aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Wemm <peter@FreeBSD.org>1998-06-20 18:29:38 +0000
committerPeter Wemm <peter@FreeBSD.org>1998-06-20 18:29:38 +0000
commit9b632708fe7d7ae0badd09f08d11857ca24400f7 (patch)
tree7c9206c000e7ad493db842a3fecdf77deacb096a
parentf4b66beedb1f2c1f5413c63927069490c58d80f9 (diff)
downloadsrc-9b632708fe7d7ae0badd09f08d11857ca24400f7.tar.gz
src-9b632708fe7d7ae0badd09f08d11857ca24400f7.zip
Import trimmed version of ipfilter 3.2.7.
Obtained from: Darren Reed via http://cheops.anu.edu.au/~avalon/
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=37074
-rw-r--r--contrib/ipfilter/COMPILE.2.54
-rw-r--r--contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt707
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/files.diffs10
-rw-r--r--contrib/ipfilter/HISTORY56
-rw-r--r--contrib/ipfilter/IMPORTANT2
-rw-r--r--contrib/ipfilter/INST.FreeBSD-2.24
-rw-r--r--contrib/ipfilter/INSTALL.FreeBSD3
-rw-r--r--contrib/ipfilter/INSTALL.Linux11
-rw-r--r--contrib/ipfilter/INSTALL.NetBSD12
-rw-r--r--contrib/ipfilter/INSTALL.Sol22
-rw-r--r--contrib/ipfilter/INSTALL.SunOS8
-rw-r--r--contrib/ipfilter/INSTALL.xBSD9
-rw-r--r--contrib/ipfilter/Makefile50
-rw-r--r--contrib/ipfilter/README4
-rw-r--r--contrib/ipfilter/Y2K3
-rwxr-xr-xcontrib/ipfilter/buildsunos17
-rw-r--r--contrib/ipfilter/fil.c62
-rw-r--r--contrib/ipfilter/ip_auth.c5
-rw-r--r--contrib/ipfilter/ip_compat.h14
-rw-r--r--contrib/ipfilter/ip_fil.c7
-rw-r--r--contrib/ipfilter/ip_fil.h3
-rw-r--r--contrib/ipfilter/ip_frag.h3
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c14
-rw-r--r--contrib/ipfilter/ip_nat.c20
-rw-r--r--contrib/ipfilter/ip_nat.h11
-rw-r--r--contrib/ipfilter/ip_proxy.c42
-rw-r--r--contrib/ipfilter/ip_state.c148
-rw-r--r--contrib/ipfilter/ip_state.h16
-rw-r--r--contrib/ipfilter/ipf.c38
-rw-r--r--contrib/ipfilter/ipft_tx.c8
-rw-r--r--contrib/ipfilter/ipl.h2
-rw-r--r--contrib/ipfilter/iplang/iplang_l.l269
-rw-r--r--contrib/ipfilter/iplang/iplang_y.y53
-rw-r--r--contrib/ipfilter/ipmon.c124
-rw-r--r--contrib/ipfilter/ipnat.c40
-rw-r--r--contrib/ipfilter/ipsd/README2
-rw-r--r--contrib/ipfilter/ipsend/README2
-rw-r--r--contrib/ipfilter/ipsend/ip.c5
-rw-r--r--contrib/ipfilter/ipsend/ipresend.14
-rw-r--r--contrib/ipfilter/ipsend/ipsend.12
-rw-r--r--contrib/ipfilter/ipsend/ipsend.55
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c4
-rw-r--r--contrib/ipfilter/ipsend/iptest.14
-rw-r--r--contrib/ipfilter/ipsend/iptests.c179
-rw-r--r--contrib/ipfilter/man/ipf.411
-rw-r--r--contrib/ipfilter/man/ipf.512
-rw-r--r--contrib/ipfilter/man/ipf.812
-rw-r--r--contrib/ipfilter/man/ipfstat.84
-rw-r--r--contrib/ipfilter/man/ipftest.15
-rw-r--r--contrib/ipfilter/man/ipmon.86
-rw-r--r--contrib/ipfilter/man/ipnat.14
-rw-r--r--contrib/ipfilter/man/ipnat.47
-rw-r--r--contrib/ipfilter/man/ipnat.516
-rw-r--r--contrib/ipfilter/mlf_ipl.c6
-rw-r--r--contrib/ipfilter/mln_ipl.c5
-rw-r--r--contrib/ipfilter/parse.c28
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW2
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW2
-rw-r--r--contrib/ipfilter/solaris.c15
-rw-r--r--contrib/ipfilter/test/input/1122
-rw-r--r--contrib/ipfilter/test/regress/1036
-rw-r--r--contrib/ipfilter/todo5
62 files changed, 1643 insertions, 543 deletions
diff --git a/contrib/ipfilter/COMPILE.2.5 b/contrib/ipfilter/COMPILE.2.5
index 6e96665f9c76..45442c5a4051 100644
--- a/contrib/ipfilter/COMPILE.2.5
+++ b/contrib/ipfilter/COMPILE.2.5
@@ -1,3 +1,7 @@
+If you have BOTH GNU make and the normal make shipped with your system,
+DO NOT use the GNU make to build this package. If you have any errors
+relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as
+shipped with Solaris 2.
If you get the following error whilst compiling:
diff --git a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
new file mode 100644
index 000000000000..2e719383f32b
--- /dev/null
+++ b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
@@ -0,0 +1,707 @@
+diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c
+*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998
+--- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998
+***************
+*** 44,49 ****
+--- 44,51 ----
+
+ extern char *optarg;
+
++ char *getdsthost();
++
+ #include "firewall.h"
+
+
+***************
+*** 88,93 ****
+--- 90,97 ----
+ static int cmdcnt = 0;
+ static int timeout = PROXY_TIMEOUT;
+
++ static int do_transparent = 0;
++
+
+ static int cmd_user();
+ static int cmd_authorize();
+***************
+*** 101,106 ****
+--- 105,111 ----
+ static int cmd_passthru();
+ static void saveline();
+ static void flushsaved();
++ static int connectdest();
+
+ #define OP_CONN 001 /* only valid if connected */
+ #define OP_WCON 002 /* writethrough if connected */
+***************
+*** 173,178 ****
+--- 178,184 ----
+ char xuf[1024];
+ char huf[512];
+ char *passuser = (char *)0; /* passed user as av */
++ char *psychic, *hotline;
+
+ #ifndef LOG_DAEMON
+ openlog("ftp-gw",LOG_PID);
+***************
+*** 317,322 ****
+--- 323,332 ----
+ } else
+ timeout = PROXY_TIMEOUT;
+
++ psychic = getdsthost(0, NULL);
++ if (psychic)
++ do_transparent++;
++
+ /* display a welcome file or message */
+ if(passuser == (char *)0) {
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+***************
+*** 324,329 ****
+--- 334,345 ----
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
++ if (do_transparent) {
++ if (sayfile2(0, cf->argv[0], 220)) {
++ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
++ exit(1);
++ }
++ } else
+ if(sayfile(0,cf->argv[0],220)) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
+ exit(1);
+***************
+*** 336,341 ****
+--- 352,360 ----
+ if(say(0,"220-Proxy first requires authentication"))
+ exit(1);
+
++ if (do_transparent)
++ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
++ else
+ sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
+ if(say(0,xuf))
+ exit(1);
+***************
+*** 357,362 ****
+--- 376,384 ----
+ exit(1);
+ }
+
++ if (do_transparent)
++ connectdest(psychic, 21);
++
+ /* main loop */
+ while(1) {
+ FD_ZERO(&rdy);
+***************
+*** 653,658 ****
+--- 675,696 ----
+ return(sayn(0,noad,sizeof(noad)-1));
+ }
+
++ if (do_transparent) {
++ if((rfd == (-1)) && (x = connectdest(dest,port)))
++ return x;
++
++ sprintf(buf,"USER %s",user);
++
++ if (say(rfd, buf))
++ return(1);
++
++ x = getresp(rfd, buf, sizeof(buf), 1);
++ if (sendsaved(0, x))
++ return(1);
++
++ return(say(0, buf));
++ }
++
+ if(*dest == '\0')
+ dest = "localhost";
+
+***************
+*** 694,705 ****
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+! sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
+! saveline(buf);
+
+ /* we are now connected and need to try the autologin thing */
+ x = getresp(rfd,buf,sizeof(buf),1);
+--- 732,748 ----
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+! if (do_transparent)
+! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf);
+! else
+! sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+! if (!do_transparent) {
+! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
+! saveline(buf);
+! }
+
+ /* we are now connected and need to try the autologin thing */
+ x = getresp(rfd,buf,sizeof(buf),1);
+***************
+*** 1889,1891 ****
+--- 1932,2050 ----
+ dup(nread);
+ }
+ #endif
++
++ static int connectdest(dest, port)
++ char *dest;
++ short port;
++ {
++ char buf[1024], mbuf[512];
++ int msg_int, x;
++
++ if(*dest == '\0')
++ dest = "localhost";
++
++ if(validests != (char **)0) {
++ char **xp;
++ int x;
++
++ for(xp = validests; *xp != (char *)0; xp++) {
++ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
++ return(baddest(0,dest));
++ } else {
++ if(hostmatch(*xp,dest))
++ break;
++ }
++ }
++ if(*xp == (char *)0)
++ return(baddest(0,dest));
++ }
++
++ /* Extended permissions processing goes in here for destination */
++ if(extendperm) {
++ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
++ if(msg_int == 1) {
++ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
++ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
++ say(0,mbuf);
++ return(1);
++ } else {
++ if(msg_int == -1) {
++ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
++ say(0,mbuf);
++ return(1);
++ }
++ }
++ }
++
++ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
++
++ if((rfd = conn_server(dest,port,0,buf)) < 0) {
++ char ebuf[512];
++
++ strcpy(ebuf,buf);
++ if (do_transparent)
++ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
++ else
++ sprintf(buf,"521 %s: %s",dest,ebuf);
++ rfd = -1;
++ return(say(0,buf));
++ }
++ if (!do_transparent) {
++ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
++ saveline(buf);
++ }
++
++ /* we are now connected and need to try the autologin thing */
++ x = getresp(rfd,buf,sizeof(buf),1);
++ if(x / 100 != COMPLETE) {
++ sendsaved(0,-1);
++ return(say(0,buf));
++ }
++ saveline(buf);
++
++ sendsaved(0,-1);
++ return 0;
++ }
++
++ /* quick hack */
++ sayfile2(fd,fn,code)
++ int fd;
++ char *fn;
++ int code;
++ {
++ FILE *f;
++ char buf[BUFSIZ];
++ char yuf[BUFSIZ];
++ char *c;
++ int x;
++ int saidsomething = 0;
++
++ if((f = fopen(fn,"r")) == (FILE *)0)
++ return(1);
++ while(fgets(buf,sizeof(buf),f) != (char *)0) {
++ if((c = index(buf,'\n')) != (char *)0)
++ *c = '\0';
++ x = fgetc(f);
++ if(feof(f))
++ sprintf(yuf,"%3.3d-%s",code,buf);
++ else {
++ sprintf(yuf,"%3.3d-%s",code,buf);
++ ungetc(x,f);
++ }
++ if(say(fd,yuf)) {
++ fclose(f);
++ return(1);
++ }
++ saidsomething++;
++ }
++ fclose(f);
++ if (!saidsomething) {
++ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
++ sprintf(yuf, "%3.3d The file to display is empty",code);
++ if(say(fd,yuf)) {
++ fclose(f);
++ return(1);
++ }
++ }
++ return(0);
++ }
+diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c
+*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998
+--- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998
+***************
+*** 27,32 ****
+--- 27,35 ----
+ static char http_buffer[8192];
+ static char reason[8192];
+ static int checkBrowserType = 1;
++ static int do_transparent = 0;
++
++ char * getdsthost();
+
+ static void do_logging()
+ { char *proto = "GOPHER";
+***************
+*** 473,478 ****
+--- 476,490 ----
+ /*(NOT A SPECIAL FORM)*/
+
+ if((rem_type & TYPE_LOCAL)== 0){
++ char * psychic = getdsthost(sockfd, &def_port);
++ if (psychic) {
++ if (strlen(psychic) <= MAXHOSTNAMELEN) {
++ do_transparent ++;
++ strncpy(def_httpd, psychic, strlen(psychic));
++ strncpy(def_server, psychic, strlen(psychic));
++ }
++ }
++
+ /* See if it can be forwarded */
+
+ if( can_forward(buf)){
+***************
+*** 1564,1570 ****
+ parse_vec[0],
+ parse_vec[1],
+ ourname, ourport);
+! }else{
+ sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
+ parse_vec[0], parse_vec[2],
+ parse_vec[3], chk_type_ch,
+--- 1576,1589 ----
+ parse_vec[0],
+ parse_vec[1],
+ ourname, ourport);
+! }
+! else
+! if (do_transparent) {
+! sprintf(new_reply, "%s\t%s\t%s\t%s",
+! parse_vec[0], parse_vec[1],
+! parse_vec[2],parse_vec[3]);
+! }
+! else {
+ sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
+ parse_vec[0], parse_vec[2],
+ parse_vec[3], chk_type_ch,
+diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c
+*** ./lib/hnam.c Tue Dec 10 13:08:48 1996
+--- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998
+***************
+*** 23,28 ****
+--- 23,33 ----
+
+ #include "firewall.h"
+
++ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. Fix this for your system. */
++ #include <net/if.h>
++ #include "ip_nat.h"
++ #endif /* __FreeBSD__ */
++
+
+ char *
+ maphostname(name)
+***************
+*** 49,52 ****
+--- 54,132 ----
+ }
+ bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
+ return(inet_ntoa(sin.sin_addr));
++ }
++
++ char *getdsthost(fd, ptr)
++ int fd;
++ int *ptr;
++ {
++ struct sockaddr_in sin;
++ struct hostent * hp;
++ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
++ char buf[255], hostbuf[255];
++ #ifdef __FreeBSD__
++ struct sockaddr_in rsin;
++ struct natlookup natlookup;
++ #endif
++
++ #ifdef linux
++ if (!(err = getsockname(0, &sin, &sl))) {
++ if(ptr)
++ * ptr = ntohs(sin.sin_port);
++
++ sprintf(buf, "%s", inet_ntoa(sin.sin_addr));
++ gethostname(hostbuf, 254);
++ hp = gethostbyname(hostbuf);
++ while (hp->h_addr_list[i]) {
++ bzero(&sin, &sl);
++ memcpy(&sin.sin_addr, hp->h_addr_list[i++],
++ sizeof(hp->h_addr_list[i++]));
++
++ if (!strcmp(buf, inet_ntoa(sin.sin_addr)))
++ local_h++;
++ }
++
++ if(local_h)
++ return(NULL);
++ else
++ return(buf);
++ }
++ #endif
++
++ #ifdef __FreeBSD__
++ /* The basis for this block of code is Darren Reed's
++ * patches to the TIS ftwk's ftp-gw.
++ */
++ bzero((char*)&sin, sizeof(sin));
++ bzero((char*)&rsin, sizeof(rsin));
++
++ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0)
++ return NULL;
++
++ sl = sizeof(rsin);
++
++ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0)
++ return NULL;
++
++ natlookup.nl_inport=sin.sin_port;
++ natlookup.nl_outport=rsin.sin_port;
++ natlookup.nl_inip=sin.sin_addr;
++ natlookup.nl_outip=rsin.sin_addr;
++
++ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0)
++ return NULL;
++
++ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1))
++ return NULL;
++
++ close(natfd);
++
++ if (ptr)
++ *ptr = ntohs(natlookup.nl_inport);
++
++ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip));
++ #endif
++
++ /* No transparent proxy support */
++ return(NULL);
+ }
+diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c
+*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998
+--- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998
+***************
+*** 43,48 ****
+--- 43,50 ----
+ static char **validdests = (char **)0;
+ static int net_write();
+
++ static int do_transparent = 0;
++
+ main(ac,av)
+ int ac;
+ char *av[];
+***************
+*** 198,206 ****
+--- 200,220 ----
+ char *ptr;
+ int state = 0;
+ int ssl_plug = 0;
++ char * getdsthost();
++ int pport = 0;
+
+ struct timeval timo;
+
++ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad
++ * idea ..
