $(DEST)/ipft_sn.o \
- $(DEST)/ipft_td.o \
$(DEST)/ipft_tx.o \
+ $(DEST)/ipoptsec.o \
$(DEST)/kmem.o \
$(DEST)/kmemcpywrap.o \
$(DEST)/kvatoname.o \
$(DEST)/load_file.o \
+ $(DEST)/load_dstlist.o \
+ $(DEST)/load_dstlistnode.o \
$(DEST)/load_hash.o \
$(DEST)/load_hashnode.o \
$(DEST)/load_http.o \
@@ -51,6 +63,7 @@
$(DEST)/load_pool.o \
$(DEST)/load_poolnode.o \
$(DEST)/load_url.o \
+ $(DEST)/msgdsize.o \
$(DEST)/mutex_emul.o \
$(DEST)/nametokva.o \
$(DEST)/nat_setgroupmap.o \
@@ -59,36 +72,58 @@
$(DEST)/optprint.o \
$(DEST)/optprintv6.o \
$(DEST)/optvalue.o \
+ $(DEST)/parsefields.o \
+ $(DEST)/parseipfexpr.o \
+ $(DEST)/parsewhoisline.o \
+ $(DEST)/poolio.o \
$(DEST)/portname.o \
$(DEST)/print_toif.o \
+ $(DEST)/printactiveaddr.o \
$(DEST)/printactivenat.o \
+ $(DEST)/printaddr.o \
$(DEST)/printaps.o \
$(DEST)/printbuf.o \
+ $(DEST)/printdstlist.o \
+ $(DEST)/printdstlistdata.o \
+ $(DEST)/printdstlistnode.o \
+ $(DEST)/printdstlistpolicy.o \
+ $(DEST)/printdstl_live.o \
+ $(DEST)/printfieldhdr.o \
+ $(DEST)/printfr.o \
+ $(DEST)/printfraginfo.o \
$(DEST)/printhash.o \
$(DEST)/printhashdata.o \
$(DEST)/printhashnode.o \
$(DEST)/printhash_live.o \
+ $(DEST)/printhost.o \
+ $(DEST)/printhostmap.o \
+ $(DEST)/printhostmask.o \
+ $(DEST)/printifname.o \
$(DEST)/printip.o \
+ $(DEST)/printipfexpr.o \
+ $(DEST)/printlog.o \
+ $(DEST)/printlookup.o \
+ $(DEST)/printmask.o \
+ $(DEST)/printnat.o \
+ $(DEST)/printnataddr.o \
+ $(DEST)/printnatfield.o \
+ $(DEST)/printnatside.o \
$(DEST)/printpool.o \
$(DEST)/printpooldata.o \
+ $(DEST)/printpoolfield.o \
$(DEST)/printpoolnode.o \
$(DEST)/printpool_live.o \
$(DEST)/printproto.o \
- $(DEST)/printfr.o \
- $(DEST)/printfraginfo.o \
- $(DEST)/printhostmap.o \
- $(DEST)/printifname.o \
- $(DEST)/printhostmask.o \
- $(DEST)/printlog.o \
- $(DEST)/printmask.o \
- $(DEST)/printnat.o \
$(DEST)/printportcmp.o \
$(DEST)/printpacket.o \
$(DEST)/printpacket6.o \
$(DEST)/printsbuf.o \
$(DEST)/printstate.o \
+ $(DEST)/printstatefields.o \
+ $(DEST)/printtcpflags.o \
$(DEST)/printtqtable.o \
$(DEST)/printtunable.o \
+ $(DEST)/printunit.o \
$(DEST)/remove_hash.o \
$(DEST)/remove_hashnode.o \
$(DEST)/remove_pool.o \
@@ -95,10 +130,16 @@
$(DEST)/remove_poolnode.o \
$(DEST)/resetlexer.o \
$(DEST)/rwlock_emul.o \
+ $(DEST)/save_execute.o \
+ $(DEST)/save_file.o \
+ $(DEST)/save_nothing.o \
+ $(DEST)/save_syslog.o \
+ $(DEST)/save_v1trap.o \
+ $(DEST)/save_v2trap.o \
$(DEST)/tcpflags.o \
- $(DEST)/tcp_flags.o \
$(DEST)/var.o \
$(DEST)/verbose.o \
+ $(DEST)/vtof.o \
$(DEST)/v6ionames.o \
$(DEST)/v6optvalue.o
@@ -115,6 +156,10 @@
$(CC) $(CCARGS) -c $(LIBSRC)/alist_free.c -o $@
$(DEST)/alist_new.o: $(LIBSRC)/alist_new.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/alist_new.c -o $@
+$(DEST)/allocmbt.o: $(LIBSRC)/allocmbt.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/allocmbt.c -o $@
+$(DEST)/assigndefined.o: $(LIBSRC)/assigndefined.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/assigndefined.c -o $@
$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)
@@ -121,6 +166,8 @@
$(CC) $(CCARGS) -c $(LIBSRC)/binprint.c -o $@
$(DEST)/buildopts.o: $(LIBSRC)/buildopts.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/buildopts.c -o $@
+$(DEST)/connecttcp.o: $(LIBSRC)/connecttcp.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/connecttcp.c -o $@
$(DEST)/count6bits.o: $(LIBSRC)/count6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/count6bits.c -o $@
$(DEST)/checkrev.o: $(LIBSRC)/checkrev.c $(INCDEP) $(TOP)/ipl.h
@@ -129,17 +176,31 @@
$(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@
$(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@
+$(DEST)/dupmbt.o: $(LIBSRC)/dupmbt.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/dupmbt.c -o $@
$(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@
+$(DEST)/familyname.o: $(LIBSRC)/familyname.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/familyname.c -o $@
$(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
+$(DEST)/findword.o: $(LIBSRC)/findword.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/findword.c -o $@
$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
+$(DEST)/freembt.o: $(LIBSRC)/freembt.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/freembt.c -o $@
+$(DEST)/ftov.o: $(LIBSRC)/ftov.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/ftov.c -o $@
+$(DEST)/genmask.o: $(LIBSRC)/genmask.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/genmask.c -o $@
$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
+$(DEST)/geticmptype.o: $(LIBSRC)/geticmptype.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/geticmptype.c -o $@
$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getifname.c -o $@
-$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP)
+$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP) $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/getnattype.c -o $@
$(DEST)/getport.o: $(LIBSRC)/getport.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getport.c -o $@
@@ -153,10 +214,14 @@
$(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@
$(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@
+$(DEST)/icmptypename.o: $(LIBSRC)/icmptypename.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/icmptypename.c -o $@
+$(DEST)/icmptypes.o: $(LIBSRC)/icmptypes.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/icmptypes.c -o $@
+$(DEST)/interror.o: $(LIBSRC)/interror.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/interror.c -o $@
$(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipoptsec.c -o $@
-$(DEST)/inet_addr.o: $(LIBSRC)/inet_addr.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/inet_addr.c -o $@
$(DEST)/initparse.o: $(LIBSRC)/initparse.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/initparse.c -o $@
$(DEST)/ionames.o: $(LIBSRC)/ionames.c $(INCDEP)
@@ -163,16 +228,12 @@
$(CC) $(CCARGS) -c $(LIBSRC)/ionames.c -o $@
$(DEST)/ipf_dotuning.o: $(LIBSRC)/ipf_dotuning.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipf_dotuning.c -o $@
-$(DEST)/ipft_ef.o: $(LIBSRC)/ipft_ef.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_ef.c -o $@
+$(DEST)/ipf_perror.o: $(LIBSRC)/ipf_perror.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/ipf_perror.c -o $@
$(DEST)/ipft_hx.o: $(LIBSRC)/ipft_hx.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_hx.c -o $@
$(DEST)/ipft_pc.o: $(LIBSRC)/ipft_pc.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_pc.c -o $@
-$(DEST)/ipft_sn.o: $(LIBSRC)/ipft_sn.c $(TOP)/snoop.h
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_sn.c -o $@
-$(DEST)/ipft_td.o: $(LIBSRC)/ipft_td.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_td.c -o $@
$(DEST)/ipft_tx.o: $(LIBSRC)/ipft_tx.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_tx.c -o $@
$(DEST)/kmem.o: $(LIBSRC)/kmem.c $(INCDEP)
@@ -183,6 +244,11 @@
$(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@
$(DEST)/load_file.o: $(LIBSRC)/load_file.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_file.c -o $@
+$(DEST)/load_dstlist.o: $(LIBSRC)/load_dstlist.c $(INCDEP) $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/load_dstlist.c -o $@
+$(DEST)/load_dstlistnode.o: $(LIBSRC)/load_dstlistnode.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/load_dstlistnode.c -o $@
$(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@
$(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h
@@ -195,8 +261,8 @@
$(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@
$(DEST)/load_url.o: $(LIBSRC)/load_url.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/load_url.c -o $@
-$(DEST)/make_range.o: $(LIBSRC)/make_range.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/make_range.c -o $@
+$(DEST)/msgdsize.o: $(LIBSRC)/msgdsize.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/msgdsize.c -o $@
$(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/mutex_emul.c -o $@
$(DEST)/nametokva.o: $(LIBSRC)/nametokva.c $(INCDEP)
@@ -214,35 +280,78 @@
$(CC) $(CCARGS) -c $(LIBSRC)/optprintv6.c -o $@
$(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
+$(DEST)/parsefields.o: $(LIBSRC)/parsefields.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/parsefields.c -o $@
+$(DEST)/parseipfexpr.o: $(LIBSRC)/parseipfexpr.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/parseipfexpr.c -o $@
+$(DEST)/parsewhoisline.o: $(LIBSRC)/parsewhoisline.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/parsewhoisline.c -o $@
+$(DEST)/poolio.o: $(LIBSRC)/poolio.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/poolio.c -o $@
$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
-$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
+$(DEST)/printactiveaddr.o: $(LIBSRC)/printactiveaddr.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printactiveaddr.c -o $@
+$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP) $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/printactivenat.c -o $@
+$(DEST)/printaddr.o: $(LIBSRC)/printaddr.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printaddr.c -o $@
$(DEST)/printaps.o: $(LIBSRC)/printaps.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printaps.c -o $@
$(DEST)/printbuf.o: $(LIBSRC)/printbuf.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printbuf.c -o $@
+$(DEST)/printdstlist.o: $(LIBSRC)/printdstlist.c $(INCDEP) $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlist.c -o $@
+$(DEST)/printdstlistdata.o: $(LIBSRC)/printdstlistdata.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistdata.c -o $@
+$(DEST)/printdstlistnode.o: $(LIBSRC)/printdstlistnode.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistnode.c -o $@
+$(DEST)/printdstlistpolicy.o: $(LIBSRC)/printdstlistpolicy.c $(INCDEP) \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistpolicy.c -o $@
+$(DEST)/printfieldhdr.o: $(LIBSRC)/printfieldhdr.c $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printfieldhdr.c -o $@
$(DEST)/printfr.o: $(LIBSRC)/printfr.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfr.c -o $@
-$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h
+$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_frag.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@
$(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@
-$(DEST)/printhashdata.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
+$(DEST)/printhashdata.o: $(LIBSRC)/printhashdata.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashdata.c -o $@
$(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@
-$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
+$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash_live.c -o $@
+$(DEST)/printdstl_live.o: $(LIBSRC)/printdstl_live.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_dstlist.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printdstl_live.c -o $@
$(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@
+$(DEST)/printipfexpr.o: $(LIBSRC)/printipfexpr.c $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printipfexpr.c -o $@
+$(DEST)/printlookup.o: $(LIBSRC)/printlookup.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printlookup.c -o $@
+$(DEST)/printnataddr.o: $(LIBSRC)/printnataddr.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printnataddr.c -o $@
+$(DEST)/printnatside.o: $(LIBSRC)/printnatside.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printnatside.c -o $@
$(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@
-$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
+$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpooldata.c -o $@
+$(DEST)/printpoolfield.o: $(LIBSRC)/printpoolfield.c $(TOP)/ip_fil.h \
+ $(TOP)/ip_pool.h $(TOP)/ip_lookup.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printpoolfield.c -o $@
$(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@
@@ -251,6 +360,8 @@
$(CC) $(CCARGS) -c $(LIBSRC)/printpool_live.c -o $@
$(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@
+$(DEST)/printhost.o: $(LIBSRC)/printhost.c $(TOP)/ip_fil.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printhost.c -o $@
$(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhostmap.c -o $@
$(DEST)/printifname.o: $(LIBSRC)/printifname.c $(INCDEP)
@@ -257,8 +368,10 @@
$(CC) $(CCARGS) -c $(LIBSRC)/printifname.c -o $@
$(DEST)/printmask.o: $(LIBSRC)/printmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printmask.c -o $@
-$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP)
+$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP) $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/printnat.c -o $@
+$(DEST)/printnatfield.o: $(LIBSRC)/printnatfield.c $(INCDEP) $(TOP)/ip_nat.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printnatfield.c -o $@
$(DEST)/printhostmask.o: $(LIBSRC)/printhostmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printhostmask.c -o $@
$(DEST)/printlog.o: $(LIBSRC)/printlog.c $(INCDEP)
@@ -273,10 +386,16 @@
$(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@
$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h
$(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@
+$(DEST)/printstatefields.o: $(LIBSRC)/printstatefields.c $(INCDEP) $(TOP)/ip_state.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/printstatefields.c -o $@
+$(DEST)/printtcpflags.o: $(LIBSRC)/printtcpflags.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printtcpflags.c -o $@
$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@
$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@
+$(DEST)/printunit.o: $(LIBSRC)/printunit.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/printunit.c -o $@
$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@
@@ -301,6 +420,20 @@
$(CC) $(CCARGS) -c $(LIBSRC)/var.c -o $@
$(DEST)/verbose.o: $(LIBSRC)/verbose.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/verbose.c -o $@
+$(DEST)/save_execute.o: $(LIBSRC)/save_execute.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_execute.c -o $@
+$(DEST)/save_file.o: $(LIBSRC)/save_file.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_file.c -o $@
+$(DEST)/save_nothing.o: $(LIBSRC)/save_nothing.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_nothing.c -o $@
+$(DEST)/save_syslog.o: $(LIBSRC)/save_syslog.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_syslog.c -o $@
+$(DEST)/vtof.o: $(LIBSRC)/vtof.c $(INCDEP)
+ $(CC) $(CCARGS) -c $(LIBSRC)/vtof.c -o $@
+$(DEST)/save_v1trap.o: $(LIBSRC)/save_v1trap.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_v1trap.c -o $@
+$(DEST)/save_v2trap.o: $(LIBSRC)/save_v2trap.c $(TOP)/ipl.h
+ $(CC) $(CCARGS) -c $(LIBSRC)/save_v2trap.c -o $@
$(DEST)/v6ionames.o: $(LIBSRC)/v6ionames.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/v6ionames.c -o $@
$(DEST)/v6optvalue.o: $(LIBSRC)/v6optvalue.c $(INCDEP)
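Review bot: The new `save_execute.o` … `save_v2trap.o` rules are inserted between `verbose.o` and `v6ionames.o`, and `vtof.o` sits between `save_syslog.o` and `save_v1trap.o`, so this part of the rule list is no longer alphabetical even though the object list earlier in the file keeps the `save_*` entries together and `vtof.o` after `verbose.o`. Moving the six `save_*` rules up to follow `rwlock_emul.o` and placing `vtof.o` after `verbose.o` would keep the two lists in the same order and make future merges of this vendor file easier to read.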
Modified: trunk/contrib/ipfilter/lib/addicmp.c
===================================================================
--- trunk/contrib/ipfilter/lib/addicmp.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/addicmp.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/addicmp.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: addicmp.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <ctype.h>
Modified: trunk/contrib/ipfilter/lib/addipopt.c
===================================================================
--- trunk/contrib/ipfilter/lib/addipopt.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/addipopt.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/addipopt.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: addipopt.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,10 +12,10 @@
int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
+ char *op;
+ struct ipopt_names *io;
+ int len;
+ char *class;
{
int olen = len;
struct in_addr ipadr;
@@ -41,6 +41,10 @@
lvl = seclevel(class);
*(op - 1) = lvl;
break;
+ case IPOPT_RR :
+ case IPOPT_TS :
+ s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
+ break;
case IPOPT_LSRR :
case IPOPT_SSRR :
ipadr.s_addr = inet_addr(class);
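Review bot: The new `IPOPT_RR`/`IPOPT_TS` case writes only the length byte, `s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;`, and nothing in this hunk initializes the option's pointer byte, which a receiver uses to locate the next free slot in a record-route or timestamp option; if that byte is not set elsewhere in addipopt, an explicit `s[IPOPT_OFFSET] = IPOPT_MINOFF;` next to it, or a comment saying where the pointer is set, would make the option well-formed by construction. `s` is declared outside the hunk, so I could not confirm it points at the option header being built here. addipopt begins and ends outside this hunk.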
@@ -53,12 +57,6 @@
break;
}
}
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
}
if (opts & OPT_DEBUG)
fprintf(stderr, "bo: %s %d %#x: %d\n",
Modified: trunk/contrib/ipfilter/lib/alist_free.c
===================================================================
--- trunk/contrib/ipfilter/lib/alist_free.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/alist_free.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,15 +1,15 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: alist_free.c,v 1.1.1.1 2008-11-22 14:33:09 laffer1 Exp $
+ * $Id: alist_free.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
void
alist_free(hosts)
-alist_t *hosts;
+ alist_t *hosts;
{
alist_t *a, *next;
Modified: trunk/contrib/ipfilter/lib/alist_new.c
===================================================================
--- trunk/contrib/ipfilter/lib/alist_new.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/alist_new.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,21 +1,31 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: alist_new.c,v 1.1.1.1 2008-11-22 14:33:09 laffer1 Exp $
+ * $Id: alist_new.c,v 1.5.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
+#include <ctype.h>
-alist_t *
-alist_new(int v, char *host)
+alist_t *
+alist_new(int family, char *host)
{
int a, b, c, d, bits;
- char *slash;
- alist_t *al;
- u_int mask;
+ char *slash;
+ alist_t *al;
+ u_int mask;
+ if (family == AF_UNSPEC) {
+ if (strchr(host, ':') != NULL)
+ family = AF_INET6;
+ else
+ family = AF_INET;
+ }
+ if (family != AF_INET && family != AF_INET6)
+ return NULL;
+
al = calloc(1, sizeof(*al));
if (al == NULL) {
fprintf(stderr, "alist_new out of memory\n");
@@ -22,7 +32,17 @@
return NULL;
}
- bits = -1;
+ while (ISSPACE(*host))
+ host++;
+
+ if (*host == '!') {
+ al->al_not = 1;
+ host++;
+ while (ISSPACE(*host))
+ host++;
+ }
+
+ bits = -1;
slash = strchr(host, '/');
if (slash != NULL) {
*slash = '\0';
@@ -29,38 +49,45 @@
bits = atoi(slash + 1);
}
- a = b = c = d = -1;
- sscanf(host, "%d.%d.%d.%d", &a, &b, &c, &d);
+ if (family == AF_INET) {
+ if (bits > 32)
+ goto bad;
- if (bits > 0 && bits < 33) {
- mask = 0xffffffff << (32 - bits);
- } else if (b == -1) {
- mask = 0xff000000;
- b = c = d = 0;
- } else if (c == -1) {
- mask = 0xffff0000;
- c = d = 0;
- } else if (d == -1) {
- mask = 0xffffff00;
- d = 0;
+ a = b = c = d = -1;
+ sscanf(host, "%d.%d.%d.%d", &a, &b, &c, &d);
+
+ if (bits > 0 && bits < 33) {
+ mask = 0xffffffff << (32 - bits);
+ } else if (b == -1) {
+ mask = 0xff000000;
+ b = c = d = 0;
+ } else if (c == -1) {
+ mask = 0xffff0000;
+ c = d = 0;
+ } else if (d == -1) {
+ mask = 0xffffff00;
+ d = 0;
+ } else {
+ mask = 0xffffffff;
+ }
+ al->al_mask = htonl(mask);
} else {
- mask = 0xffffffff;
+ if (bits > 128)
+ goto bad;
+ fill6bits(bits, al->al_i6mask.i6);
}
- if (*host == '!') {
- al->al_not = 1;
- host++;
- }
-
- if (gethost(host, &al->al_addr) == -1) {
+ if (gethost(family, host, &al->al_i6addr) == -1) {
if (slash != NULL)
*slash = '/';
fprintf(stderr, "Cannot parse hostname\n");
- free(al);
- return NULL;
+ goto bad;
}
- al->al_mask = htonl(mask);
+ al->al_family = family;
if (slash != NULL)
*slash = '/';
return al;
+bad:
+ free(al);
+ return NULL;
}
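Review bot: The two new early exits `if (bits > 32) goto bad;` and `if (bits > 128) goto bad;` jump to `bad:` after `*slash = '\0'` has already been written into the caller's string, and unlike the gethost() failure path they never restore the '/', so a rejected prefix length leaves the caller's `host` silently truncated. Restoring the separator at the label fixes all three paths at once: `bad:` followed by `if (slash != NULL) *slash = '/';` and then the existing `free(al); return NULL;`, with the now-redundant restore before `goto bad` in the gethost branch removed. Separately, `bits` comes from `atoi(slash + 1)` in the previous hunk, so a non-numeric or negative suffix is not rejected by these checks but treated as "no prefix"; `strtol` with an end-pointer check would let the new range checks reject it. alist_new begins outside this hunk.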
Modified: trunk/contrib/ipfilter/lib/bcopywrap.c
===================================================================
--- trunk/contrib/ipfilter/lib/bcopywrap.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/bcopywrap.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,18 +1,18 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/bcopywrap.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: bcopywrap.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ *
+ * $Id$
+ */
#include "ipf.h"
int bcopywrap(from, to, size)
-void *from, *to;
-size_t size;
+ void *from, *to;
+ size_t size;
{
bcopy((caddr_t)from, (caddr_t)to, size);
return 0;
Modified: trunk/contrib/ipfilter/lib/binprint.c
===================================================================
--- trunk/contrib/ipfilter/lib/binprint.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/binprint.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/binprint.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: binprint.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,8 +12,8 @@
void binprint(ptr, size)
-void *ptr;
-size_t size;
+ void *ptr;
+ size_t size;
{
u_char *s;
int i, j;
Modified: trunk/contrib/ipfilter/lib/buildopts.c
===================================================================
--- trunk/contrib/ipfilter/lib/buildopts.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/buildopts.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/buildopts.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: buildopts.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,8 +12,8 @@
u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
+ char *cp, *op;
+ int len;
{
struct ipopt_names *io;
u_32_t msk = 0;
@@ -23,6 +23,8 @@
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
if ((t = strchr(s, '=')))
*t++ = '\0';
+ else
+ t = "";
for (io = ionames; io->on_name; io++) {
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
continue;
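Review bot: `t = "";` makes `t` point at a string literal while its type (and addipopt's `class` parameter, which receives it) is a non-const `char *`, so nothing stops a later write through it, which would be undefined behaviour. A comment such as `/* literal: read-only, addipopt must not modify class */`, or a file-scope `static char empty[] = "";` passed instead, would make the contract explicit. buildopts begins outside this hunk.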
@@ -38,6 +40,10 @@
return 0;
}
}
+ while ((len & 3) != 3) {
+ *op++ = IPOPT_NOP;
+ len++;
+ }
*op++ = IPOPT_EOL;
len++;
return len;
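Review bot: The new padding loop writes up to three `IPOPT_NOP` bytes through `op`, and the existing `IPOPT_EOL` store follows it, but buildopts has no capacity parameter and nothing here checks that `op` has room for `len` rounded up to the next multiple of four plus one; the caller is trusted to have sized the buffer for the padded length. Since this function builds option bytes from a user-supplied rule string, a comment stating that requirement, `/* caller must provide room for len rounded up to 4, plus the EOL byte */`, or a size argument in a later cleanup, would make the bound visible. buildopts begins outside this hunk.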
Modified: trunk/contrib/ipfilter/lib/checkrev.c
===================================================================
--- trunk/contrib/ipfilter/lib/checkrev.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/checkrev.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/checkrev.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: checkrev.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <sys/ioctl.h>
@@ -15,17 +15,17 @@
#include "netinet/ipl.h"
int checkrev(ipfname)
-char *ipfname;
+ char *ipfname;
{
static int vfd = -1;
- struct friostat fio, *fiop = &fio;
- ipfobj_t ipfo;
+ struct friostat fio;
+ ipfobj_t obj;
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_size = sizeof(*fiop);
- ipfo.ipfo_ptr = (void *)fiop;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
+ bzero((caddr_t)&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(fio);
+ obj.ipfo_ptr = (void *)&fio;
+ obj.ipfo_type = IPFOBJ_IPFSTAT;
if ((vfd == -1) && ((vfd = open(ipfname, O_RDONLY)) == -1)) {
perror("open device");
@@ -32,8 +32,8 @@
return -1;
}
- if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
+ if (ioctl(vfd, SIOCGETFS, &obj)) {
+ ipferror(vfd, "ioctl(SIOCGETFS)");
close(vfd);
vfd = -1;
return -1;
Modified: trunk/contrib/ipfilter/lib/count4bits.c
===================================================================
--- trunk/contrib/ipfilter/lib/count4bits.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/count4bits.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/count4bits.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: count4bits.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -17,7 +17,7 @@
* of bits.
*/
int count4bits(ip)
-u_int ip;
+ u_int ip;
{
int cnt = 0, i, j;
u_int ipn;
Modified: trunk/contrib/ipfilter/lib/count6bits.c
===================================================================
--- trunk/contrib/ipfilter/lib/count6bits.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/count6bits.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/count6bits.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: count6bits.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,7 +12,7 @@
int count6bits(msk)
-u_32_t *msk;
+ u_32_t *msk;
{
int i = 0, k;
u_32_t j;
Modified: trunk/contrib/ipfilter/lib/debug.c
===================================================================
--- trunk/contrib/ipfilter/lib/debug.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/debug.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/debug.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: debug.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#if defined(__STDC__)
@@ -15,16 +15,19 @@
#endif
#include <stdio.h>
-#include "ipt.h"
+#include "ipf.h"
#include "opts.h"
+int debuglevel = 0;
+
#ifdef __STDC__
-void debug(char *fmt, ...)
+void debug(int level, char *fmt, ...)
#else
-void debug(fmt, va_alist)
-char *fmt;
-va_dcl
+void debug(level, fmt, va_alist)
+ int level;
+ char *fmt;
+ va_dcl
#endif
{
va_list pvar;
@@ -31,7 +34,25 @@
va_start(pvar, fmt);
+ if ((debuglevel > 0) && (level <= debuglevel))
+ vfprintf(stderr, fmt, pvar);
+ va_end(pvar);
+}
+
+
+#ifdef __STDC__
+void ipfkdebug(char *fmt, ...)
+#else
+void ipfkdebug(fmt, va_alist)
+ char *fmt;
+ va_dcl
+#endif
+{
+ va_list pvar;
+
+ va_start(pvar, fmt);
+
if (opts & OPT_DEBUG)
- vprintf(fmt, pvar);
+ debug(0x1fffffff, fmt, pvar);
va_end(pvar);
}
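Review bot: `debug(0x1fffffff, fmt, pvar);` in the new ipfkdebug forwards a `va_list` as a single variadic argument to a `...` function; debug() then calls `va_start` on its own parameters and hands `vfprintf` an argument list that contains only the `va_list` object, so the caller's real arguments are never seen and the result is undefined behaviour. The level 0x1fffffff also means the message prints only when `debuglevel` is at least that large, which looks unintended. The fix is a `va_list`-taking helper that debug() and ipfkdebug both call, as sketched below; the `#ifdef __STDC__` prologue of both functions is unchanged. debug()'s body begins outside this hunk.
```c
/* … unchanged: debuglevel definition and debug() prologue … */

/* Shared body: print only when debugging is on and level is within range. */
static void
vdebug(int level, char *fmt, va_list ap)
{
	if ((debuglevel > 0) && (level <= debuglevel))
		vfprintf(stderr, fmt, ap);
}

/* in debug(): */
	va_start(pvar, fmt);
	vdebug(level, fmt, pvar);
	va_end(pvar);

/* … unchanged: ipfkdebug prologue … */
	va_start(pvar, fmt);
	if (opts & OPT_DEBUG)
		vdebug(0x1fffffff, fmt, pvar);
	va_end(pvar);
```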
Modified: trunk/contrib/ipfilter/lib/facpri.c
===================================================================
--- trunk/contrib/ipfilter/lib/facpri.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/facpri.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/facpri.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: facpri.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <stdio.h>
@@ -22,7 +22,7 @@
#include "facpri.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -96,7 +96,7 @@
/*
* map a facility name to its number
*/
-int
+int
fac_findname(name)
char *name;
{
@@ -119,6 +119,22 @@
/*
+ * map a facility name to its number
+ */
+int
+pri_findname(name)
+ char *name;
+{
+ int i;
+
+ for (i = 0; pris[i].name; i++)
+ if (!strcmp(pris[i].name, name))
+ return pris[i].value;
+ return -1;
+}
+
+
+/*
* map a priority number to its name
*/
char *
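Review bot: The header comment on the new pri_findname() reads "map a facility name to its number", copied from fac_findname() above it, but the function searches the `pris` table and returns a priority value. Change it to `/* map a priority name to its number; returns -1 when the name is unknown */` so the -1 sentinel is documented at the same time.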
Modified: trunk/contrib/ipfilter/lib/facpri.h
===================================================================
--- trunk/contrib/ipfilter/lib/facpri.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/facpri.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/facpri.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: facpri.h,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#ifndef __FACPRI_H__
Modified: trunk/contrib/ipfilter/lib/fill6bits.c
===================================================================
--- trunk/contrib/ipfilter/lib/fill6bits.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/fill6bits.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/fill6bits.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: fill6bits.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,8 +12,8 @@
void fill6bits(bits, msk)
-int bits;
-u_int *msk;
+ int bits;
+ u_int *msk;
{
if (bits == 0) {
msk[0] = 0;
Modified: trunk/contrib/ipfilter/lib/flags.c
===================================================================
--- trunk/contrib/ipfilter/lib/flags.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/flags.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/flags.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: flags.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
Modified: trunk/contrib/ipfilter/lib/gethost.c
===================================================================
--- trunk/contrib/ipfilter/lib/gethost.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/gethost.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,25 +1,37 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/gethost.c 272986 2014-10-12 16:48:22Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: gethost.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-int gethost(name, hostp)
-char *name;
-u_32_t *hostp;
+int gethost(family, name, hostp)
+ int family;
+ char *name;
+ i6addr_t *hostp;
{
struct hostent *h;
struct netent *n;
u_32_t addr;
+ bzero(hostp, sizeof(*hostp));
if (!strcmp(name, "test.host.dots")) {
- *hostp = htonl(0xfedcba98);
+ if (family == AF_INET) {
+ hostp->in4.s_addr = htonl(0xfedcba98);
+ }
+#ifdef USE_INET6
+ if (family == AF_INET6) {
+ hostp->i6[0] = htonl(0xfe80aa55);
+ hostp->i6[1] = htonl(0x12345678);
+ hostp->i6[2] = htonl(0x5a5aa5a5);
+ hostp->i6[3] = htonl(0xfedcba98);
+ }
+#endif
return 0;
}
@@ -26,19 +38,39 @@
if (!strcmp(name, "<thishost>"))
name = thishost;
- h = gethostbyname(name);
- if (h != NULL) {
- if ((h->h_addr != NULL) && (h->h_length == sizeof(addr))) {
- bcopy(h->h_addr, (char *)&addr, sizeof(addr));
- *hostp = addr;
+ if (family == AF_INET) {
+ h = gethostbyname(name);
+ if (h != NULL) {
+ if ((h->h_addr != NULL) &&
+ (h->h_length == sizeof(addr))) {
+ bcopy(h->h_addr, (char *)&addr, sizeof(addr));
+ hostp->in4.s_addr = addr;
+ return 0;
+ }
+ }
+
+ n = getnetbyname(name);
+ if (n != NULL) {
+ hostp->in4.s_addr = htonl(n->n_net & 0xffffffff);
return 0;
}
}
+#ifdef USE_INET6
+ if (family == AF_INET6) {
+ struct addrinfo hints, *res;
+ struct sockaddr_in6 *sin6;
- n = getnetbyname(name);
- if (n != NULL) {
- *hostp = (u_32_t)htonl(n->n_net & 0xffffffff);
- return 0;
+ bzero((char *)&hints, sizeof(hints));
+ hints.ai_family = PF_INET6;
+
+ getaddrinfo(name, NULL, &hints, &res);
+ if (res != NULL) {
+ sin6 = (struct sockaddr_in6 *)res->ai_addr;
+ hostp->in6 = sin6->sin6_addr;
+ freeaddrinfo(res);
+ return 0;
+ }
}
+#endif
return -1;
}
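Review bot: `getaddrinfo(name, NULL, &hints, &res);` ignores its return value and `res` is never initialised, so when the lookup fails `res` may still hold stack garbage and the following `if (res != NULL)` dereferences it. Checking the return instead makes the branch correct and the null test unnecessary: `if (getaddrinfo(name, NULL, &hints, &res) == 0) {`. Leaving `hints.ai_socktype` zero can also return several entries per address, which is harmless here because only the first is used. gethost begins outside this hunk.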
Modified: trunk/contrib/ipfilter/lib/getifname.c
===================================================================
--- trunk/contrib/ipfilter/lib/getifname.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/getifname.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/getifname.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getifname.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -18,7 +18,7 @@
*/
#if 0
char *getifname(ptr)
-struct ifnet *ptr;
+ struct ifnet *ptr;
{
#if SOLARIS || defined(__hpux)
# if SOLARIS
@@ -47,10 +47,10 @@
return ifname;
#else
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || defined(__MidnightBSD__) || \
+ defined(__OpenBSD__) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
#else
- char buf[32];
+ char buf[LIFNAMSIZ];
int len;
# endif
struct ifnet netif;
@@ -63,7 +63,7 @@
if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
return "X";
# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || defined(linux) || defined(__MidnightBSD__) || \
+ defined(__OpenBSD__) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
return strdup(netif.if_xname);
# else
@@ -85,8 +85,11 @@
}
#else
char *getifname(ptr)
-struct ifnet *ptr;
+ struct ifnet *ptr;
{
+#if 0
+ ptr = ptr;
+#endif
return "X";
}
#endif
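Review bot: The `#if 0 ptr = ptr; #endif` block in the fallback getifname() is compiled out, so it cannot do what it appears to be for — silencing an unused-parameter warning. A plain `(void)ptr;` with no `#if` is the idiom compilers recognise for that. The same construction appears in ipcap_readip() in ipft_pc.c (`ifn = ifn; dir = dir;` under `#if 0`), where `(void)ifn; (void)dir;` applies likewise.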
Modified: trunk/contrib/ipfilter/lib/getnattype.c
===================================================================
--- trunk/contrib/ipfilter/lib/getnattype.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/getnattype.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/getnattype.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -11,7 +11,7 @@
#include "kmem.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -18,27 +18,17 @@
/*
* Get a nat filter type given its kernel address.
*/
-char *getnattype(nat, alive)
-nat_t *nat;
-int alive;
+char *
+getnattype(nat)
+ nat_t *nat;
{
static char unknownbuf[20];
- ipnat_t *ipn, ipnat;
char *which;
- int type;
if (!nat)
return "???";
- if (alive) {
- type = nat->nat_redir;
- } else {
- ipn = nat->nat_ptr;
- if (kmemcpy((char *)&ipnat, (long)ipn, sizeof(ipnat)))
- return "!!!";
- type = ipnat.in_redir;
- }
- switch (type)
+ switch (nat->nat_redir)
{
case NAT_MAP :
which = "MAP";
@@ -49,11 +39,30 @@
case NAT_REDIRECT :
which = "RDR";
break;
+ case NAT_MAP|NAT_REWRITE :
+ which = "RWR-MAP";
+ break;
+ case NAT_REDIRECT|NAT_REWRITE :
+ which = "RWR-RDR";
+ break;
case NAT_BIMAP :
which = "BIMAP";
break;
+ case NAT_REDIRECT|NAT_DIVERTUDP :
+ which = "DIV-RDR";
+ break;
+ case NAT_MAP|NAT_DIVERTUDP :
+ which = "DIV-MAP";
+ break;
+ case NAT_REDIRECT|NAT_ENCAP :
+ which = "ENC-RDR";
+ break;
+ case NAT_MAP|NAT_ENCAP :
+ which = "ENC-MAP";
+ break;
default :
- sprintf(unknownbuf, "unknown(%04x)", type & 0xffffffff);
+ sprintf(unknownbuf, "unknown(%04x)",
+ nat->nat_redir & 0xffffffff);
which = unknownbuf;
break;
}
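Review bot: The default branch still formats into the 20-byte static `unknownbuf` with an unbounded sprintf(); "unknown(" plus at most eight hex digits and ")" fits today, but nothing states that relationship, and `%04x` with `nat->nat_redir & 0xffffffff` is only well-typed if `nat_redir` promotes to unsigned int (its declaration is not visible here). `snprintf(unknownbuf, sizeof(unknownbuf), "unknown(%04x)", (unsigned)(nat->nat_redir & 0xffffffff));` makes both the bound and the argument type explicit. A one-line comment on the function noting that the returned pointer may alias a shared static buffer would also help callers that keep the string across calls.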
Modified: trunk/contrib/ipfilter/lib/getport.c
===================================================================
--- trunk/contrib/ipfilter/lib/getport.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/getport.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,19 +1,20 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/getport.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getport.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
+#include <ctype.h>
-int getport(fr, name, port)
-frentry_t *fr;
-char *name;
-u_short *port;
+int getport(fr, name, port, proto)
+ frentry_t *fr;
+ char *name, *proto;
+ u_short *port;
{
struct protoent *p;
struct servent *s;
@@ -20,11 +21,19 @@
u_short p1;
if (fr == NULL || fr->fr_type != FR_T_IPF) {
- s = getservbyname(name, NULL);
+ s = getservbyname(name, proto);
if (s != NULL) {
*port = s->s_port;
return 0;
}
+
+ if (ISDIGIT(*name)) {
+ int portval = atoi(name);
+ if (portval < 0 || portval > 65535)
+ return -1;
+ *port = htons((u_short)portval);
+ return 0;
+ }
return -1;
}
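Review bot: The new numeric-port branch uses atoi(), which stops at the first non-digit without reporting it, so an input such as `80x` or `80,81` is accepted as port 80, and an over-long digit string overflows int (undefined behaviour) before the range check can run. Parse with strtol() and reject trailing characters: `char *end; long portval = strtol(name, &end, 10);` followed by `if (end == name || *end != '\0' || portval < 0 || portval > 65535) return -1;`. getport() continues after this hunk, so its remaining branches were not reviewed here.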
Modified: trunk/contrib/ipfilter/lib/getportproto.c
===================================================================
--- trunk/contrib/ipfilter/lib/getportproto.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/getportproto.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,19 +1,19 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/getportproto.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getportproto.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include <ctype.h>
#include "ipf.h"
int getportproto(name, proto)
-char *name;
-int proto;
+ char *name;
+ int proto;
{
struct servent *s;
struct protoent *p;
Modified: trunk/contrib/ipfilter/lib/getproto.c
===================================================================
--- trunk/contrib/ipfilter/lib/getproto.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/getproto.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,17 +1,18 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/getproto.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getproto.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
+#include <ctype.h>
int getproto(name)
-char *name;
+ char *name;
{
struct protoent *p;
char *s;
@@ -25,10 +26,13 @@
#ifdef _AIX51
/*
* For some bogus reason, "ip" is 252 in /etc/protocols on AIX 5
+ * The IANA has doubled up on the definition of 0 - it is now also
+ * used for IPv6 hop-opts, so we can no longer rely on /etc/protocols
+ * providing the correct name->number mapping
*/
+#endif
if (!strcasecmp(name, "ip"))
return 0;
-#endif
p = getprotobyname(name);
if (p != NULL)
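Review bot: The comment explaining why "ip" is mapped to 0 on every platform (the IANA reuse of protocol 0 for IPv6 hop-by-hop options) now sits inside `#ifdef _AIX51`, while the `strcasecmp(name, "ip")` check it explains has been moved out of that block and is compiled unconditionally. Move the three IANA sentences out of the `#ifdef` and leave only the AIX-specific line (`"ip" is 252 in /etc/protocols on AIX 5`) inside it, so the rationale is visible wherever the code is built.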
Modified: trunk/contrib/ipfilter/lib/getsumd.c
===================================================================
--- trunk/contrib/ipfilter/lib/getsumd.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/getsumd.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,17 +1,17 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/getsumd.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getsumd.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
char *getsumd(sum)
-u_32_t sum;
+ u_32_t sum;
{
static char sumdbuf[17];
Modified: trunk/contrib/ipfilter/lib/hostname.c
===================================================================
--- trunk/contrib/ipfilter/lib/hostname.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/hostname.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,18 +1,18 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/hostname.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: hostname.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-char *hostname(v, ip)
-int v;
-void *ip;
+char *hostname(family, ip)
+ int family;
+ void *ip;
{
static char hostbuf[MAXHOSTNAMELEN+1];
struct hostent *hp;
@@ -21,7 +21,7 @@
memset(&ipa, 0, sizeof(ipa)); /* XXX gcc */
- if (v == 4) {
+ if (family == AF_INET) {
ipa.s_addr = *(u_32_t *)ip;
if (ipa.s_addr == htonl(0xfedcba98))
return "test.host.dots";
@@ -28,7 +28,7 @@
}
if ((opts & OPT_NORESOLVE) == 0) {
- if (v == 4) {
+ if (family == AF_INET) {
hp = gethostbyaddr(ip, 4, AF_INET);
if (hp != NULL && hp->h_name != NULL &&
*hp->h_name != '\0') {
@@ -47,7 +47,7 @@
}
}
- if (v == 4) {
+ if (family == AF_INET) {
return inet_ntoa(ipa);
}
#ifdef USE_INET6
Modified: trunk/contrib/ipfilter/lib/icmpcode.c
===================================================================
--- trunk/contrib/ipfilter/lib/icmpcode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/icmpcode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/icmpcode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: icmpcode.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <ctype.h>
Modified: trunk/contrib/ipfilter/lib/inet_addr.c
===================================================================
--- trunk/contrib/ipfilter/lib/inet_addr.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/inet_addr.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/inet_addr.c 153881 2005-12-30 11:52:26Z guido $ */
/*
* ++Copyright++ 1983, 1990, 1993
@@ -57,7 +57,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.8.2.3 2004/12/09 19:41:20 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
Modified: trunk/contrib/ipfilter/lib/initparse.c
===================================================================
--- trunk/contrib/ipfilter/lib/initparse.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/initparse.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/initparse.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: initparse.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
Modified: trunk/contrib/ipfilter/lib/ionames.c
===================================================================
--- trunk/contrib/ipfilter/lib/ionames.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ionames.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ionames.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ionames.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,29 +12,30 @@
struct ipopt_names ionames[] ={
{ IPOPT_NOP, 0x000001, 1, "nop" }, /* RFC791 */
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" }, /* size ?? */
- { IPOPT_MTUP, 0x000008, 3, "mtup" }, /* RFC1191 */
- { IPOPT_MTUR, 0x000010, 3, "mtur" }, /* RFC1191 */
- { IPOPT_ENCODE, 0x000020, 3, "encode" }, /* size ?? */
+ { IPOPT_RR, 0x000002, 8, "rr" }, /* 1 route */
+ { IPOPT_ZSU, 0x000004, 4, "zsu" }, /* size ?? */
+ { IPOPT_MTUP, 0x000008, 4, "mtup" }, /* RFC1191 */
+ { IPOPT_MTUR, 0x000010, 4, "mtur" }, /* RFC1191 */
+ { IPOPT_ENCODE, 0x000020, 4, "encode" }, /* size ?? */
{ IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" }, /* RFC1393 */
- { IPOPT_SECURITY,0x000100, 11, "sec" }, /* RFC1108 */
- { IPOPT_SECURITY,0x000100, 11, "sec-class" }, /* RFC1108 */
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" }, /* RFC1108 */
- { IPOPT_CIPSO, 0x000800, 3, "cipso" }, /* size ?? */
+ { IPOPT_TR, 0x000080, 4, "tr" }, /* RFC1393 */
+ { IPOPT_SECURITY,0x000100, 12, "sec" }, /* RFC1108 */
+ { IPOPT_SECURITY,0x000100, 12, "sec-class" }, /* RFC1108 */
+ { IPOPT_LSRR, 0x000200, 8, "lsrr" }, /* 1 route */
+ { IPOPT_E_SEC, 0x000400, 8, "e-sec" }, /* RFC1108 */
+ { IPOPT_CIPSO, 0x000800, 8, "cipso" }, /* size ?? */
{ IPOPT_SATID, 0x001000, 4, "satid" }, /* RFC791 */
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" }, /* IPv7 ?? */
- { IPOPT_VISA, 0x008000, 3, "visa" }, /* size ?? */
- { IPOPT_IMITD, 0x010000, 3, "imitd" }, /* size ?? */
- { IPOPT_EIP, 0x020000, 3, "eip" }, /* RFC1385 */
- { IPOPT_FINN, 0x040000, 3, "finn" }, /* size ?? */
- { IPOPT_DPS, 0x080000, 3, "dps" }, /* size ?? */
- { IPOPT_SDB, 0x100000, 3, "sdb" }, /* size ?? */
- { IPOPT_NSAPA, 0x200000, 3, "nsapa" }, /* size ?? */
- { IPOPT_RTRALRT,0x400000, 3, "rtralrt" }, /* RFC2113 */
- { IPOPT_UMP, 0x800000, 3, "ump" }, /* size ?? */
+ { IPOPT_SSRR, 0x002000, 8, "ssrr" }, /* 1 route */
+ { IPOPT_ADDEXT, 0x004000, 4, "addext" }, /* IPv7 ?? */
+ { IPOPT_VISA, 0x008000, 4, "visa" }, /* size ?? */
+ { IPOPT_IMITD, 0x010000, 4, "imitd" }, /* size ?? */
+ { IPOPT_EIP, 0x020000, 4, "eip" }, /* RFC1385 */
+ { IPOPT_FINN, 0x040000, 4, "finn" }, /* size ?? */
+ { IPOPT_DPS, 0x080000, 4, "dps" }, /* size ?? */
+ { IPOPT_SDB, 0x100000, 4, "sdb" }, /* size ?? */
+ { IPOPT_NSAPA, 0x200000, 4, "nsapa" }, /* size ?? */
+ { IPOPT_RTRALRT,0x400000, 4, "rtralrt" }, /* RFC2113 */
+ { IPOPT_UMP, 0x800000, 4, "ump" }, /* size ?? */
+ { IPOPT_AH, 0x1000000, 0, "ah" }, /* IPPROTO_AH */
{ 0, 0, 0, (char *)NULL } /* must be last */
};
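Review bot: The third column of almost every ionames[] row changes (3→4, 7→8, 11→12) and the new IPOPT_AH row is given 0, yet nothing in the file says what that column measures, so a reader cannot check the new values against the RFCs cited on each line. A one-line comment above the table, e.g. `/* size column: minimum option length on the wire including the type and length octets; 0 = entry is not an IP option */`, would document the intent — I am inferring the meaning from the uniform +1 pattern, so please confirm it against the code that consumes the field.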
Modified: trunk/contrib/ipfilter/lib/ipf_dotuning.c
===================================================================
--- trunk/contrib/ipfilter/lib/ipf_dotuning.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ipf_dotuning.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ipf_dotuning.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipf_dotuning.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#include "netinet/ipl.h"
@@ -13,9 +13,9 @@
#include <sys/ioctl.h>
void ipf_dotuning(fd, tuneargs, iocfn)
-int fd;
-char *tuneargs;
-ioctlfunc_t iocfn;
+ int fd;
+ char *tuneargs;
+ ioctlfunc_t iocfn;
{
ipfobj_t obj;
ipftune_t tu;
@@ -31,7 +31,8 @@
if (!strcmp(s, "list")) {
while (1) {
if ((*iocfn)(fd, SIOCIPFGETNEXT, &obj) == -1) {
- perror("ioctl(SIOCIPFGETNEXT)");
+ ipf_perror_fd(fd, iocfn,
+ "ioctl(SIOCIPFGETNEXT)");
break;
}
if (tu.ipft_cookie == NULL)
@@ -46,7 +47,8 @@
strncpy(tu.ipft_name, s, sizeof(tu.ipft_name));
if (sscanf(t, "%lu", &tu.ipft_vlong) == 1) {
if ((*iocfn)(fd, SIOCIPFSET, &obj) == -1) {
- perror("ioctl(SIOCIPFSET)");
+ ipf_perror_fd(fd, iocfn,
+ "ioctl(SIOCIPFSET)");
return;
}
} else {
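Review bot: `strncpy(tu.ipft_name, s, sizeof(tu.ipft_name))` on the set path does not NUL-terminate when `s` is at least as long as the field, and the resulting ipftune_t is then handed to the kernel through SIOCIPFSET; the same copy precedes SIOCIPFGET in the next hunk. A bounded, always-terminated copy such as `snprintf(tu.ipft_name, sizeof(tu.ipft_name), "%s", s);`, or an explicit length check that reports over-long names, removes the ambiguity. Whether the kernel side tolerates an unterminated name is not visible from this file.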
@@ -57,7 +59,7 @@
tu.ipft_cookie = NULL;
strncpy(tu.ipft_name, s, sizeof(tu.ipft_name));
if ((*iocfn)(fd, SIOCIPFGET, &obj) == -1) {
- perror("ioctl(SIOCIPFGET)");
+ ipf_perror_fd(fd, iocfn, "ioctl(SIOCIPFGET)");
return;
}
if (tu.ipft_cookie == NULL) {
Modified: trunk/contrib/ipfilter/lib/ipft_hx.c
===================================================================
--- trunk/contrib/ipfilter/lib/ipft_hx.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ipft_hx.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,13 +1,13 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ipft_hx.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <ctype.h>
@@ -20,7 +20,7 @@
static int hex_open __P((char *));
static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
+static int hex_readip __P((mb_t *, char **, int *));
static char *readhex __P((char *, char *));
struct ipread iphex = { hex_open, hex_close, hex_readip, 0 };
@@ -28,7 +28,7 @@
static int tfd = -1;
static int hex_open(fname)
-char *fname;
+ char *fname;
{
if (tfp && tfd != -1) {
rewind(tfp);
@@ -56,14 +56,19 @@
}
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
+static int hex_readip(mb, ifn, dir)
+ mb_t *mb;
+ char **ifn;
+ int *dir;
{
register char *s, *t, *u;
char line[513];
ip_t *ip;
+ char *buf;
+ int cnt;
+ buf = (char *)mb->mb_buf;
+ cnt = sizeof(mb->mb_buf);
/*
* interpret start of line as possibly "[ifname]" or
* "[in/out,ifname]".
@@ -75,8 +80,10 @@
ip = (ip_t *)buf;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = strchr(line, '\n'))) {
- if (s == line)
- return (char *)ip - buf;
+ if (s == line) {
+ mb->mb_len = (char *)ip - buf;
+ return mb->mb_len;
+ }
*s = '\0';
}
if ((s = strchr(line, '#')))
@@ -104,6 +111,23 @@
} else if (ifn)
*ifn = t;
}
+
+ while (*s++ == '+') {
+ if (!strncasecmp(s, "mcast", 5)) {
+ mb->mb_flags |= M_MCAST;
+ s += 5;
+ }
+ if (!strncasecmp(s, "bcast", 5)) {
+ mb->mb_flags |= M_BCAST;
+ s += 5;
+ }
+ if (!strncasecmp(s, "mbcast", 6)) {
+ mb->mb_flags |= M_MBCAST;
+ s += 6;
+ }
+ }
+ while (ISSPACE(*s))
+ s++;
} else
s = line;
t = (char *)ip;
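Review bot: `while (*s++ == '+')` advances `s` past the character that ended the loop as well, so the first byte after the last `+flag` token is consumed before the `ISSPACE()` skip and the hex decoding that follows; that is only correct if `s` enters the loop pointing at the `]` (or the NUL written over it) rather than at the first character after it, and the code that positions `s` is outside this hunk. If `s` already points past the bracket, `while (*s == '+') { s++; ... }` is the safe form. An unrecognised `+name` is also not reported: the loop simply exits and its remaining letters are passed on to the hex decoder.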
@@ -110,11 +134,12 @@
ip = (ip_t *)readhex(s, (char *)ip);
if ((opts & OPT_DEBUG) != 0) {
if (opts & OPT_ASCII) {
+ int c = *t;
if (t < (char *)ip)
putchar('\t');
while (t < (char *)ip) {
- if (ISPRINT(*t) && ISASCII(*t))
- putchar(*t);
+ if (isprint(c) && isascii(c))
+ putchar(c);
else
putchar('.');
t++;
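Review bot: `int c = *t;` is evaluated once before the `while (t < (char *)ip)` loop, but the loop body prints `c` and only advances `t`, so every iteration prints the first byte instead of walking the packet — unless `c` is reassigned after the `t++` on a line outside this hunk, where the loop closes. Read the byte inside the loop, and through `unsigned char` so that bytes ≥ 0x80 are not passed to isprint()/isascii() as negative values: `int c = (unsigned char)*t;` as the first statement of the loop body, dropping the declaration before the `if`.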
Modified: trunk/contrib/ipfilter/lib/ipft_pc.c
===================================================================
--- trunk/contrib/ipfilter/lib/ipft_pc.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ipft_pc.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,19 +1,17 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ipft_pc.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_pc.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-#include "pcap-ipf.h"
-#include "bpf-ipf.h"
#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
struct llc {
@@ -29,58 +27,40 @@
*/
static struct llc llcs[] = {
- { DLT_NULL, 0, 0, 0 },
- { DLT_EN10MB, 14, 12, 2 },
- { DLT_EN3MB, 0, 0, 0 },
- { DLT_AX25, 0, 0, 0 },
- { DLT_PRONET, 0, 0, 0 },
- { DLT_CHAOS, 0, 0, 0 },
- { DLT_IEEE802, 0, 0, 0 },
- { DLT_ARCNET, 0, 0, 0 },
- { DLT_SLIP, 0, 0, 0 },
- { DLT_PPP, 0, 0, 0 },
- { DLT_FDDI, 0, 0, 0 },
-#ifdef DLT_ATMRFC1483
- { DLT_ATMRFC1483, 0, 0, 0 },
-#endif
- { DLT_RAW, 0, 0, 0 },
-#ifdef DLT_ENC
- { DLT_ENC, 0, 0, 0 },
-#endif
-#ifdef DLT_SLIP_BSDOS
- { DLT_SLIP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_BSDOS
- { DLT_PPP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_HIPPI
- { DLT_HIPPI, 0, 0, 0 },
-#endif
-#ifdef DLT_HDLC
- { DLT_HDLC, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_SERIAL
- { DLT_PPP_SERIAL, 4, 4, 0 },
-#endif
-#ifdef DLT_PPP_ETHER
- { DLT_PPP_ETHER, 8, 8, 0 },
-#endif
-#ifdef DLT_ECONET
- { DLT_ECONET, 0, 0, 0 },
-#endif
+ { 0, 0, 0, 0 }, /* DLT_NULL */
+ { 1, 14, 12, 2 }, /* DLT_Ethernet */
+ { 10, 0, 0, 0 }, /* DLT_FDDI */
+ { 12, 0, 0, 0 }, /* DLT_RAW */
{ -1, -1, -1, -1 }
};
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
+typedef struct {
+ u_int id;
+ u_short major;
+ u_short minor;
+ u_int timezone;
+ u_int sigfigs;
+ u_int snaplen;
+ u_int type;
+} fileheader_t;
+typedef struct {
+ u_32_t seconds;
+ u_32_t microseconds;
+ u_32_t caplen;
+ u_32_t wirelen;
+} packetheader_t;
+
+static int ipcap_open __P((char *));
+static int ipcap_close __P((void));
+static int ipcap_readip __P((mb_t *, char **, int *));
+static int ipcap_read_rec __P((packetheader_t *));
+static void iswap_hdr __P((fileheader_t *));
+
static int pfd = -1, swapped = 0;
static struct llc *llcp = NULL;
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip, 0 };
+struct ipread pcap = { ipcap_open, ipcap_close, ipcap_readip, 0 };
#define SWAPLONG(y) \
((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
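Review bot: The rewritten llcs[] keeps only four link types (0, 1, 10, 12), so captures that previously matched DLT_PPP_SERIAL (offset 4) or DLT_PPP_ETHER (offset 8) — the two removed entries with non-zero offsets — no longer find a row; what ipcap_open() does when its search leaves `llcp` NULL is outside this hunk, so please state in a comment above the table which types are supported and how the rest are handled. The bare numbers stand in for the DLT_* names now that pcap-ipf.h is no longer included; the per-row comments carry the names, which is adequate if the comment above the table says they are libpcap link-type codes. The new fileheader_t and packetheader_t carry no comment tying them to the on-disk pcap layout; `/* pcap global header, 24 bytes, byte order per the magic */` and `/* pcap per-record header, 16 bytes */` would make the swapping code self-explanatory.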
@@ -87,21 +67,21 @@
#define SWAPSHORT(y) \
( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-static void swap_hdr(p)
-pcaphdr_t *p;
+static void iswap_hdr(p)
+ fileheader_t *p;
{
- p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
- p->pc_v_min = SWAPSHORT(p->pc_v_min);
- p->pc_zone = SWAPLONG(p->pc_zone);
- p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
- p->pc_slen = SWAPLONG(p->pc_slen);
- p->pc_type = SWAPLONG(p->pc_type);
+ p->major = SWAPSHORT(p->major);
+ p->minor = SWAPSHORT(p->minor);
+ p->timezone = SWAPLONG(p->timezone);
+ p->sigfigs = SWAPLONG(p->sigfigs);
+ p->snaplen = SWAPLONG(p->snaplen);
+ p->type = SWAPLONG(p->type);
}
-static int pcap_open(fname)
-char *fname;
+static int ipcap_open(fname)
+ char *fname;
{
- pcaphdr_t ph;
+ fileheader_t ph;
int fd, i;
if (pfd != -1)
@@ -115,22 +95,17 @@
if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
return -2;
- if (ph.pc_id != TCPDUMP_MAGIC) {
- if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
+ if (ph.id != 0xa1b2c3d4) {
+ if (SWAPLONG(ph.id) != 0xa1b2c3d4) {
(void) close(fd);
return -2;
}
swapped = 1;
- swap_hdr(&ph);
+ iswap_hdr(&ph);
}
- if (ph.pc_v_maj != PCAP_VERSION_MAJ) {
- (void) close(fd);
- return -2;
- }
-
for (i = 0; llcs[i].lc_type != -1; i++)
- if (llcs[i].lc_type == ph.pc_type) {
+ if (llcs[i].lc_type == ph.type) {
llcp = llcs + i;
break;
}
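Review bot: The check that rejected files whose major version differs from the one this reader understands (`ph.pc_v_maj != PCAP_VERSION_MAJ`) has been deleted without replacement, so any file carrying the 0xa1b2c3d4 magic is now parsed with the fixed 16-byte packetheader_t layout whatever version it declares. Keep the guard with the new field names, `if (ph.major != 2) { (void) close(fd); return -2; }` (2 is the major version of the classic pcap format this header layout matches), and give the magic a name, e.g. `#define IPCAP_MAGIC 0xa1b2c3d4`, instead of repeating the literal on two lines.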
@@ -143,13 +118,13 @@
pfd = fd;
printf("opened pcap file %s:\n", fname);
printf("\tid: %08x version: %d.%d type: %d snap %d\n",
- ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
+ ph.id, ph.major, ph.minor, ph.type, ph.snaplen);
return fd;
}
-static int pcap_close()
+static int ipcap_close()
{
return close(pfd);
}
@@ -159,8 +134,8 @@
* read in the header (and validate) which should be the first record
* in a pcap file.
*/
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
+static int ipcap_read_rec(rec)
+ packetheader_t *rec;
{
int n, p, i;
char *s;
@@ -177,13 +152,13 @@
}
if (swapped) {
- rec->ph_clen = SWAPLONG(rec->ph_clen);
- rec->ph_len = SWAPLONG(rec->ph_len);
- rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
- rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
+ rec->caplen = SWAPLONG(rec->caplen);
+ rec->wirelen = SWAPLONG(rec->wirelen);
+ rec->seconds = SWAPLONG(rec->seconds);
+ rec->microseconds = SWAPLONG(rec->microseconds);
}
- p = rec->ph_clen;
- n = MIN(p, rec->ph_len);
+ p = rec->caplen;
+ n = MIN(p, rec->wirelen);
if (!n || n < 0)
return -3;
@@ -198,15 +173,15 @@
* read an entire pcap packet record. only the data part is copied into
* the available buffer, with the number of bytes copied returned.
*/
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
+static int ipcap_read(buf, cnt)
+ char *buf;
+ int cnt;
{
- struct pcap_pkthdr rec;
+ packetheader_t rec;
static char *bufp = NULL;
int i, n;
- if ((i = pcap_read_rec(&rec)) <= 0)
+ if ((i = ipcap_read_rec(&rec)) <= 0)
return i;
if (!bufp)
@@ -227,20 +202,29 @@
/*
* return only an IP packet read into buf
*/
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
+static int ipcap_readip(mb, ifn, dir)
+ mb_t *mb;
+ char **ifn;
+ int *dir;
{
static char *bufp = NULL;
- struct pcap_pkthdr rec;
+ packetheader_t rec;
struct llc *l;
char *s, ty[4];
int i, j, n;
+ char *buf;
+ int cnt;
+#if 0
+ ifn = ifn; /* gcc -Wextra */
+ dir = dir; /* gcc -Wextra */
+#endif
+ buf = (char *)mb->mb_buf;
+ cnt = sizeof(mb->mb_buf);
l = llcp;
/* do { */
- if ((i = pcap_read_rec(&rec)) <= 0)
+ if ((i = ipcap_read_rec(&rec)) <= 0)
return i;
if (!bufp)
@@ -265,5 +249,6 @@
/* } while (ty[0] != 0x8 && ty[1] != 0); */
n = MIN(i, cnt);
bcopy(s, buf, n);
+ mb->mb_len = n;
return n;
}
Modified: trunk/contrib/ipfilter/lib/ipft_tx.c
===================================================================
--- trunk/contrib/ipfilter/lib/ipft_tx.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ipft_tx.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,15 +1,15 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ipft_tx.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_tx.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <ctype.h>
@@ -17,18 +17,12 @@
#include "ipf.h"
#include "ipt.h"
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
extern int opts;
static char *tx_proto = "";
static int text_open __P((char *)), text_close __P((void));
-static int text_readip __P((char *, int, char **, int *));
+static int text_readip __P((mb_t *, char **, int *));
static int parseline __P((char *, ip_t *, char **, int *));
static char myflagset[] = "FSRPAUEC";
@@ -42,6 +36,9 @@
static u_32_t tx_hostnum __P((char *, int *));
static u_short tx_portnum __P((char *));
+#ifdef USE_INET6
+int parseipv6 __P((char **, ip6_t *, char **, int *));
+#endif
/*
* returns an ip address as a long var as a result of either a DNS lookup or
@@ -48,10 +45,10 @@
* straight inet_addr() call
*/
static u_32_t tx_hostnum(host, resolved)
-char *host;
-int *resolved;
+ char *host;
+ int *resolved;
{
- u_32_t ipa;
+ i6addr_t ipa;
*resolved = 0;
if (!strcasecmp("any", host))
@@ -59,12 +56,12 @@
if (ISDIGIT(*host))
return inet_addr(host);
- if (gethost(host, &ipa) == -1) {
+ if (gethost(AF_INET, host, &ipa) == -1) {
*resolved = -1;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
- return ipa;
+ return ipa.in4.s_addr;
}
@@ -73,7 +70,7 @@
* straight atoi()
*/
static u_short tx_portnum(name)
-char *name;
+ char *name;
{
struct servent *sp;
@@ -87,15 +84,8 @@
}
-char *tx_icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
static int text_open(fname)
-char *fname;
+ char *fname;
{
if (tfp && tfd != -1) {
rewind(tfp);
@@ -123,14 +113,20 @@
}
-static int text_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
+static int text_readip(mb, ifn, dir)
+ mb_t *mb;
+ char **ifn;
+ int *dir;
{
register char *s;
char line[513];
ip_t *ip;
+ char *buf;
+ int cnt;
+ buf = (char *)mb->mb_buf;
+ cnt = sizeof(mb->mb_buf);
+
*ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = strchr(line, '\n')))
@@ -147,7 +143,17 @@
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir)) {
ip = (ip_t *)buf;
- return ntohs(ip->ip_len);
+ if (IP_V(ip) == 6) {
+#ifdef USE_INET6
+ mb->mb_len = ntohs(((ip6_t *)ip)->ip6_plen) +
+ sizeof(ip6_t);
+#else
+ mb->mb_len = 0;
+#endif
+ } else {
+ mb->mb_len = ntohs(ip->ip_len);
+ }
+ return mb->mb_len;
}
}
if (feof(tfp))
@@ -156,10 +162,10 @@
}
static int parseline(line, ip, ifn, out)
-char *line;
-ip_t *ip;
-char **ifn;
-int *out;
+ char *line;
+ ip_t *ip;
+ char **ifn;
+ int *out;
{
tcphdr_t th, *tcp = &th;
struct icmp icmp, *ic = &icmp;
@@ -174,6 +180,7 @@
bzero(ipopts, sizeof(ipopts));
IP_HL_A(ip, sizeof(*ip) >> 2);
IP_V_A(ip, IPVERSION);
+ ip->ip_ttl = 63;
for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
cps[++i] = strtok(NULL, " \b\t\r\n");
@@ -186,6 +193,13 @@
fprintf(stderr, "bad direction \"%s\"\n", *cpp);
return 1;
}
+
+#ifdef USE_INET6
+ if (!strcasecmp(*cpp, "out6") || !strcasecmp(*cpp, "in6")) {
+ return parseipv6(cpp, (ip6_t *)ip, ifn, out);
+ }
+#endif
+
*out = (TOLOWER(c) == 'o') ? 1 : 0;
cpp++;
if (!*cpp)
@@ -284,25 +298,21 @@
cpp++;
}
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
- extern char *tx_icmptypes[];
- char **s, *t;
- int i;
+ char *t;
t = strchr(*cpp, ',');
if (t != NULL)
*t = '\0';
- for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
- s++, i++) {
- if (*s && !strcasecmp(*cpp, *s)) {
- ic->icmp_type = i;
- if (t != NULL)
- ic->icmp_code = atoi(t + 1);
- cpp++;
- break;
- }
- }
+ ic->icmp_type = geticmptype(AF_INET, *cpp);
if (t != NULL)
+ ic->icmp_code = atoi(t + 1);
+ cpp++;
+
+ if (ic->icmp_type == ICMP_ECHO ||
+ ic->icmp_type == ICMP_ECHOREPLY)
+ ic->icmp_id = htons(getpid());
+ if (t != NULL)
*t = ',';
}
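Review bot: `ic->icmp_type = geticmptype(AF_INET, *cpp);` stores the lookup result unconditionally, whereas the replaced loop only set the type when a name matched; if geticmptype() signals an unknown name with a negative value (its contract is not visible here), that value is truncated into the u_char field and the line is accepted silently. Check the result before assigning, e.g. `int ty = geticmptype(AF_INET, *cpp); if (ty < 0) { fprintf(stderr, "unknown icmp type \"%s\"\n", *cpp); return 1; }`, matching the `return 1` convention the other parse errors in parseline() use; the ICMPv6 branch of the new parseipv6() later in this file has the same shape. `ic->icmp_id = htons(getpid())` makes the generated packet vary with the process id, which deserves a one-line comment if reproducible test output matters. parseline() continues outside this hunk.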
@@ -314,6 +324,7 @@
if (olen) {
bcopy(ipopts, (char *)(ip + 1), olen);
IP_HL_A(ip, IP_HL(ip) + (olen >> 2));
+ ip->ip_len += olen;
}
}
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
@@ -325,3 +336,175 @@
ip->ip_len = htons(ip->ip_len);
return 0;
}
+
+
+#ifdef USE_INET6
+int parseipv6(cpp, ip6, ifn, out)
+ char **cpp;
+ ip6_t *ip6;
+ char **ifn;
+ int *out;
+{
+ tcphdr_t th, *tcp = &th;
+ struct icmp6_hdr icmp, *ic6 = &icmp;
+
+ bzero((char *)ip6, MAX(sizeof(*tcp), sizeof(*ic6)) + sizeof(*ip6));
+ bzero((char *)tcp, sizeof(*tcp));
+ bzero((char *)ic6, sizeof(*ic6));
+ ip6->ip6_vfc = 0x60;
+
+ *out = (**cpp == 'o') ? 1 : 0;
+ cpp++;
+ if (!*cpp)
+ return 1;
+
+ if (!strcasecmp(*cpp, "on")) {
+ cpp++;
+ if (!*cpp)
+ return 1;
+ *ifn = strdup(*cpp++);
+ if (!*cpp)
+ return 1;
+ }
+
+ if (!strcasecmp(*cpp, "tcp")) {
+ ip6->ip6_nxt = IPPROTO_TCP;
+ tx_proto = "tcp";
+ cpp++;
+ } else if (!strcasecmp(*cpp, "udp")) {
+ ip6->ip6_nxt = IPPROTO_UDP;
+ tx_proto = "udp";
+ cpp++;
+ } else if (!strcasecmp(*cpp, "icmpv6")) {
+ ip6->ip6_nxt = IPPROTO_ICMPV6;
+ tx_proto = "icmpv6";
+ cpp++;
+ } else if (ISDIGIT(**cpp) && !index(*cpp, ':')) {
+ ip6->ip6_nxt = atoi(*cpp);
+ cpp++;
+ } else
+ ip6->ip6_nxt = IPPROTO_IPV6;
+
+ if (!*cpp)
+ return 1;
+
+ switch (ip6->ip6_nxt)
+ {
+ case IPPROTO_TCP :
+ ip6->ip6_plen = sizeof(struct tcphdr);
+ break;
+ case IPPROTO_UDP :
+ ip6->ip6_plen = sizeof(struct udphdr);
+ break;
+ case IPPROTO_ICMPV6 :
+ ip6->ip6_plen = ICMP6ERR_IPICMPHLEN;
+ break;
+ default :
+ break;
+ }
+
+ if (ip6->ip6_nxt == IPPROTO_TCP || ip6->ip6_nxt == IPPROTO_UDP) {
+ char *last;
+
+ last = strchr(*cpp, ',');
+ if (!last) {
+ fprintf(stderr, "tcp/udp with no source port\n");
+ return 1;
+ }
+ *last++ = '\0';
+ tcp->th_sport = htons(tx_portnum(last));
+ if (ip6->ip6_nxt == IPPROTO_TCP) {
+ tcp->th_win = htons(4096);
+ TCP_OFF_A(tcp, sizeof(*tcp) >> 2);
+ }
+ }
+
+ if (inet_pton(AF_INET6, *cpp, &ip6->ip6_src) != 1) {
+ fprintf(stderr, "cannot parse source address '%s'\n", *cpp);
+ return 1;
+ }
+
+ cpp++;
+ if (!*cpp)
+ return 1;
+
+ if (ip6->ip6_nxt == IPPROTO_TCP || ip6->ip6_nxt == IPPROTO_UDP) {
+ char *last;
+
+ last = strchr(*cpp, ',');
+ if (!last) {
+ fprintf(stderr, "tcp/udp with no destination port\n");
+ return 1;
+ }
+ *last++ = '\0';
+ tcp->th_dport = htons(tx_portnum(last));
+ }
+
+ if (inet_pton(AF_INET6, *cpp, &ip6->ip6_dst) != 1) {
+ fprintf(stderr, "cannot parse destination address '%s'\n",
+ *cpp);
+ return 1;
+ }
+
+ cpp++;
+ if (ip6->ip6_nxt == IPPROTO_TCP) {
+ if (*cpp != NULL) {
+ char *s, *t;
+
+ tcp->th_flags = 0;
+ for (s = *cpp; *s; s++)
+ if ((t = strchr(myflagset, *s)))
+ tcp->th_flags |= myflags[t-myflagset];
+ if (tcp->th_flags)
+ cpp++;
+ }
+
+ if (tcp->th_flags & TH_URG)
+ tcp->th_urp = htons(1);
+
+ if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
+ tcp->th_seq = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
+
+ if (*cpp && !strncasecmp(*cpp, "ack=", 4)) {
+ tcp->th_ack = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
+ } else if (*cpp && ip6->ip6_nxt == IPPROTO_ICMPV6) {
+ char *t;
+
+ t = strchr(*cpp, ',');
+ if (t != NULL)
+ *t = '\0';
+
+ ic6->icmp6_type = geticmptype(AF_INET6, *cpp);
+ if (t != NULL)
+ ic6->icmp6_code = atoi(t + 1);
+
+ if (ic6->icmp6_type == ICMP6_ECHO_REQUEST ||
+ ic6->icmp6_type == ICMP6_ECHO_REPLY)
+ ic6->icmp6_id = htons(getpid());
+
+ if (t != NULL)
+ *t = ',';
+ }
+
+ if (ip6->ip6_nxt == IPPROTO_TCP || ip6->ip6_nxt == IPPROTO_UDP) {
+ bcopy((char *)tcp, (char *)ip6 + sizeof(*ip6),
+ sizeof(*tcp));
+ } else if (ip6->ip6_nxt == IPPROTO_ICMPV6) {
+ bcopy((char *)ic6, (char *)ip6 + sizeof(*ip6),
+ sizeof(*ic6));
+ }
+
+ /*
+ * Because a length of 0 == jumbo gram...
+ */
+ if (ip6->ip6_plen == 0) {
+ ip6->ip6_plen++;
+ }
+ ip6->ip6_plen = htons(ip6->ip6_plen);
+ return 0;
+}
+#endif
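Review bot: In parseipv6() the `seq=`/`ack=` values are converted with atoi(), which returns int: a 32-bit sequence number in the upper half of the range (≥ 2147483648) cannot be represented and overflow inside atoi() is undefined behaviour, so `tcp->th_seq = htonl(atoi(*cpp + 4));` should become `tcp->th_seq = htonl((u_32_t)strtoul(*cpp + 4, NULL, 10));` and likewise for `th_ack`. The numeric next-header form `ip6->ip6_nxt = atoi(*cpp);` has the same shape — values above 255 are truncated into the 8-bit field without a diagnostic — so a `> 255` check followed by `return 1` would match how the other parse errors here are reported. parseipv6 is a new non-static function with no header comment; a short block giving the accepted grammar (`in6|out6 [on ifname] tcp|udp|icmpv6|<num> src[,port] dst[,port] [flags] [seq=N] [ack=N]` or `type[,code]` for icmpv6), the return convention (0 on success, 1 on parse error) and the fact that it writes the transport header into the caller's buffer beyond sizeof(*ip6) would make it usable from other files, and its prototype belongs in a header rather than at the top of this .c file. `index()` in the `':'` test is the legacy BSD name; `strchr()` is what the rest of the function uses.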
Modified: trunk/contrib/ipfilter/lib/ipoptsec.c
===================================================================
--- trunk/contrib/ipfilter/lib/ipoptsec.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ipoptsec.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ipoptsec.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipoptsec.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -25,16 +25,19 @@
u_char seclevel(slevel)
-char *slevel;
+ char *slevel;
{
struct ipopt_names *so;
+ if (slevel == NULL || *slevel == '\0')
+ return 0;
+
for (so = secclass; so->on_name; so++)
if (!strcasecmp(slevel, so->on_name))
break;
if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
+ fprintf(stderr, "no such security level: '%s'\n", slevel);
return 0;
}
return (u_char)so->on_value;
@@ -42,7 +45,7 @@
u_char secbit(class)
-int class;
+ int class;
{
struct ipopt_names *so;
@@ -51,7 +54,7 @@
break;
if (!so->on_name) {
- fprintf(stderr, "no such security class: %d\n", class);
+ fprintf(stderr, "no such security class: %d.\n", class);
return 0;
}
return (u_char)so->on_bit;
Modified: trunk/contrib/ipfilter/lib/kmem.c
===================================================================
--- trunk/contrib/ipfilter/lib/kmem.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/kmem.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/kmem.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -29,7 +29,7 @@
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <net/if.h>
-#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#if defined(linux) || defined(__osf__) || defined(__sgi) || defined(__hpux)
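Review bot: The `defined(__MidnightBSD__) ||` half of the guard on the `<net/if_var.h>` include is dropped, leaving only `__FreeBSD_version >= 300000`; in this tree that reads like a local patch being overwritten by the vendor import. If `__FreeBSD_version` is not defined (or is below 300000) when this file is built here, the header is no longer included and whatever the kvm code below needed from it is gone. Either restore `#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000` or add a one-line comment stating that `__FreeBSD_version` is guaranteed on this platform, so the next import does not re-raise the question.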
@@ -44,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -70,9 +70,9 @@
int kvm_read __P((kvm_t, u_long, char *, size_t));
kvm_t kvm_open(kernel, core, swap, mode, errstr)
-char *kernel, *core, *swap;
-int mode;
-char *errstr;
+ char *kernel, *core, *swap;
+ int mode;
+ char *errstr;
{
kvm_t k;
int fd;
@@ -93,10 +93,10 @@
}
int kvm_read(kvm, pos, buffer, size)
-kvm_t kvm;
-u_long pos;
-char *buffer;
-size_t size;
+ kvm_t kvm;
+ u_long pos;
+ char *buffer;
+ size_t size;
{
int r = 0, left;
char *bufp;
@@ -127,7 +127,7 @@
#endif /* !defined(__sgi) && !defined(__hpux) && !defined(__osf__) */
int openkmem(kern, core)
-char *kern, *core;
+ char *kern, *core;
{
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL);
if (kvm_f == NULL)
@@ -139,9 +139,9 @@
}
int kmemcpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
+ register char *buf;
+ long pos;
+ register int n;
{
register int r;
@@ -169,9 +169,9 @@
}
int kstrncpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
+ register char *buf;
+ long pos;
+ register int n;
{
register int r;
Modified: trunk/contrib/ipfilter/lib/kmem.h
===================================================================
--- trunk/contrib/ipfilter/lib/kmem.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/kmem.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,10 +1,10 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/kmem.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#ifndef __KMEM_H__
Modified: trunk/contrib/ipfilter/lib/kmemcpywrap.c
===================================================================
--- trunk/contrib/ipfilter/lib/kmemcpywrap.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/kmemcpywrap.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,19 +1,19 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/kmemcpywrap.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: kmemcpywrap.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#include "kmem.h"
int kmemcpywrap(from, to, size)
-void *from, *to;
-size_t size;
+ void *from, *to;
+ size_t size;
{
int ret;
Modified: trunk/contrib/ipfilter/lib/kvatoname.c
===================================================================
--- trunk/contrib/ipfilter/lib/kvatoname.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/kvatoname.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/kvatoname.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: kvatoname.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -14,8 +14,8 @@
#include <sys/ioctl.h>
char *kvatoname(func, iocfunc)
-ipfunc_t func;
-ioctlfunc_t iocfunc;
+ ipfunc_t func;
+ ioctlfunc_t iocfunc;
{
static char funcname[40];
ipfunc_resolve_t res;
@@ -25,7 +25,7 @@
res.ipfu_name[0] = '\0';
fd = -1;
- if ((opts & OPT_DONOTHING) == 0) {
+ if ((opts & OPT_DONTOPEN) == 0) {
fd = open(IPL_NAME, O_RDONLY);
if (fd == -1)
return NULL;
Modified: trunk/contrib/ipfilter/lib/load_file.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_file.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_file.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,13 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_file.c,v 1.1.1.1 2008-11-22 14:33:09 laffer1 Exp $
+ * $Id: load_file.c,v 1.6.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
+#include <ctype.h>
alist_t *
load_file(char *filename)
@@ -20,13 +21,13 @@
if (fp == NULL) {
fprintf(stderr, "load_file cannot open '%s'\n", filename);
return NULL;
- }
+ }
a = NULL;
rtop = NULL;
rbot = NULL;
- linenum = 0;
-
+ linenum = 0;
+
while (fgets(line, sizeof(line) - 1, fp)) {
line[sizeof(line) - 1] = '\0';
linenum++;
@@ -35,17 +36,23 @@
*/
s = strchr(line, '\n');
if (s == NULL) {
- fprintf(stderr, "%d:%s: line too long\n", linenum, filename);
+ fprintf(stderr, "%d:%s: line too long\n",
+ linenum, filename);
fclose(fp);
alist_free(rtop);
return NULL;
}
- *s = '\0';
+ /*
+ * Remove trailing spaces
+ */
+ for (; ISSPACE(*s); s--)
+ *s = '\0';
+
s = strchr(line, '\r');
if (s != NULL)
*s = '\0';
- for (t = line; isspace(*t); t++)
+ for (t = line; ISSPACE(*t); t++)
;
if (*t == '!') {
not = 1;
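Review bot: The new trailing-whitespace loop `for (; ISSPACE(*s); s--) *s = '\0';` has no lower bound, so a line that is only whitespace before its `\n` walks `s` back past `line[0]` and reads and writes before the array. The equivalent loop added to load_http.c in this same commit bounds itself with `u >= buffer`; use the same form here: `for (; s >= line && ISSPACE(*s); s--)`. load_file's body continues outside the hunk.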
@@ -56,21 +63,22 @@
/*
* Remove comment markers
*/
- for (s = t; *s; s++) {
- if (*s == '#')
- *s = '\0';
+ s = strchr(t, '#');
+ if (s != NULL) {
+ *s = '\0';
+ if (s == t)
+ continue;
}
- if (!*t)
- continue;
+
/*
* Trim off tailing white spaces
*/
s = strlen(t) + t - 1;
- while (isspace(*s))
+ while (ISSPACE(*s))
*s-- = '\0';
- if (isdigit(*t)) {
- a = alist_new(4, t);
+ a = alist_new(AF_UNSPEC, t);
+ if (a != NULL) {
a->al_not = not;
if (rbot != NULL)
rbot->al_next = a;
@@ -78,8 +86,8 @@
rtop = a;
rbot = a;
} else {
- fprintf(stderr, "%s: unrecognised content line %d\n",
- filename, linenum);
+ fprintf(stderr, "%s:%d unrecognised content :%s\n",
+ filename, linenum, t);
}
}
fclose(fp);
Modified: trunk/contrib/ipfilter/lib/load_hash.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_hash.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_hash.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/load_hash.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_hash.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,13 +14,12 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int load_hash(iphp, list, iocfunc)
-iphtable_t *iphp;
-iphtent_t *list;
-ioctlfunc_t iocfunc;
+int
+load_hash(iphp, list, iocfunc)
+ iphtable_t *iphp;
+ iphtent_t *list;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtable_t iph;
@@ -28,14 +27,13 @@
size_t size;
int n;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
for (n = 0, a = list; a != NULL; a = a->ipe_next)
n++;
+ bzero((char *)&iph, sizeof(iph));
op.iplo_arg = 0;
op.iplo_type = IPLT_HASH;
op.iplo_unit = iphp->iph_unit;
@@ -44,10 +42,7 @@
op.iplo_arg = IPHASH_ANON;
op.iplo_size = sizeof(iph);
op.iplo_struct = &iph;
- iph.iph_unit = iphp->iph_unit;
- iph.iph_type = iphp->iph_type;
- strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
- iph.iph_flags = iphp->iph_flags;
+ iph = *iphp;
if (n <= 0)
n = 1;
if (iphp->iph_size == 0)
@@ -60,16 +55,15 @@
iphp->iph_name, "size to match expected use");
}
iph.iph_size = size;
- iph.iph_seed = iphp->iph_seed;
iph.iph_table = NULL;
iph.iph_list = NULL;
iph.iph_ref = 0;
if ((opts & OPT_REMOVE) == 0) {
- if ((*iocfunc)(hashfd, SIOCLOOKUPADDTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPADDTABLE, &op))
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_hash:SIOCLOOKUPADDTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "add lookup hash table");
}
}
@@ -77,10 +71,6 @@
strncpy(iphp->iph_name, op.iplo_name, sizeof(op.iplo_name));
if (opts & OPT_VERBOSE) {
- for (a = list; a != NULL; a = a->ipe_next) {
- a->ipe_addr.in4_addr = ntohl(a->ipe_addr.in4_addr);
- a->ipe_mask.in4_addr = ntohl(a->ipe_mask.in4_addr);
- }
iph.iph_table = calloc(size, sizeof(*iph.iph_table));
if (iph.iph_table == NULL) {
perror("calloc(size, sizeof(*iph.iph_table))");
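Review bot: The `ntohl` pass over `list` is removed from the verbose branch, but the matching `htonl` pass after `printhash()` (visible in the next hunk at `a->ipe_addr.in4_addr = htonl(...)`) is kept, so in verbose mode every address and mask in `list` is now byte-swapped once with no inverse before `load_hashnode()` is called on it. Unless something else in this commit changed the byte order in which `ipe_addr` is stored, the remaining loop should go too, or the removed one should come back. A one-line comment stating which byte order `ipe_addr` holds at this point would settle it for the next reader.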
@@ -87,9 +77,8 @@
return -1;
}
iph.iph_list = list;
- printhash(&iph, bcopywrap, iph.iph_name, opts);
+ printhash(&iph, bcopywrap, iph.iph_name, opts, NULL);
free(iph.iph_table);
- iph.iph_list = NULL;
for (a = list; a != NULL; a = a->ipe_next) {
a->ipe_addr.in4_addr = htonl(a->ipe_addr.in4_addr);
@@ -101,13 +90,13 @@
printf("Hash %s:\n", iph.iph_name);
for (a = list; a != NULL; a = a->ipe_next)
- load_hashnode(iphp->iph_unit, iph.iph_name, a, iocfunc);
+ load_hashnode(iphp->iph_unit, iph.iph_name, a, 0, iocfunc);
if ((opts & OPT_REMOVE) != 0) {
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op))
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_hash:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete lookup hash table");
}
}
return 0;
Modified: trunk/contrib/ipfilter/lib/load_hashnode.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_hashnode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_hashnode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/load_hashnode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_hashnode.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,22 +14,21 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int load_hashnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-iphtent_t *node;
-ioctlfunc_t iocfunc;
+int
+load_hashnode(unit, name, node, ttl, iocfunc)
+ int unit;
+ char *name;
+ iphtent_t *node;
+ int ttl;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtent_t ipe;
+ char *what;
int err;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_HASH;
@@ -40,6 +39,8 @@
strncpy(op.iplo_name, name, sizeof(op.iplo_name));
bzero((char *)&ipe, sizeof(ipe));
+ ipe.ipe_family = node->ipe_family;
+ ipe.ipe_die = ttl;
bcopy((char *)&node->ipe_addr, (char *)&ipe.ipe_addr,
sizeof(ipe.ipe_addr));
bcopy((char *)&node->ipe_mask, (char *)&ipe.ipe_mask,
@@ -47,15 +48,20 @@
bcopy((char *)&node->ipe_group, (char *)&ipe.ipe_group,
sizeof(ipe.ipe_group));
- if ((opts & OPT_REMOVE) == 0)
- err = (*iocfunc)(hashfd, SIOCLOOKUPADDNODE, &op);
- else
- err = (*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op);
+ if ((opts & OPT_REMOVE) == 0) {
+ what = "add";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPADDNODE, &op);
+ } else {
+ what = "delete";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op);
+ }
if (err != 0)
if (!(opts & OPT_DONOTHING)) {
- perror("load_hash:SIOCLOOKUP*NODE");
- return -1;
+ char msg[80];
+
+ sprintf(msg, "%s node from lookup hash table", what);
+ return ipf_perror_fd(pool_fd(), iocfunc, msg);
}
return 0;
}
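Review bot: `sprintf(msg, "%s node from lookup hash table", what)` into `char msg[80]` is safe only because `what` is one of two literals assigned a few lines above; it should still be `snprintf(msg, sizeof(msg), "%s node from lookup hash table", what);` so the next edit to the message cannot overflow. The same pattern is added to load_poolnode.c in this commit, where the message additionally embeds two `inet_ntoa()` results.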
Modified: trunk/contrib/ipfilter/lib/load_http.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_http.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_http.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,32 +1,47 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_http.c,v 1.1.1.2 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id: load_http.c,v 1.5.2.5 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
+#include <ctype.h>
/*
+ * Because the URL can be included twice into the buffer, once as the
+ * full path for the "GET" and once as the "Host:", the buffer it is
+ * put in needs to be larger than 512*2 to make room for the supporting
+ * text. Why not just use snprintf and truncate? The warning about the
+ * URL being too long tells you something is wrong and does not fetch
+ * any data - just truncating the URL (with snprintf, etc) and sending
+ * that to the server is allowing an unknown and unintentioned action
+ * to happen.
+ */
+#define MAX_URL_LEN 512
+#define LOAD_BUFSIZE (MAX_URL_LEN * 2 + 128)
+
+/*
* Format expected is one addres per line, at the start of each line.
*/
alist_t *
load_http(char *url)
{
- char *s, *t, *u, buffer[1044], *myurl;
+ int fd, len, left, port, endhdr, removed, linenum = 0;
+ char *s, *t, *u, buffer[LOAD_BUFSIZE], *myurl;
alist_t *a, *rtop, *rbot;
- struct sockaddr_in sin;
- struct hostent *host;
size_t avail;
- int fd, len, left, port, endhdr, removed;
int error;
/*
* More than this would just be absurd.
*/
- if (strlen(url) > 512) {
- fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
+ if (strlen(url) > MAX_URL_LEN) {
+ fprintf(stderr, "load_http has a URL > %d bytes?!\n",
+ MAX_URL_LEN);
return NULL;
}
@@ -56,6 +71,15 @@
}
*t++ = '\0';
+ /*
+ * 10 is the length of 'Host: \r\n\r\n' below.
+ */
+ if (strlen(s) + strlen(buffer) + 10 > sizeof(buffer)) {
+ fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
+ free(myurl);
+ return NULL;
+ }
+
u = strchr(s, '@');
if (u != NULL)
s = u + 1; /* AUTH */
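Review bot: The added length check `if (strlen(s) + strlen(buffer) + 10 > sizeof(buffer))` leaves no room for the terminating NUL: when the sum equals `sizeof(buffer)` exactly, the `Host:` line appended later (outside this hunk) would write one byte past the array. Use `>=` here. With `MAX_URL_LEN` capped at 512 and `LOAD_BUFSIZE` at 1152 the boundary is not reachable in practice, but the check should be correct on its own terms, and the comment above it should mention the NUL.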
@@ -76,28 +100,11 @@
port = 80;
}
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_port = htons(port);
- if (isdigit(*s)) {
- if (inet_aton(s, &sin.sin_addr) == -1) {
- goto done;
- }
- } else {
- host = gethostbyname(s);
- if (host == NULL)
- goto done;
- memcpy(&sin.sin_addr, host->h_addr_list[0],
- sizeof(sin.sin_addr));
- }
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
+ fd = connecttcp(s, port);
if (fd == -1)
goto done;
- if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1)
- goto done;
len = strlen(buffer);
if (write(fd, buffer, len) != len)
@@ -150,22 +157,27 @@
if (t == NULL)
break;
- *t++ = '\0';
- for (u = buffer; isdigit(*u) || (*u == '.'); u++)
- ;
- if (*u == '/') {
- char *slash;
+ linenum++;
+ *t = '\0';
- slash = u;
- u++;
- while (isdigit(*u))
- u++;
- if (!isspace(*u) && *u)
- u = slash;
+ /*
+ * Remove comment and continue to the next line if
+ * the comment is at the start of the line.
+ */
+ u = strchr(buffer, '#');
+ if (u != NULL) {
+ *u = '\0';
+ if (u == buffer)
+ continue;
}
- *u = '\0';
- a = alist_new(4, buffer);
+ /*
+ * Trim off tailing white spaces, will include \r
+ */
+ for (u = t - 1; (u >= buffer) && ISSPACE(*u); u--)
+ *u = '\0';
+
+ a = alist_new(AF_UNSPEC, buffer);
if (a != NULL) {
if (rbot != NULL)
rbot->al_next = a;
@@ -172,8 +184,13 @@
else
rtop = a;
rbot = a;
+ } else {
+ fprintf(stderr,
+ "%s:%d unrecognised content:%s\n",
+ url, linenum, buffer);
}
+ t++;
removed = t - buffer;
memmove(buffer, t, sizeof(buffer) - left - removed);
s -= removed;
Modified: trunk/contrib/ipfilter/lib/load_pool.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_pool.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_pool.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/load_pool.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_pool.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,20 +14,17 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
-static int poolfd = -1;
-
-int load_pool(plp, iocfunc)
-ip_pool_t *plp;
-ioctlfunc_t iocfunc;
+int
+load_pool(plp, iocfunc)
+ ip_pool_t *plp;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
ip_pool_node_t *a;
ip_pool_t pool;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_unit = plp->ipo_unit;
@@ -37,16 +34,18 @@
op.iplo_size = sizeof(pool);
op.iplo_struct = &pool;
bzero((char *)&pool, sizeof(pool));
+ pool.ipo_unit = plp->ipo_unit;
strncpy(pool.ipo_name, plp->ipo_name, sizeof(pool.ipo_name));
if (plp->ipo_name[0] == '\0')
op.iplo_arg |= IPOOL_ANON;
if ((opts & OPT_REMOVE) == 0) {
- if ((*iocfunc)(poolfd, SIOCLOOKUPADDTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPADDTABLE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_pool:SIOCLOOKUPADDTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "add lookup table");
}
+ }
}
if (op.iplo_arg & IPOOL_ANON)
@@ -54,18 +53,19 @@
if ((opts & OPT_VERBOSE) != 0) {
pool.ipo_list = plp->ipo_list;
- printpool(&pool, bcopywrap, pool.ipo_name, opts);
+ (void) printpool(&pool, bcopywrap, pool.ipo_name, opts, NULL);
pool.ipo_list = NULL;
}
for (a = plp->ipo_list; a != NULL; a = a->ipn_next)
- load_poolnode(plp->ipo_unit, pool.ipo_name, a, iocfunc);
+ load_poolnode(plp->ipo_unit, pool.ipo_name,
+ a, 0, iocfunc);
if ((opts & OPT_REMOVE) != 0) {
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op))
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_pool:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete lookup table");
}
}
return 0;
Modified: trunk/contrib/ipfilter/lib/load_poolnode.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_poolnode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_poolnode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/load_poolnode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_poolnode.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,22 +14,21 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
-static int poolfd = -1;
-
-int load_poolnode(role, name, node, iocfunc)
-int role;
-char *name;
-ip_pool_node_t *node;
-ioctlfunc_t iocfunc;
+int
+load_poolnode(role, name, node, ttl, iocfunc)
+ int role;
+ char *name;
+ ip_pool_node_t *node;
+ int ttl;
+ ioctlfunc_t iocfunc;
{
ip_pool_node_t pn;
iplookupop_t op;
+ char *what;
int err;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_unit = role;
@@ -45,17 +44,25 @@
bcopy((char *)&node->ipn_mask, (char *)&pn.ipn_mask,
sizeof(pn.ipn_mask));
pn.ipn_info = node->ipn_info;
+ pn.ipn_die = ttl;
strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name));
- if ((opts & OPT_REMOVE) == 0)
- err = (*iocfunc)(poolfd, SIOCLOOKUPADDNODE, &op);
- else
- err = (*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op);
+ if ((opts & OPT_REMOVE) == 0) {
+ what = "add";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPADDNODE, &op);
+ } else {
+ what = "delete";
+ err = pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op);
+ }
if (err != 0) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("load_poolnode:SIOCLOOKUP*NODE");
- return -1;
+ char msg[80];
+
+ sprintf(msg, "%s pool node(%s/", what,
+ inet_ntoa(pn.ipn_addr.adf_addr.in4));
+ strcat(msg, inet_ntoa(pn.ipn_mask.adf_addr.in4));
+ return ipf_perror_fd(pool_fd(), iocfunc, msg);
}
}
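Review bot: The message built at `sprintf(msg, "%s pool node(%s/", ...)` and extended with `strcat(msg, inet_ntoa(...))` opens a parenthesis it never closes, so the error text reads like `delete pool node(A/M`; add `strcat(msg, ")");` before the `ipf_perror_fd()` call. A comment that the two `inet_ntoa()` calls must stay in separate statements because it returns a static buffer would explain the `strcat`. `msg[80]` fits the prefix plus two dotted quads, but `snprintf` with `sizeof(msg)` would make that explicit.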
Modified: trunk/contrib/ipfilter/lib/load_url.c
===================================================================
--- trunk/contrib/ipfilter/lib/load_url.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/load_url.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,9 +1,9 @@
/*
- * Copyright (C) 2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: load_url.c,v 1.1.1.1 2008-11-22 14:33:10 laffer1 Exp $
+ * $Id: load_url.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $
*/
#include "ipf.h"
@@ -13,11 +13,11 @@
{
alist_t *hosts = NULL;
- if (strncmp(url, "file://", 7) == 0) {
- /*
+ if (strncmp(url, "file://", 7) == 0) {
+ /*
* file:///etc/passwd
* ^------------s
- */
+ */
hosts = load_file(url);
} else if (*url == '/' || *url == '.') {
@@ -27,5 +27,5 @@
hosts = load_http(url);
}
- return hosts;
+ return hosts;
}
Modified: trunk/contrib/ipfilter/lib/mutex_emul.c
===================================================================
--- trunk/contrib/ipfilter/lib/mutex_emul.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/mutex_emul.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,22 +1,30 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/mutex_emul.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: mutex_emul.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
#define EMM_MAGIC 0x9d7adba3
-void eMmutex_enter(mtx, file, line)
-eMmutex_t *mtx;
-char *file;
-int line;
+static int mutex_debug = 0;
+static FILE *mutex_file = NULL;
+static int initcount = 0;
+
+void
+eMmutex_enter(mtx, file, line)
+ eMmutex_t *mtx;
+ char *file;
+ int line;
{
+ if (mutex_debug & 2)
+ fprintf(mutex_file, "%s:%d:eMmutex_enter(%s)\n", file, line,
+ mtx->eMm_owner);
if (mtx->eMm_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMmutex_enter(%p): bad magic: %#x\n",
mtx->eMm_owner, mtx, mtx->eMm_magic);
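Review bot: The new `fprintf(mutex_file, ...)` in eMmutex_enter runs whenever `mutex_debug & 2` is set, but `mutex_file` is only ever opened in eMmutex_init, where the `fopen("ipf_mutex_log", "w")` result is unchecked, so with debugging enabled and either no prior init or a failed fopen this is a NULL `FILE *` dereference; the same applies to the new fprintf calls in eMmutex_exit, eMmutex_init and eMmutex_destroy, whereas ipf_mutex_clean does guard with `if (mutex_file)`. The `%s` is also fed `mtx->eMm_owner`, which eMmutex_init can leave NULL (see its `else mtx->eMm_owner = NULL;` branch). Guard the trace uniformly, e.g. `if ((mutex_debug & 2) && mutex_file != NULL)`, and in eMmutex_init clear `mutex_debug` when the fopen fails. A comment noting that the log path is relative to the current working directory would also help. eMmutex_enter's body continues outside the hunk.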
@@ -33,9 +41,15 @@
}
-void eMmutex_exit(mtx)
-eMmutex_t *mtx;
+void
+eMmutex_exit(mtx, file, line)
+ eMmutex_t *mtx;
+ char *file;
+ int line;
{
+ if (mutex_debug & 2)
+ fprintf(mutex_file, "%s:%d:eMmutex_exit(%s)\n", file, line,
+ mtx->eMm_owner);
if (mtx->eMm_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMmutex_exit(%p): bad magic: %#x\n",
mtx->eMm_owner, mtx, mtx->eMm_magic);
@@ -52,10 +66,18 @@
}
-void eMmutex_init(mtx, who)
-eMmutex_t *mtx;
-char *who;
+void
+eMmutex_init(mtx, who, file, line)
+ eMmutex_t *mtx;
+ char *who;
+ char *file;
+ int line;
{
+ if (mutex_file == NULL && mutex_debug)
+ mutex_file = fopen("ipf_mutex_log", "w");
+ if (mutex_debug & 1)
+ fprintf(mutex_file, "%s:%d:eMmutex_init(%p,%s)\n",
+ file, line, mtx, who);
if (mtx->eMm_magic == EMM_MAGIC) { /* safe bet ? */
fprintf(stderr,
"%s:eMmutex_init(%p): already initialised?: %#x\n",
@@ -68,12 +90,20 @@
mtx->eMm_owner = strdup(who);
else
mtx->eMm_owner = NULL;
+ initcount++;
}
-void eMmutex_destroy(mtx)
-eMmutex_t *mtx;
+void
+eMmutex_destroy(mtx, file, line)
+ eMmutex_t *mtx;
+ char *file;
+ int line;
{
+ if (mutex_debug & 1)
+ fprintf(mutex_file,
+ "%s:%d:eMmutex_destroy(%p,%s)\n", file, line,
+ mtx, mtx->eMm_owner);
if (mtx->eMm_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMmutex_destroy(%p): bad magic: %#x\n",
mtx->eMm_owner, mtx, mtx->eMm_magic);
@@ -80,9 +110,24 @@
abort();
}
if (mtx->eMm_held != 0) {
- fprintf(stderr, "%s:eMmutex_enter(%p): still locked: %d\n",
+ fprintf(stderr,
+ "%s:eMmutex_enter(%p): still locked: %d\n",
mtx->eMm_owner, mtx, mtx->eMm_held);
abort();
}
+ if (mtx->eMm_owner != NULL)
+ free(mtx->eMm_owner);
memset(mtx, 0xa5, sizeof(*mtx));
+ initcount--;
}
+
+
+void
+ipf_mutex_clean()
+{
+ if (initcount != 0) {
+ if (mutex_file)
+ fprintf(mutex_file, "initcount %d\n", initcount);
+ abort();
+ }
+}
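Review bot: The re-wrapped "still locked" diagnostic in eMmutex_destroy still names the wrong function, `"%s:eMmutex_enter(%p): still locked: %d\n"`; it should say `eMmutex_destroy` so the abort can be traced to the right call. The `if (mtx->eMm_owner != NULL)` around `free()` is redundant, since `free(NULL)` is a no-op. ipf_mutex_clean is declared with an empty parameter list; `(void)` gives it a prototype, and a one-line comment that it is meant to run at exit to assert every initialised mutex was destroyed (otherwise it aborts) would tell callers what they are signing up for.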
Modified: trunk/contrib/ipfilter/lib/nametokva.c
===================================================================
--- trunk/contrib/ipfilter/lib/nametokva.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/nametokva.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/nametokva.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: nametokva.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -14,8 +14,8 @@
#include <fcntl.h>
ipfunc_t nametokva(name, iocfunc)
-char *name;
-ioctlfunc_t iocfunc;
+ char *name;
+ ioctlfunc_t iocfunc;
{
ipfunc_resolve_t res;
int fd;
@@ -24,7 +24,7 @@
res.ipfu_addr = NULL;
fd = -1;
- if ((opts & OPT_DONOTHING) == 0) {
+ if ((opts & OPT_DONTOPEN) == 0) {
fd = open(IPL_NAME, O_RDONLY);
if (fd == -1)
return NULL;
Modified: trunk/contrib/ipfilter/lib/nat_setgroupmap.c
===================================================================
--- trunk/contrib/ipfilter/lib/nat_setgroupmap.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/nat_setgroupmap.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,33 +1,33 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/nat_setgroupmap.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: nat_setgroupmap.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include "ipf.h"
void nat_setgroupmap(n)
-ipnat_t *n;
+ ipnat_t *n;
{
- if (n->in_outmsk == n->in_inmsk)
+ if (n->in_nsrcmsk == n->in_osrcmsk)
n->in_ippip = 1;
else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
+ n->in_ippip = ~ntohl(n->in_osrcmsk);
+ if (n->in_nsrcmsk != 0xffffffff)
+ n->in_ippip /= (~ntohl(n->in_nsrcmsk) + 1);
n->in_ippip++;
if (n->in_ippip == 0)
n->in_ippip = 1;
n->in_ppip = USABLE_PORTS / n->in_ippip;
} else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
+ n->in_space = USABLE_PORTS * ~ntohl(n->in_nsrcmsk);
+ n->in_snip = 0;
+ if (!(n->in_ppip = n->in_spmin))
n->in_ppip = 1;
n->in_ippip = USABLE_PORTS / n->in_ppip;
}
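Review bot: In the `IPN_AUTOPORTMAP` branch, `n->in_ippip /= (~ntohl(n->in_nsrcmsk) + 1)` divides by zero when `in_nsrcmsk` is 0: the guard only excludes `0xffffffff`, and for a zero mask `~ntohl(0) + 1` wraps to 0 in 32-bit unsigned arithmetic (assuming `in_ippip` and the mask are `u_32_t`, as their use with `ntohl` suggests). The commit only renames the fields, so this is pre-existing, but the rename is the moment to either extend the guard to `if (n->in_nsrcmsk != 0xffffffff && n->in_nsrcmsk != 0)` or add a comment stating that the parser rejects a zero mask before this is reached.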
Modified: trunk/contrib/ipfilter/lib/ntomask.c
===================================================================
--- trunk/contrib/ipfilter/lib/ntomask.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/ntomask.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,18 +1,18 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/ntomask.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ntomask.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-int ntomask(v, nbits, ap)
-int v, nbits;
-u_32_t *ap;
+int ntomask(family, nbits, ap)
+ int family, nbits;
+ u_32_t *ap;
{
u_32_t mask;
@@ -19,10 +19,10 @@
if (nbits < 0)
return -1;
- switch (v)
+ switch (family)
{
- case 4 :
- if (nbits > 32 || use_inet6 != 0)
+ case AF_INET :
+ if (nbits > 32 || use_inet6 == 1)
return -1;
if (nbits == 0) {
mask = 0;
@@ -33,8 +33,9 @@
*ap = htonl(mask);
break;
- case 6 :
- if ((nbits > 128) || (use_inet6 == 0))
+ case 0 :
+ case AF_INET6 :
+ if ((nbits > 128) || (use_inet6 == -1))
return -1;
fill6bits(nbits, ap);
break;
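Review bot: The new `case 0 :` label sits among `AF_INET`/`AF_INET6` labels as a bare literal; if it means "family unspecified, treat as IPv6" write `case AF_UNSPEC :` and say so in a comment, since a reader cannot otherwise tell whether 0 is a family value or a leftover of the old `4`/`6` numbering. The tests `use_inet6 == 1` and `use_inet6 == -1` (replacing `!= 0` and `== 0`) imply a three-state flag whose values are documented nowhere in this hunk; a one-line comment at the top of the switch naming what -1, 0 and 1 mean would make both cases readable.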
Modified: trunk/contrib/ipfilter/lib/optname.c
===================================================================
--- trunk/contrib/ipfilter/lib/optname.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/optname.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/optname.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optname.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,9 +12,9 @@
u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
+ char ***cp;
+ u_short *sp;
+ int linenum;
{
struct ipopt_names *io, *so;
u_long msk = 0;
Modified: trunk/contrib/ipfilter/lib/optprint.c
===================================================================
--- trunk/contrib/ipfilter/lib/optprint.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/optprint.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,18 +1,18 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/optprint.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optprint.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
void optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
+ u_short *sec;
+ u_long optmsk, optbits;
{
u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io, *so;
Modified: trunk/contrib/ipfilter/lib/optprintv6.c
===================================================================
--- trunk/contrib/ipfilter/lib/optprintv6.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/optprintv6.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/optprintv6.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optprintv6.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -13,14 +13,14 @@
#ifdef USE_INET6
void optprintv6(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
+ u_short *sec;
+ u_long optmsk, optbits;
{
u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io;
char *s;
- s = " v6hdrs ";
+ s = " v6hdr ";
for (io = v6ionames; io->on_name; io++)
if ((io->on_bit & optmsk) &&
((io->on_bit & optmsk) == (io->on_bit & optbits))) {
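Review bot: The option-list prefix printed by optprintv6 changes from ` v6hdrs ` to ` v6hdr ` at `s = " v6hdr ";`, while the new FI_V6EXTHDR branch added to printfr.c in this same commit prints `PRINTF("v6hdrs");`. If both strings are meant to be re-read by the rule parser, it is worth confirming against the grammar that `v6hdr` and `v6hdrs` really are two distinct keywords rather than one being a typo, because a mismatch only surfaces when printed rules are fed back through ipf. optprintv6's body continues past the end of the hunk.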
Modified: trunk/contrib/ipfilter/lib/optvalue.c
===================================================================
--- trunk/contrib/ipfilter/lib/optvalue.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/optvalue.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,17 +1,17 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/optvalue.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: optvalue.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
u_32_t getoptbyname(optname)
-char *optname;
+ char *optname;
{
struct ipopt_names *io;
@@ -23,7 +23,7 @@
u_32_t getoptbyvalue(optval)
-int optval;
+ int optval;
{
struct ipopt_names *io;
Modified: trunk/contrib/ipfilter/lib/portname.c
===================================================================
--- trunk/contrib/ipfilter/lib/portname.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/portname.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,21 +1,22 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/portname.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: portname.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-char *portname(pr, port)
-int pr, port;
+char *portname(pr, port)
+ int pr, port;
{
- static char buf[32];
- struct protoent *p = NULL;
- struct servent *sv = NULL, *sv1 = NULL;
+ static char buf[32];
+ struct protoent *p = NULL;
+ struct servent *sv = NULL;
+ struct servent *sv1 = NULL;
if ((opts & OPT_NORESOLVE) == 0) {
if (pr == -1) {
Modified: trunk/contrib/ipfilter/lib/print_toif.c
===================================================================
--- trunk/contrib/ipfilter/lib/print_toif.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/print_toif.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,32 +1,50 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/print_toif.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: print_toif.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
+void
+print_toif(family, tag, base, fdp)
+ int family;
+ char *tag;
+ char *base;
+ frdest_t *fdp;
{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
+ switch (fdp->fd_type)
+ {
+ case FRD_NORMAL :
+ PRINTF("%s %s%s", tag, base + fdp->fd_name,
+ (fdp->fd_ptr || (long)fdp->fd_ptr == -1) ? "" : "(!)");
#ifdef USE_INET6
- if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
- char ipv6addr[80];
+ if (family == AF_INET6) {
+ if (IP6_NOTZERO(&fdp->fd_ip6)) {
+ char ipv6addr[80];
- inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
- sizeof(fdp->fd_ip6));
- printf(":%s", ipv6addr);
- } else
+ inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
+ sizeof(fdp->fd_ip6));
+ PRINTF(":%s", ipv6addr);
+ }
+ } else
#endif
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
+ if (fdp->fd_ip.s_addr)
+ PRINTF(":%s", inet_ntoa(fdp->fd_ip));
+ putchar(' ');
+ break;
+
+ case FRD_DSTLIST :
+ PRINTF("%s dstlist/%s ", tag, base + fdp->fd_name);
+ break;
+
+ default :
+ PRINTF("%s <%d>", tag, fdp->fd_type);
+ break;
+ }
}
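Review bot: The length passed to inet_ntop() in the FRD_NORMAL case is the size of the source address, not of the destination buffer: `inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, sizeof(fdp->fd_ip6));` hands inet_ntop a destination length of sizeof(fdp->fd_ip6) (presumably 16 bytes for an in6_addr), so any textual IPv6 address longer than 15 characters makes it fail with ENOSPC and the following `PRINTF(":%s", ipv6addr);` prints an uninitialized 80-byte buffer. The call should size the destination and check the result, `if (inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, sizeof(ipv6addr)) != NULL) PRINTF(":%s", ipv6addr);`. The removed lines had the same argument, so the import did not introduce this, but it is carried over unchanged into the rewritten function.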
Modified: trunk/contrib/ipfilter/lib/printactivenat.c
===================================================================
--- trunk/contrib/ipfilter/lib/printactivenat.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printactivenat.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printactivenat.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -12,73 +12,135 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-void printactivenat(nat, opts, alive, now)
-nat_t *nat;
-int opts, alive;
-u_long now;
+void
+printactivenat(nat, opts, ticks)
+ nat_t *nat;
+ int opts;
+ u_long ticks;
{
- printf("%s", getnattype(nat, alive));
+ PRINTF("%s", getnattype(nat));
if (nat->nat_flags & SI_CLONE)
- printf(" CLONE");
+ PRINTF(" CLONE");
+ if (nat->nat_phnext[0] == NULL && nat->nat_phnext[1] == NULL)
+ PRINTF(" ORPHAN");
- printf(" %-15s", inet_ntoa(nat->nat_inip));
+ putchar(' ');
+ if (nat->nat_redir & NAT_REWRITE) {
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_osrc6,
+ nat->nat_ifnames[0]);
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_inport));
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_osport));
- printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
+ putchar(' ');
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_odst6,
+ nat->nat_ifnames[0]);
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_outport));
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_odport));
- printf(" [%s", inet_ntoa(nat->nat_oip));
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %hu", ntohs(nat->nat_oport));
- printf("]");
+ PRINTF("<- -> ");
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_nsrc6,
+ nat->nat_ifnames[0]);
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_nsport));
+
+ putchar(' ');
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_ndst6,
+ nat->nat_ifnames[0]);
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_ndport));
+
+ } else if (nat->nat_dir == NAT_OUTBOUND) {
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_osrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_osport));
+
+ PRINTF(" <- -> ");
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_nsrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_nsport));
+
+ PRINTF(" [");
+ printactiveaddress(nat->nat_v[0], "%s", &nat->nat_odst6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %hu", ntohs(nat->nat_odport));
+ PRINTF("]");
+ } else {
+ printactiveaddress(nat->nat_v[1], "%-15s", &nat->nat_ndst6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_ndport));
+
+ PRINTF(" <- -> ");
+ printactiveaddress(nat->nat_v[0], "%-15s", &nat->nat_odst6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %-5hu", ntohs(nat->nat_odport));
+
+ PRINTF(" [");
+ printactiveaddress(nat->nat_v[0], "%s", &nat->nat_osrc6,
+ nat->nat_ifnames[0]);
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ PRINTF(" %hu", ntohs(nat->nat_osport));
+ PRINTF("]");
+ }
+
if (opts & OPT_VERBOSE) {
- printf("\n\tttl %lu use %hu sumd %s/",
- nat->nat_age - now, nat->nat_use,
+ PRINTF("\n\tttl %lu use %hu sumd %s/",
+ nat->nat_age - ticks, nat->nat_use,
getsumd(nat->nat_sumd[0]));
- printf("%s pr %u bkt %d/%d flags %x\n",
- getsumd(nat->nat_sumd[1]), nat->nat_p,
+ PRINTF("%s pr %u/%u hash %u/%u flags %x\n",
+ getsumd(nat->nat_sumd[1]),
+ nat->nat_pr[0], nat->nat_pr[1],
nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags);
- printf("\tifp %s", getifname(nat->nat_ifps[0]));
- printf(",%s ", getifname(nat->nat_ifps[1]));
+ PRINTF("\tifp %s", getifname(nat->nat_ifps[0]));
+ PRINTF(",%s ", getifname(nat->nat_ifps[1]));
#ifdef USE_QUAD_T
- printf("bytes %qu/%qu pkts %qu/%qu",
+ PRINTF("bytes %"PRIu64"/%"PRIu64" pkts %"PRIu64"/%"PRIu64"",
(unsigned long long)nat->nat_bytes[0],
(unsigned long long)nat->nat_bytes[1],
(unsigned long long)nat->nat_pkts[0],
(unsigned long long)nat->nat_pkts[1]);
#else
- printf("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0],
+ PRINTF("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0],
nat->nat_bytes[1], nat->nat_pkts[0], nat->nat_pkts[1]);
#endif
- printf(" ipsumd %x", nat->nat_ipsumd);
+ PRINTF(" ipsumd %x", nat->nat_ipsumd);
}
if (opts & OPT_DEBUG) {
- printf("\n\tnat_next %p _pnext %p _hm %p\n",
+ PRINTF("\n\tnat_next %p _pnext %p _hm %p\n",
nat->nat_next, nat->nat_pnext, nat->nat_hm);
- printf("\t_hnext %p/%p _phnext %p/%p\n",
+ PRINTF("\t_hnext %p/%p _phnext %p/%p\n",
nat->nat_hnext[0], nat->nat_hnext[1],
nat->nat_phnext[0], nat->nat_phnext[1]);
- printf("\t_data %p _me %p _state %p _aps %p\n",
- nat->nat_data, nat->nat_me, nat->nat_state, nat->nat_aps);
- printf("\tfr %p ptr %p ifps %p/%p sync %p\n",
+ PRINTF("\t_data %p _me %p _state %p _aps %p\n",
+ nat->nat_data, nat->nat_me, nat->nat_state,
+ nat->nat_aps);
+ PRINTF("\tfr %p ptr %p ifps %p/%p sync %p\n",
nat->nat_fr, nat->nat_ptr, nat->nat_ifps[0],
nat->nat_ifps[1], nat->nat_sync);
- printf("\ttqe:pnext %p next %p ifq %p parent %p/%p\n",
+ PRINTF("\ttqe:pnext %p next %p ifq %p parent %p/%p\n",
nat->nat_tqe.tqe_pnext, nat->nat_tqe.tqe_next,
nat->nat_tqe.tqe_ifq, nat->nat_tqe.tqe_parent, nat);
- printf("\ttqe:die %ld touched %ld flags %x state %d/%d\n",
+ PRINTF("\ttqe:die %d touched %d flags %x state %d/%d\n",
nat->nat_tqe.tqe_die, nat->nat_tqe.tqe_touched,
nat->nat_tqe.tqe_flags, nat->nat_tqe.tqe_state[0],
nat->nat_tqe.tqe_state[1]);
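Review bot: The PRIu64 conversions in the USE_QUAD_T branch, `PRINTF("bytes %"PRIu64"/%"PRIu64" pkts %"PRIu64"/%"PRIu64"",`, are paired with `(unsigned long long)` casts; PRIu64 is defined for uint64_t, which on LP64 platforms is `unsigned long`, so -Wformat reports a type mismatch there. Casting the four arguments to `(uint64_t)` instead matches the macro on every platform; the same pairing appears in printaps.c at `PRINTF("\tbytes %"PRIu64" pkts %"PRIu64"",`. Separately, `nat->nat_age - ticks` is printed with `%lu`, so an entry whose nat_age is already below ticks shows a wrapped-around value instead of 0; `nat->nat_age > ticks ? nat->nat_age - ticks : 0` keeps the ttl column readable. printactivenat's body continues past the end of the hunk.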
Modified: trunk/contrib/ipfilter/lib/printaps.c
===================================================================
--- trunk/contrib/ipfilter/lib/printaps.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printaps.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printaps.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -13,13 +13,14 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printaps.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
+void
+printaps(aps, opts, proto)
+ ap_session_t *aps;
+ int opts, proto;
{
ipsec_pxy_t ipsec;
ap_session_t ap;
@@ -31,33 +32,33 @@
return;
if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
+ PRINTF("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
+ PRINTF("\tbytes %"PRIu64" pkts %"PRIu64"",
+ (unsigned long long)ap.aps_bytes,
(unsigned long long)ap.aps_pkts);
#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
+ PRINTF("\tbytes %lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
#endif
- printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
+ PRINTF(" data %s\n", ap.aps_data ? "YES" : "NO");
+ if ((proto == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
+ PRINTF("\t\tstate[%u,%u], sel[%d,%d]\n",
ap.aps_state[0], ap.aps_state[1],
ap.aps_sel[0], ap.aps_sel[1]);
#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
- (__FreeBSD_version >= 300000) || defined(OpenBSD) || defined(__MidnightBSD__)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
+ (__FreeBSD_version >= 300000) || defined(OpenBSD)
+ PRINTF("\t\tseq: off %hd/%hd min %x/%x\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
+ PRINTF("\t\tack: off %hd/%hd min %x/%x\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
+ PRINTF("\t\tseq: off %hd/%hd min %lx/%lx\n",
ap.aps_seqoff[0], ap.aps_seqoff[1],
ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
+ PRINTF("\t\tack: off %hd/%hd min %lx/%lx\n",
ap.aps_ackoff[0], ap.aps_ackoff[1],
ap.aps_ackmin[0], ap.aps_ackmin[1]);
#endif
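Review bot: The preprocessor condition at `(__FreeBSD_version >= 300000) || defined(OpenBSD)` drops the `|| defined(__MidnightBSD__)` that the removed line carried, which looks like a local patch lost in the vendor import. If this tree does not define `__FreeBSD_version` (I cannot tell from the hunk), the `#else` branch is selected and aps_seqmin/aps_ackmin are printed with `%lx`, which would not match a 32-bit field; worth confirming which branch the build takes and re-adding the local condition if needed. printaps's body continues outside the hunk.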
@@ -66,43 +67,43 @@
if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
+ PRINTF("\tReal Audio Proxy:\n");
+ PRINTF("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
+ PRINTF("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
+ PRINTF("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
ra.rap_plport, ra.rap_prport, ra.rap_srport);
} else if (!strcmp(apr.apr_label, "ftp") &&
(ap.aps_psiz == sizeof(ftp))) {
if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
+ PRINTF("\tFTP Proxy:\n");
+ PRINTF("\t\tpassok: %d\n", ftp.ftp_passok);
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
+ PRINTF("\tClient:\n");
+ PRINTF("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
ftp.ftp_side[0].ftps_seq[0],
ftp.ftp_side[0].ftps_seq[1],
ftp.ftp_side[0].ftps_len, ftp.ftp_side[0].ftps_junk,
ftp.ftp_side[0].ftps_cmds);
- printf("\t\tbuf [");
+ PRINTF("\t\tbuf [");
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
+ PRINTF("]\n\tServer:\n");
+ PRINTF("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
ftp.ftp_side[1].ftps_seq[0],
ftp.ftp_side[1].ftps_seq[1],
ftp.ftp_side[1].ftps_len, ftp.ftp_side[1].ftps_junk,
ftp.ftp_side[1].ftps_cmds);
- printf("\t\tbuf [");
+ PRINTF("\t\tbuf [");
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
+ PRINTF("]\n");
} else if (!strcmp(apr.apr_label, "ipsec") &&
(ap.aps_psiz == sizeof(ipsec))) {
if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
return;
- printf("\tIPSec Proxy:\n");
- printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
+ PRINTF("\tIPSec Proxy:\n");
+ PRINTF("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
(u_int)ntohl(ipsec.ipsc_icookie[0]),
(u_int)ntohl(ipsec.ipsc_icookie[1]),
(u_int)ntohl(ipsec.ipsc_rcookie[0]),
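Review bot: `apr.apr_label` is compared with strcmp() and printed with `%s` after being copied raw out of kernel memory with kmemcpy() in the preceding hunk, but nothing NUL-terminates it, unlike the explicit `ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';` done for the FTP buffers. If apr_label is a fixed-length char array, the same treatment right after the copy of apr, `apr.apr_label[sizeof(apr.apr_label) - 1] = '\0';`, keeps strcmp() and the `%s` from reading past the struct on a malformed or truncated label. printaps's body continues outside this hunk.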
Modified: trunk/contrib/ipfilter/lib/printbuf.c
===================================================================
--- trunk/contrib/ipfilter/lib/printbuf.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printbuf.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printbuf.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printbuf.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <ctype.h>
@@ -13,19 +13,21 @@
#include "ipf.h"
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
+void
+printbuf(buf, len, zend)
+ char *buf;
+ int len, zend;
{
- char *s, c;
+ char *s;
+ int c;
int i;
for (s = buf, i = len; i; i--) {
c = *s++;
- if (ISPRINT(c))
+ if (isprint(c))
putchar(c);
else
- printf("\\%03o", c);
+ PRINTF("\\%03o", c);
if ((c == '\0') && zend)
break;
}
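Review bot: `c = *s++;` reads through a `char *`, so on targets where char is signed any byte >= 0x80 becomes a negative int, and passing a negative value other than EOF to `isprint()` is undefined behaviour; the `PRINTF("\\%03o", c);` branch would also print such a byte as a multi-digit negative octal rather than three digits. Widening `c` to int, which this hunk does, only helps if the byte is first read as unsigned: `c = *(unsigned char *)s++;` (or declare `s` as `unsigned char *`). printbuf's closing brace is outside the hunk.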
Modified: trunk/contrib/ipfilter/lib/printfr.c
===================================================================
--- trunk/contrib/ipfilter/lib/printfr.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printfr.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,161 +1,88 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printfr.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printfr.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-static void printaddr(int, int, char *, u_32_t *, u_32_t *);
-static void printaddr(v, type, ifname, addr, mask)
-int v, type;
-char *ifname;
-u_32_t *addr, *mask;
-{
- char *suffix;
-
- switch (type)
- {
- case FRI_BROADCAST :
- suffix = "bcast";
- break;
-
- case FRI_DYNAMIC :
- printf("%s", ifname);
- printmask(mask);
- suffix = NULL;
- break;
-
- case FRI_NETWORK :
- suffix = "net";
- break;
-
- case FRI_NETMASKED :
- suffix = "netmasked";
- break;
-
- case FRI_PEERADDR :
- suffix = "peer";
- break;
-
- case FRI_LOOKUP :
- suffix = NULL;
- printlookup((i6addr_t *)addr, (i6addr_t *)mask);
- break;
-
- case FRI_NORMAL :
- printhostmask(v, addr, mask);
- suffix = NULL;
- break;
- default :
- printf("<%d>", type);
- printmask(mask);
- suffix = NULL;
- break;
- }
-
- if (suffix != NULL) {
- printf("%s/%s", ifname, suffix);
- }
-}
-
-
-void printlookup(addr, mask)
-i6addr_t *addr, *mask;
-{
- switch (addr->iplookuptype)
- {
- case IPLT_POOL :
- printf("pool/");
- break;
- case IPLT_HASH :
- printf("hash/");
- break;
- default :
- printf("lookup(%x)=", addr->iplookuptype);
- break;
- }
-
- printf("%u", addr->iplookupnum);
- if (mask->iplookupptr == NULL)
- printf("(!)");
-}
-
-
/*
* print the filter structure in a useful way
*/
-void printfr(fp, iocfunc)
-struct frentry *fp;
-ioctlfunc_t iocfunc;
+void
+printfr(fp, iocfunc)
+ struct frentry *fp;
+ ioctlfunc_t iocfunc;
{
struct protoent *p;
u_short sec[2];
u_32_t type;
- u_char *t;
+ int pr, af;
char *s;
- int pr;
+ int hash;
pr = -2;
type = fp->fr_type & ~FR_T_BUILTIN;
if ((fp->fr_type & FR_T_BUILTIN) != 0)
- printf("# Builtin: ");
+ PRINTF("# Builtin: ");
if (fp->fr_collect != 0)
- printf("%u ", fp->fr_collect);
+ PRINTF("%u ", fp->fr_collect);
if (fp->fr_type == FR_T_CALLFUNC) {
;
} else if (fp->fr_func != NULL) {
- printf("call");
+ PRINTF("call");
if ((fp->fr_flags & FR_CALLNOW) != 0)
- printf(" now");
+ PRINTF(" now");
s = kvatoname(fp->fr_func, iocfunc);
- printf(" %s/%u", s ? s : "?", fp->fr_arg);
+ PRINTF(" %s/%u", s ? s : "?", fp->fr_arg);
} else if (FR_ISPASS(fp->fr_flags))
- printf("pass");
+ PRINTF("pass");
else if (FR_ISBLOCK(fp->fr_flags)) {
- printf("block");
+ PRINTF("block");
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
printlog(fp);
} else if (FR_ISACCOUNT(fp->fr_flags))
- printf("count");
+ PRINTF("count");
else if (FR_ISAUTH(fp->fr_flags))
- printf("auth");
+ PRINTF("auth");
else if (FR_ISPREAUTH(fp->fr_flags))
- printf("preauth");
+ PRINTF("preauth");
else if (FR_ISNOMATCH(fp->fr_flags))
- printf("nomatch");
+ PRINTF("nomatch");
+ else if (FR_ISDECAPS(fp->fr_flags))
+ PRINTF("decapsulate");
else if (FR_ISSKIP(fp->fr_flags))
- printf("skip %u", fp->fr_arg);
+ PRINTF("skip %u", fp->fr_arg);
else {
- printf("%x", fp->fr_flags);
+ PRINTF("%x", fp->fr_flags);
}
if (fp->fr_flags & FR_RETICMP) {
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
+ PRINTF(" return-icmp-as-dest");
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
+ PRINTF(" return-icmp");
if (fp->fr_icode) {
if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
+ PRINTF("(%s)",
icmpcodes[(int)fp->fr_icode]);
else
- printf("(%d)", fp->fr_icode);
+ PRINTF("(%d)", fp->fr_icode);
}
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
+ PRINTF(" return-rst");
if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
+ PRINTF(" out ");
+ else if (fp->fr_flags & FR_INQUE)
+ PRINTF(" in ");
if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
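Review bot: With `else if (fp->fr_flags & FR_INQUE) PRINTF(" in ");` replacing the former unconditional else, a rule with neither FR_OUTQUE nor FR_INQUE set prints no direction and no separating space, so the action keyword runs into whatever is printed next (for example `passquick `). If such rules can reach printfr (whether the kernel guarantees one of the two bits is not visible here), a trailing `else putchar(' ');` keeps the output parseable. printfr's body continues past the end of the hunk.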
@@ -164,36 +91,44 @@
}
if (fp->fr_flags & FR_QUICK)
- printf("quick ");
+ PRINTF("quick ");
- if (*fp->fr_ifname) {
- printifname("on ", fp->fr_ifname, fp->fr_ifa);
- if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
- printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
+ if (fp->fr_ifnames[0] != -1) {
+ printifname("on ", fp->fr_names + fp->fr_ifnames[0],
+ fp->fr_ifa);
+ if (fp->fr_ifnames[1] != -1 &&
+ strcmp(fp->fr_names + fp->fr_ifnames[1], "*"))
+ printifname(",", fp->fr_names + fp->fr_ifnames[1],
+ fp->fr_ifas[1]);
putchar(' ');
}
- if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP))
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (*fp->fr_rif.fd_ifname)
- print_toif("reply-to", &fp->fr_rif);
+ if (fp->fr_tif.fd_name != -1)
+ print_toif(fp->fr_family, "to", fp->fr_names, &fp->fr_tif);
+ if (fp->fr_dif.fd_name != -1)
+ print_toif(fp->fr_family, "dup-to", fp->fr_names,
+ &fp->fr_dif);
+ if (fp->fr_rif.fd_name != -1)
+ print_toif(fp->fr_family, "reply-to", fp->fr_names,
+ &fp->fr_rif);
if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
+ PRINTF("fastroute ");
- if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
- (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
+ if ((fp->fr_ifnames[2] != -1 &&
+ strcmp(fp->fr_names + fp->fr_ifnames[2], "*")) ||
+ (fp->fr_ifnames[3] != -1 &&
+ strcmp(fp->fr_names + fp->fr_ifnames[3], "*"))) {
if (fp->fr_flags & FR_OUTQUE)
- printf("in-via ");
+ PRINTF("in-via ");
else
- printf("out-via ");
+ PRINTF("out-via ");
- if (*fp->fr_ifnames[2]) {
- printifname("", fp->fr_ifnames[2],
+ if (fp->fr_ifnames[2] != -1) {
+ printifname("", fp->fr_names + fp->fr_ifnames[2],
fp->fr_ifas[2]);
- if (*fp->fr_ifnames[3]) {
- printifname(",", fp->fr_ifnames[3],
+ if (fp->fr_ifnames[3] != -1) {
+ printifname(",",
+ fp->fr_names + fp->fr_ifnames[3],
fp->fr_ifas[3]);
}
putchar(' ');
@@ -200,90 +135,109 @@
}
}
+ if (fp->fr_family == AF_INET) {
+ PRINTF("inet ");
+ af = AF_INET;
+#ifdef USE_INET6
+ } else if (fp->fr_family == AF_INET6) {
+ PRINTF("inet6 ");
+ af = AF_INET6;
+#endif
+ } else {
+ af = -1;
+ }
+
if (type == FR_T_IPF) {
if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
+ PRINTF("tos %#x ", fp->fr_tos);
if (fp->fr_mip.fi_ttl)
- printf("ttl %d ", fp->fr_ttl);
+ PRINTF("ttl %d ", fp->fr_ttl);
if (fp->fr_flx & FI_TCPUDP) {
- printf("proto tcp/udp ");
+ PRINTF("proto tcp/udp ");
pr = -1;
} else if (fp->fr_mip.fi_p) {
pr = fp->fr_ip.fi_p;
p = getprotobynumber(pr);
- printf("proto ");
+ PRINTF("proto ");
printproto(p, pr, NULL);
putchar(' ');
}
}
- if (type == FR_T_NONE) {
- printf("all");
- } else if (type == FR_T_IPF) {
- printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname,
+ switch (type)
+ {
+ case FR_T_NONE :
+ PRINTF("all");
+ break;
+
+ case FR_T_IPF :
+ PRINTF("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
+ printaddr(af, fp->fr_satype, fp->fr_names, fp->fr_ifnames[0],
&fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
if (fp->fr_scmp)
printportcmp(pr, &fp->fr_tuc.ftu_src);
- printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname,
+ PRINTF(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
+ printaddr(af, fp->fr_datype, fp->fr_names, fp->fr_ifnames[0],
&fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
if (fp->fr_dcmp)
printportcmp(pr, &fp->fr_tuc.ftu_dst);
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
+ if (((fp->fr_proto == IPPROTO_ICMP) ||
+ (fp->fr_proto == IPPROTO_ICMPV6)) && fp->fr_icmpm) {
int type = fp->fr_icmp, code;
+ char *name;
type = ntohs(fp->fr_icmp);
code = type & 0xff;
type /= 256;
- if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
- icmptypes[type])
- printf(" icmp-type %s", icmptypes[type]);
+ name = icmptypename(fp->fr_family, type);
+ if (name == NULL)
+ PRINTF(" icmp-type %d", type);
else
- printf(" icmp-type %d", type);
+ PRINTF(" icmp-type %s", name);
if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
+ PRINTF(" code %d", code);
}
if ((fp->fr_proto == IPPROTO_TCP) &&
(fp->fr_tcpf || fp->fr_tcpfm)) {
- printf(" flags ");
- if (fp->fr_tcpf & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpf);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpf & *t)
- (void)putchar(*s);
- if (fp->fr_tcpfm) {
- (void)putchar('/');
- if (fp->fr_tcpfm & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpfm);
- else
- for (s = flagset, t = flags; *s;
- s++, t++)
- if (fp->fr_tcpfm & *t)
- (void)putchar(*s);
- }
+ PRINTF(" flags ");
+ printtcpflags(fp->fr_tcpf, fp->fr_tcpfm);
}
- } else if (type == FR_T_BPFOPC) {
+ break;
+
+ case FR_T_BPFOPC :
+ {
fakebpf_t *fb;
int i;
- printf("bpf-v%d { \"", fp->fr_v);
+ PRINTF("bpf-v%d { \"", fp->fr_family);
i = fp->fr_dsize / sizeof(*fb);
for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
- printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
+ PRINTF("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
fb->fb_f, fb->fb_k);
- printf("\" }");
- } else if (type == FR_T_COMPIPF) {
- ;
- } else if (type == FR_T_CALLFUNC) {
- printf("call function at %p", fp->fr_data);
- } else {
- printf("[unknown filter type %#x]", fp->fr_type);
+ PRINTF("\" }");
+ break;
+ }
+
+ case FR_T_COMPIPF :
+ break;
+
+ case FR_T_CALLFUNC :
+ PRINTF("call function at %p", fp->fr_data);
+ break;
+
+ case FR_T_IPFEXPR :
+ PRINTF("exp { \"");
+ printipfexpr(fp->fr_data);
+ PRINTF("\" } ");
+ break;
+
+ default :
+ PRINTF("[unknown filter type %#x]", fp->fr_type);
+ break;
}
if ((type == FR_T_IPF) &&
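Review bot: `PRINTF("bpf-v%d { \"", fp->fr_family);` now prints the address-family constant where the removed line printed `fp->fr_v` (4 or 6), so the text changes from `bpf-v4` to the numeric AF_INET value and will no longer match a parser that expects the IP version; if that is unintended, `fp->fr_family == AF_INET6 ? 6 : 4` preserves the old output. In the FR_T_IPF case, `int type = fp->fr_icmp, code;` shadows the `type` the enclosing switch tests on, which is legal but triggers -Wshadow and is easy to misread; renaming the inner variable to `icmptype` avoids that. printfr's body continues outside the hunk.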
@@ -292,12 +246,12 @@
fp->fr_secbits || fp->fr_secmask)) {
char *comma = " ";
- printf(" with");
+ PRINTF(" with");
if (fp->fr_optbits || fp->fr_optmask ||
fp->fr_secbits || fp->fr_secmask) {
sec[0] = fp->fr_secmask;
sec[1] = fp->fr_secbits;
- if (fp->fr_v == 4)
+ if (fp->fr_family == AF_INET)
optprint(sec, fp->fr_optmask, fp->fr_optbits);
#ifdef USE_INET6
else
@@ -307,175 +261,213 @@
} else if (fp->fr_mflx & FI_OPTIONS) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_OPTIONS))
- printf("not ");
- printf("ipopts");
+ PRINTF("not ");
+ PRINTF("ipopts");
comma = ",";
}
if (fp->fr_mflx & FI_SHORT) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_SHORT))
- printf("not ");
- printf("short");
+ PRINTF("not ");
+ PRINTF("short");
comma = ",";
}
if (fp->fr_mflx & FI_FRAG) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_FRAG))
- printf("not ");
- printf("frag");
+ PRINTF("not ");
+ PRINTF("frag");
comma = ",";
}
if (fp->fr_mflx & FI_FRAGBODY) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_FRAGBODY))
- printf("not ");
- printf("frag-body");
+ PRINTF("not ");
+ PRINTF("frag-body");
comma = ",";
}
if (fp->fr_mflx & FI_NATED) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_NATED))
- printf("not ");
- printf("nat");
+ PRINTF("not ");
+ PRINTF("nat");
comma = ",";
}
if (fp->fr_mflx & FI_LOWTTL) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_LOWTTL))
- printf("not ");
- printf("lowttl");
+ PRINTF("not ");
+ PRINTF("lowttl");
comma = ",";
}
if (fp->fr_mflx & FI_BAD) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BAD))
- printf("not ");
- printf("bad");
+ PRINTF("not ");
+ PRINTF("bad");
comma = ",";
}
if (fp->fr_mflx & FI_BADSRC) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BADSRC))
- printf("not ");
- printf("bad-src");
+ PRINTF("not ");
+ PRINTF("bad-src");
comma = ",";
}
if (fp->fr_mflx & FI_BADNAT) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BADNAT))
- printf("not ");
- printf("bad-nat");
+ PRINTF("not ");
+ PRINTF("bad-nat");
comma = ",";
}
if (fp->fr_mflx & FI_OOW) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_OOW))
- printf("not ");
- printf("oow");
+ PRINTF("not ");
+ PRINTF("oow");
comma = ",";
}
if (fp->fr_mflx & FI_MBCAST) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_MBCAST))
- printf("not ");
- printf("mbcast");
+ PRINTF("not ");
+ PRINTF("mbcast");
comma = ",";
}
if (fp->fr_mflx & FI_BROADCAST) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_BROADCAST))
- printf("not ");
- printf("bcast");
+ PRINTF("not ");
+ PRINTF("bcast");
comma = ",";
}
if (fp->fr_mflx & FI_MULTICAST) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_MULTICAST))
- printf("not ");
- printf("mcast");
+ PRINTF("not ");
+ PRINTF("mcast");
comma = ",";
}
if (fp->fr_mflx & FI_STATE) {
fputs(comma, stdout);
if (!(fp->fr_flx & FI_STATE))
- printf("not ");
- printf("state");
+ PRINTF("not ");
+ PRINTF("state");
comma = ",";
}
+ if (fp->fr_mflx & FI_V6EXTHDR) {
+ fputs(comma, stdout);
+ if (!(fp->fr_flx & FI_V6EXTHDR))
+ PRINTF("not ");
+ PRINTF("v6hdrs");
+ comma = ",";
+ }
}
if (fp->fr_flags & FR_KEEPSTATE) {
- printf(" keep state");
- if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) ||
- (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
+ host_track_t *src = &fp->fr_srctrack;
+ PRINTF(" keep state");
+ if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|
+ FR_NOICMPERR|FR_STATESYNC)) ||
+ (fp->fr_statemax != 0) || (fp->fr_age[0] != 0) ||
+ (src->ht_max_nodes != 0)) {
char *comma = "";
- printf(" (");
+ PRINTF(" (");
if (fp->fr_statemax != 0) {
- printf("limit %u", fp->fr_statemax);
+ PRINTF("limit %u", fp->fr_statemax);
comma = ",";
}
+ if (src->ht_max_nodes != 0) {
+ PRINTF("%smax-nodes %d", comma,
+ src->ht_max_nodes);
+ if (src->ht_max_per_node)
+ PRINTF(", max-per-src %d/%d",
+ src->ht_max_per_node,
+ src->ht_netmask);
+ comma = ",";
+ }
if (fp->fr_flags & FR_STSTRICT) {
- printf("%sstrict", comma);
+ PRINTF("%sstrict", comma);
comma = ",";
}
+ if (fp->fr_flags & FR_STLOOSE) {
+ PRINTF("%sloose", comma);
+ comma = ",";
+ }
if (fp->fr_flags & FR_NEWISN) {
- printf("%snewisn", comma);
+ PRINTF("%snewisn", comma);
comma = ",";
}
if (fp->fr_flags & FR_NOICMPERR) {
- printf("%sno-icmp-err", comma);
+ PRINTF("%sno-icmp-err", comma);
comma = ",";
}
if (fp->fr_flags & FR_STATESYNC) {
- printf("%ssync", comma);
+ PRINTF("%ssync", comma);
comma = ",";
}
if (fp->fr_age[0] || fp->fr_age[1])
- printf("%sage %d/%d", comma, fp->fr_age[0],
+ PRINTF("%sage %d/%d", comma, fp->fr_age[0],
fp->fr_age[1]);
- printf(")");
+ PRINTF(")");
}
}
if (fp->fr_flags & FR_KEEPFRAG) {
- printf(" keep frags");
+ PRINTF(" keep frags");
if (fp->fr_flags & (FR_FRSTRICT)) {
- printf(" (");
+ PRINTF(" (");
if (fp->fr_flags & FR_FRSTRICT)
- printf("strict");
- printf(")");
-
+ PRINTF("strict");
+ PRINTF(")");
+
}
}
if (fp->fr_isc != (struct ipscan *)-1) {
- if (fp->fr_isctag[0])
- printf(" scan %s", fp->fr_isctag);
+ if (fp->fr_isctag != -1)
+ PRINTF(" scan %s", fp->fr_isctag + fp->fr_names);
else
- printf(" scan *");
+ PRINTF(" scan *");
}
- if (*fp->fr_grhead != '\0')
- printf(" head %s", fp->fr_grhead);
- if (*fp->fr_group != '\0')
- printf(" group %s", fp->fr_group);
+ if (fp->fr_grhead != -1)
+ PRINTF(" head %s", fp->fr_names + fp->fr_grhead);
+ if (fp->fr_group != -1)
+ PRINTF(" group %s", fp->fr_names + fp->fr_group);
if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
char *s = "";
- printf(" set-tag(");
+ PRINTF(" set-tag(");
if (fp->fr_logtag != FR_NOLOGTAG) {
- printf("log=%u", fp->fr_logtag);
+ PRINTF("log=%u", fp->fr_logtag);
s = ", ";
}
if (*fp->fr_nattag.ipt_tag) {
- printf("%snat=%-.*s", s, IPFTAG_LEN,
+ PRINTF("%snat=%-.*s", s, IPFTAG_LEN,
fp->fr_nattag.ipt_tag);
}
- printf(")");
+ PRINTF(")");
}
if (fp->fr_pps)
- printf(" pps %d", fp->fr_pps);
+ PRINTF(" pps %d", fp->fr_pps);
+ if (fp->fr_comment != -1)
+ PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment);
+
+ hash = 0;
if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
- printf(" # count %d", fp->fr_statecnt);
+ PRINTF(" # count %d", fp->fr_statecnt);
+ if (fp->fr_die != 0)
+ PRINTF(" rule-ttl %u", fp->fr_die);
+ hash = 1;
+ } else if (fp->fr_die != 0) {
+ PRINTF(" # rule-ttl %u", fp->fr_die);
+ hash = 1;
}
+ if (opts & OPT_DEBUG) {
+ if (hash == 0)
+ putchar('#');
+ PRINTF(" ref %d", fp->fr_ref);
+ }
(void)putchar('\n');
}
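Review bot: `PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment);` emits the rule comment inside double quotes without escaping, so a comment containing a `"` or a newline produces output that no longer parses as a single rule if it is fed back into ipf; if the printed form is meant to round-trip, the string should be escaped here or such characters rejected when the rule is loaded. The `fp->fr_comment != -1` guard, like the other `fr_names + offset` uses in this hunk, only checks the sentinel; whether each offset is bounded against the size of the names area is not visible here and is presumably enforced where the rule is read in. printfr's body starts before this hunk.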
Modified: trunk/contrib/ipfilter/lib/printfraginfo.c
===================================================================
--- trunk/contrib/ipfilter/lib/printfraginfo.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printfraginfo.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,30 +1,42 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printfraginfo.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2004-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printfraginfo.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
#include "kmem.h"
-void printfraginfo(prefix, ifr)
-char *prefix;
-struct ipfr *ifr;
+
+void
+printfraginfo(prefix, ifr)
+ char *prefix;
+ struct ipfr *ifr;
{
frentry_t fr;
+ int family;
+ PRINTF("%s", prefix);
+ if (ifr->ipfr_v == 6) {
+ PRINTF("inet6");
+ family = AF_INET6;
+ } else {
+ PRINTF("inet");
+ family = AF_INET;
+ }
fr.fr_flags = 0xffffffff;
- printf("%s%s -> ", prefix, hostname(4, &ifr->ipfr_src));
+ PRINTF(" %s -> ", hostname(family, &ifr->ipfr_src));
/*
if (kmemcpy((char *)&fr, (u_long)ifr->ipfr_rule,
sizeof(fr)) == -1)
return;
-*/
- printf("%s id %d ttl %ld pr %d seen0 %d ref %d tos %#02x\n",
- hostname(4, &ifr->ipfr_dst), ifr->ipfr_id, ifr->ipfr_ttl,
- ifr->ipfr_p, ifr->ipfr_seen0, ifr->ipfr_ref, ifr->ipfr_tos);
+ */
+ PRINTF("%s id %x ttl %lu pr %d pkts %u bytes %u seen0 %d ref %d\n",
+ hostname(family, &ifr->ipfr_dst), ifr->ipfr_id,
+ ifr->ipfr_ttl, ifr->ipfr_p, ifr->ipfr_pkts, ifr->ipfr_bytes,
+ ifr->ipfr_seen0, ifr->ipfr_ref);
}
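Review bot: `frentry_t fr;` and `fr.fr_flags = 0xffffffff;` are dead in the new body: nothing reads `fr` once the kmemcpy() that would have filled it is left commented out, and a `-Wunused-but-set-variable` build will flag it. Either delete the local and the assignment together with the commented-out block, or restore the copy and use it. The `%u` conversions for `ipfr_pkts`/`ipfr_bytes` and `%lu` for `ipfr_ttl` assume those fields are `unsigned int` and `unsigned long`; the struct is not visible here, so confirm the widths match, since a mismatch is undefined behaviour that only `-Wformat` would catch.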
Modified: trunk/contrib/ipfilter/lib/printhash.c
===================================================================
--- trunk/contrib/ipfilter/lib/printhash.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printhash.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printhash.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,15 +8,14 @@
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-iphtable_t *printhash(hp, copyfunc, name, opts)
-iphtable_t *hp;
-copyfunc_t copyfunc;
-char *name;
-int opts;
+iphtable_t *
+printhash(hp, copyfunc, name, opts, fields)
+ iphtable_t *hp;
+ copyfunc_t copyfunc;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
iphtent_t *ipep, **table;
iphtable_t iph;
@@ -29,7 +28,8 @@
if ((name != NULL) && strncmp(name, iph.iph_name, FR_GROUPLEN))
return iph.iph_next;
- printhashdata(hp, opts);
+ if (fields == NULL)
+ printhashdata(hp, opts);
if ((hp->iph_flags & IPHASH_DELETE) != 0)
PRINTF("# ");
@@ -43,7 +43,7 @@
return NULL;
for (printed = 0, ipep = iph.iph_list; ipep != NULL; ) {
- ipep = printhashnode(&iph, ipep, copyfunc, opts);
+ ipep = printhashnode(&iph, ipep, copyfunc, opts, fields);
printed++;
}
if (printed == 0)
Modified: trunk/contrib/ipfilter/lib/printhash_live.c
===================================================================
--- trunk/contrib/ipfilter/lib/printhash_live.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printhash_live.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,25 +8,25 @@
#include "ipf.h"
#include "netinet/ipl.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-iphtable_t *printhash_live(hp, fd, name, opts)
-iphtable_t *hp;
-int fd;
-char *name;
-int opts;
+iphtable_t *
+printhash_live(hp, fd, name, opts, fields)
+ iphtable_t *hp;
+ int fd;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
- iphtent_t entry, *top, *node;
+ iphtent_t entry, zero;
ipflookupiter_t iter;
- int printed, last;
+ int last, printed;
ipfobj_t obj;
if ((name != NULL) && strncmp(name, hp->iph_name, FR_GROUPLEN))
return hp->iph_next;
- printhashdata(hp, opts);
+ if (fields == NULL)
+ printhashdata(hp, opts);
if ((hp->iph_flags & IPHASH_DELETE) != 0)
PRINTF("# ");
@@ -47,26 +47,19 @@
strncpy(iter.ili_name, hp->iph_name, FR_GROUPLEN);
last = 0;
- top = NULL;
printed = 0;
+ bzero((char *)&zero, sizeof(zero));
while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
if (entry.ipe_next == NULL)
last = 1;
- entry.ipe_next = top;
- top = malloc(sizeof(*top));
- if (top == NULL)
+ if (bcmp(&zero, &entry, sizeof(zero)) == 0)
break;
- bcopy(&entry, top, sizeof(entry));
- }
-
- while (top != NULL) {
- node = top;
- (void) printhashnode(hp, node, bcopywrap, opts);
- top = node->ipe_next;
- free(node);
+ (void) printhashnode(hp, &entry, bcopywrap, opts, fields);
printed++;
}
+ if (last == 0)
+ ipferror(fd, "walking hash nodes");
if (printed == 0)
putchar(';');
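Review bot: `entry` is compared byte-for-byte against `zero` with bcmp() but is never initialised itself (only `zero` gets the bzero()), so the sentinel test reads whatever the stack held unless SIOCLOOKUPITER overwrites every byte of the struct, padding included. That is probably what the kernel does, but the dependency is invisible here; adding `bzero((char *)&entry, sizeof(entry));` next to the `zero` initialisation makes the loop independent of it at no cost. If the iterator holds a kernel-side token, note that a `break` on the zero entry or an ioctl() failure leaves the loop without releasing it; the release, if any, is outside this hunk.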
Modified: trunk/contrib/ipfilter/lib/printhashdata.c
===================================================================
--- trunk/contrib/ipfilter/lib/printhashdata.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printhashdata.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,23 +1,22 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
+#include <ctype.h>
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-void printhashdata(hp, opts)
-iphtable_t *hp;
-int opts;
+void
+printhashdata(hp, opts)
+ iphtable_t *hp;
+ int opts;
{
if ((opts & OPT_DEBUG) == 0) {
if ((hp->iph_type & IPHASH_ANON) == IPHASH_ANON)
- PRINTF("# 'anonymous' table\n");
+ PRINTF("# 'anonymous' table refs %d\n", hp->iph_ref);
if ((hp->iph_flags & IPHASH_DELETE) == IPHASH_DELETE)
PRINTF("# ");
switch (hp->iph_type & ~IPHASH_ANON)
@@ -38,10 +37,10 @@
PRINTF("%#x", hp->iph_type);
break;
}
- PRINTF(" role = ");
+ PRINTF(" role=");
} else {
PRINTF("Hash Table %s: %s",
- isdigit(*hp->iph_name) ? "Number" : "Name",
+ ISDIGIT(*hp->iph_name) ? "Number" : "Name",
hp->iph_name);
if ((hp->iph_type & IPHASH_ANON) == IPHASH_ANON)
PRINTF("(anon)");
@@ -49,33 +48,16 @@
PRINTF("Role: ");
}
- switch (hp->iph_unit)
- {
- case IPL_LOGNAT :
- PRINTF("nat");
- break;
- case IPL_LOGIPF :
- PRINTF("ipf");
- break;
- case IPL_LOGAUTH :
- PRINTF("auth");
- break;
- case IPL_LOGCOUNT :
- PRINTF("count");
- break;
- default :
- PRINTF("#%d", hp->iph_unit);
- break;
- }
+ printunit(hp->iph_unit);
if ((opts & OPT_DEBUG) == 0) {
if ((hp->iph_type & ~IPHASH_ANON) == IPHASH_LOOKUP)
- PRINTF(" type = hash");
- PRINTF(" %s = %s size = %lu",
- isdigit(*hp->iph_name) ? "number" : "name",
+ PRINTF(" type=hash");
+ PRINTF(" %s=%s size=%lu",
+ ISDIGIT(*hp->iph_name) ? "number" : "name",
hp->iph_name, (u_long)hp->iph_size);
if (hp->iph_seed != 0)
- PRINTF(" seed = %lu", hp->iph_seed);
+ PRINTF(" seed=%lu", hp->iph_seed);
putchar('\n');
} else {
PRINTF(" Type: ");
@@ -95,7 +77,7 @@
PRINTF("\t\tSize: %lu\tSeed: %lu",
(u_long)hp->iph_size, hp->iph_seed);
PRINTF("\tRef. Count: %d\tMasks: %#x\n", hp->iph_ref,
- hp->iph_masks);
+ hp->iph_maskset[0]);
}
if ((opts & OPT_DEBUG) != 0) {
@@ -103,8 +85,8 @@
int i;
for (i = 0; i < 32; i++) {
- if ((1 << i) & hp->iph_masks) {
- ntomask(4, i, &m.s_addr);
+ if ((1 << i) & hp->iph_maskset[0]) {
+ ntomask(AF_INET, i, &m.s_addr);
PRINTF("\t\tMask: %s\n", inet_ntoa(m));
}
}
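Review bot: `(1 << i) & hp->iph_maskset[0]` shifts a signed `int` constant for `i` up to 31, and `1 << 31` overflows a 32-bit `int`, which is undefined behaviour in C (and what the previous `iph_masks` test had too). Make the constant unsigned: `if ((1U << i) & hp->iph_maskset[0]) {`. Only `iph_maskset[0]` is examined and the masks are rendered with `ntomask(AF_INET, ...)`, so if the set has further words for IPv6 they are not shown in debug output; worth a one-line comment if that is intentional.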
Modified: trunk/contrib/ipfilter/lib/printhashnode.c
===================================================================
--- trunk/contrib/ipfilter/lib/printhashnode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printhashnode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printhashnode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,33 +8,49 @@
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-iphtent_t *printhashnode(iph, ipep, copyfunc, opts)
-iphtable_t *iph;
-iphtent_t *ipep;
-copyfunc_t copyfunc;
-int opts;
+iphtent_t *
+printhashnode(iph, ipep, copyfunc, opts, fields)
+ iphtable_t *iph;
+ iphtent_t *ipep;
+ copyfunc_t copyfunc;
+ int opts;
+ wordtab_t *fields;
{
iphtent_t ipe;
+ u_int hv;
+ int i;
if ((*copyfunc)(ipep, &ipe, sizeof(ipe)))
return NULL;
- ipe.ipe_addr.in4_addr = htonl(ipe.ipe_addr.in4_addr);
- ipe.ipe_mask.in4_addr = htonl(ipe.ipe_mask.in4_addr);
+ hv = IPE_V4_HASH_FN(ipe.ipe_addr.i6[0], ipe.ipe_mask.i6[0],
+ iph->iph_size);
- if ((opts & OPT_DEBUG) != 0) {
- PRINTF("\tAddress: %s",
+ if (fields != NULL) {
+ for (i = 0; fields[i].w_value != 0; i++) {
+ printpoolfield(&ipe, IPLT_HASH, i);
+ if (fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else if ((opts & OPT_DEBUG) != 0) {
+ PRINTF("\t%d\tAddress: %s", hv,
inet_ntoa(ipe.ipe_addr.in4));
- printmask((u_32_t *)&ipe.ipe_mask.in4_addr);
+ printmask(ipe.ipe_family, (u_32_t *)&ipe.ipe_mask.in4_addr);
PRINTF("\tRef. Count: %d\tGroup: %s\n", ipe.ipe_ref,
ipe.ipe_group);
+#ifdef USE_QUAD_T
+ PRINTF("\tHits: %"PRIu64"\tBytes: %"PRIu64"\n",
+ ipe.ipe_hits, ipe.ipe_bytes);
+#else
+ PRINTF("\tHits: %lu\tBytes: %lu\n",
+ ipe.ipe_hits, ipe.ipe_bytes);
+#endif
} else {
putchar(' ');
- printip((u_32_t *)&ipe.ipe_addr.in4_addr);
- printmask((u_32_t *)&ipe.ipe_mask.in4_addr);
+ printip(ipe.ipe_family, (u_32_t *)&ipe.ipe_addr.in4_addr);
+ printmask(ipe.ipe_family, (u_32_t *)&ipe.ipe_mask.in4_addr);
if (ipe.ipe_value != 0) {
switch (iph->iph_type & ~IPHASH_ANON)
{
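Review bot: The OPT_DEBUG branch prints the address with `inet_ntoa(ipe.ipe_addr.in4)` regardless of `ipe.ipe_family`, while the mask on the next line goes through `printmask(ipe.ipe_family, ...)` and the non-debug branch uses `printip(ipe.ipe_family, ...)`; for an IPv6 entry the debug line therefore shows the first four bytes as a dotted quad followed by a /N IPv6 prefix length. Use the same helper as the non-debug branch: `PRINTF("\t%d\tAddress: ", hv);` followed by `printip(ipe.ipe_family, (u_32_t *)&ipe.ipe_addr.in4_addr);`. Relatedly, `hv` is computed with IPE_V4_HASH_FN for every family, so the printed bucket is presumably only meaningful for IPv4 entries. The `fields != NULL` branch also uses bare `printf("\t")`/`printf("\n")` where the rest of the rewrite switched to `PRINTF`.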
@@ -41,7 +57,7 @@
case IPHASH_GROUPMAP :
if (strncmp(ipe.ipe_group, iph->iph_name,
FR_GROUPLEN))
- PRINTF(", group = %s", ipe.ipe_group);
+ PRINTF(", group=%s", ipe.ipe_group);
break;
}
}
Modified: trunk/contrib/ipfilter/lib/printhostmap.c
===================================================================
--- trunk/contrib/ipfilter/lib/printhostmap.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printhostmap.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,22 +1,31 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printhostmap.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printhostmap.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-void printhostmap(hmp, hv)
-hostmap_t *hmp;
-u_int hv;
+void
+printhostmap(hmp, hv)
+ hostmap_t *hmp;
+ u_int hv;
{
- printf("%s,", inet_ntoa(hmp->hm_srcip));
- printf("%s -> ", inet_ntoa(hmp->hm_dstip));
- printf("%s ", inet_ntoa(hmp->hm_mapip));
- printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_osrcip6, NULL);
+ putchar(',');
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_odstip6, NULL);
+ PRINTF(" -> ");
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_nsrcip6, NULL);
+ putchar(',');
+ printactiveaddress(hmp->hm_v, "%s", &hmp->hm_ndstip6, NULL);
+ putchar(' ');
+ PRINTF("(use = %d", hmp->hm_ref);
+ if (opts & OPT_VERBOSE)
+ PRINTF(" hv = %u", hv);
+ printf(")\n");
}
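Review bot: The last output call is still a bare `printf(")\n");` while every other line in the function was converted to `PRINTF`; make it `PRINTF(")\n");` so the function obeys the same redirection/void-cast convention as the rest of the library. `opts` is read here without being a parameter, so this relies on the global `opts` that ipf.h presumably declares; fine, but worth confirming since the old body did not depend on it.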
Modified: trunk/contrib/ipfilter/lib/printhostmask.c
===================================================================
--- trunk/contrib/ipfilter/lib/printhostmask.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printhostmask.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,19 +1,20 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printhostmask.c 268563 2014-07-12 05:59:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printhostmask.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
+void
+printhostmask(family, addr, mask)
+ int family;
+ u_32_t *addr, *mask;
{
#ifdef USE_INET6
char ipbuf[64];
@@ -21,26 +22,18 @@
struct in_addr ipa;
#endif
- if (!*addr && !*mask)
- printf("any");
+ if ((family == -1) || ((!addr || !*addr) && (!mask || !*mask)))
+ PRINTF("any");
else {
#ifdef USE_INET6
void *ptr = addr;
- int af;
- if (v == 4) {
- ptr = addr;
- af = AF_INET;
- } else if (v == 6) {
- ptr = addr;
- af = AF_INET6;
- } else
- af = 0;
- printf("%s", inet_ntop(af, ptr, ipbuf, sizeof(ipbuf)));
+ PRINTF("%s", inet_ntop(family, ptr, ipbuf, sizeof(ipbuf)));
#else
ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
+ PRINTF("%s", inet_ntoa(ipa));
#endif
- printmask(mask);
+ if (mask != NULL)
+ printmask(family, mask);
}
}
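Review bot: The new `any` test accepts `addr == NULL` via `!addr`, but the else branch still hands `addr` to inet_ntop() (or dereferences `*addr` in the non-INET6 build) whenever `mask` is non-NULL and non-zero, so a NULL address paired with a real mask now crashes instead of printing. Either require `addr != NULL` before the else branch or print `any` when it is NULL. inet_ntop() also returns NULL for a family it does not know, and `PRINTF("%s", NULL)` is undefined; guard it as printip() does: `const char *s = inet_ntop(family, ptr, ipbuf, sizeof(ipbuf));` then `PRINTF("%s", s != NULL ? s : "???");`.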
Modified: trunk/contrib/ipfilter/lib/printifname.c
===================================================================
--- trunk/contrib/ipfilter/lib/printifname.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printifname.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,20 +1,22 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printifname.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printifname.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-void printifname(format, name, ifp)
-char *format, *name;
-void *ifp;
+
+void
+printifname(format, name, ifp)
+ char *format, *name;
+ void *ifp;
{
- printf("%s%s", format, name);
+ PRINTF("%s%s", format, name);
if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
- printf("(!)");
+ PRINTF("(!)");
}
Modified: trunk/contrib/ipfilter/lib/printip.c
===================================================================
--- trunk/contrib/ipfilter/lib/printip.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printip.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,24 +1,43 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printip.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printip.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-void printip(addr)
-u_32_t *addr;
+void
+printip(family, addr)
+ int family;
+ u_32_t *addr;
{
struct in_addr ipa;
- ipa.s_addr = *addr;
- if (ntohl(ipa.s_addr) < 256)
- printf("%lu", (u_long)ntohl(ipa.s_addr));
+ if (family == AF_INET) {
+ ipa.s_addr = *addr;
+ if (ntohl(ipa.s_addr) < 256)
+ PRINTF("%lu", (u_long)ntohl(ipa.s_addr));
+ else
+ PRINTF("%s", inet_ntoa(ipa));
+ }
+#ifdef AF_INET6
+ else if (family == AF_INET6) {
+ char buf[INET6_ADDRSTRLEN + 1];
+ const char *str;
+
+ buf[0] = '\0';
+ str = inet_ntop(AF_INET6, addr, buf, sizeof(buf) - 1);
+ if (str != NULL)
+ PRINTF("%s", str);
+ else
+ PRINTF("???");
+ }
+#endif
else
- printf("%s", inet_ntoa(ipa));
+ PRINTF("?(%d)?", family);
}
Modified: trunk/contrib/ipfilter/lib/printlog.c
===================================================================
--- trunk/contrib/ipfilter/lib/printlog.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printlog.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printlog.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printlog.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -13,20 +13,21 @@
#include <syslog.h>
-void printlog(fp)
-frentry_t *fp;
+void
+printlog(fp)
+ frentry_t *fp;
{
char *s, *u;
- printf("log");
+ PRINTF("log");
if (fp->fr_flags & FR_LOGBODY)
- printf(" body");
+ PRINTF(" body");
if (fp->fr_flags & FR_LOGFIRST)
- printf(" first");
+ PRINTF(" first");
if (fp->fr_flags & FR_LOGORBLOCK)
- printf(" or-block");
+ PRINTF(" or-block");
if (fp->fr_loglevel != 0xffff) {
- printf(" level ");
+ PRINTF(" level ");
s = fac_toname(fp->fr_loglevel);
if (s == NULL || *s == '\0')
s = "!!!";
@@ -33,6 +34,6 @@
u = pri_toname(fp->fr_loglevel);
if (u == NULL || *u == '\0')
u = "!!!";
- printf("%s.%s", s, u);
+ PRINTF("%s.%s", s, u);
}
}
Modified: trunk/contrib/ipfilter/lib/printmask.c
===================================================================
--- trunk/contrib/ipfilter/lib/printmask.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printmask.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,30 +1,30 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printmask.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printmask.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-void printmask(mask)
-u_32_t *mask;
+void
+printmask(family, mask)
+ int family;
+ u_32_t *mask;
{
struct in_addr ipa;
int ones;
-#ifdef USE_INET6
- if (use_inet6)
- printf("/%d", count6bits(mask));
- else
-#endif
- if ((ones = count4bits(*mask)) == -1) {
+ if (family == AF_INET6) {
+ PRINTF("/%d", count6bits(mask));
+ } else if ((ones = count4bits(*mask)) == -1) {
ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
+ PRINTF("/%s", inet_ntoa(ipa));
+ } else {
+ PRINTF("/%d", ones);
+ }
}
Modified: trunk/contrib/ipfilter/lib/printnat.c
===================================================================
--- trunk/contrib/ipfilter/lib/printnat.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printnat.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printnat.c 272987 2014-10-12 16:51:02Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -13,230 +13,341 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
+
/*
* Print out a NAT rule
*/
-void printnat(np, opts)
-ipnat_t *np;
-int opts;
+void
+printnat(np, opts)
+ ipnat_t *np;
+ int opts;
{
- struct protoent *pr;
- int bits;
+ struct protoent *pr;
+ char *base;
+ int family;
+ int proto;
- pr = getprotobynumber(np->in_p);
+ if (np->in_v[0] == 4)
+ family = AF_INET;
+#ifdef USE_INET6
+ else if (np->in_v[0] == 6)
+ family = AF_INET6;
+#endif
+ else
+ family = AF_UNSPEC;
+ if (np->in_flags & IPN_NO)
+ PRINTF("no ");
+
switch (np->in_redir)
{
+ case NAT_REDIRECT|NAT_ENCAP :
+ PRINTF("encap in on");
+ proto = np->in_pr[0];
+ break;
+ case NAT_MAP|NAT_ENCAP :
+ PRINTF("encap out on");
+ proto = np->in_pr[1];
+ break;
+ case NAT_REDIRECT|NAT_DIVERTUDP :
+ PRINTF("divert in on");
+ proto = np->in_pr[0];
+ break;
+ case NAT_MAP|NAT_DIVERTUDP :
+ PRINTF("divert out on");
+ proto = np->in_pr[1];
+ break;
+ case NAT_REDIRECT|NAT_REWRITE :
+ PRINTF("rewrite in on");
+ proto = np->in_pr[0];
+ break;
+ case NAT_MAP|NAT_REWRITE :
+ PRINTF("rewrite out on");
+ proto = np->in_pr[1];
+ break;
case NAT_REDIRECT :
- printf("rdr");
+ PRINTF("rdr");
+ proto = np->in_pr[0];
break;
case NAT_MAP :
- printf("map");
+ PRINTF("map");
+ proto = np->in_pr[1];
break;
case NAT_MAPBLK :
- printf("map-block");
+ PRINTF("map-block");
+ proto = np->in_pr[1];
break;
case NAT_BIMAP :
- printf("bimap");
+ PRINTF("bimap");
+ proto = np->in_pr[0];
break;
default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
+ FPRINTF(stderr, "unknown value for in_redir: %#x\n",
np->in_redir);
+ proto = np->in_pr[0];
break;
}
- if (!strcmp(np->in_ifnames[0], "-"))
- printf(" \"%s\"", np->in_ifnames[0]);
+ pr = getprotobynumber(proto);
+
+ base = np->in_names;
+ if (!strcmp(base + np->in_ifnames[0], "-"))
+ PRINTF(" \"%s\"", base + np->in_ifnames[0]);
else
- printf(" %s", np->in_ifnames[0]);
- if ((np->in_ifnames[1][0] != '\0') &&
- (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0)) {
- if (!strcmp(np->in_ifnames[1], "-"))
- printf(",\"%s\"", np->in_ifnames[1]);
+ PRINTF(" %s", base + np->in_ifnames[0]);
+ if ((np->in_ifnames[1] != -1) &&
+ (strcmp(base + np->in_ifnames[0], base + np->in_ifnames[1]) != 0)) {
+ if (!strcmp(base + np->in_ifnames[1], "-"))
+ PRINTF(",\"%s\"", base + np->in_ifnames[1]);
else
- printf(",%s", np->in_ifnames[1]);
+ PRINTF(",%s", base + np->in_ifnames[1]);
}
putchar(' ');
+ if (family == AF_INET6)
+ PRINTF("inet6 ");
+
+ if (np->in_redir & (NAT_REWRITE|NAT_ENCAP|NAT_DIVERTUDP)) {
+ if ((proto != 0) || (np->in_flags & IPN_TCPUDP)) {
+ PRINTF("proto ");
+ printproto(pr, proto, np);
+ putchar(' ');
+ }
+ }
+
if (np->in_flags & IPN_FILTER) {
if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- }
+ PRINTF("! ");
+ PRINTF("from ");
+ printnataddr(np->in_v[0], np->in_names, &np->in_osrc,
+ np->in_ifnames[0]);
if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
+ printportcmp(proto, &np->in_tuc.ftu_src);
if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- }
+ PRINTF(" !");
+ PRINTF(" to ");
+ printnataddr(np->in_v[0], np->in_names, &np->in_odst,
+ np->in_ifnames[0]);
if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
+ printportcmp(proto, &np->in_tuc.ftu_dst);
}
- if (np->in_redir == NAT_REDIRECT) {
+ if (np->in_redir & (NAT_ENCAP|NAT_DIVERTUDP)) {
+ PRINTF(" -> src ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
+ if ((np->in_redir & NAT_DIVERTUDP) != 0)
+ PRINTF(",%u", np->in_spmin);
+ PRINTF(" dst ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_ndst,
+ np->in_ifnames[0]);
+ if ((np->in_redir & NAT_DIVERTUDP) != 0)
+ PRINTF(",%u udp", np->in_dpmin);
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF(";\n");
+
+ } else if (np->in_redir & NAT_REWRITE) {
+ PRINTF(" -> src ");
+ if (np->in_nsrc.na_atype == FRI_LOOKUP &&
+ np->in_nsrc.na_type == IPLT_DSTLIST) {
+ PRINTF("dstlist/");
+ if (np->in_nsrc.na_subtype == 0)
+ PRINTF("%d", np->in_nsrc.na_num);
+ else
+ PRINTF("%s", base + np->in_nsrc.na_num);
+ } else {
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
+ }
+ if ((((np->in_flags & IPN_TCPUDP) != 0)) &&
+ (np->in_spmin != 0)) {
+ if ((np->in_flags & IPN_FIXEDSPORT) != 0) {
+ PRINTF(",port = %u", np->in_spmin);
+ } else {
+ PRINTF(",%u", np->in_spmin);
+ if (np->in_spmax != np->in_spmin)
+ PRINTF("-%u", np->in_spmax);
+ }
+ }
+ PRINTF(" dst ");
+ if (np->in_ndst.na_atype == FRI_LOOKUP &&
+ np->in_ndst.na_type == IPLT_DSTLIST) {
+ PRINTF("dstlist/");
+ if (np->in_ndst.na_subtype == 0)
+ PRINTF("%d", np->in_nsrc.na_num);
+ else
+ PRINTF("%s", base + np->in_ndst.na_num);
+ } else {
+ printnataddr(np->in_v[1], np->in_names, &np->in_ndst,
+ np->in_ifnames[0]);
+ }
+ if ((((np->in_flags & IPN_TCPUDP) != 0)) &&
+ (np->in_dpmin != 0)) {
+ if ((np->in_flags & IPN_FIXEDDPORT) != 0) {
+ PRINTF(",port = %u", np->in_dpmin);
+ } else {
+ PRINTF(",%u", np->in_dpmin);
+ if (np->in_dpmax != np->in_dpmin)
+ PRINTF("-%u", np->in_dpmax);
+ }
+ }
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF(";\n");
+
+ } else if (np->in_redir == NAT_REDIRECT) {
if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0].in4));
- bits = count4bits(np->in_outmsk);
- if (bits != -1)
- printf("/%d", bits);
- else
- printf("/%s", inet_ntoa(np->in_out[1].in4));
+ printnataddr(np->in_v[0], np->in_names, &np->in_odst,
+ np->in_ifnames[0]);
if (np->in_flags & IPN_TCPUDP) {
- printf(" port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("-%d", ntohs(np->in_pmax));
+ PRINTF(" port %d", np->in_odport);
+ if (np->in_odport != np->in_dtop)
+ PRINTF("-%d", np->in_dtop);
}
}
- printf(" -> %s", inet_ntoa(np->in_in[0].in4));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1].in4));
- else if (np->in_inmsk == 0 && np->in_inip == 0)
- printf("/0");
+ if (np->in_flags & IPN_NO) {
+ putchar(' ');
+ printproto(pr, proto, np);
+ PRINTF(";\n");
+ return;
+ }
+ PRINTF(" -> ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_ndst,
+ np->in_ifnames[0]);
if (np->in_flags & IPN_TCPUDP) {
if ((np->in_flags & IPN_FIXEDDPORT) != 0)
- printf(" port = %d", ntohs(np->in_pnext));
- else
- printf(" port %d", ntohs(np->in_pnext));
+ PRINTF(" port = %d", np->in_dpmin);
+ else {
+ PRINTF(" port %d", np->in_dpmin);
+ if (np->in_dpmin != np->in_dpmax)
+ PRINTF("-%d", np->in_dpmax);
+ }
}
putchar(' ');
- printproto(pr, np->in_p, np);
+ printproto(pr, proto, np);
if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
+ PRINTF(" round-robin");
if (np->in_flags & IPN_FRAG)
- printf(" frag");
+ PRINTF(" frag");
if (np->in_age[0] != 0 || np->in_age[1] != 0) {
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
+ PRINTF(" age %d/%d", np->in_age[0], np->in_age[1]);
}
if (np->in_flags & IPN_STICKY)
- printf(" sticky");
+ PRINTF(" sticky");
if (np->in_mssclamp != 0)
- printf(" mssclamp %d", np->in_mssclamp);
- if (*np->in_plabel != '\0')
- printf(" proxy %.*s", (int)sizeof(np->in_plabel),
- np->in_plabel);
+ PRINTF(" mssclamp %d", np->in_mssclamp);
+ if (np->in_plabel != -1)
+ PRINTF(" proxy %s", np->in_names + np->in_plabel);
if (np->in_tag.ipt_tag[0] != '\0')
- printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);
- printf("\n");
+ PRINTF(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF("\n");
if (opts & OPT_DEBUG)
- printf("\tpmax %u\n", np->in_pmax);
+ PRINTF("\tpmax %u\n", np->in_dpmax);
+
} else {
int protoprinted = 0;
if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0].in4));
- bits = count4bits(np->in_inmsk);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1].in4));
+ printnataddr(np->in_v[0], np->in_names, &np->in_osrc,
+ np->in_ifnames[0]);
}
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0].in4));
- printf("%s", inet_ntoa(np->in_out[1].in4));
+ if (np->in_flags & IPN_NO) {
+ putchar(' ');
+ printproto(pr, proto, np);
+ PRINTF(";\n");
+ return;
+ }
+ PRINTF(" -> ");
+ if (np->in_flags & IPN_SIPRANGE) {
+ PRINTF("range ");
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
} else {
- printf("%s/", inet_ntoa(np->in_out[0].in4));
- bits = count4bits(np->in_outmsk);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1].in4));
+ printnataddr(np->in_v[1], np->in_names, &np->in_nsrc,
+ np->in_ifnames[0]);
}
- if (*np->in_plabel != '\0') {
- printf(" proxy port ");
- if (np->in_dcmp != 0)
- np->in_dport = htons(np->in_dport);
- if (np->in_dport != 0) {
+ if (np->in_plabel != -1) {
+ PRINTF(" proxy port ");
+ if (np->in_odport != 0) {
char *s;
- s = portname(np->in_p, ntohs(np->in_dport));
+ s = portname(proto, np->in_odport);
if (s != NULL)
fputs(s, stdout);
else
fputs("???", stdout);
}
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- printproto(pr, np->in_p, NULL);
+ PRINTF(" %s/", np->in_names + np->in_plabel);
+ printproto(pr, proto, NULL);
protoprinted = 1;
} else if (np->in_redir == NAT_MAPBLK) {
- if ((np->in_pmin == 0) &&
+ if ((np->in_spmin == 0) &&
(np->in_flags & IPN_AUTOPORTMAP))
- printf(" ports auto");
+ PRINTF(" ports auto");
else
- printf(" ports %d", np->in_pmin);
+ PRINTF(" ports %d", np->in_spmin);
if (opts & OPT_DEBUG)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
+ PRINTF("\n\tip modulous %d", np->in_spmax);
+
+ } else if (np->in_spmin || np->in_spmax) {
if (np->in_flags & IPN_ICMPQUERY) {
- printf(" icmpidmap ");
+ PRINTF(" icmpidmap ");
} else {
- printf(" portmap ");
+ PRINTF(" portmap ");
}
- printproto(pr, np->in_p, np);
+ printproto(pr, proto, np);
protoprinted = 1;
if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
+ PRINTF(" auto");
if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
+ PRINTF(" [%d:%d %d %d]",
+ np->in_spmin, np->in_spmax,
np->in_ippip, np->in_ppip);
} else {
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
+ PRINTF(" %d:%d", np->in_spmin, np->in_spmax);
}
+ if (np->in_flags & IPN_SEQUENTIAL)
+ PRINTF(" sequential");
}
if (np->in_flags & IPN_FRAG)
- printf(" frag");
+ PRINTF(" frag");
if (np->in_age[0] != 0 || np->in_age[1] != 0) {
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
+ PRINTF(" age %d/%d", np->in_age[0], np->in_age[1]);
}
if (np->in_mssclamp != 0)
- printf(" mssclamp %d", np->in_mssclamp);
+ PRINTF(" mssclamp %d", np->in_mssclamp);
if (np->in_tag.ipt_tag[0] != '\0')
- printf(" tag %s", np->in_tag.ipt_tag);
- if (!protoprinted && (np->in_flags & IPN_TCPUDP || np->in_p)) {
+ PRINTF(" tag %s", np->in_tag.ipt_tag);
+ if (!protoprinted && (np->in_flags & IPN_TCPUDP || proto)) {
putchar(' ');
- printproto(pr, np->in_p, np);
+ printproto(pr, proto, np);
}
- if (np->in_flags & IPN_SEQUENTIAL)
- printf(" sequential");
- printf("\n");
+ if ((np->in_flags & IPN_PURGE) != 0)
+ PRINTF(" purge");
+ PRINTF("\n");
if (opts & OPT_DEBUG) {
- struct in_addr nip;
-
- nip.s_addr = htonl(np->in_nextip.s_addr);
-
- printf("\tnextip %s pnext %d\n",
- inet_ntoa(nip), np->in_pnext);
+ PRINTF("\tnextip ");
+ printip(family, &np->in_snip);
+ PRINTF(" pnext %d\n", np->in_spnext);
}
}
if (opts & OPT_DEBUG) {
- printf("\tspace %lu use %u hits %lu flags %#x proto %d hv %d\n",
+ PRINTF("\tspace %lu use %u hits %lu flags %#x proto %d/%d",
np->in_space, np->in_use, np->in_hits,
- np->in_flags, np->in_p, np->in_hv);
- printf("\tifp[0] %p ifp[1] %p apr %p\n",
+ np->in_flags, np->in_pr[0], np->in_pr[1]);
+ PRINTF(" hv %u/%u\n", np->in_hv[0], np->in_hv[1]);
+ PRINTF("\tifp[0] %p ifp[1] %p apr %p\n",
np->in_ifps[0], np->in_ifps[1], np->in_apr);
- printf("\ttqehead %p/%p comment %p\n",
+ PRINTF("\ttqehead %p/%p comment %p\n",
np->in_tqehead[0], np->in_tqehead[1], np->in_comment);
}
}
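Review bot: In the NAT_REWRITE path the numeric destination list prints the wrong field: the `dst` branch reads `if (np->in_ndst.na_subtype == 0) PRINTF("%d", np->in_nsrc.na_num);`, a copy of the `src` branch above it, so a `dstlist/N` rule is displayed with the source list's number. It should be `PRINTF("%d", np->in_ndst.na_num);` to match the string case two lines below. Separately, `in_ifnames[1]` is checked against -1 before `base + np->in_ifnames[1]` is formed, but `in_ifnames[0]` is used unconditionally; if a rule can carry no first interface name, `base - 1` is read out of bounds, so either the check is needed there too or a comment should state that `in_ifnames[0]` is always set.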
Modified: trunk/contrib/ipfilter/lib/printpacket.c
===================================================================
--- trunk/contrib/ipfilter/lib/printpacket.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printpacket.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printpacket.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printpacket.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -15,32 +15,43 @@
#endif
-void printpacket(ip)
-struct ip *ip;
+void
+printpacket(dir, m)
+ int dir;
+ mb_t *m;
{
- struct tcphdr *tcp;
- u_short len;
- u_short off;
+ u_short len, off;
+ tcphdr_t *tcp;
+ ip_t *ip;
+ ip = MTOD(m, ip_t *);
+
if (IP_V(ip) == 6) {
- off = 0;
- len = ntohs(((u_short *)ip)[2]) + 40;
+#ifdef USE_INET6
+ len = ntohs(((ip6_t *)ip)->ip6_plen);
+#else
+ len = ntohs(((u_short *)ip)[2]);
+#endif
+ len += 40;
} else {
- off = ntohs(ip->ip_off);
len = ntohs(ip->ip_len);
}
+ ASSERT(len == msgdsize(m));
if ((opts & OPT_HEX) == OPT_HEX) {
u_char *s;
int i;
- for (s = (u_char *)ip, i = 0; i < len; i++) {
- printf("%02x", *s++ & 0xff);
- if (len - i > 1) {
- i++;
- printf("%02x", *s++ & 0xff);
+ for (; m != NULL; m = m->mb_next) {
+ len = m->mb_len;
+ for (s = (u_char *)m->mb_data, i = 0; i < len; i++) {
+ PRINTF("%02x", *s++ & 0xff);
+ if (len - i > 1) {
+ i++;
+ PRINTF("%02x", *s++ & 0xff);
+ }
+ putchar(' ');
}
- putchar(' ');
}
putchar('\n');
putchar('\n');
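Review bot: `len` is declared `u_short`, and for IPv6 the code computes `len = ntohs(ip6_plen); len += 40;`, which wraps for payload lengths above 65495, so the `ASSERT(len == msgdsize(m))` compares against a truncated value in exactly the range where it would matter. Declaring `u_int len, off;` (or `size_t` for `len`) removes the wrap. Note also that apart from that ASSERT nothing outside the hex loop consumes `len`, so in a build where ASSERT expands to nothing the header-length computation is dead and `-Wunused-but-set-variable` may complain; the hex loop reassigns it from `m->mb_len`. printpacket() continues past this hunk.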
@@ -48,24 +59,32 @@
}
if (IP_V(ip) == 6) {
- printpacket6(ip);
+ printpacket6(dir, m);
return;
}
+ if (dir)
+ PRINTF("> ");
+ else
+ PRINTF("< ");
+
+ PRINTF("%s ", IFNAME(m->mb_ifp));
+
+ off = ntohs(ip->ip_off);
tcp = (struct tcphdr *)((char *)ip + (IP_HL(ip) << 2));
- printf("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
+ PRINTF("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
IP_HL(ip) << 2, ip->ip_p);
if (off & IP_OFFMASK)
- printf(" @%d", (off & IP_OFFMASK) << 3);
- printf(" %s", inet_ntoa(ip->ip_src));
+ PRINTF(" @%d", off << 3);
+ PRINTF(" %s", inet_ntoa(ip->ip_src));
if (!(off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", ntohs(tcp->th_sport));
- printf(" > ");
- printf("%s", inet_ntoa(ip->ip_dst));
+ PRINTF(",%d", ntohs(tcp->th_sport));
+ PRINTF(" > ");
+ PRINTF("%s", inet_ntoa(ip->ip_dst));
if (!(off & IP_OFFMASK)) {
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", ntohs(tcp->th_dport));
+ PRINTF(",%d", ntohs(tcp->th_dport));
if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags != 0)) {
putchar(' ');
if (tcp->th_flags & TH_FIN)
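Review bot: `PRINTF(" @%d", off << 3)` dropped the `& IP_OFFMASK` mask that the removed line had, so the IP_MF/IP_DF flag bits of `ip_off` now shift into the printed fragment offset; it should read `PRINTF(" @%d", (off & IP_OFFMASK) << 3);`. The `tcp->th_sport` and `tcp->th_dport` reads that follow still assume the first mbuf holds `IP_HL(ip) << 2` bytes plus the four port bytes, and nothing in the hunk checks that — the ASSERT earlier in the function compares the declared length against the whole chain, as far as the visible lines show. printpacket continues past the end of this hunk.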
Modified: trunk/contrib/ipfilter/lib/printpacket6.c
===================================================================
--- trunk/contrib/ipfilter/lib/printpacket6.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printpacket6.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printpacket6.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printpacket6.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -14,8 +14,10 @@
* This is meant to work without the IPv6 header files being present or
* the inet_ntop() library.
*/
-void printpacket6(ip)
-struct ip *ip;
+void
+printpacket6(dir, m)
+ int dir;
+ mb_t *m;
{
u_char *buf, p;
u_short plen, *addrs;
@@ -22,7 +24,7 @@
tcphdr_t *tcp;
u_32_t flow;
- buf = (u_char *)ip;
+ buf = (u_char *)m->mb_data;
tcp = (tcphdr_t *)(buf + 40);
p = buf[6];
flow = ntohl(*(u_32_t *)buf);
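Review bot: `buf = (u_char *)m->mb_data` looks only at the first segment of the chain, and the following `tcp = (tcphdr_t *)(buf + 40)` together with the `addrs` and `tcp->th_sport` reads later in the function assume that segment holds the 40-byte IPv6 header plus the transport ports. The caller's ASSERT in printpacket.c compares the declared length with msgdsize() of the whole chain rather than with `m->mb_len`, so a short first segment is not excluded by anything visible here; a guard such as `if (m->mb_len < 40) return;` before the casts would make the assumption explicit. The `*(u_32_t *)buf` dereference on the next line is an unaligned, type-punned read of packet bytes that predates the commit; a memcpy into a u_32_t is the portable form. printpacket6's body starts and ends outside this hunk.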
@@ -30,22 +32,29 @@
plen = ntohs(*((u_short *)buf +2));
addrs = (u_short *)buf + 4;
- printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+ if (dir)
+ PRINTF("> ");
+ else
+ PRINTF("< ");
+
+ PRINTF("%s ", IFNAME(m->mb_ifp));
+
+ PRINTF("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
+ PRINTF(" %x:%x:%x:%x:%x:%x:%x:%x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- printf(" >");
+ (void)PRINTF(",%d", ntohs(tcp->th_sport));
+ PRINTF(" >");
addrs += 8;
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+ PRINTF(" %x:%x:%x:%x:%x:%x:%x:%x",
ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
ntohs(addrs[6]), ntohs(addrs[7]));
if (plen >= 4)
if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
+ PRINTF(",%d", ntohs(tcp->th_dport));
putchar('\n');
}
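Review bot: `(void)PRINTF(",%d", ntohs(tcp->th_sport))` keeps a `(void)` cast that the matching `th_dport` line in the same hunk drops, and if PRINTF already expands to `(void)printf` the cast is doubled; make it `PRINTF(",%d", ntohs(tcp->th_sport));`. Note that the `plen >= 4` guard on both port lines tests the payload length the header claims, not the bytes actually present in the buffer, so it does not by itself bound the `tcp->` reads.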
Modified: trunk/contrib/ipfilter/lib/printpool.c
===================================================================
--- trunk/contrib/ipfilter/lib/printpool.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printpool.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printpool.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,16 +8,16 @@
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ip_pool_t *printpool(pp, copyfunc, name, opts)
-ip_pool_t *pp;
-copyfunc_t copyfunc;
-char *name;
-int opts;
+ip_pool_t *
+printpool(pp, copyfunc, name, opts, fields)
+ ip_pool_t *pp;
+ copyfunc_t copyfunc;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
- ip_pool_node_t *ipnp, *ipnpn, ipn;
+ ip_pool_node_t *ipnp, *ipnpn, ipn, **pnext;
ip_pool_t ipp;
if ((*copyfunc)(pp, &ipp, sizeof(ipp)))
@@ -35,19 +35,22 @@
ipnpn = ipp.ipo_list;
ipp.ipo_list = NULL;
+ pnext = &ipp.ipo_list;
while (ipnpn != NULL) {
ipnp = (ip_pool_node_t *)malloc(sizeof(*ipnp));
(*copyfunc)(ipnpn, ipnp, sizeof(ipn));
ipnpn = ipnp->ipn_next;
- ipnp->ipn_next = ipp.ipo_list;
- ipp.ipo_list = ipnp;
+ *pnext = ipnp;
+ pnext = &ipnp->ipn_next;
+ ipnp->ipn_next = NULL;
}
if (ipp.ipo_list == NULL) {
putchar(';');
} else {
- for (ipnp = ipp.ipo_list; ipnp != NULL; ) {
- ipnp = printpoolnode(ipnp, opts);
+ for (ipnp = ipp.ipo_list; ipnp != NULL; ipnp = ipnpn) {
+ ipnpn = printpoolnode(ipnp, opts, fields);
+ free(ipnp);
if ((opts & OPT_DEBUG) == 0) {
putchar(';');
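Review bot: In the copy loop the result of `ipnp = (ip_pool_node_t *)malloc(sizeof(*ipnp))` and the return value of `(*copyfunc)(ipnpn, ipnp, sizeof(ipn))` both go unchecked, although the first copy at the top of the function does test copyfunc's result. With the new `*pnext = ipnp` linkage a failed allocation dereferences NULL, and a failed copy leaves `ipnp->ipn_next` indeterminate and then uses it as the address of the next node to read. Stopping the walk on either failure keeps the partially built list well-formed for the print-and-free loop below, which already releases every node it visits. printpool's body starts and ends outside this hunk.
```c
	while (ipnpn != NULL) {
		ipnp = (ip_pool_node_t *)malloc(sizeof(*ipnp));
		if (ipnp == NULL)
			break;
		if ((*copyfunc)(ipnpn, ipnp, sizeof(ipn))) {
			free(ipnp);
			break;
		}
		ipnpn = ipnp->ipn_next;
		/* … unchanged: append the node through pnext … */
	}
```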
Modified: trunk/contrib/ipfilter/lib/printpool_live.c
===================================================================
--- trunk/contrib/ipfilter/lib/printpool_live.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printpool_live.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,17 +8,16 @@
#include "ipf.h"
#include "netinet/ipl.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ip_pool_t *printpool_live(pool, fd, name, opts)
-ip_pool_t *pool;
-int fd;
-char *name;
-int opts;
+ip_pool_t *
+printpool_live(pool, fd, name, opts, fields)
+ ip_pool_t *pool;
+ int fd;
+ char *name;
+ int opts;
+ wordtab_t *fields;
{
- ip_pool_node_t entry, *top, *node;
+ ip_pool_node_t entry;
ipflookupiter_t iter;
int printed, last;
ipfobj_t obj;
@@ -26,7 +25,8 @@
if ((name != NULL) && strncmp(name, pool->ipo_name, FR_GROUPLEN))
return pool->ipo_next;
- printpooldata(pool, opts);
+ if (fields == NULL)
+ printpooldata(pool, opts);
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
@@ -46,30 +46,19 @@
strncpy(iter.ili_name, pool->ipo_name, FR_GROUPLEN);
last = 0;
- top = NULL;
printed = 0;
- while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
- if (entry.ipn_next == NULL)
- last = 1;
- node = malloc(sizeof(*top));
- if (node == NULL)
- break;
- bcopy(&entry, node, sizeof(entry));
- node->ipn_next = top;
- top = node;
+ if (pool->ipo_list != NULL) {
+ while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
+ if (entry.ipn_next == NULL)
+ last = 1;
+ (void) printpoolnode(&entry, opts, fields);
+ if ((opts & OPT_DEBUG) == 0)
+ putchar(';');
+ printed++;
+ }
}
- while (top != NULL) {
- node = top;
- (void) printpoolnode(node, opts);
- if ((opts & OPT_DEBUG) == 0)
- putchar(';');
- top = node->ipn_next;
- free(node);
- printed++;
- }
-
if (printed == 0)
putchar(';');
@@ -76,8 +65,7 @@
if ((opts & OPT_DEBUG) == 0)
PRINTF(" };\n");
- if (ioctl(fd, SIOCIPFDELTOK, &iter.ili_key) != 0)
- perror("SIOCIPFDELTOK");
+ (void) ioctl(fd,SIOCIPFDELTOK, &iter.ili_key);
return pool->ipo_next;
}
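Review bot: `(void) ioctl(fd,SIOCIPFDELTOK, &iter.ili_key);` silently discards a result that the removed lines reported with perror(), so a failure to release the iterator token now leaves no trace at all; reporting it at least in debug mode, `if (ioctl(fd, SIOCIPFDELTOK, &iter.ili_key) != 0 && (opts & OPT_DEBUG) != 0) perror("SIOCIPFDELTOK");`, keeps normal output quiet without hiding the error. The missing space after `fd,` is also inconsistent with the `ioctl(fd, SIOCLOOKUPITER, &obj)` call in the previous hunk.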
Modified: trunk/contrib/ipfilter/lib/printpooldata.c
===================================================================
--- trunk/contrib/ipfilter/lib/printpooldata.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printpooldata.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,17 +1,17 @@
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#include "ipf.h"
+#include <ctype.h>
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-void printpooldata(pool, opts)
-ip_pool_t *pool;
-int opts;
+void
+printpooldata(pool, opts)
+ ip_pool_t *pool;
+ int opts;
{
if ((opts & OPT_DEBUG) == 0) {
@@ -19,12 +19,12 @@
PRINTF("# 'anonymous' tree %s\n", pool->ipo_name);
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
- PRINTF("table role = ");
+ PRINTF("table role=");
} else {
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
PRINTF("%s: %s",
- isdigit(*pool->ipo_name) ? "Number" : "Name",
+ ISDIGIT(*pool->ipo_name) ? "Number" : "Name",
pool->ipo_name);
if ((pool->ipo_flags & IPOOL_ANON) == IPOOL_ANON)
PRINTF("(anon)");
@@ -32,40 +32,12 @@
PRINTF("Role: ");
}
- switch (pool->ipo_unit)
- {
- case IPL_LOGIPF :
- printf("ipf");
- break;
- case IPL_LOGNAT :
- printf("nat");
- break;
- case IPL_LOGSTATE :
- printf("state");
- break;
- case IPL_LOGAUTH :
- printf("auth");
- break;
- case IPL_LOGSYNC :
- printf("sync");
- break;
- case IPL_LOGSCAN :
- printf("scan");
- break;
- case IPL_LOGLOOKUP :
- printf("lookup");
- break;
- case IPL_LOGCOUNT :
- printf("count");
- break;
- default :
- printf("unknown(%d)", pool->ipo_unit);
- }
+ printunit(pool->ipo_unit);
if ((opts & OPT_DEBUG) == 0) {
- PRINTF(" type = tree %s = %s\n",
- isdigit(*pool->ipo_name) ? "number" : "name",
- pool->ipo_name);
+ PRINTF(" type=tree %s=%s\n",
+ (!*pool->ipo_name || ISDIGIT(*pool->ipo_name)) ? \
+ "number" : "name", pool->ipo_name);
} else {
putchar(' ');
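Review bot: The new `(!*pool->ipo_name || ISDIGIT(*pool->ipo_name)) ? \` line ends in a stray backslash line continuation inside a ternary, which is legal but confusing; drop the `\`. The empty-name case added here is not mirrored by the `ISDIGIT(*pool->ipo_name) ? "Number" : "Name"` line in the previous hunk, so the debug and non-debug listings classify an empty name differently. If ISDIGIT does not cast its argument to unsigned char, passing a plain `char` from `ipo_name` is the usual ctype sign pitfall — worth confirming against its definition, since this hunk replaces direct isdigit() calls with it. printpooldata continues past the end of this hunk.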
Modified: trunk/contrib/ipfilter/lib/printpoolnode.c
===================================================================
--- trunk/contrib/ipfilter/lib/printpoolnode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printpoolnode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printpoolnode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,26 +8,44 @@
#include "ipf.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ip_pool_node_t *printpoolnode(np, opts)
-ip_pool_node_t *np;
-int opts;
+ip_pool_node_t *
+printpoolnode(np, opts, fields)
+ ip_pool_node_t *np;
+ int opts;
+ wordtab_t *fields;
{
+ int i;
- if ((opts & OPT_DEBUG) == 0) {
+ if (fields != NULL) {
+ for (i = 0; fields[i].w_value != 0; i++) {
+ printpoolfield(np, IPLT_POOL, i);
+ if (fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else if ((opts & OPT_DEBUG) == 0) {
putchar(' ');
if (np->ipn_info == 1)
PRINTF("! ");
- printip((u_32_t *)&np->ipn_addr.adf_addr.in4);
- printmask((u_32_t *)&np->ipn_mask.adf_addr);
+ printip(np->ipn_addr.adf_family,
+ (u_32_t *)&np->ipn_addr.adf_addr.in4);
+ printmask(np->ipn_addr.adf_family,
+ (u_32_t *)&np->ipn_mask.adf_addr);
} else {
PRINTF("\tAddress: %s%s", np->ipn_info ? "! " : "",
inet_ntoa(np->ipn_addr.adf_addr.in4));
- printmask((u_32_t *)&np->ipn_mask.adf_addr);
- PRINTF("\t\tHits %lu\tName %s\tRef %d\n",
- np->ipn_hits, np->ipn_name, np->ipn_ref);
+ printmask(np->ipn_addr.adf_family,
+ (u_32_t *)&np->ipn_mask.adf_addr);
+#ifdef USE_QUAD_T
+ PRINTF("\n\t\tHits %"PRIu64"\tBytes %"PRIu64"\tName %s\tRef %d\n",
+ np->ipn_hits, np->ipn_bytes,
+ np->ipn_name, np->ipn_ref);
+#else
+ PRINTF("\n\t\tHits %lu\tBytes %lu\tName %s\tRef %d\n",
+ np->ipn_hits, np->ipn_bytes,
+ np->ipn_name, np->ipn_ref);
+#endif
}
return np->ipn_next;
}
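Review bot: The debug branch still formats the address with `inet_ntoa(np->ipn_addr.adf_addr.in4)` while the same commit now passes `np->ipn_addr.adf_family` to printip() and printmask() on both branches, so an IPv6 node prints its first four bytes as an IPv4 address in the OPT_DEBUG listing; `PRINTF("\tAddress: %s", np->ipn_info ? "! " : "");` followed by `printip(np->ipn_addr.adf_family, (u_32_t *)&np->ipn_addr.adf_addr.in4);` would keep the two paths consistent. The new `fields` loop uses bare `printf("\t")` and `printf("\n")` where the rest of the function, and the other files touched by this commit, use PRINTF. The PRIu64 conversions under USE_QUAD_T need <inttypes.h> to be reachable through ipf.h, which nothing in this hunk shows.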
Modified: trunk/contrib/ipfilter/lib/printportcmp.c
===================================================================
--- trunk/contrib/ipfilter/lib/printportcmp.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printportcmp.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,29 +1,30 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printportcmp.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printportcmp.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
+void
+printportcmp(pr, frp)
+ int pr;
+ frpcmp_t *frp;
{
static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
"<>", "><", ":" };
if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
+ PRINTF(" port %d %s %d", frp->frp_port,
pcmp1[frp->frp_cmp], frp->frp_top);
else if (frp->frp_cmp == FR_INCRANGE)
- printf(" port %d:%d", frp->frp_port, frp->frp_top);
+ PRINTF(" port %d:%d", frp->frp_port, frp->frp_top);
else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
+ PRINTF(" port %s %s", pcmp1[frp->frp_cmp],
portname(pr, frp->frp_port));
}
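Review bot: `pcmp1[frp->frp_cmp]` indexes a ten-entry table with `frp_cmp` and nothing in the function bounds it, so a comparison code outside 0..9 reads past the array; a `frp->frp_cmp < sizeof(pcmp1) / sizeof(pcmp1[0])` test, or a fallback string for unknown codes, would make the function safe regardless of where the frpcmp_t came from. The table holds string literals and should be `static const char *pcmp1[]` so a write through it is rejected at compile time. How FR_INRANGE and the other codes line up with the table order is not visible here and has to be taken on trust from ipf.h.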
Modified: trunk/contrib/ipfilter/lib/printproto.c
===================================================================
--- trunk/contrib/ipfilter/lib/printproto.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printproto.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -8,44 +8,48 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.1.1 2008-11-22 14:33:10 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
-void printproto(pr, p, np)
-struct protoent *pr;
-int p;
-ipnat_t *np;
+void
+printproto(pr, p, np)
+ struct protoent *pr;
+ int p;
+ ipnat_t *np;
{
if (np != NULL) {
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf("tcp/udp");
+ PRINTF("tcp/udp");
else if (np->in_flags & IPN_TCP)
- printf("tcp");
+ PRINTF("tcp");
else if (np->in_flags & IPN_UDP)
- printf("udp");
+ PRINTF("udp");
else if (np->in_flags & IPN_ICMPQUERY)
- printf("icmp");
+ PRINTF("icmp");
#ifdef _AIX51
/*
* To make up for "ip = 252" and "hopopt = 0" in /etc/protocols
+ * The IANA has doubled up on the definition of 0 - it is now
+ * also used for IPv6 hop-opts, so we can no longer rely on
+ * /etc/protocols providing the correct name->number mapping.
*/
- else if (np->in_p == 0)
- printf("ip");
#endif
+ else if (np->in_pr[0] == 0)
+ PRINTF("ip");
else if (pr != NULL)
- printf("%s", pr->p_name);
+ PRINTF("%s", pr->p_name);
else
- printf("%d", np->in_p);
+ PRINTF("%d", np->in_pr[0]);
} else {
#ifdef _AIX51
if (p == 0)
- printf("ip");
+ PRINTF("ip");
else
#endif
if (pr != NULL)
- printf("%s", pr->p_name);
+ PRINTF("%s", pr->p_name);
else
- printf("%d", p);
+ PRINTF("%d", p);
}
}
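Review bot: After this change the `#ifdef _AIX51` block at the top of the `np != NULL` path contains only a comment, while the `else if (np->in_pr[0] == 0) PRINTF("ip")` branch it describes is now unconditional; the `np == NULL` path below still guards its `p == 0` case with `#ifdef _AIX51`, so the two paths disagree about protocol 0 on non-AIX systems. Either make the second check unconditional too — `if (p == 0) PRINTF("ip"); else if (pr != NULL) PRINTF("%s", pr->p_name);` — or keep both AIX-only, and move the comment out of the `#ifdef` so it sits beside the code it explains.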
Modified: trunk/contrib/ipfilter/lib/printsbuf.c
===================================================================
--- trunk/contrib/ipfilter/lib/printsbuf.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printsbuf.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printsbuf.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printsbuf.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#ifdef IPFILTER_SCAN
@@ -15,8 +15,9 @@
#include "ipf.h"
#include "netinet/ip_scan.h"
-void printsbuf(buf)
-char *buf;
+void
+printsbuf(buf)
+ char *buf;
{
u_char *s;
int i;
@@ -25,8 +26,17 @@
if (ISPRINT(*s))
putchar(*s);
else
- printf("\\%o", *s);
+ PRINTF("\\%o", *s);
}
}
+#else
+void printsbuf(char *buf);
+void printsbuf(buf)
+ char *buf;
+{
+#if 0
+ buf = buf; /* gcc -Wextra */
#endif
+}
+#endif
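Review bot: The non-IPFILTER_SCAN stub wraps `buf = buf;` in `#if 0`, which makes it dead text and leaves in place the unused-parameter warning it was meant to silence; `(void)buf;` does that portably. The prototype `void printsbuf(char *buf);` placed immediately before the definition suggests the declaration is missing from the header when IPFILTER_SCAN is off; declaring it in ipf.h for both configurations would avoid this in-file duplication.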
Modified: trunk/contrib/ipfilter/lib/printstate.c
===================================================================
--- trunk/contrib/ipfilter/lib/printstate.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printstate.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printstate.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -9,68 +9,95 @@
#include "ipf.h"
#include "kmem.h"
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-ipstate_t *printstate(sp, opts, now)
-ipstate_t *sp;
-int opts;
-u_long now;
+ipstate_t *
+printstate(sp, opts, now)
+ ipstate_t *sp;
+ int opts;
+ u_long now;
{
+ struct protoent *pr;
synclist_t ipsync;
+ if ((opts & OPT_NORESOLVE) == 0)
+ pr = getprotobynumber(sp->is_p);
+ else
+ pr = NULL;
+
+ PRINTF("%d:", sp->is_v);
+ if (pr != NULL)
+ PRINTF("%s", pr->p_name);
+ else
+ PRINTF("%d", sp->is_p);
+
+ PRINTF(" src:%s", hostname(sp->is_family, &sp->is_src.in4));
+ if (sp->is_p == IPPROTO_UDP || sp->is_p == IPPROTO_TCP) {
+ if (sp->is_flags & IS_WSPORT)
+ PRINTF(",*");
+ else
+ PRINTF(",%d", ntohs(sp->is_sport));
+ }
+
+ PRINTF(" dst:%s", hostname(sp->is_family, &sp->is_dst.in4));
+ if (sp->is_p == IPPROTO_UDP || sp->is_p == IPPROTO_TCP) {
+ if (sp->is_flags & IS_WDPORT)
+ PRINTF(",*");
+ else
+ PRINTF(",%d", ntohs(sp->is_dport));
+ }
+
+ if (sp->is_p == IPPROTO_TCP) {
+ PRINTF(" state:%d/%d", sp->is_state[0], sp->is_state[1]);
+ }
+
+ PRINTF(" %ld", sp->is_die - now);
if (sp->is_phnext == NULL)
- PRINTF("ORPHAN ");
- PRINTF("%s -> ", hostname(sp->is_v, &sp->is_src.in4));
- PRINTF("%s pass %#x pr %d state %d/%d",
- hostname(sp->is_v, &sp->is_dst.in4), sp->is_pass, sp->is_p,
- sp->is_state[0], sp->is_state[1]);
- if (opts & OPT_DEBUG)
- PRINTF(" bkt %d ref %d", sp->is_hv, sp->is_ref);
- PRINTF("\n\ttag %u ttl %lu", sp->is_tag, sp->is_die - now);
+ PRINTF(" ORPHAN");
+ if (sp->is_flags & IS_CLONE)
+ PRINTF(" CLONE");
+ putchar('\n');
if (sp->is_p == IPPROTO_TCP) {
- PRINTF("\n\t%hu -> %hu %x:%x %hu<<%d:%hu<<%d\n",
- ntohs(sp->is_sport), ntohs(sp->is_dport),
+ PRINTF("\t%x:%x %hu<<%d:%hu<<%d\n",
sp->is_send, sp->is_dend,
sp->is_maxswin, sp->is_swinscale,
sp->is_maxdwin, sp->is_dwinscale);
- PRINTF("\tcmsk %04x smsk %04x s0 %08x/%08x\n",
- sp->is_smsk[0], sp->is_smsk[1],
- sp->is_s0[0], sp->is_s0[1]);
- PRINTF("\tFWD:ISN inc %x sumd %x\n",
- sp->is_isninc[0], sp->is_sumd[0]);
- PRINTF("\tREV:ISN inc %x sumd %x\n",
- sp->is_isninc[1], sp->is_sumd[1]);
+ if ((opts & OPT_VERBOSE) != 0) {
+ PRINTF("\tcmsk %04x smsk %04x isc %p s0 %08x/%08x\n",
+ sp->is_smsk[0], sp->is_smsk[1], sp->is_isc,
+ sp->is_s0[0], sp->is_s0[1]);
+ PRINTF("\tFWD: ISN inc %x sumd %x\n",
+ sp->is_isninc[0], sp->is_sumd[0]);
+ PRINTF("\tREV: ISN inc %x sumd %x\n",
+ sp->is_isninc[1], sp->is_sumd[1]);
#ifdef IPFILTER_SCAN
- PRINTF("\tsbuf[0] [");
- printsbuf(sp->is_sbuf[0]);
- PRINTF("] sbuf[1] [");
- printsbuf(sp->is_sbuf[1]);
- PRINTF("]\n");
+ PRINTF("\tsbuf[0] [");
+ printsbuf(sp->is_sbuf[0]);
+ PRINTF("] sbuf[1] [");
+ printsbuf(sp->is_sbuf[1]);
+ PRINTF("]\n");
#endif
- } else if (sp->is_p == IPPROTO_UDP) {
- PRINTF(" %hu -> %hu\n", ntohs(sp->is_sport),
- ntohs(sp->is_dport));
+ }
} else if (sp->is_p == IPPROTO_GRE) {
- PRINTF(" call %hx/%hx\n", ntohs(sp->is_gre.gs_call[0]),
+ PRINTF("\tcall %hx/%hx\n", ntohs(sp->is_gre.gs_call[0]),
ntohs(sp->is_gre.gs_call[1]));
} else if (sp->is_p == IPPROTO_ICMP
#ifdef USE_INET6
|| sp->is_p == IPPROTO_ICMPV6
#endif
- )
- PRINTF(" id %hu seq %hu type %d\n", sp->is_icmp.ici_id,
+ ) {
+ PRINTF("\tid %hu seq %hu type %d\n", sp->is_icmp.ici_id,
sp->is_icmp.ici_seq, sp->is_icmp.ici_type);
+ }
#ifdef USE_QUAD_T
- PRINTF("\tforward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n\tbackward: pkts in %lld bytes in %lld pkts out %lld bytes out %lld\n",
+ PRINTF("\tFWD: IN pkts %"PRIu64" bytes %"PRIu64" OUT pkts %"PRIu64" bytes %"PRIu64"\n\tREV: IN pkts %"PRIu64" bytes %"PRIu64" OUT pkts %"PRIu64" bytes %"PRIu64"\n",
sp->is_pkts[0], sp->is_bytes[0],
sp->is_pkts[1], sp->is_bytes[1],
sp->is_pkts[2], sp->is_bytes[2],
sp->is_pkts[3], sp->is_bytes[3]);
#else
- PRINTF("\tforward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n\tbackward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n",
+ PRINTF("\tFWD: IN pkts %lu bytes %lu OUT pkts %lu bytes %lu\n\tREV: IN pkts %lu bytes %lu OUT pkts %lu bytes %lu\n",
sp->is_pkts[0], sp->is_bytes[0],
sp->is_pkts[1], sp->is_bytes[1],
sp->is_pkts[2], sp->is_bytes[2],
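Review bot: `PRINTF(" %ld", sp->is_die - now)` subtracts an unsigned `now` (declared `u_long` in the signature) and prints the result with `%ld`, a format/argument mismatch; the removed `ttl %lu` line had them agreeing. If a negative remaining TTL for expired entries is the intended display, cast explicitly, `PRINTF(" %ld", (long)(sp->is_die - now));`, otherwise keep `%lu`. The `%p` conversion for `sp->is_isc` in the verbose block expects a `void *`, so a `(void *)` cast is needed unless is_isc already has that type. printstate's body continues past the end of this hunk.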
@@ -77,7 +104,7 @@
sp->is_pkts[3], sp->is_bytes[3]);
#endif
- PRINTF("\t");
+ PRINTF("\ttag %u pass %#x = ", sp->is_tag, sp->is_pass);
/*
* Print out bits set in the result code for the state being
@@ -135,22 +162,31 @@
/* a given; no? */
if (sp->is_pass & FR_KEEPSTATE) {
PRINTF(" keep state");
- if (sp->is_pass & FR_STATESYNC)
- PRINTF(" ( sync )");
+ if (sp->is_pass & (FR_STATESYNC|FR_STSTRICT|FR_STLOOSE)) {
+ PRINTF(" (");
+ if (sp->is_pass & FR_STATESYNC)
+ PRINTF(" sync");
+ if (sp->is_pass & FR_STSTRICT)
+ PRINTF(" strict");
+ if (sp->is_pass & FR_STLOOSE)
+ PRINTF(" loose");
+ PRINTF(" )");
+ }
}
- PRINTF("\tIPv%d", sp->is_v);
PRINTF("\n");
- PRINTF("\tpkt_flags & %x(%x) = %x,\t",
- sp->is_flags & 0xf, sp->is_flags,
- sp->is_flags >> 4);
- PRINTF("\tpkt_options & %x = %x, %x = %x \n", sp->is_optmsk[0],
- sp->is_opt[0], sp->is_optmsk[1], sp->is_opt[1]);
- PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- sp->is_secmsk, sp->is_sec, sp->is_authmsk,
- sp->is_auth);
- PRINTF("\tis_flx %#x %#x %#x %#x\n", sp->is_flx[0][0], sp->is_flx[0][1],
- sp->is_flx[1][0], sp->is_flx[1][1]);
+ if ((opts & OPT_VERBOSE) != 0) {
+ PRINTF("\tref %d", sp->is_ref);
+ PRINTF(" pkt_flags & %x(%x) = %x\n",
+ sp->is_flags & 0xf, sp->is_flags, sp->is_flags >> 4);
+ PRINTF("\tpkt_options & %x = %x, %x = %x \n", sp->is_optmsk[0],
+ sp->is_opt[0], sp->is_optmsk[1], sp->is_opt[1]);
+ PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
+ sp->is_secmsk, sp->is_sec, sp->is_authmsk,
+ sp->is_auth);
+ PRINTF("\tis_flx %#x %#x %#x %#x\n", sp->is_flx[0][0],
+ sp->is_flx[0][1], sp->is_flx[1][0], sp->is_flx[1][1]);
+ }
PRINTF("\tinterfaces: in %s[%s", getifname(sp->is_ifp[0]),
sp->is_ifname[0]);
if (opts & OPT_DEBUG)
@@ -169,20 +205,19 @@
PRINTF("/%p", sp->is_ifp[3]);
PRINTF("]\n");
+ PRINTF("\tSync status: ");
if (sp->is_sync != NULL) {
-
- if (kmemcpy((char *)&ipsync, (u_long)sp->is_sync, sizeof(ipsync))) {
-
- PRINTF("\tSync status: status could not be retrieved\n");
+ if (kmemcpy((char *)&ipsync, (u_long)sp->is_sync,
+ sizeof(ipsync))) {
+ PRINTF("status could not be retrieved\n");
return NULL;
}
- PRINTF("\tSync status: idx %d num %d v %d pr %d rev %d\n",
+ PRINTF("idx %d num %d v %d pr %d rev %d\n",
ipsync.sl_idx, ipsync.sl_num, ipsync.sl_v,
ipsync.sl_p, ipsync.sl_rev);
-
} else {
- PRINTF("\tSync status: not synchronized\n");
+ PRINTF("not synchronized\n");
}
return sp->is_next;
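Review bot: On a kmemcpy() failure the function still does `return NULL` after printing "status could not be retrieved", which ends the caller's walk of the state list at the first entry whose sync record cannot be read; returning `sp->is_next` there, as the normal path at the bottom does, would report the problem and keep listing the remaining entries. This assumes callers treat NULL as end-of-list, which the visible return statements suggest but do not prove.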
Modified: trunk/contrib/ipfilter/lib/printtqtable.c
===================================================================
--- trunk/contrib/ipfilter/lib/printtqtable.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printtqtable.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -9,17 +9,18 @@
#include "ipf.h"
-void printtqtable(table)
-ipftq_t *table;
+void
+printtqtable(table)
+ ipftq_t *table;
{
int i;
- printf("TCP Entries per state\n");
+ PRINTF("TCP Entries per state\n");
for (i = 0; i < IPF_TCP_NSTATES; i++)
- printf(" %5d", i);
- printf("\n");
+ PRINTF(" %5d", i);
+ PRINTF("\n");
for (i = 0; i < IPF_TCP_NSTATES; i++)
- printf(" %5d", table[i].ifq_ref - 1);
- printf("\n");
+ PRINTF(" %5d", table[i].ifq_ref - 1);
+ PRINTF("\n");
}
Modified: trunk/contrib/ipfilter/lib/printtunable.c
===================================================================
--- trunk/contrib/ipfilter/lib/printtunable.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/printtunable.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,29 +1,30 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/printtunable.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printtunable.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
-void printtunable(tup)
-ipftune_t *tup;
+void
+printtunable(tup)
+ ipftune_t *tup;
{
- printf("%s\tmin %#lx\tmax %#lx\tcurrent ",
+ PRINTF("%s\tmin %lu\tmax %lu\tcurrent ",
tup->ipft_name, tup->ipft_min, tup->ipft_max);
if (tup->ipft_sz == sizeof(u_long))
- printf("%lu\n", tup->ipft_vlong);
+ PRINTF("%lu\n", tup->ipft_vlong);
else if (tup->ipft_sz == sizeof(u_int))
- printf("%u\n", tup->ipft_vint);
+ PRINTF("%u\n", tup->ipft_vint);
else if (tup->ipft_sz == sizeof(u_short))
- printf("%hu\n", tup->ipft_vshort);
+ PRINTF("%hu\n", tup->ipft_vshort);
else if (tup->ipft_sz == sizeof(u_char))
- printf("%u\n", (u_int)tup->ipft_vchar);
+ PRINTF("%u\n", (u_int)tup->ipft_vchar);
else {
- printf("sz = %d\n", tup->ipft_sz);
+ PRINTF("sz = %d\n", tup->ipft_sz);
}
}
Modified: trunk/contrib/ipfilter/lib/remove_hash.c
===================================================================
--- trunk/contrib/ipfilter/lib/remove_hash.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/remove_hash.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/remove_hash.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_hash.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,19 +14,16 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int remove_hash(iphp, iocfunc)
-iphtable_t *iphp;
-ioctlfunc_t iocfunc;
+int
+remove_hash(iphp, iocfunc)
+ iphtable_t *iphp;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtable_t iph;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_HASH;
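Review bot: The removed code only opened the device when `(opts & OPT_DONOTHING) == 0` and otherwise carried on, whereas `if (pool_open() == -1) return -1;` now fails the call whenever the open fails; unless pool_open() itself honours OPT_DONOTHING, a dry run without access to the device returns -1 before reaching the OPT_DONOTHING handling in the next hunk. The same pattern is introduced in remove_hashnode.c, remove_pool.c and remove_poolnode.c in this commit. The strncpy() into `iph.iph_name` in the next hunk still relies on the source being shorter than the destination for NUL termination; it predates this change. remove_hash's body continues past the end of this hunk.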
@@ -43,11 +40,11 @@
strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
iph.iph_flags = iphp->iph_flags;
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_hash:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "remove lookup hash table");
}
-
+ }
return 0;
}
Modified: trunk/contrib/ipfilter/lib/remove_hashnode.c
===================================================================
--- trunk/contrib/ipfilter/lib/remove_hashnode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/remove_hashnode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/remove_hashnode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_hashnode.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,21 +14,18 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int hashfd = -1;
-
-int remove_hashnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-iphtent_t *node;
-ioctlfunc_t iocfunc;
+int
+remove_hashnode(unit, name, node, iocfunc)
+ int unit;
+ char *name;
+ iphtent_t *node;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
iphtent_t ipe;
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_HASH;
@@ -49,10 +46,11 @@
printf("%s\n", inet_ntoa(ipe.ipe_mask.in4));
}
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op)) {
if (!(opts & OPT_DONOTHING)) {
- perror("remove_hash:SIOCLOOKUPDELNODE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "remove lookup hash node");
}
+ }
return 0;
}
Modified: trunk/contrib/ipfilter/lib/remove_pool.c
===================================================================
--- trunk/contrib/ipfilter/lib/remove_pool.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/remove_pool.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/remove_pool.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_pool.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,19 +14,16 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
-static int poolfd = -1;
-
-int remove_pool(poolp, iocfunc)
-ip_pool_t *poolp;
-ioctlfunc_t iocfunc;
+int
+remove_pool(poolp, iocfunc)
+ ip_pool_t *poolp;
+ ioctlfunc_t iocfunc;
{
iplookupop_t op;
ip_pool_t pool;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_type = IPLT_POOL;
@@ -40,11 +37,11 @@
strncpy(pool.ipo_name, poolp->ipo_name, sizeof(pool.ipo_name));
pool.ipo_flags = poolp->ipo_flags;
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op))
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELTABLE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_pool:SIOCLOOKUPDELTABLE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "delete lookup pool");
}
-
+ }
return 0;
}
Modified: trunk/contrib/ipfilter/lib/remove_poolnode.c
===================================================================
--- trunk/contrib/ipfilter/lib/remove_poolnode.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/remove_poolnode.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/remove_poolnode.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: remove_poolnode.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include <fcntl.h>
@@ -14,21 +14,18 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
-static int poolfd = -1;
-
-int remove_poolnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-ip_pool_node_t *node;
-ioctlfunc_t iocfunc;
+int
+remove_poolnode(unit, name, node, iocfunc)
+ int unit;
+ char *name;
+ ip_pool_node_t *node;
+ ioctlfunc_t iocfunc;
{
ip_pool_node_t pn;
iplookupop_t op;
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
+ if (pool_open() == -1)
return -1;
op.iplo_unit = unit;
@@ -46,10 +43,10 @@
pn.ipn_info = node->ipn_info;
strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name));
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op)) {
+ if (pool_ioctl(iocfunc, SIOCLOOKUPDELNODE, &op)) {
if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_pool:SIOCLOOKUPDELNODE");
- return -1;
+ return ipf_perror_fd(pool_fd(), iocfunc,
+ "remove lookup pool node");
}
}
Modified: trunk/contrib/ipfilter/lib/resetlexer.c
===================================================================
--- trunk/contrib/ipfilter/lib/resetlexer.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/resetlexer.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/resetlexer.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: resetlexer.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
Modified: trunk/contrib/ipfilter/lib/rwlock_emul.c
===================================================================
--- trunk/contrib/ipfilter/lib/rwlock_emul.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/rwlock_emul.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/rwlock_emul.c 314251 2017-02-25 08:07:28Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: rwlock_emul.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include "ipf.h"
@@ -13,9 +13,9 @@
#define EMM_MAGIC 0x97dd8b3a
void eMrwlock_read_enter(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
+ eMrwlock_t *rw;
+ char *file;
+ int line;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_read_enter(%p): bad magic: %#x\n",
@@ -35,9 +35,9 @@
void eMrwlock_write_enter(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
+ eMrwlock_t *rw;
+ char *file;
+ int line;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
@@ -56,10 +56,31 @@
}
+void eMrwlock_try_upgrade(rw, file, line)
+ eMrwlock_t *rw;
+ char *file;
+ int line;
+{
+ if (rw->eMrw_magic != EMM_MAGIC) {
+ fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
+ rw->eMrw_owner, rw, rw->eMrw_magic);
+ abort();
+ }
+ if (rw->eMrw_read != 0 || rw->eMrw_write != 0) {
+ fprintf(stderr,
+ "%s:eMrwlock_try_upgrade(%p): already locked: %d/%d\n",
+ rw->eMrw_owner, rw, rw->eMrw_read, rw->eMrw_write);
+ abort();
+ }
+ rw->eMrw_write++;
+ rw->eMrw_heldin = file;
+ rw->eMrw_heldat = line;
+}
+
void eMrwlock_downgrade(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
+ eMrwlock_t *rw;
+ char *file;
+ int line;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
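Review bot: The bad-magic diagnostic in the new eMrwlock_try_upgrade() names the wrong function: its fprintf string reads `eMrwlock_write_enter`, so an abort from this path is attributed to the wrong call; it should be `"%s:eMrwlock_try_upgrade(%p): bad magic: %#x\n"`. The same line prints `rw->eMrw_owner` with `%s`, and eMrwlock_init() stores NULL there when no name is supplied, so the diagnostic can itself hit undefined behaviour on the way to abort(); printing `rw->eMrw_owner ? rw->eMrw_owner : "?"` avoids that. The guard `rw->eMrw_read != 0 || rw->eMrw_write != 0` also refuses the state an upgrade normally starts from, a held read lock; if this emulation deliberately requires the lock to be free before "upgrading", a comment saying so would stop the next reader from changing it.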
@@ -80,7 +101,7 @@
void eMrwlock_exit(rw)
-eMrwlock_t *rw;
+ eMrwlock_t *rw;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_exit(%p): bad magic: %#x\n",
@@ -101,9 +122,11 @@
}
+static int initcount = 0;
+
void eMrwlock_init(rw, who)
-eMrwlock_t *rw;
-char *who;
+ eMrwlock_t *rw;
+ char *who;
{
if (rw->eMrw_magic == EMM_MAGIC) { /* safe bet ? */
fprintf(stderr,
@@ -118,11 +141,12 @@
rw->eMrw_owner = strdup(who);
else
rw->eMrw_owner = NULL;
+ initcount++;
}
void eMrwlock_destroy(rw)
-eMrwlock_t *rw;
+ eMrwlock_t *rw;
{
if (rw->eMrw_magic != EMM_MAGIC) {
fprintf(stderr, "%s:eMrwlock_destroy(%p): bad magic: %#x\n",
@@ -129,5 +153,14 @@
rw->eMrw_owner, rw, rw->eMrw_magic);
abort();
}
+ if (rw->eMrw_owner != NULL)
+ free(rw->eMrw_owner);
memset(rw, 0xa5, sizeof(*rw));
+ initcount--;
}
+
+void ipf_rwlock_clean()
+{
+ if (initcount != 0)
+ abort();
+}
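Review bot: ipf_rwlock_clean() aborts when `initcount` is non-zero but prints nothing first, unlike every other abort() path in this file, so a leaked lock leaves no clue about how many were outstanding; adding `fprintf(stderr, "ipf_rwlock_clean: %d rwlock(s) still initialised\n", initcount);` before the abort() matches the file's convention. The definition should also be `void ipf_rwlock_clean(void)` rather than an empty parameter list, which declares no prototype in C. The `if (rw->eMrw_owner != NULL)` guard around free() is redundant, as free(NULL) is a no-op. The counter declared and incremented in the two preceding hunks is a plain static int, which is fine for a single-threaded userland emulation, but a comment on its declaration, `/* eMrwlock_init() calls minus eMrwlock_destroy() calls; checked by ipf_rwlock_clean() */`, would document what it is for.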
Modified: trunk/contrib/ipfilter/lib/tcp_flags.c
===================================================================
--- trunk/contrib/ipfilter/lib/tcp_flags.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/tcp_flags.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/tcp_flags.c 170268 2007-06-04 02:54:36Z darrenr $ */
/*
* Copyright (C) 2000-2004 by Darren Reed.
@@ -5,7 +5,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: tcp_flags.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id: tcp_flags.c,v 1.8.2.1 2006/06/16 17:21:17 darrenr Exp $
*/
#include "ipf.h"
Modified: trunk/contrib/ipfilter/lib/tcpflags.c
===================================================================
--- trunk/contrib/ipfilter/lib/tcpflags.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/tcpflags.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/tcpflags.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: tcpflags.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -26,7 +26,7 @@
u_char tcpflags(flgs)
-char *flgs;
+ char *flgs;
{
u_char tcpf = 0;
char *s, *t;
Modified: trunk/contrib/ipfilter/lib/tcpoptnames.c
===================================================================
--- trunk/contrib/ipfilter/lib/tcpoptnames.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/tcpoptnames.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/tcpoptnames.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: tcpoptnames.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
Modified: trunk/contrib/ipfilter/lib/v6ionames.c
===================================================================
--- trunk/contrib/ipfilter/lib/v6ionames.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/v6ionames.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/v6ionames.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: v6ionames.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -16,10 +16,10 @@
{ IPPROTO_HOPOPTS, 0x000001, 0, "hopopts" },
{ IPPROTO_IPV6, 0x000002, 0, "ipv6" },
{ IPPROTO_ROUTING, 0x000004, 0, "routing" },
- { IPPROTO_FRAGMENT, 0x000008, 0, "frag" },
+ { IPPROTO_FRAGMENT, 0x000008, 0, "frag" },
{ IPPROTO_ESP, 0x000010, 0, "esp" },
{ IPPROTO_AH, 0x000020, 0, "ah" },
- { IPPROTO_NONE, 0x000040, 0, "none" },
+ { IPPROTO_NONE, 0x000040, 0, "none" },
{ IPPROTO_DSTOPTS, 0x000080, 0, "dstopts" },
{ IPPROTO_MOBILITY, 0x000100, 0, "mobility" },
{ 0, 0, 0, (char *)NULL }
Modified: trunk/contrib/ipfilter/lib/v6optvalue.c
===================================================================
--- trunk/contrib/ipfilter/lib/v6optvalue.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/v6optvalue.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/v6optvalue.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: v6optvalue.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#include "ipf.h"
@@ -12,7 +12,7 @@
u_32_t getv6optbyname(optname)
-char *optname;
+ char *optname;
{
#ifdef USE_INET6
struct ipopt_names *io;
@@ -26,7 +26,7 @@
u_32_t getv6optbyvalue(optval)
-int optval;
+ int optval;
{
#ifdef USE_INET6
struct ipopt_names *io;
Modified: trunk/contrib/ipfilter/lib/var.c
===================================================================
--- trunk/contrib/ipfilter/lib/var.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/var.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,12 +1,12 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/var.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: var.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
- */
+ * Copyright (C) 2012 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id$
+ */
#include <ctype.h>
@@ -25,7 +25,7 @@
static variable_t *find_var(name)
-char *name;
+ char *name;
{
variable_t *v;
@@ -37,8 +37,8 @@
char *get_variable(string, after, line)
-char *string, **after;
-int line;
+ char *string, **after;
+ int line;
{
char c, *s, *t, *value;
variable_t *v;
@@ -84,8 +84,8 @@
static char *expand_string(oldstring, line)
-char *oldstring;
-int line;
+ char *oldstring;
+ int line;
{
char c, *s, *p1, *p2, *p3, *newstring, *value;
int len;
@@ -144,8 +144,8 @@
void set_variable(name, value)
-char *name;
-char *value;
+ char *name;
+ char *value;
{
variable_t *v;
int len;
Modified: trunk/contrib/ipfilter/lib/verbose.c
===================================================================
--- trunk/contrib/ipfilter/lib/verbose.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/lib/verbose.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/lib/verbose.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: verbose.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $
+ * $Id$
*/
#if defined(__STDC__)
@@ -15,16 +15,16 @@
#endif
#include <stdio.h>
-#include "ipt.h"
+#include "ipf.h"
#include "opts.h"
#if defined(__STDC__)
-void verbose(char *fmt, ...)
+void verbose(int level, char *fmt, ...)
#else
-void verbose(fmt, va_alist)
-char *fmt;
-va_dcl
+void verbose(level, fmt, va_alist)
+ char *fmt;
+ va_dcl
#endif
{
va_list pvar;
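Review bot: In the pre-ANSI arm of the new signature, `void verbose(level, fmt, va_alist)` lists `level` as a parameter but the declarations beneath it name only `char *fmt;` and `va_dcl`, so `level` silently takes the default type int; add ` int level;` next to `char *fmt;` so both arms declare the same types. Whether `level` is consulted inside verbose() cannot be seen here, since the body lies outside the hunk.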
@@ -35,3 +35,21 @@
vprintf(fmt, pvar);
va_end(pvar);
}
+
+
+#if defined(__STDC__)
+void ipfkverbose(char *fmt, ...)
+#else
+void ipfkverbose(fmt, va_alist)
+ char *fmt;
+ va_dcl
+#endif
+{
+ va_list pvar;
+
+ va_start(pvar, fmt);
+
+ if (opts & OPT_VERBOSE)
+ verbose(0x1fffffff, fmt, pvar);
+ va_end(pvar);
+}
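Review bot: `verbose(0x1fffffff, fmt, pvar)` passes a va_list object where verbose() expects ordinary variadic arguments; verbose() then runs its own va_start()/vprintf() (the context lines at the top of this hunk show `vprintf(fmt, pvar)`), so the format's conversions read the va_list object and whatever follows it rather than ipfkverbose's real arguments, giving garbage output or a crash for any format with conversions. The fix is a va_list-taking variant: move verbose()'s body into `static void vverbose(int level, char *fmt, va_list ap)`, make verbose() a va_start/va_end wrapper around it, and have ipfkverbose() call `vverbose(0x1fffffff, fmt, pvar)`; the K&R arm needs the same treatment. The literal `0x1fffffff` would also read better as a named constant with a comment saying it is meant to pass any level check.

```c
/* va_list form of verbose(); verbose() and ipfkverbose() both route
 * through here so the format arguments are consumed exactly once. */
static void
vverbose(int level, char *fmt, va_list ap)
{
	/* … unchanged: verbose()'s existing body, with `ap` standing in for
	 *   its former local `pvar` (ends in vprintf(fmt, ap)) … */
}

void verbose(int level, char *fmt, ...)
{
	va_list pvar;

	va_start(pvar, fmt);
	vverbose(level, fmt, pvar);
	va_end(pvar);
}

/* … unchanged: ipfkverbose() signature and va_start … */
	if (opts & OPT_VERBOSE)
		vverbose(0x1fffffff, fmt, pvar);
	va_end(pvar);
```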
Modified: trunk/contrib/ipfilter/man/Makefile
===================================================================
--- trunk/contrib/ipfilter/man/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,9 +1,9 @@
#
-# Copyright (C) 1993-1998 by Darren Reed.
+# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
-# $FreeBSD$
+# $FreeBSD: stable/10/contrib/ipfilter/man/Makefile 255332 2013-09-06 23:11:19Z cy $
#
all:
Modified: trunk/contrib/ipfilter/man/ipf.4
===================================================================
--- trunk/contrib/ipfilter/man/ipf.4 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipf.4 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipf.4 255332 2013-09-06 23:11:19Z cy $
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
@@ -46,7 +46,6 @@
as being routing ioctls and thus the same rules for the various routing
ioctls and the file descriptor are employed, mainly being that the fd must
be that of the device associated with the module (i.e., /dev/ipl).
-.LP
.PP
The three groups of ioctls above perform adding rules to the end of the
list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
@@ -83,10 +82,10 @@
u_short fr_icmp;
u_char fr_scmp; /* data for port comparisons */
- u_char fr_dcmp;
+ u_char fr_dcmp;
u_short fr_dport;
u_short fr_sport;
- u_short fr_stop; /* top port for <> and >< */
+ u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_32_t fr_flags; /* per-rule flags && options (see below) */
u_short fr_skip; /* # of rules to skip */
@@ -96,7 +95,7 @@
char fr_ifname[IFNAMSIZ];
#if BSD > 199306
char fr_oifname[IFNAMSIZ];
-#endif
+#endif
struct frdest fr_tif; /* "to" interface */
struct frdest fr_dif; /* duplicate packet interfaces */
} frentry_t;
@@ -106,7 +105,6 @@
initialised to be zero. To insert a rule, at a particular position in the
filter list, the number of the rule which it is to be inserted before must
be put in the "fr_hits" field (the first rule is number 0).
-.LP
.PP
Flags which are recognised in fr_flags:
.nf
@@ -137,7 +135,7 @@
FR_NOTDSTIP 0x100000 /* not the dst IP# */
FR_AUTH 0x200000 /* use authentication */
FR_PREAUTH 0x400000 /* require preauthentication */
-
+
.fi
.PP
Values for fr_scomp and fr_dcomp (source and destination port value
Modified: trunk/contrib/ipfilter/man/ipf.5
===================================================================
--- trunk/contrib/ipfilter/man/ipf.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipf.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,557 +1,1698 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipf.5 320090 2017-06-19 05:02:27Z cy $
.TH IPF 5
.SH NAME
-ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
+ipf, ipf.conf \- IPFilter firewall rules file format
.SH DESCRIPTION
.PP
-A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parsable rules as output when displaying the internal
-kernel filter lists, it is quite plausible to use its output to feed back
-into \fBipf\fP. Thus, to remove all filters on input packets, the following
-could be done:
+The ipf.conf file is used to specify rules for the firewall, packet
+authentication and packet accounting components of IPFilter. To load rules
+specified in the ipf.conf file, the ipf(8) program is used.
+.PP
+For use as a firewall, there are two important rule types: those that block
+and drop packets (block rules) and those that allow packets through (pass
+rules.) Accompanying the decision to apply is a collection of statements
+that specify under what conditions the result is to be applied and how.
+.PP
+The simplest rules that can be used in ipf.conf are expressed like this:
+.PP
.nf
-
-\fC# ipfstat \-i | ipf \-rf \-\fP
+block in all
+pass out all
.fi
-.SH GRAMMAR
.PP
-The format used by \fBipf\fP for construction of filtering rules can be
-described using the following grammar in BNF:
-\fC
+Each rule must contain at least the following three components
+.RS
+.IP *
+a decision keyword (pass, block, etc.)
+.IP *
+the direction of the packet (in or out)
+.IP *
+address patterns or "all" to match any address information
+.RE
+.SS Long lines
+.PP
+For rules lines that are particularly long, it is possible to split
+them over multiple lines implicity like this:
+.PP
.nf
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] ip [ group ].
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | skip | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
- [ froute ] [ replyto ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-skip = "skip" decnumber .
-auth = "auth" | "preauth" .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name [ ":" ipaddr ] .
-froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
-replyto = "reply-to" interface-name [ ":" ipaddr ] .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" [ "!" ] object "to" [ "!" ] object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-return-code = "(" icmp-code ")" .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-addr = "any" | "<thishost>" | nummask |
- host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "(" icmp-code ")" .
-keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
-loglevel = facility"."priority | priority .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-state-options = state-opts [ "," state-options ] .
-
-state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
- "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "frag" | "opt" optname .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
- "addext" | "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
- "gt" | "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" .
+pass in on bgeo proto tcp from 1.1.1.1 port > 1000
+ to 2.2.2.2 port < 5000 flags S keep state
.fi
.PP
-This syntax is somewhat simplified for readability, some combinations
-that match this grammar are disallowed by the software because they do
-not make sense (such as tcp \fBflags\fP for non-TCP packets).
-.SH FILTER RULES
+or explicitly using the backslash ('\\') character:
.PP
-The "briefest" valid rules are (currently) no-ops and are of the form:
.nf
- block in all
- pass in all
- log out all
- count in all
+pass in on bgeo proto tcp from 1.1.1.1 port > 1000 \\
+ to 2.2.2.2 port < 5000 flags S keep state
.fi
+.SS Comments
.PP
-Filter rules are checked in order, with the last matching rule
-determining the fate of the packet (but see the \fBquick\fP option,
-below).
+Comments in the ipf.conf file are indicated by the use of the '#' character.
+This can either be at the start of the line, like this:
.PP
-Filters are installed by default at the end of the kernel's filter
-lists, prepending the rule with \fB at n\fP will cause it to be inserted
-as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(8) for more
-information.
-.SH ACTIONS
+.nf
+# Allow all ICMP packets in
+pass in proto icmp from any to any
+.fi
.PP
-The action indicates what to do with the packet if it matches the rest
-of the filter rule. Each rule MUST have an action. The following
-actions are recognised:
-.TP
-.B block
-indicates that the packet should be flagged to be dropped. In response
-to blocking a packet, the filter may be instructed to send a reply
-packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
-masquerading as being from the original packet's destination
-(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
-ICMP packet may be generated in response to any IP packet, and its
-type may optionally be specified, but a TCP reset may only be used
-with a rule which is being applied to TCP packets. When using
-\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
-the actual unreachable `type'. That is, whether it is a network
-unreachable, port unreachable or even administratively
-prohibited. This is done by enclosing the ICMP code associated with
-it in parenthesis directly following \fBreturn-icmp\fP or
-\fBreturn-icmp-as-dest\fP as follows:
+Or at the end of a like, like this:
+.PP
.nf
- block return-icmp(11) ...
+pass in proto icmp from any to any # Allow all ICMP packets in
.fi
+.SH Firewall rules
.PP
-Would return a Type-Of-Service (TOS) ICMP unreachable error.
-.TP
-.B pass
-will flag the packet to be let through the filter.
-.TP
-.B log
-causes the packet to be logged (as described in the LOGGING section
-below) and has no effect on whether the packet will be allowed through
-the filter.
-.TP
-.B count
-causes the packet to be included in the accounting statistics kept by
-the filter, and has no effect on whether the packet will be allowed through
-the filter. These statistics are viewable with ipfstat(8).
-.TP
-.B call
-this action is used to invoke the named function in the kernel, which
-must conform to a specific calling interface. Customised actions and
-semantics can thus be implemented to supplement those available. This
-feature is for use by knowledgeable hackers, and is not currently
-documented.
-.TP
-.B "skip <n>"
-causes the filter to skip over the next \fIn\fP filter rules. If a rule is
-inserted or deleted inside the region being skipped over, then the value of
-\fIn\fP is adjusted appropriately.
-.TP
-.B auth
-this allows authentication to be performed by a user-space program running
-and waiting for packet information to validate. The packet is held for a
-period of time in an internal buffer whilst it waits for the program to return
-to the kernel the \fIreal\fP flags for whether it should be allowed through
-or not. Such a program might look at the source address and request some sort
-of authentication from the user (such as a password) before allowing the
-packet through or telling the kernel to drop it if from an unrecognised source.
-.TP
-.B preauth
-tells the filter that for packets of this class, it should look in the
-pre-authenticated list for further clarification. If no further matching
-rule is found, the packet will be dropped (the FR_PREAUTH is not the same
-as FR_PASS). If a further matching rule is found, the result from that is
-used in its instead. This might be used in a situation where a person
-\fIlogs in\fP to the firewall and it sets up some temporary rules defining
-the access for that person.
+This section goes into detail on how to construct firewall rules that
+are placed in the ipf.conf file.
.PP
-The next word must be either \fBin\fP or \fBout\fP. Each packet
-moving through the kernel is either inbound (just been received on an
-interface, and moving towards the kernel's protocol processing) or
-outbound (transmitted or forwarded by the stack, and on its way to an
-interface). There is a requirement that each filter rule explicitly
-state which side of the I/O it is to be used on.
-.SH OPTIONS
+It is beyond the scope of this document to describe what makes a good
+firewall rule set or which packets should be blocked or allowed in.
+Some suggestions will be provided but further reading is expected to
+fully understand what is safe and unsafe to allow in/out.
+.SS Filter rule keywords
.PP
-The list of options is brief, and all are indeed optional. Where
-options are used, they must be present in the order shown here. These
-are the currently supported options:
-.TP
-.B log
-indicates that, should this be the last matching rule, the packet
-header will be written to the \fBipl\fP log (as described in the
-LOGGING section below).
-.TP
-.B tag tagid
-indicates that, if this rule causes the packet to be logged or entered
-in the state table, the tagid will be logged as part of the log entry.
-This can be used to quickly match "similar" rules in scripts that post
-process the log files for e.g. generation of security reports or accounting
-purposes. The tagid is a 32 bit unsigned integer.
-.TP
-.B quick
-allows "short-cut" rules in order to speed up the filter or override
-later rules. If a packet matches a filter rule which is marked as
-\fBquick\fP, this rule will be the last rule checked, allowing a
-"short-circuit" path to avoid processing later rules for this
-packet. The current status of the packet (after any effects of the
-current rule) will determine whether it is passed or blocked.
+The first word found in any filter rule describes what the eventual outcome
+of a packet that matches it will be. Descriptions of the many and various
+sections that can be used to match on the contents of packet headers will
+follow on below.
+.PP
+The complete list of keywords, along with what they do is as follows:
+.RS
+.HP
+pass
+rules that match a packet indicate to ipfilter that it should be
+allowed to continue on in the direction it is flowing.
+.HP
+block
+rules are used when it is desirable to prevent a packet from going
+any further. Packets that are blocked on the "in" side are never seen by
+TCP/IP and those that are blocked going "out" are never seen on the wire.
+.HP
+log
+when IPFilter successfully matches a packet against a log rule a log
+record is generated and made available for ipmon(8) to read. These rules
+have no impact on whether or not a packet is allowed through or not.
+So if a packet first matched a block rule and then matched a log rule,
+the status of the packet after the log rule is that it will still be
+blocked.
+.HP
+count
+rules provide the administrator with the ability to count packets and
+bytes that match the criteria laid out in the configuration file.
+The count rules are applied after NAT and filter rules on the inbound
+path. For outbound packets, count rules are applied before NAT and
+before the packet is dropped. Thus the count rule cannot be used as
+a true indicator of link layer
+.HP
+auth
+rules cause the matching packet to be queued up for processing by a
+user space program. The user space program is responsible for making
+an ioctl system call to collect the information about the queued
+packet and another ioctl system call to return the verdict (block,
+pass, etc) on what to do with the packet. In the event that the queue
+becomes full, the packets will end up being dropped.
+.HP
+call
+provides access to functions built into IPFilter that allow for more
+complex actions to be taken as part of the decision making that goes
+with the rule.
+.HP
+decapsulate
+rules instruct ipfilter to remove any
+other headers (IP, UDP, AH) and then process what is inside as a new packet.
+For non-UDP packets, there are builtin checks that are applied in addition
+to whatever is specified in the rule, to only allow decapsulation of
+recognised protocols. After decapsulating the inner packet, any filtering
+result that is applied to the inner packet is also applied to the other
+packet.
+.PP
+The default way in which filter rules are applied is for the last
+matching rule to be used as the decision maker. So even if the first
+rule to match a packet is a pass, if there is a later matching rule
+that is a block and no further rules match the packet, then it will
+be blocked.
+.SS Matching Network Interfaces
+.PP
+On systems with more than one network interface, it is necessary
+to be able to specify different filter rules for each of them.
+In the first instance, this is because different networks will send us
+packets via each network interface but it is also because of the hosts,
+the role and the resulting security policy that we need to be able to
+distinguish which network interface a packet is on.
+.PP
+To accomodate systems where the presence of a network interface is
+dynamic, it is not necessary for the network interface named in a
+filter rule to be present in the system when the rule is loaded.
+This can lead to silent errors being introduced and unexpected
+behaviour with the simplest of keyboard mistakes - for example,
+typing in hem0 instead of hme0 or hme2 instead of hme3.
+.PP
+On Solaris systems prior to Solaris 10 Update 4, it is not possible
+to filter packets on the loopback interface (lo0) so filter rules
+that specify it will have no impact on the corresponding flow of
+packets. See below for Solaris specific tips on how to enable this.
+.PP
+Some examples of including the network interface in filter rules are:
+.PP
+.nf
+block in on bge0 all
+pass out on bge0 all
+.fi
+.SS Address matching (basic)
+.PP
+The first and most basic part of matching for filtering rules is to
+specify IP addresses and TCP/UDP port numbers. The source address
+information is matched by the "from" information in a filter rule
+and the destination address information is matched with the "to"
+information in a filter rule.
+.PP
+The typical format used for IP addresses is CIDR notation, where an
+IP address (or network) is followed by a '/' and a number representing
+the size of the netmask in bits. This notation is used for specifying
+address matching in both IPv4 and IPv6. If the '/' and bitmask size
+are excluded from the matching string, it is assumed that the address
+specified is a host address and that the netmask applied should be
+all 1's.
+.PP
+Some examples of this are:
+.PP
+.nf
+pass in from 10.1.0.0/24 to any
+block out from any to 10.1.1.1
+.fi
+.PP
+It is not possible to specify a range of addresses that does not
+have a boundary that can be defined by a standard subnet mask.
.IP
-If this option is missing, the rule is taken to be a "fall-through"
-rule, meaning that the result of the match (block/pass) is saved and
-that processing will continue to see if there are any more matches.
-.TP
-.B on
-allows an interface name to be incorporated into the matching
-procedure. Interface names are as printed by "netstat \-i". If this
-option is used, the rule will only match if the packet is going
-through that interface in the specified direction (in/out). If this
-option is absent, the rule is taken to be applied to a packet
-regardless of the interface it is present on (i.e. on all interfaces).
-Filter rulesets are common to all interfaces, rather than having a
-filter list for each interface.
+.B Names instead of addresses
+.RS
+.PP
+Hostnames, resolved either via DNS or /etc/hosts, or network names,
+resolved via /etc/networks, may be used in place of actual addresses
+in the filter rules. WARNING: if a hostname expands to more than one
+address, only the *first* is used in building the filter rule.
+.PP
+Caution should be exercised when relying on DNS for filter rules in
+case the sending and receiving of DNS packets is blocked when ipf(8)
+is processing that part of the configuration file, leading to long
+delays, if not errors, in loading the filter rules.
+.RE
+.SS Protocol Matching
+.PP
+To match packets based on TCP/UDP port information, it is first necessary
+to indicate which protocol the packet must be. This is done using the
+"proto" keyword, followed by either the protocol number or a name which
+is mapped to the protocol number, usually through the /etc/protocols file.
+.PP
+.nf
+pass in proto tcp from 10.1.0.0/24 to any
+block out proto udp from any to 10.1.1.1
+pass in proto icmp from any to 192.168.0.0/16
+.fi
+.SS Sending back error packets
+.PP
+When a packet is just discarded using a block rule, there is no feedback given
+to the host that sent the packet. This is both good and bad. If this is the
+desired behaviour and it is not desirable to send any feedback about packets
+that are to be denied. The catch is that often a host trying to connect to a
+TCP port or with a UDP based application will send more than one packet
+because it assumes that just one packet may be discarded so a retry is
+required. The end result being logs can become cluttered with duplicate
+entries due to the retries.
+.PP
+To address this problem, a block rule can be qualified in two ways.
+The first of these is specific to TCP and instructs IPFilter to send back
+a reset (RST) packet. This packet indicates to the remote system that the
+packet it sent has been rejected and that it shouldn't make any further
+attempts to send packets to that port. Telling IPFilter to return a TCP
+RST packet in response to something that has been received is achieved
+with the return-rst keyword like this:
+.PP
+.nf
+block return-rst in proto tcp from 10.0.0.0/8 to any
+.fi
+.PP
+When sending back a TCP RST packet, IPFilter must construct a new packet
+that has the source address of the intended target, not the source address
+of the system it is running on (if they are different.)
+.PP
+For all of the other protocols handled by the IP protocol suite, to send
+back an error indicating that the received packet was dropped requires
+sending back an ICMP error packet. Whilst these can also be used for TCP,
+the sending host may not treat the received ICMP error as a hard error
+in the same way as it does the TCP RST packet. To return an ICMP error
+it is necessary to place return-icmp after the block keyword like this:
+.PP
+.nf
+block return-icmp in proto udp from any to 192.168.0.1/24
+.fi
+.PP
+When electing to return an ICMP error packet, it is also possible to
+select what type of ICMP error is returned. Whilst the full compliment
+of ICMP unreachable codes can be used by specifying a number instead of
+the string below, only the following should be used in conjunction with
+return-icmp. Which return code to use is a choice to be made when
+weighing up the pro's and con's. Using some of the codes may make it
+more obvious that a firewall is being used rather than just the host
+not responding.
+.RS
+.HP
+filter-prohib
+(prohibited by filter)
+sending packets to the destination given in the received packet is
+prohibited due to the application of a packet filter
+.HP
+net-prohib
+(prohibited network)
+sending packets to the destination given in the received packet is
+administratively prohibited.
+.HP
+host-unk
+(host unknown)
+the destination host address is not known by the system receiving
+the packet and therefore cannot be reached.
+.HP
+host-unr
+(host unreachable)
+it is not possible to reach the host as given by the destination address
+in the packet header.
+.HP
+net-unk
+(network unknown)
+the destination network address is not known by the system receiving
+the packet and therefore cannot be reached.
+.HP
+net-unr
+(network unreachable)
+it is not possible to forward the packet on to its final destination
+as given by the destination address
+.HP
+port-unr
+(port unreachable)
+there is no application using the given destination port and therefore
+it is not possible to reach that port.
+.HP
+proto-unr
+(protocol unreachable)
+the IP protocol specified in the packet is not available to receive
+packets.
+.DE
+.PP
+An example that shows how to send back a port unreachable packet for
+UDP packets to 192.168.1.0/24 is as follows:
+.PP
+.nf
+block return-icmp(port-unr) in proto udp from any to 192.168.1.0/24
+.fi
+.PP
+In the above examples, when sending the ICMP packet, IPFilter will construct
+a new ICMP packet with a source address of the network interface used to
+send the packet back to the original source. This can give away that there
+is an intermediate system blocking packets. To have IPFilter send back
+ICMP packets where the source address is the original destination, regardless
+of whether or not it is on the local host, return-icmp-as-dest is used like
+this:
+.PP
+.nf
+block return-icmp-as-dest(port-unr) in proto udp \\
+ from any to 192.168.1.0/24
+.fi
+.SS TCP/UDP Port Matching
+.PP
+Having specified which protocol is being matched, it is then possible to
+indicate which port numbers a packet must have in order to match the rule.
+Due to port numbers being used differently to addresses, it is therefore
+possible to match on them in different ways. IPFilter allows you to use
+the following logical operations:
+.IP "< x"
+is true if the port number is greater than or equal to x and less than or
+equal to y
+is true if the port number in the packet is less than x
+.IP "<= x"
+is true if the port number in the packet is less than or equal to x
+.IP "> x"
+is true if the port number in the packet is greater than x
+.IP ">= x"
+is true if the port number in the packet is greater or equal to x
+.IP "= x"
+is true if the port number in the packet is equal to x
+.IP "!= x"
+is true if the port number in the packet is not equal to x
+.PP
+Additionally, there are a number of ways to specify a range of ports:
+.IP "x <> y"
+is true if the port number is less than a and greater than y
+.IP "x >< y"
+is true if the port number is greater than x and less than y
+.IP "x:y"
+is true if the port number is greater than or equal to x and less than or
+equal to y
+.PP
+Some examples of this are:
+.PP
+.nf
+block in proto tcp from any port >= 1024 to any port < 1024
+pass in proto tcp from 10.1.0.0/24 to any port = 22
+block out proto udp from any to 10.1.1.1 port = 135
+pass in proto udp from 1.1.1.1 port = 123 to 10.1.1.1 port = 123
+pass in proto tcp from 127.0.0.0/8 to any port = 6000:6009
+.fi
+.PP
+If there is no desire to mention any specific source or destintion
+information in a filter rule then the word "all" can be used to
+indicate that all addresses are considered to match the rule.
+.SS IPv4 or IPv6
+.PP
+If a filter rule is constructed without any addresses then IPFilter
+will attempt to match both IPv4 and IPv6 packets with it. In the
+next list of rules, each one can be applied to either network protocol
+because there is no address specified from which IPFilter can derive
+with network protocol to expect.
+.PP
+.nf
+pass in proto udp from any to any port = 53
+block in proto tcp from any port < 1024 to any
+.fi
+.PP
+To explicitly match a particular network address family with a specific
+rule, the family must be added to the rule. For IPv4 it is necessary to
+add family inet and for IPv6, family inet6. Thus the next rule will
+block all packets (both IPv4 and IPv6:
+.PP
+.nf
+block in all
+.fi
+.PP
+but in the following example, we block all IPv4 packets and only allow
+in IPv6 packets:
+.PP
+.nf
+block in family inet all
+pass in family inet6 all
+.fi
+.PP
+To continue on from the example where we allowed either IPv4 or IPv6
+packets to port 53 in, to change that such that only IPv6 packets to
+port 53 need to allowed blocked then it is possible to add in a
+protocol family qualifier:
+.PP
+.nf
+pass in family inet6 proto udp from any to any port = 53
+.fi
+.SS First match vs last match
+.PP
+To change the default behaviour from being the last matched rule decides
+the outcome to being the first matched rule, the word "quick" is inserted
+to the rule.
+.SH Extended Packet Matching
+.SS Beyond using plain addresses
+.PP
+On firewalls that are working with large numbers of hosts and networks
+or simply trying to filter discretely against various hosts, it can
+be an easier administration task to define a pool of addresses and have
+a filter rule reference that address pool rather than have a rule for
+each address.
+.PP
+In addition to being able to use address pools, it is possible to use
+the interface name(s) in the from/to address fields of a rule. If the
+name being used in the address section can be matched to any of the
+interface names mentioned in the rule's "on" or "via" fields then it
+can be used with one of the following keywords for extended effect:
+.HP
+broadcast
+use the primary broadcast address of the network interface for matching
+packets with this filter rule;
.IP
-This option is especially useful for simple IP-spoofing protection:
-packets should only be allowed to pass inbound on the interface from
-which the specified source address would be expected, others may be
-logged and/or dropped.
-.TP
-.B dup-to
-causes the packet to be copied, and the duplicate packet to be sent
-outbound on the specified interface, optionally with the destination
-IP address changed to that specified. This is useful for off-host
-logging, using a network sniffer.
-.TP
-.B to
-causes the packet to be moved to the outbound queue on the
-specified interface. This can be used to circumvent kernel routing
-decisions, and even to bypass the rest of the kernel processing of the
-packet (if applied to an inbound rule). It is thus possible to
-construct a firewall that behaves transparently, like a filtering hub
-or switch, rather than a router. The \fBfastroute\fP keyword is a
-synonym for this option.
-.SH MATCHING PARAMETERS
-.PP
-The keywords described in this section are used to describe attributes
-of the packet to be used when determining whether rules match or don't
-match. The following general-purpose attributes are provided for
-matching, and must be used in this order:
-.TP
-.B tos
-packets with different Type-Of-Service values can be filtered.
-Individual service levels or combinations can be filtered upon. The
-value for the TOS mask can either be represented as a hex number or a
-decimal integer value.
-.TP
-.B ttl
-packets may also be selected by their Time-To-Live value. The value given in
-the filter rule must exactly match that in the packet for a match to occur.
-This value can only be given as a decimal integer value.
-.TP
-.B proto
-allows a specific protocol to be matched against. All protocol names
-found in \fB/etc/protocols\fP are recognised and may be used.
-However, the protocol may also be given as a DECIMAL number, allowing
-for rules to match your own protocols, or new ones which would
-out-date any attempted listing.
+.nf
+pass in on fxp0 proto udp from any to fxp0/broadcast port = 123
+.fi
+.HP
+peer
+use the peer address on point to point network interfaces for matching
+packets with this filter rule. This option typically only has meaningful
+use with link protocols such as SLIP and PPP.
+For example, this rule allows ICMP packets from the remote peer of ppp0
+to be received if they're destined for the address assigned to the link
+at the firewall end.
.IP
-The special protocol keyword \fBtcp/udp\fP may be used to match either
-a TCP or a UDP packet, and has been added as a convenience to save
-duplication of otherwise-identical rules.
-.\" XXX grammar should reflect this (/etc/protocols)
+.nf
+pass in on ppp0 proto icmp from ppp0/peer to ppp0/32
+.fi
+.HP
+netmasked
+use the primary network address, with its netmask, of the network interface
+for matching packets with this filter rule. If a network interface had an
+IP address of 192.168.1.1 and its netmask was 255.255.255.0 (/24), then
+using the word "netmasked" after the interface name would match any
+addresses that would match 192.168.1.0/24. If we assume that bge0 has
+this IP address and netmask then the following two rules both serve
+to produce the same effect:
+.IP
+.nf
+pass in on bge0 proto icmp from any to 192.168.1.0/24
+pass in on bge0 proto icmp from any to bge0/netmasked
+.fi
+.HP
+network
+using the primary network address, and its netmask, of the network interface,
+construct an address for exact matching. If a network interface has an
+address of 192.168.1.1 and its netmask is 255.255.255.0, using this
+option would only match packets to 192.168.1.0.
+.IP
+.nf
+pass in on bge0 proto icmp from any to bge0/network
+.fi
.PP
-The \fBfrom\fP and \fBto\fP keywords are used to match against IP
-addresses (and optionally port numbers). Rules must specify BOTH
-source and destination parameters.
-.PP
-IP addresses may be specified in one of two ways: as a numerical
-address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
-may either be a valid hostname, from either the hosts file or DNS
-(depending on your configuration and library) or of the dotted numeric
-form. There is no special designation for networks but network names
-are recognised. Note that having your filter rules depend on DNS
-results can introduce an avenue of attack, and is discouraged.
+Another way to use the name of a network interface to get the address
+is to wrap the name in ()'s. In the above method, IPFilter
+looks at the interface names in use and to decide whether or not
+the name given is a hostname or network interface name. With the
+use of ()'s, it is possible to tell IPFilter that the name should
+be treated as a network interface name even though it doesn't
+appear in the list of network interface that the rule ias associated
+with.
+.IP
+.nf
+pass in proto icmp from any to (bge0)/32
+.fi
+.SS Using address pools
.PP
-There is a special case for the hostname \fBany\fP which is taken to
-be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
-Only the presence of "any" has an implied mask, in all other
-situations, a hostname MUST be accompanied by a mask. It is possible
-to give "any" a hostmask, but in the context of this language, it is
-non-sensical.
+Rather than list out multiple rules that either allow or deny specific
+addresses, it is possible to create a single object, call an address
+pool, that contains all of those addresses and reference that in the
+filter rule. For documentation on how to write the configuration file
+for those pools and load them, see ippool.conf(5) and ippool(8).
+There are two types of address pools that can be defined in ippool.conf(5):
+trees and hash tables. To refer to a tree defined in ippool.conf(5),
+use this syntax:
.PP
-The numerical format "x\fB/\fPy" indicates that a mask of y
-consecutive 1 bits set is generated, starting with the MSB, so a y value
-of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
-that the mask y is in dotted IP notation or a hexadecimal number of
-the form 0x12345678. Note that all the bits of the IP address
-indicated by the bitmask must match the address on the packet exactly;
-there isn't currently a way to invert the sense of the match, or to
-match ranges of IP addresses which do not express themselves easily as
-bitmasks (anthropomorphization; it's not just for breakfast anymore).
+.nf
+pass in from pool/trusted to any
+.fi
.PP
-If a \fBport\fP match is included, for either or both of source and
-destination, then it is only applied to
-.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
-TCP and UDP packets. If there is no \fBproto\fP match parameter,
-packets from both protocols are compared. This is equivalent to "proto
-tcp/udp". When composing \fBport\fP comparisons, either the service
-name or an integer port number may be used. Port comparisons may be
-done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. When the port appears as part of the
-\fBfrom\fP object, it matches the source port number, when it appears
-as part of the \fBto\fP object, it matches the destination port number.
-See the examples for more information.
+Either a name or number can be used after the '/', just so long as it
+matches up with something that has already been defined in ipool.conf(5)
+and loaded in with ippool(8). Loading a filter rule that references a
+pool that does not exist will result in an error.
.PP
-The \fBall\fP keyword is essentially a synonym for "from any to any"
-with no other match parameters.
+If hash tables have been used in ippool.conf(5) to store the addresses
+in instead of a tree, then replace the word pool with hash:
+.IP
+.nf
+pass in from any to hash/webservers
+.fi
.PP
-Following the source and destination matching parameters, the
-following additional parameters may be used:
-.TP
-.B with
-is used to match irregular attributes that some packets may have
-associated with them. To match the presence of IP options in general,
-use \fBwith ipopts\fP. To match packets that are too short to contain
-a complete header, use \fBwith short\fP. To match fragmented packets,
-use \fBwith frag\fP. For more specific filtering on IP options,
-individual options can be listed.
+There are different operational characteristics with each, so there
+may be some situations where a pool works better than hash and vice
+versa.
+.SS Matching TCP flags
+.PP
+The TCP header contains a field of flags that is used to decide if the
+packet is a connection request, connection termination, data, etc.
+By matching on the flags in conjunction with port numbers, it is
+possible to restrict the way in which IPFilter allows connections to
+be created. A quick overview of the TCP
+flags is below. Each is listed with the letter used in IPFilter
+rules, followed by its three or four letter pneumonic.
+.HP
+S
+SYN - this bit is set when a host is setting up a connection.
+The initiator typically sends a packet with the SYN bit and the
+responder sends back SYN plus ACK.
+.HP
+A
+ACK - this bit is set when the sender wishes to acknowledge the receipt
+of a packet from another host
+.HP
+P
+PUSH - this bit is set when a sending host has send some data that
+is yet to be acknowledged and a reply is sought
+.HP
+F
+FIN - this bit is set when one end of a connection starts to close
+the connection down
+.HP
+U
+URG - this bit is set to indicate that the packet contains urgent data
+.HP
+R
+RST - this bit is set only in packets that are a reply to another
+that has been received but is not targetted at any open port
+.HP
+C
+CWN
+.HP
+E
+ECN
+.PP
+When matching TCP flags, it is normal to just list the flag that you
+wish to be set. By default the set of flags it is compared against
+is "FSRPAU". Rules that say "flags S" will be displayed by ipfstat(8)
+as having "flags S/FSRPAU". This is normal.
+The last two flags, "C" and "E", are optional - they
+may or may not be used by an end host and have no bearing on either
+the acceptance of data nor control of the connection. Masking them
+out with "flags S/FSRPAUCE" may cause problems for remote hosts
+making a successful connection.
+.PP
+.nf
+pass in quick proto tcp from any to any port = 22 flags S/SAFR
+pass out quick proto tcp from any port = 22 to any flags SA
+.fi
+.PP
+By itself, filtering based on the TCP flags becomes more work but when
+combined with stateful filtering (see below), the situation changes.
+.SS Matching on ICMP header information
+.PP
+The TCP and UDP are not the only protocols for which filtering beyond
+just the IP header is possible, extended matching on ICMP packets is
+also available. The list of valid ICMP types is different for IPv4
+vs IPv6.
+.PP
+As a practical example, to allow the ping command to work
+against a specific target requires allowing two different types of
+ICMP packets, like this:
+.PP
+.nf
+pass in proto icmp from any to webserver icmp-type echo
+pass out proto icmp from webserver to any icmp-type echorep
+.fi
+.PP
+The ICMP header has two fields that are of interest for filtering:
+the ICMP type and code. Filter rules can accept either a name or
+number for both the type and code. The list of names supported for
+ICMP types is listed below, however only ICMP unreachable errors
+have named codes (see above.)
+.PP
+The list of ICMP types that are available for matching an IPv4 packet
+are as follows:
+.PP
+echo (echo request),
+echorep (echo reply),
+inforeq (information request),
+inforep (information reply),
+maskreq (mask request),
+maskrep (mask reply),
+paramprob (parameter problem),
+redir (redirect),
+routerad (router advertisement),
+routersol (router solicit),
+squence (source quence),
+timest (timestamp),
+timestreq (timestamp reply),
+timex (time exceeded),
+unreach (unreachable).
+.PP
+The list of ICMP types that are available for matching an IPv6 packet
+are as follows:
+.PP
+echo (echo request),
+echorep (echo reply),
+fqdnquery (FQDN query),
+fqdnreply (FQDN reply),
+inforeq (information request),
+inforep (information reply),
+listendone (MLD listener done),
+listendqry (MLD listener query),
+listendrep (MLD listener reply),
+neighadvert (neighbour advert),
+neighborsol (neighbour solicit),
+paramprob (parameter problem),
+redir (redirect),
+renumber (router renumbering),
+routerad (router advertisement),
+routersol (router solicit),
+timex (time exceeded),
+toobig (packet too big),
+unreach (unreachable,
+whoreq (WRU request),
+whorep (WRU reply).
+.SH Stateful Packet Filtering
+.PP
+Stateful packet filtering is where IPFilter remembers some information from
+one or more packets that it has seen and is able to apply it to future
+packets that it receives from the network.
+.PP
+What this means for each transport layer protocol is different.
+For TCP it means that if IPFilter
+sees the very first packet of an attempt to make a connection, it has enough
+information to allow all other subsequent packets without there needing to
+be any explicit rules to match them. IPFilter uses the TCP port numbers,
+TCP flags, window size and sequence numbers to determine which packets
+should be matched. For UDP, only the UDP port numbers are available.
+For ICMP, the ICMP types can be combined with the ICMP id field to
+determine which reply packets match a request/query that has already
+been seen. For all other protocols, only matching on IP address and
+protocol number is available for determining if a packet received is a mate
+to one that has already been let through.
+.PP
+The difference this makes is a reduction in the number of rules from
+2 or 4 to 1. For example, these 4 rules:
+.PP
+.nf
+pass in on bge0 proto tcp from any to any port = 22
+pass out on bge1 proto tcp from any to any port = 22
+pass in on bge1 proto tcp from any port = 22 to any
+pass out on bge0 proto tcp from any port = 22 to any
+.fi
+.PP
+can be replaced with this single rule:
+.PP
+.nf
+pass in on bge0 proto tcp from any to any port = 22 flags S keep state
+.fi
+.PP
+Similar rules for UDP and ICMP might be:
+.PP
+.nf
+pass in on bge0 proto udp from any to any port = 53 keep state
+pass in on bge0 proto icmp all icmp-type echo keep state
+.fi
+.PP
+When using stateful filtering with TCP it is best to add "flags S" to the
+rule to ensure that state is only created when a packet is seen that is
+an indication of a new connection. Although IPFilter can gather some
+information from packets in the middle of a TCP connection to do stateful
+filtering, there are some options that are only sent at the start of the
+connection which alter the valid window of what TCP accepts. The end result
+of trying to pickup TCP state in mid connection is that some later packets
+that are part of the connection may not match the known state information
+and be dropped or blocked, causing problems. If a TCP packet matches IP
+addresses and port numbers but does not fit into the recognised window,
+it will not be automatically allowed and will be flagged inside of
+IPFitler as "out of window" (oow). See below, "Extra packet attributes",
+for how to match on this attribute.
+.PP
+Once a TCP connection has reached the established state, the default
+timeout allows for it to be idle for 5 days before it is removed from
+the state table. The timeouts for the other TCP connection states
+vary from 240 seconds to 30 seconds.
+Both UDP and ICMP state entries have asymetric timeouts where the timeout
+set upon seeing packets in the forward direction is much larger than
+for the reverse direction. For UDP the default timeouts are 120 and
+12 seconds, for ICMP 60 and 6 seconds. This is a reflection of the
+use of these protocols being more for query-response than for ongoing
+connections. For all other protocols the
+timeout is 60 seconds in both directions.
+.SS Stateful filtering options
+.PP
+The following options can be used with stateful filtering:
+.HP
+limit
+limit the number of state table entries that this rule can create to
+the number given after limit. A rule that has a limit specified is
+always permitted that many state table entries, even if creating an
+additional entry would cause the table to have more entries than the
+otherwise global limit.
.IP
-Before any parameter used after the \fBwith\fP keyword, the word
-\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
-match if the option(s) is not present.
+.nf
+pass ... keep state(limit 100)
+.fi
+.HP
+age
+sets the timeout for the state entry when it sees packets going through
+it. Additionally it is possible to set the tieout for the reply packets
+that come back through the firewall to a different value than for the
+forward path. allowing a short timeout to be set after the reply has
+been seen and the state no longer required.
+.RS
+.PP
+.nf
+pass in quick proto icmp all icmp-type echo \\
+ keep state (age 3)
+pass in quick proto udp from any \\
+ to any port = 53 keep state (age 30/1)
+.fi
+.RE
+.HP
+strict
+only has an impact when used with TCP. It forces all packets that are
+allowed through the firewall to be sequential: no out of order delivery
+of packets is allowed. This can cause significant slowdown for some
+connections and may stall others. Use with caution.
.IP
-Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
-the keyword \fBand\fP may be used in place of \fBwith\fP, this is
-provided purely to make the rules more readable ("with ... and ...").
-When multiple clauses are listed, all those must match to cause a
-match of the rule.
-.\" XXX describe the options more specifically in a separate section
-.TP
-.B flags
-is only effective for TCP filtering. Each of the letters possible
-represents one of the possible flags that can be set in the TCP
-header. The association is as follows:
-.LP
.nf
- F - FIN
- S - SYN
- R - RST
- P - PUSH
- A - ACK
- U - URG
+pass in proto tcp ... keep state(strict)
.fi
+.HP
+noicmperr
+prevents ICMP error packets from being able to match state table entries
+created with this flag using the contents of the original packet included.
.IP
-The various flag symbols may be used in combination, so that "SA"
-would represent a SYN-ACK combination present in a packet. There is
-nothing preventing the specification of combinations, such as "SFR",
-that would not normally be generated by law-abiding TCP
-implementations. However, to guard against weird aberrations, it is
-necessary to state which flags you are filtering against. To allow
-this, it is possible to set a mask indicating which TCP flags you wish
-to compare (i.e., those you deem significant). This is done by
-appending "/<flags>" to the set of TCP flags you wish to match
-against, e.g.:
-.LP
.nf
- ... flags S
- # becomes "flags S/AUPRFS" and will match
- # packets with ONLY the SYN flag set.
+pass ... keep state(noicmperr)
+.fi
+.HP
+sync
+indicates to IPFilter that it needs to provide information to the user
+land daemons responsible for syncing other machines state tables up
+with this one.
+.IP
+.nf
+pass ... keep state(sync)
+.fi
+.HP
+nolog
+do not generate any log records for the creation or deletion of state
+table entries.
+.IP
+.nf
+pass ... keep state(nolog)
+.fi
+.HP
+icmp-head
+rather than just precent ICMP error packets from being able to match
+state table entries, allow an ACL to be processed that can filter in or
+out ICMP error packets based as you would with normal firewall rules.
+The icmp-head option requires a filter rule group number or name to
+be present, just as you would use with head.
+.RS
+.PP
+.nf
+pass in quick proto tcp ... keep state(icmp-head 101)
+block in proto icmp from 10.0.0.0/8 to any group 101
+.fi
+.RE
+.HP
+max-srcs
+allows the number of distinct hosts that can create a state entry to
+be defined.
+.IP
+.nf
+pass ... keep state(max-srcs 100)
+pass ... keep state(limit 1000, max-srcs 100)
+.fi
+.HP
+max-per-src
+whilst max-srcs limits the number of individual hosts that may cause
+the creation of a state table entry, each one of those hosts is still
+table to fill up the state table with new entries until the global
+maximum is reached. This option allows the number of state table entries
+per address to be limited.
+.IP
+.nf
+pass ... keep state(max-srcs 100, max-per-src 1)
+pass ... keep state(limit 100, max-srcs 100, max-per-src 1)
+.fi
+.IP
+Whilst these two rules might seem identical, in that they both
+ultimately limit the number of hosts and state table entries created
+from the rule to 100, there is a subtle difference: the second will
+always allow up to 100 state table entries to be created whereas the
+first may not if the state table fills up from other rules.
+.IP
+Further, it is possible to specify a netmask size after the per-host
+limit that enables the per-host limit to become a per-subnet or
+per-network limit.
+.IP
+.nf
+pass ... keep state(max-srcs 100, max-per-src 1/24)
+.fi
+.IP
+If there is no IP protocol implied by addresses or other features of
+the rule, IPFilter will assume that no netmask is an all ones netmask
+for both IPv4 and IPv6.
+.SS Tieing down a connection
+.PP
+For any connection that transits a firewall, each packet will be seen
+twice: once going in and once going out. Thus a connection has 4 flows
+of packets:
+.HP
+forward
+inbound packets
+.HP
+forward
+outbound packets
+.HP
+reverse
+inbound packets
+.HP
+reverse
+outbound packets
+.PP
+IPFilter allows you to define the network interface to be used at all
+four points in the flow of packets. For rules that match inbound packets,
+out-via is used to specify which interfaces the packets go out, For rules
+that match outbound packets, in-via is used to match the inbound packets.
+In each case, the syntax generalises to this:
+.PP
+.nf
+pass ... in on forward-in,reverse-in \\
+ out-via forward-out,reverse-out ...
- ... flags SA
- # becomes "flags SA/AUPRFS" and will match any
- # packet with only the SYN and ACK flags set.
-
- ... flags S/SA
- # will match any packet with just the SYN flag set
- # out of the SYN-ACK pair; the common "establish"
- # keyword action. "S/SA" will NOT match a packet
- # with BOTH SYN and ACK set, but WILL match "SFP".
+pass ... out on forward-out,reverse-out \\
+ in-via forward-in,reverse-in ...
.fi
-.TP
-.B icmp-type
-is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjunction with \fBflags\fP. There are a number of types, which can be
-referred to by an abbreviation recognised by this language, or the numbers
-with which they are associated can be used. The most important from
-a security point of view is the ICMP redirect.
-.SH KEEP HISTORY
.PP
-The second last parameter which can be set for a filter rule is whether or not
-to record historical information for that packet, and what sort to keep. The
-following information can be kept:
-.TP
-.B state
-keeps information about the flow of a communication session. State can
-be kept for TCP, UDP, and ICMP packets.
-.TP
-.B frags
-keeps information on fragmented packets, to be applied to later
-fragments.
+An example that pins down all 4 network interfaces used by an ssh
+connection might look something like this:
.PP
-allowing packets which match these to flow straight through, rather
-than going through the access control list.
-.SH GROUPS
-The last pair of parameters control filter rule "grouping". By default, all
-filter rules are placed in group 0 if no other group is specified. To add a
-rule to a non-default group, the group must first be started by creating a
-group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
-group, the filter processing then switches to the group, using that rule as
-the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
-processing isn't stopped until it has returned from processing the group.
+.nf
+pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\
+ from any to any port = 22 flags S keep state
+.fi
+.SS Working with packet fragments
.PP
-A rule may be both the head for a new group and a member of a non-default
-group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
-.TP
-.B "head <n>"
-indicates that a new group (number n) should be created.
-.TP
-.B "group <n>"
-indicates that the rule should be put in group (number n) rather than group 0.
-.SH LOGGING
+Fragmented packets result in 1 packet containing all of the layer 3 and 4
+header information whilst the data is split across a number of other packets.
.PP
-When a packet is logged, with either the \fBlog\fP action or option,
-the headers of the packet are written to the \fBipl\fP packet logging
-pseudo-device. Immediately following the \fBlog\fP keyword, the
-following qualifiers may be used (in order):
-.TP
-.B body
-indicates that the first 128 bytes of the packet contents will be
-logged after the headers.
-.TP
-.B first
-If log is being used in conjunction with a "keep" option, it is recommended
-that this option is also applied so that only the triggering packet is logged
-and not every packet which thereafter matches state information.
-.TP
-.B or-block
-indicates that, if for some reason the filter is unable to log the
-packet (such as the log reader being too slow) then the rule should be
-interpreted as if the action was \fBblock\fP for this packet.
-.TP
-.B "level <loglevel>"
-indicates what logging facility and priority, or just priority with
-the default facility being used, will be used to log information about
-this packet using ipmon's -s option.
+To enforce access control on fragmented packets, one of two approaches
+can be taken. The first is to allow through all of the data fragments
+(those that made up the body of the original packet) and rely on matching
+the header information in the "first" fragment, when it is seen. The
+reception of body fragments without the first will result in the receiving
+host being unable to completely reassemble the packet and discarding all
+of the fragments. The following three rules deny all fragmented packets
+from being received except those that are UDP and even then only allows
+those destined for port 2049 to be completed.
.PP
-See ipl(4) for the format of records written
-to this device. The ipmon(8) program can be used to read and format
-this log.
-.SH EXAMPLES
+.nf
+block in all with frags
+pass in proto udp from any to any with frag-body
+pass in proto udp from any to any port = 2049 with frags
+.fi
.PP
-The \fBquick\fP option is good for rules such as:
-\fC
+Another mechanism that is available is to track "fragment state".
+This relies on the first fragment of a packet that arrives to be
+the fragment that contains all of the layer 3 and layer 4 header
+information. With the receipt of that fragment before any other,
+it is possible to determine which other fragments are to be allowed
+through without needing to explicitly allow all fragment body packets.
+An example of how this is done is as follows:
+.PP
.nf
-block in quick from any to any with ipopts
+pass in proto udp from any port = 2049 to any with frags keep frags
.fi
+.SH Building a tree of rules
.PP
-which will match any packet with a non-standard header length (IP
-options present) and abort further processing of later rules,
-recording a match and also that the packet should be blocked.
+Writing your filter rules as one long list of rules can be both inefficient
+in terms of processing the rules and difficult to understand. To make the
+construction of filter rules easier, it is possible to place them in groups.
+A rule can be both a member of a group and the head of a new group.
.PP
-The "fall-through" rule parsing allows for effects such as this:
-.LP
+Using filter groups requires at least two rules: one to be in the group
+one one to send matchign packets to the group. If a packet matches a
+filtre rule that is a group head but does not match any of the rules
+in that group, then the packet is considered to have matched the head
+rule.
+.PP
+Rules that are a member of a group contain the word group followed by
+either a name or number that defines which group they're in. Rules that
+form the branch point or starting point for the group must use the
+word head, followed by either a group name or number. If rules are
+loaded in that define a group but there is no matching head then they
+will effectively be orphaned rules. It is possible to have more than
+one head rule point to the same group, allowing groups to be used
+like subroutines to implement specific common policies.
+.PP
+A common use of filter groups is to define head rules that exist in the
+filter "main line" for each direction with the interfaces in use. For
+example:
+.PP
.nf
- block in from any to any port < 6000
- pass in from any to any port >= 6000
- block in from any to any port > 6003
+block in quick on bge0 all head 100
+block out quick on bge0 all head 101
+block in quick on fxp0 all head internal-in
+block out quick on fxp0 all head internal-out
+pass in quick proto icmp all icmp-type echo group 100
.fi
.PP
-which sets up the range 6000-6003 as being permitted and all others being
-denied. Note that the effect of the first rule is overridden by subsequent
-rules. Another (easier) way to do the same is:
-.LP
+In the above set of rules, there are four groups defined but only one
+of them has a member rule. The only packets that would be allowed
+through the above ruleset would be ICMP echo packets that are
+received on bge0.
+.PP
+Rules can be both a member of a group and the head of a new group,
+allowing groups to specialise.
+.PP
.nf
- block in from any to any port 6000 <> 6003
- pass in from any to any port 5999 >< 6004
+block in quick on bge0 all head 100
+block in quick proto tcp all head 1006 group 100
.fi
.PP
-Note that both the "block" and "pass" are needed here to effect a
-result as a failed match on the "block" action does not imply a pass,
-only that the rule hasn't taken effect. To then allow ports < 1024, a
-rule such as:
-.LP
+Another use of filter rule groups is to provide a place for rules to
+be dynamically added without needing to worry about their specific
+ordering amongst the entire ruleset. For example, if I was using this
+simple ruleset:
+.PP
.nf
- pass in quick from any to any port < 1024
+block in quick all with bad
+block in proto tcp from any to any port = smtp head spammers
+pass in quick proto tcp from any to any port = smtp flags S keep state
.fi
.PP
-would be needed before the first block. To create a new group for
-processing all inbound packets on le0/le1/lo0, with the default being to block
-all inbound packets, we would do something like:
-.LP
+and I was getting lots of connections to my email server from 10.1.1.1
+to deliver spam, I could load the following rule to complement the above:
+.IP
.nf
- block in all
- block in quick on le0 all head 100
- block in quick on le1 all head 200
- block in quick on lo0 all head 300
+block in quick from 10.1.1.1 to any group spammers
.fi
+.SS Decapsulation
.PP
+Rule groups also form a different but vital role for decapsulation rules.
+With the following simple rule, if IPFilter receives an IP packet that has
+an AH header as its layer 4 payload, IPFilter would adjust its view of the
+packet internally and then jump to group 1001 using the data beyond the
+AH header as the new transport header.
+.PP
+.nf
+decapsulate in proto ah all head 1001
+.fi
+.PP
+For protocols that
+are recognised as being used with tunnelling or otherwise encapsulating
+IP protocols, IPFilter is able to decide what it has on the inside
+without any assistance. Some tunnelling protocols use UDP as the
+transport mechanism. In this case, it is necessary to instruct IPFilter
+as to what protocol is inside UDP.
+.PP
+.nf
+decapsulate l5-as(ip) in proto udp from any \\
+ to any port = 1520 head 1001
+.fi
+.PP
+Currently IPFilter only supports finding IPv4 and IPv6 headers
+directly after the UDP header.
+.PP
+If a packet matches a decapsulate rule but fails to match any of the rules
+that are within the specified group, processing of the packet continues
+to the next rule after the decapsulate and IPFilter's internal view of the
+packet is returned to what it was prior to the decapsulate rule.
+.PP
+It is possible to construct a decapsulate rule without the group
+head at the end that ipf(8) will accept but such rules will not
+result in anything happening.
+.SS Policy Based Routing
+.PP
+With firewalls being in the position they often are, at the boundary
+of different networks connecting together and multiple connections that
+have different properties, it is often desirable to have packets flow
+in a direction different to what the routing table instructs the kernel.
+These decisions can often be extended to changing the route based on
+both source and destination address or even port numbers.
+.PP
+To support this kind of configuration, IPFilter allows the next hop
+destination to be specified with a filter rule. The next hop is given
+with the interface name to use for output. The syntax for this is
+interface:ip.address. It is expected that the address given as the next
+hop is directly connected to the network to which the interface is.
+.PP
+.nf
+pass in on bge0 to bge1:1.1.1.1 proto tcp \\
+ from 1.1.2.3 to any port = 80 flags S keep state
+.fi
+.PP
+When this feature is combined with stateful filtering, it becomes
+possible to influence the network interface used to transmit packets
+in both directions because we now have a sense for what its reverse
+flow of packets is.
+.PP
+.nf
+pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
+ proto tcp from 1.1.2.3 to any port = 80 flags S keep state
+.fi
+.PP
+If the actions of the routing table are perfectly acceptable, but
+you would like to mask the presence of the firewall by not changing
+the TTL in IP packets as they transit it, IPFilter can be instructed
+to do a "fastroute" action like this:
+.PP
+.nf
+pass in on bge0 fastroute proto icmp all
+.fi
+.PP
+This should be used with caution as it can lead to endless packet
+loops. Additionally, policy based routing does not change the IP
+header's TTL value.
+.PP
+A variation on this type of rule supports a duplicate of the original
+packet being created and sent out a different network. This can be
+useful for monitoring traffic and other purposes.
+.PP
+.nf
+pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
+ dup-to fxp0:10.0.0.1 proto tcp from 1.1.2.3 \\
+ to any port = 80 flags S keep state
+.fi
+.SS Matching IPv4 options
+.PP
+The design for IPv4 allows for the header to be upto 64 bytes long,
+however most traffic only uses the basic header which is 20 bytes long.
+The other 44 bytes can be uesd to store IP options. These options are
+generally not necessary for proper interaction and function on the
+Internet today. For most people it is sufficient to block and drop
+all packets that have any options set. This can be achieved with this
+rule:
+.PP
+.nf
+block in quick all with ipopts
+.fi
+.PP
+This rule is usually placed towards the top of the configuration
+so that all incoming packets are blocked.
+.PP
+If you wanted to allow in a specific IP option type, the syntax
+changes slightly:
+.PP
+.nf
+pass in quick proto igmp all with opt rtralrt
+.fi
+.PP
+The following is a list of IP options that most people encounter and
+what their use/threat is.
+.HP
+lsrr
+(loose source route) the sender of the packet includes a list of addresses
+that they wish the packet to be routed through to on the way to the
+destination. Because replies to such packets are expected to use the
+list of addresses in reverse, hackers are able to very effectively use
+this header option in address spoofing attacks.
+.HP
+rr
+(record route) the sender allocates some buffer space for recording the
+IP address of each router that the packet goes through. This is most often
+used with ping, where the ping response contains a copy of all addresses
+from the original packet, telling the sender what route the packet took
+to get there. Due to performance and security issues with IP header
+options, this is almost no longer used.
+.HP
+rtralrt
+(router alert) this option is often used in IGMP messages as a flag to
+routers that the packet needs to be handled differently. It is unlikely
+to ever be received from an unknown sender. It may be found on LANs or
+otherwise controlled networks where the RSVP protocol and multicast
+traffic is in heavy use.
+.HP
+ssrr
+(strict source route) the sender of the packet includes a list of addresses
+that they wish the packet to be routed through to on the way to the
+destination. Where the lsrr option allows the sender to specify only
+some of the nodes the packet must go through, with the ssrr option,
+every next hop router must be specified.
+.PP
+The complete list of IPv4 options that can be matched on is:
+addext (Address Extention),
+cipso (Classical IP Security Option),
+dps (Dynamic Packet State),
+e-sec (Extended Security),
+eip (Extended Internet Protocol),
+encode (ENCODE),
+finn (Experimental Flow Control),
+imitd (IMI Traffic Descriptor),
+lsrr (Loose Source Route),
+mtup (MTU Probe - obsolete),
+mtur (MTU response - obsolete),
+nop (No Operation),
+nsapa (NSAP Address),
+rr (Record Route),
+rtralrt (Router Alert),
+satid (Stream Identifier),
+sdb (Selective Directed Broadcast),
+sec (Security),
+ssrr (Strict Source Route),
+tr (Tracerote),
+ts (Timestamp),
+ump (Upstream Multicast Packet),
+visa (Experimental Access Control)
+and zsu (Experimental Measurement).
+.SS Security with CIPSO and IPSO
+.PP
+IPFilter supports filtering on IPv4 packets using security attributes embedded
+in the IP options part of the packet. These options are usually only used on
+networks and systems that are using lablled security. Unless you know that
+you are using labelled security and your networking is also labelled, it
+is highly unlikely that this section will be relevant to you.
+.PP
+With the traditional IP Security Options (IPSO), packets can be tagged with
+a security level. The following keywords are recognised and match with the
+relevant RFC with respect to the bit patterns matched:
+confid (confidential),
+rserve-1 (1st reserved value),
+rserve-2 (2nd reserved value),
+rserve-3 (3rd reserved value),
+rserve-4 (4th reserved value),
+secret (secret),
+topsecret (top secret),
+unclass (unclassified).
+.PP
+.nf
+block in quick all with opt sec-class unclass
+pass in all with opt sec-class secret
+.fi
+.SS Matching IPv6 extension headers
+.PP
+Just as it is possible to filter on the various IPv4 header options,
+so too it is possible to filter on the IPv6 extension headers that are
+placed between the IPv6 header and the transport protocol header.
+.PP
+dstopts (destination options),
+esp (encrypted, secure, payload),
+frag (fragment),
+hopopts (hop-by-hop options),
+ipv6 (IPv6 header),
+mobility (IP mobility),
+none,
+routing.
+.SS Logging
+.PP
+There are two ways in which packets can be logged with IPFilter. The
+first is with a rule that specifically says log these types of packets
+and the second is a qualifier to one of the other keywords. Thus it is
+possible to both log and allow or deny a packet with a single rule.
+.PP
+.nf
+pass in log quick proto tcp from any to any port = 22
+.fi
+.PP
+When using stateful filtering, the log action becomes part of the result
+that is remembered about a packet. Thus if the above rule was qualified
+with keep state, every packet in the connection would be logged. To only
+log the first packet from every packet flow tracked with keep state, it
+is necessary to indicate to IPFilter that you only wish to log the first
+packet.
+.PP
+.nf
+pass in log first quick proto tcp from any to any port = 22 \\
+ flags S keep state
+.fi
+.PP
+If it is a requirement that the logging provide an accurate representation
+of which connections are allowed, the log action can be qualified with the
+option or-block. This allows the administrator to instruct IPFilter to
+block the packet if the attempt to record the packet in IPFilter's kernel
+log records (which have an upper bound on size) failed. Unless the system
+shuts down or reboots, once a log record is written into the kernel buffer,
+it is there until ipmon(8) reads it.
+.PP
+.nf
+block in log proto tcp from any to any port = smtp
+pass in log or-block first quick proto tcp from any \\
+ to any port = 22 flags S keep state
+.fi
+.PP
+By default, IPFilter will only log the header portion of a packet received
+on the network. A portion of the body of a packet, upto 128 bytes, can also
+be logged with the body keyword. ipmon(8) will display the contents of the
+portion of the body logged in hex.
+.PP
+.nf
+block in log body proto icmp all
+.fi
+.PP
+When logging packets from ipmon(8) to syslog, by default ipmon(8) will
+control what syslog facility and priority a packet will be logged with.
+This can be tuned on a per rule basis like this:
+.PP
+.nf
+block in quick log level err all with bad
+pass in log level local1.info proto tcp \\
+ from any to any port = 22 flags S keep state
+.fi
+.PP
+ipfstat(8) reports how many packets have been successfully logged and how
+many failed attempts to log a packet there were.
+.SS Filter rule comments
+.PP
+If there is a desire to associate a text string, be it an administrative
+comment or otherwise, with an IPFilter rule, this can be achieved by giving
+the filter rule a comment. The comment is loaded with the rule into the
+kernel and can be seen when the rules are listed with ipfstat.
+.PP
+.nf
+pass in quick proto tcp from any \\
+ to port = 80 comment "all web server traffic is ok"
+pass out quick proto tcp from any port = 80 \\
+ to any comment "all web server traffic is ok"
+.fi
+.SS Tags
+.PP
+To enable filtering and NAT to correctly match up packets with rules,
+tags can be added at with NAT (for inbound packets) and filtering (for
+outbound packets.) This allows a filter to be correctly mated with its
+NAT rule in the event that the NAT rule changed the packet in a way
+that would mean it is not obvious what it was.
+.PP
+For inbound packets, IPFilter can match the tag used in the filter
+rules with that set by NAT. For outbound rules, it is the reverse,
+the filter sets the tag and the NAT rule matches up with it.
+.PP
+.nf
+pass in ... match-tag(nat=proxy)
+pass out ... set-tag(nat=proxy)
+.fi
+.PP
+Another use of tags is to supply a number that is only used with logging.
+When packets match these rules, the log tag is carried over into the
+log file records generated by ipmon(8). With the correct use of tools
+such as grep, extracting log records of interest is simplified.
+.PP
+.nf
+block in quick log ... set-tag(log=33)
+.fi
+.SH Filter Rule Expiration
+.PP
+IPFilter allows rules to be added into the kernel that it will remove after
+a specific period of time by specifying rule-ttl at the end of a rule.
+When listing rules in the kernel using ipfstat(8), rules that are going
+to expire will NOT display "rule-ttl" with the timeout, rather what will
+be seen is a comment with how many ipfilter ticks left the rule has to
+live.
+.PP
+The time to live is specified in seconds.
+.PP
+.nf
+pass in on fxp0 proto tcp from any \\
+ to port = 22 flags S keep state rule-ttl 30
+.fi
+.SH Internal packet attributes
+.PP
+In addition to being able to filter on very specific network and transport
+header fields, it is possible to filter on other attributes that IPFilter
+attaches to a packet. These attributes are placed in a rule after the
+keyword "with", as can be seen with frags and frag-body above. The
+following is a list of the other attributes available:
+.HP
+oow
+the packet's IP addresses and TCP ports match an existing entry in the
+state table but the sequence numbers indicate that it is outside of the
+accepted window.
+.IP
+.nf
+block return-rst in quick proto tcp from any to any with not oow
+.fi
+.HP
+bcast
+this is set by IPFilter when it receives notification that the link
+layer packet was a broadcast packet. No checking of the IP addresses
+is performned to determine if it is a broadcast destination or not.
+.IP
+.nf
+block in quick proto udp all with bcast
+.fi
+.HP
+mcast
+this is set by IPFilter when it receives notification that the link
+layer packet was a multicast packet. No checking of the IP addresses
+is performned to determine if it is a multicast destination or not.
+.IP
+.nf
+pass in quick proto udp from any to any port = dns with mcast
+.fi
+.HP
+mbcast
+can be used to match a packet that is either a multicast or broadcast
+packet at the link layer, as indicated by the operating system.
+.IP
+.nf
+pass in quick proto udp from any to any port = ntp with mbcast
+.fi
+.HP
+nat
+the packet positively matched a NAT table entry.
+.HP
+bad
+sanity checking of the packet failed. This could indicate that the
+layer 3/4 headers are not properly formed.
+.HP
+bad-src
+when reverse path verification is enabled, this flag will be set when
+the interface the packet is received on does not match that which would
+be used to send a packet out of to the source address in the received
+packet.
+.HP
+bad-nat
+an attempt to perform NAT on the packet failed.
+.HP
+not
+each one of the attributes matched using the "with" keyword can also be
+looked for to not be present. For example, to only allow in good packets,
+I can do this:
+.PP
+.nf
+block in all
+pass in all with not bad
+.fi
+.SH Tuning IPFilter
+.PP
+The ipf.conf file can also be used to tune the behaviour of IPFilter,
+allowing, for example, timeouts for the NAT/state table(s) to be set
+along with their sizes. The presence and names of tunables may change
+from one release of IPFilter to the next. The tunables that can be
+changed via ipf.conf is the same as those that can be seen and modified
+using the -T command line option to ipf(8).
+.PP
+NOTE: When parsing ipf.conf, ipf(8) will apply the settings before
+loading any rules. Thus if your settings are at the top, these may
+be applied whilst the rules not applied if there is an error further
+down in the configuration file.
+.PP
+To set one of the values below, the syntax is simple: "set", followed
+by the name of the tuneable to set and then the value to set it to.
+.PP
+.nf
+set state_max 9999;
+set state_size 10101;
+.fi
+.PP
+A list of the currently available variables inside IPFilter that may
+be tuned from ipf.conf are as follows:
+.HP
+active
+set through -s command line switch of ipf(8). See ipf(8) for detals.
+.HP
+chksrc
+when set, enables reverse path verification on source addresses and
+for filters to match packets with bad-src attribute.
+.HP
+control_forwarding
+when set turns off kernel forwarding when IPFilter is disabled or unloaded.
+.HP
+default_pass
+the default policy - whether packets are blocked or passed, etc - is
+represented by the value of this variable. It is a bit field and the
+bits that can be set are found in <netinet/ip_fil.h>. It is not
+recommended to tune this value directly.
+.HP
+ftp_debug
+set the debugging level of the in-kernel FTP proxy.
+Debug messages will be printed to the system console.
+.HP
+ftp_forcepasv
+when set the FTP proxy must see a PASV/EPSV command before creating
+the state/NAT entries for the 227 response.
+.HP
+ftp_insecure
+when set the FTP proxy will not wait for a user to login before allowing
+data connections to be created.
+.HP
+ftp_pasvonly
+when set the proxy will not create state/NAT entries for when it
+sees either the PORT or EPRT command.
+.HP
+ftp_pasvrdr
+when enabled causes the FTP proxy to create very insecure NAT/state
+entries that will allow any connection between the client and server
+hosts when a 227 reply is seen. Use with extreme caution.
+.HP
+ftp_single_xfer
+when set the FTP proxy will only allow one data connection at a time.
+.HP
+hostmap_size
+sets the size of the hostmap table used by NAT to store address mappings
+for use with sticky rules.
+.HP
+icmp_ack_timeout
+default timeout used for ICMP NAT/state when a reply packet is seen for
+an ICMP state that already exists
+.HP
+icmp_minfragmtu
+sets the minimum MTU that is considered acceptable in an ICMP error
+before deciding it is a bad packet.
+.HP
+icmp_timeout
+default timeout used for ICMP NAT/state when the packet matches the rule
+.HP
+ip_timeout
+default timeout used for NAT/state entries that are not TCP/UDP/ICMP.
+.HP
+ipf_flags
+.HP
+ips_proxy_debug
+this sets the debugging level for the proxy support code.
+When enabled, debugging messages will be printed to the system console.
+.HP
+log_all
+when set it changes the behaviour of "log body" to log the entire packet
+rather than just the first 128 bytes.
+.HP
+log_size
+sets the size of the in-kernel log buffer in bytes.
+.HP
+log_suppress
+when set, IPFilter will check to see if the packet it is logging is
+similar to the one it previously logged and if so, increases
+the occurance count for that packet. The previously logged packet
+must not have yet been read by ipmon(8).
+.HP
+min_ttl
+is used to set the TTL value that packets below will be marked with
+the low-ttl attribute.
+.HP
+nat_doflush
+if set it will cause the NAT code to do a more aggressive flush of the
+NAT table at the next opportunity. Once the flush has been done, the
+value is reset to 0.
+.HP
+nat_lock
+this should only be changed using ipfs(8)
+.HP
+nat_logging
+when set, NAT will create log records that can be read from /dev/ipnat.
+.HP
+nat_maxbucket
+maximum number of entries allowed to exist in each NAT hash bucket.
+This prevents an attacker trying to load up the hash table with
+entries in a single bucket, reducing performance.
+.HP
+nat_rules_size
+size of the hash table to store map rules.
+.HP
+nat_table_max
+maximum number of entries allowed into the NAT table
+.HP
+nat_table_size
+size of the hash table used for NAT
+.HP
+nat_table_wm_high
+when the fill percentage of the NAT table exceeds this mark, more
+aggressive flushing is enabled.
+.HP
+nat_table_wm_low
+this sets the percentage at which the NAT table's agressive flushing
+will turn itself off at.
+.HP
+rdr_rules_size
+size of the hash table to store rdr rules.
+.HP
+state_lock
+this should only be changed using ipfs(8)
+.HP
+state_logging
+when set, the stateful filtering will create log records
+that can be read from /dev/ipstate.
+.HP
+state_max
+maximum number of entries allowed into the state table
+.HP
+state_maxbucket
+maximum number of entries allowed to exist in each state hash bucket.
+This prevents an attacker trying to load up the hash table with
+entries in a single bucket, reducing performance.
+.HP
+state_size
+size of the hash table used for stateful filtering
+.HP
+state_wm_freq
+this controls how often the agressive flushing should be run once the
+state table exceeds state_wm_high in percentage full.
+.HP
+state_wm_high
+when the fill percentage of the state table exceeds this mark, more
+aggressive flushing is enabled.
+.HP
+state_wm_low
+this sets the percentage at which the state table's agressive flushing
+will turn itself off at.
+.HP
+tcp_close_wait
+timeout used when a TCP state entry reaches the FIN_WAIT_2 state.
+.HP
+tcp_closed
+timeout used when a TCP state entry is ready to be removed after either
+a RST packet is seen.
+.HP
+tcp_half_closed
+timeout used when a TCP state entry reaches the CLOSE_WAIT state.
+.HP
+tcp_idle_timeout
+timeout used when a TCP state entry reaches the ESTABLISHED state.
+.HP
+tcp_last_ack
+timeout used when a TCP NAT/state entry reaches the LAST_ACK state.
+.HP
+tcp_syn_received
+timeout applied to a TCP NAT/state entry after SYN-ACK packet has been seen.
+.HP
+tcp_syn_sent
+timeout applied to a TCP NAT/state entry after SYN packet has been seen.
+.HP
+tcp_time_wait
+timeout used when a TCP NAT/state entry reaches the TIME_WAIT state.
+.HP
+tcp_timeout
+timeout used when a TCP NAT/state entry reaches either the half established
+state (one ack is seen after a SYN-ACK) or one side is in FIN_WAIT_1.
+.HP
+udp_ack_timeout
+default timeout used for UDP NAT/state when a reply packet is seen for
+a UDP state that already exists
+.HP
+udp_timeout
+default timeout used for UDP NAT/state when the packet matches the rule
+.HP
+update_ipid
+when set, turns on changing the IP id field in NAT'd packets to a random
+number.
+.SS Table of visible variables
+.PP
+A list of all of the tunables, their minimum, maximum and current
+values is as follows.
+.PP
+.nf
+Name Min Max Current
+active 0 0 0
+chksrc 0 1 0
+control_forwarding 0 1 0
+default_pass 0 MAXUINT 134217730
+ftp_debug 0 10 0
+ftp_forcepasv 0 1 1
+ftp_insecure 0 1 0
+ftp_pasvonly 0 1 0
+ftp_pasvrdr 0 1 0
+ftp_single_xfer 0 1 0
+hostmap_size 1 MAXINT 2047
+icmp_ack_timeout 1 MAXINT 12
+icmp_minfragmtu 0 1 68
+icmp_timeout 1 MAXINT 120
+ip_timeout 1 MAXINT 120
+ipf_flags 0 MAXUINT 0
+ips_proxy_debug 0 10 0
+log_all 0 1 0
+log_size 0 524288 32768
+log_suppress 0 1 1
+min_ttl 0 1 4
+nat_doflush 0 1 0
+nat_lock 0 1 0
+nat_logging 0 1 1
+nat_maxbucket 1 MAXINT 22
+nat_rules_size 1 MAXINT 127
+nat_table_max 1 MAXINT 30000
+nat_table_size 1 MAXINT 2047
+nat_table_wm_high 2 100 99
+nat_table_wm_low 1 99 90
+rdr_rules_size 1 MAXINT 127
+state_lock 0 1 0
+state_logging 0 1 1
+state_max 1 MAXINT 4013
+state_maxbucket 1 MAXINT 26
+state_size 1 MAXINT 5737
+state_wm_freq 2 999999 20
+state_wm_high 2 100 99
+state_wm_low 1 99 90
+tcp_close_wait 1 MAXINT 480
+tcp_closed 1 MAXINT 60
+tcp_half_closed 1 MAXINT 14400
+tcp_idle_timeout 1 MAXINT 864000
+tcp_last_ack 1 MAXINT 60
+tcp_syn_received 1 MAXINT 480
+tcp_syn_sent 1 MAXINT 480
+tcp_time_wait 1 MAXINT 480
+tcp_timeout 1 MAXINT 480
+udp_ack_timeout 1 MAXINT 24
+udp_timeout 1 MAXINT 240
+update_ipid 0 1 0
+.fi
+.SH Calling out to internal functions
+.PP
+IPFilter provides a pair of functions that can be called from a rule
+that allow for a single rule to jump out to a group rather than walk
+through a list of rules to find the group. If you've got multiple
+networks, each with its own group of rules, this feature may help
+provide better filtering performance.
+.PP
+The lookup to find which rule group to jump to is done on either the
+source address or the destination address but not both.
+.PP
+In this example below, we are blocking all packets by default but then
+doing a lookup on the source address from group 1010. The two rules in
+the ipf.conf section are lone members of their group. For an incoming
+packet that is from 1.1.1.1, it will go through three rules: (1) the
+block rule, (2) the call rule and (3) the pass rule for group 1020.
+For a packet that is from 3.3.2.2, it will also go through three rules:
+(1) the block rule, (2) the call rule and (3) the pass rule for group
+1030. Should a packet from 3.1.1.1 arrive, it will be blocked as it
+does not match any of the entries in group 1010, leaving it to only
+match the first rule.
+.PP
+.nf
+from ipf.conf
+-------------
+block in all
+call now srcgrpmap/1010 in all
+pass in proto tcp from any to any port = 80 group 1020
+pass in proto icmp all icmp-type echo group 1030
-and to then allow ICMP packets in on le0, only, we would do:
-.LP
+from ippool.conf
+----------------
+group-map in role=ipf number=1010
+ { 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; };
+.fi
+.SS IPFilter matching expressions
+.PP
+An experimental feature that has been added to filter rules is to use
+the same expression matching that is available with various commands
+to flush and list state/NAT table entries. The use of such an expression
+precludes the filter rule from using the normal IP header matching.
+.PP
.nf
- pass in proto icmp all group 100
+pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state
.fi
+.SS Filter rules with BPF
.PP
-Note that because only inbound packets on le0 are used processed by group 100,
-there is no need to respecify the interface name. Likewise, we could further
-breakup processing of TCP, etc, as follows:
-.LP
+On platforms that have the BPF built into the kernel, IPFilter can be
+built to allow BPF expressions in filter rules. This allows for packet
+matching to be on arbitrary data in the packt. The use of a BPF expression
+replaces all of the other protocol header matching done by IPFilter.
+.PP
.nf
- block in proto tcp all head 110 group 100
- pass in from any to any port = 23 group 110
+pass in bpf-v4 { "tcp and (src port 23 or src port 50)" } \\
+ keep state
.fi
.PP
-and so on. The last line, if written without the groups would be:
-.LP
+These rules tend to be
+write-only because the act of compiling the filter expression into the
+BPF instructions loaded into the kernel can make it difficut to
+accurately reconstruct the original text filter. The end result is that
+while ipf.conf() can be easy to read, understanding the output from
+ipfstat might not be.
+.SH VARIABLES
+.PP
+This configuration file, like all others used with IPFilter, supports the
+use of variable substitution throughout the text.
+.PP
.nf
- pass in on le0 proto tcp from any to any port = telnet
+nif="ppp0";
+pass in on $nif from any to any
.fi
.PP
-Note, that if we wanted to say "port = telnet", "proto tcp" would
-need to be specified as the parser interprets each rule on its own and
-qualifies all service/port names with the protocol specified.
+would become
+.PP
+.nf
+pass in on ppp0 from any to any
+.fi
+.PP
+Variables can be used recursively, such as 'foo="$bar baz";', so long as
+$bar exists when the parser reaches the assignment for foo.
+.PP
+See
+.B ipf(8)
+for instructions on how to define variables to be used from a shell
+environment.
+.DT
.SH FILES
-/dev/ipauth
+/dev/ipf
+/etc/ipf.conf
.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/etc/hosts
-.br
-/etc/services
+/usr/share/examples/ipfilter Directory with examples.
.SH SEE ALSO
-ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
+ipf(8), ipfstat(8), ippool.conf(5), ippool(8)
Modified: trunk/contrib/ipfilter/man/ipf.8
===================================================================
--- trunk/contrib/ipfilter/man/ipf.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipf.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipf.8 301978 2016-06-17 02:48:57Z cy $
.TH IPF 8
.SH NAME
ipf \- alters packet filtering lists for IP packet input and output
@@ -35,7 +35,10 @@
.SH OPTIONS
.TP
.B \-6
-This option is required to parse IPv6 rules and to have them loaded.
+IPv4 and IPv6 rules are stored in a single table and can be read from a
+single file. This option is no longer required to load IPv6 rules. This
+option is ignored when specified with the -F option and the -F option
+will flush IPv4 rules even if this option is specified.
.TP
.B \-A
Set the list to make changes to the active list (default).
Modified: trunk/contrib/ipfilter/man/ipfilter.4
===================================================================
--- trunk/contrib/ipfilter/man/ipfilter.4 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipfilter.4 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipfilter.4 255332 2013-09-06 23:11:19Z cy $
.\"
.TH IP\ FILTER 4
.SH NAME
@@ -28,7 +28,7 @@
.IP
keep packet state information for TCP, UDP and ICMP packet flows
.IP
-keep fragment state information for any IP packet, applying the same rule
+keep fragment state information for any IP packet, applying the same rule
to all fragments.
.IP
act as a Network Address Translator (NAT)
@@ -53,7 +53,7 @@
.IP
"short" (fragmented) IP packets with incomplete headers can be filtered
.IP
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
+any of the 19 IP options or 8 registered IP security classes TOS (Type of
Service) field in packets
.PP
To keep track of the performance of the IP packet filter, a logging device
@@ -73,12 +73,12 @@
.PP
IP Filter keeps its own set of statistics on:
.IP
-packets blocked
+packets blocked
.IP
packets (and bytes!) used for accounting
.IP
packets passed
-.lP
+.IP
packets logged
.IP
attempts to log which failed (buffer full)
@@ -87,7 +87,7 @@
.SH Tools
The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
+be used and integrated with regular unix shells and tools. A brief description
of the tools provided:
.PP
ipf(8)
@@ -100,7 +100,7 @@
is a utility to temporarily lock the IP Filter kernel tables (state tables
and NAT mappings) and write them to disk. After that the system can be
rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
+them into the kernel. This way the system can be rebooted without the
connections being terminated.
.PP
ipfstat(8)
@@ -117,7 +117,7 @@
reads buffered data from the logging device (default is /dev/ipl)
for output to either:
.IP
-screen (standard output)
+screen (standard output)
.IP
file
.IP
@@ -147,13 +147,13 @@
Documentation on ioctl's and the format of data saved
to the logging character device is provided in ipl(4)
-so that you may develop your own applications to work with or in place of any
+so that you may develop your own applications to work with or in place of any
of the above.
Similar, the interface to the NAT code is documented in ipnat(4).
.SH PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
+The following diagram illustrates the flow of TCP/IP packets through the
various stages introduced by IP Filter.
.PP
.nf
Modified: trunk/contrib/ipfilter/man/ipfilter.4.mandoc
===================================================================
--- trunk/contrib/ipfilter/man/ipfilter.4.mandoc 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipfilter.4.mandoc 2018-07-01 23:54:57 UTC (rev 11253)
@@ -30,7 +30,7 @@
.It
keep packet state information for TCP, UDP and ICMP packet flows
.It
-keep fragment state information for any IP packet, applying the same rule
+keep fragment state information for any IP packet, applying the same rule
to all fragments.
.It
act as a Network Address Translator (NAT)
@@ -57,7 +57,7 @@
.It
"short" (fragmented) IP packets with incomplete headers can be filtered
.It
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
+any of the 19 IP options or 8 registered IP security classes TOS (Type of
Service) field in packets
.El
.Pp
@@ -83,7 +83,7 @@
IP Filter keeps its own set of statistics on:
.Bl -bullet -offset indent -compact
.It
-packets blocked
+packets blocked
.It
packets (and bytes!) used for accounting
.It
@@ -97,7 +97,7 @@
.Sh Tools
The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
+be used and integrated with regular unix shells and tools. A brief description
of the tools provided:
.Pp
.Xr ipf 8
@@ -111,7 +111,7 @@
is a utility to temporarily lock the IP Filter kernel tables (state tables
and NAT mappings) and write them to disk. After that the system can be
rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
+them into the kernel. This way the system can be rebooted without the
connections being terminated.
.Pp
.Xr ipfstat 8
@@ -129,7 +129,7 @@
for output to either:
.Bl -bullet -offset indent -compact
.It
-screen (standard output)
+screen (standard output)
.It
file
.It
@@ -152,7 +152,7 @@
reads in a set of rules, from either stdin or a file and adds them
to the kernels current list of active NAT rules. NAT rules can also be
deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in
+with ipnat is described in
.Xr ipnat 5 .
.Pp
For use in your own programs (e.g. for writing of transparent application
@@ -162,15 +162,15 @@
Documentation on ioctl's and the format of data saved
to the logging character device is provided in
-.Xr ipl 4
-so that you may develop your own applications to work with or in place of any
+.Xr ipl 4
+so that you may develop your own applications to work with or in place of any
of the above.
-Similar, the interface to the NAT code is documented in
+Similar, the interface to the NAT code is documented in
.Xr ipnat 4 .
.Sh PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
+The following diagram illustrates the flow of TCP/IP packets through the
various stages introduced by IP Filter.
.Pp
.nf
Modified: trunk/contrib/ipfilter/man/ipfilter.5
===================================================================
--- trunk/contrib/ipfilter/man/ipfilter.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipfilter.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipfilter.5 92691 2002-03-19 11:48:16Z darrenr $
.TH IPFILTER 1
.SH NAME
IP Filter
Modified: trunk/contrib/ipfilter/man/ipfs.8
===================================================================
--- trunk/contrib/ipfilter/man/ipfs.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipfs.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipfs.8 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPFS 8
.SH NAME
Modified: trunk/contrib/ipfilter/man/ipfstat.8
===================================================================
--- trunk/contrib/ipfilter/man/ipfstat.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipfstat.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipfstat.8 255332 2013-09-06 23:11:19Z cy $
.TH ipfstat 8
.SH NAME
ipfstat \- reports on packet filter statistics and filter list
@@ -43,7 +43,7 @@
.TP
.B \-A
Display packet authentication statistics.
-.TP
+.TP
.B \-C
This option is only valid in combination with \fB\-t\fP.
Display "closed" states as well in the top. Normally, a TCP connection is
@@ -145,8 +145,8 @@
.SH STATE TOP
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
this mode the state table is displayed similar to the way \fBtop\fP displays
-the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
-command line options can be used to restrict the state entries that will be
+the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
+command line options can be used to restrict the state entries that will be
shown and to specify the frequency of display updates.
.PP
In state top mode, the following keys can be used to influence the displayed
@@ -158,7 +158,7 @@
.TP
\fBl\fP redraw the screen.
.TP
-\fBq\fP quit the program.
+\fBq\fP quit the program.
.TP
\fBs\fP switch between different sorting criterion.
.TP
Modified: trunk/contrib/ipfilter/man/ipftest.1
===================================================================
--- trunk/contrib/ipfilter/man/ipftest.1 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipftest.1 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipftest.1 255332 2013-09-06 23:11:19Z cy $
.TH ipftest 1
.SH NAME
ipftest \- test packet filter rules with arbitrary input.
@@ -143,7 +143,6 @@
# a TCP packet going out of le0 with the SYN flag set.
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
.fi
-.LP
.RE
.DT
.TP
Modified: trunk/contrib/ipfilter/man/ipl.4
===================================================================
--- trunk/contrib/ipfilter/man/ipl.4 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipl.4 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipl.4 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPL 4
.SH NAME
Modified: trunk/contrib/ipfilter/man/ipmon.5
===================================================================
--- trunk/contrib/ipfilter/man/ipmon.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipmon.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,59 +1,216 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipmon.5 255332 2013-09-06 23:11:19Z cy $
.\"
.TH IPMON 5
.SH NAME
ipmon, ipmon.conf \- ipmon configuration file format
.SH DESCRIPTION
-The format for files accepted by ipmon is described by the following grammar:
-.LP
+The
+.B ipmon.conf
+file is optionally loaded by
+.B ipmon
+when it starts. Its primary purpose is to direct
+.B ipmon
+to do extra actions when it sees a specific log entry from the kernel.
+.PP
+A line in the
+.B ipmon.conf
+file is either a comment or a
+.B match
+line. Each line must have a matching segment and an action segment.
+These are to the left and right of the word "do", respectively.
+A comment line is any line that starts with a #.
+.PP
+.B NOTE:
+This file differs from all other IPFilter configuration files because it
+attempts to match every line with every log record received. It does
+.B not
+stop at the
+.B first
+match or only use the
+.B last
+match.
+.PP
+For the action segment, a
+.B match
+line can delivery output to one of three destinations:
+\fBfile\fR, \fBemail\fR or \fBcommand\fR. For example:
.nf
-"match" "{" matchlist "}" "do" "{" doing "}" ";"
-matchlist ::= matching [ "," matching ] .
-matching ::= direction | dstip | dstport | every | group | interface |
- logtag | nattag | protocol | result | rule | srcip | srcport .
-
-dolist ::= doing [ "," doing ] .
-doing ::= execute | save | syslog .
-
-direction ::= "in" | "out" .
-dstip ::= "dstip" "=" ipv4 "/" number .
-dstport ::= "dstport" "=" number .
-every ::= "every" every-options .
-execute ::= "execute" "=" string .
-group ::= "group" "=" string | "group" "=" number .
-interface ::= "interface" "=" string .
-logtag ::= "logtag" "=" string | "logtag" "=" number .
-nattag ::= "nattag" "=" string .
-protocol ::= "protocol" "=" string | "protocol" "=" number .
-result ::= "result" "=" result-option .
-rule ::= "rule" "=" number .
-srcip ::= "srcip" "=" ipv4 "/" number .
-srcport ::= "srcport" "=" number .
-type ::= "type" "=" ipftype .
-ipv4 ::= number "." number "." number "." number .
-
-every-options ::= "second" | number "seconds" | "packet" | number "packets" .
-result-option ::= "pass" | "block" | "short" | "nomatch" | "log" .
-ipftype ::= "ipf" | "nat" | "state" .
-
+match { type = ipf; } do { save("file:///var/log/ipf-log"); };
+match { type = nat; } do { syslog; };
+match { type = state; } do { execute("/bin/mail root"); };
.fi
.PP
-In addition, lines that start with a # are considered to be comments.
-.TP
-.SH OVERVIEW
+and is roughly described like this:
.PP
-The ipmon configuration file is used for defining rules to be executed when
-logging records are read from
-.B /dev/ipl.
+match { \fImatch-it ,match-it, ...\fP } do { \fIaction, action, ...\fP};
.PP
+where there can be a list of matching expressions and a list of actions
+to perform if all of the matching expressions are matched up with by
+the current log entry.
+.PP
+The lines above would save all ipf log entries to /var/log/ipf-log, send
+all of the entries for NAT (ipnat related) to syslog and generate an email
+to root for each log entry from the state tables.
+.SH SYNTAX - MATCHING
+.PP
+In the above example, the matching segment was confined to matching on
+the type of log entry generated. The full list of fields that can be
+used here is:
+.TP
+direction <in|out>
+This option is used to match on log records generated for packets going
+in or out.
+.TP
+dstip <address/mask>
+This option is used to match against the destination address associated
+with the packet being logged. A "/mask" must be given and given in CIDR
+notation (/0-/32) so to specify host 192.2.2.1, 192.2.2.1/32 must be given.
+.TP
+dstport <portnumber>
+This option is used to match against the destination port in log entries.
+A number must be given, symbolic names (such as those from /etc/services)
+are not recognised by the parser.
+.TP
+every <second|# seconds|packet|# packets>
+This option is used to regulate how often an \fBipmon.conf\fR entry is
+actioned in response to an otherwise matching log record from the kernel.
+.TP
+group <name|number>
+.TP
+interface <interface-name>
+This option is used to match against the network interface name associated
+with the action causing the logging to happen. In general this will be the
+network interface where the packet is seen by IPFilter.
+.TP
+logtag <number>
+This option is used to match against tags set by ipf rules in \fBipf.conf\fR.
+These tags are set with "set-tag(log=100)" appended to filter rules.
+.TP
+nattag <string>
+This option is used to match against tags set by NAT rules in \fBipnat.conf\fR.
+.TP
+protocol <name|number>
+This option is used to match against the IP protocol field in the packet
+being logged.
+.TP
+result <pass|block|nomatch|log>
+This option is used to match against the result of packet matching in the
+kernel. If a packet is logged, using a \fBlog\fR rule in \fBipf.conf\fR
+then it will match "log" here. The "nomatch" option is for use with
+matching log records generated for all packets as the default.
+.TP
+rule <number>
+This option is used to match against the \fInumber\fR of the rule
+causing the record to be generated. The \fInumber\fR of a rule can be
+observed using "ipfstat -ion".
+.TP
+srcip <address/mask>
+This option is used to match against the source address associated
+with the packet being logged. A "/mask" must be given and given in CIDR
+notation (/0-/32) so to specify host 192.2.2.1, 192.2.2.1/32 must be given.
+.TP
+srcport <portnumber>
+This option is used to match against the source port in log entries.
+A number must be given, symbolic names (such as those from /etc/services)
+are not recognised by the parser.
+.TP
+type <ipf|nat|state>
+The format for files accepted by ipmon is described by the following grammar:
+.B NOTE:
At present, only IPv4 matching is available for source/destination address
matching.
+.SH SYNTAX - ACTIONS
+The list of actions supported is as follows:
+.TP
+save("file://<filename>")
+save("raw://<filename>")
+Write out the log record to the filename given. This file will be closed
+and reopened on receipt of a SIGHUP. If the \fIraw\fP target is used,
+binary log data, as read from the kernel, is written out rather than a
+text log record. The filename should be an absolute target, including
+the root directory. Thus, saving to /var/log/ipmon.log would be, as an
+example, save("file:///var/log/ipmon.log").
+.TP
+syslog("<facility>.<priority>")
+syslog("<facility>.")
+syslog(".<priority>")
+To log a text record via syslog, the \fBsyslog\fP action word is used.
+The facility used by default is determined at first by the default
+compiled into \fBipmon\fP (usually LOG_LOCAL0), which can be changed
+via the command line (-L <facility>) or in an \fBipf.conf\fP rule
+using the \fIlevel\fP option with logging. If the facility is
+specified here, it takes precedence over all other settings.
+The same applies to the syslog priority. By default, ipmon will
+determine a priority for the packet, depending on whether or not it
+has been blocked, passed, etc. It is possible to force the complete
+facility/priority value for each log entry or to choose to replace
+only one of them.
+.TP
+execute("<command string>")
+The
+.B execute
+action runs the specified command each time the log entry matches
+and feeds the log entry, as text, to the command being executed.
+The command string given is executed using /bin/sh.
+.TP
+nothing
+Literally, do nothing. Use this if you want to be verbose in your config
+file about doing nothing for a particular log record.
+.SH PLUGIN ACTIONS
+It is possible to configure
+.B ipmon
+to use externally supplied modules to save log entries with.
+These are added to
+.B ipmon
+using the
+.I load_action
+configuration line. The syntax of this line is:
+.nf
+
+load_action <name> <path>;
+.fi
+.TP
+name
+is a short name for the action. It does not need to correspond to the
+name of the library file, but inside the library file, the functions
+.B <name>destroy
+,
+.B <name>parse
+and
+.B <name>store
+must be present.
+.TP
+path
+specifies the path in the filesystem to the shared object
+that contains the implementation of the new action. After the new
+action has been declared using
+.I load_action
+it can then be used in any
+.I do
+statement.
+.SH EXAMPLES
+.PP
+Some further examples are:
+.nf
+
+#
+# log everything to syslog local4, regardless
+#
+match { ; } do { syslog("local4."); };
+#
+# keep a local copy of things packets to/from port 80
+#
+match { srcport = 80; } do { save("file:///var/log/web"); };
+match { dstport = 80; } do { save("file:///var/log/web"); };
+#
+load_action local "/usr/lib/libmyaction.so";
+match { dstip 127.0.0.1; } do { local("local options"); };
+#
+.fi
.SH MATCHING
.PP
-Each rule for ipmon consists of two primary segments: the first describes how
-the log record is to be matched, the second defines what action to take if
-there is a positive match. All entries of the rules present in the file are
+All entries of the rules present in the file are
compared for matches - there is no first or last rule match.
.SH FILES
/dev/ipl
Modified: trunk/contrib/ipfilter/man/ipmon.8
===================================================================
--- trunk/contrib/ipfilter/man/ipmon.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipmon.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipmon.8 207945 2010-05-12 00:56:53Z brueffer $
.TH ipmon 8
.SH NAME
ipmon \- monitors /dev/ipl for logged packets
Modified: trunk/contrib/ipfilter/man/ipnat.4
===================================================================
--- trunk/contrib/ipfilter/man/ipnat.4 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipnat.4 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipnat.4 255332 2013-09-06 23:11:19Z cy $
.TH IPNAT 4
.SH NAME
ipnat \- Network Address Translation kernel interface
@@ -30,7 +30,6 @@
for the various routing ioctls and the file descriptor are employed, mainly
being that the fd must be that of the device associated with the module
(i.e., /dev/ipl).
-.LP
.PP
The structure used with the NAT interface is described below:
.LP
@@ -65,7 +64,6 @@
#define NAT_MAP 0
#define NAT_REDIRECT 1
.fi
-.PP
.LP
\fBNAT statistics\fP
Statistics on the number of packets mapped, going in and out are kept,
Modified: trunk/contrib/ipfilter/man/ipnat.5
===================================================================
--- trunk/contrib/ipfilter/man/ipnat.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipnat.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,160 +1,672 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipnat.5 255332 2013-09-06 23:11:19Z cy $
.\"
.TH IPNAT 5
.SH NAME
-ipnat, ipnat.conf \- IP NAT file format
+ipnat, ipnat.conf \- IPFilter NAT file format
.SH DESCRIPTION
-The format for files accepted by ipnat is described by the following grammar:
-.LP
+.PP
+The
+.B ipnat.conf
+file is used to specify rules for the Network Address Translation (NAT)
+component of IPFilter. To load rules specified in the
+.B ipnat.conf
+file, the
+.B ipnat(8)
+program is used.
+.PP
+For standard NAT functionality, a rule should start with \fBmap\fP and then
+proceeds to specify the interface for which outgoing packets will have their
+source address rewritten. Following this it is expected that the old source
+address, and optionally port number, will be specified.
+.PP
+In general, all NAT rules conform to the following layout:
+the first word indicates what type of NAT rule is present, this is followed
+by some stanzas to match a packet, followed by a "->" and this is then
+followed by several more stanzas describing the new data to be put in the
+packet.
+.PP
+In this text and in others,
+use of the term "left hand side" (LHS) when talking about a NAT rule refers
+to text that appears before the "->" and the "right hand side" (RHS) for text
+that appears after it. In essence, the LHS is the packet matching and the
+RHS is the new data to be used.
+.SH VARIABLES
+.PP
+This configuration file, like all others used with IPFilter, supports the
+use of variable substitution throughout the text.
.nf
-ipmap :: = mapblock | redir | map .
-map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
- mapoptions .
-mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
-redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
+nif="ppp0";
+map $nif 0/0 -> 0/32
+.fi
+.PP
+would become
+.nf
-lhs ::= ipmask | fromto .
-rlhs ::= ipmask dport | fromto .
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-rdrport ::= "port" portnum .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-dstipmask ::= ipmask | "range" ip "-" ip .
-mapicmp ::= "icmpidmap" "icmp" number ":" number .
-mapport ::= "portmap" tcpudp portspec .
-mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
-rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] .
+map ppp0 0/0 -> 0/32
+.fi
+.PP
+Variables can be used recursively, such as 'foo="$bar baz";', so long as
+$bar exists when the parser reaches the assignment for foo.
+.PP
+See
+.B ipnat(8)
+for instructions on how to define variables to be used from a shell
+environment.
+.SH OUTBOUND SOURCE TRANSLATION (map'ing)
+Changing the source address of a packet is traditionally performed using
+.B map
+rules. Both the source address and optionally port number can be changed
+according to various controls.
+.PP
+To start out with, a common rule used is of the form:
+.nf
-object :: = addr [ port-comp | port-range ] .
-addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp :: = "port" compare port-num .
-port-range :: = "port" port-num range port-num .
-rdrproto ::= tcpudp | protocol .
+map le0 0/0 -> 0/32
+.fi
+.PP
+Here we're saying change the source address of all packets going out of
+le0 (the address/mask pair of 0/0 matching all packets) to that of the
+interface le0 (0/32 is a synonym for the interface's own address at
+the current point in time.) If we wanted to pass the packet through
+with no change in address, we would write it as:
+.nf
-rr ::= "round-robin" .
-age ::= "age" decnumber [ "/" decnumber ] .
-clamp ::= "mssclamp" decnumber .
-tcpudp ::= "tcp/udp" | protocol .
-mapproxy ::= "proxy" "port" port proxy-name '/' protocol
-rdrproxy ::= "proxy" proxy-name .
+map le0 0/0 -> 0/0
+.fi
+.PP
+If we only want to change a portion of our internal network and to a
+different address that is routed back through this host, we might do:
+.nf
-protocol ::= protocol-name | decnumber .
-nummask ::= host-name [ "/" decnumber ] .
-portspec ::= "auto" | portnumber ":" portnumber .
-port ::= portnumber | port-name .
-portnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
+map le0 10.1.1.0/24 -> 192.168.55.3/32
+.fi
+.PP
+In some instances, we may have an entire subnet to map internal addresses
+out onto, in which case we can express the translation as this:
+.nf
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
+map le0 10.0.0.0/8 -> 192.168.55.0/24
.fi
.PP
-For standard NAT functionality, a rule should start with \fBmap\fP and then
-proceeds to specify the interface for which outgoing packets will have their
-source address rewritten.
+IPFilter will cycle through each of the 256 addresses in the 192.168.55.0/24
+address space to ensure that they all get used.
.PP
-Packets which will be rewritten can only be selected by matching the original
-source address. A netmask must be specified with the IP address.
+Of course this poses a problem for TCP and UDP, with many connections made,
+each with its own port number pair. If we're unlucky, translations can be
+dropped because the new address/port pair mapping already exists. To
+mitigate this problem, we add in port translation or port mapping:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24 portmap tcp/udp auto
+.fi
.PP
-The address selected for replacing the original is chosen from an IP#/netmask
-pair. A netmask of all 1's indicating a hostname is valid. A netmask of
-31 1's (255.255.255.254) is considered invalid as there is no space for
-allocating host IP#'s after consideration for broadcast and network
-addresses.
+In this instance, the word "auto" tells IPFilter to calculate a private
+range of port numbers for each address on the LHS to use without fear
+of them being trampled by others. This can lead to problems if there are
+connections being generated mire quickly than IPFilter can expire them.
+In this instance, and if we want to get away from a private range of
+port numbers, we can say:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24 portmap tcp/udp 5000:65000
+.fi
.PP
-When remapping TCP and UDP packets, it is also possible to change the source
-port number. Either TCP or UDP or both can be selected by each rule, with a
-range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH COMMANDS
-There are four commands recognised by IP Filter's NAT code:
+And now each connection through le0 will add to the enumeration of
+the port number space 5000-65000 as well as the IP address subnet
+of 192.168.55.0/24.
+.PP
+If the new addresses to be used are in a consecutive range, rather
+than a complete subnet, we can express this as:
+.nf
+
+map le0 10.0.0.0/8 -> range 192.168.55.10-192.168.55.249
+ portmap tcp/udp 5000:65000
+.fi
+.PP
+This tells IPFilter that it has a range of 240 IP address to use, from
+192.168.55.10 to 192.168.55.249, inclusive.
+.PP
+If there were several ranges of addresses for use, we can use each one
+in a round-robin fashion as followed:
+.nf
+
+map le0 10.0.0.0/8 -> range 192.168.55.10-192.168.55.29
+ portmap tcp/udp 5000:65000 round-robin
+map le0 10.0.0.0/8 -> range 192.168.55.40-192.168.55.49
+ portmap tcp/udp 5000:65000 round-robin
+.fi
+.PP
+To specify translation rules that impact a specific IP protocol,
+the protocol name or number is appended to the rule like this:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.0/24 tcp/udp
+map le0 10.0.0.0/8 -> 192.168.55.1/32 icmp
+map le0 10.0.0.0/8 -> 192.168.55.2/32 gre
+.fi
+.PP
+For TCP connections exiting a connection such as PPPoE where the MTU is
+slightly smaller than normal ethernet, it can be useful to reduce the
+Maximum Segment Size (MSS) offered by the internal machines to match,
+reducing the liklihood that the either end will attempt to send packets
+that are too big and result in fragmentation. This is acheived using the
+.B mssclamp
+option with TCP
+.B map
+rules like this:
+.nf
+
+map pppoe0 0/0 -> 0/32 mssclamp 1400 tcp
+.fi
+.PP
+For ICMP packets, we can map the ICMP id space in query packets:
+.nf
+
+map le0 10.0.0.0/8 -> 192.168.55.1/32 icmpidmap icmp 1000:20000
+.fi
+.PP
+If we wish to be more specific about our initial matching criteria on the
+LHS, we can expand to using a syntax more similar to that in
+.B ipf.conf(5)
+:
+.nf
+
+map le0 from 10.0.0.0/8 to 26.0.0.0/8 ->
+ 192.168.55.1
+map le0 from 10.0.0.0/8 port > 1024 to 26.0.0.0/8 ->
+ 192.168.55.2 portmap 5000:9999 tcp/udp
+map le0 from 10.0.0.0/8 ! to 26.0.0.0/8 ->
+ 192.168.55.3 portmap 5000:9999 tcp/udp
+.fi
.TP
+.B NOTE:
+negation matching with source addresses is
+.B NOT
+possible with
.B map
-that is used for mapping one address or network to another in an unregulated
-round robin fashion;
-.TP
-.B rdr
-that is used for redirecting packets to one IP address and port pair to
-another;
-.TP
-.B bimap
-for setting up bidirectional NAT between an external IP address and an internal
-IP address and
-.TP
+/
.B map-block
-which sets up static IP address based translation, based on a algorithm to
-squeeze the addresses to be translated into the destination range.
-.SH MATCHING
+rules.
.PP
-For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered. The packet
-\fImatching\fP part of the rule is to the left of the "->" in each rule.
+The NAT code has builtin default timeouts for TCP, UDP, ICMP and another
+for all other protocols. In general, the timeout for an entry to be
+deleted shrinks once a reply packet has been seen (excluding TCP.)
+If you wish to specify your own timeouts, this can be achieved either
+by setting one timeout for both directions:
+.nf
+
+map le0 0/0 -> 0/32 gre age 30
+.fi
.PP
-Matching of packets has now been extended to allow more complex compares.
-In place of the address which is to be translated, an IP address and port
-number comparison can be made using the same expressions available with
-\fBipf\fP. A simple NAT rule could be written as:
+or setting a different timeout for the reply:
+.nf
+
+map le0 from any to any port = 53 -> 0/32 age 60/10 udp
+.fi
+.PP
+A pressing problem that many people encounter when using NAT is that the
+address protocol can be embedded inside an application's communication.
+To address this problem, IPFilter provides a number of built-in proxies
+for the more common trouble makers, such as FTP. These proxies can be
+used as follows:
+.nf
+
+map le0 0/0 -> 0/32 proxy port 21 ftp/tcp
+.fi
+.PP
+In this rule, the word "proxy" tells us that we want to connect up this
+translation with an internal proxy. The "port 21" is an extra restriction
+that requires the destination port number to be 21 if this rule is to be
+activated. The word "ftp" is the proxy identifier that the kernel will
+try and resolve internally, "tcp" the protocol that packets must match.
+.PP
+See below for a list of proxies and their relative staus.
+.PP
+To associate NAT rules with filtering rules, it is possible to set and
+match tags during either inbound or outbound processing. At present the
+tags for forwarded packets are not preserved by forwarding, so once the
+packet leaves IPFilter, the tag is forgotten. For
+.B map
+rules, we can match tags set by filter rules like this:
+.nf
+
+map le0 0/0 -> 0/32 proxy portmap 5000:5999 tag lan1 tcp
+.fi
+.PP
+This would be used with "pass out" rules that includes a stanza such
+as "set-tag (nat = lan1)".
+.PP
+If the interface in which packets are received is different from the
+interface on which packets are sent out, then the translation rule needs
+to be written to take this into account:
+.nf
+
+map hme0,le0 0/0 -> 0/32
+.fi
+.PP
+Although this might seem counterintuitive, the interfaces when listed
+in rules for
+.B ipnat.conf
+are always in the
+.I inbound
+,
+.I outbound
+order. In this case, hme0 would be the return interface and le0 would be
+the outgoing interface. If you wish to allow return packets on any
+interface, the correct syntax to use would be:
+.nf
+
+map *,le0 0/0 -> 0/32
+.fi
.LP
+A special variant of
+.B map
+rules exists, called
+.B map-block.
+This command is intended for use when there is a large network to be mapped
+onto a smaller network, where the difference in netmasks is upto 14 bits
+difference in size. This is achieved by dividing the address space and
+port space up to ensure that each source address has its own private range
+of ports to use. For example, this rule:
.nf
-map de0 10.1.0.0/16 -> 201.2.3.4/32
+
+map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
.fi
+.PP
+would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
+with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
+own. As opposed to the above use of \fBmap\fP, if for some reason the user
+of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
+be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
+IP address with the \fBmap\fP command.
+.SS Extended matching
+.PP
+If it is desirable to match on both the source and destination of a packet
+before applying an address translation to it, this can be achieved by using
+the same from-to syntax as is used in \fBipf.conf\fP(5). What follows
+applies equally to the
+.B map
+rules discussed above and
+.B rdr
+rules discussed below. A simple example is as follows:
+.nf
+
+map bge0 from 10.1.0.0/16 to 192.168.1.0/24 -> 172.12.1.4
+.fi
+.PP
+This would only match packets that are coming from hosts that have a source
+address matching 10.1.0.0/16 and a destination matching 192.168.1.0/24.
+This can be expanded upon with ports for TCP like this:
+.nf
+
+rdr bge0 from 10.1.0.0/16 to any port = 25 -> 127.0.0.1 port 2501 tcp
+.fi
+.PP
+Where only TCP packets from 10.1.0.0/16 to port 25 will be redirected to
+port 2501.
+.PP
+As with \fBipf.conf\fR(5), if we have a large set of networks or addresses
+that we would like to match up with then we can define a pool using
+\fBippool\fR(8) in \fBippool.conf\fR(5) and then refer to it in an
+\fBipnat\fR rule like this:
+.nf
+
+map bge0 from pool/100 to any port = 25 -> 127.0.0.1 port 2501 tcp
+.fi
+.TP
+.B NOTE:
+In this situation, the rule is considered to have a netmask of "0" and
+thus is looked at last, after any rules with /16's or /24's in them,
+.I even if
+the defined pool only has /24's or /32's. Pools may also be used
+.I wherever
+the from-to syntax in \fBipnat.conf\fR(5) is allowed.
+.SH INBOUND DESTINATION TRANSLATION (redirection)
+.PP
+Redirection of packets is used to change the destination fields in a packet
+and is supported for packets that are moving \fIin\fP on a network interface.
+While the same general syntax for
+.B map
+rules is supported, there are differences and limitations.
+.PP
+Firstly, by default all redirection rules target a single IP address, not
+a network or range of network addresses, so a rule written like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.0
+.fi
+.PP
+Will not spread packets across all 256 IP addresses in that class C network.
+If you were to try a rule like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.0/24
+.fi
+.PP
+then you will receive a parsing error.
+.PP
+The from-to source-destination matching used with
+.B map
+rules can be used with rdr rules, along with negation, however the
+restriction moves - only a source address match can be negated:
+.nf
+
+rdr le0 from 1.1.0.0/16 to any -> 192.168.1.3
+rdr le0 ! from 1.1.0.0/16 to any -> 192.168.1.4
+.fi
+.PP
+If there is a consective set of addresses you wish to spread the packets
+over, then this can be done in one of two ways, the word "range" optional
+to preserve:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1 - 192.168.1.5
+rdr le0 0/0 -> range 192.168.1.1 - 192.168.1.5
+.fi
+.PP
+If there are only two addresses to split the packets across, the
+recommended method is to use a comma (",") like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1,192.168.1.2
+.fi
+.PP
+If there is a large group of destination addresses that are somewhat
+disjoint in nature, we can cycle through them using a
+.B round-robin
+technique like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1,192.168.1.2 round-robin
+rdr le0 0/0 -> 192.168.1.5,192.168.1.7 round-robin
+rdr le0 0/0 -> 192.168.1.9 round-robin
+.fi
+.PP
+If there are a large number of redirect rules and hosts being targetted
+then it may be desirable to have all those from a single source address
+be targetted at the same destination address. To achieve this, the
+word
+.B sticky
+is appended to the rule like this:
+.nf
+
+rdr le0 0/0 -> 192.168.1.1,192.168.1.2 sticky
+rdr le0 0/0 -> 192.168.1.5,192.168.1.7 round-robin sticky
+rdr le0 0/0 -> 192.168.1.9 round-robin sticky
+.fi
+.PP
+The
+.B sticky
+feature can only be combined with
+.B round-robin
+and the use of comma.
+.PP
+For TCP and UDP packets, it is possible to both match on the destiantion
+port number and to modify it. For example, to change the destination port
+from 80 to 3128, we would use a rule like this:
+.nf
+
+rdr de0 0/0 port 80 -> 127.0.0.1 port 3128 tcp
+.fi
+.PP
+If a range of ports is given on the LHS and a single port is given on the
+RHS, the entire range of ports is moved. For example, if we had this:
+.nf
+
+rdr le0 0/0 port 80-88 -> 127.0.0.1 port 3128 tcp
+.fi
+.PP
+then port 80 would become 3128, port 81 would become 3129, etc. If we
+want to redirect a number of different pots to just a single port, an
+equals sign ("=") is placed before the port number on the RHS like this:
+.nf
+
+rdr le0 0/0 port 80-88 -> 127.0.0.1 port = 3128 tcp
+.fi
+.PP
+In this case, port 80 goes to 3128, port 81 to 3128, etc.
+.PP
+As with
+.B map
+rules, it is possible to manually set a timeout using the
+.B age
+option, like this:
+.nf
+
+rdr le0 0/0 port 53 -> 127.0.0.1 port 10053 udp age 5/5
+.fi
+.PP
+The use of proxies is not restricted to
+.B map
+rules and outbound sessions. Proxies can also be used with redirect
+rules, although the syntax is slightly different:
+.nf
+
+rdr ge0 0/0 port 21 -> 127.0.0.1 port 21 tcp proxy ftp
+.fi
+.PP
+For
+.B rdr
+rules, the interfaces supplied are in the same order as
+.B map
+rules - input first, then output. In situations where the outgoing interface
+is not certain, it is also possible to use a wildcard ("*") to effect a match
+on any interface.
+.nf
+
+rdr le0,* 0/0 -> 192.168.1.0
+.fi
+.PP
+A single rule, with as many options set as possible would look something like
+this:
+.nf
+
+rdr le0,ppp0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
+ round-robin frag age 40/40 sticky mssclamp 1000 tag tagged
+.fi
+.SH REWRITING SOURCE AND DESTINATION
+.PP
+Whilst the above two commands provide a lot of flexibility in changing
+addressing fields in packets, often it can be of benefit to translate
+\fIboth\fP source \fBand\fR destination at the same time or to change
+the source address on input or the destination address on output.
+Doing all of these things can be accomplished using
+.B rewrite
+NAT rules.
+.PP
+A
+.B rewrite
+rule requires the same level of packet matching as before, protocol and
+source/destination information but in addition allows either
+.B in
+or
+.B out
+to be specified like this:
+.nf
+
+rewrite in on ppp0 proto tcp from any to any port = 80 ->
+ src 0/0 dst 127.0.0.1,3128;
+rewrite out on ppp0 from any to any ->
+ src 0/32 dst 10.1.1.0/24;
+.fi
+.PP
+On the RHS we can specify both new source and destination information to place
+into the packet being sent out. As with other rules used in
+\fBipnat.conf\fR, there are shortcuts syntaxes available to use the original
+address information (\fB0/0\fR) and the address associated with the network
+interface (\fB0/32\fR.) For TCP and UDP, both address and port information
+can be changed. At present it is only possible to specify either a range of
+port numbers to be used (\fBX-Y\fR) or a single port number (\fB= X\fR) as
+follows:
+.nf
+
+rewrite in on le0 proto tcp from any to any port = 80 ->
+ src 0/0,2000-20000 dst 127.0.0.1,port = 3128;
+.fi
+.PP
+There are four fields that are stepped through in enumerating the number
+space available for creating a new destination:
.LP
-or as
+source address
.LP
+source port
+.LP
+destination address
+.LP
+destination port
+.PP
+If one of these happens to be a static then it will be skipped and the next
+one incremented. As an example:
.nf
-map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
+
+rewrite out on le0 proto tcp from any to any port = 80 ->
+ src 1.0.0.0/8,5000-5999 dst 2.0.0.0/24,6000-6999;
.fi
+.PP
+The translated packets would be:
.LP
-Only IP address and port numbers can be compared against. This is available
-with all NAT rules.
-.SH TRANSLATION
+1st src=1.0.0.1,5000 dst=2.0.0.1,6000
+.LP
+2nd src=1.0.0.2,5000 dst=2.0.0.1,6000
+.LP
+3rd src=1.0.0.2,5001 dst=2.0.0.1,6000
+.LP
+4th src=1.0.0.2,5001 dst=2.0.0.2,6000
+.LP
+5th src=1.0.0.2,5001 dst=2.0.0.2,6001
+.LP
+6th src=1.0.0.3,5001 dst=2.0.0.2,6001
.PP
-To the right of the "->" is the address and port specification which will be
-written into the packet providing it has already successfully matched the
-prior constraints. The case of redirections (\fBrdr\fP) is the simplest:
-the new destination address is that specified in the rule. For \fBmap\fP
-rules, the destination address will be one for which the tuple combining
-the new source and destination is known to be unique. If the packet is
-either a TCP or UDP packet, the destination and source ports come into the
-equation too. If the tuple already exists, IP Filter will increment the
-port number first, within the available range specified with \fBportmap\fP
-and if there exists no unique tuple, the source address will be incremented
-within the specified netmask. If a unique tuple cannot be determined, then
-the packet will not be translated. The \fBmap-block\fP is more limited in
-how it searches for a new, free and unique tuple, in that it will used an
-algorithm to determine what the new source address should be, along with the
-range of available ports - the IP address is never changed and nor does the
-port number ever exceed its allotted range.
-.SH ICMPIDMAP
+and so on.
.PP
-ICMP messages can be divided into two groups: "errors" and "queries". ICMP
-errors are generated as a response of another IP packet. IP Filter will take
-care that ICMP errors that are the response of a NAT-ed IP packet are
-handled properly.
+As with
+.B map
+rules, it is possible to specify a range of addresses by including the word
+\fIrange\fR before the addresses:
+.nf
+
+rewrite from any to any port = 80 ->
+ src 1.1.2.3 - 1.1.2.6 dst 2.2.3.4 - 2.2.3.6;
+.fi
+.SH DIVERTING PACKETS
.PP
-For 4 types of ICMP queries (echo request, timestamp request, information
-request and address mask request) IP Filter supports an additional mapping
-called "ICMP id mapping". All these 4 types of ICMP queries use a unique
-identifier called the ICMP id. This id is set by the process sending the
-ICMP query and it is usually equal to the process id. The receiver of the
-ICMP query will use the same id in its response, thus enabling the
-sender to recognize that the incoming ICMP reply is intended for him and is
-an answer to a query that he made. The "ICMP id mapping" feature modifies
-these ICMP id in a way identical to \fBportmap\fP for TCP or UDP.
+If you'd like to send packets to a UDP socket rather than just another
+computer to be decapsulated, this can be achieved using a
+.B divert
+rule.
.PP
-The reason that you might want this, is that using this feature you don't
-need an IP address per host behind the NAT box, that wants to do ICMP queries.
-The two numbers behind the \fBicmpidmap\fP keyword are the first and the
-last icmp id number that can be used. There is one important caveat: if you
-map to an IP address that belongs to the NAT box itself (notably if you have
-only a single public IP address), then you must ensure that the NAT box does
-not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule.
-Since the ICMP id is usually the process id, it is wise to restrict the
-largest permittable process id (PID) on your operating system to e.g. 63999 and
-use the range 64000:65535 for ICMP id mapping. Changing the maximal PID is
-system dependent. For most BSD derived systems can be done by changing
-PID_MAX in /usr/include/sys/proc.h and then rebuild the system.
+Divert rules can be be used with both inbound and outbound packet
+matching however the rule
+.B must
+specify host addresses for the outer packet, not ranges of addresses
+or netmasks, just single addresses.
+Additionally the syntax must supply required information for UDP.
+An example of what a divert rule looks ike is as follows:
+.nf
+
+divert in on le0 proto udp from any to any port = 53 ->
+ src 192.1.1.1,54 dst 192.168.1.22.1,5300;
+.fi
+.PP
+On the LHS is a normal set of matching capabilities but on the RHS it is
+a requirement to specify both the source and destination addresses and
+ports.
+.PP
+As this feature is intended to be used with targetting packets at sockets
+and not IPFilter running on other systems, there is no rule provided to
+\fIundivert\fR packets.
+.TP
+.B NOTE:
+Diverted packets \fImay\fP be fragmented if the addition of the
+encapsulating IP header plus UDP header causes the packet to exceed
+the size allowed by the outbound network interface. At present it is
+not possible to cause Path MTU discovery to happen as this feature
+is intended to be transparent to both endpoints.
+.B Path MTU Discovery
+If Path MTU discovery is being used and the "do not fragment" flag
+is set in packets to be encapsulated, an ICMP error message will
+be sent back to the sender if the new packet would need to be
+fragmented.
+.SH COMMON OPTIONS
+This section deals with options that are available with all rules.
+.TP
+.B purge
+When the purge keyword is added to the end of a NAT rule, it will
+cause all of the active NAT sessions to be removed when the rule
+is removed as an individual operation. If all of the NAT rules
+are flushed out, it is expected that the operator will similarly
+flush the NAT table and thus NAT sessions are not removed when the
+NAT rules are flushed out.
+.SH RULE ORDERING
+.PP
+.B NOTE:
+Rules in
+.B ipnat.conf
+are read in sequentially as listed and loaded into the kernel in this
+fashion
+.B BUT
+packet matching is done on \fBnetmask\fR, going from 32 down to 0.
+If a rule uses
+.B pool
+or
+.B hash
+to reference a set of addresses or networks, the netmask value for
+these fields is considered to be "0".
+So if your
+.B ipnat.conf
+has the following rules:
+.nf
+
+rdr le0 192.0.0.0/8 port 80 -> 127.0.0.1 3132 tcp
+rdr le0 192.2.0.0/16 port 80 -> 127.0.0.1 3131 tcp
+rdr le0 from any to pool/100 port 80 -> 127.0.0.1 port 3130 tcp
+rdr le0 192.2.2.0/24 port 80 -> 127.0.0.1 3129 tcp
+rdr le0 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
+.fi
+.PP
+then the rule with 192.2.2.1 will match \fBfirst\fR, regardless of where
+it appears in the ordering of the above rules. In fact, the order in
+which they would be used to match a packet is:
+.nf
+
+rdr le0 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
+rdr le0 192.2.2.0/24 port 80 -> 127.0.0.1 3129 tcp
+rdr le0 192.2.0.0/16 port 80 -> 127.0.0.1 3131 tcp
+rdr le0 192.0.0.0/8 port 80 -> 127.0.0.1 3132 tcp
+rdr le0 from any to pool/100 port 80 -> 127.0.0.1 port 3130 tcp
+.fi
+.PP
+where the first line is actually a /32.
+.PP
+If your
+.B ipnat.conf
+file has entries with matching target fields (source address for
+.B map
+rules and destination address for
+.B rdr
+rules), then the ordering in the
+.B ipnat.conf
+file does matter. So if you had the following:
+.nf
+
+rdr le0 from 1.1.0.0/16 to 192.2.2.1 port 80 -> 127.0.0.1 3129 tcp
+rdr le0 from 1.1.1.0/24 to 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
+.fi
+.PP
+Then no packets will match the 2nd rule, they'll all match the first.
+.SH IPv6
+.PP
+In all of the examples above, where an IPv4 address is present, an IPv6
+address can also be used. All rules must use either IPv4 addresses with
+both halves of the NAT rule or IPv6 addresses for both halves. Mixing
+IPv6 addresses with IPv4 addresses, in a single rule, will result in an
+error.
+.PP
+For shorthand notations such as "0/32", the equivalent for IPv6 is
+"0/128". IPFilter will treat any netmask greater than 32 as an
+implicit direction that the address should be IPv6, not IPv4.
+To be unambiguous with 0/0, for IPv6 use ::0/0.
.SH KERNEL PROXIES
.PP
IP Filter comes with a few, simple, proxies built into the code that is loaded
@@ -177,117 +689,38 @@
understood by the proxy;
.PP
The currently compiled in proxy list is as follows:
-.HP
+.TP
FTP - Mature
-.HP
+(map ... proxy port ftp ftp/tcp)
+.TP
IRC - Experimental
-.HP
+(proxy port 6667 irc/tcp)
+.TP
rpcbind - Experimental
-.HP
+.TP
+PPTP - Experimental
+.TP
H.323 - Experimental
-.HP
+(map ... proxy port 1720 h323/tcp)
+.TP
Real Audio (PNA) - Aging
-.HP
+.TP
+DNS - Developmental
+(map ... proxy port 53 dns/udp { block .cnn.com; })
+.TP
IPsec - Developmental
-.HP
+(map ... proxy port 500 ipsec/tcp)
+.TP
netbios - Experimental
-.HP
+.TP
R-command - Mature
-
-.SH TRANSPARENT PROXIES
-.PP
-True transparent proxying should be performed using the redirect (\fBrdr\fP)
-rules directing ports to localhost (127.0.0.1) with the proxy program doing
-a lookup through \fB/dev/ipnat\fP to determine the real source and address
-of the connection.
-.SH LOAD-BALANCING
-.PP
-Two options for use with \fBrdr\fP are available to support primitive,
-\fIround-robin\fP based load balancing. The first option allows for a
-\fBrdr\fP to specify a second destination, as follows:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
-.fi
-.LP
-This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
-In scenarios where the load is being spread amongst a larger set of
-servers, you can use:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
-.fi
-.LP
-In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
-and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this,
-the rule is removed from the top of the list and added to the end,
-automatically, as required. This will not effect the display of rules
-using "ipnat -l", only the internal application order.
-.SH EXAMPLES
-.PP
-This section deals with the \fBmap\fP command and its variations.
-.PP
-To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-The obvious problem here is we're trying to squeeze over 16,000,000 IP
-addresses into a 254 address space. To increase the scope, remapping for TCP
-and/or UDP, port remapping can be used;
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-.fi
-.PP
-which falls only 527,566 `addresses' short of the space available in network
-10. If we were to combine these rules, they would need to be specified as
-follows:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed. In some instances, it is more appropriate
-to use the keyword \fBauto\fP in place of an actual range of port numbers if
-you want to guarantee simultaneous access to all within the given range.
-However, in the above case, it would default to 1 port per IP address, since
-we need to squeeze 24 bits of address space into 8. A good example of how
-this is used might be:
-.LP
-.nf
-map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
-.fi
-.PP
-which would result in each IP address being given a small range of ports to
-use (252). In all cases, the new port number that is used is deterministic.
-That is, port X will always map to port Y.
-WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing
-to a /32 (i.e. 0/32) because the NAT code will try to map multiple hosts to
-the same port number, outgoing and ultimately this will only succeed for one
-of them.
-The problem here is that the \fBmap\fP directive tells the NAT
-code to use the next address/port pair available for an outgoing connection,
-resulting in no easily discernible relation between external addresses/ports
-and internal ones. This is overcome by using \fBmap-block\fP as follows:
-.LP
-.nf
-map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
-.fi
-.PP
-For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
-with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
-own. As opposed to the above use of \fBmap\fP, if for some reason the user
-of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
-be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
-IP address with the \fBmap\fP command.
+(map ... proxy port shell rcmd/tcp)
+.SH KERNEL PROXIES
+.SH FILES
/dev/ipnat
.br
+/etc/protocols
+.br
/etc/services
.br
/etc/hosts
Modified: trunk/contrib/ipfilter/man/ipnat.8
===================================================================
--- trunk/contrib/ipfilter/man/ipnat.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipnat.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipnat.8 255332 2013-09-06 23:11:19Z cy $
.\"
.TH IPNAT 8
.SH NAME
@@ -53,6 +53,11 @@
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
+.B \-p
+This flag is used with the \fB-r\fP flag to cause any active NAT
+sessions that were created by the rules being removed and that are
+currently active to also be removed.
+.TP
.B \-r
Remove matching NAT rules rather than add them to the internal lists.
.TP
Modified: trunk/contrib/ipfilter/man/ippool.5
===================================================================
--- trunk/contrib/ipfilter/man/ippool.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ippool.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,150 +1,315 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ippool.5 255332 2013-09-06 23:11:19Z cy $
.\"
.TH IPPOOL 5
.SH NAME
ippool, ippool.conf \- IP Pool file format
.SH DESCRIPTION
-The format for files accepted by ippool is described by the following grammar:
-.LP
+The file ippool.conf is used with ippool(8) to configure address pools for
+use with ipnat(8) and ipf(8).
+.PP
+There are four different types of address pools that can be configured
+through ippool.conf. The various types are presented below with a brief
+description of how they are used:
+.HP
+dstlist
+.IP
+destination list - is a collection of IP addresses with an optional
+network interface name that can be used with either redirect (rdr) rules
+in ipnat.conf(5) or as the destination in ipf.conf(5) for policy based
+routing.
+.HP
+group-map
+.IP
+group maps - support the srcgrpmap and dstgrpmap call functions in
+ipf.conf(5) by providing a list of addresses or networks rule group
+numbers to start processing them with.
+.HP
+hash
+.IP
+hash tables - provide the means for performing a very efficient
+lookup address or network when there is expected to be only one
+exact match. These are best used with more static sets of addresses
+so they can be sized optimally.
+.HP
+pool
+.IP
+address pools - are an alternative to hash tables that can perform just
+as well in most circumstances. In addition, the address pools allow for
+heirarchical matching, so it is possible to define a subnet as matching
+but then exclude specific addresses from it.
+.SS
+Evolving Configuration
+.PP
+Over time the configuration syntax used by ippool.conf(5) has evolved.
+Originally the syntax used was more verbose about what a particular
+value was being used for, for example:
+.PP
.nf
-line ::= table | groupmap .
-table ::= "table" role tabletype .
-groupmap ::= "group-map" inout role number ipfgroup
-tabletype ::= ipftree | ipfhash .
-
-role ::= "role" "=" "ipf" .
-inout ::= "in" | "out" .
-
-ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
-ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .
-
-ipfgroup ::= setgroup hashopts "{" grouplist "}" |
- hashopts "{" setgrouplist "}" .
-setgroup ::= "group" "=" groupname .
-
-hashopts ::= size [ seed ] | seed .
-
-size ::= "size" number .
-seed ::= "seed" number .
-
-addrlist ::= [ "!" ] addrmask ";" [ addrlist ] .
-grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] .
-
-setgrouplist ::= groupentry ";" [ setgrouplist ] .
-
-groupentry ::= addrmask "," setgroup .
-
-hashlist ::= hashentry ";" [ hashlist ] .
-hashentry ::= addrmask .
-
-addrmask ::= ipaddr | ipaddr "/" mask .
-
-mask ::= number | ipaddr .
-
-groupname ::= number | name .
-
-number ::= digit { digit } .
-
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-
-digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-name ::= letter { letter | digit } .
+table role = ipf type = tree number = 100
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
.fi
.PP
-The IP pool configuration file is used for defining a single object that
-contains a reference to multiple IP address/netmask pairs. A pool may consist
-of a mixture of netmask sizes, from 0 to 32.
+This is rather long winded. The evolution of the configuration syntax
+has also replaced the use of numbers with names, although numbers can
+still be used as can be seen here:
.PP
-At this point in time, only IPv4 addressing is supported.
-.TP
-.SH OVERVIEW
+.nf
+pool ipf/tree (name "100";)
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
+.fi
.PP
-The IP pool configuration file provides for defining two different mechanisms
-for improving speed in matching IP addresses with rules.
-The first,
-.B table
-, defines a lookup
-.I table
-to provide a single reference in a
-filter rule to multiple targets and the second,
-.B group-map
-, provides a mechanism to target multiple groups from a single filter line.
+Both of the above examples produce the same configuration in the kernel
+for use with ipf.conf(5).
.PP
-The
-.B group-map
-command can only be used with filter rules that use the
-.B call
-command to invoke either
-.B fr_srcgrpmap
-or
-.B fr_dstgrpmap
-, to use the source or destination address,
-respectively, for determining which filter group to jump to next for
-continuation of filter packet processing.
-.SH POOL TYPES
+Newer options for use in ippool.conf(5) will only be offered in the new
+configuration syntax and all output using "ippool -l" will also be in the
+new configuration syntax.
+.SS
+IPFilter devices and pools
.PP
-Two storage formats are provided: hash tables and tree structure. The hash
-table is intended for use with objects all containing the same netmask or a
-few different sized netmasks of non-overlapping address space and the tree
-is designed for being able to support exceptions to a covering mask, in
-addition to normal searching as you would do with a table. It is not possible
-to use the tree data storage type with
-.B group-map
-configuration entries.
-.SH POOL ROLES
+To cater to different administration styles, ipool.conf(5) allows you to
+tie a pool to a specific role in IPFilter. The recognised role names are:
+.HP
+ipf
+.IP
+pools defined for role "ipf" are available for use with all rules that are
+found in ipf.conf(5) except for auth rules.
+.HP
+nat
+.IP
+pools defined for role "nat" are available for use with all rules that are
+found in ipnat.conf(5).
+.HP
+auth
+.IP
+pools defined for role "auth" are available only for use with "auth" rules
+that are found in ipf.conf(5)
+.HP
+all
+.IP
+pools that are defined for the "all" role are available to all types of
+rules, be they NAT rules in ipnat.conf(5) or firewall rules in ipf.conf(5).
+.SH Address Pools
.PP
-When a pool is defined in the configuration file, it must have an associated
-role. At present the only supported role is
-.B ipf.
-Future development will see futher expansion of their use by other sections
-of IPFilter code.
-.SH EXAMPLES
-The following examples show how the pool configuration file is used with
-the ipf configuration file to enhance the ability for the ipf configuration
-file to be succinct in meaning.
-.TP
-1
-The first example shows how a filter rule makes reference to a specific
-pool for matching of the source address.
+An address pool can be used in ipf.conf(5) and ipnat.conf(5) for matching
+the source or destination address of packets. They can be referred to either
+by name or number and can hold an arbitrary number of address patterns to
+match.
+.PP
+An address pool is considered to be a "tree type". In the older configuration
+style, it was necessary to have "type=tree" in ippool.conf(5). In the new
+style configuration, it follows the IPFilter device with which the pool
+is being configured.
+Now it is the default if left out.
+.PP
+For convenience, both IPv4 and IPv6 addresses can be stored in the same
+address pool. It should go without saying that either type of packet can
+only ever match an entry in a pool that is of the same address family.
+.PP
+The address pool searches the list of addresses configured for the best
+match. The "best match" is considered to be the match that has the highest
+number of bits set in the mask. Thus if both 2.2.0.0/16 and 2.2.2.0/24 are
+present in an address pool, the addres 2.2.2.1 will match 2.2.2.0/24 and
+2.2.1.1 will match 2.2.0.0/16. The reason for this is to allow exceptions
+to be added through the use of negative matching. In the following example,
+the pool contains "2.2.0.0/16" and "!2.2.2.0/24", meaning that all packets
+that match 2.2.0.0/16, except those that match 2.2.2.0/24, will be considered
+as a match for this pool.
+.PP
+table role = ipf type = tree number = 100
+ { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24; ef00::5/128; };
+.PP
+For the sake of clarity and to aid in managing large numbers of addresses
+inside address pools, it is possible to specify a location to load the
+addresses from. To do this simply use a "file://" URL where you would
+specify an actual IP address.
+.PP
.nf
-pass in from pool/100 to any
+pool ipf/tree (name rfc1918;) { file:///etc/ipf/rfc1918; };
.fi
.PP
-The pool configuration, which matches IP addresses 1.1.1.1 and any
-in 2.2.0.0/16, except for those in 2.2.2.0/24.
+The contents of the file might look something like this:
.PP
.nf
-table role = ipf type = tree number = 100
- { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
+# RFC 1918 networks
+10.0.0.0/8
+!127.0.0.0/8
+172.16.0.0/12
+192.168.0.0/24
.fi
-.TP
-2
-The following ipf.conf extract uses the
-fr_srcgrpmap/fr_dstgrpmap lookups to use the
-.B group-map
-facility to lookup the next group to use for filter processing, providing
-the
-.B call
-filter rule is matched.
+.PP
+In this example, the inclusion of the line "!127.0.0.0/8" is, strictly
+speaking not correct and serves only as an example to show that negative
+matching is also supported in this file.
+.PP
+Another format that ippool(8) recognises for input from a file is that
+from whois servers. In the following example, output from a query to a
+WHOIS server for information about which networks are associated with
+the name "microsoft" has been saved in a file named "ms-networks".
+There is no need to modify the output from the whois server, so using
+either the whois command or dumping data directly from it over a TCP
+connection works perfectly file as input.
+.PP
.nf
-call now fr_srcgrpmap/1010 in all
-call now fr_dstgrpmap/2010 out all
-pass in all group 1020
-block in all group 1030
-pass out all group 2020
-block out all group 2040
+pool ipf/tree (name microsoft;) { whois file "/etc/ipf/ms-networks"; };
.fi
.PP
-A ippool configuration to work with the above ipf.conf file might
-look like this:
+And to then block all packets to/from networks defined in that file,
+a rule like this might be used:
.PP
.nf
-group-map in role = ipf number = 1010
- { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
+block in from pool/microsoft to any
+.fi
+.PP
+Note that there are limitations on the output returned by whois servers
+so be aware that their output may not be 100% perfect for your goal.
+.SH Destination Lists
+.PP
+Destination lists are provided for use primarily with NAT redirect rules
+(rdr). Their purpose is to allow more sophisticated methods of selecting
+which host to send traffic to next than the simple round-robin technique
+that is present with with "round-robin" rules in ipnat.conf(5).
+.PP
+When building a list of hosts to use as a redirection list, it is
+necessary to list each host to be used explicitly. Expressing a
+collection of hosts as a range or a subnet is not supported. With each
+address it is also possible to specify a network interface name. The
+network interface name is ignored by NAT when using destination lists.
+The network itnerface name is currently only used with policy based
+routing (use of "to"/"dup-to" in ipf.conf(5)).
+.PP
+Unlike the other directives that can be expressed in this file, destination
+lists must be written using the new configuration syntax. Each destination
+list must have a name associated with it and a next hop selection policy.
+Some policies have further options. The currently available selection
+policies are:
+.HP
+round-robin
+.IP
+steps through the list of hosts configured with the destination list
+one by one
+.HP
+random
+.IP
+the next hop is chosen by random selection from the list available
+.HP
+src-hash
+.IP
+a hash is made of the source address components of the packet
+(address and port number) and this is used to select which
+next hop address is used
+.HP
+dst-hash
+.IP
+a hash is made of the destination address components of the packet
+(address and port number) and this is used to select which
+next hop address is used
+.HP
+hash
+.IP
+a hash is made of all the address components in the packet
+(addresses and port numbers) and this is used to select which
+next hop address is used
+.HP
+weighted
+.IP
+selecting a weighted policy for destination selection needs further
+clarification as to what type of weighted selection will be used.
+The sub-options to a weighted policy are:
+.RS
+.HP
+connection
+.IP
+the host that has received the least number of connections is selected
+to be the next hop. When all hosts have the same connection count,
+the last one used will be the next address selected.
+.RE
+.PP
+The first example here shows 4 destinations that are used with a
+round-robin selection policy.
+.PP
+.nf
+pool nat/dstlist (name servers; policy round-robin;)
+ { 1.1.1.2; 1.1.1.4; 1.1.1.5; 1.1.1.9; };
+.fi
+.PP
+In the following example, the destination is chosen by whichever has
+had the least number of connections. By placing the interface name
+with each address and saying "all/dstlist", the destination list can
+be used with both ipnat.conf(5) and ipf.conf(5).
+.PP
+.nf
+pool all/dstlist (name servers; policy weighted connection;)
+ { bge0:1.1.1.2; bge0:1.1.1.4; bge1:1.1.1.5; bge1:1.1.1.9; };
+.fi
+.SH Group maps
+.PP
+Group maps are provided to allow more efficient processing of packets
+where there are a larger number of subnets and groups of rules for those
+subnets. Group maps are used with "call" rules in ipf.conf(5) that
+use the "srcgrpmap" and "dstgrpmap" functions.
+.PP
+A group map declaration must mention which group is the default group
+for all matching addresses to be applied to. Then inside the list of
+addresses and networks for the group, each one may optionally have
+a group number associated with it. A simple example like this, where
+the first two entries would map to group 2020 but 5.0.0.0/8 sends
+rule processing to group 2040.
+.PP
+.nf
group-map out role = ipf number = 2010 group = 2020
- { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
+ { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
.fi
+.PP
+An example that outlines the real purpose of group maps is below,
+where each one of the 12 subnets is mapped to a different group
+number. This might be because each subnet has its own policy and
+rather than write a list of twelve rules in ipf.conf(5) that match
+the subnet and branch off with a head statement, a single rule can
+be used with this group map to achieve the same result.
+.PP
+.nf
+group-map ( name "2010"; in; )
+ { 192.168.1.0/24, group = 10010; 192.168.2.0/24, group = 10020;
+ 192.168.3.0/24, group = 10030; 192.168.4.0/24, group = 10040;
+ 192.168.5.0/24, group = 10050; 192.168.6.0/24, group = 10060;
+ 192.168.7.0/24, group = 10070; 192.168.8.0/24, group = 10080;
+ 192.168.9.0/24, group = 10090; 192.168.10.0/24, group = 10100;
+ 192.168.11.0/24, group = 10110; 192.168.12.0/24, group = 10120;
+ };
+.fi
+.PP
+The limitation with group maps is that only the source address or the
+destination address can be used to map the packet to the starting group,
+not both, in your ipf.conf(5) file.
+.SH Hash Tables
+.PP
+The hash table is operationally similar to the address pool. It is
+used as a store for a collection of address to match on, saving the
+need to write a lengthy list of rules. As with address pools, searching
+will attempt to find the best match - an address specification with the
+largest contiguous netmask.
+.PP
+Hash tables are best used where the list of addresses, subnets and
+networks is relatively static, which is something of a contrast to
+the address pool that can work with either static or changing
+address list sizes.
+.PP
+Further work is still needed to have IPFilter correctly size and tune
+the hash table to optimise searching. The goal is to allow for small to
+medium sized tables to achieve close to O(1) for either a positive or
+negative match, in contrast to the address pool, which is O(logn).
+.PP
+The following two examples build the same table in the kernel, using
+the old configuration format (first) and the new one (second).
+.PP
+.nf
+table role=all type=hash name=servers size=5
+ { 1.1.1.2/32; 1.1.1.3/32; 11.23.44.66/32; };
+
+pool all/hash (name servers; size 5;)
+ { 1.1.1.2; 1.1.1.3; 11.23.44.66; };
+.fi
.SH FILES
/dev/iplookup
.br
Modified: trunk/contrib/ipfilter/man/ippool.8
===================================================================
--- trunk/contrib/ipfilter/man/ippool.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ippool.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ippool.8 255332 2013-09-06 23:11:19Z cy $
.\"
.TH IPPOOL 8
.SH NAME
@@ -6,7 +6,7 @@
.SH SYNOPSIS
.br
.B ippool
--a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
+-a [-dnv] [-m <name>] [-o <role>] [-t <type>] [-T ttl] -i <ipaddr>[/<netmask>]
.br
.B ippool
-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]
@@ -21,7 +21,7 @@
-l [-dv] [-m <name>] [-t <type>]
.br
.B ippool
--r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
+-r [-dnv] [-m <name>] [-o <role>] [-t <type>] -i <ipaddr>[/<netmask>]
.br
.B ippool
-R [-dnv] [-m <name>] [-o <role>] [-t <type>]
@@ -113,6 +113,13 @@
.B hash,
.B group-map.
.TP
+.B -T <ttl>
+Sets the expiration of the node being added. The timeout is expressed
+as a number of seconds.
+.B tree,
+.B hash,
+.B group-map.
+.TP
.B -u
When parsing a configuration file, rather than load new pool data into the
kernel, unload it.
Modified: trunk/contrib/ipfilter/man/ipscan.5
===================================================================
--- trunk/contrib/ipfilter/man/ipscan.5 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipscan.5 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipscan.5 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPSCAN 5
.SH NAME
Modified: trunk/contrib/ipfilter/man/ipscan.8
===================================================================
--- trunk/contrib/ipfilter/man/ipscan.8 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/ipscan.8 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/ipscan.8 145519 2005-04-25 18:20:15Z darrenr $
.\"
.TH IPSCAN 8
.SH NAME
Modified: trunk/contrib/ipfilter/man/mkfilters.1
===================================================================
--- trunk/contrib/ipfilter/man/mkfilters.1 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/man/mkfilters.1 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-.\" $FreeBSD$
+.\" $FreeBSD: stable/10/contrib/ipfilter/man/mkfilters.1 215463 2010-11-18 18:22:58Z markm $
.\"
.TH MKFILTERS 1
.SH NAME
Modified: trunk/contrib/ipfilter/md5.c
===================================================================
--- trunk/contrib/ipfilter/md5.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/md5.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/md5.c 255332 2013-09-06 23:11:19Z cy $ */
@@ -35,10 +35,15 @@
***********************************************************************
*/
-#if defined(_KERNEL) && !defined(__sgi)
-# include <sys/systm.h>
+#if defined(linux) && defined(_KERNEL)
+extern void *memcpy(void *, const void *, unsigned long);
+# define bcopy(a,b,c) memcpy(b,a,c)
#else
-# include <string.h>
+# if defined(_KERNEL) && !defined(__sgi)
+# include <sys/systm.h>
+# else
+# include <string.h>
+# endif
#endif
#include "md5.h"
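Review bot: The hand-written prototype `extern void *memcpy(void *, const void *, unsigned long);` on the new Linux/_KERNEL branch declares the length parameter as `unsigned long` rather than `size_t`; the kernel's own declaration uses its size type, so if `<linux/string.h>` is pulled into the same translation unit the two declarations conflict, and a mismatched declaration of a library function is undefined behaviour even where the widths happen to agree. Including `<linux/string.h>` instead of declaring memcpy locally avoids that. The `bcopy` replacement also leaves its arguments unparenthesized; `# define bcopy(a,b,c) memcpy((b),(a),(c))` is the safer spelling.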
Modified: trunk/contrib/ipfilter/md5.h
===================================================================
--- trunk/contrib/ipfilter/md5.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/md5.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/md5.h 172776 2007-10-18 21:52:14Z darrenr $ */
/*
***********************************************************************
Modified: trunk/contrib/ipfilter/mkfilters
===================================================================
--- trunk/contrib/ipfilter/mkfilters 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/mkfilters 2018-07-01 23:54:57 UTC (rev 11253)
@@ -60,7 +60,7 @@
sub irix_mkfilters
{
open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
-
+
while (defined($line = <NETSTAT>))
{
if ($line =~ m/^Name/)
@@ -113,4 +113,4 @@
}
}
}
-
+
Modified: trunk/contrib/ipfilter/mlf_ipl.c
===================================================================
--- trunk/contrib/ipfilter/mlf_ipl.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/mlf_ipl.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/mlf_ipl.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -32,8 +32,7 @@
# endif
#endif
#include <sys/systm.h>
-#if defined(__MidnightBSD__) || \
- defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
# ifndef ACTUALLY_LKM_NOT_KERNEL
# include "opt_devfs.h"
# endif
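Review bot: Every `defined(__MidnightBSD__) ||` alternative is dropped from these `#if` guards, leaving only `__FreeBSD_version` tests, so in this tree the `>= 220000`/`>= 300000` branches are now taken only if MidnightBSD's sys/param.h defines `__FreeBSD_version`; if it does not, the file silently falls into the pre-2.2 LKM paths (`ipf_major`, the manual cdevsw slot search). I cannot tell from the hunk which is the case, so a build of this file is worth confirming before relying on it. The same edit recurs in the hunks at @@ -45, @@ -60, @@ -141, @@ -166, @@ -208, @@ -271, @@ -336, @@ -366, @@ -387 and @@ -463 of this file, and throughout mlf_rule.c.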
@@ -45,7 +44,7 @@
#endif
#include <sys/conf.h>
#include <sys/file.h>
-#if defined(__MidnightBSD__) || defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/lock.h>
#endif
#include <sys/stat.h>
@@ -60,7 +59,7 @@
#if BSD >= 199506
# include <sys/sysctl.h>
#endif
-#if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
+#if (__FreeBSD_version >= 300000)
# include <sys/socket.h>
#endif
#include <net/if.h>
@@ -96,43 +95,43 @@
# define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
# define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipf_flags, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipf_pass, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipf_active, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipf_chksrc, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipf_minttl, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
- &fr_tcpidletimeout, 0, "");
+ &ipf_tcpidletimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
- &fr_tcphalfclosed, 0, "");
+ &ipf_tcphalfclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
- &fr_tcpclosewait, 0, "");
+ &ipf_tcpclosewait, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
- &fr_tcplastack, 0, "");
+ &ipf_tcplastack, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
- &fr_tcptimeout, 0, "");
+ &ipf_tcptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
- &fr_tcpclosed, 0, "");
+ &ipf_tcpclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
- &fr_udptimeout, 0, "");
+ &ipf_udptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
- &fr_icmptimeout, 0, "");
+ &ipf_icmptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
- &fr_defnatage, 0, "");
+ &ipf_defnatage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
- &fr_ipfrttl, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
- &fr_running, 0, "");
+ &ipf_ipfrttl, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD,
+ &ipf_running, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
- &fr_statesize, 0, "");
+ &ipf_statesize, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
- &fr_statemax, 0, "");
+ &ipf_statemax, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
- &fr_authsize, 0, "");
+ &ipf_authsize, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
- &fr_authused, 0, "");
+ &ipf_authused, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
- &fr_defaultauthage, 0, "");
+ &ipf_defaultauthage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW,
&ippr_ftp_pasvonly, 0, "");
#endif
@@ -141,16 +140,16 @@
static void *ipf_devfs[IPL_LOGSIZE];
#endif
-#if !defined(__MidnightBSD__) || !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
-int ipl_major = 0;
+#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
+int ipf_major = 0;
-static struct cdevsw ipldevsw =
+static struct cdevsw ipfdevsw =
{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
+ ipfopen, /* open */
+ ipfclose, /* close */
+ ipfread, /* read */
(void *)nullop, /* write */
- iplioctl, /* ioctl */
+ ipfioctl, /* ioctl */
(void *)nullop, /* stop */
(void *)nullop, /* reset */
(void *)NULL, /* tty */
@@ -159,7 +158,7 @@
NULL /* strategy */
};
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
+MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipfdevsw);
extern struct cdevsw cdevsw[];
extern int vd_unuseddev __P((void));
@@ -166,38 +165,38 @@
extern int nchrdev;
#else
-static struct cdevsw ipl_cdevsw = {
- iplopen, iplclose, iplread, nowrite, /* 79 */
- iplioctl, nostop, noreset, nodevtotty,
-#if (__FreeBSD_version >= 300000) || defined(__MidnightBSD__)
- seltrue, nommap, nostrategy, "ipl",
+static struct cdevsw ipf_cdevsw = {
+ ipfopen, ipfclose, ipfread, nowrite, /* 79 */
+ ipfioctl, nostop, noreset, nodevtotty,
+#if (__FreeBSD_version >= 300000)
+ seltrue, nommap, nostrategy, "ipf",
#else
- noselect, nommap, nostrategy, "ipl",
+ noselect, nommap, nostrategy, "ipf",
#endif
NULL, -1
};
#endif
-static void ipl_drvinit __P((void *));
+static void ipf_drvinit __P((void *));
#ifdef ACTUALLY_LKM_NOT_KERNEL
-static int if_ipl_unload __P((struct lkm_table *, int));
-static int if_ipl_load __P((struct lkm_table *, int));
-static int if_ipl_remove __P((void));
-static int ipl_major = CDEV_MAJOR;
+static int if_ipf_unload __P((struct lkm_table *, int));
+static int if_ipf_load __P((struct lkm_table *, int));
+static int if_ipf_remove __P((void));
+static int ipf_major = CDEV_MAJOR;
-static int iplaction __P((struct lkm_table *, int));
+static int ipfaction __P((struct lkm_table *, int));
static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
IPL_SCAN, IPL_SYNC, IPL_POOL, NULL };
extern int lkmenodev __P((void));
-static int iplaction(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+static int ipfaction(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
{
-#if !defined(__MidnightBSD__) || !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
- int i = ipl_major;
+#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
+ int i = ipf_major;
struct lkm_dev *args = lkmtp->private.lkm_dev;
#endif
int err = 0;
@@ -208,10 +207,10 @@
if (lkmexists(lkmtp))
return EEXIST;
-#if !defined(__MidnightBSD__) || !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
+#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
for (i = 0; i < nchrdev; i++)
if (cdevsw[i].d_open == lkmenodev ||
- cdevsw[i].d_open == iplopen)
+ cdevsw[i].d_open == ipfopen)
break;
if (i == nchrdev) {
printf("IP Filter: No free cdevsw slots\n");
@@ -218,20 +217,20 @@
return ENODEV;
}
- ipl_major = i;
+ ipf_major = i;
args->lkm_offset = i; /* slot in cdevsw[] */
#endif
- printf("IP Filter: loaded into slot %d\n", ipl_major);
- err = if_ipl_load(lkmtp, cmd);
+ printf("IP Filter: loaded into slot %d\n", ipf_major);
+ err = if_ipf_load(lkmtp, cmd);
if (!err)
- ipl_drvinit((void *)NULL);
+ ipf_drvinit((void *)NULL);
return err;
break;
case LKM_E_UNLOAD :
- err = if_ipl_unload(lkmtp, cmd);
+ err = if_ipf_unload(lkmtp, cmd);
if (!err) {
printf("IP Filter: unloaded from slot %d\n",
- ipl_major);
+ ipf_major);
#ifdef DEVFS
if (ipf_devfs[IPL_LOGIPF])
devfs_remove_dev(ipf_devfs[IPL_LOGIPF]);
@@ -260,7 +259,7 @@
}
-static int if_ipl_remove __P((void))
+static int if_ipf_remove __P((void))
{
char *name;
struct nameidata nd;
@@ -271,7 +270,7 @@
if ((error = namei(&nd)))
return (error);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
-#if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
+#if (__FreeBSD_version >= 300000)
VOP_LOCK(nd.ni_vp, LK_RETRY | LK_EXCLUSIVE, curproc);
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
@@ -293,22 +292,22 @@
}
-static int if_ipl_unload(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+static int if_ipf_unload(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
{
int error = 0;
- error = ipldetach();
+ error = ipfdetach();
if (!error)
- error = if_ipl_remove();
+ error = if_ipf_remove();
return error;
}
-static int if_ipl_load(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+static int if_ipf_load(lkmtp, cmd)
+ struct lkm_table *lkmtp;
+ int cmd;
{
struct nameidata nd;
struct vattr vattr;
@@ -315,10 +314,10 @@
int error = 0, fmode = S_IFCHR|0600, i;
char *name;
- error = iplattach();
+ error = ipfattach();
if (error)
return error;
- (void) if_ipl_remove();
+ (void) if_ipf_remove();
for (i = 0; (name = ipf_devfiles[i]); i++) {
NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
@@ -336,10 +335,10 @@
VATTR_NULL(&vattr);
vattr.va_type = VCHR;
vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
+ vattr.va_rdev = (ipf_major << 8) | i;
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
-#if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
+#if (__FreeBSD_version >= 300000)
vput(nd.ni_dvp);
#endif
if (error)
@@ -355,7 +354,7 @@
* strlen isn't present in 2.1.* kernels.
*/
size_t strlen(string)
-char *string;
+ char *string;
{
register char *s;
@@ -366,19 +365,19 @@
int xxxinit(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+ DISPATCH(lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
}
#else /* __FREEBSD_version >= 220000 */
# ifdef IPFILTER_LKM
# include <sys/exec.h>
-# if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
-MOD_DEV(if_ipl, LM_DT_CHAR, CDEV_MAJOR, &ipl_cdevsw);
+# if (__FreeBSD_version >= 300000)
+MOD_DEV(if_ipf, LM_DT_CHAR, CDEV_MAJOR, &ipf_cdevsw);
# else
-MOD_DECL(if_ipl);
+MOD_DECL(if_ipf);
static struct lkm_dev _module = {
@@ -387,28 +386,28 @@
IPL_VERSION,
CDEV_MAJOR,
LM_DT_CHAR,
- { (void *)&ipl_cdevsw }
+ { (void *)&ipf_cdevsw }
};
# endif
-int if_ipl __P((struct lkm_table *, int, int));
+int if_ipf __P((struct lkm_table *, int, int));
-int if_ipl(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+int if_ipf(lkmtp, cmd, ver)
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
-# if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
- MOD_DISPATCH(if_ipl, lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+# if (__FreeBSD_version >= 300000)
+ MOD_DISPATCH(if_ipf, lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
# else
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
+ DISPATCH(lkmtp, cmd, ver, ipfaction, ipfaction, ipfaction);
# endif
}
# endif /* IPFILTER_LKM */
-static ipl_devsw_installed = 0;
+static ipf_devsw_installed = 0;
-static void ipl_drvinit __P((void *unused))
+static void ipf_drvinit __P((void *unused))
{
dev_t dev;
# ifdef DEVFS
@@ -415,20 +414,20 @@
void **tp = ipf_devfs;
# endif
- if (!ipl_devsw_installed ) {
+ if (!ipf_devsw_installed ) {
dev = makedev(CDEV_MAJOR, 0);
- cdevsw_add(&dev, &ipl_cdevsw, NULL);
- ipl_devsw_installed = 1;
+ cdevsw_add(&dev, &ipf_cdevsw, NULL);
+ ipf_devsw_installed = 1;
# ifdef DEVFS
- tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
+ tp[IPL_LOGIPF] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGIPF,
DV_CHR, 0, 0, 0600, "ipf");
- tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
+ tp[IPL_LOGNAT] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGNAT,
DV_CHR, 0, 0, 0600, "ipnat");
- tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
+ tp[IPL_LOGSTATE] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGSTATE,
DV_CHR, 0, 0, 0600,
"ipstate");
- tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH,
+ tp[IPL_LOGAUTH] = devfs_add_devswf(&ipf_cdevsw, IPL_LOGAUTH,
DV_CHR, 0, 0, 0600,
"ipauth");
# endif
@@ -453,7 +452,7 @@
if (!arg1)
error = EPERM;
else {
- if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0))
+ if ((oidp->oid_kind & CTLFLAG_OFF) && (ipf_running > 0))
error = EBUSY;
else
error = SYSCTL_IN(req, arg1, sizeof(int));
@@ -463,8 +462,135 @@
#endif
-# if defined(IPFILTER_LKM) || defined(__MidnightBSD__) || \
+# if defined(IPFILTER_LKM) || \
defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
-SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
+SYSINIT(ipfdev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipf_drvinit,NULL)
# endif /* IPFILTER_LKM */
#endif /* _FreeBSD_version */
+
+
+/*
+ * routines below for saving IP headers to buffer
+ */
+int ipfopen(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, devtype, p)
+ int devtype;
+# if (__FreeBSD_version >= 500024)
+ struct thread *p;
+# else
+ struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < unit)
+ unit = ENXIO;
+ else
+ unit = 0;
+ return unit;
+}
+
+
+int ipfclose(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, devtype, p)
+ int devtype;
+# if (__FreeBSD_version >= 500024)
+ struct thread *p;
+# else
+ struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ int flags;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < unit)
+ unit = ENXIO;
+ else
+ unit = 0;
+ return unit;
+}
+
+/*
+ * ipfread/ipflog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+int ipfread(dev, uio, ioflag)
+ int ioflag;
+#else
+int ipfread(dev, uio)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ register struct uio *uio;
+{
+ u_int unit = GET_MINOR(dev);
+
+ if (unit < 0)
+ return ENXIO;
+
+ if (ipf_running < 1)
+ return EIO;
+
+ if (unit == IPL_LOGSYNC)
+ return ipfsync_read(uio);
+
+#ifdef IPFILTER_LOG
+ return ipflog_read(unit, uio);
+#else
+ return ENXIO;
+#endif
+}
+
+
+/*
+ * ipfwrite
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+int ipfwrite(dev, uio, ioflag)
+ int ioflag;
+#else
+int ipfwrite(dev, uio)
+#endif
+#if (__FreeBSD_version >= 502116)
+ struct cdev *dev;
+#else
+ dev_t dev;
+#endif
+ register struct uio *uio;
+{
+
+ if (ipf_running < 1)
+ return EIO;
+
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipfsync_write(uio);
+ return ENXIO;
+}
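Review bot: In `ipfread`, `unit` is declared `u_int`, so the guard `if (unit < 0) return ENXIO;` can never be true and `ipflog_read(unit, uio)` is reached with an unchecked minor number; `ipfopen` above uses `IPL_LOGMAX < unit` for the same purpose, and `if (unit > IPL_LOGMAX) return ENXIO;` is presumably what was intended here (a compiler with -Wtype-limits will flag the original). `ipfopen` and `ipfclose` also reuse `unit` to carry the errno value (`unit = ENXIO`), which works but reads more clearly as `return (IPL_LOGMAX < unit) ? ENXIO : 0;`. The block comment above `ipfwrite` is a copy of the `ipfread` one and still says "both of these" about a single function.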
Modified: trunk/contrib/ipfilter/mlf_rule.c
===================================================================
--- trunk/contrib/ipfilter/mlf_rule.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/mlf_rule.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/mlf_rule.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -13,7 +13,7 @@
#include <sys/param.h>
-#if defined(__MidnightBSD__) || defined(__FreeBSD__) && (__FreeBSD__ > 1)
+#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
# ifdef IPFILTER_LKM
# include <osreldate.h>
# define ACTUALLY_LKM_NOT_KERNEL
@@ -22,7 +22,7 @@
# endif
#endif
#include <sys/systm.h>
-#if defined(__MidnightBSD__) || defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
# include <sys/conf.h>
# include <sys/kernel.h>
# ifdef DEVFS
@@ -31,7 +31,7 @@
#endif
#include <sys/conf.h>
#include <sys/file.h>
-#if defined(__MidnightBSD__) || defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/lock.h>
#endif
#include <sys/stat.h>
@@ -46,10 +46,10 @@
#if BSD >= 199506
# include <sys/sysctl.h>
#endif
-#if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
+#if (__FreeBSD_version >= 300000)
# include <sys/socket.h>
#endif
-#if defined(__MidnightBSD__) || (__FreeBSD_version >= 199511)
+#if (__FreeBSD_version >= 199511)
#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
@@ -59,7 +59,7 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#endif
-#if defined(__MidnightBSD__) || (__FreeBSD__ > 1)
+#if (__FreeBSD__ > 1)
# include <sys/sysent.h>
#endif
#include <sys/lkm.h>
@@ -70,7 +70,7 @@
int xxxinit __P((struct lkm_table *, int, int));
-#if !defined(__MidnightBSD__) || !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
+#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
#endif
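Review bot: The context line `MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);` still names `ipldevsw`, while this commit renames that cdevsw to `ipfdevsw` in mlf_ipl.c under the same `__FreeBSD_version < 220000` guard; if this reference is meant to resolve to that object it will no longer link and should read `MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipfdevsw);`. I cannot see from the hunk whether mlf_rule.c carries its own declaration of `ipldevsw`, so confirm before changing it.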
@@ -79,8 +79,8 @@
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
int xxxinit(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl, ipfrule_ioctl);
}
@@ -88,7 +88,7 @@
# ifdef IPFILTER_LKM
# include <sys/exec.h>
-# if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
+# if (__FreeBSD_version >= 300000)
MOD_MISC(ipfrule);
# else
MOD_DECL(ipfrule);
@@ -107,10 +107,10 @@
int ipfrule(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
+ struct lkm_table *lkmtp;
+ int cmd, ver;
{
-# if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
+# if (__FreeBSD_version >= 300000)
MOD_DISPATCH(ipfrule, lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl,
ipfrule_ioctl);
# else
@@ -121,8 +121,8 @@
int ipfrule_load(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+ struct lkm_table *lkmtp;
+ int cmd;
{
return ipfrule_add();
}
@@ -129,8 +129,8 @@
int ipfrule_unload(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+ struct lkm_table *lkmtp;
+ int cmd;
{
return ipfrule_remove();
}
@@ -137,8 +137,8 @@
static int ipfrule_ioctl(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
+ struct lkm_table *lkmtp;
+ int cmd;
{
int err = 0;
@@ -150,12 +150,12 @@
err = ipfrule_load(lkmtp, cmd);
if (!err)
- fr_refcnt++;
+ ipf_refcnt++;
break;
case LKM_E_UNLOAD :
err = ipfrule_unload(lkmtp, cmd);
if (!err)
- fr_refcnt--;
+ ipf_refcnt--;
break;
case LKM_E_STAT :
break;
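Review bot: `ipf_refcnt++` and `ipf_refcnt--` here refer to a bare global, while mlfk_rule.c in this same commit switches to `ipfmain.ipf_refcnt` and adds `extern ipf_main_softc_t ipfmain;`, which suggests the counter now lives in the softc rather than as a file-scope symbol. If so, this file and the two hunks in mlh_rule.c (@@ -88 and @@ -104) will fail to link on `ipf_refcnt` and should use `ipfmain.ipf_refcnt` with the same extern, or a comment should record why these LKM variants keep the old global. The enclosing `ipfrule_ioctl` starts outside the hunk.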
Modified: trunk/contrib/ipfilter/mlfk_rule.c
===================================================================
--- trunk/contrib/ipfilter/mlfk_rule.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/mlfk_rule.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/mlfk_rule.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2000 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: mlfk_rule.c,v 1.2 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
@@ -30,6 +30,7 @@
#include "ip_rules.h"
+extern ipf_main_softc_t ipfmain;
static int
ipfrule_modevent(module_t mod, int type, void *unused)
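Review bot: `extern ipf_main_softc_t ipfmain;` is declared locally in this .c file rather than in a header; a declaration repeated per translation unit is not checked against the definition, so the usual convention is to place it in the header that declares `ipf_main_softc_t` and include that here. If other files in this commit also reference `ipfmain`, a single shared declaration keeps the type from drifting.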
@@ -41,12 +42,12 @@
case MOD_LOAD :
error = ipfrule_add();
if (!error)
- fr_refcnt++;
+ ipfmain.ipf_refcnt++;
break;
case MOD_UNLOAD :
error = ipfrule_remove();
if (!error)
- fr_refcnt--;
+ ipfmain.ipf_refcnt--;
break;
default:
error = EINVAL;
Modified: trunk/contrib/ipfilter/mlh_rule.c
===================================================================
--- trunk/contrib/ipfilter/mlh_rule.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/mlh_rule.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/mlh_rule.c 259073 2013-12-07 18:23:29Z peter $ */
/*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -88,7 +88,7 @@
i = ipfrule_add();
if (!i)
- fr_refcnt--;
+ ipf_refcnt--;
#ifdef IPFDEBUG
printf("IP Filter Rules: ipfrule_add() = %d\n", i);
#endif
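Review bot: The renamed line still decrements the reference count after a successful ipfrule_add(), while the ipfrule_ioctl LKM_E_LOAD hunk and the mlfk_rule.c MOD_LOAD hunk both increment on load and decrement only on unload. If ipf_refcnt gates whether the filter module may be unloaded, an add path that decrements lets the count go below the true number of users and the module can be pulled while these rules are still attached. Unless mlh_rule.c deliberately differs from the other loaders, the line should read `ipf_refcnt++;`. The enclosing function starts and ends outside the hunk.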
@@ -104,7 +104,7 @@
i = ipfrule_remove();
if (!i)
- fr_refcnt--;
+ ipf_refcnt--;
#ifdef IPFDEBUG
printf("IP Filter Rules: ipfrule_remove() = %d\n", i);
#endif
Modified: trunk/contrib/ipfilter/opts.h
===================================================================
--- trunk/contrib/ipfilter/opts.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/opts.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/opts.h 305138 2016-08-31 18:00:41Z dim $ */
/*
- * Copyright (C) 2000 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: opts.h,v 1.2 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
#ifndef __OPTS_H__
@@ -12,7 +12,11 @@
#define __OPTS_H__
#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+# if defined(sun) && (defined(__svr4__) || defined(__SVR4))
+# define SOLARIS 1
+# else
+# define SOLARIS 0
+# endif
#endif
#define OPT_REMOVE 0x000001
#define OPT_DEBUG 0x000002
@@ -42,6 +46,8 @@
#define OPT_HEX 0x2000000
#define OPT_ASCII 0x4000000
#define OPT_NORESOLVE 0x8000000
+#define OPT_DONTOPEN 0x10000000
+#define OPT_PURGE 0x20000000
#define OPT_STAT OPT_FRSTATES
#define OPT_LIST OPT_SHOWLIST
Modified: trunk/contrib/ipfilter/pcap-bpf.h
===================================================================
--- trunk/contrib/ipfilter/pcap-bpf.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/pcap-bpf.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/pcap-bpf.h 146277 2005-05-16 16:22:55Z darrenr $ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -39,7 +39,7 @@
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
- * @(#) $Header: /home/cvs/src/contrib/ipfilter/pcap-bpf.h,v 1.4 2012-12-21 04:00:01 laffer1 Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.37 2005/05/01 19:46:27 guy Exp $ (LBL)
*/
/*
@@ -163,7 +163,7 @@
* for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they
* didn't. So it goes.
*/
-#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__MidnightBSD__)
+#if defined(__NetBSD__) || defined(__FreeBSD__)
#ifndef DLT_SLIP_BSDOS
#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
Modified: trunk/contrib/ipfilter/pcap-ipf.h
===================================================================
--- trunk/contrib/ipfilter/pcap-ipf.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/pcap-ipf.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/pcap-ipf.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
Modified: trunk/contrib/ipfilter/radix_ipf.h
===================================================================
--- trunk/contrib/ipfilter/radix_ipf.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/radix_ipf.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,214 +1,97 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/radix_ipf.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (c) 1988, 1989, 1993
- * The Regents of the University of California. All rights reserved.
+ * Copyright (C) 2012 by Darren Reed.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)radix.h 8.2 (Berkeley) 10/31/94
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
+#ifndef __RADIX_IPF_H__
+#define __RADIX_IPF_H__
-#if !defined(_NET_RADIX_H_) && !defined(_RADIX_H_)
-#define _NET_RADIX_H_
-#ifndef _RADIX_H_
-#define _RADIX_H_
-#endif /* _RADIX_H_ */
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
+#ifndef U_32_T
+typedef unsigned int u_32_t;
+# define U_32_T 1
#endif
-#if defined(__sgi) || defined(__osf__) || defined(sun)
-# define radix_mask ipf_radix_mask
-# define radix_node ipf_radix_node
-# define radix_node_head ipf_radix_node_head
-#endif
+typedef struct ipf_rdx_mask {
+ struct ipf_rdx_mask *next;
+ struct ipf_rdx_node *node;
+ u_32_t *mask;
+ int maskbitcount;
+} ipf_rdx_mask_t;
-/*
- * Radix search tree node layout.
- */
-
-struct radix_node {
- struct radix_mask *rn_mklist; /* list of masks contained in subtree */
- struct radix_node *rn_p; /* parent */
- short rn_b; /* bit offset; -1-index(netmask) */
- char rn_bmask; /* node: mask for bit test*/
- u_char rn_flags; /* enumerated next */
-#define RNF_NORMAL 1 /* leaf contains normal route */
-#define RNF_ROOT 2 /* leaf is root leaf for tree */
-#define RNF_ACTIVE 4 /* This node is alive (for rtfree) */
- union {
- struct { /* leaf only data: */
- caddr_t rn_Key; /* object of search */
- caddr_t rn_Mask; /* netmask, if present */
- struct radix_node *rn_Dupedkey;
- } rn_leaf;
- struct { /* node only data: */
- int rn_Off; /* where to start compare */
- struct radix_node *rn_L;/* progeny */
- struct radix_node *rn_R;/* progeny */
- } rn_node;
- } rn_u;
-#ifdef RN_DEBUG
- int rn_info;
- struct radix_node *rn_twin;
- struct radix_node *rn_ybro;
+typedef struct ipf_rdx_node {
+ struct ipf_rdx_node *left;
+ struct ipf_rdx_node *right;
+ struct ipf_rdx_node *parent;
+ struct ipf_rdx_node *dupkey;
+ struct ipf_rdx_mask *masks;
+ struct ipf_rdx_mask *mymask;
+ u_32_t *addrkey;
+ u_32_t *maskkey;
+ u_32_t *addroff;
+ u_32_t *maskoff;
+ u_32_t lastmask;
+ u_32_t bitmask;
+ int offset;
+ int index;
+ int maskbitcount;
+ int root;
+#ifdef RDX_DEBUG
+ char name[40];
#endif
-};
+} ipf_rdx_node_t;
-#define rn_dupedkey rn_u.rn_leaf.rn_Dupedkey
-#define rn_key rn_u.rn_leaf.rn_Key
-#define rn_mask rn_u.rn_leaf.rn_Mask
-#define rn_off rn_u.rn_node.rn_Off
-#define rn_l rn_u.rn_node.rn_L
-#define rn_r rn_u.rn_node.rn_R
+struct ipf_rdx_head;
-/*
- * Annotations to tree concerning potential routes applying to subtrees.
- */
+typedef void (* radix_walk_func_t)(ipf_rdx_node_t *, void *);
+typedef ipf_rdx_node_t *(* idx_hamn_func_t)(struct ipf_rdx_head *,
+ addrfamily_t *, addrfamily_t *,
+ ipf_rdx_node_t *);
+typedef ipf_rdx_node_t *(* idx_ham_func_t)(struct ipf_rdx_head *,
+ addrfamily_t *, addrfamily_t *);
+typedef ipf_rdx_node_t *(* idx_ha_func_t)(struct ipf_rdx_head *,
+ addrfamily_t *);
+typedef void (* idx_walk_func_t)(struct ipf_rdx_head *,
+ radix_walk_func_t, void *);
-struct radix_mask {
- short rm_b; /* bit offset; -1-index(netmask) */
- char rm_unused; /* cf. rn_bmask */
- u_char rm_flags; /* cf. rn_flags */
- struct radix_mask *rm_mklist; /* more masks to try */
- union {
- caddr_t rmu_mask; /* the mask */
- struct radix_node *rmu_leaf; /* for normal routes */
- } rm_rmu;
- int rm_refs; /* # of references to this struct */
-};
+typedef struct ipf_rdx_head {
+ ipf_rdx_node_t *root;
+ ipf_rdx_node_t nodes[3];
+ ipfmutex_t lock;
+ idx_hamn_func_t addaddr; /* add addr/mask to tree */
+ idx_ham_func_t deladdr; /* delete addr/mask from tree */
+ idx_ham_func_t lookup; /* look for specific addr/mask */
+ idx_ha_func_t matchaddr; /* search tree for address match */
+ idx_walk_func_t walktree; /* walk entire tree */
+} ipf_rdx_head_t;
-#define rm_mask rm_rmu.rmu_mask
-#define rm_leaf rm_rmu.rmu_leaf /* extra field would make 32 bytes */
+typedef struct radix_softc {
+ u_char *zeros;
+ u_char *ones;
+} radix_softc_t;
-#define MKGet(m) {\
- if (rn_mkfreelist) {\
- m = rn_mkfreelist; \
- rn_mkfreelist = (m)->rm_mklist; \
- } else \
- R_Malloc(m, struct radix_mask *, sizeof (*(m))); }\
-
-#define MKFree(m) { (m)->rm_mklist = rn_mkfreelist; rn_mkfreelist = (m);}
-
-struct radix_node_head {
- struct radix_node *rnh_treetop;
- struct radix_node *rnh_leaflist;
- u_long rnh_hits;
- u_int rnh_number;
- u_int rnh_ref;
- int rnh_addrsize; /* permit, but not require fixed keys */
- int rnh_pktsize; /* permit, but not require fixed keys */
- struct radix_node *(*rnh_addaddr) /* add based on sockaddr */
- __P((void *v, void *mask,
- struct radix_node_head *head, struct radix_node nodes[]));
- struct radix_node *(*rnh_addpkt) /* add based on packet hdr */
- __P((void *v, void *mask,
- struct radix_node_head *head, struct radix_node nodes[]));
- struct radix_node *(*rnh_deladdr) /* remove based on sockaddr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_delpkt) /* remove based on packet hdr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_matchaddr) /* locate based on sockaddr */
- __P((void *v, struct radix_node_head *head));
- struct radix_node *(*rnh_lookup) /* locate based on sockaddr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_matchpkt) /* locate based on packet hdr */
- __P((void *v, struct radix_node_head *head));
- int (*rnh_walktree) /* traverse tree */
- __P((struct radix_node_head *,
- int (*)(struct radix_node *, void *), void *));
- struct radix_node rnh_nodes[3]; /* empty tree for common case */
-};
-
-
-#if defined(AIX)
-# undef Bcmp
-# undef Bzero
-# undef R_Malloc
-# undef Free
-#endif
-#define Bcmp(a, b, n) bcmp(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n))
-#if defined(linux) && defined(_KERNEL)
-# define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
+#undef RADIX_NODE_HEAD_LOCK
+#undef RADIX_NODE_HEAD_UNLOCK
+#ifdef _KERNEL
+# define RADIX_NODE_HEAD_LOCK(x) MUTEX_ENTER(&(x)->lock)
+# define RADIX_NODE_HEAD_UNLOCK(x) MUTEX_UNLOCK(&(x)->lock)
#else
-# define Bcopy(a, b, n) bcopy(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n))
+# define RADIX_NODE_HEAD_LOCK(x)
+# define RADIX_NODE_HEAD_UNLOCK(x)
#endif
-#define Bzero(p, n) bzero((caddr_t)(p), (unsigned)(n));
-#define R_Malloc(p, t, n) KMALLOCS(p, t, n)
-#define FreeS(p, z) KFREES(p, z)
-#define Free(p) KFREE(p)
-#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516) || defined(sun)) && defined(_KERNEL)
-# define rn_init ipf_rn_init
-# define rn_fini ipf_rn_fini
-# define rn_inithead ipf_rn_inithead
-# define rn_freehead ipf_rn_freehead
-# define rn_inithead0 ipf_rn_inithead0
-# define rn_refines ipf_rn_refines
-# define rn_walktree ipf_rn_walktree
-# define rn_addmask ipf_rn_addmask
-# define rn_addroute ipf_rn_addroute
-# define rn_delete ipf_rn_delete
-# define rn_insert ipf_rn_insert
-# define rn_lookup ipf_rn_lookup
-# define rn_match ipf_rn_match
-# define rn_newpair ipf_rn_newpair
-# define rn_search ipf_rn_search
-# define rn_search_m ipf_rn_search_m
-# define max_keylen ipf_maxkeylen
-# define rn_mkfreelist ipf_rn_mkfreelist
-# define rn_zeros ipf_rn_zeros
-# define rn_ones ipf_rn_ones
-# define rn_satisfies_leaf ipf_rn_satisfies_leaf
-# define rn_lexobetter ipf_rn_lexobetter
-# define rn_new_radix_mask ipf_rn_new_radix_mask
-# define rn_freenode ipf_rn_freenode
-#endif
+extern void *ipf_rx_create __P((void));
+extern int ipf_rx_init __P((void *));
+extern void ipf_rx_destroy __P((void *));
+extern int ipf_rx_inithead __P((radix_softc_t *, ipf_rdx_head_t **));
+extern void ipf_rx_freehead __P((ipf_rdx_head_t *));
+extern ipf_rdx_node_t *ipf_rx_addroute __P((ipf_rdx_head_t *,
+ addrfamily_t *, addrfamily_t *,
+ ipf_rdx_node_t *));
+extern ipf_rdx_node_t *ipf_rx_delete __P((ipf_rdx_head_t *, addrfamily_t *,
+ addrfamily_t *));
+extern void ipf_rx_walktree __P((ipf_rdx_head_t *, radix_walk_func_t,
+ void *));
-void rn_init __P((void));
-void rn_fini __P((void));
-int rn_inithead __P((void **, int));
-void rn_freehead __P((struct radix_node_head *));
-int rn_inithead0 __P((struct radix_node_head *, int));
-int rn_refines __P((void *, void *));
-int rn_walktree __P((struct radix_node_head *,
- int (*)(struct radix_node *, void *), void *));
-struct radix_node
- *rn_addmask __P((void *, int, int)),
- *rn_addroute __P((void *, void *, struct radix_node_head *,
- struct radix_node [2])),
- *rn_delete __P((void *, void *, struct radix_node_head *)),
- *rn_insert __P((void *, struct radix_node_head *, int *,
- struct radix_node [2])),
- *rn_lookup __P((void *, void *, struct radix_node_head *)),
- *rn_match __P((void *, struct radix_node_head *)),
- *rn_newpair __P((void *, int, struct radix_node[2])),
- *rn_search __P((void *, struct radix_node *)),
- *rn_search_m __P((void *, struct radix_node *, void *));
-
-#endif /* _NET_RADIX_H_ */
+#endif /* __RADIX_IPF_H__ */
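Review bot: The new header gives the ipf_rdx_head_t function-pointer slots one-line comments but says nothing about ownership of the ipf_rdx_node_t storage: addaddr/ipf_rx_addroute take a node pointer and deladdr/ipf_rx_delete return one, which suggests caller-provided storage, yet nothing states whether the tree or the caller frees it or when the node may be reused. A short comment on the `idx_hamn_func_t addaddr` and `idx_ham_func_t deladdr` lines stating who owns the node before and after the call would prevent use-after-free and leaks in callers. It would also help to note next to `RADIX_NODE_HEAD_LOCK` that the macros are empty outside _KERNEL, so userland users of the tree get no serialization, and that the `name[40]` field under RDX_DEBUG changes the struct layout (and therefore `nodes[3]`) between debug and non-debug builds.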
Modified: trunk/contrib/ipfilter/rules/BASIC_1.FW
===================================================================
--- trunk/contrib/ipfilter/rules/BASIC_1.FW 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/rules/BASIC_1.FW 2018-07-01 23:54:57 UTC (rev 11253)
@@ -22,10 +22,10 @@
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
+block in log proto tcp all flags S/SA head 101 group 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
+block in log proto tcp all flags S/SA head 201 group 200
block in log proto udp all head 202 group 200
block out log on ed0 all head 250
#-------------------------------------------------------
Modified: trunk/contrib/ipfilter/rules/BASIC_2.FW
===================================================================
--- trunk/contrib/ipfilter/rules/BASIC_2.FW 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/rules/BASIC_2.FW 2018-07-01 23:54:57 UTC (rev 11253)
@@ -56,7 +56,7 @@
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
-pass in log quick proto tcp all flags S/SA keep state group 200
+pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
Modified: trunk/contrib/ipfilter/rules/firewall
===================================================================
--- trunk/contrib/ipfilter/rules/firewall 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/rules/firewall 2018-07-01 23:54:57 UTC (rev 11253)
@@ -31,7 +31,7 @@
closest to your internal network in terms of network hops.
* "int-net" is the internal network IP# subnet address range. This might
- be something like 10.1.0.0/16, or 128.33.1.0/24
+ be something like 10.1.0.0/16, or 128.33.1.0/24
* "ext-service" is the service to which you wish to connect or if it doesn't
have a proper name, a number can be used. The translation of "ext-service"
Modified: trunk/contrib/ipfilter/rules/ipmon.conf
===================================================================
--- trunk/contrib/ipfilter/rules/ipmon.conf 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/rules/ipmon.conf 2018-07-01 23:54:57 UTC (rev 11253)
@@ -2,23 +2,24 @@
#
#
#
-match { logtag = 10000 }
- do { execute "/usr/bin/mail -s 'logtag 10000' root" };
-match { logtag = 2000, every 10 seconds }
- do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
+match { logtag = 10000; }
+do { execute("/usr/bin/mail -s 'logtag 10000' root"); };
#
-match { protocol = udp, result = block }
- do { execute "/usr/bin/mail -s 'blocked udp' root"
-};
+match { logtag = 2000, every 10 seconds; }
+do { execute("echo 'XXXXXXXX tag 2000 packet XXXXXXXX'"); };
#
-match {
- srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
-};
+match { protocol = udp, result = block; }
+do { file("file:///var/log/udp-block"); };
#
+match { protocol = tcp, result = block, dstport = 25; }
+do { syslog("local0.info"), syslog("local1."), syslog(".warn"); };
+#
+match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
+do { execute("/usr/bin/mail -s 'from 10.1 to 192.168.1' root"); };
+
+#
match {
rule = 12, logtag = 101, direction = in, result = block,
- protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "run shell command"
-};
+ protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
+do { nothing; };
#
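Review bot: The first `match { logtag = 10000; }` rule drives `execute(...)` with no `every` qualifier, unlike the logtag 2000 rule directly below it, so ipmon will fork /usr/bin/mail for every matching log record. As this is the sample that users copy, a burst of matching packets turns into a process-spawn storm on the firewall host; suggest rate-limiting it the same way, `match { logtag = 10000, every 10 seconds; }`, or a comment stating that execute actions should normally carry an `every` clause. The final rule's `do { nothing; };` replaces the old "run shell command" placeholder, which is a good change for the same reason.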
Modified: trunk/contrib/ipfilter/rules/server
===================================================================
--- trunk/contrib/ipfilter/rules/server 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/rules/server 2018-07-01 23:54:57 UTC (rev 11253)
@@ -3,7 +3,7 @@
# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
# connected to the majority of the network, whilst le0 is connected to a
# leaf subnet. We're not concerned about filtering individual services
-# or
+# or
#
pass in quick on le0 from 128.1.40.0/24 to any
block in log quick on le0 from any to any
Modified: trunk/contrib/ipfilter/samples/proxy.c
===================================================================
--- trunk/contrib/ipfilter/samples/proxy.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/samples/proxy.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/samples/proxy.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* Sample transparent proxy program.
@@ -51,8 +51,8 @@
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
struct sockaddr_in sin, sloc, sout;
ipfobj_t obj;
@@ -132,9 +132,9 @@
#ifdef DO_NAT_OUT
do_nat_out(in, out, fd, nlp, extif)
-int fd;
-natlookup_t *nlp;
-char *extif;
+ int fd;
+ natlookup_t *nlp;
+ char *extif;
{
nat_save_t ns, *nsp = &ns;
struct sockaddr_in usin;
@@ -228,7 +228,7 @@
relay(in, out, net)
-int in, out, net;
+ int in, out, net;
{
char netbuf[1024], outbuf[1024];
char *nwptr, *nrptr, *owptr, *orptr;
Modified: trunk/contrib/ipfilter/samples/relay.c
===================================================================
--- trunk/contrib/ipfilter/samples/relay.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/samples/relay.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/samples/relay.c 255332 2013-09-06 23:11:19Z cy $ */
/*
* Sample program to be used as a transparent proxy.
@@ -29,7 +29,7 @@
char obuff[RELAY_BUFSZ];
int relay(ifd, ofd, rfd)
-int ifd, ofd, rfd;
+ int ifd, ofd, rfd;
{
fd_set rfds, wfds;
char *irh, *irt, *rrh, *rrt;
@@ -103,8 +103,8 @@
}
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
struct sockaddr_in sin;
ipfobj_t obj;
Modified: trunk/contrib/ipfilter/samples/userauth.c
===================================================================
--- trunk/contrib/ipfilter/samples/userauth.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/samples/userauth.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,4 +1,4 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/samples/userauth.c 145519 2005-04-25 18:20:15Z darrenr $ */
#include <sys/types.h>
#include <sys/socket.h>
Modified: trunk/contrib/ipfilter/snoop.h
===================================================================
--- trunk/contrib/ipfilter/snoop.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/snoop.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $MidnightBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/snoop.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -11,7 +11,7 @@
/*
* written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 1.2 2012-12-21 04:00:01 laffer1 Exp $
+ * $Id$
*/
struct snoophdr {
char s_id[8];
Modified: trunk/contrib/ipfilter/tools/BNF.ipf
===================================================================
--- trunk/contrib/ipfilter/tools/BNF.ipf 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/BNF.ipf 2018-07-01 23:54:57 UTC (rev 11253)
@@ -66,7 +66,7 @@
"audit" | "logalert" | "local0" | "local1" | "local2" |
"local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
+ "info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
Modified: trunk/contrib/ipfilter/tools/Makefile
===================================================================
--- trunk/contrib/ipfilter/tools/Makefile 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/Makefile 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,8 +1,5 @@
-#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
+YACC=yacc -v
+
DEST=.
all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \
@@ -16,7 +13,7 @@
$(DEST)/ipf_y.h: $(DEST)/ipf_y.c
$(DEST)/ipf_y.c: ipf_y.y
- yacc -d ipf_y.y
+ $(YACC) -d ipf_y.y
sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.c/' \
-e 's/"ipf_y.y"/"..\/tools\/ipf_y.y"/' \
y.tab.c > $(DEST)/ipf_y.c
@@ -30,7 +27,7 @@
$(DEST)/ipmon_y.n: $(DEST)/ipmon_y.c
$(DEST)/ipmon_y.c $(DEST)/ipmon_y.h: ipmon_y.y
- yacc -d ipmon_y.y
+ $(YACC) -d ipmon_y.y
sed -e 's/yy/ipmon_yy/g' -e 's/"ipmon_y.y"/"..\/tools\/ipmon_y.y"/' \
y.tab.c > $(DEST)/ipmon_y.c
sed -e 's/yy/ipmon_yy/g' y.tab.h > $(DEST)/ipmon_y.h
@@ -43,7 +40,7 @@
$(DEST)/ipscan_y.h: $(DEST)/ipscan_y.c
$(DEST)/ipscan_y.c $(DEST)/ipscan_y.h: ipscan_y.y
- yacc -d ipscan_y.y
+ $(YACC) -d ipscan_y.y
sed -e 's/yy/ipscan_yy/g' \
-e 's/"ipscan_y.y"/"..\/tools\/ipscan_y.y"/' \
y.tab.c > $(DEST)/ipscan_y.c
@@ -57,7 +54,7 @@
$(DEST)/ippool_y.h: $(DEST)/ippool_y.c
$(DEST)/ippool_y.c $(DEST)/ippool_y.h: ippool_y.y
- yacc -d ippool_y.y
+ $(YACC) -d ippool_y.y
sed -e 's/yy/ippool_yy/g' -e 's/"ippool_y.y"/"..\/tools\/ippool_y.y"/' \
y.tab.c > $(DEST)/ippool_y.c
sed -e 's/yy/ippool_yy/g' y.tab.h > $(DEST)/ippool_y.h
@@ -70,7 +67,7 @@
$(DEST)/ipnat_y.h: $(DEST)/ipnat_y.c
$(DEST)/ipnat_y.c $(DEST)/ipnat_y.h: ipnat_y.y
- yacc -d ipnat_y.y
+ $(YACC) -d ipnat_y.y
sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.c/ipnat_y.c/' \
-e s/\"ipnat_y.y\"/\"..\\/tools\\/ipnat_y.y\"/ \
y.tab.c > $(DEST)/ipnat_y.c
Modified: trunk/contrib/ipfilter/tools/ipf.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipf.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipf.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipf.c 313461 2017-02-09 02:08:42Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(__FreeBSD__) || defined(__MidnightBSD__)
+#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
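Review bot: The platform guard drops `defined(__MidnightBSD__)` and keeps only `__FreeBSD__`, here and in the pcap-bpf.h DLT_SLIP_BSDOS hunk; unless the MidnightBSD toolchain also predefines __FreeBSD__, this tree loses the osreldate.h include and those DLT definitions. Worth confirming which macro the MidnightBSD compiler defines before resyncing these guards verbatim from upstream, or keeping the local `|| defined(__MidnightBSD__)` alongside the upstream condition.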
@@ -16,12 +16,13 @@
#endif
#include "ipf.h"
#include <fcntl.h>
+#include <ctype.h>
#include <sys/ioctl.h>
#include "netinet/ipl.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.4 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@@ -40,10 +41,14 @@
int opts = 0;
int outputc = 0;
int use_inet6 = 0;
+int exitstatus = 0;
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static void set_state __P((u_int)), showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
+static void procfile __P((char *));
+static void flushfilter __P((char *, int *));
+static void set_state __P((u_int));
+static void showstats __P((friostat_t *));
+static void packetlogon __P((char *));
+static void swapactive __P((void));
static int opendevice __P((char *, int));
static void closedevice __P((void));
static char *ipfname = IPL_NAME;
@@ -50,7 +55,7 @@
static void usage __P((void));
static int showversion __P((void));
static int get_flags __P((void));
-static void ipf_interceptadd __P((int, ioctlfunc_t, void *));
+static int ipf_interceptadd __P((int, ioctlfunc_t, void *));
static int fd = -1;
static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
@@ -57,6 +62,9 @@
ioctl, ioctl, ioctl,
ioctl, ioctl };
+/* XXX The following was added to satisfy a rescue/rescue/ build
+ XXX requirement. */
+int nohdrfields;
static void usage()
{
@@ -68,25 +76,28 @@
int main(argc,argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- int c;
+ int c, *filter = NULL;
if (argc < 2)
usage();
- while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) {
+ assigndefined(getenv("IPF_PREDEFINED"));
+
+ while ((c = getopt(argc, argv, "46Ac:dDEf:F:Il:m:noPrRsT:vVyzZ")) != -1) {
switch (c)
{
case '?' :
usage();
break;
-#ifdef USE_INET6
+ case '4' :
+ use_inet6 = -1;
+ break;
case '6' :
use_inet6 = 1;
break;
-#endif
case 'A' :
opts &= ~OPT_INACTIVE;
break;
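Review bot: The new `-4` case sets `use_inet6 = -1`, but flushfilter tests the flag with a bare `if (use_inet6)` in both the state-flush hunk (`@@ -359,48`) and the rule-flush hunk (`@@ -411,22`), and -1 is true, so `ipf -4 -F ...` takes the IPv6 branch: the state flush only prints the "no longer seperate" message and the rule flush issues SIOCIPFL6. Either those two sites should test `use_inet6 > 0`, or `-4` should assign 0 if its purpose is only to force IPv4. Separately, `assigndefined(getenv("IPF_PREDEFINED"))` passes NULL whenever the variable is unset; worth confirming assigndefined tolerates a NULL argument.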
@@ -104,10 +115,10 @@
opts ^= OPT_DEBUG;
break;
case 'f' :
- procfile(argv[0], optarg);
+ procfile(optarg);
break;
case 'F' :
- flushfilter(optarg);
+ flushfilter(optarg, filter);
break;
case 'I' :
opts ^= OPT_INACTIVE;
@@ -115,8 +126,11 @@
case 'l' :
packetlogon(optarg);
break;
+ case 'm' :
+ filter = parseipfexpr(optarg, NULL);
+ break;
case 'n' :
- opts ^= OPT_DONOTHING;
+ opts ^= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'o' :
break;
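Review bot: `filter = parseipfexpr(optarg, NULL)` is not checked, and flushfilter's `else if (filter != NULL)` branch (hunk `@@ -359,48`) falls through to the unfiltered SIOCIPFFL flush when filter is NULL. If parseipfexpr returns NULL on a malformed expression, a typo in `-m` silently flushes all state instead of failing, and the same happens when `-F` precedes `-m` on the command line, since filter is still NULL at that point. Suggest `if (filter == NULL) { fprintf(stderr, "bad -m expression\n"); exit(1); }` after the call (message text constructed) and a note in usage() that -m must precede -F.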
@@ -161,14 +175,14 @@
if (fd != -1)
(void) close(fd);
- return(0);
+ return(exitstatus);
/* NOTREACHED */
}
static int opendevice(ipfdev, check)
-char *ipfdev;
-int check;
+ char *ipfdev;
+ int check;
{
if (opts & OPT_DONOTHING)
return -2;
@@ -184,7 +198,7 @@
if (fd == -1)
if ((fd = open(ipfdev, O_RDWR)) == -1)
if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
+ ipferror(fd, "open device");
return fd;
}
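Review bot: `ipferror(fd, "open device")` is reached only after both open() calls failed, so fd is -1 at that point. If ipferror fetches the kernel's error detail through the descriptor, it cannot do so here and must fall back to errno; confirm that it handles a negative fd, and add `/* fd is -1 here: only errno is available */` above the call so the next reader does not assume a valid device.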
@@ -202,7 +216,7 @@
if ((opendevice(ipfname, 1) != -2) &&
(ioctl(fd, SIOCGETFF, &i) == -1)) {
- perror("SIOCGETFF");
+ ipferror(fd, "SIOCGETFF");
return 0;
}
return i;
@@ -210,22 +224,24 @@
static void set_state(enable)
-u_int enable;
+ u_int enable;
{
- if (opendevice(ipfname, 0) != -2)
+ if (opendevice(ipfname, 0) != -2) {
if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
+ if (errno == EBUSY) {
fprintf(stderr,
"IP FIlter: already initialized\n");
- else
- perror("SIOCFRENB");
+ } else {
+ ipferror(fd, "SIOCFRENB");
+ }
}
+ }
return;
}
-static void procfile(name, file)
-char *name, *file;
+static void procfile(file)
+ char *file;
{
(void) opendevice(ipfname, 1);
@@ -241,20 +257,22 @@
}
-static void ipf_interceptadd(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
+static int ipf_interceptadd(fd, ioctlfunc, ptr)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ void *ptr;
{
if (outputc)
printc(ptr);
- ipf_addrule(fd, ioctlfunc, ptr);
+ if (ipf_addrule(fd, ioctlfunc, ptr) != 0)
+ exitstatus = 1;
+ return 0;
}
static void packetlogon(opt)
-char *opt;
+ char *opt;
{
int flag, xfd, logopt, change = 0;
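Review bot: ipf_interceptadd now has an int return type but always returns 0, even when ipf_addrule failed and exitstatus was set; if the caller (outside this hunk) uses the return value to stop processing a rule file after an error, the failure is never propagated. Either return the ipf_addrule result, or document the intent with `/* always 0: failures are recorded in exitstatus so the rest of the file is still processed */` above the return.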
@@ -278,7 +296,7 @@
printf("set log flag: nomatch\n");
change = 1;
}
- if (strstr(opt, "block") || index(opt, 'd')) {
+ if (strstr(opt, "block") || strchr(opt, 'd')) {
flag |= FF_LOGBLOCK;
if (opts & OPT_VERBOSE)
printf("set log flag: block\n");
@@ -293,7 +311,7 @@
if (change == 1) {
if (opendevice(ipfname, 1) != -2 &&
(ioctl(fd, SIOCSETFF, &flag) != 0))
- perror("ioctl(SIOCSETFF)");
+ ipferror(fd, "ioctl(SIOCSETFF)");
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
@@ -308,11 +326,11 @@
if (xfd >= 0) {
logopt = 0;
if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
+ ipferror(fd, "ioctl(SIOCGETLG)");
else {
logopt = 1 - logopt;
if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
+ ipferror(xfd, "ioctl(SIOCSETLG)");
}
close(xfd);
}
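Review bot: The SIOCGETLG call on the previous line used `xfd`, but the new error call passes `fd`, so ipferror reports against the wrong descriptor; the SIOCSETLG branch three lines down and the parallel hunk at `@@ -325,11` both pass `xfd`. The line should be `ipferror(xfd, "ioctl(SIOCGETLG)");`.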
@@ -325,11 +343,11 @@
if (xfd >= 0) {
logopt = 0;
if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
+ ipferror(xfd, "ioctl(SIOCGETLG)");
else {
logopt = 1 - logopt;
if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
+ ipferror(xfd, "ioctl(SIOCSETLG)");
}
close(xfd);
}
@@ -337,8 +355,9 @@
}
-static void flushfilter(arg)
-char *arg;
+static void flushfilter(arg, filter)
+ char *arg;
+ int *filter;
{
int fl = 0, rem;
@@ -359,48 +378,46 @@
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
+ fprintf(stderr,
+ "IPv6 rules are no longer seperate\n");
+ } else if (filter != NULL) {
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = filter[0] * sizeof(int);
+ obj.ipfo_type = IPFOBJ_IPFEXPR;
+ obj.ipfo_ptr = filter;
+ if (ioctl(fd, SIOCMATCHFLUSH, &obj) == -1) {
+ ipferror(fd, "ioctl(SIOCMATCHFLUSH)");
+ fl = -1;
+ } else {
+ fl = obj.ipfo_retval;
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
+ ipferror(fd, "ioctl(SIOCIPFFL)");
exit(1);
}
}
}
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ if ((opts & (OPT_DONOTHING|OPT_DEBUG)) == OPT_DEBUG) {
printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d entries\n", fl);
}
- closedevice();
- return;
- }
-
-#ifdef SIOCIPFFA
- if (!strcmp(arg, "u")) {
- closedevice();
- /*
- * Flush auth rules and packets
- */
- if (opendevice(IPL_AUTH, 1) == -1)
- perror("open(IPL_AUTH)");
- else {
- if (ioctl(fd, SIOCIPFFA, &fl) == -1)
- perror("ioctl(SIOCIPFFA)");
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ printf("%d state entries removed\n", fl);
}
closedevice();
return;
- }
-#endif
-
- if (strchr(arg, 'i') || strchr(arg, 'I'))
+ } else if (strchr(arg, 'i') || strchr(arg, 'I'))
fl = FR_INQUE;
- if (strchr(arg, 'o') || strchr(arg, 'O'))
+ else if (strchr(arg, 'o') || strchr(arg, 'O'))
fl = FR_OUTQUE;
- if (strchr(arg, 'a') || strchr(arg, 'A'))
+ else if (strchr(arg, 'a') || strchr(arg, 'A'))
fl = FR_OUTQUE|FR_INQUE;
+ else {
+ fprintf(stderr, "Incorrect flush argument: %s\n", arg);
+ usage();
+ }
if (opts & OPT_INACTIVE)
fl |= FR_INACTIVE;
rem = fl;
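Review bot: When SIOCMATCHFLUSH fails the new code sets `fl = -1` and continues, so the verbose branch below prints `-1 state entries removed`, and nothing in this branch sets exitstatus, whereas the SIOCIPFFL failure two branches down calls exit(1). Since exitstatus was introduced by this commit, the failure branch should at least set it, e.g. `ipferror(fd, "ioctl(SIOCMATCHFLUSH)"); exitstatus = 1;` and skip the summary. The IPv6 branch likewise only prints a message (with `seperate` misspelled for `separate`) and leaves fl at 0, so `-6 -F s` reports `0 state entries removed` without contacting the kernel; if that is intended, a comment stating that state flushes are address-family independent would make it clear. flushfilter continues past this hunk.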
@@ -411,22 +428,24 @@
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
+ ipferror(fd, "ioctl(SIOCIPFL6)");
exit(1);
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
+ ipferror(fd, "ioctl(SIOCIPFFL)");
exit(1);
}
}
}
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ if ((opts & (OPT_DONOTHING|OPT_DEBUG)) == OPT_DEBUG) {
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
(rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
}
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ printf("%d filter rules removed\n", fl);
+ }
return;
}
@@ -436,7 +455,7 @@
int in = 2;
if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
- perror("ioctl(SIOCSWAPA)");
+ ipferror(fd, "ioctl(SIOCSWAPA)");
else
printf("Set %d now inactive\n", in);
}
@@ -447,7 +466,7 @@
int frsyn = 0;
if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
- perror("SIOCFRSYN");
+ ipferror(fd, "SIOCFRSYN");
else
printf("filter sync'd\n");
}
@@ -466,7 +485,7 @@
if (opendevice(ipfname, 1) != -2) {
if (ioctl(fd, SIOCFRZST, &obj) == -1) {
- perror("ioctl(SIOCFRZST)");
+ ipferror(fd, "ioctl(SIOCFRZST)");
exit(-1);
}
showstats(&fio);
@@ -479,7 +498,7 @@
* read the kernel stats for packets blocked and passed
*/
static void showstats(fp)
-friostat_t *fp;
+ friostat_t *fp;
{
printf("bad packets:\t\tin %lu\tout %lu\n",
fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
@@ -495,9 +514,6 @@
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
printf("output packets logged:\tblocked %lu passed %lu\n",
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
}
@@ -523,7 +539,7 @@
}
if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
+ ipferror(vfd, "ioctl(SIOCGETFS)");
close(vfd);
return 1;
}
Modified: trunk/contrib/ipfilter/tools/ipf_y.y
===================================================================
--- trunk/contrib/ipfilter/tools/ipf_y.y 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipf_y.y 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipf_y.y 317314 2017-04-23 03:16:38Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -9,6 +9,7 @@
#include "ipf.h"
#include <sys/ioctl.h>
#include <syslog.h>
+#include <err.h>
#ifdef IPFILTER_BPF
# include <pcap.h>
#endif
@@ -28,18 +29,29 @@
extern FILE *yyin;
extern int yylineNum;
-static void newrule __P((void));
-static void setipftype __P((void));
-static u_32_t lookuphost __P((char *));
+static int addname __P((frentry_t **, char *));
+static frentry_t *addrule __P((void));
+static frentry_t *allocfr __P((void));
+static void build_dstaddr_af __P((frentry_t *, void *));
+static void build_srcaddr_af __P((frentry_t *, void *));
static void dobpf __P((int, char *));
-static void resetaddr __P((void));
-static struct alist_s *newalist __P((struct alist_s *));
+static void doipfexpr __P((char *));
+static void do_tuneint __P((char *, int));
+static void do_tunestr __P((char *, char *));
+static void fillgroup __P((frentry_t *));
+static int lookuphost __P((char *, i6addr_t *));
static u_int makehash __P((struct alist_s *));
static int makepool __P((struct alist_s *));
-static frentry_t *addrule __P((void));
+static struct alist_s *newalist __P((struct alist_s *));
+static void newrule __P((void));
+static void resetaddr __P((void));
+static void setgroup __P((frentry_t **, char *));
+static void setgrhead __P((frentry_t **, char *));
+static void seticmphead __P((frentry_t **, char *));
+static void setifname __P((frentry_t **, int, char *));
+static void setipftype __P((void));
static void setsyslog __P((void));
static void unsetsyslog __P((void));
-static void fillgroup __P((frentry_t *));
frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
@@ -52,52 +64,54 @@
static int newlist = 0;
static int added = 0;
static int ipffd = -1;
-static int *yycont = 0;
-static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
+static int *yycont = NULL;
+static ioctlfunc_t ipfioctls[IPL_LOGSIZE];
static addfunc_t ipfaddfunc = NULL;
-static struct wordtab ipfwords[95];
-static struct wordtab addrwords[4];
-static struct wordtab maskwords[5];
-static struct wordtab icmpcodewords[17];
-static struct wordtab icmptypewords[16];
-static struct wordtab ipv4optwords[25];
-static struct wordtab ipv4secwords[9];
-static struct wordtab ipv6optwords[9];
-static struct wordtab logwords[33];
%}
%union {
char *str;
u_32_t num;
- struct in_addr ipa;
frentry_t fr;
frtuc_t *frt;
struct alist_s *alist;
u_short port;
+ struct in_addr ip4;
struct {
u_short p1;
u_short p2;
int pc;
} pc;
- struct {
+ struct ipp_s {
+ int type;
+ int ifpos;
+ int f;
+ int v;
+ int lif;
union i6addr a;
union i6addr m;
+ char *name;
} ipp;
- union i6addr ip6;
struct {
+ i6addr_t adr;
+ int f;
+ } adr;
+ i6addr_t ip6;
+ struct {
char *if1;
char *if2;
} ifs;
+ char gname[FR_GROUPLEN];
};
%type <port> portnum
%type <num> facility priority icmpcode seclevel secname icmptype
%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
-%type <num> portc porteq
-%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
-%type <ip6> ipv6mask
+%type <num> portc porteq ipmask maskopts
+%type <ip4> ipv4 ipv4_16 ipv4_24
+%type <adr> hostname
%type <ipp> addr ipaddr
-%type <str> servicename name interfacename
+%type <str> servicename name interfacename groupname
%type <pc> portrange portcomp
%type <alist> addrlist poollist
%type <ifs> onname
@@ -109,30 +123,32 @@
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
+%token IPFY_SET
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
-%token IPFY_TOS IPFY_TTL IPFY_PROTO
+%token IPFY_TOS IPFY_TTL IPFY_PROTO IPFY_INET IPFY_INET6
%token IPFY_HEAD IPFY_GROUP
%token IPFY_AUTH IPFY_PREAUTH
-%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
-%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
+%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK IPFY_L5AS
+%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP IPFY_DECAPS
%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
-%token IPFY_PPS
+%token IPFY_IPFEXPR IPFY_PPS IPFY_FAMILY IPFY_DSTLIST
%token IPFY_ESP IPFY_AH
%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token IPFY_FLAGS IPFY_MULTICAST
%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
-%token IPFY_PORT
-%token IPFY_NOW
+%token IPFY_RPC IPFY_PORT
+%token IPFY_NOW IPFY_COMMENT IPFY_RULETTL
%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
-%token IPFY_SYNC IPFY_FRAGBODY
+%token IPFY_SYNC IPFY_FRAGBODY IPFY_ICMPHEAD IPFY_NOLOG IPFY_LOOSE
+%token IPFY_MAX_SRCS IPFY_MAX_PER_SRC
%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
@@ -140,10 +156,10 @@
%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
-%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
+%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 IPFY_DOI
-%token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
-%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
+%token IPFY_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
+%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING IPFY_V6HDR
%token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
@@ -168,16 +184,36 @@
%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%%
-file: line
+file: settings rules
+ | rules
+ ;
+
+settings:
+ YY_COMMENT
+ | setting
+ | settings setting
+ ;
+
+rules: line
| assign
- | file line
- | file assign
+ | rules line
+ | rules assign
;
+setting:
+ IPFY_SET YY_STR YY_NUMBER ';' { do_tuneint($2, $3); }
+ | IPFY_SET YY_STR YY_HEX ';' { do_tuneint($2, $3); }
+ | IPFY_SET YY_STR YY_STR ';' { do_tunestr($2, $3); }
+ ;
+
line: rule { while ((fr = frtop) != NULL) {
frtop = fr->fr_next;
fr->fr_next = NULL;
- (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
+ if ((fr->fr_type == FR_T_IPF) &&
+ (fr->fr_ip.fi_v == 0))
+ fr->fr_mip.fi_v = 0;
+ /* XXX validate ? */
+ (*ipfaddfunc)(ipffd, ipfioctls[IPL_LOGIPF], fr);
fr->fr_next = frold;
frold = fr;
}
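Review bot: The `/* XXX validate ? */` marker in the `line` action should be replaced by a why-comment on the line above it, which is the only place the version mask is touched before the rule goes to ipfaddfunc; if the intent is what it looks like, `/* no IP version given: clear the version mask so the rule is not limited to v4 or v6 */` says it, but that intent is not stated anywhere in the hunk, so confirm. The new `setting` alternatives pass the lexer-allocated `$2` (and `$3` for the string form) to do_tuneint/do_tunestr and never free them; unless those helpers take ownership, every `set` line leaks. The `line` action continues past the end of this hunk.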
@@ -231,23 +267,54 @@
rulemain:
ipfrule
| bpfrule
+ | exprrule
;
ipfrule:
- tos ttl proto ip
+ family tos ttl proto ip
;
+family: | IPFY_FAMILY IPFY_INET { if (use_inet6 == 1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET;
+ }
+ }
+ | IPFY_INET { if (use_inet6 == 1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET;
+ }
+ }
+ | IPFY_FAMILY IPFY_INET6 { if (use_inet6 == -1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET6;
+ }
+ }
+ | IPFY_INET6 { if (use_inet6 == -1) {
+ YYERROR;
+ } else {
+ frc->fr_family = AF_INET6;
+ }
+ }
+ ;
+
bpfrule:
IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
| IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
;
+exprrule:
+ IPFY_IPFEXPR '{' YY_STR '}' { doipfexpr($3); }
+ ;
+
ruletail:
with keep head group
;
ruletail2:
- pps age new
+ pps age new rulettl comment
;
intag: settagin matchtagin
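Review bot: `exprrule` hands `$3` to doipfexpr and never frees it, whereas the neighbouring `bpfrule` alternatives free `$3` after dobpf; unless doipfexpr keeps the pointer, the lexer's string leaks for every `ipfexpr` rule. Either `IPFY_IPFEXPR '{' YY_STR '}' { doipfexpr($3); free($3); }` or a comment at doipfexpr stating that it takes ownership would settle it. The four `family` alternatives also repeat the same use_inet6 check and assignment; a nonterminal for the optional `IPFY_FAMILY` keyword followed by two alternatives would halve that block.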
@@ -269,6 +336,7 @@
| IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
| log
| IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
+ | decaps { fr->fr_flags |= FR_DECAPSULATE; }
| auth
| IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
fr->fr_arg = $2; }
@@ -291,6 +359,11 @@
| IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
;
+decaps: IPFY_DECAPS
+ | IPFY_DECAPS IPFY_L5AS '(' YY_STR ')'
+ { fr->fr_icode = atoi($4); }
+ ;
+
log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
| IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
;
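Review bot: `decaps` stores `atoi($4)` into fr_icode with no validation and then drops `$4`: a non-numeric or out-of-range `l5as(...)` argument silently becomes 0, and the lexer-allocated string leaks. Parse it explicitly and reject leftovers, e.g. `char *e; long v = strtol($4, &e, 10); if (e == $4 || *e != '\0') yyerror("bad l5as value"); fr->fr_icode = v; free($4);`. The same unfreed YY_STR appears at `IPFY_RPC IPFY_IN YY_STR` in the keep-state hunk, where the program name is not used at all, and in the `YY_STR` alternative of `icmptype`, where `$1` is passed to geticmptype and never freed.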
@@ -300,10 +373,11 @@
| IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
;
-func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
- ipfioctl[IPL_LOGIPF]);
- fr->fr_arg = $3;
- free($1); }
+func: YY_STR '/' YY_NUMBER
+ { fr->fr_func = nametokva($1, ipfioctls[IPL_LOGIPF]);
+ fr->fr_arg = $3;
+ free($1);
+ }
;
inopts:
@@ -330,6 +404,7 @@
| on
| dup
| proute
+ | froute
| replyto
;
@@ -346,7 +421,7 @@
| YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
| toslist lmore YY_NUMBER
{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_HEX
+ | toslist lmore YY_HEX
{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
;
@@ -355,10 +430,10 @@
| setttl lstart ttllist lend
;
-lstart: '(' { newlist = 1; fr = frc; added = 0; }
+lstart: '{' { newlist = 1; fr = frc; added = 0; }
;
-lend: ')' { nrules += added; }
+lend: '}' { nrules += added; }
;
lmore: lanother { if (newlist == 1) {
@@ -394,22 +469,27 @@
ip: srcdst flags icmp
;
-group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
- FR_GROUPLEN); \
- fillgroup(fr););
- free($2); }
- | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
- $2); \
- fillgroup(fr);) }
+group: | IPFY_GROUP groupname { DOALL(setgroup(&fr, $2); \
+ fillgroup(fr););
+ free($2);
+ }
;
-head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
- FR_GROUPLEN););
- free($2); }
- | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
- $2);) }
+head: | IPFY_HEAD groupname { DOALL(setgrhead(&fr, $2););
+ free($2);
+ }
;
+groupname:
+ YY_STR { $$ = $1;
+ if (strlen($$) >= FR_GROUPLEN)
+ $$[FR_GROUPLEN - 1] = '\0';
+ }
+ | YY_NUMBER { $$ = malloc(16);
+ sprintf($$, "%d", $1);
+ }
+ ;
+
settagin:
| IPFY_SETTAG '(' taginlist ')'
;
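Review bot: `groupname` silently truncates a `YY_STR` longer than FR_GROUPLEN instead of rejecting it, so a rule written for a long group name is attached to a different, shortened group with no diagnostic; since the group decides which rules a packet visits, this should be an error: `if (strlen($1) >= FR_GROUPLEN) yyerror("group name too long");`. The `YY_NUMBER` alternative leaves `malloc(16)` unchecked before sprintf writes through it; 16 bytes is enough for any `%d`, but if YY_NUMBER carries the u_32_t `num` member, `%u` is the matching conversion. setgroup/setgrhead are outside this hunk, so I cannot tell whether they re-check the length.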
@@ -461,6 +541,15 @@
new: | savegroup file restoregroup
;
+rulettl:
+ | IPFY_RULETTL YY_NUMBER { DOALL(fr->fr_die = $2;) }
+ ;
+
+comment:
+ | IPFY_COMMENT YY_STR { DOALL(fr->fr_comment = addname(&fr, \
+ $2);) }
+ ;
+
savegroup:
'{'
;
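Review bot: `addname(&fr, $2)` in the `comment` action is called inside DOALL with the rule pointer passed by address, and the prototype `static int addname __P((frentry_t **, char *))` suggests it may reallocate the frentry to make room for the name. If it does, every other pointer to the same rule object is stale afterwards — `lstart` aliases `fr = frc`, and `frc` is read throughout the grammar — so either addname must never move the object or callers must refresh `frc`. addname's body is outside this diff; the same call pattern appears in `dup`, `proute`, `replyto` and the pool/hash alternatives of `addr`, so it is worth confirming once.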
@@ -472,79 +561,95 @@
logopt: log
;
-quick:
- IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
+quick: IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
;
-on: IPFY_ON onname
+on: IPFY_ON onname { setifname(&fr, 0, $2.if1);
+ free($2.if1);
+ if ($2.if2 != NULL) {
+ setifname(&fr, 1,
+ $2.if2);
+ free($2.if2);
+ }
+ }
| IPFY_ON lstart onlist lend
- | IPFY_ON onname IPFY_INVIA vianame
- | IPFY_ON onname IPFY_OUTVIA vianame
+ | IPFY_ON onname IPFY_INVIA vianame { setifname(&fr, 0, $2.if1);
+ free($2.if1);
+ if ($2.if2 != NULL) {
+ setifname(&fr, 1,
+ $2.if2);
+ free($2.if2);
+ }
+ }
+ | IPFY_ON onname IPFY_OUTVIA vianame { setifname(&fr, 0, $2.if1);
+ free($2.if1);
+ if ($2.if2 != NULL) {
+ setifname(&fr, 1,
+ $2.if2);
+ free($2.if2);
+ }
+ }
;
-onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($1.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $1.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($3.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $3.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
+onlist: onname { DOREM(setifname(&fr, 0, $1.if1); \
+ if ($1.if2 != NULL) \
+ setifname(&fr, 1, $1.if2); \
+ )
+ free($1.if1);
+ if ($1.if2 != NULL)
+ free($1.if2);
+ }
+ | onlist lmore onname { DOREM(setifname(&fr, 0, $3.if1); \
+ if ($3.if2 != NULL) \
+ setifname(&fr, 1, $3.if2); \
+ )
+ free($3.if1);
+ if ($3.if2 != NULL)
+ free($3.if2);
+ }
;
-onname: interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- $$.if2 = NULL;
- free($1);
- }
+onname: interfacename { $$.if1 = $1;
+ $$.if2 = NULL;
+ }
| interfacename ',' interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- free($1);
- strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
- $$.if1 = fr->fr_ifnames[1];
- free($3);
- }
+ { $$.if1 = $1;
+ $$.if2 = $3;
+ }
;
vianame:
- name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- }
- | name ',' name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
- free($3);
- }
+ name { setifname(&fr, 2, $1);
+ free($1);
+ }
+ | name ',' name { setifname(&fr, 2, $1);
+ free($1);
+ setifname(&fr, 3, $3);
+ free($3);
+ }
;
dup: IPFY_DUPTO name
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
+ { int idx = addname(&fr, $2);
+ fr->fr_dif.fd_name = idx;
free($2);
}
+ | IPFY_DUPTO IPFY_DSTLIST '/' name
+ { int idx = addname(&fr, $4);
+ fr->fr_dif.fd_name = idx;
+ fr->fr_dif.fd_type = FRD_DSTLIST;
+ free($4);
+ }
| IPFY_DUPTO name duptoseparator hostname
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- fr->fr_dif.fd_ip = $4;
+ { int idx = addname(&fr, $2);
+ fr->fr_dif.fd_name = idx;
+ fr->fr_dif.fd_ptr = (void *)-1;
+ fr->fr_dif.fd_ip6 = $4.adr;
+ if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
+ fr->fr_family = $4.f;
yyexpectaddr = 0;
free($2);
}
- | IPFY_DUPTO name duptoseparator YY_IPV6
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
- yyexpectaddr = 0;
- free($2);
- }
;
duptoseparator:
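Review bot: The three `on` alternatives repeat the same eight-line setifname/free block verbatim, and `onlist` repeats it twice more with `$1` and `$3`; a small static helper would keep the ownership rule (the `onname` strings are freed by whoever consumes them) in one place and leave each action a one-liner. The helper below follows the file's K&R definition style and would need a prototype beside the other `__P` declarations.
```c
/* Store the interface pair of an "on" clause into *frp and release the
 * lexer's copies of both names; if2 may be NULL. */
static void
setonname(frp, if1, if2)
	frentry_t **frp;
	char *if1;
	char *if2;
{
	setifname(frp, 0, if1);
	free(if1);
	if (if2 != NULL) {
		setifname(frp, 1, if2);
		free(if2);
	}
}

/* … each of the three "on" actions then becomes: … */
on:	IPFY_ON onname			{ setonname(&fr, $2.if1, $2.if2); }
```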
@@ -555,21 +660,26 @@
;
proute: routeto name
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
+ { int idx = addname(&fr, $2);
+ fr->fr_tif.fd_name = idx;
free($2);
}
+ | routeto IPFY_DSTLIST '/' name
+ { int idx = addname(&fr, $4);
+ fr->fr_tif.fd_name = idx;
+ fr->fr_tif.fd_type = FRD_DSTLIST;
+ free($4);
+ }
| routeto name duptoseparator hostname
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- fr->fr_tif.fd_ip = $4;
+ { int idx = addname(&fr, $2);
+ fr->fr_tif.fd_name = idx;
+ fr->fr_tif.fd_ptr = (void *)-1;
+ fr->fr_tif.fd_ip6 = $4.adr;
+ if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
+ fr->fr_family = $4.f;
yyexpectaddr = 0;
free($2);
}
- | routeto name duptoseparator YY_IPV6
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
- yyexpectaddr = 0;
- free($2);
- }
;
routeto:
@@ -579,12 +689,22 @@
replyto:
IPFY_REPLY_TO name
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
+ { int idx = addname(&fr, $2);
+ fr->fr_rif.fd_name = idx;
free($2);
}
+ | IPFY_REPLY_TO IPFY_DSTLIST '/' name
+ { fr->fr_rif.fd_name = addname(&fr, $4);
+ fr->fr_rif.fd_type = FRD_DSTLIST;
+ free($4);
+ }
| IPFY_REPLY_TO name duptoseparator hostname
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
- fr->fr_rif.fd_ip = $4;
+ { int idx = addname(&fr, $2);
+ fr->fr_rif.fd_name = idx;
+ fr->fr_rif.fd_ptr = (void *)-1;
+ fr->fr_rif.fd_ip6 = $4.adr;
+ if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
+ fr->fr_family = $4.f;
free($2);
}
;
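Review bot: The `IPFY_REPLY_TO name duptoseparator hostname` action does not reset `yyexpectaddr` after consuming the address, while the otherwise identical `dup` and `proute` actions in the previous two hunks end with `yyexpectaddr = 0;` before `free($2)`. That flag appears to steer the lexer's address mode (the `hostname` alternatives set it to 2), so the omission presumably leaves the lexer expecting an address after a `reply-to` clause — worth checking, although it predates this commit. The `IPFY_DSTLIST` alternative also assigns `addname(&fr, $4)` straight to fd_name while the other alternatives go through an `idx` local; one form should be used.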
@@ -614,27 +734,29 @@
;
protocol:
- YY_NUMBER { DOREM(fr->fr_proto = $1; \
- fr->fr_mproto = 0xff;) }
+ YY_NUMBER { DOALL(fr->fr_proto = $1; \
+ fr->fr_mproto = 0xff;)
+ }
| YY_STR { if (!strcmp($1, "tcp-udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
+ DOALL(fr->fr_flx |= FI_TCPUDP; \
fr->fr_mflx |= FI_TCPUDP;)
} else {
int p = getproto($1);
if (p == -1)
yyerror("protocol unknown");
- DOREM(fr->fr_proto = p; \
+ DOALL(fr->fr_proto = p; \
fr->fr_mproto = 0xff;)
}
free($1);
- }
+ }
| YY_STR nextstring YY_STR
{ if (!strcmp($1, "tcp") &&
!strcmp($3, "udp")) {
DOREM(fr->fr_flx |= FI_TCPUDP; \
fr->fr_mflx |= FI_TCPUDP;)
- } else
+ } else {
YYERROR;
+ }
free($1);
free($3);
}
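Review bot: The `YY_NUMBER` alternative of `protocol` stores `$1` into fr_proto with no range check; if fr_proto is the one-byte fi_p field (I believe it is), a value above 255 is silently truncated and the rule matches a different protocol than the one written. Add `if ($1 > 255) yyerror("protocol number out of range");` before the DOALL. In the `YY_STR` alternative the DOALL after `yyerror("protocol unknown")` still runs with `p == -1` unless yyerror never returns; if it does return, the same truncation turns -1 into protocol 255.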
@@ -667,7 +789,8 @@
printf("set yyexpectaddr\n");
yycont = &yyexpectaddr;
yysetdict(addrwords);
- resetaddr(); }
+ resetaddr();
+ }
;
with: | andwith withlist
@@ -678,7 +801,7 @@
| IPFY_AND { nowith = 0; setipftype(); }
;
-flags: | startflags flagset
+flags: | startflags flagset
{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
| startflags flagset '/' flagset
{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
@@ -717,35 +840,14 @@
;
srcaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
+ addr { build_srcaddr_af(fr, &$1); }
| lstart srcaddrlist lend
;
srcaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
+ addr { build_srcaddr_af(fr, &$1); }
| srcaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
+ { build_srcaddr_af(fr, &$3); }
;
srcport:
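Review bot: `srcaddr` and `srcaddrlist` now call build_srcaddr_af without the address-family consistency check that the corresponding `dstaddr`/`dstaddrlist` actions perform (`$1.f != AF_UNSPEC && frc->fr_family != AF_UNSPEC && $1.f != frc->fr_family`), so an IPv6 source on a rule already typed `inet` is accepted here and only caught later, if at all. Unless build_srcaddr_af performs the check itself (its body is outside this diff), the same guard with a `yyerror("src/dst address family mismatch")` should precede each `build_srcaddr_af(fr, &$N)` call.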
@@ -770,10 +872,10 @@
srcportlist:
portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
- | portnum ':' portnum
+ | portnum ':' portnum
{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
fr->fr_stop = $3;) }
- | portnum YY_RANGE_IN portnum
+ | portnum YY_RANGE_IN portnum
{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
fr->fr_stop = $3;) }
| srcportlist lmore portnum
@@ -794,34 +896,25 @@
;
dstaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
+ addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
+ ($1.f != frc->fr_family))
+ yyerror("1.src/dst address family mismatch");
+ build_dstaddr_af(fr, &$1);
}
| lstart dstaddrlist lend
;
dstaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
+ addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
+ ($1.f != frc->fr_family))
+ yyerror("2.src/dst address family mismatch");
+ build_dstaddr_af(fr, &$1);
}
| dstaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
+ { if (($3.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
+ ($3.f != frc->fr_family))
+ yyerror("3.src/dst address family mismatch");
+ build_dstaddr_af(fr, &$3);
}
;
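Review bot: The three yyerror messages are prefixed with `1.`, `2.` and `3.` — debugging markers that identify the grammar alternative, not something the rule author can act on; all three should read `src/dst address family mismatch`, since yyerror already reports the line. The check itself is repeated verbatim three times; moving it into build_dstaddr_af, which already receives both `fr` and the address, would remove the duplication and make the `srcaddr` side get the same check for free.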
@@ -848,10 +941,10 @@
dstportlist:
portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
- | portnum ':' portnum
+ | portnum ':' portnum
{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
fr->fr_dtop = $3;) }
- | portnum YY_RANGE_IN portnum
+ | portnum YY_RANGE_IN portnum
{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
fr->fr_dtop = $3;) }
| dstportlist lmore portnum
@@ -865,141 +958,244 @@
;
addr: pool '/' YY_NUMBER { pooled = 1;
+ yyexpectaddr = 0;
+ $$.type = FRI_LOOKUP;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
$$.a.iplookuptype = IPLT_POOL;
$$.a.iplookupsubtype = 0;
$$.a.iplookupnum = $3; }
| pool '/' YY_STR { pooled = 1;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_POOL;
$$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
+ $$.a.iplookupname = addname(&fr, $3);
}
- | pool '=' '(' poollist ')' { pooled = 1;
+ | pool '=' '(' { yyexpectaddr = 1;
+ pooled = 1;
+ }
+ poollist ')' { yyexpectaddr = 0;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_POOL;
$$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makepool($4); }
+ $$.a.iplookupnum = makepool($5);
+ }
| hash '/' YY_NUMBER { hashed = 1;
+ yyexpectaddr = 0;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_HASH;
$$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | hash '/' YY_STR { pooled = 1;
+ $$.a.iplookupnum = $3;
+ }
+ | hash '/' YY_STR { hashed = 1;
+ $$.type = FRI_LOOKUP;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
$$.a.iplookuptype = IPLT_HASH;
$$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
+ $$.a.iplookupname = addname(&fr, $3);
}
- | hash '=' '(' addrlist ')' { hashed = 1;
+ | hash '=' '(' { hashed = 1;
+ yyexpectaddr = 1;
+ }
+ addrlist ')' { yyexpectaddr = 0;
+ $$.v = 0;
+ $$.ifpos = -1;
+ $$.f = AF_UNSPEC;
+ $$.type = FRI_LOOKUP;
$$.a.iplookuptype = IPLT_HASH;
$$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makehash($4); }
- | ipaddr { bcopy(&$1, &$$, sizeof($$));
+ $$.a.iplookupnum = makehash($5);
+ }
+ | ipaddr { $$ = $1;
yyexpectaddr = 0; }
;
-ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
+ipaddr: IPFY_ANY { memset(&($$), 0, sizeof($$));
+ $$.type = FRI_NORMAL;
+ $$.ifpos = -1;
+ yyexpectaddr = 0;
+ }
+ | hostname { memset(&($$), 0, sizeof($$));
+ $$.a = $1.adr;
+ $$.f = $1.f;
+ if ($1.f == AF_INET6)
+ fill6bits(128, $$.m.i6);
+ else if ($1.f == AF_INET)
+ fill6bits(32, $$.m.i6);
+ $$.v = ftov($1.f);
+ $$.ifpos = dynamic;
+ $$.type = FRI_NORMAL;
+ }
+ | hostname { yyresetdict(); }
+ maskspace { yysetdict(maskwords);
+ yyexpectaddr = 2; }
+ ipmask { memset(&($$), 0, sizeof($$));
+ ntomask($1.f, $5, $$.m.i6);
+ $$.a = $1.adr;
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ $$.type = ifpflag;
+ $$.ifpos = dynamic;
+ if (ifpflag != 0 && $$.v == 0) {
+ if (frc->fr_family == AF_INET6){
+ $$.v = 6;
+ $$.f = AF_INET6;
+ } else {
+ $$.v = 4;
+ $$.f = AF_INET;
+ }
+ }
yyresetdict();
- yyexpectaddr = 0; }
- | hostname { $$.a.in4 = $1;
- $$.m.in4_addr = 0xffffffff;
- yyexpectaddr = 0; }
- | hostname { yyresetdict();
- $$.a.in4_addr = $1.s_addr; }
- maskspace { yysetdict(maskwords); }
- ipv4mask { $$.m.in4_addr = $5.s_addr;
- $$.a.in4_addr &= $5.s_addr;
+ yyexpectaddr = 0;
+ }
+ | '(' YY_STR ')' { memset(&($$), 0, sizeof($$));
+ $$.type = FRI_DYNAMIC;
+ ifpflag = FRI_DYNAMIC;
+ $$.ifpos = addname(&fr, $2);
+ $$.lif = 0;
+ }
+ | '(' YY_STR ')' '/'
+ { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
+ maskopts
+ { memset(&($$), 0, sizeof($$));
+ $$.type = ifpflag;
+ $$.ifpos = addname(&fr, $2);
+ $$.lif = 0;
+ if (frc->fr_family == AF_UNSPEC)
+ frc->fr_family = AF_INET;
+ if (ifpflag == FRI_DYNAMIC) {
+ ntomask(frc->fr_family,
+ $6, $$.m.i6);
+ }
yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
- fill6bits(128, (u_32_t *)&$$.m);
+ yyexpectaddr = 0;
+ }
+ | '(' YY_STR ':' YY_NUMBER ')' '/'
+ { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
+ maskopts
+ { memset(&($$), 0, sizeof($$));
+ $$.type = ifpflag;
+ $$.ifpos = addname(&fr, $2);
+ $$.lif = $4;
+ if (frc->fr_family == AF_UNSPEC)
+ frc->fr_family = AF_INET;
+ if (ifpflag == FRI_DYNAMIC) {
+ ntomask(frc->fr_family,
+ $8, $$.m.i6);
+ }
yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { yyresetdict();
- bcopy(&$1, &$$.a, sizeof($$.a)); }
- maskspace { yysetdict(maskwords); }
- ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
- yyresetdict();
- yyexpectaddr = 0; }
+ yyexpectaddr = 0;
+ }
;
+
maskspace:
'/'
| IPFY_MASK
;
-ipv4mask:
- ipv4 { $$ = $1; }
- | YY_HEX { $$.s_addr = htonl($1); }
- | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
+ipmask: ipv4 { $$ = count4bits($1.s_addr); }
+ | YY_HEX { $$ = count4bits(htonl($1)); }
+ | YY_NUMBER { $$ = $1; }
+ | YY_IPV6 { $$ = count6bits($1.i6); }
+ | maskopts { $$ = $1; }
+ ;
+
+maskopts:
+ IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
ifpflag = FRI_BROADCAST;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
| IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
ifpflag = FRI_NETWORK;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
| IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
ifpflag = FRI_NETMASKED;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
| IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
ifpflag = FRI_PEERADDR;
- } else
+ } else {
YYERROR;
+ }
+ $$ = 0;
}
+ | YY_NUMBER { $$ = $1; }
;
-ipv6mask:
- YY_NUMBER { ntomask(6, $1, $$.i6); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+hostname:
+ ipv4 { memset(&($$), 0, sizeof($$));
+ $$.adr.in4 = $1;
+ if (frc->fr_family == AF_INET6)
YYERROR;
+ $$.f = AF_INET;
+ yyexpectaddr = 2;
}
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+ | YY_NUMBER { memset(&($$), 0, sizeof($$));
+ if (frc->fr_family == AF_INET6)
YYERROR;
+ $$.adr.in4_addr = $1;
+ $$.f = AF_INET;
+ yyexpectaddr = 2;
}
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+ | YY_HEX { memset(&($$), 0, sizeof($$));
+ if (frc->fr_family == AF_INET6)
YYERROR;
+ $$.adr.in4_addr = $1;
+ $$.f = AF_INET;
+ yyexpectaddr = 2;
}
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
+ | YY_STR { memset(&($$), 0, sizeof($$));
+ if (lookuphost($1, &$$.adr) == 0)
+ $$.f = AF_INET;
+ free($1);
+ yyexpectaddr = 2;
+ }
+ | YY_IPV6 { memset(&($$), 0, sizeof($$));
+ if (frc->fr_family == AF_INET)
YYERROR;
+ $$.adr = $1;
+ $$.f = AF_INET6;
+ yyexpectaddr = 2;
}
;
-hostname:
- ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = $1; }
- | YY_HEX { $$.s_addr = $1; }
- | YY_STR { $$.s_addr = lookuphost($1);
- free($1);
- }
- ;
-
addrlist:
ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
- | addrlist ',' ipaddr
- { $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
+ $$->al_family = $1.f;
+ $$->al_i6addr = $1.a;
+ $$->al_i6mask = $1.m;
+ }
+ | ipaddr ',' { yyexpectaddr = 1; } addrlist
+ { $$ = newalist($4);
+ $$->al_family = $1.f;
+ $$->al_i6addr = $1.a;
+ $$->al_i6mask = $1.m;
+ }
;
pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
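Review bot: In the `YY_STR` alternative of `hostname`, a name that lookuphost cannot resolve leaves `$$` as the zeroed struct: family AF_UNSPEC and address 0. The `hostname` alternative of `ipaddr` then copies it and, because neither the AF_INET6 nor the AF_INET branch fills the mask for AF_UNSPEC, yields address 0 with mask 0 — a match-anything address. So unless lookuphost aborts the parse on failure (its body is outside this diff), a typo in a hostname silently turns the rule into `from any`. Make the failure explicit: `if (lookuphost($1, &$$.adr) == 0) $$.f = AF_INET; else yyerror("unknown hostname");`.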
@@ -1010,46 +1206,62 @@
poollist:
ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
+ $$->al_family = $1.f;
+ $$->al_i6addr = $1.a;
+ $$->al_i6mask = $1.m;
+ }
| '!' ipaddr { $$ = newalist(NULL);
$$->al_not = 1;
- bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
- bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
+ $$->al_family = $2.f;
+ $$->al_i6addr = $2.a;
+ $$->al_i6mask = $2.m;
+ }
| poollist ',' ipaddr
{ $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
+ $$->al_family = $3.f;
+ $$->al_i6addr = $3.a;
+ $$->al_i6mask = $3.m;
+ }
| poollist ',' '!' ipaddr
{ $$ = newalist($1);
$$->al_not = 1;
- bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
- bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
+ $$->al_family = $4.f;
+ $$->al_i6addr = $4.a;
+ $$->al_i6mask = $4.m;
+ }
;
port: IPFY_PORT { yyexpectaddr = 0;
yycont = NULL;
+ if (frc->fr_proto != 0 &&
+ frc->fr_proto != IPPROTO_UDP &&
+ frc->fr_proto != IPPROTO_TCP)
+ yyerror("port use incorrect");
}
;
portc: port compare { $$ = $2;
- yysetdict(NULL); }
+ yysetdict(NULL);
+ }
| porteq { $$ = $1; }
;
porteq: port '=' { $$ = FR_EQUAL;
- yysetdict(NULL); }
+ yysetdict(NULL);
+ }
;
portr: IPFY_PORT { yyexpectaddr = 0;
yycont = NULL;
- yysetdict(NULL); }
+ yysetdict(NULL);
+ }
;
portcomp:
portc portnum { $$.pc = $1;
$$.p1 = $2;
- yyresetdict(); }
+ yyresetdict();
+ }
;
portrange:
@@ -1056,7 +1268,8 @@
portr portnum range portnum { $$.p1 = $2;
$$.pc = $3;
$$.p2 = $4;
- yyresetdict(); }
+ yyresetdict();
+ }
;
icmp: | itype icode
@@ -1070,8 +1283,30 @@
;
seticmptype:
- IPFY_ICMPTYPE { setipftype();
- yysetdict(icmptypewords); }
+ IPFY_ICMPTYPE { if (frc->fr_family == AF_UNSPEC)
+ frc->fr_family = AF_INET;
+ if (frc->fr_family == AF_INET &&
+ frc->fr_type == FR_T_IPF &&
+ frc->fr_proto != IPPROTO_ICMP) {
+ yyerror("proto not icmp");
+ }
+ if (frc->fr_family == AF_INET6 &&
+ frc->fr_type == FR_T_IPF &&
+ frc->fr_proto != IPPROTO_ICMPV6) {
+ yyerror("proto not ipv6-icmp");
+ }
+ setipftype();
+ DOALL(if (fr->fr_family == AF_INET) { \
+ fr->fr_ip.fi_v = 4; \
+ fr->fr_mip.fi_v = 0xf; \
+ }
+ if (fr->fr_family == AF_INET6) { \
+ fr->fr_ip.fi_v = 6; \
+ fr->fr_mip.fi_v = 0xf; \
+ }
+ )
+ yysetdict(NULL);
+ }
;
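Review bot: The backslash continuations inside the `DOALL(...)` invocation in `seticmptype` are inconsistent — the two closing-brace lines of the argument lack one — and none are needed: backslash-newline only matters in a macro definition, and a macro argument may span lines freely. Either drop them here and in the other DOALL/DOREM invocations this commit touches (the `IPFY_STRICT`/`IPFY_LOOSE` alternatives use the same style), or make them uniform, so a reader does not take the unbalanced ones for a bug.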
icode: | seticmpcode icmpcode
@@ -1146,9 +1381,18 @@
IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
| IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
YYERROR; \
- } else \
+ } else if (fr->fr_flags & FR_STLOOSE) {\
+ YYERROR; \
+ } else \
fr->fr_flags |= FR_STSTRICT;)
}
+ | IPFY_LOOSE { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
+ YYERROR; \
+ } else if (fr->fr_flags & FR_STSTRICT){\
+ YYERROR; \
+ } else \
+ fr->fr_flags |= FR_STLOOSE;)
+ }
| IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
YYERROR; \
} else \
@@ -1162,10 +1406,32 @@
| IPFY_AGE YY_NUMBER '/' YY_NUMBER
{ DOALL(fr->fr_age[0] = $2; \
fr->fr_age[1] = $4;) }
+ | IPFY_ICMPHEAD groupname
+ { DOALL(seticmphead(&fr, $2);)
+ free($2);
+ }
+ | IPFY_NOLOG
+ { DOALL(fr->fr_nostatelog = 1;) }
+ | IPFY_RPC
+ { DOALL(fr->fr_rpc = 1;) }
+ | IPFY_RPC IPFY_IN YY_STR
+ { DOALL(fr->fr_rpc = 1;) }
+ | IPFY_MAX_SRCS YY_NUMBER
+ { DOALL(fr->fr_srctrack.ht_max_nodes = $2;) }
+ | IPFY_MAX_PER_SRC YY_NUMBER
+ { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
+ fr->fr_srctrack.ht_netmask = \
+ fr->fr_family == AF_INET ? 32: 128;)
+ }
+ | IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER
+ { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
+ fr->fr_srctrack.ht_netmask = $4;)
+ }
;
portnum:
- servicename { if (getport(frc, $1, &($$)) == -1)
+ servicename { if (getport(frc, $1,
+ &($$), NULL) == -1)
yyerror("service unknown");
$$ = ntohs($$);
free($1);
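Review bot: The `IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER` alternative stores `$4` into ht_netmask unchecked, while the single-argument form derives the mask from the family (`32` or `128`), so a prefix length longer than the family allows is accepted here. Bound it inside the DOALL before the assignment: `if ($4 > (fr->fr_family == AF_INET ? 32 : 128)) YYERROR;`. The single-argument form also yields 128 when fr_family is still AF_UNSPEC at this point, which is fine only if the family is settled before the rule is sent — not visible in the hunk. The `keep` nonterminal this belongs to starts before the hunk.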
@@ -1188,14 +1454,14 @@
| notwith opttype { DOALL(fr->fr_mflx |= $2;) }
| ipopt ipopts { yyresetdict(); }
| notwith ipopt ipopts { yyresetdict(); }
- | startv6hdrs ipv6hdrs { yyresetdict(); }
+ | startv6hdr ipv6hdrs { yyresetdict(); }
;
ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
;
-startv6hdrs:
- IPF6_V6HDRS { if (use_inet6 == 0)
+startv6hdr:
+ IPFY_V6HDR { if (frc->fr_family != AF_INET6)
yyerror("only available with IPv6");
yysetdict(ipv6optwords);
}
@@ -1222,9 +1488,18 @@
| IPFY_BROADCAST { $$ = FI_BROADCAST; }
| IPFY_STATE { $$ = FI_STATE; }
| IPFY_OOW { $$ = FI_OOW; }
+ | IPFY_AH { $$ = FI_AH; }
+ | IPFY_V6HDRS { $$ = FI_V6EXTHDR; }
;
ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
+ if (fr->fr_family == AF_UNSPEC) {
+ fr->fr_family = AF_INET;
+ fr->fr_ip.fi_v = 4;
+ fr->fr_mip.fi_v = 0xf;
+ } else if (fr->fr_family != AF_INET) {
+ YYERROR;
+ }
if (!nowith)
fr->fr_ip.fi_optmsk |= $1;)
}
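Review bot: The AF_UNSPEC-to-AF_INET promotion block added to the `ipopts` action is repeated verbatim in the `setsecclass secname` action in the -1329/+1594 hunk, and the same three assignments (`fr_family`, `fr_ip.fi_v`, `fr_mip.fi_v`) recur in other actions of this grammar. A small helper or macro that performs the promotion and raises YYERROR for any other family would keep the sites from drifting apart. It would also be the natural place for a comment stating that IPv4 options and security classes are only valid on IPv4 rules, which the inline code does not say.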
@@ -1264,22 +1539,11 @@
;
icmptype:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
- | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
- | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
- | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
- | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
- | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
- | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
- | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
- | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
- | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
- | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
- | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
- | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
- | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
- | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
+ YY_NUMBER { $$ = $1; }
+ | YY_STR { $$ = geticmptype(frc->fr_family, $1);
+ if ($$ == -1)
+ yyerror("unrecognised icmp type");
+ }
;
icmpcode:
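Review bot: The new `YY_STR` alternative of `icmptype` never frees `$1`, whereas the `servicename` alternative of `portnum` above calls `free($1)` once the string has been looked up. If the lexer hands back a heap copy for YY_STR, every symbolic icmp-type name leaks. Suggested action: `{ $$ = geticmptype(frc->fr_family, $1); free($1); if ($$ == -1) yyerror("unrecognised icmp type"); }`.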
@@ -1314,7 +1578,8 @@
| IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
| IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
| IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
- | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
+ | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
+ | IPFY_IPOPT_CIPSO doi { $$ = getoptbyvalue(IPOPT_CIPSO); }
| IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
| IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
| IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
@@ -1329,6 +1594,13 @@
| IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
| setsecclass secname
{ DOALL(fr->fr_mip.fi_secmsk |= $2;
+ if (fr->fr_family == AF_UNSPEC) {
+ fr->fr_family = AF_INET;
+ fr->fr_ip.fi_v = 4;
+ fr->fr_mip.fi_v = 0xf;
+ } else if (fr->fr_family != AF_INET) {
+ YYERROR;
+ }
if (!nowith)
fr->fr_ip.fi_secmsk |= $2;)
$$ = 0;
@@ -1337,9 +1609,17 @@
;
setsecclass:
- IPFY_SECCLASS { yysetdict(ipv4secwords); }
+ IPFY_SECCLASS { yysetdict(ipv4secwords); }
;
+doi: IPFY_DOI YY_NUMBER { DOALL(fr->fr_doimask = 0xffffffff; \
+ if (!nowith) \
+ fr->fr_doi = $2;) }
+ | IPFY_DOI YY_HEX { DOALL(fr->fr_doimask = 0xffffffff; \
+ if (!nowith) \
+ fr->fr_doi = $2;) }
+ ;
+
ipv6hdr:
IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
| IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
@@ -1463,7 +1743,7 @@
%%
-static struct wordtab ipfwords[95] = {
+static struct wordtab ipfwords[] = {
{ "age", IPFY_AGE },
{ "ah", IPFY_AH },
{ "all", IPFY_ALL },
@@ -1481,10 +1761,16 @@
#endif
{ "call", IPFY_CALL },
{ "code", IPFY_ICMPCODE },
+ { "comment", IPFY_COMMENT },
{ "count", IPFY_COUNT },
+ { "decapsulate", IPFY_DECAPS },
+ { "dstlist", IPFY_DSTLIST },
+ { "doi", IPFY_DOI },
{ "dup-to", IPFY_DUPTO },
{ "eq", YY_CMP_EQ },
{ "esp", IPFY_ESP },
+ { "exp", IPFY_IPFEXPR },
+ { "family", IPFY_FAMILY },
{ "fastroute", IPFY_FROUTE },
{ "first", IPFY_FIRST },
{ "flags", IPFY_FLAGS },
@@ -1497,20 +1783,27 @@
{ "gt", YY_CMP_GT },
{ "head", IPFY_HEAD },
{ "icmp", IPFY_ICMP },
+ { "icmp-head", IPFY_ICMPHEAD },
{ "icmp-type", IPFY_ICMPTYPE },
{ "in", IPFY_IN },
{ "in-via", IPFY_INVIA },
+ { "inet", IPFY_INET },
+ { "inet6", IPFY_INET6 },
{ "ipopt", IPFY_IPOPTS },
{ "ipopts", IPFY_IPOPTS },
{ "keep", IPFY_KEEP },
+ { "l5-as", IPFY_L5AS },
{ "le", YY_CMP_LE },
{ "level", IPFY_LEVEL },
{ "limit", IPFY_LIMIT },
{ "log", IPFY_LOG },
+ { "loose", IPFY_LOOSE },
{ "lowttl", IPFY_LOWTTL },
{ "lt", YY_CMP_LT },
{ "mask", IPFY_MASK },
{ "match-tag", IPFY_MATCHTAG },
+ { "max-per-src", IPFY_MAX_PER_SRC },
+ { "max-srcs", IPFY_MAX_SRCS },
{ "mbcast", IPFY_MBCAST },
{ "mcast", IPFY_MULTICAST },
{ "multicast", IPFY_MULTICAST },
@@ -1520,6 +1813,7 @@
{ "newisn", IPFY_NEWISN },
{ "no", IPFY_NO },
{ "no-icmp-err", IPFY_NOICMPERR },
+ { "nolog", IPFY_NOLOG },
{ "nomatch", IPFY_NOMATCH },
{ "now", IPFY_NOW },
{ "not", IPFY_NOT },
@@ -1540,7 +1834,10 @@
{ "return-icmp-as-dest", IPFY_RETICMPASDST },
{ "return-rst", IPFY_RETRST },
{ "route-to", IPFY_ROUTETO },
+ { "rule-ttl", IPFY_RULETTL },
+ { "rpc", IPFY_RPC },
{ "sec-class", IPFY_SECCLASS },
+ { "set", IPFY_SET },
{ "set-tag", IPFY_SETTAG },
{ "skip", IPFY_SKIP },
{ "short", IPFY_SHORT },
@@ -1554,12 +1851,13 @@
{ "to", IPFY_TO },
{ "ttl", IPFY_TTL },
{ "udp", IPFY_UDP },
- { "v6hdrs", IPF6_V6HDRS },
+ { "v6hdr", IPFY_V6HDR },
+ { "v6hdrs", IPFY_V6HDRS },
{ "with", IPFY_WITH },
{ NULL, 0 }
};
-static struct wordtab addrwords[4] = {
+static struct wordtab addrwords[] = {
{ "any", IPFY_ANY },
{ "hash", IPFY_HASH },
{ "pool", IPFY_POOL },
@@ -1566,7 +1864,7 @@
{ NULL, 0 }
};
-static struct wordtab maskwords[5] = {
+static struct wordtab maskwords[] = {
{ "broadcast", IPFY_BROADCAST },
{ "netmasked", IPFY_NETMASKED },
{ "network", IPFY_NETWORK },
@@ -1574,26 +1872,7 @@
{ NULL, 0 }
};
-static struct wordtab icmptypewords[16] = {
- { "echo", IPFY_ICMPT_ECHO },
- { "echorep", IPFY_ICMPT_ECHOR },
- { "inforeq", IPFY_ICMPT_INFOREQ },
- { "inforep", IPFY_ICMPT_INFOREP },
- { "maskrep", IPFY_ICMPT_MASKREP },
- { "maskreq", IPFY_ICMPT_MASKREQ },
- { "paramprob", IPFY_ICMPT_PARAMP },
- { "redir", IPFY_ICMPT_REDIR },
- { "unreach", IPFY_ICMPT_UNR },
- { "routerad", IPFY_ICMPT_ROUTERAD },
- { "routersol", IPFY_ICMPT_ROUTERSOL },
- { "squench", IPFY_ICMPT_SQUENCH },
- { "timest", IPFY_ICMPT_TIMEST },
- { "timestrep", IPFY_ICMPT_TIMESTREP },
- { "timex", IPFY_ICMPT_TIMEX },
- { NULL, 0 },
-};
-
-static struct wordtab icmpcodewords[17] = {
+static struct wordtab icmpcodewords[] = {
{ "cutoff-preced", IPFY_ICMPC_CUTPRE },
{ "filter-prohib", IPFY_ICMPC_FLTPRO },
{ "isolate", IPFY_ICMPC_ISOLATE },
@@ -1613,7 +1892,7 @@
{ NULL, 0 },
};
-static struct wordtab ipv4optwords[25] = {
+static struct wordtab ipv4optwords[] = {
{ "addext", IPFY_IPOPT_ADDEXT },
{ "cipso", IPFY_IPOPT_CIPSO },
{ "dps", IPFY_IPOPT_DPS },
@@ -1641,7 +1920,7 @@
{ NULL, 0 },
};
-static struct wordtab ipv4secwords[9] = {
+static struct wordtab ipv4secwords[] = {
{ "confid", IPFY_SEC_CONF },
{ "reserv-1", IPFY_SEC_RSV1 },
{ "reserv-2", IPFY_SEC_RSV2 },
@@ -1653,7 +1932,7 @@
{ NULL, 0 },
};
-static struct wordtab ipv6optwords[9] = {
+static struct wordtab ipv6optwords[] = {
{ "dstopts", IPFY_IPV6OPT_DSTOPTS },
{ "esp", IPFY_IPV6OPT_ESP },
{ "frag", IPFY_IPV6OPT_FRAG },
@@ -1665,7 +1944,7 @@
{ NULL, 0 },
};
-static struct wordtab logwords[33] = {
+static struct wordtab logwords[] = {
{ "kern", IPFY_FAC_KERN },
{ "user", IPFY_FAC_USER },
{ "mail", IPFY_FAC_MAIL },
@@ -1751,7 +2030,7 @@
ipffd = fd;
for (i = 0; i <= IPL_LOGMAX; i++)
- ipfioctl[i] = iocfuncs[i];
+ ipfioctls[i] = iocfuncs[i];
ipfaddfunc = addfunc;
if (feof(fp))
@@ -1779,13 +2058,17 @@
{
frentry_t *frn;
- frn = (frentry_t *)calloc(1, sizeof(frentry_t));
+ frn = allocfr();
for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
;
- if (fr != NULL)
+ if (fr != NULL) {
fr->fr_next = frn;
- if (frtop == NULL)
+ frn->fr_pnext = &fr->fr_next;
+ }
+ if (frtop == NULL) {
frtop = frn;
+ frn->fr_pnext = &frtop;
+ }
fr = frn;
frc = frn;
fr->fr_loglevel = 0xffff;
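Review bot: `frn = allocfr();` is not checked for NULL before `frn->fr_pnext = &fr->fr_next;` and the field assignments that follow, so an allocation failure dereferences NULL here. The copy loop in the -1831/+2122 hunk does test `allocfr()` for NULL, so this site should do the same and take whatever failure path the enclosing rule-start function uses, e.g. `if (frn == NULL) { yyerror("out of memory"); return; }` if a plain return is acceptable there. The enclosing function begins before this hunk.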
@@ -1792,11 +2075,13 @@
fr->fr_isc = (void *)-1;
fr->fr_logtag = FR_NOLOGTAG;
fr->fr_type = FR_T_NONE;
- if (use_inet6 != 0)
- fr->fr_v = 6;
- else
- fr->fr_v = 4;
+ fr->fr_flineno = yylineNum;
+ if (use_inet6 == 1)
+ fr->fr_family = AF_INET6;
+ else if (use_inet6 == -1)
+ fr->fr_family = AF_INET;
+
nrules = 1;
}
@@ -1808,7 +2093,13 @@
fr->fr_type = FR_T_IPF;
fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
fr->fr_dsize = sizeof(fripf_t);
- fr->fr_ip.fi_v = frc->fr_v;
+ fr->fr_family = frc->fr_family;
+ if (fr->fr_family == AF_INET) {
+ fr->fr_ip.fi_v = 4;
+ }
+ else if (fr->fr_family == AF_INET6) {
+ fr->fr_ip.fi_v = 6;
+ }
fr->fr_mip.fi_v = 0xf;
fr->fr_ipf->fri_sifpidx = -1;
fr->fr_ipf->fri_difpidx = -1;
@@ -1831,10 +2122,13 @@
count = nrules;
f = f2;
for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
- f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
+ f->fr_next = allocfr();
+ if (f->fr_next == NULL)
+ return NULL;
+ f->fr_next->fr_pnext = &f->fr_next;
added++;
f = f->fr_next;
- bcopy(f1, f, sizeof(*f));
+ *f = *f1;
f->fr_next = NULL;
if (f->fr_caddr != NULL) {
f->fr_caddr = malloc(f->fr_dsize);
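Review bot: `*f = *f1;` copies only `sizeof(*f)` bytes into the fresh `allocfr()` block, but `f1` may have been grown by `addname()`, which reallocs the rule to `fr_size + nlen` and appends interface, group and comment names after the fixed part. The struct copy carries over `fr_size` and `fr_namelen` while leaving the appended names behind, so the later `obj.ipfo_size = fr->fr_size` in ipf_addrule would describe more bytes than `f` owns, assuming `fr_names` is trailing storage as addname's realloc implies. The copy should allocate `f1->fr_size` bytes and `memcpy` that many, and the early `return NULL` on allocation failure should also release the partially built chain if the caller does not. The enclosing function starts and ends outside this hunk.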
@@ -1846,10 +2140,11 @@
}
-static u_32_t lookuphost(name)
-char *name;
+static int
+lookuphost(name, addrp)
+ char *name;
+ i6addr_t *addrp;
{
- u_32_t addr;
int i;
hashed = 0;
@@ -1857,19 +2152,20 @@
dynamic = -1;
for (i = 0; i < 4; i++) {
- if (strncmp(name, frc->fr_ifnames[i],
- sizeof(frc->fr_ifnames[i])) == 0) {
+ if (fr->fr_ifnames[i] == -1)
+ continue;
+ if (strcmp(name, fr->fr_names + fr->fr_ifnames[i]) == 0) {
ifpflag = FRI_DYNAMIC;
- dynamic = i;
- return 0;
+ dynamic = addname(&fr, name);
+ return 1;
}
}
- if (gethost(name, &addr) == -1) {
+ if (gethost(AF_INET, name, addrp) == -1) {
fprintf(stderr, "unknown name \"%s\"\n", name);
- return 0;
+ return -1;
}
- return addr;
+ return 0;
}
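Review bot: `dynamic = addname(&fr, name);` on the interface-name match path ignores addname's -1 failure return, and since -1 is also the "no dynamic interface" sentinel set at the top of the function, a failed realloc is reported as success (`return 1`) with `ifpflag` already set to FRI_DYNAMIC. Suggested: `if ((dynamic = addname(&fr, name)) == -1) return -1;`. The loop also switched from comparing against `frc->fr_ifnames` to `fr->fr_ifnames`; if the two can differ during rule expansion that deserves a comment. `gethost()` is still called with AF_INET even though `addrp` is now an `i6addr_t`, so IPv6 hostnames cannot resolve through this path.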
@@ -1891,7 +2187,7 @@
fprintf(stderr, "cannot mix IPF and BPF matching\n");
return;
}
- fr->fr_v = v;
+ fr->fr_family = vtof(v);
fr->fr_type = FR_T_BPFOPC;
if (!strncmp(phrase, "0x", 2)) {
@@ -1900,6 +2196,10 @@
for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
s = strtok(NULL, " \r\n\t"), i++) {
fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
+ if (fb == NULL) {
+ warnx("memory allocation error at %d in %s in %s", __LINE__, __FUNCTION__, __FILE__);
+ abort();
+ }
l = (u_32_t)strtol(s, NULL, 0);
switch (i & 3)
{
@@ -1986,8 +2286,9 @@
}
-static int makepool(list)
-alist_t *list;
+static int
+makepool(list)
+ alist_t *list;
{
ip_pool_node_t *n, *top;
ip_pool_t pool;
@@ -1999,10 +2300,30 @@
top = calloc(1, sizeof(*top));
if (top == NULL)
return 0;
-
+
for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
- n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
+ if (use_inet6 == 1) {
+#ifdef AF_INET6
+ n->ipn_addr.adf_family = AF_INET6;
+ n->ipn_addr.adf_addr = a->al_i6addr;
+ n->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 16;
+ n->ipn_mask.adf_family = AF_INET6;
+ n->ipn_mask.adf_addr = a->al_i6mask;
+ n->ipn_mask.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 16;
+
+#endif
+ } else {
+ n->ipn_addr.adf_family = AF_INET;
+ n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
+ n->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 4;
+ n->ipn_mask.adf_family = AF_INET;
+ n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
+ n->ipn_mask.adf_len = offsetof(addrfamily_t,
+ adf_addr) + 4;
+ }
n->ipn_info = a->al_not;
if (a->al_next != NULL) {
n->ipn_next = calloc(1, sizeof(*n));
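Review bot: `makepool()` chooses the node family from the global `use_inet6` while the parallel hash-building loop in the -2036/+2357 hunk uses the per-entry `a->al_family`, so a pool built from an address list carrying IPv6 entries under `use_inet6 != 1` is filled as IPv4 from `al_1`/`al_2`. Using `if (a->al_family == AF_INET6)` here as well would keep the two loaders consistent. When `AF_INET6` is not defined, the `use_inet6 == 1` branch is empty and the node is left zeroed, which should at least be rejected rather than loaded as an all-zero entry.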
@@ -2013,7 +2334,7 @@
bzero((char *)&pool, sizeof(pool));
pool.ipo_unit = IPL_LOGIPF;
pool.ipo_list = top;
- num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
+ num = load_pool(&pool, ipfioctls[IPL_LOGLOOKUP]);
while ((n = top) != NULL) {
top = n->ipn_next;
@@ -2036,10 +2357,17 @@
top = calloc(1, sizeof(*top));
if (top == NULL)
return 0;
-
+
for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipe_addr.in4_addr = a->al_1;
- n->ipe_mask.in4_addr = a->al_2;
+ if (a->al_family == AF_INET6) {
+ n->ipe_family = AF_INET6;
+ n->ipe_addr = a->al_i6addr;
+ n->ipe_mask = a->al_i6mask;
+ } else {
+ n->ipe_family = AF_INET;
+ n->ipe_addr.in4_addr = a->al_1;
+ n->ipe_mask.in4_addr = a->al_2;
+ }
n->ipe_value = 0;
if (a->al_next != NULL) {
n->ipe_next = calloc(1, sizeof(*n));
@@ -2052,7 +2380,7 @@
iph.iph_type = IPHASH_LOOKUP;
*iph.iph_name = '\0';
- if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
+ if (load_hash(&iph, top, ipfioctls[IPL_LOGLOOKUP]) == 0)
sscanf(iph.iph_name, "%u", &num);
else
num = 0;
@@ -2065,7 +2393,7 @@
}
-void ipf_addrule(fd, ioctlfunc, ptr)
+int ipf_addrule(fd, ioctlfunc, ptr)
int fd;
ioctlfunc_t ioctlfunc;
void *ptr;
@@ -2075,7 +2403,7 @@
ipfobj_t obj;
if (ptr == NULL)
- return;
+ return 0;
fr = ptr;
add = 0;
@@ -2083,7 +2411,7 @@
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*fr);
+ obj.ipfo_size = fr->fr_size;
obj.ipfo_type = IPFOBJ_FRENTRY;
obj.ipfo_ptr = ptr;
@@ -2118,8 +2446,11 @@
if ((opts & OPT_ZERORULEST) != 0) {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(zero rule)",
+ fr->fr_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
} else {
#ifdef USE_QUAD_T
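Review bot: `sprintf(msg, ...)` into the fixed `char msg[80]` is bounded only by the reader's knowledge that an int plus a short literal fits; `snprintf(msg, sizeof msg, "%d:ioctl(zero rule)", fr->fr_flineno);` makes the bound explicit and survives future edits to the text. The same pattern appears twice more in the -2134/+2465 hunk (delete rule and add/insert rule). Returning `ipf_perror_fd()`'s value mid-function also changes the previous fall-through behaviour, so a one-line comment on the function stating that a non-zero return means the rule was not installed would help callers written against the old `void` signature.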
@@ -2134,19 +2465,26 @@
}
} else if ((opts & OPT_REMOVE) != 0) {
if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) != 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete rule)");
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(delete rule)",
+ fr->fr_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
} else {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if (!(opts & OPT_DONOTHING)) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert rule)");
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(add/insert rule)",
+ fr->fr_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
}
+ return 0;
}
static void setsyslog()
@@ -2168,9 +2506,16 @@
{
frentry_t *f;
- for (f = frold; f != NULL; f = f->fr_next)
- if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
+ for (f = frold; f != NULL; f = f->fr_next) {
+ if (f->fr_grhead == -1 && fr->fr_group == -1)
break;
+ if (f->fr_grhead == -1 || fr->fr_group == -1)
+ continue;
+ if (strcmp(f->fr_names + f->fr_grhead,
+ fr->fr_names + fr->fr_group) == 0)
+ break;
+ }
+
if (f == NULL)
return;
@@ -2183,8 +2528,8 @@
if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
return;
- if (fr->fr_v == 0 && f->fr_v != 0)
- fr->fr_v = f->fr_v;
+ if (fr->fr_family == 0 && f->fr_family != 0)
+ fr->fr_family = f->fr_family;
if (fr->fr_mproto == 0 && f->fr_mproto != 0)
fr->fr_mproto = f->fr_mproto;
@@ -2192,6 +2537,218 @@
fr->fr_proto = f->fr_proto;
if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
- ((f->fr_flx & FI_TCPUDP) != 0))
+ ((f->fr_flx & FI_TCPUDP) != 0)) {
fr->fr_flx |= FI_TCPUDP;
+ fr->fr_mflx |= FI_TCPUDP;
+ }
}
+
+
+static void doipfexpr(line)
+char *line;
+{
+ int *array;
+ char *error;
+
+ array = parseipfexpr(line, &error);
+ if (array == NULL) {
+ fprintf(stderr, "%s:", error);
+ yyerror("error parsing ipf matching expression");
+ return;
+ }
+
+ fr->fr_type = FR_T_IPFEXPR;
+ fr->fr_data = array;
+ fr->fr_dsize = array[0] * sizeof(*array);
+}
+
+
+static void do_tuneint(varname, value)
+char *varname;
+int value;
+{
+ char buffer[80];
+
+ strncpy(buffer, varname, 60);
+ buffer[59] = '\0';
+ strcat(buffer, "=");
+ sprintf(buffer, "%u", value);
+ ipf_dotuning(ipffd, buffer, ioctl);
+}
+
+
+static void do_tunestr(varname, value)
+char *varname, *value;
+{
+
+ if (!strcasecmp(value, "true")) {
+ do_tuneint(varname, 1);
+ } else if (!strcasecmp(value, "false")) {
+ do_tuneint(varname, 0);
+ } else {
+ yyerror("did not find true/false where expected");
+ }
+}
+
+
+static void setifname(frp, idx, name)
+frentry_t **frp;
+int idx;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_ifnames[idx] = pos;
+}
+
+
+static int addname(frp, name)
+frentry_t **frp;
+char *name;
+{
+ frentry_t *f;
+ int nlen;
+ int pos;
+
+ nlen = strlen(name) + 1;
+ f = realloc(*frp, (*frp)->fr_size + nlen);
+ if (*frp == frc)
+ frc = f;
+ *frp = f;
+ if (f == NULL)
+ return -1;
+ if (f->fr_pnext != NULL)
+ *f->fr_pnext = f;
+ f->fr_size += nlen;
+ pos = f->fr_namelen;
+ f->fr_namelen += nlen;
+ strcpy(f->fr_names + pos, name);
+ f->fr_names[f->fr_namelen] = '\0';
+ return pos;
+}
+
+
+static frentry_t *allocfr()
+{
+ frentry_t *fr;
+
+ fr = calloc(1, sizeof(*fr));
+ if (fr != NULL) {
+ fr->fr_size = sizeof(*fr);
+ fr->fr_comment = -1;
+ fr->fr_group = -1;
+ fr->fr_grhead = -1;
+ fr->fr_icmphead = -1;
+ fr->fr_ifnames[0] = -1;
+ fr->fr_ifnames[1] = -1;
+ fr->fr_ifnames[2] = -1;
+ fr->fr_ifnames[3] = -1;
+ fr->fr_tif.fd_name = -1;
+ fr->fr_rif.fd_name = -1;
+ fr->fr_dif.fd_name = -1;
+ }
+ return fr;
+}
+
+
+static void setgroup(frp, name)
+frentry_t **frp;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_group = pos;
+}
+
+
+static void setgrhead(frp, name)
+frentry_t **frp;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_grhead = pos;
+}
+
+
+static void seticmphead(frp, name)
+frentry_t **frp;
+char *name;
+{
+ int pos;
+
+ pos = addname(frp, name);
+ if (pos == -1)
+ return;
+ (*frp)->fr_icmphead = pos;
+}
+
+
+static void
+build_dstaddr_af(fp, ptr)
+ frentry_t *fp;
+ void *ptr;
+{
+ struct ipp_s *ipp = ptr;
+ frentry_t *f = fp;
+
+ if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
+ ipp->f = f->fr_family;
+ ipp->v = f->fr_ip.fi_v;
+ }
+ if (ipp->f == AF_INET)
+ ipp->v = 4;
+ else if (ipp->f == AF_INET6)
+ ipp->v = 6;
+
+ for (; f != NULL; f = f->fr_next) {
+ f->fr_ip.fi_dst = ipp->a;
+ f->fr_mip.fi_dst = ipp->m;
+ f->fr_family = ipp->f;
+ f->fr_ip.fi_v = ipp->v;
+ f->fr_mip.fi_v = 0xf;
+ f->fr_datype = ipp->type;
+ if (ipp->ifpos != -1)
+ f->fr_ipf->fri_difpidx = ipp->ifpos;
+ }
+ fr = NULL;
+}
+
+
+static void
+build_srcaddr_af(fp, ptr)
+ frentry_t *fp;
+ void *ptr;
+{
+ struct ipp_s *ipp = ptr;
+ frentry_t *f = fp;
+
+ if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
+ ipp->f = f->fr_family;
+ ipp->v = f->fr_ip.fi_v;
+ }
+ if (ipp->f == AF_INET)
+ ipp->v = 4;
+ else if (ipp->f == AF_INET6)
+ ipp->v = 6;
+
+ for (; f != NULL; f = f->fr_next) {
+ f->fr_ip.fi_src = ipp->a;
+ f->fr_mip.fi_src = ipp->m;
+ f->fr_family = ipp->f;
+ f->fr_ip.fi_v = ipp->v;
+ f->fr_mip.fi_v = 0xf;
+ f->fr_satype = ipp->type;
+ f->fr_ipf->fri_sifpidx = ipp->ifpos;
+ }
+ fr = NULL;
+}
Modified: trunk/contrib/ipfilter/tools/ipfcomp.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipfcomp.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipfcomp.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,13 +1,13 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipfcomp.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2005 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.4 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include "ipf.h"
@@ -63,7 +63,7 @@
* required.
*/
void printc(fr)
-frentry_t *fr;
+ frentry_t *fr;
{
fripf_t *ipf;
u_long *ulp;
@@ -71,7 +71,7 @@
FILE *fp;
int i;
- if (fr->fr_v != 4)
+ if (fr->fr_family == 6)
return;
if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
return;
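Review bot: `if (fr->fr_family == 6)` compares an address family against an IP version number; `fr_family` is assigned `AF_INET`/`AF_INET6` elsewhere in this commit (e.g. `fp->fr_family = AF_INET;` in the generated hooks), and `AF_INET6` is not 6 on the BSDs, so this test never fires and IPv6 rules are no longer skipped. The old test was `fr_v != 4`, so the faithful replacement is `if (fr->fr_family != AF_INET) return;`.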
@@ -87,7 +87,7 @@
fp = cfile;
if (count == 0) {
fprintf(fp, "/*\n");
- fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
+ fprintf(fp, "* Copyright (C) 2012 by Darren Reed.\n");
fprintf(fp, "*\n");
fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
@@ -98,7 +98,7 @@
fprintf(fp, "#include <sys/types.h>\n");
fprintf(fp, "#include <sys/time.h>\n");
fprintf(fp, "#include <sys/socket.h>\n");
- fprintf(fp, "#if (__FreeBSD_version >= 40000) || defined(__MidnightBSD__)\n");
+ fprintf(fp, "#if (__FreeBSD_version >= 40000)\n");
fprintf(fp, "# if defined(_KERNEL)\n");
fprintf(fp, "# include <sys/libkern.h>\n");
fprintf(fp, "# else\n");
@@ -107,7 +107,7 @@
fprintf(fp, "#endif\n");
fprintf(fp, "#if (__NetBSD_Version__ >= 399000000)\n");
fprintf(fp, "#else\n");
- fprintf(fp, "# if !defined(__MidnightBSD__) && !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
+ fprintf(fp, "# if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
fprintf(fp, "# include <sys/systm.h>\n");
fprintf(fp, "# endif\n");
fprintf(fp, "#endif\n");
@@ -118,7 +118,7 @@
fprintf(fp, "# include <sys/mbuf.h>\n");
fprintf(fp, "#endif\n");
fprintf(fp,
-"#if defined(__MidnightBSD__) || defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
+"#if defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
fprintf(fp, "# include <sys/sockio.h>\n");
fprintf(fp, "#else\n");
fprintf(fp, "# include <sys/ioctl.h>\n");
@@ -136,6 +136,9 @@
fprintf(fp, "#endif /* _KERNEL */\n");
fprintf(fp, "\n");
fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
+ fprintf(fp, "\n");
+ fprintf(fp, "extern ipf_main_softc_t ipfmain;\n");
+ fprintf(fp, "\n");
}
addrule(fp, fr);
@@ -162,12 +165,14 @@
static void addrule(fp, fr)
-FILE *fp;
-frentry_t *fr;
+ FILE *fp;
+ frentry_t *fr;
{
frentry_t *f, **fpp;
frgroup_t *g;
u_long *ulp;
+ char *ghead;
+ char *gname;
char *and;
int i;
@@ -180,8 +185,10 @@
}
f->fr_next = NULL;
+ gname = FR_NAME(fr, fr_group);
+
for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
+ if ((strncmp(g->fg_name, gname, FR_GROUPLEN) == 0) &&
(g->fg_flags == (f->fr_flags & FR_INOUT)))
break;
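Review bot: `gname = FR_NAME(fr, fr_group);` is evaluated without checking `fr->fr_group != -1`, whereas the `fr_grhead` case later in this file (hunk -219/+226) guards with `if (f->fr_grhead != -1)` before calling `FR_NAME`. `allocfr()` initialises `fr_group` to -1, so for an ungrouped rule `gname` points one byte before `fr_names` unless the macro handles -1 itself. Suggested: `gname = (fr->fr_group != -1) ? FR_NAME(fr, fr_group) : "";` so the following `strncmp`/`strncpy` see an empty name as before.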
@@ -190,7 +197,7 @@
g->fg_next = groups;
groups = g;
g->fg_head = f;
- bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
+ strncpy(g->fg_name, gname, FR_GROUPLEN);
g->fg_ref = 0;
g->fg_flags = f->fr_flags & FR_INOUT;
}
@@ -219,10 +226,10 @@
g->fg_ref++;
- if (f->fr_grhead != 0) {
+ if (f->fr_grhead != -1) {
+ ghead = FR_NAME(f, fr_grhead);
for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_grhead,
- FR_GROUPLEN) == 0) &&
+ if ((strncmp(g->fg_name, ghead, FR_GROUPLEN) == 0) &&
g->fg_flags == (f->fr_flags & FR_INOUT))
break;
if (g == NULL) {
@@ -230,7 +237,7 @@
g->fg_next = groups;
groups = g;
g->fg_head = f;
- bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
+ strncpy(g->fg_name, ghead, FR_GROUPLEN);
g->fg_ref = 0;
g->fg_flags = f->fr_flags & FR_INOUT;
}
@@ -239,7 +246,7 @@
int intcmp(c1, c2)
-const void *c1, *c2;
+ const void *c1, *c2;
{
const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;
@@ -251,8 +258,8 @@
static void indent(fp, in)
-FILE *fp;
-int in;
+ FILE *fp;
+ int in;
{
for (; in; in--)
fputc('\t', fp);
@@ -259,9 +266,9 @@
}
static void printeq(fp, var, m, max, v)
-FILE *fp;
-char *var;
-int m, max, v;
+ FILE *fp;
+ char *var;
+ int m, max, v;
{
if (m == max)
fprintf(fp, "%s == %#x) {\n", var, v);
@@ -276,9 +283,9 @@
* v - required address
*/
static void printipeq(fp, var, fl, m, v)
-FILE *fp;
-char *var;
-int fl, m, v;
+ FILE *fp;
+ char *var;
+ int fl, m, v;
{
if (m == 0xffffffff)
fprintf(fp, "%s ", var);
@@ -290,9 +297,9 @@
void emit(num, dir, v, fr)
-int num, dir;
-void *v;
-frentry_t *fr;
+ int num, dir;
+ void *v;
+ frentry_t *fr;
{
u_int incnt, outcnt;
frgroup_t *g;
@@ -342,8 +349,8 @@
static void emitheader(grp, incount, outcount)
-frgroup_t *grp;
-u_int incount, outcount;
+ frgroup_t *grp;
+ u_int incount, outcount;
{
static FILE *fph = NULL;
frgroup_t *g;
@@ -434,11 +441,11 @@
static void emitGroup(num, dir, v, fr, group, incount, outcount)
-int num, dir;
-void *v;
-frentry_t *fr;
-char *group;
-u_int incount, outcount;
+ int num, dir;
+ void *v;
+ frentry_t *fr;
+ char *group;
+ u_int incount, outcount;
{
static FILE *fp = NULL;
static int header[2] = { 0, 0 };
@@ -514,9 +521,8 @@
if ((i & 1) == 0) {
fprintf(fp, "\n\t");
}
- fprintf(fp,
- "(frentry_t *)&in_rule_%s_%d",
- f->fr_group, i);
+ fprintf(fp, "(frentry_t *)&in_rule_%s_%d",
+ FR_NAME(f, fr_group), i);
if (i + 1 < incount)
fprintf(fp, ", ");
i++;
@@ -534,9 +540,8 @@
if ((i & 1) == 0) {
fprintf(fp, "\n\t");
}
- fprintf(fp,
- "(frentry_t *)&out_rule_%s_%d",
- f->fr_group, i);
+ fprintf(fp, "(frentry_t *)&out_rule_%s_%d",
+ FR_NAME(f, fr_group), i);
if (i + 1 < outcount)
fprintf(fp, ", ");
i++;
@@ -586,7 +591,7 @@
switch(m[i].c)
{
case FRC_IFN :
- if (*fr->fr_ifname)
+ if (fr->fr_ifnames[0] != -1)
m[i].s = 1;
break;
case FRC_V :
@@ -940,11 +945,11 @@
if (fr->fr_flags & FR_QUICK) {
fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n",
fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
+ FR_NAME(fr, fr_group), num);
} else {
fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n",
fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
+ FR_NAME(fr, fr_group), num);
}
if (n == NULL)
n = (mc_t *)malloc(sizeof(*n) * FRC_MAX);
@@ -954,7 +959,7 @@
void printC(dir)
-int dir;
+ int dir;
{
static mc_t *m = NULL;
frgroup_t *g;
@@ -977,10 +982,10 @@
* Now print out code to implement all of the rules.
*/
static void printCgroup(dir, top, m, group)
-int dir;
-frentry_t *top;
-mc_t *m;
-char *group;
+ int dir;
+ frentry_t *top;
+ mc_t *m;
+ char *group;
{
frentry_t *fr, *fr1;
int i, n, rn;
@@ -1027,13 +1032,14 @@
continue;
if ((n & 0x0001) &&
- !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
+ !strcmp(fr1->fr_names + fr1->fr_ifnames[0],
+ fr->fr_names + fr->fr_ifnames[0])) {
m[FRC_IFN].e++;
m[FRC_IFN].n++;
} else
n &= ~0x0001;
- if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
+ if ((n & 0x0002) && (fr1->fr_family == fr->fr_family)) {
m[FRC_V].e++;
m[FRC_V].n++;
} else
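Review bot: The `n & 0x0001` comparison now does `strcmp(fr1->fr_names + fr1->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0])`, but only `fr`'s index is known to be valid (the FRC_IFN flag is set from `fr->fr_ifnames[0] != -1` in the -586/+591 hunk); if `fr1->fr_ifnames[0]` is -1 the left operand is `fr_names - 1`. Guard the comparison with `fr1->fr_ifnames[0] != -1 &&` before the `strcmp`, or treat a missing name as a non-match. The enclosing function continues outside the hunk.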
@@ -1226,10 +1232,10 @@
}
static void printhooks(fp, in, out, grp)
-FILE *fp;
-int in;
-int out;
-frgroup_t *grp;
+ FILE *fp;
+ int in;
+ int out;
+ frgroup_t *grp;
{
frentry_t *fr;
char *group;
@@ -1237,7 +1243,7 @@
char *instr;
group = grp->fg_name;
- dogrp = *group ? 1 : 0;
+ dogrp = 0;
if (in && out) {
fprintf(stderr,
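Review bot: `dogrp = 0;` replaces the `*group ? 1 : 0` test with a constant, which makes the `if (dogrp)` block that emits the `fr_addgroup` call in the -1283/+1289 hunk unreachable. If group heads are intentionally no longer registered from generated code, the dead block should go too; if the intent was to keep deriving `dogrp` from the group name, the test should be `dogrp = (*group != '\0');`. A comment stating which is meant would prevent the next reader from reverting it.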
@@ -1283,18 +1289,24 @@
fprintf(fp, "\
for (j = i + 1; j < max; j++)\n\
- if (strncmp(fp->fr_group,\n\
+ if (strncmp(fp->fr_names + fp->fr_group,\n\
+ ipf_rules_%s_%s[j]->fr_names +\n\
ipf_rules_%s_%s[j]->fr_group,\n\
FR_GROUPLEN) == 0) {\n\
+ if (ipf_rules_%s_%s[j] != NULL)\n\
+ ipf_rules_%s_%s[j]->fr_pnext =\n\
+ &fp->fr_next;\n\
+ fp->fr_pnext = &ipf_rules_%s_%s[j];\n\
fp->fr_next = ipf_rules_%s_%s[j];\n\
break;\n\
- }\n", instr, group, instr, group);
+ }\n", instr, group, instr, group, instr, group,
+ instr, group, instr, group, instr, group);
if (dogrp)
fprintf(fp, "\
\n\
- if (fp->fr_grhead != 0) {\n\
- fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
- IPL_LOGIPF, 0);\n\
+ if (fp->fr_grhead != -1) {\n\
+ fg = fr_addgroup(fp->fr_names + fp->fr_grhead,\n\
+ fp, FR_INQUE, IPL_LOGIPF, 0);\n\
if (fg != NULL)\n\
fp->fr_grp = &fg->fg_start;\n\
}\n");
@@ -1304,7 +1316,7 @@
fp = &ipfrule_%s_%s;\n", instr, group);
fprintf(fp, "\
bzero((char *)fp, sizeof(*fp));\n\
- fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
+ fp->fr_type = FR_T_CALLFUNC_BUILTIN;\n\
fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
(in != 0) ? "IN" : "OUT", instr, group);
@@ -1313,9 +1325,10 @@
instr, group);
fprintf(fp, "\
- fp->fr_v = 4;\n\
+ fp->fr_family = AF_INET;\n\
fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
- err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
+ err = frrequest(&ipfmain, IPL_LOGIPF, SIOCADDFR, (caddr_t)fp,\n\
+ ipfmain.ipf_active, 0);\n",
instr, group);
fprintf(fp, "\treturn err;\n}\n");
@@ -1348,8 +1361,9 @@
}\n\
}\n\
if (err == 0)\n\
- err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
- (caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
+ err = frrequest(&ipfmain, IPL_LOGIPF, SIOCDELFR,\n\
+ (caddr_t)&ipfrule_%s_%s,\n\
+ ipfmain.ipf_active, 0);\n",
instr, group, instr, group, instr, group);
fprintf(fp, "\
if (err)\n\
Modified: trunk/contrib/ipfilter/tools/ipfs.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipfs.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipfs.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipfs.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(__FreeBSD__) || defined(__MidnightBSD__)
+#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
@@ -33,7 +33,7 @@
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <net/if.h>
-#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/ip.h>
@@ -44,7 +44,7 @@
#include "netinet/ipl.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp";
+static const char rcsid[] = "@(#)$Id$";
#endif
#ifndef IPF_SAVEDIR
@@ -100,7 +100,7 @@
* Change interface names in state information saved out to disk.
*/
int changestateif(ifs, fname)
-char *ifs, *fname;
+ char *ifs, *fname;
{
int fd, olen, nlen, rw;
ipstate_save_t ips;
@@ -163,7 +163,7 @@
* Change interface names in NAT information saved out to disk.
*/
int changenatif(ifs, fname)
-char *ifs, *fname;
+ char *ifs, *fname;
{
int fd, olen, nlen, rw;
nat_save_t ipn;
@@ -198,14 +198,6 @@
strcpy(nat->nat_ifnames[1], s);
rw = 1;
}
- if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[2], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[3], s);
- rw = 1;
- }
if (rw == 1) {
if (lseek(fd, pos, SEEK_SET) != pos) {
perror("lseek");
@@ -225,8 +217,8 @@
int main(argc,argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
char *dirname = NULL, *filename = NULL, *ifs = NULL;
@@ -356,7 +348,7 @@
int opendevice(ipfdev)
-char *ipfdev;
+ char *ipfdev;
{
int fd = -1;
@@ -374,7 +366,7 @@
void closedevice(fd)
-int fd;
+ int fd;
{
close(fd);
}
@@ -381,7 +373,7 @@
int setlock(fd, lock)
-int fd, lock;
+ int fd, lock;
{
if (opts & OPT_VERBOSE)
printf("Turn lock %s\n", lock ? "on" : "off");
@@ -398,8 +390,8 @@
int writestate(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
ipstate_save_t ips, *ipsp;
ipfobj_t obj;
@@ -450,8 +442,8 @@
int readstate(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
int sfd = -1, i;
@@ -567,8 +559,8 @@
int readnat(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL;
ipfobj_t obj;
@@ -714,8 +706,8 @@
int writenat(fd, file)
-int fd;
-char *file;
+ int fd;
+ char *file;
{
nat_save_t *ipnp = NULL, *next = NULL;
ipfobj_t obj;
@@ -798,7 +790,7 @@
int writeall(dirname)
-char *dirname;
+ char *dirname;
{
int fd, devfd;
@@ -849,7 +841,7 @@
int readall(dirname)
-char *dirname;
+ char *dirname;
{
int fd, devfd;
Modified: trunk/contrib/ipfilter/tools/ipfstat.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipfstat.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipfstat.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,11 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipfstat.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(__FreeBSD__) || defined(__MidnightBSD__)
+#ifdef __FreeBSD__
# ifndef __FreeBSD_cc_version
# include <osreldate.h>
# else
@@ -15,6 +15,7 @@
# endif
#endif
#include <sys/ioctl.h>
+#include <ctype.h>
#include <fcntl.h>
#ifdef linux
# include <linux/a.out.h>
@@ -71,7 +72,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#ifdef __hpux
@@ -87,7 +88,9 @@
static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
"ipacct(in)", "ipacct(out)" };
static int state_logging = -1;
+static wordtab_t *state_fields = NULL;
+int nohdrfields = 0;
int opts = 0;
int use_inet6 = 0;
int live_kernel = 1;
@@ -98,6 +101,26 @@
frgroup_t *grtop = NULL;
frgroup_t *grtail = NULL;
+char *blockreasons[FRB_MAX_VALUE + 1] = {
+ "packet blocked",
+ "log rule failure",
+ "pps rate exceeded",
+ "jumbogram",
+ "makefrip failed",
+ "cannot add state",
+ "IP ID update failed",
+ "log-or-block failed",
+ "decapsulate failure",
+ "cannot create new auth entry",
+ "packet queued for auth",
+ "buffer coalesce failure",
+ "buffer pullup failure",
+ "auth feedback",
+ "bad fragment",
+ "IPv4 NAT failure",
+ "IPv6 NAT failure"
+};
+
#ifdef STATETOP
#define STSTRSIZE 80
#define STGROWSIZE 16
@@ -135,22 +158,27 @@
static void showstats __P((friostat_t *, u_32_t));
static void showfrstates __P((ipfrstat_t *, u_long));
static void showlist __P((friostat_t *));
-static void showipstates __P((ips_stat_t *));
-static void showauthstates __P((fr_authstat_t *));
+static void showstatestats __P((ips_stat_t *));
+static void showipstates __P((ips_stat_t *, int *));
+static void showauthstates __P((ipf_authstat_t *));
+static void showtqtable_live __P((int));
static void showgroups __P((friostat_t *));
static void usage __P((char *));
-static void showtqtable_live __P((int));
-static void printlivelist __P((int, int, frentry_t *, char *, char *));
-static void printdeadlist __P((int, int, frentry_t *, char *, char *));
+static int state_matcharray __P((ipstate_t *, int *));
+static int printlivelist __P((friostat_t *, int, int, frentry_t *,
+ char *, char *));
+static void printdeadlist __P((friostat_t *, int, int, frentry_t *,
+ char *, char *));
+static void printside __P((char *, ipf_statistics_t *));
static void parse_ipportstr __P((const char *, i6addr_t *, int *));
static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
+ ipfrstat_t **, ipf_authstat_t **, u_32_t *));
static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
+ ipfrstat_t **, ipf_authstat_t **, u_32_t *));
static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
#ifdef STATETOP
static void topipstates __P((i6addr_t, i6addr_t, int, int, int,
- int, int, int));
+ int, int, int, int *));
static void sig_break __P((int));
static void sig_resize __P((int));
static char *getip __P((int, i6addr_t *));
@@ -167,7 +195,7 @@
static void usage(name)
-char *name;
+ char *name;
{
#ifdef USE_INET6
fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name);
@@ -186,11 +214,11 @@
int main(argc,argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
+ ipf_authstat_t frauthst;
+ ipf_authstat_t *frauthstp = &frauthst;
friostat_t fio;
friostat_t *fiop = &fio;
ips_stat_t ipsst;
@@ -197,9 +225,12 @@
ips_stat_t *ipsstp = &ipsst;
ipfrstat_t ifrst;
ipfrstat_t *ifrstp = &ifrst;
- char *memf = NULL;
- char *options, *kern = NULL;
- int c, myoptind;
+ char *options;
+ char *kern = NULL;
+ char *memf = NULL;
+ int c;
+ int myoptind;
+ int *filter = NULL;
int protocol = -1; /* -1 = wild card for any protocol */
int refreshtime = 1; /* default update time */
@@ -210,9 +241,9 @@
u_32_t frf;
#ifdef USE_INET6
- options = "6aACdfghIilnostvD:M:N:P:RS:T:";
+ options = "6aACdfghIilnostvD:m:M:N:O:P:RS:T:";
#else
- options = "aACdfghIilnostvD:M:N:P:RS:T:";
+ options = "aACdfghIilnostvD:m:M:N:O:P:RS:T:";
#endif
saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
@@ -324,6 +355,14 @@
case 'l' :
opts |= OPT_SHOWLIST;
break;
+ case 'm' :
+ filter = parseipfexpr(optarg, NULL);
+ if (filter == NULL) {
+ fprintf(stderr, "Error parseing '%s'\n",
+ optarg);
+ exit(1);
+ }
+ break;
case 'M' :
break;
case 'N' :
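Review bot: The error text on the new `-m` branch has a typo ("parseing"); the line should read `fprintf(stderr, "Error parsing '%s'\n", optarg);`. Passing `NULL` as the second argument to `parseipfexpr()` presumably discards whatever detail that parameter would return, so the user only learns that the expression failed, not why — if it is an error-string out pointer, capturing and printing it here would make the diagnostic actionable. The enclosing `main()` starts and ends outside this hunk.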
@@ -334,6 +373,9 @@
case 'o' :
opts |= OPT_OUTQUE|OPT_SHOWLIST;
break;
+ case 'O' :
+ state_fields = parsefields(statefields, optarg);
+ break;
case 'P' :
protocol = getproto(optarg);
if (protocol == -1) {
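Review bot: The new `-O` case stores the result of `parsefields(statefields, optarg)` without checking it, whereas the `-m` case a few lines earlier treats a NULL return as a fatal parse error. If `parsefields()` returns NULL for an unknown field name, a mistyped `-O` list is silently ignored and the default state output is printed instead, which is easy to misread as the requested columns. Mirror the `-m` handling: test `state_fields == NULL`, print an error naming `optarg`, and `exit(1)`. `main()` starts and ends outside this hunk.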
@@ -386,11 +428,12 @@
ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
&frauthstp, &frf);
- } else
+ } else {
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
+ }
if (opts & OPT_IPSTATES) {
- showipstates(ipsstp);
+ showipstates(ipsstp, filter);
} else if (opts & OPT_SHOWLIST) {
showlist(fiop);
if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
@@ -402,7 +445,7 @@
#ifdef STATETOP
else if (opts & OPT_STATETOP)
topipstates(saddr, daddr, sport, dport, protocol,
- use_inet6 ? 6 : 4, refreshtime, topclosed);
+ use_inet6 ? 6 : 4, refreshtime, topclosed, filter);
#endif
else if (opts & OPT_AUTHSTATS)
showauthstates(frauthstp);
@@ -420,12 +463,12 @@
* of ioctl's and copying directly from kernel memory.
*/
static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *device;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
+ char *device;
+ friostat_t **fiopp;
+ ips_stat_t **ipsstpp;
+ ipfrstat_t **ifrstpp;
+ ipf_authstat_t **frauthstpp;
+ u_32_t *frfp;
{
ipfobj_t ipfo;
@@ -442,12 +485,12 @@
ipfo.ipfo_ptr = (void *)*fiopp;
if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
+ ipferror(ipf_fd, "ioctl(ipf:SIOCGETFS)");
exit(-1);
}
if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
- perror("ioctl(SIOCGETFF)");
+ ipferror(ipf_fd, "ioctl(SIOCGETFF)");
}
if ((opts & OPT_IPSTATES) != 0) {
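Review bot: The failure of `ioctl(ipf_fd, SIOCGETFF, frfp)` is now reported through `ipferror()` but execution still falls through with `*frfp` untouched; the caller's `frf` in `main()` is declared `u_32_t frf;` without an initializer in an earlier hunk and is presumably what `showstats()` later receives, so the log-flag lines would be printed from an indeterminate value. Either treat this like the `SIOCGETFS` failure just above and `exit(-1)`, or set `*frfp = 0;` on the error path so the output is at least deterministic. `ipfstate_live()` continues outside this hunk.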
@@ -459,11 +502,11 @@
ipfo.ipfo_ptr = (void *)*ipsstpp;
if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
+ ipferror(state_fd, "ioctl(state:SIOCGETFS)");
exit(-1);
}
if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
- perror("ioctl(state:SIOCGETLG)");
+ ipferror(state_fd, "ioctl(state:SIOCGETLG)");
exit(-1);
}
}
@@ -474,9 +517,9 @@
ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
ipfo.ipfo_size = sizeof(ipfrstat_t);
ipfo.ipfo_ptr = (void *)*ifrstpp;
-
+
if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
- perror("ioctl(SIOCGFRST)");
+ ipferror(ipf_fd, "ioctl(SIOCGFRST)");
exit(-1);
}
}
@@ -488,11 +531,11 @@
bzero((caddr_t)&ipfo, sizeof(ipfo));
ipfo.ipfo_rev = IPFILTER_VERSION;
ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
- ipfo.ipfo_size = sizeof(fr_authstat_t);
+ ipfo.ipfo_size = sizeof(ipf_authstat_t);
ipfo.ipfo_ptr = (void *)*frauthstpp;
if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
- perror("ioctl(SIOCATHST)");
+ ipferror(auth_fd, "ioctl(SIOCATHST)");
exit(-1);
}
}
@@ -505,66 +548,64 @@
* just won't work any more.
*/
static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *kernel;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
+ char *kernel;
+ friostat_t **fiopp;
+ ips_stat_t **ipsstpp;
+ ipfrstat_t **ifrstpp;
+ ipf_authstat_t **frauthstpp;
+ u_32_t *frfp;
{
- static fr_authstat_t frauthst, *frauthstp;
+ static ipf_authstat_t frauthst, *frauthstp;
+ static ipftq_t ipstcptab[IPF_TCP_NSTATES];
static ips_stat_t ipsst, *ipsstp;
static ipfrstat_t ifrst, *ifrstp;
static friostat_t fio, *fiop;
- static ipftq_t ipssttab[IPF_TCP_NSTATES];
int temp;
void *rules[2][2];
struct nlist deadlist[44] = {
- { "fr_authstats" }, /* 0 */
- { "fae_list" },
- { "ipauth" },
- { "fr_authlist" },
- { "fr_authstart" },
- { "fr_authend" }, /* 5 */
- { "fr_authnext" },
- { "fr_auth" },
- { "fr_authused" },
- { "fr_authsize" },
- { "fr_defaultauthage" }, /* 10 */
- { "fr_authpkts" },
- { "fr_auth_lock" },
- { "frstats" },
- { "ips_stats" },
- { "ips_num" }, /* 15 */
- { "ips_wild" },
- { "ips_list" },
- { "ips_table" },
- { "fr_statemax" },
- { "fr_statesize" }, /* 20 */
- { "fr_state_doflush" },
- { "fr_state_lock" },
- { "ipfr_heads" },
- { "ipfr_nattab" },
- { "ipfr_stats" }, /* 25 */
- { "ipfr_inuse" },
- { "fr_ipfrttl" },
- { "fr_frag_lock" },
- { "ipfr_timer_id" },
- { "fr_nat_lock" }, /* 30 */
- { "ipfilter" },
- { "ipfilter6" },
- { "ipacct" },
- { "ipacct6" },
- { "ipl_frouteok" }, /* 35 */
- { "fr_running" },
- { "ipfgroups" },
- { "fr_active" },
- { "fr_pass" },
- { "fr_flags" }, /* 40 */
- { "ipstate_logging" },
- { "ips_tqtqb" },
- { NULL }
+ { "ipf_auth_stats", 0, 0, 0, 0 }, /* 0 */
+ { "fae_list", 0, 0, 0, 0 },
+ { "ipauth", 0, 0, 0, 0 },
+ { "ipf_auth_list", 0, 0, 0, 0 },
+ { "ipf_auth_start", 0, 0, 0, 0 },
+ { "ipf_auth_end", 0, 0, 0, 0 }, /* 5 */
+ { "ipf_auth_next", 0, 0, 0, 0 },
+ { "ipf_auth", 0, 0, 0, 0 },
+ { "ipf_auth_used", 0, 0, 0, 0 },
+ { "ipf_auth_size", 0, 0, 0, 0 },
+ { "ipf_auth_defaultage", 0, 0, 0, 0 }, /* 10 */
+ { "ipf_auth_pkts", 0, 0, 0, 0 },
+ { "ipf_auth_lock", 0, 0, 0, 0 },
+ { "frstats", 0, 0, 0, 0 },
+ { "ips_stats", 0, 0, 0, 0 },
+ { "ips_num", 0, 0, 0, 0 }, /* 15 */
+ { "ips_wild", 0, 0, 0, 0 },
+ { "ips_list", 0, 0, 0, 0 },
+ { "ips_table", 0, 0, 0, 0 },
+ { "ipf_state_max", 0, 0, 0, 0 },
+ { "ipf_state_size", 0, 0, 0, 0 }, /* 20 */
+ { "ipf_state_doflush", 0, 0, 0, 0 },
+ { "ipf_state_lock", 0, 0, 0, 0 },
+ { "ipfr_heads", 0, 0, 0, 0 },
+ { "ipfr_nattab", 0, 0, 0, 0 },
+ { "ipfr_stats", 0, 0, 0, 0 }, /* 25 */
+ { "ipfr_inuse", 0, 0, 0, 0 },
+ { "ipf_ipfrttl", 0, 0, 0, 0 },
+ { "ipf_frag_lock", 0, 0, 0, 0 },
+ { "ipfr_timer_id", 0, 0, 0, 0 },
+ { "ipf_nat_lock", 0, 0, 0, 0 }, /* 30 */
+ { "ipf_rules", 0, 0, 0, 0 },
+ { "ipf_acct", 0, 0, 0, 0 },
+ { "ipl_frouteok", 0, 0, 0, 0 },
+ { "ipf_running", 0, 0, 0, 0 },
+ { "ipf_groups", 0, 0, 0, 0 }, /* 35 */
+ { "ipf_active", 0, 0, 0, 0 },
+ { "ipf_pass", 0, 0, 0, 0 },
+ { "ipf_flags", 0, 0, 0, 0 },
+ { "ipf_state_logging", 0, 0, 0, 0 },
+ { "ips_tqtqb", 0, 0, 0, 0 }, /* 40 */
+ { NULL, 0, 0, 0, 0 }
};
@@ -618,23 +659,6 @@
fiop->f_fout[1] = rules[1][1];
/*
- * Same for IPv6, except make them null if support for it is not
- * being compiled in.
- */
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
- fiop->f_fin6[0] = rules[0][0];
- fiop->f_fin6[1] = rules[0][1];
- fiop->f_fout6[0] = rules[1][0];
- fiop->f_fout6[1] = rules[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
-#endif
-
- /*
* Now get accounting rules pointers.
*/
kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
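Review bot: The accounting-rules read on the last context line, `kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));`, no longer matches the renumbered `deadlist[]` table introduced in the previous hunk: with `ipfilter6`/`ipacct6` gone, `ipf_acct` is entry 32 and entry 33 is `ipl_frouteok`, which the next hunk reads for `f_froute`. The line therefore fills `f_acctin`/`f_acctout` from the wrong kernel symbol in the dead-kernel path; it should become `kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));`. The filter-rules read for `f_fin`/`f_fout` just above this hunk is not visible, so its index should be checked against entry 31 (`ipf_rules`) as well.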
@@ -643,32 +667,19 @@
fiop->f_acctout[0] = rules[1][0];
fiop->f_acctout[1] = rules[1][1];
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
- fiop->f_acctin6[0] = rules[0][0];
- fiop->f_acctin6[1] = rules[0][1];
- fiop->f_acctout6[0] = rules[1][0];
- fiop->f_acctout6[1] = rules[1][1];
-#else
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
-
/*
* A collection of "global" variables used inside the kernel which
* are all collected in friostat_t via ioctl.
*/
- kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
+ kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[33].n_value,
sizeof(fiop->f_froute));
- kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
+ kmemcpy((char *)&fiop->f_running, (u_long)deadlist[34].n_value,
sizeof(fiop->f_running));
- kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
+ kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[35].n_value,
sizeof(fiop->f_groups));
- kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
+ kmemcpy((char *)&fiop->f_active, (u_long)deadlist[36].n_value,
sizeof(fiop->f_active));
- kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
+ kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[37].n_value,
sizeof(fiop->f_defpass));
/*
@@ -676,12 +687,12 @@
*/
kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
- kmemcpy((char *)ipssttab, (u_long)deadlist[42].n_value,
- sizeof(ipssttab));
+ kmemcpy((char *)ipstcptab, (u_long)deadlist[40].n_value,
+ sizeof(ipstcptab));
ipsstp->iss_active = temp;
ipsstp->iss_table = (void *)deadlist[18].n_value;
ipsstp->iss_list = (void *)deadlist[17].n_value;
- ipsstp->iss_tcptab = ipssttab;
+ ipsstp->iss_tcptab = ipstcptab;
/*
* Build up the authentiation information stats structure.
@@ -708,65 +719,62 @@
}
+static void printside(side, frs)
+ char *side;
+ ipf_statistics_t *frs;
+{
+ int i;
+
+ PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side);
+#ifdef USE_INET6
+ PRINTF("%lu\t%s IPv6 packets\n", frs->fr_ipv6, side);
+#endif
+ PRINTF("%lu\t%s packets blocked\n", frs->fr_block, side);
+ PRINTF("%lu\t%s packets passed\n", frs->fr_pass, side);
+ PRINTF("%lu\t%s packets not matched\n", frs->fr_nom, side);
+ PRINTF("%lu\t%s packets counted\n", frs->fr_acct, side);
+ PRINTF("%lu\t%s packets short\n", frs->fr_short, side);
+ PRINTF("%lu\t%s packets logged and blocked\n", frs->fr_bpkl, side);
+ PRINTF("%lu\t%s packets logged and passed\n", frs->fr_ppkl, side);
+ PRINTF("%lu\t%s fragment state kept\n", frs->fr_nfr, side);
+ PRINTF("%lu\t%s fragment state lost\n", frs->fr_bnfr, side);
+ PRINTF("%lu\t%s packet state kept\n", frs->fr_ads, side);
+ PRINTF("%lu\t%s packet state lost\n", frs->fr_bads, side);
+ PRINTF("%lu\t%s invalid source\n", frs->fr_v4_badsrc, side);
+ PRINTF("%lu\t%s cache hits\n", frs->fr_chit, side);
+ PRINTF("%lu\t%s cache misses\n", frs->fr_cmiss, side);
+ PRINTF("%lu\t%s bad coalesces\n", frs->fr_badcoalesces, side);
+ PRINTF("%lu\t%s pullups succeeded\n", frs->fr_pull[0], side);
+ PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side);
+ PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side);
+ for (i = 0; i <= FRB_MAX_VALUE; i++)
+ PRINTF("%lu\t%s block reason %s\n",
+ frs->fr_blocked[i], side, blockreasons[i]);
+}
+
+
/*
* Display the kernel stats for packets blocked and passed and other
* associated running totals which are kept.
*/
static void showstats(fp, frf)
-struct friostat *fp;
-u_32_t frf;
+ struct friostat *fp;
+ u_32_t frf;
{
+ printside("input", &fp->f_st[0]);
+ printside("output", &fp->f_st[1]);
- PRINTF("bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#ifdef USE_INET6
- PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6, fp->f_st[1].fr_ipv6);
-#endif
- PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- PRINTF("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- PRINTF(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
- PRINTF("IPF Ticks:\t%lu\n", fp->f_ticks);
+ PRINTF("%lu\tpackets logged\n", fp->f_log_ok);
+ PRINTF("%lu\tlog failures\n", fp->f_log_fail);
+ PRINTF("%lu\tred-black no memory\n", fp->f_rb_no_mem);
+ PRINTF("%lu\tred-black node maximum\n", fp->f_rb_node_max);
+ PRINTF("%lu\tICMP replies sent\n", fp->f_st[0].fr_ret);
+ PRINTF("%lu\tTCP RSTs sent\n", fp->f_st[1].fr_ret);
+ PRINTF("%lu\tfastroute successes\n", fp->f_froute[0]);
+ PRINTF("%lu\tfastroute failures\n", fp->f_froute[1]);
+ PRINTF("%u\tIPF Ticks\n", fp->f_ticks);
- PRINTF("Packet log flags set: (%#x)\n", frf);
+ PRINTF("%x\tPacket log flags set:\n", frf);
if (frf & FF_LOGPASS)
PRINTF("\tpackets passed through filter\n");
if (frf & FF_LOGBLOCK)
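Review bot: `printside()` passes `blockreasons[i]` to `%s` for every `i` up to `FRB_MAX_VALUE`, but the `blockreasons[FRB_MAX_VALUE + 1]` table defined in an earlier hunk has exactly 17 string initializers; if the reason enum ever grows past that, the trailing entries are NULL pointers and the format call is undefined behaviour (if it shrinks, the excess initializers are only a compiler warning). Guard the lookup, `blockreasons[i] != NULL ? blockreasons[i] : "unknown"`, or add a compile-time check that the table has `FRB_MAX_VALUE + 1` entries. The old `showstats()` output also included `fr_pkl`, `fr_skip` and the `fr_cfr` "not fragmented" counters, which the new per-side output drops; if that is intentional it deserves a line in the commit description.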
@@ -781,10 +789,12 @@
/*
* Print out a list of rules from the kernel, starting at the one passed.
*/
-static void printlivelist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
+static int
+printlivelist(fiop, out, set, fp, group, comment)
+ struct friostat *fiop;
+ int out, set;
+ frentry_t *fp;
+ char *group, *comment;
{
struct frentry fb;
ipfruleiter_t rule;
@@ -791,20 +801,15 @@
frentry_t zero;
frgroup_t *g;
ipfobj_t obj;
- int n;
+ int rules;
+ int num;
- if (use_inet6 == 1)
- fb.fr_v = 6;
- else
- fb.fr_v = 4;
- fb.fr_next = fp;
- n = 0;
+ rules = 0;
rule.iri_inout = out;
rule.iri_active = set;
rule.iri_rule = &fb;
rule.iri_nrules = 1;
- rule.iri_v = use_inet6 ? 6 : 4;
if (group != NULL)
strncpy(rule.iri_group, group, FR_GROUPLEN);
else
@@ -818,7 +823,7 @@
obj.ipfo_size = sizeof(rule);
obj.ipfo_ptr = &rule;
- do {
+ while (rule.iri_rule != NULL) {
u_long array[1000];
memset(array, 0xff, sizeof(array));
@@ -825,42 +830,58 @@
fp = (frentry_t *)array;
rule.iri_rule = fp;
if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
- perror("ioctl(SIOCIPFITER)");
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
- return;
+ ipferror(ipf_fd, "ioctl(SIOCIPFITER)");
+ num = IPFGENITER_IPF;
+ (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
+ return rules;
}
if (bcmp(fp, &zero, sizeof(zero)) == 0)
break;
+ if (rule.iri_rule == NULL)
+ break;
+#ifdef USE_INET6
+ if (use_inet6 != 0) {
+ if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
+ continue;
+ } else
+#endif
+ {
+ if (fp->fr_family != 0 && fp->fr_family != AF_INET)
+ continue;
+ }
if (fp->fr_data != NULL)
- fp->fr_data = (char *)fp + sizeof(*fp);
+ fp->fr_data = (char *)fp + fp->fr_size;
- n++;
+ rules++;
- if (opts & (OPT_HITS|OPT_VERBOSE))
+ if (opts & (OPT_HITS|OPT_DEBUG))
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_hits);
+ PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits);
#else
PRINTF("%lu ", fp->fr_hits);
#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
+ if (opts & (OPT_ACCNT|OPT_DEBUG))
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
+ PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes);
#else
PRINTF("%lu ", fp->fr_bytes);
#endif
if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
+ PRINTF("@%d ", rules);
+ if (fp->fr_die != 0)
+ fp->fr_die -= fiop->f_ticks;
+
printfr(fp, ioctl);
if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
+ binprint(fp, fp->fr_size);
if (fp->fr_data != NULL && fp->fr_dsize > 0)
binprint(fp->fr_data, fp->fr_dsize);
}
- if (fp->fr_grhead[0] != '\0') {
+ if (fp->fr_grhead != -1) {
for (g = grtop; g != NULL; g = g->fg_next) {
- if (!strncmp(fp->fr_grhead, g->fg_name,
+ if (!strncmp(fp->fr_names + fp->fr_grhead,
+ g->fg_name,
FR_GROUPLEN))
break;
}
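Review bot: After the iterator copy, `fp->fr_data = (char *)fp + fp->fr_size;` and the later `binprint(fp, fp->fr_size)` / `binprint(fp->fr_data, fp->fr_dsize)` trust `fr_size` and `fr_dsize` as returned by the kernel, but `fp` points into the fixed `u_long array[1000]` on the stack and nothing checks that `fr_size + fr_dsize` fits in `sizeof(array)`. If the kernel-side copy is not itself bounded by that size, a large rule (e.g. one with a big `fr_data` payload) makes the debug printing read past the buffer; add a check before the offsets are used and stop iterating when it fails. `printlivelist()` starts in the previous hunk and ends in the next.
```c
		if (rule.iri_rule == NULL)
			break;
		/* added: refuse entries the fixed iterator buffer cannot hold */
		if (fp->fr_size > sizeof(array) ||
		    fp->fr_dsize > sizeof(array) - fp->fr_size) {
			fprintf(stderr, "rule larger than iterator buffer\n");
			break;
		}
		/* … unchanged: family filter, fr_data fixup, printing … */
```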
@@ -868,7 +889,8 @@
g = calloc(1, sizeof(*g));
if (g != NULL) {
- strncpy(g->fg_name, fp->fr_grhead,
+ strncpy(g->fg_name,
+ fp->fr_names + fp->fr_grhead,
FR_GROUPLEN);
if (grtop == NULL) {
grtop = g;
@@ -881,29 +903,23 @@
}
}
if (fp->fr_type == FR_T_CALLFUNC) {
- printlivelist(out, set, fp->fr_data, group,
- "# callfunc: ");
+ rules += printlivelist(fiop, out, set, fp->fr_data,
+ group, "# callfunc: ");
}
- } while (fp->fr_next != NULL);
+ }
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
+ num = IPFGENITER_IPF;
+ (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
- if (group == NULL) {
- while ((g = grtop) != NULL) {
- printf("# Group %s\n", g->fg_name);
- printlivelist(out, set, NULL, g->fg_name, comment);
- grtop = g->fg_next;
- free(g);
- }
- }
+ return rules;
}
-static void printdeadlist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
+static void printdeadlist(fiop, out, set, fp, group, comment)
+ friostat_t *fiop;
+ int out, set;
+ frentry_t *fp;
+ char *group, *comment;
{
frgroup_t *grtop, *grtail, *g;
struct frentry fb;
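Review bot: The loop that walked `grtop` at the end of `printlivelist()` — printing `# Group %s`, recursing per group and freeing each entry — is deleted here, yet the earlier hunk still `calloc()`s a `frgroup_t` for every rule with a group head and links it onto the global `grtop`/`grtail`. Unless something outside this hunk now consumes that list, the entries leak on every `-l` run and group rules are no longer printed for a live kernel; either remove the group bookkeeping from the live path or restore the walk. The `printdeadlist()` definition that begins at the end of this hunk continues in the next.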
@@ -916,13 +932,20 @@
grtop = NULL;
grtail = NULL;
- do {
- fp = fb.fr_next;
+ for (n = 1; fp; fp = fb.fr_next, n++) {
if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
- sizeof(fb)) == -1) {
+ fb.fr_size) == -1) {
perror("kmemcpy");
return;
}
+ fp = &fb;
+ if (use_inet6 != 0) {
+ if (fp->fr_family != 0 && fp->fr_family != 6)
+ continue;
+ } else {
+ if (fp->fr_family != 0 && fp->fr_family != 4)
+ continue;
+ }
data = NULL;
type = fb.fr_type & ~FR_T_BUILTIN;
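Review bot: The dead-kernel copy `kmemcpy((char *)&fb, (u_long)fb.fr_next, fb.fr_size)` now uses `fb.fr_size` as the length, but `fb` is a plain `struct frentry` on the stack and `fr_size` at that point is the size of the previous entry (or whatever `fb` held before the first iteration, which is set outside this hunk). If `fr_size` can exceed `sizeof(fb)` — which it must if it covers the trailing `fr_names` storage that `fb.fr_names + fb.fr_grhead` later indexes — the copy overruns the stack buffer and the later `binprint(fp, fp->fr_size)` over-reads it. Copy `sizeof(fb)` first, then read the full `fr_size` bytes of the entry just read into a heap buffer, and use that buffer for `fr_names` and `binprint`; the loop body continues in the following hunks.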
@@ -939,17 +962,15 @@
}
}
- n++;
-
- if (opts & (OPT_HITS|OPT_VERBOSE))
+ if (opts & OPT_HITS)
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_hits);
+ PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits);
#else
PRINTF("%lu ", fb.fr_hits);
#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
+ if (opts & OPT_ACCNT)
#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_bytes);
+ PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes);
#else
PRINTF("%lu ", fb.fr_bytes);
#endif
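Review bot: The hit and byte counters here are printed only for `OPT_HITS` / `OPT_ACCNT`, while the live-kernel path in `printlivelist()` (an earlier hunk) prints them for `OPT_HITS|OPT_DEBUG` / `OPT_ACCNT|OPT_DEBUG`, so `-d` output differs between a live and a dead kernel. Unless that difference is intended, use the same masks in both places, `if (opts & (OPT_HITS|OPT_DEBUG))` and `if (opts & (OPT_ACCNT|OPT_DEBUG))`. `printdeadlist()` starts and ends outside this hunk.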
@@ -958,17 +979,17 @@
printfr(fp, ioctl);
if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
+ binprint(fp, fp->fr_size);
if (fb.fr_data != NULL && fb.fr_dsize > 0)
binprint(fb.fr_data, fb.fr_dsize);
}
if (data != NULL)
free(data);
- if (fb.fr_grhead[0] != '\0') {
+ if (fb.fr_grhead != -1) {
g = calloc(1, sizeof(*g));
if (g != NULL) {
- strncpy(g->fg_name, fb.fr_grhead,
+ strncpy(g->fg_name, fb.fr_names + fb.fr_grhead,
FR_GROUPLEN);
if (grtop == NULL) {
grtop = g;
@@ -980,13 +1001,13 @@
}
}
if (type == FR_T_CALLFUNC) {
- printdeadlist(out, set, fb.fr_data, group,
+ printdeadlist(fiop, out, set, fb.fr_data, group,
"# callfunc: ");
}
- } while (fb.fr_next != NULL);
+ }
while ((g = grtop) != NULL) {
- printdeadlist(out, set, NULL, g->fg_name, comment);
+ printdeadlist(fiop, out, set, NULL, g->fg_name, comment);
grtop = g->fg_next;
free(g);
}
@@ -997,7 +1018,7 @@
* the base from which to get the pointers.
*/
static void showlist(fiop)
-struct friostat *fiop;
+ struct friostat *fiop;
{
struct frentry *fp = NULL;
int i, set;
@@ -1006,15 +1027,6 @@
if (opts & OPT_INACTIVE)
set = 1 - set;
if (opts & OPT_ACCNT) {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin6[set];
- } else
-#endif
if (opts & OPT_OUTQUE) {
i = F_ACOUT;
fp = (struct frentry *)fiop->f_acctout[set];
@@ -1026,15 +1038,6 @@
return;
}
} else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
if (opts & OPT_OUTQUE) {
i = F_OUT;
fp = (struct frentry *)fiop->f_fout[set];
@@ -1049,15 +1052,25 @@
if (opts & OPT_DEBUG)
PRINTF("fp %p set %d\n", fp, set);
- if (!fp) {
- FPRINTF(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
+
+ if (live_kernel == 1) {
+ int printed;
+
+ printed = printlivelist(fiop, i, set, fp, NULL, NULL);
+ if (printed == 0) {
+ FPRINTF(stderr, "# empty list for %s%s\n",
+ (opts & OPT_INACTIVE) ? "inactive " : "",
+ filters[i]);
+ }
+ } else {
+ if (!fp) {
+ FPRINTF(stderr, "# empty list for %s%s\n",
+ (opts & OPT_INACTIVE) ? "inactive " : "",
+ filters[i]);
+ } else {
+ printdeadlist(fiop, i, set, fp, NULL, NULL);
+ }
}
- if (live_kernel == 1)
- printlivelist(i, set, fp, NULL, NULL);
- else
- printdeadlist(i, set, fp, NULL, NULL);
}
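Review bot: `printed == 0` is used to decide on the `# empty list` message, but `printlivelist()` (earlier hunks) also returns its running count after a failed `SIOCIPFITER` ioctl, so a kernel error before any rule was printed is followed by `# empty list for ...` right after the `ipferror()` line. Returning a negative value from the ioctl failure path and testing `printed < 0` here would keep the two cases apart. `showlist()` starts outside this hunk.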
@@ -1064,125 +1077,219 @@
/*
* Display ipfilter stateful filtering information
*/
-static void showipstates(ipsp)
-ips_stat_t *ipsp;
+static void showipstates(ipsp, filter)
+ ips_stat_t *ipsp;
+ int *filter;
{
- u_long minlen, maxlen, totallen, *buckets;
- ipftable_t table;
- ipfobj_t obj;
- int i, sz;
+ ipstate_t *is;
+ int i;
/*
* If a list of states hasn't been asked for, only print out stats
*/
if (!(opts & OPT_SHOWLIST)) {
+ showstatestats(ipsp);
+ return;
+ }
- sz = sizeof(*buckets) * ipsp->iss_statesize;
- buckets = (u_long *)malloc(sz);
+ if ((state_fields != NULL) && (nohdrfields == 0)) {
+ for (i = 0; state_fields[i].w_value != 0; i++) {
+ printfieldhdr(statefields, state_fields + i);
+ if (state_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ }
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GTABLE;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = &table;
+ /*
+ * Print out all the state information currently held in the kernel.
+ */
+ for (is = ipsp->iss_list; is != NULL; ) {
+ ipstate_t ips;
- table.ita_type = IPFTABLE_BUCKETS;
- table.ita_table = buckets;
+ is = fetchstate(is, &ips);
- if (live_kernel == 1) {
- if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
- free(buckets);
- return;
+ if (is == NULL)
+ break;
+
+ is = ips.is_next;
+ if ((filter != NULL) &&
+ (state_matcharray(&ips, filter) == 0)) {
+ continue;
+ }
+ if (state_fields != NULL) {
+ for (i = 0; state_fields[i].w_value != 0; i++) {
+ printstatefield(&ips, state_fields[i].w_value);
+ if (state_fields[i + 1].w_value != 0)
+ printf("\t");
}
+ printf("\n");
} else {
- if (kmemcpy((char *)buckets,
- (u_long)ipsp->iss_bucketlen, sz)) {
- free(buckets);
- return;
- }
+ printstate(&ips, opts, ipsp->iss_ticks);
}
+ }
+}
- PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- PRINTF("\t%lu bucket full\n", ipsp->iss_bucketfull);
- PRINTF("\t%lu maximum rule references\n", ipsp->iss_maxref);
- PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
- PRINTF("State logging %sabled\n",
- state_logging ? "en" : "dis");
+static void showstatestats(ipsp)
+ ips_stat_t *ipsp;
+{
+ int minlen, maxlen, totallen;
+ ipftable_t table;
+ u_int *buckets;
+ ipfobj_t obj;
+ int i, sz;
- PRINTF("\nState table bucket statistics:\n");
- PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
- PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
- (u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
+ /*
+ * If a list of states hasn't been asked for, only print out stats
+ */
- minlen = ipsp->iss_inuse;
- totallen = 0;
- maxlen = 0;
+ sz = sizeof(*buckets) * ipsp->iss_state_size;
+ buckets = (u_int *)malloc(sz);
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if (buckets[i] > maxlen)
- maxlen = buckets[i];
- if (buckets[i] < minlen)
- minlen = buckets[i];
- totallen += buckets[i];
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_GTABLE;
+ obj.ipfo_size = sizeof(table);
+ obj.ipfo_ptr = &table;
+
+ table.ita_type = IPFTABLE_BUCKETS;
+ table.ita_table = buckets;
+
+ if (live_kernel == 1) {
+ if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
+ free(buckets);
+ return;
}
+ } else {
+ if (kmemcpy((char *)buckets,
+ (u_long)ipsp->iss_bucketlen, sz)) {
+ free(buckets);
+ return;
+ }
+ }
- PRINTF("\t%2.2f%% bucket usage\n\t%lu minimal length\n",
- ((float)ipsp->iss_inuse / ipsp->iss_statesize) * 100.0,
- minlen);
- PRINTF("\t%lu maximal length\n\t%.3f average length\n",
- maxlen,
- ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
- 0.0);
+ PRINTF("%u\tactive state table entries\n",ipsp->iss_active);
+ PRINTF("%lu\tadd bad\n", ipsp->iss_add_bad);
+ PRINTF("%lu\tadd duplicate\n", ipsp->iss_add_dup);
+ PRINTF("%lu\tadd locked\n", ipsp->iss_add_locked);
+ PRINTF("%lu\tadd oow\n", ipsp->iss_add_oow);
+ PRINTF("%lu\tbucket full\n", ipsp->iss_bucket_full);
+ PRINTF("%lu\tcheck bad\n", ipsp->iss_check_bad);
+ PRINTF("%lu\tcheck miss\n", ipsp->iss_check_miss);
+ PRINTF("%lu\tcheck nattag\n", ipsp->iss_check_nattag);
+ PRINTF("%lu\tclone nomem\n", ipsp->iss_clone_nomem);
+ PRINTF("%lu\tcheck notag\n", ipsp->iss_check_notag);
+ PRINTF("%lu\tcheck success\n", ipsp->iss_hits);
+ PRINTF("%lu\tcloned\n", ipsp->iss_cloned);
+ PRINTF("%lu\texpired\n", ipsp->iss_expire);
+ PRINTF("%lu\tflush all\n", ipsp->iss_flush_all);
+ PRINTF("%lu\tflush closing\n", ipsp->iss_flush_closing);
+ PRINTF("%lu\tflush queue\n", ipsp->iss_flush_queue);
+ PRINTF("%lu\tflush state\n", ipsp->iss_flush_state);
+ PRINTF("%lu\tflush timeout\n", ipsp->iss_flush_timeout);
+ PRINTF("%u\thash buckets in use\n", ipsp->iss_inuse);
+ PRINTF("%lu\tICMP bad\n", ipsp->iss_icmp_bad);
+ PRINTF("%lu\tICMP banned\n", ipsp->iss_icmp_banned);
+ PRINTF("%lu\tICMP errors\n", ipsp->iss_icmp_icmperr);
+ PRINTF("%lu\tICMP head block\n", ipsp->iss_icmp_headblock);
+ PRINTF("%lu\tICMP hits\n", ipsp->iss_icmp_hits);
+ PRINTF("%lu\tICMP not query\n", ipsp->iss_icmp_notquery);
+ PRINTF("%lu\tICMP short\n", ipsp->iss_icmp_short);
+ PRINTF("%lu\tICMP too many\n", ipsp->iss_icmp_toomany);
+ PRINTF("%lu\tICMPv6 errors\n", ipsp->iss_icmp6_icmperr);
+ PRINTF("%lu\tICMPv6 miss\n", ipsp->iss_icmp6_miss);
+ PRINTF("%lu\tICMPv6 not info\n", ipsp->iss_icmp6_notinfo);
+ PRINTF("%lu\tICMPv6 not query\n", ipsp->iss_icmp6_notquery);
+ PRINTF("%lu\tlog fail\n", ipsp->iss_log_fail);
+ PRINTF("%lu\tlog ok\n", ipsp->iss_log_ok);
+ PRINTF("%lu\tlookup interface mismatch\n", ipsp->iss_lookup_badifp);
+ PRINTF("%lu\tlookup mask mismatch\n", ipsp->iss_miss_mask);
+ PRINTF("%lu\tlookup port mismatch\n", ipsp->iss_lookup_badport);
+ PRINTF("%lu\tlookup miss\n", ipsp->iss_lookup_miss);
+ PRINTF("%lu\tmaximum rule references\n", ipsp->iss_max_ref);
+ PRINTF("%lu\tmaximum hosts per rule\n", ipsp->iss_max_track);
+ PRINTF("%lu\tno memory\n", ipsp->iss_nomem);
+ PRINTF("%lu\tout of window\n", ipsp->iss_oow);
+ PRINTF("%lu\torphans\n", ipsp->iss_orphan);
+ PRINTF("%lu\tscan block\n", ipsp->iss_scan_block);
+ PRINTF("%lu\tstate table maximum reached\n", ipsp->iss_max);
+ PRINTF("%lu\tTCP closing\n", ipsp->iss_tcp_closing);
+ PRINTF("%lu\tTCP OOW\n", ipsp->iss_tcp_oow);
+ PRINTF("%lu\tTCP RST add\n", ipsp->iss_tcp_rstadd);
+ PRINTF("%lu\tTCP too small\n", ipsp->iss_tcp_toosmall);
+ PRINTF("%lu\tTCP bad options\n", ipsp->iss_tcp_badopt);
+ PRINTF("%lu\tTCP removed\n", ipsp->iss_fin);
+ PRINTF("%lu\tTCP FSM\n", ipsp->iss_tcp_fsm);
+ PRINTF("%lu\tTCP strict\n", ipsp->iss_tcp_strict);
+ PRINTF("%lu\tTCP wild\n", ipsp->iss_wild);
+ PRINTF("%lu\tMicrosoft Windows SACK\n", ipsp->iss_winsack);
-#define ENTRIES_PER_LINE 5
+ PRINTF("State logging %sabled\n", state_logging ? "en" : "dis");
- if (opts & OPT_VERBOSE) {
- PRINTF("\nCurrent bucket sizes :\n");
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if ((i % ENTRIES_PER_LINE) == 0)
- PRINTF("\t");
- PRINTF("%4d -> %4lu", i, buckets[i]);
- if ((i % ENTRIES_PER_LINE) ==
- (ENTRIES_PER_LINE - 1))
- PRINTF("\n");
- else
- PRINTF(" ");
- }
- PRINTF("\n");
+ PRINTF("IP states added:\n");
+ for (i = 0; i < 256; i++) {
+ if (ipsp->iss_proto[i] != 0) {
+ struct protoent *proto;
+
+ proto = getprotobynumber(i);
+ PRINTF("%lu", ipsp->iss_proto[i]);
+ if (proto != NULL)
+ PRINTF("\t%s\n", proto->p_name);
+ else
+ PRINTF("\t%d\n", i);
}
- PRINTF("\n");
+ }
- free(buckets);
+ PRINTF("\nState table bucket statistics:\n");
+ PRINTF("%u\tin use\n", ipsp->iss_inuse);
- if (live_kernel == 1) {
- showtqtable_live(state_fd);
- } else {
- printtqtable(ipsp->iss_tcptab);
- }
+ minlen = ipsp->iss_max;
+ totallen = 0;
+ maxlen = 0;
- return;
-
+ for (i = 0; i < ipsp->iss_state_size; i++) {
+ if (buckets[i] > maxlen)
+ maxlen = buckets[i];
+ if (buckets[i] < minlen)
+ minlen = buckets[i];
+ totallen += buckets[i];
}
- /*
- * Print out all the state information currently held in the kernel.
- */
- while (ipsp->iss_list != NULL) {
- ipstate_t ips;
+ PRINTF("%d\thash efficiency\n",
+ totallen ? ipsp->iss_inuse * 100 / totallen : 0);
+ PRINTF("%2.2f%%\tbucket usage\n%u\tminimal length\n",
+ ((float)ipsp->iss_inuse / ipsp->iss_state_size) * 100.0,
+ minlen);
+ PRINTF("%u\tmaximal length\n%.3f\taverage length\n",
+ maxlen,
+ ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
+ 0.0);
- ipsp->iss_list = fetchstate(ipsp->iss_list, &ips);
+#define ENTRIES_PER_LINE 5
- if (ipsp->iss_list != NULL) {
- ipsp->iss_list = ips.is_next;
- printstate(&ips, opts, ipsp->iss_ticks);
+ if (opts & OPT_VERBOSE) {
+ PRINTF("\nCurrent bucket sizes :\n");
+ for (i = 0; i < ipsp->iss_state_size; i++) {
+ if ((i % ENTRIES_PER_LINE) == 0)
+ PRINTF("\t");
+ PRINTF("%4d -> %4u", i, buckets[i]);
+ if ((i % ENTRIES_PER_LINE) ==
+ (ENTRIES_PER_LINE - 1))
+ PRINTF("\n");
+ else
+ PRINTF(" ");
}
+ PRINTF("\n");
}
+ PRINTF("\n");
+
+ free(buckets);
+
+ if (live_kernel == 1) {
+ showtqtable_live(state_fd);
+ } else {
+ printtqtable(ipsp->iss_tcptab);
+ }
}
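Review bot: In `showstatestats()`, `buckets = (u_int *)malloc(sz);` is handed to the kernel via `table.ita_table` (and to `kmemcpy()` in the dead path) without a NULL check, so an allocation failure becomes a write through a null pointer inside `SIOCGTABL` or `kmemcpy`; add `if (buckets == NULL) { perror("malloc"); return; }` directly after the allocation. The comment `If a list of states hasn't been asked for, only print out stats` above it was carried over from the old `showipstates()` and no longer describes this function, which prints the stats unconditionally; replace it with something like `Fetch the per-bucket occupancy counts used for the hash statistics below.` Also `sz` is an `int` computed from `iss_state_size`; a `size_t` avoids the signed multiplication, and `%d hash efficiency` is given an unsigned expression (`iss_inuse` is printed with `%u` elsewhere), so `%u` would match.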
@@ -1190,15 +1297,16 @@
static int handle_resize = 0, handle_break = 0;
static void topipstates(saddr, daddr, sport, dport, protocol, ver,
- refreshtime, topclosed)
-i6addr_t saddr;
-i6addr_t daddr;
-int sport;
-int dport;
-int protocol;
-int ver;
-int refreshtime;
-int topclosed;
+ refreshtime, topclosed, filter)
+ i6addr_t saddr;
+ i6addr_t daddr;
+ int sport;
+ int dport;
+ int protocol;
+ int ver;
+ int refreshtime;
+ int topclosed;
+ int *filter;
{
char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
@@ -1205,6 +1313,7 @@
int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
int len, srclen, dstlen, forward = 1, c = 0;
ips_stat_t ipsst, *ipsstp = &ipsst;
+ int token_type = IPFGENITER_STATE;
statetop_t *tstable = NULL, *tp;
const char *errstr = "";
ipstate_t ips;
@@ -1267,6 +1376,10 @@
if (ips.is_v != ver)
continue;
+ if ((filter != NULL) &&
+ (state_matcharray(&ips, filter) == 0))
+ continue;
+
/* check v4 src/dest addresses */
if (ips.is_v == 4) {
if ((saddr.in4.s_addr != INADDR_ANY &&
@@ -1348,6 +1461,7 @@
}
}
+ (void) ioctl(state_fd, SIOCIPFDELTOK, &token_type);
/* sort the array */
if (tsentry != -1) {
@@ -1485,14 +1599,14 @@
printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
str1, str2, str3, str4);
- /*
+ /*
* For an IPv4 IP address we need at most 15 characters,
* 4 tuples of 3 digits, separated by 3 dots. Enforce this
* length, so the colums do not change positions based
* on the size of the IP address. This length makes the
- * output fit in a 80 column terminal.
+ * output fit in a 80 column terminal.
* We are lacking a good solution for IPv6 addresses (that
- * can be longer that 15 characters), so we do not enforce
+ * can be longer that 15 characters), so we do not enforce
* a maximum on the IP field size.
*/
if (srclen < 15)
@@ -1629,8 +1743,8 @@
* Show fragment cache information that's held in the kernel.
*/
static void showfrstates(ifsp, ticks)
-ipfrstat_t *ifsp;
-u_long ticks;
+ ipfrstat_t *ifsp;
+ u_long ticks;
{
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
int i;
@@ -1638,13 +1752,13 @@
/*
* print out the numeric statistics
*/
- PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
+ PRINTF("IP fragment states:\n%lu\tnew\n%lu\texpired\n%lu\thits\n",
ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- PRINTF("\t%lu retrans\n\t%lu too short\n",
+ PRINTF("%lu\tretrans\n%lu\ttoo short\n",
ifsp->ifs_retrans0, ifsp->ifs_short);
- PRINTF("\t%lu no memory\n\t%lu already exist\n",
+ PRINTF("%lu\tno memory\n%lu\talready exist\n",
ifsp->ifs_nomem, ifsp->ifs_exists);
- PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
+ PRINTF("%lu\tinuse\n", ifsp->ifs_inuse);
PRINTF("\n");
if (live_kernel == 0) {
@@ -1664,7 +1778,7 @@
break;
ifr.ipfr_ttl -= ticks;
printfraginfo("", &ifr);
- } while (1);
+ } while (ifr.ipfr_next != NULL);
} else {
for (i = 0; i < IPFT_SIZE; i++)
while (ipfrtab[i] != NULL) {
@@ -1693,7 +1807,7 @@
break;
ifr.ipfr_ttl -= ticks;
printfraginfo("NAT: ", &ifr);
- } while (1);
+ } while (ifr.ipfr_next != NULL);
} else {
for (i = 0; i < IPFT_SIZE; i++)
while (ipfrtab[i] != NULL) {
@@ -1711,7 +1825,7 @@
* Show stats on how auth within IPFilter has been used
*/
static void showauthstates(asp)
-fr_authstat_t *asp;
+ ipf_authstat_t *asp;
{
frauthent_t *frap, fra;
ipfgeniter_t auth;
@@ -1727,7 +1841,7 @@
auth.igi_data = &fra;
#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
+ printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n",
(unsigned long long) asp->fas_hits,
(unsigned long long) asp->fas_miss);
#else
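Review bot: The new `printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n", ...)` pairs PRIu64 with arguments cast to `(unsigned long long)`; PRIu64 expands to the conversion for uint64_t, which on LP64 targets is `unsigned long`, so the argument type no longer matches the specifier and -Wformat will warn. Cast to the type the macro is defined for, `(uint64_t) asp->fas_hits, (uint64_t) asp->fas_miss`. The same pairing appears in dumprules in ipftest.c (hunk -634,100).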
@@ -1762,7 +1876,7 @@
* authentication, separately.
*/
static void showgroups(fiop)
-struct friostat *fiop;
+ struct friostat *fiop;
{
static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
@@ -1790,10 +1904,11 @@
}
}
+
static void parse_ipportstr(argument, ip, port)
-const char *argument;
-i6addr_t *ip;
-int *port;
+ const char *argument;
+ i6addr_t *ip;
+ int *port;
{
char *s, *comma;
int ok = 0;
@@ -1845,20 +1960,20 @@
#ifdef STATETOP
static void sig_resize(s)
-int s;
+ int s;
{
handle_resize = 1;
}
static void sig_break(s)
-int s;
+ int s;
{
handle_break = 1;
}
static char *getip(v, addr)
-int v;
-i6addr_t *addr;
+ int v;
+ i6addr_t *addr;
{
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
@@ -1878,7 +1993,7 @@
static char *ttl_to_string(ttl)
-long int ttl;
+ long int ttl;
{
static char ttlbuf[STSTRSIZE];
int hours, minutes, seconds;
@@ -1900,8 +2015,8 @@
static int sort_pkts(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
@@ -1916,8 +2031,8 @@
static int sort_bytes(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1931,8 +2046,8 @@
static int sort_p(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1946,8 +2061,8 @@
static int sort_ttl(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1960,8 +2075,8 @@
}
static int sort_srcip(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -1986,8 +2101,8 @@
}
static int sort_srcpt(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -2000,8 +2115,8 @@
}
static int sort_dstip(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -2026,8 +2141,8 @@
}
static int sort_dstpt(a, b)
-const void *a;
-const void *b;
+ const void *a;
+ const void *b;
{
register const statetop_t *ap = a;
register const statetop_t *bp = b;
@@ -2043,9 +2158,8 @@
ipstate_t *fetchstate(src, dst)
-ipstate_t *src, *dst;
+ ipstate_t *src, *dst;
{
- int i;
if (live_kernel == 1) {
ipfgeniter_t state;
@@ -2063,8 +2177,8 @@
if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
return NULL;
if (dst->is_next == NULL) {
- i = IPFGENITER_STATE;
- ioctl(state_fd, SIOCIPFDELTOK, &i);
+ int n = IPFGENITER_STATE;
+ (void) ioctl(ipf_fd,SIOCIPFDELTOK, &n);
}
} else {
if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
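Review bot: The token-release ioctl in fetchstate now goes through `ipf_fd`, while the SIOCGENITER call a few lines above it and the matching SIOCIPFDELTOK in topipstates (hunk -1348) both use `state_fd`. If the kernel ties an iterator token to the descriptor or per-open context that created it, deleting through a different descriptor would not find it and the token would linger until it times out; if tokens are keyed only on the caller's identity this is harmless but still inconsistent with the rest of the file. Use the descriptor the iterator was created on, `(void) ioctl(state_fd, SIOCIPFDELTOK, &n);`. The end of fetchstate lies outside this hunk.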
@@ -2075,8 +2189,8 @@
static int fetchfrag(fd, type, frp)
-int fd, type;
-ipfr_t *frp;
+ int fd, type;
+ ipfr_t *frp;
{
ipfgeniter_t frag;
ipfobj_t obj;
@@ -2096,8 +2210,155 @@
}
+static int state_matcharray(stp, array)
+ ipstate_t *stp;
+ int *array;
+{
+ int i, n, *x, rv, p;
+ ipfexp_t *e;
+
+ rv = 0;
+
+ for (n = array[0], x = array + 1; n > 0; x += e->ipfe_size) {
+ e = (ipfexp_t *)x;
+ if (e->ipfe_cmd == IPF_EXP_END)
+ break;
+ n -= e->ipfe_size;
+
+ rv = 0;
+ /*
+ * The upper 16 bits currently store the protocol value.
+ * This is currently used with TCP and UDP port compares and
+ * allows "tcp.port = 80" without requiring an explicit
+ " "ip.pr = tcp" first.
+ */
+ p = e->ipfe_cmd >> 16;
+ if ((p != 0) && (p != stp->is_p))
+ break;
+
+ switch (e->ipfe_cmd)
+ {
+ case IPF_EXP_IP_PR :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_p == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_IP_SRCADDR :
+ if (stp->is_v != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((stp->is_saddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_DSTADDR :
+ if (stp->is_v != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((stp->is_daddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_ADDR :
+ if (stp->is_v != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((stp->is_saddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((stp->is_daddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+#ifdef USE_INET6
+ case IPF_EXP_IP6_SRCADDR :
+ if (stp->is_v != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&stp->is_src,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_DSTADDR :
+ if (stp->is_v != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&stp->is_dst,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_ADDR :
+ if (stp->is_v != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&stp->is_src,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&stp->is_dst,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+#endif
+
+ case IPF_EXP_UDP_PORT :
+ case IPF_EXP_TCP_PORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_sport == e->ipfe_arg0[i]) ||
+ (stp->is_dport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_SPORT :
+ case IPF_EXP_TCP_SPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_sport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_DPORT :
+ case IPF_EXP_TCP_DPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_dport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_IDLE_GT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_die < e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_TCP_STATE :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (stp->is_state[0] == e->ipfe_arg0[i]) ||
+ (stp->is_state[1] == e->ipfe_arg0[i]);
+ }
+ break;
+ }
+ rv ^= e->ipfe_not;
+
+ if (rv == 0)
+ break;
+ }
+
+ return rv;
+}
+
+
static void showtqtable_live(fd)
-int fd;
+ int fd;
{
ipftq_t table[IPF_TCP_NSTATES];
ipfobj_t obj;
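Review bot: state_matcharray advances with `x += e->ipfe_size` and `n -= e->ipfe_size` without checking the step, so an expression whose ipfe_size is 0 never advances and the loop spins forever, and a size larger than the remaining `n` makes the next `e` point past the array. The array comes from this program's own expression parser, so this is a robustness rather than a trust-boundary issue, but a guard directly after the IPF_EXP_END test is cheap: `if (e->ipfe_size <= 0 || e->ipfe_size > n) break;`. The switch has no `default:`, so an unrecognised ipfe_cmd silently yields no match; a `default: break;` with a one-line comment would make that deliberate. The block comment above `p = e->ipfe_cmd >> 16` has a stray `"` where the `*` continuation belongs on the `"ip.pr = tcp"` line.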
Modified: trunk/contrib/ipfilter/tools/ipftest.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipftest.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipftest.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipftest.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -12,24 +12,23 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
+extern struct ipread pcap, iptext, iphex;
extern struct ifnet *get_unit __P((char *, int));
extern void init_ifp __P((void));
extern ipnat_t *natparse __P((char *, int));
-extern int fr_running;
extern hostmap_t **ipf_hm_maptable;
extern hostmap_t *ipf_hm_maplist;
-ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
+ipfmutex_t ipl_mutex, ipf_auth_mx, ipf_rw, ipf_stinsert;
ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
-ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens;
-int opts = OPT_DONOTHING;
+ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_authlk;
+ipfrwlock_t ipf_tokens;
+int opts = OPT_DONTOPEN;
int use_inet6 = 0;
int docksum = 0;
int pfil_delayed_copy = 0;
@@ -37,16 +36,16 @@
int loadrules __P((char *, int));
int kmemcpy __P((char *, long, int));
int kstrncpy __P((char *, long, int n));
-void dumpnat __P((void));
-void dumpstate __P((void));
-void dumplookups __P((void));
-void dumpgroups __P((void));
+int blockreason;
+void dumpnat __P((void *));
+void dumpgroups __P((ipf_main_softc_t *));
+void dumprules __P((frentry_t *));
void drain_log __P((char *));
void fixv4sums __P((mb_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- defined(__osf__) || defined(linux) || defined(__MidnightBSD__)
+ defined(__osf__) || defined(linux)
int ipftestioctl __P((int, ioctlcmd_t, ...));
int ipnattestioctl __P((int, ioctlcmd_t, ...));
int ipstatetestioctl __P((int, ioctlcmd_t, ...));
@@ -72,11 +71,13 @@
ipscantestioctl,
ipooltestioctl,
NULL };
+static ipf_main_softc_t *softc = NULL;
-int main(argc,argv)
-int argc;
-char *argv[];
+int
+main(argc,argv)
+ int argc;
+ char *argv[];
{
char *datain, *iface, *ifname, *logout;
int fd, i, dir, c, loaded, dump, hlen;
@@ -83,7 +84,7 @@
struct in_addr sip;
struct ifnet *ifp;
struct ipread *r;
- mb_t mb, *m;
+ mb_t mb, *m, *n;
ip_t *ip;
m = &mb;
@@ -98,19 +99,21 @@
sip.s_addr = 0;
ifname = "anon0";
- MUTEX_INIT(&ipf_rw, "ipf rw mutex");
- MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock");
- RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
- RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
- RWLOCK_INIT(&ipf_frcache, "ipf filter cache");
- RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
-
initparse();
- if (fr_initialise() == -1)
- abort();
- fr_running = 1;
+ ipf_load_all();
+
+ softc = ipf_create_all(NULL);
+ if (softc == NULL)
+ exit(1);
+
+ if (ipf_init_all(softc) == -1)
+ exit(1);
+
+ i = 1;
+ if (ipftestioctl(IPL_LOGIPF, SIOCFRENB, &i) != 0)
+ exit(1);
+
while ((c = getopt(argc, argv, "6bCdDF:i:I:l:N:P:or:RS:T:vxX")) != -1)
switch (c)
{
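Review bot: The three new start-up failures (`ipf_create_all` returning NULL, `ipf_init_all` returning -1, and the SIOCFRENB enable through ipftestioctl) each `exit(1)` without printing anything, so a user only sees the program stop with no hint of which step failed; the input-open failure later in main does print `perror("error opening input")`. Write a one-line diagnostic to stderr before each exit, e.g. `fprintf(stderr, "ipf_init_all failed\n");` for the second one; ipftestioctl sets errno on failure, so `perror("SIOCFRENB")` fits the third. main continues outside this hunk.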
@@ -137,12 +140,6 @@
case 'F' :
if (strcasecmp(optarg, "pcap") == 0)
r = &pcap;
- else if (strcasecmp(optarg, "etherfind") == 0)
- r = ðerf;
- else if (strcasecmp(optarg, "snoop") == 0)
- r = &snoop;
- else if (strcasecmp(optarg, "tcpdump") == 0)
- r = &tcpd;
else if (strcasecmp(optarg, "hex") == 0)
r = &iphex;
else if (strcasecmp(optarg, "text") == 0)
@@ -208,18 +205,21 @@
else
fd = (*r->r_open)("-");
- if (fd < 0)
+ if (fd < 0) {
+ perror("error opening input");
exit(-1);
+ }
- ip = MTOD(m, ip_t *);
- while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
- &iface, &dir)) > 0) {
+ m->m_data = (char *)m->mb_buf;
+ while ((i = (*r->r_readip)(m, &iface, &dir)) > 0) {
+
if ((iface == NULL) || (*iface == '\0'))
iface = ifname;
+
+ ip = MTOD(m, ip_t *);
ifp = get_unit(iface, IP_V(ip));
- if (!use_inet6) {
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
+
+ if (IP_V(ip) == 4) {
if ((r->r_flags & R_DO_CKSUM) || docksum)
fixv4sums(m, ip);
hlen = IP_HL(ip) << 2;
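Review bot: The read loop evaluates `IP_V(ip)` and then `IP_HL(ip)` from the buffer as soon as `r_readip` returns a positive count, without checking that `i` covers an IP header; if none of the readers enforce a minimum record length (not visible here), a truncated record in the input file is dispatched with a version and header length taken from whatever bytes follow the read. A check before the `get_unit` call, `if (i < (int)sizeof(ip_t)) break;` (or `continue` if short records should merely be skipped), closes that. Separately, the buffer reset is spelled `m->m_data = (char *)m->mb_buf;` here and `m->mb_data = (char *)m->mb_buf;` at the bottom of the loop (hunk -300); presumably one is an alias for the other, but pick one spelling. main continues outside this hunk.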
@@ -231,9 +231,11 @@
hlen = sizeof(ip6_t);
#endif
/* ipfr_slowtimer(); */
+ blockreason = 0;
m = &mb;
+ m->mb_ifp = ifp;
m->mb_len = i;
- i = fr_check(ip, hlen, ifp, dir, &m);
+ i = ipf_check(softc, ip, hlen, ifp, dir, &m);
if ((opts & OPT_NAT) == 0)
switch (i)
{
@@ -271,17 +273,24 @@
(void)printf("recognised return %#x\n", i);
break;
}
- if (!use_inet6) {
- ip->ip_off = htons(ip->ip_off);
- ip->ip_len = htons(ip->ip_len);
- }
if (!(opts & OPT_BRIEF)) {
putchar(' ');
- printpacket(ip);
+ if (m != NULL)
+ printpacket(dir, m);
+ else
+ printpacket(dir, &mb);
printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket(ip);
+ } else if ((opts & (OPT_BRIEF|OPT_NAT)) ==
+ (OPT_NAT|OPT_BRIEF)) {
+ if (m != NULL)
+ printpacket(dir, m);
+ else
+ PRINTF("%d\n", blockreason);
+ }
+
+ ipf_state_flush(softc, 1, 0);
+
if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL))
#if defined(__sgi) && (IRIX < 60500)
(*ifp->if_output)(ifp, (void *)m, NULL);
@@ -292,6 +301,13 @@
(*ifp->if_output)(ifp, (void *)m, NULL, 0);
# endif
#endif
+
+ while ((m != NULL) && (m != &mb)) {
+ n = m->mb_next;
+ freembt(m);
+ m = n;
+ }
+
if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
putchar('\n');
dir = 0;
@@ -300,6 +316,7 @@
iface = ifname;
}
m = &mb;
+ m->mb_data = (char *)m->mb_buf;
}
if (i != 0)
@@ -311,14 +328,25 @@
}
if (dump == 1) {
- dumpnat();
- dumpstate();
- dumplookups();
- dumpgroups();
+ dumpnat(softc->ipf_nat_soft);
+ ipf_state_dump(softc, softc->ipf_state_soft);
+ ipf_lookup_dump(softc, softc->ipf_state_soft);
+ dumpgroups(softc);
}
- fr_deinitialise();
+ ipf_fini_all(softc);
+ ipf_destroy_all(softc);
+
+ ipf_unload_all();
+
+ ipf_mutex_clean();
+ ipf_rwlock_clean();
+
+ if (getenv("FINDLEAKS")) {
+ fflush(stdout);
+ abort();
+ }
return 0;
}
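Review bot: `ipf_lookup_dump(softc, softc->ipf_state_soft)` hands the state soft-context to the lookup dumper, whereas the neighbouring calls pass the matching context (`ipf_nat_soft` to dumpnat, `ipf_state_soft` to ipf_state_dump). If ipf_lookup_dump uses its second argument this dumps the wrong structure; if it ignores it, the call still reads as a copy-paste slip. Pass the lookup context instead (presumably `softc->ipf_lookup_soft`; verify the member name). The `getenv("FINDLEAKS")` abort is a debugging aid and deserves a one-line comment saying so, e.g. `/* abort under a leak checker so the heap is inspected at exit */`.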
@@ -325,7 +353,7 @@
#if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- defined(__osf__) || defined(linux) || defined(__MidnightBSD__)
+ defined(__osf__) || defined(linux)
int ipftestioctl(int dev, ioctlcmd_t cmd, ...)
{
caddr_t data;
@@ -332,14 +360,15 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGIPF, cmd, data, FWRITE|FREAD);
if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
+ fprintf(stderr, "ipfioctl(IPF,%#x,%p) = %d (%d)\n",
+ (u_int)cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
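Review bot: `dev = dev; /* gcc -Wextra */` silences the unused-parameter warning by self-assignment, which clang flags with -Wself-assign and which reads as a mistake to the next maintainer. The conventional form is `(void) dev;`, and it applies to the same line in every ipfioctl wrapper in this file (hunks -354, -376, -398, -420, -442, -464 and the K&R variants from -480 onward). The debug trace also prints `softc->ipf_interror` only in the IPF and POOL wrappers; printing it in all of them would make the traces uniform.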
@@ -354,13 +383,14 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGNAT, cmd, data, FWRITE|FREAD);
if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(NAT,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -376,13 +406,14 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(STATE,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -398,13 +429,14 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(AUTH,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -420,13 +452,14 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(SCAN,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -442,13 +475,14 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n",
+ fprintf(stderr, "ipfioctl(SYNC,%#x,%p) = %d\n",
(u_int)cmd, data, i);
if (i != 0) {
errno = i;
@@ -464,14 +498,15 @@
va_list ap;
int i;
+ dev = dev; /* gcc -Wextra */
va_start(ap, cmd);
data = va_arg(ap, caddr_t);
va_end(ap);
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
+ i = ipfioctl(softc, IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
+ fprintf(stderr, "ipfioctl(POOL,%#x,%p) = %d (%d)\n",
+ (u_int)cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
@@ -480,15 +515,17 @@
}
#else
int ipftestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGIPF, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(IPF,%#x,%p) = %d (%d)\n",
+ cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
@@ -498,15 +535,16 @@
int ipnattestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGNAT, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -516,15 +554,16 @@
int ipstatetestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -534,15 +573,16 @@
int ipauthtestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -552,15 +592,16 @@
int ipsynctestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -570,15 +611,16 @@
int ipscantestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
if (i != 0) {
errno = i;
return -1;
@@ -588,15 +630,17 @@
int ipooltestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
+ dev_t dev;
+ ioctlcmd_t cmd;
+ void *data;
{
int i;
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
+ dev = dev; /* gcc -Wextra */
+ i = ipfioctl(softc, IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", cmd, data, i);
+ fprintf(stderr, "ipfioctl(POOL,%#x,%p) = %d (%d)\n",
+ cmd, data, i, softc->ipf_interror);
if (i != 0) {
errno = i;
return -1;
@@ -607,9 +651,9 @@
int kmemcpy(addr, offset, size)
-char *addr;
-long offset;
-int size;
+ char *addr;
+ long offset;
+ int size;
{
bcopy((char *)offset, addr, size);
return 0;
@@ -617,9 +661,9 @@
int kstrncpy(buf, pos, n)
-char *buf;
-long pos;
-int n;
+ char *buf;
+ long pos;
+ int n;
{
char *ptr;
@@ -634,100 +678,91 @@
/*
* Display the built up NAT table rules and mapping entries.
*/
-void dumpnat()
+void dumpnat(arg)
+ void *arg;
{
+ ipf_nat_softc_t *softn = arg;
hostmap_t *hm;
ipnat_t *ipn;
nat_t *nat;
printf("List of active MAP/Redirect filters:\n");
- for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
+ for (ipn = softn->ipf_nat_list; ipn != NULL; ipn = ipn->in_next)
printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
printf("\nList of active sessions:\n");
- for (nat = nat_instances; nat; nat = nat->nat_next) {
- printactivenat(nat, opts, 0, 0);
+ for (nat = softn->ipf_nat_instances; nat; nat = nat->nat_next) {
+ printactivenat(nat, opts, 0);
if (nat->nat_aps)
- printaps(nat->nat_aps, opts);
+ printf("\tproxy active\n");
}
printf("\nHostmap table:\n");
- for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
- printhostmap(hm, 0);
+ for (hm = softn->ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
+ printhostmap(hm, hm->hm_hv);
}
-/*
- * Display the built up state table rules and mapping entries.
- */
-void dumpstate()
+void dumpgroups(softc)
+ ipf_main_softc_t *softc;
{
- ipstate_t *ips;
-
- printf("List of active state sessions:\n");
- for (ips = ips_list; ips != NULL; )
- ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE),
- fr_ticks);
-}
-
-
-void dumplookups()
-{
- iphtable_t *iph;
- ip_pool_t *ipl;
- int i;
-
- printf("List of configured pools\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next)
- printpool(ipl, bcopywrap, NULL, opts);
-
- printf("List of configured hash tables\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next)
- printhash(iph, bcopywrap, NULL, opts);
-}
-
-
-void dumpgroups()
-{
frgroup_t *fg;
- frentry_t *fr;
int i;
printf("List of groups configured (set 0)\n");
for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][0]; fg != NULL; fg = fg->fg_next) {
+ for (fg = softc->ipf_groups[i][0]; fg != NULL;
+ fg = fg->fg_next) {
printf("Dev.%d. Group %s Ref %d Flags %#x\n",
i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
-#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
-#else
- printf("%ld ", fr->fr_hits);
-#endif
- printfr(fr, ipftestioctl);
- }
+ dumprules(fg->fg_start);
}
printf("List of groups configured (set 1)\n");
for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][1]; fg != NULL; fg = fg->fg_next) {
+ for (fg = softc->ipf_groups[i][1]; fg != NULL;
+ fg = fg->fg_next) {
printf("Dev.%d. Group %s Ref %d Flags %#x\n",
i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
+ dumprules(fg->fg_start);
+ }
+
+ printf("Rules configured (set 0, in)\n");
+ dumprules(softc->ipf_rules[0][0]);
+ printf("Rules configured (set 0, out)\n");
+ dumprules(softc->ipf_rules[1][0]);
+ printf("Rules configured (set 1, in)\n");
+ dumprules(softc->ipf_rules[0][1]);
+ printf("Rules configured (set 1, out)\n");
+ dumprules(softc->ipf_rules[1][1]);
+
+ printf("Accounting rules configured (set 0, in)\n");
+ dumprules(softc->ipf_acct[0][0]);
+ printf("Accounting rules configured (set 0, out)\n");
+ dumprules(softc->ipf_acct[0][1]);
+ printf("Accounting rules configured (set 1, in)\n");
+ dumprules(softc->ipf_acct[1][0]);
+ printf("Accounting rules configured (set 1, out)\n");
+ dumprules(softc->ipf_acct[1][1]);
+}
+
+void dumprules(rulehead)
+ frentry_t *rulehead;
+{
+ frentry_t *fr;
+
+ for (fr = rulehead; fr != NULL; fr = fr->fr_next) {
#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
+ printf("%"PRIu64" ",(unsigned long long)fr->fr_hits);
#else
- printf("%ld ", fr->fr_hits);
+ printf("%ld ", fr->fr_hits);
#endif
- printfr(fr, ipftestioctl);
- }
- }
+ printfr(fr, ipftestioctl);
+ }
}
void drain_log(filename)
-char *filename;
+ char *filename;
{
char buffer[DEFAULT_IPFLOGSIZE];
struct iovec iov;
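Review bot: In dumpgroups the accounting block indexes `ipf_acct` the other way round from `ipf_rules`: the rules are printed as `[0][0]` "set 0, in", `[1][0]` "set 0, out", `[0][1]` "set 1, in", `[1][1]` "set 1, out", but the accounting lines print `[0][1]` as "set 0, out" and `[1][0]` as "set 1, in". Assuming both arrays share the same [direction][set] layout, two of the accounting labels are attached to the wrong list; change them to `dumprules(softc->ipf_acct[1][0]);` under "(set 0, out)" and `dumprules(softc->ipf_acct[0][1]);` under "(set 1, in)". dumprules also pairs PRIu64 with an `(unsigned long long)` cast, as noted on showauthstates in ipfstat.c.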
@@ -753,7 +788,7 @@
uio.uio_resid = iov.iov_len;
resid = uio.uio_resid;
- if (ipflog_read(i, &uio) == 0) {
+ if (ipf_log_read(softc, i, &uio) == 0) {
/*
* If nothing was read then break out.
*/
@@ -769,18 +804,38 @@
void fixv4sums(m, ip)
-mb_t *m;
-ip_t *ip;
+ mb_t *m;
+ ip_t *ip;
{
- u_char *csump, *hdr;
+ u_char *csump, *hdr, p;
+ fr_info_t tmp;
+ int len;
- ip->ip_sum = 0;
- ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
+ p = 0;
+ len = 0;
+ bzero((char *)&tmp, sizeof(tmp));
csump = (u_char *)ip;
- csump += IP_HL(ip) << 2;
+ if (IP_V(ip) == 4) {
+ ip->ip_sum = 0;
+ ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
+ tmp.fin_hlen = IP_HL(ip) << 2;
+ csump += IP_HL(ip) << 2;
+ p = ip->ip_p;
+ len = ntohs(ip->ip_len);
+#ifdef USE_INET6
+ } else if (IP_V(ip) == 6) {
+ tmp.fin_hlen = sizeof(ip6_t);
+ csump += sizeof(ip6_t);
+ p = ((ip6_t *)ip)->ip6_nxt;
+ len = ntohs(((ip6_t *)ip)->ip6_plen);
+ len += sizeof(ip6_t);
+#endif
+ }
+ tmp.fin_plen = len;
+ tmp.fin_dlen = len - tmp.fin_hlen;
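Review bot: fixv4sums now takes `len` from the packet's own length field (`ntohs(ip->ip_len)`, or ip6_plen plus the header) and feeds it to fr_cksum via `tmp.fin_plen`/`tmp.fin_dlen`, with no comparison against the bytes actually present. If fr_cksum walks fin_dlen bytes (not visible here), a record whose length field exceeds the data read makes it read past the end of the input, and a length field smaller than the header leaves `fin_dlen` negative. Clamp before use, `if (len > m->mb_len) len = m->mb_len;`, and skip the transport checksum when `len < tmp.fin_hlen`; note the caller stores `i` into `m->mb_len` only after calling fixv4sums (hunk -231), so that assignment would have to move above the call. The rest of fixv4sums, including the fr_cksum call, is in the next hunk.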
- switch (ip->ip_p)
+ switch (p)
{
case IPPROTO_TCP :
hdr = csump;
@@ -800,7 +855,12 @@
break;
}
if (hdr != NULL) {
+ tmp.fin_m = m;
+ tmp.fin_mp = &m;
+ tmp.fin_dp = hdr;
+ tmp.fin_ip = ip;
+ tmp.fin_plen = len;
*csump = 0;
- *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
+ *(u_short *)csump = fr_cksum(&tmp, ip, p, hdr);
}
}
Modified: trunk/contrib/ipfilter/tools/ipmon.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipmon.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipmon.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,84 +1,22 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipmon.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifndef SOLARIS
-#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
-#endif
-
-#include <sys/types.h>
+#include "ipf.h"
+#include "ipmon.h"
+#include <sys/ioctl.h>
#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/time.h>
-#define _KERNEL
-#include <sys/uio.h>
-#undef _KERNEL
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
+#include <syslog.h>
+#include <ctype.h>
#include <fcntl.h>
-#include <errno.h>
-#include <time.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# if defined(__MidnightBSD__) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-#endif
-#if !defined(__hpux) && (!defined(__SVR4) && !defined(__GNUC__))
-# include <strings.h>
-#endif
#include <signal.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <netinet/ip.h>
-#if !defined(__hpux) && !defined(linux)
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef __hpux
-# undef NOERROR
-#endif
-#include <resolv.h>
-#if !defined(linux)
-# include <sys/protosw.h>
-# include <netinet/ip_var.h>
-#endif
-
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-
-#include <ctype.h>
-#include <syslog.h>
-
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipmon.h"
-
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -89,13 +27,42 @@
#define STRERROR(x) strerror(x)
#endif
+extern int optind;
+extern char *optarg;
+extern ipmon_saver_t executesaver;
+extern ipmon_saver_t filesaver;
+extern ipmon_saver_t nothingsaver;
+extern ipmon_saver_t snmpv1saver;
+extern ipmon_saver_t snmpv2saver;
+extern ipmon_saver_t syslogsaver;
+
+
struct flags {
int value;
char flag;
};
+typedef struct logsource {
+ int fd;
+ int logtype;
+ char *file;
+ int regular;
+ size_t size;
+} logsource_t;
+typedef struct config {
+ int opts;
+ int maxfd;
+ logsource_t logsrc[3];
+ fd_set fdmr;
+ FILE *blog;
+ char *bfile;
+ FILE *log;
+ char *file;
+ char *cfile;
+} config_t;
+
typedef struct icmp_subtype {
int ist_val;
char *ist_name;
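Review bot: `logsource_t logsrc[3];` in config_t hard-codes the slot count and neither struct says what its fields hold, so a reader has to find the initialiser elsewhere to learn what the three sources are or what `regular` and `size` mean. Replace the bare `3` with a named constant and give each field a trailing comment, e.g. `int regular; /* non-zero when the source is a plain file rather than a device — confirm at the open site */`, hedged until the initialisation code confirms it.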
@@ -124,6 +91,28 @@
{ 0, '\0' }
};
+char *reasons[] = {
+ "filter-rule",
+ "log-or-block_1",
+ "pps-rate",
+ "jumbogram",
+ "makefrip-fail",
+ "state_add-fail",
+ "updateipid-fail",
+ "log-or-block_2",
+ "decap-fail",
+ "auth_new-fail",
+ "auth_captured",
+ "coalesce-fail",
+ "pullup-fail",
+ "auth-feedback",
+ "bad-frag",
+ "natv4_out-fail",
+ "natv4_in-fail",
+ "natv6_out-fail",
+ "natv6_in-fail",
+};
+
#ifdef MENTAT
static char *pidfile = "/etc/opt/ipf/ipmon.pid";
#else
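Review bot: `reasons[]` is a writable, externally visible array of mutable strings whose only consumer in this file is a read (`reasons[ipf->fl_breason]` later in the diff), and nothing records how many entries it has. Unless another translation unit references it, declare it `static const char *const reasons[] = { ... };` and give it a count, `#define NREASONS (sizeof(reasons) / sizeof(reasons[0]))`, so the index taken from a log record can be range-checked against something. The order presumably mirrors the kernel's block-reason numbering; a comment naming that enum (`/* must match FRB_* in ip_fil.h */` or whatever the real name is) would let the two be kept in step when a reason is added.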
@@ -135,18 +124,14 @@
#endif
static char line[2048];
-static int opts = 0;
-static char *logfile = NULL;
-static FILE *binarylog = NULL;
-static char *binarylogfile = NULL;
static int donehup = 0;
static void usage __P((char *));
static void handlehup __P((int));
static void flushlogs __P((char *, FILE *));
-static void print_log __P((int, FILE *, char *, int));
-static void print_ipflog __P((FILE *, char *, int));
-static void print_natlog __P((FILE *, char *, int));
-static void print_statelog __P((FILE *, char *, int));
+static void print_log __P((config_t *, logsource_t *, char *, int));
+static void print_ipflog __P((config_t *, char *, int));
+static void print_natlog __P((config_t *, char *, int));
+static void print_statelog __P((config_t *, char *, int));
static int read_log __P((int, int *, char *, int));
static void write_pid __P((char *));
static char *icmpname __P((u_int, u_int));
@@ -159,39 +144,30 @@
static struct tm *get_tm __P((time_t));
#endif
-char *hostname __P((int, int, u_32_t *));
-char *portname __P((int, char *, u_int));
+char *portlocalname __P((int, char *, u_int));
int main __P((int, char *[]));
static void logopts __P((int, char *));
static void init_tabs __P((void));
-static char *getproto __P((u_int));
+static char *getlocalproto __P((u_int));
+static void openlogs __P((config_t *conf));
+static int read_loginfo __P((config_t *conf));
+static void initconfig __P((config_t *conf));
static char **protocols = NULL;
static char **udp_ports = NULL;
static char **tcp_ports = NULL;
-static char *conf_file = NULL;
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-#define OPT_LOGBODY 0x800
+#define HOSTNAMEV4(b) hostname(AF_INET, (u_32_t *)&(b))
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
-
#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
#endif
int logfac = LOGFAC;
+int ipmonopts = 0;
+int opts = OPT_NORESOLVE;
+int use_inet6 = 0;
static icmp_subtype_t icmpunreachnames[] = {
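Review bot: The hunk introduces two parallel option words, `opts` (pre-set to `OPT_NORESOLVE`) and `ipmonopts`, and nothing says which code reads which; the `-n` handler further down has to update both (`ipmonopts |= IPMON_RESOLVE; opts &= ~OPT_NORESOLVE;`), which is easy to get wrong the next time a flag is added. A comment at the definitions would help, e.g. `int opts = OPT_NORESOLVE; /* OPT_* bits read by the shared libipf helpers (hostname() etc.) */` and `int ipmonopts = 0; /* IPMON_* bits private to ipmon */` — I am inferring the split from the `-n` case and the new `hostname(family, ...)` calls that no longer take a resolve argument, so confirm who actually consumes `opts`. Both globals are also non-`static` even though only `opts` appears to need external linkage.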
@@ -233,7 +209,7 @@
{ -2, NULL }
};
-static icmp_type_t icmptypes[] = {
+static icmp_type_t icmptypes4[] = {
{ ICMP_ECHOREPLY, NULL, 0, "echoreply" },
{ -1, NULL, 0, NULL },
{ -1, NULL, 0, NULL },
@@ -338,9 +314,9 @@
};
static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
-int type;
-icmp_subtype_t *table;
-size_t tablesz;
+ int type;
+ icmp_subtype_t *table;
+ size_t tablesz;
{
icmp_subtype_t *ist;
int i;
@@ -363,9 +339,9 @@
static icmp_type_t *find_icmptype(type, table, tablesz)
-int type;
-icmp_type_t *table;
-size_t tablesz;
+ int type;
+ icmp_type_t *table;
+ size_t tablesz;
{
icmp_type_t *it;
int i;
@@ -388,7 +364,7 @@
static void handlehup(sig)
-int sig;
+ int sig;
{
signal(SIGHUP, handlehup);
donehup = 1;
@@ -421,12 +397,12 @@
p->p_name != NULL && protocols[p->p_proto] == NULL)
protocols[p->p_proto] = strdup(p->p_name);
endprotoent();
-#if defined(_AIX51)
if (protocols[0])
free(protocols[0]);
+ protocols[0] = strdup("ip");
+#if defined(_AIX51)
if (protocols[252])
free(protocols[252]);
- protocols[0] = "ip";
protocols[252] = NULL;
#endif
}
@@ -480,8 +456,8 @@
}
-static char *getproto(p)
-u_int p;
+static char *getlocalproto(p)
+ u_int p;
{
static char pnum[4];
char *s;
@@ -497,11 +473,14 @@
static int read_log(fd, lenp, buf, bufsize)
-int fd, bufsize, *lenp;
-char *buf;
+ int fd, bufsize, *lenp;
+ char *buf;
{
int nr;
+ if (bufsize > IPFILTER_LOGSIZE)
+ bufsize = IPFILTER_LOGSIZE;
+
nr = read(fd, buf, bufsize);
if (!nr)
return 2;
@@ -512,51 +491,18 @@
}
-char *hostname(res, v, ip)
-int res, v;
-u_32_t *ip;
+char *portlocalname(res, proto, port)
+ int res;
+ char *proto;
+ u_int port;
{
-# define MAX_INETA 16
- static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct hostent *hp;
- struct in_addr ipa;
+ static char pname[8];
+ char *s;
- if (v == 4) {
- ipa.s_addr = *ip;
- if (!res)
- return inet_ntoa(ipa);
- hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET);
- if (!hp)
- return inet_ntoa(ipa);
- sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name,
- inet_ntoa(ipa));
- return hname;
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-char *portname(res, proto, port)
-int res;
-char *proto;
-u_int port;
-{
- static char pname[8];
- char *s;
-
port = ntohs(port);
port &= 0xffff;
- (void) sprintf(pname, "%u", port);
- if (!res || (opts & OPT_PORTNUM))
+ sprintf(pname, "%u", port);
+ if (!res || (ipmonopts & IPMON_PORTNUM))
return pname;
s = NULL;
if (!strcmp(proto, "tcp"))
@@ -569,9 +515,9 @@
}
-static char *icmpname(type, code)
-u_int type;
-u_int code;
+static char *icmpname(type, code)
+ u_int type;
+ u_int code;
{
static char name[80];
icmp_subtype_t *ist;
@@ -579,7 +525,7 @@
char *s;
s = NULL;
- it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it));
+ it = find_icmptype(type, icmptypes4, sizeof(icmptypes4) / sizeof(*it));
if (it != NULL)
s = it->it_name;
@@ -600,9 +546,9 @@
return name;
}
-static char *icmpname6(type, code)
-u_int type;
-u_int code;
+static char *icmpname6(type, code)
+ u_int type;
+ u_int code;
{
static char name[80];
icmp_subtype_t *ist;
@@ -632,11 +578,11 @@
}
-void dumphex(log, dopts, buf, len)
-FILE *log;
-int dopts;
-char *buf;
-int len;
+void dumphex(log, dopts, buf, len)
+ FILE *log;
+ int dopts;
+ char *buf;
+ int len;
{
char hline[80];
int i, j, k;
@@ -651,7 +597,7 @@
if (j && !(j & 0xf)) {
*t++ = '\n';
*t = '\0';
- if ((dopts & OPT_SYSLOG))
+ if ((dopts & IPMON_SYSLOG))
syslog(LOG_INFO, "%s", hline);
else if (log != NULL)
fputs(hline, log);
@@ -665,10 +611,10 @@
sprintf((char *)t, " ");
t += 8;
for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
s--;
}
-
+
if ((j + 1) & 0xf)
*t++ = ' ';;
}
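Review bot: `isprint(*s)` is called on a plain `char` from packet data, so any byte >= 0x80 becomes a negative `int` and the call is undefined behaviour (glibc indexes a table with it); the `ISPRINT` wrapper this replaced presumably existed to avoid exactly that. Use `*t++ = (isprint((unsigned char)*s) ? *s : '.');` here. `dumphex()` starts and ends outside this hunk.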
@@ -683,11 +629,11 @@
t += 7;
s -= j & 0xf;
for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
+ *t++ = (isprint(*s) ? *s : '.');
*t++ = '\n';
*t = '\0';
}
- if ((dopts & OPT_SYSLOG) != 0)
+ if ((dopts & IPMON_SYSLOG) != 0)
syslog(LOG_INFO, "%s", hline);
else if (log != NULL) {
fputs(hline, log);
@@ -696,11 +642,11 @@
}
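Review bot: Same issue as the earlier line in `dumphex()`: `isprint(*s)` with a signed `char` holding packet bytes is undefined for values >= 0x80. The trailing-partial-line loop should read `*t++ = (isprint((unsigned char)*s) ? *s : '.');` as well, so the two passes stay identical.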
-static struct tm *get_tm(sec)
+static struct tm *get_tm(sec)
#ifdef __hpux
-u_32_t sec;
+ u_32_t sec;
#else
-time_t sec;
+ time_t sec;
#endif
{
struct tm *tm;
@@ -711,23 +657,44 @@
return tm;
}
-static void print_natlog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
+static void print_natlog(conf, buf, blen)
+ config_t *conf;
+ char *buf;
+ int blen;
{
- struct natlog *nl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line;
- struct tm *tm;
- int res, i, len;
- char *proto;
+ static u_32_t seqnum = 0;
+ int res, i, len, family;
+ struct natlog *nl;
+ struct tm *tm;
+ iplog_t *ipl;
+ char *proto;
+ int simple;
+ char *t;
+ t = line;
+ simple = 0;
+ ipl = (iplog_t *)buf;
+ if (ipl->ipl_seqnum != seqnum) {
+ if ((ipmonopts & IPMON_SYSLOG) != 0) {
+ syslog(LOG_WARNING,
+ "missed %u NAT log entries: %u %u",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ } else {
+ (void) fprintf(conf->log,
+ "missed %u NAT log entries: %u %u\n",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ }
+ }
+ seqnum = ipl->ipl_seqnum + ipl->ipl_count;
+
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
+ res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
tm = get_tm(ipl->ipl_sec);
len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
+
+ if (!(ipmonopts & IPMON_SYSLOG)) {
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
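Review bot: The new sequence check in `print_natlog()` compares the very first record against a `seqnum` that starts at 0, so unless the kernel's counter also starts at 0 and ipmon is attached before the first NAT event, startup (and every `-N file` replay of a saved log) produces a spurious "missed N NAT log entries" warning, and because the subtraction is unsigned the N can be a number close to 2^32. A one-shot guard fixes both: add `static int seen = 0;`, change the test to `if (seen && ipl->ipl_seqnum != seqnum) {`, and set `seen = 1;` after `seqnum = ipl->ipl_seqnum + ipl->ipl_count;`. The warning is also written with `fprintf(conf->log, ...)` without the `conf->log != NULL` check the rest of the function uses; in the current `main()` that is only reachable with a non-NULL log, but the guard costs nothing. `print_natlog()` continues past the end of this hunk.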
@@ -735,81 +702,184 @@
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
+ sprintf(t, ".%-.6ld @%hd ", (long)ipl->ipl_usec, nl->nl_rule + 1);
t += strlen(t);
- if (nl->nl_type == NL_NEWMAP)
- strcpy(t, "NAT:MAP ");
- else if (nl->nl_type == NL_NEWRDR)
- strcpy(t, "NAT:RDR ");
- else if (nl->nl_type == NL_FLUSH)
- strcpy(t, "NAT:FLUSH ");
- else if (nl->nl_type == NL_EXPIRE)
- strcpy(t, "NAT:EXPIRE ");
- else if (nl->nl_type == NL_NEWBIMAP)
- strcpy(t, "NAT:BIMAP ");
- else if (nl->nl_type == NL_NEWBLOCK)
- strcpy(t, "NAT:MAPBLOCK ");
- else if (nl->nl_type == NL_CLONE)
- strcpy(t, "NAT:CLONE ");
- else if (nl->nl_type == NL_DESTROY)
- strcpy(t, "NAT:DESTROY ");
- else
- sprintf(t, "Type: %d ", nl->nl_type);
+ switch (nl->nl_action)
+ {
+ case NL_NEW :
+ strcpy(t, "NAT:NEW");
+ break;
+
+ case NL_FLUSH :
+ strcpy(t, "NAT:FLUSH");
+ break;
+
+ case NL_CLONE :
+ strcpy(t, "NAT:CLONE");
+ break;
+
+ case NL_EXPIRE :
+ strcpy(t, "NAT:EXPIRE");
+ break;
+
+ case NL_DESTROY :
+ strcpy(t, "NAT:DESTROY");
+ break;
+
+ case NL_PURGE :
+ strcpy(t, "NAT:PURGE");
+ break;
+
+ default :
+ sprintf(t, "NAT:Action(%d)", nl->nl_action);
+ break;
+ }
t += strlen(t);
- proto = getproto(nl->nl_p);
- (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
- portname(res, proto, (u_int)nl->nl_inport));
+ switch (nl->nl_type)
+ {
+ case NAT_MAP :
+ strcpy(t, "-MAP ");
+ simple = 1;
+ break;
+
+ case NAT_REDIRECT :
+ strcpy(t, "-RDR ");
+ simple = 1;
+ break;
+
+ case NAT_BIMAP :
+ strcpy(t, "-BIMAP ");
+ simple = 1;
+ break;
+
+ case NAT_MAPBLK :
+ strcpy(t, "-MAPBLOCK ");
+ simple = 1;
+ break;
+
+ case NAT_REWRITE|NAT_MAP :
+ strcpy(t, "-RWR_MAP ");
+ break;
+
+ case NAT_REWRITE|NAT_REDIRECT :
+ strcpy(t, "-RWR_RDR ");
+ break;
+
+ case NAT_ENCAP|NAT_MAP :
+ strcpy(t, "-ENC_MAP ");
+ break;
+
+ case NAT_ENCAP|NAT_REDIRECT :
+ strcpy(t, "-ENC_RDR ");
+ break;
+
+ case NAT_DIVERTUDP|NAT_MAP :
+ strcpy(t, "-DIV_MAP ");
+ break;
+
+ case NAT_DIVERTUDP|NAT_REDIRECT :
+ strcpy(t, "-DIV_RDR ");
+ break;
+
+ default :
+ sprintf(t, "-Type(%d) ", nl->nl_type);
+ break;
+ }
t += strlen(t);
- (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
- portname(res, proto, (u_int)nl->nl_outport));
+
+ proto = getlocalproto(nl->nl_p[0]);
+
+ family = vtof(nl->nl_v[0]);
+
+ if (simple == 1) {
+ sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_osrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_osrcport));
+ t += strlen(t);
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_nsrcport));
+ t += strlen(t);
+ sprintf(t, "[%s,%s] ", hostname(family, nl->nl_odstip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_odstport));
+ } else {
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_osrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_osrcport));
+ t += strlen(t);
+ sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_odstip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_odstport));
+ t += strlen(t);
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_nsrcport));
+ t += strlen(t);
+ sprintf(t, "%s,%s ", hostname(family, nl->nl_ndstip.i6),
+ portlocalname(res, proto, (u_int)nl->nl_ndstport));
+ }
t += strlen(t);
- (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport),
- getproto(nl->nl_p));
+
+ strcpy(t, getlocalproto(nl->nl_p[0]));
t += strlen(t);
- if (nl->nl_type == NL_EXPIRE) {
+
+ if (nl->nl_action == NL_EXPIRE || nl->nl_action == NL_FLUSH) {
#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
- (long long)nl->nl_pkts[0],
- (long long)nl->nl_pkts[1],
- (long long)nl->nl_bytes[0],
- (long long)nl->nl_bytes[1]);
+# ifdef PRId64
+ sprintf(t, " Pkts %" PRId64 "/%" PRId64 " Bytes %" PRId64 "/%"
+ PRId64,
+# else
+ sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
+# endif
#else
- (void) sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
+ sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
+#endif
nl->nl_pkts[0], nl->nl_pkts[1],
nl->nl_bytes[0], nl->nl_bytes[1]);
-#endif
t += strlen(t);
}
*t++ = '\n';
*t++ = '\0';
- if (opts & OPT_SYSLOG)
+ if (ipmonopts & IPMON_SYSLOG)
syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
+ else if (conf->log != NULL)
+ (void) fprintf(conf->log, "%s", line);
}
-static void print_statelog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
+static void print_statelog(conf, buf, blen)
+ config_t *conf;
+ char *buf;
+ int blen;
{
- struct ipslog *sl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line, *proto;
- struct tm *tm;
- int res, i, len;
+ static u_32_t seqnum = 0;
+ int res, i, len, family;
+ struct ipslog *sl;
+ char *t, *proto;
+ struct tm *tm;
+ iplog_t *ipl;
+ t = line;
+ ipl = (iplog_t *)buf;
+ if (ipl->ipl_seqnum != seqnum) {
+ if ((ipmonopts & IPMON_SYSLOG) != 0) {
+ syslog(LOG_WARNING,
+ "missed %u state log entries: %u %u",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ } else {
+ (void) fprintf(conf->log,
+ "missed %u state log entries: %u %u\n",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ }
+ }
+ seqnum = ipl->ipl_seqnum + ipl->ipl_count;
+
sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
+ res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
tm = get_tm(ipl->ipl_sec);
len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
+ if (!(ipmonopts & IPMON_SYSLOG)) {
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
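Review bot: `print_statelog()` repeats the sequence-gap block from `print_natlog()` line for line (and `print_ipflog()` gets a third copy later in the diff), differing only in the word "state"; three copies of a check that already has a first-record problem will drift apart the first time one is fixed. Pull it into one static helper that takes the caller's counter by pointer, as below; the file's forward-declaration block (outside this hunk) needs a matching `static void check_seqnum __P((config_t *, char *, u_32_t *, iplog_t *));`. The helper also restores the `conf->log != NULL` guard that the inline copies drop. `print_statelog()` continues beyond the end of this hunk.
```c
/*
 * Warn about a gap in the kernel's per-log sequence numbers and advance
 * the caller's counter. Each printer keeps its own static counter.
 */
static void
check_seqnum(conf, what, seqnum, ipl)
	config_t *conf;
	char *what;
	u_32_t *seqnum;
	iplog_t *ipl;
{
	if (ipl->ipl_seqnum != *seqnum) {
		if ((ipmonopts & IPMON_SYSLOG) != 0)
			syslog(LOG_WARNING, "missed %u %s log entries: %u %u",
			       ipl->ipl_seqnum - *seqnum, what, *seqnum,
			       ipl->ipl_seqnum);
		else if (conf->log != NULL)
			(void) fprintf(conf->log,
				       "missed %u %s log entries: %u %u\n",
				       ipl->ipl_seqnum - *seqnum, what, *seqnum,
				       ipl->ipl_seqnum);
	}
	*seqnum = ipl->ipl_seqnum + ipl->ipl_count;
}

	/* … in print_statelog, replacing the inline comparison … */
	check_seqnum(conf, "state", &seqnum, ipl);
```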
@@ -817,9 +887,11 @@
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
+ sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
t += strlen(t);
+ family = vtof(sl->isl_v);
+
switch (sl->isl_type)
{
case ISL_NEW :
@@ -865,41 +937,37 @@
}
t += strlen(t);
- proto = getproto(sl->isl_p);
+ proto = getlocalproto(sl->isl_p);
if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
- (void) sprintf(t, "%s,%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
- portname(res, proto, (u_int)sl->isl_sport));
+ sprintf(t, "%s,%s -> ",
+ hostname(family, (u_32_t *)&sl->isl_src),
+ portlocalname(res, proto, (u_int)sl->isl_sport));
t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- portname(res, proto, (u_int)sl->isl_dport), proto);
+ sprintf(t, "%s,%s PR %s",
+ hostname(family, (u_32_t *)&sl->isl_dst),
+ portlocalname(res, proto, (u_int)sl->isl_dport), proto);
} else if (sl->isl_p == IPPROTO_ICMP) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
+ sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
+ sprintf(t, "%s PR icmp %d",
+ hostname(family, (u_32_t *)&sl->isl_dst),
sl->isl_itype);
} else if (sl->isl_p == IPPROTO_ICMPV6) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
+ sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
+ sprintf(t, "%s PR icmpv6 %d",
+ hostname(family, (u_32_t *)&sl->isl_dst),
sl->isl_itype);
} else {
- (void) sprintf(t, "%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src));
+ sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- proto);
+ sprintf(t, "%s PR %s",
+ hostname(family, (u_32_t *)&sl->isl_dst), proto);
}
t += strlen(t);
if (sl->isl_tag != FR_NOLOGTAG) {
- (void) sprintf(t, " tag %u", sl->isl_tag);
+ sprintf(t, " tag %u", sl->isl_tag);
t += strlen(t);
}
if (sl->isl_type != ISL_NEW) {
@@ -926,22 +994,26 @@
*t++ = '\n';
*t++ = '\0';
- if (opts & OPT_SYSLOG)
+ if (ipmonopts & IPMON_SYSLOG)
syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
+ else if (conf->log != NULL)
+ (void) fprintf(conf->log, "%s", line);
}
-static void print_log(logtype, log, buf, blen)
-FILE *log;
-char *buf;
-int logtype, blen;
+static void print_log(conf, log, buf, blen)
+ config_t *conf;
+ logsource_t *log;
+ char *buf;
+ int blen;
{
+ char *bp, *bpo;
iplog_t *ipl;
- char *bp = NULL, *bpo = NULL;
int psize;
+ bp = NULL;
+ bpo = NULL;
+
while (blen > 0) {
ipl = (iplog_t *)buf;
if ((u_long)ipl & (sizeof(long)-1)) {
@@ -961,22 +1033,22 @@
if (psize > blen)
break;
- if (binarylog) {
- fwrite(buf, psize, 1, binarylog);
- fflush(binarylog);
+ if (conf->blog != NULL) {
+ fwrite(buf, psize, 1, conf->blog);
+ fflush(conf->blog);
}
- if (logtype == IPL_LOGIPF) {
+ if (log->logtype == IPL_LOGIPF) {
if (ipl->ipl_magic == IPL_MAGIC)
- print_ipflog(log, buf, psize);
+ print_ipflog(conf, buf, psize);
- } else if (logtype == IPL_LOGNAT) {
+ } else if (log->logtype == IPL_LOGNAT) {
if (ipl->ipl_magic == IPL_MAGIC_NAT)
- print_natlog(log, buf, psize);
+ print_natlog(conf, buf, psize);
- } else if (logtype == IPL_LOGSTATE) {
+ } else if (log->logtype == IPL_LOGSTATE) {
if (ipl->ipl_magic == IPL_MAGIC_STATE)
- print_statelog(log, buf, psize);
+ print_statelog(conf, buf, psize);
}
blen -= psize;
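Review bot: The binary log write `fwrite(buf, psize, 1, conf->blog)` ignores its return value, so a full disk or a closed descriptor silently truncates the `-B` file that an operator may later rely on as evidence, while the text output continues as if nothing happened. Check it once: `if (fwrite(buf, psize, 1, conf->blog) != 1) syslog(LOG_ERR, "binary log write failed: %s", strerror(errno));` (or `fprintf(stderr, ...)` when syslog is off), and consider the same for the `fflush()`. `print_log()` starts and ends outside this hunk.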
@@ -988,22 +1060,23 @@
}
-static void print_ipflog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
+static void print_ipflog(conf, buf, blen)
+ config_t *conf;
+ char *buf;
+ int blen;
{
- tcphdr_t *tp;
- struct icmp *ic;
- struct icmp *icmp;
- struct tm *tm;
- char *t, *proto;
- int i, v, lvl, res, len, off, plen, ipoff, defaction;
- ip_t *ipc, *ip;
- u_32_t *s, *d;
- u_short hl, p;
+ static u_32_t seqnum = 0;
+ int i, f, lvl, res, len, off, plen, ipoff, defaction;
+ struct icmp *icmp;
+ struct icmp *ic;
+ char *t, *proto;
+ ip_t *ipc, *ip;
+ struct tm *tm;
+ u_32_t *s, *d;
+ u_short hl, p;
ipflog_t *ipf;
- iplog_t *ipl;
+ iplog_t *ipl;
+ tcphdr_t *tp;
#ifdef USE_INET6
struct ip6_ext *ehp;
u_short ehl;
@@ -1012,16 +1085,31 @@
#endif
ipl = (iplog_t *)buf;
+ if (ipl->ipl_seqnum != seqnum) {
+ if ((ipmonopts & IPMON_SYSLOG) != 0) {
+ syslog(LOG_WARNING,
+ "missed %u ipf log entries: %u %u",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ } else {
+ (void) fprintf(conf->log,
+ "missed %u ipf log entries: %u %u\n",
+ ipl->ipl_seqnum - seqnum, seqnum,
+ ipl->ipl_seqnum);
+ }
+ }
+ seqnum = ipl->ipl_seqnum + ipl->ipl_count;
+
ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
ip = (ip_t *)((char *)ipf + sizeof(*ipf));
- v = IP_V(ip);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
+ f = ipf->fl_family;
+ res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
t = line;
*t = '\0';
tm = get_tm(ipl->ipl_sec);
len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
+ if (!(ipmonopts & IPMON_SYSLOG)) {
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
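Review bot: `f = ipf->fl_family` now takes the address family from the record header instead of from the packet (`IP_V(ip)` before), and nothing checks that the record is long enough for the header that family implies before `ip` is dereferenced further down; `blen` is passed in but, as far as the visible hunks show, never consulted in `print_ipflog()`. That matters because records do not only come from the kernel: `-f file` replays a user-supplied file. A guard before the family switch, e.g. `if (blen < sizeof(*ipl) + sizeof(*ipf) + sizeof(ip_t)) goto printipflog;` (with `sizeof(ip6_t)` for `AF_INET6`), would bound the parse to what was actually read. `print_ipflog()` runs well past the end of this hunk.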
@@ -1029,13 +1117,13 @@
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
+ sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
t += strlen(t);
if (ipl->ipl_count > 1) {
- (void) sprintf(t, "%dx ", ipl->ipl_count);
+ sprintf(t, "%dx ", ipl->ipl_count);
t += strlen(t);
}
-#if (defined(MENTAT) || defined(__MidnightBSD__) || \
+#if (defined(MENTAT) || \
(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
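Review bot: The `defined(__MidnightBSD__)` term is dropped from the platform test that selects how the interface name is printed, which looks like a local patch lost on vendor import. If MidnightBSD does not also define `__FreeBSD__` with `__FreeBSD_version >= 501113`, the build now falls into the `#else` branch that formats `fl_ifname` with `%*.*s%u` and appends `fl_unit`, changing the log text for every line. Either restore `defined(__MidnightBSD__) ||` or add a comment stating that the FreeBSD macros cover MidnightBSD, so the next import does not reopen the question.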
@@ -1044,13 +1132,19 @@
strncpy(ifname, ipf->fl_ifname, sizeof(ipf->fl_ifname));
ifname[sizeof(ipf->fl_ifname)] = '\0';
- (void) sprintf(t, "%s", ifname);
+ sprintf(t, "%s", ifname);
t += strlen(t);
# if defined(MENTAT) || defined(linux)
- if (ISALPHA(*(t - 1))) {
- sprintf(t, "%d", ipf->fl_unit);
- t += strlen(t);
- }
+# if defined(linux)
+ /*
+ * On Linux, the loopback interface is just "lo", not "lo0".
+ */
+ if (strcmp(ifname, "lo") != 0)
+# endif
+ if (ISALPHA(*(t - 1))) {
+ sprintf(t, "%d", ipf->fl_unit);
+ t += strlen(t);
+ }
# endif
}
#else
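Review bot: The Linux-only `if (strcmp(ifname, "lo") != 0)` has no braces and governs the following `if (ISALPHA(...)) { ... }` only because of indentation and a `#endif` sitting between the two; that is correct today but is exactly the shape that breaks silently when someone adds a statement. Brace it: `if (strcmp(ifname, "lo") != 0) {` ... `}` around the inner `if`. Also note this hunk keeps the `ISALPHA()` macro while the same commit replaces `ISPRINT()` with bare `isprint()` in `dumphex()`; pick one convention, and if it is `<ctype.h>` then cast to `unsigned char` at every call.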
@@ -1059,7 +1153,7 @@
break;
if (ipf->fl_ifname[len])
len++;
- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
+ sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
t += strlen(t);
#endif
if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
@@ -1067,12 +1161,12 @@
else if (ipf->fl_group[0] == '\0')
(void) strcpy(t, " @0:");
else
- (void) sprintf(t, " @%s:", ipf->fl_group);
+ sprintf(t, " @%s:", ipf->fl_group);
t += strlen(t);
if (ipf->fl_rule == 0xffffffff)
strcat(t, "-1 ");
else
- (void) sprintf(t, "%u ", ipf->fl_rule + 1);
+ sprintf(t, "%u ", ipf->fl_rule + 1);
t += strlen(t);
lvl = LOG_NOTICE;
@@ -1107,8 +1201,17 @@
*t++ = ' ';
*t = '\0';
- if (v == 6) {
+ if (f == AF_INET) {
+ hl = IP_HL(ip) << 2;
+ ipoff = ntohs(ip->ip_off);
+ off = ipoff & IP_OFFMASK;
+ p = (u_short)ip->ip_p;
+ s = (u_32_t *)&ip->ip_src;
+ d = (u_32_t *)&ip->ip_dst;
+ plen = ntohs(ip->ip_len);
+ } else
#ifdef USE_INET6
+ if (f == AF_INET6) {
off = 0;
ipoff = 0;
hl = sizeof(ip6_t);
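Review bot: The IPv4 branch now applies `ntohs()` to `ip->ip_off` and `ip->ip_len`, where the removed code read both in host order; whether that is a fix or a regression depends on which byte order the kernel writes into the log record, and BSD kernels have historically swapped these two fields in `ip_input()` before the filter saw them. Please add a comment next to the assignments stating the record's byte order (`/* log records carry ip_len/ip_off in network order */` or the reverse) and, if older kernels or saved `-f` files differ, say so, because the printed `len` and `(frag ...)` values will be byte-swapped otherwise. The `} else` followed by `#ifdef USE_INET6 if (f == AF_INET6) {` also spans a preprocessor boundary; it parses, but a plain `else if` chain inside one `#ifdef` block would be easier to read.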
@@ -1140,32 +1243,22 @@
break;
}
}
-#else
- sprintf(t, "ipv6");
- goto printipflog;
+ } else
#endif
- } else if (v == 4) {
- hl = IP_HL(ip) << 2;
- ipoff = ip->ip_off;
- off = ipoff & IP_OFFMASK;
- p = (u_short)ip->ip_p;
- s = (u_32_t *)&ip->ip_src;
- d = (u_32_t *)&ip->ip_dst;
- plen = ip->ip_len;
- } else {
+ {
goto printipflog;
}
- proto = getproto(p);
+ proto = getlocalproto(p);
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
tp = (tcphdr_t *)((char *)ip + hl);
if (!(ipf->fl_lflags & FI_SHORT)) {
- (void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
- portname(res, proto, (u_int)tp->th_sport));
+ sprintf(t, "%s,%s -> ", hostname(f, s),
+ portlocalname(res, proto, (u_int)tp->th_sport));
t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu %hu",
- hostname(res, v, d),
- portname(res, proto, (u_int)tp->th_dport),
+ sprintf(t, "%s,%s PR %s len %hu %hu",
+ hostname(f, d),
+ portlocalname(res, proto, (u_int)tp->th_dport),
proto, hl, plen);
t += strlen(t);
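Review bot: `tp = (tcphdr_t *)((char *)ip + hl)` and the `tp->th_sport`/`th_dport` reads in the new `sprintf` calls trust `hl = IP_HL(ip) << 2` straight from the packet, so a record with an IHL below 5 points `tp` back inside the IP header and one with a large IHL reads past the bytes the record holds; only `FI_SHORT`, which is the kernel's own opinion of the packet, stands in the way, and a `-f file` replay is not the kernel. Before the TCP/UDP case, reject impossible headers, e.g. `if (hl < sizeof(ip_t) || hl + sizeof(*tp) > ipf->fl_hlen + ipf->fl_plen) goto printipflog;` — I am reading `fl_hlen + fl_plen` as the byte count that follows `ipf` from its use in the `dumphex()` calls, so confirm that meaning. `print_ipflog()` starts and ends outside this hunk.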
@@ -1175,8 +1268,8 @@
for (i = 0; tcpfl[i].value; i++)
if (tp->th_flags & tcpfl[i].value)
*t++ = tcpfl[i].flag;
- if (opts & OPT_VERBOSE) {
- (void) sprintf(t, " %lu %lu %hu",
+ if (ipmonopts & IPMON_VERBOSE) {
+ sprintf(t, " %lu %lu %hu",
(u_long)(ntohl(tp->th_seq)),
(u_long)(ntohl(tp->th_ack)),
ntohs(tp->th_win));
@@ -1185,24 +1278,26 @@
}
*t = '\0';
} else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu %hu",
- hostname(res, v, d), proto, hl, plen);
+ sprintf(t, "%s PR %s len %hu %hu",
+ hostname(f, d), proto, hl, plen);
}
- } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) {
+#if defined(AF_INET6) && defined(IPPROTO_ICMPV6)
+ } else if ((p == IPPROTO_ICMPV6) && !off && (f == AF_INET6)) {
ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
- hostname(res, v, d), hl, plen,
+ sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
+ hostname(f, d), hl, plen,
icmpname6(ic->icmp_type, ic->icmp_code));
- } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
+#endif
+ } else if ((p == IPPROTO_ICMP) && !off && (f == AF_INET)) {
ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
- hostname(res, v, d), hl, plen,
+ sprintf(t, "%s PR icmp len %hu %hu icmp %s",
+ hostname(f, d), hl, plen,
icmpname(ic->icmp_type, ic->icmp_code));
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
@@ -1218,7 +1313,7 @@
if (i > 1500)
i = ipc->ip_len;
ipoff = ntohs(ipc->ip_off);
- proto = getproto(ipc->ip_p);
+ proto = getlocalproto(ipc->ip_p);
if (!(ipoff & IP_OFFMASK) &&
((ipc->ip_p == IPPROTO_TCP) ||
@@ -1225,14 +1320,14 @@
(ipc->ip_p == IPPROTO_UDP))) {
tp = (tcphdr_t *)((char *)ipc + hl);
t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- HOSTNAME_V4(res, ipc->ip_src),
- portname(res, proto,
+ sprintf(t, " for %s,%s -",
+ HOSTNAMEV4(ipc->ip_src),
+ portlocalname(res, proto,
(u_int)tp->th_sport));
t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- HOSTNAME_V4(res, ipc->ip_dst),
- portname(res, proto,
+ sprintf(t, " %s,%s PR %s len %hu %hu",
+ HOSTNAMEV4(ipc->ip_dst),
+ portlocalname(res, proto,
(u_int)tp->th_dport),
proto, IP_HL(ipc) << 2, i);
} else if (!(ipoff & IP_OFFMASK) &&
@@ -1240,26 +1335,25 @@
icmp = (icmphdr_t *)((char *)ipc + hl);
t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
+ sprintf(t, " for %s -",
+ HOSTNAMEV4(ipc->ip_src));
t += strlen(t);
- (void) sprintf(t,
+ sprintf(t,
" %s PR icmp len %hu %hu icmp %d/%d",
- HOSTNAME_V4(res, ipc->ip_dst),
+ HOSTNAMEV4(ipc->ip_dst),
IP_HL(ipc) << 2, i,
icmp->icmp_type, icmp->icmp_code);
} else {
t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
+ sprintf(t, " for %s -",
+ HOSTNAMEV4(ipc->ip_src));
t += strlen(t);
- (void) sprintf(t, " %s PR %s len %hu (%hu)",
- HOSTNAME_V4(res, ipc->ip_dst), proto,
+ sprintf(t, " %s PR %s len %hu (%hu)",
+ HOSTNAMEV4(ipc->ip_dst), proto,
IP_HL(ipc) << 2, i);
t += strlen(t);
if (ipoff & IP_OFFMASK) {
- (void) sprintf(t,
- "(frag %d:%hu@%hu%s%s)",
+ sprintf(t, "(frag %d:%hu@%hu%s%s)",
ntohs(ipc->ip_id),
i - (IP_HL(ipc) << 2),
(ipoff & IP_OFFMASK) << 3,
@@ -1270,13 +1364,13 @@
}
} else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
+ sprintf(t, "%s -> ", hostname(f, s));
t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
- hostname(res, v, d), proto, hl, plen);
+ sprintf(t, "%s PR %s len %hu (%hu)",
+ hostname(f, d), proto, hl, plen);
t += strlen(t);
if (off & IP_OFFMASK)
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
+ sprintf(t, " (frag %d:%hu@%hu%s%s)",
ntohs(ip->ip_id),
plen - hl, (off & IP_OFFMASK) << 3,
ipoff & IP_MF ? "+" : "",
@@ -1347,32 +1441,43 @@
strcpy(t, " mbcast");
t += 7;
}
+ if (ipf->fl_breason != 0) {
+ strcpy(t, " reason:");
+ t += 8;
+ strcpy(t, reasons[ipf->fl_breason]);
+ t += strlen(reasons[ipf->fl_breason]);
+ }
*t++ = '\n';
*t++ = '\0';
defaction = 0;
- if (conf_file != NULL)
- defaction = check_action(buf, line, opts, lvl);
+ if (conf->cfile != NULL)
+ defaction = check_action(buf, line, ipmonopts, lvl);
+
if (defaction == 0) {
- if (opts & OPT_SYSLOG)
+ if (ipmonopts & IPMON_SYSLOG) {
syslog(lvl, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
+ } else if (conf->log != NULL) {
+ (void) fprintf(conf->log, "%s", line);
+ }
- if (opts & OPT_HEXHDR)
- dumphex(log, opts, buf,
+ if (ipmonopts & IPMON_HEXHDR) {
+ dumphex(conf->log, ipmonopts, buf,
sizeof(iplog_t) + sizeof(*ipf));
- if (opts & OPT_HEXBODY)
- dumphex(log, opts, (char *)ip,
+ }
+ if (ipmonopts & IPMON_HEXBODY) {
+ dumphex(conf->log, ipmonopts, (char *)ip,
ipf->fl_plen + ipf->fl_hlen);
- else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
- dumphex(log, opts, (char *)ip + ipf->fl_hlen,
+ } else if ((ipmonopts & IPMON_LOGBODY) &&
+ (ipf->fl_flags & FR_LOGBODY)) {
+ dumphex(conf->log, ipmonopts, (char *)ip + ipf->fl_hlen,
ipf->fl_plen);
+ }
}
}
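Review bot: `reasons[ipf->fl_breason]` indexes a 19-entry table with a value taken straight from the log record and the only test is `!= 0`, so a record from a newer kernel that knows more block reasons, or a corrupted/replayed `-f` file, reads a pointer past the end of `reasons[]` and `strcpy()`s from wherever it points. Bound the index: `if (ipf->fl_breason != 0 && ipf->fl_breason < sizeof(reasons) / sizeof(reasons[0])) {` and, for the out-of-range case, print the raw number (`sprintf(t, " reason:%d", ipf->fl_breason); t += strlen(t);`) so the information is not lost. The `strcpy()` into `line` itself is fine since the table strings are short. `print_ipflog()` starts outside this hunk.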
static void usage(prog)
-char *prog;
+ char *prog;
{
fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
exit(1);
@@ -1380,7 +1485,7 @@
static void write_pid(file)
-char *file;
+ char *file;
{
FILE *fp = NULL;
int fd;
@@ -1400,8 +1505,8 @@
static void flushlogs(file, log)
-char *file;
-FILE *log;
+ char *file;
+ FILE *log;
{
int fd, flushed = 0;
@@ -1416,11 +1521,11 @@
flushed);
fflush(stdout);
} else
- perror("SIOCIPFFB");
+ ipferror(fd, "SIOCIPFFB");
(void) close(fd);
if (flushed) {
- if (opts & OPT_SYSLOG) {
+ if (ipmonopts & IPMON_SYSLOG) {
syslog(LOG_INFO, "%d bytes flushed from log\n",
flushed);
} else if ((log != stdout) && (log != NULL)) {
@@ -1431,8 +1536,8 @@
static void logopts(turnon, options)
-int turnon;
-char *options;
+ int turnon;
+ char *options;
{
int flags = 0;
char *s;
@@ -1442,13 +1547,13 @@
switch (*s)
{
case 'N' :
- flags |= OPT_NAT;
+ flags |= IPMON_NAT;
break;
case 'S' :
- flags |= OPT_STATE;
+ flags |= IPMON_STATE;
break;
case 'I' :
- flags |= OPT_FILTER;
+ flags |= IPMON_FILTER;
break;
default :
fprintf(stderr, "Unknown log option %c\n", *s);
@@ -1457,64 +1562,87 @@
}
if (turnon)
- opts |= flags;
+ ipmonopts |= flags;
else
- opts &= ~(flags);
+ ipmonopts &= ~(flags);
}
+static void initconfig(config_t *conf)
+{
+ int i;
+ memset(conf, 0, sizeof(*conf));
+
+ conf->log = stdout;
+ conf->maxfd = -1;
+
+ for (i = 0; i < 3; i++) {
+ conf->logsrc[i].fd = -1;
+ conf->logsrc[i].logtype = -1;
+ conf->logsrc[i].regular = -1;
+ }
+
+ conf->logsrc[0].file = IPL_NAME;
+ conf->logsrc[1].file = IPNAT_NAME;
+ conf->logsrc[2].file = IPSTATE_NAME;
+
+ add_doing(&executesaver);
+ add_doing(&snmpv1saver);
+ add_doing(&snmpv2saver);
+ add_doing(&syslogsaver);
+ add_doing(&filesaver);
+ add_doing(¬hingsaver);
+}
+
+
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- struct stat sb;
- FILE *log = stdout;
- FILE *fp;
- int fd[3], doread, n, i;
- int tr, nr, regular[3], c;
- int fdt[3], devices = 0, make_daemon = 0;
- char buf[DEFAULT_IPFLOGSIZE], *iplfile[3], *s;
- extern int optind;
- extern char *optarg;
+ int doread, c, make_daemon = 0;
+ char *prog;
+ config_t config;
- fd[0] = fd[1] = fd[2] = -1;
- fdt[0] = fdt[1] = fdt[2] = -1;
- iplfile[0] = IPL_NAME;
- iplfile[1] = IPNAT_NAME;
- iplfile[2] = IPSTATE_NAME;
+ prog = strrchr(argv[0], '/');
+ if (prog == NULL)
+ prog = argv[0];
+ else
+ prog++;
+ initconfig(&config);
+
while ((c = getopt(argc, argv,
"?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
- opts |= OPT_LOGALL;
- fdt[0] = IPL_LOGIPF;
- fdt[1] = IPL_LOGNAT;
- fdt[2] = IPL_LOGSTATE;
+ ipmonopts |= IPMON_LOGALL;
+ config.logsrc[0].logtype = IPL_LOGIPF;
+ config.logsrc[1].logtype = IPL_LOGNAT;
+ config.logsrc[2].logtype = IPL_LOGSTATE;
break;
case 'b' :
- opts |= OPT_LOGBODY;
+ ipmonopts |= IPMON_LOGBODY;
break;
case 'B' :
- binarylogfile = optarg;
- binarylog = fopen(optarg, "a");
+ config.bfile = optarg;
+ config.blog = fopen(optarg, "a");
break;
case 'C' :
- conf_file = optarg;
+ config.cfile = optarg;
break;
case 'D' :
make_daemon = 1;
break;
case 'f' : case 'I' :
- opts |= OPT_FILTER;
- fdt[0] = IPL_LOGIPF;
- iplfile[0] = optarg;
+ ipmonopts |= IPMON_FILTER;
+ config.logsrc[0].logtype = IPL_LOGIPF;
+ config.logsrc[0].file = optarg;
break;
case 'F' :
- flushlogs(iplfile[0], log);
- flushlogs(iplfile[1], log);
- flushlogs(iplfile[2], log);
+ flushlogs(config.logsrc[0].file, config.log);
+ flushlogs(config.logsrc[1].file, config.log);
+ flushlogs(config.logsrc[2].file, config.log);
break;
case 'L' :
logfac = fac_findname(optarg);
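Review bot: `case 'B'` stores `fopen(optarg, "a")` without checking it, and because every later use is guarded by `conf->blog != NULL`, a failed open (bad path, permissions) means the operator asked for a binary log and silently got none; fail loudly instead: `if ((config.blog = fopen(optarg, "a")) == NULL) { perror(optarg); exit(1); }`. While here, `prog = strrchr(argv[0], '/')` dereferences `argv[0]`, which is NULL when the program is executed with an empty argv; `if (argc < 1 || argv[0] == NULL) usage("ipmon");` before it closes that. `initconfig()` is also written as an ANSI definition while every other function in the file, including the `main()` right below it, uses K&R parameter lists — one style or the other. `main()` continues well past the end of this hunk.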
@@ -1526,56 +1654,49 @@
}
break;
case 'n' :
- opts |= OPT_RESOLVE;
+ ipmonopts |= IPMON_RESOLVE;
+ opts &= ~OPT_NORESOLVE;
break;
case 'N' :
- opts |= OPT_NAT;
- fdt[1] = IPL_LOGNAT;
- iplfile[1] = optarg;
+ ipmonopts |= IPMON_NAT;
+ config.logsrc[1].logtype = IPL_LOGNAT;
+ config.logsrc[1].file = optarg;
break;
case 'o' : case 'O' :
logopts(c == 'o', optarg);
- fdt[0] = fdt[1] = fdt[2] = -1;
- if (opts & OPT_FILTER)
- fdt[0] = IPL_LOGIPF;
- if (opts & OPT_NAT)
- fdt[1] = IPL_LOGNAT;
- if (opts & OPT_STATE)
- fdt[2] = IPL_LOGSTATE;
+ if (ipmonopts & IPMON_FILTER)
+ config.logsrc[0].logtype = IPL_LOGIPF;
+ if (ipmonopts & IPMON_NAT)
+ config.logsrc[1].logtype = IPL_LOGNAT;
+ if (ipmonopts & IPMON_STATE)
+ config.logsrc[2].logtype = IPL_LOGSTATE;
break;
case 'p' :
- opts |= OPT_PORTNUM;
+ ipmonopts |= IPMON_PORTNUM;
break;
case 'P' :
pidfile = optarg;
break;
case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, logfac);
- s = NULL;
- opts |= OPT_SYSLOG;
- log = NULL;
+ ipmonopts |= IPMON_SYSLOG;
+ config.log = NULL;
break;
case 'S' :
- opts |= OPT_STATE;
- fdt[2] = IPL_LOGSTATE;
- iplfile[2] = optarg;
+ ipmonopts |= IPMON_STATE;
+ config.logsrc[2].logtype = IPL_LOGSTATE;
+ config.logsrc[2].file = optarg;
break;
case 't' :
- opts |= OPT_TAIL;
+ ipmonopts |= IPMON_TAIL;
break;
case 'v' :
- opts |= OPT_VERBOSE;
+ ipmonopts |= IPMON_VERBOSE;
break;
case 'x' :
- opts |= OPT_HEXBODY;
+ ipmonopts |= IPMON_HEXBODY;
break;
case 'X' :
- opts |= OPT_HEXHDR;
+ ipmonopts |= IPMON_HEXHDR;
break;
default :
case 'h' :
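Review bot: The `-o`/`-O` case drops the `fdt[0] = fdt[1] = fdt[2] = -1;` reset and then only ever sets `logsrc[i].logtype`, so turning a log off no longer clears it: `-a -O N` (or `-N file -O N`) leaves `logsrc[1].logtype == IPL_LOGNAT` even though `IPMON_NAT` was just removed from `ipmonopts`, and presumably `openlogs()` (outside this chunk) will still open the NAT log. Assign both directions from the option bits: `config.logsrc[0].logtype = (ipmonopts & IPMON_FILTER) ? IPL_LOGIPF : -1;`, `config.logsrc[1].logtype = (ipmonopts & IPMON_NAT) ? IPL_LOGNAT : -1;`, `config.logsrc[2].logtype = (ipmonopts & IPMON_STATE) ? IPL_LOGSTATE : -1;`. If the new behaviour is intended, a comment saying that `-O` no longer closes an already-selected source would stop this from reading like an accident. `main()` starts and ends outside this hunk.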
@@ -1583,69 +1704,62 @@
usage(argv[0]);
}
+ if (ipmonopts & IPMON_SYSLOG)
+ openlog(prog, LOG_NDELAY|LOG_PID, logfac);
+
init_tabs();
- if (conf_file)
- if (load_config(conf_file) == -1)
+ if (config.cfile)
+ if (load_config(config.cfile) == -1) {
+ unload_config();
exit(1);
+ }
/*
* Default action is to only open the filter log file.
*/
- if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
- fdt[0] = IPL_LOGIPF;
+ if ((config.logsrc[0].logtype == -1) &&
+ (config.logsrc[0].logtype == -1) &&
+ (config.logsrc[0].logtype == -1))
+ config.logsrc[0].logtype = IPL_LOGIPF;
- for (i = 0; i < 3; i++) {
- if (fdt[i] == -1)
- continue;
- if (!strcmp(iplfile[i], "-"))
- fd[i] = 0;
- else {
- if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
- (void) fprintf(stderr,
- "%s: open: %s\n", iplfile[i],
- STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (fstat(fd[i], &sb) == -1) {
- (void) fprintf(stderr, "%d: fstat: %s\n",
- fd[i], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (!(regular[i] = !S_ISCHR(sb.st_mode)))
- devices++;
- }
- }
+ openlogs(&config);
- if (!(opts & OPT_SYSLOG)) {
- logfile = argv[optind];
- log = logfile ? fopen(logfile, "a") : stdout;
- if (log == NULL) {
+ if (!(ipmonopts & IPMON_SYSLOG)) {
+ config.file = argv[optind];
+ config.log = config.file ? fopen(config.file, "a") : stdout;
+ if (config.log == NULL) {
(void) fprintf(stderr, "%s: fopen: %s\n",
argv[optind], STRERROR(errno));
exit(1);
/* NOTREACHED */
}
- setvbuf(log, NULL, _IONBF, 0);
- } else
- log = NULL;
+ setvbuf(config.log, NULL, _IONBF, 0);
+ } else {
+ config.log = NULL;
+ }
- if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
+ if (make_daemon &&
+ ((config.log != stdout) || (ipmonopts & IPMON_SYSLOG))) {
#if BSD >= 199306
- daemon(0, !(opts & OPT_SYSLOG));
+ daemon(0, !(ipmonopts & IPMON_SYSLOG));
#else
int pid;
- if ((pid = fork()) > 0)
- exit(0);
- if (pid < 0) {
+
+ switch (fork())
+ {
+ case -1 :
(void) fprintf(stderr, "%s: fork() failed: %s\n",
argv[0], STRERROR(errno));
exit(1);
/* NOTREACHED */
+ case 0 :
+ break;
+ default :
+ exit(0);
}
+
setsid();
- if ((opts & OPT_SYSLOG))
+ if ((ipmonopts & IPMON_SYSLOG))
close(2);
#endif /* !BSD */
close(0);
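Review bot: The default-source test at the three `config.logsrc[0].logtype == -1` lines compares index 0 three times, so a run that configures only the NAT or state source (-N/-S) still forces `config.logsrc[0].logtype = IPL_LOGIPF`, where the old `fdt[0]/fdt[1]/fdt[2]` test covered all three sources. The second and third lines should read `(config.logsrc[1].logtype == -1) &&` and `(config.logsrc[2].logtype == -1))`. Whether `config.logsrc[0].file` carries a default path is not visible here; if it is still NULL when the source is forced on, openlogs' `strcmp(l->file, "-")` dereferences it. The enclosing main() starts before this hunk and continues past it.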
@@ -1655,80 +1769,142 @@
signal(SIGHUP, handlehup);
- for (doread = 1; doread; ) {
- nr = 0;
+ for (doread = 1; doread; )
+ doread = read_loginfo(&config);
- for (i = 0; i < 3; i++) {
- tr = 0;
- if (fdt[i] == -1)
- continue;
- if (!regular[i]) {
- if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT,
- "ioctl(FIONREAD): %m");
- else
- perror("ioctl(FIONREAD)");
- exit(1);
- /* NOTREACHED */
- }
- } else {
- tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
- if (!tr && !(opts & OPT_TAIL))
- doread = 0;
+ unload_config();
+
+ return(0);
+ /* NOTREACHED */
+}
+
+
+static void openlogs(config_t *conf)
+{
+ logsource_t *l;
+ struct stat sb;
+ int i;
+
+ for (i = 0; i < 3; i++) {
+ l = &conf->logsrc[i];
+ if (l->logtype == -1)
+ continue;
+ if (!strcmp(l->file, "-"))
+ l->fd = 0;
+ else {
+ if ((l->fd= open(l->file, O_RDONLY)) == -1) {
+ (void) fprintf(stderr,
+ "%s: open: %s\n", l->file,
+ STRERROR(errno));
+ exit(1);
+ /* NOTREACHED */
}
- if (!tr)
- continue;
- nr += tr;
- n = 0;
- tr = read_log(fd[i], &n, buf, sizeof(buf));
- if (donehup) {
- if (logfile && (fp = fopen(logfile, "a"))) {
- fclose(log);
- log = fp;
+ if (fstat(l->fd, &sb) == -1) {
+ (void) fprintf(stderr, "%d: fstat: %s\n",
+ l->fd, STRERROR(errno));
+ exit(1);
+ /* NOTREACHED */
+ }
+
+ l->regular = !S_ISCHR(sb.st_mode);
+ if (l->regular)
+ l->size = sb.st_size;
+
+ FD_SET(l->fd, &conf->fdmr);
+ if (l->fd > conf->maxfd)
+ conf->maxfd = l->fd;
+ }
+ }
+}
+
+
+static int read_loginfo(config_t *conf)
+{
+ iplog_t buf[DEFAULT_IPFLOGSIZE/sizeof(iplog_t)+1];
+ int n, tr, nr, i;
+ logsource_t *l;
+ fd_set fdr;
+
+ fdr = conf->fdmr;
+
+ n = select(conf->maxfd + 1, &fdr, NULL, NULL, NULL);
+ if (n == 0)
+ return 1;
+ if (n == -1) {
+ if (errno == EINTR)
+ return 1;
+ return -1;
+ }
+
+ for (i = 0, nr = 0; i < 3; i++) {
+ l = &conf->logsrc[i];
+
+ if ((l->logtype == -1) || !FD_ISSET(l->fd, &fdr))
+ continue;
+
+ tr = 0;
+ if (l->regular) {
+ tr = (lseek(l->fd, 0, SEEK_CUR) < l->size);
+ if (!tr && !(ipmonopts & IPMON_TAIL))
+ return 0;
+ }
+
+ n = 0;
+ tr = read_log(l->fd, &n, (char *)buf, sizeof(buf));
+ if (donehup) {
+ if (conf->file != NULL) {
+ if (conf->log != NULL) {
+ fclose(conf->log);
+ conf->log = NULL;
}
- if (binarylogfile &&
- (fp = fopen(binarylogfile, "a"))) {
- fclose(binarylog);
- binarylog = fp;
- }
- init_tabs();
- if (conf_file != NULL)
- load_config(conf_file);
- donehup = 0;
+ conf->log = fopen(conf->file, "a");
}
- switch (tr)
- {
- case -1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "read: %m\n");
- else
- perror("read");
- doread = 0;
- break;
- case 1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "aborting logging\n");
- else if (log != NULL)
- fprintf(log, "aborting logging\n");
- doread = 0;
- break;
- case 2 :
- break;
- case 0 :
- if (n > 0) {
- print_log(fdt[i], log, buf, n);
- if (!(opts & OPT_SYSLOG))
- fflush(log);
+ if (conf->bfile != NULL) {
+ if (conf->blog != NULL) {
+ fclose(conf->blog);
+ conf->blog = NULL;
}
- break;
+ conf->blog = fopen(conf->bfile, "a");
}
+
+ init_tabs();
+ if (conf->cfile != NULL)
+ load_config(conf->cfile);
+ donehup = 0;
}
- if (!nr && ((opts & OPT_TAIL) || devices))
- sleep(1);
+
+ switch (tr)
+ {
+ case -1 :
+ if (ipmonopts & IPMON_SYSLOG)
+ syslog(LOG_CRIT, "read: %m\n");
+ else {
+ ipferror(l->fd, "read");
+ }
+ return 0;
+ case 1 :
+ if (ipmonopts & IPMON_SYSLOG)
+ syslog(LOG_CRIT, "aborting logging\n");
+ else if (conf->log != NULL)
+ fprintf(conf->log, "aborting logging\n");
+ return 0;
+ case 2 :
+ break;
+ case 0 :
+ nr += tr;
+ if (n > 0) {
+ print_log(conf, l, (char *)buf, n);
+ if (!(ipmonopts & IPMON_SYSLOG))
+ fflush(conf->log);
+ }
+ break;
+ }
}
- return(0);
- /* NOTREACHED */
+
+ if (!nr && (ipmonopts & IPMON_TAIL))
+ sleep(1);
+
+ return 1;
}
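Review bot: In read_loginfo the `nr += tr;` under `case 0 :` can only add zero, because `tr` is by then the return value of read_log and that case is entered only when it is 0; `nr` therefore never becomes non-zero and the `if (!nr && (ipmonopts & IPMON_TAIL)) sleep(1);` fires after every pass in tail mode, including passes that just read data — the count should come from the bytes read, `nr += n;`. The SIGHUP reopen block also regresses the old behaviour: the old code kept the current log when `fopen(logfile, "a")` failed, whereas the new code closes `conf->log` first and then assigns whatever fopen returns, so a failed reopen leaves `conf->log` NULL for the later `fflush(conf->log)` and `print_log(conf, l, …)` (print_log is outside the hunk, so whether it tolerates a NULL stream cannot be seen here); the same applies to `conf->bfile`/`conf->blog`. Open the replacement first and swap only on success, as below. In openlogs, `FD_SET(l->fd, &conf->fdmr)` is not bounded by `FD_SETSIZE`; unlikely for three descriptors, but a check before the set costs one line. The main() body this hunk starts in begins before it.
```c
		if (donehup) {
			if (conf->file != NULL) {
				FILE *fp = fopen(conf->file, "a");

				if (fp != NULL) {
					if (conf->log != NULL)
						fclose(conf->log);
					conf->log = fp;
				}
			}
			/* … unchanged: same swap-on-success for conf->bfile/conf->blog, init_tabs(), load_config(), donehup = 0 … */
		}
```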
Modified: trunk/contrib/ipfilter/tools/ipmon_y.y
===================================================================
--- trunk/contrib/ipfilter/tools/ipmon_y.y 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipmon_y.y 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipmon_y.y 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -13,6 +13,8 @@
#include "ipmon_l.h"
#include "ipmon.h"
+#include <dlfcn.h>
+
#define YYDEBUG 1
extern void yyerror __P((char *));
@@ -21,21 +23,31 @@
extern int yydebug;
extern FILE *yyin;
extern int yylineNum;
+extern int ipmonopts;
-typedef struct opt {
- struct opt *o_next;
+typedef struct opt_s {
+ struct opt_s *o_next;
int o_line;
int o_type;
int o_num;
char *o_str;
struct in_addr o_ip;
+ int o_logfac;
+ int o_logpri;
} opt_t;
-static void build_action __P((struct opt *));
+static void build_action __P((opt_t *, ipmon_doing_t *));
static opt_t *new_opt __P((int));
static void free_action __P((ipmon_action_t *));
+static void print_action __P((ipmon_action_t *));
+static int find_doing __P((char *));
+static ipmon_doing_t *build_doing __P((char *, char *));
+static void print_match __P((ipmon_action_t *));
+static int install_saver __P((char *, char *));
static ipmon_action_t *alist = NULL;
+
+ipmon_saver_int_t *saverlist = NULL;
%}
%union {
@@ -42,48 +54,57 @@
char *str;
u_32_t num;
struct in_addr addr;
- struct opt *opt;
+ struct opt_s *opt;
union i6addr ip6;
+ struct ipmon_doing_s *ipmd;
}
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
%token <ip6> YY_IPV6
-%token YY_COMMENT
+%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token IPM_MATCH IPM_BODY IPM_COMMENT IPM_DIRECTION IPM_DSTIP IPM_DSTPORT
-%token IPM_EVERY IPM_EXECUTE IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT
+%token IPM_EVERY IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT IPM_LOADACTION
%token IPM_PACKET IPM_PACKETS IPM_POOL IPM_PROTOCOL IPM_RESULT IPM_RULE
%token IPM_SECOND IPM_SECONDS IPM_SRCIP IPM_SRCPORT IPM_LOGTAG IPM_WITH
-%token IPM_DO IPM_SAVE IPM_SYSLOG IPM_NOTHING IPM_RAW IPM_TYPE IPM_NAT
+%token IPM_DO IPM_DOING IPM_TYPE IPM_NAT
%token IPM_STATE IPM_NATTAG IPM_IPF
%type <addr> ipv4
-%type <opt> direction dstip dstport every execute group interface
+%type <opt> direction dstip dstport every group interface
%type <opt> protocol result rule srcip srcport logtag matching
-%type <opt> matchopt nattag type doopt doing save syslog nothing
-%type <num> saveopts saveopt typeopt
+%type <opt> matchopt nattag type
+%type <num> typeopt
+%type <ipmd> doopt doing
%%
-file: line
- | assign
- | file line
- | file assign
+file: action
+ | file action
;
-line: IPM_MATCH '{' matching '}' IPM_DO '{' doing '}' ';'
- { build_action($3); resetlexer(); }
+action: line ';'
+ | assign ';'
| IPM_COMMENT
| YY_COMMENT
;
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
+line: IPM_MATCH '{' matching ';' '}' IPM_DO '{' doing ';' '}'
+ { build_action($3, $8);
resetlexer();
+ }
+ | IPM_LOADACTION YY_STR YY_STR { if (install_saver($2, $3))
+ yyerror("install saver");
+ }
+ ;
+
+assign: YY_STR assigning YY_STR { set_variable($1, $3);
+ resetlexer();
free($1);
free($3);
yyvarnext = 0;
- }
+ }
;
assigning:
@@ -114,14 +135,20 @@
doing:
doopt { $$ = $1; }
- | doopt ',' doing { $1->o_next = $3; $$ = $1; }
+ | doopt ',' doing { $1->ipmd_next = $3; $$ = $1; }
;
doopt:
- execute { $$ = $1; }
- | save { $$ = $1; }
- | syslog { $$ = $1; }
- | nothing { $$ = $1; }
+ YY_STR { if (find_doing($1) != IPM_DOING)
+ yyerror("unknown action");
+ }
+ '(' YY_STR ')' { $$ = build_doing($1, $4);
+ if ($$ == NULL)
+ yyerror("action building");
+ }
+ | YY_STR { if (find_doing($1) == IPM_DOING)
+ $$ = build_doing($1, NULL);
+ }
;
direction:
@@ -211,32 +238,8 @@
| IPM_STATE { $$ = IPL_MAGIC_STATE; }
;
-execute:
- IPM_EXECUTE YY_STR { $$ = new_opt(IPM_EXECUTE);
- $$->o_str = $2; }
- ;
-save: IPM_SAVE saveopts YY_STR { $$ = new_opt(IPM_SAVE);
- $$->o_num = $2;
- $$->o_str = $3; }
- ;
-saveopts: { $$ = 0; }
- | saveopt { $$ = $1; }
- | saveopt ',' saveopts { $$ = $1 | $3; }
- ;
-
-saveopt:
- IPM_RAW { $$ = IPMDO_SAVERAW; }
- ;
-
-syslog: IPM_SYSLOG { $$ = new_opt(IPM_SYSLOG); }
- ;
-
-nothing:
- IPM_NOTHING { $$ = 0; }
- ;
-
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
{ if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
yyerror("Invalid octet string for IP address");
@@ -253,17 +256,16 @@
{ "dstip", IPM_DSTIP },
{ "dstport", IPM_DSTPORT },
{ "every", IPM_EVERY },
- { "execute", IPM_EXECUTE },
{ "group", IPM_GROUP },
{ "in", IPM_IN },
{ "interface", IPM_INTERFACE },
{ "ipf", IPM_IPF },
+ { "load_action",IPM_LOADACTION },
{ "logtag", IPM_LOGTAG },
{ "match", IPM_MATCH },
{ "nat", IPM_NAT },
{ "nattag", IPM_NATTAG },
{ "no", IPM_NO },
- { "nothing", IPM_NOTHING },
{ "out", IPM_OUT },
{ "packet", IPM_PACKET },
{ "packets", IPM_PACKETS },
@@ -270,13 +272,11 @@
{ "protocol", IPM_PROTOCOL },
{ "result", IPM_RESULT },
{ "rule", IPM_RULE },
- { "save", IPM_SAVE },
{ "second", IPM_SECOND },
{ "seconds", IPM_SECONDS },
{ "srcip", IPM_SRCIP },
{ "srcport", IPM_SRCPORT },
{ "state", IPM_STATE },
- { "syslog", IPM_SYSLOG },
{ "with", IPM_WITH },
{ NULL, 0 }
};
@@ -301,31 +301,33 @@
{ 0, 0 }
};
-static opt_t *new_opt(type)
-int type;
+static opt_t *
+new_opt(type)
+ int type;
{
opt_t *o;
- o = (opt_t *)malloc(sizeof(*o));
+ o = (opt_t *)calloc(1, sizeof(*o));
o->o_type = type;
o->o_line = yylineNum;
- o->o_num = 0;
- o->o_str = (char *)0;
- o->o_next = NULL;
+ o->o_logfac = -1;
+ o->o_logpri = -1;
return o;
}
-static void build_action(olist)
-opt_t *olist;
+static void
+build_action(olist, todo)
+ opt_t *olist;
+ ipmon_doing_t *todo;
{
ipmon_action_t *a;
opt_t *o;
- char c;
int i;
a = (ipmon_action_t *)calloc(1, sizeof(*a));
if (a == NULL)
return;
+
while ((o = olist) != NULL) {
/*
* Check to see if the same comparator is being used more than
@@ -358,24 +360,11 @@
case IPM_DSTPORT :
a->ac_dport = htons(o->o_num);
break;
- case IPM_EXECUTE :
- a->ac_exec = o->o_str;
- c = *o->o_str;
- if (c== '"'|| c == '\'') {
- if (o->o_str[strlen(o->o_str) - 1] == c) {
- a->ac_run = strdup(o->o_str + 1);
- a->ac_run[strlen(a->ac_run) - 1] ='\0';
- } else
- a->ac_run = o->o_str;
- } else
- a->ac_run = o->o_str;
- o->o_str = NULL;
- break;
case IPM_INTERFACE :
a->ac_iface = o->o_str;
o->o_str = NULL;
break;
- case IPM_GROUP :
+ case IPM_GROUP :
if (o->o_str != NULL)
strncpy(a->ac_group, o->o_str, FR_GROUPLEN);
else
@@ -416,24 +405,6 @@
case IPM_SRCPORT :
a->ac_sport = htons(o->o_num);
break;
- case IPM_SAVE :
- if (a->ac_savefile != NULL) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_savefile = strdup(o->o_str);
- a->ac_savefp = fopen(o->o_str, "a");
- a->ac_dflag |= o->o_num & IPMDO_SAVERAW;
- break;
- case IPM_SYSLOG :
- if (a->ac_syslog != 0) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_syslog = 1;
- break;
case IPM_TYPE :
a->ac_type = o->o_num;
break;
@@ -448,17 +419,25 @@
free(o->o_str);
free(o);
}
+
+ a->ac_doing = todo;
a->ac_next = alist;
alist = a;
+
+ if (ipmonopts & IPMON_VERBOSE)
+ print_action(a);
}
-int check_action(buf, log, opts, lvl)
-char *buf, *log;
-int opts, lvl;
+int
+check_action(buf, log, opts, lvl)
+ char *buf, *log;
+ int opts, lvl;
{
ipmon_action_t *a;
struct timeval tv;
+ ipmon_doing_t *d;
+ ipmon_msg_t msg;
ipflog_t *ipf;
tcphdr_t *tcp;
iplog_t *ipl;
@@ -472,19 +451,33 @@
ip = (ip_t *)(ipf + 1);
tcp = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
+ msg.imm_data = ipl;
+ msg.imm_dsize = ipl->ipl_dsize;
+ msg.imm_when = ipl->ipl_time.tv_sec;
+ msg.imm_msg = log;
+ msg.imm_msglen = strlen(log);
+ msg.imm_loglevel = lvl;
+
for (a = alist; a != NULL; a = a->ac_next) {
+ verbose(0, "== checking config rule\n");
if ((a->ac_mflag & IPMAC_DIRECTION) != 0) {
if (a->ac_direction == IPM_IN) {
- if ((ipf->fl_flags & FR_INQUE) == 0)
+ if ((ipf->fl_flags & FR_INQUE) == 0) {
+ verbose(8, "-- direction not in\n");
continue;
+ }
} else if (a->ac_direction == IPM_OUT) {
- if ((ipf->fl_flags & FR_OUTQUE) == 0)
+ if ((ipf->fl_flags & FR_OUTQUE) == 0) {
+ verbose(8, "-- direction not out\n");
continue;
+ }
}
}
- if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic))
+ if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic)) {
+ verbose(8, "-- type mismatch\n");
continue;
+ }
if ((a->ac_mflag & IPMAC_EVERY) != 0) {
gettimeofday(&tv, NULL);
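Review bot: The `verbose(0, "== checking config rule\n")` added at the top of the per-rule loop uses level 0 while every other trace in this function uses level 8. If verbose() prints whenever the configured verbosity reaches its level, this line is emitted for every configured rule on every logged packet regardless of -v; it should probably be `verbose(8, "== checking config rule\n");` to match the rest. check_action's body continues past this hunk.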
@@ -492,8 +485,10 @@
if (tv.tv_usec <= a->ac_lastusec)
t1--;
if (a->ac_second != 0) {
- if (t1 < a->ac_second)
+ if (t1 < a->ac_second) {
+ verbose(8, "-- too soon\n");
continue;
+ }
a->ac_lastsec = tv.tv_sec;
a->ac_lastusec = tv.tv_usec;
}
@@ -503,9 +498,11 @@
a->ac_pktcnt++;
else if (a->ac_pktcnt == a->ac_packet) {
a->ac_pktcnt = 0;
+ verbose(8, "-- packet count\n");
continue;
} else {
a->ac_pktcnt++;
+ verbose(8, "-- packet count\n");
continue;
}
}
@@ -512,123 +509,120 @@
}
if ((a->ac_mflag & IPMAC_DSTIP) != 0) {
- if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip)
+ if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip) {
+ verbose(8, "-- dstip wrong\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_DSTPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
+ if (ip->ip_p != IPPROTO_UDP &&
+ ip->ip_p != IPPROTO_TCP) {
+ verbose(8, "-- not port protocol\n");
continue;
- if (tcp->th_dport != a->ac_dport)
+ }
+ if (tcp->th_dport != a->ac_dport) {
+ verbose(8, "-- dport mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_GROUP) != 0) {
if (strncmp(a->ac_group, ipf->fl_group,
- FR_GROUPLEN) != 0)
+ FR_GROUPLEN) != 0) {
+ verbose(8, "-- group mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_INTERFACE) != 0) {
- if (strcmp(a->ac_iface, ipf->fl_ifname))
+ if (strcmp(a->ac_iface, ipf->fl_ifname)) {
+ verbose(8, "-- ifname mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) {
- if (a->ac_proto != ip->ip_p)
+ if (a->ac_proto != ip->ip_p) {
+ verbose(8, "-- protocol mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_RESULT) != 0) {
if ((ipf->fl_flags & FF_LOGNOMATCH) != 0) {
- if (a->ac_result != IPMR_NOMATCH)
+ if (a->ac_result != IPMR_NOMATCH) {
+ verbose(8, "-- ff-flags mismatch\n");
continue;
+ }
} else if (FR_ISPASS(ipf->fl_flags)) {
- if (a->ac_result != IPMR_PASS)
+ if (a->ac_result != IPMR_PASS) {
+ verbose(8, "-- pass mismatch\n");
continue;
+ }
} else if (FR_ISBLOCK(ipf->fl_flags)) {
- if (a->ac_result != IPMR_BLOCK)
+ if (a->ac_result != IPMR_BLOCK) {
+ verbose(8, "-- block mismatch\n");
continue;
+ }
} else { /* Log only */
- if (a->ac_result != IPMR_LOG)
+ if (a->ac_result != IPMR_LOG) {
+ verbose(8, "-- log mismatch\n");
continue;
+ }
}
}
if ((a->ac_mflag & IPMAC_RULE) != 0) {
- if (a->ac_rule != ipf->fl_rule)
+ if (a->ac_rule != ipf->fl_rule) {
+ verbose(8, "-- rule mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_SRCIP) != 0) {
- if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip)
+ if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip) {
+ verbose(8, "-- srcip mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_SRCPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
+ if (ip->ip_p != IPPROTO_UDP &&
+ ip->ip_p != IPPROTO_TCP) {
+ verbose(8, "-- port protocol mismatch\n");
continue;
- if (tcp->th_sport != a->ac_sport)
+ }
+ if (tcp->th_sport != a->ac_sport) {
+ verbose(8, "-- sport mismatch\n");
continue;
+ }
}
if ((a->ac_mflag & IPMAC_LOGTAG) != 0) {
- if (a->ac_logtag != ipf->fl_logtag)
+ if (a->ac_logtag != ipf->fl_logtag) {
+ verbose(8, "-- logtag %d != %d\n",
+ a->ac_logtag, ipf->fl_logtag);
continue;
+ }
}
if ((a->ac_mflag & IPMAC_NATTAG) != 0) {
if (strncmp(a->ac_nattag, ipf->fl_nattag.ipt_tag,
- IPFTAG_LEN) != 0)
+ IPFTAG_LEN) != 0) {
+ verbose(8, "-- nattag mismatch\n");
continue;
+ }
}
matched = 1;
+ verbose(8, "++ matched\n");
/*
- * It matched so now execute the command
+ * It matched so now perform the saves
*/
- if (a->ac_syslog != 0) {
- syslog(lvl, "%s", log);
- }
-
- if (a->ac_savefp != NULL) {
- if (a->ac_dflag & IPMDO_SAVERAW)
- fwrite(ipl, 1, ipl->ipl_dsize, a->ac_savefp);
- else
- fputs(log, a->ac_savefp);
- }
-
- if (a->ac_exec != NULL) {
- switch (fork())
- {
- case 0 :
- {
- FILE *pi;
-
- pi = popen(a->ac_run, "w");
- if (pi != NULL) {
- fprintf(pi, "%s\n", log);
- if ((opts & OPT_HEXHDR) != 0) {
- dumphex(pi, 0, buf,
- sizeof(*ipl) +
- sizeof(*ipf));
- }
- if ((opts & OPT_HEXBODY) != 0) {
- dumphex(pi, 0, (char *)ip,
- ipf->fl_hlen +
- ipf->fl_plen);
- }
- pclose(pi);
- }
- exit(1);
- }
- case -1 :
- break;
- default :
- break;
- }
- }
+ for (d = a->ac_doing; d != NULL; d = d->ipmd_next)
+ (*d->ipmd_store)(d->ipmd_token, &msg);
}
return matched;
@@ -635,27 +629,18 @@
}
-static void free_action(a)
-ipmon_action_t *a;
+static void
+free_action(a)
+ ipmon_action_t *a;
{
- if (a->ac_savefile != NULL) {
- free(a->ac_savefile);
- a->ac_savefile = NULL;
+ ipmon_doing_t *d;
+
+ while ((d = a->ac_doing) != NULL) {
+ a->ac_doing = d->ipmd_next;
+ (*d->ipmd_saver->ims_destroy)(d->ipmd_token);
+ free(d);
}
- if (a->ac_savefp != NULL) {
- fclose(a->ac_savefp);
- a->ac_savefp = NULL;
- }
- if (a->ac_exec != NULL) {
- free(a->ac_exec);
- if (a->ac_run == a->ac_exec)
- a->ac_run = NULL;
- a->ac_exec = NULL;
- }
- if (a->ac_run != NULL) {
- free(a->ac_run);
- a->ac_run = NULL;
- }
+
if (a->ac_iface != NULL) {
free(a->ac_iface);
a->ac_iface = NULL;
@@ -665,13 +650,15 @@
}
-int load_config(file)
-char *file;
+int
+load_config(file)
+ char *file;
{
- ipmon_action_t *a;
FILE *fp;
char *s;
+ unload_config();
+
s = getenv("YYDEBUG");
if (s != NULL)
yydebug = atoi(s);
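Review bot: Calling `unload_config()` unconditionally at the top of load_config means a reload whose file fails to open or parse leaves the daemon with no actions at all, and the SIGHUP caller in ipmon.c (`load_config(conf->cfile)` in read_loginfo) ignores the return value, so the loss is silent. Keeping the existing `alist` until the new file has parsed, or at least reporting the failure from the HUP path, would preserve the previous configuration. A one-line comment on the function documenting that it discards the current configuration before parsing would make the contract visible to callers; the function body continues past this hunk.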
@@ -678,11 +665,6 @@
else
yydebug = 0;
- while ((a = alist) != NULL) {
- alist = a->ac_next;
- free_action(a);
- }
-
yylineNum = 1;
(void) yysettab(yywords);
@@ -698,3 +680,373 @@
fclose(fp);
return 0;
}
+
+
+void
+unload_config()
+{
+ ipmon_saver_int_t *sav, **imsip;
+ ipmon_saver_t *is;
+ ipmon_action_t *a;
+
+ while ((a = alist) != NULL) {
+ alist = a->ac_next;
+ free_action(a);
+ }
+
+ /*
+ * Look for savers that have been added in dynamically from the
+ * configuration file.
+ */
+ for (imsip = &saverlist; (sav = *imsip) != NULL; ) {
+ if (sav->imsi_handle == NULL)
+ imsip = &sav->imsi_next;
+ else {
+ dlclose(sav->imsi_handle);
+
+ *imsip = sav->imsi_next;
+ is = sav->imsi_stor;
+ free(sav);
+
+ free(is->ims_name);
+ free(is);
+ }
+ }
+}
+
+
+void
+dump_config()
+{
+ ipmon_action_t *a;
+
+ for (a = alist; a != NULL; a = a->ac_next) {
+ print_action(a);
+
+ printf("#\n");
+ }
+}
+
+
+static void
+print_action(a)
+ ipmon_action_t *a;
+{
+ ipmon_doing_t *d;
+
+ printf("match { ");
+ print_match(a);
+ printf("; }\n");
+ printf("do {");
+ for (d = a->ac_doing; d != NULL; d = d->ipmd_next) {
+ printf("%s", d->ipmd_saver->ims_name);
+ if (d->ipmd_saver->ims_print != NULL) {
+ printf("(\"");
+ (*d->ipmd_saver->ims_print)(d->ipmd_token);
+ printf("\")");
+ }
+ printf(";");
+ }
+ printf("};\n");
+}
+
+
+void *
+add_doing(saver)
+ ipmon_saver_t *saver;
+{
+ ipmon_saver_int_t *it;
+
+ if (find_doing(saver->ims_name) == IPM_DOING)
+ return NULL;
+
+ it = calloc(1, sizeof(*it));
+ if (it == NULL)
+ return NULL;
+ it->imsi_stor = saver;
+ it->imsi_next = saverlist;
+ saverlist = it;
+ return it;
+}
+
+
+static int
+find_doing(string)
+ char *string;
+{
+ ipmon_saver_int_t *it;
+
+ for (it = saverlist; it != NULL; it = it->imsi_next) {
+ if (!strcmp(it->imsi_stor->ims_name, string))
+ return IPM_DOING;
+ }
+ return 0;
+}
+
+
+static ipmon_doing_t *
+build_doing(target, options)
+ char *target;
+ char *options;
+{
+ ipmon_saver_int_t *it;
+ char *strarray[2];
+ ipmon_doing_t *d, *d1;
+ ipmon_action_t *a;
+ ipmon_saver_t *save;
+
+ d = calloc(1, sizeof(*d));
+ if (d == NULL)
+ return NULL;
+
+ for (it = saverlist; it != NULL; it = it->imsi_next) {
+ if (!strcmp(it->imsi_stor->ims_name, target))
+ break;
+ }
+ if (it == NULL) {
+ free(d);
+ return NULL;
+ }
+
+ strarray[0] = options;
+ strarray[1] = NULL;
+
+ d->ipmd_token = (*it->imsi_stor->ims_parse)(strarray);
+ if (d->ipmd_token == NULL) {
+ free(d);
+ return NULL;
+ }
+
+ save = it->imsi_stor;
+ d->ipmd_saver = save;
+ d->ipmd_store = it->imsi_stor->ims_store;
+
+ /*
+ * Look for duplicate do-things that need to be dup'd
+ */
+ for (a = alist; a != NULL; a = a->ac_next) {
+ for (d1 = a->ac_doing; d1 != NULL; d1 = d1->ipmd_next) {
+ if (save != d1->ipmd_saver)
+ continue;
+ if (save->ims_match == NULL || save->ims_dup == NULL)
+ continue;
+ if ((*save->ims_match)(d->ipmd_token, d1->ipmd_token))
+ continue;
+
+ (*d->ipmd_saver->ims_destroy)(d->ipmd_token);
+ d->ipmd_token = (*save->ims_dup)(d1->ipmd_token);
+ break;
+ }
+ }
+
+ return d;
+}
+
+
+static void
+print_match(a)
+ ipmon_action_t *a;
+{
+ char *coma = "";
+
+ if ((a->ac_mflag & IPMAC_DIRECTION) != 0) {
+ printf("direction = ");
+ if (a->ac_direction == IPM_IN)
+ printf("in");
+ else if (a->ac_direction == IPM_OUT)
+ printf("out");
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_DSTIP) != 0) {
+ printf("%sdstip = ", coma);
+ printhostmask(AF_INET, &a->ac_dip, &a->ac_dmsk);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_DSTPORT) != 0) {
+ printf("%sdstport = %hu", coma, ntohs(a->ac_dport));
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_GROUP) != 0) {
+ char group[FR_GROUPLEN+1];
+
+ strncpy(group, a->ac_group, FR_GROUPLEN);
+ group[FR_GROUPLEN] = '\0';
+ printf("%sgroup = %s", coma, group);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_INTERFACE) != 0) {
+ printf("%siface = %s", coma, a->ac_iface);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_LOGTAG) != 0) {
+ printf("%slogtag = %u", coma, a->ac_logtag);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_NATTAG) != 0) {
+ char tag[17];
+
+ strncpy(tag, a->ac_nattag, 16);
+ tag[16] = '\0';
+ printf("%snattag = %s", coma, tag);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) {
+ printf("%sprotocol = %u", coma, a->ac_proto);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_RESULT) != 0) {
+ printf("%sresult = ", coma);
+ switch (a->ac_result)
+ {
+ case IPMR_LOG :
+ printf("log");
+ break;
+ case IPMR_PASS :
+ printf("pass");
+ break;
+ case IPMR_BLOCK :
+ printf("block");
+ break;
+ case IPMR_NOMATCH :
+ printf("nomatch");
+ break;
+ }
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_RULE) != 0) {
+ printf("%srule = %u", coma, a->ac_rule);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_EVERY) != 0) {
+ if (a->ac_packet > 1) {
+ printf("%severy %d packets", coma, a->ac_packet);
+ coma = ", ";
+ } else if (a->ac_packet == 1) {
+ printf("%severy packet", coma);
+ coma = ", ";
+ }
+ if (a->ac_second > 1) {
+ printf("%severy %d seconds", coma, a->ac_second);
+ coma = ", ";
+ } else if (a->ac_second == 1) {
+ printf("%severy second", coma);
+ coma = ", ";
+ }
+ }
+
+ if ((a->ac_mflag & IPMAC_SRCIP) != 0) {
+ printf("%ssrcip = ", coma);
+ printhostmask(AF_INET, &a->ac_sip, &a->ac_smsk);
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_SRCPORT) != 0) {
+ printf("%ssrcport = %hu", coma, ntohs(a->ac_sport));
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_TYPE) != 0) {
+ printf("%stype = ", coma);
+ switch (a->ac_type)
+ {
+ case IPL_LOGIPF :
+ printf("ipf");
+ break;
+ case IPL_LOGSTATE :
+ printf("state");
+ break;
+ case IPL_LOGNAT :
+ printf("nat");
+ break;
+ }
+ coma = ", ";
+ }
+
+ if ((a->ac_mflag & IPMAC_WITH) != 0) {
+ printf("%swith ", coma);
+ coma = ", ";
+ }
+}
+
+
+static int
+install_saver(name, path)
+ char *name, *path;
+{
+ ipmon_saver_int_t *isi;
+ ipmon_saver_t *is;
+ char nbuf[80];
+
+ if (find_doing(name) == IPM_DOING)
+ return -1;
+
+ isi = calloc(1, sizeof(*isi));
+ if (isi == NULL)
+ return -1;
+
+ is = calloc(1, sizeof(*is));
+ if (is == NULL)
+ goto loaderror;
+
+ is->ims_name = name;
+
+#ifdef RTLD_LAZY
+ isi->imsi_handle = dlopen(path, RTLD_LAZY);
+#endif
+#ifdef DL_LAZY
+ isi->imsi_handle = dlopen(path, DL_LAZY);
+#endif
+
+ if (isi->imsi_handle == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%sdup", name);
+ is->ims_dup = (ims_dup_func_t)dlsym(isi->imsi_handle, nbuf);
+
+ snprintf(nbuf, sizeof(nbuf), "%sdestroy", name);
+ is->ims_destroy = (ims_destroy_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_destroy == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%smatch", name);
+ is->ims_match = (ims_match_func_t)dlsym(isi->imsi_handle, nbuf);
+
+ snprintf(nbuf, sizeof(nbuf), "%sparse", name);
+ is->ims_parse = (ims_parse_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_parse == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%sprint", name);
+ is->ims_print = (ims_print_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_print == NULL)
+ goto loaderror;
+
+ snprintf(nbuf, sizeof(nbuf), "%sstore", name);
+ is->ims_store = (ims_store_func_t)dlsym(isi->imsi_handle, nbuf);
+ if (is->ims_store == NULL)
+ goto loaderror;
+
+ isi->imsi_stor = is;
+ isi->imsi_next = saverlist;
+ saverlist = isi;
+
+ return 0;
+
+loaderror:
+ if (isi->imsi_handle != NULL)
+ dlclose(isi->imsi_handle);
+ free(isi);
+ if (is != NULL)
+ free(is);
+ return -1;
+}
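Review bot: In install_saver the `#ifdef RTLD_LAZY` and `#ifdef DL_LAZY` blocks are not exclusive, so on a platform defining both macros dlopen is called twice and the first handle is never closed; `#elif defined(DL_LAZY)` fixes that. The `char nbuf[80]` symbol buffer silently truncates a long action name, so a misnamed `dup`/`destroy` symbol would be looked up without any diagnostic — check the snprintf return against `sizeof(nbuf)`. Since `path` comes straight from the configuration file into dlopen, the configuration file is now as trust-critical as the ipmon binary itself; a header comment such as `/* Loads executable code named by the configuration file: the file and any directory a relative path resolves through must be writable only by the administrator. */` should say so. In print_match, `char tag[17]` with the literal 16 duplicates the `IPFTAG_LEN` used for the same field in check_action; use the constant.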
Modified: trunk/contrib/ipfilter/tools/ipnat.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipnat.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipnat.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipnat.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
@@ -37,7 +37,7 @@
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
-#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netdb.h>
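Review bot: The guard around `<net/if_var.h>` drops `defined(__MidnightBSD__)`, leaving only `__FreeBSD_version >= 300000`. If MidnightBSD's headers do not define `__FreeBSD_version`, the preprocessor treats it as 0 and the include is skipped on the very platform this tree targets; confirm the macro is defined there, or keep the original condition.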
@@ -67,7 +67,7 @@
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.3 2012-12-21 03:48:04 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
@@ -79,23 +79,25 @@
extern char *optarg;
-void dostats __P((int, natstat_t *, int, int));
-void dotable __P((natstat_t *, int, int));
-void flushtable __P((int, int));
+void dostats __P((int, natstat_t *, int, int, int *));
+void dotable __P((natstat_t *, int, int, int, char *));
+void flushtable __P((int, int, int *));
void usage __P((char *));
int main __P((int, char*[]));
void showhostmap __P((natstat_t *nsp));
void natstat_dead __P((natstat_t *, char *));
-void dostats_live __P((int, natstat_t *, int));
+void dostats_live __P((int, natstat_t *, int, int *));
void showhostmap_dead __P((natstat_t *));
void showhostmap_live __P((int, natstat_t *));
-void dostats_dead __P((natstat_t *, int));
-void showtqtable_live __P((int));
+void dostats_dead __P((natstat_t *, int, int *));
+int nat_matcharray __P((nat_t *, int *));
-int opts;
+int opts;
+int nohdrfields = 0;
+wordtab_t *nat_fields = NULL;
void usage(name)
-char *name;
+ char *name;
{
fprintf(stderr, "Usage: %s [-CFhlnrRsv] [-f filename]\n", name);
exit(1);
@@ -103,12 +105,12 @@
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
+ int fd, c, mode, *natfilter;
char *file, *core, *kernel;
natstat_t ns, *nsp;
- int fd, c, mode;
ipfobj_t obj;
fd = -1;
@@ -118,8 +120,11 @@
core = NULL;
kernel = NULL;
mode = O_RDWR;
+ natfilter = NULL;
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsv")) != -1)
+ assigndefined(getenv("IPNAT_PREDEFINED"));
+
+ while ((c = getopt(argc, argv, "CdFf:hlm:M:N:nO:prRsv")) != -1)
switch (c)
{
case 'C' :
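Review bot: The getopt string gains `m:`, `O:` and `p`, but the usage text in the preceding hunk still reads `"Usage: %s [-CFhlnrRsv] [-f filename]\n"`, so the new options are undocumented to the user; update it alongside. The new `assigndefined(getenv("IPNAT_PREDEFINED"))` runs before the `setgid(getgid())` seen later in main, which suggests this binary may run set-gid; if so, the environment is untrusted input to the rule parser and should be treated as such (and `assigndefined` must tolerate a NULL argument when the variable is unset — not visible here). main() continues past this hunk.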
@@ -141,6 +146,9 @@
opts |= OPT_LIST;
mode = O_RDONLY;
break;
+ case 'm' :
+ natfilter = parseipfexpr(optarg, NULL);
+ break;
case 'M' :
core = optarg;
break;
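Review bot: The `-m` case stores `parseipfexpr(optarg, NULL)` without checking for NULL, so a malformed expression silently behaves as if no filter had been given and the later flush or listing applies to everything. Add `if (natfilter == NULL) { fprintf(stderr, "%s: bad -m expression\n", argv[0]); exit(1); }` after the call; the `-O` case in the next hunk stores `parsefields(natfields, optarg)` with the same gap. main() continues past this hunk.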
@@ -148,9 +156,15 @@
kernel = optarg;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
mode = O_RDONLY;
break;
+ case 'O' :
+ nat_fields = parsefields(natfields, optarg);
+ break;
+ case 'p' :
+ opts |= OPT_PURGE;
+ break;
case 'R' :
opts |= OPT_NORESOLVE;
break;
@@ -168,6 +182,12 @@
usage(argv[0]);
}
+ if (((opts & OPT_PURGE) != 0) && ((opts & OPT_REMOVE) == 0)) {
+ (void) fprintf(stderr, "%s: -p must be used with -r\n",
+ argv[0]);
+ exit(1);
+ }
+
initparse();
if ((kernel != NULL) || (core != NULL)) {
@@ -200,7 +220,7 @@
obj.ipfo_size = sizeof(*nsp);
obj.ipfo_ptr = (void *)nsp;
if (ioctl(fd, SIOCGNATS, &obj) == -1) {
- perror("ioctl(SIOCGNATS)");
+ ipferror(fd, "ioctl(SIOCGNATS)");
exit(1);
}
(void) setgid(getgid());
@@ -211,17 +231,17 @@
natstat_dead(nsp, kernel);
if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 0);
+ dostats(fd, nsp, opts, 0, natfilter);
exit(0);
}
if (opts & (OPT_FLUSH|OPT_CLEAR))
- flushtable(fd, opts);
+ flushtable(fd, opts, natfilter);
if (file) {
- ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
+ return ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
}
if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 1);
+ dostats(fd, nsp, opts, 1, natfilter);
return 0;
}
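Review bot: Changing `ipnat_parsefile(...)` to `return ipnat_parsefile(...)` makes main exit before the `dostats(fd, nsp, opts, 1, natfilter)` that follows, so `-f file -l` (or `-s`) no longer lists after loading as it did before. If the intent is only to propagate the parse status, keep the listing: `int r = ipnat_parsefile(fd, ipnat_addrule, ioctl, file); if (r != 0) return r;`.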
@@ -231,8 +251,8 @@
* rather than doing ioctl's.
*/
void natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
+ natstat_t *nsp;
+ char *kernel;
{
struct nlist nat_nlist[10] = {
{ "nat_table" }, /* 0 */
@@ -243,7 +263,6 @@
{ "ipf_rdrrules_sz" }, /* 5 */
{ "ipf_hostmap_sz" },
{ "nat_instances" },
- { "ap_sess_list" },
{ NULL }
};
void *tables[2];
@@ -259,8 +278,8 @@
* one in individually.
*/
kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
- nsp->ns_table[0] = tables[0];
- nsp->ns_table[1] = tables[1];
+ nsp->ns_side[0].ns_table = tables[0];
+ nsp->ns_side[1].ns_table = tables[1];
kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
sizeof(nsp->ns_list));
@@ -276,8 +295,6 @@
sizeof(nsp->ns_hostmap_sz));
kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
sizeof(nsp->ns_instances));
- kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
- sizeof(nsp->ns_apslist));
}
@@ -285,16 +302,33 @@
* Issue an ioctl to flush either the NAT rules table or the active mapping
* table or both.
*/
-void flushtable(fd, opts)
-int fd, opts;
+void flushtable(fd, opts, match)
+ int fd, opts, *match;
{
int n = 0;
if (opts & OPT_FLUSH) {
n = 0;
- if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCFLNAT)");
- else
+ if (!(opts & OPT_DONOTHING)) {
+ if (match != NULL) {
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = match[0] * sizeof(int);
+ obj.ipfo_type = IPFOBJ_IPFEXPR;
+ obj.ipfo_ptr = match;
+ if (ioctl(fd, SIOCMATCHFLUSH, &obj) == -1) {
+ ipferror(fd, "ioctl(SIOCMATCHFLUSH)");
+ n = -1;
+ } else {
+ n = obj.ipfo_retval;
+ }
+ } else if (ioctl(fd, SIOCIPFFL, &n) == -1) {
+ ipferror(fd, "ioctl(SIOCIPFFL)");
+ n = -1;
+ }
+ }
+ if (n >= 0)
printf("%d entries flushed from NAT table\n", n);
}
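Review bot: `obj.ipfo_size = match[0] * sizeof(int)` assumes `match[0]` counts the leading length word itself; `nat_matcharray` later in this file reads `n = array[0]` and walks from `array + 1`, which suggests `match[0]` counts only the expression words, in which case the kernel is told about one `int` fewer than the array holds — worth confirming against the parser that builds the array. A comment on that line, e.g. `/* match[0] is the total number of ints in the array, including itself */`, or the adjusted `(match[0] + 1) * sizeof(int)` if that is what the kernel expects, would settle it. The `ipfobj_t obj` here is also filled without a `bzero`, unlike the `bzero((char *)&obj, sizeof(obj))` used in `dostats_live`, so any field the kernel reads beyond the four set here would be uninitialised.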
@@ -301,7 +335,7 @@
if (opts & OPT_CLEAR) {
n = 1;
if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCCNATL)");
+ ipferror(fd, "ioctl(SIOCCNATL)");
else
printf("%d entries flushed from NAT list\n", n);
}
@@ -311,34 +345,65 @@
/*
* Display NAT statistics.
*/
-void dostats_dead(nsp, opts)
-natstat_t *nsp;
-int opts;
+void dostats_dead(nsp, opts, filter)
+ natstat_t *nsp;
+ int opts, *filter;
{
nat_t *np, nat;
ipnat_t ipn;
+ int i;
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- break;
+ if (nat_fields == NULL) {
+ printf("List of active MAP/Redirect filters:\n");
+ while (nsp->ns_list) {
+ if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
+ sizeof(ipn))) {
+ perror("kmemcpy");
+ break;
+ }
+ if (opts & OPT_HITS)
+ printf("%lu ", ipn.in_hits);
+ printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+ nsp->ns_list = ipn.in_next;
}
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
}
- printf("\nList of active sessions:\n");
+ if (nat_fields == NULL) {
+ printf("\nList of active sessions:\n");
+ } else if (nohdrfields == 0) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printfieldhdr(natfields, nat_fields + i);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ }
+
for (np = nsp->ns_instances; np; np = nat.nat_next) {
if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
break;
- printactivenat(&nat, opts, 0, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
+ if ((filter != NULL) && (nat_matcharray(&nat, filter) == 0))
+ continue;
+ if (nat_fields != NULL) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printnatfield(&nat, nat_fields[i].w_value);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else {
+ printactivenat(&nat, opts, nsp->ns_ticks);
+ if (nat.nat_aps) {
+ int proto;
+
+ if (nat.nat_dir & NAT_OUTBOUND)
+ proto = nat.nat_pr[1];
+ else
+ proto = nat.nat_pr[0];
+ printaps(nat.nat_aps, opts, proto);
+ }
+ }
}
if (opts & OPT_VERBOSE)
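Review bot: The field-header loop (`for (i = 0; nat_fields[i].w_value != 0; i++) { printfieldhdr(natfields, nat_fields + i); ... }`) and the per-session `printnatfield` loop are duplicated verbatim between `dostats_dead` here and `dostats_live` further down; a small static pair such as `printnatfieldhdr(void)` / `printnatfields(nat_t *)` would keep the two output paths from drifting apart. `nat_fields` and `nohdrfields` are file-scope state not visible in this hunk, so their initialisation is assumed here. The trailing `if (opts & OPT_VERBOSE)` of `dostats_dead` continues past the end of the hunk.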
@@ -346,51 +411,23 @@
}
-void dostats(fd, nsp, opts, alive)
-natstat_t *nsp;
-int fd, opts, alive;
+void dotable(nsp, fd, alive, which, side)
+ natstat_t *nsp;
+ int fd, alive, which;
+ char *side;
{
- /*
- * Show statistics ?
- */
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- nsp->ns_mapped[0], nsp->ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- nsp->ns_added, nsp->ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
- printf("wilds\t%u\n", nsp->ns_wilds);
- dotable(nsp, fd, alive);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n",
- nsp->ns_table, nsp->ns_list);
- if (alive)
- showtqtable_live(fd);
- }
-
- if (opts & OPT_LIST) {
- if (alive)
- dostats_live(fd, nsp, opts);
- else
- dostats_dead(nsp, opts);
- }
-}
-
-
-void dotable(nsp, fd, alive)
-natstat_t *nsp;
-int fd, alive;
-{
- int sz, i, used, totallen, maxlen, minlen;
+ int sz, i, used, maxlen, minlen, totallen;
ipftable_t table;
- u_long *buckets;
+ u_int *buckets;
ipfobj_t obj;
sz = sizeof(*buckets) * nsp->ns_nattab_sz;
- buckets = (u_long *)malloc(sz);
+ buckets = (u_int *)malloc(sz);
+ if (buckets == NULL) {
+ fprintf(stderr,
+ "cannot allocate memory (%d) for buckets\n", sz);
+ return;
+ }
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_type = IPFOBJ_GTABLE;
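Review bot: `sz` receives `sizeof(*buckets) * nsp->ns_nattab_sz` but is declared `int` in the `int sz, i, used, ...` line and printed with `%d` in the new allocation-failure message; declaring it `size_t sz` and printing with `%zu` removes the signed/unsigned mix and matches what `malloc` takes, and the `(u_int *)` cast on `malloc` is unnecessary in C. The NULL check after `malloc` is a genuine fix over the old unchecked use. The rest of `dotable` continues outside the hunk.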
@@ -397,11 +434,16 @@
obj.ipfo_size = sizeof(table);
obj.ipfo_ptr = &table;
- table.ita_type = IPFTABLE_BUCKETS_NATIN;
+ if (which == 0) {
+ table.ita_type = IPFTABLE_BUCKETS_NATIN;
+ } else if (which == 1) {
+ table.ita_type = IPFTABLE_BUCKETS_NATOUT;
+ }
table.ita_table = buckets;
if (alive) {
if (ioctl(fd, SIOCGTABL, &obj) != 0) {
+ ipferror(fd, "SIOCFTABL");
free(buckets);
return;
}
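Review bot: The new error string names `SIOCFTABL` but the ioctl that failed on the line above is `SIOCGTABL`; the message should read `ipferror(fd, "ioctl(SIOCGTABL)");` to match the other `ipferror` messages in this file. Also, `table.ita_type` is assigned only when `which` is 0 or 1, and `table` is a stack `ipftable_t` with no `bzero` visible in `dotable`, so any other `which` value sends an uninitialised type to the kernel; both current callers pass 0 or 1, but an `else { free(buckets); return; }` (or a `bzero(&table, sizeof(table))` up front) makes the contract explicit.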
@@ -412,9 +454,9 @@
}
}
+ minlen = nsp->ns_side[which].ns_inuse;
totallen = 0;
maxlen = 0;
- minlen = nsp->ns_inuse;
used = 0;
for (i = 0; i < nsp->ns_nattab_sz; i++) {
@@ -427,27 +469,84 @@
totallen += buckets[i];
}
- printf("hash efficiency\t%2.2f%%\n",
- totallen ? ((float)used / totallen) * 100.0 : 0.0);
- printf("bucket usage\t%2.2f%%\n",
- ((float)used / nsp->ns_nattab_sz) * 100.0);
- printf("minimal length\t%d\n", minlen);
- printf("maximal length\t%d\n", maxlen);
- printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
+ printf("%d%%\thash efficiency %s\n",
+ totallen ? used * 100 / totallen : 0, side);
+ printf("%2.2f%%\tbucket usage %s\n",
+ ((float)used / nsp->ns_nattab_sz) * 100.0, side);
+ printf("%d\tminimal length %s\n", minlen, side);
+ printf("%d\tmaximal length %s\n", maxlen, side);
+ printf("%.3f\taverage length %s\n",
+ used ? ((float)totallen / used) : 0.0, side);
+
+ free(buckets);
}
+void dostats(fd, nsp, opts, alive, filter)
+ natstat_t *nsp;
+ int fd, opts, alive, *filter;
+{
+ /*
+ * Show statistics ?
+ */
+ if (opts & OPT_STAT) {
+ printnatside("in", &nsp->ns_side[0]);
+ dotable(nsp, fd, alive, 0, "in");
+
+ printnatside("out", &nsp->ns_side[1]);
+ dotable(nsp, fd, alive, 1, "out");
+
+ printf("%lu\tlog successes\n", nsp->ns_side[0].ns_log);
+ printf("%lu\tlog failures\n", nsp->ns_side[1].ns_log);
+ printf("%lu\tadded in\n%lu\tadded out\n",
+ nsp->ns_side[0].ns_added,
+ nsp->ns_side[1].ns_added);
+ printf("%u\tactive\n", nsp->ns_active);
+ printf("%lu\ttransparent adds\n", nsp->ns_addtrpnt);
+ printf("%lu\tdivert build\n", nsp->ns_divert_build);
+ printf("%lu\texpired\n", nsp->ns_expire);
+ printf("%lu\tflush all\n", nsp->ns_flush_all);
+ printf("%lu\tflush closing\n", nsp->ns_flush_closing);
+ printf("%lu\tflush queue\n", nsp->ns_flush_queue);
+ printf("%lu\tflush state\n", nsp->ns_flush_state);
+ printf("%lu\tflush timeout\n", nsp->ns_flush_timeout);
+ printf("%lu\thostmap new\n", nsp->ns_hm_new);
+ printf("%lu\thostmap fails\n", nsp->ns_hm_newfail);
+ printf("%lu\thostmap add\n", nsp->ns_hm_addref);
+ printf("%lu\thostmap NULL rule\n", nsp->ns_hm_nullnp);
+ printf("%lu\tlog ok\n", nsp->ns_log_ok);
+ printf("%lu\tlog fail\n", nsp->ns_log_fail);
+ printf("%u\torphan count\n", nsp->ns_orphans);
+ printf("%u\trule count\n", nsp->ns_rules);
+ printf("%u\tmap rules\n", nsp->ns_rules_map);
+ printf("%u\trdr rules\n", nsp->ns_rules_rdr);
+ printf("%u\twilds\n", nsp->ns_wilds);
+ if (opts & OPT_VERBOSE)
+ printf("list %p\n", nsp->ns_list);
+ }
+
+ if (opts & OPT_LIST) {
+ if (alive)
+ dostats_live(fd, nsp, opts, filter);
+ else
+ dostats_dead(nsp, opts, filter);
+ }
+}
+
+
/*
* Display NAT statistics.
*/
-void dostats_live(fd, nsp, opts)
-natstat_t *nsp;
-int fd, opts;
+void dostats_live(fd, nsp, opts, filter)
+ natstat_t *nsp;
+ int fd, opts, *filter;
{
ipfgeniter_t iter;
+ char buffer[2000];
ipfobj_t obj;
- ipnat_t ipn;
+ ipnat_t *ipn;
nat_t nat;
+ int i;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
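Review bot: In the new `dostats`, `nsp->ns_side[0].ns_log` and `nsp->ns_side[1].ns_log` are labelled "log successes" and "log failures", yet every other `ns_side[0]`/`ns_side[1]` pair in the same block is printed as in/out ("added in"/"added out") and separate `ns_log_ok`/`ns_log_fail` counters are printed a few lines later as "log ok"/"log fail"; unless `ns_log` means something other than a per-direction counter, these two lines should read `"%lu\tlog in\n"` and `"%lu\tlog out\n"`. In `dotable`, "hash efficiency" is now computed in integer arithmetic (`used * 100 / totallen`), which drops the decimals the old `%2.2f` output showed and can overflow `int` for very large counts — if the truncation is intended, a comment saying so would help. At the start of `dostats_live`, `char buffer[2000]` is cast to `ipnat_t *`; a plain `char` array carries no alignment guarantee for that struct, so a union such as `union { ipnat_t ipn; char raw[2000]; } buffer;` is safer than the cast. `dostats_live` continues past the end of the hunk.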
@@ -457,23 +556,40 @@
iter.igi_type = IPFGENITER_IPNAT;
iter.igi_nitems = 1;
- iter.igi_data = &ipn;
+ iter.igi_data = buffer;
+ ipn = (ipnat_t *)buffer;
/*
* Show list of NAT rules and NAT sessions ?
*/
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
+ if (nat_fields == NULL) {
+ printf("List of active MAP/Redirect filters:\n");
+ while (nsp->ns_list) {
+ if (ioctl(fd, SIOCGENITER, &obj) == -1)
+ break;
+ if (opts & OPT_HITS)
+ printf("%lu ", ipn->in_hits);
+ printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+ nsp->ns_list = ipn->in_next;
+ }
}
- printf("\nList of active sessions:\n");
+ if (nat_fields == NULL) {
+ printf("\nList of active sessions:\n");
+ } else if (nohdrfields == 0) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printfieldhdr(natfields, nat_fields + i);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ }
+
+ i = IPFGENITER_IPNAT;
+ (void) ioctl(fd,SIOCIPFDELTOK, &i);
+
+
iter.igi_type = IPFGENITER_NAT;
iter.igi_nitems = 1;
iter.igi_data = &nat;
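Review bot: `iter.igi_data = buffer` hands the kernel a fixed 2000-byte area with `igi_nitems = 1` and no length field visible in this hunk, so the bound that keeps an `ipnat_t` plus whatever follows it inside 2000 bytes is implicit; a named constant with a comment, e.g. `enum { IPNAT_ITER_BUFSZ = 2000 }; /* must hold one ipnat_t plus its trailing data — confirm against the kernel iterator */`, would document the assumption. The `(void) ioctl(fd,SIOCIPFDELTOK, &i);` calls here and at the end of the function lack the space after the comma used by every other call in the file. The `break` on `SIOCGENITER` failure stays silent, whereas the other ioctls touched by this commit now report through `ipferror`.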
@@ -481,14 +597,35 @@
while (nsp->ns_instances != NULL) {
if (ioctl(fd, SIOCGENITER, &obj) == -1)
break;
- printactivenat(&nat, opts, 1, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
+ if ((filter != NULL) && (nat_matcharray(&nat, filter) == 0))
+ continue;
+ if (nat_fields != NULL) {
+ for (i = 0; nat_fields[i].w_value != 0; i++) {
+ printnatfield(&nat, nat_fields[i].w_value);
+ if (nat_fields[i + 1].w_value != 0)
+ printf("\t");
+ }
+ printf("\n");
+ } else {
+ printactivenat(&nat, opts, nsp->ns_ticks);
+ if (nat.nat_aps) {
+ int proto;
+
+ if (nat.nat_dir & NAT_OUTBOUND)
+ proto = nat.nat_pr[1];
+ else
+ proto = nat.nat_pr[0];
+ printaps(nat.nat_aps, opts, proto);
+ }
+ }
nsp->ns_instances = nat.nat_next;
}
if (opts & OPT_VERBOSE)
showhostmap_live(fd, nsp);
+
+ i = IPFGENITER_NAT;
+ (void) ioctl(fd,SIOCIPFDELTOK, &i);
}
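Review bot: The new `continue` after `nat_matcharray(&nat, filter) == 0` skips the `nsp->ns_instances = nat.nat_next;` assignment at the bottom of the `while` loop, so a filtered-out entry never advances the loop's own termination test; the loop then ends only if the `SIOCGENITER` ioctl fails once the iterator is exhausted, which this hunk does not show. Moving the assignment up so it runs for every fetched entry removes that dependency: `nsp->ns_instances = nat.nat_next;` directly after the `break`, followed by `if ((filter != NULL) && (nat_matcharray(&nat, filter) == 0)) continue;`, with the assignment at the end of the body dropped. The same `continue` in `dostats_dead` is fine because there the `for` header advances `np`.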
@@ -496,7 +633,7 @@
* Display the active host mapping table.
*/
void showhostmap_dead(nsp)
-natstat_t *nsp;
+ natstat_t *nsp;
{
hostmap_t hm, *hmp, **maptable;
u_int hv;
@@ -532,12 +669,13 @@
* Display the active host mapping table.
*/
void showhostmap_live(fd, nsp)
-int fd;
-natstat_t *nsp;
+ int fd;
+ natstat_t *nsp;
{
ipfgeniter_t iter;
hostmap_t hm;
ipfobj_t obj;
+ int i;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
@@ -554,25 +692,167 @@
while (nsp->ns_maplist != NULL) {
if (ioctl(fd, SIOCGENITER, &obj) == -1)
break;
- printhostmap(&hm, 0);
+ printhostmap(&hm, hm.hm_hv);
nsp->ns_maplist = hm.hm_next;
}
+
+ i = IPFGENITER_HOSTMAP;
+ (void) ioctl(fd,SIOCIPFDELTOK, &i);
}
-void showtqtable_live(fd)
-int fd;
+int nat_matcharray(nat, array)
+ nat_t *nat;
+ int *array;
{
- ipftq_t table[IPF_TCP_NSTATES];
- ipfobj_t obj;
+ int i, n, *x, rv, p;
+ ipfexp_t *e;
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = (void *)table;
- obj.ipfo_type = IPFOBJ_STATETQTAB;
+ rv = 0;
+ n = array[0];
+ x = array + 1;
- if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
- printtqtable(table);
+ for (; n > 0; x += 3 + x[3], rv = 0) {
+ e = (ipfexp_t *)x;
+ if (e->ipfe_cmd == IPF_EXP_END)
+ break;
+ n -= e->ipfe_size;
+
+ p = e->ipfe_cmd >> 16;
+ if ((p != 0) && (p != nat->nat_pr[1]))
+ break;
+
+ switch (e->ipfe_cmd)
+ {
+ case IPF_EXP_IP_PR :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_pr[1] == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_IP_SRCADDR :
+ if (nat->nat_v[0] != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((nat->nat_osrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_nsrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_DSTADDR :
+ if (nat->nat_v[0] != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((nat->nat_odstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_ndstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+ case IPF_EXP_IP_ADDR :
+ if (nat->nat_v[0] != 4)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= ((nat->nat_osrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_nsrcaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_odstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]) ||
+ ((nat->nat_ndstaddr &
+ e->ipfe_arg0[i * 2 + 1]) ==
+ e->ipfe_arg0[i * 2]);
+ }
+ break;
+
+#ifdef USE_INET6
+ case IPF_EXP_IP6_SRCADDR :
+ if (nat->nat_v[0] != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&nat->nat_osrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_nsrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_DSTADDR :
+ if (nat->nat_v[0] != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&nat->nat_odst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_ndst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+
+ case IPF_EXP_IP6_ADDR :
+ if (nat->nat_v[0] != 6)
+ break;
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= IP6_MASKEQ(&nat->nat_osrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_nsrc6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_odst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]) ||
+ IP6_MASKEQ(&nat->nat_ndst6,
+ &e->ipfe_arg0[i * 8 + 4],
+ &e->ipfe_arg0[i * 8]);
+ }
+ break;
+#endif
+
+ case IPF_EXP_UDP_PORT :
+ case IPF_EXP_TCP_PORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_osport == e->ipfe_arg0[i]) ||
+ (nat->nat_nsport == e->ipfe_arg0[i]) ||
+ (nat->nat_odport == e->ipfe_arg0[i]) ||
+ (nat->nat_ndport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_SPORT :
+ case IPF_EXP_TCP_SPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_osport == e->ipfe_arg0[i]) ||
+ (nat->nat_nsport == e->ipfe_arg0[i]);
+ }
+ break;
+
+ case IPF_EXP_UDP_DPORT :
+ case IPF_EXP_TCP_DPORT :
+ for (i = 0; !rv && i < e->ipfe_narg; i++) {
+ rv |= (nat->nat_odport == e->ipfe_arg0[i]) ||
+ (nat->nat_ndport == e->ipfe_arg0[i]);
+ }
+ break;
+ }
+ rv ^= e->ipfe_not;
+
+ if (rv == 0)
+ break;
}
+
+ return rv;
}
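Review bot: The `switch (e->ipfe_cmd)` in `nat_matcharray` has no `default`, so an unrecognised command leaves `rv` at 0 and the following `rv ^= e->ipfe_not` turns a negated unknown expression into a match; an explicit `default: break; /* unknown expression: no match */` (or an early `return 0`) documents which behaviour is intended. The loop advances with `x += 3 + x[3]` but accounts with `n -= e->ipfe_size`, two different views of the element width; if `ipfe_size` ever differs from that stride, `n` and `x` drift apart, and nothing checks that `e->ipfe_narg` arguments fit in the remaining `n` words — the array comes from this tool's own parser, so this is robustness rather than input validation, but a comment stating the invariant on the `for` line would help. The `rv = 0` reset hidden in the `for` increment is easy to miss; moving it to the top of the body reads more clearly.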
Modified: trunk/contrib/ipfilter/tools/ipnat_y.y
===================================================================
--- trunk/contrib/ipfilter/tools/ipnat_y.y 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipnat_y.y 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipnat_y.y 272990 2014-10-12 17:03:47Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -35,7 +35,7 @@
#include <sys/time.h>
#include <syslog.h>
#include <net/if.h>
-#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netdb.h>
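Review bot: Dropping `defined(__MidnightBSD__)` from the `#if` around `#include <net/if_var.h>` looks like a local MidnightBSD patch being overwritten by the vendor import. If `__FreeBSD_version` is not defined in this build environment the condition evaluates to `0 >= 300000` and the header is silently skipped; either keep `#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000` or confirm that `sys/param.h` defines `__FreeBSD_version` on this platform.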
@@ -60,33 +60,58 @@
static ioctlfunc_t natioctlfunc = NULL;
static addfunc_t nataddfunc = NULL;
static int suggest_port = 0;
+static proxyrule_t *prules = NULL;
+static int parser_error = 0;
static void newnatrule __P((void));
static void setnatproto __P((int));
-
+static void setmapifnames __P((void));
+static void setrdrifnames __P((void));
+static void proxy_setconfig __P((int));
+static void proxy_unsetconfig __P((void));
+static namelist_t *proxy_dns_add_pass __P((char *, char *));
+static namelist_t *proxy_dns_add_block __P((char *, char *));
+static void proxy_addconfig __P((char *, int, char *, namelist_t *));
+static void proxy_loadconfig __P((int, ioctlfunc_t, char *, int,
+ char *, namelist_t *));
+static void proxy_loadrules __P((int, ioctlfunc_t, proxyrule_t *));
+static void setmapifnames __P((void));
+static void setrdrifnames __P((void));
+static void setifname __P((ipnat_t **, int, char *));
+static int addname __P((ipnat_t **, char *));
%}
%union {
char *str;
u_32_t num;
- struct in_addr ipa;
+ struct {
+ i6addr_t a;
+ int f;
+ } ipa;
frentry_t fr;
frtuc_t *frt;
u_short port;
struct {
- u_short p1;
- u_short p2;
+ int p1;
+ int p2;
int pc;
} pc;
struct {
- struct in_addr a;
- struct in_addr m;
+ i6addr_t a;
+ i6addr_t m;
+ int t; /* Address type */
+ int u;
+ int f; /* Family */
+ int v; /* IP version */
+ int s; /* 0 = number, 1 = text */
+ int n; /* number */
} ipp;
union i6addr ip6;
+ namelist_t *names;
};
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
-%token YY_COMMENT
+%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
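Review bot: `setmapifnames` and `setrdrifnames` are prototyped twice in the new block of static declarations (once directly after `setnatproto`, again after `proxy_loadrules`); the second pair should be removed. The new file-scope variables `prules` and `parser_error` are used across several later hunks, so a one-line comment on each — `/* proxy rules collected for the current line, loaded after its NAT rules */` and `/* first non-zero result from nataddfunc for the current line */` — would help readers who only see this declaration block.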
@@ -95,24 +120,43 @@
%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token IPNY_TLATE IPNY_SEQUENTIAL
+%token IPNY_TLATE IPNY_POOL IPNY_HASH IPNY_NO IPNY_REWRITE IPNY_PROTO
+%token IPNY_ON IPNY_SRC IPNY_DST IPNY_IN IPNY_OUT IPNY_DIVERT
+%token IPNY_CONFIG IPNY_ALLOW IPNY_DENY IPNY_DNS IPNY_INET IPNY_INET6
+%token IPNY_SEQUENTIAL IPNY_DSTLIST IPNY_PURGE
%type <port> portspec
%type <num> hexnumber compare range proto
-%type <ipa> hostname ipv4
-%type <ipp> addr nummask rhaddr
-%type <pc> portstuff
+%type <num> saddr daddr sobject dobject mapfrom rdrfrom dip
+%type <ipa> hostname ipv4 ipaddr
+%type <ipp> addr rhsaddr rhdaddr erhdaddr
+%type <pc> portstuff portpair comaports srcports dstports
+%type <names> dnslines dnsline
%%
file: line
| assign
| file line
| file assign
+ | file pconf ';'
;
-line: xx rule { while ((nat = nattop) != NULL) {
+line: xx rule { int err;
+ while ((nat = nattop) != NULL) {
+ if (nat->in_v[0] == 0)
+ nat->in_v[0] = 4;
+ if (nat->in_v[1] == 0)
+ nat->in_v[1] = nat->in_v[0];
nattop = nat->in_next;
- (*nataddfunc)(natfd, natioctlfunc, nat);
+ err = (*nataddfunc)(natfd, natioctlfunc, nat);
free(nat);
+ if (err != 0) {
+ parser_error = err;
+ break;
+ }
}
+ if (parser_error == 0 && prules != NULL) {
+ proxy_loadrules(natfd, natioctlfunc, prules);
+ prules = NULL;
+ }
resetlexer();
}
| YY_COMMENT
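Review bot: In the `line` action, the `break` on a non-zero `err` leaves the remaining entries of the `nattop` chain unprocessed and unfreed while `nattop` still points at them; unless the caller stops parsing once `parser_error` is set (not visible here), the next `line` action will load those leftovers together with its own rules. Draining the chain on the error path — `while ((nat = nattop) != NULL) { nattop = nat->in_next; free(nat); }` — before leaving the loop prevents both the leak and stale rules being carried forward. Guarding `proxy_loadrules` with `parser_error == 0` is consistent with that intent.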
@@ -136,208 +180,543 @@
rule: map eol
| mapblock eol
| redir eol
+ | rewrite ';'
+ | divert ';'
;
+no: IPNY_NO { nat->in_flags |= IPN_NO; }
+ ;
+
eol: | ';'
;
-map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+map: mapit ifnames addr tlate rhsaddr proxy mapoptions
+ { if ($3.f != 0 && $3.f != $5.f && $5.f != 0)
+ yyerror("3.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3.v != 0)
+ nat->in_v[0] = $3.v;
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3.v != 0)
+ nat->in_v[1] = $3.v;
+ nat->in_osrcatype = $3.t;
+ bcopy(&$3.a, &nat->in_osrc.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_osrc.na_addr[1],
+ sizeof($3.a));
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
- | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ | mapit ifnames addr tlate rhsaddr mapport mapoptions
+ { if ($3.f != $5.f && $3.f != 0 && $5.f != 0)
+ yyerror("4.address family mismatch");
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[0] == 0 && $3.v != 0)
+ nat->in_v[0] = $3.v;
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[1] == 0 && $3.v != 0)
+ nat->in_v[1] = $3.v;
+ nat->in_osrcatype = $3.t;
+ bcopy(&$3.a, &nat->in_osrc.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_osrc.na_addr[1],
+ sizeof($3.a));
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
- | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ | no mapit ifnames addr setproto ';'
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = $4.v;
+ nat->in_osrcatype = $4.t;
+ bcopy(&$4.a, &nat->in_osrc.na_addr[0],
+ sizeof($4.a));
+ bcopy(&$4.m, &nat->in_osrc.na_addr[1],
+ sizeof($4.a));
+
+ setmapifnames();
}
- | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions
+ { if ($3 != 0 && $5.f != 0 && $3 != $5.f)
+ yyerror("5.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3 != 0)
+ nat->in_v[0] = ftov($3);
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3 != 0)
+ nat->in_v[1] = ftov($3);
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
+ | no mapit ifnames mapfrom setproto ';'
+ { nat->in_v[0] = ftov($4);
+ setmapifnames();
+ }
+ | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions
+ { if ($3 != 0 && $5.f != 0 && $3 != $5.f)
+ yyerror("6.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3 != 0)
+ nat->in_v[0] = ftov($3);
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3 != 0)
+ nat->in_v[1] = ftov($3);
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
+ }
;
mapblock:
- mapblockit ifnames addr IPNY_TLATE addr ports mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
+ mapblockit ifnames addr tlate addr ports mapoptions
+ { if ($3.f != 0 && $5.f != 0 && $3.f != $5.f)
+ yyerror("7.address family mismatch");
+ if (nat->in_v[0] == 0 && $5.v != 0)
+ nat->in_v[0] = $5.v;
+ else if (nat->in_v[0] == 0 && $3.v != 0)
+ nat->in_v[0] = $3.v;
+ if (nat->in_v[1] == 0 && $5.v != 0)
+ nat->in_v[1] = $5.v;
+ else if (nat->in_v[1] == 0 && $3.v != 0)
+ nat->in_v[1] = $3.v;
+ nat->in_osrcatype = $3.t;
+ bcopy(&$3.a, &nat->in_osrc.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_osrc.na_addr[1],
+ sizeof($3.a));
+ nat->in_nsrcatype = $5.t;
+ nat->in_nsrcafunc = $5.u;
+ bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
}
+ | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';'
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = $5.v;
+ if (nat->in_v[1] == 0)
+ nat->in_v[1] = $5.v;
+ nat->in_osrcatype = $5.t;
+ bcopy(&$5.a, &nat->in_osrc.na_addr[0],
+ sizeof($5.a));
+ bcopy(&$5.m, &nat->in_osrc.na_addr[1],
+ sizeof($5.a));
+
+ setmapifnames();
+ }
;
-redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
+redir: rdrit ifnames addr dport tlate dip nport setproto rdroptions
+ { if ($6 != 0 && $3.f != 0 && $6 != $3.f)
+ yyerror("21.address family mismatch");
+ if (nat->in_v[0] == 0) {
+ if ($3.v != AF_UNSPEC)
+ nat->in_v[0] = ftov($3.f);
+ else
+ nat->in_v[0] = ftov($6);
+ }
+ nat->in_odstatype = $3.t;
+ bcopy(&$3.a, &nat->in_odst.na_addr[0],
+ sizeof($3.a));
+ bcopy(&$3.m, &nat->in_odst.na_addr[1],
+ sizeof($3.a));
+
+ setrdrifnames();
}
- | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
+ | no rdrit ifnames addr dport setproto ';'
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = ftov($4.f);
+ nat->in_odstatype = $4.t;
+ bcopy(&$4.a, &nat->in_odst.na_addr[0],
+ sizeof($4.a));
+ bcopy(&$4.m, &nat->in_odst.na_addr[1],
+ sizeof($4.a));
+
+ setrdrifnames();
}
- | rdrit ifnames addr IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
+ | rdrit ifnames rdrfrom tlate dip nport setproto rdroptions
+ { if ($5 != 0 && $3 != 0 && $5 != $3)
+ yyerror("20.address family mismatch");
+ if (nat->in_v[0] == 0) {
+ if ($3 != AF_UNSPEC)
+ nat->in_v[0] = ftov($3);
+ else
+ nat->in_v[0] = ftov($5);
+ }
+ setrdrifnames();
}
- | rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
+ | no rdrit ifnames rdrfrom setproto ';'
+ { nat->in_v[0] = ftov($4);
+
+ setrdrifnames();
}
;
+rewrite:
+ IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = ftov($4);
+ if (nat->in_redir & NAT_MAP)
+ setmapifnames();
+ else
+ setrdrifnames();
+ nat->in_redir |= NAT_REWRITE;
+ }
+ ;
+
+divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts
+ { if (nat->in_v[0] == 0)
+ nat->in_v[0] = ftov($4);
+ if (nat->in_redir & NAT_MAP) {
+ setmapifnames();
+ nat->in_pr[0] = IPPROTO_UDP;
+ } else {
+ setrdrifnames();
+ nat->in_pr[1] = IPPROTO_UDP;
+ }
+ nat->in_flags &= ~IPN_TCP;
+ }
+ ;
+
+tlate: IPNY_TLATE { yyexpectaddr = 1; }
+ ;
+
+pconf: IPNY_PROXY { yysetdict(proxies); }
+ IPNY_DNS '/' proto IPNY_CONFIG YY_STR '{'
+ { proxy_setconfig(IPNY_DNS); }
+ dnslines ';' '}'
+ { proxy_addconfig("dns", $5, $7, $10);
+ proxy_unsetconfig();
+ }
+ ;
+
+dnslines:
+ dnsline { $$ = $1; }
+ | dnslines ';' dnsline { $$ = $1; $1->na_next = $3; }
+ ;
+
+dnsline:
+ IPNY_ALLOW YY_STR { $$ = proxy_dns_add_pass(NULL, $2); }
+ | IPNY_DENY YY_STR { $$ = proxy_dns_add_block(NULL, $2); }
+ | IPNY_ALLOW '.' YY_STR { $$ = proxy_dns_add_pass(".", $3); }
+ | IPNY_DENY '.' YY_STR { $$ = proxy_dns_add_block(".", $3); }
+ ;
+
+oninout:
+ inout IPNY_ON ifnames { ; }
+ ;
+
+inout: IPNY_IN { nat->in_redir = NAT_REDIRECT; }
+ | IPNY_OUT { nat->in_redir = NAT_MAP; }
+ ;
+
+rwrproto:
+ | IPNY_PROTO setproto
+ ;
+
+newdst: src rhsaddr srcports dst erhdaddr dstports
+ { nat->in_nsrc.na_addr[0] = $2.a;
+ nat->in_nsrc.na_addr[1] = $2.m;
+ nat->in_nsrc.na_atype = $2.t;
+ if ($2.t == FRI_LOOKUP) {
+ nat->in_nsrc.na_type = $2.u;
+ nat->in_nsrc.na_subtype = $2.s;
+ nat->in_nsrc.na_num = $2.n;
+ }
+ nat->in_nsports[0] = $3.p1;
+ nat->in_nsports[1] = $3.p2;
+ nat->in_ndst.na_addr[0] = $5.a;
+ nat->in_ndst.na_addr[1] = $5.m;
+ nat->in_ndst.na_atype = $5.t;
+ if ($5.t == FRI_LOOKUP) {
+ nat->in_ndst.na_type = $5.u;
+ nat->in_ndst.na_subtype = $5.s;
+ nat->in_ndst.na_num = $5.n;
+ }
+ nat->in_ndports[0] = $6.p1;
+ nat->in_ndports[1] = $6.p2;
+ }
+ ;
+
+divdst: src addr ',' portspec dst addr ',' portspec IPNY_UDP
+ { nat->in_nsrc.na_addr[0] = $2.a;
+ if ($2.m.in4.s_addr != 0xffffffff)
+ yyerror("divert must have /32 dest");
+ nat->in_nsrc.na_addr[1] = $2.m;
+ nat->in_nsports[0] = $4;
+ nat->in_nsports[1] = $4;
+
+ nat->in_ndst.na_addr[0] = $6.a;
+ nat->in_ndst.na_addr[1] = $6.m;
+ if ($6.m.in4.s_addr != 0xffffffff)
+ yyerror("divert must have /32 dest");
+ nat->in_ndports[0] = $8;
+ nat->in_ndports[1] = $8;
+
+ nat->in_redir |= NAT_DIVERTUDP;
+ }
+ ;
+
+src: IPNY_SRC { yyexpectaddr = 1; }
+ ;
+
+dst: IPNY_DST { yyexpectaddr = 1; }
+ ;
+
+srcports:
+ comaports { $$.p1 = $1.p1;
+ $$.p2 = $1.p2;
+ }
+ | IPNY_PORT '=' portspec
+ { $$.p1 = $3;
+ $$.p2 = $3;
+ nat->in_flags |= IPN_FIXEDSPORT;
+ }
+ ;
+
+dstports:
+ comaports { $$.p1 = $1.p1;
+ $$.p2 = $1.p2;
+ }
+ | IPNY_PORT '=' portspec
+ { $$.p1 = $3;
+ $$.p2 = $3;
+ nat->in_flags |= IPN_FIXEDDPORT;
+ }
+ ;
+
+comaports:
+ { $$.p1 = 0;
+ $$.p2 = 0;
+ }
+ | ',' { if (!(nat->in_flags & IPN_TCPUDP))
+ yyerror("must be TCP/UDP for ports");
+ }
+ portpair { $$.p1 = $3.p1;
+ $$.p2 = $3.p2;
+ }
+ ;
+
proxy: | IPNY_PROXY port portspec YY_STR '/' proto
- { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
+ { int pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
if (nat->in_dcmp == 0) {
- nat->in_dport = htons($3);
- } else if ($3 != nat->in_dport) {
+ nat->in_odport = $3;
+ } else if ($3 != nat->in_odport) {
yyerror("proxy port numbers not consistant");
}
+ nat->in_ndport = $3;
setnatproto($6);
free($4);
}
| IPNY_PROXY port YY_STR YY_STR '/' proto
- { int pnum;
- strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
+ { int pnum, pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
pnum = getportproto($3, $6);
if (pnum == -1)
yyerror("invalid port number");
- nat->in_dport = pnum;
+ nat->in_odport = ntohs(pnum);
+ nat->in_ndport = ntohs(pnum);
setnatproto($6);
free($3);
free($4);
}
+ | IPNY_PROXY port portspec YY_STR '/' proto IPNY_CONFIG YY_STR
+ { int pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
+ if (nat->in_dcmp == 0) {
+ nat->in_odport = $3;
+ } else if ($3 != nat->in_odport) {
+ yyerror("proxy port numbers not consistant");
+ }
+ nat->in_ndport = $3;
+ setnatproto($6);
+ nat->in_pconfig = addname(&nat, $8);
+ free($4);
+ free($8);
+ }
+ | IPNY_PROXY port YY_STR YY_STR '/' proto IPNY_CONFIG YY_STR
+ { int pnum, pos;
+ pos = addname(&nat, $4);
+ nat->in_plabel = pos;
+ pnum = getportproto($3, $6);
+ if (pnum == -1)
+ yyerror("invalid port number");
+ nat->in_odport = ntohs(pnum);
+ nat->in_ndport = ntohs(pnum);
+ setnatproto($6);
+ pos = addname(&nat, $8);
+ nat->in_pconfig = pos;
+ free($3);
+ free($4);
+ free($8);
+ }
;
-
setproto:
- | proto { if (nat->in_p != 0 ||
+ | proto { if (nat->in_pr[0] != 0 ||
+ nat->in_pr[1] != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
setnatproto($1);
}
- | IPNY_TCPUDP { if (nat->in_p != 0 ||
+ | IPNY_TCPUDP { if (nat->in_pr[0] != 0 ||
+ nat->in_pr[1] != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
- | IPNY_TCP '/' IPNY_UDP { if (nat->in_p != 0 ||
+ | IPNY_TCP '/' IPNY_UDP { if (nat->in_pr[0] != 0 ||
+ nat->in_pr[1] != 0 ||
nat->in_flags & IPN_TCPUDP)
yyerror("protocol set twice");
nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
;
-rhaddr: addr { $$.a = $1.a; $$.m = $1.m; }
- | IPNY_RANGE ipv4 '-' ipv4
- { $$.a = $2; $$.m = $4;
- nat->in_flags |= IPN_IPRANGE; }
+rhsaddr:
+ addr { $$ = $1;
+ yyexpectaddr = 0;
+ }
+ | hostname '-' { yyexpectaddr = 1; } hostname
+ { $$.t = FRI_RANGE;
+ if ($1.f != $4.f)
+ yyerror("8.address family "
+ "mismatch");
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ $$.a = $1.a;
+ $$.m = $4.a;
+ nat->in_flags |= IPN_SIPRANGE;
+ yyexpectaddr = 0;
+ }
+ | IPNY_RANGE hostname '-' { yyexpectaddr = 1; } hostname
+ { $$.t = FRI_RANGE;
+ if ($2.f != $5.f)
+ yyerror("9.address family "
+ "mismatch");
+ $$.f = $2.f;
+ $$.v = ftov($2.f);
+ $$.a = $2.a;
+ $$.m = $5.a;
+ nat->in_flags |= IPN_SIPRANGE;
+ yyexpectaddr = 0;
+ }
;
dip:
- hostname { nat->in_inip = $1.s_addr;
- nat->in_inmsk = 0xffffffff; }
- | hostname '/' YY_NUMBER { if ($3 != 0 || $1.s_addr != 0)
- yyerror("Only 0/0 supported");
- nat->in_inip = 0;
- nat->in_inmsk = 0;
+ hostname ',' { yyexpectaddr = 1; } hostname
+ { nat->in_flags |= IPN_SPLIT;
+ if ($1.f != $4.f)
+ yyerror("10.address family "
+ "mismatch");
+ $$ = $1.f;
+ nat->in_ndstip6 = $1.a;
+ nat->in_ndstmsk6 = $4.a;
+ nat->in_ndstatype = FRI_SPLIT;
+ yyexpectaddr = 0;
+ }
+ | rhdaddr { int bits;
+ nat->in_ndstip6 = $1.a;
+ nat->in_ndstmsk6 = $1.m;
+ nat->in_ndst.na_atype = $1.t;
+ yyexpectaddr = 0;
+ if ($1.f == AF_INET)
+ bits = count4bits($1.m.in4.s_addr);
+ else
+ bits = count6bits($1.m.i6);
+ if (($1.f == AF_INET) && (bits != 0) &&
+ (bits != 32)) {
+ yyerror("dest ip bitmask not /32");
+ } else if (($1.f == AF_INET6) &&
+ (bits != 0) && (bits != 128)) {
+ yyerror("dest ip bitmask not /128");
+ }
+ $$ = $1.f;
+ }
+ ;
+
+rhdaddr:
+ addr { $$ = $1;
+ yyexpectaddr = 0;
}
- | hostname ',' hostname { nat->in_flags |= IPN_SPLIT;
- nat->in_inip = $1.s_addr;
- nat->in_inmsk = $3.s_addr; }
+ | hostname '-' hostname { bzero(&$$, sizeof($$));
+ $$.t = FRI_RANGE;
+ if ($1.f != 0 && $3.f != 0 &&
+ $1.f != $3.f)
+ yyerror("11.address family "
+ "mismatch");
+ $$.a = $1.a;
+ $$.m = $3.a;
+ nat->in_flags |= IPN_DIPRANGE;
+ yyexpectaddr = 0;
+ }
+ | IPNY_RANGE hostname '-' hostname
+ { bzero(&$$, sizeof($$));
+ $$.t = FRI_RANGE;
+ if ($2.f != 0 && $4.f != 0 &&
+ $2.f != $4.f)
+ yyerror("12.address family "
+ "mismatch");
+ $$.a = $2.a;
+ $$.m = $4.a;
+ nat->in_flags |= IPN_DIPRANGE;
+ yyexpectaddr = 0;
+ }
;
+erhdaddr:
+ rhdaddr { $$ = $1; }
+ | IPNY_DSTLIST '/' YY_NUMBER { $$.t = FRI_LOOKUP;
+ $$.u = IPLT_DSTLIST;
+ $$.s = 0;
+ $$.n = $3;
+ }
+ | IPNY_DSTLIST '/' YY_STR { $$.t = FRI_LOOKUP;
+ $$.u = IPLT_DSTLIST;
+ $$.s = 1;
+ $$.n = addname(&nat, $3);
+ }
+ ;
+
port: IPNY_PORT { suggest_port = 1; }
;
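Review bot: In `divdst`, the check on the source address (`$2.m.in4.s_addr != 0xffffffff`) reports `"divert must have /32 dest"`, the same text as the destination check that follows it; the first message should say `"divert must have /32 src"`. In the first `redir` alternative, `$3.v != AF_UNSPEC` compares the IP-version field against an address-family constant while the next line uses `ftov($3.f)`; it works only because `AF_UNSPEC` is 0, and `$3.f != AF_UNSPEC` is what is meant. The second `map` alternative pairs `in_v[1]`/`in_v[0]` across its `if`/`else if` ladder differently from the first alternative, which keeps each index together; the outcome is the same for all inputs, but the two blocks should read alike. The `"proxy port numbers not consistant"` typo is copied into the new `IPNY_CONFIG` proxy alternative. The numbered prefixes in the new `yyerror` texts (`"3.address family mismatch"` and so on) read like debugging aids rather than user-facing messages.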
@@ -347,27 +726,44 @@
else
$$ = $1;
}
- | YY_STR { if (getport(NULL, $1, &($$)) == -1)
+ | YY_STR { if (getport(NULL, $1,
+ &($$), NULL) == -1)
yyerror("invalid port number");
$$ = ntohs($$);
}
;
-dport: | port portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($2); }
- | port portspec '-' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
- | port portspec ':' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
+portpair:
+ portspec { $$.p1 = $1; $$.p2 = $1; }
+ | portspec '-' portspec { $$.p1 = $1; $$.p2 = $3; }
+ | portspec ':' portspec { $$.p1 = $1; $$.p2 = $3; }
;
-nport: port portspec { nat->in_pnext = htons($2); }
- | port '=' portspec { nat->in_pnext = htons($3);
+dport: | port portpair { nat->in_odport = $2.p1;
+ if ($2.p2 == 0)
+ nat->in_dtop = $2.p1;
+ else
+ nat->in_dtop = $2.p2;
+ }
+ ;
+
+nport: | port portpair { nat->in_dpmin = $2.p1;
+ nat->in_dpnext = $2.p1;
+ nat->in_dpmax = $2.p2;
+ nat->in_ndport = $2.p1;
+ if (nat->in_dtop == 0)
+ nat->in_dtop = $2.p2;
+ }
+ | port '=' portspec { nat->in_dpmin = $3;
+ nat->in_dpnext = $3;
+ nat->in_ndport = $3;
+ if (nat->in_dtop == 0)
+ nat->in_dtop = nat->in_odport;
nat->in_flags |= IPN_FIXEDDPORT;
}
;
-ports: | IPNY_PORTS YY_NUMBER { nat->in_pmin = $2; }
+ports: | IPNY_PORTS YY_NUMBER { nat->in_spmin = $2; }
| IPNY_PORTS IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; }
;
@@ -383,147 +779,300 @@
;
mapfrom:
- from sobject IPNY_TO dobject
- | from sobject '!' IPNY_TO dobject
- { nat->in_flags |= IPN_NOTDST; }
- | from sobject IPNY_TO '!' dobject
- { nat->in_flags |= IPN_NOTDST; }
+ from sobject to dobject { if ($2 != 0 && $4 != 0 && $2 != $4)
+ yyerror("13.address family "
+ "mismatch");
+ $$ = $2;
+ }
+ | from sobject '!' to dobject
+ { if ($2 != 0 && $5 != 0 && $2 != $5)
+ yyerror("14.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTDST;
+ $$ = $2;
+ }
+ | from sobject to '!' dobject
+ { if ($2 != 0 && $5 != 0 && $2 != $5)
+ yyerror("15.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTDST;
+ $$ = $2;
+ }
;
rdrfrom:
- from sobject IPNY_TO dobject
- | '!' from sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
- | from '!' sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
+ from sobject to dobject { if ($2 != 0 && $4 != 0 && $2 != $4)
+ yyerror("16.address family "
+ "mismatch");
+ $$ = $2;
+ }
+ | '!' from sobject to dobject
+ { if ($3 != 0 && $5 != 0 && $3 != $5)
+ yyerror("17.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTSRC;
+ $$ = $3;
+ }
+ | from '!' sobject to dobject
+ { if ($3 != 0 && $5 != 0 && $3 != $5)
+ yyerror("18.address family "
+ "mismatch");
+ nat->in_flags |= IPN_NOTSRC;
+ $$ = $3;
+ }
;
-from: IPNY_FROM { nat->in_flags |= IPN_FILTER; }
+from: IPNY_FROM { nat->in_flags |= IPN_FILTER;
+ yyexpectaddr = 1;
+ }
;
+to: IPNY_TO { yyexpectaddr = 1; }
+ ;
+
ifnames:
- ifname
- | ifname ',' otherifname
+ ifname family { yyexpectaddr = 1; }
+ | ifname ',' otherifname family { yyexpectaddr = 1; }
;
-ifname: YY_STR { strncpy(nat->in_ifnames[0], $1,
- sizeof(nat->in_ifnames[0]));
- nat->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
+ifname: YY_STR { setifname(&nat, 0, $1);
+ free($1);
+ }
;
+family: | IPNY_INET { nat->in_v[0] = 4; nat->in_v[1] = 4; }
+ | IPNY_INET6 { nat->in_v[0] = 6; nat->in_v[1] = 6; }
+ ;
+
otherifname:
- YY_STR { strncpy(nat->in_ifnames[1], $1,
- sizeof(nat->in_ifnames[1]));
- nat->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
+ YY_STR { setifname(&nat, 1, $1);
+ free($1);
+ }
;
mapport:
- IPNY_PORTMAP tcpudp portspec ':' portspec randport
- { nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
- }
- | IPNY_PORTMAP tcpudp IPNY_AUTO randport
- { nat->in_flags |= IPN_AUTOPORTMAP;
- nat->in_pmin = htons(1024);
- nat->in_pmax = htons(65535);
- }
- | IPNY_ICMPIDMAP YY_STR YY_NUMBER ':' YY_NUMBER
- { if (strcmp($2, "icmp") != 0) {
+ IPNY_PORTMAP tcpudp portpair sequential
+ { nat->in_spmin = $3.p1;
+ nat->in_spmax = $3.p2;
+ }
+ | IPNY_PORTMAP portpair tcpudp sequential
+ { nat->in_spmin = $2.p1;
+ nat->in_spmax = $2.p2;
+ }
+ | IPNY_PORTMAP tcpudp IPNY_AUTO sequential
+ { nat->in_flags |= IPN_AUTOPORTMAP;
+ nat->in_spmin = 1024;
+ nat->in_spmax = 65535;
+ }
+ | IPNY_ICMPIDMAP YY_STR portpair sequential
+ { if (strcmp($2, "icmp") != 0 &&
+ strcmp($2, "ipv6-icmp") != 0) {
yyerror("icmpidmap not followed by icmp");
}
free($2);
- if ($3 < 0 || $3 > 65535)
- yyerror("invalid ICMP Id number");
- if ($5 < 0 || $5 > 65535)
- yyerror("invalid ICMP Id number");
+ if ($3.p1 < 0 || $3.p1 > 65535)
+ yyerror("invalid 1st ICMP Id number");
+ if ($3.p2 < 0 || $3.p2 > 65535)
+ yyerror("invalid 2nd ICMP Id number");
+ if (strcmp($2, "ipv6-icmp") == 0) {
+ nat->in_pr[0] = IPPROTO_ICMPV6;
+ nat->in_pr[1] = IPPROTO_ICMPV6;
+ } else {
+ nat->in_pr[0] = IPPROTO_ICMP;
+ nat->in_pr[1] = IPPROTO_ICMP;
+ }
nat->in_flags = IPN_ICMPQUERY;
- nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
+ nat->in_spmin = $3.p1;
+ nat->in_spmax = $3.p2;
}
;
-randport:
- | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
- ;
-
sobject:
- saddr
- | saddr port portstuff { nat->in_sport = $3.p1;
+ saddr { $$ = $1; }
+ | saddr port portstuff { nat->in_osport = $3.p1;
nat->in_stop = $3.p2;
- nat->in_scmp = $3.pc; }
+ nat->in_scmp = $3.pc;
+ $$ = $1;
+ }
;
-saddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
- } else {
- nat->in_inip = $1.a.s_addr;
- nat->in_inmsk = $1.m.s_addr;
- }
+saddr: addr { nat->in_osrcatype = $1.t;
+ bcopy(&$1.a,
+ &nat->in_osrc.na_addr[0],
+ sizeof($1.a));
+ bcopy(&$1.m,
+ &nat->in_osrc.na_addr[1],
+ sizeof($1.m));
+ $$ = $1.f;
}
;
dobject:
- daddr
- | daddr port portstuff { nat->in_dport = $3.p1;
+ daddr { $$ = $1; }
+ | daddr port portstuff { nat->in_odport = $3.p1;
nat->in_dtop = $3.p2;
nat->in_dcmp = $3.pc;
- if (nat->in_redir == NAT_REDIRECT)
- nat->in_pmin = htons($3.p1);
+ $$ = $1;
}
;
-daddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_outip = $1.a.s_addr;
- nat->in_outmsk = $1.m.s_addr;
- } else {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
+daddr: addr { nat->in_odstatype = $1.t;
+ bcopy(&$1.a,
+ &nat->in_odst.na_addr[0],
+ sizeof($1.a));
+ bcopy(&$1.m,
+ &nat->in_odst.na_addr[1],
+ sizeof($1.m));
+ $$ = $1.f;
+ }
+ ;
+
+addr: IPNY_ANY { yyexpectaddr = 0;
+ bzero(&$$, sizeof($$));
+ $$.t = FRI_NORMAL;
+ }
+ | hostname { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.t = FRI_NORMAL;
+ $$.v = ftov($1.f);
+ $$.f = $1.f;
+ if ($$.f == AF_INET) {
+ $$.m.in4.s_addr = 0xffffffff;
+ } else if ($$.f == AF_INET6) {
+ $$.m.i6[0] = 0xffffffff;
+ $$.m.i6[1] = 0xffffffff;
+ $$.m.i6[2] = 0xffffffff;
+ $$.m.i6[3] = 0xffffffff;
}
+ yyexpectaddr = 0;
}
+ | hostname slash YY_NUMBER
+ { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ $$.t = FRI_NORMAL;
+ ntomask($$.f, $3, (u_32_t *)&$$.m);
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ yyexpectaddr = 0;
+ }
+ | hostname slash ipaddr { bzero(&$$, sizeof($$));
+ if ($1.f != $3.f) {
+ yyerror("1.address family "
+ "mismatch");
+ }
+ $$.a = $1.a;
+ $$.m = $3.a;
+ $$.t = FRI_NORMAL;
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ yyexpectaddr = 0;
+ }
+ | hostname slash hexnumber { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.m.in4.s_addr = htonl($3);
+ $$.t = FRI_NORMAL;
+ $$.a.in4.s_addr &= $$.m.in4.s_addr;
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ if ($$.f == AF_INET6)
+ yyerror("incorrect inet6 mask");
+ }
+ | hostname mask ipaddr { bzero(&$$, sizeof($$));
+ if ($1.f != $3.f) {
+ yyerror("2.address family "
+ "mismatch");
+ }
+ $$.a = $1.a;
+ $$.m = $3.a;
+ $$.t = FRI_NORMAL;
+ $$.a.i6[0] &= $$.m.i6[0];
+ $$.a.i6[1] &= $$.m.i6[1];
+ $$.a.i6[2] &= $$.m.i6[2];
+ $$.a.i6[3] &= $$.m.i6[3];
+ $$.f = $1.f;
+ $$.v = ftov($1.f);
+ yyexpectaddr = 0;
+ }
+ | hostname mask hexnumber { bzero(&$$, sizeof($$));
+ $$.a = $1.a;
+ $$.m.in4.s_addr = htonl($3);
+ $$.t = FRI_NORMAL;
+ $$.a.in4.s_addr &= $$.m.in4.s_addr;
+ $$.f = AF_INET;
+ $$.v = 4;
+ }
+ | pool slash YY_NUMBER { bzero(&$$, sizeof($$));
+ $$.a.iplookupnum = $3;
+ $$.a.iplookuptype = IPLT_POOL;
+ $$.a.iplookupsubtype = 0;
+ $$.t = FRI_LOOKUP;
+ }
+ | pool slash YY_STR { bzero(&$$, sizeof($$));
+ $$.a.iplookupname = addname(&nat,$3);
+ $$.a.iplookuptype = IPLT_POOL;
+ $$.a.iplookupsubtype = 1;
+ $$.t = FRI_LOOKUP;
+ }
+ | hash slash YY_NUMBER { bzero(&$$, sizeof($$));
+ $$.a.iplookupnum = $3;
+ $$.a.iplookuptype = IPLT_HASH;
+ $$.a.iplookupsubtype = 0;
+ $$.t = FRI_LOOKUP;
+ }
+ | hash slash YY_STR { bzero(&$$, sizeof($$));
+ $$.a.iplookupname = addname(&nat,$3);
+ $$.a.iplookuptype = IPLT_HASH;
+ $$.a.iplookupsubtype = 1;
+ $$.t = FRI_LOOKUP;
+ }
;
-addr: IPNY_ANY { $$.a.s_addr = 0; $$.m.s_addr = 0; }
- | nummask { $$.a = $1.a; $$.m = $1.m;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
+slash: '/' { yyexpectaddr = 0; }
;
-nummask:
- hostname { $$.a = $1;
- $$.m.s_addr = 0xffffffff; }
- | hostname '/' YY_NUMBER { $$.a = $1;
- ntomask(4, $3, &$$.m.s_addr); }
+mask: IPNY_MASK { yyexpectaddr = 0; }
;
+pool: IPNY_POOL { if (!(nat->in_flags & IPN_FILTER)) {
+ yyerror("Can only use pool with from/to rules\n");
+ }
+ yyexpectaddr = 0;
+ yyresetdict();
+ }
+ ;
+
+hash: IPNY_HASH { if (!(nat->in_flags & IPN_FILTER)) {
+ yyerror("Can only use hash with from/to rules\n");
+ }
+ yyexpectaddr = 0;
+ yyresetdict();
+ }
+ ;
+
portstuff:
- compare portspec { $$.pc = $1; $$.p1 = $2; }
+ compare portspec { $$.pc = $1; $$.p1 = $2; $$.p2 = 0; }
| portspec range portspec { $$.pc = $2; $$.p1 = $1; $$.p2 = $3; }
;
mapoptions:
- rr frag age mssclamp nattag setproto
+ rr frag age mssclamp nattag setproto purge
;
rdroptions:
- rr frag age sticky mssclamp rdrproxy nattag
+ rr frag age sticky mssclamp rdrproxy nattag purge
;
nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
sizeof(nat->in_tag.ipt_tag));
}
-
rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
;
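Review bot: The `hostname mask hexnumber` alternative of `addr` forces `$$.f = AF_INET` and `$$.v = 4` without consulting `$1.f`, while the parallel `hostname slash hexnumber` alternative keeps `$1.f` and reports `incorrect inet6 mask` for an IPv6 host, so the same IPv6 hostname is rejected with one spelling of the mask and silently reinterpreted as a 32-bit address with the other; making the second branch `$$.f = $1.f; $$.v = ftov($1.f); if ($$.f == AF_INET6) yyerror("incorrect inet6 mask");` gives both spellings the same diagnostic. Neither hex-mask branch resets `yyexpectaddr`, unlike every other `addr` alternative. Separately, the `pool slash YY_STR` and `hash slash YY_STR` actions here (and `IPNY_DSTLIST '/' YY_STR` in the `erhdaddr` rule earlier in the diff) hand the lexer string to `addname()`, which copies it, but never `free($3)`, whereas `ifname`, `otherifname` and `rdrproxy` do free theirs.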
@@ -536,9 +1085,9 @@
nat->in_age[1] = $4; }
;
-sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
+sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
!(nat->in_flags & IPN_SPLIT)) {
- fprintf(stderr,
+ FPRINTF(stderr,
"'sticky' for use with round-robin/IP splitting only\n");
} else
nat->in_flags |= IPN_STICKY;
@@ -549,32 +1098,49 @@
| IPNY_MSSCLAMP YY_NUMBER { nat->in_mssclamp = $2; }
;
-tcpudp: | IPNY_TCP { setnatproto(IPPROTO_TCP); }
+tcpudp: IPNY_TCP { setnatproto(IPPROTO_TCP); }
| IPNY_UDP { setnatproto(IPPROTO_UDP); }
| IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
| IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
+ nat->in_pr[0] = 0;
+ nat->in_pr[1] = 0;
}
;
+sequential:
+ | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
+ ;
+
+purge:
+ | IPNY_PURGE { nat->in_flags |= IPN_PURGE; }
+ ;
+
rdrproxy:
IPNY_PROXY YY_STR
- { strncpy(nat->in_plabel, $2,
- sizeof(nat->in_plabel));
- nat->in_dport = nat->in_pnext;
- nat->in_dport = htons(nat->in_dport);
+ { int pos;
+ pos = addname(&nat, $2);
+ nat->in_plabel = pos;
+ nat->in_odport = nat->in_dpnext;
+ nat->in_dtop = nat->in_odport;
free($2);
}
- | proxy { if (nat->in_plabel[0] != '\0') {
- nat->in_pmin = nat->in_dport;
- nat->in_pmax = nat->in_pmin;
- nat->in_pnext = nat->in_pmin;
- }
- }
+ | proxy { if (nat->in_plabel != -1) {
+ nat->in_ndport = nat->in_odport;
+ nat->in_dpmin = nat->in_odport;
+ nat->in_dpmax = nat->in_dpmin;
+ nat->in_dtop = nat->in_dpmin;
+ nat->in_dpnext = nat->in_dpmin;
+ }
+ }
;
+newopts:
+ | IPNY_PURGE { nat->in_flags |= IPN_PURGE; }
+ ;
+
proto: YY_NUMBER { $$ = $1;
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
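Review bot: In the `IPNY_PROXY YY_STR` action the result of `addname(&nat, $2)` goes straight into `nat->in_plabel` without a check; `addname()` returns -1 when its realloc fails, and because `newnatrule()` initialises `in_plabel` to -1 as "no proxy", the rule is then loaded without its proxy label and without any message. Adding `if (pos == -1) yyerror("cannot record proxy label");` before the assignment keeps the failure visible. The `newopts` rule added at the end of the hunk is a verbatim copy of `purge`; if nothing in the grammar references `newopts`, dropping it avoids the two drifting apart.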
@@ -582,7 +1148,10 @@
}
| IPNY_TCP { $$ = IPPROTO_TCP; }
| IPNY_UDP { $$ = IPPROTO_UDP; }
- | YY_STR { $$ = getproto($1); free($1);
+ | YY_STR { $$ = getproto($1);
+ free($1);
+ if ($$ == -1)
+ yyerror("unknown protocol");
if ($$ != IPPROTO_TCP &&
$$ != IPPROTO_UDP)
suggest_port = 0;
@@ -594,14 +1163,42 @@
;
hostname:
- YY_STR { if (gethost($1, &$$.s_addr) == -1)
- fprintf(stderr,
+ YY_STR { i6addr_t addr;
+ int family;
+
+#ifdef USE_INET6
+ if (nat->in_v[0] == 6)
+ family = AF_INET6;
+ else
+#endif
+ family = AF_INET;
+ memset(&($$), 0, sizeof($$));
+ memset(&addr, 0, sizeof(addr));
+ $$.f = family;
+ if (gethost(family, $1,
+ &addr) == 0) {
+ $$.a = addr;
+ } else {
+ FPRINTF(stderr,
"Unknown host '%s'\n",
$1);
+ }
free($1);
}
- | YY_NUMBER { $$.s_addr = htonl($1); }
- | ipv4 { $$.s_addr = $1.s_addr; }
+ | YY_NUMBER { memset(&($$), 0, sizeof($$));
+ $$.a.in4.s_addr = htonl($1);
+ if ($$.a.in4.s_addr != 0)
+ $$.f = AF_INET;
+ }
+ | ipv4 { $$ = $1; }
+ | YY_IPV6 { memset(&($$), 0, sizeof($$));
+ $$.a = $1;
+ $$.f = AF_INET6;
+ }
+ | YY_NUMBER YY_IPV6 { memset(&($$), 0, sizeof($$));
+ $$.a = $2;
+ $$.f = AF_INET6;
+ }
;
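Review bot: When `gethost(family, $1, &addr)` fails, the `YY_STR` alternative of `hostname` only prints `Unknown host` to stderr and returns a zeroed address with `$$.f` still set, so the rule is built and loaded with an address the operator never wrote instead of being rejected. Unless `FPRINTF` also sets `parser_error` (not visible here), this should be `yyerror("unknown host")` so that `ipnat_parsesome()` reports failure. The `YY_NUMBER` alternative leaves `$$.f` at 0 for a literal `0`, which the family-mismatch checks elsewhere treat as "family unknown"; a comment such as `/* 0 means "any family"; family checks skip it */` would make that deliberate.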
compare:
@@ -619,13 +1216,21 @@
| ':' { $$ = FR_INCRANGE; }
;
+ipaddr: ipv4 { $$ = $1; }
+ | YY_IPV6 { $$.a = $1;
+ $$.f = AF_INET6;
+ }
+ ;
+
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
{ if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
yyerror("Invalid octet string for IP address");
return 0;
}
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
+ bzero((char *)&$$, sizeof($$));
+ $$.a.in4.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
+ $$.a.in4.s_addr = htonl($$.a.in4.s_addr);
+ $$.f = AF_INET;
}
;
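Review bot: `($1 << 24)` in the `ipv4` action is undefined behaviour if `YY_NUMBER` is a signed `int`, since any first octet of 128 or more shifts a bit into the sign position and the range check above does not prevent that; casting first, `$$.a.in4.s_addr = ((u_32_t)$1 << 24) | ($3 << 16) | ($5 << 8) | $7;`, keeps the arithmetic unsigned. The `return 0;` in the error branch leaves `$$` untouched and ends `yyparse()` with an accept status, which is only safe if `yyerror()` sets `parser_error` before returning — worth confirming.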
@@ -632,27 +1237,56 @@
%%
+static wordtab_t proxies[] = {
+ { "dns", IPNY_DNS }
+};
+
+static wordtab_t dnswords[] = {
+ { "allow", IPNY_ALLOW },
+ { "block", IPNY_DENY },
+ { "deny", IPNY_DENY },
+ { "drop", IPNY_DENY },
+ { "pass", IPNY_ALLOW },
+
+};
+
static wordtab_t yywords[] = {
{ "age", IPNY_AGE },
{ "any", IPNY_ANY },
{ "auto", IPNY_AUTO },
{ "bimap", IPNY_BIMAP },
+ { "config", IPNY_CONFIG },
+ { "divert", IPNY_DIVERT },
+ { "dst", IPNY_DST },
+ { "dstlist", IPNY_DSTLIST },
{ "frag", IPNY_FRAG },
{ "from", IPNY_FROM },
+ { "hash", IPNY_HASH },
{ "icmpidmap", IPNY_ICMPIDMAP },
+ { "in", IPNY_IN },
+ { "inet", IPNY_INET },
+ { "inet6", IPNY_INET6 },
{ "mask", IPNY_MASK },
{ "map", IPNY_MAP },
{ "map-block", IPNY_MAPBLOCK },
{ "mssclamp", IPNY_MSSCLAMP },
{ "netmask", IPNY_MASK },
+ { "no", IPNY_NO },
+ { "on", IPNY_ON },
+ { "out", IPNY_OUT },
+ { "pool", IPNY_POOL },
{ "port", IPNY_PORT },
{ "portmap", IPNY_PORTMAP },
{ "ports", IPNY_PORTS },
+ { "proto", IPNY_PROTO },
{ "proxy", IPNY_PROXY },
+ { "purge", IPNY_PURGE },
{ "range", IPNY_RANGE },
+ { "rewrite", IPNY_REWRITE },
{ "rdr", IPNY_RDR },
{ "round-robin",IPNY_ROUNDROBIN },
{ "sequential", IPNY_SEQUENTIAL },
+ { "src", IPNY_SRC },
{ "sticky", IPNY_STICKY },
{ "tag", IPNY_TAG },
{ "tcp", IPNY_TCP },
@@ -671,15 +1305,19 @@
};
-int ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-char *filename;
+int
+ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
+ int fd;
+ addfunc_t addfunc;
+ ioctlfunc_t ioctlfunc;
+ char *filename;
{
FILE *fp = NULL;
+ int rval;
char *s;
+ yylineNum = 1;
+
(void) yysettab(yywords);
s = getenv("YYDEBUG");
@@ -691,7 +1329,7 @@
if (strcmp(filename, "-")) {
fp = fopen(filename, "r");
if (!fp) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
+ FPRINTF(stderr, "fopen(%s) failed: %s\n", filename,
STRERROR(errno));
return -1;
}
@@ -698,38 +1336,42 @@
} else
fp = stdin;
- while (ipnat_parsesome(fd, addfunc, ioctlfunc, fp) == 1)
+ while ((rval = ipnat_parsesome(fd, addfunc, ioctlfunc, fp)) == 0)
;
if (fp != NULL)
fclose(fp);
- return 0;
+ if (rval == -1)
+ rval = 0;
+ else if (rval != 0)
+ rval = 1;
+ return rval;
}
-int ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-FILE *fp;
+int
+ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
+ int fd;
+ addfunc_t addfunc;
+ ioctlfunc_t ioctlfunc;
+ FILE *fp;
{
char *s;
int i;
- yylineNum = 1;
-
natfd = fd;
+ parser_error = 0;
nataddfunc = addfunc;
natioctlfunc = ioctlfunc;
if (feof(fp))
- return 0;
+ return -1;
i = fgetc(fp);
if (i == EOF)
- return 0;
+ return -1;
if (ungetc(i, fp) == EOF)
- return 0;
+ return -1;
if (feof(fp))
- return 0;
+ return -1;
s = getenv("YYDEBUG");
if (s)
yydebug = atoi(s);
@@ -738,11 +1380,12 @@
yyin = fp;
yyparse();
- return 1;
+ return parser_error;
}
-static void newnatrule()
+static void
+newnatrule()
{
ipnat_t *n;
@@ -750,21 +1393,32 @@
if (n == NULL)
return;
- if (nat == NULL)
+ if (nat == NULL) {
nattop = nat = n;
- else {
+ n->in_pnext = &nattop;
+ } else {
nat->in_next = n;
+ n->in_pnext = &nat->in_next;
nat = n;
}
+ n->in_flineno = yylineNum;
+ n->in_ifnames[0] = -1;
+ n->in_ifnames[1] = -1;
+ n->in_plabel = -1;
+ n->in_pconfig = -1;
+ n->in_size = sizeof(*n);
+
suggest_port = 0;
}
-static void setnatproto(p)
-int p;
+static void
+setnatproto(p)
+ int p;
{
- nat->in_p = p;
+ nat->in_pr[0] = p;
+ nat->in_pr[1] = p;
switch (p)
{
@@ -776,14 +1430,21 @@
nat->in_flags |= IPN_UDP;
nat->in_flags &= ~IPN_TCP;
break;
+#ifdef USE_INET6
+ case IPPROTO_ICMPV6 :
+#endif
case IPPROTO_ICMP :
nat->in_flags &= ~IPN_TCPUDP;
- if (!(nat->in_flags & IPN_ICMPQUERY)) {
+ if (!(nat->in_flags & IPN_ICMPQUERY) &&
+ !(nat->in_redir & NAT_DIVERTUDP)) {
nat->in_dcmp = 0;
nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
+ nat->in_dpmin = 0;
+ nat->in_dpmax = 0;
+ nat->in_dpnext = 0;
+ nat->in_spmin = 0;
+ nat->in_spmax = 0;
+ nat->in_spnext = 0;
}
break;
default :
@@ -791,22 +1452,36 @@
nat->in_flags &= ~IPN_TCPUDP;
nat->in_dcmp = 0;
nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
+ nat->in_dpmin = 0;
+ nat->in_dpmax = 0;
+ nat->in_dpnext = 0;
+ nat->in_spmin = 0;
+ nat->in_spmax = 0;
+ nat->in_spnext = 0;
}
break;
}
+ if ((nat->in_flags & (IPN_TCP|IPN_UDP)) == 0) {
+ nat->in_stop = 0;
+ nat->in_dtop = 0;
+ nat->in_osport = 0;
+ nat->in_odport = 0;
+ nat->in_stop = 0;
+ nat->in_osport = 0;
+ nat->in_dtop = 0;
+ nat->in_odport = 0;
+ }
if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT)
nat->in_flags &= ~IPN_FIXEDDPORT;
}
-void ipnat_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
+int
+ipnat_addrule(fd, ioctlfunc, ptr)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ void *ptr;
{
ioctlcmd_t add, del;
ipfobj_t obj;
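Review bot: The block added after the `switch` in `setnatproto()` zeroes `in_stop`, `in_dtop`, `in_osport` and `in_odport` twice each (the four lines from `nat->in_stop = 0;` to `nat->in_odport = 0;` repeat verbatim); the duplicate assignments should be removed. A one-line why-comment, e.g. `/* port fields only apply to TCP/UDP rules */`, would explain the `(IPN_TCP|IPN_UDP) == 0` condition. The `switch` itself starts in the previous hunk.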
@@ -815,11 +1490,9 @@
ipn = ptr;
bzero((char *)&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(ipnat_t);
+ obj.ipfo_size = ipn->in_size;
obj.ipfo_type = IPFOBJ_IPNAT;
obj.ipfo_ptr = ptr;
- add = 0;
- del = 0;
if ((opts & OPT_DONOTHING) != 0)
fd = -1;
@@ -826,9 +1499,10 @@
if (opts & OPT_ZERORULEST) {
add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = SIOCADNAT;
- del = SIOCRMNAT;
+ del = 0;
+ } else if (opts & OPT_PURGE) {
+ add = 0;
+ del = SIOCPURGENAT;
} else {
add = SIOCADNAT;
del = SIOCRMNAT;
@@ -838,26 +1512,25 @@
printnat(ipn, opts);
if (opts & OPT_DEBUG)
- binprint(ipn, sizeof(*ipn));
+ binprint(ipn, ipn->in_size);
if ((opts & OPT_ZERORULEST) != 0) {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(zero nat rule)",
+ ipn->in_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
} else {
-#ifdef USE_QUAD_T
-/*
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-*/
+ PRINTF("hits %lu ", ipn->in_hits);
+#ifdef USE_QUAD_T
+ PRINTF("bytes %"PRIu64" ",
+ ipn->in_bytes[0] + ipn->in_bytes[1]);
#else
-/*
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-*/
+ PRINTF("bytes %lu ",
+ ipn->in_bytes[0] + ipn->in_bytes[1]);
#endif
printnat(ipn, opts);
}
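Review bot: The error paths in `ipnat_addrule()` format into a fixed `char msg[80]` with `sprintf`; the current strings fit, but the add/insert path in the next hunk appends a second `sprintf(msg + strlen(msg), ...)` and `proxy_loadconfig()` repeats the pattern, so `snprintf(msg, sizeof(msg), ...)` in each place (and `snprintf(msg + strlen(msg), sizeof(msg) - strlen(msg), ...)` for the append) would keep any later change to the text from overrunning the buffer. `PRINTF("hits %lu ", ipn->in_hits)` assumes `in_hits` is an `unsigned long`; if it is a fixed-width type it needs the matching `PRI` macro, as the `bytes` line already uses under `USE_QUAD_T`.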
@@ -864,16 +1537,249 @@
} else if ((opts & OPT_REMOVE) != 0) {
if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete nat rule)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(delete nat rule)",
+ ipn->in_flineno);
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
} else {
if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert nat rule)");
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(add/insert nat rule)",
+ ipn->in_flineno);
+ if (errno == EEXIST) {
+ sprintf(msg + strlen(msg), "(line %d)",
+ ipn->in_flineno);
+ }
+ return ipf_perror_fd(fd, ioctlfunc, msg);
}
}
}
+ return 0;
}
+
+
+static void
+setmapifnames()
+{
+ if (nat->in_ifnames[1] == -1)
+ nat->in_ifnames[1] = nat->in_ifnames[0];
+
+ if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0)
+ nat->in_flags |= IPN_TCPUDP;
+
+ if ((nat->in_flags & IPN_TCPUDP) == 0)
+ setnatproto(nat->in_pr[1]);
+
+ if (((nat->in_redir & NAT_MAPBLK) != 0) ||
+ ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
+ nat_setgroupmap(nat);
+}
+
+
+static void
+setrdrifnames()
+{
+ if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0)
+ nat->in_flags |= IPN_TCPUDP;
+
+ if ((nat->in_pr[0] == 0) && ((nat->in_flags & IPN_TCPUDP) == 0) &&
+ (nat->in_dpmin != 0 || nat->in_dpmax != 0 || nat->in_dpnext != 0))
+ setnatproto(IPPROTO_TCP);
+
+ if (nat->in_ifnames[1] == -1)
+ nat->in_ifnames[1] = nat->in_ifnames[0];
+}
+
+
+static void
+proxy_setconfig(proxy)
+ int proxy;
+{
+ if (proxy == IPNY_DNS) {
+ yysetfixeddict(dnswords);
+ }
+}
+
+
+static void
+proxy_unsetconfig()
+{
+ yyresetdict();
+}
+
+
+static namelist_t *
+proxy_dns_add_pass(prefix, name)
+ char *prefix, *name;
+{
+ namelist_t *n;
+
+ n = calloc(1, sizeof(*n));
+ if (n != NULL) {
+ if (prefix == NULL || *prefix == '\0') {
+ n->na_name = strdup(name);
+ } else {
+ n->na_name = malloc(strlen(name) + strlen(prefix) + 1);
+ strcpy(n->na_name, prefix);
+ strcat(n->na_name, name);
+ }
+ }
+ return n;
+}
+
+
+static namelist_t *
+proxy_dns_add_block(prefix, name)
+ char *prefix, *name;
+{
+ namelist_t *n;
+
+ n = calloc(1, sizeof(*n));
+ if (n != NULL) {
+ if (prefix == NULL || *prefix == '\0') {
+ n->na_name = strdup(name);
+ } else {
+ n->na_name = malloc(strlen(name) + strlen(prefix) + 1);
+ strcpy(n->na_name, prefix);
+ strcat(n->na_name, name);
+ }
+ n->na_value = 1;
+ }
+ return n;
+}
+
+
+static void
+proxy_addconfig(proxy, proto, conf, list)
+ char *proxy, *conf;
+ int proto;
+ namelist_t *list;
+{
+ proxyrule_t *pr;
+
+ pr = calloc(1, sizeof(*pr));
+ if (pr != NULL) {
+ pr->pr_proto = proto;
+ pr->pr_proxy = proxy;
+ pr->pr_conf = conf;
+ pr->pr_names = list;
+ pr->pr_next = prules;
+ prules = pr;
+ }
+}
+
+
+static void
+proxy_loadrules(fd, ioctlfunc, rules)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ proxyrule_t *rules;
+{
+ proxyrule_t *pr;
+
+ while ((pr = rules) != NULL) {
+ proxy_loadconfig(fd, ioctlfunc, pr->pr_proxy, pr->pr_proto,
+ pr->pr_conf, pr->pr_names);
+ rules = pr->pr_next;
+ free(pr->pr_conf);
+ free(pr);
+ }
+}
+
+
+static void
+proxy_loadconfig(fd, ioctlfunc, proxy, proto, conf, list)
+ int fd;
+ ioctlfunc_t ioctlfunc;
+ char *proxy, *conf;
+ int proto;
+ namelist_t *list;
+{
+ namelist_t *na;
+ ipfobj_t obj;
+ ap_ctl_t pcmd;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_PROXYCTL;
+ obj.ipfo_size = sizeof(pcmd);
+ obj.ipfo_ptr = &pcmd;
+
+ while ((na = list) != NULL) {
+ if ((opts & OPT_REMOVE) != 0)
+ pcmd.apc_cmd = APC_CMD_DEL;
+ else
+ pcmd.apc_cmd = APC_CMD_ADD;
+ pcmd.apc_dsize = strlen(na->na_name) + 1;
+ pcmd.apc_data = na->na_name;
+ pcmd.apc_arg = na->na_value;
+ pcmd.apc_p = proto;
+
+ strncpy(pcmd.apc_label, proxy, APR_LABELLEN);
+ pcmd.apc_label[APR_LABELLEN - 1] = '\0';
+
+ strncpy(pcmd.apc_config, conf, APR_LABELLEN);
+ pcmd.apc_config[APR_LABELLEN - 1] = '\0';
+
+ if ((*ioctlfunc)(fd, SIOCPROXY, (void *)&obj) == -1) {
+ if ((opts & OPT_DONOTHING) == 0) {
+ char msg[80];
+
+ sprintf(msg, "%d:ioctl(add/remove proxy rule)",
+ yylineNum);
+ ipf_perror_fd(fd, ioctlfunc, msg);
+ return;
+ }
+ }
+
+ list = na->na_next;
+ free(na->na_name);
+ free(na);
+ }
+}
+
+
+static void
+setifname(np, idx, name)
+ ipnat_t **np;
+ int idx;
+ char *name;
+{
+ int pos;
+
+ pos = addname(np, name);
+ if (pos == -1)
+ return;
+ (*np)->in_ifnames[idx] = pos;
+}
+
+
+static int
+addname(np, name)
+ ipnat_t **np;
+ char *name;
+{
+ ipnat_t *n;
+ int nlen;
+ int pos;
+
+ nlen = strlen(name) + 1;
+ n = realloc(*np, (*np)->in_size + nlen);
+ if (*np == nattop)
+ nattop = n;
+ *np = n;
+ if (n == NULL)
+ return -1;
+ if (n->in_pnext != NULL)
+ *n->in_pnext = n;
+ n->in_size += nlen;
+ pos = n->in_namelen;
+ n->in_namelen += nlen;
+ strcpy(n->in_names + pos, name);
+ n->in_names[n->in_namelen] = '\0';
+ return pos;
+}
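Review bot: `addname()` overwrites `*np` (and `nattop`) with the result of `realloc()` before checking it, so on allocation failure the old rule block is leaked and every later `nat->...` access in the grammar actions dereferences a null pointer; move `if (n == NULL) return -1;` to directly after the `realloc()` call, ahead of `nattop = n;` and `*np = n;`, so the caller's pointer keeps referring to the still-valid old block. The trailing `n->in_names[n->in_namelen] = '\0';` stores one byte past the `nlen` bytes just added, which is in bounds only if `sizeof(*n)` already reserves a spare byte for `in_names` — worth confirming against the `ipnat_t` definition. `proxy_dns_add_pass()` and `proxy_dns_add_block()` differ only in `na_value = 1` and neither checks the `strdup()`/`malloc()` result before `strcpy()`; a shared helper taking the value as a parameter would fix both at once. `proxy_loadconfig()` returns on the first ioctl failure without freeing the remaining list entries, and `proxy_loadrules()` frees `pr_conf` but not `pr_proxy`, so the ownership of `pr_proxy` deserves a comment on `proxy_addconfig()`.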
Modified: trunk/contrib/ipfilter/tools/ippool.c
===================================================================
--- trunk/contrib/ipfilter/tools/ippool.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ippool.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ippool.c 318206 2017-05-12 02:32:01Z cy $ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -15,7 +15,7 @@
#include <sys/ioctl.h>
#include <net/if.h>
-#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/in.h>
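Review bot: Dropping `defined(__MidnightBSD__)` from the `net/if_var.h` guard makes the include depend solely on `__FreeBSD_version >= 300000`; in the tree this hunk lands in that is only correct if the build defines `__FreeBSD_version`, which is not visible here. If it does not, the header is silently skipped, so either keep the MidnightBSD test or add a comment stating why the FreeBSD version macro is sufficient.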
@@ -61,41 +61,48 @@
int poolstats __P((int, char *[]));
int gettype __P((char *, u_int *));
int getrole __P((char *));
-int setnodeaddr __P((ip_pool_node_t *node, char *arg));
-void showpools_live __P((int, int, ip_pool_stat_t *, char *));
+int setnodeaddr __P((int, int, void *ptr, char *arg));
+void showpools_live __P((int, int, ipf_pool_stat_t *, char *));
void showhashs_live __P((int, int, iphtstat_t *, char *));
+void showdstls_live __P((int, int, ipf_dstl_stat_t *, char *));
int opts = 0;
int fd = -1;
int use_inet6 = 0;
+wordtab_t *pool_fields = NULL;
+int nohdrfields = 0;
-void usage(prog)
-char *prog;
+void
+usage(prog)
+ char *prog;
{
fprintf(stderr, "Usage:\t%s\n", prog);
- fprintf(stderr, "\t\t\t-a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-f <file> [-dnuv]\n");
- fprintf(stderr, "\t\t\t-F [-dv] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-l [-dv] [-m <name>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-s [-dtv] [-M <core>] [-N <namelist>]\n");
+ fprintf(stderr, "\t-a [-dnv] [-m <name>] [-o <role>] [-t type] [-T ttl] -i <ipaddr>[/netmask]\n");
+ fprintf(stderr, "\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n");
+ fprintf(stderr, "\t-f <file> [-dnuv]\n");
+ fprintf(stderr, "\t-F [-dv] [-o <role>] [-t <type>]\n");
+ fprintf(stderr, "\t-l [-dv] [-m <name>] [-t <type>] [-O <fields>]\n");
+ fprintf(stderr, "\t-r [-dnv] [-m <name>] [-o <role>] [-t type] -i <ipaddr>[/netmask]\n");
+ fprintf(stderr, "\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n");
+ fprintf(stderr, "\t-s [-dtv] [-M <core>] [-N <namelist>]\n");
exit(1);
}
-int main(argc, argv)
-int argc;
-char *argv[];
+int
+main(argc, argv)
+ int argc;
+ char *argv[];
{
- int err;
+ int err = 1;
if (argc < 2)
usage(argv[0]);
- switch (getopt(argc, argv, "aAf:FlrRs"))
+ assigndefined(getenv("IPPOOL_PREDEFINED"));
+
+ switch (getopt(argc, argv, "aAf:FlnrRsv"))
{
case 'a' :
err = poolnodecommand(0, argc, argv);
@@ -112,6 +119,9 @@
case 'l' :
err = poollist(argc, argv);
break;
+ case 'n' :
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
+ break;
case 'r' :
err = poolnodecommand(1, argc, argv);
break;
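Review bot: `-n` here (and `-v` in the next hunk) is handled by the top-level `switch (getopt(argc, argv, "aAf:FlnrRsv"))`, which reads only the first option to pick a command; a leading `-n` sets `opts` and breaks out with `err` still at its initial 1, so `ippool -n -l` would presumably fail without listing anything (the code after the switch is outside this diff). Every subcommand already accepts `-n` and `-v` in its own `getopt()` string, so the simpler fix is to drop these two cases from the dispatch switch, or to keep calling `getopt()` until a command letter arrives.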
@@ -121,6 +131,9 @@
case 's' :
err = poolstats(argc, argv);
break;
+ case 'v' :
+ opts |= OPT_VERBOSE;
+ break;
default :
exit(1);
}
@@ -131,19 +144,23 @@
}
-int poolnodecommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
+int
+poolnodecommand(remove, argc, argv)
+ int remove, argc;
+ char *argv[];
{
- int err, c, ipset, role;
+ int err = 0, c, ipset, role, type = IPLT_POOL, ttl = 0;
char *poolname = NULL;
- ip_pool_node_t node;
+ ip_pool_node_t pnode;
+ iphtent_t hnode;
+ void *ptr = &pnode;
ipset = 0;
role = IPL_LOGIPF;
- bzero((char *)&node, sizeof(node));
+ bzero((char *)&pnode, sizeof(pnode));
+ bzero((char *)&hnode, sizeof(hnode));
- while ((c = getopt(argc, argv, "di:m:no:Rv")) != -1)
+ while ((c = getopt(argc, argv, "di:m:no:Rt:T:v")) != -1)
switch (c)
{
case 'd' :
@@ -151,7 +168,7 @@
ippool_yydebug++;
break;
case 'i' :
- if (setnodeaddr(&node, optarg) == 0)
+ if (setnodeaddr(type, role, ptr, optarg) == 0)
ipset = 1;
break;
case 'm' :
@@ -158,9 +175,14 @@
poolname = optarg;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'o' :
+ if (ipset == 1) {
+ fprintf(stderr,
+ "cannot set role after ip address\n");
+ return -1;
+ }
role = getrole(optarg);
if (role == IPL_LOGNONE)
return -1;
@@ -168,6 +190,32 @@
case 'R' :
opts |= OPT_NORESOLVE;
break;
+ case 't' :
+ if (ipset == 1) {
+ fprintf(stderr,
+ "cannot set type after ip address\n");
+ return -1;
+ }
+ type = gettype(optarg, NULL);
+ switch (type) {
+ case IPLT_NONE :
+ fprintf(stderr, "unknown type '%s'\n", optarg);
+ return -1;
+ case IPLT_HASH :
+ ptr = &hnode;
+ break;
+ case IPLT_POOL :
+ default :
+ break;
+ }
+ break;
+ case 'T' :
+ ttl = atoi(optarg);
+ if (ttl < 0) {
+ fprintf(stderr, "cannot set negative ttl\n");
+ return -1;
+ }
+ break;
case 'v' :
opts |= OPT_VERBOSE;
break;
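Review bot: `ttl = atoi(optarg)` accepts any string, so `-T abc` or `-T 12x` silently becomes a TTL of 0 or 12; `strtol()` with an end-pointer check (`if (*end != '\0' || ttl < 0)`) reports the bad argument the way the negative check already does. In the `-t` handling, `gettype(optarg, NULL)` passes a null second argument where the original caller supplied `&iph.iph_type`, which is fine only if `gettype()` tolerates NULL — not visible here. The `switch (type)` also sends every type other than `IPLT_HASH` to `ptr = &pnode`, so a type that is neither pool nor hash is parsed as a pool node and then hits the `default: break;` in the command switch of a later hunk, returning `err = 0`; rejecting such types here with the same `unknown type` message avoids reporting success for work that was not done.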
@@ -174,7 +222,7 @@
}
if (argv[optind] != NULL && ipset == 0) {
- if (setnodeaddr(&node, argv[optind]) == 0)
+ if (setnodeaddr(type, role, ptr, argv[optind]) == 0)
ipset = 1;
}
@@ -191,17 +239,30 @@
return -1;
}
- if (remove == 0)
- err = load_poolnode(0, poolname, &node, ioctl);
- else
- err = remove_poolnode(0, poolname, &node, ioctl);
+ switch (type) {
+ case IPLT_POOL :
+ if (remove == 0)
+ err = load_poolnode(role, poolname, &pnode, ttl, ioctl);
+ else
+ err = remove_poolnode(role, poolname, &pnode, ioctl);
+ break;
+ case IPLT_HASH :
+ if (remove == 0)
+ err = load_hashnode(role, poolname, &hnode, ttl, ioctl);
+ else
+ err = remove_hashnode(role, poolname, &hnode, ioctl);
+ break;
+ default :
+ break;
+ }
return err;
}
-int poolcommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
+int
+poolcommand(remove, argc, argv)
+ int remove, argc;
+ char *argv[];
{
int type, role, c, err;
char *poolname;
@@ -216,7 +277,7 @@
bzero((char *)&iph, sizeof(iph));
bzero((char *)&pool, sizeof(pool));
- while ((c = getopt(argc, argv, "dm:no:RSt:v")) != -1)
+ while ((c = getopt(argc, argv, "dm:no:RSv")) != -1)
switch (c)
{
case 'd' :
@@ -227,7 +288,7 @@
poolname = optarg;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'o' :
role = getrole(optarg);
@@ -242,13 +303,6 @@
case 'S' :
iph.iph_seed = atoi(optarg);
break;
- case 't' :
- type = gettype(optarg, &iph.iph_type);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
case 'v' :
opts |= OPT_VERBOSE;
break;
@@ -262,6 +316,12 @@
return -1;
}
+ type = gettype(argv[optind], &iph.iph_type);
+ if (type == IPLT_NONE) {
+ fprintf(stderr, "unknown type '%s'\n", argv[optind]);
+ return -1;
+ }
+
if (type == IPLT_HASH) {
strncpy(iph.iph_name, poolname, sizeof(iph.iph_name));
iph.iph_name[sizeof(iph.iph_name) - 1] = '\0';
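Review bot: `gettype(argv[optind], &iph.iph_type)` now takes the type from a positional argument in place of the removed `-t` option, but nothing in this hunk guards against `argv[optind]` being NULL when the argument is omitted; if the check just above only validates `poolname`, a missing type is passed into `gettype()` rather than reported. A guard such as `if (argv[optind] == NULL) { fprintf(stderr, "missing pool type\n"); return -1; }` before the call closes that. The `-A` and `-R` lines of `usage()` earlier in the diff still advertise `[-t <type>]` even though `poolcommand()`'s `getopt()` string no longer contains `t:`, so the usage text should be updated to show the positional type.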
@@ -297,9 +357,10 @@
}
-int loadpoolfile(argc, argv, infile)
-int argc;
-char *argv[], *infile;
+int
+loadpoolfile(argc, argv, infile)
+ int argc;
+ char *argv[], *infile;
{
int c;
@@ -313,7 +374,7 @@
ippool_yydebug++;
break;
case 'n' :
- opts |= OPT_DONOTHING;
+ opts |= OPT_DONOTHING|OPT_DONTOPEN;
break;
case 'R' :
opts |= OPT_NORESOLVE;
@@ -329,7 +390,7 @@
if (opts & OPT_DEBUG)
fprintf(stderr, "loadpoolfile: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -343,12 +404,14 @@
}
-int poolstats(argc, argv)
-int argc;
-char *argv[];
+int
+poolstats(argc, argv)
+ int argc;
+ char *argv[];
{
int c, type, role, live_kernel;
- ip_pool_stat_t plstat;
+ ipf_pool_stat_t plstat;
+ ipf_dstl_stat_t dlstat;
char *kernel, *core;
iphtstat_t htstat;
iplookupop_t op;
@@ -398,7 +461,7 @@
if (opts & OPT_DEBUG)
fprintf(stderr, "poolstats: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -410,14 +473,14 @@
op.iplo_type = IPLT_POOL;
op.iplo_struct = &plstat;
op.iplo_size = sizeof(plstat);
- if (!(opts & OPT_DONOTHING)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(S0IOCLOOKUPSTAT)");
return -1;
}
- printf("Pools:\t%lu\n", plstat.ipls_pools);
- printf("Nodes:\t%lu\n", plstat.ipls_nodes);
+ printf("%lu\taddress pools\n", plstat.ipls_pools);
+ printf("%lu\taddress pool nodes\n", plstat.ipls_nodes);
}
}
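Review bot: The new error text at the first `ipferror()` call is misspelled, `ioctl(S0IOCLOOKUPSTAT)` (digit zero), while every other call in this function uses `ioctl(SIOCLOOKUPSTAT)`; a grep for the ioctl name in logs will miss this one. Change it to `ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");`.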
@@ -425,24 +488,49 @@
op.iplo_type = IPLT_HASH;
op.iplo_struct = &htstat;
op.iplo_size = sizeof(htstat);
- if (!(opts & OPT_DONOTHING)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return -1;
}
- printf("Hash Tables:\t%lu\n", htstat.iphs_numtables);
- printf("Nodes:\t%lu\n", htstat.iphs_numnodes);
- printf("Out of Memory:\t%lu\n", htstat.iphs_nomem);
+ printf("%lu\thash tables\n", htstat.iphs_numtables);
+ printf("%lu\thash table nodes\n", htstat.iphs_numnodes);
+ printf("%lu\thash table no memory \n",
+ htstat.iphs_nomem);
}
}
+
+ if (type == IPLT_ALL || type == IPLT_DSTLIST) {
+ op.iplo_type = IPLT_DSTLIST;
+ op.iplo_struct = &dlstat;
+ op.iplo_size = sizeof(dlstat);
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
+ c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+ if (c == -1) {
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
+ return -1;
+ }
+ printf("%u\tdestination lists\n",
+ dlstat.ipls_numlists);
+ printf("%u\tdestination list nodes\n",
+ dlstat.ipls_numnodes);
+ printf("%lu\tdestination list no memory\n",
+ dlstat.ipls_nomem);
+ printf("%u\tdestination list zombies\n",
+ dlstat.ipls_numdereflists);
+ printf("%u\tdesetination list node zombies\n",
+ dlstat.ipls_numderefnodes);
+ }
+ }
return 0;
}
-int poolflush(argc, argv)
-int argc;
-char *argv[];
+int
+poolflush(argc, argv)
+ int argc;
+ char *argv[];
{
int c, role, type, arg;
iplookupflush_t flush;
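Review bot: Two of the new output strings are off: `desetination list node zombies` is misspelled and `hash table no memory \n` carries a trailing blank before the newline, which scripts that split on whitespace or compare output will notice. Use `"%u\tdestination list node zombies\n"` and `"%lu\thash table no memory\n"`. The `%u`/`%lu` split between the dstlist and hash counters presumably mirrors the field types in `ipf_dstl_stat_t` and `iphtstat_t`; confirm against the headers, since a mismatch is flagged by `-Wformat` and is undefined behaviour.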
@@ -479,7 +567,7 @@
if (opts & OPT_DEBUG)
fprintf(stderr, "poolflush: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -492,14 +580,14 @@
flush.iplf_unit = role;
flush.iplf_arg = arg;
- if (!(opts & OPT_DONOTHING)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN))) {
if (ioctl(fd, SIOCLOOKUPFLUSH, &flush) == -1) {
- perror("ioctl(SIOCLOOKUPFLUSH)");
+ ipferror(fd, "ioctl(SIOCLOOKUPFLUSH)");
exit(1);
}
}
- printf("%zd object%s flushed\n", flush.iplf_count,
+ printf("%u object%s flushed\n", flush.iplf_count,
(flush.iplf_count == 1) ? "" : "s");
return 0;
@@ -506,8 +594,9 @@
}
-int getrole(rolename)
-char *rolename;
+int
+getrole(rolename)
+ char *rolename;
{
int role;
@@ -537,19 +626,20 @@
}
-int gettype(typename, minor)
-char *typename;
-u_int *minor;
+int
+gettype(typename, minor)
+ char *typename;
+ u_int *minor;
{
int type;
- if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) {
+ if (!strcasecmp(typename, "tree") || !strcasecmp(typename, "pool")) {
type = IPLT_POOL;
- } else if (!strcasecmp(optarg, "hash")) {
+ } else if (!strcasecmp(typename, "hash")) {
type = IPLT_HASH;
if (minor != NULL)
*minor = IPHASH_LOOKUP;
- } else if (!strcasecmp(optarg, "group-map")) {
+ } else if (!strcasecmp(typename, "group-map")) {
type = IPLT_HASH;
if (minor != NULL)
*minor = IPHASH_GROUPMAP;
@@ -560,9 +650,10 @@
}
-int poollist(argc, argv)
-int argc;
-char *argv[];
+int
+poollist(argc, argv)
+ int argc;
+ char *argv[];
{
char *kernel, *core, *poolname;
int c, role, type, live_kernel;
@@ -599,6 +690,9 @@
return -1;
}
break;
+ case 'O' :
+ pool_fields = parsefields(poolfields, optarg);
+ break;
case 'R' :
opts |= OPT_NORESOLVE;
break;
@@ -617,7 +711,7 @@
if (opts & OPT_DEBUG)
fprintf(stderr, "poollist: opts = %#x\n", opts);
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+ if (!(opts & (OPT_DONOTHING|OPT_DONTOPEN)) && (fd == -1)) {
fd = open(IPLOOKUP_NAME, O_RDWR);
if (fd == -1) {
perror("open(IPLOOKUP_NAME)");
@@ -640,9 +734,10 @@
}
-void poollist_dead(role, poolname, type, kernel, core)
-int role, type;
-char *poolname, *kernel, *core;
+void
+poollist_dead(role, poolname, type, kernel, core)
+ int role, type;
+ char *poolname, *kernel, *core;
{
iphtable_t *hptr;
ip_pool_t *ptr;
@@ -665,7 +760,7 @@
ptr = pools[role];
while (ptr != NULL) {
ptr = printpool(ptr, kmemcpywrap, poolname,
- opts);
+ opts, pool_fields);
}
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
@@ -672,7 +767,8 @@
ptr = pools[role];
while (ptr != NULL) {
ptr = printpool(ptr, kmemcpywrap,
- poolname, opts);
+ poolname, opts,
+ pool_fields);
}
}
role = IPL_LOGALL;
@@ -693,7 +789,7 @@
hptr = tables[role];
while (hptr != NULL) {
hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
+ poolname, opts, pool_fields);
}
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
@@ -700,7 +796,8 @@
hptr = tables[role];
while (hptr != NULL) {
hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
+ poolname, opts,
+ pool_fields);
}
}
}
@@ -708,12 +805,12 @@
}
-void poollist_live(role, poolname, type, fd)
-int role, type, fd;
-char *poolname;
+void
+poollist_live(role, poolname, type, fd)
+ int role, type, fd;
+ char *poolname;
{
- ip_pool_stat_t plstat;
- iphtstat_t htstat;
+ ipf_pool_stat_t plstat;
iplookupop_t op;
int c;
@@ -729,18 +826,18 @@
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
showpools_live(fd, role, &plstat, poolname);
} else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
+ for (role = -1; role <= IPL_LOGMAX; role++) {
op.iplo_unit = role;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
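Review bot: After this loop `role` is `IPL_LOGMAX + 1`, yet the hash and dstlist branches further down test `role != IPL_LOGALL` to choose between a single-unit query and a loop; the later hunks add an explicit `role = IPL_LOGALL;` after their own loops, but the tail of this one is outside the hunk. If the pool loop has no such reset, a `type == IPLT_ALL` listing queries the hash tables of unit `IPL_LOGMAX + 1` instead of iterating. Add `role = IPL_LOGALL;` right after the loop if it is not already there. The start at `-1` (presumably `IPL_LOGALL`) matches the `ipls_list[role + 1]` indexing added to `showpools_live()` below.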
@@ -752,6 +849,8 @@
}
if (type == IPLT_ALL || type == IPLT_HASH) {
+ iphtstat_t htstat;
+
op.iplo_type = IPLT_HASH;
op.iplo_size = sizeof(htstat);
op.iplo_struct = &htstat;
@@ -763,7 +862,7 @@
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
showhashs_live(fd, role, &htstat, poolname);
@@ -773,21 +872,57 @@
op.iplo_unit = role;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
showhashs_live(fd, role, &htstat, poolname);
}
+ role = IPL_LOGALL;
}
}
+
+ if (type == IPLT_ALL || type == IPLT_DSTLIST) {
+ ipf_dstl_stat_t dlstat;
+
+ op.iplo_type = IPLT_DSTLIST;
+ op.iplo_size = sizeof(dlstat);
+ op.iplo_struct = &dlstat;
+ op.iplo_name[0] = '\0';
+ op.iplo_arg = 0;
+
+ if (role != IPL_LOGALL) {
+ op.iplo_unit = role;
+
+ c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+ if (c == -1) {
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
+ return;
+ }
+ showdstls_live(fd, role, &dlstat, poolname);
+ } else {
+ for (role = 0; role <= IPL_LOGMAX; role++) {
+
+ op.iplo_unit = role;
+ c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+ if (c == -1) {
+ ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
+ return;
+ }
+
+ showdstls_live(fd, role, &dlstat, poolname);
+ }
+ role = IPL_LOGALL;
+ }
+ }
}
-void showpools_live(fd, role, plstp, poolname)
-int fd, role;
-ip_pool_stat_t *plstp;
-char *poolname;
+void
+showpools_live(fd, role, plstp, poolname)
+ int fd, role;
+ ipf_pool_stat_t *plstp;
+ char *poolname;
{
ipflookupiter_t iter;
ip_pool_t pool;
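Review bot: The new destination-list loop runs `role` from 0 while the pool loop above was changed to start at -1, and `showdstls_live()` indexes `dlstp->ipls_list[role]` without the `+ 1` offset used for pools; the grammar in ippool_y.y accepts `pool all/dstlist (...)`, so if `ipf_dstl_stat_t` has a slot for `IPL_LOGALL` those lists are never shown, and if it does not, starting at -1 would read before the array. The two loops should be written the same way, with the offset decided by the struct, and a comment such as `/* ipls_list has no IPL_LOGALL slot -- confirm against ip_dstlist.h */` on whichever form is right. The struct definition is not in this diff, so I cannot say which case applies.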
@@ -806,22 +941,27 @@
iter.ili_unit = role;
*iter.ili_name = '\0';
- while (plstp->ipls_list[role] != NULL) {
+ bzero((char *)&pool, sizeof(pool));
+
+ while (plstp->ipls_list[role + 1] != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
+ ipferror(fd, "ioctl(SIOCLOOKUPITER)");
break;
}
- printpool_live(&pool, fd, poolname, opts);
+ if (((pool.ipo_flags & IPOOL_DELETE) == 0) ||
+ ((opts & OPT_DEBUG) != 0))
+ printpool_live(&pool, fd, poolname, opts, pool_fields);
- plstp->ipls_list[role] = pool.ipo_next;
+ plstp->ipls_list[role + 1] = pool.ipo_next;
}
}
-void showhashs_live(fd, role, htstp, poolname)
-int fd, role;
-iphtstat_t *htstp;
-char *poolname;
+void
+showhashs_live(fd, role, htstp, poolname)
+ int fd, role;
+ iphtstat_t *htstp;
+ char *poolname;
{
ipflookupiter_t iter;
iphtable_t table;
@@ -842,11 +982,11 @@
while (htstp->iphs_tables != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
+ ipferror(fd, "ioctl(SIOCLOOKUPITER)");
break;
}
- printhash_live(&table, fd, poolname, opts);
+ printhash_live(&table, fd, poolname, opts, pool_fields);
htstp->iphs_tables = table.iph_next;
}
@@ -853,8 +993,45 @@
}
-int setnodeaddr(ip_pool_node_t *node, char *arg)
+void
+showdstls_live(fd, role, dlstp, poolname)
+ int fd, role;
+ ipf_dstl_stat_t *dlstp;
+ char *poolname;
{
+ ipflookupiter_t iter;
+ ippool_dst_t table;
+ ipfobj_t obj;
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_LOOKUPITER;
+ obj.ipfo_size = sizeof(iter);
+ obj.ipfo_ptr = &iter;
+
+ iter.ili_type = IPLT_DSTLIST;
+ iter.ili_otype = IPFLOOKUPITER_LIST;
+ iter.ili_ival = IPFGENITER_LOOKUP;
+ iter.ili_nitems = 1;
+ iter.ili_data = &table;
+ iter.ili_unit = role;
+ *iter.ili_name = '\0';
+
+ while (dlstp->ipls_list[role] != NULL) {
+ if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
+ ipferror(fd, "ioctl(SIOCLOOKUPITER)");
+ break;
+ }
+
+ printdstl_live(&table, fd, poolname, opts, pool_fields);
+
+ dlstp->ipls_list[role] = table.ipld_next;
+ }
+}
+
+
+int
+setnodeaddr(int type, int role, void *ptr, char *arg)
+{
struct in_addr mask;
char *s;
@@ -862,7 +1039,7 @@
if (s == NULL)
mask.s_addr = 0xffffffff;
else if (strchr(s, '.') == NULL) {
- if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0)
+ if (ntomask(AF_INET, atoi(s + 1), &mask.s_addr) != 0)
return -1;
} else {
mask.s_addr = inet_addr(s + 1);
@@ -869,10 +1046,33 @@
}
if (s != NULL)
*s = '\0';
- node->ipn_addr.adf_len = sizeof(node->ipn_addr);
- node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
- node->ipn_mask.adf_len = sizeof(node->ipn_mask);
- node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
+ if (type == IPLT_POOL) {
+ ip_pool_node_t *node = ptr;
+
+#ifdef USE_INET6
+ if (node->ipn_addr.adf_family == AF_INET)
+#endif
+ node->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) +
+ sizeof(struct in_addr);
+#ifdef USE_INET6
+ else
+ node->ipn_addr.adf_len = offsetof(addrfamily_t,
+ adf_addr) +
+ sizeof(struct in6_addr);
+#endif
+ node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
+ node->ipn_mask.adf_len = node->ipn_addr.adf_len;
+ node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
+ } else if (type == IPLT_HASH) {
+ iphtent_t *node = ptr;
+
+ node->ipe_addr.in4.s_addr = inet_addr(arg);
+ node->ipe_mask.in4.s_addr = mask.s_addr;
+ node->ipe_family = AF_INET;
+ node->ipe_unit = role;
+ }
+
return 0;
}
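Review bot: In the pool branch of `setnodeaddr()` the `USE_INET6` test only picks `adf_len`; the address is still parsed with `inet_addr(arg)` into `adf_addr.in4` and the mask was built with `ntomask(AF_INET, ...)` or `inet_addr(s + 1)`, so a node whose `adf_family` is AF_INET6 gets a 16-byte length with an IPv4 payload, and for IPv6 text that payload is INADDR_NONE. `inet_addr()` also returns INADDR_NONE for any unparsable text, so a typo in the address or mask is silently stored as all-ones in both the pool and hash branches. At minimum switch to `if (inet_aton(arg, &node->ipn_addr.adf_addr.in4) == 0) return -1;` (and the same for `ipe_addr.in4` and the mask), which the caller at the top of the page already treats as "address not set"; real IPv6 support needs `inet_pton()` with the family plus an IPv6 mask. The caller's hunk starts before this page.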
Modified: trunk/contrib/ipfilter/tools/ippool_y.y
===================================================================
--- trunk/contrib/ipfilter/tools/ippool_y.y 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ippool_y.y 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ippool_y.y 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -16,7 +16,7 @@
#include <sys/ioctl.h>
#include <net/if.h>
-#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000
+#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/in.h>
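Review bot: This hunk drops the local `defined(__MidnightBSD__) ||` guard in front of `#include <net/if_var.h>`, leaving only `__FreeBSD_version >= 300000`. If MidnightBSD's `<sys/param.h>` defines `__FreeBSD_version` the include is unaffected, but if it does not the header is silently skipped on the platform this tree targets, since the preprocessor treats an undefined macro as 0 rather than failing. Confirm the macro is defined here or restore the guard as `#if defined(__MidnightBSD__) || __FreeBSD_version >= 300000`.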
@@ -35,6 +35,7 @@
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
+#include "netinet/ip_dstlist.h"
#include "ippool_l.h"
#include "kmem.h"
@@ -48,11 +49,14 @@
static iphtable_t ipht;
static iphtent_t iphte;
static ip_pool_t iplo;
+static ippool_dst_t ipld;
static ioctlfunc_t poolioctl = NULL;
static char poolname[FR_GROUPLEN];
static iphtent_t *add_htablehosts __P((char *));
static ip_pool_node_t *add_poolhosts __P((char *));
+static ip_pool_node_t *read_whoisfile __P((char *));
+static void setadflen __P((addrfamily_t *));
%}
@@ -59,32 +63,38 @@
%union {
char *str;
u_32_t num;
- struct in_addr addr;
+ struct in_addr ip4;
struct alist_s *alist;
- struct in_addr adrmsk[2];
+ addrfamily_t adrmsk[2];
iphtent_t *ipe;
ip_pool_node_t *ipp;
- union i6addr ip6;
+ ipf_dstnode_t *ipd;
+ addrfamily_t ipa;
+ i6addr_t ip6;
}
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT
-%token IPT_TABLE IPT_GROUPMAP IPT_HASH
+%token <num> YY_NUMBER YY_HEX
+%token <str> YY_STR
+%token <ip6> YY_IPV6
+%token YY_COMMENT
+%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
+%token YY_RANGE_OUT YY_RANGE_IN
+%token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT IPT_ALL
+%token IPT_TABLE IPT_GROUPMAP IPT_HASH IPT_SRCHASH IPT_DSTHASH
%token IPT_ROLE IPT_TYPE IPT_TREE
-%token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME
-%type <num> role table inout
+%token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME IPT_POLICY
+%token IPT_POOL IPT_DSTLIST IPT_ROUNDROBIN
+%token IPT_WEIGHTED IPT_RANDOM IPT_CONNECTION
+%token IPT_WHOIS IPT_FILE
+%type <num> role table inout unit dstopts weighting
%type <ipp> ipftree range addrlist
%type <adrmsk> addrmask
%type <ipe> ipfgroup ipfhash hashlist hashentry
%type <ipe> groupentry setgrouplist grouplist
-%type <addr> ipaddr mask ipv4
-%type <str> number setgroup
+%type <ipa> ipaddr mask
+%type <ip4> ipv4
+%type <str> number setgroup name
+%type <ipd> dstentry dstentries dstlist
%%
file: line
@@ -93,25 +103,44 @@
| file assign
;
-line: table role ipftree eol { iplo.ipo_unit = $2;
+line: table role ipftree eol { ip_pool_node_t *n;
+ iplo.ipo_unit = $2;
iplo.ipo_list = $3;
load_pool(&iplo, poolioctl);
+ while ((n = $3) != NULL) {
+ $3 = n->ipn_next;
+ free(n);
+ }
resetlexer();
+ use_inet6 = 0;
}
- | table role ipfhash eol { ipht.iph_unit = $2;
+ | table role ipfhash eol { iphtent_t *h;
+ ipht.iph_unit = $2;
ipht.iph_type = IPHASH_LOOKUP;
load_hash(&ipht, $3, poolioctl);
+ while ((h = $3) != NULL) {
+ $3 = h->ipe_next;
+ free(h);
+ }
resetlexer();
+ use_inet6 = 0;
}
| groupmap role number ipfgroup eol
- { ipht.iph_unit = $2;
+ { iphtent_t *h;
+ ipht.iph_unit = $2;
strncpy(ipht.iph_name, $3,
sizeof(ipht.iph_name));
ipht.iph_type = IPHASH_GROUPMAP;
load_hash(&ipht, $4, poolioctl);
+ while ((h = $4) != NULL) {
+ $4 = h->ipe_next;
+ free(h);
+ }
resetlexer();
+ use_inet6 = 0;
}
| YY_COMMENT
+ | poolline eol
;
eol: ';'
@@ -132,6 +161,7 @@
table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
bzero((char *)&iphte, sizeof(iphte));
bzero((char *)&iplo, sizeof(iplo));
+ bzero((char *)&ipld, sizeof(ipld));
*ipht.iph_name = '\0';
iplo.ipo_flags = IPHASH_ANON;
iplo.ipo_name[0] = '\0';
@@ -150,13 +180,17 @@
inout: IPT_IN { $$ = FR_INQUE; }
| IPT_OUT { $$ = FR_OUTQUE; }
;
-role:
- IPT_ROLE '=' IPT_IPF { $$ = IPL_LOGIPF; }
- | IPT_ROLE '=' IPT_NAT { $$ = IPL_LOGNAT; }
- | IPT_ROLE '=' IPT_AUTH { $$ = IPL_LOGAUTH; }
- | IPT_ROLE '=' IPT_COUNT { $$ = IPL_LOGCOUNT; }
+
+role: IPT_ROLE '=' unit { $$ = $3; }
;
+unit: IPT_IPF { $$ = IPL_LOGIPF; }
+ | IPT_NAT { $$ = IPL_LOGNAT; }
+ | IPT_AUTH { $$ = IPL_LOGAUTH; }
+ | IPT_COUNT { $$ = IPL_LOGCOUNT; }
+ | IPT_ALL { $$ = IPL_LOGALL; }
+ ;
+
ipftree:
IPT_TYPE '=' IPT_TREE number start addrlist end
{ strncpy(iplo.ipo_name, $4,
@@ -183,14 +217,21 @@
$1,
FR_GROUPLEN);
$$ = $4;
+ free($1);
}
- | hashopts start setgrouplist end { $$ = $3; }
+ | hashopts start setgrouplist end
+ { $$ = $3; }
;
number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
$$ = poolname;
}
- | IPT_NAME '=' YY_STR { $$ = $3; }
+ | IPT_NAME '=' YY_STR { strncpy(poolname, $3,
+ FR_GROUPLEN);
+ poolname[FR_GROUPLEN-1]='\0';
+ free($3);
+ $$ = poolname;
+ }
| { $$ = ""; }
;
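Review bot: The new `IPT_NAME '=' YY_STR` action copies at most `FR_GROUPLEN-1` characters of the name and terminates it, so a longer name is silently truncated; because `poolname` is what rules are later matched against, two differently spelled long names collapse onto the same pool, or a rule binds to a pool other than the one the administrator wrote. Reject instead of truncating: `if (strlen($3) >= FR_GROUPLEN) yyerror("pool name too long");` before the `strncpy`. The `IPT_NUM` alternative is bounded by the `%u` format and is fine.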
@@ -198,6 +239,7 @@
IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
strncpy(tmp, $3, FR_GROUPLEN);
$$ = strdup(tmp);
+ free($3);
}
| IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
sprintf(tmp, "%u", $3);
@@ -212,36 +254,42 @@
;
addrlist:
- next { $$ = NULL; }
- | range next addrlist { $1->ipn_next = $3; $$ = $1; }
+ ';' { $$ = NULL; }
+ | range next addrlist { $$ = $1;
+ while ($1->ipn_next != NULL)
+ $1 = $1->ipn_next;
+ $1->ipn_next = $3;
+ }
| range next { $$ = $1; }
;
grouplist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
| groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
| addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
+ $$->ipe_family = $1[0].adf_family;
$$->ipe_next = $3;
}
| groupentry next { $$ = $1; }
| addrmask next { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
+#ifdef AF_INET6
+ if (use_inet6)
+ $$->ipe_family = AF_INET6;
+ else
+#endif
+ $$->ipe_family = AF_INET;
}
+ | YY_STR { $$ = add_htablehosts($1);
+ free($1);
+ }
;
setgrouplist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
| groupentry next { $$ = $1; }
| groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
;
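Review bot: The new `range next addrlist` action walks `$1->ipn_next` to append `$3`, but `range` can be NULL: `read_whoisfile()` (added at the end of this file) returns NULL when `fopen` fails, and `add_poolhosts()` returns NULL when its host list cannot be built, neither calling `yyerror`. A pool whose first entry is `whois file "missing"` would therefore crash the parser here, and one whose last entry is such a range would load with that range silently absent, which for a blocklist is the dangerous failure mode. Guard the walk with `if ($1 == NULL) { $$ = $3; } else { ... }` and, separately, make the producers report the error. The `YY_STR` alternative added to `grouplist` has the same exposure via `add_htablehosts()`, which also returns NULL on failure.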
@@ -248,85 +296,122 @@
groupentry:
addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
strncpy($$->ipe_group, $3,
FR_GROUPLEN);
+#ifdef AF_INET6
+ if (use_inet6)
+ $$->ipe_family = AF_INET6;
+ else
+#endif
+ $$->ipe_family = AF_INET;
free($3);
}
- | YY_STR { $$ = add_htablehosts($1); }
;
-range: addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 0;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $1[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $1[1].s_addr;
- }
- | '!' addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 1;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $2[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $2[1].s_addr;
- }
- | YY_STR { $$ = add_poolhosts($1); }
+range: addrmask { $$ = calloc(1, sizeof(*$$));
+ $$->ipn_info = 0;
+ $$->ipn_addr = $1[0];
+ $$->ipn_mask = $1[1];
+ }
+ | '!' addrmask { $$ = calloc(1, sizeof(*$$));
+ $$->ipn_info = 1;
+ $$->ipn_addr = $2[0];
+ $$->ipn_mask = $2[1];
+ }
+ | YY_STR { $$ = add_poolhosts($1);
+ free($1);
+ }
+ | IPT_WHOIS IPT_FILE YY_STR { $$ = read_whoisfile($3);
+ free($3);
+ }
+ ;
hashlist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
| hashentry next { $$ = $1; }
| hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
;
hashentry:
- addrmask { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- }
- | YY_STR { $$ = add_htablehosts($1); }
+ addrmask { $$ = calloc(1, sizeof(iphtent_t));
+ $$->ipe_addr = $1[0].adf_addr;
+ $$->ipe_mask = $1[1].adf_addr;
+#ifdef USE_INET6
+ if (use_inet6)
+ $$->ipe_family = AF_INET6;
+ else
+#endif
+ $$->ipe_family = AF_INET;
+ }
+ | YY_STR { $$ = add_htablehosts($1);
+ free($1);
+ }
;
addrmask:
- ipaddr '/' mask { $$[0] = $1; $$[1].s_addr = $3.s_addr;
- yyexpectaddr = 0;
+ ipaddr '/' mask { $$[0] = $1;
+ setadflen(&$$[0]);
+ $$[1] = $3;
+ $$[1].adf_len = $$[0].adf_len;
}
- | ipaddr { $$[0] = $1; $$[1].s_addr = 0xffffffff;
- yyexpectaddr = 0;
+ | ipaddr { $$[0] = $1;
+ setadflen(&$$[1]);
+ $$[1].adf_len = $$[0].adf_len;
+#ifdef USE_INET6
+ if (use_inet6)
+ memset(&$$[1].adf_addr, 0xff,
+ sizeof($$[1].adf_addr.in6));
+ else
+#endif
+ memset(&$$[1].adf_addr, 0xff,
+ sizeof($$[1].adf_addr.in4));
}
;
-ipaddr: ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = htonl($1); }
+ipaddr: ipv4 { $$.adf_addr.in4 = $1;
+ $$.adf_family = AF_INET;
+ setadflen(&$$);
+ use_inet6 = 0;
+ }
+ | YY_NUMBER { $$.adf_addr.in4.s_addr = htonl($1);
+ $$.adf_family = AF_INET;
+ setadflen(&$$);
+ use_inet6 = 0;
+ }
+ | YY_IPV6 { $$.adf_addr = $1;
+ $$.adf_family = AF_INET6;
+ setadflen(&$$);
+ use_inet6 = 1;
+ }
;
-mask: YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$.s_addr); }
- | ipv4 { $$ = $1; }
+mask: YY_NUMBER { bzero(&$$, sizeof($$));
+ if (use_inet6) {
+ if (ntomask(AF_INET6, $1,
+ (u_32_t *)&$$.adf_addr) == -1)
+ yyerror("bad bitmask");
+ } else {
+ if (ntomask(AF_INET, $1,
+ (u_32_t *)&$$.adf_addr.in4) == -1)
+ yyerror("bad bitmask");
+ }
+ }
+ | ipv4 { bzero(&$$, sizeof($$));
+ $$.adf_addr.in4 = $1;
+ }
+ | YY_IPV6 { bzero(&$$, sizeof($$));
+ $$.adf_addr = $1;
+ }
;
-start: '{' { yyexpectaddr = 1; }
+size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
;
-end: '}' { yyexpectaddr = 0; }
+seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
;
-next: ';' { yyexpectaddr = 1; }
- ;
-
-size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
- ;
-
-seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
- ;
-
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
{ if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
yyerror("Invalid octet string for IP address");
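Review bot: In the bare `ipaddr` alternative of `addrmask`, `$$[1]` is never zeroed: `setadflen(&$$[1])` reads its indeterminate `adf_family`, that length is then overwritten with `$$[0].adf_len`, and the `memset` covers only the address bytes, so `adf_family` and any padding in the mask stay indeterminate and are copied whole into `ipn_mask` by `range` and handed to the kernel; add `bzero(&$$[1], sizeof($$[1])); $$[1].adf_family = $$[0].adf_family;` before setting the length, as the `mask` rules already `bzero` their result. The family guard is also inconsistent: `groupentry` in this hunk uses `#ifdef AF_INET6` while `hashentry`, `addrmask`, `setadflen()` and `add_poolhosts()` use `#ifdef USE_INET6` — `AF_INET6` comes from `<sys/socket.h>` and is defined regardless of how ipfilter was built, so it should read `#ifdef USE_INET6` here too (and in `grouplist` in the previous hunk). Finally the `calloc` results in `groupentry` and `range` are dereferenced unchecked, unlike `dstentry` in the next hunk which tests `if ($$ != NULL)`.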
@@ -336,26 +421,180 @@
$$.s_addr = htonl($$.s_addr);
}
;
+
+next: ';' { yyexpectaddr = 1; }
+ ;
+
+start: '{' { yyexpectaddr = 1; }
+ ;
+
+end: '}' { yyexpectaddr = 0; }
+ ;
+
+poolline:
+ IPT_POOL unit '/' IPT_DSTLIST '(' name ';' dstopts ')'
+ start dstlist end
+ { bzero((char *)&ipld, sizeof(ipld));
+ strncpy(ipld.ipld_name, $6,
+ sizeof(ipld.ipld_name));
+ ipld.ipld_unit = $2;
+ ipld.ipld_policy = $8;
+ load_dstlist(&ipld, poolioctl, $11);
+ resetlexer();
+ use_inet6 = 0;
+ free($6);
+ }
+ | IPT_POOL unit '/' IPT_TREE '(' name ';' ')'
+ start addrlist end
+ { bzero((char *)&iplo, sizeof(iplo));
+ strncpy(iplo.ipo_name, $6,
+ sizeof(iplo.ipo_name));
+ iplo.ipo_list = $10;
+ iplo.ipo_unit = $2;
+ load_pool(&iplo, poolioctl);
+ resetlexer();
+ use_inet6 = 0;
+ free($6);
+ }
+ | IPT_POOL '(' name ';' ')' start addrlist end
+ { bzero((char *)&iplo, sizeof(iplo));
+ strncpy(iplo.ipo_name, $3,
+ sizeof(iplo.ipo_name));
+ iplo.ipo_list = $7;
+ iplo.ipo_unit = IPL_LOGALL;
+ load_pool(&iplo, poolioctl);
+ resetlexer();
+ use_inet6 = 0;
+ free($3);
+ }
+ | IPT_POOL unit '/' IPT_HASH '(' name ';' hashoptlist ')'
+ start hashlist end
+ { iphtent_t *h;
+ bzero((char *)&ipht, sizeof(ipht));
+ strncpy(ipht.iph_name, $6,
+ sizeof(ipht.iph_name));
+ ipht.iph_unit = $2;
+ load_hash(&ipht, $11, poolioctl);
+ while ((h = ipht.iph_list) != NULL) {
+ ipht.iph_list = h->ipe_next;
+ free(h);
+ }
+ resetlexer();
+ use_inet6 = 0;
+ free($6);
+ }
+ | IPT_GROUPMAP '(' name ';' inout ';' ')'
+ start setgrouplist end
+ { iphtent_t *h;
+ bzero((char *)&ipht, sizeof(ipht));
+ strncpy(ipht.iph_name, $3,
+ sizeof(ipht.iph_name));
+ ipht.iph_type = IPHASH_GROUPMAP;
+ ipht.iph_unit = IPL_LOGIPF;
+ ipht.iph_flags = $5;
+ load_hash(&ipht, $9, poolioctl);
+ while ((h = ipht.iph_list) != NULL) {
+ ipht.iph_list = h->ipe_next;
+ free(h);
+ }
+ resetlexer();
+ use_inet6 = 0;
+ free($3);
+ }
+ ;
+
+name: IPT_NAME YY_STR { $$ = $2; }
+ | IPT_NUM YY_NUMBER { char name[80];
+ sprintf(name, "%d", $2);
+ $$ = strdup(name);
+ }
+ ;
+
+hashoptlist:
+ | hashopt ';'
+ | hashoptlist ';' hashopt ';'
+ ;
+hashopt:
+ IPT_SIZE YY_NUMBER
+ | IPT_SEED YY_NUMBER
+ ;
+
+dstlist:
+ dstentries { $$ = $1; }
+ | ';' { $$ = NULL; }
+ ;
+
+dstentries:
+ dstentry next { $$ = $1; }
+ | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; }
+ ;
+
+dstentry:
+ YY_STR ':' ipaddr { int size = sizeof(*$$) + strlen($1) + 1;
+ $$ = calloc(1, size);
+ if ($$ != NULL) {
+ $$->ipfd_dest.fd_name = strlen($1) + 1;
+ bcopy($1, $$->ipfd_names,
+ $$->ipfd_dest.fd_name);
+ $$->ipfd_dest.fd_addr = $3;
+ $$->ipfd_size = size;
+ }
+ free($1);
+ }
+ | ipaddr { $$ = calloc(1, sizeof(*$$));
+ if ($$ != NULL) {
+ $$->ipfd_dest.fd_name = -1;
+ $$->ipfd_dest.fd_addr = $1;
+ $$->ipfd_size = sizeof(*$$);
+ }
+ }
+ ;
+
+dstopts:
+ { $$ = IPLDP_NONE; }
+ | IPT_POLICY IPT_ROUNDROBIN ';' { $$ = IPLDP_ROUNDROBIN; }
+ | IPT_POLICY IPT_WEIGHTED weighting ';' { $$ = $3; }
+ | IPT_POLICY IPT_RANDOM ';' { $$ = IPLDP_RANDOM; }
+ | IPT_POLICY IPT_HASH ';' { $$ = IPLDP_HASHED; }
+ | IPT_POLICY IPT_SRCHASH ';' { $$ = IPLDP_SRCHASH; }
+ | IPT_POLICY IPT_DSTHASH ';' { $$ = IPLDP_DSTHASH; }
+ ;
+
+weighting:
+ IPT_CONNECTION { $$ = IPLDP_CONNECTION; }
+ ;
%%
static wordtab_t yywords[] = {
- { "auth", IPT_AUTH },
- { "count", IPT_COUNT },
- { "group", IPT_GROUP },
- { "group-map", IPT_GROUPMAP },
- { "hash", IPT_HASH },
- { "in", IPT_IN },
- { "ipf", IPT_IPF },
- { "name", IPT_NAME },
- { "nat", IPT_NAT },
- { "number", IPT_NUM },
- { "out", IPT_OUT },
- { "role", IPT_ROLE },
- { "seed", IPT_SEED },
- { "size", IPT_SIZE },
- { "table", IPT_TABLE },
- { "tree", IPT_TREE },
- { "type", IPT_TYPE },
- { NULL, 0 }
+ { "all", IPT_ALL },
+ { "auth", IPT_AUTH },
+ { "connection", IPT_CONNECTION },
+ { "count", IPT_COUNT },
+ { "dst-hash", IPT_DSTHASH },
+ { "dstlist", IPT_DSTLIST },
+ { "file", IPT_FILE },
+ { "group", IPT_GROUP },
+ { "group-map", IPT_GROUPMAP },
+ { "hash", IPT_HASH },
+ { "in", IPT_IN },
+ { "ipf", IPT_IPF },
+ { "name", IPT_NAME },
+ { "nat", IPT_NAT },
+ { "number", IPT_NUM },
+ { "out", IPT_OUT },
+ { "policy", IPT_POLICY },
+ { "pool", IPT_POOL },
+ { "random", IPT_RANDOM },
+ { "round-robin", IPT_ROUNDROBIN },
+ { "role", IPT_ROLE },
+ { "seed", IPT_SEED },
+ { "size", IPT_SIZE },
+ { "src-hash", IPT_SRCHASH },
+ { "table", IPT_TABLE },
+ { "tree", IPT_TREE },
+ { "type", IPT_TYPE },
+ { "weighted", IPT_WEIGHTED },
+ { "whois", IPT_WHOIS },
+ { NULL, 0 }
};
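Review bot: `hashopt: IPT_SIZE YY_NUMBER | IPT_SEED YY_NUMBER` has no actions, and the `IPT_POOL ... IPT_HASH` action starts with `bzero(&ipht)` after the option list has already been parsed, so `size` and `seed` given in the new `pool` syntax are parsed and discarded and the table is created with the kernel defaults, unlike the old `table` syntax whose `size`/`seed` rules store into `ipht`. Store the values in the actions (`IPT_SIZE YY_NUMBER { ipht.iph_size = $2; }`, `IPT_SEED YY_NUMBER { ipht.iph_seed = $2; }`) and move the `bzero` to a mid-rule action before `'('`. Also `strncpy(ipld.ipld_name, $6, sizeof(ipld.ipld_name))` and the `strncpy` into `iplo.ipo_name`/`ipht.iph_name` leave the name unterminated when it fills the field, whereas the `number` rule above terminates. And `hashoptlist: hashoptlist ';' hashopt ';'` looks as if it needs an extra `;` between two options; worth checking with a table that gives both `size` and `seed`.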
@@ -441,8 +680,9 @@
if (hlist == NULL)
return NULL;
- if (gethost(url, &hlist->al_addr) == -1)
+ if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
yyerror("Unknown hostname");
+ }
}
hbot = NULL;
@@ -453,10 +693,9 @@
if (h == NULL)
break;
- bcopy((char *)&a->al_addr, (char *)&h->ipe_addr,
- sizeof(h->ipe_addr));
- bcopy((char *)&a->al_mask, (char *)&h->ipe_mask,
- sizeof(h->ipe_mask));
+ h->ipe_family = a->al_family;
+ h->ipe_addr = a->al_i6addr;
+ h->ipe_mask = a->al_i6mask;
if (hbot != NULL)
hbot->ipe_next = h;
@@ -487,8 +726,9 @@
if (hlist == NULL)
return NULL;
- if (gethost(url, &hlist->al_addr) == -1)
+ if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
yyerror("Unknown hostname");
+ }
}
pbot = NULL;
@@ -498,17 +738,20 @@
p = calloc(1, sizeof(*p));
if (p == NULL)
break;
+ p->ipn_mask.adf_addr = a->al_i6mask;
- p->ipn_addr.adf_len = 8;
- p->ipn_mask.adf_len = 8;
-
+ if (a->al_family == AF_INET) {
+ p->ipn_addr.adf_family = AF_INET;
+#ifdef USE_INET6
+ } else if (a->al_family == AF_INET6) {
+ p->ipn_addr.adf_family = AF_INET6;
+#endif
+ }
+ setadflen(&p->ipn_addr);
+ p->ipn_addr.adf_addr = a->al_i6addr;
p->ipn_info = a->al_not;
+ p->ipn_mask.adf_len = p->ipn_addr.adf_len;
- bcopy((char *)&a->al_addr, (char *)&p->ipn_addr.adf_addr,
- sizeof(p->ipn_addr.adf_addr));
- bcopy((char *)&a->al_mask, (char *)&p->ipn_mask.adf_addr,
- sizeof(p->ipn_mask.adf_addr));
-
if (pbot != NULL)
pbot->ipn_next = p;
else
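Review bot: The new family dispatch in `add_poolhosts()` only handles `AF_INET` and, under `USE_INET6`, `AF_INET6`; for any other `al_family` the node keeps `adf_family` 0 from `calloc`, `setadflen()` then yields the bare header length, and the node is still linked into the list and sent to the kernel. If the alist builder or `gethost()` can leave `al_family` unset, an unresolvable entry would load as a zero-length node rather than fail; an explicit `else { yyerror("unknown address family"); }` would make that visible. `ipn_mask.adf_family` is also never set while `ipn_addr.adf_family` is — whether the kernel compares it I cannot tell from this diff. The function's head is outside the hunk.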
@@ -520,3 +763,59 @@
return ptop;
}
+
+
+ip_pool_node_t *
+read_whoisfile(file)
+ char *file;
+{
+ ip_pool_node_t *ntop, *ipn, node, *last;
+ char line[1024];
+ FILE *fp;
+
+ fp = fopen(file, "r");
+ if (fp == NULL)
+ return NULL;
+
+ last = NULL;
+ ntop = NULL;
+ while (fgets(line, sizeof(line) - 1, fp) != NULL) {
+ line[sizeof(line) - 1] = '\0';
+
+ if (parsewhoisline(line, &node.ipn_addr, &node.ipn_mask))
+ continue;
+ ipn = calloc(1, sizeof(*ipn));
+ if (ipn == NULL)
+ continue;
+ ipn->ipn_addr = node.ipn_addr;
+ ipn->ipn_mask = node.ipn_mask;
+ if (last == NULL)
+ ntop = ipn;
+ else
+ last->ipn_next = ipn;
+ last = ipn;
+ }
+ fclose(fp);
+ return ntop;
+}
+
+
+static void
+setadflen(afp)
+ addrfamily_t *afp;
+{
+ afp->adf_len = offsetof(addrfamily_t, adf_addr);
+ switch (afp->adf_family)
+ {
+ case AF_INET :
+ afp->adf_len += sizeof(struct in_addr);
+ break;
+#ifdef USE_INET6
+ case AF_INET6 :
+ afp->adf_len += sizeof(struct in6_addr);
+ break;
+#endif
+ default :
+ break;
+ }
+}
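Review bot: `read_whoisfile()` returns NULL when `fopen` fails and silently `continue`s when `calloc` fails or `parsewhoisline()` rejects a line, so a misspelled or unreadable file yields an empty range with no diagnostic — the pool loads and the addresses it was meant to block are simply not there. Report the failure instead, e.g. `if (fp == NULL) { perror(file); yyerror("cannot read whois file"); }`, and count rejected lines so a corrupt file is noticed. The function is declared `static` in the prologue but defined here without `static`; C gives it internal linkage from the prior declaration, but the two should match. `fgets` with `sizeof(line) - 1` also splits a line longer than 1022 bytes into two records; a `strchr(line, '\n')` check would catch that.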
Modified: trunk/contrib/ipfilter/tools/ipscan_y.y
===================================================================
--- trunk/contrib/ipfilter/tools/ipscan_y.y 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipscan_y.y 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipscan_y.y 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -13,6 +13,7 @@
#include "kmem.h"
#include "ipscan_l.h"
#include "netinet/ip_scan.h"
+#include <ctype.h>
#define YYDEBUG 1
@@ -60,7 +61,7 @@
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
-%token YY_COMMENT
+%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6
Modified: trunk/contrib/ipfilter/tools/ipsyncm.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipsyncm.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipsyncm.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,13 +1,13 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipsyncm.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/time.h>
@@ -49,13 +49,13 @@
}
#endif
-
+
/* should be large enough to hold header + any datatype */
#define BUFFERLEN 1400
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
struct sockaddr_in sin;
char buff[BUFFERLEN];
@@ -66,7 +66,7 @@
u_32_t magic;
synchdr_t *sh;
char *progname;
-
+
progname = strrchr(argv[0], '/');
if (progname) {
progname++;
@@ -73,8 +73,8 @@
} else {
progname = argv[0];
}
-
+
if (argc < 2) {
usage(progname);
exit(1);
@@ -108,13 +108,13 @@
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
goto tryagain;
}
-
+
nfd = socket(AF_INET, SOCK_DGRAM, 0);
if (nfd == -1) {
syslog(LOG_ERR, "Socket :%m");
goto tryagain;
}
-
+
if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
syslog(LOG_ERR, "Connect: %m");
goto tryagain;
@@ -122,15 +122,15 @@
syslog(LOG_INFO, "Sending data to %s",
inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
+
+ inbuf = 0;
while (1) {
n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
-
+
printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
+ n1, (int) sizeof(*sh));
+
if (n1 < 0) {
syslog(LOG_ERR, "Read error (header): %m");
goto tryagain;
@@ -143,9 +143,9 @@
sleep(1);
continue;
}
-
- inbuf += n1;
+ inbuf += n1;
+
moreinbuf:
if (inbuf < sizeof(*sh)) {
continue; /* need more data */
@@ -153,7 +153,7 @@
sh = (synchdr_t *)buff;
len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
+ magic = ntohl(sh->sm_magic);
if (magic != SYNHDRMAGIC) {
syslog(LOG_ERR,
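Review bot: `len = ntohl(sh->sm_len)` takes the record length straight from the header and nothing bounds it before the later test `inbuf < sizeof(*sh) + len` (hunk `@@ -181,8 +181,8 @@`); when `len` is an `int`, as it is declared in ipsyncs.c, it is promoted to the unsigned `size_t` in that comparison, so a negative or over-large `sm_len` makes the loop wait for a record that can never fit in `buff[BUFFERLEN]`, and the zero-byte reads that follow only `sleep(1); continue;` instead of resynchronising. The same pattern is in the ipsyncs.c hunk `@@ -171,7 +171,7 @@`, where the header arrives on a UDP socket, so the check matters most there. After the magic check, whose body continues outside this hunk, add `if (len < 0 || (size_t)len > BUFFERLEN - sizeof(*sh)) { syslog(LOG_ERR, "Invalid length %d", len); goto tryagain; }`. main() starts and ends outside this hunk.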
@@ -181,8 +181,8 @@
printf(" table:Unknown(%d)", sh->sm_table);
printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
+#endif
+
if (inbuf < sizeof(*sh) + len) {
continue; /* need more data */
goto tryagain;
@@ -195,9 +195,9 @@
} else if (sh->sm_cmd == SMC_UPDATE) {
su = (syncupdent_t *)buff;
if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
+ printf(" TCP Update: age %lu state %d/%d\n",
su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
+ su->sup_tcp.stu_state[0],
su->sup_tcp.stu_state[1]);
}
} else {
@@ -212,7 +212,7 @@
goto tryagain;
}
-
+
if (n3 != n2) {
syslog(LOG_ERR, "Incomplete write (%d/%d)",
n3, n2);
@@ -226,7 +226,7 @@
/* move buffer to the front,we might need to make
* this more efficient, by using a rolling pointer
* over the buffer and only copying it, when
- * we are reaching the end
+ * we are reaching the end
*/
inbuf -= n2;
if (inbuf) {
Modified: trunk/contrib/ipfilter/tools/ipsyncs.c
===================================================================
--- trunk/contrib/ipfilter/tools/ipsyncs.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/ipsyncs.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,13 +1,13 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/ipsyncs.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2001-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.1.1.3 2012-07-21 15:01:08 laffer1 Exp $";
+static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/time.h>
@@ -54,10 +54,10 @@
#define BUFFERLEN 1400
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- int nfd = -1 , lfd = -1;
+ int nfd = -1 , lfd = -1;
int n1, n2, n3, magic, len, inbuf;
struct sockaddr_in sin;
struct sockaddr_in in;
@@ -66,7 +66,7 @@
syncupdent_t *su;
synchdr_t *sh;
char *progname;
-
+
progname = strrchr(argv[0], '/');
if (progname) {
progname++;
@@ -73,7 +73,7 @@
} else {
progname = argv[0];
}
-
+
if (argc < 2) {
usage(progname);
exit(1);
@@ -86,7 +86,7 @@
#endif
openlog(progname, LOG_PID, LOG_SECURITY);
-
+
lfd = open(IPSYNC_NAME, O_WRONLY);
if (lfd == -1) {
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
@@ -101,7 +101,7 @@
sin.sin_port = htons(atoi(argv[2]));
else
sin.sin_port = htons(43434);
- if (argc > 3)
+ if (argc > 3)
in.sin_addr.s_addr = inet_addr(argv[3]);
else
in.sin_addr.s_addr = 0;
@@ -108,7 +108,7 @@
in.sin_port = 0;
while(1) {
-
+
if (lfd != -1)
close(lfd);
if (nfd != -1)
@@ -119,7 +119,7 @@
syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
goto tryagain;
}
-
+
nfd = socket(AF_INET, SOCK_DGRAM, 0);
if (nfd == -1) {
syslog(LOG_ERR, "Socket :%m");
@@ -135,20 +135,20 @@
}
syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
+
+ inbuf = 0;
while (1) {
- /*
+ /*
* XXX currently we do not check the source address
* of a datagram, this can be a security risk
*/
n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf);
-
+
printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
+ n1, (int) sizeof(*sh));
+
if (n1 < 0) {
syslog(LOG_ERR, "Read error (header): %m");
goto tryagain;
@@ -161,9 +161,9 @@
sleep(1);
continue;
}
-
- inbuf += n1;
+ inbuf += n1;
+
moreinbuf:
if (inbuf < sizeof(*sh)) {
continue; /* need more data */
@@ -171,7 +171,7 @@
sh = (synchdr_t *)buff;
len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
+ magic = ntohl(sh->sm_magic);
if (magic != SYNHDRMAGIC) {
syslog(LOG_ERR, "Invalid header magic %x",
@@ -199,8 +199,8 @@
printf(" table:Unknown(%d)", sh->sm_table);
printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
+#endif
+
if (inbuf < sizeof(*sh) + len) {
continue; /* need more data */
goto tryagain;
@@ -213,9 +213,9 @@
} else if (sh->sm_cmd == SMC_UPDATE) {
su = (syncupdent_t *)buff;
if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
+ printf(" TCP Update: age %lu state %d/%d\n",
su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
+ su->sup_tcp.stu_state[0],
su->sup_tcp.stu_state[1]);
}
} else {
@@ -231,7 +231,7 @@
goto tryagain;
}
-
+
if (n3 != n2) {
syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
IPSYNC_NAME, n3, n2);
@@ -245,7 +245,7 @@
/* move buffer to the front,we might need to make
* this more efficient, by using a rolling pointer
* over the buffer and only copying it, when
- * we are reaching the end
+ * we are reaching the end
*/
inbuf -= n2;
if (inbuf) {
Modified: trunk/contrib/ipfilter/tools/lex_var.h
===================================================================
--- trunk/contrib/ipfilter/tools/lex_var.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/lex_var.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/lex_var.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
Modified: trunk/contrib/ipfilter/tools/lexer.c
===================================================================
--- trunk/contrib/ipfilter/tools/lexer.c 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/lexer.c 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,7 +1,7 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/lexer.c 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2006 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
@@ -42,6 +42,7 @@
int yylineNum = 1;
int yypos = 0;
int yylast = -1;
+int yydictfixed = 0;
int yyexpectaddr = 0;
int yybreakondot = 0;
int yyvarnext = 0;
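Review bot: `yydictfixed` is introduced with no comment, and its meaning has to be reconstructed from three other hunks of this commit (set in yysetfixeddict, cleared at the end of the dictionary-pop function, and tested twice in yylex to skip yyresetdict on a keyword miss and on a YY_STR token). A one-line comment at the declaration would spare the next reader that search: `int yydictfixed = 0;	/* set by yysetfixeddict(): yylex must not pop the dictionary on a keyword miss or a YY_STR */`.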
@@ -60,7 +61,7 @@
static char *yytexttochar __P((void));
static int yygetc(docont)
-int docont;
+ int docont;
{
int c;
@@ -98,7 +99,7 @@
static void yyunputc(c)
-int c;
+ int c;
{
if (c == '\n')
yylineNum--;
@@ -107,7 +108,7 @@
static int yyswallow(last)
-int last;
+ int last;
{
int c;
@@ -134,7 +135,7 @@
static void yystrtotext(str)
-char *str;
+ char *str;
{
int len;
char *s;
@@ -150,7 +151,7 @@
static char *yytexttostr(offset, max)
-int offset, max;
+ int offset, max;
{
char *str;
int i;
@@ -175,8 +176,11 @@
int yylex()
{
+ static int prior = 0;
+ static int priornum = 0;
int c, n, isbuilding, rval, lnext, nokey = 0;
char *name;
+ int triedv6 = 0;
isbuilding = 0;
lnext = 0;
@@ -190,7 +194,8 @@
nextchar:
c = yygetc(0);
if (yydebug > 1)
- printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
+ printf("yygetc = (%x) %c [%*.*s]\n",
+ c, c, yypos, yypos, yytexttochar());
switch (c)
{
@@ -209,6 +214,8 @@
sizeof(yytext[0]) * (yylast - yypos + 1));
}
yylast -= yypos;
+ if (yyexpectaddr == 2)
+ yyexpectaddr = 0;
yypos = 0;
lnext = 0;
nokey = 0;
@@ -232,6 +239,7 @@
if (lnext == 1) {
lnext = 0;
if ((isbuilding == 0) && !ISALNUM(c)) {
+ prior = c;
return c;
}
goto nextchar;
@@ -246,7 +254,7 @@
}
yyswallow('\n');
rval = YY_COMMENT;
- goto nextchar;
+ goto done;
case '$' :
if (isbuilding == 1) {
@@ -320,6 +328,9 @@
yybreakondot = 0;
yyvarnext = 0;
yytokentype = 0;
+ if (yydebug)
+ fprintf(stderr, "reset at EOF\n");
+ prior = 0;
return 0;
}
@@ -344,10 +355,6 @@
switch (c)
{
case '-' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1)
- break;
n = yygetc(0);
if (n == '>') {
isbuilding = 1;
@@ -354,6 +361,15 @@
goto done;
}
yyunputc(n);
+ if (yyexpectaddr) {
+ if (isbuilding == 1)
+ yyunputc(c);
+ else
+ rval = '-';
+ goto done;
+ }
+ if (isbuilding == 1)
+ break;
rval = '-';
goto done;
@@ -420,14 +436,21 @@
* 0000:0000:0000:0000:0000:0000:0000:0000
*/
#ifdef USE_INET6
- if (yyexpectaddr == 1 && isbuilding == 0 && (ishex(c) || c == ':')) {
+ if (yyexpectaddr != 0 && isbuilding == 0 &&
+ (ishex(c) || isdigit(c) || c == ':')) {
char ipv6buf[45 + 1], *s, oc;
int start;
+buildipv6:
start = yypos;
s = ipv6buf;
oc = c;
+ if (prior == YY_NUMBER && c == ':') {
+ sprintf(s, "%d", priornum);
+ s += strlen(s);
+ }
+
/*
* Perhaps we should implement stricter controls on what we
* swallow up here, but surely it would just be duplicating
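Review bot: The new `sprintf(s, "%d", priornum)` pre-fills up to 11 bytes of `ipv6buf[45 + 1]` before the swallow loop that follows (outside this hunk) starts appending at `s`; if that loop limits itself by a character count rather than by the space left after `s`, the prefix can push its writes past the end of the buffer, so please confirm the loop's bound. Writing the prefix with the size stated keeps the intent visible either way: `snprintf(s, sizeof(ipv6buf), "%d", priornum); s += strlen(s);` (`s` still equals `ipv6buf` at that point). The `buildipv6:` label is also reached by `goto` from the later `c == ':'` retry, which jumps into the middle of this `if` block past the declarations of `ipv6buf`, `s`, `oc` and `start`; that is legal C, but a comment at the label saying the entry is intentional and that every local is assigned before use would stop it being "fixed" later. yylex starts and ends outside this hunk.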
@@ -451,7 +474,25 @@
}
#endif
- if (c == ':') {
+ if ((c == ':') && (rval != YY_IPV6) && (triedv6 == 0)) {
+#ifdef USE_INET6
+ yystr = yytexttostr(0, yypos - 1);
+ if (yystr != NULL) {
+ char *s;
+
+ for (s = yystr; *s && ishex(*s); s++)
+ ;
+ if (!*s && *yystr) {
+ isbuilding = 0;
+ c = *yystr;
+ free(yystr);
+ triedv6 = 1;
+ yypos = 1;
+ goto buildipv6;
+ }
+ free(yystr);
+ }
+#endif
if (isbuilding == 1) {
yyunputc(c);
goto done;
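Review bot: Both `free(yystr)` calls leave `yystr` — which is not among yylex's locals shown in this commit and so appears to be file-scope — pointing at freed memory until `done:` assigns it again; on the `goto buildipv6` path that reassignment only happens after the whole IPv6 scan, so any debug print or error path in between that reads `yystr` would be a use-after-free, and a second free on such a path a double free. Null the pointer right after each release: `free(yystr); yystr = NULL;`. Also `yytexttostr(0, yypos - 1)` assumes `yypos >= 1` here; that presumably holds because the ':' just read advanced it, but a comment stating the assumption would help. yylex starts and ends outside this hunk.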
@@ -492,8 +533,8 @@
yystr = yytexttostr(0, yypos);
if (yydebug)
- printf("isbuilding %d yyvarnext %d nokey %d\n",
- isbuilding, yyvarnext, nokey);
+ printf("isbuilding %d yyvarnext %d nokey %d fixed %d addr %d\n",
+ isbuilding, yyvarnext, nokey, yydictfixed, yyexpectaddr);
if (isbuilding == 1) {
wordtab_t *w;
@@ -502,7 +543,7 @@
if ((yyvarnext == 0) && (nokey == 0)) {
w = yyfindkey(yystr);
- if (w == NULL && yywordtab != NULL) {
+ if (w == NULL && yywordtab != NULL && !yydictfixed) {
yyresetdict();
w = yyfindkey(yystr);
}
@@ -514,14 +555,19 @@
rval = YY_STR;
}
- if (rval == YY_STR && yysavedepth > 0)
- yyresetdict();
+ if (rval == YY_STR) {
+ if (yysavedepth > 0 && !yydictfixed)
+ yyresetdict();
+ if (yyexpectaddr != 0)
+ yyexpectaddr = 0;
+ }
yytokentype = rval;
if (yydebug)
- printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start,
- string_end, pos, rval, yysavedepth);
+ printf("lexed(%s) %d,%d,%d [%d,%d,%d] => %d @%d\n",
+ yystr, isbuilding, yyexpectaddr, yysavedepth,
+ string_start, string_end, pos, rval, yysavedepth);
switch (rval)
{
@@ -548,12 +594,15 @@
yypos = 0;
}
+ if (rval == YY_NUMBER)
+ priornum = yylval.num;
+ prior = rval;
return rval;
}
static wordtab_t *yyfindkey(key)
-char *key;
+ char *key;
{
wordtab_t *w;
@@ -568,7 +617,7 @@
char *yykeytostr(num)
-int num;
+ int num;
{
wordtab_t *w;
@@ -583,7 +632,7 @@
wordtab_t *yysettab(words)
-wordtab_t *words;
+ wordtab_t *words;
{
wordtab_t *save;
@@ -594,7 +643,7 @@
void yyerror(msg)
-char *msg;
+ char *msg;
{
char *txt, letter[2];
int freetxt = 0;
@@ -620,9 +669,31 @@
}
+void yysetfixeddict(newdict)
+ wordtab_t *newdict;
+{
+ if (yydebug)
+ printf("yysetfixeddict(%lx)\n", (u_long)newdict);
+
+ if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
+ fprintf(stderr, "%d: at maximum dictionary depth\n",
+ yylineNum);
+ return;
+ }
+
+ yysavewords[yysavedepth++] = yysettab(newdict);
+ if (yydebug)
+ printf("yysavedepth++ => %d\n", yysavedepth);
+ yydictfixed = 1;
+}
+
+
void yysetdict(newdict)
-wordtab_t *newdict;
+ wordtab_t *newdict;
{
+ if (yydebug)
+ printf("yysetdict(%lx)\n", (u_long)newdict);
+
if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
fprintf(stderr, "%d: at maximum dictionary depth\n",
yylineNum);
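Review bot: `yysetfixeddict` repeats the body of `yysetdict` line for line (depth check, push through yysettab, debug print) and differs only in setting `yydictfixed = 1` after a successful push; two copies of the push logic will drift the next time one is touched. Since the push must not set the flag when it is refused at maximum depth, the shared part is best a static helper that reports success, with `yysetfixeddict` setting the flag only on success; `yysetdict`'s remainder is outside this hunk, so converting it too is left to you. Separately, both new debug prints format a pointer with `(u_long)newdict` and `%lx`; the portable form is `printf("yysetfixeddict(%p)\n", (void *)newdict);`.
```c
/* Push newdict onto the save stack; returns 0 on success, -1 when full. */
static int yypushdict(newdict)
	wordtab_t *newdict;
{
	if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
		fprintf(stderr, "%d: at maximum dictionary depth\n",
			yylineNum);
		return -1;
	}
	yysavewords[yysavedepth++] = yysettab(newdict);
	if (yydebug)
		printf("yysavedepth++ => %d\n", yysavedepth);
	return 0;
}

void yysetfixeddict(newdict)
	wordtab_t *newdict;
{
	if (yydebug)
		printf("yysetfixeddict(%p)\n", (void *)newdict);
	/* the flag must only be set when the dictionary was actually pushed */
	if (yypushdict(newdict) == 0)
		yydictfixed = 1;
}

/* … unchanged: yysetdict … */
```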
@@ -643,6 +714,7 @@
if (yydebug)
printf("yysavedepth-- => %d\n", yysavedepth);
}
+ yydictfixed = 0;
}
@@ -649,8 +721,8 @@
#ifdef TEST_LEXER
int main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
int n;
Modified: trunk/contrib/ipfilter/tools/lexer.h
===================================================================
--- trunk/contrib/ipfilter/tools/lexer.h 2018-07-01 21:37:49 UTC (rev 11252)
+++ trunk/contrib/ipfilter/tools/lexer.h 2018-07-01 23:54:57 UTC (rev 11253)
@@ -1,16 +1,11 @@
-/* $FreeBSD$ */
+/* $FreeBSD: stable/10/contrib/ipfilter/tools/lexer.h 255332 2013-09-06 23:11:19Z cy $ */
/*
- * Copyright (C) 2002-2004 by Darren Reed.
+ * Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-typedef struct wordtab {
- char *w_word;
- int w_value;
-} wordtab_t;
-
#ifdef NO_YACC
#define YY_COMMENT 1000
#define YY_CMP_NE 1001
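Review bot: Removing the `wordtab_t` typedef leaves lexer.h using a type it no longer defines — the `extern wordtab_t *yysettab __P((wordtab_t *))` prototypes in the next hunk now compile only if the includer has already pulled in whatever header the typedef moved to, and that new home is not visible in this chunk. Include that header at the top of lexer.h (confirm which one it is) so the header stays self-contained, or state in a comment next to the prototypes which header must be included first.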
@@ -29,6 +24,7 @@
extern wordtab_t *yysettab __P((wordtab_t *));
extern void yysetdict __P((wordtab_t *));
+extern void yysetfixeddict __P((wordtab_t *));
extern int yylex __P((void));
extern void yyerror __P((char *));
extern char *yykeytostr __P((int));