[Midnightbsd-cvs] src [11861] trunk/contrib/ipfilter: remove old files

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Fri Jul 13 09:33:02 EDT 2018


Revision: 11861
          http://svnweb.midnightbsd.org/src/?rev=11861
Author:   laffer1
Date:     2018-07-13 09:33:01 -0400 (Fri, 13 Jul 2018)
Log Message:
-----------
remove old files

Removed Paths:
-------------
    trunk/contrib/ipfilter/.cvsignore
    trunk/contrib/ipfilter/BSD/
    trunk/contrib/ipfilter/FAQ.FreeBSD
    trunk/contrib/ipfilter/FWTK/
    trunk/contrib/ipfilter/FreeBSD/
    trunk/contrib/ipfilter/FreeBSD-2.2/
    trunk/contrib/ipfilter/FreeBSD-3/
    trunk/contrib/ipfilter/FreeBSD-4.0/
    trunk/contrib/ipfilter/IMPORTANT
    trunk/contrib/ipfilter/INST.FreeBSD-2.2
    trunk/contrib/ipfilter/INSTALL.FreeBSD
    trunk/contrib/ipfilter/INSTALL.xBSD
    trunk/contrib/ipfilter/IPF.KANJI
    trunk/contrib/ipfilter/WhatsNew40.txt
    trunk/contrib/ipfilter/bsdinstall
    trunk/contrib/ipfilter/etc/
    trunk/contrib/ipfilter/perl/
    trunk/contrib/ipfilter/radix.c
    trunk/contrib/ipfilter/test/
    trunk/contrib/ipfilter/todo

Deleted: trunk/contrib/ipfilter/.cvsignore
===================================================================
--- trunk/contrib/ipfilter/.cvsignore	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/.cvsignore	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,28 +0,0 @@
-ipf
-sparcv7
-sparcv9
-h
-ipf-darren
-bugs
-ipftest
-patches
-state
-cbits
-CVS
-old
-new
-netinet
-import
-bak
-streams
-cvs.diff
-threads
-glibc
-hp
-windows
-ipnat
-opt_inet6.h
-ippool
-ipmon
-ip_rules.c
-ip_rules.h
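
Review bot: the ignore list removed in this hunk covers generated outputs (`ipf`, `ipnat`, `ipmon`, `ippool`, `ip_rules.c`, `ip_rules.h`, `opt_inet6.h`) as well as CVS-era leftovers (`CVS`, `cvs.diff`, `bak`), and the log message "remove old files" does not say whether any of those outputs are still produced in trunk/contrib/ipfilter. If they are, carry the relevant entries over to an svn:ignore property on the directory so build products do not show up as unversioned files; if not, a word in the log that the directory is no longer built in place would make that clear.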

Deleted: trunk/contrib/ipfilter/FAQ.FreeBSD
===================================================================
--- trunk/contrib/ipfilter/FAQ.FreeBSD	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/FAQ.FreeBSD	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,104 +0,0 @@
-These are Instructions for Configuring A FreeBSD Box For NAT 
-After you have installed IP-Filter.
-
-You will need to change three files:
-
-/etc/rc.local
-/etc/sysconfig
-/etc/natrules
-
-You will have to:
-
-1) Load the kernel module
-2) Make the ipnat rules
-3) Load the ipnat rules
-4) Enable routing between interfaces
-5) Add static routes for the subnet ranges
-6) Configure your network interfaces
-7) reboot the computer for the changes to take effect.
-
-The FAQ was written by Chris Coleman <chris@@bbcc.ctc.edu>
-This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE
-_________________________________________________________
-1) Loading the Kernel Module
-
-If you are using a Kernal Loadable Module you need to edit your
-/etc/rc.local file and load the module at boot time.
-use the line:
-
-        modload /lkm/if_ipl.o
-
-If you are not loading a kernel module, skip this step.
-_________________________________________________________
-2) Setting up the NAT Rules
-
-Make a file called /etc/natrules
-put in the rules that you need for your system.
-
-If you want to use the whole 10 Network. Try:
-
-map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000
-
-_________________________________________________________
-Here is an explaination of each part of the command:
-
-map starts the command.
-
-fpx0 is the interface with the real internet address.
-
-10.0.0.0 is the subnet you want to use.
-
-/8 is the subnet mask.  ie 255.0.0.0
-
-208.8.0.1 is the real ip address that you use.
-
-/32 is the subnet mask 255.255.255.255, ie only use this ip address.
-
-portmap tcp/udp 10000:65000 
-        tells it to use the ports to redirect the tcp/udp calls through
-
-
-The one line should work for the whole network.
-_________________________________________________________
-3) Loading the NAT Rules:
-
-The NAT Rules will need to be loaded every time the computer
-reboots.
-
-In your /etc/rc.local put the line:
-
-ipnat -f /etc/natrules 
-
-To check and see if it is loaded, as root type
-    ipnat -ls
-_________________________________________________________
-4) Enable Routing between interfaces.
-
-Tell the kernel to route these addresses.
-
-in the rc.local file put the line:
-
-sysctl -w net.inet.ip.forwarding=1
-
-_________________________________________________________
-5) Static Routes to Subnet Ranges
-
-Now you have to add a static routes for the subnet ranges.
-Edit your /etc/sysconfig to add them at bootup.
-
-static_routes="foo"
-route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1"
-
-
-_________________________________________________________
-6) Make sure that you have your interfaces configured.
-
-I have two Intel Ether Express Pro B cards.
-One is on 208.8.0.1 The other is on 10.0.0.1
-
-You need to configure these in the /etc/sysconfig
-
-network_interfaces="fxp0 fxp1"
-ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0"
-ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0"
-_________________________________________________________
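
Review bot: the NAT example in this FAQ is internally inconsistent, so it should not be carried forward into any replacement documentation without correction. The map rule and its explanation name the external interface `fpx0`, while section 6 configures `fxp0` and `fxp1`; the static route in section 5 uses `-netmask 0xf0000000`, which is a /4 mask and does not match the `10.0.0.0/8` in the map rule or the `netmask 255.0.0.0` on `fxp1`. The text also states it was tested with ipfilter 3.1.4 on FreeBSD 2.1.6-RELEASE and relies on `modload` and /etc/sysconfig, so deleting it rather than updating it is reasonable; suggest the log message say the file is dropped as obsolete instead of only "remove old files".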

Deleted: trunk/contrib/ipfilter/IMPORTANT
===================================================================
--- trunk/contrib/ipfilter/IMPORTANT	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/IMPORTANT	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,11 +0,0 @@
-		****************************************
-			     IMPORTANT NOTICE
-		****************************************
-1)
-
-If you have BOTH GNU make and the normal make shipped with your system,
-DO NOT use the GNU make to build this package.
-
-Darren
-darrenr at pobox.com
-		****************************************

Deleted: trunk/contrib/ipfilter/INST.FreeBSD-2.2
===================================================================
--- trunk/contrib/ipfilter/INST.FreeBSD-2.2	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/INST.FreeBSD-2.2	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,62 +0,0 @@
-.\"	$MidnightBSD$
-.\"
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
-	1. In /sys/i386/conf, create a new kernel config file (to be used
-	   with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
-
-	2. build the object files, telling it the name of the kernel to be
-	   used.  "freebsd22" MUST be the target, so the command would be
-	   something like this: "make freebsd22 IPFILKERN=FIREWALL"
-
-	3. do "make install-bsd"
-	   (probably has to be done as root)
-
-	4.  run "FreeBSD-2.2/minstall" as root
-
-	5. build a new kernel
-
-	6. install and reboot with the new kernel
-
-	7. use modload(8) to load the packet filter with:
-		modload if_ipl.o
-
-	8. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
-  under the name (IPL_NAME) from the Makefile.  It will also remove itself
-  from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
-*** KERNEL INSTALL CURRENTLY UNSUPPORTED ***
-	1. do "make freebsd22"
-
-	2. do "make install-bsd"
-	   (probably has to be done as root)
-
-	3.  run "FreeBSD-2.2/kinstall" as root
-
-	4. build a new kernel
-
-	5a) For FreeBSD 2.2 (or later)
-	    create devices for IP Filter as follows:
-	      mknod /dev/ipl c 79 0
-	      mknod /dev/ipnat c 79 1
-	      mknod /dev/ipstate c 79 2
-	      mknod /dev/ipauth c 79 3
-
-	5b) For versions prior to FreeBSD 2.2:
-	    create devices for IP Filter as follows (assuming it was
-            installed into the device table as char dev 20):
-	      mknod /dev/ipl c 20 0
-	      mknod /dev/ipnat c 20 1
-	      mknod /dev/ipstate c 20 2
-	      mknod /dev/ipauth c 20 3
-
-	6. install and reboot with the new kernel
-
-Darren Reed
-darrenr at pobox.com

Deleted: trunk/contrib/ipfilter/INSTALL.FreeBSD
===================================================================
--- trunk/contrib/ipfilter/INSTALL.FreeBSD	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/INSTALL.FreeBSD	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,56 +0,0 @@
-
-This file is for use with FreeBSD 4.x and 5.x only.
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
-	1. For FreeBSD version:
-		4.*	 do	make freebsd4
-		5.*	 do	make freebsd5
-
-	2. do "make install-bsd"
-	   (probably has to be done as root)
-
-	3. Run "BSD/kupgrade"
-
-	4. build a new kernel
-
-	5. install and reboot with the new kernel
-
-	6. use modload(8) to load the packet filter with:
-		modload if_ipl.o
-
-	7. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
-  under the name (IPL_NAME) from the Makefile.  It will also remove itself
-  from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
-	1. For FreeBSD version:
-		4.*	 do	make freebsd4
-		5.*	 do	make freebsd5
-
-	2. do "make install-bsd"
-	   (probably has to be done as root)
-
-	3.  run "FreeBSD/kinstall" as root
-
-	4. build a new kernel
-
-	5.
-          b) If you are using FreeBSD-3 or later:
-	   create devices for IP Filter as follows (assuming it was
-           installed into the device table as char dev 20):
-	      mknod /dev/ipl c 79 0
-	      mknod /dev/ipnat c 79 1
-	      mknod /dev/ipstate c 79 2
-	      mknod /dev/ipauth c 79 3
-	      mknod /dev/ipsync c 79 4
-	      mknod /dev/ipscan c 79 5
-
-	6. install and reboot with the new kernel
-
-Darren Reed
-darrenr at pobox.com

Deleted: trunk/contrib/ipfilter/INSTALL.xBSD
===================================================================
--- trunk/contrib/ipfilter/INSTALL.xBSD	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/INSTALL.xBSD	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,45 +0,0 @@
-# $MidnightBSD$
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
-	1. do "make bsd"
-
-	2. cd to the "BSD" directory and type "make install"
-
-	3. run "4bsd/minstall" as root
-
-	4. build a new kernel
-
-	5. install and reboot with the new kernel
-
-	6. use modload(8) to load the packet filter with:
-		modload if_ipl.o
-
-	7. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
-  under the name (IPL_NAME) from the Makefile.  It will also remove itself
-  from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
-	1. do "make bsd"
-
-	2. cd to the "BSD" directory and type "make install"
-
-	3. run "4bsd/kinstall" as root
-
-	4. build a new kernel
-
-	5. create devices for IP Filter as follows (assuming it was
-	   installed into the device table as char dev 20):
-		mknod /dev/ipl c 20 0
-		mknod /dev/ipnat c 20 1
-		mknod /dev/ipstate c 20 2
-		mknod /dev/ipauth c 20 3
-
-	6. install and reboot with the new kernel
-
-Darren
-darrenr at pobox.com
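
Review bot: steps 3 in both procedures of this file run `4bsd/minstall` and `4bsd/kinstall`, but the Removed Paths list for this revision contains `BSD/`, `FreeBSD/`, `FreeBSD-2.2/`, `FreeBSD-3/` and `FreeBSD-4.0/` and no `4bsd/` entry. Please check whether a `4bsd/` directory still exists under trunk/contrib/ipfilter; if it does, it is now orphaned install scripting with no instructions and probably belongs in the same cleanup, and if it never existed in this tree, nothing further is needed.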

Deleted: trunk/contrib/ipfilter/IPF.KANJI
===================================================================
--- trunk/contrib/ipfilter/IPF.KANJI	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/IPF.KANJI	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,465 +0,0 @@
-IP filter $B%7%g!<%H%,%$%I(B					Dec, 1999
-
-$B%[!<%`%Z!<%8(B:	http://coombs.anu.edu.au/~avalon/ip-filter.html
-FTP:		ftp://coombs.anu.edu.au/pub/net/ip-filter/
-
-					$B30;3(B $B=c at 8(B <sumio at is.s.u-tokyo.ac.jp>
-					$B;3K\(B $BBY1'(B <ymmt at is.s.u-tokyo.ac.jp>
-
------
-$B$O$8$a$K(B
-
-IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B
-$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B
-
-$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B
-$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B
-	     Solaris/Solaris-x86 2.3 - 8 (early access)
-	     SunOS 4.1.1 - 4.1.4
-	     NetBSD 1.0 - 1.4
-	     FreeBSD 2.0.0 - 2.2.8
-	     BSD/OS-1.1 - 4
-             IRIX 6.2
-$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B
-
-$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B
-$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B
-
-$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B
-ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
-(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B)
-$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit
-driver $B$r:n$C$F$/$@$5$$!#(B
-
------
-$B at _Dj%U%!%$%k$N5-=RJ}K!(B
-
-IP filter$B$N at _Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B
-$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B
-$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B
-
-$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B
-$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B
-$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B
-
-$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B
-	123.45.1.0/24
-$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B
-
-$B$^$?!"(Bgateway $B$O(B
-	123.45.1.111	(hme0)
-$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B
-	123.45.2.10	(hme1)
-$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B
-
-
-===================== $B$3$3$+$i(B ====================
-########## quickly deny malicious packets
-#
-block in quick from any to any with short
-block in log quick from any to any with ipopts
-===================== $B$3$3$^$G(B ====================
-
-$B$^$:$O$3$N%k!<%k$G!"IT at 5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B
-$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B
-
-log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B
-$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B
-$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B
-$B$7$^$$$^$9!#(B
-
-/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B
-ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B
-$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B
-$B$K=q$/$H$h$$$G$7$g$&!#(B
-
-ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
-
-${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B
-$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B
-local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B
-$BNc$($P!"(B
-
-local0.info			ifdef(`LOGHOST', /var/log/syslog, @loghost)
-
-
-quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B
-$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B
-$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B
-
-
-===================== $B$3$3$+$i(B ====================
-########## group setup
-#
-block in on hme1 all head 100
-block out on hme1 all head 150
-pass in quick on hme0 all
-pass out quick on hme0 all
-===================== $B$3$3$^$G(B ====================
-
-$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B
-$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B
-(pass quick)$B$7$F$$$^$9!#(B
-
-all $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B
-
-$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B
-$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B
-$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B
-$B0UL#$G$9!#(B
-
-
-===================== $B$3$3$+$i(B ====================
-########## deny IP spoofing
-#
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from 123.45.2.10/32 to any group 100
-block in log quick from 123.45.1.111/24 to any group 100
-#
-########## deny reserved addresses
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-===================== $B$3$3$^$G(B ====================
-
-IP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N(B 
-group 100 $B$H$$$&$N$O(B head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9(B
-$B$k%k!<%k$H$$$&0UL#$G$9!#(B
-
------
-$B$3$3$^$G$G!"4pK\E*$K(BLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)(B
-$B%k%H$G0l at Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP(B
-$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#(B
-
-$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k at _Dj$r$7$^$9!#(B
-===================== $B$3$3$+$i(B ====================
-########## OUTGOING
-#
-## allow ping out
-#
-pass out quick proto icmp from any to any keep state group 150
-#
-## allow all outgoing UDP packets except for netbios ports (137-139).
-#
-pass out quick proto udp from any to any keep state head 160 group 150
-block out log quick proto udp from any to any port 136 >< 140 group 160
-#
-## pass all TCP connection setup packets except for netbios ports (137-139).
-#
-pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
-block out log quick proto tcp from any to any port 136 >< 140 group 170
-===================== $B$3$3$^$G(B ====================
-
-$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios
-(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows
-$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B
-Windows$B$N at _Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B
-$B62$l$,$"$j$^$9!#(B
-
-$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B
-* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B
-* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B
-* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B
-* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup
-  XXX$B$H$7$F;2>H$G$-$k(B
-* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G at _Dj$7$?(B)
-  group$B$K8BDj$G$-$k!#(B
-
-$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B
-     from any to any port 136 >< 140
-$B$H$$$&$N$O!"(B
-  $B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B
-    $B%"%I%l%9$X$N%Q%1%C%H!W(B
-$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B
-$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B
-$B$?$H$($P(B
-      from any to any port = telnet
-$B$H(B
-      from any to any port = 23
-$B$OF1$80UL#$H$J$j$^$9!#(B
-
-$B$5$F!"$3$3$G(B quick $B$NNc30$r at bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B
-rule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B
-$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G at k8@$5$l$?%0%k!<%W$N%k!<%k!W(B
-$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B
-
-pass out quick proto udp from any to any keep state head 160 group 150
-block out log quick proto udp from any to any port 136 >< 140 group 160
-
-$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B
-$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B
-$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B
-block $B$7$F$$$kLu$G$9!#(B
-$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B
-$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B
-
-----------
-$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N at _Dj$r$7$^$9!#(B
-
-* $B%k!<%F%#%s%0>pJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B
-pass in quick proto udp from any to any port = 520 keep state group 100
-
-* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B
-pass in quick proto icmp from any to any group 100
-
-* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B
-  $B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O(Bpassive mode$B$G$J$$(BFTP$B$N5sF0(B
-  $B$G$9!#(B
-pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
-
-  $B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B
-  1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B
-  $B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B)
-  $B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B
-  $B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B
-  
-* sendmail$B$d(Bftpd$B$K7R$0$H!"Aj<j$,(Bident$B%]!<%H$X%"%/%;%9$7$F$/$k$3(B
-  $B$H$,$"$k$N$G!"(Bident port$B$r3+$1$^$9!#(Bident $B$ODL>o$O5/F0$5$l$F$$(B
-  $B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B
-  $B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B
-  $BAj<jB&$O(B timeout $B$9$k$^$G at h$K?J$^$J$$$N$G!"(BFTP $B$d(B mail $B$NAw?.(B
-  $B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#(B
-  $B$b$7(B 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K(B
-  $BDd;_$9$k$3$H$r4+$a$^$9!#(B
-pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
-
-------
-$B<!$K!"30It$+$i(B firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-(B
-$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV(B
-$B9f$r$D$1$^$9!#(B
-
-===================== $B$3$3$+$i(B ====================
-## grouping by host
-block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
-block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
-===================== $B$3$3$^$G(B ====================
-
-$B$3$l$G!"(B
-	$B30It$+$i(B 123.45.1.X $B$X$N@\B3$O(B group 110
-        $B30It$+$i(B 123.45.1.Y $B$X$N@\B3$O(B group 111
-$B$G;2>H$9$k$3$H$,$G$-$^$9!#(B
-
-$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B
-$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B
-
-$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B
-$B0J9_$G$O!"(Bhead $B$G at k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B
-$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B
-$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B
-$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B
-
-
-X$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B
-$B$H$K$7$^$9!#(B
-
-* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B
-pass in quick proto tcp from any to any port = telnet keep state group 110
-
-* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B
-  ($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B
-pass in quick proto tcp from any to any port = ftp keep state group 110
-pass in quick proto tcp from any to any port = ftp-data keep state group 110
-
-* X$B$X$N(Bssh$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = 22 keep state group 110
-
-* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = ftp keep state group 111
-pass in quick proto tcp from any to any port = ftp-data keep state group 111
-pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
-
-  Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B
-  $B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B
-  $B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N at _Dj$K=q$$$F$*$/I,MW$,$"$j(B
-  $B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B
-  $B at _Dj$7$F$$$^$9!#(B
-
-  passive FTP $B$K$D$$$F2r at b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B
-  $B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B
-  $B$9!#%G%U%)%k%H$G$O>e$G at bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B
-  $B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B
-
-  passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B
-  $B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B
-  $B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B
-
-  $B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B
-  $B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B
-  $B at _Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B
-  $B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess
-  $B$H$$$&%U%!%$%k$K(B
-
-  # passive ports <cidr> <min> <max>
-  passive ports 0.0.0.0/0 3000 3099
-
-  $B$HDI2C$9$k$3$H$G at _Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B
-
-* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = 80 keep state group 111
-
-* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = smtp keep state group 111
-
-* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = 110 keep state group 111
-
-$B0J>e$N at _Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l at Z(B
-$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B
-$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#(B
-
-$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B
-$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B
-
------
-$B$=$NB>$NCm0U(B
-
-1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B
-$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B
-$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a,
-b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B
-$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111
-$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B
-
-($BNc(B)
-#### grouping by host
-block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
-block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
-#### allow NNTP
-pass in quick proto tcp from any to any port = nntp keep state group 112
-pass in quick proto tcp from any to any port = nntp keep state group 113
-
-gateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP
-filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B
-$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B
-
-2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B
-   NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B
-
-3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B
-   $B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding
-   $B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure
-   $B$GHFMQE*$JJ}K!$G$9!#(B
-
-$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B
-$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B
-# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B
-
-# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
-pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-
------
-$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B
-$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C(B
-$B$($^$9!#(B
-
-## log blocked packets
-block in log quick from any to 123.45.1.111/24 group 100
-block in log quick from any to 123.45.2.10 group 100
-
-------
-$B:#Kx$N at _Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#(B
-
-===================== $B$3$3$+$i(B ====================
-########## Packet Filtering Rules for 123.45.1. ##########
-#
-# The following routes should be configured, if not already:
-#
-# route add 123.45.1.111 localhost 0 (hme0)	(LAN)
-# route add 123.45.2.10 localhost 0   (hme1)	(upstream)
-#
-########## quickly deny malicious packets
-#
-block in quick from any to any with short
-block in log quick from any to any with ipopts
-#
-########## group setup
-#
-block in on hme1 all head 100
-block out on hme1 all head 150
-pass in quick on hme0 all
-pass out quick on hme0 all
-#
-########## deny IP spoofing
-#
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from 123.45.2.10/32 to any group 100
-block in log quick from 123.45.1.111/24 to any group 100
-#
-########## deny reserved addresses
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-########## OUTGOING
-#
-## allow ping out
-pass out quick proto icmp from any to any keep state group 150
-#
-## allow all outgoing UDP packets except for netbios ports (137-139).
-#
-pass out quick proto udp from any to any keep state head 160 group 150
-block out log quick proto udp from any to any port 136 >< 140 group 160
-#
-## pass all TCP connection setup packets except for netbios ports (137-139).
-#
-pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
-block out log quick proto tcp from any to any port 136 >< 140 group 170
-#
-######### INCOMING
-## ICMP
-pass in quick proto icmp from any to any group 100
-## RIP
-pass in quick proto udp from any to any port = 520 keep state group 100
-## FTP
-pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
-## IDENT
-pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
-#
-## grouping by host (112 & 113 is the gateway address)
-block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
-block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
-block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
-block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
-#
-## telnet, ftp, ssh, www, smtp, pop
-pass in quick proto tcp from any to any port = telnet keep state group 110
-pass in quick proto tcp from any to any port = ftp keep state group 110
-pass in quick proto tcp from any to any port = ftp-data keep state group 110
-pass in quick proto tcp from any to any port = 22 keep state group 110
-pass in quick proto tcp from any to any port = ftp keep state group 111
-pass in quick proto tcp from any to any port = ftp-data keep state group 111
-pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
-pass in quick proto tcp from any to any port = 80 keep state group 111
-pass in quick proto tcp from any to any port = smtp keep state group 111
-pass in quick proto tcp from any to any port = 110 keep state
-group 111
-#
-## allow NNTP on the gateway
-pass in quick proto tcp from any to any port = nntp keep state group 112
-pass in quick proto tcp from any to any port = nntp keep state group 113
-#
-## X connections
-# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
-pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-#
-## log blocked packets
-## THIS MUST BE THE LAST RULE!
-block in log quick from any to 123.45.1.111/24 group 100
-block in log quick from any to 123.45.2.10 group 100
-===================== $B$3$3$^$G(B ====================
-
-----
-$B$3$NJ8=q$N<h$j07$$$K$D$$$F(B
-Copyright (C) 1999 TOYAMA Sumio <sumio at is.s.u-tokyo.ac.jp>
-                   and YAMAMOTO Hirotaka <ymmt at is.s.u-tokyo.ac.jp>
-
-THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.
-
-Permission to modify this document and to distribute it is hereby
-granted, as long as above notices and copyright notice are retained.
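
Review bot: the body of IPF.KANJI cannot be restored from this notification, so anyone who needs the text back should take it from rev 11860 in the repository rather than from this diff. The Japanese text appears here as raw ISO-2022-JP with the escape bytes stripped (the `$B` ... `(B` runs), and the list archive's address obfuscation has rewritten `@` as " at " inside those runs (for example `$B=c at 8(B`), which corrupts the encoded characters. Separately, if the sample ruleset in this file is reused anywhere, note that in the consolidated listing the POP rule is split across two lines (`... port = 110 keep state` followed by `group 111` on its own line), so it would not load as written, unlike the single-line form given earlier in the same file.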

Deleted: trunk/contrib/ipfilter/WhatsNew40.txt
===================================================================
--- trunk/contrib/ipfilter/WhatsNew40.txt	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/WhatsNew40.txt	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,90 +0,0 @@
-What's new in IPFilter 4.1
-==========================
-(Well, compared to 3.*, anyway)
-In no particular order, except headline alphabetical:
-
-Administration:
-	- Run-time support for modifying ipf table size parameters.
-	- Run-time support for tuning other ipfilter parameters.
-
-Content Scanning:
-	- Simple matching of content for TCP session startup.
-
-Firewall Synchronising:
-	- Master/slave programs available.
-
-General:
-	- All input files allow simple 'marco' definitions and expansion,
-	  including nesting.
-	- Code has been rototilled to make maintenance and enhancements
-	  eaiser for me and you.
-	- More configuration files and binaries.
-	- Takes up more memory.
-	- Probably slower.
-	- Versioned API to support changes in the ABI without breaking
-	  existing binaries (4.0 onward only.)
-	- IP-Filter framework in place for handling multiple different
-	  types of packet matching for firewalling.
-	- IP Id number rewriting available.
-	- Verification of checksums for recognised packet types.
-	- Optionally enable/disable IP forwarding when enabled/disabled.
-
-IPF:
-	- BPF syntax available for matching packets in ipf rules (1).
-	- Can convert IPv4 ipf rules into C code and either:
-	  * load them as an LKM o;
-	  * compile them statically into the kernel (where possible.)
-	- Address pools allow for simpler rules covering large numbers of
-	  addresses/networks (IPv4 only).
-	- Lookup functions available to map an IPv4 address to a group.
-	- Groups can be referenced by multiple heads for subroutine-like use.
-	- NAT/ipf rules can refer to each other via a tag, creating an implied
-	  join that forms part of the packet matching.
-	- Extra packet attributes available for filter rules:
-	  * source address/routing interface mismatch;
-	  * multicast (3);
-	  * broadcast (2,3);
-	  * state lookup partially failed;
-	  * out of the TCP window for a state connection;
-	  * NAT lookup partially failed.
-	- PPS (packets per second) matching available for ipf rules.
-	- Rule collections (cf FreeBSD numbering) supported for ipf rules.
-	- Groups can now be names rather than just numbers
-
-IPV6:
-	- understands extension headers.
-	- can filter on extension headers.
-
-Logging:
-	- ipmon now comes with a configuration file for more advanced logging
-	  behaviour.
-	- Can append arbitrary logging tags with ipf rules for easy matching.
-
-NAT:
-	- "sticky" mapping available to ensure an address translation on
-	  a per-address basis is always the same (while known) for a set
-	  IP address.
-
-Operating System Support:
-	- HP-UX 11 added.
-	- Tru64 5.1a added.
-	- Solaris/HP-UX now use pfil STREAMS module.
-	- Linux 2.4 on the way.
-
-Proxies:
-	- PPTP proxy added.
-	- IRC proxy added.
-	- RPCBIND proxy added.
-	- FTP proxy support for EPSV (IPv4 only.)
-
-Stateful Inspection:
-	- Can insist that all TCP data arrives in order.
-	- Can insist that all fragments pass through in order.
-	- The number of states created per-rule can be set where the total
-	  across all rules may exceed the maximum allowed.
-	- Can elect not to automatically match ICMP error packets.
-	- TCP sequence number rewriting supported.
-
-(1) - Requires libpcap for rule parsing
-(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
-(3) - Not supported on SunOS4
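Review bot: the log message "remove old files" does not say what supersedes this file or which vendor import the removal follows, and the footnotes removed at the end of the hunk carry operational constraints: BPF rule syntax requires libpcap for rule parsing, broadcast packets are seen as multicast on Solaris/HP-UX, and the multicast and broadcast attributes are not supported on SunOS4. Confirm these are still documented in a file that stays in the tree, and name the replacement in the log. Note also that the heading reads "What's new in IPFilter 4.1" while the file is named WhatsNew40.txt, so a reference to the superseding document should state which release it describes.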

Deleted: trunk/contrib/ipfilter/bsdinstall
===================================================================
--- trunk/contrib/ipfilter/bsdinstall	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/bsdinstall	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,88 +0,0 @@
-#! /bin/sh
-#
-#	@(#)install.sh	4.5	(Berkeley)	10/12/83
-#
-cmd=/bin/mv
-strip=""
-chmod="chmod 755"
-if [ "`uname -s`" = "HP-UX" ] ; then
-	chown="chown root"
-	chgrp="chgrp bin"
-else
-	chown="chown -f root"
-	chgrp="chgrp -f bin"
-fi
-while true ; do
-	case $1 in
-		-s )	strip="strip"
-			shift
-			;;
-		-c )	cmd="cp"
-			shift
-			;;
-		-m )	chmod="chmod $2"
-			shift
-			shift
-			;;
-		-o )	chown="chown -f $2"
-			shift
-			shift
-			;;
-		-g )	chgrp="chgrp -f $2"
-			shift
-			shift
-			;;
-		-d )	cmd="mkdir"
-			shift
-			;;
-		* )	break
-			;;
-	esac
-done
-
-if [ ! ${2-""} ]
-then	echo "install: no destination specified"
-	exit 1
-fi
-if [ ${3-""} ]
-then	echo "install: too many files specified -> $*"
-	exit 1
-fi
-if [ $1 = $2 -o $2 = . ]
-then	echo "install: can't move $1 onto itself"
-	exit 1
-fi
-case $cmd in
-/bin/mkdir )
-	file=$2/$1
-	;;
-* )
-	if [ '!' -f $1 ]
-	then	echo "install: can't open $1"
-		exit 1
-	fi
-	if [ -d $2 ]
-	then	file=$2/$1
-	else	file=$2
-	fi
-	/bin/rm -f $file
-	;;
-esac
-
-case $cmd in
-/bin/mkdir )
-	if [ ! -d "$file" ]
-	then	$cmd $file
-	fi
-	;;
-* )
-	$cmd $1 $file
-	if [ $strip ]
-	then	$strip $file
-	fi
-	;;
-esac
-
-$chown $file
-$chgrp $file
-$chmod $file
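Review bot: before this script goes, check that no Makefile remaining under trunk/contrib/ipfilter still invokes bsdinstall, since the log message names no replacement install step. The script itself is no loss. The "-d" option sets cmd="mkdir", but both case statements test for "/bin/mkdir", so the directory branch is never taken and a "-d" call falls through to the "can't open $1" check. In addition, $1, $2 and $file are expanded unquoted in "/bin/rm -f $file", "$cmd $1 $file" and the final chown/chgrp/chmod lines, which is fragile for a script that changes ownership to root.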

Deleted: trunk/contrib/ipfilter/radix.c
===================================================================
--- trunk/contrib/ipfilter/radix.c	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/radix.c	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,1214 +0,0 @@
-/*	$MidnightBSD$	*/
-
-/*
- * Copyright (c) 1988, 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)radix.c	8.6 (Berkeley) 10/17/95
- */
-
-/*
- * Routines to build and maintain radix trees for routing lookups.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define        KERNEL  1
-# define        _KERNEL 1
-#endif
-#define __SYS_ATOMIC_OPS_H__
-#if !defined(__svr4__) && !defined(__SVR4) && !defined(__osf__) && \
-    !defined(__hpux) && !defined(__sgi)
-#include <sys/cdefs.h>
-#endif
-#ifndef __P
-# ifdef __STDC__
-#  define       __P(x)  x
-# else
-#  define       __P(x)  ()
-# endif
-#endif
-#ifdef __osf__
-# define CONST
-# define _IPV6_SWTAB_H
-# define _PROTO_NET_H_
-# define _PROTO_IPV6_H
-# include <sys/malloc.h>
-#endif
-
-#include <sys/param.h>
-#ifdef	_KERNEL
-#include <sys/systm.h>
-#else
-void panic __P((char *str));
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#endif
-#ifdef __hpux
-#include <syslog.h>
-#else
-#include <sys/syslog.h>
-#endif
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#ifdef SOLARIS2
-# define _RADIX_H_
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#ifdef SOLARIS2
-# undef _RADIX_H_
-#endif
-/* END OF INCLUDES */
-#include "radix_ipf.h"
-#ifndef min
-# define	min	MIN
-#endif
-#ifndef max
-# define	max	MAX
-#endif
-
-int	max_keylen = 16;
-static struct radix_mask *rn_mkfreelist;
-static struct radix_node_head *mask_rnhead;
-static char *addmask_key;
-static u_char normal_chars[] = {0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff};
-static char *rn_zeros = NULL, *rn_ones = NULL;
-
-#define rn_masktop (mask_rnhead->rnh_treetop)
-#undef Bcmp
-#define Bcmp(a, b, l) (l == 0 ? 0 : bcmp((caddr_t)(a), (caddr_t)(b), (u_long)l))
-
-static int rn_satisfies_leaf __P((char *, struct radix_node *, int));
-static int rn_lexobetter __P((void *, void *));
-static struct radix_mask *rn_new_radix_mask __P((struct radix_node *,
-    struct radix_mask *));
-static int rn_freenode __P((struct radix_node *, void *));
-#if defined(AIX) && !defined(_KERNEL)
-struct radix_node *rn_match __P((void *, struct radix_node_head *));
-struct radix_node *rn_addmask __P((int, int, void *));
-#define	FreeS(x, y)	KFREES(x, y)
-#define	Bcopy(x, y, z)	bcopy(x, y, z)
-#endif
-
-/*
- * The data structure for the keys is a radix tree with one way
- * branching removed.  The index rn_b at an internal node n represents a bit
- * position to be tested.  The tree is arranged so that all descendants
- * of a node n have keys whose bits all agree up to position rn_b - 1.
- * (We say the index of n is rn_b.)
- *
- * There is at least one descendant which has a one bit at position rn_b,
- * and at least one with a zero there.
- *
- * A route is determined by a pair of key and mask.  We require that the
- * bit-wise logical and of the key and mask to be the key.
- * We define the index of a route to associated with the mask to be
- * the first bit number in the mask where 0 occurs (with bit number 0
- * representing the highest order bit).
- *
- * We say a mask is normal if every bit is 0, past the index of the mask.
- * If a node n has a descendant (k, m) with index(m) == index(n) == rn_b,
- * and m is a normal mask, then the route applies to every descendant of n.
- * If the index(m) < rn_b, this implies the trailing last few bits of k
- * before bit b are all 0, (and hence consequently true of every descendant
- * of n), so the route applies to all descendants of the node as well.
- *
- * Similar logic shows that a non-normal mask m such that
- * index(m) <= index(n) could potentially apply to many children of n.
- * Thus, for each non-host route, we attach its mask to a list at an internal
- * node as high in the tree as we can go.
- *
- * The present version of the code makes use of normal routes in short-
- * circuiting an explicit mask and compare operation when testing whether
- * a key satisfies a normal route, and also in remembering the unique leaf
- * that governs a subtree.
- */
-
-struct radix_node *
-rn_search(v_arg, head)
-	void *v_arg;
-	struct radix_node *head;
-{
-	struct radix_node *x;
-	caddr_t v;
-
-	for (x = head, v = v_arg; x->rn_b >= 0;) {
-		if (x->rn_bmask & v[x->rn_off])
-			x = x->rn_r;
-		else
-			x = x->rn_l;
-	}
-	return (x);
-}
-
-struct radix_node *
-rn_search_m(v_arg, head, m_arg)
-	struct radix_node *head;
-	void *v_arg, *m_arg;
-{
-	struct radix_node *x;
-	caddr_t v = v_arg, m = m_arg;
-
-	for (x = head; x->rn_b >= 0;) {
-		if ((x->rn_bmask & m[x->rn_off]) &&
-		    (x->rn_bmask & v[x->rn_off]))
-			x = x->rn_r;
-		else
-			x = x->rn_l;
-	}
-	return x;
-}
-
-int
-rn_refines(m_arg, n_arg)
-	void *m_arg, *n_arg;
-{
-	caddr_t m = m_arg, n = n_arg;
-	caddr_t lim, lim2 = lim = n + *(u_char *)n;
-	int longer = (*(u_char *)n++) - (int)(*(u_char *)m++);
-	int masks_are_equal = 1;
-
-	if (longer > 0)
-		lim -= longer;
-	while (n < lim) {
-		if (*n & ~(*m))
-			return 0;
-		if (*n++ != *m++)
-			masks_are_equal = 0;
-	}
-	while (n < lim2)
-		if (*n++)
-			return 0;
-	if (masks_are_equal && (longer < 0))
-		for (lim2 = m - longer; m < lim2; )
-			if (*m++)
-				return 1;
-	return (!masks_are_equal);
-}
-
-struct radix_node *
-rn_lookup(v_arg, m_arg, head)
-	void *v_arg, *m_arg;
-	struct radix_node_head *head;
-{
-	struct radix_node *x;
-	caddr_t netmask = 0;
-
-	if (m_arg) {
-		if ((x = rn_addmask(m_arg, 1, head->rnh_treetop->rn_off)) == 0)
-			return (0);
-		netmask = x->rn_key;
-	}
-	x = rn_match(v_arg, head);
-	if (x && netmask) {
-		while (x && x->rn_mask != netmask)
-			x = x->rn_dupedkey;
-	}
-	return x;
-}
-
-static int
-rn_satisfies_leaf(trial, leaf, skip)
-	char *trial;
-	struct radix_node *leaf;
-	int skip;
-{
-	char *cp = trial, *cp2 = leaf->rn_key, *cp3 = leaf->rn_mask;
-	char *cplim;
-	int length = min(*(u_char *)cp, *(u_char *)cp2);
-
-	if (cp3 == 0)
-		cp3 = rn_ones;
-	else
-		length = min(length, *(u_char *)cp3);
-	cplim = cp + length;
-	cp3 += skip;
-	cp2 += skip;
-	for (cp += skip; cp < cplim; cp++, cp2++, cp3++)
-		if ((*cp ^ *cp2) & *cp3)
-			return 0;
-	return 1;
-}
-
-struct radix_node *
-rn_match(v_arg, head)
-	void *v_arg;
-	struct radix_node_head *head;
-{
-	caddr_t v = v_arg;
-	struct radix_node *t = head->rnh_treetop, *x;
-	caddr_t cp = v, cp2;
-	caddr_t cplim;
-	struct radix_node *saved_t, *top = t;
-	int off = t->rn_off, vlen = *(u_char *)cp, matched_off;
-	int test, b, rn_b;
-
-	/*
-	 * Open code rn_search(v, top) to avoid overhead of extra
-	 * subroutine call.
-	 */
-	for (; t->rn_b >= 0; ) {
-		if (t->rn_bmask & cp[t->rn_off])
-			t = t->rn_r;
-		else
-			t = t->rn_l;
-	}
-	/*
-	 * See if we match exactly as a host destination
-	 * or at least learn how many bits match, for normal mask finesse.
-	 *
-	 * It doesn't hurt us to limit how many bytes to check
-	 * to the length of the mask, since if it matches we had a genuine
-	 * match and the leaf we have is the most specific one anyway;
-	 * if it didn't match with a shorter length it would fail
-	 * with a long one.  This wins big for class B&C netmasks which
-	 * are probably the most common case...
-	 */
-	if (t->rn_mask)
-		vlen = *(u_char *)t->rn_mask;
-	cp += off;
-	cp2 = t->rn_key + off;
-	cplim = v + vlen;
-	for (; cp < cplim; cp++, cp2++)
-		if (*cp != *cp2)
-			goto on1;
-	/*
-	 * This extra grot is in case we are explicitly asked
-	 * to look up the default.  Ugh!
-	 */
-	if ((t->rn_flags & RNF_ROOT) && t->rn_dupedkey)
-		t = t->rn_dupedkey;
-	return t;
-on1:
-	test = (*cp ^ *cp2) & 0xff; /* find first bit that differs */
-	for (b = 7; (test >>= 1) > 0;)
-		b--;
-	matched_off = cp - v;
-	b += matched_off << 3;
-	rn_b = -1 - b;
-	/*
-	 * If there is a host route in a duped-key chain, it will be first.
-	 */
-	if ((saved_t = t)->rn_mask == 0)
-		t = t->rn_dupedkey;
-	for (; t; t = t->rn_dupedkey)
-		/*
-		 * Even if we don't match exactly as a host,
-		 * we may match if the leaf we wound up at is
-		 * a route to a net.
-		 */
-		if (t->rn_flags & RNF_NORMAL) {
-			if (rn_b <= t->rn_b)
-				return t;
-		} else if (rn_satisfies_leaf(v, t, matched_off))
-				return t;
-	t = saved_t;
-	/* start searching up the tree */
-	do {
-		struct radix_mask *m;
-		t = t->rn_p;
-		m = t->rn_mklist;
-		if (m) {
-			/*
-			 * If non-contiguous masks ever become important
-			 * we can restore the masking and open coding of
-			 * the search and satisfaction test and put the
-			 * calculation of "off" back before the "do".
-			 */
-			do {
-				if (m->rm_flags & RNF_NORMAL) {
-					if (rn_b <= m->rm_b)
-						return (m->rm_leaf);
-				} else {
-					off = min(t->rn_off, matched_off);
-					x = rn_search_m(v, t, m->rm_mask);
-					while (x && x->rn_mask != m->rm_mask)
-						x = x->rn_dupedkey;
-					if (x && rn_satisfies_leaf(v, x, off))
-						return x;
-				}
-				m = m->rm_mklist;
-			} while (m);
-		}
-	} while (t != top);
-	return 0;
-}
-
-#ifdef RN_DEBUG
-int	rn_nodenum;
-struct	radix_node *rn_clist;
-int	rn_saveinfo;
-int	rn_debug =  1;
-#endif
-
-struct radix_node *
-rn_newpair(v, b, nodes)
-	void *v;
-	int b;
-	struct radix_node nodes[2];
-{
-	struct radix_node *tt = nodes, *t = tt + 1;
-	t->rn_b = b;
-	t->rn_bmask = 0x80 >> (b & 7);
-	t->rn_l = tt;
-	t->rn_off = b >> 3;
-	tt->rn_b = -1;
-	tt->rn_key = (caddr_t)v;
-	tt->rn_p = t;
-	tt->rn_flags = t->rn_flags = RNF_ACTIVE;
-#ifdef RN_DEBUG
-	tt->rn_info = rn_nodenum++;
-	t->rn_info = rn_nodenum++;
-	tt->rn_twin = t;
-	tt->rn_ybro = rn_clist;
-	rn_clist = tt;
-#endif
-	return t;
-}
-
-struct radix_node *
-rn_insert(v_arg, head, dupentry, nodes)
-	void *v_arg;
-	struct radix_node_head *head;
-	int *dupentry;
-	struct radix_node nodes[2];
-{
-	caddr_t v = v_arg;
-	struct radix_node *top = head->rnh_treetop;
-	int head_off = top->rn_off, vlen = (int)*((u_char *)v);
-	struct radix_node *t = rn_search(v_arg, top);
-	caddr_t cp = v + head_off;
-	int b;
-	struct radix_node *tt;
-
-#ifdef	RN_DEBUG
-	if (rn_debug)
-		log(LOG_DEBUG, "rn_insert(%p,%p,%p,%p)\n", v_arg, head, dupentry, nodes);
-#endif
-    	/*
-	 * Find first bit at which v and t->rn_key differ
-	 */
-    {
-	caddr_t cp2 = t->rn_key + head_off;
-	int cmp_res;
-	caddr_t cplim = v + vlen;
-
-	while (cp < cplim)
-		if (*cp2++ != *cp++)
-			goto on1;
-	*dupentry = 1;
-	return t;
-on1:
-	*dupentry = 0;
-	cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
-	for (b = (cp - v) << 3; cmp_res; b--)
-		cmp_res >>= 1;
-    }
-    {
-	struct radix_node *p, *x = top;
-	cp = v;
-	do {
-		p = x;
-		if (cp[x->rn_off] & x->rn_bmask)
-			x = x->rn_r;
-		else
-			x = x->rn_l;
-	} while (b > (unsigned) x->rn_b); /* x->rn_b < b && x->rn_b >= 0 */
-#ifdef RN_DEBUG
-	if (rn_debug)
-		log(LOG_DEBUG, "rn_insert: Going In:\n"); // traverse(p);
-#endif
-	t = rn_newpair(v_arg, b, nodes);
-	tt = t->rn_l;
-	if ((cp[p->rn_off] & p->rn_bmask) == 0)
-		p->rn_l = t;
-	else
-		p->rn_r = t;
-	x->rn_p = t;
-	t->rn_p = p; /* frees x, p as temp vars below */
-	if ((cp[t->rn_off] & t->rn_bmask) == 0) {
-		t->rn_r = x;
-	} else {
-		t->rn_r = tt;
-		t->rn_l = x;
-	}
-#ifdef RN_DEBUG
-	if (rn_debug)
-		log(LOG_DEBUG, "rn_insert: Coming Out:\n"); // traverse(p);
-#endif
-    }
-	return (tt);
-}
-
-struct radix_node *
-rn_addmask(n_arg, search, skip)
-	int search, skip;
-	void *n_arg;
-{
-	caddr_t netmask = (caddr_t)n_arg;
-	struct radix_node *x;
-	caddr_t cp, cplim;
-	int b = 0, mlen, j;
-	int maskduplicated, m0, isnormal;
-	struct radix_node *saved_x;
-	static int last_zeroed = 0;
-
-#ifdef	RN_DEBUG
-	if (rn_debug)
-		log(LOG_DEBUG, "rn_addmask(%p,%d,%d)\n", n_arg, search, skip);
-#endif
-	mlen = *(u_char *)netmask;
-	if ((mlen = *(u_char *)netmask) > max_keylen)
-		mlen = max_keylen;
-	if (skip == 0)
-		skip = 1;
-	if (mlen <= skip)
-		return (mask_rnhead->rnh_nodes);
-	if (skip > 1)
-		Bcopy(rn_ones + 1, addmask_key + 1, skip - 1);
-	if ((m0 = mlen) > skip)
-		Bcopy(netmask + skip, addmask_key + skip, mlen - skip);
-	/*
-	 * Trim trailing zeroes.
-	 */
-	for (cp = addmask_key + mlen; (cp > addmask_key) && cp[-1] == 0;)
-		cp--;
-	mlen = cp - addmask_key;
-	if (mlen <= skip) {
-		if (m0 >= last_zeroed)
-			last_zeroed = mlen;
-		return (mask_rnhead->rnh_nodes);
-	}
-	if (m0 < last_zeroed)
-		Bzero(addmask_key + m0, last_zeroed - m0);
-	*addmask_key = last_zeroed = mlen;
-	x = rn_search(addmask_key, rn_masktop);
-	if (Bcmp(addmask_key, x->rn_key, mlen) != 0)
-		x = 0;
-	if (x || search)
-		return (x);
-	R_Malloc(x, struct radix_node *, max_keylen + 2 * sizeof (*x));
-	if ((saved_x = x) == 0)
-		return (0);
-	Bzero(x, max_keylen + 2 * sizeof (*x));
-	netmask = cp = (caddr_t)(x + 2);
-	Bcopy(addmask_key, cp, mlen);
-	x = rn_insert(cp, mask_rnhead, &maskduplicated, x);
-	if (maskduplicated) {
-#if 0
-		log(LOG_ERR, "rn_addmask: mask impossibly already in tree\n");
-#endif
-		Free(saved_x);
-		return (x);
-	}
-	/*
-	 * Calculate index of mask, and check for normalcy.
-	 */
-	cplim = netmask + mlen;
-	isnormal = 1;
-	for (cp = netmask + skip; (cp < cplim) && *(u_char *)cp == 0xff;)
-		cp++;
-	if (cp != cplim) {
-		for (j = 0x80; (j & *cp) != 0; j >>= 1)
-			b++;
-		if (*cp != normal_chars[b] || cp != (cplim - 1))
-			isnormal = 0;
-	}
-	b += (cp - netmask) << 3;
-	x->rn_b = -1 - b;
-	if (isnormal)
-		x->rn_flags |= RNF_NORMAL;
-	return (x);
-}
-
-static int	/* XXX: arbitrary ordering for non-contiguous masks */
-rn_lexobetter(m_arg, n_arg)
-	void *m_arg, *n_arg;
-{
-	u_char *mp = m_arg, *np = n_arg, *lim;
-
-	if (*mp > *np)
-		return 1;  /* not really, but need to check longer one first */
-	if (*mp == *np)
-		for (lim = mp + *mp; mp < lim;)
-			if (*mp++ > *np++)
-				return 1;
-	return 0;
-}
-
-static struct radix_mask *
-rn_new_radix_mask(tt, next)
-	struct radix_node *tt;
-	struct radix_mask *next;
-{
-	struct radix_mask *m;
-
-	MKGet(m);
-	if (m == 0) {
-#if 0
-		log(LOG_ERR, "Mask for route not entered\n");
-#endif
-		return (0);
-	}
-	Bzero(m, sizeof *m);
-	m->rm_b = tt->rn_b;
-	m->rm_flags = tt->rn_flags;
-	if (tt->rn_flags & RNF_NORMAL)
-		m->rm_leaf = tt;
-	else
-		m->rm_mask = tt->rn_mask;
-	m->rm_mklist = next;
-	tt->rn_mklist = m;
-	return m;
-}
-
-struct radix_node *
-rn_addroute(v_arg, n_arg, head, treenodes)
-	void *v_arg, *n_arg;
-	struct radix_node_head *head;
-	struct radix_node treenodes[2];
-{
-	caddr_t v = (caddr_t)v_arg, netmask = (caddr_t)n_arg;
-	struct radix_node *t, *x = NULL, *tt;
-	struct radix_node *saved_tt, *top = head->rnh_treetop;
-	short b = 0, b_leaf = 0;
-	int keyduplicated;
-	caddr_t mmask;
-	struct radix_mask *m, **mp;
-
-#ifdef	RN_DEBUG
-	if (rn_debug)
-		log(LOG_DEBUG, "rn_addroute(%p,%p,%p,%p)\n", v_arg, n_arg, head, treenodes);
-#endif
-	/*
-	 * In dealing with non-contiguous masks, there may be
-	 * many different routes which have the same mask.
-	 * We will find it useful to have a unique pointer to
-	 * the mask to speed avoiding duplicate references at
-	 * nodes and possibly save time in calculating indices.
-	 */
-	if (netmask) {
-		if ((x = rn_addmask(netmask, 0, top->rn_off)) == 0)
-			return (0);
-		b_leaf = x->rn_b;
-		b = -1 - x->rn_b;
-		netmask = x->rn_key;
-	}
-	/*
-	 * Deal with duplicated keys: attach node to previous instance
-	 */
-	saved_tt = tt = rn_insert(v, head, &keyduplicated, treenodes);
-	if (keyduplicated) {
-		for (t = tt; tt; t = tt, tt = tt->rn_dupedkey) {
-			if (tt->rn_mask == netmask)
-				return (0);
-			if (netmask == 0 ||
-			    (tt->rn_mask &&
-			     ((b_leaf < tt->rn_b) || /* index(netmask) > node */
-			       rn_refines(netmask, tt->rn_mask) ||
-			       rn_lexobetter(netmask, tt->rn_mask))))
-				break;
-		}
-		/*
-		 * If the mask is not duplicated, we wouldn't
-		 * find it among possible duplicate key entries
-		 * anyway, so the above test doesn't hurt.
-		 *
-		 * We sort the masks for a duplicated key the same way as
-		 * in a masklist -- most specific to least specific.
-		 * This may require the unfortunate nuisance of relocating
-		 * the head of the list.
-		 *
-		 * We also reverse, or doubly link the list through the
-		 * parent pointer.
-		 */
-		if (tt == saved_tt) {
-			struct	radix_node *xx = x;
-			/* link in at head of list */
-			(tt = treenodes)->rn_dupedkey = t;
-			tt->rn_flags = t->rn_flags;
-			tt->rn_p = x = t->rn_p;
-			t->rn_p = tt;
-			if (x->rn_l == t)
-				x->rn_l = tt;
-			else
-				x->rn_r = tt;
-			saved_tt = tt;
-			x = xx;
-		} else {
-			(tt = treenodes)->rn_dupedkey = t->rn_dupedkey;
-			t->rn_dupedkey = tt;
-			tt->rn_p = t;
-			if (tt->rn_dupedkey)
-				tt->rn_dupedkey->rn_p = tt;
-		}
-#ifdef RN_DEBUG
-		t=tt+1;
-		tt->rn_info = rn_nodenum++;
-		t->rn_info = rn_nodenum++;
-		tt->rn_twin = t;
-		tt->rn_ybro = rn_clist;
-		rn_clist = tt;
-#endif
-		tt->rn_key = (caddr_t) v;
-		tt->rn_b = -1;
-		tt->rn_flags = RNF_ACTIVE;
-	}
-	/*
-	 * Put mask in tree.
-	 */
-	if (netmask) {
-		tt->rn_mask = netmask;
-		tt->rn_b = x->rn_b;
-		tt->rn_flags |= x->rn_flags & RNF_NORMAL;
-	}
-	t = saved_tt->rn_p;
-	if (keyduplicated)
-		goto on2;
-	b_leaf = -1 - t->rn_b;
-	if (t->rn_r == saved_tt)
-		x = t->rn_l;
-	else
-		x = t->rn_r;
-	/* Promote general routes from below */
-	if (x->rn_b < 0) {
-	    for (mp = &t->rn_mklist; x; x = x->rn_dupedkey)
-		if (x->rn_mask && (x->rn_b >= b_leaf) && x->rn_mklist == 0) {
-			*mp = m = rn_new_radix_mask(x, 0);
-			if (m)
-				mp = &m->rm_mklist;
-		}
-	} else if (x->rn_mklist) {
-		/*
-		 * Skip over masks whose index is > that of new node
-		 */
-		for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist)
-			if (m->rm_b >= b_leaf)
-				break;
-		t->rn_mklist = m;
-		*mp = 0;
-	}
-on2:
-	/* Add new route to highest possible ancestor's list */
-	if ((netmask == 0) || (b > t->rn_b ))
-		return tt; /* can't lift at all */
-	b_leaf = tt->rn_b;
-	do {
-		x = t;
-		t = t->rn_p;
-	} while (b <= t->rn_b && x != top);
-	/*
-	 * Search through routes associated with node to
-	 * insert new route according to index.
-	 * Need same criteria as when sorting dupedkeys to avoid
-	 * double loop on deletion.
-	 */
-	for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist) {
-		if (m->rm_b < b_leaf)
-			continue;
-		if (m->rm_b > b_leaf)
-			break;
-		if (m->rm_flags & RNF_NORMAL) {
-			mmask = m->rm_leaf->rn_mask;
-			if (tt->rn_flags & RNF_NORMAL) {
-#if 0
-				log(LOG_ERR, "Non-unique normal route,"
-				    " mask not entered\n");
-#endif
-				return tt;
-			}
-		} else
-			mmask = m->rm_mask;
-		if (mmask == netmask) {
-			m->rm_refs++;
-			tt->rn_mklist = m;
-			return tt;
-		}
-		if (rn_refines(netmask, mmask)
-		    || rn_lexobetter(netmask, mmask))
-			break;
-	}
-	*mp = rn_new_radix_mask(tt, *mp);
-	return tt;
-}
-
-struct radix_node *
-rn_delete(v_arg, netmask_arg, head)
-	void *v_arg, *netmask_arg;
-	struct radix_node_head *head;
-{
-	struct radix_node *t, *p, *x, *tt;
-	struct radix_mask *m, *saved_m, **mp;
-	struct radix_node *dupedkey, *saved_tt, *top;
-	caddr_t v, netmask;
-	int b, head_off, vlen;
-
-	v = v_arg;
-	netmask = netmask_arg;
-	x = head->rnh_treetop;
-	tt = rn_search(v, x);
-	head_off = x->rn_off;
-	vlen =  *(u_char *)v;
-	saved_tt = tt;
-	top = x;
-	if (tt == 0 ||
-	    Bcmp(v + head_off, tt->rn_key + head_off, vlen - head_off))
-		return (0);
-	/*
-	 * Delete our route from mask lists.
-	 */
-	if (netmask) {
-		if ((x = rn_addmask(netmask, 1, head_off)) == 0)
-			return (0);
-		netmask = x->rn_key;
-		while (tt->rn_mask != netmask)
-			if ((tt = tt->rn_dupedkey) == 0)
-				return (0);
-	}
-	if (tt->rn_mask == 0 || (saved_m = m = tt->rn_mklist) == 0)
-		goto on1;
-	if (tt->rn_flags & RNF_NORMAL) {
-		if (m->rm_leaf != tt || m->rm_refs > 0) {
-#if 0
-			log(LOG_ERR, "rn_delete: inconsistent annotation\n");
-#endif
-			return 0;  /* dangling ref could cause disaster */
-		}
-	} else {
-		if (m->rm_mask != tt->rn_mask) {
-#if 0
-			log(LOG_ERR, "rn_delete: inconsistent annotation\n");
-#endif
-			goto on1;
-		}
-		if (--m->rm_refs >= 0)
-			goto on1;
-	}
-	b = -1 - tt->rn_b;
-	t = saved_tt->rn_p;
-	if (b > t->rn_b)
-		goto on1; /* Wasn't lifted at all */
-	do {
-		x = t;
-		t = t->rn_p;
-	} while (b <= t->rn_b && x != top);
-	for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist)
-		if (m == saved_m) {
-			*mp = m->rm_mklist;
-			MKFree(m);
-			break;
-		}
-	if (m == 0) {
-#if 0
-		log(LOG_ERR, "rn_delete: couldn't find our annotation\n");
-#endif
-		if (tt->rn_flags & RNF_NORMAL)
-			return (0); /* Dangling ref to us */
-	}
-on1:
-	/*
-	 * Eliminate us from tree
-	 */
-	if (tt->rn_flags & RNF_ROOT)
-		return (0);
-#ifdef RN_DEBUG
-	/* Get us out of the creation list */
-	for (t = rn_clist; t && t->rn_ybro != tt; t = t->rn_ybro)
-		;
-	if (t) t->rn_ybro = tt->rn_ybro;
-#endif
-	t = tt->rn_p;
-	dupedkey = saved_tt->rn_dupedkey;
-	if (dupedkey) {
-		/*
-		 * Here, tt is the deletion target and
-		 * saved_tt is the head of the dupedkey chain.
-		 */
-		if (tt == saved_tt) {
-			x = dupedkey;
-			x->rn_p = t;
-			if (t->rn_l == tt)
-				t->rn_l = x;
-			else
-				t->rn_r = x;
-		} else {
-			/* find node in front of tt on the chain */
-			for (x = p = saved_tt; p && p->rn_dupedkey != tt;)
-				p = p->rn_dupedkey;
-			if (p) {
-				p->rn_dupedkey = tt->rn_dupedkey;
-				if (tt->rn_dupedkey)
-					tt->rn_dupedkey->rn_p = p;
-			}
-#if 0
-			else
-				log(LOG_ERR, "rn_delete: couldn't find us\n");
-#endif
-		}
-		t = tt + 1;
-		if  (t->rn_flags & RNF_ACTIVE) {
-#ifndef RN_DEBUG
-			*++x = *t;
-			p = t->rn_p;
-#else
-			b = t->rn_info;
-			*++x = *t;
-			t->rn_info = b;
-			p = t->rn_p;
-#endif
-			if (p->rn_l == t)
-				p->rn_l = x;
-			else
-				p->rn_r = x;
-			x->rn_l->rn_p = x;
-			x->rn_r->rn_p = x;
-		}
-		goto out;
-	}
-	if (t->rn_l == tt)
-		x = t->rn_r;
-	else
-		x = t->rn_l;
-	p = t->rn_p;
-	if (p->rn_r == t)
-		p->rn_r = x;
-	else
-		p->rn_l = x;
-	x->rn_p = p;
-	/*
-	 * Demote routes attached to us.
-	 */
-	if (t->rn_mklist) {
-		if (x->rn_b >= 0) {
-			for (mp = &x->rn_mklist; (m = *mp) != NULL;)
-				mp = &m->rm_mklist;
-			*mp = t->rn_mklist;
-		} else {
-			/* If there are any key,mask pairs in a sibling
-			   duped-key chain, some subset will appear sorted
-			   in the same order attached to our mklist */
-			for (m = t->rn_mklist; m && x; x = x->rn_dupedkey)
-				if (m == x->rn_mklist) {
-					struct radix_mask *mm = m->rm_mklist;
-					x->rn_mklist = 0;
-					if (--(m->rm_refs) < 0)
-						MKFree(m);
-					m = mm;
-				}
-#if 0
-			if (m)
-				log(LOG_ERR, "%s %p at %p\n",
-				    "rn_delete: Orphaned Mask", m, x);
-#endif
-		}
-	}
-	/*
-	 * We may be holding an active internal node in the tree.
-	 */
-	x = tt + 1;
-	if (t != x) {
-#ifndef RN_DEBUG
-		*t = *x;
-#else
-		b = t->rn_info;
-		*t = *x;
-		t->rn_info = b;
-#endif
-		t->rn_l->rn_p = t;
-		t->rn_r->rn_p = t;
-		p = x->rn_p;
-		if (p->rn_l == x)
-			p->rn_l = t;
-		else
-			p->rn_r = t;
-	}
-out:
-	tt->rn_flags &= ~RNF_ACTIVE;
-	tt[1].rn_flags &= ~RNF_ACTIVE;
-	return (tt);
-}
-
-int
-rn_walktree(h, f, w)
-	struct radix_node_head *h;
-	int (*f) __P((struct radix_node *, void *));
-	void *w;
-{
-	int error;
-	struct radix_node *base, *next;
-	struct radix_node *rn = h->rnh_treetop;
-	/*
-	 * This gets complicated because we may delete the node
-	 * while applying the function f to it, so we need to calculate
-	 * the successor node in advance.
-	 */
-	/* First time through node, go left */
-	while (rn->rn_b >= 0)
-		rn = rn->rn_l;
-	for (;;) {
-		base = rn;
-		/* If at right child go back up, otherwise, go right */
-		while (rn->rn_p->rn_r == rn && (rn->rn_flags & RNF_ROOT) == 0)
-			rn = rn->rn_p;
-		/* Find the next *leaf* since next node might vanish, too */
-		for (rn = rn->rn_p->rn_r; rn->rn_b >= 0;)
-			rn = rn->rn_l;
-		next = rn;
-		/* Process leaves */
-		while ((rn = base) != NULL) {
-			base = rn->rn_dupedkey;
-			if (!(rn->rn_flags & RNF_ROOT)
-			    && (error = (*f)(rn, w)))
-				return (error);
-		}
-		rn = next;
-		if (rn->rn_flags & RNF_ROOT)
-			return (0);
-	}
-	/* NOTREACHED */
-}
-
-int
-rn_inithead(head, off)
-	void **head;
-	int off;
-{
-	struct radix_node_head *rnh;
-
-	if (*head)
-		return (1);
-	R_Malloc(rnh, struct radix_node_head *, sizeof (*rnh));
-	if (rnh == 0)
-		return (0);
-	*head = rnh;
-	return rn_inithead0(rnh, off);
-}
-
-int
-rn_inithead0(rnh, off)
-	struct radix_node_head *rnh;
-	int off;
-{
-	struct radix_node *t, *tt, *ttt;
-
-	Bzero(rnh, sizeof (*rnh));
-	t = rn_newpair(rn_zeros, off, rnh->rnh_nodes);
-	ttt = rnh->rnh_nodes + 2;
-	t->rn_r = ttt;
-	t->rn_p = t;
-	tt = t->rn_l;
-	tt->rn_flags = t->rn_flags = RNF_ROOT | RNF_ACTIVE;
-	tt->rn_b = -1 - off;
-	*ttt = *tt;
-	ttt->rn_key = rn_ones;
-	rnh->rnh_addaddr = rn_addroute;
-	rnh->rnh_deladdr = rn_delete;
-	rnh->rnh_matchaddr = rn_match;
-	rnh->rnh_lookup = rn_lookup;
-	rnh->rnh_walktree = rn_walktree;
-	rnh->rnh_treetop = t;
-	return (1);
-}
-
-void
-rn_init()
-{
-	char *cp, *cplim;
-
-	if (max_keylen == 0) {
-#if 0
-		log(LOG_ERR,
-		    "rn_init: radix functions require max_keylen be set\n");
-#endif
-		return;
-	}
-	if (rn_zeros == NULL) {
-		R_Malloc(rn_zeros, char *, 3 * max_keylen);
-	}
-	if (rn_zeros == NULL)
-		panic("rn_init");
-	Bzero(rn_zeros, 3 * max_keylen);
-	rn_ones = cp = rn_zeros + max_keylen;
-	addmask_key = cplim = rn_ones + max_keylen;
-	while (cp < cplim)
-		*cp++ = -1;
-	if (rn_inithead((void *)&mask_rnhead, 0) == 0)
-		panic("rn_init 2");
-}
-
-
-static int
-rn_freenode(struct radix_node *n, void *p)
-{
-	struct radix_node_head *rnh = p;
-	struct radix_node *d;
-
-	d = rnh->rnh_deladdr(n->rn_key, NULL, rnh);
-	if (d != NULL) {
-		FreeS(d, max_keylen + 2 * sizeof (*d));
-	}
-	return 0;
-}
-
-
-void
-rn_freehead(rnh)
-      struct radix_node_head *rnh;
-{
-
-	(void)rn_walktree(rnh, rn_freenode, rnh);
-
-	rnh->rnh_addaddr = NULL;
-	rnh->rnh_deladdr = NULL;
-	rnh->rnh_matchaddr = NULL;
-	rnh->rnh_lookup = NULL;
-	rnh->rnh_walktree = NULL;
-
-	Free(rnh);
-}
-
-
-void
-rn_fini()
-{
-	struct radix_mask *m;
-
-	if (rn_zeros != NULL) {
-		FreeS(rn_zeros, 3 * max_keylen);
-		rn_zeros = NULL;
-	}
-
-	if (mask_rnhead != NULL) {
-		rn_freehead(mask_rnhead);
-		mask_rnhead = NULL;
-	}
-
-	while ((m = rn_mkfreelist) != NULL) {
-		rn_mkfreelist = m->rm_mklist;
-		KFREE(m);
-	}
-}
-
-
-#ifdef	USE_MAIN
-
-typedef struct myst {
-	addrfamily_t	dst;
-	addrfamily_t	mask;
-	struct radix_node nodes[2];
-} myst_t;
-
-int
-main(int argc, char *argv[])
-{
-	struct radix_node_head *rnh;
-	struct radix_node *rn;
-	addrfamily_t af, mf;
-	myst_t st1, st2, *stp;
-
-	memset(&st1, 0, sizeof(st1));
-	memset(&st2, 0, sizeof(st2));
-	memset(&af, 0, sizeof(af));
-
-	rn_init();
-
-	rnh = NULL;
-	rn_inithead(&rnh, offsetof(addrfamily_t, adf_addr) << 3);
-
-	st1.dst.adf_len = sizeof(st1);
-	st1.mask.adf_len = sizeof(st1);
-	st1.dst.adf_addr.in4.s_addr = inet_addr("127.0.0.0");
-	st1.mask.adf_addr.in4.s_addr = inet_addr("255.0.0.0");
-	rn = rnh->rnh_addaddr(&st1.dst, &st1.mask, rnh, st1.nodes);
-	printf("add.1 %p\n", rn);
-
-	st2.dst.adf_len = sizeof(st2);
-	st2.mask.adf_len = sizeof(st2);
-	st2.dst.adf_addr.in4.s_addr = inet_addr("127.0.1.0");
-	st2.mask.adf_addr.in4.s_addr = inet_addr("255.255.255.0");
-	rn = rnh->rnh_addaddr(&st2.dst, &st2.mask, rnh, st2.nodes);
-	printf("add.2 %p\n", rn);
-
-	af.adf_len = sizeof(af);
-	af.adf_addr.in4.s_addr = inet_addr("127.0.1.0");
-	rn = rnh->rnh_matchaddr(&af, rnh);
-	if (rn != NULL) {
-		printf("1.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
-		stp = rn->rn_key;
-		printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
-		stp = rn->rn_mask;
-		printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
-	}
-
-	mf.adf_len = sizeof(mf);
-	mf.adf_addr.in4.s_addr = inet_addr("255.255.255.0");
-	rn = rnh->rnh_lookup(&af, &mf, rnh);
-	if (rn != NULL) {
-		printf("2.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
-		stp = rn->rn_key;
-		printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
-		stp = rn->rn_mask;
-		printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
-	}
-
-	af.adf_len = sizeof(af);
-	af.adf_addr.in4.s_addr = inet_addr("126.0.0.1");
-	rn = rnh->rnh_matchaddr(&af, rnh);
-	if (rn != NULL) {
-		printf("3.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
-		stp = rn->rn_key;
-		printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
-		stp = rn->rn_mask;
-		printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
-	}
-
-	return 0;
-}
-
-
-void
-log(int level, char *format, ...)
-{
-	va_list ap;
-
-	va_start(ap, format);
-	vfprintf(stderr, format, ap);
-	va_end(ap);
-}
-#endif
-
-
-#ifndef	_KERNEL
-void
-panic(char *str)
-{
-	fputs(str, stderr);
-	abort();
-}
-#endif
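Review bot: the log message "remove old files" does not say what supersedes radix.c, and the tail removed here takes out rn_init(), rn_freehead(), rn_fini() and the non-_KERNEL panic() fallback, so the commit should confirm that nothing left in the tree still calls or links against those symbols and should name the replacement in the log. If any of this code is carried forward elsewhere, note that rn_init() returns silently when max_keylen is 0 (the log() call is under #if 0), leaving rn_zeros NULL with no indication to the caller that initialization did not happen.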

Deleted: trunk/contrib/ipfilter/todo
===================================================================
--- trunk/contrib/ipfilter/todo	2018-07-13 13:29:37 UTC (rev 11860)
+++ trunk/contrib/ipfilter/todo	2018-07-13 13:33:01 UTC (rev 11861)
@@ -1,98 +0,0 @@
-BUGS:
------
-* fix "to <ifname>" bug on FreeBSD 2.2.8
-fastroute works
-
-===============================================================================
-GENERAL:
---------
-
-* support redirection like "rdr tun0 0/32 port 80 ..."
-
-* use fr_tcpstate() with NAT code for increased NAT usage security or even
-  fr_checkstate() - suspect this is not possible.
-
-* add another alias for <thishost> for interfaces <thisif>? as well as
-  all IP#'s associated with the box <myaddrs>?
-
-time permitting:
-
-* load balancing across interfaces
-
-* record buffering for TCP/UDP
-
-* modular application proxying
--done
-
-* allow multiple ip addresses in a source route list for ipsend
-
-* port IP Filter to Linux
-Not in this century.
-
-* document bimap
-
-* document NAT rule order processing
-
-* add more docs
-in progress
-
-3.4:
-XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
-traffic priorization) should be *TOP* in the TO DO list.
-
-* Bandwidth limiting!!!
-maybe for solaris, otherwise "ALTQ"
-* More examples
-* More documentation
-* Load balancing features added to the NAT code, so that I can have
-something coming in for 20.20.20.20:80 and it gets shuffled around between
-internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
-- done, stage 1 (round robin/split)
-The one thing that Cisco's PIX has on IPF that I can see is that
-rewrites the sequence numbers with semi-random ones.
-- done
-
-I would also love to see a more extensive NAT.  It can choose to do
-rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
-module already have functionality for that and it just needs support in
-the userland ipnat?)
--sort of done
-
-        * intrusion detection 
-                detection of port scans 
-                detection of multiple connection attempts
-                
-        * support for multiple log files
-                i.e. all connections to ftp and telnet logged to 
-                        a seperate log file
-
-        * multiple levels of log severity with E-mail notification
-                of intrusion alerts or other high priority errors
-
-        * poison pill facility
-                after detection of a port scan, start sending back
-                large packets of garbage or other packets to
-                otherwise confuse the intruder (ping of death?)
-
-IPv6:
------
-* NAT is yet not available, either as a null proxy or address translation
-
-BSD:
-* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
-
-Solaris:
-* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
-
-Tru64:
-------
-* IPv6 checksum calculation for RST's and ICMP packets is not done (there
-  are routines in the Tru64 kernel to do this but what is the interface?)
-
-does bimap allow equal sized subnets?
-
-make return-icmp 'intelligent' if no type is given about what type to use?
-
-reply-to - enforce packets to pass through interfaces in particular
-combinations - opposite to "to", set reverse path interface
-
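Review bot: the removed todo file mixes wish-list items with statements of current limitations, for example under "IPv6:" (NAT not available) and under "BSD:" ("to <if>" and "to <if>:<ip>" not supported), and the log message gives no indication whether these are obsolete or documented elsewhere. If they still apply to the ipfilter sources that stay in the tree, keep them in a retained document, since they describe rule syntax that will not behave as an operator writing a ruleset might expect; otherwise say in the log message that the file is stale.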