++ */
++ dhost = getdsthost(0, &pport);
++ if (dhost) {
++ do_transparent++;
++ portid = pport;
++ }
++
++
+ if(c->flags & PERM_DENY) {
+ if (p == -1)
+ syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr);
+***************
+*** 220,226 ****
+ syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
+ exit (1);
+ }
+! dhost = av[x];
+ continue;
+ }
+
+--- 234,241 ----
+ syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
+ exit (1);
+ }
+! if (!dhost)
+! dhost = av[x];
+ continue;
+ }
+
+diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c
+*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998
+--- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998
+***************
+*** 103,108 ****
+--- 103,111 ----
+ static int trusted = 0;
+ static int doX = 0;
+ static char *prompt;
++ static int do_transparent = 0;
++
++ char * getdsthost();
+
+ main(ac,av)
+ int ac;
+***************
+*** 123,128 ****
+--- 126,132 ----
+ static char *tokav[56];
+ int tokac;
+ struct timeval timo;
++ char * psychic;
+
+ #ifndef LOG_NDELAY
+ openlog("rlogin-gw",LOG_PID);
+***************
+*** 188,194 ****
+ xforwarder = cf->argv[0];
+ }
+
+!
+
+ if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
+ if(cf->argc != 1) {
+--- 192,203 ----
+ xforwarder = cf->argv[0];
+ }
+
+! psychic = getdsthost(0, NULL);
+! if (psychic) {
+! do_transparent++;
+! strncpy(dest, psychic, 511);
+! dest[511] = '\0';
+! }
+
+ if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
+ if(cf->argc != 1) {
+***************
+*** 266,271 ****
+--- 275,281 ----
+ if((p = index(rusername,'@')) != (char *)0) {
+ char *namp;
+
++ dest[0] = '\0';
+ *p++ = '\0';
+ if(*p == '\0')
+ p = "localhost";
+***************
+*** 297,302 ****
+--- 307,326 ----
+
+ if(dest[0] != '\0') {
+ /* Setup connection directly to remote machine */
++ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
++ if (cf->argc != 1) {
++ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
++ exit(1);
++ }
++
++ if (sayfile(0, cf->argv[0])) {
++ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
++ exit(1);
++ }
++ }
++
++ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */
++
+ sprintf(buf,"connect %.1000s",dest);
+ tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
+ if (cmd_connect(tokac, tokav, buf) != 2)
+***************
+*** 535,548 ****
+ char ebuf[512];
+
+ syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
+! if(strlen(namp) > 20)
+! namp[20] = '\0';
+! if(rusername[0] != '\0')
+! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
+! else
+! sprintf(ebuf,"Trying %s...",namp);
+! if(say(0,ebuf))
+! return(1);
+ } else
+ syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
+ if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
+--- 559,574 ----
+ char ebuf[512];
+
+ syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
+! if (!do_transparent) {
+! if(strlen(namp) > 20)
+! namp[20] = '\0';
+! if(rusername[0] != '\0')
+! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
+! else
+! sprintf(ebuf,"Trying %s...",namp);
+! if(say(0,ebuf))
+! return(1);
+! }
+ } else
+ syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
+ if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
+diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c
+*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998
+--- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998
+***************
+*** 91,96 ****
+--- 91,100 ----
+ static int cmd_xforward();
+ static int cmd_timeout();
+
++ char * getdsthost();
++
++ static int do_transparent = 0;
++
+ static int tn3270 = 1; /* don't do tn3270 stuff */
+ static int doX;
+
+***************
+*** 144,149 ****
+--- 148,155 ----
+ char tokbuf[BSIZ];
+ char *tokav[56];
+ int tokac;
++ int port;
++ char * psychic;
+
+ #ifndef LOG_DAEMON
+ openlog("tn-gw",LOG_PID);
+***************
+*** 325,330 ****
+--- 331,362 ----
+ }
+ }
+
++ psychic = getdsthost(0, &port);
++ if (psychic) {
++ if ((strlen(psychic) + 10) < 510) {
++ do_transparent++;
++ if (port)
++ sprintf(dest, "%s:%d", psychic, port);
++ else
++ sprintf(dest, "%s", psychic);
++
++ if (!welcomedone)
++ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) {
++ if (cf->argc != 1) {
++ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
++ exit(1);
++ }
++
++ if (sayfile(0, cf->argv[0])) {
++ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
++ exit(1);
++ }
++
++ welcomedone = 1;
++ }
++ }
++ }
++
+ while (argc > 1) {
+ argc--;
+ argv++;
+***************
+*** 947,955 ****
+ char ebuf[512];
+
+ syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
+! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
+! if(say(0,ebuf))
+! return(1);
+ } else
+ syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
+
+--- 979,989 ----
+ char ebuf[512];
+
+ syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
+! if (!do_transparent) {
+! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
+! if(say(0,ebuf))
+! return(1);
+! }
+ } else
+ syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
+
+***************
+*** 991,998 ****
+
+ syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
+ strncpy(dest,av[1], 511);
+! sprintf(buf, "Connected to %.512s.", dest);
+! say(0, buf);
+ return(2);
+ }
+
+--- 1025,1034 ----
+
+ syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
+ strncpy(dest,av[1], 511);
+! if (!do_transparent) {
+! sprintf(buf, "Connected to %.512s.", dest);
+! say(0, buf);
+! }
+ return(2);
+ }
+
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.diffs b/contrib/ipfilter/FreeBSD-2.2/files.diffs
index de05264b555d..10bce4b28e9b 100644
--- a/contrib/ipfilter/FreeBSD-2.2/files.diffs
+++ b/contrib/ipfilter/FreeBSD-2.2/files.diffs
@@ -1,8 +1,8 @@
-*** /sys/conf/files.orig Sat May 24 14:05:28 1997
---- /sys/conf/files Sat May 24 14:06:44 1997
+*** files.orig Tue Sep 9 16:58:40 1997
+--- files Sat Apr 4 10:52:58 1998
***************
-*** 217,222 ****
---- 217,230 ----
+*** 222,227 ****
+--- 222,236 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
@@ -17,4 +17,4 @@
+ netinet/ip_log.c optional ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
- netipx/ipx_error.c optional ipx
+ netipx/ipx_input.c optional ipx
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index c708038e7dc8..50711eabd894 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -5,6 +5,62 @@
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
+# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
+# to further support development of IP Filter under BSDI.
+#
+# Thanks also to all those who have contributed patches and other code,
+# and especially those who have found the time to port IP Filter to new
+# platforms.
+
+3.2.7 24/05/98 - Released
+
+u_long -> u_32_t conversions
+
+patches from Bernd Ernesti for NetBSD
+
+fixup ipmon to actually handle HUP's.
+
+Linux fixes from Michael H. Warfield (mhw@wittsend.com)
+
+update for keep state patch (not security related) - Guido
+
+dumphex() uses stdout rather than log
+
+3.2.6 18/05/98 - Released
+
+fix potential security loop hole in keep state code.
+
+update examples.
+
+3.2.5 09/05/98 - Released
+
+BSD/OS 3.1 .o files added for the kernel.
+
+fix sequence # skew vs window size check.
+
+fix minimum ICMP header size check.
+
+remove references to Cybersource.
+
+fix my email address.
+
+remove ntohl in ipnat - Thomas Tornblom
+
+3.2.4 09/04/98 - Released
+
+add script to make devices for /dev on BSD boxes
+
+fixup building into the kernel for FreeBSD 2.2.5
+
+add -D command line option to ipmon to make it a daemon and SIGHUP causes
+it to close and reopen the logfile
+
+fixup make clean and make package for SunOS5 - Marc Boucher
+
+postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
+
+protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
+
3.2.3 10/11/97 - Released
fix some iplang bugs
diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT
index d706c3626da0..de2cc85b7c9c 100644
--- a/contrib/ipfilter/IMPORTANT
+++ b/contrib/ipfilter/IMPORTANT
@@ -42,5 +42,5 @@ If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.
Darren
-darrenr@cyber.com.au
+darrenr@pobox.com
****************************************
diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2
index b0bae0359237..78f7295e0894 100644
--- a/contrib/ipfilter/INST.FreeBSD-2.2
+++ b/contrib/ipfilter/INST.FreeBSD-2.2
@@ -44,6 +44,7 @@ To build a kernel with the IP filter, follow these steps:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
+ mknod /dev/ipauth c 79 3
5b) For versions prior to FreeBSD 2.2:
create devices for IP Filter as follows (assuming it was
@@ -51,8 +52,9 @@ To build a kernel with the IP filter, follow these steps:
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
+ mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren Reed
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD
index f64263691744..3f0a88503a00 100644
--- a/contrib/ipfilter/INSTALL.FreeBSD
+++ b/contrib/ipfilter/INSTALL.FreeBSD
@@ -41,8 +41,9 @@ To build a kernel with the IP filter, follow these steps:
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
+ mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren Reed
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.Linux b/contrib/ipfilter/INSTALL.Linux
index c190095fddf1..1a5d15b59f02 100644
--- a/contrib/ipfilter/INSTALL.Linux
+++ b/contrib/ipfilter/INSTALL.Linux
@@ -19,11 +19,12 @@ The first step is to make the IP Filter binaries. Do this with a
"make linux" from the ip_fil3.2.x directory. If this completes with
no errors, install IP Filter with a "make install-linux".
-Now that the user part of it is complete, it is time to work on the
-kernel. To start this off, run "Linux/kinstall". This will patch your
-kernel source code and configuration files so you can enabled IP Filter.
-You must now go to /usr/src/linux and configure your kernel using one of
-the available interfaces to enable IP Filter. IP Filter will be presented
+Now that the user part of it is complete, it is time to work on the kernel.
+To start this off, run "Linux/minstall". This will configure the devices
+you will need for the IP Filter. Then run "Linux/kinstall". This will
+patch your kernel source code and configuration files so you can enabled IP
+Filter. You must now go to /usr/src/linux and configure your kernel using one
+of the available interfaces to enable IP Filter. IP Filter will be presented
as a three way choice "y/m/n" - select "m" to enable it. Save your kernel
configuration file, rebuild, install and reboot with the new kernel.
diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD
index 847871203f66..012d6d7f8d2d 100644
--- a/contrib/ipfilter/INSTALL.NetBSD
+++ b/contrib/ipfilter/INSTALL.NetBSD
@@ -41,8 +41,14 @@ To build a kernel with the IP filter, follow these steps:
4. build a new kernel
- 5. create /dev/ipl with "mknod /dev/ipl c 59 0".
- (for NetBSD-1.2, use "mknod /dev/ipl c 49 0")
+ 5. Create device files. For NetBSD-1.2 (or later), use 49 as the
+ major number. For NetBSD-1.1 or earlier, use 59. Run these
+ commands as root, substituting <major> for the appropriate number:
+
+ mknod /dev/ipl c <major> 0
+ mknod /dev/ipnat c <major> 1
+ mknod /dev/ipstate c <major> 2
+ mknod /dev/ipauth c <major> 3
** NOTE: both the numbers 49 and 59 should be substituted with
whatever number you inserted it into conf.c as.
@@ -50,4 +56,4 @@ To build a kernel with the IP filter, follow these steps:
6. install and reboot with the new kernel
Darren Reed
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2
index 1939c265663e..cc6600750e15 100644
--- a/contrib/ipfilter/INSTALL.Sol2
+++ b/contrib/ipfilter/INSTALL.Sol2
@@ -24,4 +24,4 @@ called "ipf.conf" using touch. The rc scripts have been written to look
for the configuration file here, using the installed binaries in /sbin.
Darren Reed
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.SunOS b/contrib/ipfilter/INSTALL.SunOS
index 64392fdf3119..0d4dd8c5e07a 100644
--- a/contrib/ipfilter/INSTALL.SunOS
+++ b/contrib/ipfilter/INSTALL.SunOS
@@ -28,9 +28,13 @@ To install as part of a SunOS 4.1.x kernel:
NOTE: This script sets up /dev/ipl as char. device 59,0
in /sys/sun/conf.c
- 3. Do "mknod /dev/ipl c 59 0" as root.
+ 3. Run the following commands as root:
+ mknod /dev/ipl c 59 0
+ mknod /dev/ipnat c 59 1
+ mknod /dev/ipstate c 59 2
+ mknod /dev/ipauth c 59 3
4. Reboot using the new kernel
Darren Reed
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.xBSD b/contrib/ipfilter/INSTALL.xBSD
index 9ab66f12932c..b06ad4b8ab3b 100644
--- a/contrib/ipfilter/INSTALL.xBSD
+++ b/contrib/ipfilter/INSTALL.xBSD
@@ -31,9 +31,14 @@ To build a kernel with the IP filter, follow these steps:
4. build a new kernel
- 5. create /dev/ipl with "mknod /dev/ipl c 59 0".
+ 5. create devices for IP Filter as follows (assuming it was
+ installed into the device table as char dev 20):
+ mknod /dev/ipl c 20 0
+ mknod /dev/ipnat c 20 1
+ mknod /dev/ipstate c 20 2
+ mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index a48ad31e5907..65540956ccaa 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
-# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $
+# $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@@ -88,7 +88,11 @@ freebsd22 freebsd30: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
@if [ -n $(IPFILKERN) ] ; then \
+ if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ] ; then \
+ ln -s /sys/$(IPFILKERN)/compile/ioconf.h BSD/$(CPUDIR); \
+ else \
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
+ fi \
elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
echo -n "Can't find ioconf.h in "; \
echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
@@ -100,41 +104,41 @@ freebsd22 freebsd30: include
netbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
openbsd openbsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
freebsd freebsd20 freebsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
bsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS); cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
bsdi bsdos: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..)
+ (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= ; cd ..)
+ (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
- (cd IRIX/$(CPUDIR); smake build "TOP=../.." $(MFLAGS); cd ..)
- (cd IRIX/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+ (cd IRIX/$(CPUDIR); smake build TOP=../.. $(MFLAGS); cd ..)
+ (cd IRIX/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
linux: include
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
./buildlinux
linuxrev:
- (cd Linux/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..)
- (cd Linux/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
+ (cd Linux/$(CPUDIR); make build TOP=../.. $(MFLAGS) LKM= ; cd ..)
+ (cd Linux/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
setup:
-if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi
@@ -146,8 +150,8 @@ clean:
${RM} -rf netinet
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
vnode_if.h $(LKM)
- (cd SunOS4; make clean)
- (cd SunOS5; make clean)
+ if [ "`uname -s`" = "SunOS" ]; then (cd SunOS4; make clean); fi
+ if [ "`uname -s`" = "SunOS" ]; then (cd SunOS5; make clean); fi
(cd BSD; make clean)
(cd Linux; make clean)
if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; make clean); fi
@@ -187,12 +191,16 @@ sunos4 solaris1:
(cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..)
sunos5 solaris2:
- (cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
- (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
+ (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
+ (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
sunos5x86 solaris2x86:
- (cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
- (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
+ (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
+ (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
+
+install-linux:
+ (cd Linux/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
+ (cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-bsd:
(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
diff --git a/contrib/ipfilter/README b/contrib/ipfilter/README
index 3fac6ecb2bf5..80ce748c5652 100644
--- a/contrib/ipfilter/README
+++ b/contrib/ipfilter/README
@@ -46,7 +46,7 @@ Bugs/Problems
-------------
If you have a problem with IP Filter on your operating system, please email
a copy of the file "BugReport" with the details of your setup as required
-and email to darrenr@cyber.com.au.
+and email to darrenr@pobox.com.
Some general notes.
-------------------
@@ -95,4 +95,4 @@ BNF
- BNF rule set for the filter rules
Darren Reed
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/Y2K b/contrib/ipfilter/Y2K
new file mode 100644
index 000000000000..a8350a590070
--- /dev/null
+++ b/contrib/ipfilter/Y2K
@@ -0,0 +1,3 @@
+IP Filter is Year 2000 (Y2K) Compliant.
+
+Darren
diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos
index b3f65788cba2..ed8a034c8d01 100755
--- a/contrib/ipfilter/buildsunos
+++ b/contrib/ipfilter/buildsunos
@@ -1,23 +1,24 @@
#! /bin/sh
-# $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $
+# $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $
:
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
cpu=`uname -m`
+cpudir=${cpu}-`uname -r`
if [ $rev = 5 ] ; then
solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
- mkdir -p SunOS5/${cpu}
- /bin/rm -f SunOS5/${cpu}/Makefile
- /bin/rm -f SunOS5/${cpu}/Makefile.ipsend
- ln -s ../Makefile SunOS5/${cpu}/Makefile
- ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend
+ mkdir -p SunOS5/${cpudir}
+ /bin/rm -f SunOS5/${cpudir}/Makefile
+ /bin/rm -f SunOS5/${cpudir}/Makefile.ipsend
+ ln -s ../Makefile SunOS5/${cpudir}/Makefile
+ ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend
fi
if [ $cpu = i86pc ] ; then
- make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu}
+ make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
exit $?
fi
if [ x$solrev = x ] ; then
make ${1+"$@"} sunos$rev "ARCH=`uname -m`"
exit $?
fi
-make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu}
+make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
exit $?
