1
0
mirror of https://git.FreeBSD.org/src.git synced 2025-01-21 15:45:02 +00:00

Import version 3.2alpha7

This commit is contained in:
Darren Reed 1997-05-25 15:45:04 +00:00
parent 5a1a935563
commit 0eab801c99
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/ipfilter/dist/; revision=26119
65 changed files with 1525 additions and 552 deletions

View File

@ -0,0 +1,18 @@
*** /sys/conf/files.orig Sat May 24 14:05:28 1997
--- /sys/conf/files Sat May 24 14:06:44 1997
***************
*** 217,222 ****
--- 217,228 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter inet
+ netinet/fil.c optional ipfilter inet
+ netinet/ip_nat.c optional ipfilter inet
+ netinet/ip_frag.c optional ipfilter inet
+ netinet/ip_state.c optional ipfilter inet
+ netinet/ip_proxy.c optional ipfilter inet
+ netinet/mlf_ipl.c optional ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_error.c optional ipx

View File

@ -0,0 +1,16 @@
*** files.newconf.orig Sun Jun 25 02:17:29 1995
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,171 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet

View File

@ -1,5 +1,5 @@
*** in_proto.c.orig Wed Apr 2 19:50:00 1997 *** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
--- in_proto.c Wed Apr 2 19:51:21 1997 --- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
*************** ***************
*** 89,94 **** *** 89,94 ****
--- 89,99 ---- --- 89,99 ----

View File

@ -1,5 +1,5 @@
*** ip_input.c.orig Wed Apr 2 19:41:44 1997 *** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
--- /sys/netinet/ip_input.c Wed Apr 2 19:28:53 1997 --- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
*************** ***************
*** 74,79 **** *** 74,79 ****
--- 74,82 ---- --- 74,82 ----
@ -13,7 +13,7 @@
int rsvp_on = 0; int rsvp_on = 0;
static int ip_rsvp_on; static int ip_rsvp_on;
*************** ***************
*** 310,316 **** *** 310,315 ****
--- 313,327 ---- --- 313,327 ----
* - Wrap: fake packet's addr/port <unimpl.> * - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.> * - Encapsulate: put it in another IP and send out. <unimp.>
@ -21,12 +21,12 @@
+ #if defined(IPFILTER_LKM) || defined(IPFILTER) + #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) { + if (fr_checkp) {
+ struct mbuf *m1 = m; + struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) + if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ return; + return;
+ ip = mtod(m = m1, struct ip *); + ip = mtod(m = m1, struct ip *);
+ } + }
+ #endif + #endif
#ifdef COMPAT_IPFW #ifdef COMPAT_IPFW
if (ip_fw_chk_ptr) { if (ip_fw_chk_ptr) {
int action;

View File

@ -1,5 +1,5 @@
*** ip_output.c.orig Wed Apr 2 19:41:48 1997 *** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
--- /sys/netinet/ip_output.c Wed Apr 2 19:38:19 1997 --- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
*************** ***************
*** 67,72 **** *** 67,72 ****
--- 67,76 ---- --- 67,76 ----
@ -31,7 +31,7 @@
static int ip_setmoptions static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *)); __P((int, struct ip_moptions **, struct mbuf *));
*************** ***************
*** 338,344 **** *** 338,343 ****
--- 342,358 ---- --- 342,358 ----
* - Wrap: fake packet's addr/port <unimpl.> * - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.> * - Encapsulate: put it in another IP and send out. <unimp.>
@ -39,17 +39,17 @@
+ #if defined(IPFILTER_LKM) || defined(IPFILTER) + #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) { + if (fr_checkp) {
+ struct mbuf *m1 = m; + struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
+ error = EHOSTUNREACH; + error = EHOSTUNREACH;
+ if (error || !m1) + if (error || !m1)
+ goto done; + goto done;
+ ip = mtod(m = m1, struct ip *); + ip = mtod(m = m1, struct ip *);
+ } + }
+ #endif + #endif
#ifdef COMPAT_IPFW #ifdef COMPAT_IPFW
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) { if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
error = EACCES;
*************** ***************
*** 559,565 **** *** 559,565 ****
* Copy options from ip to jp, * Copy options from ip to jp,
@ -59,7 +59,7 @@
ip_optcopy(ip, jp) ip_optcopy(ip, jp)
struct ip *ip, *jp; struct ip *ip, *jp;
{ {
--- 573,579 ---- --- 574,580 ----
* Copy options from ip to jp, * Copy options from ip to jp,
* omitting those not copied during fragmentation. * omitting those not copied during fragmentation.
*/ */

View File

@ -0,0 +1,61 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
end
echo ""
echo "Copying /usr/include/osreldate.h to /sys/sys"
cp /usr/include/osreldate.h /sys/sys
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch)
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0

View File

@ -0,0 +1,55 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0

View File

@ -6,9 +6,9 @@ if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch" if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf" set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd .. if ( $dir =~ */FreeBSD* ) cd ..
echo "Unpatching ip_input.c, ip_output.c and in_proto.c" echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \ cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R) (cd /sys/netinet; patch -R)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1` set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`

View File

@ -5,6 +5,59 @@
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software. # loan of a machine to work on a Solaris 2.x port of this software.
# #
3.2alpha7 25/5/97 - Released
add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
fix (negative) host matching in filtering.
add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.
make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.
add install make target to Makefile.ipsend
3.2alpha6 8/5/97 - Released
Add "!" (not) to hostname/ip matching.
Automatically add packet info to the fragment cache if it is a fragment
and we're translating addreses for.
Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.
Solaris2 patches - Anthony Baxter (arb@connect.com.au)
change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.
add FIONREAD for Solaris2!
when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.
3.2alpha5
add proxying skeleton support and sample ftp transparent proxy code.
add printfs at startup to tell user what is happening.
add packets & bytes for EXPIRE NAT log records.
fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>
Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
3.2alpha4 2/4/97 - Released 3.2alpha4 2/4/97 - Released
Some compiler warnings cleaned up. Some compiler warnings cleaned up.
@ -656,4 +709,3 @@ added code for ouput filtering as well as input filtering and added support for
1.0 22/04/93 - Released 1.0 22/04/93 - Released
First release cut. First release cut.

View File

@ -1,21 +1,26 @@
To build a kernel for use with the loadable kernel module, follow these To build a kernel for use with the loadable kernel module, follow these
steps: steps:
1. do "make freebsd22" 1. In /sys/i386/conf, create a new kernel config file (to be used
with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
2. do "make install-bsd" 2. build the object files, telling it the name of the kernel to be
used. "freebsd22" MUST be the target, so the command would be
something like this: "make freebsd22 IPFILKERN=FIREWALL"
3. do "make install-bsd"
(probably has to be done as root) (probably has to be done as root)
3. run "FreeBSD-2.2/minstall" as root 4. run "FreeBSD-2.2/minstall" as root
4. build a new kernel 5. build a new kernel
5. install and reboot with the new kernel 6. install and reboot with the new kernel
6. use modload(8) to load the packet filter with: 7. use modload(8) to load the packet filter with:
modload if_ipl.o modload if_ipl.o
7. do "modstat" to confirm that it has been loaded successfully. 8. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev; There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values, - upon loading the module, it will create itself with the correct values,

View File

@ -4,7 +4,7 @@
To build a kernel for use with the loadable kernel module, follow these To build a kernel for use with the loadable kernel module, follow these
steps: steps:
1. do "make bsd" 1. do "make freebsd"
2. do "make install-bsd" 2. do "make install-bsd"
(probably has to be done as root) (probably has to be done as root)
@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev;
To build a kernel with the IP filter, follow these steps: To build a kernel with the IP filter, follow these steps:
1. do "make bsd" 1. do "make freebsd"
2. do "make install-bsd" 2. do "make install-bsd"
(probably has to be done as root) (probably has to be done as root)

View File

@ -1,7 +1,7 @@
To build a kernel for use with the loadable kernel module, follow these To build a kernel for use with the loadable kernel module, follow these
steps: steps:
1. do "make bsd" 1. do "make netbsd"
2. do "make install-bsd" 2. do "make install-bsd"
(probably has to be done as root) (probably has to be done as root)
@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev;
To build a kernel with the IP filter, follow these steps: To build a kernel with the IP filter, follow these steps:
1. do "make bsd" 1. do "make netbsd"
2. do "make install-bsd" 2. do "make install-bsd"
(probably has to be done as root) (probably has to be done as root)

View File

@ -5,13 +5,13 @@
# and is not changed in any way. The author accepts no responsibility # and is not changed in any way. The author accepts no responsibility
# for the use of this software. I hate legaleese, don't you ? # for the use of this software. I hate legaleese, don't you ?
# #
# $Id: Makefile,v 2.0.2.7 1997/04/02 12:23:14 darrenr Exp $ # $Id: Makefile,v 2.0.2.12 1997/05/24 08:13:34 darrenr Exp $
# #
# where to put things. # where to put things.
# #
BINDEST=/usr/local/ip_fil3.1.1/bin BINDEST=/usr/local/bin
SBINDEST=/usr/local/ip_fil3.1.1/sbin SBINDEST=/sbin
MANDIR=/usr/local/ip_fil3.1.1/man MANDIR=/usr/local/man
#To test prototyping #To test prototyping
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror #CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
CC=gcc CC=gcc
@ -65,20 +65,44 @@ tests:
@if [ -d test ]; then (cd test; make) \ @if [ -d test ]; then (cd test; make) \
else echo test directory not present, sorry; fi else echo test directory not present, sorry; fi
sunos solaris: include:
mkdir -p netinet
(cd netinet; /bin/rm -f *; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .)
sunos solaris: include
./buildsunos ./buildsunos
freebsd22 freebsd30: freebsd22 freebsd30: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
@if [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \ -rm -f BSD/$(CPU)/ioconf.h
echo "Can't find ioconf.h"; \ @if [ -n $(IPFILKERN) ] ; then \
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPU); \
elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
echo -n "Can't find ioconf.h in "; \
echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
exit 1;\ exit 1;\
else \
ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
fi fi
rm -f BSD/$(CPU)/ioconf.h make freebsd
ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU)
make bsd
bsd netbsd freebsd freebsd20 freebsd21: netbsd: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
-ln -s ../Makefile BSD/$(CPU)/Makefile
-ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
freebsd freebsd20 freebsd21: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
-ln -s ../Makefile BSD/$(CPU)/Makefile
-ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
bsd: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
-ln -s ../Makefile BSD/$(CPU)/Makefile -ln -s ../Makefile BSD/$(CPU)/Makefile
@ -86,7 +110,7 @@ bsd netbsd freebsd freebsd20 freebsd21:
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..) (cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) (cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
bsdi bsdos: bsdi bsdos: include
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi -if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend -rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
-ln -s ../Makefile BSD/$(CPU)/Makefile -ln -s ../Makefile BSD/$(CPU)/Makefile
@ -138,20 +162,15 @@ sunos5x86 solaris2x86:
(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
install-bsd: bsd install-bsd: bsd
(cd BSD/$(CPU); $(MAKE) "CPU=$(CPU) TOP=../.." install) (cd BSD/$(CPU); make install "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPU); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-sunos4: solaris install-sunos4: solaris
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install) (cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
install-sunos5: solaris install-sunos5: solaris
(cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install) (cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install)
# XXX FIXME: bogus to depend on all!
install: all ip_fil.h
-$(CP) ip_fil.h /usr/include/netinet/ip_fil.h
-$(CHMOD) 444 /usr/include/netinet/ip_fil.h
-$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST)
-$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST)
(cd man; $(MAKE) INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd ..)
rcsget: rcsget:
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \ -@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \ ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \

View File

@ -1,10 +1,10 @@
#! /bin/sh #! /bin/sh
# $Id: buildsunos,v 2.0.2.3 1997/03/30 15:37:34 darrenr Exp $ # $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $
: :
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
cpu=`uname -m` cpu=`uname -m`
if [ $rev = 5 ] ; then if [ $rev = 5 ] ; then
solrev=`uname -r | sed -e 's/^\([0-9]*\)\.\([0-9]*\)$/\2/'` solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
mkdir -p SunOS5/${cpu} mkdir -p SunOS5/${cpu}
/bin/rm -f SunOS5/${cpu}/Makefile /bin/rm -f SunOS5/${cpu}/Makefile
/bin/rm -f SunOS5/${cpu}/Makefile.ipsend /bin/rm -f SunOS5/${cpu}/Makefile.ipsend

View File

@ -7,7 +7,7 @@
*/ */
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $"; static char rcsid[] = "$Id: fil.c,v 2.0.2.13 1997/05/24 07:33:37 darrenr Exp $";
#endif #endif
#include <sys/errno.h> #include <sys/errno.h>
@ -45,11 +45,12 @@ static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
#include <netinet/udp.h> #include <netinet/udp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h>
#include "ip_compat.h" #include "netinet/ip_compat.h"
#include "ip_fil.h" #include "netinet/ip_fil.h"
#include "ip_nat.h" #include "netinet/ip_proxy.h"
#include "ip_frag.h" #include "netinet/ip_nat.h"
#include "ip_state.h" #include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#ifndef MIN #ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b)) #define MIN(a,b) (((a)<(b))?(a):(b))
#endif #endif
@ -70,7 +71,6 @@ extern int opts;
# define IPLLOG(a, c, d, e) ipllog() # define IPLLOG(a, c, d, e) ipllog()
# if SOLARIS # if SOLARIS
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip) # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
# define bcmp memcmp
# else # else
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if) # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
# endif # endif
@ -100,19 +100,12 @@ extern kmutex_t ipf_mutex;
# endif # endif
#endif #endif
#ifndef IPF_LOGGING
#define IPF_LOGGING 0
#endif
#ifdef IPF_DEFAULT_PASS
#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
#else
#define IPF_NOMATCH (FR_PASS|FR_NOMATCH)
#endif
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } }, struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } }; *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
int fr_flags = IPF_LOGGING, fr_active = 0; int fr_flags = IPF_LOGGING, fr_active = 0;
int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
fr_info_t frcache[2]; fr_info_t frcache[2];
@ -417,7 +410,7 @@ void *m;
#endif #endif
{ {
register u_long *ld, *lm, *lip; register u_long *ld, *lm, *lip;
register int i; register int i, j;
lip = (u_long *)fi; lip = (u_long *)fi;
lm = (u_long *)&fr->fr_mip; lm = (u_long *)&fr->fr_mip;
@ -425,10 +418,10 @@ void *m;
i = ((lip[0] & lm[0]) != ld[0]); i = ((lip[0] & lm[0]) != ld[0]);
FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n", FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
lip[0], lm[0], ld[0])); lip[0], lm[0], ld[0]));
i |= ((lip[1] & lm[1]) != ld[1]); i |= ((lip[1] & lm[1]) != ld[1]) << 21;
FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n", FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
lip[1], lm[1], ld[1])); lip[1], lm[1], ld[1]));
i |= ((lip[2] & lm[2]) != ld[2]); i |= ((lip[2] & lm[2]) != ld[2]) << 22;
FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n", FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
lip[2], lm[2], ld[2])); lip[2], lm[2], ld[2]));
i |= ((lip[3] & lm[3]) != ld[3]); i |= ((lip[3] & lm[3]) != ld[3]);
@ -437,6 +430,7 @@ void *m;
i |= ((lip[4] & lm[4]) != ld[4]); i |= ((lip[4] & lm[4]) != ld[4]);
FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n", FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
lip[4], lm[4], ld[4])); lip[4], lm[4], ld[4]));
i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
if (i) if (i)
continue; continue;
} }
@ -557,6 +551,7 @@ int out;
fr_makefrip(hlen, ip, fin); fr_makefrip(hlen, ip, fin);
fin->fin_ifp = ifp; fin->fin_ifp = ifp;
fin->fin_out = out; fin->fin_out = out;
fin->fin_mp = mp;
MUTEX_ENTER(&ipf_mutex); MUTEX_ENTER(&ipf_mutex);
if (!out) { if (!out) {
@ -566,24 +561,8 @@ int out;
frstats[0].fr_acct++; frstats[0].fr_acct++;
} }
if ((pass = ipfr_knownfrag(ip, fin))) { if (!(pass = ipfr_knownfrag(ip, fin)) &&
if ((pass & FR_KEEPSTATE)) { !(pass = fr_checkstate(ip, fin))) {
if (fr_addstate(ip, fin, pass) == -1)
frstats[out].fr_bads++;
else
frstats[out].fr_ads++;
}
} else if ((pass = fr_checkstate(ip, fin))) {
if ((pass & FR_KEEPFRAG)) {
if (fin->fin_fi.fi_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1)
frstats[out].fr_bnfr++;
else
frstats[out].fr_nfr++;
} else
frstats[out].fr_cfr++;
}
} else {
fc = frcache + out; fc = frcache + out;
if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) { if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
/* /*
@ -594,16 +573,16 @@ int out;
frstats[out].fr_chit++; frstats[out].fr_chit++;
pass = fin->fin_fr->fr_flags; pass = fin->fin_fr->fr_flags;
} else { } else {
pass = IPF_NOMATCH; pass = fr_pass;
if ((fin->fin_fr = ipfilter[out][fr_active])) if ((fin->fin_fr = ipfilter[out][fr_active]))
pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m); pass = FR_SCANLIST(fr_pass, ip, fin, m);
bcopy((char *)fin, (char *)fc, FI_CSIZE); bcopy((char *)fin, (char *)fc, FI_CSIZE);
if (pass & FR_NOMATCH) if (pass & FR_NOMATCH)
frstats[out].fr_nom++; frstats[out].fr_nom++;
} }
fr = fin->fin_fr; fr = fin->fin_fr;
if ((pass & FR_KEEPFRAG)) { if (pass & FR_KEEPFRAG) {
if (fin->fin_fi.fi_fl & FI_FRAG) { if (fin->fin_fi.fi_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1) if (ipfr_newfrag(ip, fin, pass) == -1)
frstats[out].fr_bnfr++; frstats[out].fr_bnfr++;
@ -660,6 +639,19 @@ int out;
} }
} }
#endif /* IPFILTER_LOG */ #endif /* IPFILTER_LOG */
#ifdef _KERNEL
/*
* Only allow FR_DUP to work if a rule matched - it makes no sense to
* set FR_DUP as a "default" as there are no instructions about where
* to send the packet.
*/
if (fr && (pass & FR_DUP))
# if SOLARIS
mc = dupmsg(m);
# else
mc = m_copy(m, 0, M_COPYALL);
# endif
#endif
if (pass & FR_PASS) if (pass & FR_PASS)
frstats[out].fr_pass++; frstats[out].fr_pass++;
@ -703,10 +695,16 @@ int out;
#endif #endif
} }
} }
/*
* If we didn't drop off the bottom of the list of rules (and thus
* the 'current' rule fr is not NULL), then we may have some extra
* instructions about what to do with a packet.
* Once we're finished return to our caller, freeing the packet if
* we are dropping it (* BSD ONLY *).
*/
#ifdef _KERNEL #ifdef _KERNEL
# if !SOLARIS # if !SOLARIS
if (pass & FR_DUP)
mc = m_copy(m, 0, M_COPYALL);
if (fr) { if (fr) {
frdest_t *fdp = &fr->fr_tif; frdest_t *fdp = &fr->fr_tif;
@ -722,8 +720,6 @@ int out;
m_freem(m); m_freem(m);
return (pass & FR_PASS) ? 0 : -1; return (pass & FR_PASS) ? 0 : -1;
# else # else
if (pass & FR_DUP)
mc = dupmsg(m);
if (fr) { if (fr) {
frdest_t *fdp = &fr->fr_tif; frdest_t *fdp = &fr->fr_tif;
@ -777,3 +773,126 @@ int len;
return len; return len;
} }
#endif #endif
u_short ipf_cksum(addr, len)
register u_short *addr;
register int len;
{
register u_long sum = 0;
for (sum = 0; len > 1; len -= 2)
sum += *addr++;
/* mop up an odd byte, if necessary */
if (len == 1)
sum += *(u_char *)addr;
/*
* add back carry outs from top 16 bits to low 16 bits
*/
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
return (u_short)(~sum);
}
/*
* NB: This function assumes we've pullup'd enough for all of the IP header
* and the TCP header. We also assume that data blocks aren't allocated in
* odd sizes.
*/
u_short fr_tcpsum(m, ip, tcp)
#if SOLARIS
mblk_t *m;
#else
struct mbuf *m;
#endif
ip_t *ip;
tcphdr_t *tcp;
{
union {
u_char c[2];
u_short s;
} bytes;
u_long sum;
u_short *sp;
int len, add, hlen, ilen;
/*
* Add up IP Header portion
*/
ilen = len = ip->ip_len - (ip->ip_hl << 2);
bytes.c[0] = 0;
bytes.c[1] = IPPROTO_TCP;
sum = bytes.s;
sum += htons((u_short)len);
sp = (u_short *)&ip->ip_src;
sum += *sp++;
sum += *sp++;
sum += *sp++;
sum += *sp++;
if (sp != (u_short *)tcp)
sp = (u_short *)tcp;
sum += *sp++;
sum += *sp++;
sum += *sp++;
sum += *sp++;
sum += *sp++;
sum += *sp++;
sum += *sp++;
sum += *sp;
sp += 2; /* Skip over checksum */
sum += *sp++;
#if SOLARIS
/*
* In case we had to copy the IP & TCP header out of mblks,
* skip over the mblk bits which are the header
*/
if ((caddr_t)ip != (caddr_t)m->b_rptr) {
hlen = (caddr_t)sp - (caddr_t)ip;
while (hlen) {
add = MIN(hlen, m->b_wptr - m->b_rptr);
sp = (u_short *)((caddr_t)m->b_rptr + add);
if ((hlen -= add))
m = m->b_cont;
}
}
#endif
if (!(len -= sizeof(*tcp)))
goto nodata;
while (len > 1) {
sum += *sp++;
len -= 2;
#if SOLARIS
if ((caddr_t)sp > (caddr_t)m->b_wptr) {
m = m->b_cont;
PANIC((!m),("fr_tcpsum: not enough data"));
sp = (u_short *)m->b_rptr;
}
#else
# ifdef m_data
if ((caddr_t)sp > (m->m_data + m->m_len))
# else
if ((caddr_t)sp > (caddr_t)(m->m_dat + m->m_off + m->m_len))
# endif
{
m = m->m_next;
PANIC((!m),("fr_tcpsum: not enough data"));
sp = mtod(m, u_short *);
}
#endif /* SOLARIS */
}
if (len) {
bytes.c[1] = 0;
bytes.c[0] = *(u_char *)sp;
sum += bytes.s;
}
nodata:
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
sum = (u_short)((~sum) & 0xffff);
return sum;
}

