authorDarren Reed <darrenr@FreeBSD.org>1997-05-25 15:45:04 +0000
committerDarren Reed <darrenr@FreeBSD.org>1997-05-25 15:45:04 +0000
commit0eab801c99f78937c9e75115eda47053a94bd5c5 (patch)
treef9876809ef0dd75bd4671d4afb7d3488f1972a5f
parent5a1a935563263ad6eabdbbfadd6aca9b6585c704 (diff)
downloadsrc-0eab801c99f78937c9e75115eda47053a94bd5c5.tar.gz
src-0eab801c99f78937c9e75115eda47053a94bd5c5.zip
Import version 3.2alpha7
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=26119
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/files.diffs18
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs16
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs4
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs10
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs16
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/kinstall61
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/unkinstall55
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/unminstall4
-rw-r--r--contrib/ipfilter/HISTORY54
-rw-r--r--contrib/ipfilter/INST.FreeBSD-2.219
-rw-r--r--contrib/ipfilter/INSTALL.FreeBSD4
-rw-r--r--contrib/ipfilter/INSTALL.NetBSD4
-rw-r--r--contrib/ipfilter/Makefile63
-rwxr-xr-xcontrib/ipfilter/buildsunos4
-rw-r--r--contrib/ipfilter/fil.c205
-rw-r--r--contrib/ipfilter/fils.c21
-rw-r--r--contrib/ipfilter/inet_addr.c6
-rw-r--r--contrib/ipfilter/ip_compat.h32
-rw-r--r--contrib/ipfilter/ip_fil.c110
-rw-r--r--contrib/ipfilter/ip_fil.h91
-rw-r--r--contrib/ipfilter/ip_frag.c223
-rw-r--r--contrib/ipfilter/ip_frag.h11
-rw-r--r--contrib/ipfilter/ip_nat.c321
-rw-r--r--contrib/ipfilter/ip_nat.h50
-rw-r--r--contrib/ipfilter/ip_sfil.c58
-rw-r--r--contrib/ipfilter/ip_state.c56
-rw-r--r--contrib/ipfilter/ip_state.h19
-rw-r--r--contrib/ipfilter/ipf.c9
-rw-r--r--contrib/ipfilter/ipf.h14
-rw-r--r--contrib/ipfilter/ipft_ef.c4
-rw-r--r--contrib/ipfilter/ipft_hx.c4
-rw-r--r--contrib/ipfilter/ipft_pc.c3
-rw-r--r--contrib/ipfilter/ipft_sn.c4
-rw-r--r--contrib/ipfilter/ipft_td.c4
-rw-r--r--contrib/ipfilter/ipft_tx.c3
-rw-r--r--contrib/ipfilter/ipl.h6
-rw-r--r--contrib/ipfilter/ipmon.c21
-rw-r--r--contrib/ipfilter/ipnat.c117
-rw-r--r--contrib/ipfilter/ipsend/Makefile3
-rw-r--r--contrib/ipfilter/ipsend/arp.c5
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c2
-rw-r--r--contrib/ipfilter/ipsend/iptest.c3
-rw-r--r--contrib/ipfilter/ipsend/iptests.c3
-rw-r--r--contrib/ipfilter/ipt.c11
-rw-r--r--contrib/ipfilter/ipt.h9
-rw-r--r--contrib/ipfilter/kmem.h8
-rw-r--r--contrib/ipfilter/linux.h4
-rw-r--r--contrib/ipfilter/man/ipf.12
-rw-r--r--contrib/ipfilter/man/ipf.57
-rw-r--r--contrib/ipfilter/man/ipfilter.52
-rw-r--r--contrib/ipfilter/man/mkfilters.113
-rw-r--r--contrib/ipfilter/misc.c3
-rw-r--r--contrib/ipfilter/mln_ipl.c135
-rw-r--r--contrib/ipfilter/parse.c22
-rw-r--r--contrib/ipfilter/pcap.h4
-rwxr-xr-xcontrib/ipfilter/rules/ftppxy6
-rw-r--r--contrib/ipfilter/snoop.h9
-rw-r--r--contrib/ipfilter/solaris.c16
-rw-r--r--contrib/ipfilter/test/Makefile4
-rw-r--r--contrib/ipfilter/test/expected/1440
-rw-r--r--contrib/ipfilter/test/expected/i12
-rw-r--r--contrib/ipfilter/test/input/145
-rw-r--r--contrib/ipfilter/test/regress/148
-rw-r--r--contrib/ipfilter/test/regress/i12
-rw-r--r--contrib/ipfilter/todo19
65 files changed, 1522 insertions, 549 deletions
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.diffs b/contrib/ipfilter/FreeBSD-2.2/files.diffs
new file mode 100644
index 000000000000..8bd40ac74609
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/files.diffs
@@ -0,0 +1,18 @@
+*** /sys/conf/files.orig Sat May 24 14:05:28 1997
+--- /sys/conf/files Sat May 24 14:06:44 1997
+***************
+*** 217,222 ****
+--- 217,228 ----
+ netinet/tcp_timer.c optional inet
+ netinet/tcp_usrreq.c optional inet
+ netinet/udp_usrreq.c optional inet
++ netinet/ip_fil.c optional ipfilter inet
++ netinet/fil.c optional ipfilter inet
++ netinet/ip_nat.c optional ipfilter inet
++ netinet/ip_frag.c optional ipfilter inet
++ netinet/ip_state.c optional ipfilter inet
++ netinet/ip_proxy.c optional ipfilter inet
++ netinet/mlf_ipl.c optional ipfilter inet
+ netipx/ipx.c optional ipx
+ netipx/ipx_cksum.c optional ipx
+ netipx/ipx_error.c optional ipx
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
new file mode 100644
index 000000000000..784ef5d80a7f
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
@@ -0,0 +1,16 @@
+*** files.newconf.orig Sun Jun 25 02:17:29 1995
+--- files.newconf Sun Jun 25 02:19:10 1995
+***************
+*** 161,166 ****
+--- 161,171 ----
+ file netinet/ip_input.c inet
+ file netinet/ip_mroute.c inet
+ file netinet/ip_output.c inet
++ file netinet/ip_fil.c ipfilter
++ file netinet/fil.c ipfilter
++ file netinet/ip_nat.c ipfilter
++ file netinet/ip_frag.c ipfilter
++ file netinet/ip_state.c ipfilter
+ file netinet/raw_ip.c inet
+ file netinet/tcp_debug.c inet
+ file netinet/tcp_input.c inet
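Review bot: The file list added here stops at ip_state.c, while files.diffs in this same commit also registers netinet/ip_proxy.c and netinet/mlf_ipl.c, and fil.c now includes netinet/ip_proxy.h; a kernel configured through files.newconf would presumably fail to link, or be built without the proxy and the FreeBSD glue, unless those two sources are picked up somewhere not visible here. The 1995 timestamps in the patch header suggest this file predates the proxy code. Either add `file netinet/ip_proxy.c ipfilter` and `file netinet/mlf_ipl.c ipfilter` to match files.diffs, or add a header comment stating which kernel generation this patch is meant for and why it omits them.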
diff --git a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
index dfebbe8f9472..c2822d3ff9d3 100644
--- a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
+++ b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
@@ -1,5 +1,5 @@
-*** in_proto.c.orig Wed Apr 2 19:50:00 1997
---- in_proto.c Wed Apr 2 19:51:21 1997
+*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
+--- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
***************
*** 89,94 ****
--- 89,99 ----
diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
index 1339e012512e..c2b2b15301ce 100644
--- a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
+++ b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
@@ -1,5 +1,5 @@
-*** ip_input.c.orig Wed Apr 2 19:41:44 1997
---- /sys/netinet/ip_input.c Wed Apr 2 19:28:53 1997
+*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
+--- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
***************
*** 74,79 ****
--- 74,82 ----
@@ -13,7 +13,7 @@
int rsvp_on = 0;
static int ip_rsvp_on;
***************
-*** 310,316 ****
+*** 310,315 ****
--- 313,327 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
@@ -21,12 +21,12 @@
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
-
++
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ return;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
+
#ifdef COMPAT_IPFW
if (ip_fw_chk_ptr) {
- int action;
diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
index 3f53ac72caf5..d3cebd0a7374 100644
--- a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
+++ b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
@@ -1,5 +1,5 @@
-*** ip_output.c.orig Wed Apr 2 19:41:48 1997
---- /sys/netinet/ip_output.c Wed Apr 2 19:38:19 1997
+*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
+--- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
***************
*** 67,72 ****
--- 67,76 ----
@@ -31,7 +31,7 @@
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
***************
-*** 338,344 ****
+*** 338,343 ****
--- 342,358 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
@@ -39,17 +39,17 @@
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
-
++
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
+ error = EHOSTUNREACH;
-+ if (error || !m1)
++ if (error || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
-+ }
++ }
+ #endif
+
#ifdef COMPAT_IPFW
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
- error = EACCES;
***************
*** 559,565 ****
* Copy options from ip to jp,
@@ -59,7 +59,7 @@
ip_optcopy(ip, jp)
struct ip *ip, *jp;
{
---- 573,579 ----
+--- 574,580 ----
* Copy options from ip to jp,
* omitting those not copied during fragmentation.
*/
diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall
new file mode 100755
index 000000000000..035468551efd
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/kinstall
@@ -0,0 +1,61 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Installing "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h)
+ echo -n "$i ";
+ cp $i /sys/netinet
+ chmod 644 /sys/netinet/$i
+end
+echo ""
+echo "Copying /usr/include/osreldate.h to /sys/sys"
+cp /usr/include/osreldate.h /sys/sys
+echo "Patching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
+(cd /sys/netinet; patch)
+
+if ( -f /sys/conf/files.newconf ) then
+ echo "Patching /sys/conf/files.newconf"
+ cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
+ echo "Patching /sys/conf/files"
+ cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+ echo "Patching /sys/conf/files.oldconf"
+ cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
+ echo "Patching /sys/conf/files"
+ cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+echo "Re-config'ing $newconfig..."
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
+ $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
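Review bot: None of the `patch` pipelines (the netinet one and the four under /sys/conf) check `$status`, so a rejected hunk in ip_input.c or ip_output.c leaves the kernel tree half-patched while the script still adds `options IPFILTER` to the config and exits 0; a kernel built from that tree would have the filter compiled in but not hooked into the IP input/output path, i.e. no filtering while the admin believes there is. Test the status after each pipeline, e.g. `if ( $status != 0 ) then` / `echo "patching ip_input.c/ip_output.c/in_proto.c failed"; exit 1` / `endif`. `FreeBSD-2.2/filez.diffs` in the oldconf branch does not appear in this commit's diffstat, which only adds files.diffs and files.newconf.diffs, so it looks like a typo for files.diffs. The final awk rewrite also assumes `$confdir/$newconfig.bak` exists and never checks for an existing `options IPFILTER` line, so re-running the script duplicates it.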
diff --git a/contrib/ipfilter/FreeBSD-2.2/unkinstall b/contrib/ipfilter/FreeBSD-2.2/unkinstall
new file mode 100755
index 000000000000..e31edfb69849
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/unkinstall
@@ -0,0 +1,55 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Uninstalling "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h)
+ echo -n "$i ";
+ /bin/rm -f /sys/netinet/$i
+end
+echo ""
+echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
+(cd /sys/netinet; patch -R)
+
+if ( -f /sys/conf/files.newconf ) then
+ echo "Unpatching /sys/conf/files.newconf"
+ cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
+ echo "Unpatching /sys/conf/files"
+ cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+ echo "Unpatching /sys/conf/files.oldconf"
+ cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
+ echo "Unpatching /sys/conf/files"
+ cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
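Review bot: The removal loop `foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h)` covers only part of what kinstall copies into /sys/netinet — ip_proxy.[ch], ip_ftp_pxy.c, mlf_ipl.c and ipl.h are left behind, so after "uninstalling" the kernel tree still carries orphaned proxy and glue sources that the next kinstall overwrites without notice. Make the list match kinstall's: `foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \` / `ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h)`. As in kinstall, none of the `patch -R` pipelines check `$status`, so a failed reversal still rewrites the kernel config and exits 0. `egrep -v IPFILTER` also drops every config line containing that substring, not just the `options IPFILTER` line kinstall added; if removing hand-added `options IPFILTER_LOG` lines as well is intended, a comment saying so would help.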
diff --git a/contrib/ipfilter/FreeBSD-2.2/unminstall b/contrib/ipfilter/FreeBSD-2.2/unminstall
index abb263114a3e..07aaac08f2ce 100755
--- a/contrib/ipfilter/FreeBSD-2.2/unminstall
+++ b/contrib/ipfilter/FreeBSD-2.2/unminstall
@@ -6,9 +6,9 @@ if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
-if ( $dir =~ */FreeBSD ) cd ..
+if ( $dir =~ */FreeBSD* ) cd ..
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
+cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 425aa2432bfb..867535098125 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -5,6 +5,59 @@
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
+3.2alpha7 25/5/97 - Released
+
+add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
+
+setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
+
+split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
+mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
+
+fix (negative) host matching in filtering.
+
+add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
+or later.
+
+make all the candidates for kernel compiling include "netinet/..." and build
+a subdirectory "netinet" when compiling and symlink all .h files into this.
+
+add install make target to Makefile.ipsend
+
+3.2alpha6 8/5/97 - Released
+
+Add "!" (not) to hostname/ip matching.
+
+Automatically add packet info to the fragment cache if it is a fragment
+and we're translating addreses for.
+
+Automatically add packet info to the fragment cache if it is a fragment
+and we're "keeping state" for the packet.
+
+Solaris2 patches - Anthony Baxter (arb@connect.com.au)
+
+change install procedure for FreeBSD 2.2 to allow building to a kernel
+which is different to the running kernel.
+
+add FIONREAD for Solaris2!
+
+when expiring NAT table entries, if we would set a time to fr_tcpclosed
+(which is 1), make it fr_tcplaskack(20) so that the state tables have a
+chance to clear up.
+
+3.2alpha5
+
+add proxying skeleton support and sample ftp transparent proxy code.
+
+add printfs at startup to tell user what is happening.
+
+add packets & bytes for EXPIRE NAT log records.
+
+fix the "install-bsd" target in the root Makefile. Chris Williams
+<psion@mv.mv.com>
+
+Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
+
3.2alpha4 2/4/97 - Released
Some compiler warnings cleaned up.
@@ -656,4 +709,3 @@ added code for ouput filtering as well as input filtering and added support for
1.0 22/04/93 - Released
First release cut.
-
diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2
index 400963d416bb..b0bae0359237 100644
--- a/contrib/ipfilter/INST.FreeBSD-2.2
+++ b/contrib/ipfilter/INST.FreeBSD-2.2
@@ -1,21 +1,26 @@
To build a kernel for use with the loadable kernel module, follow these
steps:
- 1. do "make freebsd22"
+ 1. In /sys/i386/conf, create a new kernel config file (to be used
+ with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
- 2. do "make install-bsd"
+ 2. build the object files, telling it the name of the kernel to be
+ used. "freebsd22" MUST be the target, so the command would be
+ something like this: "make freebsd22 IPFILKERN=FIREWALL"
+
+ 3. do "make install-bsd"
(probably has to be done as root)
- 3. run "FreeBSD-2.2/minstall" as root
+ 4. run "FreeBSD-2.2/minstall" as root
- 4. build a new kernel
+ 5. build a new kernel
- 5. install and reboot with the new kernel
+ 6. install and reboot with the new kernel
- 6. use modload(8) to load the packet filter with:
+ 7. use modload(8) to load the packet filter with:
modload if_ipl.o
- 7. do "modstat" to confirm that it has been loaded successfully.
+ 8. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD
index fc35ecb34a0c..f64263691744 100644
--- a/contrib/ipfilter/INSTALL.FreeBSD
+++ b/contrib/ipfilter/INSTALL.FreeBSD
@@ -4,7 +4,7 @@
To build a kernel for use with the loadable kernel module, follow these
steps:
- 1. do "make bsd"
+ 1. do "make freebsd"
2. do "make install-bsd"
(probably has to be done as root)
@@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev;
To build a kernel with the IP filter, follow these steps:
- 1. do "make bsd"
+ 1. do "make freebsd"
2. do "make install-bsd"
(probably has to be done as root)
diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD
index 2387827ea3ca..cc48d17325b7 100644
--- a/contrib/ipfilter/INSTALL.NetBSD
+++ b/contrib/ipfilter/INSTALL.NetBSD
@@ -1,7 +1,7 @@
To build a kernel for use with the loadable kernel module, follow these
steps:
- 1. do "make bsd"
+ 1. do "make netbsd"
2. do "make install-bsd"
(probably has to be done as root)
@@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev;
To build a kernel with the IP filter, follow these steps:
- 1. do "make bsd"
+ 1. do "make netbsd"
2. do "make install-bsd"
(probably has to be done as root)
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 9c83fc4ead02..80cebc77f7dc 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -5,13 +5,13 @@
# and is not changed in any way. The author accepts no responsibility
# for the use of this software. I hate legaleese, don't you ?
#
-# $Id: Makefile,v 2.0.2.7 1997/04/02 12:23:14 darrenr Exp $
+# $Id: Makefile,v 2.0.2.12 1997/05/24 08:13:34 darrenr Exp $
#
# where to put things.
#
-BINDEST=/usr/local/ip_fil3.1.1/bin
-SBINDEST=/usr/local/ip_fil3.1.1/sbin
-MANDIR=/usr/local/ip_fil3.1.1/man
+BINDEST=/usr/local/bin
+SBINDEST=/sbin
+MANDIR=/usr/local/man
#To test prototyping
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
CC=gcc
@@ -65,20 +65,44 @@ tests:
@if [ -d test ]; then (cd test; make) \
else echo test directory not present, sorry; fi
-sunos solaris:
+include:
+ mkdir -p netinet
+ (cd netinet; /bin/rm -f *; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .)
+
+sunos solaris: include
./buildsunos
-freebsd22 freebsd30:
+freebsd22 freebsd30: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
- @if [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
- echo "Can't find ioconf.h"; \
+ -rm -f BSD/$(CPU)/ioconf.h
+ @if [ -n $(IPFILKERN) ] ; then \
+ ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPU); \
+ elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
+ echo -n "Can't find ioconf.h in "; \
+ echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
exit 1;\
+ else \
+ ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
fi
- rm -f BSD/$(CPU)/ioconf.h
- ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU)
- make bsd
+ make freebsd
+
+netbsd: include
+ -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
+ -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
+ -ln -s ../Makefile BSD/$(CPU)/Makefile
+ -ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend
+ (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mln_ipl.c"; cd ..)
+ (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+
+freebsd freebsd20 freebsd21: include
+ -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
+ -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
+ -ln -s ../Makefile BSD/$(CPU)/Makefile
+ -ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend
+ (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
+ (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
-bsd netbsd freebsd freebsd20 freebsd21:
+bsd: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
-ln -s ../Makefile BSD/$(CPU)/Makefile
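Review bot: `@if [ -n $(IPFILKERN) ] ; then` is unquoted, so when IPFILKERN is not given the shell evaluates `[ -n ]`, which is true (a one-argument test only checks that the string "-n" is non-empty); the new branch then runs `ln -s /sys//ioconf.h BSD/$(CPU)`, the `uname -v` fallback below it is dead code, and the unparameterised build that INSTALL.FreeBSD still documents gets a dangling ioconf.h symlink. Quote the variable: `@if [ -n "$(IPFILKERN)" ] ; then`. I also cannot tell from this hunk that `/sys/$(IPFILKERN)/ioconf.h` is where config(8) leaves that header — INST.FreeBSD-2.2 in this commit only says to run config in /sys/i386/conf — so the path is worth checking against the compile directory config actually creates. Separately, the new `include` target runs `(cd netinet; /bin/rm -f *; ...)`: if the cd fails, `rm -f *` runs in the source directory itself; chain the steps instead, `(cd netinet && /bin/rm -f * && ln -s ../*.h . && ln -s ../ip_ftp_pxy.c .)`.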
@@ -86,7 +110,7 @@ bsd netbsd freebsd freebsd20 freebsd21:
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
-bsdi bsdos:
+bsdi bsdos: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
-ln -s ../Makefile BSD/$(CPU)/Makefile
@@ -138,20 +162,15 @@ sunos5x86 solaris2x86:
(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
install-bsd: bsd
- (cd BSD/$(CPU); $(MAKE) "CPU=$(CPU) TOP=../.." install)
+ (cd BSD/$(CPU); make install "TOP=../.." $(MFLAGS); cd ..)
+ (cd BSD/$(CPU); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
+
install-sunos4: solaris
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
+
install-sunos5: solaris
(cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install)
-# XXX FIXME: bogus to depend on all!
-install: all ip_fil.h
- -$(CP) ip_fil.h /usr/include/netinet/ip_fil.h
- -$(CHMOD) 444 /usr/include/netinet/ip_fil.h
- -$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST)
- -$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST)
- (cd man; $(MAKE) INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd ..)
-
rcsget:
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos
index 5e396695455d..b3f65788cba2 100755
--- a/contrib/ipfilter/buildsunos
+++ b/contrib/ipfilter/buildsunos
@@ -1,10 +1,10 @@
#! /bin/sh
-# $Id: buildsunos,v 2.0.2.3 1997/03/30 15:37:34 darrenr Exp $
+# $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $
:
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
cpu=`uname -m`
if [ $rev = 5 ] ; then
- solrev=`uname -r | sed -e 's/^\([0-9]*\)\.\([0-9]*\)$/\2/'`
+ solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
mkdir -p SunOS5/${cpu}
/bin/rm -f SunOS5/${cpu}/Makefile
/bin/rm -f SunOS5/${cpu}/Makefile.ipsend
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 32b6068dfecb..b40695f829e3 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
+static char rcsid[] = "$Id: fil.c,v 2.0.2.13 1997/05/24 07:33:37 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -45,11 +45,12 @@ static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_frag.h"
-#include "ip_state.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
@@ -70,7 +71,6 @@ extern int opts;
# define IPLLOG(a, c, d, e) ipllog()
# if SOLARIS
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
-# define bcmp memcmp
# else
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
# endif
@@ -100,19 +100,12 @@ extern kmutex_t ipf_mutex;
# endif
#endif
-#ifndef IPF_LOGGING
-#define IPF_LOGGING 0
-#endif
-#ifdef IPF_DEFAULT_PASS
-#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
-#else
-#define IPF_NOMATCH (FR_PASS|FR_NOMATCH)
-#endif
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
int fr_flags = IPF_LOGGING, fr_active = 0;
+int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
fr_info_t frcache[2];
@@ -417,7 +410,7 @@ void *m;
#endif
{
register u_long *ld, *lm, *lip;
- register int i;
+ register int i, j;
lip = (u_long *)fi;
lm = (u_long *)&fr->fr_mip;
@@ -425,10 +418,10 @@ void *m;
i = ((lip[0] & lm[0]) != ld[0]);
FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
lip[0], lm[0], ld[0]));
- i |= ((lip[1] & lm[1]) != ld[1]);
+ i |= ((lip[1] & lm[1]) != ld[1]) << 21;
FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
lip[1], lm[1], ld[1]));
- i |= ((lip[2] & lm[2]) != ld[2]);
+ i |= ((lip[2] & lm[2]) != ld[2]) << 22;
FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
lip[2], lm[2], ld[2]));
i |= ((lip[3] & lm[3]) != ld[3]);
@@ -437,6 +430,7 @@ void *m;
i |= ((lip[4] & lm[4]) != ld[4]);
FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
lip[4], lm[4], ld[4]));
+ i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
if (i)
continue;
}
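Review bot: `i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));` takes the flags from `fi`, which in this function is the packet's fr_ip_t (it is the same object `lip` is cast from for the comparison against the rule's `fr_mip`), not from the rule being tested; unless the negation flags are copied into the packet's fi_fl somewhere not visible here, the mask is always zero, the XOR never clears bits 21/22, and the "!" host matching this commit claims to fix still has no effect. Presumably the rule's flags were meant, e.g. `i ^= (fr->fr_flags & (FR_NOTSRCIP|FR_NOTDSTIP));`, whichever rule field actually carries FR_NOTSRCIP/FR_NOTDSTIP. The `<< 21` and `<< 22` in the preceding hunk are only correct if FR_NOTSRCIP and FR_NOTDSTIP are exactly those bits, which ip_fil.h is not shown here to guarantee; a comment next to the shifts, `/* bits 21/22 must equal FR_NOTSRCIP/FR_NOTDSTIP */`, would make that coupling explicit. The newly declared `j` in `register int i, j;` is never used in the hunk. The enclosing rule-scan function starts and ends outside this hunk.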
@@ -557,6 +551,7 @@ int out;
fr_makefrip(hlen, ip, fin);
fin->fin_ifp = ifp;
fin->fin_out = out;
+ fin->fin_mp = mp;
MUTEX_ENTER(&ipf_mutex);
if (!out) {
@@ -566,24 +561,8 @@ int out;
frstats[0].fr_acct++;
}
- if ((pass = ipfr_knownfrag(ip, fin))) {
- if ((pass & FR_KEEPSTATE)) {
- if (fr_addstate(ip, fin, pass) == -1)
- frstats[out].fr_bads++;
- else
- frstats[out].fr_ads++;
- }
- } else if ((pass = fr_checkstate(ip, fin))) {
- if ((pass & FR_KEEPFRAG)) {
- if (fin->fin_fi.fi_fl & FI_FRAG) {
- if (ipfr_newfrag(ip, fin, pass) == -1)
- frstats[out].fr_bnfr++;
- else
- frstats[out].fr_nfr++;
- } else
- frstats[out].fr_cfr++;
- }
- } else {
+ if (!(pass = ipfr_knownfrag(ip, fin)) &&
+ !(pass = fr_checkstate(ip, fin))) {
fc = frcache + out;
if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
/*
@@ -594,16 +573,16 @@ int out;
frstats[out].fr_chit++;
pass = fin->fin_fr->fr_flags;
} else {
- pass = IPF_NOMATCH;
+ pass = fr_pass;
if ((fin->fin_fr = ipfilter[out][fr_active]))
- pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m);
+ pass = FR_SCANLIST(fr_pass, ip, fin, m);
bcopy((char *)fin, (char *)fc, FI_CSIZE);
if (pass & FR_NOMATCH)
frstats[out].fr_nom++;
}
fr = fin->fin_fr;
- if ((pass & FR_KEEPFRAG)) {
+ if (pass & FR_KEEPFRAG) {
if (fin->fin_fi.fi_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1)
frstats[out].fr_bnfr++;
@@ -660,6 +639,19 @@ logit:
}
}
#endif /* IPFILTER_LOG */
+#ifdef _KERNEL
+ /*
+ * Only allow FR_DUP to work if a rule matched - it makes no sense to
+ * set FR_DUP as a "default" as there are no instructions about where
+ * to send the packet.
+ */
+ if (fr && (pass & FR_DUP))
+# if SOLARIS
+ mc = dupmsg(m);
+# else
+ mc = m_copy(m, 0, M_COPYALL);
+# endif
+#endif
if (pass & FR_PASS)
frstats[out].fr_pass++;
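Review bot: `mc = m_copy(m, 0, M_COPYALL)` and `mc = dupmsg(m)` both return NULL when no buffers are available, and this hunk does not test the result; the code that later sends `mc` to the dup-to destination lies outside the hunk, so please confirm it checks `mc` before use and, ideally, counts the failed copy, since a silently dropped duplicate is invisible to whatever is listening on the dup-to interface. A one-line comment above the copy, `/* mc is NULL on buffer exhaustion; the fr_tif path must check it */`, would document that contract where the copy is made.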
@@ -703,10 +695,16 @@ logit:
#endif
}
}
+
+ /*
+ * If we didn't drop off the bottom of the list of rules (and thus
+ * the 'current' rule fr is not NULL), then we may have some extra
+ * instructions about what to do with a packet.
+ * Once we're finished return to our caller, freeing the packet if
+ * we are dropping it (* BSD ONLY *).
+ */
#ifdef _KERNEL
# if !SOLARIS
- if (pass & FR_DUP)
- mc = m_copy(m, 0, M_COPYALL);
if (fr) {
frdest_t *fdp = &fr->fr_tif;
@@ -722,8 +720,6 @@ logit:
m_freem(m);
return (pass & FR_PASS) ? 0 : -1;
# else
- if (pass & FR_DUP)
- mc = dupmsg(m);
if (fr) {
frdest_t *fdp = &fr->fr_tif;
@@ -777,3 +773,126 @@ int len;
return len;
}
#endif
+
+
+u_short ipf_cksum(addr, len)
+register u_short *addr;
+register int len;
+{
+ register u_long sum = 0;
+
+ for (sum = 0; len > 1; len -= 2)
+ sum += *addr++;
+
+ /* mop up an odd byte, if necessary */
+ if (len == 1)
+ sum += *(u_char *)addr;
+
+ /*
+ * add back carry outs from top 16 bits to low 16 bits
+ */
+ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
+ sum += (sum >> 16); /* add carry */
+ return (u_short)(~sum);
+}
+
+
+/*
+ * NB: This function assumes we've pullup'd enough for all of the IP header
+ * and the TCP header. We also assume that data blocks aren't allocated in
+ * odd sizes.
+ */
+u_short fr_tcpsum(m, ip, tcp)
+#if SOLARIS
+mblk_t *m;
+#else
+struct mbuf *m;
+#endif
+ip_t *ip;
+tcphdr_t *tcp;
+{
+ union {
+ u_char c[2];
+ u_short s;
+ } bytes;
+ u_long sum;
+ u_short *sp;
+ int len, add, hlen, ilen;
+
+ /*
+ * Add up IP Header portion
+ */
+ ilen = len = ip->ip_len - (ip->ip_hl << 2);
+ bytes.c[0] = 0;
+ bytes.c[1] = IPPROTO_TCP;
+ sum = bytes.s;
+ sum += htons((u_short)len);
+ sp = (u_short *)&ip->ip_src;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ if (sp != (u_short *)tcp)
+ sp = (u_short *)tcp;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp;
+ sp += 2; /* Skip over checksum */
+ sum += *sp++;
+
+#if SOLARIS
+ /*
+ * In case we had to copy the IP & TCP header out of mblks,
+ * skip over the mblk bits which are the header
+ */
+ if ((caddr_t)ip != (caddr_t)m->b_rptr) {
+ hlen = (caddr_t)sp - (caddr_t)ip;
+ while (hlen) {
+ add = MIN(hlen, m->b_wptr - m->b_rptr);
+ sp = (u_short *)((caddr_t)m->b_rptr + add);
+ if ((hlen -= add))
+ m = m->b_cont;
+ }
+ }
+#endif
+
+ if (!(len -= sizeof(*tcp)))
+ goto nodata;
+ while (len > 1) {
+ sum += *sp++;
+ len -= 2;
+#if SOLARIS
+ if ((caddr_t)sp > (caddr_t)m->b_wptr) {
+ m = m->b_cont;
+ PANIC((!m),("fr_tcpsum: not enough data"));
+ sp = (u_short *)m->b_rptr;
+ }
+#else
+# ifdef m_data
+ if ((caddr_t)sp > (m->m_data + m->m_len))
+# else
+ if ((caddr_t)sp > (caddr_t)(m->m_dat + m->m_off + m->m_len))
+# endif
+ {
+ m = m->m_next;
+ PANIC((!m),("fr_tcpsum: not enough data"));
+ sp = mtod(m, u_short *);
+ }
+#endif /* SOLARIS */
+ }
+ if (len) {
+ bytes.c[1] = 0;
+ bytes.c[0] = *(u_char *)sp;
+ sum += bytes.s;
+ }
+nodata:
+ sum = (sum >> 16) + (sum & 0xffff);
+ sum += (sum >> 16);
+ sum = (u_short)((~sum) & 0xffff);
+ return sum;
+}
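Review bot: The buffer-boundary checks in fr_tcpsum's data loop are off by one: the test runs after `sum += *sp++`, so when sp lands exactly on the end of the current buffer the `>` comparison does not advance, and the next iteration reads one u_short past `m->m_data + m->m_len` (or past `b_wptr` on Solaris) before the chain is advanced — that out-of-range word is summed and the last real data word is never read, so with the even-sized buffers the header comment assumes the checksum is wrong at every mbuf/mblk boundary. Both comparisons should be `>=`: `if ((caddr_t)sp >= (caddr_t)m->b_wptr) {` and `if ((caddr_t)sp >= (m->m_data + m->m_len))` (and likewise the `m_dat + m_off + m_len` form). `len` is derived from `ip->ip_len`, which the remote peer controls, and `PANIC((!m), ...)` fires when the chain runs out, so a datagram whose ip_len exceeds the data actually present panics the kernel; the header comment should state that the caller must already have validated ip_len against the chain length, alongside the pull-up assumption. In ipf_cksum the trailing odd byte is added as `*(u_char *)addr`, i.e. into the low byte of the host-order sum, which is only correct on little-endian hosts; the union form used in fr_tcpsum (`bytes.c[0] = *(u_char *)sp`) is the portable one and should be used there too. `ilen`, `add` and `hlen` are unused on the non-Solaris build.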
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index ca6abe0cdb09..20384e006f47 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -30,9 +30,11 @@
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
+#include <netinet/tcp.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ipf.h"
+#include "ip_proxy.h"
#include "ip_nat.h"
#include "ip_frag.h"
#include "ip_state.h"
@@ -43,7 +45,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fils.c,v 2.0.2.7 1997/04/02 12:23:16 darrenr Exp $";
+static char rcsid[] = "$Id: fils.c,v 2.0.2.9 1997/05/08 10:11:31 darrenr Exp $";
#endif
#ifdef _PATH_UNIX
#define VMUNIX _PATH_UNIX
@@ -95,7 +97,7 @@ char *argv[];
(void)setuid(getuid());
(void)setgid(getgid());
- while ((c = getopt(argc, argv, "afhIiosvd:")) != -1)
+ while ((c = getopt(argc, argv, "afhIinosvd:")) != -1)
{
switch (c)
{
@@ -148,9 +150,18 @@ char *argv[];
perror("ioctl(SIOCGETFS)");
exit(-1);
}
- if ((opts & OPT_IPSTATES) && (ioctl(fd, SIOCGIPST, &ipsst) == -1)) {
- perror("ioctl(SIOCGIPST)");
- exit(-1);
+ if ((opts & OPT_IPSTATES)) {
+ int sfd = open(IPL_STATE, O_RDONLY);
+
+ if (sfd == -1) {
+ perror("open");
+ exit(-1);
+ }
+ if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
+ perror("ioctl(SIOCGIPST)");
+ exit(-1);
+ }
+ close(sfd);
}
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
perror("ioctl(SIOCGFRST)");
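Review bot: `perror("open")` after the failed `open(IPL_STATE, O_RDONLY)` does not say which device could not be opened, which matters now that the state table is read from a separate device than the one `fd` refers to; the process has already dropped privileges with `setuid(getuid())` in the previous hunk, so a non-root user will see a bare "open: Permission denied" with no hint of what to fix. Use `perror(IPL_STATE);` so the message names the device.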
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c
index 3a91e7a5dd7c..0a83f2859dff 100644
--- a/contrib/ipfilter/inet_addr.c
+++ b/contrib/ipfilter/inet_addr.c
@@ -55,7 +55,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.3 1997/03/27 13:45:00 darrenr Exp $";
+static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.4 1997/05/08 10:11:34 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@@ -179,7 +179,11 @@ inet_aton(cp, addr)
* Ascii internet address interpretation routine.
* The value returned is in network order.
*/
+#if defined(SOLARIS2) && (SOLARIS2 > 5)
+u_int
+#else
u_long
+#endif
inet_addr(cp)
register const char *cp;
{
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index c1fbfce0cebe..cbb3239b2b8d 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -1,15 +1,15 @@
/*
- * (C)opyright 1993, 1994, 1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.0.2.6 1997/04/02 12:23:17 darrenr Exp $
+ * $Id: ip_compat.h,v 2.0.2.11 1997/05/04 05:29:02 darrenr Exp $
*/
-#ifndef __IP_COMPAT_H_
+#ifndef __IP_COMPAT_H__
#define __IP_COMPAT_H__
#ifndef __P
@@ -24,6 +24,22 @@
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
+#if defined(_KERNEL) && !defined(KERNEL)
+#define KERNEL
+#endif
+#if defined(KERNEL) && !defined(_KERNEL)
+#define _KERNEL
+#endif
+
+#if defined(__SVR4) || defined(__svr4__)
+#define index strchr
+# ifndef _KERNEL
+# define bzero(a,b) memset(a,0,b)
+# define bcmp memcmp
+# define bcopy(a,b,c) memmove(b,a,c)
+# endif
+#endif
+
#if SOLARIS
# define MTYPE(m) ((m)->b_datap->db_type)
# include <sys/ioccom.h>
@@ -58,8 +74,10 @@
#if BSD > 199306
# define USE_QUAD_T
# define U_QUAD_T u_quad_t
+# define QUAD_T quad_t
#else
# define U_QUAD_T u_long
+# define QUAD_T long
#endif
#ifndef MAX
@@ -167,6 +185,7 @@ extern ill_t *get_unit __P((char *));
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
# define SLEEP(id, n) sleep((id), PZERO+1)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
+# define KFREES(x,s) kmem_free((char *)(x), (s))
# if SOLARIS
typedef struct qif {
struct qif *qf_next;
@@ -219,13 +238,16 @@ extern vm_map_t kmem_map;
# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c))
# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
sizeof(*(x)))
+# define KFREES(x,s) kmem_free(kmem_map, (vm_offset_t)(x), (s))
*/
# ifdef M_PFIL
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
# define KFREE(x) FREE((x), M_PFIL)
+# define KFREES(x,s) FREE((x), M_PFIL)
# else
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
# define KFREE(x) FREE((x), M_TEMP)
+# define KFREES(x,s) FREE((x), M_TEMP)
# endif
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
@@ -238,7 +260,9 @@ extern vm_map_t kmem_map;
# define SPLX(x) (void) splx(x)
# endif
# endif
+# define PANIC(x,y) if (x) panic y
#else
+# define PANIC(x,y) ;
# define MUTEX_ENTER(x) ;
# define MUTEX_EXIT(x) ;
# define SPLNET(x) ;
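Review bot: `# define PANIC(x,y) if (x) panic y` expands to a bare if-statement, so `PANIC(c, ("..."));` followed by an `else` in the caller misparses, and the userland `# define PANIC(x,y) ;` leaves a stray empty statement behind every use. The usual macro-hygiene form avoids both: `# define PANIC(x,y) do { if (x) panic y; } while (0)` in the kernel branch and `# define PANIC(x,y) do { } while (0)` in the other.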
@@ -246,6 +270,7 @@ extern vm_map_t kmem_map;
# define SPLX(x) ;
# define KMALLOC(a,b,c) (a) = (b)malloc(c)
# define KFREE(x) free(x)
+# define KFREES(x,s) free(x)
# define GETUNIT(x) get_unit(x)
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
@@ -365,6 +390,7 @@ struct ipovly {
# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
# define KFREE(x) kfree_s((x), sizeof(*(x)))
+# define KFREES(x,s) kfree_s((x), (s))
# define IRCOPY(a,b,c) { \
error = verify_area(VERIFY_READ, \
(b) ,sizeof((b))); \
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 353d7a6e8ec7..b79c030bb822 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $";
+static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.12 1997/05/24 07:39:56 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -15,7 +15,14 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#endif
#ifdef __FreeBSD__
-#include <osreldate.h>
+# if defined(KERNEL) && !defined(_KERNEL)
+# define _KERNEL
+# endif
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include <sys/osreldate.h>
+# else
+# include <osreldate.h>
+# endif
#endif
#ifndef _KERNEL
#include <stdio.h>
@@ -25,7 +32,12 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
-#include <sys/ioctl.h>
+#if __FreeBSD_version >= 220000 && defined(_KERNEL)
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+#else
+# include <sys/ioctl.h>
+#endif
#include <sys/time.h>
#ifdef _KERNEL
#include <sys/systm.h>
@@ -35,9 +47,6 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#include <sys/dir.h>
#include <sys/mbuf.h>
#else
-#define bcmp memcmp
-#define bzero(a,b) memset(a,0,b)
-#define bcopy(a,b,c) memcpy(b,a,c)
#include <sys/filio.h>
#endif
#include <sys/protosw.h>
@@ -47,6 +56,9 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#ifdef sun
#include <net/af.h>
#endif
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
@@ -57,17 +69,23 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include <syslog.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_frag.h"
-#include "ip_nat.h"
-#include "ip_state.h"
+#ifndef _KERNEL
+# include <syslog.h>
+#endif
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
+#if !SOLARIS && defined(_KERNEL)
+extern int ip_optcopy __P((struct ip *, struct ip *));
+#endif
+
-extern fr_flags, fr_active;
extern struct protosw inetsw[];
#if BSD < 199306
static int (*fr_saveslowtimo) __P((void));
@@ -139,6 +157,7 @@ char *s;
int iplattach()
{
+ char *defpass;
int s, i;
SPLNET(s);
@@ -157,11 +176,21 @@ int iplattach()
/*
* Set log buffer pointers for each of the log buffers
*/
+#ifdef IPFILTER_LOG
for (i = 0; i <= 2; i++) {
iplh[i] = iplbuf[i];
iplt[i] = iplbuf[i];
}
+#endif
SPLX(s);
+ if (fr_pass & FR_PASS)
+ defpass = "pass";
+ else if (fr_pass & FR_BLOCK)
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
+
+ printf("IP Filter: initialized. Default = %s all\n", defpass);
return 0;
}
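Review bot: `int s, i;` leaves `i` unused when IPFILTER_LOG is not defined, because its only use is now inside the new `#ifdef IPFILTER_LOG` block; declaring `i` under the same conditional keeps that configuration warning-free. A one-line comment above the printf saying that the "no-match -> block" text is what a caller sees when fr_pass carries neither FR_PASS nor FR_BLOCK would also help, since that string is the only documentation of the default policy. iplattach() begins outside the hunk.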
@@ -258,7 +287,8 @@ caddr_t data;
* Filter ioctl interface.
*/
int iplioctl(dev, cmd, data, mode
-#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
+#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
+ (__FreeBSD_version >= 220000)) && defined(_KERNEL)
, p)
struct proc *p;
#else
@@ -278,10 +308,21 @@ int mode;
#endif
SPLNET(s);
+
+ if (unit == IPL_LOGNAT) {
+ error = nat_ioctl(data, cmd, mode);
+ SPLX(s);
+ return error;
+ }
+ if (unit == IPL_LOGSTATE) {
+ error = fr_state_ioctl(data, cmd, mode);
+ SPLX(s);
+ return error;
+ }
switch (cmd) {
case FIONREAD :
#ifdef IPFILTER_LOG
- *(int *)data = iplused[unit];
+ *(int *)data = iplused[IPL_LOGIPF];
#endif
break;
#if !defined(IPFILTER_LKM) && defined(_KERNEL)
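Review bot: Forwarding every command on the IPL_LOGNAT and IPL_LOGSTATE units to nat_ioctl()/fr_state_ioctl() before the switch means the `default : error = EINVAL;` later in this function no longer covers those devices, so each handler must reject unknown commands itself; nat_ioctl()'s switch, as far as this diff shows it, ends without a default. FIONREAD on the state device likewise now depends on fr_state_ioctl() implementing it, which this diff does not show. iplioctl() starts before this hunk and its switch continues after it.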
@@ -373,24 +414,13 @@ int mode;
else {
*(int *)data = iplused[unit];
iplh[unit] = iplt[unit] = iplbuf[unit];
- iplused[unit] = 0;
+ iplused[unix] = 0;
}
break;
#endif /* IPFILTER_LOG */
- case SIOCADNAT :
- case SIOCRMNAT :
- case SIOCGNATS :
- case SIOCGNATL :
- case SIOCFLNAT :
- case SIOCCNATL :
- error = nat_ioctl(data, cmd, mode);
- break;
case SIOCGFRST :
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
break;
- case SIOCGIPST :
- IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
- break;
default :
error = EINVAL;
break;
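Review bot: `iplused[unix] = 0;` is a typo for `iplused[unit] = 0;`: most Unix compilers predefine `unix` as 1, so this compiles but clears `iplused[1]` regardless of which log buffer is being flushed, and it fails to compile where `unix` is not predefined. The head/tail pointers on the line above are reset for `unit`, so after a flush the other buffers report a stale byte count while their pointers say they are empty. The switch continues outside the hunk.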
@@ -508,7 +538,8 @@ caddr_t data;
* routines below for saving IP headers to buffer
*/
int iplopen(dev, flags
-#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
+#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
+ (__FreeBSD_version >= 220000)) && defined(_KERNEL)
, devtype, p)
int devtype;
struct proc *p;
@@ -529,7 +560,8 @@ int flags;
int iplclose(dev, flags
-#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
+#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
+ (__FreeBSD_version >= 220000)) && defined(_KERNEL)
, devtype, p)
int devtype;
struct proc *p;
@@ -699,6 +731,9 @@ struct tcpiphdr *ti;
struct tcphdr *tcp;
struct mbuf *m;
int tlen = 0;
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+ struct route ro;
+#endif
if (ti->ti_flags & TH_RST)
return -1; /* feedback loop */
@@ -710,6 +745,8 @@ struct tcpiphdr *ti;
# endif
if (m == NULL)
return -1;
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+#endif
if (ti->ti_flags & TH_SYN)
tlen = 1;
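Review bot: The `#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)` / `#endif` pair added here is empty and should be dropped; the FreeBSD route handling for send_reset() lives in a later hunk, so this looks like leftover scaffolding. send_reset() begins and ends outside this hunk.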
@@ -743,18 +780,29 @@ struct tcpiphdr *ti;
ip->ip_ttl = ip_defttl;
# endif
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
+ bzero((char *)&ro, sizeof(ro));
+ (void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
+ if (ro.ro_rt)
+ RTFREE(ro.ro_rt);
+#else
/*
* extra 0 in case of multicast
*/
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
+#endif
return 0;
}
-# ifndef IPFILTER_LKM
+# if !defined(IPFILTER_LKM) && !(__FreeBSD_version >= 300000)
# if BSD < 199306
+int iplinit __P((void));
+
int
# else
+void iplinit __P((void));
+
void
# endif
iplinit()
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index f6acda702e88..661e109f407e 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -1,12 +1,12 @@
/*
- * (C)opyright 1993-1996 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.0.2.9 1997/04/02 12:23:20 darrenr Exp $
+ * $Id: ip_fil.h,v 2.0.2.13 1997/05/24 07:41:55 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -97,6 +97,7 @@ typedef struct fr_info {
u_short fin_dlen;
char *fin_dp; /* start of data past IP header */
struct frentry *fin_fr;
+ void *fin_mp;
} fr_info_t;
#define FI_CSIZE (sizeof(struct fr_ip) + 11)
@@ -179,16 +180,18 @@ typedef struct frentry {
#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
#define FR_DUP 0x20000 /* duplicate packet */
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
+#define FR_NOTSRCIP 0x80000 /* not the src IP# */
+#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
/*
* recognized flags for SIOCGETFF and SIOCSETFF
*/
-#define FF_LOGPASS 0x100000
-#define FF_LOGBLOCK 0x200000
-#define FF_LOGNOMATCH 0x400000
+#define FF_LOGPASS 0x10000000
+#define FF_LOGBLOCK 0x20000000
+#define FF_LOGNOMATCH 0x40000000
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
-#define FF_BLOCKNONIP 0x800000 /* Solaris2 Only */
+#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
#define FR_NONE 0
#define FR_EQUAL 1
@@ -257,9 +260,9 @@ typedef struct ipl_ci {
u_long flags;
u_char ifname[IFNAMSIZ]; /* = 32 bytes */
#else
- u_long flags:24;
- u_long unit:8;
- u_char ifname[4]; /* = 20 bytes */
+ u_long flags;
+ u_int unit;
+ u_char ifname[4]; /* = 24 bytes */
#endif
} ipl_ci_t;
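Review bot: Replacing the `flags:24`/`unit:8` bitfields with a full `u_long flags` and `u_int unit` changes the layout of every record read from the log device, so ipmon and anything else that parses ipl_ci_t must be rebuilt against this header; a comment on the struct noting that the record format changed in 3.2 would prevent a confusing mismatch. The `/* = 24 bytes */` figure also assumes a 4-byte `u_long`, which does not hold on 64-bit hosts. The struct's opening lines are outside the hunk.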
@@ -268,6 +271,13 @@ typedef struct ipl_ci {
#define ICMP_UNREACH_FILTER 13
#endif
+#ifndef IPF_LOGGING
+#define IPF_LOGGING 0
+#endif
+#ifndef IPF_DEFAULT_PASS
+#define IPF_DEFAULT_PASS 0
+#endif
+
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define IPLLOGSIZE 8192
@@ -301,7 +311,12 @@ extern int send_reset __P((struct ip *, struct ifnet *));
extern int icmp_error __P((struct ip *, struct ifnet *));
extern void ipllog __P((void));
extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *));
-#else
+extern int iplioctl __P((dev_t, int, caddr_t, int));
+extern int iplopen __P((dev_t, int));
+extern int iplclose __P((dev_t, int));
+#else /* #ifndef _KERNEL */
+extern int iplattach __P((void));
+extern int ipldetach __P((void));
# if SOLARIS
extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *,
queue_t *, mblk_t **));
@@ -309,33 +324,6 @@ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
int, qif_t *, queue_t *, mblk_t *));
extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *,
struct in_addr));
-# else
-extern int fr_check __P((struct ip *, int, struct ifnet *, int,
- struct mbuf **));
-extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
- struct mbuf **));
-extern int send_reset __P((struct tcpiphdr *));
-extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
-extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
-# endif
-#endif
-extern int fr_copytolog __P((int, char *, int));
-extern int ipl_unreach;
-extern fr_info_t frcache[];
-extern char *iplh[3], *iplt[3];
-extern char iplbuf[3][IPLLOGSIZE];
-extern int iplused[3];
-extern struct frentry *ipfilter[2][2], *ipacct[2][2];
-extern struct filterstats frstats[];
-
-#ifndef _KERNEL
-extern int iplioctl __P((dev_t, int, caddr_t, int));
-extern int iplopen __P((dev_t, int));
-extern int iplclose __P((dev_t, int));
-#else
-extern int iplattach __P((void));
-extern int ipldetach __P((void));
-# if SOLARIS
extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
@@ -343,11 +331,21 @@ extern int ipfsync __P((void));
# ifdef IPFILTER_LOG
extern int iplread __P((dev_t, struct uio *, cred_t *));
# endif
-# else
+extern u_short fr_tcpsum __P((mblk_t *, ip_t *, tcphdr_t *));
+# else /* SOLARIS */
+extern int fr_check __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
+extern int send_reset __P((struct tcpiphdr *));
+extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
+extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
# ifdef IPFILTER_LKM
extern int iplidentify __P((char *));
# endif
-# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612)
+extern u_short fr_tcpsum __P((struct mbuf *, ip_t *, tcphdr_t *));
+# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
+ (NetBSD >= 199511)
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *));
@@ -366,5 +364,18 @@ extern int iplread __P((dev_t, struct uio *));
# define iplread noread
# endif /* IPFILTER_LOG */
# endif /* SOLARIS */
-#endif /* _KERNEL */
+#endif /* #ifndef _KERNEL */
+extern u_short ipf_cksum __P((u_short *, int));
+extern int fr_copytolog __P((int, char *, int));
+extern int ipl_unreach;
+extern int ipl_inited;
+extern int fr_pass;
+extern int fr_flags;
+extern int fr_active;
+extern fr_info_t frcache[];
+extern char *iplh[3], *iplt[3];
+extern char iplbuf[3][IPLLOGSIZE];
+extern int iplused[3];
+extern struct frentry *ipfilter[2][2], *ipacct[2][2];
+extern struct filterstats frstats[];
#endif /* __IP_FIL_H__ */
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index 59dac40b23fa..9b9bce35e7eb 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp $";
+static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.10 1997/05/24 07:36:23 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -19,8 +19,7 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)
-#include <sys/ioccom.h>
+#if defined(KERNEL) && (__FreeBSD_version >= 220000)
#include <sys/filio.h>
#include <sys/fcntl.h>
#else
@@ -54,39 +53,36 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_frag.h"
-#include "ip_nat.h"
-#include "ip_state.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
ipfr_t *ipfr_heads[IPFT_SIZE];
+ipfr_t *ipfr_nattab[IPFT_SIZE];
ipfrstat_t ipfr_stats;
u_long ipfr_inuse = 0,
fr_ipfrttl = 120; /* 60 seconds */
#ifdef _KERNEL
extern int ipfr_timer_id;
#endif
-#if SOLARIS
-# ifdef _KERNEL
+#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_frag;
-# else
-#define bcmp(a,b,c) memcmp(a,b,c)
-#define bcopy(a,b,c) memmove(b,a,c)
-# endif
+extern kmutex_t ipf_natfrag;
+extern kmutex_t ipf_nat;
#endif
-#ifdef __FreeBSD__
-# if BSD < 199306
-int ipfr_slowtimer __P((void));
-# else
-void ipfr_slowtimer __P((void));
-# endif
-#endif /* __FreeBSD__ */
+
+static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **));
+static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
+
ipfrstat_t *ipfr_fragstats()
{
ipfr_stats.ifs_table = ipfr_heads;
+ ipfr_stats.ifs_nattab = ipfr_nattab;
ipfr_stats.ifs_inuse = ipfr_inuse;
return &ipfr_stats;
}
@@ -96,10 +92,11 @@ ipfrstat_t *ipfr_fragstats()
* add a new entry to the fragment cache, registering it as having come
* through this box, with the result of the filter operation.
*/
-int ipfr_newfrag(ip, fin, pass)
+static ipfr_t *ipfr_new(ip, fin, pass, table)
ip_t *ip;
fr_info_t *fin;
int pass;
+ipfr_t *table[];
{
ipfr_t **fp, *fr, frag;
u_int idx;
@@ -119,33 +116,77 @@ int pass;
/*
* first, make sure it isn't already there...
*/
- MUTEX_ENTER(&ipf_frag);
- for (fp = &ipfr_heads[idx]; (fr = *fp); fp = &fr->ipfr_next)
+ for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next)
if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
IPFR_CMPSZ)) {
ipfr_stats.ifs_exists++;
MUTEX_EXIT(&ipf_frag);
- return -1;
+ return NULL;
}
+ /*
+ * allocate some memory, if possible, if not, just record that we
+ * failed to do so.
+ */
KMALLOC(fr, ipfr_t *, sizeof(*fr));
if (fr == NULL) {
ipfr_stats.ifs_nomem++;
MUTEX_EXIT(&ipf_frag);
- return -1;
+ return NULL;
}
- if ((fr->ipfr_next = ipfr_heads[idx]))
- ipfr_heads[idx]->ipfr_prev = fr;
+
+ /*
+ * Instert the fragment into the fragment table, copy the struct used
+ * in the search using bcopy rather than reassign each field.
+ * Set the ttl to the default and mask out logging from "pass"
+ */
+ if ((fr->ipfr_next = table[idx]))
+ table[idx]->ipfr_prev = fr;
fr->ipfr_prev = NULL;
- ipfr_heads[idx] = fr;
+ fr->ipfr_data = NULL;
+ table[idx] = fr;
bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
fr->ipfr_ttl = fr_ipfrttl;
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
+ /*
+ * Compute the offset of the expected start of the next packet.
+ */
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
ipfr_stats.ifs_new++;
ipfr_inuse++;
+ return fr;
+}
+
+
+int ipfr_newfrag(ip, fin, pass)
+ip_t *ip;
+fr_info_t *fin;
+int pass;
+{
+ ipfr_t *ipf;
+
+ MUTEX_ENTER(&ipf_frag);
+ ipf = ipfr_new(ip, fin, pass, ipfr_heads);
MUTEX_EXIT(&ipf_frag);
- return 0;
+ return ipf ? 0 : -1;
+}
+
+
+int ipfr_nat_newfrag(ip, fin, pass, nat)
+ip_t *ip;
+fr_info_t *fin;
+int pass;
+nat_t *nat;
+{
+ ipfr_t *ipf;
+
+ MUTEX_ENTER(&ipf_natfrag);
+ if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) {
+ ipf->ipfr_data = nat;
+ nat->nat_frag = ipf;
+ }
+ MUTEX_EXIT(&ipf_natfrag);
+ return ipf ? 0 : -1;
}
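Review bot: ipfr_new() still calls `MUTEX_EXIT(&ipf_frag);` on both of its failure paths (the duplicate-entry return and the KMALLOC failure) even though locking has moved to its callers: ipfr_newfrag() then releases ipf_frag twice, and ipfr_nat_newfrag() releases ipf_frag, which it never acquired, while still holding ipf_natfrag. On Solaris, the only platform where MUTEX_EXIT is non-empty in ip_compat.h, releasing a mutex you do not own is fatal. Remove both `MUTEX_EXIT(&ipf_frag);` lines from ipfr_new() and let the two wrappers own the locking, as the rest of this hunk intends.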
@@ -153,9 +194,10 @@ int pass;
* check the fragment cache to see if there is already a record of this packet
* with its filter result known.
*/
-int ipfr_knownfrag(ip, fin)
+static ipfr_t *ipfr_lookup(ip, fin, table)
ip_t *ip;
fr_info_t *fin;
+ipfr_t *table[];
{
ipfr_t *f, frag;
u_int idx;
@@ -164,6 +206,8 @@ fr_info_t *fin;
/*
* For fragments, we record protocol, packet id, TOS and both IP#'s
* (these should all be the same for all fragments of a packet).
+ *
+ * build up a hash value to index the table with.
*/
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
@@ -177,25 +221,26 @@ fr_info_t *fin;
idx *= 127;
idx %= IPFT_SIZE;
- MUTEX_ENTER(&ipf_frag);
- for (f = ipfr_heads[idx]; f; f = f->ipfr_next)
+ /*
+ * check the table, careful to only compare the right amount of data
+ */
+ for (f = table[idx]; f; f = f->ipfr_next)
if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
IPFR_CMPSZ)) {
u_short atoff, off;
- if (f != ipfr_heads[idx]) {
+ if (f != table[idx]) {
/*
* move fragment info. to the top of the list
* to speed up searches.
*/
if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
f->ipfr_next->ipfr_prev = f->ipfr_prev;
- f->ipfr_next = ipfr_heads[idx];
- ipfr_heads[idx]->ipfr_prev = f;
+ f->ipfr_next = table[idx];
+ table[idx]->ipfr_prev = f;
f->ipfr_prev = NULL;
- ipfr_heads[idx] = f;
+ table[idx] = f;
}
- ret = f->ipfr_pass;
off = ip->ip_off;
atoff = (off & 0x1fff) - (fin->fin_dlen >> 3);
/*
@@ -209,11 +254,45 @@ fr_info_t *fin;
f->ipfr_off = off;
}
ipfr_stats.ifs_hits++;
- MUTEX_EXIT(&ipf_frag);
- return ret;
+ return f;
}
+ return NULL;
+}
+
+
+/*
+ * functional interface for normal lookups of the fragment cache
+ */
+nat_t *ipfr_nat_knownfrag(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+ nat_t *nat;
+ ipfr_t *ipf;
+
+ MUTEX_ENTER(&ipf_natfrag);
+ ipf = ipfr_lookup(ip, fin, ipfr_heads);
+ nat = ipf ? ipf->ipfr_data : NULL;
+ MUTEX_EXIT(&ipf_natfrag);
+ return nat;
+}
+
+
+/*
+ * functional interface for NAT lookups of the NAT fragment cache
+ */
+int ipfr_knownfrag(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+ int ret;
+ ipfr_t *ipf;
+
+ MUTEX_ENTER(&ipf_frag);
+ ipf = ipfr_lookup(ip, fin, ipfr_heads);
+ ret = ipf ? ipf->ipfr_pass : 0;
MUTEX_EXIT(&ipf_frag);
- return 0;
+ return ret;
}
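Review bot: ipfr_nat_knownfrag() searches `ipfr_heads`, but NAT fragment entries are inserted into `ipfr_nattab` by ipfr_nat_newfrag() and entries in ipfr_heads have `ipfr_data` set to NULL at creation, so this lookup can never return a NAT entry; the call should be `ipf = ipfr_lookup(ip, fin, ipfr_nattab);`. Walking ipfr_heads under ipf_natfrag is also a race, because ipfr_lookup() moves the found entry to the head of its chain while ipfr_knownfrag() and ipfr_slowtimer() modify that same chain under ipf_frag. The two function comments are swapped as well: "functional interface for normal lookups" sits above the NAT function and "NAT lookups of the NAT fragment cache" above the plain one.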
@@ -223,20 +302,35 @@ fr_info_t *fin;
void ipfr_unload()
{
ipfr_t **fp, *fr;
+ nat_t *nat;
int idx;
#if !SOLARIS && defined(_KERNEL)
int s;
#endif
- MUTEX_ENTER(&ipf_frag);
SPLNET(s);
+ MUTEX_ENTER(&ipf_frag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
*fp = fr->ipfr_next;
KFREE(fr);
}
- SPLX(s);
MUTEX_EXIT(&ipf_frag);
+
+ MUTEX_ENTER(&ipf_nat);
+ MUTEX_ENTER(&ipf_natfrag);
+ for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+ for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
+ *fp = fr->ipfr_next;
+ if ((nat = (nat_t *)fr->ipfr_data)) {
+ if (nat->nat_frag == fr)
+ nat->nat_frag = NULL;
+ }
+ KFREE(fr);
+ }
+ MUTEX_EXIT(&ipf_natfrag);
+ MUTEX_EXIT(&ipf_nat);
+ SPLX(s);
}
@@ -252,11 +346,17 @@ int ipfr_slowtimer()
# endif
{
ipfr_t **fp, *fr;
+ nat_t *nat;
int s, idx;
MUTEX_ENTER(&ipf_frag);
SPLNET(s);
+ /*
+ * Go through the entire table, looking for entries to expire,
+ * decreasing the ttl by one for each entry. If it reaches 0,
+ * remove it from the chain and free it.
+ */
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
--fr->ipfr_ttl;
@@ -274,12 +374,45 @@ int ipfr_slowtimer()
} else
fp = &fr->ipfr_next;
}
+ MUTEX_EXIT(&ipf_frag);
+
+ /*
+ * Same again for the NAT table, except that if the structure also
+ * still points to a NAT structure, and the NAT structure points back
+ * at the one to be free'd, NULL the reference from the NAT struct.
+ * NOTE: We need to grab both mutex's early, and in this order so as
+ * to prevent a deadlock if both try to expire at the same time.
+ */
+ MUTEX_ENTER(&ipf_nat);
+ MUTEX_ENTER(&ipf_natfrag);
+ for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+ for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
+ --fr->ipfr_ttl;
+ if (fr->ipfr_ttl == 0) {
+ if (fr->ipfr_prev)
+ fr->ipfr_prev->ipfr_next =
+ fr->ipfr_next;
+ if (fr->ipfr_next)
+ fr->ipfr_next->ipfr_prev =
+ fr->ipfr_prev;
+ *fp = fr->ipfr_next;
+ ipfr_stats.ifs_expire++;
+ ipfr_inuse--;
+ if ((nat = (nat_t *)fr->ipfr_data)) {
+ if (nat->nat_frag == fr)
+ nat->nat_frag = NULL;
+ }
+ KFREE(fr);
+ } else
+ fp = &fr->ipfr_next;
+ }
+ MUTEX_EXIT(&ipf_natfrag);
+ MUTEX_EXIT(&ipf_nat);
SPLX(s);
# if SOLARIS
- MUTEX_EXIT(&ipf_frag);
fr_timeoutstate();
ip_natexpire();
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2);
+ ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
# else
fr_timeoutstate();
ip_natexpire();
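Review bot: The NAT-table expiry loop is a copy of the ipfr_heads loop above it with three lines added for the nat back-pointer; a static helper taking the table pointer and a flag for the back-pointer handling would keep the two in step and make it obvious that `ipfr_inuse--` and `ifs_expire` are shared counters across both tables. The lock-order comment is worth keeping, since it is the only written statement of the ipf_nat-before-ipf_natfrag rule that ipfr_unload() and, presumably, nat_delete() also rely on. ipfr_slowtimer() starts before this hunk.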
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
index 28b314c72aff..df275babb318 100644
--- a/contrib/ipfilter/ip_frag.h
+++ b/contrib/ipfilter/ip_frag.h
@@ -1,21 +1,22 @@
/*
- * (C)opyright 1993, 1994, 1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.0.2.4 1997/03/27 13:45:09 darrenr Exp $
+ * $Id: ip_frag.h,v 2.0.2.7 1997/05/08 10:10:18 darrenr Exp $
*/
-#ifndef __IP_FRAG_H_
+#ifndef __IP_FRAG_H__
#define __IP_FRAG_H__
#define IPFT_SIZE 257
typedef struct ipfr {
struct ipfr *ipfr_next, *ipfr_prev;
+ void *ipfr_data;
struct in_addr ipfr_src;
struct in_addr ipfr_dst;
u_short ipfr_id;
@@ -35,14 +36,18 @@ typedef struct ipfrstat {
u_long ifs_expire;
u_long ifs_inuse;
struct ipfr **ifs_table;
+ struct ipfr **ifs_nattab;
} ipfrstat_t;
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
extern ipfrstat_t *ipfr_fragstats __P((void));
extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int));
+extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, int, struct nat *));
+extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
extern int ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_unload __P((void));
+
#if (BSD >= 199306) || SOLARIS
extern void ipfr_slowtimer __P((void));
#else
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index 7e0e38177089..3c9476fe68d2 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -9,10 +9,10 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $";
+static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp $";
#endif
-#if defined(__FreeBSD__) && defined(KERNEL)
+#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
@@ -26,7 +26,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#include <sys/ioctl.h>
+#if defined(KERNEL) && (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fnctl.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#include <sys/fcntl.h>
#include <sys/uio.h>
#include <sys/protosw.h>
#include <sys/socket.h>
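Review bot: `# include <sys/fnctl.h>` looks like a typo for `<sys/fcntl.h>`: I know of no such header in the BSD trees, the matching edits in ip_fil.c and ip_frag.c spell it `<sys/fcntl.h>`, and the unconditional `#include <sys/fcntl.h>` a few lines below already pulls it in. Dropping the misspelled line is enough; the FreeBSD-2.2 kernel branch then matches what ip_frag.c does.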
@@ -36,13 +42,19 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $
#if !defined(__SVR4) && !defined(__svr4__)
# include <sys/mbuf.h>
#else
+# include <sys/filio.h>
# include <sys/byteorder.h>
# include <sys/dditypes.h>
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
-
+#if __FreeBSD_version >= 300000
+# include <sys/queue.h>
+#endif
#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#ifdef sun
#include <net/af.h>
#endif
@@ -62,36 +74,30 @@ extern struct ifnet vpnif;
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
+#undef SOCKADDR_IN
+#define SOCKADDR_IN struct sockaddr_in
nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
ipnat_t *nat_list = NULL;
-u_long nat_inuse = 0,
- fr_defnatage = 1200;
+u_long fr_defnatage = 1200;
natstat_t nat_stats;
-#if SOLARIS
-# ifndef _KERNEL
-#define bzero(a,b) memset(a,0,b)
-#define bcmp(a,b,c) memcpy(a,b,c)
-#define bcopy(a,b,c) memmove(b,a,c)
-# else
+#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_nat;
-# endif
+extern kmutex_t ipf_natfrag;
#endif
static int flush_nattable __P((void)), clear_natlist __P((void));
-static void nattable_sync __P((void)), nat_delete __P((struct nat *));
-static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
-static void fix_outcksum __P((u_short *, u_long));
-static void fix_incksum __P((u_short *, u_long));
-static void fix_outcksum(sp, n)
+void fix_outcksum(sp, n)
u_short *sp;
u_long n;
{
@@ -112,7 +118,7 @@ u_long n;
}
-static void fix_incksum(sp, n)
+void fix_incksum(sp, n)
u_short *sp;
u_long n;
{
@@ -197,6 +203,7 @@ int cmd, mode;
}
IRCOPY((char *)data, (char *)n, sizeof(*n));
n->in_ifp = (void *)GETUNIT(n->in_ifname);
+ n->in_apr = ap_match(n->in_p, n->in_plabel);
n->in_next = *np;
n->in_use = 0;
n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
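Review bot: `n->in_apr = ap_match(n->in_p, n->in_plabel);` hands a label copied straight from userland by the IRCOPY two lines up to the proxy matcher; if ap_match() compares it with strcmp()/strlen(), a request whose in_plabel carries no NUL would read past the field. Forcing termination right after the copy, `n->in_plabel[sizeof(n->in_plabel) - 1] = '\0';`, closes that regardless of how ap_match() compares. Neither the field width nor ap_match() is visible in this diff, and nat_ioctl() starts before the hunk.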
@@ -208,7 +215,7 @@ int cmd, mode;
n->in_nip = ntohl(n->in_outip) + 1;
else
n->in_nip = ntohl(n->in_outip);
- if (n->in_redir == NAT_MAP) {
+ if (n->in_redir & NAT_MAP) {
n->in_pnext = ntohs(n->in_pmin);
/*
* Multiply by the number of ports made available.
@@ -219,6 +226,7 @@ int cmd, mode;
}
/* Otherwise, these fields are preset */
*np = n;
+ nat_stats.ns_rules++;
break;
case SIOCRMNAT :
if (!(mode & FWRITE)) {
@@ -230,15 +238,20 @@ int cmd, mode;
break;
}
*np = n->in_next;
-
- KFREE(n);
- nattable_sync();
+ if (!n->in_use) {
+ if (n->in_apr)
+ ap_free(n->in_apr);
+ KFREE(n);
+ nat_stats.ns_rules--;
+ } else {
+ n->in_flags |= IPN_DELETE;
+ n->in_next = NULL;
+ }
break;
case SIOCGNATS :
nat_stats.ns_table[0] = nat_table[0];
nat_stats.ns_table[1] = nat_table[1];
nat_stats.ns_list = nat_list;
- nat_stats.ns_inuse = nat_inuse;
IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
break;
case SIOCGNATL :
@@ -269,6 +282,11 @@ int cmd, mode;
ret = clear_natlist();
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
+ case FIONREAD :
+#ifdef IPFILTER_LOG
+ *(int *)data = iplused[IPL_LOGNAT];
+#endif
+ break;
}
SPLX(s);
MUTEX_EXIT(&ipf_nat);
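Review bot: The switch now ends after the new FIONREAD case without a `default:` branch, and since iplioctl() in this same commit forwards every command on the NAT device here, an unknown ioctl returns whatever `error` was initialised to instead of EINVAL (unless a default label sits earlier in the switch, outside this hunk). Adding `default : error = EINVAL; break;` restores the rejection the old iplioctl() switch provided. nat_ioctl() begins outside the hunk.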
@@ -280,6 +298,7 @@ static void nat_delete(natd)
struct nat *natd;
{
register struct nat **natp, *nat;
+ struct ipnat *ipn;
for (natp = natd->nat_hstart[0]; (nat = *natp);
natp = &nat->nat_hnext[0])
@@ -295,12 +314,21 @@ struct nat *natd;
break;
}
- if (natd->nat_ptr) {
- natd->nat_ptr->in_space++;
- natd->nat_ptr->in_use--;
+ if ((ipn = natd->nat_ptr)) {
+ ipn->in_space++;
+ ipn->in_use--;
+ if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
+ if (ipn->in_apr)
+ ap_free(ipn->in_apr);
+ KFREE(ipn);
+ nat_stats.ns_rules--;
+ }
}
+ MUTEX_ENTER(&ipf_natfrag);
+ if (nat->nat_frag && nat->nat_frag->ipfr_data == nat)
+ nat->nat_frag->ipfr_data = NULL;
+ MUTEX_EXIT(&ipf_natfrag);
KFREE(natd);
- nat_inuse--;
}
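Review bot: The new back-pointer clearing uses `nat` in `if (nat->nat_frag && nat->nat_frag->ipfr_data == nat)` where the entry being deleted is `natd`; `nat` is the cursor of the hash-chain loops above, and it is NULL if natd was not found in the second chain, which would make this line a NULL dereference. Writing `natd` in all three places says what is meant and removes that dependency on the loop state. Separately, `nat_inuse--` is removed and nothing in the visible tail of nat_delete() decrements `nat_stats.ns_inuse`, so if nat_new() increments it (not shown here) the active-session count will only ever grow; the middle of nat_delete() is outside this hunk.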
@@ -330,43 +358,27 @@ static int flush_nattable()
/*
- * I know this is O(N*M), but it can't be avoided.
- */
-static void nattable_sync()
-{
- register nat_t *nat;
- register ipnat_t *np;
- int i;
-
- for (i = NAT_SIZE - 1; i >= 0; i--)
- for (nat = nat_instances; nat; nat = nat->nat_next) {
- for (np = nat_list; np; np = np->in_next)
- if (nat->nat_ptr == np)
- break;
- /*
- * XXX - is it better to remove this if ? works the
- * same if it is just "nat->nat_ptr = np".
- */
- if (!np)
- nat->nat_ptr = NULL;
- }
-}
-
-
-/*
* clear_natlist - delete all entries in the active NAT mapping list.
*/
static int clear_natlist()
{
- register ipnat_t *n, **np;
+ register ipnat_t *n, **np = &nat_list;
int i = 0;
- for (np = &nat_list; (n = *np); i++) {
+ while ((n = *np)) {
*np = n->in_next;
- KFREE(n);
+ if (!n->in_use) {
+ if (n->in_apr)
+ ap_free(n->in_apr);
+ KFREE(n);
+ nat_stats.ns_rules--;
+ i++;
+ } else {
+ n->in_flags |= IPN_DELETE;
+ n->in_next = NULL;
+ }
}
-
- nattable_sync();
+ nat_stats.ns_inuse = 0;
return i;
}
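Review bot: `nat_stats.ns_inuse = 0;` at the end of the rewritten clear_natlist resets the active-mapping count even though this function only unlinks rules: every rule with `in_use` set is deferred with IPN_DELETE and its NAT entries remain in the table, and ns_inuse is incremented per entry in nat_new in this same commit. If the matching decrement happens when those entries are later deleted (not visible here), the counter goes negative; dropping the assignment, or leaving the reset to flush_nattable which actually removes entries, keeps the statistic consistent. The returned `i` now also counts only rules freed immediately, not deferred ones, which the SIOCCNATL caller may not expect; a comment such as `/* returns rules freed now; rules still referenced are deferred until their last mapping dies */` would make that explicit.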
@@ -374,7 +386,7 @@ static int clear_natlist()
/*
* Create a new NAT table entry.
*/
-static nat_t *nat_new(np, ip, fin, flags, direction)
+nat_t *nat_new(np, ip, fin, flags, direction)
ipnat_t *np;
ip_t *ip;
fr_info_t *fin;
@@ -426,15 +438,31 @@ int direction;
struct ifaddr *ifa;
struct sockaddr_in *sin;
+# if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_FIRST(&ifp->if_addrhead);
+# else
+# ifdef __NetBSD__
+ ifa = ifp->if_addrlist.tqh_first;
+# else
ifa = ifp->if_addrlist;
+# endif
+# endif
# if BSD < 199306
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
+ sin = (SOCKADDR_IN *)&ifa->ifa_addr;
# else
- sin = (struct sockaddr_in *)ifa->ifa_addr;
+ sin = (SOCKADDR_IN *)ifa->ifa_addr;
while (sin && ifa &&
sin->sin_family != AF_INET) {
+# if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_NEXT(ifa, ifa_link);
+# else
+# ifdef __NetBSD__
+ ifa = ifa->ifa_list.tqe_next;
+# else
ifa = ifa->ifa_next;
- sin = (struct sockaddr_in *)ifa->ifa_addr;
+# endif
+# endif
+ sin = (SOCKADDR_IN *)ifa->ifa_addr;
}
if (!ifa)
sin = NULL;
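Review bot: In the `BSD >= 199306` branch the loop body advances `ifa` and then dereferences it unconditionally with `sin = (SOCKADDR_IN *)ifa->ifa_addr;` before the `while (sin && ifa && ...)` test is re-evaluated, so an interface with no AF_INET address walks off the end of the list and faults; the `if (!ifa) sin = NULL;` after the loop comes too late. The initial `sin = (SOCKADDR_IN *)ifa->ifa_addr;` has the same problem when the address list is empty. Guarding both as `sin = ifa ? (SOCKADDR_IN *)ifa->ifa_addr : NULL;` fixes it for all three list flavours introduced here. nat_new's body continues outside this hunk.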
@@ -465,7 +493,8 @@ int direction;
if ((np->in_nip & ntohl(np->in_outmsk)) >
ntohl(np->in_outip))
np->in_nip = ntohl(np->in_outip) + 1;
- } while (nat_inlookup(flags, ip->ip_dst, dport, in, port));
+ } while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst,
+ dport, in, port));
/* Setup the NAT table */
nat->nat_inip = ip->ip_src;
@@ -562,7 +591,10 @@ int direction;
nat->nat_hnext[1] = *natp;
*natp = nat;
nat->nat_ptr = np;
- np->in_use++;
+ nat->nat_bytes = 0;
+ nat->nat_pkts = 0;
+ nat->nat_ifp = fin->fin_ifp;
+ nat->nat_dir = direction;
if (direction == NAT_OUTBOUND) {
if (flags & IPN_TCPUDP)
tcp->th_sport = htons(port);
@@ -571,7 +603,8 @@ int direction;
tcp->th_dport = htons(nport);
}
nat_stats.ns_added++;
- nat_inuse++;
+ nat_stats.ns_inuse++;
+ np->in_use++;
return nat;
}
@@ -586,7 +619,8 @@ int direction;
* we're looking for a table entry, based on the destination address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
-nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport)
+nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport)
+void *ifp;
register int flags;
struct in_addr src , mapdst;
u_short sport, mapdport;
@@ -597,7 +631,8 @@ u_short sport, mapdport;
nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
for (; nat; nat = nat->nat_hnext[1])
- if (nat->nat_oip.s_addr == src.s_addr &&
+ if ((!ifp || ifp == nat->nat_ifp) &&
+ nat->nat_oip.s_addr == src.s_addr &&
nat->nat_outip.s_addr == mapdst.s_addr &&
flags == nat->nat_flags && (!flags ||
(nat->nat_oport == sport &&
@@ -613,7 +648,8 @@ u_short sport, mapdport;
* we're looking for a table entry, based on the source address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
-nat_t *nat_outlookup(flags, src, sport, dst, dport)
+nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport)
+void *ifp;
register int flags;
struct in_addr src , dst;
u_short sport, dport;
@@ -624,7 +660,8 @@ u_short sport, dport;
nat = nat_table[0][src.s_addr % NAT_SIZE];
for (; nat; nat = nat->nat_hnext[0])
- if (nat->nat_inip.s_addr == src.s_addr &&
+ if ((!ifp || ifp == nat->nat_ifp) &&
+ nat->nat_inip.s_addr == src.s_addr &&
nat->nat_oip.s_addr == dst.s_addr &&
flags == nat->nat_flags && (!flags ||
(nat->nat_inport == sport && nat->nat_oport == dport)))
@@ -638,7 +675,8 @@ u_short sport, dport;
* real destination address/port. We use this lookup when sending a packet
* out, we're looking for a table entry, based on the source address.
*/
-nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport)
+nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport)
+void *ifp;
register int flags;
struct in_addr mapsrc , dst;
u_short mapsport, dport;
@@ -649,8 +687,9 @@ u_short mapsport, dport;
nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
for (; nat; nat = nat->nat_hnext[0])
- if (nat->nat_outip.s_addr == mapsrc.s_addr &&
+ if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_oip.s_addr == dst.s_addr &&
+ nat->nat_outip.s_addr == mapsrc.s_addr &&
flags == nat->nat_flags && (!flags ||
(nat->nat_outport == mapsport &&
nat->nat_oport == dport)))
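Review bot: The chain walk in nat_lookupmapip starts from a `nat_table[1]` bucket but follows `nat_hnext[0]`, whereas nat_inlookup, which searches the same table, follows `nat_hnext[1]`; entries are linked into each table through the matching `nat_hnext` index (nat_new does `nat->nat_hnext[1] = *natp` for the second insertion), so after the first node this loop is traversing the other table's chain and can miss entries or compare against unrelated ones. The line is unchanged context, but the comparison reordered here sits inside that loop, so `for (; nat; nat = nat->nat_hnext[1])` is the fix to make together with it unless the mixed indices are deliberate, in which case a comment is needed. The function's tail is outside the hunk.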
@@ -671,7 +710,7 @@ register natlookup_t *np;
* If nl_inip is non null, this is a lookup based on the real
* ip address. Else, we use the fake.
*/
- if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport,
+ if ((nat = nat_outlookup(NULL, IPN_TCPUDP, np->nl_inip, np->nl_inport,
np->nl_outip, np->nl_outport))) {
np->nl_inip = nat->nat_outip;
np->nl_inport = nat->nat_outport;
@@ -718,43 +757,56 @@ fr_info_t *fin;
ipa = ip->ip_src.s_addr;
MUTEX_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next)
- if ((np->in_ifp == ifp) && np->in_space &&
- (!np->in_flags || (np->in_flags & nflags)) &&
- ((ipa & np->in_inmsk) == np->in_inip) &&
- ((np->in_redir == NAT_MAP) ||
- (np->in_pnext == sport))) {
- /*
- * If there is no current entry in the nat table for
- * this IP#, create one for it.
- */
- if (!(nat = nat_outlookup(nflags, ip->ip_src, sport,
- ip->ip_dst, dport))) {
+ if ((nat = ipfr_nat_knownfrag(ip, fin)))
+ ;
+ else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
+ ip->ip_dst, dport)))
+ np = nat->nat_ptr;
+ else
+ /*
+ * If there is no current entry in the nat table for this IP#,
+ * create one for it (if there is a matching rule).
+ */
+ for (np = nat_list; np; np = np->in_next)
+ if ((np->in_ifp == ifp) && np->in_space &&
+ (!np->in_flags || (np->in_flags & nflags)) &&
+ ((ipa & np->in_inmsk) == np->in_inip) &&
+ ((np->in_redir & NAT_MAP) ||
+ (np->in_pnext == sport))) {
+ if (*np->in_plabel && !ap_ok(ip, tcp, np))
+ continue;
/*
- * If it's a redirection, then we don't want
- * to create new outgoing port stuff.
+ * If it's a redirection, then we don't want to
+ * create new outgoing port stuff.
* Redirections are only for incoming
* connections.
*/
- if (np->in_redir == NAT_REDIRECT)
+ if (!(np->in_redir & NAT_MAP))
continue;
- if (!(nat = nat_new(np, ip, fin, nflags,
+ if ((nat = nat_new(np, ip, fin, nflags,
NAT_OUTBOUND)))
- break;
#ifdef IPFILTER_LOG
- nat_log(nat, (u_short)np->in_redir);
+ nat_log(nat, (u_short)np->in_redir);
+#else
+ ;
#endif
+ break;
}
- ip->ip_src = nat->nat_outip;
- nat->nat_age = fr_defnatage; /* 5 mins */
+ if (nat) {
+ if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
+ ipfr_nat_newfrag(ip, fin, 0, nat);
+ nat->nat_age = fr_defnatage;
+ ip->ip_src = nat->nat_outip;
+ nat->nat_bytes += ip->ip_len;
+ nat->nat_pkts++;
/*
* Fix up checksums, not by recalculating them, but
* simply computing adjustments.
*/
#if SOLARIS
- if (np->in_redir == NAT_MAP)
+ if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
else
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
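Review bot: When nat_new fails the rule loop still executes `break;` with `nat` left NULL, because the `if ((nat = nat_new(...)))` now guards only the nat_log call, so the packet skips the `if (nat)` translation block and, judging by the `return 1` that follows the translated path, appears to leave with its internal source address untouched; for a NAT gateway that is an address leak under table exhaustion, and the caller should be told to drop rather than forward. A short comment on the `break`, e.g. `/* nat_new failed: stop searching; packet continues untranslated */`, would at least make the current behaviour explicit until the return path (outside this hunk) is changed. Note also that `np` is never assigned on the ipfr_nat_knownfrag path, which is fine only as long as nothing after the `if (nat)` block reads it.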
@@ -770,6 +822,14 @@ fr_info_t *fin;
csump = &tcp->th_sum;
fr_tcp_age(&nat->nat_age,
nat->nat_state, ip, fin,1);
+ /*
+ * Increase this because we may have
+ * "keep state" following this too and
+ * packet storms can occur if this is
+ * removed too quickly.
+ */
+ if (nat->nat_age == fr_tcpclosed)
+ nat->nat_age = fr_tcplastack;
} else if (ip->ip_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@@ -781,7 +841,7 @@ fr_info_t *fin;
csump = &ic->icmp_cksum;
}
if (csump) {
- if (np->in_redir == NAT_MAP)
+ if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump,
nat->nat_sumd);
else
@@ -789,6 +849,7 @@ fr_info_t *fin;
nat->nat_sumd);
}
}
+ (void) ap_check(ip, tcp, fin, nat);
nat_stats.ns_mapped[1]++;
MUTEX_EXIT(&ipf_nat);
return 1;
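Review bot: The result of `ap_check(ip, tcp, fin, nat)` is discarded with a `(void)` cast and the call is placed after the checksum adjustments, whereas ip_natin in this same commit calls it before rewriting ip_dst and before any checksum fix. If ap_check can rewrite payload or fail, the outbound packet goes out with pre-proxy checksums and a failure is silently forwarded; either the proxy layer must repair checksums itself (worth stating, `/* ap_check runs after the NAT checksum fixups; proxies must repair any checksum they touch */`) or the two callers should agree on ordering and act on the return value. ip_natout starts outside this hunk.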
@@ -829,38 +890,55 @@ fr_info_t *fin;
in = ip->ip_dst;
MUTEX_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next)
- if ((np->in_ifp == ifp) &&
- (!np->in_flags || (nflags & np->in_flags)) &&
- ((in.s_addr & np->in_outmsk) == np->in_outip) &&
- (np->in_redir == NAT_MAP || np->in_pmin == dport)) {
- if (!(nat = nat_inlookup(nflags, ip->ip_src, sport,
- ip->ip_dst, dport))) {
+
+ if ((nat = ipfr_nat_knownfrag(ip, fin)))
+ ;
+ else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
+ ip->ip_dst, dport)))
+ np = nat->nat_ptr;
+ else
+ /*
+ * If there is no current entry in the nat table for this IP#,
+ * create one for it (if there is a matching rule).
+ */
+ for (np = nat_list; np; np = np->in_next)
+ if ((np->in_ifp == ifp) &&
+ (!np->in_flags || (nflags & np->in_flags)) &&
+ ((in.s_addr & np->in_outmsk) == np->in_outip) &&
+ (np->in_redir & NAT_REDIRECT ||
+ np->in_pmin == dport)) {
/*
* If this rule (np) is a redirection, rather
* than a mapping, then do a nat_new.
* Otherwise, if it's just a mapping, do a
* continue;
*/
- if (np->in_redir == NAT_MAP)
+ if (!(np->in_redir & NAT_REDIRECT))
continue;
- if (!(nat = nat_new(np, ip, fin, nflags,
+ if ((nat = nat_new(np, ip, fin, nflags,
NAT_INBOUND)))
- break;
#ifdef IPFILTER_LOG
- nat_log(nat, (u_short)np->in_redir);
+ nat_log(nat, (u_short)np->in_redir);
+#else
+ ;
#endif
+ break;
}
- ip->ip_dst = nat->nat_inip;
-
+ if (nat) {
+ if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
+ ipfr_nat_newfrag(ip, fin, 0, nat);
+ (void) ap_check(ip, tcp, fin, nat);
nat->nat_age = fr_defnatage;
+ ip->ip_dst = nat->nat_inip;
+ nat->nat_bytes += ip->ip_len;
+ nat->nat_pkts++;
/*
* Fix up checksums, not by recalculating them, but
* simply computing adjustments.
*/
#if SOLARIS
- if (np->in_redir == NAT_MAP)
+ if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
else
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
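Review bot: `(void) ap_check(ip, tcp, fin, nat);` runs before `ip->ip_dst = nat->nat_inip` and before the checksum fixups, so an inbound proxy sees the still-public destination address, while the outbound path in ip_natout calls ap_check after translation and after the checksum adjustments; whichever view the proxies are written for, one of the two call sites is giving them the other. A comment here stating the intended contract, e.g. `/* proxies see the packet before inbound translation */`, and the same ordering in ip_natout would remove the ambiguity. As in ip_natout, a failed nat_new still hits `break;` with `nat` NULL and the packet falls out of the `if (nat)` block untranslated; the return path is outside this hunk.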
@@ -875,6 +953,14 @@ fr_info_t *fin;
csump = &tcp->th_sum;
fr_tcp_age(&nat->nat_age,
nat->nat_state, ip, fin,0);
+ /*
+ * Increase this because we may have
+ * "keep state" following this too and
+ * packet storms can occur if this is
+ * removed too quickly.
+ */
+ if (nat->nat_age == fr_tcpclosed)
+ nat->nat_age = fr_tcplastack;
} else if (ip->ip_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
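Review bot: This age bump duplicates, comment and all, the block added to ip_natout in the same commit; a small static helper around fr_tcp_age, or folding the `fr_tcpclosed` → `fr_tcplastack` substitution into one place, would keep the two NAT paths from drifting. The test also depends on fr_tcp_age storing exactly `fr_tcpclosed` for a closed connection (its body is not visible here), so a comment such as `/* fr_tcp_age leaves fr_tcpclosed on close; keep the mapping alive a little longer for keep-state */` is worth having next to the comparison. ip_natin continues outside the hunk.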
@@ -886,7 +972,7 @@ fr_info_t *fin;
csump = &ic->icmp_cksum;
}
if (csump) {
- if (np->in_redir == NAT_MAP)
+ if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(csump,
nat->nat_sumd);
else
@@ -914,6 +1000,7 @@ void ip_natunload()
SPLNET(s);
(void) clear_natlist();
(void) flush_nattable();
+ (void) ap_unload();
SPLX(s)
MUTEX_EXIT(&ipf_nat);
}
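Review bot: `SPLX(s)` on the line after the added `ap_unload()` call has no terminating semicolon and presumably compiles only because `MUTEX_EXIT(&ipf_nat);` on the next line absorbs it (one of the two macros expanding to nothing on each platform); write `SPLX(s);`. The unload order — clear_natlist, flush_nattable, then ap_unload — is what lets rules deferred with IPN_DELETE be freed through nat_delete before the proxy table goes away; a one-line comment saying so would stop someone reordering it.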
@@ -970,12 +1057,14 @@ u_short type;
# if BSD >= 199306 || defined(__FreeBSD__)
microtime((struct timeval *)&natl);
# endif
+ natl.nl_inip = nat->nat_inip;
+ natl.nl_outip = nat->nat_outip;
+ natl.nl_origip = nat->nat_oip;
+ natl.nl_bytes = nat->nat_bytes;
+ natl.nl_pkts = nat->nat_pkts;
natl.nl_origport = nat->nat_oport;
- natl.nl_outport = nat->nat_outport;
natl.nl_inport = nat->nat_inport;
- natl.nl_origip = nat->nat_oip;
- natl.nl_outip = nat->nat_outip;
- natl.nl_inip = nat->nat_inip;
+ natl.nl_outport = nat->nat_outport;
natl.nl_type = type;
natl.nl_rule = -1;
if (nat->nat_ptr) {
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index bf435e08e3b3..add4a9a237e6 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -1,17 +1,21 @@
/*
- * (C)opyright 1995 by Darren Reed.
+ * (C)opyright 1995-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.0.2.6 1997/03/31 10:05:30 darrenr Exp $
+ * $Id: ip_nat.h,v 2.0.2.12 1997/05/24 07:35:20 darrenr Exp $
*/
-#ifndef __IP_NAT_H_
+#ifndef __IP_NAT_H__
#define __IP_NAT_H__
+#ifndef __IP_PROXY_H__
+#include "netinet/ip_proxy.h"
+#endif
+
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
@@ -44,9 +48,12 @@ typedef struct nat {
int nat_flags;
u_long nat_sumd;
u_long nat_ipsumd;
+ struct ipfr *nat_frag;
struct in_addr nat_inip;
struct in_addr nat_outip;
struct in_addr nat_oip; /* other ip */
+ U_QUAD_T nat_pkts;
+ U_QUAD_T nat_bytes;
u_short nat_oport; /* other port */
u_short nat_inport;
u_short nat_outport;
@@ -56,6 +63,8 @@ typedef struct nat {
struct nat *nat_next;
struct nat *nat_hnext[2];
struct nat **nat_hstart[2];
+ void *nat_ifp;
+ int nat_dir;
} nat_t;
typedef struct ipnat {
@@ -69,8 +78,12 @@ typedef struct ipnat {
u_short in_port[2];
struct in_addr in_in[2];
struct in_addr in_out[2];
+ struct aproxy *in_apr;
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
char in_ifname[IFNAMSIZ];
+ char in_plabel[APR_LABELLEN]; /* proxy label */
+ char in_p; /* protocol */
+ u_short in_dport;
} ipnat_t;
#define in_pmin in_port[0] /* Also holds static redir port */
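Review bot: The new rule fields `in_apr`, `in_plabel`, `in_p` and `in_dport` are appended while IPN_CMPSIZ, unchanged a few lines below (four in_addr, three u_short and an int), still describes the old comparable region; if rule lookup or duplicate detection compares `IPN_CMPSIZ` bytes, two rules differing only in proxy label or destination port compare equal and the second is rejected or silently matched (the comparison itself is not visible in this diff). Either extend IPN_CMPSIZ to cover the new fields or say in a comment that they are deliberately excluded, e.g. `/* in_plabel/in_p/in_dport are not part of the IPN_CMPSIZ key */`.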
@@ -81,11 +94,12 @@ typedef struct ipnat {
#define in_outip in_out[0].s_addr
#define in_outmsk in_out[1].s_addr
-#define NAT_INBOUND 0
-#define NAT_OUTBOUND 1
+#define NAT_OUTBOUND 0
+#define NAT_INBOUND 1
-#define NAT_MAP 0
-#define NAT_REDIRECT 1
+#define NAT_MAP 0x01
+#define NAT_REDIRECT 0x02
+#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \
sizeof(int))
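Review bot: Swapping the values of NAT_INBOUND/NAT_OUTBOUND and turning NAT_MAP/NAT_REDIRECT into bit flags changes what nat_log writes into `nl_type` (`(u_short)np->in_redir`) and what `nat_dir` holds, so an ipmon or ipnat built against the previous header decodes directions and rule types inverted or as unknown; together with the ns_rules field inserted in the middle of natstat in the next hunk this is a kernel/userland ABI break that wants a version check in the tools or at least a HISTORY entry. A comment on the new values, `/* 3.2alpha7: NAT_MAP/NAT_REDIRECT are now bits; NAT_BIMAP is both */`, would help anyone reading older logs.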
@@ -99,6 +113,7 @@ typedef struct natlookup {
typedef struct natstat {
u_long ns_mapped[2];
+ u_long ns_rules;
u_long ns_added;
u_long ns_expire;
u_long ns_inuse;
@@ -108,10 +123,11 @@ typedef struct natstat {
ipnat_t *ns_list;
} natstat_t;
-#define IPN_ANY 0
-#define IPN_TCP 1
-#define IPN_UDP 2
-#define IPN_TCPUDP 3
+#define IPN_ANY 0x00
+#define IPN_TCP 0x01
+#define IPN_UDP 0x02
+#define IPN_TCPUDP 0x03
+#define IPN_DELETE 0x04
typedef struct natlog {
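Review bot: IPN_DELETE is placed in the same word as the protocol selector bits IPN_TCP/IPN_UDP, and ip_natout/ip_natin in this commit still test `np->in_flags` as a protocol mask (`!np->in_flags || (np->in_flags & nflags)`); deferred rules are unlinked from nat_list so they are not matched today, but any code that copies in_flags into nat_flags or prints it now sees a non-protocol bit. Masking where a protocol is meant, `(np->in_flags & IPN_TCPUDP)`, or a comment `/* IPN_DELETE is a lifecycle bit, not a protocol selector */` would keep the next user from tripping on it.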
@@ -124,6 +140,8 @@ typedef struct natlog {
u_short nl_inport;
u_short nl_type;
int nl_rule;
+ U_QUAD_T nl_pkts;
+ U_QUAD_T nl_bytes;
} natlog_t;
@@ -132,18 +150,22 @@ typedef struct natlog {
#define NL_EXPIRE 0xffff
+extern u_long fr_defnatage;
extern nat_t *nat_table[2][NAT_SIZE];
extern int nat_ioctl __P((caddr_t, int, int));
-extern nat_t *nat_outlookup __P((int, struct in_addr, u_short,
+extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
+extern nat_t *nat_outlookup __P((void *, int, struct in_addr, u_short,
struct in_addr, u_short));
-extern nat_t *nat_inlookup __P((int, struct in_addr, u_short,
+extern nat_t *nat_inlookup __P((void *, int, struct in_addr, u_short,
struct in_addr, u_short));
extern nat_t *nat_lookupredir __P((natlookup_t *));
-extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short,
+extern nat_t *nat_lookupmapip __P((void *, int, struct in_addr, u_short,
struct in_addr, u_short));
extern int ip_natout __P((ip_t *, int, fr_info_t *));
extern int ip_natin __P((ip_t *, int, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void));
extern void nat_log __P((struct nat *, u_short));
+extern void fix_incksum __P((u_short *, u_long));
+extern void fix_outcksum __P((u_short *, u_long));
#endif /* __IP_NAT_H__ */
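Review bot: The new prototype declares nat_new's flags parameter as `u_short`, while the sibling lookup prototypes on the same lines use `int` and both callers in ip_nat.c pass `nflags`. nat_new is defined K&R style (identifier list, see the ip_nat.c hunk), and a prototype is only compatible with such a definition if each parameter type equals the default-promoted type of the definition's parameter, which for any short type is `int`; so `u_short` here is incompatible regardless of how `flags` is spelled in the definition, and the call is undefined behaviour on ABIs that pass shorts differently. `extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, int, int));` matches the other declarations.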
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index 5d0e8fe3a896..5a5a33090ba9 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp $";
+static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.8 1997/05/24 07:42:56 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -18,6 +18,7 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp
#include <sys/cpuvar.h>
#include <sys/open.h>
#include <sys/ioctl.h>
+#include <sys/filio.h>
#include <sys/systm.h>
#include <sys/cred.h>
#include <sys/ddi.h>
@@ -43,8 +44,8 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_state.h"
-#include "ip_frag.h"
#include "ip_nat.h"
+#include "ip_frag.h"
#include <inet/ip_ire.h>
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
@@ -63,11 +64,11 @@ int ipllog __P((u_int, int, ip_t *, fr_info_t *, mblk_t *));
static void frflush __P((caddr_t));
char iplbuf[3][IPLLOGSIZE];
caddr_t iplh[3], iplt[3];
-static int iplused[3] = {0, 0, 0};
+int iplused[3] = {0, 0, 0};
#endif /* IPFILTER_LOG */
static int frrequest __P((int, caddr_t, int));
kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
-kmutex_t ipf_frag, ipf_state, ipf_nat;
+kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag;
kcondvar_t iplwait;
@@ -86,6 +87,7 @@ int ipldetach()
mutex_destroy(&ipfs_mutex);
mutex_destroy(&ipf_frag);
mutex_destroy(&ipf_state);
+ mutex_destroy(&ipf_natfrag);
mutex_destroy(&ipf_nat);
return 0;
}
@@ -107,8 +109,9 @@ int iplattach __P((void))
mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL);
+ mutex_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", MUTEX_DRIVER, NULL);
cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2);
+ ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
return 0;
}
@@ -190,6 +193,17 @@ int *rp;
int error = 0, unit;
unit = getminor(dev);
+ if ((2 < unit) || (unit < 0))
+ return ENXIO;
+
+ if (unit == IPL_LOGNAT) {
+ error = nat_ioctl((caddr_t)data, cmd, mode);
+ return error;
+ }
+ if (unit == IPL_LOGSTATE) {
+ error = fr_state_ioctl((caddr_t)data, cmd, mode);
+ return error;
+ }
switch (cmd) {
case SIOCFRENB :
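Review bot: The early dispatch for the NAT and state minors returns whatever nat_ioctl/fr_state_ioctl hand back, and fr_state_ioctl (ip_state.c in this commit) returns -1 for an unrecognised command; a negative value out of a Solaris ioctl(9E) entry point is not an errno, so map it before returning, `if (error < 0) error = EINVAL;`, or make the callee return EINVAL. The bounds test `(2 < unit) || (unit < 0)` is the right shape but the magic 2 should be tied to the minor names it guards, e.g. `/* minors 0..2 are IPL_LOGIPF, IPL_LOGNAT, IPL_LOGSTATE */`. The remaining cases of iplioctl are outside this hunk.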
@@ -304,6 +318,11 @@ int *rp;
IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data,
sizeof(ips_stat_t));
break;
+ case FIONREAD :
+#ifdef IPFILTER_LOG
+ *(int *)data = iplused[IPL_LOGIPF];
+#endif
+ break;
default :
error = EINVAL;
break;
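Review bot: `*(int *)data = iplused[IPL_LOGIPF];` stores through `data` directly, while the SIOCGIPST case just above copies its result out with `IWCOPY(..., (caddr_t)data, ...)`; in this Solaris entry point `data` looks to be the ioctl argument from user space, so the direct store is a kernel write through an unchecked user pointer (a fault at best, an unchecked write into user memory at worst). Use the same path: `{ int n = iplused[IPL_LOGIPF]; IWCOPY((caddr_t)&n, (caddr_t)data, sizeof(n)); }`, and under `#ifndef IPFILTER_LOG` either copy out 0 or return EINVAL so the caller's int is always defined.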
@@ -365,7 +384,11 @@ caddr_t data;
if (!ill)
ire = (ire_t *)-1;
else if ((ipif = ill->ill_ipif)) {
+#if SOLARIS2 > 5
+ ire = ipif_to_ire(ipif);
+#else
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
+#endif
if (!ire)
ire = (ire_t *)-1;
else
@@ -380,7 +403,11 @@ caddr_t data;
if (!ill)
ire = (ire_t *)-1;
else if ((ipif = ill->ill_ipif)) {
+#if SOLARIS2 > 5
+ ire = ipif_to_ire(ipif);
+#else
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
+#endif
if (!ire)
ire = (ire_t *)-1;
}
@@ -629,27 +656,6 @@ mblk_t *m;
#endif /* IPFILTER_LOG */
-u_short ipf_cksum(addr, len)
-register u_short *addr;
-register int len;
-{
- register u_long sum = 0;
-
- for (sum = 0; len > 1; len -= 2)
- sum += *addr++;
-
- /* mop up an odd byte, if necessary */
- if (len == 1)
- sum += *(u_char *)addr;
-
- /*
- * add back carry outs from top 16 bits to low 16 bits
- */
- sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
- sum += (sum >> 16); /* add carry */
- return (u_short)(~sum);
-}
-
/*
* send_reset - this could conceivably be a call to tcp_respond(), but that
* requires a large amount of setting up and isn't any more efficient.
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index edd05b85280d..a6bda8a170ed 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp $";
+static char rcsid[] = "$Id: ip_state.c,v 2.0.2.12 1997/05/24 07:34:10 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -19,12 +19,11 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)
-#include <sys/ioccom.h>
-#include <sys/filio.h>
-#include <sys/fcntl.h>
+#if defined(KERNEL) && (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fcntl.h>
#else
-#include <sys/ioctl.h>
+# include <sys/ioctl.h>
#endif
#include <sys/uio.h>
#include <sys/protosw.h>
@@ -35,6 +34,7 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
#if !defined(__SVR4) && !defined(__svr4__)
# include <sys/mbuf.h>
#else
+# include <sys/filio.h>
# include <sys/byteorder.h>
# include <sys/dditypes.h>
# include <sys/stream.h>
@@ -55,9 +55,10 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_state.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
@@ -67,11 +68,8 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
ipstate_t *ips_table[IPSTATE_SIZE];
int ips_num = 0;
ips_stat_t ips_stats;
-#if SOLARIS
+#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_state;
-# if !defined(_KERNEL)
-#define bcopy(a,b,c) memmove(b,a,c)
-# endif
#endif
@@ -94,10 +92,27 @@ ips_stat_t *fr_statetstats()
}
-#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
- (((s1) == (d2)) && ((d1) == (s2))))
-#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
- (s2).s_addr, (d2).s_addr)
+int fr_state_ioctl(data, cmd, mode)
+caddr_t data;
+int cmd;
+int mode;
+{
+ switch (cmd)
+ {
+ case SIOCGIPST :
+ IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
+ break;
+ case FIONREAD :
+#ifdef IPFILTER_LOG
+ *(int *)data = iplused[IPL_LOGSTATE];
+#endif
+ break;
+ default :
+ return -1;
+ }
+ return 0;
+}
+
/*
* Create a new ipstate structure and hang it off the hash table.
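Review bot: fr_state_ioctl returns -1 for an unknown command, and its new caller in ip_sfil.c returns that value straight from the ioctl entry point, where only positive errno values are meaningful; return `EINVAL` from the `default` case instead. The FIONREAD case stores through `*(int *)data` directly although the SIOCGIPST case beside it uses IWCOPY; on the Solaris build this function is reached with what appears to be a user address in `data` (every other output in that iplioctl goes through IWCOPY), so it needs `{ int n = iplused[IPL_LOGSTATE]; IWCOPY((caddr_t)&n, data, sizeof(n)); }` as well. A header comment noting that `data` is a kernel buffer on BSD but a user pointer on Solaris would explain why IWCOPY is mandatory here.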
@@ -212,6 +227,8 @@ u_int pass;
ipstate_log(is, ISL_NEW);
#endif
MUTEX_EXIT(&ipf_state);
+ if (fin->fin_fi.fi_fl & FI_FRAG)
+ ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
return 0;
}
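Review bot: `ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE)` uses XOR to strip the keep-state bit, which is only correct if that bit is guaranteed set in `pass` on every call to this function; if a caller ever passes a value without it, XOR turns the bit on instead. `pass & ~FR_KEEPSTATE` expresses the intent and is correct either way. The call is also made after MUTEX_EXIT(&ipf_state), which is fine for a fragment-table insert but worth a comment (`/* fragment table has its own lock; must not hold ipf_state here */` if that is the reason) since everything above it runs under that lock; fr_addstate begins outside this hunk.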
@@ -346,8 +363,9 @@ fr_info_t *fin;
is->is_pkts++;
is->is_bytes += ip->ip_len;
ips_stats.iss_hits++;
+ pass = is->is_pass;
MUTEX_EXIT(&ipf_state);
- return is->is_pass;
+ return pass;
}
MUTEX_EXIT(&ipf_state);
break;
@@ -364,10 +382,10 @@ fr_info_t *fin;
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
IPPAIR(src, dst, is->is_src, is->is_dst))
if (fr_tcpstate(is, fin, ip, tcp, sport)) {
+ pass = is->is_pass;
#ifdef _KERNEL
MUTEX_EXIT(&ipf_state);
#else
- int pass = is->is_pass;
if (tcp->th_flags & TCP_CLOSE) {
*isp = is->is_next;
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index 33395fc7021c..930110157488 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -1,12 +1,12 @@
/*
- * (C)opyright 1995 by Darren Reed.
+ * (C)opyright 1995-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.0.2.5 1997/03/31 10:05:32 darrenr Exp $
+ * $Id: ip_state.h,v 2.0.2.9 1997/05/24 07:35:11 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -14,6 +14,12 @@
#define IPSTATE_SIZE 257
#define IPSTATE_MAX 2048 /* Maximum number of states held */
+#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
+ (((s1) == (d2)) && ((d1) == (s2))))
+#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
+ (s2).s_addr, (d2).s_addr)
+
+
typedef struct udpstate {
u_short us_sport;
u_short us_dport;
@@ -106,6 +112,14 @@ typedef struct ips_stat {
ipstate_t **iss_table;
} ips_stat_t;
+
+extern u_long fr_tcpidletimeout;
+extern u_long fr_tcpclosewait;
+extern u_long fr_tcplastack;
+extern u_long fr_tcptimeout;
+extern u_long fr_tcpclosed;
+extern u_long fr_udptimeout;
+extern u_long fr_icmptimeout;
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
tcphdr_t *, u_short));
extern ips_stat_t *fr_statetstats __P((void));
@@ -115,4 +129,5 @@ extern void fr_timeoutstate __P((void));
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
extern void fr_stateunload __P((void));
extern void ipstate_log __P((struct ipstate *, u_short));
+extern int fr_state_ioctl __P((caddr_t, int, int));
#endif /* __IP_STATE_H__ */
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index d4747a1d8353..326ffe38efbd 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -5,6 +5,9 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
+#ifdef __FreeBSD__
+# include <osreldate.h>
+#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
@@ -22,7 +25,11 @@
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
+#include <sys/time.h>
#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/nameser.h>
@@ -33,7 +40,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ipf.c,v 2.0.2.5 1997/03/31 10:05:33 darrenr Exp $";
+static char rcsid[] = "$Id: ipf.c,v 2.0.2.6 1997/04/30 13:59:59 darrenr Exp $";
#endif
#if SOLARIS
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
index 4d35281dfc45..67554cb820b8 100644
--- a/contrib/ipfilter/ipf.h
+++ b/contrib/ipfilter/ipf.h
@@ -1,14 +1,17 @@
/*
- * (C)opyright 1993-1996 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 2.0.2.4 1997/03/27 13:45:18 darrenr Exp $
+ * $Id: ipf.h,v 2.0.2.6 1997/04/30 13:49:05 darrenr Exp $
*/
+#ifndef __IPF_H__
+#define __IPF_H__
+
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
@@ -46,12 +49,6 @@ extern void binprint __P((struct frentry *)), initparse __P((void));
extern u_short portnum __P((char *));
-#if defined(__SVR4) || defined(__svr4__)
-#define index strchr
-#define bzero(a,b) memset(a, 0, b)
-#define bcopy(a,b,c) memmove(b,a,c)
-#endif
-
struct ipopt_names {
int on_value;
int on_bit;
@@ -79,3 +76,4 @@ extern char *sys_errlist[];
#define MIN(a,b) ((a) > (b) ? (b) : (a))
#endif
+#endif /* __IPF_H__ */
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
index 13e85577de6b..e1f228f90756 100644
--- a/contrib/ipfilter/ipft_ef.c
+++ b/contrib/ipfilter/ipft_ef.c
@@ -31,6 +31,7 @@ etherfind -n -t
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
@@ -42,12 +43,13 @@ etherfind -n -t
#include <netinet/tcpip.h>
#include <net/if.h>
#include <netdb.h>
+#include "ip_compat.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.3 1997/03/10 08:10:24 darrenr Exp $";
+static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp $";
#endif
static int etherf_open __P((char *));
diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c
index e57eedae7d5c..30b3d6d93959 100644
--- a/contrib/ipfilter/ipft_hx.c
+++ b/contrib/ipfilter/ipft_hx.c
@@ -16,6 +16,7 @@
#endif
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
@@ -33,12 +34,13 @@
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
+#include "ip_compat.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.3 1997/03/10 08:10:25 darrenr Exp $";
+static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.4 1997/04/30 13:55:07 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c
index 5b8967a534a2..948a8921ecf4 100644
--- a/contrib/ipfilter/ipft_pc.c
+++ b/contrib/ipfilter/ipft_pc.c
@@ -25,12 +25,13 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
+#include "ip_compat.h"
#include "ipf.h"
#include "ipt.h"
#include "pcap.h"
#if !defined(lint) && defined(LIBC_SCCS)
-static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.3 1997/03/10 08:10:26 darrenr Exp $";
+static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp $";
#endif
struct llc {
diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c
index e8c098a63787..11a878f767de 100644
--- a/contrib/ipfilter/ipft_sn.c
+++ b/contrib/ipfilter/ipft_sn.c
@@ -21,6 +21,7 @@
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip_var.h>
@@ -28,12 +29,13 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
+#include "ip_compat.h"
#include "ipf.h"
#include "ipt.h"
#include "snoop.h"
#if !defined(lint) && defined(LIBC_SCCS)
-static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.3 1997/03/10 08:10:29 darrenr Exp $";
+static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp $";
#endif
struct llc {
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
index ef39bf0e1dee..f70a08fe6e4d 100644
--- a/contrib/ipfilter/ipft_td.c
+++ b/contrib/ipfilter/ipft_td.c
@@ -35,6 +35,7 @@ tcpdump -nqte
#endif
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
@@ -51,12 +52,13 @@ tcpdump -nqte
#include <netinet/tcpip.h>
#include <net/if.h>
#include <netdb.h>
+#include "ip_compat.h"
#include "ipf.h"
#include "ipt.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.3 1997/03/10 08:10:30 darrenr Exp $";
+static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp $";
#endif
static int tcpd_open __P((char *));
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index cce9af7baec5..04e5e3f62b44 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -16,6 +16,7 @@
#endif
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
@@ -40,7 +41,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.3 1997/03/10 08:10:31 darrenr Exp $";
+static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.4 1997/04/30 13:55:13 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 1057a58936dd..a7a582800b0c 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1993-1996 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -8,9 +8,9 @@
* @(#)ipl.h 1.21 6/5/96
*/
-#ifndef __IPL_H_
+#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter v3.2alpha4"
+#define IPL_VERSION "IP Filter v3.2alpha7"
#endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index cb71ff7e782c..f8b339d3012e 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -15,6 +15,7 @@
#include <strings.h>
#include <sys/dir.h>
#else
+#include <sys/filio.h>
#include <sys/byteorder.h>
#endif
#include <sys/types.h>
@@ -48,12 +49,13 @@
#include "ip_compat.h"
#include "ip_fil.h"
+#include "ip_proxy.h"
#include "ip_nat.h"
#include "ip_state.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed";
-static char rcsid[] = "$Id: ipmon.c,v 2.0.2.6 1997/04/02 12:23:27 darrenr Exp $";
+static char rcsid[] = "$Id: ipmon.c,v 2.0.2.9 1997/04/30 13:54:10 darrenr Exp $";
#endif
@@ -443,6 +445,15 @@ int blen;
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
portname(res, NULL, nl->nl_origport));
t += strlen(t);
+ if (nl->nl_type == NL_EXPIRE) {
+#ifdef USE_QUAD_T
+ (void) sprintf(t, " Pkts %qd Bytes %qd",
+#else
+ (void) sprintf(t, " Pkts %ld Bytes %ld",
+#endif
+ nl->nl_pkts, nl->nl_bytes);
+ t += strlen(t);
+ }
*t++ = '\n';
*t++ = '\0';
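Review bot: The sprintf added for NL_EXPIRE appends the packet and byte counters to `t` without checking how much of the destination remains, even though this function takes a `blen` length argument (visible in the hunk header), and the two writes that follow, `*t++ = '\n'` and `*t++ = '\0'`, are likewise unbounded. The buffer's declaration and the function's start are above the hunk, so whether the existing fixed-size buffer has room for the extra ~40 characters cannot be confirmed from here; a bounded write, `(void) snprintf(t, remaining, " Pkts %ld Bytes %ld", nl->nl_pkts, nl->nl_bytes);` with `remaining` derived from `blen` and the buffer start, would make the limit explicit. The same unbounded-append pattern is extended in the state-log hunk at -495,21.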
@@ -495,21 +506,21 @@ int blen;
hostname(res, sl->isl_src),
portname(res, proto, sl->isl_sport));
t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s ",
+ (void) sprintf(t, "%s,%s PR %s",
hostname(res, sl->isl_dst),
portname(res, proto, sl->isl_dport), proto);
} else if (sl->isl_p == IPPROTO_ICMP) {
(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d ",
+ (void) sprintf(t, "%s PR icmp %d",
hostname(res, sl->isl_dst), sl->isl_itype);
}
t += strlen(t);
if (sl->isl_type != ISL_NEW) {
#ifdef USE_QUAD_T
- (void) sprintf(t, "Pkts %qd Bytes %qd",
+ (void) sprintf(t, " Pkts %qd Bytes %qd",
#else
- (void) sprintf(t, "Pkts %ld Bytes %ld",
+ (void) sprintf(t, " Pkts %ld Bytes %ld",
#endif
sl->isl_pkts, sl->isl_bytes);
t += strlen(t);
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index 8c731e370284..189640252c96 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -48,13 +48,14 @@
#include <ctype.h>
#include "ip_compat.h"
#include "ip_fil.h"
+#include "ip_proxy.h"
#include "ip_nat.h"
#include "kmem.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static char rcsid[] = "$Id: ipnat.c,v 2.0.2.6 1997/04/02 12:23:29 darrenr Exp $";
+static char rcsid[] = "$Id: ipnat.c,v 2.0.2.9 1997/05/05 14:03:55 darrenr Exp $";
#endif
#if SOLARIS
@@ -130,8 +131,8 @@ char *argv[];
usage(argv[0]);
}
- if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) &&
- ((fd = open(IPL_NAME, O_RDONLY)) == -1)) {
+ if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) &&
+ ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
perror("open");
exit(-1);
}
@@ -182,8 +183,25 @@ void *ptr;
{
int bits;
+ switch (np->in_redir)
+ {
+ case NAT_REDIRECT :
+ printf("redir ");
+ break;
+ case NAT_MAP :
+ printf("map ");
+ break;
+ case NAT_BIMAP :
+ printf("bimap ");
+ break;
+ default :
+ fprintf(stderr, "unknown value for in_redir: %#x\n",
+ np->in_redir);
+ break;
+ }
+
if (np->in_redir == NAT_REDIRECT) {
- printf("rdr %s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
+ printf("%s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("/%d ", bits);
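Review bot: In the `default` case of the new switch the diagnostic goes to stderr but execution continues into the `if (np->in_redir == NAT_REDIRECT) … else …` chain below it, so an unrecognised in_redir value is reported and then printed in map format after an empty prefix. If printnat returns void (its signature is above the hunk), a `return;` after the fprintf would keep the output consistent with the error. The `%#x` conversion also assumes in_redir is an int-sized field; its type comes from ip_nat.h, which is not visible here.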
@@ -207,7 +225,7 @@ void *ptr;
np->in_use);
} else {
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
- printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
+ printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
bits = countbits(np->in_in[1].s_addr);
if (bits != -1)
printf("%d ", bits);
@@ -219,7 +237,13 @@ void *ptr;
printf("%d ", bits);
else
printf("%s", inet_ntoa(np->in_out[1]));
- if (np->in_pmin || np->in_pmax) {
+ if (*np->in_plabel) {
+ printf(" proxy");
+ if (np->in_dport)
+ printf(" %hu", ntohs(np->in_dport));
+ printf(" %.*s/%d", sizeof(np->in_plabel),
+ np->in_plabel, np->in_p);
+ } else if (np->in_pmin || np->in_pmax) {
printf(" portmap");
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
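Review bot: `printf(" %.*s/%d", sizeof(np->in_plabel), np->in_plabel, np->in_p)` passes a `size_t` where the `%.*s` precision argument must be an `int`; on targets where the two differ in width this is a format/argument mismatch, i.e. undefined behaviour. Cast it: `printf(" %.*s/%d", (int)sizeof(np->in_plabel), np->in_plabel, np->in_p);`. Bounding the label with `%.*s` is itself the right choice, since in_plabel is filled with strncpy later in this file and may not be NUL-terminated.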
@@ -245,13 +269,29 @@ void *ptr;
char *getnattype(ipnat)
ipnat_t *ipnat;
{
+ char *which;
ipnat_t ipnatbuff;
if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
sizeof(ipnatbuff)))
return "???";
- return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR";
+ switch (ipnatbuff.in_redir)
+ {
+ case NAT_MAP :
+ which = "MAP";
+ break;
+ case NAT_REDIRECT :
+ which = "RDR";
+ break;
+ case NAT_BIMAP :
+ which = "BIMAP";
+ break;
+ default :
+ which = "unknown";
+ break;
+ }
+ return which;
}
@@ -275,7 +315,7 @@ int fd, opts;
ns.ns_mapped[0], ns.ns_mapped[1]);
printf("added\t%lu\texpired\t%lu\n",
ns.ns_added, ns.ns_expire);
- printf("inuse\t%lu\n", ns.ns_inuse);
+ printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
if (opts & OPT_VERBOSE)
printf("table %p list %p\n", ns.ns_table, ns.ns_list);
}
@@ -419,6 +459,7 @@ int *resolved;
ipnat_t *parse(line)
char *line;
{
+ struct protoent *pr;
static ipnat_t ipn;
char *s, *t;
char *shost, *snetm, *dhost, *proto;
@@ -438,9 +479,11 @@ char *line;
ipn.in_redir = NAT_MAP;
else if (!strcasecmp(s, "rdr"))
ipn.in_redir = NAT_REDIRECT;
+ else if (!strcasecmp(s, "bimap"))
+ ipn.in_redir = NAT_BIMAP;
else {
(void)fprintf(stderr,
- "expected \"map\" or \"rdr\", got \"%s\"\n", s);
+ "expected map/rdr/bimap, got \"%s\"\n", s);
return NULL;
}
@@ -508,7 +551,7 @@ char *line;
}
dhost = s;
- if (ipn.in_redir == NAT_MAP) {
+ if (ipn.in_redir & NAT_MAP) {
if (!(s = strtok(NULL, " \t"))) {
dnetm = strrchr(dhost, '/');
if (!dnetm) {
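Review bot: The change from `ipn.in_redir == NAT_MAP` to `ipn.in_redir & NAT_MAP` reads correctly only if NAT_BIMAP is defined with the NAT_MAP bit set, which is decided in ip_nat.h rather than in this file. A one-line comment at the first use, `/* NAT_BIMAP shares the NAT_MAP bit: bimap parses like map */`, would save the next reader the lookup. The same change appears in the hunk at -562,7; the enclosing function `parse` starts and ends outside this hunk.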
@@ -517,7 +560,8 @@ char *line;
return NULL;
}
}
- if (!s || !strcasecmp(s, "portmap")) {
+ if (!s || !strcasecmp(s, "portmap") ||
+ !strcasecmp(s, "proxy")) {
dnetm = strrchr(dhost, '/');
if (!dnetm) {
fprintf(stderr,
@@ -562,7 +606,7 @@ char *line;
if (*snetm == '/')
*snetm++ = '\0';
- if (ipn.in_redir == NAT_MAP) {
+ if (ipn.in_redir & NAT_MAP) {
ipn.in_inip = hostnum(shost, &resolved);
if (resolved == -1)
return NULL;
@@ -612,6 +656,55 @@ char *line;
}
if (!s)
return &ipn;
+ if (ipn.in_redir == NAT_BIMAP) {
+ fprintf(stderr, "extra words at the end of bimap line: %s\n",
+ s);
+ return NULL;
+ }
+ if (!strcasecmp(s, "proxy")) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "missing parameter for \"proxy\"\n");
+ return NULL;
+ }
+ dport = NULL;
+
+ if (!strcasecmp(s, "port")) {
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "missing parameter for \"port\"\n");
+ return NULL;
+ }
+
+ dport = s;
+
+ if (!(s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "missing parameter for \"proxy\"\n");
+ return NULL;
+ }
+ }
+ if ((proto = index(s, '/'))) {
+ *proto++ = '\0';
+ if ((pr = getprotobyname(proto)))
+ ipn.in_p = pr->p_proto;
+ else
+ ipn.in_p = atoi(proto);
+ if (dport)
+ ipn.in_dport = portnum(dport, proto);
+ } else {
+ ipn.in_p = 0;
+ if (dport)
+ ipn.in_dport = portnum(dport, NULL);
+ }
+
+ (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
+ if ((s = strtok(NULL, " \t"))) {
+ fprintf(stderr, "too many parameters for \"proxy\"\n");
+ return NULL;
+ }
+ return &ipn;
+
+ }
if (strcasecmp(s, "portmap")) {
fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s);
return NULL;
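Review bot: In the new `proxy` branch, when `getprotobyname(proto)` fails the fallback `ipn.in_p = atoi(proto)` turns any unrecognised protocol name into protocol 0 without an error, so a misspelt protocol is accepted and installed as a rule with in_p 0. Replacing that fallback with a strtol parse that rejects non-numeric or out-of-range input (below) leaves the rest of the branch untouched. Separately, `strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel))` leaves in_plabel unterminated when the label fills the field and silently truncates longer labels; the printing code in this file bounds it with `%.*s`, but whether every consumer does so is not visible here, and a length check before the copy would make the limit explicit. The enclosing function `parse` continues past this hunk.
```c
	if ((proto = index(s, '/'))) {
		*proto++ = '\0';
		if ((pr = getprotobyname(proto)))
			ipn.in_p = pr->p_proto;
		else {
			char *end;
			long pn = strtol(proto, &end, 10);

			/* reject anything that is not a bare 0..255 number */
			if (end == proto || *end != '\0' || pn < 0 || pn > 255) {
				fprintf(stderr, "unknown protocol \"%s\"\n", proto);
				return NULL;
			}
			ipn.in_p = pn;
		}
		/* … unchanged: in_dport assignment … */
	}
```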
diff --git a/contrib/ipfilter/ipsend/Makefile b/contrib/ipfilter/ipsend/Makefile
index 1f049125c307..df650aa7af2d 100644
--- a/contrib/ipfilter/ipsend/Makefile
+++ b/contrib/ipfilter/ipsend/Makefile
@@ -32,6 +32,9 @@ all:
.c.o:
$(CC) $(CFLAGS) $(LINUXK) -c $< -o $@
+install:
+ -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
+
bpf sunos4-bpf :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
"CFLAGS=$(CFLAGS) -DDOSOCKET"
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
index e010b9b93946..10f27cd7995f 100644
--- a/contrib/ipfilter/ipsend/arp.c
+++ b/contrib/ipfilter/ipsend/arp.c
@@ -25,11 +25,6 @@ static char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
#include <netinet/tcp.h>
#include "ipsend.h"
-#if defined(__SVR4) || defined(__svr4__)
-#define bcopy(a,b,c) memmove(b,a,c)
-#define bzero(a,c) memset(a,0,c)
-#define bcmp(a,b,c) memcmp(a,b,c)
-#endif
/*
* lookup host and return
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 4c37557abcd7..ecc64737ce46 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -175,7 +175,7 @@ char **argv;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
- while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
+ while ((c = (char)getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
switch (c)
{
case 'I' :
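Review bot: The new `(char)` cast on the getopt() return makes the `!= -1` loop test depend on char signedness: where `c` is declared `char` and the platform's plain char is unsigned, `(char)-1` becomes 255, the comparison never fails, and the option loop never terminates. `c`'s declaration is above the hunk, so this is inferred from the cast itself; declaring `c` as `int` and dropping the cast, `while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)`, is the portable form. The same cast is added in iptest.c at -108,7 and ipt.c at -66,7.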
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
index 00b51fb40d45..93d7f4ab74f6 100644
--- a/contrib/ipfilter/ipsend/iptest.c
+++ b/contrib/ipfilter/ipsend/iptest.c
@@ -108,7 +108,8 @@ char **argv;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
- while ((c = getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
+ while ((c = (char)getopt(argc, argv,
+ "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
switch (c)
{
case '1' :
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 4de99c4727f5..6b5ecb9a2cd0 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -27,6 +27,9 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
#endif
#include <kvm.h>
#include <sys/socket.h>
+#if defined(solaris)
+# include <sys/stream.h>
+#endif
#include <sys/socketvar.h>
#ifdef sun
#include <sys/systm.h>
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 1e0f3e4464f0..cc0c223743a4 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -5,6 +5,9 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
+#ifdef __FreeBSD__
+# include <osreldate.h>
+#endif
#include <stdio.h>
#include <assert.h>
#include <string.h>
@@ -16,6 +19,7 @@
#endif
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
@@ -30,6 +34,9 @@
#include <netinet/ip_icmp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
@@ -42,7 +49,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: ipt.c,v 2.0.2.4 1997/04/02 12:23:30 darrenr Exp $";
+static char rcsid[] = "$Id: ipt.c,v 2.0.2.5 1997/04/30 13:59:39 darrenr Exp $";
#endif
extern char *optarg;
@@ -66,7 +73,7 @@ char *argv[];
char *rules = NULL, *datain = NULL, *iface = NULL;
int fd, i, dir = 0;
- while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1)
+ while ((c = (char)getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1)
switch (c)
{
case 'b' :
diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h
index e91190ba81bf..f7cc61f52416 100644
--- a/contrib/ipfilter/ipt.h
+++ b/contrib/ipfilter/ipt.h
@@ -1,12 +1,15 @@
/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: ipt.h,v 2.0.2.4 1997/03/27 13:45:23 darrenr Exp $
+ * $Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp $
*/
+#ifndef __IPT_H__
+#define __IPT_H__
+
#include <fcntl.h>
#ifdef __STDC__
#include <stdarg.h>
@@ -23,3 +26,5 @@ struct ipread {
extern void debug __P((char *, ...));
extern void verbose __P((char *, ...));
+
+#endif /* __IPT_H__ */
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
index 38d64304bddf..d98f391c27a9 100644
--- a/contrib/ipfilter/kmem.h
+++ b/contrib/ipfilter/kmem.h
@@ -1,12 +1,15 @@
/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: kmem.h,v 2.0.2.3 1997/03/10 08:10:38 darrenr Exp $
+ * $Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp $
*/
+#ifndef __KMEM_H__
+#define __KMEM_H__
+
#ifndef __P
# ifdef __STDC__
# define __P(x) x
@@ -19,3 +22,4 @@ extern int kmemcpy __P((char *, long, int));
#define KMEM "/dev/kmem"
+#endif /* __KMEM_H__ */
diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h
index 3f28724318da..75aec954baed 100644
--- a/contrib/ipfilter/linux.h
+++ b/contrib/ipfilter/linux.h
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -7,7 +7,7 @@
* responsibility and is not changed in any way.
*
* I hate legaleese, don't you ?
- * $Id: linux.h,v 2.0.2.2 1997/02/23 10:38:08 darrenr Exp $
+ * $Id: linux.h,v 2.0.2.3 1997/04/07 09:59:01 darrenr Exp $
*/
#include <linux/config.h>
diff --git a/contrib/ipfilter/man/ipf.1 b/contrib/ipfilter/man/ipf.1
index 912d7ef475d0..5ea06fa74c35 100644
--- a/contrib/ipfilter/man/ipf.1
+++ b/contrib/ipfilter/man/ipf.1
@@ -99,7 +99,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
.DT
.SH SEE ALSO
-ipfstat(1), ipftest(1), ipf(5)
+ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
.SH DIAGNOSTICS
.PP
Needs to be run as root for the packet filtering lists to actually
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index 417a0eaa3518..f8ceedd65c54 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -277,7 +277,10 @@ packets from both protocols are compared. This is equivalent to "proto
tcp/udp". When composing \fBport\fP comparisons, either the service
name or an integer port number may be used. Port comparisons may be
done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. See the examples for more information.
+port ranges may be specified. When the port appears as part of the
+\fBfrom\fP object, it matches the source port number, when it appears
+as part of the \fBto\fP object, it matches the destination port number.
+See the examples for more information.
.PP
The \fBall\fP keyword is essentially a synonym for "from any to any"
with no other match parameters.
@@ -430,4 +433,4 @@ would be needed before the first block.
.br
/etc/hosts
.SH SEE ALSO
-ipf(1), ipftest(1)
+ipf(1), ipftest(1), mkfilters(1)
diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5
index 03a87a5f4548..40175e48d8df 100644
--- a/contrib/ipfilter/man/ipfilter.5
+++ b/contrib/ipfilter/man/ipfilter.5
@@ -4,4 +4,4 @@ IP FIlter
.SH DESCRIPTION
.PP
.SH SEE ALSO
-ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5)
+ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
new file mode 100644
index 000000000000..e55054c2a99c
--- /dev/null
+++ b/contrib/ipfilter/man/mkfilters.1
@@ -0,0 +1,13 @@
+.TH IPF 1
+.SH NAME
+mkfilters \- generate a minimal firewall ruleset for ipfilter
+.SH SYNOPSIS
+.B mkfilters
+.SH DESCRIPTION
+.PP
+\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
+use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
+.DT
+.SH SEE ALSO
+ipf(1), ipf(5), ipfilter(5), ifconfig(8)
+
diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c
index c0e415c94c97..3ff46ba14474 100644
--- a/contrib/ipfilter/misc.c
+++ b/contrib/ipfilter/misc.c
@@ -15,6 +15,7 @@
#endif
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
@@ -40,7 +41,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static char rcsid[] = "$Id: misc.c,v 2.0.2.5 1997/03/31 10:05:36 darrenr Exp $";
+static char rcsid[] = "$Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
index 068a9ff39dde..fe035da0cbb7 100644
--- a/contrib/ipfilter/mln_ipl.c
+++ b/contrib/ipfilter/mln_ipl.c
@@ -13,19 +13,12 @@
#include <sys/param.h>
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# define NETBSD_PF
-#endif
-
#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
-# include <osreldate.h>
# ifdef IPFILTER_LKM
+# include <osreldate.h>
# define ACTUALLY_LKM_NOT_KERNEL
+# else
+# include <sys/osreldate.h>
# endif
#endif
#include <sys/systm.h>
@@ -48,8 +41,10 @@
#include <sys/mount.h>
#include <sys/exec.h>
#include <sys/mbuf.h>
-#if defined(__NetBSD__) || (defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 199511))
+#if BSD >= 199506
+# include <sys/sysctl.h>
+#endif
+#if (__FreeBSD_version >= 199511)
#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
@@ -59,13 +54,13 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#endif
-#ifndef __NetBSD__
-#include <sys/sysent.h>
+#if (__FreeBSD__ > 1)
+# include <sys/sysent.h>
#endif
#include <sys/lkm.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
+#include "netinet/ipl.h"
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
#ifndef IPL_NAME
#define IPL_NAME "/dev/ipl"
@@ -84,43 +79,12 @@
extern int lkmenodev __P((void));
-#ifdef NETBSD_PF
-#include <net/pfil.h>
-#endif
-#ifndef IPFILTER_LOG
-# ifdef NETBSD_PF
-# define iplread enodev
-# else
-# define iplread nodev
-# endif
-#endif
-
-#ifdef NETBSD_PF
-int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
-#endif
-
static int ipl_unload __P((void));
static int ipl_load __P((void));
static int ipl_remove __P((void));
int xxxinit __P((struct lkm_table *, int, int));
-#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- 0, /* write */
- iplioctl, /* ioctl */
- 0, /* stop */
- 0, /* tty */
- 0, /* select */
- 0, /* mmap */
- NULL /* strategy */
-};
-#else
struct cdevsw ipldevsw =
{
iplopen, /* open */
@@ -135,6 +99,16 @@ struct cdevsw ipldevsw =
(void *)nullop, /* mmap */
NULL /* strategy */
};
+
+#ifdef SYSCTL_INT
+SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW,
+ &ipl_unreach, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD,
+ &ipl_inited, 0, "");
#endif
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
@@ -149,7 +123,7 @@ extern int nchrdev;
int ipl_major = CDEV_MAJOR;
static struct cdevsw ipl_cdevsw = {
- iplopen, iplclose, iplread, nowrite, /* 79 */
+ iplopen, iplclose, iplread, nowrite, /* 79 */
iplioctl, nostop, noreset, nodevtotty,
noselect, nommap, nostrategy, "ipl",
NULL, -1
@@ -157,6 +131,8 @@ static struct cdevsw ipl_cdevsw = {
#endif
+static int iplaction __P((struct lkm_table *, int));
+
static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
@@ -229,6 +205,7 @@ static int ipl_remove __P((void))
VOP_LOCK(nd.ni_vp);
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
+ return 0;
}
@@ -237,9 +214,6 @@ static int ipl_unload()
int error = 0;
error = ipldetach();
-#ifdef NETBSD_PF
- pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT);
-#endif
if (!error)
error = ipl_remove();
return error;
@@ -253,9 +227,6 @@ static int ipl_load()
int error = 0, fmode = S_IFCHR|0600;
error = iplattach();
-#ifdef NETBSD_PF
- pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT);
-#endif
if (error)
return error;
(void) ipl_remove();
@@ -327,6 +298,20 @@ static int ipl_load()
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
+/*
+ * strlen isn't present in 2.1.* kernels.
+ */
+size_t strlen(string)
+char *string;
+{
+ register char *s;
+
+ for (s = string; *s; s++)
+ ;
+ return (size_t)(s - string);
+}
+
+
int xxxinit(lkmtp, cmd, ver)
struct lkm_table *lkmtp;
int cmd, ver;
@@ -334,8 +319,8 @@ int cmd, ver;
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
#else
-#include <sys/exec.h>
-#include <sys/sysent.h>
+# ifdef IPFILTER_LKM
+# include <sys/exec.h>
MOD_DECL(if_ipl);
@@ -354,21 +339,39 @@ int cmd, ver;
{
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
}
+# else
-/*
+#ifdef DEVFS
+static void *ipf_devfs_token[3];
+#endif
static ipl_devsw_installed = 0;
static void ipl_drvinit __P((void *unused))
{
- dev_t dev;
+ dev_t dev;
+#ifdef DEVFS
+ void **tp = ipf_devfs_token;
+#endif
- if( ! ipl_devsw_installed ) {
- dev = makedev(CDEV_MAJOR,0);
- cdevsw_add(&dev, &ipl_cdevsw,NULL);
- ipl_devsw_installed = 1;
- }
+ if (!ipl_devsw_installed ) {
+ dev = makedev(CDEV_MAJOR, 0);
+ cdevsw_add(&dev, &ipl_cdevsw, NULL);
+ ipl_devsw_installed = 1;
+
+#ifdef DEVFS
+ tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
+ DV_CHR, 0, 0, 0600,
+ "ipf", IPL_LOGIPF);
+ tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
+ DV_CHR, 0, 0, 0600,
+ "ipnat", IPL_LOGNAT);
+ tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
+ DV_CHR, 0, 0, 0600,
+ "ipstate", IPL_LOGSTATE);
+#endif
+ }
}
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
-*/
-#endif /* __FreeBSD__ */
+# endif /* IPFILTER_LKM */
+#endif /* _FreeBSD_version */
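Review bot: `ipf_devfs_token[3]` is indexed with IPL_LOGIPF, IPL_LOGNAT and IPL_LOGSTATE, whose values come from the ipl headers rather than this file; the stores through `tp[...]` stay in bounds only if all three are below 3, and nothing in the hunk ties the array length to those constants. Sizing the array from the largest minor number the headers define, or at least a comment `/* indexed by the IPL_LOG* minor numbers, which must all be < 3 */`, would record the assumption where it is relied on. The closing comment `#endif /* _FreeBSD_version */` also names the macro with a single underscore, while the condition it closes tests `__FreeBSD_version`.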
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 432fb99a4052..92487a42f798 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -14,6 +14,7 @@
#endif
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
@@ -34,7 +35,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: parse.c,v 2.0.2.5 1997/03/31 10:05:38 darrenr Exp $";
+static char rcsid[] = "$Id: parse.c,v 2.0.2.7 1997/05/08 11:24:09 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -325,6 +326,10 @@ char *line;
return NULL;
}
ch = 0;
+ if (**cpp == '!') {
+ fil.fr_flags |= FR_NOTSRCIP;
+ (*cpp)++;
+ }
if (hostmask(&cpp, (u_long *)&fil.fr_src,
(u_long *)&fil.fr_smsk, &fil.fr_sport, &ch,
&fil.fr_stop)) {
@@ -350,6 +355,10 @@ char *line;
return NULL;
}
ch = 0;
+ if (**cpp == '!') {
+ fil.fr_flags |= FR_NOTDSTIP;
+ (*cpp)++;
+ }
if (hostmask(&cpp, (u_long *)&fil.fr_dst,
(u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch,
&fil.fr_dtop)) {
@@ -1164,10 +1173,11 @@ struct frentry *fp;
(void)printf("proto %d ", fp->fr_proto);
}
+ printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr)
- (void)printf("from any ");
+ (void)printf("any ");
else {
- (void)printf("from %s", inet_ntoa(fp->fr_src));
+ (void)printf("%s", inet_ntoa(fp->fr_src));
if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
(void)printf("/%s ", inet_ntoa(fp->fr_smsk));
else
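Review bot: The new `printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "")` drops the `(void)` cast every neighbouring printf in this function carries and leaves the `&` test unparenthesised inside the conditional; the precedence is correct (`&` binds tighter than `?:`), but the mixed style makes a reader stop to check. `(void)printf("from %s", (fp->fr_flags & FR_NOTSRCIP) ? "!" : "");` matches the surrounding code, and the same applies to the `to` line added in the hunk at -1180,10. The enclosing function starts above the hunk.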
@@ -1180,10 +1190,12 @@ struct frentry *fp;
else
(void)printf("port %s %s ", pcmp1[fp->fr_scmp],
portname(pr, fp->fr_sport));
+
+ printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr)
- (void)printf("to any");
+ (void)printf("any");
else {
- (void)printf("to %s", inet_ntoa(fp->fr_dst));
+ (void)printf("%s", inet_ntoa(fp->fr_dst));
if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
(void)printf("/%s", inet_ntoa(fp->fr_dmsk));
else
diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h
index 1eee3c692852..f915a1a79694 100644
--- a/contrib/ipfilter/pcap.h
+++ b/contrib/ipfilter/pcap.h
@@ -1,10 +1,10 @@
/*
- * (C)opyright 1993-1996 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: pcap.h,v 2.0.2.2 1997/02/23 10:38:17 darrenr Exp $
+ * $Id: pcap.h,v 2.0.2.3 1997/04/07 09:59:02 darrenr Exp $
*/
/*
* This header file is constructed to match the version described by
diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy
new file mode 100755
index 000000000000..2c42c527fa1e
--- /dev/null
+++ b/contrib/ipfilter/rules/ftppxy
@@ -0,0 +1,6 @@
+#!/bin/sh
+# The proxy bit is as follows:
+# proxy [port <portname>] <tag>/<protocol>
+# the <tag> should match a tagname in the proxy table, as does the protocol.
+# this format isn't finalised yet
+echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h
index e257be5ec24d..076a7af66599 100644
--- a/contrib/ipfilter/snoop.h
+++ b/contrib/ipfilter/snoop.h
@@ -1,14 +1,17 @@
/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
+#ifndef __SNOOP_H__
+#define __SNOOP_H__
+
/*
* written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 2.0.2.2 1997/02/23 10:38:19 darrenr Exp $
+ * $Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp $
*/
struct snoophdr {
char s_id[8];
@@ -40,3 +43,5 @@ struct snooppkt {
int sp_sec;
int sp_usec;
};
+
+#endif /* __SNOOP_H__ */
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index 8f158fca2174..10d397f85b0c 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "$Id: solaris.c,v 2.0.2.3 1997/03/27 13:45:28 darrenr Exp $";
+#pragma ident "$Id: solaris.c,v 2.0.2.5 1997/05/08 10:11:04 darrenr Exp $";
#include <sys/systm.h>
#include <sys/types.h>
@@ -177,18 +177,18 @@ ddi_attach_cmd_t cmd;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance);
#endif
- if (ddi_create_minor_node(dip, "ipf", S_IFCHR, instance,
+ if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
DDI_PSEUDO, 0) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL);
goto attach_failed;
}
- if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, instance,
- DDI_PSEUDO, 1) == DDI_FAILURE) {
+ if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, IPL_LOGNAT,
+ DDI_PSEUDO, 0) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL);
goto attach_failed;
}
- if (ddi_create_minor_node(dip, "ipstate", S_IFCHR, instance,
- DDI_PSEUDO, 2) == DDI_FAILURE) {
+ if (ddi_create_minor_node(dip, "ipstate", S_IFCHR,IPL_LOGSTATE,
+ DDI_PSEUDO, 0) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL);
goto attach_failed;
}
@@ -942,7 +942,11 @@ frdest_t *fdp;
else
dst = fin->fin_fi.fi_dst;
+#if SOLARIS2 > 5
+ if (dir = ire_cache_lookup(dst.s_addr))
+#else
if (dir = ire_lookup(dst.s_addr))
+#endif
if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length)
dir = NULL;
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index d3bdcc24d2ff..f2e3ca908638 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -17,7 +17,7 @@ first:
-mkdir -p results
# Filtering tests
-ftests: 1 2 3 4 5 6 7 8 9 10 11 12
+ftests: 1 2 3 4 5 6 7 8 9 10 11 12 14
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
@@ -25,7 +25,7 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
0:
@(cd ..; make ipftest; )
-1 2 3 4 5 6 7 8 9 10 11:
+1 2 3 4 5 6 7 8 9 10 11 14:
@./dotest $@
12:
diff --git a/contrib/ipfilter/test/expected/14 b/contrib/ipfilter/test/expected/14
new file mode 100644
index 000000000000..d06d92b3e02a
--- /dev/null
+++ b/contrib/ipfilter/test/expected/14
@@ -0,0 +1,40 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+block
+block
+block
+block
+block
+pass
+pass
+pass
+pass
+pass
diff --git a/contrib/ipfilter/test/expected/i1 b/contrib/ipfilter/test/expected/i1
index f69e0553a874..3eb14be74356 100644
--- a/contrib/ipfilter/test/expected/i1
+++ b/contrib/ipfilter/test/expected/i1
@@ -3,6 +3,8 @@ block out from any to any
log in from any to any
log body in from any to any
count in from any to any
+pass in from !any to any
+block in from any to !any
pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
block in log first on lo0(!) from any to any
pass in log body quick from any to any
diff --git a/contrib/ipfilter/test/input/14 b/contrib/ipfilter/test/input/14
new file mode 100644
index 000000000000..16a806ffec7b
--- /dev/null
+++ b/contrib/ipfilter/test/input/14
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/regress/14 b/contrib/ipfilter/test/regress/14
new file mode 100644
index 000000000000..aa54af8df11d
--- /dev/null
+++ b/contrib/ipfilter/test/regress/14
@@ -0,0 +1,8 @@
+block in from !1.1.1.1 to any
+pass in from 1.1.1.1 to !any
+block in from 1.1.1.1/24 to !any
+pass in from !1.1.1.1/24 to any
+block in from !1.1.1.1/16 to any
+pass in from 1.1.1.1/16 to !any
+block in from 1.1.1.1/0 to !any
+pass in from !1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/i1 b/contrib/ipfilter/test/regress/i1
index 583cd8b5b770..736801edcb2d 100644
--- a/contrib/ipfilter/test/regress/i1
+++ b/contrib/ipfilter/test/regress/i1
@@ -3,6 +3,8 @@ block out all
log in all
log body in all
count in from any to any
+pass in from !any to any
+block in from any to !any
pass in on ed0 from localhost to localhost
block in log first on lo0 from any to any
pass in log body quick from any to any
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index 3914bef42457..d90d75db660a 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -1,12 +1,5 @@
-* automatically use the interface's IP# for NAT rather than any specific IP#
- - Done. Use "0/32" as destination address/mask. Uses first interface IP#
- set for an interface.
-
* use fr_tcpstate() with NAT code for increased NAT usage security or even
- fr_checkstate()
-
-* use minor devices for controlling access to alternate parts of IP Filter
- such as filtering, accounting, state, NAT, etc.
+ fr_checkstate() - suspect this is not possible.
* see if the Solaris2 and dynamic plumb/unplumb problem is solvable
@@ -17,11 +10,17 @@ time permitting:
* record buffering for TCP/UDP
* modular application proxying
+on the way
* invesitgate making logging better
+done ?
* add reverse nat (similar to rdr) to map addresses going in both directions
-
-* add 'tail' switch to ipmon
(this might just be some changes to rdr). In 1:1 relationships maybe make
it an option.
+
+* keep fragment information for NAT/state entries automatically.
+done
+
+* support traceroute through the firewall
+