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 58c28e14126b..f2b19a58aa92 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -21,6 +21,7 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 d
#else
# include <stdio.h>
# include <string.h>
+# include <stdlib.h>
#endif
#include <sys/uio.h>
#if !defined(__SVR4) && !defined(__svr4__)
@@ -194,6 +195,7 @@ fr_info_t *fin;
{
struct optlist *op;
tcphdr_t *tcp;
+ icmphdr_t *icmp;
fr_ip_t *fi = &fin->fin_fi;
u_short optmsk = 0, secmsk = 0, auth = 0;
int i, mv, ol, off;
@@ -214,6 +216,7 @@ fr_info_t *fin;
fin->fin_hlen = hlen;
fin->fin_dlen = ip->ip_len - hlen;
tcp = (tcphdr_t *)((char *)ip + hlen);
+ icmp = (icmphdr_t *)tcp;
fin->fin_dp = (void *)tcp;
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
(*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3));
@@ -226,12 +229,20 @@ fr_info_t *fin;
switch (ip->ip_p)
{
case IPPROTO_ICMP :
- if ((!IPMINLEN(ip, icmp) && !off) ||
+ {
+ int minicmpsz = sizeof(struct icmp);
+
+ if (!off && ip->ip_len > ICMP_MINLEN + hlen &&
+ (icmp->icmp_type == ICMP_ECHOREPLY ||
+ icmp->icmp_type == ICMP_UNREACH))
+ minicmpsz = ICMP_MINLEN;
+ if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
(off && off < sizeof(struct icmp)))
fi->fi_fl |= FI_SHORT;
if (fin->fin_dlen > 1)
fin->fin_data[0] = *(u_short *)tcp;
break;
+ }
case IPPROTO_TCP :
fi->fi_fl |= FI_TCPUDP;
if ((!IPMINLEN(ip, tcphdr) && !off) ||
@@ -418,7 +429,7 @@ void *m;
off = ip->ip_off & 0x1fff;
pass |= (fi->fi_fl << 24);
- if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
+ if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
portcmp = 1;
for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
@@ -475,24 +486,22 @@ void *m;
* If a fragment, then only the first has what we're looking
* for here...
*/
+ if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
+ fr->fr_tcpfm))
+ continue;
if (fi->fi_fl & FI_TCPUDP) {
- if (portcmp) {
- if (!fr_tcpudpchk(fr, fin))
- continue;
- } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
- fr->fr_tcpfm)
+ if (!fr_tcpudpchk(fr, fin))
continue;
- } else if (fi->fi_p == IPPROTO_ICMP) {
- if (!off && (fin->fin_dlen > 1)) {
- if ((fin->fin_data[0] & fr->fr_icmpm) !=
- fr->fr_icmp) {
- FR_DEBUG(("i. %#x & %#x != %#x\n",
- fin->fin_data[0],
- fr->fr_icmpm, fr->fr_icmp));
- continue;
- }
- } else if (fr->fr_icmpm || fr->fr_icmp)
+ } else if (fr->fr_icmpm || fr->fr_icmp) {
+ if ((fi->fi_p != IPPROTO_ICMP) || off ||
+ (fin->fin_dlen < 2))
continue;
+ if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
+ FR_DEBUG(("i. %#x & %#x != %#x\n",
+ fin->fin_data[0], fr->fr_icmpm,
+ fr->fr_icmp));
+ continue;
+ }
}
FR_VERBOSE(("*"));
/*
@@ -571,6 +580,15 @@ int out;
# endif
int up;
+#ifdef M_CANFASTFWD
+ /*
+ * XXX For now, IP Filter and fast-forwarding of cached flows
+ * XXX are mutually exclusive. Eventually, IP Filter should
+ * XXX get a "can-fast-forward" filter rule.
+ */
+ m->m_flags &= ~M_CANFASTFWD;
+#endif /* M_CANFASTFWD */
+
if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
ip->ip_p == IPPROTO_ICMP)) {
int plen = 0;
@@ -887,7 +905,7 @@ u_short ipf_cksum(addr, len)
register u_short *addr;
register int len;
{
- register u_long sum = 0;
+ register u_32_t sum = 0;
for (sum = 0; len > 1; len -= 2)
sum += *addr++;
@@ -920,7 +938,7 @@ int len;
u_char c[2];
u_short s;
} bytes;
- u_long sum;
+ u_32_t sum;
u_short *sp;
# if SOLARIS || defined(__sgi)
int add, hlen;
@@ -1019,7 +1037,7 @@ int len;
#endif /* SOLARIS */
if (len < 2)
break;
- if((u_long)sp & 1) {
+ if((u_32_t)sp & 1) {
bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
sum += bytes.s;
} else
@@ -1073,7 +1091,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $
+ * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index 2640a77245cc..bdb3114f88bf 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.2 1997/11/12 10:45:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:29 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -86,6 +86,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#include "netinet/ip_auth.h"
#if !SOLARIS && !defined(linux)
# include <net/netisr.h>
+# ifdef __FreeBSD__
+# include <machine/cpufunc.h>
+# endif
#endif
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index 1fe90c3cb677..1f91cf3c949b 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.0.2.31.2.8 1997/12/02 13:42:52 darrenr Exp $
+ * $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -123,7 +123,7 @@ typedef unsigned int u_32_t;
# else
typedef unsigned long u_32_t;
# endif
-#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ */
+#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
#ifndef MAX
#define MAX(a,b) (((a) > (b)) ? (a) : (b))
@@ -369,6 +369,9 @@ typedef struct mbuf mb_t;
* not be in other places or maybe one day linux will grow up and some
* of these will turn up there too.
*/
+#ifndef ICMP_MINLEN
+# define ICMP_MINLEN 8
+#endif
#ifndef ICMP_UNREACH
# define ICMP_UNREACH ICMP_DEST_UNREACH
#endif
@@ -680,6 +683,12 @@ typedef struct uio {
# undef UINT_MAX
# undef LONG_MAX
# undef ULONG_MAX
+# define s8 __s8
+# define u8 __u8
+# define s16 __s16
+# define u16 __u16
+# define s32 __s32
+# define u32 __u32
# include <linux/netdevice.h>
# undef __KERNEL__
# endif
@@ -714,4 +723,5 @@ struct ether_addr {
#ifndef ICMP_ROUTERSOLICIT
# define ICMP_ROUTERSOLICIT 10
#endif
+
#endif /* __IP_COMPAT_H__ */
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index d518d1793af0..09c4b6efacd9 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:49 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -164,7 +164,7 @@ struct devsw iplsw = {
};
#endif /* _BSDI_VERSION >= 199510 && _KERNEL */
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
# include <sys/conf.h>
# if defined(NETBSD_PF)
# include <net/pfil.h>
@@ -933,7 +933,8 @@ frdest_t *fdp;
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
}
- ro->ro_rt->rt_use++;
+ if (ro->ro_rt)
+ ro->ro_rt->rt_use++;
/*
* For input packets which are being "fastrouted", they won't
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index 2e2aaa7cb28d..edbd68556016 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $
+ * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -518,4 +518,5 @@ extern int iplused[IPL_LOGMAX + 1];
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct frgroup *ipfgroups[3][2];
extern struct filterstats frstats[];
+
#endif /* __IP_FIL_H__ */
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
index ade7139e4933..9122f17a5115 100644
--- a/contrib/ipfilter/ip_frag.h
+++ b/contrib/ipfilter/ip_frag.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.0.2.12 1997/10/23 14:56:01 darrenr Exp $
+ * $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@@ -55,4 +55,5 @@ extern void ipfr_slowtimer __P((void));
#else
extern int ipfr_slowtimer __P((void));
#endif
+
#endif /* __IP_FIL_H__ */
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index 5d6ce1fc002d..7ff8adb50e78 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -54,18 +54,18 @@ tcphdr_t *tcp;
ap_session_t *aps;
nat_t *nat;
{
- u_long sum1, sum2;
+ u_32_t sum1, sum2;
short sel;
if (tcp->th_sport == aps->aps_dport) {
- sum2 = (u_long)ntohl(tcp->th_ack);
+ sum2 = (u_32_t)ntohl(tcp->th_ack);
sel = aps->aps_sel;
if ((aps->aps_after[!sel] > aps->aps_after[sel]) &&
(sum2 > aps->aps_after[!sel])) {
sel = aps->aps_sel = !sel; /* switch to other set */
}
if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) {
- sum1 = (u_long)aps->aps_seqoff[sel];
+ sum1 = (u_32_t)aps->aps_seqoff[sel];
tcp->th_ack = htonl(sum2 - sum1);
return 2;
}
@@ -110,7 +110,7 @@ tcphdr_t *tcp;
ap_session_t *aps;
nat_t *nat;
{
- register u_long sum1, sum2;
+ register u_32_t sum1, sum2;
char newbuf[IPF_MAXPORTLEN+1];
char portbuf[IPF_MAXPORTLEN+1], *s;
int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2);
@@ -243,17 +243,17 @@ nat_t *nat;
adjust_seqack:
if (tcp->th_dport == aps->aps_dport) {
- sum2 = (u_long)ntohl(tcp->th_seq);
+ sum2 = (u_32_t)ntohl(tcp->th_seq);
off = aps->aps_sel;
if ((aps->aps_after[!off] > aps->aps_after[off]) &&
(sum2 > aps->aps_after[!off])) {
off = aps->aps_sel = !off; /* switch to other set */
}
if (aps->aps_seqoff[off]) {
- sum1 = (u_long)aps->aps_after[off] -
+ sum1 = (u_32_t)aps->aps_after[off] -
aps->aps_seqoff[off];
if (sum2 > sum1) {
- sum1 = (u_long)aps->aps_seqoff[off];
+ sum1 = (u_32_t)aps->aps_seqoff[off];
sum2 += sum1;
tcp->th_seq = htonl(sum2);
ch = 1;
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index 0b6c07fc9b4f..102d57f32ab9 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.7 1997/12/02 13:54:27 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -130,10 +130,10 @@ static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *));
void fix_outcksum(sp, n)
u_short *sp;
-u_long n;
+u_32_t n;
{
register u_short sumshort;
- register u_long sum1;
+ register u_32_t sum1;
if (!n)
return;
@@ -149,10 +149,10 @@ u_long n;
void fix_incksum(sp, n)
u_short *sp;
-u_long n;
+u_32_t n;
{
register u_short sumshort;
- register u_long sum1;
+ register u_32_t sum1;
if (!n)
return;
@@ -456,7 +456,7 @@ struct in_addr *inp;
struct in_addr in;
#if SOLARIS
- in.s_addr = ill->ill_ipif->ipif_local_addr;
+ in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr);
#else /* SOLARIS */
# if linux
;
@@ -521,7 +521,7 @@ fr_info_t *fin;
u_short flags;
int direction;
{
- register u_long sum1, sum2, sumd, l;
+ register u_32_t sum1, sum2, sumd, l;
u_short port = 0, sport = 0, dport = 0, nport = 0;
struct in_addr in;
tcphdr_t *tcp = NULL;
@@ -779,7 +779,7 @@ int *nflags;
*/
if (flags & IPN_TCPUDP) {
tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
- u_long sum1, sum2, sumd;
+ u_32_t sum1, sum2, sumd;
struct in_addr in;
if (nat->nat_dir == NAT_OUTBOUND) {
@@ -964,7 +964,7 @@ int hlen;
fr_info_t *fin;
{
register ipnat_t *np;
- register u_long ipa;
+ register u_32_t ipa;
tcphdr_t *tcp = NULL;
u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
struct ifnet *ifp;
@@ -1281,7 +1281,7 @@ void *ifp;
#endif
{
register nat_t *nat;
- register u_long sum1, sum2, sumd;
+ register u_32_t sum1, sum2, sumd;
struct in_addr in;
ipnat_t *np;
#if defined(_KERNEL) && !SOLARIS
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index f0cb517bb007..49f5d509d777 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.0.2.23.2.1 1997/11/05 11:08:18 darrenr Exp $
+ * $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -44,8 +44,8 @@
typedef struct nat {
u_long nat_age;
int nat_flags;
- u_long nat_sumd;
- u_long nat_ipsumd;
+ u_32_t nat_sumd;
+ u_32_t nat_ipsumd;
void *nat_data;
struct in_addr nat_inip;
struct in_addr nat_outip;
@@ -175,6 +175,7 @@ extern int ip_natout __P((ip_t *, int, fr_info_t *));
extern int ip_natin __P((ip_t *, int, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void));
extern void nat_log __P((struct nat *, u_short));
-extern void fix_incksum __P((u_short *, u_long));
-extern void fix_outcksum __P((u_short *, u_long));
+extern void fix_incksum __P((u_short *, u_32_t));
+extern void fix_outcksum __P((u_short *, u_32_t));
+
#endif /* __IP_NAT_H__ */
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
index cc3b9a0d032e..0fb7e95e1bb2 100644
--- a/contrib/ipfilter/ip_proxy.c
+++ b/contrib/ipfilter/ip_proxy.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -111,15 +111,37 @@ ipnat_t *nat;
}
+static int
+ap_matchsrcdst(aps, src, dst, tcp, sport, dport)
+ap_session_t *aps;
+struct in_addr src, dst;
+void *tcp;
+u_short sport, dport;
+{
+ if (aps->aps_dst.s_addr == dst.s_addr) {
+ if ((aps->aps_src.s_addr == src.s_addr) &&
+ (!tcp || (sport == aps->aps_sport) &&
+ (dport == aps->aps_dport)))
+ return 1;
+ } else if (aps->aps_dst.s_addr == src.s_addr) {
+ if ((aps->aps_src.s_addr == dst.s_addr) &&
+ (!tcp || (sport == aps->aps_dport) &&
+ (dport == aps->aps_sport)))
+ return 1;
+ }
+ return 0;
+}
+
+
static ap_session_t *ap_find(ip, tcp)
ip_t *ip;
tcphdr_t *tcp;
{
- struct in_addr src, dst;
- register u_long hv;
- register u_short sp, dp;
- register ap_session_t *aps;
register u_char p = ip->ip_p;
+ register ap_session_t *aps;
+ register u_short sp, dp;
+ register u_long hv;
+ struct in_addr src, dst;
src = ip->ip_src, dst = ip->ip_dst;
sp = dp = 0; /* XXX gcc -Wunitialized */
@@ -136,14 +158,8 @@ tcphdr_t *tcp;
for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next)
if ((aps->aps_p == p) &&
- IPPAIR(aps->aps_src, aps->aps_dst, src, dst)) {
- if (tcp) {
- if (PAIRS(aps->aps_sport, aps->aps_dport,
- sp, dp))
- break;
- } else
- break;
- }
+ ap_matchsrcdst(aps, src, dst, tcp, sp, dp))
+ break;
return aps;
}
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index bffb17b7fa45..89a2c3bf358a 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
@@ -85,6 +85,11 @@ ips_stat_t ips_stats;
extern kmutex_t ipf_state;
#endif
+static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
+ fr_info_t *, void *, u_short, u_short));
+static int fr_state_flush __P((int));
+static ips_stat_t *fr_statetstats __P((void));
+
#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
@@ -97,7 +102,7 @@ u_long fr_tcpidletimeout = FIVE_DAYS,
fr_icmptimeout = 120;
-ips_stat_t *fr_statetstats()
+static ips_stat_t *fr_statetstats()
{
ips_stats.iss_active = ips_num;
ips_stats.iss_table = ips_table;
@@ -111,7 +116,7 @@ ips_stat_t *fr_statetstats()
* which == 1 : flush TCP connections which have started to close but are
* stuck for some reason.