View File

@ -30,9 +30,11 @@
#include <netdb.h> #include <netdb.h>
#include <arpa/nameser.h> #include <arpa/nameser.h>
#include <resolv.h> #include <resolv.h>
#include <netinet/tcp.h>
#include "ip_compat.h" #include "ip_compat.h"
#include "ip_fil.h" #include "ip_fil.h"
#include "ipf.h" #include "ipf.h"
#include "ip_proxy.h"
#include "ip_nat.h" #include "ip_nat.h"
#include "ip_frag.h" #include "ip_frag.h"
#include "ip_state.h" #include "ip_state.h"
@ -43,7 +45,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: fils.c,v 2.0.2.7 1997/04/02 12:23:16 darrenr Exp $"; static char rcsid[] = "$Id: fils.c,v 2.0.2.9 1997/05/08 10:11:31 darrenr Exp $";
#endif #endif
#ifdef _PATH_UNIX #ifdef _PATH_UNIX
#define VMUNIX _PATH_UNIX #define VMUNIX _PATH_UNIX
@ -95,7 +97,7 @@ char *argv[];
(void)setuid(getuid()); (void)setuid(getuid());
(void)setgid(getgid()); (void)setgid(getgid());
while ((c = getopt(argc, argv, "afhIiosvd:")) != -1) while ((c = getopt(argc, argv, "afhIinosvd:")) != -1)
{ {
switch (c) switch (c)
{ {
@ -148,9 +150,18 @@ char *argv[];
perror("ioctl(SIOCGETFS)"); perror("ioctl(SIOCGETFS)");
exit(-1); exit(-1);
} }
if ((opts & OPT_IPSTATES) && (ioctl(fd, SIOCGIPST, &ipsst) == -1)) { if ((opts & OPT_IPSTATES)) {
perror("ioctl(SIOCGIPST)"); int sfd = open(IPL_STATE, O_RDONLY);
exit(-1);
if (sfd == -1) {
perror("open");
exit(-1);
}
if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
perror("ioctl(SIOCGIPST)");
exit(-1);
}
close(sfd);
} }
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) { if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
perror("ioctl(SIOCGFRST)"); perror("ioctl(SIOCGFRST)");

View File

@ -55,7 +55,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.3 1997/03/27 13:45:00 darrenr Exp $"; static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.4 1997/05/08 10:11:34 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */ #endif /* LIBC_SCCS and not lint */
#include <sys/param.h> #include <sys/param.h>
@ -179,7 +179,11 @@ inet_aton(cp, addr)
* Ascii internet address interpretation routine. * Ascii internet address interpretation routine.
* The value returned is in network order. * The value returned is in network order.
*/ */
#if defined(SOLARIS2) && (SOLARIS2 > 5)
u_int
#else
u_long u_long
#endif
inet_addr(cp) inet_addr(cp)
register const char *cp; register const char *cp;
{ {

View File

@ -1,15 +1,15 @@
/* /*
* (C)opyright 1993, 1994, 1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* *
* @(#)ip_compat.h 1.8 1/14/96 * @(#)ip_compat.h 1.8 1/14/96
* $Id: ip_compat.h,v 2.0.2.6 1997/04/02 12:23:17 darrenr Exp $ * $Id: ip_compat.h,v 2.0.2.11 1997/05/04 05:29:02 darrenr Exp $
*/ */
#ifndef __IP_COMPAT_H_ #ifndef __IP_COMPAT_H__
#define __IP_COMPAT_H__ #define __IP_COMPAT_H__
#ifndef __P #ifndef __P
@ -24,6 +24,22 @@
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif #endif
#if defined(_KERNEL) && !defined(KERNEL)
#define KERNEL
#endif
#if defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
#if defined(__SVR4) || defined(__svr4__)
#define index strchr
# ifndef _KERNEL
# define bzero(a,b) memset(a,0,b)
# define bcmp memcmp
# define bcopy(a,b,c) memmove(b,a,c)
# endif
#endif
#if SOLARIS #if SOLARIS
# define MTYPE(m) ((m)->b_datap->db_type) # define MTYPE(m) ((m)->b_datap->db_type)
# include <sys/ioccom.h> # include <sys/ioccom.h>
@ -58,8 +74,10 @@
#if BSD > 199306 #if BSD > 199306
# define USE_QUAD_T # define USE_QUAD_T
# define U_QUAD_T u_quad_t # define U_QUAD_T u_quad_t
# define QUAD_T quad_t
#else #else
# define U_QUAD_T u_long # define U_QUAD_T u_long
# define QUAD_T long
#endif #endif
#ifndef MAX #ifndef MAX
@ -167,6 +185,7 @@ extern ill_t *get_unit __P((char *));
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d) # define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
# define SLEEP(id, n) sleep((id), PZERO+1) # define SLEEP(id, n) sleep((id), PZERO+1)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x))) # define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
# define KFREES(x,s) kmem_free((char *)(x), (s))
# if SOLARIS # if SOLARIS
typedef struct qif { typedef struct qif {
struct qif *qf_next; struct qif *qf_next;
@ -219,13 +238,16 @@ extern vm_map_t kmem_map;
# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c)) # define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c))
# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \ # define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
sizeof(*(x))) sizeof(*(x)))
# define KFREES(x,s) kmem_free(kmem_map, (vm_offset_t)(x), (s))
*/ */
# ifdef M_PFIL # ifdef M_PFIL
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) # define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
# define KFREE(x) FREE((x), M_PFIL) # define KFREE(x) FREE((x), M_PFIL)
# define KFREES(x,s) FREE((x), M_PFIL)
# else # else
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT) # define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
# define KFREE(x) FREE((x), M_TEMP) # define KFREE(x) FREE((x), M_TEMP)
# define KFREES(x,s) FREE((x), M_TEMP)
# endif # endif
# define UIOMOVE(a,b,c,d) uiomove(a,b,d) # define UIOMOVE(a,b,c,d) uiomove(a,b,d)
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0) # define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
@ -238,7 +260,9 @@ extern vm_map_t kmem_map;
# define SPLX(x) (void) splx(x) # define SPLX(x) (void) splx(x)
# endif # endif
# endif # endif
# define PANIC(x,y) if (x) panic y
#else #else
# define PANIC(x,y) ;
# define MUTEX_ENTER(x) ; # define MUTEX_ENTER(x) ;
# define MUTEX_EXIT(x) ; # define MUTEX_EXIT(x) ;
# define SPLNET(x) ; # define SPLNET(x) ;
@ -246,6 +270,7 @@ extern vm_map_t kmem_map;
# define SPLX(x) ; # define SPLX(x) ;
# define KMALLOC(a,b,c) (a) = (b)malloc(c) # define KMALLOC(a,b,c) (a) = (b)malloc(c)
# define KFREE(x) free(x) # define KFREE(x) free(x)
# define KFREES(x,s) free(x)
# define GETUNIT(x) get_unit(x) # define GETUNIT(x) get_unit(x)
# define IRCOPY(a,b,c) bcopy((a), (b), (c)) # define IRCOPY(a,b,c) bcopy((a), (b), (c))
# define IWCOPY(a,b,c) bcopy((a), (b), (c)) # define IWCOPY(a,b,c) bcopy((a), (b), (c))
@ -365,6 +390,7 @@ struct ipovly {
# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC) # define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
# define KFREE(x) kfree_s((x), sizeof(*(x))) # define KFREE(x) kfree_s((x), sizeof(*(x)))
# define KFREES(x,s) kfree_s((x), (s))
# define IRCOPY(a,b,c) { \ # define IRCOPY(a,b,c) { \
error = verify_area(VERIFY_READ, \ error = verify_area(VERIFY_READ, \
(b) ,sizeof((b))); \ (b) ,sizeof((b))); \

View File

@ -1,5 +1,5 @@
/* /*
* (C)opyright 1993,1994,1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
@ -7,7 +7,7 @@
*/ */
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $"; static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.12 1997/05/24 07:39:56 darrenr Exp $";
#endif #endif
#ifndef SOLARIS #ifndef SOLARIS
@ -15,7 +15,14 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#endif #endif
#ifdef __FreeBSD__ #ifdef __FreeBSD__
#include <osreldate.h> # if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
# endif
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/osreldate.h>
# else
# include <osreldate.h>
# endif
#endif #endif
#ifndef _KERNEL #ifndef _KERNEL
#include <stdio.h> #include <stdio.h>
@ -25,7 +32,12 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/file.h> #include <sys/file.h>
#include <sys/ioctl.h> #if __FreeBSD_version >= 220000 && defined(_KERNEL)
# include <sys/fcntl.h>
# include <sys/filio.h>
#else
# include <sys/ioctl.h>
#endif
#include <sys/time.h> #include <sys/time.h>
#ifdef _KERNEL #ifdef _KERNEL
#include <sys/systm.h> #include <sys/systm.h>
@ -35,9 +47,6 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#include <sys/dir.h> #include <sys/dir.h>
#include <sys/mbuf.h> #include <sys/mbuf.h>
#else #else
#define bcmp memcmp
#define bzero(a,b) memset(a,0,b)
#define bcopy(a,b,c) memcpy(b,a,c)
#include <sys/filio.h> #include <sys/filio.h>
#endif #endif
#include <sys/protosw.h> #include <sys/protosw.h>
@ -47,6 +56,9 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#ifdef sun #ifdef sun
#include <net/af.h> #include <net/af.h>
#endif #endif
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <net/route.h> #include <net/route.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <netinet/in_var.h> #include <netinet/in_var.h>
@ -57,17 +69,23 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
#include <netinet/udp.h> #include <netinet/udp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h>
#include <syslog.h> #ifndef _KERNEL
#include "ip_compat.h" # include <syslog.h>
#include "ip_fil.h" #endif
#include "ip_frag.h" #include "netinet/ip_compat.h"
#include "ip_nat.h" #include "netinet/ip_fil.h"
#include "ip_state.h" #include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#ifndef MIN #ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b)) #define MIN(a,b) (((a)<(b))?(a):(b))
#endif #endif
#if !SOLARIS && defined(_KERNEL)
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
extern fr_flags, fr_active;
extern struct protosw inetsw[]; extern struct protosw inetsw[];
#if BSD < 199306 #if BSD < 199306
static int (*fr_saveslowtimo) __P((void)); static int (*fr_saveslowtimo) __P((void));
@ -139,6 +157,7 @@ char *s;
int iplattach() int iplattach()
{ {
char *defpass;
int s, i; int s, i;
SPLNET(s); SPLNET(s);
@ -157,11 +176,21 @@ int iplattach()
/* /*
* Set log buffer pointers for each of the log buffers * Set log buffer pointers for each of the log buffers
*/ */
#ifdef IPFILTER_LOG
for (i = 0; i <= 2; i++) { for (i = 0; i <= 2; i++) {
iplh[i] = iplbuf[i]; iplh[i] = iplbuf[i];
iplt[i] = iplbuf[i]; iplt[i] = iplbuf[i];
} }
#endif
SPLX(s); SPLX(s);
if (fr_pass & FR_PASS)
defpass = "pass";
else if (fr_pass & FR_BLOCK)
defpass = "block";
else
defpass = "no-match -> block";
printf("IP Filter: initialized. Default = %s all\n", defpass);
return 0; return 0;
} }
@ -258,7 +287,8 @@ caddr_t data;
* Filter ioctl interface. * Filter ioctl interface.
*/ */
int iplioctl(dev, cmd, data, mode int iplioctl(dev, cmd, data, mode
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) #if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
(__FreeBSD_version >= 220000)) && defined(_KERNEL)
, p) , p)
struct proc *p; struct proc *p;
#else #else
@ -278,10 +308,21 @@ int mode;
#endif #endif
SPLNET(s); SPLNET(s);
if (unit == IPL_LOGNAT) {
error = nat_ioctl(data, cmd, mode);
SPLX(s);
return error;
}
if (unit == IPL_LOGSTATE) {
error = fr_state_ioctl(data, cmd, mode);
SPLX(s);
return error;
}
switch (cmd) { switch (cmd) {
case FIONREAD : case FIONREAD :
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
*(int *)data = iplused[unit]; *(int *)data = iplused[IPL_LOGIPF];
#endif #endif
break; break;
#if !defined(IPFILTER_LKM) && defined(_KERNEL) #if !defined(IPFILTER_LKM) && defined(_KERNEL)
@ -373,24 +414,13 @@ int mode;
else { else {
*(int *)data = iplused[unit]; *(int *)data = iplused[unit];
iplh[unit] = iplt[unit] = iplbuf[unit]; iplh[unit] = iplt[unit] = iplbuf[unit];
iplused[unit] = 0; iplused[unix] = 0;
} }
break; break;
#endif /* IPFILTER_LOG */ #endif /* IPFILTER_LOG */
case SIOCADNAT :
case SIOCRMNAT :
case SIOCGNATS :
case SIOCGNATL :
case SIOCFLNAT :
case SIOCCNATL :
error = nat_ioctl(data, cmd, mode);
break;
case SIOCGFRST : case SIOCGFRST :
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
break; break;
case SIOCGIPST :
IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
break;
default : default :
error = EINVAL; error = EINVAL;
break; break;
@ -508,7 +538,8 @@ caddr_t data;
* routines below for saving IP headers to buffer * routines below for saving IP headers to buffer
*/ */
int iplopen(dev, flags int iplopen(dev, flags
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) #if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
(__FreeBSD_version >= 220000)) && defined(_KERNEL)
, devtype, p) , devtype, p)
int devtype; int devtype;
struct proc *p; struct proc *p;
@ -529,7 +560,8 @@ int flags;
int iplclose(dev, flags int iplclose(dev, flags
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) #if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
(__FreeBSD_version >= 220000)) && defined(_KERNEL)
, devtype, p) , devtype, p)
int devtype; int devtype;
struct proc *p; struct proc *p;
@ -699,6 +731,9 @@ struct tcpiphdr *ti;
struct tcphdr *tcp; struct tcphdr *tcp;
struct mbuf *m; struct mbuf *m;
int tlen = 0; int tlen = 0;
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
struct route ro;
#endif
if (ti->ti_flags & TH_RST) if (ti->ti_flags & TH_RST)
return -1; /* feedback loop */ return -1; /* feedback loop */
@ -710,6 +745,8 @@ struct tcpiphdr *ti;
# endif # endif
if (m == NULL) if (m == NULL)
return -1; return -1;
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
#endif
if (ti->ti_flags & TH_SYN) if (ti->ti_flags & TH_SYN)
tlen = 1; tlen = 1;
@ -743,18 +780,29 @@ struct tcpiphdr *ti;
ip->ip_ttl = ip_defttl; ip->ip_ttl = ip_defttl;
# endif # endif
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
bzero((char *)&ro, sizeof(ro));
(void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
if (ro.ro_rt)
RTFREE(ro.ro_rt);
#else
/* /*
* extra 0 in case of multicast * extra 0 in case of multicast
*/ */
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0); (void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
#endif
return 0; return 0;
} }
# ifndef IPFILTER_LKM # if !defined(IPFILTER_LKM) && !(__FreeBSD_version >= 300000)
# if BSD < 199306 # if BSD < 199306
int iplinit __P((void));
int int
# else # else
void iplinit __P((void));
void void
# endif # endif
iplinit() iplinit()

