authorDarren Reed <darrenr@FreeBSD.org>2007-10-18 21:42:51 +0000
committerDarren Reed <darrenr@FreeBSD.org>2007-10-18 21:42:51 +0000
commit39ff65a633dd44a40233913b84b347003c732868 (patch)
treeda6aaa7272c76c9c4cad931122fd1f4e4db237a5
parent4a9a9e0514bae1d22577753d9cd844d061805071 (diff)
downloadsrc-39ff65a633dd44a40233913b84b347003c732868.tar.gz
src-39ff65a633dd44a40233913b84b347003c732868.zip
Import IPFilter 4.1.28
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=172771
-rw-r--r--contrib/ipfilter/BSD/Makefile12
-rw-r--r--contrib/ipfilter/BSD/kupgrade14
-rw-r--r--contrib/ipfilter/HISTORY100
-rw-r--r--contrib/ipfilter/Makefile19
-rw-r--r--contrib/ipfilter/ip_fil.c9
-rw-r--r--contrib/ipfilter/iplang/Makefile9
-rw-r--r--contrib/ipfilter/ipsend/iptests.c8
-rw-r--r--contrib/ipfilter/ipsend/sock.c8
-rw-r--r--contrib/ipfilter/l4check/Makefile2
-rw-r--r--contrib/ipfilter/l4check/l4check.c43
-rw-r--r--contrib/ipfilter/lib/Makefile8
-rw-r--r--contrib/ipfilter/lib/alist_new.c8
-rw-r--r--contrib/ipfilter/lib/ipft_tx.c37
-rw-r--r--contrib/ipfilter/lib/printnat.c13
-rw-r--r--contrib/ipfilter/lib/printpacket.c4
-rw-r--r--contrib/ipfilter/lib/printpool_live.c13
-rw-r--r--contrib/ipfilter/lib/printstate.c4
-rw-r--r--contrib/ipfilter/man/ippool.52
-rw-r--r--contrib/ipfilter/md5.h2
-rw-r--r--contrib/ipfilter/radix.c6
-rw-r--r--contrib/ipfilter/radix_ipf.h4
-rw-r--r--contrib/ipfilter/test/Makefile24
-rw-r--r--contrib/ipfilter/test/dotest8
-rw-r--r--contrib/ipfilter/test/expected/Makefile41
-rw-r--r--contrib/ipfilter/test/expected/f11124
-rw-r--r--contrib/ipfilter/test/expected/f245
-rw-r--r--contrib/ipfilter/test/expected/i19.dist22
-rw-r--r--contrib/ipfilter/test/expected/i216
-rw-r--r--contrib/ipfilter/test/expected/in11
-rw-r--r--contrib/ipfilter/test/expected/in61
-rw-r--r--contrib/ipfilter/test/expected/ipv6.63
-rw-r--r--contrib/ipfilter/test/expected/n1621
-rw-r--r--contrib/ipfilter/test/input/f1122
-rw-r--r--contrib/ipfilter/test/input/f2427
-rw-r--r--contrib/ipfilter/test/input/ipv6.617
-rw-r--r--contrib/ipfilter/test/input/l116
-rw-r--r--contrib/ipfilter/test/input/n1640
-rwxr-xr-xcontrib/ipfilter/test/nattest9
-rw-r--r--contrib/ipfilter/test/regress/f241
-rw-r--r--contrib/ipfilter/test/regress/i211
-rw-r--r--contrib/ipfilter/test/regress/i36
-rw-r--r--contrib/ipfilter/test/regress/in11
-rw-r--r--contrib/ipfilter/test/regress/in61
-rw-r--r--contrib/ipfilter/test/regress/ipv6.61
-rw-r--r--contrib/ipfilter/test/regress/n161
-rw-r--r--contrib/ipfilter/test/test.format5
-rw-r--r--contrib/ipfilter/tools/ipf_y.y24
-rw-r--r--contrib/ipfilter/tools/ipfstat.c9
-rw-r--r--contrib/ipfilter/tools/ipmon.c35
-rw-r--r--contrib/ipfilter/tools/ipnat.c65
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y1
-rw-r--r--contrib/ipfilter/tools/lexer.c55
52 files changed, 775 insertions, 143 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index 6f4ea5d3d6bd..fe8a4d4e567f 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -485,13 +485,21 @@ install:
cp if_ipl.o /lkm; \
fi
-if [ -d /modules -a -f ipf.ko ] ; then \
- cp ipf.ko /modules; \
+ if [ -f /modules/ipl.ko ] ; then \
+ cp ipf.ko /modules/ipl.ko; \
+ else \
+ cp ipf.ko /modules; \
+ fi \
fi
-if [ -d /modules -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /modules; \
fi
-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
- cp ipf.ko /boot/kernel; \
+ if [ -f /boot/kernel/ipl.ko ] ; then \
+ cp ipf.ko /boot/kernel/ipl.ko; \
+ else \
+ cp ipf.ko /boot/kernel; \
+ fi \
fi
-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /boot/kernel; \
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
index 77a6ba1f534e..04b257d7ca60 100644
--- a/contrib/ipfilter/BSD/kupgrade
+++ b/contrib/ipfilter/BSD/kupgrade
@@ -32,11 +32,15 @@ else
fi
if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
- echo "Please do a build of ipfilter and then run the following"
- echo "command to build extra files:"
- echo
- echo "make ip_rules.c"
- exit 1
+ echo "Trying to build ip_rules.c and ip_rules.h"
+ make ip_rules.c
+ if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
+ echo "Please do a build of ipfilter and then run the following"
+ echo "command to build extra files:"
+ echo
+ echo "make ip_rules.c"
+ exit 1
+ fi
fi
echo -n "Installing "
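Review bot: The exit status of the new `make ip_rules.c` call is discarded, so the only failure signal is the file re-check that follows it; a build that dies after writing one of the two files, or leaves a partially written ip_rules.c (I cannot see from this hunk how the target is produced), would pass the presence test and the stale file would be installed. Folding the status into the re-check keeps the helpful message: `if ! make ip_rules.c || [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then`. It would also be worth saying in the echo that the build is being attempted from the current directory, since kupgrade is presumably run as root.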
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 7a177168cb99..b500c20632ca 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -10,12 +10,110 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+4.1.28 - Release 16 October 2007
+
+backout changes (B1) & (B2) as they've caused NAT entries to persist for
+too long and possibly other side effects.
+
+Still need to compile in our own radix.c for Solaris as the one in S10U4
+has a different alignment of structure members (causes panic)
+
+keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
+
+ippool -l may only lists every 2nd pool's contents
+
+4.1.27 - Released 29 September 2007
+
+SunOS5/replace script does not deal with i386 systems that have the
+i86/amd64 directory pair.
+
+make BSD/kupgrade try to build ip_rules.[ch] before complaining
+
+Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
+
+Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
+to drive 32bit cc builds differently for sparc/i386 now.
+
+Update instructions for rebuilding FreeBSD kernels
+
+Make the target "freebsd" work for building ipfilter
+
+destroying NAT entries for blocked packets can lead to NAT table entry leak,
+provide a counter of orphan'd NAT entries to track this problem.
+
+4.1.26 - Released 24 September 2007
+
+Fix build problem for Solaris prior to S10U4
+
+4.1.25 - Released 20 September 2007
+
+stepping through structures with ioctls can lead to the wrong things
+being free'd and panics
+
+if a NAT entry (such as an rdr) is created but the packet ends up being
+blocked, tear down the NAT entry.
+
+fix fragment cache preventing keep state from functioning
+
+fix handling of \ to indicate a continued line in .conf files
+
+include port ranges in the allowed input for ipf when using "port = ()"
+
+only advance TCP state for packets on the leading edge of the window. (B1)
+
+using ipnat -l can lead to memory corruption in high stress situations
+
+track TCP sequence numbers with NAT so that it can do timeout advances
+correctly inline with state
+
+ICMP checksums for some redirect'd packets are not adjusted correctly.
+
+IPv6 address components need to be explicitly cast to a 32bit pointer
+boundary so that compilers don't try to access them as two 64bit
+pieces (no guarantee is made that an Ipv6 address is on a 64bit
+aligned address)
+
+filling up the ipauth packet queue can lead to no more packets being
+processed.
+
+locking used to deref a nat entry causes a significant performance hit
+
+m_pulldown isn't properly handled, leading to possible panics with ICMPv6
+packets
+
+IPv6 fragment handling doesn't allow for "keep frag" to work
+
+build on Solaris10 Update4 with pfhooks in the kernel
+
+logging of Ipv6 packets with extension headers fix - Miroslaw Luc
+
+4.1.24 - Released 8 July 2007
+
+patch from Stuart Remphrey to address recursive mutex lock with TCP state
+
+add hash table bucket stats display to ipnat -s
+
+give ASSERT some teeth for user compiles
+
+initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
+early on
+
+do some caddr_t cleanup, where possible
+
+fr_ref no longer tracks the number of children rules in a group for head rules
+
+make sure all BCOPY* have a value assigned to something
+
+fix possible use of icmp pointer after pullup makes it invalid
+
+resolve compile problems related to FreeBSD tree
+
4.1.23 - Released 31 May 2007
NAT was not always correctly fixing ICMP headers for errors
some TCP state steps when closing do not update timeouts, leading to
-them being removed prematurely.
+them being removed prematurely. (B2)
fix compilation problems for netbsd 4.99
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 25db5ef560dc..1b2f8f5618a5 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
-# $Id: Makefile,v 2.76.2.21 2007/05/11 21:57:25 darrenr Exp $
+# $Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $
#
SHELL=/bin/sh
BINDEST=/usr/local/bin
@@ -131,10 +131,7 @@ all:
@echo "openbsd - compile for OpenBSD"
@echo "freebsd20 - compile for FreeBSD 2.0, 2.1 or earlier"
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
- @echo "freebsd3 - compile for FreeBSD-3.x"
- @echo "freebsd4 - compile for FreeBSD-4.x"
- @echo "freebsd5 - compile for FreeBSD-5.x"
- @echo "freebsd6 - compile for FreeBSD-6.x"
+ @echo "freebsd - compile for all other versions of FreeBSD"
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@@ -151,6 +148,7 @@ retest:
else echo test directory not present, sorry; fi
include:
+ -mkdir -p net netinet
if [ ! -f netinet/done ] ; then \
(cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
(cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
@@ -166,6 +164,9 @@ sunos solaris: include
MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
+freebsd:
+ make freebsd`uname -r|cut -c1`
+
freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
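Review bot: The new `freebsd` target picks its sub-target with `uname -r|cut -c1`, which keeps only the first character of the release string, so any two-digit major version would dispatch to a non-existent `freebsd1` target and fail with an unhelpful "don't know how to make" error rather than a clear message. `make freebsd\`uname -r | cut -d. -f1\`` selects the whole major number; checking that the computed target exists before recursing would make the failure mode explicit. Unlike `freebsd22` directly below it, the new target also does not depend on `include`, though the sub-target it recurses into presumably does.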
@@ -350,13 +351,9 @@ sunos4 solaris1:
(cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2: null
- (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
+ (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
(cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-sunos5x86 solaris2x86: null
- (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
- (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-
linux: include
(cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
(cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..)
@@ -373,7 +370,7 @@ install-sunos4: solaris
(cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
install-sunos5: solaris null
- (cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install)
+ (cd SunOS5; $(MAKE) TOP=.. install)
install-aix:
(cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index daeb201c6444..f2006e9c805e 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -5,7 +5,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.16 2007/05/28 11:56:22 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.18 2007/09/09 11:32:05 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -79,7 +79,7 @@ struct file;
#include <sys/hashing.h>
# endif
#endif
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) || defined(SOLARIS2)
# include "radix_ipf.h"
#endif
#ifndef __osf__
@@ -388,7 +388,7 @@ int v;
*addr++ = '\0';
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- COPYIFNAME(ifp, ifname);
+ COPYIFNAME(v, ifp, ifname);
if (!strcmp(name, ifname)) {
if (addr != NULL)
fr_setifpaddr(ifp, addr);
@@ -427,6 +427,9 @@ int v;
}
ifp = ifneta[nifs - 1];
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
+ TAILQ_INIT(&ifp->if_addrlist);
+#endif
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
diff --git a/contrib/ipfilter/iplang/Makefile b/contrib/ipfilter/iplang/Makefile
index 5b53e9a43609..1d66bb655c5a 100644
--- a/contrib/ipfilter/iplang/Makefile
+++ b/contrib/ipfilter/iplang/Makefile
@@ -3,20 +3,21 @@
#
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
+CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend
all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
- $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
+ $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
- $(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
+ $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
iplang_y.o: iplang_y.c
- $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
+ $(CC) $(CCARGS) $< -o $@
iplang_l.o: iplang_l.c
- $(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
+ $(CC) $(CCARGS) $< -o $@
$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
lex iplang_l.l
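Review bot: The two non-DESTDIR rules lost `-c` (and `$(LINUX)`) in the rewrite: `$(CC) $(CCARGS) $< -o $@` now asks the compiler to compile *and link* iplang_y.c into an executable named iplang_y.o, which will fail at link time (no main) or, worse, produce a non-object file under a .o name. The DESTDIR rules directly above kept the flags, so the fix is to make the other two match: `$(CC) $(CCARGS) $(LINUX) -c $< -o $@` for both `iplang_y.o` and `iplang_l.o`. Note `CCARGS` also expands `$(CFLAGS)`, which is `-I..`, so `-I..` now appears twice; harmless, but it could be dropped from CCARGS.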
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 8f492a24a46e..56cc34b9f87d 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.8 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.9 2007/09/13 07:19:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -20,6 +20,9 @@ typedef int boolean_t;
#endif
#include <sys/time.h>
#if !defined(__osf__)
+# ifdef __NetBSD__
+# include <machine/lock.h>
+# endif
# define _KERNEL
# define KERNEL
# if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux)
@@ -1095,7 +1098,8 @@ int ptest;
struct tcpcb *tcbp, tcb;
struct tcpiphdr ti;
struct sockaddr_in sin;
- int fd, slen;
+ int fd;
+ socklen_t slen;
bzero((char *)&sin, sizeof(sin));
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index 65f4f924971e..f4317fcccb16 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -6,7 +6,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.6 2007/02/17 12:41:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.7 2007/09/13 07:19:34 darrenr Exp $";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -29,6 +29,9 @@ typedef int boolean_t;
# include <sys/dir.h>
#endif
#if !defined(__osf__)
+# ifdef __NetBSD__
+# include <machine/lock.h>
+# endif
# define _KERNEL
# define KERNEL
# ifdef ultrix
@@ -384,7 +387,8 @@ struct in_addr gwip;
{
struct sockaddr_in rsin, lsin;
struct tcpcb *t, tcb;
- int fd, nfd, len;
+ int fd, nfd;
+ socklen_t len;
printf("Dest. Port: %d\n", ti->ti_dport);
diff --git a/contrib/ipfilter/l4check/Makefile b/contrib/ipfilter/l4check/Makefile
index e7366b63ad6a..e2bb9f8b3cff 100644
--- a/contrib/ipfilter/l4check/Makefile
+++ b/contrib/ipfilter/l4check/Makefile
@@ -4,7 +4,7 @@
all: l4check
l4check: l4check.c
- $(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@
+ $(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@
clean:
/bin/rm -f l4check
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
index 3fecb80dbb9b..a096fffe4477 100644
--- a/contrib/ipfilter/l4check/l4check.c
+++ b/contrib/ipfilter/l4check/l4check.c
@@ -25,6 +25,7 @@
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
+#include "ipl.h"
#include "ipf.h"
@@ -96,13 +97,21 @@ char *dst, *src;
void addnat(l4)
l4cfg_t *l4;
{
+
ipnat_t *ipn = &l4->l4_nat;
- printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0]),
+ printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4),
ipn->in_outmsk, ntohs(ipn->in_pmin));
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ntohs(ipn->in_pnext));
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext));
if (!(opts & OPT_DONOTHING)) {
- if (ioctl(natfd, SIOCADNAT, &ipn) == -1)
+ ipfobj_t obj;
+
+ bzero(&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(*ipn);
+ obj.ipfo_ptr = ipn;
+
+ if (ioctl(natfd, SIOCADNAT, &obj) == -1)
perror("ioctl(SIOCADNAT)");
}
}
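Review bot: `obj.ipfo_type` is left at zero by the bzero; from memory of fr_inobj() in ip_fil.c (not in this diff), the kernel compares ipfo_type against the expected IPFOBJ_IPNAT and returns EINVAL on mismatch, in which case every SIOCADNAT from l4check would fail with only a perror to show for it. If that check is indeed present, add `obj.ipfo_type = IPFOBJ_IPNAT;` next to the other field assignments, which is how tools/ipnat.c builds the same object. Worth confirming against the kernel side before relying on this tool.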
@@ -114,9 +123,16 @@ l4cfg_t *l4;
ipnat_t *ipn = &l4->l4_nat;
printf("Remove NAT rule for %s/%#x,%u -> ",
- inet_ntoa(ipn->in_out[0]), ipn->in_outmsk, ipn->in_pmin);
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0]), ipn->in_pnext);
+ inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin);
+ printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext);
if (!(opts & OPT_DONOTHING)) {
+ ipfobj_t obj;
+
+ bzero(&obj, sizeof(obj));
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_size = sizeof(*ipn);
+ obj.ipfo_ptr = ipn;
+
if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
perror("ioctl(SIOCRMNAT)");
}
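Review bot: The new ipfobj_t built here is never used: the ioctl on the line below still passes `&ipn`, the address of the local `ipnat_t *`, so the kernel receives a pointer-to-pointer instead of the object header, while the addnat counterpart above was correctly switched to `&obj`. The call should read `if (ioctl(natfd, SIOCRMNAT, &obj) == -1)`. As with addnat, `obj.ipfo_type` is also left at zero by the bzero, which I would expect the kernel to reject; setting it to IPFOBJ_IPNAT in both places keeps the two functions consistent.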
@@ -176,7 +192,6 @@ l4cfg_t *l4;
void writefd(l4)
l4cfg_t *l4;
{
- char buf[80], *ptr;
int n, i, fd;
fd = l4->l4_fd;
@@ -408,7 +423,6 @@ u_short *portp;
struct servent *sp;
struct hostent *hp;
char *host, *port;
- struct in_addr ip;
host = str;
port = strchr(host, ',');
@@ -553,7 +567,8 @@ char *filename;
break;
}
- strncpy(ipn->in_ifname, s, sizeof(ipn->in_ifname));
+ strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);
+ strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ);
if (!gethostport(t, num, &ipn->in_outip,
&ipn->in_pmin)) {
errtxt = line;
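Review bot: `strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ)` does not guarantee NUL termination: a name of LIFNAMSIZ characters or more from the config file fills the array completely, and the `%s` print of `in_ifnames[0]` in the verbose branch a few lines further on (next hunk) would read past it, as would anything in the kernel that treats the field as a C string. Since the config comes from a file the operator controls this is robustness rather than an attack surface, but it is cheap to fix: either reject overlong names with the existing `errtxt = line; break;` path when `strlen(s) >= LIFNAMSIZ`, or copy with `snprintf(ipn->in_ifnames[0], LIFNAMSIZ, "%s", s);` and the same for `[1]`, which always terminates. The enclosing parser loop starts and ends outside the hunk.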
@@ -565,11 +580,11 @@ char *filename;
if (opts & OPT_VERBOSE)
fprintf(stderr,
"Interface %s %s/%#x port %u\n",
- ipn->in_ifname,
- inet_ntoa(ipn->in_out[0]),
+ ipn->in_ifnames[0],
+ inet_ntoa(ipn->in_out[0].in4),
ipn->in_outmsk, ipn->in_pmin);
} else if (!strcasecmp(t, "remote")) {
- if (!*ipn->in_ifname) {
+ if (!*ipn->in_ifnames[0]) {
fprintf(stderr,
"%d: ifname not set prior to remote\n",
num);
@@ -604,7 +619,7 @@ char *filename;
break;
}
bcopy((char *)&template, (char *)l4, sizeof(*l4));
- l4->l4_sin.sin_addr = ipn->in_in[0];
+ l4->l4_sin.sin_addr = ipn->in_in[0].in4;
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_next = l4list;
l4list = l4;
@@ -791,7 +806,7 @@ char *argv[];
}
if (!(opts & OPT_DONOTHING)) {
- natfd = open(IPL_NAT, O_RDWR);
+ natfd = open(IPNAT_NAME, O_RDWR);
if (natfd == -1) {
perror("open(IPL_NAT)");
exit(1);
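Review bot: The open now uses `IPNAT_NAME`, but the error message three lines below still names `IPL_NAT`, so a failure reports a path the code no longer opens. Printing the macro keeps the two in step: `fprintf(stderr, "open(%s): %s\n", IPNAT_NAME, strerror(errno));` (assuming IPNAT_NAME expands to a string, as its use in open() suggests).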
@@ -802,4 +817,6 @@ char *argv[];
fprintf(stderr, "Starting...\n");
while (runconfig() == 0)
;
+
+ exit(1);
}
diff --git a/contrib/ipfilter/lib/Makefile b/contrib/ipfilter/lib/Makefile
index b0d50523df39..a838063c674c 100644
--- a/contrib/ipfilter/lib/Makefile
+++ b/contrib/ipfilter/lib/Makefile
@@ -3,7 +3,7 @@
#
# See the IPFILTER.LICENCE file for details on licencing.
#
-# $Id: Makefile,v 1.41.2.13 2007/05/10 06:02:19 darrenr Exp $
+# $Id: Makefile,v 1.41.2.14 2007/09/21 08:30:43 darrenr Exp $
#
INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
@@ -135,8 +135,6 @@ $(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
-$(DEST)/getline.o: $(LIBSRC)/getline.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getline.c -o $@
$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
@@ -218,10 +216,6 @@ $(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
-$(DEST)/portnum.o: $(LIBSRC)/portnum.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/portnum.c -o $@
-$(DEST)/ports.o: $(LIBSRC)/ports.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ports.c -o $@
$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
diff --git a/contrib/ipfilter/lib/alist_new.c b/contrib/ipfilter/lib/alist_new.c
index 72da866849cb..50a4275e7d54 100644
--- a/contrib/ipfilter/lib/alist_new.c
+++ b/contrib/ipfilter/lib/alist_new.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: alist_new.c,v 1.1.2.2 2006/08/25 22:43:21 darrenr Exp $
+ * $Id: alist_new.c,v 1.1.2.3 2007/06/06 08:05:33 darrenr Exp $
*/
#include "ipf.h"
@@ -53,12 +53,14 @@ alist_new(int v, char *host)
}
if (gethost(host, &al->al_addr) == -1) {
- *slash = '/';
+ if (slash != NULL)
+ *slash = '/';
fprintf(stderr, "Cannot parse hostname\n");
free(al);
return NULL;
}
al->al_mask = htonl(mask);
- *slash = '/';
+ if (slash != NULL)
+ *slash = '/';
return al;
}
diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c
index 302f177a72da..5dc65b42be2f 100644
--- a/contrib/ipfilter/lib/ipft_tx.c
+++ b/contrib/ipfilter/lib/ipft_tx.c
@@ -3,11 +3,11 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ipft_tx.c,v 1.15.2.9 2006/06/16 17:21:04 darrenr Exp $
+ * $Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.9 2006/06/16 17:21:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $";
#endif
#include <ctype.h>
@@ -257,19 +257,30 @@ int *out;
}
ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
cpp++;
- if (*cpp && ip->ip_p == IPPROTO_TCP) {
- char *s, *t;
-
- tcp->th_flags = 0;
- for (s = *cpp; *s; s++)
- if ((t = strchr(myflagset, *s)))
- tcp->th_flags |= myflags[t - myflagset];
- if (tcp->th_flags)
- cpp++;
- if (tcp->th_flags == 0)
- abort();
+ if (ip->ip_p == IPPROTO_TCP) {
+ if (*cpp != NULL) {
+ char *s, *t;
+
+ tcp->th_flags = 0;
+ for (s = *cpp; *s; s++)
+ if ((t = strchr(myflagset, *s)))
+ tcp->th_flags |= myflags[t-myflagset];
+ if (tcp->th_flags)
+ cpp++;
+ }
+
if (tcp->th_flags & TH_URG)
tcp->th_urp = htons(1);
+
+ if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
+ tcp->th_seq = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
+
+ if (*cpp && !strncasecmp(*cpp, "ack=", 4)) {
+ tcp->th_ack = htonl(atoi(*cpp + 4));
+ cpp++;
+ }
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
extern char *tx_icmptypes[];
char **s, *t;
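Review bot: The new `seq=`/`ack=` values are parsed with `atoi`, which cannot represent the upper half of the 32-bit sequence space (values above INT_MAX are undefined behaviour for atoi) and returns 0 for non-numeric text without any error, so a typo in a test case silently becomes sequence 0. `strtoul` with an end-pointer check handles the full range and flags garbage: `tcp->th_seq = htonl(strtoul(*cpp + 4, &end, 0));` followed by `if (*end != '\0') abort();` (or whatever error path the rest of this function uses; it starts and ends outside the hunk). Separately, the old `abort()` on an unrecognised flag word is gone: when `*cpp` matches no flag, `th_flags` stays 0 and `cpp` is not advanced, so the word is then tried as seq=/ack= and otherwise left for whatever follows, which I cannot see here.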
diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c
index da375d9b1076..37666a2a8d58 100644
--- a/contrib/ipfilter/lib/printnat.c
+++ b/contrib/ipfilter/lib/printnat.c
@@ -11,7 +11,7 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.13 2006/12/09 10:37:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.14 2007/09/06 16:40:11 darrenr Exp $";
#endif
/*
@@ -134,6 +134,8 @@ int opts;
if (opts & OPT_DEBUG)
printf("\tpmax %u\n", np->in_pmax);
} else {
+ int protoprinted = 0;
+
if (!(np->in_flags & IPN_FILTER)) {
printf("%s/", inet_ntoa(np->in_in[0].in4));
bits = count4bits(np->in_inmsk);
@@ -170,6 +172,7 @@ int opts;
printf(" %.*s/", (int)sizeof(np->in_plabel),
np->in_plabel);
printproto(pr, np->in_p, NULL);
+ protoprinted = 1;
} else if (np->in_redir == NAT_MAPBLK) {
if ((np->in_pmin == 0) &&
(np->in_flags & IPN_AUTOPORTMAP))
@@ -185,6 +188,7 @@ int opts;
printf(" portmap ");
}
printproto(pr, np->in_p, np);
+ protoprinted = 1;
if (np->in_flags & IPN_AUTOPORTMAP) {
printf(" auto");
if (opts & OPT_DEBUG)
@@ -196,9 +200,6 @@ int opts;
printf(" %d:%d", ntohs(np->in_pmin),
ntohs(np->in_pmax));
}
- } else if (np->in_flags & IPN_TCPUDP || np->in_p) {
- putchar(' ');
- printproto(pr, np->in_p, np);
}
if (np->in_flags & IPN_FRAG)
@@ -210,6 +211,10 @@ int opts;
printf(" mssclamp %d", np->in_mssclamp);
if (np->in_tag.ipt_tag[0] != '\0')
printf(" tag %s", np->in_tag.ipt_tag);
+ if (!protoprinted && (np->in_flags & IPN_TCPUDP || np->in_p)) {
+ putchar(' ');
+ printproto(pr, np->in_p, np);
+ }
printf("\n");
if (opts & OPT_DEBUG) {
struct in_addr nip;
diff --git a/contrib/ipfilter/lib/printpacket.c b/contrib/ipfilter/lib/printpacket.c
index 142028ac5851..6ee36792b419 100644
--- a/contrib/ipfilter/lib/printpacket.c
+++ b/contrib/ipfilter/lib/printpacket.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: printpacket.c,v 1.12.4.4 2006/09/30 21:44:43 darrenr Exp $
+ * $Id: printpacket.c,v 1.12.4.5 2007/09/09 22:15:30 darrenr Exp $
*/
#include "ipf.h"
@@ -54,7 +54,7 @@ struct ip *ip;
printf("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
IP_HL(ip) << 2, ip->ip_p);
if (off & IP_OFFMASK)
- printf(" @%d", off << 3);
+ printf(" @%d", (off & IP_OFFMASK) << 3);
printf(" %s", inet_ntoa(ip->ip_src));
if (!(off & IP_OFFMASK))
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
diff --git a/contrib/ipfilter/lib/printpool_live.c b/contrib/ipfilter/lib/printpool_live.c
index 0588cfbb7c8d..e228a3965adb 100644
--- a/contrib/ipfilter/lib/printpool_live.c
+++ b/contrib/ipfilter/lib/printpool_live.c
@@ -52,11 +52,12 @@ int opts;
while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
if (entry.ipn_next == NULL)
last = 1;
- entry.ipn_next = top;
- top = malloc(sizeof(*top));
- if (top == NULL)
+ node = malloc(sizeof(*top));
+ if (node == NULL)
break;
- bcopy(&entry, top, sizeof(entry));
+ bcopy(&entry, node, sizeof(entry));
+ node->ipn_next = top;
+ top = node;
}
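Review bot: On malloc failure the loop breaks silently, and the partial list collected so far is printed as though it were the whole pool, with nothing to tell the user the listing is truncated. A `perror("malloc");` before the `break` makes the truncation visible; if the caller checks a return or error flag that is not visible in this hunk, it should be set too. The declaration of `node` is outside the hunk, presumably added elsewhere in this change. The SIOCIPFDELTOK added in the next hunk is a good catch, since it releases the kernel iterator token on every exit path from the loop, including this early break.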
while (top != NULL) {
@@ -74,5 +75,9 @@ int opts;
if ((opts & OPT_DEBUG) == 0)
PRINTF(" };\n");
+
+ if (ioctl(fd, SIOCIPFDELTOK, &iter.ili_key) != 0)
+ perror("SIOCIPFDELTOK");
+
return pool->ipo_next;
}
diff --git a/contrib/ipfilter/lib/printstate.c b/contrib/ipfilter/lib/printstate.c
index c1c14423d4f3..fcf42d675b4d 100644
--- a/contrib/ipfilter/lib/printstate.c
+++ b/contrib/ipfilter/lib/printstate.c
@@ -33,8 +33,8 @@ u_long now;
sp->is_send, sp->is_dend,
sp->is_maxswin, sp->is_swinscale,
sp->is_maxdwin, sp->is_dwinscale);
- PRINTF("\tcmsk %04x smsk %04x isc %p s0 %08x/%08x\n",
- sp->is_smsk[0], sp->is_smsk[1], sp->is_isc,
+ PRINTF("\tcmsk %04x smsk %04x s0 %08x/%08x\n",
+ sp->is_smsk[0], sp->is_smsk[1],
sp->is_s0[0], sp->is_s0[1]);
PRINTF("\tFWD:ISN inc %x sumd %x\n",
sp->is_isninc[0], sp->is_sumd[0]);
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
index 1c720b9392dd..aeff3c8b3ae5 100644
--- a/contrib/ipfilter/man/ippool.5
+++ b/contrib/ipfilter/man/ippool.5
@@ -92,7 +92,7 @@ to use the tree data storage type with
configuration entries.
.SH POOL ROLES
.PP
-When a pool is defined in the configruation file, it must have an associated
+When a pool is defined in the configuration file, it must have an associated
role. At present the only supported role is
.B ipf.
Future development will see futher expansion of their use by other sections
diff --git a/contrib/ipfilter/md5.h b/contrib/ipfilter/md5.h
index 48bbaf1bb9d0..e67f5b1d05cd 100644
--- a/contrib/ipfilter/md5.h
+++ b/contrib/ipfilter/md5.h
@@ -37,7 +37,7 @@
***********************************************************************
*/
-#ifndef __MD5_INCLUDE__
+#if !defined(__MD5_INCLUDE__) && !defined(_SYS_MD5_H)
#ifndef __P
# ifdef __STDC__
diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c
index 4614f1da5d1b..f9fc20cc3e18 100644
--- a/contrib/ipfilter/radix.c
+++ b/contrib/ipfilter/radix.c
@@ -74,8 +74,14 @@ void panic __P((char *str));
#include <netinet/in.h>
#include <sys/socket.h>
#include <net/if.h>
+#ifdef SOLARIS2
+# define _RADIX_H_
+#endif
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
+#ifdef SOLARIS2
+# undef _RADIX_H_
+#endif
/* END OF INCLUDES */
#include "radix_ipf.h"
#ifndef min
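Review bot: Pre-defining `_RADIX_H_` around the two ipf includes, and undefining it again, is a deliberate trick to keep ip_compat.h/ip_fil.h from pulling in the system `<net/radix.h>` on Solaris, but nothing in the code says so, and the next reader will take it for a stray guard. Add a comment above the `#ifdef SOLARIS2` such as `/* Solaris: pre-define the system radix.h guard so the ipf headers do not include <net/radix.h>, whose struct layout differs from ours and panics S10U4 (see HISTORY 4.1.28); undone below so radix_ipf.h is unaffected. */`. Whether every Solaris release spells the guard `_RADIX_H_` is worth confirming, since a different spelling would silently re-enable the include.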
diff --git a/contrib/ipfilter/radix_ipf.h b/contrib/ipfilter/radix_ipf.h
index 1fe10df171ad..f9b0a3077de9 100644
--- a/contrib/ipfilter/radix_ipf.h
+++ b/contrib/ipfilter/radix_ipf.h
@@ -40,7 +40,7 @@
# endif
#endif
-#if defined(__sgi) || defined(__osf__)
+#if defined(__sgi) || defined(__osf__) || defined(sun)
# define radix_mask ipf_radix_mask
# define radix_node ipf_radix_node
# define radix_node_head ipf_radix_node_head
@@ -161,7 +161,7 @@ struct radix_node_head {
#define FreeS(p, z) KFREES(p, z)
#define Free(p) KFREE(p)
-#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516)) && defined(_KERNEL)
+#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516) || defined(sun)) && defined(_KERNEL)
# define rn_init ipf_rn_init
# define rn_fini ipf_rn_fini
# define rn_inithead ipf_rn_inithead
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index 9273ca6113e9..b0462f3f388d 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -6,7 +6,10 @@
BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
-all: results tests
+all: expected.d results tests
+
+expected.d:
+ (cd expected; make)
results:
mkdir -p results
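Review bot: The new `expected.d` recipe (and the `clean` addition further down) runs bare `make` rather than `$(MAKE)`, so options given to the top-level invocation (-n, -k, a non-default make binary) are not propagated into the expected/ sub-build; `(cd expected; $(MAKE))` fixes that. `expected.d` also names a file the recipe never creates, so it is rebuilt on every run and should be declared `.PHONY: expected.d` to make that intent explicit.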
@@ -21,13 +24,13 @@ first:
-mkdir -p results
# Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
i20 i21
-ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14
+ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \
ni16 ni19 ni20 ni21 ni23
@@ -38,20 +41,20 @@ logtests: l1
pools: p1 p2 p3 p5 ip1 ip2
-ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5
+ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
bpf: bpf1 bpf-f1
f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19:
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
-f15 f16 f17 f18 f20:
+f15 f16 f17 f18 f20 f24:
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1:
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
-n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14:
+n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16:
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20:
@@ -66,7 +69,7 @@ in1 in2 in3 in4 in5 in6:
l1:
@/bin/sh ./logtest `awk "/^$@ / { print; } " test.format`
-ipv6.1 ipv6.2 ipv6.3 ipv6.5:
+ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6:
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
p1 p2 p3 p5:
@@ -79,17 +82,18 @@ bpf-f1:
/bin/sh ./bpftest `awk "/^$@ / { print; } " test.format`
clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21
- /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14
+ /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
/bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9
/bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 ni23
/bin/rm -f in1 in2 in3 in4 in5 in6
/bin/rm -f p1 p2 p3 p5 ip1 ip2
/bin/rm -f l1
- /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5
+ /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
/bin/rm -f bpf1 bpf-f1
/bin/rm -f results/* logout
+ (cd expected; make clean)
diffs:
-cd expected; for i in *; do if [ -f $$i -a ! -f ../$$i -a -f ../results/$$i ] ; then diff -c $$i ../results/$$i >> ../diff.out; fi done
diff --git a/contrib/ipfilter/test/dotest b/contrib/ipfilter/test/dotest
index 72853d4eb0b3..29891091da59 100644
--- a/contrib/ipfilter/test/dotest
+++ b/contrib/ipfilter/test/dotest
@@ -15,7 +15,13 @@ else
fi
fi
if [ "$tuning" != "" ] ; then
- tuning="-T $tuning"
+ case $tuning in
+ -*)
+ ;;
+ *)
+ tuning="-T $tuning"
+ ;;
+ esac
fi
echo "${thistest}...";
/bin/cp /dev/null results/${thistest}
diff --git a/contrib/ipfilter/test/expected/Makefile b/contrib/ipfilter/test/expected/Makefile
new file mode 100644
index 000000000000..bb91b8b60c4f
--- /dev/null
+++ b/contrib/ipfilter/test/expected/Makefile
@@ -0,0 +1,41 @@
+#
+# (C)opyright 2007 by Darren Reed.
+#
+# See the IPFILTER.LICENCE file for details on licencing.
+#
+all: i19
+
+i19: i19.dist Makefile
+ -if [ "`grep LOG_SECURITY /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+ if [ "`grep LOG_AUDIT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+ sed -e 's/security/!!!/g' i19.dist > i19.p1; \
+ else \
+ sed -e 's/security/audit/g' i19.dist > i19.p1; \
+ fi \
+ else \
+ /bin/cp i19.dist i19.p1; \
+ fi
+ -if [ "`grep LOG_AUTHPRIV /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+ sed -e 's/authpriv/!!!/g' i19.p1 > i19.p2; \
+ else \
+ /bin/cp i19.p1 i19.p2; \
+ fi
+ -if [ "`grep LOG_LOGALERT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+ sed -e 's/logalert/!!!/g' i19.p2 > i19.p1; \
+ else \
+ /bin/cp i19.p2 i19.p1; \
+ fi
+ -if [ "`grep LOG_FTP /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+ sed -e 's/ftp/!!!/g' i19.p1 > i19.p2; \
+ else \
+ /bin/cp i19.p1 i19.p2; \
+ fi
+ -if [ "`egrep 'LOG_CRON.*15' /usr/include/sys/syslog.h 2>&1`" != "" ] ; then \
+ sed -e 's/cron/cron2/g' i19.p2 > i19; \
+ else \
+ /bin/cp i19.p2 i19; \
+ fi
+ /bin/rm i19.p?
+
+clean:
+ /bin/rm -f i19
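Review bot: Every `grep ... 2>&1` probe in the new i19 rule folds grep's own diagnostics into the string being compared, so if /usr/include/sys/syslog.h is missing or unreadable the error text makes each `= ""` test false and the `!= ""` test true, and the expected file is generated as though every facility (and the cron=15 layout) were present. Keep the probe on the header's contents by discarding stderr instead, e.g. `-if [ "`grep LOG_SECURITY /usr/include/sys/syslog.h 2>/dev/null`" = "" ] ; then \` on each of the five tests. The leading `-` on each step also tells make to carry on after a failed sed or cp, so a later step can then run against a missing i19.p1/i19.p2; worth a comment stating that this is intended, if it is.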
diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11
index b977e41604ee..c1eb060a7126 100644
--- a/contrib/ipfilter/test/expected/f11
+++ b/contrib/ipfilter/test/expected/f11
@@ -14,6 +14,16 @@ nomatch
nomatch
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
block
nomatch
@@ -31,6 +41,16 @@ nomatch
nomatch
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
nomatch
nomatch
@@ -48,6 +68,16 @@ pass
nomatch
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
nomatch
nomatch
@@ -65,6 +95,16 @@ block
nomatch
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
nomatch
nomatch
@@ -82,6 +122,36 @@ pass
pass
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+2.2.2.2 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
+ tag 0 ttl 240 2 -> 53
+ forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+ backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
+ pass in keep state IPv4
+ pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
+ pkt_security & ffff = 0, pkt_auth & ffff = 0
+ is_flx 0x8001 0 0 0
+ interfaces: in X[e1],X[] out X[],X[]
+ Sync status: not synchronized
+1.1.1.1 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
+ tag 0 ttl 24 1 -> 53
+ forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+ backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+ pass in keep state IPv4
+ pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
+ pkt_security & ffff = 0, pkt_auth & ffff = 0
+ is_flx 0x8001 0x8001 0 0
+ interfaces: in X[e1],X[e0] out X[],X[]
+ Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
nomatch
nomatch
@@ -99,6 +169,36 @@ block
block
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+2.2.2.2 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
+ tag 0 ttl 240 2 -> 53
+ forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+ backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
+ block in keep state IPv4
+ pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
+ pkt_security & ffff = 0, pkt_auth & ffff = 0
+ is_flx 0x8001 0 0 0
+ interfaces: in X[e1],X[] out X[],X[]
+ Sync status: not synchronized
+1.1.1.1 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
+ tag 0 ttl 24 1 -> 53
+ forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+ backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+ block in keep state IPv4
+ pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
+ pkt_security & ffff = 0, pkt_auth & ffff = 0
+ is_flx 0x8001 0x8001 0 0
+ interfaces: in X[e1],X[e0] out X[],X[]
+ Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
nomatch
nomatch
@@ -116,4 +216,28 @@ nomatch
nomatch
nomatch
nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+1.1.1.1 -> 2.1.2.2 pass 0x40008402 pr 6 state 3/4
+ tag 0 ttl 864000
+ 1 -> 25 2:66 4096<<0:16384<<0
+ cmsk 0000 smsk 0000 s0 00000000/00000000
+ FWD:ISN inc 0 sumd 0
+ REV:ISN inc 0 sumd 0
+ forward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
+ backward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
+ pass in keep state IPv4
+ pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
+ pkt_security & ffff = 0, pkt_auth & ffff = 0
+ is_flx 0x8001 0x8001 0 0
+ interfaces: in X[e0],X[e1] out X[],X[]
+ Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
--------
diff --git a/contrib/ipfilter/test/expected/f24 b/contrib/ipfilter/test/expected/f24
new file mode 100644
index 000000000000..801abd369426
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f24
@@ -0,0 +1,5 @@
+pass
+pass
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/i19.dist b/contrib/ipfilter/test/expected/i19.dist
new file mode 100644
index 000000000000..5d9c26cfe15a
--- /dev/null
+++ b/contrib/ipfilter/test/expected/i19.dist
@@ -0,0 +1,22 @@
+block in log level user.debug quick proto icmp from any to any
+block in log level mail.info quick proto icmp from any to any
+block in log level daemon.notice quick proto icmp from any to any
+block in log level auth.warn quick proto icmp from any to any
+block in log level syslog.err quick proto icmp from any to any
+block in log level lpr.crit quick proto icmp from any to any
+block in log level news.alert quick proto icmp from any to any
+block in log level uucp.emerg quick proto icmp from any to any
+block in log level cron.debug quick proto icmp from any to any
+block in log level ftp.info quick proto icmp from any to any
+block in log level authpriv.notice quick proto icmp from any to any
+block in log level logalert.warn quick proto icmp from any to any
+block in log level local0.err quick proto icmp from any to any
+block in log level local1.crit quick proto icmp from any to any
+block in log level local2.alert quick proto icmp from any to any
+block in log level local3.emerg quick proto icmp from any to any
+block in log level local4.debug quick proto icmp from any to any
+block in log level local5.info quick proto icmp from any to any
+block in log level local6.notice quick proto icmp from any to any
+block in log level local7.warn quick proto icmp from any to any
+block in log level kern.err quick proto icmp from any to any
+block in log level security.emerg quick proto icmp from any to any
diff --git a/contrib/ipfilter/test/expected/i21 b/contrib/ipfilter/test/expected/i21
index a5f55b36d6f5..d4d28daa4a58 100644
--- a/contrib/ipfilter/test/expected/i21
+++ b/contrib/ipfilter/test/expected/i21
@@ -8,3 +8,9 @@ pass out from any to any port = 7
pass out from any to any port = 9
block in from any port = 20 to any
block in from any port = 25 to any
+pass in from any port 11:12 to any port 1:2
+pass in from any port 21:22 to any port 1:2
+pass in from any port 11:12 to any port 4:5
+pass in from any port 21:22 to any port 4:5
+pass in from any port 11:12 to any port 8:9
+pass in from any port 21:22 to any port 8:9
diff --git a/contrib/ipfilter/test/expected/in1 b/contrib/ipfilter/test/expected/in1
index 8c47a929e540..03436b65a4dd 100644
--- a/contrib/ipfilter/test/expected/in1
+++ b/contrib/ipfilter/test/expected/in1
@@ -28,3 +28,4 @@ map fxp0 from 192.168.0.0/18 to any port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tc
map thisisalonginte 0.0.0.0/0 -> 0.0.0.0/32 mssclamp 1452 tag freddyliveshere
map bar0 0.0.0.0/0 -> 0.0.0.0/32 icmpidmap icmp 1000:2000
map ppp0,adsl0 0.0.0.0/0 -> 0.0.0.0/32
+map ppp0 from 192.168.0.0/16 to any port = 123 -> 0.0.0.0/32 age 30/1 udp
diff --git a/contrib/ipfilter/test/expected/in6 b/contrib/ipfilter/test/expected/in6
index 338bd808f57f..05426e7a8dc2 100644
--- a/contrib/ipfilter/test/expected/in6
+++ b/contrib/ipfilter/test/expected/in6
@@ -5,3 +5,4 @@ map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0.0.0.0/32 tcp/udp
+map foo0 from any port 10:20 to any port 30:40 -> 0.0.0.0/32 tcp/udp
diff --git a/contrib/ipfilter/test/expected/ipv6.6 b/contrib/ipfilter/test/expected/ipv6.6
new file mode 100644
index 000000000000..abc0e87c6917
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ipv6.6
@@ -0,0 +1,3 @@
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/n16 b/contrib/ipfilter/test/expected/n16
new file mode 100644
index 000000000000..da617d9d3600
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n16
@@ -0,0 +1,21 @@
+4520 0068 17e4 0000 6b11 cbba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+
+4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318 c05b ac33 0303 4ca1 0000 0000 4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+
+4500 0084 ee0f 0000 8001 4a21 45f8 4fc1 c05b ac33 0303 bf85 0000 0000 4520 0068 17e4 0000 6a11 3639 c05b ac33 45f8 4fc1 1194 94f8 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+
+List of active MAP/Redirect filters:
+rdr vlan0 from any to 69.248.79.193/32 port = 38136 -> 172.31.83.24 port 2013 udp
+
+List of active sessions:
+RDR 172.31.83.24 2013 <- -> 69.248.79.193 38136 [192.91.172.51 4500]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+-------------------------------
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
index c54bb80eb476..d558150045c2 100644
--- a/contrib/ipfilter/test/input/f11
+++ b/contrib/ipfilter/test/input/f11
@@ -1,14 +1,14 @@
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
-in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA
-in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
-in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S seq=1 ack=0
+in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA seq=1 ack=1
+in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA seq=101 ack=2
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA seq=101 ack=2
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
+in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A seq=2 ack=102
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A seq=102 ack=2
+in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A seq=102 ack=2
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA seq=2 ack=102
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
+in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A seq=2 ack=102
in on e1 udp 1.1.1.1,1 4.4.4.4,53
in on e1 udp 2.2.2.2,2 4.4.4.4,53
in on e0 udp 4.4.4.4,53 1.1.1.1,1
diff --git a/contrib/ipfilter/test/input/f24 b/contrib/ipfilter/test/input/f24
new file mode 100644
index 000000000000..1d066822561f
--- /dev/null
+++ b/contrib/ipfilter/test/input/f24
@@ -0,0 +1,27 @@
+[out,hme0]
+4500 003f 6e48 0000 4011 8816 c0a8 0101
+c0a8 01fe eb22 0035 002b d9e6 4a82 0100
+0001 0000 0000 0000 0663 6f6f 6d62 7303
+616e 7503 6564 7502 6175 0000 0100 01
+
+[in,hme0]
+4500 004c fc96 2000 4011 d9ba c0a8 01fe
+c0a8 0101 0035 eb22 00a9 d7b9 4a82 8180
+0001 0001 0003 0003 0663 6f6f 6d62 7303
+616e 7503 6564 7502 6175 0000 0100 01c0
+0c00 0100 0100 0000 3c00 0496
+
+[in,hme0]
+4500 004c fc96 2006 4011 d9b4 c0a8 01fe
+c0a8 0101 cbe7 50c0 1300 0200 0100 0078
+8c00 0603 6e73 31c0 13c0 1300 0200 0100
+0078 8c00 0e02 6e73 0861 6465 6c61 6964
+65c0 17c0 1300 0200 0100 0078
+
+[in,hme0]
+4500 004d fc96 000c 4011 f9ad c0a8 01fe
+c0a8 0101 8c00 0603 756e 61c0 13c0 6b00
+0100 0100 0027 5800 0496 cb16 1cc0 5100
+0100 0100 0018 4700 0481 7f28 03c0 3f00
+0100 0100 0027 5800 0496 cb01 0a
+
diff --git a/contrib/ipfilter/test/input/ipv6.6 b/contrib/ipfilter/test/input/ipv6.6
new file mode 100644
index 000000000000..82efeac624da
--- /dev/null
+++ b/contrib/ipfilter/test/input/ipv6.6
@@ -0,0 +1,17 @@
+[out,gif0]
+6000 0000 0020 2c01
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+1100 0001 0000 0001
+8083 829a
+0020
+f4c1
+0000 0000 0000 0000 0000 0000 0000 0000
+
+[out,gif0]
+6000 0000 0020 2c01
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+1100 0008 0000 0001
+0000 0000 0000 0000 0000 0000 0000 0000
+
diff --git a/contrib/ipfilter/test/input/l1 b/contrib/ipfilter/test/input/l1
index 56d766aa07bf..a59dbe3ce6b5 100644
--- a/contrib/ipfilter/test/input/l1
+++ b/contrib/ipfilter/test/input/l1
@@ -1,36 +1,36 @@
# 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF SYN
[]
4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5002 2000 85c3 0000
+0401 0019 0000 0001 0000 0000 5002 2000 85c2 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
[]
4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000
+0401 0019 0000 0001 0000 0000 5010 2000 85b4 0000
#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS
[]
4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101
-0019 0401 0000 0000 0000 0000 5012 2000 85b3 0000
+0019 0401 0000 0011 0000 0002 5012 2000 85a0 0000
#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A
[out,e1] 4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101
-0019 0401 0000 0000 0000 0000 5010 2000 85b5 0000
+0019 0401 0000 0012 0000 0002 5010 2000 85a1 0000
-#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 F
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 AF
[]
4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5011 2000 85b4 0000
+0401 0019 0000 0002 0000 0012 5011 2000 85a0 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
[]
4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000
+0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000
#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
[]
4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000
+0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000
#in on e1 udp 1.1.1.1,1 4.4.4.4,53
[]
diff --git a/contrib/ipfilter/test/input/n16 b/contrib/ipfilter/test/input/n16
new file mode 100644
index 000000000000..2e77e40d7671
--- /dev/null
+++ b/contrib/ipfilter/test/input/n16
@@ -0,0 +1,40 @@
+[in,vlan0]
+4520 0068 17e4 0000 6b11 3539 c05b ac33 45f8 4fc1
+1194 94f8 0054 0000
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+
+[out,vlan2]
+4520 0068 17e4 0000 6a11 ccba c05b ac33
+ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5
+
+[in,vlan2]
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
+c05b ac33 0303 4ca1 0000 0000 4520 0068
+17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5
+
+[out,vlan0]
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
+c05b ac33 0303 4ca1 0000 0000 4520 0068
+17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5
+
diff --git a/contrib/ipfilter/test/nattest b/contrib/ipfilter/test/nattest
index 78b757ec4341..fece276a6a76 100755
--- a/contrib/ipfilter/test/nattest
+++ b/contrib/ipfilter/test/nattest
@@ -5,7 +5,14 @@ else
format="-F $2"
fi
if [ "$4" != "" ] ; then
- format="-T $4 $format"
+ case $4 in
+ -*)
+ format="$4 $format"
+ ;;
+ *)
+ format="-T $4 $format"
+ ;;
+ esac
fi
if [ -f /usr/ucb/touch ] ; then
TOUCH=/usr/ucb/touch
diff --git a/contrib/ipfilter/test/regress/f24 b/contrib/ipfilter/test/regress/f24
new file mode 100644
index 000000000000..5cb3bab6b8a1
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f24
@@ -0,0 +1 @@
+pass out quick proto udp all keep state keep frags
diff --git a/contrib/ipfilter/test/regress/i21 b/contrib/ipfilter/test/regress/i21
index bf797f953b70..9d583ab0894f 100644
--- a/contrib/ipfilter/test/regress/i21
+++ b/contrib/ipfilter/test/regress/i21
@@ -4,3 +4,4 @@ block in from port 20:21
block out from any to port 10 <> 100
pass out from any to port = (3,5,7,9)
block in from port = (20,25)
+pass in from any port = (11:12, 21:22) to any port = (1:2, 4:5, 8:9)
diff --git a/contrib/ipfilter/test/regress/i3 b/contrib/ipfilter/test/regress/i3
index 0d82e8a0b834..390fc3c60e42 100644
--- a/contrib/ipfilter/test/regress/i3
+++ b/contrib/ipfilter/test/regress/i3
@@ -1,7 +1,9 @@
log in all
pass in from 128.16/16 to 129.10.10/24
-pass in from 128.0.0.1/24 to 128\
-.0.0.1/16
+pass in from 128.0.0.1/24 to 1\
+28\
+.\
+0.0.1/16
pass in from 128.0.0.1/0xffffff00 to 128.0.0.1/0xffff0000
pass in from 128.0.0.1/255.255.255.0 to 128.0.0.1/255.255.0.0
pass in from 128.0.0.1 mask 0xffffff00 to 128.0.0.1 mask 0xffff0000
diff --git a/contrib/ipfilter/test/regress/in1 b/contrib/ipfilter/test/regress/in1
index 163d834fb1c1..d5d0cf4c3d19 100644
--- a/contrib/ipfilter/test/regress/in1
+++ b/contrib/ipfilter/test/regress/in1
@@ -28,3 +28,4 @@ map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tc
map thisisalonginte 0/0 -> 0/32 mssclamp 1452 tag freddyliveshere
map bar0 0/0 -> 0/32 icmpidmap icmp 1000:2000
map ppp0,adsl0 0/0 -> 0/32
+map ppp0 from 192.168.0.0/16 to any port = 123 -> 0/32 age 30/1 udp
diff --git a/contrib/ipfilter/test/regress/in6 b/contrib/ipfilter/test/regress/in6
index 932df9b23676..70e71ddeb16b 100644
--- a/contrib/ipfilter/test/regress/in6
+++ b/contrib/ipfilter/test/regress/in6
@@ -5,3 +5,4 @@ map foo0 from any port lt 1 to any port gt 0 -> 0/32 tcp
map foo0 from any port <= 1 to any port >= 0 -> 0/32 tcp/udp
map foo0 from any port le 1 to any port ge 0 -> 0/32 tcp/udp
map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0/32 tcp/udp
+map foo0 from any port 10:20 to any port 30:40 -> 0/32 tcp/udp
diff --git a/contrib/ipfilter/test/regress/ipv6.6 b/contrib/ipfilter/test/regress/ipv6.6
new file mode 100644
index 000000000000..f1f904b4eb61
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ipv6.6
@@ -0,0 +1 @@
+pass out on gif0 proto udp all keep frag
diff --git a/contrib/ipfilter/test/regress/n16 b/contrib/ipfilter/test/regress/n16
new file mode 100644
index 000000000000..ff8958cad869
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n16
@@ -0,0 +1 @@
+rdr vlan0 from any to 69.248.79.193 port = 38136 -> 172.31.83.24 port 2013 udp
diff --git a/contrib/ipfilter/test/test.format b/contrib/ipfilter/test/test.format
index 7c13d6ee79ef..dfc3f35b619a 100644
--- a/contrib/ipfilter/test/test.format
+++ b/contrib/ipfilter/test/test.format
@@ -11,7 +11,7 @@ f7 text text
f8 text text
f9 text text
f10 text text
-f11 text text
+f11 text text -D
f12 hex hex
f13 hex hex
f14 text text
@@ -94,3 +94,6 @@ p2 text text
p3 text text
p4 text text
p5 text text
+n16 hex hex -D
+f24 hex text
+ipv6.6 hex text
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index dfda237f28fd..4156250d0fa1 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -770,8 +770,20 @@ fromport:
srcportlist:
portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
+ | portnum ':' portnum
+ { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
+ fr->fr_stop = $3;) }
+ | portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
+ fr->fr_stop = $3;) }
| srcportlist lmore portnum
{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
+ | srcportlist lmore portnum ':' portnum
+ { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
+ fr->fr_stop = $5;) }
+ | srcportlist lmore portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
+ fr->fr_stop = $5;) }
;
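Review bot: The new `portnum ':' portnum` and `portnum YY_RANGE_IN portnum` alternatives store `$1` and `$3` into fr_sport/fr_stop without checking that the low bound does not exceed the high one, so an inverted range such as `22:11` is accepted by the parser; whether that later matches nothing or is rejected depends on how FR_INCRANGE/FR_INRANGE are evaluated elsewhere, which is not visible here. Rejecting it at parse time would be a one-line addition to each action, e.g. `if ($1 > $3) yyerror("port range start exceeds end");` before the DOREM. The same applies to the four range alternatives added to dstportlist in the following hunk.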
dstobject:
@@ -836,8 +848,20 @@ toport:
dstportlist:
portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
+ | portnum ':' portnum
+ { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
+ fr->fr_dtop = $3;) }
+ | portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
+ fr->fr_dtop = $3;) }
| dstportlist lmore portnum
{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
+ | dstportlist lmore portnum ':' portnum
+ { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
+ fr->fr_dtop = $5;) }
+ | dstportlist lmore portnum YY_RANGE_IN portnum
+ { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
+ fr->fr_dtop = $5;) }
;
addr: pool '/' YY_NUMBER { pooled = 1;
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index db8de45db9a0..e28fe4c347e8 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -69,7 +69,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $";
#endif
#ifdef __hpux
@@ -1118,7 +1118,7 @@ ips_stat_t *ipsp;
PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
(u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
- minlen = ipsp->iss_max;
+ minlen = ipsp->iss_inuse;
totallen = 0;
maxlen = 0;
@@ -1126,7 +1126,7 @@ ips_stat_t *ipsp;
if (buckets[i] > maxlen)
maxlen = buckets[i];
if (buckets[i] < minlen)
- minlen = buckets[i];
+ minlen = buckets[i];
totallen += buckets[i];
}
@@ -1809,7 +1809,7 @@ int *port;
*port = -1;
} else if (!sscanf(comma + 1, "%d", port) ||
(*port < 0) || (*port > 65535)) {
- fprintf(stderr, "Invalid port specfication in %s\n",
+ fprintf(stderr, "Invalid port specification in %s\n",
argument);
free(s);
exit(-2);
@@ -1821,6 +1821,7 @@ int *port;
/* get ip address */
if (!strcasecmp(s, "any")) {
ip->in4.s_addr = INADDR_ANY;
+ ok = 1;
#ifdef USE_INET6
ip->in6 = in6addr_any;
} else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) {
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index 3bc0555b7a94..f07396dbbcb0 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -76,7 +76,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $";
#endif
@@ -750,6 +750,8 @@ int blen;
strcpy(t, "NAT:MAPBLOCK ");
else if (nl->nl_type == NL_CLONE)
strcpy(t, "NAT:CLONE ");
+ else if (nl->nl_type == NL_DESTROY)
+ strcpy(t, "NAT:DESTROY ");
else
sprintf(t, "Type: %d ", nl->nl_type);
t += strlen(t);
@@ -762,8 +764,9 @@ int blen;
(void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
portname(res, proto, (u_int)nl->nl_outport));
t += strlen(t);
- (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport));
+ (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
+ portname(res, proto, (u_int)nl->nl_origport),
+ getproto(nl->nl_p));
t += strlen(t);
if (nl->nl_type == NL_EXPIRE) {
#ifdef USE_QUAD_T
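Review bot: The rewritten `sprintf(t, "[%s,%s PR %s]", ...)` writes more into `t` than the line it replaces (the ` PR ` text plus getproto's string) yet, like the neighbouring calls, it is not bounded by the `blen` the function receives; with long resolver names from HOSTNAME_V4 and portname the accumulated output can run past the caller's buffer. Since `t` is advanced with `t += strlen(t)` after each call, a bounded form needs the remaining space, e.g. `(void) snprintf(t, blen - (t - start), "[%s,%s PR %s]", ...)` where `start` is the beginning of the output buffer (its name is outside the hunk — confirm). The enclosing function starts and ends outside this hunk.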
@@ -1000,7 +1003,10 @@ int blen;
ipflog_t *ipf;
iplog_t *ipl;
#ifdef USE_INET6
+ struct ip6_ext *ehp;
+ u_short ehl;
ip6_t *ip6;
+ int go;
#endif
ipl = (iplog_t *)buf;
@@ -1109,6 +1115,29 @@ int blen;
s = (u_32_t *)&ip6->ip6_src;
d = (u_32_t *)&ip6->ip6_dst;
plen = hl + ntohs(ip6->ip6_plen);
+ go = 1;
+ ehp = (struct ip6_ext *)((char *)ip6 + hl);
+ while (go == 1) {
+ switch (p)
+ {
+ case IPPROTO_HOPOPTS :
+ case IPPROTO_MOBILITY :
+ case IPPROTO_DSTOPTS :
+ case IPPROTO_ROUTING :
+ case IPPROTO_AH :
+ p = ehp->ip6e_nxt;
+ ehl = 8 + (ehp->ip6e_len << 3);
+ hl += ehl;
+ ehp = (struct ip6_ext *)((char *)ehp + ehl);
+ break;
+ case IPPROTO_FRAGMENT :
+ hl += sizeof(struct ip6_frag);
+ /* FALLTHROUGH */
+ default :
+ go = 0;
+ break;
+ }
+ }
#else
sprintf(t, "ipv6");
goto printipflog;
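Review bot: The extension-header walk added after `plen = hl + ntohs(ip6->ip6_plen);` applies `ehl = 8 + (ehp->ip6e_len << 3)` to IPPROTO_AH as well, but an AH header's length field counts 32-bit words minus two rather than 64-bit units minus one, so every header following an AH is mislocated; compute the length from the current protocol before it is overwritten, e.g. `ehl = (p == IPPROTO_AH) ? (u_short)((ehp->ip6e_len + 2) << 2) : (u_short)(8 + (ehp->ip6e_len << 3));` and only then `p = ehp->ip6e_nxt;`. The loop also dereferences `ehp->ip6e_nxt` and `ehp->ip6e_len` and advances `hl` without checking that the header lies inside the bytes actually present in the log record (which carries only a prefix of the packet), so a truncated or malformed record can make the loop read past the buffer; compare the offset of `ehp` plus `ehl` against the record's data length before each dereference and set `go = 0` when it does not fit — which length field to use (plen, blen or the iplog_t header) should be taken from the fields visible earlier in this function, which starts outside the hunk.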
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
index 83eb5be1e633..038df6d069c9 100644
--- a/contrib/ipfilter/tools/ipnat.c
+++ b/contrib/ipfilter/tools/ipnat.c
@@ -65,7 +65,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.6 2007/05/11 11:16:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $";
#endif
@@ -78,6 +78,7 @@ char thishost[MAXHOSTNAMELEN];
extern char *optarg;
void dostats __P((int, natstat_t *, int, int));
+void dotable __P((natstat_t *, int, int));
void flushtable __P((int, int));
void usage __P((char *));
int main __P((int, char*[]));
@@ -357,9 +358,10 @@ int fd, opts, alive;
nsp->ns_added, nsp->ns_expire);
printf("no memory\t%lu\tbad nat\t%lu\n",
nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_rules);
+ printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
+ nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
printf("wilds\t%u\n", nsp->ns_wilds);
+ dotable(nsp, fd, alive);
if (opts & OPT_VERBOSE)
printf("table %p list %p\n",
nsp->ns_table, nsp->ns_list);
@@ -376,6 +378,63 @@ int fd, opts, alive;
}
+void dotable(nsp, fd, alive)
+natstat_t *nsp;
+int fd, alive;
+{
+ int sz, i, used, totallen, maxlen, minlen;
+ ipftable_t table;
+ u_long *buckets;
+ ipfobj_t obj;
+
+ sz = sizeof(*buckets) * nsp->ns_nattab_sz;
+ buckets = (u_long *)malloc(sz);
+
+ obj.ipfo_rev = IPFILTER_VERSION;
+ obj.ipfo_type = IPFOBJ_GTABLE;
+ obj.ipfo_size = sizeof(table);
+ obj.ipfo_ptr = &table;
+
+ table.ita_type = IPFTABLE_BUCKETS_NATIN;
+ table.ita_table = buckets;
+
+ if (alive) {
+ if (ioctl(fd, SIOCGTABL, &obj) != 0) {
+ free(buckets);
+ return;
+ }
+ } else {
+ if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) {
+ free(buckets);
+ return;
+ }
+ }
+
+ totallen = 0;
+ maxlen = 0;
+ minlen = nsp->ns_inuse;
+ used = 0;
+
+ for (i = 0; i < nsp->ns_nattab_sz; i++) {
+ if (buckets[i] > maxlen)
+ maxlen = buckets[i];
+ if (buckets[i] < minlen)
+ minlen = buckets[i];
+ if (buckets[i] != 0)
+ used++;
+ totallen += buckets[i];
+ }
+
+ printf("hash efficiency\t%2.2f%%\n",
+ totallen ? ((float)used / totallen) * 100.0 : 0.0);
+ printf("bucket usage\t%2.2f%%\n",
+ ((float)used / nsp->ns_nattab_sz) * 100.0);
+ printf("minimal length\t%d\n", minlen);
+ printf("maximal length\t%d\n", maxlen);
+ printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
+}
+
+
/*
* Display NAT statistics.
*/
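Review bot: `dotable` uses the `buckets` pointer returned by malloc without a NULL check, so an allocation failure hands a NULL table to the SIOCGTABL ioctl or to kmemcpy and then indexes it in the loop; add `if (buckets == NULL) return;` immediately after the malloc. In the non-alive branch kmemcpy's source is `(u_long)nsp->ns_nattab_sz`, the same value the loop uses as the element count; if that argument is a kernel address, as the cast suggests, the copy reads from the wrong location and the natstat_t field holding the table's address should be passed instead (confirm against the structure definition). The `buckets[i] > maxlen` / `< minlen` comparisons mix u_long with int accumulators and `totallen` can overflow on a large table; declaring `maxlen`, `minlen` and `totallen` as `u_long` (and printing them with `%lu`) avoids the signed/unsigned promotion. A short header comment stating that the function prints NAT hash-table distribution statistics and silently returns when the table cannot be read would also help.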
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index b20f623f0ef1..6208c989774b 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -609,6 +609,7 @@ compare:
range:
YY_RANGE_OUT { $$ = FR_OUTRANGE; }
| YY_RANGE_IN { $$ = FR_INRANGE; }
+ | ':' { $$ = FR_INCRANGE; }
;
ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index 9810345540c7..1ad00c4c06f7 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -36,6 +36,7 @@ extern int yydebug;
char *yystr = NULL;
int yytext[YYBUFSIZ+1];
+char yychars[YYBUFSIZ+1];
int yylineNum = 1;
int yypos = 0;
int yylast = -1;
@@ -49,13 +50,15 @@ wordtab_t *yysavewords[30];
static wordtab_t *yyfindkey __P((char *));
-static int yygetc __P((void));
+static int yygetc __P((int));
static void yyunputc __P((int));
static int yyswallow __P((int));
static char *yytexttostr __P((int, int));
static void yystrtotext __P((char *));
+static char *yytexttochar __P((void));
-static int yygetc()
+static int yygetc(docont)
+int docont;
{
int c;
@@ -74,6 +77,13 @@ static int yygetc()
yypos++;
} else {
c = fgetc(yyin);
+ if (docont && (c == '\\')) {
+ c = fgetc(yyin);
+ if (c == '\n') {
+ yylineNum++;
+ c = fgetc(yyin);
+ }
+ }
}
if (c == '\n')
yylineNum++;
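Review bot: In the new `docont` branch a backslash followed by anything other than a newline is silently dropped: the character after it is returned and the `\\` itself is lost, so an escaped character inside an identifier or number changes meaning instead of being handed back to the caller. Push the lookahead back and return the backslash in that case, e.g. `} else { ungetc(c, yyin); c = '\\'; }` as the else of the `if (c == '\n')` test (a yyunputc-based variant would need yypos bookkeeping that is outside this hunk). A comment on the branch such as `/* backslash-newline joins lines inside a token when docont is set */` would document the parameter, which is otherwise unexplained. The enclosing yygetc starts in the previous hunk and ends after this one.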
@@ -99,7 +109,7 @@ int last;
{
int c;
- while (((c = yygetc()) > '\0') && (c != last))
+ while (((c = yygetc(0)) > '\0') && (c != last))
;
if (c != EOF)
@@ -110,6 +120,17 @@ int last;
}
+static char *yytexttochar()
+{
+ int i;
+
+ for (i = 0; i < yypos; i++)
+ yychars[i] = (char)(yytext[i] & 0xff);
+ yychars[i] = '\0';
+ return yychars;
+}
+
+
static void yystrtotext(str)
char *str;
{
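Review bot: `yytexttochar` is undocumented and returns the file-scope `yychars`, so each call overwrites the previous result; a header comment would make that clear, e.g. `/* Copy the low byte of each yytext entry so far into yychars as a NUL-terminated string. Returns the shared static buffer, which is overwritten on every call. */`. It also relies on `yypos` never exceeding YYBUFSIZ, which is what yychars is sized for; if yygetc enforces that bound elsewhere, naming the invariant in the comment would save the next reader a search.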
@@ -165,7 +186,9 @@ int yylex()
}
nextchar:
- c = yygetc();
+ c = yygetc(0);
+ if (yydebug > 1)
+ printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
switch (c)
{
@@ -228,20 +251,20 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '{') {
if (yyswallow('}') == -1) {
rval = -2;
goto done;
}
- (void) yygetc();
+ (void) yygetc(0);
} else {
if (!ISALPHA(n)) {
yyunputc(n);
break;
}
do {
- n = yygetc();
+ n = yygetc(1);
} while (ISALPHA(n) || ISDIGIT(n) || n == '_');
yyunputc(n);
}
@@ -273,7 +296,7 @@ nextchar:
goto done;
}
do {
- n = yygetc();
+ n = yygetc(1);
if (n == EOF || n == TOOLONG) {
rval = -2;
goto done;
@@ -323,7 +346,7 @@ nextchar:
break;
if (isbuilding == 1)
break;
- n = yygetc();
+ n = yygetc(0);
if (n == '>') {
isbuilding = 1;
goto done;
@@ -337,7 +360,7 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '=') {
rval = YY_CMP_NE;
goto done;
@@ -353,7 +376,7 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '=') {
rval = YY_CMP_LE;
goto done;
@@ -373,7 +396,7 @@ nextchar:
yyunputc(c);
goto done;
}
- n = yygetc();
+ n = yygetc(0);
if (n == '=') {
rval = YY_CMP_GE;
goto done;
@@ -410,7 +433,7 @@ nextchar:
*/
do {
*s++ = c;
- c = yygetc();
+ c = yygetc(1);
} while ((ishex(c) || c == ':' || c == '.') &&
(s - ipv6buf < 46));
yyunputc(c);
@@ -436,10 +459,10 @@ nextchar:
}
if (isbuilding == 0 && c == '0') {
- n = yygetc();
+ n = yygetc(0);
if (n == 'x') {
do {
- n = yygetc();
+ n = yygetc(1);
} while (ishex(n));
yyunputc(n);
rval = YY_HEX;
@@ -453,7 +476,7 @@ nextchar:
*/
if (isbuilding == 0 && ISDIGIT(c)) {
do {
- n = yygetc();
+ n = yygetc(1);
} while (ISDIGIT(n));
yyunputc(n);
rval = YY_NUMBER;