*/
-int fr_state_flush(which)
+static int fr_state_flush(which)
int which;
{
register int i;
@@ -134,10 +139,10 @@ int which;
break;
case 1 :
if ((is->is_p == IPPROTO_TCP) &&
- ((is->is_state[0] <= TCPS_ESTABLISHED) &&
- (is->is_state[1] > TCPS_ESTABLISHED)) ||
- ((is->is_state[1] <= TCPS_ESTABLISHED) &&
- (is->is_state[0] > TCPS_ESTABLISHED)))
+ (((is->is_state[0] <= TCPS_ESTABLISHED) &&
+ (is->is_state[1] > TCPS_ESTABLISHED)) ||
+ ((is->is_state[1] <= TCPS_ESTABLISHED) &&
+ (is->is_state[0] > TCPS_ESTABLISHED))))
delete = 1;
break;
}
@@ -237,7 +242,7 @@ u_int pass;
switch (ic->icmp_type)
{
case ICMP_ECHO :
- is->is_icmp.ics_type = 0;
+ is->is_icmp.ics_type = ICMP_ECHOREPLY; /* XXX */
hv += (is->is_icmp.ics_id = ic->icmp_id);
hv += (is->is_icmp.ics_seq = ic->icmp_seq);
break;
@@ -301,11 +306,33 @@ u_int pass;
bcopy((char *)&ips, (char *)is, sizeof(*is));
hv %= IPSTATE_SIZE;
MUTEX_ENTER(&ipf_state);
- is->is_next = ips_table[hv];
- ips_table[hv] = is;
+
is->is_pass = pass;
is->is_pkts = 1;
is->is_bytes = ip->ip_len;
+ /*
+ * Copy these from the rule itself.
+ */
+ is->is_opt = fin->fin_fr->fr_ip.fi_optmsk;
+ is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk;
+ is->is_sec = fin->fin_fr->fr_ip.fi_secmsk;
+ is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk;
+ is->is_auth = fin->fin_fr->fr_ip.fi_auth;
+ is->is_authmsk = fin->fin_fr->fr_mip.fi_auth;
+ is->is_flags = fin->fin_fr->fr_ip.fi_fl;
+ is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;
+ /*
+ * add into table.
+ */
+ is->is_next = ips_table[hv];
+ ips_table[hv] = is;
+ if (fin->fin_out) {
+ is->is_ifpin = NULL;
+ is->is_ifpout = fin->fin_ifp;
+ } else {
+ is->is_ifpin = fin->fin_ifp;
+ is->is_ifpout = NULL;
+ }
if (pass & FR_LOGFIRST)
is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
ips_num++;
@@ -324,12 +351,11 @@ u_int pass;
* change timeout depending on whether new packet is a SYN-ACK returning for a
* SYN or a RST or FIN which indicate time to close up shop.
*/
-int fr_tcpstate(is, fin, ip, tcp, sport)
+int fr_tcpstate(is, fin, ip, tcp)
register ipstate_t *is;
fr_info_t *fin;
ip_t *ip;
tcphdr_t *tcp;
-u_short sport;
{
register int seqskew, ackskew;
register u_short swin, dwin;
@@ -341,7 +367,7 @@ u_short sport;
*/
seq = ntohl(tcp->th_seq);
ack = ntohl(tcp->th_ack);
- source = (sport == is->is_sport);
+ source = (ip->ip_src.s_addr == is->is_src.s_addr);
if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */
ack = source ? is->is_ack : is->is_seq;
@@ -385,7 +411,7 @@ u_short sport;
swin = is->is_dwin;
}
- if ((seqskew <= swin) && (ackskew <= dwin)) {
+ if ((seqskew <= dwin) && (ackskew <= swin)) {
if (source) {
is->is_seq = seq;
is->is_ack = ack;
@@ -401,14 +427,81 @@ u_short sport;
/*
* Nearing end of connection, start timeout.
*/
- fr_tcp_age(&is->is_age, is->is_state, ip, fin,
- tcp->th_sport == is->is_sport);
+ fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
return 1;
}
return 0;
}
+static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
+ipstate_t *is;
+struct in_addr src, dst;
+fr_info_t *fin;
+void *tcp;
+u_short sp, dp;
+{
+ int ret = 0, rev, out;
+ void *ifp;
+
+ rev = (is->is_dst.s_addr != dst.s_addr);
+ ifp = fin->fin_ifp;
+ out = fin->fin_out;
+
+ if (!rev) {
+ if (out) {
+ if (!is->is_ifpout)
+ is->is_ifpout = ifp;
+ } else {
+ if (!is->is_ifpin)
+ is->is_ifpin = ifp;
+ }
+ } else {
+ if (out) {
+ if (!is->is_ifpin)
+ is->is_ifpin = ifp;
+ } else {
+ if (!is->is_ifpout)
+ is->is_ifpout = ifp;
+ }
+ }
+
+ if (!rev) {
+ if (((out && is->is_ifpout == ifp) ||
+ (!out && is->is_ifpin == ifp)) &&
+ (is->is_dst.s_addr == dst.s_addr) &&
+ (is->is_src.s_addr == src.s_addr) &&
+ (!tcp || (sp == is->is_sport) &&
+ (dp == is->is_dport))) {
+ ret = 1;
+ }
+ } else {
+ if (((out && is->is_ifpin == ifp) ||
+ (!out && is->is_ifpout == ifp)) &&
+ (is->is_dst.s_addr == src.s_addr) &&
+ (is->is_src.s_addr == dst.s_addr) &&
+ (!tcp || (sp == is->is_dport) &&
+ (dp == is->is_sport))) {
+ ret = 1;
+ }
+ }
+
+ /*
+ * Whether or not this should be here, is questionable, but the aim
+ * is to get this out of the main line.
+ */
+ if (ret) {
+ if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
+ ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
+ ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) ||
+ ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) !=
+ (is->is_flags & 0xf)))
+ ret = 0;
+ }
+ return ret;
+}
+
+
/*
* Check if a packet has a registered state.
*/
@@ -447,13 +540,8 @@ fr_info_t *fin;
if ((is->is_p == pr) &&
(ic->icmp_id == is->is_icmp.ics_id) &&
(ic->icmp_seq == is->is_icmp.ics_seq) &&
- IPPAIR(src, dst, is->is_src, is->is_dst)) {
- /*
- * If we have type 0 stored, allow any icmp
- * replies through.
- */
- if (is->is_icmp.ics_type &&
- is->is_icmp.ics_type != ic->icmp_type)
+ fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) {
+ if (is->is_icmp.ics_type != ic->icmp_type)
continue;
is->is_age = fr_icmptimeout;
is->is_pkts++;
@@ -473,11 +561,11 @@ fr_info_t *fin;
hv += sport;
hv %= IPSTATE_SIZE;
MUTEX_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) {
+ for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
if ((is->is_p == pr) &&
- PAIRS(sport, dport, is->is_sport, is->is_dport) &&
- IPPAIR(src, dst, is->is_src, is->is_dst))
- if (fr_tcpstate(is, fin, ip, tcp, sport)) {
+ fr_matchsrcdst(is, src, dst, fin, tcp,
+ sport, dport)) {
+ if (fr_tcpstate(is, fin, ip, tcp)) {
pass = is->is_pass;
#ifdef _KERNEL
MUTEX_EXIT(&ipf_state);
@@ -491,7 +579,7 @@ fr_info_t *fin;
#endif
return pass;
}
- }
+ }
MUTEX_EXIT(&ipf_state);
break;
}
@@ -508,8 +596,8 @@ fr_info_t *fin;
MUTEX_ENTER(&ipf_state);
for (is = ips_table[hv]; is; is = is->is_next)
if ((is->is_p == pr) &&
- PAIRS(sport, dport, is->is_sport, is->is_dport) &&
- IPPAIR(src, dst, is->is_src, is->is_dst)) {
+ fr_matchsrcdst(is, src, dst, fin,
+ tcp, sport, dport)) {
ips_stats.iss_hits++;
is->is_pkts++;
is->is_bytes += ip->ip_len;
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index 3d87a2186c6d..f2ae94bb7020 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.0.2.14.2.1 1997/11/06 21:23:15 darrenr Exp $
+ * $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -47,10 +47,18 @@ typedef struct ipstate {
u_int is_pass;
U_QUAD_T is_pkts;
U_QUAD_T is_bytes;
+ void *is_ifpin;
+ void *is_ifpout;
struct in_addr is_src;
struct in_addr is_dst;
u_char is_p;
u_char is_flags;
+ u_32_t is_opt;
+ u_32_t is_optmsk;
+ u_short is_sec;
+ u_short is_secmsk;
+ u_short is_auth;
+ u_short is_authmsk;
union {
icmpstate_t is_ics;
tcpstate_t is_ts;
@@ -120,14 +128,11 @@ extern u_long fr_tcptimeout;
extern u_long fr_tcpclosed;
extern u_long fr_udptimeout;
extern u_long fr_icmptimeout;
-extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
- tcphdr_t *, u_short));
-extern ips_stat_t *fr_statetstats __P((void));
+extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
extern int fr_addstate __P((ip_t *, fr_info_t *, u_int));
extern int fr_checkstate __P((ip_t *, fr_info_t *));
extern void fr_timeoutstate __P((void));
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
-extern int fr_state_flush __P((int));
extern void fr_stateunload __P((void));
extern void ipstate_log __P((struct ipstate *, u_short));
#if defined(__NetBSD__) || defined(__OpenBSD__)
@@ -135,4 +140,5 @@ extern int fr_state_ioctl __P((caddr_t, u_long, int));
#else
extern int fr_state_ioctl __P((caddr_t, int, int));
#endif
+
#endif /* __IP_STATE_H__ */
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index b4069e2ebcf1..28500198957e 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -40,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.2 1997/11/06 21:23:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $";
#endif
static void frsync __P((void));
@@ -204,12 +204,10 @@ char *name, *file;
exit(1);
}
- while (getline(line, sizeof(line)-1, fp)) {
+ while (getline(line, sizeof(line), fp)) {
/*
- * treat both CR and LF as EOL
+ * treat CR as EOL. LF is converted to NUL by getline().
*/
- if ((s = index(line, '\n')))
- *s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
/*
@@ -222,7 +220,7 @@ char *name, *file;
continue;
if (opts & OPT_VERBOSE)
- (void)fprintf(stderr, "[%s]\n",line);
+ (void)fprintf(stderr, "[%s]\n", line);
fr = parse(line);
(void)fflush(stdout);
@@ -269,24 +267,34 @@ char *name, *file;
}
}
}
+ if (ferror(fp) || !feof(fp)) {
+ fprintf(stderr, "%s: %s: file error or line too long\n",
+ name, file);
+ exit(1);
+ }
(void)fclose(fp);
}
/*
- * Similar to fgets(3) but can handle '\\'
+ * Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
+ * Returns NULL if error occured, EOF encounterd or input line is too long.
*/
static char *getline(str, size, file)
register char *str;
size_t size;
FILE *file;
{
- register char *p;
- register int len;
+ char *p;
+ int s, len;
do {
- for (p = str; ; p += strlen(p) - 1) {
- if (!fgets(p, size, file))
- return(NULL);
+ for (p = str, s = size;; p += len, s -= len) {
+ /*
+ * if an error occured, EOF was encounterd, or there
+ * was no room to put NUL, return NULL.
+ */
+ if (fgets(p, s, file) == NULL)
+ return (NULL);
len = strlen(p);
p[len - 1] = '\0';
if (p[len - 1] != '\\')
@@ -294,7 +302,7 @@ FILE *file;
size -= len;
}
} while (*str == '\0' || *str == '\n');
- return(str);
+ return (str);
}
@@ -398,7 +406,9 @@ static void swapactive()
static void frsync()
{
- if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, 0) == -1)
+ int frsyn = 0;
+
+ if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
perror("SIOCFRSYN");
else
printf("filter sync'd\n");
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index 9be852b6619a..36372a1ae26c 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.1 1997/11/12 10:56:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $";
#endif
extern int opts;
@@ -62,7 +62,7 @@ struct ipread iptext = { text_open, text_close, text_readip };
static FILE *tfp = NULL;
static int tfd = -1;
-static u_long tx_hostnum __P((char *, int *));
+static u_32_t tx_hostnum __P((char *, int *));
static u_short tx_portnum __P((char *));
@@ -70,7 +70,7 @@ static u_short tx_portnum __P((char *));
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
-static u_long tx_hostnum(host, resolved)
+static u_32_t tx_hostnum(host, resolved)
char *host;
int *resolved;
{
@@ -89,7 +89,7 @@ int *resolved;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
- return np->n_net;
+ return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 4ad6bd312f5d..d92ec79542ff 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -11,6 +11,6 @@
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter v3.2.3"
+#define IPL_VERSION "IP Filter v3.2.7"
#endif
diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l
index 458a85206996..89b77322ef25 100644
--- a/contrib/ipfilter/iplang/iplang_l.l
+++ b/contrib/ipfilter/iplang/iplang_l.l
@@ -1,7 +1,3 @@
-%e 1500
-%p 4000
-%a 4000
-%o 6000
%{
/*
* Copyright (C) 1997 by Darren Reed.