View File

@ -1,12 +1,12 @@
/* /*
* (C)opyright 1993-1996 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* *
* @(#)ip_fil.h 1.35 6/5/96 * @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.0.2.9 1997/04/02 12:23:20 darrenr Exp $ * $Id: ip_fil.h,v 2.0.2.13 1997/05/24 07:41:55 darrenr Exp $
*/ */
#ifndef __IP_FIL_H__ #ifndef __IP_FIL_H__
@ -97,6 +97,7 @@ typedef struct fr_info {
u_short fin_dlen; u_short fin_dlen;
char *fin_dp; /* start of data past IP header */ char *fin_dp; /* start of data past IP header */
struct frentry *fin_fr; struct frentry *fin_fr;
void *fin_mp;
} fr_info_t; } fr_info_t;
#define FI_CSIZE (sizeof(struct fr_ip) + 11) #define FI_CSIZE (sizeof(struct fr_ip) + 11)
@ -179,16 +180,18 @@ typedef struct frentry {
#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */ #define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
#define FR_DUP 0x20000 /* duplicate packet */ #define FR_DUP 0x20000 /* duplicate packet */
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */ #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
#define FR_NOTSRCIP 0x80000 /* not the src IP# */
#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB) #define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
/* /*
* recognized flags for SIOCGETFF and SIOCSETFF * recognized flags for SIOCGETFF and SIOCSETFF
*/ */
#define FF_LOGPASS 0x100000 #define FF_LOGPASS 0x10000000
#define FF_LOGBLOCK 0x200000 #define FF_LOGBLOCK 0x20000000
#define FF_LOGNOMATCH 0x400000 #define FF_LOGNOMATCH 0x40000000
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH) #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
#define FF_BLOCKNONIP 0x800000 /* Solaris2 Only */ #define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
#define FR_NONE 0 #define FR_NONE 0
#define FR_EQUAL 1 #define FR_EQUAL 1
@ -257,9 +260,9 @@ typedef struct ipl_ci {
u_long flags; u_long flags;
u_char ifname[IFNAMSIZ]; /* = 32 bytes */ u_char ifname[IFNAMSIZ]; /* = 32 bytes */
#else #else
u_long flags:24; u_long flags;
u_long unit:8; u_int unit;
u_char ifname[4]; /* = 20 bytes */ u_char ifname[4]; /* = 24 bytes */
#endif #endif
} ipl_ci_t; } ipl_ci_t;
@ -268,6 +271,13 @@ typedef struct ipl_ci {
#define ICMP_UNREACH_FILTER 13 #define ICMP_UNREACH_FILTER 13
#endif #endif
#ifndef IPF_LOGGING
#define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
#define IPF_DEFAULT_PASS 0
#endif
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define IPLLOGSIZE 8192 #define IPLLOGSIZE 8192
@ -301,7 +311,12 @@ extern int send_reset __P((struct ip *, struct ifnet *));
extern int icmp_error __P((struct ip *, struct ifnet *)); extern int icmp_error __P((struct ip *, struct ifnet *));
extern void ipllog __P((void)); extern void ipllog __P((void));
extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *)); extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *));
#else extern int iplioctl __P((dev_t, int, caddr_t, int));
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
#else /* #ifndef _KERNEL */
extern int iplattach __P((void));
extern int ipldetach __P((void));
# if SOLARIS # if SOLARIS
extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *, extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *,
queue_t *, mblk_t **)); queue_t *, mblk_t **));
@ -309,33 +324,6 @@ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
int, qif_t *, queue_t *, mblk_t *)); int, qif_t *, queue_t *, mblk_t *));
extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *, extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *,
struct in_addr)); struct in_addr));
# else
extern int fr_check __P((struct ip *, int, struct ifnet *, int,
struct mbuf **));
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
struct mbuf **));
extern int send_reset __P((struct tcpiphdr *));
extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
# endif
#endif
extern int fr_copytolog __P((int, char *, int));
extern int ipl_unreach;
extern fr_info_t frcache[];
extern char *iplh[3], *iplt[3];
extern char iplbuf[3][IPLLOGSIZE];
extern int iplused[3];
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct filterstats frstats[];
#ifndef _KERNEL
extern int iplioctl __P((dev_t, int, caddr_t, int));
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
#else
extern int iplattach __P((void));
extern int ipldetach __P((void));
# if SOLARIS
extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *)); extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *));
@ -343,11 +331,21 @@ extern int ipfsync __P((void));
# ifdef IPFILTER_LOG # ifdef IPFILTER_LOG
extern int iplread __P((dev_t, struct uio *, cred_t *)); extern int iplread __P((dev_t, struct uio *, cred_t *));
# endif # endif
# else extern u_short fr_tcpsum __P((mblk_t *, ip_t *, tcphdr_t *));
# else /* SOLARIS */
extern int fr_check __P((struct ip *, int, struct ifnet *, int,
struct mbuf **));
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
struct mbuf **));
extern int send_reset __P((struct tcpiphdr *));
extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
# ifdef IPFILTER_LKM # ifdef IPFILTER_LKM
extern int iplidentify __P((char *)); extern int iplidentify __P((char *));
# endif # endif
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612) extern u_short fr_tcpsum __P((struct mbuf *, ip_t *, tcphdr_t *));
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
(NetBSD >= 199511)
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
extern int iplopen __P((dev_t, int, int, struct proc *)); extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *)); extern int iplclose __P((dev_t, int, int, struct proc *));
@ -366,5 +364,18 @@ extern int iplread __P((dev_t, struct uio *));
# define iplread noread # define iplread noread
# endif /* IPFILTER_LOG */ # endif /* IPFILTER_LOG */
# endif /* SOLARIS */ # endif /* SOLARIS */
#endif /* _KERNEL */ #endif /* #ifndef _KERNEL */
extern u_short ipf_cksum __P((u_short *, int));
extern int fr_copytolog __P((int, char *, int));
extern int ipl_unreach;
extern int ipl_inited;
extern int fr_pass;
extern int fr_flags;
extern int fr_active;
extern fr_info_t frcache[];
extern char *iplh[3], *iplt[3];
extern char iplbuf[3][IPLLOGSIZE];
extern int iplused[3];
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct filterstats frstats[];
#endif /* __IP_FIL_H__ */ #endif /* __IP_FIL_H__ */

View File

@ -7,7 +7,7 @@
*/ */
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp $"; static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.10 1997/05/24 07:36:23 darrenr Exp $";
#endif #endif
#if !defined(_KERNEL) && !defined(KERNEL) #if !defined(_KERNEL) && !defined(KERNEL)
@ -19,8 +19,7 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/file.h> #include <sys/file.h>
#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) #if defined(KERNEL) && (__FreeBSD_version >= 220000)
#include <sys/ioccom.h>
#include <sys/filio.h> #include <sys/filio.h>
#include <sys/fcntl.h> #include <sys/fcntl.h>
#else #else
@ -54,39 +53,36 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp
#include <netinet/udp.h> #include <netinet/udp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h>
#include "ip_compat.h" #include "netinet/ip_compat.h"
#include "ip_fil.h" #include "netinet/ip_fil.h"
#include "ip_frag.h" #include "netinet/ip_proxy.h"
#include "ip_nat.h" #include "netinet/ip_nat.h"
#include "ip_state.h" #include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
ipfr_t *ipfr_heads[IPFT_SIZE]; ipfr_t *ipfr_heads[IPFT_SIZE];
ipfr_t *ipfr_nattab[IPFT_SIZE];
ipfrstat_t ipfr_stats; ipfrstat_t ipfr_stats;
u_long ipfr_inuse = 0, u_long ipfr_inuse = 0,
fr_ipfrttl = 120; /* 60 seconds */ fr_ipfrttl = 120; /* 60 seconds */
#ifdef _KERNEL #ifdef _KERNEL
extern int ipfr_timer_id; extern int ipfr_timer_id;
#endif #endif
#if SOLARIS #if SOLARIS && defined(_KERNEL)
# ifdef _KERNEL
extern kmutex_t ipf_frag; extern kmutex_t ipf_frag;
# else extern kmutex_t ipf_natfrag;
#define bcmp(a,b,c) memcmp(a,b,c) extern kmutex_t ipf_nat;
#define bcopy(a,b,c) memmove(b,a,c)
# endif
#endif #endif
#ifdef __FreeBSD__
# if BSD < 199306 static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **));
int ipfr_slowtimer __P((void)); static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
# else
void ipfr_slowtimer __P((void));
# endif
#endif /* __FreeBSD__ */
ipfrstat_t *ipfr_fragstats() ipfrstat_t *ipfr_fragstats()
{ {
ipfr_stats.ifs_table = ipfr_heads; ipfr_stats.ifs_table = ipfr_heads;
ipfr_stats.ifs_nattab = ipfr_nattab;
ipfr_stats.ifs_inuse = ipfr_inuse; ipfr_stats.ifs_inuse = ipfr_inuse;
return &ipfr_stats; return &ipfr_stats;
} }
@ -96,10 +92,11 @@ ipfrstat_t *ipfr_fragstats()
* add a new entry to the fragment cache, registering it as having come * add a new entry to the fragment cache, registering it as having come
* through this box, with the result of the filter operation. * through this box, with the result of the filter operation.
*/ */
int ipfr_newfrag(ip, fin, pass) static ipfr_t *ipfr_new(ip, fin, pass, table)
ip_t *ip; ip_t *ip;
fr_info_t *fin; fr_info_t *fin;
int pass; int pass;
ipfr_t *table[];
{ {
ipfr_t **fp, *fr, frag; ipfr_t **fp, *fr, frag;
u_int idx; u_int idx;
@ -119,33 +116,77 @@ int pass;
/* /*
* first, make sure it isn't already there... * first, make sure it isn't already there...
*/ */
MUTEX_ENTER(&ipf_frag); for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next)
for (fp = &ipfr_heads[idx]; (fr = *fp); fp = &fr->ipfr_next)
if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
IPFR_CMPSZ)) { IPFR_CMPSZ)) {
ipfr_stats.ifs_exists++; ipfr_stats.ifs_exists++;
MUTEX_EXIT(&ipf_frag); MUTEX_EXIT(&ipf_frag);
return -1; return NULL;
} }
/*
* allocate some memory, if possible, if not, just record that we
* failed to do so.
*/
KMALLOC(fr, ipfr_t *, sizeof(*fr)); KMALLOC(fr, ipfr_t *, sizeof(*fr));
if (fr == NULL) { if (fr == NULL) {
ipfr_stats.ifs_nomem++; ipfr_stats.ifs_nomem++;
MUTEX_EXIT(&ipf_frag); MUTEX_EXIT(&ipf_frag);
return -1; return NULL;
} }
if ((fr->ipfr_next = ipfr_heads[idx]))
ipfr_heads[idx]->ipfr_prev = fr; /*
* Instert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field.
* Set the ttl to the default and mask out logging from "pass"
*/
if ((fr->ipfr_next = table[idx]))
table[idx]->ipfr_prev = fr;
fr->ipfr_prev = NULL; fr->ipfr_prev = NULL;
ipfr_heads[idx] = fr; fr->ipfr_data = NULL;
table[idx] = fr;
bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ); bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
fr->ipfr_ttl = fr_ipfrttl; fr->ipfr_ttl = fr_ipfrttl;
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG); fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
/*
* Compute the offset of the expected start of the next packet.
*/
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3); fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
ipfr_stats.ifs_new++; ipfr_stats.ifs_new++;
ipfr_inuse++; ipfr_inuse++;
return fr;
}
int ipfr_newfrag(ip, fin, pass)
ip_t *ip;
fr_info_t *fin;
int pass;
{
ipfr_t *ipf;
MUTEX_ENTER(&ipf_frag);
ipf = ipfr_new(ip, fin, pass, ipfr_heads);
MUTEX_EXIT(&ipf_frag); MUTEX_EXIT(&ipf_frag);
return 0; return ipf ? 0 : -1;
}
int ipfr_nat_newfrag(ip, fin, pass, nat)
ip_t *ip;
fr_info_t *fin;
int pass;
nat_t *nat;
{
ipfr_t *ipf;
MUTEX_ENTER(&ipf_natfrag);
if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) {
ipf->ipfr_data = nat;
nat->nat_frag = ipf;
}
MUTEX_EXIT(&ipf_natfrag);
return ipf ? 0 : -1;
} }
@ -153,9 +194,10 @@ int pass;
* check the fragment cache to see if there is already a record of this packet * check the fragment cache to see if there is already a record of this packet
* with its filter result known. * with its filter result known.
*/ */
int ipfr_knownfrag(ip, fin) static ipfr_t *ipfr_lookup(ip, fin, table)
ip_t *ip; ip_t *ip;
fr_info_t *fin; fr_info_t *fin;
ipfr_t *table[];
{ {
ipfr_t *f, frag; ipfr_t *f, frag;
u_int idx; u_int idx;
@ -164,6 +206,8 @@ fr_info_t *fin;
/* /*
* For fragments, we record protocol, packet id, TOS and both IP#'s * For fragments, we record protocol, packet id, TOS and both IP#'s
* (these should all be the same for all fragments of a packet). * (these should all be the same for all fragments of a packet).
*
* build up a hash value to index the table with.
*/ */
frag.ipfr_p = ip->ip_p; frag.ipfr_p = ip->ip_p;
idx = ip->ip_p; idx = ip->ip_p;
@ -177,25 +221,26 @@ fr_info_t *fin;
idx *= 127; idx *= 127;
idx %= IPFT_SIZE; idx %= IPFT_SIZE;
MUTEX_ENTER(&ipf_frag); /*
for (f = ipfr_heads[idx]; f; f = f->ipfr_next) * check the table, careful to only compare the right amount of data
*/
for (f = table[idx]; f; f = f->ipfr_next)
if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src, if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
IPFR_CMPSZ)) { IPFR_CMPSZ)) {
u_short atoff, off; u_short atoff, off;
if (f != ipfr_heads[idx]) { if (f != table[idx]) {
/* /*
* move fragment info. to the top of the list * move fragment info. to the top of the list
* to speed up searches. * to speed up searches.
*/ */
if ((f->ipfr_prev->ipfr_next = f->ipfr_next)) if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
f->ipfr_next->ipfr_prev = f->ipfr_prev; f->ipfr_next->ipfr_prev = f->ipfr_prev;
f->ipfr_next = ipfr_heads[idx]; f->ipfr_next = table[idx];
ipfr_heads[idx]->ipfr_prev = f; table[idx]->ipfr_prev = f;
f->ipfr_prev = NULL; f->ipfr_prev = NULL;
ipfr_heads[idx] = f; table[idx] = f;
} }
ret = f->ipfr_pass;
off = ip->ip_off; off = ip->ip_off;
atoff = (off & 0x1fff) - (fin->fin_dlen >> 3); atoff = (off & 0x1fff) - (fin->fin_dlen >> 3);
/* /*
@ -209,11 +254,45 @@ fr_info_t *fin;
f->ipfr_off = off; f->ipfr_off = off;
} }
ipfr_stats.ifs_hits++; ipfr_stats.ifs_hits++;
MUTEX_EXIT(&ipf_frag); return f;
return ret;
} }
return NULL;
}
/*
* functional interface for normal lookups of the fragment cache
*/
nat_t *ipfr_nat_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
nat_t *nat;
ipfr_t *ipf;
MUTEX_ENTER(&ipf_natfrag);
ipf = ipfr_lookup(ip, fin, ipfr_heads);
nat = ipf ? ipf->ipfr_data : NULL;
MUTEX_EXIT(&ipf_natfrag);
return nat;
}
/*
* functional interface for NAT lookups of the NAT fragment cache
*/
int ipfr_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
int ret;
ipfr_t *ipf;
MUTEX_ENTER(&ipf_frag);
ipf = ipfr_lookup(ip, fin, ipfr_heads);
ret = ipf ? ipf->ipfr_pass : 0;
MUTEX_EXIT(&ipf_frag); MUTEX_EXIT(&ipf_frag);
return 0; return ret;
} }
@ -223,20 +302,35 @@ fr_info_t *fin;
void ipfr_unload() void ipfr_unload()
{ {
ipfr_t **fp, *fr; ipfr_t **fp, *fr;
nat_t *nat;
int idx; int idx;
#if !SOLARIS && defined(_KERNEL) #if !SOLARIS && defined(_KERNEL)
int s; int s;
#endif #endif
MUTEX_ENTER(&ipf_frag);
SPLNET(s); SPLNET(s);
MUTEX_ENTER(&ipf_frag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--) for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fp = &ipfr_heads[idx]; (fr = *fp); ) { for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
*fp = fr->ipfr_next; *fp = fr->ipfr_next;
KFREE(fr); KFREE(fr);
} }
SPLX(s);
MUTEX_EXIT(&ipf_frag); MUTEX_EXIT(&ipf_frag);
MUTEX_ENTER(&ipf_nat);
MUTEX_ENTER(&ipf_natfrag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
*fp = fr->ipfr_next;
if ((nat = (nat_t *)fr->ipfr_data)) {
if (nat->nat_frag == fr)
nat->nat_frag = NULL;
}
KFREE(fr);
}
MUTEX_EXIT(&ipf_natfrag);
MUTEX_EXIT(&ipf_nat);
SPLX(s);
} }
@ -252,11 +346,17 @@ int ipfr_slowtimer()
# endif # endif
{ {
ipfr_t **fp, *fr; ipfr_t **fp, *fr;
nat_t *nat;
int s, idx; int s, idx;
MUTEX_ENTER(&ipf_frag); MUTEX_ENTER(&ipf_frag);
SPLNET(s); SPLNET(s);
/*
* Go through the entire table, looking for entries to expire,
* decreasing the ttl by one for each entry. If it reaches 0,
* remove it from the chain and free it.
*/
for (idx = IPFT_SIZE - 1; idx >= 0; idx--) for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fp = &ipfr_heads[idx]; (fr = *fp); ) { for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
--fr->ipfr_ttl; --fr->ipfr_ttl;
@ -274,12 +374,45 @@ int ipfr_slowtimer()
} else } else
fp = &fr->ipfr_next; fp = &fr->ipfr_next;
} }
MUTEX_EXIT(&ipf_frag);
/*
* Same again for the NAT table, except that if the structure also
* still points to a NAT structure, and the NAT structure points back
* at the one to be free'd, NULL the reference from the NAT struct.
* NOTE: We need to grab both mutex's early, and in this order so as
* to prevent a deadlock if both try to expire at the same time.
*/
MUTEX_ENTER(&ipf_nat);
MUTEX_ENTER(&ipf_natfrag);
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
--fr->ipfr_ttl;
if (fr->ipfr_ttl == 0) {
if (fr->ipfr_prev)
fr->ipfr_prev->ipfr_next =
fr->ipfr_next;
if (fr->ipfr_next)
fr->ipfr_next->ipfr_prev =
fr->ipfr_prev;
*fp = fr->ipfr_next;
ipfr_stats.ifs_expire++;
ipfr_inuse--;
if ((nat = (nat_t *)fr->ipfr_data)) {
if (nat->nat_frag == fr)
nat->nat_frag = NULL;
}
KFREE(fr);
} else
fp = &fr->ipfr_next;
}
MUTEX_EXIT(&ipf_natfrag);
MUTEX_EXIT(&ipf_nat);
SPLX(s); SPLX(s);
# if SOLARIS # if SOLARIS
MUTEX_EXIT(&ipf_frag);
fr_timeoutstate(); fr_timeoutstate();
ip_natexpire(); ip_natexpire();
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2); ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
# else # else
fr_timeoutstate(); fr_timeoutstate();
ip_natexpire(); ip_natexpire();

View File

@ -1,21 +1,22 @@
/* /*
* (C)opyright 1993, 1994, 1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* *
* @(#)ip_frag.h 1.5 3/24/96 * @(#)ip_frag.h 1.5 3/24/96
* $Id: ip_frag.h,v 2.0.2.4 1997/03/27 13:45:09 darrenr Exp $ * $Id: ip_frag.h,v 2.0.2.7 1997/05/08 10:10:18 darrenr Exp $
*/ */
#ifndef __IP_FRAG_H_ #ifndef __IP_FRAG_H__
#define __IP_FRAG_H__ #define __IP_FRAG_H__
#define IPFT_SIZE 257 #define IPFT_SIZE 257
typedef struct ipfr { typedef struct ipfr {
struct ipfr *ipfr_next, *ipfr_prev; struct ipfr *ipfr_next, *ipfr_prev;
void *ipfr_data;
struct in_addr ipfr_src; struct in_addr ipfr_src;
struct in_addr ipfr_dst; struct in_addr ipfr_dst;
u_short ipfr_id; u_short ipfr_id;
@ -35,14 +36,18 @@ typedef struct ipfrstat {
u_long ifs_expire; u_long ifs_expire;
u_long ifs_inuse; u_long ifs_inuse;
struct ipfr **ifs_table; struct ipfr **ifs_table;
struct ipfr **ifs_nattab;
} ipfrstat_t; } ipfrstat_t;
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) #define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
extern ipfrstat_t *ipfr_fragstats __P((void)); extern ipfrstat_t *ipfr_fragstats __P((void));
extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int)); extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int));
extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, int, struct nat *));
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
extern int ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern int ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_unload __P((void)); extern void ipfr_unload __P((void));
#if (BSD >= 199306) || SOLARIS #if (BSD >= 199306) || SOLARIS
extern void ipfr_slowtimer __P((void)); extern void ipfr_slowtimer __P((void));
#else #else