@@ -10,7 +6,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: iplang_l.l,v 2.0.2.15.2.2 1997/12/10 09:54:15 darrenr Exp $
+ * $Id: iplang_l.l,v 2.0.2.15.2.5 1997/12/28 01:32:13 darrenr Exp $
*/
#include <stdio.h>
#include <string.h>
@@ -46,134 +42,143 @@ int next_item __P((int));
int save_token __P((void));
void swallow __P((void));
int yylex __P((void));
-%}
+struct wordtab {
+ char *word;
+ int state;
+ int next;
+};
+
+struct wordtab words[] = {
+ { "interface", IL_INTERFACE, -1 },
+ { "iface", IL_INTERFACE, -1 },
+ { "name", IL_IFNAME, IL_TOKEN },
+ { "ifname", IL_IFNAME, IL_TOKEN },
+ { "router", IL_DEFROUTER, IL_TOKEN },
+ { "mtu", IL_MTU, IL_NUMBER },
+ { "eaddr", IL_EADDR, IL_TOKEN },
+ { "v4addr", IL_V4ADDR, IL_TOKEN },
+ { "ipv4", IL_IPV4, -1 },
+ { "v", IL_V4V, IL_TOKEN },
+ { "proto", IL_V4PROTO, IL_TOKEN },
+ { "hl", IL_V4HL, IL_TOKEN },
+ { "id", IL_V4ID, IL_TOKEN },
+ { "ttl", IL_V4TTL, IL_TOKEN },
+ { "tos", IL_V4TOS, IL_TOKEN },
+ { "src", IL_V4SRC, IL_TOKEN },
+ { "dst", IL_V4DST, IL_TOKEN },
+ { "opt", IL_OPT, -1 },
+ { "len", IL_LEN, IL_TOKEN },
+ { "off", IL_OFF, IL_TOKEN },
+ { "sum", IL_SUM, IL_TOKEN },
+ { "tcp", IL_TCP, -1 },
+ { "sport", IL_SPORT, IL_TOKEN },
+ { "dport", IL_DPORT, IL_TOKEN },
+ { "seq", IL_TCPSEQ, IL_TOKEN },
+ { "ack", IL_TCPACK, IL_TOKEN },
+ { "flags", IL_TCPFL, IL_TOKEN },
+ { "urp", IL_TCPURP, IL_TOKEN },
+ { "win", IL_TCPWIN, IL_TOKEN },
+ { "udp", IL_UDP, -1 },
+ { "send", IL_SEND, -1 },
+ { "via", IL_VIA, IL_TOKEN },
+ { "arp", IL_ARP, -1 },
+ { "data", IL_DATA, -1 },
+ { "value", IL_DVALUE, IL_TOKEN },
+ { "file", IL_DFILE, IL_TOKEN },
+ { "nop", IL_IPO_NOP, -1 },
+ { "eol", IL_IPO_EOL, -1 },
+ { "rr", IL_IPO_RR, -1 },
+ { "zsu", IL_IPO_ZSU, -1 },
+ { "mtup", IL_IPO_MTUP, -1 },
+ { "mtur", IL_IPO_MTUR, -1 },
+ { "encode", IL_IPO_ENCODE, -1 },
+ { "ts", IL_IPO_TS, -1 },
+ { "tr", IL_IPO_TR, -1 },
+ { "sec", IL_IPO_SEC, -1 },
+ { "secclass", IL_IPO_SECCLASS, IL_TOKEN },
+ { "lsrr", IL_IPO_LSRR, -1 },
+ { "esec", IL_IPO_ESEC, -1 },
+ { "cipso", IL_IPO_CIPSO, -1 },
+ { "satid", IL_IPO_SATID, -1 },
+ { "ssrr", IL_IPO_SSRR, -1 },
+ { "addext", IL_IPO_ADDEXT, -1 },
+ { "visa", IL_IPO_VISA, -1 },
+ { "imitd", IL_IPO_IMITD, -1 },
+ { "eip", IL_IPO_EIP, -1 },
+ { "finn", IL_IPO_FINN, -1 },
+ { "mss", IL_TCPO_MSS, IL_TOKEN },
+ { "wscale", IL_TCPO_WSCALE, IL_TOKEN },
+ { "reserv-4", IL_IPS_RESERV4, -1 },
+ { "topsecret", IL_IPS_TOPSECRET, -1 },
+ { "secret", IL_IPS_SECRET, -1 },
+ { "reserv-3", IL_IPS_RESERV3, -1 },
+ { "confid", IL_IPS_CONFID, -1 },
+ { "unclass", IL_IPS_UNCLASS, -1 },
+ { "reserv-2", IL_IPS_RESERV2, -1 },
+ { "reserv-1", IL_IPS_RESERV1, -1 },
+ { "icmp", IL_ICMP, -1 },
+ { "type", IL_ICMPTYPE, -1 },
+ { "code", IL_ICMPCODE, -1 },
+ { "echorep", IL_ICMP_ECHOREPLY, -1 },
+ { "unreach", IL_ICMP_UNREACH, -1 },
+ { "squench", IL_ICMP_SOURCEQUENCH, -1 },
+ { "redir", IL_ICMP_REDIRECT, -1 },
+ { "echo", IL_ICMP_ECHO, -1 },
+ { "routerad", IL_ICMP_ROUTERADVERT, -1 },
+ { "routersol", IL_ICMP_ROUTERSOLICIT, -1 },
+ { "timex", IL_ICMP_TIMXCEED, -1 },
+ { "paramprob", IL_ICMP_PARAMPROB, -1 },
+ { "timest", IL_ICMP_TSTAMP, -1 },
+ { "timestrep", IL_ICMP_TSTAMPREPLY, -1 },
+ { "inforeq", IL_ICMP_IREQ, -1 },
+ { "inforep", IL_ICMP_IREQREPLY, -1 },
+ { "maskreq", IL_ICMP_MASKREQ, -1 },
+ { "maskrep", IL_ICMP_MASKREPLY, -1 },
+ { "net-unr", IL_ICMP_UNREACH_NET, -1 },
+ { "host-unr", IL_ICMP_UNREACH_HOST, -1 },
+ { "proto-unr", IL_ICMP_UNREACH_PROTOCOL, -1 },
+ { "port-unr", IL_ICMP_UNREACH_PORT, -1 },
+ { "needfrag", IL_ICMP_UNREACH_NEEDFRAG, -1 },
+ { "srcfail", IL_ICMP_UNREACH_SRCFAIL, -1 },
+ { "net-unk", IL_ICMP_UNREACH_NET_UNKNOWN, -1 },
+ { "host-unk", IL_ICMP_UNREACH_HOST_UNKNOWN, -1 },
+ { "isolate", IL_ICMP_UNREACH_ISOLATED, -1 },
+ { "net-prohib", IL_ICMP_UNREACH_NET_PROHIB, -1 },
+ { "host-prohib", IL_ICMP_UNREACH_HOST_PROHIB, -1 },
+ { "net-tos", IL_ICMP_UNREACH_TOSNET, -1 },
+ { "host-tos", IL_ICMP_UNREACH_TOSHOST, -1 },
+ { "filter-prohib", IL_ICMP_UNREACH_FILTER_PROHIB, -1 },
+ { "host-preced", IL_ICMP_UNREACH_HOST_PRECEDENCE, -1 },
+ { "cutoff-preced", IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1 },
+ { "net-redir", IL_ICMP_REDIRECT_NET, -1 },
+ { "host-redir", IL_ICMP_REDIRECT_HOST, -1 },
+ { "tos-net-redir", IL_ICMP_REDIRECT_TOSNET, -1 },
+ { "tos-host-redir", IL_ICMP_REDIRECT_TOSHOST, -1 },
+ { "intrans", IL_ICMP_TIMXCEED_INTRANS, -1 },
+ { "reass", IL_ICMP_TIMXCEED_REASS, -1 },
+ { "optabsent", IL_ICMP_PARAMPROB_OPTABSENT, -1 },
+ { "otime", IL_ICMP_OTIME, -1 },
+ { "rtime", IL_ICMP_RTIME, -1 },
+ { "ttime", IL_ICMP_TTIME, -1 },
+ { "icmpseq", IL_ICMP_SEQ, -1 },
+ { "icmpid", IL_ICMP_SEQ, -1 },
+ { ".", IL_DOT, -1 },
+ { NULL, 0, 0 }
+};
+%}
+white [ \t\r]+
%%
-[ \t\r] ;
+{white} ;
\n { lineNum++; swallow(); }
-interface |
-iface { return next_state(IL_INTERFACE, -1); }
-name |
-ifname { return next_state(IL_IFNAME, IL_TOKEN); }
-router { return next_state(IL_DEFROUTER, IL_TOKEN); }
-mtu { return next_state(IL_MTU, IL_NUMBER); }
-eaddr { return next_state(IL_EADDR, IL_TOKEN); }
-v4addr { return next_state(IL_V4ADDR, IL_TOKEN); }
-ipv4 { return next_state(IL_IPV4, -1); }
-v { return next_state(IL_V4V, IL_TOKEN); }
-proto { return next_state(IL_V4PROTO, IL_TOKEN); }
-hl { return next_state(IL_V4HL, IL_TOKEN); }
-id { return next_state(IL_V4ID, IL_TOKEN); }
-ttl { return next_state(IL_V4TTL, IL_TOKEN); }
-tos { return next_state(IL_V4TOS, IL_TOKEN); }
-src { return next_state(IL_V4SRC, IL_TOKEN); }
-dst { return next_state(IL_V4DST, IL_TOKEN); }
-opt { return next_state(IL_OPT, -1); }
-len { return next_state(IL_LEN, IL_TOKEN); }
-off { return next_state(IL_OFF, IL_TOKEN); }
-sum { return next_state(IL_SUM, IL_TOKEN); }
-tcp { return next_state(IL_TCP, -1); }
-sport { return next_state(IL_SPORT, IL_TOKEN); }
-dport { return next_state(IL_DPORT, IL_TOKEN); }
-seq { return next_state(IL_TCPSEQ, IL_TOKEN); }
-ack { return next_state(IL_TCPACK, IL_TOKEN); }
-flags { return next_state(IL_TCPFL, IL_TOKEN); }
-urp { return next_state(IL_TCPURP, IL_TOKEN); }
-win { return next_state(IL_TCPWIN, IL_TOKEN); }
-udp { return next_state(IL_UDP, -1); }
-send { return next_state(IL_SEND, -1); }
-via { return next_state(IL_VIA, IL_TOKEN); }
-arp { return next_state(IL_ARP, -1); }
-data { return next_state(IL_DATA, -1); }
-value { return next_state(IL_DVALUE, IL_TOKEN); }
-file { return next_state(IL_DFILE, IL_TOKEN); }
-nop { return next_state(IL_IPO_NOP, -1); }
-eol { return next_state(IL_IPO_EOL, -1); }
-rr { return next_state(IL_IPO_RR, -1); }
-zsu { return next_state(IL_IPO_ZSU, -1); }
-mtup { return next_state(IL_IPO_MTUP, -1); }
-mtur { return next_state(IL_IPO_MTUR, -1); }
-encode { return next_state(IL_IPO_ENCODE, -1); }
-ts { return next_state(IL_IPO_TS, -1); }
-tr { return next_state(IL_IPO_TR, -1); }
-sec { return next_state(IL_IPO_SEC, -1); }
-secclass { return next_state(IL_IPO_SECCLASS, IL_TOKEN); }
-lsrr { return next_state(IL_IPO_LSRR, -1); }
-esec { return next_state(IL_IPO_ESEC, -1); }
-cipso { return next_state(IL_IPO_CIPSO, -1); }
-satid { return next_state(IL_IPO_SATID, -1); }
-ssrr { return next_state(IL_IPO_SSRR, -1); }
-addext { return next_state(IL_IPO_ADDEXT, -1); }
-visa { return next_state(IL_IPO_VISA, -1); }
-imitd { return next_state(IL_IPO_IMITD, -1); }
-eip { return next_state(IL_IPO_EIP, -1); }
-finn { return next_state(IL_IPO_FINN, -1); }
-mss { return next_state(IL_TCPO_MSS, IL_TOKEN); }
-wscale { return next_state(IL_TCPO_MSS, IL_TOKEN); }
-reserv-4 { return next_state(IL_IPS_RESERV4, -1); }
-topsecret { return next_state(IL_IPS_TOPSECRET, -1); }
-secret { return next_state(IL_IPS_SECRET, -1); }
-reserv-3 { return next_state(IL_IPS_RESERV3, -1); }
-confid { return next_state(IL_IPS_CONFID, -1); }
-unclass { return next_state(IL_IPS_UNCLASS, -1); }
-reserv-2 { return next_state(IL_IPS_RESERV2, -1); }
-reserv-1 { return next_state(IL_IPS_RESERV1, -1); }
-icmp { return next_state(IL_ICMP, -1); }
-type { return next_state(IL_ICMPTYPE, -1); }
-code { return next_state(IL_ICMPCODE, -1); }
-echorep { return next_state(IL_ICMP_ECHOREPLY, -1); }
-unreach { return next_state(IL_ICMP_UNREACH, -1); }
-squench { return next_state(IL_ICMP_SOURCEQUENCH, -1); }
-redir { return next_state(IL_ICMP_REDIRECT, -1); }
-echo { return next_state(IL_ICMP_ECHO, -1); }
-routerad { return next_state(IL_ICMP_ROUTERADVERT, -1); }
-routersol { return next_state(IL_ICMP_ROUTERSOLICIT, -1); }
-timex { return next_state(IL_ICMP_TIMXCEED, -1); }
-paramprob { return next_state(IL_ICMP_PARAMPROB, -1); }
-timest { return next_state(IL_ICMP_TSTAMP, -1); }
-timestrep { return next_state(IL_ICMP_TSTAMPREPLY, -1); }
-inforeq { return next_state(IL_ICMP_IREQ, -1); }
-inforep { return next_state(IL_ICMP_IREQREPLY, -1); }
-maskreq { return next_state(IL_ICMP_MASKREQ, -1); }
-maskrep { return next_state(IL_ICMP_MASKREPLY, -1); }
-net-unr { return next_state(IL_ICMP_UNREACH_NET, -1); }
-host-unr { return next_state(IL_ICMP_UNREACH_HOST, -1); }
-proto-unr { return next_state(IL_ICMP_UNREACH_PROTOCOL, -1); }
-port-unr { return next_state(IL_ICMP_UNREACH_PORT, -1); }
-needfrag { return next_state(IL_ICMP_UNREACH_NEEDFRAG, -1); }
-srcfail { return next_state(IL_ICMP_UNREACH_SRCFAIL, -1); }
-net-unk { return next_state(IL_ICMP_UNREACH_NET_UNKNOWN, -1); }
-host-unk { return next_state(IL_ICMP_UNREACH_HOST_UNKNOWN, -1); }
-isolate { return next_state(IL_ICMP_UNREACH_ISOLATED, -1); }
-net-prohib { return next_state(IL_ICMP_UNREACH_NET_PROHIB, -1); }
-host-prohib { return next_state(IL_ICMP_UNREACH_HOST_PROHIB, -1); }
-net-tos { return next_state(IL_ICMP_UNREACH_TOSNET, -1); }
-host-tos { return next_state(IL_ICMP_UNREACH_TOSHOST, -1); }
-filter-prohib { return next_state(IL_ICMP_UNREACH_FILTER_PROHIB, -1); }
-host-preced { return next_state(IL_ICMP_UNREACH_HOST_PRECEDENCE, -1); }
-cutoff-preced { return next_state(IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1); }
-net-redir { return next_state(IL_ICMP_REDIRECT_NET, -1); }
-host-redir { return next_state(IL_ICMP_REDIRECT_HOST, -1); }
-tos-net-redir { return next_state(IL_ICMP_REDIRECT_TOSNET, -1); }
-tos-host-redir { return next_state(IL_ICMP_REDIRECT_TOSHOST, -1); }
-intrans { return next_state(IL_ICMP_TIMXCEED_INTRANS, -1); }
-reass { return next_state(IL_ICMP_TIMXCEED_REASS, -1); }
-optabsent { return next_state(IL_ICMP_PARAMPROB_OPTABSENT, -1); }
-otime { return next_state(IL_ICMP_OTIME, -1); }
-rtime { return next_state(IL_ICMP_RTIME, -1); }
-ttime { return next_state(IL_ICMP_TTIME, -1); }
-icmpseq { return next_state(IL_ICMP_SEQ, -1); }
-icmpid { return next_state(IL_ICMP_SEQ, -1); }
-\377 { return 0; } /* EOF */
\{ { push_proto(); return next_item('{'); }
\} { pop_proto(); return next_item('}'); }
-\. { return next_item(IL_DOT); }
; { return next_item(';'); }
[0-9]+ { return next_item(IL_NUMBER); }
[0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
: { return next_item(IL_COLON); }
#[^\n]* { return next_item(IL_COMMENT); }
-[^ {}\n\t;]* { return next_item(IL_TOKEN); }
+[^ \{\}\n\t;:{}]* { return next_item(IL_TOKEN); }
\"[^\"]*\" { return next_item(IL_TOKEN); }
%%
void yyerror(msg)
@@ -220,10 +225,21 @@ int save_token()
int next_item(nstate)
int nstate;
{
+ struct wordtab *wt;
+
+ if (opts & OPT_DEBUG)
+ printf("text=[%s] id=%d next=%d\n", yytext, nstate, next);
if (next == IL_TOKEN) {
next = -1;
return save_token();
}
+ token++;
+
+ for (wt = words; wt->word; wt++)
+ if (!strcasecmp(wt->word, yytext))
+ return next_state(wt->state, wt->next);
+ if (opts & OPT_DEBUG)
+ printf("unknown keyword=[%s]\n", yytext);
next = -1;
if (nstate == IL_NUMBER)
yylval.num = atoi(yytext);
@@ -235,13 +251,6 @@ int nstate;
int next_state(nstate, fornext)
int nstate, fornext;
{
- token++;
-
- if (next == IL_TOKEN) {
- next = -1;
- return save_token();
- }
-
next = fornext;
switch (nstate)
diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y
index 090668041045..e01bb373a045 100644
--- a/contrib/ipfilter/iplang/iplang_y.y
+++ b/contrib/ipfilter/iplang/iplang_y.y
@@ -6,7 +6,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: iplang_y.y,v 2.0.2.18.2.5 1997/12/10 09:54:45 darrenr Exp $
+ * $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $
*/
#include <stdio.h>
@@ -48,7 +48,9 @@
#include "ipf.h"
#include "iplang.h"
+#ifndef __NetBSD__
extern struct ether_addr *ether_aton __P((char *));
+#endif
extern int opts;
extern struct ipopt_names ionames[];
@@ -345,7 +347,7 @@ tcpopts:
tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); }
| IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); }
| IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
- | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
+ | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);}
| IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);}
;
@@ -779,6 +781,8 @@ char **arg;
*t++ = (u_char)(val & 0xff);
todo = 0;
}
+ if (todo)
+ continue;
}
if (quote) {
if (isdigit(c)) {
@@ -807,8 +811,8 @@ char **arg;
*t++ = '\t';
break;
}
- quote = 0;
}
+ quote = 0;
continue;
}
@@ -817,6 +821,8 @@ char **arg;
else
*t++ = c;
}
+ if (todo)
+ *t++ = (u_char)(val & 0xff);
if (quote)
*t++ = '\\';
len = t - (u_char *)canip->ah_data;
@@ -910,7 +916,7 @@ char **arg;
void set_ipv4off(arg)
char **arg;
{
- ip->ip_off = strtol(*arg, NULL, 0);
+ ip->ip_off = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@@ -961,7 +967,7 @@ char **arg;
void set_ipv4id(arg)
char **arg;
{
- ip->ip_id = strtol(*arg, NULL, 0);
+ ip->ip_id = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@@ -999,7 +1005,7 @@ void new_tcpheader()
ip->ip_p = IPPROTO_TCP;
tcp = (tcphdr_t *)new_header(IPPROTO_TCP);
- tcp->th_win = 4096;
+ tcp->th_win = htons(4096);
tcp->th_off = sizeof(*tcp) >> 2;
}
@@ -1047,7 +1053,7 @@ char **arg;
void set_tcpseq(arg)
char **arg;
{
- tcp->th_seq = strtol(*arg, NULL, 0);
+ tcp->th_seq = htonl(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@@ -1056,7 +1062,7 @@ char **arg;
void set_tcpack(arg)