View File

@ -9,10 +9,10 @@
*/ */
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $"; static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp $";
#endif #endif
#if defined(__FreeBSD__) && defined(KERNEL) #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL #define _KERNEL
#endif #endif
@ -26,7 +26,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/file.h> #include <sys/file.h>
#include <sys/ioctl.h> #if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fnctl.h>
#else
# include <sys/ioctl.h>
#endif
#include <sys/fcntl.h>
#include <sys/uio.h> #include <sys/uio.h>
#include <sys/protosw.h> #include <sys/protosw.h>
#include <sys/socket.h> #include <sys/socket.h>
@ -36,13 +42,19 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $
#if !defined(__SVR4) && !defined(__svr4__) #if !defined(__SVR4) && !defined(__svr4__)
# include <sys/mbuf.h> # include <sys/mbuf.h>
#else #else
# include <sys/filio.h>
# include <sys/byteorder.h> # include <sys/byteorder.h>
# include <sys/dditypes.h> # include <sys/dditypes.h>
# include <sys/stream.h> # include <sys/stream.h>
# include <sys/kmem.h> # include <sys/kmem.h>
#endif #endif
#if __FreeBSD_version >= 300000
# include <sys/queue.h>
#endif
#include <net/if.h> #include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#ifdef sun #ifdef sun
#include <net/af.h> #include <net/af.h>
#endif #endif
@ -62,36 +74,30 @@ extern struct ifnet vpnif;
#include <netinet/udp.h> #include <netinet/udp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h>
#include "ip_compat.h" #include "netinet/ip_compat.h"
#include "ip_fil.h" #include "netinet/ip_fil.h"
#include "ip_nat.h" #include "netinet/ip_proxy.h"
#include "ip_state.h" #include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#ifndef MIN #ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b)) #define MIN(a,b) (((a)<(b))?(a):(b))
#endif #endif
#undef SOCKADDR_IN
#define SOCKADDR_IN struct sockaddr_in
nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL; nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
ipnat_t *nat_list = NULL; ipnat_t *nat_list = NULL;
u_long nat_inuse = 0, u_long fr_defnatage = 1200;
fr_defnatage = 1200;
natstat_t nat_stats; natstat_t nat_stats;
#if SOLARIS #if SOLARIS && defined(_KERNEL)
# ifndef _KERNEL
#define bzero(a,b) memset(a,0,b)
#define bcmp(a,b,c) memcpy(a,b,c)
#define bcopy(a,b,c) memmove(b,a,c)
# else
extern kmutex_t ipf_nat; extern kmutex_t ipf_nat;
# endif extern kmutex_t ipf_natfrag;
#endif #endif
static int flush_nattable __P((void)), clear_natlist __P((void)); static int flush_nattable __P((void)), clear_natlist __P((void));
static void nattable_sync __P((void)), nat_delete __P((struct nat *));
static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
static void fix_outcksum __P((u_short *, u_long));
static void fix_incksum __P((u_short *, u_long));
static void fix_outcksum(sp, n) void fix_outcksum(sp, n)
u_short *sp; u_short *sp;
u_long n; u_long n;
{ {
@ -112,7 +118,7 @@ u_long n;
} }
static void fix_incksum(sp, n) void fix_incksum(sp, n)
u_short *sp; u_short *sp;
u_long n; u_long n;
{ {
@ -197,6 +203,7 @@ int cmd, mode;
} }
IRCOPY((char *)data, (char *)n, sizeof(*n)); IRCOPY((char *)data, (char *)n, sizeof(*n));
n->in_ifp = (void *)GETUNIT(n->in_ifname); n->in_ifp = (void *)GETUNIT(n->in_ifname);
n->in_apr = ap_match(n->in_p, n->in_plabel);
n->in_next = *np; n->in_next = *np;
n->in_use = 0; n->in_use = 0;
n->in_space = ~(0xffffffff & ntohl(n->in_outmsk)); n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
@ -208,7 +215,7 @@ int cmd, mode;
n->in_nip = ntohl(n->in_outip) + 1; n->in_nip = ntohl(n->in_outip) + 1;
else else
n->in_nip = ntohl(n->in_outip); n->in_nip = ntohl(n->in_outip);
if (n->in_redir == NAT_MAP) { if (n->in_redir & NAT_MAP) {
n->in_pnext = ntohs(n->in_pmin); n->in_pnext = ntohs(n->in_pmin);
/* /*
* Multiply by the number of ports made available. * Multiply by the number of ports made available.
@ -219,6 +226,7 @@ int cmd, mode;
} }
/* Otherwise, these fields are preset */ /* Otherwise, these fields are preset */
*np = n; *np = n;
nat_stats.ns_rules++;
break; break;
case SIOCRMNAT : case SIOCRMNAT :
if (!(mode & FWRITE)) { if (!(mode & FWRITE)) {
@ -230,15 +238,20 @@ int cmd, mode;
break; break;
} }
*np = n->in_next; *np = n->in_next;
if (!n->in_use) {
KFREE(n); if (n->in_apr)
nattable_sync(); ap_free(n->in_apr);
KFREE(n);
nat_stats.ns_rules--;
} else {
n->in_flags |= IPN_DELETE;
n->in_next = NULL;
}
break; break;
case SIOCGNATS : case SIOCGNATS :
nat_stats.ns_table[0] = nat_table[0]; nat_stats.ns_table[0] = nat_table[0];
nat_stats.ns_table[1] = nat_table[1]; nat_stats.ns_table[1] = nat_table[1];
nat_stats.ns_list = nat_list; nat_stats.ns_list = nat_list;
nat_stats.ns_inuse = nat_inuse;
IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats)); IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
break; break;
case SIOCGNATL : case SIOCGNATL :
@ -269,6 +282,11 @@ int cmd, mode;
ret = clear_natlist(); ret = clear_natlist();
IWCOPY((caddr_t)&ret, data, sizeof(ret)); IWCOPY((caddr_t)&ret, data, sizeof(ret));
break; break;
case FIONREAD :
#ifdef IPFILTER_LOG
*(int *)data = iplused[IPL_LOGNAT];
#endif
break;
} }
SPLX(s); SPLX(s);
MUTEX_EXIT(&ipf_nat); MUTEX_EXIT(&ipf_nat);
@ -280,6 +298,7 @@ static void nat_delete(natd)
struct nat *natd; struct nat *natd;
{ {
register struct nat **natp, *nat; register struct nat **natp, *nat;
struct ipnat *ipn;
for (natp = natd->nat_hstart[0]; (nat = *natp); for (natp = natd->nat_hstart[0]; (nat = *natp);
natp = &nat->nat_hnext[0]) natp = &nat->nat_hnext[0])
@ -295,12 +314,21 @@ struct nat *natd;
break; break;
} }
if (natd->nat_ptr) { if ((ipn = natd->nat_ptr)) {
natd->nat_ptr->in_space++; ipn->in_space++;
natd->nat_ptr->in_use--; ipn->in_use--;
if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
if (ipn->in_apr)
ap_free(ipn->in_apr);
KFREE(ipn);
nat_stats.ns_rules--;
}
} }
MUTEX_ENTER(&ipf_natfrag);
if (nat->nat_frag && nat->nat_frag->ipfr_data == nat)
nat->nat_frag->ipfr_data = NULL;
MUTEX_EXIT(&ipf_natfrag);
KFREE(natd); KFREE(natd);
nat_inuse--;
} }
@ -329,44 +357,28 @@ static int flush_nattable()
} }
/*
* I know this is O(N*M), but it can't be avoided.
*/
static void nattable_sync()
{
register nat_t *nat;
register ipnat_t *np;
int i;
for (i = NAT_SIZE - 1; i >= 0; i--)
for (nat = nat_instances; nat; nat = nat->nat_next) {
for (np = nat_list; np; np = np->in_next)
if (nat->nat_ptr == np)
break;
/*
* XXX - is it better to remove this if ? works the
* same if it is just "nat->nat_ptr = np".
*/
if (!np)
nat->nat_ptr = NULL;
}
}
/* /*
* clear_natlist - delete all entries in the active NAT mapping list. * clear_natlist - delete all entries in the active NAT mapping list.
*/ */
static int clear_natlist() static int clear_natlist()
{ {
register ipnat_t *n, **np; register ipnat_t *n, **np = &nat_list;
int i = 0; int i = 0;
for (np = &nat_list; (n = *np); i++) { while ((n = *np)) {
*np = n->in_next; *np = n->in_next;
KFREE(n); if (!n->in_use) {
if (n->in_apr)
ap_free(n->in_apr);
KFREE(n);
nat_stats.ns_rules--;
i++;
} else {
n->in_flags |= IPN_DELETE;
n->in_next = NULL;
}
} }
nat_stats.ns_inuse = 0;
nattable_sync();
return i; return i;
} }
@ -374,7 +386,7 @@ static int clear_natlist()
/* /*
* Create a new NAT table entry. * Create a new NAT table entry.
*/ */
static nat_t *nat_new(np, ip, fin, flags, direction) nat_t *nat_new(np, ip, fin, flags, direction)
ipnat_t *np; ipnat_t *np;
ip_t *ip; ip_t *ip;
fr_info_t *fin; fr_info_t *fin;
@ -426,15 +438,31 @@ int direction;
struct ifaddr *ifa; struct ifaddr *ifa;
struct sockaddr_in *sin; struct sockaddr_in *sin;
ifa = ifp->if_addrlist; # if (__FreeBSD_version >= 300000)
# if BSD < 199306 ifa = TAILQ_FIRST(&ifp->if_addrhead);
sin = (struct sockaddr_in *)&ifa->ifa_addr;
# else # else
sin = (struct sockaddr_in *)ifa->ifa_addr; # ifdef __NetBSD__
ifa = ifp->if_addrlist.tqh_first;
# else
ifa = ifp->if_addrlist;
# endif
# endif
# if BSD < 199306
sin = (SOCKADDR_IN *)&ifa->ifa_addr;
# else
sin = (SOCKADDR_IN *)ifa->ifa_addr;
while (sin && ifa && while (sin && ifa &&
sin->sin_family != AF_INET) { sin->sin_family != AF_INET) {
# if (__FreeBSD_version >= 300000)
ifa = TAILQ_NEXT(ifa, ifa_link);
# else
# ifdef __NetBSD__
ifa = ifa->ifa_list.tqe_next;
# else
ifa = ifa->ifa_next; ifa = ifa->ifa_next;
sin = (struct sockaddr_in *)ifa->ifa_addr; # endif
# endif
sin = (SOCKADDR_IN *)ifa->ifa_addr;
} }
if (!ifa) if (!ifa)
sin = NULL; sin = NULL;
@ -465,7 +493,8 @@ int direction;
if ((np->in_nip & ntohl(np->in_outmsk)) > if ((np->in_nip & ntohl(np->in_outmsk)) >
ntohl(np->in_outip)) ntohl(np->in_outip))
np->in_nip = ntohl(np->in_outip) + 1; np->in_nip = ntohl(np->in_outip) + 1;
} while (nat_inlookup(flags, ip->ip_dst, dport, in, port)); } while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst,
dport, in, port));
/* Setup the NAT table */ /* Setup the NAT table */
nat->nat_inip = ip->ip_src; nat->nat_inip = ip->ip_src;
@ -562,7 +591,10 @@ int direction;
nat->nat_hnext[1] = *natp; nat->nat_hnext[1] = *natp;
*natp = nat; *natp = nat;
nat->nat_ptr = np; nat->nat_ptr = np;
np->in_use++; nat->nat_bytes = 0;
nat->nat_pkts = 0;
nat->nat_ifp = fin->fin_ifp;
nat->nat_dir = direction;
if (direction == NAT_OUTBOUND) { if (direction == NAT_OUTBOUND) {
if (flags & IPN_TCPUDP) if (flags & IPN_TCPUDP)
tcp->th_sport = htons(port); tcp->th_sport = htons(port);
@ -571,7 +603,8 @@ int direction;
tcp->th_dport = htons(nport); tcp->th_dport = htons(nport);
} }
nat_stats.ns_added++; nat_stats.ns_added++;
nat_inuse++; nat_stats.ns_inuse++;
np->in_use++;
return nat; return nat;
} }
@ -586,7 +619,8 @@ int direction;
* we're looking for a table entry, based on the destination address. * we're looking for a table entry, based on the destination address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/ */
nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport) nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport)
void *ifp;
register int flags; register int flags;
struct in_addr src , mapdst; struct in_addr src , mapdst;
u_short sport, mapdport; u_short sport, mapdport;
@ -597,7 +631,8 @@ u_short sport, mapdport;
nat = nat_table[1][mapdst.s_addr % NAT_SIZE]; nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
for (; nat; nat = nat->nat_hnext[1]) for (; nat; nat = nat->nat_hnext[1])
if (nat->nat_oip.s_addr == src.s_addr && if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_oip.s_addr == src.s_addr &&
nat->nat_outip.s_addr == mapdst.s_addr && nat->nat_outip.s_addr == mapdst.s_addr &&
flags == nat->nat_flags && (!flags || flags == nat->nat_flags && (!flags ||
(nat->nat_oport == sport && (nat->nat_oport == sport &&
@ -613,7 +648,8 @@ u_short sport, mapdport;
* we're looking for a table entry, based on the source address. * we're looking for a table entry, based on the source address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/ */
nat_t *nat_outlookup(flags, src, sport, dst, dport) nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport)
void *ifp;
register int flags; register int flags;
struct in_addr src , dst; struct in_addr src , dst;
u_short sport, dport; u_short sport, dport;
@ -624,7 +660,8 @@ u_short sport, dport;
nat = nat_table[0][src.s_addr % NAT_SIZE]; nat = nat_table[0][src.s_addr % NAT_SIZE];
for (; nat; nat = nat->nat_hnext[0]) for (; nat; nat = nat->nat_hnext[0])
if (nat->nat_inip.s_addr == src.s_addr && if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_inip.s_addr == src.s_addr &&
nat->nat_oip.s_addr == dst.s_addr && nat->nat_oip.s_addr == dst.s_addr &&
flags == nat->nat_flags && (!flags || flags == nat->nat_flags && (!flags ||
(nat->nat_inport == sport && nat->nat_oport == dport))) (nat->nat_inport == sport && nat->nat_oport == dport)))
@ -638,7 +675,8 @@ u_short sport, dport;
* real destination address/port. We use this lookup when sending a packet * real destination address/port. We use this lookup when sending a packet
* out, we're looking for a table entry, based on the source address. * out, we're looking for a table entry, based on the source address.
*/ */
nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport) nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport)
void *ifp;
register int flags; register int flags;
struct in_addr mapsrc , dst; struct in_addr mapsrc , dst;
u_short mapsport, dport; u_short mapsport, dport;
@ -649,8 +687,9 @@ u_short mapsport, dport;
nat = nat_table[1][mapsrc.s_addr % NAT_SIZE]; nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
for (; nat; nat = nat->nat_hnext[0]) for (; nat; nat = nat->nat_hnext[0])
if (nat->nat_outip.s_addr == mapsrc.s_addr && if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_oip.s_addr == dst.s_addr && nat->nat_oip.s_addr == dst.s_addr &&
nat->nat_outip.s_addr == mapsrc.s_addr &&
flags == nat->nat_flags && (!flags || flags == nat->nat_flags && (!flags ||
(nat->nat_outport == mapsport && (nat->nat_outport == mapsport &&
nat->nat_oport == dport))) nat->nat_oport == dport)))
@ -671,7 +710,7 @@ register natlookup_t *np;
* If nl_inip is non null, this is a lookup based on the real * If nl_inip is non null, this is a lookup based on the real
* ip address. Else, we use the fake. * ip address. Else, we use the fake.
*/ */
if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport, if ((nat = nat_outlookup(NULL, IPN_TCPUDP, np->nl_inip, np->nl_inport,
np->nl_outip, np->nl_outport))) { np->nl_outip, np->nl_outport))) {
np->nl_inip = nat->nat_outip; np->nl_inip = nat->nat_outip;
np->nl_inport = nat->nat_outport; np->nl_inport = nat->nat_outport;
@ -718,43 +757,56 @@ fr_info_t *fin;
ipa = ip->ip_src.s_addr; ipa = ip->ip_src.s_addr;
MUTEX_ENTER(&ipf_nat); MUTEX_ENTER(&ipf_nat);
for (np = nat_list; np; np = np->in_next) if ((nat = ipfr_nat_knownfrag(ip, fin)))
if ((np->in_ifp == ifp) && np->in_space && ;
(!np->in_flags || (np->in_flags & nflags)) && else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
((ipa & np->in_inmsk) == np->in_inip) && ip->ip_dst, dport)))
((np->in_redir == NAT_MAP) || np = nat->nat_ptr;
(np->in_pnext == sport))) { else
/* /*
* If there is no current entry in the nat table for * If there is no current entry in the nat table for this IP#,
* this IP#, create one for it. * create one for it (if there is a matching rule).
*/ */
if (!(nat = nat_outlookup(nflags, ip->ip_src, sport, for (np = nat_list; np; np = np->in_next)
ip->ip_dst, dport))) { if ((np->in_ifp == ifp) && np->in_space &&
(!np->in_flags || (np->in_flags & nflags)) &&
((ipa & np->in_inmsk) == np->in_inip) &&
((np->in_redir & NAT_MAP) ||
(np->in_pnext == sport))) {
if (*np->in_plabel && !ap_ok(ip, tcp, np))
continue;
/* /*
* If it's a redirection, then we don't want * If it's a redirection, then we don't want to
* to create new outgoing port stuff. * create new outgoing port stuff.
* Redirections are only for incoming * Redirections are only for incoming
* connections. * connections.
*/ */
if (np->in_redir == NAT_REDIRECT) if (!(np->in_redir & NAT_MAP))
continue; continue;
if (!(nat = nat_new(np, ip, fin, nflags, if ((nat = nat_new(np, ip, fin, nflags,
NAT_OUTBOUND))) NAT_OUTBOUND)))
break;
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
nat_log(nat, (u_short)np->in_redir); nat_log(nat, (u_short)np->in_redir);
#else
;
#endif #endif
break;
} }
ip->ip_src = nat->nat_outip;
nat->nat_age = fr_defnatage; /* 5 mins */ if (nat) {
if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
ipfr_nat_newfrag(ip, fin, 0, nat);
nat->nat_age = fr_defnatage;
ip->ip_src = nat->nat_outip;
nat->nat_bytes += ip->ip_len;
nat->nat_pkts++;
/* /*
* Fix up checksums, not by recalculating them, but * Fix up checksums, not by recalculating them, but
* simply computing adjustments. * simply computing adjustments.
*/ */
#if SOLARIS #if SOLARIS
if (np->in_redir == NAT_MAP) if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
else else
fix_incksum(&ip->ip_sum, nat->nat_ipsumd); fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
@ -770,6 +822,14 @@ fr_info_t *fin;
csump = &tcp->th_sum; csump = &tcp->th_sum;
fr_tcp_age(&nat->nat_age, fr_tcp_age(&nat->nat_age,
nat->nat_state, ip, fin,1); nat->nat_state, ip, fin,1);
/*
* Increase this because we may have
* "keep state" following this too and
* packet storms can occur if this is
* removed too quickly.
*/
if (nat->nat_age == fr_tcpclosed)
nat->nat_age = fr_tcplastack;
} else if (ip->ip_p == IPPROTO_UDP) { } else if (ip->ip_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp; udphdr_t *udp = (udphdr_t *)tcp;
@ -781,7 +841,7 @@ fr_info_t *fin;
csump = &ic->icmp_cksum; csump = &ic->icmp_cksum;
} }
if (csump) { if (csump) {
if (np->in_redir == NAT_MAP) if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump, fix_outcksum(csump,
nat->nat_sumd); nat->nat_sumd);
else else
@ -789,6 +849,7 @@ fr_info_t *fin;
nat->nat_sumd); nat->nat_sumd);
} }
} }
(void) ap_check(ip, tcp, fin, nat);
nat_stats.ns_mapped[1]++; nat_stats.ns_mapped[1]++;
MUTEX_EXIT(&ipf_nat); MUTEX_EXIT(&ipf_nat);
return 1; return 1;
@ -829,38 +890,55 @@ fr_info_t *fin;
in = ip->ip_dst; in = ip->ip_dst;
MUTEX_ENTER(&ipf_nat); MUTEX_ENTER(&ipf_nat);
for (np = nat_list; np; np = np->in_next)
if ((np->in_ifp == ifp) && if ((nat = ipfr_nat_knownfrag(ip, fin)))
(!np->in_flags || (nflags & np->in_flags)) && ;
((in.s_addr & np->in_outmsk) == np->in_outip) && else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
(np->in_redir == NAT_MAP || np->in_pmin == dport)) { ip->ip_dst, dport)))
if (!(nat = nat_inlookup(nflags, ip->ip_src, sport, np = nat->nat_ptr;
ip->ip_dst, dport))) { else
/*
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
*/
for (np = nat_list; np; np = np->in_next)
if ((np->in_ifp == ifp) &&
(!np->in_flags || (nflags & np->in_flags)) &&
((in.s_addr & np->in_outmsk) == np->in_outip) &&
(np->in_redir & NAT_REDIRECT ||
np->in_pmin == dport)) {
/* /*
* If this rule (np) is a redirection, rather * If this rule (np) is a redirection, rather
* than a mapping, then do a nat_new. * than a mapping, then do a nat_new.
* Otherwise, if it's just a mapping, do a * Otherwise, if it's just a mapping, do a
* continue; * continue;
*/ */
if (np->in_redir == NAT_MAP) if (!(np->in_redir & NAT_REDIRECT))
continue; continue;
if (!(nat = nat_new(np, ip, fin, nflags, if ((nat = nat_new(np, ip, fin, nflags,
NAT_INBOUND))) NAT_INBOUND)))
break;
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
nat_log(nat, (u_short)np->in_redir); nat_log(nat, (u_short)np->in_redir);
#else
;
#endif #endif
break;
} }
ip->ip_dst = nat->nat_inip; if (nat) {
if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
ipfr_nat_newfrag(ip, fin, 0, nat);
(void) ap_check(ip, tcp, fin, nat);
nat->nat_age = fr_defnatage; nat->nat_age = fr_defnatage;
ip->ip_dst = nat->nat_inip;
nat->nat_bytes += ip->ip_len;
nat->nat_pkts++;
/* /*
* Fix up checksums, not by recalculating them, but * Fix up checksums, not by recalculating them, but
* simply computing adjustments. * simply computing adjustments.
*/ */
#if SOLARIS #if SOLARIS
if (np->in_redir == NAT_MAP) if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(&ip->ip_sum, nat->nat_ipsumd); fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
else else
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
@ -875,6 +953,14 @@ fr_info_t *fin;
csump = &tcp->th_sum; csump = &tcp->th_sum;
fr_tcp_age(&nat->nat_age, fr_tcp_age(&nat->nat_age,
nat->nat_state, ip, fin,0); nat->nat_state, ip, fin,0);
/*
* Increase this because we may have
* "keep state" following this too and
* packet storms can occur if this is
* removed too quickly.
*/
if (nat->nat_age == fr_tcpclosed)
nat->nat_age = fr_tcplastack;
} else if (ip->ip_p == IPPROTO_UDP) { } else if (ip->ip_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp; udphdr_t *udp = (udphdr_t *)tcp;
@ -886,7 +972,7 @@ fr_info_t *fin;
csump = &ic->icmp_cksum; csump = &ic->icmp_cksum;
} }
if (csump) { if (csump) {
if (np->in_redir == NAT_MAP) if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(csump, fix_incksum(csump,
nat->nat_sumd); nat->nat_sumd);
else else
@ -914,6 +1000,7 @@ void ip_natunload()
SPLNET(s); SPLNET(s);
(void) clear_natlist(); (void) clear_natlist();
(void) flush_nattable(); (void) flush_nattable();
(void) ap_unload();
SPLX(s) SPLX(s)
MUTEX_EXIT(&ipf_nat); MUTEX_EXIT(&ipf_nat);
} }
@ -970,12 +1057,14 @@ u_short type;
# if BSD >= 199306 || defined(__FreeBSD__) # if BSD >= 199306 || defined(__FreeBSD__)
microtime((struct timeval *)&natl); microtime((struct timeval *)&natl);
# endif # endif
natl.nl_origport = nat->nat_oport;
natl.nl_outport = nat->nat_outport;
natl.nl_inport = nat->nat_inport;
natl.nl_origip = nat->nat_oip;
natl.nl_outip = nat->nat_outip;
natl.nl_inip = nat->nat_inip; natl.nl_inip = nat->nat_inip;
natl.nl_outip = nat->nat_outip;
natl.nl_origip = nat->nat_oip;
natl.nl_bytes = nat->nat_bytes;
natl.nl_pkts = nat->nat_pkts;
natl.nl_origport = nat->nat_oport;
natl.nl_inport = nat->nat_inport;
natl.nl_outport = nat->nat_outport;
natl.nl_type = type; natl.nl_type = type;
natl.nl_rule = -1; natl.nl_rule = -1;
if (nat->nat_ptr) { if (nat->nat_ptr) {

View File

@ -1,17 +1,21 @@
/* /*
* (C)opyright 1995 by Darren Reed. * (C)opyright 1995-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* *
* @(#)ip_nat.h 1.5 2/4/96 * @(#)ip_nat.h 1.5 2/4/96
* $Id: ip_nat.h,v 2.0.2.6 1997/03/31 10:05:30 darrenr Exp $ * $Id: ip_nat.h,v 2.0.2.12 1997/05/24 07:35:20 darrenr Exp $
*/ */
#ifndef __IP_NAT_H_ #ifndef __IP_NAT_H__
#define __IP_NAT_H__ #define __IP_NAT_H__
#ifndef __IP_PROXY_H__
#include "netinet/ip_proxy.h"
#endif
#ifndef SOLARIS #ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif #endif
@ -44,9 +48,12 @@ typedef struct nat {
int nat_flags; int nat_flags;
u_long nat_sumd; u_long nat_sumd;
u_long nat_ipsumd; u_long nat_ipsumd;
struct ipfr *nat_frag;
struct in_addr nat_inip; struct in_addr nat_inip;
struct in_addr nat_outip; struct in_addr nat_outip;
struct in_addr nat_oip; /* other ip */ struct in_addr nat_oip; /* other ip */
U_QUAD_T nat_pkts;
U_QUAD_T nat_bytes;
u_short nat_oport; /* other port */ u_short nat_oport; /* other port */
u_short nat_inport; u_short nat_inport;
u_short nat_outport; u_short nat_outport;
@ -56,6 +63,8 @@ typedef struct nat {
struct nat *nat_next; struct nat *nat_next;
struct nat *nat_hnext[2]; struct nat *nat_hnext[2];
struct nat **nat_hstart[2]; struct nat **nat_hstart[2];
void *nat_ifp;
int nat_dir;
} nat_t; } nat_t;
typedef struct ipnat { typedef struct ipnat {
@ -69,8 +78,12 @@ typedef struct ipnat {
u_short in_port[2]; u_short in_port[2];
struct in_addr in_in[2]; struct in_addr in_in[2];
struct in_addr in_out[2]; struct in_addr in_out[2];
struct aproxy *in_apr;
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */ int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
char in_ifname[IFNAMSIZ]; char in_ifname[IFNAMSIZ];
char in_plabel[APR_LABELLEN]; /* proxy label */
char in_p; /* protocol */
u_short in_dport;
} ipnat_t; } ipnat_t;
#define in_pmin in_port[0] /* Also holds static redir port */ #define in_pmin in_port[0] /* Also holds static redir port */
@ -81,11 +94,12 @@ typedef struct ipnat {
#define in_outip in_out[0].s_addr #define in_outip in_out[0].s_addr
#define in_outmsk in_out[1].s_addr #define in_outmsk in_out[1].s_addr
#define NAT_INBOUND 0 #define NAT_OUTBOUND 0
#define NAT_OUTBOUND 1 #define NAT_INBOUND 1
#define NAT_MAP 0 #define NAT_MAP 0x01
#define NAT_REDIRECT 1 #define NAT_REDIRECT 0x02
#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \ #define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \
sizeof(int)) sizeof(int))
@ -99,6 +113,7 @@ typedef struct natlookup {
typedef struct natstat { typedef struct natstat {
u_long ns_mapped[2]; u_long ns_mapped[2];
u_long ns_rules;
u_long ns_added; u_long ns_added;
u_long ns_expire; u_long ns_expire;
u_long ns_inuse; u_long ns_inuse;
@ -108,10 +123,11 @@ typedef struct natstat {
ipnat_t *ns_list; ipnat_t *ns_list;
} natstat_t; } natstat_t;
#define IPN_ANY 0 #define IPN_ANY 0x00
#define IPN_TCP 1 #define IPN_TCP 0x01
#define IPN_UDP 2 #define IPN_UDP 0x02
#define IPN_TCPUDP 3 #define IPN_TCPUDP 0x03
#define IPN_DELETE 0x04
typedef struct natlog { typedef struct natlog {
@ -124,6 +140,8 @@ typedef struct natlog {
u_short nl_inport; u_short nl_inport;
u_short nl_type; u_short nl_type;
int nl_rule; int nl_rule;
U_QUAD_T nl_pkts;
U_QUAD_T nl_bytes;
} natlog_t; } natlog_t;
@ -132,18 +150,22 @@ typedef struct natlog {
#define NL_EXPIRE 0xffff #define NL_EXPIRE 0xffff
extern u_long fr_defnatage;
extern nat_t *nat_table[2][NAT_SIZE]; extern nat_t *nat_table[2][NAT_SIZE];
extern int nat_ioctl __P((caddr_t, int, int)); extern int nat_ioctl __P((caddr_t, int, int));
extern nat_t *nat_outlookup __P((int, struct in_addr, u_short, extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
extern nat_t *nat_outlookup __P((void *, int, struct in_addr, u_short,
struct in_addr, u_short)); struct in_addr, u_short));
extern nat_t *nat_inlookup __P((int, struct in_addr, u_short, extern nat_t *nat_inlookup __P((void *, int, struct in_addr, u_short,
struct in_addr, u_short)); struct in_addr, u_short));
extern nat_t *nat_lookupredir __P((natlookup_t *)); extern nat_t *nat_lookupredir __P((natlookup_t *));
extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short, extern nat_t *nat_lookupmapip __P((void *, int, struct in_addr, u_short,
struct in_addr, u_short)); struct in_addr, u_short));
extern int ip_natout __P((ip_t *, int, fr_info_t *)); extern int ip_natout __P((ip_t *, int, fr_info_t *));
extern int ip_natin __P((ip_t *, int, fr_info_t *)); extern int ip_natin __P((ip_t *, int, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void ip_natunload __P((void)), ip_natexpire __P((void));
extern void nat_log __P((struct nat *, u_short)); extern void nat_log __P((struct nat *, u_short));
extern void fix_incksum __P((u_short *, u_long));
extern void fix_outcksum __P((u_short *, u_long));
#endif /* __IP_NAT_H__ */ #endif /* __IP_NAT_H__ */

View File

@ -9,7 +9,7 @@
*/ */
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp $"; static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.8 1997/05/24 07:42:56 darrenr Exp $";
#endif #endif
#include <sys/types.h> #include <sys/types.h>
@ -18,6 +18,7 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp
#include <sys/cpuvar.h> #include <sys/cpuvar.h>
#include <sys/open.h> #include <sys/open.h>
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <sys/filio.h>
#include <sys/systm.h> #include <sys/systm.h>
#include <sys/cred.h> #include <sys/cred.h>
#include <sys/ddi.h> #include <sys/ddi.h>
@ -43,8 +44,8 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp
#include "ip_compat.h" #include "ip_compat.h"
#include "ip_fil.h" #include "ip_fil.h"
#include "ip_state.h" #include "ip_state.h"
#include "ip_frag.h"
#include "ip_nat.h" #include "ip_nat.h"
#include "ip_frag.h"
#include <inet/ip_ire.h> #include <inet/ip_ire.h>
#ifndef MIN #ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b)) #define MIN(a,b) (((a)<(b))?(a):(b))
@ -63,11 +64,11 @@ int ipllog __P((u_int, int, ip_t *, fr_info_t *, mblk_t *));
static void frflush __P((caddr_t)); static void frflush __P((caddr_t));
char iplbuf[3][IPLLOGSIZE]; char iplbuf[3][IPLLOGSIZE];
caddr_t iplh[3], iplt[3]; caddr_t iplh[3], iplt[3];
static int iplused[3] = {0, 0, 0}; int iplused[3] = {0, 0, 0};
#endif /* IPFILTER_LOG */ #endif /* IPFILTER_LOG */
static int frrequest __P((int, caddr_t, int)); static int frrequest __P((int, caddr_t, int));
kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex; kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
kmutex_t ipf_frag, ipf_state, ipf_nat; kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag;
kcondvar_t iplwait; kcondvar_t iplwait;
@ -86,6 +87,7 @@ int ipldetach()
mutex_destroy(&ipfs_mutex); mutex_destroy(&ipfs_mutex);
mutex_destroy(&ipf_frag); mutex_destroy(&ipf_frag);
mutex_destroy(&ipf_state); mutex_destroy(&ipf_state);
mutex_destroy(&ipf_natfrag);
mutex_destroy(&ipf_nat); mutex_destroy(&ipf_nat);
return 0; return 0;
} }
@ -107,8 +109,9 @@ int iplattach __P((void))
mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", MUTEX_DRIVER, NULL);
cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL); cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2); ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
return 0; return 0;
} }
@ -190,6 +193,17 @@ int *rp;
int error = 0, unit; int error = 0, unit;
unit = getminor(dev); unit = getminor(dev);
if ((2 < unit) || (unit < 0))
return ENXIO;
if (unit == IPL_LOGNAT) {
error = nat_ioctl((caddr_t)data, cmd, mode);
return error;
}
if (unit == IPL_LOGSTATE) {
error = fr_state_ioctl((caddr_t)data, cmd, mode);
return error;
}
switch (cmd) { switch (cmd) {
case SIOCFRENB : case SIOCFRENB :
@ -304,6 +318,11 @@ int *rp;
IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data, IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data,
sizeof(ips_stat_t)); sizeof(ips_stat_t));
break; break;
case FIONREAD :
#ifdef IPFILTER_LOG
*(int *)data = iplused[IPL_LOGIPF];
#endif
break;
default : default :
error = EINVAL; error = EINVAL;
break; break;
@ -365,7 +384,11 @@ caddr_t data;
if (!ill) if (!ill)
ire = (ire_t *)-1; ire = (ire_t *)-1;
else if ((ipif = ill->ill_ipif)) { else if ((ipif = ill->ill_ipif)) {
#if SOLARIS2 > 5
ire = ipif_to_ire(ipif);
#else
ire = ire_lookup_myaddr(ipif->ipif_local_addr); ire = ire_lookup_myaddr(ipif->ipif_local_addr);
#endif
if (!ire) if (!ire)
ire = (ire_t *)-1; ire = (ire_t *)-1;
else else
@ -380,7 +403,11 @@ caddr_t data;
if (!ill) if (!ill)
ire = (ire_t *)-1; ire = (ire_t *)-1;
else if ((ipif = ill->ill_ipif)) { else if ((ipif = ill->ill_ipif)) {
#if SOLARIS2 > 5
ire = ipif_to_ire(ipif);
#else
ire = ire_lookup_myaddr(ipif->ipif_local_addr); ire = ire_lookup_myaddr(ipif->ipif_local_addr);
#endif
if (!ire) if (!ire)
ire = (ire_t *)-1; ire = (ire_t *)-1;
} }
@ -629,27 +656,6 @@ mblk_t *m;
#endif /* IPFILTER_LOG */ #endif /* IPFILTER_LOG */
u_short ipf_cksum(addr, len)
register u_short *addr;
register int len;
{
register u_long sum = 0;
for (sum = 0; len > 1; len -= 2)
sum += *addr++;
/* mop up an odd byte, if necessary */
if (len == 1)
sum += *(u_char *)addr;
/*
* add back carry outs from top 16 bits to low 16 bits
*/
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
return (u_short)(~sum);
}
/* /*
* send_reset - this could conceivably be a call to tcp_respond(), but that * send_reset - this could conceivably be a call to tcp_respond(), but that
* requires a large amount of setting up and isn't any more efficient. * requires a large amount of setting up and isn't any more efficient.

View File

@ -7,7 +7,7 @@
*/ */
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp $"; static char rcsid[] = "$Id: ip_state.c,v 2.0.2.12 1997/05/24 07:34:10 darrenr Exp $";
#endif #endif
#if !defined(_KERNEL) && !defined(KERNEL) #if !defined(_KERNEL) && !defined(KERNEL)
@ -19,12 +19,11 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/file.h> #include <sys/file.h>
#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) #if defined(KERNEL) && (__FreeBSD_version >= 220000)
#include <sys/ioccom.h> # include <sys/filio.h>
#include <sys/filio.h> # include <sys/fcntl.h>
#include <sys/fcntl.h>
#else #else
#include <sys/ioctl.h> # include <sys/ioctl.h>
#endif #endif
#include <sys/uio.h> #include <sys/uio.h>
#include <sys/protosw.h> #include <sys/protosw.h>
@ -35,6 +34,7 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
#if !defined(__SVR4) && !defined(__svr4__) #if !defined(__SVR4) && !defined(__svr4__)
# include <sys/mbuf.h> # include <sys/mbuf.h>
#else #else
# include <sys/filio.h>
# include <sys/byteorder.h> # include <sys/byteorder.h>
# include <sys/dditypes.h> # include <sys/dditypes.h>
# include <sys/stream.h> # include <sys/stream.h>
@ -55,9 +55,10 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
#include <netinet/udp.h> #include <netinet/udp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h>
#include "ip_compat.h" #include "netinet/ip_compat.h"
#include "ip_fil.h" #include "netinet/ip_fil.h"
#include "ip_state.h" #include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
#ifndef MIN #ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b)) #define MIN(a,b) (((a)<(b))?(a):(b))
#endif #endif
@ -67,11 +68,8 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
ipstate_t *ips_table[IPSTATE_SIZE]; ipstate_t *ips_table[IPSTATE_SIZE];
int ips_num = 0; int ips_num = 0;
ips_stat_t ips_stats; ips_stat_t ips_stats;
#if SOLARIS #if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_state; extern kmutex_t ipf_state;
# if !defined(_KERNEL)
#define bcopy(a,b,c) memmove(b,a,c)
# endif
#endif #endif
@ -94,10 +92,27 @@ ips_stat_t *fr_statetstats()
} }
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ int fr_state_ioctl(data, cmd, mode)
(((s1) == (d2)) && ((d1) == (s2)))) caddr_t data;
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \ int cmd;
(s2).s_addr, (d2).s_addr) int mode;
{
switch (cmd)
{
case SIOCGIPST :
IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
break;
case FIONREAD :
#ifdef IPFILTER_LOG
*(int *)data = iplused[IPL_LOGSTATE];
#endif
break;
default :
return -1;
}
return 0;
}
/* /*
* Create a new ipstate structure and hang it off the hash table. * Create a new ipstate structure and hang it off the hash table.
@ -212,6 +227,8 @@ u_int pass;
ipstate_log(is, ISL_NEW); ipstate_log(is, ISL_NEW);
#endif #endif
MUTEX_EXIT(&ipf_state); MUTEX_EXIT(&ipf_state);
if (fin->fin_fi.fi_fl & FI_FRAG)
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
return 0; return 0;
} }
@ -346,8 +363,9 @@ fr_info_t *fin;
is->is_pkts++; is->is_pkts++;
is->is_bytes += ip->ip_len; is->is_bytes += ip->ip_len;
ips_stats.iss_hits++; ips_stats.iss_hits++;
pass = is->is_pass;
MUTEX_EXIT(&ipf_state); MUTEX_EXIT(&ipf_state);
return is->is_pass; return pass;
} }
MUTEX_EXIT(&ipf_state); MUTEX_EXIT(&ipf_state);
break; break;
@ -364,10 +382,10 @@ fr_info_t *fin;
PAIRS(sport, dport, is->is_sport, is->is_dport) && PAIRS(sport, dport, is->is_sport, is->is_dport) &&
IPPAIR(src, dst, is->is_src, is->is_dst)) IPPAIR(src, dst, is->is_src, is->is_dst))
if (fr_tcpstate(is, fin, ip, tcp, sport)) { if (fr_tcpstate(is, fin, ip, tcp, sport)) {
pass = is->is_pass;
#ifdef _KERNEL #ifdef _KERNEL
MUTEX_EXIT(&ipf_state); MUTEX_EXIT(&ipf_state);
#else #else
int pass = is->is_pass;
if (tcp->th_flags & TCP_CLOSE) { if (tcp->th_flags & TCP_CLOSE) {
*isp = is->is_next; *isp = is->is_next;

View File

@ -1,12 +1,12 @@
/* /*
* (C)opyright 1995 by Darren Reed. * (C)opyright 1995-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* *
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* $Id: ip_state.h,v 2.0.2.5 1997/03/31 10:05:32 darrenr Exp $ * $Id: ip_state.h,v 2.0.2.9 1997/05/24 07:35:11 darrenr Exp $
*/ */
#ifndef __IP_STATE_H__ #ifndef __IP_STATE_H__
#define __IP_STATE_H__ #define __IP_STATE_H__
@ -14,6 +14,12 @@
#define IPSTATE_SIZE 257 #define IPSTATE_SIZE 257
#define IPSTATE_MAX 2048 /* Maximum number of states held */ #define IPSTATE_MAX 2048 /* Maximum number of states held */
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
(s2).s_addr, (d2).s_addr)
typedef struct udpstate { typedef struct udpstate {
u_short us_sport; u_short us_sport;
u_short us_dport; u_short us_dport;
@ -106,6 +112,14 @@ typedef struct ips_stat {
ipstate_t **iss_table; ipstate_t **iss_table;
} ips_stat_t; } ips_stat_t;
extern u_long fr_tcpidletimeout;
extern u_long fr_tcpclosewait;
extern u_long fr_tcplastack;
extern u_long fr_tcptimeout;
extern u_long fr_tcpclosed;
extern u_long fr_udptimeout;
extern u_long fr_icmptimeout;
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
tcphdr_t *, u_short)); tcphdr_t *, u_short));
extern ips_stat_t *fr_statetstats __P((void)); extern ips_stat_t *fr_statetstats __P((void));
@ -115,4 +129,5 @@ extern void fr_timeoutstate __P((void));
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
extern void fr_stateunload __P((void)); extern void fr_stateunload __P((void));
extern void ipstate_log __P((struct ipstate *, u_short)); extern void ipstate_log __P((struct ipstate *, u_short));
extern int fr_state_ioctl __P((caddr_t, int, int));
#endif /* __IP_STATE_H__ */ #endif /* __IP_STATE_H__ */

View File

@ -5,6 +5,9 @@
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
*/ */
#ifdef __FreeBSD__
# include <osreldate.h>
#endif
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
@ -22,7 +25,11 @@
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <netinet/in_systm.h> #include <netinet/in_systm.h>
#include <sys/time.h>
#include <net/if.h> #include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/ip.h> #include <netinet/ip.h>
#include <netdb.h> #include <netdb.h>
#include <arpa/nameser.h> #include <arpa/nameser.h>
@ -33,7 +40,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ipf.c,v 2.0.2.5 1997/03/31 10:05:33 darrenr Exp $"; static char rcsid[] = "$Id: ipf.c,v 2.0.2.6 1997/04/30 13:59:59 darrenr Exp $";
#endif #endif
#if SOLARIS #if SOLARIS

View File

@ -1,14 +1,17 @@
/* /*
* (C)opyright 1993-1996 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* *
* @(#)ipf.h 1.12 6/5/96 * @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.0.2.4 1997/03/27 13:45:18 darrenr Exp $ * $Id: ipf.h,v 2.0.2.6 1997/04/30 13:49:05 darrenr Exp $
*/ */
#ifndef __IPF_H__
#define __IPF_H__
#ifndef SOLARIS #ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif #endif
@ -46,12 +49,6 @@ extern void binprint __P((struct frentry *)), initparse __P((void));
extern u_short portnum __P((char *)); extern u_short portnum __P((char *));
#if defined(__SVR4) || defined(__svr4__)
#define index strchr
#define bzero(a,b) memset(a, 0, b)
#define bcopy(a,b,c) memmove(b,a,c)
#endif
struct ipopt_names { struct ipopt_names {
int on_value; int on_value;
int on_bit; int on_bit;
@ -79,3 +76,4 @@ extern char *sys_errlist[];
#define MIN(a,b) ((a) > (b) ? (b) : (a)) #define MIN(a,b) ((a) > (b) ? (b) : (a))
#endif #endif
#endif /* __IPF_H__ */

View File

@ -31,6 +31,7 @@ etherfind -n -t
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <netinet/in_systm.h> #include <netinet/in_systm.h>
@ -42,12 +43,13 @@ etherfind -n -t
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <net/if.h> #include <net/if.h>
#include <netdb.h> #include <netdb.h>
#include "ip_compat.h"
#include "ipf.h" #include "ipf.h"
#include "ipt.h" #include "ipt.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.3 1997/03/10 08:10:24 darrenr Exp $"; static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp $";
#endif #endif
static int etherf_open __P((char *)); static int etherf_open __P((char *));

View File

@ -16,6 +16,7 @@
#endif #endif
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <stddef.h> #include <stddef.h>
@ -33,12 +34,13 @@
#include <netdb.h> #include <netdb.h>
#include <arpa/nameser.h> #include <arpa/nameser.h>
#include <resolv.h> #include <resolv.h>
#include "ip_compat.h"
#include "ipf.h" #include "ipf.h"
#include "ipt.h" #include "ipt.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.3 1997/03/10 08:10:25 darrenr Exp $"; static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.4 1997/04/30 13:55:07 darrenr Exp $";
#endif #endif
extern int opts; extern int opts;

View File

@ -25,12 +25,13 @@
#include <netinet/tcp.h> #include <netinet/tcp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <net/if.h> #include <net/if.h>
#include "ip_compat.h"
#include "ipf.h" #include "ipf.h"
#include "ipt.h" #include "ipt.h"
#include "pcap.h" #include "pcap.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.3 1997/03/10 08:10:26 darrenr Exp $"; static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp $";
#endif #endif
struct llc { struct llc {

View File

@ -21,6 +21,7 @@
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <netinet/in_systm.h> #include <netinet/in_systm.h>
#include <netinet/ip_var.h> #include <netinet/ip_var.h>
@ -28,12 +29,13 @@
#include <netinet/tcp.h> #include <netinet/tcp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <net/if.h> #include <net/if.h>
#include "ip_compat.h"
#include "ipf.h" #include "ipf.h"
#include "ipt.h" #include "ipt.h"
#include "snoop.h" #include "snoop.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.3 1997/03/10 08:10:29 darrenr Exp $"; static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp $";
#endif #endif
struct llc { struct llc {

View File

@ -35,6 +35,7 @@ tcpdump -nqte
#endif #endif
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <stddef.h> #include <stddef.h>
@ -51,12 +52,13 @@ tcpdump -nqte
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <net/if.h> #include <net/if.h>
#include <netdb.h> #include <netdb.h>
#include "ip_compat.h"
#include "ipf.h" #include "ipf.h"
#include "ipt.h" #include "ipt.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.3 1997/03/10 08:10:30 darrenr Exp $"; static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp $";
#endif #endif
static int tcpd_open __P((char *)); static int tcpd_open __P((char *));

View File

@ -16,6 +16,7 @@
#endif #endif
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <stddef.h> #include <stddef.h>
@ -40,7 +41,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.3 1997/03/10 08:10:31 darrenr Exp $"; static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.4 1997/04/30 13:55:13 darrenr Exp $";
#endif #endif
extern int opts; extern int opts;