char **arg;
{
- tcp->th_ack = strtol(*arg, NULL, 0);
+ tcp->th_ack = htonl(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@@ -1078,7 +1084,7 @@ char **arg;
void set_tcpurp(arg)
char **arg;
{
- tcp->th_urp = strtol(*arg, NULL, 0);
+ tcp->th_urp = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@@ -1087,7 +1093,7 @@ char **arg;
void set_tcpwin(arg)
char **arg;
{
- tcp->th_win = strtol(*arg, NULL, 0);
+ tcp->th_win = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@@ -1298,7 +1304,8 @@ void packet_done()
u_char *s = (u_char *)ipbuffer, *t = (u_char *)outline;
if (opts & OPT_VERBOSE) {
- for (i = ip->ip_len, j = 0; i; i--, j++, s++) {
+ ip->ip_len = htons(ip->ip_len);
+ for (i = ntohs(ip->ip_len), j = 0; i; i--, j++, s++) {
if (j && !(j & 0xf)) {
*t++ = '\n';
*t = '\0';
@@ -1338,6 +1345,7 @@ void packet_done()
}
fputs(outline, stdout);
fflush(stdout);
+ ip->ip_len = ntohs(ip->ip_len);
}
prep_packet();
@@ -1542,35 +1550,35 @@ char **type;
void set_icmpid(arg)
int arg;
{
- icmp->icmp_id = arg;
+ icmp->icmp_id = htons(arg);
}
void set_icmpseq(arg)
int arg;
{
- icmp->icmp_seq = arg;
+ icmp->icmp_seq = htons(arg);
}
void set_icmpotime(arg)
int arg;
{
- icmp->icmp_otime = arg;
+ icmp->icmp_otime = htonl(arg);
}
void set_icmprtime(arg)
int arg;
{
- icmp->icmp_rtime = arg;
+ icmp->icmp_rtime = htonl(arg);
}
void set_icmpttime(arg)
int arg;
{
- icmp->icmp_ttime = arg;
+ icmp->icmp_ttime = htonl(arg);
}
@@ -1578,7 +1586,7 @@ void set_icmpmtu(arg)
int arg;
{
#if BSD >= 199306
- icmp->icmp_nextmtu = arg;
+ icmp->icmp_nextmtu = htons(arg);
#endif
}
@@ -1730,7 +1738,9 @@ void end_ipv4()
aniphdr_t *aip;
ip->ip_sum = 0;
+ ip->ip_len = htons(ip->ip_len);
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
+ ip->ip_len = ntohs(ip->ip_len);
free_anipheader();
for (aip = aniphead, ip = NULL; aip; aip = aip->ah_next)
if (aip->ah_p == IPPROTO_IP)
@@ -1761,9 +1771,10 @@ void end_udp()
iptmp.ip_p = ip->ip_p;
iptmp.ip_src = ip->ip_src;
iptmp.ip_dst = ip->ip_dst;
- iptmp.ip_len = ip->ip_len - (ip->ip_hl << 2);
+ iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
- udp->uh_sum = c_chksum((u_short *)udp, (u_int)iptmp.ip_len, sum);
+ udp->uh_ulen = htons(udp->uh_ulen);
+ udp->uh_sum = c_chksum((u_short *)udp, (u_int)ntohs(iptmp.ip_len), sum);
free_anipheader();
for (aip = aniphead, udp = NULL; aip; aip = aip->ah_next)
if (aip->ah_p == IPPROTO_UDP)
@@ -1781,10 +1792,10 @@ void end_tcp()
iptmp.ip_p = ip->ip_p;
iptmp.ip_src = ip->ip_src;
iptmp.ip_dst = ip->ip_dst;
- iptmp.ip_len = ip->ip_len - (ip->ip_hl << 2);
+ iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
tcp->th_sum = 0;
- tcp->th_sum = c_chksum((u_short *)tcp, (u_int)iptmp.ip_len, sum);
+ tcp->th_sum = c_chksum((u_short *)tcp, (u_int)ntohs(iptmp.ip_len), sum);
free_anipheader();
for (aip = aniphead, tcp = NULL; aip; aip = aip->ah_next)
if (aip->ah_p == IPPROTO_TCP)
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 4d738b6df3c2..283e9ff2034b 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $";
#endif
#include <stdio.h>
@@ -18,6 +18,7 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
+#include <signal.h>
#include <sys/dir.h>
#else
#include <sys/filio.h>
@@ -87,7 +88,11 @@ struct flags tcpfl[] = {
static char line[2048];
static int opts = 0;
+static FILE *newlog = NULL;
+static char *logfile = NULL;
+static int donehup = 0;
static void usage __P((char *));
+static void handlehup __P((void));
static void flushlogs __P((char *, FILE *));
static void print_log __P((int, FILE *, char *, int));
static void print_ipflog __P((FILE *, char *, int));
@@ -99,6 +104,8 @@ char *hostname __P((int, struct in_addr));
char *portname __P((int, char *, u_short));
int main __P((int, char *[]));
+static void logopts __P((int, char *));
+
#define OPT_SYSLOG 0x001
#define OPT_RESOLVE 0x002
@@ -117,6 +124,17 @@ int main __P((int, char *[]));
#endif
+static void handlehup()
+{
+ FILE *fp;
+
+ signal(SIGHUP, handlehup);
+ if (logfile && (fp = fopen(logfile, "a")))
+ newlog = fp;
+ donehup = 1;
+}
+
+
static int read_log(fd, lenp, buf, bufsize, log)
int fd, bufsize, *lenp;
char *buf;
@@ -181,7 +199,7 @@ int len;
*t++ = '\n';
*t = '\0';
if (!(opts & OPT_SYSLOG))
- fputs(line, stdout);
+ fputs(line, log);
else
syslog(LOG_INFO, "%s", line);
t = (u_char *)line;
@@ -217,8 +235,8 @@ int len;
*t = '\0';
}
if (!(opts & OPT_SYSLOG)) {
- fputs(line, stdout);
- fflush(stdout);
+ fputs(line, log);
+ fflush(log);
} else
syslog(LOG_INFO, "%s", line);
}
@@ -232,19 +250,21 @@ int blen;
iplog_t *ipl = (iplog_t *)buf;
char *t = line;
struct tm *tm;
- int res;
+ int res, i, len;
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
tm = localtime((time_t *)&ipl->ipl_sec);
+ len = sizeof(line);
if (!(opts & OPT_SYSLOG)) {
- (void) sprintf(t, "%2d/%02d/%4d ",
- tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
- t += strlen(t);
+ (void) strftime(t, len, "%d/%m/%Y ", tm);
+ i = strlen(t);
+ len -= i;
+ t += i;
}
- (void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ",
- tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec,
- nl->nl_rule+1);
+ (void) strftime(t, len, "%T", tm);
+ t += strlen(t);
+ (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
t += strlen(t);
if (nl->nl_type == NL_NEWMAP)
@@ -295,18 +315,21 @@ int blen;
struct protoent *pr;
char *t = line, *proto, pname[6];
struct tm *tm;
- int res;
+ int res, i, len;
sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
tm = localtime((time_t *)&ipl->ipl_sec);
+ len = sizeof(line);
if (!(opts & OPT_SYSLOG)) {
- (void) sprintf(t, "%2d/%02d/%4d ",
- tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
- t += strlen(t);
+ (void) strftime(t, len, "%d/%m/%Y ", tm);
+ i = strlen(t);
+ len -= i;
+ t += i;
}
- (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ",
- tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec);
+ (void) strftime(t, len, "%T", tm);
+ t += strlen(t);
+ (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
t += strlen(t);
if (sl->isl_type == ISL_NEW)
@@ -364,13 +387,26 @@ char *buf;
int logtype, blen;
{
iplog_t *ipl;
+ char *bp = NULL, *bpo = NULL;
int psize;
while (blen > 0) {
ipl = (iplog_t *)buf;
+ if ((u_long)ipl & (sizeof(long)-1)) {
+ if (bp)
+ bpo = bp;
+ bp = (char *)malloc(blen);
+ bcopy((char *)ipl, bp, blen);
+ if (bpo) {
+ free(bpo);
+ bpo = NULL;
+ }
+ buf = bp;
+ continue;
+ }
if (ipl->ipl_magic != IPL_MAGIC) {
/* invalid data or out of sync */
- return;
+ break;
}
psize = ipl->ipl_dsize;
switch (logtype)
@@ -389,6 +425,9 @@ int logtype, blen;
blen -= psize;
buf += psize;
}
+ if (bp)
+ free(bp);
+ return;
}
@@ -421,13 +460,16 @@ int blen;
ip->ip_len = ntohs(ip->ip_len);
#endif
+ len = sizeof(line);
if (!(opts & OPT_SYSLOG)) {
- (void) sprintf(t, "%2d/%02d/%4d ",
- tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
- t += strlen(t);
+ (void) strftime(t, len, "%d/%m/%Y ", tm);
+ i = strlen(t);
+ len -= i;
+ t += i;
}
- (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", tm->tm_hour, tm->tm_min,
- tm->tm_sec, ipl->ipl_usec);
+ (void) strftime(t, len, "%T", tm);
+ t += strlen(t);
+ (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
t += strlen(t);
if (ipl->ipl_count > 1) {
(void) sprintf(t, "%dx ", ipl->ipl_count);
@@ -519,9 +561,9 @@ int blen;
ic = (struct icmp *)((char *)ip + hl);
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu (%hu) icmp %d/%d",
- hostname(res, ip->ip_dst), hl,
- ntohs(ip->ip_len), ic->icmp_type, ic->icmp_code);
+ (void) sprintf(t, "%s PR icmp len %hu %hu icmp %d/%d",
+ hostname(res, ip->ip_dst), hl, ip->ip_len,
+ ic->icmp_type, ic->icmp_code);
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
ic->icmp_type == ICMP_PARAMPROB ||
@@ -663,7 +705,7 @@ char *argv[];
FILE *log = stdout;
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
- int fdt[3], devices = 0;
+ int fdt[3], devices = 0, make_daemon = 0;
char buf[512], *iplfile[3];
extern int optind;
extern char *optarg;
@@ -674,12 +716,15 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
- while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1)
+ while ((c = getopt(argc, argv, "?aDf:FhI:nN:o:O:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
opts |= OPT_ALL;
break;
+ case 'D' :
+ make_daemon = 1;
+ break;
case 'f' : case 'I' :
opts |= OPT_FILTER;
fdt[0] = IPL_LOGIPF;
@@ -768,7 +813,8 @@ char *argv[];
}
if (!(opts & OPT_SYSLOG)) {
- log = argv[optind] ? fopen(argv[optind], "a") : stdout;
+ logfile = argv[optind];
+ log = logfile ? fopen(logfile, "a") : stdout;
if (log == NULL) {
(void) fprintf(stderr, "%s: fopen: %s\n", argv[optind],
@@ -778,6 +824,17 @@ char *argv[];
setvbuf(log, NULL, _IONBF, 0);
}
+ if (make_daemon && (log != stdout)) {
+ if (fork() > 0)
+ exit(0);
+ close(0);
+ close(1);
+ close(2);
+ setsid();
+ }
+
+ signal(SIGHUP, handlehup);
+
for (doread = 1; doread; ) {
nr = 0;
@@ -800,6 +857,15 @@ char *argv[];
nr += tr;
tr = read_log(fd[i], &n, buf, sizeof(buf), log);
+ if (donehup) {
+ donehup = 0;
+ if (newlog) {
+ fclose(log);
+ log = newlog;
+ newlog = NULL;
+ }
+ }
+
switch (tr)
{
case -1 :
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index a97d1a3ff540..ae0f71d02be9 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
+#include <errno.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@@ -52,9 +53,16 @@
#include "netinet/ip_nat.h"
#include "kmem.h"
+#if defined(sun) && !SOLARIS2
+# define STRERROR(x) sys_errlist[x]
+extern char *sys_errlist[];
+#else
+# define STRERROR(x) strerror(x)
+#endif
+
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.1 1997/11/08 04:55:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $";
#endif
@@ -65,14 +73,14 @@ static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.1 1997/11/08 04:55:55
extern char *optarg;
ipnat_t *parse __P((char *));
-u_long hostnum __P((char *, int *));
-u_long hostmask __P((char *));
+u_32_t hostnum __P((char *, int *));
+u_32_t hostmask __P((char *));
u_short portnum __P((char *, char *));
void dostats __P((int, int)), flushtable __P((int, int));
void printnat __P((ipnat_t *, int, void *));
void parsefile __P((int, char *, int));
void usage __P((char *));
-int countbits __P((u_long));
+int countbits __P((u_32_t));
char *getnattype __P((ipnat_t *));
int main __P((int, char*[]));
@@ -133,7 +141,8 @@ char *argv[];
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) &&
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
- perror("open");
+ (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
+ STRERROR(errno));
exit(-1);
}
@@ -153,9 +162,9 @@ char *argv[];
* of bits.
*/
int countbits(ip)
-u_long ip;
+u_32_t ip;
{
- u_long ipn;
+ u_32_t ipn;
int cnt = 0, i, j;
ip = ipn = ntohl(ip);
@@ -233,7 +242,7 @@ void *ptr;
else
printf("%s", inet_ntoa(np->in_in[1]));
printf(" -> %s/", inet_ntoa(np->in_out[0]));
- bits = countbits(ntohl(np->in_out[1].s_addr));
+ bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("%d ", bits);
else
@@ -408,18 +417,18 @@ char *name, *proto;
}
-u_long hostmask(msk)
+u_32_t hostmask(msk)
char *msk;
{
int bits = -1;
- u_long mask;
+ u_32_t mask;
if (!isdigit(*msk))
- return (u_long)-1;
+ return (u_32_t)-1;
if (strchr(msk, '.'))
return inet_addr(msk);
if (strchr(msk, 'x'))
- return (u_long)strtol(msk, NULL, 0);
+ return (u_32_t)strtol(msk, NULL, 0);
/*
* set x most significant bits
*/
@@ -436,7 +445,7 @@ char *msk;
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
-u_long hostnum(host, resolved)
+u_32_t hostnum(host, resolved)
char *host;
int *resolved;
{
@@ -455,7 +464,7 @@ int *resolved;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
- return np->n_net;
+ return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}
@@ -760,7 +769,8 @@ int opts;
if (strcmp(file, "-")) {
if (!(fp = fopen(file, "r"))) {
- perror(file);
+ (void) fprintf(stderr, "%s: open: %s\n", file,
+ STRERROR(errno));
exit(1);
}
} else
diff --git a/contrib/ipfilter/ipsd/README b/contrib/ipfilter/ipsd/README
index 6746d01d3852..eb6b7986cd77 100644
--- a/contrib/ipfilter/ipsd/README
+++ b/contrib/ipfilter/ipsd/README
@@ -29,4 +29,4 @@ Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.
Darren
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/README b/contrib/ipfilter/ipsend/README
index 6898cdd44b37..198556d834fb 100644
--- a/contrib/ipfilter/ipsend/README
+++ b/contrib/ipfilter/ipsend/README
@@ -5,4 +5,4 @@ http://coombs.anu.edu.au/~avalon/ip-filter.html
Patches, bugs, etc, please send to:
-darrenr@cyber.com.au
+darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index 459c09bdeca3..69149244ad16 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.3 1997/12/21 12:17:37 darrenr Exp $";
#endif
#include <errno.h>
#include <stdio.h>
@@ -117,7 +117,6 @@ int frag;
last_gw.s_addr = gwip.s_addr;
iplen = ip->ip_len;
ip->ip_len = htons(iplen);
- ip->ip_off = htons(ip->ip_off);
if (!(frag & 2)) {
if (!ip->ip_v)
ip->ip_v = IPVERSION;
@@ -260,7 +259,7 @@ struct in_addr gwip;
i = sizeof(struct tcpiphdr) / sizeof(long);
- if ((ti->ti_flags == TH_SYN) && !ip->ip_off &&
+ if ((ti->ti_flags == TH_SYN) && !ntohs(ip->ip_off) &&
(lbuf[i] != htonl(0x020405b4))) {
lbuf[i] = htonl(0x020405b4);
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1
index 40f98256209f..448fa41e9e24 100644
--- a/contrib/ipfilter/ipsend/ipresend.1
+++ b/contrib/ipfilter/ipsend/ipresend.1
@@ -92,8 +92,6 @@ option combinations:
.B \-X
The input file is composed of text descriptions of IP packets.
.TP
-.SH FILES
-.DT
.SH SEE ALSO
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
@@ -103,5 +101,5 @@ Needs to be run as root.
.PP
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.
-If you find any, please send email to me at darrenr@cyber.com.au
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/ipsend.1 b/contrib/ipfilter/ipsend/ipsend.1
index d99038ddca77..6554e585c036 100644
--- a/contrib/ipfilter/ipsend/ipsend.1
+++ b/contrib/ipfilter/ipsend/ipsend.1
@@ -106,4 +106,4 @@ ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
Needs to be run as root.
.SH BUGS
.PP
-If you find any, please send email to me at darrenr@cyber.com.au
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/ipsend.5 b/contrib/ipfilter/ipsend/ipsend.5
index b6a3e0496775..9fa459355fb6 100644
--- a/contrib/ipfilter/ipsend/ipsend.5
+++ b/contrib/ipfilter/ipsend/ipsend.5
@@ -392,7 +392,10 @@ Address mask request.
.B maskrep
Address mask reply.
.SH FILES
+/etc/hosts
+.br
/etc/protocols
+.br
/etc/services
-/etc/hosts
.SH SEE ALSO
+ipsend(1), iptest(1), hosts(5), protocols(5), services(5)
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 1f47466f7366..5f0ca43a0e68 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19 1997/10/12 09:48:38 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
@@ -357,7 +357,7 @@ char **argv;
}
if (ip->ip_p == IPPROTO_TCP)
- for (s = argv[optind]; (c = *s); s++)
+ for (s = argv[optind]; s && (c = *s); s++)
switch(c)
{
case 'S' : case 's' :
diff --git a/contrib/ipfilter/ipsend/iptest.1 b/contrib/ipfilter/ipsend/iptest.1
index 3c98a4caab42..02036b905d4d 100644
--- a/contrib/ipfilter/ipsend/iptest.1
+++ b/contrib/ipfilter/ipsend/iptest.1
@@ -91,11 +91,11 @@ MTU's without setting them so.
Run a...
.DT
.SH SEE ALSO
-ipsend(1), ipresend(1), bpf(4), dlpi(7p)
+ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p)
.SH DIAGNOSTICS
Only one of the numeric test options may be given when \fIiptest\fP is run.
.PP
Needs to be run as root.
.SH BUGS
.PP
-If you find any, please send email to me at darrenr@cyber.com.au
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index f12dbadd2024..16c830a006e9 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17:38 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@@ -98,24 +98,21 @@ int ptest;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)(ip + 1);
- u->uh_sport = 1;
- u->uh_dport = 9;
+ u->uh_sport = htons(1);
+ u->uh_dport = htons(9);
u->uh_sum = 0;
- u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = sizeof(*ip) + u->uh_ulen;
+ u->uh_ulen = htons(sizeof(*u) + 4);
+ ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
len = ip->ip_len;
nfd = initdevice(dev, u->uh_sport, 1);
- u->uh_sport = htons(u->uh_sport);
- u->uh_dport = htons(u->uh_dport);
- u->uh_ulen = htons(u->uh_ulen);
if (!ptest || (ptest == 1)) {
/*
* Part1: hl < len
*/
ip->ip_id = 0;
printf("1.1. sending packets with ip_hl < ip_len\n");
- for (i = 0; i < ((sizeof(*ip) + u->uh_ulen) >> 2); i++) {
+ for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) {
ip->ip_hl = i >> 2;
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
@@ -131,7 +128,7 @@ int ptest;
*/
ip->ip_id = 0;
printf("1.2. sending packets with ip_hl > ip_len\n");
- for (; i < ((sizeof(*ip) * 2 + u->uh_ulen) >> 2); i++) {
+ for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) {
ip->ip_hl = i >> 2;
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
@@ -181,10 +178,8 @@ int ptest;
ip->ip_id = 0;
ip->ip_v = IPVERSION;
i = ip->ip_len + 1;
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
printf("1.5.0 ip_len < packet size (size++, long packets)\n");
- for (; i < (ntohs(ip->ip_len) * 2); i++) {
+ for (; i < (ip->ip_len * 2); i++) {
ip->ip_id = htons(id++);
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
@@ -197,7 +192,7 @@ int ptest;
printf("1.5.1 ip_len < packet size (ip_len-, short packets)\n");
for (i = len; i > 0; i--) {
ip->ip_id = htons(id++);
- ip->ip_len = htons(i);
+ ip->ip_len = i;
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
@@ -216,7 +211,7 @@ int ptest;
printf("1.6.0 ip_len > packet size (increase ip_len)\n");
for (i = len + 1; i < (len * 2); i++) {
ip->ip_id = htons(id++);
- ip->ip_len = htons(i);
+ ip->ip_len = i;
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
@@ -225,7 +220,7 @@ int ptest;
PAUSE();
}
putchar('\n');
- ip->ip_len = htons(len);
+ ip->ip_len = len;
printf("1.6.1 ip_len > packet size (size--, short packets)\n");
for (i = len; i > 0; i--) {
ip->ip_id = htons(id++);
@@ -288,7 +283,7 @@ int ptest;
* about that here.
*/
ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = IP_MF;
+ ip->ip_off = htons(IP_MF);
u->uh_dport = htons(9);
ip->ip_id = htons(id++);
printf("1.8.1 63k packet + 1k fragment at offset 0x1ffe\n");
@@ -299,14 +294,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = IP_MF | (i >> 3);
+ ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
- ip->ip_off = (i >> 3);
+ ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@@ -319,7 +314,7 @@ int ptest;
* about that here. (Lossage here)
*/
ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = IP_MF;
+ ip->ip_off = htons(IP_MF);
u->uh_dport = htons(9);
ip->ip_id = htons(id++);
printf("1.8.2 63k packet + 1k fragment at offset 0x1ffe\n");
@@ -333,7 +328,7 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = IP_MF | (i >> 3);
+ ip->ip_off = htons(IP_MF | (i >> 3));
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@@ -343,7 +338,7 @@ int ptest;
PAUSE();
}
ip->ip_len = 896 + 20;
- ip->ip_off = (i >> 3);
+ ip->ip_off = htons(i >> 3);
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@@ -359,7 +354,7 @@ int ptest;
* about that here.
*/
ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = IP_MF;
+ ip->ip_off = htons(IP_MF);
u->uh_dport = htons(9);
ip->ip_id = htons(id++);
printf("1.8.3 33k packet\n");
@@ -370,14 +365,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (32 * 1024 + 768); i += 768) {
- ip->ip_off = IP_MF | (i >> 3);
+ ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
- ip->ip_off = (i >> 3);
+ ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@@ -391,7 +386,7 @@ int ptest;
* Part9: off & 0x8000 == 0x8000
*/
ip->ip_id = 0;
- ip->ip_off = 0x8000;
+ ip->ip_off = htons(0x8000);
printf("1.9. ip_off & 0x8000 == 0x8000\n");
(void) send_ip(nfd, mtu, ip, gwip, 1);
fflush(stdout);
@@ -440,7 +435,7 @@ int ptest;
u_char *s;
s = (u_char *)(ip + 1);
- nfd = initdevice(dev, 1, 1);
+ nfd = initdevice(dev, htons(1), 1);
ip->ip_hl = 6;
ip->ip_len = ip->ip_hl << 2;
@@ -539,7 +534,7 @@ int ptest;
ip->ip_sum = 0;
ip->ip_len = sizeof(*ip) + sizeof(*icp);
icp = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
- nfd = initdevice(dev, 1, 1);
+ nfd = initdevice(dev, htons(1), 1);
if (!ptest || (ptest == 1)) {
/*
@@ -731,20 +726,20 @@ int ptest;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)((char *)ip + (ip->ip_hl << 2));
- u->uh_sport = 1;
- u->uh_dport = 1;
- u->uh_ulen = sizeof(*u) + 4;
+ u->uh_sport = htons(1);
+ u->uh_dport = htons(1);
+ u->uh_ulen = htons(sizeof(*u) + 4);
nfd = initdevice(dev, u->uh_sport, 1);
if (!ptest || (ptest == 1)) {
/*
* Test 1. ulen > packet
*/
- u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
+ u->uh_ulen = htons(sizeof(*u) + 4);
+ ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.1 UDP uh_ulen > packet size - short packets\n");
- for (i = u->uh_ulen * 2; i > sizeof(*u) + 4; i--) {
- u->uh_ulen = i;
+ for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
+ u->uh_ulen = htons(i);
(void) send_udp(nfd, 1500, ip, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -757,10 +752,10 @@ int ptest;
/*
* Test 2. ulen < packet
*/
- u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
+ u->uh_ulen = htons(sizeof(*u) + 4);
+ ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.2 UDP uh_ulen < packet size - short packets\n");
- for (i = u->uh_ulen * 2; i > sizeof(*u) + 4; i--) {
+ for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
ip->ip_len = i;
(void) send_udp(nfd, 1500, ip, gwip);
printf("%d\r", i);
@@ -776,7 +771,7 @@ int ptest;
* sport = 32768, sport = 65535
*/
u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
+ ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.3.1 UDP sport = 0\n");
u->uh_sport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@@ -784,26 +779,26 @@ int ptest;
fflush(stdout);
PAUSE();
printf("4.3.2 UDP sport = 1\n");
- u->uh_sport = 1;
+ u->uh_sport = htons(1);
(void) send_udp(nfd, 1500, ip, gwip);
printf("1\n");
fflush(stdout);
PAUSE();
printf("4.3.3 UDP sport = 32767\n");
- u->uh_sport = 32767;
+ u->uh_sport = htons(32767);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32767\n");
fflush(stdout);
PAUSE();
printf("4.3.4 UDP sport = 32768\n");
- u->uh_sport = 32768;
+ u->uh_sport = htons(32768);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32768\n");
putchar('\n');
fflush(stdout);
PAUSE();
printf("4.3.5 UDP sport = 65535\n");
- u->uh_sport = 65535;
+ u->uh_sport = htons(65535);
(void) send_udp(nfd, 1500, ip, gwip);
printf("65535\n");
fflush(stdout);
@@ -815,9 +810,9 @@ int ptest;
* Test 4: dport = 0, dport = 1, dport = 32767
* dport = 32768, dport = 65535
*/
- u->uh_ulen = sizeof(*u) + 4;
- u->uh_sport = 1;
- ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
+ u->uh_ulen = ntohs(sizeof(*u) + 4);
+ u->uh_sport = htons(1);
+ ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.4.1 UDP dport = 0\n");
u->uh_dport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@@ -825,25 +820,25 @@ int ptest;
fflush(stdout);
PAUSE();
printf("4.4.2 UDP dport = 1\n");
- u->uh_dport = 1;
+ u->uh_dport = htons(1);
(void) send_udp(nfd, 1500, ip, gwip);
printf("1\n");
fflush(stdout);
PAUSE();
printf("4.4.3 UDP dport = 32767\n");
- u->uh_dport = 32767;
+ u->uh_dport = htons(32767);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32767\n");
fflush(stdout);
PAUSE();
printf("4.4.4 UDP dport = 32768\n");
- u->uh_dport = 32768;
+ u->uh_dport = htons(32768);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32768\n");
fflush(stdout);
PAUSE();
printf("4.4.5 UDP dport = 65535\n");
- u->uh_dport = 65535;
+ u->uh_dport = htons(65535);
(void) send_udp(nfd, 1500, ip, gwip);
printf("65535\n");
fflush(stdout);
@@ -856,7 +851,7 @@ int ptest;
* sizeof(ip_t)
*/
printf("4.5 UDP 20 <= MTU <= 32\n");
- for (i = sizeof(*ip); i <= u->uh_ulen; i++) {
+ for (i = sizeof(*ip); i <= ntohs(u->uh_ulen); i++) {
(void) send_udp(nfd, i, ip, gwip);
printf("%d\r", i);
fflush(stdout);
@@ -885,12 +880,12 @@ int ptest;
t->th_x2 = 0;
#endif
t->th_off = 0;
- t->th_sport = 1;
- t->th_dport = 1;
- t->th_win = 4096;
+ t->th_sport = htons(1);
+ t->th_dport = htons(1);
+ t->th_win = htons(4096);
t->th_urp = 0;
t->th_sum = 0;
- t->th_seq = 1;
+ t->th_seq = htonl(1);
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
nfd = initdevice(dev, t->th_sport, 1);
@@ -919,37 +914,37 @@ int ptest;
* seq = 0xa000000, seq = 0xffffffff
*/
printf("5.2.1 TCP seq = 0\n");
- t->th_seq = 0;
+ t->th_seq = htonl(0);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.2 TCP seq = 1\n");
- t->th_seq = 1;
+ t->th_seq = htonl(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.3 TCP seq = 0x7fffffff\n");
- t->th_seq = 0x7fffffff;
+ t->th_seq = htonl(0x7fffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.4 TCP seq = 0x80000000\n");
- t->th_seq = 0x80000000;
+ t->th_seq = htonl(0x80000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.5 TCP seq = 0xc0000000\n");
- t->th_seq = 0xc0000000;
+ t->th_seq = htonl(0xc0000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.6 TCP seq = 0xffffffff\n");
- t->th_seq = 0xffffffff;
+ t->th_seq = htonl(0xffffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@@ -968,31 +963,31 @@ int ptest;
PAUSE();
printf("5.3.2 TCP ack = 1\n");
- t->th_ack = 1;
+ t->th_ack = htonl(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.3 TCP ack = 0x7fffffff\n");
- t->th_ack = 0x7fffffff;
+ t->th_ack = htonl(0x7fffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.4 TCP ack = 0x80000000\n");
- t->th_ack = 0x80000000;
+ t->th_ack = htonl(0x80000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.5 TCP ack = 0xc0000000\n");
- t->th_ack = 0xc0000000;
+ t->th_ack = htonl(0xc0000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.6 TCP ack = 0xffffffff\n");
- t->th_ack = 0xffffffff;
+ t->th_ack = htonl(0xffffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@@ -1004,19 +999,19 @@ int ptest;
* Test 4: win = 0, win = 32768, win = 65535
*/
printf("5.4.1 TCP win = 0\n");
- t->th_seq = 0;
+ t->th_seq = htonl(0);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.4.2 TCP win = 32768\n");
- t->th_seq = 0x7fff;
+ t->th_seq = htonl(0x7fff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.4.3 TCP win = 65535\n");
- t->th_win = 0xffff;
+ t->th_win = htons(0xffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@@ -1061,7 +1056,7 @@ int ptest;
}
KMCPY(&tcb, tcbp, sizeof(tcb));
ti.ti_win = tcb.rcv_adv;
- ti.ti_seq = tcb.snd_nxt - 1;
+ ti.ti_seq = htonl(tcb.snd_nxt - 1);
ti.ti_ack = tcb.rcv_nxt;
if (!ptest || (ptest == 5)) {
@@ -1075,7 +1070,7 @@ int ptest;
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
- t->th_seq = tcb.snd_nxt;
+ t->th_seq = htonl(tcb.snd_nxt);
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1;
t->th_urp = htons(0x7fff);
(void) send_tcp(nfd, mtu, ip, gwip);
@@ -1086,7 +1081,7 @@ int ptest;
t->th_urp = htons(0xffff);
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
- t->th_urp = htons(0);
+ t->th_urp = 0;
t->th_flags &= ~TH_URG;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
}
@@ -1112,8 +1107,8 @@ int ptest;
}
skip_five_and_six:
#endif
- t->th_seq = 1;
- t->th_ack = 1;
+ t->th_seq = htonl(1);
+ t->th_ack = htonl(1);
t->th_off = 0;
if (!ptest || (ptest == 7)) {
@@ -1129,32 +1124,32 @@ skip_five_and_six:
PAUSE();
printf("5.7.2 TCP sport = 1\n");
- t->th_sport = 1;
+ t->th_sport = htons(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.7.3 TCP sport = 32767\n");
- t->th_sport = 32767;
+ t->th_sport = htons(32767);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.7.4 TCP sport = 32768\n");
- t->th_sport = 32768;
+ t->th_sport = htons(32768);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.7.5 TCP sport = 65535\n");
- t->th_sport = 65535;
+ t->th_sport = htons(65535);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
}
if (!ptest || (ptest == 8)) {
- t->th_sport = 1;
+ t->th_sport = htons(1);
t->th_flags = TH_SYN;
/*
* Test 8: dport = 0, dport = 1, dport = 32767
@@ -1167,25 +1162,25 @@ skip_five_and_six:
PAUSE();
printf("5.8.2 TCP dport = 1\n");
- t->th_dport = 1;
+ t->th_dport = htons(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.8.3 TCP dport = 32767\n");
- t->th_dport = 32767;
+ t->th_dport = htons(32767);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.8.4 TCP dport = 32768\n");
- t->th_dport = 32768;
+ t->th_dport = htons(32768);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.8.5 TCP dport = 65535\n");
- t->th_dport = 65535;
+ t->th_dport = htons(65535);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@@ -1229,14 +1224,12 @@ int ptest;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)(ip + 1);
- u->uh_sport = 1;
- u->uh_dport = 9;
+ u->uh_sport = htons(1);
+ u->uh_dport = htons(9);
u->uh_sum = 0;
nfd = initdevice(dev, u->uh_sport, 1);
- u->uh_sport = htons(u->uh_sport);
- u->uh_dport = htons(u->uh_dport);
- u->uh_ulen = 7168;
+ u->uh_ulen = htons(7168);
printf("6. Exhaustive mbuf test.\n");
printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n");
@@ -1247,7 +1240,7 @@ int ptest;
*/
ip->ip_len = sizeof(*ip) + 768 + sizeof(*u);
ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_off = IP_MF;
+ ip->ip_off = htons(IP_MF);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, 0);
fflush(stdout);
@@ -1256,7 +1249,7 @@ int ptest;
* And again using 128 byte chunks.