View File

@ -1,5 +1,5 @@
/* /*
* (C)opyright 1993-1996 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
@ -8,9 +8,9 @@
* @(#)ipl.h 1.21 6/5/96 * @(#)ipl.h 1.21 6/5/96
*/ */
#ifndef __IPL_H_ #ifndef __IPL_H__
#define __IPL_H__ #define __IPL_H__
#define IPL_VERSION "IP Filter v3.2alpha4" #define IPL_VERSION "IP Filter v3.2alpha7"
#endif #endif

View File

@ -15,6 +15,7 @@
#include <strings.h> #include <strings.h>
#include <sys/dir.h> #include <sys/dir.h>
#else #else
#include <sys/filio.h>
#include <sys/byteorder.h> #include <sys/byteorder.h>
#endif #endif
#include <sys/types.h> #include <sys/types.h>
@ -48,12 +49,13 @@
#include "ip_compat.h" #include "ip_compat.h"
#include "ip_fil.h" #include "ip_fil.h"
#include "ip_proxy.h"
#include "ip_nat.h" #include "ip_nat.h"
#include "ip_state.h" #include "ip_state.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed"; static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed";
static char rcsid[] = "$Id: ipmon.c,v 2.0.2.6 1997/04/02 12:23:27 darrenr Exp $"; static char rcsid[] = "$Id: ipmon.c,v 2.0.2.9 1997/04/30 13:54:10 darrenr Exp $";
#endif #endif
@ -443,6 +445,15 @@ int blen;
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
portname(res, NULL, nl->nl_origport)); portname(res, NULL, nl->nl_origport));
t += strlen(t); t += strlen(t);
if (nl->nl_type == NL_EXPIRE) {
#ifdef USE_QUAD_T
(void) sprintf(t, " Pkts %qd Bytes %qd",
#else
(void) sprintf(t, " Pkts %ld Bytes %ld",
#endif
nl->nl_pkts, nl->nl_bytes);
t += strlen(t);
}
*t++ = '\n'; *t++ = '\n';
*t++ = '\0'; *t++ = '\0';
@ -495,21 +506,21 @@ int blen;
hostname(res, sl->isl_src), hostname(res, sl->isl_src),
portname(res, proto, sl->isl_sport)); portname(res, proto, sl->isl_sport));
t += strlen(t); t += strlen(t);
(void) sprintf(t, "%s,%s PR %s ", (void) sprintf(t, "%s,%s PR %s",
hostname(res, sl->isl_dst), hostname(res, sl->isl_dst),
portname(res, proto, sl->isl_dport), proto); portname(res, proto, sl->isl_dport), proto);
} else if (sl->isl_p == IPPROTO_ICMP) { } else if (sl->isl_p == IPPROTO_ICMP) {
(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src)); (void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
t += strlen(t); t += strlen(t);
(void) sprintf(t, "%s PR icmp %d ", (void) sprintf(t, "%s PR icmp %d",
hostname(res, sl->isl_dst), sl->isl_itype); hostname(res, sl->isl_dst), sl->isl_itype);
} }
t += strlen(t); t += strlen(t);
if (sl->isl_type != ISL_NEW) { if (sl->isl_type != ISL_NEW) {
#ifdef USE_QUAD_T #ifdef USE_QUAD_T
(void) sprintf(t, "Pkts %qd Bytes %qd", (void) sprintf(t, " Pkts %qd Bytes %qd",
#else #else
(void) sprintf(t, "Pkts %ld Bytes %ld", (void) sprintf(t, " Pkts %ld Bytes %ld",
#endif #endif
sl->isl_pkts, sl->isl_bytes); sl->isl_pkts, sl->isl_bytes);
t += strlen(t); t += strlen(t);

View File

@ -48,13 +48,14 @@
#include <ctype.h> #include <ctype.h>
#include "ip_compat.h" #include "ip_compat.h"
#include "ip_fil.h" #include "ip_fil.h"
#include "ip_proxy.h"
#include "ip_nat.h" #include "ip_nat.h"
#include "kmem.h" #include "kmem.h"
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static char rcsid[] = "$Id: ipnat.c,v 2.0.2.6 1997/04/02 12:23:29 darrenr Exp $"; static char rcsid[] = "$Id: ipnat.c,v 2.0.2.9 1997/05/05 14:03:55 darrenr Exp $";
#endif #endif
#if SOLARIS #if SOLARIS
@ -130,8 +131,8 @@ char *argv[];
usage(argv[0]); usage(argv[0]);
} }
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) && if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) &&
((fd = open(IPL_NAME, O_RDONLY)) == -1)) { ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
perror("open"); perror("open");
exit(-1); exit(-1);
} }
@ -182,8 +183,25 @@ void *ptr;
{ {
int bits; int bits;
switch (np->in_redir)
{
case NAT_REDIRECT :
printf("redir ");
break;
case NAT_MAP :
printf("map ");
break;
case NAT_BIMAP :
printf("bimap ");
break;
default :
fprintf(stderr, "unknown value for in_redir: %#x\n",
np->in_redir);
break;
}
if (np->in_redir == NAT_REDIRECT) { if (np->in_redir == NAT_REDIRECT) {
printf("rdr %s %s", np->in_ifname, inet_ntoa(np->in_out[0])); printf("%s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr); bits = countbits(np->in_out[1].s_addr);
if (bits != -1) if (bits != -1)
printf("/%d ", bits); printf("/%d ", bits);
@ -207,7 +225,7 @@ void *ptr;
np->in_use); np->in_use);
} else { } else {
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
bits = countbits(np->in_in[1].s_addr); bits = countbits(np->in_in[1].s_addr);
if (bits != -1) if (bits != -1)
printf("%d ", bits); printf("%d ", bits);
@ -219,7 +237,13 @@ void *ptr;
printf("%d ", bits); printf("%d ", bits);
else else
printf("%s", inet_ntoa(np->in_out[1])); printf("%s", inet_ntoa(np->in_out[1]));
if (np->in_pmin || np->in_pmax) { if (*np->in_plabel) {
printf(" proxy");
if (np->in_dport)
printf(" %hu", ntohs(np->in_dport));
printf(" %.*s/%d", sizeof(np->in_plabel),
np->in_plabel, np->in_p);
} else if (np->in_pmin || np->in_pmax) {
printf(" portmap"); printf(" portmap");
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp"); printf(" tcp/udp");
@ -245,13 +269,29 @@ void *ptr;
char *getnattype(ipnat) char *getnattype(ipnat)
ipnat_t *ipnat; ipnat_t *ipnat;
{ {
char *which;
ipnat_t ipnatbuff; ipnat_t ipnatbuff;
if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
sizeof(ipnatbuff))) sizeof(ipnatbuff)))
return "???"; return "???";
return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR"; switch (ipnatbuff.in_redir)
{
case NAT_MAP :
which = "MAP";
break;
case NAT_REDIRECT :
which = "RDR";
break;
case NAT_BIMAP :
which = "BIMAP";
break;
default :
which = "unknown";
break;
}
return which;
} }
@ -275,7 +315,7 @@ int fd, opts;
ns.ns_mapped[0], ns.ns_mapped[1]); ns.ns_mapped[0], ns.ns_mapped[1]);
printf("added\t%lu\texpired\t%lu\n", printf("added\t%lu\texpired\t%lu\n",
ns.ns_added, ns.ns_expire); ns.ns_added, ns.ns_expire);
printf("inuse\t%lu\n", ns.ns_inuse); printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
if (opts & OPT_VERBOSE) if (opts & OPT_VERBOSE)
printf("table %p list %p\n", ns.ns_table, ns.ns_list); printf("table %p list %p\n", ns.ns_table, ns.ns_list);
} }
@ -419,6 +459,7 @@ int *resolved;
ipnat_t *parse(line) ipnat_t *parse(line)
char *line; char *line;
{ {
struct protoent *pr;
static ipnat_t ipn; static ipnat_t ipn;
char *s, *t; char *s, *t;
char *shost, *snetm, *dhost, *proto; char *shost, *snetm, *dhost, *proto;
@ -438,9 +479,11 @@ char *line;
ipn.in_redir = NAT_MAP; ipn.in_redir = NAT_MAP;
else if (!strcasecmp(s, "rdr")) else if (!strcasecmp(s, "rdr"))
ipn.in_redir = NAT_REDIRECT; ipn.in_redir = NAT_REDIRECT;
else if (!strcasecmp(s, "bimap"))
ipn.in_redir = NAT_BIMAP;
else { else {
(void)fprintf(stderr, (void)fprintf(stderr,
"expected \"map\" or \"rdr\", got \"%s\"\n", s); "expected map/rdr/bimap, got \"%s\"\n", s);
return NULL; return NULL;
} }
@ -508,7 +551,7 @@ char *line;
} }
dhost = s; dhost = s;
if (ipn.in_redir == NAT_MAP) { if (ipn.in_redir & NAT_MAP) {
if (!(s = strtok(NULL, " \t"))) { if (!(s = strtok(NULL, " \t"))) {
dnetm = strrchr(dhost, '/'); dnetm = strrchr(dhost, '/');
if (!dnetm) { if (!dnetm) {
@ -517,7 +560,8 @@ char *line;
return NULL; return NULL;
} }
} }
if (!s || !strcasecmp(s, "portmap")) { if (!s || !strcasecmp(s, "portmap") ||
!strcasecmp(s, "proxy")) {
dnetm = strrchr(dhost, '/'); dnetm = strrchr(dhost, '/');
if (!dnetm) { if (!dnetm) {
fprintf(stderr, fprintf(stderr,
@ -562,7 +606,7 @@ char *line;
if (*snetm == '/') if (*snetm == '/')
*snetm++ = '\0'; *snetm++ = '\0';
if (ipn.in_redir == NAT_MAP) { if (ipn.in_redir & NAT_MAP) {
ipn.in_inip = hostnum(shost, &resolved); ipn.in_inip = hostnum(shost, &resolved);
if (resolved == -1) if (resolved == -1)
return NULL; return NULL;
@ -612,6 +656,55 @@ char *line;
} }
if (!s) if (!s)
return &ipn; return &ipn;
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "extra words at the end of bimap line: %s\n",
s);
return NULL;
}
if (!strcasecmp(s, "proxy")) {
if (!(s = strtok(NULL, " \t"))) {
fprintf(stderr, "missing parameter for \"proxy\"\n");
return NULL;
}
dport = NULL;
if (!strcasecmp(s, "port")) {
if (!(s = strtok(NULL, " \t"))) {
fprintf(stderr,
"missing parameter for \"port\"\n");
return NULL;
}
dport = s;
if (!(s = strtok(NULL, " \t"))) {
fprintf(stderr,
"missing parameter for \"proxy\"\n");
return NULL;
}
}
if ((proto = index(s, '/'))) {
*proto++ = '\0';
if ((pr = getprotobyname(proto)))
ipn.in_p = pr->p_proto;
else
ipn.in_p = atoi(proto);
if (dport)
ipn.in_dport = portnum(dport, proto);
} else {
ipn.in_p = 0;
if (dport)
ipn.in_dport = portnum(dport, NULL);
}
(void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
if ((s = strtok(NULL, " \t"))) {
fprintf(stderr, "too many parameters for \"proxy\"\n");
return NULL;
}
return &ipn;
}
if (strcasecmp(s, "portmap")) { if (strcasecmp(s, "portmap")) {
fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s); fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s);
return NULL; return NULL;

View File

@ -32,6 +32,9 @@ all:
.c.o: .c.o:
$(CC) $(CFLAGS) $(LINUXK) -c $< -o $@ $(CC) $(CFLAGS) $(LINUXK) -c $< -o $@
install:
-$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
bpf sunos4-bpf : bpf sunos4-bpf :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \ make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
"CFLAGS=$(CFLAGS) -DDOSOCKET" "CFLAGS=$(CFLAGS) -DDOSOCKET"

View File

@ -25,11 +25,6 @@ static char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
#include <netinet/tcp.h> #include <netinet/tcp.h>
#include "ipsend.h" #include "ipsend.h"
#if defined(__SVR4) || defined(__svr4__)
#define bcopy(a,b,c) memmove(b,a,c)
#define bzero(a,c) memset(a,0,c)
#define bcmp(a,b,c) memcmp(a,b,c)
#endif
/* /*
* lookup host and return * lookup host and return

View File

@ -175,7 +175,7 @@ char **argv;
ip->ip_len = sizeof(*ip); ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2; ip->ip_hl = sizeof(*ip) >> 2;
while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1) while ((c = (char)getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
switch (c) switch (c)
{ {
case 'I' : case 'I' :

View File

@ -108,7 +108,8 @@ char **argv;
ip->ip_len = sizeof(*ip); ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2; ip->ip_hl = sizeof(*ip) >> 2;
while ((c = getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1) while ((c = (char)getopt(argc, argv,
"1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
switch (c) switch (c)
{ {
case '1' : case '1' :

View File

@ -27,6 +27,9 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
#endif #endif
#include <kvm.h> #include <kvm.h>
#include <sys/socket.h> #include <sys/socket.h>
#if defined(solaris)
# include <sys/stream.h>
#endif
#include <sys/socketvar.h> #include <sys/socketvar.h>
#ifdef sun #ifdef sun
#include <sys/systm.h> #include <sys/systm.h>

View File

@ -5,6 +5,9 @@
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
*/ */
#ifdef __FreeBSD__
# include <osreldate.h>
#endif
#include <stdio.h> #include <stdio.h>
#include <assert.h> #include <assert.h>
#include <string.h> #include <string.h>
@ -16,6 +19,7 @@
#endif #endif
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <stddef.h> #include <stddef.h>
@ -30,6 +34,9 @@
#include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#include <net/if.h> #include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netdb.h> #include <netdb.h>
#include <arpa/nameser.h> #include <arpa/nameser.h>
#include <arpa/inet.h> #include <arpa/inet.h>
@ -42,7 +49,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: ipt.c,v 2.0.2.4 1997/04/02 12:23:30 darrenr Exp $"; static char rcsid[] = "$Id: ipt.c,v 2.0.2.5 1997/04/30 13:59:39 darrenr Exp $";
#endif #endif
extern char *optarg; extern char *optarg;
@ -66,7 +73,7 @@ char *argv[];
char *rules = NULL, *datain = NULL, *iface = NULL; char *rules = NULL, *datain = NULL, *iface = NULL;
int fd, i, dir = 0; int fd, i, dir = 0;
while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) while ((c = (char)getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1)
switch (c) switch (c)
{ {
case 'b' : case 'b' :

View File

@ -1,12 +1,15 @@
/* /*
* (C)opyright 1993,1994,1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* $Id: ipt.h,v 2.0.2.4 1997/03/27 13:45:23 darrenr Exp $ * $Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp $
*/ */
#ifndef __IPT_H__
#define __IPT_H__
#include <fcntl.h> #include <fcntl.h>
#ifdef __STDC__ #ifdef __STDC__
#include <stdarg.h> #include <stdarg.h>
@ -23,3 +26,5 @@ struct ipread {
extern void debug __P((char *, ...)); extern void debug __P((char *, ...));
extern void verbose __P((char *, ...)); extern void verbose __P((char *, ...));
#endif /* __IPT_H__ */

View File

@ -1,12 +1,15 @@
/* /*
* (C)opyright 1993,1994,1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* $Id: kmem.h,v 2.0.2.3 1997/03/10 08:10:38 darrenr Exp $ * $Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp $
*/ */
#ifndef __KMEM_H__
#define __KMEM_H__
#ifndef __P #ifndef __P
# ifdef __STDC__ # ifdef __STDC__
# define __P(x) x # define __P(x) x
@ -19,3 +22,4 @@ extern int kmemcpy __P((char *, long, int));
#define KMEM "/dev/kmem" #define KMEM "/dev/kmem"
#endif /* __KMEM_H__ */

View File

@ -1,5 +1,5 @@
/* /*
* (C)opyright 1993,1994,1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
@ -7,7 +7,7 @@
* responsibility and is not changed in any way. * responsibility and is not changed in any way.
* *
* I hate legaleese, don't you ? * I hate legaleese, don't you ?
* $Id: linux.h,v 2.0.2.2 1997/02/23 10:38:08 darrenr Exp $ * $Id: linux.h,v 2.0.2.3 1997/04/07 09:59:01 darrenr Exp $
*/ */
#include <linux/config.h> #include <linux/config.h>

View File

@ -99,7 +99,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics). affect fragment or state statistics).
.DT .DT
.SH SEE ALSO .SH SEE ALSO
ipfstat(1), ipftest(1), ipf(5) ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
.SH DIAGNOSTICS .SH DIAGNOSTICS
.PP .PP
Needs to be run as root for the packet filtering lists to actually Needs to be run as root for the packet filtering lists to actually

View File

@ -277,7 +277,10 @@ packets from both protocols are compared. This is equivalent to "proto
tcp/udp". When composing \fBport\fP comparisons, either the service tcp/udp". When composing \fBport\fP comparisons, either the service
name or an integer port number may be used. Port comparisons may be name or an integer port number may be used. Port comparisons may be
done in a number of forms, with a number of comparison operators, or done in a number of forms, with a number of comparison operators, or
port ranges may be specified. See the examples for more information. port ranges may be specified. When the port appears as part of the
\fBfrom\fP object, it matches the source port number, when it appears
as part of the \fBto\fP object, it matches the destination port number.
See the examples for more information.
.PP .PP
The \fBall\fP keyword is essentially a synonym for "from any to any" The \fBall\fP keyword is essentially a synonym for "from any to any"
with no other match parameters. with no other match parameters.
@ -430,4 +433,4 @@ would be needed before the first block.
.br .br
/etc/hosts /etc/hosts
.SH SEE ALSO .SH SEE ALSO
ipf(1), ipftest(1) ipf(1), ipftest(1), mkfilters(1)

View File

@ -4,4 +4,4 @@ IP FIlter
.SH DESCRIPTION .SH DESCRIPTION
.PP .PP
.SH SEE ALSO .SH SEE ALSO
ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5) ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)