*/
ip->ip_len = sizeof(*ip) + 128 + sizeof(*u);
- ip->ip_off = IP_MF;
+ ip->ip_off = htons(IP_MF);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, 0);
fflush(stdout);
@@ -1264,7 +1257,7 @@ int ptest;
for (j = 768; j < 3584; j += 768) {
ip->ip_len = sizeof(*ip) + 768;
- ip->ip_off = IP_MF|(j>>3);
+ ip->ip_off = htons(IP_MF|(j>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, j);
fflush(stdout);
@@ -1272,7 +1265,7 @@ int ptest;
ip->ip_len = sizeof(*ip) + 128;
for (k = j - 768; k < j; k += 128) {
- ip->ip_off = IP_MF|(k>>3);
+ ip->ip_off = htons(IP_MF|(k>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, k);
fflush(stdout);
@@ -1326,7 +1319,7 @@ int ptest;
for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
*s = (rand() >> 13) & 0xff;
pip->ip_v = IPVERSION;
- pip->ip_off &= 0xc000;
+ pip->ip_off &= htons(0xc000);
bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
sizeof(struct in_addr));
pip->ip_sum = 0;
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index 9d835506c50b..3519d522248f 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -3,6 +3,7 @@
ipf \- packet filtering kernel interface
.SH SYNOPSIS
#include <netinet/ip_compat.h>
+.br
#include <netinet/ip_fil.h>
.SH IOCTLS
.PP
@@ -200,5 +201,13 @@ struct filterstats {
#endif
};
.fi
+.SH FILES
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipnat
+.br
+/dev/ipstate
.SH SEE ALSO
-ipfstat(8), ipf(8), ipf(5)
+ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index 1ee1584d1875..79ab393b1fd2 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -1,6 +1,6 @@
.TH IPF 5
.SH NAME
-ipf \- IP packet filter rule syntax
+ipf, ipf.conf \- IP packet filter rule syntax
.SH DESCRIPTION
.PP
A rule file for \fBipf\fP may have any name or even be stdin. As
@@ -477,8 +477,14 @@ Note, that if we wanted to say "port = telnet", "proto tcp" would
need to be specified as the parser interprets each rule on its own and
qualifies all service/port names with the protocol specified.
.SH FILES
-/etc/services
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
.br
/etc/hosts
+.br
+/etc/services
.SH SEE ALSO
-ipf(8), ipftest(1), mkfilters(1), ipmon(8)
+ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index 11a1666e2e32..06d2723ffc15 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -66,7 +66,7 @@ lists.
.B \-I
Set the list to make changes to the inactive list.
.TP
-.B \-l \0<param>
+.B \-l \0<pass|block|nomatch>
Use of the \fB-l\fP flag toggles default logging of packets. Valid
arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
When an option is set, any packet which exits filtering and matches the
@@ -106,12 +106,18 @@ display the statistics prior to them being zero'd.
Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
.DT
+.SH FILES
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
.SH SEE ALSO
-ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
+ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
.SH DIAGNOSTICS
.PP
Needs to be run as root for the packet filtering lists to actually
be affected inside the kernel.
.SH BUGS
.PP
-If you find any, please send email to me at darrenr@cyber.com.au
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index 166a114b26b6..94525eb2d491 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -69,6 +69,10 @@ kernel.
.SH FILES
/dev/kmem
.br
+/dev/ipl
+.br
+/dev/ipstate
+.br
/vmunix
.SH SEE ALSO
ipf(8)
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index e77ef96bc4be..aba216a87fdb 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -1,4 +1,4 @@
-.TH ipftest 8
+.TH ipftest 1
.SH NAME
ipftest \- test packet filter rules with arbitary input.
.SH SYNOPSIS
@@ -119,9 +119,8 @@ Specify the filename from which to take input. Default is stdin.
.TP
.BR \-r \0<filename>
Specify the filename from which to read filter rules.
-.SH FILES
.SH SEE ALSO
-ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
+ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index a4f7fc46ea0d..3fba05fe8d4b 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -101,6 +101,10 @@ saved and will abort if it fails an assertion which detects an anomoly in the
recorded data.
.SH FILES
/dev/ipl
+.br
+/dev/ipnat
+.br
+/dev/ipstate
.SH SEE ALSO
-ipf(8), ipfstat(8)
+ipl(4), ipf(8), ipfstat(8), ipnat(8)
.SH BUGS
diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1
index 9b29f4d21278..01b5100ab497 100644
--- a/contrib/ipfilter/man/ipnat.1
+++ b/contrib/ipfilter/man/ipnat.1
@@ -41,5 +41,7 @@ Remove matching NAT rules rather than add them to the internal lists
.B \-v
Turn verbose mode on. Displays information relating to rule processing.
.DT
+.SH FILES
+/dev/ipnat
.SH SEE ALSO
-ipfstat(1), ipftest(8), ipf(8), ipnat(5)
+ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 6af517f23db2..578c7fbd88d0 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -3,8 +3,11 @@
ipnat \- Network Address Translation kernel interface
.SH SYNOPSIS
#include <netinet/ip_compat.h>
+.br
#include <netinet/ip_fil.h>
+.br
#include <netinet/ip_proxy.h>
+.br
#include <netinet/ip_nat.h>
.SH IOCTLS
.PP
@@ -87,5 +90,7 @@ typedef struct natstat {
.SH BUGS
It would be nice if there were more flexibility when adding and deleting
filter rules.
+.SH FILES
+/dev/ipnat
.SH SEE ALSO
-ipfstat(8), ipf(8), ipf(4), ipnat(5)
+ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 783262380b18..576e9c20ce8b 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -1,6 +1,6 @@
.TH IPNAT 5
.SH NAME
-ipnat \- IP NAT file format
+ipnat, ipnat.conf \- IP NAT file format
.SH DESCRIPTION
The format for files accepted by ipnat is described by the following grammar:
.LP
@@ -37,10 +37,10 @@ range of port numbers to remap into given as \fBport-number:port-number\fP.
.SH Examples
.PP
To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0, the following would be used:
+subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
.LP
.nf
-map 10.0.0.0/8 -> 209.1.2.0/24
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
The obvious problem here is we're trying to squeeze over 16,000,000 IP
@@ -48,7 +48,7 @@ addresses into a 254 address space. To increase the scope, remapping for TCP
and/or UDP, port remapping can be used;
.LP
.nf
-map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
.fi
.PP
which falls only 527,566 `addresses' short of the space available in network
@@ -56,15 +56,17 @@ which falls only 527,566 `addresses' short of the space available in network
follows:
.LP
.nf
-map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map 10.0.0.0/8 -> 209.1.2.0/24
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
so that all TCP/UDP packets were port mapped and only other protocols, such as
ICMP, only have their IP# changed.
.SH FILES
+/dev/ipnat
+.br
/etc/services
.br
/etc/hosts
.SH SEE ALSO
-ipnat(1), ipf(5), ipnat(4)
+ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index d6601ba2ebc6..3cda6c19e749 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -27,6 +27,9 @@
# include <sys/kernel.h>
# ifdef DEVFS
# include <sys/devfsext.h>
+# if defined(IPFILTER) && defined(_KERNEL)
+# include "opt_devfs.h"
+# endif
# endif /*DEVFS*/
#endif
#include <sys/conf.h>
@@ -375,7 +378,8 @@ static void ipl_drvinit __P((void *unused))
}
}
-# ifdef IPFILTER_LKM
+# if defined(IPFILTER_LKM) || \
+ defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
# endif /* IPFILTER_LKM */
#endif /* _FreeBSD_version */
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
index 3d70831ff9b4..7f2166ed1994 100644
--- a/contrib/ipfilter/mln_ipl.c
+++ b/contrib/ipfilter/mln_ipl.c
@@ -48,6 +48,9 @@
#include "ip_compat.h"
#include "ip_fil.h"
+#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
+#define vn_lock(v,f) VOP_LOCK(v)
+#endif
#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
#define VOP_LEASE LEASE_CHECK
@@ -179,7 +182,7 @@ static int ipl_remove()
if ((error = namei(&nd)))
return (error);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
- VOP_LOCK(nd.ni_vp);
+ vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
}
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index bbc19257023e..76ee474ac9be 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -35,7 +35,7 @@
#if !defined(lint)
static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -57,7 +57,7 @@ int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *));
int to_interface __P((frdest_t *, char *));
void print_toif __P((char *, frdest_t *));
void optprint __P((u_short, u_short, u_long, u_long));
-int countbits __P((u_long));
+int countbits __P((u_32_t));
char *portname __P((int, int));
@@ -475,12 +475,21 @@ char *line;
/*
* lazy users...
*/
- if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) &&
- (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
- (void)fprintf(stderr,
- "no protocol given for TCP/UDP comparisons\n");
+ if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
+ (void)fprintf(stderr, "TCP protocol not specified\n");
return NULL;
}
+ if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
+ (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
+ if (!fil.fr_proto) {
+ fil.fr_ip.fi_fl |= FI_TCPUDP;
+ fil.fr_mip.fi_fl |= FI_TCPUDP;
+ } else {
+ (void)fprintf(stderr,
+ "port comparisons for non-TCP/UDP\n");
+ return NULL;
+ }
+ }
/*
if ((fil.fr_flags & FR_KEEPFRAG) &&
(!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
@@ -621,7 +630,7 @@ int *resolved;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
- return np->n_net;
+ return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}
@@ -980,7 +989,6 @@ struct frentry *fp;
fp->fr_proto = IPPROTO_ICMP;
if (isdigit(***cp)) {
i = atoi(**cp);
- (*cp)++;
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
@@ -1082,9 +1090,9 @@ struct frentry *fp;
* of bits.
*/
int countbits(ip)
-u_long ip;
+u_32_t ip;
{
- u_long ipn;
+ u_32_t ipn;
int cnt = 0, i, j;
ip = ipn = ntohl(ip);
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
index 47cb941b2fd0..42d27927eb7c 100644
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -48,7 +48,7 @@ pass out quick on lo0 all
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
index 1614e91ccb5d..b966dfb1160f 100644
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -33,7 +33,7 @@ block out log on ed0 all head 250
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index 4179133baa2a..fe2a243744ac 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $";
+#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.4 1998/02/28 02:35:21 darrenr Exp $";
#include <sys/systm.h>
#include <sys/types.h>
@@ -190,15 +190,16 @@ static int ipf_attach(dip, cmd)
dev_info_t *dip;
ddi_attach_cmd_t cmd;
{
+#ifdef IPFDEBUG
int instance;
-#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_ATTACH:
- instance = ddi_get_instance(dip);
#ifdef IPFDEBUG
+ instance = ddi_get_instance(dip);
+
cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance);
#endif
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
@@ -895,7 +896,7 @@ void solattach()
* Activate any rules directly associated with this interface
*/
mutex_enter(&ipf_mutex);
- for (f = ipfilter[0][0]; f; f = f->fr_next) {
+ for (f = ipfilter[0][fr_active]; f; f = f->fr_next) {
if ((f->fr_ifa == (struct ifnet *)-1)) {
len = strlen(f->fr_ifname)+1; /* includes \0 */
if (len && (len == il->ill_name_length) &&
@@ -903,7 +904,7 @@ void solattach()
f->fr_ifa = il;
}
}
- for (f = ipfilter[1][0]; f; f = f->fr_next) {
+ for (f = ipfilter[1][fr_active]; f; f = f->fr_next) {
if ((f->fr_ifa == (struct ifnet *)-1)) {
len = strlen(f->fr_ifname)+1; /* includes \0 */
if (len && (len == il->ill_name_length) &&
@@ -996,10 +997,10 @@ int ipfsync()
np->in_ifp = (struct ifnet *)-1;
mutex_exit(&ipf_nat);
mutex_enter(&ipf_mutex);
- for (f = ipfilter[0][0]; f; f = f->fr_next)
+ for (f = ipfilter[0][fr_active]; f; f = f->fr_next)
if (f->fr_ifa == (void *)qif->qf_ill)
f->fr_ifa = (struct ifnet *)-1;
- for (f = ipfilter[1][0]; f; f = f->fr_next)
+ for (f = ipfilter[1][fr_active]; f; f = f->fr_next)
if (f->fr_ifa == (void *)qif->qf_ill)
f->fr_ifa = (struct ifnet *)-1;
diff --git a/contrib/ipfilter/test/input/11 b/contrib/ipfilter/test/input/11
index b6e2c1d977ad..4eda58eac04e 100644
--- a/contrib/ipfilter/test/input/11
+++ b/contrib/ipfilter/test/input/11
@@ -1,11 +1,11 @@
-in tcp 1.1.1.1,1 2.1.2.2,23 S
-in tcp 1.1.1.1,1 2.1.2.2,23 A
-in tcp 2.1.2.2,23 1.1.1.1,1 A
-in tcp 1.1.1.1,1 2.1.2.2,23 F
-in tcp 1.1.1.1,1 2.1.2.2,23 A
-in tcp 1.1.1.1,2 2.1.2.2,23 A
-in udp 1.1.1.1,1 4.4.4.4,53
-in udp 2.2.2.2,2 4.4.4.4,53
-in udp 4.4.4.4,53 1.1.1.1,1
-in udp 4.4.4.4,1023 1.1.1.1,2049
-in udp 4.4.4.4,2049 1.1.1.1,1023
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
+in on e1 udp 1.1.1.1,1 4.4.4.4,53
+in on e1 udp 2.2.2.2,2 4.4.4.4,53
+in on e0 udp 4.4.4.4,53 1.1.1.1,1
+in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
+in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/contrib/ipfilter/test/regress/10 b/contrib/ipfilter/test/regress/10
index 444737a59b1c..355298308e72 100644
--- a/contrib/ipfilter/test/regress/10
+++ b/contrib/ipfilter/test/regress/10
@@ -1,18 +1,18 @@
-block in from any to any and not ipopts
-pass in from any to any and not opt sec-class topsecret
-block in from any to any and not opt ssrr,sec-class topsecret
-pass in from any to any and not opt ssrr,sec-class topsecret
-block in from any to any and not opt ts,sec-class topsecret
-pass in from any to any and not opt ts,sec-class topsecret
-block in from any to any and not opt sec-class secret
-pass in from any to any and not opt sec-class secret
-block in from any to any and not opt lsrr,ssrr
-pass in from any to any and not opt lsrr,ssrr
-pass in from any to any and not ipopts
-block in from any to any and not opt lsrr
-pass in from any to any and not opt lsrr
-block in from any to any and not opt ssrr,ts
-pass in from any to any and not opt ssrr,ts
-block in from any to any and not opt rr
-pass in from any to any and not opt rr
-block in from any to any and not opt sec-class topsecret
+block in from any to any with not ipopts
+pass in from any to any with not opt sec-class topsecret
+block in from any to any with not opt ssrr,sec-class topsecret
+pass in from any to any with not opt ssrr,sec-class topsecret
+block in from any to any with not opt ts,sec-class topsecret
+pass in from any to any with not opt ts,sec-class topsecret
+block in from any to any with not opt sec-class secret
+pass in from any to any with not opt sec-class secret
+block in from any to any with not opt lsrr,ssrr
+pass in from any to any with not opt lsrr,ssrr
+pass in from any to any with not ipopts
+block in from any to any with not opt lsrr
+pass in from any to any with not opt lsrr
+block in from any to any with not opt ssrr,ts
+pass in from any to any with not opt ssrr,ts
+block in from any to any with not opt rr
+pass in from any to any with not opt rr
+block in from any to any with not opt sec-class topsecret
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index f974adc77ad8..6900056ec560 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -34,3 +34,8 @@ done
* ipfsync() should change IP#'s in current mappings as well as what's
in rules.
+document bimap
+
+document NAT rule order processing
+
+add more docs