View File

@ -0,0 +1,13 @@
.TH IPF 1
.SH NAME
mkfilters \- generate a minimal firewall ruleset for ipfilter
.SH SYNOPSIS
.B mkfilters
.SH DESCRIPTION
.PP
\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
.DT
.SH SEE ALSO
ipf(1), ipf(5), ipfilter(5), ifconfig(8)

View File

@ -15,6 +15,7 @@
#endif #endif
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <stddef.h> #include <stddef.h>
@ -40,7 +41,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
static char rcsid[] = "$Id: misc.c,v 2.0.2.5 1997/03/31 10:05:36 darrenr Exp $"; static char rcsid[] = "$Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp $";
#endif #endif
extern int opts; extern int opts;

View File

@ -13,19 +13,12 @@
#include <sys/param.h> #include <sys/param.h>
/*
* Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
* on those hooks. We don't need any special mods with this!
*/
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
(defined(NetBSD1_2) && NetBSD1_2 > 1)
# define NETBSD_PF
#endif
#if defined(__FreeBSD__) && (__FreeBSD__ > 1) #if defined(__FreeBSD__) && (__FreeBSD__ > 1)
# include <osreldate.h>
# ifdef IPFILTER_LKM # ifdef IPFILTER_LKM
# include <osreldate.h>
# define ACTUALLY_LKM_NOT_KERNEL # define ACTUALLY_LKM_NOT_KERNEL
# else
# include <sys/osreldate.h>
# endif # endif
#endif #endif
#include <sys/systm.h> #include <sys/systm.h>
@ -48,8 +41,10 @@
#include <sys/mount.h> #include <sys/mount.h>
#include <sys/exec.h> #include <sys/exec.h>
#include <sys/mbuf.h> #include <sys/mbuf.h>
#if defined(__NetBSD__) || (defined(__FreeBSD_version) && \ #if BSD >= 199506
(__FreeBSD_version >= 199511)) # include <sys/sysctl.h>
#endif
#if (__FreeBSD_version >= 199511)
#include <net/if.h> #include <net/if.h>
#include <netinet/in_systm.h> #include <netinet/in_systm.h>
#include <netinet/in.h> #include <netinet/in.h>
@ -59,13 +54,13 @@
#include <netinet/tcp.h> #include <netinet/tcp.h>
#include <netinet/tcpip.h> #include <netinet/tcpip.h>
#endif #endif
#ifndef __NetBSD__ #if (__FreeBSD__ > 1)
#include <sys/sysent.h> # include <sys/sysent.h>
#endif #endif
#include <sys/lkm.h> #include <sys/lkm.h>
#include "ipl.h" #include "netinet/ipl.h"
#include "ip_compat.h" #include "netinet/ip_compat.h"
#include "ip_fil.h" #include "netinet/ip_fil.h"
#ifndef IPL_NAME #ifndef IPL_NAME
#define IPL_NAME "/dev/ipl" #define IPL_NAME "/dev/ipl"
@ -84,43 +79,12 @@
extern int lkmenodev __P((void)); extern int lkmenodev __P((void));
#ifdef NETBSD_PF
#include <net/pfil.h>
#endif
#ifndef IPFILTER_LOG
# ifdef NETBSD_PF
# define iplread enodev
# else
# define iplread nodev
# endif
#endif
#ifdef NETBSD_PF
int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
#endif
static int ipl_unload __P((void)); static int ipl_unload __P((void));
static int ipl_load __P((void)); static int ipl_load __P((void));
static int ipl_remove __P((void)); static int ipl_remove __P((void));
int xxxinit __P((struct lkm_table *, int, int)); int xxxinit __P((struct lkm_table *, int, int));
#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
struct cdevsw ipldevsw =
{
iplopen, /* open */
iplclose, /* close */
iplread, /* read */
0, /* write */
iplioctl, /* ioctl */
0, /* stop */
0, /* tty */
0, /* select */
0, /* mmap */
NULL /* strategy */
};
#else
struct cdevsw ipldevsw = struct cdevsw ipldevsw =
{ {
iplopen, /* open */ iplopen, /* open */
@ -135,6 +99,16 @@ struct cdevsw ipldevsw =
(void *)nullop, /* mmap */ (void *)nullop, /* mmap */
NULL /* strategy */ NULL /* strategy */
}; };
#ifdef SYSCTL_INT
SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW,
&ipl_unreach, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD,
&ipl_inited, 0, "");
#endif #endif
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000) #if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
@ -149,7 +123,7 @@ extern int nchrdev;
int ipl_major = CDEV_MAJOR; int ipl_major = CDEV_MAJOR;
static struct cdevsw ipl_cdevsw = { static struct cdevsw ipl_cdevsw = {
iplopen, iplclose, iplread, nowrite, /* 79 */ iplopen, iplclose, iplread, nowrite, /* 79 */
iplioctl, nostop, noreset, nodevtotty, iplioctl, nostop, noreset, nodevtotty,
noselect, nommap, nostrategy, "ipl", noselect, nommap, nostrategy, "ipl",
NULL, -1 NULL, -1
@ -157,6 +131,8 @@ static struct cdevsw ipl_cdevsw = {
#endif #endif
static int iplaction __P((struct lkm_table *, int));
static int iplaction(lkmtp, cmd) static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp; struct lkm_table *lkmtp;
@ -229,6 +205,7 @@ static int ipl_remove __P((void))
VOP_LOCK(nd.ni_vp); VOP_LOCK(nd.ni_vp);
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
return 0;
} }
@ -237,9 +214,6 @@ static int ipl_unload()
int error = 0; int error = 0;
error = ipldetach(); error = ipldetach();
#ifdef NETBSD_PF
pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT);
#endif
if (!error) if (!error)
error = ipl_remove(); error = ipl_remove();
return error; return error;
@ -253,9 +227,6 @@ static int ipl_load()
int error = 0, fmode = S_IFCHR|0600; int error = 0, fmode = S_IFCHR|0600;
error = iplattach(); error = iplattach();
#ifdef NETBSD_PF
pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT);
#endif
if (error) if (error)
return error; return error;
(void) ipl_remove(); (void) ipl_remove();
@ -327,6 +298,20 @@ static int ipl_load()
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000) #if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
/*
* strlen isn't present in 2.1.* kernels.
*/
size_t strlen(string)
char *string;
{
register char *s;
for (s = string; *s; s++)
;
return (size_t)(s - string);
}
int xxxinit(lkmtp, cmd, ver) int xxxinit(lkmtp, cmd, ver)
struct lkm_table *lkmtp; struct lkm_table *lkmtp;
int cmd, ver; int cmd, ver;
@ -334,8 +319,8 @@ int cmd, ver;
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
} }
#else #else
#include <sys/exec.h> # ifdef IPFILTER_LKM
#include <sys/sysent.h> # include <sys/exec.h>
MOD_DECL(if_ipl); MOD_DECL(if_ipl);
@ -354,21 +339,39 @@ int cmd, ver;
{ {
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction); DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
} }
# else
/* #ifdef DEVFS
static void *ipf_devfs_token[3];
#endif
static ipl_devsw_installed = 0; static ipl_devsw_installed = 0;
static void ipl_drvinit __P((void *unused)) static void ipl_drvinit __P((void *unused))
{ {
dev_t dev; dev_t dev;
#ifdef DEVFS
void **tp = ipf_devfs_token;
#endif
if( ! ipl_devsw_installed ) { if (!ipl_devsw_installed ) {
dev = makedev(CDEV_MAJOR,0); dev = makedev(CDEV_MAJOR, 0);
cdevsw_add(&dev, &ipl_cdevsw,NULL); cdevsw_add(&dev, &ipl_cdevsw, NULL);
ipl_devsw_installed = 1; ipl_devsw_installed = 1;
}
#ifdef DEVFS
tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
DV_CHR, 0, 0, 0600,
"ipf", IPL_LOGIPF);
tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
DV_CHR, 0, 0, 0600,
"ipnat", IPL_LOGNAT);
tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
DV_CHR, 0, 0, 0600,
"ipstate", IPL_LOGSTATE);
#endif
}
} }
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL) SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
*/ # endif /* IPFILTER_LKM */
#endif /* __FreeBSD__ */ #endif /* _FreeBSD_version */

View File

@ -14,6 +14,7 @@
#endif #endif
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <stddef.h> #include <stddef.h>
@ -34,7 +35,7 @@
#if !defined(lint) && defined(LIBC_SCCS) #if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: parse.c,v 2.0.2.5 1997/03/31 10:05:38 darrenr Exp $"; static char rcsid[] = "$Id: parse.c,v 2.0.2.7 1997/05/08 11:24:09 darrenr Exp $";
#endif #endif
extern struct ipopt_names ionames[], secclass[]; extern struct ipopt_names ionames[], secclass[];
@ -325,6 +326,10 @@ char *line;
return NULL; return NULL;
} }
ch = 0; ch = 0;
if (**cpp == '!') {
fil.fr_flags |= FR_NOTSRCIP;
(*cpp)++;
}
if (hostmask(&cpp, (u_long *)&fil.fr_src, if (hostmask(&cpp, (u_long *)&fil.fr_src,
(u_long *)&fil.fr_smsk, &fil.fr_sport, &ch, (u_long *)&fil.fr_smsk, &fil.fr_sport, &ch,
&fil.fr_stop)) { &fil.fr_stop)) {
@ -350,6 +355,10 @@ char *line;
return NULL; return NULL;
} }
ch = 0; ch = 0;
if (**cpp == '!') {
fil.fr_flags |= FR_NOTDSTIP;
(*cpp)++;
}
if (hostmask(&cpp, (u_long *)&fil.fr_dst, if (hostmask(&cpp, (u_long *)&fil.fr_dst,
(u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch, (u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch,
&fil.fr_dtop)) { &fil.fr_dtop)) {
@ -1164,10 +1173,11 @@ struct frentry *fp;
(void)printf("proto %d ", fp->fr_proto); (void)printf("proto %d ", fp->fr_proto);
} }
printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr) if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr)
(void)printf("from any "); (void)printf("any ");
else { else {
(void)printf("from %s", inet_ntoa(fp->fr_src)); (void)printf("%s", inet_ntoa(fp->fr_src));
if ((ones = countbits(fp->fr_smsk.s_addr)) == -1) if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
(void)printf("/%s ", inet_ntoa(fp->fr_smsk)); (void)printf("/%s ", inet_ntoa(fp->fr_smsk));
else else
@ -1180,10 +1190,12 @@ struct frentry *fp;
else else
(void)printf("port %s %s ", pcmp1[fp->fr_scmp], (void)printf("port %s %s ", pcmp1[fp->fr_scmp],
portname(pr, fp->fr_sport)); portname(pr, fp->fr_sport));
printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr) if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr)
(void)printf("to any"); (void)printf("any");
else { else {
(void)printf("to %s", inet_ntoa(fp->fr_dst)); (void)printf("%s", inet_ntoa(fp->fr_dst));
if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1) if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
(void)printf("/%s", inet_ntoa(fp->fr_dmsk)); (void)printf("/%s", inet_ntoa(fp->fr_dmsk));
else else

View File

@ -1,10 +1,10 @@
/* /*
* (C)opyright 1993-1996 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
* $Id: pcap.h,v 2.0.2.2 1997/02/23 10:38:17 darrenr Exp $ * $Id: pcap.h,v 2.0.2.3 1997/04/07 09:59:02 darrenr Exp $
*/ */
/* /*
* This header file is constructed to match the version described by * This header file is constructed to match the version described by

6
contrib/ipfilter/rules/ftppxy Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
# The proxy bit is as follows:
# proxy [port <portname>] <tag>/<protocol>
# the <tag> should match a tagname in the proxy table, as does the protocol.
# this format isn't finalised yet
echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -

View File

@ -1,14 +1,17 @@
/* /*
* (C)opyright 1993,1994,1995 by Darren Reed. * (C)opyright 1993-1997 by Darren Reed.
* *
* Redistribution and use in source and binary forms are permitted * Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given * provided that this notice is preserved and due credit is given
* to the original author and the contributors. * to the original author and the contributors.
*/ */
#ifndef __SNOOP_H__
#define __SNOOP_H__
/* /*
* written to comply with the RFC (1761) from Sun. * written to comply with the RFC (1761) from Sun.
* $Id: snoop.h,v 2.0.2.2 1997/02/23 10:38:19 darrenr Exp $ * $Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp $
*/ */
struct snoophdr { struct snoophdr {
char s_id[8]; char s_id[8];
@ -40,3 +43,5 @@ struct snooppkt {
int sp_sec; int sp_sec;
int sp_usec; int sp_usec;
}; };
#endif /* __SNOOP_H__ */

View File

@ -6,7 +6,7 @@
* to the original author and the contributors. * to the original author and the contributors.
*/ */
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
#pragma ident "$Id: solaris.c,v 2.0.2.3 1997/03/27 13:45:28 darrenr Exp $"; #pragma ident "$Id: solaris.c,v 2.0.2.5 1997/05/08 10:11:04 darrenr Exp $";
#include <sys/systm.h> #include <sys/systm.h>
#include <sys/types.h> #include <sys/types.h>
@ -177,18 +177,18 @@ ddi_attach_cmd_t cmd;
#ifdef IPFDEBUG #ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance); cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance);
#endif #endif
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, instance, if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
DDI_PSEUDO, 0) == DDI_FAILURE) { DDI_PSEUDO, 0) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL); ddi_remove_minor_node(dip, NULL);
goto attach_failed; goto attach_failed;
} }
if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, instance, if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, IPL_LOGNAT,
DDI_PSEUDO, 1) == DDI_FAILURE) { DDI_PSEUDO, 0) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL); ddi_remove_minor_node(dip, NULL);
goto attach_failed; goto attach_failed;
} }
if (ddi_create_minor_node(dip, "ipstate", S_IFCHR, instance, if (ddi_create_minor_node(dip, "ipstate", S_IFCHR,IPL_LOGSTATE,
DDI_PSEUDO, 2) == DDI_FAILURE) { DDI_PSEUDO, 0) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL); ddi_remove_minor_node(dip, NULL);
goto attach_failed; goto attach_failed;
} }
@ -942,7 +942,11 @@ frdest_t *fdp;
else else
dst = fin->fin_fi.fi_dst; dst = fin->fin_fi.fi_dst;
#if SOLARIS2 > 5
if (dir = ire_cache_lookup(dst.s_addr))
#else
if (dir = ire_lookup(dst.s_addr)) if (dir = ire_lookup(dst.s_addr))
#endif
if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length) if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length)
dir = NULL; dir = NULL;

View File

@ -17,7 +17,7 @@ first:
-mkdir -p results -mkdir -p results
# Filtering tests # Filtering tests
ftests: 1 2 3 4 5 6 7 8 9 10 11 12 ftests: 1 2 3 4 5 6 7 8 9 10 11 12 14
# Rule parsing tests # Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
@ -25,7 +25,7 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
0: 0:
@(cd ..; make ipftest; ) @(cd ..; make ipftest; )
1 2 3 4 5 6 7 8 9 10 11: 1 2 3 4 5 6 7 8 9 10 11 14:
@./dotest $@ @./dotest $@
12: 12:

View File

@ -0,0 +1,40 @@
nomatch
block
nomatch
nomatch
nomatch
nomatch
pass
nomatch
nomatch
nomatch
nomatch
block
block
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
block
block
block
nomatch
nomatch
pass
pass
pass
nomatch
block
block
block
block
block
pass
pass
pass
pass
pass

View File

@ -3,6 +3,8 @@ block out from any to any
log in from any to any log in from any to any
log body in from any to any log body in from any to any
count in from any to any count in from any to any
pass in from !any to any
block in from any to !any
pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32 pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
block in log first on lo0(!) from any to any block in log first on lo0(!) from any to any
pass in log body quick from any to any pass in log body quick from any to any

View File

@ -0,0 +1,5 @@
in 127.0.0.1 127.0.0.1
in 1.1.1.1 1.2.1.1
in 1.1.1.2 1.2.1.1
in 1.1.2.2 1.2.1.1
in 1.2.2.2 1.2.1.1

View File

@ -0,0 +1,8 @@
block in from !1.1.1.1 to any
pass in from 1.1.1.1 to !any
block in from 1.1.1.1/24 to !any
pass in from !1.1.1.1/24 to any
block in from !1.1.1.1/16 to any
pass in from 1.1.1.1/16 to !any
block in from 1.1.1.1/0 to !any
pass in from !1.1.1.1/0 to any

View File

@ -3,6 +3,8 @@ block out all
log in all log in all
log body in all log body in all
count in from any to any count in from any to any
pass in from !any to any
block in from any to !any
pass in on ed0 from localhost to localhost pass in on ed0 from localhost to localhost
block in log first on lo0 from any to any block in log first on lo0 from any to any
pass in log body quick from any to any pass in log body quick from any to any

View File

@ -1,12 +1,5 @@
* automatically use the interface's IP# for NAT rather than any specific IP#
- Done. Use "0/32" as destination address/mask. Uses first interface IP#
set for an interface.
* use fr_tcpstate() with NAT code for increased NAT usage security or even * use fr_tcpstate() with NAT code for increased NAT usage security or even
fr_checkstate() fr_checkstate() - suspect this is not possible.
* use minor devices for controlling access to alternate parts of IP Filter
such as filtering, accounting, state, NAT, etc.
* see if the Solaris2 and dynamic plumb/unplumb problem is solvable * see if the Solaris2 and dynamic plumb/unplumb problem is solvable
@ -17,11 +10,17 @@ time permitting:
* record buffering for TCP/UDP * record buffering for TCP/UDP
* modular application proxying * modular application proxying
on the way
* invesitgate making logging better * invesitgate making logging better
done ?
* add reverse nat (similar to rdr) to map addresses going in both directions * add reverse nat (similar to rdr) to map addresses going in both directions
* add 'tail' switch to ipmon
(this might just be some changes to rdr). In 1:1 relationships maybe make (this might just be some changes to rdr). In 1:1 relationships maybe make
it an option. it an option.
* keep fragment information for NAT/state entries automatically.
done
* support traceroute through the firewall